From 01c0aa9b45667b25e8105160119da011471c77cb Mon Sep 17 00:00:00 2001
From: David Waltermire <david.waltermire@nist.gov>
Date: Mon, 31 Aug 2020 21:09:15 -0400
Subject: [PATCH] removed all source and generated content files. Updated
 readmes to point to the new content repository.

---
 content/README.md                             |     8 +-
 .../json/example-component-min.json           |    55 -
 .../components/json/example-component.json    |    57 -
 content/components/xml/example-component.xml  |    41 -
 .../components/yaml/example-component.yaml    |    38 -
 content/fedramp.gov/README.md                 |    32 +-
 ...baseline-resolved-profile_catalog-min.json |     1 -
 ...IGH-baseline-resolved-profile_catalog.json | 99007 ----------------
 .../FedRAMP_HIGH-baseline_profile-min.json    |     1 -
 .../json/FedRAMP_HIGH-baseline_profile.json   | 35474 ------
 ...baseline-resolved-profile_catalog-min.json |     1 -
 ...aaS-baseline-resolved-profile_catalog.json | 38994 ------
 .../FedRAMP_LI-SaaS-baseline_profile-min.json |     1 -
 .../FedRAMP_LI-SaaS-baseline_profile.json     |  4462 -
 ...baseline-resolved-profile_catalog-min.json |     1 -
 ...LOW-baseline-resolved-profile_catalog.json | 47817 --------
 .../FedRAMP_LOW-baseline_profile-min.json     |     1 -
 .../json/FedRAMP_LOW-baseline_profile.json    | 17083 ---
 ...baseline-resolved-profile_catalog-min.json |     1 -
 ...ATE-baseline-resolved-profile_catalog.json | 83593 -------------
 ...FedRAMP_MODERATE-baseline_profile-min.json |     1 -
 .../FedRAMP_MODERATE-baseline_profile.json    | 29889 -----
 ...HIGH-baseline-resolved-profile_catalog.xml | 42714 -------
 .../xml/FedRAMP_HIGH-baseline_profile.xml     |  9689 --
 ...SaaS-baseline-resolved-profile_catalog.xml | 17511 ---
 .../xml/FedRAMP_LI-SaaS-baseline_profile.xml  |  1734 -
 ..._LOW-baseline-resolved-profile_catalog.xml | 19131 ---
 .../xml/FedRAMP_LOW-baseline_profile.xml      |  4623 -
 ...RATE-baseline-resolved-profile_catalog.xml | 35446 ------
 .../xml/FedRAMP_MODERATE-baseline_profile.xml |  8143 --
 ...IGH-baseline-resolved-profile_catalog.yaml | 86776 --------------
 .../yaml/FedRAMP_HIGH-baseline_profile.yaml   | 25999 ----
 ...aaS-baseline-resolved-profile_catalog.yaml | 34573 ------
 .../FedRAMP_LI-SaaS-baseline_profile.yaml     |  3132 -
 ...LOW-baseline-resolved-profile_catalog.yaml | 41309 -------
 .../yaml/FedRAMP_LOW-baseline_profile.yaml    | 12591 --
 ...ATE-baseline-resolved-profile_catalog.yaml | 72916 ------------
 .../FedRAMP_MODERATE-baseline_profile.yaml    | 21952 ----
 content/nist.gov/SP800-53/README.md           |    21 +-
 content/ssp-example/json/ssp-example-min.json |   376 -
 content/ssp-example/json/ssp-example.json     |   442 -
 content/ssp-example/xml/ssp-example.xml       |   304 -
 content/ssp-example/yaml/ssp-example.yaml     |   292 -
 src/content/README.md                         |    11 +-
 .../json/example-component-with-config.json   |    82 -
 .../components/json/example-component.json    |    55 -
 .../xml/import_component_definition_ut.xml    |    10 -
 .../xml/FedRAMP_HIGH-baseline_profile.xml     |  9689 --
 .../xml/FedRAMP_LI-SaaS-baseline_profile.xml  |  1734 -
 .../xml/FedRAMP_LOW-baseline_profile.xml      |  4623 -
 .../xml/FedRAMP_MODERATE-baseline_profile.xml |  8143 --
 .../mini-testing/Unit-Testing-Description.md  |    53 -
 .../oscal_01-identity_profile.xml             |    12 -
 .../oscal_01a-param-only_profile.xml          |    23 -
 .../mini-testing/oscal_02-all_profile.xml     |    12 -
 .../oscal_03-all-with-enh_profile.xml         |    14 -
 .../oscal_04-exclude1_profile.xml             |    17 -
 .../oscal_05-exclude2_profile.xml             |    16 -
 .../oscal_10-some-params_profile.xml          |    27 -
 .../oscal_11-more-params_profile.xml          |    70 -
 .../oscal_20-compound_profile.xml             |    26 -
 .../mini-testing/oscal_30-patched_profile.xml |    35 -
 .../oscal_31-patched-messy_profile.xml        |    51 -
 .../mini-testing/oscal_32-invalid_profile.xml |    56 -
 .../oscal_41-exceptions_profile.xml           |    49 -
 .../oscal_42-invoke-exceptions_profile.xml    |    24 -
 .../oscal_99includeACx2_profile.xml           |    70 -
 .../oscal_99includeRAx3_profile.xml           |    32 -
 .../oscal_dinosaur-testing_profile.xml        |    32 -
 .../mini-testing/oscal_dinosaur_profile.xml   |    88 -
 .../oscal_testing_dinosaur_catalog.xml        |    71 -
 .../oscal_testing_mini-testing_catalog.xml    |   476 -
 src/content/mini-testing/readme.md            |     6 -
 ...T_SP-800-53_rev4_HIGH-baseline_profile.xml |  1248 -
 ...ST_SP-800-53_rev4_LOW-baseline_profile.xml |   754 -
 ...-800-53_rev4_MODERATE-baseline_profile.xml |  1111 -
 .../rev4/xml/NIST_SP-800-53_rev4_catalog.xml  | 67541 -----------
 .../xml/NIST_SP-800-53_rev4_declarations.xml  |   108 -
 .../SP800-53/rev4/xml/conversion-notes.md     |    47 -
 .../xml/validate-labels_SP800-53-catalog.sch  |   125 -
 .../validate-names-etc_SP800-53-catalog.sch   |   197 -
 .../xml/NIST_SP-800-53_rev5-FPD_catalog.xml   | 26078 ----
 .../Master Validation List - DRAFT.xlsx       |   Bin 30805 -> 0 bytes
 ...AMP System Security Plan (SSP) Modeling.md |   716 -
 ...RAMP System Security Plan (SSP) Mock Up.md |   945 -
 src/content/ssp-example/json/ssp-example.json |   376 -
 src/content/ssp-example/readme.md             |     1 -
 src/content/ssp-example/ssp.sch               |    35 -
 src/content/ssp-example/validate.sh           |    37 -
 89 files changed, 7 insertions(+), 921151 deletions(-)
 delete mode 100644 content/components/json/example-component-min.json
 delete mode 100644 content/components/json/example-component.json
 delete mode 100644 content/components/xml/example-component.xml
 delete mode 100644 content/components/yaml/example-component.yaml
 delete mode 100644 content/fedramp.gov/json/FedRAMP_HIGH-baseline-resolved-profile_catalog-min.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile-min.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog-min.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline_profile-min.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline_profile.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_LOW-baseline-resolved-profile_catalog-min.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_LOW-baseline-resolved-profile_catalog.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_LOW-baseline_profile-min.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_LOW-baseline_profile.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog-min.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_MODERATE-baseline_profile-min.json
 delete mode 100644 content/fedramp.gov/json/FedRAMP_MODERATE-baseline_profile.json
 delete mode 100644 content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml
 delete mode 100644 content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
 delete mode 100644 content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml
 delete mode 100644 content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml
 delete mode 100644 content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml
 delete mode 100644 content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
 delete mode 100644 content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml
 delete mode 100644 content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
 delete mode 100644 content/fedramp.gov/yaml/FedRAMP_HIGH-baseline-resolved-profile_catalog.yaml
 delete mode 100644 content/fedramp.gov/yaml/FedRAMP_HIGH-baseline_profile.yaml
 delete mode 100644 content/fedramp.gov/yaml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.yaml
 delete mode 100644 content/fedramp.gov/yaml/FedRAMP_LI-SaaS-baseline_profile.yaml
 delete mode 100644 content/fedramp.gov/yaml/FedRAMP_LOW-baseline-resolved-profile_catalog.yaml
 delete mode 100644 content/fedramp.gov/yaml/FedRAMP_LOW-baseline_profile.yaml
 delete mode 100644 content/fedramp.gov/yaml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.yaml
 delete mode 100644 content/fedramp.gov/yaml/FedRAMP_MODERATE-baseline_profile.yaml
 delete mode 100644 content/ssp-example/json/ssp-example-min.json
 delete mode 100644 content/ssp-example/json/ssp-example.json
 delete mode 100644 content/ssp-example/xml/ssp-example.xml
 delete mode 100644 content/ssp-example/yaml/ssp-example.yaml
 delete mode 100644 src/content/components/json/example-component-with-config.json
 delete mode 100644 src/content/components/json/example-component.json
 delete mode 100644 src/content/components/xml/import_component_definition_ut.xml
 delete mode 100644 src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
 delete mode 100644 src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml
 delete mode 100644 src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
 delete mode 100644 src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
 delete mode 100644 src/content/mini-testing/Unit-Testing-Description.md
 delete mode 100644 src/content/mini-testing/oscal_01-identity_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_01a-param-only_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_02-all_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_03-all-with-enh_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_04-exclude1_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_05-exclude2_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_10-some-params_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_11-more-params_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_20-compound_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_30-patched_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_31-patched-messy_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_32-invalid_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_41-exceptions_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_42-invoke-exceptions_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_99includeACx2_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_99includeRAx3_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_dinosaur-testing_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_dinosaur_profile.xml
 delete mode 100644 src/content/mini-testing/oscal_testing_dinosaur_catalog.xml
 delete mode 100644 src/content/mini-testing/oscal_testing_mini-testing_catalog.xml
 delete mode 100644 src/content/mini-testing/readme.md
 delete mode 100644 src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml
 delete mode 100644 src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml
 delete mode 100644 src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml
 delete mode 100644 src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml
 delete mode 100644 src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_declarations.xml
 delete mode 100644 src/content/nist.gov/SP800-53/rev4/xml/conversion-notes.md
 delete mode 100644 src/content/nist.gov/SP800-53/rev4/xml/validate-labels_SP800-53-catalog.sch
 delete mode 100644 src/content/nist.gov/SP800-53/rev4/xml/validate-names-etc_SP800-53-catalog.sch
 delete mode 100644 src/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_catalog.xml
 delete mode 100644 src/content/ssp-example/Master Validation List - DRAFT.xlsx
 delete mode 100644 src/content/ssp-example/OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling.md
 delete mode 100644 src/content/ssp-example/OSCAL Implementation Layer_ FedRAMP System Security Plan (SSP) Mock Up.md
 delete mode 100644 src/content/ssp-example/json/ssp-example.json
 delete mode 100644 src/content/ssp-example/readme.md
 delete mode 100644 src/content/ssp-example/ssp.sch
 delete mode 100644 src/content/ssp-example/validate.sh

diff --git a/content/README.md b/content/README.md
index f0976efd17..db667e3686 100644
--- a/content/README.md
+++ b/content/README.md
@@ -1,9 +1,3 @@
 # OSCAL Examples
 
-This directory contains OSCAL examples in both XML and JSON formats. Some examples are considered provisional "finished" versions of OSCAL catalogs and profiles; they are not authoritative but are intended as demonstrations of OSCAL. Other examples are works in progress. Each subdirectory within the examples directory clearly indicates the current status of its example files.
-
-The structure and contents of the examples directory are as follows:
-
- * [fedramp.gov](fedramp.gov): This directory contains examples in XML and JSON formats of the low, moderate, and high baselines defined by FedRAMP (the Federal Risk and Authorization Management Program).
- * [nist.gov/SP800-53/rev4](nist.gov/SP800-53/rev4): This directory contains examples in XML and JSON formats of the low, moderate, and high baselines defined by NIST Special Publication (SP) 800-53 Revision 4.
-
+All OSCAL content examples have been moved to the [OSCAL content GitHub repository](https://github.com/usnistgov/oscal-content).
diff --git a/content/components/json/example-component-min.json b/content/components/json/example-component-min.json
deleted file mode 100644
index e2dbe89a86..0000000000
--- a/content/components/json/example-component-min.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
-    "component-definition": {
-        "metadata": {
-            "title": "Test Component Defintion",
-            "last-modified": "2019-08-21T15:24:24.389Z",
-            "version": "20200723",
-            "oscal-version": "1.0.0-milestone2",
-            "parties": [
-                {
-                    "uuid": "ee47836c-877c-4007-bbf3-c9d9bd805a9a",
-                    "party-name": "Test Vendor",
-                    "type": "organization"
-                }
-            ]
-        },
-        "components": {
-            "b036a6ac-6cff-4066-92bc-74ddfd9ad6fa": {
-                "name": "test component 1",
-                "component-type": "software",
-                "title": "test component 1",
-                "description": "This is a software component that implements basic authentication mechanisms.",
-                "responsible-parties": {
-                    "supplier": {
-                        "party-uuids": ["ee47836c-877c-4007-bbf3-c9d9bd805a9a"]
-                    }
-                },
-                "control-implementations": [
-                    {
-                        "uuid": "cfcdd674-8595-4f98-a9d1-3ac70825c49f",
-                        "source": "../../../content/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-                        "description": "This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (2).",
-                        "implemented-requirements": [
-                            {
-                                "uuid": "d1016df0-9b5c-4839-86cd-f9c1d113077b",
-                                "description": "Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate.",
-                                "control-id": "ac-2.2"
-                            }
-                        ]
-                    },
-                    {
-                        "uuid": "22dbff65-9729-449f-9dfc-4e5fee0906de",
-                        "source": "../../../content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile.json",
-                        "description": "This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (2).",
-                        "implemented-requirements": [
-                            {
-                                "uuid": "65e30b37-0640-4844-9f42-b2a7ae944bb1",
-                                "control-id": "ac-2.2"
-                            }
-                        ]
-                    }
-                ]
-            }
-        }
-    }
-}
\ No newline at end of file
diff --git a/content/components/json/example-component.json b/content/components/json/example-component.json
deleted file mode 100644
index 858a9522a6..0000000000
--- a/content/components/json/example-component.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
-  "component-definition": {
-    "metadata": {
-      "title": "Test Component Defintion",
-      "last-modified": "2019-08-21T15:24:24.389Z",
-      "version": "20200723",
-      "oscal-version": "1.0.0-milestone2",
-      "parties": [
-        {
-          "uuid": "ee47836c-877c-4007-bbf3-c9d9bd805a9a",
-          "party-name": "Test Vendor",
-          "type": "organization"
-        }
-      ]
-    },
-    "components": {
-      "b036a6ac-6cff-4066-92bc-74ddfd9ad6fa": {
-        "name": "test component 1",
-        "component-type": "software",
-        "title": "test component 1",
-        "description": "This is a software component that implements basic authentication mechanisms.",
-        "responsible-parties": {
-          "supplier": {
-            "party-uuids": [
-              "ee47836c-877c-4007-bbf3-c9d9bd805a9a"
-            ]
-          }
-        },
-        "control-implementations": [
-          {
-            "uuid": "cfcdd674-8595-4f98-a9d1-3ac70825c49f",
-            "source": "../../../content/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-            "description": "This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (2).",
-            "implemented-requirements": [
-              {
-                "uuid": "d1016df0-9b5c-4839-86cd-f9c1d113077b",
-                "description": "Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate.",
-                "control-id": "ac-2.2"
-              }
-            ]
-          },
-          {
-            "uuid": "22dbff65-9729-449f-9dfc-4e5fee0906de",
-            "source": "../../../content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile.json",
-            "description": "This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (2).",
-            "implemented-requirements": [
-              {
-                "uuid": "65e30b37-0640-4844-9f42-b2a7ae944bb1",
-                "control-id": "ac-2.2"
-              }
-            ]
-          }
-        ]
-      }
-    }
-  }
-}
diff --git a/content/components/xml/example-component.xml b/content/components/xml/example-component.xml
deleted file mode 100644
index acf35420a1..0000000000
--- a/content/components/xml/example-component.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-   <metadata>
-      <title>Test Component Defintion</title>
-      <last-modified>2019-08-21T15:24:24.389Z</last-modified>
-      <version>20200723</version>
-      <oscal-version>1.0.0-milestone2</oscal-version>
-      <party uuid="ee47836c-877c-4007-bbf3-c9d9bd805a9a" type="organization">
-         <party-name>Test Vendor</party-name>
-      </party>
-   </metadata>
-   <component uuid="b036a6ac-6cff-4066-92bc-74ddfd9ad6fa"
-              name="test component 1"
-              component-type="software">
-      <title>test component 1</title>
-      <description>
-         <p>This is a software component that implements basic authentication mechanisms.</p>
-      </description>
-      <responsible-party role-id="supplier">
-         <party-uuid>ee47836c-877c-4007-bbf3-c9d9bd805a9a</party-uuid>
-      </responsible-party>
-      <control-implementation uuid="cfcdd674-8595-4f98-a9d1-3ac70825c49f"
-                              source="../../../content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml">
-         <description>
-            <p>This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (2).</p>
-         </description>
-         <implemented-requirement uuid="d1016df0-9b5c-4839-86cd-f9c1d113077b" control-id="ac-2.2">
-            <description>
-               <p>Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate.</p>
-            </description>
-         </implemented-requirement>
-      </control-implementation>
-      <control-implementation uuid="22dbff65-9729-449f-9dfc-4e5fee0906de"
-                              source="../../../content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml">
-         <description>
-            <p>This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (2).</p>
-         </description>
-         <implemented-requirement uuid="65e30b37-0640-4844-9f42-b2a7ae944bb1" control-id="ac-2.2"/>
-      </control-implementation>
-   </component>
-</component-definition>
diff --git a/content/components/yaml/example-component.yaml b/content/components/yaml/example-component.yaml
deleted file mode 100644
index 6dd8fa7f5c..0000000000
--- a/content/components/yaml/example-component.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-component-definition: 
-  metadata: 
-    title:         Test Component Defintion
-    last-modified: 2019-08-21T15:24:24.389Z
-    version:       20200723
-    oscal-version: 1.0.0-milestone2
-    parties: 
-      - 
-        uuid:       ee47836c-877c-4007-bbf3-c9d9bd805a9a
-        party-name: Test Vendor
-        type:       organization
-  components: 
-    b036a6ac-6cff-4066-92bc-74ddfd9ad6fa: 
-      name:                    test component 1
-      component-type:          software
-      title:                   test component 1
-      description:             This is a software component that implements basic authentication mechanisms.
-      responsible-parties: 
-        supplier: 
-          party-uuids: ee47836c-877c-4007-bbf3-c9d9bd805a9a
-      control-implementations: 
-        - 
-          uuid:                     cfcdd674-8595-4f98-a9d1-3ac70825c49f
-          source:                   ../../../content/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml
-          description:              This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (2).
-          implemented-requirements: 
-            - 
-              uuid:        d1016df0-9b5c-4839-86cd-f9c1d113077b
-              description: Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate.
-              control-id:  ac-2.2
-        - 
-          uuid:                     22dbff65-9729-449f-9dfc-4e5fee0906de
-          source:                   ../../../content/fedramp.gov/yaml/FedRAMP_HIGH-baseline_profile.yaml
-          description:              This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (2).
-          implemented-requirements: 
-            - 
-              uuid:       65e30b37-0640-4844-9f42-b2a7ae944bb1
-              control-id: ac-2.2
diff --git a/content/fedramp.gov/README.md b/content/fedramp.gov/README.md
index a136a82a6f..c5e589906f 100644
--- a/content/fedramp.gov/README.md
+++ b/content/fedramp.gov/README.md
@@ -1,31 +1,3 @@
-# Federal Risk and Authorization Management Program (FedRAMP) Profile Examples
+# Content Moved
 
-The following representations of the "High", "Moderate" and "Low" baselines (profiles) are derived from [source data](https://www.fedramp.gov/documents/) defined by FedRAMP:
-
-- [FedRAMP High Security Controls](https://www.fedramp.gov/assets/resources/documents/FedRAMP_High_Security_Controls.xlsx)
-- [FedRAMP MODERATE Security Controls](https://www.fedramp.gov/assets/resources/documents/FedRAMP_Moderate_Security_Controls.xlsx)
-- [FedRAMP LOW Security Controls](https://www.fedramp.gov/assets/resources/documents/FedRAMP_Low_Security_Controls.xlsx)
-
-Machine made OSCAL Profile versions:
-
-- [FedRAMP HIGH Baseline OSCAL Profile](xml/FedRAMP_HIGH-baseline_profile.xml)
-- [FedRAMP MODERATE Baseline OSCAL Profile](xml/FedRAMP_MODERATE-baseline_profile.xml)
-- [FedRAMP LOW Baseline OSCAL Profile](xml/FedRAMP_LOW-baseline_profile.xml)
-
-[JSON versions](json) are also available for the OSCAL profiles above containing equivalent content.
-
-Each one of these captures the (indicated) spreadsheet data and represents it as an OSCAL profile, calling controls in from the appropriate SP 800-53 rev4 baselines or when necessary from the SP 800-53 rev4 catalog.
-
-Specific FedRAMP guidance and parameter constraints are provided for each control.
-
-### Extraction / conversion process
-
-All control information from NIST SP 800-53 revision 4 and all FedRAMP control baseline details are correlated in an MS Access database, which is part of the MS Office 2016 product suite.
-The FedRAMP profiles are created with MS Access Visual Basic for Applications (VBA) code, which queries the information and creates OSCAL-compliant XML using MSXML Document Object Model (DOM) Version 6.
-This tool represents a proof-of-concept. Open-source tools may be developed in the future.
-
-### Special considerations
-
-Note also the profiles here make reference to profiles and catalogs stored in the neighbor '[SP 800-53](../nist.gov/SP800-53)' directory, on which they are dependent.
-
-Also note that (at least according to Schematron `oscal-profiles-sources.sch`), several of the OSCAL invocations in these profiles could be rewritten to exclude rather than include controls. In a number of cases, invoking controls by exclusion will be much more concise than the same control set (selection) expressed by inclusion; the Schematron detects and reports on this.
+All OSCAL FedRAMP content have been moved to the [OSCAL content GitHub repository](https://github.com/usnistgov/oscal-content/tree/master/fedramp.gov).
diff --git a/content/fedramp.gov/json/FedRAMP_HIGH-baseline-resolved-profile_catalog-min.json b/content/fedramp.gov/json/FedRAMP_HIGH-baseline-resolved-profile_catalog-min.json
deleted file mode 100644
index 4652968af6..0000000000
--- a/content/fedramp.gov/json/FedRAMP_HIGH-baseline-resolved-profile_catalog-min.json
+++ /dev/null
@@ -1 +0,0 @@
-{"catalog":{"uuid":"a8ace2a3-4082-40eb-be07-0b0cd7bb4c15","metadata":{"title":"FedRAMP High Baseline","published":"2020-06-01T00:00:00.000-04:00","last-modified":"2020-06-01T10:00:00.000-04:00","version":"1.2","oscal-version":"1.0.0-milestone3","properties":[{"name":"resolution-timestamp","value":"2020-08-31T17:38:24.694738Z"}],"links":[{"href":"FedRAMP_HIGH-baseline_profile.xml","rel":"resolution-source","text":"FedRAMP High Baseline"}],"roles":[{"id":"parpared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"parties":[{"uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","type":"organization","party-name":"Federal Risk and Authorization Management Program: Program Management Office","short-name":"FedRAMP PMO","links":[{"href":"https://fedramp.gov","rel":"homepage","text":""}],"addresses":[{"type":"work","postal-address":["1800 F St. NW",""],"city":"Washington","state":"DC","postal-code":"","country":"US"}],"email-addresses":["info@fedramp.gov"]},{"uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","type":"organization","party-name":"Federal Risk and Authorization Management Program: Joint Authorization Board","short-name":"FedRAMP JAB"}],"responsible-parties":{"prepared-by":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-pmo":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-jab":{"party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}}},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","parameters":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ac-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and\n                     associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Access control policy {{ ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be\n                        disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or\n                        roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control\n                        policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the\n                        organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control\n                        procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","parameters":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency","constraints":[{"detail":"monthly for privileged accessed, every six (6) months for non-privileged access"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to\n                  support organizational missions/business functions: {{ ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership,\n                  and access authorizations (i.e., privileges) and other attributes (as required)\n                  for each account;"},{"id":"ac-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ ac-2_prm_2 }} for requests to create\n                  information system accounts;"},{"id":"ac-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in\n                  accordance with {{ ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated\n                     missions/business functions;"}]},{"id":"ac-2_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","properties":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group,\n               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and\n               service. Some of the account management requirements listed above can be implemented\n               by organizational information systems. The identification of authorized users of the\n               information system and the specification of access privileges reflects the\n               requirements in other security controls in the security plan. Users requiring\n               administrative privileges on information system accounts receive additional scrutiny\n               by appropriate organizational personnel (e.g., system owner, mission/business owner,\n               or chief information security officer) responsible for approving such accounts and\n               privileged access. Organizations may choose to define access privileges or other\n               attributes by account, by type of account, or a combination of both. Other attributes\n               required for authorizing access include, for example, restrictions on time-of-day,\n               day-of-week, and point-of-origin. In defining other account attributes, organizations\n               consider system-related requirements (e.g., scheduled maintenance, system upgrades)\n               and mission/business requirements, (e.g., time zone differences, customer\n               requirements, remote access to support travel requirements). Failure to consider\n               these factors could affect information system availability. Temporary and emergency\n               accounts are accounts intended for short-term use. Organizations establish temporary\n               accounts as a part of normal account activation procedures when there is a need for\n               short-term accounts without the demand for immediacy in account activation.\n               Organizations establish emergency accounts in response to crisis situations and with\n               the need for rapid account activation. Therefore, emergency account activation may\n               bypass normal account authorization processes. Emergency and temporary accounts are\n               not to be confused with infrequently used accounts (e.g., local logon accounts used\n               for special tasks defined by organizations or when network resources are\n               unavailable). Such accounts remain available and are not subject to automatic\n               disabling or removal dates. Conditions for disabling or deactivating accounts\n               include, for example: (i) when shared/group, emergency, or temporary accounts are no\n               longer required; or (ii) when individuals are transferred or terminated. Some types\n               of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-10","rel":"related","text":"AC-10"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","properties":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to\n                     support organizational missions/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to\n                     support organizational missions/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","properties":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","properties":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information\n                     system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to\n                     create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","properties":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated\n                     missions/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","properties":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management\n                     requirements;"},{"id":"ac-2.j_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the\n                     organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of active system accounts along with the name of the individual associated\n                  with each account\\n\\nlist of conditions for group and role membership\\n\\nnotifications or records of recently transferred, separated, or terminated\n                  employees\\n\\nlist of recently disabled information system accounts along with the name of the\n                  individual associated with each account\\n\\naccess authorization records\\n\\naccount management compliance reviews\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\\n\\nautomated mechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","properties":[{"name":"label","value":"AC-2(1)"},{"name":"sort-id","value":"ac-02.01"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the management of\n                  information system accounts."},{"id":"ac-2.1_gdn","name":"guidance","prose":"The use of automated mechanisms can include, for example: using email or text\n                  messaging to automatically notify account managers when users are terminated or\n                  transferred; using the information system to monitor account usage; and using\n                  telephonic notification to report atypical system account usage."},{"id":"ac-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to support the\n                  management of information system accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Removal of Temporary / Emergency Accounts","parameters":[{"id":"ac-2.2_prm_1","constraints":[{"detail":"Selection: disables"}]},{"id":"ac-2.2_prm_2","label":"organization-defined time period for each type of account","constraints":[{"detail":"24 hours from last use"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2(2)"},{"name":"sort-id","value":"ac-02.02"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"The information system automatically {{ ac-2.2_prm_1 }} temporary\n                  and emergency accounts after {{ ac-2.2_prm_2 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"This control enhancement requires the removal of both temporary and emergency\n                  accounts automatically after a predefined period of time has elapsed, rather than\n                  at the convenience of the systems administrator."},{"id":"ac-2.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(2)[1]"}],"prose":"the organization defines the time period after which the information system\n                     automatically removes or disables temporary and emergency accounts; and"},{"id":"ac-2.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(2)[2]"}],"prose":"the information system automatically removes or disables temporary and\n                     emergency accounts after the organization-defined time period for each type of\n                     account."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of temporary accounts removed and/or\n                     disabled\\n\\ninformation system-generated list of emergency accounts removed and/or\n                     disabled\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Inactive Accounts","parameters":[{"id":"ac-2.3_prm_1","label":"organization-defined time period","constraints":[{"detail":"35 days for user accounts"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2(3)"},{"name":"sort-id","value":"ac-02.03"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"The information system automatically disables inactive accounts after {{ ac-2.3_prm_1 }}.","parts":[{"id":"ac-2.3_fr","name":"item","title":"AC-2 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.3_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available."}]}]},{"id":"ac-2.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(3)[1]"}],"prose":"the organization defines the time period after which the information system\n                     automatically disables inactive accounts; and"},{"id":"ac-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(3)[2]"}],"prose":"the information system automatically disables inactive accounts after the\n                     organization-defined time period."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of temporary accounts removed and/or\n                     disabled\\n\\ninformation system-generated list of emergency accounts removed and/or\n                     disabled\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","parameters":[{"id":"ac-2.4_prm_1","label":"organization-defined personnel or roles","constraints":[{"detail":"organization and/or service provider system owner"}]}],"properties":[{"name":"label","value":"AC-2(4)"},{"name":"sort-id","value":"ac-02.04"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"The information system automatically audits account creation, modification,\n                  enabling, disabling, and removal actions, and notifies {{ ac-2.4_prm_1 }}."},{"id":"ac-2.4_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"ac-2.4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(4)[1]"}],"prose":"the information system automatically audits the following account actions:","parts":[{"id":"ac-2.4_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(4)[2]"}],"prose":"the organization defines personnel or roles to be notified of the following\n                     account actions:","parts":[{"id":"ac-2.4_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.2.d","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.2.e","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(4)[3]"}],"prose":"the information system notifies organization-defined personnel or roles of the\n                     following account actions:","parts":[{"id":"ac-2.4_obj.3.a","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.3.b","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.3.c","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.3.d","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][d]"}],"prose":"disabling; and"},{"id":"ac-2.4_obj.3.e","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][e]"}],"prose":"removal."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nnotifications/alerts of account creation, modification, enabling, disabling,\n                     and removal actions\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","parameters":[{"id":"ac-2.5_prm_1","label":"organization-defined time-period of expected inactivity or description of when\n                  to log out","constraints":[{"detail":"inactivity is anticipated to exceed Fifteen (15) minutes"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2(5)"},{"name":"sort-id","value":"ac-02.05"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"The organization requires that users log out when {{ ac-2.5_prm_1 }}.","parts":[{"id":"ac-2.5_fr","name":"item","title":"AC-2 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Should use a shorter timeframe than AC-12."}]}]},{"id":"ac-2.5_gdn","name":"guidance","links":[{"href":"#sc-23","rel":"related","text":"SC-23"}]},{"id":"ac-2.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(5)[1]"}],"prose":"defines either the time period of expected inactivity that requires users to\n                     log out or the description of when users are required to log out; and"},{"id":"ac-2.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(5)[2]"}],"prose":"requires that users log out when the organization-defined time period of\n                     inactivity is reached or in accordance with organization-defined description of\n                     when to log out."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity violation reports\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.7","class":"SP800-53-enhancement","title":"Role-based Schemes","parameters":[{"id":"ac-2.7_prm_1","label":"organization-defined actions","constraints":[{"detail":"disables/revokes access within a organization-specified timeframe"}]}],"properties":[{"name":"label","value":"AC-2(7)"},{"name":"sort-id","value":"ac-02.07"}],"parts":[{"id":"ac-2.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Establishes and administers privileged user accounts in accordance with a\n                     role-based access scheme that organizes allowed information system access and\n                     privileges into roles;"},{"id":"ac-2.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Monitors privileged role assignments; and"},{"id":"ac-2.7_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Takes {{ ac-2.7_prm_1 }} when privileged role assignments are no\n                     longer appropriate."}]},{"id":"ac-2.7_gdn","name":"guidance","prose":"Privileged roles are organization-defined roles assigned to individuals that allow\n                  those individuals to perform certain security-relevant functions that ordinary\n                  users are not authorized to perform. These privileged roles include, for example,\n                  key management, account management, network and system administration, database\n                  administration, and web administration."},{"id":"ac-2.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(7)(a)"}],"prose":"establishes and administers privileged user accounts in accordance with a\n                     role-based access scheme that organizes allowed information system access and\n                     privileges into roles;","links":[{"href":"#ac-2.7_smt.a","rel":"corresp","text":"AC-2(7)(a)"}]},{"id":"ac-2.7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(7)(b)"}],"prose":"monitors privileged role assignments;","links":[{"href":"#ac-2.7_smt.b","rel":"corresp","text":"AC-2(7)(b)"}]},{"id":"ac-2.7.c_obj","name":"objective","properties":[{"name":"label","value":"AC-2(7)(c)"}],"parts":[{"id":"ac-2.7.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(7)(c)[1]"}],"prose":"defines actions to be taken when privileged role assignments are no longer\n                        appropriate; and"},{"id":"ac-2.7.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(7)(c)[2]"}],"prose":"takes organization-defined actions when privileged role assignments are no\n                        longer appropriate."}],"links":[{"href":"#ac-2.7_smt.c","rel":"corresp","text":"AC-2(7)(c)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of privileged user accounts and associated\n                     role\\n\\nrecords of actions taken when privileged role assignments are no longer\n                     appropriate\\n\\ninformation system audit records\\n\\naudit tracking and monitoring reports\\n\\ninformation system monitoring records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions\\n\\nautomated mechanisms monitoring privileged role assignments"}]}]},{"id":"ac-2.9","class":"SP800-53-enhancement","title":"Restrictions On Use of Shared / Group Accounts","parameters":[{"id":"ac-2.9_prm_1","label":"organization-defined conditions for establishing shared/group accounts","constraints":[{"detail":"organization-defined need with justification statement that explains why such accounts are necessary"}]}],"properties":[{"name":"label","value":"AC-2(9)"},{"name":"sort-id","value":"ac-02.09"}],"parts":[{"id":"ac-2.9_smt","name":"statement","prose":"The organization only permits the use of shared/group accounts that meet {{ ac-2.9_prm_1 }}.","parts":[{"id":"ac-2.9_fr","name":"item","title":"AC-2 (9) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.9_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Required if shared/group accounts are deployed"}]}]},{"id":"ac-2.9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.9_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(9)[1]"}],"prose":"defines conditions for establishing shared/group accounts; and"},{"id":"ac-2.9_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(9)[2]"}],"prose":"only permits the use of shared/group accounts that meet organization-defined\n                     conditions for establishing shared/group accounts."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of shared/group accounts and associated role\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of shared/group accounts"}]}]},{"id":"ac-2.10","class":"SP800-53-enhancement","title":"Shared / Group Account Credential Termination","properties":[{"name":"label","value":"AC-2(10)"},{"name":"sort-id","value":"ac-02.10"}],"parts":[{"id":"ac-2.10_smt","name":"statement","prose":"The information system terminates shared/group account credentials when members\n                  leave the group.","parts":[{"id":"ac-2.10_fr","name":"item","title":"AC-2 (10) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.10_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Required if shared/group accounts are deployed"}]}]},{"id":"ac-2.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system terminates shared/group account credentials\n                  when members leave the group."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naccount access termination records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.11","class":"SP800-53-enhancement","title":"Usage Conditions","parameters":[{"id":"ac-2.11_prm_1","label":"organization-defined circumstances and/or usage conditions"},{"id":"ac-2.11_prm_2","label":"organization-defined information system accounts"}],"properties":[{"name":"label","value":"AC-2(11)"},{"name":"sort-id","value":"ac-02.11"}],"parts":[{"id":"ac-2.11_smt","name":"statement","prose":"The information system enforces {{ ac-2.11_prm_1 }} for {{ ac-2.11_prm_2 }}."},{"id":"ac-2.11_gdn","name":"guidance","prose":"Organizations can describe the specific conditions or circumstances under which\n                  information system accounts can be used, for example, by restricting usage to\n                  certain days of the week, time of day, or specific durations of time."},{"id":"ac-2.11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.11_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(11)[1]"}],"prose":"the organization defines circumstances and/or usage conditions to be enforced\n                     for information system accounts;"},{"id":"ac-2.11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(11)[2]"}],"prose":"the organization defines information system accounts for which\n                     organization-defined circumstances and/or usage conditions are to be enforced;\n                     and"},{"id":"ac-2.11_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(11)[3]"}],"prose":"the information system enforces organization-defined circumstances and/or usage\n                     conditions for organization-defined information system accounts."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of information system accounts and associated assignments\n                     of usage circumstances and/or usage conditions\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring / Atypical Usage","parameters":[{"id":"ac-2.12_prm_1","label":"organization-defined atypical usage"},{"id":"ac-2.12_prm_2","label":"organization-defined personnel or roles","constraints":[{"detail":"at a minimum, the ISSO and/or similar role within the organization"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2(12)"},{"name":"sort-id","value":"ac-02.12"}],"parts":[{"id":"ac-2.12_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2.12_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Monitors information system accounts for {{ ac-2.12_prm_1 }};\n                     and"},{"id":"ac-2.12_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Reports atypical usage of information system accounts to {{ ac-2.12_prm_2 }}."},{"id":"ac-2.12_fr","name":"item","title":"AC-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) Guidance:"}],"prose":"Required for privileged accounts."},{"id":"ac-2.12_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Required for privileged accounts."}]}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes, for example, accessing information systems at certain\n                  times of the day and from locations that are not consistent with the normal usage\n                  patterns of individuals working in organizations.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"}]},{"id":"ac-2.12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.12.a_obj","name":"objective","properties":[{"name":"label","value":"AC-2(12)(a)"}],"parts":[{"id":"ac-2.12.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(12)(a)[1]"}],"prose":"defines atypical usage to be monitored for information system accounts;"},{"id":"ac-2.12.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(12)(a)[2]"}],"prose":"monitors information system accounts for organization-defined atypical\n                        usage;"}],"links":[{"href":"#ac-2.12_smt.a","rel":"corresp","text":"AC-2(12)(a)"}]},{"id":"ac-2.12.b_obj","name":"objective","properties":[{"name":"label","value":"AC-2(12)(b)"}],"parts":[{"id":"ac-2.12.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(12)(b)[1]"}],"prose":"defines personnel or roles to whom atypical usage of information system\n                        accounts are to be reported; and"},{"id":"ac-2.12.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(12)(b)[2]"}],"prose":"reports atypical usage of information system accounts to\n                        organization-defined personnel or roles."}],"links":[{"href":"#ac-2.12_smt.b","rel":"corresp","text":"AC-2(12)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\naudit tracking and monitoring reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","parameters":[{"id":"ac-2.13_prm_1","label":"organization-defined time period","constraints":[{"detail":"one (1) hour"}]}],"properties":[{"name":"label","value":"AC-2(13)"},{"name":"sort-id","value":"ac-02.13"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"The organization disables accounts of users posing a significant risk within\n                     {{ ac-2.13_prm_1 }} of discovery of the risk."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users posing a significant risk to organizations include individuals for whom\n                  reliable evidence or intelligence indicates either the intention to use authorized\n                  access to information systems to cause harm or through whom adversaries will cause\n                  harm. Harm includes potential adverse impacts to organizational operations and\n                  assets, individuals, other organizations, or the Nation. Close coordination\n                  between authorizing officials, information system administrators, and human\n                  resource managers is essential in order for timely execution of this control\n                  enhancement.","links":[{"href":"#ps-4","rel":"related","text":"PS-4"}]},{"id":"ac-2.13_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-2.13_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(13)[1]"}],"prose":"defines the time period within which accounts are disabled upon discovery of a\n                     significant risk posed by users of such accounts; and"},{"id":"ac-2.13_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(13)[2]"}],"prose":"disables accounts of users posing a significant risk within the\n                     organization-defined time period of discovery of the risk."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of disabled accounts\\n\\nlist of user activities posing significant organizational risk\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","properties":[{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to\n               information and system resources in accordance with applicable access control\n               policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control\n               matrices, cryptography) control access between active entities or subjects (i.e.,\n               users or processes acting on behalf of users) and passive entities or objects (e.g.,\n               devices, files, records, domains) in information systems. In addition to enforcing\n               authorized access at the information system level and recognizing that information\n               systems can host many applications and services in support of organizational missions\n               and business operations, access enforcement mechanisms can also be employed at the\n               application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"}]},{"id":"ac-3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system enforces approved authorizations for logical\n               access to information and system resources in accordance with applicable access\n               control policies."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of approved authorizations (user privileges)\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","parameters":[{"id":"ac-4_prm_1","label":"organization-defined information flow control policies"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-4"},{"name":"sort-id","value":"ac-04"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"The information system enforces approved authorizations for controlling the flow of\n               information within the system and between interconnected systems based on {{ ac-4_prm_1 }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information is allowed to travel within an\n               information system and between information systems (as opposed to who is allowed to\n               access the information) and without explicit regard to subsequent accesses to that\n               information. Flow control restrictions include, for example, keeping\n               export-controlled information from being transmitted in the clear to the Internet,\n               blocking outside traffic that claims to be from within the organization, restricting\n               web requests to the Internet that are not from the internal web proxy server, and\n               limiting information transfers between organizations based on data structures and\n               content. Transferring information between information systems representing different\n               security domains with different security policies introduces risk that such transfers\n               violate one or more domain security policies. In such situations, information\n               owners/stewards provide guidance at designated policy enforcement points between\n               interconnected systems. Organizations consider mandating specific architectural\n               solutions when required to enforce specific security policies. Enforcement includes,\n               for example: (i) prohibiting information transfers between interconnected systems\n               (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way\n               information flows; and (iii) implementing trustworthy regrading mechanisms to\n               reassign security attributes and security labels. Organizations commonly employ\n               information flow control policies and enforcement mechanisms to control the flow of\n               information between designated sources and destinations (e.g., networks, individuals,\n               and devices) within information systems and between interconnected systems. Flow\n               control is based on the characteristics of the information and/or the information\n               path. Enforcement occurs, for example, in boundary protection devices (e.g.,\n               gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or\n               establish configuration settings that restrict information system services, provide a\n               packet-filtering capability based on header information, or message-filtering\n               capability based on message content (e.g., implementing key word searches or using\n               document characteristics). Organizations also consider the trustworthiness of\n               filtering/inspection mechanisms (i.e., hardware, firmware, and software components)\n               that are critical to information flow enforcement. Control enhancements 3 through 22\n               primarily address cross-domain solution needs which focus on more advanced filtering\n               techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented\n               in cross-domain products, for example, high-assurance guards. Such capabilities are\n               generally not available in commercial off-the-shelf information technology\n               products.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"}]},{"id":"ac-4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-4_obj.1","name":"objective","properties":[{"name":"label","value":"AC-4[1]"}],"prose":"the organization defines information flow control policies to control the flow of\n                  information within the system and between interconnected systems; and"},{"id":"ac-4_obj.2","name":"objective","properties":[{"name":"label","value":"AC-4[2]"}],"prose":"the information system enforces approved authorizations for controlling the flow\n                  of information within the system and between interconnected systems based on\n                  organization-defined information flow control policies."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system baseline configuration\\n\\nlist of information flow authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement policy"}]}],"controls":[{"id":"ac-4.8","class":"SP800-53-enhancement","title":"Security Policy Filters","parameters":[{"id":"ac-4.8_prm_1","label":"organization-defined security policy filters"},{"id":"ac-4.8_prm_2","label":"organization-defined information flows"}],"properties":[{"name":"label","value":"AC-4(8)"},{"name":"sort-id","value":"ac-04.08"}],"parts":[{"id":"ac-4.8_smt","name":"statement","prose":"The information system enforces information flow control using {{ ac-4.8_prm_1 }} as a basis for flow control decisions for {{ ac-4.8_prm_2 }}."},{"id":"ac-4.8_gdn","name":"guidance","prose":"Organization-defined security policy filters can address data structures and\n                  content. For example, security policy filters for data structures can check for\n                  maximum file lengths, maximum field sizes, and data/file types (for structured and\n                  unstructured data). Security policy filters for data content can check for\n                  specific words (e.g., dirty/clean word filters), enumerated values or data value\n                  ranges, and hidden content. Structured data permits the interpretation of data\n                  content by applications. Unstructured data typically refers to digital information\n                  without a particular data structure or with a data structure that does not\n                  facilitate the development of rule sets to address the particular sensitivity of\n                  the information conveyed by the data or the associated flow enforcement decisions.\n                  Unstructured data consists of: (i) bitmap objects that are inherently non\n                  language-based (i.e., image, video, or audio files); and (ii) textual objects that\n                  are based on written or printed languages (e.g., commercial off-the-shelf word\n                  processing documents, spreadsheets, or emails). Organizations can implement more\n                  than one security policy filter to meet information flow control objectives (e.g.,\n                  employing clean word lists in conjunction with dirty word lists may help to reduce\n                  false positives)."},{"id":"ac-4.8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-4.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-4(8)[1]"}],"prose":"the organization defines security policy filters to be used as a basis for\n                     enforcing flow control decisions;"},{"id":"ac-4.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-4(8)[2]"}],"prose":"the organization defines information flows for which flow control decisions are\n                     to be applied and enforced; and"},{"id":"ac-4.8_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-4(8)[3]"}],"prose":"the information system enforces information flow control using\n                     organization-defined security policy filters as a basis for flow control\n                     decisions for organization-defined information flows."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security policy filters regulating flow control decisions\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.21","class":"SP800-53-enhancement","title":"Physical / Logical Separation of Information Flows","parameters":[{"id":"ac-4.21_prm_1","label":"organization-defined mechanisms and/or techniques"},{"id":"ac-4.21_prm_2","label":"organization-defined required separations by types of information"}],"properties":[{"name":"label","value":"AC-4(21)"},{"name":"sort-id","value":"ac-04.21"}],"parts":[{"id":"ac-4.21_smt","name":"statement","prose":"The information system separates information flows logically or physically using\n                     {{ ac-4.21_prm_1 }} to accomplish {{ ac-4.21_prm_2 }}."},{"id":"ac-4.21_gdn","name":"guidance","prose":"Enforcing the separation of information flows by type can enhance protection by\n                  ensuring that information is not commingled while in transit and by enabling flow\n                  control by transmission paths perhaps not otherwise achievable. Types of separable\n                  information include, for example, inbound and outbound communications traffic,\n                  service requests and responses, and information of differing security\n                  categories."},{"id":"ac-4.21_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ac-4.21_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-4(21)[1]"}],"prose":"the organization defines the required separations of information flows by types\n                     of information;"},{"id":"ac-4.21_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-4(21)[2]"}],"prose":"the organization defines the mechanisms and/or techniques to be used to\n                     separate information flows logically or physically; and"},{"id":"ac-4.21_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-4(21)[3]"}],"prose":"the information system separates information flows logically or physically\n                     using organization-defined mechanisms and/or techniques to accomplish\n                     organization-defined required separations by types of information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information flow enforcement policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of required separation of information flows by information types\\n\\nlist of mechanisms and/or techniques used to logically or physically separate\n                     information flows\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information flow enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement functions"}]}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","parameters":[{"id":"ac-5_prm_1","label":"organization-defined duties of individuals"}],"properties":[{"name":"label","value":"AC-5"},{"name":"sort-id","value":"ac-05"}],"parts":[{"id":"ac-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Separates {{ ac-5_prm_1 }};"},{"id":"ac-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents separation of duties of individuals; and"},{"id":"ac-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Defines information system access authorizations to support separation of\n                  duties."},{"id":"ac-5_fr","name":"item","title":"AC-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP."}]}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and\n               helps to reduce the risk of malevolent activity without collusion. Separation of\n               duties includes, for example: (i) dividing mission functions and information system\n               support functions among different individuals and/or roles; (ii) conducting\n               information system support functions with different individuals (e.g., system\n               management, programming, configuration management, quality assurance and testing, and\n               network security); and (iii) ensuring security personnel administering access control\n               functions do not also administer audit functions.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ps-2","rel":"related","text":"PS-2"}]},{"id":"ac-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-5.a_obj","name":"objective","properties":[{"name":"label","value":"AC-5(a)"}],"parts":[{"id":"ac-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-5(a)[1]"}],"prose":"defines duties of individuals to be separated;"},{"id":"ac-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-5(a)[2]"}],"prose":"separates organization-defined duties of individuals;"}]},{"id":"ac-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-5(b)"}],"prose":"documents separation of duties; and"},{"id":"ac-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-5(c)"}],"prose":"defines information system access authorizations to support separation of\n                  duties."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing divisions of responsibility and separation of duties\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of divisions of responsibility and separation of duties\\n\\ninformation system access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions\n                  of responsibility and separation of duties\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","properties":[{"name":"label","value":"AC-6"},{"name":"sort-id","value":"ac-06"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"The organization employs the principle of least privilege, allowing only authorized\n               accesses for users (or processes acting on behalf of users) which are necessary to\n               accomplish assigned tasks in accordance with organizational missions and business\n               functions."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and information systems. The\n               principle of least privilege is also applied to information system processes,\n               ensuring that the processes operate at privilege levels no higher than necessary to\n               accomplish required organizational missions/business functions. Organizations\n               consider the creation of additional processes, roles, and information system accounts\n               as necessary, to achieve least privilege. Organizations also apply least privilege to\n               the development, implementation, and operation of organizational information\n               systems.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#pl-2","rel":"related","text":"PL-2"}]},{"id":"ac-6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs the principle of least privilege, allowing only\n               authorized access for users (and processes acting on behalf of users) which are\n               necessary to accomplish assigned tasks in accordance with organizational missions and\n               business functions. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of assigned access authorizations (user privileges)\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                  necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","parameters":[{"id":"ac-6.1_prm_1","label":"organization-defined security functions (deployed in hardware, software, and\n                  firmware) and security-relevant information","constraints":[{"detail":"all functions not publicly accessible and all security-relevant information not publicly available"}]}],"properties":[{"name":"label","value":"AC-6(1)"},{"name":"sort-id","value":"ac-06.01"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"The organization explicitly authorizes access to {{ ac-6.1_prm_1 }}."},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include, for example, establishing system accounts, configuring\n                  access authorizations (i.e., permissions, privileges), setting events to be\n                  audited, and setting intrusion detection parameters. Security-relevant information\n                  includes, for example, filtering rules for routers/firewalls, cryptographic key\n                  management information, configuration parameters for security services, and access\n                  control lists. Explicitly authorized personnel include, for example, security\n                  administrators, system and network administrators, system security officers,\n                  system maintenance personnel, system programmers, and other privileged users.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"}]},{"id":"ac-6.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-6.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(1)[1]"}],"prose":"defines security-relevant information for which access must be explicitly\n                     authorized;"},{"id":"ac-6.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(1)[2]"}],"prose":"defines security functions deployed in:","parts":[{"id":"ac-6.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-6(1)[2][a]"}],"prose":"hardware;"},{"id":"ac-6.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-6(1)[2][b]"}],"prose":"software;"},{"id":"ac-6.1_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-6(1)[2][c]"}],"prose":"firmware;"}]},{"id":"ac-6.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(1)[3]"}],"prose":"explicitly authorizes access to:","parts":[{"id":"ac-6.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"AC-6(1)[3][a]"}],"prose":"organization-defined security functions; and"},{"id":"ac-6.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"AC-6(1)[3][b]"}],"prose":"security-relevant information."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of security functions (deployed in hardware, software, and firmware) and\n                     security-relevant information for which access must be explicitly\n                     authorized\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","parameters":[{"id":"ac-6.2_prm_1","label":"organization-defined security functions or security-relevant\n                  information","constraints":[{"detail":"all security functions"}]}],"properties":[{"name":"label","value":"AC-6(2)"},{"name":"sort-id","value":"ac-06.02"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"The organization requires that users of information system accounts, or roles,\n                  with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or\n                  roles, when accessing nonsecurity functions.","parts":[{"id":"ac-6.2_fr","name":"item","title":"AC-6 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-6.2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions."}]}]},{"id":"ac-6.2_gdn","name":"guidance","prose":"This control enhancement limits exposure when operating from within privileged\n                  accounts or roles. The inclusion of roles addresses situations where organizations\n                  implement access control policies such as role-based access control and where a\n                  change of role provides the same degree of assurance in the change of access\n                  authorizations for both the user and all processes acting on behalf of the user as\n                  would be provided by a change between a privileged and non-privileged account.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"ac-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(2)[1]"}],"prose":"defines security functions or security-relevant information to which users of\n                     information system accounts, or roles, have access; and"},{"id":"ac-6.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(2)[2]"}],"prose":"requires that users of information system accounts, or roles, with access to\n                     organization-defined security functions or security-relevant information, use\n                     non-privileged accounts, or roles, when accessing nonsecurity functions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated security functions or security-relevant information\n                     assigned to information system accounts or roles\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.3","class":"SP800-53-enhancement","title":"Network Access to Privileged Commands","parameters":[{"id":"ac-6.3_prm_1","label":"organization-defined privileged commands","constraints":[{"detail":"all privileged commands"}]},{"id":"ac-6.3_prm_2","label":"organization-defined compelling operational needs"}],"properties":[{"name":"label","value":"AC-6(3)"},{"name":"sort-id","value":"ac-06.03"}],"parts":[{"id":"ac-6.3_smt","name":"statement","prose":"The organization authorizes network access to {{ ac-6.3_prm_1 }}\n                  only for {{ ac-6.3_prm_2 }} and documents the rationale for such\n                  access in the security plan for the information system."},{"id":"ac-6.3_gdn","name":"guidance","prose":"Network access is any access across a network connection in lieu of local access\n                  (i.e., user being physically present at the device).","links":[{"href":"#ac-17","rel":"related","text":"AC-17"}]},{"id":"ac-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(3)[1]"}],"prose":"defines privileged commands to which network access is to be authorized only\n                     for compelling operational needs;"},{"id":"ac-6.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(3)[2]"}],"prose":"defines compelling operational needs for which network access to\n                     organization-defined privileged commands are to be solely authorized;"},{"id":"ac-6.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(3)[3]"}],"prose":"authorizes network access to organization-defined privileged commands only for\n                     organization-defined compelling operational needs; and"},{"id":"ac-6.3_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-6(3)[4]"}],"prose":"documents the rationale for authorized network access to organization-defined\n                     privileged commands in the security plan for the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of operational needs for authorizing network access to privileged\n                     commands\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","parameters":[{"id":"ac-6.5_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AC-6(5)"},{"name":"sort-id","value":"ac-06.05"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"The organization restricts privileged accounts on the information system to\n                     {{ ac-6.5_prm_1 }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as\n                  system administrator for various types of commercial off-the-shelf operating\n                  systems. Restricting privileged accounts to specific personnel or roles prevents\n                  day-to-day users from having access to privileged information/functions.\n                  Organizations may differentiate in the application of this control enhancement\n                  between allowed privileges for local accounts and for domain accounts provided\n                  organizations retain the ability to control information system configurations for\n                  key security parameters and as otherwise necessary to sufficiently mitigate\n                  risk.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"}]},{"id":"ac-6.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(5)[1]"}],"prose":"defines personnel or roles for which privileged accounts on the information\n                     system are to be restricted; and"},{"id":"ac-6.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(5)[2]"}],"prose":"restricts privileged accounts on the information system to organization-defined\n                     personnel or roles."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated privileged accounts\\n\\nlist of system administration personnel\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","parameters":[{"id":"ac-6.7_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at a minimum, annually"}]},{"id":"ac-6.7_prm_2","label":"organization-defined roles or classes of users","constraints":[{"detail":"all users with privileges"}]}],"properties":[{"name":"label","value":"AC-6(7)"},{"name":"sort-id","value":"ac-06.07"}],"parts":[{"id":"ac-6.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-6.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Reviews {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Reassigns or removes privileges, if necessary, to correctly reflect\n                     organizational mission/business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time reflecting\n                  changes in organizational missions/business function, environments of operation,\n                  technologies, or threat. Periodic review of assigned user privileges is necessary\n                  to determine if the rationale for assigning such privileges remains valid. If the\n                  need cannot be revalidated, organizations take appropriate corrective actions.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"}]},{"id":"ac-6.7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-6.7.a_obj","name":"objective","properties":[{"name":"label","value":"AC-6(7)(a)"}],"parts":[{"id":"ac-6.7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(7)(a)[1]"}],"prose":"defines roles or classes of users to which privileges are assigned;"},{"id":"ac-6.7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(7)(a)[2]"}],"prose":"defines the frequency to review the privileges assigned to\n                        organization-defined roles or classes of users to validate the need for such\n                        privileges;"},{"id":"ac-6.7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-6(7)(a)[3]"}],"prose":"reviews the privileges assigned to organization-defined roles or classes of\n                        users with the organization-defined frequency to validate the need for such\n                        privileges; and"}],"links":[{"href":"#ac-6.7_smt.a","rel":"corresp","text":"AC-6(7)(a)"}]},{"id":"ac-6.7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(7)(b)"}],"prose":"reassigns or removes privileges, if necessary, to correctly reflect\n                     organizational missions/business needs.","links":[{"href":"#ac-6.7_smt.b","rel":"corresp","text":"AC-6(7)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated roles or classes of users and assigned privileges\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nvalidation reviews of privileges assigned to roles or classes or users\\n\\nrecords of privilege removals or reassignments for roles or classes of\n                     users\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing review of user privileges"}]}]},{"id":"ac-6.8","class":"SP800-53-enhancement","title":"Privilege Levels for Code Execution","parameters":[{"id":"ac-6.8_prm_1","label":"organization-defined software","constraints":[{"detail":"any software except software explicitly documented"}]}],"properties":[{"name":"label","value":"AC-6(8)"},{"name":"sort-id","value":"ac-06.08"}],"parts":[{"id":"ac-6.8_smt","name":"statement","prose":"The information system prevents {{ ac-6.8_prm_1 }} from executing\n                  at higher privilege levels than users executing the software."},{"id":"ac-6.8_gdn","name":"guidance","prose":"In certain situations, software applications/programs need to execute with\n                  elevated privileges to perform required functions. However, if the privileges\n                  required for execution are at a higher level than the privileges assigned to\n                  organizational users invoking such applications/programs, those users are\n                  indirectly provided with greater privileges than assigned by organizations."},{"id":"ac-6.8_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ac-6.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(8)[1]"}],"prose":"the organization defines software that should not execute at higher privilege\n                     levels than users executing the software; and"},{"id":"ac-6.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(8)[2]"}],"prose":"the information system prevents organization-defined software from executing at\n                     higher privilege levels than users executing the software."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of software that should not execute at higher privilege levels than users\n                     executing software\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions for software\n                     execution"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Auditing Use of Privileged Functions","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-6(9)"},{"name":"sort-id","value":"ac-06.09"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"The information system audits the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"Misuse of privileged functions, either intentionally or unintentionally by\n                  authorized users, or by unauthorized external entities that have compromised\n                  information system accounts, is a serious and ongoing concern and can have\n                  significant adverse impacts on organizations. Auditing the use of privileged\n                  functions is one way to detect such misuse, and in doing so, help mitigate the\n                  risk from insider threats and the advanced persistent threat (APT).","links":[{"href":"#au-2","rel":"related","text":"AU-2"}]},{"id":"ac-6.9_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system audits the execution of privileged functions.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of privileged functions to be audited\\n\\nlist of audited events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","properties":[{"name":"label","value":"AC-6(10)"},{"name":"sort-id","value":"ac-06.10"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"The information system prevents non-privileged users from executing privileged\n                  functions to include disabling, circumventing, or altering implemented security\n                  safeguards/countermeasures."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include, for example, establishing information system\n                  accounts, performing system integrity checks, or administering cryptographic key\n                  management activities. Non-privileged users are individuals that do not possess\n                  appropriate authorizations. Circumventing intrusion detection and prevention\n                  mechanisms or malicious code protection mechanisms are examples of privileged\n                  functions that require protection from non-privileged users."},{"id":"ac-6.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system prevents non-privileged users from executing\n                  privileged functions to include:","parts":[{"id":"ac-6.10_obj.1","name":"objective","properties":[{"name":"label","value":"AC-6(10)[1]"}],"prose":"disabling implemented security safeguards/countermeasures;"},{"id":"ac-6.10_obj.2","name":"objective","properties":[{"name":"label","value":"AC-6(10)[2]"}],"prose":"circumventing security safeguards/countermeasures; or"},{"id":"ac-6.10_obj.3","name":"objective","properties":[{"name":"label","value":"AC-6(10)[3]"}],"prose":"altering implemented security safeguards/countermeasures."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of privileged functions and associated user account assignments\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions for non-privileged\n                     users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","parameters":[{"id":"ac-7_prm_1","label":"organization-defined number","constraints":[{"detail":"not more than three (3)"}]},{"id":"ac-7_prm_2","label":"organization-defined time period","constraints":[{"detail":"fifteen (15) minutes"}]},{"id":"ac-7_prm_3"},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period","constraints":[{"detail":"locks the account/node for a minimum of three (3) hours or until unlocked by an administrator"}]},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon\n                  attempts by a user during a {{ ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically {{ ac-7_prm_3 }} when the maximum number of\n                  unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network\n               connection. Due to the potential for denial of service, automatic lockouts initiated\n               by information systems are usually temporary and automatically release after a\n               predetermined time period established by organizations. If a delay algorithm is\n               selected, organizations may choose to employ different algorithms for different\n               information system components based on the capabilities of those components.\n               Responses to unsuccessful logon attempts may be implemented at both the operating\n               system and the application levels.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ia-5","rel":"related","text":"IA-5"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ac-7.a_obj","name":"objective","properties":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts\n                     allowed to the information system by a user during an organization-defined time\n                     period;"},{"id":"ac-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information\n                     system for an organization-defined number of consecutive invalid logon\n                     attempts;"},{"id":"ac-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of\n                     consecutive invalid logon attempts by a user during an organization-defined\n                     time period;"}]},{"id":"ac-7.b_obj","name":"objective","properties":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account/node lockout time period or logon delay\n                     algorithm to be automatically enforced by the information system when the\n                     maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts\n                     is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay\n                        algorithm."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing unsuccessful logon attempts\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem developers\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon\n                  attempts"}]}],"controls":[{"id":"ac-7.2","class":"SP800-53-enhancement","title":"Purge / Wipe Mobile Device","parameters":[{"id":"ac-7.2_prm_1","label":"organization-defined mobile devices","constraints":[{"detail":"mobile devices as defined by organization policy"}]},{"id":"ac-7.2_prm_2","label":"organization-defined purging/wiping requirements/techniques"},{"id":"ac-7.2_prm_3","label":"organization-defined number","constraints":[{"detail":"three (3)"}]}],"properties":[{"name":"label","value":"AC-7(2)"},{"name":"sort-id","value":"ac-07.02"}],"parts":[{"id":"ac-7.2_smt","name":"statement","prose":"The information system purges/wipes information from {{ ac-7.2_prm_1 }} based on {{ ac-7.2_prm_2 }} after\n                     {{ ac-7.2_prm_3 }} consecutive, unsuccessful device logon\n                  attempts."},{"id":"ac-7.2_gdn","name":"guidance","prose":"This control enhancement applies only to mobile devices for which a logon occurs\n                  (e.g., personal digital assistants, smart phones, tablets). The logon is to the\n                  mobile device, not to any one account on the device. Therefore, successful logons\n                  to any accounts on mobile devices reset the unsuccessful logon count to zero.\n                  Organizations define information to be purged/wiped carefully in order to avoid\n                  over purging/wiping which may result in devices becoming unusable. Purging/wiping\n                  may be unnecessary if the information on the device is protected with sufficiently\n                  strong encryption mechanisms.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-7.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-7.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(2)[1]"}],"prose":"the organization defines mobile devices to be purged/wiped after\n                     organization-defined number of consecutive, unsuccessful device logon\n                     attempts;"},{"id":"ac-7.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(2)[2]"}],"prose":"the organization defines purging/wiping requirements/techniques to be used when\n                     organization-defined mobile devices are purged/wiped after organization-defined\n                     number of consecutive, unsuccessful device logon attempts;"},{"id":"ac-7.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(2)[3]"}],"prose":"the organization defines the number of consecutive, unsuccessful logon attempts\n                     allowed for accessing mobile devices before the information system purges/wipes\n                     information from such devices; and"},{"id":"ac-7.2_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-7(2)[4]"}],"prose":"the information system purges/wipes information from organization-defined\n                     mobile devices based on organization-defined purging/wiping\n                     requirements/techniques after organization-defined number of consecutive,\n                     unsuccessful logon attempts."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing unsuccessful login attempts on mobile devices\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of mobile devices to be purged/wiped after organization-defined\n                     consecutive, unsuccessful device logon attempts\\n\\nlist of purging/wiping requirements or techniques for mobile devices\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful device\n                     logon attempts"}]}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","parameters":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner","constraints":[{"detail":"see additional Requirements and Guidance"}]},{"id":"ac-8_prm_2","label":"organization-defined conditions","constraints":[{"detail":"see additional Requirements and Guidance"}]}],"properties":[{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Displays to users {{ ac-8_prm_1 }} before granting access to the\n                  system that provides privacy and security notices consistent with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to\n                     criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and\n                     recording;"}]},{"id":"ac-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge\n                  the usage conditions and take explicit actions to log on to or further access the\n                  information system; and"},{"id":"ac-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ ac-8_prm_2 }}, before\n                     granting further access;"},{"id":"ac-8_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are\n                     consistent with privacy accommodations for such systems that generally prohibit\n                     those activities; and"},{"id":"ac-8_smt.c.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]},{"id":"ac-8_fr","name":"item","title":"AC-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."},{"id":"ac-8_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."},{"id":"ac-8_fr_smt.3","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners\n               displayed before individuals log in to information systems. System use notifications\n               are used only for access via logon interfaces with human users and are not required\n               when such human interfaces do not exist. Organizations consider system use\n               notification messages/banners displayed in multiple languages based on specific\n               organizational needs and the demographics of information system users. Organizations\n               also consult with the Office of the General Counsel for legal review and approval of\n               warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","properties":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be\n                     displayed by the information system to users before granting access to the\n                     system;"},{"id":"ac-8.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use\n                     notification message or banner before granting access to the information system\n                     that provides privacy and security notices consistent with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to\n                        audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to\n                        criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and\n                        recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen\n                  until users acknowledge the usage conditions and take explicit actions to log on\n                  to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the\n                        information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before\n                        granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording,\n                     or auditing that are consistent with privacy accommodations for such systems\n                     that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the\n                     system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprivacy and security policies, procedures addressing system use notification\\n\\ndocumented approval of information system use notification messages or banners\\n\\ninformation system audit records\\n\\nuser acknowledgements of notification message or banner\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system use notification messages\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for providing legal advice\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","parameters":[{"id":"ac-10_prm_1","label":"organization-defined account and/or account type"},{"id":"ac-10_prm_2","label":"organization-defined number","constraints":[{"detail":"three (3) sessions for privileged access and two (2) sessions for non-privileged access"}]}],"properties":[{"name":"label","value":"AC-10"},{"name":"sort-id","value":"ac-10"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"The information system limits the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for information\n               system accounts globally, by account type (e.g., privileged user, non-privileged\n               user, domain, specific application), by account, or a combination. For example,\n               organizations may limit the number of concurrent sessions for system administrators\n               or individuals working in particularly sensitive domains or mission-critical\n               applications. This control addresses concurrent sessions for information system\n               accounts and does not address concurrent sessions by single users via multiple system\n               accounts."},{"id":"ac-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-10[1]"}],"prose":"the organization defines account and/or account types for the information\n                  system;"},{"id":"ac-10_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-10[2]"}],"prose":"the organization defines the number of concurrent sessions to be allowed for each\n                  organization-defined account and/or account type; and"},{"id":"ac-10_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-10[3]"}],"prose":"the information system limits the number of concurrent sessions for each\n                  organization-defined account and/or account type to the organization-defined\n                  number of concurrent sessions allowed."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing concurrent session control\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for concurrent session\n                  control"}]}]},{"id":"ac-11","class":"SP800-53","title":"Session Lock","parameters":[{"id":"ac-11_prm_1","label":"organization-defined time period","constraints":[{"detail":"fifteen (15) minutes"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-11"},{"name":"sort-id","value":"ac-11"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"}],"parts":[{"id":"ac-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prevents further access to the system by initiating a session lock after {{ ac-11_prm_1 }} of inactivity or upon receiving a request from a user;\n                  and"},{"id":"ac-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains the session lock until the user reestablishes access using established\n                  identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Session locks are temporary actions taken when users stop work and move away from the\n               immediate vicinity of information systems but do not want to log out because of the\n               temporary nature of their absences. Session locks are implemented where session\n               activities can be determined. This is typically at the operating system level, but\n               can also be at the application level. Session locks are not an acceptable substitute\n               for logging out of information systems, for example, if organizations require users\n               to log out at the end of workdays.","links":[{"href":"#ac-7","rel":"related","text":"AC-7"}]},{"id":"ac-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-11.a_obj","name":"objective","properties":[{"name":"label","value":"AC-11(a)"}],"parts":[{"id":"ac-11.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-11(a)[1]"}],"prose":"the organization defines the time period of user inactivity after which the\n                     information system initiates a session lock;"},{"id":"ac-11.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-11(a)[2]"}],"prose":"the information system prevents further access to the system by initiating a\n                     session lock after organization-defined time period of user inactivity or upon\n                     receiving a request from a user; and"}]},{"id":"ac-11.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-11(b)"}],"prose":"the information system retains the session lock until the user reestablishes\n                  access using established identification and authentication procedures."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing session lock\\n\\nprocedures addressing identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","properties":[{"name":"label","value":"AC-11(1)"},{"name":"sort-id","value":"ac-11.01"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"The information system conceals, via the session lock, information previously\n                  visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"Publicly viewable images can include static or dynamic images, for example,\n                  patterns used with screen savers, photographic images, solid colors, clock,\n                  battery life indicator, or a blank screen, with the additional caveat that none of\n                  the images convey sensitive information."},{"id":"ac-11.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system conceals, via the session lock, information\n                  previously visible on the display with a publicly viewable image."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing session lock\\n\\ndisplay screen with session lock activated\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","parameters":[{"id":"ac-12_prm_1","label":"organization-defined conditions or trigger events requiring session\n               disconnect"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-12"},{"name":"sort-id","value":"ac-12"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"The information system automatically terminates a user session after {{ ac-12_prm_1 }}."},{"id":"ac-12_gdn","name":"guidance","prose":"This control addresses the termination of user-initiated logical sessions in contrast\n               to SC-10 which addresses the termination of network connections that are associated\n               with communications sessions (i.e., network disconnect). A logical session (for\n               local, network, and remote access) is initiated whenever a user (or process acting on\n               behalf of a user) accesses an organizational information system. Such user sessions\n               can be terminated (and thus terminate user access) without terminating network\n               sessions. Session termination terminates all processes associated with a user’s\n               logical session except those processes that are specifically created by the user\n               (i.e., session owner) to continue after the session is terminated. Conditions or\n               trigger events requiring automatic session termination can include, for example,\n               organization-defined periods of user inactivity, targeted responses to certain types\n               of incidents, time-of-day restrictions on information system use.","links":[{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-23","rel":"related","text":"SC-23"}]},{"id":"ac-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-12_obj.1","name":"objective","properties":[{"name":"label","value":"AC-12[1]"}],"prose":"the organization defines conditions or trigger events requiring session\n                  disconnect; and"},{"id":"ac-12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-12[2]"}],"prose":"the information system automatically terminates a user session after\n                  organization-defined conditions or trigger events requiring session disconnect\n                  occurs."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing session termination\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of conditions or trigger events requiring session disconnect\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing user session termination"}]}],"controls":[{"id":"ac-12.1","class":"SP800-53-enhancement","title":"User-initiated Logouts / Message Displays","parameters":[{"id":"ac-12.1_prm_1","label":"organization-defined information resources"}],"properties":[{"name":"label","value":"AC-12(1)"},{"name":"sort-id","value":"ac-12.01"}],"parts":[{"id":"ac-12.1_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-12.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Provides a logout capability for user-initiated communications sessions\n                     whenever authentication is used to gain access to {{ ac-12.1_prm_1 }}; and"},{"id":"ac-12.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Displays an explicit logout message to users indicating the reliable\n                     termination of authenticated communications sessions."},{"id":"ac-12.1_fr","name":"item","title":"AC-12 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-12.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29"}]}]},{"id":"ac-12.1_gdn","name":"guidance","prose":"Information resources to which users gain access via authentication include, for\n                  example, local workstations, databases, and password-protected websites/web-based\n                  services. Logout messages for web page access, for example, can be displayed after\n                  authenticated sessions have been terminated. However, for some types of\n                  interactive sessions including, for example, file transfer protocol (FTP)\n                  sessions, information systems typically send logout messages as final messages\n                  prior to terminating sessions."},{"id":"ac-12.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-12.1.a_obj","name":"objective","properties":[{"name":"label","value":"AC-12(1)(a)"}],"parts":[{"id":"ac-12.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-12(1)(a)[1]"}],"prose":"the organization defines information resources for which user authentication\n                        is required to gain access to such resources;"},{"id":"ac-12.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-12(1)(a)[2]"}],"prose":"the information system provides a logout capability for user-initiated\n                        communications sessions whenever authentication is used to gain access to\n                        organization-defined information resources; and"}],"links":[{"href":"#ac-12.1_smt.a","rel":"corresp","text":"AC-12(1)(a)"}]},{"id":"ac-12.1.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-12(1)(b)"}],"prose":"the information system displays an explicit logout message to users indicating\n                     the reliable termination of authenticated communications sessions.","links":[{"href":"#ac-12.1_smt.b","rel":"corresp","text":"AC-12(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing session termination\\n\\nuser logout messages\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system session lock mechanisms"}]}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","parameters":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"properties":[{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies {{ ac-14_prm_1 }} that can be performed on the\n                  information system without identification or authentication consistent with\n                  organizational missions/business functions; and"},{"id":"ac-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no\n               identification or authentication is required in organizational information systems.\n               Organizations may allow a limited number of user actions without identification or\n               authentication including, for example, when individuals access public websites or\n               other publicly accessible federal information systems, when individuals use mobile\n               phones to receive calls, or when facsimiles are received. Organizations also identify\n               actions that normally require identification or authentication but may under certain\n               circumstances (e.g., emergencies), allow identification or authentication mechanisms\n               to be bypassed. Such bypasses may occur, for example, via a software-readable\n               physical switch that commands bypass of the logon functionality and is protected from\n               accidental or unmonitored use. This control does not apply to situations where\n               identification and authentication have already occurred and are not repeated, but\n               rather to situations where identification and authentication have not yet occurred.\n               Organizations may decide that there are no user actions that can be performed on\n               organizational information systems without identification and authentication and\n               thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ia-2","rel":"related","text":"IA-2"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","properties":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without\n                     identification or authentication consistent with organizational\n                     missions/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the\n                     information system without identification or authentication consistent with\n                     organizational missions/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing permitted actions without identification or\n                  authentication\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nlist of user actions that can be performed without identification or\n                  authentication\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference","text":"NIST Special Publication 800-46"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference","text":"NIST Special Publication 800-113"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference","text":"NIST Special Publication 800-114"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference","text":"NIST Special Publication 800-121"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration/connection\n                  requirements, and implementation guidance for each type of remote access allowed;\n                  and"},{"id":"ac-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such\n                  connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes\n               acting on behalf of users) communicating through external networks (e.g., the\n               Internet). Remote access methods include, for example, dial-up, broadband, and\n               wireless. Organizations often employ encrypted virtual private networks (VPNs) to\n               enhance confidentiality and integrity over remote connections. The use of encrypted\n               VPNs does not make the access non-remote; however, the use of VPNs, when adequately\n               provisioned with appropriate security controls (e.g., employing appropriate\n               encryption techniques for confidentiality and integrity protection) may provide\n               sufficient assurance to the organization that it can effectively treat such\n               connections as internal networks. Still, VPN connections traverse external networks,\n               and the encrypted VPN does not enhance the availability of remote connections. Also,\n               VPNs with encrypted tunnels can affect the organizational capability to adequately\n               monitor network communications traffic for malicious code. Remote access controls\n               apply to information systems other than public web servers or systems designed for\n               public access. This control addresses authorization prior to allowing remote access\n               without specifying the formats for such authorization. While organizations may use\n               interconnection security agreements to authorize remote access connections, such\n               agreements are not required by this control. Enforcing access restrictions for remote\n               connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","properties":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such\n                  connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nremote access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access\n                  connections\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Automated Monitoring / Control","properties":[{"name":"label","value":"AC-17(1)"},{"name":"sort-id","value":"ac-17.01"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"The information system monitors and controls remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Automated monitoring and control of remote access sessions allows organizations to\n                  detect cyber attacks and also ensure ongoing compliance with remote access\n                  policies by auditing connection activities of remote users on a variety of\n                  information system components (e.g., servers, workstations, notebook computers,\n                  smart phones, and tablets).","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"ac-17.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system monitors and controls remote access methods.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system monitoring records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality / Integrity Using Encryption","properties":[{"name":"label","value":"AC-17(2)"},{"name":"sort-id","value":"ac-17.02"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the\n                  confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"The encryption strength of mechanism is selected based on the security\n                  categorization of the information.","links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-17.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements cryptographic mechanisms to protect\n                  the confidentiality and integrity of remote access sessions. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote\n                     access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","parameters":[{"id":"ac-17.3_prm_1","label":"organization-defined number"}],"properties":[{"name":"label","value":"AC-17(3)"},{"name":"sort-id","value":"ac-17.03"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"The information system routes all remote accesses through {{ ac-17.3_prm_1 }} managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Limiting the number of access control points for remote accesses reduces the\n                  attack surface for organizations. Organizations consider the Trusted Internet\n                  Connections (TIC) initiative requirements for external network connections.","links":[{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"ac-17.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-17.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(3)[1]"}],"prose":"the organization defines the number of managed network access control points\n                     through which all remote accesses are to be routed; and"},{"id":"ac-17.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(3)[2]"}],"prose":"the information system routes all remote accesses through the\n                     organization-defined number of managed network access control points."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\nlist of all managed network access control points\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms routing all remote accesses through managed network access\n                     control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands / Access","parameters":[{"id":"ac-17.4_prm_1","label":"organization-defined needs"}],"properties":[{"name":"label","value":"AC-17(4)"},{"name":"sort-id","value":"ac-17.04"}],"parts":[{"id":"ac-17.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Authorizes the execution of privileged commands and access to security-relevant\n                     information via remote access only for {{ ac-17.4_prm_1 }};\n                     and"},{"id":"ac-17.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Documents the rationale for such access in the security plan for the\n                     information system."}]},{"id":"ac-17.4_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ac-17.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.4.a_obj","name":"objective","properties":[{"name":"label","value":"AC-17(4)(a)"}],"parts":[{"id":"ac-17.4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(4)(a)[1]"}],"prose":"defines needs to authorize the execution of privileged commands and access\n                        to security-relevant information via remote access;"},{"id":"ac-17.4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(4)(a)[2]"}],"prose":"authorizes the execution of privileged commands and access to\n                        security-relevant information via remote access only for\n                        organization-defined needs; and"}],"links":[{"href":"#ac-17.4_smt.a","rel":"corresp","text":"AC-17(4)(a)"}]},{"id":"ac-17.4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(4)(b)"}],"prose":"documents the rationale for such access in the information system security\n                     plan.","links":[{"href":"#ac-17.4_smt.b","rel":"corresp","text":"AC-17(4)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing remote access management"}]}]},{"id":"ac-17.9","class":"SP800-53-enhancement","title":"Disconnect / Disable Access","parameters":[{"id":"ac-17.9_prm_1","label":"organization-defined time period","constraints":[{"detail":"fifteen (15) minutes"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-17(9)"},{"name":"sort-id","value":"ac-17.09"}],"parts":[{"id":"ac-17.9_smt","name":"statement","prose":"The organization provides the capability to expeditiously disconnect or disable\n                  remote access to the information system within {{ ac-17.9_prm_1 }}."},{"id":"ac-17.9_gdn","name":"guidance","prose":"This control enhancement requires organizations to have the capability to rapidly\n                  disconnect current users remotely accessing the information system and/or disable\n                  further remote access. The speed of disconnect or disablement varies based on the\n                  criticality of missions/business functions and the need to eliminate immediate or\n                  future remote access to organizational information systems."},{"id":"ac-17.9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.9_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(9)[1]"}],"prose":"defines the time period within which to expeditiously disconnect or disable\n                     remote access to the information system; and"},{"id":"ac-17.9_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(9)[2]"}],"prose":"provides the capability to expeditiously disconnect or disable remote access to\n                     the information system within the organization-defined time period."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing disconnecting or disabling remote access to the\n                     information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan, information system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing capability to disconnect or disable remote\n                     access to information system"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference","text":"NIST Special Publication 800-48"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference","text":"NIST Special Publication 800-94"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference","text":"NIST Special Publication 800-97"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration/connection requirements, and\n                  implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such\n                  connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF/VHF),\n               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,\n               EAP/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such\n                  connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nwireless access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access\n                  connections\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","parameters":[{"id":"ac-18.1_prm_1"}],"properties":[{"name":"label","value":"AC-18(1)"},{"name":"sort-id","value":"ac-18.01"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"The information system protects wireless access to the system using authentication\n                  of {{ ac-18.1_prm_1 }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-18.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system protects wireless access to the system using\n                  encryption and one or more of the following:","parts":[{"id":"ac-18.1_obj.1","name":"objective","properties":[{"name":"label","value":"AC-18(1)[1]"}],"prose":"authentication of users; and/or"},{"id":"ac-18.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-18(1)[2]"}],"prose":"authentication of devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing wireless access protections to the\n                     information system"}]}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","properties":[{"name":"label","value":"AC-18(3)"},{"name":"sort-id","value":"ac-18.03"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"The organization disables, when not intended for use, wireless networking\n                  capabilities internally embedded within information system components prior to\n                  issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","links":[{"href":"#ac-19","rel":"related","text":"AC-19"}]},{"id":"ac-18.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization disables, when not intended for use, wireless\n                  networking capabilities internally embedded within information system components\n                  prior to issuance and deployment."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing the disabling of wireless networking capabilities\n                     internally embedded within information system components"}]}]},{"id":"ac-18.4","class":"SP800-53-enhancement","title":"Restrict Configurations by Users","properties":[{"name":"label","value":"AC-18(4)"},{"name":"sort-id","value":"ac-18.04"}],"parts":[{"id":"ac-18.4_smt","name":"statement","prose":"The organization identifies and explicitly authorizes users allowed to\n                  independently configure wireless networking capabilities."},{"id":"ac-18.4_gdn","name":"guidance","prose":"Organizational authorizations to allow selected users to configure wireless\n                  networking capability are enforced in part, by the access enforcement mechanisms\n                  employed within organizational information systems.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#sc-15","rel":"related","text":"SC-15"}]},{"id":"ac-18.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-18(4)[1]"}],"prose":"identifies users allowed to independently configure wireless networking\n                     capabilities; and"},{"id":"ac-18.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-18(4)[2]"}],"prose":"explicitly authorizes the identified users allowed to independently configure\n                     wireless networking capabilities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms authorizing independent user configuration of wireless\n                     networking capabilities"}]}]},{"id":"ac-18.5","class":"SP800-53-enhancement","title":"Antennas / Transmission Power Levels","properties":[{"name":"label","value":"AC-18(5)"},{"name":"sort-id","value":"ac-18.05"}],"parts":[{"id":"ac-18.5_smt","name":"statement","prose":"The organization selects radio antennas and calibrates transmission power levels\n                  to reduce the probability that usable signals can be received outside of\n                  organization-controlled boundaries."},{"id":"ac-18.5_gdn","name":"guidance","prose":"Actions that may be taken by organizations to limit unauthorized use of wireless\n                  communications outside of organization-controlled boundaries include, for example:\n                  (i) reducing the power of wireless transmissions so that the transmissions are\n                  less likely to emit a signal that can be used by adversaries outside of the\n                  physical perimeters of organizations; (ii) employing measures such as TEMPEST to\n                  control wireless emanations; and (iii) using directional/beam forming antennas\n                  that reduce the likelihood that unintended receivers will be able to intercept\n                  signals. Prior to taking such actions, organizations can conduct periodic wireless\n                  surveys to understand the radio frequency profile of organizational information\n                  systems as well as other systems that may be operating in the area.","links":[{"href":"#pe-19","rel":"related","text":"PE-19"}]},{"id":"ac-18.5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-18.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-18(5)[1]"}],"prose":"selects radio antennas to reduce the probability that usable signals can be\n                     received outside of organization-controlled boundaries; and"},{"id":"ac-18.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-18(5)[2]"}],"prose":"calibrates transmission power levels to reduce the probability that usable\n                     signals can be received outside of organization-controlled boundaries."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access capability protecting usable signals from unauthorized access\n                     outside organization-controlled boundaries"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference","text":"NIST Special Publication 800-114"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference","text":"NIST Special Publication 800-124"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference","text":"NIST Special Publication 800-164"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection\n                  requirements, and implementation guidance for organization-controlled mobile\n                  devices; and"},{"id":"ac-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information\n                  systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it\n               can easily be carried by a single individual; (ii) is designed to operate without a\n               physical connection (e.g., wirelessly transmit or receive information); (iii)\n               possesses local, non-removable or removable data storage; and (iv) includes a\n               self-contained power source. Mobile devices may also include voice communication\n               capabilities, on-board sensors that allow the device to capture information, and/or\n               built-in features for synchronizing local data with remote locations. Examples\n               include smart phones, E-readers, and tablets. Mobile devices are typically associated\n               with a single individual and the device is usually in close proximity to the\n               individual; however, the degree of proximity can vary depending upon on the form\n               factor and size of the device. The processing, storage, and transmission capability\n               of the mobile device may be comparable to or merely a subset of desktop systems,\n               depending upon the nature and intended purpose of the device. Due to the large\n               variety of mobile devices with different technical characteristics and capabilities,\n               organizational restrictions may vary for the different classes/types of such devices.\n               Usage restrictions and specific implementation guidance for mobile devices include,\n               for example, configuration management, device identification and authentication,\n               implementation of mandatory protective software (e.g., malicious code detection,\n               firewall), scanning devices for malicious code, updating virus protection software,\n               scanning for critical software updates and patches, conducting primary operating\n               system (and possibly other resident software) integrity checks, and disabling\n               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the\n               need to provide adequate security for mobile devices goes beyond the requirements in\n               this control. Many safeguards and countermeasures for mobile devices are reflected in\n               other security controls in the catalog allocated in the initial control baselines as\n               starting points for the development of security plans and overlays using the\n               tailoring process. There may also be some degree of overlap in the requirements\n               articulated by the security controls within the different families of controls. AC-20\n               addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information\n                  systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access control for mobile device usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nauthorizations for mobile device connections to organizational information\n                  systems\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information\n                  systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational\n                  information systems"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device / Container-based Encryption","parameters":[{"id":"ac-19.5_prm_1"},{"id":"ac-19.5_prm_2","label":"organization-defined mobile devices"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-19(5)"},{"name":"sort-id","value":"ac-19.05"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"The organization employs {{ ac-19.5_prm_1 }} to protect the\n                  confidentiality and integrity of information on {{ ac-19.5_prm_2 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to the encryption\n                  of data/information on mobile devices, including for example, encrypting selected\n                  data structures such as files, records, or fields.","links":[{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"}]},{"id":"ac-19.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-19(5)[1]"}],"prose":"defines mobile devices for which full-device encryption or container encryption\n                     is required to protect the confidentiality and integrity of information on such\n                     devices; and"},{"id":"ac-19.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-19(5)[2]"}],"prose":"employs full-device encryption or container encryption to protect the\n                     confidentiality and integrity of information on organization-defined mobile\n                     devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access control for mobile devices\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nencryption mechanism s and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities for mobile\n                     devices\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information\n                     on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","properties":[{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust\n               relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external\n                  information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information\n               systems that are outside of the authorization boundary established by organizations\n               and for which organizations typically have no direct supervision and authority over\n               the application of required security controls or the assessment of control\n               effectiveness. External information systems include, for example: (i) personally\n               owned information systems/devices (e.g., notebook computers, smart phones, tablets,\n               personal digital assistants); (ii) privately owned computing and communications\n               devices resident in commercial or public facilities (e.g., hotels, train stations,\n               convention centers, shopping malls, or airports); (iii) information systems owned or\n               controlled by nonfederal governmental organizations; and (iv) federal information\n               systems that are not owned by, operated by, or under the direct supervision and\n               authority of organizations. This control also addresses the use of external\n               information systems for the processing, storage, or transmission of organizational\n               information, including, for example, accessing cloud services (e.g., infrastructure\n               as a service, platform as a service, or software as a service) from organizational\n               information systems. For some external information systems (i.e., information systems\n               operated by other federal agencies, including organizations subordinate to those\n               agencies), the trust relationships that have been established between those\n               organizations and the originating organization may be such, that no explicit terms\n               and conditions are required. Information systems within these organizations would not\n               be considered external. These situations occur when, for example, there are\n               pre-existing sharing/trust agreements (either implicit or explicit) established\n               between federal agencies or organizations subordinate to those agencies, or when such\n               trust agreements are specified by applicable laws, Executive Orders, directives, or\n               policies. Authorized individuals include, for example, organizational personnel,\n               contractors, or other individuals with authorized access to organizational\n               information systems and over which organizations have the authority to impose rules\n               of behavior with regard to system access. Restrictions that organizations impose on\n               authorized individuals need not be uniform, as those restrictions may vary depending\n               upon the trust relationships between organizations. Therefore, organizations may\n               choose to impose different security restrictions on contractors than on state, local,\n               or tribal governments. This control does not apply to the use of external information\n               systems to access public interfaces to organizational information systems (e.g.,\n               individuals accessing federal information through www.usa.gov). Organizations\n               establish terms and conditions for the use of external information systems in\n               accordance with organizational security policies and procedures. Terms and conditions\n               address as a minimum: types of applications that can be accessed on organizational\n               information systems from external information systems; and the highest security\n               category of information that can be processed, stored, or transmitted on external\n               information systems. If terms and conditions with the owners of external information\n               systems cannot be established, organizations may impose restrictions on\n               organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any\n               trust relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to: ","parts":[{"id":"ac-20.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external\n                  information systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nexternal information systems terms and conditions\\n\\nlist of types of applications accessible from external information systems\\n\\nmaximum security categorization for information processed, stored, or transmitted\n                  on external information systems\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions\n                  for use of external information systems to access organizational systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external\n                  information systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits On Authorized Use","properties":[{"name":"label","value":"AC-20(1)"},{"name":"sort-id","value":"ac-20.01"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"The organization permits authorized individuals to use an external information\n                  system to access the information system or to process, store, or transmit\n                  organization-controlled information only when the organization:","parts":[{"id":"ac-20.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Verifies the implementation of required security controls on the external\n                     system as specified in the organization’s information security policy and\n                     security plan; or"},{"id":"ac-20.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Retains approved information system connection or processing agreements with\n                     the organizational entity hosting the external information system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"This control enhancement recognizes that there are circumstances where individuals\n                  using external information systems (e.g., contractors, coalition partners) need to\n                  access organizational information systems. In those situations, organizations need\n                  confidence that the external information systems contain the necessary security\n                  safeguards (i.e., security controls), so as not to compromise, damage, or\n                  otherwise harm organizational information systems. Verification that the required\n                  security controls have been implemented can be achieved, for example, by\n                  third-party, independent assessments, attestations, or other means, depending on\n                  the confidence level required by organizations.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"}]},{"id":"ac-20.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization permits authorized individuals to use an external\n                  information system to access the information system or to process, store, or\n                  transmit organization-controlled information only when the organization: ","parts":[{"id":"ac-20.1.a_obj","name":"objective","properties":[{"name":"label","value":"AC-20(1)(a)"}],"prose":"verifies the implementation of required security controls on the external\n                     system as specified in the organization’s information security policy and\n                     security plan; or","links":[{"href":"#ac-20.1_smt.a","rel":"corresp","text":"AC-20(1)(a)"}]},{"id":"ac-20.1.b_obj","name":"objective","properties":[{"name":"label","value":"AC-20(1)(b)"}],"prose":"retains approved information system connection or processing agreements with\n                     the organizational entity hosting the external information system.","links":[{"href":"#ac-20.1_smt.b","rel":"corresp","text":"AC-20(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nsecurity plan\\n\\ninformation system connection or processing agreements\\n\\naccount management documents\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing limits on use of external information\n                     systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices","parameters":[{"id":"ac-20.2_prm_1"}],"properties":[{"name":"label","value":"AC-20(2)"},{"name":"sort-id","value":"ac-20.02"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"The organization {{ ac-20.2_prm_1 }} the use of\n                  organization-controlled portable storage devices by authorized individuals on\n                  external information systems."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external\n                  information systems include, for example, complete prohibition of the use of such\n                  devices or restrictions on how the devices may be used and under what conditions\n                  the devices may be used."},{"id":"ac-20.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization restricts or prohibits the use of\n                  organization-controlled portable storage devices by authorized individuals on\n                  external information systems. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system connection or processing agreements\\n\\naccount management documents\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting\n                     use of organization-controlled storage devices on external information\n                     systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on use of portable storage\n                     devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","parameters":[{"id":"ac-21_prm_1","label":"organization-defined information sharing circumstances where user discretion is\n               required"},{"id":"ac-21_prm_2","label":"organization-defined automated mechanisms or manual processes"}],"properties":[{"name":"label","value":"AC-21"},{"name":"sort-id","value":"ac-21"}],"parts":[{"id":"ac-21_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Facilitates information sharing by enabling authorized users to determine whether\n                  access authorizations assigned to the sharing partner match the access\n                  restrictions on the information for {{ ac-21_prm_1 }}; and"},{"id":"ac-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs {{ ac-21_prm_2 }} to assist users in making information\n                  sharing/collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"This control applies to information that may be restricted in some manner (e.g.,\n               privileged medical information, contract-sensitive information, proprietary\n               information, personally identifiable information, classified information related to\n               special access programs or compartments) based on some formal or administrative\n               determination. Depending on the particular information-sharing circumstances, sharing\n               partners may be defined at the individual, group, or organizational level.\n               Information may be defined by content, type, security category, or special access\n               program/compartment.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"}]},{"id":"ac-21_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-21.a_obj","name":"objective","properties":[{"name":"label","value":"AC-21(a)"}],"parts":[{"id":"ac-21.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-21(a)[1]"}],"prose":"defines information sharing circumstances where user discretion is\n                     required;"},{"id":"ac-21.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-21(a)[2]"}],"prose":"facilitates information sharing by enabling authorized users to determine\n                     whether access authorizations assigned to the sharing partner match the access\n                     restrictions on the information for organization-defined information sharing\n                     circumstances;"}]},{"id":"ac-21.b_obj","name":"objective","properties":[{"name":"label","value":"AC-21(b)"}],"parts":[{"id":"ac-21.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-21(b)[1]"}],"prose":"defines automated mechanisms or manual processes to be employed to assist users\n                     in making information sharing/collaboration decisions; and"},{"id":"ac-21.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-21(b)[2]"}],"prose":"employs organization-defined automated mechanisms or manual processes to assist\n                     users in making information sharing/collaboration decisions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing user-based collaboration and information sharing (including\n                  restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of users authorized to make information sharing/collaboration decisions\\n\\nlist of information sharing circumstances requiring user discretion\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel responsible for making information sharing/collaboration\n                  decisions\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms or manual process implementing access authorizations\n                  supporting information sharing/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","parameters":[{"id":"ac-22_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least quarterly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible\n                  information system;"},{"id":"ac-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included; and"},{"id":"ac-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic\n                  information {{ ac-22_prm_1 }} and removes such information, if\n                  discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations,\n               standards, and/or guidance, the general public is not authorized access to nonpublic\n               information (e.g., information protected under the Privacy Act and proprietary\n               information). This control addresses information systems that are controlled by the\n               organization and accessible to the general public, typically without identification\n               or authentication. The posting of information on non-organization information systems\n               is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-13","rel":"related","text":"AU-13"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-22.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible\n                  information system;"},{"id":"ac-22.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included;"},{"id":"ac-22.d_obj","name":"objective","properties":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible\n                     information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic\n                     information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system,\n                     if discovered."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing publicly accessible content\\n\\nlist of users authorized to post publicly accessible content on organizational\n                  information systems\\n\\ntraining materials and/or records\\n\\nrecords of publicly accessible information reviews\\n\\nrecords of response to nonpublic information on public websites\\n\\nsystem audit logs\\n\\nsecurity awareness training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible\n                  information posted on organizational information systems\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","parameters":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},{"id":"at-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and\n                     training policy and associated security awareness and training controls;\n                     and"}]},{"id":"at-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AT\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that\n                        addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training\n                        policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to\n                        organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        security awareness and training policy and associated awareness and training\n                        controls;"},{"id":"at-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness\n                        and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with\n                        the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness\n                        and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","parameters":[{"id":"at-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference","text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system\n               users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and\n               security awareness techniques based on the specific organizational requirements and\n               the information systems to which personnel have authorized access. The content\n               includes a basic understanding of the need for information security and user actions\n               to maintain security and to respond to suspected security incidents. The content also\n               addresses awareness of the need for operations security. Security awareness\n               techniques can include, for example, displaying posters, offering supplies inscribed\n               with security reminders, generating email advisories/notices from senior\n               organizational officials, displaying logon screen messages, and conducting\n               information security awareness events.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) as part of initial training for new\n                  users;"},{"id":"at-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) when required by information system\n                  changes; and"},{"id":"at-2.c_obj","name":"objective","properties":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training\n                     thereafter to information system users (including managers, senior executives,\n                     and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including\n                     managers, senior executives, and contractors) with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nappropriate codes of federal regulations\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel comprising the general information system user\n                  community"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","properties":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"at-02.02"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"The organization includes security awareness training on recognizing and reporting\n                  potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include\n                  behaviors such as inordinate, long-term job dissatisfaction, attempts to gain\n                  access to information not required for job performance, unexplained access to\n                  financial resources, bullying or sexual harassment of fellow employees, workplace\n                  violence, and other serious violations of organizational policies, procedures,\n                  directives, rules, or practices. Security awareness training includes how to\n                  communicate employee and management concerns regarding potential indicators of\n                  insider threat through appropriate organizational channels in accordance with\n                  established organizational policies and procedures.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"at-2.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization includes security awareness training on recognizing\n                  and reporting potential indicators of insider threat. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel that participate in security awareness training\\n\\norganizational personnel with responsibilities for basic security awareness\n                     training\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","parameters":[{"id":"at-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference","text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned\n               security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned\n                  duties;"},{"id":"at-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the\n               assigned roles and responsibilities of individuals and the specific security\n               requirements of organizations and the information systems to which personnel have\n               authorized access. In addition, organizations provide enterprise architects,\n               information system developers, software developers, acquisition/procurement\n               officials, information system managers, system/network administrators, personnel\n               conducting configuration management and auditing activities, personnel performing\n               independent verification and validation activities, security control assessors, and\n               other personnel having access to system-level software, adequate security-related\n               technical training specifically tailored for their assigned duties. Comprehensive\n               role-based training addresses management, operational, and technical roles and\n               responsibilities covering physical, personnel, and technical safeguards and\n               countermeasures. Such training can include for example, policies, procedures, tools,\n               and artifacts for the organizational security roles defined. Organizations also\n               provide the training necessary for individuals to carry out their responsibilities\n               related to operations and supply chain security within the context of organizational\n               information security programs. Role-based security training also applies to\n               contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sa-16","rel":"related","text":"SA-16"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles\n                  and responsibilities before authorizing access to the information system or\n                  performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles\n                  and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","properties":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training\n                     thereafter to personnel with assigned security roles and responsibilities;\n                     and"},{"id":"at-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned\n                     security roles and responsibilities with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\ncodes of federal regulations\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security\n                  training\\n\\norganizational personnel with assigned information system security roles and\n                  responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}],"controls":[{"id":"at-3.3","class":"SP800-53-enhancement","title":"Practical Exercises","properties":[{"name":"label","value":"AT-3(3)"},{"name":"sort-id","value":"at-03.03"}],"parts":[{"id":"at-3.3_smt","name":"statement","prose":"The organization includes practical exercises in security training that reinforce\n                  training objectives."},{"id":"at-3.3_gdn","name":"guidance","prose":"Practical exercises may include, for example, security training for software\n                  developers that includes simulated cyber attacks exploiting common software\n                  vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted\n                  at senior leaders/executives. These types of practical exercises help developers\n                  better understand the effects of such vulnerabilities and appreciate the need for\n                  security coding standards and processes."},{"id":"at-3.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization includes practical exercises in security training\n                  that reinforce training objectives. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security\n                     training\\n\\norganizational personnel that participate in security awareness training"}]}]},{"id":"at-3.4","class":"SP800-53-enhancement","title":"Suspicious Communications and Anomalous System Behavior","parameters":[{"id":"at-3.4_prm_1","label":"organization-defined indicators of malicious code","constraints":[{"detail":"malicious code indicators as defined by organization incident policy/capability."}]}],"properties":[{"name":"label","value":"AT-3(4)"},{"name":"sort-id","value":"at-03.04"}],"parts":[{"id":"at-3.4_smt","name":"statement","prose":"The organization provides training to its personnel on {{ at-3.4_prm_1 }} to recognize suspicious communications and anomalous\n                  behavior in organizational information systems."},{"id":"at-3.4_gdn","name":"guidance","prose":"A well-trained workforce provides another organizational safeguard that can be\n                  employed as part of a defense-in-depth strategy to protect organizations against\n                  malicious code coming in to organizations via email or the web applications.\n                  Personnel are trained to look for indications of potentially suspicious email\n                  (e.g., receiving an unexpected email, receiving an email containing strange or\n                  poor grammar, or receiving an email from an unfamiliar sender but who appears to\n                  be from a known sponsor or contractor). Personnel are also trained on how to\n                  respond to such suspicious email or web communications (e.g., not opening\n                  attachments, not clicking on embedded web links, and checking the source of email\n                  addresses). For this process to work effectively, all organizational personnel are\n                  trained and made aware of what constitutes suspicious communications. Training\n                  personnel on how to recognize anomalous behaviors in organizational information\n                  systems can potentially provide early warning for the presence of malicious code.\n                  Recognition of such anomalous behavior by organizational personnel can supplement\n                  automated malicious code detection and protection tools and systems employed by\n                  organizations."},{"id":"at-3.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-3(4)[1]"}],"prose":"defines indicators of malicious code; and"},{"id":"at-3.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-3(4)[2]"}],"prose":"provides training to its personnel on organization-defined indicators of\n                     malicious code to recognize suspicious communications and anomalous behavior in\n                     organizational information systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security\n                     training\\n\\norganizational personnel that participate in security awareness training"}]}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","parameters":[{"id":"at-4_prm_1","label":"organization-defined time period","constraints":[{"detail":"five (5) years or 5 years after completion of a specific training program"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities\n                  including basic security awareness training and specific information system\n                  security training; and"},{"id":"at-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at\n               the option of the organization.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-14","rel":"related","text":"PM-14"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","properties":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities\n                     including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities\n                     including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","properties":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time\n                     period."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training records\\n\\nsecurity awareness and training records\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention\n                  responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","parameters":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"au-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability\n                     policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AU\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that\n                        addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are\n                        to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined\n                        personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        audit and accountability policy and associated audit and accountability\n                        controls;"},{"id":"au-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and\n                        accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the\n                        organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and\n                        accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in\n                        accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","parameters":[{"id":"au-2_prm_1","label":"organization-defined auditable events","constraints":[{"detail":"successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"}]},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined\n               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each\n               identified event","constraints":[{"detail":"organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference","text":"NIST Special Publication 800-92"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following\n                  events: {{ au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information\n                  system: {{ au-2_prm_2 }}."},{"id":"au-2_fr","name":"item","title":"AU-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."}]}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system.\n               Organizations identify audit events as those events which are significant and\n               relevant to the security of information systems and the environments in which those\n               systems operate in order to meet specific and ongoing audit needs. Audit events can\n               include, for example, password changes, failed logons, or failed accesses related to\n               information systems, administrative privilege usage, PIV credential usage, or\n               third-party credential usage. In determining the set of auditable events,\n               organizations consider the auditing appropriate for each of the security controls to\n               be implemented. To balance auditing requirements with other information system needs,\n               this control also requires identifying that subset of auditable events that are\n               audited at a given point in time. For example, organizations may determine that\n               information systems must have the capability to log every file access both successful\n               and unsuccessful, but not activate that capability except for specific circumstances\n               due to the potential burden on system performance. Auditing requirements, including\n               the need for auditable events, may be referenced in other security controls and\n               control enhancements. Organizations also include auditable events that are required\n               by applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards. Audit records can be generated at various levels of abstraction, including\n               at the packet level as information traverses the network. Selecting the appropriate\n               level of abstraction is a critical aspect of an audit capability and can facilitate\n               the identification of root causes to problems. Organizations consider in the\n               definition of auditable events, the auditing necessary to cover related events such\n               as the steps in distributed, transaction-based processes (e.g., processes that are\n               distributed across multiple organizations) and actions that occur in service-oriented\n               architectures.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","properties":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of\n                     auditing;"},{"id":"au-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing\n                     organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","properties":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited\n                     within the information system;"},{"id":"au-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be\n                     audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each\n                     identified event."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system auditable events\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}],"controls":[{"id":"au-2.3","class":"SP800-53-enhancement","title":"Reviews and Updates","parameters":[{"id":"au-2.3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"annually or whenever there is a change in the threat environment"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-2(3)"},{"name":"sort-id","value":"au-02.03"}],"parts":[{"id":"au-2.3_smt","name":"statement","prose":"The organization reviews and updates the audited events {{ au-2.3_prm_1 }}.","parts":[{"id":"au-2.3_fr","name":"item","title":"AU-2 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO."}]}]},{"id":"au-2.3_gdn","name":"guidance","prose":"Over time, the events that organizations believe should be audited may change.\n                  Reviewing and updating the set of audited events periodically is necessary to\n                  ensure that the current set is still necessary and sufficient."},{"id":"au-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(3)[1]"}],"prose":"defines the frequency to review and update the audited events; and"},{"id":"au-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-2(3)[2]"}],"prose":"reviews and updates the auditable events with organization-defined\n                     frequency."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\nlist of organization-defined auditable events\\n\\nauditable events review and update records\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting review and update of auditable events"}]}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","properties":[{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that\n               establishes what type of event occurred, when the event occurred, where the event\n               occurred, the source of the event, the outcome of the event, and the identity of any\n               individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this\n               control, includes, for example, time stamps, source and destination addresses,\n               user/process identifiers, event descriptions, success/fail indications, filenames\n               involved, and access control or flow control rules invoked. Event outcomes can\n               include indicators of event success or failure and event-specific results (e.g., the\n               security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-8","rel":"related","text":"AU-8"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#si-11","rel":"related","text":"SI-11"}]},{"id":"au-3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system generates audit records containing information\n               that establishes: ","parts":[{"id":"au-3_obj.1","name":"objective","properties":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","properties":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","properties":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","properties":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","properties":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","properties":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable\n                  events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","parameters":[{"id":"au-3.1_prm_1","label":"organization-defined additional, more detailed information","constraints":[{"detail":"session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands"}]}],"properties":[{"name":"label","value":"AU-3(1)"},{"name":"sort-id","value":"au-03.01"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"The information system generates audit records containing the following additional\n                  information: {{ au-3.1_prm_1 }}.","parts":[{"id":"au-3.1_fr","name":"item","title":"AU-3 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-3.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO."},{"id":"au-3.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry."}]}]},{"id":"au-3.1_gdn","name":"guidance","prose":"Detailed information that organizations may consider in audit records includes,\n                  for example, full text recording of privileged commands or the individual\n                  identities of group account users. Organizations consider limiting the additional\n                  audit information to only that information explicitly needed for specific audit\n                  requirements. This facilitates the use of audit trails and audit logs by not\n                  including information that could potentially be misleading or could make it more\n                  difficult to locate information of interest."},{"id":"au-3.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-3(1)[1]"}],"prose":"the organization defines additional, more detailed information to be contained\n                     in audit records that the information system generates; and"},{"id":"au-3.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-3(1)[2]"}],"prose":"the information system generates audit records containing the\n                     organization-defined additional, more detailed information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system audit capability"}]}]},{"id":"au-3.2","class":"SP800-53-enhancement","title":"Centralized Management of Planned Audit Record Content","parameters":[{"id":"au-3.2_prm_1","label":"organization-defined information system components","constraints":[{"detail":"all network, data storage, and computing devices"}]}],"properties":[{"name":"label","value":"AU-3(2)"},{"name":"sort-id","value":"au-03.02"}],"parts":[{"id":"au-3.2_smt","name":"statement","prose":"The information system provides centralized management and configuration of the\n                  content to be captured in audit records generated by {{ au-3.2_prm_1 }}."},{"id":"au-3.2_gdn","name":"guidance","prose":"This control enhancement requires that the content to be captured in audit records\n                  be configured from a central location (necessitating automation). Organizations\n                  coordinate the selection of required audit content to support the centralized\n                  management and configuration capability provided by the information system.","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"}]},{"id":"au-3.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-3(2)[1]"}],"prose":"the organization defines information system components that generate audit\n                     records whose content is to be centrally managed and configured by the\n                     information system; and"},{"id":"au-3.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-3(2)[2]"}],"prose":"the information system provides centralized management and configuration of the\n                     content to be captured in audit records generated by the organization-defined\n                     information system components."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system capability implementing centralized management and\n                     configuration of audit record content"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","parameters":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"properties":[{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing\n               requirements when allocating audit storage capacity. Allocating sufficient audit\n               storage capacity reduces the likelihood of such capacity being exceeded and resulting\n               in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","properties":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the\n                  organization-defined audit record storage requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit storage capacity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit record storage requirements\\n\\naudit record storage capability for information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","parameters":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system,\n               overwrite oldest audit records, stop generating audit records)","constraints":[{"detail":"organization-defined actions to be taken (overwrite oldest record)"}]}],"properties":[{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Alerts {{ au-5_prm_1 }} in the event of an audit processing\n                  failure; and"},{"id":"au-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software/hardware errors, failures in\n               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n               Organizations may choose to define additional actions for different audit processing\n               failures (e.g., by type, by location, by severity, or a combination of such factors).\n               This control applies to each audit data storage repository (i.e., distinct\n               information system component where audit records are stored), the total audit storage\n               capacity of organizations (i.e., all audit data storage repositories combined), or\n               both.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#si-12","rel":"related","text":"SI-12"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","properties":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of\n                     an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in\n                     the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","properties":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown\n                     information system, overwrite oldest audit records, stop generating audit\n                     records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the\n                     event of an audit processing failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of personnel to be notified in case of an audit processing failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing\n                  failures"}]}],"controls":[{"id":"au-5.1","class":"SP800-53-enhancement","title":"Audit Storage Capacity","parameters":[{"id":"au-5.1_prm_1","label":"organization-defined personnel, roles, and/or locations"},{"id":"au-5.1_prm_2","label":"organization-defined time period"},{"id":"au-5.1_prm_3","label":"organization-defined percentage"}],"properties":[{"name":"label","value":"AU-5(1)"},{"name":"sort-id","value":"au-05.01"}],"parts":[{"id":"au-5.1_smt","name":"statement","prose":"The information system provides a warning to {{ au-5.1_prm_1 }}\n                  within {{ au-5.1_prm_2 }} when allocated audit record storage\n                  volume reaches {{ au-5.1_prm_3 }} of repository maximum audit\n                  record storage capacity."},{"id":"au-5.1_gdn","name":"guidance","prose":"Organizations may have multiple audit data storage repositories distributed across\n                  multiple information system components, with each repository having different\n                  storage volume capacities."},{"id":"au-5.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"au-5.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-5(1)[1][a]"}],"prose":"personnel to be warned when allocated audit record storage volume reaches\n                        organization-defined percentage of repository maximum audit record storage\n                        capacity;"},{"id":"au-5.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-5(1)[1][b]"}],"prose":"roles to be warned when allocated audit record storage volume reaches\n                        organization-defined percentage of repository maximum audit record storage\n                        capacity; and/or"},{"id":"au-5.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-5(1)[1][c]"}],"prose":"locations to be warned when allocated audit record storage volume reaches\n                        organization-defined percentage of repository maximum audit record storage\n                        capacity;"}]},{"id":"au-5.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(1)[2]"}],"prose":"the organization defines the time period within which the information system is\n                     to provide a warning to the organization-defined personnel, roles, and/or\n                     locations when allocated audit record storage volume reaches the\n                     organization-defined percentage of repository maximum audit record storage\n                     capacity;"},{"id":"au-5.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(1)[3]"}],"prose":"the organization defines the percentage of repository maximum audit record\n                     storage capacity that, if reached, requires a warning to be provided; and"},{"id":"au-5.1_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-5(1)[4]"}],"prose":"the information system provides a warning to the organization-defined\n                     personnel, roles, and/or locations within the organization-defined time period\n                     when allocated audit record storage volume reaches the organization-defined\n                     percentage of repository maximum audit record storage capacity."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit storage limit warnings"}]}]},{"id":"au-5.2","class":"SP800-53-enhancement","title":"Real-time Alerts","parameters":[{"id":"au-5.2_prm_1","label":"organization-defined real-time period","constraints":[{"detail":"real-time"}]},{"id":"au-5.2_prm_2","label":"organization-defined personnel, roles, and/or locations","constraints":[{"detail":"service provider personnel with authority to address failed audit events"}]},{"id":"au-5.2_prm_3","label":"organization-defined audit failure events requiring real-time alerts","constraints":[{"detail":"audit failure events requiring real-time alerts, as defined by organization audit policy"}]}],"properties":[{"name":"label","value":"AU-5(2)"},{"name":"sort-id","value":"au-05.02"}],"parts":[{"id":"au-5.2_smt","name":"statement","prose":"The information system provides an alert in {{ au-5.2_prm_1 }} to\n                     {{ au-5.2_prm_2 }} when the following audit failure events\n                  occur: {{ au-5.2_prm_3 }}."},{"id":"au-5.2_gdn","name":"guidance","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these\n                  messages at information technology speed (i.e., the time from event detection to\n                  alert occurs in seconds or less)."},{"id":"au-5.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(2)[1]"}],"prose":"the organization defines audit failure events requiring real-time alerts;"},{"id":"au-5.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(2)[2]"}],"prose":"the organization defines:","parts":[{"id":"au-5.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-5(2)[2][a]"}],"prose":"personnel to be alerted when organization-defined audit failure events\n                        requiring real-time alerts occur;"},{"id":"au-5.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-5(2)[2][b]"}],"prose":"roles to be alerted when organization-defined audit failure events requiring\n                        real-time alerts occur; and/or"},{"id":"au-5.2_obj.2.c","name":"objective","properties":[{"name":"label","value":"AU-5(2)[2][c]"}],"prose":"locations to be alerted when organization-defined audit failure events\n                        requiring real-time alerts occur;"}]},{"id":"au-5.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(2)[3]"}],"prose":"the organization defines the real-time period within which the information\n                     system is to provide an alert to the organization-defined personnel, roles,\n                     and/or locations when the organization-defined audit failure events requiring\n                     real-time alerts occur; and"},{"id":"au-5.2_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-5(2)[4]"}],"prose":"the information system provides an alert within the organization-defined\n                     real-time period to the organization-defined personnel, roles, and/or locations\n                     when organization-defined audit failure events requiring real-time alerts\n                     occur."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of notifications or real-time alerts when audit processing failures\n                     occur\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing real-time audit alerts when\n                     organization-defined audit failure events occur"}]}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","parameters":[{"id":"au-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};\n                  and"},{"id":"au-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ au-6_prm_3 }}."},{"id":"au-6_fr","name":"item","title":"AU-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."}]}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing\n               performed by organizations including, for example, auditing that results from\n               monitoring of account usage, remote access, wireless connectivity, mobile device\n               connection, configuration settings, system component inventory, use of maintenance\n               tools and nonlocal maintenance, physical access, temperature and humidity, equipment\n               delivery and removal, communications at the information system boundaries, use of\n               mobile code, and use of VoIP. Findings can be reported to organizational entities\n               that include, for example, incident response team, help desk, information security\n               group/department. If organizations are prohibited from reviewing and analyzing audit\n               information or unable to conduct such activities (e.g., in certain national security\n               applications or systems), the review/analysis may be carried out by other\n               organizations granted such authority.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-19","rel":"related","text":"SC-19"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","properties":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when\n                     information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records\n                     for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of\n                     organization-defined inappropriate or unusual activity with the\n                     organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","properties":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis\n                     of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nreports of audit findings\\n\\nrecords of actions taken in response to reviews/analyses of audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Process Integration","properties":[{"name":"label","value":"AU-6(1)"},{"name":"sort-id","value":"au-06.01"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to integrate audit review, analysis,\n                  and reporting processes to support organizational processes for investigation and\n                  response to suspicious activities."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes benefiting from integrated audit review, analysis, and\n                  reporting include, for example, incident response, continuous monitoring,\n                  contingency planning, and Inspector General audits.","links":[{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#pm-7","rel":"related","text":"PM-7"}]},{"id":"au-6.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"au-6.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-6(1)[1]"}],"prose":"employs automated mechanisms to integrate:","parts":[{"id":"au-6.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-6(1)[1][a]"}],"prose":"audit review;"},{"id":"au-6.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-6(1)[1][b]"}],"prose":"analysis;"},{"id":"au-6.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-6(1)[1][c]"}],"prose":"reporting processes;"}]},{"id":"au-6.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-6(1)[2]"}],"prose":"uses integrated audit review, analysis and reporting processes to support\n                     organizational processes for:","parts":[{"id":"au-6.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-6(1)[2][a]"}],"prose":"investigation of suspicious activities; and"},{"id":"au-6.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-6(1)[2][b]"}],"prose":"response to suspicious activities."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nprocedures addressing investigation and response to suspicious activities\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting\n                     processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Repositories","properties":[{"name":"label","value":"AU-6(3)"},{"name":"sort-id","value":"au-06.03"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"The organization analyzes and correlates audit records across different\n                  repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three tiers\n                  of risk management (i.e., organizational, mission/business process, and\n                  information system) and supports cross-organization awareness.","links":[{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ir-4","rel":"related","text":"IR-4"}]},{"id":"au-6.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization analyzes and correlates audit records across\n                  different repositories to gain organization-wide situational awareness. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records across different repositories\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting analysis and correlation of audit records"}]}]},{"id":"au-6.4","class":"SP800-53-enhancement","title":"Central Review and Analysis","properties":[{"name":"label","value":"AU-6(4)"},{"name":"sort-id","value":"au-06.04"}],"parts":[{"id":"au-6.4_smt","name":"statement","prose":"The information system provides the capability to centrally review and analyze\n                  audit records from multiple components within the system."},{"id":"au-6.4_gdn","name":"guidance","prose":"Automated mechanisms for centralized reviews and analyses include, for example,\n                  Security Information Management products.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"au-6.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system provides the capability to centrally review\n                  and analyze audit records from multiple components within the system."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system capability to centralize review and analysis of audit\n                     records"}]}]},{"id":"au-6.5","class":"SP800-53-enhancement","title":"Integration / Scanning and Monitoring Capabilities","parameters":[{"id":"au-6.5_prm_1"},{"id":"au-6.5_prm_2","depends-on":"au-6.5_prm_1","label":"organization-defined data/information collected from other sources","constraints":[{"detail":"Possibly to include penetration test data."}]}],"properties":[{"name":"label","value":"AU-6(5)"},{"name":"sort-id","value":"au-06.05"}],"parts":[{"id":"au-6.5_smt","name":"statement","prose":"The organization integrates analysis of audit records with analysis of {{ au-6.5_prm_1 }} to further enhance the ability to identify\n                  inappropriate or unusual activity."},{"id":"au-6.5_gdn","name":"guidance","prose":"This control enhancement does not require vulnerability scanning, the generation\n                  of performance data, or information system monitoring. Rather, the enhancement\n                  requires that the analysis of information being otherwise produced in these areas\n                  is integrated with the analysis of audit information. Security Event and\n                  Information Management System tools can facilitate audit record\n                  aggregation/consolidation from multiple information system components as well as\n                  audit record correlation and analysis. The use of standardized audit record\n                  analysis scripts developed by organizations (with localized script adjustments, as\n                  necessary) provides more cost-effective approaches for analyzing audit record\n                  information collected. The correlation of audit record information with\n                  vulnerability scanning information is important in determining the veracity of\n                  vulnerability scans and correlating attack detection events with scanning results.\n                  Correlation with performance data can help uncover denial of service attacks or\n                  cyber attacks resulting in unauthorized use of resources. Correlation with system\n                  monitoring information can assist in uncovering attacks and in better relating\n                  audit information to operational situations.","links":[{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"au-6.5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"au-6.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(5)[1]"}],"prose":"defines data/information to be collected from other sources;"},{"id":"au-6.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-6(5)[2]"}],"prose":"selects sources of data/information to be analyzed and integrated with the\n                     analysis of audit records from one or more of the following:","parts":[{"id":"au-6.5_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-6(5)[2][a]"}],"prose":"vulnerability scanning information;"},{"id":"au-6.5_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-6(5)[2][b]"}],"prose":"performance data;"},{"id":"au-6.5_obj.2.c","name":"objective","properties":[{"name":"label","value":"AU-6(5)[2][c]"}],"prose":"information system monitoring information; and/or"},{"id":"au-6.5_obj.2.d","name":"objective","properties":[{"name":"label","value":"AU-6(5)[2][d]"}],"prose":"organization-defined data/information collected from other sources; and"}]},{"id":"au-6.5_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-6(5)[3]"}],"prose":"integrates the analysis of audit records with the analysis of selected\n                     data/information to further enhance the ability to identify inappropriate or\n                     unusual activity."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrated analysis of audit records, vulnerability scanning information,\n                     performance data, network monitoring information and associated\n                     documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing capability to integrate analysis of audit\n                     records with analysis of data/information sources"}]}]},{"id":"au-6.6","class":"SP800-53-enhancement","title":"Correlation with Physical Monitoring","properties":[{"name":"label","value":"AU-6(6)"},{"name":"sort-id","value":"au-06.06"}],"parts":[{"id":"au-6.6_smt","name":"statement","prose":"The organization correlates information from audit records with information\n                  obtained from monitoring physical access to further enhance the ability to\n                  identify suspicious, inappropriate, unusual, or malevolent activity.","parts":[{"id":"au-6.6_fr","name":"item","title":"AU-6 (6) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-6.6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."}]}]},{"id":"au-6.6_gdn","name":"guidance","prose":"The correlation of physical audit information and audit logs from information\n                  systems may assist organizations in identifying examples of suspicious behavior or\n                  supporting evidence of such behavior. For example, the correlation of an\n                  individual’s identity for logical access to certain information systems with the\n                  additional physical security information that the individual was actually present\n                  at the facility when the logical access occurred, may prove to be useful in\n                  investigations."},{"id":"au-6.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization correlates information from audit records with\n                  information obtained from monitoring physical access to enhance the ability to\n                  identify suspicious, inappropriate, unusual, or malevolent activity."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nprocedures addressing physical access monitoring\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ndocumentation providing evidence of correlated information obtained from audit\n                     records and physical access monitoring records\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing capability to correlate information from\n                     audit records with information from monitoring physical access"}]}]},{"id":"au-6.7","class":"SP800-53-enhancement","title":"Permitted Actions","parameters":[{"id":"au-6.7_prm_1","constraints":[{"detail":"information system process; role; user"}]}],"properties":[{"name":"label","value":"AU-6(7)"},{"name":"sort-id","value":"au-06.07"}],"parts":[{"id":"au-6.7_smt","name":"statement","prose":"The organization specifies the permitted actions for each {{ au-6.7_prm_1 }} associated with the review, analysis, and reporting\n                  of audit information."},{"id":"au-6.7_gdn","name":"guidance","prose":"Organizations specify permitted actions for information system processes, roles,\n                  and/or users associated with the review, analysis, and reporting of audit records\n                  through account management techniques. Specifying permitted actions on audit\n                  information is a way to enforce the principle of least privilege. Permitted\n                  actions are enforced by the information system and include, for example, read,\n                  write, execute, append, and delete."},{"id":"au-6.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization specifies the permitted actions for each one or more\n                  of the following associated with the review, analysis and reporting of audit\n                  information:","parts":[{"id":"au-6.7_obj.1","name":"objective","properties":[{"name":"label","value":"AU-6(7)[1]"}],"prose":"information system process;"},{"id":"au-6.7_obj.2","name":"objective","properties":[{"name":"label","value":"AU-6(7)[2]"}],"prose":"role; and/or"},{"id":"au-6.7_obj.3","name":"objective","properties":[{"name":"label","value":"AU-6(7)[3]"}],"prose":"user."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing process, role and/or user permitted actions from audit\n                     review, analysis, and reporting\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting permitted actions for review, analysis, and\n                     reporting of audit information"}]}]},{"id":"au-6.10","class":"SP800-53-enhancement","title":"Audit Level Adjustment","properties":[{"name":"label","value":"AU-6(10)"},{"name":"sort-id","value":"au-06.10"}],"parts":[{"id":"au-6.10_smt","name":"statement","prose":"The organization adjusts the level of audit review, analysis, and reporting within\n                  the information system when there is a change in risk based on law enforcement\n                  information, intelligence information, or other credible sources of\n                  information."},{"id":"au-6.10_gdn","name":"guidance","prose":"The frequency, scope, and/or depth of the audit review, analysis, and reporting\n                  may be adjusted to meet organizational needs based on new information\n                  received."},{"id":"au-6.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization adjusts the level of audit review, analysis, and\n                  reporting within the information system when there is a change in risk based\n                  on:","parts":[{"id":"au-6.10_obj.1","name":"objective","properties":[{"name":"label","value":"AU-6(10)[1]"}],"prose":"law enforcement information;"},{"id":"au-6.10_obj.2","name":"objective","properties":[{"name":"label","value":"AU-6(10)[2]"}],"prose":"intelligence information; and/or"},{"id":"au-6.10_obj.3","name":"objective","properties":[{"name":"label","value":"AU-6(10)[3]"}],"prose":"other credible sources of information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\norganizational risk assessment\\n\\nsecurity control assessment\\n\\nvulnerability assessment\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting review, analysis, and reporting of audit\n                     information"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Reduction and Report Generation","properties":[{"name":"label","value":"AU-7"},{"name":"sort-id","value":"au-07"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"The information system provides an audit reduction and report generation capability\n               that:","parts":[{"id":"au-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit review, analysis, and reporting requirements and\n                  after-the-fact investigations of security incidents; and"},{"id":"au-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit reduction is a process that manipulates collected audit information and\n               organizes such information in a summary format that is more meaningful to analysts.\n               Audit reduction and report generation capabilities do not always emanate from the\n               same information system or from the same organizational entities conducting auditing\n               activities. Audit reduction capability can include, for example, modern data mining\n               techniques with advanced data filters to identify anomalous behavior in audit\n               records. The report generation capability provided by the information system can\n               generate customizable reports. Time ordering of audit records can be a significant\n               issue if the granularity of the timestamp in the record is insufficient.","links":[{"href":"#au-6","rel":"related","text":"AU-6"}]},{"id":"au-7_obj","name":"objective","prose":"Determine if the information system provides an audit reduction and report generation\n               capability that supports:","parts":[{"id":"au-7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-7(a)"}],"parts":[{"id":"au-7.a_obj.1","name":"objective","properties":[{"name":"label","value":"AU-7(a)[1]"}],"prose":"on-demand audit review;"},{"id":"au-7.a_obj.2","name":"objective","properties":[{"name":"label","value":"AU-7(a)[2]"}],"prose":"analysis;"},{"id":"au-7.a_obj.3","name":"objective","properties":[{"name":"label","value":"AU-7(a)[3]"}],"prose":"reporting requirements;"},{"id":"au-7.a_obj.4","name":"objective","properties":[{"name":"label","value":"AU-7(a)[4]"}],"prose":"after-the-fact investigations of security incidents; and"}]},{"id":"au-7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-7(b)"}],"prose":"does not alter the original content or time ordering of audit records."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit reduction and report generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit reduction, review, analysis, and reporting tools\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","parameters":[{"id":"au-7.1_prm_1","label":"organization-defined audit fields within audit records"}],"properties":[{"name":"label","value":"AU-7(1)"},{"name":"sort-id","value":"au-07.01"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"The information system provides the capability to process audit records for events\n                  of interest based on {{ au-7.1_prm_1 }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of specific audit record\n                  fields including, for example, identities of individuals, event types, event\n                  locations, event times, event dates, system resources involved, IP addresses\n                  involved, or information objects accessed. Organizations may define audit event\n                  criteria to any degree of granularity required, for example, locations selectable\n                  by general networking location (e.g., by network or subnetwork) or selectable by\n                  specific information system component.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"au-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-7.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-7(1)[1]"}],"prose":"the organization defines audit fields within audit records in order to process\n                     audit records for events of interest; and"},{"id":"au-7.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-7(1)[2]"}],"prose":"the information system provides the capability to process audit records for\n                     events of interest based on the organization-defined audit fields within audit\n                     records."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit reduction and report generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit reduction, review, analysis, and reporting tools\\n\\naudit record criteria (fields) establishing events of interest\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","parameters":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement","constraints":[{"detail":"one second granularity of time measurement"}]}],"properties":[{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal\n                  Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is\n               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of\n               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time\n               measurements refers to the degree of synchronization between information system\n               clocks and reference clocks, for example, clocks synchronizing within hundreds of\n               milliseconds or within tens of milliseconds. Organizations may define different time\n               granularities for different system components. Time service can also be critical to\n               other security capabilities such as access control and identification and\n               authentication, depending on the nature of the mechanisms used to support those\n               capabilities.","links":[{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for\n                  audit records;"},{"id":"au-8.b_obj","name":"objective","properties":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped\n                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when\n                     recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the\n                     organization-defined granularity of time measurement."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","parameters":[{"id":"au-8.1_prm_1","label":"organization-defined frequency","constraints":[{"detail":"At least hourly"}]},{"id":"au-8.1_prm_2","label":"organization-defined authoritative time source","constraints":[{"detail":"http://tf.nist.gov/tf-cgi/servers.cgi"}]},{"id":"au-8.1_prm_3","label":"organization-defined time period"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-8(1)"},{"name":"sort-id","value":"au-08.01"}],"parts":[{"id":"au-8.1_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Compares the internal information system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and"},{"id":"au-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Synchronizes the internal system clocks to the authoritative time source when\n                     the time difference is greater than {{ au-8.1_prm_3 }}."},{"id":"au-8.1_fr","name":"item","title":"AU-8 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-8.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server."},{"id":"au-8.1_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server."},{"id":"au-8.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Synchronization of system clocks improves the accuracy of log analysis."}]}]},{"id":"au-8.1_gdn","name":"guidance","prose":"This control enhancement provides uniformity of time stamps for information\n                  systems with multiple system clocks and systems connected over a network."},{"id":"au-8.1_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"au-8.1.a_obj","name":"objective","properties":[{"name":"label","value":"AU-8(1)(a)"}],"parts":[{"id":"au-8.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(1)(a)[1]"}],"prose":"the organization defines the authoritative time source to which internal\n                        information system clocks are to be compared;"},{"id":"au-8.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(1)(a)[2]"}],"prose":"the organization defines the frequency to compare the internal information\n                        system clocks with the organization-defined authoritative time source;\n                        and"},{"id":"au-8.1.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(1)(a)[3]"}],"prose":"the information system compares the internal information system clocks with\n                        the organization-defined authoritative time source with organization-defined\n                        frequency; and"}],"links":[{"href":"#au-8.1_smt.a","rel":"corresp","text":"AU-8(1)(a)"}]},{"id":"au-8.1.b_obj","name":"objective","properties":[{"name":"label","value":"AU-8(1)(b)"}],"parts":[{"id":"au-8.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(1)(b)[1]"}],"prose":"the organization defines the time period that, if exceeded by the time\n                        difference between the internal system clocks and the authoritative time\n                        source, will result in the internal system clocks being synchronized to the\n                        authoritative time source; and"},{"id":"au-8.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(1)(b)[2]"}],"prose":"the information system synchronizes the internal information system clocks\n                        to the authoritative time source when the time difference is greater than\n                        the organization-defined time period."}],"links":[{"href":"#au-8.1_smt.b","rel":"corresp","text":"AU-8(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing internal information system clock\n                     synchronization"}]}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","properties":[{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized\n               access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and\n               audit reports) needed to successfully audit information system activity. This control\n               focuses on technical protection of audit information. Physical protection of audit\n               information is addressed by media protection controls and physical and environmental\n               protection controls.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"au-9_obj.1","name":"objective","properties":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","properties":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","properties":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                  information system audit records\\n\\naudit tools\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.2","class":"SP800-53-enhancement","title":"Audit Backup On Separate Physical Systems / Components","parameters":[{"id":"au-9.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-9(2)"},{"name":"sort-id","value":"au-09.02"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"The information system backs up audit records {{ au-9.2_prm_1 }}\n                  onto a physically different system or system component than the system or\n                  component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"This control enhancement helps to ensure that a compromise of the information\n                  system being audited does not also result in a compromise of the audit\n                  records.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"}]},{"id":"au-9.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-9(2)[1]"}],"prose":"the organization defines the frequency to back up audit records onto a\n                     physically different system or system component than the system or component\n                     being audited; and"},{"id":"au-9.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-9(2)[2]"}],"prose":"the information system backs up audit records with the organization-defined\n                     frequency, onto a physically different system or system component than the\n                     system or component being audited."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation, system\n                     or media storing backups of information system audit records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing the backing up of audit records"}]}]},{"id":"au-9.3","class":"SP800-53-enhancement","title":"Cryptographic Protection","properties":[{"name":"label","value":"AU-9(3)"},{"name":"sort-id","value":"au-09.03"}],"parts":[{"id":"au-9.3_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the\n                  integrity of audit information and audit tools."},{"id":"au-9.3_gdn","name":"guidance","prose":"Cryptographic mechanisms used for protecting the integrity of audit information\n                  include, for example, signed hash functions using asymmetric cryptography enabling\n                  distribution of the public key to verify the hash information while maintaining\n                  the confidentiality of the secret key used to generate the hash.","links":[{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"au-9.3_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"au-9.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-9(3)[1]"}],"prose":"uses cryptographic mechanisms to protect the integrity of audit information;\n                     and"},{"id":"au-9.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-9(3)[2]"}],"prose":"uses cryptographic mechanisms to protect the integrity of audit tools."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system hardware settings\\n\\ninformation system configuration settings and associated documentation,\n                     information system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting integrity of audit information and\n                     tools"}]}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","parameters":[{"id":"au-9.4_prm_1","label":"organization-defined subset of privileged users"}],"properties":[{"name":"label","value":"AU-9(4)"},{"name":"sort-id","value":"au-09.04"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"The organization authorizes access to management of audit functionality to only\n                     {{ au-9.4_prm_1 }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals with privileged access to an information system and who are also the\n                  subject of an audit by that system, may affect the reliability of audit\n                  information by inhibiting audit activities or modifying audit records. This\n                  control enhancement requires that privileged access be further defined between\n                  audit-related privileges and other privileges, thus limiting the users with\n                  audit-related privileges.","links":[{"href":"#ac-5","rel":"related","text":"AC-5"}]},{"id":"au-9.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-9.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-9(4)[1]"}],"prose":"defines a subset of privileged users to be authorized access to management of\n                     audit functionality; and"},{"id":"au-9.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-9(4)[2]"}],"prose":"authorizes access to management of audit functionality to only the\n                     organization-defined subset of privileged users."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                     system-generated list of privileged users with access to management of audit\n                     functionality\\n\\naccess authorizations\\n\\naccess control list\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing access to audit functionality"}]}]}]},{"id":"au-10","class":"SP800-53","title":"Non-repudiation","parameters":[{"id":"au-10_prm_1","label":"organization-defined actions to be covered by non-repudiation","constraints":[{"detail":"minimum actions including the addition, modification, deletion, approval, sending, or receiving of data"}]}],"properties":[{"name":"label","value":"AU-10"},{"name":"sort-id","value":"au-10"}],"parts":[{"id":"au-10_smt","name":"statement","prose":"The information system protects against an individual (or process acting on behalf of\n               an individual) falsely denying having performed {{ au-10_prm_1 }}."},{"id":"au-10_gdn","name":"guidance","prose":"Types of individual actions covered by non-repudiation include, for example, creating\n               information, sending and receiving messages, approving information (e.g., indicating\n               concurrence or signing a contract). Non-repudiation protects individuals against\n               later claims by: (i) authors of not having authored particular documents; (ii)\n               senders of not having transmitted messages; (iii) receivers of not having received\n               messages; or (iv) signatories of not having signed documents. Non-repudiation\n               services can be used to determine if information originated from a particular\n               individual, or if an individual took specific actions (e.g., sending an email,\n               signing a contract, approving a procurement request) or received specific\n               information. Organizations obtain non-repudiation services by employing various\n               techniques or mechanisms (e.g., digital signatures, digital message receipts).","links":[{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-16","rel":"related","text":"SC-16"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-23","rel":"related","text":"SC-23"}]},{"id":"au-10_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"au-10_obj.1","name":"objective","properties":[{"name":"label","value":"AU-10[1]"}],"prose":"the organization defines actions to be covered by non-repudiation; and"},{"id":"au-10_obj.2","name":"objective","properties":[{"name":"label","value":"AU-10[2]"}],"prose":"the information system protects against an individual (or process acting on behalf\n                  of an individual) falsely denying having performed organization-defined actions to\n                  be covered by non-repudiation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing non-repudiation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing non-repudiation capability"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","parameters":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy","constraints":[{"detail":"at least one (1) year"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ au-11_prm_1 }} to\n               provide support for after-the-fact investigations of security incidents and to meet\n               regulatory and organizational information retention requirements.","parts":[{"id":"au-11_fr","name":"item","title":"AU-11 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-11_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."}]}]},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer\n               needed for administrative, legal, audit, or other operational purposes. This\n               includes, for example, retention and availability of audit records relative to\n               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.\n               Organizations develop standard categories of audit records relative to such types of\n               actions and standard response processes for each type of action. The National\n               Archives and Records Administration (NARA) General Records Schedules provide federal\n               policy on record retention.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#mp-6","rel":"related","text":"MP-6"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","properties":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records\n                  retention policy;"},{"id":"au-11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with\n                  records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents;\n                     and"},{"id":"au-11_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naudit record retention policy and procedures\\n\\nsecurity plan\\n\\norganization-defined retention period for audit records\\n\\naudit record archives\\n\\naudit logs\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","parameters":[{"id":"au-12_prm_1","label":"organization-defined information system components","constraints":[{"detail":"all information system and network components where audit capability is deployed/available"}]},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in\n                  AU-2 a. at {{ au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allows {{ au-12_prm_2 }} to select which auditable events are to be\n                  audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined\n                  in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The\n               list of audited events is the set of events for which audits are to be generated.\n               These events are typically a subset of all events for which the information system is\n               capable of generating audit records.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","properties":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide\n                     audit record generation capability for the auditable events defined in\n                     AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the\n                     auditable events defined in AU-2a, at organization-defined information system\n                     components;"}]},{"id":"au-12.b_obj","name":"objective","properties":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which\n                     auditable events are to be audited by specific components of the information\n                     system;"},{"id":"au-12.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to\n                     select which auditable events are to be audited by specific components of the\n                     system; and"}]},{"id":"au-12.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d\n                  with the content in defined in AU-3."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}],"controls":[{"id":"au-12.1","class":"SP800-53-enhancement","title":"System-wide / Time-correlated Audit Trail","parameters":[{"id":"au-12.1_prm_1","label":"organization-defined information system components","constraints":[{"detail":"all network, data storage, and computing devices"}]},{"id":"au-12.1_prm_2","label":"organization-defined level of tolerance for the relationship between time\n                  stamps of individual records in the audit trail"}],"properties":[{"name":"label","value":"AU-12(1)"},{"name":"sort-id","value":"au-12.01"}],"parts":[{"id":"au-12.1_smt","name":"statement","prose":"The information system compiles audit records from {{ au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail\n                  that is time-correlated to within {{ au-12.1_prm_2 }}."},{"id":"au-12.1_gdn","name":"guidance","prose":"Audit trails are time-correlated if the time stamps in the individual audit\n                  records can be reliably related to the time stamps in other audit records to\n                  achieve a time ordering of the records within organizational tolerances.","links":[{"href":"#au-8","rel":"related","text":"AU-8"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"au-12.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(1)[1]"}],"prose":"the organization defines the information system components from which audit\n                     records are to be compiled into a system-wide (logical or physical) audit\n                     trail;"},{"id":"au-12.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(1)[2]"}],"prose":"the organization defines the level of tolerance for the relationship between\n                     time stamps of individual records in the audit trail; and"},{"id":"au-12.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(1)[3]"}],"prose":"the information system compiles audit records from organization-defined\n                     information system components into a system-wide (logical or physical) audit\n                     trail that is time-correlated to within the organization-defined level of\n                     tolerance for the relationship between time stamps of individual records in the\n                     audit trail."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-wide audit trail (logical or physical)\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.3","class":"SP800-53-enhancement","title":"Changes by Authorized Individuals","parameters":[{"id":"au-12.3_prm_1","label":"organization-defined individuals or roles","constraints":[{"detail":"service provider-defined individuals or roles with audit configuration responsibilities"}]},{"id":"au-12.3_prm_2","label":"organization-defined information system components","constraints":[{"detail":"all network, data storage, and computing devices"}]},{"id":"au-12.3_prm_3","label":"organization-defined selectable event criteria"},{"id":"au-12.3_prm_4","label":"organization-defined time thresholds"}],"properties":[{"name":"label","value":"AU-12(3)"},{"name":"sort-id","value":"au-12.03"}],"parts":[{"id":"au-12.3_smt","name":"statement","prose":"The information system provides the capability for {{ au-12.3_prm_1 }} to change the auditing to be performed on {{ au-12.3_prm_2 }} based on {{ au-12.3_prm_3 }} within\n                     {{ au-12.3_prm_4 }}."},{"id":"au-12.3_gdn","name":"guidance","prose":"This control enhancement enables organizations to extend or limit auditing as\n                  necessary to meet organizational requirements. Auditing that is limited to\n                  conserve information system resources may be extended to address certain threat\n                  situations. In addition, auditing may be limited to a specific set of events to\n                  facilitate audit reduction, analysis, and reporting. Organizations can establish\n                  time thresholds in which audit actions are changed, for example, near real-time,\n                  within minutes, or within hours.","links":[{"href":"#au-7","rel":"related","text":"AU-7"}]},{"id":"au-12.3_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"au-12.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(3)[1]"}],"prose":"the organization defines information system components on which auditing is to\n                     be performed;"},{"id":"au-12.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(3)[2]"}],"prose":"the organization defines individuals or roles authorized to change the auditing\n                     to be performed on organization-defined information system components;"},{"id":"au-12.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(3)[3]"}],"prose":"the organization defines time thresholds within which organization-defined\n                     individuals or roles can change the auditing to be performed on\n                     organization-defined information system components;"},{"id":"au-12.3_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(3)[4]"}],"prose":"the organization defines selectable event criteria that support the capability\n                     for organization-defined individuals or roles to change the auditing to be\n                     performed on organization-defined information system components; and"},{"id":"au-12.3_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(3)[5]"}],"prose":"the information system provides the capability for organization-defined\n                     individuals or roles to change the auditing to be performed on\n                     organization-defined information system components based on\n                     organization-defined selectable event criteria within organization-defined time\n                     thresholds."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of individuals or roles authorized to change auditing to\n                     be performed\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","parameters":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and\n                     authorization policy and associated security assessment and authorization\n                     controls; and"}]},{"id":"ca-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ ca-1_prm_2 }};\n                     and"},{"id":"ca-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that\n                        addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization\n                        policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to\n                        organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        security assessment and authorization policy and associated assessment and\n                        authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment\n                        and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy\n                        with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment\n                        and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","parameters":[{"id":"ca-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles","constraints":[{"detail":"individuals or roles to include FedRAMP PMO"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment\n                  including:","parts":[{"id":"ca-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness;\n                     and"},{"id":"ca-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and\n                     responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of\n                  operation {{ ca-2_prm_1 }} to determine the extent to which the\n                  controls are implemented correctly, operating as intended, and producing the\n                  desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the\n                  assessment; and"},{"id":"ca-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ ca-2_prm_2 }}."},{"id":"ca-2_fr","name":"item","title":"CA-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the\n               environments in which those systems operate as part of: (i) initial and ongoing\n               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;\n               and (iv) system development life cycle activities. Security assessments: (i) ensure\n               that information security is built into organizational information systems; (ii)\n               identify weaknesses and deficiencies early in the development process; (iii) provide\n               essential information needed to make risk-based decisions as part of security\n               authorization processes; and (iv) ensure compliance to vulnerability mitigation\n               procedures. Assessments are conducted on the implemented security controls from\n               Appendix F (main catalog) and Appendix G (Program Management controls) as documented\n               in System Security Plans and Information Security Program Plans. Organizations can\n               use other types of assessment activities such as vulnerability scanning and system\n               monitoring to maintain the security posture of information systems during the entire\n               life cycle. Security assessment reports document assessment results in sufficient\n               detail as deemed necessary by organizations, to determine the accuracy and\n               completeness of the reports and whether the security controls are implemented\n               correctly, operating as intended, and producing the desired outcome with respect to\n               meeting security requirements. The FISMA requirement for assessing security controls\n               at least annually does not require additional assessment activities to those\n               activities already in place in organizational security authorization processes.\n               Security assessment results are provided to the individuals or roles appropriate for\n               the types of assessments being conducted. For example, assessments conducted in\n               support of security authorization decisions are provided to authorizing officials or\n               authorizing official designated representatives. To satisfy annual assessment\n               requirements, organizations can use assessment results from the following sources:\n               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;\n               or (iii) system development life cycle activities. Organizations ensure that security\n               assessment results are current, relevant to the determination of security control\n               effectiveness, and obtained with the appropriate level of assessor independence.\n               Existing security control assessment results can be reused to the extent that the\n               results are still valid and can also be supplemented with additional assessments as\n               needed. Subsequent to initial authorizations and in accordance with OMB policy,\n               organizations assess security controls during continuous monitoring. Organizations\n               establish the frequency for ongoing security control assessments in accordance with\n               organizational continuous monitoring strategies. Information Assurance Vulnerability\n               Alerts provide useful examples of vulnerability mitigation procedures. External\n               audits (e.g., audits by external entities such as regulatory agencies) are outside\n               the scope of this control.","links":[{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment\n                  including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control\n                     effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","properties":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system\n                     and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the\n                     organization-defined frequency to determine the extent to which the controls\n                     are implemented correctly, operating as intended, and producing the desired\n                     outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the\n                  assessment;"},{"id":"ca-2.d_obj","name":"objective","properties":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control\n                     assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined\n                     individuals or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessment planning\\n\\nprocedures addressing security assessments\\n\\nsecurity assessment plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan\n                  development, and/or security assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","parameters":[{"id":"ca-2.1_prm_1","label":"organization-defined level of independence"}],"properties":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"ca-02.01"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.","parts":[{"id":"ca-2.1_fr","name":"item","title":"CA-2 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."}]}]},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct\n                  impartial assessments of organizational information systems. Impartiality implies\n                  that assessors are free from any perceived or actual conflicts of interest with\n                  regard to the development, operation, or management of the organizational\n                  information systems under assessment or to the determination of security control\n                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual\n                  or conflicting interest with the organizations where the assessments are being\n                  conducted; (ii) assess their own work; (iii) act as management or employees of the\n                  organizations they are serving; or (iv) place themselves in positions of advocacy\n                  for the organizations acquiring their services. Independent assessments can be\n                  obtained from elements within organizations or can be contracted to public or\n                  private sector entities outside of organizations. Authorizing officials determine\n                  the required level of independence based on the security categories of information\n                  systems and/or the ultimate risk to organizational operations, organizational\n                  assets, or individuals. Authorizing officials also determine if the level of\n                  assessor independence provides sufficient assurance that the results are sound and\n                  can be used to make credible, risk-based decisions. This includes determining\n                  whether contracted security assessment services have sufficient independence, for\n                  example, when information system owners are not directly involved in contracting\n                  processes or cannot unduly influence the impartiality of assessors conducting\n                  assessments. In special situations, for example, when organizations that own the\n                  information systems are small or organizational structures require that\n                  assessments are conducted by individuals that are in the developmental,\n                  operational, or management chain of system owners, independence in assessment\n                  processes can be achieved by ensuring that assessment results are carefully\n                  reviewed and analyzed by independent teams of experts to validate the\n                  completeness, accuracy, integrity, and reliability of the results. Organizations\n                  recognize that assessments performed for purposes other than direct support to\n                  authorization decisions are, when performed by assessors with sufficient\n                  independence, more likely to be useable for such decisions, thereby reducing the\n                  need to repeat assessments."},{"id":"ca-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(1)[1]"}],"prose":"defines the level of independence to be employed to conduct security control\n                     assessments; and"},{"id":"ca-2.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-2(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of\n                     independence to conduct security control assessments."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity authorization package (including security plan, security assessment\n                     plan, security assessment report, plan of action and milestones, authorization\n                     statement)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","parameters":[{"id":"ca-2.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-2.2_prm_2"},{"id":"ca-2.2_prm_3"},{"id":"ca-2.2_prm_4","depends-on":"ca-2.2_prm_3","label":"organization-defined other forms of security assessment"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-2(2)"},{"name":"sort-id","value":"ca-02.02"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"The organization includes as part of security control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}.","parts":[{"id":"ca-2.2_fr","name":"item","title":"CA-2 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"To include 'announced', 'vulnerability scanning'"}]}]},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can employ information system monitoring, insider threat\n                  assessments, malicious user testing, and other forms of testing (e.g.,\n                  verification and validation) to improve readiness by exercising organizational\n                  capabilities and indicating current performance levels as a means of focusing\n                  actions to improve security. Organizations conduct assessment activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  regulations, and standards. Authorizing officials approve the assessment methods\n                  in coordination with the organizational risk executive function. Organizations can\n                  incorporate vulnerabilities uncovered during assessments into vulnerability\n                  remediation processes.","links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ca-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(2)[1]"}],"prose":"selects one or more of the following forms of specialized security assessment\n                     to be included as part of security control assessments:","parts":[{"id":"ca-2.2_obj.1.a","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][a]"}],"prose":"in-depth monitoring;"},{"id":"ca-2.2_obj.1.b","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][b]"}],"prose":"vulnerability scanning;"},{"id":"ca-2.2_obj.1.c","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][c]"}],"prose":"malicious user testing;"},{"id":"ca-2.2_obj.1.d","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][d]"}],"prose":"insider threat assessment;"},{"id":"ca-2.2_obj.1.e","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][e]"}],"prose":"performance/load testing; and/or"},{"id":"ca-2.2_obj.1.f","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][f]"}],"prose":"other forms of organization-defined specialized security assessment;"}]},{"id":"ca-2.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(2)[2]"}],"prose":"defines the frequency for conducting the selected form(s) of specialized\n                     security assessment;"},{"id":"ca-2.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(2)[3]"}],"prose":"defines whether the specialized security assessment will be announced or\n                     unannounced; and"},{"id":"ca-2.2_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(2)[4]"}],"prose":"conducts announced or unannounced organization-defined forms of specialized\n                     security assessments with the organization-defined frequency as part of\n                     security control assessments."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security control assessment"}]}]},{"id":"ca-2.3","class":"SP800-53-enhancement","title":"External Organizations","parameters":[{"id":"ca-2.3_prm_1","label":"organization-defined information system","constraints":[{"detail":"any FedRAMP Accredited 3PAO"}]},{"id":"ca-2.3_prm_2","label":"organization-defined external organization","constraints":[{"detail":"any FedRAMP Accredited 3PAO"}]},{"id":"ca-2.3_prm_3","label":"organization-defined requirements","constraints":[{"detail":"the conditions of the JAB/AO in the FedRAMP Repository"}]}],"properties":[{"name":"label","value":"CA-2(3)"},{"name":"sort-id","value":"ca-02.03"}],"parts":[{"id":"ca-2.3_smt","name":"statement","prose":"The organization accepts the results of an assessment of {{ ca-2.3_prm_1 }} performed by {{ ca-2.3_prm_2 }} when\n                  the assessment meets {{ ca-2.3_prm_3 }}."},{"id":"ca-2.3_gdn","name":"guidance","prose":"Organizations may often rely on assessments of specific information systems by\n                  other (external) organizations. Utilizing such existing assessments (i.e., reusing\n                  existing assessment evidence) can significantly decrease the time and resources\n                  required for organizational assessments by limiting the amount of independent\n                  assessment activities that organizations need to perform. The factors that\n                  organizations may consider in determining whether to accept assessment results\n                  from external organizations can vary. Determinations for accepting assessment\n                  results can be based on, for example, past assessment experiences one organization\n                  has had with another organization, the reputation that organizations have with\n                  regard to assessments, the level of detail of supporting assessment documentation\n                  provided, or mandates imposed upon organizations by federal legislation, policies,\n                  or directives."},{"id":"ca-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(3)[1]"}],"prose":"defines an information system for which the results of a security assessment\n                     performed by an external organization are to be accepted;"},{"id":"ca-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(3)[2]"}],"prose":"defines an external organization from which to accept a security assessment\n                     performed on an organization-defined information system;"},{"id":"ca-2.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(3)[3]"}],"prose":"defines the requirements to be met by a security assessment performed by\n                     organization-defined external organization on organization-defined information\n                     system; and"},{"id":"ca-2.3_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-2(3)[4]"}],"prose":"accepts the results of an assessment of an organization-defined information\n                     system performed by an organization-defined external organization when the\n                     assessment meets organization-defined requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity plan\\n\\nsecurity assessment requirements\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel performing security assessments for the specified external\n                     organization"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","parameters":[{"id":"ca-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"At least annually and on input from FedRAMP"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference","text":"NIST Special Publication 800-47"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security\n                  requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e.,\n               system interconnections) and does not apply to transitory, user-controlled\n               connections such as email and website browsing. Organizations carefully consider the\n               risks that may be introduced when information systems are connected to other systems\n               with different security requirements and security controls, both within organizations\n               and external to organizations. Authorizing officials determine the risk associated\n               with information system connections and the appropriate controls employed. If\n               interconnecting systems have the same authorizing official, organizations do not need\n               to develop Interconnection Security Agreements. Instead, organizations can describe\n               the interface characteristics between those interconnecting systems in their\n               respective security plans. If interconnecting systems have different authorizing\n               officials within the same organization, organizations can either develop\n               Interconnection Security Agreements or describe the interface characteristics between\n               systems in the security plans for the respective systems. Organizations may also\n               incorporate Interconnection Security Agreement information into formal contracts,\n               especially for interconnections established between federal agencies and nonfederal\n               (i.e., private sector) organizations. Risk considerations also include information\n               systems sharing the same networks. For certain technologies (e.g., space, unmanned\n               aerial vehicles, and medical devices), there may be specialized connections in place\n               during preoperational testing. Such connections may require Interconnection Security\n               Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","properties":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements;\n                     and"},{"id":"ca-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the\n                     organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system Interconnection Security Agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or\n                  approving information system interconnection agreements\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing the system(s) to which the Interconnection Security Agreement\n                  applies"}]}],"controls":[{"id":"ca-3.3","class":"SP800-53-enhancement","title":"Unclassified Non-national Security System Connections","parameters":[{"id":"ca-3.3_prm_1","label":"organization-defined unclassified, non-national security system"},{"id":"ca-3.3_prm_2","label":"Assignment; organization-defined boundary protection device","constraints":[{"detail":"boundary protections which meet the Trusted Internet Connection (TIC) requirements"}]}],"properties":[{"name":"label","value":"CA-3(3)"},{"name":"sort-id","value":"ca-03.03"}],"parts":[{"id":"ca-3.3_smt","name":"statement","prose":"The organization prohibits the direct connection of an {{ ca-3.3_prm_1 }} to an external network without the use of {{ ca-3.3_prm_2 }}.","parts":[{"id":"ca-3.3_fr","name":"item","title":"CA-3 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-3.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document."}]}]},{"id":"ca-3.3_gdn","name":"guidance","prose":"Organizations typically do not have control over external networks (e.g., the\n                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate\n                  communications (i.e., information flows) between unclassified non-national\n                  security systems and external networks. This control enhancement is required for\n                  organizations processing, storing, or transmitting Controlled Unclassified\n                  Information (CUI)."},{"id":"ca-3.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-3(3)[1]"}],"prose":"defines an unclassified, non-national security system whose direct connection\n                     to an external network is to be prohibited without the use of approved boundary\n                     protection device;"},{"id":"ca-3.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(3)[2]"}],"prose":"defines a boundary protection device to be used to establish the direct\n                     connection of an organization-defined unclassified, non-national security\n                     system to an external network; and"},{"id":"ca-3.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-3(3)[3]"}],"prose":"prohibits the direct connection of an organization-defined unclassified,\n                     non-national security system to an external network without the use of an\n                     organization-defined boundary protection device."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system interconnection security agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for managing direct connections to\n                     external networks\\n\\nnetwork administrators\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing directly connected external networks"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting the management of external network\n                     connections"}]}]},{"id":"ca-3.5","class":"SP800-53-enhancement","title":"Restrictions On External System Connections","parameters":[{"id":"ca-3.5_prm_1","constraints":[{"detail":"deny-all, permit by exception"}]},{"id":"ca-3.5_prm_2","label":"organization-defined information systems","constraints":[{"detail":"any systems"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-3(5)"},{"name":"sort-id","value":"ca-03.05"}],"parts":[{"id":"ca-3.5_smt","name":"statement","prose":"The organization employs {{ ca-3.5_prm_1 }} policy for allowing\n                     {{ ca-3.5_prm_2 }} to connect to external information\n                  systems.","parts":[{"id":"ca-3.5_fr","name":"item","title":"CA-3 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-3.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing"}]}]},{"id":"ca-3.5_gdn","name":"guidance","prose":"Organizations can constrain information system connectivity to external domains\n                  (e.g., websites) by employing one of two policies with regard to such\n                  connectivity: (i) allow-all, deny by exception, also known as blacklisting (the\n                  weaker of the two policies); or (ii) deny-all, allow by exception, also known as\n                  whitelisting (the stronger of the two policies). For either policy, organizations\n                  determine what exceptions, if any, are acceptable.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"}]},{"id":"ca-3.5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ca-3.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(5)[1]"}],"prose":"defines information systems to be allowed to connect to external information\n                     systems;"},{"id":"ca-3.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-3(5)[2]"}],"prose":"employs one of the following policies for allowing organization-defined\n                     information systems to connect to external information systems:","parts":[{"id":"ca-3.5_obj.2.a","name":"objective","properties":[{"name":"label","value":"CA-3(5)[2][a]"}],"prose":"allow-all policy;"},{"id":"ca-3.5_obj.2.b","name":"objective","properties":[{"name":"label","value":"CA-3(5)[2][b]"}],"prose":"deny-by-exception policy;"},{"id":"ca-3.5_obj.2.c","name":"objective","properties":[{"name":"label","value":"CA-3(5)[2][c]"}],"prose":"deny-all policy; or"},{"id":"ca-3.5_obj.2.d","name":"objective","properties":[{"name":"label","value":"CA-3(5)[2][d]"}],"prose":"permit-by-exception policy."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system interconnection agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for managing connections to\n                     external information systems\\n\\nnetwork administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on external system\n                     connections"}]}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","parameters":[{"id":"ca-5_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference","text":"OMB Memorandum 02-01"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document\n                  the organization’s planned remedial actions to correct weaknesses or deficiencies\n                  noted during the assessment of the security controls and to reduce or eliminate\n                  known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ ca-5_prm_1 }}\n                  based on the findings from security controls assessments, security impact\n                  analyses, and continuous monitoring activities."},{"id":"ca-5_fr","name":"item","title":"CA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Plan of Action & Milestones (POA&M) must be provided at least monthly."},{"id":"ca-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages\n               and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#pm-4","rel":"related","text":"PM-4"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or\n                     deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","properties":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the\n                     organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing plan of action and milestones\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and\n                  implementation responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action\n                  and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","parameters":[{"id":"ca-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]}],"properties":[{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference","text":"OMB Circular A-130"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference","text":"OMB Memorandum 11-33"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"},{"id":"ca-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ ca-6_prm_1 }}."},{"id":"ca-6_fr","name":"item","title":"CA-6(c) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."}]}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through\n               authorization decision documents, by senior organizational officials or executives\n               (i.e., authorizing officials) to authorize operation of information systems and to\n               explicitly accept the risk to organizational operations and assets, individuals,\n               other organizations, and the Nation based on the implementation of agreed-upon\n               security controls. Authorizing officials provide budgetary oversight for\n               organizational information systems or assume responsibility for the mission/business\n               operations supported by those systems. The security authorization process is an\n               inherently federal responsibility and therefore, authorizing officials must be\n               federal employees. Through the security authorization process, authorizing officials\n               assume responsibility and are accountable for security risks associated with the\n               operation and use of organizational information systems. Accordingly, authorizing\n               officials are in positions with levels of authority commensurate with understanding\n               and accepting such information security-related risks. OMB policy requires that\n               organizations conduct ongoing authorizations of information systems by implementing\n               continuous monitoring programs. Continuous monitoring programs can satisfy three-year\n               reauthorization requirements, so separate reauthorization processes are not\n               necessary. Through the employment of comprehensive continuous monitoring processes,\n               critical information contained in authorization packages (i.e., security plans,\n               security assessment reports, and plans of action and milestones) is updated on an\n               ongoing basis, providing authorizing officials and information system owners with an\n               up-to-date status of the security state of organizational information systems and\n               environments of operation. To reduce the administrative cost of security\n               reauthorization, authorizing officials use the results of continuous monitoring\n               processes to the maximum extent possible as the basis for rendering reauthorization\n               decisions.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"},{"id":"ca-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","properties":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security authorization\\n\\nsecurity authorization package (including security plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\nauthorization statement)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","parameters":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles","constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},{"id":"ca-7_prm_5","label":"organization-defined frequency","constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference","text":"OMB Memorandum 11-33"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference","text":"US-CERT Technical Cyber Security Alerts"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference","text":"DoD Information Assurance Vulnerability Alerts"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a\n               continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishment of {{ ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational\n                  continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance\n                  with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments\n                  and monitoring;"},{"id":"ca-7_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related\n                  information; and"},{"id":"ca-7_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to\n                     {{ ca-7_prm_4 }}\n                  {{ ca-7_prm_5 }}."},{"id":"ca-7_fr","name":"item","title":"CA-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."},{"id":"ca-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats,\n               vulnerabilities, and information security to support organizational risk management\n               decisions. The terms continuous and ongoing imply that organizations assess/analyze\n               security controls and information security-related risks at a frequency sufficient to\n               support organizational risk-based decisions. The results of continuous monitoring\n               programs generate appropriate risk response actions by organizations. Continuous\n               monitoring programs also allow organizations to maintain the security authorizations\n               of information systems and common controls over time in highly dynamic environments\n               of operation with changing mission/business needs, threats, vulnerabilities, and\n               technologies. Having access to security-related information on a continuing basis\n               through reports/dashboards gives organizational officials the capability to make more\n               effective and timely risk management decisions, including ongoing security\n               authorization decisions. Automation supports more frequent updates to security\n               authorization packages, hardware/software/firmware inventories, and other system\n               information. Effectiveness is further enhanced when continuous monitoring outputs are\n               formatted to provide information that is specific, measurable, actionable, relevant,\n               and timely. Continuous monitoring activities are scaled in accordance with the\n               security categories of information systems.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ca-7.a_obj","name":"objective","properties":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be\n                     monitored;"},{"id":"ca-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of\n                     organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of\n                     organization-defined metrics in accordance with the organizational continuous\n                     monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","properties":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for\n                     monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     such monitoring in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.c_obj","name":"objective","properties":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security\n                     control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security\n                     control assessments in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.d_obj","name":"objective","properties":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status\n                     monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security\n                     status monitoring of organization-defined metrics in accordance with the\n                     organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","properties":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.f_obj","name":"objective","properties":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to\n                     address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to\n                     address results of the analysis of security-related information in accordance\n                     with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","properties":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles\n                     to whom the security status of the organization and information system are to\n                     be reported;"},{"id":"ca-7.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report\n                     the security status of the organization and information system to\n                     organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security\n                     status of the organization or information system to organizational-defined\n                     personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security\n                     status of the organization and information system to organization-defined\n                     personnel or roles with the organization-defined frequency in accordance with\n                     the organizational continuous monitoring strategy."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                  controls\\n\\nprocedures addressing configuration management\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nconfiguration management records, security impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","parameters":[{"id":"ca-7.1_prm_1","label":"organization-defined level of independence"}],"properties":[{"name":"label","value":"CA-7(1)"},{"name":"sort-id","value":"ca-07.01"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ ca-7.1_prm_1 }} to monitor the security controls in the information\n                  system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations can maximize the value of assessments of security controls during\n                  the continuous monitoring process by requiring that such assessments be conducted\n                  by assessors or assessment teams with appropriate levels of independence based on\n                  continuous monitoring strategies. Assessor independence provides a degree of\n                  impartiality to the monitoring process. To achieve such impartiality, assessors\n                  should not: (i) create a mutual or conflicting interest with the organizations\n                  where the assessments are being conducted; (ii) assess their own work; (iii) act\n                  as management or employees of the organizations they are serving; or (iv) place\n                  themselves in advocacy positions for the organizations acquiring their\n                  services."},{"id":"ca-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(1)[1]"}],"prose":"defines a level of independence to be employed to monitor the security controls\n                     in the information system on an ongoing basis; and"},{"id":"ca-7.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-7(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of\n                     independence to monitor the security controls in the information system on an\n                     ongoing basis."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                     controls\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nsecurity impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-7.3","class":"SP800-53-enhancement","title":"Trend Analyses","properties":[{"name":"label","value":"CA-7(3)"},{"name":"sort-id","value":"ca-07.03"}],"parts":[{"id":"ca-7.3_smt","name":"statement","prose":"The organization employs trend analyses to determine if security control\n                  implementations, the frequency of continuous monitoring activities, and/or the\n                  types of activities used in the continuous monitoring process need to be modified\n                  based on empirical data."},{"id":"ca-7.3_gdn","name":"guidance","prose":"Trend analyses can include, for example, examining recent threat information\n                  regarding the types of threat events that have occurred within the organization or\n                  across the federal government, success rates of certain types of cyber attacks,\n                  emerging vulnerabilities in information technologies, evolving social engineering\n                  techniques, results from multiple security control assessments, the effectiveness\n                  of configuration settings, and findings from Inspectors General or auditors."},{"id":"ca-7.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization employs trend analyses to determine if the following\n                  items need to be modified based on empirical data:","parts":[{"id":"ca-7.3_obj.1","name":"objective","properties":[{"name":"label","value":"CA-7(3)[1]"}],"prose":"security control implementations;"},{"id":"ca-7.3_obj.2","name":"objective","properties":[{"name":"label","value":"CA-7(3)[2]"}],"prose":"the frequency of continuous monitoring activities; and/or"},{"id":"ca-7.3_obj.3","name":"objective","properties":[{"name":"label","value":"CA-7(3)[3]"}],"prose":"the types of activities used in the continuous monitoring process."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\\n\\nSecurity assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                     controls\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nsecurity impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","parameters":[{"id":"ca-8_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-8_prm_2","label":"organization-defined information systems or system components"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-8"},{"name":"sort-id","value":"ca-08"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"The organization conducts penetration testing {{ ca-8_prm_1 }} on\n                  {{ ca-8_prm_2 }}.","parts":[{"id":"ca-8_fr","name":"item","title":"CA-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)\n                  "}]}]},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on information\n               systems or individual system components to identify vulnerabilities that could be\n               exploited by adversaries. Such testing can be used to either validate vulnerabilities\n               or determine the degree of resistance organizational information systems have to\n               adversaries within a set of specified constraints (e.g., time, resources, and/or\n               skills). Penetration testing attempts to duplicate the actions of adversaries in\n               carrying out hostile cyber attacks against organizations and provides a more in-depth\n               analysis of security-related weaknesses/deficiencies. Organizations can also use the\n               results of vulnerability analyses to support penetration testing activities.\n               Penetration testing can be conducted on the hardware, software, or firmware\n               components of an information system and can exercise both physical and technical\n               security controls. A standard method for penetration testing includes, for example:\n               (i) pretest analysis based on full knowledge of the target system; (ii) pretest\n               identification of potential vulnerabilities based on pretest analysis; and (iii)\n               testing designed to determine exploitability of identified vulnerabilities. All\n               parties agree to the rules of engagement before the commencement of penetration\n               testing scenarios. Organizations correlate the penetration testing rules of\n               engagement with the tools, techniques, and procedures that are anticipated to be\n               employed by adversaries carrying out attacks. Organizational risk assessments guide\n               decisions on the level of independence required for personnel conducting penetration\n               testing.","links":[{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"ca-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-8_obj.1","name":"objective","properties":[{"name":"label","value":"CA-8[1]"}],"prose":"defines information systems or system components on which penetration testing is\n                  to be conducted;"},{"id":"ca-8_obj.2","name":"objective","properties":[{"name":"label","value":"CA-8[2]"}],"prose":"defines the frequency to conduct penetration testing on organization-defined\n                  information systems or system components; and"},{"id":"ca-8_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-8[3]"}],"prose":"conducts penetration testing on organization-defined information systems or system\n                  components with the organization-defined frequency."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing penetration testing\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\npenetration test report\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities,\n                  system/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting penetration testing"}]}],"controls":[{"id":"ca-8.1","class":"SP800-53-enhancement","title":"Independent Penetration Agent or Team","properties":[{"name":"label","value":"CA-8(1)"},{"name":"sort-id","value":"ca-08.01"}],"parts":[{"id":"ca-8.1_smt","name":"statement","prose":"The organization employs an independent penetration agent or penetration team to\n                  perform penetration testing on the information system or system components."},{"id":"ca-8.1_gdn","name":"guidance","prose":"Independent penetration agents or teams are individuals or groups who conduct\n                  impartial penetration testing of organizational information systems. Impartiality\n                  implies that penetration agents or teams are free from any perceived or actual\n                  conflicts of interest with regard to the development, operation, or management of\n                  the information systems that are the targets of the penetration testing.\n                  Supplemental guidance for CA-2 (1) provides additional information regarding\n                  independent assessments that can be applied to penetration testing.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"}]},{"id":"ca-8.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization employs an independent penetration agent or\n                  penetration team to perform penetration testing on the information system or\n                  system components. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing penetration testing\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\npenetration test report\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","parameters":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of\n               components"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ ca-9_prm_1 }} to the\n                  information system; and"},{"id":"ca-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security\n                  requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and\n               (separate) constituent system components (i.e., intra-system connections) including,\n               for example, system connections with mobile devices, notebook/desktop computers,\n               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of\n               authorizing each individual internal connection, organizations can authorize internal\n               connections for a class of components with common characteristics and/or\n               configurations, for example, all digital printers, scanners, and copiers with a\n               specified processing, storage, and transmission capability or all smart phones with a\n               specific baseline configuration.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","properties":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized\n                     as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system\n                     components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of components or classes of components authorized as internal system\n                  connections\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or\n                  authorizing internal system connections\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","parameters":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"cm-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management\n                     policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CM\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to\n                        be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined\n                        personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        configuration management policy and associated configuration management\n                        controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration\n                        management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the\n                        organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration\n                        management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","properties":[{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a\n               current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system\n               components including communications and connectivity-related aspects of systems.\n               Baseline configurations are documented, formally reviewed and agreed-upon sets of\n               specifications for information systems or configuration items within those systems.\n               Baseline configurations serve as a basis for future builds, releases, and/or changes\n               to information systems. Baseline configurations include information about information\n               system components (e.g., standard software packages installed on workstations,\n               notebook computers, servers, network components, or mobile devices; current version\n               numbers and patch information on operating systems and applications; and\n               configuration settings/parameters), network topology, and the logical placement of\n               those components within the system architecture. Maintaining baseline configurations\n               requires creating new baselines as organizational information systems change over\n               time. Baseline configurations of information systems reflect the current enterprise\n               architecture.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#pm-7","rel":"related","text":"PM-7"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system;\n                  and"},{"id":"cm-2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the\n                  information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\nenterprise architecture documentation\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting configuration control of the baseline\n                  configuration"}]}],"controls":[{"id":"cm-2.1","class":"SP800-53-enhancement","title":"Reviews and Updates","parameters":[{"id":"cm-2.1_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually or when a significant change occurs"}]},{"id":"cm-2.1_prm_2","label":"Assignment organization-defined circumstances","constraints":[{"detail":"to include when directed by the JAB"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-2(1)"},{"name":"sort-id","value":"cm-02.01"}],"parts":[{"id":"cm-2.1_smt","name":"statement","prose":"The organization reviews and updates the baseline configuration of the information\n                  system:","parts":[{"id":"cm-2.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"\n                     {{ cm-2.1_prm_1 }};"},{"id":"cm-2.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"When required due to {{ cm-2.1_prm_2 }}; and"},{"id":"cm-2.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"As an integral part of information system component installations and\n                     upgrades."},{"id":"cm-2.1_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-2.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."}]}]},{"id":"cm-2.1_gdn","name":"guidance","links":[{"href":"#cm-5","rel":"related","text":"CM-5"}]},{"id":"cm-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.1.a_obj","name":"objective","properties":[{"name":"label","value":"CM-2(1)(a)"}],"parts":[{"id":"cm-2.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(1)(a)[1]"}],"prose":"defines the frequency to review and update the baseline configuration of the\n                        information system;"},{"id":"cm-2.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(1)(a)[2]"}],"prose":"reviews and updates the baseline configuration of the information system\n                        with the organization-defined frequency;"}],"links":[{"href":"#cm-2.1_smt.a","rel":"corresp","text":"CM-2(1)(a)"}]},{"id":"cm-2.1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-2(1)(b)"}],"parts":[{"id":"cm-2.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(1)(b)[1]"}],"prose":"defines circumstances that require the baseline configuration of the\n                        information system to be reviewed and updated;"},{"id":"cm-2.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(1)(b)[2]"}],"prose":"reviews and updates the baseline configuration of the information system\n                        when required due to organization-defined circumstances; and"}],"links":[{"href":"#cm-2.1_smt.b","rel":"corresp","text":"CM-2(1)(b)"}]},{"id":"cm-2.1.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(1)(c)"}],"prose":"reviews and updates the baseline configuration of the information system as an\n                     integral part of information system component installations and upgrades.","links":[{"href":"#cm-2.1_smt.c","rel":"corresp","text":"CM-2(1)(c)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nprocedures addressing information system component installations and\n                     upgrades\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of information system baseline configuration reviews and updates\\n\\ninformation system component installations/upgrades and associated records\\n\\nchange control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting review and update of the baseline\n                     configuration"}]}]},{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy / Currency","properties":[{"name":"label","value":"CM-2(2)"},{"name":"sort-id","value":"cm-02.02"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms to maintain an up-to-date, complete,\n                  accurate, and readily available baseline configuration of the information\n                  system."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline\n                  configurations for information systems include, for example, hardware and software\n                  inventory tools, configuration management tools, and network management tools.\n                  Such tools can be deployed and/or allocated as common controls, at the information\n                  system level, or at the operating system or component level (e.g., on\n                  workstations, servers, notebook computers, network components, or mobile devices).\n                  Tools can be used, for example, to track version numbers on operating system\n                  applications, types of software installed, and current patch levels. This control\n                  enhancement can be satisfied by the implementation of CM-8 (2) for organizations\n                  that choose to combine information system component inventory and baseline\n                  configuration activities.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"cm-2.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to maintain: ","parts":[{"id":"cm-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(2)[1]"}],"prose":"an up-to-date baseline configuration of the information system;"},{"id":"cm-2.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(2)[2]"}],"prose":"a complete baseline configuration of the information system;"},{"id":"cm-2.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(2)[3]"}],"prose":"an accurate baseline configuration of the information system; and"},{"id":"cm-2.2_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(2)[4]"}],"prose":"a readily available baseline configuration of the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nconfiguration change control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\\n\\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","parameters":[{"id":"cm-2.3_prm_1","label":"organization-defined previous versions of baseline configurations of the\n                  information system","constraints":[{"detail":"organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components"}]}],"properties":[{"name":"label","value":"CM-2(3)"},{"name":"sort-id","value":"cm-02.03"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"The organization retains {{ cm-2.3_prm_1 }} to support\n                  rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback may\n                  include, for example, hardware, software, firmware, configuration files, and\n                  configuration records."},{"id":"cm-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(3)[1]"}],"prose":"defines previous versions of baseline configurations of the information system\n                     to be retained to support rollback; and"},{"id":"cm-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(3)[2]"}],"prose":"retains organization-defined previous versions of baseline configurations of\n                     the information system to support rollback."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncopies of previous baseline configuration versions\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems, Components, or Devices for High-risk Areas","parameters":[{"id":"cm-2.7_prm_1","label":"organization-defined information systems, system components, or\n                  devices"},{"id":"cm-2.7_prm_2","label":"organization-defined configurations"},{"id":"cm-2.7_prm_3","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"CM-2(7)"},{"name":"sort-id","value":"cm-02.07"}],"parts":[{"id":"cm-2.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-2.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Issues {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }}\n                     to individuals traveling to locations that the organization deems to be of\n                     significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Applies {{ cm-2.7_prm_3 }} to the devices when the individuals\n                     return."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that information systems, system components, or devices (e.g.,\n                  notebook computers, mobile devices) will be located in high-risk areas, additional\n                  security controls may be implemented to counter the greater threat in such areas\n                  coupled with the lack of physical security relative to organizational-controlled\n                  areas. For example, organizational policies and procedures for notebook computers\n                  used by individuals departing on and returning from travel include, for example,\n                  determining which locations are of concern, defining required configurations for\n                  the devices, ensuring that the devices are configured as intended before travel is\n                  initiated, and applying specific safeguards to the device after travel is\n                  completed. Specially configured notebook computers include, for example, computers\n                  with sanitized hard drives, limited applications, and additional hardening (e.g.,\n                  more stringent configuration settings). Specified safeguards applied to mobile\n                  devices upon return from travel include, for example, examining the device for\n                  signs of physical tampering and purging/reimaging the hard disk drive. Protecting\n                  information residing on mobile devices is covered in the media protection\n                  family."},{"id":"cm-2.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.7.a_obj","name":"objective","properties":[{"name":"label","value":"CM-2(7)(a)"}],"parts":[{"id":"cm-2.7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(7)(a)[1]"}],"prose":"defines information systems, system components, or devices to be issued to\n                        individuals traveling to locations that the organization deems to be of\n                        significant risk;"},{"id":"cm-2.7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(7)(a)[2]"}],"prose":"defines configurations to be employed on organization-defined information\n                        systems, system components, or devices issued to individuals traveling to\n                        such locations;"},{"id":"cm-2.7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(7)(a)[3]"}],"prose":"issues organization-defined information systems, system components, or\n                        devices with organization-defined configurations to individuals traveling to\n                        locations that the organization deems to be of significant risk;"}],"links":[{"href":"#cm-2.7_smt.a","rel":"corresp","text":"CM-2(7)(a)"}]},{"id":"cm-2.7.b_obj","name":"objective","properties":[{"name":"label","value":"CM-2(7)(b)"}],"parts":[{"id":"cm-2.7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(7)(b)[1]"}],"prose":"defines security safeguards to be applied to the devices when the\n                        individuals return; and"},{"id":"cm-2.7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(7)(b)[2]"}],"prose":"applies organization-defined safeguards to the devices when the individuals\n                        return."}],"links":[{"href":"#cm-2.7_smt.b","rel":"corresp","text":"CM-2(7)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nprocedures addressing information system component installations and\n                     upgrades\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of information system baseline configuration reviews and updates\\n\\ninformation system component installations/upgrades and associated records\\n\\nchange control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","parameters":[{"id":"cm-3_prm_1","label":"organization-defined time period"},{"id":"cm-3_prm_2","label":"organization-defined configuration change control element (e.g., committee,\n               board)"},{"id":"cm-3_prm_3"},{"id":"cm-3_prm_4","depends-on":"cm-3_prm_3","label":"organization-defined frequency"},{"id":"cm-3_prm_5","depends-on":"cm-3_prm_3","label":"organization-defined configuration change conditions"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-3"},{"name":"sort-id","value":"cm-03"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines the types of changes to the information system that are\n                  configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews proposed configuration-controlled changes to the information system and\n                  approves or disapproves such changes with explicit consideration for security\n                  impact analyses;"},{"id":"cm-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents configuration change decisions associated with the information\n                  system;"},{"id":"cm-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implements approved configuration-controlled changes to the information\n                  system;"},{"id":"cm-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retains records of configuration-controlled changes to the information system for\n                     {{ cm-3_prm_1 }};"},{"id":"cm-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Audits and reviews activities associated with configuration-controlled changes to\n                  the information system; and"},{"id":"cm-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Coordinates and provides oversight for configuration change control activities\n                  through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}."},{"id":"cm-3_fr","name":"item","title":"CM-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-3_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO."},{"id":"cm-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(e) Guidance:"}],"prose":"In accordance with record retention policies and procedures."}]}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change controls for organizational information systems involve the\n               systematic proposal, justification, implementation, testing, review, and disposition\n               of changes to the systems, including system upgrades and modifications. Configuration\n               change control includes changes to baseline configurations for components and\n               configuration items of information systems, changes to configuration settings for\n               information technology products (e.g., operating systems, applications, firewalls,\n               routers, and mobile devices), unscheduled/unauthorized changes, and changes to\n               remediate vulnerabilities. Typical processes for managing configuration changes to\n               information systems include, for example, Configuration Control Boards that approve\n               proposed changes to systems. For new development information systems or systems\n               undergoing major upgrades, organizations consider including representatives from\n               development organizations on the Configuration Control Boards. Auditing of changes\n               includes activities before and after changes are made to organizational information\n               systems and the auditing activities required to implement such changes.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-12","rel":"related","text":"SI-12"}]},{"id":"cm-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(a)"}],"prose":"determines the type of changes to the information system that must be\n                  configuration-controlled;"},{"id":"cm-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-3(b)"}],"prose":"reviews proposed configuration-controlled changes to the information system and\n                  approves or disapproves such changes with explicit consideration for security\n                  impact analyses;"},{"id":"cm-3.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-3(c)"}],"prose":"documents configuration change decisions associated with the information\n                  system;"},{"id":"cm-3.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(d)"}],"prose":"implements approved configuration-controlled changes to the information\n                  system;"},{"id":"cm-3.e_obj","name":"objective","properties":[{"name":"label","value":"CM-3(e)"}],"parts":[{"id":"cm-3.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(e)[1]"}],"prose":"defines a time period to retain records of configuration-controlled changes to\n                     the information system;"},{"id":"cm-3.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(e)[2]"}],"prose":"retains records of configuration-controlled changes to the information system\n                     for the organization-defined time period;"}]},{"id":"cm-3.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(f)"}],"prose":"audits and reviews activities associated with configuration-controlled changes to\n                  the information system;"},{"id":"cm-3.g_obj","name":"objective","properties":[{"name":"label","value":"CM-3(g)"}],"parts":[{"id":"cm-3.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(g)[1]"}],"prose":"defines a configuration change control element (e.g., committee, board)\n                     responsible for coordinating and providing oversight for configuration change\n                     control activities;"},{"id":"cm-3.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(g)[2]"}],"prose":"defines the frequency with which the configuration change control element must\n                     convene; and/or"},{"id":"cm-3.g_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(g)[3]"}],"prose":"defines configuration change conditions that prompt the configuration change\n                     control element to convene; and"},{"id":"cm-3.g_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(g)[4]"}],"prose":"coordinates and provides oversight for configuration change control activities\n                     through organization-defined configuration change control element that convenes\n                     at organization-defined frequency and/or for any organization-defined\n                     configuration change conditions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\ninformation system architecture and configuration documentation\\n\\nsecurity plan\\n\\nchange control records\\n\\ninformation system audit records\\n\\nchange control audit and review reports\\n\\nagenda /minutes from configuration change control oversight meetings\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nmembers of change control board or similar"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\\n\\nautomated mechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.1","class":"SP800-53-enhancement","title":"Automated Document / Notification / Prohibition of Changes","parameters":[{"id":"cm-3.1_prm_1","label":"organized-defined approval authorities"},{"id":"cm-3.1_prm_2","label":"organization-defined time period","constraints":[{"detail":"organization agreed upon time period"}]},{"id":"cm-3.1_prm_3","label":"organization-defined personnel","constraints":[{"detail":"organization defined configuration management approval authorities"}]}],"properties":[{"name":"label","value":"CM-3(1)"},{"name":"sort-id","value":"cm-03.01"}],"parts":[{"id":"cm-3.1_smt","name":"statement","prose":"The organization employs automated mechanisms to:","parts":[{"id":"cm-3.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to the information system;"},{"id":"cm-3.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Notify {{ cm-3.1_prm_1 }} of proposed changes to the information\n                     system and request change approval;"},{"id":"cm-3.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Highlight proposed changes to the information system that have not been\n                     approved or disapproved by {{ cm-3.1_prm_2 }};"},{"id":"cm-3.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Prohibit changes to the information system until designated approvals are\n                     received;"},{"id":"cm-3.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Document all changes to the information system; and"},{"id":"cm-3.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Notify {{ cm-3.1_prm_3 }} when approved changes to the\n                     information system are completed."}]},{"id":"cm-3.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.1.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(1)(a)"}],"prose":"employs automated mechanisms to document proposed changes to the information\n                     system;","links":[{"href":"#cm-3.1_smt.a","rel":"corresp","text":"CM-3(1)(a)"}]},{"id":"cm-3.1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-3(1)(b)"}],"parts":[{"id":"cm-3.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(1)(b)[1]"}],"prose":"defines approval authorities to be notified of proposed changes to the\n                        information system and request change approval;"},{"id":"cm-3.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(1)(b)[2]"}],"prose":"employs automated mechanisms to notify organization-defined approval\n                        authorities of proposed changes to the information system and request change\n                        approval;"}],"links":[{"href":"#cm-3.1_smt.b","rel":"corresp","text":"CM-3(1)(b)"}]},{"id":"cm-3.1.c_obj","name":"objective","properties":[{"name":"label","value":"CM-3(1)(c)"}],"parts":[{"id":"cm-3.1.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(1)(c)[1]"}],"prose":"defines the time period within which proposed changes to the information\n                        system that have not been approved or disapproved must be highlighted;"},{"id":"cm-3.1.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(1)(c)[2]"}],"prose":"employs automated mechanisms to highlight proposed changes to the\n                        information system that have not been approved or disapproved by\n                        organization-defined time period;"}],"links":[{"href":"#cm-3.1_smt.c","rel":"corresp","text":"CM-3(1)(c)"}]},{"id":"cm-3.1.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(1)(d)"}],"prose":"employs automated mechanisms to prohibit changes to the information system\n                     until designated approvals are received;","links":[{"href":"#cm-3.1_smt.d","rel":"corresp","text":"CM-3(1)(d)"}]},{"id":"cm-3.1.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(1)(e)"}],"prose":"employs automated mechanisms to document all changes to the information\n                     system;","links":[{"href":"#cm-3.1_smt.e","rel":"corresp","text":"CM-3(1)(e)"}]},{"id":"cm-3.1.f_obj","name":"objective","properties":[{"name":"label","value":"CM-3(1)(f)"}],"parts":[{"id":"cm-3.1.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(1)(f)[1]"}],"prose":"defines personnel to be notified when approved changes to the information\n                        system are completed; and"},{"id":"cm-3.1.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(1)(f)[2]"}],"prose":"employs automated mechanisms to notify organization-defined personnel when\n                        approved changes to the information system are completed."}],"links":[{"href":"#cm-3.1_smt.f","rel":"corresp","text":"CM-3(1)(f)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\nautomated configuration control mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nchange approval requests\\n\\nchange approvals\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\\n\\nautomated mechanisms implementing configuration change control activities"}]}]},{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Test / Validate / Document Changes","properties":[{"name":"label","value":"CM-3(2)"},{"name":"sort-id","value":"cm-03.02"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"The organization tests, validates, and documents changes to the information system\n                  before implementing the changes on the operational system."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to information systems include modifications to hardware, software, or\n                  firmware components and configuration settings defined in CM-6. Organizations\n                  ensure that testing does not interfere with information system operations.\n                  Individuals/groups conducting tests understand organizational security policies\n                  and procedures, information system security policies and procedures, and the\n                  specific health, safety, and environmental risks associated with particular\n                  facilities/processes. Operational systems may need to be taken off-line, or\n                  replicated to the extent feasible, before testing can be conducted. If information\n                  systems must be taken off-line for testing, the tests are scheduled to occur\n                  during planned system outages whenever possible. If testing cannot be conducted on\n                  operational systems, organizations employ compensating controls (e.g., testing on\n                  replicated systems)."},{"id":"cm-3.2_obj","name":"objective","prose":"Determine if the organization, before implementing changes on the operational\n                  system:","parts":[{"id":"cm-3.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(2)[1]"}],"prose":"tests changes to the information system;"},{"id":"cm-3.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(2)[2]"}],"prose":"validates changes to the information system; and"},{"id":"cm-3.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(2)[3]"}],"prose":"documents changes to the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing information system configuration change control\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ntest records\\n\\nvalidation records\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\\n\\nautomated mechanisms supporting and/or implementing testing, validating, and\n                     documenting information system changes"}]}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security Representative","parameters":[{"id":"cm-3.4_prm_1","label":"organization-defined configuration change control element","constraints":[{"detail":"Configuration control board (CCB) or similar (as defined in CM-3)"}]}],"properties":[{"name":"label","value":"CM-3(4)"},{"name":"sort-id","value":"cm-03.04"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"The organization requires an information security representative to be a member of\n                  the {{ cm-3.4_prm_1 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security representatives can include, for example, senior agency\n                  information security officers, information system security officers, or\n                  information system security managers. Representation by personnel with information\n                  security expertise is important because changes to information system\n                  configurations can have unintended side effects, some of which may be\n                  security-relevant. Detecting such changes early in the process can help avoid\n                  unintended, negative consequences that could ultimately affect the security state\n                  of organizational information systems. The configuration change control element in\n                  this control enhancement reflects the change control elements defined by\n                  organizations in CM-3."},{"id":"cm-3.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-3(4)[1]"}],"prose":"specifies the configuration change control elements (as defined in CM-3g) of\n                     which an information security representative is to be a member; and"},{"id":"cm-3.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(4)[2]"}],"prose":"requires an information security representative to be a member of the specified\n                     configuration control element."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control"}]}]},{"id":"cm-3.6","class":"SP800-53-enhancement","title":"Cryptography Management","parameters":[{"id":"cm-3.6_prm_1","label":"organization-defined security safeguards","constraints":[{"detail":"All security safeguards that rely on cryptography"}]}],"properties":[{"name":"label","value":"CM-3(6)"},{"name":"sort-id","value":"cm-03.06"}],"parts":[{"id":"cm-3.6_smt","name":"statement","prose":"The organization ensures that cryptographic mechanisms used to provide {{ cm-3.6_prm_1 }} are under configuration management."},{"id":"cm-3.6_gdn","name":"guidance","prose":"Regardless of the cryptographic means employed (e.g., public key, private key,\n                  shared secrets), organizations ensure that there are processes and procedures in\n                  place to effectively manage those means. For example, if devices use certificates\n                  as a basis for identification and authentication, there needs to be a process in\n                  place to address the expiration of those certificates.","links":[{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"cm-3.6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.6_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(6)[1]"}],"prose":"defines security safeguards provided by cryptographic mechanisms that are to be\n                     under configuration management; and"},{"id":"cm-3.6_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(6)[2]"}],"prose":"ensures that cryptographic mechanisms used to provide organization-defined\n                     security safeguards are under configuration management."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\\n\\ncryptographic mechanisms implementing organizational security safeguards"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","properties":[{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential\n               security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g.,\n               Information System Administrators, Information System Security Officers, Information\n               System Security Managers, and Information System Security Engineers) conduct security\n               impact analyses. Individuals conducting security impact analyses possess the\n               necessary skills/technical expertise to analyze the changes to information systems\n               and the associated security ramifications. Security impact analysis may include, for\n               example, reviewing security plans to understand security control requirements and\n               reviewing system design documentation to understand control implementation and how\n               specific changes might affect the controls. Security impact analyses may also include\n               assessments of risk to better understand the impact of the changes and to determine\n               if additional security controls are required. Security impact analyses are scaled in\n               accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine\n               potential security impacts prior to change implementation."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact\n                  analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}],"controls":[{"id":"cm-4.1","class":"SP800-53-enhancement","title":"Separate Test Environments","properties":[{"name":"label","value":"CM-4(1)"},{"name":"sort-id","value":"cm-04.01"}],"parts":[{"id":"cm-4.1_smt","name":"statement","prose":"The organization analyzes changes to the information system in a separate test\n                  environment before implementation in an operational environment, looking for\n                  security impacts due to flaws, weaknesses, incompatibility, or intentional\n                  malice."},{"id":"cm-4.1_gdn","name":"guidance","prose":"Separate test environment in this context means an environment that is physically\n                  or logically isolated and distinct from the operational environment. The\n                  separation is sufficient to ensure that activities in the test environment do not\n                  impact activities in the operational environment, and information in the\n                  operational environment is not inadvertently transmitted to the test environment.\n                  Separate environments can be achieved by physical or logical means. If physically\n                  separate test environments are not used, organizations determine the strength of\n                  mechanism required when implementing logical separation (e.g., separation achieved\n                  through virtual machines).","links":[{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sc-3","rel":"related","text":"SC-3"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-4.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-4.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-4(1)[1]"}],"prose":"analyzes changes to the information system in a separate test environment\n                     before implementation in an operational environment;"},{"id":"cm-4.1_obj.2","name":"objective","properties":[{"name":"label","value":"CM-4(1)[2]"}],"prose":"when analyzing changes to the information system in a separate test\n                     environment, looks for security impacts due to:","parts":[{"id":"cm-4.1_obj.2.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-4(1)[2][a]"}],"prose":"flaws;"},{"id":"cm-4.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-4(1)[2][b]"}],"prose":"weaknesses;"},{"id":"cm-4.1_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-4(1)[2][c]"}],"prose":"incompatibility; and"},{"id":"cm-4.1_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-4(1)[2][d]"}],"prose":"intentional malice."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs information system design\n                     documentation\\n\\ninformation system architecture and configuration documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\ndocumentation evidence of separate test and operational environments\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact\n                     analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis\\n\\nautomated mechanisms supporting and/or implementing security impact analysis of\n                     changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","properties":[{"name":"label","value":"CM-5"},{"name":"sort-id","value":"cm-05"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"The organization defines, documents, approves, and enforces physical and logical\n               access restrictions associated with changes to the information system."},{"id":"cm-5_gdn","name":"guidance","prose":"Any changes to the hardware, software, and/or firmware components of information\n               systems can potentially have significant effects on the overall security of the\n               systems. Therefore, organizations permit only qualified and authorized individuals to\n               access information systems for purposes of initiating changes, including upgrades and\n               modifications. Organizations maintain records of access to ensure that configuration\n               change control is implemented and to support after-the-fact actions should\n               organizations discover any unauthorized changes. Access restrictions for change also\n               include software libraries. Access restrictions include, for example, physical and\n               logical access controls (see AC-3 and PE-3), workflow automation, media libraries,\n               abstract layers (e.g., changes implemented into third-party interfaces rather than\n               directly into information systems), and change windows (e.g., changes occur only\n               during specified times, making unauthorized changes easy to discover).","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#pe-3","rel":"related","text":"PE-3"}]},{"id":"cm-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-5_obj.1","name":"objective","properties":[{"name":"label","value":"CM-5[1]"}],"prose":"defines physical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.2","name":"objective","properties":[{"name":"label","value":"CM-5[2]"}],"prose":"documents physical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.3","name":"objective","properties":[{"name":"label","value":"CM-5[3]"}],"prose":"approves physical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.4","name":"objective","properties":[{"name":"label","value":"CM-5[4]"}],"prose":"enforces physical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.5","name":"objective","properties":[{"name":"label","value":"CM-5[5]"}],"prose":"defines logical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.6","name":"objective","properties":[{"name":"label","value":"CM-5[6]"}],"prose":"documents logical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.7","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5[7]"}],"prose":"approves logical access restrictions associated with changes to the information\n                  system; and"},{"id":"cm-5_obj.8","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5[8]"}],"prose":"enforces logical access restrictions associated with changes to the information\n                  system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlogical access approvals\\n\\nphysical access approvals\\n\\naccess credentials\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with logical access control responsibilities\\n\\norganizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting/implementing/enforcing access restrictions\n                  associated with changes to the information system"}]}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement / Auditing","properties":[{"name":"label","value":"CM-5(1)"},{"name":"sort-id","value":"cm-05.01"}],"parts":[{"id":"cm-5.1_smt","name":"statement","prose":"The information system enforces access restrictions and supports auditing of the\n                  enforcement actions."},{"id":"cm-5.1_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"}]},{"id":"cm-5.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"cm-5.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(1)[1]"}],"prose":"enforces access restrictions for change; and"},{"id":"cm-5.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(1)[2]"}],"prose":"supports auditing of the enforcement actions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms implementing enforcement of access restrictions for\n                     changes to the information system\\n\\nautomated mechanisms supporting auditing of enforcement actions"}]}]},{"id":"cm-5.2","class":"SP800-53-enhancement","title":"Review System Changes","parameters":[{"id":"cm-5.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every thirty (30) days"}]},{"id":"cm-5.2_prm_2","label":"organization-defined circumstances"}],"properties":[{"name":"label","value":"CM-5(2)"},{"name":"sort-id","value":"cm-05.02"}],"parts":[{"id":"cm-5.2_smt","name":"statement","prose":"The organization reviews information system changes {{ cm-5.2_prm_1 }} and {{ cm-5.2_prm_2 }} to determine\n                  whether unauthorized changes have occurred."},{"id":"cm-5.2_gdn","name":"guidance","prose":"Indications that warrant review of information system changes and the specific\n                  circumstances justifying such reviews may be obtained from activities carried out\n                  by organizations during the configuration change process.","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-8","rel":"related","text":"PE-8"}]},{"id":"cm-5.2_obj","name":"objective","prose":"Determine if the organization, in an effort to ascertain whether unauthorized\n                  changes have occurred:","parts":[{"id":"cm-5.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-5(2)[1]"}],"prose":"defines the frequency to review information system changes;"},{"id":"cm-5.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-5(2)[2]"}],"prose":"defines circumstances that warrant review of information system changes;"},{"id":"cm-5.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(2)[3]"}],"prose":"reviews information system changes with the organization-defined frequency;\n                     and"},{"id":"cm-5.2_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(2)[4]"}],"prose":"reviews information system changes with the organization-defined\n                     circumstances."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nreviews of information system changes\\n\\naudit and review reports\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting/implementing information system reviews to\n                     determine whether unauthorized changes have occurred"}]}]},{"id":"cm-5.3","class":"SP800-53-enhancement","title":"Signed Components","parameters":[{"id":"cm-5.3_prm_1","label":"organization-defined software and firmware components"}],"properties":[{"name":"label","value":"CM-5(3)"},{"name":"sort-id","value":"cm-05.03"}],"parts":[{"id":"cm-5.3_smt","name":"statement","prose":"The information system prevents the installation of {{ cm-5.3_prm_1 }} without verification that the component has been\n                  digitally signed using a certificate that is recognized and approved by the\n                  organization.","parts":[{"id":"cm-5.3_fr","name":"item","title":"CM-5 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-5.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized."}]}]},{"id":"cm-5.3_gdn","name":"guidance","prose":"Software and firmware components prevented from installation unless signed with\n                  recognized and approved certificates include, for example, software and firmware\n                  version updates, patches, service packs, device drivers, and basic input output\n                  system (BIOS) updates. Organizations can identify applicable software and firmware\n                  components by type, by specific items, or a combination of both. Digital\n                  signatures and organizational verification of such signatures, is a method of code\n                  authentication.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"cm-5.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-5.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-5(3)[1]"}],"prose":"the organization defines software and firmware components that the information\n                     system will prevent from being installed without verification that such\n                     components have been digitally signed using a certificate that is recognized\n                     and approved by the organization; and"},{"id":"cm-5.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(3)[2]"}],"prose":"the information system prevents the installation of organization-defined\n                     software and firmware components without verification that such components have\n                     been digitally signed using a certificate that is recognized and approved by\n                     the organization."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nlist of software and firmware components to be prohibited from installation\n                     without a recognized and approved certificate\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms preventing installation of software and firmware\n                     components not signed with an organization-recognized and approved\n                     certificate"}]}]},{"id":"cm-5.5","class":"SP800-53-enhancement","title":"Limit Production / Operational Privileges","parameters":[{"id":"cm-5.5_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least quarterly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-5(5)"},{"name":"sort-id","value":"cm-05.05"}],"parts":[{"id":"cm-5.5_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-5.5_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Limits privileges to change information system components and system-related\n                     information within a production or operational environment; and"},{"id":"cm-5.5_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Reviews and reevaluates privileges {{ cm-5.5_prm_1 }}."}]},{"id":"cm-5.5_gdn","name":"guidance","prose":"In many organizations, information systems support multiple core missions/business\n                  functions. Limiting privileges to change information system components with\n                  respect to operational systems is necessary because changes to a particular\n                  information system component may have far-reaching effects on mission/business\n                  processes supported by the system where the component resides. The complex,\n                  many-to-many relationships between systems and mission/business processes are in\n                  some cases, unknown to developers.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"}]},{"id":"cm-5.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-5.5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(5)(a)"}],"prose":"limits privileges to change information system components and system-related\n                     information within a production or operational environment;","links":[{"href":"#cm-5.5_smt.a","rel":"corresp","text":"CM-5(5)(a)"}]},{"id":"cm-5.5.b_obj","name":"objective","properties":[{"name":"label","value":"CM-5(5)(b)"}],"parts":[{"id":"cm-5.5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-5(5)(b)[1]"}],"prose":"defines the frequency to review and reevaluate privileges; and"},{"id":"cm-5.5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-5(5)(b)[2]"}],"prose":"reviews and reevaluates privileges with the organization-defined\n                        frequency."}],"links":[{"href":"#cm-5.5_smt.b","rel":"corresp","text":"CM-5(5)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nuser privilege reviews\\n\\nuser privilege recertifications\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting and/or implementing access restrictions for\n                     change"}]}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","parameters":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists","guidance":[{"prose":"See CM-6(a) Additional FedRAMP Requirements and Guidance"}]},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference","text":"OMB Memorandum 07-11"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference","text":"OMB Memorandum 07-18"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference","text":"OMB Memorandum 08-22"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference","text":"http://checklists.nist.gov"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference","text":"http://www.nsa.gov"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology\n                  products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with\n                  operational requirements;"},{"id":"cm-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration\n                  settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with\n                  organizational policies and procedures."},{"id":"cm-6_fr","name":"item","title":"CM-6(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}]}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware,\n               software, or firmware components of the information system that affect the security\n               posture and/or functionality of the system. Information technology products for which\n               security-related configuration settings can be defined include, for example,\n               mainframe computers, servers (e.g., database, electronic mail, authentication, web,\n               proxy, file, domain name), workstations, input/output devices (e.g., scanners,\n               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice\n               and data switches, wireless access points, network appliances, sensors), operating\n               systems, middleware, and applications. Security-related parameters are those\n               parameters impacting the security state of information systems including the\n               parameters required to satisfy other security control requirements. Security-related\n               parameters include, for example: (i) registry settings; (ii) account, file, directory\n               permission settings; and (iii) settings for functions, ports, protocols, services,\n               and remote connections. Organizations establish organization-wide configuration\n               settings and subsequently derive specific settings for information systems. The\n               established settings become part of the systems configuration baseline. Common secure\n               configurations (also referred to as security configuration checklists, lockdown and\n               hardening guides, security reference guides, security technical implementation\n               guides) provide recognized, standardized, and established benchmarks that stipulate\n               secure configuration settings for specific information technology platforms/products\n               and instructions for configuring those information system components to meet\n               operational requirements. Common secure configurations can be developed by a variety\n               of organizations including, for example, information technology product developers,\n               manufacturers, vendors, consortia, academia, industry, federal agencies, and other\n               organizations in the public and private sectors. Common secure configurations include\n               the United States Government Configuration Baseline (USGCB) which affects the\n               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security\n               Content Automation Protocol (SCAP) and the defined standards within the protocol\n               (e.g., Common Configuration Enumeration) provide an effective method to uniquely\n               identify, track, and control configuration settings. OMB establishes federal policy\n               on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","properties":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document\n                     configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most\n                     restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology\n                     products employed within the information system using organization-defined\n                     security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","properties":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established\n                     configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration\n                        settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration\n                        settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","properties":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with\n                     organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with\n                     organizational policies and procedures."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nevidence supporting approved deviations from established configuration\n                  settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\\n\\nautomated mechanisms that implement, monitor, and/or control information system\n                  configuration settings\\n\\nautomated mechanisms that identify and/or document deviations from established\n                  configuration settings"}]}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Central Management / Application / Verification","parameters":[{"id":"cm-6.1_prm_1","label":"organization-defined information system components"}],"properties":[{"name":"label","value":"CM-6(1)"},{"name":"sort-id","value":"cm-06.01"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to centrally manage, apply, and\n                  verify configuration settings for {{ cm-6.1_prm_1 }}."},{"id":"cm-6.1_gdn","name":"guidance","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"}]},{"id":"cm-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(1)[1]"}],"prose":"defines information system components for which automated mechanisms are to be\n                     employed to:","parts":[{"id":"cm-6.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-6(1)[1][a]"}],"prose":"centrally manage configuration settings of such components;"},{"id":"cm-6.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-6(1)[1][b]"}],"prose":"apply configuration settings of such components;"},{"id":"cm-6.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-6(1)[1][c]"}],"prose":"verify configuration settings of such components;"}]},{"id":"cm-6.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(1)[2]"}],"prose":"employs automated mechanisms to:","parts":[{"id":"cm-6.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-6(1)[2][a]"}],"prose":"centrally manage configuration settings for organization-defined information\n                        system components;"},{"id":"cm-6.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-6(1)[2][b]"}],"prose":"apply configuration settings for organization-defined information system\n                        components; and"},{"id":"cm-6.1_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-6(1)[2][c]"}],"prose":"verify configuration settings for organization-defined information system\n                        components."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\\n\\nautomated mechanisms implemented to centrally manage, apply, and verify\n                     information system configuration settings"}]}]},{"id":"cm-6.2","class":"SP800-53-enhancement","title":"Respond to Unauthorized Changes","parameters":[{"id":"cm-6.2_prm_1","label":"organization-defined security safeguards"},{"id":"cm-6.2_prm_2","label":"organization-defined configuration settings"}],"properties":[{"name":"label","value":"CM-6(2)"},{"name":"sort-id","value":"cm-06.02"}],"parts":[{"id":"cm-6.2_smt","name":"statement","prose":"The organization employs {{ cm-6.2_prm_1 }} to respond to\n                  unauthorized changes to {{ cm-6.2_prm_2 }}."},{"id":"cm-6.2_gdn","name":"guidance","prose":"Responses to unauthorized changes to configuration settings can include, for\n                  example, alerting designated organizational personnel, restoring established\n                  configuration settings, or in extreme cases, halting affected information system\n                  processing.","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"cm-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(2)[1]"}],"prose":"defines configuration settings that, if modified by unauthorized changes,\n                     result in organizational security safeguards being employed to respond to such\n                     changes;"},{"id":"cm-6.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(2)[2]"}],"prose":"defines security safeguards to be employed to respond to unauthorized changes\n                     to organization-defined configuration settings; and"},{"id":"cm-6.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(2)[3]"}],"prose":"employs organization-defined security safeguards to respond to unauthorized\n                     changes to organization-defined configuration settings."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications of unauthorized changes to information system\n                     configuration settings\\n\\ndocumented responses to unauthorized changes to information system\n                     configuration settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for responding to unauthorized changes to information\n                     system configuration settings\\n\\nautomated mechanisms supporting and/or implementing security safeguards for\n                     response to unauthorized changes"}]}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","parameters":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and/or\n               services","constraints":[{"detail":"United States Government Configuration Baseline (USGCB)"}]}],"properties":[{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference","text":"DoD Instruction 8551.01"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols,\n                  and/or services: {{ cm-7_prm_1 }}."},{"id":"cm-7_fr","name":"item","title":"CM-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."},{"id":"cm-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8)."}]}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the\n               functions and services, provided by default, may not be necessary to support\n               essential organizational operations (e.g., key missions, functions). Additionally, it\n               is sometimes convenient to provide multiple services from single information system\n               components, but doing so increases risk over limiting the services provided by any\n               one component. Where feasible, organizations limit component functionality to a\n               single function per device (e.g., email servers or web servers, but not both).\n               Organizations review functions and services provided by information systems or\n               individual components of information systems, to determine which functions and\n               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant\n               Messaging, auto-execute, and file sharing). Organizations consider disabling unused\n               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File\n               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to\n               prevent unauthorized connection of devices, unauthorized transfer of information, or\n               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion\n               detection and prevention systems, and end-point protections such as firewalls and\n               host-based intrusion detection systems to identify and prevent the use of prohibited\n               functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","properties":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.b_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.b_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing least functionality in the information system\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols,\n                  and/or services\\n\\nautomated mechanisms implementing restrictions or prohibition of functions, ports,\n                  protocols, and/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","parameters":[{"id":"cm-7.1_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]},{"id":"cm-7.1_prm_2","label":"organization-defined functions, ports, protocols, and services within the\n                  information system deemed to be unnecessary and/or nonsecure"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-7(1)"},{"name":"sort-id","value":"cm-07.01"}],"parts":[{"id":"cm-7.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Reviews the information system {{ cm-7.1_prm_1 }} to identify\n                     unnecessary and/or nonsecure functions, ports, protocols, and services; and"},{"id":"cm-7.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Disables {{ cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"The organization can either make a determination of the relative security of the\n                  function, port, protocol, and/or service or base the security decision on the\n                  assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are\n                  examples of less than secure protocols.","links":[{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ia-2","rel":"related","text":"IA-2"}]},{"id":"cm-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.1.a_obj","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)"}],"parts":[{"id":"cm-7.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(1)(a)[1]"}],"prose":"defines the frequency to review the information system to identify\n                        unnecessary and/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[1][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.1.a_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(1)(a)[2]"}],"prose":"reviews the information system with the organization-defined frequency to\n                        identify unnecessary and/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[2][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.1.a_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[2][d]"}],"prose":"services;"}]}],"links":[{"href":"#cm-7.1_smt.a","rel":"corresp","text":"CM-7(1)(a)"}]},{"id":"cm-7.1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)"}],"parts":[{"id":"cm-7.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(1)(b)[1]"}],"prose":"defines, within the information system, unnecessary and/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[1][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.1.b_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(1)(b)[2]"}],"prose":"disables organization-defined unnecessary and/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[2][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.1.b_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[2][d]"}],"prose":"services."}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"corresp","text":"CM-7(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\ndocumented reviews of functions, ports, protocols, and/or services\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports,\n                     protocols, and services on the information system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for reviewing/disabling nonsecure functions, ports,\n                     protocols, and/or services\\n\\nautomated mechanisms implementing review and disabling of nonsecure functions,\n                     ports, protocols, and/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","parameters":[{"id":"cm-7.2_prm_1"},{"id":"cm-7.2_prm_2","depends-on":"cm-7.2_prm_1","label":"organization-defined policies regarding software program usage and\n                  restrictions"}],"properties":[{"name":"label","value":"CM-7(2)"},{"name":"sort-id","value":"cm-07.02"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"The information system prevents program execution in accordance with {{ cm-7.2_prm_1 }}.","parts":[{"id":"cm-7.2_fr","name":"item","title":"CM-7 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7.2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run."}]}]},{"id":"cm-7.2_gdn","name":"guidance","links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pm-5","rel":"related","text":"PM-5"}]},{"id":"cm-7.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-7.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(2)[1]"}],"prose":"the organization defines policies regarding software program usage and\n                     restrictions;"},{"id":"cm-7.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(2)[2]"}],"prose":"the information system prevents program execution in accordance with one or\n                     more of the following:","parts":[{"id":"cm-7.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(2)[2][a]"}],"prose":"organization-defined policies regarding program usage and restrictions;\n                        and/or"},{"id":"cm-7.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(2)[2][b]"}],"prose":"rules authorizing the terms and conditions of software program usage."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nspecifications for preventing software program execution\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes preventing program execution on the information\n                     system\\n\\norganizational processes for software program usage and restrictions\\n\\nautomated mechanisms preventing program execution on the information system\\n\\nautomated mechanisms supporting and/or implementing software program usage and\n                     restrictions"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software / Whitelisting","parameters":[{"id":"cm-7.5_prm_1","label":"organization-defined software programs authorized to execute on the\n                  information system"},{"id":"cm-7.5_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least quarterly or when there is a change"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-7(5)"},{"name":"sort-id","value":"cm-07.05"}],"parts":[{"id":"cm-7.5_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.5_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Identifies {{ cm-7.5_prm_1 }};"},{"id":"cm-7.5_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Employs a deny-all, permit-by-exception policy to allow the execution of\n                     authorized software programs on the information system; and"},{"id":"cm-7.5_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Reviews and updates the list of authorized software programs {{ cm-7.5_prm_2 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"The process used to identify software programs that are authorized to execute on\n                  organizational information systems is commonly referred to as whitelisting. In\n                  addition to whitelisting, organizations consider verifying the integrity of\n                  white-listed software programs using, for example, cryptographic checksums,\n                  digital signatures, or hash functions. Verification of white-listed software can\n                  occur either prior to execution or at system startup.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"cm-7.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(5)(a)"}],"prose":"Identifies/defines software programs authorized to execute on the information\n                     system;","links":[{"href":"#cm-7.5_smt.a","rel":"corresp","text":"CM-7(5)(a)"}]},{"id":"cm-7.5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(5)(b)"}],"prose":"employs a deny-all, permit-by-exception policy to allow the execution of\n                     authorized software programs on the information system;","links":[{"href":"#cm-7.5_smt.b","rel":"corresp","text":"CM-7(5)(b)"}]},{"id":"cm-7.5.c_obj","name":"objective","properties":[{"name":"label","value":"CM-7(5)(c)"}],"parts":[{"id":"cm-7.5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(5)(c)[1]"}],"prose":"defines the frequency to review and update the list of authorized software\n                        programs on the information system; and"},{"id":"cm-7.5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(5)(c)[2]"}],"prose":"reviews and updates the list of authorized software programs with the\n                        organization-defined frequency."}],"links":[{"href":"#cm-7.5_smt.c","rel":"corresp","text":"CM-7(5)(c)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of software programs authorized to execute on the information system\\n\\nsecurity configuration checklists\\n\\nreview and update records associated with list of authorized software\n                     programs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for identifying software\n                     authorized to execute on the information system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for identifying, reviewing, and updating programs\n                     authorized to execute on the information system\\n\\norganizational process for implementing whitelisting\\n\\nautomated mechanisms implementing whitelisting"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","parameters":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective\n               information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information\n                     system;"},{"id":"cm-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting;\n                     and"},{"id":"cm-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Includes {{ cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ cm-8_prm_2 }}."},{"id":"cm-8_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}]}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component\n               inventories that include components from all organizational information systems. In\n               such situations, organizations ensure that the resulting inventories include\n               system-specific information required for proper component accountability (e.g.,\n               information system association, information system owner). Information deemed\n               necessary for effective accountability of information system components includes, for\n               example, hardware inventory specifications, software license information, software\n               version numbers, component owners, and for networked components or devices, machine\n               names and network addresses. Inventory specifications include, for example,\n               manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pm-5","rel":"related","text":"PM-5"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that\n                     accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that\n                     includes all components within the authorization boundary of the information\n                     system;"},{"id":"cm-8.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at\n                     the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information\n                        system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that\n                        includes organization-defined information deemed necessary to achieve\n                        effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","properties":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component\n                     inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the\n                     organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component\n                  inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of\n                  information system components\\n\\nautomated mechanisms supporting and/or implementing the information system\n                  component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installations / Removals","properties":[{"name":"label","value":"CM-8(1)"},{"name":"sort-id","value":"cm-08.01"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"The organization updates the inventory of information system components as an\n                  integral part of component installations, removals, and information system\n                  updates."},{"id":"cm-8.1_obj","name":"objective","prose":"Determine if the organization updates the inventory of information system\n                  components as an integral part of:","parts":[{"id":"cm-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(1)[1]"}],"prose":"component installations;"},{"id":"cm-8.1_obj.2","name":"objective","properties":[{"name":"label","value":"CM-8(1)[2]"}],"prose":"component removals; and"},{"id":"cm-8.1_obj.3","name":"objective","properties":[{"name":"label","value":"CM-8(1)[3]"}],"prose":"information system updates."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\ncomponent installation records\\n\\ncomponent removal records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for updating the information\n                     system component inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for updating inventory of information system\n                     components\\n\\nautomated mechanisms implementing updating of the information system component\n                     inventory"}]}]},{"id":"cm-8.2","class":"SP800-53-enhancement","title":"Automated Maintenance","properties":[{"name":"label","value":"CM-8(2)"},{"name":"sort-id","value":"cm-08.02"}],"parts":[{"id":"cm-8.2_smt","name":"statement","prose":"The organization employs automated mechanisms to help maintain an up-to-date,\n                  complete, accurate, and readily available inventory of information system\n                  components."},{"id":"cm-8.2_gdn","name":"guidance","prose":"Organizations maintain information system inventories to the extent feasible.\n                  Virtual machines, for example, can be difficult to monitor because such machines\n                  are not visible to the network when not in use. In such cases, organizations\n                  maintain as up-to-date, complete, and accurate an inventory as is deemed\n                  reasonable. This control enhancement can be satisfied by the implementation of\n                  CM-2 (2) for organizations that choose to combine information system component\n                  inventory and baseline configuration activities.","links":[{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"cm-8.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to maintain an\n                  inventory of information system components that is:","parts":[{"id":"cm-8.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(2)[1]"}],"prose":"up-to-date;"},{"id":"cm-8.2_obj.2","name":"objective","properties":[{"name":"label","value":"CM-8(2)[2]"}],"prose":"complete;"},{"id":"cm-8.2_obj.3","name":"objective","properties":[{"name":"label","value":"CM-8(2)[3]"}],"prose":"accurate; and"},{"id":"cm-8.2_obj.4","name":"objective","properties":[{"name":"label","value":"CM-8(2)[4]"}],"prose":"readily available."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing information system component inventory\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system inventory records\\n\\nchange control records\\n\\ninformation system maintenance records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated\n                     mechanisms implementing the information system component inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system\n                     components\\n\\nautomated mechanisms implementing the information system component\n                     inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","parameters":[{"id":"cm-8.3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"Continuously, using automated mechanisms with a maximum five-minute delay in detection."}]},{"id":"cm-8.3_prm_2"},{"id":"cm-8.3_prm_3","depends-on":"cm-8.3_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-8(3)"},{"name":"sort-id","value":"cm-08.03"}],"parts":[{"id":"cm-8.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms {{ cm-8.3_prm_1 }} to detect the\n                     presence of unauthorized hardware, software, and firmware components within the\n                     information system; and"},{"id":"cm-8.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Takes the following actions when unauthorized components are detected: {{ cm-8.3_prm_2 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"This control enhancement is applied in addition to the monitoring for unauthorized\n                  remote connections and mobile devices. Monitoring for unauthorized system\n                  components may be accomplished on an ongoing basis or by the periodic scanning of\n                  systems for that purpose. Automated mechanisms can be implemented within\n                  information systems or in other separate devices. Isolation can be achieved, for\n                  example, by placing unauthorized information system components in separate domains\n                  or subnets or otherwise quarantining such components. This type of component\n                  isolation is commonly referred to as sandboxing.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"cm-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.3.a_obj","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)"}],"parts":[{"id":"cm-8.3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(3)(a)[1]"}],"prose":"defines the frequency to employ automated mechanisms to detect the presence\n                        of unauthorized:","parts":[{"id":"cm-8.3.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[1][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[1][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[1][c]"}],"prose":"firmware components within the information system;"}]},{"id":"cm-8.3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(3)(a)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to\n                        detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[2][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[2][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[2][c]"}],"prose":"firmware components within the information system;"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"corresp","text":"CM-8(3)(a)"}]},{"id":"cm-8.3.b_obj","name":"objective","properties":[{"name":"label","value":"CM-8(3)(b)"}],"parts":[{"id":"cm-8.3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(3)(b)[1]"}],"prose":"defines personnel or roles to be notified when unauthorized components are\n                        detected;"},{"id":"cm-8.3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(3)(b)[2]"}],"prose":"takes one or more of the following actions when unauthorized components are\n                        detected:","parts":[{"id":"cm-8.3.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-8(3)(b)[2][a]"}],"prose":"disables network access by such components;"},{"id":"cm-8.3.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-8(3)(b)[2][b]"}],"prose":"isolates the components; and/or"},{"id":"cm-8.3.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-8(3)(b)[2][c]"}],"prose":"notifies organization-defined personnel or roles."}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"corresp","text":"CM-8(3)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system inventory records\\n\\nalerts/notifications of unauthorized components within the information\n                     system\\n\\ninformation system monitoring records\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated\n                     mechanisms implementing unauthorized information system component detection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for detection of unauthorized information system\n                     components\\n\\nautomated mechanisms implementing the detection of unauthorized information\n                     system components"}]}]},{"id":"cm-8.4","class":"SP800-53-enhancement","title":"Accountability Information","parameters":[{"id":"cm-8.4_prm_1","constraints":[{"detail":"position and role"}]}],"properties":[{"name":"label","value":"CM-8(4)"},{"name":"sort-id","value":"cm-08.04"}],"parts":[{"id":"cm-8.4_smt","name":"statement","prose":"The organization includes in the information system component inventory\n                  information, a means for identifying by {{ cm-8.4_prm_1 }},\n                  individuals responsible/accountable for administering those components."},{"id":"cm-8.4_gdn","name":"guidance","prose":"Identifying individuals who are both responsible and accountable for administering\n                  information system components helps to ensure that the assigned components are\n                  properly administered and organizations can contact those individuals if some\n                  action is required (e.g., component is determined to be the source of a\n                  breach/compromise, component needs to be recalled/replaced, or component needs to\n                  be relocated)."},{"id":"cm-8.4_obj","name":"objective","prose":"Determine if the organization includes in the information system component\n                  inventory for information system components, a means for identifying the\n                  individuals responsible and accountable for administering those components by one\n                  or more of the following: ","parts":[{"id":"cm-8.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(4)[1]"}],"prose":"name;"},{"id":"cm-8.4_obj.2","name":"objective","properties":[{"name":"label","value":"CM-8(4)[2]"}],"prose":"position; and/or"},{"id":"cm-8.4_obj.3","name":"objective","properties":[{"name":"label","value":"CM-8(4)[3]"}],"prose":"role."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the information\n                     system component inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system\n                     components\\n\\nautomated mechanisms implementing the information system component\n                     inventory"}]}]},{"id":"cm-8.5","class":"SP800-53-enhancement","title":"No Duplicate Accounting of Components","properties":[{"name":"label","value":"CM-8(5)"},{"name":"sort-id","value":"cm-08.05"}],"parts":[{"id":"cm-8.5_smt","name":"statement","prose":"The organization verifies that all components within the authorization boundary of\n                  the information system are not duplicated in other information system component\n                  inventories."},{"id":"cm-8.5_gdn","name":"guidance","prose":"This control enhancement addresses the potential problem of duplicate accounting\n                  of information system components in large or complex interconnected systems."},{"id":"cm-8.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization verifies that all components within the\n                  authorization boundary of the information system are not duplicated in other\n                  information system inventories. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system inventory responsibilities\\n\\norganizational personnel with responsibilities for defining information system\n                     components within the authorization boundary of the system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system\n                     components\\n\\nautomated mechanisms implementing the information system component\n                     inventory"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-9"},{"name":"sort-id","value":"cm-09"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"The organization develops, documents, and implements a configuration management plan\n               for the information system that:","parts":[{"id":"cm-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and\n                  procedures;"},{"id":"cm-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system\n                  development life cycle and for managing the configuration of the configuration\n                  items;"},{"id":"cm-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the information system and places the\n                  configuration items under configuration management; and"},{"id":"cm-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects the configuration management plan from unauthorized disclosure and\n                  modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management plans satisfy the requirements in configuration management\n               policies while being tailored to individual information systems. Such plans define\n               detailed processes and procedures for how configuration management is used to support\n               system development life cycle activities at the information system level.\n               Configuration management plans are typically developed during the\n               development/acquisition phase of the system development life cycle. The plans\n               describe how to move changes through change management processes, how to update\n               configuration settings and baselines, how to maintain information system component\n               inventories, how to control development, test, and operational environments, and how\n               to develop, release, and update key documents. Organizations can employ templates to\n               help ensure consistent and timely development and implementation of configuration\n               management plans. Such templates can represent a master configuration management plan\n               for the organization at large with subsets of the plan implemented on a system by\n               system basis. Configuration management approval processes include designation of key\n               management stakeholders responsible for reviewing and approving proposed changes to\n               information systems, and personnel that conduct security impact analyses prior to the\n               implementation of changes to the systems. Configuration items are the information\n               system items (hardware, software, firmware, and documentation) to be\n               configuration-managed. As information systems continue through the system development\n               life cycle, new configuration items may be identified and some existing configuration\n               items may no longer need to be under configuration control.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sa-10","rel":"related","text":"SA-10"}]},{"id":"cm-9_obj","name":"objective","prose":"Determine if the organization develops, documents, and implements a configuration\n               management plan for the information system that:","parts":[{"id":"cm-9.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-9(a)"}],"parts":[{"id":"cm-9.a_obj.1","name":"objective","properties":[{"name":"label","value":"CM-9(a)[1]"}],"prose":"addresses roles;"},{"id":"cm-9.a_obj.2","name":"objective","properties":[{"name":"label","value":"CM-9(a)[2]"}],"prose":"addresses responsibilities;"},{"id":"cm-9.a_obj.3","name":"objective","properties":[{"name":"label","value":"CM-9(a)[3]"}],"prose":"addresses configuration management processes and procedures;"}]},{"id":"cm-9.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-9(b)"}],"prose":"establishes a process for:","parts":[{"id":"cm-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"CM-9(b)[1]"}],"prose":"identifying configuration items throughout the SDLC;"},{"id":"cm-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"CM-9(b)[2]"}],"prose":"managing the configuration of the configuration items;"}]},{"id":"cm-9.c_obj","name":"objective","properties":[{"name":"label","value":"CM-9(c)"}],"parts":[{"id":"cm-9.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-9(c)[1]"}],"prose":"defines the configuration items for the information system;"},{"id":"cm-9.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-9(c)[2]"}],"prose":"places the configuration items under configuration management;"}]},{"id":"cm-9.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-9(d)"}],"prose":"protects the configuration management plan from unauthorized:","parts":[{"id":"cm-9.d_obj.1","name":"objective","properties":[{"name":"label","value":"CM-9(d)[1]"}],"prose":"disclosure; and"},{"id":"cm-9.d_obj.2","name":"objective","properties":[{"name":"label","value":"CM-9(d)[2]"}],"prose":"modification."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration management planning\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for developing the configuration\n                  management plan\\n\\norganizational personnel with responsibilities for implementing and managing\n                  processes defined in the configuration management plan\\n\\norganizational personnel with responsibilities for protecting the configuration\n                  management plan\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting the configuration\n                  management plan\\n\\norganizational processes for identifying and managing configuration items\\n\\norganizational processes for protecting the configuration management plan\\n\\nautomated mechanisms implementing the configuration management plan\\n\\nautomated mechanisms for managing configuration items\\n\\nautomated mechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","properties":[{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"},{"id":"cm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple\n               spreadsheets) or automated methods (e.g., specialized tracking applications)\n               depending on organizational needs.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing software usage restrictions\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nsoftware contract agreements and copyright laws\\n\\nsite license documentation\\n\\nlist of software usage restrictions\\n\\nsoftware license tracking reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity\n                  licenses\\n\\norganization process for controlling/documenting the use of peer-to-peer file\n                  sharing technology\\n\\nautomated mechanisms implementing software license tracking\\n\\nautomated mechanisms implementing and controlling the use of peer-to-peer files\n                  sharing technology"}]}],"controls":[{"id":"cm-10.1","class":"SP800-53-enhancement","title":"Open Source Software","parameters":[{"id":"cm-10.1_prm_1","label":"organization-defined restrictions"}],"properties":[{"name":"label","value":"CM-10(1)"},{"name":"sort-id","value":"cm-10.01"}],"parts":[{"id":"cm-10.1_smt","name":"statement","prose":"The organization establishes the following restrictions on the use of open source\n                  software: {{ cm-10.1_prm_1 }}."},{"id":"cm-10.1_gdn","name":"guidance","prose":"Open source software refers to software that is available in source code form.\n                  Certain software rights normally reserved for copyright holders are routinely\n                  provided under software license agreements that permit individuals to study,\n                  change, and improve the software. From a security perspective, the major advantage\n                  of open source software is that it provides organizations with the ability to\n                  examine the source code. However, there are also various licensing issues\n                  associated with open source software including, for example, the constraints on\n                  derivative use of such software."},{"id":"cm-10.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-10(1)[1]"}],"prose":"defines restrictions on the use of open source software; and"},{"id":"cm-10.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-10(1)[2]"}],"prose":"establishes organization-defined restrictions on the use of open source\n                     software."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing restrictions on use of open source software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for establishing and enforcing\n                     restrictions on use of open source software\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for restricting the use of open source software\\n\\nautomated mechanisms implementing restrictions on the use of open source\n                     software"}]}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","parameters":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency","constraints":[{"detail":"Continuously (via CM-7 (5))"}]}],"properties":[{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes {{ cm-11_prm_1 }} governing the installation of\n                  software by users;"},{"id":"cm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ cm-11_prm_2 }};\n                  and"},{"id":"cm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in\n               organizational information systems. To maintain control over the types of software\n               installed, organizations identify permitted and prohibited actions regarding software\n               installation. Permitted software installations may include, for example, updates and\n               security patches to existing software and downloading applications from\n               organization-approved “app stores” Prohibited software installations may include, for\n               example, software with unknown or suspect pedigrees or software that organizations\n               consider potentially malicious. The policies organizations select governing\n               user-installed software may be organization-developed or provided by some external\n               entity. Policy enforcement methods include procedural methods (e.g., periodic\n               examination of user accounts), automated methods (e.g., configuration settings\n               implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","properties":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of\n                     software by users;"}]},{"id":"cm-11.b_obj","name":"objective","properties":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined\n                     methods;"}]},{"id":"cm-11.c_obj","name":"objective","properties":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of rules governing user installed software\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records\\n\\ncontinuous monitoring strategy"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed\n                  software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel monitoring compliance with user-installed software\n                  policy\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information\n                  system\\n\\nautomated mechanisms enforcing rules/methods for governing the installation of\n                  software by users\\n\\nautomated mechanisms monitoring policy compliance"}]}],"controls":[{"id":"cm-11.1","class":"SP800-53-enhancement","title":"Alerts for Unauthorized Installations","parameters":[{"id":"cm-11.1_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"CM-11(1)"},{"name":"sort-id","value":"cm-11.01"}],"parts":[{"id":"cm-11.1_smt","name":"statement","prose":"The information system alerts {{ cm-11.1_prm_1 }} when the\n                  unauthorized installation of software is detected."},{"id":"cm-11.1_gdn","name":"guidance","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"cm-11.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-11.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(1)[1]"}],"prose":"the organization defines personnel or roles to be alerted when the unauthorized\n                     installation of software is detected; and"},{"id":"cm-11.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-11(1)[2]"}],"prose":"the information system alerts organization-defined personnel or roles when the\n                     unauthorized installation of software is detected."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed\n                     software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                     system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information\n                     system\\n\\nautomated mechanisms for alerting personnel/roles when unauthorized\n                     installation of software is detected"}]}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","parameters":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"cp-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy\n                     and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that\n                        addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning\n                        policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to\n                        organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the\n                        implementation of the contingency planning policy and associated contingency\n                        planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined\n                        personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current\n                        contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with\n                        the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current\n                        contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","parameters":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency\n                     requirements;"},{"id":"cp-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with\n                     contact information;"},{"id":"cp-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information\n                  system, or environment of operation and problems encountered during contingency\n                  plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."},{"id":"cp-2_fr","name":"item","title":"CP-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"CP-2 Requirement:"}],"prose":"For JAB authorizations the contingency lists include designated FedRAMP personnel."}]}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational\n               program for achieving continuity of operations for mission/business functions.\n               Contingency planning addresses both information system restoration and implementation\n               of alternative mission/business processes when systems are compromised. The\n               effectiveness of contingency planning is maximized by considering such planning\n               throughout the phases of the system development life cycle. Performing contingency\n               planning on hardware, software, and firmware development can be an effective means of\n               achieving information system resiliency. Contingency plans reflect the degree of\n               restoration required for organizational information systems since not all systems may\n               need to fully recover to achieve the level of continuity of operations desired.\n               Information system recovery objectives reflect applicable laws, Executive Orders,\n               directives, policies, standards, regulations, and guidelines. In addition to\n               information system availability, contingency plans also address other\n               security-related events resulting in a reduction in mission and/or business\n               effectiveness, such as malicious attacks compromising the confidentiality or\n               integrity of information systems. Actions addressed in contingency plans include, for\n               example, orderly/graceful degradation, information system shutdown, fallback to a\n               manual mode, alternate information flows, and operating in modes reserved for when\n               systems are under attack. By closely coordinating contingency planning with incident\n               handling activities, organizations can ensure that the necessary contingency planning\n               activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-11","rel":"related","text":"PM-11"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency\n                     requirements;"},{"id":"cp-2.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for\n                        the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","properties":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom copies of the contingency plan are to be\n                     distributed;"},{"id":"cp-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key\n                     contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","properties":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information\n                     system;"},{"id":"cp-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","properties":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of\n                     operation;"},{"id":"cp-2.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","properties":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom contingency plan changes are to be\n                     communicated;"},{"id":"cp-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency\n                     personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nevidence of contingency plan reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and\n                  protection\\n\\nautomated mechanisms for developing, reviewing, updating and/or protecting the\n                  contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","properties":[{"name":"label","value":"CP-2(1)"},{"name":"sort-id","value":"cp-02.01"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"The organization coordinates contingency plan development with organizational\n                  elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include,\n                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of\n                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant\n                  Emergency Plans."},{"id":"cp-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization coordinates contingency plan development with\n                  organizational elements responsible for related plans."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness contingency plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\ncyber incident response plan\\n\\ninsider threat implementation plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","properties":[{"name":"label","value":"CP-2(2)"},{"name":"sort-id","value":"cp-02.02"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"The organization conducts capacity planning so that necessary capacity for\n                  information processing, telecommunications, and environmental support exists\n                  during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different types of threats (e.g., natural\n                  disasters, targeted cyber attacks) can result in a reduction of the available\n                  processing, telecommunications, and support services originally intended to\n                  support the organizational missions/business functions. Organizations may need to\n                  anticipate degraded operations during contingency operations and factor such\n                  degradation into capacity planning."},{"id":"cp-2.2_obj","name":"objective","prose":"Determine if the organization conducts capacity planning so that necessary\n                  capacity exists during contingency operations for: ","parts":[{"id":"cp-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(2)[1]"}],"prose":"information processing;"},{"id":"cp-2.2_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(2)[2]"}],"prose":"telecommunications; and"},{"id":"cp-2.2_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(2)[3]"}],"prose":"environmental support."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\ncapacity planning documents\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Essential Missions / Business Functions","parameters":[{"id":"cp-2.3_prm_1","label":"organization-defined time period"}],"properties":[{"name":"label","value":"CP-2(3)"},{"name":"sort-id","value":"cp-02.03"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"The organization plans for the resumption of essential missions and business\n                  functions within {{ cp-2.3_prm_1 }} of contingency plan\n                  activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. The time period for\n                  resumption of essential missions/business functions may be dependent on the\n                  severity/extent of disruptions to the information system and its supporting\n                  infrastructure.","links":[{"href":"#pe-12","rel":"related","text":"PE-12"}]},{"id":"cp-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(3)[1]"}],"prose":"defines the time period to plan for the resumption of essential missions and\n                     business functions as a result of contingency plan activation; and"},{"id":"cp-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(3)[2]"}],"prose":"plans for the resumption of essential missions and business functions within\n                     organization-defined time period of contingency plan activation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nbusiness impact assessment\\n\\nother related plans\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.4","class":"SP800-53-enhancement","title":"Resume All Missions / Business Functions","parameters":[{"id":"cp-2.4_prm_1","label":"organization-defined time period","constraints":[{"detail":"time period defined in service provider and organization SLA"}]}],"properties":[{"name":"label","value":"CP-2(4)"},{"name":"sort-id","value":"cp-02.04"}],"parts":[{"id":"cp-2.4_smt","name":"statement","prose":"The organization plans for the resumption of all missions and business functions\n                  within {{ cp-2.4_prm_1 }} of contingency plan activation."},{"id":"cp-2.4_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. The time period for\n                  resumption of all missions/business functions may be dependent on the\n                  severity/extent of disruptions to the information system and its supporting\n                  infrastructure.","links":[{"href":"#pe-12","rel":"related","text":"PE-12"}]},{"id":"cp-2.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(4)[1]"}],"prose":"defines the time period to plan for the resumption of all missions and business\n                     functions as a result of contingency plan activation; and"},{"id":"cp-2.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(4)[2]"}],"prose":"plans for the resumption of all missions and business functions within\n                     organization-defined time period of contingency plan activation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nbusiness impact assessment\\n\\nother related plans\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.5","class":"SP800-53-enhancement","title":"Continue Essential Missions / Business Functions","properties":[{"name":"label","value":"CP-2(5)"},{"name":"sort-id","value":"cp-02.05"}],"parts":[{"id":"cp-2.5_smt","name":"statement","prose":"The organization plans for the continuance of essential missions and business\n                  functions with little or no loss of operational continuity and sustains that\n                  continuity until full information system restoration at primary processing and/or\n                  storage sites."},{"id":"cp-2.5_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. Primary processing\n                  and/or storage sites defined by organizations as part of contingency planning may\n                  change depending on the circumstances associated with the contingency (e.g.,\n                  backup sites may become primary sites).","links":[{"href":"#pe-12","rel":"related","text":"PE-12"}]},{"id":"cp-2.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(5)[1]"}],"prose":"plans for the continuance of essential missions and business functions with\n                     little or no loss of operational continuity; and"},{"id":"cp-2.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(5)[2]"}],"prose":"sustains that operational continuity until full information system restoration\n                     at primary processing and/or storage sites."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness impact assessment\\n\\nprimary processing site agreements\\n\\nprimary storage site agreements\\n\\nalternate processing site agreements\\n\\nalternate storage site agreements\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for continuing missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","properties":[{"name":"label","value":"CP-2(8)"},{"name":"sort-id","value":"cp-02.08"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"The organization identifies critical information system assets supporting\n                  essential missions and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. Organizations\n                  identify critical information system assets so that additional safeguards and\n                  countermeasures can be employed (above and beyond those safeguards and\n                  countermeasures routinely implemented) to help ensure that organizational\n                  missions/business functions can continue to be conducted during contingency\n                  operations. In addition, the identification of critical information assets\n                  facilitates the prioritization of organizational resources. Critical information\n                  system assets include technical and operational aspects. Technical aspects\n                  include, for example, information technology services, information system\n                  components, information technology products, and mechanisms. Operational aspects\n                  include, for example, procedures (manually executed operations) and personnel\n                  (individuals operating technical safeguards and/or executing manual procedures).\n                  Organizational program protection plans can provide assistance in identifying\n                  critical assets.","links":[{"href":"#sa-14","rel":"related","text":"SA-14"},{"href":"#sa-15","rel":"related","text":"SA-15"}]},{"id":"cp-2.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization identifies critical information system assets\n                  supporting essential missions and business functions."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness impact assessment\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","parameters":[{"id":"cp-3_prm_1","label":"organization-defined time period","constraints":[{"detail":"ten (10) days"}]},{"id":"cp-3_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent\n               with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ cp-3_prm_1 }} of assuming a contingency role or\n                  responsibility;"},{"id":"cp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and\n               responsibilities of organizational personnel to ensure that the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know when and where to report for duty during contingency operations and if\n               normal duties are affected; system administrators may require additional training on\n               how to set up information systems at alternate processing and storage sites; and\n               managers/senior leaders may receive more specific training on how to conduct\n               mission-essential functions in designated off-site locations and how to establish\n               communications with other governmental entities for purposes of coordination on\n               contingency-related activities. Training for contingency roles/responsibilities\n               reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-2","rel":"related","text":"IR-2"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","properties":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to\n                     information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned\n                  roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","properties":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with\n                     assigned roles and responsibilities with the organization-defined frequency\n                     thereafter."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nsecurity plan\\n\\ncontingency training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and\n                  training responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}],"controls":[{"id":"cp-3.1","class":"SP800-53-enhancement","title":"Simulated Events","properties":[{"name":"label","value":"CP-3(1)"},{"name":"sort-id","value":"cp-03.01"}],"parts":[{"id":"cp-3.1_smt","name":"statement","prose":"The organization incorporates simulated events into contingency training to\n                  facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization incorporates simulated events into contingency\n                  training to facilitate effective response by personnel in crisis situations."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and\n                     training responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training\\n\\nautomated mechanisms for simulating contingency events"}]}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","parameters":[{"id":"cp-4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"cp-4_prm_2","label":"organization-defined tests","constraints":[{"detail":"functional exercises"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference","text":"NIST Special Publication 800-84"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the\n                  effectiveness of the plan and the organizational readiness to execute the\n                  plan;"},{"id":"cp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."},{"id":"cp-4_fr","name":"item","title":"CP-4(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-4(a) Requirement:"}],"prose":"The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."}]}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and\n               to identify potential weaknesses in the plans include, for example, walk-through and\n               tabletop exercises, checklists, simulations (parallel, full interrupt), and\n               comprehensive exercises. Organizations conduct testing based on the continuity\n               requirements in contingency plans and include a determination of the effects on\n               organizational operations, assets, and individuals arising due to contingency\n               operations. Organizations have flexibility and discretion in the breadth, depth, and\n               timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-3","rel":"related","text":"IR-3"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-4.a_obj","name":"objective","properties":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the\n                     organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information\n                     system;"},{"id":"cp-4.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the\n                     organization-defined frequency, using organization-defined tests to determine\n                     the effectiveness of the plan and the organizational readiness to execute the\n                     plan;"}]},{"id":"cp-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\nsecurity plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing,\n                  reviewing or responding to contingency plan tests\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                  testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","properties":[{"name":"label","value":"CP-4(1)"},{"name":"sort-id","value":"cp-04.01"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"The organization coordinates contingency plan testing with organizational elements\n                  responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include,\n                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of\n                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  Cyber Incident Response Plans, and Occupant Emergency Plans. This control\n                  enhancement does not require organizations to create organizational elements to\n                  handle related plans or to align such elements with specific plans. It does\n                  require, however, that if such organizational elements are responsible for related\n                  plans, organizations should coordinate with those elements.","links":[{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-8","rel":"related","text":"PM-8"}]},{"id":"cp-4.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization coordinates contingency plan testing with\n                  organizational elements responsible for related plans. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nincident response policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan testing documentation\\n\\ncontingency plan\\n\\nbusiness continuity plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\ncyber incident response plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\\n\\norganizational personnel\\n\\npersonnel with responsibilities for related plans\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-4.2","class":"SP800-53-enhancement","title":"Alternate Processing Site","properties":[{"name":"label","value":"CP-4(2)"},{"name":"sort-id","value":"cp-04.02"}],"parts":[{"id":"cp-4.2_smt","name":"statement","prose":"The organization tests the contingency plan at the alternate processing site:","parts":[{"id":"cp-4.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"To familiarize contingency personnel with the facility and available resources;\n                     and"},{"id":"cp-4.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"To evaluate the capabilities of the alternate processing site to support\n                     contingency operations."}]},{"id":"cp-4.2_gdn","name":"guidance","links":[{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"cp-4.2_obj","name":"objective","prose":"Determine if the organization tests the contingency plan at the alternate\n                  processing site to:","parts":[{"id":"cp-4.2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-4(2)(a)"}],"prose":"familiarize contingency personnel with the facility and available resources;\n                     and","links":[{"href":"#cp-4.2_smt.a","rel":"corresp","text":"CP-4(2)(a)"}]},{"id":"cp-4.2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-4(2)(b)"}],"prose":"evaluate the capabilities of the alternate processing site to support\n                     contingency operations.","links":[{"href":"#cp-4.2_smt.b","rel":"corresp","text":"CP-4(2)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nalternate processing site agreements\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                     testing"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","properties":[{"name":"label","value":"CP-6"},{"name":"sort-id","value":"cp-06"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes an alternate storage site including necessary agreements to permit the\n                  storage and retrieval of information system backup information; and"},{"id":"cp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that the alternate storage site provides information security safeguards\n                  equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are sites that are geographically distinct from primary\n               storage sites. An alternate storage site maintains duplicate copies of information\n               and data in the event that the primary storage site is not available. Items covered\n               by alternate storage site agreements include, for example, environmental conditions\n               at alternate sites, access rules, physical and environmental protection requirements,\n               and coordination of delivery/retrieval of backup media. Alternate storage sites\n               reflect the requirements in contingency plans so that organizations can maintain\n               essential missions/business functions despite disruption, compromise, or failure in\n               organizational information systems.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-4","rel":"related","text":"MP-4"}]},{"id":"cp-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-6_obj.1","name":"objective","properties":[{"name":"label","value":"CP-6[1]"}],"prose":"establishes an alternate storage site including necessary agreements to permit the\n                  storage and retrieval of information system backup information; and"},{"id":"cp-6_obj.2","name":"objective","properties":[{"name":"label","value":"CP-6[2]"}],"prose":"ensures that the alternate storage site provides information security safeguards\n                  equivalent to that of the primary site."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site agreements\\n\\nprimary storage site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site\n                  responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing and retrieving information system backup\n                  information at the alternate storage site\\n\\nautomated mechanisms supporting and/or implementing storage and retrieval of\n                  information system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","properties":[{"name":"label","value":"CP-6(1)"},{"name":"sort-id","value":"cp-06.01"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"The organization identifies an alternate storage site that is separated from the\n                  primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber attacks, and errors of omission/commission.\n                  Organizations determine what is considered a sufficient degree of separation\n                  between primary and alternate storage sites based on the types of threats that are\n                  of concern. For one particular type of threat (i.e., hostile cyber attack), the\n                  degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"cp-6.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization identifies an alternate storage site that is\n                  separated from the primary storage site to reduce susceptibility to the same\n                  threats. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nalternate storage site agreements\\n\\nprimary storage site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.2","class":"SP800-53-enhancement","title":"Recovery Time / Point Objectives","properties":[{"name":"label","value":"CP-6(2)"},{"name":"sort-id","value":"cp-06.02"}],"parts":[{"id":"cp-6.2_smt","name":"statement","prose":"The organization configures the alternate storage site to facilitate recovery\n                  operations in accordance with recovery time and recovery point objectives."},{"id":"cp-6.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization configures the alternate storage site to facilitate\n                  recovery operations in accordance with recovery time objectives and recovery point\n                  objectives (as specified in the information system contingency plan)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nalternate storage site agreements\\n\\nalternate storage site configurations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\\n\\norganizational personnel with responsibilities for testing related plans\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting recovery time/point objectives"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","properties":[{"name":"label","value":"CP-6(3)"},{"name":"sort-id","value":"cp-06.03"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate\n                  storage site in the event of an area-wide disruption or disaster and outlines\n                  explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in\n                  geographic scope (e.g., hurricane, regional power outage) with such determinations\n                  made by organizations based on organizational assessments of risk. Explicit\n                  mitigation actions include, for example: (i) duplicating backup information at\n                  other alternate storage sites if access problems occur at originally designated\n                  alternate sites; or (ii) planning for physical access to retrieve backup\n                  information if electronic accessibility to the alternate site is disrupted.","links":[{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"cp-6.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-6.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-6(3)[1]"}],"prose":"identifies potential accessibility problems to the alternate storage site in\n                     the event of an area-wide disruption or disaster; and"},{"id":"cp-6.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-6(3)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems\n                     to the alternate storage site in the event of an area-wide disruption or\n                     disaster."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nlist of potential accessibility problems to alternate storage site\\n\\nmitigation actions for accessibility problems to alternate storage site\\n\\norganizational risk assessments\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","parameters":[{"id":"cp-7_prm_1","label":"organization-defined information system operations"},{"id":"cp-7_prm_2","label":"organization-defined time period consistent with recovery time and recovery point\n               objectives"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-7"},{"name":"sort-id","value":"cp-07"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes an alternate processing site including necessary agreements to permit\n                  the transfer and resumption of {{ cp-7_prm_1 }} for essential\n                  missions/business functions within {{ cp-7_prm_2 }} when the\n                  primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that equipment and supplies required to transfer and resume operations are\n                  available at the alternate processing site or contracts are in place to support\n                  delivery to the site within the organization-defined time period for\n                  transfer/resumption; and"},{"id":"cp-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that the alternate processing site provides information security\n                  safeguards equivalent to those of the primary site."},{"id":"cp-7_fr","name":"item","title":"CP-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-7_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines a time period consistent with the recovery time objectives and business impact analysis."}]}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are sites that are geographically distinct from primary\n               processing sites. An alternate processing site provides processing capability in the\n               event that the primary processing site is not available. Items covered by alternate\n               processing site agreements include, for example, environmental conditions at\n               alternate sites, access rules, physical and environmental protection requirements,\n               and coordination for the transfer/assignment of personnel. Requirements are\n               specifically allocated to alternate processing sites that reflect the requirements in\n               contingency plans to maintain essential missions/business functions despite\n               disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ma-6","rel":"related","text":"MA-6"}]},{"id":"cp-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-7.a_obj","name":"objective","properties":[{"name":"label","value":"CP-7(a)"}],"parts":[{"id":"cp-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-7(a)[1]"}],"prose":"defines information system operations requiring an alternate processing site to\n                     be established to permit the transfer and resumption of such operations;"},{"id":"cp-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-7(a)[2]"}],"prose":"defines the time period consistent with recovery time objectives and recovery\n                     point objectives (as specified in the information system contingency plan) for\n                     transfer/resumption of organization-defined information system operations for\n                     essential missions/business functions;"},{"id":"cp-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-7(a)[3]"}],"prose":"establishes an alternate processing site including necessary agreements to\n                     permit the transfer and resumption of organization-defined information system\n                     operations for essential missions/business functions, within the\n                     organization-defined time period, when the primary processing capabilities are\n                     unavailable;"}]},{"id":"cp-7.b_obj","name":"objective","properties":[{"name":"label","value":"CP-7(b)"}],"parts":[{"id":"cp-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-7(b)[1]"}],"prose":"ensures that equipment and supplies required to transfer and resume operations\n                     are available at the alternate processing site; or"},{"id":"cp-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-7(b)[2]"}],"prose":"ensures that contracts are in place to support delivery to the site within the\n                     organization-defined time period for transfer/resumption; and"}]},{"id":"cp-7.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-7(c)"}],"prose":"ensures that the alternate processing site provides information security\n                  safeguards equivalent to those of the primary site."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nspare equipment and supplies inventory at alternate processing site\\n\\nequipment and supply contracts\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency planning and/or\n                  alternate site arrangements\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for recovery at the alternate site\\n\\nautomated mechanisms supporting and/or implementing recovery at the alternate\n                  processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","properties":[{"name":"label","value":"CP-7(1)"},{"name":"sort-id","value":"cp-07.01"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"The organization identifies an alternate processing site that is separated from\n                  the primary processing site to reduce susceptibility to the same threats.","parts":[{"id":"cp-7.1_fr","name":"item","title":"CP-7 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-7.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant."}]}]},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber attacks, and errors of omission/commission.\n                  Organizations determine what is considered a sufficient degree of separation\n                  between primary and alternate processing sites based on the types of threats that\n                  are of concern. For one particular type of threat (i.e., hostile cyber attack),\n                  the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"cp-7.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization identifies an alternate processing site that is\n                  separated from the primary storage site to reduce susceptibility to the same\n                  threats. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","properties":[{"name":"label","value":"CP-7(2)"},{"name":"sort-id","value":"cp-07.02"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate\n                  processing site in the event of an area-wide disruption or disaster and outlines\n                  explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in\n                  geographic scope (e.g., hurricane, regional power outage) with such determinations\n                  made by organizations based on organizational assessments of risk.","links":[{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"cp-7.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-7.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-7(2)[1]"}],"prose":"identifies potential accessibility problems to the alternate processing site in\n                     the event of an area-wide disruption or disaster; and"},{"id":"cp-7.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-7(2)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems\n                     to the alternate processing site in the event of an area-wide disruption or\n                     disaster."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","properties":[{"name":"label","value":"CP-7(3)"},{"name":"sort-id","value":"cp-07.03"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"The organization develops alternate processing site agreements that contain\n                  priority-of-service provisions in accordance with organizational availability\n                  requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority-of-service agreements refer to negotiated agreements with service\n                  providers that ensure that organizations receive priority treatment consistent\n                  with their availability requirements and the availability of information resources\n                  at the alternate processing site."},{"id":"cp-7.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization develops alternate processing site agreements that\n                  contain priority-of-service provisions in accordance with organizational\n                  availability requirements (including recovery time objectives as specified in the\n                  information system contingency plan)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site agreements\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"}]}]},{"id":"cp-7.4","class":"SP800-53-enhancement","title":"Preparation for Use","properties":[{"name":"label","value":"CP-7(4)"},{"name":"sort-id","value":"cp-07.04"}],"parts":[{"id":"cp-7.4_smt","name":"statement","prose":"The organization prepares the alternate processing site so that the site is ready\n                  to be used as the operational site supporting essential missions and business\n                  functions."},{"id":"cp-7.4_gdn","name":"guidance","prose":"Site preparation includes, for example, establishing configuration settings for\n                  information system components at the alternate processing site consistent with the\n                  requirements for such settings at the primary site and ensuring that essential\n                  supplies and other logistical considerations are in place.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"}]},{"id":"cp-7.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization prepares the alternate processing site so that the\n                  site is ready to be used as the operational site supporting essential missions and\n                  business functions."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nalternate processing site configurations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing recovery at the alternate\n                     processing site"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","parameters":[{"id":"cp-8_prm_1","label":"organization-defined information system operations"},{"id":"cp-8_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"CP-8"},{"name":"sort-id","value":"cp-08"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#fb5844de-ff96-47c0-b258-4f52bcc2f30d","rel":"reference","text":"National Communications Systems Directive 3-10"},{"href":"#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","rel":"reference","text":"http://www.dhs.gov/telecommunications-service-priority-tsp"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"The organization establishes alternate telecommunications services including\n               necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for\n               essential missions and business functions within {{ cp-8_prm_2 }} when\n               the primary telecommunications capabilities are unavailable at either the primary or\n               alternate processing or storage sites.","parts":[{"id":"cp-8_fr","name":"item","title":"CP-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines a time period consistent with the recovery time objectives and business impact analysis."}]}]},{"id":"cp-8_gdn","name":"guidance","prose":"This control applies to telecommunications services (data and voice) for primary and\n               alternate processing and storage sites. Alternate telecommunications services reflect\n               the continuity requirements in contingency plans to maintain essential\n               missions/business functions despite the loss of primary telecommunications services.\n               Organizations may specify different time periods for primary/alternate sites.\n               Alternate telecommunications services include, for example, additional organizational\n               or commercial ground-based circuits/lines or satellites in lieu of ground-based\n               communications. Organizations consider factors such as availability, quality of\n               service, and access when entering into alternate telecommunications agreements.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"cp-8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-8_obj.1","name":"objective","properties":[{"name":"label","value":"CP-8[1]"}],"prose":"defines information system operations requiring alternate telecommunications\n                  services to be established to permit the resumption of such operations;"},{"id":"cp-8_obj.2","name":"objective","properties":[{"name":"label","value":"CP-8[2]"}],"prose":"defines the time period to permit resumption of organization-defined information\n                  system operations for essential missions and business functions; and"},{"id":"cp-8_obj.3","name":"objective","properties":[{"name":"label","value":"CP-8[3]"}],"prose":"establishes alternate telecommunications services including necessary agreements\n                  to permit the resumption of organization-defined information system operations for\n                  essential missions and business functions, within the organization-defined time\n                  period, when the primary telecommunications capabilities are unavailable at either\n                  the primary or alternate processing or storage sites."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications\n                  responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                  agreements"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","properties":[{"name":"label","value":"CP-8(1)"},{"name":"sort-id","value":"cp-08.01"}],"parts":[{"id":"cp-8.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Develops primary and alternate telecommunications service agreements that\n                     contain priority-of-service provisions in accordance with organizational\n                     availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Requests Telecommunications Service Priority for all telecommunications\n                     services used for national security emergency preparedness in the event that\n                     the primary and/or alternate telecommunications services are provided by a\n                     common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission/business impact in situations where\n                  telecommunications service providers are servicing other organizations with\n                  similar priority-of-service provisions."},{"id":"cp-8.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-8(1)[1]"}],"prose":"develops primary and alternate telecommunications service agreements that\n                     contain priority-of-service provisions in accordance with organizational\n                     availability requirements (including recovery time objectives as specified in\n                     the information system contingency plan); and"},{"id":"cp-8.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-8(1)[2]"}],"prose":"requests Telecommunications Service Priority for all telecommunications\n                     services used for national security emergency preparedness in the event that\n                     the primary and/or alternate telecommunications services are provided by a\n                     common carrier."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nTelecommunications Service Priority documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","properties":[{"name":"label","value":"CP-8(2)"},{"name":"sort-id","value":"cp-08.02"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"The organization obtains alternate telecommunications services to reduce the\n                  likelihood of sharing a single point of failure with primary telecommunications\n                  services."},{"id":"cp-8.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization obtains alternate telecommunications services to\n                  reduce the likelihood of sharing a single point of failure with primary\n                  telecommunications services. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\nprimary and alternate telecommunications service providers\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.3","class":"SP800-53-enhancement","title":"Separation of Primary / Alternate Providers","properties":[{"name":"label","value":"CP-8(3)"},{"name":"sort-id","value":"cp-08.03"}],"parts":[{"id":"cp-8.3_smt","name":"statement","prose":"The organization obtains alternate telecommunications services from providers that\n                  are separated from primary service providers to reduce susceptibility to the same\n                  threats."},{"id":"cp-8.3_gdn","name":"guidance","prose":"Threats that affect telecommunications services are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber/physical attacks, and errors of\n                  omission/commission. Organizations seek to reduce common susceptibilities by, for\n                  example, minimizing shared infrastructure among telecommunications service\n                  providers and achieving sufficient geographic separation between services.\n                  Organizations may consider using a single service provider in situations where the\n                  service provider can provide alternate telecommunications services meeting the\n                  separation needs addressed in the risk assessment."},{"id":"cp-8.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization obtains alternate telecommunications services from\n                  providers that are separated from primary service providers to reduce\n                  susceptibility to the same threats. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nalternate telecommunications service provider site\\n\\nprimary telecommunications service provider site\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\nprimary and alternate telecommunications service providers\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.4","class":"SP800-53-enhancement","title":"Provider Contingency Plan","parameters":[{"id":"cp-8.4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"annually"}]}],"properties":[{"name":"label","value":"CP-8(4)"},{"name":"sort-id","value":"cp-08.04"}],"parts":[{"id":"cp-8.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Requires primary and alternate telecommunications service providers to have\n                     contingency plans;"},{"id":"cp-8.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Reviews provider contingency plans to ensure that the plans meet organizational\n                     contingency requirements; and"},{"id":"cp-8.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Obtains evidence of contingency testing/training by providers {{ cp-8.4_prm_1 }}."}]},{"id":"cp-8.4_gdn","name":"guidance","prose":"Reviews of provider contingency plans consider the proprietary nature of such\n                  plans. In some situations, a summary of provider contingency plans may be\n                  sufficient evidence for organizations to satisfy the review requirement.\n                  Telecommunications service providers may also participate in ongoing disaster\n                  recovery exercises in coordination with the Department of Homeland Security,\n                  state, and local governments. Organizations may use these types of activities to\n                  satisfy evidentiary requirements related to service provider contingency plan\n                  reviews, testing, and training."},{"id":"cp-8.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-8.4.a_obj","name":"objective","properties":[{"name":"label","value":"CP-8(4)(a)"}],"parts":[{"id":"cp-8.4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-8(4)(a)[1]"}],"prose":"requires primary telecommunications service provider to have contingency\n                        plans;"},{"id":"cp-8.4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-8(4)(a)[2]"}],"prose":"requires alternate telecommunications service provider(s) to have\n                        contingency plans;"}],"links":[{"href":"#cp-8.4_smt.a","rel":"corresp","text":"CP-8(4)(a)"}]},{"id":"cp-8.4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-8(4)(b)"}],"prose":"reviews provider contingency plans to ensure that the plans meet organizational\n                     contingency requirements;","links":[{"href":"#cp-8.4_smt.b","rel":"corresp","text":"CP-8(4)(b)"}]},{"id":"cp-8.4.c_obj","name":"objective","properties":[{"name":"label","value":"CP-8(4)(c)"}],"parts":[{"id":"cp-8.4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-8(4)(c)[1]"}],"prose":"defines the frequency to obtain evidence of contingency testing/training by\n                        providers; and"},{"id":"cp-8.4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-8(4)(c)[2]"}],"prose":"obtains evidence of contingency testing/training by providers with the\n                        organization-defined frequency."}],"links":[{"href":"#cp-8.4_smt.c","rel":"corresp","text":"CP-8(4)(c)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprovider contingency plans\\n\\nevidence of contingency testing/training by providers\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and\n                     testing responsibilities\\n\\nprimary and alternate telecommunications service providers\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","parameters":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system\n                     {{ cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system\n                     {{ cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related\n                  documentation {{ cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."},{"id":"cp-9_fr","name":"item","title":"CP-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","properties":[{"name":"label","value":"CP-9(b)Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","properties":[{"name":"label","value":"CP-9(c)Requirement:"}],"prose":"The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."}]}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating\n               system and application software, and licenses. User-level information includes any\n               information other than system-level information. Mechanisms employed by organizations\n               to protect the integrity of information system backups include, for example, digital\n               signatures and cryptographic hashes. Protection of system backup information while in\n               transit is beyond the scope of this control. Information system backups reflect the\n               requirements in contingency plans as well as other organizational requirements for\n               backing up information.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.a_obj","name":"objective","properties":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of user-level information contained in the information\n                     system;"},{"id":"cp-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system\n                     with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","properties":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of system-level information contained in the information\n                     system;"},{"id":"cp-9.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information\n                     system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","properties":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of information system documentation including security-related\n                     documentation;"},{"id":"cp-9.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including\n                     security-related documentation, with the organization-defined frequency;\n                     and"}]},{"id":"cp-9.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability / Integrity","parameters":[{"id":"cp-9.1_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-9(1)"},{"name":"sort-id","value":"cp-09.01"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"The organization tests backup information {{ cp-9.1_prm_1 }} to\n                  verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related","text":"CP-4"}]},{"id":"cp-9.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(1)[1]"}],"prose":"defines the frequency to test backup information to verify media reliability\n                     and information integrity; and"},{"id":"cp-9.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(1)[2]"}],"prose":"tests backup information with the organization-defined frequency to verify\n                     media reliability and information integrity."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system\n                     backups"}]}]},{"id":"cp-9.2","class":"SP800-53-enhancement","title":"Test Restoration Using Sampling","properties":[{"name":"label","value":"CP-9(2)"},{"name":"sort-id","value":"cp-09.02"}],"parts":[{"id":"cp-9.2_smt","name":"statement","prose":"The organization uses a sample of backup information in the restoration of\n                  selected information system functions as part of contingency plan testing."},{"id":"cp-9.2_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related","text":"CP-4"}]},{"id":"cp-9.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization uses a sample of backup information in the\n                  restoration of selected information system functions as part of contingency plan\n                  testing. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with contingency planning/contingency plan testing\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system\n                     backups"}]}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","parameters":[{"id":"cp-9.3_prm_1","label":"organization-defined critical information system software and other\n                  security-related information"}],"properties":[{"name":"label","value":"CP-9(3)"},{"name":"sort-id","value":"cp-09.03"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"The organization stores backup copies of {{ cp-9.3_prm_1 }} in a\n                  separate facility or in a fire-rated container that is not collocated with the\n                  operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Critical information system software includes, for example, operating systems,\n                  cryptographic key management systems, and intrusion detection/prevention systems.\n                  Security-related information includes, for example, organizational inventories of\n                  hardware, software, and firmware components. Alternate storage sites typically\n                  serve as separate storage facilities for organizations.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-8","rel":"related","text":"CM-8"}]},{"id":"cp-9.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.3_obj.1","name":"objective","properties":[{"name":"label","value":"CP-9(3)[1]"}],"parts":[{"id":"cp-9.3_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(3)[1][a]"}],"prose":"defines critical information system software and other security-related\n                        information requiring backup copies to be stored in a separate facility;\n                        or"},{"id":"cp-9.3_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(3)[1][b]"}],"prose":"defines critical information system software and other security-related\n                        information requiring backup copies to be stored in a fire-rated container\n                        that is not collocated with the operational system; and"}]},{"id":"cp-9.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-9(3)[2]"}],"prose":"stores backup copies of organization-defined critical information system\n                     software and other security-related information in a separate facility or in a\n                     fire-rated container that is not collocated with the operational system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup configurations and associated documentation\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-9.5","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage Site","parameters":[{"id":"cp-9.5_prm_1","label":"organization-defined time period and transfer rate consistent with the\n                  recovery time and recovery point objectives","constraints":[{"detail":"time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA"}]}],"properties":[{"name":"label","value":"CP-9(5)"},{"name":"sort-id","value":"cp-09.05"}],"parts":[{"id":"cp-9.5_smt","name":"statement","prose":"The organization transfers information system backup information to the alternate\n                  storage site {{ cp-9.5_prm_1 }}."},{"id":"cp-9.5_gdn","name":"guidance","prose":"Information system backup information can be transferred to alternate storage\n                  sites either electronically or by physical shipment of storage media."},{"id":"cp-9.5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(5)[1]"}],"prose":"defines a time period, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     transfer information system backup information to the alternate storage\n                     site;"},{"id":"cp-9.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(5)[2]"}],"prose":"defines a transfer rate, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     transfer information system backup information to the alternate storage site;\n                     and"},{"id":"cp-9.5_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(5)[3]"}],"prose":"transfers information system backup information to the alternate storage site\n                     with the organization-defined time period and transfer rate."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup logs or records\\n\\nevidence of system backup information transferred to alternate storage site\\n\\nalternate storage site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for transferring information system backups to the\n                     alternate storage site\\n\\nautomated mechanisms supporting and/or implementing information system\n                     backups\\n\\nautomated mechanisms supporting and/or implementing information transfer to the\n                     alternate storage site"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","properties":[{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information\n               system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore\n               organizational missions/business functions. Reconstitution takes place following\n               recovery and includes activities for returning organizational information systems to\n               fully operational states. Recovery and reconstitution operations reflect mission and\n               business priorities, recovery point/time and reconstitution objectives, and\n               established organizational metrics consistent with contingency plan requirements.\n               Reconstitution includes the deactivation of any interim information system\n               capabilities that may have been needed during recovery operations. Reconstitution\n               also includes assessments of fully restored information system capabilities,\n               reestablishment of continuous monitoring activities, potential information system\n               reauthorizations, and activities to prepare the systems against future disruptions,\n               compromises, or failures. Recovery/reconstitution capabilities employed by\n               organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for: ","parts":[{"id":"cp-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","properties":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","properties":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","properties":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","properties":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","properties":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","properties":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","properties":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test results\\n\\ncontingency plan test documentation\\n\\nredundant secondary system for information system backups\\n\\nlocation(s) of redundant secondary backup system(s)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and/or\n                  reconstitution responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and\n                  reconstitution operations\\n\\nautomated mechanisms supporting and/or implementing information system recovery\n                  and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","properties":[{"name":"label","value":"CP-10(2)"},{"name":"sort-id","value":"cp-10.02"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"The information system implements transaction recovery for systems that are\n                  transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based information systems include, for example, database management\n                  systems and transaction processing systems. Mechanisms supporting transaction\n                  recovery include, for example, transaction rollback and transaction\n                  journaling."},{"id":"cp-10.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements transaction recovery for systems\n                  that are transaction-based. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system recovery and reconstitution\\n\\ncontingency plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\ninformation system transaction recovery records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for transaction recovery\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing transaction recovery\n                     capability"}]}]},{"id":"cp-10.4","class":"SP800-53-enhancement","title":"Restore Within Time Period","parameters":[{"id":"cp-10.4_prm_1","label":"organization-defined restoration time-periods","constraints":[{"detail":"time period consistent with the restoration time-periods defined in the service provider and organization SLA"}]}],"properties":[{"name":"label","value":"CP-10(4)"},{"name":"sort-id","value":"cp-10.04"}],"parts":[{"id":"cp-10.4_smt","name":"statement","prose":"The organization provides the capability to restore information system components\n                  within {{ cp-10.4_prm_1 }} from configuration-controlled and\n                  integrity-protected information representing a known, operational state for the\n                  components."},{"id":"cp-10.4_gdn","name":"guidance","prose":"Restoration of information system components includes, for example, reimaging\n                  which restores components to known, operational states.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"}]},{"id":"cp-10.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-10.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-10(4)[1]"}],"prose":"defines a time period to restore information system components from\n                     configuration-controlled and integrity-protected information representing a\n                     known, operational state for the components; and"},{"id":"cp-10.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-10(4)[2]"}],"prose":"provides the capability to restore information system components within the\n                     organization-defined time period from configuration-controlled and\n                     integrity-protected information representing a known, operational state for the\n                     components."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system recovery and reconstitution\\n\\ncontingency plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nevidence of information system recovery and reconstitution operations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system recovery and reconstitution\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing recovery/reconstitution of\n                     information system information"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","parameters":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ia-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and\n                     authentication policy and associated identification and authentication\n                     controls; and"}]},{"id":"ia-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ ia-1_prm_2 }};\n                     and"},{"id":"ia-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that\n                        addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication\n                        policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to\n                        organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        identification and authentication policy and associated identification and\n                        authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and\n                        authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy\n                        with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and\n                        authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","properties":[{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference","text":"HSPD-12"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or\n               processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have\n               equivalent status of employees (e.g., contractors, guest researchers). This control\n               applies to all accesses other than: (i) accesses that are explicitly identified and\n               documented in AC-14; and (ii) accesses that occur through authorized use of group\n               authenticators without individual authentication. Organizations may require unique\n               identification of individuals in group accounts (e.g., shared privilege accounts) or\n               for detailed accountability of individual activity. Organizations employ passwords,\n               tokens, or biometrics to authenticate user identities, or in the case multifactor\n               authentication, or some combination thereof. Access to organizational information\n               systems is defined as either local access or network access. Local access is any\n               access to organizational information systems by users (or processes acting on behalf\n               of users) where such access is obtained by direct connections without the use of\n               networks. Network access is access to organizational information systems by users (or\n               processes acting on behalf of users) where such access is obtained through network\n               connections (i.e., nonlocal accesses). Remote access is a type of network access that\n               involves communication through external networks (e.g., the Internet). Internal\n               networks include local area networks and wide area networks. In addition, the use of\n               encrypted virtual private networks (VPNs) for network connections between\n               organization-controlled endpoints and non-organization controlled endpoints may be\n               treated as internal networks from the perspective of protecting the confidentiality\n               and integrity of information traversing the network. Organizations can satisfy the\n               identification and authentication requirements in this control by complying with the\n               requirements in Homeland Security Presidential Directive 12 consistent with the\n               specific organizational implementation plans. Multifactor authentication requires the\n               use of two or more different factors to achieve authentication. The factors are\n               defined as: (i) something you know (e.g., password, personal identification number\n               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);\n               or (iii) something you are (e.g., biometric). Multifactor solutions that require\n               devices separate from information systems gaining access include, for example,\n               hardware tokens providing time-based or challenge-response authenticators and smart\n               cards such as the U.S. Government Personal Identity Verification card and the DoD\n               common access card. In addition to identifying and authenticating users at the\n               information system level (i.e., at logon), organizations also employ identification\n               and authentication mechanisms at the application level, when necessary, to provide\n               increased information security. Identification and authentication requirements for\n               other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates\n               organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\\n\\nautomated mechanisms supporting and/or implementing identification and\n                  authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","properties":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to\n                  privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ia-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements multifactor authentication for\n                  network access to privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts","properties":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"ia-02.02"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to\n                  non-privileged accounts."},{"id":"ia-2.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements multifactor authentication for\n                  network access to non-privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.3","class":"SP800-53-enhancement","title":"Local Access to Privileged Accounts","properties":[{"name":"label","value":"IA-2(3)"},{"name":"sort-id","value":"ia-02.03"}],"parts":[{"id":"ia-2.3_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to\n                  privileged accounts."},{"id":"ia-2.3_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ia-2.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements multifactor authentication for\n                  local access to privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.4","class":"SP800-53-enhancement","title":"Local Access to Non-privileged Accounts","properties":[{"name":"label","value":"IA-2(4)"},{"name":"sort-id","value":"ia-02.04"}],"parts":[{"id":"ia-2.4_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to\n                  non-privileged accounts."},{"id":"ia-2.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements multifactor authentication for\n                  local access to non-privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.5","class":"SP800-53-enhancement","title":"Group Authentication","properties":[{"name":"label","value":"IA-2(5)"},{"name":"sort-id","value":"ia-02.05"}],"parts":[{"id":"ia-2.5_smt","name":"statement","prose":"The organization requires individuals to be authenticated with an individual\n                  authenticator when a group authenticator is employed."},{"id":"ia-2.5_gdn","name":"guidance","prose":"Requiring individuals to use individual authenticators as a second level of\n                  authentication helps organizations to mitigate the risk of using group\n                  authenticators."},{"id":"ia-2.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires individuals to be authenticated with an\n                  individual authenticator when a group authenticator is employed."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authentication capability\n                     for group accounts"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts - Replay Resistant","properties":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"ia-02.08"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for\n                  network access to privileged accounts."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve\n                  successful authentications by replaying previous authentication messages.\n                  Replay-resistant techniques include, for example, protocols that use nonces or\n                  challenges such as Transport Layer Security (TLS) and time synchronous or\n                  challenge-response one-time authenticators."},{"id":"ia-2.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements replay-resistant authentication\n                  mechanisms for network access to privileged accounts. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of privileged information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing replay resistant\n                     authentication mechanisms"}]}]},{"id":"ia-2.9","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts - Replay Resistant","properties":[{"name":"label","value":"IA-2(9)"},{"name":"sort-id","value":"ia-02.09"}],"parts":[{"id":"ia-2.9_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for\n                  network access to non-privileged accounts."},{"id":"ia-2.9_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve\n                  successful authentications by recording/replaying previous authentication\n                  messages. Replay-resistant techniques include, for example, protocols that use\n                  nonces or challenges such as Transport Layer Security (TLS) and time synchronous\n                  or challenge-response one-time authenticators."},{"id":"ia-2.9_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements replay-resistant authentication\n                  mechanisms for network access to non-privileged accounts. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of non-privileged information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing replay resistant\n                     authentication mechanisms"}]}]},{"id":"ia-2.11","class":"SP800-53-enhancement","title":"Remote Access - Separate Device","parameters":[{"id":"ia-2.11_prm_1","label":"organization-defined strength of mechanism requirements","constraints":[{"detail":"FIPS 140-2, NIAP Certification, or NSA approval"}]}],"properties":[{"name":"label","value":"IA-2(11)"},{"name":"sort-id","value":"ia-02.11"}],"parts":[{"id":"ia-2.11_smt","name":"statement","prose":"The information system implements multifactor authentication for remote access to\n                  privileged and non-privileged accounts such that one of the factors is provided by\n                  a device separate from the system gaining access and the device meets {{ ia-2.11_prm_1 }}.","parts":[{"id":"ia-2.11_fr","name":"item","title":"IA-2 (11) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.11_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials."}]}]},{"id":"ia-2.11_gdn","name":"guidance","prose":"For remote access to privileged/non-privileged accounts, the purpose of requiring\n                  a device that is separate from the information system gaining access for one of\n                  the factors during multifactor authentication is to reduce the likelihood of\n                  compromising authentication credentials stored on the system. For example,\n                  adversaries deploying malicious code on organizational information systems can\n                  potentially compromise such credentials resident on the system and subsequently\n                  impersonate authorized users.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ia-2.11_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ia-2.11_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(11)[1]"}],"prose":"the information system implements multifactor authentication for remote access\n                     to privileged accounts such that one of the factors is provided by a device\n                     separate from the system gaining access;"},{"id":"ia-2.11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(11)[2]"}],"prose":"the information system implements multifactor authentication for remote access\n                     to non-privileged accounts such that one of the factors is provided by a device\n                     separate from the system gaining access;"},{"id":"ia-2.11_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-2(11)[3]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a\n                     device separate from the system gaining remote access to privileged\n                     accounts;"},{"id":"ia-2.11_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-2(11)[4]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a\n                     device separate from the system gaining remote access to non-privileged\n                     accounts;"},{"id":"ia-2.11_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(11)[5]"}],"prose":"the information system implements multifactor authentication for remote access\n                     to privileged accounts such that a device, separate from the system gaining\n                     access, meets organization-defined strength of mechanism requirements; and"},{"id":"ia-2.11_obj.6","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(11)[6]"}],"prose":"the information system implements multifactor authentication for remote access\n                     to non-privileged accounts such that a device, separate from the system gaining\n                     access, meets organization-defined strength of mechanism requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of privileged and non-privileged information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","properties":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials.","parts":[{"id":"ia-2.12_fr","name":"item","title":"IA-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."}]}]},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access\n                  control systems (LACS) and physical access control systems (PACS). Personal\n                  Identity Verification (PIV) credentials are those credentials issued by federal\n                  agencies that conform to FIPS Publication 201 and supporting guidance documents.\n                  OMB Memorandum 11-11 requires federal agencies to continue implementing the\n                  requirements specified in HSPD-12 to enable agency-wide use of PIV\n                  credentials.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"ia-2.12_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing acceptance and verification\n                     of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","parameters":[{"id":"ia-3_prm_1","label":"organization-defined specific and/or types of devices"},{"id":"ia-3_prm_2"}],"properties":[{"name":"label","value":"IA-3"},{"name":"sort-id","value":"ia-03"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"The information system uniquely identifies and authenticates {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }}\n               connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Organizational devices requiring unique device-to-device identification and\n               authentication may be defined by type, by device, or by a combination of type/device.\n               Information systems typically use either shared known information (e.g., Media Access\n               Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)\n               for device identification or organizational authentication solutions (e.g., IEEE\n               802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport\n               Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on\n               local and/or wide area networks. Organizations determine the required strength of\n               authentication mechanisms by the security categories of information systems. Because\n               of the challenges of applying this control on large scale, organizations are\n               encouraged to only apply the control to those limited number (and type) of devices\n               that truly need to support this capability.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"}]},{"id":"ia-3_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ia-3_obj.1","name":"objective","properties":[{"name":"label","value":"IA-3[1]"}],"prose":"the organization defines specific and/or types of devices that the information\n                  system uniquely identifies and authenticates before establishing one or more of\n                  the following:","parts":[{"id":"ia-3_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-3[1][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-3[1][b]"}],"prose":"a remote connection; and/or"},{"id":"ia-3_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-3[1][c]"}],"prose":"a network connection; and"}]},{"id":"ia-3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-3[2]"}],"prose":"the information system uniquely identifies and authenticates organization-defined\n                  devices before establishing one or more of the following:","parts":[{"id":"ia-3_obj.2.a","name":"objective","properties":[{"name":"label","value":"IA-3[2][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.2.b","name":"objective","properties":[{"name":"label","value":"IA-3[2][b]"}],"prose":"a remote connection; and/or"},{"id":"ia-3_obj.2.c","name":"objective","properties":[{"name":"label","value":"IA-3[2][c]"}],"prose":"a network connection."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing device identification and authentication\\n\\ninformation system design documentation\\n\\nlist of devices requiring unique identification and authentication\\n\\ndevice connection reports\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with operational responsibilities for device\n                  identification and authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing device identification and\n                  authentication capability"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","parameters":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles","constraints":[{"detail":"at a minimum, the ISSO (or similar role within the organization)"}]},{"id":"ia-4_prm_2","label":"organization-defined time period","constraints":[{"detail":"at least two (2) years"}]},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity","constraints":[{"detail":"thirty-five (35) days (See additional requirements and guidance.)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ ia-4_prm_1 }} to assign an\n                  individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ ia-4_prm_3 }}."},{"id":"ia-4_fr","name":"item","title":"IA-4(e) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-4_fr_smt.e","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines the time period of inactivity for device identifiers."},{"id":"ia-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."}]}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet\n               protocol (IP) addresses, or device-unique token identifiers. Management of individual\n               identifiers is not applicable to shared information system accounts (e.g., guest and\n               anonymous accounts). Typically, individual identifiers are the user names of the\n               information system accounts assigned to those individuals. In such instances, the\n               account management activities of AC-2 use account names provided by IA-4. This\n               control also addresses individual identifiers not necessarily associated with\n               information system accounts (e.g., identifiers used in physical security control\n               databases accessed by badge reader systems for access to information systems).\n               Preventing reuse of identifiers implies preventing the assignment of previously used\n               individual, group, role, or device identifiers to different individuals, groups,\n               roles, or devices.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#sc-37","rel":"related","text":"SC-37"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by: ","parts":[{"id":"ia-4.a_obj","name":"objective","properties":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to\n                     assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and/or"},{"id":"ia-4.a_obj.1.d","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to\n                     assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and/or"},{"id":"ia-4.a_obj.2.d","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","properties":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and/or"},{"id":"ia-4.b_obj.4","name":"objective","properties":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","properties":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and/or"},{"id":"ia-4.c_obj.4","name":"objective","properties":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","properties":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","properties":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of\n                     inactivity."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system accounts\\n\\nlist of identifiers generated from physical access control devices\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identifier management"}]}],"controls":[{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","parameters":[{"id":"ia-4.4_prm_1","label":"organization-defined characteristic identifying individual status","constraints":[{"detail":"contractors; foreign nationals]"}]}],"properties":[{"name":"label","value":"IA-4(4)"},{"name":"sort-id","value":"ia-04.04"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"The organization manages individual identifiers by uniquely identifying each\n                  individual as {{ ia-4.4_prm_1 }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics identifying the status of individuals include, for example,\n                  contractors and foreign nationals. Identifying the status of individuals by\n                  specific characteristics provides additional information about the people with\n                  whom organizational personnel are communicating. For example, it might be useful\n                  for a government employee to know that one of the individuals on an email message\n                  is a contractor.","links":[{"href":"#at-2","rel":"related","text":"AT-2"}]},{"id":"ia-4.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-4.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(4)[1]"}],"prose":"defines a characteristic to be used to identify individual status; and"},{"id":"ia-4.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(4)[2]"}],"prose":"manages individual identifiers by uniquely identifying each individual as the\n                     organization-defined characteristic identifying individual status."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nlist of characteristics identifying individual status\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identifier management"}]}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","parameters":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the\n                  individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the\n                  organization;"},{"id":"ia-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"},{"id":"ia-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator\n                  distribution, for lost/compromised or damaged authenticators, and for revoking\n                  authenticators;"},{"id":"ia-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system\n                  installation;"},{"id":"ia-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for\n                  authenticators;"},{"id":"ia-5_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changing/refreshing authenticators {{ ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and\n                  modification;"},{"id":"ia-5_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security\n                  safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group/role accounts when membership to those accounts\n                  changes."},{"id":"ia-5_fr","name":"item","title":"IA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."}]}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI\n               certificates, and key cards. Initial authenticator content is the actual content\n               (e.g., the initial password) as opposed to requirements about authenticator content\n               (e.g., minimum password length). In many cases, developers ship information system\n               components with factory default authentication credentials to allow for initial\n               installation and configuration. Default authentication credentials are often well\n               known, easily discoverable, and present a significant security risk. The requirement\n               to protect individual authenticators may be implemented via control PL-4 or PS-6 for\n               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28\n               for authenticators stored within organizational information systems (e.g., passwords\n               stored in hashed or encrypted formats, files containing encrypted or hashed passwords\n               accessible with administrator privileges). Information systems support individual\n               authenticator management by organization-defined settings and restrictions for\n               various authenticator characteristics including, for example, minimum password\n               length, password composition, validation time window for time synchronous one-time\n               tokens, and number of allowed rejections during the verification stage of biometric\n               authentication. Specific actions that can be taken to safeguard authenticators\n               include, for example, maintaining possession of individual authenticators, not\n               loaning or sharing individual authenticators with others, and reporting lost, stolen,\n               or compromised authenticators immediately. Authenticator management includes issuing\n               and revoking, when no longer needed, authenticators for temporary access such as that\n               required for remote maintenance. Device authenticators include, for example,\n               certificates and passwords.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-28","rel":"related","text":"SC-28"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by: ","parts":[{"id":"ia-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and/or"},{"id":"ia-5.a_obj.4","name":"objective","properties":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the\n                  organization;"},{"id":"ia-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"},{"id":"ia-5.d_obj","name":"objective","properties":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial\n                     authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost/compromised or\n                     damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking\n                     authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system\n                  installation;"},{"id":"ia-5.f_obj","name":"objective","properties":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","properties":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing/refreshing\n                     authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing/refreshing authenticators with the organization-defined time period by\n                     authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","properties":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect\n                     authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect\n                     authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group/role accounts when membership to those accounts\n                  changes."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system authenticator types\\n\\nchange control records associated with managing information system\n                  authenticators\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                  capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","parameters":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters,\n                  mix of upper-case letters, lower-case letters, numbers, and special characters,\n                  including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number","constraints":[{"detail":"at least fifty percent (50%)"}]},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number","constraints":[{"detail":"twenty four (24)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords\n                     are created: {{ ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;\n                     and"},{"id":"ia-5.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate\n                     change to a permanent password."},{"id":"ia-5.1_fr","name":"item","title":"IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) (d) Guidance:"}],"prose":"If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."}]}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals\n                  using passwords as individual or group authenticators, and in a similar manner,\n                  when passwords are part of multifactor authenticators. This control enhancement\n                  does not apply when passwords are used to unlock hardware authenticators (e.g.,\n                  Personal Identity Verification cards). The implementation of such password\n                  mechanisms may not meet all of the requirements in the enhancement.\n                  Cryptographically-protected passwords include, for example, encrypted versions of\n                  passwords and one-way cryptographic hashes of passwords. The number of changed\n                  characters refers to the number of changes required with respect to the total\n                  number of positions in the current password. Password lifetime restrictions do not\n                  apply to temporary passwords. To mitigate certain brute force attacks against\n                  passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related","text":"IA-6"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication: ","parts":[{"id":"ia-5.1.a_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters,\n                        lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of\n                        character;"},{"id":"ia-5.1.a_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of\n                        organization-defined requirements for case sensitivity, number of\n                        characters, mix of upper-case letters, lower-case letters, numbers, and\n                        special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp","text":"IA-5(1)(a)"}]},{"id":"ia-5.1.b_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be\n                        enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum\n                        number of characters that must be changed when new passwords are\n                        created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp","text":"IA-5(1)(b)"}]},{"id":"ia-5.1.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of\n                     passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp","text":"IA-5(1)(c)"}]},{"id":"ia-5.1.d_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions\n                        to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions\n                        to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of\n                        organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of\n                        organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp","text":"IA-5(1)(d)"}]},{"id":"ia-5.1.e_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited\n                        from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined\n                        number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp","text":"IA-5(1)(e)"}]},{"id":"ia-5.1.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons\n                     with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp","text":"IA-5(1)(f)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\npassword policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\npassword configurations and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Pki-based Authentication","properties":[{"name":"label","value":"IA-5(2)"},{"name":"sort-id","value":"ia-05.02"}],"parts":[{"id":"ia-5.2_smt","name":"statement","prose":"The information system, for PKI-based authentication:","parts":[{"id":"ia-5.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Validates certifications by constructing and verifying a certification path to\n                     an accepted trust anchor including checking certificate status information;"},{"id":"ia-5.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Enforces authorized access to the corresponding private key;"},{"id":"ia-5.2_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Maps the authenticated identity to the account of the individual or group;\n                     and"},{"id":"ia-5.2_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Implements a local cache of revocation data to support path discovery and\n                     validation in case of inability to access revocation information via the\n                     network."}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Status information for certification paths includes, for example, certificate\n                  revocation lists or certificate status protocol responses. For PIV cards,\n                  validation of certifications involves the construction and verification of a\n                  certification path to the Common Policy Root trust anchor including certificate\n                  policy processing.","links":[{"href":"#ia-6","rel":"related","text":"IA-6"}]},{"id":"ia-5.2_obj","name":"objective","prose":"Determine if the information system, for PKI-based authentication: ","parts":[{"id":"ia-5.2.a_obj","name":"objective","properties":[{"name":"label","value":"IA-5(2)(a)"}],"parts":[{"id":"ia-5.2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(a)[1]"}],"prose":"validates certifications by constructing a certification path to an accepted\n                        trust anchor;"},{"id":"ia-5.2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(a)[2]"}],"prose":"validates certifications by verifying a certification path to an accepted\n                        trust anchor;"},{"id":"ia-5.2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(a)[3]"}],"prose":"includes checking certificate status information when constructing and\n                        verifying the certification path;"}],"links":[{"href":"#ia-5.2_smt.a","rel":"corresp","text":"IA-5(2)(a)"}]},{"id":"ia-5.2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(b)"}],"prose":"enforces authorized access to the corresponding private key;","links":[{"href":"#ia-5.2_smt.b","rel":"corresp","text":"IA-5(2)(b)"}]},{"id":"ia-5.2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(c)"}],"prose":"maps the authenticated identity to the account of the individual or group;\n                     and","links":[{"href":"#ia-5.2_smt.c","rel":"corresp","text":"IA-5(2)(c)"}]},{"id":"ia-5.2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(d)"}],"prose":"implements a local cache of revocation data to support path discovery and\n                     validation in case of inability to access revocation information via the\n                     network.","links":[{"href":"#ia-5.2_smt.d","rel":"corresp","text":"IA-5(2)(d)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nPKI certification validation records\\n\\nPKI certification revocation lists\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with PKI-based, authenticator management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing PKI-based, authenticator\n                     management capability"}]}]},{"id":"ia-5.3","class":"SP800-53-enhancement","title":"In-person or Trusted Third-party Registration","parameters":[{"id":"ia-5.3_prm_1","label":"organization-defined types of and/or specific authenticators","constraints":[{"detail":"All hardware/biometric (multifactor authenticators)"}]},{"id":"ia-5.3_prm_2","constraints":[{"detail":"in person"}]},{"id":"ia-5.3_prm_3","label":"organization-defined registration authority"},{"id":"ia-5.3_prm_4","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"IA-5(3)"},{"name":"sort-id","value":"ia-05.03"}],"parts":[{"id":"ia-5.3_smt","name":"statement","prose":"The organization requires that the registration process to receive {{ ia-5.3_prm_1 }} be conducted {{ ia-5.3_prm_2 }} before\n                     {{ ia-5.3_prm_3 }} with authorization by {{ ia-5.3_prm_4 }}."},{"id":"ia-5.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-5.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(3)[1]"}],"prose":"defines types of and/or specific authenticators to be received in person or by\n                     a trusted third party;"},{"id":"ia-5.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(3)[2]"}],"prose":"defines the registration authority with oversight of the registration process\n                     for receipt of organization-defined types of and/or specific\n                     authenticators;"},{"id":"ia-5.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(3)[3]"}],"prose":"defines personnel or roles responsible for authorizing organization-defined\n                     registration authority;"},{"id":"ia-5.3_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(3)[4]"}],"prose":"defines if the registration process is to be conducted:","parts":[{"id":"ia-5.3_obj.4.a","name":"objective","properties":[{"name":"label","value":"IA-5(3)[4][a]"}],"prose":"in person; or"},{"id":"ia-5.3_obj.4.b","name":"objective","properties":[{"name":"label","value":"IA-5(3)[4][b]"}],"prose":"by a trusted third party; and"}]},{"id":"ia-5.3_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-5(3)[5]"}],"prose":"requires that the registration process to receive organization-defined types of\n                     and/or specific authenticators be conducted in person or by a trusted third\n                     party before organization-defined registration authority with authorization by\n                     organization-defined personnel or roles."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nregistration process for receiving information system authenticators\\n\\nlist of authenticators requiring in-person registration\\n\\nlist of authenticators requiring trusted third party registration\\n\\nauthenticator registration documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\nregistration authority\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-5.4","class":"SP800-53-enhancement","title":"Automated Support for Password Strength Determination","parameters":[{"id":"ia-5.4_prm_1","label":"organization-defined requirements","constraints":[{"detail":"complexity as identified in IA-5 (1) Control Enhancement Part (a)"}]}],"properties":[{"name":"label","value":"IA-5(4)"},{"name":"sort-id","value":"ia-05.04"}],"parts":[{"id":"ia-5.4_smt","name":"statement","prose":"The organization employs automated tools to determine if password authenticators\n                  are sufficiently strong to satisfy {{ ia-5.4_prm_1 }}.","parts":[{"id":"ia-5.4_fr","name":"item","title":"IA-5 (4) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators."}]}]},{"id":"ia-5.4_gdn","name":"guidance","prose":"This control enhancement focuses on the creation of strong passwords and the\n                  characteristics of such passwords (e.g., complexity) prior to use, the enforcement\n                  of which is carried out by organizational information systems in IA-5 (1).","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"ia-5.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-5.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(4)[1]"}],"prose":"defines requirements to be satisfied by password authenticators; and"},{"id":"ia-5.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(4)[2]"}],"prose":"employs automated tools to determine if password authenticators are\n                     sufficiently strong to satisfy organization-defined requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nautomated tools for evaluating password authenticators\\n\\npassword strength assessment results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability\\n\\nautomated tools for determining password strength"}]}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","properties":[{"name":"label","value":"IA-5(6)"},{"name":"sort-id","value":"ia-05.06"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"The organization protects authenticators commensurate with the security category\n                  of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For information systems containing multiple security categories of information\n                  without reliable physical or logical separation between categories, authenticators\n                  used to grant access to the systems are protected commensurate with the highest\n                  security category of information on the systems."},{"id":"ia-5.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization protects authenticators commensurate with the\n                  security category of the information to which use of the authenticator permits\n                  access."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity categorization documentation for the information system\\n\\nsecurity assessments of authenticator protections\\n\\nrisk assessment results\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel implementing and/or maintaining authenticator\n                     protections\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                     capability\\n\\nautomated mechanisms protecting authenticators"}]}]},{"id":"ia-5.7","class":"SP800-53-enhancement","title":"No Embedded Unencrypted Static Authenticators","properties":[{"name":"label","value":"IA-5(7)"},{"name":"sort-id","value":"ia-05.07"}],"parts":[{"id":"ia-5.7_smt","name":"statement","prose":"The organization ensures that unencrypted static authenticators are not embedded\n                  in applications or access scripts or stored on function keys."},{"id":"ia-5.7_gdn","name":"guidance","prose":"Organizations exercise caution in determining whether embedded or stored\n                  authenticators are in encrypted or unencrypted form. If authenticators are used in\n                  the manner stored, then those representations are considered unencrypted\n                  authenticators. This is irrespective of whether that representation is perhaps an\n                  encrypted version of something else (e.g., a password)."},{"id":"ia-5.7_obj","name":"objective","prose":"Determine if the organization ensures that unencrypted static authenticators are\n                  not: ","parts":[{"id":"ia-5.7_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(7)[1]"}],"prose":"embedded in applications;"},{"id":"ia-5.7_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(7)[2]"}],"prose":"embedded in access scripts; or"},{"id":"ia-5.7_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(7)[3]"}],"prose":"stored on function keys."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlogical access scripts\\n\\napplication code reviews for detecting unencrypted static authenticators\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                     capability\\n\\nautomated mechanisms implementing authentication in applications"}]}]},{"id":"ia-5.8","class":"SP800-53-enhancement","title":"Multiple Information System Accounts","parameters":[{"id":"ia-5.8_prm_1","label":"organization-defined security safeguards","constraints":[{"detail":"different authenticators on different systems"}]}],"properties":[{"name":"label","value":"IA-5(8)"},{"name":"sort-id","value":"ia-05.08"}],"parts":[{"id":"ia-5.8_smt","name":"statement","prose":"The organization implements {{ ia-5.8_prm_1 }} to manage the risk\n                  of compromise due to individuals having accounts on multiple information\n                  systems."},{"id":"ia-5.8_gdn","name":"guidance","prose":"When individuals have accounts on multiple information systems, there is the risk\n                  that the compromise of one account may lead to the compromise of other accounts if\n                  individuals use the same authenticators. Possible alternatives include, for\n                  example: (i) having different authenticators on all systems; (ii) employing some\n                  form of single sign-on mechanism; or (iii) including some form of one-time\n                  passwords on all systems."},{"id":"ia-5.8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-5.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(8)[1]"}],"prose":"defines security safeguards to manage the risk of compromise due to individuals\n                     having accounts on multiple information systems; and"},{"id":"ia-5.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(8)[2]"}],"prose":"implements organization-defined security safeguards to manage the risk of\n                     compromise due to individuals having accounts on multiple information\n                     systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\nlist of individuals having accounts on multiple information systems\\n\\nlist of security safeguards intended to manage risk of compromise due to\n                     individuals having accounts on multiple information systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing safeguards for\n                     authenticator management"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","parameters":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"properties":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs\n                  mechanisms that satisfy {{ ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based\n                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.\n                  Organizations define specific requirements for tokens, such as working with a\n                  particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication: ","parts":[{"id":"ia-5.11_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined\n                     token quality requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nautomated mechanisms employing hardware token-based authentication for the\n                     information system\\n\\nlist of token quality requirements\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing hardware token-based\n                     authenticator management capability"}]}]},{"id":"ia-5.13","class":"SP800-53-enhancement","title":"Expiration of Cached Authenticators","parameters":[{"id":"ia-5.13_prm_1","label":"organization-defined time period"}],"properties":[{"name":"label","value":"IA-5(13)"},{"name":"sort-id","value":"ia-05.13"}],"parts":[{"id":"ia-5.13_smt","name":"statement","prose":"The information system prohibits the use of cached authenticators after {{ ia-5.13_prm_1 }}."},{"id":"ia-5.13_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ia-5.13_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(13)[1]"}],"prose":"the organization defines the time period after which the information system is\n                     to prohibit the use of cached authenticators; and"},{"id":"ia-5.13_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(13)[2]"}],"prose":"the information system prohibits the use of cached authenticators after the\n                     organization-defined time period."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                     capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","properties":[{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the\n               authentication process to protect the information from possible exploitation/use by\n               unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow\n               unauthorized individuals to compromise authentication mechanisms. For some types of\n               information systems or system components, for example, desktops/notebooks with\n               relatively large monitors, the threat (often referred to as shoulder surfing) may be\n               significant. For other types of systems or components, for example, mobile devices\n               with 2-4 inch screens, this threat may be less significant, and may need to be\n               balanced against the increased likelihood of typographic input errors due to the\n               small keyboards. Therefore, the means for obscuring the authenticator feedback is\n               selected accordingly. Obscuring the feedback of authentication information includes,\n               for example, displaying asterisks when users type passwords into input devices, or\n               displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related","text":"PE-18"}]},{"id":"ia-6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system obscures feedback of authentication information\n               during the authentication process to protect the information from possible\n               exploitation/use by unauthorized individuals."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator feedback\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the obscuring of feedback of\n                  authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","properties":[{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference","text":"FIPS Publication 140"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference","text":"http://csrc.nist.gov/groups/STM/cmvp/index.html"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic\n               module that meet the requirements of applicable federal laws, Executive Orders,\n               directives, policies, regulations, standards, and guidance for such\n               authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to\n               authenticate an operator accessing the module and to verify that the operator is\n               authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ia-7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements mechanisms for authentication to a\n               cryptographic module that meet the requirements of applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and guidance for such\n               authentication."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing cryptographic module authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module\n                  authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic module\n                  authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","properties":[{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference","text":"OMB Memorandum 10-06-2011"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference","text":"NIST Special Publication 800-116"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference","text":"National Strategy for Trusted Identities in\n            Cyberspace"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users\n               (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational\n               users explicitly covered by IA-2. These individuals are uniquely identified and\n               authenticated for accesses other than those accesses explicitly identified and\n               documented in AC-14. In accordance with the E-Authentication E-Government initiative,\n               authentication of non-organizational users accessing federal information systems may\n               be required to protect federal, proprietary, or privacy-related information (with\n               exceptions noted for national security systems). Organizations use risk assessments\n               to determine authentication needs and consider scalability, practicality, and\n               security in balancing the need to ensure ease of use for access to federal\n               information and information systems with the need to protect and adequately mitigate\n               risk. IA-2 addresses identification and authentication requirements for access to\n               information systems by organizational users.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sc-8","rel":"related","text":"SC-8"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates\n               non-organizational users (or processes acting on behalf of non-organizational\n               users)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                  authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","properties":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and\n                  physical access control systems (PACS). Personal Identity Verification (PIV)\n                  credentials are those credentials issued by federal agencies that conform to FIPS\n                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires\n                  federal agencies to continue implementing the requirements specified in HSPD-12 to\n                  enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"ia-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies;\n                     and"},{"id":"ia-8.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from\n                     other agencies."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","properties":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems\n                  that are accessible to the general public, for example, public-facing websites.\n                  Third-party credentials are those credentials issued by nonfederal government\n                  entities approved by the Federal Identity, Credential, and Access Management\n                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials\n                  meet or exceed the set of minimum federal government-wide technical, security,\n                  privacy, and organizational maturity requirements. This allows federal government\n                  relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related","text":"AU-2"}]},{"id":"ia-8.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system accepts only FICAM-approved third-party\n                  credentials. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-approved, third-party credentialing products, components, or\n                     services procured and implemented by organization\\n\\nthird-party credential verification records\\n\\nevidence of FICAM-approved third-party credentials\\n\\nthird-party credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","parameters":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"properties":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in\n                     {{ ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are\n                  accessible to the general public, for example, public-facing websites.\n                  FICAM-approved information system components include, for example, information\n                  technology products and software libraries that have been approved by the Federal\n                  Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-8.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system\n                     components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in\n                     organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nthird-party credential validations\\n\\nthird-party credential authorizations\\n\\nthird-party credential records\\n\\nlist of FICAM-approved information system components procured and implemented\n                     by organization\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information system security, acquisition, and\n                     contracting responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","properties":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure\n                  that these standards are viable, robust, reliable, sustainable (e.g., available in\n                  commercial information technology products), and interoperable as documented, the\n                  United States Government assesses and scopes identity management standards and\n                  technology implementations against applicable federal legislation, directives,\n                  policies, and requirements. The result is FICAM-issued implementation profiles of\n                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and\n                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute\n                  Exchange).","links":[{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system conforms to FICAM-issued profiles. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-issued profiles and associated, approved protocols\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing conformance with\n                     FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","parameters":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ir-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and\n                     associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IR\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be\n                        disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel\n                        or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response\n                        policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the\n                        organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response\n                        procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","parameters":[{"id":"ir-2_prm_1","label":"organization-defined time period","constraints":[{"detail":"within ten (10) days"}]},{"id":"ir-2_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users\n               consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ ir-2_prm_1 }} of assuming an incident response role or\n                  responsibility;"},{"id":"ir-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles\n               and responsibilities of organizational personnel to ensure the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know who to call or how to recognize an incident on the information system;\n               system administrators may require additional training on how to handle/remediate\n               incidents; and incident responders may receive more specific training on forensics,\n               reporting, system recovery, and restoration. Incident response training includes user\n               training in the identification and reporting of suspicious activities, both from\n               external and internal sources.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","properties":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided\n                     to information system users assuming an incident response role or\n                     responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with\n                  assigned roles and responsibilities when required by information system\n                  changes;"},{"id":"ir-2.c_obj","name":"objective","properties":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to\n                     information system users consistent with assigned roles or responsibilities;\n                     and"},{"id":"ir-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident\n                     response training to information system users consistent with assigned roles\n                     and responsibilities in accordance with the organization-defined frequency to\n                     provide refresher training."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nsecurity plan\\n\\nincident response plan\\n\\nsecurity plan\\n\\nincident response training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-2.1","class":"SP800-53-enhancement","title":"Simulated Events","properties":[{"name":"label","value":"IR-2(1)"},{"name":"sort-id","value":"ir-02.01"}],"parts":[{"id":"ir-2.1_smt","name":"statement","prose":"The organization incorporates simulated events into incident response training to\n                  facilitate effective response by personnel in crisis situations."},{"id":"ir-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization incorporates simulated events into incident response\n                  training to facilitate effective response by personnel in crisis situations. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and/or implement simulated events for\n                     incident response training"}]}]},{"id":"ir-2.2","class":"SP800-53-enhancement","title":"Automated Training Environments","properties":[{"name":"label","value":"IR-2(2)"},{"name":"sort-id","value":"ir-02.02"}],"parts":[{"id":"ir-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms to provide a more thorough and\n                  realistic incident response training environment."},{"id":"ir-2.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to provide a more\n                  thorough and realistic incident response training environment. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nautomated mechanisms supporting incident response training\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that provide a thorough and realistic incident response\n                     training environment"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","parameters":[{"id":"ir-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every six (6) months"}]},{"id":"ir-3_prm_2","label":"organization-defined tests"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-3"},{"name":"sort-id","value":"ir-03"}],"links":[{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference","text":"NIST Special Publication 800-84"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"The organization tests the incident response capability for the information system\n                  {{ ir-3_prm_1 }} using {{ ir-3_prm_2 }} to determine\n               the incident response effectiveness and documents the results.","parts":[{"id":"ir-3_fr","name":"item","title":"IR-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-3_fr_smt.1","name":"item","properties":[{"name":"label","value":"IR-3 -2 Requirement:"}],"prose":"The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing."}]}]},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the overall\n               effectiveness of the capabilities and to identify potential weaknesses or\n               deficiencies. Incident response testing includes, for example, the use of checklists,\n               walk-through or tabletop exercises, simulations (parallel/full interrupt), and\n               comprehensive exercises. Incident response testing can also include a determination\n               of the effects on organizational operations (e.g., reduction in mission\n               capabilities), organizational assets, and individuals due to incident response.","links":[{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-3_obj.1","name":"objective","properties":[{"name":"label","value":"IR-3[1]"}],"prose":"defines incident response tests to test the incident response capability for the\n                  information system;"},{"id":"ir-3_obj.2","name":"objective","properties":[{"name":"label","value":"IR-3[2]"}],"prose":"defines the frequency to test the incident response capability for the information\n                  system; and"},{"id":"ir-3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-3[3]"}],"prose":"tests the incident response capability for the information system with the\n                  organization-defined frequency, using organization-defined tests to determine the\n                  incident response effectiveness and documents the results."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident response testing\\n\\nprocedures addressing contingency plan testing\\n\\nincident response testing material\\n\\nincident response test results\\n\\nincident response test plan\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\\n\\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","properties":[{"name":"label","value":"IR-3(2)"},{"name":"sort-id","value":"ir-03.02"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"The organization coordinates incident response testing with organizational\n                  elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include, for example,\n                  Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity\n                  of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  and Occupant Emergency Plans."},{"id":"ir-3.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization coordinates incident response testing with\n                  organizational elements responsible for related plans. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident response testing\\n\\nincident response testing documentation\\n\\nincident response plan\\n\\nbusiness continuity plans\\n\\ncontingency plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\\n\\norganizational personnel with responsibilities for testing organizational plans\n                     related to incident response testing\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","properties":[{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes\n                  preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities;\n                  and"},{"id":"ir-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into\n                  incident response procedures, training, and testing, and implements the resulting\n                  changes accordingly."},{"id":"ir-4_fr","name":"item","title":"IR-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-4_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."}]}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the\n               capabilities of organizational information systems and the mission/business processes\n               being supported by those systems. Therefore, organizations consider incident response\n               as part of the definition, design, and development of mission/business processes and\n               information systems. Incident-related information can be obtained from a variety of\n               sources including, for example, audit monitoring, network monitoring, physical access\n               monitoring, user/administrator reports, and reported supply chain events. Effective\n               incident handling capability includes coordination among many organizational entities\n               including, for example, mission/business owners, information system owners,\n               authorizing officials, human resources offices, physical and personnel security\n               offices, legal departments, operations personnel, procurement offices, and the risk\n               executive (function).","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that\n                  includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","properties":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","properties":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","properties":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","properties":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities\n                     into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing/exercises."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","properties":[{"name":"label","value":"IR-4(1)"},{"name":"sort-id","value":"ir-04.01"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the incident handling\n                  process."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms supporting incident handling processes include, for example,\n                  online incident management systems."},{"id":"ir-4.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to support the incident\n                  handling process. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nautomated mechanisms supporting incident handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and/or implement the incident handling\n                     process"}]}]},{"id":"ir-4.2","class":"SP800-53-enhancement","title":"Dynamic Reconfiguration","parameters":[{"id":"ir-4.2_prm_1","label":"organization-defined information system components","constraints":[{"detail":"all network, data storage, and computing devices"}]}],"properties":[{"name":"label","value":"IR-4(2)"},{"name":"sort-id","value":"ir-04.02"}],"parts":[{"id":"ir-4.2_smt","name":"statement","prose":"The organization includes dynamic reconfiguration of {{ ir-4.2_prm_1 }} as part of the incident response capability."},{"id":"ir-4.2_gdn","name":"guidance","prose":"Dynamic reconfiguration includes, for example, changes to router rules, access\n                  control lists, intrusion detection/prevention system parameters, and filter rules\n                  for firewalls and gateways. Organizations perform dynamic reconfiguration of\n                  information systems, for example, to stop attacks, to misdirect attackers, and to\n                  isolate components of systems, thus limiting the extent of the damage from\n                  breaches or compromises. Organizations include time frames for achieving the\n                  reconfiguration of information systems in the definition of the reconfiguration\n                  capability, considering the potential need for rapid response in order to\n                  effectively address sophisticated cyber threats.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"}]},{"id":"ir-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(2)[1]"}],"prose":"defines information system components to be dynamically reconfigured as part of\n                     the incident response capability; and"},{"id":"ir-4.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-4(2)[2]"}],"prose":"includes dynamic reconfiguration of organization-defined information system\n                     components as part of the incident response capability."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nautomated mechanisms supporting incident handling\\n\\nlist of system components to be dynamically reconfigured as part of incident\n                     response capability\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and/or implement dynamic reconfiguration of\n                     components as part of incident response"}]}]},{"id":"ir-4.3","class":"SP800-53-enhancement","title":"Continuity of Operations","parameters":[{"id":"ir-4.3_prm_1","label":"organization-defined classes of incidents"},{"id":"ir-4.3_prm_2","label":"organization-defined actions to take in response to classes of\n                  incidents"}],"properties":[{"name":"label","value":"IR-4(3)"},{"name":"sort-id","value":"ir-04.03"}],"parts":[{"id":"ir-4.3_smt","name":"statement","prose":"The organization identifies {{ ir-4.3_prm_1 }} and {{ ir-4.3_prm_2 }} to ensure continuation of organizational missions and\n                  business functions."},{"id":"ir-4.3_gdn","name":"guidance","prose":"Classes of incidents include, for example, malfunctions due to\n                  design/implementation errors and omissions, targeted malicious attacks, and\n                  untargeted malicious attacks. Appropriate incident response actions include, for\n                  example, graceful degradation, information system shutdown, fall back to manual\n                  mode/alternative technology whereby the system operates differently, employing\n                  deceptive measures, alternate information flows, or operating in a mode that is\n                  reserved solely for when systems are under attack."},{"id":"ir-4.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(3)[1]"}],"prose":"defines classes of incidents requiring an organization-defined action to be\n                     taken;"},{"id":"ir-4.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(3)[2]"}],"prose":"defines actions to be taken in response to organization-defined classes of\n                     incidents; and"},{"id":"ir-4.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-4(3)[3]"}],"prose":"identifies organization-defined classes of incidents and organization-defined\n                     actions to take in response to classes of incidents to ensure continuation of\n                     organizational missions and business functions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\nsecurity plan\\n\\nlist of classes of incidents\\n\\nlist of appropriate incident response actions\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and/or implement continuity of operations"}]}]},{"id":"ir-4.4","class":"SP800-53-enhancement","title":"Information Correlation","properties":[{"name":"label","value":"IR-4(4)"},{"name":"sort-id","value":"ir-04.04"}],"parts":[{"id":"ir-4.4_smt","name":"statement","prose":"The organization correlates incident information and individual incident responses\n                  to achieve an organization-wide perspective on incident awareness and\n                  response."},{"id":"ir-4.4_gdn","name":"guidance","prose":"Sometimes the nature of a threat event, for example, a hostile cyber attack, is\n                  such that it can only be observed by bringing together information from different\n                  sources including various reports and reporting procedures established by\n                  organizations."},{"id":"ir-4.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization correlates incident information and individual\n                  incident responses to achieve an organization-wide perspective on incident\n                  awareness and response. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\nsecurity plan\\n\\nautomated mechanisms supporting incident and event correlation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident management correlation logs\\n\\nevent management correlation logs\\n\\nsecurity information and event management logs\\n\\nincident management correlation reports\\n\\nevent management correlation reports\\n\\nsecurity information and event management reports\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with whom incident information and individual incident\n                     responses are to be correlated"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for correlating incident information and individual\n                     incident responses\\n\\nautomated mechanisms that support and or implement correlation of incident\n                     response information with individual incident responses"}]}]},{"id":"ir-4.6","class":"SP800-53-enhancement","title":"Insider Threats - Specific Capabilities","properties":[{"name":"label","value":"IR-4(6)"},{"name":"sort-id","value":"ir-04.06"}],"parts":[{"id":"ir-4.6_smt","name":"statement","prose":"The organization implements incident handling capability for insider threats."},{"id":"ir-4.6_gdn","name":"guidance","prose":"While many organizations address insider threat incidents as an inherent part of\n                  their organizational incident response capability, this control enhancement\n                  provides additional emphasis on this type of threat and the need for specific\n                  incident handling capabilities (as defined within organizations) to provide\n                  appropriate and timely responses."},{"id":"ir-4.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization implements incident handling capability for insider\n                  threats."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nautomated mechanisms supporting incident handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-4.8","class":"SP800-53-enhancement","title":"Correlation with External Organizations","parameters":[{"id":"ir-4.8_prm_1","label":"organization-defined external organizations","constraints":[{"detail":"external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)"}]},{"id":"ir-4.8_prm_2","label":"organization-defined incident information"}],"properties":[{"name":"label","value":"IR-4(8)"},{"name":"sort-id","value":"ir-04.08"}],"parts":[{"id":"ir-4.8_smt","name":"statement","prose":"The organization coordinates with {{ ir-4.8_prm_1 }} to correlate\n                  and share {{ ir-4.8_prm_2 }} to achieve a cross-organization\n                  perspective on incident awareness and more effective incident responses."},{"id":"ir-4.8_gdn","name":"guidance","prose":"The coordination of incident information with external organizations including,\n                  for example, mission/business partners, military/coalition partners, customers,\n                  and multitiered developers, can provide significant benefits. Cross-organizational\n                  coordination with respect to incident handling can serve as an important risk\n                  management capability. This capability allows organizations to leverage critical\n                  information from a variety of sources to effectively respond to information\n                  security-related incidents potentially affecting the organization’s operations,\n                  assets, and individuals."},{"id":"ir-4.8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-4.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(8)[1]"}],"prose":"defines external organizations with whom organizational incident information is\n                     to be coordinated;"},{"id":"ir-4.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(8)[2]"}],"prose":"defines incident information to be correlated and shared with\n                     organization-defined external organizations; and"},{"id":"ir-4.8_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-4(8)[3]"}],"prose":"the organization coordinates with organization-defined external organizations\n                     to correlate and share organization-defined information to achieve a\n                     cross-organization perspective on incident awareness and more effective\n                     incident responses."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nlist of external organizations\\n\\nrecords of incident handling coordination with external organizations\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel from external organizations with whom incident response information\n                     is to be coordinated/shared/correlated"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for coordinating incident handling information with\n                     external organizations"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","properties":[{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining\n               records about each incident, the status of the incident, and other pertinent\n               information necessary for forensics, evaluating incident details, trends, and\n               handling. Incident information can be obtained from a variety of sources including,\n               for example, incident reports, incident response teams, audit monitoring, network\n               monitoring, physical access monitoring, and user/administrator reports.","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-5_obj.1","name":"objective","properties":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nincident response records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\\n\\nautomated mechanisms supporting and/or implementing tracking and documenting of\n                  system security incidents"}]}],"controls":[{"id":"ir-5.1","class":"SP800-53-enhancement","title":"Automated Tracking / Data Collection / Analysis","properties":[{"name":"label","value":"IR-5(1)"},{"name":"sort-id","value":"ir-05.01"}],"parts":[{"id":"ir-5.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the tracking of\n                  security incidents and in the collection and analysis of incident information."},{"id":"ir-5.1_gdn","name":"guidance","prose":"Automated mechanisms for tracking security incidents and collecting/analyzing\n                  incident information include, for example, the Einstein network monitoring device\n                  and monitoring online Computer Incident Response Centers (CIRCs) or other\n                  electronic databases of incidents.","links":[{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#ir-4","rel":"related","text":"IR-4"}]},{"id":"ir-5.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to assist in:","parts":[{"id":"ir-5.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-5(1)[1]"}],"prose":"the tracking of security incidents;"},{"id":"ir-5.1_obj.2","name":"objective","properties":[{"name":"label","value":"IR-5(1)[2]"}],"prose":"the collection of incident information; and"},{"id":"ir-5.1_obj.3","name":"objective","properties":[{"name":"label","value":"IR-5(1)[3]"}],"prose":"the analysis of incident information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nautomated mechanisms supporting incident monitoring\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms assisting in tracking of security incidents and in the\n                     collection and analysis of incident information"}]}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","parameters":[{"id":"ir-6_prm_1","label":"organization-defined time period","constraints":[{"detail":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference","text":"http://www.us-cert.gov"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational\n                  incident response capability within {{ ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ ir-6_prm_2 }}."},{"id":"ir-6_fr","name":"item","title":"IR-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident Communications Procedure."}]}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting\n               requirements within an organization and the formal incident reporting requirements\n               for federal agencies and their subordinate organizations. Suspected security\n               incidents include, for example, the receipt of suspicious email communications that\n               can potentially contain malicious code. The types of security incidents reported, the\n               content and timeliness of the reports, and the designated reporting authorities\n               reflect applicable federal laws, Executive Orders, directives, regulations, policies,\n               standards, and guidance. Current federal policy requires that all federal agencies\n               (unless specifically exempted from such requirements) report security incidents to\n               the United States Computer Emergency Readiness Team (US-CERT) within specified time\n               frames designated in the US-CERT Concept of Operations for Federal Cyber Security\n               Incident Handling.","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","properties":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security\n                     incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational\n                     incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","properties":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported;\n                     and"},{"id":"ir-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nincident reporting records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel who have/should have reported incidents\\n\\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","properties":[{"name":"label","value":"IR-6(1)"},{"name":"sort-id","value":"ir-06.01"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the reporting of\n                  security incidents."},{"id":"ir-6.1_gdn","name":"guidance","links":[{"href":"#ir-7","rel":"related","text":"IR-7"}]},{"id":"ir-6.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to assist in the\n                  reporting of security incidents."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nautomated mechanisms supporting incident reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing reporting of security\n                     incidents"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","properties":[{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the\n               organizational incident response capability that offers advice and assistance to\n               users of the information system for the handling and reporting of security\n               incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example,\n               help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","properties":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","properties":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the\n                  handling and reporting of security incidents."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support\n                  responsibilities\\n\\norganizational personnel with access to incident response support and assistance\n                  capability\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing incident response\n                  assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information / Support","properties":[{"name":"label","value":"IR-7(1)"},{"name":"sort-id","value":"ir-07.01"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"The organization employs automated mechanisms to increase the availability of\n                  incident response-related information and support."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push and/or pull capability for users to obtain\n                  incident response assistance. For example, individuals might have access to a\n                  website to query the assistance capability, or conversely, the assistance\n                  capability may have the ability to proactively send information to users (general\n                  distribution or targeted) as part of increasing understanding of current response\n                  capabilities and support."},{"id":"ir-7.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to increase the\n                  availability of incident response-related information and support."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nautomated mechanisms supporting incident response support and assistance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response support and assistance\n                     responsibilities\\n\\norganizational personnel with access to incident response support and\n                     assistance capability\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing an increase in the\n                     availability of incident response information and support"}]}]},{"id":"ir-7.2","class":"SP800-53-enhancement","title":"Coordination with External Providers","properties":[{"name":"label","value":"IR-7(2)"},{"name":"sort-id","value":"ir-07.02"}],"parts":[{"id":"ir-7.2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-7.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Establishes a direct, cooperative relationship between its incident response\n                     capability and external providers of information system protection capability;\n                     and"},{"id":"ir-7.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Identifies organizational incident response team members to the external\n                     providers."}]},{"id":"ir-7.2_gdn","name":"guidance","prose":"External providers of information system protection capability include, for\n                  example, the Computer Network Defense program within the U.S. Department of\n                  Defense. External providers help to protect, monitor, analyze, detect, and respond\n                  to unauthorized activity within organizational information systems and\n                  networks."},{"id":"ir-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-7.2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-7(2)(a)"}],"prose":"establishes a direct, cooperative relationship between its incident response\n                     capability and external providers of information system protection capability;\n                     and","links":[{"href":"#ir-7.2_smt.a","rel":"corresp","text":"IR-7(2)(a)"}]},{"id":"ir-7.2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-7(2)(b)"}],"prose":"identifies organizational incident response team members to the external\n                     providers.","links":[{"href":"#ir-7.2_smt.b","rel":"corresp","text":"IR-7(2)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response support and assistance\n                     responsibilities\\n\\nexternal providers of information system protection capability\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","parameters":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements","constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},{"id":"ir-8_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements","constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response\n                     capability;"},{"id":"ir-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response\n                     capability;"},{"id":"ir-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission,\n                     size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the\n                     organization;"},{"id":"ir-8_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ ir-8_prm_4 }};\n                  and"},{"id":"ir-8_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and\n                  modification."},{"id":"ir-8_fr","name":"item","title":"IR-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-8_fr_smt.b","name":"item","properties":[{"name":"label","value":"(b) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."},{"id":"ir-8_fr_smt.e","name":"item","properties":[{"name":"label","value":"(e) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."}]}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to\n               incident response. Organizational missions, business functions, strategies, goals,\n               and objectives for incident response help to determine the structure of incident\n               response capabilities. As part of a comprehensive incident response capability,\n               organizations consider the coordination and sharing of information with external\n               organizations, including, for example, external service providers and organizations\n               involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response\n                     capability;"},{"id":"ir-8.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response\n                     capability;"},{"id":"ir-8.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the\n                     organization;"},{"id":"ir-8.a.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response\n                        plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","properties":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and/or by role) to\n                        whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan\n                        are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined\n                     incident response personnel (identified by name and/or by role) and\n                     organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","properties":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","properties":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","properties":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and/or by role) to\n                        whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are\n                        to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident\n                     response personnel (identified by name and/or by role) and organizational\n                     elements; and"}]},{"id":"ir-8.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and\n                  modification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response planning\\n\\nincident response plan\\n\\nrecords of incident response plan reviews and approvals\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]},{"id":"ir-9","class":"SP800-53","title":"Information Spillage Response","parameters":[{"id":"ir-9_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-9_prm_2","label":"organization-defined actions"}],"properties":[{"name":"label","value":"IR-9"},{"name":"sort-id","value":"ir-09"}],"parts":[{"id":"ir-9_smt","name":"statement","prose":"The organization responds to information spills by:","parts":[{"id":"ir-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifying the specific information involved in the information system\n                  contamination;"},{"id":"ir-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Alerting {{ ir-9_prm_1 }} of the information spill using a method\n                  of communication not associated with the spill;"},{"id":"ir-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Isolating the contaminated information system or system component;"},{"id":"ir-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Eradicating the information from the contaminated information system or\n                  component;"},{"id":"ir-9_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Identifying other information systems or system components that may have been\n                  subsequently contaminated; and"},{"id":"ir-9_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Performing other {{ ir-9_prm_2 }}."}]},{"id":"ir-9_gdn","name":"guidance","prose":"Information spillage refers to instances where either classified or sensitive\n               information is inadvertently placed on information systems that are not authorized to\n               process such information. Such information spills often occur when information that\n               is initially thought to be of lower sensitivity is transmitted to an information\n               system and then is subsequently determined to be of higher sensitivity. At that\n               point, corrective action is required. The nature of the organizational response is\n               generally based upon the degree of sensitivity of the spilled information (e.g.,\n               security category or classification level), the security capabilities of the\n               information system, the specific nature of contaminated storage media, and the access\n               authorizations (e.g., security clearances) of individuals with authorized access to\n               the contaminated system. The methods used to communicate information about the spill\n               after the fact do not involve methods directly associated with the actual spill to\n               minimize the risk of further spreading the contamination before such contamination is\n               isolated and eradicated."},{"id":"ir-9_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(a)"}],"prose":"responds to information spills by identifying the specific information causing the\n                  information system contamination;"},{"id":"ir-9.b_obj","name":"objective","properties":[{"name":"label","value":"IR-9(b)"}],"parts":[{"id":"ir-9.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(b)[1]"}],"prose":"defines personnel to be alerted of the information spillage;"},{"id":"ir-9.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-9(b)[2]"}],"prose":"identifies a method of communication not associated with the information spill\n                     to use to alert organization-defined personnel of the spill;"},{"id":"ir-9.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(b)[3]"}],"prose":"responds to information spills by alerting organization-defined personnel of\n                     the information spill using a method of communication not associated with the\n                     spill;"}]},{"id":"ir-9.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(c)"}],"prose":"responds to information spills by isolating the contaminated information\n                  system;"},{"id":"ir-9.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(d)"}],"prose":"responds to information spills by eradicating the information from the\n                  contaminated information system;"},{"id":"ir-9.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(e)"}],"prose":"responds to information spills by identifying other information systems that may\n                  have been subsequently contaminated;"},{"id":"ir-9.f_obj","name":"objective","properties":[{"name":"label","value":"IR-9(f)"}],"parts":[{"id":"ir-9.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(f)[1]"}],"prose":"defines other actions to be performed in response to information spills;\n                     and"},{"id":"ir-9.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(f)[2]"}],"prose":"responds to information spills by performing other organization-defined\n                     actions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nrecords of information spillage alerts/notifications, list of personnel who should\n                  receive alerts of information spillage\\n\\nlist of actions to be performed regarding information spillage\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information spillage response\\n\\nautomated mechanisms supporting and/or implementing information spillage response\n                  actions and related communications"}]}],"controls":[{"id":"ir-9.1","class":"SP800-53-enhancement","title":"Responsible Personnel","parameters":[{"id":"ir-9.1_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"IR-9(1)"},{"name":"sort-id","value":"ir-09.01"}],"parts":[{"id":"ir-9.1_smt","name":"statement","prose":"The organization assigns {{ ir-9.1_prm_1 }} with responsibility for\n                  responding to information spills."},{"id":"ir-9.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-9.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(1)[1]"}],"prose":"defines personnel with responsibility for responding to information spills;\n                     and"},{"id":"ir-9.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-9(1)[2]"}],"prose":"assigns organization-defined personnel with responsibility for responding to\n                     information spills."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nlist of personnel responsible for responding to information spillage\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-9.2","class":"SP800-53-enhancement","title":"Training","parameters":[{"id":"ir-9.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-9(2)"},{"name":"sort-id","value":"ir-09.02"}],"parts":[{"id":"ir-9.2_smt","name":"statement","prose":"The organization provides information spillage response training {{ ir-9.2_prm_1 }}."},{"id":"ir-9.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(2)[1]"}],"prose":"defines the frequency to provide information spillage response training;\n                     and"},{"id":"ir-9.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-9(2)[2]"}],"prose":"provides information spillage response training with the organization-defined\n                     frequency."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing information spillage response training\\n\\ninformation spillage response training curriculum\\n\\ninformation spillage response training materials\\n\\nincident response plan\\n\\ninformation spillage response training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-9.3","class":"SP800-53-enhancement","title":"Post-spill Operations","parameters":[{"id":"ir-9.3_prm_1","label":"organization-defined procedures"}],"properties":[{"name":"label","value":"IR-9(3)"},{"name":"sort-id","value":"ir-09.03"}],"parts":[{"id":"ir-9.3_smt","name":"statement","prose":"The organization implements {{ ir-9.3_prm_1 }} to ensure that\n                  organizational personnel impacted by information spills can continue to carry out\n                  assigned tasks while contaminated systems are undergoing corrective actions."},{"id":"ir-9.3_gdn","name":"guidance","prose":"Correction actions for information systems contaminated due to information\n                  spillages may be very time-consuming. During those periods, personnel may not have\n                  access to the contaminated systems, which may potentially affect their ability to\n                  conduct organizational business."},{"id":"ir-9.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(3)[1]"}],"prose":"defines procedures that ensure organizational personnel impacted by information\n                     spills can continue to carry out assigned tasks while contaminated systems are\n                     undergoing corrective actions; and"},{"id":"ir-9.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(3)[2]"}],"prose":"implements organization-defined procedures to ensure that organizational\n                     personnel impacted by information spills can continue to carry out assigned\n                     tasks while contaminated systems are undergoing corrective actions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for post-spill operations"}]}]},{"id":"ir-9.4","class":"SP800-53-enhancement","title":"Exposure to Unauthorized Personnel","parameters":[{"id":"ir-9.4_prm_1","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"IR-9(4)"},{"name":"sort-id","value":"ir-09.04"}],"parts":[{"id":"ir-9.4_smt","name":"statement","prose":"The organization employs {{ ir-9.4_prm_1 }} for personnel exposed\n                  to information not within assigned access authorizations."},{"id":"ir-9.4_gdn","name":"guidance","prose":"Security safeguards include, for example, making personnel exposed to spilled\n                  information aware of the federal laws, directives, policies, and/or regulations\n                  regarding the information and the restrictions imposed based on exposure to such\n                  information."},{"id":"ir-9.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(4)[1]"}],"prose":"defines security safeguards to be employed for personnel exposed to information\n                     not within assigned access authorizations; and"},{"id":"ir-9.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(4)[2]"}],"prose":"employs organization-defined security safeguards for personnel exposed to\n                     information not within assigned access authorizations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nsecurity safeguards regarding information spillage/exposure to unauthorized\n                     personnel\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for dealing with information exposed to unauthorized\n                     personnel\\n\\nautomated mechanisms supporting and/or implementing safeguards for personnel\n                     exposed to information not within assigned access authorizations"}]}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","parameters":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ma-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy\n                     and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be\n                        disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel\n                        or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance\n                        policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the\n                        organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance\n                        procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","parameters":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"properties":[{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on\n                  information system components in accordance with manufacturer or vendor\n                  specifications and/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or\n                  remotely and whether the equipment is serviced on site or removed to another\n                  location;"},{"id":"ma-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Requires that {{ ma-2_prm_1 }} explicitly approve the removal of\n                  the information system or system components from organizational facilities for\n                  off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Includes {{ ma-2_prm_2 }} in organizational maintenance\n                  records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system\n               maintenance program and applies to all types of maintenance to any system component\n               (including applications) conducted by any local or nonlocal entity (e.g.,\n               in-contract, warranty, in-house, software maintenance agreement). System maintenance\n               also includes those components not directly associated with information processing\n               and/or data/information retention such as scanners, copiers, and printers.\n               Information necessary for creating effective maintenance records includes, for\n               example: (i) date and time of maintenance; (ii) name of individuals or group\n               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of\n               the maintenance performed; and (v) information system components/equipment removed or\n               replaced (including identification numbers, if applicable). The level of detail\n               included in maintenance records can be informed by the security categories of\n               organizational information systems. Organizations consider supply chain issues\n               associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","properties":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance\n                     with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.4.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","properties":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","properties":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the\n                     information system or system components from organizational facilities for\n                     off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the\n                     removal of the information system or system components from organizational\n                     facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","properties":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational\n                     maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational\n                     maintenance records."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nmaintenance records\\n\\nmanufacturer/vendor maintenance specifications\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing,\n                  approving, and monitoring maintenance and repairs for the information system\\n\\norganizational processes for sanitizing information system components\\n\\nautomated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms implementing sanitization of information system\n                  components"}]}],"controls":[{"id":"ma-2.2","class":"SP800-53-enhancement","title":"Automated Maintenance Activities","properties":[{"name":"label","value":"MA-2(2)"},{"name":"sort-id","value":"ma-02.02"}],"parts":[{"id":"ma-2.2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms to schedule, conduct, and document maintenance and\n                     repairs; and"},{"id":"ma-2.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Produces up-to date, accurate, and complete records of all maintenance and\n                     repair actions requested, scheduled, in process, and completed."}]},{"id":"ma-2.2_gdn","name":"guidance","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ma-3","rel":"related","text":"MA-3"}]},{"id":"ma-2.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-2.2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(2)(a)"}],"prose":"employs automated mechanisms to:","parts":[{"id":"ma-2.2.a_obj.1","name":"objective","properties":[{"name":"label","value":"MA-2(2)(a)[1]"}],"prose":"schedule maintenance and repairs;"},{"id":"ma-2.2.a_obj.2","name":"objective","properties":[{"name":"label","value":"MA-2(2)(a)[2]"}],"prose":"conduct maintenance and repairs;"},{"id":"ma-2.2.a_obj.3","name":"objective","properties":[{"name":"label","value":"MA-2(2)(a)[3]"}],"prose":"document maintenance and repairs;"}],"links":[{"href":"#ma-2.2_smt.a","rel":"corresp","text":"MA-2(2)(a)"}]},{"id":"ma-2.2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(2)(b)"}],"prose":"produces up-to-date, accurate, and complete records of all maintenance and\n                     repair actions:","parts":[{"id":"ma-2.2.b_obj.1","name":"objective","properties":[{"name":"label","value":"MA-2(2)(b)[1]"}],"prose":"requested;"},{"id":"ma-2.2.b_obj.2","name":"objective","properties":[{"name":"label","value":"MA-2(2)(b)[2]"}],"prose":"scheduled;"},{"id":"ma-2.2.b_obj.3","name":"objective","properties":[{"name":"label","value":"MA-2(2)(b)[3]"}],"prose":"in process; and"},{"id":"ma-2.2.b_obj.4","name":"objective","properties":[{"name":"label","value":"MA-2(2)(b)[4]"}],"prose":"completed."}],"links":[{"href":"#ma-2.2_smt.b","rel":"corresp","text":"MA-2(2)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nautomated mechanisms supporting information system maintenance activities\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms supporting and/or implementing production of records of\n                     maintenance and repair actions"}]}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","properties":[{"name":"label","value":"MA-3"},{"name":"sort-id","value":"ma-03"}],"links":[{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"}],"parts":[{"id":"ma-3_smt","name":"statement","prose":"The organization approves, controls, and monitors information system maintenance\n               tools."},{"id":"ma-3_gdn","name":"guidance","prose":"This control addresses security-related issues associated with maintenance tools used\n               specifically for diagnostic and repair actions on organizational information systems.\n               Maintenance tools can include hardware, software, and firmware items. Maintenance\n               tools are potential vehicles for transporting malicious code, either intentionally or\n               unintentionally, into a facility and subsequently into organizational information\n               systems. Maintenance tools can include, for example, hardware/software diagnostic\n               test equipment and hardware/software packet sniffers. This control does not cover\n               hardware/software components that may support information system maintenance, yet are\n               a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,\n               or the hardware and software implementing the monitoring port of an Ethernet\n               switch.","links":[{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-6","rel":"related","text":"MP-6"}]},{"id":"ma-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-3_obj.1","name":"objective","properties":[{"name":"label","value":"MA-3[1]"}],"prose":"approves information system maintenance tools;"},{"id":"ma-3_obj.2","name":"objective","properties":[{"name":"label","value":"MA-3[2]"}],"prose":"controls information system maintenance tools; and"},{"id":"ma-3_obj.3","name":"objective","properties":[{"name":"label","value":"MA-3[3]"}],"prose":"monitors information system maintenance tools."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance\n                  tools\\n\\nautomated mechanisms supporting and/or implementing approval, control, and/or\n                  monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","properties":[{"name":"label","value":"MA-3(1)"},{"name":"sort-id","value":"ma-03.01"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"The organization inspects the maintenance tools carried into a facility by\n                  maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"If, upon inspection of maintenance tools, organizations determine that the tools\n                  have been modified in an improper/unauthorized manner or contain malicious code,\n                  the incident is handled consistent with organizational policies and procedures for\n                  incident handling.","links":[{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ma-3.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization inspects the maintenance tools carried into a\n                  facility by maintenance personnel for improper or unauthorized modifications. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance tool inspection records\\n\\nmaintenance records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for inspecting maintenance tools\\n\\nautomated mechanisms supporting and/or implementing inspection of maintenance\n                     tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","properties":[{"name":"label","value":"MA-3(2)"},{"name":"sort-id","value":"ma-03.02"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"The organization checks media containing diagnostic and test programs for\n                  malicious code before the media are used in the information system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance diagnostic and test programs,\n                  organizations determine that the media contain malicious code, the incident is\n                  handled consistent with organizational incident handling policies and\n                  procedures.","links":[{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"ma-3.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization checks media containing diagnostic and test programs\n                  for malicious code before the media are used in the information system. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for inspecting media for malicious code\\n\\nautomated mechanisms supporting and/or implementing inspection of media used\n                     for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","parameters":[{"id":"ma-3.3_prm_1","label":"organization-defined personnel or roles","constraints":[{"detail":"the information owner explicitly authorizing removal of the equipment from the facility"}]}],"properties":[{"name":"label","value":"MA-3(3)"},{"name":"sort-id","value":"ma-03.03"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"The organization prevents the unauthorized removal of maintenance equipment\n                  containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the\n                     equipment;"},{"id":"ma-3.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly\n                     authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information specifically owned by\n                  organizations and information provided to organizations in which organizations\n                  serve as information stewards."},{"id":"ma-3.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization prevents the unauthorized removal of maintenance\n                  equipment containing organizational information by: ","parts":[{"id":"ma-3.3.a_obj","name":"objective","properties":[{"name":"label","value":"MA-3(3)(a)"}],"prose":"verifying that there is no organizational information contained on the\n                     equipment;","links":[{"href":"#ma-3.3_smt.a","rel":"corresp","text":"MA-3(3)(a)"}]},{"id":"ma-3.3.b_obj","name":"objective","properties":[{"name":"label","value":"MA-3(3)(b)"}],"prose":"sanitizing or destroying the equipment;","links":[{"href":"#ma-3.3_smt.b","rel":"corresp","text":"MA-3(3)(b)"}]},{"id":"ma-3.3.c_obj","name":"objective","properties":[{"name":"label","value":"MA-3(3)(c)"}],"prose":"retaining the equipment within the facility; or","links":[{"href":"#ma-3.3_smt.c","rel":"corresp","text":"MA-3(3)(c)"}]},{"id":"ma-3.3.d_obj","name":"objective","properties":[{"name":"label","value":"MA-3(3)(d)"}],"parts":[{"id":"ma-3.3.d_obj.1","name":"objective","properties":[{"name":"label","value":"MA-3(3)(d)[1]"}],"prose":"defining personnel or roles that can grant an exemption from explicitly\n                        authorizing removal of the equipment from the facility; and"},{"id":"ma-3.3.d_obj.2","name":"objective","properties":[{"name":"label","value":"MA-3(3)(d)[2]"}],"prose":"obtaining an exemption from organization-defined personnel or roles\n                        explicitly authorizing removal of the equipment from the facility."}],"links":[{"href":"#ma-3.3_smt.d","rel":"corresp","text":"MA-3(3)(d)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nexemptions for equipment removal\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for preventing unauthorized removal of information\\n\\nautomated mechanisms supporting media sanitization or destruction of\n                     equipment\\n\\nautomated mechanisms supporting verification of media sanitization"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference","text":"FIPS Publication 197"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference","text":"CNSS Policy 15"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent\n                  with organizational policy and documented in the security plan for the information\n                  system;"},{"id":"ma-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is\n                  completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by\n               individuals communicating through a network, either an external network (e.g., the\n               Internet) or an internal network. Local maintenance and diagnostic activities are\n               those activities carried out by individuals physically present at the information\n               system or information system component and not communicating across a network\n               connection. Authentication techniques used in the establishment of nonlocal\n               maintenance and diagnostic sessions reflect the network access requirements in IA-2.\n               Typically, strong authentication requires authenticators that are resistant to replay\n               attacks and employ multifactor authentication. Strong authenticators include, for\n               example, PKI where certificates are stored on a token protected by a password,\n               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by\n               other controls.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-17","rel":"related","text":"SC-17"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-4.a_obj","name":"objective","properties":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","properties":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed;\n                     and"},{"id":"ma-4.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is\n                     completed."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\\n\\nautomated mechanisms implementing, supporting, and/or managing nonlocal\n                  maintenance\\n\\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic\n                  sessions\\n\\nautomated mechanisms for terminating nonlocal maintenance sessions and network\n                  connections"}]}],"controls":[{"id":"ma-4.2","class":"SP800-53-enhancement","title":"Document Nonlocal Maintenance","properties":[{"name":"label","value":"MA-4(2)"},{"name":"sort-id","value":"ma-04.02"}],"parts":[{"id":"ma-4.2_smt","name":"statement","prose":"The organization documents in the security plan for the information system, the\n                  policies and procedures for the establishment and use of nonlocal maintenance and\n                  diagnostic connections."},{"id":"ma-4.2_obj","name":"objective","prose":"Determine if the organization documents in the security plan for the information\n                  system: ","parts":[{"id":"ma-4.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-4(2)[1]"}],"prose":"the policies for the establishment and use of nonlocal maintenance and\n                     diagnostic connections; and"},{"id":"ma-4.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-4(2)[2]"}],"prose":"the procedures for the establishment and use of nonlocal maintenance and\n                     diagnostic connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing non-local information system maintenance\\n\\nsecurity plan\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-4.3","class":"SP800-53-enhancement","title":"Comparable Security / Sanitization","properties":[{"name":"label","value":"MA-4(3)"},{"name":"sort-id","value":"ma-04.03"}],"parts":[{"id":"ma-4.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Requires that nonlocal maintenance and diagnostic services be performed from an\n                     information system that implements a security capability comparable to the\n                     capability implemented on the system being serviced; or"},{"id":"ma-4.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Removes the component to be serviced from the information system prior to\n                     nonlocal maintenance or diagnostic services, sanitizes the component (with\n                     regard to organizational information) before removal from organizational\n                     facilities, and after the service is performed, inspects and sanitizes the\n                     component (with regard to potentially malicious software) before reconnecting\n                     the component to the information system."}]},{"id":"ma-4.3_gdn","name":"guidance","prose":"Comparable security capability on information systems, diagnostic tools, and\n                  equipment providing maintenance services implies that the implemented security\n                  controls on those systems, tools, and equipment are at least as comprehensive as\n                  the controls on the information system being serviced.","links":[{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ma-4.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-4.3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(3)(a)"}],"prose":"requires that nonlocal maintenance and diagnostic services be performed from an\n                     information system that implements a security capability comparable to the\n                     capability implemented on the system being serviced; or","links":[{"href":"#ma-4.3_smt.a","rel":"corresp","text":"MA-4(3)(a)"}]},{"id":"ma-4.3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(3)(b)"}],"parts":[{"id":"ma-4.3.b_obj.1","name":"objective","properties":[{"name":"label","value":"MA-4(3)(b)[1]"}],"prose":"removes the component to be serviced from the information system;"},{"id":"ma-4.3.b_obj.2","name":"objective","properties":[{"name":"label","value":"MA-4(3)(b)[2]"}],"prose":"sanitizes the component (with regard to organizational information) prior to\n                        nonlocal maintenance or diagnostic services and/or before removal from\n                        organizational facilities; and"},{"id":"ma-4.3.b_obj.3","name":"objective","properties":[{"name":"label","value":"MA-4(3)(b)[3]"}],"prose":"inspects and sanitizes the component (with regard to potentially malicious\n                        software) after service is performed on the component and before\n                        reconnecting the component to the information system."}],"links":[{"href":"#ma-4.3_smt.b","rel":"corresp","text":"MA-4(3)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nservice provider contracts and/or service-level agreements\\n\\nmaintenance records\\n\\ninspection records\\n\\naudit records\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\ninformation system maintenance provider\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for comparable security and sanitization for nonlocal\n                     maintenance\\n\\norganizational processes for removal, sanitization, and inspection of\n                     components serviced via nonlocal maintenance\\n\\nautomated mechanisms supporting and/or implementing component sanitization and\n                     inspection"}]}]},{"id":"ma-4.6","class":"SP800-53-enhancement","title":"Cryptographic Protection","properties":[{"name":"label","value":"MA-4(6)"},{"name":"sort-id","value":"ma-04.06"}],"parts":[{"id":"ma-4.6_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the\n                  integrity and confidentiality of nonlocal maintenance and diagnostic\n                  communications."},{"id":"ma-4.6_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ma-4.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements cryptographic mechanisms to protect\n                  the integrity and confidentiality of nonlocal maintenance and diagnostic\n                  communications. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing non-local information system maintenance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms protecting nonlocal maintenance activities\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\nnetwork engineers\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting nonlocal maintenance and diagnostic\n                     communications"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","properties":[{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list\n                  of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on\n               organizational information systems, while PE-2 addresses physical access for\n               individuals whose maintenance duties place them within the physical protection\n               perimeter of the systems (e.g., custodial staff, physical plant maintenance\n               personnel). Technical competence of supervising individuals relates to the\n               maintenance performed on the information systems while having required access\n               authorizations refers to maintenance on and near the systems. Individuals not\n               previously identified as authorized maintenance personnel, such as information\n               technology manufacturers, vendors, systems integrators, and consultants, may require\n               privileged access to organizational information systems, for example, when required\n               to conduct maintenance activities with little or no notice. Based on organizational\n               assessments of risk, organizations may issue temporary credentials to these\n               individuals. Temporary credentials may be for one-time use or for very limited time\n               periods.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-5.a_obj","name":"objective","properties":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\nlist of authorized personnel\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\\n\\nautomated mechanisms supporting and/or implementing authorization of maintenance\n                  personnel"}]}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","properties":[{"name":"label","value":"MA-5(1)"},{"name":"sort-id","value":"ma-05.01"}],"parts":[{"id":"ma-5.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Implements procedures for the use of maintenance personnel that lack\n                     appropriate security clearances or are not U.S. citizens, that include the\n                     following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","properties":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations,\n                        clearances, or formal access approvals are escorted and supervised during\n                        the performance of maintenance and diagnostic activities on the information\n                        system by approved organizational personnel who are fully cleared, have\n                        appropriate access authorizations, and are technically qualified;"},{"id":"ma-5.1_smt.a.2","name":"item","properties":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do\n                        not have needed access authorizations, clearances or formal access\n                        approvals, all volatile information storage components within the\n                        information system are sanitized and all nonvolatile storage media are\n                        removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Develops and implements alternate security safeguards in the event an\n                     information system component cannot be sanitized, removed, or disconnected from\n                     the system."}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"This control enhancement denies individuals who lack appropriate security\n                  clearances (i.e., individuals who do not possess security clearances or possess\n                  security clearances at a lower level than required) or who are not U.S. citizens,\n                  visual and electronic access to any classified information, Controlled\n                  Unclassified Information (CUI), or any other sensitive information contained on\n                  organizational information systems. Procedures for the use of maintenance\n                  personnel can be documented in security plans for the information systems.","links":[{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"}]},{"id":"ma-5.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-5.1.a_obj","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)"}],"prose":"implements procedures for the use of maintenance personnel that lack\n                     appropriate security clearances or are not U.S. citizens, that include the\n                     following requirements:","parts":[{"id":"ma-5.1.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(1)(a)(1)"}],"prose":"maintenance personnel who do not have needed access authorizations,\n                        clearances, or formal access approvals are escorted and supervised during\n                        the performance of maintenance and diagnostic activities on the information\n                        system by approved organizational personnel who:","parts":[{"id":"ma-5.1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(1)[1]"}],"prose":"are fully cleared;"},{"id":"ma-5.1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(1)[2]"}],"prose":"have appropriate access authorizations;"},{"id":"ma-5.1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(1)[3]"}],"prose":"are technically qualified;"}],"links":[{"href":"#ma-5.1_smt.a.1","rel":"corresp","text":"MA-5(1)(a)(1)"}]},{"id":"ma-5.1.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(1)(a)(2)"}],"prose":"prior to initiating maintenance or diagnostic activities by personnel who do\n                        not have needed access authorizations, clearances, or formal access\n                        approvals:","parts":[{"id":"ma-5.1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(2)[1]"}],"prose":"all volatile information storage components within the information system\n                           are sanitized; and"},{"id":"ma-5.1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(2)[2]"}],"prose":"all nonvolatile storage media are removed; or"},{"id":"ma-5.1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(2)[3]"}],"prose":"all nonvolatile storage media are physically disconnected from the system\n                           and secured; and"}],"links":[{"href":"#ma-5.1_smt.a.2","rel":"corresp","text":"MA-5(1)(a)(2)"}]}],"links":[{"href":"#ma-5.1_smt.a","rel":"corresp","text":"MA-5(1)(a)"}]},{"id":"ma-5.1.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(1)(b)"}],"prose":"develops and implements alternative security safeguards in the event an\n                     information system component cannot be sanitized, removed, or disconnected from\n                     the system.","links":[{"href":"#ma-5.1_smt.b","rel":"corresp","text":"MA-5(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\ninformation system media protection policy\\n\\nphysical and environmental protection policy\\n\\nsecurity plan\\n\\nlist of maintenance personnel requiring escort/supervision\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with personnel security responsibilities\\n\\norganizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing maintenance personnel without appropriate\n                     access\\n\\nautomated mechanisms supporting and/or implementing alternative security\n                     safeguards\\n\\nautomated mechanisms supporting and/or implementing information storage\n                     component sanitization"}]}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","parameters":[{"id":"ma-6_prm_1","label":"organization-defined information system components"},{"id":"ma-6_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"MA-6"},{"name":"sort-id","value":"ma-06"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"The organization obtains maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the information system components that result in increased risk\n               to organizational operations and assets, individuals, other organizations, or the\n               Nation when the functionality provided by those components is not operational.\n               Organizational actions to obtain maintenance support typically include having\n               appropriate contracts in place.","links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#sa-14","rel":"related","text":"SA-14"},{"href":"#sa-15","rel":"related","text":"SA-15"}]},{"id":"ma-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-6_obj.1","name":"objective","properties":[{"name":"label","value":"MA-6[1]"}],"prose":"defines information system components for which maintenance support and/or spare\n                  parts are to be obtained;"},{"id":"ma-6_obj.2","name":"objective","properties":[{"name":"label","value":"MA-6[2]"}],"prose":"defines the time period within which maintenance support and/or spare parts are to\n                  be obtained after a failure;"},{"id":"ma-6_obj.3","name":"objective","properties":[{"name":"label","value":"MA-6[3]"}],"parts":[{"id":"ma-6_obj.3.a","name":"objective","properties":[{"name":"label","value":"MA-6[3][a]"}],"prose":"obtains maintenance support for organization-defined information system\n                     components within the organization-defined time period of failure; and/or"},{"id":"ma-6_obj.3.b","name":"objective","properties":[{"name":"label","value":"MA-6[3][b]"}],"prose":"obtains spare parts for organization-defined information system components\n                     within the organization-defined time period of failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\ninventory and availability of spare parts\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","parameters":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"mp-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and\n                     associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be\n                        disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel\n                        or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection\n                        policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the\n                        organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection\n                        procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","parameters":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and/or non-digital media","constraints":[{"detail":"any digital and non-digital media deemed sensitive"}]},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Restricting non-digital media access\n               includes, for example, denying access to patient medical records in a community\n               hospital unless the individuals seeking access to such records are authorized\n               healthcare providers. Restricting access to digital media includes, for example,\n               limiting access to design specifications stored on compact disks in the media library\n               to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of\n                  digital and/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and/or non-digital media\n                  to organization-defined personnel or roles."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media access restrictions\\n\\naccess control policy and procedures\\n\\nphysical and environmental protection policy and procedures\\n\\nmedia storage facilities\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\\n\\nautomated mechanisms supporting and/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","parameters":[{"id":"mp-3_prm_1","label":"organization-defined types of information system media","constraints":[{"detail":"no removable media types"}]},{"id":"mp-3_prm_2","label":"organization-defined controlled areas","constraints":[{"detail":"organization-defined security safeguards not applicable"}]}],"properties":[{"name":"label","value":"MP-3"},{"name":"sort-id","value":"mp-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"}],"parts":[{"id":"mp-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Marks information system media indicating the distribution limitations, handling\n                  caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Exempts {{ mp-3_prm_1 }} from marking as long as the media remain\n                  within {{ mp-3_prm_2 }}."},{"id":"mp-3_fr","name":"item","title":"MP-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-3_fr_gdn.b","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Second parameter not-applicable"}]}]},{"id":"mp-3_gdn","name":"guidance","prose":"The term security marking refers to the application/use of human-readable security\n               attributes. The term security labeling refers to the application/use of security\n               attributes with regard to internal data structures within information systems (see\n               AC-16). Information system media includes both digital and non-digital media. Digital\n               media includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Security marking is generally not\n               required for media containing information determined by organizations to be in the\n               public domain or to be publicly releasable. However, some organizations may require\n               markings for public information indicating that the information is publicly\n               releasable. Marking of information system media reflects applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and guidance.","links":[{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"mp-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-3(a)"}],"prose":"marks information system media indicating the:","parts":[{"id":"mp-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"MP-3(a)[1]"}],"prose":"distribution limitations of the information;"},{"id":"mp-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"MP-3(a)[2]"}],"prose":"handling caveats of the information;"},{"id":"mp-3.a_obj.3","name":"objective","properties":[{"name":"label","value":"MP-3(a)[3]"}],"prose":"applicable security markings (if any) of the information;"}]},{"id":"mp-3.b_obj","name":"objective","properties":[{"name":"label","value":"MP-3(b)"}],"parts":[{"id":"mp-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-3(b)[1]"}],"prose":"defines types of information system media to be exempted from marking as long\n                     as the media remain in designated controlled areas;"},{"id":"mp-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-3(b)[2]"}],"prose":"defines controlled areas where organization-defined types of information system\n                     media exempt from marking are to be retained; and"},{"id":"mp-3.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-3(b)[3]"}],"prose":"exempts organization-defined types of information system media from marking as\n                     long as the media remain within organization-defined controlled areas."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media marking\\n\\nphysical and environmental protection policy and procedures\\n\\nsecurity plan\\n\\nlist of information system media marking security attributes\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and marking\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for marking information media\\n\\nautomated mechanisms supporting and/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","parameters":[{"id":"mp-4_prm_1","label":"organization-defined types of digital and/or non-digital media","constraints":[{"detail":"all types of digital and non-digital media with sensitive information"}]},{"id":"mp-4_prm_2","label":"organization-defined controlled areas","constraints":[{"detail":"see additional FedRAMP requirements and guidance"}]}],"properties":[{"name":"label","value":"MP-4"},{"name":"sort-id","value":"mp-04"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference","text":"NIST Special Publication 800-56"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference","text":"NIST Special Publication 800-57"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Physically controls and securely stores {{ mp-4_prm_1 }} within\n                     {{ mp-4_prm_2 }}; and"},{"id":"mp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Protects information system media until the media are destroyed or sanitized using\n                  approved equipment, techniques, and procedures."},{"id":"mp-4_fr","name":"item","title":"MP-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines controlled areas within facilities where the information and information system reside."}]}]},{"id":"mp-4_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Physically controlling information system\n               media includes, for example, conducting inventories, ensuring procedures are in place\n               to allow individuals to check out and return media to the media library, and\n               maintaining accountability for all stored media. Secure storage includes, for\n               example, a locked drawer, desk, or cabinet, or a controlled media library. The type\n               of media storage is commensurate with the security category and/or classification of\n               the information residing on the media. Controlled areas are areas for which\n               organizations provide sufficient physical and procedural safeguards to meet the\n               requirements established for protecting information and/or information systems. For\n               media containing information determined by organizations to be in the public domain,\n               to be publicly releasable, or to have limited or no adverse impact on organizations\n               or individuals if accessed by other than authorized personnel, fewer safeguards may\n               be needed. In these situations, physical access controls provide adequate\n               protection.","links":[{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pe-3","rel":"related","text":"PE-3"}]},{"id":"mp-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-4.a_obj","name":"objective","properties":[{"name":"label","value":"MP-4(a)"}],"parts":[{"id":"mp-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-4(a)[1]"}],"prose":"defines types of digital and/or non-digital media to be physically controlled\n                     and securely stored within designated controlled areas;"},{"id":"mp-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-4(a)[2]"}],"prose":"defines controlled areas designated to physically control and securely store\n                     organization-defined types of digital and/or non-digital media;"},{"id":"mp-4.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-4(a)[3]"}],"prose":"physically controls organization-defined types of digital and/or non-digital\n                     media within organization-defined controlled areas;"},{"id":"mp-4.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-4(a)[4]"}],"prose":"securely stores organization-defined types of digital and/or non-digital media\n                     within organization-defined controlled areas; and"}]},{"id":"mp-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-4(b)"}],"prose":"protects information system media until the media are destroyed or sanitized using\n                  approved equipment, techniques, and procedures."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media storage\\n\\nphysical and environmental protection policy and procedures\\n\\naccess control policy and procedures\\n\\nsecurity plan\\n\\ninformation system media\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\\n\\nautomated mechanisms supporting and/or implementing secure media storage/media\n                  protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","parameters":[{"id":"mp-5_prm_1","label":"organization-defined types of information system media","constraints":[{"detail":"all media with sensitive information"}]},{"id":"mp-5_prm_2","label":"organization-defined security safeguards","constraints":[{"detail":"prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container"}]}],"properties":[{"name":"label","value":"MP-5"},{"name":"sort-id","value":"mp-05"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"}],"parts":[{"id":"mp-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Protects and controls {{ mp-5_prm_1 }} during transport outside of\n                  controlled areas using {{ mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintains accountability for information system media during transport outside of\n                  controlled areas;"},{"id":"mp-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents activities associated with the transport of information system media;\n                  and"},{"id":"mp-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Restricts the activities associated with the transport of information system media\n                  to authorized personnel."},{"id":"mp-5_fr","name":"item","title":"MP-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-5_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB."}]}]},{"id":"mp-5_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers),\n               that are transported outside of controlled areas. Controlled areas are areas or\n               spaces for which organizations provide sufficient physical and/or procedural\n               safeguards to meet the requirements established for protecting information and/or\n               information systems. Physical and technical safeguards for media are commensurate\n               with the security category or classification of the information residing on the\n               media. Safeguards to protect media during transport include, for example, locked\n               containers and cryptography. Cryptographic mechanisms can provide confidentiality and\n               integrity protections depending upon the mechanisms used. Activities associated with\n               transport include the actual transport as well as those activities such as releasing\n               media for transport and ensuring that media enters the appropriate transport\n               processes. For the actual transport, authorized transport and courier personnel may\n               include individuals from outside the organization (e.g., U.S. Postal Service or a\n               commercial transport or delivery service). Maintaining accountability of media during\n               transport includes, for example, restricting transport activities to authorized\n               personnel, and tracking and/or obtaining explicit records of transport activities as\n               the media moves through the transportation system to prevent and detect loss,\n               destruction, or tampering. Organizations establish documentation requirements for\n               activities associated with the transport of information system media in accordance\n               with organizational assessments of risk to include the flexibility to define\n               different record-keeping methods for the different types of media transport as part\n               of an overall system of transport-related records.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"}]},{"id":"mp-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-5.a_obj","name":"objective","properties":[{"name":"label","value":"MP-5(a)"}],"parts":[{"id":"mp-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-5(a)[1]"}],"prose":"defines types of information system media to be protected and controlled during\n                     transport outside of controlled areas;"},{"id":"mp-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-5(a)[2]"}],"prose":"defines security safeguards to protect and control organization-defined\n                     information system media during transport outside of controlled areas;"},{"id":"mp-5.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-5(a)[3]"}],"prose":"protects and controls organization-defined information system media during\n                     transport outside of controlled areas using organization-defined security\n                     safeguards;"}]},{"id":"mp-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-5(b)"}],"prose":"maintains accountability for information system media during transport outside of\n                  controlled areas;"},{"id":"mp-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-5(c)"}],"prose":"documents activities associated with the transport of information system media;\n                  and"},{"id":"mp-5.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-5(d)"}],"prose":"restricts the activities associated with transport of information system media to\n                  authorized personnel."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media storage\\n\\nphysical and environmental protection policy and procedures\\n\\naccess control policy and procedures\\n\\nsecurity plan\\n\\ninformation system media\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\\n\\nautomated mechanisms supporting and/or implementing media storage/media\n                  protection"}]}],"controls":[{"id":"mp-5.4","class":"SP800-53-enhancement","title":"Cryptographic Protection","properties":[{"name":"label","value":"MP-5(4)"},{"name":"sort-id","value":"mp-05.04"}],"parts":[{"id":"mp-5.4_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the\n                  confidentiality and integrity of information stored on digital media during\n                  transport outside of controlled areas."},{"id":"mp-5.4_gdn","name":"guidance","prose":"This control enhancement applies to both portable storage devices (e.g., USB\n                  memory sticks, compact disks, digital video disks, external/removable hard disk\n                  drives) and mobile devices with storage capability (e.g., smart phones, tablets,\n                  E-readers).","links":[{"href":"#mp-2","rel":"related","text":"MP-2"}]},{"id":"mp-5.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs cryptographic mechanisms to protect the\n                  confidentiality and integrity of information stored on digital media during\n                  transport outside of controlled areas. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media transport\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system media transport records\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media transport\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting information on digital media during\n                     transportation outside controlled areas"}]}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","parameters":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures","constraints":[{"detail":"techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations"}]}],"properties":[{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference","text":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of\n                  organizational control, or release for reuse using {{ mp-6_prm_2 }}\n                  in accordance with applicable federal and organizational standards and policies;\n                  and"},{"id":"mp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with\n                  the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital,\n               subject to disposal or reuse, whether or not the media is considered removable.\n               Examples include media found in scanners, copiers, printers, notebook computers,\n               workstations, network components, and mobile devices. The sanitization process\n               removes information from the media such that the information cannot be retrieved or\n               reconstructed. Sanitization techniques, including clearing, purging, cryptographic\n               erase, and destruction, prevent the disclosure of information to unauthorized\n               individuals when such media is reused or released for disposal. Organizations\n               determine the appropriate sanitization methods recognizing that destruction is\n               sometimes necessary when other methods cannot be applied to media requiring\n               sanitization. Organizations use discretion on the employment of approved sanitization\n               techniques and procedures for media containing information deemed to be in the public\n               domain or publicly releasable, or deemed to have no adverse impact on organizations\n               or individuals if released for reuse or disposal. Sanitization of non-digital media\n               includes, for example, removing a classified appendix from an otherwise unclassified\n               document, or redacting selected sections or words from a document by obscuring the\n               redacted sections/words in a manner equivalent in effectiveness to removing them from\n               the document. NSA standards and policies control the sanitization process for media\n               containing classified information.","links":[{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-4","rel":"related","text":"SC-4"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-6.a_obj","name":"objective","properties":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing\n                     organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal,\n                     release out of organizational control, or release for reuse using\n                     organization-defined sanitization techniques or procedures in accordance with\n                     applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the\n                  security category or classification of the information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\napplicable federal standards and policies addressing media sanitization\\n\\nmedia sanitization records\\n\\naudit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"}]}],"controls":[{"id":"mp-6.1","class":"SP800-53-enhancement","title":"Review / Approve / Track / Document / Verify","properties":[{"name":"label","value":"MP-6(1)"},{"name":"sort-id","value":"mp-06.01"}],"parts":[{"id":"mp-6.1_smt","name":"statement","prose":"The organization reviews, approves, tracks, documents, and verifies media\n                  sanitization and disposal actions."},{"id":"mp-6.1_gdn","name":"guidance","prose":"Organizations review and approve media to be sanitized to ensure compliance with\n                  records-retention policies. Tracking/documenting actions include, for example,\n                  listing personnel who reviewed and approved sanitization and disposal actions,\n                  types of media sanitized, specific files stored on the media, sanitization methods\n                  used, date and time of the sanitization actions, personnel who performed the\n                  sanitization, verification actions taken, personnel who performed the\n                  verification, and disposal action taken. Organizations verify that the\n                  sanitization of the media was effective prior to disposal.","links":[{"href":"#si-12","rel":"related","text":"SI-12"}]},{"id":"mp-6.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-6.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(1)[1]"}],"prose":"reviews media sanitization and disposal actions;"},{"id":"mp-6.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(1)[2]"}],"prose":"approves media sanitization and disposal actions;"},{"id":"mp-6.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(1)[3]"}],"prose":"tracks media sanitization and disposal actions;"},{"id":"mp-6.1_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(1)[4]"}],"prose":"documents media sanitization and disposal actions; and"},{"id":"mp-6.1_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(1)[5]"}],"prose":"verifies media sanitization and disposal actions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\nmedia sanitization and disposal records\\n\\nreview records for media sanitization and disposal actions\\n\\napprovals for media sanitization and disposal actions\\n\\ntracking records\\n\\nverification records\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization and\n                     disposal responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"}]}]},{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","parameters":[{"id":"mp-6.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every six (6) months"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MP-6(2)"},{"name":"sort-id","value":"mp-06.02"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"The organization tests sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being\n                  achieved.","parts":[{"id":"mp-6.2_fr","name":"item","title":"MP-6 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-6.2_fr_gdn.a","name":"guidance","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"Equipment and procedures may be tested or validated for effectiveness"}]}]},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and\n                  authorized external entities (e.g., other federal agencies or external service\n                  providers)."},{"id":"mp-6.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-6.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(2)[1]"}],"prose":"defines the frequency for testing sanitization equipment and procedures to\n                     verify that the intended sanitization is being achieved; and"},{"id":"mp-6.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(2)[2]"}],"prose":"tests sanitization equipment and procedures with the organization-defined\n                     frequency to verify that the intended sanitization is being achieved."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\nprocedures addressing testing of media sanitization equipment\\n\\nresults of media sanitization equipment and procedures testing\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"}]}]},{"id":"mp-6.3","class":"SP800-53-enhancement","title":"Nondestructive Techniques","parameters":[{"id":"mp-6.3_prm_1","label":"organization-defined circumstances requiring sanitization of portable storage\n                  devices"}],"properties":[{"name":"label","value":"MP-6(3)"},{"name":"sort-id","value":"mp-06.03"}],"parts":[{"id":"mp-6.3_smt","name":"statement","prose":"The organization applies nondestructive sanitization techniques to portable\n                  storage devices prior to connecting such devices to the information system under\n                  the following circumstances: {{ mp-6.3_prm_1 }}."},{"id":"mp-6.3_gdn","name":"guidance","prose":"This control enhancement applies to digital media containing classified\n                  information and Controlled Unclassified Information (CUI). Portable storage\n                  devices can be the source of malicious code insertions into organizational\n                  information systems. Many of these devices are obtained from unknown and\n                  potentially untrustworthy sources and may contain malicious code that can be\n                  readily transferred to information systems through USB ports or other entry\n                  portals. While scanning such storage devices is always recommended, sanitization\n                  provides additional assurance that the devices are free of malicious code to\n                  include code capable of initiating zero-day attacks. Organizations consider\n                  nondestructive sanitization of portable storage devices when such devices are\n                  first purchased from the manufacturer or vendor prior to initial use or when\n                  organizations lose a positive chain of custody for the devices.","links":[{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"mp-6.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-6.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(3)[1]"}],"prose":"defines circumstances requiring sanitization of portable storage devices;\n                     and"},{"id":"mp-6.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(3)[2]"}],"prose":"applies nondestructive sanitization techniques to portable storage devices\n                     prior to connecting such devices to the information system under\n                     organization-defined circumstances requiring sanitization of portable storage\n                     devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\nlist of circumstances requiring sanitization of portable storage devices\\n\\nmedia sanitization records\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization of portable storage devices\\n\\nautomated mechanisms supporting and/or implementing media sanitization"}]}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","parameters":[{"id":"mp-7_prm_1"},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers).\n               In contrast to MP-2, which restricts user access to media, this control restricts the\n               use of certain types of media on information systems, for example,\n               restricting/prohibiting the use of flash drives or external hard disk drives.\n               Organizations can employ technical and nontechnical safeguards (e.g., policies,\n               procedures, rules of behavior) to restrict the use of information system media.\n               Organizations may restrict the use of portable storage devices, for example, by using\n               physical cages on workstations to prohibit access to certain external ports, or\n               disabling/removing the ability to insert, read or write to such devices.\n               Organizations may also limit the use of portable storage devices to only approved\n               devices including, for example, devices provided by the organization, devices\n               provided by other approved organizations, and devices that are not personally owned.\n               Finally, organizations may restrict the use of portable storage devices based on the\n               type of device, for example, prohibiting the use of writeable, portable storage\n               devices, and implementing this restriction by disabling or removing the capability to\n               write to such devices.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-7_obj.1","name":"objective","properties":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","properties":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of\n                  organization-defined types of information system media is to be one of the\n                  following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","properties":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","properties":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of\n                  organization-defined types of information system media on organization-defined\n                  information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on\n                  organization-defined information systems or system components using\n                  organization-defined security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\\n\\nautomated mechanisms restricting or prohibiting use of information system media on\n                  information systems or system components"}]}],"controls":[{"id":"mp-7.1","class":"SP800-53-enhancement","title":"Prohibit Use Without Owner","properties":[{"name":"label","value":"MP-7(1)"},{"name":"sort-id","value":"mp-07.01"}],"parts":[{"id":"mp-7.1_smt","name":"statement","prose":"The organization prohibits the use of portable storage devices in organizational\n                  information systems when such devices have no identifiable owner."},{"id":"mp-7.1_gdn","name":"guidance","prose":"Requiring identifiable owners (e.g., individuals, organizations, or projects) for\n                  portable storage devices reduces the risk of using such technologies by allowing\n                  organizations to assign responsibility and accountability for addressing known\n                  vulnerabilities in the devices (e.g., malicious code insertion).","links":[{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"mp-7.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization prohibits the use of portable storage devices in\n                  organizational information systems when such devices have no identifiable owner.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\\n\\nautomated mechanisms prohibiting use of media on information systems or system\n                     components"}]}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","parameters":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"pe-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental\n                     protection policy and associated physical and environmental protection\n                     controls; and"}]},{"id":"pe-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ pe-1_prm_2 }};\n                     and"},{"id":"pe-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PE\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that\n                        addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection\n                        policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to\n                        organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        physical and environmental protection policy and associated physical and\n                        environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and\n                        environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy\n                        with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and\n                        environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","parameters":[{"id":"pe-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every ninety (90) days"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to\n                  the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals\n                     {{ pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer\n                  required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Authorization credentials include, for\n               example, badges, identification cards, and smart cards. Organizations determine the\n               strength of authorization credentials needed (including level of forge-proof badges,\n               smart cards, or identification cards) consistent with federal standards, policies,\n               and procedures. This control only applies to areas within facilities that have not\n               been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-2.a_obj","name":"objective","properties":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the\n                     information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the\n                     information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where\n                     the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","properties":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility\n                     access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals\n                     with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer\n                  required."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access authorizations\\n\\nsecurity plan\\n\\nauthorized personnel access list\\n\\nauthorization credentials\\n\\nphysical access list reviews\\n\\nphysical access termination records and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\\n\\norganizational personnel with physical access to information system facility\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\\n\\nautomated mechanisms supporting and/or implementing physical access\n                  authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","parameters":[{"id":"pe-3_prm_1","label":"organization-defined entry/exit points to the facility where the information\n               system resides"},{"id":"pe-3_prm_2","constraints":[{"detail":"CSP defined physical access control systems/devices AND guards"}]},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems/devices","constraints":[{"detail":"CSP defined physical access control systems/devices"}]},{"id":"pe-3_prm_4","label":"organization-defined entry/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and\n               monitoring","constraints":[{"detail":"in all circumstances within restricted access area where the information system resides"}]},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"pe-3_prm_9","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference","text":"NIST Special Publication 800-116"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference","text":"ICD 704"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference","text":"ICD 705"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference","text":"DoD Instruction 5200.39"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference","text":"Personal Identity Verification (PIV) in Enterprise\n            Physical Access Control System (E-PACS)"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference","text":"http://fips201ep.cio.gov"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the\n                     facility; and"},{"id":"pe-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides {{ pe-3_prm_5 }} to control access to areas within the\n                  facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};\n                  and"},{"id":"pe-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are\n                  lost, combinations are compromised, or individuals are transferred or\n                  terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Organizations determine the types of\n               facility guards needed including, for example, professional physical security staff\n               or other personnel such as administrative staff or information system users. Physical\n               access devices include, for example, keys, locks, combinations, and card readers.\n               Safeguards for publicly accessible areas within organizational facilities include,\n               for example, cameras, monitoring by guards, and isolating selected information\n               systems and/or system components in secured areas. Physical access control systems\n               comply with applicable federal laws, Executive Orders, directives, policies,\n               regulations, standards, and guidance. The Federal Identity, Credential, and Access\n               Management Program provides implementation guidance for identity, credential, and\n               access management capabilities for physical access control systems. Organizations\n               have flexibility in the types of audit logs employed. Audit logs can be procedural\n               (e.g., a written log of individuals accessing the facility and when such access\n               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination\n               thereof. Physical access points can include facility access points, interior access\n               points to information systems and/or components requiring supplemental access\n               controls, or both. Components of organizational information systems (e.g.,\n               workstations, terminals) may be located in areas designated as publicly accessible\n               with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-3.a_obj","name":"objective","properties":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry/exit points to the facility where the information system\n                     resides;"},{"id":"pe-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry/exit\n                     points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the\n                        facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems/devices to be employed to\n                           control ingress/egress to the facility where the information system\n                           resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress/egress to the\n                           facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems/devices;\n                              and/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","properties":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry/exit points for which physical access audit logs are to be\n                     maintained;"},{"id":"pe-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry/exit\n                     points;"}]},{"id":"pe-3.c_obj","name":"objective","properties":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within\n                     the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas\n                     within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","properties":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts\n                     and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","properties":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","properties":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access\n                     devices;"},{"id":"pe-3.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the\n                     organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","properties":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and/or\n                     when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nsecurity plan\\n\\nphysical access control logs or records\\n\\ninventory records of physical access control devices\\n\\ninformation system entry and exit points\\n\\nrecords of key and lock combination changes\\n\\nstorage locations for physical access control devices\\n\\nphysical access control devices\\n\\nlist of security safeguards controlling access to designated publicly accessible\n                  areas within facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\\n\\nautomated mechanisms supporting and/or implementing physical access control\\n\\nphysical access control devices"}]}],"controls":[{"id":"pe-3.1","class":"SP800-53-enhancement","title":"Information System Access","parameters":[{"id":"pe-3.1_prm_1","label":"organization-defined physical spaces containing one or more components of the\n                  information system"}],"properties":[{"name":"label","value":"PE-3(1)"},{"name":"sort-id","value":"pe-03.01"}],"parts":[{"id":"pe-3.1_smt","name":"statement","prose":"The organization enforces physical access authorizations to the information system\n                  in addition to the physical access controls for the facility at {{ pe-3.1_prm_1 }}."},{"id":"pe-3.1_gdn","name":"guidance","prose":"This control enhancement provides additional physical security for those areas\n                  within facilities where there is a concentration of information system components\n                  (e.g., server rooms, media storage areas, data and communications centers).","links":[{"href":"#ps-2","rel":"related","text":"PS-2"}]},{"id":"pe-3.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-3.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(1)[1]"}],"prose":"defines physical spaces containing one or more components of the information\n                     system; and"},{"id":"pe-3.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(1)[2]"}],"prose":"enforces physical access authorizations to the information system in addition\n                     to the physical access controls for the facility at organization-defined\n                     physical spaces containing one or more components of the information\n                     system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nphysical access control logs or records\\n\\nphysical access control devices\\n\\naccess authorizations\\n\\naccess credentials\\n\\ninformation system entry and exit points\\n\\nlist of areas within the facility containing concentrations of information\n                     system components or information system components requiring additional\n                     physical protection\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control to the information\n                     system/components\\n\\nautomated mechanisms supporting and/or implementing physical access control for\n                     facility areas containing information system components"}]}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission Medium","parameters":[{"id":"pe-4_prm_1","label":"organization-defined information system distribution and transmission\n               lines"},{"id":"pe-4_prm_2","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"PE-4"},{"name":"sort-id","value":"pe-04"}],"links":[{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference","text":"NSTISSI No. 7003"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"The organization controls physical access to {{ pe-4_prm_1 }} within\n               organizational facilities using {{ pe-4_prm_2 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Physical security safeguards applied to information system distribution and\n               transmission lines help to prevent accidental damage, disruption, and physical\n               tampering. In addition, physical safeguards may be necessary to help prevent\n               eavesdropping or in transit modification of unencrypted transmissions. Security\n               safeguards to control physical access to system distribution and transmission lines\n               include, for example: (i) locked wiring closets; (ii) disconnected or locked spare\n               jacks; and/or (iii) protection of cabling by conduit or cable trays.","links":[{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-8","rel":"related","text":"SC-8"}]},{"id":"pe-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-4[1]"}],"prose":"defines information system distribution and transmission lines requiring physical\n                  access controls;"},{"id":"pe-4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-4[2]"}],"prose":"defines security safeguards to be employed to control physical access to\n                  organization-defined information system distribution and transmission lines within\n                  organizational facilities; and"},{"id":"pe-4_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-4[3]"}],"prose":"controls physical access to organization-defined information system distribution\n                  and transmission lines within organizational facilities using organization-defined\n                  security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing access control for transmission medium\\n\\ninformation system design documentation\\n\\nfacility communications and wiring diagrams\\n\\nlist of physical security safeguards applied to information system distribution\n                  and transmission lines\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to distribution and transmission\n                  lines\\n\\nautomated mechanisms/security safeguards supporting and/or implementing access\n                  control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","properties":[{"name":"label","value":"PE-5"},{"name":"sort-id","value":"pe-05"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"The organization controls physical access to information system output devices to\n               prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes, for example, placing output\n               devices in locked rooms or other secured areas and allowing access to authorized\n               individuals only, and placing output devices in locations that can be monitored by\n               organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,\n               and audio devices are examples of information system output devices.","links":[{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-18","rel":"related","text":"PE-18"}]},{"id":"pe-5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization controls physical access to information system output\n               devices to prevent unauthorized individuals from obtaining the output. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing access control for display medium\\n\\nfacility layout of information system components\\n\\nactual displays from information system components\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to output devices\\n\\nautomated mechanisms supporting and/or implementing access control to output\n                  devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","parameters":[{"id":"pe-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence\n                  of {{ pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident\n                  response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses\n               to detected physical security incidents. Security incidents include, for example,\n               apparent security violations or suspicious physical access activities. Suspicious\n               physical access activities include, for example: (i) accesses outside of normal work\n               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for\n               unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","properties":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs\n                     to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon\n                     occurrence of organization-defined events or potential indications of events;\n                     and"}]},{"id":"pe-6.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident\n                  response capability."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\\n\\nautomated mechanisms supporting and/or implementing reviewing of physical access\n                  logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms / Surveillance Equipment","properties":[{"name":"label","value":"PE-6(1)"},{"name":"sort-id","value":"pe-06.01"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"The organization monitors physical intrusion alarms and surveillance\n                  equipment."},{"id":"pe-6.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization monitors physical intrusion alarms and surveillance\n                  equipment. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical intrusion alarms and\n                     surveillance equipment\\n\\nautomated mechanisms supporting and/or implementing physical access\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing physical intrusion alarms\n                     and surveillance equipment"}]}]},{"id":"pe-6.4","class":"SP800-53-enhancement","title":"Monitoring Physical Access to Information Systems","parameters":[{"id":"pe-6.4_prm_1","label":"organization-defined physical spaces containing one or more components of the\n                  information system"}],"properties":[{"name":"label","value":"PE-6(4)"},{"name":"sort-id","value":"pe-06.04"}],"parts":[{"id":"pe-6.4_smt","name":"statement","prose":"The organization monitors physical access to the information system in addition to\n                  the physical access monitoring of the facility as {{ pe-6.4_prm_1 }}."},{"id":"pe-6.4_gdn","name":"guidance","prose":"This control enhancement provides additional monitoring for those areas within\n                  facilities where there is a concentration of information system components (e.g.,\n                  server rooms, media storage areas, communications centers).","links":[{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"pe-6.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-6.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-6(4)[1]"}],"prose":"defines physical spaces containing one or more components of the information\n                     system; and"},{"id":"pe-6.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-6(4)[2]"}],"prose":"monitors physical access to the information system in addition to the physical\n                     access monitoring of the facility at organization-defined physical spaces\n                     containing one or more components of the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nphysical access control logs or records\\n\\nphysical access control devices\\n\\naccess authorizations\\n\\naccess credentials\\n\\nlist of areas within the facility containing concentrations of information\n                     system components or information system components requiring additional\n                     physical access monitoring\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access to the information\n                     system\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\n                     for facility areas containing information system components"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","parameters":[{"id":"pe-8_prm_1","label":"organization-defined time period","constraints":[{"detail":"for a minimum of one (1) year"}]},{"id":"pe-8_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system\n                  resides for {{ pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons\n               visiting, visitor signatures, forms of identification, dates of access, entry and\n               departure times, purposes of visits, and names and organizations of persons visited.\n               Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-8.a_obj","name":"objective","properties":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility\n                     where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system\n                     resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","properties":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nsecurity plan\\n\\nvisitor access control logs or records\\n\\nvisitor access record or log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                  visitor access records"}]}],"controls":[{"id":"pe-8.1","class":"SP800-53-enhancement","title":"Automated Records Maintenance / Review","properties":[{"name":"label","value":"PE-8(1)"},{"name":"sort-id","value":"pe-08.01"}],"parts":[{"id":"pe-8.1_smt","name":"statement","prose":"The organization employs automated mechanisms to facilitate the maintenance and\n                  review of visitor access records."},{"id":"pe-8.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to facilitate the\n                  maintenance and review of visitor access records. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nautomated mechanisms supporting management of visitor access records\\n\\nvisitor access control logs or records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access\n                     records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                     visitor access records"}]}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","properties":[{"name":"label","value":"PE-9"},{"name":"sort-id","value":"pe-09"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"The organization protects power equipment and power cabling for the information\n               system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for power equipment and\n               cabling employed at different locations both internal and external to organizational\n               facilities and environments of operation. This includes, for example, generators and\n               power cabling outside of buildings, internal cabling and uninterruptable power\n               sources within an office or data center, and power sources for self-contained\n               entities such as vehicles and satellites.","links":[{"href":"#pe-4","rel":"related","text":"PE-4"}]},{"id":"pe-9_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization protects power equipment and power cabling for the\n               information system from damage and destruction. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing power equipment/cabling protection\\n\\nfacilities housing power equipment/cabling\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for protecting power\n                  equipment/cabling\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing protection of power\n                  equipment/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","parameters":[{"id":"pe-10_prm_1","label":"organization-defined location by information system or system component"}],"properties":[{"name":"label","value":"PE-10"},{"name":"sort-id","value":"pe-10"}],"parts":[{"id":"pe-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides the capability of shutting off power to the information system or\n                  individual system components in emergency situations;"},{"id":"pe-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Places emergency shutoff switches or devices in {{ pe-10_prm_1 }}\n                  to facilitate safe and easy access for personnel; and"},{"id":"pe-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Protects emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.","links":[{"href":"#pe-15","rel":"related","text":"PE-15"}]},{"id":"pe-10_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-10.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-10(a)"}],"prose":"provides the capability of shutting off power to the information system or\n                  individual system components in emergency situations;"},{"id":"pe-10.b_obj","name":"objective","properties":[{"name":"label","value":"PE-10(b)"}],"parts":[{"id":"pe-10.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-10(b)[1]"}],"prose":"defines the location of emergency shutoff switches or devices by information\n                     system or system component;"},{"id":"pe-10.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-10(b)[2]"}],"prose":"places emergency shutoff switches or devices in the organization-defined\n                     location by information system or system component to facilitate safe and easy\n                     access for personnel; and"}]},{"id":"pe-10.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-10(c)"}],"prose":"protects emergency power shutoff capability from unauthorized activation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing power source emergency shutoff\\n\\nsecurity plan\\n\\nemergency shutoff controls or switches\\n\\nlocations housing emergency shutoff switches and devices\\n\\nsecurity safeguards protecting emergency power shutoff capability from\n                  unauthorized activation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power shutoff\n                  capability (both implementing and using the capability)\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","parameters":[{"id":"pe-11_prm_1"}],"properties":[{"name":"label","value":"PE-11"},{"name":"sort-id","value":"pe-11"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"The organization provides a short-term uninterruptible power supply to facilitate\n                  {{ pe-11_prm_1 }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"pe-11_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization provides a short-term uninterruptible power supply to\n               facilitate one or more of the following in the event of a primary power source loss: ","parts":[{"id":"pe-11_obj.1","name":"objective","properties":[{"name":"label","value":"PE-11[1]"}],"prose":"an orderly shutdown of the information system; and/or"},{"id":"pe-11_obj.2","name":"objective","properties":[{"name":"label","value":"PE-11[2]"}],"prose":"transition of the information system to long-term alternate power."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing emergency power\\n\\nuninterruptible power supply\\n\\nuninterruptible power supply documentation\\n\\nuninterruptible power supply test records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing uninterruptible power\n                  supply\\n\\nthe uninterruptable power supply"}]}],"controls":[{"id":"pe-11.1","class":"SP800-53-enhancement","title":"Long-term Alternate Power Supply - Minimal Operational Capability","properties":[{"name":"label","value":"PE-11(1)"},{"name":"sort-id","value":"pe-11.01"}],"parts":[{"id":"pe-11.1_smt","name":"statement","prose":"The organization provides a long-term alternate power supply for the information\n                  system that is capable of maintaining minimally required operational capability in\n                  the event of an extended loss of the primary power source."},{"id":"pe-11.1_gdn","name":"guidance","prose":"This control enhancement can be satisfied, for example, by the use of a secondary\n                  commercial power supply or other external power supply. Long-term alternate power\n                  supplies for the information system can be either manually or automatically\n                  activated."},{"id":"pe-11.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization provides a long-term alternate power supply for the\n                  information system that is capable of maintaining minimally required operational\n                  capability in the event of an extended loss of the primary power source. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing emergency power\\n\\nalternate power supply\\n\\nalternate power supply documentation\\n\\nalternate power supply test records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and/or\n                     planning\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing alternate power supply\\n\\nthe alternate power supply"}]}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","properties":[{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the\n               information system that activates in the event of a power outage or disruption and\n               that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for\n               the information system that: ","parts":[{"id":"pe-12_obj.1","name":"objective","properties":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing emergency lighting\\n\\nemergency lighting documentation\\n\\nemergency lighting test records\\n\\nemergency exits and evacuation routes\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing emergency lighting\n                  capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","properties":[{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices/systems\n               for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Fire suppression and detection devices/systems include, for example,\n               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke\n               detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-13_obj.1","name":"objective","properties":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices/systems for the information system\n                  that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","properties":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices/systems for the information\n                  system that are supported by an independent energy source."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression\n                  devices/systems\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire suppression/detection\n                  devices/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Devices / Systems","parameters":[{"id":"pe-13.1_prm_1","label":"organization-defined personnel or roles","constraints":[{"detail":"service provider building maintenance/physical security personnel"}]},{"id":"pe-13.1_prm_2","label":"organization-defined emergency responders","constraints":[{"detail":"service provider emergency responders with incident response responsibilities"}]}],"properties":[{"name":"label","value":"PE-13(1)"},{"name":"sort-id","value":"pe-13.01"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"The organization employs fire detection devices/systems for the information system\n                  that activate automatically and notify {{ pe-13.1_prm_1 }} and\n                     {{ pe-13.1_prm_2 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders in\n                  the event that individuals on the notification list must have appropriate access\n                  authorizations and/or clearances, for example, to obtain access to facilities\n                  where classified operations are taking place or where there are information\n                  systems containing classified information."},{"id":"pe-13.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-13.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-13(1)[1]"}],"prose":"defines personnel or roles to be notified in the event of a fire;"},{"id":"pe-13.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-13(1)[2]"}],"prose":"defines emergency responders to be notified in the event of a fire;"},{"id":"pe-13.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-13(1)[3]"}],"prose":"employs fire detection devices/systems for the information system that, in the\n                     event of a fire,:","parts":[{"id":"pe-13.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"PE-13(1)[3][a]"}],"prose":"activate automatically;"},{"id":"pe-13.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"PE-13(1)[3][b]"}],"prose":"notify organization-defined personnel or roles; and"},{"id":"pe-13.1_obj.3.c","name":"objective","properties":[{"name":"label","value":"PE-13(1)[3][c]"}],"prose":"notify organization-defined emergency responders."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\nalerts/notifications of fire events\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for notifying appropriate\n                     personnel, roles, and emergency responders of fires\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire detection\n                     devices/systems\\n\\nactivation of fire detection devices/systems (simulated)\\n\\nautomated notifications"}]}]},{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Devices / Systems","parameters":[{"id":"pe-13.2_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.2_prm_2","label":"organization-defined emergency responders"}],"properties":[{"name":"label","value":"PE-13(2)"},{"name":"sort-id","value":"pe-13.02"}],"parts":[{"id":"pe-13.2_smt","name":"statement","prose":"The organization employs fire suppression devices/systems for the information\n                  system that provide automatic notification of any activation to {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}."},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders in\n                  the event that individuals on the notification list must have appropriate access\n                  authorizations and/or clearances, for example, to obtain access to facilities\n                  where classified operations are taking place or where there are information\n                  systems containing classified information."},{"id":"pe-13.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-13.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-13(2)[1]"}],"prose":"defines personnel or roles to be provided automatic notification of any\n                     activation of fire suppression devices/systems for the information system;"},{"id":"pe-13.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-13(2)[2]"}],"prose":"defines emergency responders to be provided automatic notification of any\n                     activation of fire suppression devices/systems for the information system;"},{"id":"pe-13.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-13(2)[3]"}],"prose":"employs fire suppression devices/systems for the information system that\n                     provide automatic notification of any activation to:","parts":[{"id":"pe-13.2_obj.3.a","name":"objective","properties":[{"name":"label","value":"PE-13(2)[3][a]"}],"prose":"organization-defined personnel or roles; and"},{"id":"pe-13.2_obj.3.b","name":"objective","properties":[{"name":"label","value":"PE-13(2)[3][b]"}],"prose":"organization-defined emergency responders."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems documentation\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for providing automatic\n                     notifications of any activation of fire suppression devices/systems to\n                     appropriate personnel, roles, and emergency responders\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire suppression\n                     devices/systems\\n\\nactivation of fire suppression devices/systems (simulated)\\n\\nautomated notifications"}]}]},{"id":"pe-13.3","class":"SP800-53-enhancement","title":"Automatic Fire Suppression","properties":[{"name":"label","value":"PE-13(3)"},{"name":"sort-id","value":"pe-13.03"}],"parts":[{"id":"pe-13.3_smt","name":"statement","prose":"The organization employs an automatic fire suppression capability for the\n                  information system when the facility is not staffed on a continuous basis."},{"id":"pe-13.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs an automatic fire suppression capability for\n                  the information system when the facility is not staffed on a continuous basis.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems documentation\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for providing automatic\n                     notifications of any activation of fire suppression devices/systems to\n                     appropriate personnel, roles, and emergency responders\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire suppression\n                     devices/systems\\n\\nactivation of fire suppression devices/systems (simulated)"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","parameters":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels","constraints":[{"detail":"consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},{"id":"pe-14_prm_2","label":"organization-defined frequency","constraints":[{"detail":"continuously"}]}],"properties":[{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the\n                  information system resides at {{ pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ pe-14_prm_2 }}."},{"id":"pe-14_fr","name":"item","title":"PE-14(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pe-14_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels by dew point."}]}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources, for example, data centers, server rooms, and mainframe computer\n               rooms.","links":[{"href":"#at-3","rel":"related","text":"AT-3"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-14.a_obj","name":"objective","properties":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility\n                     where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where\n                     the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system\n                     resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system\n                     resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","properties":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity control\\n\\nsecurity plan\\n\\ntemperature and humidity controls\\n\\nfacility housing the information system\\n\\ntemperature and humidity controls documentation\\n\\ntemperature and humidity records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing maintenance and monitoring of\n                  temperature and humidity levels"}]}],"controls":[{"id":"pe-14.2","class":"SP800-53-enhancement","title":"Monitoring with Alarms / Notifications","properties":[{"name":"label","value":"PE-14(2)"},{"name":"sort-id","value":"pe-14.02"}],"parts":[{"id":"pe-14.2_smt","name":"statement","prose":"The organization employs temperature and humidity monitoring that provides an\n                  alarm or notification of changes potentially harmful to personnel or\n                  equipment."},{"id":"pe-14.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-14.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(2)[1]"}],"prose":"employs temperature monitoring that provides an alarm of changes potentially\n                     harmful to personnel or equipment; and/or"},{"id":"pe-14.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(2)[2]"}],"prose":"employs temperature monitoring that provides notification of changes\n                     potentially harmful to personnel or equipment;"},{"id":"pe-14.2_obj.3","name":"objective","properties":[{"name":"label","value":"PE-14(2)[3]"}],"prose":"employs humidity monitoring that provides an alarm of changes potentially\n                     harmful to personnel or equipment; and/or"},{"id":"pe-14.2_obj.4","name":"objective","properties":[{"name":"label","value":"PE-14(2)[4]"}],"prose":"employs humidity monitoring that provides notification of changes potentially\n                     harmful to personnel or equipment."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity monitoring\\n\\nfacility housing the information system\\n\\nlogs or records of temperature and humidity monitoring\\n\\nrecords of changes to temperature and humidity levels that generate alarms or\n                     notifications\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                     environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing temperature and humidity\n                     monitoring"}]}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","properties":[{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water\n               leakage by providing master shutoff or isolation valves that are accessible, working\n               properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Isolation valves can be employed in addition to or in lieu of master\n               shutoff valves to shut off water supplies in specific areas of concern, without\n               affecting entire organizations.","links":[{"href":"#at-3","rel":"related","text":"AT-3"}]},{"id":"pe-15_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization protects the information system from damage resulting\n               from water leakage by providing master shutoff or isolation valves that are: ","parts":[{"id":"pe-15_obj.1","name":"objective","properties":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","properties":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","properties":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nmaster shutoff valves\\n\\nlist of key personnel with knowledge of location and activation procedures for\n                  master shutoff valves for the plumbing system\\n\\nmaster shutoff valve documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\\n\\norganizational process for activating master water-shutoff"}]}],"controls":[{"id":"pe-15.1","class":"SP800-53-enhancement","title":"Automation Support","parameters":[{"id":"pe-15.1_prm_1","label":"organization-defined personnel or roles","constraints":[{"detail":"service provider building maintenance/physical security personnel"}]}],"properties":[{"name":"label","value":"PE-15(1)"},{"name":"sort-id","value":"pe-15.01"}],"parts":[{"id":"pe-15.1_smt","name":"statement","prose":"The organization employs automated mechanisms to detect the presence of water in\n                  the vicinity of the information system and alerts {{ pe-15.1_prm_1 }}."},{"id":"pe-15.1_gdn","name":"guidance","prose":"Automated mechanisms can include, for example, water detection sensors, alarms,\n                  and notification systems."},{"id":"pe-15.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-15.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-15(1)[1]"}],"prose":"defines personnel or roles to be alerted when the presence of water is detected\n                     in the vicinity of the information system;"},{"id":"pe-15.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-15(1)[2]"}],"prose":"employs automated mechanisms to detect the presence of water in the vicinity of\n                     the information system; and"},{"id":"pe-15.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-15(1)[3]"}],"prose":"alerts organization-defined personnel or roles when the presence of water is\n                     detected in the vicinity of the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nautomated mechanisms for water shutoff valves\\n\\nautomated mechanisms detecting presence of water in vicinity of information\n                     system\\n\\nalerts/notifications of water detection in information system facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                     environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing water detection capability\n                     and alerts for the information system"}]}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","parameters":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components","constraints":[{"detail":"all information system components"}]}],"properties":[{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}\n               entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system\n               components may require restricting access to delivery areas and possibly isolating\n               the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-16_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and\n                  controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.6","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.7","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.8","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing delivery and removal of information system components from\n                  the facility\\n\\nsecurity plan\\n\\nfacility housing the information system\\n\\nrecords of items entering and exiting the facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system\n                  components entering and exiting the facility\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information\n                  system-related items entering and exiting the facility\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling information system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","parameters":[{"id":"pe-17_prm_1","label":"organization-defined security controls"}],"properties":[{"name":"label","value":"PE-17"},{"name":"sort-id","value":"pe-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference","text":"NIST Special Publication 800-46"}],"parts":[{"id":"pe-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs {{ pe-17_prm_1 }} at alternate work sites;"},{"id":"pe-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assesses as feasible, the effectiveness of security controls at alternate work\n                  sites; and"},{"id":"pe-17_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides a means for employees to communicate with information security personnel\n                  in case of security incidents or problems."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites may include, for example, government facilities or private\n               residences of employees. While commonly distinct from alternative processing sites,\n               alternate work sites may provide readily available alternate locations as part of\n               contingency operations. Organizations may define different sets of security controls\n               for specific alternate work sites or types of sites depending on the work-related\n               activities conducted at those sites. This control supports the contingency planning\n               activities of organizations and the federal telework initiative.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"pe-17_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-17.a_obj","name":"objective","properties":[{"name":"label","value":"PE-17(a)"}],"parts":[{"id":"pe-17.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-17(a)[1]"}],"prose":"defines security controls to be employed at alternate work sites;"},{"id":"pe-17.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-17(a)[2]"}],"prose":"employs organization-defined security controls at alternate work sites;"}]},{"id":"pe-17.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-17(b)"}],"prose":"assesses, as feasible, the effectiveness of security controls at alternate work\n                  sites; and"},{"id":"pe-17.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-17(c)"}],"prose":"provides a means for employees to communicate with information security personnel\n                  in case of security incidents or problems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing alternate work sites for organizational personnel\\n\\nsecurity plan\\n\\nlist of security controls required for alternate work sites\\n\\nassessments of security controls at alternate work sites\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel approving use of alternate work sites\\n\\norganizational personnel using alternate work sites\\n\\norganizational personnel assessing controls at alternate work sites\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security at alternate work sites\\n\\nautomated mechanisms supporting alternate work sites\\n\\nsecurity controls employed at alternate work sites\\n\\nmeans of communications between personnel at alternate work sites and security\n                  personnel"}]}]},{"id":"pe-18","class":"SP800-53","title":"Location of Information System Components","parameters":[{"id":"pe-18_prm_1","label":"organization-defined physical and environmental hazards","constraints":[{"detail":"physical and environmental hazards identified during threat assessment"}]}],"properties":[{"name":"label","value":"PE-18"},{"name":"sort-id","value":"pe-18"}],"parts":[{"id":"pe-18_smt","name":"statement","prose":"The organization positions information system components within the facility to\n               minimize potential damage from {{ pe-18_prm_1 }} and to minimize the\n               opportunity for unauthorized access."},{"id":"pe-18_gdn","name":"guidance","prose":"Physical and environmental hazards include, for example, flooding, fire, tornados,\n               earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse,\n               electrical interference, and other forms of incoming electromagnetic radiation. In\n               addition, organizations consider the location of physical entry points where\n               unauthorized individuals, while not being granted access, might nonetheless be in\n               close proximity to information systems and therefore increase the potential for\n               unauthorized access to organizational communications (e.g., through the use of\n               wireless sniffers or microphones).","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#pe-19","rel":"related","text":"PE-19"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"pe-18_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-18_obj.1","name":"objective","properties":[{"name":"label","value":"PE-18[1]"}],"prose":"defines physical hazards that could result in potential damage to information\n                  system components within the facility;"},{"id":"pe-18_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-18[2]"}],"prose":"defines environmental hazards that could result in potential damage to information\n                  system components within the facility;"},{"id":"pe-18_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-18[3]"}],"prose":"positions information system components within the facility to minimize potential\n                  damage from organization-defined physical and environmental hazards; and"},{"id":"pe-18_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-18[4]"}],"prose":"positions information system components within the facility to minimize the\n                  opportunity for unauthorized access."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing positioning of information system components\\n\\ndocumentation providing the location and position of information system components\n                  within the facility\\n\\nlocations housing information system components within the facility\\n\\nlist of physical and environmental hazards with potential to damage information\n                  system components within the facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for positioning information system\n                  components\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for positioning information system components"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","parameters":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"pl-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and\n                     associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PL\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be\n                        disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or\n                        roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the\n                        organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures;\n                        and"},{"id":"pl-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","parameters":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of\n                     missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including\n                     supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the\n                  plan to {{ pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system/environment of\n                  operation or problems identified during plan implementation or security control\n                  assessments; and"},{"id":"pl-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control\n               enhancements. Security plans also describe, at a high level, how the security\n               controls and control enhancements meet those security requirements, but do not\n               provide detailed, technical descriptions of the specific design or implementation of\n               the controls/enhancements. Security plans contain sufficient information (including\n               the specification of parameter values for assignment and selection statements either\n               explicitly or by reference) to enable a design and implementation that is\n               unambiguously compliant with the intent of the plans and subsequent determinations of\n               risk to organizational operations and assets, individuals, other organizations, and\n               the Nation if the plan is implemented as intended. Organizations can also apply\n               tailoring guidance to the security control baselines in Appendix D and CNSS\n               Instruction 1253 to develop overlays for community-wide use or to address specialized\n               requirements, technologies, or missions/environments of operation (e.g.,\n               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and\n               Access Management, space operations). Appendix I provides guidance on developing\n               overlays. Security plans need not be single documents; the plans can be a collection\n               of various documents including documents that already exist. Effective security plans\n               make extensive use of references to policies, procedures, and additional documents\n               (e.g., design and implementation specifications) where more detailed information can\n               be obtained. This reduces the documentation requirements associated with security\n               programs and maintains security-related information in other established\n               management/operational areas related to enterprise architecture, system development\n               life cycle, systems engineering, and acquisition. For example, security plans do not\n               contain detailed contingency plan or incident response plan information but instead\n               provide explicitly or by reference, sufficient information to define what needs to be\n               accomplished by those plans.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-2.a_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of\n                     missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including\n                     supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring and supplemental\n                     decisions;"},{"id":"pl-2.a.9_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","properties":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be\n                     distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to\n                     the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","properties":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information\n                     system;"},{"id":"pl-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the\n                     organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing security plan development and implementation\\n\\nprocedures addressing security plan reviews and updates\\n\\nenterprise architecture documentation\\n\\nsecurity plan for the information system\\n\\nrecords of security plan reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development/review/update/approval\\n\\nautomated mechanisms supporting the information system security plan"}]}],"controls":[{"id":"pl-2.3","class":"SP800-53-enhancement","title":"Plan / Coordinate with Other Organizational Entities","parameters":[{"id":"pl-2.3_prm_1","label":"organization-defined individuals or groups"}],"properties":[{"name":"label","value":"PL-2(3)"},{"name":"sort-id","value":"pl-02.03"}],"parts":[{"id":"pl-2.3_smt","name":"statement","prose":"The organization plans and coordinates security-related activities affecting the\n                  information system with {{ pl-2.3_prm_1 }} before conducting such\n                  activities in order to reduce the impact on other organizational entities."},{"id":"pl-2.3_gdn","name":"guidance","prose":"Security-related activities include, for example, security assessments, audits,\n                  hardware and software maintenance, patch management, and contingency plan testing.\n                  Advance planning and coordination includes emergency and nonemergency (i.e.,\n                  planned or nonurgent unplanned) situations. The process defined by organizations\n                  to plan and coordinate security-related activities can be included in security\n                  plans for information systems or other documents, as appropriate.","links":[{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"}]},{"id":"pl-2.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(3)[1]"}],"prose":"defines individuals or groups with whom security-related activities affecting\n                     the information system are to be planned and coordinated before conducting such\n                     activities in order to reduce the impact on other organizational entities;\n                     and"},{"id":"pl-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PL-2(3)[2]"}],"prose":"plans and coordinates security-related activities affecting the information\n                     system with organization-defined individuals or groups before conducting such\n                     activities in order to reduce the impact on other organizational entities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\naccess control policy\\n\\ncontingency planning policy\\n\\nprocedures addressing security-related activity planning for the information\n                     system\\n\\nsecurity plan for the information system\\n\\ncontingency plan for the information system\\n\\ninformation system design documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation\n                     responsibilities\\n\\norganizational individuals or groups with whom security-related activities are\n                     to be planned and coordinated\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","parameters":[{"id":"pl-4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"annually"}]}],"properties":[{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the\n                  information system, the rules that describe their responsibilities and expected\n                  behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior\n                  to read and re-sign when the rules of behavior are revised/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider\n               rules of behavior based on individual user roles and responsibilities,\n               differentiating, for example, between rules that apply to privileged users and rules\n               that apply to general users. Establishing rules of behavior for some types of\n               non-organizational users including, for example, individuals who simply receive\n               data/information from federal information systems, is often not feasible given the\n               large number of such users and the limited nature of their interactions with the\n               systems. Rules of behavior for both organizational and non-organizational users can\n               also be established in AC-8, System Use Notification. PL-4 b. (the signed\n               acknowledgment portion of this control) may be satisfied by the security awareness\n               training and role-based security training programs conducted by organizations if such\n               training includes rules of behavior. Organizations can use electronic signatures for\n               acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-4.a_obj","name":"objective","properties":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the\n                     rules that describe their responsibilities and expected behavior with regard to\n                     information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information\n                     system, the rules that describe their responsibilities and expected behavior\n                     with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","properties":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined\n                     frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior\n                  to read and resign when the rules of behavior are revised/updated."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nsigned acknowledgements\\n\\nrecords for rules of behavior reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and\n                  updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                  have signed and resigned rules of behavior\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating\n                  rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment, review,\n                  dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and Networking Restrictions","properties":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"pl-04.01"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"The organization includes in the rules of behavior, explicit restrictions on the\n                  use of social media/networking sites and posting organizational information on\n                  public websites."},{"id":"pl-4.1_gdn","name":"guidance","prose":"This control enhancement addresses rules of behavior related to the use of social\n                  media/networking sites: (i) when organizational personnel are using such sites for\n                  official duties or in the conduct of official business; (ii) when organizational\n                  information is involved in social media/networking transactions; and (iii) when\n                  personnel are accessing social media/networking sites from organizational\n                  information systems. Organizations also address specific rules that prevent\n                  unauthorized entities from obtaining and/or inferring non-public organizational\n                  information (e.g., system account information, personally identifiable\n                  information) from social media/networking sites."},{"id":"pl-4.1_obj","name":"objective","prose":"Determine if the organization includes the following in the rules of behavior: ","parts":[{"id":"pl-4.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(1)[1]"}],"prose":"explicit restrictions on the use of social media/networking sites; and"},{"id":"pl-4.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(1)[2]"}],"prose":"posting organizational information on public websites."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and\n                     updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                     have signed rules of behavior\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment of rules\n                     of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Information Security Architecture","parameters":[{"id":"pl-8_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually or when a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PL-8"},{"name":"sort-id","value":"pl-08"}],"parts":[{"id":"pl-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops an information security architecture for the information system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Describes the overall philosophy, requirements, and approach to be taken with\n                     regard to protecting the confidentiality, integrity, and availability of\n                     organizational information;"},{"id":"pl-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes how the information security architecture is integrated into and\n                     supports the enterprise architecture; and"},{"id":"pl-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describes any information security assumptions about, and dependencies on,\n                     external services;"}]},{"id":"pl-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information security architecture {{ pl-8_prm_1 }} to reflect updates in the enterprise architecture;\n                  and"},{"id":"pl-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that planned information security architecture changes are reflected in\n                  the security plan, the security Concept of Operations (CONOPS), and organizational\n                  procurements/acquisitions."},{"id":"pl-8_fr","name":"item","title":"PL-8(b) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pl-8_fr_gdn.b","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."}]}]},{"id":"pl-8_gdn","name":"guidance","prose":"This control addresses actions taken by organizations in the design and development\n               of information systems. The information security architecture at the individual\n               information system level is consistent with and complements the more global,\n               organization-wide information security architecture described in PM-7 that is\n               integral to and developed as part of the enterprise architecture. The information\n               security architecture includes an architectural description, the placement/allocation\n               of security functionality (including security controls), security-related information\n               for external interfaces, information being exchanged across the interfaces, and the\n               protection mechanisms associated with each interface. In addition, the security\n               architecture can include other important security-related information, for example,\n               user roles and access privileges assigned to each role, unique security requirements,\n               the types of information processed, stored, and transmitted by the information\n               system, restoration priorities of information and information system services, and\n               any other specific protection needs. In today’s modern architecture, it is becoming\n               less common for organizations to control all information resources. There are going\n               to be key dependencies on external information services and service providers.\n               Describing such dependencies in the information security architecture is important to\n               developing a comprehensive mission/business protection strategy. Establishing,\n               developing, documenting, and maintaining under configuration control, a baseline\n               configuration for organizational information systems is critical to implementing and\n               maintaining an effective information security architecture. The development of the\n               information security architecture is coordinated with the Senior Agency Official for\n               Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to\n               support privacy requirements are identified and effectively implemented. PL-8 is\n               primarily directed at organizations (i.e., internally focused) to help ensure that\n               organizations develop an information security architecture for the information\n               system, and that the security architecture is integrated with or tightly coupled to\n               the enterprise architecture through the organization-wide information security\n               architecture. In contrast, SA-17 is primarily directed at external information\n               technology product/system developers and integrators (although SA-17 could be used\n               internally within organizations for in-house system development). SA-17, which is\n               complementary to PL-8, is selected when organizations outsource the development of\n               information systems or information system components to external entities, and there\n               is a need to demonstrate/show consistency with the organization’s enterprise\n               architecture and information security architecture.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"https://doi.org/10.6028/NIST.SP.800-53r4","rel":"related","text":"Appendix J"}]},{"id":"pl-8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-8(a)"}],"prose":"develops an information security architecture for the information system that\n                  describes:","parts":[{"id":"pl-8.a.1_obj","name":"objective","properties":[{"name":"label","value":"PL-8(a)(1)"}],"prose":"the overall philosophy, requirements, and approach to be taken with regard to\n                     protecting the confidentiality, integrity, and availability of organizational\n                     information;"},{"id":"pl-8.a.2_obj","name":"objective","properties":[{"name":"label","value":"PL-8(a)(2)"}],"prose":"how the information security architecture is integrated into and supports the\n                     enterprise architecture;"},{"id":"pl-8.a.3_obj","name":"objective","properties":[{"name":"label","value":"PL-8(a)(3)"}],"prose":"any information security assumptions about, and dependencies on, external\n                     services;"}]},{"id":"pl-8.b_obj","name":"objective","properties":[{"name":"label","value":"PL-8(b)"}],"parts":[{"id":"pl-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-8(b)[1]"}],"prose":"defines the frequency to review and update the information security\n                     architecture;"},{"id":"pl-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-8(b)[2]"}],"prose":"reviews and updates the information security architecture with the\n                     organization-defined frequency to reflect updates in the enterprise\n                     architecture;"}]},{"id":"pl-8.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-8(c)"}],"prose":"ensures that planned information security architecture changes are reflected\n                  in:","parts":[{"id":"pl-8.c_obj.1","name":"objective","properties":[{"name":"label","value":"PL-8(c)[1]"}],"prose":"the security plan;"},{"id":"pl-8.c_obj.2","name":"objective","properties":[{"name":"label","value":"PL-8(c)[2]"}],"prose":"the security Concept of Operations (CONOPS); and"},{"id":"pl-8.c_obj.3","name":"objective","properties":[{"name":"label","value":"PL-8(c)[3]"}],"prose":"the organizational procurements/acquisitions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing information security architecture development\\n\\nprocedures addressing information security architecture reviews and updates\\n\\nenterprise architecture documentation\\n\\ninformation security architecture documentation\\n\\nsecurity plan for the information system\\n\\nsecurity CONOPS for the information system\\n\\nrecords of information security architecture reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security architecture development\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing, reviewing, and updating the information\n                  security architecture\\n\\nautomated mechanisms supporting and/or implementing the development, review, and\n                  update of the information security architecture"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","parameters":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ps-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy\n                     and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PS\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be\n                        disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel\n                        or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security\n                        policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the\n                        organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security\n                        procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","parameters":[{"id":"ps-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference","text":"5 C.F.R. 731.106"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and\n               guidance. Risk designations can guide and inform the types of authorizations\n               individuals receive when accessing organizational information and information\n               systems. Position screening criteria include explicit information security role\n               appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","properties":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing position categorization\\n\\nappropriate codes of federal regulations\\n\\nlist of risk designations for organizational positions\\n\\nsecurity plan\\n\\nrecords of position risk designation reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk\n                  designations\\n\\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","parameters":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is\n               so indicated, the frequency of such rescreening","constraints":[{"detail":"for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference","text":"5 C.F.R. 731.106"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference","text":"ICD 704"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, guidance, and\n               specific criteria established for the risk designations of assigned positions.\n               Organizations may define different rescreening conditions and frequencies for\n               personnel accessing information systems based on types of information processed,\n               stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-2","rel":"related","text":"PS-2"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","properties":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions\n                     requiring re-screening and, where re-screening is so indicated, with the\n                     organization-defined frequency of such re-screening."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}],"controls":[{"id":"ps-3.3","class":"SP800-53-enhancement","title":"Information with Special Protection Measures","parameters":[{"id":"ps-3.3_prm_1","label":"organization-defined additional personnel screening criteria","constraints":[{"detail":"personnel screening criteria - as required by specific information"}]}],"properties":[{"name":"label","value":"PS-3(3)"},{"name":"sort-id","value":"ps-03.03"}],"parts":[{"id":"ps-3.3_smt","name":"statement","prose":"The organization ensures that individuals accessing an information system\n                  processing, storing, or transmitting information requiring special protection:","parts":[{"id":"ps-3.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Have valid access authorizations that are demonstrated by assigned official\n                     government duties; and"},{"id":"ps-3.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Satisfy {{ ps-3.3_prm_1 }}."}]},{"id":"ps-3.3_gdn","name":"guidance","prose":"Organizational information requiring special protection includes, for example,\n                  Controlled Unclassified Information (CUI) and Sources and Methods Information\n                  (SAMI). Personnel security criteria include, for example, position sensitivity\n                  background screening requirements."},{"id":"ps-3.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ps-3.3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-3(3)(a)"}],"prose":"ensures that individuals accessing an information system processing, storing,\n                     or transmitting information requiring special protection have valid access\n                     authorizations that are demonstrated by assigned official government\n                     duties;","links":[{"href":"#ps-3.3_smt.a","rel":"corresp","text":"PS-3(3)(a)"}]},{"id":"ps-3.3.b_obj","name":"objective","properties":[{"name":"label","value":"PS-3(3)(b)"}],"parts":[{"id":"ps-3.3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-3(3)(b)[1]"}],"prose":"defines additional personnel screening criteria to be satisfied for\n                        individuals accessing an information system processing, storing, or\n                        transmitting information requiring special protection; and"},{"id":"ps-3.3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-3(3)(b)[2]"}],"prose":"ensures that individuals accessing an information system processing,\n                        storing, or transmitting information requiring special protection satisfy\n                        organization-defined additional personnel screening criteria."}],"links":[{"href":"#ps-3.3_smt.b","rel":"corresp","text":"PS-3(3)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\naccess control policy, procedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nscreening criteria\\n\\nrecords of access authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for ensuring valid access authorizations for\n                     information requiring special protection\\n\\norganizational process for additional personnel screening for information\n                     requiring special protection"}]}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","parameters":[{"id":"ps-4_prm_1","label":"organization-defined time period","constraints":[{"detail":"eight (8) hours"}]},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Terminates/revokes any authenticators/credentials associated with the\n                  individual;"},{"id":"ps-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related\n                  property;"},{"id":"ps-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly\n                  controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication\n               tokens, system administration technical manuals, keys, identification cards, and\n               building passes. Exit interviews ensure that terminated individuals understand the\n               security constraints imposed by being former employees and that proper accountability\n               is achieved for information system-related property. Security topics of interest at\n               exit interviews can include, for example, reminding terminated individuals of\n               nondisclosure agreements and potential limitations on future employment. Exit\n               interviews may not be possible for some terminated individuals, for example, in cases\n               related to job abandonment, illnesses, and nonavailability of supervisors. Exit\n               interviews are important for individuals with security clearances. Timely execution\n               of termination actions is essential for individuals terminated for cause. In certain\n               situations, organizations consider disabling the information system accounts of\n               individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","properties":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time\n                     period;"}]},{"id":"ps-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(b)"}],"prose":"terminates/revokes any authenticators/credentials associated with the\n                  individual;"},{"id":"ps-4.c_obj","name":"objective","properties":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit\n                     interviews;"},{"id":"ps-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined\n                     information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related\n                  property;"},{"id":"ps-4.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly\n                  controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","properties":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel\n                     or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\nrecords of personnel termination actions\\n\\nlist of information system accounts\\n\\nrecords of terminated or revoked authenticators/credentials\\n\\nrecords of exit interviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"}]}],"controls":[{"id":"ps-4.2","class":"SP800-53-enhancement","title":"Automated Notification","parameters":[{"id":"ps-4.2_prm_1","label":"organization-defined personnel or roles","constraints":[{"detail":"access control personnel responsible for disabling access to the system"}]}],"properties":[{"name":"label","value":"PS-4(2)"},{"name":"sort-id","value":"ps-04.02"}],"parts":[{"id":"ps-4.2_smt","name":"statement","prose":"The organization employs automated mechanisms to notify {{ ps-4.2_prm_1 }} upon termination of an individual."},{"id":"ps-4.2_gdn","name":"guidance","prose":"In organizations with a large number of employees, not all personnel who need to\n                  know about termination actions receive the appropriate notifications—or, if such\n                  notifications are received, they may not occur in a timely manner. Automated\n                  mechanisms can be used to send automatic alerts or notifications to specific\n                  organizational personnel or roles (e.g., management personnel, supervisors,\n                  personnel security officers, information security officers, systems\n                  administrators, or information technology administrators) when individuals are\n                  terminated. Such automatic alerts or notifications can be conveyed in a variety of\n                  ways, including, for example, telephonically, via electronic mail, via text\n                  message, or via websites."},{"id":"ps-4.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ps-4.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(2)[1]"}],"prose":"defines personnel or roles to be notified upon termination of an individual;\n                     and"},{"id":"ps-4.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(2)[2]"}],"prose":"employs automated mechanisms to notify organization-defined personnel or roles\n                     upon termination of an individual."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of personnel termination actions\\n\\nautomated notifications of employee terminations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                     notifications"}]}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","parameters":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action","constraints":[{"detail":"twenty-four (24) hours"}]},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period","constraints":[{"detail":"twenty-four (24) hours"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical\n                  access authorizations to information systems/facilities when individuals are\n                  reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or\n               of such extended durations as to make the actions warranted. Organizations define\n               actions appropriate for the types of reassignments or transfers, whether permanent or\n               extended. Actions that may be required for personnel transfers or reassignments to\n               other positions within organizations include, for example: (i) returning old and\n               issuing new keys, identification cards, and building passes; (ii) closing information\n               system accounts and establishing new accounts; (iii) changing information system\n               access authorizations (i.e., privileges); and (iv) providing for access to official\n               records to which individuals had access at previous work locations and in previous\n               information system accounts.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-4","rel":"related","text":"PS-4"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","properties":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the\n                  organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","properties":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or\n                     reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must\n                     occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the\n                     organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","properties":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or\n                     transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel\n                     or roles when individuals are reassigned or transferred to other positions\n                     within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period when individuals are reassigned or transferred\n                     to other positions within the organization."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel transfer\\n\\nsecurity plan\\n\\nrecords of personnel transfer actions\\n\\nlist of information system and facility access authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational\n                  personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\\n\\nautomated mechanisms supporting and/or implementing personnel transfer\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","parameters":[{"id":"ps-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ps-6_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually and any time there is a change to the user's level of access"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information\n                  systems;"},{"id":"ps-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and\n                  information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information\n                     systems when access agreements have been updated or {{ ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use\n               agreements, rules of behavior, and conflict-of-interest agreements. Signed access\n               agreements include an acknowledgement that individuals have read, understand, and\n               agree to abide by the constraints associated with organizational information systems\n               to which access is authorized. Organizations can use electronic signatures to\n               acknowledge access agreements unless specifically prohibited by organizational\n               policy.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-8","rel":"related","text":"PS-8"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information\n                  systems;"},{"id":"ps-6.b_obj","name":"objective","properties":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined\n                     frequency;"}]},{"id":"ps-6.c_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and\n                     information systems sign appropriate access agreements prior to being granted\n                     access;"},{"id":"ps-6.c.2_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been\n                        updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and\n                        information systems re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been updated\n                        or with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing access agreements for organizational information and\n                  information systems\\n\\nsecurity plan\\n\\naccess agreements\\n\\nrecords of access agreement reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel who have signed/resigned access agreements\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\\n\\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","parameters":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period","constraints":[{"detail":"terminations: immediately; transfers: within twenty-four (24) hours"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and\n                  responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ ps-7_prm_1 }} of any\n                  personnel transfers or terminations of third-party personnel who possess\n                  organizational credentials and/or badges, or who have information system\n                  privileges within {{ ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other\n               organizations providing information system development, information technology\n               services, outsourced applications, and network and security management. Organizations\n               explicitly include personnel security requirements in acquisition-related documents.\n               Third-party providers may have personnel working at organizational facilities with\n               credentials, badges, or information system privileges issued by organizations.\n               Notifications of third-party personnel changes ensure appropriate termination of\n               privileges and credentials. Organizations define the transfers and terminations\n               deemed reportable by security-related characteristics that include, for example,\n               functions, roles, and nature of credentials/privileges associated with individuals\n               transferred or terminated.","links":[{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-21","rel":"related","text":"SA-21"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and\n                  responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","properties":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to\n                     notify organization-defined personnel or roles of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or\n                     roles within the organization-defined time period of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing third-party personnel security\\n\\nlist of personnel security requirements\\n\\nacquisition documents\\n\\nservice-level agreements\\n\\ncompliance monitoring process\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\nthird-party providers\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel\n                  security\\n\\nautomated mechanisms supporting and/or implementing monitoring of provider\n                  compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","parameters":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles","constraints":[{"detail":"at a minimum, the ISSO and/or similar role within the organization"}]},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}\n                  when a formal employee sanctions process is initiated, identifying the individual\n                  sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Sanctions processes are\n               described in access agreements and can be included as part of general personnel\n               policies and procedures for organizations. Organizations consult with the Office of\n               the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","properties":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions\n                     process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles\n                     must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period when a formal employee sanctions process is\n                     initiated, identifying the individual sanctioned and the reason for the\n                     sanction."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel sanctions\\n\\nrules of behavior\\n\\nrecords of formal sanctions\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\\n\\nautomated mechanisms supporting and/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","parameters":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ra-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and\n                     associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the RA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be\n                        disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or\n                        roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment\n                        policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the\n                        organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment\n                        procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","properties":[{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"},{"id":"ra-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated\n                  representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security\n               categorization decisions. Security categories describe the potential adverse impacts\n               to organizational operations, organizational assets, and individuals if\n               organizational information and information systems are comprised through a loss of\n               confidentiality, integrity, or availability. Organizations conduct the security\n               categorization process as an organization-wide activity with the involvement of chief\n               information officers, senior information security officers, information system\n               owners, mission/business owners, and information owners/stewards. Organizations also\n               consider the potential adverse impacts to other organizations and, in accordance with\n               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential\n               national-level adverse impacts. Security categorization processes carried out by\n               organizations facilitate the development of inventories of information assets, and\n               along with CM-8, mappings to specific information system components where information\n               is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"},{"id":"ra-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative\n                  reviews and approves the security categorization decision."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing security categorization of organizational information and\n                  information systems\\n\\nsecurity plan\\n\\nsecurity categorization documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","parameters":[{"id":"ra-3_prm_1"},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document","constraints":[{"detail":"security assessment report"}]},{"id":"ra-3_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency","constraints":[{"detail":"annually"}]}],"properties":[{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of the information system and the information it processes, stores, or\n                  transmits;"},{"id":"ra-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are\n                  significant changes to the information system or environment of operation\n                  (including the identification of new threats and vulnerabilities), or other\n                  conditions that may impact the security state of the system."},{"id":"ra-3_fr","name":"item","title":"RA-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","properties":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include FedRAMP."}]}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk\n               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,\n               and impact to organizational operations and assets, individuals, other organizations,\n               and the Nation based on the operation and use of information systems. Risk\n               assessments also take into account risk from external parties (e.g., service\n               providers, contractors operating information systems on behalf of the organization,\n               individuals accessing organizational information systems, outsourcing entities). In\n               accordance with OMB policy and related E-authentication initiatives, authentication\n               of public users accessing federal information systems may also be required to protect\n               nonpublic or privacy-related information. As such, organizational assessments of risk\n               also address public access to federal information systems. Risk assessments (either\n               formal or informal) can be conducted at all three tiers in the risk management\n               hierarchy (i.e., organization level, mission/business process level, or information\n               system level) and at any phase in the system development life cycle. Risk assessments\n               can also be conducted at various steps in the Risk Management Framework, including\n               categorization, security control selection, security control implementation, security\n               control assessment, information system authorization, and security control\n               monitoring. RA-3 is noteworthy in that the control must be partially implemented\n               prior to the implementation of other controls in order to complete the first two\n               steps in the Risk Management Framework. Risk assessments can play an important role\n               in security control selection processes, particularly during the application of\n               tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","properties":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","properties":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if\n                     not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","properties":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","properties":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be\n                     disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or\n                     roles;"}]},{"id":"ra-3.e_obj","name":"objective","properties":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or\n                        environment of operation (including the identification of new threats and\n                        vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of\n                        the system."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing organizational assessments of risk\\n\\nsecurity plan\\n\\nrisk assessment\\n\\nrisk assessment results\\n\\nrisk assessment reviews\\n\\nrisk assessment updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\\n\\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,\n                  disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","parameters":[{"id":"ra-5_prm_1","label":"organization-defined frequency and/or randomly in accordance with\n               organization-defined process","constraints":[{"detail":"monthly operating system/infrastructure; monthly web applications and databases"}]},{"id":"ra-5_prm_2","label":"organization-defined response times","constraints":[{"detail":"high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"}]},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference","text":"http://cwe.mitre.org"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications\n                     {{ ra-5_prm_1 }} and when new vulnerabilities potentially\n                  affecting the system/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control\n                  assessments;"},{"id":"ra-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in\n                  accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security\n                  control assessments with {{ ra-5_prm_3 }} to help eliminate similar\n                  vulnerabilities in other information systems (i.e., systemic weaknesses or\n                  deficiencies)."},{"id":"ra-5_fr_smt.a","name":"item","title":"RA-5(a) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (a)Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."},{"id":"ra-5_fr_smt.e","name":"item","title":"RA-5(e) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (e)Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include FedRAMP."},{"id":"ra-5_fr","name":"item","title":"RA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}]}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and\n               comprehensiveness of vulnerability scans. Organizations determine the required\n               vulnerability scanning for all information system components, ensuring that potential\n               sources of vulnerabilities such as networked printers, scanners, and copiers are not\n               overlooked. Vulnerability analyses for custom software applications may require\n               additional approaches such as static analysis, dynamic analysis, binary analysis, or\n               a hybrid of the three approaches. Organizations can employ these analysis approaches\n               in a variety of tools (e.g., web-based application scanners, static analysis tools,\n               binary analyzers) and in source code reviews. Vulnerability scanning includes, for\n               example: (i) scanning for patch levels; (ii) scanning for functions, ports,\n               protocols, and services that should not be accessible to users or devices; and (iii)\n               scanning for improperly configured or incorrectly operating information flow control\n               mechanisms. Organizations consider using tools that express vulnerabilities in the\n               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open\n               Vulnerability Assessment Language (OVAL) to determine/test for the presence of\n               vulnerabilities. Suggested sources for vulnerability information include the Common\n               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In\n               addition, security control assessments such as red team exercises provide other\n               sources of potential vulnerabilities for which to scan. Organizations also consider\n               using tools that express vulnerability impact by the Common Vulnerability Scoring\n               System (CVSS).","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","properties":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information\n                        system and hosted applications; and/or"},{"id":"ra-5.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the\n                        information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and/or\n                     organization-defined process for conducting random scans, scans for\n                     vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system/applications are\n                     identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","properties":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","properties":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","properties":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance\n                     with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response\n                     times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","properties":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the\n                     vulnerability scanning process and security control assessments is to be\n                     shared;"},{"id":"ra-5.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies)."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and\n                  vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with vulnerability remediation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and\n                  information sharing\\n\\nautomated mechanisms supporting and/or implementing vulnerability scanning,\n                  analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.1","class":"SP800-53-enhancement","title":"Update Tool Capability","properties":[{"name":"label","value":"RA-5(1)"},{"name":"sort-id","value":"ra-05.01"}],"parts":[{"id":"ra-5.1_smt","name":"statement","prose":"The organization employs vulnerability scanning tools that include the capability\n                  to readily update the information system vulnerabilities to be scanned."},{"id":"ra-5.1_gdn","name":"guidance","prose":"The vulnerabilities to be scanned need to be readily updated as new\n                  vulnerabilities are discovered, announced, and scanning methods developed. This\n                  updating process helps to ensure that potential vulnerabilities in the information\n                  system are identified and addressed as quickly as possible.","links":[{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ra-5.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs vulnerability scanning tools that include\n                  the capability to readily update the information system vulnerabilities to be\n                  scanned."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"}]}]},{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update by Frequency / Prior to New Scan / When Identified","parameters":[{"id":"ra-5.2_prm_1","constraints":[{"detail":"prior to a new scan"}]},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"ra-05.02"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"The organization updates the information system vulnerabilities scanned {{ ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","links":[{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-5","rel":"related","text":"SI-5"}]},{"id":"ra-5.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(2)[1]"}],"prose":"defines the frequency to update the information system vulnerabilities\n                     scanned;"},{"id":"ra-5.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(2)[2]"}],"prose":"updates the information system vulnerabilities scanned one or more of the\n                     following:","parts":[{"id":"ra-5.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-5(2)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-5.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-5(2)[2][b]"}],"prose":"prior to a new scan; and/or"},{"id":"ra-5.2_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-5(2)[2][c]"}],"prose":"when new vulnerabilities are identified and reported."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"}]}]},{"id":"ra-5.3","class":"SP800-53-enhancement","title":"Breadth / Depth of Coverage","properties":[{"name":"label","value":"RA-5(3)"},{"name":"sort-id","value":"ra-05.03"}],"parts":[{"id":"ra-5.3_smt","name":"statement","prose":"The organization employs vulnerability scanning procedures that can identify the\n                  breadth and depth of coverage (i.e., information system components scanned and\n                  vulnerabilities checked)."},{"id":"ra-5.3_obj","name":"objective","prose":"Determine if the organization employs vulnerability scanning procedures that can\n                  identify:","parts":[{"id":"ra-5.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(3)[1]"}],"prose":"the breadth of coverage (i.e., information system components scanned); and"},{"id":"ra-5.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(3)[2]"}],"prose":"the depth of coverage (i.e., vulnerabilities checked)."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"}]}]},{"id":"ra-5.4","class":"SP800-53-enhancement","title":"Discoverable Information","parameters":[{"id":"ra-5.4_prm_1","label":"organization-defined corrective actions","constraints":[{"detail":"notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions"}]}],"properties":[{"name":"label","value":"RA-5(4)"},{"name":"sort-id","value":"ra-05.04"}],"parts":[{"id":"ra-5.4_smt","name":"statement","prose":"The organization determines what information about the information system is\n                  discoverable by adversaries and subsequently takes {{ ra-5.4_prm_1 }}."},{"id":"ra-5.4_gdn","name":"guidance","prose":"Discoverable information includes information that adversaries could obtain\n                  without directly compromising or breaching the information system, for example, by\n                  collecting information the system is exposing or by conducting extensive searches\n                  of the web. Corrective actions can include, for example, notifying appropriate\n                  organizational personnel, removing designated information, or changing the\n                  information system to make designated information less relevant or attractive to\n                  adversaries.","links":[{"href":"#au-13","rel":"related","text":"AU-13"}]},{"id":"ra-5.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(4)[1]"}],"prose":"defines corrective actions to be taken if information about the information\n                     system is discoverable by adversaries;"},{"id":"ra-5.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(4)[2]"}],"prose":"determines what information about the information system is discoverable by\n                     adversaries; and"},{"id":"ra-5.4_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(4)[3]"}],"prose":"subsequently takes organization-defined corrective actions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\\n\\nsecurity assessment report\\n\\npenetration test results\\n\\nvulnerability scanning results\\n\\nrisk assessment report\\n\\nrecords of corrective actions taken\\n\\nincident response records\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning and/or penetration testing\n                     responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel responsible for risk response\\n\\norganizational personnel responsible for incident management and response\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\norganizational processes for risk response\\n\\norganizational processes for incident management and response\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing risk response\\n\\nautomated mechanisms supporting and/or implementing incident management and\n                     response"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","parameters":[{"id":"ra-5.5_prm_1","label":"organization-identified information system components","constraints":[{"detail":"operating systems / web applications / databases"}]},{"id":"ra-5.5_prm_2","label":"organization-defined vulnerability scanning activities","constraints":[{"detail":"all scans"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-5(5)"},{"name":"sort-id","value":"ra-05.05"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"The information system implements privileged access authorization to {{ ra-5.5_prm_1 }} for selected {{ ra-5.5_prm_2 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more\n                  intrusive or the information system component that is the subject of the scanning\n                  may contain highly sensitive information. Privileged access authorization to\n                  selected system components facilitates more thorough vulnerability scanning and\n                  also protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ra-5.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(5)[1]"}],"prose":"the organization defines information system components to which privileged\n                     access is authorized for selected vulnerability scanning activities;"},{"id":"ra-5.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(5)[2]"}],"prose":"the organization defines vulnerability scanning activities selected for\n                     privileged access authorization to organization-defined information system\n                     components; and"},{"id":"ra-5.5_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(5)[3]"}],"prose":"the information system implements privileged access authorization to\n                     organization-defined information system components for selected\n                     organization-defined vulnerability scanning activities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components for vulnerability scanning\\n\\npersonnel access authorization list\\n\\nauthorization credentials\\n\\naccess authorization records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel responsible for access control to the information\n                     system\\n\\norganizational personnel responsible for configuration management of the\n                     information system\\n\\nsystem developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\norganizational processes for access control\\n\\nautomated mechanisms supporting and/or implementing access control\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"}]}]},{"id":"ra-5.6","class":"SP800-53-enhancement","title":"Automated Trend Analyses","properties":[{"name":"label","value":"RA-5(6)"},{"name":"sort-id","value":"ra-05.06"}],"parts":[{"id":"ra-5.6_smt","name":"statement","prose":"The organization employs automated mechanisms to compare the results of\n                  vulnerability scans over time to determine trends in information system\n                  vulnerabilities.","parts":[{"id":"ra-5.6_fr","name":"item","title":"RA-5 (6) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include in Continuous Monitoring ISSO digest/report to JAB/AO"}]}]},{"id":"ra-5.6_gdn","name":"guidance","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ra-5.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to compare the results\n                  of vulnerability scans over time to determine trends in information system\n                  vulnerabilities."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\ninformation system design documentation\\n\\nvulnerability scanning tools and techniques documentation\\n\\nvulnerability scanning results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing trend analysis of\n                     vulnerability scan results"}]}]},{"id":"ra-5.8","class":"SP800-53-enhancement","title":"Review Historic Audit Logs","properties":[{"name":"label","value":"RA-5(8)"},{"name":"sort-id","value":"ra-05.08"}],"parts":[{"id":"ra-5.8_smt","name":"statement","prose":"The organization reviews historic audit logs to determine if a vulnerability\n                  identified in the information system has been previously exploited.","parts":[{"id":"ra-5.8_fr","name":"item","title":"RA-5 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"This enhancement is required for all high vulnerability scan findings."},{"id":"ra-5.8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability."}]}]},{"id":"ra-5.8_gdn","name":"guidance","links":[{"href":"#au-6","rel":"related","text":"AU-6"}]},{"id":"ra-5.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization reviews historic audit logs to determine if a\n                  vulnerability identified in the information system has been previously exploited.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\naudit logs\\n\\nrecords of audit log reviews\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with audit record review responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\norganizational process for audit record review and response\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing audit record review"}]}]},{"id":"ra-5.10","class":"SP800-53-enhancement","title":"Correlate Scanning Information","properties":[{"name":"label","value":"RA-5(10)"},{"name":"sort-id","value":"ra-05.10"}],"parts":[{"id":"ra-5.10_smt","name":"statement","prose":"The organization correlates the output from vulnerability scanning tools to\n                  determine the presence of multi-vulnerability/multi-hop attack vectors.","parts":[{"id":"ra-5.10_fr","name":"item","title":"RA-5 (10) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.10_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If multiple tools are not used, this control is not applicable."}]}]},{"id":"ra-5.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization correlates the output from vulnerability scanning\n                  tools to determine the presence of multi-vulnerability/multi-hop attack vectors.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nvulnerability scanning tools and techniques documentation\\n\\nvulnerability scanning results\\n\\nvulnerability management records\\n\\naudit records\\n\\nevent/vulnerability correlation logs\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms implementing correlation of vulnerability scan results"}]}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","parameters":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"sa-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services\n                     acquisition policy and associated system and services acquisition controls;\n                     and"}]},{"id":"sa-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that\n                        addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition\n                        policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to\n                        organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and services acquisition policy and associated system and services\n                        acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services\n                        acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with\n                        the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services\n                        acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","properties":[{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference","text":"NIST Special Publication 800-65"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or\n                  information system service in mission/business process planning;"},{"id":"sa-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the\n                  information system or information system service as part of its capital planning\n                  and investment control process; and"},{"id":"sa-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial\n               information system or information system service acquisition and funding for the\n               sustainment of the system/service.","links":[{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#pm-11","rel":"related","text":"PM-11"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or\n                  information system service in mission/business process planning;"},{"id":"sa-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its\n                  capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","properties":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the allocation of resources to information security\n                  requirements\\n\\nprocedures addressing capital planning and investment control\\n\\norganizational programming and budgeting documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational\n                  programming and budgeting responsibilities\\n\\norganizational personnel responsible for determining information security\n                  requirements for information systems/services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\\n\\norganizational processes for capital planning, programming, and budgeting\\n\\nautomated mechanisms supporting and/or implementing organizational capital\n                  planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","parameters":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"properties":[{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference","text":"NIST Special Publication 800-64"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ sa-3_prm_1 }} that\n                  incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities;\n                  and"},{"id":"sa-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into\n                  system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the\n               successful development, implementation, and operation of organizational information\n               systems. To apply the required security controls within the system development life\n               cycle requires a basic understanding of information security, threats,\n               vulnerabilities, adverse impacts, and risk to critical missions/business functions.\n               The security engineering principles in SA-8 cannot be properly applied if individuals\n               that design, code, and test information systems and system components (including\n               information technology products) do not understand security. Therefore, organizations\n               include qualified personnel, for example, chief information security officers,\n               security architects, security engineers, and information system security officers in\n               system development life cycle activities to ensure that security requirements are\n               incorporated into organizational information systems. It is equally important that\n               developers include individuals on the development team that possess the requisite\n               security expertise and skills to ensure that needed security capabilities are\n               effectively integrated into the information system. Security awareness and training\n               programs can help ensure that individuals having key security roles and\n               responsibilities have the appropriate experience, skills, and expertise to conduct\n               assigned system development life cycle activities. The effective integration of\n               security requirements into enterprise architecture also helps to ensure that\n               important security considerations are addressed early in the system development life\n               cycle and that those considerations are directly related to the organizational\n               mission/business processes. This process also facilitates the integration of the\n               information security architecture into the enterprise architecture, consistent with\n               organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-8","rel":"related","text":"SA-8"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","properties":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security\n                     considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system\n                     development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities;\n                  and"},{"id":"sa-3.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into\n                  system development life cycle activities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security into the system\n                  development life cycle process\\n\\ninformation system development life cycle documentation\\n\\ninformation security risk management strategy/program documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle\n                  development responsibilities\\n\\norganizational personnel with information security risk management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\\n\\norganizational processes for identifying SDLC roles and responsibilities\\n\\norganizational process for integrating information security risk management into\n                  the SDLC\\n\\nautomated mechanisms supporting and/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","properties":[{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference","text":"HSPD-12"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference","text":"ISO/IEC 15408"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference","text":"NIST Special Publication 800-23"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference","text":"NIST Special Publication 800-36"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference","text":"NIST Special Publication 800-64"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference","text":"Federal Acquisition Regulation"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference","text":"http://www.niap-ccevs.org"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference","text":"http://fips201ep.cio.gov"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference","text":"http://www.acquisition.gov/far"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria,\n               explicitly or by reference, in the acquisition contract for the information system,\n               system component, or information system service in accordance with applicable federal\n               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and\n               organizational mission/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in\n                  which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."},{"id":"sa-4_fr","name":"item","title":"SA-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."}]}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology\n               assets (e.g., hardware, software, or firmware) that represent the building blocks of\n               an information system. Information system components include commercial information\n               technology products. Security functional requirements include security capabilities,\n               security functions, and security mechanisms. Security strength requirements\n               associated with such capabilities, functions, and mechanisms include degree of\n               correctness, completeness, resistance to direct attack, and resistance to tampering\n               or bypass. Security assurance requirements include: (i) development processes,\n               procedures, practices, and methodologies; and (ii) evidence from development and\n               assessment activities providing grounds for confidence that the required security\n               functionality has been implemented and the required security strength has been\n               achieved. Security documentation requirements address all phases of the system\n               development life cycle. Security functionality, assurance, and documentation\n               requirements are expressed in terms of security controls and control enhancements\n               that have been selected through the tailoring process. The security control tailoring\n               process includes, for example, the specification of parameter values through the use\n               of assignment and selection statements and the specification of platform dependencies\n               and implementation information. Security documentation provides user and\n               administrator guidance regarding the implementation and operation of security\n               controls. The level of detail required in security documentation is based on the\n               security category or classification level of the information system and the degree to\n               which organizations depend on the stated security capability, functions, or\n               mechanisms to meet overall risk response expectations (as defined in the\n               organizational risk management strategy). Security requirements can also include\n               organizationally mandated configuration settings specifying allowed functions, ports,\n               protocols, and services. Acceptance criteria for information systems, information\n               system components, and information system services are defined in the same manner as\n               such criteria for any organizational acquisition or procurement. The Federal\n               Acquisition Regulation (FAR) Section 7.103 contains information security requirements\n               from FISMA.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and\n               criteria, explicitly or by reference, in the acquisition contracts for the\n               information system, system component, or information system service in accordance\n               with applicable federal laws, Executive Orders, directives, policies, regulations,\n               standards, guidelines, and organizational mission/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","properties":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","properties":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","properties":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","properties":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","properties":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","properties":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","properties":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","properties":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","properties":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                  descriptions, and criteria into the acquisition process\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ninformation system design documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security functional, strength, and assurance requirements\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional,\n                  strength, and assurance requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of\n                  security requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Security Controls","properties":[{"name":"label","value":"SA-4(1)"},{"name":"sort-id","value":"sa-04.01"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to provide a description of the\n                  functional properties of the security controls to be employed."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security controls describe the functionality (i.e.,\n                  security capability, functions, or mechanisms) visible at the interfaces of the\n                  controls and specifically exclude functionality and data structures internal to\n                  the operation of the controls.","links":[{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"sa-4.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to provide a description of the\n                  functional properties of the security controls to be employed."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documents\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security functional requirements\\n\\ninformation system developer or service provider\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security\n                     functional, requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion\n                     of security requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design / Implementation Information for Security Controls","parameters":[{"id":"sa-4.2_prm_1","constraints":[{"detail":"at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]"}]},{"id":"sa-4.2_prm_2","depends-on":"sa-4.2_prm_1","label":"organization-defined design/implementation information"},{"id":"sa-4.2_prm_3","label":"organization-defined level of detail"}],"properties":[{"name":"label","value":"SA-4(2)"},{"name":"sort-id","value":"sa-04.02"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to provide design and implementation\n                  information for the security controls to be employed that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in design and implementation\n                  documentation for security controls employed in organizational information\n                  systems, system components, or information system services based on\n                  mission/business requirements, requirements for trustworthiness/resiliency, and\n                  requirements for analysis and testing. Information systems can be partitioned into\n                  multiple subsystems. Each subsystem within the system can contain one or more\n                  modules. The high-level design for the system is expressed in terms of multiple\n                  subsystems and the interfaces between subsystems providing security-relevant\n                  functionality. The low-level design for the system is expressed in terms of\n                  modules with particular emphasis on software and firmware (but not excluding\n                  hardware) and the interfaces between modules providing security-relevant\n                  functionality. Source code and hardware schematics are typically referred to as\n                  the implementation representation of the information system.","links":[{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"sa-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-4.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-4(2)[1]"}],"prose":"defines level of detail that the developer is required to provide in design and\n                     implementation information for the security controls to be employed in the\n                     information system, system component, or information system service;"},{"id":"sa-4.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-4(2)[2]"}],"prose":"defines design/implementation information that the developer is to provide for\n                     the security controls to be employed (if selected);"},{"id":"sa-4.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-4(2)[3]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to provide design and implementation information for\n                     the security controls to be employed that includes, at the organization-defined\n                     level of detail, one or more of the following:","parts":[{"id":"sa-4.2_obj.3.a","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][a]"}],"prose":"security-relevant external system interfaces;"},{"id":"sa-4.2_obj.3.b","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][b]"}],"prose":"high-level design;"},{"id":"sa-4.2_obj.3.c","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][c]"}],"prose":"low-level design;"},{"id":"sa-4.2_obj.3.d","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][d]"}],"prose":"source code;"},{"id":"sa-4.2_obj.3.e","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][e]"}],"prose":"hardware schematics; and/or"},{"id":"sa-4.2_obj.3.f","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][f]"}],"prose":"organization-defined design/implementation information."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documents\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system components, or\n                     information system services\\n\\ndesign and implementation information for security controls employed in the\n                     information system, system component, or information system service\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\ninformation system developer or service provider\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining level of detail for system design and\n                     security controls\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing development of system\n                     design details"}]}]},{"id":"sa-4.8","class":"SP800-53-enhancement","title":"Continuous Monitoring Plan","parameters":[{"id":"sa-4.8_prm_1","label":"organization-defined level of detail","constraints":[{"detail":"at least the minimum requirement as defined in control CA-7"}]}],"properties":[{"name":"label","value":"SA-4(8)"},{"name":"sort-id","value":"sa-04.08"}],"parts":[{"id":"sa-4.8_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to produce a plan for the continuous\n                  monitoring of security control effectiveness that contains {{ sa-4.8_prm_1 }}.","parts":[{"id":"sa-4.8_fr","name":"item","title":"SA-4 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4.8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSP must use the same security standards regardless of where the system component or information system service is acquired."}]}]},{"id":"sa-4.8_gdn","name":"guidance","prose":"The objective of continuous monitoring plans is to determine if the complete set\n                  of planned, required, and deployed security controls within the information\n                  system, system component, or information system service continue to be effective\n                  over time based on the inevitable changes that occur. Developer continuous\n                  monitoring plans include a sufficient level of detail such that the information\n                  can be incorporated into the continuous monitoring strategies and programs\n                  implemented by organizations.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"}]},{"id":"sa-4.8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-4.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-4(8)[1]"}],"prose":"defines the level of detail the developer of the information system, system\n                     component, or information system service is required to provide when producing\n                     a plan for the continuous monitoring of security control effectiveness; and"},{"id":"sa-4.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-4(8)[2]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to produce a plan for the continuous monitoring of\n                     security control effectiveness that contains the organization-defined level of\n                     detail."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing developer continuous monitoring plans\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\ndeveloper continuous monitoring plans\\n\\nsecurity assessment plans\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nacquisition documentation\\n\\nsolicitation documentation\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Vendor processes for continuous monitoring\\n\\nautomated mechanisms supporting and/or implementing developer continuous\n                     monitoring"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions / Ports / Protocols / Services in Use","properties":[{"name":"label","value":"SA-4(9)"},{"name":"sort-id","value":"sa-04.09"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to identify early in the system\n                  development life cycle, the functions, ports, protocols, and services intended for\n                  organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the\n                  system development life cycle (e.g., during the initial requirements definition\n                  and design phases) allows organizations to influence the design of the information\n                  system, information system component, or information system service. This early\n                  involvement in the life cycle helps organizations to avoid or minimize the use of\n                  functions, ports, protocols, or services that pose unnecessarily high risks and\n                  understand the trade-offs involved in blocking specific ports, protocols, or\n                  services (or when requiring information system service providers to do so). Early\n                  identification of functions, ports, protocols, and services avoids costly\n                  retrofitting of security controls after the information system, system component,\n                  or information system service has been implemented. SA-9 describes requirements\n                  for external information system services with organizations identifying which\n                  functions, ports, protocols, and services are provided from external sources.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"sa-4.9_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to identify early in the system\n                  development life cycle:","parts":[{"id":"sa-4.9_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-4(9)[1]"}],"prose":"the functions intended for organizational use;"},{"id":"sa-4.9_obj.2","name":"objective","properties":[{"name":"label","value":"SA-4(9)[2]"}],"prose":"the ports intended for organizational use;"},{"id":"sa-4.9_obj.3","name":"objective","properties":[{"name":"label","value":"SA-4(9)[3]"}],"prose":"the protocols intended for organizational use; and"},{"id":"sa-4.9_obj.4","name":"objective","properties":[{"name":"label","value":"SA-4(9)[4]"}],"prose":"the services intended for organizational use."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\ninformation system design documentation\\n\\ninformation system documentation including functions, ports, protocols, and\n                     services intended for organizational use\\n\\nacquisition contracts for information systems or services\\n\\nacquisition documentation\\n\\nsolicitation documentation\\n\\nservice-level agreements\\n\\norganizational security requirements, descriptions, and criteria for developers\n                     of information systems, system components, and information system services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                     system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","properties":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS\n                  201-approved products list for Personal Identity Verification (PIV) capability\n                  implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"}]},{"id":"sa-4.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs only information technology products on the\n                  FIPS 201-approved products list for Personal Identity Verification (PIV)\n                  capability implemented within organizational information systems. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\norganizational personnel with responsibility for ensuring only FIPS\n                     201-approved products are implemented\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved\n                     products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","parameters":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles","constraints":[{"detail":"at a minimum, the ISSO (or similar role within the organization)"}]}],"properties":[{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component,\n                  or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or\n                     service;"},{"id":"sa-5_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or\n                  information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"User-accessible security functions/mechanisms and how to effectively use those\n                     security functions/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or\n                     service;"}]},{"id":"sa-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information\n                  system service documentation when such documentation is either unavailable or\n                  nonexistent and takes {{ sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management\n                  strategy; and"},{"id":"sa-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and\n               operation of security controls associated with information systems, system\n               components, and information system services. Organizations consider establishing\n               specific measures to determine the quality/completeness of the content provided. The\n               inability to obtain needed documentation may occur, for example, due to the age of\n               the information system/component or lack of support from developers and contractors.\n               In those situations, organizations may need to recreate selected documentation if\n               such documentation is essential to the effective implementation or operation of\n               security controls. The level of protection provided for selected information system,\n               component, or service documentation is commensurate with the security category or\n               classification of the system. For example, documentation associated with a key DoD\n               weapons system or command and control system would typically require a higher level\n               of protection than a routine administrative system. Documentation that addresses\n               information system vulnerabilities may also require an increased level of protection.\n               Secure operation of the information system, includes, for example, initially starting\n               the system and resuming secure system operation after any lapse in system\n               operation.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component,\n                  or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or\n                  information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or\n                     service;"}]},{"id":"sa-5.c_obj","name":"objective","properties":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information\n                     system, system component, or information system service documentation when such\n                     documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or\n                     information system service documentation when such documentation is either\n                     unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management\n                  strategy;"},{"id":"sa-5.e_obj","name":"objective","properties":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing information system documentation\\n\\ninformation system documentation including administrator and user guides\\n\\nrecords documenting attempts to obtain unavailable or nonexistent information\n                  system documentation\\n\\nlist of actions to be taken in response to documented attempts to obtain\n                  information system, system component, or information system service\n                  documentation\\n\\nrisk management strategy documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\nsystem administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information\n                  system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security Engineering Principles","properties":[{"name":"label","value":"SA-8"},{"name":"sort-id","value":"sa-08"}],"links":[{"href":"#21b1ed35-56d2-40a8-bdfe-b461fffe322f","rel":"reference","text":"NIST Special Publication 800-27"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"The organization applies information system security engineering principles in the\n               specification, design, development, implementation, and modification of the\n               information system."},{"id":"sa-8_gdn","name":"guidance","prose":"Organizations apply security engineering principles primarily to new development\n               information systems or systems undergoing major upgrades. For legacy systems,\n               organizations apply security engineering principles to system upgrades and\n               modifications to the extent feasible, given the current state of hardware, software,\n               and firmware within those systems. Security engineering principles include, for\n               example: (i) developing layered protections; (ii) establishing sound security policy,\n               architecture, and controls as the foundation for design; (iii) incorporating security\n               requirements into the system development life cycle; (iv) delineating physical and\n               logical security boundaries; (v) ensuring that system developers are trained on how\n               to build secure software; (vi) tailoring security controls to meet organizational and\n               operational needs; (vii) performing threat modeling to identify use cases, threat\n               agents, attack vectors, and attack patterns as well as compensating controls and\n               design patterns needed to mitigate risk; and (viii) reducing risk to acceptable\n               levels, thus enabling informed risk management decisions.","links":[{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sa-8_obj","name":"objective","prose":"Determine if the organization applies information system security engineering\n               principles in: ","parts":[{"id":"sa-8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-8[1]"}],"prose":"the specification of the information system;"},{"id":"sa-8_obj.2","name":"objective","properties":[{"name":"label","value":"SA-8[2]"}],"prose":"the design of the information system;"},{"id":"sa-8_obj.3","name":"objective","properties":[{"name":"label","value":"SA-8[3]"}],"prose":"the development of the information system;"},{"id":"sa-8_obj.4","name":"objective","properties":[{"name":"label","value":"SA-8[4]"}],"prose":"the implementation of the information system; and"},{"id":"sa-8_obj.5","name":"objective","properties":[{"name":"label","value":"SA-8[5]"}],"prose":"the modification of the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing security engineering principles used in the specification,\n                  design, development, implementation, and modification of the information\n                  system\\n\\ninformation system design documentation\\n\\ninformation security requirements and specifications for the information\n                  system\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\norganizational personnel with information system specification, design,\n                  development, implementation, and modification responsibilities\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for applying security engineering principles in\n                  information system specification, design, development, implementation, and\n                  modification\\n\\nautomated mechanisms supporting the application of security engineering principles\n                  in information system specification, design, development, implementation, and\n                  modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","parameters":[{"id":"sa-9_prm_1","label":"organization-defined security controls","constraints":[{"detail":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques","constraints":[{"detail":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]}],"properties":[{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with\n                  organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive\n                  Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities\n                  with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs {{ sa-9_prm_2 }} to monitor security control compliance by\n                  external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the\n               authorization boundaries of organizational information systems. This includes\n               services that are used by, but not a part of, organizational information systems.\n               FISMA and OMB policy require that organizations using external service providers that\n               are processing, storing, or transmitting federal information or operating information\n               systems on behalf of the federal government ensure that such providers meet the same\n               security requirements that federal agencies are required to meet. Organizations\n               establish relationships with external service providers in a variety of ways\n               including, for example, through joint ventures, business partnerships, contracts,\n               interagency agreements, lines of business arrangements, licensing agreements, and\n               supply chain exchanges. The responsibility for managing risks from the use of\n               external information system services remains with authorizing officials. For services\n               external to organizations, a chain of trust requires that organizations establish and\n               retain a level of confidence that each participating provider in the potentially\n               complex consumer-provider relationship provides adequate protection for the services\n               rendered. The extent and nature of this chain of trust varies based on the\n               relationships between organizations and the external providers. Organizations\n               document the basis for trust relationships so the relationships can be monitored over\n               time. External information system services documentation includes government, service\n               providers, end user security roles and responsibilities, and service-level\n               agreements. Service-level agreements define expectations of performance for security\n               controls, describe measurable outcomes, and identify remedies and response\n               requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ps-7","rel":"related","text":"PS-7"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","properties":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information\n                     system services;"},{"id":"sa-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with\n                     organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ\n                     organization-defined security controls in accordance with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance;"}]},{"id":"sa-9.b_obj","name":"objective","properties":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information\n                     system services;"},{"id":"sa-9.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external\n                     information system services;"}]},{"id":"sa-9.c_obj","name":"objective","properties":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security\n                     control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor\n                     security control compliance by external service providers on an ongoing\n                     basis."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nprocedures addressing methods and techniques for monitoring security control\n                  compliance by external service providers of information system services\\n\\nacquisition contracts, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                  provider services\\n\\nsecurity control assessment evidence from external providers of information system\n                  services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external\n                  service providers on an ongoing basis\\n\\nautomated mechanisms for monitoring security control compliance by external\n                  service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.1","class":"SP800-53-enhancement","title":"Risk Assessments / Organizational Approvals","parameters":[{"id":"sa-9.1_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SA-9(1)"},{"name":"sort-id","value":"sa-09.01"}],"parts":[{"id":"sa-9.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Conducts an organizational assessment of risk prior to the acquisition or\n                     outsourcing of dedicated information security services; and"},{"id":"sa-9.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Ensures that the acquisition or outsourcing of dedicated information security\n                     services is approved by {{ sa-9.1_prm_1 }}."}]},{"id":"sa-9.1_gdn","name":"guidance","prose":"Dedicated information security services include, for example, incident monitoring,\n                  analysis and response, operation of information security-related devices such as\n                  firewalls, or key management services.","links":[{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"sa-9.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.1.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(1)(a)"}],"prose":"conducts an organizational assessment of risk prior to the acquisition or\n                     outsourcing of dedicated information security services;","links":[{"href":"#sa-9.1_smt.a","rel":"corresp","text":"SA-9(1)(a)"}]},{"id":"sa-9.1.b_obj","name":"objective","properties":[{"name":"label","value":"SA-9(1)(b)"}],"parts":[{"id":"sa-9.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(1)(b)[1]"}],"prose":"defines personnel or roles designated to approve the acquisition or\n                        outsourcing of dedicated information security services; and"},{"id":"sa-9.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(1)(b)[2]"}],"prose":"ensures that the acquisition or outsourcing of dedicated information\n                        security services is approved by organization-defined personnel or\n                        roles."}],"links":[{"href":"#sa-9.1_smt.b","rel":"corresp","text":"SA-9(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nrisk assessment reports\\n\\napproval records for acquisition or outsourcing of dedicated information\n                     security services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information system security responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting a risk assessment prior to acquiring or\n                     outsourcing dedicated information security services\\n\\norganizational processes for approving the outsourcing of dedicated information\n                     security services\\n\\nautomated mechanisms supporting and/or implementing risk assessment\\n\\nautomated mechanisms supporting and/or implementing approval processes"}]}]},{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions / Ports / Protocols / Services","parameters":[{"id":"sa-9.2_prm_1","label":"organization-defined external information system services","constraints":[{"detail":"all external systems where Federal information is processed or stored"}]}],"properties":[{"name":"label","value":"SA-9(2)"},{"name":"sort-id","value":"sa-09.02"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"The organization requires providers of {{ sa-9.2_prm_1 }} to\n                  identify the functions, ports, protocols, and other services required for the use\n                  of such services."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions,\n                  ports, protocols, and services used in the provision of such services can be\n                  particularly useful when the need arises to understand the trade-offs involved in\n                  restricting certain functions/services or blocking certain ports/protocols.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"}]},{"id":"sa-9.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(2)[1]"}],"prose":"defines external information system services for which providers of such\n                     services are to identify the functions, ports, protocols, and other services\n                     required for the use of such services;"},{"id":"sa-9.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-9(2)[2]"}],"prose":"requires providers of organization-defined external information system services\n                     to identify:","parts":[{"id":"sa-9.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"SA-9(2)[2][a]"}],"prose":"the functions required for the use of such services;"},{"id":"sa-9.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"SA-9(2)[2][b]"}],"prose":"the ports required for the use of such services;"},{"id":"sa-9.2_obj.2.c","name":"objective","properties":[{"name":"label","value":"SA-9(2)[2][c]"}],"prose":"the protocols required for the use of such services; and"},{"id":"sa-9.2_obj.2.d","name":"objective","properties":[{"name":"label","value":"SA-9(2)[2][d]"}],"prose":"the other services required for the use of such services."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nacquisition documentation\\n\\nsolicitation documentation, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                     service providers\\n\\nlist of required functions, ports, protocols, and other services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nexternal providers of information system services"}]}]},{"id":"sa-9.4","class":"SP800-53-enhancement","title":"Consistent Interests of Consumers and Providers","parameters":[{"id":"sa-9.4_prm_1","label":"organization-defined security safeguards"},{"id":"sa-9.4_prm_2","label":"organization-defined external service providers","constraints":[{"detail":"all external systems where Federal information is processed or stored"}]}],"properties":[{"name":"label","value":"SA-9(4)"},{"name":"sort-id","value":"sa-09.04"}],"parts":[{"id":"sa-9.4_smt","name":"statement","prose":"The organization employs {{ sa-9.4_prm_1 }} to ensure that the\n                  interests of {{ sa-9.4_prm_2 }} are consistent with and reflect\n                  organizational interests."},{"id":"sa-9.4_gdn","name":"guidance","prose":"As organizations increasingly use external service providers, the possibility\n                  exists that the interests of the service providers may diverge from organizational\n                  interests. In such situations, simply having the correct technical, procedural, or\n                  operational safeguards in place may not be sufficient if the service providers\n                  that implement and control those safeguards are not operating in a manner\n                  consistent with the interests of the consuming organizations. Possible actions\n                  that organizations might take to address such concerns include, for example,\n                  requiring background checks for selected service provider personnel, examining\n                  ownership records, employing only trustworthy service providers (i.e., providers\n                  with which organizations have had positive experiences), and conducting\n                  periodic/unscheduled visits to service provider facilities."},{"id":"sa-9.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(4)[1]"}],"prose":"defines external service providers whose interests are to be consistent with\n                     and reflect organizational interests;"},{"id":"sa-9.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(4)[2]"}],"prose":"defines security safeguards to be employed to ensure that the interests of\n                     organization-defined external service providers are consistent with and reflect\n                     organizational interests; and"},{"id":"sa-9.4_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(4)[3]"}],"prose":"employs organization-defined security safeguards to ensure that the interests\n                     of organization-defined external service providers are consistent with and\n                     reflect organizational interests."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\norganizational security requirements/safeguards for external service\n                     providers\\n\\npersonnel security policies for external service providers\\n\\nassessments performed on external service providers\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nexternal providers of information system services"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and employing safeguards to ensure\n                     consistent interests with external service providers\\n\\nautomated mechanisms supporting and/or implementing safeguards to ensure\n                     consistent interests with external service providers"}]}]},{"id":"sa-9.5","class":"SP800-53-enhancement","title":"Processing, Storage, and Service Location","parameters":[{"id":"sa-9.5_prm_1","constraints":[{"detail":"information processing, information data, AND information services"}]},{"id":"sa-9.5_prm_2","label":"organization-defined locations","constraints":[{"detail":"U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction"}]},{"id":"sa-9.5_prm_3","label":"organization-defined requirements or conditions","constraints":[{"detail":"all High Impact Data, Systems, or Services"}]}],"properties":[{"name":"label","value":"SA-9(5)"},{"name":"sort-id","value":"sa-09.05"}],"parts":[{"id":"sa-9.5_smt","name":"statement","prose":"The organization restricts the location of {{ sa-9.5_prm_1 }} to\n                     {{ sa-9.5_prm_2 }} based on {{ sa-9.5_prm_3 }}."},{"id":"sa-9.5_gdn","name":"guidance","prose":"The location of information processing, information/data storage, or information\n                  system services that are critical to organizations can have a direct impact on the\n                  ability of those organizations to successfully execute their missions/business\n                  functions. This situation exists when external providers control the location of\n                  processing, storage or services. The criteria external providers use for the\n                  selection of processing, storage, or service locations may be different from\n                  organizational criteria. For example, organizations may want to ensure that\n                  data/information storage locations are restricted to certain locations to\n                  facilitate incident response activities (e.g., forensic analyses, after-the-fact\n                  investigations) in case of information security breaches/compromises. Such\n                  incident response activities may be adversely affected by the governing laws or\n                  protocols in the locations where processing and storage occur and/or the locations\n                  from which information system services emanate."},{"id":"sa-9.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(5)[1]"}],"prose":"defines locations where organization-defined information processing,\n                     information/data, and/or information system services are to be restricted;"},{"id":"sa-9.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(5)[2]"}],"prose":"defines requirements or conditions to restrict the location of information\n                     processing, information/data, and/or information system services;"},{"id":"sa-9.5_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(5)[3]"}],"prose":"restricts the location of one or more of the following to organization-defined\n                     locations based on organization-defined requirements or conditions:","parts":[{"id":"sa-9.5_obj.3.a","name":"objective","properties":[{"name":"label","value":"SA-9(5)[3][a]"}],"prose":"information processing;"},{"id":"sa-9.5_obj.3.b","name":"objective","properties":[{"name":"label","value":"SA-9(5)[3][b]"}],"prose":"information/data; and/or"},{"id":"sa-9.5_obj.3.c","name":"objective","properties":[{"name":"label","value":"SA-9(5)[3][c]"}],"prose":"information services."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nrestricted locations for information processing\\n\\ninformation/data and/or information system services\\n\\ninformation processing, information/data, and/or information system services to\n                     be maintained in restricted locations\\n\\norganizational security requirements or conditions for external providers\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nexternal providers of information system services"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining requirements to restrict locations of\n                     information processing, information/data, or information services\\n\\norganizational processes for ensuring the location is restricted in accordance\n                     with requirements or conditions"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","parameters":[{"id":"sa-10_prm_1","constraints":[{"detail":"development, implementation, AND operation"}]},{"id":"sa-10_prm_2","label":"organization-defined configuration items under configuration management"},{"id":"sa-10_prm_3","label":"organization-defined personnel"}],"properties":[{"name":"label","value":"SA-10"},{"name":"sort-id","value":"sa-10"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"The organization requires the developer of the information system, system component,\n               or information system service to:","parts":[{"id":"sa-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ sa-10_prm_1 }};"},{"id":"sa-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};"},{"id":"sa-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or\n                  service;"},{"id":"sa-10_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential\n                  security impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service\n                  and report findings to {{ sa-10_prm_3 }}."},{"id":"sa-10_fr","name":"item","title":"SA-10 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-10_fr_smt.1","name":"item","properties":[{"name":"label","value":"(e)  Requirement:"}],"prose":"For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP."}]}]},{"id":"sa-10_gdn","name":"guidance","prose":"This control also applies to organizations conducting internal information systems\n               development and integration. Organizations consider the quality and completeness of\n               the configuration management activities conducted by developers as evidence of\n               applying effective security safeguards. Safeguards include, for example, protecting\n               from unauthorized modification or destruction, the master copies of all material used\n               to generate security-relevant portions of the system hardware, software, and\n               firmware. Maintaining the integrity of changes to the information system, information\n               system component, or information system service requires configuration control\n               throughout the system development life cycle to track authorized changes and prevent\n               unauthorized changes. Configuration items that are placed under configuration\n               management (if existence/use is required by other security controls) include: the\n               formal model; the functional, high-level, and low-level design specifications; other\n               design data; implementation documentation; source code and hardware schematics; the\n               running version of the object code; tools for comparing new versions of\n               security-relevant hardware descriptions and software/firmware source code with\n               previous versions; and test fixtures and documentation. Depending on the\n               mission/business needs of organizations and the nature of the contractual\n               relationships in place, developers may provide configuration management support\n               during the operations and maintenance phases of the life cycle.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"sa-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-10.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(a)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to perform configuration management during one or more of the\n                  following:","parts":[{"id":"sa-10.a_obj.1","name":"objective","properties":[{"name":"label","value":"SA-10(a)[1]"}],"prose":"system, component, or service design;"},{"id":"sa-10.a_obj.2","name":"objective","properties":[{"name":"label","value":"SA-10(a)[2]"}],"prose":"system, component, or service development;"},{"id":"sa-10.a_obj.3","name":"objective","properties":[{"name":"label","value":"SA-10(a)[3]"}],"prose":"system, component, or service implementation; and/or"},{"id":"sa-10.a_obj.4","name":"objective","properties":[{"name":"label","value":"SA-10(a)[4]"}],"prose":"system, component, or service operation;"}]},{"id":"sa-10.b_obj","name":"objective","properties":[{"name":"label","value":"SA-10(b)"}],"parts":[{"id":"sa-10.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-10(b)[1]"}],"prose":"defines configuration items to be placed under configuration management;"},{"id":"sa-10.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(b)[2]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to:","parts":[{"id":"sa-10.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"SA-10(b)[2][a]"}],"prose":"document the integrity of changes to organization-defined items under\n                        configuration management;"},{"id":"sa-10.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"SA-10(b)[2][b]"}],"prose":"manage the integrity of changes to organization-defined items under\n                        configuration management;"},{"id":"sa-10.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"SA-10(b)[2][c]"}],"prose":"control the integrity of changes to organization-defined items under\n                        configuration management;"}]}]},{"id":"sa-10.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(c)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to implement only organization-approved changes to the system,\n                  component, or service;"},{"id":"sa-10.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(d)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to document:","parts":[{"id":"sa-10.d_obj.1","name":"objective","properties":[{"name":"label","value":"SA-10(d)[1]"}],"prose":"approved changes to the system, component, or service;"},{"id":"sa-10.d_obj.2","name":"objective","properties":[{"name":"label","value":"SA-10(d)[2]"}],"prose":"the potential security impacts of such changes;"}]},{"id":"sa-10.e_obj","name":"objective","properties":[{"name":"label","value":"SA-10(e)"}],"parts":[{"id":"sa-10.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-10(e)[1]"}],"prose":"defines personnel to whom findings, resulting from security flaws and flaw\n                     resolution tracked within the system, component, or service, are to be\n                     reported;"},{"id":"sa-10.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(e)[2]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to:","parts":[{"id":"sa-10.e_obj.2.a","name":"objective","properties":[{"name":"label","value":"SA-10(e)[2][a]"}],"prose":"track security flaws within the system, component, or service;"},{"id":"sa-10.e_obj.2.b","name":"objective","properties":[{"name":"label","value":"SA-10(e)[2][b]"}],"prose":"track security flaw resolution within the system, component, or service;\n                        and"},{"id":"sa-10.e_obj.2.c","name":"objective","properties":[{"name":"label","value":"SA-10(e)[2][c]"}],"prose":"report findings to organization-defined personnel."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer configuration management\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer configuration management plan\\n\\nsecurity flaw and flaw resolution tracking records\\n\\nsystem change authorization records\\n\\nchange control records\\n\\nconfiguration management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer configuration management\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                  configuration management"}]}],"controls":[{"id":"sa-10.1","class":"SP800-53-enhancement","title":"Software / Firmware Integrity Verification","properties":[{"name":"label","value":"SA-10(1)"},{"name":"sort-id","value":"sa-10.01"}],"parts":[{"id":"sa-10.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to enable integrity verification of\n                  software and firmware components."},{"id":"sa-10.1_gdn","name":"guidance","prose":"This control enhancement allows organizations to detect unauthorized changes to\n                  software and firmware components through the use of tools, techniques, and/or\n                  mechanisms provided by developers. Integrity checking mechanisms can also address\n                  counterfeiting of software and firmware components. Organizations verify the\n                  integrity of software and firmware components, for example, through secure one-way\n                  hashes provided by developers. Delivered software and firmware components also\n                  include any updates to such components.","links":[{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sa-10.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to enable integrity verification\n                  of software and firmware components."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer configuration management\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system\\n\\nsystem component, or information system service\\n\\nsystem developer configuration management plan\\n\\nsoftware and firmware integrity verification records\\n\\nsystem change authorization records\\n\\nchange control records\\n\\nconfiguration management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer configuration management\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     configuration management"}]}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Security Testing and Evaluation","parameters":[{"id":"sa-11_prm_1"},{"id":"sa-11_prm_2","label":"organization-defined depth and coverage"}],"properties":[{"name":"label","value":"SA-11"},{"name":"sort-id","value":"sa-11"}],"links":[{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference","text":"ISO/IEC 15408"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference","text":"http://cwe.mitre.org"},{"href":"#0931209f-00ae-4132-b92c-bc645847e8f9","rel":"reference","text":"http://cve.mitre.org"},{"href":"#4ef539ba-b767-4666-b0d3-168c53005fa3","rel":"reference","text":"http://capec.mitre.org"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"The organization requires the developer of the information system, system component,\n               or information system service to:","parts":[{"id":"sa-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Create and implement a security assessment plan;"},{"id":"sa-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Perform {{ sa-11_prm_1 }} testing/evaluation at {{ sa-11_prm_2 }};"},{"id":"sa-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the security assessment plan and the results\n                  of the security testing/evaluation;"},{"id":"sa-11_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during security testing/evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental security testing/evaluation occurs at all post-design phases of the\n               system development life cycle. Such testing/evaluation confirms that the required\n               security controls are implemented correctly, operating as intended, enforcing the\n               desired security policy, and meeting established security requirements. Security\n               properties of information systems may be affected by the interconnection of system\n               components or changes to those components. These interconnections or changes (e.g.,\n               upgrading or replacing applications and operating systems) may adversely affect\n               previously implemented security controls. This control provides additional types of\n               security testing/evaluation that developers can conduct to reduce or eliminate\n               potential flaws. Testing custom software applications may require approaches such as\n               static analysis, dynamic analysis, binary analysis, or a hybrid of the three\n               approaches. Developers can employ these analysis approaches in a variety of tools\n               (e.g., web-based application scanners, static analysis tools, binary analyzers) and\n               in source code reviews. Security assessment plans provide the specific activities\n               that developers plan to carry out including the types of analyses, testing,\n               evaluation, and reviews of software and firmware components, the degree of rigor to\n               be applied, and the types of artifacts produced during those processes. The depth of\n               security testing/evaluation refers to the rigor and level of detail associated with\n               the assessment process (e.g., black box, gray box, or white box testing). The\n               coverage of security testing/evaluation refers to the scope (i.e., number and type)\n               of the artifacts included in the assessment process. Contracts specify the acceptance\n               criteria for security assessment plans, flaw remediation processes, and the evidence\n               that the plans/processes have been diligently applied. Methods for reviewing and\n               protecting assessment plans, evidence, and documentation are commensurate with the\n               security category or classification level of the information system. Contracts may\n               specify documentation protection requirements.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"sa-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-11.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(a)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to create and implement a security plan;"},{"id":"sa-11.b_obj","name":"objective","properties":[{"name":"label","value":"SA-11(b)"}],"parts":[{"id":"sa-11.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-11(b)[1]"}],"prose":"defines the depth of testing/evaluation to be performed by the developer of the\n                     information system, system component, or information system service;"},{"id":"sa-11.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-11(b)[2]"}],"prose":"defines the coverage of testing/evaluation to be performed by the developer of\n                     the information system, system component, or information system service;"},{"id":"sa-11.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(b)[3]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to perform one or more of the following\n                     testing/evaluation at the organization-defined depth and coverage:","parts":[{"id":"sa-11.b_obj.3.a","name":"objective","properties":[{"name":"label","value":"SA-11(b)[3][a]"}],"prose":"unit testing/evaluation;"},{"id":"sa-11.b_obj.3.b","name":"objective","properties":[{"name":"label","value":"SA-11(b)[3][b]"}],"prose":"integration testing/evaluation;"},{"id":"sa-11.b_obj.3.c","name":"objective","properties":[{"name":"label","value":"SA-11(b)[3][c]"}],"prose":"system testing/evaluation; and/or"},{"id":"sa-11.b_obj.3.d","name":"objective","properties":[{"name":"label","value":"SA-11(b)[3][d]"}],"prose":"regression testing/evaluation;"}]}]},{"id":"sa-11.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(c)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to produce evidence of:","parts":[{"id":"sa-11.c_obj.1","name":"objective","properties":[{"name":"label","value":"SA-11(c)[1]"}],"prose":"the execution of the security assessment plan;"},{"id":"sa-11.c_obj.2","name":"objective","properties":[{"name":"label","value":"SA-11(c)[2]"}],"prose":"the results of the security testing/evaluation;"}]},{"id":"sa-11.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(d)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to implement a verifiable flaw remediation process; and"},{"id":"sa-11.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(e)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to correct flaws identified during security testing/evaluation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer security test plans\\n\\nrecords of developer security testing results for the information system, system\n                  component, or information system service\\n\\nsecurity flaw and remediation tracking records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and\n                  evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                  security testing and evaluation"}]}],"controls":[{"id":"sa-11.1","class":"SP800-53-enhancement","title":"Static Code Analysis","properties":[{"name":"label","value":"SA-11(1)"},{"name":"sort-id","value":"sa-11.01"}],"parts":[{"id":"sa-11.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to employ static code analysis tools to\n                  identify common flaws and document the results of the analysis.","parts":[{"id":"sa-11.1_fr","name":"item","title":"SA-11 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-11.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."}]}]},{"id":"sa-11.1_gdn","name":"guidance","prose":"Static code analysis provides a technology and methodology for security reviews.\n                  Such analysis can be used to identify security vulnerabilities and enforce\n                  security coding practices. Static code analysis is most effective when used early\n                  in the development process, when each code change can be automatically scanned for\n                  potential weaknesses. Static analysis can provide clear remediation guidance along\n                  with defects to enable developers to fix such defects. Evidence of correct\n                  implementation of static analysis can include, for example, aggregate defect\n                  density for critical defect types, evidence that defects were inspected by\n                  developers or security professionals, and evidence that defects were fixed. An\n                  excessively high density of ignored findings (commonly referred to as ignored or\n                  false positives) indicates a potential problem with the analysis process or tool.\n                  In such cases, organizations weigh the validity of the evidence against evidence\n                  from other sources."},{"id":"sa-11.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to employ static code analysis\n                  tools to identify common flaws and document the results of the analysis."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test plans\\n\\nsystem developer security testing results\\n\\nsecurity flaw and remediation tracking records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation\\n\\nstatic code analysis tools"}]}]},{"id":"sa-11.2","class":"SP800-53-enhancement","title":"Threat and Vulnerability Analyses","properties":[{"name":"label","value":"SA-11(2)"},{"name":"sort-id","value":"sa-11.02"}],"parts":[{"id":"sa-11.2_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to perform threat and vulnerability\n                  analyses and subsequent testing/evaluation of the as-built system, component, or\n                  service."},{"id":"sa-11.2_gdn","name":"guidance","prose":"Applications may deviate significantly from the functional and design\n                  specifications created during the requirements and design phases of the system\n                  development life cycle. Therefore, threat and vulnerability analyses of\n                  information systems, system components, and information system services prior to\n                  delivery are critical to the effective operation of those systems, components, and\n                  services. Threat and vulnerability analyses at this phase of the life cycle help\n                  to ensure that design or implementation changes have been accounted for, and that\n                  any new vulnerabilities created as a result of those changes have been reviewed\n                  and mitigated.","links":[{"href":"#pm-15","rel":"related","text":"PM-15"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"sa-11.2_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to perform:","parts":[{"id":"sa-11.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(2)[1]"}],"prose":"threat analyses of the as-built, system component, or service;"},{"id":"sa-11.2_obj.2","name":"objective","properties":[{"name":"label","value":"SA-11(2)[2]"}],"prose":"vulnerability analyses of the as-built, system component, or service; and"},{"id":"sa-11.2_obj.3","name":"objective","properties":[{"name":"label","value":"SA-11(2)[3]"}],"prose":"subsequent testing/evaluation of the as-built, system component, or\n                     service."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test plans\\n\\nrecords of developer security testing results for the information system,\n                     system component, or information system service\\n\\nvulnerability scanning results\\n\\ninformation system risk assessment reports\\n\\nthreat and vulnerability analysis reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation"}]}]},{"id":"sa-11.8","class":"SP800-53-enhancement","title":"Dynamic Code Analysis","properties":[{"name":"label","value":"SA-11(8)"},{"name":"sort-id","value":"sa-11.08"}],"parts":[{"id":"sa-11.8_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to employ dynamic code analysis tools to\n                  identify common flaws and document the results of the analysis.","parts":[{"id":"sa-11.8_fr","name":"item","title":"SA-11 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-11.8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."}]}]},{"id":"sa-11.8_gdn","name":"guidance","prose":"Dynamic code analysis provides run-time verification of software programs, using\n                  tools capable of monitoring programs for memory corruption, user privilege issues,\n                  and other potential security problems. Dynamic code analysis employs run-time\n                  tools to help to ensure that security functionality performs in the manner in\n                  which it was designed. A specialized type of dynamic analysis, known as fuzz\n                  testing, induces program failures by deliberately introducing malformed or random\n                  data into software programs. Fuzz testing strategies derive from the intended use\n                  of applications and the functional and design specifications for the applications.\n                  To understand the scope of dynamic code analysis and hence the assurance provided,\n                  organizations may also consider conducting code coverage analysis (checking the\n                  degree to which the code has been tested using metrics such as percent of\n                  subroutines tested or percent of program statements called during execution of the\n                  test suite) and/or concordance analysis (checking for words that are out of place\n                  in software code such as non-English language words or derogatory terms)."},{"id":"sa-11.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to employ dynamic code analysis\n                  tools to identify common flaws and document the results of the analysis."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test and evaluation plans\\n\\nsecurity test and evaluation results\\n\\nsecurity flaw and remediation tracking reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation"}]}]}]},{"id":"sa-12","class":"SP800-53","title":"Supply Chain Protection","parameters":[{"id":"sa-12_prm_1","label":"organization-defined security safeguards","constraints":[{"detail":"organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures"}]}],"properties":[{"name":"label","value":"SA-12"},{"name":"sort-id","value":"sa-12"}],"links":[{"href":"#8ab6bcdc-339b-4068-b45e-994814a6e187","rel":"reference","text":"NIST Special Publication 800-161"},{"href":"#bdd2f49e-edf7-491f-a178-4487898228f3","rel":"reference","text":"NIST Interagency Report 7622"}],"parts":[{"id":"sa-12_smt","name":"statement","prose":"The organization protects against supply chain threats to the information system,\n               system component, or information system service by employing {{ sa-12_prm_1 }} as part of a comprehensive, defense-in-breadth\n               information security strategy."},{"id":"sa-12_gdn","name":"guidance","prose":"Information systems (including system components that compose those systems) need to\n               be protected throughout the system development life cycle (i.e., during design,\n               development, manufacturing, packaging, assembly, distribution, system integration,\n               operations, maintenance, and retirement). Protection of organizational information\n               systems is accomplished through threat awareness, by the identification, management,\n               and reduction of vulnerabilities at each phase of the life cycle and the use of\n               complementary, mutually reinforcing strategies to respond to risk. Organizations\n               consider implementing a standardized process to address supply chain risk with\n               respect to information systems and system components, and to educate the acquisition\n               workforce on threats, risk, and required security controls. Organizations use the\n               acquisition/procurement processes to require supply chain entities to implement\n               necessary security safeguards to: (i) reduce the likelihood of unauthorized\n               modifications at each stage in the supply chain; and (ii) protect information systems\n               and information system components, prior to taking delivery of such\n               systems/components. This control also applies to information system services.\n               Security safeguards include, for example: (i) security controls for development\n               systems, development facilities, and external connections to development systems;\n               (ii) vetting development personnel; and (iii) use of tamper-evident packaging during\n               shipping/warehousing. Methods for reviewing and protecting development plans,\n               evidence, and documentation are commensurate with the security category or\n               classification level of the information system. Contracts may specify documentation\n               protection requirements.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-14","rel":"related","text":"SA-14"},{"href":"#sa-15","rel":"related","text":"SA-15"},{"href":"#sa-18","rel":"related","text":"SA-18"},{"href":"#sa-19","rel":"related","text":"SA-19"},{"href":"#sc-29","rel":"related","text":"SC-29"},{"href":"#sc-30","rel":"related","text":"SC-30"},{"href":"#sc-38","rel":"related","text":"SC-38"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sa-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-12_obj.1","name":"objective","properties":[{"name":"label","value":"SA-12[1]"}],"prose":"defines security safeguards to be employed to protect against supply chain threats\n                  to the information system, system component, or information system service;\n                  and"},{"id":"sa-12_obj.2","name":"objective","properties":[{"name":"label","value":"SA-12[2]"}],"prose":"protects against supply chain threats to the information system, system component,\n                  or information system service by employing organization-defined security\n                  safeguards as part of a comprehensive, defense-in-breadth information security\n                  strategy."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing supply chain protection\\n\\nprocedures addressing the integration of information security requirements into\n                  the acquisition process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nlist of supply chain threats\\n\\nlist of security safeguards to be taken against supply chain threats\\n\\nsystem development life cycle documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with supply chain protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining safeguards for and protecting against supply\n                  chain threats\\n\\nautomated mechanisms supporting and/or implementing safeguards for supply chain\n                  threats"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","parameters":[{"id":"sa-15_prm_1","label":"organization-defined frequency","constraints":[{"detail":"as needed and as dictated by the current threat posture"}]},{"id":"sa-15_prm_2","label":"organization-defined security requirements","constraints":[{"detail":"organization and service provider- defined security requirements"}]}],"properties":[{"name":"label","value":"SA-15"},{"name":"sort-id","value":"sa-15"}],"parts":[{"id":"sa-15_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires the developer of the information system, system component, or information\n                  system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security requirements;"},{"id":"sa-15_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the\n                     development process; and"},{"id":"sa-15_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and/or\n                     tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews the development process, standards, tools, and tool options/configurations\n                     {{ sa-15_prm_1 }} to determine if the process, standards, tools,\n                  and tool options/configurations selected and employed can satisfy {{ sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include, for example, programming languages and computer-aided\n               design (CAD) systems. Reviews of development processes can include, for example, the\n               use of maturity models to determine the potential effectiveness of such processes.\n               Maintaining the integrity of changes to tools and processes enables accurate supply\n               chain risk assessment and mitigation, and requires robust configuration control\n               throughout the life cycle (including design, development, transport, delivery,\n               integration, and maintenance) to track authorized changes and prevent unauthorized\n               changes.","links":[{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"}]},{"id":"sa-15_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-15.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-15(a)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to follow a documented development process that:","parts":[{"id":"sa-15.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-15(a)(1)"}],"prose":"explicitly addresses security requirements;"},{"id":"sa-15.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-15(a)(2)"}],"prose":"identifies the standards and tools used in the development process;"},{"id":"sa-15.a.3_obj","name":"objective","properties":[{"name":"label","value":"SA-15(a)(3)"}],"parts":[{"id":"sa-15.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"SA-15(a)(3)[1]"}],"prose":"documents the specific tool options used in the development process;"},{"id":"sa-15.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"SA-15(a)(3)[2]"}],"prose":"documents the specific tool configurations used in the development\n                        process;"}]},{"id":"sa-15.a.4_obj","name":"objective","properties":[{"name":"label","value":"SA-15(a)(4)"}],"parts":[{"id":"sa-15.a.4_obj.1","name":"objective","properties":[{"name":"label","value":"SA-15(a)(4)[1]"}],"prose":"documents changes to the process and/or tools used in the development;"},{"id":"sa-15.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"SA-15(a)(4)[2]"}],"prose":"manages changes to the process and/or tools used in the development;"},{"id":"sa-15.a.4_obj.3","name":"objective","properties":[{"name":"label","value":"SA-15(a)(4)[3]"}],"prose":"ensures the integrity of changes to the process and/or tools used in the\n                        development;"}]}]},{"id":"sa-15.b_obj","name":"objective","properties":[{"name":"label","value":"SA-15(b)"}],"parts":[{"id":"sa-15.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-15(b)[1]"}],"prose":"defines a frequency to review the development process, standards, tools, and\n                     tool options/configurations;"},{"id":"sa-15.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-15(b)[2]"}],"prose":"defines security requirements to be satisfied by the process, standards, tools,\n                     and tool option/configurations selected and employed; and"},{"id":"sa-15.b_obj.3","name":"objective","properties":[{"name":"label","value":"SA-15(b)[3]"}],"parts":[{"id":"sa-15.b_obj.3.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-15(b)[3][a]"}],"prose":"reviews the development process with the organization-defined frequency to\n                        determine if the process selected and employed can satisfy\n                        organization-defined security requirements;"},{"id":"sa-15.b_obj.3.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-15(b)[3][b]"}],"prose":"reviews the development standards with the organization-defined frequency to\n                        determine if the standards selected and employed can satisfy\n                        organization-defined security requirements;"},{"id":"sa-15.b_obj.3.c","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-15(b)[3][c]"}],"prose":"reviews the development tools with the organization-defined frequency to\n                        determine if the tools selected and employed can satisfy\n                        organization-defined security requirements; and"},{"id":"sa-15.b_obj.3.d","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-15(b)[3][d]"}],"prose":"reviews the development tool options/configurations with the\n                        organization-defined frequency to determine if the tool\n                        options/configurations selected and employed can satisfy\n                        organization-defined security requirements."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing development process, standards, and tools\\n\\nprocedures addressing the integration of security requirements during the\n                  development process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer documentation listing tool options/configuration guides,\n                  configuration management records\\n\\nchange control records\\n\\nconfiguration control records\\n\\ndocumented reviews of development process, standards, tools, and tool\n                  options/configurations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]}]},{"id":"sa-16","class":"SP800-53","title":"Developer-provided Training","parameters":[{"id":"sa-16_prm_1","label":"organization-defined training"}],"properties":[{"name":"label","value":"SA-16"},{"name":"sort-id","value":"sa-16"}],"parts":[{"id":"sa-16_smt","name":"statement","prose":"The organization requires the developer of the information system, system component,\n               or information system service to provide {{ sa-16_prm_1 }} on the\n               correct use and operation of the implemented security functions, controls, and/or\n               mechanisms."},{"id":"sa-16_gdn","name":"guidance","prose":"This control applies to external and internal (in-house) developers. Training of\n               personnel is an essential element to ensure the effectiveness of security controls\n               implemented within organizational information systems. Training options include, for\n               example, classroom-style training, web-based/computer-based training, and hands-on\n               training. Organizations can also request sufficient training materials from\n               developers to conduct in-house training or offer self-training to organizational\n               personnel. Organizations determine the type of training necessary and may require\n               different types of training for different security functions, controls, or\n               mechanisms.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"sa-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-16_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-16[1]"}],"prose":"defines training to be provided by the developer of the information system, system\n                  component, or information system service; and"},{"id":"sa-16_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-16[2]"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to provide organization-defined training on the correct use and\n                  operation of the implemented security functions, controls, and/or mechanisms."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing developer-provided training\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ndeveloper-provided training materials\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information system security responsibilities\\n\\nsystem developer\\n\\norganizational or third-party developers with training responsibilities for the\n                  information system, system component, or information system service"}]}]},{"id":"sa-17","class":"SP800-53","title":"Developer Security Architecture and Design","properties":[{"name":"label","value":"SA-17"},{"name":"sort-id","value":"sa-17"}],"parts":[{"id":"sa-17_smt","name":"statement","prose":"The organization requires the developer of the information system, system component,\n               or information system service to produce a design specification and security\n               architecture that:","parts":[{"id":"sa-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Is consistent with and supportive of the organization’s security architecture\n                  which is established within and is an integrated part of the organization’s\n                  enterprise architecture;"},{"id":"sa-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Accurately and completely describes the required security functionality, and the\n                  allocation of security controls among physical and logical components; and"},{"id":"sa-17_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Expresses how individual security functions, mechanisms, and services work\n                  together to provide required security capabilities and a unified approach to\n                  protection."}]},{"id":"sa-17_gdn","name":"guidance","prose":"This control is primarily directed at external developers, although it could also be\n               used for internal (in-house) development. In contrast, PL-8 is primarily directed at\n               internal developers to help ensure that organizations develop an information security\n               architecture and such security architecture is integrated or tightly coupled to the\n               enterprise architecture. This distinction is important if/when organizations\n               outsource the development of information systems, information system components, or\n               information system services to external entities, and there is a requirement to\n               demonstrate consistency with the organization’s enterprise architecture and\n               information security architecture.","links":[{"href":"#pl-8","rel":"related","text":"PL-8"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-8","rel":"related","text":"SA-8"}]},{"id":"sa-17_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system,\n               system component, or information system service to produce a design specification and\n               security architecture that:","parts":[{"id":"sa-17.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-17(a)"}],"prose":"is consistent with and supportive of the organization’s security architecture\n                  which is established within and is an integrated part of the organization’s\n                  enterprise architecture;"},{"id":"sa-17.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-17(b)"}],"prose":"accurately and completely describes:","parts":[{"id":"sa-17.b_obj.1","name":"objective","properties":[{"name":"label","value":"SA-17(b)[1]"}],"prose":"the required security functionality;"},{"id":"sa-17.b_obj.2","name":"objective","properties":[{"name":"label","value":"SA-17(b)[2]"}],"prose":"the allocation of security controls among physical and logical components;\n                     and"}]},{"id":"sa-17.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-17(c)"}],"prose":"expresses how individual security functions, mechanisms, and services work\n                  together to provide required security capabilities and a unified approach to\n                  protection."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nenterprise architecture policy\\n\\nprocedures addressing developer security architecture and design specification for\n                  the information system\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ndesign specification and security architecture documentation for the system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with security architecture and design\n                  responsibilities"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","parameters":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"sc-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications\n                     protection policy and associated system and communications protection controls;\n                     and"}]},{"id":"sc-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ sc-1_prm_2 }};\n                     and"},{"id":"sc-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that\n                        addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection\n                        policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to\n                        organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and communications protection policy and associated system and\n                        communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy\n                        with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Application Partitioning","properties":[{"name":"label","value":"SC-2"},{"name":"sort-id","value":"sc-02"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"The information system separates user functionality (including user interface\n               services) from information system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"Information system management functionality includes, for example, functions\n               necessary to administer databases, network components, workstations, or servers, and\n               typically requires privileged user access. The separation of user functionality from\n               information system management functionality is either physical or logical.\n               Organizations implement separation of system management-related functionality from\n               user functionality by using different computers, different central processing units,\n               different instances of operating systems, different network addresses, virtualization\n               techniques, or combinations of these or other methods, as appropriate. This type of\n               separation includes, for example, web administrative interfaces that use separate\n               authentication methods for users of any other information system resources.\n               Separation of system and user functionality may include isolating administrative\n               interfaces on different domains and with additional access controls.","links":[{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system separates user functionality (including user\n               interface services) from information system management functionality."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing application partitioning\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of user functionality from information system management\n                  functionality"}]}]},{"id":"sc-3","class":"SP800-53","title":"Security Function Isolation","properties":[{"name":"label","value":"SC-3"},{"name":"sort-id","value":"sc-03"}],"parts":[{"id":"sc-3_smt","name":"statement","prose":"The information system isolates security functions from nonsecurity functions."},{"id":"sc-3_gdn","name":"guidance","prose":"The information system isolates security functions from nonsecurity functions by\n               means of an isolation boundary (implemented via partitions and domains). Such\n               isolation controls access to and protects the integrity of the hardware, software,\n               and firmware that perform those security functions. Information systems implement\n               code separation (i.e., separation of security functions from nonsecurity functions)\n               in a number of ways, including, for example, through the provision of security\n               kernels via processor rings or processor modes. For non-kernel code, security\n               function isolation is often achieved through file system protections that serve to\n               protect the code on disk, and address space protections that protect executing code.\n               Information systems restrict access to security functions through the use of access\n               control mechanisms and by implementing least privilege capabilities. While the ideal\n               is for all of the code within the security function isolation boundary to only\n               contain security-relevant code, it is sometimes necessary to include nonsecurity\n               functions within the isolation boundary as an exception.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-13","rel":"related","text":"SA-13"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-39","rel":"related","text":"SC-39"}]},{"id":"sc-3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system isolates security functions from nonsecurity\n               functions."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing security function isolation\\n\\nlist of security functions to be isolated from nonsecurity functions\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of security functions from nonsecurity functions within the information\n                  system"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared Resources","properties":[{"name":"label","value":"SC-4"},{"name":"sort-id","value":"sc-04"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"The information system prevents unauthorized and unintended information transfer via\n               shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"This control prevents information, including encrypted representations of\n               information, produced by the actions of prior users/roles (or the actions of\n               processes acting on behalf of prior users/roles) from being available to any current\n               users/roles (or current processes) that obtain access to shared system resources\n               (e.g., registers, main memory, hard disks) after those resources have been released\n               back to information systems. The control of information in shared resources is also\n               commonly referred to as object reuse and residual information protection. This\n               control does not address: (i) information remanence which refers to residual\n               representation of data that has been nominally erased or removed; (ii) covert\n               channels (including storage and/or timing channels) where shared resources are\n               manipulated to violate information flow restrictions; or (iii) components within\n               information systems for which there are only single users/roles.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#mp-6","rel":"related","text":"MP-6"}]},{"id":"sc-4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system prevents unauthorized and unintended information\n               transfer via shared system resources."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing information protection in shared system resources\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms preventing unauthorized and unintended transfer of\n                  information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","parameters":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources\n               for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types\n               of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of\n               denial of service attacks. For example, boundary protection devices can filter\n               certain types of packets to protect information system components on internal\n               organizational networks from being directly affected by denial of service attacks.\n               Employing increased capacity and bandwidth combined with service redundancy may also\n               reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related","text":"SC-6"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","properties":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source\n                  of such information for the information system to protect against or limit the\n                  effects;"},{"id":"sc-5_obj.2","name":"objective","properties":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information\n                  system to protect against or limit the effects of organization-defined types of\n                  denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","properties":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the\n                  organization-defined denial or service attacks (or reference to source for such\n                  information) by employing organization-defined security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing denial of service protection\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\nlist of denial of services attacks requiring employment of security safeguards to\n                  protect against or limit effects of such attacks\\n\\nlist of security safeguards protecting against or limiting the effects of denial\n                  of service attacks\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of\n                  service attacks"}]}]},{"id":"sc-6","class":"SP800-53","title":"Resource Availability","parameters":[{"id":"sc-6_prm_1","label":"organization-defined resources"},{"id":"sc-6_prm_2"},{"id":"sc-6_prm_3","depends-on":"sc-6_prm_2","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SC-6"},{"name":"sort-id","value":"sc-06"}],"parts":[{"id":"sc-6_smt","name":"statement","prose":"The information system protects the availability of resources by allocating {{ sc-6_prm_1 }} by {{ sc-6_prm_2 }}."},{"id":"sc-6_gdn","name":"guidance","prose":"Priority protection helps prevent lower-priority processes from delaying or\n               interfering with the information system servicing any higher-priority processes.\n               Quotas prevent users or processes from obtaining more than predetermined amounts of\n               resources. This control does not apply to information system components for which\n               there are only single users/roles."},{"id":"sc-6_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-6_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-6[1]"}],"prose":"the organization defines resources to be allocated to protect the availability of\n                  resources;"},{"id":"sc-6_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-6[2]"}],"prose":"the organization defines security safeguards to be employed to protect the\n                  availability of resources;"},{"id":"sc-6_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-6[3]"}],"prose":"the information system protects the availability of resources by allocating\n                  organization-defined resources by one or more of the following:","parts":[{"id":"sc-6_obj.3.a","name":"objective","properties":[{"name":"label","value":"SC-6[3][a]"}],"prose":"priority;"},{"id":"sc-6_obj.3.b","name":"objective","properties":[{"name":"label","value":"SC-6[3][b]"}],"prose":"quota; and/or"},{"id":"sc-6_obj.3.c","name":"objective","properties":[{"name":"label","value":"SC-6[3][c]"}],"prose":"organization-defined safeguards."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing prioritization of information system resources\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing resource allocation\n                  capability\\n\\nsafeguards employed to protect availability of resources"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","parameters":[{"id":"sc-7_prm_1"}],"properties":[{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference","text":"NIST Special Publication 800-41"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at\n                  key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;\n                  and"},{"id":"sc-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards,\n               network-based malicious code analysis and virtualization systems, or encrypted\n               tunnels implemented within a security architecture (e.g., routers protecting\n               firewalls or application gateways residing on protected subnetworks). Subnetworks\n               that are physically or logically separated from internal networks are referred to as\n               demilitarized zones or DMZs. Restricting or prohibiting interfaces within\n               organizational information systems includes, for example, restricting external web\n               traffic to designated web servers within managed interfaces and prohibiting external\n               traffic that appears to be spoofing internal addresses. Organizations consider the\n               shared nature of commercial telecommunications services in the implementation of\n               security controls associated with the use of such services. Commercial\n               telecommunications services are commonly based on network components and consolidated\n               management systems shared by all attached commercial customers, and may also include\n               third party-provided access lines and other service elements. Such transmission\n               services may represent sources of increased risk despite contract security\n               provisions.","links":[{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","properties":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are\n                  either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","properties":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and/or"},{"id":"sc-7.b_obj.2","name":"objective","properties":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\nlist of key internal boundaries of the information system\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\nenterprise security architecture documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","properties":[{"name":"label","value":"SC-7(3)"},{"name":"sort-id","value":"sc-07.03"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"The organization limits the number of external network connections to the\n                  information system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates more comprehensive\n                  monitoring of inbound and outbound communications traffic. The Trusted Internet\n                  Connection (TIC) initiative is an example of limiting the number of external\n                  network connections."},{"id":"sc-7.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization limits the number of external network connections to\n                  the information system."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncommunications and network traffic monitoring logs\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\\n\\nautomated mechanisms limiting the number of external network connections to the\n                     information system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","parameters":[{"id":"sc-7.4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SC-7(4)"},{"name":"sort-id","value":"sc-07.04"}],"parts":[{"id":"sc-7.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-7.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Implements a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Establishes a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Protects the confidentiality and integrity of the information being transmitted\n                     across each interface;"},{"id":"sc-7.4_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Documents each exception to the traffic flow policy with a supporting\n                     mission/business need and duration of that need; and"},{"id":"sc-7.4_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Reviews exceptions to the traffic flow policy {{ sc-7.4_prm_1 }}\n                     and removes exceptions that are no longer supported by an explicit\n                     mission/business need."}]},{"id":"sc-7.4_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related","text":"SC-8"}]},{"id":"sc-7.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.4.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(4)(a)"}],"prose":"implements a managed interface for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"corresp","text":"SC-7(4)(a)"}]},{"id":"sc-7.4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(4)(b)"}],"prose":"establishes a traffic flow policy for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"corresp","text":"SC-7(4)(b)"}]},{"id":"sc-7.4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(4)(c)"}],"prose":"protects the confidentiality and integrity of the information being transmitted\n                     across each interface;","links":[{"href":"#sc-7.4_smt.c","rel":"corresp","text":"SC-7(4)(c)"}]},{"id":"sc-7.4.d_obj","name":"objective","properties":[{"name":"label","value":"SC-7(4)(d)"}],"prose":"documents each exception to the traffic flow policy with:","parts":[{"id":"sc-7.4.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(4)(d)[1]"}],"prose":"a supporting mission/business need;"},{"id":"sc-7.4.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(4)(d)[2]"}],"prose":"duration of that need;"}],"links":[{"href":"#sc-7.4_smt.d","rel":"corresp","text":"SC-7(4)(d)"}]},{"id":"sc-7.4.e_obj","name":"objective","properties":[{"name":"label","value":"SC-7(4)(e)"}],"parts":[{"id":"sc-7.4.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(4)(e)[1]"}],"prose":"defines a frequency to review exceptions to traffic flow policy;"},{"id":"sc-7.4.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(4)(e)[2]"}],"prose":"reviews exceptions to the traffic flow policy with the organization-defined\n                        frequency; and"},{"id":"sc-7.4.e_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(4)(e)[3]"}],"prose":"removes traffic flow policy exceptions that are no longer supported by an\n                        explicit mission/business need"}],"links":[{"href":"#sc-7.4_smt.e","rel":"corresp","text":"SC-7(4)(e)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\ntraffic flow policy\\n\\ninformation flow control policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system security architecture\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of traffic flow policy exceptions\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for documenting and reviewing exceptions to the\n                     traffic flow policy\\n\\norganizational processes for removing exceptions to the traffic flow policy\\n\\nautomated mechanisms implementing boundary protection capability\\n\\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default / Allow by Exception","properties":[{"name":"label","value":"SC-7(5)"},{"name":"sort-id","value":"sc-07.05"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"The information system at managed interfaces denies network communications traffic\n                  by default and allows network communications traffic by exception (i.e., deny all,\n                  permit by exception)."},{"id":"sc-7.5_gdn","name":"guidance","prose":"This control enhancement applies to both inbound and outbound network\n                  communications traffic. A deny-all, permit-by-exception network communications\n                  traffic policy ensures that only those connections which are essential and\n                  approved are allowed."},{"id":"sc-7.5_obj","name":"objective","prose":"Determine if the information system, at managed interfaces:","parts":[{"id":"sc-7.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(5)[1]"}],"prose":"denies network traffic by default; and"},{"id":"sc-7.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(5)[2]"}],"prose":"allows network traffic by exception."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Prevent Split Tunneling for Remote Devices","properties":[{"name":"label","value":"SC-7(7)"},{"name":"sort-id","value":"sc-07.07"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"The information system, in conjunction with a remote device, prevents the device\n                  from simultaneously establishing non-remote connections with the system and\n                  communicating via some other connection to resources in external networks."},{"id":"sc-7.7_gdn","name":"guidance","prose":"This control enhancement is implemented within remote devices (e.g., notebook\n                  computers) through configuration settings to disable split tunneling in those\n                  devices, and by preventing those configuration settings from being readily\n                  configurable by users. This control enhancement is implemented within the\n                  information system by the detection of split tunneling (or of configuration\n                  settings that allow split tunneling) in the remote device, and by prohibiting the\n                  connection if the remote device is using split tunneling. Split tunneling might be\n                  desirable by remote users to communicate with local information system resources\n                  such as printers/file servers. However, split tunneling would in effect allow\n                  unauthorized external connections, making the system more vulnerable to attack and\n                  to exfiltration of organizational information. The use of VPNs for remote\n                  connections, when adequately provisioned with appropriate security controls, may\n                  provide the organization with sufficient assurance that it can effectively treat\n                  such connections as non-remote connections from the confidentiality and integrity\n                  perspective. VPNs thus provide a means for allowing non-remote communications\n                  paths from remote devices. The use of an adequately provisioned VPN does not\n                  eliminate the need for preventing split tunneling."},{"id":"sc-7.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system, in conjunction with a remote device, prevents\n                  the device from simultaneously establishing non-remote connections with the system\n                  and communicating via some other connection to resources in external networks."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\\n\\nautomated mechanisms supporting/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","parameters":[{"id":"sc-7.8_prm_1","label":"organization-defined internal communications traffic"},{"id":"sc-7.8_prm_2","label":"organization-defined external networks"}],"properties":[{"name":"label","value":"SC-7(8)"},{"name":"sort-id","value":"sc-07.08"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"The information system routes {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed\n                  interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server\n                  is a server (i.e., information system or application) that acts as an intermediary\n                  for clients requesting information system resources (e.g., files, connections, web\n                  pages, or services) from other organizational servers. Client requests established\n                  through an initial connection to the proxy server are evaluated to manage\n                  complexity and to provide additional protection by limiting direct connectivity.\n                  Web content filtering devices are one of the most common proxy servers providing\n                  access to the Internet. Proxy servers support logging individual Transmission\n                  Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators\n                  (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be\n                  configured with organization-defined lists of authorized and unauthorized\n                  websites.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-2","rel":"related","text":"AU-2"}]},{"id":"sc-7.8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-7.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(8)[1]"}],"prose":"the organization defines internal communications traffic to be routed to\n                     external networks;"},{"id":"sc-7.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(8)[2]"}],"prose":"the organization defines external networks to which organization-defined\n                     internal communications traffic is to be routed; and"},{"id":"sc-7.8_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(8)[3]"}],"prose":"the information system routes organization-defined internal communications\n                     traffic to organization-defined external networks through authenticated proxy\n                     servers at managed interfaces."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management through authenticated\n                     proxy servers at managed interfaces"}]}]},{"id":"sc-7.10","class":"SP800-53-enhancement","title":"Prevent Unauthorized Exfiltration","properties":[{"name":"label","value":"SC-7(10)"},{"name":"sort-id","value":"sc-07.10"}],"parts":[{"id":"sc-7.10_smt","name":"statement","prose":"The organization prevents the unauthorized exfiltration of information across\n                  managed interfaces."},{"id":"sc-7.10_gdn","name":"guidance","prose":"Safeguards implemented by organizations to prevent unauthorized exfiltration of\n                  information from information systems include, for example: (i) strict adherence to\n                  protocol formats; (ii) monitoring for beaconing from information systems; (iii)\n                  monitoring for steganography; (iv) disconnecting external network interfaces\n                  except when explicitly needed; (v) disassembling and reassembling packet headers;\n                  and (vi) employing traffic profile analysis to detect deviations from the\n                  volume/types of traffic expected within organizations or call backs to command and\n                  control centers. Devices enforcing strict adherence to protocol formats include,\n                  for example, deep packet inspection firewalls and XML gateways. These devices\n                  verify adherence to protocol formats and specification at the application layer\n                  and serve to identify vulnerabilities that cannot be detected by devices operating\n                  at the network or transport layers. This control enhancement is closely associated\n                  with cross-domain solutions and system guards enforcing information flow\n                  requirements.","links":[{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"sc-7.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization prevents the unauthorized exfiltration of\n                  information across managed interfaces."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\\n\\npreventing unauthorized exfiltration of information across managed\n                     interfaces"}]}]},{"id":"sc-7.12","class":"SP800-53-enhancement","title":"Host-based Protection","parameters":[{"id":"sc-7.12_prm_1","label":"organization-defined host-based boundary protection mechanisms","constraints":[{"detail":"Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall"}]},{"id":"sc-7.12_prm_2","label":"organization-defined information system components"}],"properties":[{"name":"label","value":"SC-7(12)"},{"name":"sort-id","value":"sc-07.12"}],"parts":[{"id":"sc-7.12_smt","name":"statement","prose":"The organization implements {{ sc-7.12_prm_1 }} at {{ sc-7.12_prm_2 }}."},{"id":"sc-7.12_gdn","name":"guidance","prose":"Host-based boundary protection mechanisms include, for example, host-based\n                  firewalls. Information system components employing host-based boundary protection\n                  mechanisms include, for example, servers, workstations, and mobile devices."},{"id":"sc-7.12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.12_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(12)[1]"}],"prose":"defines host-based boundary protection mechanisms;"},{"id":"sc-7.12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(12)[2]"}],"prose":"defines information system components where organization-defined host-based\n                     boundary protection mechanisms are to be implemented; and"},{"id":"sc-7.12_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(12)[3]"}],"prose":"implements organization-defined host-based boundary protection mechanisms at\n                     organization-defined information system components."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities\\n\\ninformation system users"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing host-based boundary protection\n                     capabilities"}]}]},{"id":"sc-7.13","class":"SP800-53-enhancement","title":"Isolation of Security Tools / Mechanisms / Support Components","parameters":[{"id":"sc-7.13_prm_1","label":"organization-defined information security tools, mechanisms, and support\n                  components"}],"properties":[{"name":"label","value":"SC-7(13)"},{"name":"sort-id","value":"sc-07.13"}],"parts":[{"id":"sc-7.13_smt","name":"statement","prose":"The organization isolates {{ sc-7.13_prm_1 }} from other internal\n                  information system components by implementing physically separate subnetworks with\n                  managed interfaces to other components of the system.","parts":[{"id":"sc-7.13_fr","name":"item","title":"SC-7 (13) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-7.13_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets."},{"id":"sc-7.13_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc."}]}]},{"id":"sc-7.13_gdn","name":"guidance","prose":"Physically separate subnetworks with managed interfaces are useful, for example,\n                  in isolating computer network defenses from critical operational processing\n                  networks to prevent adversaries from discovering the analysis and forensics\n                  techniques of organizations.","links":[{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-7.13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.13_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(13)[1]"}],"prose":"defines information security tools, mechanisms, and support components to be\n                     isolated from other internal information system components; and"},{"id":"sc-7.13_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(13)[2]"}],"prose":"isolates organization-defined information security tools, mechanisms, and\n                     support components from other internal information system components by\n                     implementing physically separate subnetworks with managed interfaces to other\n                     components of the system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security tools and support components to be isolated from other\n                     internal information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing isolation of information\n                     security tools, mechanisms, and support components"}]}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","properties":[{"name":"label","value":"SC-7(18)"},{"name":"sort-id","value":"sc-07.18"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"The information system fails securely in the event of an operational failure of a\n                  boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing information system mechanisms to\n                  ensure that in the event of operational failures of boundary protection devices at\n                  managed interfaces (e.g., routers, firewalls, guards, and application gateways\n                  residing on protected subnetworks commonly referred to as demilitarized zones),\n                  information systems do not enter into unsecure states where intended security\n                  properties no longer hold. Failures of boundary protection devices cannot lead to,\n                  or cause information external to the devices to enter the devices, nor can\n                  failures permit unauthorized information releases.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"sc-7.18_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system fails securely in the event of an operational\n                  failure of a boundary protection device."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing secure failure"}]}]},{"id":"sc-7.20","class":"SP800-53-enhancement","title":"Dynamic Isolation / Segregation","parameters":[{"id":"sc-7.20_prm_1","label":"organization-defined information system components"}],"properties":[{"name":"label","value":"SC-7(20)"},{"name":"sort-id","value":"sc-07.20"}],"parts":[{"id":"sc-7.20_smt","name":"statement","prose":"The information system provides the capability to dynamically isolate/segregate\n                     {{ sc-7.20_prm_1 }} from other components of the system."},{"id":"sc-7.20_gdn","name":"guidance","prose":"The capability to dynamically isolate or segregate certain internal components of\n                  organizational information systems is useful when it is necessary to partition or\n                  separate certain components of dubious origin from those components possessing\n                  greater trustworthiness. Component isolation reduces the attack surface of\n                  organizational information systems. Isolation of selected information system\n                  components is also a means of limiting the damage from successful cyber attacks\n                  when those attacks occur."},{"id":"sc-7.20_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-7.20_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(20)[1]"}],"prose":"the organization defines information system components to be dynamically\n                     isolated/segregated from other components of the system; and"},{"id":"sc-7.20_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(20)[2]"}],"prose":"the information system provides the capability to dynamically isolate/segregate\n                     organization-defined information system components from other components of the\n                     system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components to be dynamically isolated/segregated\n                     from other components of the system\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the capability to\n                     dynamically isolate/segregate information system components"}]}]},{"id":"sc-7.21","class":"SP800-53-enhancement","title":"Isolation of Information System Components","parameters":[{"id":"sc-7.21_prm_1","label":"organization-defined information system components"},{"id":"sc-7.21_prm_2","label":"organization-defined missions and/or business functions"}],"properties":[{"name":"label","value":"SC-7(21)"},{"name":"sort-id","value":"sc-07.21"}],"parts":[{"id":"sc-7.21_smt","name":"statement","prose":"The organization employs boundary protection mechanisms to separate {{ sc-7.21_prm_1 }} supporting {{ sc-7.21_prm_2 }}."},{"id":"sc-7.21_gdn","name":"guidance","prose":"Organizations can isolate information system components performing different\n                  missions and/or business functions. Such isolation limits unauthorized information\n                  flows among system components and also provides the opportunity to deploy greater\n                  levels of protection for selected components. Separating system components with\n                  boundary protection mechanisms provides the capability for increased protection of\n                  individual components and to more effectively control information flows between\n                  those components. This type of enhanced protection limits the potential harm from\n                  cyber attacks and errors. The degree of separation provided varies depending upon\n                  the mechanisms chosen. Boundary protection mechanisms include, for example,\n                  routers, gateways, and firewalls separating system components into physically\n                  separate networks or subnetworks, cross-domain devices separating subnetworks,\n                  virtualization techniques, and encrypting information flows among system\n                  components using distinct encryption keys.","links":[{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-7.21_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.21_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(21)[1]"}],"prose":"defines information system components to be separated by boundary protection\n                     mechanisms;"},{"id":"sc-7.21_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(21)[2]"}],"prose":"defines missions and/or business functions to be supported by\n                     organization-defined information system components separated by boundary\n                     protection mechanisms; and"},{"id":"sc-7.21_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(21)[3]"}],"prose":"employs boundary protection mechanisms to separate organization-defined\n                     information system components supporting organization-defined missions and/or\n                     business functions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\nenterprise architecture documentation\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the capability to separate\n                     information system components supporting organizational missions and/or\n                     business functions"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","parameters":[{"id":"sc-8_prm_1","constraints":[{"detail":"confidentiality AND integrity"}]}],"properties":[{"name":"label","value":"SC-8"},{"name":"sort-id","value":"sc-08"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference","text":"FIPS Publication 197"},{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference","text":"NIST Special Publication 800-52"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference","text":"NIST Special Publication 800-113"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference","text":"CNSS Policy 15"},{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference","text":"NSTISSI No. 7003"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"The information system protects the {{ sc-8_prm_1 }} of transmitted\n               information."},{"id":"sc-8_gdn","name":"guidance","prose":"This control applies to both internal and external networks and all types of\n               information system components from which information can be transmitted (e.g.,\n               servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile\n               machines). Communication paths outside the physical protection of a controlled\n               boundary are exposed to the possibility of interception and modification. Protecting\n               the confidentiality and/or integrity of organizational information can be\n               accomplished by physical means (e.g., by employing protected distribution systems) or\n               by logical means (e.g., employing encryption techniques). Organizations relying on\n               commercial providers offering transmission services as commodity services rather than\n               as fully dedicated services (i.e., services which can be highly specialized to\n               individual customer needs), may find it difficult to obtain the necessary assurances\n               regarding the implementation of needed security controls for transmission\n               confidentiality/integrity. In such situations, organizations determine what types of\n               confidentiality/integrity services are available in standard, commercial\n               telecommunication service packages. If it is infeasible or impractical to obtain the\n               necessary security controls and assurances of control effectiveness through\n               appropriate contracting vehicles, organizations implement appropriate compensating\n               security controls or explicitly accept the additional risk.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#pe-4","rel":"related","text":"PE-4"}]},{"id":"sc-8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system protects one or more of the following:","parts":[{"id":"sc-8_obj.1","name":"objective","properties":[{"name":"label","value":"SC-8[1]"}],"prose":"confidentiality of transmitted information; and/or"},{"id":"sc-8_obj.2","name":"objective","properties":[{"name":"label","value":"SC-8[2]"}],"prose":"integrity of transmitted information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing transmission confidentiality and integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing transmission confidentiality\n                  and/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic or Alternate Physical Protection","parameters":[{"id":"sc-8.1_prm_1","constraints":[{"detail":"prevent unauthorized disclosure of information AND detect changes to information"}]},{"id":"sc-8.1_prm_2","label":"organization-defined alternative physical safeguards","constraints":[{"detail":"a hardened or alarmed carrier Protective Distribution System (PDS)"}]}],"properties":[{"name":"label","value":"SC-8(1)"},{"name":"sort-id","value":"sc-08.01"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission unless otherwise protected by\n                     {{ sc-8.1_prm_2 }}."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encrypting information for transmission protects information from unauthorized\n                  disclosure and modification. Cryptographic mechanisms implemented to protect\n                  information integrity include, for example, cryptographic hash functions which\n                  have common application in digital signatures, checksums, and message\n                  authentication codes. Alternative physical security safeguards include, for\n                  example, protected distribution systems.","links":[{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"sc-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-8(1)[1]"}],"prose":"the organization defines physical safeguards to be implemented to protect\n                     information during transmission when cryptographic mechanisms are not\n                     implemented; and"},{"id":"sc-8.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-8(1)[2]"}],"prose":"the information system implements cryptographic mechanisms to do one or more of\n                     the following during transmission unless otherwise protected by\n                     organization-defined alternative physical safeguards:","parts":[{"id":"sc-8.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"SC-8(1)[2][a]"}],"prose":"prevent unauthorized disclosure of information; and/or"},{"id":"sc-8.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"SC-8(1)[2][b]"}],"prose":"detect changes to information."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing transmission confidentiality and integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms supporting and/or implementing transmission\n                     confidentiality and/or integrity\\n\\nautomated mechanisms supporting and/or implementing alternative physical\n                     safeguards\\n\\norganizational processes for defining and implementing alternative physical\n                     safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","parameters":[{"id":"sc-10_prm_1","label":"organization-defined time period","constraints":[{"detail":"no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions"}]}],"properties":[{"name":"label","value":"SC-10"},{"name":"sort-id","value":"sc-10"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"The information system terminates the network connection associated with a\n               communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"This control applies to both internal and external networks. Terminating network\n               connections associated with communications sessions include, for example,\n               de-allocating associated TCP/IP address/port pairs at the operating system level, or\n               de-allocating networking assignments at the application level if multiple application\n               sessions are using a single, operating system-level network connection. Time periods\n               of inactivity may be established by organizations and include, for example, time\n               periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-10[1]"}],"prose":"the organization defines a time period of inactivity after which the information\n                  system terminates a network connection associated with a communications session;\n                  and"},{"id":"sc-10_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-10[2]"}],"prose":"the information system terminates the network connection associated with a\n                  communication session at the end of the session or after the organization-defined\n                  time period of inactivity."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing network disconnect\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing network disconnect\n                  capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","parameters":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage,\n               access, and destruction"}],"properties":[{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference","text":"NIST Special Publication 800-56"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference","text":"NIST Special Publication 800-57"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography\n               employed within the information system in accordance with {{ sc-12_prm_1 }}.","parts":[{"id":"sc-12_fr","name":"item","title":"SC-12 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved and validated cryptography."}]}]},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual\n               procedures or automated mechanisms with supporting manual procedures. Organizations\n               define key management requirements in accordance with applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, and guidance,\n               specifying appropriate options, levels, and parameters. Organizations manage trust\n               stores to ensure that only approved trust anchors are in such trust stores. This\n               includes certificates with visibility external to organizational information systems\n               and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","properties":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","properties":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","properties":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","properties":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","properties":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed\n                  within the information system in accordance with organization-defined requirements\n                  for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ncryptographic mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key establishment\n                  and/or management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic key\n                  establishment and management"}]}],"controls":[{"id":"sc-12.1","class":"SP800-53-enhancement","title":"Availability","properties":[{"name":"label","value":"SC-12(1)"},{"name":"sort-id","value":"sc-12.01"}],"parts":[{"id":"sc-12.1_smt","name":"statement","prose":"The organization maintains availability of information in the event of the loss of\n                  cryptographic keys by users."},{"id":"sc-12.1_gdn","name":"guidance","prose":"Escrowing of encryption keys is a common practice for ensuring availability in the\n                  event of loss of keys (e.g., due to forgotten passphrase)."},{"id":"sc-12.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization maintains availability of information in the event\n                  of the loss of cryptographic keys by users."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment, management, and\n                     recovery\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic key\n                     establishment and management"}]}]},{"id":"sc-12.2","class":"SP800-53-enhancement","title":"Symmetric Keys","parameters":[{"id":"sc-12.2_prm_1","constraints":[{"detail":"NIST FIPS-compliant"}]}],"properties":[{"name":"label","value":"SC-12(2)"},{"name":"sort-id","value":"sc-12.02"}],"parts":[{"id":"sc-12.2_smt","name":"statement","prose":"The organization produces, controls, and distributes symmetric cryptographic keys\n                  using {{ sc-12.2_prm_1 }} key management technology and\n                  processes."},{"id":"sc-12.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization produces, controls, and distributes symmetric\n                  cryptographic keys using one of the following: ","parts":[{"id":"sc-12.2_obj.1","name":"objective","properties":[{"name":"label","value":"SC-12(2)[1]"}],"prose":"NIST FIPS-compliant key management technology and processes; or"},{"id":"sc-12.2_obj.2","name":"objective","properties":[{"name":"label","value":"SC-12(2)[2]"}],"prose":"NSA-approved key management technology and processes."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FIPS validated cryptographic products\\n\\nlist of NSA-approved cryptographic products\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing symmetric cryptographic key\n                     establishment and management"}]}]},{"id":"sc-12.3","class":"SP800-53-enhancement","title":"Asymmetric Keys","parameters":[{"id":"sc-12.3_prm_1"}],"properties":[{"name":"label","value":"SC-12(3)"},{"name":"sort-id","value":"sc-12.03"}],"parts":[{"id":"sc-12.3_smt","name":"statement","prose":"The organization produces, controls, and distributes asymmetric cryptographic keys\n                  using {{ sc-12.3_prm_1 }}."},{"id":"sc-12.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization produces, controls, and distributes asymmetric\n                  cryptographic keys using one of the following: ","parts":[{"id":"sc-12.3_obj.1","name":"objective","properties":[{"name":"label","value":"SC-12(3)[1]"}],"prose":"NSA-approved key management technology and processes;"},{"id":"sc-12.3_obj.2","name":"objective","properties":[{"name":"label","value":"SC-12(3)[2]"}],"prose":"approved PKI Class 3 certificates or prepositioned keying material; or"},{"id":"sc-12.3_obj.3","name":"objective","properties":[{"name":"label","value":"SC-12(3)[3]"}],"prose":"approved PKI Class 3 or Class 4 certificates and hardware security tokens that\n                     protect the user’s private key."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of NSA-approved cryptographic products\\n\\nlist of approved PKI Class 3 and Class 4 certificates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management\\n\\norganizational personnel with responsibilities for PKI certificates"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing asymmetric cryptographic\n                     key establishment and management"}]}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","parameters":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for\n               each use","constraints":[{"detail":"FIPS-validated or NSA-approved cryptography"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference","text":"FIPS Publication 140"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference","text":"http://csrc.nist.gov/cryptval"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference","text":"http://www.cnss.gov"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ sc-13_prm_1 }} in accordance with\n               applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including,\n               for example, the protection of classified and Controlled Unclassified Information,\n               the provision of digital signatures, and the enforcement of information separation\n               when authorized individuals have the necessary clearances for such information but\n               lack the necessary formal access approvals. Cryptography can also be used to support\n               random number generation and hash generation. Generally applicable cryptographic\n               standards include FIPS-validated cryptography and NSA-approved cryptography. This\n               control does not impose any requirements on organizations to use cryptography.\n               However, if cryptography is required based on the selection of other security\n               controls, organizations define each type of cryptographic use and the type of\n               cryptography required (e.g., protection of classified information: NSA-approved\n               cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and\n                  type of cryptography required for each use in accordance with applicable federal\n                  laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic module validation certificates\\n\\nlist of FIPS validated cryptographic modules\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","parameters":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed","constraints":[{"detail":"no exceptions"}]}],"properties":[{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following\n                  exceptions: {{ sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the\n                  devices."},{"id":"sc-15_fr","name":"item","title":"SC-15 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-15_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."}]}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards,\n               cameras, and microphones. Explicit indication of use includes, for example, signals\n               to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related","text":"AC-21"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","properties":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative\n                     computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing\n                     devices, except for organization-defined exceptions where remote activation is\n                     to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically\n                  present at the devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing collaborative computing\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for managing collaborative\n                  computing devices"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing management of remote\n                  activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing\n                  devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","parameters":[{"id":"sc-17_prm_1","label":"organization-defined certificate policy"}],"properties":[{"name":"label","value":"SC-17"},{"name":"sort-id","value":"sc-17"}],"links":[{"href":"#58ad6f27-af99-429f-86a8-8bb767b014b9","rel":"reference","text":"OMB Memorandum 05-24"},{"href":"#8f174e91-844e-4cf1-a72a-45c119a3a8dd","rel":"reference","text":"NIST Special Publication 800-32"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"}],"parts":[{"id":"sc-17_smt","name":"statement","prose":"The organization issues public key certificates under an {{ sc-17_prm_1 }} or obtains public key certificates from an approved\n               service provider."},{"id":"sc-17_gdn","name":"guidance","prose":"For all certificates, organizations manage information system trust stores to ensure\n               only approved trust anchors are in the trust stores. This control addresses both\n               certificates with visibility external to organizational information systems and\n               certificates related to the internal operations of systems, for example,\n               application-specific time services.","links":[{"href":"#sc-12","rel":"related","text":"SC-12"}]},{"id":"sc-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-17_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-17[1]"}],"prose":"defines a certificate policy for issuing public key certificates;"},{"id":"sc-17_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-17[2]"}],"prose":"issues public key certificates:","parts":[{"id":"sc-17_obj.2.a","name":"objective","properties":[{"name":"label","value":"SC-17[2][a]"}],"prose":"under an organization-defined certificate policy: or"},{"id":"sc-17_obj.2.b","name":"objective","properties":[{"name":"label","value":"SC-17[2][b]"}],"prose":"obtains public key certificates from an approved service provider."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing public key infrastructure certificates\\n\\npublic key certificate policy or policies\\n\\npublic key issuing process\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for issuing public key\n                  certificates\\n\\nservice providers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the management of public key\n                  infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","properties":[{"name":"label","value":"SC-18"},{"name":"sort-id","value":"sc-18"}],"links":[{"href":"#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","rel":"reference","text":"NIST Special Publication 800-28"},{"href":"#e6522953-6714-435d-a0d3-140df554c186","rel":"reference","text":"DoD Instruction 8552.01"}],"parts":[{"id":"sc-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes usage restrictions and implementation guidance for acceptable mobile\n                  code and mobile code technologies; and"},{"id":"sc-18_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Authorizes, monitors, and controls the use of mobile code within the information\n                  system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Decisions regarding the employment of mobile code within organizational information\n               systems are based on the potential for the code to cause damage to the systems if\n               used maliciously. Mobile code technologies include, for example, Java, JavaScript,\n               ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage\n               restrictions and implementation guidance apply to both the selection and use of\n               mobile code installed on servers and mobile code downloaded and executed on\n               individual workstations and devices (e.g., smart phones). Mobile code policy and\n               procedures address preventing the development, acquisition, or introduction of\n               unacceptable mobile code within organizational information systems.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"sc-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-18.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-18(a)"}],"prose":"defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj","name":"objective","properties":[{"name":"label","value":"SC-18(b)"}],"parts":[{"id":"sc-18.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-18(b)[1]"}],"prose":"establishes usage restrictions for acceptable mobile code and mobile code\n                     technologies;"},{"id":"sc-18.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-18(b)[2]"}],"prose":"establishes implementation guidance for acceptable mobile code and mobile code\n                     technologies;"}]},{"id":"sc-18.c_obj","name":"objective","properties":[{"name":"label","value":"SC-18(c)"}],"parts":[{"id":"sc-18.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-18(c)[1]"}],"prose":"authorizes the use of mobile code within the information system;"},{"id":"sc-18.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-18(c)[2]"}],"prose":"monitors the use of mobile code within the information system; and"},{"id":"sc-18.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-18(c)[3]"}],"prose":"controls the use of mobile code within the information system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing mobile code\\n\\nmobile code usage restrictions, mobile code implementation policy and\n                  procedures\\n\\nlist of acceptable mobile code and mobile code technologies\\n\\nlist of unacceptable mobile code and mobile technologies\\n\\nauthorization records\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing mobile code"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for controlling, authorizing, monitoring, and restricting\n                  mobile code\\n\\nautomated mechanisms supporting and/or implementing the management of mobile\n                  code\\n\\nautomated mechanisms supporting and/or implementing the monitoring of mobile\n                  code"}]}]},{"id":"sc-19","class":"SP800-53","title":"Voice Over Internet Protocol","properties":[{"name":"label","value":"SC-19"},{"name":"sort-id","value":"sc-19"}],"links":[{"href":"#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","rel":"reference","text":"NIST Special Publication 800-58"}],"parts":[{"id":"sc-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions and implementation guidance for Voice over Internet\n                  Protocol (VoIP) technologies based on the potential to cause damage to the\n                  information system if used maliciously; and"},{"id":"sc-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes, monitors, and controls the use of VoIP within the information\n                  system."}]},{"id":"sc-19_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-15","rel":"related","text":"SC-15"}]},{"id":"sc-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-19.a_obj","name":"objective","properties":[{"name":"label","value":"SC-19(a)"}],"parts":[{"id":"sc-19.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-19(a)[1]"}],"prose":"establishes usage restrictions for Voice over Internet Protocol (VoIP)\n                     technologies based on the potential to cause damage to the information system\n                     if used maliciously;"},{"id":"sc-19.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-19(a)[2]"}],"prose":"establishes implementation guidance for Voice over Internet Protocol (VoIP)\n                     technologies based on the potential to cause damage to the information system\n                     if used maliciously;"}]},{"id":"sc-19.b_obj","name":"objective","properties":[{"name":"label","value":"SC-19(b)"}],"parts":[{"id":"sc-19.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-19(b)[1]"}],"prose":"authorizes the use of VoIP within the information system;"},{"id":"sc-19.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-19(b)[2]"}],"prose":"monitors the use of VoIP within the information system; and"},{"id":"sc-19.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-19(b)[3]"}],"prose":"controls the use of VoIP within the information system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing VoIP\\n\\nVoIP usage restrictions\\n\\nVoIP implementation guidance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing VoIP"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling VoIP\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling VoIP"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name / Address Resolution Service (authoritative Source)","properties":[{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference","text":"OMB Memorandum 08-23"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification\n                  artifacts along with the authoritative name resolution data the system returns in\n                  response to external name/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the\n                  child supports secure resolution services) to enable verification of a chain of\n                  trust among parent and child domains, when operating as part of a distributed,\n                  hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet\n               clients, to obtain origin authentication and integrity verification assurances for\n               the host/service name to network address resolution information obtained through the\n               service. Information systems that provide name and address resolution services\n               include, for example, domain name system (DNS) servers. Additional artifacts include,\n               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS\n               resource records are examples of authoritative data. The means to indicate the\n               security status of child zones includes, for example, the use of delegation signer\n               resource records in the DNS. The DNS security controls reflect (and are referenced\n               from) OMB Memorandum 08-23. Information systems that use technologies other than the\n               DNS to map between host/service names and network addresses provide other means to\n               assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with\n                  the authoritative name resolution data the system returns in response to external\n                  name/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical\n                  namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","properties":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","properties":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the\n                     child supports secure resolution services)."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (authoritative\n                  source)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing secure name/address resolution\n                  service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name / Address Resolution Service (recursive or Caching Resolver)","properties":[{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data\n               integrity verification on the name/address resolution responses the system receives\n               from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own,\n               or has authenticated channels to trusted validation providers. Information systems\n               that provide name and address resolution services for local clients include, for\n               example, recursive resolving or caching domain name system (DNS) servers. DNS client\n               resolvers either perform validation of DNSSEC signatures, or clients use\n               authenticated channels to recursive resolvers that perform such validations.\n               Information systems that use technologies other than the DNS to map between\n               host/service names and network addresses provide other means to enable clients to\n               verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"sc-21_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (recursive or caching\n                  resolver)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing data origin authentication and\n                  data integrity verification for name/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name / Address Resolution Service","properties":[{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name/address resolution service for\n               an organization are fault-tolerant and implement internal/external role\n               separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for\n               example, domain name system (DNS) servers. To eliminate single points of failure and\n               to enhance redundancy, organizations employ at least two authoritative domain name\n               system servers, one configured as the primary server and the other configured as the\n               secondary server. Additionally, organizations typically deploy the servers in two\n               geographically separated network subnetworks (i.e., not located in the same physical\n               facility). For role separation, DNS servers with internal roles only process name and\n               address resolution requests from within organizations (i.e., from internal clients).\n               DNS servers with external roles only process name and address resolution information\n               requests from clients external to organizations (i.e., on external networks including\n               the Internet). Organizations specify clients that can access authoritative DNS\n               servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name/address\n               resolution service for an organization: ","parts":[{"id":"sc-22_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-22[2]"}],"prose":"implement internal/external role separation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing architecture and provisioning for name/address resolution\n                  service\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\nassessment results from independent, testing organizations\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing name/address resolution\n                  service for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","properties":[{"name":"label","value":"SC-23"},{"name":"sort-id","value":"sc-23"}],"links":[{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference","text":"NIST Special Publication 800-52"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"},{"href":"#1ebdf782-d95d-4a7b-8ec7-ee860951eced","rel":"reference","text":"NIST Special Publication 800-95"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"The information system protects the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"This control addresses communications protection at the session, versus packet level\n               (e.g., sessions in service-oriented architectures providing web-based services) and\n               establishes grounds for confidence at both ends of communications sessions in ongoing\n               identities of other parties and in the validity of information transmitted.\n               Authenticity protection includes, for example, protecting against man-in-the-middle\n               attacks/session hijacking and the insertion of false information into sessions.","links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-11","rel":"related","text":"SC-11"}]},{"id":"sc-23_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system protects the authenticity of communications\n               sessions."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing session authenticity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing session authenticity"}]}],"controls":[{"id":"sc-23.1","class":"SP800-53-enhancement","title":"Invalidate Session Identifiers at Logout","properties":[{"name":"label","value":"SC-23(1)"},{"name":"sort-id","value":"sc-23.01"}],"parts":[{"id":"sc-23.1_smt","name":"statement","prose":"The information system invalidates session identifiers upon user logout or other\n                  session termination."},{"id":"sc-23.1_gdn","name":"guidance","prose":"This control enhancement curtails the ability of adversaries from capturing and\n                  continuing to employ previously valid session IDs."},{"id":"sc-23.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system invalidates session identifiers upon user\n                  logout or other session termination."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing session authenticity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing session identifier\n                     invalidation upon session termination"}]}]}]},{"id":"sc-24","class":"SP800-53","title":"Fail in Known State","parameters":[{"id":"sc-24_prm_1","label":"organization-defined known-state"},{"id":"sc-24_prm_2","label":"organization-defined types of failures"},{"id":"sc-24_prm_3","label":"organization-defined system state information"}],"properties":[{"name":"label","value":"SC-24"},{"name":"sort-id","value":"sc-24"}],"parts":[{"id":"sc-24_smt","name":"statement","prose":"The information system fails to a {{ sc-24_prm_1 }} for {{ sc-24_prm_2 }} preserving {{ sc-24_prm_3 }} in\n               failure."},{"id":"sc-24_gdn","name":"guidance","prose":"Failure in a known state addresses security concerns in accordance with the\n               mission/business needs of organizations. Failure in a known secure state helps to\n               prevent the loss of confidentiality, integrity, or availability of information in the\n               event of failures of organizational information systems or system components. Failure\n               in a known safe state helps to prevent systems from failing to a state that may cause\n               injury to individuals or destruction to property. Preserving information system state\n               information facilitates system restart and return to the operational mode of\n               organizations with less disruption of mission/business processes.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#cp-12","rel":"related","text":"CP-12"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-24_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-24_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-24[1]"}],"prose":"the organization defines a known-state to which the information system is to fail\n                  in the event of a system failure;"},{"id":"sc-24_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-24[2]"}],"prose":"the organization defines types of failures for which the information system is to\n                  fail to an organization-defined known-state;"},{"id":"sc-24_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-24[3]"}],"prose":"the organization defines system state information to be preserved in the event of\n                  a system failure;"},{"id":"sc-24_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-24[4]"}],"prose":"the information system fails to the organization-defined known-state for\n                  organization-defined types of failures; and"},{"id":"sc-24_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-24[5]"}],"prose":"the information system preserves the organization-defined system state information\n                  in the event of a system failure."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing information system failure to known state\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of failures requiring information system to fail in a known state\\n\\nstate information to be preserved in system failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fail-in-known state\n                  capability\\n\\nautomated mechanisms preserving system state information in the event of a system\n                  failure"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","parameters":[{"id":"sc-28_prm_1","constraints":[{"detail":"confidentiality AND integrity"}]},{"id":"sc-28_prm_2","label":"organization-defined information at rest"}],"properties":[{"name":"label","value":"SC-28"},{"name":"sort-id","value":"sc-28"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference","text":"NIST Special Publication 800-56"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference","text":"NIST Special Publication 800-57"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"The information system protects the {{ sc-28_prm_1 }} of {{ sc-28_prm_2 }}.","parts":[{"id":"sc-28_fr","name":"item","title":"SC-28 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-28_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The organization supports the capability to use cryptographic mechanisms to protect information at rest."}]}]},{"id":"sc-28_gdn","name":"guidance","prose":"This control addresses the confidentiality and integrity of information at rest and\n               covers user information and system information. Information at rest refers to the\n               state of information when it is located on storage devices as specific components of\n               information systems. System-related information requiring protection includes, for\n               example, configurations or rule sets for firewalls, gateways, intrusion\n               detection/prevention systems, filtering routers, and authenticator content.\n               Organizations may employ different mechanisms to achieve confidentiality and\n               integrity protections, including the use of cryptographic mechanisms and file share\n               scanning. Integrity protection can be achieved, for example, by implementing\n               Write-Once-Read-Many (WORM) technologies. Organizations may also employ other\n               security controls including, for example, secure off-line storage in lieu of online\n               storage when adequate protection of information at rest cannot otherwise be achieved\n               and/or continuous monitoring to identify malicious code at rest.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sc-28_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-28_obj.1","name":"objective","properties":[{"name":"label","value":"SC-28[1]"}],"prose":"the organization defines information at rest requiring one or more of the\n                  following:","parts":[{"id":"sc-28_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-28[1][a]"}],"prose":"confidentiality protection; and/or"},{"id":"sc-28_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-28[1][b]"}],"prose":"integrity protection;"}]},{"id":"sc-28_obj.2","name":"objective","properties":[{"name":"label","value":"SC-28[2]"}],"prose":"the information system protects:","parts":[{"id":"sc-28_obj.2.a","name":"objective","properties":[{"name":"label","value":"SC-28[2][a]"}],"prose":"the confidentiality of organization-defined information at rest; and/or"},{"id":"sc-28_obj.2.b","name":"objective","properties":[{"name":"label","value":"SC-28[2][b]"}],"prose":"the integrity of organization-defined information at rest."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing protection of information at rest\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\nlist of information at rest requiring confidentiality and integrity\n                  protections\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing confidentiality and integrity\n                  protections for information at rest"}]}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","parameters":[{"id":"sc-28.1_prm_1","label":"organization-defined information"},{"id":"sc-28.1_prm_2","label":"organization-defined information system components","constraints":[{"detail":"all information system components storing customer data deemed sensitive"}]}],"properties":[{"name":"label","value":"SC-28(1)"},{"name":"sort-id","value":"sc-28.01"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to prevent unauthorized\n                  disclosure and modification of {{ sc-28.1_prm_1 }} on {{ sc-28.1_prm_2 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"Selection of cryptographic mechanisms is based on the need to protect the\n                  confidentiality and integrity of organizational information. The strength of\n                  mechanism is commensurate with the security category and/or classification of the\n                  information. This control enhancement applies to significant concentrations of\n                  digital media in organizational areas designated for media storage and also to\n                  limited quantities of media generally associated with information system\n                  components in operational environments (e.g., portable storage devices, mobile\n                  devices). Organizations have the flexibility to either encrypt all information on\n                  storage devices (i.e., full disk encryption) or encrypt specific data structures\n                  (e.g., files, records, or fields). Organizations employing cryptographic\n                  mechanisms to protect information at rest also consider cryptographic key\n                  management solutions.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#sc-12","rel":"related","text":"SC-12"}]},{"id":"sc-28.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-28.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-28(1)[1]"}],"prose":"the organization defines information requiring cryptographic protection;"},{"id":"sc-28.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-28(1)[2]"}],"prose":"the organization defines information system components with\n                     organization-defined information requiring cryptographic protection; and"},{"id":"sc-28.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-28(1)[3]"}],"prose":"the information system employs cryptographic mechanisms to prevent unauthorized\n                     disclosure and modification of organization-defined information on\n                     organization-defined information system components."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing protection of information at rest\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms implementing confidentiality and integrity protections\n                     for information at rest"}]}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","properties":[{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing\n               process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing\n               process by assigning each process a separate address space. Each information system\n               process has a distinct address space so that communication between processes is\n               performed in a manner controlled through the security functions, and one process\n               cannot modify the executing code of another process. Maintaining separate execution\n               domains for executing processes can be achieved, for example, by implementing\n               separate address spaces. This capability is available in most commercial operating\n               systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-39_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system maintains a separate execution domain for each\n               executing process."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\\n\\ninformation system architecture\\n\\nindependent verification and validation documentation\\n\\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers/integrators\\n\\ninformation system security architect"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing separate execution domains for\n                  each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","parameters":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"si-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually or whenever a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information\n                     integrity policy and associated system and information integrity controls;\n                     and"}]},{"id":"si-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ si-1_prm_2 }};\n                     and"},{"id":"si-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SI\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that\n                        addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity\n                        policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to\n                        organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and information integrity policy and associated system and\n                        information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with\n                        the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","parameters":[{"id":"si-2_prm_1","label":"organization-defined time period","constraints":[{"detail":"thirty (30) days of release of updates"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness\n                  and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management\n                  process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws\n               including potential vulnerabilities resulting from those flaws, and report this\n               information to designated organizational personnel with information security\n               responsibilities. Security-relevant software updates include, for example, patches,\n               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws\n               discovered during security assessments, continuous monitoring, incident response\n               activities, and system error handling. Organizations take advantage of available\n               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and\n               Exposures (CVE) databases in remediating flaws discovered in organizational\n               information systems. By incorporating flaw remediation into ongoing configuration\n               management processes, required/anticipated remediation actions can be tracked and\n               verified. Flaw remediation actions that can be tracked and verified include, for\n               example, determining whether organizations follow US-CERT guidance and Information\n               Assurance Vulnerability Alerts. Organization-defined time periods for updating\n               security-relevant software and firmware may vary based on a variety of factors\n               including, for example, the security category of the information system or the\n               criticality of the update (i.e., severity of the vulnerability related to the\n               discovered flaw). Some types of flaw remediation may require more testing than other\n               types. Organizations determine the degree and type of testing needed for the specific\n               type of flaw remediation activity under consideration and also the types of changes\n               that are to be configuration-managed. In some situations, organizations may determine\n               that the testing of software and/or firmware updates is not necessary or practical,\n               for example, when implementing simple anti-virus signature updates. Organizations may\n               also consider in testing decisions, whether security-relevant software or firmware\n               updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-11","rel":"related","text":"SI-11"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","properties":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","properties":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","properties":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software\n                     updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware\n                     updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the\n                     release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the\n                     release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management\n                  process."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nprocedures addressing configuration management\\n\\nlist of flaws and vulnerabilities potentially affecting the information system\\n\\nlist of recent security flaw remediation actions performed on the information\n                  system (e.g., list of installed patches, service packs, hot fixes, and other\n                  software updates to correct information system flaws)\\n\\ntest results from the installation of software and firmware updates to correct\n                  information system flaws\\n\\ninstallation/change control records for security-relevant software and firmware\n                  updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for flaw remediation\\n\\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information\n                  system flaws\\n\\norganizational process for installing software and firmware updates\\n\\nautomated mechanisms supporting and/or implementing reporting, and correcting\n                  information system flaws\\n\\nautomated mechanisms supporting and/or implementing testing software and firmware\n                  updates"}]}],"controls":[{"id":"si-2.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"label","value":"SI-2(1)"},{"name":"sort-id","value":"si-02.01"}],"parts":[{"id":"si-2.1_smt","name":"statement","prose":"The organization centrally manages the flaw remediation process."},{"id":"si-2.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of flaw\n                  remediation processes. Central management includes planning, implementing,\n                  assessing, authorizing, and monitoring the organization-defined, centrally managed\n                  flaw remediation security controls."},{"id":"si-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization centrally manages the flaw remediation process."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nautomated mechanisms supporting centralized management of flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of the flaw remediation\n                     process\\n\\nautomated mechanisms supporting and/or implementing central management of the\n                     flaw remediation process"}]}]},{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","parameters":[{"id":"si-2.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-2(2)"},{"name":"sort-id","value":"si-02.02"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms {{ si-2.2_prm_1 }} to\n                  determine the state of information system components with regard to flaw\n                  remediation."},{"id":"si-2.2_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"si-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(2)[1]"}],"prose":"defines a frequency to employ automated mechanisms to determine the state of\n                     information system components with regard to flaw remediation; and"},{"id":"si-2.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(2)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to\n                     determine the state of information system components with regard to flaw\n                     remediation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nautomated mechanisms supporting centralized management of flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms used to determine the state of information system\n                     components with regard to flaw remediation"}]}]},{"id":"si-2.3","class":"SP800-53-enhancement","title":"Time to Remediate Flaws / Benchmarks for Corrective Actions","parameters":[{"id":"si-2.3_prm_1","label":"organization-defined benchmarks"}],"properties":[{"name":"label","value":"SI-2(3)"},{"name":"sort-id","value":"si-02.03"}],"parts":[{"id":"si-2.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Measures the time between flaw identification and flaw remediation; and"},{"id":"si-2.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Establishes {{ si-2.3_prm_1 }} for taking corrective\n                     actions."}]},{"id":"si-2.3_gdn","name":"guidance","prose":"This control enhancement requires organizations to determine the current time it\n                  takes on the average to correct information system flaws after such flaws have\n                  been identified, and subsequently establish organizational benchmarks (i.e., time\n                  frames) for taking corrective actions. Benchmarks can be established by type of\n                  flaw and/or severity of the potential vulnerability if the flaw can be\n                  exploited."},{"id":"si-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(3)(a)"}],"prose":"measures the time between flaw identification and flaw remediation;","links":[{"href":"#si-2.3_smt.a","rel":"corresp","text":"SI-2(3)(a)"}]},{"id":"si-2.3.b_obj","name":"objective","properties":[{"name":"label","value":"SI-2(3)(b)"}],"parts":[{"id":"si-2.3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(3)(b)[1]"}],"prose":"defines benchmarks for taking corrective actions; and"},{"id":"si-2.3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(3)(b)[2]"}],"prose":"establishes organization-defined benchmarks for taking corrective\n                        actions."}],"links":[{"href":"#si-2.3_smt.b","rel":"corresp","text":"SI-2(3)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of benchmarks for taking corrective action on flaws identified\\n\\nrecords providing time stamps of flaw identification and subsequent flaw\n                     remediation activities\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information\n                     system flaws\\n\\nautomated mechanisms used to measure the time between flaw identification and\n                     flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","parameters":[{"id":"si-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]},{"id":"si-3_prm_2","constraints":[{"detail":"to include endpoints"}]},{"id":"si-3_prm_3","constraints":[{"detail":"to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime"}]},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit\n                  points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and\n                  procedures;"},{"id":"si-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in\n                     accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n                     {{ si-3_prm_3 }} in response to malicious code detection;\n                     and"}]},{"id":"si-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and\n                  eradication and the resulting potential impact on the availability of the\n                  information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations,\n               notebook computers, and mobile devices. Malicious code includes, for example,\n               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in\n               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden\n               files, or hidden in files using steganography. Malicious code can be transported by\n               different means including, for example, web accesses, electronic mail, electronic\n               mail attachments, and portable storage devices. Malicious code insertions occur\n               through the exploitation of information system vulnerabilities. Malicious code\n               protection mechanisms include, for example, anti-virus signature definitions and\n               reputation-based technologies. A variety of technologies and methods exist to limit\n               or eliminate the effects of malicious code. Pervasive configuration management and\n               comprehensive software integrity controls may be effective in preventing execution of\n               unauthorized code. In addition to commercial off-the-shelf software, malicious code\n               may also be present in custom-built software. This could include, for example, logic\n               bombs, back doors, and other types of cyber attacks that could affect organizational\n               missions/business functions. Traditional malicious code protection mechanisms cannot\n               always detect such code. In these situations, organizations rely instead on other\n               safeguards including, for example, secure coding practices, configuration management\n               and control, trusted procurement processes, and monitoring practices to help ensure\n               that software does not perform functions other than the functions intended.\n               Organizations may determine that in response to the detection of malicious code,\n               different actions may be warranted. For example, organizations can define actions in\n               response to malicious code detection during periodic scans, actions in response to\n               detection of malicious downloads, and/or actions in response to detection of\n               maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sa-13","rel":"related","text":"SA-13"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious\n                  code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and procedures\n                  (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","properties":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform\n                     periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response\n                     to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the\n                           organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and/or\n                           network entry/exit points as the files are downloaded, opened, or\n                           executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the\n                        following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection;\n                           and/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code\n                           detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","properties":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and\n                     eradication; and"},{"id":"si-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information\n                     system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nconfiguration management policy and procedures\\n\\nprocedures addressing malicious code protection\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nscan results from malicious code protection mechanisms\\n\\nrecord of actions initiated by malicious code protection mechanisms in response to\n                  malicious code detection\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for malicious code protection\\n\\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code\n                  protection mechanisms\\n\\norganizational process for addressing false positives and resulting potential\n                  impact\\n\\nautomated mechanisms supporting and/or implementing employing, updating, and\n                  configuring malicious code protection mechanisms\\n\\nautomated mechanisms supporting and/or implementing malicious code scanning and\n                  subsequent actions"}]}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"label","value":"SI-3(1)"},{"name":"sort-id","value":"si-03.01"}],"parts":[{"id":"si-3.1_smt","name":"statement","prose":"The organization centrally manages malicious code protection mechanisms."},{"id":"si-3.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of\n                  malicious code protection mechanisms. Central management includes planning,\n                  implementing, assessing, authorizing, and monitoring the organization-defined,\n                  centrally managed flaw malicious code protection security controls.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#si-8","rel":"related","text":"SI-8"}]},{"id":"si-3.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization centrally manages malicious code protection\n                  mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\nautomated mechanisms supporting centralized management of malicious code\n                     protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of malicious code protection\n                     mechanisms\\n\\nautomated mechanisms supporting and/or implementing central management of\n                     malicious code protection mechanisms"}]}]},{"id":"si-3.2","class":"SP800-53-enhancement","title":"Automatic Updates","properties":[{"name":"label","value":"SI-3(2)"},{"name":"sort-id","value":"si-03.02"}],"parts":[{"id":"si-3.2_smt","name":"statement","prose":"The information system automatically updates malicious code protection\n                  mechanisms."},{"id":"si-3.2_gdn","name":"guidance","prose":"Malicious code protection mechanisms include, for example, signature definitions.\n                  Due to information system integrity and availability concerns, organizations give\n                  careful consideration to the methodology used to carry out automatic updates.","links":[{"href":"#si-8","rel":"related","text":"SI-8"}]},{"id":"si-3.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system automatically updates malicious code\n                  protection mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\nautomated mechanisms supporting centralized management of malicious code\n                     protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing automatic updates to\n                     malicious code protection capability"}]}]},{"id":"si-3.7","class":"SP800-53-enhancement","title":"Nonsignature-based Detection","properties":[{"name":"label","value":"SI-3(7)"},{"name":"sort-id","value":"si-03.07"}],"parts":[{"id":"si-3.7_smt","name":"statement","prose":"The information system implements nonsignature-based malicious code detection\n                  mechanisms."},{"id":"si-3.7_gdn","name":"guidance","prose":"Nonsignature-based detection mechanisms include, for example, the use of\n                  heuristics to detect, analyze, and describe the characteristics or behavior of\n                  malicious code and to provide safeguards against malicious code for which\n                  signatures do not yet exist or for which existing signatures may not be effective.\n                  This includes polymorphic malicious code (i.e., code that changes signatures when\n                  it replicates). This control enhancement does not preclude the use of\n                  signature-based detection mechanisms."},{"id":"si-3.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements non signature-based malicious code\n                  detection mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\ninformation system design documentation\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing nonsignature-based\n                     malicious code protection capability"}]}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","parameters":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5"},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference","text":"NIST Special Publication 800-92"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference","text":"NIST Special Publication 800-94"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined\n                     essential information; and"},{"id":"si-4_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized\n                  access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations; and"},{"id":"si-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n                  {{ si-4_prm_5 }}."},{"id":"si-4_fr","name":"item","title":"SI-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See US-CERT Incident Response Reporting Guidelines."}]}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External\n               monitoring includes the observation of events occurring at the information system\n               boundary (i.e., part of perimeter defense and boundary protection). Internal\n               monitoring includes the observation of events occurring within the information\n               system. Organizations can monitor information systems, for example, by observing\n               audit activities in real time or by observing other system aspects such as access\n               patterns, characteristics of access, and other actions. The monitoring objectives may\n               guide determination of the events. Information system monitoring capability is\n               achieved through a variety of tools and techniques (e.g., intrusion detection\n               systems, intrusion prevention systems, malicious code protection software, scanning\n               tools, audit record monitoring software, network monitoring software). Strategic\n               locations for monitoring devices include, for example, selected perimeter locations\n               and near server farms supporting critical applications, with such devices typically\n               being employed at the managed interfaces associated with controls SC-7 and AC-17.\n               Einstein network monitoring devices from the Department of Homeland Security can also\n               be included as monitoring devices. The granularity of monitoring information\n               collected is based on organizational monitoring objectives and the capability of\n               information systems to support such objectives. Specific types of transactions of\n               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that\n               bypasses HTTP proxies. Information system monitoring is an integral part of\n               organizational continuous monitoring and incident response programs. Output from\n               system monitoring serves as input to continuous monitoring and incident response\n               programs. A network connection is any connection with a device that communicates\n               through a network (e.g., local area network, Internet). A remote connection is any\n               connection with a device communicating through an external network (e.g., the\n               Internet). Local, network, and remote connections can be either wired or\n               wireless.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-35","rel":"related","text":"SC-35"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential\n                        attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with\n                        organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","properties":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information\n                     system;"},{"id":"si-4.b.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through\n                     organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined\n                     essential information;"},{"id":"si-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from\n                  unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations;"},{"id":"si-4.g_obj","name":"objective","properties":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is\n                     to be provided;"},{"id":"si-4.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to\n                     organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system\n                     monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to\n                     organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and/or"},{"id":"si-4.g_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\\n\\nsystem and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\nfacility diagram/layout\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\nlocations within information system where monitoring devices are deployed\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system monitoring\n                  capability"}]}],"controls":[{"id":"si-4.1","class":"SP800-53-enhancement","title":"System-wide Intrusion Detection System","properties":[{"name":"label","value":"SI-4(1)"},{"name":"sort-id","value":"si-04.01"}],"parts":[{"id":"si-4.1_smt","name":"statement","prose":"The organization connects and configures individual intrusion detection tools into\n                  an information system-wide intrusion detection system."},{"id":"si-4.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(1)[1]"}],"prose":"connects individual intrusion detection tools into an information system-wide\n                     intrusion detection system; and"},{"id":"si-4.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(1)[2]"}],"prose":"configures individual intrusion detection tools into an information system-wide\n                     intrusion detection system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection\n                     capability"}]}]},{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools for Real-time Analysis","properties":[{"name":"label","value":"SI-4(2)"},{"name":"sort-id","value":"si-04.02"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"The organization employs automated tools to support near real-time analysis of\n                  events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools include, for example, host-based, network-based, transport-based,\n                  or storage-based event monitoring tools or Security Information and Event\n                  Management (SIEM) technologies that provide real time analysis of alerts and/or\n                  notifications generated by organizational information systems."},{"id":"si-4.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated tools to support near real-time\n                  analysis of events."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for incident\n                     response/management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for near real-time analysis of events\\n\\norganizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system\n                     monitoring\\n\\nautomated mechanisms/tools supporting and/or implementing analysis of\n                     events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","parameters":[{"id":"si-4.4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"continuously"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-4(4)"},{"name":"sort-id","value":"si-04.04"}],"parts":[{"id":"si-4.4_smt","name":"statement","prose":"The information system monitors inbound and outbound communications traffic\n                     {{ si-4.4_prm_1 }} for unusual or unauthorized activities or\n                  conditions."},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual/unauthorized activities or conditions related to information system\n                  inbound and outbound communications traffic include, for example, internal traffic\n                  that indicates the presence of malicious code within organizational information\n                  systems or propagating among system components, the unauthorized exporting of\n                  information, or signaling to external information systems. Evidence of malicious\n                  code is used to identify potentially compromised information systems or\n                  information system components."},{"id":"si-4.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(4)[1]"}],"prose":"defines a frequency to monitor:","parts":[{"id":"si-4.4_obj.1.a","name":"objective","properties":[{"name":"label","value":"SI-4(4)[1][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or\n                        conditions;"},{"id":"si-4.4_obj.1.b","name":"objective","properties":[{"name":"label","value":"SI-4(4)[1][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or\n                        conditions;"}]},{"id":"si-4.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(4)[2]"}],"prose":"monitors, with the organization-defined frequency:","parts":[{"id":"si-4.4_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-4(4)[2][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or\n                        conditions; and"},{"id":"si-4.4_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-4(4)[2][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or\n                        conditions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system protocols\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection\n                     capability/information system monitoring\\n\\nautomated mechanisms supporting and/or implementing monitoring of\n                     inbound/outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","parameters":[{"id":"si-4.5_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.5_prm_2","label":"organization-defined compromise indicators"}],"properties":[{"name":"label","value":"SI-4(5)"},{"name":"sort-id","value":"si-04.05"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"The information system alerts {{ si-4.5_prm_1 }} when the following\n                  indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}.","parts":[{"id":"si-4.5_fr","name":"item","title":"SI-4 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"In accordance with the incident response plan."}]}]},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including, for example, audit\n                  records or inputs from malicious code protection mechanisms, intrusion detection\n                  or prevention mechanisms, or boundary protection devices such as firewalls,\n                  gateways, and routers. Alerts can be transmitted, for example, telephonically, by\n                  electronic mail messages, or by text messaging. Organizational personnel on the\n                  notification list can include, for example, system administrators,\n                  mission/business owners, system owners, or information system security\n                  officers.","links":[{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#pe-6","rel":"related","text":"PE-6"}]},{"id":"si-4.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-4.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(5)[1]"}],"prose":"the organization defines compromise indicators for the information system;"},{"id":"si-4.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(5)[2]"}],"prose":"the organization defines personnel or roles to be alerted when indications of\n                     compromise or potential compromise occur; and"},{"id":"si-4.5_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(5)[3]"}],"prose":"the information system alerts organization-defined personnel or roles when\n                     organization-defined compromise indicators occur."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications generated based on compromise indicators\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing alerts for compromise\n                     indicators"}]}]},{"id":"si-4.11","class":"SP800-53-enhancement","title":"Analyze Communications Traffic Anomalies","parameters":[{"id":"si-4.11_prm_1","label":"organization-defined interior points within the system (e.g., subnetworks,\n                  subsystems)"}],"properties":[{"name":"label","value":"SI-4(11)"},{"name":"sort-id","value":"si-04.11"}],"parts":[{"id":"si-4.11_smt","name":"statement","prose":"The organization analyzes outbound communications traffic at the external boundary\n                  of the information system and selected {{ si-4.11_prm_1 }} to\n                  discover anomalies."},{"id":"si-4.11_gdn","name":"guidance","prose":"Anomalies within organizational information systems include, for example, large\n                  file transfers, long-time persistent connections, unusual protocols and ports in\n                  use, and attempted communications with suspected malicious external addresses."},{"id":"si-4.11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.11_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(11)[1]"}],"prose":"defines interior points within the system (e.g., subnetworks, subsystems) where\n                     communications traffic is to be analyzed;"},{"id":"si-4.11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(11)[2]"}],"prose":"analyzes outbound communications traffic to discover anomalies at:","parts":[{"id":"si-4.11_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-4(11)[2][a]"}],"prose":"the external boundary of the information system; and"},{"id":"si-4.11_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-4(11)[2][b]"}],"prose":"selected organization-defined interior points within the system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nnetwork diagram\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing analysis of communications\n                     traffic"}]}]},{"id":"si-4.14","class":"SP800-53-enhancement","title":"Wireless Intrusion Detection","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-4(14)"},{"name":"sort-id","value":"si-04.14"}],"parts":[{"id":"si-4.14_smt","name":"statement","prose":"The organization employs a wireless intrusion detection system to identify rogue\n                  wireless devices and to detect attack attempts and potential compromises/breaches\n                  to the information system."},{"id":"si-4.14_gdn","name":"guidance","prose":"Wireless signals may radiate beyond the confines of organization-controlled\n                  facilities. Organizations proactively search for unauthorized wireless connections\n                  including the conduct of thorough scans for unauthorized wireless access points.\n                  Scans are not limited to those areas within facilities containing information\n                  systems, but also include areas outside of facilities as needed, to verify that\n                  unauthorized wireless access points are not connected to the systems.","links":[{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-3","rel":"related","text":"IA-3"}]},{"id":"si-4.14_obj","name":"objective","prose":"Determine if the organization employs a wireless intrusion detection system\n                  to:","parts":[{"id":"si-4.14_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(14)[1]"}],"prose":"identify rogue wireless devices;"},{"id":"si-4.14_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(14)[2]"}],"prose":"detect attack attempts to the information system; and"},{"id":"si-4.14_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(14)[3]"}],"prose":"detect potential compromises/breaches to the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system protocols\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\\n\\nautomated mechanisms supporting and/or implementing wireless intrusion\n                     detection capability"}]}]},{"id":"si-4.16","class":"SP800-53-enhancement","title":"Correlate Monitoring Information","properties":[{"name":"label","value":"SI-4(16)"},{"name":"sort-id","value":"si-04.16"}],"parts":[{"id":"si-4.16_smt","name":"statement","prose":"The organization correlates information from monitoring tools employed throughout\n                  the information system."},{"id":"si-4.16_gdn","name":"guidance","prose":"Correlating information from different monitoring tools can provide a more\n                  comprehensive view of information system activity. The correlation of monitoring\n                  tools that usually work in isolation (e.g., host monitoring, network monitoring,\n                  anti-virus software) can provide an organization-wide view and in so doing, may\n                  reveal otherwise unseen attack patterns. Understanding the\n                  capabilities/limitations of diverse monitoring tools and how to maximize the\n                  utility of information generated by those tools can help organizations to build,\n                  operate, and maintain effective monitoring programs.","links":[{"href":"#au-6","rel":"related","text":"AU-6"}]},{"id":"si-4.16_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization correlates information from monitoring tools\n                  employed throughout the information system."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nevent correlation logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing correlation of information\n                     from monitoring tools"}]}]},{"id":"si-4.18","class":"SP800-53-enhancement","title":"Analyze Traffic / Covert Exfiltration","parameters":[{"id":"si-4.18_prm_1","label":"organization-defined interior points within the system (e.g., subsystems,\n                  subnetworks)"}],"properties":[{"name":"label","value":"SI-4(18)"},{"name":"sort-id","value":"si-04.18"}],"parts":[{"id":"si-4.18_smt","name":"statement","prose":"The organization analyzes outbound communications traffic at the external boundary\n                  of the information system (i.e., system perimeter) and at {{ si-4.18_prm_1 }} to detect covert exfiltration of information."},{"id":"si-4.18_gdn","name":"guidance","prose":"Covert means that can be used for the unauthorized exfiltration of organizational\n                  information include, for example, steganography."},{"id":"si-4.18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.18_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(18)[1]"}],"prose":"defines interior points within the system (e.g., subsystems, subnetworks) where\n                     communications traffic is to be analyzed;"},{"id":"si-4.18_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(18)[2]"}],"prose":"to detect covert exfiltration of information, analyzes outbound communications\n                     traffic at:","parts":[{"id":"si-4.18_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-4(18)[2][a]"}],"prose":"the external boundary of the information system (i.e., system perimeter);\n                        and"},{"id":"si-4.18_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-4(18)[2][b]"}],"prose":"organization-defined interior points within the system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nnetwork diagram\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection/system\n                     monitoring capability\\n\\nautomated mechanisms supporting and/or implementing analysis of outbound\n                     communications traffic"}]}]},{"id":"si-4.19","class":"SP800-53-enhancement","title":"Individuals Posing Greater Risk","parameters":[{"id":"si-4.19_prm_1","label":"organization-defined additional monitoring"},{"id":"si-4.19_prm_2","label":"organization-defined sources"}],"properties":[{"name":"label","value":"SI-4(19)"},{"name":"sort-id","value":"si-04.19"}],"parts":[{"id":"si-4.19_smt","name":"statement","prose":"The organization implements {{ si-4.19_prm_1 }} of individuals who\n                  have been identified by {{ si-4.19_prm_2 }} as posing an increased\n                  level of risk."},{"id":"si-4.19_gdn","name":"guidance","prose":"Indications of increased risk from individuals can be obtained from a variety of\n                  sources including, for example, human resource records, intelligence agencies, law\n                  enforcement organizations, and/or other credible sources. The monitoring of\n                  individuals is closely coordinated with management, legal, security, and human\n                  resources officials within organizations conducting such monitoring and complies\n                  with federal legislation, Executive Orders, policies, directives, regulations, and\n                  standards."},{"id":"si-4.19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.19_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(19)[1]"}],"prose":"defines sources that identify individuals who pose an increased level of\n                     risk;"},{"id":"si-4.19_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(19)[2]"}],"prose":"defines additional monitoring to be implemented on individuals who have been\n                     identified by organization-defined sources as posing an increased level of\n                     risk; and"},{"id":"si-4.19_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(19)[3]"}],"prose":"implements organization-defined additional monitoring of individuals who have\n                     been identified by organization-defined sources as posing an increased level of\n                     risk."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring\\n\\ninformation system design documentation\\n\\nlist of individuals who have been identified as posing an increased level of\n                     risk\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing system monitoring\n                     capability"}]}]},{"id":"si-4.20","class":"SP800-53-enhancement","title":"Privileged Users","parameters":[{"id":"si-4.20_prm_1","label":"organization-defined additional monitoring"}],"properties":[{"name":"label","value":"SI-4(20)"},{"name":"sort-id","value":"si-04.20"}],"parts":[{"id":"si-4.20_smt","name":"statement","prose":"The organization implements {{ si-4.20_prm_1 }} of privileged\n                  users."},{"id":"si-4.20_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.20_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(20)[1]"}],"prose":"defines additional monitoring to be implemented on privileged users; and"},{"id":"si-4.20_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(20)[2]"}],"prose":"implements organization-defined additional monitoring of privileged users;"}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nlist of privileged users\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing system monitoring\n                     capability"}]}]},{"id":"si-4.22","class":"SP800-53-enhancement","title":"Unauthorized Network Services","parameters":[{"id":"si-4.22_prm_1","label":"organization-defined authorization or approval processes"},{"id":"si-4.22_prm_2"},{"id":"si-4.22_prm_3","depends-on":"si-4.22_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-4(22)"},{"name":"sort-id","value":"si-04.22"}],"parts":[{"id":"si-4.22_smt","name":"statement","prose":"The information system detects network services that have not been authorized or\n                  approved by {{ si-4.22_prm_1 }} and {{ si-4.22_prm_2 }}."},{"id":"si-4.22_gdn","name":"guidance","prose":"Unauthorized or unapproved network services include, for example, services in\n                  service-oriented architectures that lack organizational verification or validation\n                  and therefore may be unreliable or serve as malicious rogues for valid\n                  services.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"si-4.22_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-4.22_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(22)[1]"}],"prose":"the organization defines authorization or approval processes for network\n                     services;"},{"id":"si-4.22_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(22)[2]"}],"prose":"the organization defines personnel or roles to be alerted upon detection of\n                     network services that have not been authorized or approved by\n                     organization-defined authorization or approval processes;"},{"id":"si-4.22_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(22)[3]"}],"prose":"the information system detects network services that have not been authorized\n                     or approved by organization-defined authorization or approval processes and\n                     does one or more of the following:","parts":[{"id":"si-4.22_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-4(22)[3][a]"}],"prose":"audits; and/or"},{"id":"si-4.22_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-4(22)[3][b]"}],"prose":"alerts organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ndocumented authorization/approval of network services\\n\\nnotifications or alerts of unauthorized network services\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing system monitoring\n                     capability\\n\\nautomated mechanisms for auditing network services\\n\\nautomated mechanisms for providing alerts"}]}]},{"id":"si-4.23","class":"SP800-53-enhancement","title":"Host-based Devices","parameters":[{"id":"si-4.23_prm_1","label":"organization-defined host-based monitoring mechanisms"},{"id":"si-4.23_prm_2","label":"organization-defined information system components"}],"properties":[{"name":"label","value":"SI-4(23)"},{"name":"sort-id","value":"si-04.23"}],"parts":[{"id":"si-4.23_smt","name":"statement","prose":"The organization implements {{ si-4.23_prm_1 }} at {{ si-4.23_prm_2 }}."},{"id":"si-4.23_gdn","name":"guidance","prose":"Information system components where host-based monitoring can be implemented\n                  include, for example, servers, workstations, and mobile devices. Organizations\n                  consider employing host-based monitoring mechanisms from multiple information\n                  technology product developers."},{"id":"si-4.23_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.23_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(23)[1]"}],"prose":"defines host-based monitoring mechanisms to be implemented;"},{"id":"si-4.23_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(23)[2]"}],"prose":"defines information system components where organization-defined host-based\n                     monitoring is to be implemented; and"},{"id":"si-4.23_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(23)[3]"}],"prose":"implements organization-defined host-based monitoring mechanisms at\n                     organization-defined information system components."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nhost-based monitoring mechanisms\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components requiring host-based monitoring\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring information system\n                     hosts"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing host-based monitoring\n                     capability"}]}]},{"id":"si-4.24","class":"SP800-53-enhancement","title":"Indicators of Compromise","properties":[{"name":"label","value":"SI-4(24)"},{"name":"sort-id","value":"si-04.24"}],"parts":[{"id":"si-4.24_smt","name":"statement","prose":"The information system discovers, collects, distributes, and uses indicators of\n                  compromise."},{"id":"si-4.24_gdn","name":"guidance","prose":"Indicators of compromise (IOC) are forensic artifacts from intrusions that are\n                  identified on organizational information systems (at the host or network level).\n                  IOCs provide organizations with valuable information on objects or information\n                  systems that have been compromised. IOCs for the discovery of compromised hosts\n                  can include for example, the creation of registry key values. IOCs for network\n                  traffic include, for example, Universal Resource Locator (URL) or protocol\n                  elements that indicate malware command and control servers. The rapid distribution\n                  and adoption of IOCs can improve information security by reducing the time that\n                  information systems and organizations are vulnerable to the same exploit or\n                  attack."},{"id":"si-4.24_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"si-4.24_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(24)[1]"}],"prose":"discovers indicators of compromise;"},{"id":"si-4.24_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(24)[2]"}],"prose":"collects indicators of compromise;"},{"id":"si-4.24_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(24)[3]"}],"prose":"distributes indicators of compromise; and"},{"id":"si-4.24_obj.4","name":"objective","properties":[{"name":"label","value":"SI-4(24)[4]"}],"prose":"uses indicators of compromise."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring information system\n                     hosts"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\norganizational processes for discovery, collection, distribution, and use of\n                     indicators of compromise\\n\\nautomated mechanisms supporting and/or implementing system monitoring\n                     capability\\n\\nautomated mechanisms supporting and/or implementing the discovery, collection,\n                     distribution, and use of indicators of compromise"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","parameters":[{"id":"si-5_prm_1","label":"organization-defined external organizations","constraints":[{"detail":"to include US-CERT"}]},{"id":"si-5_prm_2","constraints":[{"detail":"to include system security personnel and administrators with configuration/patch-management responsibilities"}]},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"properties":[{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from\n                     {{ si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed\n                  necessary;"},{"id":"si-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or\n                  notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security\n               alerts and advisories to maintain situational awareness across the federal\n               government. Security directives are issued by OMB or other designated organizations\n               with the responsibility and authority to issue such directives. Compliance to\n               security directives is essential due to the critical nature of many of these\n               directives and the potential immediate adverse effects on organizational operations\n               and assets, individuals, other organizations, and the Nation should the directives\n               not be implemented in a timely manner. External organizations include, for example,\n               external mission/business partners, supply chain partners, external service\n               providers, and other peer/supporting organizations.","links":[{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","properties":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts,\n                     advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from\n                     organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed\n                  necessary;"},{"id":"si-5.c_obj","name":"objective","properties":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives\n                     are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories,\n                     and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and\n                     directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the\n                     following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and/or"},{"id":"si-5.c_obj.4.c","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames;\n                     or"},{"id":"si-5.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\nrecords of security alerts and advisories\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                  information system\\n\\norganizational personnel, organizational elements, and/or external organizations\n                  to whom alerts, advisories, and directives are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and\n                  complying with security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing definition, receipt,\n                  generation, and dissemination of security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing security directives"}]}],"controls":[{"id":"si-5.1","class":"SP800-53-enhancement","title":"Automated Alerts and Advisories","properties":[{"name":"label","value":"SI-5(1)"},{"name":"sort-id","value":"si-05.01"}],"parts":[{"id":"si-5.1_smt","name":"statement","prose":"The organization employs automated mechanisms to make security alert and advisory\n                  information available throughout the organization."},{"id":"si-5.1_gdn","name":"guidance","prose":"The significant number of changes to organizational information systems and the\n                  environments in which those systems operate requires the dissemination of\n                  security-related information to a variety of organizational entities that have a\n                  direct interest in the success of organizational missions and business functions.\n                  Based on the information provided by the security alerts and advisories, changes\n                  may be required at one or more of the three tiers related to the management of\n                  information security risk including the governance level, mission/business\n                  process/enterprise architecture level, and the information system level."},{"id":"si-5.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to make security alert\n                  and advisory information available throughout the organization."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nautomated mechanisms supporting the distribution of security alert and advisory\n                     information\\n\\nrecords of security alerts and advisories\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                     information system\\n\\norganizational personnel, organizational elements, and/or external\n                     organizations to whom alerts and advisories are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, and disseminating\n                     security alerts and advisories\\n\\nautomated mechanisms supporting and/or implementing dissemination of security\n                     alerts and advisories"}]}]}]},{"id":"si-6","class":"SP800-53","title":"Security Function Verification","parameters":[{"id":"si-6_prm_1","label":"organization-defined security functions"},{"id":"si-6_prm_2"},{"id":"si-6_prm_3","depends-on":"si-6_prm_2","label":"organization-defined system transitional states","constraints":[{"detail":"to include upon system startup and/or restart"}]},{"id":"si-6_prm_4","depends-on":"si-6_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]},{"id":"si-6_prm_5","label":"organization-defined personnel or roles","constraints":[{"detail":"to include system administrators and security personnel"}]},{"id":"si-6_prm_6"},{"id":"si-6_prm_7","depends-on":"si-6_prm_6","label":"organization-defined alternative action(s)","constraints":[{"detail":"to include notification of system administrators and security personnel"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-6"},{"name":"sort-id","value":"si-06"}],"parts":[{"id":"si-6_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifies the correct operation of {{ si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Performs this verification {{ si-6_prm_2 }};"},{"id":"si-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Notifies {{ si-6_prm_5 }} of failed security verification tests;\n                  and"},{"id":"si-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"\n                  {{ si-6_prm_6 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for information systems include, for example, system startup,\n               restart, shutdown, and abort. Notifications provided by information systems include,\n               for example, electronic alerts to system administrators, messages to local computer\n               consoles, and/or hardware indications such as lights.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-6","rel":"related","text":"CM-6"}]},{"id":"si-6_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-6.a_obj","name":"objective","properties":[{"name":"label","value":"SI-6(a)"}],"parts":[{"id":"si-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(a)[1]"}],"prose":"the organization defines security functions to be verified for correct\n                     operation;"},{"id":"si-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-6(a)[2]"}],"prose":"the information system verifies the correct operation of organization-defined\n                     security functions;"}]},{"id":"si-6.b_obj","name":"objective","properties":[{"name":"label","value":"SI-6(b)"}],"parts":[{"id":"si-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(b)[1]"}],"prose":"the organization defines system transitional states requiring verification of\n                     organization-defined security functions;"},{"id":"si-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(b)[2]"}],"prose":"the organization defines a frequency to verify the correct operation of\n                     organization-defined security functions;"},{"id":"si-6.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-6(b)[3]"}],"prose":"the information system performs this verification one or more of the\n                     following:","parts":[{"id":"si-6.b_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-6(b)[3][a]"}],"prose":"at organization-defined system transitional states;"},{"id":"si-6.b_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-6(b)[3][b]"}],"prose":"upon command by user with appropriate privilege; and/or"},{"id":"si-6.b_obj.3.c","name":"objective","properties":[{"name":"label","value":"SI-6(b)[3][c]"}],"prose":"with the organization-defined frequency;"}]}]},{"id":"si-6.c_obj","name":"objective","properties":[{"name":"label","value":"SI-6(c)"}],"parts":[{"id":"si-6.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(c)[1]"}],"prose":"the organization defines personnel or roles to be notified of failed security\n                     verification tests;"},{"id":"si-6.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-6(c)[2]"}],"prose":"the information system notifies organization-defined personnel or roles of\n                     failed security verification tests;"}]},{"id":"si-6.d_obj","name":"objective","properties":[{"name":"label","value":"SI-6(d)"}],"parts":[{"id":"si-6.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(d)[1]"}],"prose":"the organization defines alternative action(s) to be performed when anomalies\n                     are discovered;"},{"id":"si-6.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-6(d)[2]"}],"prose":"the information system performs one or more of the following actions when\n                     anomalies are discovered:","parts":[{"id":"si-6.d_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-6(d)[2][a]"}],"prose":"shuts the information system down;"},{"id":"si-6.d_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-6(d)[2][b]"}],"prose":"restarts the information system; and/or"},{"id":"si-6.d_obj.2.c","name":"objective","properties":[{"name":"label","value":"SI-6(d)[2][c]"}],"prose":"performs organization-defined alternative action(s)."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing security function verification\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications of failed security verification tests\\n\\nlist of system transition states requiring security functionality verification\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security function verification responsibilities\\n\\norganizational personnel implementing, operating, and maintaining the information\n                  system\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security function verification\\n\\nautomated mechanisms supporting and/or implementing security function verification\n                  capability"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","parameters":[{"id":"si-7_prm_1","label":"organization-defined software, firmware, and information"}],"properties":[{"name":"label","value":"SI-7"},{"name":"sort-id","value":"si-07"}],"links":[{"href":"#6bf8d24a-78dc-4727-a2ac-0e64d71c495c","rel":"reference","text":"NIST Special Publication 800-147"},{"href":"#3878cc04-144a-483e-af62-8fe6f4ad6c7a","rel":"reference","text":"NIST Special Publication 800-155"}],"parts":[{"id":"si-7_smt","name":"statement","prose":"The organization employs integrity verification tools to detect unauthorized changes\n               to {{ si-7_prm_1 }}."},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors\n               or malicious activity (e.g., tampering). Software includes, for example, operating\n               systems (with key internal components such as kernels, drivers), middleware, and\n               applications. Firmware includes, for example, the Basic Input Output System (BIOS).\n               Information includes metadata such as security attributes associated with\n               information. State-of-the-practice integrity-checking mechanisms (e.g., parity\n               checks, cyclical redundancy checks, cryptographic hashes) and associated tools can\n               automatically monitor the integrity of information systems and hosted\n               applications.","links":[{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"si-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7_obj.1","name":"objective","properties":[{"name":"label","value":"SI-7[1]"}],"parts":[{"id":"si-7_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7[1][a]"}],"prose":"defines software requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"},{"id":"si-7_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7[1][b]"}],"prose":"defines firmware requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"},{"id":"si-7_obj.1.c","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7[1][c]"}],"prose":"defines information requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"}]},{"id":"si-7_obj.2","name":"objective","properties":[{"name":"label","value":"SI-7[2]"}],"prose":"employs integrity verification tools to detect unauthorized changes to\n                  organization-defined:","parts":[{"id":"si-7_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-7[2][a]"}],"prose":"software;"},{"id":"si-7_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-7[2][b]"}],"prose":"firmware; and"},{"id":"si-7_obj.2.c","name":"objective","properties":[{"name":"label","value":"SI-7[2][c]"}],"prose":"information."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords generated/triggered from integrity verification tools regarding\n                  unauthorized software, firmware, and information changes\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                  information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","parameters":[{"id":"si-7.1_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2"},{"id":"si-7.1_prm_3","depends-on":"si-7.1_prm_2","label":"organization-defined transitional states or security-relevant events","constraints":[{"detail":"selection to include security relevant events"}]},{"id":"si-7.1_prm_4","depends-on":"si-7.1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-7(1)"},{"name":"sort-id","value":"si-07.01"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"The information system performs an integrity check of {{ si-7.1_prm_1 }}\n                  {{ si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include, for example, the identification of a new threat\n                  to which organizational information systems are susceptible, and the installation\n                  of new hardware, software, or firmware. Transitional states include, for example,\n                  system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"si-7.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SI-7(1)[1][a]"}],"prose":"software requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SI-7(1)[1][b]"}],"prose":"firmware requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SI-7(1)[1][c]"}],"prose":"information requiring integrity checks to be performed;"}]},{"id":"si-7.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(1)[2]"}],"prose":"the organization defines transitional states or security-relevant events\n                     requiring integrity checks of organization-defined:","parts":[{"id":"si-7.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-7(1)[2][a]"}],"prose":"software;"},{"id":"si-7.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-7(1)[2][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.2.c","name":"objective","properties":[{"name":"label","value":"SI-7(1)[2][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(1)[3]"}],"prose":"the organization defines a frequency with which to perform an integrity check\n                     of organization-defined:","parts":[{"id":"si-7.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-7(1)[3][a]"}],"prose":"software;"},{"id":"si-7.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-7(1)[3][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.3.c","name":"objective","properties":[{"name":"label","value":"SI-7(1)[3][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-7(1)[4]"}],"prose":"the information system performs an integrity check of organization-defined\n                     software, firmware, and information one or more of the following:","parts":[{"id":"si-7.1_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-7(1)[4][a]"}],"prose":"at startup;"},{"id":"si-7.1_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-7(1)[4][b]"}],"prose":"at organization-defined transitional states or security-relevant events;\n                        and/or"},{"id":"si-7.1_obj.4.c","name":"objective","properties":[{"name":"label","value":"SI-7(1)[4][c]"}],"prose":"with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords of integrity scans\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.2","class":"SP800-53-enhancement","title":"Automated Notifications of Integrity Violations","parameters":[{"id":"si-7.2_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-7(2)"},{"name":"sort-id","value":"si-07.02"}],"parts":[{"id":"si-7.2_smt","name":"statement","prose":"The organization employs automated tools that provide notification to {{ si-7.2_prm_1 }} upon discovering discrepancies during integrity\n                  verification."},{"id":"si-7.2_gdn","name":"guidance","prose":"The use of automated tools to report integrity violations and to notify\n                  organizational personnel in a timely matter is an essential precursor to effective\n                  risk response. Personnel having an interest in integrity violations include, for\n                  example, mission/business owners, information system owners, systems\n                  administrators, software developers, systems integrators, and information security\n                  officers."},{"id":"si-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(2)[1]"}],"prose":"defines personnel or roles to whom notification is to be provided upon\n                     discovering discrepancies during integrity verification; and"},{"id":"si-7.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-7(2)[2]"}],"prose":"employs automated tools that provide notification to organization-defined\n                     personnel or roles upon discovering discrepancies during integrity\n                     verification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords of integrity scans\\n\\nautomated tools supporting alerts and notifications for integrity\n                     discrepancies\\n\\nalerts/notifications provided upon discovering discrepancies during integrity\n                     verifications\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools\\n\\nautomated mechanisms providing integrity discrepancy notifications"}]}]},{"id":"si-7.5","class":"SP800-53-enhancement","title":"Automated Response to Integrity Violations","parameters":[{"id":"si-7.5_prm_1"},{"id":"si-7.5_prm_2","depends-on":"si-7.5_prm_1","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SI-7(5)"},{"name":"sort-id","value":"si-07.05"}],"parts":[{"id":"si-7.5_smt","name":"statement","prose":"The information system automatically {{ si-7.5_prm_1 }} when\n                  integrity violations are discovered."},{"id":"si-7.5_gdn","name":"guidance","prose":"Organizations may define different integrity checking and anomaly responses: (i)\n                  by type of information (e.g., firmware, software, user data); (ii) by specific\n                  information (e.g., boot firmware, boot firmware for a specific types of machines);\n                  or (iii) a combination of both. Automatic implementation of specific safeguards\n                  within organizational information systems includes, for example, reversing the\n                  changes, halting the information system, or triggering audit alerts when\n                  unauthorized modifications to critical security files occur."},{"id":"si-7.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(5)[1]"}],"prose":"the organization defines security safeguards to be implemented when integrity\n                     violations are discovered;"},{"id":"si-7.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-7(5)[2]"}],"prose":"the information system automatically performs one or more of the following\n                     actions when integrity violations are discovered:","parts":[{"id":"si-7.5_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-7(5)[2][a]"}],"prose":"shuts the information system down;"},{"id":"si-7.5_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-7(5)[2][b]"}],"prose":"restarts the information system; and/or"},{"id":"si-7.5_obj.2.c","name":"objective","properties":[{"name":"label","value":"SI-7(5)[2][c]"}],"prose":"implements the organization-defined security safeguards."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords of integrity scans\\n\\nrecords of integrity checks and responses to integrity violations\\n\\ninformation audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools\\n\\nautomated mechanisms providing an automated response to integrity\n                     violations\\n\\nautomated mechanisms supporting and/or implementing security safeguards to be\n                     implemented when integrity violations are discovered"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","parameters":[{"id":"si-7.7_prm_1","label":"organization-defined security-relevant changes to the information\n                  system"}],"properties":[{"name":"label","value":"SI-7(7)"},{"name":"sort-id","value":"si-07.07"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"The organization incorporates the detection of unauthorized {{ si-7.7_prm_1 }} into the organizational incident response\n                  capability."},{"id":"si-7.7_gdn","name":"guidance","prose":"This control enhancement helps to ensure that detected events are tracked,\n                  monitored, corrected, and available for historical purposes. Maintaining\n                  historical records is important both for being able to identify and discern\n                  adversary actions over an extended period of time and for possible legal actions.\n                  Security-relevant changes include, for example, unauthorized changes to\n                  established configuration settings or unauthorized elevation of information system\n                  privileges.","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"si-7.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.7_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(7)[1]"}],"prose":"defines unauthorized security-relevant changes to the information system;\n                     and"},{"id":"si-7.7_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-7(7)[2]"}],"prose":"incorporates the detection of unauthorized organization-defined\n                     security-relevant changes to the information system into the organizational\n                     incident response capability."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\nprocedures addressing incident response\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response records\\n\\ninformation audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incorporating detection of unauthorized\n                     security-relevant changes into the incident response capability\\n\\nsoftware, firmware, and information integrity verification tools\\n\\nautomated mechanisms supporting and/or implementing incorporation of detection\n                     of unauthorized security-relevant changes into the incident response\n                     capability"}]}]},{"id":"si-7.14","class":"SP800-53-enhancement","title":"Binary or Machine Executable Code","properties":[{"name":"label","value":"SI-7(14)"},{"name":"sort-id","value":"si-07.14"}],"parts":[{"id":"si-7.14_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-7.14_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Prohibits the use of binary or machine-executable code from sources with\n                     limited or no warranty and without the provision of source code; and"},{"id":"si-7.14_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Provides exceptions to the source code requirement only for compelling\n                     mission/operational requirements and with the approval of the authorizing\n                     official."}]},{"id":"si-7.14_gdn","name":"guidance","prose":"This control enhancement applies to all sources of binary or machine-executable\n                  code including, for example, commercial software/firmware and open source\n                  software. Organizations assess software products without accompanying source code\n                  from sources with limited or no warranty for potential security impacts. The\n                  assessments address the fact that these types of software products may be very\n                  difficult to review, repair, or extend, given that organizations, in most cases,\n                  do not have access to the original source code, and there may be no owners who\n                  could make such repairs on behalf of organizations.","links":[{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"si-7.14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.14.a_obj","name":"objective","properties":[{"name":"label","value":"SI-7(14)(a)"}],"parts":[{"id":"si-7.14.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(14)(a)[1]"}],"prose":"prohibits the use of binary or machine-executable code from sources with\n                        limited or no warranty;"},{"id":"si-7.14.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(14)(a)[2]"}],"prose":"prohibits the use of binary or machine-executable code without the provision\n                        of source code;"}],"links":[{"href":"#si-7.14_smt.a","rel":"corresp","text":"SI-7(14)(a)"}]},{"id":"si-7.14.b_obj","name":"objective","properties":[{"name":"label","value":"SI-7(14)(b)"}],"parts":[{"id":"si-7.14.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-7(14)(b)[1]"}],"prose":"provides exceptions to the source code requirement only for compelling\n                        mission/operational requirements; and"},{"id":"si-7.14.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-7(14)(b)[2]"}],"prose":"provides exceptions to the source code requirement only with the approval of\n                        the authorizing official."}],"links":[{"href":"#si-7.14_smt.b","rel":"corresp","text":"SI-7(14)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\napproval records for execution of binary and machine-executable code\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nauthorizing official\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing prohibition of the\n                     execution of binary or machine-executable code"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","properties":[{"name":"label","value":"SI-8"},{"name":"sort-id","value":"si-08"}],"links":[{"href":"#c6e95ca0-5828-420e-b095-00895b72b5e8","rel":"reference","text":"NIST Special Publication 800-45"}],"parts":[{"id":"si-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs spam protection mechanisms at information system entry and exit points to\n                  detect and take action on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates spam protection mechanisms when new releases are available in accordance\n                  with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations, mobile\n               devices, and notebook/laptop computers. Spam can be transported by different means\n               including, for example, electronic mail, electronic mail attachments, and web\n               accesses. Spam protection mechanisms include, for example, signature definitions.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"si-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-8(a)"}],"prose":"employs spam protection mechanisms:","parts":[{"id":"si-8.a_obj.1","name":"objective","properties":[{"name":"label","value":"SI-8(a)[1]"}],"prose":"at information system entry points to detect unsolicited messages;"},{"id":"si-8.a_obj.2","name":"objective","properties":[{"name":"label","value":"SI-8(a)[2]"}],"prose":"at information system entry points to take action on unsolicited messages;"},{"id":"si-8.a_obj.3","name":"objective","properties":[{"name":"label","value":"SI-8(a)[3]"}],"prose":"at information system exit points to detect unsolicited messages;"},{"id":"si-8.a_obj.4","name":"objective","properties":[{"name":"label","value":"SI-8(a)[4]"}],"prose":"at information system exit points to take action on unsolicited messages;\n                     and"}]},{"id":"si-8.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-8(b)"}],"prose":"updates spam protection mechanisms when new releases are available in accordance\n                  with organizational configuration management policy and procedures."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nconfiguration management policy and procedures (CM-1)\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\nrecords of spam protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for implementing spam protection\\n\\nautomated mechanisms supporting and/or implementing spam protection"}]}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-8(1)"},{"name":"sort-id","value":"si-08.01"}],"parts":[{"id":"si-8.1_smt","name":"statement","prose":"The organization centrally manages spam protection mechanisms."},{"id":"si-8.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of spam\n                  protection mechanisms. Central management includes planning, implementing,\n                  assessing, authorizing, and monitoring the organization-defined, centrally managed\n                  spam protection security controls.","links":[{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-8.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization centrally manages spam protection mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of spam protection\\n\\nautomated mechanisms supporting and/or implementing central management of spam\n                     protection"}]}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-8(2)"},{"name":"sort-id","value":"si-08.02"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"The information system automatically updates spam protection mechanisms."},{"id":"si-8.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system automatically updates spam protection\n                  mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\nrecords of spam protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for spam protection\\n\\nautomated mechanisms supporting and/or implementing automatic updates to spam\n                     protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","parameters":[{"id":"si-10_prm_1","label":"organization-defined information inputs"}],"properties":[{"name":"label","value":"SI-10"},{"name":"sort-id","value":"si-10"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"The information system checks the validity of {{ si-10_prm_1 }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of information system inputs (e.g., character\n               set, length, numerical range, and acceptable values) verifies that inputs match\n               specified definitions for format and content. Software applications typically follow\n               well-defined protocols that use structured messages (i.e., commands or queries) to\n               communicate between software modules or system components. Structured messages can\n               contain raw or unstructured data interspersed with metadata or control information.\n               If software applications use attacker-supplied inputs to construct structured\n               messages without properly encoding such messages, then the attacker could insert\n               malicious commands or special characters that can cause the data to be interpreted as\n               control information or metadata. Consequently, the module or component that receives\n               the tainted output will perform the wrong operations or otherwise interpret the data\n               incorrectly. Prescreening inputs prior to passing to interpreters prevents the\n               content from being unintentionally interpreted as commands. Input validation helps to\n               ensure accurate and correct inputs and prevent attacks such as cross-site scripting\n               and a variety of injection attacks."},{"id":"si-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-10[1]"}],"prose":"the organization defines information inputs requiring validity checks; and"},{"id":"si-10_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-10[2]"}],"prose":"the information system checks the validity of organization-defined information\n                  inputs."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\naccess control policy and procedures\\n\\nseparation of duties policy and procedures\\n\\nprocedures addressing information input validation\\n\\ndocumentation for automated tools and applications to verify validity of\n                  information\\n\\nlist of information inputs requiring validity checks\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing validity checks on information\n                  inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","parameters":[{"id":"si-11_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-11"},{"name":"sort-id","value":"si-11"}],"parts":[{"id":"si-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Generates error messages that provide information necessary for corrective actions\n                  without revealing information that could be exploited by adversaries; and"},{"id":"si-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reveals error messages only to {{ si-11_prm_1 }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations carefully consider the structure/content of error messages. The extent\n               to which information systems are able to identify and handle error conditions is\n               guided by organizational policy and operational requirements. Information that could\n               be exploited by adversaries includes, for example, erroneous logon attempts with\n               passwords entered by mistake as the username, mission/business information that can\n               be derived from (if not stated explicitly by) information recorded, and personal\n               information such as account numbers, social security numbers, and credit card\n               numbers. In addition, error messages may provide a covert channel for transmitting\n               information.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#sc-31","rel":"related","text":"SC-31"}]},{"id":"si-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-11.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-11(a)"}],"prose":"the information system generates error messages that provide information necessary\n                  for corrective actions without revealing information that could be exploited by\n                  adversaries;"},{"id":"si-11.b_obj","name":"objective","properties":[{"name":"label","value":"SI-11(b)"}],"parts":[{"id":"si-11.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-11(b)[1]"}],"prose":"the organization defines personnel or roles to whom error messages are to be\n                     revealed; and"},{"id":"si-11.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-11(b)[2]"}],"prose":"the information system reveals error messages only to organization-defined\n                     personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system error handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ndocumentation providing structure/content of error messages\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for error handling\\n\\nautomated mechanisms supporting and/or implementing error handling\\n\\nautomated mechanisms supporting and/or implementing management of error\n                  messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","properties":[{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and\n               information output from the system in accordance with applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and operational\n               requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of\n               information, in some cases extending beyond the disposal of information systems. The\n               National Archives and Records Administration provides guidance on records\n               retention.","links":[{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and operational\n               requirements:","parts":[{"id":"si-12_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","properties":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","properties":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","properties":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nfederal laws, Executive Orders, directives, policies, regulations, standards, and\n                  operational requirements applicable to information handling and retention\\n\\nmedia protection policy and procedures\\n\\nprocedures addressing information system output handling and retention\\n\\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and\n                  retention\\n\\norganizational personnel with information security responsibilities/network\n                  administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\\n\\nautomated mechanisms supporting and/or implementing information handling and\n                  retention"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","parameters":[{"id":"si-16_prm_1","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SI-16"},{"name":"sort-id","value":"si-16"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"The information system implements {{ si-16_prm_1 }} to protect its\n               memory from unauthorized code execution."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable\n               regions of memory or in memory locations that are prohibited. Security safeguards\n               employed to protect memory include, for example, data execution prevention and\n               address space layout randomization. Data execution prevention safeguards can either\n               be hardware-enforced or software-enforced with hardware providing the greater\n               strength of mechanism.","links":[{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"si-16_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-16_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-16[1]"}],"prose":"the organization defines security safeguards to be implemented to protect\n                  information system memory from unauthorized code execution; and"},{"id":"si-16_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-16[2]"}],"prose":"the information system implements organization-defined security safeguards to\n                  protect its memory from unauthorized code execution."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing memory protection for the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security safeguards protecting information system memory from unauthorized\n                  code execution\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for memory protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing safeguards to protect\n                  information system memory from unauthorized code execution"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,\n               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.\n               731.106)."},"rlinks":[{"href":"http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https://www.cnss.gov/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"e6522953-6714-435d-a0d3-140df554c186","title":"DoD Instruction 8552.01","citation":{"text":"DoD Instruction 8552.01"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https://acquisition.gov/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http://www.fema.gov/pdf/about/offices/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http://www.dhs.gov/homeland-security-presidential-directive-12"}]},{"uuid":"4ef539ba-b767-4666-b0d3-168c53005fa3","title":"http://capec.mitre.org","citation":{"text":"http://capec.mitre.org"},"rlinks":[{"href":"http://capec.mitre.org"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http://checklists.nist.gov","citation":{"text":"http://checklists.nist.gov"},"rlinks":[{"href":"http://checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http://csrc.nist.gov/cryptval","citation":{"text":"http://csrc.nist.gov/cryptval"},"rlinks":[{"href":"http://csrc.nist.gov/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http://csrc.nist.gov/groups/STM/cmvp/index.html","citation":{"text":"http://csrc.nist.gov/groups/STM/cmvp/index.html"},"rlinks":[{"href":"http://csrc.nist.gov/groups/STM/cmvp/index.html"}]},{"uuid":"0931209f-00ae-4132-b92c-bc645847e8f9","title":"http://cve.mitre.org","citation":{"text":"http://cve.mitre.org"},"rlinks":[{"href":"http://cve.mitre.org"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http://cwe.mitre.org","citation":{"text":"http://cwe.mitre.org"},"rlinks":[{"href":"http://cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http://fips201ep.cio.gov","citation":{"text":"http://fips201ep.cio.gov"},"rlinks":[{"href":"http://fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http://idmanagement.gov","citation":{"text":"http://idmanagement.gov"},"rlinks":[{"href":"http://idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http://nvd.nist.gov","citation":{"text":"http://nvd.nist.gov"},"rlinks":[{"href":"http://nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http://www.acquisition.gov/far","citation":{"text":"http://www.acquisition.gov/far"},"rlinks":[{"href":"http://www.acquisition.gov/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http://www.cnss.gov","citation":{"text":"http://www.cnss.gov"},"rlinks":[{"href":"http://www.cnss.gov"}]},{"uuid":"3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","title":"http://www.dhs.gov/telecommunications-service-priority-tsp","citation":{"text":"http://www.dhs.gov/telecommunications-service-priority-tsp"},"rlinks":[{"href":"http://www.dhs.gov/telecommunications-service-priority-tsp"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http://www.niap-ccevs.org","citation":{"text":"http://www.niap-ccevs.org"},"rlinks":[{"href":"http://www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http://www.nsa.gov","citation":{"text":"http://www.nsa.gov"},"rlinks":[{"href":"http://www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml","citation":{"text":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"},"rlinks":[{"href":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http://www.us-cert.gov","citation":{"text":"http://www.us-cert.gov"},"rlinks":[{"href":"http://www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO/IEC 15408","citation":{"text":"ISO/IEC 15408"},"rlinks":[{"href":"http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"}]},{"uuid":"fb5844de-ff96-47c0-b258-4f52bcc2f30d","title":"National Communications Systems Directive 3-10","citation":{"text":"National Communications Systems Directive 3-10"}},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http://www.nist.gov/nstic"}]},{"uuid":"bdd2f49e-edf7-491f-a178-4487898228f3","title":"NIST Interagency Report 7622","citation":{"text":"NIST Interagency Report 7622"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7622"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-137"}]},{"uuid":"6bf8d24a-78dc-4727-a2ac-0e64d71c495c","title":"NIST Special Publication 800-147","citation":{"text":"NIST Special Publication 800-147"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-147"}]},{"uuid":"3878cc04-144a-483e-af62-8fe6f4ad6c7a","title":"NIST Special Publication 800-155","citation":{"text":"NIST Special Publication 800-155"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-155"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-16"}]},{"uuid":"8ab6bcdc-339b-4068-b45e-994814a6e187","title":"NIST Special Publication 800-161","citation":{"text":"NIST Special Publication 800-161"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-161"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-23"}]},{"uuid":"21b1ed35-56d2-40a8-bdfe-b461fffe322f","title":"NIST Special Publication 800-27","citation":{"text":"NIST Special Publication 800-27"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-27"}]},{"uuid":"e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","title":"NIST Special Publication 800-28","citation":{"text":"NIST Special Publication 800-28"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-28"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-30"}]},{"uuid":"8f174e91-844e-4cf1-a72a-45c119a3a8dd","title":"NIST Special Publication 800-32","citation":{"text":"NIST Special Publication 800-32"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-32"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-41"}]},{"uuid":"c6e95ca0-5828-420e-b095-00895b72b5e8","title":"NIST Special Publication 800-45","citation":{"text":"NIST Special Publication 800-45"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-45"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-50"}]},{"uuid":"90c5bc98-f9c4-44c9-98b7-787422f0999c","title":"NIST Special Publication 800-52","citation":{"text":"NIST Special Publication 800-52"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-52"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-57"}]},{"uuid":"7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","title":"NIST Special Publication 800-58","citation":{"text":"NIST Special Publication 800-58"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-58"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-94"}]},{"uuid":"1ebdf782-d95d-4a7b-8ec7-ee860951eced","title":"NIST Special Publication 800-95","citation":{"text":"NIST Special Publication 800-95"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-95"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-97"}]},{"uuid":"06dff0ea-3848-4945-8d91-e955ee69f05d","title":"NSTISSI No. 7003","citation":{"text":"NSTISSI No. 7003"},"rlinks":[{"href":"http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http://www.whitehouse.gov/omb/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http://www.whitehouse.gov/omb/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"}]},{"uuid":"58ad6f27-af99-429f-86a8-8bb767b014b9","title":"OMB Memorandum 05-24","citation":{"text":"OMB Memorandum 05-24"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n            (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n               (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http://www.us-cert.gov/ncas/alerts"}]},{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and Regulations","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-citations"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-acronyms"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","desc":"FedRAMP Logo","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-logo"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}]},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","title":"NIST Special Publication (SP) 800-53","properties":[{"name":"version","ns":"https://fedramp.gov/ns/oscal","value":"Revision 4"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml","media-type":"application/xml"}]}]}}}
\ No newline at end of file
diff --git a/content/fedramp.gov/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json b/content/fedramp.gov/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json
deleted file mode 100644
index eb3435c0f8..0000000000
--- a/content/fedramp.gov/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json
+++ /dev/null
@@ -1,99007 +0,0 @@
-{
-  "catalog": {
-    "uuid": "a8ace2a3-4082-40eb-be07-0b0cd7bb4c15",
-    "metadata": {
-      "title": "FedRAMP High Baseline",
-      "published": "2020-06-01T00:00:00.000-04:00",
-      "last-modified": "2020-06-01T10:00:00.000-04:00",
-      "version": "1.2",
-      "oscal-version": "1.0.0-milestone3",
-      "properties": [
-        {
-          "name": "resolution-timestamp",
-          "value": "2020-08-31T17:38:24.694738Z"
-        }
-      ],
-      "links": [
-        {
-          "href": "FedRAMP_HIGH-baseline_profile.xml",
-          "rel": "resolution-source",
-          "text": "FedRAMP High Baseline"
-        }
-      ],
-      "roles": [
-        {
-          "id": "parpared-by",
-          "title": "Document creator"
-        },
-        {
-          "id": "fedramp-pmo",
-          "title": "The FedRAMP Program Management Office (PMO)",
-          "short-name": "CSP"
-        },
-        {
-          "id": "fedramp-jab",
-          "title": "The FedRAMP Joint Authorization Board (JAB)",
-          "short-name": "CSP"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Program Management Office",
-          "short-name": "FedRAMP PMO",
-          "links": [
-            {
-              "href": "https://fedramp.gov",
-              "rel": "homepage",
-              "text": ""
-            }
-          ],
-          "addresses": [
-            {
-              "type": "work",
-              "postal-address": [
-                "1800 F St. NW",
-                ""
-              ],
-              "city": "Washington",
-              "state": "DC",
-              "postal-code": "",
-              "country": "US"
-            }
-          ],
-          "email-addresses": [
-            "info@fedramp.gov"
-          ]
-        },
-        {
-          "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Joint Authorization Board",
-          "short-name": "FedRAMP JAB"
-        }
-      ],
-      "responsible-parties": {
-        "prepared-by": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-pmo": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-jab": {
-          "party-uuids": [
-            "ca9ba80e-1342-4bfd-b32a-abac468c24b4"
-          ]
-        }
-      }
-    },
-    "groups": [
-      {
-        "id": "ac",
-        "class": "family",
-        "title": "Access Control",
-        "controls": [
-          {
-            "id": "ac-1",
-            "class": "SP800-53",
-            "title": "Access Control Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ac-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ac-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ac-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ac-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An access control policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ac-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the access control policy and\n                     associated access controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ac-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Access control policy {{ ac-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ac-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Access control procedures {{ ac-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an access control policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ac-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ac-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the access control policy are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ac-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the access control policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        access control policy and associated access control controls;"
-                          },
-                          {
-                            "id": "ac-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ac-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current access control\n                        policy;"
-                          },
-                          {
-                            "id": "ac-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current access control policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current access control\n                        procedures; and"
-                          },
-                          {
-                            "id": "ac-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current access control procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-2",
-            "class": "SP800-53",
-            "title": "Account Management",
-            "parameters": [
-              {
-                "id": "ac-2_prm_1",
-                "label": "organization-defined information system account types"
-              },
-              {
-                "id": "ac-2_prm_2",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ac-2_prm_3",
-                "label": "organization-defined procedures or conditions"
-              },
-              {
-                "id": "ac-2_prm_4",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "monthly for privileged accessed, every six (6) months for non-privileged access"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies and selects the following types of information system accounts to\n                  support organizational missions/business functions: {{ ac-2_prm_1 }};"
-                  },
-                  {
-                    "id": "ac-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assigns account managers for information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Establishes conditions for group and role membership;"
-                  },
-                  {
-                    "id": "ac-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Specifies authorized users of the information system, group and role membership,\n                  and access authorizations (i.e., privileges) and other attributes (as required)\n                  for each account;"
-                  },
-                  {
-                    "id": "ac-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Requires approvals by {{ ac-2_prm_2 }} for requests to create\n                  information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Creates, enables, modifies, disables, and removes information system accounts in\n                  accordance with {{ ac-2_prm_3 }};"
-                  },
-                  {
-                    "id": "ac-2_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Monitors the use of information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.h",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "h."
-                      }
-                    ],
-                    "prose": "Notifies account managers:",
-                    "parts": [
-                      {
-                        "id": "ac-2_smt.h.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "When accounts are no longer required;"
-                      },
-                      {
-                        "id": "ac-2_smt.h.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "When users are terminated or transferred; and"
-                      },
-                      {
-                        "id": "ac-2_smt.h.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "When individual information system usage or need-to-know changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2_smt.i",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "i."
-                      }
-                    ],
-                    "prose": "Authorizes access to the information system based on:",
-                    "parts": [
-                      {
-                        "id": "ac-2_smt.i.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A valid access authorization;"
-                      },
-                      {
-                        "id": "ac-2_smt.i.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Intended system usage; and"
-                      },
-                      {
-                        "id": "ac-2_smt.i.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Other attributes as required by the organization or associated\n                     missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2_smt.j",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "j."
-                      }
-                    ],
-                    "prose": "Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and"
-                  },
-                  {
-                    "id": "ac-2_smt.k",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "k."
-                      }
-                    ],
-                    "prose": "Establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_gdn",
-                "name": "guidance",
-                "prose": "Information system account types include, for example, individual, shared, group,\n               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and\n               service. Some of the account management requirements listed above can be implemented\n               by organizational information systems. The identification of authorized users of the\n               information system and the specification of access privileges reflects the\n               requirements in other security controls in the security plan. Users requiring\n               administrative privileges on information system accounts receive additional scrutiny\n               by appropriate organizational personnel (e.g., system owner, mission/business owner,\n               or chief information security officer) responsible for approving such accounts and\n               privileged access. Organizations may choose to define access privileges or other\n               attributes by account, by type of account, or a combination of both. Other attributes\n               required for authorizing access include, for example, restrictions on time-of-day,\n               day-of-week, and point-of-origin. In defining other account attributes, organizations\n               consider system-related requirements (e.g., scheduled maintenance, system upgrades)\n               and mission/business requirements, (e.g., time zone differences, customer\n               requirements, remote access to support travel requirements). Failure to consider\n               these factors could affect information system availability. Temporary and emergency\n               accounts are accounts intended for short-term use. Organizations establish temporary\n               accounts as a part of normal account activation procedures when there is a need for\n               short-term accounts without the demand for immediacy in account activation.\n               Organizations establish emergency accounts in response to crisis situations and with\n               the need for rapid account activation. Therefore, emergency account activation may\n               bypass normal account authorization processes. Emergency and temporary accounts are\n               not to be confused with infrequently used accounts (e.g., local logon accounts used\n               for special tasks defined by organizations or when network resources are\n               unavailable). Such accounts remain available and are not subject to automatic\n               disabling or removal dates. Conditions for disabling or deactivating accounts\n               include, for example: (i) when shared/group, emergency, or temporary accounts are no\n               longer required; or (ii) when individuals are transferred or terminated. Some types\n               of information system accounts may require specialized training.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-10",
-                    "rel": "related",
-                    "text": "AC-10"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system account types to be identified and selected to\n                     support organizational missions/business functions;"
-                      },
-                      {
-                        "id": "ac-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(a)[2]"
-                          }
-                        ],
-                        "prose": "identifies and selects organization-defined information system account types to\n                     support organizational missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(b)"
-                      }
-                    ],
-                    "prose": "assigns account managers for information system accounts;"
-                  },
-                  {
-                    "id": "ac-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(c)"
-                      }
-                    ],
-                    "prose": "establishes conditions for group and role membership;"
-                  },
-                  {
-                    "id": "ac-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(d)"
-                      }
-                    ],
-                    "prose": "specifies for each account (as required):",
-                    "parts": [
-                      {
-                        "id": "ac-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[1]"
-                          }
-                        ],
-                        "prose": "authorized users of the information system;"
-                      },
-                      {
-                        "id": "ac-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[2]"
-                          }
-                        ],
-                        "prose": "group and role membership;"
-                      },
-                      {
-                        "id": "ac-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[3]"
-                          }
-                        ],
-                        "prose": "access authorizations (i.e., privileges);"
-                      },
-                      {
-                        "id": "ac-2.d_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[4]"
-                          }
-                        ],
-                        "prose": "other attributes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles required to approve requests to create information\n                     system accounts;"
-                      },
-                      {
-                        "id": "ac-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(e)[2]"
-                          }
-                        ],
-                        "prose": "requires approvals by organization-defined personnel or roles for requests to\n                     create information system accounts;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines procedures or conditions to:",
-                        "parts": [
-                          {
-                            "id": "ac-2.f_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][a]"
-                              }
-                            ],
-                            "prose": "create information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][b]"
-                              }
-                            ],
-                            "prose": "enable information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][c]"
-                              }
-                            ],
-                            "prose": "modify information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][d]"
-                              }
-                            ],
-                            "prose": "disable information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][e]"
-                              }
-                            ],
-                            "prose": "remove information system accounts;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(f)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with organization-defined procedures or conditions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.f_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][a]"
-                              }
-                            ],
-                            "prose": "creates information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][b]"
-                              }
-                            ],
-                            "prose": "enables information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][c]"
-                              }
-                            ],
-                            "prose": "modifies information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][d]"
-                              }
-                            ],
-                            "prose": "disables information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][e]"
-                              }
-                            ],
-                            "prose": "removes information system accounts;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(g)"
-                      }
-                    ],
-                    "prose": "monitors the use of information system accounts;"
-                  },
-                  {
-                    "id": "ac-2.h_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(h)"
-                      }
-                    ],
-                    "prose": "notifies account managers:",
-                    "parts": [
-                      {
-                        "id": "ac-2.h.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(1)"
-                          }
-                        ],
-                        "prose": "when accounts are no longer required;"
-                      },
-                      {
-                        "id": "ac-2.h.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(2)"
-                          }
-                        ],
-                        "prose": "when users are terminated or transferred;"
-                      },
-                      {
-                        "id": "ac-2.h.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(3)"
-                          }
-                        ],
-                        "prose": "when individual information system usage or need to know changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.i_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(i)"
-                      }
-                    ],
-                    "prose": "authorizes access to the information system based on;",
-                    "parts": [
-                      {
-                        "id": "ac-2.i.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(1)"
-                          }
-                        ],
-                        "prose": "a valid access authorization;"
-                      },
-                      {
-                        "id": "ac-2.i.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(2)"
-                          }
-                        ],
-                        "prose": "intended system usage;"
-                      },
-                      {
-                        "id": "ac-2.i.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(3)"
-                          }
-                        ],
-                        "prose": "other attributes as required by the organization or associated\n                     missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.j_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(j)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.j_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(j)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review accounts for compliance with account management\n                     requirements;"
-                      },
-                      {
-                        "id": "ac-2.j_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(j)[2]"
-                          }
-                        ],
-                        "prose": "reviews accounts for compliance with account management requirements with the\n                     organization-defined frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.k_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(k)"
-                      }
-                    ],
-                    "prose": "establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of active system accounts along with the name of the individual associated\n                  with each account\\n\\nlist of conditions for group and role membership\\n\\nnotifications or records of recently transferred, separated, or terminated\n                  employees\\n\\nlist of recently disabled information system accounts along with the name of the\n                  individual associated with each account\\n\\naccess authorization records\\n\\naccount management compliance reviews\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes account management on the information system\\n\\nautomated mechanisms for implementing account management"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated System Account Management",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to support the management of\n                  information system accounts."
-                  },
-                  {
-                    "id": "ac-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "The use of automated mechanisms can include, for example: using email or text\n                  messaging to automatically notify account managers when users are terminated or\n                  transferred; using the information system to monitor account usage; and using\n                  telephonic notification to report atypical system account usage."
-                  },
-                  {
-                    "id": "ac-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to support the\n                  management of information system accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Removal of Temporary / Emergency Accounts",
-                "parameters": [
-                  {
-                    "id": "ac-2.2_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "Selection: disables"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.2_prm_2",
-                    "label": "organization-defined time period for each type of account",
-                    "constraints": [
-                      {
-                        "detail": "24 hours from last use"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.2_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically {{ ac-2.2_prm_1 }} temporary\n                  and emergency accounts after {{ ac-2.2_prm_2 }}."
-                  },
-                  {
-                    "id": "ac-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement requires the removal of both temporary and emergency\n                  accounts automatically after a predefined period of time has elapsed, rather than\n                  at the convenience of the systems administrator."
-                  },
-                  {
-                    "id": "ac-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period after which the information system\n                     automatically removes or disables temporary and emergency accounts; and"
-                      },
-                      {
-                        "id": "ac-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(2)[2]"
-                          }
-                        ],
-                        "prose": "the information system automatically removes or disables temporary and\n                     emergency accounts after the organization-defined time period for each type of\n                     account."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of temporary accounts removed and/or\n                     disabled\\n\\ninformation system-generated list of emergency accounts removed and/or\n                     disabled\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Disable Inactive Accounts",
-                "parameters": [
-                  {
-                    "id": "ac-2.3_prm_1",
-                    "label": "organization-defined time period",
-                    "constraints": [
-                      {
-                        "detail": "35 days for user accounts"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.3_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically disables inactive accounts after {{ ac-2.3_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ac-2.3_fr",
-                        "name": "item",
-                        "title": "AC-2 (3) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.3_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(3)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period after which the information system\n                     automatically disables inactive accounts; and"
-                      },
-                      {
-                        "id": "ac-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(3)[2]"
-                          }
-                        ],
-                        "prose": "the information system automatically disables inactive accounts after the\n                     organization-defined time period."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of temporary accounts removed and/or\n                     disabled\\n\\ninformation system-generated list of emergency accounts removed and/or\n                     disabled\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.4",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Audit Actions",
-                "parameters": [
-                  {
-                    "id": "ac-2.4_prm_1",
-                    "label": "organization-defined personnel or roles",
-                    "constraints": [
-                      {
-                        "detail": "organization and/or service provider system owner"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.4_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically audits account creation, modification,\n                  enabling, disabling, and removal actions, and notifies {{ ac-2.4_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-2.4_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-2.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(4)[1]"
-                          }
-                        ],
-                        "prose": "the information system automatically audits the following account actions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.4_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][a]"
-                              }
-                            ],
-                            "prose": "creation;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][b]"
-                              }
-                            ],
-                            "prose": "modification;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][c]"
-                              }
-                            ],
-                            "prose": "enabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][d]"
-                              }
-                            ],
-                            "prose": "disabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.1.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][e]"
-                              }
-                            ],
-                            "prose": "removal;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(4)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to be notified of the following\n                     account actions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.4_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][a]"
-                              }
-                            ],
-                            "prose": "creation;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][b]"
-                              }
-                            ],
-                            "prose": "modification;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][c]"
-                              }
-                            ],
-                            "prose": "enabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][d]"
-                              }
-                            ],
-                            "prose": "disabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.2.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][e]"
-                              }
-                            ],
-                            "prose": "removal;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.4_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(4)[3]"
-                          }
-                        ],
-                        "prose": "the information system notifies organization-defined personnel or roles of the\n                     following account actions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.4_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][a]"
-                              }
-                            ],
-                            "prose": "creation;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][b]"
-                              }
-                            ],
-                            "prose": "modification;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][c]"
-                              }
-                            ],
-                            "prose": "enabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.3.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][d]"
-                              }
-                            ],
-                            "prose": "disabling; and"
-                          },
-                          {
-                            "id": "ac-2.4_obj.3.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][e]"
-                              }
-                            ],
-                            "prose": "removal."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nnotifications/alerts of account creation, modification, enabling, disabling,\n                     and removal actions\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.5",
-                "class": "SP800-53-enhancement",
-                "title": "Inactivity Logout",
-                "parameters": [
-                  {
-                    "id": "ac-2.5_prm_1",
-                    "label": "organization-defined time-period of expected inactivity or description of when\n                  to log out",
-                    "constraints": [
-                      {
-                        "detail": "inactivity is anticipated to exceed Fifteen (15) minutes"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-2(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.5_smt",
-                    "name": "statement",
-                    "prose": "The organization requires that users log out when {{ ac-2.5_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ac-2.5_fr",
-                        "name": "item",
-                        "title": "AC-2 (5) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.5_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Should use a shorter timeframe than AC-12."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.5_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#sc-23",
-                        "rel": "related",
-                        "text": "SC-23"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(5)[1]"
-                          }
-                        ],
-                        "prose": "defines either the time period of expected inactivity that requires users to\n                     log out or the description of when users are required to log out; and"
-                      },
-                      {
-                        "id": "ac-2.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(5)[2]"
-                          }
-                        ],
-                        "prose": "requires that users log out when the organization-defined time period of\n                     inactivity is reached or in accordance with organization-defined description of\n                     when to log out."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity violation reports\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nusers that must comply with inactivity logout policy"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.7",
-                "class": "SP800-53-enhancement",
-                "title": "Role-based Schemes",
-                "parameters": [
-                  {
-                    "id": "ac-2.7_prm_1",
-                    "label": "organization-defined actions",
-                    "constraints": [
-                      {
-                        "detail": "disables/revokes access within a organization-specified timeframe"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.7_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.7_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Establishes and administers privileged user accounts in accordance with a\n                     role-based access scheme that organizes allowed information system access and\n                     privileges into roles;"
-                      },
-                      {
-                        "id": "ac-2.7_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Monitors privileged role assignments; and"
-                      },
-                      {
-                        "id": "ac-2.7_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Takes {{ ac-2.7_prm_1 }} when privileged role assignments are no\n                     longer appropriate."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.7_gdn",
-                    "name": "guidance",
-                    "prose": "Privileged roles are organization-defined roles assigned to individuals that allow\n                  those individuals to perform certain security-relevant functions that ordinary\n                  users are not authorized to perform. These privileged roles include, for example,\n                  key management, account management, network and system administration, database\n                  administration, and web administration."
-                  },
-                  {
-                    "id": "ac-2.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.7.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(7)(a)"
-                          }
-                        ],
-                        "prose": "establishes and administers privileged user accounts in accordance with a\n                     role-based access scheme that organizes allowed information system access and\n                     privileges into roles;",
-                        "links": [
-                          {
-                            "href": "#ac-2.7_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-2(7)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.7.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(7)(b)"
-                          }
-                        ],
-                        "prose": "monitors privileged role assignments;",
-                        "links": [
-                          {
-                            "href": "#ac-2.7_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-2(7)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.7.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(7)(c)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-2.7.c_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(7)(c)[1]"
-                              }
-                            ],
-                            "prose": "defines actions to be taken when privileged role assignments are no longer\n                        appropriate; and"
-                          },
-                          {
-                            "id": "ac-2.7.c_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(7)(c)[2]"
-                              }
-                            ],
-                            "prose": "takes organization-defined actions when privileged role assignments are no\n                        longer appropriate."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-2.7_smt.c",
-                            "rel": "corresp",
-                            "text": "AC-2(7)(c)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of privileged user accounts and associated\n                     role\\n\\nrecords of actions taken when privileged role assignments are no longer\n                     appropriate\\n\\ninformation system audit records\\n\\naudit tracking and monitoring reports\\n\\ninformation system monitoring records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions\\n\\nautomated mechanisms monitoring privileged role assignments"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.9",
-                "class": "SP800-53-enhancement",
-                "title": "Restrictions On Use of Shared / Group Accounts",
-                "parameters": [
-                  {
-                    "id": "ac-2.9_prm_1",
-                    "label": "organization-defined conditions for establishing shared/group accounts",
-                    "constraints": [
-                      {
-                        "detail": "organization-defined need with justification statement that explains why such accounts are necessary"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.9_smt",
-                    "name": "statement",
-                    "prose": "The organization only permits the use of shared/group accounts that meet {{ ac-2.9_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ac-2.9_fr",
-                        "name": "item",
-                        "title": "AC-2 (9) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.9_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Required if shared/group accounts are deployed"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.9_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.9_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(9)[1]"
-                          }
-                        ],
-                        "prose": "defines conditions for establishing shared/group accounts; and"
-                      },
-                      {
-                        "id": "ac-2.9_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(9)[2]"
-                          }
-                        ],
-                        "prose": "only permits the use of shared/group accounts that meet organization-defined\n                     conditions for establishing shared/group accounts."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of shared/group accounts and associated role\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing management of shared/group accounts"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.10",
-                "class": "SP800-53-enhancement",
-                "title": "Shared / Group Account Credential Termination",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.10_smt",
-                    "name": "statement",
-                    "prose": "The information system terminates shared/group account credentials when members\n                  leave the group.",
-                    "parts": [
-                      {
-                        "id": "ac-2.10_fr",
-                        "name": "item",
-                        "title": "AC-2 (10) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.10_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Required if shared/group accounts are deployed"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system terminates shared/group account credentials\n                  when members leave the group."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naccount access termination records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.11",
-                "class": "SP800-53-enhancement",
-                "title": "Usage Conditions",
-                "parameters": [
-                  {
-                    "id": "ac-2.11_prm_1",
-                    "label": "organization-defined circumstances and/or usage conditions"
-                  },
-                  {
-                    "id": "ac-2.11_prm_2",
-                    "label": "organization-defined information system accounts"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(11)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.11"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.11_smt",
-                    "name": "statement",
-                    "prose": "The information system enforces {{ ac-2.11_prm_1 }} for {{ ac-2.11_prm_2 }}."
-                  },
-                  {
-                    "id": "ac-2.11_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can describe the specific conditions or circumstances under which\n                  information system accounts can be used, for example, by restricting usage to\n                  certain days of the week, time of day, or specific durations of time."
-                  },
-                  {
-                    "id": "ac-2.11_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-2.11_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(11)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines circumstances and/or usage conditions to be enforced\n                     for information system accounts;"
-                      },
-                      {
-                        "id": "ac-2.11_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(11)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines information system accounts for which\n                     organization-defined circumstances and/or usage conditions are to be enforced;\n                     and"
-                      },
-                      {
-                        "id": "ac-2.11_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(11)[3]"
-                          }
-                        ],
-                        "prose": "the information system enforces organization-defined circumstances and/or usage\n                     conditions for organization-defined information system accounts."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of information system accounts and associated assignments\n                     of usage circumstances and/or usage conditions\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.12",
-                "class": "SP800-53-enhancement",
-                "title": "Account Monitoring / Atypical Usage",
-                "parameters": [
-                  {
-                    "id": "ac-2.12_prm_1",
-                    "label": "organization-defined atypical usage"
-                  },
-                  {
-                    "id": "ac-2.12_prm_2",
-                    "label": "organization-defined personnel or roles",
-                    "constraints": [
-                      {
-                        "detail": "at a minimum, the ISSO and/or similar role within the organization"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-2(12)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.12"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.12_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.12_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Monitors information system accounts for {{ ac-2.12_prm_1 }};\n                     and"
-                      },
-                      {
-                        "id": "ac-2.12_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Reports atypical usage of information system accounts to {{ ac-2.12_prm_2 }}."
-                      },
-                      {
-                        "id": "ac-2.12_fr",
-                        "name": "item",
-                        "title": "AC-2 (12) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.12_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(a) Guidance:"
-                              }
-                            ],
-                            "prose": "Required for privileged accounts."
-                          },
-                          {
-                            "id": "ac-2.12_fr_gdn.2",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(b) Guidance:"
-                              }
-                            ],
-                            "prose": "Required for privileged accounts."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.12_gdn",
-                    "name": "guidance",
-                    "prose": "Atypical usage includes, for example, accessing information systems at certain\n                  times of the day and from locations that are not consistent with the normal usage\n                  patterns of individuals working in organizations.",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.12_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.12.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(12)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-2.12.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(12)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines atypical usage to be monitored for information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.12.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(12)(a)[2]"
-                              }
-                            ],
-                            "prose": "monitors information system accounts for organization-defined atypical\n                        usage;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-2.12_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-2(12)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.12.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(12)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-2.12.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(12)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom atypical usage of information system\n                        accounts are to be reported; and"
-                          },
-                          {
-                            "id": "ac-2.12.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(12)(b)[2]"
-                              }
-                            ],
-                            "prose": "reports atypical usage of information system accounts to\n                        organization-defined personnel or roles."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-2.12_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-2(12)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\naudit tracking and monitoring reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.13",
-                "class": "SP800-53-enhancement",
-                "title": "Disable Accounts for High-risk Individuals",
-                "parameters": [
-                  {
-                    "id": "ac-2.13_prm_1",
-                    "label": "organization-defined time period",
-                    "constraints": [
-                      {
-                        "detail": "one (1) hour"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(13)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.13"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.13_smt",
-                    "name": "statement",
-                    "prose": "The organization disables accounts of users posing a significant risk within\n                     {{ ac-2.13_prm_1 }} of discovery of the risk."
-                  },
-                  {
-                    "id": "ac-2.13_gdn",
-                    "name": "guidance",
-                    "prose": "Users posing a significant risk to organizations include individuals for whom\n                  reliable evidence or intelligence indicates either the intention to use authorized\n                  access to information systems to cause harm or through whom adversaries will cause\n                  harm. Harm includes potential adverse impacts to organizational operations and\n                  assets, individuals, other organizations, or the Nation. Close coordination\n                  between authorizing officials, information system administrators, and human\n                  resource managers is essential in order for timely execution of this control\n                  enhancement.",
-                    "links": [
-                      {
-                        "href": "#ps-4",
-                        "rel": "related",
-                        "text": "PS-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.13_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ac-2.13_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(13)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which accounts are disabled upon discovery of a\n                     significant risk posed by users of such accounts; and"
-                      },
-                      {
-                        "id": "ac-2.13_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(13)[2]"
-                          }
-                        ],
-                        "prose": "disables accounts of users posing a significant risk within the\n                     organization-defined time period of discovery of the risk."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of disabled accounts\\n\\nlist of user activities posing significant organizational risk\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-3",
-            "class": "SP800-53",
-            "title": "Access Enforcement",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-3_smt",
-                "name": "statement",
-                "prose": "The information system enforces approved authorizations for logical access to\n               information and system resources in accordance with applicable access control\n               policies."
-              },
-              {
-                "id": "ac-3_gdn",
-                "name": "guidance",
-                "prose": "Access control policies (e.g., identity-based policies, role-based policies, control\n               matrices, cryptography) control access between active entities or subjects (i.e.,\n               users or processes acting on behalf of users) and passive entities or objects (e.g.,\n               devices, files, records, domains) in information systems. In addition to enforcing\n               authorized access at the information system level and recognizing that information\n               systems can host many applications and services in support of organizational missions\n               and business operations, access enforcement mechanisms can also be employed at the\n               application and service level to provide increased information security.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  },
-                  {
-                    "href": "#ac-22",
-                    "rel": "related",
-                    "text": "AC-22"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  }
-                ]
-              },
-              {
-                "id": "ac-3_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system enforces approved authorizations for logical\n               access to information and system resources in accordance with applicable access\n               control policies."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing access enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of approved authorizations (user privileges)\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-4",
-            "class": "SP800-53",
-            "title": "Information Flow Enforcement",
-            "parameters": [
-              {
-                "id": "ac-4_prm_1",
-                "label": "organization-defined information flow control policies"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-4_smt",
-                "name": "statement",
-                "prose": "The information system enforces approved authorizations for controlling the flow of\n               information within the system and between interconnected systems based on {{ ac-4_prm_1 }}."
-              },
-              {
-                "id": "ac-4_gdn",
-                "name": "guidance",
-                "prose": "Information flow control regulates where information is allowed to travel within an\n               information system and between information systems (as opposed to who is allowed to\n               access the information) and without explicit regard to subsequent accesses to that\n               information. Flow control restrictions include, for example, keeping\n               export-controlled information from being transmitted in the clear to the Internet,\n               blocking outside traffic that claims to be from within the organization, restricting\n               web requests to the Internet that are not from the internal web proxy server, and\n               limiting information transfers between organizations based on data structures and\n               content. Transferring information between information systems representing different\n               security domains with different security policies introduces risk that such transfers\n               violate one or more domain security policies. In such situations, information\n               owners/stewards provide guidance at designated policy enforcement points between\n               interconnected systems. Organizations consider mandating specific architectural\n               solutions when required to enforce specific security policies. Enforcement includes,\n               for example: (i) prohibiting information transfers between interconnected systems\n               (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way\n               information flows; and (iii) implementing trustworthy regrading mechanisms to\n               reassign security attributes and security labels. Organizations commonly employ\n               information flow control policies and enforcement mechanisms to control the flow of\n               information between designated sources and destinations (e.g., networks, individuals,\n               and devices) within information systems and between interconnected systems. Flow\n               control is based on the characteristics of the information and/or the information\n               path. Enforcement occurs, for example, in boundary protection devices (e.g.,\n               gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or\n               establish configuration settings that restrict information system services, provide a\n               packet-filtering capability based on header information, or message-filtering\n               capability based on message content (e.g., implementing key word searches or using\n               document characteristics). Organizations also consider the trustworthiness of\n               filtering/inspection mechanisms (i.e., hardware, firmware, and software components)\n               that are critical to information flow enforcement. Control enhancements 3 through 22\n               primarily address cross-domain solution needs which focus on more advanced filtering\n               techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented\n               in cross-domain products, for example, high-assurance guards. Such capabilities are\n               generally not available in commercial off-the-shelf information technology\n               products.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-18",
-                    "rel": "related",
-                    "text": "SC-18"
-                  }
-                ]
-              },
-              {
-                "id": "ac-4_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-4_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-4[1]"
-                      }
-                    ],
-                    "prose": "the organization defines information flow control policies to control the flow of\n                  information within the system and between interconnected systems; and"
-                  },
-                  {
-                    "id": "ac-4_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-4[2]"
-                      }
-                    ],
-                    "prose": "the information system enforces approved authorizations for controlling the flow\n                  of information within the system and between interconnected systems based on\n                  organization-defined information flow control policies."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system baseline configuration\\n\\nlist of information flow authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information flow enforcement policy"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-4.8",
-                "class": "SP800-53-enhancement",
-                "title": "Security Policy Filters",
-                "parameters": [
-                  {
-                    "id": "ac-4.8_prm_1",
-                    "label": "organization-defined security policy filters"
-                  },
-                  {
-                    "id": "ac-4.8_prm_2",
-                    "label": "organization-defined information flows"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-4(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-04.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-4.8_smt",
-                    "name": "statement",
-                    "prose": "The information system enforces information flow control using {{ ac-4.8_prm_1 }} as a basis for flow control decisions for {{ ac-4.8_prm_2 }}."
-                  },
-                  {
-                    "id": "ac-4.8_gdn",
-                    "name": "guidance",
-                    "prose": "Organization-defined security policy filters can address data structures and\n                  content. For example, security policy filters for data structures can check for\n                  maximum file lengths, maximum field sizes, and data/file types (for structured and\n                  unstructured data). Security policy filters for data content can check for\n                  specific words (e.g., dirty/clean word filters), enumerated values or data value\n                  ranges, and hidden content. Structured data permits the interpretation of data\n                  content by applications. Unstructured data typically refers to digital information\n                  without a particular data structure or with a data structure that does not\n                  facilitate the development of rule sets to address the particular sensitivity of\n                  the information conveyed by the data or the associated flow enforcement decisions.\n                  Unstructured data consists of: (i) bitmap objects that are inherently non\n                  language-based (i.e., image, video, or audio files); and (ii) textual objects that\n                  are based on written or printed languages (e.g., commercial off-the-shelf word\n                  processing documents, spreadsheets, or emails). Organizations can implement more\n                  than one security policy filter to meet information flow control objectives (e.g.,\n                  employing clean word lists in conjunction with dirty word lists may help to reduce\n                  false positives)."
-                  },
-                  {
-                    "id": "ac-4.8_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-4.8_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(8)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines security policy filters to be used as a basis for\n                     enforcing flow control decisions;"
-                      },
-                      {
-                        "id": "ac-4.8_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(8)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines information flows for which flow control decisions are\n                     to be applied and enforced; and"
-                      },
-                      {
-                        "id": "ac-4.8_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(8)[3]"
-                          }
-                        ],
-                        "prose": "the information system enforces information flow control using\n                     organization-defined security policy filters as a basis for flow control\n                     decisions for organization-defined information flows."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security policy filters regulating flow control decisions\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing information flow enforcement policy"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-4.21",
-                "class": "SP800-53-enhancement",
-                "title": "Physical / Logical Separation of Information Flows",
-                "parameters": [
-                  {
-                    "id": "ac-4.21_prm_1",
-                    "label": "organization-defined mechanisms and/or techniques"
-                  },
-                  {
-                    "id": "ac-4.21_prm_2",
-                    "label": "organization-defined required separations by types of information"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-4(21)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-04.21"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-4.21_smt",
-                    "name": "statement",
-                    "prose": "The information system separates information flows logically or physically using\n                     {{ ac-4.21_prm_1 }} to accomplish {{ ac-4.21_prm_2 }}."
-                  },
-                  {
-                    "id": "ac-4.21_gdn",
-                    "name": "guidance",
-                    "prose": "Enforcing the separation of information flows by type can enhance protection by\n                  ensuring that information is not commingled while in transit and by enabling flow\n                  control by transmission paths perhaps not otherwise achievable. Types of separable\n                  information include, for example, inbound and outbound communications traffic,\n                  service requests and responses, and information of differing security\n                  categories."
-                  },
-                  {
-                    "id": "ac-4.21_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "ac-4.21_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(21)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the required separations of information flows by types\n                     of information;"
-                      },
-                      {
-                        "id": "ac-4.21_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(21)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the mechanisms and/or techniques to be used to\n                     separate information flows logically or physically; and"
-                      },
-                      {
-                        "id": "ac-4.21_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(21)[3]"
-                          }
-                        ],
-                        "prose": "the information system separates information flows logically or physically\n                     using organization-defined mechanisms and/or techniques to accomplish\n                     organization-defined required separations by types of information."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information flow enforcement policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of required separation of information flows by information types\\n\\nlist of mechanisms and/or techniques used to logically or physically separate\n                     information flows\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information flow enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing information flow enforcement functions"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-5",
-            "class": "SP800-53",
-            "title": "Separation of Duties",
-            "parameters": [
-              {
-                "id": "ac-5_prm_1",
-                "label": "organization-defined duties of individuals"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Separates {{ ac-5_prm_1 }};"
-                  },
-                  {
-                    "id": "ac-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents separation of duties of individuals; and"
-                  },
-                  {
-                    "id": "ac-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Defines information system access authorizations to support separation of\n                  duties."
-                  },
-                  {
-                    "id": "ac-5_fr",
-                    "name": "item",
-                    "title": "AC-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ac-5_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-5_gdn",
-                "name": "guidance",
-                "prose": "Separation of duties addresses the potential for abuse of authorized privileges and\n               helps to reduce the risk of malevolent activity without collusion. Separation of\n               duties includes, for example: (i) dividing mission functions and information system\n               support functions among different individuals and/or roles; (ii) conducting\n               information system support functions with different individuals (e.g., system\n               management, programming, configuration management, quality assurance and testing, and\n               network security); and (iii) ensuring security personnel administering access control\n               functions do not also administer audit functions.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  }
-                ]
-              },
-              {
-                "id": "ac-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-5(a)[1]"
-                          }
-                        ],
-                        "prose": "defines duties of individuals to be separated;"
-                      },
-                      {
-                        "id": "ac-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-5(a)[2]"
-                          }
-                        ],
-                        "prose": "separates organization-defined duties of individuals;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-5(b)"
-                      }
-                    ],
-                    "prose": "documents separation of duties; and"
-                  },
-                  {
-                    "id": "ac-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-5(c)"
-                      }
-                    ],
-                    "prose": "defines information system access authorizations to support separation of\n                  duties."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing divisions of responsibility and separation of duties\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of divisions of responsibility and separation of duties\\n\\ninformation system access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for defining appropriate divisions\n                  of responsibility and separation of duties\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing separation of duties policy"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-6",
-            "class": "SP800-53",
-            "title": "Least Privilege",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-6_smt",
-                "name": "statement",
-                "prose": "The organization employs the principle of least privilege, allowing only authorized\n               accesses for users (or processes acting on behalf of users) which are necessary to\n               accomplish assigned tasks in accordance with organizational missions and business\n               functions."
-              },
-              {
-                "id": "ac-6_gdn",
-                "name": "guidance",
-                "prose": "Organizations employ least privilege for specific duties and information systems. The\n               principle of least privilege is also applied to information system processes,\n               ensuring that the processes operate at privilege levels no higher than necessary to\n               accomplish required organizational missions/business functions. Organizations\n               consider the creation of additional processes, roles, and information system accounts\n               as necessary, to achieve least privilege. Organizations also apply least privilege to\n               the development, implementation, and operation of organizational information\n               systems.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  }
-                ]
-              },
-              {
-                "id": "ac-6_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization employs the principle of least privilege, allowing only\n               authorized access for users (and processes acting on behalf of users) which are\n               necessary to accomplish assigned tasks in accordance with organizational missions and\n               business functions. "
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of assigned access authorizations (user privileges)\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for defining least privileges\n                  necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing least privilege functions"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Authorize Access to Security Functions",
-                "parameters": [
-                  {
-                    "id": "ac-6.1_prm_1",
-                    "label": "organization-defined security functions (deployed in hardware, software, and\n                  firmware) and security-relevant information",
-                    "constraints": [
-                      {
-                        "detail": "all functions not publicly accessible and all security-relevant information not publicly available"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization explicitly authorizes access to {{ ac-6.1_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-6.1_gdn",
-                    "name": "guidance",
-                    "prose": "Security functions include, for example, establishing system accounts, configuring\n                  access authorizations (i.e., permissions, privileges), setting events to be\n                  audited, and setting intrusion detection parameters. Security-relevant information\n                  includes, for example, filtering rules for routers/firewalls, cryptographic key\n                  management information, configuration parameters for security services, and access\n                  control lists. Explicitly authorized personnel include, for example, security\n                  administrators, system and network administrators, system security officers,\n                  system maintenance personnel, system programmers, and other privileged users.",
-                    "links": [
-                      {
-                        "href": "#ac-17",
-                        "rel": "related",
-                        "text": "AC-17"
-                      },
-                      {
-                        "href": "#ac-18",
-                        "rel": "related",
-                        "text": "AC-18"
-                      },
-                      {
-                        "href": "#ac-19",
-                        "rel": "related",
-                        "text": "AC-19"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ac-6.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(1)[1]"
-                          }
-                        ],
-                        "prose": "defines security-relevant information for which access must be explicitly\n                     authorized;"
-                      },
-                      {
-                        "id": "ac-6.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(1)[2]"
-                          }
-                        ],
-                        "prose": "defines security functions deployed in:",
-                        "parts": [
-                          {
-                            "id": "ac-6.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[2][a]"
-                              }
-                            ],
-                            "prose": "hardware;"
-                          },
-                          {
-                            "id": "ac-6.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[2][b]"
-                              }
-                            ],
-                            "prose": "software;"
-                          },
-                          {
-                            "id": "ac-6.1_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[2][c]"
-                              }
-                            ],
-                            "prose": "firmware;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-6.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(1)[3]"
-                          }
-                        ],
-                        "prose": "explicitly authorizes access to:",
-                        "parts": [
-                          {
-                            "id": "ac-6.1_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[3][a]"
-                              }
-                            ],
-                            "prose": "organization-defined security functions; and"
-                          },
-                          {
-                            "id": "ac-6.1_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[3][b]"
-                              }
-                            ],
-                            "prose": "security-relevant information."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of security functions (deployed in hardware, software, and firmware) and\n                     security-relevant information for which access must be explicitly\n                     authorized\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.2",
-                "class": "SP800-53-enhancement",
-                "title": "Non-privileged Access for Nonsecurity Functions",
-                "parameters": [
-                  {
-                    "id": "ac-6.2_prm_1",
-                    "label": "organization-defined security functions or security-relevant\n                  information",
-                    "constraints": [
-                      {
-                        "detail": "all security functions"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.2_smt",
-                    "name": "statement",
-                    "prose": "The organization requires that users of information system accounts, or roles,\n                  with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or\n                  roles, when accessing nonsecurity functions.",
-                    "parts": [
-                      {
-                        "id": "ac-6.2_fr",
-                        "name": "item",
-                        "title": "AC-6 (2) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-6.2_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement limits exposure when operating from within privileged\n                  accounts or roles. The inclusion of roles addresses situations where organizations\n                  implement access control policies such as role-based access control and where a\n                  change of role provides the same degree of assurance in the change of access\n                  authorizations for both the user and all processes acting on behalf of the user as\n                  would be provided by a change between a privileged and non-privileged account.",
-                    "links": [
-                      {
-                        "href": "#pl-4",
-                        "rel": "related",
-                        "text": "PL-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-6.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(2)[1]"
-                          }
-                        ],
-                        "prose": "defines security functions or security-relevant information to which users of\n                     information system accounts, or roles, have access; and"
-                      },
-                      {
-                        "id": "ac-6.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(2)[2]"
-                          }
-                        ],
-                        "prose": "requires that users of information system accounts, or roles, with access to\n                     organization-defined security functions or security-relevant information, use\n                     non-privileged accounts, or roles, when accessing nonsecurity functions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated security functions or security-relevant information\n                     assigned to information system accounts or roles\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.3",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Privileged Commands",
-                "parameters": [
-                  {
-                    "id": "ac-6.3_prm_1",
-                    "label": "organization-defined privileged commands",
-                    "constraints": [
-                      {
-                        "detail": "all privileged commands"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.3_prm_2",
-                    "label": "organization-defined compelling operational needs"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.3_smt",
-                    "name": "statement",
-                    "prose": "The organization authorizes network access to {{ ac-6.3_prm_1 }}\n                  only for {{ ac-6.3_prm_2 }} and documents the rationale for such\n                  access in the security plan for the information system."
-                  },
-                  {
-                    "id": "ac-6.3_gdn",
-                    "name": "guidance",
-                    "prose": "Network access is any access across a network connection in lieu of local access\n                  (i.e., user being physically present at the device).",
-                    "links": [
-                      {
-                        "href": "#ac-17",
-                        "rel": "related",
-                        "text": "AC-17"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-6.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(3)[1]"
-                          }
-                        ],
-                        "prose": "defines privileged commands to which network access is to be authorized only\n                     for compelling operational needs;"
-                      },
-                      {
-                        "id": "ac-6.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(3)[2]"
-                          }
-                        ],
-                        "prose": "defines compelling operational needs for which network access to\n                     organization-defined privileged commands are to be solely authorized;"
-                      },
-                      {
-                        "id": "ac-6.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(3)[3]"
-                          }
-                        ],
-                        "prose": "authorizes network access to organization-defined privileged commands only for\n                     organization-defined compelling operational needs; and"
-                      },
-                      {
-                        "id": "ac-6.3_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(3)[4]"
-                          }
-                        ],
-                        "prose": "documents the rationale for authorized network access to organization-defined\n                     privileged commands in the security plan for the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of operational needs for authorizing network access to privileged\n                     commands\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.5",
-                "class": "SP800-53-enhancement",
-                "title": "Privileged Accounts",
-                "parameters": [
-                  {
-                    "id": "ac-6.5_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.5_smt",
-                    "name": "statement",
-                    "prose": "The organization restricts privileged accounts on the information system to\n                     {{ ac-6.5_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-6.5_gdn",
-                    "name": "guidance",
-                    "prose": "Privileged accounts, including super user accounts, are typically described as\n                  system administrator for various types of commercial off-the-shelf operating\n                  systems. Restricting privileged accounts to specific personnel or roles prevents\n                  day-to-day users from having access to privileged information/functions.\n                  Organizations may differentiate in the application of this control enhancement\n                  between allowed privileges for local accounts and for domain accounts provided\n                  organizations retain the ability to control information system configurations for\n                  key security parameters and as otherwise necessary to sufficiently mitigate\n                  risk.",
-                    "links": [
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-6.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(5)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles for which privileged accounts on the information\n                     system are to be restricted; and"
-                      },
-                      {
-                        "id": "ac-6.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(5)[2]"
-                          }
-                        ],
-                        "prose": "restricts privileged accounts on the information system to organization-defined\n                     personnel or roles."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated privileged accounts\\n\\nlist of system administration personnel\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.7",
-                "class": "SP800-53-enhancement",
-                "title": "Review of User Privileges",
-                "parameters": [
-                  {
-                    "id": "ac-6.7_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at a minimum, annually"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.7_prm_2",
-                    "label": "organization-defined roles or classes of users",
-                    "constraints": [
-                      {
-                        "detail": "all users with privileges"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.7_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ac-6.7_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Reviews {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and"
-                      },
-                      {
-                        "id": "ac-6.7_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Reassigns or removes privileges, if necessary, to correctly reflect\n                     organizational mission/business needs."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.7_gdn",
-                    "name": "guidance",
-                    "prose": "The need for certain assigned user privileges may change over time reflecting\n                  changes in organizational missions/business function, environments of operation,\n                  technologies, or threat. Periodic review of assigned user privileges is necessary\n                  to determine if the rationale for assigning such privileges remains valid. If the\n                  need cannot be revalidated, organizations take appropriate corrective actions.",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ac-6.7.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-6(7)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-6.7.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-6(7)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines roles or classes of users to which privileges are assigned;"
-                          },
-                          {
-                            "id": "ac-6.7.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-6(7)(a)[2]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review the privileges assigned to\n                        organization-defined roles or classes of users to validate the need for such\n                        privileges;"
-                          },
-                          {
-                            "id": "ac-6.7.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-6(7)(a)[3]"
-                              }
-                            ],
-                            "prose": "reviews the privileges assigned to organization-defined roles or classes of\n                        users with the organization-defined frequency to validate the need for such\n                        privileges; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-6.7_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-6(7)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-6.7.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(7)(b)"
-                          }
-                        ],
-                        "prose": "reassigns or removes privileges, if necessary, to correctly reflect\n                     organizational missions/business needs.",
-                        "links": [
-                          {
-                            "href": "#ac-6.7_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-6(7)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated roles or classes of users and assigned privileges\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nvalidation reviews of privileges assigned to roles or classes or users\\n\\nrecords of privilege removals or reassignments for roles or classes of\n                     users\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for reviewing least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing review of user privileges"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.8",
-                "class": "SP800-53-enhancement",
-                "title": "Privilege Levels for Code Execution",
-                "parameters": [
-                  {
-                    "id": "ac-6.8_prm_1",
-                    "label": "organization-defined software",
-                    "constraints": [
-                      {
-                        "detail": "any software except software explicitly documented"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.8_smt",
-                    "name": "statement",
-                    "prose": "The information system prevents {{ ac-6.8_prm_1 }} from executing\n                  at higher privilege levels than users executing the software."
-                  },
-                  {
-                    "id": "ac-6.8_gdn",
-                    "name": "guidance",
-                    "prose": "In certain situations, software applications/programs need to execute with\n                  elevated privileges to perform required functions. However, if the privileges\n                  required for execution are at a higher level than the privileges assigned to\n                  organizational users invoking such applications/programs, those users are\n                  indirectly provided with greater privileges than assigned by organizations."
-                  },
-                  {
-                    "id": "ac-6.8_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "ac-6.8_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(8)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines software that should not execute at higher privilege\n                     levels than users executing the software; and"
-                      },
-                      {
-                        "id": "ac-6.8_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(8)[2]"
-                          }
-                        ],
-                        "prose": "the information system prevents organization-defined software from executing at\n                     higher privilege levels than users executing the software."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of software that should not execute at higher privilege levels than users\n                     executing software\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions for software\n                     execution"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.9",
-                "class": "SP800-53-enhancement",
-                "title": "Auditing Use of Privileged Functions",
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-6(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.9_smt",
-                    "name": "statement",
-                    "prose": "The information system audits the execution of privileged functions."
-                  },
-                  {
-                    "id": "ac-6.9_gdn",
-                    "name": "guidance",
-                    "prose": "Misuse of privileged functions, either intentionally or unintentionally by\n                  authorized users, or by unauthorized external entities that have compromised\n                  information system accounts, is a serious and ongoing concern and can have\n                  significant adverse impacts on organizations. Auditing the use of privileged\n                  functions is one way to detect such misuse, and in doing so, help mitigate the\n                  risk from insider threats and the advanced persistent threat (APT).",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.9_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system audits the execution of privileged functions.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of privileged functions to be audited\\n\\nlist of audited events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for reviewing least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms auditing the execution of least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.10",
-                "class": "SP800-53-enhancement",
-                "title": "Prohibit Non-privileged Users from Executing Privileged Functions",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.10_smt",
-                    "name": "statement",
-                    "prose": "The information system prevents non-privileged users from executing privileged\n                  functions to include disabling, circumventing, or altering implemented security\n                  safeguards/countermeasures."
-                  },
-                  {
-                    "id": "ac-6.10_gdn",
-                    "name": "guidance",
-                    "prose": "Privileged functions include, for example, establishing information system\n                  accounts, performing system integrity checks, or administering cryptographic key\n                  management activities. Non-privileged users are individuals that do not possess\n                  appropriate authorizations. Circumventing intrusion detection and prevention\n                  mechanisms or malicious code protection mechanisms are examples of privileged\n                  functions that require protection from non-privileged users."
-                  },
-                  {
-                    "id": "ac-6.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system prevents non-privileged users from executing\n                  privileged functions to include:",
-                    "parts": [
-                      {
-                        "id": "ac-6.10_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-6(10)[1]"
-                          }
-                        ],
-                        "prose": "disabling implemented security safeguards/countermeasures;"
-                      },
-                      {
-                        "id": "ac-6.10_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-6(10)[2]"
-                          }
-                        ],
-                        "prose": "circumventing security safeguards/countermeasures; or"
-                      },
-                      {
-                        "id": "ac-6.10_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-6(10)[3]"
-                          }
-                        ],
-                        "prose": "altering implemented security safeguards/countermeasures."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of privileged functions and associated user account assignments\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions for non-privileged\n                     users"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-7",
-            "class": "SP800-53",
-            "title": "Unsuccessful Logon Attempts",
-            "parameters": [
-              {
-                "id": "ac-7_prm_1",
-                "label": "organization-defined number",
-                "constraints": [
-                  {
-                    "detail": "not more than three (3)"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "fifteen (15) minutes"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_3"
-              },
-              {
-                "id": "ac-7_prm_4",
-                "depends-on": "ac-7_prm_3",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "locks the account/node for a minimum of three (3) hours or until unlocked by an administrator"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_5",
-                "depends-on": "ac-7_prm_3",
-                "label": "organization-defined delay algorithm"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-07"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-7_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon\n                  attempts by a user during a {{ ac-7_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ac-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Automatically {{ ac-7_prm_3 }} when the maximum number of\n                  unsuccessful attempts is exceeded."
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_gdn",
-                "name": "guidance",
-                "prose": "This control applies regardless of whether the logon occurs via a local or network\n               connection. Due to the potential for denial of service, automatic lockouts initiated\n               by information systems are usually temporary and automatically release after a\n               predetermined time period established by organizations. If a delay algorithm is\n               selected, organizations may choose to employ different algorithms for different\n               information system components based on the capabilities of those components.\n               Responses to unsuccessful logon attempts may be implemented at both the operating\n               system and the application levels.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-9",
-                    "rel": "related",
-                    "text": "AC-9"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "ac-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the number of consecutive invalid logon attempts\n                     allowed to the information system by a user during an organization-defined time\n                     period;"
-                      },
-                      {
-                        "id": "ac-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period allowed by a user of the information\n                     system for an organization-defined number of consecutive invalid logon\n                     attempts;"
-                      },
-                      {
-                        "id": "ac-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[3]"
-                          }
-                        ],
-                        "prose": "the information system enforces a limit of organization-defined number of\n                     consecutive invalid logon attempts by a user during an organization-defined\n                     time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines account/node lockout time period or logon delay\n                     algorithm to be automatically enforced by the information system when the\n                     maximum number of unsuccessful logon attempts is exceeded;"
-                      },
-                      {
-                        "id": "ac-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system, when the maximum number of unsuccessful logon attempts\n                     is exceeded, automatically:",
-                        "parts": [
-                          {
-                            "id": "ac-7.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][a]"
-                              }
-                            ],
-                            "prose": "locks the account/node for the organization-defined time period;"
-                          },
-                          {
-                            "id": "ac-7.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][b]"
-                              }
-                            ],
-                            "prose": "locks the account/node until released by an administrator; or"
-                          },
-                          {
-                            "id": "ac-7.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][c]"
-                              }
-                            ],
-                            "prose": "delays next logon prompt according to the organization-defined delay\n                        algorithm."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing unsuccessful logon attempts\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem developers\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy for unsuccessful logon\n                  attempts"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-7.2",
-                "class": "SP800-53-enhancement",
-                "title": "Purge / Wipe Mobile Device",
-                "parameters": [
-                  {
-                    "id": "ac-7.2_prm_1",
-                    "label": "organization-defined mobile devices",
-                    "constraints": [
-                      {
-                        "detail": "mobile devices as defined by organization policy"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-7.2_prm_2",
-                    "label": "organization-defined purging/wiping requirements/techniques"
-                  },
-                  {
-                    "id": "ac-7.2_prm_3",
-                    "label": "organization-defined number",
-                    "constraints": [
-                      {
-                        "detail": "three (3)"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-7(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-07.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-7.2_smt",
-                    "name": "statement",
-                    "prose": "The information system purges/wipes information from {{ ac-7.2_prm_1 }} based on {{ ac-7.2_prm_2 }} after\n                     {{ ac-7.2_prm_3 }} consecutive, unsuccessful device logon\n                  attempts."
-                  },
-                  {
-                    "id": "ac-7.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies only to mobile devices for which a logon occurs\n                  (e.g., personal digital assistants, smart phones, tablets). The logon is to the\n                  mobile device, not to any one account on the device. Therefore, successful logons\n                  to any accounts on mobile devices reset the unsuccessful logon count to zero.\n                  Organizations define information to be purged/wiped carefully in order to avoid\n                  over purging/wiping which may result in devices becoming unusable. Purging/wiping\n                  may be unnecessary if the information on the device is protected with sufficiently\n                  strong encryption mechanisms.",
-                    "links": [
-                      {
-                        "href": "#ac-19",
-                        "rel": "related",
-                        "text": "AC-19"
-                      },
-                      {
-                        "href": "#mp-5",
-                        "rel": "related",
-                        "text": "MP-5"
-                      },
-                      {
-                        "href": "#mp-6",
-                        "rel": "related",
-                        "text": "MP-6"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-7.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-7.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines mobile devices to be purged/wiped after\n                     organization-defined number of consecutive, unsuccessful device logon\n                     attempts;"
-                      },
-                      {
-                        "id": "ac-7.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(2)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines purging/wiping requirements/techniques to be used when\n                     organization-defined mobile devices are purged/wiped after organization-defined\n                     number of consecutive, unsuccessful device logon attempts;"
-                      },
-                      {
-                        "id": "ac-7.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(2)[3]"
-                          }
-                        ],
-                        "prose": "the organization defines the number of consecutive, unsuccessful logon attempts\n                     allowed for accessing mobile devices before the information system purges/wipes\n                     information from such devices; and"
-                      },
-                      {
-                        "id": "ac-7.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(2)[4]"
-                          }
-                        ],
-                        "prose": "the information system purges/wipes information from organization-defined\n                     mobile devices based on organization-defined purging/wiping\n                     requirements/techniques after organization-defined number of consecutive,\n                     unsuccessful logon attempts."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing unsuccessful login attempts on mobile devices\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of mobile devices to be purged/wiped after organization-defined\n                     consecutive, unsuccessful device logon attempts\\n\\nlist of purging/wiping requirements or techniques for mobile devices\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing access control policy for unsuccessful device\n                     logon attempts"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-8",
-            "class": "SP800-53",
-            "title": "System Use Notification",
-            "parameters": [
-              {
-                "id": "ac-8_prm_1",
-                "label": "organization-defined system use notification message or banner",
-                "constraints": [
-                  {
-                    "detail": "see additional Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "ac-8_prm_2",
-                "label": "organization-defined conditions",
-                "constraints": [
-                  {
-                    "detail": "see additional Requirements and Guidance"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-8_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Displays to users {{ ac-8_prm_1 }} before granting access to the\n                  system that provides privacy and security notices consistent with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance and states that:",
-                    "parts": [
-                      {
-                        "id": "ac-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Users are accessing a U.S. Government information system;"
-                      },
-                      {
-                        "id": "ac-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Information system usage may be monitored, recorded, and subject to audit;"
-                      },
-                      {
-                        "id": "ac-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Unauthorized use of the information system is prohibited and subject to\n                     criminal and civil penalties; and"
-                      },
-                      {
-                        "id": "ac-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Use of the information system indicates consent to monitoring and\n                     recording;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains the notification message or banner on the screen until users acknowledge\n                  the usage conditions and take explicit actions to log on to or further access the\n                  information system; and"
-                  },
-                  {
-                    "id": "ac-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "For publicly accessible systems:",
-                    "parts": [
-                      {
-                        "id": "ac-8_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Displays system use information {{ ac-8_prm_2 }}, before\n                     granting further access;"
-                      },
-                      {
-                        "id": "ac-8_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Displays references, if any, to monitoring, recording, or auditing that are\n                     consistent with privacy accommodations for such systems that generally prohibit\n                     those activities; and"
-                      },
-                      {
-                        "id": "ac-8_smt.c.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Includes a description of the authorized uses of the system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8_fr",
-                    "name": "item",
-                    "title": "AC-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ac-8_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."
-                      },
-                      {
-                        "id": "ac-8_fr_smt.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."
-                      },
-                      {
-                        "id": "ac-8_fr_smt.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-8_gdn",
-                "name": "guidance",
-                "prose": "System use notifications can be implemented using messages or warning banners\n               displayed before individuals log in to information systems. System use notifications\n               are used only for access via logon interfaces with human users and are not required\n               when such human interfaces do not exist. Organizations consider system use\n               notification messages/banners displayed in multiple languages based on specific\n               organizational needs and the demographics of information system users. Organizations\n               also consult with the Office of the General Counsel for legal review and approval of\n               warning banner content."
-              },
-              {
-                "id": "ac-8_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines a system use notification message or banner to be\n                     displayed by the information system to users before granting access to the\n                     system;"
-                      },
-                      {
-                        "id": "ac-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system displays to users the organization-defined system use\n                     notification message or banner before granting access to the information system\n                     that provides privacy and security notices consistent with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance, and states that:",
-                        "parts": [
-                          {
-                            "id": "ac-8.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](1)"
-                              }
-                            ],
-                            "prose": "users are accessing a U.S. Government information system;"
-                          },
-                          {
-                            "id": "ac-8.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](2)"
-                              }
-                            ],
-                            "prose": "information system usage may be monitored, recorded, and subject to\n                        audit;"
-                          },
-                          {
-                            "id": "ac-8.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](3)"
-                              }
-                            ],
-                            "prose": "unauthorized use of the information system is prohibited and subject to\n                        criminal and civil penalties;"
-                          },
-                          {
-                            "id": "ac-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](4)"
-                              }
-                            ],
-                            "prose": "use of the information system indicates consent to monitoring and\n                        recording;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-8(b)"
-                      }
-                    ],
-                    "prose": "the information system retains the notification message or banner on the screen\n                  until users acknowledge the usage conditions and take explicit actions to log on\n                  to or further access the information system;"
-                  },
-                  {
-                    "id": "ac-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(c)"
-                      }
-                    ],
-                    "prose": "for publicly accessible systems:",
-                    "parts": [
-                      {
-                        "id": "ac-8.c.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-8.c.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-8(c)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines conditions for system use to be displayed by the\n                        information system before granting further access;"
-                          },
-                          {
-                            "id": "ac-8.c.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-8(c)(1)[2]"
-                              }
-                            ],
-                            "prose": "the information system displays organization-defined conditions before\n                        granting further access;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-8.c.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(2)"
-                          }
-                        ],
-                        "prose": "the information system displays references, if any, to monitoring, recording,\n                     or auditing that are consistent with privacy accommodations for such systems\n                     that generally prohibit those activities; and"
-                      },
-                      {
-                        "id": "ac-8.c.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(3)"
-                          }
-                        ],
-                        "prose": "the information system includes a description of the authorized uses of the\n                     system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprivacy and security policies, procedures addressing system use notification\\n\\ndocumented approval of information system use notification messages or banners\\n\\ninformation system audit records\\n\\nuser acknowledgements of notification message or banner\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system use notification messages\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for providing legal advice\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing system use notification"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-10",
-            "class": "SP800-53",
-            "title": "Concurrent Session Control",
-            "parameters": [
-              {
-                "id": "ac-10_prm_1",
-                "label": "organization-defined account and/or account type"
-              },
-              {
-                "id": "ac-10_prm_2",
-                "label": "organization-defined number",
-                "constraints": [
-                  {
-                    "detail": "three (3) sessions for privileged access and two (2) sessions for non-privileged access"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-10_smt",
-                "name": "statement",
-                "prose": "The information system limits the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}."
-              },
-              {
-                "id": "ac-10_gdn",
-                "name": "guidance",
-                "prose": "Organizations may define the maximum number of concurrent sessions for information\n               system accounts globally, by account type (e.g., privileged user, non-privileged\n               user, domain, specific application), by account, or a combination. For example,\n               organizations may limit the number of concurrent sessions for system administrators\n               or individuals working in particularly sensitive domains or mission-critical\n               applications. This control addresses concurrent sessions for information system\n               accounts and does not address concurrent sessions by single users via multiple system\n               accounts."
-              },
-              {
-                "id": "ac-10_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-10[1]"
-                      }
-                    ],
-                    "prose": "the organization defines account and/or account types for the information\n                  system;"
-                  },
-                  {
-                    "id": "ac-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-10[2]"
-                      }
-                    ],
-                    "prose": "the organization defines the number of concurrent sessions to be allowed for each\n                  organization-defined account and/or account type; and"
-                  },
-                  {
-                    "id": "ac-10_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-10[3]"
-                      }
-                    ],
-                    "prose": "the information system limits the number of concurrent sessions for each\n                  organization-defined account and/or account type to the organization-defined\n                  number of concurrent sessions allowed."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing concurrent session control\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy for concurrent session\n                  control"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-11",
-            "class": "SP800-53",
-            "title": "Session Lock",
-            "parameters": [
-              {
-                "id": "ac-11_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "fifteen (15) minutes"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-11"
-              }
-            ],
-            "links": [
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-11_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Prevents further access to the system by initiating a session lock after {{ ac-11_prm_1 }} of inactivity or upon receiving a request from a user;\n                  and"
-                  },
-                  {
-                    "id": "ac-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains the session lock until the user reestablishes access using established\n                  identification and authentication procedures."
-                  }
-                ]
-              },
-              {
-                "id": "ac-11_gdn",
-                "name": "guidance",
-                "prose": "Session locks are temporary actions taken when users stop work and move away from the\n               immediate vicinity of information systems but do not want to log out because of the\n               temporary nature of their absences. Session locks are implemented where session\n               activities can be determined. This is typically at the operating system level, but\n               can also be at the application level. Session locks are not an acceptable substitute\n               for logging out of information systems, for example, if organizations require users\n               to log out at the end of workdays.",
-                "links": [
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  }
-                ]
-              },
-              {
-                "id": "ac-11_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-11(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-11.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-11(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period of user inactivity after which the\n                     information system initiates a session lock;"
-                      },
-                      {
-                        "id": "ac-11.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-11(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system prevents further access to the system by initiating a\n                     session lock after organization-defined time period of user inactivity or upon\n                     receiving a request from a user; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-11(b)"
-                      }
-                    ],
-                    "prose": "the information system retains the session lock until the user reestablishes\n                  access using established identification and authentication procedures."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing session lock\\n\\nprocedures addressing identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy for session lock"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-11.1",
-                "class": "SP800-53-enhancement",
-                "title": "Pattern-hiding Displays",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-11(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-11.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-11.1_smt",
-                    "name": "statement",
-                    "prose": "The information system conceals, via the session lock, information previously\n                  visible on the display with a publicly viewable image."
-                  },
-                  {
-                    "id": "ac-11.1_gdn",
-                    "name": "guidance",
-                    "prose": "Publicly viewable images can include static or dynamic images, for example,\n                  patterns used with screen savers, photographic images, solid colors, clock,\n                  battery life indicator, or a blank screen, with the additional caveat that none of\n                  the images convey sensitive information."
-                  },
-                  {
-                    "id": "ac-11.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system conceals, via the session lock, information\n                  previously visible on the display with a publicly viewable image."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing session lock\\n\\ndisplay screen with session lock activated\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system session lock mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-12",
-            "class": "SP800-53",
-            "title": "Session Termination",
-            "parameters": [
-              {
-                "id": "ac-12_prm_1",
-                "label": "organization-defined conditions or trigger events requiring session\n               disconnect"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-12_smt",
-                "name": "statement",
-                "prose": "The information system automatically terminates a user session after {{ ac-12_prm_1 }}."
-              },
-              {
-                "id": "ac-12_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the termination of user-initiated logical sessions in contrast\n               to SC-10 which addresses the termination of network connections that are associated\n               with communications sessions (i.e., network disconnect). A logical session (for\n               local, network, and remote access) is initiated whenever a user (or process acting on\n               behalf of a user) accesses an organizational information system. Such user sessions\n               can be terminated (and thus terminate user access) without terminating network\n               sessions. Session termination terminates all processes associated with a user’s\n               logical session except those processes that are specifically created by the user\n               (i.e., session owner) to continue after the session is terminated. Conditions or\n               trigger events requiring automatic session termination can include, for example,\n               organization-defined periods of user inactivity, targeted responses to certain types\n               of incidents, time-of-day restrictions on information system use.",
-                "links": [
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#sc-23",
-                    "rel": "related",
-                    "text": "SC-23"
-                  }
-                ]
-              },
-              {
-                "id": "ac-12_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-12[1]"
-                      }
-                    ],
-                    "prose": "the organization defines conditions or trigger events requiring session\n                  disconnect; and"
-                  },
-                  {
-                    "id": "ac-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-12[2]"
-                      }
-                    ],
-                    "prose": "the information system automatically terminates a user session after\n                  organization-defined conditions or trigger events requiring session disconnect\n                  occurs."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing session termination\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of conditions or trigger events requiring session disconnect\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing user session termination"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-12.1",
-                "class": "SP800-53-enhancement",
-                "title": "User-initiated Logouts / Message Displays",
-                "parameters": [
-                  {
-                    "id": "ac-12.1_prm_1",
-                    "label": "organization-defined information resources"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-12(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-12.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-12.1_smt",
-                    "name": "statement",
-                    "prose": "The information system:",
-                    "parts": [
-                      {
-                        "id": "ac-12.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Provides a logout capability for user-initiated communications sessions\n                     whenever authentication is used to gain access to {{ ac-12.1_prm_1 }}; and"
-                      },
-                      {
-                        "id": "ac-12.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Displays an explicit logout message to users indicating the reliable\n                     termination of authenticated communications sessions."
-                      },
-                      {
-                        "id": "ac-12.1_fr",
-                        "name": "item",
-                        "title": "AC-12 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-12.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-12.1_gdn",
-                    "name": "guidance",
-                    "prose": "Information resources to which users gain access via authentication include, for\n                  example, local workstations, databases, and password-protected websites/web-based\n                  services. Logout messages for web page access, for example, can be displayed after\n                  authenticated sessions have been terminated. However, for some types of\n                  interactive sessions including, for example, file transfer protocol (FTP)\n                  sessions, information systems typically send logout messages as final messages\n                  prior to terminating sessions."
-                  },
-                  {
-                    "id": "ac-12.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-12.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-12(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-12.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-12(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines information resources for which user authentication\n                        is required to gain access to such resources;"
-                          },
-                          {
-                            "id": "ac-12.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-12(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "the information system provides a logout capability for user-initiated\n                        communications sessions whenever authentication is used to gain access to\n                        organization-defined information resources; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-12.1_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-12(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-12.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-12(1)(b)"
-                          }
-                        ],
-                        "prose": "the information system displays an explicit logout message to users indicating\n                     the reliable termination of authenticated communications sessions.",
-                        "links": [
-                          {
-                            "href": "#ac-12.1_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-12(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing session termination\\n\\nuser logout messages\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system session lock mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-14",
-            "class": "SP800-53",
-            "title": "Permitted Actions Without Identification or Authentication",
-            "parameters": [
-              {
-                "id": "ac-14_prm_1",
-                "label": "organization-defined user actions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-14"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-14"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-14_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-14_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies {{ ac-14_prm_1 }} that can be performed on the\n                  information system without identification or authentication consistent with\n                  organizational missions/business functions; and"
-                  },
-                  {
-                    "id": "ac-14_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."
-                  }
-                ]
-              },
-              {
-                "id": "ac-14_gdn",
-                "name": "guidance",
-                "prose": "This control addresses situations in which organizations determine that no\n               identification or authentication is required in organizational information systems.\n               Organizations may allow a limited number of user actions without identification or\n               authentication including, for example, when individuals access public websites or\n               other publicly accessible federal information systems, when individuals use mobile\n               phones to receive calls, or when facsimiles are received. Organizations also identify\n               actions that normally require identification or authentication but may under certain\n               circumstances (e.g., emergencies), allow identification or authentication mechanisms\n               to be bypassed. Such bypasses may occur, for example, via a software-readable\n               physical switch that commands bypass of the logon functionality and is protected from\n               accidental or unmonitored use. This control does not apply to situations where\n               identification and authentication have already occurred and are not repeated, but\n               rather to situations where identification and authentication have not yet occurred.\n               Organizations may decide that there are no user actions that can be performed on\n               organizational information systems without identification and authentication and\n               thus, the values for assignment statements can be none.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  }
-                ]
-              },
-              {
-                "id": "ac-14_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-14.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-14(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-14.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-14(a)[1]"
-                          }
-                        ],
-                        "prose": "defines user actions that can be performed on the information system without\n                     identification or authentication consistent with organizational\n                     missions/business functions;"
-                      },
-                      {
-                        "id": "ac-14.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-14(a)[2]"
-                          }
-                        ],
-                        "prose": "identifies organization-defined user actions that can be performed on the\n                     information system without identification or authentication consistent with\n                     organizational missions/business functions; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-14.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-14(b)"
-                      }
-                    ],
-                    "prose": "documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing permitted actions without identification or\n                  authentication\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nlist of user actions that can be performed without identification or\n                  authentication\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-17",
-            "class": "SP800-53",
-            "title": "Remote Access",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-17"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5309d4d0-46f8-4213-a749-e7584164e5e8",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-46"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              },
-              {
-                "href": "#349fe082-502d-464a-aa0c-1443c6a5cf40",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-113"
-              },
-              {
-                "href": "#1201fcf3-afb1-4675-915a-fb4ae0435717",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-114"
-              },
-              {
-                "href": "#d1a4e2a9-e512-4132-8795-5357aba29254",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-121"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-17_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-17_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and documents usage restrictions, configuration/connection\n                  requirements, and implementation guidance for each type of remote access allowed;\n                  and"
-                  },
-                  {
-                    "id": "ac-17_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes remote access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "id": "ac-17_gdn",
-                "name": "guidance",
-                "prose": "Remote access is access to organizational information systems by users (or processes\n               acting on behalf of users) communicating through external networks (e.g., the\n               Internet). Remote access methods include, for example, dial-up, broadband, and\n               wireless. Organizations often employ encrypted virtual private networks (VPNs) to\n               enhance confidentiality and integrity over remote connections. The use of encrypted\n               VPNs does not make the access non-remote; however, the use of VPNs, when adequately\n               provisioned with appropriate security controls (e.g., employing appropriate\n               encryption techniques for confidentiality and integrity protection) may provide\n               sufficient assurance to the organization that it can effectively treat such\n               connections as internal networks. Still, VPN connections traverse external networks,\n               and the encrypted VPN does not enhance the availability of remote connections. Also,\n               VPNs with encrypted tunnels can affect the organizational capability to adequately\n               monitor network communications traffic for malicious code. Remote access controls\n               apply to information systems other than public web servers or systems designed for\n               public access. This control addresses authorization prior to allowing remote access\n               without specifying the formats for such authorization. While organizations may use\n               interconnection security agreements to authorize remote access connections, such\n               agreements are not required by this control. Enforcing access restrictions for remote\n               connections is addressed in AC-3.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#pe-17",
-                    "rel": "related",
-                    "text": "PE-17"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-17.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-17(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-17.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[1]"
-                          }
-                        ],
-                        "prose": "identifies the types of remote access allowed to the information system;"
-                      },
-                      {
-                        "id": "ac-17.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes for each type of remote access allowed:",
-                        "parts": [
-                          {
-                            "id": "ac-17.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][a]"
-                              }
-                            ],
-                            "prose": "usage restrictions;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][b]"
-                              }
-                            ],
-                            "prose": "configuration/connection requirements;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][c]"
-                              }
-                            ],
-                            "prose": "implementation guidance;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-17.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[3]"
-                          }
-                        ],
-                        "prose": "documents for each type of remote access allowed:",
-                        "parts": [
-                          {
-                            "id": "ac-17.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][a]"
-                              }
-                            ],
-                            "prose": "usage restrictions;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][b]"
-                              }
-                            ],
-                            "prose": "configuration/connection requirements;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][c]"
-                              }
-                            ],
-                            "prose": "implementation guidance; and"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-17(b)"
-                      }
-                    ],
-                    "prose": "authorizes remote access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing remote access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nremote access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing remote access\n                  connections\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Remote access management capability for the information system"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-17.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Monitoring / Control",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-17(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.1_smt",
-                    "name": "statement",
-                    "prose": "The information system monitors and controls remote access methods."
-                  },
-                  {
-                    "id": "ac-17.1_gdn",
-                    "name": "guidance",
-                    "prose": "Automated monitoring and control of remote access sessions allows organizations to\n                  detect cyber attacks and also ensure ongoing compliance with remote access\n                  policies by auditing connection activities of remote users on a variety of\n                  information system components (e.g., servers, workstations, notebook computers,\n                  smart phones, and tablets).",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system monitors and controls remote access methods.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system monitoring records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms monitoring and controlling remote access methods"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-17.2",
-                "class": "SP800-53-enhancement",
-                "title": "Protection of Confidentiality / Integrity Using Encryption",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-17(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.2_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to protect the\n                  confidentiality and integrity of remote access sessions."
-                  },
-                  {
-                    "id": "ac-17.2_gdn",
-                    "name": "guidance",
-                    "prose": "The encryption strength of mechanism is selected based on the security\n                  categorization of the information.",
-                    "links": [
-                      {
-                        "href": "#sc-8",
-                        "rel": "related",
-                        "text": "SC-8"
-                      },
-                      {
-                        "href": "#sc-12",
-                        "rel": "related",
-                        "text": "SC-12"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements cryptographic mechanisms to protect\n                  the confidentiality and integrity of remote access sessions. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms protecting confidentiality and integrity of remote\n                     access sessions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-17.3",
-                "class": "SP800-53-enhancement",
-                "title": "Managed Access Control Points",
-                "parameters": [
-                  {
-                    "id": "ac-17.3_prm_1",
-                    "label": "organization-defined number"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-17(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.3_smt",
-                    "name": "statement",
-                    "prose": "The information system routes all remote accesses through {{ ac-17.3_prm_1 }} managed network access control points."
-                  },
-                  {
-                    "id": "ac-17.3_gdn",
-                    "name": "guidance",
-                    "prose": "Limiting the number of access control points for remote accesses reduces the\n                  attack surface for organizations. Organizations consider the Trusted Internet\n                  Connections (TIC) initiative requirements for external network connections.",
-                    "links": [
-                      {
-                        "href": "#sc-7",
-                        "rel": "related",
-                        "text": "SC-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-17.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(3)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the number of managed network access control points\n                     through which all remote accesses are to be routed; and"
-                      },
-                      {
-                        "id": "ac-17.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(3)[2]"
-                          }
-                        ],
-                        "prose": "the information system routes all remote accesses through the\n                     organization-defined number of managed network access control points."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\nlist of all managed network access control points\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms routing all remote accesses through managed network access\n                     control points"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-17.4",
-                "class": "SP800-53-enhancement",
-                "title": "Privileged Commands / Access",
-                "parameters": [
-                  {
-                    "id": "ac-17.4_prm_1",
-                    "label": "organization-defined needs"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-17(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.4_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ac-17.4_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Authorizes the execution of privileged commands and access to security-relevant\n                     information via remote access only for {{ ac-17.4_prm_1 }};\n                     and"
-                      },
-                      {
-                        "id": "ac-17.4_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Documents the rationale for such access in the security plan for the\n                     information system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.4_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-17.4.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-17(4)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-17.4.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-17(4)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines needs to authorize the execution of privileged commands and access\n                        to security-relevant information via remote access;"
-                          },
-                          {
-                            "id": "ac-17.4.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-17(4)(a)[2]"
-                              }
-                            ],
-                            "prose": "authorizes the execution of privileged commands and access to\n                        security-relevant information via remote access only for\n                        organization-defined needs; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-17.4_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-17(4)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-17.4.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(4)(b)"
-                          }
-                        ],
-                        "prose": "documents the rationale for such access in the information system security\n                     plan.",
-                        "links": [
-                          {
-                            "href": "#ac-17.4_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-17(4)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing remote access management"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-17.9",
-                "class": "SP800-53-enhancement",
-                "title": "Disconnect / Disable Access",
-                "parameters": [
-                  {
-                    "id": "ac-17.9_prm_1",
-                    "label": "organization-defined time period",
-                    "constraints": [
-                      {
-                        "detail": "fifteen (15) minutes"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-17(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.9_smt",
-                    "name": "statement",
-                    "prose": "The organization provides the capability to expeditiously disconnect or disable\n                  remote access to the information system within {{ ac-17.9_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-17.9_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement requires organizations to have the capability to rapidly\n                  disconnect current users remotely accessing the information system and/or disable\n                  further remote access. The speed of disconnect or disablement varies based on the\n                  criticality of missions/business functions and the need to eliminate immediate or\n                  future remote access to organizational information systems."
-                  },
-                  {
-                    "id": "ac-17.9_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-17.9_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(9)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to expeditiously disconnect or disable\n                     remote access to the information system; and"
-                      },
-                      {
-                        "id": "ac-17.9_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(9)[2]"
-                          }
-                        ],
-                        "prose": "provides the capability to expeditiously disconnect or disable remote access to\n                     the information system within the organization-defined time period."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing disconnecting or disabling remote access to the\n                     information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan, information system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing capability to disconnect or disable remote\n                     access to information system"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-18",
-            "class": "SP800-53",
-            "title": "Wireless Access",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-18"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-18"
-              }
-            ],
-            "links": [
-              {
-                "href": "#238ed479-eccb-49f6-82ec-ab74a7a428cf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-48"
-              },
-              {
-                "href": "#d1b1d689-0f66-4474-9924-c81119758dc1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-94"
-              },
-              {
-                "href": "#6f336ecd-f2a0-4c84-9699-0491d81b6e0d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-97"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-18_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-18_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions, configuration/connection requirements, and\n                  implementation guidance for wireless access; and"
-                  },
-                  {
-                    "id": "ac-18_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes wireless access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "id": "ac-18_gdn",
-                "name": "guidance",
-                "prose": "Wireless technologies include, for example, microwave, packet radio (UHF/VHF),\n               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,\n               EAP/TLS, PEAP), which provide credential protection and mutual authentication.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-18_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-18.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-18(a)"
-                      }
-                    ],
-                    "prose": "establishes for wireless access:",
-                    "parts": [
-                      {
-                        "id": "ac-18.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[1]"
-                          }
-                        ],
-                        "prose": "usage restrictions;"
-                      },
-                      {
-                        "id": "ac-18.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[2]"
-                          }
-                        ],
-                        "prose": "configuration/connection requirement;"
-                      },
-                      {
-                        "id": "ac-18.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[3]"
-                          }
-                        ],
-                        "prose": "implementation guidance; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-18(b)"
-                      }
-                    ],
-                    "prose": "authorizes wireless access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing wireless access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nwireless access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing wireless access\n                  connections\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Wireless access management capability for the information system"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-18.1",
-                "class": "SP800-53-enhancement",
-                "title": "Authentication and Encryption",
-                "parameters": [
-                  {
-                    "id": "ac-18.1_prm_1"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-18(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-18.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-18.1_smt",
-                    "name": "statement",
-                    "prose": "The information system protects wireless access to the system using authentication\n                  of {{ ac-18.1_prm_1 }} and encryption."
-                  },
-                  {
-                    "id": "ac-18.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#sc-8",
-                        "rel": "related",
-                        "text": "SC-8"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system protects wireless access to the system using\n                  encryption and one or more of the following:",
-                    "parts": [
-                      {
-                        "id": "ac-18.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(1)[1]"
-                          }
-                        ],
-                        "prose": "authentication of users; and/or"
-                      },
-                      {
-                        "id": "ac-18.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(1)[2]"
-                          }
-                        ],
-                        "prose": "authentication of devices."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing wireless access protections to the\n                     information system"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-18.3",
-                "class": "SP800-53-enhancement",
-                "title": "Disable Wireless Networking",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-18(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-18.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-18.3_smt",
-                    "name": "statement",
-                    "prose": "The organization disables, when not intended for use, wireless networking\n                  capabilities internally embedded within information system components prior to\n                  issuance and deployment."
-                  },
-                  {
-                    "id": "ac-18.3_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-19",
-                        "rel": "related",
-                        "text": "AC-19"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization disables, when not intended for use, wireless\n                  networking capabilities internally embedded within information system components\n                  prior to issuance and deployment."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms managing the disabling of wireless networking capabilities\n                     internally embedded within information system components"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-18.4",
-                "class": "SP800-53-enhancement",
-                "title": "Restrict Configurations by Users",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-18(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-18.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-18.4_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies and explicitly authorizes users allowed to\n                  independently configure wireless networking capabilities."
-                  },
-                  {
-                    "id": "ac-18.4_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational authorizations to allow selected users to configure wireless\n                  networking capability are enforced in part, by the access enforcement mechanisms\n                  employed within organizational information systems.",
-                    "links": [
-                      {
-                        "href": "#ac-3",
-                        "rel": "related",
-                        "text": "AC-3"
-                      },
-                      {
-                        "href": "#sc-15",
-                        "rel": "related",
-                        "text": "SC-15"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-18.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-18(4)[1]"
-                          }
-                        ],
-                        "prose": "identifies users allowed to independently configure wireless networking\n                     capabilities; and"
-                      },
-                      {
-                        "id": "ac-18.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-18(4)[2]"
-                          }
-                        ],
-                        "prose": "explicitly authorizes the identified users allowed to independently configure\n                     wireless networking capabilities."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms authorizing independent user configuration of wireless\n                     networking capabilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-18.5",
-                "class": "SP800-53-enhancement",
-                "title": "Antennas / Transmission Power Levels",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-18(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-18.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-18.5_smt",
-                    "name": "statement",
-                    "prose": "The organization selects radio antennas and calibrates transmission power levels\n                  to reduce the probability that usable signals can be received outside of\n                  organization-controlled boundaries."
-                  },
-                  {
-                    "id": "ac-18.5_gdn",
-                    "name": "guidance",
-                    "prose": "Actions that may be taken by organizations to limit unauthorized use of wireless\n                  communications outside of organization-controlled boundaries include, for example:\n                  (i) reducing the power of wireless transmissions so that the transmissions are\n                  less likely to emit a signal that can be used by adversaries outside of the\n                  physical perimeters of organizations; (ii) employing measures such as TEMPEST to\n                  control wireless emanations; and (iii) using directional/beam forming antennas\n                  that reduce the likelihood that unintended receivers will be able to intercept\n                  signals. Prior to taking such actions, organizations can conduct periodic wireless\n                  surveys to understand the radio frequency profile of organizational information\n                  systems as well as other systems that may be operating in the area.",
-                    "links": [
-                      {
-                        "href": "#pe-19",
-                        "rel": "related",
-                        "text": "PE-19"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ac-18.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-18(5)[1]"
-                          }
-                        ],
-                        "prose": "selects radio antennas to reduce the probability that usable signals can be\n                     received outside of organization-controlled boundaries; and"
-                      },
-                      {
-                        "id": "ac-18.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-18(5)[2]"
-                          }
-                        ],
-                        "prose": "calibrates transmission power levels to reduce the probability that usable\n                     signals can be received outside of organization-controlled boundaries."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Wireless access capability protecting usable signals from unauthorized access\n                     outside organization-controlled boundaries"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-19",
-            "class": "SP800-53",
-            "title": "Access Control for Mobile Devices",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-19"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-19"
-              }
-            ],
-            "links": [
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              },
-              {
-                "href": "#1201fcf3-afb1-4675-915a-fb4ae0435717",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-114"
-              },
-              {
-                "href": "#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-124"
-              },
-              {
-                "href": "#6513e480-fada-4876-abba-1397084dfb26",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-164"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-19_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-19_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions, configuration requirements, connection\n                  requirements, and implementation guidance for organization-controlled mobile\n                  devices; and"
-                  },
-                  {
-                    "id": "ac-19_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes the connection of mobile devices to organizational information\n                  systems."
-                  }
-                ]
-              },
-              {
-                "id": "ac-19_gdn",
-                "name": "guidance",
-                "prose": "A mobile device is a computing device that: (i) has a small form factor such that it\n               can easily be carried by a single individual; (ii) is designed to operate without a\n               physical connection (e.g., wirelessly transmit or receive information); (iii)\n               possesses local, non-removable or removable data storage; and (iv) includes a\n               self-contained power source. Mobile devices may also include voice communication\n               capabilities, on-board sensors that allow the device to capture information, and/or\n               built-in features for synchronizing local data with remote locations. Examples\n               include smart phones, E-readers, and tablets. Mobile devices are typically associated\n               with a single individual and the device is usually in close proximity to the\n               individual; however, the degree of proximity can vary depending upon on the form\n               factor and size of the device. The processing, storage, and transmission capability\n               of the mobile device may be comparable to or merely a subset of desktop systems,\n               depending upon the nature and intended purpose of the device. Due to the large\n               variety of mobile devices with different technical characteristics and capabilities,\n               organizational restrictions may vary for the different classes/types of such devices.\n               Usage restrictions and specific implementation guidance for mobile devices include,\n               for example, configuration management, device identification and authentication,\n               implementation of mandatory protective software (e.g., malicious code detection,\n               firewall), scanning devices for malicious code, updating virus protection software,\n               scanning for critical software updates and patches, conducting primary operating\n               system (and possibly other resident software) integrity checks, and disabling\n               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the\n               need to provide adequate security for mobile devices goes beyond the requirements in\n               this control. Many safeguards and countermeasures for mobile devices are reflected in\n               other security controls in the catalog allocated in the initial control baselines as\n               starting points for the development of security plans and overlays using the\n               tailoring process. There may also be some degree of overlap in the requirements\n               articulated by the security controls within the different families of controls. AC-20\n               addresses mobile devices that are not organization-controlled.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-9",
-                    "rel": "related",
-                    "text": "CA-9"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-43",
-                    "rel": "related",
-                    "text": "SC-43"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-19_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-19.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-19(a)"
-                      }
-                    ],
-                    "prose": "establishes for organization-controlled mobile devices:",
-                    "parts": [
-                      {
-                        "id": "ac-19.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[1]"
-                          }
-                        ],
-                        "prose": "usage restrictions;"
-                      },
-                      {
-                        "id": "ac-19.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[2]"
-                          }
-                        ],
-                        "prose": "configuration/connection requirement;"
-                      },
-                      {
-                        "id": "ac-19.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[3]"
-                          }
-                        ],
-                        "prose": "implementation guidance; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-19.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-19(b)"
-                      }
-                    ],
-                    "prose": "authorizes the connection of mobile devices to organizational information\n                  systems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing access control for mobile device usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nauthorizations for mobile device connections to organizational information\n                  systems\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel using mobile devices to access organizational information\n                  systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control capability authorizing mobile device connections to organizational\n                  information systems"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-19.5",
-                "class": "SP800-53-enhancement",
-                "title": "Full Device / Container-based Encryption",
-                "parameters": [
-                  {
-                    "id": "ac-19.5_prm_1"
-                  },
-                  {
-                    "id": "ac-19.5_prm_2",
-                    "label": "organization-defined mobile devices"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-19(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-19.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-19.5_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ ac-19.5_prm_1 }} to protect the\n                  confidentiality and integrity of information on {{ ac-19.5_prm_2 }}."
-                  },
-                  {
-                    "id": "ac-19.5_gdn",
-                    "name": "guidance",
-                    "prose": "Container-based encryption provides a more fine-grained approach to the encryption\n                  of data/information on mobile devices, including for example, encrypting selected\n                  data structures such as files, records, or fields.",
-                    "links": [
-                      {
-                        "href": "#mp-5",
-                        "rel": "related",
-                        "text": "MP-5"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      },
-                      {
-                        "href": "#sc-28",
-                        "rel": "related",
-                        "text": "SC-28"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-19.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-19.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-19(5)[1]"
-                          }
-                        ],
-                        "prose": "defines mobile devices for which full-device encryption or container encryption\n                     is required to protect the confidentiality and integrity of information on such\n                     devices; and"
-                      },
-                      {
-                        "id": "ac-19.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-19(5)[2]"
-                          }
-                        ],
-                        "prose": "employs full-device encryption or container encryption to protect the\n                     confidentiality and integrity of information on organization-defined mobile\n                     devices."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing access control for mobile devices\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nencryption mechanism s and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with access control responsibilities for mobile\n                     devices\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Encryption mechanisms protecting confidentiality and integrity of information\n                     on mobile devices"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-20",
-            "class": "SP800-53",
-            "title": "Use of External Information Systems",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-20"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-20"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-20_smt",
-                "name": "statement",
-                "prose": "The organization establishes terms and conditions, consistent with any trust\n               relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to:",
-                "parts": [
-                  {
-                    "id": "ac-20_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Access the information system from external information systems; and"
-                  },
-                  {
-                    "id": "ac-20_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Process, store, or transmit organization-controlled information using external\n                  information systems."
-                  }
-                ]
-              },
-              {
-                "id": "ac-20_gdn",
-                "name": "guidance",
-                "prose": "External information systems are information systems or components of information\n               systems that are outside of the authorization boundary established by organizations\n               and for which organizations typically have no direct supervision and authority over\n               the application of required security controls or the assessment of control\n               effectiveness. External information systems include, for example: (i) personally\n               owned information systems/devices (e.g., notebook computers, smart phones, tablets,\n               personal digital assistants); (ii) privately owned computing and communications\n               devices resident in commercial or public facilities (e.g., hotels, train stations,\n               convention centers, shopping malls, or airports); (iii) information systems owned or\n               controlled by nonfederal governmental organizations; and (iv) federal information\n               systems that are not owned by, operated by, or under the direct supervision and\n               authority of organizations. This control also addresses the use of external\n               information systems for the processing, storage, or transmission of organizational\n               information, including, for example, accessing cloud services (e.g., infrastructure\n               as a service, platform as a service, or software as a service) from organizational\n               information systems. For some external information systems (i.e., information systems\n               operated by other federal agencies, including organizations subordinate to those\n               agencies), the trust relationships that have been established between those\n               organizations and the originating organization may be such, that no explicit terms\n               and conditions are required. Information systems within these organizations would not\n               be considered external. These situations occur when, for example, there are\n               pre-existing sharing/trust agreements (either implicit or explicit) established\n               between federal agencies or organizations subordinate to those agencies, or when such\n               trust agreements are specified by applicable laws, Executive Orders, directives, or\n               policies. Authorized individuals include, for example, organizational personnel,\n               contractors, or other individuals with authorized access to organizational\n               information systems and over which organizations have the authority to impose rules\n               of behavior with regard to system access. Restrictions that organizations impose on\n               authorized individuals need not be uniform, as those restrictions may vary depending\n               upon the trust relationships between organizations. Therefore, organizations may\n               choose to impose different security restrictions on contractors than on state, local,\n               or tribal governments. This control does not apply to the use of external information\n               systems to access public interfaces to organizational information systems (e.g.,\n               individuals accessing federal information through www.usa.gov). Organizations\n               establish terms and conditions for the use of external information systems in\n               accordance with organizational security policies and procedures. Terms and conditions\n               address as a minimum: types of applications that can be accessed on organizational\n               information systems from external information systems; and the highest security\n               category of information that can be processed, stored, or transmitted on external\n               information systems. If terms and conditions with the owners of external information\n               systems cannot be established, organizations may impose restrictions on\n               organizational personnel using those external systems.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  }
-                ]
-              },
-              {
-                "id": "ac-20_obj",
-                "name": "objective",
-                "prose": "Determine if the organization establishes terms and conditions, consistent with any\n               trust relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to: ",
-                "parts": [
-                  {
-                    "id": "ac-20.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-20(a)"
-                      }
-                    ],
-                    "prose": "access the information system from the external information systems; and"
-                  },
-                  {
-                    "id": "ac-20.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-20(b)"
-                      }
-                    ],
-                    "prose": "process, store, or transmit organization-controlled information using external\n                  information systems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nexternal information systems terms and conditions\\n\\nlist of types of applications accessible from external information systems\\n\\nmaximum security categorization for information processed, stored, or transmitted\n                  on external information systems\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for defining terms and conditions\n                  for use of external information systems to access organizational systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing terms and conditions on use of external\n                  information systems"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-20.1",
-                "class": "SP800-53-enhancement",
-                "title": "Limits On Authorized Use",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-20(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-20.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-20.1_smt",
-                    "name": "statement",
-                    "prose": "The organization permits authorized individuals to use an external information\n                  system to access the information system or to process, store, or transmit\n                  organization-controlled information only when the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-20.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Verifies the implementation of required security controls on the external\n                     system as specified in the organization’s information security policy and\n                     security plan; or"
-                      },
-                      {
-                        "id": "ac-20.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Retains approved information system connection or processing agreements with\n                     the organizational entity hosting the external information system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-20.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement recognizes that there are circumstances where individuals\n                  using external information systems (e.g., contractors, coalition partners) need to\n                  access organizational information systems. In those situations, organizations need\n                  confidence that the external information systems contain the necessary security\n                  safeguards (i.e., security controls), so as not to compromise, damage, or\n                  otherwise harm organizational information systems. Verification that the required\n                  security controls have been implemented can be achieved, for example, by\n                  third-party, independent assessments, attestations, or other means, depending on\n                  the confidence level required by organizations.",
-                    "links": [
-                      {
-                        "href": "#ca-2",
-                        "rel": "related",
-                        "text": "CA-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-20.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization permits authorized individuals to use an external\n                  information system to access the information system or to process, store, or\n                  transmit organization-controlled information only when the organization: ",
-                    "parts": [
-                      {
-                        "id": "ac-20.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-20(1)(a)"
-                          }
-                        ],
-                        "prose": "verifies the implementation of required security controls on the external\n                     system as specified in the organization’s information security policy and\n                     security plan; or",
-                        "links": [
-                          {
-                            "href": "#ac-20.1_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-20(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-20.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-20(1)(b)"
-                          }
-                        ],
-                        "prose": "retains approved information system connection or processing agreements with\n                     the organizational entity hosting the external information system.",
-                        "links": [
-                          {
-                            "href": "#ac-20.1_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-20(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nsecurity plan\\n\\ninformation system connection or processing agreements\\n\\naccount management documents\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing limits on use of external information\n                     systems"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-20.2",
-                "class": "SP800-53-enhancement",
-                "title": "Portable Storage Devices",
-                "parameters": [
-                  {
-                    "id": "ac-20.2_prm_1"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-20(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-20.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-20.2_smt",
-                    "name": "statement",
-                    "prose": "The organization {{ ac-20.2_prm_1 }} the use of\n                  organization-controlled portable storage devices by authorized individuals on\n                  external information systems."
-                  },
-                  {
-                    "id": "ac-20.2_gdn",
-                    "name": "guidance",
-                    "prose": "Limits on the use of organization-controlled portable storage devices in external\n                  information systems include, for example, complete prohibition of the use of such\n                  devices or restrictions on how the devices may be used and under what conditions\n                  the devices may be used."
-                  },
-                  {
-                    "id": "ac-20.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization restricts or prohibits the use of\n                  organization-controlled portable storage devices by authorized individuals on\n                  external information systems. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system connection or processing agreements\\n\\naccount management documents\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for restricting or prohibiting\n                     use of organization-controlled storage devices on external information\n                     systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing restrictions on use of portable storage\n                     devices"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-21",
-            "class": "SP800-53",
-            "title": "Information Sharing",
-            "parameters": [
-              {
-                "id": "ac-21_prm_1",
-                "label": "organization-defined information sharing circumstances where user discretion is\n               required"
-              },
-              {
-                "id": "ac-21_prm_2",
-                "label": "organization-defined automated mechanisms or manual processes"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-21"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-21"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-21_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-21_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Facilitates information sharing by enabling authorized users to determine whether\n                  access authorizations assigned to the sharing partner match the access\n                  restrictions on the information for {{ ac-21_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ac-21_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs {{ ac-21_prm_2 }} to assist users in making information\n                  sharing/collaboration decisions."
-                  }
-                ]
-              },
-              {
-                "id": "ac-21_gdn",
-                "name": "guidance",
-                "prose": "This control applies to information that may be restricted in some manner (e.g.,\n               privileged medical information, contract-sensitive information, proprietary\n               information, personally identifiable information, classified information related to\n               special access programs or compartments) based on some formal or administrative\n               determination. Depending on the particular information-sharing circumstances, sharing\n               partners may be defined at the individual, group, or organizational level.\n               Information may be defined by content, type, security category, or special access\n               program/compartment.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  }
-                ]
-              },
-              {
-                "id": "ac-21_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ac-21.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-21(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-21.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-21(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information sharing circumstances where user discretion is\n                     required;"
-                      },
-                      {
-                        "id": "ac-21.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-21(a)[2]"
-                          }
-                        ],
-                        "prose": "facilitates information sharing by enabling authorized users to determine\n                     whether access authorizations assigned to the sharing partner match the access\n                     restrictions on the information for organization-defined information sharing\n                     circumstances;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-21.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-21(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-21.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-21(b)[1]"
-                          }
-                        ],
-                        "prose": "defines automated mechanisms or manual processes to be employed to assist users\n                     in making information sharing/collaboration decisions; and"
-                      },
-                      {
-                        "id": "ac-21.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-21(b)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined automated mechanisms or manual processes to assist\n                     users in making information sharing/collaboration decisions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing user-based collaboration and information sharing (including\n                  restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of users authorized to make information sharing/collaboration decisions\\n\\nlist of information sharing circumstances requiring user discretion\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel responsible for making information sharing/collaboration\n                  decisions\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms or manual process implementing access authorizations\n                  supporting information sharing/user collaboration decisions"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-22",
-            "class": "SP800-53",
-            "title": "Publicly Accessible Content",
-            "parameters": [
-              {
-                "id": "ac-22_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least quarterly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-22"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-22"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-22_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-22_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Designates individuals authorized to post information onto a publicly accessible\n                  information system;"
-                  },
-                  {
-                    "id": "ac-22_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"
-                  },
-                  {
-                    "id": "ac-22_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included; and"
-                  },
-                  {
-                    "id": "ac-22_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Reviews the content on the publicly accessible information system for nonpublic\n                  information {{ ac-22_prm_1 }} and removes such information, if\n                  discovered."
-                  }
-                ]
-              },
-              {
-                "id": "ac-22_gdn",
-                "name": "guidance",
-                "prose": "In accordance with federal laws, Executive Orders, directives, policies, regulations,\n               standards, and/or guidance, the general public is not authorized access to nonpublic\n               information (e.g., information protected under the Privacy Act and proprietary\n               information). This control addresses information systems that are controlled by the\n               organization and accessible to the general public, typically without identification\n               or authentication. The posting of information on non-organization information systems\n               is covered by organizational policy.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#au-13",
-                    "rel": "related",
-                    "text": "AU-13"
-                  }
-                ]
-              },
-              {
-                "id": "ac-22_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ac-22.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(a)"
-                      }
-                    ],
-                    "prose": "designates individuals authorized to post information onto a publicly accessible\n                  information system;"
-                  },
-                  {
-                    "id": "ac-22.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(b)"
-                      }
-                    ],
-                    "prose": "trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"
-                  },
-                  {
-                    "id": "ac-22.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(c)"
-                      }
-                    ],
-                    "prose": "reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included;"
-                  },
-                  {
-                    "id": "ac-22.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-22(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-22.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the content on the publicly accessible\n                     information system for nonpublic information;"
-                      },
-                      {
-                        "id": "ac-22.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[2]"
-                          }
-                        ],
-                        "prose": "reviews the content on the publicly accessible information system for nonpublic\n                     information with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "ac-22.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[3]"
-                          }
-                        ],
-                        "prose": "removes nonpublic information from the publicly accessible information system,\n                     if discovered."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing publicly accessible content\\n\\nlist of users authorized to post publicly accessible content on organizational\n                  information systems\\n\\ntraining materials and/or records\\n\\nrecords of publicly accessible information reviews\\n\\nrecords of response to nonpublic information on public websites\\n\\nsystem audit logs\\n\\nsecurity awareness training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing publicly accessible\n                  information posted on organizational information systems\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing management of publicly accessible content"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "at",
-        "class": "family",
-        "title": "Awareness and Training",
-        "controls": [
-          {
-            "id": "at-1",
-            "class": "SP800-53",
-            "title": "Security Awareness and Training Policy and Procedures",
-            "parameters": [
-              {
-                "id": "at-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "at-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              },
-              {
-                "id": "at-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "at-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ at-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "at-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security awareness and training policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "at-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security awareness and\n                     training policy and associated security awareness and training controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "at-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security awareness and training policy {{ at-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "at-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security awareness and training procedures {{ at-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "at-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AT\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "at-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an security awareness and training policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "at-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "at-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the security awareness and training\n                        policy are to be disseminated;"
-                          },
-                          {
-                            "id": "at-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the security awareness and training policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        security awareness and training policy and associated awareness and training\n                        controls;"
-                          },
-                          {
-                            "id": "at-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "at-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security awareness\n                        and training policy;"
-                          },
-                          {
-                            "id": "at-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security awareness and training policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security awareness\n                        and training procedures; and"
-                          },
-                          {
-                            "id": "at-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security awareness and training procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security awareness and training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-2",
-            "class": "SP800-53",
-            "title": "Security Awareness Training",
-            "parameters": [
-              {
-                "id": "at-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bb61234b-46c3-4211-8c2b-9869222a720d",
-                "rel": "reference",
-                "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-              },
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-2_smt",
-                "name": "statement",
-                "prose": "The organization provides basic security awareness training to information system\n               users (including managers, senior executives, and contractors):",
-                "parts": [
-                  {
-                    "id": "at-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "As part of initial training for new users;"
-                  },
-                  {
-                    "id": "at-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "at-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ at-2_prm_1 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "at-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the appropriate content of security awareness training and\n               security awareness techniques based on the specific organizational requirements and\n               the information systems to which personnel have authorized access. The content\n               includes a basic understanding of the need for information security and user actions\n               to maintain security and to respond to suspected security incidents. The content also\n               addresses awareness of the need for operations security. Security awareness\n               techniques can include, for example, displaying posters, offering supplies inscribed\n               with security reminders, generating email advisories/notices from senior\n               organizational officials, displaying logon screen messages, and conducting\n               information security awareness events.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#at-4",
-                    "rel": "related",
-                    "text": "AT-4"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "at-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-2(a)"
-                      }
-                    ],
-                    "prose": "provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) as part of initial training for new\n                  users;"
-                  },
-                  {
-                    "id": "at-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-2(b)"
-                      }
-                    ],
-                    "prose": "provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) when required by information system\n                  changes; and"
-                  },
-                  {
-                    "id": "at-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher security awareness training\n                     thereafter to information system users (including managers, senior executives,\n                     and contractors); and"
-                      },
-                      {
-                        "id": "at-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-2(c)[2]"
-                          }
-                        ],
-                        "prose": "provides refresher security awareness training to information users (including\n                     managers, senior executives, and contractors) with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nappropriate codes of federal regulations\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for security awareness training\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel comprising the general information system user\n                  community"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms managing security awareness training"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "at-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Insider Threat",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AT-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "at-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "at-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization includes security awareness training on recognizing and reporting\n                  potential indicators of insider threat."
-                  },
-                  {
-                    "id": "at-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "Potential indicators and possible precursors of insider threat can include\n                  behaviors such as inordinate, long-term job dissatisfaction, attempts to gain\n                  access to information not required for job performance, unexplained access to\n                  financial resources, bullying or sexual harassment of fellow employees, workplace\n                  violence, and other serious violations of organizational policies, procedures,\n                  directives, rules, or practices. Security awareness training includes how to\n                  communicate employee and management concerns regarding potential indicators of\n                  insider threat through appropriate organizational channels in accordance with\n                  established organizational policies and procedures.",
-                    "links": [
-                      {
-                        "href": "#pl-4",
-                        "rel": "related",
-                        "text": "PL-4"
-                      },
-                      {
-                        "href": "#pm-12",
-                        "rel": "related",
-                        "text": "PM-12"
-                      },
-                      {
-                        "href": "#ps-3",
-                        "rel": "related",
-                        "text": "PS-3"
-                      },
-                      {
-                        "href": "#ps-6",
-                        "rel": "related",
-                        "text": "PS-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-2.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization includes security awareness training on recognizing\n                  and reporting potential indicators of insider threat. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel that participate in security awareness training\\n\\norganizational personnel with responsibilities for basic security awareness\n                     training\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-3",
-            "class": "SP800-53",
-            "title": "Role-based Security Training",
-            "parameters": [
-              {
-                "id": "at-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bb61234b-46c3-4211-8c2b-9869222a720d",
-                "rel": "reference",
-                "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-3_smt",
-                "name": "statement",
-                "prose": "The organization provides role-based security training to personnel with assigned\n               security roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "at-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Before authorizing access to the information system or performing assigned\n                  duties;"
-                  },
-                  {
-                    "id": "at-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "at-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ at-3_prm_1 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "at-3_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the appropriate content of security training based on the\n               assigned roles and responsibilities of individuals and the specific security\n               requirements of organizations and the information systems to which personnel have\n               authorized access. In addition, organizations provide enterprise architects,\n               information system developers, software developers, acquisition/procurement\n               officials, information system managers, system/network administrators, personnel\n               conducting configuration management and auditing activities, personnel performing\n               independent verification and validation activities, security control assessors, and\n               other personnel having access to system-level software, adequate security-related\n               technical training specifically tailored for their assigned duties. Comprehensive\n               role-based training addresses management, operational, and technical roles and\n               responsibilities covering physical, personnel, and technical safeguards and\n               countermeasures. Such training can include for example, policies, procedures, tools,\n               and artifacts for the organizational security roles defined. Organizations also\n               provide the training necessary for individuals to carry out their responsibilities\n               related to operations and supply chain security within the context of organizational\n               information security programs. Role-based security training also applies to\n               contractors providing services to federal agencies.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-4",
-                    "rel": "related",
-                    "text": "AT-4"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sa-16",
-                    "rel": "related",
-                    "text": "SA-16"
-                  }
-                ]
-              },
-              {
-                "id": "at-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-3(a)"
-                      }
-                    ],
-                    "prose": "provides role-based security training to personnel with assigned security roles\n                  and responsibilities before authorizing access to the information system or\n                  performing assigned duties;"
-                  },
-                  {
-                    "id": "at-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-3(b)"
-                      }
-                    ],
-                    "prose": "provides role-based security training to personnel with assigned security roles\n                  and responsibilities when required by information system changes; and"
-                  },
-                  {
-                    "id": "at-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher role-based security training\n                     thereafter to personnel with assigned security roles and responsibilities;\n                     and"
-                      },
-                      {
-                        "id": "at-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides refresher role-based security training to personnel with assigned\n                     security roles and responsibilities with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\ncodes of federal regulations\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for role-based security\n                  training\\n\\norganizational personnel with assigned information system security roles and\n                  responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms managing role-based security training"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "at-3.3",
-                "class": "SP800-53-enhancement",
-                "title": "Practical Exercises",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AT-3(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "at-03.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "at-3.3_smt",
-                    "name": "statement",
-                    "prose": "The organization includes practical exercises in security training that reinforce\n                  training objectives."
-                  },
-                  {
-                    "id": "at-3.3_gdn",
-                    "name": "guidance",
-                    "prose": "Practical exercises may include, for example, security training for software\n                  developers that includes simulated cyber attacks exploiting common software\n                  vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted\n                  at senior leaders/executives. These types of practical exercises help developers\n                  better understand the effects of such vulnerabilities and appreciate the need for\n                  security coding standards and processes."
-                  },
-                  {
-                    "id": "at-3.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization includes practical exercises in security training\n                  that reinforce training objectives. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for role-based security\n                     training\\n\\norganizational personnel that participate in security awareness training"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "at-3.4",
-                "class": "SP800-53-enhancement",
-                "title": "Suspicious Communications and Anomalous System Behavior",
-                "parameters": [
-                  {
-                    "id": "at-3.4_prm_1",
-                    "label": "organization-defined indicators of malicious code",
-                    "constraints": [
-                      {
-                        "detail": "malicious code indicators as defined by organization incident policy/capability."
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AT-3(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "at-03.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "at-3.4_smt",
-                    "name": "statement",
-                    "prose": "The organization provides training to its personnel on {{ at-3.4_prm_1 }} to recognize suspicious communications and anomalous\n                  behavior in organizational information systems."
-                  },
-                  {
-                    "id": "at-3.4_gdn",
-                    "name": "guidance",
-                    "prose": "A well-trained workforce provides another organizational safeguard that can be\n                  employed as part of a defense-in-depth strategy to protect organizations against\n                  malicious code coming in to organizations via email or the web applications.\n                  Personnel are trained to look for indications of potentially suspicious email\n                  (e.g., receiving an unexpected email, receiving an email containing strange or\n                  poor grammar, or receiving an email from an unfamiliar sender but who appears to\n                  be from a known sponsor or contractor). Personnel are also trained on how to\n                  respond to such suspicious email or web communications (e.g., not opening\n                  attachments, not clicking on embedded web links, and checking the source of email\n                  addresses). For this process to work effectively, all organizational personnel are\n                  trained and made aware of what constitutes suspicious communications. Training\n                  personnel on how to recognize anomalous behaviors in organizational information\n                  systems can potentially provide early warning for the presence of malicious code.\n                  Recognition of such anomalous behavior by organizational personnel can supplement\n                  automated malicious code detection and protection tools and systems employed by\n                  organizations."
-                  },
-                  {
-                    "id": "at-3.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "at-3.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-3(4)[1]"
-                          }
-                        ],
-                        "prose": "defines indicators of malicious code; and"
-                      },
-                      {
-                        "id": "at-3.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-3(4)[2]"
-                          }
-                        ],
-                        "prose": "provides training to its personnel on organization-defined indicators of\n                     malicious code to recognize suspicious communications and anomalous behavior in\n                     organizational information systems."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for role-based security\n                     training\\n\\norganizational personnel that participate in security awareness training"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-4",
-            "class": "SP800-53",
-            "title": "Security Training Records",
-            "parameters": [
-              {
-                "id": "at-4_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "five (5) years or 5 years after completion of a specific training program"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "at-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Documents and monitors individual information system security training activities\n                  including basic security awareness training and specific information system\n                  security training; and"
-                  },
-                  {
-                    "id": "at-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains individual training records for {{ at-4_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "at-4_gdn",
-                "name": "guidance",
-                "prose": "Documentation for specialized training may be maintained by individual supervisors at\n               the option of the organization.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pm-14",
-                    "rel": "related",
-                    "text": "PM-14"
-                  }
-                ]
-              },
-              {
-                "id": "at-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(a)[1]"
-                          }
-                        ],
-                        "prose": "documents individual information system security training activities\n                     including:",
-                        "parts": [
-                          {
-                            "id": "at-4.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[1][a]"
-                              }
-                            ],
-                            "prose": "basic security awareness training;"
-                          },
-                          {
-                            "id": "at-4.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[1][b]"
-                              }
-                            ],
-                            "prose": "specific role-based information system security training;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors individual information system security training activities\n                     including:",
-                        "parts": [
-                          {
-                            "id": "at-4.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[2][a]"
-                              }
-                            ],
-                            "prose": "basic security awareness training;"
-                          },
-                          {
-                            "id": "at-4.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[2][b]"
-                              }
-                            ],
-                            "prose": "specific role-based information system security training;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-4(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period to retain individual training records; and"
-                      },
-                      {
-                        "id": "at-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(b)[2]"
-                          }
-                        ],
-                        "prose": "retains individual training records for the organization-defined time\n                     period."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security training records\\n\\nsecurity awareness and training records\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security training record retention\n                  responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting management of security training records"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "au",
-        "class": "family",
-        "title": "Audit and Accountability",
-        "controls": [
-          {
-            "id": "au-1",
-            "class": "SP800-53",
-            "title": "Audit and Accountability Policy and Procedures",
-            "parameters": [
-              {
-                "id": "au-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "au-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "au-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ au-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "au-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An audit and accountability policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "au-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the audit and accountability\n                     policy and associated audit and accountability controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "au-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Audit and accountability policy {{ au-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "au-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Audit and accountability procedures {{ au-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AU\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "au-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an audit and accountability policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "au-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "au-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the audit and accountability policy are\n                        to be disseminated;"
-                          },
-                          {
-                            "id": "au-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the audit and accountability policy to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        audit and accountability policy and associated audit and accountability\n                        controls;"
-                          },
-                          {
-                            "id": "au-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "au-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current audit and\n                        accountability policy;"
-                          },
-                          {
-                            "id": "au-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current audit and accountability policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current audit and\n                        accountability procedures; and"
-                          },
-                          {
-                            "id": "au-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current audit and accountability procedures in\n                        accordance with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-2",
-            "class": "SP800-53",
-            "title": "Audit Events",
-            "parameters": [
-              {
-                "id": "au-2_prm_1",
-                "label": "organization-defined auditable events",
-                "constraints": [
-                  {
-                    "detail": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"
-                  }
-                ]
-              },
-              {
-                "id": "au-2_prm_2",
-                "label": "organization-defined audited events (the subset of the auditable events defined\n               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each\n               identified event",
-                "constraints": [
-                  {
-                    "detail": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#672fd561-b92b-4713-b9cf-6c9d9456728b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-92"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines that the information system is capable of auditing the following\n                  events: {{ au-2_prm_1 }};"
-                  },
-                  {
-                    "id": "au-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"
-                  },
-                  {
-                    "id": "au-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents; and"
-                  },
-                  {
-                    "id": "au-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Determines that the following events are to be audited within the information\n                  system: {{ au-2_prm_2 }}."
-                  },
-                  {
-                    "id": "au-2_fr",
-                    "name": "item",
-                    "title": "AU-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-2_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-2_gdn",
-                "name": "guidance",
-                "prose": "An event is any observable occurrence in an organizational information system.\n               Organizations identify audit events as those events which are significant and\n               relevant to the security of information systems and the environments in which those\n               systems operate in order to meet specific and ongoing audit needs. Audit events can\n               include, for example, password changes, failed logons, or failed accesses related to\n               information systems, administrative privilege usage, PIV credential usage, or\n               third-party credential usage. In determining the set of auditable events,\n               organizations consider the auditing appropriate for each of the security controls to\n               be implemented. To balance auditing requirements with other information system needs,\n               this control also requires identifying that subset of auditable events that are\n               audited at a given point in time. For example, organizations may determine that\n               information systems must have the capability to log every file access both successful\n               and unsuccessful, but not activate that capability except for specific circumstances\n               due to the potential burden on system performance. Auditing requirements, including\n               the need for auditable events, may be referenced in other security controls and\n               control enhancements. Organizations also include auditable events that are required\n               by applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards. Audit records can be generated at various levels of abstraction, including\n               at the packet level as information traverses the network. Selecting the appropriate\n               level of abstraction is a critical aspect of an audit capability and can facilitate\n               the identification of root causes to problems. Organizations consider in the\n               definition of auditable events, the auditing necessary to cover related events such\n               as the steps in distributed, transaction-based processes (e.g., processes that are\n               distributed across multiple organizations) and actions that occur in service-oriented\n               architectures.",
-                "links": [
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "au-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the auditable events that the information system must be capable of\n                     auditing;"
-                      },
-                      {
-                        "id": "au-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(a)[2]"
-                          }
-                        ],
-                        "prose": "determines that the information system is capable of auditing\n                     organization-defined auditable events;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-2(b)"
-                      }
-                    ],
-                    "prose": "coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"
-                  },
-                  {
-                    "id": "au-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-2(c)"
-                      }
-                    ],
-                    "prose": "provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents;"
-                  },
-                  {
-                    "id": "au-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines the subset of auditable events defined in AU-2a that are to be audited\n                     within the information system;"
-                      },
-                      {
-                        "id": "au-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[2]"
-                          }
-                        ],
-                        "prose": "determines that the subset of auditable events defined in AU-2a are to be\n                     audited within the information system; and"
-                      },
-                      {
-                        "id": "au-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[3]"
-                          }
-                        ],
-                        "prose": "determines the frequency of (or situation requiring) auditing for each\n                     identified event."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system auditable events\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system auditing"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Reviews and Updates",
-                "parameters": [
-                  {
-                    "id": "au-2.3_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "annually or whenever there is a change in the threat environment"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AU-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization reviews and updates the audited events {{ au-2.3_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "au-2.3_fr",
-                        "name": "item",
-                        "title": "AU-2 (3) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "au-2.3_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Over time, the events that organizations believe should be audited may change.\n                  Reviewing and updating the set of audited events periodically is necessary to\n                  ensure that the current set is still necessary and sufficient."
-                  },
-                  {
-                    "id": "au-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "au-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the audited events; and"
-                      },
-                      {
-                        "id": "au-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(3)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the auditable events with organization-defined\n                     frequency."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\nlist of organization-defined auditable events\\n\\nauditable events review and update records\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting review and update of auditable events"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-3",
-            "class": "SP800-53",
-            "title": "Content of Audit Records",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-3_smt",
-                "name": "statement",
-                "prose": "The information system generates audit records containing information that\n               establishes what type of event occurred, when the event occurred, where the event\n               occurred, the source of the event, the outcome of the event, and the identity of any\n               individuals or subjects associated with the event."
-              },
-              {
-                "id": "au-3_gdn",
-                "name": "guidance",
-                "prose": "Audit record content that may be necessary to satisfy the requirement of this\n               control, includes, for example, time stamps, source and destination addresses,\n               user/process identifiers, event descriptions, success/fail indications, filenames\n               involved, and access control or flow control rules invoked. Event outcomes can\n               include indicators of event success or failure and event-specific results (e.g., the\n               security state of the information system after the event occurred).",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-8",
-                    "rel": "related",
-                    "text": "AU-8"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#si-11",
-                    "rel": "related",
-                    "text": "SI-11"
-                  }
-                ]
-              },
-              {
-                "id": "au-3_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system generates audit records containing information\n               that establishes: ",
-                "parts": [
-                  {
-                    "id": "au-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[1]"
-                      }
-                    ],
-                    "prose": "what type of event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[2]"
-                      }
-                    ],
-                    "prose": "when the event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[3]"
-                      }
-                    ],
-                    "prose": "where the event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[4]"
-                      }
-                    ],
-                    "prose": "the source of the event;"
-                  },
-                  {
-                    "id": "au-3_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[5]"
-                      }
-                    ],
-                    "prose": "the outcome of the event; and"
-                  },
-                  {
-                    "id": "au-3_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[6]"
-                      }
-                    ],
-                    "prose": "the identity of any individuals or subjects associated with the event."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system auditing of auditable\n                  events"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Additional Audit Information",
-                "parameters": [
-                  {
-                    "id": "au-3.1_prm_1",
-                    "label": "organization-defined additional, more detailed information",
-                    "constraints": [
-                      {
-                        "detail": "session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-3.1_smt",
-                    "name": "statement",
-                    "prose": "The information system generates audit records containing the following additional\n                  information: {{ au-3.1_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "au-3.1_fr",
-                        "name": "item",
-                        "title": "AU-3 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "au-3.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO."
-                          },
-                          {
-                            "id": "au-3.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-3.1_gdn",
-                    "name": "guidance",
-                    "prose": "Detailed information that organizations may consider in audit records includes,\n                  for example, full text recording of privileged commands or the individual\n                  identities of group account users. Organizations consider limiting the additional\n                  audit information to only that information explicitly needed for specific audit\n                  requirements. This facilitates the use of audit trails and audit logs by not\n                  including information that could potentially be misleading or could make it more\n                  difficult to locate information of interest."
-                  },
-                  {
-                    "id": "au-3.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-3.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-3(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines additional, more detailed information to be contained\n                     in audit records that the information system generates; and"
-                      },
-                      {
-                        "id": "au-3.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-3(1)[2]"
-                          }
-                        ],
-                        "prose": "the information system generates audit records containing the\n                     organization-defined additional, more detailed information."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system audit capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-3.2",
-                "class": "SP800-53-enhancement",
-                "title": "Centralized Management of Planned Audit Record Content",
-                "parameters": [
-                  {
-                    "id": "au-3.2_prm_1",
-                    "label": "organization-defined information system components",
-                    "constraints": [
-                      {
-                        "detail": "all network, data storage, and computing devices"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-3(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-03.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-3.2_smt",
-                    "name": "statement",
-                    "prose": "The information system provides centralized management and configuration of the\n                  content to be captured in audit records generated by {{ au-3.2_prm_1 }}."
-                  },
-                  {
-                    "id": "au-3.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement requires that the content to be captured in audit records\n                  be configured from a central location (necessitating automation). Organizations\n                  coordinate the selection of required audit content to support the centralized\n                  management and configuration capability provided by the information system.",
-                    "links": [
-                      {
-                        "href": "#au-6",
-                        "rel": "related",
-                        "text": "AU-6"
-                      },
-                      {
-                        "href": "#au-7",
-                        "rel": "related",
-                        "text": "AU-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-3.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-3.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-3(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines information system components that generate audit\n                     records whose content is to be centrally managed and configured by the\n                     information system; and"
-                      },
-                      {
-                        "id": "au-3.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-3(2)[2]"
-                          }
-                        ],
-                        "prose": "the information system provides centralized management and configuration of the\n                     content to be captured in audit records generated by the organization-defined\n                     information system components."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system capability implementing centralized management and\n                     configuration of audit record content"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-4",
-            "class": "SP800-53",
-            "title": "Audit Storage Capacity",
-            "parameters": [
-              {
-                "id": "au-4_prm_1",
-                "label": "organization-defined audit record storage requirements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-4_smt",
-                "name": "statement",
-                "prose": "The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}."
-              },
-              {
-                "id": "au-4_gdn",
-                "name": "guidance",
-                "prose": "Organizations consider the types of auditing to be performed and the audit processing\n               requirements when allocating audit storage capacity. Allocating sufficient audit\n               storage capacity reduces the likelihood of such capacity being exceeded and resulting\n               in the potential loss or reduction of auditing capability.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-11",
-                    "rel": "related",
-                    "text": "AU-11"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "au-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-4_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-4[1]"
-                      }
-                    ],
-                    "prose": "defines audit record storage requirements; and"
-                  },
-                  {
-                    "id": "au-4_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-4[2]"
-                      }
-                    ],
-                    "prose": "allocates audit record storage capacity in accordance with the\n                  organization-defined audit record storage requirements."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit storage capacity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit record storage requirements\\n\\naudit record storage capability for information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit record storage capacity and related configuration settings"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-5",
-            "class": "SP800-53",
-            "title": "Response to Audit Processing Failures",
-            "parameters": [
-              {
-                "id": "au-5_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "au-5_prm_2",
-                "label": "organization-defined actions to be taken (e.g., shut down information system,\n               overwrite oldest audit records, stop generating audit records)",
-                "constraints": [
-                  {
-                    "detail": "organization-defined actions to be taken (overwrite oldest record)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-5_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Alerts {{ au-5_prm_1 }} in the event of an audit processing\n                  failure; and"
-                  },
-                  {
-                    "id": "au-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Takes the following additional actions: {{ au-5_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-5_gdn",
-                "name": "guidance",
-                "prose": "Audit processing failures include, for example, software/hardware errors, failures in\n               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n               Organizations may choose to define additional actions for different audit processing\n               failures (e.g., by type, by location, by severity, or a combination of such factors).\n               This control applies to each audit data storage repository (i.e., distinct\n               information system component where audit records are stored), the total audit storage\n               capacity of organizations (i.e., all audit data storage repositories combined), or\n               both.",
-                "links": [
-                  {
-                    "href": "#au-4",
-                    "rel": "related",
-                    "text": "AU-4"
-                  },
-                  {
-                    "href": "#si-12",
-                    "rel": "related",
-                    "text": "SI-12"
-                  }
-                ]
-              },
-              {
-                "id": "au-5_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the personnel or roles to be alerted in the event of\n                     an audit processing failure;"
-                      },
-                      {
-                        "id": "au-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system alerts the organization-defined personnel or roles in\n                     the event of an audit processing failure;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines additional actions to be taken (e.g., shutdown\n                     information system, overwrite oldest audit records, stop generating audit\n                     records) in the event of an audit processing failure; and"
-                      },
-                      {
-                        "id": "au-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system takes the additional organization-defined actions in the\n                     event of an audit processing failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of personnel to be notified in case of an audit processing failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system response to audit processing\n                  failures"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Audit Storage Capacity",
-                "parameters": [
-                  {
-                    "id": "au-5.1_prm_1",
-                    "label": "organization-defined personnel, roles, and/or locations"
-                  },
-                  {
-                    "id": "au-5.1_prm_2",
-                    "label": "organization-defined time period"
-                  },
-                  {
-                    "id": "au-5.1_prm_3",
-                    "label": "organization-defined percentage"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-5.1_smt",
-                    "name": "statement",
-                    "prose": "The information system provides a warning to {{ au-5.1_prm_1 }}\n                  within {{ au-5.1_prm_2 }} when allocated audit record storage\n                  volume reaches {{ au-5.1_prm_3 }} of repository maximum audit\n                  record storage capacity."
-                  },
-                  {
-                    "id": "au-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may have multiple audit data storage repositories distributed across\n                  multiple information system components, with each repository having different\n                  storage volume capacities."
-                  },
-                  {
-                    "id": "au-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-5.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines:",
-                        "parts": [
-                          {
-                            "id": "au-5.1_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-5(1)[1][a]"
-                              }
-                            ],
-                            "prose": "personnel to be warned when allocated audit record storage volume reaches\n                        organization-defined percentage of repository maximum audit record storage\n                        capacity;"
-                          },
-                          {
-                            "id": "au-5.1_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-5(1)[1][b]"
-                              }
-                            ],
-                            "prose": "roles to be warned when allocated audit record storage volume reaches\n                        organization-defined percentage of repository maximum audit record storage\n                        capacity; and/or"
-                          },
-                          {
-                            "id": "au-5.1_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-5(1)[1][c]"
-                              }
-                            ],
-                            "prose": "locations to be warned when allocated audit record storage volume reaches\n                        organization-defined percentage of repository maximum audit record storage\n                        capacity;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-5.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(1)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period within which the information system is\n                     to provide a warning to the organization-defined personnel, roles, and/or\n                     locations when allocated audit record storage volume reaches the\n                     organization-defined percentage of repository maximum audit record storage\n                     capacity;"
-                      },
-                      {
-                        "id": "au-5.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(1)[3]"
-                          }
-                        ],
-                        "prose": "the organization defines the percentage of repository maximum audit record\n                     storage capacity that, if reached, requires a warning to be provided; and"
-                      },
-                      {
-                        "id": "au-5.1_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(1)[4]"
-                          }
-                        ],
-                        "prose": "the information system provides a warning to the organization-defined\n                     personnel, roles, and/or locations within the organization-defined time period\n                     when allocated audit record storage volume reaches the organization-defined\n                     percentage of repository maximum audit record storage capacity."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing audit storage limit warnings"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-5.2",
-                "class": "SP800-53-enhancement",
-                "title": "Real-time Alerts",
-                "parameters": [
-                  {
-                    "id": "au-5.2_prm_1",
-                    "label": "organization-defined real-time period",
-                    "constraints": [
-                      {
-                        "detail": "real-time"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-5.2_prm_2",
-                    "label": "organization-defined personnel, roles, and/or locations",
-                    "constraints": [
-                      {
-                        "detail": "service provider personnel with authority to address failed audit events"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-5.2_prm_3",
-                    "label": "organization-defined audit failure events requiring real-time alerts",
-                    "constraints": [
-                      {
-                        "detail": "audit failure events requiring real-time alerts, as defined by organization audit policy"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-5(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-05.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-5.2_smt",
-                    "name": "statement",
-                    "prose": "The information system provides an alert in {{ au-5.2_prm_1 }} to\n                     {{ au-5.2_prm_2 }} when the following audit failure events\n                  occur: {{ au-5.2_prm_3 }}."
-                  },
-                  {
-                    "id": "au-5.2_gdn",
-                    "name": "guidance",
-                    "prose": "Alerts provide organizations with urgent messages. Real-time alerts provide these\n                  messages at information technology speed (i.e., the time from event detection to\n                  alert occurs in seconds or less)."
-                  },
-                  {
-                    "id": "au-5.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-5.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines audit failure events requiring real-time alerts;"
-                      },
-                      {
-                        "id": "au-5.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(2)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines:",
-                        "parts": [
-                          {
-                            "id": "au-5.2_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-5(2)[2][a]"
-                              }
-                            ],
-                            "prose": "personnel to be alerted when organization-defined audit failure events\n                        requiring real-time alerts occur;"
-                          },
-                          {
-                            "id": "au-5.2_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-5(2)[2][b]"
-                              }
-                            ],
-                            "prose": "roles to be alerted when organization-defined audit failure events requiring\n                        real-time alerts occur; and/or"
-                          },
-                          {
-                            "id": "au-5.2_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-5(2)[2][c]"
-                              }
-                            ],
-                            "prose": "locations to be alerted when organization-defined audit failure events\n                        requiring real-time alerts occur;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-5.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(2)[3]"
-                          }
-                        ],
-                        "prose": "the organization defines the real-time period within which the information\n                     system is to provide an alert to the organization-defined personnel, roles,\n                     and/or locations when the organization-defined audit failure events requiring\n                     real-time alerts occur; and"
-                      },
-                      {
-                        "id": "au-5.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(2)[4]"
-                          }
-                        ],
-                        "prose": "the information system provides an alert within the organization-defined\n                     real-time period to the organization-defined personnel, roles, and/or locations\n                     when organization-defined audit failure events requiring real-time alerts\n                     occur."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of notifications or real-time alerts when audit processing failures\n                     occur\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing real-time audit alerts when\n                     organization-defined audit failure events occur"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-6",
-            "class": "SP800-53",
-            "title": "Audit Review, Analysis, and Reporting",
-            "parameters": [
-              {
-                "id": "au-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least weekly"
-                  }
-                ]
-              },
-              {
-                "id": "au-6_prm_2",
-                "label": "organization-defined inappropriate or unusual activity"
-              },
-              {
-                "id": "au-6_prm_3",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};\n                  and"
-                  },
-                  {
-                    "id": "au-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reports findings to {{ au-6_prm_3 }}."
-                  },
-                  {
-                    "id": "au-6_fr",
-                    "name": "item",
-                    "title": "AU-6 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6_gdn",
-                "name": "guidance",
-                "prose": "Audit review, analysis, and reporting covers information security-related auditing\n               performed by organizations including, for example, auditing that results from\n               monitoring of account usage, remote access, wireless connectivity, mobile device\n               connection, configuration settings, system component inventory, use of maintenance\n               tools and nonlocal maintenance, physical access, temperature and humidity, equipment\n               delivery and removal, communications at the information system boundaries, use of\n               mobile code, and use of VoIP. Findings can be reported to organizational entities\n               that include, for example, incident response team, help desk, information security\n               group/department. If organizations are prohibited from reviewing and analyzing audit\n               information or unable to conduct such activities (e.g., in certain national security\n               applications or systems), the review/analysis may be carried out by other\n               organizations granted such authority.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-16",
-                    "rel": "related",
-                    "text": "AU-16"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-10",
-                    "rel": "related",
-                    "text": "CM-10"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ir-5",
-                    "rel": "related",
-                    "text": "IR-5"
-                  },
-                  {
-                    "href": "#ir-6",
-                    "rel": "related",
-                    "text": "IR-6"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#pe-14",
-                    "rel": "related",
-                    "text": "PE-14"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-18",
-                    "rel": "related",
-                    "text": "SC-18"
-                  },
-                  {
-                    "href": "#sc-19",
-                    "rel": "related",
-                    "text": "SC-19"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "au-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the types of inappropriate or unusual activity to look for when\n                     information system audit records are reviewed and analyzed;"
-                      },
-                      {
-                        "id": "au-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and analyze information system audit records\n                     for indications of organization-defined inappropriate or unusual activity;"
-                      },
-                      {
-                        "id": "au-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[3]"
-                          }
-                        ],
-                        "prose": "reviews and analyzes information system audit records for indications of\n                     organization-defined inappropriate or unusual activity with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom findings resulting from reviews and analysis\n                     of information system audit records are to be reported; and"
-                      },
-                      {
-                        "id": "au-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reports findings to organization-defined personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nreports of audit findings\\n\\nrecords of actions taken in response to reviews/analyses of audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit review, analysis, and reporting\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Process Integration",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to integrate audit review, analysis,\n                  and reporting processes to support organizational processes for investigation and\n                  response to suspicious activities."
-                  },
-                  {
-                    "id": "au-6.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational processes benefiting from integrated audit review, analysis, and\n                  reporting include, for example, incident response, continuous monitoring,\n                  contingency planning, and Inspector General audits.",
-                    "links": [
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      },
-                      {
-                        "href": "#pm-7",
-                        "rel": "related",
-                        "text": "PM-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "au-6.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(1)[1]"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to integrate:",
-                        "parts": [
-                          {
-                            "id": "au-6.1_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[1][a]"
-                              }
-                            ],
-                            "prose": "audit review;"
-                          },
-                          {
-                            "id": "au-6.1_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[1][b]"
-                              }
-                            ],
-                            "prose": "analysis;"
-                          },
-                          {
-                            "id": "au-6.1_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[1][c]"
-                              }
-                            ],
-                            "prose": "reporting processes;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-6.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(1)[2]"
-                          }
-                        ],
-                        "prose": "uses integrated audit review, analysis and reporting processes to support\n                     organizational processes for:",
-                        "parts": [
-                          {
-                            "id": "au-6.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[2][a]"
-                              }
-                            ],
-                            "prose": "investigation of suspicious activities; and"
-                          },
-                          {
-                            "id": "au-6.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[2][b]"
-                              }
-                            ],
-                            "prose": "response to suspicious activities."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nprocedures addressing investigation and response to suspicious activities\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms integrating audit review, analysis, and reporting\n                     processes"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6.3",
-                "class": "SP800-53-enhancement",
-                "title": "Correlate Audit Repositories",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.3_smt",
-                    "name": "statement",
-                    "prose": "The organization analyzes and correlates audit records across different\n                  repositories to gain organization-wide situational awareness."
-                  },
-                  {
-                    "id": "au-6.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organization-wide situational awareness includes awareness across all three tiers\n                  of risk management (i.e., organizational, mission/business process, and\n                  information system) and supports cross-organization awareness.",
-                    "links": [
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      },
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization analyzes and correlates audit records across\n                  different repositories to gain organization-wide situational awareness. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records across different repositories\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting analysis and correlation of audit records"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6.4",
-                "class": "SP800-53-enhancement",
-                "title": "Central Review and Analysis",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.4_smt",
-                    "name": "statement",
-                    "prose": "The information system provides the capability to centrally review and analyze\n                  audit records from multiple components within the system."
-                  },
-                  {
-                    "id": "au-6.4_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms for centralized reviews and analyses include, for example,\n                  Security Information Management products.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system provides the capability to centrally review\n                  and analyze audit records from multiple components within the system."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system capability to centralize review and analysis of audit\n                     records"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6.5",
-                "class": "SP800-53-enhancement",
-                "title": "Integration / Scanning and Monitoring Capabilities",
-                "parameters": [
-                  {
-                    "id": "au-6.5_prm_1"
-                  },
-                  {
-                    "id": "au-6.5_prm_2",
-                    "depends-on": "au-6.5_prm_1",
-                    "label": "organization-defined data/information collected from other sources",
-                    "constraints": [
-                      {
-                        "detail": "Possibly to include penetration test data."
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.5_smt",
-                    "name": "statement",
-                    "prose": "The organization integrates analysis of audit records with analysis of {{ au-6.5_prm_1 }} to further enhance the ability to identify\n                  inappropriate or unusual activity."
-                  },
-                  {
-                    "id": "au-6.5_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement does not require vulnerability scanning, the generation\n                  of performance data, or information system monitoring. Rather, the enhancement\n                  requires that the analysis of information being otherwise produced in these areas\n                  is integrated with the analysis of audit information. Security Event and\n                  Information Management System tools can facilitate audit record\n                  aggregation/consolidation from multiple information system components as well as\n                  audit record correlation and analysis. The use of standardized audit record\n                  analysis scripts developed by organizations (with localized script adjustments, as\n                  necessary) provides more cost-effective approaches for analyzing audit record\n                  information collected. The correlation of audit record information with\n                  vulnerability scanning information is important in determining the veracity of\n                  vulnerability scans and correlating attack detection events with scanning results.\n                  Correlation with performance data can help uncover denial of service attacks or\n                  cyber attacks resulting in unauthorized use of resources. Correlation with system\n                  monitoring information can assist in uncovering attacks and in better relating\n                  audit information to operational situations.",
-                    "links": [
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      },
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "au-6.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(5)[1]"
-                          }
-                        ],
-                        "prose": "defines data/information to be collected from other sources;"
-                      },
-                      {
-                        "id": "au-6.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(5)[2]"
-                          }
-                        ],
-                        "prose": "selects sources of data/information to be analyzed and integrated with the\n                     analysis of audit records from one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "au-6.5_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(5)[2][a]"
-                              }
-                            ],
-                            "prose": "vulnerability scanning information;"
-                          },
-                          {
-                            "id": "au-6.5_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(5)[2][b]"
-                              }
-                            ],
-                            "prose": "performance data;"
-                          },
-                          {
-                            "id": "au-6.5_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(5)[2][c]"
-                              }
-                            ],
-                            "prose": "information system monitoring information; and/or"
-                          },
-                          {
-                            "id": "au-6.5_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(5)[2][d]"
-                              }
-                            ],
-                            "prose": "organization-defined data/information collected from other sources; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-6.5_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(5)[3]"
-                          }
-                        ],
-                        "prose": "integrates the analysis of audit records with the analysis of selected\n                     data/information to further enhance the ability to identify inappropriate or\n                     unusual activity."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrated analysis of audit records, vulnerability scanning information,\n                     performance data, network monitoring information and associated\n                     documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing capability to integrate analysis of audit\n                     records with analysis of data/information sources"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6.6",
-                "class": "SP800-53-enhancement",
-                "title": "Correlation with Physical Monitoring",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(6)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.06"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.6_smt",
-                    "name": "statement",
-                    "prose": "The organization correlates information from audit records with information\n                  obtained from monitoring physical access to further enhance the ability to\n                  identify suspicious, inappropriate, unusual, or malevolent activity.",
-                    "parts": [
-                      {
-                        "id": "au-6.6_fr",
-                        "name": "item",
-                        "title": "AU-6 (6) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "au-6.6_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.6_gdn",
-                    "name": "guidance",
-                    "prose": "The correlation of physical audit information and audit logs from information\n                  systems may assist organizations in identifying examples of suspicious behavior or\n                  supporting evidence of such behavior. For example, the correlation of an\n                  individual’s identity for logical access to certain information systems with the\n                  additional physical security information that the individual was actually present\n                  at the facility when the logical access occurred, may prove to be useful in\n                  investigations."
-                  },
-                  {
-                    "id": "au-6.6_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization correlates information from audit records with\n                  information obtained from monitoring physical access to enhance the ability to\n                  identify suspicious, inappropriate, unusual, or malevolent activity."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nprocedures addressing physical access monitoring\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ndocumentation providing evidence of correlated information obtained from audit\n                     records and physical access monitoring records\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing capability to correlate information from\n                     audit records with information from monitoring physical access"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6.7",
-                "class": "SP800-53-enhancement",
-                "title": "Permitted Actions",
-                "parameters": [
-                  {
-                    "id": "au-6.7_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "information system process; role; user"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.7_smt",
-                    "name": "statement",
-                    "prose": "The organization specifies the permitted actions for each {{ au-6.7_prm_1 }} associated with the review, analysis, and reporting\n                  of audit information."
-                  },
-                  {
-                    "id": "au-6.7_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations specify permitted actions for information system processes, roles,\n                  and/or users associated with the review, analysis, and reporting of audit records\n                  through account management techniques. Specifying permitted actions on audit\n                  information is a way to enforce the principle of least privilege. Permitted\n                  actions are enforced by the information system and include, for example, read,\n                  write, execute, append, and delete."
-                  },
-                  {
-                    "id": "au-6.7_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization specifies the permitted actions for each one or more\n                  of the following associated with the review, analysis and reporting of audit\n                  information:",
-                    "parts": [
-                      {
-                        "id": "au-6.7_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(7)[1]"
-                          }
-                        ],
-                        "prose": "information system process;"
-                      },
-                      {
-                        "id": "au-6.7_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(7)[2]"
-                          }
-                        ],
-                        "prose": "role; and/or"
-                      },
-                      {
-                        "id": "au-6.7_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(7)[3]"
-                          }
-                        ],
-                        "prose": "user."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing process, role and/or user permitted actions from audit\n                     review, analysis, and reporting\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting permitted actions for review, analysis, and\n                     reporting of audit information"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6.10",
-                "class": "SP800-53-enhancement",
-                "title": "Audit Level Adjustment",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.10_smt",
-                    "name": "statement",
-                    "prose": "The organization adjusts the level of audit review, analysis, and reporting within\n                  the information system when there is a change in risk based on law enforcement\n                  information, intelligence information, or other credible sources of\n                  information."
-                  },
-                  {
-                    "id": "au-6.10_gdn",
-                    "name": "guidance",
-                    "prose": "The frequency, scope, and/or depth of the audit review, analysis, and reporting\n                  may be adjusted to meet organizational needs based on new information\n                  received."
-                  },
-                  {
-                    "id": "au-6.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization adjusts the level of audit review, analysis, and\n                  reporting within the information system when there is a change in risk based\n                  on:",
-                    "parts": [
-                      {
-                        "id": "au-6.10_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(10)[1]"
-                          }
-                        ],
-                        "prose": "law enforcement information;"
-                      },
-                      {
-                        "id": "au-6.10_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(10)[2]"
-                          }
-                        ],
-                        "prose": "intelligence information; and/or"
-                      },
-                      {
-                        "id": "au-6.10_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(10)[3]"
-                          }
-                        ],
-                        "prose": "other credible sources of information."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\norganizational risk assessment\\n\\nsecurity control assessment\\n\\nvulnerability assessment\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting review, analysis, and reporting of audit\n                     information"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-7",
-            "class": "SP800-53",
-            "title": "Audit Reduction and Report Generation",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-07"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-7_smt",
-                "name": "statement",
-                "prose": "The information system provides an audit reduction and report generation capability\n               that:",
-                "parts": [
-                  {
-                    "id": "au-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Supports on-demand audit review, analysis, and reporting requirements and\n                  after-the-fact investigations of security incidents; and"
-                  },
-                  {
-                    "id": "au-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Does not alter the original content or time ordering of audit records."
-                  }
-                ]
-              },
-              {
-                "id": "au-7_gdn",
-                "name": "guidance",
-                "prose": "Audit reduction is a process that manipulates collected audit information and\n               organizes such information in a summary format that is more meaningful to analysts.\n               Audit reduction and report generation capabilities do not always emanate from the\n               same information system or from the same organizational entities conducting auditing\n               activities. Audit reduction capability can include, for example, modern data mining\n               techniques with advanced data filters to identify anomalous behavior in audit\n               records. The report generation capability provided by the information system can\n               generate customizable reports. Time ordering of audit records can be a significant\n               issue if the granularity of the timestamp in the record is insufficient.",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-7_obj",
-                "name": "objective",
-                "prose": "Determine if the information system provides an audit reduction and report generation\n               capability that supports:",
-                "parts": [
-                  {
-                    "id": "au-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-7(a)[1]"
-                          }
-                        ],
-                        "prose": "on-demand audit review;"
-                      },
-                      {
-                        "id": "au-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-7(a)[2]"
-                          }
-                        ],
-                        "prose": "analysis;"
-                      },
-                      {
-                        "id": "au-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-7(a)[3]"
-                          }
-                        ],
-                        "prose": "reporting requirements;"
-                      },
-                      {
-                        "id": "au-7.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-7(a)[4]"
-                          }
-                        ],
-                        "prose": "after-the-fact investigations of security incidents; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-7(b)"
-                      }
-                    ],
-                    "prose": "does not alter the original content or time ordering of audit records."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit reduction and report generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit reduction, review, analysis, and reporting tools\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit reduction and report generation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit reduction and report generation capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automatic Processing",
-                "parameters": [
-                  {
-                    "id": "au-7.1_prm_1",
-                    "label": "organization-defined audit fields within audit records"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-7.1_smt",
-                    "name": "statement",
-                    "prose": "The information system provides the capability to process audit records for events\n                  of interest based on {{ au-7.1_prm_1 }}."
-                  },
-                  {
-                    "id": "au-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Events of interest can be identified by the content of specific audit record\n                  fields including, for example, identities of individuals, event types, event\n                  locations, event times, event dates, system resources involved, IP addresses\n                  involved, or information objects accessed. Organizations may define audit event\n                  criteria to any degree of granularity required, for example, locations selectable\n                  by general networking location (e.g., by network or subnetwork) or selectable by\n                  specific information system component.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-7.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-7.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-7(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines audit fields within audit records in order to process\n                     audit records for events of interest; and"
-                      },
-                      {
-                        "id": "au-7.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-7(1)[2]"
-                          }
-                        ],
-                        "prose": "the information system provides the capability to process audit records for\n                     events of interest based on the organization-defined audit fields within audit\n                     records."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit reduction and report generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit reduction, review, analysis, and reporting tools\\n\\naudit record criteria (fields) establishing events of interest\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit reduction and report generation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit reduction and report generation capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-8",
-            "class": "SP800-53",
-            "title": "Time Stamps",
-            "parameters": [
-              {
-                "id": "au-8_prm_1",
-                "label": "organization-defined granularity of time measurement",
-                "constraints": [
-                  {
-                    "detail": "one second granularity of time measurement"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-8_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Uses internal system clocks to generate time stamps for audit records; and"
-                  },
-                  {
-                    "id": "au-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Records time stamps for audit records that can be mapped to Coordinated Universal\n                  Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-8_gdn",
-                "name": "guidance",
-                "prose": "Time stamps generated by the information system include date and time. Time is\n               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of\n               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time\n               measurements refers to the degree of synchronization between information system\n               clocks and reference clocks, for example, clocks synchronizing within hundreds of\n               milliseconds or within tens of milliseconds. Organizations may define different time\n               granularities for different system components. Time service can also be critical to\n               other security capabilities such as access control and identification and\n               authentication, depending on the nature of the mechanisms used to support those\n               capabilities.",
-                "links": [
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  }
-                ]
-              },
-              {
-                "id": "au-8_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-8(a)"
-                      }
-                    ],
-                    "prose": "the information system uses internal system clocks to generate time stamps for\n                  audit records;"
-                  },
-                  {
-                    "id": "au-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[1]"
-                          }
-                        ],
-                        "prose": "the information system records time stamps for audit records that can be mapped\n                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"
-                      },
-                      {
-                        "id": "au-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the granularity of time measurement to be met when\n                     recording time stamps for audit records; and"
-                      },
-                      {
-                        "id": "au-8.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[3]"
-                          }
-                        ],
-                        "prose": "the organization records time stamps for audit records that meet the\n                     organization-defined granularity of time measurement."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing time stamp generation"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Synchronization with Authoritative Time Source",
-                "parameters": [
-                  {
-                    "id": "au-8.1_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "At least hourly"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-8.1_prm_2",
-                    "label": "organization-defined authoritative time source",
-                    "constraints": [
-                      {
-                        "detail": "http://tf.nist.gov/tf-cgi/servers.cgi"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-8.1_prm_3",
-                    "label": "organization-defined time period"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AU-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-8.1_smt",
-                    "name": "statement",
-                    "prose": "The information system:",
-                    "parts": [
-                      {
-                        "id": "au-8.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Compares the internal information system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "au-8.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Synchronizes the internal system clocks to the authoritative time source when\n                     the time difference is greater than {{ au-8.1_prm_3 }}."
-                      },
-                      {
-                        "id": "au-8.1_fr",
-                        "name": "item",
-                        "title": "AU-8 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "au-8.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server."
-                          },
-                          {
-                            "id": "au-8.1_fr_smt.2",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server."
-                          },
-                          {
-                            "id": "au-8.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Synchronization of system clocks improves the accuracy of log analysis."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement provides uniformity of time stamps for information\n                  systems with multiple system clocks and systems connected over a network."
-                  },
-                  {
-                    "id": "au-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "au-8.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-8(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-8.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the authoritative time source to which internal\n                        information system clocks are to be compared;"
-                          },
-                          {
-                            "id": "au-8.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to compare the internal information\n                        system clocks with the organization-defined authoritative time source;\n                        and"
-                          },
-                          {
-                            "id": "au-8.1.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(a)[3]"
-                              }
-                            ],
-                            "prose": "the information system compares the internal information system clocks with\n                        the organization-defined authoritative time source with organization-defined\n                        frequency; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#au-8.1_smt.a",
-                            "rel": "corresp",
-                            "text": "AU-8(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-8.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-8(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-8.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the time period that, if exceeded by the time\n                        difference between the internal system clocks and the authoritative time\n                        source, will result in the internal system clocks being synchronized to the\n                        authoritative time source; and"
-                          },
-                          {
-                            "id": "au-8.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "the information system synchronizes the internal information system clocks\n                        to the authoritative time source when the time difference is greater than\n                        the organization-defined time period."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#au-8.1_smt.b",
-                            "rel": "corresp",
-                            "text": "AU-8(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing internal information system clock\n                     synchronization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-9",
-            "class": "SP800-53",
-            "title": "Protection of Audit Information",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-9_smt",
-                "name": "statement",
-                "prose": "The information system protects audit information and audit tools from unauthorized\n               access, modification, and deletion."
-              },
-              {
-                "id": "au-9_gdn",
-                "name": "guidance",
-                "prose": "Audit information includes all information (e.g., audit records, audit settings, and\n               audit reports) needed to successfully audit information system activity. This control\n               focuses on technical protection of audit information. Physical protection of audit\n               information is addressed by media protection controls and physical and environmental\n               protection controls.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-9_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "au-9_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-9[1]"
-                      }
-                    ],
-                    "prose": "the information system protects audit information from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "au-9_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][a]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "au-9_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][b]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      },
-                      {
-                        "id": "au-9_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][c]"
-                          }
-                        ],
-                        "prose": "deletion;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-9[2]"
-                      }
-                    ],
-                    "prose": "the information system protects audit tools from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "au-9_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][a]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "au-9_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][b]"
-                          }
-                        ],
-                        "prose": "modification; and"
-                      },
-                      {
-                        "id": "au-9_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][c]"
-                          }
-                        ],
-                        "prose": "deletion."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                  information system audit records\\n\\naudit tools\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing audit information protection"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-9.2",
-                "class": "SP800-53-enhancement",
-                "title": "Audit Backup On Separate Physical Systems / Components",
-                "parameters": [
-                  {
-                    "id": "au-9.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least weekly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AU-9(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-09.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-9.2_smt",
-                    "name": "statement",
-                    "prose": "The information system backs up audit records {{ au-9.2_prm_1 }}\n                  onto a physically different system or system component than the system or\n                  component being audited."
-                  },
-                  {
-                    "id": "au-9.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement helps to ensure that a compromise of the information\n                  system being audited does not also result in a compromise of the audit\n                  records.",
-                    "links": [
-                      {
-                        "href": "#au-4",
-                        "rel": "related",
-                        "text": "AU-4"
-                      },
-                      {
-                        "href": "#au-5",
-                        "rel": "related",
-                        "text": "AU-5"
-                      },
-                      {
-                        "href": "#au-11",
-                        "rel": "related",
-                        "text": "AU-11"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-9.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the frequency to back up audit records onto a\n                     physically different system or system component than the system or component\n                     being audited; and"
-                      },
-                      {
-                        "id": "au-9.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(2)[2]"
-                          }
-                        ],
-                        "prose": "the information system backs up audit records with the organization-defined\n                     frequency, onto a physically different system or system component than the\n                     system or component being audited."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation, system\n                     or media storing backups of information system audit records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing the backing up of audit records"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-9.3",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptographic Protection",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-9(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-09.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-9.3_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to protect the\n                  integrity of audit information and audit tools."
-                  },
-                  {
-                    "id": "au-9.3_gdn",
-                    "name": "guidance",
-                    "prose": "Cryptographic mechanisms used for protecting the integrity of audit information\n                  include, for example, signed hash functions using asymmetric cryptography enabling\n                  distribution of the public key to verify the hash information while maintaining\n                  the confidentiality of the secret key used to generate the hash.",
-                    "links": [
-                      {
-                        "href": "#au-10",
-                        "rel": "related",
-                        "text": "AU-10"
-                      },
-                      {
-                        "href": "#sc-12",
-                        "rel": "related",
-                        "text": "SC-12"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system:",
-                    "parts": [
-                      {
-                        "id": "au-9.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(3)[1]"
-                          }
-                        ],
-                        "prose": "uses cryptographic mechanisms to protect the integrity of audit information;\n                     and"
-                      },
-                      {
-                        "id": "au-9.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(3)[2]"
-                          }
-                        ],
-                        "prose": "uses cryptographic mechanisms to protect the integrity of audit tools."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system hardware settings\\n\\ninformation system configuration settings and associated documentation,\n                     information system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms protecting integrity of audit information and\n                     tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-9.4",
-                "class": "SP800-53-enhancement",
-                "title": "Access by Subset of Privileged Users",
-                "parameters": [
-                  {
-                    "id": "au-9.4_prm_1",
-                    "label": "organization-defined subset of privileged users"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-9(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-09.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-9.4_smt",
-                    "name": "statement",
-                    "prose": "The organization authorizes access to management of audit functionality to only\n                     {{ au-9.4_prm_1 }}."
-                  },
-                  {
-                    "id": "au-9.4_gdn",
-                    "name": "guidance",
-                    "prose": "Individuals with privileged access to an information system and who are also the\n                  subject of an audit by that system, may affect the reliability of audit\n                  information by inhibiting audit activities or modifying audit records. This\n                  control enhancement requires that privileged access be further defined between\n                  audit-related privileges and other privileges, thus limiting the users with\n                  audit-related privileges.",
-                    "links": [
-                      {
-                        "href": "#ac-5",
-                        "rel": "related",
-                        "text": "AC-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "au-9.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(4)[1]"
-                          }
-                        ],
-                        "prose": "defines a subset of privileged users to be authorized access to management of\n                     audit functionality; and"
-                      },
-                      {
-                        "id": "au-9.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(4)[2]"
-                          }
-                        ],
-                        "prose": "authorizes access to management of audit functionality to only the\n                     organization-defined subset of privileged users."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                     system-generated list of privileged users with access to management of audit\n                     functionality\\n\\naccess authorizations\\n\\naccess control list\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms managing access to audit functionality"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-10",
-            "class": "SP800-53",
-            "title": "Non-repudiation",
-            "parameters": [
-              {
-                "id": "au-10_prm_1",
-                "label": "organization-defined actions to be covered by non-repudiation",
-                "constraints": [
-                  {
-                    "detail": "minimum actions including the addition, modification, deletion, approval, sending, or receiving of data"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-10_smt",
-                "name": "statement",
-                "prose": "The information system protects against an individual (or process acting on behalf of\n               an individual) falsely denying having performed {{ au-10_prm_1 }}."
-              },
-              {
-                "id": "au-10_gdn",
-                "name": "guidance",
-                "prose": "Types of individual actions covered by non-repudiation include, for example, creating\n               information, sending and receiving messages, approving information (e.g., indicating\n               concurrence or signing a contract). Non-repudiation protects individuals against\n               later claims by: (i) authors of not having authored particular documents; (ii)\n               senders of not having transmitted messages; (iii) receivers of not having received\n               messages; or (iv) signatories of not having signed documents. Non-repudiation\n               services can be used to determine if information originated from a particular\n               individual, or if an individual took specific actions (e.g., sending an email,\n               signing a contract, approving a procurement request) or received specific\n               information. Organizations obtain non-repudiation services by employing various\n               techniques or mechanisms (e.g., digital signatures, digital message receipts).",
-                "links": [
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-16",
-                    "rel": "related",
-                    "text": "SC-16"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  },
-                  {
-                    "href": "#sc-23",
-                    "rel": "related",
-                    "text": "SC-23"
-                  }
-                ]
-              },
-              {
-                "id": "au-10_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "au-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-10[1]"
-                      }
-                    ],
-                    "prose": "the organization defines actions to be covered by non-repudiation; and"
-                  },
-                  {
-                    "id": "au-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-10[2]"
-                      }
-                    ],
-                    "prose": "the information system protects against an individual (or process acting on behalf\n                  of an individual) falsely denying having performed organization-defined actions to\n                  be covered by non-repudiation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing non-repudiation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing non-repudiation capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-11",
-            "class": "SP800-53",
-            "title": "Audit Record Retention",
-            "parameters": [
-              {
-                "id": "au-11_prm_1",
-                "label": "organization-defined time period consistent with records retention policy",
-                "constraints": [
-                  {
-                    "detail": "at least one (1) year"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-11_smt",
-                "name": "statement",
-                "prose": "The organization retains audit records for {{ au-11_prm_1 }} to\n               provide support for after-the-fact investigations of security incidents and to meet\n               regulatory and organizational information retention requirements.",
-                "parts": [
-                  {
-                    "id": "au-11_fr",
-                    "name": "item",
-                    "title": "AU-11 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-11_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-11_gdn",
-                "name": "guidance",
-                "prose": "Organizations retain audit records until it is determined that they are no longer\n               needed for administrative, legal, audit, or other operational purposes. This\n               includes, for example, retention and availability of audit records relative to\n               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.\n               Organizations develop standard categories of audit records relative to such types of\n               actions and standard response processes for each type of action. The National\n               Archives and Records Administration (NARA) General Records Schedules provide federal\n               policy on record retention.",
-                "links": [
-                  {
-                    "href": "#au-4",
-                    "rel": "related",
-                    "text": "AU-4"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-11_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-11[1]"
-                      }
-                    ],
-                    "prose": "defines a time period to retain audit records that is consistent with records\n                  retention policy;"
-                  },
-                  {
-                    "id": "au-11_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-11[2]"
-                      }
-                    ],
-                    "prose": "retains audit records for the organization-defined time period consistent with\n                  records retention policy to:",
-                    "parts": [
-                      {
-                        "id": "au-11_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-11[2][a]"
-                          }
-                        ],
-                        "prose": "provide support for after-the-fact investigations of security incidents;\n                     and"
-                      },
-                      {
-                        "id": "au-11_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-11[2][b]"
-                          }
-                        ],
-                        "prose": "meet regulatory and organizational information retention requirements."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\naudit record retention policy and procedures\\n\\nsecurity plan\\n\\norganization-defined retention period for audit records\\n\\naudit record archives\\n\\naudit logs\\n\\naudit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit record retention responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-12",
-            "class": "SP800-53",
-            "title": "Audit Generation",
-            "parameters": [
-              {
-                "id": "au-12_prm_1",
-                "label": "organization-defined information system components",
-                "constraints": [
-                  {
-                    "detail": "all information system and network components where audit capability is deployed/available"
-                  }
-                ]
-              },
-              {
-                "id": "au-12_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-12_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-12_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides audit record generation capability for the auditable events defined in\n                  AU-2 a. at {{ au-12_prm_1 }};"
-                  },
-                  {
-                    "id": "au-12_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Allows {{ au-12_prm_2 }} to select which auditable events are to be\n                  audited by specific components of the information system; and"
-                  },
-                  {
-                    "id": "au-12_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Generates audit records for the events defined in AU-2 d. with the content defined\n                  in AU-3."
-                  }
-                ]
-              },
-              {
-                "id": "au-12_gdn",
-                "name": "guidance",
-                "prose": "Audit records can be generated from many different information system components. The\n               list of audited events is the set of events for which audits are to be generated.\n               These events are typically a subset of all events for which the information system is\n               capable of generating audit records.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  }
-                ]
-              },
-              {
-                "id": "au-12_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-12.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-12.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the information system components which are to provide\n                     audit record generation capability for the auditable events defined in\n                     AU-2a;"
-                      },
-                      {
-                        "id": "au-12.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system provides audit record generation capability, for the\n                     auditable events defined in AU-2a, at organization-defined information system\n                     components;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-12.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the personnel or roles allowed to select which\n                     auditable events are to be audited by specific components of the information\n                     system;"
-                      },
-                      {
-                        "id": "au-12.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system allows the organization-defined personnel or roles to\n                     select which auditable events are to be audited by specific components of the\n                     system; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-12(c)"
-                      }
-                    ],
-                    "prose": "the information system generates audit records for the events defined in AU-2d\n                  with the content in defined in AU-3."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing audit record generation capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-12.1",
-                "class": "SP800-53-enhancement",
-                "title": "System-wide / Time-correlated Audit Trail",
-                "parameters": [
-                  {
-                    "id": "au-12.1_prm_1",
-                    "label": "organization-defined information system components",
-                    "constraints": [
-                      {
-                        "detail": "all network, data storage, and computing devices"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.1_prm_2",
-                    "label": "organization-defined level of tolerance for the relationship between time\n                  stamps of individual records in the audit trail"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-12(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-12.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-12.1_smt",
-                    "name": "statement",
-                    "prose": "The information system compiles audit records from {{ au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail\n                  that is time-correlated to within {{ au-12.1_prm_2 }}."
-                  },
-                  {
-                    "id": "au-12.1_gdn",
-                    "name": "guidance",
-                    "prose": "Audit trails are time-correlated if the time stamps in the individual audit\n                  records can be reliably related to the time stamps in other audit records to\n                  achieve a time ordering of the records within organizational tolerances.",
-                    "links": [
-                      {
-                        "href": "#au-8",
-                        "rel": "related",
-                        "text": "AU-8"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-12.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the information system components from which audit\n                     records are to be compiled into a system-wide (logical or physical) audit\n                     trail;"
-                      },
-                      {
-                        "id": "au-12.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(1)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the level of tolerance for the relationship between\n                     time stamps of individual records in the audit trail; and"
-                      },
-                      {
-                        "id": "au-12.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(1)[3]"
-                          }
-                        ],
-                        "prose": "the information system compiles audit records from organization-defined\n                     information system components into a system-wide (logical or physical) audit\n                     trail that is time-correlated to within the organization-defined level of\n                     tolerance for the relationship between time stamps of individual records in the\n                     audit trail."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-wide audit trail (logical or physical)\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing audit record generation capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-12.3",
-                "class": "SP800-53-enhancement",
-                "title": "Changes by Authorized Individuals",
-                "parameters": [
-                  {
-                    "id": "au-12.3_prm_1",
-                    "label": "organization-defined individuals or roles",
-                    "constraints": [
-                      {
-                        "detail": "service provider-defined individuals or roles with audit configuration responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.3_prm_2",
-                    "label": "organization-defined information system components",
-                    "constraints": [
-                      {
-                        "detail": "all network, data storage, and computing devices"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.3_prm_3",
-                    "label": "organization-defined selectable event criteria"
-                  },
-                  {
-                    "id": "au-12.3_prm_4",
-                    "label": "organization-defined time thresholds"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-12(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-12.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-12.3_smt",
-                    "name": "statement",
-                    "prose": "The information system provides the capability for {{ au-12.3_prm_1 }} to change the auditing to be performed on {{ au-12.3_prm_2 }} based on {{ au-12.3_prm_3 }} within\n                     {{ au-12.3_prm_4 }}."
-                  },
-                  {
-                    "id": "au-12.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement enables organizations to extend or limit auditing as\n                  necessary to meet organizational requirements. Auditing that is limited to\n                  conserve information system resources may be extended to address certain threat\n                  situations. In addition, auditing may be limited to a specific set of events to\n                  facilitate audit reduction, analysis, and reporting. Organizations can establish\n                  time thresholds in which audit actions are changed, for example, near real-time,\n                  within minutes, or within hours.",
-                    "links": [
-                      {
-                        "href": "#au-7",
-                        "rel": "related",
-                        "text": "AU-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "au-12.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(3)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines information system components on which auditing is to\n                     be performed;"
-                      },
-                      {
-                        "id": "au-12.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(3)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines individuals or roles authorized to change the auditing\n                     to be performed on organization-defined information system components;"
-                      },
-                      {
-                        "id": "au-12.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(3)[3]"
-                          }
-                        ],
-                        "prose": "the organization defines time thresholds within which organization-defined\n                     individuals or roles can change the auditing to be performed on\n                     organization-defined information system components;"
-                      },
-                      {
-                        "id": "au-12.3_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(3)[4]"
-                          }
-                        ],
-                        "prose": "the organization defines selectable event criteria that support the capability\n                     for organization-defined individuals or roles to change the auditing to be\n                     performed on organization-defined information system components; and"
-                      },
-                      {
-                        "id": "au-12.3_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(3)[5]"
-                          }
-                        ],
-                        "prose": "the information system provides the capability for organization-defined\n                     individuals or roles to change the auditing to be performed on\n                     organization-defined information system components based on\n                     organization-defined selectable event criteria within organization-defined time\n                     thresholds."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of individuals or roles authorized to change auditing to\n                     be performed\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing audit record generation capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ca",
-        "class": "family",
-        "title": "Security Assessment and Authorization",
-        "controls": [
-          {
-            "id": "ca-1",
-            "class": "SP800-53",
-            "title": "Security Assessment and Authorization Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ca-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ca-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ca-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ca-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security assessment and authorization policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "ca-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security assessment and\n                     authorization policy and associated security assessment and authorization\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ca-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security assessment and authorization policy {{ ca-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "ca-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security assessment and authorization procedures {{ ca-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a security assessment and authorization policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "ca-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ca-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the security assessment and authorization\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "ca-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the security assessment and authorization policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        security assessment and authorization policy and associated assessment and\n                        authorization controls;"
-                          },
-                          {
-                            "id": "ca-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ca-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security assessment\n                        and authorization policy;"
-                          },
-                          {
-                            "id": "ca-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security assessment and authorization policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security assessment\n                        and authorization procedures; and"
-                          },
-                          {
-                            "id": "ca-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security assessment and authorization\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment and authorization\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-2",
-            "class": "SP800-53",
-            "title": "Security Assessments",
-            "parameters": [
-              {
-                "id": "ca-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_prm_2",
-                "label": "organization-defined individuals or roles",
-                "constraints": [
-                  {
-                    "detail": "individuals or roles to include FedRAMP PMO"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a security assessment plan that describes the scope of the assessment\n                  including:",
-                    "parts": [
-                      {
-                        "id": "ca-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security controls and control enhancements under assessment;"
-                      },
-                      {
-                        "id": "ca-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Assessment procedures to be used to determine security control effectiveness;\n                     and"
-                      },
-                      {
-                        "id": "ca-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Assessment environment, assessment team, and assessment roles and\n                     responsibilities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assesses the security controls in the information system and its environment of\n                  operation {{ ca-2_prm_1 }} to determine the extent to which the\n                  controls are implemented correctly, operating as intended, and producing the\n                  desired outcome with respect to meeting established security requirements;"
-                  },
-                  {
-                    "id": "ca-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Produces a security assessment report that documents the results of the\n                  assessment; and"
-                  },
-                  {
-                    "id": "ca-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Provides the results of the security control assessment to {{ ca-2_prm_2 }}."
-                  },
-                  {
-                    "id": "ca-2_fr",
-                    "name": "item",
-                    "title": "CA-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-2_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations assess security controls in organizational information systems and the\n               environments in which those systems operate as part of: (i) initial and ongoing\n               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;\n               and (iv) system development life cycle activities. Security assessments: (i) ensure\n               that information security is built into organizational information systems; (ii)\n               identify weaknesses and deficiencies early in the development process; (iii) provide\n               essential information needed to make risk-based decisions as part of security\n               authorization processes; and (iv) ensure compliance to vulnerability mitigation\n               procedures. Assessments are conducted on the implemented security controls from\n               Appendix F (main catalog) and Appendix G (Program Management controls) as documented\n               in System Security Plans and Information Security Program Plans. Organizations can\n               use other types of assessment activities such as vulnerability scanning and system\n               monitoring to maintain the security posture of information systems during the entire\n               life cycle. Security assessment reports document assessment results in sufficient\n               detail as deemed necessary by organizations, to determine the accuracy and\n               completeness of the reports and whether the security controls are implemented\n               correctly, operating as intended, and producing the desired outcome with respect to\n               meeting security requirements. The FISMA requirement for assessing security controls\n               at least annually does not require additional assessment activities to those\n               activities already in place in organizational security authorization processes.\n               Security assessment results are provided to the individuals or roles appropriate for\n               the types of assessments being conducted. For example, assessments conducted in\n               support of security authorization decisions are provided to authorizing officials or\n               authorizing official designated representatives. To satisfy annual assessment\n               requirements, organizations can use assessment results from the following sources:\n               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;\n               or (iii) system development life cycle activities. Organizations ensure that security\n               assessment results are current, relevant to the determination of security control\n               effectiveness, and obtained with the appropriate level of assessor independence.\n               Existing security control assessment results can be reused to the extent that the\n               results are still valid and can also be supplemented with additional assessments as\n               needed. Subsequent to initial authorizations and in accordance with OMB policy,\n               organizations assess security controls during continuous monitoring. Organizations\n               establish the frequency for ongoing security control assessments in accordance with\n               organizational continuous monitoring strategies. Information Assurance Vulnerability\n               Alerts provide useful examples of vulnerability mitigation procedures. External\n               audits (e.g., audits by external entities such as regulatory agencies) are outside\n               the scope of this control.",
-                "links": [
-                  {
-                    "href": "#ca-5",
-                    "rel": "related",
-                    "text": "CA-5"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-2(a)"
-                      }
-                    ],
-                    "prose": "develops a security assessment plan that describes the scope of the assessment\n                  including:",
-                    "parts": [
-                      {
-                        "id": "ca-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(1)"
-                          }
-                        ],
-                        "prose": "security controls and control enhancements under assessment;"
-                      },
-                      {
-                        "id": "ca-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(2)"
-                          }
-                        ],
-                        "prose": "assessment procedures to be used to determine security control\n                     effectiveness;"
-                      },
-                      {
-                        "id": "ca-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-2.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "assessment environment;"
-                          },
-                          {
-                            "id": "ca-2.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "assessment team;"
-                          },
-                          {
-                            "id": "ca-2.a.3_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[3]"
-                              }
-                            ],
-                            "prose": "assessment roles and responsibilities;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to assess the security controls in the information system\n                     and its environment of operation;"
-                      },
-                      {
-                        "id": "ca-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "assesses the security controls in the information system with the\n                     organization-defined frequency to determine the extent to which the controls\n                     are implemented correctly, operating as intended, and producing the desired\n                     outcome with respect to meeting established security requirements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-2(c)"
-                      }
-                    ],
-                    "prose": "produces a security assessment report that documents the results of the\n                  assessment;"
-                  },
-                  {
-                    "id": "ca-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines individuals or roles to whom the results of the security control\n                     assessment are to be provided; and"
-                      },
-                      {
-                        "id": "ca-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(d)[2]"
-                          }
-                        ],
-                        "prose": "provides the results of the security control assessment to organization-defined\n                     individuals or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessment planning\\n\\nprocedures addressing security assessments\\n\\nsecurity assessment plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting security assessment, security assessment plan\n                  development, and/or security assessment reporting"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Independent Assessors",
-                "parameters": [
-                  {
-                    "id": "ca-2.1_prm_1",
-                    "label": "organization-defined level of independence"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.",
-                    "parts": [
-                      {
-                        "id": "ca-2.1_fr",
-                        "name": "item",
-                        "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-2.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "Independent assessors or assessment teams are individuals or groups who conduct\n                  impartial assessments of organizational information systems. Impartiality implies\n                  that assessors are free from any perceived or actual conflicts of interest with\n                  regard to the development, operation, or management of the organizational\n                  information systems under assessment or to the determination of security control\n                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual\n                  or conflicting interest with the organizations where the assessments are being\n                  conducted; (ii) assess their own work; (iii) act as management or employees of the\n                  organizations they are serving; or (iv) place themselves in positions of advocacy\n                  for the organizations acquiring their services. Independent assessments can be\n                  obtained from elements within organizations or can be contracted to public or\n                  private sector entities outside of organizations. Authorizing officials determine\n                  the required level of independence based on the security categories of information\n                  systems and/or the ultimate risk to organizational operations, organizational\n                  assets, or individuals. Authorizing officials also determine if the level of\n                  assessor independence provides sufficient assurance that the results are sound and\n                  can be used to make credible, risk-based decisions. This includes determining\n                  whether contracted security assessment services have sufficient independence, for\n                  example, when information system owners are not directly involved in contracting\n                  processes or cannot unduly influence the impartiality of assessors conducting\n                  assessments. In special situations, for example, when organizations that own the\n                  information systems are small or organizational structures require that\n                  assessments are conducted by individuals that are in the developmental,\n                  operational, or management chain of system owners, independence in assessment\n                  processes can be achieved by ensuring that assessment results are carefully\n                  reviewed and analyzed by independent teams of experts to validate the\n                  completeness, accuracy, integrity, and reliability of the results. Organizations\n                  recognize that assessments performed for purposes other than direct support to\n                  authorization decisions are, when performed by assessors with sufficient\n                  independence, more likely to be useable for such decisions, thereby reducing the\n                  need to repeat assessments."
-                  },
-                  {
-                    "id": "ca-2.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-2.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(1)[1]"
-                          }
-                        ],
-                        "prose": "defines the level of independence to be employed to conduct security control\n                     assessments; and"
-                      },
-                      {
-                        "id": "ca-2.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(1)[2]"
-                          }
-                        ],
-                        "prose": "employs assessors or assessment teams with the organization-defined level of\n                     independence to conduct security control assessments."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity authorization package (including security plan, security assessment\n                     plan, security assessment report, plan of action and milestones, authorization\n                     statement)\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Specialized Assessments",
-                "parameters": [
-                  {
-                    "id": "ca-2.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least annually"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.2_prm_2"
-                  },
-                  {
-                    "id": "ca-2.2_prm_3"
-                  },
-                  {
-                    "id": "ca-2.2_prm_4",
-                    "depends-on": "ca-2.2_prm_3",
-                    "label": "organization-defined other forms of security assessment"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CA-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization includes as part of security control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}.",
-                    "parts": [
-                      {
-                        "id": "ca-2.2_fr",
-                        "name": "item",
-                        "title": "CA-2 (2) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-2.2_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "To include 'announced', 'vulnerability scanning'"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can employ information system monitoring, insider threat\n                  assessments, malicious user testing, and other forms of testing (e.g.,\n                  verification and validation) to improve readiness by exercising organizational\n                  capabilities and indicating current performance levels as a means of focusing\n                  actions to improve security. Organizations conduct assessment activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  regulations, and standards. Authorizing officials approve the assessment methods\n                  in coordination with the organizational risk executive function. Organizations can\n                  incorporate vulnerabilities uncovered during assessments into vulnerability\n                  remediation processes.",
-                    "links": [
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#si-2",
-                        "rel": "related",
-                        "text": "SI-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(2)[1]"
-                          }
-                        ],
-                        "prose": "selects one or more of the following forms of specialized security assessment\n                     to be included as part of security control assessments:",
-                        "parts": [
-                          {
-                            "id": "ca-2.2_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][a]"
-                              }
-                            ],
-                            "prose": "in-depth monitoring;"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][b]"
-                              }
-                            ],
-                            "prose": "vulnerability scanning;"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][c]"
-                              }
-                            ],
-                            "prose": "malicious user testing;"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][d]"
-                              }
-                            ],
-                            "prose": "insider threat assessment;"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][e]"
-                              }
-                            ],
-                            "prose": "performance/load testing; and/or"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.f",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][f]"
-                              }
-                            ],
-                            "prose": "other forms of organization-defined specialized security assessment;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(2)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency for conducting the selected form(s) of specialized\n                     security assessment;"
-                      },
-                      {
-                        "id": "ca-2.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(2)[3]"
-                          }
-                        ],
-                        "prose": "defines whether the specialized security assessment will be announced or\n                     unannounced; and"
-                      },
-                      {
-                        "id": "ca-2.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(2)[4]"
-                          }
-                        ],
-                        "prose": "conducts announced or unannounced organization-defined forms of specialized\n                     security assessments with the organization-defined frequency as part of\n                     security control assessments."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting security control assessment"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "External Organizations",
-                "parameters": [
-                  {
-                    "id": "ca-2.3_prm_1",
-                    "label": "organization-defined information system",
-                    "constraints": [
-                      {
-                        "detail": "any FedRAMP Accredited 3PAO"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.3_prm_2",
-                    "label": "organization-defined external organization",
-                    "constraints": [
-                      {
-                        "detail": "any FedRAMP Accredited 3PAO"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.3_prm_3",
-                    "label": "organization-defined requirements",
-                    "constraints": [
-                      {
-                        "detail": "the conditions of the JAB/AO in the FedRAMP Repository"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization accepts the results of an assessment of {{ ca-2.3_prm_1 }} performed by {{ ca-2.3_prm_2 }} when\n                  the assessment meets {{ ca-2.3_prm_3 }}."
-                  },
-                  {
-                    "id": "ca-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may often rely on assessments of specific information systems by\n                  other (external) organizations. Utilizing such existing assessments (i.e., reusing\n                  existing assessment evidence) can significantly decrease the time and resources\n                  required for organizational assessments by limiting the amount of independent\n                  assessment activities that organizations need to perform. The factors that\n                  organizations may consider in determining whether to accept assessment results\n                  from external organizations can vary. Determinations for accepting assessment\n                  results can be based on, for example, past assessment experiences one organization\n                  has had with another organization, the reputation that organizations have with\n                  regard to assessments, the level of detail of supporting assessment documentation\n                  provided, or mandates imposed upon organizations by federal legislation, policies,\n                  or directives."
-                  },
-                  {
-                    "id": "ca-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines an information system for which the results of a security assessment\n                     performed by an external organization are to be accepted;"
-                      },
-                      {
-                        "id": "ca-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(3)[2]"
-                          }
-                        ],
-                        "prose": "defines an external organization from which to accept a security assessment\n                     performed on an organization-defined information system;"
-                      },
-                      {
-                        "id": "ca-2.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(3)[3]"
-                          }
-                        ],
-                        "prose": "defines the requirements to be met by a security assessment performed by\n                     organization-defined external organization on organization-defined information\n                     system; and"
-                      },
-                      {
-                        "id": "ca-2.3_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(3)[4]"
-                          }
-                        ],
-                        "prose": "accepts the results of an assessment of an organization-defined information\n                     system performed by an organization-defined external organization when the\n                     assessment meets organization-defined requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity plan\\n\\nsecurity assessment requirements\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel performing security assessments for the specified external\n                     organization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-3",
-            "class": "SP800-53",
-            "title": "System Interconnections",
-            "parameters": [
-              {
-                "id": "ca-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "At least annually and on input from FedRAMP"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#2711f068-734e-4afd-94ba-0b22247fbc88",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-47"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"
-                  },
-                  {
-                    "id": "ca-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents, for each interconnection, the interface characteristics, security\n                  requirements, and the nature of the information communicated; and"
-                  },
-                  {
-                    "id": "ca-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ca-3_gdn",
-                "name": "guidance",
-                "prose": "This control applies to dedicated connections between information systems (i.e.,\n               system interconnections) and does not apply to transitory, user-controlled\n               connections such as email and website browsing. Organizations carefully consider the\n               risks that may be introduced when information systems are connected to other systems\n               with different security requirements and security controls, both within organizations\n               and external to organizations. Authorizing officials determine the risk associated\n               with information system connections and the appropriate controls employed. If\n               interconnecting systems have the same authorizing official, organizations do not need\n               to develop Interconnection Security Agreements. Instead, organizations can describe\n               the interface characteristics between those interconnecting systems in their\n               respective security plans. If interconnecting systems have different authorizing\n               officials within the same organization, organizations can either develop\n               Interconnection Security Agreements or describe the interface characteristics between\n               systems in the security plans for the respective systems. Organizations may also\n               incorporate Interconnection Security Agreement information into formal contracts,\n               especially for interconnections established between federal agencies and nonfederal\n               (i.e., private sector) organizations. Risk considerations also include information\n               systems sharing the same networks. For certain technologies (e.g., space, unmanned\n               aerial vehicles, and medical devices), there may be specialized connections in place\n               during preoperational testing. Such connections may require Interconnection Security\n               Agreements and be subject to additional security controls.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#au-16",
-                    "rel": "related",
-                    "text": "AU-16"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-3(a)"
-                      }
-                    ],
-                    "prose": "authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"
-                  },
-                  {
-                    "id": "ca-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-3(b)"
-                      }
-                    ],
-                    "prose": "documents, for each interconnection:",
-                    "parts": [
-                      {
-                        "id": "ca-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[1]"
-                          }
-                        ],
-                        "prose": "the interface characteristics;"
-                      },
-                      {
-                        "id": "ca-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[2]"
-                          }
-                        ],
-                        "prose": "the security requirements;"
-                      },
-                      {
-                        "id": "ca-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[3]"
-                          }
-                        ],
-                        "prose": "the nature of the information communicated;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update Interconnection Security Agreements;\n                     and"
-                      },
-                      {
-                        "id": "ca-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates Interconnection Security Agreements with the\n                     organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system Interconnection Security Agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for developing, implementing, or\n                  approving information system interconnection agreements\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing the system(s) to which the Interconnection Security Agreement\n                  applies"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-3.3",
-                "class": "SP800-53-enhancement",
-                "title": "Unclassified Non-national Security System Connections",
-                "parameters": [
-                  {
-                    "id": "ca-3.3_prm_1",
-                    "label": "organization-defined unclassified, non-national security system"
-                  },
-                  {
-                    "id": "ca-3.3_prm_2",
-                    "label": "Assignment; organization-defined boundary protection device",
-                    "constraints": [
-                      {
-                        "detail": "boundary protections which meet the Trusted Internet Connection (TIC) requirements"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-3(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-03.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-3.3_smt",
-                    "name": "statement",
-                    "prose": "The organization prohibits the direct connection of an {{ ca-3.3_prm_1 }} to an external network without the use of {{ ca-3.3_prm_2 }}.",
-                    "parts": [
-                      {
-                        "id": "ca-3.3_fr",
-                        "name": "item",
-                        "title": "CA-3 (3) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-3.3_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations typically do not have control over external networks (e.g., the\n                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate\n                  communications (i.e., information flows) between unclassified non-national\n                  security systems and external networks. This control enhancement is required for\n                  organizations processing, storing, or transmitting Controlled Unclassified\n                  Information (CUI)."
-                  },
-                  {
-                    "id": "ca-3.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-3.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(3)[1]"
-                          }
-                        ],
-                        "prose": "defines an unclassified, non-national security system whose direct connection\n                     to an external network is to be prohibited without the use of approved boundary\n                     protection device;"
-                      },
-                      {
-                        "id": "ca-3.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(3)[2]"
-                          }
-                        ],
-                        "prose": "defines a boundary protection device to be used to establish the direct\n                     connection of an organization-defined unclassified, non-national security\n                     system to an external network; and"
-                      },
-                      {
-                        "id": "ca-3.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(3)[3]"
-                          }
-                        ],
-                        "prose": "prohibits the direct connection of an organization-defined unclassified,\n                     non-national security system to an external network without the use of an\n                     organization-defined boundary protection device."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system interconnection security agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for managing direct connections to\n                     external networks\\n\\nnetwork administrators\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing directly connected external networks"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting the management of external network\n                     connections"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-3.5",
-                "class": "SP800-53-enhancement",
-                "title": "Restrictions On External System Connections",
-                "parameters": [
-                  {
-                    "id": "ca-3.5_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "deny-all, permit by exception"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.5_prm_2",
-                    "label": "organization-defined information systems",
-                    "constraints": [
-                      {
-                        "detail": "any systems"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CA-3(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-03.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-3.5_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ ca-3.5_prm_1 }} policy for allowing\n                     {{ ca-3.5_prm_2 }} to connect to external information\n                  systems.",
-                    "parts": [
-                      {
-                        "id": "ca-3.5_fr",
-                        "name": "item",
-                        "title": "CA-3 (5) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-3.5_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.5_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can constrain information system connectivity to external domains\n                  (e.g., websites) by employing one of two policies with regard to such\n                  connectivity: (i) allow-all, deny by exception, also known as blacklisting (the\n                  weaker of the two policies); or (ii) deny-all, allow by exception, also known as\n                  whitelisting (the stronger of the two policies). For either policy, organizations\n                  determine what exceptions, if any, are acceptable.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ca-3.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(5)[1]"
-                          }
-                        ],
-                        "prose": "defines information systems to be allowed to connect to external information\n                     systems;"
-                      },
-                      {
-                        "id": "ca-3.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(5)[2]"
-                          }
-                        ],
-                        "prose": "employs one of the following policies for allowing organization-defined\n                     information systems to connect to external information systems:",
-                        "parts": [
-                          {
-                            "id": "ca-3.5_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-3(5)[2][a]"
-                              }
-                            ],
-                            "prose": "allow-all policy;"
-                          },
-                          {
-                            "id": "ca-3.5_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-3(5)[2][b]"
-                              }
-                            ],
-                            "prose": "deny-by-exception policy;"
-                          },
-                          {
-                            "id": "ca-3.5_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-3(5)[2][c]"
-                              }
-                            ],
-                            "prose": "deny-all policy; or"
-                          },
-                          {
-                            "id": "ca-3.5_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-3(5)[2][d]"
-                              }
-                            ],
-                            "prose": "permit-by-exception policy."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system interconnection agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for managing connections to\n                     external information systems\\n\\nnetwork administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing restrictions on external system\n                     connections"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-5",
-            "class": "SP800-53",
-            "title": "Plan of Action and Milestones",
-            "parameters": [
-              {
-                "id": "ca-5_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#2c5884cd-7b96-425c-862a-99877e1cf909",
-                "rel": "reference",
-                "text": "OMB Memorandum 02-01"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a plan of action and milestones for the information system to document\n                  the organization’s planned remedial actions to correct weaknesses or deficiencies\n                  noted during the assessment of the security controls and to reduce or eliminate\n                  known vulnerabilities in the system; and"
-                  },
-                  {
-                    "id": "ca-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates existing plan of action and milestones {{ ca-5_prm_1 }}\n                  based on the findings from security controls assessments, security impact\n                  analyses, and continuous monitoring activities."
-                  },
-                  {
-                    "id": "ca-5_fr",
-                    "name": "item",
-                    "title": "CA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-5_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Plan of Action & Milestones (POA&M) must be provided at least monthly."
-                      },
-                      {
-                        "id": "ca-5_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-5_gdn",
-                "name": "guidance",
-                "prose": "Plans of action and milestones are key documents in security authorization packages\n               and are subject to federal reporting requirements established by OMB.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#pm-4",
-                    "rel": "related",
-                    "text": "PM-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-5(a)"
-                      }
-                    ],
-                    "prose": "develops a plan of action and milestones for the information system to:",
-                    "parts": [
-                      {
-                        "id": "ca-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "document the organization’s planned remedial actions to correct weaknesses or\n                     deficiencies noted during the assessment of the security controls;"
-                      },
-                      {
-                        "id": "ca-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "reduce or eliminate known vulnerabilities in the system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-5(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the existing plan of action and milestones;"
-                      },
-                      {
-                        "id": "ca-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-5(b)[2]"
-                          }
-                        ],
-                        "prose": "updates the existing plan of action and milestones with the\n                     organization-defined frequency based on the findings from:",
-                        "parts": [
-                          {
-                            "id": "ca-5.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][a]"
-                              }
-                            ],
-                            "prose": "security controls assessments;"
-                          },
-                          {
-                            "id": "ca-5.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][b]"
-                              }
-                            ],
-                            "prose": "security impact analyses; and"
-                          },
-                          {
-                            "id": "ca-5.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][c]"
-                              }
-                            ],
-                            "prose": "continuous monitoring activities."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing plan of action and milestones\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with plan of action and milestones development and\n                  implementation responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms for developing, implementing, and maintaining plan of action\n                  and milestones"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-6",
-            "class": "SP800-53",
-            "title": "Security Authorization",
-            "parameters": [
-              {
-                "id": "ca-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three (3) years or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab",
-                "rel": "reference",
-                "text": "OMB Circular A-130"
-              },
-              {
-                "href": "#bedb15b7-ec5c-4a68-807f-385125751fcd",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-33"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"
-                  },
-                  {
-                    "id": "ca-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations; and"
-                  },
-                  {
-                    "id": "ca-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Updates the security authorization {{ ca-6_prm_1 }}."
-                  },
-                  {
-                    "id": "ca-6_fr",
-                    "name": "item",
-                    "title": "CA-6(c) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-6_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_gdn",
-                "name": "guidance",
-                "prose": "Security authorizations are official management decisions, conveyed through\n               authorization decision documents, by senior organizational officials or executives\n               (i.e., authorizing officials) to authorize operation of information systems and to\n               explicitly accept the risk to organizational operations and assets, individuals,\n               other organizations, and the Nation based on the implementation of agreed-upon\n               security controls. Authorizing officials provide budgetary oversight for\n               organizational information systems or assume responsibility for the mission/business\n               operations supported by those systems. The security authorization process is an\n               inherently federal responsibility and therefore, authorizing officials must be\n               federal employees. Through the security authorization process, authorizing officials\n               assume responsibility and are accountable for security risks associated with the\n               operation and use of organizational information systems. Accordingly, authorizing\n               officials are in positions with levels of authority commensurate with understanding\n               and accepting such information security-related risks. OMB policy requires that\n               organizations conduct ongoing authorizations of information systems by implementing\n               continuous monitoring programs. Continuous monitoring programs can satisfy three-year\n               reauthorization requirements, so separate reauthorization processes are not\n               necessary. Through the employment of comprehensive continuous monitoring processes,\n               critical information contained in authorization packages (i.e., security plans,\n               security assessment reports, and plans of action and milestones) is updated on an\n               ongoing basis, providing authorizing officials and information system owners with an\n               up-to-date status of the security state of organizational information systems and\n               environments of operation. To reduce the administrative cost of security\n               reauthorization, authorizing officials use the results of continuous monitoring\n               processes to the maximum extent possible as the basis for rendering reauthorization\n               decisions.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#pm-10",
-                    "rel": "related",
-                    "text": "PM-10"
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-6(a)"
-                      }
-                    ],
-                    "prose": "assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"
-                  },
-                  {
-                    "id": "ca-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-6(b)"
-                      }
-                    ],
-                    "prose": "ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations;"
-                  },
-                  {
-                    "id": "ca-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-6(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the security authorization; and"
-                      },
-                      {
-                        "id": "ca-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-6(c)[2]"
-                          }
-                        ],
-                        "prose": "updates the security authorization with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security authorization\\n\\nsecurity authorization package (including security plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\nauthorization statement)\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security authorization responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms that facilitate security authorizations and updates"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-7",
-            "class": "SP800-53",
-            "title": "Continuous Monitoring",
-            "parameters": [
-              {
-                "id": "ca-7_prm_1",
-                "label": "organization-defined metrics"
-              },
-              {
-                "id": "ca-7_prm_2",
-                "label": "organization-defined frequencies"
-              },
-              {
-                "id": "ca-7_prm_3",
-                "label": "organization-defined frequencies"
-              },
-              {
-                "id": "ca-7_prm_4",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_prm_5",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bedb15b7-ec5c-4a68-807f-385125751fcd",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-33"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              },
-              {
-                "href": "#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb",
-                "rel": "reference",
-                "text": "US-CERT Technical Cyber Security Alerts"
-              },
-              {
-                "href": "#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b",
-                "rel": "reference",
-                "text": "DoD Information Assurance Vulnerability Alerts"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-7_smt",
-                "name": "statement",
-                "prose": "The organization develops a continuous monitoring strategy and implements a\n               continuous monitoring program that includes:",
-                "parts": [
-                  {
-                    "id": "ca-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishment of {{ ca-7_prm_1 }} to be monitored;"
-                  },
-                  {
-                    "id": "ca-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;"
-                  },
-                  {
-                    "id": "ca-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ongoing security control assessments in accordance with the organizational\n                  continuous monitoring strategy;"
-                  },
-                  {
-                    "id": "ca-7_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Ongoing security status monitoring of organization-defined metrics in accordance\n                  with the organizational continuous monitoring strategy;"
-                  },
-                  {
-                    "id": "ca-7_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Correlation and analysis of security-related information generated by assessments\n                  and monitoring;"
-                  },
-                  {
-                    "id": "ca-7_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Response actions to address results of the analysis of security-related\n                  information; and"
-                  },
-                  {
-                    "id": "ca-7_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Reporting the security status of organization and the information system to\n                     {{ ca-7_prm_4 }}\n                  {{ ca-7_prm_5 }}."
-                  },
-                  {
-                    "id": "ca-7_fr",
-                    "name": "item",
-                    "title": "CA-7 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-7_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."
-                      },
-                      {
-                        "id": "ca-7_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."
-                      },
-                      {
-                        "id": "ca-7_fr_gdn.2",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_gdn",
-                "name": "guidance",
-                "prose": "Continuous monitoring programs facilitate ongoing awareness of threats,\n               vulnerabilities, and information security to support organizational risk management\n               decisions. The terms continuous and ongoing imply that organizations assess/analyze\n               security controls and information security-related risks at a frequency sufficient to\n               support organizational risk-based decisions. The results of continuous monitoring\n               programs generate appropriate risk response actions by organizations. Continuous\n               monitoring programs also allow organizations to maintain the security authorizations\n               of information systems and common controls over time in highly dynamic environments\n               of operation with changing mission/business needs, threats, vulnerabilities, and\n               technologies. Having access to security-related information on a continuing basis\n               through reports/dashboards gives organizational officials the capability to make more\n               effective and timely risk management decisions, including ongoing security\n               authorization decisions. Automation supports more frequent updates to security\n               authorization packages, hardware/software/firmware inventories, and other system\n               information. Effectiveness is further enhanced when continuous monitoring outputs are\n               formatted to provide information that is specific, measurable, actionable, relevant,\n               and timely. Continuous monitoring activities are scaled in accordance with the\n               security categories of information systems.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-5",
-                    "rel": "related",
-                    "text": "CA-5"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#pm-6",
-                    "rel": "related",
-                    "text": "PM-6"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ca-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines metrics to be\n                     monitored;"
-                      },
-                      {
-                        "id": "ca-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[2]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes monitoring of\n                     organization-defined metrics;"
-                      },
-                      {
-                        "id": "ca-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[3]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes monitoring of\n                     organization-defined metrics in accordance with the organizational continuous\n                     monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines frequencies for\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[2]"
-                          }
-                        ],
-                        "prose": "defines frequencies for assessments supporting monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[3]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes establishment of the\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[4]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes establishment of\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     such monitoring in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(c)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes ongoing security\n                     control assessments;"
-                      },
-                      {
-                        "id": "ca-7.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(c)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes ongoing security\n                     control assessments in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(d)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes ongoing security status\n                     monitoring of organization-defined metrics;"
-                      },
-                      {
-                        "id": "ca-7.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(d)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes ongoing security\n                     status monitoring of organization-defined metrics in accordance with the\n                     organizational continuous monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(e)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(e)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(f)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes response actions to\n                     address results of the analysis of security-related information;"
-                      },
-                      {
-                        "id": "ca-7.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(f)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes response actions to\n                     address results of the analysis of security-related information in accordance\n                     with the organizational continuous monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines the personnel or roles\n                     to whom the security status of the organization and information system are to\n                     be reported;"
-                      },
-                      {
-                        "id": "ca-7.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[2]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines the frequency to report\n                     the security status of the organization and information system to\n                     organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "ca-7.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[3]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes reporting the security\n                     status of the organization or information system to organizational-defined\n                     personnel or roles with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "ca-7.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[4]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes reporting the security\n                     status of the organization and information system to organization-defined\n                     personnel or roles with the organization-defined frequency in accordance with\n                     the organizational continuous monitoring strategy."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                  controls\\n\\nprocedures addressing configuration management\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nconfiguration management records, security impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Mechanisms implementing continuous monitoring"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Independent Assessment",
-                "parameters": [
-                  {
-                    "id": "ca-7.1_prm_1",
-                    "label": "organization-defined level of independence"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs assessors or assessment teams with {{ ca-7.1_prm_1 }} to monitor the security controls in the information\n                  system on an ongoing basis."
-                  },
-                  {
-                    "id": "ca-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can maximize the value of assessments of security controls during\n                  the continuous monitoring process by requiring that such assessments be conducted\n                  by assessors or assessment teams with appropriate levels of independence based on\n                  continuous monitoring strategies. Assessor independence provides a degree of\n                  impartiality to the monitoring process. To achieve such impartiality, assessors\n                  should not: (i) create a mutual or conflicting interest with the organizations\n                  where the assessments are being conducted; (ii) assess their own work; (iii) act\n                  as management or employees of the organizations they are serving; or (iv) place\n                  themselves in advocacy positions for the organizations acquiring their\n                  services."
-                  },
-                  {
-                    "id": "ca-7.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-7.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(1)[1]"
-                          }
-                        ],
-                        "prose": "defines a level of independence to be employed to monitor the security controls\n                     in the information system on an ongoing basis; and"
-                      },
-                      {
-                        "id": "ca-7.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(1)[2]"
-                          }
-                        ],
-                        "prose": "employs assessors or assessment teams with the organization-defined level of\n                     independence to monitor the security controls in the information system on an\n                     ongoing basis."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                     controls\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nsecurity impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-7.3",
-                "class": "SP800-53-enhancement",
-                "title": "Trend Analyses",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-7(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-07.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-7.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs trend analyses to determine if security control\n                  implementations, the frequency of continuous monitoring activities, and/or the\n                  types of activities used in the continuous monitoring process need to be modified\n                  based on empirical data."
-                  },
-                  {
-                    "id": "ca-7.3_gdn",
-                    "name": "guidance",
-                    "prose": "Trend analyses can include, for example, examining recent threat information\n                  regarding the types of threat events that have occurred within the organization or\n                  across the federal government, success rates of certain types of cyber attacks,\n                  emerging vulnerabilities in information technologies, evolving social engineering\n                  techniques, results from multiple security control assessments, the effectiveness\n                  of configuration settings, and findings from Inspectors General or auditors."
-                  },
-                  {
-                    "id": "ca-7.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs trend analyses to determine if the following\n                  items need to be modified based on empirical data:",
-                    "parts": [
-                      {
-                        "id": "ca-7.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(3)[1]"
-                          }
-                        ],
-                        "prose": "security control implementations;"
-                      },
-                      {
-                        "id": "ca-7.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(3)[2]"
-                          }
-                        ],
-                        "prose": "the frequency of continuous monitoring activities; and/or"
-                      },
-                      {
-                        "id": "ca-7.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(3)[3]"
-                          }
-                        ],
-                        "prose": "the types of activities used in the continuous monitoring process."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Continuous monitoring strategy\\n\\nSecurity assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                     controls\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nsecurity impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-8",
-            "class": "SP800-53",
-            "title": "Penetration Testing",
-            "parameters": [
-              {
-                "id": "ca-8_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ca-8_prm_2",
-                "label": "organization-defined information systems or system components"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-8_smt",
-                "name": "statement",
-                "prose": "The organization conducts penetration testing {{ ca-8_prm_1 }} on\n                  {{ ca-8_prm_2 }}.",
-                "parts": [
-                  {
-                    "id": "ca-8_fr",
-                    "name": "item",
-                    "title": "CA-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-8_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-8_gdn",
-                "name": "guidance",
-                "prose": "Penetration testing is a specialized type of assessment conducted on information\n               systems or individual system components to identify vulnerabilities that could be\n               exploited by adversaries. Such testing can be used to either validate vulnerabilities\n               or determine the degree of resistance organizational information systems have to\n               adversaries within a set of specified constraints (e.g., time, resources, and/or\n               skills). Penetration testing attempts to duplicate the actions of adversaries in\n               carrying out hostile cyber attacks against organizations and provides a more in-depth\n               analysis of security-related weaknesses/deficiencies. Organizations can also use the\n               results of vulnerability analyses to support penetration testing activities.\n               Penetration testing can be conducted on the hardware, software, or firmware\n               components of an information system and can exercise both physical and technical\n               security controls. A standard method for penetration testing includes, for example:\n               (i) pretest analysis based on full knowledge of the target system; (ii) pretest\n               identification of potential vulnerabilities based on pretest analysis; and (iii)\n               testing designed to determine exploitability of identified vulnerabilities. All\n               parties agree to the rules of engagement before the commencement of penetration\n               testing scenarios. Organizations correlate the penetration testing rules of\n               engagement with the tools, techniques, and procedures that are anticipated to be\n               employed by adversaries carrying out attacks. Organizational risk assessments guide\n               decisions on the level of independence required for personnel conducting penetration\n               testing.",
-                "links": [
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "ca-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-8_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-8[1]"
-                      }
-                    ],
-                    "prose": "defines information systems or system components on which penetration testing is\n                  to be conducted;"
-                  },
-                  {
-                    "id": "ca-8_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-8[2]"
-                      }
-                    ],
-                    "prose": "defines the frequency to conduct penetration testing on organization-defined\n                  information systems or system components; and"
-                  },
-                  {
-                    "id": "ca-8_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-8[3]"
-                      }
-                    ],
-                    "prose": "conducts penetration testing on organization-defined information systems or system\n                  components with the organization-defined frequency."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing penetration testing\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\npenetration test report\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities,\n                  system/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting penetration testing"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Independent Penetration Agent or Team",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs an independent penetration agent or penetration team to\n                  perform penetration testing on the information system or system components."
-                  },
-                  {
-                    "id": "ca-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "Independent penetration agents or teams are individuals or groups who conduct\n                  impartial penetration testing of organizational information systems. Impartiality\n                  implies that penetration agents or teams are free from any perceived or actual\n                  conflicts of interest with regard to the development, operation, or management of\n                  the information systems that are the targets of the penetration testing.\n                  Supplemental guidance for CA-2 (1) provides additional information regarding\n                  independent assessments that can be applied to penetration testing.",
-                    "links": [
-                      {
-                        "href": "#ca-2",
-                        "rel": "related",
-                        "text": "CA-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-8.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs an independent penetration agent or\n                  penetration team to perform penetration testing on the information system or\n                  system components. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing penetration testing\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\npenetration test report\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-9",
-            "class": "SP800-53",
-            "title": "Internal System Connections",
-            "parameters": [
-              {
-                "id": "ca-9_prm_1",
-                "label": "organization-defined information system components or classes of\n               components"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Authorizes internal connections of {{ ca-9_prm_1 }} to the\n                  information system; and"
-                  },
-                  {
-                    "id": "ca-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents, for each internal connection, the interface characteristics, security\n                  requirements, and the nature of the information communicated."
-                  }
-                ]
-              },
-              {
-                "id": "ca-9_gdn",
-                "name": "guidance",
-                "prose": "This control applies to connections between organizational information systems and\n               (separate) constituent system components (i.e., intra-system connections) including,\n               for example, system connections with mobile devices, notebook/desktop computers,\n               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of\n               authorizing each individual internal connection, organizations can authorize internal\n               connections for a class of components with common characteristics and/or\n               configurations, for example, all digital printers, scanners, and copiers with a\n               specified processing, storage, and transmission capability or all smart phones with a\n               specific baseline configuration.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components or classes of components to be authorized\n                     as internal connections to the information system;"
-                      },
-                      {
-                        "id": "ca-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-9(a)[2]"
-                          }
-                        ],
-                        "prose": "authorizes internal connections of organization-defined information system\n                     components or classes of components to the information system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-9(b)"
-                      }
-                    ],
-                    "prose": "documents, for each internal connection:",
-                    "parts": [
-                      {
-                        "id": "ca-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[1]"
-                          }
-                        ],
-                        "prose": "the interface characteristics;"
-                      },
-                      {
-                        "id": "ca-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[2]"
-                          }
-                        ],
-                        "prose": "the security requirements; and"
-                      },
-                      {
-                        "id": "ca-9.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[3]"
-                          }
-                        ],
-                        "prose": "the nature of the information communicated."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of components or classes of components authorized as internal system\n                  connections\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for developing, implementing, or\n                  authorizing internal system connections\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "cm",
-        "class": "family",
-        "title": "Configuration Management",
-        "controls": [
-          {
-            "id": "cm-1",
-            "class": "SP800-53",
-            "title": "Configuration Management Policy and Procedures",
-            "parameters": [
-              {
-                "id": "cm-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cm-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ cm-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "cm-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A configuration management policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "cm-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the configuration management\n                     policy and associated configuration management controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "cm-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Configuration management policy {{ cm-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cm-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Configuration management procedures {{ cm-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CM\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a configuration management policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "cm-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the configuration management policy is to\n                        be disseminated;"
-                          },
-                          {
-                            "id": "cm-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the configuration management policy to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        configuration management policy and associated configuration management\n                        controls;"
-                          },
-                          {
-                            "id": "cm-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "cm-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current configuration\n                        management policy;"
-                          },
-                          {
-                            "id": "cm-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current configuration management policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current configuration\n                        management procedures; and"
-                          },
-                          {
-                            "id": "cm-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current configuration management procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-2",
-            "class": "SP800-53",
-            "title": "Baseline Configuration",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-2_smt",
-                "name": "statement",
-                "prose": "The organization develops, documents, and maintains under configuration control, a\n               current baseline configuration of the information system."
-              },
-              {
-                "id": "cm-2_gdn",
-                "name": "guidance",
-                "prose": "This control establishes baseline configurations for information systems and system\n               components including communications and connectivity-related aspects of systems.\n               Baseline configurations are documented, formally reviewed and agreed-upon sets of\n               specifications for information systems or configuration items within those systems.\n               Baseline configurations serve as a basis for future builds, releases, and/or changes\n               to information systems. Baseline configurations include information about information\n               system components (e.g., standard software packages installed on workstations,\n               notebook computers, servers, network components, or mobile devices; current version\n               numbers and patch information on operating systems and applications; and\n               configuration settings/parameters), network topology, and the logical placement of\n               those components within the system architecture. Maintaining baseline configurations\n               requires creating new baselines as organizational information systems change over\n               time. Baseline configurations of information systems reflect the current enterprise\n               architecture.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#pm-5",
-                    "rel": "related",
-                    "text": "PM-5"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-2_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-2[1]"
-                      }
-                    ],
-                    "prose": "develops and documents a current baseline configuration of the information system;\n                  and"
-                  },
-                  {
-                    "id": "cm-2_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-2[2]"
-                      }
-                    ],
-                    "prose": "maintains, under configuration control, a current baseline configuration of the\n                  information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\nenterprise architecture documentation\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting configuration control of the baseline\n                  configuration"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Reviews and Updates",
-                "parameters": [
-                  {
-                    "id": "cm-2.1_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least annually or when a significant change occurs"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.1_prm_2",
-                    "label": "Assignment organization-defined circumstances",
-                    "constraints": [
-                      {
-                        "detail": "to include when directed by the JAB"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization reviews and updates the baseline configuration of the information\n                  system:",
-                    "parts": [
-                      {
-                        "id": "cm-2.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "\n                     {{ cm-2.1_prm_1 }};"
-                      },
-                      {
-                        "id": "cm-2.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "When required due to {{ cm-2.1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cm-2.1_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "As an integral part of information system component installations and\n                     upgrades."
-                      },
-                      {
-                        "id": "cm-2.1_fr",
-                        "name": "item",
-                        "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "cm-2.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(a) Guidance:"
-                              }
-                            ],
-                            "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cm-5",
-                        "rel": "related",
-                        "text": "CM-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-2.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-2(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-2.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the baseline configuration of the\n                        information system;"
-                          },
-                          {
-                            "id": "cm-2.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the baseline configuration of the information system\n                        with the organization-defined frequency;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-2.1_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-2(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-2.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-2(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-2.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines circumstances that require the baseline configuration of the\n                        information system to be reviewed and updated;"
-                          },
-                          {
-                            "id": "cm-2.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the baseline configuration of the information system\n                        when required due to organization-defined circumstances; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-2.1_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-2(1)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-2.1.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(1)(c)"
-                          }
-                        ],
-                        "prose": "reviews and updates the baseline configuration of the information system as an\n                     integral part of information system component installations and upgrades.",
-                        "links": [
-                          {
-                            "href": "#cm-2.1_smt.c",
-                            "rel": "corresp",
-                            "text": "CM-2(1)(c)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nprocedures addressing information system component installations and\n                     upgrades\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of information system baseline configuration reviews and updates\\n\\ninformation system component installations/upgrades and associated records\\n\\nchange control records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting review and update of the baseline\n                     configuration"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automation Support for Accuracy / Currency",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to maintain an up-to-date, complete,\n                  accurate, and readily available baseline configuration of the information\n                  system."
-                  },
-                  {
-                    "id": "cm-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms that help organizations maintain consistent baseline\n                  configurations for information systems include, for example, hardware and software\n                  inventory tools, configuration management tools, and network management tools.\n                  Such tools can be deployed and/or allocated as common controls, at the information\n                  system level, or at the operating system or component level (e.g., on\n                  workstations, servers, notebook computers, network components, or mobile devices).\n                  Tools can be used, for example, to track version numbers on operating system\n                  applications, types of software installed, and current patch levels. This control\n                  enhancement can be satisfied by the implementation of CM-8 (2) for organizations\n                  that choose to combine information system component inventory and baseline\n                  configuration activities.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs automated mechanisms to maintain: ",
-                    "parts": [
-                      {
-                        "id": "cm-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(2)[1]"
-                          }
-                        ],
-                        "prose": "an up-to-date baseline configuration of the information system;"
-                      },
-                      {
-                        "id": "cm-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(2)[2]"
-                          }
-                        ],
-                        "prose": "a complete baseline configuration of the information system;"
-                      },
-                      {
-                        "id": "cm-2.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(2)[3]"
-                          }
-                        ],
-                        "prose": "an accurate baseline configuration of the information system; and"
-                      },
-                      {
-                        "id": "cm-2.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(2)[4]"
-                          }
-                        ],
-                        "prose": "a readily available baseline configuration of the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nconfiguration change control records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing baseline configurations\\n\\nautomated mechanisms implementing baseline configuration maintenance"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Retention of Previous Configurations",
-                "parameters": [
-                  {
-                    "id": "cm-2.3_prm_1",
-                    "label": "organization-defined previous versions of baseline configurations of the\n                  information system",
-                    "constraints": [
-                      {
-                        "detail": "organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization retains {{ cm-2.3_prm_1 }} to support\n                  rollback."
-                  },
-                  {
-                    "id": "cm-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Retaining previous versions of baseline configurations to support rollback may\n                  include, for example, hardware, software, firmware, configuration files, and\n                  configuration records."
-                  },
-                  {
-                    "id": "cm-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines previous versions of baseline configurations of the information system\n                     to be retained to support rollback; and"
-                      },
-                      {
-                        "id": "cm-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(3)[2]"
-                          }
-                        ],
-                        "prose": "retains organization-defined previous versions of baseline configurations of\n                     the information system to support rollback."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncopies of previous baseline configuration versions\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing baseline configurations"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-2.7",
-                "class": "SP800-53-enhancement",
-                "title": "Configure Systems, Components, or Devices for High-risk Areas",
-                "parameters": [
-                  {
-                    "id": "cm-2.7_prm_1",
-                    "label": "organization-defined information systems, system components, or\n                  devices"
-                  },
-                  {
-                    "id": "cm-2.7_prm_2",
-                    "label": "organization-defined configurations"
-                  },
-                  {
-                    "id": "cm-2.7_prm_3",
-                    "label": "organization-defined security safeguards"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-2(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-02.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-2.7_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-2.7_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Issues {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }}\n                     to individuals traveling to locations that the organization deems to be of\n                     significant risk; and"
-                      },
-                      {
-                        "id": "cm-2.7_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Applies {{ cm-2.7_prm_3 }} to the devices when the individuals\n                     return."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.7_gdn",
-                    "name": "guidance",
-                    "prose": "When it is known that information systems, system components, or devices (e.g.,\n                  notebook computers, mobile devices) will be located in high-risk areas, additional\n                  security controls may be implemented to counter the greater threat in such areas\n                  coupled with the lack of physical security relative to organizational-controlled\n                  areas. For example, organizational policies and procedures for notebook computers\n                  used by individuals departing on and returning from travel include, for example,\n                  determining which locations are of concern, defining required configurations for\n                  the devices, ensuring that the devices are configured as intended before travel is\n                  initiated, and applying specific safeguards to the device after travel is\n                  completed. Specially configured notebook computers include, for example, computers\n                  with sanitized hard drives, limited applications, and additional hardening (e.g.,\n                  more stringent configuration settings). Specified safeguards applied to mobile\n                  devices upon return from travel include, for example, examining the device for\n                  signs of physical tampering and purging/reimaging the hard disk drive. Protecting\n                  information residing on mobile devices is covered in the media protection\n                  family."
-                  },
-                  {
-                    "id": "cm-2.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-2.7.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-2(7)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-2.7.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines information systems, system components, or devices to be issued to\n                        individuals traveling to locations that the organization deems to be of\n                        significant risk;"
-                          },
-                          {
-                            "id": "cm-2.7.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(a)[2]"
-                              }
-                            ],
-                            "prose": "defines configurations to be employed on organization-defined information\n                        systems, system components, or devices issued to individuals traveling to\n                        such locations;"
-                          },
-                          {
-                            "id": "cm-2.7.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(a)[3]"
-                              }
-                            ],
-                            "prose": "issues organization-defined information systems, system components, or\n                        devices with organization-defined configurations to individuals traveling to\n                        locations that the organization deems to be of significant risk;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-2.7_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-2(7)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-2.7.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-2(7)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-2.7.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines security safeguards to be applied to the devices when the\n                        individuals return; and"
-                          },
-                          {
-                            "id": "cm-2.7.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(b)[2]"
-                              }
-                            ],
-                            "prose": "applies organization-defined safeguards to the devices when the individuals\n                        return."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-2.7_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-2(7)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nprocedures addressing information system component installations and\n                     upgrades\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of information system baseline configuration reviews and updates\\n\\ninformation system component installations/upgrades and associated records\\n\\nchange control records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing baseline configurations"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-3",
-            "class": "SP800-53",
-            "title": "Configuration Change Control",
-            "parameters": [
-              {
-                "id": "cm-3_prm_1",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "cm-3_prm_2",
-                "label": "organization-defined configuration change control element (e.g., committee,\n               board)"
-              },
-              {
-                "id": "cm-3_prm_3"
-              },
-              {
-                "id": "cm-3_prm_4",
-                "depends-on": "cm-3_prm_3",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "cm-3_prm_5",
-                "depends-on": "cm-3_prm_3",
-                "label": "organization-defined configuration change conditions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines the types of changes to the information system that are\n                  configuration-controlled;"
-                  },
-                  {
-                    "id": "cm-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews proposed configuration-controlled changes to the information system and\n                  approves or disapproves such changes with explicit consideration for security\n                  impact analyses;"
-                  },
-                  {
-                    "id": "cm-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents configuration change decisions associated with the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Implements approved configuration-controlled changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Retains records of configuration-controlled changes to the information system for\n                     {{ cm-3_prm_1 }};"
-                  },
-                  {
-                    "id": "cm-3_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Audits and reviews activities associated with configuration-controlled changes to\n                  the information system; and"
-                  },
-                  {
-                    "id": "cm-3_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Coordinates and provides oversight for configuration change control activities\n                  through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}."
-                  },
-                  {
-                    "id": "cm-3_fr",
-                    "name": "item",
-                    "title": "CM-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-3_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO."
-                      },
-                      {
-                        "id": "cm-3_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e) Guidance:"
-                          }
-                        ],
-                        "prose": "In accordance with record retention policies and procedures."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-3_gdn",
-                "name": "guidance",
-                "prose": "Configuration change controls for organizational information systems involve the\n               systematic proposal, justification, implementation, testing, review, and disposition\n               of changes to the systems, including system upgrades and modifications. Configuration\n               change control includes changes to baseline configurations for components and\n               configuration items of information systems, changes to configuration settings for\n               information technology products (e.g., operating systems, applications, firewalls,\n               routers, and mobile devices), unscheduled/unauthorized changes, and changes to\n               remediate vulnerabilities. Typical processes for managing configuration changes to\n               information systems include, for example, Configuration Control Boards that approve\n               proposed changes to systems. For new development information systems or systems\n               undergoing major upgrades, organizations consider including representatives from\n               development organizations on the Configuration Control Boards. Auditing of changes\n               includes activities before and after changes are made to organizational information\n               systems and the auditing activities required to implement such changes.",
-                "links": [
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-12",
-                    "rel": "related",
-                    "text": "SI-12"
-                  }
-                ]
-              },
-              {
-                "id": "cm-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(a)"
-                      }
-                    ],
-                    "prose": "determines the type of changes to the information system that must be\n                  configuration-controlled;"
-                  },
-                  {
-                    "id": "cm-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(b)"
-                      }
-                    ],
-                    "prose": "reviews proposed configuration-controlled changes to the information system and\n                  approves or disapproves such changes with explicit consideration for security\n                  impact analyses;"
-                  },
-                  {
-                    "id": "cm-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(c)"
-                      }
-                    ],
-                    "prose": "documents configuration change decisions associated with the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(d)"
-                      }
-                    ],
-                    "prose": "implements approved configuration-controlled changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(e)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period to retain records of configuration-controlled changes to\n                     the information system;"
-                      },
-                      {
-                        "id": "cm-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(e)[2]"
-                          }
-                        ],
-                        "prose": "retains records of configuration-controlled changes to the information system\n                     for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-3.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(f)"
-                      }
-                    ],
-                    "prose": "audits and reviews activities associated with configuration-controlled changes to\n                  the information system;"
-                  },
-                  {
-                    "id": "cm-3.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-3(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-3.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(g)[1]"
-                          }
-                        ],
-                        "prose": "defines a configuration change control element (e.g., committee, board)\n                     responsible for coordinating and providing oversight for configuration change\n                     control activities;"
-                      },
-                      {
-                        "id": "cm-3.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(g)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency with which the configuration change control element must\n                     convene; and/or"
-                      },
-                      {
-                        "id": "cm-3.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(g)[3]"
-                          }
-                        ],
-                        "prose": "defines configuration change conditions that prompt the configuration change\n                     control element to convene; and"
-                      },
-                      {
-                        "id": "cm-3.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(g)[4]"
-                          }
-                        ],
-                        "prose": "coordinates and provides oversight for configuration change control activities\n                     through organization-defined configuration change control element that convenes\n                     at organization-defined frequency and/or for any organization-defined\n                     configuration change conditions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\ninformation system architecture and configuration documentation\\n\\nsecurity plan\\n\\nchange control records\\n\\ninformation system audit records\\n\\nchange control audit and review reports\\n\\nagenda /minutes from configuration change control oversight meetings\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nmembers of change control board or similar"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for configuration change control\\n\\nautomated mechanisms that implement configuration change control"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Document / Notification / Prohibition of Changes",
-                "parameters": [
-                  {
-                    "id": "cm-3.1_prm_1",
-                    "label": "organized-defined approval authorities"
-                  },
-                  {
-                    "id": "cm-3.1_prm_2",
-                    "label": "organization-defined time period",
-                    "constraints": [
-                      {
-                        "detail": "organization agreed upon time period"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-3.1_prm_3",
-                    "label": "organization-defined personnel",
-                    "constraints": [
-                      {
-                        "detail": "organization defined configuration management approval authorities"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-3.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to:",
-                    "parts": [
-                      {
-                        "id": "cm-3.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Document proposed changes to the information system;"
-                      },
-                      {
-                        "id": "cm-3.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Notify {{ cm-3.1_prm_1 }} of proposed changes to the information\n                     system and request change approval;"
-                      },
-                      {
-                        "id": "cm-3.1_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Highlight proposed changes to the information system that have not been\n                     approved or disapproved by {{ cm-3.1_prm_2 }};"
-                      },
-                      {
-                        "id": "cm-3.1_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Prohibit changes to the information system until designated approvals are\n                     received;"
-                      },
-                      {
-                        "id": "cm-3.1_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)"
-                          }
-                        ],
-                        "prose": "Document all changes to the information system; and"
-                      },
-                      {
-                        "id": "cm-3.1_smt.f",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(f)"
-                          }
-                        ],
-                        "prose": "Notify {{ cm-3.1_prm_3 }} when approved changes to the\n                     information system are completed."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-3.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-3.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(1)(a)"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to document proposed changes to the information\n                     system;",
-                        "links": [
-                          {
-                            "href": "#cm-3.1_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-3(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-3.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-3(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-3.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-3(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines approval authorities to be notified of proposed changes to the\n                        information system and request change approval;"
-                          },
-                          {
-                            "id": "cm-3.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-3(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "employs automated mechanisms to notify organization-defined approval\n                        authorities of proposed changes to the information system and request change\n                        approval;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-3.1_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-3(1)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-3.1.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-3(1)(c)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-3.1.c_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-3(1)(c)[1]"
-                              }
-                            ],
-                            "prose": "defines the time period within which proposed changes to the information\n                        system that have not been approved or disapproved must be highlighted;"
-                          },
-                          {
-                            "id": "cm-3.1.c_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-3(1)(c)[2]"
-                              }
-                            ],
-                            "prose": "employs automated mechanisms to highlight proposed changes to the\n                        information system that have not been approved or disapproved by\n                        organization-defined time period;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-3.1_smt.c",
-                            "rel": "corresp",
-                            "text": "CM-3(1)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-3.1.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(1)(d)"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to prohibit changes to the information system\n                     until designated approvals are received;",
-                        "links": [
-                          {
-                            "href": "#cm-3.1_smt.d",
-                            "rel": "corresp",
-                            "text": "CM-3(1)(d)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-3.1.e_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(1)(e)"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to document all changes to the information\n                     system;",
-                        "links": [
-                          {
-                            "href": "#cm-3.1_smt.e",
-                            "rel": "corresp",
-                            "text": "CM-3(1)(e)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-3.1.f_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-3(1)(f)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-3.1.f_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-3(1)(f)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel to be notified when approved changes to the information\n                        system are completed; and"
-                          },
-                          {
-                            "id": "cm-3.1.f_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-3(1)(f)[2]"
-                              }
-                            ],
-                            "prose": "employs automated mechanisms to notify organization-defined personnel when\n                        approved changes to the information system are completed."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-3.1_smt.f",
-                            "rel": "corresp",
-                            "text": "CM-3(1)(f)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\nautomated configuration control mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nchange approval requests\\n\\nchange approvals\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for configuration change control\\n\\nautomated mechanisms implementing configuration change control activities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-3.2",
-                "class": "SP800-53-enhancement",
-                "title": "Test / Validate / Document Changes",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-3(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-03.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-3.2_smt",
-                    "name": "statement",
-                    "prose": "The organization tests, validates, and documents changes to the information system\n                  before implementing the changes on the operational system."
-                  },
-                  {
-                    "id": "cm-3.2_gdn",
-                    "name": "guidance",
-                    "prose": "Changes to information systems include modifications to hardware, software, or\n                  firmware components and configuration settings defined in CM-6. Organizations\n                  ensure that testing does not interfere with information system operations.\n                  Individuals/groups conducting tests understand organizational security policies\n                  and procedures, information system security policies and procedures, and the\n                  specific health, safety, and environmental risks associated with particular\n                  facilities/processes. Operational systems may need to be taken off-line, or\n                  replicated to the extent feasible, before testing can be conducted. If information\n                  systems must be taken off-line for testing, the tests are scheduled to occur\n                  during planned system outages whenever possible. If testing cannot be conducted on\n                  operational systems, organizations employ compensating controls (e.g., testing on\n                  replicated systems)."
-                  },
-                  {
-                    "id": "cm-3.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization, before implementing changes on the operational\n                  system:",
-                    "parts": [
-                      {
-                        "id": "cm-3.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(2)[1]"
-                          }
-                        ],
-                        "prose": "tests changes to the information system;"
-                      },
-                      {
-                        "id": "cm-3.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(2)[2]"
-                          }
-                        ],
-                        "prose": "validates changes to the information system; and"
-                      },
-                      {
-                        "id": "cm-3.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(2)[3]"
-                          }
-                        ],
-                        "prose": "documents changes to the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing information system configuration change control\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ntest records\\n\\nvalidation records\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for configuration change control\\n\\nautomated mechanisms supporting and/or implementing testing, validating, and\n                     documenting information system changes"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-3.4",
-                "class": "SP800-53-enhancement",
-                "title": "Security Representative",
-                "parameters": [
-                  {
-                    "id": "cm-3.4_prm_1",
-                    "label": "organization-defined configuration change control element",
-                    "constraints": [
-                      {
-                        "detail": "Configuration control board (CCB) or similar (as defined in CM-3)"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-3(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-03.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-3.4_smt",
-                    "name": "statement",
-                    "prose": "The organization requires an information security representative to be a member of\n                  the {{ cm-3.4_prm_1 }}."
-                  },
-                  {
-                    "id": "cm-3.4_gdn",
-                    "name": "guidance",
-                    "prose": "Information security representatives can include, for example, senior agency\n                  information security officers, information system security officers, or\n                  information system security managers. Representation by personnel with information\n                  security expertise is important because changes to information system\n                  configurations can have unintended side effects, some of which may be\n                  security-relevant. Detecting such changes early in the process can help avoid\n                  unintended, negative consequences that could ultimately affect the security state\n                  of organizational information systems. The configuration change control element in\n                  this control enhancement reflects the change control elements defined by\n                  organizations in CM-3."
-                  },
-                  {
-                    "id": "cm-3.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-3.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(4)[1]"
-                          }
-                        ],
-                        "prose": "specifies the configuration change control elements (as defined in CM-3g) of\n                     which an information security representative is to be a member; and"
-                      },
-                      {
-                        "id": "cm-3.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(4)[2]"
-                          }
-                        ],
-                        "prose": "requires an information security representative to be a member of the specified\n                     configuration control element."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for configuration change control"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-3.6",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptography Management",
-                "parameters": [
-                  {
-                    "id": "cm-3.6_prm_1",
-                    "label": "organization-defined security safeguards",
-                    "constraints": [
-                      {
-                        "detail": "All security safeguards that rely on cryptography"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-3(6)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-03.06"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-3.6_smt",
-                    "name": "statement",
-                    "prose": "The organization ensures that cryptographic mechanisms used to provide {{ cm-3.6_prm_1 }} are under configuration management."
-                  },
-                  {
-                    "id": "cm-3.6_gdn",
-                    "name": "guidance",
-                    "prose": "Regardless of the cryptographic means employed (e.g., public key, private key,\n                  shared secrets), organizations ensure that there are processes and procedures in\n                  place to effectively manage those means. For example, if devices use certificates\n                  as a basis for identification and authentication, there needs to be a process in\n                  place to address the expiration of those certificates.",
-                    "links": [
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-3.6_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-3.6_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(6)[1]"
-                          }
-                        ],
-                        "prose": "defines security safeguards provided by cryptographic mechanisms that are to be\n                     under configuration management; and"
-                      },
-                      {
-                        "id": "cm-3.6_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(6)[2]"
-                          }
-                        ],
-                        "prose": "ensures that cryptographic mechanisms used to provide organization-defined\n                     security safeguards are under configuration management."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for configuration change control\\n\\ncryptographic mechanisms implementing organizational security safeguards"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-4",
-            "class": "SP800-53",
-            "title": "Security Impact Analysis",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-4_smt",
-                "name": "statement",
-                "prose": "The organization analyzes changes to the information system to determine potential\n               security impacts prior to change implementation."
-              },
-              {
-                "id": "cm-4_gdn",
-                "name": "guidance",
-                "prose": "Organizational personnel with information security responsibilities (e.g.,\n               Information System Administrators, Information System Security Officers, Information\n               System Security Managers, and Information System Security Engineers) conduct security\n               impact analyses. Individuals conducting security impact analyses possess the\n               necessary skills/technical expertise to analyze the changes to information systems\n               and the associated security ramifications. Security impact analysis may include, for\n               example, reviewing security plans to understand security control requirements and\n               reviewing system design documentation to understand control implementation and how\n               specific changes might affect the controls. Security impact analyses may also include\n               assessments of risk to better understand the impact of the changes and to determine\n               if additional security controls are required. Security impact analyses are scaled in\n               accordance with the security categories of the information systems.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "cm-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization analyzes changes to the information system to determine\n               potential security impacts prior to change implementation."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for conducting security impact\n                  analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security impact analysis"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Separate Test Environments",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization analyzes changes to the information system in a separate test\n                  environment before implementation in an operational environment, looking for\n                  security impacts due to flaws, weaknesses, incompatibility, or intentional\n                  malice."
-                  },
-                  {
-                    "id": "cm-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "Separate test environment in this context means an environment that is physically\n                  or logically isolated and distinct from the operational environment. The\n                  separation is sufficient to ensure that activities in the test environment do not\n                  impact activities in the operational environment, and information in the\n                  operational environment is not inadvertently transmitted to the test environment.\n                  Separate environments can be achieved by physical or logical means. If physically\n                  separate test environments are not used, organizations determine the strength of\n                  mechanism required when implementing logical separation (e.g., separation achieved\n                  through virtual machines).",
-                    "links": [
-                      {
-                        "href": "#sa-11",
-                        "rel": "related",
-                        "text": "SA-11"
-                      },
-                      {
-                        "href": "#sc-3",
-                        "rel": "related",
-                        "text": "SC-3"
-                      },
-                      {
-                        "href": "#sc-7",
-                        "rel": "related",
-                        "text": "SC-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-4.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-4.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-4(1)[1]"
-                          }
-                        ],
-                        "prose": "analyzes changes to the information system in a separate test environment\n                     before implementation in an operational environment;"
-                      },
-                      {
-                        "id": "cm-4.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-4(1)[2]"
-                          }
-                        ],
-                        "prose": "when analyzing changes to the information system in a separate test\n                     environment, looks for security impacts due to:",
-                        "parts": [
-                          {
-                            "id": "cm-4.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-4(1)[2][a]"
-                              }
-                            ],
-                            "prose": "flaws;"
-                          },
-                          {
-                            "id": "cm-4.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-4(1)[2][b]"
-                              }
-                            ],
-                            "prose": "weaknesses;"
-                          },
-                          {
-                            "id": "cm-4.1_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-4(1)[2][c]"
-                              }
-                            ],
-                            "prose": "incompatibility; and"
-                          },
-                          {
-                            "id": "cm-4.1_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-4(1)[2][d]"
-                              }
-                            ],
-                            "prose": "intentional malice."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs information system design\n                     documentation\\n\\ninformation system architecture and configuration documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\ndocumentation evidence of separate test and operational environments\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for conducting security impact\n                     analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for security impact analysis\\n\\nautomated mechanisms supporting and/or implementing security impact analysis of\n                     changes"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-5",
-            "class": "SP800-53",
-            "title": "Access Restrictions for Change",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-5_smt",
-                "name": "statement",
-                "prose": "The organization defines, documents, approves, and enforces physical and logical\n               access restrictions associated with changes to the information system."
-              },
-              {
-                "id": "cm-5_gdn",
-                "name": "guidance",
-                "prose": "Any changes to the hardware, software, and/or firmware components of information\n               systems can potentially have significant effects on the overall security of the\n               systems. Therefore, organizations permit only qualified and authorized individuals to\n               access information systems for purposes of initiating changes, including upgrades and\n               modifications. Organizations maintain records of access to ensure that configuration\n               change control is implemented and to support after-the-fact actions should\n               organizations discover any unauthorized changes. Access restrictions for change also\n               include software libraries. Access restrictions include, for example, physical and\n               logical access controls (see AC-3 and PE-3), workflow automation, media libraries,\n               abstract layers (e.g., changes implemented into third-party interfaces rather than\n               directly into information systems), and change windows (e.g., changes occur only\n               during specified times, making unauthorized changes easy to discover).",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  }
-                ]
-              },
-              {
-                "id": "cm-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[1]"
-                      }
-                    ],
-                    "prose": "defines physical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[2]"
-                      }
-                    ],
-                    "prose": "documents physical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[3]"
-                      }
-                    ],
-                    "prose": "approves physical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[4]"
-                      }
-                    ],
-                    "prose": "enforces physical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[5]"
-                      }
-                    ],
-                    "prose": "defines logical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[6]"
-                      }
-                    ],
-                    "prose": "documents logical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.7",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-5[7]"
-                      }
-                    ],
-                    "prose": "approves logical access restrictions associated with changes to the information\n                  system; and"
-                  },
-                  {
-                    "id": "cm-5_obj.8",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-5[8]"
-                      }
-                    ],
-                    "prose": "enforces logical access restrictions associated with changes to the information\n                  system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlogical access approvals\\n\\nphysical access approvals\\n\\naccess credentials\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with logical access control responsibilities\\n\\norganizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting/implementing/enforcing access restrictions\n                  associated with changes to the information system"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Access Enforcement / Auditing",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-5.1_smt",
-                    "name": "statement",
-                    "prose": "The information system enforces access restrictions and supports auditing of the\n                  enforcement actions."
-                  },
-                  {
-                    "id": "cm-5.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      },
-                      {
-                        "href": "#au-6",
-                        "rel": "related",
-                        "text": "AU-6"
-                      },
-                      {
-                        "href": "#cm-3",
-                        "rel": "related",
-                        "text": "CM-3"
-                      },
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system:",
-                    "parts": [
-                      {
-                        "id": "cm-5.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(1)[1]"
-                          }
-                        ],
-                        "prose": "enforces access restrictions for change; and"
-                      },
-                      {
-                        "id": "cm-5.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(1)[2]"
-                          }
-                        ],
-                        "prose": "supports auditing of the enforcement actions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms implementing enforcement of access restrictions for\n                     changes to the information system\\n\\nautomated mechanisms supporting auditing of enforcement actions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-5.2",
-                "class": "SP800-53-enhancement",
-                "title": "Review System Changes",
-                "parameters": [
-                  {
-                    "id": "cm-5.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least every thirty (30) days"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.2_prm_2",
-                    "label": "organization-defined circumstances"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-5(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-05.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-5.2_smt",
-                    "name": "statement",
-                    "prose": "The organization reviews information system changes {{ cm-5.2_prm_1 }} and {{ cm-5.2_prm_2 }} to determine\n                  whether unauthorized changes have occurred."
-                  },
-                  {
-                    "id": "cm-5.2_gdn",
-                    "name": "guidance",
-                    "prose": "Indications that warrant review of information system changes and the specific\n                  circumstances justifying such reviews may be obtained from activities carried out\n                  by organizations during the configuration change process.",
-                    "links": [
-                      {
-                        "href": "#au-6",
-                        "rel": "related",
-                        "text": "AU-6"
-                      },
-                      {
-                        "href": "#au-7",
-                        "rel": "related",
-                        "text": "AU-7"
-                      },
-                      {
-                        "href": "#cm-3",
-                        "rel": "related",
-                        "text": "CM-3"
-                      },
-                      {
-                        "href": "#cm-5",
-                        "rel": "related",
-                        "text": "CM-5"
-                      },
-                      {
-                        "href": "#pe-6",
-                        "rel": "related",
-                        "text": "PE-6"
-                      },
-                      {
-                        "href": "#pe-8",
-                        "rel": "related",
-                        "text": "PE-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization, in an effort to ascertain whether unauthorized\n                  changes have occurred:",
-                    "parts": [
-                      {
-                        "id": "cm-5.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(2)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review information system changes;"
-                      },
-                      {
-                        "id": "cm-5.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(2)[2]"
-                          }
-                        ],
-                        "prose": "defines circumstances that warrant review of information system changes;"
-                      },
-                      {
-                        "id": "cm-5.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(2)[3]"
-                          }
-                        ],
-                        "prose": "reviews information system changes with the organization-defined frequency;\n                     and"
-                      },
-                      {
-                        "id": "cm-5.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(2)[4]"
-                          }
-                        ],
-                        "prose": "reviews information system changes with the organization-defined\n                     circumstances."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nreviews of information system changes\\n\\naudit and review reports\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting/implementing information system reviews to\n                     determine whether unauthorized changes have occurred"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-5.3",
-                "class": "SP800-53-enhancement",
-                "title": "Signed Components",
-                "parameters": [
-                  {
-                    "id": "cm-5.3_prm_1",
-                    "label": "organization-defined software and firmware components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-5(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-05.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-5.3_smt",
-                    "name": "statement",
-                    "prose": "The information system prevents the installation of {{ cm-5.3_prm_1 }} without verification that the component has been\n                  digitally signed using a certificate that is recognized and approved by the\n                  organization.",
-                    "parts": [
-                      {
-                        "id": "cm-5.3_fr",
-                        "name": "item",
-                        "title": "CM-5 (3) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "cm-5.3_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.3_gdn",
-                    "name": "guidance",
-                    "prose": "Software and firmware components prevented from installation unless signed with\n                  recognized and approved certificates include, for example, software and firmware\n                  version updates, patches, service packs, device drivers, and basic input output\n                  system (BIOS) updates. Organizations can identify applicable software and firmware\n                  components by type, by specific items, or a combination of both. Digital\n                  signatures and organizational verification of such signatures, is a method of code\n                  authentication.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "cm-5.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(3)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines software and firmware components that the information\n                     system will prevent from being installed without verification that such\n                     components have been digitally signed using a certificate that is recognized\n                     and approved by the organization; and"
-                      },
-                      {
-                        "id": "cm-5.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(3)[2]"
-                          }
-                        ],
-                        "prose": "the information system prevents the installation of organization-defined\n                     software and firmware components without verification that such components have\n                     been digitally signed using a certificate that is recognized and approved by\n                     the organization."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nlist of software and firmware components to be prohibited from installation\n                     without a recognized and approved certificate\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms preventing installation of software and firmware\n                     components not signed with an organization-recognized and approved\n                     certificate"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-5.5",
-                "class": "SP800-53-enhancement",
-                "title": "Limit Production / Operational Privileges",
-                "parameters": [
-                  {
-                    "id": "cm-5.5_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least quarterly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-5(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-05.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-5.5_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-5.5_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Limits privileges to change information system components and system-related\n                     information within a production or operational environment; and"
-                      },
-                      {
-                        "id": "cm-5.5_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Reviews and reevaluates privileges {{ cm-5.5_prm_1 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.5_gdn",
-                    "name": "guidance",
-                    "prose": "In many organizations, information systems support multiple core missions/business\n                  functions. Limiting privileges to change information system components with\n                  respect to operational systems is necessary because changes to a particular\n                  information system component may have far-reaching effects on mission/business\n                  processes supported by the system where the component resides. The complex,\n                  many-to-many relationships between systems and mission/business processes are in\n                  some cases, unknown to developers.",
-                    "links": [
-                      {
-                        "href": "#ac-2",
-                        "rel": "related",
-                        "text": "AC-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-5.5.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(5)(a)"
-                          }
-                        ],
-                        "prose": "limits privileges to change information system components and system-related\n                     information within a production or operational environment;",
-                        "links": [
-                          {
-                            "href": "#cm-5.5_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-5(5)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-5.5.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-5(5)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-5.5.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-5(5)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and reevaluate privileges; and"
-                          },
-                          {
-                            "id": "cm-5.5.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-5(5)(b)[2]"
-                              }
-                            ],
-                            "prose": "reviews and reevaluates privileges with the organization-defined\n                        frequency."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-5.5_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-5(5)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nuser privilege reviews\\n\\nuser privilege recertifications\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting and/or implementing access restrictions for\n                     change"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-6",
-            "class": "SP800-53",
-            "title": "Configuration Settings",
-            "parameters": [
-              {
-                "id": "cm-6_prm_1",
-                "label": "organization-defined security configuration checklists",
-                "guidance": [
-                  {
-                    "prose": "See CM-6(a) Additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_prm_2",
-                "label": "organization-defined information system components"
-              },
-              {
-                "id": "cm-6_prm_3",
-                "label": "organization-defined operational requirements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#990268bf-f4a9-4c81-91ae-dc7d3115f4b1",
-                "rel": "reference",
-                "text": "OMB Memorandum 07-11"
-              },
-              {
-                "href": "#0b3d8ba9-051f-498d-81ea-97f0f018c612",
-                "rel": "reference",
-                "text": "OMB Memorandum 07-18"
-              },
-              {
-                "href": "#0916ef02-3618-411b-a525-565c088849a6",
-                "rel": "reference",
-                "text": "OMB Memorandum 08-22"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              },
-              {
-                "href": "#e95dd121-2733-413e-bf1e-f1eb49f20a98",
-                "rel": "reference",
-                "text": "http://checklists.nist.gov"
-              },
-              {
-                "href": "#647b6de3-81d0-4d22-bec1-5f1333e34380",
-                "rel": "reference",
-                "text": "http://www.nsa.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and documents configuration settings for information technology\n                  products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with\n                  operational requirements;"
-                  },
-                  {
-                    "id": "cm-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Implements the configuration settings;"
-                  },
-                  {
-                    "id": "cm-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Identifies, documents, and approves any deviations from established configuration\n                  settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"
-                  },
-                  {
-                    "id": "cm-6_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Monitors and controls changes to the configuration settings in accordance with\n                  organizational policies and procedures."
-                  },
-                  {
-                    "id": "cm-6_fr",
-                    "name": "item",
-                    "title": "CM-6(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement 1:"
-                          }
-                        ],
-                        "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "
-                      },
-                      {
-                        "id": "cm-6_fr_smt.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement 2:"
-                          }
-                        ],
-                        "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."
-                      },
-                      {
-                        "id": "cm-6_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_gdn",
-                "name": "guidance",
-                "prose": "Configuration settings are the set of parameters that can be changed in hardware,\n               software, or firmware components of the information system that affect the security\n               posture and/or functionality of the system. Information technology products for which\n               security-related configuration settings can be defined include, for example,\n               mainframe computers, servers (e.g., database, electronic mail, authentication, web,\n               proxy, file, domain name), workstations, input/output devices (e.g., scanners,\n               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice\n               and data switches, wireless access points, network appliances, sensors), operating\n               systems, middleware, and applications. Security-related parameters are those\n               parameters impacting the security state of information systems including the\n               parameters required to satisfy other security control requirements. Security-related\n               parameters include, for example: (i) registry settings; (ii) account, file, directory\n               permission settings; and (iii) settings for functions, ports, protocols, services,\n               and remote connections. Organizations establish organization-wide configuration\n               settings and subsequently derive specific settings for information systems. The\n               established settings become part of the systems configuration baseline. Common secure\n               configurations (also referred to as security configuration checklists, lockdown and\n               hardening guides, security reference guides, security technical implementation\n               guides) provide recognized, standardized, and established benchmarks that stipulate\n               secure configuration settings for specific information technology platforms/products\n               and instructions for configuring those information system components to meet\n               operational requirements. Common secure configurations can be developed by a variety\n               of organizations including, for example, information technology product developers,\n               manufacturers, vendors, consortia, academia, industry, federal agencies, and other\n               organizations in the public and private sectors. Common secure configurations include\n               the United States Government Configuration Baseline (USGCB) which affects the\n               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security\n               Content Automation Protocol (SCAP) and the defined standards within the protocol\n               (e.g., Common Configuration Enumeration) provide an effective method to uniquely\n               identify, track, and control configuration settings. OMB establishes federal policy\n               on configuration requirements for federal information systems.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security configuration checklists to be used to establish and document\n                     configuration settings for the information technology products employed;"
-                      },
-                      {
-                        "id": "cm-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[2]"
-                          }
-                        ],
-                        "prose": "ensures the defined security configuration checklists reflect the most\n                     restrictive mode consistent with operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[3]"
-                          }
-                        ],
-                        "prose": "establishes and documents configuration settings for information technology\n                     products employed within the information system using organization-defined\n                     security configuration checklists;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-6(b)"
-                      }
-                    ],
-                    "prose": "implements the configuration settings established/documented in CM-6(a);;"
-                  },
-                  {
-                    "id": "cm-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components for which any deviations from established\n                     configuration settings must be:",
-                        "parts": [
-                          {
-                            "id": "cm-6.c_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][a]"
-                              }
-                            ],
-                            "prose": "identified;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][b]"
-                              }
-                            ],
-                            "prose": "documented;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][c]"
-                              }
-                            ],
-                            "prose": "approved;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[2]"
-                          }
-                        ],
-                        "prose": "defines operational requirements to support:",
-                        "parts": [
-                          {
-                            "id": "cm-6.c_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][a]"
-                              }
-                            ],
-                            "prose": "the identification of any deviations from established configuration\n                        settings;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][b]"
-                              }
-                            ],
-                            "prose": "the documentation of any deviations from established configuration\n                        settings;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][c]"
-                              }
-                            ],
-                            "prose": "the approval of any deviations from established configuration settings;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[3]"
-                          }
-                        ],
-                        "prose": "identifies any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[4]"
-                          }
-                        ],
-                        "prose": "documents any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.c_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[5]"
-                          }
-                        ],
-                        "prose": "approves any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(d)[1]"
-                          }
-                        ],
-                        "prose": "monitors changes to the configuration settings in accordance with\n                     organizational policies and procedures; and"
-                      },
-                      {
-                        "id": "cm-6.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(d)[2]"
-                          }
-                        ],
-                        "prose": "controls changes to the configuration settings in accordance with\n                     organizational policies and procedures."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nevidence supporting approved deviations from established configuration\n                  settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing configuration settings\\n\\nautomated mechanisms that implement, monitor, and/or control information system\n                  configuration settings\\n\\nautomated mechanisms that identify and/or document deviations from established\n                  configuration settings"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Central Management / Application / Verification",
-                "parameters": [
-                  {
-                    "id": "cm-6.1_prm_1",
-                    "label": "organization-defined information system components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to centrally manage, apply, and\n                  verify configuration settings for {{ cm-6.1_prm_1 }}."
-                  },
-                  {
-                    "id": "cm-6.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      },
-                      {
-                        "href": "#cm-4",
-                        "rel": "related",
-                        "text": "CM-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-6.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(1)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components for which automated mechanisms are to be\n                     employed to:",
-                        "parts": [
-                          {
-                            "id": "cm-6.1_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[1][a]"
-                              }
-                            ],
-                            "prose": "centrally manage configuration settings of such components;"
-                          },
-                          {
-                            "id": "cm-6.1_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[1][b]"
-                              }
-                            ],
-                            "prose": "apply configuration settings of such components;"
-                          },
-                          {
-                            "id": "cm-6.1_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[1][c]"
-                              }
-                            ],
-                            "prose": "verify configuration settings of such components;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(1)[2]"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to:",
-                        "parts": [
-                          {
-                            "id": "cm-6.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[2][a]"
-                              }
-                            ],
-                            "prose": "centrally manage configuration settings for organization-defined information\n                        system components;"
-                          },
-                          {
-                            "id": "cm-6.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[2][b]"
-                              }
-                            ],
-                            "prose": "apply configuration settings for organization-defined information system\n                        components; and"
-                          },
-                          {
-                            "id": "cm-6.1_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[2][c]"
-                              }
-                            ],
-                            "prose": "verify configuration settings for organization-defined information system\n                        components."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security configuration management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing configuration settings\\n\\nautomated mechanisms implemented to centrally manage, apply, and verify\n                     information system configuration settings"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-6.2",
-                "class": "SP800-53-enhancement",
-                "title": "Respond to Unauthorized Changes",
-                "parameters": [
-                  {
-                    "id": "cm-6.2_prm_1",
-                    "label": "organization-defined security safeguards"
-                  },
-                  {
-                    "id": "cm-6.2_prm_2",
-                    "label": "organization-defined configuration settings"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-6(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-06.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-6.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ cm-6.2_prm_1 }} to respond to\n                  unauthorized changes to {{ cm-6.2_prm_2 }}."
-                  },
-                  {
-                    "id": "cm-6.2_gdn",
-                    "name": "guidance",
-                    "prose": "Responses to unauthorized changes to configuration settings can include, for\n                  example, alerting designated organizational personnel, restoring established\n                  configuration settings, or in extreme cases, halting affected information system\n                  processing.",
-                    "links": [
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-6.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(2)[1]"
-                          }
-                        ],
-                        "prose": "defines configuration settings that, if modified by unauthorized changes,\n                     result in organizational security safeguards being employed to respond to such\n                     changes;"
-                      },
-                      {
-                        "id": "cm-6.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(2)[2]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed to respond to unauthorized changes\n                     to organization-defined configuration settings; and"
-                      },
-                      {
-                        "id": "cm-6.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(2)[3]"
-                          }
-                        ],
-                        "prose": "employs organization-defined security safeguards to respond to unauthorized\n                     changes to organization-defined configuration settings."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications of unauthorized changes to information system\n                     configuration settings\\n\\ndocumented responses to unauthorized changes to information system\n                     configuration settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security configuration management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for responding to unauthorized changes to information\n                     system configuration settings\\n\\nautomated mechanisms supporting and/or implementing security safeguards for\n                     response to unauthorized changes"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-7",
-            "class": "SP800-53",
-            "title": "Least Functionality",
-            "parameters": [
-              {
-                "id": "cm-7_prm_1",
-                "label": "organization-defined prohibited or restricted functions, ports, protocols, and/or\n               services",
-                "constraints": [
-                  {
-                    "detail": "United States Government Configuration Baseline (USGCB)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e42b2099-3e1c-415b-952c-61c96533c12e",
-                "rel": "reference",
-                "text": "DoD Instruction 8551.01"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Configures the information system to provide only essential capabilities; and"
-                  },
-                  {
-                    "id": "cm-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Prohibits or restricts the use of the following functions, ports, protocols,\n                  and/or services: {{ cm-7_prm_1 }}."
-                  },
-                  {
-                    "id": "cm-7_fr",
-                    "name": "item",
-                    "title": "CM-7 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-7_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."
-                      },
-                      {
-                        "id": "cm-7_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-7_gdn",
-                "name": "guidance",
-                "prose": "Information systems can provide a wide variety of functions and services. Some of the\n               functions and services, provided by default, may not be necessary to support\n               essential organizational operations (e.g., key missions, functions). Additionally, it\n               is sometimes convenient to provide multiple services from single information system\n               components, but doing so increases risk over limiting the services provided by any\n               one component. Where feasible, organizations limit component functionality to a\n               single function per device (e.g., email servers or web servers, but not both).\n               Organizations review functions and services provided by information systems or\n               individual components of information systems, to determine which functions and\n               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant\n               Messaging, auto-execute, and file sharing). Organizations consider disabling unused\n               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File\n               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to\n               prevent unauthorized connection of devices, unauthorized transfer of information, or\n               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion\n               detection and prevention systems, and end-point protections such as firewalls and\n               host-based intrusion detection systems to identify and prevent the use of prohibited\n               functions, ports, protocols, and services.",
-                "links": [
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-7(a)"
-                      }
-                    ],
-                    "prose": "configures the information system to provide only essential capabilities;"
-                  },
-                  {
-                    "id": "cm-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(b)[1]"
-                          }
-                        ],
-                        "prose": "defines prohibited or restricted:",
-                        "parts": [
-                          {
-                            "id": "cm-7.b_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][a]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][b]"
-                              }
-                            ],
-                            "prose": "ports;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][c]"
-                              }
-                            ],
-                            "prose": "protocols; and/or"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][d]"
-                              }
-                            ],
-                            "prose": "services;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(b)[2]"
-                          }
-                        ],
-                        "prose": "prohibits or restricts the use of organization-defined:",
-                        "parts": [
-                          {
-                            "id": "cm-7.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][a]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][b]"
-                              }
-                            ],
-                            "prose": "ports;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][c]"
-                              }
-                            ],
-                            "prose": "protocols; and/or"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][d]"
-                              }
-                            ],
-                            "prose": "services."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing least functionality in the information system\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes prohibiting or restricting functions, ports, protocols,\n                  and/or services\\n\\nautomated mechanisms implementing restrictions or prohibition of functions, ports,\n                  protocols, and/or services"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Periodic Review",
-                "parameters": [
-                  {
-                    "id": "cm-7.1_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least monthly"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.1_prm_2",
-                    "label": "organization-defined functions, ports, protocols, and services within the\n                  information system deemed to be unnecessary and/or nonsecure"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-7.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Reviews the information system {{ cm-7.1_prm_1 }} to identify\n                     unnecessary and/or nonsecure functions, ports, protocols, and services; and"
-                      },
-                      {
-                        "id": "cm-7.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Disables {{ cm-7.1_prm_2 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "The organization can either make a determination of the relative security of the\n                  function, port, protocol, and/or service or base the security decision on the\n                  assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are\n                  examples of less than secure protocols.",
-                    "links": [
-                      {
-                        "href": "#ac-18",
-                        "rel": "related",
-                        "text": "AC-18"
-                      },
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#ia-2",
-                        "rel": "related",
-                        "text": "IA-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-7.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-7(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-7.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review the information system to identify\n                        unnecessary and/or nonsecure:",
-                            "parts": [
-                              {
-                                "id": "cm-7.1.a_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[1][a]"
-                                  }
-                                ],
-                                "prose": "functions;"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[1][b]"
-                                  }
-                                ],
-                                "prose": "ports;"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[1][c]"
-                                  }
-                                ],
-                                "prose": "protocols; and/or"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[1][d]"
-                                  }
-                                ],
-                                "prose": "services;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-7.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "reviews the information system with the organization-defined frequency to\n                        identify unnecessary and/or nonsecure:",
-                            "parts": [
-                              {
-                                "id": "cm-7.1.a_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[2][a]"
-                                  }
-                                ],
-                                "prose": "functions;"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[2][b]"
-                                  }
-                                ],
-                                "prose": "ports;"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.2.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[2][c]"
-                                  }
-                                ],
-                                "prose": "protocols; and/or"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.2.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[2][d]"
-                                  }
-                                ],
-                                "prose": "services;"
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-7.1_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-7(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-7(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-7.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines, within the information system, unnecessary and/or nonsecure:",
-                            "parts": [
-                              {
-                                "id": "cm-7.1.b_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[1][a]"
-                                  }
-                                ],
-                                "prose": "functions;"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[1][b]"
-                                  }
-                                ],
-                                "prose": "ports;"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[1][c]"
-                                  }
-                                ],
-                                "prose": "protocols; and/or"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[1][d]"
-                                  }
-                                ],
-                                "prose": "services;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-7.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "disables organization-defined unnecessary and/or nonsecure:",
-                            "parts": [
-                              {
-                                "id": "cm-7.1.b_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[2][a]"
-                                  }
-                                ],
-                                "prose": "functions;"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[2][b]"
-                                  }
-                                ],
-                                "prose": "ports;"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.2.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[2][c]"
-                                  }
-                                ],
-                                "prose": "protocols; and/or"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.2.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[2][d]"
-                                  }
-                                ],
-                                "prose": "services."
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-7.1_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-7(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\ndocumented reviews of functions, ports, protocols, and/or services\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for reviewing functions, ports,\n                     protocols, and services on the information system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for reviewing/disabling nonsecure functions, ports,\n                     protocols, and/or services\\n\\nautomated mechanisms implementing review and disabling of nonsecure functions,\n                     ports, protocols, and/or services"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-7.2",
-                "class": "SP800-53-enhancement",
-                "title": "Prevent Program Execution",
-                "parameters": [
-                  {
-                    "id": "cm-7.2_prm_1"
-                  },
-                  {
-                    "id": "cm-7.2_prm_2",
-                    "depends-on": "cm-7.2_prm_1",
-                    "label": "organization-defined policies regarding software program usage and\n                  restrictions"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-7(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-07.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-7.2_smt",
-                    "name": "statement",
-                    "prose": "The information system prevents program execution in accordance with {{ cm-7.2_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "cm-7.2_fr",
-                        "name": "item",
-                        "title": "CM-7 (2) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "cm-7.2_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cm-8",
-                        "rel": "related",
-                        "text": "CM-8"
-                      },
-                      {
-                        "href": "#pm-5",
-                        "rel": "related",
-                        "text": "PM-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "cm-7.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines policies regarding software program usage and\n                     restrictions;"
-                      },
-                      {
-                        "id": "cm-7.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(2)[2]"
-                          }
-                        ],
-                        "prose": "the information system prevents program execution in accordance with one or\n                     more of the following:",
-                        "parts": [
-                          {
-                            "id": "cm-7.2_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(2)[2][a]"
-                              }
-                            ],
-                            "prose": "organization-defined policies regarding program usage and restrictions;\n                        and/or"
-                          },
-                          {
-                            "id": "cm-7.2_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(2)[2][b]"
-                              }
-                            ],
-                            "prose": "rules authorizing the terms and conditions of software program usage."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nspecifications for preventing software program execution\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes preventing program execution on the information\n                     system\\n\\norganizational processes for software program usage and restrictions\\n\\nautomated mechanisms preventing program execution on the information system\\n\\nautomated mechanisms supporting and/or implementing software program usage and\n                     restrictions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-7.5",
-                "class": "SP800-53-enhancement",
-                "title": "Authorized Software / Whitelisting",
-                "parameters": [
-                  {
-                    "id": "cm-7.5_prm_1",
-                    "label": "organization-defined software programs authorized to execute on the\n                  information system"
-                  },
-                  {
-                    "id": "cm-7.5_prm_2",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least quarterly or when there is a change"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-7(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-07.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-7.5_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-7.5_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Identifies {{ cm-7.5_prm_1 }};"
-                      },
-                      {
-                        "id": "cm-7.5_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Employs a deny-all, permit-by-exception policy to allow the execution of\n                     authorized software programs on the information system; and"
-                      },
-                      {
-                        "id": "cm-7.5_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Reviews and updates the list of authorized software programs {{ cm-7.5_prm_2 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.5_gdn",
-                    "name": "guidance",
-                    "prose": "The process used to identify software programs that are authorized to execute on\n                  organizational information systems is commonly referred to as whitelisting. In\n                  addition to whitelisting, organizations consider verifying the integrity of\n                  white-listed software programs using, for example, cryptographic checksums,\n                  digital signatures, or hash functions. Verification of white-listed software can\n                  occur either prior to execution or at system startup.",
-                    "links": [
-                      {
-                        "href": "#cm-2",
-                        "rel": "related",
-                        "text": "CM-2"
-                      },
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      },
-                      {
-                        "href": "#cm-8",
-                        "rel": "related",
-                        "text": "CM-8"
-                      },
-                      {
-                        "href": "#pm-5",
-                        "rel": "related",
-                        "text": "PM-5"
-                      },
-                      {
-                        "href": "#sa-10",
-                        "rel": "related",
-                        "text": "SA-10"
-                      },
-                      {
-                        "href": "#sc-34",
-                        "rel": "related",
-                        "text": "SC-34"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-7.5.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(5)(a)"
-                          }
-                        ],
-                        "prose": "Identifies/defines software programs authorized to execute on the information\n                     system;",
-                        "links": [
-                          {
-                            "href": "#cm-7.5_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-7(5)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.5.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(5)(b)"
-                          }
-                        ],
-                        "prose": "employs a deny-all, permit-by-exception policy to allow the execution of\n                     authorized software programs on the information system;",
-                        "links": [
-                          {
-                            "href": "#cm-7.5_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-7(5)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.5.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-7(5)(c)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-7.5.c_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(5)(c)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the list of authorized software\n                        programs on the information system; and"
-                          },
-                          {
-                            "id": "cm-7.5.c_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(5)(c)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the list of authorized software programs with the\n                        organization-defined frequency."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-7.5_smt.c",
-                            "rel": "corresp",
-                            "text": "CM-7(5)(c)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of software programs authorized to execute on the information system\\n\\nsecurity configuration checklists\\n\\nreview and update records associated with list of authorized software\n                     programs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for identifying software\n                     authorized to execute on the information system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for identifying, reviewing, and updating programs\n                     authorized to execute on the information system\\n\\norganizational process for implementing whitelisting\\n\\nautomated mechanisms implementing whitelisting"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-8",
-            "class": "SP800-53",
-            "title": "Information System Component Inventory",
-            "parameters": [
-              {
-                "id": "cm-8_prm_1",
-                "label": "organization-defined information deemed necessary to achieve effective\n               information system component accountability"
-              },
-              {
-                "id": "cm-8_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops and documents an inventory of information system components that:",
-                    "parts": [
-                      {
-                        "id": "cm-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Accurately reflects the current information system;"
-                      },
-                      {
-                        "id": "cm-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Includes all components within the authorization boundary of the information\n                     system;"
-                      },
-                      {
-                        "id": "cm-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Is at the level of granularity deemed necessary for tracking and reporting;\n                     and"
-                      },
-                      {
-                        "id": "cm-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Includes {{ cm-8_prm_1 }}; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the information system component inventory {{ cm-8_prm_2 }}."
-                  },
-                  {
-                    "id": "cm-8_fr",
-                    "name": "item",
-                    "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-8_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Must be provided at least monthly or when there is a change."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_gdn",
-                "name": "guidance",
-                "prose": "Organizations may choose to implement centralized information system component\n               inventories that include components from all organizational information systems. In\n               such situations, organizations ensure that the resulting inventories include\n               system-specific information required for proper component accountability (e.g.,\n               information system association, information system owner). Information deemed\n               necessary for effective accountability of information system components includes, for\n               example, hardware inventory specifications, software license information, software\n               version numbers, component owners, and for networked components or devices, machine\n               names and network addresses. Inventory specifications include, for example,\n               manufacturer, device type, model, serial number, and physical location.",
-                "links": [
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pm-5",
-                    "rel": "related",
-                    "text": "PM-5"
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(1)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that\n                     accurately reflects the current information system;"
-                      },
-                      {
-                        "id": "cm-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(2)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that\n                     includes all components within the authorization boundary of the information\n                     system;"
-                      },
-                      {
-                        "id": "cm-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(3)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that is at\n                     the level of granularity deemed necessary for tracking and reporting;"
-                      },
-                      {
-                        "id": "cm-8.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(4)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-8.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "defines the information deemed necessary to achieve effective information\n                        system component accountability;"
-                          },
-                          {
-                            "id": "cm-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "develops and documents an inventory of information system components that\n                        includes organization-defined information deemed necessary to achieve\n                        effective information system component accountability;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the information system component\n                     inventory; and"
-                      },
-                      {
-                        "id": "cm-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the information system component inventory with the\n                     organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system component\n                  inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for developing and documenting an inventory of\n                  information system components\\n\\nautomated mechanisms supporting and/or implementing the information system\n                  component inventory"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Updates During Installations / Removals",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization updates the inventory of information system components as an\n                  integral part of component installations, removals, and information system\n                  updates."
-                  },
-                  {
-                    "id": "cm-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization updates the inventory of information system\n                  components as an integral part of:",
-                    "parts": [
-                      {
-                        "id": "cm-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(1)[1]"
-                          }
-                        ],
-                        "prose": "component installations;"
-                      },
-                      {
-                        "id": "cm-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(1)[2]"
-                          }
-                        ],
-                        "prose": "component removals; and"
-                      },
-                      {
-                        "id": "cm-8.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(1)[3]"
-                          }
-                        ],
-                        "prose": "information system updates."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\ncomponent installation records\\n\\ncomponent removal records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for updating the information\n                     system component inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for updating inventory of information system\n                     components\\n\\nautomated mechanisms implementing updating of the information system component\n                     inventory"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Maintenance",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-08.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-8.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to help maintain an up-to-date,\n                  complete, accurate, and readily available inventory of information system\n                  components."
-                  },
-                  {
-                    "id": "cm-8.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations maintain information system inventories to the extent feasible.\n                  Virtual machines, for example, can be difficult to monitor because such machines\n                  are not visible to the network when not in use. In such cases, organizations\n                  maintain as up-to-date, complete, and accurate an inventory as is deemed\n                  reasonable. This control enhancement can be satisfied by the implementation of\n                  CM-2 (2) for organizations that choose to combine information system component\n                  inventory and baseline configuration activities.",
-                    "links": [
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs automated mechanisms to maintain an\n                  inventory of information system components that is:",
-                    "parts": [
-                      {
-                        "id": "cm-8.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(2)[1]"
-                          }
-                        ],
-                        "prose": "up-to-date;"
-                      },
-                      {
-                        "id": "cm-8.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(2)[2]"
-                          }
-                        ],
-                        "prose": "complete;"
-                      },
-                      {
-                        "id": "cm-8.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(2)[3]"
-                          }
-                        ],
-                        "prose": "accurate; and"
-                      },
-                      {
-                        "id": "cm-8.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(2)[4]"
-                          }
-                        ],
-                        "prose": "readily available."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing information system component inventory\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system inventory records\\n\\nchange control records\\n\\ninformation system maintenance records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for managing the automated\n                     mechanisms implementing the information system component inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for maintaining the inventory of information system\n                     components\\n\\nautomated mechanisms implementing the information system component\n                     inventory"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8.3",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Unauthorized Component Detection",
-                "parameters": [
-                  {
-                    "id": "cm-8.3_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "Continuously, using automated mechanisms with a maximum five-minute delay in detection."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.3_prm_2"
-                  },
-                  {
-                    "id": "cm-8.3_prm_3",
-                    "depends-on": "cm-8.3_prm_2",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-8(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-08.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-8.3_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-8.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Employs automated mechanisms {{ cm-8.3_prm_1 }} to detect the\n                     presence of unauthorized hardware, software, and firmware components within the\n                     information system; and"
-                      },
-                      {
-                        "id": "cm-8.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Takes the following actions when unauthorized components are detected: {{ cm-8.3_prm_2 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement is applied in addition to the monitoring for unauthorized\n                  remote connections and mobile devices. Monitoring for unauthorized system\n                  components may be accomplished on an ongoing basis or by the periodic scanning of\n                  systems for that purpose. Automated mechanisms can be implemented within\n                  information systems or in other separate devices. Isolation can be achieved, for\n                  example, by placing unauthorized information system components in separate domains\n                  or subnets or otherwise quarantining such components. This type of component\n                  isolation is commonly referred to as sandboxing.",
-                    "links": [
-                      {
-                        "href": "#ac-17",
-                        "rel": "related",
-                        "text": "AC-17"
-                      },
-                      {
-                        "href": "#ac-18",
-                        "rel": "related",
-                        "text": "AC-18"
-                      },
-                      {
-                        "href": "#ac-19",
-                        "rel": "related",
-                        "text": "AC-19"
-                      },
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      },
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-8.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(3)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-8.3.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(3)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to employ automated mechanisms to detect the presence\n                        of unauthorized:",
-                            "parts": [
-                              {
-                                "id": "cm-8.3.a_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[1][a]"
-                                  }
-                                ],
-                                "prose": "hardware components within the information system;"
-                              },
-                              {
-                                "id": "cm-8.3.a_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[1][b]"
-                                  }
-                                ],
-                                "prose": "software components within the information system;"
-                              },
-                              {
-                                "id": "cm-8.3.a_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[1][c]"
-                                  }
-                                ],
-                                "prose": "firmware components within the information system;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-8.3.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(3)(a)[2]"
-                              }
-                            ],
-                            "prose": "employs automated mechanisms with the organization-defined frequency to\n                        detect the presence of unauthorized:",
-                            "parts": [
-                              {
-                                "id": "cm-8.3.a_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[2][a]"
-                                  }
-                                ],
-                                "prose": "hardware components within the information system;"
-                              },
-                              {
-                                "id": "cm-8.3.a_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[2][b]"
-                                  }
-                                ],
-                                "prose": "software components within the information system;"
-                              },
-                              {
-                                "id": "cm-8.3.a_obj.2.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[2][c]"
-                                  }
-                                ],
-                                "prose": "firmware components within the information system;"
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-8.3_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-8(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-8.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(3)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-8.3.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(3)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to be notified when unauthorized components are\n                        detected;"
-                          },
-                          {
-                            "id": "cm-8.3.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(3)(b)[2]"
-                              }
-                            ],
-                            "prose": "takes one or more of the following actions when unauthorized components are\n                        detected:",
-                            "parts": [
-                              {
-                                "id": "cm-8.3.b_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(b)[2][a]"
-                                  }
-                                ],
-                                "prose": "disables network access by such components;"
-                              },
-                              {
-                                "id": "cm-8.3.b_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(b)[2][b]"
-                                  }
-                                ],
-                                "prose": "isolates the components; and/or"
-                              },
-                              {
-                                "id": "cm-8.3.b_obj.2.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(b)[2][c]"
-                                  }
-                                ],
-                                "prose": "notifies organization-defined personnel or roles."
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-8.3_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-8(3)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system inventory records\\n\\nalerts/notifications of unauthorized components within the information\n                     system\\n\\ninformation system monitoring records\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for managing the automated\n                     mechanisms implementing unauthorized information system component detection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for detection of unauthorized information system\n                     components\\n\\nautomated mechanisms implementing the detection of unauthorized information\n                     system components"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8.4",
-                "class": "SP800-53-enhancement",
-                "title": "Accountability Information",
-                "parameters": [
-                  {
-                    "id": "cm-8.4_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "position and role"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-8(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-08.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-8.4_smt",
-                    "name": "statement",
-                    "prose": "The organization includes in the information system component inventory\n                  information, a means for identifying by {{ cm-8.4_prm_1 }},\n                  individuals responsible/accountable for administering those components."
-                  },
-                  {
-                    "id": "cm-8.4_gdn",
-                    "name": "guidance",
-                    "prose": "Identifying individuals who are both responsible and accountable for administering\n                  information system components helps to ensure that the assigned components are\n                  properly administered and organizations can contact those individuals if some\n                  action is required (e.g., component is determined to be the source of a\n                  breach/compromise, component needs to be recalled/replaced, or component needs to\n                  be relocated)."
-                  },
-                  {
-                    "id": "cm-8.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization includes in the information system component\n                  inventory for information system components, a means for identifying the\n                  individuals responsible and accountable for administering those components by one\n                  or more of the following: ",
-                    "parts": [
-                      {
-                        "id": "cm-8.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(4)[1]"
-                          }
-                        ],
-                        "prose": "name;"
-                      },
-                      {
-                        "id": "cm-8.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(4)[2]"
-                          }
-                        ],
-                        "prose": "position; and/or"
-                      },
-                      {
-                        "id": "cm-8.4_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(4)[3]"
-                          }
-                        ],
-                        "prose": "role."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for managing the information\n                     system component inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for maintaining the inventory of information system\n                     components\\n\\nautomated mechanisms implementing the information system component\n                     inventory"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8.5",
-                "class": "SP800-53-enhancement",
-                "title": "No Duplicate Accounting of Components",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-8(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-08.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-8.5_smt",
-                    "name": "statement",
-                    "prose": "The organization verifies that all components within the authorization boundary of\n                  the information system are not duplicated in other information system component\n                  inventories."
-                  },
-                  {
-                    "id": "cm-8.5_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement addresses the potential problem of duplicate accounting\n                  of information system components in large or complex interconnected systems."
-                  },
-                  {
-                    "id": "cm-8.5_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization verifies that all components within the\n                  authorization boundary of the information system are not duplicated in other\n                  information system inventories. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system inventory responsibilities\\n\\norganizational personnel with responsibilities for defining information system\n                     components within the authorization boundary of the system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for maintaining the inventory of information system\n                     components\\n\\nautomated mechanisms implementing the information system component\n                     inventory"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-9",
-            "class": "SP800-53",
-            "title": "Configuration Management Plan",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-09"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-9_smt",
-                "name": "statement",
-                "prose": "The organization develops, documents, and implements a configuration management plan\n               for the information system that:",
-                "parts": [
-                  {
-                    "id": "cm-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Addresses roles, responsibilities, and configuration management processes and\n                  procedures;"
-                  },
-                  {
-                    "id": "cm-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishes a process for identifying configuration items throughout the system\n                  development life cycle and for managing the configuration of the configuration\n                  items;"
-                  },
-                  {
-                    "id": "cm-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Defines the configuration items for the information system and places the\n                  configuration items under configuration management; and"
-                  },
-                  {
-                    "id": "cm-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects the configuration management plan from unauthorized disclosure and\n                  modification."
-                  }
-                ]
-              },
-              {
-                "id": "cm-9_gdn",
-                "name": "guidance",
-                "prose": "Configuration management plans satisfy the requirements in configuration management\n               policies while being tailored to individual information systems. Such plans define\n               detailed processes and procedures for how configuration management is used to support\n               system development life cycle activities at the information system level.\n               Configuration management plans are typically developed during the\n               development/acquisition phase of the system development life cycle. The plans\n               describe how to move changes through change management processes, how to update\n               configuration settings and baselines, how to maintain information system component\n               inventories, how to control development, test, and operational environments, and how\n               to develop, release, and update key documents. Organizations can employ templates to\n               help ensure consistent and timely development and implementation of configuration\n               management plans. Such templates can represent a master configuration management plan\n               for the organization at large with subsets of the plan implemented on a system by\n               system basis. Configuration management approval processes include designation of key\n               management stakeholders responsible for reviewing and approving proposed changes to\n               information systems, and personnel that conduct security impact analyses prior to the\n               implementation of changes to the systems. Configuration items are the information\n               system items (hardware, software, firmware, and documentation) to be\n               configuration-managed. As information systems continue through the system development\n               life cycle, new configuration items may be identified and some existing configuration\n               items may no longer need to be under configuration control.",
-                "links": [
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  }
-                ]
-              },
-              {
-                "id": "cm-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization develops, documents, and implements a configuration\n               management plan for the information system that:",
-                "parts": [
-                  {
-                    "id": "cm-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(a)[1]"
-                          }
-                        ],
-                        "prose": "addresses roles;"
-                      },
-                      {
-                        "id": "cm-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(a)[2]"
-                          }
-                        ],
-                        "prose": "addresses responsibilities;"
-                      },
-                      {
-                        "id": "cm-9.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(a)[3]"
-                          }
-                        ],
-                        "prose": "addresses configuration management processes and procedures;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-9(b)"
-                      }
-                    ],
-                    "prose": "establishes a process for:",
-                    "parts": [
-                      {
-                        "id": "cm-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(b)[1]"
-                          }
-                        ],
-                        "prose": "identifying configuration items throughout the SDLC;"
-                      },
-                      {
-                        "id": "cm-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(b)[2]"
-                          }
-                        ],
-                        "prose": "managing the configuration of the configuration items;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the configuration items for the information system;"
-                      },
-                      {
-                        "id": "cm-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-9(c)[2]"
-                          }
-                        ],
-                        "prose": "places the configuration items under configuration management;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-9(d)"
-                      }
-                    ],
-                    "prose": "protects the configuration management plan from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "cm-9.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(d)[1]"
-                          }
-                        ],
-                        "prose": "disclosure; and"
-                      },
-                      {
-                        "id": "cm-9.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(d)[2]"
-                          }
-                        ],
-                        "prose": "modification."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing configuration management planning\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for developing the configuration\n                  management plan\\n\\norganizational personnel with responsibilities for implementing and managing\n                  processes defined in the configuration management plan\\n\\norganizational personnel with responsibilities for protecting the configuration\n                  management plan\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for developing and documenting the configuration\n                  management plan\\n\\norganizational processes for identifying and managing configuration items\\n\\norganizational processes for protecting the configuration management plan\\n\\nautomated mechanisms implementing the configuration management plan\\n\\nautomated mechanisms for managing configuration items\\n\\nautomated mechanisms for protecting the configuration management plan"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-10",
-            "class": "SP800-53",
-            "title": "Software Usage Restrictions",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-10_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-10_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"
-                  },
-                  {
-                    "id": "cm-10_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"
-                  },
-                  {
-                    "id": "cm-10_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."
-                  }
-                ]
-              },
-              {
-                "id": "cm-10_gdn",
-                "name": "guidance",
-                "prose": "Software license tracking can be accomplished by manual methods (e.g., simple\n               spreadsheets) or automated methods (e.g., specialized tracking applications)\n               depending on organizational needs.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-10.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(a)"
-                      }
-                    ],
-                    "prose": "uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"
-                  },
-                  {
-                    "id": "cm-10.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(b)"
-                      }
-                    ],
-                    "prose": "tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"
-                  },
-                  {
-                    "id": "cm-10.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(c)"
-                      }
-                    ],
-                    "prose": "controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing software usage restrictions\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nsoftware contract agreements and copyright laws\\n\\nsite license documentation\\n\\nlist of software usage restrictions\\n\\nsoftware license tracking reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel with software license management responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for tracking the use of software protected by quantity\n                  licenses\\n\\norganization process for controlling/documenting the use of peer-to-peer file\n                  sharing technology\\n\\nautomated mechanisms implementing software license tracking\\n\\nautomated mechanisms implementing and controlling the use of peer-to-peer files\n                  sharing technology"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-10.1",
-                "class": "SP800-53-enhancement",
-                "title": "Open Source Software",
-                "parameters": [
-                  {
-                    "id": "cm-10.1_prm_1",
-                    "label": "organization-defined restrictions"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-10(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-10.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-10.1_smt",
-                    "name": "statement",
-                    "prose": "The organization establishes the following restrictions on the use of open source\n                  software: {{ cm-10.1_prm_1 }}."
-                  },
-                  {
-                    "id": "cm-10.1_gdn",
-                    "name": "guidance",
-                    "prose": "Open source software refers to software that is available in source code form.\n                  Certain software rights normally reserved for copyright holders are routinely\n                  provided under software license agreements that permit individuals to study,\n                  change, and improve the software. From a security perspective, the major advantage\n                  of open source software is that it provides organizations with the ability to\n                  examine the source code. However, there are also various licensing issues\n                  associated with open source software including, for example, the constraints on\n                  derivative use of such software."
-                  },
-                  {
-                    "id": "cm-10.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-10.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-10(1)[1]"
-                          }
-                        ],
-                        "prose": "defines restrictions on the use of open source software; and"
-                      },
-                      {
-                        "id": "cm-10.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-10(1)[2]"
-                          }
-                        ],
-                        "prose": "establishes organization-defined restrictions on the use of open source\n                     software."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing restrictions on use of open source software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for establishing and enforcing\n                     restrictions on use of open source software\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for restricting the use of open source software\\n\\nautomated mechanisms implementing restrictions on the use of open source\n                     software"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-11",
-            "class": "SP800-53",
-            "title": "User-installed Software",
-            "parameters": [
-              {
-                "id": "cm-11_prm_1",
-                "label": "organization-defined policies"
-              },
-              {
-                "id": "cm-11_prm_2",
-                "label": "organization-defined methods"
-              },
-              {
-                "id": "cm-11_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "Continuously (via CM-7 (5))"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-11_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes {{ cm-11_prm_1 }} governing the installation of\n                  software by users;"
-                  },
-                  {
-                    "id": "cm-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Enforces software installation policies through {{ cm-11_prm_2 }};\n                  and"
-                  },
-                  {
-                    "id": "cm-11_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Monitors policy compliance at {{ cm-11_prm_3 }}."
-                  }
-                ]
-              },
-              {
-                "id": "cm-11_gdn",
-                "name": "guidance",
-                "prose": "If provided the necessary privileges, users have the ability to install software in\n               organizational information systems. To maintain control over the types of software\n               installed, organizations identify permitted and prohibited actions regarding software\n               installation. Permitted software installations may include, for example, updates and\n               security patches to existing software and downloading applications from\n               organization-approved “app stores” Prohibited software installations may include, for\n               example, software with unknown or suspect pedigrees or software that organizations\n               consider potentially malicious. The policies organizations select governing\n               user-installed software may be organization-developed or provided by some external\n               entity. Policy enforcement methods include procedural methods (e.g., periodic\n               examination of user accounts), automated methods (e.g., configuration settings\n               implemented on organizational information systems), or both.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "cm-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(a)[1]"
-                          }
-                        ],
-                        "prose": "defines policies to govern the installation of software by users;"
-                      },
-                      {
-                        "id": "cm-11.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes organization-defined policies governing the installation of\n                     software by users;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(b)[1]"
-                          }
-                        ],
-                        "prose": "defines methods to enforce software installation policies;"
-                      },
-                      {
-                        "id": "cm-11.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(b)[2]"
-                          }
-                        ],
-                        "prose": "enforces software installation policies through organization-defined\n                     methods;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(c)[1]"
-                          }
-                        ],
-                        "prose": "defines frequency to monitor policy compliance; and"
-                      },
-                      {
-                        "id": "cm-11.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(c)[2]"
-                          }
-                        ],
-                        "prose": "monitors policy compliance at organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of rules governing user installed software\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records\\n\\ncontinuous monitoring strategy"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for governing user-installed\n                  software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel monitoring compliance with user-installed software\n                  policy\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes governing user-installed software on the information\n                  system\\n\\nautomated mechanisms enforcing rules/methods for governing the installation of\n                  software by users\\n\\nautomated mechanisms monitoring policy compliance"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-11.1",
-                "class": "SP800-53-enhancement",
-                "title": "Alerts for Unauthorized Installations",
-                "parameters": [
-                  {
-                    "id": "cm-11.1_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-11(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-11.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-11.1_smt",
-                    "name": "statement",
-                    "prose": "The information system alerts {{ cm-11.1_prm_1 }} when the\n                  unauthorized installation of software is detected."
-                  },
-                  {
-                    "id": "cm-11.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "cm-11.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to be alerted when the unauthorized\n                     installation of software is detected; and"
-                      },
-                      {
-                        "id": "cm-11.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(1)[2]"
-                          }
-                        ],
-                        "prose": "the information system alerts organization-defined personnel or roles when the\n                     unauthorized installation of software is detected."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for governing user-installed\n                     software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                     system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes governing user-installed software on the information\n                     system\\n\\nautomated mechanisms for alerting personnel/roles when unauthorized\n                     installation of software is detected"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "cp",
-        "class": "family",
-        "title": "Contingency Planning",
-        "controls": [
-          {
-            "id": "cp-1",
-            "class": "SP800-53",
-            "title": "Contingency Planning Policy and Procedures",
-            "parameters": [
-              {
-                "id": "cp-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cp-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ cp-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "cp-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A contingency planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "cp-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the contingency planning policy\n                     and associated contingency planning controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "cp-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Contingency planning policy {{ cp-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cp-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Contingency planning procedures {{ cp-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "cp-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization develops and documents a contingency planning policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "cp-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cp-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines personnel or roles to whom the contingency planning\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "cp-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "the organization disseminates the contingency planning policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "the organization develops and documents procedures to facilitate the\n                        implementation of the contingency planning policy and associated contingency\n                        planning controls;"
-                          },
-                          {
-                            "id": "cp-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "cp-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "the organization disseminates the procedures to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to review and update the current\n                        contingency planning policy;"
-                          },
-                          {
-                            "id": "cp-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "the organization reviews and updates the current contingency planning with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to review and update the current\n                        contingency planning procedures; and"
-                          },
-                          {
-                            "id": "cp-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "the organization reviews and updates the current contingency planning\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-2",
-            "class": "SP800-53",
-            "title": "Contingency Plan",
-            "parameters": [
-              {
-                "id": "cp-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cp-2_prm_2",
-                "label": "organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"
-              },
-              {
-                "id": "cp-2_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_prm_4",
-                "label": "organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a contingency plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "cp-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Identifies essential missions and business functions and associated contingency\n                     requirements;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Provides recovery objectives, restoration priorities, and metrics;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Addresses contingency roles, responsibilities, assigned individuals with\n                     contact information;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented; and"
-                      },
-                      {
-                        "id": "cp-2_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by {{ cp-2_prm_1 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the contingency plan to {{ cp-2_prm_2 }};"
-                  },
-                  {
-                    "id": "cp-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Coordinates contingency planning activities with incident handling activities;"
-                  },
-                  {
-                    "id": "cp-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Reviews the contingency plan for the information system {{ cp-2_prm_3 }};"
-                  },
-                  {
-                    "id": "cp-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Updates the contingency plan to address changes to the organization, information\n                  system, or environment of operation and problems encountered during contingency\n                  plan implementation, execution, or testing;"
-                  },
-                  {
-                    "id": "cp-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Communicates contingency plan changes to {{ cp-2_prm_4 }}; and"
-                  },
-                  {
-                    "id": "cp-2_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Protects the contingency plan from unauthorized disclosure and modification."
-                  },
-                  {
-                    "id": "cp-2_fr",
-                    "name": "item",
-                    "title": "CP-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-2_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2 Requirement:"
-                          }
-                        ],
-                        "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_gdn",
-                "name": "guidance",
-                "prose": "Contingency planning for information systems is part of an overall organizational\n               program for achieving continuity of operations for mission/business functions.\n               Contingency planning addresses both information system restoration and implementation\n               of alternative mission/business processes when systems are compromised. The\n               effectiveness of contingency planning is maximized by considering such planning\n               throughout the phases of the system development life cycle. Performing contingency\n               planning on hardware, software, and firmware development can be an effective means of\n               achieving information system resiliency. Contingency plans reflect the degree of\n               restoration required for organizational information systems since not all systems may\n               need to fully recover to achieve the level of continuity of operations desired.\n               Information system recovery objectives reflect applicable laws, Executive Orders,\n               directives, policies, standards, regulations, and guidelines. In addition to\n               information system availability, contingency plans also address other\n               security-related events resulting in a reduction in mission and/or business\n               effectiveness, such as malicious attacks compromising the confidentiality or\n               integrity of information systems. Actions addressed in contingency plans include, for\n               example, orderly/graceful degradation, information system shutdown, fallback to a\n               manual mode, alternate information flows, and operating in modes reserved for when\n               systems are under attack. By closely coordinating contingency planning with incident\n               handling activities, organizations can ensure that the necessary contingency planning\n               activities are in place and activated in the event of a security incident.",
-                "links": [
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pm-8",
-                    "rel": "related",
-                    "text": "PM-8"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cp-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(a)"
-                      }
-                    ],
-                    "prose": "develops and documents a contingency plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "cp-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(1)"
-                          }
-                        ],
-                        "prose": "identifies essential missions and business functions and associated contingency\n                     requirements;"
-                      },
-                      {
-                        "id": "cp-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "provides recovery objectives;"
-                          },
-                          {
-                            "id": "cp-2.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "provides restoration priorities;"
-                          },
-                          {
-                            "id": "cp-2.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "provides metrics;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "addresses contingency roles;"
-                          },
-                          {
-                            "id": "cp-2.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "addresses contingency responsibilities;"
-                          },
-                          {
-                            "id": "cp-2.a.3_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[3]"
-                              }
-                            ],
-                            "prose": "addresses assigned individuals with contact information;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-2.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(4)"
-                          }
-                        ],
-                        "prose": "addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"
-                      },
-                      {
-                        "id": "cp-2.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(5)"
-                          }
-                        ],
-                        "prose": "addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented;"
-                      },
-                      {
-                        "id": "cp-2.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(6)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.6_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(6)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to review and approve the contingency plan for\n                        the information system;"
-                          },
-                          {
-                            "id": "cp-2.a.6_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(6)[2]"
-                              }
-                            ],
-                            "prose": "is reviewed and approved by organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom copies of the contingency plan are to be\n                     distributed;"
-                      },
-                      {
-                        "id": "cp-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the contingency plan to organization-defined key\n                     contingency personnel and organizational elements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-2(c)"
-                      }
-                    ],
-                    "prose": "coordinates contingency planning activities with incident handling activities;"
-                  },
-                  {
-                    "id": "cp-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to review the contingency plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(d)[2]"
-                          }
-                        ],
-                        "prose": "reviews the contingency plan with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(e)"
-                      }
-                    ],
-                    "prose": "updates the contingency plan to address:",
-                    "parts": [
-                      {
-                        "id": "cp-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(e)[1]"
-                          }
-                        ],
-                        "prose": "changes to the organization, information system, or environment of\n                     operation;"
-                      },
-                      {
-                        "id": "cp-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(e)[2]"
-                          }
-                        ],
-                        "prose": "problems encountered during plan implementation, execution, and testing;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom contingency plan changes are to be\n                     communicated;"
-                      },
-                      {
-                        "id": "cp-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(f)[2]"
-                          }
-                        ],
-                        "prose": "communicates contingency plan changes to organization-defined key contingency\n                     personnel and organizational elements; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-2(g)"
-                      }
-                    ],
-                    "prose": "protects the contingency plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nevidence of contingency plan reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency plan development, review, update, and\n                  protection\\n\\nautomated mechanisms for developing, reviewing, updating and/or protecting the\n                  contingency plan"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Coordinate with Related Plans",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization coordinates contingency plan development with organizational\n                  elements responsible for related plans."
-                  },
-                  {
-                    "id": "cp-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "Plans related to contingency plans for organizational information systems include,\n                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of\n                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant\n                  Emergency Plans."
-                  },
-                  {
-                    "id": "cp-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization coordinates contingency plan development with\n                  organizational elements responsible for related plans."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness contingency plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\ncyber incident response plan\\n\\ninsider threat implementation plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel with responsibility for related plans"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Capacity Planning",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization conducts capacity planning so that necessary capacity for\n                  information processing, telecommunications, and environmental support exists\n                  during contingency operations."
-                  },
-                  {
-                    "id": "cp-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "Capacity planning is needed because different types of threats (e.g., natural\n                  disasters, targeted cyber attacks) can result in a reduction of the available\n                  processing, telecommunications, and support services originally intended to\n                  support the organizational missions/business functions. Organizations may need to\n                  anticipate degraded operations during contingency operations and factor such\n                  degradation into capacity planning."
-                  },
-                  {
-                    "id": "cp-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization conducts capacity planning so that necessary\n                  capacity exists during contingency operations for: ",
-                    "parts": [
-                      {
-                        "id": "cp-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(2)[1]"
-                          }
-                        ],
-                        "prose": "information processing;"
-                      },
-                      {
-                        "id": "cp-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(2)[2]"
-                          }
-                        ],
-                        "prose": "telecommunications; and"
-                      },
-                      {
-                        "id": "cp-2.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(2)[3]"
-                          }
-                        ],
-                        "prose": "environmental support."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\ncapacity planning documents\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Resume Essential Missions / Business Functions",
-                "parameters": [
-                  {
-                    "id": "cp-2.3_prm_1",
-                    "label": "organization-defined time period"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization plans for the resumption of essential missions and business\n                  functions within {{ cp-2.3_prm_1 }} of contingency plan\n                  activation."
-                  },
-                  {
-                    "id": "cp-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. The time period for\n                  resumption of essential missions/business functions may be dependent on the\n                  severity/extent of disruptions to the information system and its supporting\n                  infrastructure.",
-                    "links": [
-                      {
-                        "href": "#pe-12",
-                        "rel": "related",
-                        "text": "PE-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cp-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period to plan for the resumption of essential missions and\n                     business functions as a result of contingency plan activation; and"
-                      },
-                      {
-                        "id": "cp-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(3)[2]"
-                          }
-                        ],
-                        "prose": "plans for the resumption of essential missions and business functions within\n                     organization-defined time period of contingency plan activation."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nbusiness impact assessment\\n\\nother related plans\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for resumption of missions and business functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2.4",
-                "class": "SP800-53-enhancement",
-                "title": "Resume All Missions / Business Functions",
-                "parameters": [
-                  {
-                    "id": "cp-2.4_prm_1",
-                    "label": "organization-defined time period",
-                    "constraints": [
-                      {
-                        "detail": "time period defined in service provider and organization SLA"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.4_smt",
-                    "name": "statement",
-                    "prose": "The organization plans for the resumption of all missions and business functions\n                  within {{ cp-2.4_prm_1 }} of contingency plan activation."
-                  },
-                  {
-                    "id": "cp-2.4_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. The time period for\n                  resumption of all missions/business functions may be dependent on the\n                  severity/extent of disruptions to the information system and its supporting\n                  infrastructure.",
-                    "links": [
-                      {
-                        "href": "#pe-12",
-                        "rel": "related",
-                        "text": "PE-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cp-2.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(4)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period to plan for the resumption of all missions and business\n                     functions as a result of contingency plan activation; and"
-                      },
-                      {
-                        "id": "cp-2.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(4)[2]"
-                          }
-                        ],
-                        "prose": "plans for the resumption of all missions and business functions within\n                     organization-defined time period of contingency plan activation."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nbusiness impact assessment\\n\\nother related plans\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for resumption of missions and business functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2.5",
-                "class": "SP800-53-enhancement",
-                "title": "Continue Essential Missions / Business Functions",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.5_smt",
-                    "name": "statement",
-                    "prose": "The organization plans for the continuance of essential missions and business\n                  functions with little or no loss of operational continuity and sustains that\n                  continuity until full information system restoration at primary processing and/or\n                  storage sites."
-                  },
-                  {
-                    "id": "cp-2.5_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. Primary processing\n                  and/or storage sites defined by organizations as part of contingency planning may\n                  change depending on the circumstances associated with the contingency (e.g.,\n                  backup sites may become primary sites).",
-                    "links": [
-                      {
-                        "href": "#pe-12",
-                        "rel": "related",
-                        "text": "PE-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cp-2.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(5)[1]"
-                          }
-                        ],
-                        "prose": "plans for the continuance of essential missions and business functions with\n                     little or no loss of operational continuity; and"
-                      },
-                      {
-                        "id": "cp-2.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(5)[2]"
-                          }
-                        ],
-                        "prose": "sustains that operational continuity until full information system restoration\n                     at primary processing and/or storage sites."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness impact assessment\\n\\nprimary processing site agreements\\n\\nprimary storage site agreements\\n\\nalternate processing site agreements\\n\\nalternate storage site agreements\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for continuing missions and business functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2.8",
-                "class": "SP800-53-enhancement",
-                "title": "Identify Critical Assets",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.8_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies critical information system assets supporting\n                  essential missions and business functions."
-                  },
-                  {
-                    "id": "cp-2.8_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. Organizations\n                  identify critical information system assets so that additional safeguards and\n                  countermeasures can be employed (above and beyond those safeguards and\n                  countermeasures routinely implemented) to help ensure that organizational\n                  missions/business functions can continue to be conducted during contingency\n                  operations. In addition, the identification of critical information assets\n                  facilitates the prioritization of organizational resources. Critical information\n                  system assets include technical and operational aspects. Technical aspects\n                  include, for example, information technology services, information system\n                  components, information technology products, and mechanisms. Operational aspects\n                  include, for example, procedures (manually executed operations) and personnel\n                  (individuals operating technical safeguards and/or executing manual procedures).\n                  Organizational program protection plans can provide assistance in identifying\n                  critical assets.",
-                    "links": [
-                      {
-                        "href": "#sa-14",
-                        "rel": "related",
-                        "text": "SA-14"
-                      },
-                      {
-                        "href": "#sa-15",
-                        "rel": "related",
-                        "text": "SA-15"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.8_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization identifies critical information system assets\n                  supporting essential missions and business functions."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness impact assessment\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-3",
-            "class": "SP800-53",
-            "title": "Contingency Training",
-            "parameters": [
-              {
-                "id": "cp-3_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "ten (10) days"
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-3_smt",
-                "name": "statement",
-                "prose": "The organization provides contingency training to information system users consistent\n               with assigned roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "cp-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Within {{ cp-3_prm_1 }} of assuming a contingency role or\n                  responsibility;"
-                  },
-                  {
-                    "id": "cp-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "cp-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ cp-3_prm_2 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_gdn",
-                "name": "guidance",
-                "prose": "Contingency training provided by organizations is linked to the assigned roles and\n               responsibilities of organizational personnel to ensure that the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know when and where to report for duty during contingency operations and if\n               normal duties are affected; system administrators may require additional training on\n               how to set up information systems at alternate processing and storage sites; and\n               managers/senior leaders may receive more specific training on how to conduct\n               mission-essential functions in designated off-site locations and how to establish\n               communications with other governmental entities for purposes of coordination on\n               contingency-related activities. Training for contingency roles/responsibilities\n               reflects the specific continuity requirements in the contingency plan.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ir-2",
-                    "rel": "related",
-                    "text": "IR-2"
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cp-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which contingency training is to be provided to\n                     information system users assuming a contingency role or responsibility;"
-                      },
-                      {
-                        "id": "cp-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(a)[2]"
-                          }
-                        ],
-                        "prose": "provides contingency training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming a contingency role or responsibility;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-3(b)"
-                      }
-                    ],
-                    "prose": "provides contingency training to information system users consistent with assigned\n                  roles and responsibilities when required by information system changes;"
-                  },
-                  {
-                    "id": "cp-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency for contingency training thereafter; and"
-                      },
-                      {
-                        "id": "cp-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides contingency training to information system users consistent with\n                     assigned roles and responsibilities with the organization-defined frequency\n                     thereafter."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nsecurity plan\\n\\ncontingency training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning, plan implementation, and\n                  training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency training"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Simulated Events",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-3.1_smt",
-                    "name": "statement",
-                    "prose": "The organization incorporates simulated events into contingency training to\n                  facilitate effective response by personnel in crisis situations."
-                  },
-                  {
-                    "id": "cp-3.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization incorporates simulated events into contingency\n                  training to facilitate effective response by personnel in crisis situations."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning, plan implementation, and\n                     training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for contingency training\\n\\nautomated mechanisms for simulating contingency events"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-4",
-            "class": "SP800-53",
-            "title": "Contingency Plan Testing",
-            "parameters": [
-              {
-                "id": "cp-4_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_prm_2",
-                "label": "organization-defined tests",
-                "constraints": [
-                  {
-                    "detail": "functional exercises"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-84"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the\n                  effectiveness of the plan and the organizational readiness to execute the\n                  plan;"
-                  },
-                  {
-                    "id": "cp-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews the contingency plan test results; and"
-                  },
-                  {
-                    "id": "cp-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Initiates corrective actions, if needed."
-                  },
-                  {
-                    "id": "cp-4_fr",
-                    "name": "item",
-                    "title": "CP-4(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-4_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-4(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_gdn",
-                "name": "guidance",
-                "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and\n               to identify potential weaknesses in the plans include, for example, walk-through and\n               tabletop exercises, checklists, simulations (parallel, full interrupt), and\n               comprehensive exercises. Organizations conduct testing based on the continuity\n               requirements in contingency plans and include a determination of the effects on\n               organizational operations, assets, and individuals arising due to contingency\n               operations. Organizations have flexibility and discretion in the breadth, depth, and\n               timelines of corrective actions.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-3",
-                    "rel": "related",
-                    "text": "CP-3"
-                  },
-                  {
-                    "href": "#ir-3",
-                    "rel": "related",
-                    "text": "IR-3"
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines tests to determine the effectiveness of the contingency plan and the\n                     organizational readiness to execute the plan;"
-                      },
-                      {
-                        "id": "cp-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[2]"
-                          }
-                        ],
-                        "prose": "defines a frequency to test the contingency plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[3]"
-                          }
-                        ],
-                        "prose": "tests the contingency plan for the information system with the\n                     organization-defined frequency, using organization-defined tests to determine\n                     the effectiveness of the plan and the organizational readiness to execute the\n                     plan;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-4(b)"
-                      }
-                    ],
-                    "prose": "reviews the contingency plan test results; and"
-                  },
-                  {
-                    "id": "cp-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-4(c)"
-                      }
-                    ],
-                    "prose": "initiates corrective actions, if needed."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\nsecurity plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for contingency plan testing,\n                  reviewing or responding to contingency plan tests\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                  testing"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Coordinate with Related Plans",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization coordinates contingency plan testing with organizational elements\n                  responsible for related plans."
-                  },
-                  {
-                    "id": "cp-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "Plans related to contingency plans for organizational information systems include,\n                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of\n                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  Cyber Incident Response Plans, and Occupant Emergency Plans. This control\n                  enhancement does not require organizations to create organizational elements to\n                  handle related plans or to align such elements with specific plans. It does\n                  require, however, that if such organizational elements are responsible for related\n                  plans, organizations should coordinate with those elements.",
-                    "links": [
-                      {
-                        "href": "#ir-8",
-                        "rel": "related",
-                        "text": "IR-8"
-                      },
-                      {
-                        "href": "#pm-8",
-                        "rel": "related",
-                        "text": "PM-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-4.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization coordinates contingency plan testing with\n                  organizational elements responsible for related plans. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nincident response policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan testing documentation\\n\\ncontingency plan\\n\\nbusiness continuity plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\ncyber incident response plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan testing responsibilities\\n\\norganizational personnel\\n\\npersonnel with responsibilities for related plans\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Alternate Processing Site",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization tests the contingency plan at the alternate processing site:",
-                    "parts": [
-                      {
-                        "id": "cp-4.2_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "To familiarize contingency personnel with the facility and available resources;\n                     and"
-                      },
-                      {
-                        "id": "cp-4.2_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "To evaluate the capabilities of the alternate processing site to support\n                     contingency operations."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-4.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cp-7",
-                        "rel": "related",
-                        "text": "CP-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-4.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization tests the contingency plan at the alternate\n                  processing site to:",
-                    "parts": [
-                      {
-                        "id": "cp-4.2.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(2)(a)"
-                          }
-                        ],
-                        "prose": "familiarize contingency personnel with the facility and available resources;\n                     and",
-                        "links": [
-                          {
-                            "href": "#cp-4.2_smt.a",
-                            "rel": "corresp",
-                            "text": "CP-4(2)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-4.2.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(2)(b)"
-                          }
-                        ],
-                        "prose": "evaluate the capabilities of the alternate processing site to support\n                     contingency operations.",
-                        "links": [
-                          {
-                            "href": "#cp-4.2_smt.b",
-                            "rel": "corresp",
-                            "text": "CP-4(2)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nalternate processing site agreements\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                     testing"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-6",
-            "class": "SP800-53",
-            "title": "Alternate Storage Site",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes an alternate storage site including necessary agreements to permit the\n                  storage and retrieval of information system backup information; and"
-                  },
-                  {
-                    "id": "cp-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that the alternate storage site provides information security safeguards\n                  equivalent to that of the primary site."
-                  }
-                ]
-              },
-              {
-                "id": "cp-6_gdn",
-                "name": "guidance",
-                "prose": "Alternate storage sites are sites that are geographically distinct from primary\n               storage sites. An alternate storage site maintains duplicate copies of information\n               and data in the event that the primary storage site is not available. Items covered\n               by alternate storage site agreements include, for example, environmental conditions\n               at alternate sites, access rules, physical and environmental protection requirements,\n               and coordination of delivery/retrieval of backup media. Alternate storage sites\n               reflect the requirements in contingency plans so that organizations can maintain\n               essential missions/business functions despite disruption, compromise, or failure in\n               organizational information systems.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  }
-                ]
-              },
-              {
-                "id": "cp-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-6_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-6[1]"
-                      }
-                    ],
-                    "prose": "establishes an alternate storage site including necessary agreements to permit the\n                  storage and retrieval of information system backup information; and"
-                  },
-                  {
-                    "id": "cp-6_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-6[2]"
-                      }
-                    ],
-                    "prose": "ensures that the alternate storage site provides information security safeguards\n                  equivalent to that of the primary site."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site agreements\\n\\nprimary storage site agreements\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency plan alternate storage site\n                  responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for storing and retrieving information system backup\n                  information at the alternate storage site\\n\\nautomated mechanisms supporting and/or implementing storage and retrieval of\n                  information system backup information at the alternate storage site"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Separation from Primary Site",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies an alternate storage site that is separated from the\n                  primary storage site to reduce susceptibility to the same threats."
-                  },
-                  {
-                    "id": "cp-6.1_gdn",
-                    "name": "guidance",
-                    "prose": "Threats that affect alternate storage sites are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber attacks, and errors of omission/commission.\n                  Organizations determine what is considered a sufficient degree of separation\n                  between primary and alternate storage sites based on the types of threats that are\n                  of concern. For one particular type of threat (i.e., hostile cyber attack), the\n                  degree of separation between sites is less relevant.",
-                    "links": [
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-6.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization identifies an alternate storage site that is\n                  separated from the primary storage site to reduce susceptibility to the same\n                  threats. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nalternate storage site agreements\\n\\nprimary storage site agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate storage site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-6.2",
-                "class": "SP800-53-enhancement",
-                "title": "Recovery Time / Point Objectives",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-6(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-06.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-6.2_smt",
-                    "name": "statement",
-                    "prose": "The organization configures the alternate storage site to facilitate recovery\n                  operations in accordance with recovery time and recovery point objectives."
-                  },
-                  {
-                    "id": "cp-6.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization configures the alternate storage site to facilitate\n                  recovery operations in accordance with recovery time objectives and recovery point\n                  objectives (as specified in the information system contingency plan)."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nalternate storage site agreements\\n\\nalternate storage site configurations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan testing responsibilities\\n\\norganizational personnel with responsibilities for testing related plans\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting recovery time/point objectives"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-6.3",
-                "class": "SP800-53-enhancement",
-                "title": "Accessibility",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-6(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-06.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-6.3_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies potential accessibility problems to the alternate\n                  storage site in the event of an area-wide disruption or disaster and outlines\n                  explicit mitigation actions."
-                  },
-                  {
-                    "id": "cp-6.3_gdn",
-                    "name": "guidance",
-                    "prose": "Area-wide disruptions refer to those types of disruptions that are broad in\n                  geographic scope (e.g., hurricane, regional power outage) with such determinations\n                  made by organizations based on organizational assessments of risk. Explicit\n                  mitigation actions include, for example: (i) duplicating backup information at\n                  other alternate storage sites if access problems occur at originally designated\n                  alternate sites; or (ii) planning for physical access to retrieve backup\n                  information if electronic accessibility to the alternate site is disrupted.",
-                    "links": [
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-6.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-6.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-6(3)[1]"
-                          }
-                        ],
-                        "prose": "identifies potential accessibility problems to the alternate storage site in\n                     the event of an area-wide disruption or disaster; and"
-                      },
-                      {
-                        "id": "cp-6.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-6(3)[2]"
-                          }
-                        ],
-                        "prose": "outlines explicit mitigation actions for such potential accessibility problems\n                     to the alternate storage site in the event of an area-wide disruption or\n                     disaster."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nlist of potential accessibility problems to alternate storage site\\n\\nmitigation actions for accessibility problems to alternate storage site\\n\\norganizational risk assessments\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate storage site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-7",
-            "class": "SP800-53",
-            "title": "Alternate Processing Site",
-            "parameters": [
-              {
-                "id": "cp-7_prm_1",
-                "label": "organization-defined information system operations"
-              },
-              {
-                "id": "cp-7_prm_2",
-                "label": "organization-defined time period consistent with recovery time and recovery point\n               objectives"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes an alternate processing site including necessary agreements to permit\n                  the transfer and resumption of {{ cp-7_prm_1 }} for essential\n                  missions/business functions within {{ cp-7_prm_2 }} when the\n                  primary processing capabilities are unavailable;"
-                  },
-                  {
-                    "id": "cp-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that equipment and supplies required to transfer and resume operations are\n                  available at the alternate processing site or contracts are in place to support\n                  delivery to the site within the organization-defined time period for\n                  transfer/resumption; and"
-                  },
-                  {
-                    "id": "cp-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that the alternate processing site provides information security\n                  safeguards equivalent to those of the primary site."
-                  },
-                  {
-                    "id": "cp-7_fr",
-                    "name": "item",
-                    "title": "CP-7 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-7_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-7_gdn",
-                "name": "guidance",
-                "prose": "Alternate processing sites are sites that are geographically distinct from primary\n               processing sites. An alternate processing site provides processing capability in the\n               event that the primary processing site is not available. Items covered by alternate\n               processing site agreements include, for example, environmental conditions at\n               alternate sites, access rules, physical and environmental protection requirements,\n               and coordination for the transfer/assignment of personnel. Requirements are\n               specifically allocated to alternate processing sites that reflect the requirements in\n               contingency plans to maintain essential missions/business functions despite\n               disruption, compromise, or failure in organizational information systems.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#ma-6",
-                    "rel": "related",
-                    "text": "MA-6"
-                  }
-                ]
-              },
-              {
-                "id": "cp-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system operations requiring an alternate processing site to\n                     be established to permit the transfer and resumption of such operations;"
-                      },
-                      {
-                        "id": "cp-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(a)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period consistent with recovery time objectives and recovery\n                     point objectives (as specified in the information system contingency plan) for\n                     transfer/resumption of organization-defined information system operations for\n                     essential missions/business functions;"
-                      },
-                      {
-                        "id": "cp-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(a)[3]"
-                          }
-                        ],
-                        "prose": "establishes an alternate processing site including necessary agreements to\n                     permit the transfer and resumption of organization-defined information system\n                     operations for essential missions/business functions, within the\n                     organization-defined time period, when the primary processing capabilities are\n                     unavailable;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(b)[1]"
-                          }
-                        ],
-                        "prose": "ensures that equipment and supplies required to transfer and resume operations\n                     are available at the alternate processing site; or"
-                      },
-                      {
-                        "id": "cp-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(b)[2]"
-                          }
-                        ],
-                        "prose": "ensures that contracts are in place to support delivery to the site within the\n                     organization-defined time period for transfer/resumption; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-7(c)"
-                      }
-                    ],
-                    "prose": "ensures that the alternate processing site provides information security\n                  safeguards equivalent to those of the primary site."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nspare equipment and supplies inventory at alternate processing site\\n\\nequipment and supply contracts\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for contingency planning and/or\n                  alternate site arrangements\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for recovery at the alternate site\\n\\nautomated mechanisms supporting and/or implementing recovery at the alternate\n                  processing site"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Separation from Primary Site",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies an alternate processing site that is separated from\n                  the primary processing site to reduce susceptibility to the same threats.",
-                    "parts": [
-                      {
-                        "id": "cp-7.1_fr",
-                        "name": "item",
-                        "title": "CP-7 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "cp-7.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Threats that affect alternate processing sites are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber attacks, and errors of omission/commission.\n                  Organizations determine what is considered a sufficient degree of separation\n                  between primary and alternate processing sites based on the types of threats that\n                  are of concern. For one particular type of threat (i.e., hostile cyber attack),\n                  the degree of separation between sites is less relevant.",
-                    "links": [
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization identifies an alternate processing site that is\n                  separated from the primary storage site to reduce susceptibility to the same\n                  threats. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-7.2",
-                "class": "SP800-53-enhancement",
-                "title": "Accessibility",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-7(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-07.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-7.2_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies potential accessibility problems to the alternate\n                  processing site in the event of an area-wide disruption or disaster and outlines\n                  explicit mitigation actions."
-                  },
-                  {
-                    "id": "cp-7.2_gdn",
-                    "name": "guidance",
-                    "prose": "Area-wide disruptions refer to those types of disruptions that are broad in\n                  geographic scope (e.g., hurricane, regional power outage) with such determinations\n                  made by organizations based on organizational assessments of risk.",
-                    "links": [
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-7.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(2)[1]"
-                          }
-                        ],
-                        "prose": "identifies potential accessibility problems to the alternate processing site in\n                     the event of an area-wide disruption or disaster; and"
-                      },
-                      {
-                        "id": "cp-7.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(2)[2]"
-                          }
-                        ],
-                        "prose": "outlines explicit mitigation actions for such potential accessibility problems\n                     to the alternate processing site in the event of an area-wide disruption or\n                     disaster."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-7.3",
-                "class": "SP800-53-enhancement",
-                "title": "Priority of Service",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-7(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-07.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-7.3_smt",
-                    "name": "statement",
-                    "prose": "The organization develops alternate processing site agreements that contain\n                  priority-of-service provisions in accordance with organizational availability\n                  requirements (including recovery time objectives)."
-                  },
-                  {
-                    "id": "cp-7.3_gdn",
-                    "name": "guidance",
-                    "prose": "Priority-of-service agreements refer to negotiated agreements with service\n                  providers that ensure that organizations receive priority treatment consistent\n                  with their availability requirements and the availability of information resources\n                  at the alternate processing site."
-                  },
-                  {
-                    "id": "cp-7.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization develops alternate processing site agreements that\n                  contain priority-of-service provisions in accordance with organizational\n                  availability requirements (including recovery time objectives as specified in the\n                  information system contingency plan)."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site agreements\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-7.4",
-                "class": "SP800-53-enhancement",
-                "title": "Preparation for Use",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-7(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-07.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-7.4_smt",
-                    "name": "statement",
-                    "prose": "The organization prepares the alternate processing site so that the site is ready\n                  to be used as the operational site supporting essential missions and business\n                  functions."
-                  },
-                  {
-                    "id": "cp-7.4_gdn",
-                    "name": "guidance",
-                    "prose": "Site preparation includes, for example, establishing configuration settings for\n                  information system components at the alternate processing site consistent with the\n                  requirements for such settings at the primary site and ensuring that essential\n                  supplies and other logistical considerations are in place.",
-                    "links": [
-                      {
-                        "href": "#cm-2",
-                        "rel": "related",
-                        "text": "CM-2"
-                      },
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization prepares the alternate processing site so that the\n                  site is ready to be used as the operational site supporting essential missions and\n                  business functions."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nalternate processing site configurations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing recovery at the alternate\n                     processing site"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-8",
-            "class": "SP800-53",
-            "title": "Telecommunications Services",
-            "parameters": [
-              {
-                "id": "cp-8_prm_1",
-                "label": "organization-defined information system operations"
-              },
-              {
-                "id": "cp-8_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#fb5844de-ff96-47c0-b258-4f52bcc2f30d",
-                "rel": "reference",
-                "text": "National Communications Systems Directive 3-10"
-              },
-              {
-                "href": "#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604",
-                "rel": "reference",
-                "text": "http://www.dhs.gov/telecommunications-service-priority-tsp"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-8_smt",
-                "name": "statement",
-                "prose": "The organization establishes alternate telecommunications services including\n               necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for\n               essential missions and business functions within {{ cp-8_prm_2 }} when\n               the primary telecommunications capabilities are unavailable at either the primary or\n               alternate processing or storage sites.",
-                "parts": [
-                  {
-                    "id": "cp-8_fr",
-                    "name": "item",
-                    "title": "CP-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-8_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-8_gdn",
-                "name": "guidance",
-                "prose": "This control applies to telecommunications services (data and voice) for primary and\n               alternate processing and storage sites. Alternate telecommunications services reflect\n               the continuity requirements in contingency plans to maintain essential\n               missions/business functions despite the loss of primary telecommunications services.\n               Organizations may specify different time periods for primary/alternate sites.\n               Alternate telecommunications services include, for example, additional organizational\n               or commercial ground-based circuits/lines or satellites in lieu of ground-based\n               communications. Organizations consider factors such as availability, quality of\n               service, and access when entering into alternate telecommunications agreements.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "cp-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-8_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-8[1]"
-                      }
-                    ],
-                    "prose": "defines information system operations requiring alternate telecommunications\n                  services to be established to permit the resumption of such operations;"
-                  },
-                  {
-                    "id": "cp-8_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-8[2]"
-                      }
-                    ],
-                    "prose": "defines the time period to permit resumption of organization-defined information\n                  system operations for essential missions and business functions; and"
-                  },
-                  {
-                    "id": "cp-8_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-8[3]"
-                      }
-                    ],
-                    "prose": "establishes alternate telecommunications services including necessary agreements\n                  to permit the resumption of organization-defined information system operations for\n                  essential missions and business functions, within the organization-defined time\n                  period, when the primary telecommunications capabilities are unavailable at either\n                  the primary or alternate processing or storage sites."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency plan telecommunications\n                  responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                  agreements"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting telecommunications"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Priority of Service Provisions",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cp-8.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Develops primary and alternate telecommunications service agreements that\n                     contain priority-of-service provisions in accordance with organizational\n                     availability requirements (including recovery time objectives); and"
-                      },
-                      {
-                        "id": "cp-8.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Requests Telecommunications Service Priority for all telecommunications\n                     services used for national security emergency preparedness in the event that\n                     the primary and/or alternate telecommunications services are provided by a\n                     common carrier."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations consider the potential mission/business impact in situations where\n                  telecommunications service providers are servicing other organizations with\n                  similar priority-of-service provisions."
-                  },
-                  {
-                    "id": "cp-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-8(1)[1]"
-                          }
-                        ],
-                        "prose": "develops primary and alternate telecommunications service agreements that\n                     contain priority-of-service provisions in accordance with organizational\n                     availability requirements (including recovery time objectives as specified in\n                     the information system contingency plan); and"
-                      },
-                      {
-                        "id": "cp-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-8(1)[2]"
-                          }
-                        ],
-                        "prose": "requests Telecommunications Service Priority for all telecommunications\n                     services used for national security emergency preparedness in the event that\n                     the primary and/or alternate telecommunications services are provided by a\n                     common carrier."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nTelecommunications Service Priority documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting telecommunications"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Single Points of Failure",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-08.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-8.2_smt",
-                    "name": "statement",
-                    "prose": "The organization obtains alternate telecommunications services to reduce the\n                  likelihood of sharing a single point of failure with primary telecommunications\n                  services."
-                  },
-                  {
-                    "id": "cp-8.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization obtains alternate telecommunications services to\n                  reduce the likelihood of sharing a single point of failure with primary\n                  telecommunications services. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\nprimary and alternate telecommunications service providers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-8.3",
-                "class": "SP800-53-enhancement",
-                "title": "Separation of Primary / Alternate Providers",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-8(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-08.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-8.3_smt",
-                    "name": "statement",
-                    "prose": "The organization obtains alternate telecommunications services from providers that\n                  are separated from primary service providers to reduce susceptibility to the same\n                  threats."
-                  },
-                  {
-                    "id": "cp-8.3_gdn",
-                    "name": "guidance",
-                    "prose": "Threats that affect telecommunications services are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber/physical attacks, and errors of\n                  omission/commission. Organizations seek to reduce common susceptibilities by, for\n                  example, minimizing shared infrastructure among telecommunications service\n                  providers and achieving sufficient geographic separation between services.\n                  Organizations may consider using a single service provider in situations where the\n                  service provider can provide alternate telecommunications services meeting the\n                  separation needs addressed in the risk assessment."
-                  },
-                  {
-                    "id": "cp-8.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization obtains alternate telecommunications services from\n                  providers that are separated from primary service providers to reduce\n                  susceptibility to the same threats. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nalternate telecommunications service provider site\\n\\nprimary telecommunications service provider site\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\nprimary and alternate telecommunications service providers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-8.4",
-                "class": "SP800-53-enhancement",
-                "title": "Provider Contingency Plan",
-                "parameters": [
-                  {
-                    "id": "cp-8.4_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "annually"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-8(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-08.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-8.4_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cp-8.4_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Requires primary and alternate telecommunications service providers to have\n                     contingency plans;"
-                      },
-                      {
-                        "id": "cp-8.4_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Reviews provider contingency plans to ensure that the plans meet organizational\n                     contingency requirements; and"
-                      },
-                      {
-                        "id": "cp-8.4_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Obtains evidence of contingency testing/training by providers {{ cp-8.4_prm_1 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-8.4_gdn",
-                    "name": "guidance",
-                    "prose": "Reviews of provider contingency plans consider the proprietary nature of such\n                  plans. In some situations, a summary of provider contingency plans may be\n                  sufficient evidence for organizations to satisfy the review requirement.\n                  Telecommunications service providers may also participate in ongoing disaster\n                  recovery exercises in coordination with the Department of Homeland Security,\n                  state, and local governments. Organizations may use these types of activities to\n                  satisfy evidentiary requirements related to service provider contingency plan\n                  reviews, testing, and training."
-                  },
-                  {
-                    "id": "cp-8.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-8.4.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-8(4)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-8.4.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-8(4)(a)[1]"
-                              }
-                            ],
-                            "prose": "requires primary telecommunications service provider to have contingency\n                        plans;"
-                          },
-                          {
-                            "id": "cp-8.4.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-8(4)(a)[2]"
-                              }
-                            ],
-                            "prose": "requires alternate telecommunications service provider(s) to have\n                        contingency plans;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cp-8.4_smt.a",
-                            "rel": "corresp",
-                            "text": "CP-8(4)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-8.4.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-8(4)(b)"
-                          }
-                        ],
-                        "prose": "reviews provider contingency plans to ensure that the plans meet organizational\n                     contingency requirements;",
-                        "links": [
-                          {
-                            "href": "#cp-8.4_smt.b",
-                            "rel": "corresp",
-                            "text": "CP-8(4)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-8.4.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-8(4)(c)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-8.4.c_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-8(4)(c)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to obtain evidence of contingency testing/training by\n                        providers; and"
-                          },
-                          {
-                            "id": "cp-8.4.c_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-8(4)(c)[2]"
-                              }
-                            ],
-                            "prose": "obtains evidence of contingency testing/training by providers with the\n                        organization-defined frequency."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cp-8.4_smt.c",
-                            "rel": "corresp",
-                            "text": "CP-8(4)(c)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprovider contingency plans\\n\\nevidence of contingency testing/training by providers\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning, plan implementation, and\n                     testing responsibilities\\n\\nprimary and alternate telecommunications service providers\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-9",
-            "class": "SP800-53",
-            "title": "Information System Backup",
-            "parameters": [
-              {
-                "id": "cp-9_prm_1",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_prm_2",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_prm_3",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-09"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Conducts backups of user-level information contained in the information system\n                     {{ cp-9_prm_1 }};"
-                  },
-                  {
-                    "id": "cp-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Conducts backups of system-level information contained in the information system\n                     {{ cp-9_prm_2 }};"
-                  },
-                  {
-                    "id": "cp-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Conducts backups of information system documentation including security-related\n                  documentation {{ cp-9_prm_3 }}; and"
-                  },
-                  {
-                    "id": "cp-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."
-                  },
-                  {
-                    "id": "cp-9_fr",
-                    "name": "item",
-                    "title": "CP-9 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-9_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_gdn",
-                "name": "guidance",
-                "prose": "System-level information includes, for example, system-state information, operating\n               system and application software, and licenses. User-level information includes any\n               information other than system-level information. Mechanisms employed by organizations\n               to protect the integrity of information system backups include, for example, digital\n               signatures and cryptographic hashes. Protection of system backup information while in\n               transit is beyond the scope of this control. Information system backups reflect the\n               requirements in contingency plans as well as other organizational requirements for\n               backing up information.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of user-level information contained in the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(a)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of user-level information contained in the information system\n                     with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of system-level information contained in the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of system-level information contained in the information\n                     system with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of information system documentation including security-related\n                     documentation;"
-                      },
-                      {
-                        "id": "cp-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of information system documentation, including\n                     security-related documentation, with the organization-defined frequency;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-9(d)"
-                      }
-                    ],
-                    "prose": "protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system backups"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-9.1",
-                "class": "SP800-53-enhancement",
-                "title": "Testing for Reliability / Integrity",
-                "parameters": [
-                  {
-                    "id": "cp-9.1_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least monthly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CP-9(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-09.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-9.1_smt",
-                    "name": "statement",
-                    "prose": "The organization tests backup information {{ cp-9.1_prm_1 }} to\n                  verify media reliability and information integrity."
-                  },
-                  {
-                    "id": "cp-9.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cp-4",
-                        "rel": "related",
-                        "text": "CP-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-9.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(1)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to test backup information to verify media reliability\n                     and information integrity; and"
-                      },
-                      {
-                        "id": "cp-9.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(1)[2]"
-                          }
-                        ],
-                        "prose": "tests backup information with the organization-defined frequency to verify\n                     media reliability and information integrity."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system\n                     backups"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-9.2",
-                "class": "SP800-53-enhancement",
-                "title": "Test Restoration Using Sampling",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-9(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-09.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-9.2_smt",
-                    "name": "statement",
-                    "prose": "The organization uses a sample of backup information in the restoration of\n                  selected information system functions as part of contingency plan testing."
-                  },
-                  {
-                    "id": "cp-9.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cp-4",
-                        "rel": "related",
-                        "text": "CP-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization uses a sample of backup information in the\n                  restoration of selected information system functions as part of contingency plan\n                  testing. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with contingency planning/contingency plan testing\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system\n                     backups"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-9.3",
-                "class": "SP800-53-enhancement",
-                "title": "Separate Storage for Critical Information",
-                "parameters": [
-                  {
-                    "id": "cp-9.3_prm_1",
-                    "label": "organization-defined critical information system software and other\n                  security-related information"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-9(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-09.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-9.3_smt",
-                    "name": "statement",
-                    "prose": "The organization stores backup copies of {{ cp-9.3_prm_1 }} in a\n                  separate facility or in a fire-rated container that is not collocated with the\n                  operational system."
-                  },
-                  {
-                    "id": "cp-9.3_gdn",
-                    "name": "guidance",
-                    "prose": "Critical information system software includes, for example, operating systems,\n                  cryptographic key management systems, and intrusion detection/prevention systems.\n                  Security-related information includes, for example, organizational inventories of\n                  hardware, software, and firmware components. Alternate storage sites typically\n                  serve as separate storage facilities for organizations.",
-                    "links": [
-                      {
-                        "href": "#cm-2",
-                        "rel": "related",
-                        "text": "CM-2"
-                      },
-                      {
-                        "href": "#cm-8",
-                        "rel": "related",
-                        "text": "CM-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-9.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(3)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-9.3_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-9(3)[1][a]"
-                              }
-                            ],
-                            "prose": "defines critical information system software and other security-related\n                        information requiring backup copies to be stored in a separate facility;\n                        or"
-                          },
-                          {
-                            "id": "cp-9.3_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-9(3)[1][b]"
-                              }
-                            ],
-                            "prose": "defines critical information system software and other security-related\n                        information requiring backup copies to be stored in a fire-rated container\n                        that is not collocated with the operational system; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-9.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(3)[2]"
-                          }
-                        ],
-                        "prose": "stores backup copies of organization-defined critical information system\n                     software and other security-related information in a separate facility or in a\n                     fire-rated container that is not collocated with the operational system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup configurations and associated documentation\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-9.5",
-                "class": "SP800-53-enhancement",
-                "title": "Transfer to Alternate Storage Site",
-                "parameters": [
-                  {
-                    "id": "cp-9.5_prm_1",
-                    "label": "organization-defined time period and transfer rate consistent with the\n                  recovery time and recovery point objectives",
-                    "constraints": [
-                      {
-                        "detail": "time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-9(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-09.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-9.5_smt",
-                    "name": "statement",
-                    "prose": "The organization transfers information system backup information to the alternate\n                  storage site {{ cp-9.5_prm_1 }}."
-                  },
-                  {
-                    "id": "cp-9.5_gdn",
-                    "name": "guidance",
-                    "prose": "Information system backup information can be transferred to alternate storage\n                  sites either electronically or by physical shipment of storage media."
-                  },
-                  {
-                    "id": "cp-9.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-9.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(5)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     transfer information system backup information to the alternate storage\n                     site;"
-                      },
-                      {
-                        "id": "cp-9.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(5)[2]"
-                          }
-                        ],
-                        "prose": "defines a transfer rate, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     transfer information system backup information to the alternate storage site;\n                     and"
-                      },
-                      {
-                        "id": "cp-9.5_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(5)[3]"
-                          }
-                        ],
-                        "prose": "transfers information system backup information to the alternate storage site\n                     with the organization-defined time period and transfer rate."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup logs or records\\n\\nevidence of system backup information transferred to alternate storage site\\n\\nalternate storage site agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for transferring information system backups to the\n                     alternate storage site\\n\\nautomated mechanisms supporting and/or implementing information system\n                     backups\\n\\nautomated mechanisms supporting and/or implementing information transfer to the\n                     alternate storage site"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-10",
-            "class": "SP800-53",
-            "title": "Information System Recovery and Reconstitution",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-10"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-10_smt",
-                "name": "statement",
-                "prose": "The organization provides for the recovery and reconstitution of the information\n               system to a known state after a disruption, compromise, or failure."
-              },
-              {
-                "id": "cp-10_gdn",
-                "name": "guidance",
-                "prose": "Recovery is executing information system contingency plan activities to restore\n               organizational missions/business functions. Reconstitution takes place following\n               recovery and includes activities for returning organizational information systems to\n               fully operational states. Recovery and reconstitution operations reflect mission and\n               business priorities, recovery point/time and reconstitution objectives, and\n               established organizational metrics consistent with contingency plan requirements.\n               Reconstitution includes the deactivation of any interim information system\n               capabilities that may have been needed during recovery operations. Reconstitution\n               also includes assessments of fully restored information system capabilities,\n               reestablishment of continuous monitoring activities, potential information system\n               reauthorizations, and activities to prepare the systems against future disruptions,\n               compromises, or failures. Recovery/reconstitution capabilities employed by\n               organizations can include both automated mechanisms and manual procedures.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#sc-24",
-                    "rel": "related",
-                    "text": "SC-24"
-                  }
-                ]
-              },
-              {
-                "id": "cp-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization provides for: ",
-                "parts": [
-                  {
-                    "id": "cp-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-10[1]"
-                      }
-                    ],
-                    "prose": "the recovery of the information system to a known state after:",
-                    "parts": [
-                      {
-                        "id": "cp-10_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][a]"
-                          }
-                        ],
-                        "prose": "a disruption;"
-                      },
-                      {
-                        "id": "cp-10_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][b]"
-                          }
-                        ],
-                        "prose": "a compromise; or"
-                      },
-                      {
-                        "id": "cp-10_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][c]"
-                          }
-                        ],
-                        "prose": "a failure;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-10[2]"
-                      }
-                    ],
-                    "prose": "the reconstitution of the information system to a known state after:",
-                    "parts": [
-                      {
-                        "id": "cp-10_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][a]"
-                          }
-                        ],
-                        "prose": "a disruption;"
-                      },
-                      {
-                        "id": "cp-10_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][b]"
-                          }
-                        ],
-                        "prose": "a compromise; or"
-                      },
-                      {
-                        "id": "cp-10_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][c]"
-                          }
-                        ],
-                        "prose": "a failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test results\\n\\ncontingency plan test documentation\\n\\nredundant secondary system for information system backups\\n\\nlocation(s) of redundant secondary backup system(s)\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning, recovery, and/or\n                  reconstitution responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes implementing information system recovery and\n                  reconstitution operations\\n\\nautomated mechanisms supporting and/or implementing information system recovery\n                  and reconstitution operations"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-10.2",
-                "class": "SP800-53-enhancement",
-                "title": "Transaction Recovery",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-10(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-10.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-10.2_smt",
-                    "name": "statement",
-                    "prose": "The information system implements transaction recovery for systems that are\n                  transaction-based."
-                  },
-                  {
-                    "id": "cp-10.2_gdn",
-                    "name": "guidance",
-                    "prose": "Transaction-based information systems include, for example, database management\n                  systems and transaction processing systems. Mechanisms supporting transaction\n                  recovery include, for example, transaction rollback and transaction\n                  journaling."
-                  },
-                  {
-                    "id": "cp-10.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements transaction recovery for systems\n                  that are transaction-based. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system recovery and reconstitution\\n\\ncontingency plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\ninformation system transaction recovery records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for transaction recovery\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing transaction recovery\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-10.4",
-                "class": "SP800-53-enhancement",
-                "title": "Restore Within Time Period",
-                "parameters": [
-                  {
-                    "id": "cp-10.4_prm_1",
-                    "label": "organization-defined restoration time-periods",
-                    "constraints": [
-                      {
-                        "detail": "time period consistent with the restoration time-periods defined in the service provider and organization SLA"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-10(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-10.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-10.4_smt",
-                    "name": "statement",
-                    "prose": "The organization provides the capability to restore information system components\n                  within {{ cp-10.4_prm_1 }} from configuration-controlled and\n                  integrity-protected information representing a known, operational state for the\n                  components."
-                  },
-                  {
-                    "id": "cp-10.4_gdn",
-                    "name": "guidance",
-                    "prose": "Restoration of information system components includes, for example, reimaging\n                  which restores components to known, operational states.",
-                    "links": [
-                      {
-                        "href": "#cm-2",
-                        "rel": "related",
-                        "text": "CM-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-10.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-10.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-10(4)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period to restore information system components from\n                     configuration-controlled and integrity-protected information representing a\n                     known, operational state for the components; and"
-                      },
-                      {
-                        "id": "cp-10.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-10(4)[2]"
-                          }
-                        ],
-                        "prose": "provides the capability to restore information system components within the\n                     organization-defined time period from configuration-controlled and\n                     integrity-protected information representing a known, operational state for the\n                     components."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system recovery and reconstitution\\n\\ncontingency plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nevidence of information system recovery and reconstitution operations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system recovery and reconstitution\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing recovery/reconstitution of\n                     information system information"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ia",
-        "class": "family",
-        "title": "Identification and Authentication",
-        "controls": [
-          {
-            "id": "ia-1",
-            "class": "SP800-53",
-            "title": "Identification and Authentication Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ia-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ia-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ia-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ia-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ia-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An identification and authentication policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "ia-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the identification and\n                     authentication policy and associated identification and authentication\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ia-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Identification and authentication policy {{ ia-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "ia-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Identification and authentication procedures {{ ia-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ia-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an identification and authentication policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "ia-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ia-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the identification and authentication\n                        policy is to be disseminated; and"
-                          },
-                          {
-                            "id": "ia-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the identification and authentication policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        identification and authentication policy and associated identification and\n                        authentication controls;"
-                          },
-                          {
-                            "id": "ia-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ia-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current identification and\n                        authentication policy;"
-                          },
-                          {
-                            "id": "ia-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current identification and authentication policy\n                        with the organization-defined frequency; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current identification and\n                        authentication procedures; and"
-                          },
-                          {
-                            "id": "ia-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current identification and authentication procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with identification and authentication\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-2",
-            "class": "SP800-53",
-            "title": "Identification and Authentication (organizational Users)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ad733a42-a7ed-4774-b988-4930c28852f3",
-                "rel": "reference",
-                "text": "HSPD-12"
-              },
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-2_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates organizational users (or\n               processes acting on behalf of organizational users)."
-              },
-              {
-                "id": "ia-2_gdn",
-                "name": "guidance",
-                "prose": "Organizational users include employees or individuals that organizations deem to have\n               equivalent status of employees (e.g., contractors, guest researchers). This control\n               applies to all accesses other than: (i) accesses that are explicitly identified and\n               documented in AC-14; and (ii) accesses that occur through authorized use of group\n               authenticators without individual authentication. Organizations may require unique\n               identification of individuals in group accounts (e.g., shared privilege accounts) or\n               for detailed accountability of individual activity. Organizations employ passwords,\n               tokens, or biometrics to authenticate user identities, or in the case multifactor\n               authentication, or some combination thereof. Access to organizational information\n               systems is defined as either local access or network access. Local access is any\n               access to organizational information systems by users (or processes acting on behalf\n               of users) where such access is obtained by direct connections without the use of\n               networks. Network access is access to organizational information systems by users (or\n               processes acting on behalf of users) where such access is obtained through network\n               connections (i.e., nonlocal accesses). Remote access is a type of network access that\n               involves communication through external networks (e.g., the Internet). Internal\n               networks include local area networks and wide area networks. In addition, the use of\n               encrypted virtual private networks (VPNs) for network connections between\n               organization-controlled endpoints and non-organization controlled endpoints may be\n               treated as internal networks from the perspective of protecting the confidentiality\n               and integrity of information traversing the network. Organizations can satisfy the\n               identification and authentication requirements in this control by complying with the\n               requirements in Homeland Security Presidential Directive 12 consistent with the\n               specific organizational implementation plans. Multifactor authentication requires the\n               use of two or more different factors to achieve authentication. The factors are\n               defined as: (i) something you know (e.g., password, personal identification number\n               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);\n               or (iii) something you are (e.g., biometric). Multifactor solutions that require\n               devices separate from information systems gaining access include, for example,\n               hardware tokens providing time-based or challenge-response authenticators and smart\n               cards such as the U.S. Government Personal Identity Verification card and the DoD\n               common access card. In addition to identifying and authenticating users at the\n               information system level (i.e., at logon), organizations also employ identification\n               and authentication mechanisms at the application level, when necessary, to provide\n               increased information security. Identification and authentication requirements for\n               other than organizational users are described in IA-8.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  }
-                ]
-              },
-              {
-                "id": "ia-2_obj",
-                "name": "objective",
-                "prose": "Determine if the information system uniquely identifies and authenticates\n               organizational users (or processes acting on behalf of organizational users)."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for uniquely identifying and authenticating users\\n\\nautomated mechanisms supporting and/or implementing identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.1_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for network access to\n                  privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  network access to privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Non-privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.2_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for network access to\n                  non-privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  network access to non-privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Local Access to Privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.3_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for local access to\n                  privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.3_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  local access to privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.4",
-                "class": "SP800-53-enhancement",
-                "title": "Local Access to Non-privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.4_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for local access to\n                  non-privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  local access to non-privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.5",
-                "class": "SP800-53-enhancement",
-                "title": "Group Authentication",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.5_smt",
-                    "name": "statement",
-                    "prose": "The organization requires individuals to be authenticated with an individual\n                  authenticator when a group authenticator is employed."
-                  },
-                  {
-                    "id": "ia-2.5_gdn",
-                    "name": "guidance",
-                    "prose": "Requiring individuals to use individual authenticators as a second level of\n                  authentication helps organizations to mitigate the risk of using group\n                  authenticators."
-                  },
-                  {
-                    "id": "ia-2.5_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires individuals to be authenticated with an\n                  individual authenticator when a group authenticator is employed."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing authentication capability\n                     for group accounts"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.8",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Privileged Accounts - Replay Resistant",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.8_smt",
-                    "name": "statement",
-                    "prose": "The information system implements replay-resistant authentication mechanisms for\n                  network access to privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.8_gdn",
-                    "name": "guidance",
-                    "prose": "Authentication processes resist replay attacks if it is impractical to achieve\n                  successful authentications by replaying previous authentication messages.\n                  Replay-resistant techniques include, for example, protocols that use nonces or\n                  challenges such as Transport Layer Security (TLS) and time synchronous or\n                  challenge-response one-time authenticators."
-                  },
-                  {
-                    "id": "ia-2.8_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements replay-resistant authentication\n                  mechanisms for network access to privileged accounts. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of privileged information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing replay resistant\n                     authentication mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.9",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Non-privileged Accounts - Replay Resistant",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.9_smt",
-                    "name": "statement",
-                    "prose": "The information system implements replay-resistant authentication mechanisms for\n                  network access to non-privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.9_gdn",
-                    "name": "guidance",
-                    "prose": "Authentication processes resist replay attacks if it is impractical to achieve\n                  successful authentications by recording/replaying previous authentication\n                  messages. Replay-resistant techniques include, for example, protocols that use\n                  nonces or challenges such as Transport Layer Security (TLS) and time synchronous\n                  or challenge-response one-time authenticators."
-                  },
-                  {
-                    "id": "ia-2.9_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements replay-resistant authentication\n                  mechanisms for network access to non-privileged accounts. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of non-privileged information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing replay resistant\n                     authentication mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.11",
-                "class": "SP800-53-enhancement",
-                "title": "Remote Access - Separate Device",
-                "parameters": [
-                  {
-                    "id": "ia-2.11_prm_1",
-                    "label": "organization-defined strength of mechanism requirements",
-                    "constraints": [
-                      {
-                        "detail": "FIPS 140-2, NIAP Certification, or NSA approval"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(11)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.11"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.11_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for remote access to\n                  privileged and non-privileged accounts such that one of the factors is provided by\n                  a device separate from the system gaining access and the device meets {{ ia-2.11_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ia-2.11_fr",
-                        "name": "item",
-                        "title": "IA-2 (11) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-2.11_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.11_gdn",
-                    "name": "guidance",
-                    "prose": "For remote access to privileged/non-privileged accounts, the purpose of requiring\n                  a device that is separate from the information system gaining access for one of\n                  the factors during multifactor authentication is to reduce the likelihood of\n                  compromising authentication credentials stored on the system. For example,\n                  adversaries deploying malicious code on organizational information systems can\n                  potentially compromise such credentials resident on the system and subsequently\n                  impersonate authorized users.",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.11_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "ia-2.11_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[1]"
-                          }
-                        ],
-                        "prose": "the information system implements multifactor authentication for remote access\n                     to privileged accounts such that one of the factors is provided by a device\n                     separate from the system gaining access;"
-                      },
-                      {
-                        "id": "ia-2.11_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[2]"
-                          }
-                        ],
-                        "prose": "the information system implements multifactor authentication for remote access\n                     to non-privileged accounts such that one of the factors is provided by a device\n                     separate from the system gaining access;"
-                      },
-                      {
-                        "id": "ia-2.11_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[3]"
-                          }
-                        ],
-                        "prose": "the organization defines strength of mechanism requirements to be enforced by a\n                     device separate from the system gaining remote access to privileged\n                     accounts;"
-                      },
-                      {
-                        "id": "ia-2.11_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[4]"
-                          }
-                        ],
-                        "prose": "the organization defines strength of mechanism requirements to be enforced by a\n                     device separate from the system gaining remote access to non-privileged\n                     accounts;"
-                      },
-                      {
-                        "id": "ia-2.11_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[5]"
-                          }
-                        ],
-                        "prose": "the information system implements multifactor authentication for remote access\n                     to privileged accounts such that a device, separate from the system gaining\n                     access, meets organization-defined strength of mechanism requirements; and"
-                      },
-                      {
-                        "id": "ia-2.11_obj.6",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[6]"
-                          }
-                        ],
-                        "prose": "the information system implements multifactor authentication for remote access\n                     to non-privileged accounts such that a device, separate from the system gaining\n                     access, meets organization-defined strength of mechanism requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of privileged and non-privileged information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.12",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of PIV Credentials",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(12)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.12"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.12_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials.",
-                    "parts": [
-                      {
-                        "id": "ia-2.12_fr",
-                        "name": "item",
-                        "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-2.12_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.12_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to organizations implementing logical access\n                  control systems (LACS) and physical access control systems (PACS). Personal\n                  Identity Verification (PIV) credentials are those credentials issued by federal\n                  agencies that conform to FIPS Publication 201 and supporting guidance documents.\n                  OMB Memorandum 11-11 requires federal agencies to continue implementing the\n                  requirements specified in HSPD-12 to enable agency-wide use of PIV\n                  credentials.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.12_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system: ",
-                    "parts": [
-                      {
-                        "id": "ia-2.12_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(12)[1]"
-                          }
-                        ],
-                        "prose": "accepts Personal Identity Verification (PIV) credentials; and"
-                      },
-                      {
-                        "id": "ia-2.12_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(12)[2]"
-                          }
-                        ],
-                        "prose": "electronically verifies Personal Identity Verification (PIV) credentials."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing acceptance and verification\n                     of PIV credentials"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-3",
-            "class": "SP800-53",
-            "title": "Device Identification and Authentication",
-            "parameters": [
-              {
-                "id": "ia-3_prm_1",
-                "label": "organization-defined specific and/or types of devices"
-              },
-              {
-                "id": "ia-3_prm_2"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-3_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }}\n               connection."
-              },
-              {
-                "id": "ia-3_gdn",
-                "name": "guidance",
-                "prose": "Organizational devices requiring unique device-to-device identification and\n               authentication may be defined by type, by device, or by a combination of type/device.\n               Information systems typically use either shared known information (e.g., Media Access\n               Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)\n               for device identification or organizational authentication solutions (e.g., IEEE\n               802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport\n               Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on\n               local and/or wide area networks. Organizations determine the required strength of\n               authentication mechanisms by the security categories of information systems. Because\n               of the challenges of applying this control on large scale, organizations are\n               encouraged to only apply the control to those limited number (and type) of devices\n               that truly need to support this capability.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  }
-                ]
-              },
-              {
-                "id": "ia-3_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "ia-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-3[1]"
-                      }
-                    ],
-                    "prose": "the organization defines specific and/or types of devices that the information\n                  system uniquely identifies and authenticates before establishing one or more of\n                  the following:",
-                    "parts": [
-                      {
-                        "id": "ia-3_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[1][a]"
-                          }
-                        ],
-                        "prose": "a local connection;"
-                      },
-                      {
-                        "id": "ia-3_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[1][b]"
-                          }
-                        ],
-                        "prose": "a remote connection; and/or"
-                      },
-                      {
-                        "id": "ia-3_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[1][c]"
-                          }
-                        ],
-                        "prose": "a network connection; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-3[2]"
-                      }
-                    ],
-                    "prose": "the information system uniquely identifies and authenticates organization-defined\n                  devices before establishing one or more of the following:",
-                    "parts": [
-                      {
-                        "id": "ia-3_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[2][a]"
-                          }
-                        ],
-                        "prose": "a local connection;"
-                      },
-                      {
-                        "id": "ia-3_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[2][b]"
-                          }
-                        ],
-                        "prose": "a remote connection; and/or"
-                      },
-                      {
-                        "id": "ia-3_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[2][c]"
-                          }
-                        ],
-                        "prose": "a network connection."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing device identification and authentication\\n\\ninformation system design documentation\\n\\nlist of devices requiring unique identification and authentication\\n\\ndevice connection reports\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with operational responsibilities for device\n                  identification and authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing device identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-4",
-            "class": "SP800-53",
-            "title": "Identifier Management",
-            "parameters": [
-              {
-                "id": "ia-4_prm_1",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "at a minimum, the ISSO (or similar role within the organization)"
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "at least two (2) years"
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_prm_3",
-                "label": "organization-defined time period of inactivity",
-                "constraints": [
-                  {
-                    "detail": "thirty-five (35) days (See additional requirements and guidance.)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-4_smt",
-                "name": "statement",
-                "prose": "The organization manages information system identifiers by:",
-                "parts": [
-                  {
-                    "id": "ia-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Receiving authorization from {{ ia-4_prm_1 }} to assign an\n                  individual, group, role, or device identifier;"
-                  },
-                  {
-                    "id": "ia-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Selecting an identifier that identifies an individual, group, role, or device;"
-                  },
-                  {
-                    "id": "ia-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Assigning the identifier to the intended individual, group, role, or device;"
-                  },
-                  {
-                    "id": "ia-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ia-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Disabling the identifier after {{ ia-4_prm_3 }}."
-                  },
-                  {
-                    "id": "ia-4_fr",
-                    "name": "item",
-                    "title": "IA-4(e) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ia-4_fr_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines the time period of inactivity for device identifiers."
-                      },
-                      {
-                        "id": "ia-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_gdn",
-                "name": "guidance",
-                "prose": "Common device identifiers include, for example, media access control (MAC), Internet\n               protocol (IP) addresses, or device-unique token identifiers. Management of individual\n               identifiers is not applicable to shared information system accounts (e.g., guest and\n               anonymous accounts). Typically, individual identifiers are the user names of the\n               information system accounts assigned to those individuals. In such instances, the\n               account management activities of AC-2 use account names provided by IA-4. This\n               control also addresses individual identifiers not necessarily associated with\n               information system accounts (e.g., identifiers used in physical security control\n               databases accessed by badge reader systems for access to information systems).\n               Preventing reuse of identifiers implies preventing the assignment of previously used\n               individual, group, role, or device identifiers to different individuals, groups,\n               roles, or devices.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#sc-37",
-                    "rel": "related",
-                    "text": "SC-37"
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization manages information system identifiers by: ",
-                "parts": [
-                  {
-                    "id": "ia-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defining personnel or roles from whom authorization must be received to\n                     assign:",
-                        "parts": [
-                          {
-                            "id": "ia-4.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][a]"
-                              }
-                            ],
-                            "prose": "an individual identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][b]"
-                              }
-                            ],
-                            "prose": "a group identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][c]"
-                              }
-                            ],
-                            "prose": "a role identifier; and/or"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][d]"
-                              }
-                            ],
-                            "prose": "a device identifier;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(a)[2]"
-                          }
-                        ],
-                        "prose": "receiving authorization from organization-defined personnel or roles to\n                     assign:",
-                        "parts": [
-                          {
-                            "id": "ia-4.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][a]"
-                              }
-                            ],
-                            "prose": "an individual identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][b]"
-                              }
-                            ],
-                            "prose": "a group identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][c]"
-                              }
-                            ],
-                            "prose": "a role identifier; and/or"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][d]"
-                              }
-                            ],
-                            "prose": "a device identifier;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-4(b)"
-                      }
-                    ],
-                    "prose": "selecting an identifier that identifies:",
-                    "parts": [
-                      {
-                        "id": "ia-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[1]"
-                          }
-                        ],
-                        "prose": "an individual;"
-                      },
-                      {
-                        "id": "ia-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[2]"
-                          }
-                        ],
-                        "prose": "a group;"
-                      },
-                      {
-                        "id": "ia-4.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[3]"
-                          }
-                        ],
-                        "prose": "a role; and/or"
-                      },
-                      {
-                        "id": "ia-4.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[4]"
-                          }
-                        ],
-                        "prose": "a device;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-4(c)"
-                      }
-                    ],
-                    "prose": "assigning the identifier to the intended:",
-                    "parts": [
-                      {
-                        "id": "ia-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[1]"
-                          }
-                        ],
-                        "prose": "individual;"
-                      },
-                      {
-                        "id": "ia-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[2]"
-                          }
-                        ],
-                        "prose": "group;"
-                      },
-                      {
-                        "id": "ia-4.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[3]"
-                          }
-                        ],
-                        "prose": "role; and/or"
-                      },
-                      {
-                        "id": "ia-4.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[4]"
-                          }
-                        ],
-                        "prose": "device;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(d)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period for preventing reuse of identifiers;"
-                      },
-                      {
-                        "id": "ia-4.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(d)[2]"
-                          }
-                        ],
-                        "prose": "preventing reuse of identifiers for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(e)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period of inactivity to disable the identifier; and"
-                      },
-                      {
-                        "id": "ia-4.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(e)[2]"
-                          }
-                        ],
-                        "prose": "disabling the identifier after the organization-defined time period of\n                     inactivity."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system accounts\\n\\nlist of identifiers generated from physical access control devices\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing identifier management"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-4.4",
-                "class": "SP800-53-enhancement",
-                "title": "Identify User Status",
-                "parameters": [
-                  {
-                    "id": "ia-4.4_prm_1",
-                    "label": "organization-defined characteristic identifying individual status",
-                    "constraints": [
-                      {
-                        "detail": "contractors; foreign nationals]"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-4(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-04.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-4.4_smt",
-                    "name": "statement",
-                    "prose": "The organization manages individual identifiers by uniquely identifying each\n                  individual as {{ ia-4.4_prm_1 }}."
-                  },
-                  {
-                    "id": "ia-4.4_gdn",
-                    "name": "guidance",
-                    "prose": "Characteristics identifying the status of individuals include, for example,\n                  contractors and foreign nationals. Identifying the status of individuals by\n                  specific characteristics provides additional information about the people with\n                  whom organizational personnel are communicating. For example, it might be useful\n                  for a government employee to know that one of the individuals on an email message\n                  is a contractor.",
-                    "links": [
-                      {
-                        "href": "#at-2",
-                        "rel": "related",
-                        "text": "AT-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-4.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(4)[1]"
-                          }
-                        ],
-                        "prose": "defines a characteristic to be used to identify individual status; and"
-                      },
-                      {
-                        "id": "ia-4.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(4)[2]"
-                          }
-                        ],
-                        "prose": "manages individual identifiers by uniquely identifying each individual as the\n                     organization-defined characteristic identifying individual status."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nlist of characteristics identifying individual status\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identifier management"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-5",
-            "class": "SP800-53",
-            "title": "Authenticator Management",
-            "parameters": [
-              {
-                "id": "ia-5_prm_1",
-                "label": "organization-defined time period by authenticator type"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-5_smt",
-                "name": "statement",
-                "prose": "The organization manages information system authenticators by:",
-                "parts": [
-                  {
-                    "id": "ia-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Verifying, as part of the initial authenticator distribution, the identity of the\n                  individual, group, role, or device receiving the authenticator;"
-                  },
-                  {
-                    "id": "ia-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishing initial authenticator content for authenticators defined by the\n                  organization;"
-                  },
-                  {
-                    "id": "ia-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"
-                  },
-                  {
-                    "id": "ia-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Establishing and implementing administrative procedures for initial authenticator\n                  distribution, for lost/compromised or damaged authenticators, and for revoking\n                  authenticators;"
-                  },
-                  {
-                    "id": "ia-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Changing default content of authenticators prior to information system\n                  installation;"
-                  },
-                  {
-                    "id": "ia-5_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Establishing minimum and maximum lifetime restrictions and reuse conditions for\n                  authenticators;"
-                  },
-                  {
-                    "id": "ia-5_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Changing/refreshing authenticators {{ ia-5_prm_1 }};"
-                  },
-                  {
-                    "id": "ia-5_smt.h",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "h."
-                      }
-                    ],
-                    "prose": "Protecting authenticator content from unauthorized disclosure and\n                  modification;"
-                  },
-                  {
-                    "id": "ia-5_smt.i",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "i."
-                      }
-                    ],
-                    "prose": "Requiring individuals to take, and having devices implement, specific security\n                  safeguards to protect authenticators; and"
-                  },
-                  {
-                    "id": "ia-5_smt.j",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "j."
-                      }
-                    ],
-                    "prose": "Changing authenticators for group/role accounts when membership to those accounts\n                  changes."
-                  },
-                  {
-                    "id": "ia-5_fr",
-                    "name": "item",
-                    "title": "IA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ia-5_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5_gdn",
-                "name": "guidance",
-                "prose": "Individual authenticators include, for example, passwords, tokens, biometrics, PKI\n               certificates, and key cards. Initial authenticator content is the actual content\n               (e.g., the initial password) as opposed to requirements about authenticator content\n               (e.g., minimum password length). In many cases, developers ship information system\n               components with factory default authentication credentials to allow for initial\n               installation and configuration. Default authentication credentials are often well\n               known, easily discoverable, and present a significant security risk. The requirement\n               to protect individual authenticators may be implemented via control PL-4 or PS-6 for\n               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28\n               for authenticators stored within organizational information systems (e.g., passwords\n               stored in hashed or encrypted formats, files containing encrypted or hashed passwords\n               accessible with administrator privileges). Information systems support individual\n               authenticator management by organization-defined settings and restrictions for\n               various authenticator characteristics including, for example, minimum password\n               length, password composition, validation time window for time synchronous one-time\n               tokens, and number of allowed rejections during the verification stage of biometric\n               authentication. Specific actions that can be taken to safeguard authenticators\n               include, for example, maintaining possession of individual authenticators, not\n               loaning or sharing individual authenticators with others, and reporting lost, stolen,\n               or compromised authenticators immediately. Authenticator management includes issuing\n               and revoking, when no longer needed, authenticators for temporary access such as that\n               required for remote maintenance. Device authenticators include, for example,\n               certificates and passwords.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  }
-                ]
-              },
-              {
-                "id": "ia-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization manages information system authenticators by: ",
-                "parts": [
-                  {
-                    "id": "ia-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(a)"
-                      }
-                    ],
-                    "prose": "verifying, as part of the initial authenticator distribution, the identity of:",
-                    "parts": [
-                      {
-                        "id": "ia-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "the individual receiving the authenticator;"
-                      },
-                      {
-                        "id": "ia-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "the group receiving the authenticator;"
-                      },
-                      {
-                        "id": "ia-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[3]"
-                          }
-                        ],
-                        "prose": "the role receiving the authenticator; and/or"
-                      },
-                      {
-                        "id": "ia-5.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[4]"
-                          }
-                        ],
-                        "prose": "the device receiving the authenticator;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(b)"
-                      }
-                    ],
-                    "prose": "establishing initial authenticator content for authenticators defined by the\n                  organization;"
-                  },
-                  {
-                    "id": "ia-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(c)"
-                      }
-                    ],
-                    "prose": "ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"
-                  },
-                  {
-                    "id": "ia-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[1]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for initial\n                     authenticator distribution;"
-                      },
-                      {
-                        "id": "ia-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[2]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for lost/compromised or\n                     damaged authenticators;"
-                      },
-                      {
-                        "id": "ia-5.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[3]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for revoking\n                     authenticators;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(e)"
-                      }
-                    ],
-                    "prose": "changing default content of authenticators prior to information system\n                  installation;"
-                  },
-                  {
-                    "id": "ia-5.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[1]"
-                          }
-                        ],
-                        "prose": "establishing minimum lifetime restrictions for authenticators;"
-                      },
-                      {
-                        "id": "ia-5.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[2]"
-                          }
-                        ],
-                        "prose": "establishing maximum lifetime restrictions for authenticators;"
-                      },
-                      {
-                        "id": "ia-5.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[3]"
-                          }
-                        ],
-                        "prose": "establishing reuse conditions for authenticators;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(g)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period (by authenticator type) for changing/refreshing\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(g)[2]"
-                          }
-                        ],
-                        "prose": "changing/refreshing authenticators with the organization-defined time period by\n                     authenticator type;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.h_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(h)"
-                      }
-                    ],
-                    "prose": "protecting authenticator content from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "ia-5.h_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(h)[1]"
-                          }
-                        ],
-                        "prose": "disclosure;"
-                      },
-                      {
-                        "id": "ia-5.h_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(h)[2]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.i_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(i)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.i_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(i)[1]"
-                          }
-                        ],
-                        "prose": "requiring individuals to take specific security safeguards to protect\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.i_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(i)[2]"
-                          }
-                        ],
-                        "prose": "having devices implement specific security safeguards to protect\n                     authenticators; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.j_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(j)"
-                      }
-                    ],
-                    "prose": "changing authenticators for group/role accounts when membership to those accounts\n                  changes."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system authenticator types\\n\\nchange control records associated with managing information system\n                  authenticators\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                  capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Password-based Authentication",
-                "parameters": [
-                  {
-                    "id": "ia-5.1_prm_1",
-                    "label": "organization-defined requirements for case sensitivity, number of characters,\n                  mix of upper-case letters, lower-case letters, numbers, and special characters,\n                  including minimum requirements for each type"
-                  },
-                  {
-                    "id": "ia-5.1_prm_2",
-                    "label": "organization-defined number",
-                    "constraints": [
-                      {
-                        "detail": "at least fifty percent (50%)"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_prm_3",
-                    "label": "organization-defined numbers for lifetime minimum, lifetime maximum"
-                  },
-                  {
-                    "id": "ia-5.1_prm_4",
-                    "label": "organization-defined number",
-                    "constraints": [
-                      {
-                        "detail": "twenty four (24)"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "IA-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.1_smt",
-                    "name": "statement",
-                    "prose": "The information system, for password-based authentication:",
-                    "parts": [
-                      {
-                        "id": "ia-5.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Enforces minimum password complexity of {{ ia-5.1_prm_1 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Enforces at least the following number of changed characters when new passwords\n                     are created: {{ ia-5.1_prm_2 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Stores and transmits only cryptographically-protected passwords;"
-                      },
-                      {
-                        "id": "ia-5.1_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)"
-                          }
-                        ],
-                        "prose": "Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;\n                     and"
-                      },
-                      {
-                        "id": "ia-5.1_smt.f",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(f)"
-                          }
-                        ],
-                        "prose": "Allows the use of a temporary password for system logons with an immediate\n                     change to a permanent password."
-                      },
-                      {
-                        "id": "ia-5.1_fr",
-                        "name": "item",
-                        "title": "IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-5.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(a) (d) Guidance:"
-                              }
-                            ],
-                            "prose": "If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to single-factor authentication of individuals\n                  using passwords as individual or group authenticators, and in a similar manner,\n                  when passwords are part of multifactor authenticators. This control enhancement\n                  does not apply when passwords are used to unlock hardware authenticators (e.g.,\n                  Personal Identity Verification cards). The implementation of such password\n                  mechanisms may not meet all of the requirements in the enhancement.\n                  Cryptographically-protected passwords include, for example, encrypted versions of\n                  passwords and one-way cryptographic hashes of passwords. The number of changed\n                  characters refers to the number of changes required with respect to the total\n                  number of positions in the current password. Password lifetime restrictions do not\n                  apply to temporary passwords. To mitigate certain brute force attacks against\n                  passwords, organizations may also consider salting passwords.",
-                    "links": [
-                      {
-                        "href": "#ia-6",
-                        "rel": "related",
-                        "text": "IA-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if, for password-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for case sensitivity;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for number of characters;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[3]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for the mix of upper-case letters,\n                        lower-case letters, numbers and special characters;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[4]"
-                              }
-                            ],
-                            "prose": "the organization defines minimum requirements for each type of\n                        character;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.5",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[5]"
-                              }
-                            ],
-                            "prose": "the information system enforces minimum password complexity of\n                        organization-defined requirements for case sensitivity, number of\n                        characters, mix of upper-case letters, lower-case letters, numbers, and\n                        special characters, including minimum requirements for each type;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.a",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines a minimum number of changed characters to be\n                        enforced when new passwords are created;"
-                          },
-                          {
-                            "id": "ia-5.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "the information system enforces at least the organization-defined minimum\n                        number of characters that must be changed when new passwords are\n                        created;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.b",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(c)"
-                          }
-                        ],
-                        "prose": "the information system stores and transmits only encrypted representations of\n                     passwords;",
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.c",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(d)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.d_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines numbers for password minimum lifetime restrictions\n                        to be enforced for passwords;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines numbers for password maximum lifetime restrictions\n                        to be enforced for passwords;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[3]"
-                              }
-                            ],
-                            "prose": "the information system enforces password minimum lifetime restrictions of\n                        organization-defined numbers for lifetime minimum;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[4]"
-                              }
-                            ],
-                            "prose": "the information system enforces password maximum lifetime restrictions of\n                        organization-defined numbers for lifetime maximum;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.d",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(d)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.e_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(e)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.e_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(e)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the number of password generations to be prohibited\n                        from password reuse;"
-                          },
-                          {
-                            "id": "ia-5.1.e_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(e)[2]"
-                              }
-                            ],
-                            "prose": "the information system prohibits password reuse for the organization-defined\n                        number of generations; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.e",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(e)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.f_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(f)"
-                          }
-                        ],
-                        "prose": "the information system allows the use of a temporary password for system logons\n                     with an immediate change to a permanent password.",
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.f",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(f)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\npassword policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\npassword configurations and associated documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.2",
-                "class": "SP800-53-enhancement",
-                "title": "Pki-based Authentication",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.2_smt",
-                    "name": "statement",
-                    "prose": "The information system, for PKI-based authentication:",
-                    "parts": [
-                      {
-                        "id": "ia-5.2_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Validates certifications by constructing and verifying a certification path to\n                     an accepted trust anchor including checking certificate status information;"
-                      },
-                      {
-                        "id": "ia-5.2_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Enforces authorized access to the corresponding private key;"
-                      },
-                      {
-                        "id": "ia-5.2_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Maps the authenticated identity to the account of the individual or group;\n                     and"
-                      },
-                      {
-                        "id": "ia-5.2_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Implements a local cache of revocation data to support path discovery and\n                     validation in case of inability to access revocation information via the\n                     network."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.2_gdn",
-                    "name": "guidance",
-                    "prose": "Status information for certification paths includes, for example, certificate\n                  revocation lists or certificate status protocol responses. For PIV cards,\n                  validation of certifications involves the construction and verification of a\n                  certification path to the Common Policy Root trust anchor including certificate\n                  policy processing.",
-                    "links": [
-                      {
-                        "href": "#ia-6",
-                        "rel": "related",
-                        "text": "IA-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system, for PKI-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.2.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(2)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.2.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(2)(a)[1]"
-                              }
-                            ],
-                            "prose": "validates certifications by constructing a certification path to an accepted\n                        trust anchor;"
-                          },
-                          {
-                            "id": "ia-5.2.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(2)(a)[2]"
-                              }
-                            ],
-                            "prose": "validates certifications by verifying a certification path to an accepted\n                        trust anchor;"
-                          },
-                          {
-                            "id": "ia-5.2.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(2)(a)[3]"
-                              }
-                            ],
-                            "prose": "includes checking certificate status information when constructing and\n                        verifying the certification path;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.2_smt.a",
-                            "rel": "corresp",
-                            "text": "IA-5(2)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.2.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(2)(b)"
-                          }
-                        ],
-                        "prose": "enforces authorized access to the corresponding private key;",
-                        "links": [
-                          {
-                            "href": "#ia-5.2_smt.b",
-                            "rel": "corresp",
-                            "text": "IA-5(2)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.2.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(2)(c)"
-                          }
-                        ],
-                        "prose": "maps the authenticated identity to the account of the individual or group;\n                     and",
-                        "links": [
-                          {
-                            "href": "#ia-5.2_smt.c",
-                            "rel": "corresp",
-                            "text": "IA-5(2)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.2.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(2)(d)"
-                          }
-                        ],
-                        "prose": "implements a local cache of revocation data to support path discovery and\n                     validation in case of inability to access revocation information via the\n                     network.",
-                        "links": [
-                          {
-                            "href": "#ia-5.2_smt.d",
-                            "rel": "corresp",
-                            "text": "IA-5(2)(d)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nPKI certification validation records\\n\\nPKI certification revocation lists\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with PKI-based, authenticator management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing PKI-based, authenticator\n                     management capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.3",
-                "class": "SP800-53-enhancement",
-                "title": "In-person or Trusted Third-party Registration",
-                "parameters": [
-                  {
-                    "id": "ia-5.3_prm_1",
-                    "label": "organization-defined types of and/or specific authenticators",
-                    "constraints": [
-                      {
-                        "detail": "All hardware/biometric (multifactor authenticators)"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.3_prm_2",
-                    "constraints": [
-                      {
-                        "detail": "in person"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.3_prm_3",
-                    "label": "organization-defined registration authority"
-                  },
-                  {
-                    "id": "ia-5.3_prm_4",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.3_smt",
-                    "name": "statement",
-                    "prose": "The organization requires that the registration process to receive {{ ia-5.3_prm_1 }} be conducted {{ ia-5.3_prm_2 }} before\n                     {{ ia-5.3_prm_3 }} with authorization by {{ ia-5.3_prm_4 }}."
-                  },
-                  {
-                    "id": "ia-5.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[1]"
-                          }
-                        ],
-                        "prose": "defines types of and/or specific authenticators to be received in person or by\n                     a trusted third party;"
-                      },
-                      {
-                        "id": "ia-5.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[2]"
-                          }
-                        ],
-                        "prose": "defines the registration authority with oversight of the registration process\n                     for receipt of organization-defined types of and/or specific\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[3]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles responsible for authorizing organization-defined\n                     registration authority;"
-                      },
-                      {
-                        "id": "ia-5.3_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[4]"
-                          }
-                        ],
-                        "prose": "defines if the registration process is to be conducted:",
-                        "parts": [
-                          {
-                            "id": "ia-5.3_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(3)[4][a]"
-                              }
-                            ],
-                            "prose": "in person; or"
-                          },
-                          {
-                            "id": "ia-5.3_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(3)[4][b]"
-                              }
-                            ],
-                            "prose": "by a trusted third party; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.3_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[5]"
-                          }
-                        ],
-                        "prose": "requires that the registration process to receive organization-defined types of\n                     and/or specific authenticators be conducted in person or by a trusted third\n                     party before organization-defined registration authority with authorization by\n                     organization-defined personnel or roles."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nregistration process for receiving information system authenticators\\n\\nlist of authenticators requiring in-person registration\\n\\nlist of authenticators requiring trusted third party registration\\n\\nauthenticator registration documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\nregistration authority\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.4",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Support for Password Strength Determination",
-                "parameters": [
-                  {
-                    "id": "ia-5.4_prm_1",
-                    "label": "organization-defined requirements",
-                    "constraints": [
-                      {
-                        "detail": "complexity as identified in IA-5 (1) Control Enhancement Part (a)"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.4_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated tools to determine if password authenticators\n                  are sufficiently strong to satisfy {{ ia-5.4_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ia-5.4_fr",
-                        "name": "item",
-                        "title": "IA-5 (4) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-5.4_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement focuses on the creation of strong passwords and the\n                  characteristics of such passwords (e.g., complexity) prior to use, the enforcement\n                  of which is carried out by organizational information systems in IA-5 (1).",
-                    "links": [
-                      {
-                        "href": "#ca-2",
-                        "rel": "related",
-                        "text": "CA-2"
-                      },
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(4)[1]"
-                          }
-                        ],
-                        "prose": "defines requirements to be satisfied by password authenticators; and"
-                      },
-                      {
-                        "id": "ia-5.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(4)[2]"
-                          }
-                        ],
-                        "prose": "employs automated tools to determine if password authenticators are\n                     sufficiently strong to satisfy organization-defined requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nautomated tools for evaluating password authenticators\\n\\npassword strength assessment results\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability\\n\\nautomated tools for determining password strength"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.6",
-                "class": "SP800-53-enhancement",
-                "title": "Protection of Authenticators",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(6)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.06"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.6_smt",
-                    "name": "statement",
-                    "prose": "The organization protects authenticators commensurate with the security category\n                  of the information to which use of the authenticator permits access."
-                  },
-                  {
-                    "id": "ia-5.6_gdn",
-                    "name": "guidance",
-                    "prose": "For information systems containing multiple security categories of information\n                  without reliable physical or logical separation between categories, authenticators\n                  used to grant access to the systems are protected commensurate with the highest\n                  security category of information on the systems."
-                  },
-                  {
-                    "id": "ia-5.6_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization protects authenticators commensurate with the\n                  security category of the information to which use of the authenticator permits\n                  access."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity categorization documentation for the information system\\n\\nsecurity assessments of authenticator protections\\n\\nrisk assessment results\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel implementing and/or maintaining authenticator\n                     protections\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                     capability\\n\\nautomated mechanisms protecting authenticators"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.7",
-                "class": "SP800-53-enhancement",
-                "title": "No Embedded Unencrypted Static Authenticators",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.7_smt",
-                    "name": "statement",
-                    "prose": "The organization ensures that unencrypted static authenticators are not embedded\n                  in applications or access scripts or stored on function keys."
-                  },
-                  {
-                    "id": "ia-5.7_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations exercise caution in determining whether embedded or stored\n                  authenticators are in encrypted or unencrypted form. If authenticators are used in\n                  the manner stored, then those representations are considered unencrypted\n                  authenticators. This is irrespective of whether that representation is perhaps an\n                  encrypted version of something else (e.g., a password)."
-                  },
-                  {
-                    "id": "ia-5.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization ensures that unencrypted static authenticators are\n                  not: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.7_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(7)[1]"
-                          }
-                        ],
-                        "prose": "embedded in applications;"
-                      },
-                      {
-                        "id": "ia-5.7_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(7)[2]"
-                          }
-                        ],
-                        "prose": "embedded in access scripts; or"
-                      },
-                      {
-                        "id": "ia-5.7_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(7)[3]"
-                          }
-                        ],
-                        "prose": "stored on function keys."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlogical access scripts\\n\\napplication code reviews for detecting unencrypted static authenticators\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                     capability\\n\\nautomated mechanisms implementing authentication in applications"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.8",
-                "class": "SP800-53-enhancement",
-                "title": "Multiple Information System Accounts",
-                "parameters": [
-                  {
-                    "id": "ia-5.8_prm_1",
-                    "label": "organization-defined security safeguards",
-                    "constraints": [
-                      {
-                        "detail": "different authenticators on different systems"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.8_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ ia-5.8_prm_1 }} to manage the risk\n                  of compromise due to individuals having accounts on multiple information\n                  systems."
-                  },
-                  {
-                    "id": "ia-5.8_gdn",
-                    "name": "guidance",
-                    "prose": "When individuals have accounts on multiple information systems, there is the risk\n                  that the compromise of one account may lead to the compromise of other accounts if\n                  individuals use the same authenticators. Possible alternatives include, for\n                  example: (i) having different authenticators on all systems; (ii) employing some\n                  form of single sign-on mechanism; or (iii) including some form of one-time\n                  passwords on all systems."
-                  },
-                  {
-                    "id": "ia-5.8_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.8_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(8)[1]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to manage the risk of compromise due to individuals\n                     having accounts on multiple information systems; and"
-                      },
-                      {
-                        "id": "ia-5.8_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(8)[2]"
-                          }
-                        ],
-                        "prose": "implements organization-defined security safeguards to manage the risk of\n                     compromise due to individuals having accounts on multiple information\n                     systems."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\nlist of individuals having accounts on multiple information systems\\n\\nlist of security safeguards intended to manage risk of compromise due to\n                     individuals having accounts on multiple information systems\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing safeguards for\n                     authenticator management"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.11",
-                "class": "SP800-53-enhancement",
-                "title": "Hardware Token-based Authentication",
-                "parameters": [
-                  {
-                    "id": "ia-5.11_prm_1",
-                    "label": "organization-defined token quality requirements"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(11)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.11"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.11_smt",
-                    "name": "statement",
-                    "prose": "The information system, for hardware token-based authentication, employs\n                  mechanisms that satisfy {{ ia-5.11_prm_1 }}."
-                  },
-                  {
-                    "id": "ia-5.11_gdn",
-                    "name": "guidance",
-                    "prose": "Hardware token-based authentication typically refers to the use of PKI-based\n                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.\n                  Organizations define specific requirements for tokens, such as working with a\n                  particular PKI."
-                  },
-                  {
-                    "id": "ia-5.11_obj",
-                    "name": "objective",
-                    "prose": "Determine if, for hardware token-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.11_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(11)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines token quality requirements to be satisfied; and"
-                      },
-                      {
-                        "id": "ia-5.11_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(11)[2]"
-                          }
-                        ],
-                        "prose": "the information system employs mechanisms that satisfy organization-defined\n                     token quality requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nautomated mechanisms employing hardware token-based authentication for the\n                     information system\\n\\nlist of token quality requirements\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing hardware token-based\n                     authenticator management capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.13",
-                "class": "SP800-53-enhancement",
-                "title": "Expiration of Cached Authenticators",
-                "parameters": [
-                  {
-                    "id": "ia-5.13_prm_1",
-                    "label": "organization-defined time period"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(13)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.13"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.13_smt",
-                    "name": "statement",
-                    "prose": "The information system prohibits the use of cached authenticators after {{ ia-5.13_prm_1 }}."
-                  },
-                  {
-                    "id": "ia-5.13_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.13_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(13)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period after which the information system is\n                     to prohibit the use of cached authenticators; and"
-                      },
-                      {
-                        "id": "ia-5.13_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(13)[2]"
-                          }
-                        ],
-                        "prose": "the information system prohibits the use of cached authenticators after the\n                     organization-defined time period."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-6",
-            "class": "SP800-53",
-            "title": "Authenticator Feedback",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-6_smt",
-                "name": "statement",
-                "prose": "The information system obscures feedback of authentication information during the\n               authentication process to protect the information from possible exploitation/use by\n               unauthorized individuals."
-              },
-              {
-                "id": "ia-6_gdn",
-                "name": "guidance",
-                "prose": "The feedback from information systems does not provide information that would allow\n               unauthorized individuals to compromise authentication mechanisms. For some types of\n               information systems or system components, for example, desktops/notebooks with\n               relatively large monitors, the threat (often referred to as shoulder surfing) may be\n               significant. For other types of systems or components, for example, mobile devices\n               with 2-4 inch screens, this threat may be less significant, and may need to be\n               balanced against the increased likelihood of typographic input errors due to the\n               small keyboards. Therefore, the means for obscuring the authenticator feedback is\n               selected accordingly. Obscuring the feedback of authentication information includes,\n               for example, displaying asterisks when users type passwords into input devices, or\n               displaying feedback for a very limited time before fully obscuring it.",
-                "links": [
-                  {
-                    "href": "#pe-18",
-                    "rel": "related",
-                    "text": "PE-18"
-                  }
-                ]
-              },
-              {
-                "id": "ia-6_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system obscures feedback of authentication information\n               during the authentication process to protect the information from possible\n               exploitation/use by unauthorized individuals."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator feedback\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing the obscuring of feedback of\n                  authentication information during authentication"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-7",
-            "class": "SP800-53",
-            "title": "Cryptographic Module Authentication",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-                "rel": "reference",
-                "text": "FIPS Publication 140"
-              },
-              {
-                "href": "#b09d1a31-d3c9-4138-a4f4-4c63816afd7d",
-                "rel": "reference",
-                "text": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-7_smt",
-                "name": "statement",
-                "prose": "The information system implements mechanisms for authentication to a cryptographic\n               module that meet the requirements of applicable federal laws, Executive Orders,\n               directives, policies, regulations, standards, and guidance for such\n               authentication."
-              },
-              {
-                "id": "ia-7_gdn",
-                "name": "guidance",
-                "prose": "Authentication mechanisms may be required within a cryptographic module to\n               authenticate an operator accessing the module and to verify that the operator is\n               authorized to assume the requested role and perform services within that role.",
-                "links": [
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "ia-7_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system implements mechanisms for authentication to a\n               cryptographic module that meet the requirements of applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and guidance for such\n               authentication."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing cryptographic module authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for cryptographic module\n                  authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic module\n                  authentication"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-8",
-            "class": "SP800-53",
-            "title": "Identification and Authentication (non-organizational Users)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#599fe9ba-4750-4450-9eeb-b95bd19a5e8f",
-                "rel": "reference",
-                "text": "OMB Memorandum 10-06-2011"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-116"
-              },
-              {
-                "href": "#654f21e2-f3bc-43b2-abdc-60ab8d09744b",
-                "rel": "reference",
-                "text": "National Strategy for Trusted Identities in\n            Cyberspace"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-8_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates non-organizational users\n               (or processes acting on behalf of non-organizational users)."
-              },
-              {
-                "id": "ia-8_gdn",
-                "name": "guidance",
-                "prose": "Non-organizational users include information system users other than organizational\n               users explicitly covered by IA-2. These individuals are uniquely identified and\n               authenticated for accesses other than those accesses explicitly identified and\n               documented in AC-14. In accordance with the E-Authentication E-Government initiative,\n               authentication of non-organizational users accessing federal information systems may\n               be required to protect federal, proprietary, or privacy-related information (with\n               exceptions noted for national security systems). Organizations use risk assessments\n               to determine authentication needs and consider scalability, practicality, and\n               security in balancing the need to ensure ease of use for access to federal\n               information and information systems with the need to protect and adequately mitigate\n               risk. IA-2 addresses identification and authentication requirements for access to\n               information systems by organizational users.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  }
-                ]
-              },
-              {
-                "id": "ia-8_obj",
-                "name": "objective",
-                "prose": "Determine if the information system uniquely identifies and authenticates\n               non-organizational users (or processes acting on behalf of non-organizational\n               users)."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of PIV Credentials from Other Agencies",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.1_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials from other federal agencies."
-                  },
-                  {
-                    "id": "ia-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to logical access control systems (LACS) and\n                  physical access control systems (PACS). Personal Identity Verification (PIV)\n                  credentials are those credentials issued by federal agencies that conform to FIPS\n                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires\n                  federal agencies to continue implementing the requirements specified in HSPD-12 to\n                  enable agency-wide use of PIV credentials.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system: ",
-                    "parts": [
-                      {
-                        "id": "ia-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(1)[1]"
-                          }
-                        ],
-                        "prose": "accepts Personal Identity Verification (PIV) credentials from other agencies;\n                     and"
-                      },
-                      {
-                        "id": "ia-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(1)[2]"
-                          }
-                        ],
-                        "prose": "electronically verifies Personal Identity Verification (PIV) credentials from\n                     other agencies."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept and verify PIV credentials"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of Third-party Credentials",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.2_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts only FICAM-approved third-party credentials."
-                  },
-                  {
-                    "id": "ia-8.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement typically applies to organizational information systems\n                  that are accessible to the general public, for example, public-facing websites.\n                  Third-party credentials are those credentials issued by nonfederal government\n                  entities approved by the Federal Identity, Credential, and Access Management\n                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials\n                  meet or exceed the set of minimum federal government-wide technical, security,\n                  privacy, and organizational maturity requirements. This allows federal government\n                  relying parties to trust such credentials at their approved assurance levels.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system accepts only FICAM-approved third-party\n                  credentials. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-approved, third-party credentialing products, components, or\n                     services procured and implemented by organization\\n\\nthird-party credential verification records\\n\\nevidence of FICAM-approved third-party credentials\\n\\nthird-party credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept FICAM-approved credentials"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.3",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Ficam-approved Products",
-                "parameters": [
-                  {
-                    "id": "ia-8.3_prm_1",
-                    "label": "organization-defined information systems"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs only FICAM-approved information system components in\n                     {{ ia-8.3_prm_1 }} to accept third-party credentials."
-                  },
-                  {
-                    "id": "ia-8.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement typically applies to information systems that are\n                  accessible to the general public, for example, public-facing websites.\n                  FICAM-approved information system components include, for example, information\n                  technology products and software libraries that have been approved by the Federal\n                  Identity, Credential, and Access Management conformance program.",
-                    "links": [
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-8.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(3)[1]"
-                          }
-                        ],
-                        "prose": "defines information systems in which only FICAM-approved information system\n                     components are to be employed to accept third-party credentials; and"
-                      },
-                      {
-                        "id": "ia-8.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(3)[2]"
-                          }
-                        ],
-                        "prose": "employs only FICAM-approved information system components in\n                     organization-defined information systems to accept third-party credentials."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nthird-party credential validations\\n\\nthird-party credential authorizations\\n\\nthird-party credential records\\n\\nlist of FICAM-approved information system components procured and implemented\n                     by organization\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information system security, acquisition, and\n                     contracting responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.4",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Ficam-issued Profiles",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.4_smt",
-                    "name": "statement",
-                    "prose": "The information system conforms to FICAM-issued profiles."
-                  },
-                  {
-                    "id": "ia-8.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement addresses open identity management standards. To ensure\n                  that these standards are viable, robust, reliable, sustainable (e.g., available in\n                  commercial information technology products), and interoperable as documented, the\n                  United States Government assesses and scopes identity management standards and\n                  technology implementations against applicable federal legislation, directives,\n                  policies, and requirements. The result is FICAM-issued implementation profiles of\n                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and\n                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute\n                  Exchange).",
-                    "links": [
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system conforms to FICAM-issued profiles. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-issued profiles and associated, approved protocols\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing conformance with\n                     FICAM-issued profiles"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ir",
-        "class": "family",
-        "title": "Incident Response",
-        "controls": [
-          {
-            "id": "ir-1",
-            "class": "SP800-53",
-            "title": "Incident Response Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ir-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ir-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ir-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An incident response policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ir-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the incident response policy and\n                     associated incident response controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ir-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Incident response policy {{ ir-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ir-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Incident response procedures {{ ir-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IR\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an incident response policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ir-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ir-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the incident response policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ir-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the incident response policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        incident response policy and associated incident response controls;"
-                          },
-                          {
-                            "id": "ir-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ir-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current incident response\n                        policy;"
-                          },
-                          {
-                            "id": "ir-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current incident response policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current incident response\n                        procedures; and"
-                          },
-                          {
-                            "id": "ir-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current incident response procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-2",
-            "class": "SP800-53",
-            "title": "Incident Response Training",
-            "parameters": [
-              {
-                "id": "ir-2_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "within ten (10) days"
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-2_smt",
-                "name": "statement",
-                "prose": "The organization provides incident response training to information system users\n               consistent with assigned roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "ir-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Within {{ ir-2_prm_1 }} of assuming an incident response role or\n                  responsibility;"
-                  },
-                  {
-                    "id": "ir-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "ir-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ ir-2_prm_2 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_gdn",
-                "name": "guidance",
-                "prose": "Incident response training provided by organizations is linked to the assigned roles\n               and responsibilities of organizational personnel to ensure the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know who to call or how to recognize an incident on the information system;\n               system administrators may require additional training on how to handle/remediate\n               incidents; and incident responders may receive more specific training on forensics,\n               reporting, system recovery, and restoration. Incident response training includes user\n               training in the identification and reporting of suspicious activities, both from\n               external and internal sources.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-3",
-                    "rel": "related",
-                    "text": "CP-3"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which incident response training is to be provided\n                     to information system users assuming an incident response role or\n                     responsibility;"
-                      },
-                      {
-                        "id": "ir-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(a)[2]"
-                          }
-                        ],
-                        "prose": "provides incident response training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming an incident response role or responsibility;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-2(b)"
-                      }
-                    ],
-                    "prose": "provides incident response training to information system users consistent with\n                  assigned roles and responsibilities when required by information system\n                  changes;"
-                  },
-                  {
-                    "id": "ir-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher incident response training to\n                     information system users consistent with assigned roles or responsibilities;\n                     and"
-                      },
-                      {
-                        "id": "ir-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(c)[2]"
-                          }
-                        ],
-                        "prose": "after the initial incident response training, provides refresher incident\n                     response training to information system users consistent with assigned roles\n                     and responsibilities in accordance with the organization-defined frequency to\n                     provide refresher training."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nsecurity plan\\n\\nincident response plan\\n\\nsecurity plan\\n\\nincident response training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response training and operational\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Simulated Events",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization incorporates simulated events into incident response training to\n                  facilitate effective response by personnel in crisis situations."
-                  },
-                  {
-                    "id": "ir-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization incorporates simulated events into incident response\n                  training to facilitate effective response by personnel in crisis situations. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response training and operational\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms that support and/or implement simulated events for\n                     incident response training"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Training Environments",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to provide a more thorough and\n                  realistic incident response training environment."
-                  },
-                  {
-                    "id": "ir-2.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to provide a more\n                  thorough and realistic incident response training environment. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nautomated mechanisms supporting incident response training\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response training and operational\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms that provide a thorough and realistic incident response\n                     training environment"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-3",
-            "class": "SP800-53",
-            "title": "Incident Response Testing",
-            "parameters": [
-              {
-                "id": "ir-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every six (6) months"
-                  }
-                ]
-              },
-              {
-                "id": "ir-3_prm_2",
-                "label": "organization-defined tests"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-84"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-3_smt",
-                "name": "statement",
-                "prose": "The organization tests the incident response capability for the information system\n                  {{ ir-3_prm_1 }} using {{ ir-3_prm_2 }} to determine\n               the incident response effectiveness and documents the results.",
-                "parts": [
-                  {
-                    "id": "ir-3_fr",
-                    "name": "item",
-                    "title": "IR-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-3_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-3 -2 Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-3_gdn",
-                "name": "guidance",
-                "prose": "Organizations test incident response capabilities to determine the overall\n               effectiveness of the capabilities and to identify potential weaknesses or\n               deficiencies. Incident response testing includes, for example, the use of checklists,\n               walk-through or tabletop exercises, simulations (parallel/full interrupt), and\n               comprehensive exercises. Incident response testing can also include a determination\n               of the effects on organizational operations (e.g., reduction in mission\n               capabilities), organizational assets, and individuals due to incident response.",
-                "links": [
-                  {
-                    "href": "#cp-4",
-                    "rel": "related",
-                    "text": "CP-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-3[1]"
-                      }
-                    ],
-                    "prose": "defines incident response tests to test the incident response capability for the\n                  information system;"
-                  },
-                  {
-                    "id": "ir-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-3[2]"
-                      }
-                    ],
-                    "prose": "defines the frequency to test the incident response capability for the information\n                  system; and"
-                  },
-                  {
-                    "id": "ir-3_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-3[3]"
-                      }
-                    ],
-                    "prose": "tests the incident response capability for the information system with the\n                  organization-defined frequency, using organization-defined tests to determine the\n                  incident response effectiveness and documents the results."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident response testing\\n\\nprocedures addressing contingency plan testing\\n\\nincident response testing material\\n\\nincident response test results\\n\\nincident response test plan\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response testing responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-3.2",
-                "class": "SP800-53-enhancement",
-                "title": "Coordination with Related Plans",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-3(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-03.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-3.2_smt",
-                    "name": "statement",
-                    "prose": "The organization coordinates incident response testing with organizational\n                  elements responsible for related plans."
-                  },
-                  {
-                    "id": "ir-3.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational plans related to incident response testing include, for example,\n                  Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity\n                  of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  and Occupant Emergency Plans."
-                  },
-                  {
-                    "id": "ir-3.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization coordinates incident response testing with\n                  organizational elements responsible for related plans. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident response testing\\n\\nincident response testing documentation\\n\\nincident response plan\\n\\nbusiness continuity plans\\n\\ncontingency plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response testing responsibilities\\n\\norganizational personnel with responsibilities for testing organizational plans\n                     related to incident response testing\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-4",
-            "class": "SP800-53",
-            "title": "Incident Handling",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Implements an incident handling capability for security incidents that includes\n                  preparation, detection and analysis, containment, eradication, and recovery;"
-                  },
-                  {
-                    "id": "ir-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Coordinates incident handling activities with contingency planning activities;\n                  and"
-                  },
-                  {
-                    "id": "ir-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Incorporates lessons learned from ongoing incident handling activities into\n                  incident response procedures, training, and testing, and implements the resulting\n                  changes accordingly."
-                  },
-                  {
-                    "id": "ir-4_fr",
-                    "name": "item",
-                    "title": "IR-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-4_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_gdn",
-                "name": "guidance",
-                "prose": "Organizations recognize that incident response capability is dependent on the\n               capabilities of organizational information systems and the mission/business processes\n               being supported by those systems. Therefore, organizations consider incident response\n               as part of the definition, design, and development of mission/business processes and\n               information systems. Incident-related information can be obtained from a variety of\n               sources including, for example, audit monitoring, network monitoring, physical access\n               monitoring, user/administrator reports, and reported supply chain events. Effective\n               incident handling capability includes coordination among many organizational entities\n               including, for example, mission/business owners, information system owners,\n               authorizing officials, human resources offices, physical and personnel security\n               offices, legal departments, operations personnel, procurement offices, and the risk\n               executive (function).",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-4",
-                    "rel": "related",
-                    "text": "CP-4"
-                  },
-                  {
-                    "href": "#ir-2",
-                    "rel": "related",
-                    "text": "IR-2"
-                  },
-                  {
-                    "href": "#ir-3",
-                    "rel": "related",
-                    "text": "IR-3"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-4(a)"
-                      }
-                    ],
-                    "prose": "implements an incident handling capability for security incidents that\n                  includes:",
-                    "parts": [
-                      {
-                        "id": "ir-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[1]"
-                          }
-                        ],
-                        "prose": "preparation;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[2]"
-                          }
-                        ],
-                        "prose": "detection and analysis;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[3]"
-                          }
-                        ],
-                        "prose": "containment;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[4]"
-                          }
-                        ],
-                        "prose": "eradication;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[5]"
-                          }
-                        ],
-                        "prose": "recovery;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-4(b)"
-                      }
-                    ],
-                    "prose": "coordinates incident handling activities with contingency planning activities;"
-                  },
-                  {
-                    "id": "ir-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(c)[1]"
-                          }
-                        ],
-                        "prose": "incorporates lessons learned from ongoing incident handling activities\n                     into:",
-                        "parts": [
-                          {
-                            "id": "ir-4.c_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][a]"
-                              }
-                            ],
-                            "prose": "incident response procedures;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][b]"
-                              }
-                            ],
-                            "prose": "training;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][c]"
-                              }
-                            ],
-                            "prose": "testing/exercises;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(c)[2]"
-                          }
-                        ],
-                        "prose": "implements the resulting changes accordingly to:",
-                        "parts": [
-                          {
-                            "id": "ir-4.c_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][a]"
-                              }
-                            ],
-                            "prose": "incident response procedures;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][b]"
-                              }
-                            ],
-                            "prose": "training; and"
-                          },
-                          {
-                            "id": "ir-4.c_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][c]"
-                              }
-                            ],
-                            "prose": "testing/exercises."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident handling capability for the organization"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Incident Handling Processes",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to support the incident handling\n                  process."
-                  },
-                  {
-                    "id": "ir-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms supporting incident handling processes include, for example,\n                  online incident management systems."
-                  },
-                  {
-                    "id": "ir-4.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to support the incident\n                  handling process. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nautomated mechanisms supporting incident handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms that support and/or implement the incident handling\n                     process"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Dynamic Reconfiguration",
-                "parameters": [
-                  {
-                    "id": "ir-4.2_prm_1",
-                    "label": "organization-defined information system components",
-                    "constraints": [
-                      {
-                        "detail": "all network, data storage, and computing devices"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization includes dynamic reconfiguration of {{ ir-4.2_prm_1 }} as part of the incident response capability."
-                  },
-                  {
-                    "id": "ir-4.2_gdn",
-                    "name": "guidance",
-                    "prose": "Dynamic reconfiguration includes, for example, changes to router rules, access\n                  control lists, intrusion detection/prevention system parameters, and filter rules\n                  for firewalls and gateways. Organizations perform dynamic reconfiguration of\n                  information systems, for example, to stop attacks, to misdirect attackers, and to\n                  isolate components of systems, thus limiting the extent of the damage from\n                  breaches or compromises. Organizations include time frames for achieving the\n                  reconfiguration of information systems in the definition of the reconfiguration\n                  capability, considering the potential need for rapid response in order to\n                  effectively address sophisticated cyber threats.",
-                    "links": [
-                      {
-                        "href": "#ac-2",
-                        "rel": "related",
-                        "text": "AC-2"
-                      },
-                      {
-                        "href": "#ac-4",
-                        "rel": "related",
-                        "text": "AC-4"
-                      },
-                      {
-                        "href": "#ac-16",
-                        "rel": "related",
-                        "text": "AC-16"
-                      },
-                      {
-                        "href": "#cm-2",
-                        "rel": "related",
-                        "text": "CM-2"
-                      },
-                      {
-                        "href": "#cm-3",
-                        "rel": "related",
-                        "text": "CM-3"
-                      },
-                      {
-                        "href": "#cm-4",
-                        "rel": "related",
-                        "text": "CM-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-4.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ir-4.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(2)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components to be dynamically reconfigured as part of\n                     the incident response capability; and"
-                      },
-                      {
-                        "id": "ir-4.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(2)[2]"
-                          }
-                        ],
-                        "prose": "includes dynamic reconfiguration of organization-defined information system\n                     components as part of the incident response capability."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nautomated mechanisms supporting incident handling\\n\\nlist of system components to be dynamically reconfigured as part of incident\n                     response capability\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms that support and/or implement dynamic reconfiguration of\n                     components as part of incident response"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-4.3",
-                "class": "SP800-53-enhancement",
-                "title": "Continuity of Operations",
-                "parameters": [
-                  {
-                    "id": "ir-4.3_prm_1",
-                    "label": "organization-defined classes of incidents"
-                  },
-                  {
-                    "id": "ir-4.3_prm_2",
-                    "label": "organization-defined actions to take in response to classes of\n                  incidents"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-4(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-04.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-4.3_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies {{ ir-4.3_prm_1 }} and {{ ir-4.3_prm_2 }} to ensure continuation of organizational missions and\n                  business functions."
-                  },
-                  {
-                    "id": "ir-4.3_gdn",
-                    "name": "guidance",
-                    "prose": "Classes of incidents include, for example, malfunctions due to\n                  design/implementation errors and omissions, targeted malicious attacks, and\n                  untargeted malicious attacks. Appropriate incident response actions include, for\n                  example, graceful degradation, information system shutdown, fall back to manual\n                  mode/alternative technology whereby the system operates differently, employing\n                  deceptive measures, alternate information flows, or operating in a mode that is\n                  reserved solely for when systems are under attack."
-                  },
-                  {
-                    "id": "ir-4.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ir-4.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(3)[1]"
-                          }
-                        ],
-                        "prose": "defines classes of incidents requiring an organization-defined action to be\n                     taken;"
-                      },
-                      {
-                        "id": "ir-4.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(3)[2]"
-                          }
-                        ],
-                        "prose": "defines actions to be taken in response to organization-defined classes of\n                     incidents; and"
-                      },
-                      {
-                        "id": "ir-4.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(3)[3]"
-                          }
-                        ],
-                        "prose": "identifies organization-defined classes of incidents and organization-defined\n                     actions to take in response to classes of incidents to ensure continuation of\n                     organizational missions and business functions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\nsecurity plan\\n\\nlist of classes of incidents\\n\\nlist of appropriate incident response actions\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms that support and/or implement continuity of operations"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-4.4",
-                "class": "SP800-53-enhancement",
-                "title": "Information Correlation",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-4(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-04.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-4.4_smt",
-                    "name": "statement",
-                    "prose": "The organization correlates incident information and individual incident responses\n                  to achieve an organization-wide perspective on incident awareness and\n                  response."
-                  },
-                  {
-                    "id": "ir-4.4_gdn",
-                    "name": "guidance",
-                    "prose": "Sometimes the nature of a threat event, for example, a hostile cyber attack, is\n                  such that it can only be observed by bringing together information from different\n                  sources including various reports and reporting procedures established by\n                  organizations."
-                  },
-                  {
-                    "id": "ir-4.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization correlates incident information and individual\n                  incident responses to achieve an organization-wide perspective on incident\n                  awareness and response. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\nsecurity plan\\n\\nautomated mechanisms supporting incident and event correlation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident management correlation logs\\n\\nevent management correlation logs\\n\\nsecurity information and event management logs\\n\\nincident management correlation reports\\n\\nevent management correlation reports\\n\\nsecurity information and event management reports\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with whom incident information and individual incident\n                     responses are to be correlated"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for correlating incident information and individual\n                     incident responses\\n\\nautomated mechanisms that support and or implement correlation of incident\n                     response information with individual incident responses"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-4.6",
-                "class": "SP800-53-enhancement",
-                "title": "Insider Threats - Specific Capabilities",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-4(6)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-04.06"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-4.6_smt",
-                    "name": "statement",
-                    "prose": "The organization implements incident handling capability for insider threats."
-                  },
-                  {
-                    "id": "ir-4.6_gdn",
-                    "name": "guidance",
-                    "prose": "While many organizations address insider threat incidents as an inherent part of\n                  their organizational incident response capability, this control enhancement\n                  provides additional emphasis on this type of threat and the need for specific\n                  incident handling capabilities (as defined within organizations) to provide\n                  appropriate and timely responses."
-                  },
-                  {
-                    "id": "ir-4.6_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization implements incident handling capability for insider\n                  threats."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nautomated mechanisms supporting incident handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident handling capability for the organization"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-4.8",
-                "class": "SP800-53-enhancement",
-                "title": "Correlation with External Organizations",
-                "parameters": [
-                  {
-                    "id": "ir-4.8_prm_1",
-                    "label": "organization-defined external organizations",
-                    "constraints": [
-                      {
-                        "detail": "external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-4.8_prm_2",
-                    "label": "organization-defined incident information"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-4(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-04.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-4.8_smt",
-                    "name": "statement",
-                    "prose": "The organization coordinates with {{ ir-4.8_prm_1 }} to correlate\n                  and share {{ ir-4.8_prm_2 }} to achieve a cross-organization\n                  perspective on incident awareness and more effective incident responses."
-                  },
-                  {
-                    "id": "ir-4.8_gdn",
-                    "name": "guidance",
-                    "prose": "The coordination of incident information with external organizations including,\n                  for example, mission/business partners, military/coalition partners, customers,\n                  and multitiered developers, can provide significant benefits. Cross-organizational\n                  coordination with respect to incident handling can serve as an important risk\n                  management capability. This capability allows organizations to leverage critical\n                  information from a variety of sources to effectively respond to information\n                  security-related incidents potentially affecting the organization’s operations,\n                  assets, and individuals."
-                  },
-                  {
-                    "id": "ir-4.8_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ir-4.8_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(8)[1]"
-                          }
-                        ],
-                        "prose": "defines external organizations with whom organizational incident information is\n                     to be coordinated;"
-                      },
-                      {
-                        "id": "ir-4.8_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(8)[2]"
-                          }
-                        ],
-                        "prose": "defines incident information to be correlated and shared with\n                     organization-defined external organizations; and"
-                      },
-                      {
-                        "id": "ir-4.8_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(8)[3]"
-                          }
-                        ],
-                        "prose": "the organization coordinates with organization-defined external organizations\n                     to correlate and share organization-defined information to achieve a\n                     cross-organization perspective on incident awareness and more effective\n                     incident responses."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nlist of external organizations\\n\\nrecords of incident handling coordination with external organizations\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel from external organizations with whom incident response information\n                     is to be coordinated/shared/correlated"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for coordinating incident handling information with\n                     external organizations"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-5",
-            "class": "SP800-53",
-            "title": "Incident Monitoring",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-5_smt",
-                "name": "statement",
-                "prose": "The organization tracks and documents information system security incidents."
-              },
-              {
-                "id": "ir-5_gdn",
-                "name": "guidance",
-                "prose": "Documenting information system security incidents includes, for example, maintaining\n               records about each incident, the status of the incident, and other pertinent\n               information necessary for forensics, evaluating incident details, trends, and\n               handling. Incident information can be obtained from a variety of sources including,\n               for example, incident reports, incident response teams, audit monitoring, network\n               monitoring, physical access monitoring, and user/administrator reports.",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "ir-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-5[1]"
-                      }
-                    ],
-                    "prose": "tracks information system security incidents; and"
-                  },
-                  {
-                    "id": "ir-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-5[2]"
-                      }
-                    ],
-                    "prose": "documents information system security incidents."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nincident response records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident monitoring capability for the organization\\n\\nautomated mechanisms supporting and/or implementing tracking and documenting of\n                  system security incidents"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Tracking / Data Collection / Analysis",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-5.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to assist in the tracking of\n                  security incidents and in the collection and analysis of incident information."
-                  },
-                  {
-                    "id": "ir-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms for tracking security incidents and collecting/analyzing\n                  incident information include, for example, the Einstein network monitoring device\n                  and monitoring online Computer Incident Response Centers (CIRCs) or other\n                  electronic databases of incidents.",
-                    "links": [
-                      {
-                        "href": "#au-7",
-                        "rel": "related",
-                        "text": "AU-7"
-                      },
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs automated mechanisms to assist in:",
-                    "parts": [
-                      {
-                        "id": "ir-5.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-5(1)[1]"
-                          }
-                        ],
-                        "prose": "the tracking of security incidents;"
-                      },
-                      {
-                        "id": "ir-5.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-5(1)[2]"
-                          }
-                        ],
-                        "prose": "the collection of incident information; and"
-                      },
-                      {
-                        "id": "ir-5.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-5(1)[3]"
-                          }
-                        ],
-                        "prose": "the analysis of incident information."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nautomated mechanisms supporting incident monitoring\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms assisting in tracking of security incidents and in the\n                     collection and analysis of incident information"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-6",
-            "class": "SP800-53",
-            "title": "Incident Reporting",
-            "parameters": [
-              {
-                "id": "ir-6_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_prm_2",
-                "label": "organization-defined authorities"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#02631467-668b-4233-989b-3dfded2fd184",
-                "rel": "reference",
-                "text": "http://www.us-cert.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires personnel to report suspected security incidents to the organizational\n                  incident response capability within {{ ir-6_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ir-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reports security incident information to {{ ir-6_prm_2 }}."
-                  },
-                  {
-                    "id": "ir-6_fr",
-                    "name": "item",
-                    "title": "IR-6 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Report security incident information according to FedRAMP Incident Communications Procedure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_gdn",
-                "name": "guidance",
-                "prose": "The intent of this control is to address both specific incident reporting\n               requirements within an organization and the formal incident reporting requirements\n               for federal agencies and their subordinate organizations. Suspected security\n               incidents include, for example, the receipt of suspicious email communications that\n               can potentially contain malicious code. The types of security incidents reported, the\n               content and timeliness of the reports, and the designated reporting authorities\n               reflect applicable federal laws, Executive Orders, directives, regulations, policies,\n               standards, and guidance. Current federal policy requires that all federal agencies\n               (unless specifically exempted from such requirements) report security incidents to\n               the United States Computer Emergency Readiness Team (US-CERT) within specified time\n               frames designated in the US-CERT Concept of Operations for Federal Cyber Security\n               Incident Handling.",
-                "links": [
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-5",
-                    "rel": "related",
-                    "text": "IR-5"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which personnel report suspected security\n                     incidents to the organizational incident response capability;"
-                      },
-                      {
-                        "id": "ir-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(a)[2]"
-                          }
-                        ],
-                        "prose": "requires personnel to report suspected security incidents to the organizational\n                     incident response capability within the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines authorities to whom security incident information is to be reported;\n                     and"
-                      },
-                      {
-                        "id": "ir-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reports security incident information to organization-defined authorities."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nincident reporting records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel who have/should have reported incidents\\n\\npersonnel (authorities) to whom incident information is to be reported"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing incident reporting"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Reporting",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to assist in the reporting of\n                  security incidents."
-                  },
-                  {
-                    "id": "ir-6.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ir-7",
-                        "rel": "related",
-                        "text": "IR-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-6.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to assist in the\n                  reporting of security incidents."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nautomated mechanisms supporting incident reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing reporting of security\n                     incidents"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-7",
-            "class": "SP800-53",
-            "title": "Incident Response Assistance",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-07"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-7_smt",
-                "name": "statement",
-                "prose": "The organization provides an incident response support resource, integral to the\n               organizational incident response capability that offers advice and assistance to\n               users of the information system for the handling and reporting of security\n               incidents."
-              },
-              {
-                "id": "ir-7_gdn",
-                "name": "guidance",
-                "prose": "Incident response support resources provided by organizations include, for example,\n               help desks, assistance groups, and access to forensics services, when required.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-6",
-                    "rel": "related",
-                    "text": "IR-6"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  }
-                ]
-              },
-              {
-                "id": "ir-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization provides an incident response support resource:",
-                "parts": [
-                  {
-                    "id": "ir-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-7[1]"
-                      }
-                    ],
-                    "prose": "that is integral to the organizational incident response capability; and"
-                  },
-                  {
-                    "id": "ir-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-7[2]"
-                      }
-                    ],
-                    "prose": "that offers advice and assistance to users of the information system for the\n                  handling and reporting of security incidents."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response assistance and support\n                  responsibilities\\n\\norganizational personnel with access to incident response support and assistance\n                  capability\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing incident response\n                  assistance"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automation Support for Availability of Information / Support",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to increase the availability of\n                  incident response-related information and support."
-                  },
-                  {
-                    "id": "ir-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms can provide a push and/or pull capability for users to obtain\n                  incident response assistance. For example, individuals might have access to a\n                  website to query the assistance capability, or conversely, the assistance\n                  capability may have the ability to proactively send information to users (general\n                  distribution or targeted) as part of increasing understanding of current response\n                  capabilities and support."
-                  },
-                  {
-                    "id": "ir-7.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to increase the\n                  availability of incident response-related information and support."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nautomated mechanisms supporting incident response support and assistance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response support and assistance\n                     responsibilities\\n\\norganizational personnel with access to incident response support and\n                     assistance capability\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing an increase in the\n                     availability of incident response information and support"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-7.2",
-                "class": "SP800-53-enhancement",
-                "title": "Coordination with External Providers",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-7(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-07.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-7.2_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ir-7.2_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Establishes a direct, cooperative relationship between its incident response\n                     capability and external providers of information system protection capability;\n                     and"
-                      },
-                      {
-                        "id": "ir-7.2_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Identifies organizational incident response team members to the external\n                     providers."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-7.2_gdn",
-                    "name": "guidance",
-                    "prose": "External providers of information system protection capability include, for\n                  example, the Computer Network Defense program within the U.S. Department of\n                  Defense. External providers help to protect, monitor, analyze, detect, and respond\n                  to unauthorized activity within organizational information systems and\n                  networks."
-                  },
-                  {
-                    "id": "ir-7.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ir-7.2.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-7(2)(a)"
-                          }
-                        ],
-                        "prose": "establishes a direct, cooperative relationship between its incident response\n                     capability and external providers of information system protection capability;\n                     and",
-                        "links": [
-                          {
-                            "href": "#ir-7.2_smt.a",
-                            "rel": "corresp",
-                            "text": "IR-7(2)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-7.2.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-7(2)(b)"
-                          }
-                        ],
-                        "prose": "identifies organizational incident response team members to the external\n                     providers.",
-                        "links": [
-                          {
-                            "href": "#ir-7.2_smt.b",
-                            "rel": "corresp",
-                            "text": "IR-7(2)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response support and assistance\n                     responsibilities\\n\\nexternal providers of information system protection capability\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-8",
-            "class": "SP800-53",
-            "title": "Incident Response Plan",
-            "parameters": [
-              {
-                "id": "ir-8_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-8_prm_2",
-                "label": "organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_prm_4",
-                "label": "organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops an incident response plan that:",
-                    "parts": [
-                      {
-                        "id": "ir-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Provides the organization with a roadmap for implementing its incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Describes the structure and organization of the incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Meets the unique requirements of the organization, which relate to mission,\n                     size, structure, and functions;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Defines reportable incidents;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Provides metrics for measuring the incident response capability within the\n                     organization;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.7",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "7."
-                          }
-                        ],
-                        "prose": "Defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability; and"
-                      },
-                      {
-                        "id": "ir-8_smt.a.8",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "8."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by {{ ir-8_prm_1 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the incident response plan to {{ ir-8_prm_2 }};"
-                  },
-                  {
-                    "id": "ir-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the incident response plan {{ ir-8_prm_3 }};"
-                  },
-                  {
-                    "id": "ir-8_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan implementation, execution, or testing;"
-                  },
-                  {
-                    "id": "ir-8_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Communicates incident response plan changes to {{ ir-8_prm_4 }};\n                  and"
-                  },
-                  {
-                    "id": "ir-8_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Protects the incident response plan from unauthorized disclosure and\n                  modification."
-                  },
-                  {
-                    "id": "ir-8_fr",
-                    "name": "item",
-                    "title": "IR-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-8_fr_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                      },
-                      {
-                        "id": "ir-8_fr_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_gdn",
-                "name": "guidance",
-                "prose": "It is important that organizations develop and implement a coordinated approach to\n               incident response. Organizational missions, business functions, strategies, goals,\n               and objectives for incident response help to determine the structure of incident\n               response capabilities. As part of a comprehensive incident response capability,\n               organizations consider the coordination and sharing of information with external\n               organizations, including, for example, external service providers and organizations\n               involved in the supply chain for organizational information systems.",
-                "links": [
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(a)"
-                      }
-                    ],
-                    "prose": "develops an incident response plan that:",
-                    "parts": [
-                      {
-                        "id": "ir-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(1)"
-                          }
-                        ],
-                        "prose": "provides the organization with a roadmap for implementing its incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(2)"
-                          }
-                        ],
-                        "prose": "describes the structure and organization of the incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(3)"
-                          }
-                        ],
-                        "prose": "provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"
-                      },
-                      {
-                        "id": "ir-8.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(4)"
-                          }
-                        ],
-                        "prose": "meets the unique requirements of the organization, which relate to:",
-                        "parts": [
-                          {
-                            "id": "ir-8.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "mission;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "size;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[3]"
-                              }
-                            ],
-                            "prose": "structure;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[4]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(5)"
-                          }
-                        ],
-                        "prose": "defines reportable incidents;"
-                      },
-                      {
-                        "id": "ir-8.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(6)"
-                          }
-                        ],
-                        "prose": "provides metrics for measuring the incident response capability within the\n                     organization;"
-                      },
-                      {
-                        "id": "ir-8.a.7_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(7)"
-                          }
-                        ],
-                        "prose": "defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability;"
-                      },
-                      {
-                        "id": "ir-8.a.8_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(8)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.a.8_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(8)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to review and approve the incident response\n                        plan;"
-                          },
-                          {
-                            "id": "ir-8.a.8_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(8)[2]"
-                              }
-                            ],
-                            "prose": "is reviewed and approved by organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(b)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.b_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(b)[1][a]"
-                              }
-                            ],
-                            "prose": "defines incident response personnel (identified by name and/or by role) to\n                        whom copies of the incident response plan are to be distributed;"
-                          },
-                          {
-                            "id": "ir-8.b_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(b)[1][b]"
-                              }
-                            ],
-                            "prose": "defines organizational elements to whom copies of the incident response plan\n                        are to be distributed;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the incident response plan to organization-defined\n                     incident response personnel (identified by name and/or by role) and\n                     organizational elements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the incident response plan;"
-                      },
-                      {
-                        "id": "ir-8.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the incident response plan with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-8(d)"
-                      }
-                    ],
-                    "prose": "updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan:",
-                    "parts": [
-                      {
-                        "id": "ir-8.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[1]"
-                          }
-                        ],
-                        "prose": "implementation;"
-                      },
-                      {
-                        "id": "ir-8.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[2]"
-                          }
-                        ],
-                        "prose": "execution; or"
-                      },
-                      {
-                        "id": "ir-8.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[3]"
-                          }
-                        ],
-                        "prose": "testing;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(e)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.e_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(e)[1][a]"
-                              }
-                            ],
-                            "prose": "defines incident response personnel (identified by name and/or by role) to\n                        whom incident response plan changes are to be communicated;"
-                          },
-                          {
-                            "id": "ir-8.e_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(e)[1][b]"
-                              }
-                            ],
-                            "prose": "defines organizational elements to whom incident response plan changes are\n                        to be communicated;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(e)[2]"
-                          }
-                        ],
-                        "prose": "communicates incident response plan changes to organization-defined incident\n                     response personnel (identified by name and/or by role) and organizational\n                     elements; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-8(f)"
-                      }
-                    ],
-                    "prose": "protects the incident response plan from unauthorized disclosure and\n                  modification."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response planning\\n\\nincident response plan\\n\\nrecords of incident response plan reviews and approvals\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational incident response plan and related organizational processes"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-9",
-            "class": "SP800-53",
-            "title": "Information Spillage Response",
-            "parameters": [
-              {
-                "id": "ir-9_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-9_prm_2",
-                "label": "organization-defined actions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-9_smt",
-                "name": "statement",
-                "prose": "The organization responds to information spills by:",
-                "parts": [
-                  {
-                    "id": "ir-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifying the specific information involved in the information system\n                  contamination;"
-                  },
-                  {
-                    "id": "ir-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Alerting {{ ir-9_prm_1 }} of the information spill using a method\n                  of communication not associated with the spill;"
-                  },
-                  {
-                    "id": "ir-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Isolating the contaminated information system or system component;"
-                  },
-                  {
-                    "id": "ir-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Eradicating the information from the contaminated information system or\n                  component;"
-                  },
-                  {
-                    "id": "ir-9_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Identifying other information systems or system components that may have been\n                  subsequently contaminated; and"
-                  },
-                  {
-                    "id": "ir-9_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Performing other {{ ir-9_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ir-9_gdn",
-                "name": "guidance",
-                "prose": "Information spillage refers to instances where either classified or sensitive\n               information is inadvertently placed on information systems that are not authorized to\n               process such information. Such information spills often occur when information that\n               is initially thought to be of lower sensitivity is transmitted to an information\n               system and then is subsequently determined to be of higher sensitivity. At that\n               point, corrective action is required. The nature of the organizational response is\n               generally based upon the degree of sensitivity of the spilled information (e.g.,\n               security category or classification level), the security capabilities of the\n               information system, the specific nature of contaminated storage media, and the access\n               authorizations (e.g., security clearances) of individuals with authorized access to\n               the contaminated system. The methods used to communicate information about the spill\n               after the fact do not involve methods directly associated with the actual spill to\n               minimize the risk of further spreading the contamination before such contamination is\n               isolated and eradicated."
-              },
-              {
-                "id": "ir-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-9(a)"
-                      }
-                    ],
-                    "prose": "responds to information spills by identifying the specific information causing the\n                  information system contamination;"
-                  },
-                  {
-                    "id": "ir-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel to be alerted of the information spillage;"
-                      },
-                      {
-                        "id": "ir-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[2]"
-                          }
-                        ],
-                        "prose": "identifies a method of communication not associated with the information spill\n                     to use to alert organization-defined personnel of the spill;"
-                      },
-                      {
-                        "id": "ir-9.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[3]"
-                          }
-                        ],
-                        "prose": "responds to information spills by alerting organization-defined personnel of\n                     the information spill using a method of communication not associated with the\n                     spill;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-9(c)"
-                      }
-                    ],
-                    "prose": "responds to information spills by isolating the contaminated information\n                  system;"
-                  },
-                  {
-                    "id": "ir-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-9(d)"
-                      }
-                    ],
-                    "prose": "responds to information spills by eradicating the information from the\n                  contaminated information system;"
-                  },
-                  {
-                    "id": "ir-9.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-9(e)"
-                      }
-                    ],
-                    "prose": "responds to information spills by identifying other information systems that may\n                  have been subsequently contaminated;"
-                  },
-                  {
-                    "id": "ir-9.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-9.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(f)[1]"
-                          }
-                        ],
-                        "prose": "defines other actions to be performed in response to information spills;\n                     and"
-                      },
-                      {
-                        "id": "ir-9.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(f)[2]"
-                          }
-                        ],
-                        "prose": "responds to information spills by performing other organization-defined\n                     actions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nrecords of information spillage alerts/notifications, list of personnel who should\n                  receive alerts of information spillage\\n\\nlist of actions to be performed regarding information spillage\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information spillage response\\n\\nautomated mechanisms supporting and/or implementing information spillage response\n                  actions and related communications"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-9.1",
-                "class": "SP800-53-enhancement",
-                "title": "Responsible Personnel",
-                "parameters": [
-                  {
-                    "id": "ir-9.1_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-9(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-09.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-9.1_smt",
-                    "name": "statement",
-                    "prose": "The organization assigns {{ ir-9.1_prm_1 }} with responsibility for\n                  responding to information spills."
-                  },
-                  {
-                    "id": "ir-9.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ir-9.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(1)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel with responsibility for responding to information spills;\n                     and"
-                      },
-                      {
-                        "id": "ir-9.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(1)[2]"
-                          }
-                        ],
-                        "prose": "assigns organization-defined personnel with responsibility for responding to\n                     information spills."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nlist of personnel responsible for responding to information spillage\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-9.2",
-                "class": "SP800-53-enhancement",
-                "title": "Training",
-                "parameters": [
-                  {
-                    "id": "ir-9.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least annually"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "IR-9(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-09.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-9.2_smt",
-                    "name": "statement",
-                    "prose": "The organization provides information spillage response training {{ ir-9.2_prm_1 }}."
-                  },
-                  {
-                    "id": "ir-9.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ir-9.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(2)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide information spillage response training;\n                     and"
-                      },
-                      {
-                        "id": "ir-9.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(2)[2]"
-                          }
-                        ],
-                        "prose": "provides information spillage response training with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing information spillage response training\\n\\ninformation spillage response training curriculum\\n\\ninformation spillage response training materials\\n\\nincident response plan\\n\\ninformation spillage response training records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-9.3",
-                "class": "SP800-53-enhancement",
-                "title": "Post-spill Operations",
-                "parameters": [
-                  {
-                    "id": "ir-9.3_prm_1",
-                    "label": "organization-defined procedures"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-9(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-09.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-9.3_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ ir-9.3_prm_1 }} to ensure that\n                  organizational personnel impacted by information spills can continue to carry out\n                  assigned tasks while contaminated systems are undergoing corrective actions."
-                  },
-                  {
-                    "id": "ir-9.3_gdn",
-                    "name": "guidance",
-                    "prose": "Correction actions for information systems contaminated due to information\n                  spillages may be very time-consuming. During those periods, personnel may not have\n                  access to the contaminated systems, which may potentially affect their ability to\n                  conduct organizational business."
-                  },
-                  {
-                    "id": "ir-9.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ir-9.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(3)[1]"
-                          }
-                        ],
-                        "prose": "defines procedures that ensure organizational personnel impacted by information\n                     spills can continue to carry out assigned tasks while contaminated systems are\n                     undergoing corrective actions; and"
-                      },
-                      {
-                        "id": "ir-9.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(3)[2]"
-                          }
-                        ],
-                        "prose": "implements organization-defined procedures to ensure that organizational\n                     personnel impacted by information spills can continue to carry out assigned\n                     tasks while contaminated systems are undergoing corrective actions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for post-spill operations"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-9.4",
-                "class": "SP800-53-enhancement",
-                "title": "Exposure to Unauthorized Personnel",
-                "parameters": [
-                  {
-                    "id": "ir-9.4_prm_1",
-                    "label": "organization-defined security safeguards"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-9(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-09.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-9.4_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ ir-9.4_prm_1 }} for personnel exposed\n                  to information not within assigned access authorizations."
-                  },
-                  {
-                    "id": "ir-9.4_gdn",
-                    "name": "guidance",
-                    "prose": "Security safeguards include, for example, making personnel exposed to spilled\n                  information aware of the federal laws, directives, policies, and/or regulations\n                  regarding the information and the restrictions imposed based on exposure to such\n                  information."
-                  },
-                  {
-                    "id": "ir-9.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ir-9.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(4)[1]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed for personnel exposed to information\n                     not within assigned access authorizations; and"
-                      },
-                      {
-                        "id": "ir-9.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(4)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined security safeguards for personnel exposed to\n                     information not within assigned access authorizations."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nsecurity safeguards regarding information spillage/exposure to unauthorized\n                     personnel\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for dealing with information exposed to unauthorized\n                     personnel\\n\\nautomated mechanisms supporting and/or implementing safeguards for personnel\n                     exposed to information not within assigned access authorizations"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ma",
-        "class": "family",
-        "title": "Maintenance",
-        "controls": [
-          {
-            "id": "ma-1",
-            "class": "SP800-53",
-            "title": "System Maintenance Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ma-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ma-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ma-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ma-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system maintenance policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ma-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system maintenance policy\n                     and associated system maintenance controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ma-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System maintenance policy {{ ma-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ma-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System maintenance procedures {{ ma-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ma-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system maintenance policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ma-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ma-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system maintenance policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ma-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system maintenance policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        maintenance policy and associated system maintenance controls;"
-                          },
-                          {
-                            "id": "ma-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ma-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system maintenance\n                        policy;"
-                          },
-                          {
-                            "id": "ma-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system maintenance policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system maintenance\n                        procedures; and"
-                          },
-                          {
-                            "id": "ma-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system maintenance procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Maintenance policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-2",
-            "class": "SP800-53",
-            "title": "Controlled Maintenance",
-            "parameters": [
-              {
-                "id": "ma-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ma-2_prm_2",
-                "label": "organization-defined maintenance-related information"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Schedules, performs, documents, and reviews records of maintenance and repairs on\n                  information system components in accordance with manufacturer or vendor\n                  specifications and/or organizational requirements;"
-                  },
-                  {
-                    "id": "ma-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Approves and monitors all maintenance activities, whether performed on site or\n                  remotely and whether the equipment is serviced on site or removed to another\n                  location;"
-                  },
-                  {
-                    "id": "ma-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Requires that {{ ma-2_prm_1 }} explicitly approve the removal of\n                  the information system or system components from organizational facilities for\n                  off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions; and"
-                  },
-                  {
-                    "id": "ma-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Includes {{ ma-2_prm_2 }} in organizational maintenance\n                  records."
-                  }
-                ]
-              },
-              {
-                "id": "ma-2_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the information security aspects of the information system\n               maintenance program and applies to all types of maintenance to any system component\n               (including applications) conducted by any local or nonlocal entity (e.g.,\n               in-contract, warranty, in-house, software maintenance agreement). System maintenance\n               also includes those components not directly associated with information processing\n               and/or data/information retention such as scanners, copiers, and printers.\n               Information necessary for creating effective maintenance records includes, for\n               example: (i) date and time of maintenance; (ii) name of individuals or group\n               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of\n               the maintenance performed; and (v) information system components/equipment removed or\n               replaced (including identification numbers, if applicable). The level of detail\n               included in maintenance records can be informed by the security categories of\n               organizational information systems. Organizations consider supply chain issues\n               associated with replacement components for information systems.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "ma-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ma-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[1]"
-                          }
-                        ],
-                        "prose": "schedules maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[1][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[1][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[2]"
-                          }
-                        ],
-                        "prose": "performs maintenance and repairs on information system components in accordance\n                     with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[2][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[2][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[3]"
-                          }
-                        ],
-                        "prose": "documents maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[3][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[3][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[4]"
-                          }
-                        ],
-                        "prose": "reviews records of maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[4][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[4][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "approves all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"
-                      },
-                      {
-                        "id": "ma-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "monitors all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles required to explicitly approve the removal of the\n                     information system or system components from organizational facilities for\n                     off-site maintenance or repairs;"
-                      },
-                      {
-                        "id": "ma-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(c)[2]"
-                          }
-                        ],
-                        "prose": "requires that organization-defined personnel or roles explicitly approve the\n                     removal of the information system or system components from organizational\n                     facilities for off-site maintenance or repairs;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-2(d)"
-                      }
-                    ],
-                    "prose": "sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-2(e)"
-                      }
-                    ],
-                    "prose": "checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions;"
-                  },
-                  {
-                    "id": "ma-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines maintenance-related information to be included in organizational\n                     maintenance records; and"
-                      },
-                      {
-                        "id": "ma-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(f)[2]"
-                          }
-                        ],
-                        "prose": "includes organization-defined maintenance-related information in organizational\n                     maintenance records."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nmaintenance records\\n\\nmanufacturer/vendor maintenance specifications\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for scheduling, performing, documenting, reviewing,\n                  approving, and monitoring maintenance and repairs for the information system\\n\\norganizational processes for sanitizing information system components\\n\\nautomated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms implementing sanitization of information system\n                  components"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ma-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Maintenance Activities",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ma-2.2_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Employs automated mechanisms to schedule, conduct, and document maintenance and\n                     repairs; and"
-                      },
-                      {
-                        "id": "ma-2.2_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Produces up-to date, accurate, and complete records of all maintenance and\n                     repair actions requested, scheduled, in process, and completed."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      },
-                      {
-                        "href": "#ma-3",
-                        "rel": "related",
-                        "text": "MA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ma-2.2.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(2)(a)"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to:",
-                        "parts": [
-                          {
-                            "id": "ma-2.2.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(2)(a)[1]"
-                              }
-                            ],
-                            "prose": "schedule maintenance and repairs;"
-                          },
-                          {
-                            "id": "ma-2.2.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(2)(a)[2]"
-                              }
-                            ],
-                            "prose": "conduct maintenance and repairs;"
-                          },
-                          {
-                            "id": "ma-2.2.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(2)(a)[3]"
-                              }
-                            ],
-                            "prose": "document maintenance and repairs;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ma-2.2_smt.a",
-                            "rel": "corresp",
-                            "text": "MA-2(2)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.2.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(2)(b)"
-                          }
-                        ],
-                        "prose": "produces up-to-date, accurate, and complete records of all maintenance and\n                     repair actions:",
-                        "parts": [
-                          {
-                            "id": "ma-2.2.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(2)(b)[1]"
-                              }
-                            ],
-                            "prose": "requested;"
-                          },
-                          {
-                            "id": "ma-2.2.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(2)(b)[2]"
-                              }
-                            ],
-                            "prose": "scheduled;"
-                          },
-                          {
-                            "id": "ma-2.2.b_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(2)(b)[3]"
-                              }
-                            ],
-                            "prose": "in process; and"
-                          },
-                          {
-                            "id": "ma-2.2.b_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(2)(b)[4]"
-                              }
-                            ],
-                            "prose": "completed."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ma-2.2_smt.b",
-                            "rel": "corresp",
-                            "text": "MA-2(2)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nautomated mechanisms supporting information system maintenance activities\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms supporting and/or implementing production of records of\n                     maintenance and repair actions"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-3",
-            "class": "SP800-53",
-            "title": "Maintenance Tools",
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-3_smt",
-                "name": "statement",
-                "prose": "The organization approves, controls, and monitors information system maintenance\n               tools."
-              },
-              {
-                "id": "ma-3_gdn",
-                "name": "guidance",
-                "prose": "This control addresses security-related issues associated with maintenance tools used\n               specifically for diagnostic and repair actions on organizational information systems.\n               Maintenance tools can include hardware, software, and firmware items. Maintenance\n               tools are potential vehicles for transporting malicious code, either intentionally or\n               unintentionally, into a facility and subsequently into organizational information\n               systems. Maintenance tools can include, for example, hardware/software diagnostic\n               test equipment and hardware/software packet sniffers. This control does not cover\n               hardware/software components that may support information system maintenance, yet are\n               a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,\n               or the hardware and software implementing the monitoring port of an Ethernet\n               switch.",
-                "links": [
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  }
-                ]
-              },
-              {
-                "id": "ma-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-3[1]"
-                      }
-                    ],
-                    "prose": "approves information system maintenance tools;"
-                  },
-                  {
-                    "id": "ma-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-3[2]"
-                      }
-                    ],
-                    "prose": "controls information system maintenance tools; and"
-                  },
-                  {
-                    "id": "ma-3_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-3[3]"
-                      }
-                    ],
-                    "prose": "monitors information system maintenance tools."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for approving, controlling, and monitoring maintenance\n                  tools\\n\\nautomated mechanisms supporting and/or implementing approval, control, and/or\n                  monitoring of maintenance tools"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ma-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Inspect Tools",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-3.1_smt",
-                    "name": "statement",
-                    "prose": "The organization inspects the maintenance tools carried into a facility by\n                  maintenance personnel for improper or unauthorized modifications."
-                  },
-                  {
-                    "id": "ma-3.1_gdn",
-                    "name": "guidance",
-                    "prose": "If, upon inspection of maintenance tools, organizations determine that the tools\n                  have been modified in an improper/unauthorized manner or contain malicious code,\n                  the incident is handled consistent with organizational policies and procedures for\n                  incident handling.",
-                    "links": [
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-3.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization inspects the maintenance tools carried into a\n                  facility by maintenance personnel for improper or unauthorized modifications. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance tool inspection records\\n\\nmaintenance records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for inspecting maintenance tools\\n\\nautomated mechanisms supporting and/or implementing inspection of maintenance\n                     tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-3.2",
-                "class": "SP800-53-enhancement",
-                "title": "Inspect Media",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-3(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-03.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-3.2_smt",
-                    "name": "statement",
-                    "prose": "The organization checks media containing diagnostic and test programs for\n                  malicious code before the media are used in the information system."
-                  },
-                  {
-                    "id": "ma-3.2_gdn",
-                    "name": "guidance",
-                    "prose": "If, upon inspection of media containing maintenance diagnostic and test programs,\n                  organizations determine that the media contain malicious code, the incident is\n                  handled consistent with organizational incident handling policies and\n                  procedures.",
-                    "links": [
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-3.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization checks media containing diagnostic and test programs\n                  for malicious code before the media are used in the information system. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for inspecting media for malicious code\\n\\nautomated mechanisms supporting and/or implementing inspection of media used\n                     for maintenance"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-3.3",
-                "class": "SP800-53-enhancement",
-                "title": "Prevent Unauthorized Removal",
-                "parameters": [
-                  {
-                    "id": "ma-3.3_prm_1",
-                    "label": "organization-defined personnel or roles",
-                    "constraints": [
-                      {
-                        "detail": "the information owner explicitly authorizing removal of the equipment from the facility"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-3(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-03.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-3.3_smt",
-                    "name": "statement",
-                    "prose": "The organization prevents the unauthorized removal of maintenance equipment\n                  containing organizational information by:",
-                    "parts": [
-                      {
-                        "id": "ma-3.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Verifying that there is no organizational information contained on the\n                     equipment;"
-                      },
-                      {
-                        "id": "ma-3.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Sanitizing or destroying the equipment;"
-                      },
-                      {
-                        "id": "ma-3.3_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Retaining the equipment within the facility; or"
-                      },
-                      {
-                        "id": "ma-3.3_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly\n                     authorizing removal of the equipment from the facility."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-3.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational information includes all information specifically owned by\n                  organizations and information provided to organizations in which organizations\n                  serve as information stewards."
-                  },
-                  {
-                    "id": "ma-3.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization prevents the unauthorized removal of maintenance\n                  equipment containing organizational information by: ",
-                    "parts": [
-                      {
-                        "id": "ma-3.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-3(3)(a)"
-                          }
-                        ],
-                        "prose": "verifying that there is no organizational information contained on the\n                     equipment;",
-                        "links": [
-                          {
-                            "href": "#ma-3.3_smt.a",
-                            "rel": "corresp",
-                            "text": "MA-3(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-3.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-3(3)(b)"
-                          }
-                        ],
-                        "prose": "sanitizing or destroying the equipment;",
-                        "links": [
-                          {
-                            "href": "#ma-3.3_smt.b",
-                            "rel": "corresp",
-                            "text": "MA-3(3)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-3.3.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-3(3)(c)"
-                          }
-                        ],
-                        "prose": "retaining the equipment within the facility; or",
-                        "links": [
-                          {
-                            "href": "#ma-3.3_smt.c",
-                            "rel": "corresp",
-                            "text": "MA-3(3)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-3.3.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-3(3)(d)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-3.3.d_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-3(3)(d)[1]"
-                              }
-                            ],
-                            "prose": "defining personnel or roles that can grant an exemption from explicitly\n                        authorizing removal of the equipment from the facility; and"
-                          },
-                          {
-                            "id": "ma-3.3.d_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-3(3)(d)[2]"
-                              }
-                            ],
-                            "prose": "obtaining an exemption from organization-defined personnel or roles\n                        explicitly authorizing removal of the equipment from the facility."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ma-3.3_smt.d",
-                            "rel": "corresp",
-                            "text": "MA-3(3)(d)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nexemptions for equipment removal\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for preventing unauthorized removal of information\\n\\nautomated mechanisms supporting media sanitization or destruction of\n                     equipment\\n\\nautomated mechanisms supporting verification of media sanitization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-4",
-            "class": "SP800-53",
-            "title": "Nonlocal Maintenance",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-                "rel": "reference",
-                "text": "FIPS Publication 197"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              },
-              {
-                "href": "#a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-                "rel": "reference",
-                "text": "CNSS Policy 15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Approves and monitors nonlocal maintenance and diagnostic activities;"
-                  },
-                  {
-                    "id": "ma-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Allows the use of nonlocal maintenance and diagnostic tools only as consistent\n                  with organizational policy and documented in the security plan for the information\n                  system;"
-                  },
-                  {
-                    "id": "ma-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"
-                  },
-                  {
-                    "id": "ma-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Maintains records for nonlocal maintenance and diagnostic activities; and"
-                  },
-                  {
-                    "id": "ma-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Terminates session and network connections when nonlocal maintenance is\n                  completed."
-                  }
-                ]
-              },
-              {
-                "id": "ma-4_gdn",
-                "name": "guidance",
-                "prose": "Nonlocal maintenance and diagnostic activities are those activities conducted by\n               individuals communicating through a network, either an external network (e.g., the\n               Internet) or an internal network. Local maintenance and diagnostic activities are\n               those activities carried out by individuals physically present at the information\n               system or information system component and not communicating across a network\n               connection. Authentication techniques used in the establishment of nonlocal\n               maintenance and diagnostic sessions reflect the network access requirements in IA-2.\n               Typically, strong authentication requires authenticators that are resistant to replay\n               attacks and employ multifactor authentication. Strong authenticators include, for\n               example, PKI where certificates are stored on a token protected by a password,\n               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by\n               other controls.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  }
-                ]
-              },
-              {
-                "id": "ma-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(a)[1]"
-                          }
-                        ],
-                        "prose": "approves nonlocal maintenance and diagnostic activities;"
-                      },
-                      {
-                        "id": "ma-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors nonlocal maintenance and diagnostic activities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(b)"
-                      }
-                    ],
-                    "prose": "allows the use of nonlocal maintenance and diagnostic tools only:",
-                    "parts": [
-                      {
-                        "id": "ma-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(b)[1]"
-                          }
-                        ],
-                        "prose": "as consistent with organizational policy;"
-                      },
-                      {
-                        "id": "ma-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(b)[2]"
-                          }
-                        ],
-                        "prose": "as documented in the security plan for the information system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(c)"
-                      }
-                    ],
-                    "prose": "employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"
-                  },
-                  {
-                    "id": "ma-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(d)"
-                      }
-                    ],
-                    "prose": "maintains records for nonlocal maintenance and diagnostic activities;"
-                  },
-                  {
-                    "id": "ma-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-4.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(e)[1]"
-                          }
-                        ],
-                        "prose": "terminates sessions when nonlocal maintenance or diagnostics is completed;\n                     and"
-                      },
-                      {
-                        "id": "ma-4.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(e)[2]"
-                          }
-                        ],
-                        "prose": "terminates network connections when nonlocal maintenance or diagnostics is\n                     completed."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing nonlocal maintenance\\n\\nautomated mechanisms implementing, supporting, and/or managing nonlocal\n                  maintenance\\n\\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic\n                  sessions\\n\\nautomated mechanisms for terminating nonlocal maintenance sessions and network\n                  connections"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ma-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Document Nonlocal Maintenance",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization documents in the security plan for the information system, the\n                  policies and procedures for the establishment and use of nonlocal maintenance and\n                  diagnostic connections."
-                  },
-                  {
-                    "id": "ma-4.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization documents in the security plan for the information\n                  system: ",
-                    "parts": [
-                      {
-                        "id": "ma-4.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(2)[1]"
-                          }
-                        ],
-                        "prose": "the policies for the establishment and use of nonlocal maintenance and\n                     diagnostic connections; and"
-                      },
-                      {
-                        "id": "ma-4.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(2)[2]"
-                          }
-                        ],
-                        "prose": "the procedures for the establishment and use of nonlocal maintenance and\n                     diagnostic connections."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing non-local information system maintenance\\n\\nsecurity plan\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-4.3",
-                "class": "SP800-53-enhancement",
-                "title": "Comparable Security / Sanitization",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-4(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-04.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-4.3_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ma-4.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Requires that nonlocal maintenance and diagnostic services be performed from an\n                     information system that implements a security capability comparable to the\n                     capability implemented on the system being serviced; or"
-                      },
-                      {
-                        "id": "ma-4.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Removes the component to be serviced from the information system prior to\n                     nonlocal maintenance or diagnostic services, sanitizes the component (with\n                     regard to organizational information) before removal from organizational\n                     facilities, and after the service is performed, inspects and sanitizes the\n                     component (with regard to potentially malicious software) before reconnecting\n                     the component to the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.3_gdn",
-                    "name": "guidance",
-                    "prose": "Comparable security capability on information systems, diagnostic tools, and\n                  equipment providing maintenance services implies that the implemented security\n                  controls on those systems, tools, and equipment are at least as comprehensive as\n                  the controls on the information system being serviced.",
-                    "links": [
-                      {
-                        "href": "#ma-3",
-                        "rel": "related",
-                        "text": "MA-3"
-                      },
-                      {
-                        "href": "#sa-12",
-                        "rel": "related",
-                        "text": "SA-12"
-                      },
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ma-4.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(3)(a)"
-                          }
-                        ],
-                        "prose": "requires that nonlocal maintenance and diagnostic services be performed from an\n                     information system that implements a security capability comparable to the\n                     capability implemented on the system being serviced; or",
-                        "links": [
-                          {
-                            "href": "#ma-4.3_smt.a",
-                            "rel": "corresp",
-                            "text": "MA-4(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-4.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(3)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-4.3.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-4(3)(b)[1]"
-                              }
-                            ],
-                            "prose": "removes the component to be serviced from the information system;"
-                          },
-                          {
-                            "id": "ma-4.3.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-4(3)(b)[2]"
-                              }
-                            ],
-                            "prose": "sanitizes the component (with regard to organizational information) prior to\n                        nonlocal maintenance or diagnostic services and/or before removal from\n                        organizational facilities; and"
-                          },
-                          {
-                            "id": "ma-4.3.b_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-4(3)(b)[3]"
-                              }
-                            ],
-                            "prose": "inspects and sanitizes the component (with regard to potentially malicious\n                        software) after service is performed on the component and before\n                        reconnecting the component to the information system."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ma-4.3_smt.b",
-                            "rel": "corresp",
-                            "text": "MA-4(3)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nservice provider contracts and/or service-level agreements\\n\\nmaintenance records\\n\\ninspection records\\n\\naudit records\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\ninformation system maintenance provider\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for comparable security and sanitization for nonlocal\n                     maintenance\\n\\norganizational processes for removal, sanitization, and inspection of\n                     components serviced via nonlocal maintenance\\n\\nautomated mechanisms supporting and/or implementing component sanitization and\n                     inspection"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-4.6",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptographic Protection",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-4(6)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-04.06"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-4.6_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to protect the\n                  integrity and confidentiality of nonlocal maintenance and diagnostic\n                  communications."
-                  },
-                  {
-                    "id": "ma-4.6_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#sc-8",
-                        "rel": "related",
-                        "text": "SC-8"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.6_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements cryptographic mechanisms to protect\n                  the integrity and confidentiality of nonlocal maintenance and diagnostic\n                  communications. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing non-local information system maintenance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms protecting nonlocal maintenance activities\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\nnetwork engineers\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms protecting nonlocal maintenance and diagnostic\n                     communications"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-5",
-            "class": "SP800-53",
-            "title": "Maintenance Personnel",
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes a process for maintenance personnel authorization and maintains a list\n                  of authorized maintenance organizations or personnel;"
-                  },
-                  {
-                    "id": "ma-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"
-                  },
-                  {
-                    "id": "ma-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."
-                  }
-                ]
-              },
-              {
-                "id": "ma-5_gdn",
-                "name": "guidance",
-                "prose": "This control applies to individuals performing hardware or software maintenance on\n               organizational information systems, while PE-2 addresses physical access for\n               individuals whose maintenance duties place them within the physical protection\n               perimeter of the systems (e.g., custodial staff, physical plant maintenance\n               personnel). Technical competence of supervising individuals relates to the\n               maintenance performed on the information systems while having required access\n               authorizations refers to maintenance on and near the systems. Individuals not\n               previously identified as authorized maintenance personnel, such as information\n               technology manufacturers, vendors, systems integrators, and consultants, may require\n               privileged access to organizational information systems, for example, when required\n               to conduct maintenance activities with little or no notice. Based on organizational\n               assessments of risk, organizations may issue temporary credentials to these\n               individuals. Temporary credentials may be for one-time use or for very limited time\n               periods.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "ma-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes a process for maintenance personnel authorization;"
-                      },
-                      {
-                        "id": "ma-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "maintains a list of authorized maintenance organizations or personnel;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-5(b)"
-                      }
-                    ],
-                    "prose": "ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"
-                  },
-                  {
-                    "id": "ma-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-5(c)"
-                      }
-                    ],
-                    "prose": "designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\nlist of authorized personnel\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for authorizing and managing maintenance personnel\\n\\nautomated mechanisms supporting and/or implementing authorization of maintenance\n                  personnel"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ma-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Individuals Without Appropriate Access",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-5.1_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ma-5.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Implements procedures for the use of maintenance personnel that lack\n                     appropriate security clearances or are not U.S. citizens, that include the\n                     following requirements:",
-                        "parts": [
-                          {
-                            "id": "ma-5.1_smt.a.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(1)"
-                              }
-                            ],
-                            "prose": "Maintenance personnel who do not have needed access authorizations,\n                        clearances, or formal access approvals are escorted and supervised during\n                        the performance of maintenance and diagnostic activities on the information\n                        system by approved organizational personnel who are fully cleared, have\n                        appropriate access authorizations, and are technically qualified;"
-                          },
-                          {
-                            "id": "ma-5.1_smt.a.2",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(2)"
-                              }
-                            ],
-                            "prose": "Prior to initiating maintenance or diagnostic activities by personnel who do\n                        not have needed access authorizations, clearances or formal access\n                        approvals, all volatile information storage components within the\n                        information system are sanitized and all nonvolatile storage media are\n                        removed or physically disconnected from the system and secured; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-5.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Develops and implements alternate security safeguards in the event an\n                     information system component cannot be sanitized, removed, or disconnected from\n                     the system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement denies individuals who lack appropriate security\n                  clearances (i.e., individuals who do not possess security clearances or possess\n                  security clearances at a lower level than required) or who are not U.S. citizens,\n                  visual and electronic access to any classified information, Controlled\n                  Unclassified Information (CUI), or any other sensitive information contained on\n                  organizational information systems. Procedures for the use of maintenance\n                  personnel can be documented in security plans for the information systems.",
-                    "links": [
-                      {
-                        "href": "#mp-6",
-                        "rel": "related",
-                        "text": "MP-6"
-                      },
-                      {
-                        "href": "#pl-2",
-                        "rel": "related",
-                        "text": "PL-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ma-5.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-5(1)(a)"
-                          }
-                        ],
-                        "prose": "implements procedures for the use of maintenance personnel that lack\n                     appropriate security clearances or are not U.S. citizens, that include the\n                     following requirements:",
-                        "parts": [
-                          {
-                            "id": "ma-5.1.a.1_obj",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-5(1)(a)(1)"
-                              }
-                            ],
-                            "prose": "maintenance personnel who do not have needed access authorizations,\n                        clearances, or formal access approvals are escorted and supervised during\n                        the performance of maintenance and diagnostic activities on the information\n                        system by approved organizational personnel who:",
-                            "parts": [
-                              {
-                                "id": "ma-5.1.a.1_obj.1",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(1)[1]"
-                                  }
-                                ],
-                                "prose": "are fully cleared;"
-                              },
-                              {
-                                "id": "ma-5.1.a.1_obj.2",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(1)[2]"
-                                  }
-                                ],
-                                "prose": "have appropriate access authorizations;"
-                              },
-                              {
-                                "id": "ma-5.1.a.1_obj.3",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(1)[3]"
-                                  }
-                                ],
-                                "prose": "are technically qualified;"
-                              }
-                            ],
-                            "links": [
-                              {
-                                "href": "#ma-5.1_smt.a.1",
-                                "rel": "corresp",
-                                "text": "MA-5(1)(a)(1)"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ma-5.1.a.2_obj",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-5(1)(a)(2)"
-                              }
-                            ],
-                            "prose": "prior to initiating maintenance or diagnostic activities by personnel who do\n                        not have needed access authorizations, clearances, or formal access\n                        approvals:",
-                            "parts": [
-                              {
-                                "id": "ma-5.1.a.2_obj.1",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(2)[1]"
-                                  }
-                                ],
-                                "prose": "all volatile information storage components within the information system\n                           are sanitized; and"
-                              },
-                              {
-                                "id": "ma-5.1.a.2_obj.2",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(2)[2]"
-                                  }
-                                ],
-                                "prose": "all nonvolatile storage media are removed; or"
-                              },
-                              {
-                                "id": "ma-5.1.a.2_obj.3",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(2)[3]"
-                                  }
-                                ],
-                                "prose": "all nonvolatile storage media are physically disconnected from the system\n                           and secured; and"
-                              }
-                            ],
-                            "links": [
-                              {
-                                "href": "#ma-5.1_smt.a.2",
-                                "rel": "corresp",
-                                "text": "MA-5(1)(a)(2)"
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ma-5.1_smt.a",
-                            "rel": "corresp",
-                            "text": "MA-5(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-5.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-5(1)(b)"
-                          }
-                        ],
-                        "prose": "develops and implements alternative security safeguards in the event an\n                     information system component cannot be sanitized, removed, or disconnected from\n                     the system.",
-                        "links": [
-                          {
-                            "href": "#ma-5.1_smt.b",
-                            "rel": "corresp",
-                            "text": "MA-5(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\ninformation system media protection policy\\n\\nphysical and environmental protection policy\\n\\nsecurity plan\\n\\nlist of maintenance personnel requiring escort/supervision\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with personnel security responsibilities\\n\\norganizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing maintenance personnel without appropriate\n                     access\\n\\nautomated mechanisms supporting and/or implementing alternative security\n                     safeguards\\n\\nautomated mechanisms supporting and/or implementing information storage\n                     component sanitization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-6",
-            "class": "SP800-53",
-            "title": "Timely Maintenance",
-            "parameters": [
-              {
-                "id": "ma-6_prm_1",
-                "label": "organization-defined information system components"
-              },
-              {
-                "id": "ma-6_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-6_smt",
-                "name": "statement",
-                "prose": "The organization obtains maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure."
-              },
-              {
-                "id": "ma-6_gdn",
-                "name": "guidance",
-                "prose": "Organizations specify the information system components that result in increased risk\n               to organizational operations and assets, individuals, other organizations, or the\n               Nation when the functionality provided by those components is not operational.\n               Organizational actions to obtain maintenance support typically include having\n               appropriate contracts in place.",
-                "links": [
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#sa-14",
-                    "rel": "related",
-                    "text": "SA-14"
-                  },
-                  {
-                    "href": "#sa-15",
-                    "rel": "related",
-                    "text": "SA-15"
-                  }
-                ]
-              },
-              {
-                "id": "ma-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-6_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-6[1]"
-                      }
-                    ],
-                    "prose": "defines information system components for which maintenance support and/or spare\n                  parts are to be obtained;"
-                  },
-                  {
-                    "id": "ma-6_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-6[2]"
-                      }
-                    ],
-                    "prose": "defines the time period within which maintenance support and/or spare parts are to\n                  be obtained after a failure;"
-                  },
-                  {
-                    "id": "ma-6_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-6[3]"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-6_obj.3.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-6[3][a]"
-                          }
-                        ],
-                        "prose": "obtains maintenance support for organization-defined information system\n                     components within the organization-defined time period of failure; and/or"
-                      },
-                      {
-                        "id": "ma-6_obj.3.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-6[3][b]"
-                          }
-                        ],
-                        "prose": "obtains spare parts for organization-defined information system components\n                     within the organization-defined time period of failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\ninventory and availability of spare parts\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for ensuring timely maintenance"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "mp",
-        "class": "family",
-        "title": "Media Protection",
-        "controls": [
-          {
-            "id": "mp-1",
-            "class": "SP800-53",
-            "title": "Media Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "mp-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "mp-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MP-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ mp-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "mp-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A media protection policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "mp-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the media protection policy and\n                     associated media protection controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "mp-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Media protection policy {{ mp-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "mp-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Media protection procedures {{ mp-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "mp-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a media protection policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "mp-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "mp-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the media protection policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "mp-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the media protection policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        media protection policy and associated media protection controls;"
-                          },
-                          {
-                            "id": "mp-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "mp-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current media protection\n                        policy;"
-                          },
-                          {
-                            "id": "mp-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current media protection policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current media protection\n                        procedures; and"
-                          },
-                          {
-                            "id": "mp-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current media protection procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Media protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with media protection responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-2",
-            "class": "SP800-53",
-            "title": "Media Access",
-            "parameters": [
-              {
-                "id": "mp-2_prm_1",
-                "label": "organization-defined types of digital and/or non-digital media",
-                "constraints": [
-                  {
-                    "detail": "any digital and non-digital media deemed sensitive"
-                  }
-                ]
-              },
-              {
-                "id": "mp-2_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-2_smt",
-                "name": "statement",
-                "prose": "The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."
-              },
-              {
-                "id": "mp-2_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Restricting non-digital media access\n               includes, for example, denying access to patient medical records in a community\n               hospital unless the individuals seeking access to such records are authorized\n               healthcare providers. Restricting access to digital media includes, for example,\n               limiting access to design specifications stored on compact disks in the media library\n               to the project leader and the individuals on the development team.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  }
-                ]
-              },
-              {
-                "id": "mp-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-2_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[1]"
-                      }
-                    ],
-                    "prose": "defines types of digital and/or non-digital media requiring restricted access;"
-                  },
-                  {
-                    "id": "mp-2_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[2]"
-                      }
-                    ],
-                    "prose": "defines personnel or roles authorized to access organization-defined types of\n                  digital and/or non-digital media; and"
-                  },
-                  {
-                    "id": "mp-2_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[3]"
-                      }
-                    ],
-                    "prose": "restricts access to organization-defined types of digital and/or non-digital media\n                  to organization-defined personnel or roles."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media access restrictions\\n\\naccess control policy and procedures\\n\\nphysical and environmental protection policy and procedures\\n\\nmedia storage facilities\\n\\naccess control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for restricting information media\\n\\nautomated mechanisms supporting and/or implementing media access restrictions"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-3",
-            "class": "SP800-53",
-            "title": "Media Marking",
-            "parameters": [
-              {
-                "id": "mp-3_prm_1",
-                "label": "organization-defined types of information system media",
-                "constraints": [
-                  {
-                    "detail": "no removable media types"
-                  }
-                ]
-              },
-              {
-                "id": "mp-3_prm_2",
-                "label": "organization-defined controlled areas",
-                "constraints": [
-                  {
-                    "detail": "organization-defined security safeguards not applicable"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Marks information system media indicating the distribution limitations, handling\n                  caveats, and applicable security markings (if any) of the information; and"
-                  },
-                  {
-                    "id": "mp-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Exempts {{ mp-3_prm_1 }} from marking as long as the media remain\n                  within {{ mp-3_prm_2 }}."
-                  },
-                  {
-                    "id": "mp-3_fr",
-                    "name": "item",
-                    "title": "MP-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "mp-3_fr_gdn.b",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b) Guidance:"
-                          }
-                        ],
-                        "prose": "Second parameter not-applicable"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-3_gdn",
-                "name": "guidance",
-                "prose": "The term security marking refers to the application/use of human-readable security\n               attributes. The term security labeling refers to the application/use of security\n               attributes with regard to internal data structures within information systems (see\n               AC-16). Information system media includes both digital and non-digital media. Digital\n               media includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Security marking is generally not\n               required for media containing information determined by organizations to be in the\n               public domain or to be publicly releasable. However, some organizations may require\n               markings for public information indicating that the information is publicly\n               releasable. Marking of information system media reflects applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and guidance.",
-                "links": [
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "mp-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-3(a)"
-                      }
-                    ],
-                    "prose": "marks information system media indicating the:",
-                    "parts": [
-                      {
-                        "id": "mp-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-3(a)[1]"
-                          }
-                        ],
-                        "prose": "distribution limitations of the information;"
-                      },
-                      {
-                        "id": "mp-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-3(a)[2]"
-                          }
-                        ],
-                        "prose": "handling caveats of the information;"
-                      },
-                      {
-                        "id": "mp-3.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-3(a)[3]"
-                          }
-                        ],
-                        "prose": "applicable security markings (if any) of the information;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines types of information system media to be exempted from marking as long\n                     as the media remain in designated controlled areas;"
-                      },
-                      {
-                        "id": "mp-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-3(b)[2]"
-                          }
-                        ],
-                        "prose": "defines controlled areas where organization-defined types of information system\n                     media exempt from marking are to be retained; and"
-                      },
-                      {
-                        "id": "mp-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-3(b)[3]"
-                          }
-                        ],
-                        "prose": "exempts organization-defined types of information system media from marking as\n                     long as the media remain within organization-defined controlled areas."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media marking\\n\\nphysical and environmental protection policy and procedures\\n\\nsecurity plan\\n\\nlist of information system media marking security attributes\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection and marking\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for marking information media\\n\\nautomated mechanisms supporting and/or implementing media marking"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-4",
-            "class": "SP800-53",
-            "title": "Media Storage",
-            "parameters": [
-              {
-                "id": "mp-4_prm_1",
-                "label": "organization-defined types of digital and/or non-digital media",
-                "constraints": [
-                  {
-                    "detail": "all types of digital and non-digital media with sensitive information"
-                  }
-                ]
-              },
-              {
-                "id": "mp-4_prm_2",
-                "label": "organization-defined controlled areas",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP requirements and guidance"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-56"
-              },
-              {
-                "href": "#a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-57"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Physically controls and securely stores {{ mp-4_prm_1 }} within\n                     {{ mp-4_prm_2 }}; and"
-                  },
-                  {
-                    "id": "mp-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Protects information system media until the media are destroyed or sanitized using\n                  approved equipment, techniques, and procedures."
-                  },
-                  {
-                    "id": "mp-4_fr",
-                    "name": "item",
-                    "title": "MP-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "mp-4_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines controlled areas within facilities where the information and information system reside."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-4_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Physically controlling information system\n               media includes, for example, conducting inventories, ensuring procedures are in place\n               to allow individuals to check out and return media to the media library, and\n               maintaining accountability for all stored media. Secure storage includes, for\n               example, a locked drawer, desk, or cabinet, or a controlled media library. The type\n               of media storage is commensurate with the security category and/or classification of\n               the information residing on the media. Controlled areas are areas for which\n               organizations provide sufficient physical and procedural safeguards to meet the\n               requirements established for protecting information and/or information systems. For\n               media containing information determined by organizations to be in the public domain,\n               to be publicly releasable, or to have limited or no adverse impact on organizations\n               or individuals if accessed by other than authorized personnel, fewer safeguards may\n               be needed. In these situations, physical access controls provide adequate\n               protection.",
-                "links": [
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-7",
-                    "rel": "related",
-                    "text": "MP-7"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  }
-                ]
-              },
-              {
-                "id": "mp-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines types of digital and/or non-digital media to be physically controlled\n                     and securely stored within designated controlled areas;"
-                      },
-                      {
-                        "id": "mp-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-4(a)[2]"
-                          }
-                        ],
-                        "prose": "defines controlled areas designated to physically control and securely store\n                     organization-defined types of digital and/or non-digital media;"
-                      },
-                      {
-                        "id": "mp-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-4(a)[3]"
-                          }
-                        ],
-                        "prose": "physically controls organization-defined types of digital and/or non-digital\n                     media within organization-defined controlled areas;"
-                      },
-                      {
-                        "id": "mp-4.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-4(a)[4]"
-                          }
-                        ],
-                        "prose": "securely stores organization-defined types of digital and/or non-digital media\n                     within organization-defined controlled areas; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-4(b)"
-                      }
-                    ],
-                    "prose": "protects information system media until the media are destroyed or sanitized using\n                  approved equipment, techniques, and procedures."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media storage\\n\\nphysical and environmental protection policy and procedures\\n\\naccess control policy and procedures\\n\\nsecurity plan\\n\\ninformation system media\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection and storage\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for storing information media\\n\\nautomated mechanisms supporting and/or implementing secure media storage/media\n                  protection"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-5",
-            "class": "SP800-53",
-            "title": "Media Transport",
-            "parameters": [
-              {
-                "id": "mp-5_prm_1",
-                "label": "organization-defined types of information system media",
-                "constraints": [
-                  {
-                    "detail": "all media with sensitive information"
-                  }
-                ]
-              },
-              {
-                "id": "mp-5_prm_2",
-                "label": "organization-defined security safeguards",
-                "constraints": [
-                  {
-                    "detail": "prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Protects and controls {{ mp-5_prm_1 }} during transport outside of\n                  controlled areas using {{ mp-5_prm_2 }};"
-                  },
-                  {
-                    "id": "mp-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Maintains accountability for information system media during transport outside of\n                  controlled areas;"
-                  },
-                  {
-                    "id": "mp-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents activities associated with the transport of information system media;\n                  and"
-                  },
-                  {
-                    "id": "mp-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Restricts the activities associated with the transport of information system media\n                  to authorized personnel."
-                  },
-                  {
-                    "id": "mp-5_fr",
-                    "name": "item",
-                    "title": "MP-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "mp-5_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-5_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers),\n               that are transported outside of controlled areas. Controlled areas are areas or\n               spaces for which organizations provide sufficient physical and/or procedural\n               safeguards to meet the requirements established for protecting information and/or\n               information systems. Physical and technical safeguards for media are commensurate\n               with the security category or classification of the information residing on the\n               media. Safeguards to protect media during transport include, for example, locked\n               containers and cryptography. Cryptographic mechanisms can provide confidentiality and\n               integrity protections depending upon the mechanisms used. Activities associated with\n               transport include the actual transport as well as those activities such as releasing\n               media for transport and ensuring that media enters the appropriate transport\n               processes. For the actual transport, authorized transport and courier personnel may\n               include individuals from outside the organization (e.g., U.S. Postal Service or a\n               commercial transport or delivery service). Maintaining accountability of media during\n               transport includes, for example, restricting transport activities to authorized\n               personnel, and tracking and/or obtaining explicit records of transport activities as\n               the media moves through the transportation system to prevent and detect loss,\n               destruction, or tampering. Organizations establish documentation requirements for\n               activities associated with the transport of information system media in accordance\n               with organizational assessments of risk to include the flexibility to define\n               different record-keeping methods for the different types of media transport as part\n               of an overall system of transport-related records.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#mp-3",
-                    "rel": "related",
-                    "text": "MP-3"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  }
-                ]
-              },
-              {
-                "id": "mp-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-5(a)[1]"
-                          }
-                        ],
-                        "prose": "defines types of information system media to be protected and controlled during\n                     transport outside of controlled areas;"
-                      },
-                      {
-                        "id": "mp-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-5(a)[2]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to protect and control organization-defined\n                     information system media during transport outside of controlled areas;"
-                      },
-                      {
-                        "id": "mp-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-5(a)[3]"
-                          }
-                        ],
-                        "prose": "protects and controls organization-defined information system media during\n                     transport outside of controlled areas using organization-defined security\n                     safeguards;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-5(b)"
-                      }
-                    ],
-                    "prose": "maintains accountability for information system media during transport outside of\n                  controlled areas;"
-                  },
-                  {
-                    "id": "mp-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-5(c)"
-                      }
-                    ],
-                    "prose": "documents activities associated with the transport of information system media;\n                  and"
-                  },
-                  {
-                    "id": "mp-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-5(d)"
-                      }
-                    ],
-                    "prose": "restricts the activities associated with transport of information system media to\n                  authorized personnel."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media storage\\n\\nphysical and environmental protection policy and procedures\\n\\naccess control policy and procedures\\n\\nsecurity plan\\n\\ninformation system media\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection and storage\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for storing information media\\n\\nautomated mechanisms supporting and/or implementing media storage/media\n                  protection"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "mp-5.4",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptographic Protection",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MP-5(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "mp-05.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "mp-5.4_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to protect the\n                  confidentiality and integrity of information stored on digital media during\n                  transport outside of controlled areas."
-                  },
-                  {
-                    "id": "mp-5.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to both portable storage devices (e.g., USB\n                  memory sticks, compact disks, digital video disks, external/removable hard disk\n                  drives) and mobile devices with storage capability (e.g., smart phones, tablets,\n                  E-readers).",
-                    "links": [
-                      {
-                        "href": "#mp-2",
-                        "rel": "related",
-                        "text": "MP-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-5.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs cryptographic mechanisms to protect the\n                  confidentiality and integrity of information stored on digital media during\n                  transport outside of controlled areas. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system media protection policy\\n\\nprocedures addressing media transport\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system media transport records\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system media transport\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms protecting information on digital media during\n                     transportation outside controlled areas"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-6",
-            "class": "SP800-53",
-            "title": "Media Sanitization",
-            "parameters": [
-              {
-                "id": "mp-6_prm_1",
-                "label": "organization-defined information system media"
-              },
-              {
-                "id": "mp-6_prm_2",
-                "label": "organization-defined sanitization techniques and procedures",
-                "constraints": [
-                  {
-                    "detail": "techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              },
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              },
-              {
-                "href": "#a47466c4-c837-4f06-a39f-e68412a5f73d",
-                "rel": "reference",
-                "text": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of\n                  organizational control, or release for reuse using {{ mp-6_prm_2 }}\n                  in accordance with applicable federal and organizational standards and policies;\n                  and"
-                  },
-                  {
-                    "id": "mp-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs sanitization mechanisms with the strength and integrity commensurate with\n                  the security category or classification of the information."
-                  }
-                ]
-              },
-              {
-                "id": "mp-6_gdn",
-                "name": "guidance",
-                "prose": "This control applies to all information system media, both digital and non-digital,\n               subject to disposal or reuse, whether or not the media is considered removable.\n               Examples include media found in scanners, copiers, printers, notebook computers,\n               workstations, network components, and mobile devices. The sanitization process\n               removes information from the media such that the information cannot be retrieved or\n               reconstructed. Sanitization techniques, including clearing, purging, cryptographic\n               erase, and destruction, prevent the disclosure of information to unauthorized\n               individuals when such media is reused or released for disposal. Organizations\n               determine the appropriate sanitization methods recognizing that destruction is\n               sometimes necessary when other methods cannot be applied to media requiring\n               sanitization. Organizations use discretion on the employment of approved sanitization\n               techniques and procedures for media containing information deemed to be in the public\n               domain or publicly releasable, or deemed to have no adverse impact on organizations\n               or individuals if released for reuse or disposal. Sanitization of non-digital media\n               includes, for example, removing a classified appendix from an otherwise unclassified\n               document, or redacting selected sections or words from a document by obscuring the\n               redacted sections/words in a manner equivalent in effectiveness to removing them from\n               the document. NSA standards and policies control the sanitization process for media\n               containing classified information.",
-                "links": [
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-4",
-                    "rel": "related",
-                    "text": "SC-4"
-                  }
-                ]
-              },
-              {
-                "id": "mp-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system media to be sanitized prior to:",
-                        "parts": [
-                          {
-                            "id": "mp-6.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][a]"
-                              }
-                            ],
-                            "prose": "disposal;"
-                          },
-                          {
-                            "id": "mp-6.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][b]"
-                              }
-                            ],
-                            "prose": "release out of organizational control; or"
-                          },
-                          {
-                            "id": "mp-6.a_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][c]"
-                              }
-                            ],
-                            "prose": "release for reuse;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[2]"
-                          }
-                        ],
-                        "prose": "defines sanitization techniques or procedures to be used for sanitizing\n                     organization-defined information system media prior to:",
-                        "parts": [
-                          {
-                            "id": "mp-6.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][a]"
-                              }
-                            ],
-                            "prose": "disposal;"
-                          },
-                          {
-                            "id": "mp-6.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][b]"
-                              }
-                            ],
-                            "prose": "release out of organizational control; or"
-                          },
-                          {
-                            "id": "mp-6.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][c]"
-                              }
-                            ],
-                            "prose": "release for reuse;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[3]"
-                          }
-                        ],
-                        "prose": "sanitizes organization-defined information system media prior to disposal,\n                     release out of organizational control, or release for reuse using\n                     organization-defined sanitization techniques or procedures in accordance with\n                     applicable federal and organizational standards and policies; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-6(b)"
-                      }
-                    ],
-                    "prose": "employs sanitization mechanisms with strength and integrity commensurate with the\n                  security category or classification of the information."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\napplicable federal standards and policies addressing media sanitization\\n\\nmedia sanitization records\\n\\naudit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with media sanitization responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "mp-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Review / Approve / Track / Document / Verify",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MP-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "mp-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "mp-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization reviews, approves, tracks, documents, and verifies media\n                  sanitization and disposal actions."
-                  },
-                  {
-                    "id": "mp-6.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations review and approve media to be sanitized to ensure compliance with\n                  records-retention policies. Tracking/documenting actions include, for example,\n                  listing personnel who reviewed and approved sanitization and disposal actions,\n                  types of media sanitized, specific files stored on the media, sanitization methods\n                  used, date and time of the sanitization actions, personnel who performed the\n                  sanitization, verification actions taken, personnel who performed the\n                  verification, and disposal action taken. Organizations verify that the\n                  sanitization of the media was effective prior to disposal.",
-                    "links": [
-                      {
-                        "href": "#si-12",
-                        "rel": "related",
-                        "text": "SI-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-6.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "mp-6.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(1)[1]"
-                          }
-                        ],
-                        "prose": "reviews media sanitization and disposal actions;"
-                      },
-                      {
-                        "id": "mp-6.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(1)[2]"
-                          }
-                        ],
-                        "prose": "approves media sanitization and disposal actions;"
-                      },
-                      {
-                        "id": "mp-6.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(1)[3]"
-                          }
-                        ],
-                        "prose": "tracks media sanitization and disposal actions;"
-                      },
-                      {
-                        "id": "mp-6.1_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(1)[4]"
-                          }
-                        ],
-                        "prose": "documents media sanitization and disposal actions; and"
-                      },
-                      {
-                        "id": "mp-6.1_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(1)[5]"
-                          }
-                        ],
-                        "prose": "verifies media sanitization and disposal actions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\nmedia sanitization and disposal records\\n\\nreview records for media sanitization and disposal actions\\n\\napprovals for media sanitization and disposal actions\\n\\ntracking records\\n\\nverification records\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system media sanitization and\n                     disposal responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-6.2",
-                "class": "SP800-53-enhancement",
-                "title": "Equipment Testing",
-                "parameters": [
-                  {
-                    "id": "mp-6.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least every six (6) months"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "MP-6(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "mp-06.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "mp-6.2_smt",
-                    "name": "statement",
-                    "prose": "The organization tests sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being\n                  achieved.",
-                    "parts": [
-                      {
-                        "id": "mp-6.2_fr",
-                        "name": "item",
-                        "title": "MP-6 (2) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "mp-6.2_fr_gdn.a",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(a) Requirement:"
-                              }
-                            ],
-                            "prose": "Equipment and procedures may be tested or validated for effectiveness"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-6.2_gdn",
-                    "name": "guidance",
-                    "prose": "Testing of sanitization equipment and procedures may be conducted by qualified and\n                  authorized external entities (e.g., other federal agencies or external service\n                  providers)."
-                  },
-                  {
-                    "id": "mp-6.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "mp-6.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(2)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency for testing sanitization equipment and procedures to\n                     verify that the intended sanitization is being achieved; and"
-                      },
-                      {
-                        "id": "mp-6.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(2)[2]"
-                          }
-                        ],
-                        "prose": "tests sanitization equipment and procedures with the organization-defined\n                     frequency to verify that the intended sanitization is being achieved."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\nprocedures addressing testing of media sanitization equipment\\n\\nresults of media sanitization equipment and procedures testing\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system media sanitization\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-6.3",
-                "class": "SP800-53-enhancement",
-                "title": "Nondestructive Techniques",
-                "parameters": [
-                  {
-                    "id": "mp-6.3_prm_1",
-                    "label": "organization-defined circumstances requiring sanitization of portable storage\n                  devices"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MP-6(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "mp-06.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "mp-6.3_smt",
-                    "name": "statement",
-                    "prose": "The organization applies nondestructive sanitization techniques to portable\n                  storage devices prior to connecting such devices to the information system under\n                  the following circumstances: {{ mp-6.3_prm_1 }}."
-                  },
-                  {
-                    "id": "mp-6.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to digital media containing classified\n                  information and Controlled Unclassified Information (CUI). Portable storage\n                  devices can be the source of malicious code insertions into organizational\n                  information systems. Many of these devices are obtained from unknown and\n                  potentially untrustworthy sources and may contain malicious code that can be\n                  readily transferred to information systems through USB ports or other entry\n                  portals. While scanning such storage devices is always recommended, sanitization\n                  provides additional assurance that the devices are free of malicious code to\n                  include code capable of initiating zero-day attacks. Organizations consider\n                  nondestructive sanitization of portable storage devices when such devices are\n                  first purchased from the manufacturer or vendor prior to initial use or when\n                  organizations lose a positive chain of custody for the devices.",
-                    "links": [
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-6.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "mp-6.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(3)[1]"
-                          }
-                        ],
-                        "prose": "defines circumstances requiring sanitization of portable storage devices;\n                     and"
-                      },
-                      {
-                        "id": "mp-6.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(3)[2]"
-                          }
-                        ],
-                        "prose": "applies nondestructive sanitization techniques to portable storage devices\n                     prior to connecting such devices to the information system under\n                     organization-defined circumstances requiring sanitization of portable storage\n                     devices."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\nlist of circumstances requiring sanitization of portable storage devices\\n\\nmedia sanitization records\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system media sanitization\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for media sanitization of portable storage devices\\n\\nautomated mechanisms supporting and/or implementing media sanitization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-7",
-            "class": "SP800-53",
-            "title": "Media Use",
-            "parameters": [
-              {
-                "id": "mp-7_prm_1"
-              },
-              {
-                "id": "mp-7_prm_2",
-                "label": "organization-defined types of information system media"
-              },
-              {
-                "id": "mp-7_prm_3",
-                "label": "organization-defined information systems or system components"
-              },
-              {
-                "id": "mp-7_prm_4",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-7_smt",
-                "name": "statement",
-                "prose": "The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}."
-              },
-              {
-                "id": "mp-7_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers).\n               In contrast to MP-2, which restricts user access to media, this control restricts the\n               use of certain types of media on information systems, for example,\n               restricting/prohibiting the use of flash drives or external hard disk drives.\n               Organizations can employ technical and nontechnical safeguards (e.g., policies,\n               procedures, rules of behavior) to restrict the use of information system media.\n               Organizations may restrict the use of portable storage devices, for example, by using\n               physical cages on workstations to prohibit access to certain external ports, or\n               disabling/removing the ability to insert, read or write to such devices.\n               Organizations may also limit the use of portable storage devices to only approved\n               devices including, for example, devices provided by the organization, devices\n               provided by other approved organizations, and devices that are not personally owned.\n               Finally, organizations may restrict the use of portable storage devices based on the\n               type of device, for example, prohibiting the use of writeable, portable storage\n               devices, and implementing this restriction by disabling or removing the capability to\n               write to such devices.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "mp-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[1]"
-                      }
-                    ],
-                    "prose": "defines types of information system media to be:",
-                    "parts": [
-                      {
-                        "id": "mp-7_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[1][a]"
-                          }
-                        ],
-                        "prose": "restricted on information systems or system components; or"
-                      },
-                      {
-                        "id": "mp-7_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[1][b]"
-                          }
-                        ],
-                        "prose": "prohibited from use on information systems or system components;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[2]"
-                      }
-                    ],
-                    "prose": "defines information systems or system components on which the use of\n                  organization-defined types of information system media is to be one of the\n                  following:",
-                    "parts": [
-                      {
-                        "id": "mp-7_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[2][a]"
-                          }
-                        ],
-                        "prose": "restricted; or"
-                      },
-                      {
-                        "id": "mp-7_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[2][b]"
-                          }
-                        ],
-                        "prose": "prohibited;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-7[3]"
-                      }
-                    ],
-                    "prose": "defines security safeguards to be employed to restrict or prohibit the use of\n                  organization-defined types of information system media on organization-defined\n                  information systems or system components; and"
-                  },
-                  {
-                    "id": "mp-7_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-7[4]"
-                      }
-                    ],
-                    "prose": "restricts or prohibits the use of organization-defined information system media on\n                  organization-defined information systems or system components using\n                  organization-defined security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for media use\\n\\nautomated mechanisms restricting or prohibiting use of information system media on\n                  information systems or system components"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "mp-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Prohibit Use Without Owner",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MP-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "mp-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "mp-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization prohibits the use of portable storage devices in organizational\n                  information systems when such devices have no identifiable owner."
-                  },
-                  {
-                    "id": "mp-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Requiring identifiable owners (e.g., individuals, organizations, or projects) for\n                  portable storage devices reduces the risk of using such technologies by allowing\n                  organizations to assign responsibility and accountability for addressing known\n                  vulnerabilities in the devices (e.g., malicious code insertion).",
-                    "links": [
-                      {
-                        "href": "#pl-4",
-                        "rel": "related",
-                        "text": "PL-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization prohibits the use of portable storage devices in\n                  organizational information systems when such devices have no identifiable owner.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for media use\\n\\nautomated mechanisms prohibiting use of media on information systems or system\n                     components"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "pe",
-        "class": "family",
-        "title": "Physical and Environmental Protection",
-        "controls": [
-          {
-            "id": "pe-1",
-            "class": "SP800-53",
-            "title": "Physical and Environmental Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "pe-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pe-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ pe-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "pe-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A physical and environmental protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "pe-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the physical and environmental\n                     protection policy and associated physical and environmental protection\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "pe-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Physical and environmental protection policy {{ pe-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "pe-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Physical and environmental protection procedures {{ pe-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PE\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "pe-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a physical and environmental protection policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "pe-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "pe-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the physical and environmental protection\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "pe-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the physical and environmental protection policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        physical and environmental protection policy and associated physical and\n                        environmental protection controls;"
-                          },
-                          {
-                            "id": "pe-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pe-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current physical and\n                        environmental protection policy;"
-                          },
-                          {
-                            "id": "pe-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current physical and environmental protection policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current physical and\n                        environmental protection procedures; and"
-                          },
-                          {
-                            "id": "pe-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current physical and environmental protection\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical and environmental protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-2",
-            "class": "SP800-53",
-            "title": "Physical Access Authorizations",
-            "parameters": [
-              {
-                "id": "pe-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every ninety (90) days"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, approves, and maintains a list of individuals with authorized access to\n                  the facility where the information system resides;"
-                  },
-                  {
-                    "id": "pe-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Issues authorization credentials for facility access;"
-                  },
-                  {
-                    "id": "pe-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the access list detailing authorized facility access by individuals\n                     {{ pe-2_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Removes individuals from the facility access list when access is no longer\n                  required."
-                  }
-                ]
-              },
-              {
-                "id": "pe-2_gdn",
-                "name": "guidance",
-                "prose": "This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Authorization credentials include, for\n               example, badges, identification cards, and smart cards. Organizations determine the\n               strength of authorization credentials needed (including level of forge-proof badges,\n               smart cards, or identification cards) consistent with federal standards, policies,\n               and procedures. This control only applies to areas within facilities that have not\n               been designated as publicly accessible.",
-                "links": [
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[1]"
-                          }
-                        ],
-                        "prose": "develops a list of individuals with authorized access to the facility where the\n                     information system resides;"
-                      },
-                      {
-                        "id": "pe-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[2]"
-                          }
-                        ],
-                        "prose": "approves a list of individuals with authorized access to the facility where the\n                     information system resides;"
-                      },
-                      {
-                        "id": "pe-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[3]"
-                          }
-                        ],
-                        "prose": "maintains a list of individuals with authorized access to the facility where\n                     the information system resides;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-2(b)"
-                      }
-                    ],
-                    "prose": "issues authorization credentials for facility access;"
-                  },
-                  {
-                    "id": "pe-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the access list detailing authorized facility\n                     access by individuals;"
-                      },
-                      {
-                        "id": "pe-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the access list detailing authorized facility access by individuals\n                     with the organization-defined frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-2(d)"
-                      }
-                    ],
-                    "prose": "removes individuals from the facility access list when access is no longer\n                  required."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access authorizations\\n\\nsecurity plan\\n\\nauthorized personnel access list\\n\\nauthorization credentials\\n\\nphysical access list reviews\\n\\nphysical access termination records and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access authorization responsibilities\\n\\norganizational personnel with physical access to information system facility\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for physical access authorizations\\n\\nautomated mechanisms supporting and/or implementing physical access\n                  authorizations"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-3",
-            "class": "SP800-53",
-            "title": "Physical Access Control",
-            "parameters": [
-              {
-                "id": "pe-3_prm_1",
-                "label": "organization-defined entry/exit points to the facility where the information\n               system resides"
-              },
-              {
-                "id": "pe-3_prm_2",
-                "constraints": [
-                  {
-                    "detail": "CSP defined physical access control systems/devices AND guards"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_3",
-                "depends-on": "pe-3_prm_2",
-                "label": "organization-defined physical access control systems/devices",
-                "constraints": [
-                  {
-                    "detail": "CSP defined physical access control systems/devices"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_4",
-                "label": "organization-defined entry/exit points"
-              },
-              {
-                "id": "pe-3_prm_5",
-                "label": "organization-defined security safeguards"
-              },
-              {
-                "id": "pe-3_prm_6",
-                "label": "organization-defined circumstances requiring visitor escorts and\n               monitoring",
-                "constraints": [
-                  {
-                    "detail": "in all circumstances within restricted access area where the information system resides"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_7",
-                "label": "organization-defined physical access devices"
-              },
-              {
-                "id": "pe-3_prm_8",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_9",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-116"
-              },
-              {
-                "href": "#6caa237b-531b-43ac-9711-d8f6b97b0377",
-                "rel": "reference",
-                "text": "ICD 704"
-              },
-              {
-                "href": "#398e33fd-f404-4e5c-b90e-2d50d3181244",
-                "rel": "reference",
-                "text": "ICD 705"
-              },
-              {
-                "href": "#61081e7f-041d-4033-96a7-44a439071683",
-                "rel": "reference",
-                "text": "DoD Instruction 5200.39"
-              },
-              {
-                "href": "#dd2f5acd-08f1-435a-9837-f8203088dc1a",
-                "rel": "reference",
-                "text": "Personal Identity Verification (PIV) in Enterprise\n            Physical Access Control System (E-PACS)"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              },
-              {
-                "href": "#5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-                "rel": "reference",
-                "text": "http://fips201ep.cio.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Enforces physical access authorizations at {{ pe-3_prm_1 }} by;",
-                    "parts": [
-                      {
-                        "id": "pe-3_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Verifying individual access authorizations before granting access to the\n                     facility; and"
-                      },
-                      {
-                        "id": "pe-3_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Maintains physical access audit logs for {{ pe-3_prm_4 }};"
-                  },
-                  {
-                    "id": "pe-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides {{ pe-3_prm_5 }} to control access to areas within the\n                  facility officially designated as publicly accessible;"
-                  },
-                  {
-                    "id": "pe-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};"
-                  },
-                  {
-                    "id": "pe-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Secures keys, combinations, and other physical access devices;"
-                  },
-                  {
-                    "id": "pe-3_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};\n                  and"
-                  },
-                  {
-                    "id": "pe-3_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are\n                  lost, combinations are compromised, or individuals are transferred or\n                  terminated."
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_gdn",
-                "name": "guidance",
-                "prose": "This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Organizations determine the types of\n               facility guards needed including, for example, professional physical security staff\n               or other personnel such as administrative staff or information system users. Physical\n               access devices include, for example, keys, locks, combinations, and card readers.\n               Safeguards for publicly accessible areas within organizational facilities include,\n               for example, cameras, monitoring by guards, and isolating selected information\n               systems and/or system components in secured areas. Physical access control systems\n               comply with applicable federal laws, Executive Orders, directives, policies,\n               regulations, standards, and guidance. The Federal Identity, Credential, and Access\n               Management Program provides implementation guidance for identity, credential, and\n               access management capabilities for physical access control systems. Organizations\n               have flexibility in the types of audit logs employed. Audit logs can be procedural\n               (e.g., a written log of individuals accessing the facility and when such access\n               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination\n               thereof. Physical access points can include facility access points, interior access\n               points to information systems and/or components requiring supplemental access\n               controls, or both. Components of organizational information systems (e.g.,\n               workstations, terminals) may be located in areas designated as publicly accessible\n               with organizations safeguarding access to such devices.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#pe-5",
-                    "rel": "related",
-                    "text": "PE-5"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines entry/exit points to the facility where the information system\n                     resides;"
-                      },
-                      {
-                        "id": "pe-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(a)[2]"
-                          }
-                        ],
-                        "prose": "enforces physical access authorizations at organization-defined entry/exit\n                     points to the facility where the information system resides by:",
-                        "parts": [
-                          {
-                            "id": "pe-3.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(a)[2](1)"
-                              }
-                            ],
-                            "prose": "verifying individual access authorizations before granting access to the\n                        facility;"
-                          },
-                          {
-                            "id": "pe-3.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-3(a)[2](2)"
-                              }
-                            ],
-                            "parts": [
-                              {
-                                "id": "pe-3.a.2_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-3(a)[2](2)[a]"
-                                  }
-                                ],
-                                "prose": "defining physical access control systems/devices to be employed to\n                           control ingress/egress to the facility where the information system\n                           resides;"
-                              },
-                              {
-                                "id": "pe-3.a.2_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-3(a)[2](2)[b]"
-                                  }
-                                ],
-                                "prose": "using one or more of the following ways to control ingress/egress to the\n                           facility:",
-                                "parts": [
-                                  {
-                                    "id": "pe-3.a.2_obj.2.b.1",
-                                    "name": "objective",
-                                    "properties": [
-                                      {
-                                        "name": "label",
-                                        "value": "PE-3(a)[2](2)[b][1]"
-                                      }
-                                    ],
-                                    "prose": "organization-defined physical access control systems/devices;\n                              and/or"
-                                  },
-                                  {
-                                    "id": "pe-3.a.2_obj.2.b.2",
-                                    "name": "objective",
-                                    "properties": [
-                                      {
-                                        "name": "label",
-                                        "value": "PE-3(a)[2](2)[b][2]"
-                                      }
-                                    ],
-                                    "prose": "guards;"
-                                  }
-                                ]
-                              }
-                            ]
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines entry/exit points for which physical access audit logs are to be\n                     maintained;"
-                      },
-                      {
-                        "id": "pe-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(b)[2]"
-                          }
-                        ],
-                        "prose": "maintains physical access audit logs for organization-defined entry/exit\n                     points;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed to control access to areas within\n                     the facility officially designated as publicly accessible;"
-                      },
-                      {
-                        "id": "pe-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides organization-defined security safeguards to control access to areas\n                     within the facility officially designated as publicly accessible;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(d)[1]"
-                          }
-                        ],
-                        "prose": "defines circumstances requiring visitor:",
-                        "parts": [
-                          {
-                            "id": "pe-3.d_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[1][a]"
-                              }
-                            ],
-                            "prose": "escorts;"
-                          },
-                          {
-                            "id": "pe-3.d_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[1][b]"
-                              }
-                            ],
-                            "prose": "monitoring;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(d)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with organization-defined circumstances requiring visitor escorts\n                     and monitoring:",
-                        "parts": [
-                          {
-                            "id": "pe-3.d_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[2][a]"
-                              }
-                            ],
-                            "prose": "escorts visitors;"
-                          },
-                          {
-                            "id": "pe-3.d_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[2][b]"
-                              }
-                            ],
-                            "prose": "monitors visitor activities;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[1]"
-                          }
-                        ],
-                        "prose": "secures keys;"
-                      },
-                      {
-                        "id": "pe-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[2]"
-                          }
-                        ],
-                        "prose": "secures combinations;"
-                      },
-                      {
-                        "id": "pe-3.e_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[3]"
-                          }
-                        ],
-                        "prose": "secures other physical access devices;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[1]"
-                          }
-                        ],
-                        "prose": "defines physical access devices to be inventoried;"
-                      },
-                      {
-                        "id": "pe-3.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to inventory organization-defined physical access\n                     devices;"
-                      },
-                      {
-                        "id": "pe-3.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[3]"
-                          }
-                        ],
-                        "prose": "inventories the organization-defined physical access devices with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(g)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to change combinations and keys; and"
-                      },
-                      {
-                        "id": "pe-3.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(g)[2]"
-                          }
-                        ],
-                        "prose": "changes combinations and keys with the organization-defined frequency and/or\n                     when:",
-                        "parts": [
-                          {
-                            "id": "pe-3.g_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][a]"
-                              }
-                            ],
-                            "prose": "keys are lost;"
-                          },
-                          {
-                            "id": "pe-3.g_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][b]"
-                              }
-                            ],
-                            "prose": "combinations are compromised;"
-                          },
-                          {
-                            "id": "pe-3.g_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][c]"
-                              }
-                            ],
-                            "prose": "individuals are transferred or terminated."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nsecurity plan\\n\\nphysical access control logs or records\\n\\ninventory records of physical access control devices\\n\\ninformation system entry and exit points\\n\\nrecords of key and lock combination changes\\n\\nstorage locations for physical access control devices\\n\\nphysical access control devices\\n\\nlist of security safeguards controlling access to designated publicly accessible\n                  areas within facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for physical access control\\n\\nautomated mechanisms supporting and/or implementing physical access control\\n\\nphysical access control devices"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Information System Access",
-                "parameters": [
-                  {
-                    "id": "pe-3.1_prm_1",
-                    "label": "organization-defined physical spaces containing one or more components of the\n                  information system"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-3.1_smt",
-                    "name": "statement",
-                    "prose": "The organization enforces physical access authorizations to the information system\n                  in addition to the physical access controls for the facility at {{ pe-3.1_prm_1 }}."
-                  },
-                  {
-                    "id": "pe-3.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement provides additional physical security for those areas\n                  within facilities where there is a concentration of information system components\n                  (e.g., server rooms, media storage areas, data and communications centers).",
-                    "links": [
-                      {
-                        "href": "#ps-2",
-                        "rel": "related",
-                        "text": "PS-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pe-3.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(1)[1]"
-                          }
-                        ],
-                        "prose": "defines physical spaces containing one or more components of the information\n                     system; and"
-                      },
-                      {
-                        "id": "pe-3.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(1)[2]"
-                          }
-                        ],
-                        "prose": "enforces physical access authorizations to the information system in addition\n                     to the physical access controls for the facility at organization-defined\n                     physical spaces containing one or more components of the information\n                     system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nphysical access control logs or records\\n\\nphysical access control devices\\n\\naccess authorizations\\n\\naccess credentials\\n\\ninformation system entry and exit points\\n\\nlist of areas within the facility containing concentrations of information\n                     system components or information system components requiring additional\n                     physical protection\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with physical access authorization\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for physical access control to the information\n                     system/components\\n\\nautomated mechanisms supporting and/or implementing physical access control for\n                     facility areas containing information system components"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-4",
-            "class": "SP800-53",
-            "title": "Access Control for Transmission Medium",
-            "parameters": [
-              {
-                "id": "pe-4_prm_1",
-                "label": "organization-defined information system distribution and transmission\n               lines"
-              },
-              {
-                "id": "pe-4_prm_2",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#06dff0ea-3848-4945-8d91-e955ee69f05d",
-                "rel": "reference",
-                "text": "NSTISSI No. 7003"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-4_smt",
-                "name": "statement",
-                "prose": "The organization controls physical access to {{ pe-4_prm_1 }} within\n               organizational facilities using {{ pe-4_prm_2 }}."
-              },
-              {
-                "id": "pe-4_gdn",
-                "name": "guidance",
-                "prose": "Physical security safeguards applied to information system distribution and\n               transmission lines help to prevent accidental damage, disruption, and physical\n               tampering. In addition, physical safeguards may be necessary to help prevent\n               eavesdropping or in transit modification of unencrypted transmissions. Security\n               safeguards to control physical access to system distribution and transmission lines\n               include, for example: (i) locked wiring closets; (ii) disconnected or locked spare\n               jacks; and/or (iii) protection of cabling by conduit or cable trays.",
-                "links": [
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-5",
-                    "rel": "related",
-                    "text": "PE-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  }
-                ]
-              },
-              {
-                "id": "pe-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-4_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-4[1]"
-                      }
-                    ],
-                    "prose": "defines information system distribution and transmission lines requiring physical\n                  access controls;"
-                  },
-                  {
-                    "id": "pe-4_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-4[2]"
-                      }
-                    ],
-                    "prose": "defines security safeguards to be employed to control physical access to\n                  organization-defined information system distribution and transmission lines within\n                  organizational facilities; and"
-                  },
-                  {
-                    "id": "pe-4_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-4[3]"
-                      }
-                    ],
-                    "prose": "controls physical access to organization-defined information system distribution\n                  and transmission lines within organizational facilities using organization-defined\n                  security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing access control for transmission medium\\n\\ninformation system design documentation\\n\\nfacility communications and wiring diagrams\\n\\nlist of physical security safeguards applied to information system distribution\n                  and transmission lines\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for access control to distribution and transmission\n                  lines\\n\\nautomated mechanisms/security safeguards supporting and/or implementing access\n                  control to distribution and transmission lines"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-5",
-            "class": "SP800-53",
-            "title": "Access Control for Output Devices",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-5_smt",
-                "name": "statement",
-                "prose": "The organization controls physical access to information system output devices to\n               prevent unauthorized individuals from obtaining the output."
-              },
-              {
-                "id": "pe-5_gdn",
-                "name": "guidance",
-                "prose": "Controlling physical access to output devices includes, for example, placing output\n               devices in locked rooms or other secured areas and allowing access to authorized\n               individuals only, and placing output devices in locations that can be monitored by\n               organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,\n               and audio devices are examples of information system output devices.",
-                "links": [
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#pe-18",
-                    "rel": "related",
-                    "text": "PE-18"
-                  }
-                ]
-              },
-              {
-                "id": "pe-5_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization controls physical access to information system output\n               devices to prevent unauthorized individuals from obtaining the output. "
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing access control for display medium\\n\\nfacility layout of information system components\\n\\nactual displays from information system components\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for access control to output devices\\n\\nautomated mechanisms supporting and/or implementing access control to output\n                  devices"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-6",
-            "class": "SP800-53",
-            "title": "Monitoring Physical Access",
-            "parameters": [
-              {
-                "id": "pe-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_prm_2",
-                "label": "organization-defined events or potential indications of events"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"
-                  },
-                  {
-                    "id": "pe-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence\n                  of {{ pe-6_prm_2 }}; and"
-                  },
-                  {
-                    "id": "pe-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Coordinates results of reviews and investigations with the organizational incident\n                  response capability."
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_gdn",
-                "name": "guidance",
-                "prose": "Organizational incident response capabilities include investigations of and responses\n               to detected physical security incidents. Security incidents include, for example,\n               apparent security violations or suspicious physical access activities. Suspicious\n               physical access activities include, for example: (i) accesses outside of normal work\n               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for\n               unusual lengths of time; and (iv) out-of-sequence accesses.",
-                "links": [
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-6(a)"
-                      }
-                    ],
-                    "prose": "monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"
-                  },
-                  {
-                    "id": "pe-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review physical access logs;"
-                      },
-                      {
-                        "id": "pe-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[2]"
-                          }
-                        ],
-                        "prose": "defines events or potential indication of events requiring physical access logs\n                     to be reviewed;"
-                      },
-                      {
-                        "id": "pe-6.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[3]"
-                          }
-                        ],
-                        "prose": "reviews physical access logs with the organization-defined frequency and upon\n                     occurrence of organization-defined events or potential indications of events;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-6(c)"
-                      }
-                    ],
-                    "prose": "coordinates results of reviews and investigations with the organizational incident\n                  response capability."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring physical access\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\\n\\nautomated mechanisms supporting and/or implementing reviewing of physical access\n                  logs"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Intrusion Alarms / Surveillance Equipment",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization monitors physical intrusion alarms and surveillance\n                  equipment."
-                  },
-                  {
-                    "id": "pe-6.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization monitors physical intrusion alarms and surveillance\n                  equipment. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring physical intrusion alarms and\n                     surveillance equipment\\n\\nautomated mechanisms supporting and/or implementing physical access\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing physical intrusion alarms\n                     and surveillance equipment"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-6.4",
-                "class": "SP800-53-enhancement",
-                "title": "Monitoring Physical Access to Information Systems",
-                "parameters": [
-                  {
-                    "id": "pe-6.4_prm_1",
-                    "label": "organization-defined physical spaces containing one or more components of the\n                  information system"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-6(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-06.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-6.4_smt",
-                    "name": "statement",
-                    "prose": "The organization monitors physical access to the information system in addition to\n                  the physical access monitoring of the facility as {{ pe-6.4_prm_1 }}."
-                  },
-                  {
-                    "id": "pe-6.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement provides additional monitoring for those areas within\n                  facilities where there is a concentration of information system components (e.g.,\n                  server rooms, media storage areas, communications centers).",
-                    "links": [
-                      {
-                        "href": "#ps-2",
-                        "rel": "related",
-                        "text": "PS-2"
-                      },
-                      {
-                        "href": "#ps-3",
-                        "rel": "related",
-                        "text": "PS-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-6.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pe-6.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(4)[1]"
-                          }
-                        ],
-                        "prose": "defines physical spaces containing one or more components of the information\n                     system; and"
-                      },
-                      {
-                        "id": "pe-6.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(4)[2]"
-                          }
-                        ],
-                        "prose": "monitors physical access to the information system in addition to the physical\n                     access monitoring of the facility at organization-defined physical spaces\n                     containing one or more components of the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nphysical access control logs or records\\n\\nphysical access control devices\\n\\naccess authorizations\\n\\naccess credentials\\n\\nlist of areas within the facility containing concentrations of information\n                     system components or information system components requiring additional\n                     physical access monitoring\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring physical access to the information\n                     system\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\n                     for facility areas containing information system components"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-8",
-            "class": "SP800-53",
-            "title": "Visitor Access Records",
-            "parameters": [
-              {
-                "id": "pe-8_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "for a minimum of one (1) year"
-                  }
-                ]
-              },
-              {
-                "id": "pe-8_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Maintains visitor access records to the facility where the information system\n                  resides for {{ pe-8_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews visitor access records {{ pe-8_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "pe-8_gdn",
-                "name": "guidance",
-                "prose": "Visitor access records include, for example, names and organizations of persons\n               visiting, visitor signatures, forms of identification, dates of access, entry and\n               departure times, purposes of visits, and names and organizations of persons visited.\n               Visitor access records are not required for publicly accessible areas."
-              },
-              {
-                "id": "pe-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period to maintain visitor access records to the facility\n                     where the information system resides;"
-                      },
-                      {
-                        "id": "pe-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(a)[2]"
-                          }
-                        ],
-                        "prose": "maintains visitor access records to the facility where the information system\n                     resides for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review visitor access records; and"
-                      },
-                      {
-                        "id": "pe-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews visitor access records with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nsecurity plan\\n\\nvisitor access control logs or records\\n\\nvisitor access record or log reviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for maintaining and reviewing visitor access records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                  visitor access records"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Records Maintenance / Review",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to facilitate the maintenance and\n                  review of visitor access records."
-                  },
-                  {
-                    "id": "pe-8.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to facilitate the\n                  maintenance and review of visitor access records. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nautomated mechanisms supporting management of visitor access records\\n\\nvisitor access control logs or records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for maintaining and reviewing visitor access\n                     records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                     visitor access records"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-9",
-            "class": "SP800-53",
-            "title": "Power Equipment and Cabling",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-9_smt",
-                "name": "statement",
-                "prose": "The organization protects power equipment and power cabling for the information\n               system from damage and destruction."
-              },
-              {
-                "id": "pe-9_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the types of protection necessary for power equipment and\n               cabling employed at different locations both internal and external to organizational\n               facilities and environments of operation. This includes, for example, generators and\n               power cabling outside of buildings, internal cabling and uninterruptable power\n               sources within an office or data center, and power sources for self-contained\n               entities such as vehicles and satellites.",
-                "links": [
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  }
-                ]
-              },
-              {
-                "id": "pe-9_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization protects power equipment and power cabling for the\n               information system from damage and destruction. "
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing power equipment/cabling protection\\n\\nfacilities housing power equipment/cabling\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for protecting power\n                  equipment/cabling\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing protection of power\n                  equipment/cabling"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-10",
-            "class": "SP800-53",
-            "title": "Emergency Shutoff",
-            "parameters": [
-              {
-                "id": "pe-10_prm_1",
-                "label": "organization-defined location by information system or system component"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-10_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-10_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides the capability of shutting off power to the information system or\n                  individual system components in emergency situations;"
-                  },
-                  {
-                    "id": "pe-10_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Places emergency shutoff switches or devices in {{ pe-10_prm_1 }}\n                  to facilitate safe and easy access for personnel; and"
-                  },
-                  {
-                    "id": "pe-10_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Protects emergency power shutoff capability from unauthorized activation."
-                  }
-                ]
-              },
-              {
-                "id": "pe-10_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.",
-                "links": [
-                  {
-                    "href": "#pe-15",
-                    "rel": "related",
-                    "text": "PE-15"
-                  }
-                ]
-              },
-              {
-                "id": "pe-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-10.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-10(a)"
-                      }
-                    ],
-                    "prose": "provides the capability of shutting off power to the information system or\n                  individual system components in emergency situations;"
-                  },
-                  {
-                    "id": "pe-10.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-10(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-10.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-10(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the location of emergency shutoff switches or devices by information\n                     system or system component;"
-                      },
-                      {
-                        "id": "pe-10.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-10(b)[2]"
-                          }
-                        ],
-                        "prose": "places emergency shutoff switches or devices in the organization-defined\n                     location by information system or system component to facilitate safe and easy\n                     access for personnel; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-10.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-10(c)"
-                      }
-                    ],
-                    "prose": "protects emergency power shutoff capability from unauthorized activation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing power source emergency shutoff\\n\\nsecurity plan\\n\\nemergency shutoff controls or switches\\n\\nlocations housing emergency shutoff switches and devices\\n\\nsecurity safeguards protecting emergency power shutoff capability from\n                  unauthorized activation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for emergency power shutoff\n                  capability (both implementing and using the capability)\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing emergency power shutoff"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-11",
-            "class": "SP800-53",
-            "title": "Emergency Power",
-            "parameters": [
-              {
-                "id": "pe-11_prm_1"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-11_smt",
-                "name": "statement",
-                "prose": "The organization provides a short-term uninterruptible power supply to facilitate\n                  {{ pe-11_prm_1 }} in the event of a primary power source loss."
-              },
-              {
-                "id": "pe-11_gdn",
-                "name": "guidance",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "pe-11_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization provides a short-term uninterruptible power supply to\n               facilitate one or more of the following in the event of a primary power source loss: ",
-                "parts": [
-                  {
-                    "id": "pe-11_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-11[1]"
-                      }
-                    ],
-                    "prose": "an orderly shutdown of the information system; and/or"
-                  },
-                  {
-                    "id": "pe-11_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-11[2]"
-                      }
-                    ],
-                    "prose": "transition of the information system to long-term alternate power."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing emergency power\\n\\nuninterruptible power supply\\n\\nuninterruptible power supply documentation\\n\\nuninterruptible power supply test records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for emergency power and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing uninterruptible power\n                  supply\\n\\nthe uninterruptable power supply"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-11.1",
-                "class": "SP800-53-enhancement",
-                "title": "Long-term Alternate Power Supply - Minimal Operational Capability",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-11(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-11.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-11.1_smt",
-                    "name": "statement",
-                    "prose": "The organization provides a long-term alternate power supply for the information\n                  system that is capable of maintaining minimally required operational capability in\n                  the event of an extended loss of the primary power source."
-                  },
-                  {
-                    "id": "pe-11.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement can be satisfied, for example, by the use of a secondary\n                  commercial power supply or other external power supply. Long-term alternate power\n                  supplies for the information system can be either manually or automatically\n                  activated."
-                  },
-                  {
-                    "id": "pe-11.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization provides a long-term alternate power supply for the\n                  information system that is capable of maintaining minimally required operational\n                  capability in the event of an extended loss of the primary power source. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing emergency power\\n\\nalternate power supply\\n\\nalternate power supply documentation\\n\\nalternate power supply test records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for emergency power and/or\n                     planning\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing alternate power supply\\n\\nthe alternate power supply"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-12",
-            "class": "SP800-53",
-            "title": "Emergency Lighting",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-12_smt",
-                "name": "statement",
-                "prose": "The organization employs and maintains automatic emergency lighting for the\n               information system that activates in the event of a power outage or disruption and\n               that covers emergency exits and evacuation routes within the facility."
-              },
-              {
-                "id": "pe-12_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "pe-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization employs and maintains automatic emergency lighting for\n               the information system that: ",
-                "parts": [
-                  {
-                    "id": "pe-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-12[1]"
-                      }
-                    ],
-                    "prose": "activates in the event of a power outage or disruption; and"
-                  },
-                  {
-                    "id": "pe-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-12[2]"
-                      }
-                    ],
-                    "prose": "covers emergency exits and evacuation routes within the facility."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing emergency lighting\\n\\nemergency lighting documentation\\n\\nemergency lighting test records\\n\\nemergency exits and evacuation routes\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for emergency lighting and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing emergency lighting\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-13",
-            "class": "SP800-53",
-            "title": "Fire Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-13"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-13"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-13_smt",
-                "name": "statement",
-                "prose": "The organization employs and maintains fire suppression and detection devices/systems\n               for the information system that are supported by an independent energy source."
-              },
-              {
-                "id": "pe-13_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Fire suppression and detection devices/systems include, for example,\n               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke\n               detectors."
-              },
-              {
-                "id": "pe-13_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-13_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-13[1]"
-                      }
-                    ],
-                    "prose": "employs fire suppression and detection devices/systems for the information system\n                  that are supported by an independent energy source; and"
-                  },
-                  {
-                    "id": "pe-13_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-13[2]"
-                      }
-                    ],
-                    "prose": "maintains fire suppression and detection devices/systems for the information\n                  system that are supported by an independent energy source."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for fire detection and suppression\n                  devices/systems\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing fire suppression/detection\n                  devices/systems"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-13.1",
-                "class": "SP800-53-enhancement",
-                "title": "Detection Devices / Systems",
-                "parameters": [
-                  {
-                    "id": "pe-13.1_prm_1",
-                    "label": "organization-defined personnel or roles",
-                    "constraints": [
-                      {
-                        "detail": "service provider building maintenance/physical security personnel"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-13.1_prm_2",
-                    "label": "organization-defined emergency responders",
-                    "constraints": [
-                      {
-                        "detail": "service provider emergency responders with incident response responsibilities"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-13(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-13.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-13.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs fire detection devices/systems for the information system\n                  that activate automatically and notify {{ pe-13.1_prm_1 }} and\n                     {{ pe-13.1_prm_2 }} in the event of a fire."
-                  },
-                  {
-                    "id": "pe-13.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can identify specific personnel, roles, and emergency responders in\n                  the event that individuals on the notification list must have appropriate access\n                  authorizations and/or clearances, for example, to obtain access to facilities\n                  where classified operations are taking place or where there are information\n                  systems containing classified information."
-                  },
-                  {
-                    "id": "pe-13.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pe-13.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(1)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified in the event of a fire;"
-                      },
-                      {
-                        "id": "pe-13.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(1)[2]"
-                          }
-                        ],
-                        "prose": "defines emergency responders to be notified in the event of a fire;"
-                      },
-                      {
-                        "id": "pe-13.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(1)[3]"
-                          }
-                        ],
-                        "prose": "employs fire detection devices/systems for the information system that, in the\n                     event of a fire,:",
-                        "parts": [
-                          {
-                            "id": "pe-13.1_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-13(1)[3][a]"
-                              }
-                            ],
-                            "prose": "activate automatically;"
-                          },
-                          {
-                            "id": "pe-13.1_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-13(1)[3][b]"
-                              }
-                            ],
-                            "prose": "notify organization-defined personnel or roles; and"
-                          },
-                          {
-                            "id": "pe-13.1_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-13(1)[3][c]"
-                              }
-                            ],
-                            "prose": "notify organization-defined emergency responders."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\nalerts/notifications of fire events\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for notifying appropriate\n                     personnel, roles, and emergency responders of fires\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing fire detection\n                     devices/systems\\n\\nactivation of fire detection devices/systems (simulated)\\n\\nautomated notifications"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-13.2",
-                "class": "SP800-53-enhancement",
-                "title": "Suppression Devices / Systems",
-                "parameters": [
-                  {
-                    "id": "pe-13.2_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  },
-                  {
-                    "id": "pe-13.2_prm_2",
-                    "label": "organization-defined emergency responders"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-13(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-13.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-13.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs fire suppression devices/systems for the information\n                  system that provide automatic notification of any activation to {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}."
-                  },
-                  {
-                    "id": "pe-13.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can identify specific personnel, roles, and emergency responders in\n                  the event that individuals on the notification list must have appropriate access\n                  authorizations and/or clearances, for example, to obtain access to facilities\n                  where classified operations are taking place or where there are information\n                  systems containing classified information."
-                  },
-                  {
-                    "id": "pe-13.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pe-13.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(2)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be provided automatic notification of any\n                     activation of fire suppression devices/systems for the information system;"
-                      },
-                      {
-                        "id": "pe-13.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(2)[2]"
-                          }
-                        ],
-                        "prose": "defines emergency responders to be provided automatic notification of any\n                     activation of fire suppression devices/systems for the information system;"
-                      },
-                      {
-                        "id": "pe-13.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(2)[3]"
-                          }
-                        ],
-                        "prose": "employs fire suppression devices/systems for the information system that\n                     provide automatic notification of any activation to:",
-                        "parts": [
-                          {
-                            "id": "pe-13.2_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-13(2)[3][a]"
-                              }
-                            ],
-                            "prose": "organization-defined personnel or roles; and"
-                          },
-                          {
-                            "id": "pe-13.2_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-13(2)[3][b]"
-                              }
-                            ],
-                            "prose": "organization-defined emergency responders."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems documentation\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for providing automatic\n                     notifications of any activation of fire suppression devices/systems to\n                     appropriate personnel, roles, and emergency responders\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing fire suppression\n                     devices/systems\\n\\nactivation of fire suppression devices/systems (simulated)\\n\\nautomated notifications"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-13.3",
-                "class": "SP800-53-enhancement",
-                "title": "Automatic Fire Suppression",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-13(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-13.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-13.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs an automatic fire suppression capability for the\n                  information system when the facility is not staffed on a continuous basis."
-                  },
-                  {
-                    "id": "pe-13.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs an automatic fire suppression capability for\n                  the information system when the facility is not staffed on a continuous basis.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems documentation\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for providing automatic\n                     notifications of any activation of fire suppression devices/systems to\n                     appropriate personnel, roles, and emergency responders\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing fire suppression\n                     devices/systems\\n\\nactivation of fire suppression devices/systems (simulated)"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-14",
-            "class": "SP800-53",
-            "title": "Temperature and Humidity Controls",
-            "parameters": [
-              {
-                "id": "pe-14_prm_1",
-                "label": "organization-defined acceptable levels",
-                "constraints": [
-                  {
-                    "detail": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "continuously"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-14"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-14"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-14_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-14_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Maintains temperature and humidity levels within the facility where the\n                  information system resides at {{ pe-14_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-14_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Monitors temperature and humidity levels {{ pe-14_prm_2 }}."
-                  },
-                  {
-                    "id": "pe-14_fr",
-                    "name": "item",
-                    "title": "PE-14(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "pe-14_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider measures temperature at server inlets and humidity levels by dew point."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources, for example, data centers, server rooms, and mainframe computer\n               rooms.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-14.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-14(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-14.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[1]"
-                          }
-                        ],
-                        "prose": "defines acceptable temperature levels to be maintained within the facility\n                     where the information system resides;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[2]"
-                          }
-                        ],
-                        "prose": "defines acceptable humidity levels to be maintained within the facility where\n                     the information system resides;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[3]"
-                          }
-                        ],
-                        "prose": "maintains temperature levels within the facility where the information system\n                     resides at the organization-defined levels;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[4]"
-                          }
-                        ],
-                        "prose": "maintains humidity levels within the facility where the information system\n                     resides at the organization-defined levels;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-14.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-14(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-14.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to monitor temperature levels;"
-                      },
-                      {
-                        "id": "pe-14.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to monitor humidity levels;"
-                      },
-                      {
-                        "id": "pe-14.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[3]"
-                          }
-                        ],
-                        "prose": "monitors temperature levels with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "pe-14.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[4]"
-                          }
-                        ],
-                        "prose": "monitors humidity levels with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity control\\n\\nsecurity plan\\n\\ntemperature and humidity controls\\n\\nfacility housing the information system\\n\\ntemperature and humidity controls documentation\\n\\ntemperature and humidity records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing maintenance and monitoring of\n                  temperature and humidity levels"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-14.2",
-                "class": "SP800-53-enhancement",
-                "title": "Monitoring with Alarms / Notifications",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-14(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-14.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-14.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs temperature and humidity monitoring that provides an\n                  alarm or notification of changes potentially harmful to personnel or\n                  equipment."
-                  },
-                  {
-                    "id": "pe-14.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pe-14.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(2)[1]"
-                          }
-                        ],
-                        "prose": "employs temperature monitoring that provides an alarm of changes potentially\n                     harmful to personnel or equipment; and/or"
-                      },
-                      {
-                        "id": "pe-14.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(2)[2]"
-                          }
-                        ],
-                        "prose": "employs temperature monitoring that provides notification of changes\n                     potentially harmful to personnel or equipment;"
-                      },
-                      {
-                        "id": "pe-14.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(2)[3]"
-                          }
-                        ],
-                        "prose": "employs humidity monitoring that provides an alarm of changes potentially\n                     harmful to personnel or equipment; and/or"
-                      },
-                      {
-                        "id": "pe-14.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(2)[4]"
-                          }
-                        ],
-                        "prose": "employs humidity monitoring that provides notification of changes potentially\n                     harmful to personnel or equipment."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity monitoring\\n\\nfacility housing the information system\\n\\nlogs or records of temperature and humidity monitoring\\n\\nrecords of changes to temperature and humidity levels that generate alarms or\n                     notifications\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for information system\n                     environmental controls\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing temperature and humidity\n                     monitoring"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-15",
-            "class": "SP800-53",
-            "title": "Water Damage Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-15_smt",
-                "name": "statement",
-                "prose": "The organization protects the information system from damage resulting from water\n               leakage by providing master shutoff or isolation valves that are accessible, working\n               properly, and known to key personnel."
-              },
-              {
-                "id": "pe-15_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Isolation valves can be employed in addition to or in lieu of master\n               shutoff valves to shut off water supplies in specific areas of concern, without\n               affecting entire organizations.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-15_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization protects the information system from damage resulting\n               from water leakage by providing master shutoff or isolation valves that are: ",
-                "parts": [
-                  {
-                    "id": "pe-15_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[1]"
-                      }
-                    ],
-                    "prose": "accessible;"
-                  },
-                  {
-                    "id": "pe-15_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[2]"
-                      }
-                    ],
-                    "prose": "working properly; and"
-                  },
-                  {
-                    "id": "pe-15_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[3]"
-                      }
-                    ],
-                    "prose": "known to key personnel."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nmaster shutoff valves\\n\\nlist of key personnel with knowledge of location and activation procedures for\n                  master shutoff valves for the plumbing system\\n\\nmaster shutoff valve documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Master water-shutoff valves\\n\\norganizational process for activating master water-shutoff"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-15.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automation Support",
-                "parameters": [
-                  {
-                    "id": "pe-15.1_prm_1",
-                    "label": "organization-defined personnel or roles",
-                    "constraints": [
-                      {
-                        "detail": "service provider building maintenance/physical security personnel"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-15(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-15.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-15.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to detect the presence of water in\n                  the vicinity of the information system and alerts {{ pe-15.1_prm_1 }}."
-                  },
-                  {
-                    "id": "pe-15.1_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms can include, for example, water detection sensors, alarms,\n                  and notification systems."
-                  },
-                  {
-                    "id": "pe-15.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pe-15.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-15(1)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be alerted when the presence of water is detected\n                     in the vicinity of the information system;"
-                      },
-                      {
-                        "id": "pe-15.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-15(1)[2]"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to detect the presence of water in the vicinity of\n                     the information system; and"
-                      },
-                      {
-                        "id": "pe-15.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-15(1)[3]"
-                          }
-                        ],
-                        "prose": "alerts organization-defined personnel or roles when the presence of water is\n                     detected in the vicinity of the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nautomated mechanisms for water shutoff valves\\n\\nautomated mechanisms detecting presence of water in vicinity of information\n                     system\\n\\nalerts/notifications of water detection in information system facility\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for information system\n                     environmental controls\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing water detection capability\n                     and alerts for the information system"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-16",
-            "class": "SP800-53",
-            "title": "Delivery and Removal",
-            "parameters": [
-              {
-                "id": "pe-16_prm_1",
-                "label": "organization-defined types of information system components",
-                "constraints": [
-                  {
-                    "detail": "all information system components"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-16"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-16_smt",
-                "name": "statement",
-                "prose": "The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}\n               entering and exiting the facility and maintains records of those items."
-              },
-              {
-                "id": "pe-16_gdn",
-                "name": "guidance",
-                "prose": "Effectively enforcing authorizations for entry and exit of information system\n               components may require restricting access to delivery areas and possibly isolating\n               the areas from the information system and media libraries.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "pe-16_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-16_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[1]"
-                      }
-                    ],
-                    "prose": "defines types of information system components to be authorized, monitored, and\n                  controlled as such components are entering and exiting the facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[2]"
-                      }
-                    ],
-                    "prose": "authorizes organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[3]"
-                      }
-                    ],
-                    "prose": "monitors organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[4]"
-                      }
-                    ],
-                    "prose": "controls organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[5]"
-                      }
-                    ],
-                    "prose": "authorizes organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[6]"
-                      }
-                    ],
-                    "prose": "monitors organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.7",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[7]"
-                      }
-                    ],
-                    "prose": "controls organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.8",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[8]"
-                      }
-                    ],
-                    "prose": "maintains records of information system components entering the facility; and"
-                  },
-                  {
-                    "id": "pe-16_obj.9",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[9]"
-                      }
-                    ],
-                    "prose": "maintains records of information system components exiting the facility."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing delivery and removal of information system components from\n                  the facility\\n\\nsecurity plan\\n\\nfacility housing the information system\\n\\nrecords of items entering and exiting the facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for controlling information system\n                  components entering and exiting the facility\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for authorizing, monitoring, and controlling information\n                  system-related items entering and exiting the facility\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling information system-related items entering and exiting the facility"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-17",
-            "class": "SP800-53",
-            "title": "Alternate Work Site",
-            "parameters": [
-              {
-                "id": "pe-17_prm_1",
-                "label": "organization-defined security controls"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-17"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5309d4d0-46f8-4213-a749-e7584164e5e8",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-46"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-17_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-17_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs {{ pe-17_prm_1 }} at alternate work sites;"
-                  },
-                  {
-                    "id": "pe-17_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assesses as feasible, the effectiveness of security controls at alternate work\n                  sites; and"
-                  },
-                  {
-                    "id": "pe-17_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides a means for employees to communicate with information security personnel\n                  in case of security incidents or problems."
-                  }
-                ]
-              },
-              {
-                "id": "pe-17_gdn",
-                "name": "guidance",
-                "prose": "Alternate work sites may include, for example, government facilities or private\n               residences of employees. While commonly distinct from alternative processing sites,\n               alternate work sites may provide readily available alternate locations as part of\n               contingency operations. Organizations may define different sets of security controls\n               for specific alternate work sites or types of sites depending on the work-related\n               activities conducted at those sites. This control supports the contingency planning\n               activities of organizations and the federal telework initiative.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "pe-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-17.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-17(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-17.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-17(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security controls to be employed at alternate work sites;"
-                      },
-                      {
-                        "id": "pe-17.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-17(a)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined security controls at alternate work sites;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-17.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-17(b)"
-                      }
-                    ],
-                    "prose": "assesses, as feasible, the effectiveness of security controls at alternate work\n                  sites; and"
-                  },
-                  {
-                    "id": "pe-17.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-17(c)"
-                      }
-                    ],
-                    "prose": "provides a means for employees to communicate with information security personnel\n                  in case of security incidents or problems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing alternate work sites for organizational personnel\\n\\nsecurity plan\\n\\nlist of security controls required for alternate work sites\\n\\nassessments of security controls at alternate work sites\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel approving use of alternate work sites\\n\\norganizational personnel using alternate work sites\\n\\norganizational personnel assessing controls at alternate work sites\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security at alternate work sites\\n\\nautomated mechanisms supporting alternate work sites\\n\\nsecurity controls employed at alternate work sites\\n\\nmeans of communications between personnel at alternate work sites and security\n                  personnel"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-18",
-            "class": "SP800-53",
-            "title": "Location of Information System Components",
-            "parameters": [
-              {
-                "id": "pe-18_prm_1",
-                "label": "organization-defined physical and environmental hazards",
-                "constraints": [
-                  {
-                    "detail": "physical and environmental hazards identified during threat assessment"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-18"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-18_smt",
-                "name": "statement",
-                "prose": "The organization positions information system components within the facility to\n               minimize potential damage from {{ pe-18_prm_1 }} and to minimize the\n               opportunity for unauthorized access."
-              },
-              {
-                "id": "pe-18_gdn",
-                "name": "guidance",
-                "prose": "Physical and environmental hazards include, for example, flooding, fire, tornados,\n               earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse,\n               electrical interference, and other forms of incoming electromagnetic radiation. In\n               addition, organizations consider the location of physical entry points where\n               unauthorized individuals, while not being granted access, might nonetheless be in\n               close proximity to information systems and therefore increase the potential for\n               unauthorized access to organizational communications (e.g., through the use of\n               wireless sniffers or microphones).",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#pe-19",
-                    "rel": "related",
-                    "text": "PE-19"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-18_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-18_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-18[1]"
-                      }
-                    ],
-                    "prose": "defines physical hazards that could result in potential damage to information\n                  system components within the facility;"
-                  },
-                  {
-                    "id": "pe-18_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-18[2]"
-                      }
-                    ],
-                    "prose": "defines environmental hazards that could result in potential damage to information\n                  system components within the facility;"
-                  },
-                  {
-                    "id": "pe-18_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-18[3]"
-                      }
-                    ],
-                    "prose": "positions information system components within the facility to minimize potential\n                  damage from organization-defined physical and environmental hazards; and"
-                  },
-                  {
-                    "id": "pe-18_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-18[4]"
-                      }
-                    ],
-                    "prose": "positions information system components within the facility to minimize the\n                  opportunity for unauthorized access."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing positioning of information system components\\n\\ndocumentation providing the location and position of information system components\n                  within the facility\\n\\nlocations housing information system components within the facility\\n\\nlist of physical and environmental hazards with potential to damage information\n                  system components within the facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for positioning information system\n                  components\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for positioning information system components"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "pl",
-        "class": "family",
-        "title": "Planning",
-        "controls": [
-          {
-            "id": "pl-1",
-            "class": "SP800-53",
-            "title": "Security Planning Policy and Procedures",
-            "parameters": [
-              {
-                "id": "pl-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pl-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PL-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ pl-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "pl-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "pl-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security planning policy and\n                     associated security planning controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "pl-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security planning policy {{ pl-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "pl-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security planning procedures {{ pl-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PL\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "pl-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a planning policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "pl-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "pl-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the planning policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pl-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the planning policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pl-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        planning policy and associated planning controls;"
-                          },
-                          {
-                            "id": "pl-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pl-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current planning policy;"
-                          },
-                          {
-                            "id": "pl-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current planning policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pl-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current planning procedures;\n                        and"
-                          },
-                          {
-                            "id": "pl-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current planning procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Planning policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-2",
-            "class": "SP800-53",
-            "title": "System Security Plan",
-            "parameters": [
-              {
-                "id": "pl-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pl-2_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PL-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a security plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Is consistent with the organization’s enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Explicitly defines the authorization boundary for the system;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Describes the operational context of the information system in terms of\n                     missions and business processes;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Provides the security categorization of the information system including\n                     supporting rationale;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Provides an overview of the security requirements for the system;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.7",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "7."
-                          }
-                        ],
-                        "prose": "Identifies any relevant overlays, if applicable;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.8",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "8."
-                          }
-                        ],
-                        "prose": "Describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring decisions; and"
-                      },
-                      {
-                        "id": "pl-2_smt.a.9",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "9."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the security plan and communicates subsequent changes to the\n                  plan to {{ pl-2_prm_1 }};"
-                  },
-                  {
-                    "id": "pl-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the security plan for the information system {{ pl-2_prm_2 }};"
-                  },
-                  {
-                    "id": "pl-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Updates the plan to address changes to the information system/environment of\n                  operation or problems identified during plan implementation or security control\n                  assessments; and"
-                  },
-                  {
-                    "id": "pl-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Protects the security plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "id": "pl-2_gdn",
-                "name": "guidance",
-                "prose": "Security plans relate security requirements to a set of security controls and control\n               enhancements. Security plans also describe, at a high level, how the security\n               controls and control enhancements meet those security requirements, but do not\n               provide detailed, technical descriptions of the specific design or implementation of\n               the controls/enhancements. Security plans contain sufficient information (including\n               the specification of parameter values for assignment and selection statements either\n               explicitly or by reference) to enable a design and implementation that is\n               unambiguously compliant with the intent of the plans and subsequent determinations of\n               risk to organizational operations and assets, individuals, other organizations, and\n               the Nation if the plan is implemented as intended. Organizations can also apply\n               tailoring guidance to the security control baselines in Appendix D and CNSS\n               Instruction 1253 to develop overlays for community-wide use or to address specialized\n               requirements, technologies, or missions/environments of operation (e.g.,\n               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and\n               Access Management, space operations). Appendix I provides guidance on developing\n               overlays. Security plans need not be single documents; the plans can be a collection\n               of various documents including documents that already exist. Effective security plans\n               make extensive use of references to policies, procedures, and additional documents\n               (e.g., design and implementation specifications) where more detailed information can\n               be obtained. This reduces the documentation requirements associated with security\n               programs and maintains security-related information in other established\n               management/operational areas related to enterprise architecture, system development\n               life cycle, systems engineering, and acquisition. For example, security plans do not\n               contain detailed contingency plan or incident response plan information but instead\n               provide explicitly or by reference, sufficient information to define what needs to be\n               accomplished by those plans.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pl-7",
-                    "rel": "related",
-                    "text": "PL-7"
-                  },
-                  {
-                    "href": "#pm-1",
-                    "rel": "related",
-                    "text": "PM-1"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#pm-8",
-                    "rel": "related",
-                    "text": "PM-8"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-17",
-                    "rel": "related",
-                    "text": "SA-17"
-                  }
-                ]
-              },
-              {
-                "id": "pl-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(a)"
-                      }
-                    ],
-                    "prose": "develops a security plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(1)"
-                          }
-                        ],
-                        "prose": "is consistent with the organization’s enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(2)"
-                          }
-                        ],
-                        "prose": "explicitly defines the authorization boundary for the system;"
-                      },
-                      {
-                        "id": "pl-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(3)"
-                          }
-                        ],
-                        "prose": "describes the operational context of the information system in terms of\n                     missions and business processes;"
-                      },
-                      {
-                        "id": "pl-2.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(4)"
-                          }
-                        ],
-                        "prose": "provides the security categorization of the information system including\n                     supporting rationale;"
-                      },
-                      {
-                        "id": "pl-2.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(5)"
-                          }
-                        ],
-                        "prose": "describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"
-                      },
-                      {
-                        "id": "pl-2.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(6)"
-                          }
-                        ],
-                        "prose": "provides an overview of the security requirements for the system;"
-                      },
-                      {
-                        "id": "pl-2.a.7_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(7)"
-                          }
-                        ],
-                        "prose": "identifies any relevant overlays, if applicable;"
-                      },
-                      {
-                        "id": "pl-2.a.8_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(8)"
-                          }
-                        ],
-                        "prose": "describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring and supplemental\n                     decisions;"
-                      },
-                      {
-                        "id": "pl-2.a.9_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(9)"
-                          }
-                        ],
-                        "prose": "is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom copies of the security plan are to be\n                     distributed and subsequent changes to the plan are to be communicated;"
-                      },
-                      {
-                        "id": "pl-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the security plan and communicates subsequent changes to\n                     the plan to organization-defined personnel or roles;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the security plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "pl-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the security plan for the information system with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-2(d)"
-                      }
-                    ],
-                    "prose": "updates the plan to address:",
-                    "parts": [
-                      {
-                        "id": "pl-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[1]"
-                          }
-                        ],
-                        "prose": "changes to the information system/environment of operation;"
-                      },
-                      {
-                        "id": "pl-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[2]"
-                          }
-                        ],
-                        "prose": "problems identified during plan implementation;"
-                      },
-                      {
-                        "id": "pl-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[3]"
-                          }
-                        ],
-                        "prose": "problems identified during security control assessments;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-2(e)"
-                      }
-                    ],
-                    "prose": "protects the security plan from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "pl-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(e)[1]"
-                          }
-                        ],
-                        "prose": "disclosure; and"
-                      },
-                      {
-                        "id": "pl-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(e)[2]"
-                          }
-                        ],
-                        "prose": "modification."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing security plan development and implementation\\n\\nprocedures addressing security plan reviews and updates\\n\\nenterprise architecture documentation\\n\\nsecurity plan for the information system\\n\\nrecords of security plan reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security plan development/review/update/approval\\n\\nautomated mechanisms supporting the information system security plan"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pl-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Plan / Coordinate with Other Organizational Entities",
-                "parameters": [
-                  {
-                    "id": "pl-2.3_prm_1",
-                    "label": "organization-defined individuals or groups"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PL-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pl-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pl-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization plans and coordinates security-related activities affecting the\n                  information system with {{ pl-2.3_prm_1 }} before conducting such\n                  activities in order to reduce the impact on other organizational entities."
-                  },
-                  {
-                    "id": "pl-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Security-related activities include, for example, security assessments, audits,\n                  hardware and software maintenance, patch management, and contingency plan testing.\n                  Advance planning and coordination includes emergency and nonemergency (i.e.,\n                  planned or nonurgent unplanned) situations. The process defined by organizations\n                  to plan and coordinate security-related activities can be included in security\n                  plans for information systems or other documents, as appropriate.",
-                    "links": [
-                      {
-                        "href": "#cp-4",
-                        "rel": "related",
-                        "text": "CP-4"
-                      },
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pl-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines individuals or groups with whom security-related activities affecting\n                     the information system are to be planned and coordinated before conducting such\n                     activities in order to reduce the impact on other organizational entities;\n                     and"
-                      },
-                      {
-                        "id": "pl-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(3)[2]"
-                          }
-                        ],
-                        "prose": "plans and coordinates security-related activities affecting the information\n                     system with organization-defined individuals or groups before conducting such\n                     activities in order to reduce the impact on other organizational entities."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security planning policy\\n\\naccess control policy\\n\\ncontingency planning policy\\n\\nprocedures addressing security-related activity planning for the information\n                     system\\n\\nsecurity plan for the information system\\n\\ncontingency plan for the information system\\n\\ninformation system design documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security planning and plan implementation\n                     responsibilities\\n\\norganizational individuals or groups with whom security-related activities are\n                     to be planned and coordinated\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-4",
-            "class": "SP800-53",
-            "title": "Rules of Behavior",
-            "parameters": [
-              {
-                "id": "pl-4_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PL-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and makes readily available to individuals requiring access to the\n                  information system, the rules that describe their responsibilities and expected\n                  behavior with regard to information and information system usage;"
-                  },
-                  {
-                    "id": "pl-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Receives a signed acknowledgment from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"
-                  },
-                  {
-                    "id": "pl-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pl-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Requires individuals who have signed a previous version of the rules of behavior\n                  to read and re-sign when the rules of behavior are revised/updated."
-                  }
-                ]
-              },
-              {
-                "id": "pl-4_gdn",
-                "name": "guidance",
-                "prose": "This control enhancement applies to organizational users. Organizations consider\n               rules of behavior based on individual user roles and responsibilities,\n               differentiating, for example, between rules that apply to privileged users and rules\n               that apply to general users. Establishing rules of behavior for some types of\n               non-organizational users including, for example, individuals who simply receive\n               data/information from federal information systems, is often not feasible given the\n               large number of such users and the limited nature of their interactions with the\n               systems. Rules of behavior for both organizational and non-organizational users can\n               also be established in AC-8, System Use Notification. PL-4 b. (the signed\n               acknowledgment portion of this control) may be satisfied by the security awareness\n               training and role-based security training programs conducted by organizations if such\n               training includes rules of behavior. Organizations can use electronic signatures for\n               acknowledging rules of behavior.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-8",
-                    "rel": "related",
-                    "text": "AC-8"
-                  },
-                  {
-                    "href": "#ac-9",
-                    "rel": "related",
-                    "text": "AC-9"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#mp-7",
-                    "rel": "related",
-                    "text": "MP-7"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#ps-8",
-                    "rel": "related",
-                    "text": "PS-8"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  }
-                ]
-              },
-              {
-                "id": "pl-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes, for individuals requiring access to the information system, the\n                     rules that describe their responsibilities and expected behavior with regard to\n                     information and information system usage;"
-                      },
-                      {
-                        "id": "pl-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(a)[2]"
-                          }
-                        ],
-                        "prose": "makes readily available to individuals requiring access to the information\n                     system, the rules that describe their responsibilities and expected behavior\n                     with regard to information and information system usage;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-4(b)"
-                      }
-                    ],
-                    "prose": "receives a signed acknowledgement from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"
-                  },
-                  {
-                    "id": "pl-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the rules of behavior;"
-                      },
-                      {
-                        "id": "pl-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the rules of behavior with the organization-defined\n                     frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-4(d)"
-                      }
-                    ],
-                    "prose": "requires individuals who have signed a previous version of the rules of behavior\n                  to read and resign when the rules of behavior are revised/updated."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nsigned acknowledgements\\n\\nrecords for rules of behavior reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for establishing, reviewing, and\n                  updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                  have signed and resigned rules of behavior\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for establishing, reviewing, disseminating, and updating\n                  rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment, review,\n                  dissemination, and update of rules of behavior"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pl-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Social Media and Networking Restrictions",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PL-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pl-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pl-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization includes in the rules of behavior, explicit restrictions on the\n                  use of social media/networking sites and posting organizational information on\n                  public websites."
-                  },
-                  {
-                    "id": "pl-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement addresses rules of behavior related to the use of social\n                  media/networking sites: (i) when organizational personnel are using such sites for\n                  official duties or in the conduct of official business; (ii) when organizational\n                  information is involved in social media/networking transactions; and (iii) when\n                  personnel are accessing social media/networking sites from organizational\n                  information systems. Organizations also address specific rules that prevent\n                  unauthorized entities from obtaining and/or inferring non-public organizational\n                  information (e.g., system account information, personally identifiable\n                  information) from social media/networking sites."
-                  },
-                  {
-                    "id": "pl-4.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization includes the following in the rules of behavior: ",
-                    "parts": [
-                      {
-                        "id": "pl-4.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(1)[1]"
-                          }
-                        ],
-                        "prose": "explicit restrictions on the use of social media/networking sites; and"
-                      },
-                      {
-                        "id": "pl-4.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(1)[2]"
-                          }
-                        ],
-                        "prose": "posting organizational information on public websites."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for establishing, reviewing, and\n                     updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                     have signed rules of behavior\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for establishing rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment of rules\n                     of behavior"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-8",
-            "class": "SP800-53",
-            "title": "Information Security Architecture",
-            "parameters": [
-              {
-                "id": "pl-8_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PL-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops an information security architecture for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Describes the overall philosophy, requirements, and approach to be taken with\n                     regard to protecting the confidentiality, integrity, and availability of\n                     organizational information;"
-                      },
-                      {
-                        "id": "pl-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Describes how the information security architecture is integrated into and\n                     supports the enterprise architecture; and"
-                      },
-                      {
-                        "id": "pl-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Describes any information security assumptions about, and dependencies on,\n                     external services;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the information security architecture {{ pl-8_prm_1 }} to reflect updates in the enterprise architecture;\n                  and"
-                  },
-                  {
-                    "id": "pl-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that planned information security architecture changes are reflected in\n                  the security plan, the security Concept of Operations (CONOPS), and organizational\n                  procurements/acquisitions."
-                  },
-                  {
-                    "id": "pl-8_fr",
-                    "name": "item",
-                    "title": "PL-8(b) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "pl-8_fr_gdn.b",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b) Guidance:"
-                          }
-                        ],
-                        "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pl-8_gdn",
-                "name": "guidance",
-                "prose": "This control addresses actions taken by organizations in the design and development\n               of information systems. The information security architecture at the individual\n               information system level is consistent with and complements the more global,\n               organization-wide information security architecture described in PM-7 that is\n               integral to and developed as part of the enterprise architecture. The information\n               security architecture includes an architectural description, the placement/allocation\n               of security functionality (including security controls), security-related information\n               for external interfaces, information being exchanged across the interfaces, and the\n               protection mechanisms associated with each interface. In addition, the security\n               architecture can include other important security-related information, for example,\n               user roles and access privileges assigned to each role, unique security requirements,\n               the types of information processed, stored, and transmitted by the information\n               system, restoration priorities of information and information system services, and\n               any other specific protection needs. In today’s modern architecture, it is becoming\n               less common for organizations to control all information resources. There are going\n               to be key dependencies on external information services and service providers.\n               Describing such dependencies in the information security architecture is important to\n               developing a comprehensive mission/business protection strategy. Establishing,\n               developing, documenting, and maintaining under configuration control, a baseline\n               configuration for organizational information systems is critical to implementing and\n               maintaining an effective information security architecture. The development of the\n               information security architecture is coordinated with the Senior Agency Official for\n               Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to\n               support privacy requirements are identified and effectively implemented. PL-8 is\n               primarily directed at organizations (i.e., internally focused) to help ensure that\n               organizations develop an information security architecture for the information\n               system, and that the security architecture is integrated with or tightly coupled to\n               the enterprise architecture through the organization-wide information security\n               architecture. In contrast, SA-17 is primarily directed at external information\n               technology product/system developers and integrators (although SA-17 could be used\n               internally within organizations for in-house system development). SA-17, which is\n               complementary to PL-8, is selected when organizations outsource the development of\n               information systems or information system components to external entities, and there\n               is a need to demonstrate/show consistency with the organization’s enterprise\n               architecture and information security architecture.",
-                "links": [
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-17",
-                    "rel": "related",
-                    "text": "SA-17"
-                  },
-                  {
-                    "href": "https://doi.org/10.6028/NIST.SP.800-53r4",
-                    "rel": "related",
-                    "text": "Appendix J"
-                  }
-                ]
-              },
-              {
-                "id": "pl-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-8(a)"
-                      }
-                    ],
-                    "prose": "develops an information security architecture for the information system that\n                  describes:",
-                    "parts": [
-                      {
-                        "id": "pl-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(a)(1)"
-                          }
-                        ],
-                        "prose": "the overall philosophy, requirements, and approach to be taken with regard to\n                     protecting the confidentiality, integrity, and availability of organizational\n                     information;"
-                      },
-                      {
-                        "id": "pl-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(a)(2)"
-                          }
-                        ],
-                        "prose": "how the information security architecture is integrated into and supports the\n                     enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(a)(3)"
-                          }
-                        ],
-                        "prose": "any information security assumptions about, and dependencies on, external\n                     services;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the information security\n                     architecture;"
-                      },
-                      {
-                        "id": "pl-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the information security architecture with the\n                     organization-defined frequency to reflect updates in the enterprise\n                     architecture;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-8(c)"
-                      }
-                    ],
-                    "prose": "ensures that planned information security architecture changes are reflected\n                  in:",
-                    "parts": [
-                      {
-                        "id": "pl-8.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(c)[1]"
-                          }
-                        ],
-                        "prose": "the security plan;"
-                      },
-                      {
-                        "id": "pl-8.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(c)[2]"
-                          }
-                        ],
-                        "prose": "the security Concept of Operations (CONOPS); and"
-                      },
-                      {
-                        "id": "pl-8.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(c)[3]"
-                          }
-                        ],
-                        "prose": "the organizational procurements/acquisitions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing information security architecture development\\n\\nprocedures addressing information security architecture reviews and updates\\n\\nenterprise architecture documentation\\n\\ninformation security architecture documentation\\n\\nsecurity plan for the information system\\n\\nsecurity CONOPS for the information system\\n\\nrecords of information security architecture reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security architecture development\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for developing, reviewing, and updating the information\n                  security architecture\\n\\nautomated mechanisms supporting and/or implementing the development, review, and\n                  update of the information security architecture"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ps",
-        "class": "family",
-        "title": "Personnel Security",
-        "controls": [
-          {
-            "id": "ps-1",
-            "class": "SP800-53",
-            "title": "Personnel Security Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ps-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ps-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ps-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A personnel security policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ps-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the personnel security policy\n                     and associated personnel security controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ps-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Personnel security policy {{ ps-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ps-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Personnel security procedures {{ ps-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PS\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an personnel security policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ps-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ps-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the personnel security policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ps-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the personnel security policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        personnel security policy and associated personnel security controls;"
-                          },
-                          {
-                            "id": "ps-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ps-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current personnel security\n                        policy;"
-                          },
-                          {
-                            "id": "ps-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current personnel security policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current personnel security\n                        procedures; and"
-                          },
-                          {
-                            "id": "ps-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current personnel security procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-2",
-            "class": "SP800-53",
-            "title": "Position Risk Designation",
-            "parameters": [
-              {
-                "id": "ps-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-                "rel": "reference",
-                "text": "5 C.F.R. 731.106"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Assigns a risk designation to all organizational positions;"
-                  },
-                  {
-                    "id": "ps-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishes screening criteria for individuals filling those positions; and"
-                  },
-                  {
-                    "id": "ps-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates position risk designations {{ ps-2_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-2_gdn",
-                "name": "guidance",
-                "prose": "Position risk designations reflect Office of Personnel Management policy and\n               guidance. Risk designations can guide and inform the types of authorizations\n               individuals receive when accessing organizational information and information\n               systems. Position screening criteria include explicit information security role\n               appointment requirements (e.g., training, security clearances).",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  }
-                ]
-              },
-              {
-                "id": "ps-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-2(a)"
-                      }
-                    ],
-                    "prose": "assigns a risk designation to all organizational positions;"
-                  },
-                  {
-                    "id": "ps-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-2(b)"
-                      }
-                    ],
-                    "prose": "establishes screening criteria for individuals filling those positions;"
-                  },
-                  {
-                    "id": "ps-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update position risk designations; and"
-                      },
-                      {
-                        "id": "ps-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates position risk designations with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing position categorization\\n\\nappropriate codes of federal regulations\\n\\nlist of risk designations for organizational positions\\n\\nsecurity plan\\n\\nrecords of position risk designation reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for assigning, reviewing, and updating position risk\n                  designations\\n\\norganizational processes for establishing screening criteria"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-3",
-            "class": "SP800-53",
-            "title": "Personnel Screening",
-            "parameters": [
-              {
-                "id": "ps-3_prm_1",
-                "label": "organization-defined conditions requiring rescreening and, where rescreening is\n               so indicated, the frequency of such rescreening",
-                "constraints": [
-                  {
-                    "detail": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-                "rel": "reference",
-                "text": "5 C.F.R. 731.106"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#6caa237b-531b-43ac-9711-d8f6b97b0377",
-                "rel": "reference",
-                "text": "ICD 704"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Screens individuals prior to authorizing access to the information system; and"
-                  },
-                  {
-                    "id": "ps-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Rescreens individuals according to {{ ps-3_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-3_gdn",
-                "name": "guidance",
-                "prose": "Personnel screening and rescreening activities reflect applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, guidance, and\n               specific criteria established for the risk designations of assigned positions.\n               Organizations may define different rescreening conditions and frequencies for\n               personnel accessing information systems based on types of information processed,\n               stored, or transmitted by the systems.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  }
-                ]
-              },
-              {
-                "id": "ps-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-3(a)"
-                      }
-                    ],
-                    "prose": "screens individuals prior to authorizing access to the information system;"
-                  },
-                  {
-                    "id": "ps-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines conditions requiring re-screening;"
-                      },
-                      {
-                        "id": "ps-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency of re-screening where it is so indicated; and"
-                      },
-                      {
-                        "id": "ps-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[3]"
-                          }
-                        ],
-                        "prose": "re-screens individuals in accordance with organization-defined conditions\n                     requiring re-screening and, where re-screening is so indicated, with the\n                     organization-defined frequency of such re-screening."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel screening"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ps-3.3",
-                "class": "SP800-53-enhancement",
-                "title": "Information with Special Protection Measures",
-                "parameters": [
-                  {
-                    "id": "ps-3.3_prm_1",
-                    "label": "organization-defined additional personnel screening criteria",
-                    "constraints": [
-                      {
-                        "detail": "personnel screening criteria - as required by specific information"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PS-3(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ps-03.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ps-3.3_smt",
-                    "name": "statement",
-                    "prose": "The organization ensures that individuals accessing an information system\n                  processing, storing, or transmitting information requiring special protection:",
-                    "parts": [
-                      {
-                        "id": "ps-3.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Have valid access authorizations that are demonstrated by assigned official\n                     government duties; and"
-                      },
-                      {
-                        "id": "ps-3.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Satisfy {{ ps-3.3_prm_1 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-3.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational information requiring special protection includes, for example,\n                  Controlled Unclassified Information (CUI) and Sources and Methods Information\n                  (SAMI). Personnel security criteria include, for example, position sensitivity\n                  background screening requirements."
-                  },
-                  {
-                    "id": "ps-3.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ps-3.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(3)(a)"
-                          }
-                        ],
-                        "prose": "ensures that individuals accessing an information system processing, storing,\n                     or transmitting information requiring special protection have valid access\n                     authorizations that are demonstrated by assigned official government\n                     duties;",
-                        "links": [
-                          {
-                            "href": "#ps-3.3_smt.a",
-                            "rel": "corresp",
-                            "text": "PS-3(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-3.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-3(3)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-3.3.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-3(3)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines additional personnel screening criteria to be satisfied for\n                        individuals accessing an information system processing, storing, or\n                        transmitting information requiring special protection; and"
-                          },
-                          {
-                            "id": "ps-3.3.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-3(3)(b)[2]"
-                              }
-                            ],
-                            "prose": "ensures that individuals accessing an information system processing,\n                        storing, or transmitting information requiring special protection satisfy\n                        organization-defined additional personnel screening criteria."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ps-3.3_smt.b",
-                            "rel": "corresp",
-                            "text": "PS-3(3)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Personnel security policy\\n\\naccess control policy, procedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nscreening criteria\\n\\nrecords of access authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for ensuring valid access authorizations for\n                     information requiring special protection\\n\\norganizational process for additional personnel screening for information\n                     requiring special protection"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-4",
-            "class": "SP800-53",
-            "title": "Personnel Termination",
-            "parameters": [
-              {
-                "id": "ps-4_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "eight (8) hours"
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_prm_2",
-                "label": "organization-defined information security topics"
-              },
-              {
-                "id": "ps-4_prm_3",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-4_prm_4",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-4_smt",
-                "name": "statement",
-                "prose": "The organization, upon termination of individual employment:",
-                "parts": [
-                  {
-                    "id": "ps-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Disables information system access within {{ ps-4_prm_1 }};"
-                  },
-                  {
-                    "id": "ps-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Terminates/revokes any authenticators/credentials associated with the\n                  individual;"
-                  },
-                  {
-                    "id": "ps-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};"
-                  },
-                  {
-                    "id": "ps-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Retrieves all security-related organizational information system-related\n                  property;"
-                  },
-                  {
-                    "id": "ps-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Retains access to organizational information and information systems formerly\n                  controlled by terminated individual; and"
-                  },
-                  {
-                    "id": "ps-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_gdn",
-                "name": "guidance",
-                "prose": "Information system-related property includes, for example, hardware authentication\n               tokens, system administration technical manuals, keys, identification cards, and\n               building passes. Exit interviews ensure that terminated individuals understand the\n               security constraints imposed by being former employees and that proper accountability\n               is achieved for information system-related property. Security topics of interest at\n               exit interviews can include, for example, reminding terminated individuals of\n               nondisclosure agreements and potential limitations on future employment. Exit\n               interviews may not be possible for some terminated individuals, for example, in cases\n               related to job abandonment, illnesses, and nonavailability of supervisors. Exit\n               interviews are important for individuals with security clearances. Timely execution\n               of termination actions is essential for individuals terminated for cause. In certain\n               situations, organizations consider disabling the information system accounts of\n               individuals that are being terminated prior to the individuals being notified.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization, upon termination of individual employment,:",
-                "parts": [
-                  {
-                    "id": "ps-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which to disable information system access;"
-                      },
-                      {
-                        "id": "ps-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(a)[2]"
-                          }
-                        ],
-                        "prose": "disables information system access within the organization-defined time\n                     period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(b)"
-                      }
-                    ],
-                    "prose": "terminates/revokes any authenticators/credentials associated with the\n                  individual;"
-                  },
-                  {
-                    "id": "ps-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(c)[1]"
-                          }
-                        ],
-                        "prose": "defines information security topics to be discussed when conducting exit\n                     interviews;"
-                      },
-                      {
-                        "id": "ps-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(c)[2]"
-                          }
-                        ],
-                        "prose": "conducts exit interviews that include a discussion of organization-defined\n                     information security topics;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(d)"
-                      }
-                    ],
-                    "prose": "retrieves all security-related organizational information system-related\n                  property;"
-                  },
-                  {
-                    "id": "ps-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(e)"
-                      }
-                    ],
-                    "prose": "retains access to organizational information and information systems formerly\n                  controlled by the terminated individual;"
-                  },
-                  {
-                    "id": "ps-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified of the termination;"
-                      },
-                      {
-                        "id": "ps-4.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to notify organization-defined personnel\n                     or roles; and"
-                      },
-                      {
-                        "id": "ps-4.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\nrecords of personnel termination actions\\n\\nlist of information system accounts\\n\\nrecords of terminated or revoked authenticators/credentials\\n\\nrecords of exit interviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ps-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Notification",
-                "parameters": [
-                  {
-                    "id": "ps-4.2_prm_1",
-                    "label": "organization-defined personnel or roles",
-                    "constraints": [
-                      {
-                        "detail": "access control personnel responsible for disabling access to the system"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PS-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ps-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ps-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to notify {{ ps-4.2_prm_1 }} upon termination of an individual."
-                  },
-                  {
-                    "id": "ps-4.2_gdn",
-                    "name": "guidance",
-                    "prose": "In organizations with a large number of employees, not all personnel who need to\n                  know about termination actions receive the appropriate notifications—or, if such\n                  notifications are received, they may not occur in a timely manner. Automated\n                  mechanisms can be used to send automatic alerts or notifications to specific\n                  organizational personnel or roles (e.g., management personnel, supervisors,\n                  personnel security officers, information security officers, systems\n                  administrators, or information technology administrators) when individuals are\n                  terminated. Such automatic alerts or notifications can be conveyed in a variety of\n                  ways, including, for example, telephonically, via electronic mail, via text\n                  message, or via websites."
-                  },
-                  {
-                    "id": "ps-4.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ps-4.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(2)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified upon termination of an individual;\n                     and"
-                      },
-                      {
-                        "id": "ps-4.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(2)[2]"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to notify organization-defined personnel or roles\n                     upon termination of an individual."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of personnel termination actions\\n\\nautomated notifications of employee terminations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                     notifications"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-5",
-            "class": "SP800-53",
-            "title": "Personnel Transfer",
-            "parameters": [
-              {
-                "id": "ps-5_prm_1",
-                "label": "organization-defined transfer or reassignment actions"
-              },
-              {
-                "id": "ps-5_prm_2",
-                "label": "organization-defined time period following the formal transfer action",
-                "constraints": [
-                  {
-                    "detail": "twenty-four (24) hours"
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_prm_3",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-5_prm_4",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "twenty-four (24) hours"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Reviews and confirms ongoing operational need for current logical and physical\n                  access authorizations to information systems/facilities when individuals are\n                  reassigned or transferred to other positions within the organization;"
-                  },
-                  {
-                    "id": "ps-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"
-                  },
-                  {
-                    "id": "ps-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer; and"
-                  },
-                  {
-                    "id": "ps-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_gdn",
-                "name": "guidance",
-                "prose": "This control applies when reassignments or transfers of individuals are permanent or\n               of such extended durations as to make the actions warranted. Organizations define\n               actions appropriate for the types of reassignments or transfers, whether permanent or\n               extended. Actions that may be required for personnel transfers or reassignments to\n               other positions within organizations include, for example: (i) returning old and\n               issuing new keys, identification cards, and building passes; (ii) closing information\n               system accounts and establishing new accounts; (iii) changing information system\n               access authorizations (i.e., privileges); and (iv) providing for access to official\n               records to which individuals had access at previous work locations and in previous\n               information system accounts.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(a)"
-                      }
-                    ],
-                    "prose": "when individuals are reassigned or transferred to other positions within the\n                  organization, reviews and confirms ongoing operational need for current:",
-                    "parts": [
-                      {
-                        "id": "ps-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(a)[1]"
-                          }
-                        ],
-                        "prose": "logical access authorizations to information systems;"
-                      },
-                      {
-                        "id": "ps-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(a)[2]"
-                          }
-                        ],
-                        "prose": "physical access authorizations to information systems and facilities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[1]"
-                          }
-                        ],
-                        "prose": "defines transfer or reassignment actions to be initiated following transfer or\n                     reassignment;"
-                      },
-                      {
-                        "id": "ps-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which transfer or reassignment actions must\n                     occur following transfer or reassignment;"
-                      },
-                      {
-                        "id": "ps-5.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[3]"
-                          }
-                        ],
-                        "prose": "initiates organization-defined transfer or reassignment actions within the\n                     organization-defined time period following transfer or reassignment;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-5(c)"
-                      }
-                    ],
-                    "prose": "modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer;"
-                  },
-                  {
-                    "id": "ps-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified when individuals are reassigned or\n                     transferred to other positions within the organization;"
-                      },
-                      {
-                        "id": "ps-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to notify organization-defined personnel\n                     or roles when individuals are reassigned or transferred to other positions\n                     within the organization; and"
-                      },
-                      {
-                        "id": "ps-5.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period when individuals are reassigned or transferred\n                     to other positions within the organization."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel transfer\\n\\nsecurity plan\\n\\nrecords of personnel transfer actions\\n\\nlist of information system and facility access authorizations\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities organizational\n                  personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel transfer\\n\\nautomated mechanisms supporting and/or implementing personnel transfer\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-6",
-            "class": "SP800-53",
-            "title": "Access Agreements",
-            "parameters": [
-              {
-                "id": "ps-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually and any time there is a change to the user's level of access"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops and documents access agreements for organizational information\n                  systems;"
-                  },
-                  {
-                    "id": "ps-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the access agreements {{ ps-6_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ps-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that individuals requiring access to organizational information and\n                  information systems:",
-                    "parts": [
-                      {
-                        "id": "ps-6_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Sign appropriate access agreements prior to being granted access; and"
-                      },
-                      {
-                        "id": "ps-6_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Re-sign access agreements to maintain access to organizational information\n                     systems when access agreements have been updated or {{ ps-6_prm_2 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_gdn",
-                "name": "guidance",
-                "prose": "Access agreements include, for example, nondisclosure agreements, acceptable use\n               agreements, rules of behavior, and conflict-of-interest agreements. Signed access\n               agreements include an acknowledgement that individuals have read, understand, and\n               agree to abide by the constraints associated with organizational information systems\n               to which access is authorized. Organizations can use electronic signatures to\n               acknowledge access agreements unless specifically prohibited by organizational\n               policy.",
-                "links": [
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  },
-                  {
-                    "href": "#ps-8",
-                    "rel": "related",
-                    "text": "PS-8"
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-6(a)"
-                      }
-                    ],
-                    "prose": "develops and documents access agreements for organizational information\n                  systems;"
-                  },
-                  {
-                    "id": "ps-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the access agreements;"
-                      },
-                      {
-                        "id": "ps-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the access agreements with the organization-defined\n                     frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-6.c.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(c)(1)"
-                          }
-                        ],
-                        "prose": "ensures that individuals requiring access to organizational information and\n                     information systems sign appropriate access agreements prior to being granted\n                     access;"
-                      },
-                      {
-                        "id": "ps-6.c.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-6(c)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-6.c.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-6(c)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been\n                        updated;"
-                          },
-                          {
-                            "id": "ps-6.c.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-6(c)(2)[2]"
-                              }
-                            ],
-                            "prose": "ensures that individuals requiring access to organizational information and\n                        information systems re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been updated\n                        or with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing access agreements for organizational information and\n                  information systems\\n\\nsecurity plan\\n\\naccess agreements\\n\\nrecords of access agreement reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel who have signed/resigned access agreements\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for access agreements\\n\\nautomated mechanisms supporting access agreements"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-7",
-            "class": "SP800-53",
-            "title": "Third-party Personnel Security",
-            "parameters": [
-              {
-                "id": "ps-7_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-7_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "terminations: immediately; transfers: within twenty-four (24) hours"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes personnel security requirements including security roles and\n                  responsibilities for third-party providers;"
-                  },
-                  {
-                    "id": "ps-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"
-                  },
-                  {
-                    "id": "ps-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents personnel security requirements;"
-                  },
-                  {
-                    "id": "ps-7_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Requires third-party providers to notify {{ ps-7_prm_1 }} of any\n                  personnel transfers or terminations of third-party personnel who possess\n                  organizational credentials and/or badges, or who have information system\n                  privileges within {{ ps-7_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ps-7_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Monitors provider compliance."
-                  }
-                ]
-              },
-              {
-                "id": "ps-7_gdn",
-                "name": "guidance",
-                "prose": "Third-party providers include, for example, service bureaus, contractors, and other\n               organizations providing information system development, information technology\n               services, outsourced applications, and network and security management. Organizations\n               explicitly include personnel security requirements in acquisition-related documents.\n               Third-party providers may have personnel working at organizational facilities with\n               credentials, badges, or information system privileges issued by organizations.\n               Notifications of third-party personnel changes ensure appropriate termination of\n               privileges and credentials. Organizations define the transfers and terminations\n               deemed reportable by security-related characteristics that include, for example,\n               functions, roles, and nature of credentials/privileges associated with individuals\n               transferred or terminated.",
-                "links": [
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  },
-                  {
-                    "href": "#sa-21",
-                    "rel": "related",
-                    "text": "SA-21"
-                  }
-                ]
-              },
-              {
-                "id": "ps-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(a)"
-                      }
-                    ],
-                    "prose": "establishes personnel security requirements, including security roles and\n                  responsibilities, for third-party providers;"
-                  },
-                  {
-                    "id": "ps-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(b)"
-                      }
-                    ],
-                    "prose": "requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"
-                  },
-                  {
-                    "id": "ps-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(c)"
-                      }
-                    ],
-                    "prose": "documents personnel security requirements;"
-                  },
-                  {
-                    "id": "ps-7.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-7(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-7.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"
-                      },
-                      {
-                        "id": "ps-7.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which third-party providers are required to\n                     notify organization-defined personnel or roles of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"
-                      },
-                      {
-                        "id": "ps-7.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[3]"
-                          }
-                        ],
-                        "prose": "requires third-party providers to notify organization-defined personnel or\n                     roles within the organization-defined time period of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-7.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(e)"
-                      }
-                    ],
-                    "prose": "monitors provider compliance."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing third-party personnel security\\n\\nlist of personnel security requirements\\n\\nacquisition documents\\n\\nservice-level agreements\\n\\ncompliance monitoring process\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\nthird-party providers\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing and monitoring third-party personnel\n                  security\\n\\nautomated mechanisms supporting and/or implementing monitoring of provider\n                  compliance"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-8",
-            "class": "SP800-53",
-            "title": "Personnel Sanctions",
-            "parameters": [
-              {
-                "id": "ps-8_prm_1",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "at a minimum, the ISSO and/or similar role within the organization"
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures; and"
-                  },
-                  {
-                    "id": "ps-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}\n                  when a formal employee sanctions process is initiated, identifying the individual\n                  sanctioned and the reason for the sanction."
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_gdn",
-                "name": "guidance",
-                "prose": "Organizational sanctions processes reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Sanctions processes are\n               described in access agreements and can be included as part of general personnel\n               policies and procedures for organizations. Organizations consult with the Office of\n               the General Counsel regarding matters of employee sanctions.",
-                "links": [
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-8(a)"
-                      }
-                    ],
-                    "prose": "employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures;"
-                  },
-                  {
-                    "id": "ps-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified when a formal employee sanctions\n                     process is initiated;"
-                      },
-                      {
-                        "id": "ps-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which organization-defined personnel or roles\n                     must be notified when a formal employee sanctions process is initiated; and"
-                      },
-                      {
-                        "id": "ps-8.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period when a formal employee sanctions process is\n                     initiated, identifying the individual sanctioned and the reason for the\n                     sanction."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel sanctions\\n\\nrules of behavior\\n\\nrecords of formal sanctions\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing personnel sanctions\\n\\nautomated mechanisms supporting and/or implementing notifications"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ra",
-        "class": "family",
-        "title": "Risk Assessment",
-        "controls": [
-          {
-            "id": "ra-1",
-            "class": "SP800-53",
-            "title": "Risk Assessment Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ra-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ra-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "RA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ra-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ra-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A risk assessment policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ra-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the risk assessment policy and\n                     associated risk assessment controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ra-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Risk assessment policy {{ ra-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ra-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Risk assessment procedures {{ ra-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the RA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a risk assessment policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ra-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ra-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the risk assessment policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ra-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the risk assessment policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        risk assessment policy and associated risk assessment controls;"
-                          },
-                          {
-                            "id": "ra-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ra-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current risk assessment\n                        policy;"
-                          },
-                          {
-                            "id": "ra-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current risk assessment policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current risk assessment\n                        procedures; and"
-                          },
-                          {
-                            "id": "ra-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current risk assessment procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "risk assessment policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-2",
-            "class": "SP800-53",
-            "title": "Security Categorization",
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"
-                  },
-                  {
-                    "id": "ra-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"
-                  },
-                  {
-                    "id": "ra-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that the authorizing official or authorizing official designated\n                  representative reviews and approves the security categorization decision."
-                  }
-                ]
-              },
-              {
-                "id": "ra-2_gdn",
-                "name": "guidance",
-                "prose": "Clearly defined authorization boundaries are a prerequisite for effective security\n               categorization decisions. Security categories describe the potential adverse impacts\n               to organizational operations, organizational assets, and individuals if\n               organizational information and information systems are comprised through a loss of\n               confidentiality, integrity, or availability. Organizations conduct the security\n               categorization process as an organization-wide activity with the involvement of chief\n               information officers, senior information security officers, information system\n               owners, mission/business owners, and information owners/stewards. Organizations also\n               consider the potential adverse impacts to other organizations and, in accordance with\n               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential\n               national-level adverse impacts. Security categorization processes carried out by\n               organizations facilitate the development of inventories of information assets, and\n               along with CM-8, mappings to specific information system components where information\n               is processed, stored, or transmitted.",
-                "links": [
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "ra-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(a)"
-                      }
-                    ],
-                    "prose": "categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"
-                  },
-                  {
-                    "id": "ra-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(b)"
-                      }
-                    ],
-                    "prose": "documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"
-                  },
-                  {
-                    "id": "ra-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(c)"
-                      }
-                    ],
-                    "prose": "ensures the authorizing official or authorizing official designated representative\n                  reviews and approves the security categorization decision."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing security categorization of organizational information and\n                  information systems\\n\\nsecurity plan\\n\\nsecurity categorization documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security categorization and risk assessment\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security categorization"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-3",
-            "class": "SP800-53",
-            "title": "Risk Assessment",
-            "parameters": [
-              {
-                "id": "ra-3_prm_1"
-              },
-              {
-                "id": "ra-3_prm_2",
-                "depends-on": "ra-3_prm_1",
-                "label": "organization-defined document",
-                "constraints": [
-                  {
-                    "detail": "security assessment report"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_prm_4",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ra-3_prm_5",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of the information system and the information it processes, stores, or\n                  transmits;"
-                  },
-                  {
-                    "id": "ra-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents risk assessment results in {{ ra-3_prm_1 }};"
-                  },
-                  {
-                    "id": "ra-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews risk assessment results {{ ra-3_prm_3 }};"
-                  },
-                  {
-                    "id": "ra-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Disseminates risk assessment results to {{ ra-3_prm_4 }}; and"
-                  },
-                  {
-                    "id": "ra-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are\n                  significant changes to the information system or environment of operation\n                  (including the identification of new threats and vulnerabilities), or other\n                  conditions that may impact the security state of the system."
-                  },
-                  {
-                    "id": "ra-3_fr",
-                    "name": "item",
-                    "title": "RA-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ra-3_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"
-                      },
-                      {
-                        "id": "ra-3_fr_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3 (d) Requirement:"
-                          }
-                        ],
-                        "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_gdn",
-                "name": "guidance",
-                "prose": "Clearly defined authorization boundaries are a prerequisite for effective risk\n               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,\n               and impact to organizational operations and assets, individuals, other organizations,\n               and the Nation based on the operation and use of information systems. Risk\n               assessments also take into account risk from external parties (e.g., service\n               providers, contractors operating information systems on behalf of the organization,\n               individuals accessing organizational information systems, outsourcing entities). In\n               accordance with OMB policy and related E-authentication initiatives, authentication\n               of public users accessing federal information systems may also be required to protect\n               nonpublic or privacy-related information. As such, organizational assessments of risk\n               also address public access to federal information systems. Risk assessments (either\n               formal or informal) can be conducted at all three tiers in the risk management\n               hierarchy (i.e., organization level, mission/business process level, or information\n               system level) and at any phase in the system development life cycle. Risk assessments\n               can also be conducted at various steps in the Risk Management Framework, including\n               categorization, security control selection, security control implementation, security\n               control assessment, information system authorization, and security control\n               monitoring. RA-3 is noteworthy in that the control must be partially implemented\n               prior to the implementation of other controls in order to complete the first two\n               steps in the Risk Management Framework. Risk assessments can play an important role\n               in security control selection processes, particularly during the application of\n               tailoring guidance, which includes security control supplementation.",
-                "links": [
-                  {
-                    "href": "#ra-2",
-                    "rel": "related",
-                    "text": "RA-2"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(a)"
-                      }
-                    ],
-                    "prose": "conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of:",
-                    "parts": [
-                      {
-                        "id": "ra-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(a)[1]"
-                          }
-                        ],
-                        "prose": "the information system;"
-                      },
-                      {
-                        "id": "ra-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(a)[2]"
-                          }
-                        ],
-                        "prose": "the information the system processes, stores, or transmits;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a document in which risk assessment results are to be documented (if\n                     not documented in the security plan or risk assessment report);"
-                      },
-                      {
-                        "id": "ra-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(b)[2]"
-                          }
-                        ],
-                        "prose": "documents risk assessment results in one of the following:",
-                        "parts": [
-                          {
-                            "id": "ra-3.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][a]"
-                              }
-                            ],
-                            "prose": "the security plan;"
-                          },
-                          {
-                            "id": "ra-3.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][b]"
-                              }
-                            ],
-                            "prose": "the risk assessment report; or"
-                          },
-                          {
-                            "id": "ra-3.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][c]"
-                              }
-                            ],
-                            "prose": "the organization-defined document;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review risk assessment results;"
-                      },
-                      {
-                        "id": "ra-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews risk assessment results with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom risk assessment results are to be\n                     disseminated;"
-                      },
-                      {
-                        "id": "ra-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(d)[2]"
-                          }
-                        ],
-                        "prose": "disseminates risk assessment results to organization-defined personnel or\n                     roles;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(e)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the risk assessment;"
-                      },
-                      {
-                        "id": "ra-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(e)[2]"
-                          }
-                        ],
-                        "prose": "updates the risk assessment:",
-                        "parts": [
-                          {
-                            "id": "ra-3.e_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][a]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency;"
-                          },
-                          {
-                            "id": "ra-3.e_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][b]"
-                              }
-                            ],
-                            "prose": "whenever there are significant changes to the information system or\n                        environment of operation (including the identification of new threats and\n                        vulnerabilities); and"
-                          },
-                          {
-                            "id": "ra-3.e_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][c]"
-                              }
-                            ],
-                            "prose": "whenever there are other conditions that may impact the security state of\n                        the system."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing organizational assessments of risk\\n\\nsecurity plan\\n\\nrisk assessment\\n\\nrisk assessment results\\n\\nrisk assessment reviews\\n\\nrisk assessment updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for risk assessment\\n\\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,\n                  disseminating, and updating the risk assessment"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-5",
-            "class": "SP800-53",
-            "title": "Vulnerability Scanning",
-            "parameters": [
-              {
-                "id": "ra-5_prm_1",
-                "label": "organization-defined frequency and/or randomly in accordance with\n               organization-defined process",
-                "constraints": [
-                  {
-                    "detail": "monthly operating system/infrastructure; monthly web applications and databases"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_prm_2",
-                "label": "organization-defined response times",
-                "constraints": [
-                  {
-                    "detail": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_prm_3",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "RA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#15522e92-9192-463d-9646-6a01982db8ca",
-                "rel": "reference",
-                "text": "http://cwe.mitre.org"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Scans for vulnerabilities in the information system and hosted applications\n                     {{ ra-5_prm_1 }} and when new vulnerabilities potentially\n                  affecting the system/applications are identified and reported;"
-                  },
-                  {
-                    "id": "ra-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:",
-                    "parts": [
-                      {
-                        "id": "ra-5_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Enumerating platforms, software flaws, and improper configurations;"
-                      },
-                      {
-                        "id": "ra-5_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Formatting checklists and test procedures; and"
-                      },
-                      {
-                        "id": "ra-5_smt.b.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Measuring vulnerability impact;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Analyzes vulnerability scan reports and results from security control\n                  assessments;"
-                  },
-                  {
-                    "id": "ra-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in\n                  accordance with an organizational assessment of risk; and"
-                  },
-                  {
-                    "id": "ra-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Shares information obtained from the vulnerability scanning process and security\n                  control assessments with {{ ra-5_prm_3 }} to help eliminate similar\n                  vulnerabilities in other information systems (i.e., systemic weaknesses or\n                  deficiencies)."
-                  },
-                  {
-                    "id": "ra-5_fr_smt.a",
-                    "name": "item",
-                    "title": "RA-5(a) Additional FedRAMP Requirements and Guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5 (a)Requirement:"
-                      }
-                    ],
-                    "prose": "An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."
-                  },
-                  {
-                    "id": "ra-5_fr_smt.e",
-                    "name": "item",
-                    "title": "RA-5(e) Additional FedRAMP Requirements and Guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5 (e)Requirement:"
-                      }
-                    ],
-                    "prose": "To include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                  },
-                  {
-                    "id": "ra-5_fr",
-                    "name": "item",
-                    "title": "RA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ra-5_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_gdn",
-                "name": "guidance",
-                "prose": "Security categorization of information systems guides the frequency and\n               comprehensiveness of vulnerability scans. Organizations determine the required\n               vulnerability scanning for all information system components, ensuring that potential\n               sources of vulnerabilities such as networked printers, scanners, and copiers are not\n               overlooked. Vulnerability analyses for custom software applications may require\n               additional approaches such as static analysis, dynamic analysis, binary analysis, or\n               a hybrid of the three approaches. Organizations can employ these analysis approaches\n               in a variety of tools (e.g., web-based application scanners, static analysis tools,\n               binary analyzers) and in source code reviews. Vulnerability scanning includes, for\n               example: (i) scanning for patch levels; (ii) scanning for functions, ports,\n               protocols, and services that should not be accessible to users or devices; and (iii)\n               scanning for improperly configured or incorrectly operating information flow control\n               mechanisms. Organizations consider using tools that express vulnerabilities in the\n               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open\n               Vulnerability Assessment Language (OVAL) to determine/test for the presence of\n               vulnerabilities. Suggested sources for vulnerability information include the Common\n               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In\n               addition, security control assessments such as red team exercises provide other\n               sources of potential vulnerabilities for which to scan. Organizations also consider\n               using tools that express vulnerability impact by the Common Vulnerability Scoring\n               System (CVSS).",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#ra-2",
-                    "rel": "related",
-                    "text": "RA-2"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[1][a]"
-                              }
-                            ],
-                            "prose": "defines the frequency for conducting vulnerability scans on the information\n                        system and hosted applications; and/or"
-                          },
-                          {
-                            "id": "ra-5.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[1][b]"
-                              }
-                            ],
-                            "prose": "defines the process for conducting random vulnerability scans on the\n                        information system and hosted applications;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with the organization-defined frequency and/or\n                     organization-defined process for conducting random scans, scans for\n                     vulnerabilities in:",
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[2][a]"
-                              }
-                            ],
-                            "prose": "the information system;"
-                          },
-                          {
-                            "id": "ra-5.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[2][b]"
-                              }
-                            ],
-                            "prose": "hosted applications;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[3]"
-                          }
-                        ],
-                        "prose": "when new vulnerabilities potentially affecting the system/applications are\n                     identified and reported, scans for vulnerabilities in:",
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[3][a]"
-                              }
-                            ],
-                            "prose": "the information system;"
-                          },
-                          {
-                            "id": "ra-5.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[3][b]"
-                              }
-                            ],
-                            "prose": "hosted applications;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(b)"
-                      }
-                    ],
-                    "prose": "employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:",
-                    "parts": [
-                      {
-                        "id": "ra-5.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "enumerating platforms;"
-                          },
-                          {
-                            "id": "ra-5.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "enumerating software flaws;"
-                          },
-                          {
-                            "id": "ra-5.b.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[3]"
-                              }
-                            ],
-                            "prose": "enumerating improper configurations;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "formatting checklists;"
-                          },
-                          {
-                            "id": "ra-5.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "formatting test procedures;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.b.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(3)"
-                          }
-                        ],
-                        "prose": "measuring vulnerability impact;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(c)[1]"
-                          }
-                        ],
-                        "prose": "analyzes vulnerability scan reports;"
-                      },
-                      {
-                        "id": "ra-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(c)[2]"
-                          }
-                        ],
-                        "prose": "analyzes results from security control assessments;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(d)[1]"
-                          }
-                        ],
-                        "prose": "defines response times to remediate legitimate vulnerabilities in accordance\n                     with an organizational assessment of risk;"
-                      },
-                      {
-                        "id": "ra-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(d)[2]"
-                          }
-                        ],
-                        "prose": "remediates legitimate vulnerabilities within the organization-defined response\n                     times in accordance with an organizational assessment of risk;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles with whom information obtained from the\n                     vulnerability scanning process and security control assessments is to be\n                     shared;"
-                      },
-                      {
-                        "id": "ra-5.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[2]"
-                          }
-                        ],
-                        "prose": "shares information obtained from the vulnerability scanning process with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies); and"
-                      },
-                      {
-                        "id": "ra-5.e_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[3]"
-                          }
-                        ],
-                        "prose": "shares information obtained from security control assessments with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment, security control assessment and\n                  vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with vulnerability remediation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and\n                  information sharing\\n\\nautomated mechanisms supporting and/or implementing vulnerability scanning,\n                  analysis, remediation, and information sharing"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ra-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Update Tool Capability",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs vulnerability scanning tools that include the capability\n                  to readily update the information system vulnerabilities to be scanned."
-                  },
-                  {
-                    "id": "ra-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "The vulnerabilities to be scanned need to be readily updated as new\n                  vulnerabilities are discovered, announced, and scanning methods developed. This\n                  updating process helps to ensure that potential vulnerabilities in the information\n                  system are identified and addressed as quickly as possible.",
-                    "links": [
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs vulnerability scanning tools that include\n                  the capability to readily update the information system vulnerabilities to be\n                  scanned."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.2",
-                "class": "SP800-53-enhancement",
-                "title": "Update by Frequency / Prior to New Scan / When Identified",
-                "parameters": [
-                  {
-                    "id": "ra-5.2_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "prior to a new scan"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.2_prm_2",
-                    "depends-on": "ra-5.2_prm_1",
-                    "label": "organization-defined frequency"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "RA-5(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.2_smt",
-                    "name": "statement",
-                    "prose": "The organization updates the information system vulnerabilities scanned {{ ra-5.2_prm_1 }}."
-                  },
-                  {
-                    "id": "ra-5.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      },
-                      {
-                        "href": "#si-5",
-                        "rel": "related",
-                        "text": "SI-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ra-5.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(2)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the information system vulnerabilities\n                     scanned;"
-                      },
-                      {
-                        "id": "ra-5.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(2)[2]"
-                          }
-                        ],
-                        "prose": "updates the information system vulnerabilities scanned one or more of the\n                     following:",
-                        "parts": [
-                          {
-                            "id": "ra-5.2_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(2)[2][a]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency;"
-                          },
-                          {
-                            "id": "ra-5.2_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(2)[2][b]"
-                              }
-                            ],
-                            "prose": "prior to a new scan; and/or"
-                          },
-                          {
-                            "id": "ra-5.2_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(2)[2][c]"
-                              }
-                            ],
-                            "prose": "when new vulnerabilities are identified and reported."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.3",
-                "class": "SP800-53-enhancement",
-                "title": "Breadth / Depth of Coverage",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs vulnerability scanning procedures that can identify the\n                  breadth and depth of coverage (i.e., information system components scanned and\n                  vulnerabilities checked)."
-                  },
-                  {
-                    "id": "ra-5.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs vulnerability scanning procedures that can\n                  identify:",
-                    "parts": [
-                      {
-                        "id": "ra-5.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(3)[1]"
-                          }
-                        ],
-                        "prose": "the breadth of coverage (i.e., information system components scanned); and"
-                      },
-                      {
-                        "id": "ra-5.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(3)[2]"
-                          }
-                        ],
-                        "prose": "the depth of coverage (i.e., vulnerabilities checked)."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.4",
-                "class": "SP800-53-enhancement",
-                "title": "Discoverable Information",
-                "parameters": [
-                  {
-                    "id": "ra-5.4_prm_1",
-                    "label": "organization-defined corrective actions",
-                    "constraints": [
-                      {
-                        "detail": "notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.4_smt",
-                    "name": "statement",
-                    "prose": "The organization determines what information about the information system is\n                  discoverable by adversaries and subsequently takes {{ ra-5.4_prm_1 }}."
-                  },
-                  {
-                    "id": "ra-5.4_gdn",
-                    "name": "guidance",
-                    "prose": "Discoverable information includes information that adversaries could obtain\n                  without directly compromising or breaching the information system, for example, by\n                  collecting information the system is exposing or by conducting extensive searches\n                  of the web. Corrective actions can include, for example, notifying appropriate\n                  organizational personnel, removing designated information, or changing the\n                  information system to make designated information less relevant or attractive to\n                  adversaries.",
-                    "links": [
-                      {
-                        "href": "#au-13",
-                        "rel": "related",
-                        "text": "AU-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ra-5.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(4)[1]"
-                          }
-                        ],
-                        "prose": "defines corrective actions to be taken if information about the information\n                     system is discoverable by adversaries;"
-                      },
-                      {
-                        "id": "ra-5.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(4)[2]"
-                          }
-                        ],
-                        "prose": "determines what information about the information system is discoverable by\n                     adversaries; and"
-                      },
-                      {
-                        "id": "ra-5.4_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(4)[3]"
-                          }
-                        ],
-                        "prose": "subsequently takes organization-defined corrective actions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Procedures addressing vulnerability scanning\\n\\nsecurity assessment report\\n\\npenetration test results\\n\\nvulnerability scanning results\\n\\nrisk assessment report\\n\\nrecords of corrective actions taken\\n\\nincident response records\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning and/or penetration testing\n                     responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel responsible for risk response\\n\\norganizational personnel responsible for incident management and response\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\norganizational processes for risk response\\n\\norganizational processes for incident management and response\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing risk response\\n\\nautomated mechanisms supporting and/or implementing incident management and\n                     response"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.5",
-                "class": "SP800-53-enhancement",
-                "title": "Privileged Access",
-                "parameters": [
-                  {
-                    "id": "ra-5.5_prm_1",
-                    "label": "organization-identified information system components",
-                    "constraints": [
-                      {
-                        "detail": "operating systems / web applications / databases"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.5_prm_2",
-                    "label": "organization-defined vulnerability scanning activities",
-                    "constraints": [
-                      {
-                        "detail": "all scans"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "RA-5(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.5_smt",
-                    "name": "statement",
-                    "prose": "The information system implements privileged access authorization to {{ ra-5.5_prm_1 }} for selected {{ ra-5.5_prm_2 }}."
-                  },
-                  {
-                    "id": "ra-5.5_gdn",
-                    "name": "guidance",
-                    "prose": "In certain situations, the nature of the vulnerability scanning may be more\n                  intrusive or the information system component that is the subject of the scanning\n                  may contain highly sensitive information. Privileged access authorization to\n                  selected system components facilitates more thorough vulnerability scanning and\n                  also protects the sensitive nature of such scanning."
-                  },
-                  {
-                    "id": "ra-5.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ra-5.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(5)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines information system components to which privileged\n                     access is authorized for selected vulnerability scanning activities;"
-                      },
-                      {
-                        "id": "ra-5.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(5)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines vulnerability scanning activities selected for\n                     privileged access authorization to organization-defined information system\n                     components; and"
-                      },
-                      {
-                        "id": "ra-5.5_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(5)[3]"
-                          }
-                        ],
-                        "prose": "the information system implements privileged access authorization to\n                     organization-defined information system components for selected\n                     organization-defined vulnerability scanning activities."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components for vulnerability scanning\\n\\npersonnel access authorization list\\n\\nauthorization credentials\\n\\naccess authorization records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel responsible for access control to the information\n                     system\\n\\norganizational personnel responsible for configuration management of the\n                     information system\\n\\nsystem developers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\norganizational processes for access control\\n\\nautomated mechanisms supporting and/or implementing access control\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.6",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Trend Analyses",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(6)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.06"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.6_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to compare the results of\n                  vulnerability scans over time to determine trends in information system\n                  vulnerabilities.",
-                    "parts": [
-                      {
-                        "id": "ra-5.6_fr",
-                        "name": "item",
-                        "title": "RA-5 (6) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ra-5.6_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Include in Continuous Monitoring ISSO digest/report to JAB/AO"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.6_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      },
-                      {
-                        "href": "#ir-5",
-                        "rel": "related",
-                        "text": "IR-5"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.6_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to compare the results\n                  of vulnerability scans over time to determine trends in information system\n                  vulnerabilities."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\ninformation system design documentation\\n\\nvulnerability scanning tools and techniques documentation\\n\\nvulnerability scanning results\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing trend analysis of\n                     vulnerability scan results"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.8",
-                "class": "SP800-53-enhancement",
-                "title": "Review Historic Audit Logs",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.8_smt",
-                    "name": "statement",
-                    "prose": "The organization reviews historic audit logs to determine if a vulnerability\n                  identified in the information system has been previously exploited.",
-                    "parts": [
-                      {
-                        "id": "ra-5.8_fr",
-                        "name": "item",
-                        "title": "RA-5 (8) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ra-5.8_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "This enhancement is required for all high vulnerability scan findings."
-                          },
-                          {
-                            "id": "ra-5.8_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.8_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#au-6",
-                        "rel": "related",
-                        "text": "AU-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.8_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization reviews historic audit logs to determine if a\n                  vulnerability identified in the information system has been previously exploited.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\naudit logs\\n\\nrecords of audit log reviews\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with audit record review responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\norganizational process for audit record review and response\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing audit record review"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.10",
-                "class": "SP800-53-enhancement",
-                "title": "Correlate Scanning Information",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.10_smt",
-                    "name": "statement",
-                    "prose": "The organization correlates the output from vulnerability scanning tools to\n                  determine the presence of multi-vulnerability/multi-hop attack vectors.",
-                    "parts": [
-                      {
-                        "id": "ra-5.10_fr",
-                        "name": "item",
-                        "title": "RA-5 (10) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ra-5.10_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "If multiple tools are not used, this control is not applicable."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization correlates the output from vulnerability scanning\n                  tools to determine the presence of multi-vulnerability/multi-hop attack vectors.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nvulnerability scanning tools and techniques documentation\\n\\nvulnerability scanning results\\n\\nvulnerability management records\\n\\naudit records\\n\\nevent/vulnerability correlation logs\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms implementing correlation of vulnerability scan results"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "sa",
-        "class": "family",
-        "title": "System and Services Acquisition",
-        "controls": [
-          {
-            "id": "sa-1",
-            "class": "SP800-53",
-            "title": "System and Services Acquisition Policy and Procedures",
-            "parameters": [
-              {
-                "id": "sa-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "sa-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ sa-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "sa-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and services acquisition policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "sa-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and services\n                     acquisition policy and associated system and services acquisition controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "sa-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and services acquisition policy {{ sa-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "sa-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and services acquisition procedures {{ sa-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and services acquisition policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "sa-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "sa-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and services acquisition\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "sa-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and services acquisition policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and services acquisition policy and associated system and services\n                        acquisition controls;"
-                          },
-                          {
-                            "id": "sa-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "sa-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and services\n                        acquisition policy;"
-                          },
-                          {
-                            "id": "sa-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and services acquisition policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and services\n                        acquisition procedures; and"
-                          },
-                          {
-                            "id": "sa-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and services acquisition procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-2",
-            "class": "SP800-53",
-            "title": "Allocation of Resources",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#29fcfe59-33cd-494a-8756-5907ae3a8f92",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-65"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines information security requirements for the information system or\n                  information system service in mission/business process planning;"
-                  },
-                  {
-                    "id": "sa-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Determines, documents, and allocates the resources required to protect the\n                  information system or information system service as part of its capital planning\n                  and investment control process; and"
-                  },
-                  {
-                    "id": "sa-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."
-                  }
-                ]
-              },
-              {
-                "id": "sa-2_gdn",
-                "name": "guidance",
-                "prose": "Resource allocation for information security includes funding for the initial\n               information system or information system service acquisition and funding for the\n               sustainment of the system/service.",
-                "links": [
-                  {
-                    "href": "#pm-3",
-                    "rel": "related",
-                    "text": "PM-3"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  }
-                ]
-              },
-              {
-                "id": "sa-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(a)"
-                      }
-                    ],
-                    "prose": "determines information security requirements for the information system or\n                  information system service in mission/business process planning;"
-                  },
-                  {
-                    "id": "sa-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(b)"
-                      }
-                    ],
-                    "prose": "to protect the information system or information system service as part of its\n                  capital planning and investment control process:",
-                    "parts": [
-                      {
-                        "id": "sa-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "determines the resources required;"
-                      },
-                      {
-                        "id": "sa-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "documents the resources required;"
-                      },
-                      {
-                        "id": "sa-2.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[3]"
-                          }
-                        ],
-                        "prose": "allocates the resources required; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(c)"
-                      }
-                    ],
-                    "prose": "establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the allocation of resources to information security\n                  requirements\\n\\nprocedures addressing capital planning and investment control\\n\\norganizational programming and budgeting documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with capital planning, investment control, organizational\n                  programming and budgeting responsibilities\\n\\norganizational personnel responsible for determining information security\n                  requirements for information systems/services\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for determining information security requirements\\n\\norganizational processes for capital planning, programming, and budgeting\\n\\nautomated mechanisms supporting and/or implementing organizational capital\n                  planning, programming, and budgeting"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-3",
-            "class": "SP800-53",
-            "title": "System Development Life Cycle",
-            "parameters": [
-              {
-                "id": "sa-3_prm_1",
-                "label": "organization-defined system development life cycle"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#abd950ae-092f-4b7a-b374-1c7c67fe9350",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-64"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Manages the information system using {{ sa-3_prm_1 }} that\n                  incorporates information security considerations;"
-                  },
-                  {
-                    "id": "sa-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"
-                  },
-                  {
-                    "id": "sa-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Identifies individuals having information security roles and responsibilities;\n                  and"
-                  },
-                  {
-                    "id": "sa-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Integrates the organizational information security risk management process into\n                  system development life cycle activities."
-                  }
-                ]
-              },
-              {
-                "id": "sa-3_gdn",
-                "name": "guidance",
-                "prose": "A well-defined system development life cycle provides the foundation for the\n               successful development, implementation, and operation of organizational information\n               systems. To apply the required security controls within the system development life\n               cycle requires a basic understanding of information security, threats,\n               vulnerabilities, adverse impacts, and risk to critical missions/business functions.\n               The security engineering principles in SA-8 cannot be properly applied if individuals\n               that design, code, and test information systems and system components (including\n               information technology products) do not understand security. Therefore, organizations\n               include qualified personnel, for example, chief information security officers,\n               security architects, security engineers, and information system security officers in\n               system development life cycle activities to ensure that security requirements are\n               incorporated into organizational information systems. It is equally important that\n               developers include individuals on the development team that possess the requisite\n               security expertise and skills to ensure that needed security capabilities are\n               effectively integrated into the information system. Security awareness and training\n               programs can help ensure that individuals having key security roles and\n               responsibilities have the appropriate experience, skills, and expertise to conduct\n               assigned system development life cycle activities. The effective integration of\n               security requirements into enterprise architecture also helps to ensure that\n               important security considerations are addressed early in the system development life\n               cycle and that those considerations are directly related to the organizational\n               mission/business processes. This process also facilitates the integration of the\n               information security architecture into the enterprise architecture, consistent with\n               organizational risk management and information security strategies.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  }
-                ]
-              },
-              {
-                "id": "sa-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a system development life cycle that incorporates information security\n                     considerations to be used to manage the information system;"
-                      },
-                      {
-                        "id": "sa-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-3(a)[2]"
-                          }
-                        ],
-                        "prose": "manages the information system using the organization-defined system\n                     development life cycle;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(b)"
-                      }
-                    ],
-                    "prose": "defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"
-                  },
-                  {
-                    "id": "sa-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(c)"
-                      }
-                    ],
-                    "prose": "identifies individuals having information security roles and responsibilities;\n                  and"
-                  },
-                  {
-                    "id": "sa-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(d)"
-                      }
-                    ],
-                    "prose": "integrates the organizational information security risk management process into\n                  system development life cycle activities."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security into the system\n                  development life cycle process\\n\\ninformation system development life cycle documentation\\n\\ninformation security risk management strategy/program documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security and system life cycle\n                  development responsibilities\\n\\norganizational personnel with information security risk management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining and documenting the SDLC\\n\\norganizational processes for identifying SDLC roles and responsibilities\\n\\norganizational process for integrating information security risk management into\n                  the SDLC\\n\\nautomated mechanisms supporting and/or implementing the SDLC"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-4",
-            "class": "SP800-53",
-            "title": "Acquisition Process",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ad733a42-a7ed-4774-b988-4930c28852f3",
-                "rel": "reference",
-                "text": "HSPD-12"
-              },
-              {
-                "href": "#1737a687-52fb-4008-b900-cbfa836f7b65",
-                "rel": "reference",
-                "text": "ISO/IEC 15408"
-              },
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#0a5db899-f033-467f-8631-f5a8ba971475",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-23"
-              },
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              },
-              {
-                "href": "#d818efd3-db31-4953-8afa-9e76afe83ce2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-36"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#abd950ae-092f-4b7a-b374-1c7c67fe9350",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-64"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              },
-              {
-                "href": "#56d671da-6b7b-4abf-8296-84b61980390a",
-                "rel": "reference",
-                "text": "Federal Acquisition Regulation"
-              },
-              {
-                "href": "#c95a9986-3cd6-4a98-931b-ccfc56cb11e5",
-                "rel": "reference",
-                "text": "http://www.niap-ccevs.org"
-              },
-              {
-                "href": "#5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-                "rel": "reference",
-                "text": "http://fips201ep.cio.gov"
-              },
-              {
-                "href": "#bbd50dd1-54ce-4432-959d-63ea564b1bb4",
-                "rel": "reference",
-                "text": "http://www.acquisition.gov/far"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-4_smt",
-                "name": "statement",
-                "prose": "The organization includes the following requirements, descriptions, and criteria,\n               explicitly or by reference, in the acquisition contract for the information system,\n               system component, or information system service in accordance with applicable federal\n               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and\n               organizational mission/business needs:",
-                "parts": [
-                  {
-                    "id": "sa-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Security functional requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Security strength requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Security assurance requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Security-related documentation requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Requirements for protecting security-related documentation;"
-                  },
-                  {
-                    "id": "sa-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Description of the information system development environment and environment in\n                  which the system is intended to operate; and"
-                  },
-                  {
-                    "id": "sa-4_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Acceptance criteria."
-                  },
-                  {
-                    "id": "sa-4_fr",
-                    "name": "item",
-                    "title": "SA-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sa-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4_gdn",
-                "name": "guidance",
-                "prose": "Information system components are discrete, identifiable information technology\n               assets (e.g., hardware, software, or firmware) that represent the building blocks of\n               an information system. Information system components include commercial information\n               technology products. Security functional requirements include security capabilities,\n               security functions, and security mechanisms. Security strength requirements\n               associated with such capabilities, functions, and mechanisms include degree of\n               correctness, completeness, resistance to direct attack, and resistance to tampering\n               or bypass. Security assurance requirements include: (i) development processes,\n               procedures, practices, and methodologies; and (ii) evidence from development and\n               assessment activities providing grounds for confidence that the required security\n               functionality has been implemented and the required security strength has been\n               achieved. Security documentation requirements address all phases of the system\n               development life cycle. Security functionality, assurance, and documentation\n               requirements are expressed in terms of security controls and control enhancements\n               that have been selected through the tailoring process. The security control tailoring\n               process includes, for example, the specification of parameter values through the use\n               of assignment and selection statements and the specification of platform dependencies\n               and implementation information. Security documentation provides user and\n               administrator guidance regarding the implementation and operation of security\n               controls. The level of detail required in security documentation is based on the\n               security category or classification level of the information system and the degree to\n               which organizations depend on the stated security capability, functions, or\n               mechanisms to meet overall risk response expectations (as defined in the\n               organizational risk management strategy). Security requirements can also include\n               organizationally mandated configuration settings specifying allowed functions, ports,\n               protocols, and services. Acceptance criteria for information systems, information\n               system components, and information system services are defined in the same manner as\n               such criteria for any organizational acquisition or procurement. The Federal\n               Acquisition Regulation (FAR) Section 7.103 contains information security requirements\n               from FISMA.",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "sa-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization includes the following requirements, descriptions, and\n               criteria, explicitly or by reference, in the acquisition contracts for the\n               information system, system component, or information system service in accordance\n               with applicable federal laws, Executive Orders, directives, policies, regulations,\n               standards, guidelines, and organizational mission/business needs:",
-                "parts": [
-                  {
-                    "id": "sa-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(a)"
-                      }
-                    ],
-                    "prose": "security functional requirements;"
-                  },
-                  {
-                    "id": "sa-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(b)"
-                      }
-                    ],
-                    "prose": "security strength requirements;"
-                  },
-                  {
-                    "id": "sa-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(c)"
-                      }
-                    ],
-                    "prose": "security assurance requirements;"
-                  },
-                  {
-                    "id": "sa-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(d)"
-                      }
-                    ],
-                    "prose": "security-related documentation requirements;"
-                  },
-                  {
-                    "id": "sa-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(e)"
-                      }
-                    ],
-                    "prose": "requirements for protecting security-related documentation;"
-                  },
-                  {
-                    "id": "sa-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(f)"
-                      }
-                    ],
-                    "prose": "description of:",
-                    "parts": [
-                      {
-                        "id": "sa-4.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(f)[1]"
-                          }
-                        ],
-                        "prose": "the information system development environment;"
-                      },
-                      {
-                        "id": "sa-4.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(f)[2]"
-                          }
-                        ],
-                        "prose": "the environment in which the system is intended to operate; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(g)"
-                      }
-                    ],
-                    "prose": "acceptance criteria."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                  descriptions, and criteria into the acquisition process\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ninformation system design documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security functional, strength, and assurance requirements\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for determining information system security functional,\n                  strength, and assurance requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of\n                  security requirements in contracts"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Functional Properties of Security Controls",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to provide a description of the\n                  functional properties of the security controls to be employed."
-                  },
-                  {
-                    "id": "sa-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "Functional properties of security controls describe the functionality (i.e.,\n                  security capability, functions, or mechanisms) visible at the interfaces of the\n                  controls and specifically exclude functionality and data structures internal to\n                  the operation of the controls.",
-                    "links": [
-                      {
-                        "href": "#sa-5",
-                        "rel": "related",
-                        "text": "SA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to provide a description of the\n                  functional properties of the security controls to be employed."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documents\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security functional requirements\\n\\ninformation system developer or service provider\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for determining information system security\n                     functional, requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion\n                     of security requirements in contracts"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Design / Implementation Information for Security Controls",
-                "parameters": [
-                  {
-                    "id": "sa-4.2_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.2_prm_2",
-                    "depends-on": "sa-4.2_prm_1",
-                    "label": "organization-defined design/implementation information"
-                  },
-                  {
-                    "id": "sa-4.2_prm_3",
-                    "label": "organization-defined level of detail"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to provide design and implementation\n                  information for the security controls to be employed that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}."
-                  },
-                  {
-                    "id": "sa-4.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may require different levels of detail in design and implementation\n                  documentation for security controls employed in organizational information\n                  systems, system components, or information system services based on\n                  mission/business requirements, requirements for trustworthiness/resiliency, and\n                  requirements for analysis and testing. Information systems can be partitioned into\n                  multiple subsystems. Each subsystem within the system can contain one or more\n                  modules. The high-level design for the system is expressed in terms of multiple\n                  subsystems and the interfaces between subsystems providing security-relevant\n                  functionality. The low-level design for the system is expressed in terms of\n                  modules with particular emphasis on software and firmware (but not excluding\n                  hardware) and the interfaces between modules providing security-relevant\n                  functionality. Source code and hardware schematics are typically referred to as\n                  the implementation representation of the information system.",
-                    "links": [
-                      {
-                        "href": "#sa-5",
-                        "rel": "related",
-                        "text": "SA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-4.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(2)[1]"
-                          }
-                        ],
-                        "prose": "defines level of detail that the developer is required to provide in design and\n                     implementation information for the security controls to be employed in the\n                     information system, system component, or information system service;"
-                      },
-                      {
-                        "id": "sa-4.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(2)[2]"
-                          }
-                        ],
-                        "prose": "defines design/implementation information that the developer is to provide for\n                     the security controls to be employed (if selected);"
-                      },
-                      {
-                        "id": "sa-4.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(2)[3]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to provide design and implementation information for\n                     the security controls to be employed that includes, at the organization-defined\n                     level of detail, one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "sa-4.2_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][a]"
-                              }
-                            ],
-                            "prose": "security-relevant external system interfaces;"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][b]"
-                              }
-                            ],
-                            "prose": "high-level design;"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][c]"
-                              }
-                            ],
-                            "prose": "low-level design;"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][d]"
-                              }
-                            ],
-                            "prose": "source code;"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][e]"
-                              }
-                            ],
-                            "prose": "hardware schematics; and/or"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.f",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][f]"
-                              }
-                            ],
-                            "prose": "organization-defined design/implementation information."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documents\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system components, or\n                     information system services\\n\\ndesign and implementation information for security controls employed in the\n                     information system, system component, or information system service\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\ninformation system developer or service provider\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for determining level of detail for system design and\n                     security controls\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing development of system\n                     design details"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4.8",
-                "class": "SP800-53-enhancement",
-                "title": "Continuous Monitoring Plan",
-                "parameters": [
-                  {
-                    "id": "sa-4.8_prm_1",
-                    "label": "organization-defined level of detail",
-                    "constraints": [
-                      {
-                        "detail": "at least the minimum requirement as defined in control CA-7"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.8_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to produce a plan for the continuous\n                  monitoring of security control effectiveness that contains {{ sa-4.8_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "sa-4.8_fr",
-                        "name": "item",
-                        "title": "SA-4 (8) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "sa-4.8_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "CSP must use the same security standards regardless of where the system component or information system service is acquired."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.8_gdn",
-                    "name": "guidance",
-                    "prose": "The objective of continuous monitoring plans is to determine if the complete set\n                  of planned, required, and deployed security controls within the information\n                  system, system component, or information system service continue to be effective\n                  over time based on the inevitable changes that occur. Developer continuous\n                  monitoring plans include a sufficient level of detail such that the information\n                  can be incorporated into the continuous monitoring strategies and programs\n                  implemented by organizations.",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.8_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-4.8_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(8)[1]"
-                          }
-                        ],
-                        "prose": "defines the level of detail the developer of the information system, system\n                     component, or information system service is required to provide when producing\n                     a plan for the continuous monitoring of security control effectiveness; and"
-                      },
-                      {
-                        "id": "sa-4.8_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(8)[2]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to produce a plan for the continuous monitoring of\n                     security control effectiveness that contains the organization-defined level of\n                     detail."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing developer continuous monitoring plans\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\ndeveloper continuous monitoring plans\\n\\nsecurity assessment plans\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nacquisition documentation\\n\\nsolicitation documentation\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Vendor processes for continuous monitoring\\n\\nautomated mechanisms supporting and/or implementing developer continuous\n                     monitoring"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4.9",
-                "class": "SP800-53-enhancement",
-                "title": "Functions / Ports / Protocols / Services in Use",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.9_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to identify early in the system\n                  development life cycle, the functions, ports, protocols, and services intended for\n                  organizational use."
-                  },
-                  {
-                    "id": "sa-4.9_gdn",
-                    "name": "guidance",
-                    "prose": "The identification of functions, ports, protocols, and services early in the\n                  system development life cycle (e.g., during the initial requirements definition\n                  and design phases) allows organizations to influence the design of the information\n                  system, information system component, or information system service. This early\n                  involvement in the life cycle helps organizations to avoid or minimize the use of\n                  functions, ports, protocols, or services that pose unnecessarily high risks and\n                  understand the trade-offs involved in blocking specific ports, protocols, or\n                  services (or when requiring information system service providers to do so). Early\n                  identification of functions, ports, protocols, and services avoids costly\n                  retrofitting of security controls after the information system, system component,\n                  or information system service has been implemented. SA-9 describes requirements\n                  for external information system services with organizations identifying which\n                  functions, ports, protocols, and services are provided from external sources.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#sa-9",
-                        "rel": "related",
-                        "text": "SA-9"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.9_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to identify early in the system\n                  development life cycle:",
-                    "parts": [
-                      {
-                        "id": "sa-4.9_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(9)[1]"
-                          }
-                        ],
-                        "prose": "the functions intended for organizational use;"
-                      },
-                      {
-                        "id": "sa-4.9_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(9)[2]"
-                          }
-                        ],
-                        "prose": "the ports intended for organizational use;"
-                      },
-                      {
-                        "id": "sa-4.9_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(9)[3]"
-                          }
-                        ],
-                        "prose": "the protocols intended for organizational use; and"
-                      },
-                      {
-                        "id": "sa-4.9_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(9)[4]"
-                          }
-                        ],
-                        "prose": "the services intended for organizational use."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\ninformation system design documentation\\n\\ninformation system documentation including functions, ports, protocols, and\n                     services intended for organizational use\\n\\nacquisition contracts for information systems or services\\n\\nacquisition documentation\\n\\nsolicitation documentation\\n\\nservice-level agreements\\n\\norganizational security requirements, descriptions, and criteria for developers\n                     of information systems, system components, and information system services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                     system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4.10",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Approved PIV Products",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.10_smt",
-                    "name": "statement",
-                    "prose": "The organization employs only information technology products on the FIPS\n                  201-approved products list for Personal Identity Verification (PIV) capability\n                  implemented within organizational information systems."
-                  },
-                  {
-                    "id": "sa-4.10_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ia-2",
-                        "rel": "related",
-                        "text": "IA-2"
-                      },
-                      {
-                        "href": "#ia-8",
-                        "rel": "related",
-                        "text": "IA-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs only information technology products on the\n                  FIPS 201-approved products list for Personal Identity Verification (PIV)\n                  capability implemented within organizational information systems. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\norganizational personnel with responsibility for ensuring only FIPS\n                     201-approved products are implemented\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for selecting and employing FIPS 201-approved\n                     products"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-5",
-            "class": "SP800-53",
-            "title": "Information System Documentation",
-            "parameters": [
-              {
-                "id": "sa-5_prm_1",
-                "label": "organization-defined actions"
-              },
-              {
-                "id": "sa-5_prm_2",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "at a minimum, the ISSO (or similar role within the organization)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Obtains administrator documentation for the information system, system component,\n                  or information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Secure configuration, installation, and operation of the system, component, or\n                     service;"
-                      },
-                      {
-                        "id": "sa-5_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Effective use and maintenance of security functions/mechanisms; and"
-                      },
-                      {
-                        "id": "sa-5_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Obtains user documentation for the information system, system component, or\n                  information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "User-accessible security functions/mechanisms and how to effectively use those\n                     security functions/mechanisms;"
-                      },
-                      {
-                        "id": "sa-5_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner; and"
-                      },
-                      {
-                        "id": "sa-5_smt.b.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "User responsibilities in maintaining the security of the system, component, or\n                     service;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents attempts to obtain information system, system component, or information\n                  system service documentation when such documentation is either unavailable or\n                  nonexistent and takes {{ sa-5_prm_1 }} in response;"
-                  },
-                  {
-                    "id": "sa-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects documentation as required, in accordance with the risk management\n                  strategy; and"
-                  },
-                  {
-                    "id": "sa-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Distributes documentation to {{ sa-5_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "sa-5_gdn",
-                "name": "guidance",
-                "prose": "This control helps organizational personnel understand the implementation and\n               operation of security controls associated with information systems, system\n               components, and information system services. Organizations consider establishing\n               specific measures to determine the quality/completeness of the content provided. The\n               inability to obtain needed documentation may occur, for example, due to the age of\n               the information system/component or lack of support from developers and contractors.\n               In those situations, organizations may need to recreate selected documentation if\n               such documentation is essential to the effective implementation or operation of\n               security controls. The level of protection provided for selected information system,\n               component, or service documentation is commensurate with the security category or\n               classification of the system. For example, documentation associated with a key DoD\n               weapons system or command and control system would typically require a higher level\n               of protection than a routine administrative system. Documentation that addresses\n               information system vulnerabilities may also require an increased level of protection.\n               Secure operation of the information system, includes, for example, initially starting\n               the system and resuming secure system operation after any lapse in system\n               operation.",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  }
-                ]
-              },
-              {
-                "id": "sa-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(a)"
-                      }
-                    ],
-                    "prose": "obtains administrator documentation for the information system, system component,\n                  or information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "secure configuration of the system, system component, or service;"
-                          },
-                          {
-                            "id": "sa-5.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "secure installation of the system, system component, or service;"
-                          },
-                          {
-                            "id": "sa-5.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "secure operation of the system, system component, or service;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "effective use of the security features/mechanisms;"
-                          },
-                          {
-                            "id": "sa-5.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "effective maintenance of the security features/mechanisms;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(3)"
-                          }
-                        ],
-                        "prose": "known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(b)"
-                      }
-                    ],
-                    "prose": "obtains user documentation for the information system, system component, or\n                  information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "user-accessible security functions/mechanisms;"
-                          },
-                          {
-                            "id": "sa-5.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "how to effectively use those functions/mechanisms;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(2)"
-                          }
-                        ],
-                        "prose": "methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner;"
-                      },
-                      {
-                        "id": "sa-5.b.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(3)"
-                          }
-                        ],
-                        "prose": "user responsibilities in maintaining the security of the system, component, or\n                     service;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[1]"
-                          }
-                        ],
-                        "prose": "defines actions to be taken after documented attempts to obtain information\n                     system, system component, or information system service documentation when such\n                     documentation is either unavailable or nonexistent;"
-                      },
-                      {
-                        "id": "sa-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[2]"
-                          }
-                        ],
-                        "prose": "documents attempts to obtain information system, system component, or\n                     information system service documentation when such documentation is either\n                     unavailable or nonexistent;"
-                      },
-                      {
-                        "id": "sa-5.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[3]"
-                          }
-                        ],
-                        "prose": "takes organization-defined actions in response;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(d)"
-                      }
-                    ],
-                    "prose": "protects documentation as required, in accordance with the risk management\n                  strategy;"
-                  },
-                  {
-                    "id": "sa-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-5.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom documentation is to be distributed; and"
-                      },
-                      {
-                        "id": "sa-5.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(e)[2]"
-                          }
-                        ],
-                        "prose": "distributes documentation to organization-defined personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing information system documentation\\n\\ninformation system documentation including administrator and user guides\\n\\nrecords documenting attempts to obtain unavailable or nonexistent information\n                  system documentation\\n\\nlist of actions to be taken in response to documented attempts to obtain\n                  information system, system component, or information system service\n                  documentation\\n\\nrisk management strategy documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\nsystem administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for obtaining, protecting, and distributing information\n                  system administrator and user documentation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-8",
-            "class": "SP800-53",
-            "title": "Security Engineering Principles",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#21b1ed35-56d2-40a8-bdfe-b461fffe322f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-27"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-8_smt",
-                "name": "statement",
-                "prose": "The organization applies information system security engineering principles in the\n               specification, design, development, implementation, and modification of the\n               information system."
-              },
-              {
-                "id": "sa-8_gdn",
-                "name": "guidance",
-                "prose": "Organizations apply security engineering principles primarily to new development\n               information systems or systems undergoing major upgrades. For legacy systems,\n               organizations apply security engineering principles to system upgrades and\n               modifications to the extent feasible, given the current state of hardware, software,\n               and firmware within those systems. Security engineering principles include, for\n               example: (i) developing layered protections; (ii) establishing sound security policy,\n               architecture, and controls as the foundation for design; (iii) incorporating security\n               requirements into the system development life cycle; (iv) delineating physical and\n               logical security boundaries; (v) ensuring that system developers are trained on how\n               to build secure software; (vi) tailoring security controls to meet organizational and\n               operational needs; (vii) performing threat modeling to identify use cases, threat\n               agents, attack vectors, and attack patterns as well as compensating controls and\n               design patterns needed to mitigate risk; and (viii) reducing risk to acceptable\n               levels, thus enabling informed risk management decisions.",
-                "links": [
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-17",
-                    "rel": "related",
-                    "text": "SA-17"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "sa-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization applies information system security engineering\n               principles in: ",
-                "parts": [
-                  {
-                    "id": "sa-8_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-8[1]"
-                      }
-                    ],
-                    "prose": "the specification of the information system;"
-                  },
-                  {
-                    "id": "sa-8_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-8[2]"
-                      }
-                    ],
-                    "prose": "the design of the information system;"
-                  },
-                  {
-                    "id": "sa-8_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-8[3]"
-                      }
-                    ],
-                    "prose": "the development of the information system;"
-                  },
-                  {
-                    "id": "sa-8_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-8[4]"
-                      }
-                    ],
-                    "prose": "the implementation of the information system; and"
-                  },
-                  {
-                    "id": "sa-8_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-8[5]"
-                      }
-                    ],
-                    "prose": "the modification of the information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing security engineering principles used in the specification,\n                  design, development, implementation, and modification of the information\n                  system\\n\\ninformation system design documentation\\n\\ninformation security requirements and specifications for the information\n                  system\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\norganizational personnel with information system specification, design,\n                  development, implementation, and modification responsibilities\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for applying security engineering principles in\n                  information system specification, design, development, implementation, and\n                  modification\\n\\nautomated mechanisms supporting the application of security engineering principles\n                  in information system specification, design, development, implementation, and\n                  modification"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-9",
-            "class": "SP800-53",
-            "title": "External Information System Services",
-            "parameters": [
-              {
-                "id": "sa-9_prm_1",
-                "label": "organization-defined security controls",
-                "constraints": [
-                  {
-                    "detail": "FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_prm_2",
-                "label": "organization-defined processes, methods, and techniques",
-                "constraints": [
-                  {
-                    "detail": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-09"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires that providers of external information system services comply with\n                  organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive\n                  Orders, directives, policies, regulations, standards, and guidance;"
-                  },
-                  {
-                    "id": "sa-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Defines and documents government oversight and user roles and responsibilities\n                  with regard to external information system services; and"
-                  },
-                  {
-                    "id": "sa-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Employs {{ sa-9_prm_2 }} to monitor security control compliance by\n                  external service providers on an ongoing basis."
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_gdn",
-                "name": "guidance",
-                "prose": "External information system services are services that are implemented outside of the\n               authorization boundaries of organizational information systems. This includes\n               services that are used by, but not a part of, organizational information systems.\n               FISMA and OMB policy require that organizations using external service providers that\n               are processing, storing, or transmitting federal information or operating information\n               systems on behalf of the federal government ensure that such providers meet the same\n               security requirements that federal agencies are required to meet. Organizations\n               establish relationships with external service providers in a variety of ways\n               including, for example, through joint ventures, business partnerships, contracts,\n               interagency agreements, lines of business arrangements, licensing agreements, and\n               supply chain exchanges. The responsibility for managing risks from the use of\n               external information system services remains with authorizing officials. For services\n               external to organizations, a chain of trust requires that organizations establish and\n               retain a level of confidence that each participating provider in the potentially\n               complex consumer-provider relationship provides adequate protection for the services\n               rendered. The extent and nature of this chain of trust varies based on the\n               relationships between organizations and the external providers. Organizations\n               document the basis for trust relationships so the relationships can be monitored over\n               time. External information system services documentation includes government, service\n               providers, end user security roles and responsibilities, and service-level\n               agreements. Service-level agreements define expectations of performance for security\n               controls, describe measurable outcomes, and identify remedies and response\n               requirements for identified instances of noncompliance.",
-                "links": [
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ir-7",
-                    "rel": "related",
-                    "text": "IR-7"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security controls to be employed by providers of external information\n                     system services;"
-                      },
-                      {
-                        "id": "sa-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[2]"
-                          }
-                        ],
-                        "prose": "requires that providers of external information system services comply with\n                     organizational information security requirements;"
-                      },
-                      {
-                        "id": "sa-9.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[3]"
-                          }
-                        ],
-                        "prose": "requires that providers of external information system services employ\n                     organization-defined security controls in accordance with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines and documents government oversight with regard to external information\n                     system services;"
-                      },
-                      {
-                        "id": "sa-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(b)[2]"
-                          }
-                        ],
-                        "prose": "defines and documents user roles and responsibilities with regard to external\n                     information system services;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines processes, methods, and techniques to be employed to monitor security\n                     control compliance by external service providers; and"
-                      },
-                      {
-                        "id": "sa-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(c)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined processes, methods, and techniques to monitor\n                     security control compliance by external service providers on an ongoing\n                     basis."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nprocedures addressing methods and techniques for monitoring security control\n                  compliance by external service providers of information system services\\n\\nacquisition contracts, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                  provider services\\n\\nsecurity control assessment evidence from external providers of information system\n                  services\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring security control compliance by external\n                  service providers on an ongoing basis\\n\\nautomated mechanisms for monitoring security control compliance by external\n                  service providers on an ongoing basis"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-9.1",
-                "class": "SP800-53-enhancement",
-                "title": "Risk Assessments / Organizational Approvals",
-                "parameters": [
-                  {
-                    "id": "sa-9.1_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-9(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-09.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-9.1_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Conducts an organizational assessment of risk prior to the acquisition or\n                     outsourcing of dedicated information security services; and"
-                      },
-                      {
-                        "id": "sa-9.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Ensures that the acquisition or outsourcing of dedicated information security\n                     services is approved by {{ sa-9.1_prm_1 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.1_gdn",
-                    "name": "guidance",
-                    "prose": "Dedicated information security services include, for example, incident monitoring,\n                  analysis and response, operation of information security-related devices such as\n                  firewalls, or key management services.",
-                    "links": [
-                      {
-                        "href": "#ca-6",
-                        "rel": "related",
-                        "text": "CA-6"
-                      },
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(1)(a)"
-                          }
-                        ],
-                        "prose": "conducts an organizational assessment of risk prior to the acquisition or\n                     outsourcing of dedicated information security services;",
-                        "links": [
-                          {
-                            "href": "#sa-9.1_smt.a",
-                            "rel": "corresp",
-                            "text": "SA-9(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-9.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-9.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-9(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles designated to approve the acquisition or\n                        outsourcing of dedicated information security services; and"
-                          },
-                          {
-                            "id": "sa-9.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-9(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "ensures that the acquisition or outsourcing of dedicated information\n                        security services is approved by organization-defined personnel or\n                        roles."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#sa-9.1_smt.b",
-                            "rel": "corresp",
-                            "text": "SA-9(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nrisk assessment reports\\n\\napproval records for acquisition or outsourcing of dedicated information\n                     security services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information system security responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for conducting a risk assessment prior to acquiring or\n                     outsourcing dedicated information security services\\n\\norganizational processes for approving the outsourcing of dedicated information\n                     security services\\n\\nautomated mechanisms supporting and/or implementing risk assessment\\n\\nautomated mechanisms supporting and/or implementing approval processes"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-9.2",
-                "class": "SP800-53-enhancement",
-                "title": "Identification of Functions / Ports / Protocols / Services",
-                "parameters": [
-                  {
-                    "id": "sa-9.2_prm_1",
-                    "label": "organization-defined external information system services",
-                    "constraints": [
-                      {
-                        "detail": "all external systems where Federal information is processed or stored"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-9(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-09.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-9.2_smt",
-                    "name": "statement",
-                    "prose": "The organization requires providers of {{ sa-9.2_prm_1 }} to\n                  identify the functions, ports, protocols, and other services required for the use\n                  of such services."
-                  },
-                  {
-                    "id": "sa-9.2_gdn",
-                    "name": "guidance",
-                    "prose": "Information from external service providers regarding the specific functions,\n                  ports, protocols, and services used in the provision of such services can be\n                  particularly useful when the need arises to understand the trade-offs involved in\n                  restricting certain functions/services or blocking certain ports/protocols.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(2)[1]"
-                          }
-                        ],
-                        "prose": "defines external information system services for which providers of such\n                     services are to identify the functions, ports, protocols, and other services\n                     required for the use of such services;"
-                      },
-                      {
-                        "id": "sa-9.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(2)[2]"
-                          }
-                        ],
-                        "prose": "requires providers of organization-defined external information system services\n                     to identify:",
-                        "parts": [
-                          {
-                            "id": "sa-9.2_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(2)[2][a]"
-                              }
-                            ],
-                            "prose": "the functions required for the use of such services;"
-                          },
-                          {
-                            "id": "sa-9.2_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(2)[2][b]"
-                              }
-                            ],
-                            "prose": "the ports required for the use of such services;"
-                          },
-                          {
-                            "id": "sa-9.2_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(2)[2][c]"
-                              }
-                            ],
-                            "prose": "the protocols required for the use of such services; and"
-                          },
-                          {
-                            "id": "sa-9.2_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(2)[2][d]"
-                              }
-                            ],
-                            "prose": "the other services required for the use of such services."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nacquisition documentation\\n\\nsolicitation documentation, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                     service providers\\n\\nlist of required functions, ports, protocols, and other services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nexternal providers of information system services"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-9.4",
-                "class": "SP800-53-enhancement",
-                "title": "Consistent Interests of Consumers and Providers",
-                "parameters": [
-                  {
-                    "id": "sa-9.4_prm_1",
-                    "label": "organization-defined security safeguards"
-                  },
-                  {
-                    "id": "sa-9.4_prm_2",
-                    "label": "organization-defined external service providers",
-                    "constraints": [
-                      {
-                        "detail": "all external systems where Federal information is processed or stored"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-9(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-09.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-9.4_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ sa-9.4_prm_1 }} to ensure that the\n                  interests of {{ sa-9.4_prm_2 }} are consistent with and reflect\n                  organizational interests."
-                  },
-                  {
-                    "id": "sa-9.4_gdn",
-                    "name": "guidance",
-                    "prose": "As organizations increasingly use external service providers, the possibility\n                  exists that the interests of the service providers may diverge from organizational\n                  interests. In such situations, simply having the correct technical, procedural, or\n                  operational safeguards in place may not be sufficient if the service providers\n                  that implement and control those safeguards are not operating in a manner\n                  consistent with the interests of the consuming organizations. Possible actions\n                  that organizations might take to address such concerns include, for example,\n                  requiring background checks for selected service provider personnel, examining\n                  ownership records, employing only trustworthy service providers (i.e., providers\n                  with which organizations have had positive experiences), and conducting\n                  periodic/unscheduled visits to service provider facilities."
-                  },
-                  {
-                    "id": "sa-9.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(4)[1]"
-                          }
-                        ],
-                        "prose": "defines external service providers whose interests are to be consistent with\n                     and reflect organizational interests;"
-                      },
-                      {
-                        "id": "sa-9.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(4)[2]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed to ensure that the interests of\n                     organization-defined external service providers are consistent with and reflect\n                     organizational interests; and"
-                      },
-                      {
-                        "id": "sa-9.4_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(4)[3]"
-                          }
-                        ],
-                        "prose": "employs organization-defined security safeguards to ensure that the interests\n                     of organization-defined external service providers are consistent with and\n                     reflect organizational interests."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\norganizational security requirements/safeguards for external service\n                     providers\\n\\npersonnel security policies for external service providers\\n\\nassessments performed on external service providers\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nexternal providers of information system services"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for defining and employing safeguards to ensure\n                     consistent interests with external service providers\\n\\nautomated mechanisms supporting and/or implementing safeguards to ensure\n                     consistent interests with external service providers"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-9.5",
-                "class": "SP800-53-enhancement",
-                "title": "Processing, Storage, and Service Location",
-                "parameters": [
-                  {
-                    "id": "sa-9.5_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "information processing, information data, AND information services"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.5_prm_2",
-                    "label": "organization-defined locations",
-                    "constraints": [
-                      {
-                        "detail": "U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.5_prm_3",
-                    "label": "organization-defined requirements or conditions",
-                    "constraints": [
-                      {
-                        "detail": "all High Impact Data, Systems, or Services"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-9(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-09.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-9.5_smt",
-                    "name": "statement",
-                    "prose": "The organization restricts the location of {{ sa-9.5_prm_1 }} to\n                     {{ sa-9.5_prm_2 }} based on {{ sa-9.5_prm_3 }}."
-                  },
-                  {
-                    "id": "sa-9.5_gdn",
-                    "name": "guidance",
-                    "prose": "The location of information processing, information/data storage, or information\n                  system services that are critical to organizations can have a direct impact on the\n                  ability of those organizations to successfully execute their missions/business\n                  functions. This situation exists when external providers control the location of\n                  processing, storage or services. The criteria external providers use for the\n                  selection of processing, storage, or service locations may be different from\n                  organizational criteria. For example, organizations may want to ensure that\n                  data/information storage locations are restricted to certain locations to\n                  facilitate incident response activities (e.g., forensic analyses, after-the-fact\n                  investigations) in case of information security breaches/compromises. Such\n                  incident response activities may be adversely affected by the governing laws or\n                  protocols in the locations where processing and storage occur and/or the locations\n                  from which information system services emanate."
-                  },
-                  {
-                    "id": "sa-9.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(5)[1]"
-                          }
-                        ],
-                        "prose": "defines locations where organization-defined information processing,\n                     information/data, and/or information system services are to be restricted;"
-                      },
-                      {
-                        "id": "sa-9.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(5)[2]"
-                          }
-                        ],
-                        "prose": "defines requirements or conditions to restrict the location of information\n                     processing, information/data, and/or information system services;"
-                      },
-                      {
-                        "id": "sa-9.5_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(5)[3]"
-                          }
-                        ],
-                        "prose": "restricts the location of one or more of the following to organization-defined\n                     locations based on organization-defined requirements or conditions:",
-                        "parts": [
-                          {
-                            "id": "sa-9.5_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(5)[3][a]"
-                              }
-                            ],
-                            "prose": "information processing;"
-                          },
-                          {
-                            "id": "sa-9.5_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(5)[3][b]"
-                              }
-                            ],
-                            "prose": "information/data; and/or"
-                          },
-                          {
-                            "id": "sa-9.5_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(5)[3][c]"
-                              }
-                            ],
-                            "prose": "information services."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nrestricted locations for information processing\\n\\ninformation/data and/or information system services\\n\\ninformation processing, information/data, and/or information system services to\n                     be maintained in restricted locations\\n\\norganizational security requirements or conditions for external providers\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nexternal providers of information system services"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for defining requirements to restrict locations of\n                     information processing, information/data, or information services\\n\\norganizational processes for ensuring the location is restricted in accordance\n                     with requirements or conditions"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-10",
-            "class": "SP800-53",
-            "title": "Developer Configuration Management",
-            "parameters": [
-              {
-                "id": "sa-10_prm_1",
-                "constraints": [
-                  {
-                    "detail": "development, implementation, AND operation"
-                  }
-                ]
-              },
-              {
-                "id": "sa-10_prm_2",
-                "label": "organization-defined configuration items under configuration management"
-              },
-              {
-                "id": "sa-10_prm_3",
-                "label": "organization-defined personnel"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-10"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-10_smt",
-                "name": "statement",
-                "prose": "The organization requires the developer of the information system, system component,\n               or information system service to:",
-                "parts": [
-                  {
-                    "id": "sa-10_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Perform configuration management during system, component, or service {{ sa-10_prm_1 }};"
-                  },
-                  {
-                    "id": "sa-10_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};"
-                  },
-                  {
-                    "id": "sa-10_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Implement only organization-approved changes to the system, component, or\n                  service;"
-                  },
-                  {
-                    "id": "sa-10_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Document approved changes to the system, component, or service and the potential\n                  security impacts of such changes; and"
-                  },
-                  {
-                    "id": "sa-10_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Track security flaws and flaw resolution within the system, component, or service\n                  and report findings to {{ sa-10_prm_3 }}."
-                  },
-                  {
-                    "id": "sa-10_fr",
-                    "name": "item",
-                    "title": "SA-10 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sa-10_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)  Requirement:"
-                          }
-                        ],
-                        "prose": "For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-10_gdn",
-                "name": "guidance",
-                "prose": "This control also applies to organizations conducting internal information systems\n               development and integration. Organizations consider the quality and completeness of\n               the configuration management activities conducted by developers as evidence of\n               applying effective security safeguards. Safeguards include, for example, protecting\n               from unauthorized modification or destruction, the master copies of all material used\n               to generate security-relevant portions of the system hardware, software, and\n               firmware. Maintaining the integrity of changes to the information system, information\n               system component, or information system service requires configuration control\n               throughout the system development life cycle to track authorized changes and prevent\n               unauthorized changes. Configuration items that are placed under configuration\n               management (if existence/use is required by other security controls) include: the\n               formal model; the functional, high-level, and low-level design specifications; other\n               design data; implementation documentation; source code and hardware schematics; the\n               running version of the object code; tools for comparing new versions of\n               security-relevant hardware descriptions and software/firmware source code with\n               previous versions; and test fixtures and documentation. Depending on the\n               mission/business needs of organizations and the nature of the contractual\n               relationships in place, developers may provide configuration management support\n               during the operations and maintenance phases of the life cycle.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "sa-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-10.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-10(a)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to perform configuration management during one or more of the\n                  following:",
-                    "parts": [
-                      {
-                        "id": "sa-10.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(a)[1]"
-                          }
-                        ],
-                        "prose": "system, component, or service design;"
-                      },
-                      {
-                        "id": "sa-10.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(a)[2]"
-                          }
-                        ],
-                        "prose": "system, component, or service development;"
-                      },
-                      {
-                        "id": "sa-10.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(a)[3]"
-                          }
-                        ],
-                        "prose": "system, component, or service implementation; and/or"
-                      },
-                      {
-                        "id": "sa-10.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(a)[4]"
-                          }
-                        ],
-                        "prose": "system, component, or service operation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-10.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-10(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-10.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-10(b)[1]"
-                          }
-                        ],
-                        "prose": "defines configuration items to be placed under configuration management;"
-                      },
-                      {
-                        "id": "sa-10.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-10(b)[2]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to:",
-                        "parts": [
-                          {
-                            "id": "sa-10.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(b)[2][a]"
-                              }
-                            ],
-                            "prose": "document the integrity of changes to organization-defined items under\n                        configuration management;"
-                          },
-                          {
-                            "id": "sa-10.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(b)[2][b]"
-                              }
-                            ],
-                            "prose": "manage the integrity of changes to organization-defined items under\n                        configuration management;"
-                          },
-                          {
-                            "id": "sa-10.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(b)[2][c]"
-                              }
-                            ],
-                            "prose": "control the integrity of changes to organization-defined items under\n                        configuration management;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-10.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-10(c)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to implement only organization-approved changes to the system,\n                  component, or service;"
-                  },
-                  {
-                    "id": "sa-10.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-10(d)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to document:",
-                    "parts": [
-                      {
-                        "id": "sa-10.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(d)[1]"
-                          }
-                        ],
-                        "prose": "approved changes to the system, component, or service;"
-                      },
-                      {
-                        "id": "sa-10.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(d)[2]"
-                          }
-                        ],
-                        "prose": "the potential security impacts of such changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-10.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-10(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-10.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-10(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel to whom findings, resulting from security flaws and flaw\n                     resolution tracked within the system, component, or service, are to be\n                     reported;"
-                      },
-                      {
-                        "id": "sa-10.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-10(e)[2]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to:",
-                        "parts": [
-                          {
-                            "id": "sa-10.e_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(e)[2][a]"
-                              }
-                            ],
-                            "prose": "track security flaws within the system, component, or service;"
-                          },
-                          {
-                            "id": "sa-10.e_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(e)[2][b]"
-                              }
-                            ],
-                            "prose": "track security flaw resolution within the system, component, or service;\n                        and"
-                          },
-                          {
-                            "id": "sa-10.e_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(e)[2][c]"
-                              }
-                            ],
-                            "prose": "report findings to organization-defined personnel."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer configuration management\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer configuration management plan\\n\\nsecurity flaw and flaw resolution tracking records\\n\\nsystem change authorization records\\n\\nchange control records\\n\\nconfiguration management records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring developer configuration management\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                  configuration management"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-10.1",
-                "class": "SP800-53-enhancement",
-                "title": "Software / Firmware Integrity Verification",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-10(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-10.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-10.1_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to enable integrity verification of\n                  software and firmware components."
-                  },
-                  {
-                    "id": "sa-10.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement allows organizations to detect unauthorized changes to\n                  software and firmware components through the use of tools, techniques, and/or\n                  mechanisms provided by developers. Integrity checking mechanisms can also address\n                  counterfeiting of software and firmware components. Organizations verify the\n                  integrity of software and firmware components, for example, through secure one-way\n                  hashes provided by developers. Delivered software and firmware components also\n                  include any updates to such components.",
-                    "links": [
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-10.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to enable integrity verification\n                  of software and firmware components."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer configuration management\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system\\n\\nsystem component, or information system service\\n\\nsystem developer configuration management plan\\n\\nsoftware and firmware integrity verification records\\n\\nsystem change authorization records\\n\\nchange control records\\n\\nconfiguration management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring developer configuration management\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     configuration management"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-11",
-            "class": "SP800-53",
-            "title": "Developer Security Testing and Evaluation",
-            "parameters": [
-              {
-                "id": "sa-11_prm_1"
-              },
-              {
-                "id": "sa-11_prm_2",
-                "label": "organization-defined depth and coverage"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-11"
-              }
-            ],
-            "links": [
-              {
-                "href": "#1737a687-52fb-4008-b900-cbfa836f7b65",
-                "rel": "reference",
-                "text": "ISO/IEC 15408"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              },
-              {
-                "href": "#15522e92-9192-463d-9646-6a01982db8ca",
-                "rel": "reference",
-                "text": "http://cwe.mitre.org"
-              },
-              {
-                "href": "#0931209f-00ae-4132-b92c-bc645847e8f9",
-                "rel": "reference",
-                "text": "http://cve.mitre.org"
-              },
-              {
-                "href": "#4ef539ba-b767-4666-b0d3-168c53005fa3",
-                "rel": "reference",
-                "text": "http://capec.mitre.org"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-11_smt",
-                "name": "statement",
-                "prose": "The organization requires the developer of the information system, system component,\n               or information system service to:",
-                "parts": [
-                  {
-                    "id": "sa-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Create and implement a security assessment plan;"
-                  },
-                  {
-                    "id": "sa-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Perform {{ sa-11_prm_1 }} testing/evaluation at {{ sa-11_prm_2 }};"
-                  },
-                  {
-                    "id": "sa-11_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Produce evidence of the execution of the security assessment plan and the results\n                  of the security testing/evaluation;"
-                  },
-                  {
-                    "id": "sa-11_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Implement a verifiable flaw remediation process; and"
-                  },
-                  {
-                    "id": "sa-11_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Correct flaws identified during security testing/evaluation."
-                  }
-                ]
-              },
-              {
-                "id": "sa-11_gdn",
-                "name": "guidance",
-                "prose": "Developmental security testing/evaluation occurs at all post-design phases of the\n               system development life cycle. Such testing/evaluation confirms that the required\n               security controls are implemented correctly, operating as intended, enforcing the\n               desired security policy, and meeting established security requirements. Security\n               properties of information systems may be affected by the interconnection of system\n               components or changes to those components. These interconnections or changes (e.g.,\n               upgrading or replacing applications and operating systems) may adversely affect\n               previously implemented security controls. This control provides additional types of\n               security testing/evaluation that developers can conduct to reduce or eliminate\n               potential flaws. Testing custom software applications may require approaches such as\n               static analysis, dynamic analysis, binary analysis, or a hybrid of the three\n               approaches. Developers can employ these analysis approaches in a variety of tools\n               (e.g., web-based application scanners, static analysis tools, binary analyzers) and\n               in source code reviews. Security assessment plans provide the specific activities\n               that developers plan to carry out including the types of analyses, testing,\n               evaluation, and reviews of software and firmware components, the degree of rigor to\n               be applied, and the types of artifacts produced during those processes. The depth of\n               security testing/evaluation refers to the rigor and level of detail associated with\n               the assessment process (e.g., black box, gray box, or white box testing). The\n               coverage of security testing/evaluation refers to the scope (i.e., number and type)\n               of the artifacts included in the assessment process. Contracts specify the acceptance\n               criteria for security assessment plans, flaw remediation processes, and the evidence\n               that the plans/processes have been diligently applied. Methods for reviewing and\n               protecting assessment plans, evidence, and documentation are commensurate with the\n               security category or classification level of the information system. Contracts may\n               specify documentation protection requirements.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "sa-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-11(a)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to create and implement a security plan;"
-                  },
-                  {
-                    "id": "sa-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-11(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-11.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-11(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the depth of testing/evaluation to be performed by the developer of the\n                     information system, system component, or information system service;"
-                      },
-                      {
-                        "id": "sa-11.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-11(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the coverage of testing/evaluation to be performed by the developer of\n                     the information system, system component, or information system service;"
-                      },
-                      {
-                        "id": "sa-11.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-11(b)[3]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to perform one or more of the following\n                     testing/evaluation at the organization-defined depth and coverage:",
-                        "parts": [
-                          {
-                            "id": "sa-11.b_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-11(b)[3][a]"
-                              }
-                            ],
-                            "prose": "unit testing/evaluation;"
-                          },
-                          {
-                            "id": "sa-11.b_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-11(b)[3][b]"
-                              }
-                            ],
-                            "prose": "integration testing/evaluation;"
-                          },
-                          {
-                            "id": "sa-11.b_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-11(b)[3][c]"
-                              }
-                            ],
-                            "prose": "system testing/evaluation; and/or"
-                          },
-                          {
-                            "id": "sa-11.b_obj.3.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-11(b)[3][d]"
-                              }
-                            ],
-                            "prose": "regression testing/evaluation;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-11(c)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to produce evidence of:",
-                    "parts": [
-                      {
-                        "id": "sa-11.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-11(c)[1]"
-                          }
-                        ],
-                        "prose": "the execution of the security assessment plan;"
-                      },
-                      {
-                        "id": "sa-11.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-11(c)[2]"
-                          }
-                        ],
-                        "prose": "the results of the security testing/evaluation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-11(d)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to implement a verifiable flaw remediation process; and"
-                  },
-                  {
-                    "id": "sa-11.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-11(e)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to correct flaws identified during security testing/evaluation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer security test plans\\n\\nrecords of developer security testing results for the information system, system\n                  component, or information system service\\n\\nsecurity flaw and remediation tracking records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring developer security testing and\n                  evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                  security testing and evaluation"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-11.1",
-                "class": "SP800-53-enhancement",
-                "title": "Static Code Analysis",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-11(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-11.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-11.1_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to employ static code analysis tools to\n                  identify common flaws and document the results of the analysis.",
-                    "parts": [
-                      {
-                        "id": "sa-11.1_fr",
-                        "name": "item",
-                        "title": "SA-11 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "sa-11.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.1_gdn",
-                    "name": "guidance",
-                    "prose": "Static code analysis provides a technology and methodology for security reviews.\n                  Such analysis can be used to identify security vulnerabilities and enforce\n                  security coding practices. Static code analysis is most effective when used early\n                  in the development process, when each code change can be automatically scanned for\n                  potential weaknesses. Static analysis can provide clear remediation guidance along\n                  with defects to enable developers to fix such defects. Evidence of correct\n                  implementation of static analysis can include, for example, aggregate defect\n                  density for critical defect types, evidence that defects were inspected by\n                  developers or security professionals, and evidence that defects were fixed. An\n                  excessively high density of ignored findings (commonly referred to as ignored or\n                  false positives) indicates a potential problem with the analysis process or tool.\n                  In such cases, organizations weigh the validity of the evidence against evidence\n                  from other sources."
-                  },
-                  {
-                    "id": "sa-11.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to employ static code analysis\n                  tools to identify common flaws and document the results of the analysis."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test plans\\n\\nsystem developer security testing results\\n\\nsecurity flaw and remediation tracking records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation\\n\\nstatic code analysis tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-11.2",
-                "class": "SP800-53-enhancement",
-                "title": "Threat and Vulnerability Analyses",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-11(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-11.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-11.2_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to perform threat and vulnerability\n                  analyses and subsequent testing/evaluation of the as-built system, component, or\n                  service."
-                  },
-                  {
-                    "id": "sa-11.2_gdn",
-                    "name": "guidance",
-                    "prose": "Applications may deviate significantly from the functional and design\n                  specifications created during the requirements and design phases of the system\n                  development life cycle. Therefore, threat and vulnerability analyses of\n                  information systems, system components, and information system services prior to\n                  delivery are critical to the effective operation of those systems, components, and\n                  services. Threat and vulnerability analyses at this phase of the life cycle help\n                  to ensure that design or implementation changes have been accounted for, and that\n                  any new vulnerabilities created as a result of those changes have been reviewed\n                  and mitigated.",
-                    "links": [
-                      {
-                        "href": "#pm-15",
-                        "rel": "related",
-                        "text": "PM-15"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to perform:",
-                    "parts": [
-                      {
-                        "id": "sa-11.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-11(2)[1]"
-                          }
-                        ],
-                        "prose": "threat analyses of the as-built, system component, or service;"
-                      },
-                      {
-                        "id": "sa-11.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-11(2)[2]"
-                          }
-                        ],
-                        "prose": "vulnerability analyses of the as-built, system component, or service; and"
-                      },
-                      {
-                        "id": "sa-11.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-11(2)[3]"
-                          }
-                        ],
-                        "prose": "subsequent testing/evaluation of the as-built, system component, or\n                     service."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test plans\\n\\nrecords of developer security testing results for the information system,\n                     system component, or information system service\\n\\nvulnerability scanning results\\n\\ninformation system risk assessment reports\\n\\nthreat and vulnerability analysis reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-11.8",
-                "class": "SP800-53-enhancement",
-                "title": "Dynamic Code Analysis",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-11(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-11.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-11.8_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to employ dynamic code analysis tools to\n                  identify common flaws and document the results of the analysis.",
-                    "parts": [
-                      {
-                        "id": "sa-11.8_fr",
-                        "name": "item",
-                        "title": "SA-11 (8) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "sa-11.8_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.8_gdn",
-                    "name": "guidance",
-                    "prose": "Dynamic code analysis provides run-time verification of software programs, using\n                  tools capable of monitoring programs for memory corruption, user privilege issues,\n                  and other potential security problems. Dynamic code analysis employs run-time\n                  tools to help to ensure that security functionality performs in the manner in\n                  which it was designed. A specialized type of dynamic analysis, known as fuzz\n                  testing, induces program failures by deliberately introducing malformed or random\n                  data into software programs. Fuzz testing strategies derive from the intended use\n                  of applications and the functional and design specifications for the applications.\n                  To understand the scope of dynamic code analysis and hence the assurance provided,\n                  organizations may also consider conducting code coverage analysis (checking the\n                  degree to which the code has been tested using metrics such as percent of\n                  subroutines tested or percent of program statements called during execution of the\n                  test suite) and/or concordance analysis (checking for words that are out of place\n                  in software code such as non-English language words or derogatory terms)."
-                  },
-                  {
-                    "id": "sa-11.8_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to employ dynamic code analysis\n                  tools to identify common flaws and document the results of the analysis."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test and evaluation plans\\n\\nsecurity test and evaluation results\\n\\nsecurity flaw and remediation tracking reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-12",
-            "class": "SP800-53",
-            "title": "Supply Chain Protection",
-            "parameters": [
-              {
-                "id": "sa-12_prm_1",
-                "label": "organization-defined security safeguards",
-                "constraints": [
-                  {
-                    "detail": "organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-12"
-              }
-            ],
-            "links": [
-              {
-                "href": "#8ab6bcdc-339b-4068-b45e-994814a6e187",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-161"
-              },
-              {
-                "href": "#bdd2f49e-edf7-491f-a178-4487898228f3",
-                "rel": "reference",
-                "text": "NIST Interagency Report 7622"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-12_smt",
-                "name": "statement",
-                "prose": "The organization protects against supply chain threats to the information system,\n               system component, or information system service by employing {{ sa-12_prm_1 }} as part of a comprehensive, defense-in-breadth\n               information security strategy."
-              },
-              {
-                "id": "sa-12_gdn",
-                "name": "guidance",
-                "prose": "Information systems (including system components that compose those systems) need to\n               be protected throughout the system development life cycle (i.e., during design,\n               development, manufacturing, packaging, assembly, distribution, system integration,\n               operations, maintenance, and retirement). Protection of organizational information\n               systems is accomplished through threat awareness, by the identification, management,\n               and reduction of vulnerabilities at each phase of the life cycle and the use of\n               complementary, mutually reinforcing strategies to respond to risk. Organizations\n               consider implementing a standardized process to address supply chain risk with\n               respect to information systems and system components, and to educate the acquisition\n               workforce on threats, risk, and required security controls. Organizations use the\n               acquisition/procurement processes to require supply chain entities to implement\n               necessary security safeguards to: (i) reduce the likelihood of unauthorized\n               modifications at each stage in the supply chain; and (ii) protect information systems\n               and information system components, prior to taking delivery of such\n               systems/components. This control also applies to information system services.\n               Security safeguards include, for example: (i) security controls for development\n               systems, development facilities, and external connections to development systems;\n               (ii) vetting development personnel; and (iii) use of tamper-evident packaging during\n               shipping/warehousing. Methods for reviewing and protecting development plans,\n               evidence, and documentation are commensurate with the security category or\n               classification level of the information system. Contracts may specify documentation\n               protection requirements.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#pl-8",
-                    "rel": "related",
-                    "text": "PL-8"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#sa-14",
-                    "rel": "related",
-                    "text": "SA-14"
-                  },
-                  {
-                    "href": "#sa-15",
-                    "rel": "related",
-                    "text": "SA-15"
-                  },
-                  {
-                    "href": "#sa-18",
-                    "rel": "related",
-                    "text": "SA-18"
-                  },
-                  {
-                    "href": "#sa-19",
-                    "rel": "related",
-                    "text": "SA-19"
-                  },
-                  {
-                    "href": "#sc-29",
-                    "rel": "related",
-                    "text": "SC-29"
-                  },
-                  {
-                    "href": "#sc-30",
-                    "rel": "related",
-                    "text": "SC-30"
-                  },
-                  {
-                    "href": "#sc-38",
-                    "rel": "related",
-                    "text": "SC-38"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "sa-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-12[1]"
-                      }
-                    ],
-                    "prose": "defines security safeguards to be employed to protect against supply chain threats\n                  to the information system, system component, or information system service;\n                  and"
-                  },
-                  {
-                    "id": "sa-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-12[2]"
-                      }
-                    ],
-                    "prose": "protects against supply chain threats to the information system, system component,\n                  or information system service by employing organization-defined security\n                  safeguards as part of a comprehensive, defense-in-breadth information security\n                  strategy."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing supply chain protection\\n\\nprocedures addressing the integration of information security requirements into\n                  the acquisition process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nlist of supply chain threats\\n\\nlist of security safeguards to be taken against supply chain threats\\n\\nsystem development life cycle documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with supply chain protection responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining safeguards for and protecting against supply\n                  chain threats\\n\\nautomated mechanisms supporting and/or implementing safeguards for supply chain\n                  threats"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-15",
-            "class": "SP800-53",
-            "title": "Development Process, Standards, and Tools",
-            "parameters": [
-              {
-                "id": "sa-15_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "as needed and as dictated by the current threat posture"
-                  }
-                ]
-              },
-              {
-                "id": "sa-15_prm_2",
-                "label": "organization-defined security requirements",
-                "constraints": [
-                  {
-                    "detail": "organization and service provider- defined security requirements"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-15_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-15_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires the developer of the information system, system component, or information\n                  system service to follow a documented development process that:",
-                    "parts": [
-                      {
-                        "id": "sa-15_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Explicitly addresses security requirements;"
-                      },
-                      {
-                        "id": "sa-15_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Identifies the standards and tools used in the development process;"
-                      },
-                      {
-                        "id": "sa-15_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Documents the specific tool options and tool configurations used in the\n                     development process; and"
-                      },
-                      {
-                        "id": "sa-15_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Documents, manages, and ensures the integrity of changes to the process and/or\n                     tools used in development; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-15_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews the development process, standards, tools, and tool options/configurations\n                     {{ sa-15_prm_1 }} to determine if the process, standards, tools,\n                  and tool options/configurations selected and employed can satisfy {{ sa-15_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "sa-15_gdn",
-                "name": "guidance",
-                "prose": "Development tools include, for example, programming languages and computer-aided\n               design (CAD) systems. Reviews of development processes can include, for example, the\n               use of maturity models to determine the potential effectiveness of such processes.\n               Maintaining the integrity of changes to tools and processes enables accurate supply\n               chain risk assessment and mitigation, and requires robust configuration control\n               throughout the life cycle (including design, development, transport, delivery,\n               integration, and maintenance) to track authorized changes and prevent unauthorized\n               changes.",
-                "links": [
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  }
-                ]
-              },
-              {
-                "id": "sa-15_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-15.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-15(a)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to follow a documented development process that:",
-                    "parts": [
-                      {
-                        "id": "sa-15.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-15(a)(1)"
-                          }
-                        ],
-                        "prose": "explicitly addresses security requirements;"
-                      },
-                      {
-                        "id": "sa-15.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-15(a)(2)"
-                          }
-                        ],
-                        "prose": "identifies the standards and tools used in the development process;"
-                      },
-                      {
-                        "id": "sa-15.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-15(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-15.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-15(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "documents the specific tool options used in the development process;"
-                          },
-                          {
-                            "id": "sa-15.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-15(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "documents the specific tool configurations used in the development\n                        process;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-15.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-15(a)(4)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-15.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-15(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "documents changes to the process and/or tools used in the development;"
-                          },
-                          {
-                            "id": "sa-15.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-15(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "manages changes to the process and/or tools used in the development;"
-                          },
-                          {
-                            "id": "sa-15.a.4_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-15(a)(4)[3]"
-                              }
-                            ],
-                            "prose": "ensures the integrity of changes to the process and/or tools used in the\n                        development;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-15.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-15(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-15.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-15(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to review the development process, standards, tools, and\n                     tool options/configurations;"
-                      },
-                      {
-                        "id": "sa-15.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-15(b)[2]"
-                          }
-                        ],
-                        "prose": "defines security requirements to be satisfied by the process, standards, tools,\n                     and tool option/configurations selected and employed; and"
-                      },
-                      {
-                        "id": "sa-15.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-15(b)[3]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-15.b_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-15(b)[3][a]"
-                              }
-                            ],
-                            "prose": "reviews the development process with the organization-defined frequency to\n                        determine if the process selected and employed can satisfy\n                        organization-defined security requirements;"
-                          },
-                          {
-                            "id": "sa-15.b_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-15(b)[3][b]"
-                              }
-                            ],
-                            "prose": "reviews the development standards with the organization-defined frequency to\n                        determine if the standards selected and employed can satisfy\n                        organization-defined security requirements;"
-                          },
-                          {
-                            "id": "sa-15.b_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-15(b)[3][c]"
-                              }
-                            ],
-                            "prose": "reviews the development tools with the organization-defined frequency to\n                        determine if the tools selected and employed can satisfy\n                        organization-defined security requirements; and"
-                          },
-                          {
-                            "id": "sa-15.b_obj.3.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-15(b)[3][d]"
-                              }
-                            ],
-                            "prose": "reviews the development tool options/configurations with the\n                        organization-defined frequency to determine if the tool\n                        options/configurations selected and employed can satisfy\n                        organization-defined security requirements."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing development process, standards, and tools\\n\\nprocedures addressing the integration of security requirements during the\n                  development process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer documentation listing tool options/configuration guides,\n                  configuration management records\\n\\nchange control records\\n\\nconfiguration control records\\n\\ndocumented reviews of development process, standards, tools, and tool\n                  options/configurations\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-16",
-            "class": "SP800-53",
-            "title": "Developer-provided Training",
-            "parameters": [
-              {
-                "id": "sa-16_prm_1",
-                "label": "organization-defined training"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-16"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-16_smt",
-                "name": "statement",
-                "prose": "The organization requires the developer of the information system, system component,\n               or information system service to provide {{ sa-16_prm_1 }} on the\n               correct use and operation of the implemented security functions, controls, and/or\n               mechanisms."
-              },
-              {
-                "id": "sa-16_gdn",
-                "name": "guidance",
-                "prose": "This control applies to external and internal (in-house) developers. Training of\n               personnel is an essential element to ensure the effectiveness of security controls\n               implemented within organizational information systems. Training options include, for\n               example, classroom-style training, web-based/computer-based training, and hands-on\n               training. Organizations can also request sufficient training materials from\n               developers to conduct in-house training or offer self-training to organizational\n               personnel. Organizations determine the type of training necessary and may require\n               different types of training for different security functions, controls, or\n               mechanisms.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  }
-                ]
-              },
-              {
-                "id": "sa-16_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-16_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-16[1]"
-                      }
-                    ],
-                    "prose": "defines training to be provided by the developer of the information system, system\n                  component, or information system service; and"
-                  },
-                  {
-                    "id": "sa-16_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-16[2]"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to provide organization-defined training on the correct use and\n                  operation of the implemented security functions, controls, and/or mechanisms."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing developer-provided training\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ndeveloper-provided training materials\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information system security responsibilities\\n\\nsystem developer\\n\\norganizational or third-party developers with training responsibilities for the\n                  information system, system component, or information system service"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-17",
-            "class": "SP800-53",
-            "title": "Developer Security Architecture and Design",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-17"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-17_smt",
-                "name": "statement",
-                "prose": "The organization requires the developer of the information system, system component,\n               or information system service to produce a design specification and security\n               architecture that:",
-                "parts": [
-                  {
-                    "id": "sa-17_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Is consistent with and supportive of the organization’s security architecture\n                  which is established within and is an integrated part of the organization’s\n                  enterprise architecture;"
-                  },
-                  {
-                    "id": "sa-17_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Accurately and completely describes the required security functionality, and the\n                  allocation of security controls among physical and logical components; and"
-                  },
-                  {
-                    "id": "sa-17_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Expresses how individual security functions, mechanisms, and services work\n                  together to provide required security capabilities and a unified approach to\n                  protection."
-                  }
-                ]
-              },
-              {
-                "id": "sa-17_gdn",
-                "name": "guidance",
-                "prose": "This control is primarily directed at external developers, although it could also be\n               used for internal (in-house) development. In contrast, PL-8 is primarily directed at\n               internal developers to help ensure that organizations develop an information security\n               architecture and such security architecture is integrated or tightly coupled to the\n               enterprise architecture. This distinction is important if/when organizations\n               outsource the development of information systems, information system components, or\n               information system services to external entities, and there is a requirement to\n               demonstrate consistency with the organization’s enterprise architecture and\n               information security architecture.",
-                "links": [
-                  {
-                    "href": "#pl-8",
-                    "rel": "related",
-                    "text": "PL-8"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  }
-                ]
-              },
-              {
-                "id": "sa-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization requires the developer of the information system,\n               system component, or information system service to produce a design specification and\n               security architecture that:",
-                "parts": [
-                  {
-                    "id": "sa-17.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-17(a)"
-                      }
-                    ],
-                    "prose": "is consistent with and supportive of the organization’s security architecture\n                  which is established within and is an integrated part of the organization’s\n                  enterprise architecture;"
-                  },
-                  {
-                    "id": "sa-17.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-17(b)"
-                      }
-                    ],
-                    "prose": "accurately and completely describes:",
-                    "parts": [
-                      {
-                        "id": "sa-17.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-17(b)[1]"
-                          }
-                        ],
-                        "prose": "the required security functionality;"
-                      },
-                      {
-                        "id": "sa-17.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-17(b)[2]"
-                          }
-                        ],
-                        "prose": "the allocation of security controls among physical and logical components;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-17.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-17(c)"
-                      }
-                    ],
-                    "prose": "expresses how individual security functions, mechanisms, and services work\n                  together to provide required security capabilities and a unified approach to\n                  protection."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nenterprise architecture policy\\n\\nprocedures addressing developer security architecture and design specification for\n                  the information system\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ndesign specification and security architecture documentation for the system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with security architecture and design\n                  responsibilities"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "sc",
-        "class": "family",
-        "title": "System and Communications Protection",
-        "controls": [
-          {
-            "id": "sc-1",
-            "class": "SP800-53",
-            "title": "System and Communications Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "sc-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "sc-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SC-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sc-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ sc-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "sc-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and communications protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "sc-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and communications\n                     protection policy and associated system and communications protection controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "sc-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and communications protection policy {{ sc-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "sc-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and communications protection procedures {{ sc-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and communications protection policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "sc-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "sc-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and communications protection\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "sc-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and communications protection policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and communications protection policy and associated system and\n                        communications protection controls;"
-                          },
-                          {
-                            "id": "sc-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "sc-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        communications protection policy;"
-                          },
-                          {
-                            "id": "sc-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and communications protection policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        communications protection procedures; and"
-                          },
-                          {
-                            "id": "sc-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and communications protection\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and communications protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-2",
-            "class": "SP800-53",
-            "title": "Application Partitioning",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-2_smt",
-                "name": "statement",
-                "prose": "The information system separates user functionality (including user interface\n               services) from information system management functionality."
-              },
-              {
-                "id": "sc-2_gdn",
-                "name": "guidance",
-                "prose": "Information system management functionality includes, for example, functions\n               necessary to administer databases, network components, workstations, or servers, and\n               typically requires privileged user access. The separation of user functionality from\n               information system management functionality is either physical or logical.\n               Organizations implement separation of system management-related functionality from\n               user functionality by using different computers, different central processing units,\n               different instances of operating systems, different network addresses, virtualization\n               techniques, or combinations of these or other methods, as appropriate. This type of\n               separation includes, for example, web administrative interfaces that use separate\n               authentication methods for users of any other information system resources.\n               Separation of system and user functionality may include isolating administrative\n               interfaces on different domains and with additional access controls.",
-                "links": [
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "sc-2_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system separates user functionality (including user\n               interface services) from information system management functionality."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing application partitioning\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Separation of user functionality from information system management\n                  functionality"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-3",
-            "class": "SP800-53",
-            "title": "Security Function Isolation",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-3_smt",
-                "name": "statement",
-                "prose": "The information system isolates security functions from nonsecurity functions."
-              },
-              {
-                "id": "sc-3_gdn",
-                "name": "guidance",
-                "prose": "The information system isolates security functions from nonsecurity functions by\n               means of an isolation boundary (implemented via partitions and domains). Such\n               isolation controls access to and protects the integrity of the hardware, software,\n               and firmware that perform those security functions. Information systems implement\n               code separation (i.e., separation of security functions from nonsecurity functions)\n               in a number of ways, including, for example, through the provision of security\n               kernels via processor rings or processor modes. For non-kernel code, security\n               function isolation is often achieved through file system protections that serve to\n               protect the code on disk, and address space protections that protect executing code.\n               Information systems restrict access to security functions through the use of access\n               control mechanisms and by implementing least privilege capabilities. While the ideal\n               is for all of the code within the security function isolation boundary to only\n               contain security-relevant code, it is sometimes necessary to include nonsecurity\n               functions within the isolation boundary as an exception.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-13",
-                    "rel": "related",
-                    "text": "SA-13"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-39",
-                    "rel": "related",
-                    "text": "SC-39"
-                  }
-                ]
-              },
-              {
-                "id": "sc-3_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system isolates security functions from nonsecurity\n               functions."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing security function isolation\\n\\nlist of security functions to be isolated from nonsecurity functions\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Separation of security functions from nonsecurity functions within the information\n                  system"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-4",
-            "class": "SP800-53",
-            "title": "Information in Shared Resources",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-4_smt",
-                "name": "statement",
-                "prose": "The information system prevents unauthorized and unintended information transfer via\n               shared system resources."
-              },
-              {
-                "id": "sc-4_gdn",
-                "name": "guidance",
-                "prose": "This control prevents information, including encrypted representations of\n               information, produced by the actions of prior users/roles (or the actions of\n               processes acting on behalf of prior users/roles) from being available to any current\n               users/roles (or current processes) that obtain access to shared system resources\n               (e.g., registers, main memory, hard disks) after those resources have been released\n               back to information systems. The control of information in shared resources is also\n               commonly referred to as object reuse and residual information protection. This\n               control does not address: (i) information remanence which refers to residual\n               representation of data that has been nominally erased or removed; (ii) covert\n               channels (including storage and/or timing channels) where shared resources are\n               manipulated to violate information flow restrictions; or (iii) components within\n               information systems for which there are only single users/roles.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  }
-                ]
-              },
-              {
-                "id": "sc-4_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system prevents unauthorized and unintended information\n               transfer via shared system resources."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing information protection in shared system resources\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms preventing unauthorized and unintended transfer of\n                  information via shared system resources"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-5",
-            "class": "SP800-53",
-            "title": "Denial of Service Protection",
-            "parameters": [
-              {
-                "id": "sc-5_prm_1",
-                "label": "organization-defined types of denial of service attacks or references to sources\n               for such information"
-              },
-              {
-                "id": "sc-5_prm_2",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-5_smt",
-                "name": "statement",
-                "prose": "The information system protects against or limits the effects of the following types\n               of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}."
-              },
-              {
-                "id": "sc-5_gdn",
-                "name": "guidance",
-                "prose": "A variety of technologies exist to limit, or in some cases, eliminate the effects of\n               denial of service attacks. For example, boundary protection devices can filter\n               certain types of packets to protect information system components on internal\n               organizational networks from being directly affected by denial of service attacks.\n               Employing increased capacity and bandwidth combined with service redundancy may also\n               reduce the susceptibility to denial of service attacks.",
-                "links": [
-                  {
-                    "href": "#sc-6",
-                    "rel": "related",
-                    "text": "SC-6"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-5_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[1]"
-                      }
-                    ],
-                    "prose": "the organization defines types of denial of service attacks or reference to source\n                  of such information for the information system to protect against or limit the\n                  effects;"
-                  },
-                  {
-                    "id": "sc-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[2]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be employed by the information\n                  system to protect against or limit the effects of organization-defined types of\n                  denial of service attacks; and"
-                  },
-                  {
-                    "id": "sc-5_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[3]"
-                      }
-                    ],
-                    "prose": "the information system protects against or limits the effects of the\n                  organization-defined denial or service attacks (or reference to source for such\n                  information) by employing organization-defined security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing denial of service protection\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\nlist of denial of services attacks requiring employment of security safeguards to\n                  protect against or limit effects of such attacks\\n\\nlist of security safeguards protecting against or limiting the effects of denial\n                  of service attacks\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms protecting against or limiting the effects of denial of\n                  service attacks"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-6",
-            "class": "SP800-53",
-            "title": "Resource Availability",
-            "parameters": [
-              {
-                "id": "sc-6_prm_1",
-                "label": "organization-defined resources"
-              },
-              {
-                "id": "sc-6_prm_2"
-              },
-              {
-                "id": "sc-6_prm_3",
-                "depends-on": "sc-6_prm_2",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-6_smt",
-                "name": "statement",
-                "prose": "The information system protects the availability of resources by allocating {{ sc-6_prm_1 }} by {{ sc-6_prm_2 }}."
-              },
-              {
-                "id": "sc-6_gdn",
-                "name": "guidance",
-                "prose": "Priority protection helps prevent lower-priority processes from delaying or\n               interfering with the information system servicing any higher-priority processes.\n               Quotas prevent users or processes from obtaining more than predetermined amounts of\n               resources. This control does not apply to information system components for which\n               there are only single users/roles."
-              },
-              {
-                "id": "sc-6_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-6_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-6[1]"
-                      }
-                    ],
-                    "prose": "the organization defines resources to be allocated to protect the availability of\n                  resources;"
-                  },
-                  {
-                    "id": "sc-6_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-6[2]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be employed to protect the\n                  availability of resources;"
-                  },
-                  {
-                    "id": "sc-6_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-6[3]"
-                      }
-                    ],
-                    "prose": "the information system protects the availability of resources by allocating\n                  organization-defined resources by one or more of the following:",
-                    "parts": [
-                      {
-                        "id": "sc-6_obj.3.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-6[3][a]"
-                          }
-                        ],
-                        "prose": "priority;"
-                      },
-                      {
-                        "id": "sc-6_obj.3.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-6[3][b]"
-                          }
-                        ],
-                        "prose": "quota; and/or"
-                      },
-                      {
-                        "id": "sc-6_obj.3.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-6[3][c]"
-                          }
-                        ],
-                        "prose": "organization-defined safeguards."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing prioritization of information system resources\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing resource allocation\n                  capability\\n\\nsafeguards employed to protect availability of resources"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-7",
-            "class": "SP800-53",
-            "title": "Boundary Protection",
-            "parameters": [
-              {
-                "id": "sc-7_prm_1"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#756a8e86-57d5-4701-8382-f7a40439665a",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-41"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-7_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors and controls communications at the external boundary of the system and at\n                  key internal boundaries within the system;"
-                  },
-                  {
-                    "id": "sc-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;\n                  and"
-                  },
-                  {
-                    "id": "sc-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."
-                  }
-                ]
-              },
-              {
-                "id": "sc-7_gdn",
-                "name": "guidance",
-                "prose": "Managed interfaces include, for example, gateways, routers, firewalls, guards,\n               network-based malicious code analysis and virtualization systems, or encrypted\n               tunnels implemented within a security architecture (e.g., routers protecting\n               firewalls or application gateways residing on protected subnetworks). Subnetworks\n               that are physically or logically separated from internal networks are referred to as\n               demilitarized zones or DMZs. Restricting or prohibiting interfaces within\n               organizational information systems includes, for example, restricting external web\n               traffic to designated web servers within managed interfaces and prohibiting external\n               traffic that appears to be spoofing internal addresses. Organizations consider the\n               shared nature of commercial telecommunications services in the implementation of\n               security controls associated with the use of such services. Commercial\n               telecommunications services are commonly based on network components and consolidated\n               management systems shared by all attached commercial customers, and may also include\n               third party-provided access lines and other service elements. Such transmission\n               services may represent sources of increased risk despite contract security\n               provisions.",
-                "links": [
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "sc-7_obj",
-                "name": "objective",
-                "prose": "Determine if the information system:",
-                "parts": [
-                  {
-                    "id": "sc-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[1]"
-                          }
-                        ],
-                        "prose": "monitors communications at the external boundary of the information system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors communications at key internal boundaries within the system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[3]"
-                          }
-                        ],
-                        "prose": "controls communications at the external boundary of the information system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[4]"
-                          }
-                        ],
-                        "prose": "controls communications at key internal boundaries within the system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-7(b)"
-                      }
-                    ],
-                    "prose": "implements subnetworks for publicly accessible system components that are\n                  either:",
-                    "parts": [
-                      {
-                        "id": "sc-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(b)[1]"
-                          }
-                        ],
-                        "prose": "physically separated from internal organizational networks; and/or"
-                      },
-                      {
-                        "id": "sc-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(b)[2]"
-                          }
-                        ],
-                        "prose": "logically separated from internal organizational networks; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-7(c)"
-                      }
-                    ],
-                    "prose": "connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\nlist of key internal boundaries of the information system\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\nenterprise security architecture documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing boundary protection capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-7.3",
-                "class": "SP800-53-enhancement",
-                "title": "Access Points",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.3_smt",
-                    "name": "statement",
-                    "prose": "The organization limits the number of external network connections to the\n                  information system."
-                  },
-                  {
-                    "id": "sc-7.3_gdn",
-                    "name": "guidance",
-                    "prose": "Limiting the number of external network connections facilitates more comprehensive\n                  monitoring of inbound and outbound communications traffic. The Trusted Internet\n                  Connection (TIC) initiative is an example of limiting the number of external\n                  network connections."
-                  },
-                  {
-                    "id": "sc-7.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization limits the number of external network connections to\n                  the information system."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncommunications and network traffic monitoring logs\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing boundary protection capability\\n\\nautomated mechanisms limiting the number of external network connections to the\n                     information system"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.4",
-                "class": "SP800-53-enhancement",
-                "title": "External Telecommunications Services",
-                "parameters": [
-                  {
-                    "id": "sc-7.4_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SC-7(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.4_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.4_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Implements a managed interface for each external telecommunication service;"
-                      },
-                      {
-                        "id": "sc-7.4_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Establishes a traffic flow policy for each managed interface;"
-                      },
-                      {
-                        "id": "sc-7.4_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Protects the confidentiality and integrity of the information being transmitted\n                     across each interface;"
-                      },
-                      {
-                        "id": "sc-7.4_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Documents each exception to the traffic flow policy with a supporting\n                     mission/business need and duration of that need; and"
-                      },
-                      {
-                        "id": "sc-7.4_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)"
-                          }
-                        ],
-                        "prose": "Reviews exceptions to the traffic flow policy {{ sc-7.4_prm_1 }}\n                     and removes exceptions that are no longer supported by an explicit\n                     mission/business need."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.4_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#sc-8",
-                        "rel": "related",
-                        "text": "SC-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.4.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(a)"
-                          }
-                        ],
-                        "prose": "implements a managed interface for each external telecommunication service;",
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.a",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-7.4.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(b)"
-                          }
-                        ],
-                        "prose": "establishes a traffic flow policy for each managed interface;",
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.b",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-7.4.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(c)"
-                          }
-                        ],
-                        "prose": "protects the confidentiality and integrity of the information being transmitted\n                     across each interface;",
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.c",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-7.4.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(d)"
-                          }
-                        ],
-                        "prose": "documents each exception to the traffic flow policy with:",
-                        "parts": [
-                          {
-                            "id": "sc-7.4.d_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(d)[1]"
-                              }
-                            ],
-                            "prose": "a supporting mission/business need;"
-                          },
-                          {
-                            "id": "sc-7.4.d_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(d)[2]"
-                              }
-                            ],
-                            "prose": "duration of that need;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.d",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(d)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-7.4.e_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(e)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-7.4.e_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(e)[1]"
-                              }
-                            ],
-                            "prose": "defines a frequency to review exceptions to traffic flow policy;"
-                          },
-                          {
-                            "id": "sc-7.4.e_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(e)[2]"
-                              }
-                            ],
-                            "prose": "reviews exceptions to the traffic flow policy with the organization-defined\n                        frequency; and"
-                          },
-                          {
-                            "id": "sc-7.4.e_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(e)[3]"
-                              }
-                            ],
-                            "prose": "removes traffic flow policy exceptions that are no longer supported by an\n                        explicit mission/business need"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.e",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(e)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\ntraffic flow policy\\n\\ninformation flow control policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system security architecture\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of traffic flow policy exceptions\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for documenting and reviewing exceptions to the\n                     traffic flow policy\\n\\norganizational processes for removing exceptions to the traffic flow policy\\n\\nautomated mechanisms implementing boundary protection capability\\n\\nmanaged interfaces implementing traffic flow policy"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.5",
-                "class": "SP800-53-enhancement",
-                "title": "Deny by Default / Allow by Exception",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.5_smt",
-                    "name": "statement",
-                    "prose": "The information system at managed interfaces denies network communications traffic\n                  by default and allows network communications traffic by exception (i.e., deny all,\n                  permit by exception)."
-                  },
-                  {
-                    "id": "sc-7.5_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to both inbound and outbound network\n                  communications traffic. A deny-all, permit-by-exception network communications\n                  traffic policy ensures that only those connections which are essential and\n                  approved are allowed."
-                  },
-                  {
-                    "id": "sc-7.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system, at managed interfaces:",
-                    "parts": [
-                      {
-                        "id": "sc-7.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(5)[1]"
-                          }
-                        ],
-                        "prose": "denies network traffic by default; and"
-                      },
-                      {
-                        "id": "sc-7.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(5)[2]"
-                          }
-                        ],
-                        "prose": "allows network traffic by exception."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing traffic management at managed interfaces"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.7",
-                "class": "SP800-53-enhancement",
-                "title": "Prevent Split Tunneling for Remote Devices",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.7_smt",
-                    "name": "statement",
-                    "prose": "The information system, in conjunction with a remote device, prevents the device\n                  from simultaneously establishing non-remote connections with the system and\n                  communicating via some other connection to resources in external networks."
-                  },
-                  {
-                    "id": "sc-7.7_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement is implemented within remote devices (e.g., notebook\n                  computers) through configuration settings to disable split tunneling in those\n                  devices, and by preventing those configuration settings from being readily\n                  configurable by users. This control enhancement is implemented within the\n                  information system by the detection of split tunneling (or of configuration\n                  settings that allow split tunneling) in the remote device, and by prohibiting the\n                  connection if the remote device is using split tunneling. Split tunneling might be\n                  desirable by remote users to communicate with local information system resources\n                  such as printers/file servers. However, split tunneling would in effect allow\n                  unauthorized external connections, making the system more vulnerable to attack and\n                  to exfiltration of organizational information. The use of VPNs for remote\n                  connections, when adequately provisioned with appropriate security controls, may\n                  provide the organization with sufficient assurance that it can effectively treat\n                  such connections as non-remote connections from the confidentiality and integrity\n                  perspective. VPNs thus provide a means for allowing non-remote communications\n                  paths from remote devices. The use of an adequately provisioned VPN does not\n                  eliminate the need for preventing split tunneling."
-                  },
-                  {
-                    "id": "sc-7.7_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system, in conjunction with a remote device, prevents\n                  the device from simultaneously establishing non-remote connections with the system\n                  and communicating via some other connection to resources in external networks."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing boundary protection capability\\n\\nautomated mechanisms supporting/restricting non-remote connections"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.8",
-                "class": "SP800-53-enhancement",
-                "title": "Route Traffic to Authenticated Proxy Servers",
-                "parameters": [
-                  {
-                    "id": "sc-7.8_prm_1",
-                    "label": "organization-defined internal communications traffic"
-                  },
-                  {
-                    "id": "sc-7.8_prm_2",
-                    "label": "organization-defined external networks"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.8_smt",
-                    "name": "statement",
-                    "prose": "The information system routes {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed\n                  interfaces."
-                  },
-                  {
-                    "id": "sc-7.8_gdn",
-                    "name": "guidance",
-                    "prose": "External networks are networks outside of organizational control. A proxy server\n                  is a server (i.e., information system or application) that acts as an intermediary\n                  for clients requesting information system resources (e.g., files, connections, web\n                  pages, or services) from other organizational servers. Client requests established\n                  through an initial connection to the proxy server are evaluated to manage\n                  complexity and to provide additional protection by limiting direct connectivity.\n                  Web content filtering devices are one of the most common proxy servers providing\n                  access to the Internet. Proxy servers support logging individual Transmission\n                  Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators\n                  (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be\n                  configured with organization-defined lists of authorized and unauthorized\n                  websites.",
-                    "links": [
-                      {
-                        "href": "#ac-3",
-                        "rel": "related",
-                        "text": "AC-3"
-                      },
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.8_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "sc-7.8_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(8)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines internal communications traffic to be routed to\n                     external networks;"
-                      },
-                      {
-                        "id": "sc-7.8_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(8)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines external networks to which organization-defined\n                     internal communications traffic is to be routed; and"
-                      },
-                      {
-                        "id": "sc-7.8_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(8)[3]"
-                          }
-                        ],
-                        "prose": "the information system routes organization-defined internal communications\n                     traffic to organization-defined external networks through authenticated proxy\n                     servers at managed interfaces."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing traffic management through authenticated\n                     proxy servers at managed interfaces"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.10",
-                "class": "SP800-53-enhancement",
-                "title": "Prevent Unauthorized Exfiltration",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.10_smt",
-                    "name": "statement",
-                    "prose": "The organization prevents the unauthorized exfiltration of information across\n                  managed interfaces."
-                  },
-                  {
-                    "id": "sc-7.10_gdn",
-                    "name": "guidance",
-                    "prose": "Safeguards implemented by organizations to prevent unauthorized exfiltration of\n                  information from information systems include, for example: (i) strict adherence to\n                  protocol formats; (ii) monitoring for beaconing from information systems; (iii)\n                  monitoring for steganography; (iv) disconnecting external network interfaces\n                  except when explicitly needed; (v) disassembling and reassembling packet headers;\n                  and (vi) employing traffic profile analysis to detect deviations from the\n                  volume/types of traffic expected within organizations or call backs to command and\n                  control centers. Devices enforcing strict adherence to protocol formats include,\n                  for example, deep packet inspection firewalls and XML gateways. These devices\n                  verify adherence to protocol formats and specification at the application layer\n                  and serve to identify vulnerabilities that cannot be detected by devices operating\n                  at the network or transport layers. This control enhancement is closely associated\n                  with cross-domain solutions and system guards enforcing information flow\n                  requirements.",
-                    "links": [
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization prevents the unauthorized exfiltration of\n                  information across managed interfaces."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing boundary protection capability\\n\\npreventing unauthorized exfiltration of information across managed\n                     interfaces"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.12",
-                "class": "SP800-53-enhancement",
-                "title": "Host-based Protection",
-                "parameters": [
-                  {
-                    "id": "sc-7.12_prm_1",
-                    "label": "organization-defined host-based boundary protection mechanisms",
-                    "constraints": [
-                      {
-                        "detail": "Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.12_prm_2",
-                    "label": "organization-defined information system components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(12)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.12"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.12_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ sc-7.12_prm_1 }} at {{ sc-7.12_prm_2 }}."
-                  },
-                  {
-                    "id": "sc-7.12_gdn",
-                    "name": "guidance",
-                    "prose": "Host-based boundary protection mechanisms include, for example, host-based\n                  firewalls. Information system components employing host-based boundary protection\n                  mechanisms include, for example, servers, workstations, and mobile devices."
-                  },
-                  {
-                    "id": "sc-7.12_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.12_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(12)[1]"
-                          }
-                        ],
-                        "prose": "defines host-based boundary protection mechanisms;"
-                      },
-                      {
-                        "id": "sc-7.12_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(12)[2]"
-                          }
-                        ],
-                        "prose": "defines information system components where organization-defined host-based\n                     boundary protection mechanisms are to be implemented; and"
-                      },
-                      {
-                        "id": "sc-7.12_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(12)[3]"
-                          }
-                        ],
-                        "prose": "implements organization-defined host-based boundary protection mechanisms at\n                     organization-defined information system components."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities\\n\\ninformation system users"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing host-based boundary protection\n                     capabilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.13",
-                "class": "SP800-53-enhancement",
-                "title": "Isolation of Security Tools / Mechanisms / Support Components",
-                "parameters": [
-                  {
-                    "id": "sc-7.13_prm_1",
-                    "label": "organization-defined information security tools, mechanisms, and support\n                  components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(13)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.13"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.13_smt",
-                    "name": "statement",
-                    "prose": "The organization isolates {{ sc-7.13_prm_1 }} from other internal\n                  information system components by implementing physically separate subnetworks with\n                  managed interfaces to other components of the system.",
-                    "parts": [
-                      {
-                        "id": "sc-7.13_fr",
-                        "name": "item",
-                        "title": "SC-7 (13) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "sc-7.13_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets."
-                          },
-                          {
-                            "id": "sc-7.13_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.13_gdn",
-                    "name": "guidance",
-                    "prose": "Physically separate subnetworks with managed interfaces are useful, for example,\n                  in isolating computer network defenses from critical operational processing\n                  networks to prevent adversaries from discovering the analysis and forensics\n                  techniques of organizations.",
-                    "links": [
-                      {
-                        "href": "#sa-8",
-                        "rel": "related",
-                        "text": "SA-8"
-                      },
-                      {
-                        "href": "#sc-2",
-                        "rel": "related",
-                        "text": "SC-2"
-                      },
-                      {
-                        "href": "#sc-3",
-                        "rel": "related",
-                        "text": "SC-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.13_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.13_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(13)[1]"
-                          }
-                        ],
-                        "prose": "defines information security tools, mechanisms, and support components to be\n                     isolated from other internal information system components; and"
-                      },
-                      {
-                        "id": "sc-7.13_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(13)[2]"
-                          }
-                        ],
-                        "prose": "isolates organization-defined information security tools, mechanisms, and\n                     support components from other internal information system components by\n                     implementing physically separate subnetworks with managed interfaces to other\n                     components of the system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security tools and support components to be isolated from other\n                     internal information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing isolation of information\n                     security tools, mechanisms, and support components"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.18",
-                "class": "SP800-53-enhancement",
-                "title": "Fail Secure",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(18)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.18"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.18_smt",
-                    "name": "statement",
-                    "prose": "The information system fails securely in the event of an operational failure of a\n                  boundary protection device."
-                  },
-                  {
-                    "id": "sc-7.18_gdn",
-                    "name": "guidance",
-                    "prose": "Fail secure is a condition achieved by employing information system mechanisms to\n                  ensure that in the event of operational failures of boundary protection devices at\n                  managed interfaces (e.g., routers, firewalls, guards, and application gateways\n                  residing on protected subnetworks commonly referred to as demilitarized zones),\n                  information systems do not enter into unsecure states where intended security\n                  properties no longer hold. Failures of boundary protection devices cannot lead to,\n                  or cause information external to the devices to enter the devices, nor can\n                  failures permit unauthorized information releases.",
-                    "links": [
-                      {
-                        "href": "#cp-2",
-                        "rel": "related",
-                        "text": "CP-2"
-                      },
-                      {
-                        "href": "#sc-24",
-                        "rel": "related",
-                        "text": "SC-24"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.18_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system fails securely in the event of an operational\n                  failure of a boundary protection device."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing secure failure"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.20",
-                "class": "SP800-53-enhancement",
-                "title": "Dynamic Isolation / Segregation",
-                "parameters": [
-                  {
-                    "id": "sc-7.20_prm_1",
-                    "label": "organization-defined information system components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(20)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.20"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.20_smt",
-                    "name": "statement",
-                    "prose": "The information system provides the capability to dynamically isolate/segregate\n                     {{ sc-7.20_prm_1 }} from other components of the system."
-                  },
-                  {
-                    "id": "sc-7.20_gdn",
-                    "name": "guidance",
-                    "prose": "The capability to dynamically isolate or segregate certain internal components of\n                  organizational information systems is useful when it is necessary to partition or\n                  separate certain components of dubious origin from those components possessing\n                  greater trustworthiness. Component isolation reduces the attack surface of\n                  organizational information systems. Isolation of selected information system\n                  components is also a means of limiting the damage from successful cyber attacks\n                  when those attacks occur."
-                  },
-                  {
-                    "id": "sc-7.20_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "sc-7.20_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(20)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines information system components to be dynamically\n                     isolated/segregated from other components of the system; and"
-                      },
-                      {
-                        "id": "sc-7.20_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(20)[2]"
-                          }
-                        ],
-                        "prose": "the information system provides the capability to dynamically isolate/segregate\n                     organization-defined information system components from other components of the\n                     system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components to be dynamically isolated/segregated\n                     from other components of the system\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing the capability to\n                     dynamically isolate/segregate information system components"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.21",
-                "class": "SP800-53-enhancement",
-                "title": "Isolation of Information System Components",
-                "parameters": [
-                  {
-                    "id": "sc-7.21_prm_1",
-                    "label": "organization-defined information system components"
-                  },
-                  {
-                    "id": "sc-7.21_prm_2",
-                    "label": "organization-defined missions and/or business functions"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(21)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.21"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.21_smt",
-                    "name": "statement",
-                    "prose": "The organization employs boundary protection mechanisms to separate {{ sc-7.21_prm_1 }} supporting {{ sc-7.21_prm_2 }}."
-                  },
-                  {
-                    "id": "sc-7.21_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can isolate information system components performing different\n                  missions and/or business functions. Such isolation limits unauthorized information\n                  flows among system components and also provides the opportunity to deploy greater\n                  levels of protection for selected components. Separating system components with\n                  boundary protection mechanisms provides the capability for increased protection of\n                  individual components and to more effectively control information flows between\n                  those components. This type of enhanced protection limits the potential harm from\n                  cyber attacks and errors. The degree of separation provided varies depending upon\n                  the mechanisms chosen. Boundary protection mechanisms include, for example,\n                  routers, gateways, and firewalls separating system components into physically\n                  separate networks or subnetworks, cross-domain devices separating subnetworks,\n                  virtualization techniques, and encrypting information flows among system\n                  components using distinct encryption keys.",
-                    "links": [
-                      {
-                        "href": "#ca-9",
-                        "rel": "related",
-                        "text": "CA-9"
-                      },
-                      {
-                        "href": "#sc-3",
-                        "rel": "related",
-                        "text": "SC-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.21_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.21_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(21)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components to be separated by boundary protection\n                     mechanisms;"
-                      },
-                      {
-                        "id": "sc-7.21_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(21)[2]"
-                          }
-                        ],
-                        "prose": "defines missions and/or business functions to be supported by\n                     organization-defined information system components separated by boundary\n                     protection mechanisms; and"
-                      },
-                      {
-                        "id": "sc-7.21_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(21)[3]"
-                          }
-                        ],
-                        "prose": "employs boundary protection mechanisms to separate organization-defined\n                     information system components supporting organization-defined missions and/or\n                     business functions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\nenterprise architecture documentation\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing the capability to separate\n                     information system components supporting organizational missions and/or\n                     business functions"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-8",
-            "class": "SP800-53",
-            "title": "Transmission Confidentiality and Integrity",
-            "parameters": [
-              {
-                "id": "sc-8_prm_1",
-                "constraints": [
-                  {
-                    "detail": "confidentiality AND integrity"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-                "rel": "reference",
-                "text": "FIPS Publication 197"
-              },
-              {
-                "href": "#90c5bc98-f9c4-44c9-98b7-787422f0999c",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-52"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              },
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              },
-              {
-                "href": "#349fe082-502d-464a-aa0c-1443c6a5cf40",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-113"
-              },
-              {
-                "href": "#a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-                "rel": "reference",
-                "text": "CNSS Policy 15"
-              },
-              {
-                "href": "#06dff0ea-3848-4945-8d91-e955ee69f05d",
-                "rel": "reference",
-                "text": "NSTISSI No. 7003"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-8_smt",
-                "name": "statement",
-                "prose": "The information system protects the {{ sc-8_prm_1 }} of transmitted\n               information."
-              },
-              {
-                "id": "sc-8_gdn",
-                "name": "guidance",
-                "prose": "This control applies to both internal and external networks and all types of\n               information system components from which information can be transmitted (e.g.,\n               servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile\n               machines). Communication paths outside the physical protection of a controlled\n               boundary are exposed to the possibility of interception and modification. Protecting\n               the confidentiality and/or integrity of organizational information can be\n               accomplished by physical means (e.g., by employing protected distribution systems) or\n               by logical means (e.g., employing encryption techniques). Organizations relying on\n               commercial providers offering transmission services as commodity services rather than\n               as fully dedicated services (i.e., services which can be highly specialized to\n               individual customer needs), may find it difficult to obtain the necessary assurances\n               regarding the implementation of needed security controls for transmission\n               confidentiality/integrity. In such situations, organizations determine what types of\n               confidentiality/integrity services are available in standard, commercial\n               telecommunication service packages. If it is infeasible or impractical to obtain the\n               necessary security controls and assurances of control effectiveness through\n               appropriate contracting vehicles, organizations implement appropriate compensating\n               security controls or explicitly accept the additional risk.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  }
-                ]
-              },
-              {
-                "id": "sc-8_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system protects one or more of the following:",
-                "parts": [
-                  {
-                    "id": "sc-8_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-8[1]"
-                      }
-                    ],
-                    "prose": "confidentiality of transmitted information; and/or"
-                  },
-                  {
-                    "id": "sc-8_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-8[2]"
-                      }
-                    ],
-                    "prose": "integrity of transmitted information."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing transmission confidentiality and integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing transmission confidentiality\n                  and/or integrity"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptographic or Alternate Physical Protection",
-                "parameters": [
-                  {
-                    "id": "sc-8.1_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "prevent unauthorized disclosure of information AND detect changes to information"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-8.1_prm_2",
-                    "label": "organization-defined alternative physical safeguards",
-                    "constraints": [
-                      {
-                        "detail": "a hardened or alarmed carrier Protective Distribution System (PDS)"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-8.1_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission unless otherwise protected by\n                     {{ sc-8.1_prm_2 }}."
-                  },
-                  {
-                    "id": "sc-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "Encrypting information for transmission protects information from unauthorized\n                  disclosure and modification. Cryptographic mechanisms implemented to protect\n                  information integrity include, for example, cryptographic hash functions which\n                  have common application in digital signatures, checksums, and message\n                  authentication codes. Alternative physical security safeguards include, for\n                  example, protected distribution systems.",
-                    "links": [
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "sc-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-8(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines physical safeguards to be implemented to protect\n                     information during transmission when cryptographic mechanisms are not\n                     implemented; and"
-                      },
-                      {
-                        "id": "sc-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-8(1)[2]"
-                          }
-                        ],
-                        "prose": "the information system implements cryptographic mechanisms to do one or more of\n                     the following during transmission unless otherwise protected by\n                     organization-defined alternative physical safeguards:",
-                        "parts": [
-                          {
-                            "id": "sc-8.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-8(1)[2][a]"
-                              }
-                            ],
-                            "prose": "prevent unauthorized disclosure of information; and/or"
-                          },
-                          {
-                            "id": "sc-8.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-8(1)[2][b]"
-                              }
-                            ],
-                            "prose": "detect changes to information."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing transmission confidentiality and integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms supporting and/or implementing transmission\n                     confidentiality and/or integrity\\n\\nautomated mechanisms supporting and/or implementing alternative physical\n                     safeguards\\n\\norganizational processes for defining and implementing alternative physical\n                     safeguards"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-10",
-            "class": "SP800-53",
-            "title": "Network Disconnect",
-            "parameters": [
-              {
-                "id": "sc-10_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-10_smt",
-                "name": "statement",
-                "prose": "The information system terminates the network connection associated with a\n               communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity."
-              },
-              {
-                "id": "sc-10_gdn",
-                "name": "guidance",
-                "prose": "This control applies to both internal and external networks. Terminating network\n               connections associated with communications sessions include, for example,\n               de-allocating associated TCP/IP address/port pairs at the operating system level, or\n               de-allocating networking assignments at the application level if multiple application\n               sessions are using a single, operating system-level network connection. Time periods\n               of inactivity may be established by organizations and include, for example, time\n               periods by type of network access or for specific network accesses."
-              },
-              {
-                "id": "sc-10_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-10[1]"
-                      }
-                    ],
-                    "prose": "the organization defines a time period of inactivity after which the information\n                  system terminates a network connection associated with a communications session;\n                  and"
-                  },
-                  {
-                    "id": "sc-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-10[2]"
-                      }
-                    ],
-                    "prose": "the information system terminates the network connection associated with a\n                  communication session at the end of the session or after the organization-defined\n                  time period of inactivity."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing network disconnect\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing network disconnect\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-12",
-            "class": "SP800-53",
-            "title": "Cryptographic Key Establishment and Management",
-            "parameters": [
-              {
-                "id": "sc-12_prm_1",
-                "label": "organization-defined requirements for key generation, distribution, storage,\n               access, and destruction"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-12"
-              }
-            ],
-            "links": [
-              {
-                "href": "#81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-56"
-              },
-              {
-                "href": "#a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-57"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-12_smt",
-                "name": "statement",
-                "prose": "The organization establishes and manages cryptographic keys for required cryptography\n               employed within the information system in accordance with {{ sc-12_prm_1 }}.",
-                "parts": [
-                  {
-                    "id": "sc-12_fr",
-                    "name": "item",
-                    "title": "SC-12 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sc-12_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Federally approved and validated cryptography."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-12_gdn",
-                "name": "guidance",
-                "prose": "Cryptographic key management and establishment can be performed using manual\n               procedures or automated mechanisms with supporting manual procedures. Organizations\n               define key management requirements in accordance with applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, and guidance,\n               specifying appropriate options, levels, and parameters. Organizations manage trust\n               stores to ensure that only approved trust anchors are in such trust stores. This\n               includes certificates with visibility external to organizational information systems\n               and certificates related to the internal operations of systems.",
-                "links": [
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  }
-                ]
-              },
-              {
-                "id": "sc-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-12[1]"
-                      }
-                    ],
-                    "prose": "defines requirements for cryptographic key:",
-                    "parts": [
-                      {
-                        "id": "sc-12_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][a]"
-                          }
-                        ],
-                        "prose": "generation;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][b]"
-                          }
-                        ],
-                        "prose": "distribution;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][c]"
-                          }
-                        ],
-                        "prose": "storage;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.d",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][d]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.e",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][e]"
-                          }
-                        ],
-                        "prose": "destruction; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-12[2]"
-                      }
-                    ],
-                    "prose": "establishes and manages cryptographic keys for required cryptography employed\n                  within the information system in accordance with organization-defined requirements\n                  for key generation, distribution, storage, access, and destruction."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ncryptographic mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key establishment\n                  and/or management"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic key\n                  establishment and management"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-12.1",
-                "class": "SP800-53-enhancement",
-                "title": "Availability",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-12(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-12.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-12.1_smt",
-                    "name": "statement",
-                    "prose": "The organization maintains availability of information in the event of the loss of\n                  cryptographic keys by users."
-                  },
-                  {
-                    "id": "sc-12.1_gdn",
-                    "name": "guidance",
-                    "prose": "Escrowing of encryption keys is a common practice for ensuring availability in the\n                  event of loss of keys (e.g., due to forgotten passphrase)."
-                  },
-                  {
-                    "id": "sc-12.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization maintains availability of information in the event\n                  of the loss of cryptographic keys by users."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment, management, and\n                     recovery\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing cryptographic key\n                     establishment and management"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-12.2",
-                "class": "SP800-53-enhancement",
-                "title": "Symmetric Keys",
-                "parameters": [
-                  {
-                    "id": "sc-12.2_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "NIST FIPS-compliant"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-12(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-12.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-12.2_smt",
-                    "name": "statement",
-                    "prose": "The organization produces, controls, and distributes symmetric cryptographic keys\n                  using {{ sc-12.2_prm_1 }} key management technology and\n                  processes."
-                  },
-                  {
-                    "id": "sc-12.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization produces, controls, and distributes symmetric\n                  cryptographic keys using one of the following: ",
-                    "parts": [
-                      {
-                        "id": "sc-12.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(2)[1]"
-                          }
-                        ],
-                        "prose": "NIST FIPS-compliant key management technology and processes; or"
-                      },
-                      {
-                        "id": "sc-12.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(2)[2]"
-                          }
-                        ],
-                        "prose": "NSA-approved key management technology and processes."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FIPS validated cryptographic products\\n\\nlist of NSA-approved cryptographic products\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing symmetric cryptographic key\n                     establishment and management"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-12.3",
-                "class": "SP800-53-enhancement",
-                "title": "Asymmetric Keys",
-                "parameters": [
-                  {
-                    "id": "sc-12.3_prm_1"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-12(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-12.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-12.3_smt",
-                    "name": "statement",
-                    "prose": "The organization produces, controls, and distributes asymmetric cryptographic keys\n                  using {{ sc-12.3_prm_1 }}."
-                  },
-                  {
-                    "id": "sc-12.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization produces, controls, and distributes asymmetric\n                  cryptographic keys using one of the following: ",
-                    "parts": [
-                      {
-                        "id": "sc-12.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(3)[1]"
-                          }
-                        ],
-                        "prose": "NSA-approved key management technology and processes;"
-                      },
-                      {
-                        "id": "sc-12.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(3)[2]"
-                          }
-                        ],
-                        "prose": "approved PKI Class 3 certificates or prepositioned keying material; or"
-                      },
-                      {
-                        "id": "sc-12.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(3)[3]"
-                          }
-                        ],
-                        "prose": "approved PKI Class 3 or Class 4 certificates and hardware security tokens that\n                     protect the user’s private key."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of NSA-approved cryptographic products\\n\\nlist of approved PKI Class 3 and Class 4 certificates\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management\\n\\norganizational personnel with responsibilities for PKI certificates"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing asymmetric cryptographic\n                     key establishment and management"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-13",
-            "class": "SP800-53",
-            "title": "Cryptographic Protection",
-            "parameters": [
-              {
-                "id": "sc-13_prm_1",
-                "label": "organization-defined cryptographic uses and type of cryptography required for\n               each use",
-                "constraints": [
-                  {
-                    "detail": "FIPS-validated or NSA-approved cryptography"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SC-13"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-13"
-              }
-            ],
-            "links": [
-              {
-                "href": "#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-                "rel": "reference",
-                "text": "FIPS Publication 140"
-              },
-              {
-                "href": "#6a1041fc-054e-4230-946b-2e6f4f3731bb",
-                "rel": "reference",
-                "text": "http://csrc.nist.gov/cryptval"
-              },
-              {
-                "href": "#9b97ed27-3dd6-4f9a-ade5-1b43e9669794",
-                "rel": "reference",
-                "text": "http://www.cnss.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-13_smt",
-                "name": "statement",
-                "prose": "The information system implements {{ sc-13_prm_1 }} in accordance with\n               applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards."
-              },
-              {
-                "id": "sc-13_gdn",
-                "name": "guidance",
-                "prose": "Cryptography can be employed to support a variety of security solutions including,\n               for example, the protection of classified and Controlled Unclassified Information,\n               the provision of digital signatures, and the enforcement of information separation\n               when authorized individuals have the necessary clearances for such information but\n               lack the necessary formal access approvals. Cryptography can also be used to support\n               random number generation and hash generation. Generally applicable cryptographic\n               standards include FIPS-validated cryptography and NSA-approved cryptography. This\n               control does not impose any requirements on organizations to use cryptography.\n               However, if cryptography is required based on the selection of other security\n               controls, organizations define each type of cryptographic use and the type of\n               cryptography required (e.g., protection of classified information: NSA-approved\n               cryptography; provision of digital signatures: FIPS-validated cryptography).",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#au-10",
-                    "rel": "related",
-                    "text": "AU-10"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-7",
-                    "rel": "related",
-                    "text": "IA-7"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-13_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-13_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[1]"
-                      }
-                    ],
-                    "prose": "the organization defines cryptographic uses; and"
-                  },
-                  {
-                    "id": "sc-13_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[2]"
-                      }
-                    ],
-                    "prose": "the organization defines the type of cryptography required for each use; and"
-                  },
-                  {
-                    "id": "sc-13_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[3]"
-                      }
-                    ],
-                    "prose": "the information system implements the organization-defined cryptographic uses and\n                  type of cryptography required for each use in accordance with applicable federal\n                  laws, Executive Orders, directives, policies, regulations, and standards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic module validation certificates\\n\\nlist of FIPS validated cryptographic modules\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic protection"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic protection"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-15",
-            "class": "SP800-53",
-            "title": "Collaborative Computing Devices",
-            "parameters": [
-              {
-                "id": "sc-15_prm_1",
-                "label": "organization-defined exceptions where remote activation is to be allowed",
-                "constraints": [
-                  {
-                    "detail": "no exceptions"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-15_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-15_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Prohibits remote activation of collaborative computing devices with the following\n                  exceptions: {{ sc-15_prm_1 }}; and"
-                  },
-                  {
-                    "id": "sc-15_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Provides an explicit indication of use to users physically present at the\n                  devices."
-                  },
-                  {
-                    "id": "sc-15_fr",
-                    "name": "item",
-                    "title": "SC-15 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sc-15_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-15_gdn",
-                "name": "guidance",
-                "prose": "Collaborative computing devices include, for example, networked white boards,\n               cameras, and microphones. Explicit indication of use includes, for example, signals\n               to users when collaborative computing devices are activated.",
-                "links": [
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  }
-                ]
-              },
-              {
-                "id": "sc-15_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-15.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-15(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-15.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-15(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines exceptions where remote activation of collaborative\n                     computing devices is to be allowed;"
-                      },
-                      {
-                        "id": "sc-15.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-15(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system prohibits remote activation of collaborative computing\n                     devices, except for organization-defined exceptions where remote activation is\n                     to be allowed; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-15.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-15(b)"
-                      }
-                    ],
-                    "prose": "the information system provides an explicit indication of use to users physically\n                  present at the devices."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing collaborative computing\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for managing collaborative\n                  computing devices"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing management of remote\n                  activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing\n                  devices"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-17",
-            "class": "SP800-53",
-            "title": "Public Key Infrastructure Certificates",
-            "parameters": [
-              {
-                "id": "sc-17_prm_1",
-                "label": "organization-defined certificate policy"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-17"
-              }
-            ],
-            "links": [
-              {
-                "href": "#58ad6f27-af99-429f-86a8-8bb767b014b9",
-                "rel": "reference",
-                "text": "OMB Memorandum 05-24"
-              },
-              {
-                "href": "#8f174e91-844e-4cf1-a72a-45c119a3a8dd",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-32"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-17_smt",
-                "name": "statement",
-                "prose": "The organization issues public key certificates under an {{ sc-17_prm_1 }} or obtains public key certificates from an approved\n               service provider."
-              },
-              {
-                "id": "sc-17_gdn",
-                "name": "guidance",
-                "prose": "For all certificates, organizations manage information system trust stores to ensure\n               only approved trust anchors are in the trust stores. This control addresses both\n               certificates with visibility external to organizational information systems and\n               certificates related to the internal operations of systems, for example,\n               application-specific time services.",
-                "links": [
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  }
-                ]
-              },
-              {
-                "id": "sc-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-17_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-17[1]"
-                      }
-                    ],
-                    "prose": "defines a certificate policy for issuing public key certificates;"
-                  },
-                  {
-                    "id": "sc-17_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-17[2]"
-                      }
-                    ],
-                    "prose": "issues public key certificates:",
-                    "parts": [
-                      {
-                        "id": "sc-17_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-17[2][a]"
-                          }
-                        ],
-                        "prose": "under an organization-defined certificate policy: or"
-                      },
-                      {
-                        "id": "sc-17_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-17[2][b]"
-                          }
-                        ],
-                        "prose": "obtains public key certificates from an approved service provider."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing public key infrastructure certificates\\n\\npublic key certificate policy or policies\\n\\npublic key issuing process\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for issuing public key\n                  certificates\\n\\nservice providers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing the management of public key\n                  infrastructure certificates"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-18",
-            "class": "SP800-53",
-            "title": "Mobile Code",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-18"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-18"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-28"
-              },
-              {
-                "href": "#e6522953-6714-435d-a0d3-140df554c186",
-                "rel": "reference",
-                "text": "DoD Instruction 8552.01"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-18_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sc-18_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Defines acceptable and unacceptable mobile code and mobile code technologies;"
-                  },
-                  {
-                    "id": "sc-18_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions and implementation guidance for acceptable mobile\n                  code and mobile code technologies; and"
-                  },
-                  {
-                    "id": "sc-18_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Authorizes, monitors, and controls the use of mobile code within the information\n                  system."
-                  }
-                ]
-              },
-              {
-                "id": "sc-18_gdn",
-                "name": "guidance",
-                "prose": "Decisions regarding the employment of mobile code within organizational information\n               systems are based on the potential for the code to cause damage to the systems if\n               used maliciously. Mobile code technologies include, for example, Java, JavaScript,\n               ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage\n               restrictions and implementation guidance apply to both the selection and use of\n               mobile code installed on servers and mobile code downloaded and executed on\n               individual workstations and devices (e.g., smart phones). Mobile code policy and\n               procedures address preventing the development, acquisition, or introduction of\n               unacceptable mobile code within organizational information systems.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  }
-                ]
-              },
-              {
-                "id": "sc-18_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-18.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-18(a)"
-                      }
-                    ],
-                    "prose": "defines acceptable and unacceptable mobile code and mobile code technologies;"
-                  },
-                  {
-                    "id": "sc-18.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-18(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-18.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(b)[1]"
-                          }
-                        ],
-                        "prose": "establishes usage restrictions for acceptable mobile code and mobile code\n                     technologies;"
-                      },
-                      {
-                        "id": "sc-18.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(b)[2]"
-                          }
-                        ],
-                        "prose": "establishes implementation guidance for acceptable mobile code and mobile code\n                     technologies;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-18.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-18(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-18.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(c)[1]"
-                          }
-                        ],
-                        "prose": "authorizes the use of mobile code within the information system;"
-                      },
-                      {
-                        "id": "sc-18.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(c)[2]"
-                          }
-                        ],
-                        "prose": "monitors the use of mobile code within the information system; and"
-                      },
-                      {
-                        "id": "sc-18.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(c)[3]"
-                          }
-                        ],
-                        "prose": "controls the use of mobile code within the information system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing mobile code\\n\\nmobile code usage restrictions, mobile code implementation policy and\n                  procedures\\n\\nlist of acceptable mobile code and mobile code technologies\\n\\nlist of unacceptable mobile code and mobile technologies\\n\\nauthorization records\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing mobile code"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for controlling, authorizing, monitoring, and restricting\n                  mobile code\\n\\nautomated mechanisms supporting and/or implementing the management of mobile\n                  code\\n\\nautomated mechanisms supporting and/or implementing the monitoring of mobile\n                  code"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-19",
-            "class": "SP800-53",
-            "title": "Voice Over Internet Protocol",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-19"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-19"
-              }
-            ],
-            "links": [
-              {
-                "href": "#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-58"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-19_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sc-19_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions and implementation guidance for Voice over Internet\n                  Protocol (VoIP) technologies based on the potential to cause damage to the\n                  information system if used maliciously; and"
-                  },
-                  {
-                    "id": "sc-19_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes, monitors, and controls the use of VoIP within the information\n                  system."
-                  }
-                ]
-              },
-              {
-                "id": "sc-19_gdn",
-                "name": "guidance",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-15",
-                    "rel": "related",
-                    "text": "SC-15"
-                  }
-                ]
-              },
-              {
-                "id": "sc-19_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-19.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-19(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-19.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes usage restrictions for Voice over Internet Protocol (VoIP)\n                     technologies based on the potential to cause damage to the information system\n                     if used maliciously;"
-                      },
-                      {
-                        "id": "sc-19.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes implementation guidance for Voice over Internet Protocol (VoIP)\n                     technologies based on the potential to cause damage to the information system\n                     if used maliciously;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-19.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-19(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-19.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(b)[1]"
-                          }
-                        ],
-                        "prose": "authorizes the use of VoIP within the information system;"
-                      },
-                      {
-                        "id": "sc-19.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(b)[2]"
-                          }
-                        ],
-                        "prose": "monitors the use of VoIP within the information system; and"
-                      },
-                      {
-                        "id": "sc-19.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(b)[3]"
-                          }
-                        ],
-                        "prose": "controls the use of VoIP within the information system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing VoIP\\n\\nVoIP usage restrictions\\n\\nVoIP implementation guidance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing VoIP"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for authorizing, monitoring, and controlling VoIP\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling VoIP"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-20",
-            "class": "SP800-53",
-            "title": "Secure Name / Address Resolution Service (authoritative Source)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-20"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-20"
-              }
-            ],
-            "links": [
-              {
-                "href": "#28115a56-da6b-4d44-b1df-51dd7f048a3e",
-                "rel": "reference",
-                "text": "OMB Memorandum 08-23"
-              },
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-20_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-20_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides additional data origin authentication and integrity verification\n                  artifacts along with the authoritative name resolution data the system returns in\n                  response to external name/address resolution queries; and"
-                  },
-                  {
-                    "id": "sc-20_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Provides the means to indicate the security status of child zones and (if the\n                  child supports secure resolution services) to enable verification of a chain of\n                  trust among parent and child domains, when operating as part of a distributed,\n                  hierarchical namespace."
-                  }
-                ]
-              },
-              {
-                "id": "sc-20_gdn",
-                "name": "guidance",
-                "prose": "This control enables external clients including, for example, remote Internet\n               clients, to obtain origin authentication and integrity verification assurances for\n               the host/service name to network address resolution information obtained through the\n               service. Information systems that provide name and address resolution services\n               include, for example, domain name system (DNS) servers. Additional artifacts include,\n               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS\n               resource records are examples of authoritative data. The means to indicate the\n               security status of child zones includes, for example, the use of delegation signer\n               resource records in the DNS. The DNS security controls reflect (and are referenced\n               from) OMB Memorandum 08-23. Information systems that use technologies other than the\n               DNS to map between host/service names and network addresses provide other means to\n               assure the authenticity and integrity of response data.",
-                "links": [
-                  {
-                    "href": "#au-10",
-                    "rel": "related",
-                    "text": "AU-10"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-21",
-                    "rel": "related",
-                    "text": "SC-21"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-20_obj",
-                "name": "objective",
-                "prose": "Determine if the information system:",
-                "parts": [
-                  {
-                    "id": "sc-20.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-20(a)"
-                      }
-                    ],
-                    "prose": "provides additional data origin and integrity verification artifacts along with\n                  the authoritative name resolution data the system returns in response to external\n                  name/address resolution queries;"
-                  },
-                  {
-                    "id": "sc-20.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-20(b)"
-                      }
-                    ],
-                    "prose": "provides the means to, when operating as part of a distributed, hierarchical\n                  namespace:",
-                    "parts": [
-                      {
-                        "id": "sc-20.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-20(b)[1]"
-                          }
-                        ],
-                        "prose": "indicate the security status of child zones; and"
-                      },
-                      {
-                        "id": "sc-20.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-20(b)[2]"
-                          }
-                        ],
-                        "prose": "enable verification of a chain of trust among parent and child domains (if the\n                     child supports secure resolution services)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (authoritative\n                  source)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing secure name/address resolution\n                  service"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-21",
-            "class": "SP800-53",
-            "title": "Secure Name / Address Resolution Service (recursive or Caching Resolver)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-21"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-21"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-21_smt",
-                "name": "statement",
-                "prose": "The information system requests and performs data origin authentication and data\n               integrity verification on the name/address resolution responses the system receives\n               from authoritative sources."
-              },
-              {
-                "id": "sc-21_gdn",
-                "name": "guidance",
-                "prose": "Each client of name resolution services either performs this validation on its own,\n               or has authenticated channels to trusted validation providers. Information systems\n               that provide name and address resolution services for local clients include, for\n               example, recursive resolving or caching domain name system (DNS) servers. DNS client\n               resolvers either perform validation of DNSSEC signatures, or clients use\n               authenticated channels to recursive resolvers that perform such validations.\n               Information systems that use technologies other than the DNS to map between\n               host/service names and network addresses provide other means to enable clients to\n               verify the authenticity and integrity of response data.",
-                "links": [
-                  {
-                    "href": "#sc-20",
-                    "rel": "related",
-                    "text": "SC-20"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-21_obj",
-                "name": "objective",
-                "prose": "Determine if the information system: ",
-                "parts": [
-                  {
-                    "id": "sc-21_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[1]"
-                      }
-                    ],
-                    "prose": "requests data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources;"
-                  },
-                  {
-                    "id": "sc-21_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[2]"
-                      }
-                    ],
-                    "prose": "requests data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources;"
-                  },
-                  {
-                    "id": "sc-21_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[3]"
-                      }
-                    ],
-                    "prose": "performs data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources; and"
-                  },
-                  {
-                    "id": "sc-21_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[4]"
-                      }
-                    ],
-                    "prose": "performs data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (recursive or caching\n                  resolver)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing data origin authentication and\n                  data integrity verification for name/address resolution services"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-22",
-            "class": "SP800-53",
-            "title": "Architecture and Provisioning for Name / Address Resolution Service",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-22"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-22"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-22_smt",
-                "name": "statement",
-                "prose": "The information systems that collectively provide name/address resolution service for\n               an organization are fault-tolerant and implement internal/external role\n               separation."
-              },
-              {
-                "id": "sc-22_gdn",
-                "name": "guidance",
-                "prose": "Information systems that provide name and address resolution services include, for\n               example, domain name system (DNS) servers. To eliminate single points of failure and\n               to enhance redundancy, organizations employ at least two authoritative domain name\n               system servers, one configured as the primary server and the other configured as the\n               secondary server. Additionally, organizations typically deploy the servers in two\n               geographically separated network subnetworks (i.e., not located in the same physical\n               facility). For role separation, DNS servers with internal roles only process name and\n               address resolution requests from within organizations (i.e., from internal clients).\n               DNS servers with external roles only process name and address resolution information\n               requests from clients external to organizations (i.e., on external networks including\n               the Internet). Organizations specify clients that can access authoritative DNS\n               servers in particular roles (e.g., by address ranges, explicit lists).",
-                "links": [
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-20",
-                    "rel": "related",
-                    "text": "SC-20"
-                  },
-                  {
-                    "href": "#sc-21",
-                    "rel": "related",
-                    "text": "SC-21"
-                  },
-                  {
-                    "href": "#sc-24",
-                    "rel": "related",
-                    "text": "SC-24"
-                  }
-                ]
-              },
-              {
-                "id": "sc-22_obj",
-                "name": "objective",
-                "prose": "Determine if the information systems that collectively provide name/address\n               resolution service for an organization: ",
-                "parts": [
-                  {
-                    "id": "sc-22_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-22[1]"
-                      }
-                    ],
-                    "prose": "are fault tolerant; and"
-                  },
-                  {
-                    "id": "sc-22_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-22[2]"
-                      }
-                    ],
-                    "prose": "implement internal/external role separation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing architecture and provisioning for name/address resolution\n                  service\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\nassessment results from independent, testing organizations\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing name/address resolution\n                  service for fault tolerance and role separation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-23",
-            "class": "SP800-53",
-            "title": "Session Authenticity",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-23"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-23"
-              }
-            ],
-            "links": [
-              {
-                "href": "#90c5bc98-f9c4-44c9-98b7-787422f0999c",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-52"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              },
-              {
-                "href": "#1ebdf782-d95d-4a7b-8ec7-ee860951eced",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-95"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-23_smt",
-                "name": "statement",
-                "prose": "The information system protects the authenticity of communications sessions."
-              },
-              {
-                "id": "sc-23_gdn",
-                "name": "guidance",
-                "prose": "This control addresses communications protection at the session, versus packet level\n               (e.g., sessions in service-oriented architectures providing web-based services) and\n               establishes grounds for confidence at both ends of communications sessions in ongoing\n               identities of other parties and in the validity of information transmitted.\n               Authenticity protection includes, for example, protecting against man-in-the-middle\n               attacks/session hijacking and the insertion of false information into sessions.",
-                "links": [
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#sc-11",
-                    "rel": "related",
-                    "text": "SC-11"
-                  }
-                ]
-              },
-              {
-                "id": "sc-23_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system protects the authenticity of communications\n               sessions."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing session authenticity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing session authenticity"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-23.1",
-                "class": "SP800-53-enhancement",
-                "title": "Invalidate Session Identifiers at Logout",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-23(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-23.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-23.1_smt",
-                    "name": "statement",
-                    "prose": "The information system invalidates session identifiers upon user logout or other\n                  session termination."
-                  },
-                  {
-                    "id": "sc-23.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement curtails the ability of adversaries from capturing and\n                  continuing to employ previously valid session IDs."
-                  },
-                  {
-                    "id": "sc-23.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system invalidates session identifiers upon user\n                  logout or other session termination."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing session authenticity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing session identifier\n                     invalidation upon session termination"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-24",
-            "class": "SP800-53",
-            "title": "Fail in Known State",
-            "parameters": [
-              {
-                "id": "sc-24_prm_1",
-                "label": "organization-defined known-state"
-              },
-              {
-                "id": "sc-24_prm_2",
-                "label": "organization-defined types of failures"
-              },
-              {
-                "id": "sc-24_prm_3",
-                "label": "organization-defined system state information"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-24"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-24"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-24_smt",
-                "name": "statement",
-                "prose": "The information system fails to a {{ sc-24_prm_1 }} for {{ sc-24_prm_2 }} preserving {{ sc-24_prm_3 }} in\n               failure."
-              },
-              {
-                "id": "sc-24_gdn",
-                "name": "guidance",
-                "prose": "Failure in a known state addresses security concerns in accordance with the\n               mission/business needs of organizations. Failure in a known secure state helps to\n               prevent the loss of confidentiality, integrity, or availability of information in the\n               event of failures of organizational information systems or system components. Failure\n               in a known safe state helps to prevent systems from failing to a state that may cause\n               injury to individuals or destruction to property. Preserving information system state\n               information facilitates system restart and return to the operational mode of\n               organizations with less disruption of mission/business processes.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#cp-12",
-                    "rel": "related",
-                    "text": "CP-12"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-24_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-24_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-24[1]"
-                      }
-                    ],
-                    "prose": "the organization defines a known-state to which the information system is to fail\n                  in the event of a system failure;"
-                  },
-                  {
-                    "id": "sc-24_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-24[2]"
-                      }
-                    ],
-                    "prose": "the organization defines types of failures for which the information system is to\n                  fail to an organization-defined known-state;"
-                  },
-                  {
-                    "id": "sc-24_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-24[3]"
-                      }
-                    ],
-                    "prose": "the organization defines system state information to be preserved in the event of\n                  a system failure;"
-                  },
-                  {
-                    "id": "sc-24_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-24[4]"
-                      }
-                    ],
-                    "prose": "the information system fails to the organization-defined known-state for\n                  organization-defined types of failures; and"
-                  },
-                  {
-                    "id": "sc-24_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-24[5]"
-                      }
-                    ],
-                    "prose": "the information system preserves the organization-defined system state information\n                  in the event of a system failure."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing information system failure to known state\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of failures requiring information system to fail in a known state\\n\\nstate information to be preserved in system failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing fail-in-known state\n                  capability\\n\\nautomated mechanisms preserving system state information in the event of a system\n                  failure"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-28",
-            "class": "SP800-53",
-            "title": "Protection of Information at Rest",
-            "parameters": [
-              {
-                "id": "sc-28_prm_1",
-                "constraints": [
-                  {
-                    "detail": "confidentiality AND integrity"
-                  }
-                ]
-              },
-              {
-                "id": "sc-28_prm_2",
-                "label": "organization-defined information at rest"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-28"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-28"
-              }
-            ],
-            "links": [
-              {
-                "href": "#81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-56"
-              },
-              {
-                "href": "#a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-57"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-28_smt",
-                "name": "statement",
-                "prose": "The information system protects the {{ sc-28_prm_1 }} of {{ sc-28_prm_2 }}.",
-                "parts": [
-                  {
-                    "id": "sc-28_fr",
-                    "name": "item",
-                    "title": "SC-28 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sc-28_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-28_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the confidentiality and integrity of information at rest and\n               covers user information and system information. Information at rest refers to the\n               state of information when it is located on storage devices as specific components of\n               information systems. System-related information requiring protection includes, for\n               example, configurations or rule sets for firewalls, gateways, intrusion\n               detection/prevention systems, filtering routers, and authenticator content.\n               Organizations may employ different mechanisms to achieve confidentiality and\n               integrity protections, including the use of cryptographic mechanisms and file share\n               scanning. Integrity protection can be achieved, for example, by implementing\n               Write-Once-Read-Many (WORM) technologies. Organizations may also employ other\n               security controls including, for example, secure off-line storage in lieu of online\n               storage when adequate protection of information at rest cannot otherwise be achieved\n               and/or continuous monitoring to identify malicious code at rest.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-28_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-28_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-28[1]"
-                      }
-                    ],
-                    "prose": "the organization defines information at rest requiring one or more of the\n                  following:",
-                    "parts": [
-                      {
-                        "id": "sc-28_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-28[1][a]"
-                          }
-                        ],
-                        "prose": "confidentiality protection; and/or"
-                      },
-                      {
-                        "id": "sc-28_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-28[1][b]"
-                          }
-                        ],
-                        "prose": "integrity protection;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-28_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-28[2]"
-                      }
-                    ],
-                    "prose": "the information system protects:",
-                    "parts": [
-                      {
-                        "id": "sc-28_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-28[2][a]"
-                          }
-                        ],
-                        "prose": "the confidentiality of organization-defined information at rest; and/or"
-                      },
-                      {
-                        "id": "sc-28_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-28[2][b]"
-                          }
-                        ],
-                        "prose": "the integrity of organization-defined information at rest."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing protection of information at rest\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\nlist of information at rest requiring confidentiality and integrity\n                  protections\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing confidentiality and integrity\n                  protections for information at rest"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-28.1",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptographic Protection",
-                "parameters": [
-                  {
-                    "id": "sc-28.1_prm_1",
-                    "label": "organization-defined information"
-                  },
-                  {
-                    "id": "sc-28.1_prm_2",
-                    "label": "organization-defined information system components",
-                    "constraints": [
-                      {
-                        "detail": "all information system components storing customer data deemed sensitive"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-28(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-28.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-28.1_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to prevent unauthorized\n                  disclosure and modification of {{ sc-28.1_prm_1 }} on {{ sc-28.1_prm_2 }}."
-                  },
-                  {
-                    "id": "sc-28.1_gdn",
-                    "name": "guidance",
-                    "prose": "Selection of cryptographic mechanisms is based on the need to protect the\n                  confidentiality and integrity of organizational information. The strength of\n                  mechanism is commensurate with the security category and/or classification of the\n                  information. This control enhancement applies to significant concentrations of\n                  digital media in organizational areas designated for media storage and also to\n                  limited quantities of media generally associated with information system\n                  components in operational environments (e.g., portable storage devices, mobile\n                  devices). Organizations have the flexibility to either encrypt all information on\n                  storage devices (i.e., full disk encryption) or encrypt specific data structures\n                  (e.g., files, records, or fields). Organizations employing cryptographic\n                  mechanisms to protect information at rest also consider cryptographic key\n                  management solutions.",
-                    "links": [
-                      {
-                        "href": "#ac-19",
-                        "rel": "related",
-                        "text": "AC-19"
-                      },
-                      {
-                        "href": "#sc-12",
-                        "rel": "related",
-                        "text": "SC-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-28.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "sc-28.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-28(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines information requiring cryptographic protection;"
-                      },
-                      {
-                        "id": "sc-28.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-28(1)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines information system components with\n                     organization-defined information requiring cryptographic protection; and"
-                      },
-                      {
-                        "id": "sc-28.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-28(1)[3]"
-                          }
-                        ],
-                        "prose": "the information system employs cryptographic mechanisms to prevent unauthorized\n                     disclosure and modification of organization-defined information on\n                     organization-defined information system components."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing protection of information at rest\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections\n                     for information at rest"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-39",
-            "class": "SP800-53",
-            "title": "Process Isolation",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-39"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-39"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-39_smt",
-                "name": "statement",
-                "prose": "The information system maintains a separate execution domain for each executing\n               process."
-              },
-              {
-                "id": "sc-39_gdn",
-                "name": "guidance",
-                "prose": "Information systems can maintain separate execution domains for each executing\n               process by assigning each process a separate address space. Each information system\n               process has a distinct address space so that communication between processes is\n               performed in a manner controlled through the security functions, and one process\n               cannot modify the executing code of another process. Maintaining separate execution\n               domains for executing processes can be achieved, for example, by implementing\n               separate address spaces. This capability is available in most commercial operating\n               systems that employ multi-state processor technologies.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "sc-39_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system maintains a separate execution domain for each\n               executing process."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system design documentation\\n\\ninformation system architecture\\n\\nindependent verification and validation documentation\\n\\ntesting and evaluation documentation, other relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system developers/integrators\\n\\ninformation system security architect"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing separate execution domains for\n                  each executing process"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "si",
-        "class": "family",
-        "title": "System and Information Integrity",
-        "controls": [
-          {
-            "id": "si-1",
-            "class": "SP800-53",
-            "title": "System and Information Integrity Policy and Procedures",
-            "parameters": [
-              {
-                "id": "si-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "si-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually or whenever a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ si-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "si-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and information integrity policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "si-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and information\n                     integrity policy and associated system and information integrity controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "si-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and information integrity policy {{ si-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "si-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and information integrity procedures {{ si-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SI\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "si-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and information integrity policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "si-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "si-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and information integrity\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "si-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and information integrity policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and information integrity policy and associated system and\n                        information integrity controls;"
-                          },
-                          {
-                            "id": "si-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "si-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        information integrity policy;"
-                          },
-                          {
-                            "id": "si-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and information integrity policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        information integrity procedures; and"
-                          },
-                          {
-                            "id": "si-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and information integrity procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and information integrity\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-2",
-            "class": "SP800-53",
-            "title": "Flaw Remediation",
-            "parameters": [
-              {
-                "id": "si-2_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "thirty (30) days of release of updates"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              },
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies, reports, and corrects information system flaws;"
-                  },
-                  {
-                    "id": "si-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Tests software and firmware updates related to flaw remediation for effectiveness\n                  and potential side effects before installation;"
-                  },
-                  {
-                    "id": "si-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"
-                  },
-                  {
-                    "id": "si-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Incorporates flaw remediation into the organizational configuration management\n                  process."
-                  }
-                ]
-              },
-              {
-                "id": "si-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations identify information systems affected by announced software flaws\n               including potential vulnerabilities resulting from those flaws, and report this\n               information to designated organizational personnel with information security\n               responsibilities. Security-relevant software updates include, for example, patches,\n               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws\n               discovered during security assessments, continuous monitoring, incident response\n               activities, and system error handling. Organizations take advantage of available\n               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and\n               Exposures (CVE) databases in remediating flaws discovered in organizational\n               information systems. By incorporating flaw remediation into ongoing configuration\n               management processes, required/anticipated remediation actions can be tracked and\n               verified. Flaw remediation actions that can be tracked and verified include, for\n               example, determining whether organizations follow US-CERT guidance and Information\n               Assurance Vulnerability Alerts. Organization-defined time periods for updating\n               security-relevant software and firmware may vary based on a variety of factors\n               including, for example, the security category of the information system or the\n               criticality of the update (i.e., severity of the vulnerability related to the\n               discovered flaw). Some types of flaw remediation may require more testing than other\n               types. Organizations determine the degree and type of testing needed for the specific\n               type of flaw remediation activity under consideration and also the types of changes\n               that are to be configuration-managed. In some situations, organizations may determine\n               that the testing of software and/or firmware updates is not necessary or practical,\n               for example, when implementing simple anti-virus signature updates. Organizations may\n               also consider in testing decisions, whether security-relevant software or firmware\n               updates are obtained from authorized sources with appropriate digital signatures.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#si-11",
-                    "rel": "related",
-                    "text": "SI-11"
-                  }
-                ]
-              },
-              {
-                "id": "si-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[1]"
-                          }
-                        ],
-                        "prose": "identifies information system flaws;"
-                      },
-                      {
-                        "id": "si-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[2]"
-                          }
-                        ],
-                        "prose": "reports information system flaws;"
-                      },
-                      {
-                        "id": "si-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[3]"
-                          }
-                        ],
-                        "prose": "corrects information system flaws;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(b)[1]"
-                          }
-                        ],
-                        "prose": "tests software updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"
-                      },
-                      {
-                        "id": "si-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(b)[2]"
-                          }
-                        ],
-                        "prose": "tests firmware updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to install security-relevant software\n                     updates after the release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to install security-relevant firmware\n                     updates after the release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[3]"
-                          }
-                        ],
-                        "prose": "installs software updates within the organization-defined time period of the\n                     release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[4]"
-                          }
-                        ],
-                        "prose": "installs firmware updates within the organization-defined time period of the\n                     release of the updates; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-2(d)"
-                      }
-                    ],
-                    "prose": "incorporates flaw remediation into the organizational configuration management\n                  process."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nprocedures addressing configuration management\\n\\nlist of flaws and vulnerabilities potentially affecting the information system\\n\\nlist of recent security flaw remediation actions performed on the information\n                  system (e.g., list of installed patches, service packs, hot fixes, and other\n                  software updates to correct information system flaws)\\n\\ntest results from the installation of software and firmware updates to correct\n                  information system flaws\\n\\ninstallation/change control records for security-relevant software and firmware\n                  updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for flaw remediation\\n\\norganizational personnel with configuration management responsibility"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for identifying, reporting, and correcting information\n                  system flaws\\n\\norganizational process for installing software and firmware updates\\n\\nautomated mechanisms supporting and/or implementing reporting, and correcting\n                  information system flaws\\n\\nautomated mechanisms supporting and/or implementing testing software and firmware\n                  updates"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Central Management",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization centrally manages the flaw remediation process."
-                  },
-                  {
-                    "id": "si-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "Central management is the organization-wide management and implementation of flaw\n                  remediation processes. Central management includes planning, implementing,\n                  assessing, authorizing, and monitoring the organization-defined, centrally managed\n                  flaw remediation security controls."
-                  },
-                  {
-                    "id": "si-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization centrally manages the flaw remediation process."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nautomated mechanisms supporting centralized management of flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for central management of the flaw remediation\n                     process\\n\\nautomated mechanisms supporting and/or implementing central management of the\n                     flaw remediation process"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Flaw Remediation Status",
-                "parameters": [
-                  {
-                    "id": "si-2.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least monthly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms {{ si-2.2_prm_1 }} to\n                  determine the state of information system components with regard to flaw\n                  remediation."
-                  },
-                  {
-                    "id": "si-2.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(2)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to employ automated mechanisms to determine the state of\n                     information system components with regard to flaw remediation; and"
-                      },
-                      {
-                        "id": "si-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(2)[2]"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms with the organization-defined frequency to\n                     determine the state of information system components with regard to flaw\n                     remediation."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nautomated mechanisms supporting centralized management of flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms used to determine the state of information system\n                     components with regard to flaw remediation"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Time to Remediate Flaws / Benchmarks for Corrective Actions",
-                "parameters": [
-                  {
-                    "id": "si-2.3_prm_1",
-                    "label": "organization-defined benchmarks"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "si-2.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Measures the time between flaw identification and flaw remediation; and"
-                      },
-                      {
-                        "id": "si-2.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Establishes {{ si-2.3_prm_1 }} for taking corrective\n                     actions."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement requires organizations to determine the current time it\n                  takes on the average to correct information system flaws after such flaws have\n                  been identified, and subsequently establish organizational benchmarks (i.e., time\n                  frames) for taking corrective actions. Benchmarks can be established by type of\n                  flaw and/or severity of the potential vulnerability if the flaw can be\n                  exploited."
-                  },
-                  {
-                    "id": "si-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-2.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(3)(a)"
-                          }
-                        ],
-                        "prose": "measures the time between flaw identification and flaw remediation;",
-                        "links": [
-                          {
-                            "href": "#si-2.3_smt.a",
-                            "rel": "corresp",
-                            "text": "SI-2(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-2.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(3)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-2.3.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-2(3)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines benchmarks for taking corrective actions; and"
-                          },
-                          {
-                            "id": "si-2.3.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-2(3)(b)[2]"
-                              }
-                            ],
-                            "prose": "establishes organization-defined benchmarks for taking corrective\n                        actions."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#si-2.3_smt.b",
-                            "rel": "corresp",
-                            "text": "SI-2(3)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of benchmarks for taking corrective action on flaws identified\\n\\nrecords providing time stamps of flaw identification and subsequent flaw\n                     remediation activities\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for identifying, reporting, and correcting information\n                     system flaws\\n\\nautomated mechanisms used to measure the time between flaw identification and\n                     flaw remediation"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-3",
-            "class": "SP800-53",
-            "title": "Malicious Code Protection",
-            "parameters": [
-              {
-                "id": "si-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least weekly"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_2",
-                "constraints": [
-                  {
-                    "detail": "to include endpoints"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_3",
-                "constraints": [
-                  {
-                    "detail": "to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_4",
-                "depends-on": "si-3_prm_3",
-                "label": "organization-defined action"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs malicious code protection mechanisms at information system entry and exit\n                  points to detect and eradicate malicious code;"
-                  },
-                  {
-                    "id": "si-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and\n                  procedures;"
-                  },
-                  {
-                    "id": "si-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Configures malicious code protection mechanisms to:",
-                    "parts": [
-                      {
-                        "id": "si-3_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in\n                     accordance with organizational security policy; and"
-                      },
-                      {
-                        "id": "si-3_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "\n                     {{ si-3_prm_3 }} in response to malicious code detection;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Addresses the receipt of false positives during malicious code detection and\n                  eradication and the resulting potential impact on the availability of the\n                  information system."
-                  }
-                ]
-              },
-              {
-                "id": "si-3_gdn",
-                "name": "guidance",
-                "prose": "Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations,\n               notebook computers, and mobile devices. Malicious code includes, for example,\n               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in\n               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden\n               files, or hidden in files using steganography. Malicious code can be transported by\n               different means including, for example, web accesses, electronic mail, electronic\n               mail attachments, and portable storage devices. Malicious code insertions occur\n               through the exploitation of information system vulnerabilities. Malicious code\n               protection mechanisms include, for example, anti-virus signature definitions and\n               reputation-based technologies. A variety of technologies and methods exist to limit\n               or eliminate the effects of malicious code. Pervasive configuration management and\n               comprehensive software integrity controls may be effective in preventing execution of\n               unauthorized code. In addition to commercial off-the-shelf software, malicious code\n               may also be present in custom-built software. This could include, for example, logic\n               bombs, back doors, and other types of cyber attacks that could affect organizational\n               missions/business functions. Traditional malicious code protection mechanisms cannot\n               always detect such code. In these situations, organizations rely instead on other\n               safeguards including, for example, secure coding practices, configuration management\n               and control, trusted procurement processes, and monitoring practices to help ensure\n               that software does not perform functions other than the functions intended.\n               Organizations may determine that in response to the detection of malicious code,\n               different actions may be warranted. For example, organizations can define actions in\n               response to malicious code detection during periodic scans, actions in response to\n               detection of malicious downloads, and/or actions in response to detection of\n               maliciousness when attempting to open or execute files.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sa-13",
-                    "rel": "related",
-                    "text": "SA-13"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-26",
-                    "rel": "related",
-                    "text": "SC-26"
-                  },
-                  {
-                    "href": "#sc-44",
-                    "rel": "related",
-                    "text": "SC-44"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-3(a)"
-                      }
-                    ],
-                    "prose": "employs malicious code protection mechanisms to detect and eradicate malicious\n                  code at information system:",
-                    "parts": [
-                      {
-                        "id": "si-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(a)[1]"
-                          }
-                        ],
-                        "prose": "entry points;"
-                      },
-                      {
-                        "id": "si-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(a)[2]"
-                          }
-                        ],
-                        "prose": "exit points;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-3(b)"
-                      }
-                    ],
-                    "prose": "updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and procedures\n                  (as identified in CM-1);"
-                  },
-                  {
-                    "id": "si-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency for malicious code protection mechanisms to perform\n                     periodic scans of the information system;"
-                      },
-                      {
-                        "id": "si-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[2]"
-                          }
-                        ],
-                        "prose": "defines action to be initiated by malicious protection mechanisms in response\n                     to malicious code detection;"
-                      },
-                      {
-                        "id": "si-3.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[3]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-3.c.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-3(c)[3](1)"
-                              }
-                            ],
-                            "prose": "configures malicious code protection mechanisms to:",
-                            "parts": [
-                              {
-                                "id": "si-3.c.1_obj.3.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](1)[a]"
-                                  }
-                                ],
-                                "prose": "perform periodic scans of the information system with the\n                           organization-defined frequency;"
-                              },
-                              {
-                                "id": "si-3.c.1_obj.3.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](1)[b]"
-                                  }
-                                ],
-                                "prose": "perform real-time scans of files from external sources at endpoint and/or\n                           network entry/exit points as the files are downloaded, opened, or\n                           executed in accordance with organizational security policy;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "si-3.c.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-3(c)[3](2)"
-                              }
-                            ],
-                            "prose": "configures malicious code protection mechanisms to do one or more of the\n                        following:",
-                            "parts": [
-                              {
-                                "id": "si-3.c.2_obj.3.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[a]"
-                                  }
-                                ],
-                                "prose": "block malicious code in response to malicious code detection;"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[b]"
-                                  }
-                                ],
-                                "prose": "quarantine malicious code in response to malicious code detection;"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[c]"
-                                  }
-                                ],
-                                "prose": "send alert to administrator in response to malicious code detection;\n                           and/or"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[d]"
-                                  }
-                                ],
-                                "prose": "initiate organization-defined action in response to malicious code\n                           detection;"
-                              }
-                            ]
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(d)[1]"
-                          }
-                        ],
-                        "prose": "addresses the receipt of false positives during malicious code detection and\n                     eradication; and"
-                      },
-                      {
-                        "id": "si-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(d)[2]"
-                          }
-                        ],
-                        "prose": "addresses the resulting potential impact on the availability of the information\n                     system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nconfiguration management policy and procedures\\n\\nprocedures addressing malicious code protection\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nscan results from malicious code protection mechanisms\\n\\nrecord of actions initiated by malicious code protection mechanisms in response to\n                  malicious code detection\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for malicious code protection\\n\\norganizational personnel with configuration management responsibility"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for employing, updating, and configuring malicious code\n                  protection mechanisms\\n\\norganizational process for addressing false positives and resulting potential\n                  impact\\n\\nautomated mechanisms supporting and/or implementing employing, updating, and\n                  configuring malicious code protection mechanisms\\n\\nautomated mechanisms supporting and/or implementing malicious code scanning and\n                  subsequent actions"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Central Management",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-3.1_smt",
-                    "name": "statement",
-                    "prose": "The organization centrally manages malicious code protection mechanisms."
-                  },
-                  {
-                    "id": "si-3.1_gdn",
-                    "name": "guidance",
-                    "prose": "Central management is the organization-wide management and implementation of\n                  malicious code protection mechanisms. Central management includes planning,\n                  implementing, assessing, authorizing, and monitoring the organization-defined,\n                  centrally managed flaw malicious code protection security controls.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#si-8",
-                        "rel": "related",
-                        "text": "SI-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization centrally manages malicious code protection\n                  mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\nautomated mechanisms supporting centralized management of malicious code\n                     protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for central management of malicious code protection\n                     mechanisms\\n\\nautomated mechanisms supporting and/or implementing central management of\n                     malicious code protection mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-3.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automatic Updates",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-3(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-03.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-3.2_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically updates malicious code protection\n                  mechanisms."
-                  },
-                  {
-                    "id": "si-3.2_gdn",
-                    "name": "guidance",
-                    "prose": "Malicious code protection mechanisms include, for example, signature definitions.\n                  Due to information system integrity and availability concerns, organizations give\n                  careful consideration to the methodology used to carry out automatic updates.",
-                    "links": [
-                      {
-                        "href": "#si-8",
-                        "rel": "related",
-                        "text": "SI-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system automatically updates malicious code\n                  protection mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\nautomated mechanisms supporting centralized management of malicious code\n                     protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing automatic updates to\n                     malicious code protection capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-3.7",
-                "class": "SP800-53-enhancement",
-                "title": "Nonsignature-based Detection",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-3(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-03.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-3.7_smt",
-                    "name": "statement",
-                    "prose": "The information system implements nonsignature-based malicious code detection\n                  mechanisms."
-                  },
-                  {
-                    "id": "si-3.7_gdn",
-                    "name": "guidance",
-                    "prose": "Nonsignature-based detection mechanisms include, for example, the use of\n                  heuristics to detect, analyze, and describe the characteristics or behavior of\n                  malicious code and to provide safeguards against malicious code for which\n                  signatures do not yet exist or for which existing signatures may not be effective.\n                  This includes polymorphic malicious code (i.e., code that changes signatures when\n                  it replicates). This control enhancement does not preclude the use of\n                  signature-based detection mechanisms."
-                  },
-                  {
-                    "id": "si-3.7_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements non signature-based malicious code\n                  detection mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\ninformation system design documentation\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing nonsignature-based\n                     malicious code protection capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-4",
-            "class": "SP800-53",
-            "title": "Information System Monitoring",
-            "parameters": [
-              {
-                "id": "si-4_prm_1",
-                "label": "organization-defined monitoring objectives"
-              },
-              {
-                "id": "si-4_prm_2",
-                "label": "organization-defined techniques and methods"
-              },
-              {
-                "id": "si-4_prm_3",
-                "label": "organization-defined information system monitoring information"
-              },
-              {
-                "id": "si-4_prm_4",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-4_prm_5"
-              },
-              {
-                "id": "si-4_prm_6",
-                "depends-on": "si-4_prm_5",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              },
-              {
-                "href": "#672fd561-b92b-4713-b9cf-6c9d9456728b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-92"
-              },
-              {
-                "href": "#d1b1d689-0f66-4474-9924-c81119758dc1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-94"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors the information system to detect:",
-                    "parts": [
-                      {
-                        "id": "si-4_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and"
-                      },
-                      {
-                        "id": "si-4_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Unauthorized local, network, and remote connections;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Identifies unauthorized use of the information system through {{ si-4_prm_2 }};"
-                  },
-                  {
-                    "id": "si-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Deploys monitoring devices:",
-                    "parts": [
-                      {
-                        "id": "si-4_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Strategically within the information system to collect organization-determined\n                     essential information; and"
-                      },
-                      {
-                        "id": "si-4_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "At ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects information obtained from intrusion-monitoring tools from unauthorized\n                  access, modification, and deletion;"
-                  },
-                  {
-                    "id": "si-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"
-                  },
-                  {
-                    "id": "si-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations; and"
-                  },
-                  {
-                    "id": "si-4_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n                  {{ si-4_prm_5 }}."
-                  },
-                  {
-                    "id": "si-4_fr",
-                    "name": "item",
-                    "title": "SI-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "si-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See US-CERT Incident Response Reporting Guidelines."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4_gdn",
-                "name": "guidance",
-                "prose": "Information system monitoring includes external and internal monitoring. External\n               monitoring includes the observation of events occurring at the information system\n               boundary (i.e., part of perimeter defense and boundary protection). Internal\n               monitoring includes the observation of events occurring within the information\n               system. Organizations can monitor information systems, for example, by observing\n               audit activities in real time or by observing other system aspects such as access\n               patterns, characteristics of access, and other actions. The monitoring objectives may\n               guide determination of the events. Information system monitoring capability is\n               achieved through a variety of tools and techniques (e.g., intrusion detection\n               systems, intrusion prevention systems, malicious code protection software, scanning\n               tools, audit record monitoring software, network monitoring software). Strategic\n               locations for monitoring devices include, for example, selected perimeter locations\n               and near server farms supporting critical applications, with such devices typically\n               being employed at the managed interfaces associated with controls SC-7 and AC-17.\n               Einstein network monitoring devices from the Department of Homeland Security can also\n               be included as monitoring devices. The granularity of monitoring information\n               collected is based on organizational monitoring objectives and the capability of\n               information systems to support such objectives. Specific types of transactions of\n               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that\n               bypasses HTTP proxies. Information system monitoring is an integral part of\n               organizational continuous monitoring and incident response programs. Output from\n               system monitoring serves as input to continuous monitoring and incident response\n               programs. A network connection is any connection with a device that communicates\n               through a network (e.g., local area network, Internet). A remote connection is any\n               connection with a device communicating through an external network (e.g., the\n               Internet). Local, network, and remote connections can be either wired or\n               wireless.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-8",
-                    "rel": "related",
-                    "text": "AC-8"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-26",
-                    "rel": "related",
-                    "text": "SC-26"
-                  },
-                  {
-                    "href": "#sc-35",
-                    "rel": "related",
-                    "text": "SC-35"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "si-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-4.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines monitoring objectives to detect attacks and indicators of potential\n                        attacks on the information system;"
-                          },
-                          {
-                            "id": "si-4.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "monitors the information system to detect, in accordance with\n                        organization-defined monitoring objectives,:",
-                            "parts": [
-                              {
-                                "id": "si-4.a.1_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-4(a)(1)[2][a]"
-                                  }
-                                ],
-                                "prose": "attacks;"
-                              },
-                              {
-                                "id": "si-4.a.1_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-4(a)(1)[2][b]"
-                                  }
-                                ],
-                                "prose": "indicators of potential attacks;"
-                              }
-                            ]
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-4.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(a)(2)"
-                          }
-                        ],
-                        "prose": "monitors the information system to detect unauthorized:",
-                        "parts": [
-                          {
-                            "id": "si-4.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "local connections;"
-                          },
-                          {
-                            "id": "si-4.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "network connections;"
-                          },
-                          {
-                            "id": "si-4.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "remote connections;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(b)(1)"
-                          }
-                        ],
-                        "prose": "defines techniques and methods to identify unauthorized use of the information\n                     system;"
-                      },
-                      {
-                        "id": "si-4.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(b)(2)"
-                          }
-                        ],
-                        "prose": "identifies unauthorized use of the information system through\n                     organization-defined techniques and methods;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(c)"
-                      }
-                    ],
-                    "prose": "deploys monitoring devices:",
-                    "parts": [
-                      {
-                        "id": "si-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(c)[1]"
-                          }
-                        ],
-                        "prose": "strategically within the information system to collect organization-determined\n                     essential information;"
-                      },
-                      {
-                        "id": "si-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(c)[2]"
-                          }
-                        ],
-                        "prose": "at ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(d)"
-                      }
-                    ],
-                    "prose": "protects information obtained from intrusion-monitoring tools from\n                  unauthorized:",
-                    "parts": [
-                      {
-                        "id": "si-4.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[1]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "si-4.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[2]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      },
-                      {
-                        "id": "si-4.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[3]"
-                          }
-                        ],
-                        "prose": "deletion;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(e)"
-                      }
-                    ],
-                    "prose": "heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"
-                  },
-                  {
-                    "id": "si-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(f)"
-                      }
-                    ],
-                    "prose": "obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations;"
-                  },
-                  {
-                    "id": "si-4.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom information system monitoring information is\n                     to be provided;"
-                      },
-                      {
-                        "id": "si-4.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[2]"
-                          }
-                        ],
-                        "prose": "defines information system monitoring information to be provided to\n                     organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "si-4.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[3]"
-                          }
-                        ],
-                        "prose": "defines a frequency to provide organization-defined information system\n                     monitoring to organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "si-4.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[4]"
-                          }
-                        ],
-                        "prose": "provides organization-defined information system monitoring information to\n                     organization-defined personnel or roles one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "si-4.g_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(g)[4][a]"
-                              }
-                            ],
-                            "prose": "as needed; and/or"
-                          },
-                          {
-                            "id": "si-4.g_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(g)[4][b]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Continuous monitoring strategy\\n\\nsystem and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\nfacility diagram/layout\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\nlocations within information system where monitoring devices are deployed\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility monitoring the information system"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system monitoring\n                  capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "System-wide Intrusion Detection System",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization connects and configures individual intrusion detection tools into\n                  an information system-wide intrusion detection system."
-                  },
-                  {
-                    "id": "si-4.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(1)[1]"
-                          }
-                        ],
-                        "prose": "connects individual intrusion detection tools into an information system-wide\n                     intrusion detection system; and"
-                      },
-                      {
-                        "id": "si-4.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(1)[2]"
-                          }
-                        ],
-                        "prose": "configures individual intrusion detection tools into an information system-wide\n                     intrusion detection system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Tools for Real-time Analysis",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated tools to support near real-time analysis of\n                  events."
-                  },
-                  {
-                    "id": "si-4.2_gdn",
-                    "name": "guidance",
-                    "prose": "Automated tools include, for example, host-based, network-based, transport-based,\n                  or storage-based event monitoring tools or Security Information and Event\n                  Management (SIEM) technologies that provide real time analysis of alerts and/or\n                  notifications generated by organizational information systems."
-                  },
-                  {
-                    "id": "si-4.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated tools to support near real-time\n                  analysis of events."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for incident\n                     response/management"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for near real-time analysis of events\\n\\norganizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system\n                     monitoring\\n\\nautomated mechanisms/tools supporting and/or implementing analysis of\n                     events"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.4",
-                "class": "SP800-53-enhancement",
-                "title": "Inbound and Outbound Communications Traffic",
-                "parameters": [
-                  {
-                    "id": "si-4.4_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "continuously"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-4(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.4_smt",
-                    "name": "statement",
-                    "prose": "The information system monitors inbound and outbound communications traffic\n                     {{ si-4.4_prm_1 }} for unusual or unauthorized activities or\n                  conditions."
-                  },
-                  {
-                    "id": "si-4.4_gdn",
-                    "name": "guidance",
-                    "prose": "Unusual/unauthorized activities or conditions related to information system\n                  inbound and outbound communications traffic include, for example, internal traffic\n                  that indicates the presence of malicious code within organizational information\n                  systems or propagating among system components, the unauthorized exporting of\n                  information, or signaling to external information systems. Evidence of malicious\n                  code is used to identify potentially compromised information systems or\n                  information system components."
-                  },
-                  {
-                    "id": "si-4.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(4)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to monitor:",
-                        "parts": [
-                          {
-                            "id": "si-4.4_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(4)[1][a]"
-                              }
-                            ],
-                            "prose": "inbound communications traffic for unusual or unauthorized activities or\n                        conditions;"
-                          },
-                          {
-                            "id": "si-4.4_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(4)[1][b]"
-                              }
-                            ],
-                            "prose": "outbound communications traffic for unusual or unauthorized activities or\n                        conditions;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-4.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(4)[2]"
-                          }
-                        ],
-                        "prose": "monitors, with the organization-defined frequency:",
-                        "parts": [
-                          {
-                            "id": "si-4.4_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(4)[2][a]"
-                              }
-                            ],
-                            "prose": "inbound communications traffic for unusual or unauthorized activities or\n                        conditions; and"
-                          },
-                          {
-                            "id": "si-4.4_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(4)[2][b]"
-                              }
-                            ],
-                            "prose": "outbound communications traffic for unusual or unauthorized activities or\n                        conditions."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system protocols\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection\n                     capability/information system monitoring\\n\\nautomated mechanisms supporting and/or implementing monitoring of\n                     inbound/outbound communications traffic"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.5",
-                "class": "SP800-53-enhancement",
-                "title": "System-generated Alerts",
-                "parameters": [
-                  {
-                    "id": "si-4.5_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  },
-                  {
-                    "id": "si-4.5_prm_2",
-                    "label": "organization-defined compromise indicators"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.5_smt",
-                    "name": "statement",
-                    "prose": "The information system alerts {{ si-4.5_prm_1 }} when the following\n                  indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}.",
-                    "parts": [
-                      {
-                        "id": "si-4.5_fr",
-                        "name": "item",
-                        "title": "SI-4 (5) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "si-4.5_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "In accordance with the incident response plan."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.5_gdn",
-                    "name": "guidance",
-                    "prose": "Alerts may be generated from a variety of sources, including, for example, audit\n                  records or inputs from malicious code protection mechanisms, intrusion detection\n                  or prevention mechanisms, or boundary protection devices such as firewalls,\n                  gateways, and routers. Alerts can be transmitted, for example, telephonically, by\n                  electronic mail messages, or by text messaging. Organizational personnel on the\n                  notification list can include, for example, system administrators,\n                  mission/business owners, system owners, or information system security\n                  officers.",
-                    "links": [
-                      {
-                        "href": "#au-5",
-                        "rel": "related",
-                        "text": "AU-5"
-                      },
-                      {
-                        "href": "#pe-6",
-                        "rel": "related",
-                        "text": "PE-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "si-4.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(5)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines compromise indicators for the information system;"
-                      },
-                      {
-                        "id": "si-4.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(5)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to be alerted when indications of\n                     compromise or potential compromise occur; and"
-                      },
-                      {
-                        "id": "si-4.5_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(5)[3]"
-                          }
-                        ],
-                        "prose": "the information system alerts organization-defined personnel or roles when\n                     organization-defined compromise indicators occur."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications generated based on compromise indicators\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing alerts for compromise\n                     indicators"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.11",
-                "class": "SP800-53-enhancement",
-                "title": "Analyze Communications Traffic Anomalies",
-                "parameters": [
-                  {
-                    "id": "si-4.11_prm_1",
-                    "label": "organization-defined interior points within the system (e.g., subnetworks,\n                  subsystems)"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(11)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.11"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.11_smt",
-                    "name": "statement",
-                    "prose": "The organization analyzes outbound communications traffic at the external boundary\n                  of the information system and selected {{ si-4.11_prm_1 }} to\n                  discover anomalies."
-                  },
-                  {
-                    "id": "si-4.11_gdn",
-                    "name": "guidance",
-                    "prose": "Anomalies within organizational information systems include, for example, large\n                  file transfers, long-time persistent connections, unusual protocols and ports in\n                  use, and attempted communications with suspected malicious external addresses."
-                  },
-                  {
-                    "id": "si-4.11_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.11_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(11)[1]"
-                          }
-                        ],
-                        "prose": "defines interior points within the system (e.g., subnetworks, subsystems) where\n                     communications traffic is to be analyzed;"
-                      },
-                      {
-                        "id": "si-4.11_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(11)[2]"
-                          }
-                        ],
-                        "prose": "analyzes outbound communications traffic to discover anomalies at:",
-                        "parts": [
-                          {
-                            "id": "si-4.11_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(11)[2][a]"
-                              }
-                            ],
-                            "prose": "the external boundary of the information system; and"
-                          },
-                          {
-                            "id": "si-4.11_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(11)[2][b]"
-                              }
-                            ],
-                            "prose": "selected organization-defined interior points within the system."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nnetwork diagram\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing analysis of communications\n                     traffic"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.14",
-                "class": "SP800-53-enhancement",
-                "title": "Wireless Intrusion Detection",
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-4(14)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.14"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.14_smt",
-                    "name": "statement",
-                    "prose": "The organization employs a wireless intrusion detection system to identify rogue\n                  wireless devices and to detect attack attempts and potential compromises/breaches\n                  to the information system."
-                  },
-                  {
-                    "id": "si-4.14_gdn",
-                    "name": "guidance",
-                    "prose": "Wireless signals may radiate beyond the confines of organization-controlled\n                  facilities. Organizations proactively search for unauthorized wireless connections\n                  including the conduct of thorough scans for unauthorized wireless access points.\n                  Scans are not limited to those areas within facilities containing information\n                  systems, but also include areas outside of facilities as needed, to verify that\n                  unauthorized wireless access points are not connected to the systems.",
-                    "links": [
-                      {
-                        "href": "#ac-18",
-                        "rel": "related",
-                        "text": "AC-18"
-                      },
-                      {
-                        "href": "#ia-3",
-                        "rel": "related",
-                        "text": "IA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.14_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs a wireless intrusion detection system\n                  to:",
-                    "parts": [
-                      {
-                        "id": "si-4.14_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(14)[1]"
-                          }
-                        ],
-                        "prose": "identify rogue wireless devices;"
-                      },
-                      {
-                        "id": "si-4.14_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(14)[2]"
-                          }
-                        ],
-                        "prose": "detect attack attempts to the information system; and"
-                      },
-                      {
-                        "id": "si-4.14_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(14)[3]"
-                          }
-                        ],
-                        "prose": "detect potential compromises/breaches to the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system protocols\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection\\n\\nautomated mechanisms supporting and/or implementing wireless intrusion\n                     detection capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.16",
-                "class": "SP800-53-enhancement",
-                "title": "Correlate Monitoring Information",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(16)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.16"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.16_smt",
-                    "name": "statement",
-                    "prose": "The organization correlates information from monitoring tools employed throughout\n                  the information system."
-                  },
-                  {
-                    "id": "si-4.16_gdn",
-                    "name": "guidance",
-                    "prose": "Correlating information from different monitoring tools can provide a more\n                  comprehensive view of information system activity. The correlation of monitoring\n                  tools that usually work in isolation (e.g., host monitoring, network monitoring,\n                  anti-virus software) can provide an organization-wide view and in so doing, may\n                  reveal otherwise unseen attack patterns. Understanding the\n                  capabilities/limitations of diverse monitoring tools and how to maximize the\n                  utility of information generated by those tools can help organizations to build,\n                  operate, and maintain effective monitoring programs.",
-                    "links": [
-                      {
-                        "href": "#au-6",
-                        "rel": "related",
-                        "text": "AU-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.16_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization correlates information from monitoring tools\n                  employed throughout the information system."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nevent correlation logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing correlation of information\n                     from monitoring tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.18",
-                "class": "SP800-53-enhancement",
-                "title": "Analyze Traffic / Covert Exfiltration",
-                "parameters": [
-                  {
-                    "id": "si-4.18_prm_1",
-                    "label": "organization-defined interior points within the system (e.g., subsystems,\n                  subnetworks)"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(18)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.18"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.18_smt",
-                    "name": "statement",
-                    "prose": "The organization analyzes outbound communications traffic at the external boundary\n                  of the information system (i.e., system perimeter) and at {{ si-4.18_prm_1 }} to detect covert exfiltration of information."
-                  },
-                  {
-                    "id": "si-4.18_gdn",
-                    "name": "guidance",
-                    "prose": "Covert means that can be used for the unauthorized exfiltration of organizational\n                  information include, for example, steganography."
-                  },
-                  {
-                    "id": "si-4.18_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.18_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(18)[1]"
-                          }
-                        ],
-                        "prose": "defines interior points within the system (e.g., subsystems, subnetworks) where\n                     communications traffic is to be analyzed;"
-                      },
-                      {
-                        "id": "si-4.18_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(18)[2]"
-                          }
-                        ],
-                        "prose": "to detect covert exfiltration of information, analyzes outbound communications\n                     traffic at:",
-                        "parts": [
-                          {
-                            "id": "si-4.18_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(18)[2][a]"
-                              }
-                            ],
-                            "prose": "the external boundary of the information system (i.e., system perimeter);\n                        and"
-                          },
-                          {
-                            "id": "si-4.18_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(18)[2][b]"
-                              }
-                            ],
-                            "prose": "organization-defined interior points within the system."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nnetwork diagram\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection/system\n                     monitoring capability\\n\\nautomated mechanisms supporting and/or implementing analysis of outbound\n                     communications traffic"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.19",
-                "class": "SP800-53-enhancement",
-                "title": "Individuals Posing Greater Risk",
-                "parameters": [
-                  {
-                    "id": "si-4.19_prm_1",
-                    "label": "organization-defined additional monitoring"
-                  },
-                  {
-                    "id": "si-4.19_prm_2",
-                    "label": "organization-defined sources"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(19)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.19"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.19_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ si-4.19_prm_1 }} of individuals who\n                  have been identified by {{ si-4.19_prm_2 }} as posing an increased\n                  level of risk."
-                  },
-                  {
-                    "id": "si-4.19_gdn",
-                    "name": "guidance",
-                    "prose": "Indications of increased risk from individuals can be obtained from a variety of\n                  sources including, for example, human resource records, intelligence agencies, law\n                  enforcement organizations, and/or other credible sources. The monitoring of\n                  individuals is closely coordinated with management, legal, security, and human\n                  resources officials within organizations conducting such monitoring and complies\n                  with federal legislation, Executive Orders, policies, directives, regulations, and\n                  standards."
-                  },
-                  {
-                    "id": "si-4.19_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.19_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(19)[1]"
-                          }
-                        ],
-                        "prose": "defines sources that identify individuals who pose an increased level of\n                     risk;"
-                      },
-                      {
-                        "id": "si-4.19_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(19)[2]"
-                          }
-                        ],
-                        "prose": "defines additional monitoring to be implemented on individuals who have been\n                     identified by organization-defined sources as posing an increased level of\n                     risk; and"
-                      },
-                      {
-                        "id": "si-4.19_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(19)[3]"
-                          }
-                        ],
-                        "prose": "implements organization-defined additional monitoring of individuals who have\n                     been identified by organization-defined sources as posing an increased level of\n                     risk."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring\\n\\ninformation system design documentation\\n\\nlist of individuals who have been identified as posing an increased level of\n                     risk\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing system monitoring\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.20",
-                "class": "SP800-53-enhancement",
-                "title": "Privileged Users",
-                "parameters": [
-                  {
-                    "id": "si-4.20_prm_1",
-                    "label": "organization-defined additional monitoring"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(20)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.20"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.20_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ si-4.20_prm_1 }} of privileged\n                  users."
-                  },
-                  {
-                    "id": "si-4.20_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.20_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(20)[1]"
-                          }
-                        ],
-                        "prose": "defines additional monitoring to be implemented on privileged users; and"
-                      },
-                      {
-                        "id": "si-4.20_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(20)[2]"
-                          }
-                        ],
-                        "prose": "implements organization-defined additional monitoring of privileged users;"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nlist of privileged users\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing system monitoring\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.22",
-                "class": "SP800-53-enhancement",
-                "title": "Unauthorized Network Services",
-                "parameters": [
-                  {
-                    "id": "si-4.22_prm_1",
-                    "label": "organization-defined authorization or approval processes"
-                  },
-                  {
-                    "id": "si-4.22_prm_2"
-                  },
-                  {
-                    "id": "si-4.22_prm_3",
-                    "depends-on": "si-4.22_prm_2",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(22)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.22"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.22_smt",
-                    "name": "statement",
-                    "prose": "The information system detects network services that have not been authorized or\n                  approved by {{ si-4.22_prm_1 }} and {{ si-4.22_prm_2 }}."
-                  },
-                  {
-                    "id": "si-4.22_gdn",
-                    "name": "guidance",
-                    "prose": "Unauthorized or unapproved network services include, for example, services in\n                  service-oriented architectures that lack organizational verification or validation\n                  and therefore may be unreliable or serve as malicious rogues for valid\n                  services.",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      },
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#sa-5",
-                        "rel": "related",
-                        "text": "SA-5"
-                      },
-                      {
-                        "href": "#sa-9",
-                        "rel": "related",
-                        "text": "SA-9"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.22_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "si-4.22_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(22)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines authorization or approval processes for network\n                     services;"
-                      },
-                      {
-                        "id": "si-4.22_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(22)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to be alerted upon detection of\n                     network services that have not been authorized or approved by\n                     organization-defined authorization or approval processes;"
-                      },
-                      {
-                        "id": "si-4.22_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(22)[3]"
-                          }
-                        ],
-                        "prose": "the information system detects network services that have not been authorized\n                     or approved by organization-defined authorization or approval processes and\n                     does one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "si-4.22_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(22)[3][a]"
-                              }
-                            ],
-                            "prose": "audits; and/or"
-                          },
-                          {
-                            "id": "si-4.22_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(22)[3][b]"
-                              }
-                            ],
-                            "prose": "alerts organization-defined personnel or roles."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ndocumented authorization/approval of network services\\n\\nnotifications or alerts of unauthorized network services\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing system monitoring\n                     capability\\n\\nautomated mechanisms for auditing network services\\n\\nautomated mechanisms for providing alerts"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.23",
-                "class": "SP800-53-enhancement",
-                "title": "Host-based Devices",
-                "parameters": [
-                  {
-                    "id": "si-4.23_prm_1",
-                    "label": "organization-defined host-based monitoring mechanisms"
-                  },
-                  {
-                    "id": "si-4.23_prm_2",
-                    "label": "organization-defined information system components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(23)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.23"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.23_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ si-4.23_prm_1 }} at {{ si-4.23_prm_2 }}."
-                  },
-                  {
-                    "id": "si-4.23_gdn",
-                    "name": "guidance",
-                    "prose": "Information system components where host-based monitoring can be implemented\n                  include, for example, servers, workstations, and mobile devices. Organizations\n                  consider employing host-based monitoring mechanisms from multiple information\n                  technology product developers."
-                  },
-                  {
-                    "id": "si-4.23_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.23_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(23)[1]"
-                          }
-                        ],
-                        "prose": "defines host-based monitoring mechanisms to be implemented;"
-                      },
-                      {
-                        "id": "si-4.23_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(23)[2]"
-                          }
-                        ],
-                        "prose": "defines information system components where organization-defined host-based\n                     monitoring is to be implemented; and"
-                      },
-                      {
-                        "id": "si-4.23_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(23)[3]"
-                          }
-                        ],
-                        "prose": "implements organization-defined host-based monitoring mechanisms at\n                     organization-defined information system components."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nhost-based monitoring mechanisms\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components requiring host-based monitoring\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring information system\n                     hosts"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing host-based monitoring\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.24",
-                "class": "SP800-53-enhancement",
-                "title": "Indicators of Compromise",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(24)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.24"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.24_smt",
-                    "name": "statement",
-                    "prose": "The information system discovers, collects, distributes, and uses indicators of\n                  compromise."
-                  },
-                  {
-                    "id": "si-4.24_gdn",
-                    "name": "guidance",
-                    "prose": "Indicators of compromise (IOC) are forensic artifacts from intrusions that are\n                  identified on organizational information systems (at the host or network level).\n                  IOCs provide organizations with valuable information on objects or information\n                  systems that have been compromised. IOCs for the discovery of compromised hosts\n                  can include for example, the creation of registry key values. IOCs for network\n                  traffic include, for example, Universal Resource Locator (URL) or protocol\n                  elements that indicate malware command and control servers. The rapid distribution\n                  and adoption of IOCs can improve information security by reducing the time that\n                  information systems and organizations are vulnerable to the same exploit or\n                  attack."
-                  },
-                  {
-                    "id": "si-4.24_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system:",
-                    "parts": [
-                      {
-                        "id": "si-4.24_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(24)[1]"
-                          }
-                        ],
-                        "prose": "discovers indicators of compromise;"
-                      },
-                      {
-                        "id": "si-4.24_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(24)[2]"
-                          }
-                        ],
-                        "prose": "collects indicators of compromise;"
-                      },
-                      {
-                        "id": "si-4.24_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(24)[3]"
-                          }
-                        ],
-                        "prose": "distributes indicators of compromise; and"
-                      },
-                      {
-                        "id": "si-4.24_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(24)[4]"
-                          }
-                        ],
-                        "prose": "uses indicators of compromise."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring information system\n                     hosts"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for information system monitoring\\n\\norganizational processes for discovery, collection, distribution, and use of\n                     indicators of compromise\\n\\nautomated mechanisms supporting and/or implementing system monitoring\n                     capability\\n\\nautomated mechanisms supporting and/or implementing the discovery, collection,\n                     distribution, and use of indicators of compromise"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-5",
-            "class": "SP800-53",
-            "title": "Security Alerts, Advisories, and Directives",
-            "parameters": [
-              {
-                "id": "si-5_prm_1",
-                "label": "organization-defined external organizations",
-                "constraints": [
-                  {
-                    "detail": "to include US-CERT"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_prm_2",
-                "constraints": [
-                  {
-                    "detail": "to include system security personnel and administrators with configuration/patch-management responsibilities"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_prm_3",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-5_prm_4",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined elements within the organization"
-              },
-              {
-                "id": "si-5_prm_5",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined external organizations"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Receives information system security alerts, advisories, and directives from\n                     {{ si-5_prm_1 }} on an ongoing basis;"
-                  },
-                  {
-                    "id": "si-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Generates internal security alerts, advisories, and directives as deemed\n                  necessary;"
-                  },
-                  {
-                    "id": "si-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"
-                  },
-                  {
-                    "id": "si-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Implements security directives in accordance with established time frames, or\n                  notifies the issuing organization of the degree of noncompliance."
-                  }
-                ]
-              },
-              {
-                "id": "si-5_gdn",
-                "name": "guidance",
-                "prose": "The United States Computer Emergency Readiness Team (US-CERT) generates security\n               alerts and advisories to maintain situational awareness across the federal\n               government. Security directives are issued by OMB or other designated organizations\n               with the responsibility and authority to issue such directives. Compliance to\n               security directives is essential due to the critical nature of many of these\n               directives and the potential immediate adverse effects on organizational operations\n               and assets, individuals, other organizations, and the Nation should the directives\n               not be implemented in a timely manner. External organizations include, for example,\n               external mission/business partners, supply chain partners, external service\n               providers, and other peer/supporting organizations.",
-                "links": [
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(a)[1]"
-                          }
-                        ],
-                        "prose": "defines external organizations from whom information system security alerts,\n                     advisories and directives are to be received;"
-                      },
-                      {
-                        "id": "si-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(a)[2]"
-                          }
-                        ],
-                        "prose": "receives information system security alerts, advisories, and directives from\n                     organization-defined external organizations on an ongoing basis;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-5(b)"
-                      }
-                    ],
-                    "prose": "generates internal security alerts, advisories, and directives as deemed\n                  necessary;"
-                  },
-                  {
-                    "id": "si-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom security alerts, advisories, and directives\n                     are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[2]"
-                          }
-                        ],
-                        "prose": "defines elements within the organization to whom security alerts, advisories,\n                     and directives are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[3]"
-                          }
-                        ],
-                        "prose": "defines external organizations to whom security alerts, advisories, and\n                     directives are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[4]"
-                          }
-                        ],
-                        "prose": "disseminates security alerts, advisories, and directives to one or more of the\n                     following:",
-                        "parts": [
-                          {
-                            "id": "si-5.c_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][a]"
-                              }
-                            ],
-                            "prose": "organization-defined personnel or roles;"
-                          },
-                          {
-                            "id": "si-5.c_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][b]"
-                              }
-                            ],
-                            "prose": "organization-defined elements within the organization; and/or"
-                          },
-                          {
-                            "id": "si-5.c_obj.4.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][c]"
-                              }
-                            ],
-                            "prose": "organization-defined external organizations; and"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(d)[1]"
-                          }
-                        ],
-                        "prose": "implements security directives in accordance with established time frames;\n                     or"
-                      },
-                      {
-                        "id": "si-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(d)[2]"
-                          }
-                        ],
-                        "prose": "notifies the issuing organization of the degree of noncompliance."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\nrecords of security alerts and advisories\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                  information system\\n\\norganizational personnel, organizational elements, and/or external organizations\n                  to whom alerts, advisories, and directives are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining, receiving, generating, disseminating, and\n                  complying with security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing definition, receipt,\n                  generation, and dissemination of security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing security directives"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Alerts and Advisories",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-5.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to make security alert and advisory\n                  information available throughout the organization."
-                  },
-                  {
-                    "id": "si-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "The significant number of changes to organizational information systems and the\n                  environments in which those systems operate requires the dissemination of\n                  security-related information to a variety of organizational entities that have a\n                  direct interest in the success of organizational missions and business functions.\n                  Based on the information provided by the security alerts and advisories, changes\n                  may be required at one or more of the three tiers related to the management of\n                  information security risk including the governance level, mission/business\n                  process/enterprise architecture level, and the information system level."
-                  },
-                  {
-                    "id": "si-5.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to make security alert\n                  and advisory information available throughout the organization."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nautomated mechanisms supporting the distribution of security alert and advisory\n                     information\\n\\nrecords of security alerts and advisories\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                     information system\\n\\norganizational personnel, organizational elements, and/or external\n                     organizations to whom alerts and advisories are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for defining, receiving, generating, and disseminating\n                     security alerts and advisories\\n\\nautomated mechanisms supporting and/or implementing dissemination of security\n                     alerts and advisories"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-6",
-            "class": "SP800-53",
-            "title": "Security Function Verification",
-            "parameters": [
-              {
-                "id": "si-6_prm_1",
-                "label": "organization-defined security functions"
-              },
-              {
-                "id": "si-6_prm_2"
-              },
-              {
-                "id": "si-6_prm_3",
-                "depends-on": "si-6_prm_2",
-                "label": "organization-defined system transitional states",
-                "constraints": [
-                  {
-                    "detail": "to include upon system startup and/or restart"
-                  }
-                ]
-              },
-              {
-                "id": "si-6_prm_4",
-                "depends-on": "si-6_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              },
-              {
-                "id": "si-6_prm_5",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "to include system administrators and security personnel"
-                  }
-                ]
-              },
-              {
-                "id": "si-6_prm_6"
-              },
-              {
-                "id": "si-6_prm_7",
-                "depends-on": "si-6_prm_6",
-                "label": "organization-defined alternative action(s)",
-                "constraints": [
-                  {
-                    "detail": "to include notification of system administrators and security personnel"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-6_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "si-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Verifies the correct operation of {{ si-6_prm_1 }};"
-                  },
-                  {
-                    "id": "si-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Performs this verification {{ si-6_prm_2 }};"
-                  },
-                  {
-                    "id": "si-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Notifies {{ si-6_prm_5 }} of failed security verification tests;\n                  and"
-                  },
-                  {
-                    "id": "si-6_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "\n                  {{ si-6_prm_6 }} when anomalies are discovered."
-                  }
-                ]
-              },
-              {
-                "id": "si-6_gdn",
-                "name": "guidance",
-                "prose": "Transitional states for information systems include, for example, system startup,\n               restart, shutdown, and abort. Notifications provided by information systems include,\n               for example, electronic alerts to system administrators, messages to local computer\n               consoles, and/or hardware indications such as lights.",
-                "links": [
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  }
-                ]
-              },
-              {
-                "id": "si-6_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines security functions to be verified for correct\n                     operation;"
-                      },
-                      {
-                        "id": "si-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system verifies the correct operation of organization-defined\n                     security functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines system transitional states requiring verification of\n                     organization-defined security functions;"
-                      },
-                      {
-                        "id": "si-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(b)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines a frequency to verify the correct operation of\n                     organization-defined security functions;"
-                      },
-                      {
-                        "id": "si-6.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(b)[3]"
-                          }
-                        ],
-                        "prose": "the information system performs this verification one or more of the\n                     following:",
-                        "parts": [
-                          {
-                            "id": "si-6.b_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(b)[3][a]"
-                              }
-                            ],
-                            "prose": "at organization-defined system transitional states;"
-                          },
-                          {
-                            "id": "si-6.b_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(b)[3][b]"
-                              }
-                            ],
-                            "prose": "upon command by user with appropriate privilege; and/or"
-                          },
-                          {
-                            "id": "si-6.b_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(b)[3][c]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(c)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to be notified of failed security\n                     verification tests;"
-                      },
-                      {
-                        "id": "si-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(c)[2]"
-                          }
-                        ],
-                        "prose": "the information system notifies organization-defined personnel or roles of\n                     failed security verification tests;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-6.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-6(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-6.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(d)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines alternative action(s) to be performed when anomalies\n                     are discovered;"
-                      },
-                      {
-                        "id": "si-6.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(d)[2]"
-                          }
-                        ],
-                        "prose": "the information system performs one or more of the following actions when\n                     anomalies are discovered:",
-                        "parts": [
-                          {
-                            "id": "si-6.d_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(d)[2][a]"
-                              }
-                            ],
-                            "prose": "shuts the information system down;"
-                          },
-                          {
-                            "id": "si-6.d_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(d)[2][b]"
-                              }
-                            ],
-                            "prose": "restarts the information system; and/or"
-                          },
-                          {
-                            "id": "si-6.d_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(d)[2][c]"
-                              }
-                            ],
-                            "prose": "performs organization-defined alternative action(s)."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing security function verification\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications of failed security verification tests\\n\\nlist of system transition states requiring security functionality verification\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security function verification responsibilities\\n\\norganizational personnel implementing, operating, and maintaining the information\n                  system\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security function verification\\n\\nautomated mechanisms supporting and/or implementing security function verification\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-7",
-            "class": "SP800-53",
-            "title": "Software, Firmware, and Information Integrity",
-            "parameters": [
-              {
-                "id": "si-7_prm_1",
-                "label": "organization-defined software, firmware, and information"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6bf8d24a-78dc-4727-a2ac-0e64d71c495c",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-147"
-              },
-              {
-                "href": "#3878cc04-144a-483e-af62-8fe6f4ad6c7a",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-155"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-7_smt",
-                "name": "statement",
-                "prose": "The organization employs integrity verification tools to detect unauthorized changes\n               to {{ si-7_prm_1 }}."
-              },
-              {
-                "id": "si-7_gdn",
-                "name": "guidance",
-                "prose": "Unauthorized changes to software, firmware, and information can occur due to errors\n               or malicious activity (e.g., tampering). Software includes, for example, operating\n               systems (with key internal components such as kernels, drivers), middleware, and\n               applications. Firmware includes, for example, the Basic Input Output System (BIOS).\n               Information includes metadata such as security attributes associated with\n               information. State-of-the-practice integrity-checking mechanisms (e.g., parity\n               checks, cyclical redundancy checks, cryptographic hashes) and associated tools can\n               automatically monitor the integrity of information systems and hosted\n               applications.",
-                "links": [
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  }
-                ]
-              },
-              {
-                "id": "si-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-7[1]"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-7_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7[1][a]"
-                          }
-                        ],
-                        "prose": "defines software requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"
-                      },
-                      {
-                        "id": "si-7_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7[1][b]"
-                          }
-                        ],
-                        "prose": "defines firmware requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"
-                      },
-                      {
-                        "id": "si-7_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7[1][c]"
-                          }
-                        ],
-                        "prose": "defines information requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-7[2]"
-                      }
-                    ],
-                    "prose": "employs integrity verification tools to detect unauthorized changes to\n                  organization-defined:",
-                    "parts": [
-                      {
-                        "id": "si-7_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-7[2][a]"
-                          }
-                        ],
-                        "prose": "software;"
-                      },
-                      {
-                        "id": "si-7_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-7[2][b]"
-                          }
-                        ],
-                        "prose": "firmware; and"
-                      },
-                      {
-                        "id": "si-7_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-7[2][c]"
-                          }
-                        ],
-                        "prose": "information."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords generated/triggered from integrity verification tools regarding\n                  unauthorized software, firmware, and information changes\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                  information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Software, firmware, and information integrity verification tools"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Integrity Checks",
-                "parameters": [
-                  {
-                    "id": "si-7.1_prm_1",
-                    "label": "organization-defined software, firmware, and information"
-                  },
-                  {
-                    "id": "si-7.1_prm_2"
-                  },
-                  {
-                    "id": "si-7.1_prm_3",
-                    "depends-on": "si-7.1_prm_2",
-                    "label": "organization-defined transitional states or security-relevant events",
-                    "constraints": [
-                      {
-                        "detail": "selection to include security relevant events"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-7.1_prm_4",
-                    "depends-on": "si-7.1_prm_2",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least monthly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-7.1_smt",
-                    "name": "statement",
-                    "prose": "The information system performs an integrity check of {{ si-7.1_prm_1 }}\n                  {{ si-7.1_prm_2 }}."
-                  },
-                  {
-                    "id": "si-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Security-relevant events include, for example, the identification of a new threat\n                  to which organizational information systems are susceptible, and the installation\n                  of new hardware, software, or firmware. Transitional states include, for example,\n                  system startup, restart, shutdown, and abort."
-                  },
-                  {
-                    "id": "si-7.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "si-7.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines:",
-                        "parts": [
-                          {
-                            "id": "si-7.1_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[1][a]"
-                              }
-                            ],
-                            "prose": "software requiring integrity checks to be performed;"
-                          },
-                          {
-                            "id": "si-7.1_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[1][b]"
-                              }
-                            ],
-                            "prose": "firmware requiring integrity checks to be performed;"
-                          },
-                          {
-                            "id": "si-7.1_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[1][c]"
-                              }
-                            ],
-                            "prose": "information requiring integrity checks to be performed;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-7.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(1)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines transitional states or security-relevant events\n                     requiring integrity checks of organization-defined:",
-                        "parts": [
-                          {
-                            "id": "si-7.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[2][a]"
-                              }
-                            ],
-                            "prose": "software;"
-                          },
-                          {
-                            "id": "si-7.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[2][b]"
-                              }
-                            ],
-                            "prose": "firmware;"
-                          },
-                          {
-                            "id": "si-7.1_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[2][c]"
-                              }
-                            ],
-                            "prose": "information;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-7.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(1)[3]"
-                          }
-                        ],
-                        "prose": "the organization defines a frequency with which to perform an integrity check\n                     of organization-defined:",
-                        "parts": [
-                          {
-                            "id": "si-7.1_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[3][a]"
-                              }
-                            ],
-                            "prose": "software;"
-                          },
-                          {
-                            "id": "si-7.1_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[3][b]"
-                              }
-                            ],
-                            "prose": "firmware;"
-                          },
-                          {
-                            "id": "si-7.1_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[3][c]"
-                              }
-                            ],
-                            "prose": "information;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-7.1_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(1)[4]"
-                          }
-                        ],
-                        "prose": "the information system performs an integrity check of organization-defined\n                     software, firmware, and information one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "si-7.1_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[4][a]"
-                              }
-                            ],
-                            "prose": "at startup;"
-                          },
-                          {
-                            "id": "si-7.1_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[4][b]"
-                              }
-                            ],
-                            "prose": "at organization-defined transitional states or security-relevant events;\n                        and/or"
-                          },
-                          {
-                            "id": "si-7.1_obj.4.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[4][c]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords of integrity scans\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Software, firmware, and information integrity verification tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-7.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Notifications of Integrity Violations",
-                "parameters": [
-                  {
-                    "id": "si-7.2_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-7(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-07.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-7.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated tools that provide notification to {{ si-7.2_prm_1 }} upon discovering discrepancies during integrity\n                  verification."
-                  },
-                  {
-                    "id": "si-7.2_gdn",
-                    "name": "guidance",
-                    "prose": "The use of automated tools to report integrity violations and to notify\n                  organizational personnel in a timely matter is an essential precursor to effective\n                  risk response. Personnel having an interest in integrity violations include, for\n                  example, mission/business owners, information system owners, systems\n                  administrators, software developers, systems integrators, and information security\n                  officers."
-                  },
-                  {
-                    "id": "si-7.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-7.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(2)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom notification is to be provided upon\n                     discovering discrepancies during integrity verification; and"
-                      },
-                      {
-                        "id": "si-7.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(2)[2]"
-                          }
-                        ],
-                        "prose": "employs automated tools that provide notification to organization-defined\n                     personnel or roles upon discovering discrepancies during integrity\n                     verification."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords of integrity scans\\n\\nautomated tools supporting alerts and notifications for integrity\n                     discrepancies\\n\\nalerts/notifications provided upon discovering discrepancies during integrity\n                     verifications\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Software, firmware, and information integrity verification tools\\n\\nautomated mechanisms providing integrity discrepancy notifications"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-7.5",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Response to Integrity Violations",
-                "parameters": [
-                  {
-                    "id": "si-7.5_prm_1"
-                  },
-                  {
-                    "id": "si-7.5_prm_2",
-                    "depends-on": "si-7.5_prm_1",
-                    "label": "organization-defined security safeguards"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-7(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-07.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-7.5_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically {{ si-7.5_prm_1 }} when\n                  integrity violations are discovered."
-                  },
-                  {
-                    "id": "si-7.5_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may define different integrity checking and anomaly responses: (i)\n                  by type of information (e.g., firmware, software, user data); (ii) by specific\n                  information (e.g., boot firmware, boot firmware for a specific types of machines);\n                  or (iii) a combination of both. Automatic implementation of specific safeguards\n                  within organizational information systems includes, for example, reversing the\n                  changes, halting the information system, or triggering audit alerts when\n                  unauthorized modifications to critical security files occur."
-                  },
-                  {
-                    "id": "si-7.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "si-7.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(5)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines security safeguards to be implemented when integrity\n                     violations are discovered;"
-                      },
-                      {
-                        "id": "si-7.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(5)[2]"
-                          }
-                        ],
-                        "prose": "the information system automatically performs one or more of the following\n                     actions when integrity violations are discovered:",
-                        "parts": [
-                          {
-                            "id": "si-7.5_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(5)[2][a]"
-                              }
-                            ],
-                            "prose": "shuts the information system down;"
-                          },
-                          {
-                            "id": "si-7.5_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(5)[2][b]"
-                              }
-                            ],
-                            "prose": "restarts the information system; and/or"
-                          },
-                          {
-                            "id": "si-7.5_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(5)[2][c]"
-                              }
-                            ],
-                            "prose": "implements the organization-defined security safeguards."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords of integrity scans\\n\\nrecords of integrity checks and responses to integrity violations\\n\\ninformation audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Software, firmware, and information integrity verification tools\\n\\nautomated mechanisms providing an automated response to integrity\n                     violations\\n\\nautomated mechanisms supporting and/or implementing security safeguards to be\n                     implemented when integrity violations are discovered"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-7.7",
-                "class": "SP800-53-enhancement",
-                "title": "Integration of Detection and Response",
-                "parameters": [
-                  {
-                    "id": "si-7.7_prm_1",
-                    "label": "organization-defined security-relevant changes to the information\n                  system"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-7(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-07.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-7.7_smt",
-                    "name": "statement",
-                    "prose": "The organization incorporates the detection of unauthorized {{ si-7.7_prm_1 }} into the organizational incident response\n                  capability."
-                  },
-                  {
-                    "id": "si-7.7_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement helps to ensure that detected events are tracked,\n                  monitored, corrected, and available for historical purposes. Maintaining\n                  historical records is important both for being able to identify and discern\n                  adversary actions over an extended period of time and for possible legal actions.\n                  Security-relevant changes include, for example, unauthorized changes to\n                  established configuration settings or unauthorized elevation of information system\n                  privileges.",
-                    "links": [
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      },
-                      {
-                        "href": "#ir-5",
-                        "rel": "related",
-                        "text": "IR-5"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-7.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-7.7_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(7)[1]"
-                          }
-                        ],
-                        "prose": "defines unauthorized security-relevant changes to the information system;\n                     and"
-                      },
-                      {
-                        "id": "si-7.7_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(7)[2]"
-                          }
-                        ],
-                        "prose": "incorporates the detection of unauthorized organization-defined\n                     security-relevant changes to the information system into the organizational\n                     incident response capability."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\nprocedures addressing incident response\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response records\\n\\ninformation audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for incorporating detection of unauthorized\n                     security-relevant changes into the incident response capability\\n\\nsoftware, firmware, and information integrity verification tools\\n\\nautomated mechanisms supporting and/or implementing incorporation of detection\n                     of unauthorized security-relevant changes into the incident response\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-7.14",
-                "class": "SP800-53-enhancement",
-                "title": "Binary or Machine Executable Code",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-7(14)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-07.14"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-7.14_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "si-7.14_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Prohibits the use of binary or machine-executable code from sources with\n                     limited or no warranty and without the provision of source code; and"
-                      },
-                      {
-                        "id": "si-7.14_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Provides exceptions to the source code requirement only for compelling\n                     mission/operational requirements and with the approval of the authorizing\n                     official."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-7.14_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to all sources of binary or machine-executable\n                  code including, for example, commercial software/firmware and open source\n                  software. Organizations assess software products without accompanying source code\n                  from sources with limited or no warranty for potential security impacts. The\n                  assessments address the fact that these types of software products may be very\n                  difficult to review, repair, or extend, given that organizations, in most cases,\n                  do not have access to the original source code, and there may be no owners who\n                  could make such repairs on behalf of organizations.",
-                    "links": [
-                      {
-                        "href": "#sa-5",
-                        "rel": "related",
-                        "text": "SA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-7.14_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-7.14.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-7(14)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-7.14.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-7(14)(a)[1]"
-                              }
-                            ],
-                            "prose": "prohibits the use of binary or machine-executable code from sources with\n                        limited or no warranty;"
-                          },
-                          {
-                            "id": "si-7.14.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-7(14)(a)[2]"
-                              }
-                            ],
-                            "prose": "prohibits the use of binary or machine-executable code without the provision\n                        of source code;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#si-7.14_smt.a",
-                            "rel": "corresp",
-                            "text": "SI-7(14)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-7.14.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-7(14)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-7.14.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-7(14)(b)[1]"
-                              }
-                            ],
-                            "prose": "provides exceptions to the source code requirement only for compelling\n                        mission/operational requirements; and"
-                          },
-                          {
-                            "id": "si-7.14.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-7(14)(b)[2]"
-                              }
-                            ],
-                            "prose": "provides exceptions to the source code requirement only with the approval of\n                        the authorizing official."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#si-7.14_smt.b",
-                            "rel": "corresp",
-                            "text": "SI-7(14)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\napproval records for execution of binary and machine-executable code\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nauthorizing official\\n\\nsystem/network administrators\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing prohibition of the\n                     execution of binary or machine-executable code"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-8",
-            "class": "SP800-53",
-            "title": "Spam Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c6e95ca0-5828-420e-b095-00895b72b5e8",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-45"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs spam protection mechanisms at information system entry and exit points to\n                  detect and take action on unsolicited messages; and"
-                  },
-                  {
-                    "id": "si-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates spam protection mechanisms when new releases are available in accordance\n                  with organizational configuration management policy and procedures."
-                  }
-                ]
-              },
-              {
-                "id": "si-8_gdn",
-                "name": "guidance",
-                "prose": "Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations, mobile\n               devices, and notebook/laptop computers. Spam can be transported by different means\n               including, for example, electronic mail, electronic mail attachments, and web\n               accesses. Spam protection mechanisms include, for example, signature definitions.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  }
-                ]
-              },
-              {
-                "id": "si-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-8(a)"
-                      }
-                    ],
-                    "prose": "employs spam protection mechanisms:",
-                    "parts": [
-                      {
-                        "id": "si-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-8(a)[1]"
-                          }
-                        ],
-                        "prose": "at information system entry points to detect unsolicited messages;"
-                      },
-                      {
-                        "id": "si-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-8(a)[2]"
-                          }
-                        ],
-                        "prose": "at information system entry points to take action on unsolicited messages;"
-                      },
-                      {
-                        "id": "si-8.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-8(a)[3]"
-                          }
-                        ],
-                        "prose": "at information system exit points to detect unsolicited messages;"
-                      },
-                      {
-                        "id": "si-8.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-8(a)[4]"
-                          }
-                        ],
-                        "prose": "at information system exit points to take action on unsolicited messages;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-8(b)"
-                      }
-                    ],
-                    "prose": "updates spam protection mechanisms when new releases are available in accordance\n                  with organizational configuration management policy and procedures."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nconfiguration management policy and procedures (CM-1)\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\nrecords of spam protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for implementing spam protection\\n\\nautomated mechanisms supporting and/or implementing spam protection"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Central Management",
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization centrally manages spam protection mechanisms."
-                  },
-                  {
-                    "id": "si-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "Central management is the organization-wide management and implementation of spam\n                  protection mechanisms. Central management includes planning, implementing,\n                  assessing, authorizing, and monitoring the organization-defined, centrally managed\n                  spam protection security controls.",
-                    "links": [
-                      {
-                        "href": "#au-3",
-                        "rel": "related",
-                        "text": "AU-3"
-                      },
-                      {
-                        "href": "#si-2",
-                        "rel": "related",
-                        "text": "SI-2"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-8.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization centrally manages spam protection mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for central management of spam protection\\n\\nautomated mechanisms supporting and/or implementing central management of spam\n                     protection"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automatic Updates",
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-08.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-8.2_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically updates spam protection mechanisms."
-                  },
-                  {
-                    "id": "si-8.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system automatically updates spam protection\n                  mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\nrecords of spam protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for spam protection\\n\\nautomated mechanisms supporting and/or implementing automatic updates to spam\n                     protection mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-10",
-            "class": "SP800-53",
-            "title": "Information Input Validation",
-            "parameters": [
-              {
-                "id": "si-10_prm_1",
-                "label": "organization-defined information inputs"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-10_smt",
-                "name": "statement",
-                "prose": "The information system checks the validity of {{ si-10_prm_1 }}."
-              },
-              {
-                "id": "si-10_gdn",
-                "name": "guidance",
-                "prose": "Checking the valid syntax and semantics of information system inputs (e.g., character\n               set, length, numerical range, and acceptable values) verifies that inputs match\n               specified definitions for format and content. Software applications typically follow\n               well-defined protocols that use structured messages (i.e., commands or queries) to\n               communicate between software modules or system components. Structured messages can\n               contain raw or unstructured data interspersed with metadata or control information.\n               If software applications use attacker-supplied inputs to construct structured\n               messages without properly encoding such messages, then the attacker could insert\n               malicious commands or special characters that can cause the data to be interpreted as\n               control information or metadata. Consequently, the module or component that receives\n               the tainted output will perform the wrong operations or otherwise interpret the data\n               incorrectly. Prescreening inputs prior to passing to interpreters prevents the\n               content from being unintentionally interpreted as commands. Input validation helps to\n               ensure accurate and correct inputs and prevent attacks such as cross-site scripting\n               and a variety of injection attacks."
-              },
-              {
-                "id": "si-10_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-10[1]"
-                      }
-                    ],
-                    "prose": "the organization defines information inputs requiring validity checks; and"
-                  },
-                  {
-                    "id": "si-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-10[2]"
-                      }
-                    ],
-                    "prose": "the information system checks the validity of organization-defined information\n                  inputs."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\naccess control policy and procedures\\n\\nseparation of duties policy and procedures\\n\\nprocedures addressing information input validation\\n\\ndocumentation for automated tools and applications to verify validity of\n                  information\\n\\nlist of information inputs requiring validity checks\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for information input validation\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing validity checks on information\n                  inputs"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-11",
-            "class": "SP800-53",
-            "title": "Error Handling",
-            "parameters": [
-              {
-                "id": "si-11_prm_1",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-11_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "si-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Generates error messages that provide information necessary for corrective actions\n                  without revealing information that could be exploited by adversaries; and"
-                  },
-                  {
-                    "id": "si-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reveals error messages only to {{ si-11_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "si-11_gdn",
-                "name": "guidance",
-                "prose": "Organizations carefully consider the structure/content of error messages. The extent\n               to which information systems are able to identify and handle error conditions is\n               guided by organizational policy and operational requirements. Information that could\n               be exploited by adversaries includes, for example, erroneous logon attempts with\n               passwords entered by mistake as the username, mission/business information that can\n               be derived from (if not stated explicitly by) information recorded, and personal\n               information such as account numbers, social security numbers, and credit card\n               numbers. In addition, error messages may provide a covert channel for transmitting\n               information.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#sc-31",
-                    "rel": "related",
-                    "text": "SC-31"
-                  }
-                ]
-              },
-              {
-                "id": "si-11_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-11(a)"
-                      }
-                    ],
-                    "prose": "the information system generates error messages that provide information necessary\n                  for corrective actions without revealing information that could be exploited by\n                  adversaries;"
-                  },
-                  {
-                    "id": "si-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-11(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-11.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-11(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to whom error messages are to be\n                     revealed; and"
-                      },
-                      {
-                        "id": "si-11.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-11(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system reveals error messages only to organization-defined\n                     personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing information system error handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ndocumentation providing structure/content of error messages\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for information input validation\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for error handling\\n\\nautomated mechanisms supporting and/or implementing error handling\\n\\nautomated mechanisms supporting and/or implementing management of error\n                  messages"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-12",
-            "class": "SP800-53",
-            "title": "Information Handling and Retention",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-12_smt",
-                "name": "statement",
-                "prose": "The organization handles and retains information within the information system and\n               information output from the system in accordance with applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and operational\n               requirements."
-              },
-              {
-                "id": "si-12_gdn",
-                "name": "guidance",
-                "prose": "Information handling and retention requirements cover the full life cycle of\n               information, in some cases extending beyond the disposal of information systems. The\n               National Archives and Records Administration provides guidance on records\n               retention.",
-                "links": [
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-11",
-                    "rel": "related",
-                    "text": "AU-11"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  }
-                ]
-              },
-              {
-                "id": "si-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization, in accordance with applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and operational\n               requirements:",
-                "parts": [
-                  {
-                    "id": "si-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-12[1]"
-                      }
-                    ],
-                    "prose": "handles information within the information system;"
-                  },
-                  {
-                    "id": "si-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[2]"
-                      }
-                    ],
-                    "prose": "handles output from the information system;"
-                  },
-                  {
-                    "id": "si-12_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[3]"
-                      }
-                    ],
-                    "prose": "retains information within the information system; and"
-                  },
-                  {
-                    "id": "si-12_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[4]"
-                      }
-                    ],
-                    "prose": "retains output from the information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nfederal laws, Executive Orders, directives, policies, regulations, standards, and\n                  operational requirements applicable to information handling and retention\\n\\nmedia protection policy and procedures\\n\\nprocedures addressing information system output handling and retention\\n\\ninformation retention records, other relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for information handling and\n                  retention\\n\\norganizational personnel with information security responsibilities/network\n                  administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information handling and retention\\n\\nautomated mechanisms supporting and/or implementing information handling and\n                  retention"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-16",
-            "class": "SP800-53",
-            "title": "Memory Protection",
-            "parameters": [
-              {
-                "id": "si-16_prm_1",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-16"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-16_smt",
-                "name": "statement",
-                "prose": "The information system implements {{ si-16_prm_1 }} to protect its\n               memory from unauthorized code execution."
-              },
-              {
-                "id": "si-16_gdn",
-                "name": "guidance",
-                "prose": "Some adversaries launch attacks with the intent of executing code in non-executable\n               regions of memory or in memory locations that are prohibited. Security safeguards\n               employed to protect memory include, for example, data execution prevention and\n               address space layout randomization. Data execution prevention safeguards can either\n               be hardware-enforced or software-enforced with hardware providing the greater\n               strength of mechanism.",
-                "links": [
-                  {
-                    "href": "#ac-25",
-                    "rel": "related",
-                    "text": "AC-25"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "si-16_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-16_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-16[1]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be implemented to protect\n                  information system memory from unauthorized code execution; and"
-                  },
-                  {
-                    "id": "si-16_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-16[2]"
-                      }
-                    ],
-                    "prose": "the information system implements organization-defined security safeguards to\n                  protect its memory from unauthorized code execution."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing memory protection for the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security safeguards protecting information system memory from unauthorized\n                  code execution\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for memory protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing safeguards to protect\n                  information system memory from unauthorized code execution"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      }
-    ],
-    "back-matter": {
-      "resources": [
-        {
-          "uuid": "0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-          "title": "5 C.F.R. 731.106",
-          "citation": {
-            "text": "Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,\n               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.\n               731.106)."
-          },
-          "rlinks": [
-            {
-              "href": "http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"
-            }
-          ]
-        },
-        {
-          "uuid": "bb61234b-46c3-4211-8c2b-9869222a720d",
-          "title": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)",
-          "citation": {
-            "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"
-            }
-          ]
-        },
-        {
-          "uuid": "a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-          "title": "CNSS Policy 15",
-          "citation": {
-            "text": "CNSS Policy 15"
-          },
-          "rlinks": [
-            {
-              "href": "https://www.cnss.gov/policies.html"
-            }
-          ]
-        },
-        {
-          "uuid": "2d8b14e9-c8b5-4d3d-8bdc-155078f3281b",
-          "title": "DoD Information Assurance Vulnerability Alerts",
-          "citation": {
-            "text": "DoD Information Assurance Vulnerability Alerts"
-          }
-        },
-        {
-          "uuid": "61081e7f-041d-4033-96a7-44a439071683",
-          "title": "DoD Instruction 5200.39",
-          "citation": {
-            "text": "DoD Instruction 5200.39"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "e42b2099-3e1c-415b-952c-61c96533c12e",
-          "title": "DoD Instruction 8551.01",
-          "citation": {
-            "text": "DoD Instruction 8551.01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "e6522953-6714-435d-a0d3-140df554c186",
-          "title": "DoD Instruction 8552.01",
-          "citation": {
-            "text": "DoD Instruction 8552.01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-          "title": "Executive Order 13587",
-          "citation": {
-            "text": "Executive Order 13587"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"
-            }
-          ]
-        },
-        {
-          "uuid": "56d671da-6b7b-4abf-8296-84b61980390a",
-          "title": "Federal Acquisition Regulation",
-          "citation": {
-            "text": "Federal Acquisition Regulation"
-          },
-          "rlinks": [
-            {
-              "href": "https://acquisition.gov/far"
-            }
-          ]
-        },
-        {
-          "uuid": "023104bc-6f75-4cd5-b7d0-fc92326f8007",
-          "title": "Federal Continuity Directive 1",
-          "citation": {
-            "text": "Federal Continuity Directive 1"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.fema.gov/pdf/about/offices/fcd1.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-          "title": "FICAM Roadmap and Implementation Guidance",
-          "citation": {
-            "text": "FICAM Roadmap and Implementation Guidance"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"
-            }
-          ]
-        },
-        {
-          "uuid": "39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-          "title": "FIPS Publication 140",
-          "citation": {
-            "text": "FIPS Publication 140"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html"
-            }
-          ]
-        },
-        {
-          "uuid": "d715b234-9b5b-4e07-b1ed-99836727664d",
-          "title": "FIPS Publication 140-2",
-          "citation": {
-            "text": "FIPS Publication 140-2"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#140-2"
-            }
-          ]
-        },
-        {
-          "uuid": "f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-          "title": "FIPS Publication 197",
-          "citation": {
-            "text": "FIPS Publication 197"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#197"
-            }
-          ]
-        },
-        {
-          "uuid": "e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-          "title": "FIPS Publication 199",
-          "citation": {
-            "text": "FIPS Publication 199"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#199"
-            }
-          ]
-        },
-        {
-          "uuid": "c80c10b3-1294-4984-a4cc-d1733ca432b9",
-          "title": "FIPS Publication 201",
-          "citation": {
-            "text": "FIPS Publication 201"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#201"
-            }
-          ]
-        },
-        {
-          "uuid": "ad733a42-a7ed-4774-b988-4930c28852f3",
-          "title": "HSPD-12",
-          "citation": {
-            "text": "HSPD-12"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dhs.gov/homeland-security-presidential-directive-12"
-            }
-          ]
-        },
-        {
-          "uuid": "4ef539ba-b767-4666-b0d3-168c53005fa3",
-          "title": "http://capec.mitre.org",
-          "citation": {
-            "text": "http://capec.mitre.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://capec.mitre.org"
-            }
-          ]
-        },
-        {
-          "uuid": "e95dd121-2733-413e-bf1e-f1eb49f20a98",
-          "title": "http://checklists.nist.gov",
-          "citation": {
-            "text": "http://checklists.nist.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://checklists.nist.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "6a1041fc-054e-4230-946b-2e6f4f3731bb",
-          "title": "http://csrc.nist.gov/cryptval",
-          "citation": {
-            "text": "http://csrc.nist.gov/cryptval"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/cryptval"
-            }
-          ]
-        },
-        {
-          "uuid": "b09d1a31-d3c9-4138-a4f4-4c63816afd7d",
-          "title": "http://csrc.nist.gov/groups/STM/cmvp/index.html",
-          "citation": {
-            "text": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-            }
-          ]
-        },
-        {
-          "uuid": "0931209f-00ae-4132-b92c-bc645847e8f9",
-          "title": "http://cve.mitre.org",
-          "citation": {
-            "text": "http://cve.mitre.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://cve.mitre.org"
-            }
-          ]
-        },
-        {
-          "uuid": "15522e92-9192-463d-9646-6a01982db8ca",
-          "title": "http://cwe.mitre.org",
-          "citation": {
-            "text": "http://cwe.mitre.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://cwe.mitre.org"
-            }
-          ]
-        },
-        {
-          "uuid": "5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-          "title": "http://fips201ep.cio.gov",
-          "citation": {
-            "text": "http://fips201ep.cio.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://fips201ep.cio.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "85280698-0417-489d-b214-12bb935fb939",
-          "title": "http://idmanagement.gov",
-          "citation": {
-            "text": "http://idmanagement.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://idmanagement.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "275cc052-0f7f-423c-bdb6-ed503dc36228",
-          "title": "http://nvd.nist.gov",
-          "citation": {
-            "text": "http://nvd.nist.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://nvd.nist.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "bbd50dd1-54ce-4432-959d-63ea564b1bb4",
-          "title": "http://www.acquisition.gov/far",
-          "citation": {
-            "text": "http://www.acquisition.gov/far"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.acquisition.gov/far"
-            }
-          ]
-        },
-        {
-          "uuid": "9b97ed27-3dd6-4f9a-ade5-1b43e9669794",
-          "title": "http://www.cnss.gov",
-          "citation": {
-            "text": "http://www.cnss.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.cnss.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "3ac12e79-f54f-4a63-9f4b-ee4bcd4df604",
-          "title": "http://www.dhs.gov/telecommunications-service-priority-tsp",
-          "citation": {
-            "text": "http://www.dhs.gov/telecommunications-service-priority-tsp"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dhs.gov/telecommunications-service-priority-tsp"
-            }
-          ]
-        },
-        {
-          "uuid": "c95a9986-3cd6-4a98-931b-ccfc56cb11e5",
-          "title": "http://www.niap-ccevs.org",
-          "citation": {
-            "text": "http://www.niap-ccevs.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.niap-ccevs.org"
-            }
-          ]
-        },
-        {
-          "uuid": "647b6de3-81d0-4d22-bec1-5f1333e34380",
-          "title": "http://www.nsa.gov",
-          "citation": {
-            "text": "http://www.nsa.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nsa.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "a47466c4-c837-4f06-a39f-e68412a5f73d",
-          "title": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml",
-          "citation": {
-            "text": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-            }
-          ]
-        },
-        {
-          "uuid": "02631467-668b-4233-989b-3dfded2fd184",
-          "title": "http://www.us-cert.gov",
-          "citation": {
-            "text": "http://www.us-cert.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.us-cert.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "6caa237b-531b-43ac-9711-d8f6b97b0377",
-          "title": "ICD 704",
-          "citation": {
-            "text": "ICD 704"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"
-            }
-          ]
-        },
-        {
-          "uuid": "398e33fd-f404-4e5c-b90e-2d50d3181244",
-          "title": "ICD 705",
-          "citation": {
-            "text": "ICD 705"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"
-            }
-          ]
-        },
-        {
-          "uuid": "1737a687-52fb-4008-b900-cbfa836f7b65",
-          "title": "ISO/IEC 15408",
-          "citation": {
-            "text": "ISO/IEC 15408"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"
-            }
-          ]
-        },
-        {
-          "uuid": "fb5844de-ff96-47c0-b258-4f52bcc2f30d",
-          "title": "National Communications Systems Directive 3-10",
-          "citation": {
-            "text": "National Communications Systems Directive 3-10"
-          }
-        },
-        {
-          "uuid": "654f21e2-f3bc-43b2-abdc-60ab8d09744b",
-          "title": "National Strategy for Trusted Identities in Cyberspace",
-          "citation": {
-            "text": "National Strategy for Trusted Identities in Cyberspace"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nist.gov/nstic"
-            }
-          ]
-        },
-        {
-          "uuid": "bdd2f49e-edf7-491f-a178-4487898228f3",
-          "title": "NIST Interagency Report 7622",
-          "citation": {
-            "text": "NIST Interagency Report 7622"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7622"
-            }
-          ]
-        },
-        {
-          "uuid": "9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-          "title": "NIST Special Publication 800-100",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-100"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-100"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-100"
-            }
-          ]
-        },
-        {
-          "uuid": "3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-          "title": "NIST Special Publication 800-111",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-111"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-111"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-111"
-            }
-          ]
-        },
-        {
-          "uuid": "349fe082-502d-464a-aa0c-1443c6a5cf40",
-          "title": "NIST Special Publication 800-113",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-113"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-113"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-113"
-            }
-          ]
-        },
-        {
-          "uuid": "1201fcf3-afb1-4675-915a-fb4ae0435717",
-          "title": "NIST Special Publication 800-114 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-114r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-114 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-114r1"
-            }
-          ]
-        },
-        {
-          "uuid": "c4691b88-57d1-463b-9053-2d0087913f31",
-          "title": "NIST Special Publication 800-115",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-115"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-115"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-115"
-            }
-          ]
-        },
-        {
-          "uuid": "2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-          "title": "NIST Special Publication 800-116 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-116r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-116 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-116r1"
-            }
-          ]
-        },
-        {
-          "uuid": "5c201b63-0768-417b-ac22-3f014e3941b2",
-          "title": "NIST Special Publication 800-12 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-12r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-12 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-12r1"
-            }
-          ]
-        },
-        {
-          "uuid": "d1a4e2a9-e512-4132-8795-5357aba29254",
-          "title": "NIST Special Publication 800-121",
-          "citation": {
-            "text": "NIST Special Publication 800-121"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-121"
-            }
-          ]
-        },
-        {
-          "uuid": "0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589",
-          "title": "NIST Special Publication 800-124",
-          "citation": {
-            "text": "NIST Special Publication 800-124"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-124"
-            }
-          ]
-        },
-        {
-          "uuid": "080f8068-5e3e-435e-9790-d22ba4722693",
-          "title": "NIST Special Publication 800-128",
-          "citation": {
-            "text": "NIST Special Publication 800-128"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-128"
-            }
-          ]
-        },
-        {
-          "uuid": "cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-          "title": "NIST Special Publication 800-137",
-          "citation": {
-            "text": "NIST Special Publication 800-137"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-137"
-            }
-          ]
-        },
-        {
-          "uuid": "6bf8d24a-78dc-4727-a2ac-0e64d71c495c",
-          "title": "NIST Special Publication 800-147",
-          "citation": {
-            "text": "NIST Special Publication 800-147"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-147"
-            }
-          ]
-        },
-        {
-          "uuid": "3878cc04-144a-483e-af62-8fe6f4ad6c7a",
-          "title": "NIST Special Publication 800-155",
-          "citation": {
-            "text": "NIST Special Publication 800-155"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-155"
-            }
-          ]
-        },
-        {
-          "uuid": "825438c3-248d-4e30-a51e-246473ce6ada",
-          "title": "NIST Special Publication 800-16",
-          "citation": {
-            "text": "NIST Special Publication 800-16"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-16"
-            }
-          ]
-        },
-        {
-          "uuid": "8ab6bcdc-339b-4068-b45e-994814a6e187",
-          "title": "NIST Special Publication 800-161",
-          "citation": {
-            "text": "NIST Special Publication 800-161"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-161"
-            }
-          ]
-        },
-        {
-          "uuid": "6513e480-fada-4876-abba-1397084dfb26",
-          "title": "NIST Special Publication 800-164",
-          "citation": {
-            "text": "NIST Special Publication 800-164"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-164"
-            }
-          ]
-        },
-        {
-          "uuid": "9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-          "title": "NIST Special Publication 800-18",
-          "citation": {
-            "text": "NIST Special Publication 800-18"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-18"
-            }
-          ]
-        },
-        {
-          "uuid": "0a5db899-f033-467f-8631-f5a8ba971475",
-          "title": "NIST Special Publication 800-23",
-          "citation": {
-            "text": "NIST Special Publication 800-23"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-23"
-            }
-          ]
-        },
-        {
-          "uuid": "21b1ed35-56d2-40a8-bdfe-b461fffe322f",
-          "title": "NIST Special Publication 800-27",
-          "citation": {
-            "text": "NIST Special Publication 800-27"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-27"
-            }
-          ]
-        },
-        {
-          "uuid": "e716cd51-d1d5-4c6a-967a-22e9fbbc42f1",
-          "title": "NIST Special Publication 800-28",
-          "citation": {
-            "text": "NIST Special Publication 800-28"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-28"
-            }
-          ]
-        },
-        {
-          "uuid": "a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-          "title": "NIST Special Publication 800-30",
-          "citation": {
-            "text": "NIST Special Publication 800-30"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-30"
-            }
-          ]
-        },
-        {
-          "uuid": "8f174e91-844e-4cf1-a72a-45c119a3a8dd",
-          "title": "NIST Special Publication 800-32",
-          "citation": {
-            "text": "NIST Special Publication 800-32"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-32"
-            }
-          ]
-        },
-        {
-          "uuid": "748a81b9-9cad-463f-abde-8b368167e70d",
-          "title": "NIST Special Publication 800-34",
-          "citation": {
-            "text": "NIST Special Publication 800-34"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-34"
-            }
-          ]
-        },
-        {
-          "uuid": "0c775bc3-bfc3-42c7-a382-88949f503171",
-          "title": "NIST Special Publication 800-35",
-          "citation": {
-            "text": "NIST Special Publication 800-35"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-35"
-            }
-          ]
-        },
-        {
-          "uuid": "d818efd3-db31-4953-8afa-9e76afe83ce2",
-          "title": "NIST Special Publication 800-36",
-          "citation": {
-            "text": "NIST Special Publication 800-36"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-36"
-            }
-          ]
-        },
-        {
-          "uuid": "0a0c26b6-fd44-4274-8b36-93442d49d998",
-          "title": "NIST Special Publication 800-37",
-          "citation": {
-            "text": "NIST Special Publication 800-37"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-37"
-            }
-          ]
-        },
-        {
-          "uuid": "d480aa6a-7a88-424e-a10c-ad1c7870354b",
-          "title": "NIST Special Publication 800-39",
-          "citation": {
-            "text": "NIST Special Publication 800-39"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-39"
-            }
-          ]
-        },
-        {
-          "uuid": "bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-          "title": "NIST Special Publication 800-40",
-          "citation": {
-            "text": "NIST Special Publication 800-40"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-40"
-            }
-          ]
-        },
-        {
-          "uuid": "756a8e86-57d5-4701-8382-f7a40439665a",
-          "title": "NIST Special Publication 800-41",
-          "citation": {
-            "text": "NIST Special Publication 800-41"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-41"
-            }
-          ]
-        },
-        {
-          "uuid": "c6e95ca0-5828-420e-b095-00895b72b5e8",
-          "title": "NIST Special Publication 800-45",
-          "citation": {
-            "text": "NIST Special Publication 800-45"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-45"
-            }
-          ]
-        },
-        {
-          "uuid": "5309d4d0-46f8-4213-a749-e7584164e5e8",
-          "title": "NIST Special Publication 800-46",
-          "citation": {
-            "text": "NIST Special Publication 800-46"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-46"
-            }
-          ]
-        },
-        {
-          "uuid": "2711f068-734e-4afd-94ba-0b22247fbc88",
-          "title": "NIST Special Publication 800-47",
-          "citation": {
-            "text": "NIST Special Publication 800-47"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-47"
-            }
-          ]
-        },
-        {
-          "uuid": "238ed479-eccb-49f6-82ec-ab74a7a428cf",
-          "title": "NIST Special Publication 800-48",
-          "citation": {
-            "text": "NIST Special Publication 800-48"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-48"
-            }
-          ]
-        },
-        {
-          "uuid": "e12b5738-de74-4fb3-8317-a3995a8a1898",
-          "title": "NIST Special Publication 800-50",
-          "citation": {
-            "text": "NIST Special Publication 800-50"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-50"
-            }
-          ]
-        },
-        {
-          "uuid": "90c5bc98-f9c4-44c9-98b7-787422f0999c",
-          "title": "NIST Special Publication 800-52",
-          "citation": {
-            "text": "NIST Special Publication 800-52"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-52"
-            }
-          ]
-        },
-        {
-          "uuid": "cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-          "title": "NIST Special Publication 800-53A",
-          "citation": {
-            "text": "NIST Special Publication 800-53A"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-53A"
-            }
-          ]
-        },
-        {
-          "uuid": "81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-          "title": "NIST Special Publication 800-56",
-          "citation": {
-            "text": "NIST Special Publication 800-56"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-56"
-            }
-          ]
-        },
-        {
-          "uuid": "a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-          "title": "NIST Special Publication 800-57",
-          "citation": {
-            "text": "NIST Special Publication 800-57"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-57"
-            }
-          ]
-        },
-        {
-          "uuid": "7783f3e7-09b3-478b-9aa2-4a76dfd0ea90",
-          "title": "NIST Special Publication 800-58",
-          "citation": {
-            "text": "NIST Special Publication 800-58"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-58"
-            }
-          ]
-        },
-        {
-          "uuid": "f152844f-b1ef-4836-8729-6277078ebee1",
-          "title": "NIST Special Publication 800-60",
-          "citation": {
-            "text": "NIST Special Publication 800-60"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-60"
-            }
-          ]
-        },
-        {
-          "uuid": "be95fb85-a53f-4624-bdbb-140075500aa3",
-          "title": "NIST Special Publication 800-61",
-          "citation": {
-            "text": "NIST Special Publication 800-61"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-61"
-            }
-          ]
-        },
-        {
-          "uuid": "644f44a9-a2de-4494-9c04-cd37fba45471",
-          "title": "NIST Special Publication 800-63",
-          "citation": {
-            "text": "NIST Special Publication 800-63"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-63"
-            }
-          ]
-        },
-        {
-          "uuid": "abd950ae-092f-4b7a-b374-1c7c67fe9350",
-          "title": "NIST Special Publication 800-64",
-          "citation": {
-            "text": "NIST Special Publication 800-64"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-64"
-            }
-          ]
-        },
-        {
-          "uuid": "29fcfe59-33cd-494a-8756-5907ae3a8f92",
-          "title": "NIST Special Publication 800-65",
-          "citation": {
-            "text": "NIST Special Publication 800-65"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-65"
-            }
-          ]
-        },
-        {
-          "uuid": "84a37532-6db6-477b-9ea8-f9085ebca0fc",
-          "title": "NIST Special Publication 800-70",
-          "citation": {
-            "text": "NIST Special Publication 800-70"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-70"
-            }
-          ]
-        },
-        {
-          "uuid": "ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-          "title": "NIST Special Publication 800-73",
-          "citation": {
-            "text": "NIST Special Publication 800-73"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-73"
-            }
-          ]
-        },
-        {
-          "uuid": "2a71298a-ee90-490e-80ff-48c967173a47",
-          "title": "NIST Special Publication 800-76",
-          "citation": {
-            "text": "NIST Special Publication 800-76"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-76"
-            }
-          ]
-        },
-        {
-          "uuid": "99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-          "title": "NIST Special Publication 800-77",
-          "citation": {
-            "text": "NIST Special Publication 800-77"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-77"
-            }
-          ]
-        },
-        {
-          "uuid": "2042d97b-f7f6-4c74-84f8-981867684659",
-          "title": "NIST Special Publication 800-78",
-          "citation": {
-            "text": "NIST Special Publication 800-78"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-78"
-            }
-          ]
-        },
-        {
-          "uuid": "6af1e841-672c-46c4-b121-96f603d04be3",
-          "title": "NIST Special Publication 800-81",
-          "citation": {
-            "text": "NIST Special Publication 800-81"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-81"
-            }
-          ]
-        },
-        {
-          "uuid": "6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-          "title": "NIST Special Publication 800-83",
-          "citation": {
-            "text": "NIST Special Publication 800-83"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-83"
-            }
-          ]
-        },
-        {
-          "uuid": "0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-          "title": "NIST Special Publication 800-84",
-          "citation": {
-            "text": "NIST Special Publication 800-84"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-84"
-            }
-          ]
-        },
-        {
-          "uuid": "263823e0-a971-4b00-959d-315b26278b22",
-          "title": "NIST Special Publication 800-88",
-          "citation": {
-            "text": "NIST Special Publication 800-88"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-88"
-            }
-          ]
-        },
-        {
-          "uuid": "672fd561-b92b-4713-b9cf-6c9d9456728b",
-          "title": "NIST Special Publication 800-92",
-          "citation": {
-            "text": "NIST Special Publication 800-92"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-92"
-            }
-          ]
-        },
-        {
-          "uuid": "d1b1d689-0f66-4474-9924-c81119758dc1",
-          "title": "NIST Special Publication 800-94",
-          "citation": {
-            "text": "NIST Special Publication 800-94"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-94"
-            }
-          ]
-        },
-        {
-          "uuid": "1ebdf782-d95d-4a7b-8ec7-ee860951eced",
-          "title": "NIST Special Publication 800-95",
-          "citation": {
-            "text": "NIST Special Publication 800-95"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-95"
-            }
-          ]
-        },
-        {
-          "uuid": "6f336ecd-f2a0-4c84-9699-0491d81b6e0d",
-          "title": "NIST Special Publication 800-97",
-          "citation": {
-            "text": "NIST Special Publication 800-97"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-97"
-            }
-          ]
-        },
-        {
-          "uuid": "06dff0ea-3848-4945-8d91-e955ee69f05d",
-          "title": "NSTISSI No. 7003",
-          "citation": {
-            "text": "NSTISSI No. 7003"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab",
-          "title": "OMB Circular A-130",
-          "citation": {
-            "text": "OMB Circular A-130"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/omb/circulars_a130_a130trans4"
-            }
-          ]
-        },
-        {
-          "uuid": "2c5884cd-7b96-425c-862a-99877e1cf909",
-          "title": "OMB Memorandum 02-01",
-          "citation": {
-            "text": "OMB Memorandum 02-01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/omb/memoranda_m02-01"
-            }
-          ]
-        },
-        {
-          "uuid": "ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-          "title": "OMB Memorandum 04-04",
-          "citation": {
-            "text": "OMB Memorandum 04-04"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "58ad6f27-af99-429f-86a8-8bb767b014b9",
-          "title": "OMB Memorandum 05-24",
-          "citation": {
-            "text": "OMB Memorandum 05-24"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "4da24a96-6cf8-435d-9d1f-c73247cad109",
-          "title": "OMB Memorandum 06-16",
-          "citation": {
-            "text": "OMB Memorandum 06-16"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "990268bf-f4a9-4c81-91ae-dc7d3115f4b1",
-          "title": "OMB Memorandum 07-11",
-          "citation": {
-            "text": "OMB Memorandum 07-11"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "0b3d8ba9-051f-498d-81ea-97f0f018c612",
-          "title": "OMB Memorandum 07-18",
-          "citation": {
-            "text": "OMB Memorandum 07-18"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "0916ef02-3618-411b-a525-565c088849a6",
-          "title": "OMB Memorandum 08-22",
-          "citation": {
-            "text": "OMB Memorandum 08-22"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "28115a56-da6b-4d44-b1df-51dd7f048a3e",
-          "title": "OMB Memorandum 08-23",
-          "citation": {
-            "text": "OMB Memorandum 08-23"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "599fe9ba-4750-4450-9eeb-b95bd19a5e8f",
-          "title": "OMB Memorandum 10-06-2011",
-          "citation": {
-            "text": "OMB Memorandum 10-06-2011"
-          }
-        },
-        {
-          "uuid": "74e740a4-c45d-49f3-a86e-eb747c549e01",
-          "title": "OMB Memorandum 11-11",
-          "citation": {
-            "text": "OMB Memorandum 11-11"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "bedb15b7-ec5c-4a68-807f-385125751fcd",
-          "title": "OMB Memorandum 11-33",
-          "citation": {
-            "text": "OMB Memorandum 11-33"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "dd2f5acd-08f1-435a-9837-f8203088dc1a",
-          "title": "Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n            (E-PACS)",
-          "citation": {
-            "text": "Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n               (E-PACS)"
-          }
-        },
-        {
-          "uuid": "8ade2fbe-e468-4ca8-9a40-54d7f23c32bb",
-          "title": "US-CERT Technical Cyber Security Alerts",
-          "citation": {
-            "text": "US-CERT Technical Cyber Security Alerts"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.us-cert.gov/ncas/alerts"
-            }
-          ]
-        },
-        {
-          "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48",
-          "title": "FedRAMP Applicable Laws and Regulations",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-citations"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-            }
-          ]
-        },
-        {
-          "uuid": "1a23a771-d481-4594-9a1a-71d584fa4123",
-          "title": "FedRAMP Master Acronym and Glossary",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-acronyms"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f",
-          "desc": "FedRAMP Logo",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-logo"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png"
-            }
-          ]
-        },
-        {
-          "uuid": "ad005eae-cc63-4e64-9109-3905a9a825e4",
-          "title": "NIST Special Publication (SP) 800-53",
-          "properties": [
-            {
-              "name": "version",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "Revision 4"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml",
-              "media-type": "application/xml"
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
diff --git a/content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile-min.json b/content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile-min.json
deleted file mode 100644
index d89c20ddbb..0000000000
--- a/content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile-min.json
+++ /dev/null
@@ -1 +0,0 @@
-{"profile":{"uuid":"b11dba1c-0c68-4724-9eaf-02de2d5bbb89","metadata":{"title":"FedRAMP High Baseline","published":"2020-06-01T00:00:00.000-04:00","last-modified":"2020-06-01T10:00:00.000-04:00","version":"1.2","oscal-version":"1.0.0-milestone3","roles":[{"id":"parpared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"parties":[{"uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","type":"organization","party-name":"Federal Risk and Authorization Management Program: Program Management Office","short-name":"FedRAMP PMO","links":[{"href":"https://fedramp.gov","rel":"homepage","text":""}],"addresses":[{"type":"work","postal-address":["1800 F St. NW",""],"city":"Washington","state":"DC","postal-code":"","country":"US"}],"email-addresses":["info@fedramp.gov"]},{"uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","type":"organization","party-name":"Federal Risk and Authorization Management Program: Joint Authorization Board","short-name":"FedRAMP JAB"}],"responsible-parties":{"prepared-by":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-pmo":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-jab":{"party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}}},"imports":[{"href":"#ad005eae-cc63-4e64-9109-3905a9a825e4","include":{"id-selectors":[{"control-id":"ac-1"},{"control-id":"ac-2"},{"control-id":"ac-2.1"},{"control-id":"ac-2.2"},{"control-id":"ac-2.3"},{"control-id":"ac-2.4"},{"control-id":"ac-2.5"},{"control-id":"ac-2.7"},{"control-id":"ac-2.9"},{"control-id":"ac-2.10"},{"control-id":"ac-2.11"},{"control-id":"ac-2.12"},{"control-id":"ac-2.13"},{"control-id":"ac-3"},{"control-id":"ac-4"},{"control-id":"ac-4.8"},{"control-id":"ac-4.21"},{"control-id":"ac-5"},{"control-id":"ac-6"},{"control-id":"ac-6.1"},{"control-id":"ac-6.2"},{"control-id":"ac-6.3"},{"control-id":"ac-6.5"},{"control-id":"ac-6.7"},{"control-id":"ac-6.8"},{"control-id":"ac-6.9"},{"control-id":"ac-6.10"},{"control-id":"ac-7"},{"control-id":"ac-7.2"},{"control-id":"ac-8"},{"control-id":"ac-10"},{"control-id":"ac-11"},{"control-id":"ac-11.1"},{"control-id":"ac-12"},{"control-id":"ac-12.1"},{"control-id":"ac-14"},{"control-id":"ac-17"},{"control-id":"ac-17.1"},{"control-id":"ac-17.2"},{"control-id":"ac-17.3"},{"control-id":"ac-17.4"},{"control-id":"ac-17.9"},{"control-id":"ac-18"},{"control-id":"ac-18.1"},{"control-id":"ac-18.3"},{"control-id":"ac-18.4"},{"control-id":"ac-18.5"},{"control-id":"ac-19"},{"control-id":"ac-19.5"},{"control-id":"ac-20"},{"control-id":"ac-20.1"},{"control-id":"ac-20.2"},{"control-id":"ac-21"},{"control-id":"ac-22"},{"control-id":"at-1"},{"control-id":"at-2"},{"control-id":"at-2.2"},{"control-id":"at-3"},{"control-id":"at-3.3"},{"control-id":"at-3.4"},{"control-id":"at-4"},{"control-id":"au-1"},{"control-id":"au-2"},{"control-id":"au-2.3"},{"control-id":"au-3"},{"control-id":"au-3.1"},{"control-id":"au-3.2"},{"control-id":"au-4"},{"control-id":"au-5"},{"control-id":"au-5.1"},{"control-id":"au-5.2"},{"control-id":"au-6"},{"control-id":"au-6.1"},{"control-id":"au-6.3"},{"control-id":"au-6.4"},{"control-id":"au-6.5"},{"control-id":"au-6.6"},{"control-id":"au-6.7"},{"control-id":"au-6.10"},{"control-id":"au-7"},{"control-id":"au-7.1"},{"control-id":"au-8"},{"control-id":"au-8.1"},{"control-id":"au-9"},{"control-id":"au-9.2"},{"control-id":"au-9.3"},{"control-id":"au-9.4"},{"control-id":"au-10"},{"control-id":"au-11"},{"control-id":"au-12"},{"control-id":"au-12.1"},{"control-id":"au-12.3"},{"control-id":"ca-1"},{"control-id":"ca-2"},{"control-id":"ca-2.1"},{"control-id":"ca-2.2"},{"control-id":"ca-2.3"},{"control-id":"ca-3"},{"control-id":"ca-3.3"},{"control-id":"ca-3.5"},{"control-id":"ca-5"},{"control-id":"ca-6"},{"control-id":"ca-7"},{"control-id":"ca-7.1"},{"control-id":"ca-7.3"},{"control-id":"ca-8"},{"control-id":"ca-8.1"},{"control-id":"ca-9"},{"control-id":"cm-1"},{"control-id":"cm-2"},{"control-id":"cm-2.1"},{"control-id":"cm-2.2"},{"control-id":"cm-2.3"},{"control-id":"cm-2.7"},{"control-id":"cm-3"},{"control-id":"cm-3.1"},{"control-id":"cm-3.2"},{"control-id":"cm-3.4"},{"control-id":"cm-3.6"},{"control-id":"cm-4"},{"control-id":"cm-4.1"},{"control-id":"cm-5"},{"control-id":"cm-5.1"},{"control-id":"cm-5.2"},{"control-id":"cm-5.3"},{"control-id":"cm-5.5"},{"control-id":"cm-6"},{"control-id":"cm-6.1"},{"control-id":"cm-6.2"},{"control-id":"cm-7"},{"control-id":"cm-7.1"},{"control-id":"cm-7.2"},{"control-id":"cm-7.5"},{"control-id":"cm-8"},{"control-id":"cm-8.1"},{"control-id":"cm-8.2"},{"control-id":"cm-8.3"},{"control-id":"cm-8.4"},{"control-id":"cm-8.5"},{"control-id":"cm-9"},{"control-id":"cm-10"},{"control-id":"cm-10.1"},{"control-id":"cm-11"},{"control-id":"cm-11.1"},{"control-id":"cp-1"},{"control-id":"cp-2"},{"control-id":"cp-2.1"},{"control-id":"cp-2.2"},{"control-id":"cp-2.3"},{"control-id":"cp-2.4"},{"control-id":"cp-2.5"},{"control-id":"cp-2.8"},{"control-id":"cp-3"},{"control-id":"cp-3.1"},{"control-id":"cp-4"},{"control-id":"cp-4.1"},{"control-id":"cp-4.2"},{"control-id":"cp-6"},{"control-id":"cp-6.1"},{"control-id":"cp-6.2"},{"control-id":"cp-6.3"},{"control-id":"cp-7"},{"control-id":"cp-7.1"},{"control-id":"cp-7.2"},{"control-id":"cp-7.3"},{"control-id":"cp-7.4"},{"control-id":"cp-8"},{"control-id":"cp-8.1"},{"control-id":"cp-8.2"},{"control-id":"cp-8.3"},{"control-id":"cp-8.4"},{"control-id":"cp-9"},{"control-id":"cp-9.1"},{"control-id":"cp-9.2"},{"control-id":"cp-9.3"},{"control-id":"cp-9.5"},{"control-id":"cp-10"},{"control-id":"cp-10.2"},{"control-id":"cp-10.4"},{"control-id":"ia-1"},{"control-id":"ia-2"},{"control-id":"ia-2.1"},{"control-id":"ia-2.2"},{"control-id":"ia-2.3"},{"control-id":"ia-2.4"},{"control-id":"ia-2.5"},{"control-id":"ia-2.8"},{"control-id":"ia-2.9"},{"control-id":"ia-2.11"},{"control-id":"ia-2.12"},{"control-id":"ia-3"},{"control-id":"ia-4"},{"control-id":"ia-4.4"},{"control-id":"ia-5"},{"control-id":"ia-5.1"},{"control-id":"ia-5.2"},{"control-id":"ia-5.3"},{"control-id":"ia-5.4"},{"control-id":"ia-5.6"},{"control-id":"ia-5.7"},{"control-id":"ia-5.8"},{"control-id":"ia-5.11"},{"control-id":"ia-5.13"},{"control-id":"ia-6"},{"control-id":"ia-7"},{"control-id":"ia-8"},{"control-id":"ia-8.1"},{"control-id":"ia-8.2"},{"control-id":"ia-8.3"},{"control-id":"ia-8.4"},{"control-id":"ir-1"},{"control-id":"ir-2"},{"control-id":"ir-2.1"},{"control-id":"ir-2.2"},{"control-id":"ir-3"},{"control-id":"ir-3.2"},{"control-id":"ir-4"},{"control-id":"ir-4.1"},{"control-id":"ir-4.2"},{"control-id":"ir-4.3"},{"control-id":"ir-4.4"},{"control-id":"ir-4.6"},{"control-id":"ir-4.8"},{"control-id":"ir-5"},{"control-id":"ir-5.1"},{"control-id":"ir-6"},{"control-id":"ir-6.1"},{"control-id":"ir-7"},{"control-id":"ir-7.1"},{"control-id":"ir-7.2"},{"control-id":"ir-8"},{"control-id":"ir-9"},{"control-id":"ir-9.1"},{"control-id":"ir-9.2"},{"control-id":"ir-9.3"},{"control-id":"ir-9.4"},{"control-id":"ma-1"},{"control-id":"ma-2"},{"control-id":"ma-2.2"},{"control-id":"ma-3"},{"control-id":"ma-3.1"},{"control-id":"ma-3.2"},{"control-id":"ma-3.3"},{"control-id":"ma-4"},{"control-id":"ma-4.2"},{"control-id":"ma-4.3"},{"control-id":"ma-4.6"},{"control-id":"ma-5"},{"control-id":"ma-5.1"},{"control-id":"ma-6"},{"control-id":"mp-1"},{"control-id":"mp-2"},{"control-id":"mp-3"},{"control-id":"mp-4"},{"control-id":"mp-5"},{"control-id":"mp-5.4"},{"control-id":"mp-6"},{"control-id":"mp-6.1"},{"control-id":"mp-6.2"},{"control-id":"mp-6.3"},{"control-id":"mp-7"},{"control-id":"mp-7.1"},{"control-id":"pe-1"},{"control-id":"pe-2"},{"control-id":"pe-3"},{"control-id":"pe-3.1"},{"control-id":"pe-4"},{"control-id":"pe-5"},{"control-id":"pe-6"},{"control-id":"pe-6.1"},{"control-id":"pe-6.4"},{"control-id":"pe-8"},{"control-id":"pe-8.1"},{"control-id":"pe-9"},{"control-id":"pe-10"},{"control-id":"pe-11"},{"control-id":"pe-11.1"},{"control-id":"pe-12"},{"control-id":"pe-13"},{"control-id":"pe-13.1"},{"control-id":"pe-13.2"},{"control-id":"pe-13.3"},{"control-id":"pe-14"},{"control-id":"pe-14.2"},{"control-id":"pe-15"},{"control-id":"pe-15.1"},{"control-id":"pe-16"},{"control-id":"pe-17"},{"control-id":"pe-18"},{"control-id":"pl-1"},{"control-id":"pl-2"},{"control-id":"pl-2.3"},{"control-id":"pl-4"},{"control-id":"pl-4.1"},{"control-id":"pl-8"},{"control-id":"ps-1"},{"control-id":"ps-2"},{"control-id":"ps-3"},{"control-id":"ps-3.3"},{"control-id":"ps-4"},{"control-id":"ps-4.2"},{"control-id":"ps-5"},{"control-id":"ps-6"},{"control-id":"ps-7"},{"control-id":"ps-8"},{"control-id":"ra-1"},{"control-id":"ra-2"},{"control-id":"ra-3"},{"control-id":"ra-5"},{"control-id":"ra-5.1"},{"control-id":"ra-5.2"},{"control-id":"ra-5.3"},{"control-id":"ra-5.4"},{"control-id":"ra-5.5"},{"control-id":"ra-5.6"},{"control-id":"ra-5.8"},{"control-id":"ra-5.10"},{"control-id":"sa-1"},{"control-id":"sa-2"},{"control-id":"sa-3"},{"control-id":"sa-4"},{"control-id":"sa-4.1"},{"control-id":"sa-4.2"},{"control-id":"sa-4.8"},{"control-id":"sa-4.9"},{"control-id":"sa-4.10"},{"control-id":"sa-5"},{"control-id":"sa-8"},{"control-id":"sa-9"},{"control-id":"sa-9.1"},{"control-id":"sa-9.2"},{"control-id":"sa-9.4"},{"control-id":"sa-9.5"},{"control-id":"sa-10"},{"control-id":"sa-10.1"},{"control-id":"sa-11"},{"control-id":"sa-11.1"},{"control-id":"sa-11.2"},{"control-id":"sa-11.8"},{"control-id":"sa-12"},{"control-id":"sa-15"},{"control-id":"sa-16"},{"control-id":"sa-17"},{"control-id":"sc-1"},{"control-id":"sc-2"},{"control-id":"sc-3"},{"control-id":"sc-4"},{"control-id":"sc-5"},{"control-id":"sc-6"},{"control-id":"sc-7"},{"control-id":"sc-7.3"},{"control-id":"sc-7.4"},{"control-id":"sc-7.5"},{"control-id":"sc-7.7"},{"control-id":"sc-7.8"},{"control-id":"sc-7.10"},{"control-id":"sc-7.12"},{"control-id":"sc-7.13"},{"control-id":"sc-7.18"},{"control-id":"sc-7.20"},{"control-id":"sc-7.21"},{"control-id":"sc-8"},{"control-id":"sc-8.1"},{"control-id":"sc-10"},{"control-id":"sc-12"},{"control-id":"sc-12.1"},{"control-id":"sc-12.2"},{"control-id":"sc-12.3"},{"control-id":"sc-13"},{"control-id":"sc-15"},{"control-id":"sc-17"},{"control-id":"sc-18"},{"control-id":"sc-19"},{"control-id":"sc-20"},{"control-id":"sc-21"},{"control-id":"sc-22"},{"control-id":"sc-23"},{"control-id":"sc-23.1"},{"control-id":"sc-24"},{"control-id":"sc-28"},{"control-id":"sc-28.1"},{"control-id":"sc-39"},{"control-id":"si-1"},{"control-id":"si-2"},{"control-id":"si-2.1"},{"control-id":"si-2.2"},{"control-id":"si-2.3"},{"control-id":"si-3"},{"control-id":"si-3.1"},{"control-id":"si-3.2"},{"control-id":"si-3.7"},{"control-id":"si-4"},{"control-id":"si-4.1"},{"control-id":"si-4.2"},{"control-id":"si-4.4"},{"control-id":"si-4.5"},{"control-id":"si-4.11"},{"control-id":"si-4.14"},{"control-id":"si-4.16"},{"control-id":"si-4.18"},{"control-id":"si-4.19"},{"control-id":"si-4.20"},{"control-id":"si-4.22"},{"control-id":"si-4.23"},{"control-id":"si-4.24"},{"control-id":"si-5"},{"control-id":"si-5.1"},{"control-id":"si-6"},{"control-id":"si-7"},{"control-id":"si-7.1"},{"control-id":"si-7.2"},{"control-id":"si-7.5"},{"control-id":"si-7.7"},{"control-id":"si-7.14"},{"control-id":"si-8"},{"control-id":"si-8.1"},{"control-id":"si-8.2"},{"control-id":"si-10"},{"control-id":"si-11"},{"control-id":"si-12"},{"control-id":"si-16"}]}}],"merge":{"combine":{"method":"keep"},"as-is":true},"modify":{"parameter-settings":{"ac-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"ac-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"ac-2_prm_4":{"constraints":[{"detail":"monthly for privileged accessed, every six (6) months for non-privileged access"}]},"ac-2.2_prm_1":{"constraints":[{"detail":"Selection: disables"}]},"ac-2.2_prm_2":{"constraints":[{"detail":"24 hours from last use"}]},"ac-2.3_prm_1":{"constraints":[{"detail":"35 days for user accounts"}]},"ac-2.4_prm_1":{"constraints":[{"detail":"organization and/or service provider system owner"}]},"ac-2.5_prm_1":{"constraints":[{"detail":"inactivity is anticipated to exceed Fifteen (15) minutes"}]},"ac-2.7_prm_1":{"constraints":[{"detail":"disables/revokes access within a organization-specified timeframe"}]},"ac-2.9_prm_1":{"constraints":[{"detail":"organization-defined need with justification statement that explains why such accounts are necessary"}]},"ac-2.12_prm_2":{"constraints":[{"detail":"at a minimum, the ISSO and/or similar role within the organization"}]},"ac-2.13_prm_1":{"constraints":[{"detail":"one (1) hour"}]},"ac-6.1_prm_1":{"constraints":[{"detail":"all functions not publicly accessible and all security-relevant information not publicly available"}]},"ac-6.2_prm_1":{"constraints":[{"detail":"all security functions"}]},"ac-6.3_prm_1":{"constraints":[{"detail":"all privileged commands"}]},"ac-6.7_prm_1":{"constraints":[{"detail":"at a minimum, annually"}]},"ac-6.7_prm_2":{"constraints":[{"detail":"all users with privileges"}]},"ac-6.8_prm_1":{"constraints":[{"detail":"any software except software explicitly documented"}]},"ac-7_prm_1":{"constraints":[{"detail":"not more than three (3)"}]},"ac-7_prm_2":{"constraints":[{"detail":"fifteen (15) minutes"}]},"ac-7_prm_4":{"constraints":[{"detail":"locks the account/node for a minimum of three (3) hours or until unlocked by an administrator"}]},"ac-7.2_prm_1":{"constraints":[{"detail":"mobile devices as defined by organization policy"}]},"ac-7.2_prm_3":{"constraints":[{"detail":"three (3)"}]},"ac-8_prm_1":{"constraints":[{"detail":"see additional Requirements and Guidance"}]},"ac-8_prm_2":{"constraints":[{"detail":"see additional Requirements and Guidance"}]},"ac-10_prm_2":{"constraints":[{"detail":"three (3) sessions for privileged access and two (2) sessions for non-privileged access"}]},"ac-11_prm_1":{"constraints":[{"detail":"fifteen (15) minutes"}]},"ac-17.9_prm_1":{"constraints":[{"detail":"fifteen (15) minutes"}]},"ac-22_prm_1":{"constraints":[{"detail":"at least quarterly"}]},"at-1_prm_2":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"at-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"at-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"at-3_prm_1":{"constraints":[{"detail":"at least annually"}]},"at-3.4_prm_1":{"constraints":[{"detail":"malicious code indicators as defined by organization incident policy/capability."}]},"at-4_prm_1":{"constraints":[{"detail":"five (5) years or 5 years after completion of a specific training program"}]},"au-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"au-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"au-2_prm_1":{"constraints":[{"detail":"successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"}]},"au-2_prm_2":{"constraints":[{"detail":"organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event"}]},"au-2.3_prm_1":{"constraints":[{"detail":"annually or whenever there is a change in the threat environment"}]},"au-3.1_prm_1":{"constraints":[{"detail":"session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands"}]},"au-3.2_prm_1":{"constraints":[{"detail":"all network, data storage, and computing devices"}]},"au-5_prm_2":{"constraints":[{"detail":"organization-defined actions to be taken (overwrite oldest record)"}]},"au-5.2_prm_1":{"constraints":[{"detail":"real-time"}]},"au-5.2_prm_2":{"constraints":[{"detail":"service provider personnel with authority to address failed audit events"}]},"au-5.2_prm_3":{"constraints":[{"detail":"audit failure events requiring real-time alerts, as defined by organization audit policy"}]},"au-6_prm_1":{"constraints":[{"detail":"at least weekly"}]},"au-6.5_prm_2":{"constraints":[{"detail":"Possibly to include penetration test data."}]},"au-6.7_prm_1":{"constraints":[{"detail":"information system process; role; user"}]},"au-8_prm_1":{"constraints":[{"detail":"one second granularity of time measurement"}]},"au-8.1_prm_1":{"constraints":[{"detail":"At least hourly"}]},"au-8.1_prm_2":{"constraints":[{"detail":"http://tf.nist.gov/tf-cgi/servers.cgi"}]},"au-9.2_prm_1":{"constraints":[{"detail":"at least weekly"}]},"au-10_prm_1":{"constraints":[{"detail":"minimum actions including the addition, modification, deletion, approval, sending, or receiving of data"}]},"au-11_prm_1":{"constraints":[{"detail":"at least one (1) year"}]},"au-12_prm_1":{"constraints":[{"detail":"all information system and network components where audit capability is deployed/available"}]},"au-12.1_prm_1":{"constraints":[{"detail":"all network, data storage, and computing devices"}]},"au-12.3_prm_1":{"constraints":[{"detail":"service provider-defined individuals or roles with audit configuration responsibilities"}]},"au-12.3_prm_2":{"constraints":[{"detail":"all network, data storage, and computing devices"}]},"ca-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"ca-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"ca-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"ca-2_prm_2":{"constraints":[{"detail":"individuals or roles to include FedRAMP PMO"}]},"ca-2.2_prm_1":{"constraints":[{"detail":"at least annually"}]},"ca-2.3_prm_1":{"constraints":[{"detail":"any FedRAMP Accredited 3PAO"}]},"ca-2.3_prm_2":{"constraints":[{"detail":"any FedRAMP Accredited 3PAO"}]},"ca-2.3_prm_3":{"constraints":[{"detail":"the conditions of the JAB/AO in the FedRAMP Repository"}]},"ca-3_prm_1":{"constraints":[{"detail":"At least annually and on input from FedRAMP"}]},"ca-3.3_prm_2":{"constraints":[{"detail":"boundary protections which meet the Trusted Internet Connection (TIC) requirements"}]},"ca-3.5_prm_1":{"constraints":[{"detail":"deny-all, permit by exception"}]},"ca-3.5_prm_2":{"constraints":[{"detail":"any systems"}]},"ca-5_prm_1":{"constraints":[{"detail":"at least monthly"}]},"ca-6_prm_1":{"constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},"ca-7_prm_4":{"constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},"ca-7_prm_5":{"constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},"ca-8_prm_1":{"constraints":[{"detail":"at least annually"}]},"cm-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"cm-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"cm-2.1_prm_1":{"constraints":[{"detail":"at least annually or when a significant change occurs"}]},"cm-2.1_prm_2":{"constraints":[{"detail":"to include when directed by the JAB"}]},"cm-2.3_prm_1":{"constraints":[{"detail":"organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components"}]},"cm-3.1_prm_2":{"constraints":[{"detail":"organization agreed upon time period"}]},"cm-3.1_prm_3":{"constraints":[{"detail":"organization defined configuration management approval authorities"}]},"cm-3.4_prm_1":{"constraints":[{"detail":"Configuration control board (CCB) or similar (as defined in CM-3)"}]},"cm-3.6_prm_1":{"constraints":[{"detail":"All security safeguards that rely on cryptography"}]},"cm-5.2_prm_1":{"constraints":[{"detail":"at least every thirty (30) days"}]},"cm-5.5_prm_1":{"constraints":[{"detail":"at least quarterly"}]},"cm-6_prm_1":{"guidance":[{"prose":"See CM-6(a) Additional FedRAMP Requirements and Guidance"}]},"cm-7_prm_1":{"constraints":[{"detail":"United States Government Configuration Baseline (USGCB)"}]},"cm-7.1_prm_1":{"constraints":[{"detail":"at least monthly"}]},"cm-7.5_prm_2":{"constraints":[{"detail":"at least quarterly or when there is a change"}]},"cm-8_prm_2":{"constraints":[{"detail":"at least monthly"}]},"cm-8.3_prm_1":{"constraints":[{"detail":"Continuously, using automated mechanisms with a maximum five-minute delay in detection."}]},"cm-8.4_prm_1":{"constraints":[{"detail":"position and role"}]},"cm-11_prm_3":{"constraints":[{"detail":"Continuously (via CM-7 (5))"}]},"cp-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"cp-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"cp-2_prm_3":{"constraints":[{"detail":"at least annually"}]},"cp-2.4_prm_1":{"constraints":[{"detail":"time period defined in service provider and organization SLA"}]},"cp-3_prm_1":{"constraints":[{"detail":"ten (10) days"}]},"cp-3_prm_2":{"constraints":[{"detail":"at least annually"}]},"cp-4_prm_1":{"constraints":[{"detail":"at least annually"}]},"cp-4_prm_2":{"constraints":[{"detail":"functional exercises"}]},"cp-8.4_prm_1":{"constraints":[{"detail":"annually"}]},"cp-9_prm_1":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9_prm_2":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9_prm_3":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9.1_prm_1":{"constraints":[{"detail":"at least monthly"}]},"cp-9.5_prm_1":{"constraints":[{"detail":"time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA"}]},"cp-10.4_prm_1":{"constraints":[{"detail":"time period consistent with the restoration time-periods defined in the service provider and organization SLA"}]},"ia-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"ia-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"ia-2.11_prm_1":{"constraints":[{"detail":"FIPS 140-2, NIAP Certification, or NSA approval"}]},"ia-4_prm_1":{"constraints":[{"detail":"at a minimum, the ISSO (or similar role within the organization)"}]},"ia-4_prm_2":{"constraints":[{"detail":"at least two (2) years"}]},"ia-4_prm_3":{"constraints":[{"detail":"thirty-five (35) days (See additional requirements and guidance.)"}]},"ia-4.4_prm_1":{"constraints":[{"detail":"contractors; foreign nationals]"}]},"ia-5.1_prm_2":{"constraints":[{"detail":"at least fifty percent (50%)"}]},"ia-5.1_prm_4":{"constraints":[{"detail":"twenty four (24)"}]},"ia-5.3_prm_1":{"constraints":[{"detail":"All hardware/biometric (multifactor authenticators)"}]},"ia-5.3_prm_2":{"constraints":[{"detail":"in person"}]},"ia-5.4_prm_1":{"constraints":[{"detail":"complexity as identified in IA-5 (1) Control Enhancement Part (a)"}]},"ia-5.8_prm_1":{"constraints":[{"detail":"different authenticators on different systems"}]},"ir-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"ir-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"ir-2_prm_1":{"constraints":[{"detail":"within ten (10) days"}]},"ir-2_prm_2":{"constraints":[{"detail":"at least annually"}]},"ir-3_prm_1":{"constraints":[{"detail":"at least every six (6) months"}]},"ir-4.2_prm_1":{"constraints":[{"detail":"all network, data storage, and computing devices"}]},"ir-4.8_prm_1":{"constraints":[{"detail":"external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)"}]},"ir-6_prm_1":{"constraints":[{"detail":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},"ir-8_prm_2":{"constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},"ir-8_prm_3":{"constraints":[{"detail":"at least annually"}]},"ir-8_prm_4":{"constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},"ir-9.2_prm_1":{"constraints":[{"detail":"at least annually"}]},"ma-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"ma-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"ma-3.3_prm_1":{"constraints":[{"detail":"the information owner explicitly authorizing removal of the equipment from the facility"}]},"mp-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"mp-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"mp-2_prm_1":{"constraints":[{"detail":"any digital and non-digital media deemed sensitive"}]},"mp-3_prm_1":{"constraints":[{"detail":"no removable media types"}]},"mp-3_prm_2":{"constraints":[{"detail":"organization-defined security safeguards not applicable"}]},"mp-4_prm_1":{"constraints":[{"detail":"all types of digital and non-digital media with sensitive information"}]},"mp-4_prm_2":{"constraints":[{"detail":"see additional FedRAMP requirements and guidance"}]},"mp-5_prm_1":{"constraints":[{"detail":"all media with sensitive information"}]},"mp-5_prm_2":{"constraints":[{"detail":"prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container"}]},"mp-6_prm_2":{"constraints":[{"detail":"techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations"}]},"mp-6.2_prm_1":{"constraints":[{"detail":"at least every six (6) months"}]},"pe-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"pe-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"pe-2_prm_1":{"constraints":[{"detail":"at least every ninety (90) days"}]},"pe-3_prm_2":{"constraints":[{"detail":"CSP defined physical access control systems/devices AND guards"}]},"pe-3_prm_3":{"constraints":[{"detail":"CSP defined physical access control systems/devices"}]},"pe-3_prm_6":{"constraints":[{"detail":"in all circumstances within restricted access area where the information system resides"}]},"pe-3_prm_8":{"constraints":[{"detail":"at least annually"}]},"pe-3_prm_9":{"constraints":[{"detail":"at least annually"}]},"pe-6_prm_1":{"constraints":[{"detail":"at least monthly"}]},"pe-8_prm_1":{"constraints":[{"detail":"for a minimum of one (1) year"}]},"pe-8_prm_2":{"constraints":[{"detail":"at least monthly"}]},"pe-13.1_prm_1":{"constraints":[{"detail":"service provider building maintenance/physical security personnel"}]},"pe-13.1_prm_2":{"constraints":[{"detail":"service provider emergency responders with incident response responsibilities"}]},"pe-14_prm_1":{"constraints":[{"detail":"consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},"pe-14_prm_2":{"constraints":[{"detail":"continuously"}]},"pe-15.1_prm_1":{"constraints":[{"detail":"service provider building maintenance/physical security personnel"}]},"pe-16_prm_1":{"constraints":[{"detail":"all information system components"}]},"pe-18_prm_1":{"constraints":[{"detail":"physical and environmental hazards identified during threat assessment"}]},"pl-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"pl-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"pl-2_prm_2":{"constraints":[{"detail":"at least annually"}]},"pl-4_prm_1":{"constraints":[{"detail":"annually"}]},"pl-8_prm_1":{"constraints":[{"detail":"at least annually or when a significant change occurs"}]},"ps-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"ps-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"ps-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"ps-3_prm_1":{"constraints":[{"detail":"for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions"}]},"ps-3.3_prm_1":{"constraints":[{"detail":"personnel screening criteria - as required by specific information"}]},"ps-4_prm_1":{"constraints":[{"detail":"eight (8) hours"}]},"ps-4.2_prm_1":{"constraints":[{"detail":"access control personnel responsible for disabling access to the system"}]},"ps-5_prm_2":{"constraints":[{"detail":"twenty-four (24) hours"}]},"ps-5_prm_4":{"constraints":[{"detail":"twenty-four (24) hours"}]},"ps-6_prm_1":{"constraints":[{"detail":"at least annually"}]},"ps-6_prm_2":{"constraints":[{"detail":"at least annually and any time there is a change to the user's level of access"}]},"ps-7_prm_2":{"constraints":[{"detail":"terminations: immediately; transfers: within twenty-four (24) hours"}]},"ps-8_prm_1":{"constraints":[{"detail":"at a minimum, the ISSO and/or similar role within the organization"}]},"ra-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"ra-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"ra-3_prm_2":{"constraints":[{"detail":"security assessment report"}]},"ra-3_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"ra-3_prm_5":{"constraints":[{"detail":"annually"}]},"ra-5_prm_1":{"constraints":[{"detail":"monthly operating system/infrastructure; monthly web applications and databases"}]},"ra-5_prm_2":{"constraints":[{"detail":"high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"}]},"ra-5.2_prm_1":{"constraints":[{"detail":"prior to a new scan"}]},"ra-5.4_prm_1":{"constraints":[{"detail":"notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions"}]},"ra-5.5_prm_1":{"constraints":[{"detail":"operating systems / web applications / databases"}]},"ra-5.5_prm_2":{"constraints":[{"detail":"all scans"}]},"sa-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"sa-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"sa-4.2_prm_1":{"constraints":[{"detail":"at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]"}]},"sa-4.8_prm_1":{"constraints":[{"detail":"at least the minimum requirement as defined in control CA-7"}]},"sa-5_prm_2":{"constraints":[{"detail":"at a minimum, the ISSO (or similar role within the organization)"}]},"sa-9_prm_1":{"constraints":[{"detail":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},"sa-9_prm_2":{"constraints":[{"detail":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]},"sa-9.2_prm_1":{"constraints":[{"detail":"all external systems where Federal information is processed or stored"}]},"sa-9.4_prm_2":{"constraints":[{"detail":"all external systems where Federal information is processed or stored"}]},"sa-9.5_prm_1":{"constraints":[{"detail":"information processing, information data, AND information services"}]},"sa-9.5_prm_2":{"constraints":[{"detail":"U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction"}]},"sa-9.5_prm_3":{"constraints":[{"detail":"all High Impact Data, Systems, or Services"}]},"sa-10_prm_1":{"constraints":[{"detail":"development, implementation, AND operation"}]},"sa-12_prm_1":{"constraints":[{"detail":"organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures"}]},"sa-15_prm_1":{"constraints":[{"detail":"as needed and as dictated by the current threat posture"}]},"sa-15_prm_2":{"constraints":[{"detail":"organization and service provider- defined security requirements"}]},"sc-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"sc-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"sc-7.4_prm_1":{"constraints":[{"detail":"at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions"}]},"sc-7.12_prm_1":{"constraints":[{"detail":"Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall"}]},"sc-8_prm_1":{"constraints":[{"detail":"confidentiality AND integrity"}]},"sc-8.1_prm_1":{"constraints":[{"detail":"prevent unauthorized disclosure of information AND detect changes to information"}]},"sc-8.1_prm_2":{"constraints":[{"detail":"a hardened or alarmed carrier Protective Distribution System (PDS)"}]},"sc-10_prm_1":{"constraints":[{"detail":"no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions"}]},"sc-12.2_prm_1":{"constraints":[{"detail":"NIST FIPS-compliant"}]},"sc-13_prm_1":{"constraints":[{"detail":"FIPS-validated or NSA-approved cryptography"}]},"sc-15_prm_1":{"constraints":[{"detail":"no exceptions"}]},"sc-28_prm_1":{"constraints":[{"detail":"confidentiality AND integrity"}]},"sc-28.1_prm_2":{"constraints":[{"detail":"all information system components storing customer data deemed sensitive"}]},"si-1_prm_2":{"constraints":[{"detail":"at least annually"}]},"si-1_prm_3":{"constraints":[{"detail":"at least annually or whenever a significant change occurs"}]},"si-2_prm_1":{"constraints":[{"detail":"thirty (30) days of release of updates"}]},"si-2.2_prm_1":{"constraints":[{"detail":"at least monthly"}]},"si-3_prm_1":{"constraints":[{"detail":"at least weekly"}]},"si-3_prm_2":{"constraints":[{"detail":"to include endpoints"}]},"si-3_prm_3":{"constraints":[{"detail":"to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime"}]},"si-4.4_prm_1":{"constraints":[{"detail":"continuously"}]},"si-5_prm_1":{"constraints":[{"detail":"to include US-CERT"}]},"si-5_prm_2":{"constraints":[{"detail":"to include system security personnel and administrators with configuration/patch-management responsibilities"}]},"si-6_prm_3":{"constraints":[{"detail":"to include upon system startup and/or restart"}]},"si-6_prm_4":{"constraints":[{"detail":"at least monthly"}]},"si-6_prm_5":{"constraints":[{"detail":"to include system administrators and security personnel"}]},"si-6_prm_7":{"constraints":[{"detail":"to include notification of system administrators and security personnel"}]},"si-7.1_prm_3":{"constraints":[{"detail":"selection to include security relevant events"}]},"si-7.1_prm_4":{"constraints":[{"detail":"at least monthly"}]}},"alterations":[{"control-id":"ac-1","additions":[{"position":"starting","id-ref":"ac-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-10","additions":[{"position":"starting","id-ref":"ac-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-10_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-10_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-11","additions":[{"position":"starting","id-ref":"ac-11","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-11.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-11.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-11.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-11.1","additions":[{"position":"starting","id-ref":"ac-11.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-12","additions":[{"position":"starting","id-ref":"ac-12","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-12.1","additions":[{"position":"ending","id-ref":"ac-12.1_smt","parts":[{"id":"ac-12.1_fr","name":"item","title":"AC-12 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-12.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29"}]}]},{"position":"starting","id-ref":"ac-12.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-12.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-12.1.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-14","additions":[{"position":"starting","id-ref":"ac-14.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-14.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-14.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-17","additions":[{"position":"starting","id-ref":"ac-17","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-17.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-17.1","additions":[{"position":"starting","id-ref":"ac-17.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-17.2","additions":[{"position":"starting","id-ref":"ac-17.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-17.3","additions":[{"position":"starting","id-ref":"ac-17.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-17.4","additions":[{"position":"starting","id-ref":"ac-17.4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-17.4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-17.9","additions":[{"position":"starting","id-ref":"ac-17.9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-17.9_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.9_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-18","additions":[{"position":"starting","id-ref":"ac-18","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-18.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-18.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-18.1","additions":[{"position":"starting","id-ref":"ac-18.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-18.3","additions":[{"position":"starting","id-ref":"ac-18.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-18.4","additions":[{"position":"starting","id-ref":"ac-18.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-18.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-18.5","additions":[{"position":"starting","id-ref":"ac-18.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-18.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-19","additions":[{"position":"starting","id-ref":"ac-19","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-19.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-19.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-19.5","additions":[{"position":"starting","id-ref":"ac-19.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-19.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-19.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2","additions":[{"position":"starting","id-ref":"ac-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.g_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.h_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.i_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.j_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.j_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.k_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-2.1","additions":[{"position":"starting","id-ref":"ac-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.10","additions":[{"position":"ending","id-ref":"ac-2.10_smt","parts":[{"id":"ac-2.10_fr","name":"item","title":"AC-2 (10) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.10_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Required if shared/group accounts are deployed"}]}]},{"position":"starting","id-ref":"ac-2.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.11","additions":[{"position":"starting","id-ref":"ac-2.11_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.11_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.12","additions":[{"position":"ending","id-ref":"ac-2.12_smt","parts":[{"id":"ac-2.12_fr","name":"item","title":"AC-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) Guidance:"}],"prose":"Required for privileged accounts."},{"id":"ac-2.12_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Required for privileged accounts."}]}]},{"position":"starting","id-ref":"ac-2.12","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.12.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.12.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.12.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.12.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.13","additions":[{"position":"starting","id-ref":"ac-2.13_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.13_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.2","additions":[{"position":"starting","id-ref":"ac-2.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.3","additions":[{"position":"ending","id-ref":"ac-2.3_smt","parts":[{"id":"ac-2.3_fr","name":"item","title":"AC-2 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.3_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available."}]}]},{"position":"starting","id-ref":"ac-2.3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.4","additions":[{"position":"starting","id-ref":"ac-2.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.4_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.5","additions":[{"position":"ending","id-ref":"ac-2.5_smt","parts":[{"id":"ac-2.5_fr","name":"item","title":"AC-2 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Should use a shorter timeframe than AC-12."}]}]},{"position":"starting","id-ref":"ac-2.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.7","additions":[{"position":"starting","id-ref":"ac-2.7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.7.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.7.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.9","additions":[{"position":"ending","id-ref":"ac-2.9_smt","parts":[{"id":"ac-2.9_fr","name":"item","title":"AC-2 (9) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.9_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Required if shared/group accounts are deployed"}]}]},{"position":"starting","id-ref":"ac-2.9_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.9_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-20","additions":[{"position":"starting","id-ref":"ac-20.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-20.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-20.1","additions":[{"position":"starting","id-ref":"ac-20.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-20.2","additions":[{"position":"starting","id-ref":"ac-20.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-21","additions":[{"position":"starting","id-ref":"ac-21.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-21.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-21.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-21.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-22","additions":[{"position":"starting","id-ref":"ac-22","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-22.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-22.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-22.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-3","additions":[{"position":"starting","id-ref":"ac-3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-4","additions":[{"position":"starting","id-ref":"ac-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-4.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-4.21","additions":[{"position":"starting","id-ref":"ac-4.21_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-4.21_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-4.21_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-4.8","additions":[{"position":"starting","id-ref":"ac-4.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-4.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-4.8_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-5","additions":[{"position":"ending","id-ref":"ac-5_smt","parts":[{"id":"ac-5_fr","name":"item","title":"AC-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP."}]}]},{"position":"starting","id-ref":"ac-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-6","additions":[{"position":"starting","id-ref":"ac-6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.1","additions":[{"position":"starting","id-ref":"ac-6.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.10","additions":[{"position":"starting","id-ref":"ac-6.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.2","additions":[{"position":"ending","id-ref":"ac-6.2_smt","parts":[{"id":"ac-6.2_fr","name":"item","title":"AC-6 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-6.2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions."}]}]},{"position":"starting","id-ref":"ac-6.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.3","additions":[{"position":"starting","id-ref":"ac-6.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-6.3_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ac-6.5","additions":[{"position":"starting","id-ref":"ac-6.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.7","additions":[{"position":"starting","id-ref":"ac-6.7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-6.7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.8","additions":[{"position":"starting","id-ref":"ac-6.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.9","additions":[{"position":"starting","id-ref":"ac-6.9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-6.9_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-7","additions":[{"position":"starting","id-ref":"ac-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-7.2","additions":[{"position":"starting","id-ref":"ac-7.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.2_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-8","additions":[{"position":"ending","id-ref":"ac-8_smt","parts":[{"id":"ac-8_fr","name":"item","title":"AC-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."},{"id":"ac-8_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."},{"id":"ac-8_fr_smt.3","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"ac-8.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-8.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-8.c.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"at-1","additions":[{"position":"starting","id-ref":"at-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"at-2","additions":[{"position":"starting","id-ref":"at-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"at-2.2","additions":[{"position":"starting","id-ref":"at-2.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"at-3","additions":[{"position":"starting","id-ref":"at-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"at-3.3","additions":[{"position":"starting","id-ref":"at-3.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"at-3.4","additions":[{"position":"starting","id-ref":"at-3.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-3.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"at-4","additions":[{"position":"starting","id-ref":"at-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"at-4.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-4.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-1","additions":[{"position":"starting","id-ref":"au-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"au-10","additions":[{"position":"starting","id-ref":"au-10.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-10.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-11","additions":[{"position":"ending","id-ref":"au-11_smt","parts":[{"id":"au-11_fr","name":"item","title":"AU-11 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-11_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."}]}]},{"position":"starting","id-ref":"au-11","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-11.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-12","additions":[{"position":"starting","id-ref":"au-12.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-12.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-12.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-12.1","additions":[{"position":"starting","id-ref":"au-12.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-12.3","additions":[{"position":"starting","id-ref":"au-12.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.3_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.3_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-2","additions":[{"position":"ending","id-ref":"au-2_smt","parts":[{"id":"au-2_fr","name":"item","title":"AU-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"au-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-2.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-2.3","additions":[{"position":"ending","id-ref":"au-2.3_smt","parts":[{"id":"au-2.3_fr","name":"item","title":"AU-2 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO."}]}]},{"position":"starting","id-ref":"au-2.3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-3","additions":[{"position":"starting","id-ref":"au-3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-3.1","additions":[{"position":"ending","id-ref":"au-3.1_smt","parts":[{"id":"au-3.1_fr","name":"item","title":"AU-3 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-3.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO."},{"id":"au-3.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry."}]}]},{"position":"starting","id-ref":"au-3.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-3.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-3.2","additions":[{"position":"starting","id-ref":"au-3.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-3.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-4","additions":[{"position":"starting","id-ref":"au-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-5","additions":[{"position":"starting","id-ref":"au-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-5.1","additions":[{"position":"starting","id-ref":"au-5.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.1_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-5.2","additions":[{"position":"starting","id-ref":"au-5.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.2_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-6","additions":[{"position":"ending","id-ref":"au-6_smt","parts":[{"id":"au-6_fr","name":"item","title":"AU-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."}]}]},{"position":"starting","id-ref":"au-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-6.1","additions":[{"position":"starting","id-ref":"au-6.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-6.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-6.10","additions":[{"position":"starting","id-ref":"au-6.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-6.3","additions":[{"position":"starting","id-ref":"au-6.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-6.4","additions":[{"position":"starting","id-ref":"au-6.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-6.5","additions":[{"position":"starting","id-ref":"au-6.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-6.5_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-6.6","additions":[{"position":"ending","id-ref":"au-6.6_smt","parts":[{"id":"au-6.6_fr","name":"item","title":"AU-6 (6) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-6.6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"au-6.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-6.7","additions":[{"position":"starting","id-ref":"au-6.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-7","additions":[{"position":"starting","id-ref":"au-7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-7.1","additions":[{"position":"starting","id-ref":"au-7.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-7.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-8","additions":[{"position":"starting","id-ref":"au-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-8.1","additions":[{"position":"ending","id-ref":"au-8.1_smt","parts":[{"id":"au-8.1_fr","name":"item","title":"AU-8 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-8.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server."},{"id":"au-8.1_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server."},{"id":"au-8.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Synchronization of system clocks improves the accuracy of log analysis."}]}]},{"position":"starting","id-ref":"au-8.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-8.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.1.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-8.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-9","additions":[{"position":"starting","id-ref":"au-9.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-9.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-9.2","additions":[{"position":"starting","id-ref":"au-9.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-9.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-9.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-9.3","additions":[{"position":"starting","id-ref":"au-9.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-9.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-9.4","additions":[{"position":"starting","id-ref":"au-9.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-9.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-1","additions":[{"position":"starting","id-ref":"ca-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ca-2","additions":[{"position":"ending","id-ref":"ca-2_smt","parts":[{"id":"ca-2_fr","name":"item","title":"CA-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-2.1","additions":[{"position":"ending","id-ref":"ca-2.1_smt","parts":[{"id":"ca-2.1_fr","name":"item","title":"CA-2 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."}]}]},{"position":"starting","id-ref":"ca-2.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-2.2","additions":[{"position":"ending","id-ref":"ca-2.2_smt","parts":[{"id":"ca-2.2_fr","name":"item","title":"CA-2 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"To include 'announced', 'vulnerability scanning'"}]}]},{"position":"starting","id-ref":"ca-2.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.2_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-2.3","additions":[{"position":"starting","id-ref":"ca-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.3_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-3","additions":[{"position":"starting","id-ref":"ca-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-3.3","additions":[{"position":"ending","id-ref":"ca-3.3_smt","parts":[{"id":"ca-3.3_fr","name":"item","title":"CA-3 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-3.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document."}]}]},{"position":"starting","id-ref":"ca-3.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-3.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-3.5","additions":[{"position":"ending","id-ref":"ca-3.5_smt","parts":[{"id":"ca-3.5_fr","name":"item","title":"CA-3 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-3.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing"}]}]},{"position":"starting","id-ref":"ca-3.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-3.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-5","additions":[{"position":"ending","id-ref":"ca-5_smt","parts":[{"id":"ca-5_fr","name":"item","title":"CA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Plan of Action & Milestones (POA&M) must be provided at least monthly."},{"id":"ca-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-6","additions":[{"position":"ending","id-ref":"ca-6_smt","parts":[{"id":"ca-6_fr","name":"item","title":"CA-6(c) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"ca-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-6.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-6.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-7","additions":[{"position":"ending","id-ref":"ca-7_smt","parts":[{"id":"ca-7_fr","name":"item","title":"CA-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."},{"id":"ca-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-7.1","additions":[{"position":"starting","id-ref":"ca-7.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-7.3","additions":[{"position":"starting","id-ref":"ca-7.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-8","additions":[{"position":"ending","id-ref":"ca-8_smt","parts":[{"id":"ca-8_fr","name":"item","title":"CA-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-8_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-8.1","additions":[{"position":"starting","id-ref":"ca-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-9","additions":[{"position":"starting","id-ref":"ca-9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-9.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-1","additions":[{"position":"starting","id-ref":"cm-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-1.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-10","additions":[{"position":"starting","id-ref":"cm-10.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-10.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-10.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-10.1","additions":[{"position":"starting","id-ref":"cm-10.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-10.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-11","additions":[{"position":"starting","id-ref":"cm-11.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-11.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-11.1","additions":[{"position":"starting","id-ref":"cm-11.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2","additions":[{"position":"starting","id-ref":"cm-2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2.1","additions":[{"position":"ending","id-ref":"cm-2.1_smt","parts":[{"id":"cm-2.1_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-2.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."}]}]},{"position":"starting","id-ref":"cm-2.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-2.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.1.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2.2","additions":[{"position":"starting","id-ref":"cm-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.2_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2.3","additions":[{"position":"starting","id-ref":"cm-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2.7","additions":[{"position":"starting","id-ref":"cm-2.7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-3","additions":[{"position":"ending","id-ref":"cm-3_smt","parts":[{"id":"cm-3_fr","name":"item","title":"CM-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-3_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO."},{"id":"cm-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(e) Guidance:"}],"prose":"In accordance with record retention policies and procedures."}]}]},{"position":"starting","id-ref":"cm-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-3.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-3.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.g_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.g_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-3.1","additions":[{"position":"starting","id-ref":"cm-3.1.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.1.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.1.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.1.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.1.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.1.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.1.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-3.2","additions":[{"position":"starting","id-ref":"cm-3.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-3.4","additions":[{"position":"starting","id-ref":"cm-3.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-3.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-3.6","additions":[{"position":"starting","id-ref":"cm-3.6_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.6_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-4","additions":[{"position":"starting","id-ref":"cm-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-4.1","additions":[{"position":"starting","id-ref":"cm-4.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-4.1_obj.2.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-4.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-4.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-4.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5","additions":[{"position":"starting","id-ref":"cm-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-5.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5_obj.7","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5_obj.8","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5.1","additions":[{"position":"starting","id-ref":"cm-5.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5.2","additions":[{"position":"starting","id-ref":"cm-5.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5.2_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5.3","additions":[{"position":"ending","id-ref":"cm-5.3_smt","parts":[{"id":"cm-5.3_fr","name":"item","title":"CM-5 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-5.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized."}]}]},{"position":"starting","id-ref":"cm-5.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5.5","additions":[{"position":"starting","id-ref":"cm-5.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-5.5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5.5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-6","additions":[{"position":"ending","id-ref":"cm-6_smt","parts":[{"id":"cm-6_fr","name":"item","title":"CM-6(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}]}]},{"position":"starting","id-ref":"cm-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-6.1","additions":[{"position":"starting","id-ref":"cm-6.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-6.2","additions":[{"position":"starting","id-ref":"cm-6.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7","additions":[{"position":"ending","id-ref":"cm-7_smt","parts":[{"id":"cm-7_fr","name":"item","title":"CM-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."},{"id":"cm-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8)."}]}]},{"position":"starting","id-ref":"cm-7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7.1","additions":[{"position":"starting","id-ref":"cm-7.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-7.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-7.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7.2","additions":[{"position":"ending","id-ref":"cm-7.2_smt","parts":[{"id":"cm-7.2_fr","name":"item","title":"CM-7 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7.2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run."}]}]},{"position":"starting","id-ref":"cm-7.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7.5","additions":[{"position":"starting","id-ref":"cm-7.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-7.5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-7.5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8","additions":[{"position":"ending","id-ref":"cm-8_smt","parts":[{"id":"cm-8_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}]}]},{"position":"starting","id-ref":"cm-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-8.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8.1","additions":[{"position":"starting","id-ref":"cm-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8.2","additions":[{"position":"starting","id-ref":"cm-8.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8.3","additions":[{"position":"starting","id-ref":"cm-8.3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-8.3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-8.3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8.4","additions":[{"position":"starting","id-ref":"cm-8.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8.5","additions":[{"position":"starting","id-ref":"cm-8.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-9","additions":[{"position":"starting","id-ref":"cm-9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-9.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-9.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-9.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-9.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-9.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-1","additions":[{"position":"starting","id-ref":"cp-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cp-10","additions":[{"position":"starting","id-ref":"cp-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-10.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-10.2","additions":[{"position":"starting","id-ref":"cp-10.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-10.4","additions":[{"position":"starting","id-ref":"cp-10.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-10.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2","additions":[{"position":"ending","id-ref":"cp-2_smt","parts":[{"id":"cp-2_fr","name":"item","title":"CP-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"CP-2 Requirement:"}],"prose":"For JAB authorizations the contingency lists include designated FedRAMP personnel."}]}]},{"position":"starting","id-ref":"cp-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-2.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.6_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.6_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-2.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.g_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2.1","additions":[{"position":"starting","id-ref":"cp-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-2.2","additions":[{"position":"starting","id-ref":"cp-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-2.3","additions":[{"position":"starting","id-ref":"cp-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2.4","additions":[{"position":"starting","id-ref":"cp-2.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2.5","additions":[{"position":"starting","id-ref":"cp-2.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2.8","additions":[{"position":"starting","id-ref":"cp-2.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-3","additions":[{"position":"starting","id-ref":"cp-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-3.1","additions":[{"position":"starting","id-ref":"cp-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-4","additions":[{"position":"ending","id-ref":"cp-4_smt","parts":[{"id":"cp-4_fr","name":"item","title":"CP-4(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-4(a) Requirement:"}],"prose":"The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."}]}]},{"position":"starting","id-ref":"cp-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-4.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-4.1","additions":[{"position":"starting","id-ref":"cp-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-4.2","additions":[{"position":"starting","id-ref":"cp-4.2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-4.2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-6","additions":[{"position":"starting","id-ref":"cp-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-6.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-6.1","additions":[{"position":"starting","id-ref":"cp-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-6.2","additions":[{"position":"starting","id-ref":"cp-6.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-6.3","additions":[{"position":"starting","id-ref":"cp-6.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-6.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-7","additions":[{"position":"ending","id-ref":"cp-7_smt","parts":[{"id":"cp-7_fr","name":"item","title":"CP-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-7_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines a time period consistent with the recovery time objectives and business impact analysis."}]}]},{"position":"starting","id-ref":"cp-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-7.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-7.1","additions":[{"position":"ending","id-ref":"cp-7.1_smt","parts":[{"id":"cp-7.1_fr","name":"item","title":"CP-7 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-7.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant."}]}]},{"position":"starting","id-ref":"cp-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-7.2","additions":[{"position":"starting","id-ref":"cp-7.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-7.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-7.3","additions":[{"position":"starting","id-ref":"cp-7.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-7.4","additions":[{"position":"starting","id-ref":"cp-7.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-8","additions":[{"position":"ending","id-ref":"cp-8_smt","parts":[{"id":"cp-8_fr","name":"item","title":"CP-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines a time period consistent with the recovery time objectives and business impact analysis."}]}]},{"position":"starting","id-ref":"cp-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-8.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-8.1","additions":[{"position":"starting","id-ref":"cp-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-8.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-8.2","additions":[{"position":"starting","id-ref":"cp-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-8.3","additions":[{"position":"starting","id-ref":"cp-8.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-8.4","additions":[{"position":"starting","id-ref":"cp-8.4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-8.4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-8.4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-8.4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-8.4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-9","additions":[{"position":"ending","id-ref":"cp-9_smt","parts":[{"id":"cp-9_fr","name":"item","title":"CP-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","properties":[{"name":"label","value":"CP-9(b)Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","properties":[{"name":"label","value":"CP-9(c)Requirement:"}],"prose":"The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."}]}]},{"position":"starting","id-ref":"cp-9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-9.1","additions":[{"position":"starting","id-ref":"cp-9.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-9.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-9.2","additions":[{"position":"starting","id-ref":"cp-9.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-9.3","additions":[{"position":"starting","id-ref":"cp-9.3_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.3_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-9.5","additions":[{"position":"starting","id-ref":"cp-9.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.5_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-1","additions":[{"position":"starting","id-ref":"ia-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ia-2","additions":[{"position":"starting","id-ref":"ia-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.1","additions":[{"position":"starting","id-ref":"ia-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.11","additions":[{"position":"ending","id-ref":"ia-2.11_smt","parts":[{"id":"ia-2.11_fr","name":"item","title":"IA-2 (11) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.11_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials."}]}]},{"position":"starting","id-ref":"ia-2.11_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.11_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-2.11_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-2.11_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.11_obj.6","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.12","additions":[{"position":"ending","id-ref":"ia-2.12_smt","parts":[{"id":"ia-2.12_fr","name":"item","title":"IA-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."}]}]},{"position":"starting","id-ref":"ia-2.12_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.2","additions":[{"position":"starting","id-ref":"ia-2.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.3","additions":[{"position":"starting","id-ref":"ia-2.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.4","additions":[{"position":"starting","id-ref":"ia-2.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.5","additions":[{"position":"starting","id-ref":"ia-2.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.8","additions":[{"position":"starting","id-ref":"ia-2.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.9","additions":[{"position":"starting","id-ref":"ia-2.9_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-3","additions":[{"position":"starting","id-ref":"ia-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-4","additions":[{"position":"ending","id-ref":"ia-4_smt","parts":[{"id":"ia-4_fr","name":"item","title":"IA-4(e) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-4_fr_smt.e","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines the time period of inactivity for device identifiers."},{"id":"ia-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."}]}]},{"position":"starting","id-ref":"ia-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-4.4","additions":[{"position":"starting","id-ref":"ia-4.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5","additions":[{"position":"ending","id-ref":"ia-5_smt","parts":[{"id":"ia-5_fr","name":"item","title":"IA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."}]}]},{"position":"starting","id-ref":"ia-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.h_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.i_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-5.i_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.j_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.1","additions":[{"position":"ending","id-ref":"ia-5.1_smt","parts":[{"id":"ia-5.1_fr","name":"item","title":"IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) (d) Guidance:"}],"prose":"If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."}]}]},{"position":"starting","id-ref":"ia-5.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-5.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.11","additions":[{"position":"starting","id-ref":"ia-5.11_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.13","additions":[{"position":"starting","id-ref":"ia-5.13_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.13_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.2","additions":[{"position":"starting","id-ref":"ia-5.2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.3","additions":[{"position":"starting","id-ref":"ia-5.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.3_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.3_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ia-5.4","additions":[{"position":"ending","id-ref":"ia-5.4_smt","parts":[{"id":"ia-5.4_fr","name":"item","title":"IA-5 (4) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators."}]}]},{"position":"starting","id-ref":"ia-5.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.6","additions":[{"position":"starting","id-ref":"ia-5.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.7","additions":[{"position":"starting","id-ref":"ia-5.7_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.8","additions":[{"position":"starting","id-ref":"ia-5.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-6","additions":[{"position":"starting","id-ref":"ia-6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-7","additions":[{"position":"starting","id-ref":"ia-7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8","additions":[{"position":"starting","id-ref":"ia-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.1","additions":[{"position":"starting","id-ref":"ia-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-8.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.2","additions":[{"position":"starting","id-ref":"ia-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.3","additions":[{"position":"starting","id-ref":"ia-8.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-8.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.4","additions":[{"position":"starting","id-ref":"ia-8.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-1","additions":[{"position":"starting","id-ref":"ir-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ir-2","additions":[{"position":"starting","id-ref":"ir-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-2.1","additions":[{"position":"starting","id-ref":"ir-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-2.2","additions":[{"position":"starting","id-ref":"ir-2.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-3","additions":[{"position":"ending","id-ref":"ir-3_smt","parts":[{"id":"ir-3_fr","name":"item","title":"IR-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-3_fr_smt.1","name":"item","properties":[{"name":"label","value":"IR-3 -2 Requirement:"}],"prose":"The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing."}]}]},{"position":"starting","id-ref":"ir-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-3.2","additions":[{"position":"starting","id-ref":"ir-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-4","additions":[{"position":"ending","id-ref":"ir-4_smt","parts":[{"id":"ir-4_fr","name":"item","title":"IR-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-4_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."}]}]},{"position":"starting","id-ref":"ir-4.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-4.1","additions":[{"position":"starting","id-ref":"ir-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-4.2","additions":[{"position":"starting","id-ref":"ir-4.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-4.3","additions":[{"position":"starting","id-ref":"ir-4.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-4.4","additions":[{"position":"starting","id-ref":"ir-4.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-4.6","additions":[{"position":"starting","id-ref":"ir-4.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-4.8","additions":[{"position":"starting","id-ref":"ir-4.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.8_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-5","additions":[{"position":"starting","id-ref":"ir-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-5.1","additions":[{"position":"starting","id-ref":"ir-5.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-6","additions":[{"position":"ending","id-ref":"ir-6_smt","parts":[{"id":"ir-6_fr","name":"item","title":"IR-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident Communications Procedure."}]}]},{"position":"starting","id-ref":"ir-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-6.1","additions":[{"position":"starting","id-ref":"ir-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-7","additions":[{"position":"starting","id-ref":"ir-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-7.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-7.1","additions":[{"position":"starting","id-ref":"ir-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-7.2","additions":[{"position":"starting","id-ref":"ir-7.2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-7.2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-8","additions":[{"position":"ending","id-ref":"ir-8_smt","parts":[{"id":"ir-8_fr","name":"item","title":"IR-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-8_fr_smt.b","name":"item","properties":[{"name":"label","value":"(b) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."},{"id":"ir-8_fr_smt.e","name":"item","properties":[{"name":"label","value":"(e) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."}]}]},{"position":"starting","id-ref":"ir-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-8.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.a.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-8.b_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.b_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-8.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.e_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.e_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-9","additions":[{"position":"starting","id-ref":"ir-9.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-9.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-9.1","additions":[{"position":"starting","id-ref":"ir-9.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-9.2","additions":[{"position":"starting","id-ref":"ir-9.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-9.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-9.3","additions":[{"position":"starting","id-ref":"ir-9.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-9.4","additions":[{"position":"starting","id-ref":"ir-9.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-1","additions":[{"position":"starting","id-ref":"ma-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ma-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ma-2","additions":[{"position":"starting","id-ref":"ma-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ma-2.2","additions":[{"position":"starting","id-ref":"ma-2.2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-3","additions":[{"position":"starting","id-ref":"ma-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-3.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-3.1","additions":[{"position":"starting","id-ref":"ma-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-3.2","additions":[{"position":"starting","id-ref":"ma-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-3.3","additions":[{"position":"starting","id-ref":"ma-3.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-4","additions":[{"position":"starting","id-ref":"ma-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ma-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-4.2","additions":[{"position":"starting","id-ref":"ma-4.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-4.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ma-4.3","additions":[{"position":"starting","id-ref":"ma-4.3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-4.6","additions":[{"position":"starting","id-ref":"ma-4.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-5","additions":[{"position":"starting","id-ref":"ma-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ma-5.1","additions":[{"position":"starting","id-ref":"ma-5.1.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-5.1.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-5.1.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-6","additions":[{"position":"starting","id-ref":"ma-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-6.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-6.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-1","additions":[{"position":"starting","id-ref":"mp-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"mp-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"mp-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"mp-2","additions":[{"position":"starting","id-ref":"mp-2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-3","additions":[{"position":"ending","id-ref":"mp-3_smt","parts":[{"id":"mp-3_fr","name":"item","title":"MP-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-3_fr_gdn.b","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Second parameter not-applicable"}]}]},{"position":"starting","id-ref":"mp-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-3.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-4","additions":[{"position":"ending","id-ref":"mp-4_smt","parts":[{"id":"mp-4_fr","name":"item","title":"MP-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines controlled areas within facilities where the information and information system reside."}]}]},{"position":"starting","id-ref":"mp-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-4.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-4.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-5","additions":[{"position":"ending","id-ref":"mp-5_smt","parts":[{"id":"mp-5_fr","name":"item","title":"MP-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-5_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB."}]}]},{"position":"starting","id-ref":"mp-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-5.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-5.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-5.4","additions":[{"position":"starting","id-ref":"mp-5.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-6","additions":[{"position":"starting","id-ref":"mp-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-6.1","additions":[{"position":"starting","id-ref":"mp-6.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.1_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.1_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-6.2","additions":[{"position":"ending","id-ref":"mp-6.2_smt","parts":[{"id":"mp-6.2_fr","name":"item","title":"MP-6 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-6.2_fr_gdn.a","name":"guidance","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"Equipment and procedures may be tested or validated for effectiveness"}]}]},{"position":"starting","id-ref":"mp-6.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"mp-6.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-6.3","additions":[{"position":"starting","id-ref":"mp-6.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-7","additions":[{"position":"starting","id-ref":"mp-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-7.1","additions":[{"position":"starting","id-ref":"mp-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-1","additions":[{"position":"starting","id-ref":"pe-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"pe-10","additions":[{"position":"starting","id-ref":"pe-10.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-10.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-10.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-10.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-11","additions":[{"position":"starting","id-ref":"pe-11_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-11.1","additions":[{"position":"starting","id-ref":"pe-11.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-12","additions":[{"position":"starting","id-ref":"pe-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-13","additions":[{"position":"starting","id-ref":"pe-13.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-13.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-13.1","additions":[{"position":"starting","id-ref":"pe-13.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-13.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-13.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-13.2","additions":[{"position":"starting","id-ref":"pe-13.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-13.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-13.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-13.3","additions":[{"position":"starting","id-ref":"pe-13.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-14","additions":[{"position":"ending","id-ref":"pe-14_smt","parts":[{"id":"pe-14_fr","name":"item","title":"PE-14(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pe-14_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels by dew point."}]}]},{"position":"starting","id-ref":"pe-14.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.b_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-14.2","additions":[{"position":"starting","id-ref":"pe-14.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-15","additions":[{"position":"starting","id-ref":"pe-15_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-15.1","additions":[{"position":"starting","id-ref":"pe-15.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-15.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-15.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-16","additions":[{"position":"starting","id-ref":"pe-16_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-16_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.6","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.7","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.8","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-16_obj.9","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"pe-17","additions":[{"position":"starting","id-ref":"pe-17.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-17.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-17.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-17.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-18","additions":[{"position":"starting","id-ref":"pe-18.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-18_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-18_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-18_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-2","additions":[{"position":"starting","id-ref":"pe-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-3","additions":[{"position":"starting","id-ref":"pe-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-3.1","additions":[{"position":"starting","id-ref":"pe-3.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-4","additions":[{"position":"starting","id-ref":"pe-4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-4_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-5","additions":[{"position":"starting","id-ref":"pe-5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-6","additions":[{"position":"starting","id-ref":"pe-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-6.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-6.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"pe-6.1","additions":[{"position":"starting","id-ref":"pe-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-6.4","additions":[{"position":"starting","id-ref":"pe-6.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-6.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-8","additions":[{"position":"starting","id-ref":"pe-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-8.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-8.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-8.1","additions":[{"position":"starting","id-ref":"pe-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-9","additions":[{"position":"starting","id-ref":"pe-9_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-1","additions":[{"position":"starting","id-ref":"pl-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pl-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pl-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"pl-2","additions":[{"position":"starting","id-ref":"pl-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pl-2.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.9_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-2.3","additions":[{"position":"starting","id-ref":"pl-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"pl-4","additions":[{"position":"starting","id-ref":"pl-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-4.1","additions":[{"position":"starting","id-ref":"pl-4.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-8","additions":[{"position":"ending","id-ref":"pl-8_smt","parts":[{"id":"pl-8_fr","name":"item","title":"PL-8(b) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pl-8_fr_gdn.b","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."}]}]},{"position":"starting","id-ref":"pl-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pl-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-8.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-1","additions":[{"position":"starting","id-ref":"ps-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ps-2","additions":[{"position":"starting","id-ref":"ps-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-3","additions":[{"position":"starting","id-ref":"ps-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-3.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-3.3","additions":[{"position":"starting","id-ref":"ps-3.3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-3.3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-3.3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-4","additions":[{"position":"starting","id-ref":"ps-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-4.2","additions":[{"position":"starting","id-ref":"ps-4.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-5","additions":[{"position":"starting","id-ref":"ps-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-6","additions":[{"position":"starting","id-ref":"ps-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.c.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-6.c.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.c.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-7","additions":[{"position":"starting","id-ref":"ps-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-7.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-8","additions":[{"position":"starting","id-ref":"ps-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-1","additions":[{"position":"starting","id-ref":"ra-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ra-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ra-2","additions":[{"position":"starting","id-ref":"ra-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-3","additions":[{"position":"ending","id-ref":"ra-3_smt","parts":[{"id":"ra-3_fr","name":"item","title":"RA-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","properties":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include FedRAMP."}]}]},{"position":"starting","id-ref":"ra-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5","additions":[{"id-ref":"ra-5_smt","parts":[{"id":"ra-5_fr_smt.a","name":"item","title":"RA-5(a) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (a)Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."},{"id":"ra-5_fr_smt.e","name":"item","title":"RA-5(e) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (e)Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include FedRAMP."},{"id":"ra-5_fr","name":"item","title":"RA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}]}]},{"position":"starting","id-ref":"ra-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.e_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.1","additions":[{"position":"starting","id-ref":"ra-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.10","additions":[{"position":"ending","id-ref":"ra-5.10_smt","parts":[{"id":"ra-5.10_fr","name":"item","title":"RA-5 (10) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.10_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If multiple tools are not used, this control is not applicable."}]}]},{"position":"starting","id-ref":"ra-5.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.2","additions":[{"position":"starting","id-ref":"ra-5.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-5.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.3","additions":[{"position":"starting","id-ref":"ra-5.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.4","additions":[{"position":"starting","id-ref":"ra-5.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.4_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.5","additions":[{"position":"starting","id-ref":"ra-5.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-5.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.5_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.6","additions":[{"position":"ending","id-ref":"ra-5.6_smt","parts":[{"id":"ra-5.6_fr","name":"item","title":"RA-5 (6) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include in Continuous Monitoring ISSO digest/report to JAB/AO"}]}]},{"position":"starting","id-ref":"ra-5.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.8","additions":[{"position":"ending","id-ref":"ra-5.8_smt","parts":[{"id":"ra-5.8_fr","name":"item","title":"RA-5 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"This enhancement is required for all high vulnerability scan findings."},{"id":"ra-5.8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability."}]}]},{"position":"starting","id-ref":"ra-5.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-1","additions":[{"position":"starting","id-ref":"sa-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sa-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"sa-10","additions":[{"position":"ending","id-ref":"sa-10_smt","parts":[{"id":"sa-10_fr","name":"item","title":"SA-10 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-10_fr_smt.1","name":"item","properties":[{"name":"label","value":"(e)  Requirement:"}],"prose":"For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP."}]}]},{"position":"starting","id-ref":"sa-10.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-10.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-10.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-10.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-10.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-10.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-10.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-10.1","additions":[{"position":"starting","id-ref":"sa-10.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-11","additions":[{"position":"starting","id-ref":"sa-11.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-11.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-11.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-11.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-11.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-11.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-11.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-11.1","additions":[{"position":"ending","id-ref":"sa-11.1_smt","parts":[{"id":"sa-11.1_fr","name":"item","title":"SA-11 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-11.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."}]}]},{"position":"starting","id-ref":"sa-11.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-11.2","additions":[{"position":"starting","id-ref":"sa-11.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-11.8","additions":[{"position":"ending","id-ref":"sa-11.8_smt","parts":[{"id":"sa-11.8_fr","name":"item","title":"SA-11 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-11.8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."}]}]},{"position":"starting","id-ref":"sa-11.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-12","additions":[{"position":"starting","id-ref":"sa-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-12.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-15","additions":[{"position":"starting","id-ref":"sa-15.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-15.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-15.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-15.b_obj.3.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-15.b_obj.3.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-15.b_obj.3.c","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-15.b_obj.3.d","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"sa-16","additions":[{"position":"starting","id-ref":"sa-16_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-16_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"sa-17","additions":[{"position":"starting","id-ref":"sa-17.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-17.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-17.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"sa-2","additions":[{"position":"starting","id-ref":"sa-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-3","additions":[{"position":"starting","id-ref":"sa-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4","additions":[{"position":"ending","id-ref":"sa-4_smt","parts":[{"id":"sa-4_fr","name":"item","title":"SA-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."}]}]},{"position":"starting","id-ref":"sa-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.1","additions":[{"position":"starting","id-ref":"sa-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.10","additions":[{"position":"starting","id-ref":"sa-4.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.2","additions":[{"position":"starting","id-ref":"sa-4.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-4.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-4.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.8","additions":[{"position":"ending","id-ref":"sa-4.8_smt","parts":[{"id":"sa-4.8_fr","name":"item","title":"SA-4 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4.8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSP must use the same security standards regardless of where the system component or information system service is acquired."}]}]},{"position":"starting","id-ref":"sa-4.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-4.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.9","additions":[{"position":"starting","id-ref":"sa-4.9_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"sa-5","additions":[{"position":"starting","id-ref":"sa-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-8","additions":[{"position":"starting","id-ref":"sa-8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9","additions":[{"position":"starting","id-ref":"sa-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9.1","additions":[{"position":"starting","id-ref":"sa-9.1.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-9.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9.2","additions":[{"position":"starting","id-ref":"sa-9.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"sa-9.4","additions":[{"position":"starting","id-ref":"sa-9.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.4_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9.5","additions":[{"position":"starting","id-ref":"sa-9.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.5_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-1","additions":[{"position":"starting","id-ref":"sc-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sc-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sc-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"sc-10","additions":[{"position":"starting","id-ref":"sc-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-10_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-12","additions":[{"position":"ending","id-ref":"sc-12_smt","parts":[{"id":"sc-12_fr","name":"item","title":"SC-12 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved and validated cryptography."}]}]},{"position":"starting","id-ref":"sc-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-12.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-12.1","additions":[{"position":"starting","id-ref":"sc-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-12.2","additions":[{"position":"starting","id-ref":"sc-12.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-12.3","additions":[{"position":"starting","id-ref":"sc-12.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-13","additions":[{"position":"starting","id-ref":"sc-13","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sc-13_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-13_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-13_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-15","additions":[{"position":"ending","id-ref":"sc-15_smt","parts":[{"id":"sc-15_fr","name":"item","title":"SC-15 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-15_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."}]}]},{"position":"starting","id-ref":"sc-15.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-15.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-15.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-17","additions":[{"position":"starting","id-ref":"sc-17_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-17_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-18","additions":[{"position":"starting","id-ref":"sc-18.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-18.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-18.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-18.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-18.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-18.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-19","additions":[{"position":"starting","id-ref":"sc-19.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-19.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-19.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-19.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-19.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-2","additions":[{"position":"starting","id-ref":"sc-2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-20","additions":[{"position":"starting","id-ref":"sc-20.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-20.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-21","additions":[{"position":"starting","id-ref":"sc-21_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-21_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-21_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-21_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-22","additions":[{"position":"starting","id-ref":"sc-22_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-22_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-23","additions":[{"position":"starting","id-ref":"sc-23_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-23.1","additions":[{"position":"starting","id-ref":"sc-23.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-24","additions":[{"position":"starting","id-ref":"sc-24_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-24_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-24_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-24_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-24_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-28","additions":[{"position":"ending","id-ref":"sc-28_smt","parts":[{"id":"sc-28_fr","name":"item","title":"SC-28 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-28_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The organization supports the capability to use cryptographic mechanisms to protect information at rest."}]}]},{"position":"starting","id-ref":"sc-28.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-28.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-28.1","additions":[{"position":"starting","id-ref":"sc-28.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-28.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-28.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-3","additions":[{"position":"starting","id-ref":"sc-3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-39","additions":[{"position":"starting","id-ref":"sc-39_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-4","additions":[{"position":"starting","id-ref":"sc-4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-5","additions":[{"position":"starting","id-ref":"sc-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-5.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-5.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-6","additions":[{"position":"starting","id-ref":"sc-6_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-6_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-6_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7","additions":[{"position":"starting","id-ref":"sc-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.10","additions":[{"position":"starting","id-ref":"sc-7.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.12","additions":[{"position":"starting","id-ref":"sc-7.12_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.12_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.13","additions":[{"position":"ending","id-ref":"sc-7.13_smt","parts":[{"id":"sc-7.13_fr","name":"item","title":"SC-7 (13) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-7.13_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets."},{"id":"sc-7.13_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc."}]}]},{"position":"starting","id-ref":"sc-7.13_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.13_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.18","additions":[{"position":"starting","id-ref":"sc-7.18_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.20","additions":[{"position":"starting","id-ref":"sc-7.20_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.20_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.21","additions":[{"position":"starting","id-ref":"sc-7.21_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.21_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.21_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.3","additions":[{"position":"starting","id-ref":"sc-7.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.4","additions":[{"position":"starting","id-ref":"sc-7.4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sc-7.4.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.4.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.4.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.4.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.4.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.4.e_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.5","additions":[{"position":"starting","id-ref":"sc-7.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.7","additions":[{"position":"starting","id-ref":"sc-7.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.8","additions":[{"position":"starting","id-ref":"sc-7.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.8_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-8","additions":[{"position":"starting","id-ref":"sc-8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-8.1","additions":[{"position":"starting","id-ref":"sc-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-8.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-1","additions":[{"position":"starting","id-ref":"si-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"si-10","additions":[{"position":"starting","id-ref":"si-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-10_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-11","additions":[{"position":"starting","id-ref":"si-11.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-11.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-11.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-12","additions":[{"position":"starting","id-ref":"si-12_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-16","additions":[{"position":"starting","id-ref":"si-16_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-16_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-2","additions":[{"position":"starting","id-ref":"si-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-2.1","additions":[{"position":"starting","id-ref":"si-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-2.2","additions":[{"position":"starting","id-ref":"si-2.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-2.3","additions":[{"position":"starting","id-ref":"si-2.3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"si-3","additions":[{"position":"starting","id-ref":"si-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-3.c.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.c.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-3.1","additions":[{"position":"starting","id-ref":"si-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-3.2","additions":[{"position":"starting","id-ref":"si-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-3.7","additions":[{"position":"starting","id-ref":"si-3.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4","additions":[{"position":"ending","id-ref":"si-4_smt","parts":[{"id":"si-4_fr","name":"item","title":"SI-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See US-CERT Incident Response Reporting Guidelines."}]}]},{"position":"starting","id-ref":"si-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-4.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.b.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.b.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-4.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.1","additions":[{"position":"starting","id-ref":"si-4.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.11","additions":[{"position":"starting","id-ref":"si-4.11_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.14","additions":[{"position":"starting","id-ref":"si-4.14","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-4.14_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.14_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.14_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.16","additions":[{"position":"starting","id-ref":"si-4.16_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.18","additions":[{"position":"starting","id-ref":"si-4.18_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.18_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.19","additions":[{"position":"starting","id-ref":"si-4.19_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.19_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.19_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.2","additions":[{"position":"starting","id-ref":"si-4.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.20","additions":[{"position":"starting","id-ref":"si-4.20_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.20_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.22","additions":[{"position":"starting","id-ref":"si-4.22_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.22_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.22_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.23","additions":[{"position":"starting","id-ref":"si-4.23_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.23_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.23_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.24","additions":[{"position":"starting","id-ref":"si-4.24_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.4","additions":[{"position":"starting","id-ref":"si-4.4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-4.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.5","additions":[{"position":"ending","id-ref":"si-4.5_smt","parts":[{"id":"si-4.5_fr","name":"item","title":"SI-4 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"In accordance with the incident response plan."}]}]},{"position":"starting","id-ref":"si-4.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.5_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-5","additions":[{"position":"starting","id-ref":"si-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-5.1","additions":[{"position":"starting","id-ref":"si-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-6","additions":[{"position":"starting","id-ref":"si-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-6.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-6.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7","additions":[{"position":"starting","id-ref":"si-7_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7_obj.1.c","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7.1","additions":[{"position":"starting","id-ref":"si-7.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-7.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.1_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7.14","additions":[{"position":"starting","id-ref":"si-7.14.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.14.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.14.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-7.14.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7.2","additions":[{"position":"starting","id-ref":"si-7.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7.5","additions":[{"position":"starting","id-ref":"si-7.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7.7","additions":[{"position":"starting","id-ref":"si-7.7_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.7_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-8","additions":[{"position":"starting","id-ref":"si-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-8.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-8.1","additions":[{"position":"starting","id-ref":"si-8.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-8.2","additions":[{"position":"starting","id-ref":"si-8.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]}]},"back-matter":{"resources":[{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and Regulations","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-citations"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-acronyms"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","desc":"FedRAMP Logo","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-logo"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}]},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","title":"NIST Special Publication (SP) 800-53","properties":[{"name":"version","ns":"https://fedramp.gov/ns/oscal","value":"Revision 4"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml","media-type":"application/xml"}]}]}}}
\ No newline at end of file
diff --git a/content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile.json b/content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile.json
deleted file mode 100644
index ab3ebdd5a7..0000000000
--- a/content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile.json
+++ /dev/null
@@ -1,35474 +0,0 @@
-{
-  "profile": {
-    "uuid": "b11dba1c-0c68-4724-9eaf-02de2d5bbb89",
-    "metadata": {
-      "title": "FedRAMP High Baseline",
-      "published": "2020-06-01T00:00:00.000-04:00",
-      "last-modified": "2020-06-01T10:00:00.000-04:00",
-      "version": "1.2",
-      "oscal-version": "1.0.0-milestone3",
-      "roles": [
-        {
-          "id": "parpared-by",
-          "title": "Document creator"
-        },
-        {
-          "id": "fedramp-pmo",
-          "title": "The FedRAMP Program Management Office (PMO)",
-          "short-name": "CSP"
-        },
-        {
-          "id": "fedramp-jab",
-          "title": "The FedRAMP Joint Authorization Board (JAB)",
-          "short-name": "CSP"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Program Management Office",
-          "short-name": "FedRAMP PMO",
-          "links": [
-            {
-              "href": "https://fedramp.gov",
-              "rel": "homepage",
-              "text": ""
-            }
-          ],
-          "addresses": [
-            {
-              "type": "work",
-              "postal-address": [
-                "1800 F St. NW",
-                ""
-              ],
-              "city": "Washington",
-              "state": "DC",
-              "postal-code": "",
-              "country": "US"
-            }
-          ],
-          "email-addresses": [
-            "info@fedramp.gov"
-          ]
-        },
-        {
-          "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Joint Authorization Board",
-          "short-name": "FedRAMP JAB"
-        }
-      ],
-      "responsible-parties": {
-        "prepared-by": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-pmo": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-jab": {
-          "party-uuids": [
-            "ca9ba80e-1342-4bfd-b32a-abac468c24b4"
-          ]
-        }
-      }
-    },
-    "imports": [
-      {
-        "href": "#ad005eae-cc63-4e64-9109-3905a9a825e4",
-        "include": {
-          "id-selectors": [
-            {
-              "control-id": "ac-1"
-            },
-            {
-              "control-id": "ac-2"
-            },
-            {
-              "control-id": "ac-2.1"
-            },
-            {
-              "control-id": "ac-2.2"
-            },
-            {
-              "control-id": "ac-2.3"
-            },
-            {
-              "control-id": "ac-2.4"
-            },
-            {
-              "control-id": "ac-2.5"
-            },
-            {
-              "control-id": "ac-2.7"
-            },
-            {
-              "control-id": "ac-2.9"
-            },
-            {
-              "control-id": "ac-2.10"
-            },
-            {
-              "control-id": "ac-2.11"
-            },
-            {
-              "control-id": "ac-2.12"
-            },
-            {
-              "control-id": "ac-2.13"
-            },
-            {
-              "control-id": "ac-3"
-            },
-            {
-              "control-id": "ac-4"
-            },
-            {
-              "control-id": "ac-4.8"
-            },
-            {
-              "control-id": "ac-4.21"
-            },
-            {
-              "control-id": "ac-5"
-            },
-            {
-              "control-id": "ac-6"
-            },
-            {
-              "control-id": "ac-6.1"
-            },
-            {
-              "control-id": "ac-6.2"
-            },
-            {
-              "control-id": "ac-6.3"
-            },
-            {
-              "control-id": "ac-6.5"
-            },
-            {
-              "control-id": "ac-6.7"
-            },
-            {
-              "control-id": "ac-6.8"
-            },
-            {
-              "control-id": "ac-6.9"
-            },
-            {
-              "control-id": "ac-6.10"
-            },
-            {
-              "control-id": "ac-7"
-            },
-            {
-              "control-id": "ac-7.2"
-            },
-            {
-              "control-id": "ac-8"
-            },
-            {
-              "control-id": "ac-10"
-            },
-            {
-              "control-id": "ac-11"
-            },
-            {
-              "control-id": "ac-11.1"
-            },
-            {
-              "control-id": "ac-12"
-            },
-            {
-              "control-id": "ac-12.1"
-            },
-            {
-              "control-id": "ac-14"
-            },
-            {
-              "control-id": "ac-17"
-            },
-            {
-              "control-id": "ac-17.1"
-            },
-            {
-              "control-id": "ac-17.2"
-            },
-            {
-              "control-id": "ac-17.3"
-            },
-            {
-              "control-id": "ac-17.4"
-            },
-            {
-              "control-id": "ac-17.9"
-            },
-            {
-              "control-id": "ac-18"
-            },
-            {
-              "control-id": "ac-18.1"
-            },
-            {
-              "control-id": "ac-18.3"
-            },
-            {
-              "control-id": "ac-18.4"
-            },
-            {
-              "control-id": "ac-18.5"
-            },
-            {
-              "control-id": "ac-19"
-            },
-            {
-              "control-id": "ac-19.5"
-            },
-            {
-              "control-id": "ac-20"
-            },
-            {
-              "control-id": "ac-20.1"
-            },
-            {
-              "control-id": "ac-20.2"
-            },
-            {
-              "control-id": "ac-21"
-            },
-            {
-              "control-id": "ac-22"
-            },
-            {
-              "control-id": "at-1"
-            },
-            {
-              "control-id": "at-2"
-            },
-            {
-              "control-id": "at-2.2"
-            },
-            {
-              "control-id": "at-3"
-            },
-            {
-              "control-id": "at-3.3"
-            },
-            {
-              "control-id": "at-3.4"
-            },
-            {
-              "control-id": "at-4"
-            },
-            {
-              "control-id": "au-1"
-            },
-            {
-              "control-id": "au-2"
-            },
-            {
-              "control-id": "au-2.3"
-            },
-            {
-              "control-id": "au-3"
-            },
-            {
-              "control-id": "au-3.1"
-            },
-            {
-              "control-id": "au-3.2"
-            },
-            {
-              "control-id": "au-4"
-            },
-            {
-              "control-id": "au-5"
-            },
-            {
-              "control-id": "au-5.1"
-            },
-            {
-              "control-id": "au-5.2"
-            },
-            {
-              "control-id": "au-6"
-            },
-            {
-              "control-id": "au-6.1"
-            },
-            {
-              "control-id": "au-6.3"
-            },
-            {
-              "control-id": "au-6.4"
-            },
-            {
-              "control-id": "au-6.5"
-            },
-            {
-              "control-id": "au-6.6"
-            },
-            {
-              "control-id": "au-6.7"
-            },
-            {
-              "control-id": "au-6.10"
-            },
-            {
-              "control-id": "au-7"
-            },
-            {
-              "control-id": "au-7.1"
-            },
-            {
-              "control-id": "au-8"
-            },
-            {
-              "control-id": "au-8.1"
-            },
-            {
-              "control-id": "au-9"
-            },
-            {
-              "control-id": "au-9.2"
-            },
-            {
-              "control-id": "au-9.3"
-            },
-            {
-              "control-id": "au-9.4"
-            },
-            {
-              "control-id": "au-10"
-            },
-            {
-              "control-id": "au-11"
-            },
-            {
-              "control-id": "au-12"
-            },
-            {
-              "control-id": "au-12.1"
-            },
-            {
-              "control-id": "au-12.3"
-            },
-            {
-              "control-id": "ca-1"
-            },
-            {
-              "control-id": "ca-2"
-            },
-            {
-              "control-id": "ca-2.1"
-            },
-            {
-              "control-id": "ca-2.2"
-            },
-            {
-              "control-id": "ca-2.3"
-            },
-            {
-              "control-id": "ca-3"
-            },
-            {
-              "control-id": "ca-3.3"
-            },
-            {
-              "control-id": "ca-3.5"
-            },
-            {
-              "control-id": "ca-5"
-            },
-            {
-              "control-id": "ca-6"
-            },
-            {
-              "control-id": "ca-7"
-            },
-            {
-              "control-id": "ca-7.1"
-            },
-            {
-              "control-id": "ca-7.3"
-            },
-            {
-              "control-id": "ca-8"
-            },
-            {
-              "control-id": "ca-8.1"
-            },
-            {
-              "control-id": "ca-9"
-            },
-            {
-              "control-id": "cm-1"
-            },
-            {
-              "control-id": "cm-2"
-            },
-            {
-              "control-id": "cm-2.1"
-            },
-            {
-              "control-id": "cm-2.2"
-            },
-            {
-              "control-id": "cm-2.3"
-            },
-            {
-              "control-id": "cm-2.7"
-            },
-            {
-              "control-id": "cm-3"
-            },
-            {
-              "control-id": "cm-3.1"
-            },
-            {
-              "control-id": "cm-3.2"
-            },
-            {
-              "control-id": "cm-3.4"
-            },
-            {
-              "control-id": "cm-3.6"
-            },
-            {
-              "control-id": "cm-4"
-            },
-            {
-              "control-id": "cm-4.1"
-            },
-            {
-              "control-id": "cm-5"
-            },
-            {
-              "control-id": "cm-5.1"
-            },
-            {
-              "control-id": "cm-5.2"
-            },
-            {
-              "control-id": "cm-5.3"
-            },
-            {
-              "control-id": "cm-5.5"
-            },
-            {
-              "control-id": "cm-6"
-            },
-            {
-              "control-id": "cm-6.1"
-            },
-            {
-              "control-id": "cm-6.2"
-            },
-            {
-              "control-id": "cm-7"
-            },
-            {
-              "control-id": "cm-7.1"
-            },
-            {
-              "control-id": "cm-7.2"
-            },
-            {
-              "control-id": "cm-7.5"
-            },
-            {
-              "control-id": "cm-8"
-            },
-            {
-              "control-id": "cm-8.1"
-            },
-            {
-              "control-id": "cm-8.2"
-            },
-            {
-              "control-id": "cm-8.3"
-            },
-            {
-              "control-id": "cm-8.4"
-            },
-            {
-              "control-id": "cm-8.5"
-            },
-            {
-              "control-id": "cm-9"
-            },
-            {
-              "control-id": "cm-10"
-            },
-            {
-              "control-id": "cm-10.1"
-            },
-            {
-              "control-id": "cm-11"
-            },
-            {
-              "control-id": "cm-11.1"
-            },
-            {
-              "control-id": "cp-1"
-            },
-            {
-              "control-id": "cp-2"
-            },
-            {
-              "control-id": "cp-2.1"
-            },
-            {
-              "control-id": "cp-2.2"
-            },
-            {
-              "control-id": "cp-2.3"
-            },
-            {
-              "control-id": "cp-2.4"
-            },
-            {
-              "control-id": "cp-2.5"
-            },
-            {
-              "control-id": "cp-2.8"
-            },
-            {
-              "control-id": "cp-3"
-            },
-            {
-              "control-id": "cp-3.1"
-            },
-            {
-              "control-id": "cp-4"
-            },
-            {
-              "control-id": "cp-4.1"
-            },
-            {
-              "control-id": "cp-4.2"
-            },
-            {
-              "control-id": "cp-6"
-            },
-            {
-              "control-id": "cp-6.1"
-            },
-            {
-              "control-id": "cp-6.2"
-            },
-            {
-              "control-id": "cp-6.3"
-            },
-            {
-              "control-id": "cp-7"
-            },
-            {
-              "control-id": "cp-7.1"
-            },
-            {
-              "control-id": "cp-7.2"
-            },
-            {
-              "control-id": "cp-7.3"
-            },
-            {
-              "control-id": "cp-7.4"
-            },
-            {
-              "control-id": "cp-8"
-            },
-            {
-              "control-id": "cp-8.1"
-            },
-            {
-              "control-id": "cp-8.2"
-            },
-            {
-              "control-id": "cp-8.3"
-            },
-            {
-              "control-id": "cp-8.4"
-            },
-            {
-              "control-id": "cp-9"
-            },
-            {
-              "control-id": "cp-9.1"
-            },
-            {
-              "control-id": "cp-9.2"
-            },
-            {
-              "control-id": "cp-9.3"
-            },
-            {
-              "control-id": "cp-9.5"
-            },
-            {
-              "control-id": "cp-10"
-            },
-            {
-              "control-id": "cp-10.2"
-            },
-            {
-              "control-id": "cp-10.4"
-            },
-            {
-              "control-id": "ia-1"
-            },
-            {
-              "control-id": "ia-2"
-            },
-            {
-              "control-id": "ia-2.1"
-            },
-            {
-              "control-id": "ia-2.2"
-            },
-            {
-              "control-id": "ia-2.3"
-            },
-            {
-              "control-id": "ia-2.4"
-            },
-            {
-              "control-id": "ia-2.5"
-            },
-            {
-              "control-id": "ia-2.8"
-            },
-            {
-              "control-id": "ia-2.9"
-            },
-            {
-              "control-id": "ia-2.11"
-            },
-            {
-              "control-id": "ia-2.12"
-            },
-            {
-              "control-id": "ia-3"
-            },
-            {
-              "control-id": "ia-4"
-            },
-            {
-              "control-id": "ia-4.4"
-            },
-            {
-              "control-id": "ia-5"
-            },
-            {
-              "control-id": "ia-5.1"
-            },
-            {
-              "control-id": "ia-5.2"
-            },
-            {
-              "control-id": "ia-5.3"
-            },
-            {
-              "control-id": "ia-5.4"
-            },
-            {
-              "control-id": "ia-5.6"
-            },
-            {
-              "control-id": "ia-5.7"
-            },
-            {
-              "control-id": "ia-5.8"
-            },
-            {
-              "control-id": "ia-5.11"
-            },
-            {
-              "control-id": "ia-5.13"
-            },
-            {
-              "control-id": "ia-6"
-            },
-            {
-              "control-id": "ia-7"
-            },
-            {
-              "control-id": "ia-8"
-            },
-            {
-              "control-id": "ia-8.1"
-            },
-            {
-              "control-id": "ia-8.2"
-            },
-            {
-              "control-id": "ia-8.3"
-            },
-            {
-              "control-id": "ia-8.4"
-            },
-            {
-              "control-id": "ir-1"
-            },
-            {
-              "control-id": "ir-2"
-            },
-            {
-              "control-id": "ir-2.1"
-            },
-            {
-              "control-id": "ir-2.2"
-            },
-            {
-              "control-id": "ir-3"
-            },
-            {
-              "control-id": "ir-3.2"
-            },
-            {
-              "control-id": "ir-4"
-            },
-            {
-              "control-id": "ir-4.1"
-            },
-            {
-              "control-id": "ir-4.2"
-            },
-            {
-              "control-id": "ir-4.3"
-            },
-            {
-              "control-id": "ir-4.4"
-            },
-            {
-              "control-id": "ir-4.6"
-            },
-            {
-              "control-id": "ir-4.8"
-            },
-            {
-              "control-id": "ir-5"
-            },
-            {
-              "control-id": "ir-5.1"
-            },
-            {
-              "control-id": "ir-6"
-            },
-            {
-              "control-id": "ir-6.1"
-            },
-            {
-              "control-id": "ir-7"
-            },
-            {
-              "control-id": "ir-7.1"
-            },
-            {
-              "control-id": "ir-7.2"
-            },
-            {
-              "control-id": "ir-8"
-            },
-            {
-              "control-id": "ir-9"
-            },
-            {
-              "control-id": "ir-9.1"
-            },
-            {
-              "control-id": "ir-9.2"
-            },
-            {
-              "control-id": "ir-9.3"
-            },
-            {
-              "control-id": "ir-9.4"
-            },
-            {
-              "control-id": "ma-1"
-            },
-            {
-              "control-id": "ma-2"
-            },
-            {
-              "control-id": "ma-2.2"
-            },
-            {
-              "control-id": "ma-3"
-            },
-            {
-              "control-id": "ma-3.1"
-            },
-            {
-              "control-id": "ma-3.2"
-            },
-            {
-              "control-id": "ma-3.3"
-            },
-            {
-              "control-id": "ma-4"
-            },
-            {
-              "control-id": "ma-4.2"
-            },
-            {
-              "control-id": "ma-4.3"
-            },
-            {
-              "control-id": "ma-4.6"
-            },
-            {
-              "control-id": "ma-5"
-            },
-            {
-              "control-id": "ma-5.1"
-            },
-            {
-              "control-id": "ma-6"
-            },
-            {
-              "control-id": "mp-1"
-            },
-            {
-              "control-id": "mp-2"
-            },
-            {
-              "control-id": "mp-3"
-            },
-            {
-              "control-id": "mp-4"
-            },
-            {
-              "control-id": "mp-5"
-            },
-            {
-              "control-id": "mp-5.4"
-            },
-            {
-              "control-id": "mp-6"
-            },
-            {
-              "control-id": "mp-6.1"
-            },
-            {
-              "control-id": "mp-6.2"
-            },
-            {
-              "control-id": "mp-6.3"
-            },
-            {
-              "control-id": "mp-7"
-            },
-            {
-              "control-id": "mp-7.1"
-            },
-            {
-              "control-id": "pe-1"
-            },
-            {
-              "control-id": "pe-2"
-            },
-            {
-              "control-id": "pe-3"
-            },
-            {
-              "control-id": "pe-3.1"
-            },
-            {
-              "control-id": "pe-4"
-            },
-            {
-              "control-id": "pe-5"
-            },
-            {
-              "control-id": "pe-6"
-            },
-            {
-              "control-id": "pe-6.1"
-            },
-            {
-              "control-id": "pe-6.4"
-            },
-            {
-              "control-id": "pe-8"
-            },
-            {
-              "control-id": "pe-8.1"
-            },
-            {
-              "control-id": "pe-9"
-            },
-            {
-              "control-id": "pe-10"
-            },
-            {
-              "control-id": "pe-11"
-            },
-            {
-              "control-id": "pe-11.1"
-            },
-            {
-              "control-id": "pe-12"
-            },
-            {
-              "control-id": "pe-13"
-            },
-            {
-              "control-id": "pe-13.1"
-            },
-            {
-              "control-id": "pe-13.2"
-            },
-            {
-              "control-id": "pe-13.3"
-            },
-            {
-              "control-id": "pe-14"
-            },
-            {
-              "control-id": "pe-14.2"
-            },
-            {
-              "control-id": "pe-15"
-            },
-            {
-              "control-id": "pe-15.1"
-            },
-            {
-              "control-id": "pe-16"
-            },
-            {
-              "control-id": "pe-17"
-            },
-            {
-              "control-id": "pe-18"
-            },
-            {
-              "control-id": "pl-1"
-            },
-            {
-              "control-id": "pl-2"
-            },
-            {
-              "control-id": "pl-2.3"
-            },
-            {
-              "control-id": "pl-4"
-            },
-            {
-              "control-id": "pl-4.1"
-            },
-            {
-              "control-id": "pl-8"
-            },
-            {
-              "control-id": "ps-1"
-            },
-            {
-              "control-id": "ps-2"
-            },
-            {
-              "control-id": "ps-3"
-            },
-            {
-              "control-id": "ps-3.3"
-            },
-            {
-              "control-id": "ps-4"
-            },
-            {
-              "control-id": "ps-4.2"
-            },
-            {
-              "control-id": "ps-5"
-            },
-            {
-              "control-id": "ps-6"
-            },
-            {
-              "control-id": "ps-7"
-            },
-            {
-              "control-id": "ps-8"
-            },
-            {
-              "control-id": "ra-1"
-            },
-            {
-              "control-id": "ra-2"
-            },
-            {
-              "control-id": "ra-3"
-            },
-            {
-              "control-id": "ra-5"
-            },
-            {
-              "control-id": "ra-5.1"
-            },
-            {
-              "control-id": "ra-5.2"
-            },
-            {
-              "control-id": "ra-5.3"
-            },
-            {
-              "control-id": "ra-5.4"
-            },
-            {
-              "control-id": "ra-5.5"
-            },
-            {
-              "control-id": "ra-5.6"
-            },
-            {
-              "control-id": "ra-5.8"
-            },
-            {
-              "control-id": "ra-5.10"
-            },
-            {
-              "control-id": "sa-1"
-            },
-            {
-              "control-id": "sa-2"
-            },
-            {
-              "control-id": "sa-3"
-            },
-            {
-              "control-id": "sa-4"
-            },
-            {
-              "control-id": "sa-4.1"
-            },
-            {
-              "control-id": "sa-4.2"
-            },
-            {
-              "control-id": "sa-4.8"
-            },
-            {
-              "control-id": "sa-4.9"
-            },
-            {
-              "control-id": "sa-4.10"
-            },
-            {
-              "control-id": "sa-5"
-            },
-            {
-              "control-id": "sa-8"
-            },
-            {
-              "control-id": "sa-9"
-            },
-            {
-              "control-id": "sa-9.1"
-            },
-            {
-              "control-id": "sa-9.2"
-            },
-            {
-              "control-id": "sa-9.4"
-            },
-            {
-              "control-id": "sa-9.5"
-            },
-            {
-              "control-id": "sa-10"
-            },
-            {
-              "control-id": "sa-10.1"
-            },
-            {
-              "control-id": "sa-11"
-            },
-            {
-              "control-id": "sa-11.1"
-            },
-            {
-              "control-id": "sa-11.2"
-            },
-            {
-              "control-id": "sa-11.8"
-            },
-            {
-              "control-id": "sa-12"
-            },
-            {
-              "control-id": "sa-15"
-            },
-            {
-              "control-id": "sa-16"
-            },
-            {
-              "control-id": "sa-17"
-            },
-            {
-              "control-id": "sc-1"
-            },
-            {
-              "control-id": "sc-2"
-            },
-            {
-              "control-id": "sc-3"
-            },
-            {
-              "control-id": "sc-4"
-            },
-            {
-              "control-id": "sc-5"
-            },
-            {
-              "control-id": "sc-6"
-            },
-            {
-              "control-id": "sc-7"
-            },
-            {
-              "control-id": "sc-7.3"
-            },
-            {
-              "control-id": "sc-7.4"
-            },
-            {
-              "control-id": "sc-7.5"
-            },
-            {
-              "control-id": "sc-7.7"
-            },
-            {
-              "control-id": "sc-7.8"
-            },
-            {
-              "control-id": "sc-7.10"
-            },
-            {
-              "control-id": "sc-7.12"
-            },
-            {
-              "control-id": "sc-7.13"
-            },
-            {
-              "control-id": "sc-7.18"
-            },
-            {
-              "control-id": "sc-7.20"
-            },
-            {
-              "control-id": "sc-7.21"
-            },
-            {
-              "control-id": "sc-8"
-            },
-            {
-              "control-id": "sc-8.1"
-            },
-            {
-              "control-id": "sc-10"
-            },
-            {
-              "control-id": "sc-12"
-            },
-            {
-              "control-id": "sc-12.1"
-            },
-            {
-              "control-id": "sc-12.2"
-            },
-            {
-              "control-id": "sc-12.3"
-            },
-            {
-              "control-id": "sc-13"
-            },
-            {
-              "control-id": "sc-15"
-            },
-            {
-              "control-id": "sc-17"
-            },
-            {
-              "control-id": "sc-18"
-            },
-            {
-              "control-id": "sc-19"
-            },
-            {
-              "control-id": "sc-20"
-            },
-            {
-              "control-id": "sc-21"
-            },
-            {
-              "control-id": "sc-22"
-            },
-            {
-              "control-id": "sc-23"
-            },
-            {
-              "control-id": "sc-23.1"
-            },
-            {
-              "control-id": "sc-24"
-            },
-            {
-              "control-id": "sc-28"
-            },
-            {
-              "control-id": "sc-28.1"
-            },
-            {
-              "control-id": "sc-39"
-            },
-            {
-              "control-id": "si-1"
-            },
-            {
-              "control-id": "si-2"
-            },
-            {
-              "control-id": "si-2.1"
-            },
-            {
-              "control-id": "si-2.2"
-            },
-            {
-              "control-id": "si-2.3"
-            },
-            {
-              "control-id": "si-3"
-            },
-            {
-              "control-id": "si-3.1"
-            },
-            {
-              "control-id": "si-3.2"
-            },
-            {
-              "control-id": "si-3.7"
-            },
-            {
-              "control-id": "si-4"
-            },
-            {
-              "control-id": "si-4.1"
-            },
-            {
-              "control-id": "si-4.2"
-            },
-            {
-              "control-id": "si-4.4"
-            },
-            {
-              "control-id": "si-4.5"
-            },
-            {
-              "control-id": "si-4.11"
-            },
-            {
-              "control-id": "si-4.14"
-            },
-            {
-              "control-id": "si-4.16"
-            },
-            {
-              "control-id": "si-4.18"
-            },
-            {
-              "control-id": "si-4.19"
-            },
-            {
-              "control-id": "si-4.20"
-            },
-            {
-              "control-id": "si-4.22"
-            },
-            {
-              "control-id": "si-4.23"
-            },
-            {
-              "control-id": "si-4.24"
-            },
-            {
-              "control-id": "si-5"
-            },
-            {
-              "control-id": "si-5.1"
-            },
-            {
-              "control-id": "si-6"
-            },
-            {
-              "control-id": "si-7"
-            },
-            {
-              "control-id": "si-7.1"
-            },
-            {
-              "control-id": "si-7.2"
-            },
-            {
-              "control-id": "si-7.5"
-            },
-            {
-              "control-id": "si-7.7"
-            },
-            {
-              "control-id": "si-7.14"
-            },
-            {
-              "control-id": "si-8"
-            },
-            {
-              "control-id": "si-8.1"
-            },
-            {
-              "control-id": "si-8.2"
-            },
-            {
-              "control-id": "si-10"
-            },
-            {
-              "control-id": "si-11"
-            },
-            {
-              "control-id": "si-12"
-            },
-            {
-              "control-id": "si-16"
-            }
-          ]
-        }
-      }
-    ],
-    "merge": {
-      "combine": {
-        "method": "keep"
-      },
-      "as-is": true
-    },
-    "modify": {
-      "parameter-settings": {
-        "ac-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ac-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "ac-2_prm_4": {
-          "constraints": [
-            {
-              "detail": "monthly for privileged accessed, every six (6) months for non-privileged access"
-            }
-          ]
-        },
-        "ac-2.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "Selection: disables"
-            }
-          ]
-        },
-        "ac-2.2_prm_2": {
-          "constraints": [
-            {
-              "detail": "24 hours from last use"
-            }
-          ]
-        },
-        "ac-2.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "35 days for user accounts"
-            }
-          ]
-        },
-        "ac-2.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "organization and/or service provider system owner"
-            }
-          ]
-        },
-        "ac-2.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "inactivity is anticipated to exceed Fifteen (15) minutes"
-            }
-          ]
-        },
-        "ac-2.7_prm_1": {
-          "constraints": [
-            {
-              "detail": "disables/revokes access within a organization-specified timeframe"
-            }
-          ]
-        },
-        "ac-2.9_prm_1": {
-          "constraints": [
-            {
-              "detail": "organization-defined need with justification statement that explains why such accounts are necessary"
-            }
-          ]
-        },
-        "ac-2.12_prm_2": {
-          "constraints": [
-            {
-              "detail": "at a minimum, the ISSO and/or similar role within the organization"
-            }
-          ]
-        },
-        "ac-2.13_prm_1": {
-          "constraints": [
-            {
-              "detail": "one (1) hour"
-            }
-          ]
-        },
-        "ac-6.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "all functions not publicly accessible and all security-relevant information not publicly available"
-            }
-          ]
-        },
-        "ac-6.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "all security functions"
-            }
-          ]
-        },
-        "ac-6.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "all privileged commands"
-            }
-          ]
-        },
-        "ac-6.7_prm_1": {
-          "constraints": [
-            {
-              "detail": "at a minimum, annually"
-            }
-          ]
-        },
-        "ac-6.7_prm_2": {
-          "constraints": [
-            {
-              "detail": "all users with privileges"
-            }
-          ]
-        },
-        "ac-6.8_prm_1": {
-          "constraints": [
-            {
-              "detail": "any software except software explicitly documented"
-            }
-          ]
-        },
-        "ac-7_prm_1": {
-          "constraints": [
-            {
-              "detail": "not more than three (3)"
-            }
-          ]
-        },
-        "ac-7_prm_2": {
-          "constraints": [
-            {
-              "detail": "fifteen (15) minutes"
-            }
-          ]
-        },
-        "ac-7_prm_4": {
-          "constraints": [
-            {
-              "detail": "locks the account/node for a minimum of three (3) hours or until unlocked by an administrator"
-            }
-          ]
-        },
-        "ac-7.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "mobile devices as defined by organization policy"
-            }
-          ]
-        },
-        "ac-7.2_prm_3": {
-          "constraints": [
-            {
-              "detail": "three (3)"
-            }
-          ]
-        },
-        "ac-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "see additional Requirements and Guidance"
-            }
-          ]
-        },
-        "ac-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional Requirements and Guidance"
-            }
-          ]
-        },
-        "ac-10_prm_2": {
-          "constraints": [
-            {
-              "detail": "three (3) sessions for privileged access and two (2) sessions for non-privileged access"
-            }
-          ]
-        },
-        "ac-11_prm_1": {
-          "constraints": [
-            {
-              "detail": "fifteen (15) minutes"
-            }
-          ]
-        },
-        "ac-17.9_prm_1": {
-          "constraints": [
-            {
-              "detail": "fifteen (15) minutes"
-            }
-          ]
-        },
-        "ac-22_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least quarterly"
-            }
-          ]
-        },
-        "at-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "at-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "at-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "at-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "at-3.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "malicious code indicators as defined by organization incident policy/capability."
-            }
-          ]
-        },
-        "at-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "five (5) years or 5 years after completion of a specific training program"
-            }
-          ]
-        },
-        "au-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "au-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "au-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"
-            }
-          ]
-        },
-        "au-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event"
-            }
-          ]
-        },
-        "au-2.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "annually or whenever there is a change in the threat environment"
-            }
-          ]
-        },
-        "au-3.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands"
-            }
-          ]
-        },
-        "au-3.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "all network, data storage, and computing devices"
-            }
-          ]
-        },
-        "au-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined actions to be taken (overwrite oldest record)"
-            }
-          ]
-        },
-        "au-5.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "real-time"
-            }
-          ]
-        },
-        "au-5.2_prm_2": {
-          "constraints": [
-            {
-              "detail": "service provider personnel with authority to address failed audit events"
-            }
-          ]
-        },
-        "au-5.2_prm_3": {
-          "constraints": [
-            {
-              "detail": "audit failure events requiring real-time alerts, as defined by organization audit policy"
-            }
-          ]
-        },
-        "au-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "au-6.5_prm_2": {
-          "constraints": [
-            {
-              "detail": "Possibly to include penetration test data."
-            }
-          ]
-        },
-        "au-6.7_prm_1": {
-          "constraints": [
-            {
-              "detail": "information system process; role; user"
-            }
-          ]
-        },
-        "au-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "one second granularity of time measurement"
-            }
-          ]
-        },
-        "au-8.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "At least hourly"
-            }
-          ]
-        },
-        "au-8.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "http://tf.nist.gov/tf-cgi/servers.cgi"
-            }
-          ]
-        },
-        "au-9.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "au-10_prm_1": {
-          "constraints": [
-            {
-              "detail": "minimum actions including the addition, modification, deletion, approval, sending, or receiving of data"
-            }
-          ]
-        },
-        "au-11_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least one (1) year"
-            }
-          ]
-        },
-        "au-12_prm_1": {
-          "constraints": [
-            {
-              "detail": "all information system and network components where audit capability is deployed/available"
-            }
-          ]
-        },
-        "au-12.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "all network, data storage, and computing devices"
-            }
-          ]
-        },
-        "au-12.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "service provider-defined individuals or roles with audit configuration responsibilities"
-            }
-          ]
-        },
-        "au-12.3_prm_2": {
-          "constraints": [
-            {
-              "detail": "all network, data storage, and computing devices"
-            }
-          ]
-        },
-        "ca-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "ca-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "individuals or roles to include FedRAMP PMO"
-            }
-          ]
-        },
-        "ca-2.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-2.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "any FedRAMP Accredited 3PAO"
-            }
-          ]
-        },
-        "ca-2.3_prm_2": {
-          "constraints": [
-            {
-              "detail": "any FedRAMP Accredited 3PAO"
-            }
-          ]
-        },
-        "ca-2.3_prm_3": {
-          "constraints": [
-            {
-              "detail": "the conditions of the JAB/AO in the FedRAMP Repository"
-            }
-          ]
-        },
-        "ca-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "At least annually and on input from FedRAMP"
-            }
-          ]
-        },
-        "ca-3.3_prm_2": {
-          "constraints": [
-            {
-              "detail": "boundary protections which meet the Trusted Internet Connection (TIC) requirements"
-            }
-          ]
-        },
-        "ca-3.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "deny-all, permit by exception"
-            }
-          ]
-        },
-        "ca-3.5_prm_2": {
-          "constraints": [
-            {
-              "detail": "any systems"
-            }
-          ]
-        },
-        "ca-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "ca-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every three (3) years or when a significant change occurs"
-            }
-          ]
-        },
-        "ca-7_prm_4": {
-          "constraints": [
-            {
-              "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-            }
-          ]
-        },
-        "ca-7_prm_5": {
-          "constraints": [
-            {
-              "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-            }
-          ]
-        },
-        "ca-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cm-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cm-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "cm-2.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually or when a significant change occurs"
-            }
-          ]
-        },
-        "cm-2.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include when directed by the JAB"
-            }
-          ]
-        },
-        "cm-2.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components"
-            }
-          ]
-        },
-        "cm-3.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization agreed upon time period"
-            }
-          ]
-        },
-        "cm-3.1_prm_3": {
-          "constraints": [
-            {
-              "detail": "organization defined configuration management approval authorities"
-            }
-          ]
-        },
-        "cm-3.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "Configuration control board (CCB) or similar (as defined in CM-3)"
-            }
-          ]
-        },
-        "cm-3.6_prm_1": {
-          "constraints": [
-            {
-              "detail": "All security safeguards that rely on cryptography"
-            }
-          ]
-        },
-        "cm-5.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every thirty (30) days"
-            }
-          ]
-        },
-        "cm-5.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least quarterly"
-            }
-          ]
-        },
-        "cm-6_prm_1": {
-          "guidance": [
-            {
-              "prose": "See CM-6(a) Additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "cm-7_prm_1": {
-          "constraints": [
-            {
-              "detail": "United States Government Configuration Baseline (USGCB)"
-            }
-          ]
-        },
-        "cm-7.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "cm-7.5_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least quarterly or when there is a change"
-            }
-          ]
-        },
-        "cm-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "cm-8.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "Continuously, using automated mechanisms with a maximum five-minute delay in detection."
-            }
-          ]
-        },
-        "cm-8.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "position and role"
-            }
-          ]
-        },
-        "cm-11_prm_3": {
-          "constraints": [
-            {
-              "detail": "Continuously (via CM-7 (5))"
-            }
-          ]
-        },
-        "cp-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "cp-2_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-2.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "time period defined in service provider and organization SLA"
-            }
-          ]
-        },
-        "cp-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "ten (10) days"
-            }
-          ]
-        },
-        "cp-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-4_prm_2": {
-          "constraints": [
-            {
-              "detail": "functional exercises"
-            }
-          ]
-        },
-        "cp-8.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "annually"
-            }
-          ]
-        },
-        "cp-9_prm_1": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9_prm_2": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9_prm_3": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "cp-9.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA"
-            }
-          ]
-        },
-        "cp-10.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "time period consistent with the restoration time-periods defined in the service provider and organization SLA"
-            }
-          ]
-        },
-        "ia-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ia-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "ia-2.11_prm_1": {
-          "constraints": [
-            {
-              "detail": "FIPS 140-2, NIAP Certification, or NSA approval"
-            }
-          ]
-        },
-        "ia-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "at a minimum, the ISSO (or similar role within the organization)"
-            }
-          ]
-        },
-        "ia-4_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least two (2) years"
-            }
-          ]
-        },
-        "ia-4_prm_3": {
-          "constraints": [
-            {
-              "detail": "thirty-five (35) days (See additional requirements and guidance.)"
-            }
-          ]
-        },
-        "ia-4.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "contractors; foreign nationals]"
-            }
-          ]
-        },
-        "ia-5.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least fifty percent (50%)"
-            }
-          ]
-        },
-        "ia-5.1_prm_4": {
-          "constraints": [
-            {
-              "detail": "twenty four (24)"
-            }
-          ]
-        },
-        "ia-5.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "All hardware/biometric (multifactor authenticators)"
-            }
-          ]
-        },
-        "ia-5.3_prm_2": {
-          "constraints": [
-            {
-              "detail": "in person"
-            }
-          ]
-        },
-        "ia-5.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "complexity as identified in IA-5 (1) Control Enhancement Part (a)"
-            }
-          ]
-        },
-        "ia-5.8_prm_1": {
-          "constraints": [
-            {
-              "detail": "different authenticators on different systems"
-            }
-          ]
-        },
-        "ir-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "ir-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "within ten (10) days"
-            }
-          ]
-        },
-        "ir-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every six (6) months"
-            }
-          ]
-        },
-        "ir-4.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "all network, data storage, and computing devices"
-            }
-          ]
-        },
-        "ir-4.8_prm_1": {
-          "constraints": [
-            {
-              "detail": "external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)"
-            }
-          ]
-        },
-        "ir-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"
-            }
-          ]
-        },
-        "ir-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "ir-8_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-8_prm_4": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "ir-9.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ma-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ma-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "ma-3.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "the information owner explicitly authorizing removal of the equipment from the facility"
-            }
-          ]
-        },
-        "mp-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "mp-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "mp-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "any digital and non-digital media deemed sensitive"
-            }
-          ]
-        },
-        "mp-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "no removable media types"
-            }
-          ]
-        },
-        "mp-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined security safeguards not applicable"
-            }
-          ]
-        },
-        "mp-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "all types of digital and non-digital media with sensitive information"
-            }
-          ]
-        },
-        "mp-4_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP requirements and guidance"
-            }
-          ]
-        },
-        "mp-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "all media with sensitive information"
-            }
-          ]
-        },
-        "mp-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container"
-            }
-          ]
-        },
-        "mp-6_prm_2": {
-          "constraints": [
-            {
-              "detail": "techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations"
-            }
-          ]
-        },
-        "mp-6.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every six (6) months"
-            }
-          ]
-        },
-        "pe-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "pe-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every ninety (90) days"
-            }
-          ]
-        },
-        "pe-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "CSP defined physical access control systems/devices AND guards"
-            }
-          ]
-        },
-        "pe-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "CSP defined physical access control systems/devices"
-            }
-          ]
-        },
-        "pe-3_prm_6": {
-          "constraints": [
-            {
-              "detail": "in all circumstances within restricted access area where the information system resides"
-            }
-          ]
-        },
-        "pe-3_prm_8": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-3_prm_9": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "pe-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "for a minimum of one (1) year"
-            }
-          ]
-        },
-        "pe-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "pe-13.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "service provider building maintenance/physical security personnel"
-            }
-          ]
-        },
-        "pe-13.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "service provider emergency responders with incident response responsibilities"
-            }
-          ]
-        },
-        "pe-14_prm_1": {
-          "constraints": [
-            {
-              "detail": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"
-            }
-          ]
-        },
-        "pe-14_prm_2": {
-          "constraints": [
-            {
-              "detail": "continuously"
-            }
-          ]
-        },
-        "pe-15.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "service provider building maintenance/physical security personnel"
-            }
-          ]
-        },
-        "pe-16_prm_1": {
-          "constraints": [
-            {
-              "detail": "all information system components"
-            }
-          ]
-        },
-        "pe-18_prm_1": {
-          "constraints": [
-            {
-              "detail": "physical and environmental hazards identified during threat assessment"
-            }
-          ]
-        },
-        "pl-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pl-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "pl-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pl-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "annually"
-            }
-          ]
-        },
-        "pl-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually or when a significant change occurs"
-            }
-          ]
-        },
-        "ps-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "ps-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions"
-            }
-          ]
-        },
-        "ps-3.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "personnel screening criteria - as required by specific information"
-            }
-          ]
-        },
-        "ps-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "eight (8) hours"
-            }
-          ]
-        },
-        "ps-4.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "access control personnel responsible for disabling access to the system"
-            }
-          ]
-        },
-        "ps-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "twenty-four (24) hours"
-            }
-          ]
-        },
-        "ps-5_prm_4": {
-          "constraints": [
-            {
-              "detail": "twenty-four (24) hours"
-            }
-          ]
-        },
-        "ps-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-6_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually and any time there is a change to the user's level of access"
-            }
-          ]
-        },
-        "ps-7_prm_2": {
-          "constraints": [
-            {
-              "detail": "terminations: immediately; transfers: within twenty-four (24) hours"
-            }
-          ]
-        },
-        "ps-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "at a minimum, the ISSO and/or similar role within the organization"
-            }
-          ]
-        },
-        "ra-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ra-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "ra-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "security assessment report"
-            }
-          ]
-        },
-        "ra-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "ra-3_prm_5": {
-          "constraints": [
-            {
-              "detail": "annually"
-            }
-          ]
-        },
-        "ra-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "monthly operating system/infrastructure; monthly web applications and databases"
-            }
-          ]
-        },
-        "ra-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"
-            }
-          ]
-        },
-        "ra-5.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "prior to a new scan"
-            }
-          ]
-        },
-        "ra-5.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions"
-            }
-          ]
-        },
-        "ra-5.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "operating systems / web applications / databases"
-            }
-          ]
-        },
-        "ra-5.5_prm_2": {
-          "constraints": [
-            {
-              "detail": "all scans"
-            }
-          ]
-        },
-        "sa-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "sa-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "sa-4.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]"
-            }
-          ]
-        },
-        "sa-4.8_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least the minimum requirement as defined in control CA-7"
-            }
-          ]
-        },
-        "sa-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "at a minimum, the ISSO (or similar role within the organization)"
-            }
-          ]
-        },
-        "sa-9_prm_1": {
-          "constraints": [
-            {
-              "detail": "FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"
-            }
-          ]
-        },
-        "sa-9_prm_2": {
-          "constraints": [
-            {
-              "detail": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"
-            }
-          ]
-        },
-        "sa-9.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "all external systems where Federal information is processed or stored"
-            }
-          ]
-        },
-        "sa-9.4_prm_2": {
-          "constraints": [
-            {
-              "detail": "all external systems where Federal information is processed or stored"
-            }
-          ]
-        },
-        "sa-9.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "information processing, information data, AND information services"
-            }
-          ]
-        },
-        "sa-9.5_prm_2": {
-          "constraints": [
-            {
-              "detail": "U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction"
-            }
-          ]
-        },
-        "sa-9.5_prm_3": {
-          "constraints": [
-            {
-              "detail": "all High Impact Data, Systems, or Services"
-            }
-          ]
-        },
-        "sa-10_prm_1": {
-          "constraints": [
-            {
-              "detail": "development, implementation, AND operation"
-            }
-          ]
-        },
-        "sa-12_prm_1": {
-          "constraints": [
-            {
-              "detail": "organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures"
-            }
-          ]
-        },
-        "sa-15_prm_1": {
-          "constraints": [
-            {
-              "detail": "as needed and as dictated by the current threat posture"
-            }
-          ]
-        },
-        "sa-15_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization and service provider- defined security requirements"
-            }
-          ]
-        },
-        "sc-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "sc-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "sc-7.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions"
-            }
-          ]
-        },
-        "sc-7.12_prm_1": {
-          "constraints": [
-            {
-              "detail": "Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall"
-            }
-          ]
-        },
-        "sc-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "confidentiality AND integrity"
-            }
-          ]
-        },
-        "sc-8.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "prevent unauthorized disclosure of information AND detect changes to information"
-            }
-          ]
-        },
-        "sc-8.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "a hardened or alarmed carrier Protective Distribution System (PDS)"
-            }
-          ]
-        },
-        "sc-10_prm_1": {
-          "constraints": [
-            {
-              "detail": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions"
-            }
-          ]
-        },
-        "sc-12.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "NIST FIPS-compliant"
-            }
-          ]
-        },
-        "sc-13_prm_1": {
-          "constraints": [
-            {
-              "detail": "FIPS-validated or NSA-approved cryptography"
-            }
-          ]
-        },
-        "sc-15_prm_1": {
-          "constraints": [
-            {
-              "detail": "no exceptions"
-            }
-          ]
-        },
-        "sc-28_prm_1": {
-          "constraints": [
-            {
-              "detail": "confidentiality AND integrity"
-            }
-          ]
-        },
-        "sc-28.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "all information system components storing customer data deemed sensitive"
-            }
-          ]
-        },
-        "si-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "si-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually or whenever a significant change occurs"
-            }
-          ]
-        },
-        "si-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "thirty (30) days of release of updates"
-            }
-          ]
-        },
-        "si-2.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "si-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "si-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include endpoints"
-            }
-          ]
-        },
-        "si-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime"
-            }
-          ]
-        },
-        "si-4.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "continuously"
-            }
-          ]
-        },
-        "si-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "to include US-CERT"
-            }
-          ]
-        },
-        "si-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include system security personnel and administrators with configuration/patch-management responsibilities"
-            }
-          ]
-        },
-        "si-6_prm_3": {
-          "constraints": [
-            {
-              "detail": "to include upon system startup and/or restart"
-            }
-          ]
-        },
-        "si-6_prm_4": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "si-6_prm_5": {
-          "constraints": [
-            {
-              "detail": "to include system administrators and security personnel"
-            }
-          ]
-        },
-        "si-6_prm_7": {
-          "constraints": [
-            {
-              "detail": "to include notification of system administrators and security personnel"
-            }
-          ]
-        },
-        "si-7.1_prm_3": {
-          "constraints": [
-            {
-              "detail": "selection to include security relevant events"
-            }
-          ]
-        },
-        "si-7.1_prm_4": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        }
-      },
-      "alterations": [
-        {
-          "control-id": "ac-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-10_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-10_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-11",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-11.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-11.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-11.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-11.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-11.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-12",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-12.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-12.1_smt",
-              "parts": [
-                {
-                  "id": "ac-12.1_fr",
-                  "name": "item",
-                  "title": "AC-12 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-12.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-12.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-12.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-12.1.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-14",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-14.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-14.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-14.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.9_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.9_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-18",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-18.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-18.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-18.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-18.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-18.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-18.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-18.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-18.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-19",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-19",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-19.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-19.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.g_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.h_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.i_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.j_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.j_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.k_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.10",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.10_smt",
-              "parts": [
-                {
-                  "id": "ac-2.10_fr",
-                  "name": "item",
-                  "title": "AC-2 (10) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.10_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Required if shared/group accounts are deployed"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.11_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.11_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.12",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.12_smt",
-              "parts": [
-                {
-                  "id": "ac-2.12_fr",
-                  "name": "item",
-                  "title": "AC-2 (12) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Guidance:"
-                        }
-                      ],
-                      "prose": "Required for privileged accounts."
-                    },
-                    {
-                      "id": "ac-2.12_fr_gdn.2",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Guidance:"
-                        }
-                      ],
-                      "prose": "Required for privileged accounts."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.13",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.13_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.13_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.3_smt",
-              "parts": [
-                {
-                  "id": "ac-2.3_fr",
-                  "name": "item",
-                  "title": "AC-2 (3) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.3_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.4_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.5_smt",
-              "parts": [
-                {
-                  "id": "ac-2.5_fr",
-                  "name": "item",
-                  "title": "AC-2 (5) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Should use a shorter timeframe than AC-12."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.7.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.7.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.9",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.9_smt",
-              "parts": [
-                {
-                  "id": "ac-2.9_fr",
-                  "name": "item",
-                  "title": "AC-2 (9) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.9_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Required if shared/group accounts are deployed"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.9_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.9_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-20",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-20.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-20.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-20.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-20.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-20.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-20.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-21",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-21.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-21.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-21.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-21.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-22",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-22",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-4.21",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-4.21_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.21_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.21_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-4.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-4.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.8_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-5_smt",
-              "parts": [
-                {
-                  "id": "ac-5_fr",
-                  "name": "item",
-                  "title": "AC-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-6.2_smt",
-              "parts": [
-                {
-                  "id": "ac-6.2_fr",
-                  "name": "item",
-                  "title": "AC-6 (2) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-6.2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.3_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.9_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-7.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-7.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.2_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-8_smt",
-              "parts": [
-                {
-                  "id": "ac-8_fr",
-                  "name": "item",
-                  "title": "AC-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."
-                    },
-                    {
-                      "id": "ac-8_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."
-                    },
-                    {
-                      "id": "ac-8_fr_smt.3",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-2.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-3.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-3.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-3.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-3.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-10.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-10.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-11",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-11_smt",
-              "parts": [
-                {
-                  "id": "au-11_fr",
-                  "name": "item",
-                  "title": "AU-11 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-11_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-12.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-12.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-12.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-12.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-12.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.3_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.3_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-2_smt",
-              "parts": [
-                {
-                  "id": "au-2_fr",
-                  "name": "item",
-                  "title": "AU-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-2_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-2.3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-2.3_smt",
-              "parts": [
-                {
-                  "id": "au-2.3_fr",
-                  "name": "item",
-                  "title": "AU-2 (3) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-2.3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-3.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-3.1_smt",
-              "parts": [
-                {
-                  "id": "au-3.1_fr",
-                  "name": "item",
-                  "title": "AU-3 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-3.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO."
-                    },
-                    {
-                      "id": "au-3.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-3.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-3.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-3.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-3.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-3.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-5.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-5.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.1_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-5.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-5.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.2_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-6_smt",
-              "parts": [
-                {
-                  "id": "au-6_fr",
-                  "name": "item",
-                  "title": "AU-6 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-6.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-6.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-6.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-6.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-6.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.5_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-6.6_smt",
-              "parts": [
-                {
-                  "id": "au-6.6_fr",
-                  "name": "item",
-                  "title": "AU-6 (6) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-6.6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-6.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-7.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-7.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-8.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-8.1_smt",
-              "parts": [
-                {
-                  "id": "au-8.1_fr",
-                  "name": "item",
-                  "title": "AU-8 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-8.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server."
-                    },
-                    {
-                      "id": "au-8.1_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server."
-                    },
-                    {
-                      "id": "au-8.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Synchronization of system clocks improves the accuracy of log analysis."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-9.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-9.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-9.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-9.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-2_smt",
-              "parts": [
-                {
-                  "id": "ca-2_fr",
-                  "name": "item",
-                  "title": "CA-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-2.1_smt",
-              "parts": [
-                {
-                  "id": "ca-2.1_fr",
-                  "name": "item",
-                  "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2.2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-2.2_smt",
-              "parts": [
-                {
-                  "id": "ca-2.2_fr",
-                  "name": "item",
-                  "title": "CA-2 (2) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2.2_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "To include 'announced', 'vulnerability scanning'"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.3_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-3.3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-3.3_smt",
-              "parts": [
-                {
-                  "id": "ca-3.3_fr",
-                  "name": "item",
-                  "title": "CA-3 (3) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-3.3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-3.5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-3.5_smt",
-              "parts": [
-                {
-                  "id": "ca-3.5_fr",
-                  "name": "item",
-                  "title": "CA-3 (5) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-3.5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-5_smt",
-              "parts": [
-                {
-                  "id": "ca-5_fr",
-                  "name": "item",
-                  "title": "CA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-5_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Plan of Action & Milestones (POA&M) must be provided at least monthly."
-                    },
-                    {
-                      "id": "ca-5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-6_smt",
-              "parts": [
-                {
-                  "id": "ca-6_fr",
-                  "name": "item",
-                  "title": "CA-6(c) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-7",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-7_smt",
-              "parts": [
-                {
-                  "id": "ca-7_fr",
-                  "name": "item",
-                  "title": "CA-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-7_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."
-                    },
-                    {
-                      "id": "ca-7_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."
-                    },
-                    {
-                      "id": "ca-7_fr_gdn.2",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-7.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-7.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-7.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-8_smt",
-              "parts": [
-                {
-                  "id": "ca-8_fr",
-                  "name": "item",
-                  "title": "CA-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-8_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-8_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-10.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-10.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-10.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-10.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-10.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-10.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-11.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-11.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-11.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-2.1_smt",
-              "parts": [
-                {
-                  "id": "cm-2.1_fr",
-                  "name": "item",
-                  "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-2.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.2_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-3_smt",
-              "parts": [
-                {
-                  "id": "cm-3_fr",
-                  "name": "item",
-                  "title": "CM-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-3_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO."
-                    },
-                    {
-                      "id": "cm-3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(e) Guidance:"
-                        }
-                      ],
-                      "prose": "In accordance with record retention policies and procedures."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.g_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.g_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-3.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.1.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-3.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-3.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-3.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-3.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-3.6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-3.6_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.6_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-4.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-4.1_obj.2.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-4.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-4.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-4.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5_obj.7",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5_obj.8",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-5.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-5.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.2_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5.3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-5.3_smt",
-              "parts": [
-                {
-                  "id": "cm-5.3_fr",
-                  "name": "item",
-                  "title": "CM-5 (3) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-5.3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-6_smt",
-              "parts": [
-                {
-                  "id": "cm-6_fr",
-                  "name": "item",
-                  "title": "CM-6(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement 1:"
-                        }
-                      ],
-                      "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "
-                    },
-                    {
-                      "id": "cm-6_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement 2:"
-                        }
-                      ],
-                      "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."
-                    },
-                    {
-                      "id": "cm-6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-6.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-6.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-6.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-7_smt",
-              "parts": [
-                {
-                  "id": "cm-7_fr",
-                  "name": "item",
-                  "title": "CM-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-7_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."
-                    },
-                    {
-                      "id": "cm-7_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7.2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-7.2_smt",
-              "parts": [
-                {
-                  "id": "cm-7.2_fr",
-                  "name": "item",
-                  "title": "CM-7 (2) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-7.2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-8_smt",
-              "parts": [
-                {
-                  "id": "cm-8_fr",
-                  "name": "item",
-                  "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Must be provided at least monthly or when there is a change."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-8.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-8.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-8.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-10.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-10.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-10.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-10.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-10.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-10.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-2_smt",
-              "parts": [
-                {
-                  "id": "cp-2_fr",
-                  "name": "item",
-                  "title": "CP-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-2_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-2 Requirement:"
-                        }
-                      ],
-                      "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.6_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.6_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.g_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-3.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-4_smt",
-              "parts": [
-                {
-                  "id": "cp-4_fr",
-                  "name": "item",
-                  "title": "CP-4(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-4_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-4(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-4.2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-6.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-6.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-6.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-6.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-6.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-6.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-7_smt",
-              "parts": [
-                {
-                  "id": "cp-7_fr",
-                  "name": "item",
-                  "title": "CP-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-7_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-7.1_smt",
-              "parts": [
-                {
-                  "id": "cp-7.1_fr",
-                  "name": "item",
-                  "title": "CP-7 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-7.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-7.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-7.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-7.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-8_smt",
-              "parts": [
-                {
-                  "id": "cp-8_fr",
-                  "name": "item",
-                  "title": "CP-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-8.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-8.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-8.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-8.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-8.4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-9_smt",
-              "parts": [
-                {
-                  "id": "cp-9_fr",
-                  "name": "item",
-                  "title": "CP-9 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-9_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.b",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(b)Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.c",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(c)Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-9.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-9.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-9.3_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.3_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-9.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.5_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.11",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-2.11_smt",
-              "parts": [
-                {
-                  "id": "ia-2.11_fr",
-                  "name": "item",
-                  "title": "IA-2 (11) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-2.11_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.6",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.12",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-2.12_smt",
-              "parts": [
-                {
-                  "id": "ia-2.12_fr",
-                  "name": "item",
-                  "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-2.12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.12_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.9_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-4_smt",
-              "parts": [
-                {
-                  "id": "ia-4_fr",
-                  "name": "item",
-                  "title": "IA-4(e) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-4_fr_smt.e",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines the time period of inactivity for device identifiers."
-                    },
-                    {
-                      "id": "ia-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-4.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-4.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-5_smt",
-              "parts": [
-                {
-                  "id": "ia-5_fr",
-                  "name": "item",
-                  "title": "IA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-5_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.h_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.i_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.i_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.j_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-5.1_smt",
-              "parts": [
-                {
-                  "id": "ia-5.1_fr",
-                  "name": "item",
-                  "title": "IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-5.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) (d) Guidance:"
-                        }
-                      ],
-                      "prose": "If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.11_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.13",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.13_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.13_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-5.4_smt",
-              "parts": [
-                {
-                  "id": "ia-5.4_fr",
-                  "name": "item",
-                  "title": "IA-5 (4) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-5.4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.7_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-8.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-2.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-3_smt",
-              "parts": [
-                {
-                  "id": "ir-3_fr",
-                  "name": "item",
-                  "title": "IR-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-3_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "IR-3 -2 Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-3.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-4_smt",
-              "parts": [
-                {
-                  "id": "ir-4_fr",
-                  "name": "item",
-                  "title": "IR-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-4_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-4.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-4.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-4.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4.6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-4.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-4.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.8_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-5.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-5.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-6_smt",
-              "parts": [
-                {
-                  "id": "ir-6_fr",
-                  "name": "item",
-                  "title": "IR-6 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Report security incident information according to FedRAMP Incident Communications Procedure."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-7.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-7.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-7.2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-7.2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-8_smt",
-              "parts": [
-                {
-                  "id": "ir-8_fr",
-                  "name": "item",
-                  "title": "IR-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-8_fr_smt.b",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                    },
-                    {
-                      "id": "ir-8_fr_smt.e",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(e) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-2.2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-3.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-3.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-3.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-3.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-3.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-4.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-4.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-4.3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-4.6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-4.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-5.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-5.1.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.1.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.1.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-6.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-6.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "mp-3_smt",
-              "parts": [
-                {
-                  "id": "mp-3_fr",
-                  "name": "item",
-                  "title": "MP-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "mp-3_fr_gdn.b",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Guidance:"
-                        }
-                      ],
-                      "prose": "Second parameter not-applicable"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-3.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "mp-4_smt",
-              "parts": [
-                {
-                  "id": "mp-4_fr",
-                  "name": "item",
-                  "title": "MP-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "mp-4_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines controlled areas within facilities where the information and information system reside."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "mp-5_smt",
-              "parts": [
-                {
-                  "id": "mp-5_fr",
-                  "name": "item",
-                  "title": "MP-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "mp-5_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-5.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-5.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-6.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.1_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.1_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-6.2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "mp-6.2_smt",
-              "parts": [
-                {
-                  "id": "mp-6.2_fr",
-                  "name": "item",
-                  "title": "MP-6 (2) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "mp-6.2_fr_gdn.a",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "Equipment and procedures may be tested or validated for effectiveness"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-6.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-6.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-10.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-10.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-10.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-10.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-11_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-11.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-11.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-13.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-13.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-13.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-14",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "pe-14_smt",
-              "parts": [
-                {
-                  "id": "pe-14_fr",
-                  "name": "item",
-                  "title": "PE-14(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "pe-14_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider measures temperature at server inlets and humidity levels by dew point."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-14.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-14.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-15",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-15_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-15.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-15.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-15.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-15.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-16",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.6",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.7",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.8",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.9",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-17",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-17.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-17.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-17.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-17.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-18.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-18_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-18_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-18_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-3.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-3.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-4_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-6.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-6.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-9_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.9_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-4.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "pl-8_smt",
-              "parts": [
-                {
-                  "id": "pl-8_fr",
-                  "name": "item",
-                  "title": "PL-8(b) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "pl-8_fr_gdn.b",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-3.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-3.3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-4.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-3_smt",
-              "parts": [
-                {
-                  "id": "ra-3_fr",
-                  "name": "item",
-                  "title": "RA-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"
-                    },
-                    {
-                      "id": "ra-3_fr_smt.d",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "RA-3 (d) Requirement:"
-                        }
-                      ],
-                      "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5",
-          "additions": [
-            {
-              "id-ref": "ra-5_smt",
-              "parts": [
-                {
-                  "id": "ra-5_fr_smt.a",
-                  "name": "item",
-                  "title": "RA-5(a) Additional FedRAMP Requirements and Guidance",
-                  "properties": [
-                    {
-                      "name": "label",
-                      "value": "RA-5 (a)Requirement:"
-                    }
-                  ],
-                  "prose": "An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."
-                },
-                {
-                  "id": "ra-5_fr_smt.e",
-                  "name": "item",
-                  "title": "RA-5(e) Additional FedRAMP Requirements and Guidance",
-                  "properties": [
-                    {
-                      "name": "label",
-                      "value": "RA-5 (e)Requirement:"
-                    }
-                  ],
-                  "prose": "To include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                },
-                {
-                  "id": "ra-5_fr",
-                  "name": "item",
-                  "title": "RA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.10",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-5.10_smt",
-              "parts": [
-                {
-                  "id": "ra-5.10_fr",
-                  "name": "item",
-                  "title": "RA-5 (10) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5.10_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "If multiple tools are not used, this control is not applicable."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.4_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.5_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-5.6_smt",
-              "parts": [
-                {
-                  "id": "ra-5.6_fr",
-                  "name": "item",
-                  "title": "RA-5 (6) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5.6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Include in Continuous Monitoring ISSO digest/report to JAB/AO"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-5.8_smt",
-              "parts": [
-                {
-                  "id": "ra-5.8_fr",
-                  "name": "item",
-                  "title": "RA-5 (8) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5.8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "This enhancement is required for all high vulnerability scan findings."
-                    },
-                    {
-                      "id": "ra-5.8_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-10",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-10_smt",
-              "parts": [
-                {
-                  "id": "sa-10_fr",
-                  "name": "item",
-                  "title": "SA-10 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-10_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(e)  Requirement:"
-                        }
-                      ],
-                      "prose": "For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-10.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-10.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-11.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-11.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-11.1_smt",
-              "parts": [
-                {
-                  "id": "sa-11.1_fr",
-                  "name": "item",
-                  "title": "SA-11 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-11.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-11.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-11.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-11.8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-11.8_smt",
-              "parts": [
-                {
-                  "id": "sa-11.8_fr",
-                  "name": "item",
-                  "title": "SA-11 (8) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-11.8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-12.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-15",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-15.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-15.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-15.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-15.b_obj.3.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-15.b_obj.3.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-15.b_obj.3.c",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-15.b_obj.3.d",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-16",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-16_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-16_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-17",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-17.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-17.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-17.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-4_smt",
-              "parts": [
-                {
-                  "id": "sa-4_fr",
-                  "name": "item",
-                  "title": "SA-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-4.8_smt",
-              "parts": [
-                {
-                  "id": "sa-4.8_fr",
-                  "name": "item",
-                  "title": "SA-4 (8) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-4.8_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "CSP must use the same security standards regardless of where the system component or information system service is acquired."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.9_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.1.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.4_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.5_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-10_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-12_smt",
-              "parts": [
-                {
-                  "id": "sc-12_fr",
-                  "name": "item",
-                  "title": "SC-12 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Federally approved and validated cryptography."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-12.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-12.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-12.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-13",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-13",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-15",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-15_smt",
-              "parts": [
-                {
-                  "id": "sc-15_fr",
-                  "name": "item",
-                  "title": "SC-15 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-15_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-17",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-17_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-17_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-18.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-19",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-19.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-19.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-19.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-19.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-19.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-20",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-20.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-20.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-21",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-22",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-22_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-22_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-23",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-23_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-23.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-23.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-24",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-24_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-24_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-24_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-24_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-24_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-28",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-28_smt",
-              "parts": [
-                {
-                  "id": "sc-28_fr",
-                  "name": "item",
-                  "title": "SC-28 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-28_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-28.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-28.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-28.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-28.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-28.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-28.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-39",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-39_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-5.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-5.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-6_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-6_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-6_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.12_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.12_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.13",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-7.13_smt",
-              "parts": [
-                {
-                  "id": "sc-7.13_fr",
-                  "name": "item",
-                  "title": "SC-7 (13) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-7.13_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets."
-                    },
-                    {
-                      "id": "sc-7.13_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.13_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.13_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.18_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.20",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.20_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.20_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.21",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.21_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.21_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.21_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.e_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.8_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-8.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-10_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-11.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-11.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-11.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-12_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-16",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-16_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-16_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-2.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-2.3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "si-4_smt",
-              "parts": [
-                {
-                  "id": "si-4_fr",
-                  "name": "item",
-                  "title": "SI-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "si-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See US-CERT Incident Response Reporting Guidelines."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.b.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.b.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.11_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.14",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.14",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.14_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.14_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.14_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.16",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.16_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.18_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.18_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.19",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.19_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.19_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.19_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.20",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.20_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.20_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.22",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.22_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.22_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.22_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.23",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.23_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.23_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.23_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.24",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.24_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "si-4.5_smt",
-              "parts": [
-                {
-                  "id": "si-4.5_fr",
-                  "name": "item",
-                  "title": "SI-4 (5) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "si-4.5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "In accordance with the incident response plan."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.5_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-5.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7_obj.1.c",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.1_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7.14",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7.14.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.14.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.14.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.14.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7.7_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.7_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-8.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-8.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-8.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-8.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        }
-      ]
-    },
-    "back-matter": {
-      "resources": [
-        {
-          "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48",
-          "title": "FedRAMP Applicable Laws and Regulations",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-citations"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-            }
-          ]
-        },
-        {
-          "uuid": "1a23a771-d481-4594-9a1a-71d584fa4123",
-          "title": "FedRAMP Master Acronym and Glossary",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-acronyms"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f",
-          "desc": "FedRAMP Logo",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-logo"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png"
-            }
-          ]
-        },
-        {
-          "uuid": "ad005eae-cc63-4e64-9109-3905a9a825e4",
-          "title": "NIST Special Publication (SP) 800-53",
-          "properties": [
-            {
-              "name": "version",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "Revision 4"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml",
-              "media-type": "application/xml"
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
diff --git a/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog-min.json b/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog-min.json
deleted file mode 100644
index d475442895..0000000000
--- a/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog-min.json
+++ /dev/null
@@ -1 +0,0 @@
-{"catalog":{"uuid":"7ec7633b-cbd4-4e1d-9015-e5b3d44c2550","metadata":{"title":"FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline","published":"2020-02-02T00:00:00.000-05:00","last-modified":"2020-06-01T10:00:00.000-05:00","version":"1.2","oscal-version":"1.0.0-milestone3","properties":[{"name":"resolution-timestamp","value":"2020-08-31T17:38:37.186738Z"}],"links":[{"href":"FedRAMP_LI-SaaS-baseline_profile.xml","rel":"resolution-source","text":"FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline"}],"roles":[{"id":"parpared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"parties":[{"uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","type":"organization","party-name":"Federal Risk and Authorization Management Program: Program Management Office","short-name":"FedRAMP PMO","links":[{"href":"https://fedramp.gov","rel":"homepage","text":""}],"addresses":[{"type":"work","postal-address":["1800 F St. NW",""],"city":"Washington","state":"DC","postal-code":"","country":"US"}],"email-addresses":["info@fedramp.gov"]},{"uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","type":"organization","party-name":"Federal Risk and Authorization Management Program: Joint Authorization Board","short-name":"FedRAMP JAB"}],"responsible-parties":{"prepared-by":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-pmo":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-jab":{"party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}}},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","parameters":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency"},{"id":"ac-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and\n                     associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Access control policy {{ ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be\n                        disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or\n                        roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control\n                        policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the\n                        organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control\n                        procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","parameters":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to\n                  support organizational missions/business functions: {{ ac-2_prm_1 }};"},{"id":"ac-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in\n                  accordance with {{ ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group,\n               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and\n               service. Some of the account management requirements listed above can be implemented\n               by organizational information systems. The identification of authorized users of the\n               information system and the specification of access privileges reflects the\n               requirements in other security controls in the security plan. Users requiring\n               administrative privileges on information system accounts receive additional scrutiny\n               by appropriate organizational personnel (e.g., system owner, mission/business owner,\n               or chief information security officer) responsible for approving such accounts and\n               privileged access. Organizations may choose to define access privileges or other\n               attributes by account, by type of account, or a combination of both. Other attributes\n               required for authorizing access include, for example, restrictions on time-of-day,\n               day-of-week, and point-of-origin. In defining other account attributes, organizations\n               consider system-related requirements (e.g., scheduled maintenance, system upgrades)\n               and mission/business requirements, (e.g., time zone differences, customer\n               requirements, remote access to support travel requirements). Failure to consider\n               these factors could affect information system availability. Temporary and emergency\n               accounts are accounts intended for short-term use. Organizations establish temporary\n               accounts as a part of normal account activation procedures when there is a need for\n               short-term accounts without the demand for immediacy in account activation.\n               Organizations establish emergency accounts in response to crisis situations and with\n               the need for rapid account activation. Therefore, emergency account activation may\n               bypass normal account authorization processes. Emergency and temporary accounts are\n               not to be confused with infrequently used accounts (e.g., local logon accounts used\n               for special tasks defined by organizations or when network resources are\n               unavailable). Such accounts remain available and are not subject to automatic\n               disabling or removal dates. Conditions for disabling or deactivating accounts\n               include, for example: (i) when shared/group, emergency, or temporary accounts are no\n               longer required; or (ii) when individuals are transferred or terminated. Some types\n               of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-10","rel":"related","text":"AC-10"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","properties":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to\n                     support organizational missions/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to\n                     support organizational missions/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","properties":[{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","properties":[{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","properties":[{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","properties":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","properties":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","properties":[{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information\n                     system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","properties":[{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to\n                     create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","properties":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","properties":[{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated\n                     missions/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","properties":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","properties":[{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management\n                     requirements;"},{"id":"ac-2.j_obj.2","name":"objective","properties":[{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the\n                     organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","properties":[{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of active system accounts along with the name of the individual associated\n                  with each account\\n\\nlist of conditions for group and role membership\\n\\nnotifications or records of recently transferred, separated, or terminated\n                  employees\\n\\nlist of recently disabled information system accounts along with the name of the\n                  individual associated with each account\\n\\naccess authorization records\\n\\naccount management compliance reviews\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\\n\\nautomated mechanisms for implementing account management"}]},{"id":"ac-2_fr","name":"item","title":"AC-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored\n                     for LI-SaaS."}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","properties":[{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to\n               information and system resources in accordance with applicable access control\n               policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control\n               matrices, cryptography) control access between active entities or subjects (i.e.,\n               users or processes acting on behalf of users) and passive entities or objects (e.g.,\n               devices, files, records, domains) in information systems. In addition to enforcing\n               authorized access at the information system level and recognizing that information\n               systems can host many applications and services in support of organizational missions\n               and business operations, access enforcement mechanisms can also be employed at the\n               application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"}]},{"id":"ac-3_obj","name":"objective","prose":"Determine if the information system enforces approved authorizations for logical\n               access to information and system resources in accordance with applicable access\n               control policies."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of approved authorizations (user privileges)\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","parameters":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time period"},{"id":"ac-7_prm_3"},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"properties":[{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon\n                  attempts by a user during a {{ ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically {{ ac-7_prm_3 }} when the maximum number of\n                  unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network\n               connection. Due to the potential for denial of service, automatic lockouts initiated\n               by information systems are usually temporary and automatically release after a\n               predetermined time period established by organizations. If a delay algorithm is\n               selected, organizations may choose to employ different algorithms for different\n               information system components based on the capabilities of those components.\n               Responses to unsuccessful logon attempts may be implemented at both the operating\n               system and the application levels.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ia-5","rel":"related","text":"IA-5"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ac-7.a_obj","name":"objective","properties":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts\n                     allowed to the information system by a user during an organization-defined time\n                     period;"},{"id":"ac-7.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information\n                     system for an organization-defined number of consecutive invalid logon\n                     attempts;"},{"id":"ac-7.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of\n                     consecutive invalid logon attempts by a user during an organization-defined\n                     time period;"}]},{"id":"ac-7.b_obj","name":"objective","properties":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","properties":[{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account/node lockout time period or logon delay\n                     algorithm to be automatically enforced by the information system when the\n                     maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts\n                     is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay\n                        algorithm."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing unsuccessful logon attempts\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem developers\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon\n                  attempts"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO for non-privileged users. Attestation for privileged users related to\n                  multi-factor identification and authentication."}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","parameters":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"properties":[{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Displays to users {{ ac-8_prm_1 }} before granting access to the\n                  system that provides privacy and security notices consistent with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to\n                     criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and\n                     recording;"}]},{"id":"ac-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge\n                  the usage conditions and take explicit actions to log on to or further access the\n                  information system; and"},{"id":"ac-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ ac-8_prm_2 }}, before\n                     granting further access;"},{"id":"ac-8_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are\n                     consistent with privacy accommodations for such systems that generally prohibit\n                     those activities; and"},{"id":"ac-8_smt.c.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners\n               displayed before individuals log in to information systems. System use notifications\n               are used only for access via logon interfaces with human users and are not required\n               when such human interfaces do not exist. Organizations consider system use\n               notification messages/banners displayed in multiple languages based on specific\n               organizational needs and the demographics of information system users. Organizations\n               also consult with the Office of the General Counsel for legal review and approval of\n               warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","properties":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be\n                     displayed by the information system to users before granting access to the\n                     system;"},{"id":"ac-8.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use\n                     notification message or banner before granting access to the information system\n                     that provides privacy and security notices consistent with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to\n                        audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to\n                        criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and\n                        recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","properties":[{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen\n                  until users acknowledge the usage conditions and take explicit actions to log on\n                  to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","properties":[{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the\n                        information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before\n                        granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording,\n                     or auditing that are consistent with privacy accommodations for such systems\n                     that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the\n                     system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprivacy and security policies, procedures addressing system use notification\\n\\ndocumented approval of information system use notification messages or banners\\n\\ninformation system audit records\\n\\nuser acknowledgements of notification message or banner\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system use notification messages\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for providing legal advice\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - This is related to agency data and agency policy solution."}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","parameters":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"properties":[{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies {{ ac-14_prm_1 }} that can be performed on the\n                  information system without identification or authentication consistent with\n                  organizational missions/business functions; and"},{"id":"ac-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no\n               identification or authentication is required in organizational information systems.\n               Organizations may allow a limited number of user actions without identification or\n               authentication including, for example, when individuals access public websites or\n               other publicly accessible federal information systems, when individuals use mobile\n               phones to receive calls, or when facsimiles are received. Organizations also identify\n               actions that normally require identification or authentication but may under certain\n               circumstances (e.g., emergencies), allow identification or authentication mechanisms\n               to be bypassed. Such bypasses may occur, for example, via a software-readable\n               physical switch that commands bypass of the logon functionality and is protected from\n               accidental or unmonitored use. This control does not apply to situations where\n               identification and authentication have already occurred and are not repeated, but\n               rather to situations where identification and authentication have not yet occurred.\n               Organizations may decide that there are no user actions that can be performed on\n               organizational information systems without identification and authentication and\n               thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ia-2","rel":"related","text":"IA-2"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","properties":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without\n                     identification or authentication consistent with organizational\n                     missions/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the\n                     information system without identification or authentication consistent with\n                     organizational missions/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","properties":[{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing permitted actions without identification or\n                  authentication\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nlist of user actions that can be performed without identification or\n                  authentication\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - This is related to agency data and agency policy solution."}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","properties":[{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference","text":"NIST Special Publication 800-46"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference","text":"NIST Special Publication 800-113"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference","text":"NIST Special Publication 800-114"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference","text":"NIST Special Publication 800-121"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration/connection\n                  requirements, and implementation guidance for each type of remote access allowed;\n                  and"},{"id":"ac-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such\n                  connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes\n               acting on behalf of users) communicating through external networks (e.g., the\n               Internet). Remote access methods include, for example, dial-up, broadband, and\n               wireless. Organizations often employ encrypted virtual private networks (VPNs) to\n               enhance confidentiality and integrity over remote connections. The use of encrypted\n               VPNs does not make the access non-remote; however, the use of VPNs, when adequately\n               provisioned with appropriate security controls (e.g., employing appropriate\n               encryption techniques for confidentiality and integrity protection) may provide\n               sufficient assurance to the organization that it can effectively treat such\n               connections as internal networks. Still, VPN connections traverse external networks,\n               and the encrypted VPN does not enhance the availability of remote connections. Also,\n               VPNs with encrypted tunnels can affect the organizational capability to adequately\n               monitor network communications traffic for malicious code. Remote access controls\n               apply to information systems other than public web servers or systems designed for\n               public access. This control addresses authorization prior to allowing remote access\n               without specifying the formats for such authorization. While organizations may use\n               interconnection security agreements to authorize remote access connections, such\n               agreements are not required by this control. Enforcing access restrictions for remote\n               connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","properties":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","properties":[{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such\n                  connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nremote access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access\n                  connections\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","properties":[{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference","text":"NIST Special Publication 800-48"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference","text":"NIST Special Publication 800-94"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference","text":"NIST Special Publication 800-97"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration/connection requirements, and\n                  implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such\n                  connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF/VHF),\n               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,\n               EAP/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","properties":[{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","properties":[{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such\n                  connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nwireless access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access\n                  connections\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - All access to Cloud SaaS are via web services and/or API. The device\n                  accessed from or whether via wired or wireless connection is out of scope.\n                  Regardless of device accessed from, must utilize approved remote access methods\n                  (AC-17), secure communication with strong encryption (SC-13), key management\n                  (SC-12), and multi-factor authentication for privileged access (IA-2[1])."}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","properties":[{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference","text":"NIST Special Publication 800-114"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference","text":"NIST Special Publication 800-124"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference","text":"NIST Special Publication 800-164"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection\n                  requirements, and implementation guidance for organization-controlled mobile\n                  devices; and"},{"id":"ac-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information\n                  systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it\n               can easily be carried by a single individual; (ii) is designed to operate without a\n               physical connection (e.g., wirelessly transmit or receive information); (iii)\n               possesses local, non-removable or removable data storage; and (iv) includes a\n               self-contained power source. Mobile devices may also include voice communication\n               capabilities, on-board sensors that allow the device to capture information, and/or\n               built-in features for synchronizing local data with remote locations. Examples\n               include smart phones, E-readers, and tablets. Mobile devices are typically associated\n               with a single individual and the device is usually in close proximity to the\n               individual; however, the degree of proximity can vary depending upon on the form\n               factor and size of the device. The processing, storage, and transmission capability\n               of the mobile device may be comparable to or merely a subset of desktop systems,\n               depending upon the nature and intended purpose of the device. Due to the large\n               variety of mobile devices with different technical characteristics and capabilities,\n               organizational restrictions may vary for the different classes/types of such devices.\n               Usage restrictions and specific implementation guidance for mobile devices include,\n               for example, configuration management, device identification and authentication,\n               implementation of mandatory protective software (e.g., malicious code detection,\n               firewall), scanning devices for malicious code, updating virus protection software,\n               scanning for critical software updates and patches, conducting primary operating\n               system (and possibly other resident software) integrity checks, and disabling\n               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the\n               need to provide adequate security for mobile devices goes beyond the requirements in\n               this control. Many safeguards and countermeasures for mobile devices are reflected in\n               other security controls in the catalog allocated in the initial control baselines as\n               starting points for the development of security plans and overlays using the\n               tailoring process. There may also be some degree of overlap in the requirements\n               articulated by the security controls within the different families of controls. AC-20\n               addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","properties":[{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","properties":[{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information\n                  systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access control for mobile device usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nauthorizations for mobile device connections to organizational information\n                  systems\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information\n                  systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational\n                  information systems"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - All access to Cloud SaaS are via web service and/or API. The device accessed\n                  from is out of the scope. Regardless of device accessed from, must utilize\n                  approved remote access methods (AC-17), secure communication with strong\n                  encryption (SC-13), key management (SC-12), and multi-factor authentication for\n                  privileged access (IA-2 [1])."}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","properties":[{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust\n               relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external\n                  information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information\n               systems that are outside of the authorization boundary established by organizations\n               and for which organizations typically have no direct supervision and authority over\n               the application of required security controls or the assessment of control\n               effectiveness. External information systems include, for example: (i) personally\n               owned information systems/devices (e.g., notebook computers, smart phones, tablets,\n               personal digital assistants); (ii) privately owned computing and communications\n               devices resident in commercial or public facilities (e.g., hotels, train stations,\n               convention centers, shopping malls, or airports); (iii) information systems owned or\n               controlled by nonfederal governmental organizations; and (iv) federal information\n               systems that are not owned by, operated by, or under the direct supervision and\n               authority of organizations. This control also addresses the use of external\n               information systems for the processing, storage, or transmission of organizational\n               information, including, for example, accessing cloud services (e.g., infrastructure\n               as a service, platform as a service, or software as a service) from organizational\n               information systems. For some external information systems (i.e., information systems\n               operated by other federal agencies, including organizations subordinate to those\n               agencies), the trust relationships that have been established between those\n               organizations and the originating organization may be such, that no explicit terms\n               and conditions are required. Information systems within these organizations would not\n               be considered external. These situations occur when, for example, there are\n               pre-existing sharing/trust agreements (either implicit or explicit) established\n               between federal agencies or organizations subordinate to those agencies, or when such\n               trust agreements are specified by applicable laws, Executive Orders, directives, or\n               policies. Authorized individuals include, for example, organizational personnel,\n               contractors, or other individuals with authorized access to organizational\n               information systems and over which organizations have the authority to impose rules\n               of behavior with regard to system access. Restrictions that organizations impose on\n               authorized individuals need not be uniform, as those restrictions may vary depending\n               upon the trust relationships between organizations. Therefore, organizations may\n               choose to impose different security restrictions on contractors than on state, local,\n               or tribal governments. This control does not apply to the use of external information\n               systems to access public interfaces to organizational information systems (e.g.,\n               individuals accessing federal information through www.usa.gov). Organizations\n               establish terms and conditions for the use of external information systems in\n               accordance with organizational security policies and procedures. Terms and conditions\n               address as a minimum: types of applications that can be accessed on organizational\n               information systems from external information systems; and the highest security\n               category of information that can be processed, stored, or transmitted on external\n               information systems. If terms and conditions with the owners of external information\n               systems cannot be established, organizations may impose restrictions on\n               organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any\n               trust relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to: ","parts":[{"id":"ac-20.a_obj","name":"objective","properties":[{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","properties":[{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external\n                  information systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nexternal information systems terms and conditions\\n\\nlist of types of applications accessible from external information systems\\n\\nmaximum security categorization for information processed, stored, or transmitted\n                  on external information systems\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions\n                  for use of external information systems to access organizational systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external\n                  information systems"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","parameters":[{"id":"ac-22_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least quarterly"}]}],"properties":[{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible\n                  information system;"},{"id":"ac-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included; and"},{"id":"ac-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic\n                  information {{ ac-22_prm_1 }} and removes such information, if\n                  discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations,\n               standards, and/or guidance, the general public is not authorized access to nonpublic\n               information (e.g., information protected under the Privacy Act and proprietary\n               information). This control addresses information systems that are controlled by the\n               organization and accessible to the general public, typically without identification\n               or authentication. The posting of information on non-organization information systems\n               is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-13","rel":"related","text":"AU-13"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-22.a_obj","name":"objective","properties":[{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible\n                  information system;"},{"id":"ac-22.b_obj","name":"objective","properties":[{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","properties":[{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included;"},{"id":"ac-22.d_obj","name":"objective","properties":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","properties":[{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible\n                     information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","properties":[{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic\n                     information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","properties":[{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system,\n                     if discovered."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing publicly accessible content\\n\\nlist of users authorized to post publicly accessible content on organizational\n                  information systems\\n\\ntraining materials and/or records\\n\\nrecords of publicly accessible information reviews\\n\\nrecords of response to nonpublic information on public websites\\n\\nsystem audit logs\\n\\nsecurity awareness training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible\n                  information posted on organizational information systems\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","parameters":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency"},{"id":"at-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and\n                     training policy and associated security awareness and training controls;\n                     and"}]},{"id":"at-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AT\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that\n                        addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training\n                        policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to\n                        organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        security awareness and training policy and associated awareness and training\n                        controls;"},{"id":"at-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness\n                        and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with\n                        the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness\n                        and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","parameters":[{"id":"at-2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference","text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system\n               users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and\n               security awareness techniques based on the specific organizational requirements and\n               the information systems to which personnel have authorized access. The content\n               includes a basic understanding of the need for information security and user actions\n               to maintain security and to respond to suspected security incidents. The content also\n               addresses awareness of the need for operations security. Security awareness\n               techniques can include, for example, displaying posters, offering supplies inscribed\n               with security reminders, generating email advisories/notices from senior\n               organizational officials, displaying logon screen messages, and conducting\n               information security awareness events.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","properties":[{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) as part of initial training for new\n                  users;"},{"id":"at-2.b_obj","name":"objective","properties":[{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) when required by information system\n                  changes; and"},{"id":"at-2.c_obj","name":"objective","properties":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","properties":[{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training\n                     thereafter to information system users (including managers, senior executives,\n                     and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","properties":[{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including\n                     managers, senior executives, and contractors) with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nappropriate codes of federal regulations\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel comprising the general information system user\n                  community"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","parameters":[{"id":"at-3_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference","text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned\n               security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned\n                  duties;"},{"id":"at-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the\n               assigned roles and responsibilities of individuals and the specific security\n               requirements of organizations and the information systems to which personnel have\n               authorized access. In addition, organizations provide enterprise architects,\n               information system developers, software developers, acquisition/procurement\n               officials, information system managers, system/network administrators, personnel\n               conducting configuration management and auditing activities, personnel performing\n               independent verification and validation activities, security control assessors, and\n               other personnel having access to system-level software, adequate security-related\n               technical training specifically tailored for their assigned duties. Comprehensive\n               role-based training addresses management, operational, and technical roles and\n               responsibilities covering physical, personnel, and technical safeguards and\n               countermeasures. Such training can include for example, policies, procedures, tools,\n               and artifacts for the organizational security roles defined. Organizations also\n               provide the training necessary for individuals to carry out their responsibilities\n               related to operations and supply chain security within the context of organizational\n               information security programs. Role-based security training also applies to\n               contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sa-16","rel":"related","text":"SA-16"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","properties":[{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles\n                  and responsibilities before authorizing access to the information system or\n                  performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","properties":[{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles\n                  and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","properties":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","properties":[{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training\n                     thereafter to personnel with assigned security roles and responsibilities;\n                     and"},{"id":"at-3.c_obj.2","name":"objective","properties":[{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned\n                     security roles and responsibilities with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\ncodes of federal regulations\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security\n                  training\\n\\norganizational personnel with assigned information system security roles and\n                  responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","parameters":[{"id":"at-4_prm_1","label":"organization-defined time period"}],"properties":[{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities\n                  including basic security awareness training and specific information system\n                  security training; and"},{"id":"at-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at\n               the option of the organization.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-14","rel":"related","text":"PM-14"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","properties":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities\n                     including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities\n                     including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","properties":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time\n                     period."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training records\\n\\nsecurity awareness and training records\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention\n                  responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","parameters":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency"},{"id":"au-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability\n                     policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AU\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that\n                        addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are\n                        to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined\n                        personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        audit and accountability policy and associated audit and accountability\n                        controls;"},{"id":"au-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and\n                        accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the\n                        organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and\n                        accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in\n                        accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","parameters":[{"id":"au-2_prm_1","label":"organization-defined auditable events"},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined\n               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each\n               identified event"}],"properties":[{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference","text":"NIST Special Publication 800-92"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following\n                  events: {{ au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information\n                  system: {{ au-2_prm_2 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system.\n               Organizations identify audit events as those events which are significant and\n               relevant to the security of information systems and the environments in which those\n               systems operate in order to meet specific and ongoing audit needs. Audit events can\n               include, for example, password changes, failed logons, or failed accesses related to\n               information systems, administrative privilege usage, PIV credential usage, or\n               third-party credential usage. In determining the set of auditable events,\n               organizations consider the auditing appropriate for each of the security controls to\n               be implemented. To balance auditing requirements with other information system needs,\n               this control also requires identifying that subset of auditable events that are\n               audited at a given point in time. For example, organizations may determine that\n               information systems must have the capability to log every file access both successful\n               and unsuccessful, but not activate that capability except for specific circumstances\n               due to the potential burden on system performance. Auditing requirements, including\n               the need for auditable events, may be referenced in other security controls and\n               control enhancements. Organizations also include auditable events that are required\n               by applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards. Audit records can be generated at various levels of abstraction, including\n               at the packet level as information traverses the network. Selecting the appropriate\n               level of abstraction is a critical aspect of an audit capability and can facilitate\n               the identification of root causes to problems. Organizations consider in the\n               definition of auditable events, the auditing necessary to cover related events such\n               as the steps in distributed, transaction-based processes (e.g., processes that are\n               distributed across multiple organizations) and actions that occur in service-oriented\n               architectures.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","properties":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","properties":[{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of\n                     auditing;"},{"id":"au-2.a_obj.2","name":"objective","properties":[{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing\n                     organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","properties":[{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","properties":[{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","properties":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited\n                     within the information system;"},{"id":"au-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be\n                     audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each\n                     identified event."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system auditable events\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","properties":[{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that\n               establishes what type of event occurred, when the event occurred, where the event\n               occurred, the source of the event, the outcome of the event, and the identity of any\n               individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this\n               control, includes, for example, time stamps, source and destination addresses,\n               user/process identifiers, event descriptions, success/fail indications, filenames\n               involved, and access control or flow control rules invoked. Event outcomes can\n               include indicators of event success or failure and event-specific results (e.g., the\n               security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-8","rel":"related","text":"AU-8"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#si-11","rel":"related","text":"SI-11"}]},{"id":"au-3_obj","name":"objective","prose":"Determine if the information system generates audit records containing information\n               that establishes: ","parts":[{"id":"au-3_obj.1","name":"objective","properties":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","properties":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","properties":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","properties":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","properties":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","properties":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable\n                  events"}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","parameters":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"properties":[{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing\n               requirements when allocating audit storage capacity. Allocating sufficient audit\n               storage capacity reduces the likelihood of such capacity being exceeded and resulting\n               in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","properties":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","properties":[{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the\n                  organization-defined audit record storage requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit storage capacity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit record storage requirements\\n\\naudit record storage capability for information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the audit data has been determined to have little or\n                  no impact to government business/mission needs."}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","parameters":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system,\n               overwrite oldest audit records, stop generating audit records)","constraints":[{"detail":"organization-defined actions to be taken (overwrite oldest record)"}]}],"properties":[{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Alerts {{ au-5_prm_1 }} in the event of an audit processing\n                  failure; and"},{"id":"au-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software/hardware errors, failures in\n               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n               Organizations may choose to define additional actions for different audit processing\n               failures (e.g., by type, by location, by severity, or a combination of such factors).\n               This control applies to each audit data storage repository (i.e., distinct\n               information system component where audit records are stored), the total audit storage\n               capacity of organizations (i.e., all audit data storage repositories combined), or\n               both.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#si-12","rel":"related","text":"SI-12"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","properties":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of\n                     an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in\n                     the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","properties":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","properties":[{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown\n                     information system, overwrite oldest audit records, stop generating audit\n                     records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","properties":[{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the\n                     event of an audit processing failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of personnel to be notified in case of an audit processing failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing\n                  failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","parameters":[{"id":"au-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};\n                  and"},{"id":"au-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ au-6_prm_3 }}."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing\n               performed by organizations including, for example, auditing that results from\n               monitoring of account usage, remote access, wireless connectivity, mobile device\n               connection, configuration settings, system component inventory, use of maintenance\n               tools and nonlocal maintenance, physical access, temperature and humidity, equipment\n               delivery and removal, communications at the information system boundaries, use of\n               mobile code, and use of VoIP. Findings can be reported to organizational entities\n               that include, for example, incident response team, help desk, information security\n               group/department. If organizations are prohibited from reviewing and analyzing audit\n               information or unable to conduct such activities (e.g., in certain national security\n               applications or systems), the review/analysis may be carried out by other\n               organizations granted such authority.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-19","rel":"related","text":"SC-19"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","properties":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","properties":[{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when\n                     information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","properties":[{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records\n                     for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","properties":[{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of\n                     organization-defined inappropriate or unusual activity with the\n                     organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","properties":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","properties":[{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis\n                     of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","properties":[{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nreports of audit findings\\n\\nrecords of actions taken in response to reviews/analyses of audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","parameters":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"properties":[{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal\n                  Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is\n               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of\n               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time\n               measurements refers to the degree of synchronization between information system\n               clocks and reference clocks, for example, clocks synchronizing within hundreds of\n               milliseconds or within tens of milliseconds. Organizations may define different time\n               granularities for different system components. Time service can also be critical to\n               other security capabilities such as access control and identification and\n               authentication, depending on the nature of the mechanisms used to support those\n               capabilities.","links":[{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","properties":[{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for\n                  audit records;"},{"id":"au-8.b_obj","name":"objective","properties":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","properties":[{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped\n                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","properties":[{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when\n                     recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","properties":[{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the\n                     organization-defined granularity of time measurement."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","properties":[{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized\n               access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and\n               audit reports) needed to successfully audit information system activity. This control\n               focuses on technical protection of audit information. Physical protection of audit\n               information is addressed by media protection controls and physical and environmental\n               protection controls.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"au-9_obj.1","name":"objective","properties":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","properties":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","properties":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                  information system audit records\\n\\naudit tools\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","parameters":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy"}],"properties":[{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ au-11_prm_1 }} to\n               provide support for after-the-fact investigations of security incidents and to meet\n               regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer\n               needed for administrative, legal, audit, or other operational purposes. This\n               includes, for example, retention and availability of audit records relative to\n               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.\n               Organizations develop standard categories of audit records relative to such types of\n               actions and standard response processes for each type of action. The National\n               Archives and Records Administration (NARA) General Records Schedules provide federal\n               policy on record retention.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#mp-6","rel":"related","text":"MP-6"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","properties":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records\n                  retention policy;"},{"id":"au-11_obj.2","name":"objective","properties":[{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with\n                  records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents;\n                     and"},{"id":"au-11_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naudit record retention policy and procedures\\n\\nsecurity plan\\n\\norganization-defined retention period for audit records\\n\\naudit record archives\\n\\naudit logs\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the audit data has been determined as little or no\n                  impact to government business/mission needs."}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","parameters":[{"id":"au-12_prm_1","label":"organization-defined information system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in\n                  AU-2 a. at {{ au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allows {{ au-12_prm_2 }} to select which auditable events are to be\n                  audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined\n                  in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The\n               list of audited events is the set of events for which audits are to be generated.\n               These events are typically a subset of all events for which the information system is\n               capable of generating audit records.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","properties":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","properties":[{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide\n                     audit record generation capability for the auditable events defined in\n                     AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","properties":[{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the\n                     auditable events defined in AU-2a, at organization-defined information system\n                     components;"}]},{"id":"au-12.b_obj","name":"objective","properties":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","properties":[{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which\n                     auditable events are to be audited by specific components of the information\n                     system;"},{"id":"au-12.b_obj.2","name":"objective","properties":[{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to\n                     select which auditable events are to be audited by specific components of the\n                     system; and"}]},{"id":"au-12.c_obj","name":"objective","properties":[{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d\n                  with the content in defined in AU-3."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","parameters":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency"},{"id":"ca-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and\n                     authorization policy and associated security assessment and authorization\n                     controls; and"}]},{"id":"ca-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ ca-1_prm_2 }};\n                     and"},{"id":"ca-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that\n                        addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization\n                        policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to\n                        organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        security assessment and authorization policy and associated assessment and\n                        authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment\n                        and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy\n                        with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment\n                        and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","parameters":[{"id":"ca-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles","constraints":[{"detail":"individuals or roles to include FedRAMP PMO"}]}],"properties":[{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment\n                  including:","parts":[{"id":"ca-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness;\n                     and"},{"id":"ca-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and\n                     responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of\n                  operation {{ ca-2_prm_1 }} to determine the extent to which the\n                  controls are implemented correctly, operating as intended, and producing the\n                  desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the\n                  assessment; and"},{"id":"ca-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the\n               environments in which those systems operate as part of: (i) initial and ongoing\n               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;\n               and (iv) system development life cycle activities. Security assessments: (i) ensure\n               that information security is built into organizational information systems; (ii)\n               identify weaknesses and deficiencies early in the development process; (iii) provide\n               essential information needed to make risk-based decisions as part of security\n               authorization processes; and (iv) ensure compliance to vulnerability mitigation\n               procedures. Assessments are conducted on the implemented security controls from\n               Appendix F (main catalog) and Appendix G (Program Management controls) as documented\n               in System Security Plans and Information Security Program Plans. Organizations can\n               use other types of assessment activities such as vulnerability scanning and system\n               monitoring to maintain the security posture of information systems during the entire\n               life cycle. Security assessment reports document assessment results in sufficient\n               detail as deemed necessary by organizations, to determine the accuracy and\n               completeness of the reports and whether the security controls are implemented\n               correctly, operating as intended, and producing the desired outcome with respect to\n               meeting security requirements. The FISMA requirement for assessing security controls\n               at least annually does not require additional assessment activities to those\n               activities already in place in organizational security authorization processes.\n               Security assessment results are provided to the individuals or roles appropriate for\n               the types of assessments being conducted. For example, assessments conducted in\n               support of security authorization decisions are provided to authorizing officials or\n               authorizing official designated representatives. To satisfy annual assessment\n               requirements, organizations can use assessment results from the following sources:\n               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;\n               or (iii) system development life cycle activities. Organizations ensure that security\n               assessment results are current, relevant to the determination of security control\n               effectiveness, and obtained with the appropriate level of assessor independence.\n               Existing security control assessment results can be reused to the extent that the\n               results are still valid and can also be supplemented with additional assessments as\n               needed. Subsequent to initial authorizations and in accordance with OMB policy,\n               organizations assess security controls during continuous monitoring. Organizations\n               establish the frequency for ongoing security control assessments in accordance with\n               organizational continuous monitoring strategies. Information Assurance Vulnerability\n               Alerts provide useful examples of vulnerability mitigation procedures. External\n               audits (e.g., audits by external entities such as regulatory agencies) are outside\n               the scope of this control.","links":[{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment\n                  including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control\n                     effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","properties":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system\n                     and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the\n                     organization-defined frequency to determine the extent to which the controls\n                     are implemented correctly, operating as intended, and producing the desired\n                     outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","properties":[{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the\n                  assessment;"},{"id":"ca-2.d_obj","name":"objective","properties":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control\n                     assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined\n                     individuals or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessment planning\\n\\nprocedures addressing security assessments\\n\\nsecurity assessment plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan\n                  development, and/or security assessment reporting"}]},{"id":"ca-2_fr","name":"item","title":"CA-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                     Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n               "}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","parameters":[{"id":"ca-2.1_prm_1","label":"organization-defined level of independence"}],"properties":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"ca-02.01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct\n                  impartial assessments of organizational information systems. Impartiality implies\n                  that assessors are free from any perceived or actual conflicts of interest with\n                  regard to the development, operation, or management of the organizational\n                  information systems under assessment or to the determination of security control\n                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual\n                  or conflicting interest with the organizations where the assessments are being\n                  conducted; (ii) assess their own work; (iii) act as management or employees of the\n                  organizations they are serving; or (iv) place themselves in positions of advocacy\n                  for the organizations acquiring their services. Independent assessments can be\n                  obtained from elements within organizations or can be contracted to public or\n                  private sector entities outside of organizations. Authorizing officials determine\n                  the required level of independence based on the security categories of information\n                  systems and/or the ultimate risk to organizational operations, organizational\n                  assets, or individuals. Authorizing officials also determine if the level of\n                  assessor independence provides sufficient assurance that the results are sound and\n                  can be used to make credible, risk-based decisions. This includes determining\n                  whether contracted security assessment services have sufficient independence, for\n                  example, when information system owners are not directly involved in contracting\n                  processes or cannot unduly influence the impartiality of assessors conducting\n                  assessments. In special situations, for example, when organizations that own the\n                  information systems are small or organizational structures require that\n                  assessments are conducted by individuals that are in the developmental,\n                  operational, or management chain of system owners, independence in assessment\n                  processes can be achieved by ensuring that assessment results are carefully\n                  reviewed and analyzed by independent teams of experts to validate the\n                  completeness, accuracy, integrity, and reliability of the results. Organizations\n                  recognize that assessments performed for purposes other than direct support to\n                  authorization decisions are, when performed by assessors with sufficient\n                  independence, more likely to be useable for such decisions, thereby reducing the\n                  need to repeat assessments."},{"id":"ca-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.1_obj.1","name":"objective","properties":[{"name":"label","value":"CA-2(1)[1]"}],"prose":"defines the level of independence to be employed to conduct security control\n                     assessments; and"},{"id":"ca-2.1_obj.2","name":"objective","properties":[{"name":"label","value":"CA-2(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of\n                     independence to conduct security control assessments."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity authorization package (including security plan, security assessment\n                     plan, security assessment report, plan of action and milestones, authorization\n                     statement)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","parameters":[{"id":"ca-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually and on input from FedRAMP"}]}],"properties":[{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference","text":"NIST Special Publication 800-47"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security\n                  requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e.,\n               system interconnections) and does not apply to transitory, user-controlled\n               connections such as email and website browsing. Organizations carefully consider the\n               risks that may be introduced when information systems are connected to other systems\n               with different security requirements and security controls, both within organizations\n               and external to organizations. Authorizing officials determine the risk associated\n               with information system connections and the appropriate controls employed. If\n               interconnecting systems have the same authorizing official, organizations do not need\n               to develop Interconnection Security Agreements. Instead, organizations can describe\n               the interface characteristics between those interconnecting systems in their\n               respective security plans. If interconnecting systems have different authorizing\n               officials within the same organization, organizations can either develop\n               Interconnection Security Agreements or describe the interface characteristics between\n               systems in the security plans for the respective systems. Organizations may also\n               incorporate Interconnection Security Agreement information into formal contracts,\n               especially for interconnections established between federal agencies and nonfederal\n               (i.e., private sector) organizations. Risk considerations also include information\n               systems sharing the same networks. For certain technologies (e.g., space, unmanned\n               aerial vehicles, and medical devices), there may be specialized connections in place\n               during preoperational testing. Such connections may require Interconnection Security\n               Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","properties":[{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","properties":[{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","properties":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","properties":[{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements;\n                     and"},{"id":"ca-3.c_obj.2","name":"objective","properties":[{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the\n                     organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system Interconnection Security Agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or\n                  approving information system interconnection agreements\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing the system(s) to which the Interconnection Security Agreement\n                  applies"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: There are connection(s) to external systems. Connections (if any) shall\n                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data\n                  is involved and its sensitivity. 3) Determine whether the connection is one-way or\n                  bi-directional. 4) Identify how the connection is secured."}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","parameters":[{"id":"ca-5_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference","text":"OMB Memorandum 02-01"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document\n                  the organization’s planned remedial actions to correct weaknesses or deficiencies\n                  noted during the assessment of the security controls and to reduce or eliminate\n                  known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ ca-5_prm_1 }}\n                  based on the findings from security controls assessments, security impact\n                  analyses, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages\n               and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#pm-4","rel":"related","text":"PM-4"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","properties":[{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or\n                     deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","properties":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the\n                     organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing plan of action and milestones\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and\n                  implementation responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action\n                  and milestones"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring\n                  Requirements."}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","parameters":[{"id":"ca-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every three years or when a significant change occurs"}]}],"properties":[{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference","text":"OMB Circular A-130"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference","text":"OMB Memorandum 11-33"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"},{"id":"ca-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through\n               authorization decision documents, by senior organizational officials or executives\n               (i.e., authorizing officials) to authorize operation of information systems and to\n               explicitly accept the risk to organizational operations and assets, individuals,\n               other organizations, and the Nation based on the implementation of agreed-upon\n               security controls. Authorizing officials provide budgetary oversight for\n               organizational information systems or assume responsibility for the mission/business\n               operations supported by those systems. The security authorization process is an\n               inherently federal responsibility and therefore, authorizing officials must be\n               federal employees. Through the security authorization process, authorizing officials\n               assume responsibility and are accountable for security risks associated with the\n               operation and use of organizational information systems. Accordingly, authorizing\n               officials are in positions with levels of authority commensurate with understanding\n               and accepting such information security-related risks. OMB policy requires that\n               organizations conduct ongoing authorizations of information systems by implementing\n               continuous monitoring programs. Continuous monitoring programs can satisfy three-year\n               reauthorization requirements, so separate reauthorization processes are not\n               necessary. Through the employment of comprehensive continuous monitoring processes,\n               critical information contained in authorization packages (i.e., security plans,\n               security assessment reports, and plans of action and milestones) is updated on an\n               ongoing basis, providing authorizing officials and information system owners with an\n               up-to-date status of the security state of organizational information systems and\n               environments of operation. To reduce the administrative cost of security\n               reauthorization, authorizing officials use the results of continuous monitoring\n               processes to the maximum extent possible as the basis for rendering reauthorization\n               decisions.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","properties":[{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"},{"id":"ca-6.b_obj","name":"objective","properties":[{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","properties":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","properties":[{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","properties":[{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security authorization\\n\\nsecurity authorization package (including security plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\nauthorization statement)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]},{"id":"ca-6_fr","name":"item","title":"CA-6(c) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1,\n                     Appendix F. The service provider describes the types of changes to the\n                     information system or the environment of operations that would impact the risk\n                     posture. The types of changes are approved and accepted by the Authorizing\n                     Official."}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","parameters":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles","constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},{"id":"ca-7_prm_5","label":"organization-defined frequency","constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]}],"properties":[{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference","text":"OMB Memorandum 11-33"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference","text":"US-CERT Technical Cyber Security Alerts"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference","text":"DoD Information Assurance Vulnerability Alerts"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a\n               continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishment of {{ ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational\n                  continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance\n                  with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments\n                  and monitoring;"},{"id":"ca-7_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related\n                  information; and"},{"id":"ca-7_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to\n                     {{ ca-7_prm_4 }}\n                  {{ ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats,\n               vulnerabilities, and information security to support organizational risk management\n               decisions. The terms continuous and ongoing imply that organizations assess/analyze\n               security controls and information security-related risks at a frequency sufficient to\n               support organizational risk-based decisions. The results of continuous monitoring\n               programs generate appropriate risk response actions by organizations. Continuous\n               monitoring programs also allow organizations to maintain the security authorizations\n               of information systems and common controls over time in highly dynamic environments\n               of operation with changing mission/business needs, threats, vulnerabilities, and\n               technologies. Having access to security-related information on a continuing basis\n               through reports/dashboards gives organizational officials the capability to make more\n               effective and timely risk management decisions, including ongoing security\n               authorization decisions. Automation supports more frequent updates to security\n               authorization packages, hardware/software/firmware inventories, and other system\n               information. Effectiveness is further enhanced when continuous monitoring outputs are\n               formatted to provide information that is specific, measurable, actionable, relevant,\n               and timely. Continuous monitoring activities are scaled in accordance with the\n               security categories of information systems.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ca-7.a_obj","name":"objective","properties":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","properties":[{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be\n                     monitored;"},{"id":"ca-7.a_obj.2","name":"objective","properties":[{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of\n                     organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","properties":[{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of\n                     organization-defined metrics in accordance with the organizational continuous\n                     monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","properties":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for\n                     monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","properties":[{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     such monitoring in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.c_obj","name":"objective","properties":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","properties":[{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security\n                     control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","properties":[{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security\n                     control assessments in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.d_obj","name":"objective","properties":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","properties":[{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status\n                     monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","properties":[{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security\n                     status monitoring of organization-defined metrics in accordance with the\n                     organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","properties":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","properties":[{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","properties":[{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.f_obj","name":"objective","properties":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","properties":[{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to\n                     address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","properties":[{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to\n                     address results of the analysis of security-related information in accordance\n                     with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","properties":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","properties":[{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles\n                     to whom the security status of the organization and information system are to\n                     be reported;"},{"id":"ca-7.g_obj.2","name":"objective","properties":[{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report\n                     the security status of the organization and information system to\n                     organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","properties":[{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security\n                     status of the organization or information system to organizational-defined\n                     personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","properties":[{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security\n                     status of the organization and information system to organization-defined\n                     personnel or roles with the organization-defined frequency in accordance with\n                     the organizational continuous monitoring strategy."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                  controls\\n\\nprocedures addressing configuration management\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nconfiguration management records, security impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]},{"id":"ca-7_fr","name":"item","title":"CA-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities\n                     within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                     Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n               "}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","parameters":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of\n               components"}],"properties":[{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ ca-9_prm_1 }} to the\n                  information system; and"},{"id":"ca-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security\n                  requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and\n               (separate) constituent system components (i.e., intra-system connections) including,\n               for example, system connections with mobile devices, notebook/desktop computers,\n               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of\n               authorizing each individual internal connection, organizations can authorize internal\n               connections for a class of components with common characteristics and/or\n               configurations, for example, all digital printers, scanners, and copiers with a\n               specified processing, storage, and transmission capability or all smart phones with a\n               specific baseline configuration.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","properties":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","properties":[{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized\n                     as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","properties":[{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system\n                     components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","properties":[{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of components or classes of components authorized as internal system\n                  connections\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or\n                  authorizing internal system connections\\n\\norganizational personnel with information security responsibilities"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: There are connection(s) to external systems. Connections (if any) shall\n                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data\n                  is involved and its sensitivity. 3) Determine whether the connection is one-way or\n                  bi-directional. 4) Identify how the connection is secured."}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","parameters":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency"},{"id":"cm-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management\n                     policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CM\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to\n                        be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined\n                        personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        configuration management policy and associated configuration management\n                        controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration\n                        management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the\n                        organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration\n                        management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","properties":[{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a\n               current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system\n               components including communications and connectivity-related aspects of systems.\n               Baseline configurations are documented, formally reviewed and agreed-upon sets of\n               specifications for information systems or configuration items within those systems.\n               Baseline configurations serve as a basis for future builds, releases, and/or changes\n               to information systems. Baseline configurations include information about information\n               system components (e.g., standard software packages installed on workstations,\n               notebook computers, servers, network components, or mobile devices; current version\n               numbers and patch information on operating systems and applications; and\n               configuration settings/parameters), network topology, and the logical placement of\n               those components within the system architecture. Maintaining baseline configurations\n               requires creating new baselines as organizational information systems change over\n               time. Baseline configurations of information systems reflect the current enterprise\n               architecture.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#pm-7","rel":"related","text":"PM-7"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","properties":[{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system;\n                  and"},{"id":"cm-2_obj.2","name":"objective","properties":[{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the\n                  information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\nenterprise architecture documentation\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting configuration control of the baseline\n                  configuration"}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","properties":[{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential\n               security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g.,\n               Information System Administrators, Information System Security Officers, Information\n               System Security Managers, and Information System Security Engineers) conduct security\n               impact analyses. Individuals conducting security impact analyses possess the\n               necessary skills/technical expertise to analyze the changes to information systems\n               and the associated security ramifications. Security impact analysis may include, for\n               example, reviewing security plans to understand security control requirements and\n               reviewing system design documentation to understand control implementation and how\n               specific changes might affect the controls. Security impact analyses may also include\n               assessments of risk to better understand the impact of the changes and to determine\n               if additional security controls are required. Security impact analyses are scaled in\n               accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine\n               potential security impacts prior to change implementation."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact\n                  analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","parameters":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists","constraints":[{"detail":"see CM-6(a) Additional FedRAMP Requirements and Guidance"}]},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"properties":[{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference","text":"OMB Memorandum 07-11"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference","text":"OMB Memorandum 07-18"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference","text":"OMB Memorandum 08-22"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference","text":"http://checklists.nist.gov"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference","text":"http://www.nsa.gov"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology\n                  products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with\n                  operational requirements;"},{"id":"cm-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration\n                  settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with\n                  organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware,\n               software, or firmware components of the information system that affect the security\n               posture and/or functionality of the system. Information technology products for which\n               security-related configuration settings can be defined include, for example,\n               mainframe computers, servers (e.g., database, electronic mail, authentication, web,\n               proxy, file, domain name), workstations, input/output devices (e.g., scanners,\n               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice\n               and data switches, wireless access points, network appliances, sensors), operating\n               systems, middleware, and applications. Security-related parameters are those\n               parameters impacting the security state of information systems including the\n               parameters required to satisfy other security control requirements. Security-related\n               parameters include, for example: (i) registry settings; (ii) account, file, directory\n               permission settings; and (iii) settings for functions, ports, protocols, services,\n               and remote connections. Organizations establish organization-wide configuration\n               settings and subsequently derive specific settings for information systems. The\n               established settings become part of the systems configuration baseline. Common secure\n               configurations (also referred to as security configuration checklists, lockdown and\n               hardening guides, security reference guides, security technical implementation\n               guides) provide recognized, standardized, and established benchmarks that stipulate\n               secure configuration settings for specific information technology platforms/products\n               and instructions for configuring those information system components to meet\n               operational requirements. Common secure configurations can be developed by a variety\n               of organizations including, for example, information technology product developers,\n               manufacturers, vendors, consortia, academia, industry, federal agencies, and other\n               organizations in the public and private sectors. Common secure configurations include\n               the United States Government Configuration Baseline (USGCB) which affects the\n               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security\n               Content Automation Protocol (SCAP) and the defined standards within the protocol\n               (e.g., Common Configuration Enumeration) provide an effective method to uniquely\n               identify, track, and control configuration settings. OMB establishes federal policy\n               on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","properties":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","properties":[{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document\n                     configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","properties":[{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most\n                     restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","properties":[{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology\n                     products employed within the information system using organization-defined\n                     security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","properties":[{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","properties":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established\n                     configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration\n                        settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration\n                        settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","properties":[{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","properties":[{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","properties":[{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","properties":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","properties":[{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with\n                     organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","properties":[{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with\n                     organizational policies and procedures."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nevidence supporting approved deviations from established configuration\n                  settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\\n\\nautomated mechanisms that implement, monitor, and/or control information system\n                  configuration settings\\n\\nautomated mechanisms that identify and/or document deviations from established\n                  configuration settings"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Required - Specifically include details of least functionality."},{"id":"cm-6_fr","name":"item","title":"CM-6(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines\n                     (Level 1) to establish configuration settings or establishes its own\n                     configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings\n                     are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP\n                     compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","parameters":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and/or\n               services"}],"properties":[{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference","text":"DoD Instruction 8551.01"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols,\n                  and/or services: {{ cm-7_prm_1 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the\n               functions and services, provided by default, may not be necessary to support\n               essential organizational operations (e.g., key missions, functions). Additionally, it\n               is sometimes convenient to provide multiple services from single information system\n               components, but doing so increases risk over limiting the services provided by any\n               one component. Where feasible, organizations limit component functionality to a\n               single function per device (e.g., email servers or web servers, but not both).\n               Organizations review functions and services provided by information systems or\n               individual components of information systems, to determine which functions and\n               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant\n               Messaging, auto-execute, and file sharing). Organizations consider disabling unused\n               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File\n               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to\n               prevent unauthorized connection of devices, unauthorized transfer of information, or\n               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion\n               detection and prevention systems, and end-point protections such as firewalls and\n               host-based intrusion detection systems to identify and prevent the use of prohibited\n               functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","properties":[{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","properties":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.b_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.b_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing least functionality in the information system\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols,\n                  and/or services\\n\\nautomated mechanisms implementing restrictions or prohibition of functions, ports,\n                  protocols, and/or services"}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","parameters":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective\n               information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information\n                     system;"},{"id":"cm-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting;\n                     and"},{"id":"cm-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Includes {{ cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component\n               inventories that include components from all organizational information systems. In\n               such situations, organizations ensure that the resulting inventories include\n               system-specific information required for proper component accountability (e.g.,\n               information system association, information system owner). Information deemed\n               necessary for effective accountability of information system components includes, for\n               example, hardware inventory specifications, software license information, software\n               version numbers, component owners, and for networked components or devices, machine\n               names and network addresses. Inventory specifications include, for example,\n               manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pm-5","rel":"related","text":"PM-5"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that\n                     accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that\n                     includes all components within the authorization boundary of the information\n                     system;"},{"id":"cm-8.a.3_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at\n                     the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","properties":[{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information\n                        system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that\n                        includes organization-defined information deemed necessary to achieve\n                        effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","properties":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","properties":[{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component\n                     inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","properties":[{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the\n                     organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component\n                  inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of\n                  information system components\\n\\nautomated mechanisms supporting and/or implementing the information system\n                  component inventory"}]},{"id":"cm-8_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","properties":[{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"},{"id":"cm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple\n               spreadsheets) or automated methods (e.g., specialized tracking applications)\n               depending on organizational needs.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","properties":[{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","properties":[{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","properties":[{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing software usage restrictions\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nsoftware contract agreements and copyright laws\\n\\nsite license documentation\\n\\nlist of software usage restrictions\\n\\nsoftware license tracking reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity\n                  licenses\\n\\norganization process for controlling/documenting the use of peer-to-peer file\n                  sharing technology\\n\\nautomated mechanisms implementing software license tracking\\n\\nautomated mechanisms implementing and controlling the use of peer-to-peer files\n                  sharing technology"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO- Not directly related to protection of the data."}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","parameters":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes {{ cm-11_prm_1 }} governing the installation of\n                  software by users;"},{"id":"cm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ cm-11_prm_2 }};\n                  and"},{"id":"cm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in\n               organizational information systems. To maintain control over the types of software\n               installed, organizations identify permitted and prohibited actions regarding software\n               installation. Permitted software installations may include, for example, updates and\n               security patches to existing software and downloading applications from\n               organization-approved “app stores” Prohibited software installations may include, for\n               example, software with unknown or suspect pedigrees or software that organizations\n               consider potentially malicious. The policies organizations select governing\n               user-installed software may be organization-developed or provided by some external\n               entity. Policy enforcement methods include procedural methods (e.g., periodic\n               examination of user accounts), automated methods (e.g., configuration settings\n               implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","properties":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","properties":[{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","properties":[{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of\n                     software by users;"}]},{"id":"cm-11.b_obj","name":"objective","properties":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","properties":[{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","properties":[{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined\n                     methods;"}]},{"id":"cm-11.c_obj","name":"objective","properties":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","properties":[{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","properties":[{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of rules governing user installed software\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records\\n\\ncontinuous monitoring strategy"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed\n                  software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel monitoring compliance with user-installed software\n                  policy\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information\n                  system\\n\\nautomated mechanisms enforcing rules/methods for governing the installation of\n                  software by users\\n\\nautomated mechanisms monitoring policy compliance"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Boundary is specific to SaaS environment; all access is via web services;\n                  users' machine or internal network are not contemplated. External services (SA-9),\n                  internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and\n                  SC-13), and privileged authentication (IA-2[1]) are considerations."}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","parameters":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency"},{"id":"cp-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy\n                     and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that\n                        addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning\n                        policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to\n                        organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the\n                        implementation of the contingency planning policy and associated contingency\n                        planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined\n                        personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current\n                        contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with\n                        the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current\n                        contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","parameters":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"}],"properties":[{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency\n                     requirements;"},{"id":"cp-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with\n                     contact information;"},{"id":"cp-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information\n                  system, or environment of operation and problems encountered during contingency\n                  plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational\n               program for achieving continuity of operations for mission/business functions.\n               Contingency planning addresses both information system restoration and implementation\n               of alternative mission/business processes when systems are compromised. The\n               effectiveness of contingency planning is maximized by considering such planning\n               throughout the phases of the system development life cycle. Performing contingency\n               planning on hardware, software, and firmware development can be an effective means of\n               achieving information system resiliency. Contingency plans reflect the degree of\n               restoration required for organizational information systems since not all systems may\n               need to fully recover to achieve the level of continuity of operations desired.\n               Information system recovery objectives reflect applicable laws, Executive Orders,\n               directives, policies, standards, regulations, and guidelines. In addition to\n               information system availability, contingency plans also address other\n               security-related events resulting in a reduction in mission and/or business\n               effectiveness, such as malicious attacks compromising the confidentiality or\n               integrity of information systems. Actions addressed in contingency plans include, for\n               example, orderly/graceful degradation, information system shutdown, fallback to a\n               manual mode, alternate information flows, and operating in modes reserved for when\n               systems are under attack. By closely coordinating contingency planning with incident\n               handling activities, organizations can ensure that the necessary contingency planning\n               activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-11","rel":"related","text":"PM-11"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency\n                     requirements;"},{"id":"cp-2.a.2_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for\n                        the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","properties":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom copies of the contingency plan are to be\n                     distributed;"},{"id":"cp-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key\n                     contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","properties":[{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","properties":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information\n                     system;"},{"id":"cp-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","properties":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of\n                     operation;"},{"id":"cp-2.e_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","properties":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom contingency plan changes are to be\n                     communicated;"},{"id":"cp-2.f_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency\n                     personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","properties":[{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nevidence of contingency plan reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and\n                  protection\\n\\nautomated mechanisms for developing, reviewing, updating and/or protecting the\n                  contingency plan"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","parameters":[{"id":"cp-3_prm_1","label":"organization-defined time period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent\n               with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ cp-3_prm_1 }} of assuming a contingency role or\n                  responsibility;"},{"id":"cp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and\n               responsibilities of organizational personnel to ensure that the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know when and where to report for duty during contingency operations and if\n               normal duties are affected; system administrators may require additional training on\n               how to set up information systems at alternate processing and storage sites; and\n               managers/senior leaders may receive more specific training on how to conduct\n               mission-essential functions in designated off-site locations and how to establish\n               communications with other governmental entities for purposes of coordination on\n               contingency-related activities. Training for contingency roles/responsibilities\n               reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-2","rel":"related","text":"IR-2"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","properties":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to\n                     information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","properties":[{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned\n                  roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","properties":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","properties":[{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","properties":[{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with\n                     assigned roles and responsibilities with the organization-defined frequency\n                     thereafter."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nsecurity plan\\n\\ncontingency training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and\n                  training responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","parameters":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"properties":[{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference","text":"NIST Special Publication 800-84"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the\n                  effectiveness of the plan and the organizational readiness to execute the\n                  plan;"},{"id":"cp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and\n               to identify potential weaknesses in the plans include, for example, walk-through and\n               tabletop exercises, checklists, simulations (parallel, full interrupt), and\n               comprehensive exercises. Organizations conduct testing based on the continuity\n               requirements in contingency plans and include a determination of the effects on\n               organizational operations, assets, and individuals arising due to contingency\n               operations. Organizations have flexibility and discretion in the breadth, depth, and\n               timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-3","rel":"related","text":"IR-3"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-4.a_obj","name":"objective","properties":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the\n                     organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information\n                     system;"},{"id":"cp-4.a_obj.3","name":"objective","properties":[{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the\n                     organization-defined frequency, using organization-defined tests to determine\n                     the effectiveness of the plan and the organizational readiness to execute the\n                     plan;"}]},{"id":"cp-4.b_obj","name":"objective","properties":[{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","properties":[{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\nsecurity plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing,\n                  reviewing or responding to contingency plan tests\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                  testing"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","parameters":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]}],"properties":[{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system\n                     {{ cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system\n                     {{ cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related\n                  documentation {{ cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating\n               system and application software, and licenses. User-level information includes any\n               information other than system-level information. Mechanisms employed by organizations\n               to protect the integrity of information system backups include, for example, digital\n               signatures and cryptographic hashes. Protection of system backup information while in\n               transit is beyond the scope of this control. Information system backups reflect the\n               requirements in contingency plans as well as other organizational requirements for\n               backing up information.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.a_obj","name":"objective","properties":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","properties":[{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of user-level information contained in the information\n                     system;"},{"id":"cp-9.a_obj.2","name":"objective","properties":[{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system\n                     with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","properties":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of system-level information contained in the information\n                     system;"},{"id":"cp-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information\n                     system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","properties":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","properties":[{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of information system documentation including security-related\n                     documentation;"},{"id":"cp-9.c_obj.2","name":"objective","properties":[{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including\n                     security-related documentation, with the organization-defined frequency;\n                     and"}]},{"id":"cp-9.d_obj","name":"objective","properties":[{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system backups"}]},{"id":"cp-9_fr","name":"item","title":"CP-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment\n                     require the Information System Backup control. The service provider shall\n                     determine how Information System Backup is going to be verified and appropriate\n                     periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level\n                     information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","properties":[{"name":"label","value":"CP-9(b)Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level\n                     information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","properties":[{"name":"label","value":"CP-9(c)Requirement:"}],"prose":"The service provider maintains at least three backup copies of information\n                     system documentation including security information (at least one of which is\n                     available online)."}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","properties":[{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information\n               system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore\n               organizational missions/business functions. Reconstitution takes place following\n               recovery and includes activities for returning organizational information systems to\n               fully operational states. Recovery and reconstitution operations reflect mission and\n               business priorities, recovery point/time and reconstitution objectives, and\n               established organizational metrics consistent with contingency plan requirements.\n               Reconstitution includes the deactivation of any interim information system\n               capabilities that may have been needed during recovery operations. Reconstitution\n               also includes assessments of fully restored information system capabilities,\n               reestablishment of continuous monitoring activities, potential information system\n               reauthorizations, and activities to prepare the systems against future disruptions,\n               compromises, or failures. Recovery/reconstitution capabilities employed by\n               organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for: ","parts":[{"id":"cp-10_obj.1","name":"objective","properties":[{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","properties":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","properties":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","properties":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","properties":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","properties":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","properties":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","properties":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test results\\n\\ncontingency plan test documentation\\n\\nredundant secondary system for information system backups\\n\\nlocation(s) of redundant secondary backup system(s)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and/or\n                  reconstitution responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and\n                  reconstitution operations\\n\\nautomated mechanisms supporting and/or implementing information system recovery\n                  and reconstitution operations"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","parameters":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency"},{"id":"ia-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and\n                     authentication policy and associated identification and authentication\n                     controls; and"}]},{"id":"ia-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ ia-1_prm_2 }};\n                     and"},{"id":"ia-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that\n                        addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication\n                        policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to\n                        organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        identification and authentication policy and associated identification and\n                        authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and\n                        authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy\n                        with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and\n                        authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","properties":[{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference","text":"HSPD-12"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or\n               processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have\n               equivalent status of employees (e.g., contractors, guest researchers). This control\n               applies to all accesses other than: (i) accesses that are explicitly identified and\n               documented in AC-14; and (ii) accesses that occur through authorized use of group\n               authenticators without individual authentication. Organizations may require unique\n               identification of individuals in group accounts (e.g., shared privilege accounts) or\n               for detailed accountability of individual activity. Organizations employ passwords,\n               tokens, or biometrics to authenticate user identities, or in the case multifactor\n               authentication, or some combination thereof. Access to organizational information\n               systems is defined as either local access or network access. Local access is any\n               access to organizational information systems by users (or processes acting on behalf\n               of users) where such access is obtained by direct connections without the use of\n               networks. Network access is access to organizational information systems by users (or\n               processes acting on behalf of users) where such access is obtained through network\n               connections (i.e., nonlocal accesses). Remote access is a type of network access that\n               involves communication through external networks (e.g., the Internet). Internal\n               networks include local area networks and wide area networks. In addition, the use of\n               encrypted virtual private networks (VPNs) for network connections between\n               organization-controlled endpoints and non-organization controlled endpoints may be\n               treated as internal networks from the perspective of protecting the confidentiality\n               and integrity of information traversing the network. Organizations can satisfy the\n               identification and authentication requirements in this control by complying with the\n               requirements in Homeland Security Presidential Directive 12 consistent with the\n               specific organizational implementation plans. Multifactor authentication requires the\n               use of two or more different factors to achieve authentication. The factors are\n               defined as: (i) something you know (e.g., password, personal identification number\n               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);\n               or (iii) something you are (e.g., biometric). Multifactor solutions that require\n               devices separate from information systems gaining access include, for example,\n               hardware tokens providing time-based or challenge-response authenticators and smart\n               cards such as the U.S. Government Personal Identity Verification card and the DoD\n               common access card. In addition to identifying and authenticating users at the\n               information system level (i.e., at logon), organizations also employ identification\n               and authentication mechanisms at the application level, when necessary, to provide\n               increased information security. Identification and authentication requirements for\n               other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates\n               organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\\n\\nautomated mechanisms supporting and/or implementing identification and\n                  authentication capability"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO for non-privileged users. Attestation for privileged users related to\n                  multi-factor identification and authentication - specifically include description\n                  of management of service accounts."}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","properties":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to\n                  privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ia-2.1_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for\n                  network access to privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","properties":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access\n                  control systems (LACS) and physical access control systems (PACS). Personal\n                  Identity Verification (PIV) credentials are those credentials issued by federal\n                  agencies that conform to FIPS Publication 201 and supporting guidance documents.\n                  OMB Memorandum 11-11 requires federal agencies to continue implementing the\n                  requirements specified in HSPD-12 to enable agency-wide use of PIV\n                  credentials.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"ia-2.12_obj.1","name":"objective","properties":[{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","properties":[{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing acceptance and verification\n                     of PIV credentials"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."},{"id":"ia-2.12_fr","name":"item","title":"IA-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of\n                     PIV/FIPS 201/HSPD-12."}]}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","parameters":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period"},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity"}],"properties":[{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ ia-4_prm_1 }} to assign an\n                  individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ ia-4_prm_3 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet\n               protocol (IP) addresses, or device-unique token identifiers. Management of individual\n               identifiers is not applicable to shared information system accounts (e.g., guest and\n               anonymous accounts). Typically, individual identifiers are the user names of the\n               information system accounts assigned to those individuals. In such instances, the\n               account management activities of AC-2 use account names provided by IA-4. This\n               control also addresses individual identifiers not necessarily associated with\n               information system accounts (e.g., identifiers used in physical security control\n               databases accessed by badge reader systems for access to information systems).\n               Preventing reuse of identifiers implies preventing the assignment of previously used\n               individual, group, role, or device identifiers to different individuals, groups,\n               roles, or devices.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#sc-37","rel":"related","text":"SC-37"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by: ","parts":[{"id":"ia-4.a_obj","name":"objective","properties":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to\n                     assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and/or"},{"id":"ia-4.a_obj.1.d","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to\n                     assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and/or"},{"id":"ia-4.a_obj.2.d","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","properties":[{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","properties":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and/or"},{"id":"ia-4.b_obj.4","name":"objective","properties":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","properties":[{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","properties":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and/or"},{"id":"ia-4.c_obj.4","name":"objective","properties":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","properties":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","properties":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of\n                     inactivity."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system accounts\\n\\nlist of identifiers generated from physical access control devices\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","parameters":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"properties":[{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the\n                  individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the\n                  organization;"},{"id":"ia-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"},{"id":"ia-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator\n                  distribution, for lost/compromised or damaged authenticators, and for revoking\n                  authenticators;"},{"id":"ia-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system\n                  installation;"},{"id":"ia-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for\n                  authenticators;"},{"id":"ia-5_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changing/refreshing authenticators {{ ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and\n                  modification;"},{"id":"ia-5_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security\n                  safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group/role accounts when membership to those accounts\n                  changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI\n               certificates, and key cards. Initial authenticator content is the actual content\n               (e.g., the initial password) as opposed to requirements about authenticator content\n               (e.g., minimum password length). In many cases, developers ship information system\n               components with factory default authentication credentials to allow for initial\n               installation and configuration. Default authentication credentials are often well\n               known, easily discoverable, and present a significant security risk. The requirement\n               to protect individual authenticators may be implemented via control PL-4 or PS-6 for\n               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28\n               for authenticators stored within organizational information systems (e.g., passwords\n               stored in hashed or encrypted formats, files containing encrypted or hashed passwords\n               accessible with administrator privileges). Information systems support individual\n               authenticator management by organization-defined settings and restrictions for\n               various authenticator characteristics including, for example, minimum password\n               length, password composition, validation time window for time synchronous one-time\n               tokens, and number of allowed rejections during the verification stage of biometric\n               authentication. Specific actions that can be taken to safeguard authenticators\n               include, for example, maintaining possession of individual authenticators, not\n               loaning or sharing individual authenticators with others, and reporting lost, stolen,\n               or compromised authenticators immediately. Authenticator management includes issuing\n               and revoking, when no longer needed, authenticators for temporary access such as that\n               required for remote maintenance. Device authenticators include, for example,\n               certificates and passwords.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-28","rel":"related","text":"SC-28"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by: ","parts":[{"id":"ia-5.a_obj","name":"objective","properties":[{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and/or"},{"id":"ia-5.a_obj.4","name":"objective","properties":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","properties":[{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the\n                  organization;"},{"id":"ia-5.c_obj","name":"objective","properties":[{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"},{"id":"ia-5.d_obj","name":"objective","properties":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial\n                     authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost/compromised or\n                     damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking\n                     authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","properties":[{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system\n                  installation;"},{"id":"ia-5.f_obj","name":"objective","properties":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","properties":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing/refreshing\n                     authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing/refreshing authenticators with the organization-defined time period by\n                     authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","properties":[{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","properties":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect\n                     authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect\n                     authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","properties":[{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group/role accounts when membership to those accounts\n                  changes."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system authenticator types\\n\\nchange control records associated with managing information system\n                  authenticators\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                  capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","parameters":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters,\n                  mix of upper-case letters, lower-case letters, numbers, and special characters,\n                  including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number"},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number"}],"properties":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords\n                     are created: {{ ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;\n                     and"},{"id":"ia-5.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate\n                     change to a permanent password."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals\n                  using passwords as individual or group authenticators, and in a similar manner,\n                  when passwords are part of multifactor authenticators. This control enhancement\n                  does not apply when passwords are used to unlock hardware authenticators (e.g.,\n                  Personal Identity Verification cards). The implementation of such password\n                  mechanisms may not meet all of the requirements in the enhancement.\n                  Cryptographically-protected passwords include, for example, encrypted versions of\n                  passwords and one-way cryptographic hashes of passwords. The number of changed\n                  characters refers to the number of changes required with respect to the total\n                  number of positions in the current password. Password lifetime restrictions do not\n                  apply to temporary passwords. To mitigate certain brute force attacks against\n                  passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related","text":"IA-6"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication: ","parts":[{"id":"ia-5.1.a_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters,\n                        lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of\n                        character;"},{"id":"ia-5.1.a_obj.5","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of\n                        organization-defined requirements for case sensitivity, number of\n                        characters, mix of upper-case letters, lower-case letters, numbers, and\n                        special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp","text":"IA-5(1)(a)"}]},{"id":"ia-5.1.b_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be\n                        enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum\n                        number of characters that must be changed when new passwords are\n                        created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp","text":"IA-5(1)(b)"}]},{"id":"ia-5.1.c_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of\n                     passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp","text":"IA-5(1)(c)"}]},{"id":"ia-5.1.d_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions\n                        to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions\n                        to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of\n                        organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","properties":[{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of\n                        organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp","text":"IA-5(1)(d)"}]},{"id":"ia-5.1.e_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited\n                        from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined\n                        number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp","text":"IA-5(1)(e)"}]},{"id":"ia-5.1.f_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons\n                     with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp","text":"IA-5(1)(f)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\npassword policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\npassword configurations and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","parameters":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"properties":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs\n                  mechanisms that satisfy {{ ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based\n                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.\n                  Organizations define specific requirements for tokens, such as working with a\n                  particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication: ","parts":[{"id":"ia-5.11_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined\n                     token quality requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nautomated mechanisms employing hardware token-based authentication for the\n                     information system\\n\\nlist of token quality requirements\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing hardware token-based\n                     authenticator management capability"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - for Federal privileged users. Condition - Must document and assess for\n                  privileged users. May attest to this control for non-privileged users."}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","properties":[{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the\n               authentication process to protect the information from possible exploitation/use by\n               unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow\n               unauthorized individuals to compromise authentication mechanisms. For some types of\n               information systems or system components, for example, desktops/notebooks with\n               relatively large monitors, the threat (often referred to as shoulder surfing) may be\n               significant. For other types of systems or components, for example, mobile devices\n               with 2-4 inch screens, this threat may be less significant, and may need to be\n               balanced against the increased likelihood of typographic input errors due to the\n               small keyboards. Therefore, the means for obscuring the authenticator feedback is\n               selected accordingly. Obscuring the feedback of authentication information includes,\n               for example, displaying asterisks when users type passwords into input devices, or\n               displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related","text":"PE-18"}]},{"id":"ia-6_obj","name":"objective","prose":"Determine if the information system obscures feedback of authentication information\n               during the authentication process to protect the information from possible\n               exploitation/use by unauthorized individuals."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator feedback\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the obscuring of feedback of\n                  authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","properties":[{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference","text":"FIPS Publication 140"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference","text":"http://csrc.nist.gov/groups/STM/cmvp/index.html"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic\n               module that meet the requirements of applicable federal laws, Executive Orders,\n               directives, policies, regulations, standards, and guidance for such\n               authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to\n               authenticate an operator accessing the module and to verify that the operator is\n               authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ia-7_obj","name":"objective","prose":"Determine if the information system implements mechanisms for authentication to a\n               cryptographic module that meet the requirements of applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and guidance for such\n               authentication."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing cryptographic module authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module\n                  authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic module\n                  authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","properties":[{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference","text":"OMB Memorandum 10-06-2011"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference","text":"NIST Special Publication 800-116"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference","text":"National Strategy for Trusted Identities in\n            Cyberspace"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users\n               (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational\n               users explicitly covered by IA-2. These individuals are uniquely identified and\n               authenticated for accesses other than those accesses explicitly identified and\n               documented in AC-14. In accordance with the E-Authentication E-Government initiative,\n               authentication of non-organizational users accessing federal information systems may\n               be required to protect federal, proprietary, or privacy-related information (with\n               exceptions noted for national security systems). Organizations use risk assessments\n               to determine authentication needs and consider scalability, practicality, and\n               security in balancing the need to ensure ease of use for access to federal\n               information and information systems with the need to protect and adequately mitigate\n               risk. IA-2 addresses identification and authentication requirements for access to\n               information systems by organizational users.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sc-8","rel":"related","text":"SC-8"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates\n               non-organizational users (or processes acting on behalf of non-organizational\n               users)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                  authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","properties":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and\n                  physical access control systems (PACS). Personal Identity Verification (PIV)\n                  credentials are those credentials issued by federal agencies that conform to FIPS\n                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires\n                  federal agencies to continue implementing the requirements specified in HSPD-12 to\n                  enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"ia-8.1_obj.1","name":"objective","properties":[{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies;\n                     and"},{"id":"ia-8.1_obj.2","name":"objective","properties":[{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from\n                     other agencies."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept and verify PIV credentials"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","properties":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems\n                  that are accessible to the general public, for example, public-facing websites.\n                  Third-party credentials are those credentials issued by nonfederal government\n                  entities approved by the Federal Identity, Credential, and Access Management\n                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials\n                  meet or exceed the set of minimum federal government-wide technical, security,\n                  privacy, and organizational maturity requirements. This allows federal government\n                  relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related","text":"AU-2"}]},{"id":"ia-8.2_obj","name":"objective","prose":"Determine if the information system accepts only FICAM-approved third-party\n                  credentials. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-approved, third-party credentialing products, components, or\n                     services procured and implemented by organization\\n\\nthird-party credential verification records\\n\\nevidence of FICAM-approved third-party credentials\\n\\nthird-party credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept FICAM-approved credentials"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","parameters":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"properties":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in\n                     {{ ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are\n                  accessible to the general public, for example, public-facing websites.\n                  FICAM-approved information system components include, for example, information\n                  technology products and software libraries that have been approved by the Federal\n                  Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-8.3_obj.1","name":"objective","properties":[{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system\n                     components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","properties":[{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in\n                     organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nthird-party credential validations\\n\\nthird-party credential authorizations\\n\\nthird-party credential records\\n\\nlist of FICAM-approved information system components procured and implemented\n                     by organization\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information system security, acquisition, and\n                     contracting responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","properties":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure\n                  that these standards are viable, robust, reliable, sustainable (e.g., available in\n                  commercial information technology products), and interoperable as documented, the\n                  United States Government assesses and scopes identity management standards and\n                  technology implementations against applicable federal legislation, directives,\n                  policies, and requirements. The result is FICAM-issued implementation profiles of\n                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and\n                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute\n                  Exchange).","links":[{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.4_obj","name":"objective","prose":"Determine if the information system conforms to FICAM-issued profiles. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-issued profiles and associated, approved protocols\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing conformance with\n                     FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","parameters":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency"},{"id":"ir-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and\n                     associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IR\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be\n                        disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel\n                        or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response\n                        policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the\n                        organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response\n                        procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","parameters":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users\n               consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ ir-2_prm_1 }} of assuming an incident response role or\n                  responsibility;"},{"id":"ir-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles\n               and responsibilities of organizational personnel to ensure the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know who to call or how to recognize an incident on the information system;\n               system administrators may require additional training on how to handle/remediate\n               incidents; and incident responders may receive more specific training on forensics,\n               reporting, system recovery, and restoration. Incident response training includes user\n               training in the identification and reporting of suspicious activities, both from\n               external and internal sources.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","properties":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","properties":[{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided\n                     to information system users assuming an incident response role or\n                     responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","properties":[{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","properties":[{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with\n                  assigned roles and responsibilities when required by information system\n                  changes;"},{"id":"ir-2.c_obj","name":"objective","properties":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","properties":[{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to\n                     information system users consistent with assigned roles or responsibilities;\n                     and"},{"id":"ir-2.c_obj.2","name":"objective","properties":[{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident\n                     response training to information system users consistent with assigned roles\n                     and responsibilities in accordance with the organization-defined frequency to\n                     provide refresher training."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nsecurity plan\\n\\nincident response plan\\n\\nsecurity plan\\n\\nincident response training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","properties":[{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes\n                  preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities;\n                  and"},{"id":"ir-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into\n                  incident response procedures, training, and testing, and implements the resulting\n                  changes accordingly."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the\n               capabilities of organizational information systems and the mission/business processes\n               being supported by those systems. Therefore, organizations consider incident response\n               as part of the definition, design, and development of mission/business processes and\n               information systems. Incident-related information can be obtained from a variety of\n               sources including, for example, audit monitoring, network monitoring, physical access\n               monitoring, user/administrator reports, and reported supply chain events. Effective\n               incident handling capability includes coordination among many organizational entities\n               including, for example, mission/business owners, information system owners,\n               authorizing officials, human resources offices, physical and personnel security\n               offices, legal departments, operations personnel, procurement offices, and the risk\n               executive (function).","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","properties":[{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that\n                  includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","properties":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","properties":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","properties":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","properties":[{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","properties":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities\n                     into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing/exercises."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]},{"id":"ir-4_fr","name":"item","title":"IR-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-4_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet\n                     personnel security requirements commensurate with the criticality/sensitivity\n                     of the information being processed, stored, and transmitted by the information\n                     system."}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","properties":[{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining\n               records about each incident, the status of the incident, and other pertinent\n               information necessary for forensics, evaluating incident details, trends, and\n               handling. Incident information can be obtained from a variety of sources including,\n               for example, incident reports, incident response teams, audit monitoring, network\n               monitoring, physical access monitoring, and user/administrator reports.","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-5_obj.1","name":"objective","properties":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","properties":[{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nincident response records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\\n\\nautomated mechanisms supporting and/or implementing tracking and documenting of\n                  system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","parameters":[{"id":"ir-6_prm_1","label":"organization-defined time period","constraints":[{"detail":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"properties":[{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference","text":"http://www.us-cert.gov"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational\n                  incident response capability within {{ ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting\n               requirements within an organization and the formal incident reporting requirements\n               for federal agencies and their subordinate organizations. Suspected security\n               incidents include, for example, the receipt of suspicious email communications that\n               can potentially contain malicious code. The types of security incidents reported, the\n               content and timeliness of the reports, and the designated reporting authorities\n               reflect applicable federal laws, Executive Orders, directives, regulations, policies,\n               standards, and guidance. Current federal policy requires that all federal agencies\n               (unless specifically exempted from such requirements) report security incidents to\n               the United States Computer Emergency Readiness Team (US-CERT) within specified time\n               frames designated in the US-CERT Concept of Operations for Federal Cyber Security\n               Incident Handling.","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","properties":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","properties":[{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security\n                     incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","properties":[{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational\n                     incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","properties":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","properties":[{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported;\n                     and"},{"id":"ir-6.b_obj.2","name":"objective","properties":[{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nincident reporting records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel who have/should have reported incidents\\n\\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing incident reporting"}]},{"id":"ir-6_fr","name":"item","title":"IR-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident\n                     Communications Procedure."}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","properties":[{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the\n               organizational incident response capability that offers advice and assistance to\n               users of the information system for the handling and reporting of security\n               incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example,\n               help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","properties":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","properties":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the\n                  handling and reporting of security incidents."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support\n                  responsibilities\\n\\norganizational personnel with access to incident response support and assistance\n                  capability\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing incident response\n                  assistance"}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","parameters":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements"},{"id":"ir-8_prm_3","label":"organization-defined frequency"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements"}],"properties":[{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response\n                     capability;"},{"id":"ir-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response\n                     capability;"},{"id":"ir-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission,\n                     size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the\n                     organization;"},{"id":"ir-8_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ ir-8_prm_4 }};\n                  and"},{"id":"ir-8_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and\n                  modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to\n               incident response. Organizational missions, business functions, strategies, goals,\n               and objectives for incident response help to determine the structure of incident\n               response capabilities. As part of a comprehensive incident response capability,\n               organizations consider the coordination and sharing of information with external\n               organizations, including, for example, external service providers and organizations\n               involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response\n                     capability;"},{"id":"ir-8.a.2_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response\n                     capability;"},{"id":"ir-8.a.3_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the\n                     organization;"},{"id":"ir-8.a.7_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response\n                        plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","properties":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and/or by role) to\n                        whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan\n                        are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined\n                     incident response personnel (identified by name and/or by role) and\n                     organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","properties":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","properties":[{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","properties":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","properties":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and/or by role) to\n                        whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are\n                        to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident\n                     response personnel (identified by name and/or by role) and organizational\n                     elements; and"}]},{"id":"ir-8.f_obj","name":"objective","properties":[{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and\n                  modification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response planning\\n\\nincident response plan\\n\\nrecords of incident response plan reviews and approvals\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically attest to US-CERT compliance."}]},{"id":"ir-9","class":"SP800-53","title":"Information Spillage Response","parameters":[{"id":"ir-9_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-9_prm_2","label":"organization-defined actions"}],"properties":[{"name":"label","value":"IR-9"},{"name":"sort-id","value":"ir-09"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ir-9_smt","name":"statement","prose":"The organization responds to information spills by:","parts":[{"id":"ir-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifying the specific information involved in the information system\n                  contamination;"},{"id":"ir-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Alerting {{ ir-9_prm_1 }} of the information spill using a method\n                  of communication not associated with the spill;"},{"id":"ir-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Isolating the contaminated information system or system component;"},{"id":"ir-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Eradicating the information from the contaminated information system or\n                  component;"},{"id":"ir-9_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Identifying other information systems or system components that may have been\n                  subsequently contaminated; and"},{"id":"ir-9_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Performing other {{ ir-9_prm_2 }}."}]},{"id":"ir-9_gdn","name":"guidance","prose":"Information spillage refers to instances where either classified or sensitive\n               information is inadvertently placed on information systems that are not authorized to\n               process such information. Such information spills often occur when information that\n               is initially thought to be of lower sensitivity is transmitted to an information\n               system and then is subsequently determined to be of higher sensitivity. At that\n               point, corrective action is required. The nature of the organizational response is\n               generally based upon the degree of sensitivity of the spilled information (e.g.,\n               security category or classification level), the security capabilities of the\n               information system, the specific nature of contaminated storage media, and the access\n               authorizations (e.g., security clearances) of individuals with authorized access to\n               the contaminated system. The methods used to communicate information about the spill\n               after the fact do not involve methods directly associated with the actual spill to\n               minimize the risk of further spreading the contamination before such contamination is\n               isolated and eradicated."},{"id":"ir-9_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.a_obj","name":"objective","properties":[{"name":"label","value":"IR-9(a)"}],"prose":"responds to information spills by identifying the specific information causing the\n                  information system contamination;"},{"id":"ir-9.b_obj","name":"objective","properties":[{"name":"label","value":"IR-9(b)"}],"parts":[{"id":"ir-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"IR-9(b)[1]"}],"prose":"defines personnel to be alerted of the information spillage;"},{"id":"ir-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"IR-9(b)[2]"}],"prose":"identifies a method of communication not associated with the information spill\n                     to use to alert organization-defined personnel of the spill;"},{"id":"ir-9.b_obj.3","name":"objective","properties":[{"name":"label","value":"IR-9(b)[3]"}],"prose":"responds to information spills by alerting organization-defined personnel of\n                     the information spill using a method of communication not associated with the\n                     spill;"}]},{"id":"ir-9.c_obj","name":"objective","properties":[{"name":"label","value":"IR-9(c)"}],"prose":"responds to information spills by isolating the contaminated information\n                  system;"},{"id":"ir-9.d_obj","name":"objective","properties":[{"name":"label","value":"IR-9(d)"}],"prose":"responds to information spills by eradicating the information from the\n                  contaminated information system;"},{"id":"ir-9.e_obj","name":"objective","properties":[{"name":"label","value":"IR-9(e)"}],"prose":"responds to information spills by identifying other information systems that may\n                  have been subsequently contaminated;"},{"id":"ir-9.f_obj","name":"objective","properties":[{"name":"label","value":"IR-9(f)"}],"parts":[{"id":"ir-9.f_obj.1","name":"objective","properties":[{"name":"label","value":"IR-9(f)[1]"}],"prose":"defines other actions to be performed in response to information spills;\n                     and"},{"id":"ir-9.f_obj.2","name":"objective","properties":[{"name":"label","value":"IR-9(f)[2]"}],"prose":"responds to information spills by performing other organization-defined\n                     actions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nrecords of information spillage alerts/notifications, list of personnel who should\n                  receive alerts of information spillage\\n\\nlist of actions to be performed regarding information spillage\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information spillage response\\n\\nautomated mechanisms supporting and/or implementing information spillage response\n                  actions and related communications"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically describe information spillage response processes."}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","parameters":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency"},{"id":"ma-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy\n                     and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be\n                        disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel\n                        or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance\n                        policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the\n                        organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance\n                        procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","parameters":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"properties":[{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on\n                  information system components in accordance with manufacturer or vendor\n                  specifications and/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or\n                  remotely and whether the equipment is serviced on site or removed to another\n                  location;"},{"id":"ma-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Requires that {{ ma-2_prm_1 }} explicitly approve the removal of\n                  the information system or system components from organizational facilities for\n                  off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Includes {{ ma-2_prm_2 }} in organizational maintenance\n                  records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system\n               maintenance program and applies to all types of maintenance to any system component\n               (including applications) conducted by any local or nonlocal entity (e.g.,\n               in-contract, warranty, in-house, software maintenance agreement). System maintenance\n               also includes those components not directly associated with information processing\n               and/or data/information retention such as scanners, copiers, and printers.\n               Information necessary for creating effective maintenance records includes, for\n               example: (i) date and time of maintenance; (ii) name of individuals or group\n               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of\n               the maintenance performed; and (v) information system components/equipment removed or\n               replaced (including identification numbers, if applicable). The level of detail\n               included in maintenance records can be informed by the security categories of\n               organizational information systems. Organizations consider supply chain issues\n               associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","properties":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance\n                     with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.4.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","properties":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","properties":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","properties":[{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the\n                     information system or system components from organizational facilities for\n                     off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","properties":[{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the\n                     removal of the information system or system components from organizational\n                     facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","properties":[{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","properties":[{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","properties":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","properties":[{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational\n                     maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","properties":[{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational\n                     maintenance records."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nmaintenance records\\n\\nmanufacturer/vendor maintenance specifications\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing,\n                  approving, and monitoring maintenance and repairs for the information system\\n\\norganizational processes for sanitizing information system components\\n\\nautomated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms implementing sanitization of information system\n                  components"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","properties":[{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference","text":"FIPS Publication 197"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference","text":"CNSS Policy 15"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent\n                  with organizational policy and documented in the security plan for the information\n                  system;"},{"id":"ma-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is\n                  completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by\n               individuals communicating through a network, either an external network (e.g., the\n               Internet) or an internal network. Local maintenance and diagnostic activities are\n               those activities carried out by individuals physically present at the information\n               system or information system component and not communicating across a network\n               connection. Authentication techniques used in the establishment of nonlocal\n               maintenance and diagnostic sessions reflect the network access requirements in IA-2.\n               Typically, strong authentication requires authenticators that are resistant to replay\n               attacks and employ multifactor authentication. Strong authenticators include, for\n               example, PKI where certificates are stored on a token protected by a password,\n               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by\n               other controls.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-17","rel":"related","text":"SC-17"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-4.a_obj","name":"objective","properties":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","properties":[{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","properties":[{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","properties":[{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","properties":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","properties":[{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed;\n                     and"},{"id":"ma-4.e_obj.2","name":"objective","properties":[{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is\n                     completed."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\\n\\nautomated mechanisms implementing, supporting, and/or managing nonlocal\n                  maintenance\\n\\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic\n                  sessions\\n\\nautomated mechanisms for terminating nonlocal maintenance sessions and network\n                  connections"}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","properties":[{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list\n                  of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on\n               organizational information systems, while PE-2 addresses physical access for\n               individuals whose maintenance duties place them within the physical protection\n               perimeter of the systems (e.g., custodial staff, physical plant maintenance\n               personnel). Technical competence of supervising individuals relates to the\n               maintenance performed on the information systems while having required access\n               authorizations refers to maintenance on and near the systems. Individuals not\n               previously identified as authorized maintenance personnel, such as information\n               technology manufacturers, vendors, systems integrators, and consultants, may require\n               privileged access to organizational information systems, for example, when required\n               to conduct maintenance activities with little or no notice. Based on organizational\n               assessments of risk, organizations may issue temporary credentials to these\n               individuals. Temporary credentials may be for one-time use or for very limited time\n               periods.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-5.a_obj","name":"objective","properties":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","properties":[{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","properties":[{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\nlist of authorized personnel\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\\n\\nautomated mechanisms supporting and/or implementing authorization of maintenance\n                  personnel"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","parameters":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency"},{"id":"mp-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and\n                     associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be\n                        disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel\n                        or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection\n                        policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the\n                        organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection\n                        procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","parameters":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Restricting non-digital media access\n               includes, for example, denying access to patient medical records in a community\n               hospital unless the individuals seeking access to such records are authorized\n               healthcare providers. Restricting access to digital media includes, for example,\n               limiting access to design specifications stored on compact disks in the media library\n               to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-2_obj.1","name":"objective","properties":[{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","properties":[{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of\n                  digital and/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","properties":[{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and/or non-digital media\n                  to organization-defined personnel or roles."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media access restrictions\\n\\naccess control policy and procedures\\n\\nphysical and environmental protection policy and procedures\\n\\nmedia storage facilities\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\\n\\nautomated mechanisms supporting and/or implementing media access restrictions"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","parameters":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"properties":[{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference","text":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of\n                  organizational control, or release for reuse using {{ mp-6_prm_2 }}\n                  in accordance with applicable federal and organizational standards and policies;\n                  and"},{"id":"mp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with\n                  the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital,\n               subject to disposal or reuse, whether or not the media is considered removable.\n               Examples include media found in scanners, copiers, printers, notebook computers,\n               workstations, network components, and mobile devices. The sanitization process\n               removes information from the media such that the information cannot be retrieved or\n               reconstructed. Sanitization techniques, including clearing, purging, cryptographic\n               erase, and destruction, prevent the disclosure of information to unauthorized\n               individuals when such media is reused or released for disposal. Organizations\n               determine the appropriate sanitization methods recognizing that destruction is\n               sometimes necessary when other methods cannot be applied to media requiring\n               sanitization. Organizations use discretion on the employment of approved sanitization\n               techniques and procedures for media containing information deemed to be in the public\n               domain or publicly releasable, or deemed to have no adverse impact on organizations\n               or individuals if released for reuse or disposal. Sanitization of non-digital media\n               includes, for example, removing a classified appendix from an otherwise unclassified\n               document, or redacting selected sections or words from a document by obscuring the\n               redacted sections/words in a manner equivalent in effectiveness to removing them from\n               the document. NSA standards and policies control the sanitization process for media\n               containing classified information.","links":[{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-4","rel":"related","text":"SC-4"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-6.a_obj","name":"objective","properties":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing\n                     organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","properties":[{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal,\n                     release out of organizational control, or release for reuse using\n                     organization-defined sanitization techniques or procedures in accordance with\n                     applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","properties":[{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the\n                  security category or classification of the information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\napplicable federal standards and policies addressing media sanitization\\n\\nmedia sanitization records\\n\\naudit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","parameters":[{"id":"mp-7_prm_1"},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers).\n               In contrast to MP-2, which restricts user access to media, this control restricts the\n               use of certain types of media on information systems, for example,\n               restricting/prohibiting the use of flash drives or external hard disk drives.\n               Organizations can employ technical and nontechnical safeguards (e.g., policies,\n               procedures, rules of behavior) to restrict the use of information system media.\n               Organizations may restrict the use of portable storage devices, for example, by using\n               physical cages on workstations to prohibit access to certain external ports, or\n               disabling/removing the ability to insert, read or write to such devices.\n               Organizations may also limit the use of portable storage devices to only approved\n               devices including, for example, devices provided by the organization, devices\n               provided by other approved organizations, and devices that are not personally owned.\n               Finally, organizations may restrict the use of portable storage devices based on the\n               type of device, for example, prohibiting the use of writeable, portable storage\n               devices, and implementing this restriction by disabling or removing the capability to\n               write to such devices.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-7_obj.1","name":"objective","properties":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","properties":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of\n                  organization-defined types of information system media is to be one of the\n                  following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","properties":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","properties":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","properties":[{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of\n                  organization-defined types of information system media on organization-defined\n                  information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","properties":[{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on\n                  organization-defined information systems or system components using\n                  organization-defined security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\\n\\nautomated mechanisms restricting or prohibiting use of information system media on\n                  information systems or system components"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","parameters":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency"},{"id":"pe-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental\n                     protection policy and associated physical and environmental protection\n                     controls; and"}]},{"id":"pe-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ pe-1_prm_2 }};\n                     and"},{"id":"pe-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PE\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that\n                        addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection\n                        policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to\n                        organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        physical and environmental protection policy and associated physical and\n                        environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and\n                        environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy\n                        with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and\n                        environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","parameters":[{"id":"pe-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to\n                  the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals\n                     {{ pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer\n                  required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Authorization credentials include, for\n               example, badges, identification cards, and smart cards. Organizations determine the\n               strength of authorization credentials needed (including level of forge-proof badges,\n               smart cards, or identification cards) consistent with federal standards, policies,\n               and procedures. This control only applies to areas within facilities that have not\n               been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-2.a_obj","name":"objective","properties":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","properties":[{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the\n                     information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","properties":[{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the\n                     information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","properties":[{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where\n                     the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","properties":[{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","properties":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","properties":[{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility\n                     access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","properties":[{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals\n                     with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","properties":[{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer\n                  required."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access authorizations\\n\\nsecurity plan\\n\\nauthorized personnel access list\\n\\nauthorization credentials\\n\\nphysical access list reviews\\n\\nphysical access termination records and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\\n\\norganizational personnel with physical access to information system facility\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\\n\\nautomated mechanisms supporting and/or implementing physical access\n                  authorizations"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","parameters":[{"id":"pe-3_prm_1","label":"organization-defined entry/exit points to the facility where the information\n               system resides"},{"id":"pe-3_prm_2","constraints":[{"detail":"CSP defined physical access control systems/devices AND guards"}]},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems/devices"},{"id":"pe-3_prm_4","label":"organization-defined entry/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and\n               monitoring","constraints":[{"detail":"in all circumstances within restricted access area where the information system resides"}]},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"pe-3_prm_9","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference","text":"NIST Special Publication 800-116"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference","text":"ICD 704"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference","text":"ICD 705"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference","text":"DoD Instruction 5200.39"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference","text":"Personal Identity Verification (PIV) in Enterprise\n            Physical Access Control System (E-PACS)"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference","text":"http://fips201ep.cio.gov"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the\n                     facility; and"},{"id":"pe-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides {{ pe-3_prm_5 }} to control access to areas within the\n                  facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};\n                  and"},{"id":"pe-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are\n                  lost, combinations are compromised, or individuals are transferred or\n                  terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Organizations determine the types of\n               facility guards needed including, for example, professional physical security staff\n               or other personnel such as administrative staff or information system users. Physical\n               access devices include, for example, keys, locks, combinations, and card readers.\n               Safeguards for publicly accessible areas within organizational facilities include,\n               for example, cameras, monitoring by guards, and isolating selected information\n               systems and/or system components in secured areas. Physical access control systems\n               comply with applicable federal laws, Executive Orders, directives, policies,\n               regulations, standards, and guidance. The Federal Identity, Credential, and Access\n               Management Program provides implementation guidance for identity, credential, and\n               access management capabilities for physical access control systems. Organizations\n               have flexibility in the types of audit logs employed. Audit logs can be procedural\n               (e.g., a written log of individuals accessing the facility and when such access\n               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination\n               thereof. Physical access points can include facility access points, interior access\n               points to information systems and/or components requiring supplemental access\n               controls, or both. Components of organizational information systems (e.g.,\n               workstations, terminals) may be located in areas designated as publicly accessible\n               with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-3.a_obj","name":"objective","properties":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry/exit points to the facility where the information system\n                     resides;"},{"id":"pe-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry/exit\n                     points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the\n                        facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems/devices to be employed to\n                           control ingress/egress to the facility where the information system\n                           resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress/egress to the\n                           facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems/devices;\n                              and/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","properties":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","properties":[{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry/exit points for which physical access audit logs are to be\n                     maintained;"},{"id":"pe-3.b_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry/exit\n                     points;"}]},{"id":"pe-3.c_obj","name":"objective","properties":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","properties":[{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within\n                     the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas\n                     within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","properties":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts\n                     and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","properties":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","properties":[{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","properties":[{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","properties":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","properties":[{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access\n                     devices;"},{"id":"pe-3.f_obj.3","name":"objective","properties":[{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the\n                     organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","properties":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","properties":[{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and/or\n                     when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nsecurity plan\\n\\nphysical access control logs or records\\n\\ninventory records of physical access control devices\\n\\ninformation system entry and exit points\\n\\nrecords of key and lock combination changes\\n\\nstorage locations for physical access control devices\\n\\nphysical access control devices\\n\\nlist of security safeguards controlling access to designated publicly accessible\n                  areas within facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\\n\\nautomated mechanisms supporting and/or implementing physical access control\\n\\nphysical access control devices"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","parameters":[{"id":"pe-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"properties":[{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence\n                  of {{ pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident\n                  response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses\n               to detected physical security incidents. Security incidents include, for example,\n               apparent security violations or suspicious physical access activities. Suspicious\n               physical access activities include, for example: (i) accesses outside of normal work\n               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for\n               unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-6.a_obj","name":"objective","properties":[{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","properties":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","properties":[{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","properties":[{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs\n                     to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","properties":[{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon\n                     occurrence of organization-defined events or potential indications of events;\n                     and"}]},{"id":"pe-6.c_obj","name":"objective","properties":[{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident\n                  response capability."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\\n\\nautomated mechanisms supporting and/or implementing reviewing of physical access\n                  logs"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","parameters":[{"id":"pe-8_prm_1","label":"organization-defined time period","constraints":[{"detail":"for a minimum of one (1) year"}]},{"id":"pe-8_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system\n                  resides for {{ pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons\n               visiting, visitor signatures, forms of identification, dates of access, entry and\n               departure times, purposes of visits, and names and organizations of persons visited.\n               Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-8.a_obj","name":"objective","properties":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","properties":[{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility\n                     where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","properties":[{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system\n                     resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","properties":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","properties":[{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","properties":[{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nsecurity plan\\n\\nvisitor access control logs or records\\n\\nvisitor access record or log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                  visitor access records"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","properties":[{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the\n               information system that activates in the event of a power outage or disruption and\n               that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for\n               the information system that: ","parts":[{"id":"pe-12_obj.1","name":"objective","properties":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","properties":[{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing emergency lighting\\n\\nemergency lighting documentation\\n\\nemergency lighting test records\\n\\nemergency exits and evacuation routes\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing emergency lighting\n                  capability"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","properties":[{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices/systems\n               for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Fire suppression and detection devices/systems include, for example,\n               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke\n               detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-13_obj.1","name":"objective","properties":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices/systems for the information system\n                  that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","properties":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices/systems for the information\n                  system that are supported by an independent energy source."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression\n                  devices/systems\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire suppression/detection\n                  devices/systems"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","parameters":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels","constraints":[{"detail":"consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},{"id":"pe-14_prm_2","label":"organization-defined frequency","constraints":[{"detail":"continuously"}]}],"properties":[{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the\n                  information system resides at {{ pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ pe-14_prm_2 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources, for example, data centers, server rooms, and mainframe computer\n               rooms.","links":[{"href":"#at-3","rel":"related","text":"AT-3"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-14.a_obj","name":"objective","properties":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","properties":[{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility\n                     where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","properties":[{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where\n                     the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","properties":[{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system\n                     resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","properties":[{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system\n                     resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","properties":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","properties":[{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","properties":[{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","properties":[{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","properties":[{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity control\\n\\nsecurity plan\\n\\ntemperature and humidity controls\\n\\nfacility housing the information system\\n\\ntemperature and humidity controls documentation\\n\\ntemperature and humidity records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing maintenance and monitoring of\n                  temperature and humidity levels"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."},{"id":"pe-14_fr","name":"item","title":"PE-14(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pe-14_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels\n                     by dew point."}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","properties":[{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water\n               leakage by providing master shutoff or isolation valves that are accessible, working\n               properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Isolation valves can be employed in addition to or in lieu of master\n               shutoff valves to shut off water supplies in specific areas of concern, without\n               affecting entire organizations.","links":[{"href":"#at-3","rel":"related","text":"AT-3"}]},{"id":"pe-15_obj","name":"objective","prose":"Determine if the organization protects the information system from damage resulting\n               from water leakage by providing master shutoff or isolation valves that are: ","parts":[{"id":"pe-15_obj.1","name":"objective","properties":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","properties":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","properties":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nmaster shutoff valves\\n\\nlist of key personnel with knowledge of location and activation procedures for\n                  master shutoff valves for the plumbing system\\n\\nmaster shutoff valve documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\\n\\norganizational process for activating master water-shutoff"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","parameters":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components","constraints":[{"detail":"all information system components"}]}],"properties":[{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}\n               entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system\n               components may require restricting access to delivery areas and possibly isolating\n               the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-16_obj.1","name":"objective","properties":[{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and\n                  controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","properties":[{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.3","name":"objective","properties":[{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.4","name":"objective","properties":[{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.5","name":"objective","properties":[{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.6","name":"objective","properties":[{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.7","name":"objective","properties":[{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.8","name":"objective","properties":[{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","properties":[{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing delivery and removal of information system components from\n                  the facility\\n\\nsecurity plan\\n\\nfacility housing the information system\\n\\nrecords of items entering and exiting the facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system\n                  components entering and exiting the facility\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information\n                  system-related items entering and exiting the facility\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling information system-related items entering and exiting the facility"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","parameters":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency"},{"id":"pl-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and\n                     associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PL\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be\n                        disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or\n                        roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the\n                        organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures;\n                        and"},{"id":"pl-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","parameters":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of\n                     missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including\n                     supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the\n                  plan to {{ pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system/environment of\n                  operation or problems identified during plan implementation or security control\n                  assessments; and"},{"id":"pl-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control\n               enhancements. Security plans also describe, at a high level, how the security\n               controls and control enhancements meet those security requirements, but do not\n               provide detailed, technical descriptions of the specific design or implementation of\n               the controls/enhancements. Security plans contain sufficient information (including\n               the specification of parameter values for assignment and selection statements either\n               explicitly or by reference) to enable a design and implementation that is\n               unambiguously compliant with the intent of the plans and subsequent determinations of\n               risk to organizational operations and assets, individuals, other organizations, and\n               the Nation if the plan is implemented as intended. Organizations can also apply\n               tailoring guidance to the security control baselines in Appendix D and CNSS\n               Instruction 1253 to develop overlays for community-wide use or to address specialized\n               requirements, technologies, or missions/environments of operation (e.g.,\n               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and\n               Access Management, space operations). Appendix I provides guidance on developing\n               overlays. Security plans need not be single documents; the plans can be a collection\n               of various documents including documents that already exist. Effective security plans\n               make extensive use of references to policies, procedures, and additional documents\n               (e.g., design and implementation specifications) where more detailed information can\n               be obtained. This reduces the documentation requirements associated with security\n               programs and maintains security-related information in other established\n               management/operational areas related to enterprise architecture, system development\n               life cycle, systems engineering, and acquisition. For example, security plans do not\n               contain detailed contingency plan or incident response plan information but instead\n               provide explicitly or by reference, sufficient information to define what needs to be\n               accomplished by those plans.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-2.a_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of\n                     missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including\n                     supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring and supplemental\n                     decisions;"},{"id":"pl-2.a.9_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","properties":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be\n                     distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to\n                     the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","properties":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information\n                     system;"},{"id":"pl-2.c_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the\n                     organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","properties":[{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","properties":[{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing security plan development and implementation\\n\\nprocedures addressing security plan reviews and updates\\n\\nenterprise architecture documentation\\n\\nsecurity plan for the information system\\n\\nrecords of security plan reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development/review/update/approval\\n\\nautomated mechanisms supporting the information system security plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","parameters":[{"id":"pl-4_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the\n                  information system, the rules that describe their responsibilities and expected\n                  behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior\n                  to read and re-sign when the rules of behavior are revised/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider\n               rules of behavior based on individual user roles and responsibilities,\n               differentiating, for example, between rules that apply to privileged users and rules\n               that apply to general users. Establishing rules of behavior for some types of\n               non-organizational users including, for example, individuals who simply receive\n               data/information from federal information systems, is often not feasible given the\n               large number of such users and the limited nature of their interactions with the\n               systems. Rules of behavior for both organizational and non-organizational users can\n               also be established in AC-8, System Use Notification. PL-4 b. (the signed\n               acknowledgment portion of this control) may be satisfied by the security awareness\n               training and role-based security training programs conducted by organizations if such\n               training includes rules of behavior. Organizations can use electronic signatures for\n               acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-4.a_obj","name":"objective","properties":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the\n                     rules that describe their responsibilities and expected behavior with regard to\n                     information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information\n                     system, the rules that describe their responsibilities and expected behavior\n                     with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","properties":[{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","properties":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined\n                     frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","properties":[{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior\n                  to read and resign when the rules of behavior are revised/updated."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nsigned acknowledgements\\n\\nrecords for rules of behavior reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and\n                  updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                  have signed and resigned rules of behavior\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating\n                  rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment, review,\n                  dissemination, and update of rules of behavior"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","parameters":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency"},{"id":"ps-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy\n                     and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PS\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be\n                        disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel\n                        or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security\n                        policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the\n                        organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security\n                        procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","parameters":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference","text":"5 C.F.R. 731.106"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and\n               guidance. Risk designations can guide and inform the types of authorizations\n               individuals receive when accessing organizational information and information\n               systems. Position screening criteria include explicit information security role\n               appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","properties":[{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","properties":[{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","properties":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","properties":[{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","properties":[{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing position categorization\\n\\nappropriate codes of federal regulations\\n\\nlist of risk designations for organizational positions\\n\\nsecurity plan\\n\\nrecords of position risk designation reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk\n                  designations\\n\\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","parameters":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is\n               so indicated, the frequency of such rescreening","constraints":[{"detail":"For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions."}]}],"properties":[{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference","text":"5 C.F.R. 731.106"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference","text":"ICD 704"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, guidance, and\n               specific criteria established for the risk designations of assigned positions.\n               Organizations may define different rescreening conditions and frequencies for\n               personnel accessing information systems based on types of information processed,\n               stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-2","rel":"related","text":"PS-2"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","properties":[{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","properties":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","properties":[{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","properties":[{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","properties":[{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions\n                     requiring re-screening and, where re-screening is so indicated, with the\n                     organization-defined frequency of such re-screening."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","parameters":[{"id":"ps-4_prm_1","label":"organization-defined time period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"properties":[{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Terminates/revokes any authenticators/credentials associated with the\n                  individual;"},{"id":"ps-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related\n                  property;"},{"id":"ps-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly\n                  controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication\n               tokens, system administration technical manuals, keys, identification cards, and\n               building passes. Exit interviews ensure that terminated individuals understand the\n               security constraints imposed by being former employees and that proper accountability\n               is achieved for information system-related property. Security topics of interest at\n               exit interviews can include, for example, reminding terminated individuals of\n               nondisclosure agreements and potential limitations on future employment. Exit\n               interviews may not be possible for some terminated individuals, for example, in cases\n               related to job abandonment, illnesses, and nonavailability of supervisors. Exit\n               interviews are important for individuals with security clearances. Timely execution\n               of termination actions is essential for individuals terminated for cause. In certain\n               situations, organizations consider disabling the information system accounts of\n               individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","properties":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time\n                     period;"}]},{"id":"ps-4.b_obj","name":"objective","properties":[{"name":"label","value":"PS-4(b)"}],"prose":"terminates/revokes any authenticators/credentials associated with the\n                  individual;"},{"id":"ps-4.c_obj","name":"objective","properties":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit\n                     interviews;"},{"id":"ps-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined\n                     information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","properties":[{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related\n                  property;"},{"id":"ps-4.e_obj","name":"objective","properties":[{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly\n                  controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","properties":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","properties":[{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","properties":[{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel\n                     or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","properties":[{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\nrecords of personnel termination actions\\n\\nlist of information system accounts\\n\\nrecords of terminated or revoked authenticators/credentials\\n\\nrecords of exit interviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","parameters":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period"}],"properties":[{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical\n                  access authorizations to information systems/facilities when individuals are\n                  reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or\n               of such extended durations as to make the actions warranted. Organizations define\n               actions appropriate for the types of reassignments or transfers, whether permanent or\n               extended. Actions that may be required for personnel transfers or reassignments to\n               other positions within organizations include, for example: (i) returning old and\n               issuing new keys, identification cards, and building passes; (ii) closing information\n               system accounts and establishing new accounts; (iii) changing information system\n               access authorizations (i.e., privileges); and (iv) providing for access to official\n               records to which individuals had access at previous work locations and in previous\n               information system accounts.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-4","rel":"related","text":"PS-4"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","properties":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the\n                  organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","properties":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","properties":[{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or\n                     reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","properties":[{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must\n                     occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","properties":[{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the\n                     organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","properties":[{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","properties":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","properties":[{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or\n                     transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","properties":[{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel\n                     or roles when individuals are reassigned or transferred to other positions\n                     within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","properties":[{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period when individuals are reassigned or transferred\n                     to other positions within the organization."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel transfer\\n\\nsecurity plan\\n\\nrecords of personnel transfer actions\\n\\nlist of information system and facility access authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational\n                  personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\\n\\nautomated mechanisms supporting and/or implementing personnel transfer\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","parameters":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information\n                  systems;"},{"id":"ps-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and\n                  information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information\n                     systems when access agreements have been updated or {{ ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use\n               agreements, rules of behavior, and conflict-of-interest agreements. Signed access\n               agreements include an acknowledgement that individuals have read, understand, and\n               agree to abide by the constraints associated with organizational information systems\n               to which access is authorized. Organizations can use electronic signatures to\n               acknowledge access agreements unless specifically prohibited by organizational\n               policy.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-8","rel":"related","text":"PS-8"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","properties":[{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information\n                  systems;"},{"id":"ps-6.b_obj","name":"objective","properties":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","properties":[{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","properties":[{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined\n                     frequency;"}]},{"id":"ps-6.c_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and\n                     information systems sign appropriate access agreements prior to being granted\n                     access;"},{"id":"ps-6.c.2_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","properties":[{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been\n                        updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","properties":[{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and\n                        information systems re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been updated\n                        or with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing access agreements for organizational information and\n                  information systems\\n\\nsecurity plan\\n\\naccess agreements\\n\\nrecords of access agreement reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel who have signed/resigned access agreements\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\\n\\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","parameters":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and\n                  responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ ps-7_prm_1 }} of any\n                  personnel transfers or terminations of third-party personnel who possess\n                  organizational credentials and/or badges, or who have information system\n                  privileges within {{ ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other\n               organizations providing information system development, information technology\n               services, outsourced applications, and network and security management. Organizations\n               explicitly include personnel security requirements in acquisition-related documents.\n               Third-party providers may have personnel working at organizational facilities with\n               credentials, badges, or information system privileges issued by organizations.\n               Notifications of third-party personnel changes ensure appropriate termination of\n               privileges and credentials. Organizations define the transfers and terminations\n               deemed reportable by security-related characteristics that include, for example,\n               functions, roles, and nature of credentials/privileges associated with individuals\n               transferred or terminated.","links":[{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-21","rel":"related","text":"SA-21"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","properties":[{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and\n                  responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","properties":[{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","properties":[{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","properties":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","properties":[{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","properties":[{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to\n                     notify organization-defined personnel or roles of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","properties":[{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or\n                     roles within the organization-defined time period of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","properties":[{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing third-party personnel security\\n\\nlist of personnel security requirements\\n\\nacquisition documents\\n\\nservice-level agreements\\n\\ncompliance monitoring process\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\nthird-party providers\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel\n                  security\\n\\nautomated mechanisms supporting and/or implementing monitoring of provider\n                  compliance"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically stating that any third-party security personnel are\n                  treated as CSP employees."}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","parameters":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}\n                  when a formal employee sanctions process is initiated, identifying the individual\n                  sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Sanctions processes are\n               described in access agreements and can be included as part of general personnel\n               policies and procedures for organizations. Organizations consult with the Office of\n               the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","properties":[{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","properties":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","properties":[{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions\n                     process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","properties":[{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles\n                     must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","properties":[{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period when a formal employee sanctions process is\n                     initiated, identifying the individual sanctioned and the reason for the\n                     sanction."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel sanctions\\n\\nrules of behavior\\n\\nrecords of formal sanctions\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\\n\\nautomated mechanisms supporting and/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","parameters":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency"},{"id":"ra-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and\n                     associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the RA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be\n                        disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or\n                        roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment\n                        policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the\n                        organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment\n                        procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","properties":[{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"},{"id":"ra-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated\n                  representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security\n               categorization decisions. Security categories describe the potential adverse impacts\n               to organizational operations, organizational assets, and individuals if\n               organizational information and information systems are comprised through a loss of\n               confidentiality, integrity, or availability. Organizations conduct the security\n               categorization process as an organization-wide activity with the involvement of chief\n               information officers, senior information security officers, information system\n               owners, mission/business owners, and information owners/stewards. Organizations also\n               consider the potential adverse impacts to other organizations and, in accordance with\n               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential\n               national-level adverse impacts. Security categorization processes carried out by\n               organizations facilitate the development of inventories of information assets, and\n               along with CM-8, mappings to specific information system components where information\n               is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","properties":[{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"},{"id":"ra-2.b_obj","name":"objective","properties":[{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","properties":[{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative\n                  reviews and approves the security categorization decision."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing security categorization of organizational information and\n                  information systems\\n\\nsecurity plan\\n\\nsecurity categorization documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","parameters":[{"id":"ra-3_prm_1"},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document","constraints":[{"detail":"security assessment report"}]},{"id":"ra-3_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency","constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]}],"properties":[{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of the information system and the information it processes, stores, or\n                  transmits;"},{"id":"ra-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are\n                  significant changes to the information system or environment of operation\n                  (including the identification of new threats and vulnerabilities), or other\n                  conditions that may impact the security state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk\n               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,\n               and impact to organizational operations and assets, individuals, other organizations,\n               and the Nation based on the operation and use of information systems. Risk\n               assessments also take into account risk from external parties (e.g., service\n               providers, contractors operating information systems on behalf of the organization,\n               individuals accessing organizational information systems, outsourcing entities). In\n               accordance with OMB policy and related E-authentication initiatives, authentication\n               of public users accessing federal information systems may also be required to protect\n               nonpublic or privacy-related information. As such, organizational assessments of risk\n               also address public access to federal information systems. Risk assessments (either\n               formal or informal) can be conducted at all three tiers in the risk management\n               hierarchy (i.e., organization level, mission/business process level, or information\n               system level) and at any phase in the system development life cycle. Risk assessments\n               can also be conducted at various steps in the Risk Management Framework, including\n               categorization, security control selection, security control implementation, security\n               control assessment, information system authorization, and security control\n               monitoring. RA-3 is noteworthy in that the control must be partially implemented\n               prior to the implementation of other controls in order to complete the first two\n               steps in the Risk Management Framework. Risk assessments can play an important role\n               in security control selection processes, particularly during the application of\n               tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","properties":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","properties":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","properties":[{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if\n                     not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","properties":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","properties":[{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","properties":[{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","properties":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","properties":[{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be\n                     disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","properties":[{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or\n                     roles;"}]},{"id":"ra-3.e_obj","name":"objective","properties":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","properties":[{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or\n                        environment of operation (including the identification of new threats and\n                        vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of\n                        the system."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing organizational assessments of risk\\n\\nsecurity plan\\n\\nrisk assessment\\n\\nrisk assessment results\\n\\nrisk assessment reviews\\n\\nrisk assessment updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\\n\\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,\n                  disseminating, and updating the risk assessment"}]},{"id":"ra-3_fr","name":"item","title":"RA-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1,\n                     Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","properties":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include\n                     FedRAMP."}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","parameters":[{"id":"ra-5_prm_1","label":"organization-defined frequency and/or randomly in accordance with\n               organization-defined process","constraints":[{"detail":"monthly operating system/infrastructure; monthly web applications and databases"}]},{"id":"ra-5_prm_2","label":"organization-defined response times","constraints":[{"detail":"[high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."}]},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference","text":"http://cwe.mitre.org"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications\n                     {{ ra-5_prm_1 }} and when new vulnerabilities potentially\n                  affecting the system/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control\n                  assessments;"},{"id":"ra-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in\n                  accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security\n                  control assessments with {{ ra-5_prm_3 }} to help eliminate similar\n                  vulnerabilities in other information systems (i.e., systemic weaknesses or\n                  deficiencies)."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and\n               comprehensiveness of vulnerability scans. Organizations determine the required\n               vulnerability scanning for all information system components, ensuring that potential\n               sources of vulnerabilities such as networked printers, scanners, and copiers are not\n               overlooked. Vulnerability analyses for custom software applications may require\n               additional approaches such as static analysis, dynamic analysis, binary analysis, or\n               a hybrid of the three approaches. Organizations can employ these analysis approaches\n               in a variety of tools (e.g., web-based application scanners, static analysis tools,\n               binary analyzers) and in source code reviews. Vulnerability scanning includes, for\n               example: (i) scanning for patch levels; (ii) scanning for functions, ports,\n               protocols, and services that should not be accessible to users or devices; and (iii)\n               scanning for improperly configured or incorrectly operating information flow control\n               mechanisms. Organizations consider using tools that express vulnerabilities in the\n               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open\n               Vulnerability Assessment Language (OVAL) to determine/test for the presence of\n               vulnerabilities. Suggested sources for vulnerability information include the Common\n               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In\n               addition, security control assessments such as red team exercises provide other\n               sources of potential vulnerabilities for which to scan. Organizations also consider\n               using tools that express vulnerability impact by the Common Vulnerability Scoring\n               System (CVSS).","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","properties":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information\n                        system and hosted applications; and/or"},{"id":"ra-5.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the\n                        information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and/or\n                     organization-defined process for conducting random scans, scans for\n                     vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system/applications are\n                     identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","properties":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","properties":[{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","properties":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","properties":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance\n                     with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response\n                     times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","properties":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the\n                     vulnerability scanning process and security control assessments is to be\n                     shared;"},{"id":"ra-5.e_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","properties":[{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies)."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and\n                  vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with vulnerability remediation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and\n                  information sharing\\n\\nautomated mechanisms supporting and/or implementing vulnerability scanning,\n                  analysis, remediation, and information sharing"}]},{"id":"ra-5_fr_smt.a","name":"item","title":"RA-5(a) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (a)Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web\n                  applications, and databases once annually."},{"id":"ra-5_fr_smt.e","name":"item","title":"RA-5(e) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (e)Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include\n                  FedRAMP."},{"id":"ra-5_fr","name":"item","title":"RA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"\n                  **See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                        Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","parameters":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency"},{"id":"sa-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services\n                     acquisition policy and associated system and services acquisition controls;\n                     and"}]},{"id":"sa-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that\n                        addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition\n                        policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to\n                        organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and services acquisition policy and associated system and services\n                        acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services\n                        acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with\n                        the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services\n                        acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","properties":[{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference","text":"NIST Special Publication 800-65"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or\n                  information system service in mission/business process planning;"},{"id":"sa-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the\n                  information system or information system service as part of its capital planning\n                  and investment control process; and"},{"id":"sa-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial\n               information system or information system service acquisition and funding for the\n               sustainment of the system/service.","links":[{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#pm-11","rel":"related","text":"PM-11"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","properties":[{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or\n                  information system service in mission/business process planning;"},{"id":"sa-2.b_obj","name":"objective","properties":[{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its\n                  capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","properties":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","properties":[{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the allocation of resources to information security\n                  requirements\\n\\nprocedures addressing capital planning and investment control\\n\\norganizational programming and budgeting documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational\n                  programming and budgeting responsibilities\\n\\norganizational personnel responsible for determining information security\n                  requirements for information systems/services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\\n\\norganizational processes for capital planning, programming, and budgeting\\n\\nautomated mechanisms supporting and/or implementing organizational capital\n                  planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","parameters":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"properties":[{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference","text":"NIST Special Publication 800-64"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ sa-3_prm_1 }} that\n                  incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities;\n                  and"},{"id":"sa-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into\n                  system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the\n               successful development, implementation, and operation of organizational information\n               systems. To apply the required security controls within the system development life\n               cycle requires a basic understanding of information security, threats,\n               vulnerabilities, adverse impacts, and risk to critical missions/business functions.\n               The security engineering principles in SA-8 cannot be properly applied if individuals\n               that design, code, and test information systems and system components (including\n               information technology products) do not understand security. Therefore, organizations\n               include qualified personnel, for example, chief information security officers,\n               security architects, security engineers, and information system security officers in\n               system development life cycle activities to ensure that security requirements are\n               incorporated into organizational information systems. It is equally important that\n               developers include individuals on the development team that possess the requisite\n               security expertise and skills to ensure that needed security capabilities are\n               effectively integrated into the information system. Security awareness and training\n               programs can help ensure that individuals having key security roles and\n               responsibilities have the appropriate experience, skills, and expertise to conduct\n               assigned system development life cycle activities. The effective integration of\n               security requirements into enterprise architecture also helps to ensure that\n               important security considerations are addressed early in the system development life\n               cycle and that those considerations are directly related to the organizational\n               mission/business processes. This process also facilitates the integration of the\n               information security architecture into the enterprise architecture, consistent with\n               organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-8","rel":"related","text":"SA-8"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","properties":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security\n                     considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system\n                     development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","properties":[{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","properties":[{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities;\n                  and"},{"id":"sa-3.d_obj","name":"objective","properties":[{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into\n                  system development life cycle activities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security into the system\n                  development life cycle process\\n\\ninformation system development life cycle documentation\\n\\ninformation security risk management strategy/program documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle\n                  development responsibilities\\n\\norganizational personnel with information security risk management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\\n\\norganizational processes for identifying SDLC roles and responsibilities\\n\\norganizational process for integrating information security risk management into\n                  the SDLC\\n\\nautomated mechanisms supporting and/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","properties":[{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference","text":"HSPD-12"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference","text":"ISO/IEC 15408"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference","text":"NIST Special Publication 800-23"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference","text":"NIST Special Publication 800-36"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference","text":"NIST Special Publication 800-64"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference","text":"Federal Acquisition Regulation"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference","text":"http://www.niap-ccevs.org"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference","text":"http://fips201ep.cio.gov"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference","text":"http://www.acquisition.gov/far"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria,\n               explicitly or by reference, in the acquisition contract for the information system,\n               system component, or information system service in accordance with applicable federal\n               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and\n               organizational mission/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in\n                  which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology\n               assets (e.g., hardware, software, or firmware) that represent the building blocks of\n               an information system. Information system components include commercial information\n               technology products. Security functional requirements include security capabilities,\n               security functions, and security mechanisms. Security strength requirements\n               associated with such capabilities, functions, and mechanisms include degree of\n               correctness, completeness, resistance to direct attack, and resistance to tampering\n               or bypass. Security assurance requirements include: (i) development processes,\n               procedures, practices, and methodologies; and (ii) evidence from development and\n               assessment activities providing grounds for confidence that the required security\n               functionality has been implemented and the required security strength has been\n               achieved. Security documentation requirements address all phases of the system\n               development life cycle. Security functionality, assurance, and documentation\n               requirements are expressed in terms of security controls and control enhancements\n               that have been selected through the tailoring process. The security control tailoring\n               process includes, for example, the specification of parameter values through the use\n               of assignment and selection statements and the specification of platform dependencies\n               and implementation information. Security documentation provides user and\n               administrator guidance regarding the implementation and operation of security\n               controls. The level of detail required in security documentation is based on the\n               security category or classification level of the information system and the degree to\n               which organizations depend on the stated security capability, functions, or\n               mechanisms to meet overall risk response expectations (as defined in the\n               organizational risk management strategy). Security requirements can also include\n               organizationally mandated configuration settings specifying allowed functions, ports,\n               protocols, and services. Acceptance criteria for information systems, information\n               system components, and information system services are defined in the same manner as\n               such criteria for any organizational acquisition or procurement. The Federal\n               Acquisition Regulation (FAR) Section 7.103 contains information security requirements\n               from FISMA.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and\n               criteria, explicitly or by reference, in the acquisition contracts for the\n               information system, system component, or information system service in accordance\n               with applicable federal laws, Executive Orders, directives, policies, regulations,\n               standards, guidelines, and organizational mission/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","properties":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","properties":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","properties":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","properties":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","properties":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","properties":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","properties":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","properties":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","properties":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                  descriptions, and criteria into the acquisition process\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ninformation system design documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security functional, strength, and assurance requirements\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional,\n                  strength, and assurance requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of\n                  security requirements in contracts"}]}],"controls":[{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","properties":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS\n                  201-approved products list for Personal Identity Verification (PIV) capability\n                  implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"}]},{"id":"sa-4.10_obj","name":"objective","prose":"Determine if the organization employs only information technology products on the\n                  FIPS 201-approved products list for Personal Identity Verification (PIV)\n                  capability implemented within organizational information systems. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\norganizational personnel with responsibility for ensuring only FIPS\n                     201-approved products are implemented\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved\n                     products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","parameters":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component,\n                  or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or\n                     service;"},{"id":"sa-5_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or\n                  information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"User-accessible security functions/mechanisms and how to effectively use those\n                     security functions/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or\n                     service;"}]},{"id":"sa-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information\n                  system service documentation when such documentation is either unavailable or\n                  nonexistent and takes {{ sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management\n                  strategy; and"},{"id":"sa-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and\n               operation of security controls associated with information systems, system\n               components, and information system services. Organizations consider establishing\n               specific measures to determine the quality/completeness of the content provided. The\n               inability to obtain needed documentation may occur, for example, due to the age of\n               the information system/component or lack of support from developers and contractors.\n               In those situations, organizations may need to recreate selected documentation if\n               such documentation is essential to the effective implementation or operation of\n               security controls. The level of protection provided for selected information system,\n               component, or service documentation is commensurate with the security category or\n               classification of the system. For example, documentation associated with a key DoD\n               weapons system or command and control system would typically require a higher level\n               of protection than a routine administrative system. Documentation that addresses\n               information system vulnerabilities may also require an increased level of protection.\n               Secure operation of the information system, includes, for example, initially starting\n               the system and resuming secure system operation after any lapse in system\n               operation.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component,\n                  or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or\n                  information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or\n                     service;"}]},{"id":"sa-5.c_obj","name":"objective","properties":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information\n                     system, system component, or information system service documentation when such\n                     documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or\n                     information system service documentation when such documentation is either\n                     unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","properties":[{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","properties":[{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management\n                  strategy;"},{"id":"sa-5.e_obj","name":"objective","properties":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing information system documentation\\n\\ninformation system documentation including administrator and user guides\\n\\nrecords documenting attempts to obtain unavailable or nonexistent information\n                  system documentation\\n\\nlist of actions to be taken in response to documented attempts to obtain\n                  information system, system component, or information system service\n                  documentation\\n\\nrisk management strategy documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\nsystem administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information\n                  system administrator and user documentation"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","parameters":[{"id":"sa-9_prm_1","label":"organization-defined security controls","constraints":[{"detail":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques","constraints":[{"detail":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]}],"properties":[{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with\n                  organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive\n                  Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities\n                  with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs {{ sa-9_prm_2 }} to monitor security control compliance by\n                  external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the\n               authorization boundaries of organizational information systems. This includes\n               services that are used by, but not a part of, organizational information systems.\n               FISMA and OMB policy require that organizations using external service providers that\n               are processing, storing, or transmitting federal information or operating information\n               systems on behalf of the federal government ensure that such providers meet the same\n               security requirements that federal agencies are required to meet. Organizations\n               establish relationships with external service providers in a variety of ways\n               including, for example, through joint ventures, business partnerships, contracts,\n               interagency agreements, lines of business arrangements, licensing agreements, and\n               supply chain exchanges. The responsibility for managing risks from the use of\n               external information system services remains with authorizing officials. For services\n               external to organizations, a chain of trust requires that organizations establish and\n               retain a level of confidence that each participating provider in the potentially\n               complex consumer-provider relationship provides adequate protection for the services\n               rendered. The extent and nature of this chain of trust varies based on the\n               relationships between organizations and the external providers. Organizations\n               document the basis for trust relationships so the relationships can be monitored over\n               time. External information system services documentation includes government, service\n               providers, end user security roles and responsibilities, and service-level\n               agreements. Service-level agreements define expectations of performance for security\n               controls, describe measurable outcomes, and identify remedies and response\n               requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ps-7","rel":"related","text":"PS-7"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","properties":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","properties":[{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information\n                     system services;"},{"id":"sa-9.a_obj.2","name":"objective","properties":[{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with\n                     organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","properties":[{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ\n                     organization-defined security controls in accordance with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance;"}]},{"id":"sa-9.b_obj","name":"objective","properties":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information\n                     system services;"},{"id":"sa-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external\n                     information system services;"}]},{"id":"sa-9.c_obj","name":"objective","properties":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","properties":[{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security\n                     control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","properties":[{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor\n                     security control compliance by external service providers on an ongoing\n                     basis."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nprocedures addressing methods and techniques for monitoring security control\n                  compliance by external service providers of information system services\\n\\nacquisition contracts, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                  provider services\\n\\nsecurity control assessment evidence from external providers of information system\n                  services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external\n                  service providers on an ongoing basis\\n\\nautomated mechanisms for monitoring security control compliance by external\n                  service providers on an ongoing basis"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","parameters":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency"},{"id":"sc-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications\n                     protection policy and associated system and communications protection controls;\n                     and"}]},{"id":"sc-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ sc-1_prm_2 }};\n                     and"},{"id":"sc-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that\n                        addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection\n                        policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to\n                        organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and communications protection policy and associated system and\n                        communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy\n                        with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","parameters":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources\n               for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types\n               of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of\n               denial of service attacks. For example, boundary protection devices can filter\n               certain types of packets to protect information system components on internal\n               organizational networks from being directly affected by denial of service attacks.\n               Employing increased capacity and bandwidth combined with service redundancy may also\n               reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related","text":"SC-6"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","properties":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source\n                  of such information for the information system to protect against or limit the\n                  effects;"},{"id":"sc-5_obj.2","name":"objective","properties":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information\n                  system to protect against or limit the effects of organization-defined types of\n                  denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","properties":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the\n                  organization-defined denial or service attacks (or reference to source for such\n                  information) by employing organization-defined security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing denial of service protection\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\nlist of denial of services attacks requiring employment of security safeguards to\n                  protect against or limit effects of such attacks\\n\\nlist of security safeguards protecting against or limiting the effects of denial\n                  of service attacks\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of\n                  service attacks"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: If availability is a requirement, define protections in place as per\n                  control requirement."}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","parameters":[{"id":"sc-7_prm_1"}],"properties":[{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference","text":"NIST Special Publication 800-41"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at\n                  key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;\n                  and"},{"id":"sc-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards,\n               network-based malicious code analysis and virtualization systems, or encrypted\n               tunnels implemented within a security architecture (e.g., routers protecting\n               firewalls or application gateways residing on protected subnetworks). Subnetworks\n               that are physically or logically separated from internal networks are referred to as\n               demilitarized zones or DMZs. Restricting or prohibiting interfaces within\n               organizational information systems includes, for example, restricting external web\n               traffic to designated web servers within managed interfaces and prohibiting external\n               traffic that appears to be spoofing internal addresses. Organizations consider the\n               shared nature of commercial telecommunications services in the implementation of\n               security controls associated with the use of such services. Commercial\n               telecommunications services are commonly based on network components and consolidated\n               management systems shared by all attached commercial customers, and may also include\n               third party-provided access lines and other service elements. Such transmission\n               services may represent sources of increased risk despite contract security\n               provisions.","links":[{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","properties":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","properties":[{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","properties":[{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","properties":[{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","properties":[{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","properties":[{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are\n                  either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","properties":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and/or"},{"id":"sc-7.b_obj.2","name":"objective","properties":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","properties":[{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\nlist of key internal boundaries of the information system\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\nenterprise security architecture documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","parameters":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage,\n               access, and destruction"}],"properties":[{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference","text":"NIST Special Publication 800-56"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference","text":"NIST Special Publication 800-57"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography\n               employed within the information system in accordance with {{ sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual\n               procedures or automated mechanisms with supporting manual procedures. Organizations\n               define key management requirements in accordance with applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, and guidance,\n               specifying appropriate options, levels, and parameters. Organizations manage trust\n               stores to ensure that only approved trust anchors are in such trust stores. This\n               includes certificates with visibility external to organizational information systems\n               and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","properties":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","properties":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","properties":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","properties":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","properties":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed\n                  within the information system in accordance with organization-defined requirements\n                  for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ncryptographic mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key establishment\n                  and/or management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic key\n                  establishment and management"}]},{"id":"sc-12_fr","name":"item","title":"SC-12 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved cryptography."}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","parameters":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for\n               each use","constraints":[{"detail":"FIPS-validated or NSA-approved cryptography"}]}],"properties":[{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference","text":"FIPS Publication 140"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference","text":"http://csrc.nist.gov/cryptval"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference","text":"http://www.cnss.gov"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ sc-13_prm_1 }} in accordance with\n               applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including,\n               for example, the protection of classified and Controlled Unclassified Information,\n               the provision of digital signatures, and the enforcement of information separation\n               when authorized individuals have the necessary clearances for such information but\n               lack the necessary formal access approvals. Cryptography can also be used to support\n               random number generation and hash generation. Generally applicable cryptographic\n               standards include FIPS-validated cryptography and NSA-approved cryptography. This\n               control does not impose any requirements on organizations to use cryptography.\n               However, if cryptography is required based on the selection of other security\n               controls, organizations define each type of cryptographic use and the type of\n               cryptography required (e.g., protection of classified information: NSA-approved\n               cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","properties":[{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","properties":[{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","properties":[{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and\n                  type of cryptography required for each use in accordance with applicable federal\n                  laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic module validation certificates\\n\\nlist of FIPS validated cryptographic modules\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic protection"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: If implementing need to detail how they meet it or don't meet it."}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","parameters":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"properties":[{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following\n                  exceptions: {{ sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the\n                  devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards,\n               cameras, and microphones. Explicit indication of use includes, for example, signals\n               to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related","text":"AC-21"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","properties":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","properties":[{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative\n                     computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","properties":[{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing\n                     devices, except for organization-defined exceptions where remote activation is\n                     to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","properties":[{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically\n                  present at the devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing collaborative computing\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for managing collaborative\n                  computing devices"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing management of remote\n                  activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing\n                  devices"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Not directly related to the security of the SaaS."}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name / Address Resolution Service (authoritative Source)","properties":[{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference","text":"OMB Memorandum 08-23"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification\n                  artifacts along with the authoritative name resolution data the system returns in\n                  response to external name/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the\n                  child supports secure resolution services) to enable verification of a chain of\n                  trust among parent and child domains, when operating as part of a distributed,\n                  hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet\n               clients, to obtain origin authentication and integrity verification assurances for\n               the host/service name to network address resolution information obtained through the\n               service. Information systems that provide name and address resolution services\n               include, for example, domain name system (DNS) servers. Additional artifacts include,\n               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS\n               resource records are examples of authoritative data. The means to indicate the\n               security status of child zones includes, for example, the use of delegation signer\n               resource records in the DNS. The DNS security controls reflect (and are referenced\n               from) OMB Memorandum 08-23. Information systems that use technologies other than the\n               DNS to map between host/service names and network addresses provide other means to\n               assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","properties":[{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with\n                  the authoritative name resolution data the system returns in response to external\n                  name/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","properties":[{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical\n                  namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","properties":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","properties":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the\n                     child supports secure resolution services)."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (authoritative\n                  source)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing secure name/address resolution\n                  service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name / Address Resolution Service (recursive or Caching Resolver)","properties":[{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data\n               integrity verification on the name/address resolution responses the system receives\n               from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own,\n               or has authenticated channels to trusted validation providers. Information systems\n               that provide name and address resolution services for local clients include, for\n               example, recursive resolving or caching domain name system (DNS) servers. DNS client\n               resolvers either perform validation of DNSSEC signatures, or clients use\n               authenticated channels to recursive resolvers that perform such validations.\n               Information systems that use technologies other than the DNS to map between\n               host/service names and network addresses provide other means to enable clients to\n               verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"sc-21_obj.1","name":"objective","properties":[{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","properties":[{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","properties":[{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","properties":[{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (recursive or caching\n                  resolver)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing data origin authentication and\n                  data integrity verification for name/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name / Address Resolution Service","properties":[{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name/address resolution service for\n               an organization are fault-tolerant and implement internal/external role\n               separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for\n               example, domain name system (DNS) servers. To eliminate single points of failure and\n               to enhance redundancy, organizations employ at least two authoritative domain name\n               system servers, one configured as the primary server and the other configured as the\n               secondary server. Additionally, organizations typically deploy the servers in two\n               geographically separated network subnetworks (i.e., not located in the same physical\n               facility). For role separation, DNS servers with internal roles only process name and\n               address resolution requests from within organizations (i.e., from internal clients).\n               DNS servers with external roles only process name and address resolution information\n               requests from clients external to organizations (i.e., on external networks including\n               the Internet). Organizations specify clients that can access authoritative DNS\n               servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name/address\n               resolution service for an organization: ","parts":[{"id":"sc-22_obj.1","name":"objective","properties":[{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","properties":[{"name":"label","value":"SC-22[2]"}],"prose":"implement internal/external role separation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing architecture and provisioning for name/address resolution\n                  service\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\nassessment results from independent, testing organizations\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing name/address resolution\n                  service for fault tolerance and role separation"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","properties":[{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing\n               process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing\n               process by assigning each process a separate address space. Each information system\n               process has a distinct address space so that communication between processes is\n               performed in a manner controlled through the security functions, and one process\n               cannot modify the executing code of another process. Maintaining separate execution\n               domains for executing processes can be achieved, for example, by implementing\n               separate address spaces. This capability is available in most commercial operating\n               systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-39_obj","name":"objective","prose":"Determine if the information system maintains a separate execution domain for each\n               executing process."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\\n\\ninformation system architecture\\n\\nindependent verification and validation documentation\\n\\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers/integrators\\n\\ninformation system security architect"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing separate execution domains for\n                  each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","parameters":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency"},{"id":"si-1_prm_3","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information\n                     integrity policy and associated system and information integrity controls;\n                     and"}]},{"id":"si-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ si-1_prm_2 }};\n                     and"},{"id":"si-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SI\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that\n                        addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity\n                        policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to\n                        organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and information integrity policy and associated system and\n                        information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with\n                        the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","parameters":[{"id":"si-2_prm_1","label":"organization-defined time period","constraints":[{"detail":"within 30 days of release of updates"}]}],"properties":[{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness\n                  and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management\n                  process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws\n               including potential vulnerabilities resulting from those flaws, and report this\n               information to designated organizational personnel with information security\n               responsibilities. Security-relevant software updates include, for example, patches,\n               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws\n               discovered during security assessments, continuous monitoring, incident response\n               activities, and system error handling. Organizations take advantage of available\n               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and\n               Exposures (CVE) databases in remediating flaws discovered in organizational\n               information systems. By incorporating flaw remediation into ongoing configuration\n               management processes, required/anticipated remediation actions can be tracked and\n               verified. Flaw remediation actions that can be tracked and verified include, for\n               example, determining whether organizations follow US-CERT guidance and Information\n               Assurance Vulnerability Alerts. Organization-defined time periods for updating\n               security-relevant software and firmware may vary based on a variety of factors\n               including, for example, the security category of the information system or the\n               criticality of the update (i.e., severity of the vulnerability related to the\n               discovered flaw). Some types of flaw remediation may require more testing than other\n               types. Organizations determine the degree and type of testing needed for the specific\n               type of flaw remediation activity under consideration and also the types of changes\n               that are to be configuration-managed. In some situations, organizations may determine\n               that the testing of software and/or firmware updates is not necessary or practical,\n               for example, when implementing simple anti-virus signature updates. Organizations may\n               also consider in testing decisions, whether security-relevant software or firmware\n               updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-11","rel":"related","text":"SI-11"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","properties":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","properties":[{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","properties":[{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","properties":[{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","properties":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","properties":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","properties":[{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software\n                     updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","properties":[{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware\n                     updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","properties":[{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the\n                     release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","properties":[{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the\n                     release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","properties":[{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management\n                  process."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nprocedures addressing configuration management\\n\\nlist of flaws and vulnerabilities potentially affecting the information system\\n\\nlist of recent security flaw remediation actions performed on the information\n                  system (e.g., list of installed patches, service packs, hot fixes, and other\n                  software updates to correct information system flaws)\\n\\ntest results from the installation of software and firmware updates to correct\n                  information system flaws\\n\\ninstallation/change control records for security-relevant software and firmware\n                  updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for flaw remediation\\n\\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information\n                  system flaws\\n\\norganizational process for installing software and firmware updates\\n\\nautomated mechanisms supporting and/or implementing reporting, and correcting\n                  information system flaws\\n\\nautomated mechanisms supporting and/or implementing testing software and firmware\n                  updates"}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","parameters":[{"id":"si-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]},{"id":"si-3_prm_2","constraints":[{"detail":"to include endpoints"}]},{"id":"si-3_prm_3","constraints":[{"detail":"to include alerting administrator or defined security personnel"}]},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"properties":[{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit\n                  points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and\n                  procedures;"},{"id":"si-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in\n                     accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n                     {{ si-3_prm_3 }} in response to malicious code detection;\n                     and"}]},{"id":"si-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and\n                  eradication and the resulting potential impact on the availability of the\n                  information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations,\n               notebook computers, and mobile devices. Malicious code includes, for example,\n               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in\n               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden\n               files, or hidden in files using steganography. Malicious code can be transported by\n               different means including, for example, web accesses, electronic mail, electronic\n               mail attachments, and portable storage devices. Malicious code insertions occur\n               through the exploitation of information system vulnerabilities. Malicious code\n               protection mechanisms include, for example, anti-virus signature definitions and\n               reputation-based technologies. A variety of technologies and methods exist to limit\n               or eliminate the effects of malicious code. Pervasive configuration management and\n               comprehensive software integrity controls may be effective in preventing execution of\n               unauthorized code. In addition to commercial off-the-shelf software, malicious code\n               may also be present in custom-built software. This could include, for example, logic\n               bombs, back doors, and other types of cyber attacks that could affect organizational\n               missions/business functions. Traditional malicious code protection mechanisms cannot\n               always detect such code. In these situations, organizations rely instead on other\n               safeguards including, for example, secure coding practices, configuration management\n               and control, trusted procurement processes, and monitoring practices to help ensure\n               that software does not perform functions other than the functions intended.\n               Organizations may determine that in response to the detection of malicious code,\n               different actions may be warranted. For example, organizations can define actions in\n               response to malicious code detection during periodic scans, actions in response to\n               detection of malicious downloads, and/or actions in response to detection of\n               maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sa-13","rel":"related","text":"SA-13"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","properties":[{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious\n                  code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","properties":[{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and procedures\n                  (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","properties":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","properties":[{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform\n                     periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","properties":[{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response\n                     to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the\n                           organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and/or\n                           network entry/exit points as the files are downloaded, opened, or\n                           executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the\n                        following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection;\n                           and/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code\n                           detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","properties":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and\n                     eradication; and"},{"id":"si-3.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information\n                     system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nconfiguration management policy and procedures\\n\\nprocedures addressing malicious code protection\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nscan results from malicious code protection mechanisms\\n\\nrecord of actions initiated by malicious code protection mechanisms in response to\n                  malicious code detection\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for malicious code protection\\n\\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code\n                  protection mechanisms\\n\\norganizational process for addressing false positives and resulting potential\n                  impact\\n\\nautomated mechanisms supporting and/or implementing employing, updating, and\n                  configuring malicious code protection mechanisms\\n\\nautomated mechanisms supporting and/or implementing malicious code scanning and\n                  subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","parameters":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5"},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference","text":"NIST Special Publication 800-92"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference","text":"NIST Special Publication 800-94"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined\n                     essential information; and"},{"id":"si-4_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized\n                  access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations; and"},{"id":"si-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n                  {{ si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External\n               monitoring includes the observation of events occurring at the information system\n               boundary (i.e., part of perimeter defense and boundary protection). Internal\n               monitoring includes the observation of events occurring within the information\n               system. Organizations can monitor information systems, for example, by observing\n               audit activities in real time or by observing other system aspects such as access\n               patterns, characteristics of access, and other actions. The monitoring objectives may\n               guide determination of the events. Information system monitoring capability is\n               achieved through a variety of tools and techniques (e.g., intrusion detection\n               systems, intrusion prevention systems, malicious code protection software, scanning\n               tools, audit record monitoring software, network monitoring software). Strategic\n               locations for monitoring devices include, for example, selected perimeter locations\n               and near server farms supporting critical applications, with such devices typically\n               being employed at the managed interfaces associated with controls SC-7 and AC-17.\n               Einstein network monitoring devices from the Department of Homeland Security can also\n               be included as monitoring devices. The granularity of monitoring information\n               collected is based on organizational monitoring objectives and the capability of\n               information systems to support such objectives. Specific types of transactions of\n               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that\n               bypasses HTTP proxies. Information system monitoring is an integral part of\n               organizational continuous monitoring and incident response programs. Output from\n               system monitoring serves as input to continuous monitoring and incident response\n               programs. A network connection is any connection with a device that communicates\n               through a network (e.g., local area network, Internet). A remote connection is any\n               connection with a device communicating through an external network (e.g., the\n               Internet). Local, network, and remote connections can be either wired or\n               wireless.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-35","rel":"related","text":"SC-35"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential\n                        attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with\n                        organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","properties":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","properties":[{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information\n                     system;"},{"id":"si-4.b.2_obj","name":"objective","properties":[{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through\n                     organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","properties":[{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined\n                     essential information;"},{"id":"si-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","properties":[{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from\n                  unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","properties":[{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","properties":[{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations;"},{"id":"si-4.g_obj","name":"objective","properties":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is\n                     to be provided;"},{"id":"si-4.g_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to\n                     organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system\n                     monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to\n                     organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and/or"},{"id":"si-4.g_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\\n\\nsystem and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\nfacility diagram/layout\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\nlocations within information system where monitoring devices are deployed\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system monitoring\n                  capability"}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","parameters":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2"},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"properties":[{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from\n                     {{ si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed\n                  necessary;"},{"id":"si-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or\n                  notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security\n               alerts and advisories to maintain situational awareness across the federal\n               government. Security directives are issued by OMB or other designated organizations\n               with the responsibility and authority to issue such directives. Compliance to\n               security directives is essential due to the critical nature of many of these\n               directives and the potential immediate adverse effects on organizational operations\n               and assets, individuals, other organizations, and the Nation should the directives\n               not be implemented in a timely manner. External organizations include, for example,\n               external mission/business partners, supply chain partners, external service\n               providers, and other peer/supporting organizations.","links":[{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","properties":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts,\n                     advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from\n                     organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","properties":[{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed\n                  necessary;"},{"id":"si-5.c_obj","name":"objective","properties":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","properties":[{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives\n                     are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","properties":[{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories,\n                     and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","properties":[{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and\n                     directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the\n                     following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and/or"},{"id":"si-5.c_obj.4.c","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","properties":[{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames;\n                     or"},{"id":"si-5.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\nrecords of security alerts and advisories\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                  information system\\n\\norganizational personnel, organizational elements, and/or external organizations\n                  to whom alerts, advisories, and directives are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and\n                  complying with security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing definition, receipt,\n                  generation, and dissemination of security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing security directives"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","properties":[{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and\n               information output from the system in accordance with applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and operational\n               requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of\n               information, in some cases extending beyond the disposal of information systems. The\n               National Archives and Records Administration provides guidance on records\n               retention.","links":[{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and operational\n               requirements:","parts":[{"id":"si-12_obj.1","name":"objective","properties":[{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","properties":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","properties":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","properties":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nfederal laws, Executive Orders, directives, policies, regulations, standards, and\n                  operational requirements applicable to information handling and retention\\n\\nmedia protection policy and procedures\\n\\nprocedures addressing information system output handling and retention\\n\\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and\n                  retention\\n\\norganizational personnel with information security responsibilities/network\n                  administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\\n\\nautomated mechanisms supporting and/or implementing information handling and\n                  retention"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically related to US-CERT and FedRAMP communications\n                  procedures."}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,\n               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.\n               731.106)."},"rlinks":[{"href":"http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https://www.cnss.gov/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https://acquisition.gov/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http://www.fema.gov/pdf/about/offices/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http://www.dhs.gov/homeland-security-presidential-directive-12"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http://checklists.nist.gov","citation":{"text":"http://checklists.nist.gov"},"rlinks":[{"href":"http://checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http://csrc.nist.gov/cryptval","citation":{"text":"http://csrc.nist.gov/cryptval"},"rlinks":[{"href":"http://csrc.nist.gov/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http://csrc.nist.gov/groups/STM/cmvp/index.html","citation":{"text":"http://csrc.nist.gov/groups/STM/cmvp/index.html"},"rlinks":[{"href":"http://csrc.nist.gov/groups/STM/cmvp/index.html"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http://cwe.mitre.org","citation":{"text":"http://cwe.mitre.org"},"rlinks":[{"href":"http://cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http://fips201ep.cio.gov","citation":{"text":"http://fips201ep.cio.gov"},"rlinks":[{"href":"http://fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http://idmanagement.gov","citation":{"text":"http://idmanagement.gov"},"rlinks":[{"href":"http://idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http://nvd.nist.gov","citation":{"text":"http://nvd.nist.gov"},"rlinks":[{"href":"http://nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http://www.acquisition.gov/far","citation":{"text":"http://www.acquisition.gov/far"},"rlinks":[{"href":"http://www.acquisition.gov/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http://www.cnss.gov","citation":{"text":"http://www.cnss.gov"},"rlinks":[{"href":"http://www.cnss.gov"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http://www.niap-ccevs.org","citation":{"text":"http://www.niap-ccevs.org"},"rlinks":[{"href":"http://www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http://www.nsa.gov","citation":{"text":"http://www.nsa.gov"},"rlinks":[{"href":"http://www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml","citation":{"text":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"},"rlinks":[{"href":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http://www.us-cert.gov","citation":{"text":"http://www.us-cert.gov"},"rlinks":[{"href":"http://www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO/IEC 15408","citation":{"text":"ISO/IEC 15408"},"rlinks":[{"href":"http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"}]},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http://www.nist.gov/nstic"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-137"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-16"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-23"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-30"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-41"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-50"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-57"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-94"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-97"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http://www.whitehouse.gov/omb/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http://www.whitehouse.gov/omb/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n            (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n               (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http://www.us-cert.gov/ncas/alerts"}]},{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and Regulations","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-citations"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-acronyms"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","desc":"FedRAMP Logo","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-logo"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}]},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","title":"NIST Special Publication (SP) 800-53","properties":[{"name":"version","ns":"https://fedramp.gov/ns/oscal","value":"Revision 4"},{"name":"keep","value":"always"}],"rlinks":[{"href":"../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","media-type":"application/xml"}]}]}}}
\ No newline at end of file
diff --git a/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.json b/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.json
deleted file mode 100644
index d29f169702..0000000000
--- a/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.json
+++ /dev/null
@@ -1,38994 +0,0 @@
-{
-  "catalog": {
-    "uuid": "7ec7633b-cbd4-4e1d-9015-e5b3d44c2550",
-    "metadata": {
-      "title": "FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline",
-      "published": "2020-02-02T00:00:00.000-05:00",
-      "last-modified": "2020-06-01T10:00:00.000-05:00",
-      "version": "1.2",
-      "oscal-version": "1.0.0-milestone3",
-      "properties": [
-        {
-          "name": "resolution-timestamp",
-          "value": "2020-08-31T17:38:37.186738Z"
-        }
-      ],
-      "links": [
-        {
-          "href": "FedRAMP_LI-SaaS-baseline_profile.xml",
-          "rel": "resolution-source",
-          "text": "FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline"
-        }
-      ],
-      "roles": [
-        {
-          "id": "parpared-by",
-          "title": "Document creator"
-        },
-        {
-          "id": "fedramp-pmo",
-          "title": "The FedRAMP Program Management Office (PMO)",
-          "short-name": "CSP"
-        },
-        {
-          "id": "fedramp-jab",
-          "title": "The FedRAMP Joint Authorization Board (JAB)",
-          "short-name": "CSP"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Program Management Office",
-          "short-name": "FedRAMP PMO",
-          "links": [
-            {
-              "href": "https://fedramp.gov",
-              "rel": "homepage",
-              "text": ""
-            }
-          ],
-          "addresses": [
-            {
-              "type": "work",
-              "postal-address": [
-                "1800 F St. NW",
-                ""
-              ],
-              "city": "Washington",
-              "state": "DC",
-              "postal-code": "",
-              "country": "US"
-            }
-          ],
-          "email-addresses": [
-            "info@fedramp.gov"
-          ]
-        },
-        {
-          "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Joint Authorization Board",
-          "short-name": "FedRAMP JAB"
-        }
-      ],
-      "responsible-parties": {
-        "prepared-by": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-pmo": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-jab": {
-          "party-uuids": [
-            "ca9ba80e-1342-4bfd-b32a-abac468c24b4"
-          ]
-        }
-      }
-    },
-    "groups": [
-      {
-        "id": "ac",
-        "class": "family",
-        "title": "Access Control",
-        "controls": [
-          {
-            "id": "ac-1",
-            "class": "SP800-53",
-            "title": "Access Control Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ac-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ac-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ac-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ac-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ac-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An access control policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ac-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the access control policy and\n                     associated access controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ac-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Access control policy {{ ac-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ac-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Access control procedures {{ ac-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an access control policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ac-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ac-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the access control policy are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ac-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the access control policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        access control policy and associated access control controls;"
-                          },
-                          {
-                            "id": "ac-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ac-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current access control\n                        policy;"
-                          },
-                          {
-                            "id": "ac-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current access control policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current access control\n                        procedures; and"
-                          },
-                          {
-                            "id": "ac-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current access control procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-2",
-            "class": "SP800-53",
-            "title": "Account Management",
-            "parameters": [
-              {
-                "id": "ac-2_prm_1",
-                "label": "organization-defined information system account types"
-              },
-              {
-                "id": "ac-2_prm_2",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ac-2_prm_3",
-                "label": "organization-defined procedures or conditions"
-              },
-              {
-                "id": "ac-2_prm_4",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies and selects the following types of information system accounts to\n                  support organizational missions/business functions: {{ ac-2_prm_1 }};"
-                  },
-                  {
-                    "id": "ac-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Creates, enables, modifies, disables, and removes information system accounts in\n                  accordance with {{ ac-2_prm_3 }};"
-                  },
-                  {
-                    "id": "ac-2_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Monitors the use of information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.h",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "h."
-                      }
-                    ],
-                    "prose": "Notifies account managers:",
-                    "parts": [
-                      {
-                        "id": "ac-2_smt.h.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "When accounts are no longer required;"
-                      },
-                      {
-                        "id": "ac-2_smt.h.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "When users are terminated or transferred; and"
-                      },
-                      {
-                        "id": "ac-2_smt.h.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "When individual information system usage or need-to-know changes;"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_gdn",
-                "name": "guidance",
-                "prose": "Information system account types include, for example, individual, shared, group,\n               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and\n               service. Some of the account management requirements listed above can be implemented\n               by organizational information systems. The identification of authorized users of the\n               information system and the specification of access privileges reflects the\n               requirements in other security controls in the security plan. Users requiring\n               administrative privileges on information system accounts receive additional scrutiny\n               by appropriate organizational personnel (e.g., system owner, mission/business owner,\n               or chief information security officer) responsible for approving such accounts and\n               privileged access. Organizations may choose to define access privileges or other\n               attributes by account, by type of account, or a combination of both. Other attributes\n               required for authorizing access include, for example, restrictions on time-of-day,\n               day-of-week, and point-of-origin. In defining other account attributes, organizations\n               consider system-related requirements (e.g., scheduled maintenance, system upgrades)\n               and mission/business requirements, (e.g., time zone differences, customer\n               requirements, remote access to support travel requirements). Failure to consider\n               these factors could affect information system availability. Temporary and emergency\n               accounts are accounts intended for short-term use. Organizations establish temporary\n               accounts as a part of normal account activation procedures when there is a need for\n               short-term accounts without the demand for immediacy in account activation.\n               Organizations establish emergency accounts in response to crisis situations and with\n               the need for rapid account activation. Therefore, emergency account activation may\n               bypass normal account authorization processes. Emergency and temporary accounts are\n               not to be confused with infrequently used accounts (e.g., local logon accounts used\n               for special tasks defined by organizations or when network resources are\n               unavailable). Such accounts remain available and are not subject to automatic\n               disabling or removal dates. Conditions for disabling or deactivating accounts\n               include, for example: (i) when shared/group, emergency, or temporary accounts are no\n               longer required; or (ii) when individuals are transferred or terminated. Some types\n               of information system accounts may require specialized training.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-10",
-                    "rel": "related",
-                    "text": "AC-10"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system account types to be identified and selected to\n                     support organizational missions/business functions;"
-                      },
-                      {
-                        "id": "ac-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(a)[2]"
-                          }
-                        ],
-                        "prose": "identifies and selects organization-defined information system account types to\n                     support organizational missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(b)"
-                      }
-                    ],
-                    "prose": "assigns account managers for information system accounts;"
-                  },
-                  {
-                    "id": "ac-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(c)"
-                      }
-                    ],
-                    "prose": "establishes conditions for group and role membership;"
-                  },
-                  {
-                    "id": "ac-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(d)"
-                      }
-                    ],
-                    "prose": "specifies for each account (as required):",
-                    "parts": [
-                      {
-                        "id": "ac-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[1]"
-                          }
-                        ],
-                        "prose": "authorized users of the information system;"
-                      },
-                      {
-                        "id": "ac-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[2]"
-                          }
-                        ],
-                        "prose": "group and role membership;"
-                      },
-                      {
-                        "id": "ac-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[3]"
-                          }
-                        ],
-                        "prose": "access authorizations (i.e., privileges);"
-                      },
-                      {
-                        "id": "ac-2.d_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[4]"
-                          }
-                        ],
-                        "prose": "other attributes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles required to approve requests to create information\n                     system accounts;"
-                      },
-                      {
-                        "id": "ac-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(e)[2]"
-                          }
-                        ],
-                        "prose": "requires approvals by organization-defined personnel or roles for requests to\n                     create information system accounts;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines procedures or conditions to:",
-                        "parts": [
-                          {
-                            "id": "ac-2.f_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][a]"
-                              }
-                            ],
-                            "prose": "create information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][b]"
-                              }
-                            ],
-                            "prose": "enable information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][c]"
-                              }
-                            ],
-                            "prose": "modify information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][d]"
-                              }
-                            ],
-                            "prose": "disable information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][e]"
-                              }
-                            ],
-                            "prose": "remove information system accounts;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(f)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with organization-defined procedures or conditions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.f_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][a]"
-                              }
-                            ],
-                            "prose": "creates information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][b]"
-                              }
-                            ],
-                            "prose": "enables information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][c]"
-                              }
-                            ],
-                            "prose": "modifies information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][d]"
-                              }
-                            ],
-                            "prose": "disables information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][e]"
-                              }
-                            ],
-                            "prose": "removes information system accounts;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(g)"
-                      }
-                    ],
-                    "prose": "monitors the use of information system accounts;"
-                  },
-                  {
-                    "id": "ac-2.h_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(h)"
-                      }
-                    ],
-                    "prose": "notifies account managers:",
-                    "parts": [
-                      {
-                        "id": "ac-2.h.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(1)"
-                          }
-                        ],
-                        "prose": "when accounts are no longer required;"
-                      },
-                      {
-                        "id": "ac-2.h.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(2)"
-                          }
-                        ],
-                        "prose": "when users are terminated or transferred;"
-                      },
-                      {
-                        "id": "ac-2.h.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(3)"
-                          }
-                        ],
-                        "prose": "when individual information system usage or need to know changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.i_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(i)"
-                      }
-                    ],
-                    "prose": "authorizes access to the information system based on;",
-                    "parts": [
-                      {
-                        "id": "ac-2.i.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(1)"
-                          }
-                        ],
-                        "prose": "a valid access authorization;"
-                      },
-                      {
-                        "id": "ac-2.i.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(2)"
-                          }
-                        ],
-                        "prose": "intended system usage;"
-                      },
-                      {
-                        "id": "ac-2.i.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(3)"
-                          }
-                        ],
-                        "prose": "other attributes as required by the organization or associated\n                     missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.j_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(j)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.j_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(j)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review accounts for compliance with account management\n                     requirements;"
-                      },
-                      {
-                        "id": "ac-2.j_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(j)[2]"
-                          }
-                        ],
-                        "prose": "reviews accounts for compliance with account management requirements with the\n                     organization-defined frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.k_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(k)"
-                      }
-                    ],
-                    "prose": "establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of active system accounts along with the name of the individual associated\n                  with each account\\n\\nlist of conditions for group and role membership\\n\\nnotifications or records of recently transferred, separated, or terminated\n                  employees\\n\\nlist of recently disabled information system accounts along with the name of the\n                  individual associated with each account\\n\\naccess authorization records\\n\\naccount management compliance reviews\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes account management on the information system\\n\\nautomated mechanisms for implementing account management"
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_fr",
-                "name": "item",
-                "title": "AC-2 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "ac-2_fr_gdn.1",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored\n                     for LI-SaaS."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-3",
-            "class": "SP800-53",
-            "title": "Access Enforcement",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-3_smt",
-                "name": "statement",
-                "prose": "The information system enforces approved authorizations for logical access to\n               information and system resources in accordance with applicable access control\n               policies."
-              },
-              {
-                "id": "ac-3_gdn",
-                "name": "guidance",
-                "prose": "Access control policies (e.g., identity-based policies, role-based policies, control\n               matrices, cryptography) control access between active entities or subjects (i.e.,\n               users or processes acting on behalf of users) and passive entities or objects (e.g.,\n               devices, files, records, domains) in information systems. In addition to enforcing\n               authorized access at the information system level and recognizing that information\n               systems can host many applications and services in support of organizational missions\n               and business operations, access enforcement mechanisms can also be employed at the\n               application and service level to provide increased information security.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  },
-                  {
-                    "href": "#ac-22",
-                    "rel": "related",
-                    "text": "AC-22"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  }
-                ]
-              },
-              {
-                "id": "ac-3_obj",
-                "name": "objective",
-                "prose": "Determine if the information system enforces approved authorizations for logical\n               access to information and system resources in accordance with applicable access\n               control policies."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing access enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of approved authorizations (user privileges)\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-7",
-            "class": "SP800-53",
-            "title": "Unsuccessful Logon Attempts",
-            "parameters": [
-              {
-                "id": "ac-7_prm_1",
-                "label": "organization-defined number"
-              },
-              {
-                "id": "ac-7_prm_2",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "ac-7_prm_3"
-              },
-              {
-                "id": "ac-7_prm_4",
-                "depends-on": "ac-7_prm_3",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "ac-7_prm_5",
-                "depends-on": "ac-7_prm_3",
-                "label": "organization-defined delay algorithm"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-07"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-7_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon\n                  attempts by a user during a {{ ac-7_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ac-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Automatically {{ ac-7_prm_3 }} when the maximum number of\n                  unsuccessful attempts is exceeded."
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_gdn",
-                "name": "guidance",
-                "prose": "This control applies regardless of whether the logon occurs via a local or network\n               connection. Due to the potential for denial of service, automatic lockouts initiated\n               by information systems are usually temporary and automatically release after a\n               predetermined time period established by organizations. If a delay algorithm is\n               selected, organizations may choose to employ different algorithms for different\n               information system components based on the capabilities of those components.\n               Responses to unsuccessful logon attempts may be implemented at both the operating\n               system and the application levels.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-9",
-                    "rel": "related",
-                    "text": "AC-9"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "ac-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the number of consecutive invalid logon attempts\n                     allowed to the information system by a user during an organization-defined time\n                     period;"
-                      },
-                      {
-                        "id": "ac-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period allowed by a user of the information\n                     system for an organization-defined number of consecutive invalid logon\n                     attempts;"
-                      },
-                      {
-                        "id": "ac-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[3]"
-                          }
-                        ],
-                        "prose": "the information system enforces a limit of organization-defined number of\n                     consecutive invalid logon attempts by a user during an organization-defined\n                     time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-7(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines account/node lockout time period or logon delay\n                     algorithm to be automatically enforced by the information system when the\n                     maximum number of unsuccessful logon attempts is exceeded;"
-                      },
-                      {
-                        "id": "ac-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-7(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system, when the maximum number of unsuccessful logon attempts\n                     is exceeded, automatically:",
-                        "parts": [
-                          {
-                            "id": "ac-7.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][a]"
-                              }
-                            ],
-                            "prose": "locks the account/node for the organization-defined time period;"
-                          },
-                          {
-                            "id": "ac-7.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][b]"
-                              }
-                            ],
-                            "prose": "locks the account/node until released by an administrator; or"
-                          },
-                          {
-                            "id": "ac-7.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][c]"
-                              }
-                            ],
-                            "prose": "delays next logon prompt according to the organization-defined delay\n                        algorithm."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing unsuccessful logon attempts\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem developers\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy for unsuccessful logon\n                  attempts"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO for non-privileged users. Attestation for privileged users related to\n                  multi-factor identification and authentication."
-              }
-            ]
-          },
-          {
-            "id": "ac-8",
-            "class": "SP800-53",
-            "title": "System Use Notification",
-            "parameters": [
-              {
-                "id": "ac-8_prm_1",
-                "label": "organization-defined system use notification message or banner"
-              },
-              {
-                "id": "ac-8_prm_2",
-                "label": "organization-defined conditions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-08"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "FED"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-8_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Displays to users {{ ac-8_prm_1 }} before granting access to the\n                  system that provides privacy and security notices consistent with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance and states that:",
-                    "parts": [
-                      {
-                        "id": "ac-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Users are accessing a U.S. Government information system;"
-                      },
-                      {
-                        "id": "ac-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Information system usage may be monitored, recorded, and subject to audit;"
-                      },
-                      {
-                        "id": "ac-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Unauthorized use of the information system is prohibited and subject to\n                     criminal and civil penalties; and"
-                      },
-                      {
-                        "id": "ac-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Use of the information system indicates consent to monitoring and\n                     recording;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains the notification message or banner on the screen until users acknowledge\n                  the usage conditions and take explicit actions to log on to or further access the\n                  information system; and"
-                  },
-                  {
-                    "id": "ac-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "For publicly accessible systems:",
-                    "parts": [
-                      {
-                        "id": "ac-8_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Displays system use information {{ ac-8_prm_2 }}, before\n                     granting further access;"
-                      },
-                      {
-                        "id": "ac-8_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Displays references, if any, to monitoring, recording, or auditing that are\n                     consistent with privacy accommodations for such systems that generally prohibit\n                     those activities; and"
-                      },
-                      {
-                        "id": "ac-8_smt.c.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Includes a description of the authorized uses of the system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-8_gdn",
-                "name": "guidance",
-                "prose": "System use notifications can be implemented using messages or warning banners\n               displayed before individuals log in to information systems. System use notifications\n               are used only for access via logon interfaces with human users and are not required\n               when such human interfaces do not exist. Organizations consider system use\n               notification messages/banners displayed in multiple languages based on specific\n               organizational needs and the demographics of information system users. Organizations\n               also consult with the Office of the General Counsel for legal review and approval of\n               warning banner content."
-              },
-              {
-                "id": "ac-8_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-8(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines a system use notification message or banner to be\n                     displayed by the information system to users before granting access to the\n                     system;"
-                      },
-                      {
-                        "id": "ac-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-8(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system displays to users the organization-defined system use\n                     notification message or banner before granting access to the information system\n                     that provides privacy and security notices consistent with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance, and states that:",
-                        "parts": [
-                          {
-                            "id": "ac-8.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](1)"
-                              }
-                            ],
-                            "prose": "users are accessing a U.S. Government information system;"
-                          },
-                          {
-                            "id": "ac-8.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](2)"
-                              }
-                            ],
-                            "prose": "information system usage may be monitored, recorded, and subject to\n                        audit;"
-                          },
-                          {
-                            "id": "ac-8.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](3)"
-                              }
-                            ],
-                            "prose": "unauthorized use of the information system is prohibited and subject to\n                        criminal and civil penalties;"
-                          },
-                          {
-                            "id": "ac-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](4)"
-                              }
-                            ],
-                            "prose": "use of the information system indicates consent to monitoring and\n                        recording;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(b)"
-                      }
-                    ],
-                    "prose": "the information system retains the notification message or banner on the screen\n                  until users acknowledge the usage conditions and take explicit actions to log on\n                  to or further access the information system;"
-                  },
-                  {
-                    "id": "ac-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(c)"
-                      }
-                    ],
-                    "prose": "for publicly accessible systems:",
-                    "parts": [
-                      {
-                        "id": "ac-8.c.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-8.c.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(c)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines conditions for system use to be displayed by the\n                        information system before granting further access;"
-                          },
-                          {
-                            "id": "ac-8.c.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(c)(1)[2]"
-                              }
-                            ],
-                            "prose": "the information system displays organization-defined conditions before\n                        granting further access;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-8.c.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(2)"
-                          }
-                        ],
-                        "prose": "the information system displays references, if any, to monitoring, recording,\n                     or auditing that are consistent with privacy accommodations for such systems\n                     that generally prohibit those activities; and"
-                      },
-                      {
-                        "id": "ac-8.c.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(3)"
-                          }
-                        ],
-                        "prose": "the information system includes a description of the authorized uses of the\n                     system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprivacy and security policies, procedures addressing system use notification\\n\\ndocumented approval of information system use notification messages or banners\\n\\ninformation system audit records\\n\\nuser acknowledgements of notification message or banner\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system use notification messages\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for providing legal advice\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing system use notification"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "FED - This is related to agency data and agency policy solution."
-              }
-            ]
-          },
-          {
-            "id": "ac-14",
-            "class": "SP800-53",
-            "title": "Permitted Actions Without Identification or Authentication",
-            "parameters": [
-              {
-                "id": "ac-14_prm_1",
-                "label": "organization-defined user actions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-14"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-14"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "FED"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-14_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-14_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies {{ ac-14_prm_1 }} that can be performed on the\n                  information system without identification or authentication consistent with\n                  organizational missions/business functions; and"
-                  },
-                  {
-                    "id": "ac-14_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."
-                  }
-                ]
-              },
-              {
-                "id": "ac-14_gdn",
-                "name": "guidance",
-                "prose": "This control addresses situations in which organizations determine that no\n               identification or authentication is required in organizational information systems.\n               Organizations may allow a limited number of user actions without identification or\n               authentication including, for example, when individuals access public websites or\n               other publicly accessible federal information systems, when individuals use mobile\n               phones to receive calls, or when facsimiles are received. Organizations also identify\n               actions that normally require identification or authentication but may under certain\n               circumstances (e.g., emergencies), allow identification or authentication mechanisms\n               to be bypassed. Such bypasses may occur, for example, via a software-readable\n               physical switch that commands bypass of the logon functionality and is protected from\n               accidental or unmonitored use. This control does not apply to situations where\n               identification and authentication have already occurred and are not repeated, but\n               rather to situations where identification and authentication have not yet occurred.\n               Organizations may decide that there are no user actions that can be performed on\n               organizational information systems without identification and authentication and\n               thus, the values for assignment statements can be none.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  }
-                ]
-              },
-              {
-                "id": "ac-14_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-14.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-14(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-14.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-14(a)[1]"
-                          }
-                        ],
-                        "prose": "defines user actions that can be performed on the information system without\n                     identification or authentication consistent with organizational\n                     missions/business functions;"
-                      },
-                      {
-                        "id": "ac-14.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-14(a)[2]"
-                          }
-                        ],
-                        "prose": "identifies organization-defined user actions that can be performed on the\n                     information system without identification or authentication consistent with\n                     organizational missions/business functions; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-14.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-14(b)"
-                      }
-                    ],
-                    "prose": "documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing permitted actions without identification or\n                  authentication\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nlist of user actions that can be performed without identification or\n                  authentication\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "FED - This is related to agency data and agency policy solution."
-              }
-            ]
-          },
-          {
-            "id": "ac-17",
-            "class": "SP800-53",
-            "title": "Remote Access",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-17"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5309d4d0-46f8-4213-a749-e7584164e5e8",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-46"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              },
-              {
-                "href": "#349fe082-502d-464a-aa0c-1443c6a5cf40",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-113"
-              },
-              {
-                "href": "#1201fcf3-afb1-4675-915a-fb4ae0435717",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-114"
-              },
-              {
-                "href": "#d1a4e2a9-e512-4132-8795-5357aba29254",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-121"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-17_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-17_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and documents usage restrictions, configuration/connection\n                  requirements, and implementation guidance for each type of remote access allowed;\n                  and"
-                  },
-                  {
-                    "id": "ac-17_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes remote access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "id": "ac-17_gdn",
-                "name": "guidance",
-                "prose": "Remote access is access to organizational information systems by users (or processes\n               acting on behalf of users) communicating through external networks (e.g., the\n               Internet). Remote access methods include, for example, dial-up, broadband, and\n               wireless. Organizations often employ encrypted virtual private networks (VPNs) to\n               enhance confidentiality and integrity over remote connections. The use of encrypted\n               VPNs does not make the access non-remote; however, the use of VPNs, when adequately\n               provisioned with appropriate security controls (e.g., employing appropriate\n               encryption techniques for confidentiality and integrity protection) may provide\n               sufficient assurance to the organization that it can effectively treat such\n               connections as internal networks. Still, VPN connections traverse external networks,\n               and the encrypted VPN does not enhance the availability of remote connections. Also,\n               VPNs with encrypted tunnels can affect the organizational capability to adequately\n               monitor network communications traffic for malicious code. Remote access controls\n               apply to information systems other than public web servers or systems designed for\n               public access. This control addresses authorization prior to allowing remote access\n               without specifying the formats for such authorization. While organizations may use\n               interconnection security agreements to authorize remote access connections, such\n               agreements are not required by this control. Enforcing access restrictions for remote\n               connections is addressed in AC-3.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#pe-17",
-                    "rel": "related",
-                    "text": "PE-17"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-17.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-17(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-17.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[1]"
-                          }
-                        ],
-                        "prose": "identifies the types of remote access allowed to the information system;"
-                      },
-                      {
-                        "id": "ac-17.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes for each type of remote access allowed:",
-                        "parts": [
-                          {
-                            "id": "ac-17.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][a]"
-                              }
-                            ],
-                            "prose": "usage restrictions;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][b]"
-                              }
-                            ],
-                            "prose": "configuration/connection requirements;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][c]"
-                              }
-                            ],
-                            "prose": "implementation guidance;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-17.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[3]"
-                          }
-                        ],
-                        "prose": "documents for each type of remote access allowed:",
-                        "parts": [
-                          {
-                            "id": "ac-17.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][a]"
-                              }
-                            ],
-                            "prose": "usage restrictions;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][b]"
-                              }
-                            ],
-                            "prose": "configuration/connection requirements;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][c]"
-                              }
-                            ],
-                            "prose": "implementation guidance; and"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-17(b)"
-                      }
-                    ],
-                    "prose": "authorizes remote access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing remote access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nremote access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing remote access\n                  connections\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Remote access management capability for the information system"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-18",
-            "class": "SP800-53",
-            "title": "Wireless Access",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-18"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-18"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "links": [
-              {
-                "href": "#238ed479-eccb-49f6-82ec-ab74a7a428cf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-48"
-              },
-              {
-                "href": "#d1b1d689-0f66-4474-9924-c81119758dc1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-94"
-              },
-              {
-                "href": "#6f336ecd-f2a0-4c84-9699-0491d81b6e0d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-97"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-18_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-18_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions, configuration/connection requirements, and\n                  implementation guidance for wireless access; and"
-                  },
-                  {
-                    "id": "ac-18_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes wireless access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "id": "ac-18_gdn",
-                "name": "guidance",
-                "prose": "Wireless technologies include, for example, microwave, packet radio (UHF/VHF),\n               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,\n               EAP/TLS, PEAP), which provide credential protection and mutual authentication.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-18_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-18.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-18(a)"
-                      }
-                    ],
-                    "prose": "establishes for wireless access:",
-                    "parts": [
-                      {
-                        "id": "ac-18.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[1]"
-                          }
-                        ],
-                        "prose": "usage restrictions;"
-                      },
-                      {
-                        "id": "ac-18.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[2]"
-                          }
-                        ],
-                        "prose": "configuration/connection requirement;"
-                      },
-                      {
-                        "id": "ac-18.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[3]"
-                          }
-                        ],
-                        "prose": "implementation guidance; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-18(b)"
-                      }
-                    ],
-                    "prose": "authorizes wireless access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing wireless access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nwireless access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing wireless access\n                  connections\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Wireless access management capability for the information system"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - All access to Cloud SaaS are via web services and/or API. The device\n                  accessed from or whether via wired or wireless connection is out of scope.\n                  Regardless of device accessed from, must utilize approved remote access methods\n                  (AC-17), secure communication with strong encryption (SC-13), key management\n                  (SC-12), and multi-factor authentication for privileged access (IA-2[1])."
-              }
-            ]
-          },
-          {
-            "id": "ac-19",
-            "class": "SP800-53",
-            "title": "Access Control for Mobile Devices",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-19"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-19"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "links": [
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              },
-              {
-                "href": "#1201fcf3-afb1-4675-915a-fb4ae0435717",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-114"
-              },
-              {
-                "href": "#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-124"
-              },
-              {
-                "href": "#6513e480-fada-4876-abba-1397084dfb26",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-164"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-19_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-19_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions, configuration requirements, connection\n                  requirements, and implementation guidance for organization-controlled mobile\n                  devices; and"
-                  },
-                  {
-                    "id": "ac-19_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes the connection of mobile devices to organizational information\n                  systems."
-                  }
-                ]
-              },
-              {
-                "id": "ac-19_gdn",
-                "name": "guidance",
-                "prose": "A mobile device is a computing device that: (i) has a small form factor such that it\n               can easily be carried by a single individual; (ii) is designed to operate without a\n               physical connection (e.g., wirelessly transmit or receive information); (iii)\n               possesses local, non-removable or removable data storage; and (iv) includes a\n               self-contained power source. Mobile devices may also include voice communication\n               capabilities, on-board sensors that allow the device to capture information, and/or\n               built-in features for synchronizing local data with remote locations. Examples\n               include smart phones, E-readers, and tablets. Mobile devices are typically associated\n               with a single individual and the device is usually in close proximity to the\n               individual; however, the degree of proximity can vary depending upon on the form\n               factor and size of the device. The processing, storage, and transmission capability\n               of the mobile device may be comparable to or merely a subset of desktop systems,\n               depending upon the nature and intended purpose of the device. Due to the large\n               variety of mobile devices with different technical characteristics and capabilities,\n               organizational restrictions may vary for the different classes/types of such devices.\n               Usage restrictions and specific implementation guidance for mobile devices include,\n               for example, configuration management, device identification and authentication,\n               implementation of mandatory protective software (e.g., malicious code detection,\n               firewall), scanning devices for malicious code, updating virus protection software,\n               scanning for critical software updates and patches, conducting primary operating\n               system (and possibly other resident software) integrity checks, and disabling\n               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the\n               need to provide adequate security for mobile devices goes beyond the requirements in\n               this control. Many safeguards and countermeasures for mobile devices are reflected in\n               other security controls in the catalog allocated in the initial control baselines as\n               starting points for the development of security plans and overlays using the\n               tailoring process. There may also be some degree of overlap in the requirements\n               articulated by the security controls within the different families of controls. AC-20\n               addresses mobile devices that are not organization-controlled.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-9",
-                    "rel": "related",
-                    "text": "CA-9"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-43",
-                    "rel": "related",
-                    "text": "SC-43"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-19_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-19.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-19(a)"
-                      }
-                    ],
-                    "prose": "establishes for organization-controlled mobile devices:",
-                    "parts": [
-                      {
-                        "id": "ac-19.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[1]"
-                          }
-                        ],
-                        "prose": "usage restrictions;"
-                      },
-                      {
-                        "id": "ac-19.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[2]"
-                          }
-                        ],
-                        "prose": "configuration/connection requirement;"
-                      },
-                      {
-                        "id": "ac-19.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[3]"
-                          }
-                        ],
-                        "prose": "implementation guidance; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-19.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-19(b)"
-                      }
-                    ],
-                    "prose": "authorizes the connection of mobile devices to organizational information\n                  systems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing access control for mobile device usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nauthorizations for mobile device connections to organizational information\n                  systems\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel using mobile devices to access organizational information\n                  systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control capability authorizing mobile device connections to organizational\n                  information systems"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - All access to Cloud SaaS are via web service and/or API. The device accessed\n                  from is out of the scope. Regardless of device accessed from, must utilize\n                  approved remote access methods (AC-17), secure communication with strong\n                  encryption (SC-13), key management (SC-12), and multi-factor authentication for\n                  privileged access (IA-2 [1])."
-              }
-            ]
-          },
-          {
-            "id": "ac-20",
-            "class": "SP800-53",
-            "title": "Use of External Information Systems",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-20"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-20"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-20_smt",
-                "name": "statement",
-                "prose": "The organization establishes terms and conditions, consistent with any trust\n               relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to:",
-                "parts": [
-                  {
-                    "id": "ac-20_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Access the information system from external information systems; and"
-                  },
-                  {
-                    "id": "ac-20_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Process, store, or transmit organization-controlled information using external\n                  information systems."
-                  }
-                ]
-              },
-              {
-                "id": "ac-20_gdn",
-                "name": "guidance",
-                "prose": "External information systems are information systems or components of information\n               systems that are outside of the authorization boundary established by organizations\n               and for which organizations typically have no direct supervision and authority over\n               the application of required security controls or the assessment of control\n               effectiveness. External information systems include, for example: (i) personally\n               owned information systems/devices (e.g., notebook computers, smart phones, tablets,\n               personal digital assistants); (ii) privately owned computing and communications\n               devices resident in commercial or public facilities (e.g., hotels, train stations,\n               convention centers, shopping malls, or airports); (iii) information systems owned or\n               controlled by nonfederal governmental organizations; and (iv) federal information\n               systems that are not owned by, operated by, or under the direct supervision and\n               authority of organizations. This control also addresses the use of external\n               information systems for the processing, storage, or transmission of organizational\n               information, including, for example, accessing cloud services (e.g., infrastructure\n               as a service, platform as a service, or software as a service) from organizational\n               information systems. For some external information systems (i.e., information systems\n               operated by other federal agencies, including organizations subordinate to those\n               agencies), the trust relationships that have been established between those\n               organizations and the originating organization may be such, that no explicit terms\n               and conditions are required. Information systems within these organizations would not\n               be considered external. These situations occur when, for example, there are\n               pre-existing sharing/trust agreements (either implicit or explicit) established\n               between federal agencies or organizations subordinate to those agencies, or when such\n               trust agreements are specified by applicable laws, Executive Orders, directives, or\n               policies. Authorized individuals include, for example, organizational personnel,\n               contractors, or other individuals with authorized access to organizational\n               information systems and over which organizations have the authority to impose rules\n               of behavior with regard to system access. Restrictions that organizations impose on\n               authorized individuals need not be uniform, as those restrictions may vary depending\n               upon the trust relationships between organizations. Therefore, organizations may\n               choose to impose different security restrictions on contractors than on state, local,\n               or tribal governments. This control does not apply to the use of external information\n               systems to access public interfaces to organizational information systems (e.g.,\n               individuals accessing federal information through www.usa.gov). Organizations\n               establish terms and conditions for the use of external information systems in\n               accordance with organizational security policies and procedures. Terms and conditions\n               address as a minimum: types of applications that can be accessed on organizational\n               information systems from external information systems; and the highest security\n               category of information that can be processed, stored, or transmitted on external\n               information systems. If terms and conditions with the owners of external information\n               systems cannot be established, organizations may impose restrictions on\n               organizational personnel using those external systems.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  }
-                ]
-              },
-              {
-                "id": "ac-20_obj",
-                "name": "objective",
-                "prose": "Determine if the organization establishes terms and conditions, consistent with any\n               trust relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to: ",
-                "parts": [
-                  {
-                    "id": "ac-20.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-20(a)"
-                      }
-                    ],
-                    "prose": "access the information system from the external information systems; and"
-                  },
-                  {
-                    "id": "ac-20.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-20(b)"
-                      }
-                    ],
-                    "prose": "process, store, or transmit organization-controlled information using external\n                  information systems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nexternal information systems terms and conditions\\n\\nlist of types of applications accessible from external information systems\\n\\nmaximum security categorization for information processed, stored, or transmitted\n                  on external information systems\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for defining terms and conditions\n                  for use of external information systems to access organizational systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing terms and conditions on use of external\n                  information systems"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-22",
-            "class": "SP800-53",
-            "title": "Publicly Accessible Content",
-            "parameters": [
-              {
-                "id": "ac-22_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least quarterly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-22"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-22"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-22_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-22_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Designates individuals authorized to post information onto a publicly accessible\n                  information system;"
-                  },
-                  {
-                    "id": "ac-22_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"
-                  },
-                  {
-                    "id": "ac-22_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included; and"
-                  },
-                  {
-                    "id": "ac-22_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Reviews the content on the publicly accessible information system for nonpublic\n                  information {{ ac-22_prm_1 }} and removes such information, if\n                  discovered."
-                  }
-                ]
-              },
-              {
-                "id": "ac-22_gdn",
-                "name": "guidance",
-                "prose": "In accordance with federal laws, Executive Orders, directives, policies, regulations,\n               standards, and/or guidance, the general public is not authorized access to nonpublic\n               information (e.g., information protected under the Privacy Act and proprietary\n               information). This control addresses information systems that are controlled by the\n               organization and accessible to the general public, typically without identification\n               or authentication. The posting of information on non-organization information systems\n               is covered by organizational policy.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#au-13",
-                    "rel": "related",
-                    "text": "AU-13"
-                  }
-                ]
-              },
-              {
-                "id": "ac-22_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ac-22.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-22(a)"
-                      }
-                    ],
-                    "prose": "designates individuals authorized to post information onto a publicly accessible\n                  information system;"
-                  },
-                  {
-                    "id": "ac-22.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-22(b)"
-                      }
-                    ],
-                    "prose": "trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"
-                  },
-                  {
-                    "id": "ac-22.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-22(c)"
-                      }
-                    ],
-                    "prose": "reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included;"
-                  },
-                  {
-                    "id": "ac-22.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-22(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-22.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the content on the publicly accessible\n                     information system for nonpublic information;"
-                      },
-                      {
-                        "id": "ac-22.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[2]"
-                          }
-                        ],
-                        "prose": "reviews the content on the publicly accessible information system for nonpublic\n                     information with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "ac-22.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[3]"
-                          }
-                        ],
-                        "prose": "removes nonpublic information from the publicly accessible information system,\n                     if discovered."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing publicly accessible content\\n\\nlist of users authorized to post publicly accessible content on organizational\n                  information systems\\n\\ntraining materials and/or records\\n\\nrecords of publicly accessible information reviews\\n\\nrecords of response to nonpublic information on public websites\\n\\nsystem audit logs\\n\\nsecurity awareness training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing publicly accessible\n                  information posted on organizational information systems\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing management of publicly accessible content"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "at",
-        "class": "family",
-        "title": "Awareness and Training",
-        "controls": [
-          {
-            "id": "at-1",
-            "class": "SP800-53",
-            "title": "Security Awareness and Training Policy and Procedures",
-            "parameters": [
-              {
-                "id": "at-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "at-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "at-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AT-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "at-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ at-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "at-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security awareness and training policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "at-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security awareness and\n                     training policy and associated security awareness and training controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "at-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security awareness and training policy {{ at-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "at-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security awareness and training procedures {{ at-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "at-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AT\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "at-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an security awareness and training policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "at-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "at-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the security awareness and training\n                        policy are to be disseminated;"
-                          },
-                          {
-                            "id": "at-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the security awareness and training policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        security awareness and training policy and associated awareness and training\n                        controls;"
-                          },
-                          {
-                            "id": "at-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "at-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security awareness\n                        and training policy;"
-                          },
-                          {
-                            "id": "at-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security awareness and training policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security awareness\n                        and training procedures; and"
-                          },
-                          {
-                            "id": "at-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security awareness and training procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security awareness and training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-2",
-            "class": "SP800-53",
-            "title": "Security Awareness Training",
-            "parameters": [
-              {
-                "id": "at-2_prm_1",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AT-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bb61234b-46c3-4211-8c2b-9869222a720d",
-                "rel": "reference",
-                "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-              },
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-2_smt",
-                "name": "statement",
-                "prose": "The organization provides basic security awareness training to information system\n               users (including managers, senior executives, and contractors):",
-                "parts": [
-                  {
-                    "id": "at-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "As part of initial training for new users;"
-                  },
-                  {
-                    "id": "at-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "at-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ at-2_prm_1 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "at-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the appropriate content of security awareness training and\n               security awareness techniques based on the specific organizational requirements and\n               the information systems to which personnel have authorized access. The content\n               includes a basic understanding of the need for information security and user actions\n               to maintain security and to respond to suspected security incidents. The content also\n               addresses awareness of the need for operations security. Security awareness\n               techniques can include, for example, displaying posters, offering supplies inscribed\n               with security reminders, generating email advisories/notices from senior\n               organizational officials, displaying logon screen messages, and conducting\n               information security awareness events.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#at-4",
-                    "rel": "related",
-                    "text": "AT-4"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "at-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-2(a)"
-                      }
-                    ],
-                    "prose": "provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) as part of initial training for new\n                  users;"
-                  },
-                  {
-                    "id": "at-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-2(b)"
-                      }
-                    ],
-                    "prose": "provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) when required by information system\n                  changes; and"
-                  },
-                  {
-                    "id": "at-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher security awareness training\n                     thereafter to information system users (including managers, senior executives,\n                     and contractors); and"
-                      },
-                      {
-                        "id": "at-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-2(c)[2]"
-                          }
-                        ],
-                        "prose": "provides refresher security awareness training to information users (including\n                     managers, senior executives, and contractors) with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nappropriate codes of federal regulations\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for security awareness training\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel comprising the general information system user\n                  community"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms managing security awareness training"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-3",
-            "class": "SP800-53",
-            "title": "Role-based Security Training",
-            "parameters": [
-              {
-                "id": "at-3_prm_1",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AT-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bb61234b-46c3-4211-8c2b-9869222a720d",
-                "rel": "reference",
-                "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-3_smt",
-                "name": "statement",
-                "prose": "The organization provides role-based security training to personnel with assigned\n               security roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "at-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Before authorizing access to the information system or performing assigned\n                  duties;"
-                  },
-                  {
-                    "id": "at-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "at-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ at-3_prm_1 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "at-3_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the appropriate content of security training based on the\n               assigned roles and responsibilities of individuals and the specific security\n               requirements of organizations and the information systems to which personnel have\n               authorized access. In addition, organizations provide enterprise architects,\n               information system developers, software developers, acquisition/procurement\n               officials, information system managers, system/network administrators, personnel\n               conducting configuration management and auditing activities, personnel performing\n               independent verification and validation activities, security control assessors, and\n               other personnel having access to system-level software, adequate security-related\n               technical training specifically tailored for their assigned duties. Comprehensive\n               role-based training addresses management, operational, and technical roles and\n               responsibilities covering physical, personnel, and technical safeguards and\n               countermeasures. Such training can include for example, policies, procedures, tools,\n               and artifacts for the organizational security roles defined. Organizations also\n               provide the training necessary for individuals to carry out their responsibilities\n               related to operations and supply chain security within the context of organizational\n               information security programs. Role-based security training also applies to\n               contractors providing services to federal agencies.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-4",
-                    "rel": "related",
-                    "text": "AT-4"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sa-16",
-                    "rel": "related",
-                    "text": "SA-16"
-                  }
-                ]
-              },
-              {
-                "id": "at-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-3(a)"
-                      }
-                    ],
-                    "prose": "provides role-based security training to personnel with assigned security roles\n                  and responsibilities before authorizing access to the information system or\n                  performing assigned duties;"
-                  },
-                  {
-                    "id": "at-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-3(b)"
-                      }
-                    ],
-                    "prose": "provides role-based security training to personnel with assigned security roles\n                  and responsibilities when required by information system changes; and"
-                  },
-                  {
-                    "id": "at-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher role-based security training\n                     thereafter to personnel with assigned security roles and responsibilities;\n                     and"
-                      },
-                      {
-                        "id": "at-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides refresher role-based security training to personnel with assigned\n                     security roles and responsibilities with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\ncodes of federal regulations\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for role-based security\n                  training\\n\\norganizational personnel with assigned information system security roles and\n                  responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms managing role-based security training"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-4",
-            "class": "SP800-53",
-            "title": "Security Training Records",
-            "parameters": [
-              {
-                "id": "at-4_prm_1",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AT-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "at-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Documents and monitors individual information system security training activities\n                  including basic security awareness training and specific information system\n                  security training; and"
-                  },
-                  {
-                    "id": "at-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains individual training records for {{ at-4_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "at-4_gdn",
-                "name": "guidance",
-                "prose": "Documentation for specialized training may be maintained by individual supervisors at\n               the option of the organization.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pm-14",
-                    "rel": "related",
-                    "text": "PM-14"
-                  }
-                ]
-              },
-              {
-                "id": "at-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-4(a)[1]"
-                          }
-                        ],
-                        "prose": "documents individual information system security training activities\n                     including:",
-                        "parts": [
-                          {
-                            "id": "at-4.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[1][a]"
-                              }
-                            ],
-                            "prose": "basic security awareness training;"
-                          },
-                          {
-                            "id": "at-4.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[1][b]"
-                              }
-                            ],
-                            "prose": "specific role-based information system security training;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-4(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors individual information system security training activities\n                     including:",
-                        "parts": [
-                          {
-                            "id": "at-4.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[2][a]"
-                              }
-                            ],
-                            "prose": "basic security awareness training;"
-                          },
-                          {
-                            "id": "at-4.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[2][b]"
-                              }
-                            ],
-                            "prose": "specific role-based information system security training;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-4(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-4(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period to retain individual training records; and"
-                      },
-                      {
-                        "id": "at-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-4(b)[2]"
-                          }
-                        ],
-                        "prose": "retains individual training records for the organization-defined time\n                     period."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security training records\\n\\nsecurity awareness and training records\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security training record retention\n                  responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting management of security training records"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "au",
-        "class": "family",
-        "title": "Audit and Accountability",
-        "controls": [
-          {
-            "id": "au-1",
-            "class": "SP800-53",
-            "title": "Audit and Accountability Policy and Procedures",
-            "parameters": [
-              {
-                "id": "au-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "au-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "au-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ au-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "au-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An audit and accountability policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "au-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the audit and accountability\n                     policy and associated audit and accountability controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "au-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Audit and accountability policy {{ au-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "au-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Audit and accountability procedures {{ au-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AU\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "au-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an audit and accountability policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "au-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "au-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the audit and accountability policy are\n                        to be disseminated;"
-                          },
-                          {
-                            "id": "au-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the audit and accountability policy to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        audit and accountability policy and associated audit and accountability\n                        controls;"
-                          },
-                          {
-                            "id": "au-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "au-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current audit and\n                        accountability policy;"
-                          },
-                          {
-                            "id": "au-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current audit and accountability policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current audit and\n                        accountability procedures; and"
-                          },
-                          {
-                            "id": "au-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current audit and accountability procedures in\n                        accordance with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-2",
-            "class": "SP800-53",
-            "title": "Audit Events",
-            "parameters": [
-              {
-                "id": "au-2_prm_1",
-                "label": "organization-defined auditable events"
-              },
-              {
-                "id": "au-2_prm_2",
-                "label": "organization-defined audited events (the subset of the auditable events defined\n               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each\n               identified event"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#672fd561-b92b-4713-b9cf-6c9d9456728b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-92"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines that the information system is capable of auditing the following\n                  events: {{ au-2_prm_1 }};"
-                  },
-                  {
-                    "id": "au-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"
-                  },
-                  {
-                    "id": "au-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents; and"
-                  },
-                  {
-                    "id": "au-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Determines that the following events are to be audited within the information\n                  system: {{ au-2_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-2_gdn",
-                "name": "guidance",
-                "prose": "An event is any observable occurrence in an organizational information system.\n               Organizations identify audit events as those events which are significant and\n               relevant to the security of information systems and the environments in which those\n               systems operate in order to meet specific and ongoing audit needs. Audit events can\n               include, for example, password changes, failed logons, or failed accesses related to\n               information systems, administrative privilege usage, PIV credential usage, or\n               third-party credential usage. In determining the set of auditable events,\n               organizations consider the auditing appropriate for each of the security controls to\n               be implemented. To balance auditing requirements with other information system needs,\n               this control also requires identifying that subset of auditable events that are\n               audited at a given point in time. For example, organizations may determine that\n               information systems must have the capability to log every file access both successful\n               and unsuccessful, but not activate that capability except for specific circumstances\n               due to the potential burden on system performance. Auditing requirements, including\n               the need for auditable events, may be referenced in other security controls and\n               control enhancements. Organizations also include auditable events that are required\n               by applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards. Audit records can be generated at various levels of abstraction, including\n               at the packet level as information traverses the network. Selecting the appropriate\n               level of abstraction is a critical aspect of an audit capability and can facilitate\n               the identification of root causes to problems. Organizations consider in the\n               definition of auditable events, the auditing necessary to cover related events such\n               as the steps in distributed, transaction-based processes (e.g., processes that are\n               distributed across multiple organizations) and actions that occur in service-oriented\n               architectures.",
-                "links": [
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "au-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the auditable events that the information system must be capable of\n                     auditing;"
-                      },
-                      {
-                        "id": "au-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-2(a)[2]"
-                          }
-                        ],
-                        "prose": "determines that the information system is capable of auditing\n                     organization-defined auditable events;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(b)"
-                      }
-                    ],
-                    "prose": "coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"
-                  },
-                  {
-                    "id": "au-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(c)"
-                      }
-                    ],
-                    "prose": "provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents;"
-                  },
-                  {
-                    "id": "au-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines the subset of auditable events defined in AU-2a that are to be audited\n                     within the information system;"
-                      },
-                      {
-                        "id": "au-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[2]"
-                          }
-                        ],
-                        "prose": "determines that the subset of auditable events defined in AU-2a are to be\n                     audited within the information system; and"
-                      },
-                      {
-                        "id": "au-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[3]"
-                          }
-                        ],
-                        "prose": "determines the frequency of (or situation requiring) auditing for each\n                     identified event."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system auditable events\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system auditing"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-3",
-            "class": "SP800-53",
-            "title": "Content of Audit Records",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-3_smt",
-                "name": "statement",
-                "prose": "The information system generates audit records containing information that\n               establishes what type of event occurred, when the event occurred, where the event\n               occurred, the source of the event, the outcome of the event, and the identity of any\n               individuals or subjects associated with the event."
-              },
-              {
-                "id": "au-3_gdn",
-                "name": "guidance",
-                "prose": "Audit record content that may be necessary to satisfy the requirement of this\n               control, includes, for example, time stamps, source and destination addresses,\n               user/process identifiers, event descriptions, success/fail indications, filenames\n               involved, and access control or flow control rules invoked. Event outcomes can\n               include indicators of event success or failure and event-specific results (e.g., the\n               security state of the information system after the event occurred).",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-8",
-                    "rel": "related",
-                    "text": "AU-8"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#si-11",
-                    "rel": "related",
-                    "text": "SI-11"
-                  }
-                ]
-              },
-              {
-                "id": "au-3_obj",
-                "name": "objective",
-                "prose": "Determine if the information system generates audit records containing information\n               that establishes: ",
-                "parts": [
-                  {
-                    "id": "au-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[1]"
-                      }
-                    ],
-                    "prose": "what type of event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[2]"
-                      }
-                    ],
-                    "prose": "when the event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[3]"
-                      }
-                    ],
-                    "prose": "where the event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[4]"
-                      }
-                    ],
-                    "prose": "the source of the event;"
-                  },
-                  {
-                    "id": "au-3_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[5]"
-                      }
-                    ],
-                    "prose": "the outcome of the event; and"
-                  },
-                  {
-                    "id": "au-3_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[6]"
-                      }
-                    ],
-                    "prose": "the identity of any individuals or subjects associated with the event."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system auditing of auditable\n                  events"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-4",
-            "class": "SP800-53",
-            "title": "Audit Storage Capacity",
-            "parameters": [
-              {
-                "id": "au-4_prm_1",
-                "label": "organization-defined audit record storage requirements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-4_smt",
-                "name": "statement",
-                "prose": "The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}."
-              },
-              {
-                "id": "au-4_gdn",
-                "name": "guidance",
-                "prose": "Organizations consider the types of auditing to be performed and the audit processing\n               requirements when allocating audit storage capacity. Allocating sufficient audit\n               storage capacity reduces the likelihood of such capacity being exceeded and resulting\n               in the potential loss or reduction of auditing capability.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-11",
-                    "rel": "related",
-                    "text": "AU-11"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "au-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-4_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-4[1]"
-                      }
-                    ],
-                    "prose": "defines audit record storage requirements; and"
-                  },
-                  {
-                    "id": "au-4_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-4[2]"
-                      }
-                    ],
-                    "prose": "allocates audit record storage capacity in accordance with the\n                  organization-defined audit record storage requirements."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit storage capacity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit record storage requirements\\n\\naudit record storage capability for information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit record storage capacity and related configuration settings"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - Loss of availability of the audit data has been determined to have little or\n                  no impact to government business/mission needs."
-              }
-            ]
-          },
-          {
-            "id": "au-5",
-            "class": "SP800-53",
-            "title": "Response to Audit Processing Failures",
-            "parameters": [
-              {
-                "id": "au-5_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "au-5_prm_2",
-                "label": "organization-defined actions to be taken (e.g., shut down information system,\n               overwrite oldest audit records, stop generating audit records)",
-                "constraints": [
-                  {
-                    "detail": "organization-defined actions to be taken (overwrite oldest record)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-5_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Alerts {{ au-5_prm_1 }} in the event of an audit processing\n                  failure; and"
-                  },
-                  {
-                    "id": "au-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Takes the following additional actions: {{ au-5_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-5_gdn",
-                "name": "guidance",
-                "prose": "Audit processing failures include, for example, software/hardware errors, failures in\n               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n               Organizations may choose to define additional actions for different audit processing\n               failures (e.g., by type, by location, by severity, or a combination of such factors).\n               This control applies to each audit data storage repository (i.e., distinct\n               information system component where audit records are stored), the total audit storage\n               capacity of organizations (i.e., all audit data storage repositories combined), or\n               both.",
-                "links": [
-                  {
-                    "href": "#au-4",
-                    "rel": "related",
-                    "text": "AU-4"
-                  },
-                  {
-                    "href": "#si-12",
-                    "rel": "related",
-                    "text": "SI-12"
-                  }
-                ]
-              },
-              {
-                "id": "au-5_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-5(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the personnel or roles to be alerted in the event of\n                     an audit processing failure;"
-                      },
-                      {
-                        "id": "au-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-5(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system alerts the organization-defined personnel or roles in\n                     the event of an audit processing failure;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-5(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines additional actions to be taken (e.g., shutdown\n                     information system, overwrite oldest audit records, stop generating audit\n                     records) in the event of an audit processing failure; and"
-                      },
-                      {
-                        "id": "au-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-5(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system takes the additional organization-defined actions in the\n                     event of an audit processing failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of personnel to be notified in case of an audit processing failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system response to audit processing\n                  failures"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-6",
-            "class": "SP800-53",
-            "title": "Audit Review, Analysis, and Reporting",
-            "parameters": [
-              {
-                "id": "au-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least weekly"
-                  }
-                ]
-              },
-              {
-                "id": "au-6_prm_2",
-                "label": "organization-defined inappropriate or unusual activity"
-              },
-              {
-                "id": "au-6_prm_3",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-06"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};\n                  and"
-                  },
-                  {
-                    "id": "au-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reports findings to {{ au-6_prm_3 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-6_gdn",
-                "name": "guidance",
-                "prose": "Audit review, analysis, and reporting covers information security-related auditing\n               performed by organizations including, for example, auditing that results from\n               monitoring of account usage, remote access, wireless connectivity, mobile device\n               connection, configuration settings, system component inventory, use of maintenance\n               tools and nonlocal maintenance, physical access, temperature and humidity, equipment\n               delivery and removal, communications at the information system boundaries, use of\n               mobile code, and use of VoIP. Findings can be reported to organizational entities\n               that include, for example, incident response team, help desk, information security\n               group/department. If organizations are prohibited from reviewing and analyzing audit\n               information or unable to conduct such activities (e.g., in certain national security\n               applications or systems), the review/analysis may be carried out by other\n               organizations granted such authority.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-16",
-                    "rel": "related",
-                    "text": "AU-16"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-10",
-                    "rel": "related",
-                    "text": "CM-10"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ir-5",
-                    "rel": "related",
-                    "text": "IR-5"
-                  },
-                  {
-                    "href": "#ir-6",
-                    "rel": "related",
-                    "text": "IR-6"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#pe-14",
-                    "rel": "related",
-                    "text": "PE-14"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-18",
-                    "rel": "related",
-                    "text": "SC-18"
-                  },
-                  {
-                    "href": "#sc-19",
-                    "rel": "related",
-                    "text": "SC-19"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "au-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the types of inappropriate or unusual activity to look for when\n                     information system audit records are reviewed and analyzed;"
-                      },
-                      {
-                        "id": "au-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and analyze information system audit records\n                     for indications of organization-defined inappropriate or unusual activity;"
-                      },
-                      {
-                        "id": "au-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[3]"
-                          }
-                        ],
-                        "prose": "reviews and analyzes information system audit records for indications of\n                     organization-defined inappropriate or unusual activity with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom findings resulting from reviews and analysis\n                     of information system audit records are to be reported; and"
-                      },
-                      {
-                        "id": "au-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reports findings to organization-defined personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nreports of audit findings\\n\\nrecords of actions taken in response to reviews/analyses of audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit review, analysis, and reporting\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-8",
-            "class": "SP800-53",
-            "title": "Time Stamps",
-            "parameters": [
-              {
-                "id": "au-8_prm_1",
-                "label": "organization-defined granularity of time measurement"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-08"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-8_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Uses internal system clocks to generate time stamps for audit records; and"
-                  },
-                  {
-                    "id": "au-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Records time stamps for audit records that can be mapped to Coordinated Universal\n                  Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-8_gdn",
-                "name": "guidance",
-                "prose": "Time stamps generated by the information system include date and time. Time is\n               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of\n               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time\n               measurements refers to the degree of synchronization between information system\n               clocks and reference clocks, for example, clocks synchronizing within hundreds of\n               milliseconds or within tens of milliseconds. Organizations may define different time\n               granularities for different system components. Time service can also be critical to\n               other security capabilities such as access control and identification and\n               authentication, depending on the nature of the mechanisms used to support those\n               capabilities.",
-                "links": [
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  }
-                ]
-              },
-              {
-                "id": "au-8_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-8(a)"
-                      }
-                    ],
-                    "prose": "the information system uses internal system clocks to generate time stamps for\n                  audit records;"
-                  },
-                  {
-                    "id": "au-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[1]"
-                          }
-                        ],
-                        "prose": "the information system records time stamps for audit records that can be mapped\n                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"
-                      },
-                      {
-                        "id": "au-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the granularity of time measurement to be met when\n                     recording time stamps for audit records; and"
-                      },
-                      {
-                        "id": "au-8.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[3]"
-                          }
-                        ],
-                        "prose": "the organization records time stamps for audit records that meet the\n                     organization-defined granularity of time measurement."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing time stamp generation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-9",
-            "class": "SP800-53",
-            "title": "Protection of Audit Information",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-09"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-9_smt",
-                "name": "statement",
-                "prose": "The information system protects audit information and audit tools from unauthorized\n               access, modification, and deletion."
-              },
-              {
-                "id": "au-9_gdn",
-                "name": "guidance",
-                "prose": "Audit information includes all information (e.g., audit records, audit settings, and\n               audit reports) needed to successfully audit information system activity. This control\n               focuses on technical protection of audit information. Physical protection of audit\n               information is addressed by media protection controls and physical and environmental\n               protection controls.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-9_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "au-9_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-9[1]"
-                      }
-                    ],
-                    "prose": "the information system protects audit information from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "au-9_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][a]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "au-9_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][b]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      },
-                      {
-                        "id": "au-9_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][c]"
-                          }
-                        ],
-                        "prose": "deletion;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-9[2]"
-                      }
-                    ],
-                    "prose": "the information system protects audit tools from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "au-9_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][a]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "au-9_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][b]"
-                          }
-                        ],
-                        "prose": "modification; and"
-                      },
-                      {
-                        "id": "au-9_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][c]"
-                          }
-                        ],
-                        "prose": "deletion."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                  information system audit records\\n\\naudit tools\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing audit information protection"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-11",
-            "class": "SP800-53",
-            "title": "Audit Record Retention",
-            "parameters": [
-              {
-                "id": "au-11_prm_1",
-                "label": "organization-defined time period consistent with records retention policy"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-11"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-11_smt",
-                "name": "statement",
-                "prose": "The organization retains audit records for {{ au-11_prm_1 }} to\n               provide support for after-the-fact investigations of security incidents and to meet\n               regulatory and organizational information retention requirements."
-              },
-              {
-                "id": "au-11_gdn",
-                "name": "guidance",
-                "prose": "Organizations retain audit records until it is determined that they are no longer\n               needed for administrative, legal, audit, or other operational purposes. This\n               includes, for example, retention and availability of audit records relative to\n               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.\n               Organizations develop standard categories of audit records relative to such types of\n               actions and standard response processes for each type of action. The National\n               Archives and Records Administration (NARA) General Records Schedules provide federal\n               policy on record retention.",
-                "links": [
-                  {
-                    "href": "#au-4",
-                    "rel": "related",
-                    "text": "AU-4"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-11_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-11[1]"
-                      }
-                    ],
-                    "prose": "defines a time period to retain audit records that is consistent with records\n                  retention policy;"
-                  },
-                  {
-                    "id": "au-11_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-11[2]"
-                      }
-                    ],
-                    "prose": "retains audit records for the organization-defined time period consistent with\n                  records retention policy to:",
-                    "parts": [
-                      {
-                        "id": "au-11_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-11[2][a]"
-                          }
-                        ],
-                        "prose": "provide support for after-the-fact investigations of security incidents;\n                     and"
-                      },
-                      {
-                        "id": "au-11_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-11[2][b]"
-                          }
-                        ],
-                        "prose": "meet regulatory and organizational information retention requirements."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\naudit record retention policy and procedures\\n\\nsecurity plan\\n\\norganization-defined retention period for audit records\\n\\naudit record archives\\n\\naudit logs\\n\\naudit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit record retention responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - Loss of availability of the audit data has been determined as little or no\n                  impact to government business/mission needs."
-              }
-            ]
-          },
-          {
-            "id": "au-12",
-            "class": "SP800-53",
-            "title": "Audit Generation",
-            "parameters": [
-              {
-                "id": "au-12_prm_1",
-                "label": "organization-defined information system components"
-              },
-              {
-                "id": "au-12_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-12"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-12_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-12_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides audit record generation capability for the auditable events defined in\n                  AU-2 a. at {{ au-12_prm_1 }};"
-                  },
-                  {
-                    "id": "au-12_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Allows {{ au-12_prm_2 }} to select which auditable events are to be\n                  audited by specific components of the information system; and"
-                  },
-                  {
-                    "id": "au-12_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Generates audit records for the events defined in AU-2 d. with the content defined\n                  in AU-3."
-                  }
-                ]
-              },
-              {
-                "id": "au-12_gdn",
-                "name": "guidance",
-                "prose": "Audit records can be generated from many different information system components. The\n               list of audited events is the set of events for which audits are to be generated.\n               These events are typically a subset of all events for which the information system is\n               capable of generating audit records.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  }
-                ]
-              },
-              {
-                "id": "au-12_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-12.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-12.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-12(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the information system components which are to provide\n                     audit record generation capability for the auditable events defined in\n                     AU-2a;"
-                      },
-                      {
-                        "id": "au-12.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-12(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system provides audit record generation capability, for the\n                     auditable events defined in AU-2a, at organization-defined information system\n                     components;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-12.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-12(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the personnel or roles allowed to select which\n                     auditable events are to be audited by specific components of the information\n                     system;"
-                      },
-                      {
-                        "id": "au-12.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-12(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system allows the organization-defined personnel or roles to\n                     select which auditable events are to be audited by specific components of the\n                     system; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(c)"
-                      }
-                    ],
-                    "prose": "the information system generates audit records for the events defined in AU-2d\n                  with the content in defined in AU-3."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing audit record generation capability"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ca",
-        "class": "family",
-        "title": "Security Assessment and Authorization",
-        "controls": [
-          {
-            "id": "ca-1",
-            "class": "SP800-53",
-            "title": "Security Assessment and Authorization Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ca-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ca-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ca-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ca-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ca-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security assessment and authorization policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "ca-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security assessment and\n                     authorization policy and associated security assessment and authorization\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ca-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security assessment and authorization policy {{ ca-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "ca-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security assessment and authorization procedures {{ ca-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a security assessment and authorization policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "ca-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ca-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the security assessment and authorization\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "ca-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the security assessment and authorization policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        security assessment and authorization policy and associated assessment and\n                        authorization controls;"
-                          },
-                          {
-                            "id": "ca-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ca-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security assessment\n                        and authorization policy;"
-                          },
-                          {
-                            "id": "ca-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security assessment and authorization policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security assessment\n                        and authorization procedures; and"
-                          },
-                          {
-                            "id": "ca-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security assessment and authorization\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment and authorization\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-2",
-            "class": "SP800-53",
-            "title": "Security Assessments",
-            "parameters": [
-              {
-                "id": "ca-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_prm_2",
-                "label": "organization-defined individuals or roles",
-                "constraints": [
-                  {
-                    "detail": "individuals or roles to include FedRAMP PMO"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a security assessment plan that describes the scope of the assessment\n                  including:",
-                    "parts": [
-                      {
-                        "id": "ca-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security controls and control enhancements under assessment;"
-                      },
-                      {
-                        "id": "ca-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Assessment procedures to be used to determine security control effectiveness;\n                     and"
-                      },
-                      {
-                        "id": "ca-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Assessment environment, assessment team, and assessment roles and\n                     responsibilities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assesses the security controls in the information system and its environment of\n                  operation {{ ca-2_prm_1 }} to determine the extent to which the\n                  controls are implemented correctly, operating as intended, and producing the\n                  desired outcome with respect to meeting established security requirements;"
-                  },
-                  {
-                    "id": "ca-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Produces a security assessment report that documents the results of the\n                  assessment; and"
-                  },
-                  {
-                    "id": "ca-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Provides the results of the security control assessment to {{ ca-2_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations assess security controls in organizational information systems and the\n               environments in which those systems operate as part of: (i) initial and ongoing\n               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;\n               and (iv) system development life cycle activities. Security assessments: (i) ensure\n               that information security is built into organizational information systems; (ii)\n               identify weaknesses and deficiencies early in the development process; (iii) provide\n               essential information needed to make risk-based decisions as part of security\n               authorization processes; and (iv) ensure compliance to vulnerability mitigation\n               procedures. Assessments are conducted on the implemented security controls from\n               Appendix F (main catalog) and Appendix G (Program Management controls) as documented\n               in System Security Plans and Information Security Program Plans. Organizations can\n               use other types of assessment activities such as vulnerability scanning and system\n               monitoring to maintain the security posture of information systems during the entire\n               life cycle. Security assessment reports document assessment results in sufficient\n               detail as deemed necessary by organizations, to determine the accuracy and\n               completeness of the reports and whether the security controls are implemented\n               correctly, operating as intended, and producing the desired outcome with respect to\n               meeting security requirements. The FISMA requirement for assessing security controls\n               at least annually does not require additional assessment activities to those\n               activities already in place in organizational security authorization processes.\n               Security assessment results are provided to the individuals or roles appropriate for\n               the types of assessments being conducted. For example, assessments conducted in\n               support of security authorization decisions are provided to authorizing officials or\n               authorizing official designated representatives. To satisfy annual assessment\n               requirements, organizations can use assessment results from the following sources:\n               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;\n               or (iii) system development life cycle activities. Organizations ensure that security\n               assessment results are current, relevant to the determination of security control\n               effectiveness, and obtained with the appropriate level of assessor independence.\n               Existing security control assessment results can be reused to the extent that the\n               results are still valid and can also be supplemented with additional assessments as\n               needed. Subsequent to initial authorizations and in accordance with OMB policy,\n               organizations assess security controls during continuous monitoring. Organizations\n               establish the frequency for ongoing security control assessments in accordance with\n               organizational continuous monitoring strategies. Information Assurance Vulnerability\n               Alerts provide useful examples of vulnerability mitigation procedures. External\n               audits (e.g., audits by external entities such as regulatory agencies) are outside\n               the scope of this control.",
-                "links": [
-                  {
-                    "href": "#ca-5",
-                    "rel": "related",
-                    "text": "CA-5"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(a)"
-                      }
-                    ],
-                    "prose": "develops a security assessment plan that describes the scope of the assessment\n                  including:",
-                    "parts": [
-                      {
-                        "id": "ca-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(1)"
-                          }
-                        ],
-                        "prose": "security controls and control enhancements under assessment;"
-                      },
-                      {
-                        "id": "ca-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(2)"
-                          }
-                        ],
-                        "prose": "assessment procedures to be used to determine security control\n                     effectiveness;"
-                      },
-                      {
-                        "id": "ca-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-2.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "assessment environment;"
-                          },
-                          {
-                            "id": "ca-2.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "assessment team;"
-                          },
-                          {
-                            "id": "ca-2.a.3_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[3]"
-                              }
-                            ],
-                            "prose": "assessment roles and responsibilities;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to assess the security controls in the information system\n                     and its environment of operation;"
-                      },
-                      {
-                        "id": "ca-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "assesses the security controls in the information system with the\n                     organization-defined frequency to determine the extent to which the controls\n                     are implemented correctly, operating as intended, and producing the desired\n                     outcome with respect to meeting established security requirements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(c)"
-                      }
-                    ],
-                    "prose": "produces a security assessment report that documents the results of the\n                  assessment;"
-                  },
-                  {
-                    "id": "ca-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines individuals or roles to whom the results of the security control\n                     assessment are to be provided; and"
-                      },
-                      {
-                        "id": "ca-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(d)[2]"
-                          }
-                        ],
-                        "prose": "provides the results of the security control assessment to organization-defined\n                     individuals or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessment planning\\n\\nprocedures addressing security assessments\\n\\nsecurity assessment plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting security assessment, security assessment plan\n                  development, and/or security assessment reporting"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_fr",
-                "name": "item",
-                "title": "CA-2 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "ca-2_fr_gdn.1",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                     Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n               "
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Independent Assessors",
-                "parameters": [
-                  {
-                    "id": "ca-2.1_prm_1",
-                    "label": "organization-defined level of independence"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-02.01"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "ATTEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments."
-                  },
-                  {
-                    "id": "ca-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "Independent assessors or assessment teams are individuals or groups who conduct\n                  impartial assessments of organizational information systems. Impartiality implies\n                  that assessors are free from any perceived or actual conflicts of interest with\n                  regard to the development, operation, or management of the organizational\n                  information systems under assessment or to the determination of security control\n                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual\n                  or conflicting interest with the organizations where the assessments are being\n                  conducted; (ii) assess their own work; (iii) act as management or employees of the\n                  organizations they are serving; or (iv) place themselves in positions of advocacy\n                  for the organizations acquiring their services. Independent assessments can be\n                  obtained from elements within organizations or can be contracted to public or\n                  private sector entities outside of organizations. Authorizing officials determine\n                  the required level of independence based on the security categories of information\n                  systems and/or the ultimate risk to organizational operations, organizational\n                  assets, or individuals. Authorizing officials also determine if the level of\n                  assessor independence provides sufficient assurance that the results are sound and\n                  can be used to make credible, risk-based decisions. This includes determining\n                  whether contracted security assessment services have sufficient independence, for\n                  example, when information system owners are not directly involved in contracting\n                  processes or cannot unduly influence the impartiality of assessors conducting\n                  assessments. In special situations, for example, when organizations that own the\n                  information systems are small or organizational structures require that\n                  assessments are conducted by individuals that are in the developmental,\n                  operational, or management chain of system owners, independence in assessment\n                  processes can be achieved by ensuring that assessment results are carefully\n                  reviewed and analyzed by independent teams of experts to validate the\n                  completeness, accuracy, integrity, and reliability of the results. Organizations\n                  recognize that assessments performed for purposes other than direct support to\n                  authorization decisions are, when performed by assessors with sufficient\n                  independence, more likely to be useable for such decisions, thereby reducing the\n                  need to repeat assessments."
-                  },
-                  {
-                    "id": "ca-2.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-2.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(1)[1]"
-                          }
-                        ],
-                        "prose": "defines the level of independence to be employed to conduct security control\n                     assessments; and"
-                      },
-                      {
-                        "id": "ca-2.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(1)[2]"
-                          }
-                        ],
-                        "prose": "employs assessors or assessment teams with the organization-defined level of\n                     independence to conduct security control assessments."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity authorization package (including security plan, security assessment\n                     plan, security assessment report, plan of action and milestones, authorization\n                     statement)\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-3",
-            "class": "SP800-53",
-            "title": "System Interconnections",
-            "parameters": [
-              {
-                "id": "ca-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually and on input from FedRAMP"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#2711f068-734e-4afd-94ba-0b22247fbc88",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-47"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"
-                  },
-                  {
-                    "id": "ca-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents, for each interconnection, the interface characteristics, security\n                  requirements, and the nature of the information communicated; and"
-                  },
-                  {
-                    "id": "ca-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ca-3_gdn",
-                "name": "guidance",
-                "prose": "This control applies to dedicated connections between information systems (i.e.,\n               system interconnections) and does not apply to transitory, user-controlled\n               connections such as email and website browsing. Organizations carefully consider the\n               risks that may be introduced when information systems are connected to other systems\n               with different security requirements and security controls, both within organizations\n               and external to organizations. Authorizing officials determine the risk associated\n               with information system connections and the appropriate controls employed. If\n               interconnecting systems have the same authorizing official, organizations do not need\n               to develop Interconnection Security Agreements. Instead, organizations can describe\n               the interface characteristics between those interconnecting systems in their\n               respective security plans. If interconnecting systems have different authorizing\n               officials within the same organization, organizations can either develop\n               Interconnection Security Agreements or describe the interface characteristics between\n               systems in the security plans for the respective systems. Organizations may also\n               incorporate Interconnection Security Agreement information into formal contracts,\n               especially for interconnections established between federal agencies and nonfederal\n               (i.e., private sector) organizations. Risk considerations also include information\n               systems sharing the same networks. For certain technologies (e.g., space, unmanned\n               aerial vehicles, and medical devices), there may be specialized connections in place\n               during preoperational testing. Such connections may require Interconnection Security\n               Agreements and be subject to additional security controls.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#au-16",
-                    "rel": "related",
-                    "text": "AU-16"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-3(a)"
-                      }
-                    ],
-                    "prose": "authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"
-                  },
-                  {
-                    "id": "ca-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-3(b)"
-                      }
-                    ],
-                    "prose": "documents, for each interconnection:",
-                    "parts": [
-                      {
-                        "id": "ca-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[1]"
-                          }
-                        ],
-                        "prose": "the interface characteristics;"
-                      },
-                      {
-                        "id": "ca-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[2]"
-                          }
-                        ],
-                        "prose": "the security requirements;"
-                      },
-                      {
-                        "id": "ca-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[3]"
-                          }
-                        ],
-                        "prose": "the nature of the information communicated;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update Interconnection Security Agreements;\n                     and"
-                      },
-                      {
-                        "id": "ca-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates Interconnection Security Agreements with the\n                     organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system Interconnection Security Agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for developing, implementing, or\n                  approving information system interconnection agreements\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing the system(s) to which the Interconnection Security Agreement\n                  applies"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: There are connection(s) to external systems. Connections (if any) shall\n                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data\n                  is involved and its sensitivity. 3) Determine whether the connection is one-way or\n                  bi-directional. 4) Identify how the connection is secured."
-              }
-            ]
-          },
-          {
-            "id": "ca-5",
-            "class": "SP800-53",
-            "title": "Plan of Action and Milestones",
-            "parameters": [
-              {
-                "id": "ca-5_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#2c5884cd-7b96-425c-862a-99877e1cf909",
-                "rel": "reference",
-                "text": "OMB Memorandum 02-01"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a plan of action and milestones for the information system to document\n                  the organization’s planned remedial actions to correct weaknesses or deficiencies\n                  noted during the assessment of the security controls and to reduce or eliminate\n                  known vulnerabilities in the system; and"
-                  },
-                  {
-                    "id": "ca-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates existing plan of action and milestones {{ ca-5_prm_1 }}\n                  based on the findings from security controls assessments, security impact\n                  analyses, and continuous monitoring activities."
-                  }
-                ]
-              },
-              {
-                "id": "ca-5_gdn",
-                "name": "guidance",
-                "prose": "Plans of action and milestones are key documents in security authorization packages\n               and are subject to federal reporting requirements established by OMB.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#pm-4",
-                    "rel": "related",
-                    "text": "PM-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-5(a)"
-                      }
-                    ],
-                    "prose": "develops a plan of action and milestones for the information system to:",
-                    "parts": [
-                      {
-                        "id": "ca-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "document the organization’s planned remedial actions to correct weaknesses or\n                     deficiencies noted during the assessment of the security controls;"
-                      },
-                      {
-                        "id": "ca-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "reduce or eliminate known vulnerabilities in the system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the existing plan of action and milestones;"
-                      },
-                      {
-                        "id": "ca-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(b)[2]"
-                          }
-                        ],
-                        "prose": "updates the existing plan of action and milestones with the\n                     organization-defined frequency based on the findings from:",
-                        "parts": [
-                          {
-                            "id": "ca-5.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][a]"
-                              }
-                            ],
-                            "prose": "security controls assessments;"
-                          },
-                          {
-                            "id": "ca-5.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][b]"
-                              }
-                            ],
-                            "prose": "security impact analyses; and"
-                          },
-                          {
-                            "id": "ca-5.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][c]"
-                              }
-                            ],
-                            "prose": "continuous monitoring activities."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing plan of action and milestones\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with plan of action and milestones development and\n                  implementation responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms for developing, implementing, and maintaining plan of action\n                  and milestones"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring\n                  Requirements."
-              }
-            ]
-          },
-          {
-            "id": "ca-6",
-            "class": "SP800-53",
-            "title": "Security Authorization",
-            "parameters": [
-              {
-                "id": "ca-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three years or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-06"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab",
-                "rel": "reference",
-                "text": "OMB Circular A-130"
-              },
-              {
-                "href": "#bedb15b7-ec5c-4a68-807f-385125751fcd",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-33"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"
-                  },
-                  {
-                    "id": "ca-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations; and"
-                  },
-                  {
-                    "id": "ca-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Updates the security authorization {{ ca-6_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_gdn",
-                "name": "guidance",
-                "prose": "Security authorizations are official management decisions, conveyed through\n               authorization decision documents, by senior organizational officials or executives\n               (i.e., authorizing officials) to authorize operation of information systems and to\n               explicitly accept the risk to organizational operations and assets, individuals,\n               other organizations, and the Nation based on the implementation of agreed-upon\n               security controls. Authorizing officials provide budgetary oversight for\n               organizational information systems or assume responsibility for the mission/business\n               operations supported by those systems. The security authorization process is an\n               inherently federal responsibility and therefore, authorizing officials must be\n               federal employees. Through the security authorization process, authorizing officials\n               assume responsibility and are accountable for security risks associated with the\n               operation and use of organizational information systems. Accordingly, authorizing\n               officials are in positions with levels of authority commensurate with understanding\n               and accepting such information security-related risks. OMB policy requires that\n               organizations conduct ongoing authorizations of information systems by implementing\n               continuous monitoring programs. Continuous monitoring programs can satisfy three-year\n               reauthorization requirements, so separate reauthorization processes are not\n               necessary. Through the employment of comprehensive continuous monitoring processes,\n               critical information contained in authorization packages (i.e., security plans,\n               security assessment reports, and plans of action and milestones) is updated on an\n               ongoing basis, providing authorizing officials and information system owners with an\n               up-to-date status of the security state of organizational information systems and\n               environments of operation. To reduce the administrative cost of security\n               reauthorization, authorizing officials use the results of continuous monitoring\n               processes to the maximum extent possible as the basis for rendering reauthorization\n               decisions.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#pm-10",
-                    "rel": "related",
-                    "text": "PM-10"
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-6(a)"
-                      }
-                    ],
-                    "prose": "assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"
-                  },
-                  {
-                    "id": "ca-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-6(b)"
-                      }
-                    ],
-                    "prose": "ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations;"
-                  },
-                  {
-                    "id": "ca-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-6(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the security authorization; and"
-                      },
-                      {
-                        "id": "ca-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-6(c)[2]"
-                          }
-                        ],
-                        "prose": "updates the security authorization with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security authorization\\n\\nsecurity authorization package (including security plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\nauthorization statement)\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security authorization responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms that facilitate security authorizations and updates"
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_fr",
-                "name": "item",
-                "title": "CA-6(c) Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "ca-6_fr_gdn.1",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1,\n                     Appendix F. The service provider describes the types of changes to the\n                     information system or the environment of operations that would impact the risk\n                     posture. The types of changes are approved and accepted by the Authorizing\n                     Official."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-7",
-            "class": "SP800-53",
-            "title": "Continuous Monitoring",
-            "parameters": [
-              {
-                "id": "ca-7_prm_1",
-                "label": "organization-defined metrics"
-              },
-              {
-                "id": "ca-7_prm_2",
-                "label": "organization-defined frequencies"
-              },
-              {
-                "id": "ca-7_prm_3",
-                "label": "organization-defined frequencies"
-              },
-              {
-                "id": "ca-7_prm_4",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_prm_5",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-07"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bedb15b7-ec5c-4a68-807f-385125751fcd",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-33"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              },
-              {
-                "href": "#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb",
-                "rel": "reference",
-                "text": "US-CERT Technical Cyber Security Alerts"
-              },
-              {
-                "href": "#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b",
-                "rel": "reference",
-                "text": "DoD Information Assurance Vulnerability Alerts"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-7_smt",
-                "name": "statement",
-                "prose": "The organization develops a continuous monitoring strategy and implements a\n               continuous monitoring program that includes:",
-                "parts": [
-                  {
-                    "id": "ca-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishment of {{ ca-7_prm_1 }} to be monitored;"
-                  },
-                  {
-                    "id": "ca-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;"
-                  },
-                  {
-                    "id": "ca-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ongoing security control assessments in accordance with the organizational\n                  continuous monitoring strategy;"
-                  },
-                  {
-                    "id": "ca-7_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Ongoing security status monitoring of organization-defined metrics in accordance\n                  with the organizational continuous monitoring strategy;"
-                  },
-                  {
-                    "id": "ca-7_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Correlation and analysis of security-related information generated by assessments\n                  and monitoring;"
-                  },
-                  {
-                    "id": "ca-7_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Response actions to address results of the analysis of security-related\n                  information; and"
-                  },
-                  {
-                    "id": "ca-7_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Reporting the security status of organization and the information system to\n                     {{ ca-7_prm_4 }}\n                  {{ ca-7_prm_5 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_gdn",
-                "name": "guidance",
-                "prose": "Continuous monitoring programs facilitate ongoing awareness of threats,\n               vulnerabilities, and information security to support organizational risk management\n               decisions. The terms continuous and ongoing imply that organizations assess/analyze\n               security controls and information security-related risks at a frequency sufficient to\n               support organizational risk-based decisions. The results of continuous monitoring\n               programs generate appropriate risk response actions by organizations. Continuous\n               monitoring programs also allow organizations to maintain the security authorizations\n               of information systems and common controls over time in highly dynamic environments\n               of operation with changing mission/business needs, threats, vulnerabilities, and\n               technologies. Having access to security-related information on a continuing basis\n               through reports/dashboards gives organizational officials the capability to make more\n               effective and timely risk management decisions, including ongoing security\n               authorization decisions. Automation supports more frequent updates to security\n               authorization packages, hardware/software/firmware inventories, and other system\n               information. Effectiveness is further enhanced when continuous monitoring outputs are\n               formatted to provide information that is specific, measurable, actionable, relevant,\n               and timely. Continuous monitoring activities are scaled in accordance with the\n               security categories of information systems.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-5",
-                    "rel": "related",
-                    "text": "CA-5"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#pm-6",
-                    "rel": "related",
-                    "text": "PM-6"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ca-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines metrics to be\n                     monitored;"
-                      },
-                      {
-                        "id": "ca-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[2]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes monitoring of\n                     organization-defined metrics;"
-                      },
-                      {
-                        "id": "ca-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[3]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes monitoring of\n                     organization-defined metrics in accordance with the organizational continuous\n                     monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines frequencies for\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[2]"
-                          }
-                        ],
-                        "prose": "defines frequencies for assessments supporting monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[3]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes establishment of the\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[4]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes establishment of\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     such monitoring in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(c)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes ongoing security\n                     control assessments;"
-                      },
-                      {
-                        "id": "ca-7.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(c)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes ongoing security\n                     control assessments in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(d)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes ongoing security status\n                     monitoring of organization-defined metrics;"
-                      },
-                      {
-                        "id": "ca-7.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(d)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes ongoing security\n                     status monitoring of organization-defined metrics in accordance with the\n                     organizational continuous monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(e)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(e)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(f)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes response actions to\n                     address results of the analysis of security-related information;"
-                      },
-                      {
-                        "id": "ca-7.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(f)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes response actions to\n                     address results of the analysis of security-related information in accordance\n                     with the organizational continuous monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines the personnel or roles\n                     to whom the security status of the organization and information system are to\n                     be reported;"
-                      },
-                      {
-                        "id": "ca-7.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[2]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines the frequency to report\n                     the security status of the organization and information system to\n                     organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "ca-7.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[3]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes reporting the security\n                     status of the organization or information system to organizational-defined\n                     personnel or roles with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "ca-7.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[4]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes reporting the security\n                     status of the organization and information system to organization-defined\n                     personnel or roles with the organization-defined frequency in accordance with\n                     the organizational continuous monitoring strategy."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                  controls\\n\\nprocedures addressing configuration management\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nconfiguration management records, security impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Mechanisms implementing continuous monitoring"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_fr",
-                "name": "item",
-                "title": "CA-7 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "ca-7_fr_gdn.1",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "CSPs must provide evidence of closure and remediation of high vulnerabilities\n                     within the timeframe for standard POA&M updates."
-                  },
-                  {
-                    "id": "ca-7_fr_gdn.2",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                     Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n               "
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-9",
-            "class": "SP800-53",
-            "title": "Internal System Connections",
-            "parameters": [
-              {
-                "id": "ca-9_prm_1",
-                "label": "organization-defined information system components or classes of\n               components"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-09"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Authorizes internal connections of {{ ca-9_prm_1 }} to the\n                  information system; and"
-                  },
-                  {
-                    "id": "ca-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents, for each internal connection, the interface characteristics, security\n                  requirements, and the nature of the information communicated."
-                  }
-                ]
-              },
-              {
-                "id": "ca-9_gdn",
-                "name": "guidance",
-                "prose": "This control applies to connections between organizational information systems and\n               (separate) constituent system components (i.e., intra-system connections) including,\n               for example, system connections with mobile devices, notebook/desktop computers,\n               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of\n               authorizing each individual internal connection, organizations can authorize internal\n               connections for a class of components with common characteristics and/or\n               configurations, for example, all digital printers, scanners, and copiers with a\n               specified processing, storage, and transmission capability or all smart phones with a\n               specific baseline configuration.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components or classes of components to be authorized\n                     as internal connections to the information system;"
-                      },
-                      {
-                        "id": "ca-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(a)[2]"
-                          }
-                        ],
-                        "prose": "authorizes internal connections of organization-defined information system\n                     components or classes of components to the information system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-9(b)"
-                      }
-                    ],
-                    "prose": "documents, for each internal connection:",
-                    "parts": [
-                      {
-                        "id": "ca-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[1]"
-                          }
-                        ],
-                        "prose": "the interface characteristics;"
-                      },
-                      {
-                        "id": "ca-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[2]"
-                          }
-                        ],
-                        "prose": "the security requirements; and"
-                      },
-                      {
-                        "id": "ca-9.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[3]"
-                          }
-                        ],
-                        "prose": "the nature of the information communicated."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of components or classes of components authorized as internal system\n                  connections\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for developing, implementing, or\n                  authorizing internal system connections\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: There are connection(s) to external systems. Connections (if any) shall\n                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data\n                  is involved and its sensitivity. 3) Determine whether the connection is one-way or\n                  bi-directional. 4) Identify how the connection is secured."
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "cm",
-        "class": "family",
-        "title": "Configuration Management",
-        "controls": [
-          {
-            "id": "cm-1",
-            "class": "SP800-53",
-            "title": "Configuration Management Policy and Procedures",
-            "parameters": [
-              {
-                "id": "cm-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cm-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "cm-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ cm-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "cm-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A configuration management policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "cm-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the configuration management\n                     policy and associated configuration management controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "cm-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Configuration management policy {{ cm-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cm-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Configuration management procedures {{ cm-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CM\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a configuration management policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "cm-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the configuration management policy is to\n                        be disseminated;"
-                          },
-                          {
-                            "id": "cm-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the configuration management policy to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        configuration management policy and associated configuration management\n                        controls;"
-                          },
-                          {
-                            "id": "cm-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "cm-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current configuration\n                        management policy;"
-                          },
-                          {
-                            "id": "cm-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current configuration management policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current configuration\n                        management procedures; and"
-                          },
-                          {
-                            "id": "cm-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current configuration management procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-2",
-            "class": "SP800-53",
-            "title": "Baseline Configuration",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-2_smt",
-                "name": "statement",
-                "prose": "The organization develops, documents, and maintains under configuration control, a\n               current baseline configuration of the information system."
-              },
-              {
-                "id": "cm-2_gdn",
-                "name": "guidance",
-                "prose": "This control establishes baseline configurations for information systems and system\n               components including communications and connectivity-related aspects of systems.\n               Baseline configurations are documented, formally reviewed and agreed-upon sets of\n               specifications for information systems or configuration items within those systems.\n               Baseline configurations serve as a basis for future builds, releases, and/or changes\n               to information systems. Baseline configurations include information about information\n               system components (e.g., standard software packages installed on workstations,\n               notebook computers, servers, network components, or mobile devices; current version\n               numbers and patch information on operating systems and applications; and\n               configuration settings/parameters), network topology, and the logical placement of\n               those components within the system architecture. Maintaining baseline configurations\n               requires creating new baselines as organizational information systems change over\n               time. Baseline configurations of information systems reflect the current enterprise\n               architecture.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#pm-5",
-                    "rel": "related",
-                    "text": "PM-5"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-2_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-2[1]"
-                      }
-                    ],
-                    "prose": "develops and documents a current baseline configuration of the information system;\n                  and"
-                  },
-                  {
-                    "id": "cm-2_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-2[2]"
-                      }
-                    ],
-                    "prose": "maintains, under configuration control, a current baseline configuration of the\n                  information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\nenterprise architecture documentation\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting configuration control of the baseline\n                  configuration"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-4",
-            "class": "SP800-53",
-            "title": "Security Impact Analysis",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-4_smt",
-                "name": "statement",
-                "prose": "The organization analyzes changes to the information system to determine potential\n               security impacts prior to change implementation."
-              },
-              {
-                "id": "cm-4_gdn",
-                "name": "guidance",
-                "prose": "Organizational personnel with information security responsibilities (e.g.,\n               Information System Administrators, Information System Security Officers, Information\n               System Security Managers, and Information System Security Engineers) conduct security\n               impact analyses. Individuals conducting security impact analyses possess the\n               necessary skills/technical expertise to analyze the changes to information systems\n               and the associated security ramifications. Security impact analysis may include, for\n               example, reviewing security plans to understand security control requirements and\n               reviewing system design documentation to understand control implementation and how\n               specific changes might affect the controls. Security impact analyses may also include\n               assessments of risk to better understand the impact of the changes and to determine\n               if additional security controls are required. Security impact analyses are scaled in\n               accordance with the security categories of the information systems.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "cm-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization analyzes changes to the information system to determine\n               potential security impacts prior to change implementation."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for conducting security impact\n                  analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security impact analysis"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-6",
-            "class": "SP800-53",
-            "title": "Configuration Settings",
-            "parameters": [
-              {
-                "id": "cm-6_prm_1",
-                "label": "organization-defined security configuration checklists",
-                "constraints": [
-                  {
-                    "detail": "see CM-6(a) Additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_prm_2",
-                "label": "organization-defined information system components"
-              },
-              {
-                "id": "cm-6_prm_3",
-                "label": "organization-defined operational requirements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-06"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#990268bf-f4a9-4c81-91ae-dc7d3115f4b1",
-                "rel": "reference",
-                "text": "OMB Memorandum 07-11"
-              },
-              {
-                "href": "#0b3d8ba9-051f-498d-81ea-97f0f018c612",
-                "rel": "reference",
-                "text": "OMB Memorandum 07-18"
-              },
-              {
-                "href": "#0916ef02-3618-411b-a525-565c088849a6",
-                "rel": "reference",
-                "text": "OMB Memorandum 08-22"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              },
-              {
-                "href": "#e95dd121-2733-413e-bf1e-f1eb49f20a98",
-                "rel": "reference",
-                "text": "http://checklists.nist.gov"
-              },
-              {
-                "href": "#647b6de3-81d0-4d22-bec1-5f1333e34380",
-                "rel": "reference",
-                "text": "http://www.nsa.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and documents configuration settings for information technology\n                  products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with\n                  operational requirements;"
-                  },
-                  {
-                    "id": "cm-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Implements the configuration settings;"
-                  },
-                  {
-                    "id": "cm-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Identifies, documents, and approves any deviations from established configuration\n                  settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"
-                  },
-                  {
-                    "id": "cm-6_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Monitors and controls changes to the configuration settings in accordance with\n                  organizational policies and procedures."
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_gdn",
-                "name": "guidance",
-                "prose": "Configuration settings are the set of parameters that can be changed in hardware,\n               software, or firmware components of the information system that affect the security\n               posture and/or functionality of the system. Information technology products for which\n               security-related configuration settings can be defined include, for example,\n               mainframe computers, servers (e.g., database, electronic mail, authentication, web,\n               proxy, file, domain name), workstations, input/output devices (e.g., scanners,\n               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice\n               and data switches, wireless access points, network appliances, sensors), operating\n               systems, middleware, and applications. Security-related parameters are those\n               parameters impacting the security state of information systems including the\n               parameters required to satisfy other security control requirements. Security-related\n               parameters include, for example: (i) registry settings; (ii) account, file, directory\n               permission settings; and (iii) settings for functions, ports, protocols, services,\n               and remote connections. Organizations establish organization-wide configuration\n               settings and subsequently derive specific settings for information systems. The\n               established settings become part of the systems configuration baseline. Common secure\n               configurations (also referred to as security configuration checklists, lockdown and\n               hardening guides, security reference guides, security technical implementation\n               guides) provide recognized, standardized, and established benchmarks that stipulate\n               secure configuration settings for specific information technology platforms/products\n               and instructions for configuring those information system components to meet\n               operational requirements. Common secure configurations can be developed by a variety\n               of organizations including, for example, information technology product developers,\n               manufacturers, vendors, consortia, academia, industry, federal agencies, and other\n               organizations in the public and private sectors. Common secure configurations include\n               the United States Government Configuration Baseline (USGCB) which affects the\n               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security\n               Content Automation Protocol (SCAP) and the defined standards within the protocol\n               (e.g., Common Configuration Enumeration) provide an effective method to uniquely\n               identify, track, and control configuration settings. OMB establishes federal policy\n               on configuration requirements for federal information systems.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security configuration checklists to be used to establish and document\n                     configuration settings for the information technology products employed;"
-                      },
-                      {
-                        "id": "cm-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[2]"
-                          }
-                        ],
-                        "prose": "ensures the defined security configuration checklists reflect the most\n                     restrictive mode consistent with operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[3]"
-                          }
-                        ],
-                        "prose": "establishes and documents configuration settings for information technology\n                     products employed within the information system using organization-defined\n                     security configuration checklists;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(b)"
-                      }
-                    ],
-                    "prose": "implements the configuration settings established/documented in CM-6(a);;"
-                  },
-                  {
-                    "id": "cm-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components for which any deviations from established\n                     configuration settings must be:",
-                        "parts": [
-                          {
-                            "id": "cm-6.c_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][a]"
-                              }
-                            ],
-                            "prose": "identified;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][b]"
-                              }
-                            ],
-                            "prose": "documented;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][c]"
-                              }
-                            ],
-                            "prose": "approved;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[2]"
-                          }
-                        ],
-                        "prose": "defines operational requirements to support:",
-                        "parts": [
-                          {
-                            "id": "cm-6.c_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][a]"
-                              }
-                            ],
-                            "prose": "the identification of any deviations from established configuration\n                        settings;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][b]"
-                              }
-                            ],
-                            "prose": "the documentation of any deviations from established configuration\n                        settings;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][c]"
-                              }
-                            ],
-                            "prose": "the approval of any deviations from established configuration settings;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[3]"
-                          }
-                        ],
-                        "prose": "identifies any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[4]"
-                          }
-                        ],
-                        "prose": "documents any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.c_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[5]"
-                          }
-                        ],
-                        "prose": "approves any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(d)[1]"
-                          }
-                        ],
-                        "prose": "monitors changes to the configuration settings in accordance with\n                     organizational policies and procedures; and"
-                      },
-                      {
-                        "id": "cm-6.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-6(d)[2]"
-                          }
-                        ],
-                        "prose": "controls changes to the configuration settings in accordance with\n                     organizational policies and procedures."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nevidence supporting approved deviations from established configuration\n                  settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing configuration settings\\n\\nautomated mechanisms that implement, monitor, and/or control information system\n                  configuration settings\\n\\nautomated mechanisms that identify and/or document deviations from established\n                  configuration settings"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Required - Specifically include details of least functionality."
-              },
-              {
-                "id": "cm-6_fr",
-                "name": "item",
-                "title": "CM-6(a) Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "cm-6_fr_smt.1",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Requirement 1:"
-                      }
-                    ],
-                    "prose": "The service provider shall use the Center for Internet Security guidelines\n                     (Level 1) to establish configuration settings or establishes its own\n                     configuration settings if USGCB is not available. "
-                  },
-                  {
-                    "id": "cm-6_fr_smt.2",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Requirement 2:"
-                      }
-                    ],
-                    "prose": "The service provider shall ensure that checklists for configuration settings\n                     are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP\n                     compatible (if validated checklists are not available)."
-                  },
-                  {
-                    "id": "cm-6_fr_gdn.1",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-7",
-            "class": "SP800-53",
-            "title": "Least Functionality",
-            "parameters": [
-              {
-                "id": "cm-7_prm_1",
-                "label": "organization-defined prohibited or restricted functions, ports, protocols, and/or\n               services"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-07"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e42b2099-3e1c-415b-952c-61c96533c12e",
-                "rel": "reference",
-                "text": "DoD Instruction 8551.01"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Configures the information system to provide only essential capabilities; and"
-                  },
-                  {
-                    "id": "cm-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Prohibits or restricts the use of the following functions, ports, protocols,\n                  and/or services: {{ cm-7_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "cm-7_gdn",
-                "name": "guidance",
-                "prose": "Information systems can provide a wide variety of functions and services. Some of the\n               functions and services, provided by default, may not be necessary to support\n               essential organizational operations (e.g., key missions, functions). Additionally, it\n               is sometimes convenient to provide multiple services from single information system\n               components, but doing so increases risk over limiting the services provided by any\n               one component. Where feasible, organizations limit component functionality to a\n               single function per device (e.g., email servers or web servers, but not both).\n               Organizations review functions and services provided by information systems or\n               individual components of information systems, to determine which functions and\n               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant\n               Messaging, auto-execute, and file sharing). Organizations consider disabling unused\n               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File\n               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to\n               prevent unauthorized connection of devices, unauthorized transfer of information, or\n               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion\n               detection and prevention systems, and end-point protections such as firewalls and\n               host-based intrusion detection systems to identify and prevent the use of prohibited\n               functions, ports, protocols, and services.",
-                "links": [
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-7(a)"
-                      }
-                    ],
-                    "prose": "configures the information system to provide only essential capabilities;"
-                  },
-                  {
-                    "id": "cm-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-7(b)[1]"
-                          }
-                        ],
-                        "prose": "defines prohibited or restricted:",
-                        "parts": [
-                          {
-                            "id": "cm-7.b_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][a]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][b]"
-                              }
-                            ],
-                            "prose": "ports;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][c]"
-                              }
-                            ],
-                            "prose": "protocols; and/or"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][d]"
-                              }
-                            ],
-                            "prose": "services;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-7(b)[2]"
-                          }
-                        ],
-                        "prose": "prohibits or restricts the use of organization-defined:",
-                        "parts": [
-                          {
-                            "id": "cm-7.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][a]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][b]"
-                              }
-                            ],
-                            "prose": "ports;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][c]"
-                              }
-                            ],
-                            "prose": "protocols; and/or"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][d]"
-                              }
-                            ],
-                            "prose": "services."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing least functionality in the information system\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes prohibiting or restricting functions, ports, protocols,\n                  and/or services\\n\\nautomated mechanisms implementing restrictions or prohibition of functions, ports,\n                  protocols, and/or services"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-8",
-            "class": "SP800-53",
-            "title": "Information System Component Inventory",
-            "parameters": [
-              {
-                "id": "cm-8_prm_1",
-                "label": "organization-defined information deemed necessary to achieve effective\n               information system component accountability"
-              },
-              {
-                "id": "cm-8_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-08"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops and documents an inventory of information system components that:",
-                    "parts": [
-                      {
-                        "id": "cm-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Accurately reflects the current information system;"
-                      },
-                      {
-                        "id": "cm-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Includes all components within the authorization boundary of the information\n                     system;"
-                      },
-                      {
-                        "id": "cm-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Is at the level of granularity deemed necessary for tracking and reporting;\n                     and"
-                      },
-                      {
-                        "id": "cm-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Includes {{ cm-8_prm_1 }}; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the information system component inventory {{ cm-8_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_gdn",
-                "name": "guidance",
-                "prose": "Organizations may choose to implement centralized information system component\n               inventories that include components from all organizational information systems. In\n               such situations, organizations ensure that the resulting inventories include\n               system-specific information required for proper component accountability (e.g.,\n               information system association, information system owner). Information deemed\n               necessary for effective accountability of information system components includes, for\n               example, hardware inventory specifications, software license information, software\n               version numbers, component owners, and for networked components or devices, machine\n               names and network addresses. Inventory specifications include, for example,\n               manufacturer, device type, model, serial number, and physical location.",
-                "links": [
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pm-5",
-                    "rel": "related",
-                    "text": "PM-5"
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(1)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that\n                     accurately reflects the current information system;"
-                      },
-                      {
-                        "id": "cm-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(2)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that\n                     includes all components within the authorization boundary of the information\n                     system;"
-                      },
-                      {
-                        "id": "cm-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(3)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that is at\n                     the level of granularity deemed necessary for tracking and reporting;"
-                      },
-                      {
-                        "id": "cm-8.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(4)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-8.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-8(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "defines the information deemed necessary to achieve effective information\n                        system component accountability;"
-                          },
-                          {
-                            "id": "cm-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-8(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "develops and documents an inventory of information system components that\n                        includes organization-defined information deemed necessary to achieve\n                        effective information system component accountability;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the information system component\n                     inventory; and"
-                      },
-                      {
-                        "id": "cm-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the information system component inventory with the\n                     organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system component\n                  inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for developing and documenting an inventory of\n                  information system components\\n\\nautomated mechanisms supporting and/or implementing the information system\n                  component inventory"
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_fr",
-                "name": "item",
-                "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "cm-8_fr_smt.1",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Requirement:"
-                      }
-                    ],
-                    "prose": "Must be provided at least monthly or when there is a change."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-10",
-            "class": "SP800-53",
-            "title": "Software Usage Restrictions",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-10"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-10_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-10_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"
-                  },
-                  {
-                    "id": "cm-10_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"
-                  },
-                  {
-                    "id": "cm-10_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."
-                  }
-                ]
-              },
-              {
-                "id": "cm-10_gdn",
-                "name": "guidance",
-                "prose": "Software license tracking can be accomplished by manual methods (e.g., simple\n               spreadsheets) or automated methods (e.g., specialized tracking applications)\n               depending on organizational needs.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-10.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-10(a)"
-                      }
-                    ],
-                    "prose": "uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"
-                  },
-                  {
-                    "id": "cm-10.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-10(b)"
-                      }
-                    ],
-                    "prose": "tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"
-                  },
-                  {
-                    "id": "cm-10.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-10(c)"
-                      }
-                    ],
-                    "prose": "controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing software usage restrictions\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nsoftware contract agreements and copyright laws\\n\\nsite license documentation\\n\\nlist of software usage restrictions\\n\\nsoftware license tracking reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel with software license management responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for tracking the use of software protected by quantity\n                  licenses\\n\\norganization process for controlling/documenting the use of peer-to-peer file\n                  sharing technology\\n\\nautomated mechanisms implementing software license tracking\\n\\nautomated mechanisms implementing and controlling the use of peer-to-peer files\n                  sharing technology"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO- Not directly related to protection of the data."
-              }
-            ]
-          },
-          {
-            "id": "cm-11",
-            "class": "SP800-53",
-            "title": "User-installed Software",
-            "parameters": [
-              {
-                "id": "cm-11_prm_1",
-                "label": "organization-defined policies"
-              },
-              {
-                "id": "cm-11_prm_2",
-                "label": "organization-defined methods"
-              },
-              {
-                "id": "cm-11_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-11"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-11_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes {{ cm-11_prm_1 }} governing the installation of\n                  software by users;"
-                  },
-                  {
-                    "id": "cm-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Enforces software installation policies through {{ cm-11_prm_2 }};\n                  and"
-                  },
-                  {
-                    "id": "cm-11_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Monitors policy compliance at {{ cm-11_prm_3 }}."
-                  }
-                ]
-              },
-              {
-                "id": "cm-11_gdn",
-                "name": "guidance",
-                "prose": "If provided the necessary privileges, users have the ability to install software in\n               organizational information systems. To maintain control over the types of software\n               installed, organizations identify permitted and prohibited actions regarding software\n               installation. Permitted software installations may include, for example, updates and\n               security patches to existing software and downloading applications from\n               organization-approved “app stores” Prohibited software installations may include, for\n               example, software with unknown or suspect pedigrees or software that organizations\n               consider potentially malicious. The policies organizations select governing\n               user-installed software may be organization-developed or provided by some external\n               entity. Policy enforcement methods include procedural methods (e.g., periodic\n               examination of user accounts), automated methods (e.g., configuration settings\n               implemented on organizational information systems), or both.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "cm-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-11(a)[1]"
-                          }
-                        ],
-                        "prose": "defines policies to govern the installation of software by users;"
-                      },
-                      {
-                        "id": "cm-11.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-11(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes organization-defined policies governing the installation of\n                     software by users;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-11(b)[1]"
-                          }
-                        ],
-                        "prose": "defines methods to enforce software installation policies;"
-                      },
-                      {
-                        "id": "cm-11.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-11(b)[2]"
-                          }
-                        ],
-                        "prose": "enforces software installation policies through organization-defined\n                     methods;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-11(c)[1]"
-                          }
-                        ],
-                        "prose": "defines frequency to monitor policy compliance; and"
-                      },
-                      {
-                        "id": "cm-11.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-11(c)[2]"
-                          }
-                        ],
-                        "prose": "monitors policy compliance at organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of rules governing user installed software\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records\\n\\ncontinuous monitoring strategy"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for governing user-installed\n                  software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel monitoring compliance with user-installed software\n                  policy\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes governing user-installed software on the information\n                  system\\n\\nautomated mechanisms enforcing rules/methods for governing the installation of\n                  software by users\\n\\nautomated mechanisms monitoring policy compliance"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - Boundary is specific to SaaS environment; all access is via web services;\n                  users' machine or internal network are not contemplated. External services (SA-9),\n                  internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and\n                  SC-13), and privileged authentication (IA-2[1]) are considerations."
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "cp",
-        "class": "family",
-        "title": "Contingency Planning",
-        "controls": [
-          {
-            "id": "cp-1",
-            "class": "SP800-53",
-            "title": "Contingency Planning Policy and Procedures",
-            "parameters": [
-              {
-                "id": "cp-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cp-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "cp-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ cp-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "cp-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A contingency planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "cp-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the contingency planning policy\n                     and associated contingency planning controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "cp-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Contingency planning policy {{ cp-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cp-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Contingency planning procedures {{ cp-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "cp-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization develops and documents a contingency planning policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "cp-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cp-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines personnel or roles to whom the contingency planning\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "cp-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "the organization disseminates the contingency planning policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "the organization develops and documents procedures to facilitate the\n                        implementation of the contingency planning policy and associated contingency\n                        planning controls;"
-                          },
-                          {
-                            "id": "cp-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "cp-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "the organization disseminates the procedures to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to review and update the current\n                        contingency planning policy;"
-                          },
-                          {
-                            "id": "cp-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "the organization reviews and updates the current contingency planning with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to review and update the current\n                        contingency planning procedures; and"
-                          },
-                          {
-                            "id": "cp-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "the organization reviews and updates the current contingency planning\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-2",
-            "class": "SP800-53",
-            "title": "Contingency Plan",
-            "parameters": [
-              {
-                "id": "cp-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cp-2_prm_2",
-                "label": "organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"
-              },
-              {
-                "id": "cp-2_prm_3",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "cp-2_prm_4",
-                "label": "organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a contingency plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "cp-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Identifies essential missions and business functions and associated contingency\n                     requirements;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Provides recovery objectives, restoration priorities, and metrics;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Addresses contingency roles, responsibilities, assigned individuals with\n                     contact information;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented; and"
-                      },
-                      {
-                        "id": "cp-2_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by {{ cp-2_prm_1 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the contingency plan to {{ cp-2_prm_2 }};"
-                  },
-                  {
-                    "id": "cp-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Coordinates contingency planning activities with incident handling activities;"
-                  },
-                  {
-                    "id": "cp-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Reviews the contingency plan for the information system {{ cp-2_prm_3 }};"
-                  },
-                  {
-                    "id": "cp-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Updates the contingency plan to address changes to the organization, information\n                  system, or environment of operation and problems encountered during contingency\n                  plan implementation, execution, or testing;"
-                  },
-                  {
-                    "id": "cp-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Communicates contingency plan changes to {{ cp-2_prm_4 }}; and"
-                  },
-                  {
-                    "id": "cp-2_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Protects the contingency plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_gdn",
-                "name": "guidance",
-                "prose": "Contingency planning for information systems is part of an overall organizational\n               program for achieving continuity of operations for mission/business functions.\n               Contingency planning addresses both information system restoration and implementation\n               of alternative mission/business processes when systems are compromised. The\n               effectiveness of contingency planning is maximized by considering such planning\n               throughout the phases of the system development life cycle. Performing contingency\n               planning on hardware, software, and firmware development can be an effective means of\n               achieving information system resiliency. Contingency plans reflect the degree of\n               restoration required for organizational information systems since not all systems may\n               need to fully recover to achieve the level of continuity of operations desired.\n               Information system recovery objectives reflect applicable laws, Executive Orders,\n               directives, policies, standards, regulations, and guidelines. In addition to\n               information system availability, contingency plans also address other\n               security-related events resulting in a reduction in mission and/or business\n               effectiveness, such as malicious attacks compromising the confidentiality or\n               integrity of information systems. Actions addressed in contingency plans include, for\n               example, orderly/graceful degradation, information system shutdown, fallback to a\n               manual mode, alternate information flows, and operating in modes reserved for when\n               systems are under attack. By closely coordinating contingency planning with incident\n               handling activities, organizations can ensure that the necessary contingency planning\n               activities are in place and activated in the event of a security incident.",
-                "links": [
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pm-8",
-                    "rel": "related",
-                    "text": "PM-8"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cp-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(a)"
-                      }
-                    ],
-                    "prose": "develops and documents a contingency plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "cp-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(1)"
-                          }
-                        ],
-                        "prose": "identifies essential missions and business functions and associated contingency\n                     requirements;"
-                      },
-                      {
-                        "id": "cp-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "provides recovery objectives;"
-                          },
-                          {
-                            "id": "cp-2.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "provides restoration priorities;"
-                          },
-                          {
-                            "id": "cp-2.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "provides metrics;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "addresses contingency roles;"
-                          },
-                          {
-                            "id": "cp-2.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "addresses contingency responsibilities;"
-                          },
-                          {
-                            "id": "cp-2.a.3_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[3]"
-                              }
-                            ],
-                            "prose": "addresses assigned individuals with contact information;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-2.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(4)"
-                          }
-                        ],
-                        "prose": "addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"
-                      },
-                      {
-                        "id": "cp-2.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(5)"
-                          }
-                        ],
-                        "prose": "addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented;"
-                      },
-                      {
-                        "id": "cp-2.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(6)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.6_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(6)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to review and approve the contingency plan for\n                        the information system;"
-                          },
-                          {
-                            "id": "cp-2.a.6_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(6)[2]"
-                              }
-                            ],
-                            "prose": "is reviewed and approved by organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom copies of the contingency plan are to be\n                     distributed;"
-                      },
-                      {
-                        "id": "cp-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the contingency plan to organization-defined key\n                     contingency personnel and organizational elements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(c)"
-                      }
-                    ],
-                    "prose": "coordinates contingency planning activities with incident handling activities;"
-                  },
-                  {
-                    "id": "cp-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to review the contingency plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(d)[2]"
-                          }
-                        ],
-                        "prose": "reviews the contingency plan with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(e)"
-                      }
-                    ],
-                    "prose": "updates the contingency plan to address:",
-                    "parts": [
-                      {
-                        "id": "cp-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(e)[1]"
-                          }
-                        ],
-                        "prose": "changes to the organization, information system, or environment of\n                     operation;"
-                      },
-                      {
-                        "id": "cp-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(e)[2]"
-                          }
-                        ],
-                        "prose": "problems encountered during plan implementation, execution, and testing;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom contingency plan changes are to be\n                     communicated;"
-                      },
-                      {
-                        "id": "cp-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(f)[2]"
-                          }
-                        ],
-                        "prose": "communicates contingency plan changes to organization-defined key contingency\n                     personnel and organizational elements; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(g)"
-                      }
-                    ],
-                    "prose": "protects the contingency plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nevidence of contingency plan reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency plan development, review, update, and\n                  protection\\n\\nautomated mechanisms for developing, reviewing, updating and/or protecting the\n                  contingency plan"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."
-              }
-            ]
-          },
-          {
-            "id": "cp-3",
-            "class": "SP800-53",
-            "title": "Contingency Training",
-            "parameters": [
-              {
-                "id": "cp-3_prm_1",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "cp-3_prm_2",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-3_smt",
-                "name": "statement",
-                "prose": "The organization provides contingency training to information system users consistent\n               with assigned roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "cp-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Within {{ cp-3_prm_1 }} of assuming a contingency role or\n                  responsibility;"
-                  },
-                  {
-                    "id": "cp-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "cp-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ cp-3_prm_2 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_gdn",
-                "name": "guidance",
-                "prose": "Contingency training provided by organizations is linked to the assigned roles and\n               responsibilities of organizational personnel to ensure that the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know when and where to report for duty during contingency operations and if\n               normal duties are affected; system administrators may require additional training on\n               how to set up information systems at alternate processing and storage sites; and\n               managers/senior leaders may receive more specific training on how to conduct\n               mission-essential functions in designated off-site locations and how to establish\n               communications with other governmental entities for purposes of coordination on\n               contingency-related activities. Training for contingency roles/responsibilities\n               reflects the specific continuity requirements in the contingency plan.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ir-2",
-                    "rel": "related",
-                    "text": "IR-2"
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cp-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which contingency training is to be provided to\n                     information system users assuming a contingency role or responsibility;"
-                      },
-                      {
-                        "id": "cp-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-3(a)[2]"
-                          }
-                        ],
-                        "prose": "provides contingency training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming a contingency role or responsibility;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(b)"
-                      }
-                    ],
-                    "prose": "provides contingency training to information system users consistent with assigned\n                  roles and responsibilities when required by information system changes;"
-                  },
-                  {
-                    "id": "cp-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency for contingency training thereafter; and"
-                      },
-                      {
-                        "id": "cp-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides contingency training to information system users consistent with\n                     assigned roles and responsibilities with the organization-defined frequency\n                     thereafter."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nsecurity plan\\n\\ncontingency training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning, plan implementation, and\n                  training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency training"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."
-              }
-            ]
-          },
-          {
-            "id": "cp-4",
-            "class": "SP800-53",
-            "title": "Contingency Plan Testing",
-            "parameters": [
-              {
-                "id": "cp-4_prm_1",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "cp-4_prm_2",
-                "label": "organization-defined tests"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-84"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the\n                  effectiveness of the plan and the organizational readiness to execute the\n                  plan;"
-                  },
-                  {
-                    "id": "cp-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews the contingency plan test results; and"
-                  },
-                  {
-                    "id": "cp-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Initiates corrective actions, if needed."
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_gdn",
-                "name": "guidance",
-                "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and\n               to identify potential weaknesses in the plans include, for example, walk-through and\n               tabletop exercises, checklists, simulations (parallel, full interrupt), and\n               comprehensive exercises. Organizations conduct testing based on the continuity\n               requirements in contingency plans and include a determination of the effects on\n               organizational operations, assets, and individuals arising due to contingency\n               operations. Organizations have flexibility and discretion in the breadth, depth, and\n               timelines of corrective actions.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-3",
-                    "rel": "related",
-                    "text": "CP-3"
-                  },
-                  {
-                    "href": "#ir-3",
-                    "rel": "related",
-                    "text": "IR-3"
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines tests to determine the effectiveness of the contingency plan and the\n                     organizational readiness to execute the plan;"
-                      },
-                      {
-                        "id": "cp-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[2]"
-                          }
-                        ],
-                        "prose": "defines a frequency to test the contingency plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[3]"
-                          }
-                        ],
-                        "prose": "tests the contingency plan for the information system with the\n                     organization-defined frequency, using organization-defined tests to determine\n                     the effectiveness of the plan and the organizational readiness to execute the\n                     plan;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-4(b)"
-                      }
-                    ],
-                    "prose": "reviews the contingency plan test results; and"
-                  },
-                  {
-                    "id": "cp-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-4(c)"
-                      }
-                    ],
-                    "prose": "initiates corrective actions, if needed."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\nsecurity plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for contingency plan testing,\n                  reviewing or responding to contingency plan tests\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                  testing"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."
-              }
-            ]
-          },
-          {
-            "id": "cp-9",
-            "class": "SP800-53",
-            "title": "Information System Backup",
-            "parameters": [
-              {
-                "id": "cp-9_prm_1",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_prm_2",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_prm_3",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-09"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Conducts backups of user-level information contained in the information system\n                     {{ cp-9_prm_1 }};"
-                  },
-                  {
-                    "id": "cp-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Conducts backups of system-level information contained in the information system\n                     {{ cp-9_prm_2 }};"
-                  },
-                  {
-                    "id": "cp-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Conducts backups of information system documentation including security-related\n                  documentation {{ cp-9_prm_3 }}; and"
-                  },
-                  {
-                    "id": "cp-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_gdn",
-                "name": "guidance",
-                "prose": "System-level information includes, for example, system-state information, operating\n               system and application software, and licenses. User-level information includes any\n               information other than system-level information. Mechanisms employed by organizations\n               to protect the integrity of information system backups include, for example, digital\n               signatures and cryptographic hashes. Protection of system backup information while in\n               transit is beyond the scope of this control. Information system backups reflect the\n               requirements in contingency plans as well as other organizational requirements for\n               backing up information.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of user-level information contained in the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(a)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of user-level information contained in the information system\n                     with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of system-level information contained in the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of system-level information contained in the information\n                     system with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of information system documentation including security-related\n                     documentation;"
-                      },
-                      {
-                        "id": "cp-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of information system documentation, including\n                     security-related documentation, with the organization-defined frequency;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(d)"
-                      }
-                    ],
-                    "prose": "protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system backups"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_fr",
-                "name": "item",
-                "title": "CP-9 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "cp-9_fr_smt.1",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Requirement:"
-                      }
-                    ],
-                    "prose": "The service provider shall determine what elements of the cloud environment\n                     require the Information System Backup control. The service provider shall\n                     determine how Information System Backup is going to be verified and appropriate\n                     periodicity of the check."
-                  },
-                  {
-                    "id": "cp-9_fr_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(a) Requirement:"
-                      }
-                    ],
-                    "prose": "The service provider maintains at least three backup copies of user-level\n                     information (at least one of which is available online)."
-                  },
-                  {
-                    "id": "cp-9_fr_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(b)Requirement:"
-                      }
-                    ],
-                    "prose": "The service provider maintains at least three backup copies of system-level\n                     information (at least one of which is available online)."
-                  },
-                  {
-                    "id": "cp-9_fr_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(c)Requirement:"
-                      }
-                    ],
-                    "prose": "The service provider maintains at least three backup copies of information\n                     system documentation including security information (at least one of which is\n                     available online)."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-10",
-            "class": "SP800-53",
-            "title": "Information System Recovery and Reconstitution",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-10"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-10_smt",
-                "name": "statement",
-                "prose": "The organization provides for the recovery and reconstitution of the information\n               system to a known state after a disruption, compromise, or failure."
-              },
-              {
-                "id": "cp-10_gdn",
-                "name": "guidance",
-                "prose": "Recovery is executing information system contingency plan activities to restore\n               organizational missions/business functions. Reconstitution takes place following\n               recovery and includes activities for returning organizational information systems to\n               fully operational states. Recovery and reconstitution operations reflect mission and\n               business priorities, recovery point/time and reconstitution objectives, and\n               established organizational metrics consistent with contingency plan requirements.\n               Reconstitution includes the deactivation of any interim information system\n               capabilities that may have been needed during recovery operations. Reconstitution\n               also includes assessments of fully restored information system capabilities,\n               reestablishment of continuous monitoring activities, potential information system\n               reauthorizations, and activities to prepare the systems against future disruptions,\n               compromises, or failures. Recovery/reconstitution capabilities employed by\n               organizations can include both automated mechanisms and manual procedures.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#sc-24",
-                    "rel": "related",
-                    "text": "SC-24"
-                  }
-                ]
-              },
-              {
-                "id": "cp-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization provides for: ",
-                "parts": [
-                  {
-                    "id": "cp-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-10[1]"
-                      }
-                    ],
-                    "prose": "the recovery of the information system to a known state after:",
-                    "parts": [
-                      {
-                        "id": "cp-10_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][a]"
-                          }
-                        ],
-                        "prose": "a disruption;"
-                      },
-                      {
-                        "id": "cp-10_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][b]"
-                          }
-                        ],
-                        "prose": "a compromise; or"
-                      },
-                      {
-                        "id": "cp-10_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][c]"
-                          }
-                        ],
-                        "prose": "a failure;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-10[2]"
-                      }
-                    ],
-                    "prose": "the reconstitution of the information system to a known state after:",
-                    "parts": [
-                      {
-                        "id": "cp-10_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][a]"
-                          }
-                        ],
-                        "prose": "a disruption;"
-                      },
-                      {
-                        "id": "cp-10_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][b]"
-                          }
-                        ],
-                        "prose": "a compromise; or"
-                      },
-                      {
-                        "id": "cp-10_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][c]"
-                          }
-                        ],
-                        "prose": "a failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test results\\n\\ncontingency plan test documentation\\n\\nredundant secondary system for information system backups\\n\\nlocation(s) of redundant secondary backup system(s)\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning, recovery, and/or\n                  reconstitution responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes implementing information system recovery and\n                  reconstitution operations\\n\\nautomated mechanisms supporting and/or implementing information system recovery\n                  and reconstitution operations"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ia",
-        "class": "family",
-        "title": "Identification and Authentication",
-        "controls": [
-          {
-            "id": "ia-1",
-            "class": "SP800-53",
-            "title": "Identification and Authentication Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ia-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ia-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ia-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ia-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ia-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ia-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An identification and authentication policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "ia-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the identification and\n                     authentication policy and associated identification and authentication\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ia-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Identification and authentication policy {{ ia-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "ia-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Identification and authentication procedures {{ ia-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ia-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an identification and authentication policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "ia-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ia-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the identification and authentication\n                        policy is to be disseminated; and"
-                          },
-                          {
-                            "id": "ia-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the identification and authentication policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        identification and authentication policy and associated identification and\n                        authentication controls;"
-                          },
-                          {
-                            "id": "ia-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ia-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current identification and\n                        authentication policy;"
-                          },
-                          {
-                            "id": "ia-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current identification and authentication policy\n                        with the organization-defined frequency; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current identification and\n                        authentication procedures; and"
-                          },
-                          {
-                            "id": "ia-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current identification and authentication procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with identification and authentication\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-2",
-            "class": "SP800-53",
-            "title": "Identification and Authentication (organizational Users)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ad733a42-a7ed-4774-b988-4930c28852f3",
-                "rel": "reference",
-                "text": "HSPD-12"
-              },
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-2_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates organizational users (or\n               processes acting on behalf of organizational users)."
-              },
-              {
-                "id": "ia-2_gdn",
-                "name": "guidance",
-                "prose": "Organizational users include employees or individuals that organizations deem to have\n               equivalent status of employees (e.g., contractors, guest researchers). This control\n               applies to all accesses other than: (i) accesses that are explicitly identified and\n               documented in AC-14; and (ii) accesses that occur through authorized use of group\n               authenticators without individual authentication. Organizations may require unique\n               identification of individuals in group accounts (e.g., shared privilege accounts) or\n               for detailed accountability of individual activity. Organizations employ passwords,\n               tokens, or biometrics to authenticate user identities, or in the case multifactor\n               authentication, or some combination thereof. Access to organizational information\n               systems is defined as either local access or network access. Local access is any\n               access to organizational information systems by users (or processes acting on behalf\n               of users) where such access is obtained by direct connections without the use of\n               networks. Network access is access to organizational information systems by users (or\n               processes acting on behalf of users) where such access is obtained through network\n               connections (i.e., nonlocal accesses). Remote access is a type of network access that\n               involves communication through external networks (e.g., the Internet). Internal\n               networks include local area networks and wide area networks. In addition, the use of\n               encrypted virtual private networks (VPNs) for network connections between\n               organization-controlled endpoints and non-organization controlled endpoints may be\n               treated as internal networks from the perspective of protecting the confidentiality\n               and integrity of information traversing the network. Organizations can satisfy the\n               identification and authentication requirements in this control by complying with the\n               requirements in Homeland Security Presidential Directive 12 consistent with the\n               specific organizational implementation plans. Multifactor authentication requires the\n               use of two or more different factors to achieve authentication. The factors are\n               defined as: (i) something you know (e.g., password, personal identification number\n               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);\n               or (iii) something you are (e.g., biometric). Multifactor solutions that require\n               devices separate from information systems gaining access include, for example,\n               hardware tokens providing time-based or challenge-response authenticators and smart\n               cards such as the U.S. Government Personal Identity Verification card and the DoD\n               common access card. In addition to identifying and authenticating users at the\n               information system level (i.e., at logon), organizations also employ identification\n               and authentication mechanisms at the application level, when necessary, to provide\n               increased information security. Identification and authentication requirements for\n               other than organizational users are described in IA-8.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  }
-                ]
-              },
-              {
-                "id": "ia-2_obj",
-                "name": "objective",
-                "prose": "Determine if the information system uniquely identifies and authenticates\n               organizational users (or processes acting on behalf of organizational users)."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for uniquely identifying and authenticating users\\n\\nautomated mechanisms supporting and/or implementing identification and\n                  authentication capability"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO for non-privileged users. Attestation for privileged users related to\n                  multi-factor identification and authentication - specifically include description\n                  of management of service accounts."
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.01"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "ASSESS"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.1_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for network access to\n                  privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  network access to privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.12",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of PIV Credentials",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(12)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.12"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "CONDITIONAL"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.12_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials."
-                  },
-                  {
-                    "id": "ia-2.12_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to organizations implementing logical access\n                  control systems (LACS) and physical access control systems (PACS). Personal\n                  Identity Verification (PIV) credentials are those credentials issued by federal\n                  agencies that conform to FIPS Publication 201 and supporting guidance documents.\n                  OMB Memorandum 11-11 requires federal agencies to continue implementing the\n                  requirements specified in HSPD-12 to enable agency-wide use of PIV\n                  credentials.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.12_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system: ",
-                    "parts": [
-                      {
-                        "id": "ia-2.12_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-2(12)[1]"
-                          }
-                        ],
-                        "prose": "accepts Personal Identity Verification (PIV) credentials; and"
-                      },
-                      {
-                        "id": "ia-2.12_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-2(12)[2]"
-                          }
-                        ],
-                        "prose": "electronically verifies Personal Identity Verification (PIV) credentials."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing acceptance and verification\n                     of PIV credentials"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "guidance",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "prose": "Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."
-                  },
-                  {
-                    "id": "ia-2.12_fr",
-                    "name": "item",
-                    "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ia-2.12_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of\n                     PIV/FIPS 201/HSPD-12."
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-4",
-            "class": "SP800-53",
-            "title": "Identifier Management",
-            "parameters": [
-              {
-                "id": "ia-4_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ia-4_prm_2",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "ia-4_prm_3",
-                "label": "organization-defined time period of inactivity"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-4_smt",
-                "name": "statement",
-                "prose": "The organization manages information system identifiers by:",
-                "parts": [
-                  {
-                    "id": "ia-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Receiving authorization from {{ ia-4_prm_1 }} to assign an\n                  individual, group, role, or device identifier;"
-                  },
-                  {
-                    "id": "ia-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Selecting an identifier that identifies an individual, group, role, or device;"
-                  },
-                  {
-                    "id": "ia-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Assigning the identifier to the intended individual, group, role, or device;"
-                  },
-                  {
-                    "id": "ia-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ia-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Disabling the identifier after {{ ia-4_prm_3 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_gdn",
-                "name": "guidance",
-                "prose": "Common device identifiers include, for example, media access control (MAC), Internet\n               protocol (IP) addresses, or device-unique token identifiers. Management of individual\n               identifiers is not applicable to shared information system accounts (e.g., guest and\n               anonymous accounts). Typically, individual identifiers are the user names of the\n               information system accounts assigned to those individuals. In such instances, the\n               account management activities of AC-2 use account names provided by IA-4. This\n               control also addresses individual identifiers not necessarily associated with\n               information system accounts (e.g., identifiers used in physical security control\n               databases accessed by badge reader systems for access to information systems).\n               Preventing reuse of identifiers implies preventing the assignment of previously used\n               individual, group, role, or device identifiers to different individuals, groups,\n               roles, or devices.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#sc-37",
-                    "rel": "related",
-                    "text": "SC-37"
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization manages information system identifiers by: ",
-                "parts": [
-                  {
-                    "id": "ia-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defining personnel or roles from whom authorization must be received to\n                     assign:",
-                        "parts": [
-                          {
-                            "id": "ia-4.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][a]"
-                              }
-                            ],
-                            "prose": "an individual identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][b]"
-                              }
-                            ],
-                            "prose": "a group identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][c]"
-                              }
-                            ],
-                            "prose": "a role identifier; and/or"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][d]"
-                              }
-                            ],
-                            "prose": "a device identifier;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(a)[2]"
-                          }
-                        ],
-                        "prose": "receiving authorization from organization-defined personnel or roles to\n                     assign:",
-                        "parts": [
-                          {
-                            "id": "ia-4.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][a]"
-                              }
-                            ],
-                            "prose": "an individual identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][b]"
-                              }
-                            ],
-                            "prose": "a group identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][c]"
-                              }
-                            ],
-                            "prose": "a role identifier; and/or"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][d]"
-                              }
-                            ],
-                            "prose": "a device identifier;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(b)"
-                      }
-                    ],
-                    "prose": "selecting an identifier that identifies:",
-                    "parts": [
-                      {
-                        "id": "ia-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[1]"
-                          }
-                        ],
-                        "prose": "an individual;"
-                      },
-                      {
-                        "id": "ia-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[2]"
-                          }
-                        ],
-                        "prose": "a group;"
-                      },
-                      {
-                        "id": "ia-4.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[3]"
-                          }
-                        ],
-                        "prose": "a role; and/or"
-                      },
-                      {
-                        "id": "ia-4.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[4]"
-                          }
-                        ],
-                        "prose": "a device;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(c)"
-                      }
-                    ],
-                    "prose": "assigning the identifier to the intended:",
-                    "parts": [
-                      {
-                        "id": "ia-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[1]"
-                          }
-                        ],
-                        "prose": "individual;"
-                      },
-                      {
-                        "id": "ia-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[2]"
-                          }
-                        ],
-                        "prose": "group;"
-                      },
-                      {
-                        "id": "ia-4.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[3]"
-                          }
-                        ],
-                        "prose": "role; and/or"
-                      },
-                      {
-                        "id": "ia-4.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[4]"
-                          }
-                        ],
-                        "prose": "device;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(d)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period for preventing reuse of identifiers;"
-                      },
-                      {
-                        "id": "ia-4.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(d)[2]"
-                          }
-                        ],
-                        "prose": "preventing reuse of identifiers for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(e)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period of inactivity to disable the identifier; and"
-                      },
-                      {
-                        "id": "ia-4.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(e)[2]"
-                          }
-                        ],
-                        "prose": "disabling the identifier after the organization-defined time period of\n                     inactivity."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system accounts\\n\\nlist of identifiers generated from physical access control devices\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing identifier management"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-5",
-            "class": "SP800-53",
-            "title": "Authenticator Management",
-            "parameters": [
-              {
-                "id": "ia-5_prm_1",
-                "label": "organization-defined time period by authenticator type"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-5_smt",
-                "name": "statement",
-                "prose": "The organization manages information system authenticators by:",
-                "parts": [
-                  {
-                    "id": "ia-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Verifying, as part of the initial authenticator distribution, the identity of the\n                  individual, group, role, or device receiving the authenticator;"
-                  },
-                  {
-                    "id": "ia-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishing initial authenticator content for authenticators defined by the\n                  organization;"
-                  },
-                  {
-                    "id": "ia-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"
-                  },
-                  {
-                    "id": "ia-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Establishing and implementing administrative procedures for initial authenticator\n                  distribution, for lost/compromised or damaged authenticators, and for revoking\n                  authenticators;"
-                  },
-                  {
-                    "id": "ia-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Changing default content of authenticators prior to information system\n                  installation;"
-                  },
-                  {
-                    "id": "ia-5_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Establishing minimum and maximum lifetime restrictions and reuse conditions for\n                  authenticators;"
-                  },
-                  {
-                    "id": "ia-5_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Changing/refreshing authenticators {{ ia-5_prm_1 }};"
-                  },
-                  {
-                    "id": "ia-5_smt.h",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "h."
-                      }
-                    ],
-                    "prose": "Protecting authenticator content from unauthorized disclosure and\n                  modification;"
-                  },
-                  {
-                    "id": "ia-5_smt.i",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "i."
-                      }
-                    ],
-                    "prose": "Requiring individuals to take, and having devices implement, specific security\n                  safeguards to protect authenticators; and"
-                  },
-                  {
-                    "id": "ia-5_smt.j",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "j."
-                      }
-                    ],
-                    "prose": "Changing authenticators for group/role accounts when membership to those accounts\n                  changes."
-                  }
-                ]
-              },
-              {
-                "id": "ia-5_gdn",
-                "name": "guidance",
-                "prose": "Individual authenticators include, for example, passwords, tokens, biometrics, PKI\n               certificates, and key cards. Initial authenticator content is the actual content\n               (e.g., the initial password) as opposed to requirements about authenticator content\n               (e.g., minimum password length). In many cases, developers ship information system\n               components with factory default authentication credentials to allow for initial\n               installation and configuration. Default authentication credentials are often well\n               known, easily discoverable, and present a significant security risk. The requirement\n               to protect individual authenticators may be implemented via control PL-4 or PS-6 for\n               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28\n               for authenticators stored within organizational information systems (e.g., passwords\n               stored in hashed or encrypted formats, files containing encrypted or hashed passwords\n               accessible with administrator privileges). Information systems support individual\n               authenticator management by organization-defined settings and restrictions for\n               various authenticator characteristics including, for example, minimum password\n               length, password composition, validation time window for time synchronous one-time\n               tokens, and number of allowed rejections during the verification stage of biometric\n               authentication. Specific actions that can be taken to safeguard authenticators\n               include, for example, maintaining possession of individual authenticators, not\n               loaning or sharing individual authenticators with others, and reporting lost, stolen,\n               or compromised authenticators immediately. Authenticator management includes issuing\n               and revoking, when no longer needed, authenticators for temporary access such as that\n               required for remote maintenance. Device authenticators include, for example,\n               certificates and passwords.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  }
-                ]
-              },
-              {
-                "id": "ia-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization manages information system authenticators by: ",
-                "parts": [
-                  {
-                    "id": "ia-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(a)"
-                      }
-                    ],
-                    "prose": "verifying, as part of the initial authenticator distribution, the identity of:",
-                    "parts": [
-                      {
-                        "id": "ia-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "the individual receiving the authenticator;"
-                      },
-                      {
-                        "id": "ia-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "the group receiving the authenticator;"
-                      },
-                      {
-                        "id": "ia-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[3]"
-                          }
-                        ],
-                        "prose": "the role receiving the authenticator; and/or"
-                      },
-                      {
-                        "id": "ia-5.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[4]"
-                          }
-                        ],
-                        "prose": "the device receiving the authenticator;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(b)"
-                      }
-                    ],
-                    "prose": "establishing initial authenticator content for authenticators defined by the\n                  organization;"
-                  },
-                  {
-                    "id": "ia-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(c)"
-                      }
-                    ],
-                    "prose": "ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"
-                  },
-                  {
-                    "id": "ia-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[1]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for initial\n                     authenticator distribution;"
-                      },
-                      {
-                        "id": "ia-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[2]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for lost/compromised or\n                     damaged authenticators;"
-                      },
-                      {
-                        "id": "ia-5.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[3]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for revoking\n                     authenticators;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(e)"
-                      }
-                    ],
-                    "prose": "changing default content of authenticators prior to information system\n                  installation;"
-                  },
-                  {
-                    "id": "ia-5.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[1]"
-                          }
-                        ],
-                        "prose": "establishing minimum lifetime restrictions for authenticators;"
-                      },
-                      {
-                        "id": "ia-5.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[2]"
-                          }
-                        ],
-                        "prose": "establishing maximum lifetime restrictions for authenticators;"
-                      },
-                      {
-                        "id": "ia-5.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[3]"
-                          }
-                        ],
-                        "prose": "establishing reuse conditions for authenticators;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(g)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period (by authenticator type) for changing/refreshing\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(g)[2]"
-                          }
-                        ],
-                        "prose": "changing/refreshing authenticators with the organization-defined time period by\n                     authenticator type;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.h_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(h)"
-                      }
-                    ],
-                    "prose": "protecting authenticator content from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "ia-5.h_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(h)[1]"
-                          }
-                        ],
-                        "prose": "disclosure;"
-                      },
-                      {
-                        "id": "ia-5.h_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(h)[2]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.i_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(i)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.i_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(i)[1]"
-                          }
-                        ],
-                        "prose": "requiring individuals to take specific security safeguards to protect\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.i_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(i)[2]"
-                          }
-                        ],
-                        "prose": "having devices implement specific security safeguards to protect\n                     authenticators; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.j_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(j)"
-                      }
-                    ],
-                    "prose": "changing authenticators for group/role accounts when membership to those accounts\n                  changes."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system authenticator types\\n\\nchange control records associated with managing information system\n                  authenticators\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                  capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Password-based Authentication",
-                "parameters": [
-                  {
-                    "id": "ia-5.1_prm_1",
-                    "label": "organization-defined requirements for case sensitivity, number of characters,\n                  mix of upper-case letters, lower-case letters, numbers, and special characters,\n                  including minimum requirements for each type"
-                  },
-                  {
-                    "id": "ia-5.1_prm_2",
-                    "label": "organization-defined number"
-                  },
-                  {
-                    "id": "ia-5.1_prm_3",
-                    "label": "organization-defined numbers for lifetime minimum, lifetime maximum"
-                  },
-                  {
-                    "id": "ia-5.1_prm_4",
-                    "label": "organization-defined number"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.01"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "ATTEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.1_smt",
-                    "name": "statement",
-                    "prose": "The information system, for password-based authentication:",
-                    "parts": [
-                      {
-                        "id": "ia-5.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Enforces minimum password complexity of {{ ia-5.1_prm_1 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Enforces at least the following number of changed characters when new passwords\n                     are created: {{ ia-5.1_prm_2 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Stores and transmits only cryptographically-protected passwords;"
-                      },
-                      {
-                        "id": "ia-5.1_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)"
-                          }
-                        ],
-                        "prose": "Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;\n                     and"
-                      },
-                      {
-                        "id": "ia-5.1_smt.f",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(f)"
-                          }
-                        ],
-                        "prose": "Allows the use of a temporary password for system logons with an immediate\n                     change to a permanent password."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to single-factor authentication of individuals\n                  using passwords as individual or group authenticators, and in a similar manner,\n                  when passwords are part of multifactor authenticators. This control enhancement\n                  does not apply when passwords are used to unlock hardware authenticators (e.g.,\n                  Personal Identity Verification cards). The implementation of such password\n                  mechanisms may not meet all of the requirements in the enhancement.\n                  Cryptographically-protected passwords include, for example, encrypted versions of\n                  passwords and one-way cryptographic hashes of passwords. The number of changed\n                  characters refers to the number of changes required with respect to the total\n                  number of positions in the current password. Password lifetime restrictions do not\n                  apply to temporary passwords. To mitigate certain brute force attacks against\n                  passwords, organizations may also consider salting passwords.",
-                    "links": [
-                      {
-                        "href": "#ia-6",
-                        "rel": "related",
-                        "text": "IA-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if, for password-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for case sensitivity;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for number of characters;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[3]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for the mix of upper-case letters,\n                        lower-case letters, numbers and special characters;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[4]"
-                              }
-                            ],
-                            "prose": "the organization defines minimum requirements for each type of\n                        character;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.5",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[5]"
-                              }
-                            ],
-                            "prose": "the information system enforces minimum password complexity of\n                        organization-defined requirements for case sensitivity, number of\n                        characters, mix of upper-case letters, lower-case letters, numbers, and\n                        special characters, including minimum requirements for each type;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.a",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines a minimum number of changed characters to be\n                        enforced when new passwords are created;"
-                          },
-                          {
-                            "id": "ia-5.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "the information system enforces at least the organization-defined minimum\n                        number of characters that must be changed when new passwords are\n                        created;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.b",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(c)"
-                          }
-                        ],
-                        "prose": "the information system stores and transmits only encrypted representations of\n                     passwords;",
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.c",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(d)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.d_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines numbers for password minimum lifetime restrictions\n                        to be enforced for passwords;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines numbers for password maximum lifetime restrictions\n                        to be enforced for passwords;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[3]"
-                              }
-                            ],
-                            "prose": "the information system enforces password minimum lifetime restrictions of\n                        organization-defined numbers for lifetime minimum;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[4]"
-                              }
-                            ],
-                            "prose": "the information system enforces password maximum lifetime restrictions of\n                        organization-defined numbers for lifetime maximum;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.d",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(d)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.e_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(e)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.e_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(e)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the number of password generations to be prohibited\n                        from password reuse;"
-                          },
-                          {
-                            "id": "ia-5.1.e_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(e)[2]"
-                              }
-                            ],
-                            "prose": "the information system prohibits password reuse for the organization-defined\n                        number of generations; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.e",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(e)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.f_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(f)"
-                          }
-                        ],
-                        "prose": "the information system allows the use of a temporary password for system logons\n                     with an immediate change to a permanent password.",
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.f",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(f)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\npassword policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\npassword configurations and associated documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.11",
-                "class": "SP800-53-enhancement",
-                "title": "Hardware Token-based Authentication",
-                "parameters": [
-                  {
-                    "id": "ia-5.11_prm_1",
-                    "label": "organization-defined token quality requirements"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(11)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.11"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "FED"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "CONDITIONAL"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.11_smt",
-                    "name": "statement",
-                    "prose": "The information system, for hardware token-based authentication, employs\n                  mechanisms that satisfy {{ ia-5.11_prm_1 }}."
-                  },
-                  {
-                    "id": "ia-5.11_gdn",
-                    "name": "guidance",
-                    "prose": "Hardware token-based authentication typically refers to the use of PKI-based\n                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.\n                  Organizations define specific requirements for tokens, such as working with a\n                  particular PKI."
-                  },
-                  {
-                    "id": "ia-5.11_obj",
-                    "name": "objective",
-                    "prose": "Determine if, for hardware token-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.11_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(11)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines token quality requirements to be satisfied; and"
-                      },
-                      {
-                        "id": "ia-5.11_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(11)[2]"
-                          }
-                        ],
-                        "prose": "the information system employs mechanisms that satisfy organization-defined\n                     token quality requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nautomated mechanisms employing hardware token-based authentication for the\n                     information system\\n\\nlist of token quality requirements\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing hardware token-based\n                     authenticator management capability"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "guidance",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "prose": "FED - for Federal privileged users. Condition - Must document and assess for\n                  privileged users. May attest to this control for non-privileged users."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-6",
-            "class": "SP800-53",
-            "title": "Authenticator Feedback",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-06"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-6_smt",
-                "name": "statement",
-                "prose": "The information system obscures feedback of authentication information during the\n               authentication process to protect the information from possible exploitation/use by\n               unauthorized individuals."
-              },
-              {
-                "id": "ia-6_gdn",
-                "name": "guidance",
-                "prose": "The feedback from information systems does not provide information that would allow\n               unauthorized individuals to compromise authentication mechanisms. For some types of\n               information systems or system components, for example, desktops/notebooks with\n               relatively large monitors, the threat (often referred to as shoulder surfing) may be\n               significant. For other types of systems or components, for example, mobile devices\n               with 2-4 inch screens, this threat may be less significant, and may need to be\n               balanced against the increased likelihood of typographic input errors due to the\n               small keyboards. Therefore, the means for obscuring the authenticator feedback is\n               selected accordingly. Obscuring the feedback of authentication information includes,\n               for example, displaying asterisks when users type passwords into input devices, or\n               displaying feedback for a very limited time before fully obscuring it.",
-                "links": [
-                  {
-                    "href": "#pe-18",
-                    "rel": "related",
-                    "text": "PE-18"
-                  }
-                ]
-              },
-              {
-                "id": "ia-6_obj",
-                "name": "objective",
-                "prose": "Determine if the information system obscures feedback of authentication information\n               during the authentication process to protect the information from possible\n               exploitation/use by unauthorized individuals."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator feedback\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing the obscuring of feedback of\n                  authentication information during authentication"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-7",
-            "class": "SP800-53",
-            "title": "Cryptographic Module Authentication",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-07"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-                "rel": "reference",
-                "text": "FIPS Publication 140"
-              },
-              {
-                "href": "#b09d1a31-d3c9-4138-a4f4-4c63816afd7d",
-                "rel": "reference",
-                "text": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-7_smt",
-                "name": "statement",
-                "prose": "The information system implements mechanisms for authentication to a cryptographic\n               module that meet the requirements of applicable federal laws, Executive Orders,\n               directives, policies, regulations, standards, and guidance for such\n               authentication."
-              },
-              {
-                "id": "ia-7_gdn",
-                "name": "guidance",
-                "prose": "Authentication mechanisms may be required within a cryptographic module to\n               authenticate an operator accessing the module and to verify that the operator is\n               authorized to assume the requested role and perform services within that role.",
-                "links": [
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "ia-7_obj",
-                "name": "objective",
-                "prose": "Determine if the information system implements mechanisms for authentication to a\n               cryptographic module that meet the requirements of applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and guidance for such\n               authentication."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing cryptographic module authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for cryptographic module\n                  authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic module\n                  authentication"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-8",
-            "class": "SP800-53",
-            "title": "Identification and Authentication (non-organizational Users)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-08"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#599fe9ba-4750-4450-9eeb-b95bd19a5e8f",
-                "rel": "reference",
-                "text": "OMB Memorandum 10-06-2011"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-116"
-              },
-              {
-                "href": "#654f21e2-f3bc-43b2-abdc-60ab8d09744b",
-                "rel": "reference",
-                "text": "National Strategy for Trusted Identities in\n            Cyberspace"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-8_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates non-organizational users\n               (or processes acting on behalf of non-organizational users)."
-              },
-              {
-                "id": "ia-8_gdn",
-                "name": "guidance",
-                "prose": "Non-organizational users include information system users other than organizational\n               users explicitly covered by IA-2. These individuals are uniquely identified and\n               authenticated for accesses other than those accesses explicitly identified and\n               documented in AC-14. In accordance with the E-Authentication E-Government initiative,\n               authentication of non-organizational users accessing federal information systems may\n               be required to protect federal, proprietary, or privacy-related information (with\n               exceptions noted for national security systems). Organizations use risk assessments\n               to determine authentication needs and consider scalability, practicality, and\n               security in balancing the need to ensure ease of use for access to federal\n               information and information systems with the need to protect and adequately mitigate\n               risk. IA-2 addresses identification and authentication requirements for access to\n               information systems by organizational users.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  }
-                ]
-              },
-              {
-                "id": "ia-8_obj",
-                "name": "objective",
-                "prose": "Determine if the information system uniquely identifies and authenticates\n               non-organizational users (or processes acting on behalf of non-organizational\n               users)."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of PIV Credentials from Other Agencies",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.01"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "CONDITIONAL"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.1_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials from other federal agencies."
-                  },
-                  {
-                    "id": "ia-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to logical access control systems (LACS) and\n                  physical access control systems (PACS). Personal Identity Verification (PIV)\n                  credentials are those credentials issued by federal agencies that conform to FIPS\n                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires\n                  federal agencies to continue implementing the requirements specified in HSPD-12 to\n                  enable agency-wide use of PIV credentials.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system: ",
-                    "parts": [
-                      {
-                        "id": "ia-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-8(1)[1]"
-                          }
-                        ],
-                        "prose": "accepts Personal Identity Verification (PIV) credentials from other agencies;\n                     and"
-                      },
-                      {
-                        "id": "ia-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-8(1)[2]"
-                          }
-                        ],
-                        "prose": "electronically verifies Personal Identity Verification (PIV) credentials from\n                     other agencies."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept and verify PIV credentials"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "guidance",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "prose": "Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of Third-party Credentials",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.02"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "CONDITIONAL"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.2_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts only FICAM-approved third-party credentials."
-                  },
-                  {
-                    "id": "ia-8.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement typically applies to organizational information systems\n                  that are accessible to the general public, for example, public-facing websites.\n                  Third-party credentials are those credentials issued by nonfederal government\n                  entities approved by the Federal Identity, Credential, and Access Management\n                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials\n                  meet or exceed the set of minimum federal government-wide technical, security,\n                  privacy, and organizational maturity requirements. This allows federal government\n                  relying parties to trust such credentials at their approved assurance levels.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system accepts only FICAM-approved third-party\n                  credentials. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-approved, third-party credentialing products, components, or\n                     services procured and implemented by organization\\n\\nthird-party credential verification records\\n\\nevidence of FICAM-approved third-party credentials\\n\\nthird-party credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept FICAM-approved credentials"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "guidance",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "prose": "Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.3",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Ficam-approved Products",
-                "parameters": [
-                  {
-                    "id": "ia-8.3_prm_1",
-                    "label": "organization-defined information systems"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.03"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "ATTEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs only FICAM-approved information system components in\n                     {{ ia-8.3_prm_1 }} to accept third-party credentials."
-                  },
-                  {
-                    "id": "ia-8.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement typically applies to information systems that are\n                  accessible to the general public, for example, public-facing websites.\n                  FICAM-approved information system components include, for example, information\n                  technology products and software libraries that have been approved by the Federal\n                  Identity, Credential, and Access Management conformance program.",
-                    "links": [
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-8.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-8(3)[1]"
-                          }
-                        ],
-                        "prose": "defines information systems in which only FICAM-approved information system\n                     components are to be employed to accept third-party credentials; and"
-                      },
-                      {
-                        "id": "ia-8.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-8(3)[2]"
-                          }
-                        ],
-                        "prose": "employs only FICAM-approved information system components in\n                     organization-defined information systems to accept third-party credentials."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nthird-party credential validations\\n\\nthird-party credential authorizations\\n\\nthird-party credential records\\n\\nlist of FICAM-approved information system components procured and implemented\n                     by organization\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information system security, acquisition, and\n                     contracting responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.4",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Ficam-issued Profiles",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.04"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "ATTEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.4_smt",
-                    "name": "statement",
-                    "prose": "The information system conforms to FICAM-issued profiles."
-                  },
-                  {
-                    "id": "ia-8.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement addresses open identity management standards. To ensure\n                  that these standards are viable, robust, reliable, sustainable (e.g., available in\n                  commercial information technology products), and interoperable as documented, the\n                  United States Government assesses and scopes identity management standards and\n                  technology implementations against applicable federal legislation, directives,\n                  policies, and requirements. The result is FICAM-issued implementation profiles of\n                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and\n                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute\n                  Exchange).",
-                    "links": [
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system conforms to FICAM-issued profiles. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-issued profiles and associated, approved protocols\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing conformance with\n                     FICAM-issued profiles"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ir",
-        "class": "family",
-        "title": "Incident Response",
-        "controls": [
-          {
-            "id": "ir-1",
-            "class": "SP800-53",
-            "title": "Incident Response Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ir-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ir-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ir-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ir-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An incident response policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ir-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the incident response policy and\n                     associated incident response controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ir-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Incident response policy {{ ir-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ir-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Incident response procedures {{ ir-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IR\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an incident response policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ir-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ir-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the incident response policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ir-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the incident response policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        incident response policy and associated incident response controls;"
-                          },
-                          {
-                            "id": "ir-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ir-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current incident response\n                        policy;"
-                          },
-                          {
-                            "id": "ir-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current incident response policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current incident response\n                        procedures; and"
-                          },
-                          {
-                            "id": "ir-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current incident response procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-2",
-            "class": "SP800-53",
-            "title": "Incident Response Training",
-            "parameters": [
-              {
-                "id": "ir-2_prm_1",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "ir-2_prm_2",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-2_smt",
-                "name": "statement",
-                "prose": "The organization provides incident response training to information system users\n               consistent with assigned roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "ir-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Within {{ ir-2_prm_1 }} of assuming an incident response role or\n                  responsibility;"
-                  },
-                  {
-                    "id": "ir-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "ir-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ ir-2_prm_2 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_gdn",
-                "name": "guidance",
-                "prose": "Incident response training provided by organizations is linked to the assigned roles\n               and responsibilities of organizational personnel to ensure the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know who to call or how to recognize an incident on the information system;\n               system administrators may require additional training on how to handle/remediate\n               incidents; and incident responders may receive more specific training on forensics,\n               reporting, system recovery, and restoration. Incident response training includes user\n               training in the identification and reporting of suspicious activities, both from\n               external and internal sources.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-3",
-                    "rel": "related",
-                    "text": "CP-3"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which incident response training is to be provided\n                     to information system users assuming an incident response role or\n                     responsibility;"
-                      },
-                      {
-                        "id": "ir-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-2(a)[2]"
-                          }
-                        ],
-                        "prose": "provides incident response training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming an incident response role or responsibility;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(b)"
-                      }
-                    ],
-                    "prose": "provides incident response training to information system users consistent with\n                  assigned roles and responsibilities when required by information system\n                  changes;"
-                  },
-                  {
-                    "id": "ir-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher incident response training to\n                     information system users consistent with assigned roles or responsibilities;\n                     and"
-                      },
-                      {
-                        "id": "ir-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-2(c)[2]"
-                          }
-                        ],
-                        "prose": "after the initial incident response training, provides refresher incident\n                     response training to information system users consistent with assigned roles\n                     and responsibilities in accordance with the organization-defined frequency to\n                     provide refresher training."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nsecurity plan\\n\\nincident response plan\\n\\nsecurity plan\\n\\nincident response training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response training and operational\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-4",
-            "class": "SP800-53",
-            "title": "Incident Handling",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Implements an incident handling capability for security incidents that includes\n                  preparation, detection and analysis, containment, eradication, and recovery;"
-                  },
-                  {
-                    "id": "ir-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Coordinates incident handling activities with contingency planning activities;\n                  and"
-                  },
-                  {
-                    "id": "ir-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Incorporates lessons learned from ongoing incident handling activities into\n                  incident response procedures, training, and testing, and implements the resulting\n                  changes accordingly."
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_gdn",
-                "name": "guidance",
-                "prose": "Organizations recognize that incident response capability is dependent on the\n               capabilities of organizational information systems and the mission/business processes\n               being supported by those systems. Therefore, organizations consider incident response\n               as part of the definition, design, and development of mission/business processes and\n               information systems. Incident-related information can be obtained from a variety of\n               sources including, for example, audit monitoring, network monitoring, physical access\n               monitoring, user/administrator reports, and reported supply chain events. Effective\n               incident handling capability includes coordination among many organizational entities\n               including, for example, mission/business owners, information system owners,\n               authorizing officials, human resources offices, physical and personnel security\n               offices, legal departments, operations personnel, procurement offices, and the risk\n               executive (function).",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-4",
-                    "rel": "related",
-                    "text": "CP-4"
-                  },
-                  {
-                    "href": "#ir-2",
-                    "rel": "related",
-                    "text": "IR-2"
-                  },
-                  {
-                    "href": "#ir-3",
-                    "rel": "related",
-                    "text": "IR-3"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-4(a)"
-                      }
-                    ],
-                    "prose": "implements an incident handling capability for security incidents that\n                  includes:",
-                    "parts": [
-                      {
-                        "id": "ir-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[1]"
-                          }
-                        ],
-                        "prose": "preparation;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[2]"
-                          }
-                        ],
-                        "prose": "detection and analysis;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[3]"
-                          }
-                        ],
-                        "prose": "containment;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[4]"
-                          }
-                        ],
-                        "prose": "eradication;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[5]"
-                          }
-                        ],
-                        "prose": "recovery;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-4(b)"
-                      }
-                    ],
-                    "prose": "coordinates incident handling activities with contingency planning activities;"
-                  },
-                  {
-                    "id": "ir-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(c)[1]"
-                          }
-                        ],
-                        "prose": "incorporates lessons learned from ongoing incident handling activities\n                     into:",
-                        "parts": [
-                          {
-                            "id": "ir-4.c_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][a]"
-                              }
-                            ],
-                            "prose": "incident response procedures;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][b]"
-                              }
-                            ],
-                            "prose": "training;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][c]"
-                              }
-                            ],
-                            "prose": "testing/exercises;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(c)[2]"
-                          }
-                        ],
-                        "prose": "implements the resulting changes accordingly to:",
-                        "parts": [
-                          {
-                            "id": "ir-4.c_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][a]"
-                              }
-                            ],
-                            "prose": "incident response procedures;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][b]"
-                              }
-                            ],
-                            "prose": "training; and"
-                          },
-                          {
-                            "id": "ir-4.c_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][c]"
-                              }
-                            ],
-                            "prose": "testing/exercises."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident handling capability for the organization"
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_fr",
-                "name": "item",
-                "title": "IR-4 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "ir-4_fr_smt.1",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Requirement:"
-                      }
-                    ],
-                    "prose": "The service provider ensures that individuals conducting incident handling meet\n                     personnel security requirements commensurate with the criticality/sensitivity\n                     of the information being processed, stored, and transmitted by the information\n                     system."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-5",
-            "class": "SP800-53",
-            "title": "Incident Monitoring",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-5_smt",
-                "name": "statement",
-                "prose": "The organization tracks and documents information system security incidents."
-              },
-              {
-                "id": "ir-5_gdn",
-                "name": "guidance",
-                "prose": "Documenting information system security incidents includes, for example, maintaining\n               records about each incident, the status of the incident, and other pertinent\n               information necessary for forensics, evaluating incident details, trends, and\n               handling. Incident information can be obtained from a variety of sources including,\n               for example, incident reports, incident response teams, audit monitoring, network\n               monitoring, physical access monitoring, and user/administrator reports.",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "ir-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-5[1]"
-                      }
-                    ],
-                    "prose": "tracks information system security incidents; and"
-                  },
-                  {
-                    "id": "ir-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-5[2]"
-                      }
-                    ],
-                    "prose": "documents information system security incidents."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nincident response records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident monitoring capability for the organization\\n\\nautomated mechanisms supporting and/or implementing tracking and documenting of\n                  system security incidents"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-6",
-            "class": "SP800-53",
-            "title": "Incident Reporting",
-            "parameters": [
-              {
-                "id": "ir-6_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_prm_2",
-                "label": "organization-defined authorities"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-06"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#02631467-668b-4233-989b-3dfded2fd184",
-                "rel": "reference",
-                "text": "http://www.us-cert.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires personnel to report suspected security incidents to the organizational\n                  incident response capability within {{ ir-6_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ir-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reports security incident information to {{ ir-6_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_gdn",
-                "name": "guidance",
-                "prose": "The intent of this control is to address both specific incident reporting\n               requirements within an organization and the formal incident reporting requirements\n               for federal agencies and their subordinate organizations. Suspected security\n               incidents include, for example, the receipt of suspicious email communications that\n               can potentially contain malicious code. The types of security incidents reported, the\n               content and timeliness of the reports, and the designated reporting authorities\n               reflect applicable federal laws, Executive Orders, directives, regulations, policies,\n               standards, and guidance. Current federal policy requires that all federal agencies\n               (unless specifically exempted from such requirements) report security incidents to\n               the United States Computer Emergency Readiness Team (US-CERT) within specified time\n               frames designated in the US-CERT Concept of Operations for Federal Cyber Security\n               Incident Handling.",
-                "links": [
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-5",
-                    "rel": "related",
-                    "text": "IR-5"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which personnel report suspected security\n                     incidents to the organizational incident response capability;"
-                      },
-                      {
-                        "id": "ir-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-6(a)[2]"
-                          }
-                        ],
-                        "prose": "requires personnel to report suspected security incidents to the organizational\n                     incident response capability within the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines authorities to whom security incident information is to be reported;\n                     and"
-                      },
-                      {
-                        "id": "ir-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reports security incident information to organization-defined authorities."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nincident reporting records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel who have/should have reported incidents\\n\\npersonnel (authorities) to whom incident information is to be reported"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing incident reporting"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_fr",
-                "name": "item",
-                "title": "IR-6 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "ir-6_fr_smt.1",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Requirement:"
-                      }
-                    ],
-                    "prose": "Report security incident information according to FedRAMP Incident\n                     Communications Procedure."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-7",
-            "class": "SP800-53",
-            "title": "Incident Response Assistance",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-07"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-7_smt",
-                "name": "statement",
-                "prose": "The organization provides an incident response support resource, integral to the\n               organizational incident response capability that offers advice and assistance to\n               users of the information system for the handling and reporting of security\n               incidents."
-              },
-              {
-                "id": "ir-7_gdn",
-                "name": "guidance",
-                "prose": "Incident response support resources provided by organizations include, for example,\n               help desks, assistance groups, and access to forensics services, when required.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-6",
-                    "rel": "related",
-                    "text": "IR-6"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  }
-                ]
-              },
-              {
-                "id": "ir-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization provides an incident response support resource:",
-                "parts": [
-                  {
-                    "id": "ir-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-7[1]"
-                      }
-                    ],
-                    "prose": "that is integral to the organizational incident response capability; and"
-                  },
-                  {
-                    "id": "ir-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-7[2]"
-                      }
-                    ],
-                    "prose": "that offers advice and assistance to users of the information system for the\n                  handling and reporting of security incidents."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response assistance and support\n                  responsibilities\\n\\norganizational personnel with access to incident response support and assistance\n                  capability\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing incident response\n                  assistance"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-8",
-            "class": "SP800-53",
-            "title": "Incident Response Plan",
-            "parameters": [
-              {
-                "id": "ir-8_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-8_prm_2",
-                "label": "organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements"
-              },
-              {
-                "id": "ir-8_prm_3",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ir-8_prm_4",
-                "label": "organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-08"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops an incident response plan that:",
-                    "parts": [
-                      {
-                        "id": "ir-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Provides the organization with a roadmap for implementing its incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Describes the structure and organization of the incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Meets the unique requirements of the organization, which relate to mission,\n                     size, structure, and functions;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Defines reportable incidents;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Provides metrics for measuring the incident response capability within the\n                     organization;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.7",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "7."
-                          }
-                        ],
-                        "prose": "Defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability; and"
-                      },
-                      {
-                        "id": "ir-8_smt.a.8",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "8."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by {{ ir-8_prm_1 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the incident response plan to {{ ir-8_prm_2 }};"
-                  },
-                  {
-                    "id": "ir-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the incident response plan {{ ir-8_prm_3 }};"
-                  },
-                  {
-                    "id": "ir-8_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan implementation, execution, or testing;"
-                  },
-                  {
-                    "id": "ir-8_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Communicates incident response plan changes to {{ ir-8_prm_4 }};\n                  and"
-                  },
-                  {
-                    "id": "ir-8_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Protects the incident response plan from unauthorized disclosure and\n                  modification."
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_gdn",
-                "name": "guidance",
-                "prose": "It is important that organizations develop and implement a coordinated approach to\n               incident response. Organizational missions, business functions, strategies, goals,\n               and objectives for incident response help to determine the structure of incident\n               response capabilities. As part of a comprehensive incident response capability,\n               organizations consider the coordination and sharing of information with external\n               organizations, including, for example, external service providers and organizations\n               involved in the supply chain for organizational information systems.",
-                "links": [
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(a)"
-                      }
-                    ],
-                    "prose": "develops an incident response plan that:",
-                    "parts": [
-                      {
-                        "id": "ir-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(1)"
-                          }
-                        ],
-                        "prose": "provides the organization with a roadmap for implementing its incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(2)"
-                          }
-                        ],
-                        "prose": "describes the structure and organization of the incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(3)"
-                          }
-                        ],
-                        "prose": "provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"
-                      },
-                      {
-                        "id": "ir-8.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(4)"
-                          }
-                        ],
-                        "prose": "meets the unique requirements of the organization, which relate to:",
-                        "parts": [
-                          {
-                            "id": "ir-8.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "mission;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "size;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[3]"
-                              }
-                            ],
-                            "prose": "structure;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[4]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(5)"
-                          }
-                        ],
-                        "prose": "defines reportable incidents;"
-                      },
-                      {
-                        "id": "ir-8.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(6)"
-                          }
-                        ],
-                        "prose": "provides metrics for measuring the incident response capability within the\n                     organization;"
-                      },
-                      {
-                        "id": "ir-8.a.7_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(7)"
-                          }
-                        ],
-                        "prose": "defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability;"
-                      },
-                      {
-                        "id": "ir-8.a.8_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(8)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.a.8_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(8)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to review and approve the incident response\n                        plan;"
-                          },
-                          {
-                            "id": "ir-8.a.8_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(8)[2]"
-                              }
-                            ],
-                            "prose": "is reviewed and approved by organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(b)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.b_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(b)[1][a]"
-                              }
-                            ],
-                            "prose": "defines incident response personnel (identified by name and/or by role) to\n                        whom copies of the incident response plan are to be distributed;"
-                          },
-                          {
-                            "id": "ir-8.b_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(b)[1][b]"
-                              }
-                            ],
-                            "prose": "defines organizational elements to whom copies of the incident response plan\n                        are to be distributed;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the incident response plan to organization-defined\n                     incident response personnel (identified by name and/or by role) and\n                     organizational elements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the incident response plan;"
-                      },
-                      {
-                        "id": "ir-8.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the incident response plan with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(d)"
-                      }
-                    ],
-                    "prose": "updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan:",
-                    "parts": [
-                      {
-                        "id": "ir-8.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[1]"
-                          }
-                        ],
-                        "prose": "implementation;"
-                      },
-                      {
-                        "id": "ir-8.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[2]"
-                          }
-                        ],
-                        "prose": "execution; or"
-                      },
-                      {
-                        "id": "ir-8.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[3]"
-                          }
-                        ],
-                        "prose": "testing;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(e)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.e_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(e)[1][a]"
-                              }
-                            ],
-                            "prose": "defines incident response personnel (identified by name and/or by role) to\n                        whom incident response plan changes are to be communicated;"
-                          },
-                          {
-                            "id": "ir-8.e_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(e)[1][b]"
-                              }
-                            ],
-                            "prose": "defines organizational elements to whom incident response plan changes are\n                        to be communicated;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(e)[2]"
-                          }
-                        ],
-                        "prose": "communicates incident response plan changes to organization-defined incident\n                     response personnel (identified by name and/or by role) and organizational\n                     elements; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(f)"
-                      }
-                    ],
-                    "prose": "protects the incident response plan from unauthorized disclosure and\n                  modification."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response planning\\n\\nincident response plan\\n\\nrecords of incident response plan reviews and approvals\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational incident response plan and related organizational processes"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Attestation - Specifically attest to US-CERT compliance."
-              }
-            ]
-          },
-          {
-            "id": "ir-9",
-            "class": "SP800-53",
-            "title": "Information Spillage Response",
-            "parameters": [
-              {
-                "id": "ir-9_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-9_prm_2",
-                "label": "organization-defined actions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-09"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-9_smt",
-                "name": "statement",
-                "prose": "The organization responds to information spills by:",
-                "parts": [
-                  {
-                    "id": "ir-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifying the specific information involved in the information system\n                  contamination;"
-                  },
-                  {
-                    "id": "ir-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Alerting {{ ir-9_prm_1 }} of the information spill using a method\n                  of communication not associated with the spill;"
-                  },
-                  {
-                    "id": "ir-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Isolating the contaminated information system or system component;"
-                  },
-                  {
-                    "id": "ir-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Eradicating the information from the contaminated information system or\n                  component;"
-                  },
-                  {
-                    "id": "ir-9_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Identifying other information systems or system components that may have been\n                  subsequently contaminated; and"
-                  },
-                  {
-                    "id": "ir-9_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Performing other {{ ir-9_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ir-9_gdn",
-                "name": "guidance",
-                "prose": "Information spillage refers to instances where either classified or sensitive\n               information is inadvertently placed on information systems that are not authorized to\n               process such information. Such information spills often occur when information that\n               is initially thought to be of lower sensitivity is transmitted to an information\n               system and then is subsequently determined to be of higher sensitivity. At that\n               point, corrective action is required. The nature of the organizational response is\n               generally based upon the degree of sensitivity of the spilled information (e.g.,\n               security category or classification level), the security capabilities of the\n               information system, the specific nature of contaminated storage media, and the access\n               authorizations (e.g., security clearances) of individuals with authorized access to\n               the contaminated system. The methods used to communicate information about the spill\n               after the fact do not involve methods directly associated with the actual spill to\n               minimize the risk of further spreading the contamination before such contamination is\n               isolated and eradicated."
-              },
-              {
-                "id": "ir-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(a)"
-                      }
-                    ],
-                    "prose": "responds to information spills by identifying the specific information causing the\n                  information system contamination;"
-                  },
-                  {
-                    "id": "ir-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel to be alerted of the information spillage;"
-                      },
-                      {
-                        "id": "ir-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[2]"
-                          }
-                        ],
-                        "prose": "identifies a method of communication not associated with the information spill\n                     to use to alert organization-defined personnel of the spill;"
-                      },
-                      {
-                        "id": "ir-9.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[3]"
-                          }
-                        ],
-                        "prose": "responds to information spills by alerting organization-defined personnel of\n                     the information spill using a method of communication not associated with the\n                     spill;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(c)"
-                      }
-                    ],
-                    "prose": "responds to information spills by isolating the contaminated information\n                  system;"
-                  },
-                  {
-                    "id": "ir-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(d)"
-                      }
-                    ],
-                    "prose": "responds to information spills by eradicating the information from the\n                  contaminated information system;"
-                  },
-                  {
-                    "id": "ir-9.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(e)"
-                      }
-                    ],
-                    "prose": "responds to information spills by identifying other information systems that may\n                  have been subsequently contaminated;"
-                  },
-                  {
-                    "id": "ir-9.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-9.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-9(f)[1]"
-                          }
-                        ],
-                        "prose": "defines other actions to be performed in response to information spills;\n                     and"
-                      },
-                      {
-                        "id": "ir-9.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-9(f)[2]"
-                          }
-                        ],
-                        "prose": "responds to information spills by performing other organization-defined\n                     actions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nrecords of information spillage alerts/notifications, list of personnel who should\n                  receive alerts of information spillage\\n\\nlist of actions to be performed regarding information spillage\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information spillage response\\n\\nautomated mechanisms supporting and/or implementing information spillage response\n                  actions and related communications"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Attestation - Specifically describe information spillage response processes."
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ma",
-        "class": "family",
-        "title": "Maintenance",
-        "controls": [
-          {
-            "id": "ma-1",
-            "class": "SP800-53",
-            "title": "System Maintenance Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ma-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ma-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ma-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ma-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ma-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system maintenance policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ma-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system maintenance policy\n                     and associated system maintenance controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ma-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System maintenance policy {{ ma-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ma-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System maintenance procedures {{ ma-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ma-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system maintenance policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ma-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ma-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system maintenance policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ma-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system maintenance policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        maintenance policy and associated system maintenance controls;"
-                          },
-                          {
-                            "id": "ma-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ma-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system maintenance\n                        policy;"
-                          },
-                          {
-                            "id": "ma-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system maintenance policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system maintenance\n                        procedures; and"
-                          },
-                          {
-                            "id": "ma-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system maintenance procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Maintenance policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-2",
-            "class": "SP800-53",
-            "title": "Controlled Maintenance",
-            "parameters": [
-              {
-                "id": "ma-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ma-2_prm_2",
-                "label": "organization-defined maintenance-related information"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Schedules, performs, documents, and reviews records of maintenance and repairs on\n                  information system components in accordance with manufacturer or vendor\n                  specifications and/or organizational requirements;"
-                  },
-                  {
-                    "id": "ma-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Approves and monitors all maintenance activities, whether performed on site or\n                  remotely and whether the equipment is serviced on site or removed to another\n                  location;"
-                  },
-                  {
-                    "id": "ma-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Requires that {{ ma-2_prm_1 }} explicitly approve the removal of\n                  the information system or system components from organizational facilities for\n                  off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions; and"
-                  },
-                  {
-                    "id": "ma-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Includes {{ ma-2_prm_2 }} in organizational maintenance\n                  records."
-                  }
-                ]
-              },
-              {
-                "id": "ma-2_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the information security aspects of the information system\n               maintenance program and applies to all types of maintenance to any system component\n               (including applications) conducted by any local or nonlocal entity (e.g.,\n               in-contract, warranty, in-house, software maintenance agreement). System maintenance\n               also includes those components not directly associated with information processing\n               and/or data/information retention such as scanners, copiers, and printers.\n               Information necessary for creating effective maintenance records includes, for\n               example: (i) date and time of maintenance; (ii) name of individuals or group\n               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of\n               the maintenance performed; and (v) information system components/equipment removed or\n               replaced (including identification numbers, if applicable). The level of detail\n               included in maintenance records can be informed by the security categories of\n               organizational information systems. Organizations consider supply chain issues\n               associated with replacement components for information systems.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "ma-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ma-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[1]"
-                          }
-                        ],
-                        "prose": "schedules maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[1][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[1][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[2]"
-                          }
-                        ],
-                        "prose": "performs maintenance and repairs on information system components in accordance\n                     with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[2][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[2][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[3]"
-                          }
-                        ],
-                        "prose": "documents maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[3][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[3][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[4]"
-                          }
-                        ],
-                        "prose": "reviews records of maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[4][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[4][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "approves all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"
-                      },
-                      {
-                        "id": "ma-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "monitors all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles required to explicitly approve the removal of the\n                     information system or system components from organizational facilities for\n                     off-site maintenance or repairs;"
-                      },
-                      {
-                        "id": "ma-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(c)[2]"
-                          }
-                        ],
-                        "prose": "requires that organization-defined personnel or roles explicitly approve the\n                     removal of the information system or system components from organizational\n                     facilities for off-site maintenance or repairs;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(d)"
-                      }
-                    ],
-                    "prose": "sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(e)"
-                      }
-                    ],
-                    "prose": "checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions;"
-                  },
-                  {
-                    "id": "ma-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines maintenance-related information to be included in organizational\n                     maintenance records; and"
-                      },
-                      {
-                        "id": "ma-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-2(f)[2]"
-                          }
-                        ],
-                        "prose": "includes organization-defined maintenance-related information in organizational\n                     maintenance records."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nmaintenance records\\n\\nmanufacturer/vendor maintenance specifications\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for scheduling, performing, documenting, reviewing,\n                  approving, and monitoring maintenance and repairs for the information system\\n\\norganizational processes for sanitizing information system components\\n\\nautomated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms implementing sanitization of information system\n                  components"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "ma-4",
-            "class": "SP800-53",
-            "title": "Nonlocal Maintenance",
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-                "rel": "reference",
-                "text": "FIPS Publication 197"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              },
-              {
-                "href": "#a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-                "rel": "reference",
-                "text": "CNSS Policy 15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Approves and monitors nonlocal maintenance and diagnostic activities;"
-                  },
-                  {
-                    "id": "ma-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Allows the use of nonlocal maintenance and diagnostic tools only as consistent\n                  with organizational policy and documented in the security plan for the information\n                  system;"
-                  },
-                  {
-                    "id": "ma-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"
-                  },
-                  {
-                    "id": "ma-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Maintains records for nonlocal maintenance and diagnostic activities; and"
-                  },
-                  {
-                    "id": "ma-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Terminates session and network connections when nonlocal maintenance is\n                  completed."
-                  }
-                ]
-              },
-              {
-                "id": "ma-4_gdn",
-                "name": "guidance",
-                "prose": "Nonlocal maintenance and diagnostic activities are those activities conducted by\n               individuals communicating through a network, either an external network (e.g., the\n               Internet) or an internal network. Local maintenance and diagnostic activities are\n               those activities carried out by individuals physically present at the information\n               system or information system component and not communicating across a network\n               connection. Authentication techniques used in the establishment of nonlocal\n               maintenance and diagnostic sessions reflect the network access requirements in IA-2.\n               Typically, strong authentication requires authenticators that are resistant to replay\n               attacks and employ multifactor authentication. Strong authenticators include, for\n               example, PKI where certificates are stored on a token protected by a password,\n               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by\n               other controls.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  }
-                ]
-              },
-              {
-                "id": "ma-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(a)[1]"
-                          }
-                        ],
-                        "prose": "approves nonlocal maintenance and diagnostic activities;"
-                      },
-                      {
-                        "id": "ma-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors nonlocal maintenance and diagnostic activities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(b)"
-                      }
-                    ],
-                    "prose": "allows the use of nonlocal maintenance and diagnostic tools only:",
-                    "parts": [
-                      {
-                        "id": "ma-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(b)[1]"
-                          }
-                        ],
-                        "prose": "as consistent with organizational policy;"
-                      },
-                      {
-                        "id": "ma-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(b)[2]"
-                          }
-                        ],
-                        "prose": "as documented in the security plan for the information system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(c)"
-                      }
-                    ],
-                    "prose": "employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"
-                  },
-                  {
-                    "id": "ma-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(d)"
-                      }
-                    ],
-                    "prose": "maintains records for nonlocal maintenance and diagnostic activities;"
-                  },
-                  {
-                    "id": "ma-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-4.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(e)[1]"
-                          }
-                        ],
-                        "prose": "terminates sessions when nonlocal maintenance or diagnostics is completed;\n                     and"
-                      },
-                      {
-                        "id": "ma-4.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(e)[2]"
-                          }
-                        ],
-                        "prose": "terminates network connections when nonlocal maintenance or diagnostics is\n                     completed."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing nonlocal maintenance\\n\\nautomated mechanisms implementing, supporting, and/or managing nonlocal\n                  maintenance\\n\\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic\n                  sessions\\n\\nautomated mechanisms for terminating nonlocal maintenance sessions and network\n                  connections"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-5",
-            "class": "SP800-53",
-            "title": "Maintenance Personnel",
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes a process for maintenance personnel authorization and maintains a list\n                  of authorized maintenance organizations or personnel;"
-                  },
-                  {
-                    "id": "ma-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"
-                  },
-                  {
-                    "id": "ma-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."
-                  }
-                ]
-              },
-              {
-                "id": "ma-5_gdn",
-                "name": "guidance",
-                "prose": "This control applies to individuals performing hardware or software maintenance on\n               organizational information systems, while PE-2 addresses physical access for\n               individuals whose maintenance duties place them within the physical protection\n               perimeter of the systems (e.g., custodial staff, physical plant maintenance\n               personnel). Technical competence of supervising individuals relates to the\n               maintenance performed on the information systems while having required access\n               authorizations refers to maintenance on and near the systems. Individuals not\n               previously identified as authorized maintenance personnel, such as information\n               technology manufacturers, vendors, systems integrators, and consultants, may require\n               privileged access to organizational information systems, for example, when required\n               to conduct maintenance activities with little or no notice. Based on organizational\n               assessments of risk, organizations may issue temporary credentials to these\n               individuals. Temporary credentials may be for one-time use or for very limited time\n               periods.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "ma-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes a process for maintenance personnel authorization;"
-                      },
-                      {
-                        "id": "ma-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "maintains a list of authorized maintenance organizations or personnel;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-5(b)"
-                      }
-                    ],
-                    "prose": "ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"
-                  },
-                  {
-                    "id": "ma-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-5(c)"
-                      }
-                    ],
-                    "prose": "designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\nlist of authorized personnel\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for authorizing and managing maintenance personnel\\n\\nautomated mechanisms supporting and/or implementing authorization of maintenance\n                  personnel"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "mp",
-        "class": "family",
-        "title": "Media Protection",
-        "controls": [
-          {
-            "id": "mp-1",
-            "class": "SP800-53",
-            "title": "Media Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "mp-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "mp-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "mp-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ mp-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "mp-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A media protection policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "mp-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the media protection policy and\n                     associated media protection controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "mp-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Media protection policy {{ mp-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "mp-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Media protection procedures {{ mp-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "mp-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a media protection policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "mp-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "mp-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the media protection policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "mp-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the media protection policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        media protection policy and associated media protection controls;"
-                          },
-                          {
-                            "id": "mp-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "mp-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current media protection\n                        policy;"
-                          },
-                          {
-                            "id": "mp-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current media protection policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current media protection\n                        procedures; and"
-                          },
-                          {
-                            "id": "mp-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current media protection procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Media protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with media protection responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-2",
-            "class": "SP800-53",
-            "title": "Media Access",
-            "parameters": [
-              {
-                "id": "mp-2_prm_1",
-                "label": "organization-defined types of digital and/or non-digital media"
-              },
-              {
-                "id": "mp-2_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-2_smt",
-                "name": "statement",
-                "prose": "The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."
-              },
-              {
-                "id": "mp-2_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Restricting non-digital media access\n               includes, for example, denying access to patient medical records in a community\n               hospital unless the individuals seeking access to such records are authorized\n               healthcare providers. Restricting access to digital media includes, for example,\n               limiting access to design specifications stored on compact disks in the media library\n               to the project leader and the individuals on the development team.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  }
-                ]
-              },
-              {
-                "id": "mp-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-2_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-2[1]"
-                      }
-                    ],
-                    "prose": "defines types of digital and/or non-digital media requiring restricted access;"
-                  },
-                  {
-                    "id": "mp-2_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-2[2]"
-                      }
-                    ],
-                    "prose": "defines personnel or roles authorized to access organization-defined types of\n                  digital and/or non-digital media; and"
-                  },
-                  {
-                    "id": "mp-2_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-2[3]"
-                      }
-                    ],
-                    "prose": "restricts access to organization-defined types of digital and/or non-digital media\n                  to organization-defined personnel or roles."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media access restrictions\\n\\naccess control policy and procedures\\n\\nphysical and environmental protection policy and procedures\\n\\nmedia storage facilities\\n\\naccess control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for restricting information media\\n\\nautomated mechanisms supporting and/or implementing media access restrictions"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "mp-6",
-            "class": "SP800-53",
-            "title": "Media Sanitization",
-            "parameters": [
-              {
-                "id": "mp-6_prm_1",
-                "label": "organization-defined information system media"
-              },
-              {
-                "id": "mp-6_prm_2",
-                "label": "organization-defined sanitization techniques and procedures"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-06"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              },
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              },
-              {
-                "href": "#a47466c4-c837-4f06-a39f-e68412a5f73d",
-                "rel": "reference",
-                "text": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of\n                  organizational control, or release for reuse using {{ mp-6_prm_2 }}\n                  in accordance with applicable federal and organizational standards and policies;\n                  and"
-                  },
-                  {
-                    "id": "mp-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs sanitization mechanisms with the strength and integrity commensurate with\n                  the security category or classification of the information."
-                  }
-                ]
-              },
-              {
-                "id": "mp-6_gdn",
-                "name": "guidance",
-                "prose": "This control applies to all information system media, both digital and non-digital,\n               subject to disposal or reuse, whether or not the media is considered removable.\n               Examples include media found in scanners, copiers, printers, notebook computers,\n               workstations, network components, and mobile devices. The sanitization process\n               removes information from the media such that the information cannot be retrieved or\n               reconstructed. Sanitization techniques, including clearing, purging, cryptographic\n               erase, and destruction, prevent the disclosure of information to unauthorized\n               individuals when such media is reused or released for disposal. Organizations\n               determine the appropriate sanitization methods recognizing that destruction is\n               sometimes necessary when other methods cannot be applied to media requiring\n               sanitization. Organizations use discretion on the employment of approved sanitization\n               techniques and procedures for media containing information deemed to be in the public\n               domain or publicly releasable, or deemed to have no adverse impact on organizations\n               or individuals if released for reuse or disposal. Sanitization of non-digital media\n               includes, for example, removing a classified appendix from an otherwise unclassified\n               document, or redacting selected sections or words from a document by obscuring the\n               redacted sections/words in a manner equivalent in effectiveness to removing them from\n               the document. NSA standards and policies control the sanitization process for media\n               containing classified information.",
-                "links": [
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-4",
-                    "rel": "related",
-                    "text": "SC-4"
-                  }
-                ]
-              },
-              {
-                "id": "mp-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system media to be sanitized prior to:",
-                        "parts": [
-                          {
-                            "id": "mp-6.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][a]"
-                              }
-                            ],
-                            "prose": "disposal;"
-                          },
-                          {
-                            "id": "mp-6.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][b]"
-                              }
-                            ],
-                            "prose": "release out of organizational control; or"
-                          },
-                          {
-                            "id": "mp-6.a_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][c]"
-                              }
-                            ],
-                            "prose": "release for reuse;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[2]"
-                          }
-                        ],
-                        "prose": "defines sanitization techniques or procedures to be used for sanitizing\n                     organization-defined information system media prior to:",
-                        "parts": [
-                          {
-                            "id": "mp-6.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][a]"
-                              }
-                            ],
-                            "prose": "disposal;"
-                          },
-                          {
-                            "id": "mp-6.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][b]"
-                              }
-                            ],
-                            "prose": "release out of organizational control; or"
-                          },
-                          {
-                            "id": "mp-6.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][c]"
-                              }
-                            ],
-                            "prose": "release for reuse;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[3]"
-                          }
-                        ],
-                        "prose": "sanitizes organization-defined information system media prior to disposal,\n                     release out of organizational control, or release for reuse using\n                     organization-defined sanitization techniques or procedures in accordance with\n                     applicable federal and organizational standards and policies; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-6(b)"
-                      }
-                    ],
-                    "prose": "employs sanitization mechanisms with strength and integrity commensurate with the\n                  security category or classification of the information."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\napplicable federal standards and policies addressing media sanitization\\n\\nmedia sanitization records\\n\\naudit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with media sanitization responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "mp-7",
-            "class": "SP800-53",
-            "title": "Media Use",
-            "parameters": [
-              {
-                "id": "mp-7_prm_1"
-              },
-              {
-                "id": "mp-7_prm_2",
-                "label": "organization-defined types of information system media"
-              },
-              {
-                "id": "mp-7_prm_3",
-                "label": "organization-defined information systems or system components"
-              },
-              {
-                "id": "mp-7_prm_4",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-07"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-7_smt",
-                "name": "statement",
-                "prose": "The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}."
-              },
-              {
-                "id": "mp-7_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers).\n               In contrast to MP-2, which restricts user access to media, this control restricts the\n               use of certain types of media on information systems, for example,\n               restricting/prohibiting the use of flash drives or external hard disk drives.\n               Organizations can employ technical and nontechnical safeguards (e.g., policies,\n               procedures, rules of behavior) to restrict the use of information system media.\n               Organizations may restrict the use of portable storage devices, for example, by using\n               physical cages on workstations to prohibit access to certain external ports, or\n               disabling/removing the ability to insert, read or write to such devices.\n               Organizations may also limit the use of portable storage devices to only approved\n               devices including, for example, devices provided by the organization, devices\n               provided by other approved organizations, and devices that are not personally owned.\n               Finally, organizations may restrict the use of portable storage devices based on the\n               type of device, for example, prohibiting the use of writeable, portable storage\n               devices, and implementing this restriction by disabling or removing the capability to\n               write to such devices.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "mp-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[1]"
-                      }
-                    ],
-                    "prose": "defines types of information system media to be:",
-                    "parts": [
-                      {
-                        "id": "mp-7_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[1][a]"
-                          }
-                        ],
-                        "prose": "restricted on information systems or system components; or"
-                      },
-                      {
-                        "id": "mp-7_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[1][b]"
-                          }
-                        ],
-                        "prose": "prohibited from use on information systems or system components;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[2]"
-                      }
-                    ],
-                    "prose": "defines information systems or system components on which the use of\n                  organization-defined types of information system media is to be one of the\n                  following:",
-                    "parts": [
-                      {
-                        "id": "mp-7_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[2][a]"
-                          }
-                        ],
-                        "prose": "restricted; or"
-                      },
-                      {
-                        "id": "mp-7_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[2][b]"
-                          }
-                        ],
-                        "prose": "prohibited;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[3]"
-                      }
-                    ],
-                    "prose": "defines security safeguards to be employed to restrict or prohibit the use of\n                  organization-defined types of information system media on organization-defined\n                  information systems or system components; and"
-                  },
-                  {
-                    "id": "mp-7_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[4]"
-                      }
-                    ],
-                    "prose": "restricts or prohibits the use of organization-defined information system media on\n                  organization-defined information systems or system components using\n                  organization-defined security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for media use\\n\\nautomated mechanisms restricting or prohibiting use of information system media on\n                  information systems or system components"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "pe",
-        "class": "family",
-        "title": "Physical and Environmental Protection",
-        "controls": [
-          {
-            "id": "pe-1",
-            "class": "SP800-53",
-            "title": "Physical and Environmental Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "pe-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pe-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "pe-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ pe-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "pe-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A physical and environmental protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "pe-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the physical and environmental\n                     protection policy and associated physical and environmental protection\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "pe-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Physical and environmental protection policy {{ pe-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "pe-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Physical and environmental protection procedures {{ pe-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PE\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "pe-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a physical and environmental protection policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "pe-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "pe-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the physical and environmental protection\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "pe-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the physical and environmental protection policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        physical and environmental protection policy and associated physical and\n                        environmental protection controls;"
-                          },
-                          {
-                            "id": "pe-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pe-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current physical and\n                        environmental protection policy;"
-                          },
-                          {
-                            "id": "pe-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current physical and environmental protection policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current physical and\n                        environmental protection procedures; and"
-                          },
-                          {
-                            "id": "pe-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current physical and environmental protection\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical and environmental protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-2",
-            "class": "SP800-53",
-            "title": "Physical Access Authorizations",
-            "parameters": [
-              {
-                "id": "pe-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, approves, and maintains a list of individuals with authorized access to\n                  the facility where the information system resides;"
-                  },
-                  {
-                    "id": "pe-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Issues authorization credentials for facility access;"
-                  },
-                  {
-                    "id": "pe-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the access list detailing authorized facility access by individuals\n                     {{ pe-2_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Removes individuals from the facility access list when access is no longer\n                  required."
-                  }
-                ]
-              },
-              {
-                "id": "pe-2_gdn",
-                "name": "guidance",
-                "prose": "This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Authorization credentials include, for\n               example, badges, identification cards, and smart cards. Organizations determine the\n               strength of authorization credentials needed (including level of forge-proof badges,\n               smart cards, or identification cards) consistent with federal standards, policies,\n               and procedures. This control only applies to areas within facilities that have not\n               been designated as publicly accessible.",
-                "links": [
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[1]"
-                          }
-                        ],
-                        "prose": "develops a list of individuals with authorized access to the facility where the\n                     information system resides;"
-                      },
-                      {
-                        "id": "pe-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[2]"
-                          }
-                        ],
-                        "prose": "approves a list of individuals with authorized access to the facility where the\n                     information system resides;"
-                      },
-                      {
-                        "id": "pe-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[3]"
-                          }
-                        ],
-                        "prose": "maintains a list of individuals with authorized access to the facility where\n                     the information system resides;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(b)"
-                      }
-                    ],
-                    "prose": "issues authorization credentials for facility access;"
-                  },
-                  {
-                    "id": "pe-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the access list detailing authorized facility\n                     access by individuals;"
-                      },
-                      {
-                        "id": "pe-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the access list detailing authorized facility access by individuals\n                     with the organization-defined frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(d)"
-                      }
-                    ],
-                    "prose": "removes individuals from the facility access list when access is no longer\n                  required."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access authorizations\\n\\nsecurity plan\\n\\nauthorized personnel access list\\n\\nauthorization credentials\\n\\nphysical access list reviews\\n\\nphysical access termination records and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access authorization responsibilities\\n\\norganizational personnel with physical access to information system facility\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for physical access authorizations\\n\\nautomated mechanisms supporting and/or implementing physical access\n                  authorizations"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "pe-3",
-            "class": "SP800-53",
-            "title": "Physical Access Control",
-            "parameters": [
-              {
-                "id": "pe-3_prm_1",
-                "label": "organization-defined entry/exit points to the facility where the information\n               system resides"
-              },
-              {
-                "id": "pe-3_prm_2",
-                "constraints": [
-                  {
-                    "detail": "CSP defined physical access control systems/devices AND guards"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_3",
-                "depends-on": "pe-3_prm_2",
-                "label": "organization-defined physical access control systems/devices"
-              },
-              {
-                "id": "pe-3_prm_4",
-                "label": "organization-defined entry/exit points"
-              },
-              {
-                "id": "pe-3_prm_5",
-                "label": "organization-defined security safeguards"
-              },
-              {
-                "id": "pe-3_prm_6",
-                "label": "organization-defined circumstances requiring visitor escorts and\n               monitoring",
-                "constraints": [
-                  {
-                    "detail": "in all circumstances within restricted access area where the information system resides"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_7",
-                "label": "organization-defined physical access devices"
-              },
-              {
-                "id": "pe-3_prm_8",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_9",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-116"
-              },
-              {
-                "href": "#6caa237b-531b-43ac-9711-d8f6b97b0377",
-                "rel": "reference",
-                "text": "ICD 704"
-              },
-              {
-                "href": "#398e33fd-f404-4e5c-b90e-2d50d3181244",
-                "rel": "reference",
-                "text": "ICD 705"
-              },
-              {
-                "href": "#61081e7f-041d-4033-96a7-44a439071683",
-                "rel": "reference",
-                "text": "DoD Instruction 5200.39"
-              },
-              {
-                "href": "#dd2f5acd-08f1-435a-9837-f8203088dc1a",
-                "rel": "reference",
-                "text": "Personal Identity Verification (PIV) in Enterprise\n            Physical Access Control System (E-PACS)"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              },
-              {
-                "href": "#5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-                "rel": "reference",
-                "text": "http://fips201ep.cio.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Enforces physical access authorizations at {{ pe-3_prm_1 }} by;",
-                    "parts": [
-                      {
-                        "id": "pe-3_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Verifying individual access authorizations before granting access to the\n                     facility; and"
-                      },
-                      {
-                        "id": "pe-3_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Maintains physical access audit logs for {{ pe-3_prm_4 }};"
-                  },
-                  {
-                    "id": "pe-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides {{ pe-3_prm_5 }} to control access to areas within the\n                  facility officially designated as publicly accessible;"
-                  },
-                  {
-                    "id": "pe-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};"
-                  },
-                  {
-                    "id": "pe-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Secures keys, combinations, and other physical access devices;"
-                  },
-                  {
-                    "id": "pe-3_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};\n                  and"
-                  },
-                  {
-                    "id": "pe-3_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are\n                  lost, combinations are compromised, or individuals are transferred or\n                  terminated."
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_gdn",
-                "name": "guidance",
-                "prose": "This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Organizations determine the types of\n               facility guards needed including, for example, professional physical security staff\n               or other personnel such as administrative staff or information system users. Physical\n               access devices include, for example, keys, locks, combinations, and card readers.\n               Safeguards for publicly accessible areas within organizational facilities include,\n               for example, cameras, monitoring by guards, and isolating selected information\n               systems and/or system components in secured areas. Physical access control systems\n               comply with applicable federal laws, Executive Orders, directives, policies,\n               regulations, standards, and guidance. The Federal Identity, Credential, and Access\n               Management Program provides implementation guidance for identity, credential, and\n               access management capabilities for physical access control systems. Organizations\n               have flexibility in the types of audit logs employed. Audit logs can be procedural\n               (e.g., a written log of individuals accessing the facility and when such access\n               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination\n               thereof. Physical access points can include facility access points, interior access\n               points to information systems and/or components requiring supplemental access\n               controls, or both. Components of organizational information systems (e.g.,\n               workstations, terminals) may be located in areas designated as publicly accessible\n               with organizations safeguarding access to such devices.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#pe-5",
-                    "rel": "related",
-                    "text": "PE-5"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines entry/exit points to the facility where the information system\n                     resides;"
-                      },
-                      {
-                        "id": "pe-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(a)[2]"
-                          }
-                        ],
-                        "prose": "enforces physical access authorizations at organization-defined entry/exit\n                     points to the facility where the information system resides by:",
-                        "parts": [
-                          {
-                            "id": "pe-3.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(a)[2](1)"
-                              }
-                            ],
-                            "prose": "verifying individual access authorizations before granting access to the\n                        facility;"
-                          },
-                          {
-                            "id": "pe-3.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(a)[2](2)"
-                              }
-                            ],
-                            "parts": [
-                              {
-                                "id": "pe-3.a.2_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-3(a)[2](2)[a]"
-                                  }
-                                ],
-                                "prose": "defining physical access control systems/devices to be employed to\n                           control ingress/egress to the facility where the information system\n                           resides;"
-                              },
-                              {
-                                "id": "pe-3.a.2_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-3(a)[2](2)[b]"
-                                  }
-                                ],
-                                "prose": "using one or more of the following ways to control ingress/egress to the\n                           facility:",
-                                "parts": [
-                                  {
-                                    "id": "pe-3.a.2_obj.2.b.1",
-                                    "name": "objective",
-                                    "properties": [
-                                      {
-                                        "name": "label",
-                                        "value": "PE-3(a)[2](2)[b][1]"
-                                      }
-                                    ],
-                                    "prose": "organization-defined physical access control systems/devices;\n                              and/or"
-                                  },
-                                  {
-                                    "id": "pe-3.a.2_obj.2.b.2",
-                                    "name": "objective",
-                                    "properties": [
-                                      {
-                                        "name": "label",
-                                        "value": "PE-3(a)[2](2)[b][2]"
-                                      }
-                                    ],
-                                    "prose": "guards;"
-                                  }
-                                ]
-                              }
-                            ]
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines entry/exit points for which physical access audit logs are to be\n                     maintained;"
-                      },
-                      {
-                        "id": "pe-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(b)[2]"
-                          }
-                        ],
-                        "prose": "maintains physical access audit logs for organization-defined entry/exit\n                     points;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed to control access to areas within\n                     the facility officially designated as publicly accessible;"
-                      },
-                      {
-                        "id": "pe-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides organization-defined security safeguards to control access to areas\n                     within the facility officially designated as publicly accessible;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(d)[1]"
-                          }
-                        ],
-                        "prose": "defines circumstances requiring visitor:",
-                        "parts": [
-                          {
-                            "id": "pe-3.d_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[1][a]"
-                              }
-                            ],
-                            "prose": "escorts;"
-                          },
-                          {
-                            "id": "pe-3.d_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[1][b]"
-                              }
-                            ],
-                            "prose": "monitoring;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(d)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with organization-defined circumstances requiring visitor escorts\n                     and monitoring:",
-                        "parts": [
-                          {
-                            "id": "pe-3.d_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[2][a]"
-                              }
-                            ],
-                            "prose": "escorts visitors;"
-                          },
-                          {
-                            "id": "pe-3.d_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[2][b]"
-                              }
-                            ],
-                            "prose": "monitors visitor activities;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[1]"
-                          }
-                        ],
-                        "prose": "secures keys;"
-                      },
-                      {
-                        "id": "pe-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[2]"
-                          }
-                        ],
-                        "prose": "secures combinations;"
-                      },
-                      {
-                        "id": "pe-3.e_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[3]"
-                          }
-                        ],
-                        "prose": "secures other physical access devices;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[1]"
-                          }
-                        ],
-                        "prose": "defines physical access devices to be inventoried;"
-                      },
-                      {
-                        "id": "pe-3.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to inventory organization-defined physical access\n                     devices;"
-                      },
-                      {
-                        "id": "pe-3.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[3]"
-                          }
-                        ],
-                        "prose": "inventories the organization-defined physical access devices with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(g)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to change combinations and keys; and"
-                      },
-                      {
-                        "id": "pe-3.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(g)[2]"
-                          }
-                        ],
-                        "prose": "changes combinations and keys with the organization-defined frequency and/or\n                     when:",
-                        "parts": [
-                          {
-                            "id": "pe-3.g_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][a]"
-                              }
-                            ],
-                            "prose": "keys are lost;"
-                          },
-                          {
-                            "id": "pe-3.g_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][b]"
-                              }
-                            ],
-                            "prose": "combinations are compromised;"
-                          },
-                          {
-                            "id": "pe-3.g_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][c]"
-                              }
-                            ],
-                            "prose": "individuals are transferred or terminated."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nsecurity plan\\n\\nphysical access control logs or records\\n\\ninventory records of physical access control devices\\n\\ninformation system entry and exit points\\n\\nrecords of key and lock combination changes\\n\\nstorage locations for physical access control devices\\n\\nphysical access control devices\\n\\nlist of security safeguards controlling access to designated publicly accessible\n                  areas within facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for physical access control\\n\\nautomated mechanisms supporting and/or implementing physical access control\\n\\nphysical access control devices"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "pe-6",
-            "class": "SP800-53",
-            "title": "Monitoring Physical Access",
-            "parameters": [
-              {
-                "id": "pe-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_prm_2",
-                "label": "organization-defined events or potential indications of events"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-06"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"
-                  },
-                  {
-                    "id": "pe-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence\n                  of {{ pe-6_prm_2 }}; and"
-                  },
-                  {
-                    "id": "pe-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Coordinates results of reviews and investigations with the organizational incident\n                  response capability."
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_gdn",
-                "name": "guidance",
-                "prose": "Organizational incident response capabilities include investigations of and responses\n               to detected physical security incidents. Security incidents include, for example,\n               apparent security violations or suspicious physical access activities. Suspicious\n               physical access activities include, for example: (i) accesses outside of normal work\n               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for\n               unusual lengths of time; and (iv) out-of-sequence accesses.",
-                "links": [
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-6(a)"
-                      }
-                    ],
-                    "prose": "monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"
-                  },
-                  {
-                    "id": "pe-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review physical access logs;"
-                      },
-                      {
-                        "id": "pe-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[2]"
-                          }
-                        ],
-                        "prose": "defines events or potential indication of events requiring physical access logs\n                     to be reviewed;"
-                      },
-                      {
-                        "id": "pe-6.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[3]"
-                          }
-                        ],
-                        "prose": "reviews physical access logs with the organization-defined frequency and upon\n                     occurrence of organization-defined events or potential indications of events;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-6(c)"
-                      }
-                    ],
-                    "prose": "coordinates results of reviews and investigations with the organizational incident\n                  response capability."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring physical access\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\\n\\nautomated mechanisms supporting and/or implementing reviewing of physical access\n                  logs"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "pe-8",
-            "class": "SP800-53",
-            "title": "Visitor Access Records",
-            "parameters": [
-              {
-                "id": "pe-8_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "for a minimum of one (1) year"
-                  }
-                ]
-              },
-              {
-                "id": "pe-8_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-08"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Maintains visitor access records to the facility where the information system\n                  resides for {{ pe-8_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews visitor access records {{ pe-8_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "pe-8_gdn",
-                "name": "guidance",
-                "prose": "Visitor access records include, for example, names and organizations of persons\n               visiting, visitor signatures, forms of identification, dates of access, entry and\n               departure times, purposes of visits, and names and organizations of persons visited.\n               Visitor access records are not required for publicly accessible areas."
-              },
-              {
-                "id": "pe-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-8(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period to maintain visitor access records to the facility\n                     where the information system resides;"
-                      },
-                      {
-                        "id": "pe-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-8(a)[2]"
-                          }
-                        ],
-                        "prose": "maintains visitor access records to the facility where the information system\n                     resides for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review visitor access records; and"
-                      },
-                      {
-                        "id": "pe-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews visitor access records with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nsecurity plan\\n\\nvisitor access control logs or records\\n\\nvisitor access record or log reviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for maintaining and reviewing visitor access records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                  visitor access records"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "pe-12",
-            "class": "SP800-53",
-            "title": "Emergency Lighting",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-12"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-12_smt",
-                "name": "statement",
-                "prose": "The organization employs and maintains automatic emergency lighting for the\n               information system that activates in the event of a power outage or disruption and\n               that covers emergency exits and evacuation routes within the facility."
-              },
-              {
-                "id": "pe-12_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "pe-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization employs and maintains automatic emergency lighting for\n               the information system that: ",
-                "parts": [
-                  {
-                    "id": "pe-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-12[1]"
-                      }
-                    ],
-                    "prose": "activates in the event of a power outage or disruption; and"
-                  },
-                  {
-                    "id": "pe-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-12[2]"
-                      }
-                    ],
-                    "prose": "covers emergency exits and evacuation routes within the facility."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing emergency lighting\\n\\nemergency lighting documentation\\n\\nemergency lighting test records\\n\\nemergency exits and evacuation routes\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for emergency lighting and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing emergency lighting\n                  capability"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "pe-13",
-            "class": "SP800-53",
-            "title": "Fire Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-13"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-13"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-13_smt",
-                "name": "statement",
-                "prose": "The organization employs and maintains fire suppression and detection devices/systems\n               for the information system that are supported by an independent energy source."
-              },
-              {
-                "id": "pe-13_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Fire suppression and detection devices/systems include, for example,\n               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke\n               detectors."
-              },
-              {
-                "id": "pe-13_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-13_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-13[1]"
-                      }
-                    ],
-                    "prose": "employs fire suppression and detection devices/systems for the information system\n                  that are supported by an independent energy source; and"
-                  },
-                  {
-                    "id": "pe-13_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-13[2]"
-                      }
-                    ],
-                    "prose": "maintains fire suppression and detection devices/systems for the information\n                  system that are supported by an independent energy source."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for fire detection and suppression\n                  devices/systems\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing fire suppression/detection\n                  devices/systems"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "pe-14",
-            "class": "SP800-53",
-            "title": "Temperature and Humidity Controls",
-            "parameters": [
-              {
-                "id": "pe-14_prm_1",
-                "label": "organization-defined acceptable levels",
-                "constraints": [
-                  {
-                    "detail": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "continuously"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-14"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-14"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-14_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-14_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Maintains temperature and humidity levels within the facility where the\n                  information system resides at {{ pe-14_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-14_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Monitors temperature and humidity levels {{ pe-14_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources, for example, data centers, server rooms, and mainframe computer\n               rooms.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-14.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-14(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-14.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[1]"
-                          }
-                        ],
-                        "prose": "defines acceptable temperature levels to be maintained within the facility\n                     where the information system resides;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[2]"
-                          }
-                        ],
-                        "prose": "defines acceptable humidity levels to be maintained within the facility where\n                     the information system resides;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[3]"
-                          }
-                        ],
-                        "prose": "maintains temperature levels within the facility where the information system\n                     resides at the organization-defined levels;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[4]"
-                          }
-                        ],
-                        "prose": "maintains humidity levels within the facility where the information system\n                     resides at the organization-defined levels;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-14.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-14(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-14.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to monitor temperature levels;"
-                      },
-                      {
-                        "id": "pe-14.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to monitor humidity levels;"
-                      },
-                      {
-                        "id": "pe-14.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[3]"
-                          }
-                        ],
-                        "prose": "monitors temperature levels with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "pe-14.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[4]"
-                          }
-                        ],
-                        "prose": "monitors humidity levels with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity control\\n\\nsecurity plan\\n\\ntemperature and humidity controls\\n\\nfacility housing the information system\\n\\ntemperature and humidity controls documentation\\n\\ntemperature and humidity records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing maintenance and monitoring of\n                  temperature and humidity levels"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              },
-              {
-                "id": "pe-14_fr",
-                "name": "item",
-                "title": "PE-14(a) Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "pe-14_fr_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "(a) Requirement:"
-                      }
-                    ],
-                    "prose": "The service provider measures temperature at server inlets and humidity levels\n                     by dew point."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-15",
-            "class": "SP800-53",
-            "title": "Water Damage Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-15"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-15_smt",
-                "name": "statement",
-                "prose": "The organization protects the information system from damage resulting from water\n               leakage by providing master shutoff or isolation valves that are accessible, working\n               properly, and known to key personnel."
-              },
-              {
-                "id": "pe-15_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Isolation valves can be employed in addition to or in lieu of master\n               shutoff valves to shut off water supplies in specific areas of concern, without\n               affecting entire organizations.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-15_obj",
-                "name": "objective",
-                "prose": "Determine if the organization protects the information system from damage resulting\n               from water leakage by providing master shutoff or isolation valves that are: ",
-                "parts": [
-                  {
-                    "id": "pe-15_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[1]"
-                      }
-                    ],
-                    "prose": "accessible;"
-                  },
-                  {
-                    "id": "pe-15_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[2]"
-                      }
-                    ],
-                    "prose": "working properly; and"
-                  },
-                  {
-                    "id": "pe-15_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[3]"
-                      }
-                    ],
-                    "prose": "known to key personnel."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nmaster shutoff valves\\n\\nlist of key personnel with knowledge of location and activation procedures for\n                  master shutoff valves for the plumbing system\\n\\nmaster shutoff valve documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Master water-shutoff valves\\n\\norganizational process for activating master water-shutoff"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          },
-          {
-            "id": "pe-16",
-            "class": "SP800-53",
-            "title": "Delivery and Removal",
-            "parameters": [
-              {
-                "id": "pe-16_prm_1",
-                "label": "organization-defined types of information system components",
-                "constraints": [
-                  {
-                    "detail": "all information system components"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-16"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-16"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-16_smt",
-                "name": "statement",
-                "prose": "The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}\n               entering and exiting the facility and maintains records of those items."
-              },
-              {
-                "id": "pe-16_gdn",
-                "name": "guidance",
-                "prose": "Effectively enforcing authorizations for entry and exit of information system\n               components may require restricting access to delivery areas and possibly isolating\n               the areas from the information system and media libraries.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "pe-16_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-16_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[1]"
-                      }
-                    ],
-                    "prose": "defines types of information system components to be authorized, monitored, and\n                  controlled as such components are entering and exiting the facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[2]"
-                      }
-                    ],
-                    "prose": "authorizes organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[3]"
-                      }
-                    ],
-                    "prose": "monitors organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[4]"
-                      }
-                    ],
-                    "prose": "controls organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[5]"
-                      }
-                    ],
-                    "prose": "authorizes organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[6]"
-                      }
-                    ],
-                    "prose": "monitors organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.7",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[7]"
-                      }
-                    ],
-                    "prose": "controls organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.8",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[8]"
-                      }
-                    ],
-                    "prose": "maintains records of information system components entering the facility; and"
-                  },
-                  {
-                    "id": "pe-16_obj.9",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-16[9]"
-                      }
-                    ],
-                    "prose": "maintains records of information system components exiting the facility."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing delivery and removal of information system components from\n                  the facility\\n\\nsecurity plan\\n\\nfacility housing the information system\\n\\nrecords of items entering and exiting the facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for controlling information system\n                  components entering and exiting the facility\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for authorizing, monitoring, and controlling information\n                  system-related items entering and exiting the facility\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling information system-related items entering and exiting the facility"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "pl",
-        "class": "family",
-        "title": "Planning",
-        "controls": [
-          {
-            "id": "pl-1",
-            "class": "SP800-53",
-            "title": "Security Planning Policy and Procedures",
-            "parameters": [
-              {
-                "id": "pl-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pl-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "pl-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PL-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ pl-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "pl-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "pl-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security planning policy and\n                     associated security planning controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "pl-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security planning policy {{ pl-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "pl-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security planning procedures {{ pl-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PL\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "pl-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a planning policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "pl-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "pl-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the planning policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pl-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the planning policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pl-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        planning policy and associated planning controls;"
-                          },
-                          {
-                            "id": "pl-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pl-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current planning policy;"
-                          },
-                          {
-                            "id": "pl-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current planning policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pl-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current planning procedures;\n                        and"
-                          },
-                          {
-                            "id": "pl-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current planning procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Planning policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-2",
-            "class": "SP800-53",
-            "title": "System Security Plan",
-            "parameters": [
-              {
-                "id": "pl-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pl-2_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PL-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a security plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Is consistent with the organization’s enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Explicitly defines the authorization boundary for the system;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Describes the operational context of the information system in terms of\n                     missions and business processes;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Provides the security categorization of the information system including\n                     supporting rationale;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Provides an overview of the security requirements for the system;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.7",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "7."
-                          }
-                        ],
-                        "prose": "Identifies any relevant overlays, if applicable;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.8",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "8."
-                          }
-                        ],
-                        "prose": "Describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring decisions; and"
-                      },
-                      {
-                        "id": "pl-2_smt.a.9",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "9."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the security plan and communicates subsequent changes to the\n                  plan to {{ pl-2_prm_1 }};"
-                  },
-                  {
-                    "id": "pl-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the security plan for the information system {{ pl-2_prm_2 }};"
-                  },
-                  {
-                    "id": "pl-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Updates the plan to address changes to the information system/environment of\n                  operation or problems identified during plan implementation or security control\n                  assessments; and"
-                  },
-                  {
-                    "id": "pl-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Protects the security plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "id": "pl-2_gdn",
-                "name": "guidance",
-                "prose": "Security plans relate security requirements to a set of security controls and control\n               enhancements. Security plans also describe, at a high level, how the security\n               controls and control enhancements meet those security requirements, but do not\n               provide detailed, technical descriptions of the specific design or implementation of\n               the controls/enhancements. Security plans contain sufficient information (including\n               the specification of parameter values for assignment and selection statements either\n               explicitly or by reference) to enable a design and implementation that is\n               unambiguously compliant with the intent of the plans and subsequent determinations of\n               risk to organizational operations and assets, individuals, other organizations, and\n               the Nation if the plan is implemented as intended. Organizations can also apply\n               tailoring guidance to the security control baselines in Appendix D and CNSS\n               Instruction 1253 to develop overlays for community-wide use or to address specialized\n               requirements, technologies, or missions/environments of operation (e.g.,\n               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and\n               Access Management, space operations). Appendix I provides guidance on developing\n               overlays. Security plans need not be single documents; the plans can be a collection\n               of various documents including documents that already exist. Effective security plans\n               make extensive use of references to policies, procedures, and additional documents\n               (e.g., design and implementation specifications) where more detailed information can\n               be obtained. This reduces the documentation requirements associated with security\n               programs and maintains security-related information in other established\n               management/operational areas related to enterprise architecture, system development\n               life cycle, systems engineering, and acquisition. For example, security plans do not\n               contain detailed contingency plan or incident response plan information but instead\n               provide explicitly or by reference, sufficient information to define what needs to be\n               accomplished by those plans.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pl-7",
-                    "rel": "related",
-                    "text": "PL-7"
-                  },
-                  {
-                    "href": "#pm-1",
-                    "rel": "related",
-                    "text": "PM-1"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#pm-8",
-                    "rel": "related",
-                    "text": "PM-8"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-17",
-                    "rel": "related",
-                    "text": "SA-17"
-                  }
-                ]
-              },
-              {
-                "id": "pl-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(a)"
-                      }
-                    ],
-                    "prose": "develops a security plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(1)"
-                          }
-                        ],
-                        "prose": "is consistent with the organization’s enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(2)"
-                          }
-                        ],
-                        "prose": "explicitly defines the authorization boundary for the system;"
-                      },
-                      {
-                        "id": "pl-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(3)"
-                          }
-                        ],
-                        "prose": "describes the operational context of the information system in terms of\n                     missions and business processes;"
-                      },
-                      {
-                        "id": "pl-2.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(4)"
-                          }
-                        ],
-                        "prose": "provides the security categorization of the information system including\n                     supporting rationale;"
-                      },
-                      {
-                        "id": "pl-2.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(5)"
-                          }
-                        ],
-                        "prose": "describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"
-                      },
-                      {
-                        "id": "pl-2.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(6)"
-                          }
-                        ],
-                        "prose": "provides an overview of the security requirements for the system;"
-                      },
-                      {
-                        "id": "pl-2.a.7_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(7)"
-                          }
-                        ],
-                        "prose": "identifies any relevant overlays, if applicable;"
-                      },
-                      {
-                        "id": "pl-2.a.8_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(8)"
-                          }
-                        ],
-                        "prose": "describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring and supplemental\n                     decisions;"
-                      },
-                      {
-                        "id": "pl-2.a.9_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(9)"
-                          }
-                        ],
-                        "prose": "is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom copies of the security plan are to be\n                     distributed and subsequent changes to the plan are to be communicated;"
-                      },
-                      {
-                        "id": "pl-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the security plan and communicates subsequent changes to\n                     the plan to organization-defined personnel or roles;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the security plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "pl-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the security plan for the information system with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(d)"
-                      }
-                    ],
-                    "prose": "updates the plan to address:",
-                    "parts": [
-                      {
-                        "id": "pl-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[1]"
-                          }
-                        ],
-                        "prose": "changes to the information system/environment of operation;"
-                      },
-                      {
-                        "id": "pl-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[2]"
-                          }
-                        ],
-                        "prose": "problems identified during plan implementation;"
-                      },
-                      {
-                        "id": "pl-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[3]"
-                          }
-                        ],
-                        "prose": "problems identified during security control assessments;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(e)"
-                      }
-                    ],
-                    "prose": "protects the security plan from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "pl-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(e)[1]"
-                          }
-                        ],
-                        "prose": "disclosure; and"
-                      },
-                      {
-                        "id": "pl-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(e)[2]"
-                          }
-                        ],
-                        "prose": "modification."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing security plan development and implementation\\n\\nprocedures addressing security plan reviews and updates\\n\\nenterprise architecture documentation\\n\\nsecurity plan for the information system\\n\\nrecords of security plan reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security plan development/review/update/approval\\n\\nautomated mechanisms supporting the information system security plan"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-4",
-            "class": "SP800-53",
-            "title": "Rules of Behavior",
-            "parameters": [
-              {
-                "id": "pl-4_prm_1",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PL-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and makes readily available to individuals requiring access to the\n                  information system, the rules that describe their responsibilities and expected\n                  behavior with regard to information and information system usage;"
-                  },
-                  {
-                    "id": "pl-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Receives a signed acknowledgment from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"
-                  },
-                  {
-                    "id": "pl-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pl-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Requires individuals who have signed a previous version of the rules of behavior\n                  to read and re-sign when the rules of behavior are revised/updated."
-                  }
-                ]
-              },
-              {
-                "id": "pl-4_gdn",
-                "name": "guidance",
-                "prose": "This control enhancement applies to organizational users. Organizations consider\n               rules of behavior based on individual user roles and responsibilities,\n               differentiating, for example, between rules that apply to privileged users and rules\n               that apply to general users. Establishing rules of behavior for some types of\n               non-organizational users including, for example, individuals who simply receive\n               data/information from federal information systems, is often not feasible given the\n               large number of such users and the limited nature of their interactions with the\n               systems. Rules of behavior for both organizational and non-organizational users can\n               also be established in AC-8, System Use Notification. PL-4 b. (the signed\n               acknowledgment portion of this control) may be satisfied by the security awareness\n               training and role-based security training programs conducted by organizations if such\n               training includes rules of behavior. Organizations can use electronic signatures for\n               acknowledging rules of behavior.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-8",
-                    "rel": "related",
-                    "text": "AC-8"
-                  },
-                  {
-                    "href": "#ac-9",
-                    "rel": "related",
-                    "text": "AC-9"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#mp-7",
-                    "rel": "related",
-                    "text": "MP-7"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#ps-8",
-                    "rel": "related",
-                    "text": "PS-8"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  }
-                ]
-              },
-              {
-                "id": "pl-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-4(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes, for individuals requiring access to the information system, the\n                     rules that describe their responsibilities and expected behavior with regard to\n                     information and information system usage;"
-                      },
-                      {
-                        "id": "pl-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-4(a)[2]"
-                          }
-                        ],
-                        "prose": "makes readily available to individuals requiring access to the information\n                     system, the rules that describe their responsibilities and expected behavior\n                     with regard to information and information system usage;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(b)"
-                      }
-                    ],
-                    "prose": "receives a signed acknowledgement from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"
-                  },
-                  {
-                    "id": "pl-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-4(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the rules of behavior;"
-                      },
-                      {
-                        "id": "pl-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-4(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the rules of behavior with the organization-defined\n                     frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(d)"
-                      }
-                    ],
-                    "prose": "requires individuals who have signed a previous version of the rules of behavior\n                  to read and resign when the rules of behavior are revised/updated."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nsigned acknowledgements\\n\\nrecords for rules of behavior reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for establishing, reviewing, and\n                  updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                  have signed and resigned rules of behavior\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for establishing, reviewing, disseminating, and updating\n                  rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment, review,\n                  dissemination, and update of rules of behavior"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ps",
-        "class": "family",
-        "title": "Personnel Security",
-        "controls": [
-          {
-            "id": "ps-1",
-            "class": "SP800-53",
-            "title": "Personnel Security Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ps-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ps-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ps-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ps-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A personnel security policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ps-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the personnel security policy\n                     and associated personnel security controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ps-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Personnel security policy {{ ps-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ps-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Personnel security procedures {{ ps-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PS\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an personnel security policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ps-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ps-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the personnel security policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ps-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the personnel security policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        personnel security policy and associated personnel security controls;"
-                          },
-                          {
-                            "id": "ps-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ps-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current personnel security\n                        policy;"
-                          },
-                          {
-                            "id": "ps-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current personnel security policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current personnel security\n                        procedures; and"
-                          },
-                          {
-                            "id": "ps-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current personnel security procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-2",
-            "class": "SP800-53",
-            "title": "Position Risk Designation",
-            "parameters": [
-              {
-                "id": "ps-2_prm_1",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "FED"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-                "rel": "reference",
-                "text": "5 C.F.R. 731.106"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Assigns a risk designation to all organizational positions;"
-                  },
-                  {
-                    "id": "ps-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishes screening criteria for individuals filling those positions; and"
-                  },
-                  {
-                    "id": "ps-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates position risk designations {{ ps-2_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-2_gdn",
-                "name": "guidance",
-                "prose": "Position risk designations reflect Office of Personnel Management policy and\n               guidance. Risk designations can guide and inform the types of authorizations\n               individuals receive when accessing organizational information and information\n               systems. Position screening criteria include explicit information security role\n               appointment requirements (e.g., training, security clearances).",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  }
-                ]
-              },
-              {
-                "id": "ps-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-2(a)"
-                      }
-                    ],
-                    "prose": "assigns a risk designation to all organizational positions;"
-                  },
-                  {
-                    "id": "ps-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-2(b)"
-                      }
-                    ],
-                    "prose": "establishes screening criteria for individuals filling those positions;"
-                  },
-                  {
-                    "id": "ps-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update position risk designations; and"
-                      },
-                      {
-                        "id": "ps-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates position risk designations with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing position categorization\\n\\nappropriate codes of federal regulations\\n\\nlist of risk designations for organizational positions\\n\\nsecurity plan\\n\\nrecords of position risk designation reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for assigning, reviewing, and updating position risk\n                  designations\\n\\norganizational processes for establishing screening criteria"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-3",
-            "class": "SP800-53",
-            "title": "Personnel Screening",
-            "parameters": [
-              {
-                "id": "ps-3_prm_1",
-                "label": "organization-defined conditions requiring rescreening and, where rescreening is\n               so indicated, the frequency of such rescreening",
-                "constraints": [
-                  {
-                    "detail": "For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions."
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-                "rel": "reference",
-                "text": "5 C.F.R. 731.106"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#6caa237b-531b-43ac-9711-d8f6b97b0377",
-                "rel": "reference",
-                "text": "ICD 704"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Screens individuals prior to authorizing access to the information system; and"
-                  },
-                  {
-                    "id": "ps-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Rescreens individuals according to {{ ps-3_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-3_gdn",
-                "name": "guidance",
-                "prose": "Personnel screening and rescreening activities reflect applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, guidance, and\n               specific criteria established for the risk designations of assigned positions.\n               Organizations may define different rescreening conditions and frequencies for\n               personnel accessing information systems based on types of information processed,\n               stored, or transmitted by the systems.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  }
-                ]
-              },
-              {
-                "id": "ps-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-3(a)"
-                      }
-                    ],
-                    "prose": "screens individuals prior to authorizing access to the information system;"
-                  },
-                  {
-                    "id": "ps-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines conditions requiring re-screening;"
-                      },
-                      {
-                        "id": "ps-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency of re-screening where it is so indicated; and"
-                      },
-                      {
-                        "id": "ps-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[3]"
-                          }
-                        ],
-                        "prose": "re-screens individuals in accordance with organization-defined conditions\n                     requiring re-screening and, where re-screening is so indicated, with the\n                     organization-defined frequency of such re-screening."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel screening"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-4",
-            "class": "SP800-53",
-            "title": "Personnel Termination",
-            "parameters": [
-              {
-                "id": "ps-4_prm_1",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "ps-4_prm_2",
-                "label": "organization-defined information security topics"
-              },
-              {
-                "id": "ps-4_prm_3",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-4_prm_4",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-4_smt",
-                "name": "statement",
-                "prose": "The organization, upon termination of individual employment:",
-                "parts": [
-                  {
-                    "id": "ps-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Disables information system access within {{ ps-4_prm_1 }};"
-                  },
-                  {
-                    "id": "ps-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Terminates/revokes any authenticators/credentials associated with the\n                  individual;"
-                  },
-                  {
-                    "id": "ps-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};"
-                  },
-                  {
-                    "id": "ps-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Retrieves all security-related organizational information system-related\n                  property;"
-                  },
-                  {
-                    "id": "ps-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Retains access to organizational information and information systems formerly\n                  controlled by terminated individual; and"
-                  },
-                  {
-                    "id": "ps-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_gdn",
-                "name": "guidance",
-                "prose": "Information system-related property includes, for example, hardware authentication\n               tokens, system administration technical manuals, keys, identification cards, and\n               building passes. Exit interviews ensure that terminated individuals understand the\n               security constraints imposed by being former employees and that proper accountability\n               is achieved for information system-related property. Security topics of interest at\n               exit interviews can include, for example, reminding terminated individuals of\n               nondisclosure agreements and potential limitations on future employment. Exit\n               interviews may not be possible for some terminated individuals, for example, in cases\n               related to job abandonment, illnesses, and nonavailability of supervisors. Exit\n               interviews are important for individuals with security clearances. Timely execution\n               of termination actions is essential for individuals terminated for cause. In certain\n               situations, organizations consider disabling the information system accounts of\n               individuals that are being terminated prior to the individuals being notified.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization, upon termination of individual employment,:",
-                "parts": [
-                  {
-                    "id": "ps-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which to disable information system access;"
-                      },
-                      {
-                        "id": "ps-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-4(a)[2]"
-                          }
-                        ],
-                        "prose": "disables information system access within the organization-defined time\n                     period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(b)"
-                      }
-                    ],
-                    "prose": "terminates/revokes any authenticators/credentials associated with the\n                  individual;"
-                  },
-                  {
-                    "id": "ps-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-4(c)[1]"
-                          }
-                        ],
-                        "prose": "defines information security topics to be discussed when conducting exit\n                     interviews;"
-                      },
-                      {
-                        "id": "ps-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-4(c)[2]"
-                          }
-                        ],
-                        "prose": "conducts exit interviews that include a discussion of organization-defined\n                     information security topics;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(d)"
-                      }
-                    ],
-                    "prose": "retrieves all security-related organizational information system-related\n                  property;"
-                  },
-                  {
-                    "id": "ps-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(e)"
-                      }
-                    ],
-                    "prose": "retains access to organizational information and information systems formerly\n                  controlled by the terminated individual;"
-                  },
-                  {
-                    "id": "ps-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified of the termination;"
-                      },
-                      {
-                        "id": "ps-4.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to notify organization-defined personnel\n                     or roles; and"
-                      },
-                      {
-                        "id": "ps-4.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\nrecords of personnel termination actions\\n\\nlist of information system accounts\\n\\nrecords of terminated or revoked authenticators/credentials\\n\\nrecords of exit interviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-5",
-            "class": "SP800-53",
-            "title": "Personnel Transfer",
-            "parameters": [
-              {
-                "id": "ps-5_prm_1",
-                "label": "organization-defined transfer or reassignment actions"
-              },
-              {
-                "id": "ps-5_prm_2",
-                "label": "organization-defined time period following the formal transfer action"
-              },
-              {
-                "id": "ps-5_prm_3",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-5_prm_4",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Reviews and confirms ongoing operational need for current logical and physical\n                  access authorizations to information systems/facilities when individuals are\n                  reassigned or transferred to other positions within the organization;"
-                  },
-                  {
-                    "id": "ps-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"
-                  },
-                  {
-                    "id": "ps-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer; and"
-                  },
-                  {
-                    "id": "ps-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_gdn",
-                "name": "guidance",
-                "prose": "This control applies when reassignments or transfers of individuals are permanent or\n               of such extended durations as to make the actions warranted. Organizations define\n               actions appropriate for the types of reassignments or transfers, whether permanent or\n               extended. Actions that may be required for personnel transfers or reassignments to\n               other positions within organizations include, for example: (i) returning old and\n               issuing new keys, identification cards, and building passes; (ii) closing information\n               system accounts and establishing new accounts; (iii) changing information system\n               access authorizations (i.e., privileges); and (iv) providing for access to official\n               records to which individuals had access at previous work locations and in previous\n               information system accounts.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(a)"
-                      }
-                    ],
-                    "prose": "when individuals are reassigned or transferred to other positions within the\n                  organization, reviews and confirms ongoing operational need for current:",
-                    "parts": [
-                      {
-                        "id": "ps-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-5(a)[1]"
-                          }
-                        ],
-                        "prose": "logical access authorizations to information systems;"
-                      },
-                      {
-                        "id": "ps-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-5(a)[2]"
-                          }
-                        ],
-                        "prose": "physical access authorizations to information systems and facilities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[1]"
-                          }
-                        ],
-                        "prose": "defines transfer or reassignment actions to be initiated following transfer or\n                     reassignment;"
-                      },
-                      {
-                        "id": "ps-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which transfer or reassignment actions must\n                     occur following transfer or reassignment;"
-                      },
-                      {
-                        "id": "ps-5.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[3]"
-                          }
-                        ],
-                        "prose": "initiates organization-defined transfer or reassignment actions within the\n                     organization-defined time period following transfer or reassignment;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(c)"
-                      }
-                    ],
-                    "prose": "modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer;"
-                  },
-                  {
-                    "id": "ps-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified when individuals are reassigned or\n                     transferred to other positions within the organization;"
-                      },
-                      {
-                        "id": "ps-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to notify organization-defined personnel\n                     or roles when individuals are reassigned or transferred to other positions\n                     within the organization; and"
-                      },
-                      {
-                        "id": "ps-5.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period when individuals are reassigned or transferred\n                     to other positions within the organization."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel transfer\\n\\nsecurity plan\\n\\nrecords of personnel transfer actions\\n\\nlist of information system and facility access authorizations\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities organizational\n                  personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel transfer\\n\\nautomated mechanisms supporting and/or implementing personnel transfer\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-6",
-            "class": "SP800-53",
-            "title": "Access Agreements",
-            "parameters": [
-              {
-                "id": "ps-6_prm_1",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ps-6_prm_2",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-06"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops and documents access agreements for organizational information\n                  systems;"
-                  },
-                  {
-                    "id": "ps-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the access agreements {{ ps-6_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ps-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that individuals requiring access to organizational information and\n                  information systems:",
-                    "parts": [
-                      {
-                        "id": "ps-6_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Sign appropriate access agreements prior to being granted access; and"
-                      },
-                      {
-                        "id": "ps-6_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Re-sign access agreements to maintain access to organizational information\n                     systems when access agreements have been updated or {{ ps-6_prm_2 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_gdn",
-                "name": "guidance",
-                "prose": "Access agreements include, for example, nondisclosure agreements, acceptable use\n               agreements, rules of behavior, and conflict-of-interest agreements. Signed access\n               agreements include an acknowledgement that individuals have read, understand, and\n               agree to abide by the constraints associated with organizational information systems\n               to which access is authorized. Organizations can use electronic signatures to\n               acknowledge access agreements unless specifically prohibited by organizational\n               policy.",
-                "links": [
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  },
-                  {
-                    "href": "#ps-8",
-                    "rel": "related",
-                    "text": "PS-8"
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(a)"
-                      }
-                    ],
-                    "prose": "develops and documents access agreements for organizational information\n                  systems;"
-                  },
-                  {
-                    "id": "ps-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the access agreements;"
-                      },
-                      {
-                        "id": "ps-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the access agreements with the organization-defined\n                     frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-6.c.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-6(c)(1)"
-                          }
-                        ],
-                        "prose": "ensures that individuals requiring access to organizational information and\n                     information systems sign appropriate access agreements prior to being granted\n                     access;"
-                      },
-                      {
-                        "id": "ps-6.c.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-6(c)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-6.c.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-6(c)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been\n                        updated;"
-                          },
-                          {
-                            "id": "ps-6.c.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PS-6(c)(2)[2]"
-                              }
-                            ],
-                            "prose": "ensures that individuals requiring access to organizational information and\n                        information systems re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been updated\n                        or with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing access agreements for organizational information and\n                  information systems\\n\\nsecurity plan\\n\\naccess agreements\\n\\nrecords of access agreement reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel who have signed/resigned access agreements\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for access agreements\\n\\nautomated mechanisms supporting access agreements"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-7",
-            "class": "SP800-53",
-            "title": "Third-party Personnel Security",
-            "parameters": [
-              {
-                "id": "ps-7_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-7_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-07"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes personnel security requirements including security roles and\n                  responsibilities for third-party providers;"
-                  },
-                  {
-                    "id": "ps-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"
-                  },
-                  {
-                    "id": "ps-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents personnel security requirements;"
-                  },
-                  {
-                    "id": "ps-7_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Requires third-party providers to notify {{ ps-7_prm_1 }} of any\n                  personnel transfers or terminations of third-party personnel who possess\n                  organizational credentials and/or badges, or who have information system\n                  privileges within {{ ps-7_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ps-7_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Monitors provider compliance."
-                  }
-                ]
-              },
-              {
-                "id": "ps-7_gdn",
-                "name": "guidance",
-                "prose": "Third-party providers include, for example, service bureaus, contractors, and other\n               organizations providing information system development, information technology\n               services, outsourced applications, and network and security management. Organizations\n               explicitly include personnel security requirements in acquisition-related documents.\n               Third-party providers may have personnel working at organizational facilities with\n               credentials, badges, or information system privileges issued by organizations.\n               Notifications of third-party personnel changes ensure appropriate termination of\n               privileges and credentials. Organizations define the transfers and terminations\n               deemed reportable by security-related characteristics that include, for example,\n               functions, roles, and nature of credentials/privileges associated with individuals\n               transferred or terminated.",
-                "links": [
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  },
-                  {
-                    "href": "#sa-21",
-                    "rel": "related",
-                    "text": "SA-21"
-                  }
-                ]
-              },
-              {
-                "id": "ps-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-7(a)"
-                      }
-                    ],
-                    "prose": "establishes personnel security requirements, including security roles and\n                  responsibilities, for third-party providers;"
-                  },
-                  {
-                    "id": "ps-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-7(b)"
-                      }
-                    ],
-                    "prose": "requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"
-                  },
-                  {
-                    "id": "ps-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-7(c)"
-                      }
-                    ],
-                    "prose": "documents personnel security requirements;"
-                  },
-                  {
-                    "id": "ps-7.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-7(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-7.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"
-                      },
-                      {
-                        "id": "ps-7.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which third-party providers are required to\n                     notify organization-defined personnel or roles of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"
-                      },
-                      {
-                        "id": "ps-7.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[3]"
-                          }
-                        ],
-                        "prose": "requires third-party providers to notify organization-defined personnel or\n                     roles within the organization-defined time period of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-7.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-7(e)"
-                      }
-                    ],
-                    "prose": "monitors provider compliance."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing third-party personnel security\\n\\nlist of personnel security requirements\\n\\nacquisition documents\\n\\nservice-level agreements\\n\\ncompliance monitoring process\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\nthird-party providers\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing and monitoring third-party personnel\n                  security\\n\\nautomated mechanisms supporting and/or implementing monitoring of provider\n                  compliance"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Attestation - Specifically stating that any third-party security personnel are\n                  treated as CSP employees."
-              }
-            ]
-          },
-          {
-            "id": "ps-8",
-            "class": "SP800-53",
-            "title": "Personnel Sanctions",
-            "parameters": [
-              {
-                "id": "ps-8_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-8_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-08"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures; and"
-                  },
-                  {
-                    "id": "ps-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}\n                  when a formal employee sanctions process is initiated, identifying the individual\n                  sanctioned and the reason for the sanction."
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_gdn",
-                "name": "guidance",
-                "prose": "Organizational sanctions processes reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Sanctions processes are\n               described in access agreements and can be included as part of general personnel\n               policies and procedures for organizations. Organizations consult with the Office of\n               the General Counsel regarding matters of employee sanctions.",
-                "links": [
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-8(a)"
-                      }
-                    ],
-                    "prose": "employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures;"
-                  },
-                  {
-                    "id": "ps-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified when a formal employee sanctions\n                     process is initiated;"
-                      },
-                      {
-                        "id": "ps-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which organization-defined personnel or roles\n                     must be notified when a formal employee sanctions process is initiated; and"
-                      },
-                      {
-                        "id": "ps-8.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period when a formal employee sanctions process is\n                     initiated, identifying the individual sanctioned and the reason for the\n                     sanction."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel sanctions\\n\\nrules of behavior\\n\\nrecords of formal sanctions\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing personnel sanctions\\n\\nautomated mechanisms supporting and/or implementing notifications"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ra",
-        "class": "family",
-        "title": "Risk Assessment",
-        "controls": [
-          {
-            "id": "ra-1",
-            "class": "SP800-53",
-            "title": "Risk Assessment Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ra-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ra-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "ra-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ra-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ra-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A risk assessment policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ra-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the risk assessment policy and\n                     associated risk assessment controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ra-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Risk assessment policy {{ ra-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ra-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Risk assessment procedures {{ ra-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the RA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a risk assessment policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ra-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ra-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the risk assessment policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ra-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the risk assessment policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        risk assessment policy and associated risk assessment controls;"
-                          },
-                          {
-                            "id": "ra-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ra-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current risk assessment\n                        policy;"
-                          },
-                          {
-                            "id": "ra-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current risk assessment policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current risk assessment\n                        procedures; and"
-                          },
-                          {
-                            "id": "ra-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current risk assessment procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "risk assessment policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-2",
-            "class": "SP800-53",
-            "title": "Security Categorization",
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"
-                  },
-                  {
-                    "id": "ra-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"
-                  },
-                  {
-                    "id": "ra-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that the authorizing official or authorizing official designated\n                  representative reviews and approves the security categorization decision."
-                  }
-                ]
-              },
-              {
-                "id": "ra-2_gdn",
-                "name": "guidance",
-                "prose": "Clearly defined authorization boundaries are a prerequisite for effective security\n               categorization decisions. Security categories describe the potential adverse impacts\n               to organizational operations, organizational assets, and individuals if\n               organizational information and information systems are comprised through a loss of\n               confidentiality, integrity, or availability. Organizations conduct the security\n               categorization process as an organization-wide activity with the involvement of chief\n               information officers, senior information security officers, information system\n               owners, mission/business owners, and information owners/stewards. Organizations also\n               consider the potential adverse impacts to other organizations and, in accordance with\n               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential\n               national-level adverse impacts. Security categorization processes carried out by\n               organizations facilitate the development of inventories of information assets, and\n               along with CM-8, mappings to specific information system components where information\n               is processed, stored, or transmitted.",
-                "links": [
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "ra-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-2(a)"
-                      }
-                    ],
-                    "prose": "categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"
-                  },
-                  {
-                    "id": "ra-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-2(b)"
-                      }
-                    ],
-                    "prose": "documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"
-                  },
-                  {
-                    "id": "ra-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-2(c)"
-                      }
-                    ],
-                    "prose": "ensures the authorizing official or authorizing official designated representative\n                  reviews and approves the security categorization decision."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing security categorization of organizational information and\n                  information systems\\n\\nsecurity plan\\n\\nsecurity categorization documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security categorization and risk assessment\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security categorization"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-3",
-            "class": "SP800-53",
-            "title": "Risk Assessment",
-            "parameters": [
-              {
-                "id": "ra-3_prm_1"
-              },
-              {
-                "id": "ra-3_prm_2",
-                "depends-on": "ra-3_prm_1",
-                "label": "organization-defined document",
-                "constraints": [
-                  {
-                    "detail": "security assessment report"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three (3) years or when a significant change occurs"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_prm_4",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ra-3_prm_5",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three (3) years or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of the information system and the information it processes, stores, or\n                  transmits;"
-                  },
-                  {
-                    "id": "ra-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents risk assessment results in {{ ra-3_prm_1 }};"
-                  },
-                  {
-                    "id": "ra-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews risk assessment results {{ ra-3_prm_3 }};"
-                  },
-                  {
-                    "id": "ra-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Disseminates risk assessment results to {{ ra-3_prm_4 }}; and"
-                  },
-                  {
-                    "id": "ra-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are\n                  significant changes to the information system or environment of operation\n                  (including the identification of new threats and vulnerabilities), or other\n                  conditions that may impact the security state of the system."
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_gdn",
-                "name": "guidance",
-                "prose": "Clearly defined authorization boundaries are a prerequisite for effective risk\n               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,\n               and impact to organizational operations and assets, individuals, other organizations,\n               and the Nation based on the operation and use of information systems. Risk\n               assessments also take into account risk from external parties (e.g., service\n               providers, contractors operating information systems on behalf of the organization,\n               individuals accessing organizational information systems, outsourcing entities). In\n               accordance with OMB policy and related E-authentication initiatives, authentication\n               of public users accessing federal information systems may also be required to protect\n               nonpublic or privacy-related information. As such, organizational assessments of risk\n               also address public access to federal information systems. Risk assessments (either\n               formal or informal) can be conducted at all three tiers in the risk management\n               hierarchy (i.e., organization level, mission/business process level, or information\n               system level) and at any phase in the system development life cycle. Risk assessments\n               can also be conducted at various steps in the Risk Management Framework, including\n               categorization, security control selection, security control implementation, security\n               control assessment, information system authorization, and security control\n               monitoring. RA-3 is noteworthy in that the control must be partially implemented\n               prior to the implementation of other controls in order to complete the first two\n               steps in the Risk Management Framework. Risk assessments can play an important role\n               in security control selection processes, particularly during the application of\n               tailoring guidance, which includes security control supplementation.",
-                "links": [
-                  {
-                    "href": "#ra-2",
-                    "rel": "related",
-                    "text": "RA-2"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(a)"
-                      }
-                    ],
-                    "prose": "conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of:",
-                    "parts": [
-                      {
-                        "id": "ra-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(a)[1]"
-                          }
-                        ],
-                        "prose": "the information system;"
-                      },
-                      {
-                        "id": "ra-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(a)[2]"
-                          }
-                        ],
-                        "prose": "the information the system processes, stores, or transmits;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a document in which risk assessment results are to be documented (if\n                     not documented in the security plan or risk assessment report);"
-                      },
-                      {
-                        "id": "ra-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(b)[2]"
-                          }
-                        ],
-                        "prose": "documents risk assessment results in one of the following:",
-                        "parts": [
-                          {
-                            "id": "ra-3.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][a]"
-                              }
-                            ],
-                            "prose": "the security plan;"
-                          },
-                          {
-                            "id": "ra-3.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][b]"
-                              }
-                            ],
-                            "prose": "the risk assessment report; or"
-                          },
-                          {
-                            "id": "ra-3.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][c]"
-                              }
-                            ],
-                            "prose": "the organization-defined document;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review risk assessment results;"
-                      },
-                      {
-                        "id": "ra-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews risk assessment results with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom risk assessment results are to be\n                     disseminated;"
-                      },
-                      {
-                        "id": "ra-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(d)[2]"
-                          }
-                        ],
-                        "prose": "disseminates risk assessment results to organization-defined personnel or\n                     roles;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(e)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the risk assessment;"
-                      },
-                      {
-                        "id": "ra-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3(e)[2]"
-                          }
-                        ],
-                        "prose": "updates the risk assessment:",
-                        "parts": [
-                          {
-                            "id": "ra-3.e_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][a]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency;"
-                          },
-                          {
-                            "id": "ra-3.e_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][b]"
-                              }
-                            ],
-                            "prose": "whenever there are significant changes to the information system or\n                        environment of operation (including the identification of new threats and\n                        vulnerabilities); and"
-                          },
-                          {
-                            "id": "ra-3.e_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][c]"
-                              }
-                            ],
-                            "prose": "whenever there are other conditions that may impact the security state of\n                        the system."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing organizational assessments of risk\\n\\nsecurity plan\\n\\nrisk assessment\\n\\nrisk assessment results\\n\\nrisk assessment reviews\\n\\nrisk assessment updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for risk assessment\\n\\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,\n                  disseminating, and updating the risk assessment"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_fr",
-                "name": "item",
-                "title": "RA-3 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "ra-3_fr_gdn.1",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1,\n                     Appendix F"
-                  },
-                  {
-                    "id": "ra-3_fr_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3 (d) Requirement:"
-                      }
-                    ],
-                    "prose": "Include all Authorizing Officials; for JAB authorizations to include\n                     FedRAMP."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-5",
-            "class": "SP800-53",
-            "title": "Vulnerability Scanning",
-            "parameters": [
-              {
-                "id": "ra-5_prm_1",
-                "label": "organization-defined frequency and/or randomly in accordance with\n               organization-defined process",
-                "constraints": [
-                  {
-                    "detail": "monthly operating system/infrastructure; monthly web applications and databases"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_prm_2",
-                "label": "organization-defined response times",
-                "constraints": [
-                  {
-                    "detail": "[high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_prm_3",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#15522e92-9192-463d-9646-6a01982db8ca",
-                "rel": "reference",
-                "text": "http://cwe.mitre.org"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Scans for vulnerabilities in the information system and hosted applications\n                     {{ ra-5_prm_1 }} and when new vulnerabilities potentially\n                  affecting the system/applications are identified and reported;"
-                  },
-                  {
-                    "id": "ra-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:",
-                    "parts": [
-                      {
-                        "id": "ra-5_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Enumerating platforms, software flaws, and improper configurations;"
-                      },
-                      {
-                        "id": "ra-5_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Formatting checklists and test procedures; and"
-                      },
-                      {
-                        "id": "ra-5_smt.b.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Measuring vulnerability impact;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Analyzes vulnerability scan reports and results from security control\n                  assessments;"
-                  },
-                  {
-                    "id": "ra-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in\n                  accordance with an organizational assessment of risk; and"
-                  },
-                  {
-                    "id": "ra-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Shares information obtained from the vulnerability scanning process and security\n                  control assessments with {{ ra-5_prm_3 }} to help eliminate similar\n                  vulnerabilities in other information systems (i.e., systemic weaknesses or\n                  deficiencies)."
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_gdn",
-                "name": "guidance",
-                "prose": "Security categorization of information systems guides the frequency and\n               comprehensiveness of vulnerability scans. Organizations determine the required\n               vulnerability scanning for all information system components, ensuring that potential\n               sources of vulnerabilities such as networked printers, scanners, and copiers are not\n               overlooked. Vulnerability analyses for custom software applications may require\n               additional approaches such as static analysis, dynamic analysis, binary analysis, or\n               a hybrid of the three approaches. Organizations can employ these analysis approaches\n               in a variety of tools (e.g., web-based application scanners, static analysis tools,\n               binary analyzers) and in source code reviews. Vulnerability scanning includes, for\n               example: (i) scanning for patch levels; (ii) scanning for functions, ports,\n               protocols, and services that should not be accessible to users or devices; and (iii)\n               scanning for improperly configured or incorrectly operating information flow control\n               mechanisms. Organizations consider using tools that express vulnerabilities in the\n               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open\n               Vulnerability Assessment Language (OVAL) to determine/test for the presence of\n               vulnerabilities. Suggested sources for vulnerability information include the Common\n               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In\n               addition, security control assessments such as red team exercises provide other\n               sources of potential vulnerabilities for which to scan. Organizations also consider\n               using tools that express vulnerability impact by the Common Vulnerability Scoring\n               System (CVSS).",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#ra-2",
-                    "rel": "related",
-                    "text": "RA-2"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[1][a]"
-                              }
-                            ],
-                            "prose": "defines the frequency for conducting vulnerability scans on the information\n                        system and hosted applications; and/or"
-                          },
-                          {
-                            "id": "ra-5.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[1][b]"
-                              }
-                            ],
-                            "prose": "defines the process for conducting random vulnerability scans on the\n                        information system and hosted applications;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with the organization-defined frequency and/or\n                     organization-defined process for conducting random scans, scans for\n                     vulnerabilities in:",
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[2][a]"
-                              }
-                            ],
-                            "prose": "the information system;"
-                          },
-                          {
-                            "id": "ra-5.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[2][b]"
-                              }
-                            ],
-                            "prose": "hosted applications;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[3]"
-                          }
-                        ],
-                        "prose": "when new vulnerabilities potentially affecting the system/applications are\n                     identified and reported, scans for vulnerabilities in:",
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[3][a]"
-                              }
-                            ],
-                            "prose": "the information system;"
-                          },
-                          {
-                            "id": "ra-5.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[3][b]"
-                              }
-                            ],
-                            "prose": "hosted applications;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(b)"
-                      }
-                    ],
-                    "prose": "employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:",
-                    "parts": [
-                      {
-                        "id": "ra-5.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "enumerating platforms;"
-                          },
-                          {
-                            "id": "ra-5.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "enumerating software flaws;"
-                          },
-                          {
-                            "id": "ra-5.b.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[3]"
-                              }
-                            ],
-                            "prose": "enumerating improper configurations;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "formatting checklists;"
-                          },
-                          {
-                            "id": "ra-5.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "formatting test procedures;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.b.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(3)"
-                          }
-                        ],
-                        "prose": "measuring vulnerability impact;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(c)[1]"
-                          }
-                        ],
-                        "prose": "analyzes vulnerability scan reports;"
-                      },
-                      {
-                        "id": "ra-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(c)[2]"
-                          }
-                        ],
-                        "prose": "analyzes results from security control assessments;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(d)[1]"
-                          }
-                        ],
-                        "prose": "defines response times to remediate legitimate vulnerabilities in accordance\n                     with an organizational assessment of risk;"
-                      },
-                      {
-                        "id": "ra-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(d)[2]"
-                          }
-                        ],
-                        "prose": "remediates legitimate vulnerabilities within the organization-defined response\n                     times in accordance with an organizational assessment of risk;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles with whom information obtained from the\n                     vulnerability scanning process and security control assessments is to be\n                     shared;"
-                      },
-                      {
-                        "id": "ra-5.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[2]"
-                          }
-                        ],
-                        "prose": "shares information obtained from the vulnerability scanning process with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies); and"
-                      },
-                      {
-                        "id": "ra-5.e_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[3]"
-                          }
-                        ],
-                        "prose": "shares information obtained from security control assessments with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment, security control assessment and\n                  vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with vulnerability remediation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and\n                  information sharing\\n\\nautomated mechanisms supporting and/or implementing vulnerability scanning,\n                  analysis, remediation, and information sharing"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_fr_smt.a",
-                "name": "item",
-                "title": "RA-5(a) Additional FedRAMP Requirements and Guidance",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5 (a)Requirement:"
-                  }
-                ],
-                "prose": "An accredited independent assessor scans operating systems/infrastructure, web\n                  applications, and databases once annually."
-              },
-              {
-                "id": "ra-5_fr_smt.e",
-                "name": "item",
-                "title": "RA-5(e) Additional FedRAMP Requirements and Guidance",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5 (e)Requirement:"
-                  }
-                ],
-                "prose": "To include all Authorizing Officials; for JAB authorizations to include\n                  FedRAMP."
-              },
-              {
-                "id": "ra-5_fr",
-                "name": "item",
-                "title": "RA-5 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "ra-5_fr_gdn.1",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "\n                  **See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                        Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "sa",
-        "class": "family",
-        "title": "System and Services Acquisition",
-        "controls": [
-          {
-            "id": "sa-1",
-            "class": "SP800-53",
-            "title": "System and Services Acquisition Policy and Procedures",
-            "parameters": [
-              {
-                "id": "sa-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "sa-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "sa-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ sa-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "sa-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and services acquisition policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "sa-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and services\n                     acquisition policy and associated system and services acquisition controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "sa-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and services acquisition policy {{ sa-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "sa-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and services acquisition procedures {{ sa-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and services acquisition policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "sa-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "sa-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and services acquisition\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "sa-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and services acquisition policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and services acquisition policy and associated system and services\n                        acquisition controls;"
-                          },
-                          {
-                            "id": "sa-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "sa-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and services\n                        acquisition policy;"
-                          },
-                          {
-                            "id": "sa-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and services acquisition policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and services\n                        acquisition procedures; and"
-                          },
-                          {
-                            "id": "sa-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and services acquisition procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-2",
-            "class": "SP800-53",
-            "title": "Allocation of Resources",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#29fcfe59-33cd-494a-8756-5907ae3a8f92",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-65"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines information security requirements for the information system or\n                  information system service in mission/business process planning;"
-                  },
-                  {
-                    "id": "sa-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Determines, documents, and allocates the resources required to protect the\n                  information system or information system service as part of its capital planning\n                  and investment control process; and"
-                  },
-                  {
-                    "id": "sa-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."
-                  }
-                ]
-              },
-              {
-                "id": "sa-2_gdn",
-                "name": "guidance",
-                "prose": "Resource allocation for information security includes funding for the initial\n               information system or information system service acquisition and funding for the\n               sustainment of the system/service.",
-                "links": [
-                  {
-                    "href": "#pm-3",
-                    "rel": "related",
-                    "text": "PM-3"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  }
-                ]
-              },
-              {
-                "id": "sa-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-2(a)"
-                      }
-                    ],
-                    "prose": "determines information security requirements for the information system or\n                  information system service in mission/business process planning;"
-                  },
-                  {
-                    "id": "sa-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-2(b)"
-                      }
-                    ],
-                    "prose": "to protect the information system or information system service as part of its\n                  capital planning and investment control process:",
-                    "parts": [
-                      {
-                        "id": "sa-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "determines the resources required;"
-                      },
-                      {
-                        "id": "sa-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "documents the resources required;"
-                      },
-                      {
-                        "id": "sa-2.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[3]"
-                          }
-                        ],
-                        "prose": "allocates the resources required; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-2(c)"
-                      }
-                    ],
-                    "prose": "establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the allocation of resources to information security\n                  requirements\\n\\nprocedures addressing capital planning and investment control\\n\\norganizational programming and budgeting documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with capital planning, investment control, organizational\n                  programming and budgeting responsibilities\\n\\norganizational personnel responsible for determining information security\n                  requirements for information systems/services\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for determining information security requirements\\n\\norganizational processes for capital planning, programming, and budgeting\\n\\nautomated mechanisms supporting and/or implementing organizational capital\n                  planning, programming, and budgeting"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-3",
-            "class": "SP800-53",
-            "title": "System Development Life Cycle",
-            "parameters": [
-              {
-                "id": "sa-3_prm_1",
-                "label": "organization-defined system development life cycle"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#abd950ae-092f-4b7a-b374-1c7c67fe9350",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-64"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Manages the information system using {{ sa-3_prm_1 }} that\n                  incorporates information security considerations;"
-                  },
-                  {
-                    "id": "sa-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"
-                  },
-                  {
-                    "id": "sa-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Identifies individuals having information security roles and responsibilities;\n                  and"
-                  },
-                  {
-                    "id": "sa-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Integrates the organizational information security risk management process into\n                  system development life cycle activities."
-                  }
-                ]
-              },
-              {
-                "id": "sa-3_gdn",
-                "name": "guidance",
-                "prose": "A well-defined system development life cycle provides the foundation for the\n               successful development, implementation, and operation of organizational information\n               systems. To apply the required security controls within the system development life\n               cycle requires a basic understanding of information security, threats,\n               vulnerabilities, adverse impacts, and risk to critical missions/business functions.\n               The security engineering principles in SA-8 cannot be properly applied if individuals\n               that design, code, and test information systems and system components (including\n               information technology products) do not understand security. Therefore, organizations\n               include qualified personnel, for example, chief information security officers,\n               security architects, security engineers, and information system security officers in\n               system development life cycle activities to ensure that security requirements are\n               incorporated into organizational information systems. It is equally important that\n               developers include individuals on the development team that possess the requisite\n               security expertise and skills to ensure that needed security capabilities are\n               effectively integrated into the information system. Security awareness and training\n               programs can help ensure that individuals having key security roles and\n               responsibilities have the appropriate experience, skills, and expertise to conduct\n               assigned system development life cycle activities. The effective integration of\n               security requirements into enterprise architecture also helps to ensure that\n               important security considerations are addressed early in the system development life\n               cycle and that those considerations are directly related to the organizational\n               mission/business processes. This process also facilitates the integration of the\n               information security architecture into the enterprise architecture, consistent with\n               organizational risk management and information security strategies.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  }
-                ]
-              },
-              {
-                "id": "sa-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a system development life cycle that incorporates information security\n                     considerations to be used to manage the information system;"
-                      },
-                      {
-                        "id": "sa-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-3(a)[2]"
-                          }
-                        ],
-                        "prose": "manages the information system using the organization-defined system\n                     development life cycle;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-3(b)"
-                      }
-                    ],
-                    "prose": "defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"
-                  },
-                  {
-                    "id": "sa-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-3(c)"
-                      }
-                    ],
-                    "prose": "identifies individuals having information security roles and responsibilities;\n                  and"
-                  },
-                  {
-                    "id": "sa-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-3(d)"
-                      }
-                    ],
-                    "prose": "integrates the organizational information security risk management process into\n                  system development life cycle activities."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security into the system\n                  development life cycle process\\n\\ninformation system development life cycle documentation\\n\\ninformation security risk management strategy/program documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security and system life cycle\n                  development responsibilities\\n\\norganizational personnel with information security risk management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining and documenting the SDLC\\n\\norganizational processes for identifying SDLC roles and responsibilities\\n\\norganizational process for integrating information security risk management into\n                  the SDLC\\n\\nautomated mechanisms supporting and/or implementing the SDLC"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-4",
-            "class": "SP800-53",
-            "title": "Acquisition Process",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ad733a42-a7ed-4774-b988-4930c28852f3",
-                "rel": "reference",
-                "text": "HSPD-12"
-              },
-              {
-                "href": "#1737a687-52fb-4008-b900-cbfa836f7b65",
-                "rel": "reference",
-                "text": "ISO/IEC 15408"
-              },
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#0a5db899-f033-467f-8631-f5a8ba971475",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-23"
-              },
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              },
-              {
-                "href": "#d818efd3-db31-4953-8afa-9e76afe83ce2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-36"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#abd950ae-092f-4b7a-b374-1c7c67fe9350",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-64"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              },
-              {
-                "href": "#56d671da-6b7b-4abf-8296-84b61980390a",
-                "rel": "reference",
-                "text": "Federal Acquisition Regulation"
-              },
-              {
-                "href": "#c95a9986-3cd6-4a98-931b-ccfc56cb11e5",
-                "rel": "reference",
-                "text": "http://www.niap-ccevs.org"
-              },
-              {
-                "href": "#5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-                "rel": "reference",
-                "text": "http://fips201ep.cio.gov"
-              },
-              {
-                "href": "#bbd50dd1-54ce-4432-959d-63ea564b1bb4",
-                "rel": "reference",
-                "text": "http://www.acquisition.gov/far"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-4_smt",
-                "name": "statement",
-                "prose": "The organization includes the following requirements, descriptions, and criteria,\n               explicitly or by reference, in the acquisition contract for the information system,\n               system component, or information system service in accordance with applicable federal\n               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and\n               organizational mission/business needs:",
-                "parts": [
-                  {
-                    "id": "sa-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Security functional requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Security strength requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Security assurance requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Security-related documentation requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Requirements for protecting security-related documentation;"
-                  },
-                  {
-                    "id": "sa-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Description of the information system development environment and environment in\n                  which the system is intended to operate; and"
-                  },
-                  {
-                    "id": "sa-4_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Acceptance criteria."
-                  }
-                ]
-              },
-              {
-                "id": "sa-4_gdn",
-                "name": "guidance",
-                "prose": "Information system components are discrete, identifiable information technology\n               assets (e.g., hardware, software, or firmware) that represent the building blocks of\n               an information system. Information system components include commercial information\n               technology products. Security functional requirements include security capabilities,\n               security functions, and security mechanisms. Security strength requirements\n               associated with such capabilities, functions, and mechanisms include degree of\n               correctness, completeness, resistance to direct attack, and resistance to tampering\n               or bypass. Security assurance requirements include: (i) development processes,\n               procedures, practices, and methodologies; and (ii) evidence from development and\n               assessment activities providing grounds for confidence that the required security\n               functionality has been implemented and the required security strength has been\n               achieved. Security documentation requirements address all phases of the system\n               development life cycle. Security functionality, assurance, and documentation\n               requirements are expressed in terms of security controls and control enhancements\n               that have been selected through the tailoring process. The security control tailoring\n               process includes, for example, the specification of parameter values through the use\n               of assignment and selection statements and the specification of platform dependencies\n               and implementation information. Security documentation provides user and\n               administrator guidance regarding the implementation and operation of security\n               controls. The level of detail required in security documentation is based on the\n               security category or classification level of the information system and the degree to\n               which organizations depend on the stated security capability, functions, or\n               mechanisms to meet overall risk response expectations (as defined in the\n               organizational risk management strategy). Security requirements can also include\n               organizationally mandated configuration settings specifying allowed functions, ports,\n               protocols, and services. Acceptance criteria for information systems, information\n               system components, and information system services are defined in the same manner as\n               such criteria for any organizational acquisition or procurement. The Federal\n               Acquisition Regulation (FAR) Section 7.103 contains information security requirements\n               from FISMA.",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "sa-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization includes the following requirements, descriptions, and\n               criteria, explicitly or by reference, in the acquisition contracts for the\n               information system, system component, or information system service in accordance\n               with applicable federal laws, Executive Orders, directives, policies, regulations,\n               standards, guidelines, and organizational mission/business needs:",
-                "parts": [
-                  {
-                    "id": "sa-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(a)"
-                      }
-                    ],
-                    "prose": "security functional requirements;"
-                  },
-                  {
-                    "id": "sa-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(b)"
-                      }
-                    ],
-                    "prose": "security strength requirements;"
-                  },
-                  {
-                    "id": "sa-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(c)"
-                      }
-                    ],
-                    "prose": "security assurance requirements;"
-                  },
-                  {
-                    "id": "sa-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(d)"
-                      }
-                    ],
-                    "prose": "security-related documentation requirements;"
-                  },
-                  {
-                    "id": "sa-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(e)"
-                      }
-                    ],
-                    "prose": "requirements for protecting security-related documentation;"
-                  },
-                  {
-                    "id": "sa-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(f)"
-                      }
-                    ],
-                    "prose": "description of:",
-                    "parts": [
-                      {
-                        "id": "sa-4.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(f)[1]"
-                          }
-                        ],
-                        "prose": "the information system development environment;"
-                      },
-                      {
-                        "id": "sa-4.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(f)[2]"
-                          }
-                        ],
-                        "prose": "the environment in which the system is intended to operate; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(g)"
-                      }
-                    ],
-                    "prose": "acceptance criteria."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                  descriptions, and criteria into the acquisition process\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ninformation system design documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security functional, strength, and assurance requirements\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for determining information system security functional,\n                  strength, and assurance requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of\n                  security requirements in contracts"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-4.10",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Approved PIV Products",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.10"
-                  },
-                  {
-                    "name": "method",
-                    "class": "FedRAMP-Tailored-LI-SaaS",
-                    "value": "ATTEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.10_smt",
-                    "name": "statement",
-                    "prose": "The organization employs only information technology products on the FIPS\n                  201-approved products list for Personal Identity Verification (PIV) capability\n                  implemented within organizational information systems."
-                  },
-                  {
-                    "id": "sa-4.10_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ia-2",
-                        "rel": "related",
-                        "text": "IA-2"
-                      },
-                      {
-                        "href": "#ia-8",
-                        "rel": "related",
-                        "text": "IA-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.10_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs only information technology products on the\n                  FIPS 201-approved products list for Personal Identity Verification (PIV)\n                  capability implemented within organizational information systems. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\norganizational personnel with responsibility for ensuring only FIPS\n                     201-approved products are implemented\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for selecting and employing FIPS 201-approved\n                     products"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-5",
-            "class": "SP800-53",
-            "title": "Information System Documentation",
-            "parameters": [
-              {
-                "id": "sa-5_prm_1",
-                "label": "organization-defined actions"
-              },
-              {
-                "id": "sa-5_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Obtains administrator documentation for the information system, system component,\n                  or information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Secure configuration, installation, and operation of the system, component, or\n                     service;"
-                      },
-                      {
-                        "id": "sa-5_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Effective use and maintenance of security functions/mechanisms; and"
-                      },
-                      {
-                        "id": "sa-5_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Obtains user documentation for the information system, system component, or\n                  information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "User-accessible security functions/mechanisms and how to effectively use those\n                     security functions/mechanisms;"
-                      },
-                      {
-                        "id": "sa-5_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner; and"
-                      },
-                      {
-                        "id": "sa-5_smt.b.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "User responsibilities in maintaining the security of the system, component, or\n                     service;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents attempts to obtain information system, system component, or information\n                  system service documentation when such documentation is either unavailable or\n                  nonexistent and takes {{ sa-5_prm_1 }} in response;"
-                  },
-                  {
-                    "id": "sa-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects documentation as required, in accordance with the risk management\n                  strategy; and"
-                  },
-                  {
-                    "id": "sa-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Distributes documentation to {{ sa-5_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "sa-5_gdn",
-                "name": "guidance",
-                "prose": "This control helps organizational personnel understand the implementation and\n               operation of security controls associated with information systems, system\n               components, and information system services. Organizations consider establishing\n               specific measures to determine the quality/completeness of the content provided. The\n               inability to obtain needed documentation may occur, for example, due to the age of\n               the information system/component or lack of support from developers and contractors.\n               In those situations, organizations may need to recreate selected documentation if\n               such documentation is essential to the effective implementation or operation of\n               security controls. The level of protection provided for selected information system,\n               component, or service documentation is commensurate with the security category or\n               classification of the system. For example, documentation associated with a key DoD\n               weapons system or command and control system would typically require a higher level\n               of protection than a routine administrative system. Documentation that addresses\n               information system vulnerabilities may also require an increased level of protection.\n               Secure operation of the information system, includes, for example, initially starting\n               the system and resuming secure system operation after any lapse in system\n               operation.",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  }
-                ]
-              },
-              {
-                "id": "sa-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(a)"
-                      }
-                    ],
-                    "prose": "obtains administrator documentation for the information system, system component,\n                  or information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "secure configuration of the system, system component, or service;"
-                          },
-                          {
-                            "id": "sa-5.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "secure installation of the system, system component, or service;"
-                          },
-                          {
-                            "id": "sa-5.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "secure operation of the system, system component, or service;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "effective use of the security features/mechanisms;"
-                          },
-                          {
-                            "id": "sa-5.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "effective maintenance of the security features/mechanisms;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(3)"
-                          }
-                        ],
-                        "prose": "known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(b)"
-                      }
-                    ],
-                    "prose": "obtains user documentation for the information system, system component, or\n                  information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "user-accessible security functions/mechanisms;"
-                          },
-                          {
-                            "id": "sa-5.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "how to effectively use those functions/mechanisms;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(2)"
-                          }
-                        ],
-                        "prose": "methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner;"
-                      },
-                      {
-                        "id": "sa-5.b.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(3)"
-                          }
-                        ],
-                        "prose": "user responsibilities in maintaining the security of the system, component, or\n                     service;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[1]"
-                          }
-                        ],
-                        "prose": "defines actions to be taken after documented attempts to obtain information\n                     system, system component, or information system service documentation when such\n                     documentation is either unavailable or nonexistent;"
-                      },
-                      {
-                        "id": "sa-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[2]"
-                          }
-                        ],
-                        "prose": "documents attempts to obtain information system, system component, or\n                     information system service documentation when such documentation is either\n                     unavailable or nonexistent;"
-                      },
-                      {
-                        "id": "sa-5.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[3]"
-                          }
-                        ],
-                        "prose": "takes organization-defined actions in response;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(d)"
-                      }
-                    ],
-                    "prose": "protects documentation as required, in accordance with the risk management\n                  strategy;"
-                  },
-                  {
-                    "id": "sa-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-5.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom documentation is to be distributed; and"
-                      },
-                      {
-                        "id": "sa-5.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(e)[2]"
-                          }
-                        ],
-                        "prose": "distributes documentation to organization-defined personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing information system documentation\\n\\ninformation system documentation including administrator and user guides\\n\\nrecords documenting attempts to obtain unavailable or nonexistent information\n                  system documentation\\n\\nlist of actions to be taken in response to documented attempts to obtain\n                  information system, system component, or information system service\n                  documentation\\n\\nrisk management strategy documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\nsystem administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for obtaining, protecting, and distributing information\n                  system administrator and user documentation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-9",
-            "class": "SP800-53",
-            "title": "External Information System Services",
-            "parameters": [
-              {
-                "id": "sa-9_prm_1",
-                "label": "organization-defined security controls",
-                "constraints": [
-                  {
-                    "detail": "FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_prm_2",
-                "label": "organization-defined processes, methods, and techniques",
-                "constraints": [
-                  {
-                    "detail": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-09"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires that providers of external information system services comply with\n                  organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive\n                  Orders, directives, policies, regulations, standards, and guidance;"
-                  },
-                  {
-                    "id": "sa-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Defines and documents government oversight and user roles and responsibilities\n                  with regard to external information system services; and"
-                  },
-                  {
-                    "id": "sa-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Employs {{ sa-9_prm_2 }} to monitor security control compliance by\n                  external service providers on an ongoing basis."
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_gdn",
-                "name": "guidance",
-                "prose": "External information system services are services that are implemented outside of the\n               authorization boundaries of organizational information systems. This includes\n               services that are used by, but not a part of, organizational information systems.\n               FISMA and OMB policy require that organizations using external service providers that\n               are processing, storing, or transmitting federal information or operating information\n               systems on behalf of the federal government ensure that such providers meet the same\n               security requirements that federal agencies are required to meet. Organizations\n               establish relationships with external service providers in a variety of ways\n               including, for example, through joint ventures, business partnerships, contracts,\n               interagency agreements, lines of business arrangements, licensing agreements, and\n               supply chain exchanges. The responsibility for managing risks from the use of\n               external information system services remains with authorizing officials. For services\n               external to organizations, a chain of trust requires that organizations establish and\n               retain a level of confidence that each participating provider in the potentially\n               complex consumer-provider relationship provides adequate protection for the services\n               rendered. The extent and nature of this chain of trust varies based on the\n               relationships between organizations and the external providers. Organizations\n               document the basis for trust relationships so the relationships can be monitored over\n               time. External information system services documentation includes government, service\n               providers, end user security roles and responsibilities, and service-level\n               agreements. Service-level agreements define expectations of performance for security\n               controls, describe measurable outcomes, and identify remedies and response\n               requirements for identified instances of noncompliance.",
-                "links": [
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ir-7",
-                    "rel": "related",
-                    "text": "IR-7"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security controls to be employed by providers of external information\n                     system services;"
-                      },
-                      {
-                        "id": "sa-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[2]"
-                          }
-                        ],
-                        "prose": "requires that providers of external information system services comply with\n                     organizational information security requirements;"
-                      },
-                      {
-                        "id": "sa-9.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[3]"
-                          }
-                        ],
-                        "prose": "requires that providers of external information system services employ\n                     organization-defined security controls in accordance with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines and documents government oversight with regard to external information\n                     system services;"
-                      },
-                      {
-                        "id": "sa-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(b)[2]"
-                          }
-                        ],
-                        "prose": "defines and documents user roles and responsibilities with regard to external\n                     information system services;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines processes, methods, and techniques to be employed to monitor security\n                     control compliance by external service providers; and"
-                      },
-                      {
-                        "id": "sa-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(c)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined processes, methods, and techniques to monitor\n                     security control compliance by external service providers on an ongoing\n                     basis."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nprocedures addressing methods and techniques for monitoring security control\n                  compliance by external service providers of information system services\\n\\nacquisition contracts, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                  provider services\\n\\nsecurity control assessment evidence from external providers of information system\n                  services\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring security control compliance by external\n                  service providers on an ongoing basis\\n\\nautomated mechanisms for monitoring security control compliance by external\n                  service providers on an ongoing basis"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "sc",
-        "class": "family",
-        "title": "System and Communications Protection",
-        "controls": [
-          {
-            "id": "sc-1",
-            "class": "SP800-53",
-            "title": "System and Communications Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "sc-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "sc-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "sc-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sc-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ sc-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "sc-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and communications protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "sc-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and communications\n                     protection policy and associated system and communications protection controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "sc-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and communications protection policy {{ sc-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "sc-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and communications protection procedures {{ sc-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and communications protection policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "sc-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "sc-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and communications protection\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "sc-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and communications protection policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and communications protection policy and associated system and\n                        communications protection controls;"
-                          },
-                          {
-                            "id": "sc-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "sc-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        communications protection policy;"
-                          },
-                          {
-                            "id": "sc-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and communications protection policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        communications protection procedures; and"
-                          },
-                          {
-                            "id": "sc-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and communications protection\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and communications protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-5",
-            "class": "SP800-53",
-            "title": "Denial of Service Protection",
-            "parameters": [
-              {
-                "id": "sc-5_prm_1",
-                "label": "organization-defined types of denial of service attacks or references to sources\n               for such information"
-              },
-              {
-                "id": "sc-5_prm_2",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-5_smt",
-                "name": "statement",
-                "prose": "The information system protects against or limits the effects of the following types\n               of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}."
-              },
-              {
-                "id": "sc-5_gdn",
-                "name": "guidance",
-                "prose": "A variety of technologies exist to limit, or in some cases, eliminate the effects of\n               denial of service attacks. For example, boundary protection devices can filter\n               certain types of packets to protect information system components on internal\n               organizational networks from being directly affected by denial of service attacks.\n               Employing increased capacity and bandwidth combined with service redundancy may also\n               reduce the susceptibility to denial of service attacks.",
-                "links": [
-                  {
-                    "href": "#sc-6",
-                    "rel": "related",
-                    "text": "SC-6"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-5_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[1]"
-                      }
-                    ],
-                    "prose": "the organization defines types of denial of service attacks or reference to source\n                  of such information for the information system to protect against or limit the\n                  effects;"
-                  },
-                  {
-                    "id": "sc-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[2]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be employed by the information\n                  system to protect against or limit the effects of organization-defined types of\n                  denial of service attacks; and"
-                  },
-                  {
-                    "id": "sc-5_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[3]"
-                      }
-                    ],
-                    "prose": "the information system protects against or limits the effects of the\n                  organization-defined denial or service attacks (or reference to source for such\n                  information) by employing organization-defined security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing denial of service protection\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\nlist of denial of services attacks requiring employment of security safeguards to\n                  protect against or limit effects of such attacks\\n\\nlist of security safeguards protecting against or limiting the effects of denial\n                  of service attacks\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms protecting against or limiting the effects of denial of\n                  service attacks"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: If availability is a requirement, define protections in place as per\n                  control requirement."
-              }
-            ]
-          },
-          {
-            "id": "sc-7",
-            "class": "SP800-53",
-            "title": "Boundary Protection",
-            "parameters": [
-              {
-                "id": "sc-7_prm_1"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-07"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#756a8e86-57d5-4701-8382-f7a40439665a",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-41"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-7_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors and controls communications at the external boundary of the system and at\n                  key internal boundaries within the system;"
-                  },
-                  {
-                    "id": "sc-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;\n                  and"
-                  },
-                  {
-                    "id": "sc-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."
-                  }
-                ]
-              },
-              {
-                "id": "sc-7_gdn",
-                "name": "guidance",
-                "prose": "Managed interfaces include, for example, gateways, routers, firewalls, guards,\n               network-based malicious code analysis and virtualization systems, or encrypted\n               tunnels implemented within a security architecture (e.g., routers protecting\n               firewalls or application gateways residing on protected subnetworks). Subnetworks\n               that are physically or logically separated from internal networks are referred to as\n               demilitarized zones or DMZs. Restricting or prohibiting interfaces within\n               organizational information systems includes, for example, restricting external web\n               traffic to designated web servers within managed interfaces and prohibiting external\n               traffic that appears to be spoofing internal addresses. Organizations consider the\n               shared nature of commercial telecommunications services in the implementation of\n               security controls associated with the use of such services. Commercial\n               telecommunications services are commonly based on network components and consolidated\n               management systems shared by all attached commercial customers, and may also include\n               third party-provided access lines and other service elements. Such transmission\n               services may represent sources of increased risk despite contract security\n               provisions.",
-                "links": [
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "sc-7_obj",
-                "name": "objective",
-                "prose": "Determine if the information system:",
-                "parts": [
-                  {
-                    "id": "sc-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[1]"
-                          }
-                        ],
-                        "prose": "monitors communications at the external boundary of the information system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors communications at key internal boundaries within the system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[3]"
-                          }
-                        ],
-                        "prose": "controls communications at the external boundary of the information system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[4]"
-                          }
-                        ],
-                        "prose": "controls communications at key internal boundaries within the system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-7(b)"
-                      }
-                    ],
-                    "prose": "implements subnetworks for publicly accessible system components that are\n                  either:",
-                    "parts": [
-                      {
-                        "id": "sc-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(b)[1]"
-                          }
-                        ],
-                        "prose": "physically separated from internal organizational networks; and/or"
-                      },
-                      {
-                        "id": "sc-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(b)[2]"
-                          }
-                        ],
-                        "prose": "logically separated from internal organizational networks; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-7(c)"
-                      }
-                    ],
-                    "prose": "connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\nlist of key internal boundaries of the information system\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\nenterprise security architecture documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing boundary protection capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-12",
-            "class": "SP800-53",
-            "title": "Cryptographic Key Establishment and Management",
-            "parameters": [
-              {
-                "id": "sc-12_prm_1",
-                "label": "organization-defined requirements for key generation, distribution, storage,\n               access, and destruction"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-12"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-56"
-              },
-              {
-                "href": "#a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-57"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-12_smt",
-                "name": "statement",
-                "prose": "The organization establishes and manages cryptographic keys for required cryptography\n               employed within the information system in accordance with {{ sc-12_prm_1 }}."
-              },
-              {
-                "id": "sc-12_gdn",
-                "name": "guidance",
-                "prose": "Cryptographic key management and establishment can be performed using manual\n               procedures or automated mechanisms with supporting manual procedures. Organizations\n               define key management requirements in accordance with applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, and guidance,\n               specifying appropriate options, levels, and parameters. Organizations manage trust\n               stores to ensure that only approved trust anchors are in such trust stores. This\n               includes certificates with visibility external to organizational information systems\n               and certificates related to the internal operations of systems.",
-                "links": [
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  }
-                ]
-              },
-              {
-                "id": "sc-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-12[1]"
-                      }
-                    ],
-                    "prose": "defines requirements for cryptographic key:",
-                    "parts": [
-                      {
-                        "id": "sc-12_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][a]"
-                          }
-                        ],
-                        "prose": "generation;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][b]"
-                          }
-                        ],
-                        "prose": "distribution;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][c]"
-                          }
-                        ],
-                        "prose": "storage;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.d",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][d]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.e",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][e]"
-                          }
-                        ],
-                        "prose": "destruction; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-12[2]"
-                      }
-                    ],
-                    "prose": "establishes and manages cryptographic keys for required cryptography employed\n                  within the information system in accordance with organization-defined requirements\n                  for key generation, distribution, storage, access, and destruction."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ncryptographic mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key establishment\n                  and/or management"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic key\n                  establishment and management"
-                  }
-                ]
-              },
-              {
-                "id": "sc-12_fr",
-                "name": "item",
-                "title": "SC-12 Additional FedRAMP Requirements and Guidance",
-                "parts": [
-                  {
-                    "id": "sc-12_fr_gdn.1",
-                    "name": "guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "Guidance:"
-                      }
-                    ],
-                    "prose": "Federally approved cryptography."
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-13",
-            "class": "SP800-53",
-            "title": "Cryptographic Protection",
-            "parameters": [
-              {
-                "id": "sc-13_prm_1",
-                "label": "organization-defined cryptographic uses and type of cryptography required for\n               each use",
-                "constraints": [
-                  {
-                    "detail": "FIPS-validated or NSA-approved cryptography"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-13"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-13"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "CONDITIONAL"
-              }
-            ],
-            "links": [
-              {
-                "href": "#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-                "rel": "reference",
-                "text": "FIPS Publication 140"
-              },
-              {
-                "href": "#6a1041fc-054e-4230-946b-2e6f4f3731bb",
-                "rel": "reference",
-                "text": "http://csrc.nist.gov/cryptval"
-              },
-              {
-                "href": "#9b97ed27-3dd6-4f9a-ade5-1b43e9669794",
-                "rel": "reference",
-                "text": "http://www.cnss.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-13_smt",
-                "name": "statement",
-                "prose": "The information system implements {{ sc-13_prm_1 }} in accordance with\n               applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards."
-              },
-              {
-                "id": "sc-13_gdn",
-                "name": "guidance",
-                "prose": "Cryptography can be employed to support a variety of security solutions including,\n               for example, the protection of classified and Controlled Unclassified Information,\n               the provision of digital signatures, and the enforcement of information separation\n               when authorized individuals have the necessary clearances for such information but\n               lack the necessary formal access approvals. Cryptography can also be used to support\n               random number generation and hash generation. Generally applicable cryptographic\n               standards include FIPS-validated cryptography and NSA-approved cryptography. This\n               control does not impose any requirements on organizations to use cryptography.\n               However, if cryptography is required based on the selection of other security\n               controls, organizations define each type of cryptographic use and the type of\n               cryptography required (e.g., protection of classified information: NSA-approved\n               cryptography; provision of digital signatures: FIPS-validated cryptography).",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#au-10",
-                    "rel": "related",
-                    "text": "AU-10"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-7",
-                    "rel": "related",
-                    "text": "IA-7"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-13_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-13_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-13[1]"
-                      }
-                    ],
-                    "prose": "the organization defines cryptographic uses; and"
-                  },
-                  {
-                    "id": "sc-13_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-13[2]"
-                      }
-                    ],
-                    "prose": "the organization defines the type of cryptography required for each use; and"
-                  },
-                  {
-                    "id": "sc-13_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-13[3]"
-                      }
-                    ],
-                    "prose": "the information system implements the organization-defined cryptographic uses and\n                  type of cryptography required for each use in accordance with applicable federal\n                  laws, Executive Orders, directives, policies, regulations, and standards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic module validation certificates\\n\\nlist of FIPS validated cryptographic modules\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic protection"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic protection"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Condition: If implementing need to detail how they meet it or don't meet it."
-              }
-            ]
-          },
-          {
-            "id": "sc-15",
-            "class": "SP800-53",
-            "title": "Collaborative Computing Devices",
-            "parameters": [
-              {
-                "id": "sc-15_prm_1",
-                "label": "organization-defined exceptions where remote activation is to be allowed"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-15"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "NSO"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-15_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-15_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Prohibits remote activation of collaborative computing devices with the following\n                  exceptions: {{ sc-15_prm_1 }}; and"
-                  },
-                  {
-                    "id": "sc-15_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Provides an explicit indication of use to users physically present at the\n                  devices."
-                  }
-                ]
-              },
-              {
-                "id": "sc-15_gdn",
-                "name": "guidance",
-                "prose": "Collaborative computing devices include, for example, networked white boards,\n               cameras, and microphones. Explicit indication of use includes, for example, signals\n               to users when collaborative computing devices are activated.",
-                "links": [
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  }
-                ]
-              },
-              {
-                "id": "sc-15_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-15.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-15(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-15.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-15(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines exceptions where remote activation of collaborative\n                     computing devices is to be allowed;"
-                      },
-                      {
-                        "id": "sc-15.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-15(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system prohibits remote activation of collaborative computing\n                     devices, except for organization-defined exceptions where remote activation is\n                     to be allowed; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-15.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-15(b)"
-                      }
-                    ],
-                    "prose": "the information system provides an explicit indication of use to users physically\n                  present at the devices."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing collaborative computing\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for managing collaborative\n                  computing devices"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing management of remote\n                  activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing\n                  devices"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "NSO - Not directly related to the security of the SaaS."
-              }
-            ]
-          },
-          {
-            "id": "sc-20",
-            "class": "SP800-53",
-            "title": "Secure Name / Address Resolution Service (authoritative Source)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-20"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-20"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#28115a56-da6b-4d44-b1df-51dd7f048a3e",
-                "rel": "reference",
-                "text": "OMB Memorandum 08-23"
-              },
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-20_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-20_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides additional data origin authentication and integrity verification\n                  artifacts along with the authoritative name resolution data the system returns in\n                  response to external name/address resolution queries; and"
-                  },
-                  {
-                    "id": "sc-20_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Provides the means to indicate the security status of child zones and (if the\n                  child supports secure resolution services) to enable verification of a chain of\n                  trust among parent and child domains, when operating as part of a distributed,\n                  hierarchical namespace."
-                  }
-                ]
-              },
-              {
-                "id": "sc-20_gdn",
-                "name": "guidance",
-                "prose": "This control enables external clients including, for example, remote Internet\n               clients, to obtain origin authentication and integrity verification assurances for\n               the host/service name to network address resolution information obtained through the\n               service. Information systems that provide name and address resolution services\n               include, for example, domain name system (DNS) servers. Additional artifacts include,\n               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS\n               resource records are examples of authoritative data. The means to indicate the\n               security status of child zones includes, for example, the use of delegation signer\n               resource records in the DNS. The DNS security controls reflect (and are referenced\n               from) OMB Memorandum 08-23. Information systems that use technologies other than the\n               DNS to map between host/service names and network addresses provide other means to\n               assure the authenticity and integrity of response data.",
-                "links": [
-                  {
-                    "href": "#au-10",
-                    "rel": "related",
-                    "text": "AU-10"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-21",
-                    "rel": "related",
-                    "text": "SC-21"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-20_obj",
-                "name": "objective",
-                "prose": "Determine if the information system:",
-                "parts": [
-                  {
-                    "id": "sc-20.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-20(a)"
-                      }
-                    ],
-                    "prose": "provides additional data origin and integrity verification artifacts along with\n                  the authoritative name resolution data the system returns in response to external\n                  name/address resolution queries;"
-                  },
-                  {
-                    "id": "sc-20.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-20(b)"
-                      }
-                    ],
-                    "prose": "provides the means to, when operating as part of a distributed, hierarchical\n                  namespace:",
-                    "parts": [
-                      {
-                        "id": "sc-20.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-20(b)[1]"
-                          }
-                        ],
-                        "prose": "indicate the security status of child zones; and"
-                      },
-                      {
-                        "id": "sc-20.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-20(b)[2]"
-                          }
-                        ],
-                        "prose": "enable verification of a chain of trust among parent and child domains (if the\n                     child supports secure resolution services)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (authoritative\n                  source)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing secure name/address resolution\n                  service"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-21",
-            "class": "SP800-53",
-            "title": "Secure Name / Address Resolution Service (recursive or Caching Resolver)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-21"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-21"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-21_smt",
-                "name": "statement",
-                "prose": "The information system requests and performs data origin authentication and data\n               integrity verification on the name/address resolution responses the system receives\n               from authoritative sources."
-              },
-              {
-                "id": "sc-21_gdn",
-                "name": "guidance",
-                "prose": "Each client of name resolution services either performs this validation on its own,\n               or has authenticated channels to trusted validation providers. Information systems\n               that provide name and address resolution services for local clients include, for\n               example, recursive resolving or caching domain name system (DNS) servers. DNS client\n               resolvers either perform validation of DNSSEC signatures, or clients use\n               authenticated channels to recursive resolvers that perform such validations.\n               Information systems that use technologies other than the DNS to map between\n               host/service names and network addresses provide other means to enable clients to\n               verify the authenticity and integrity of response data.",
-                "links": [
-                  {
-                    "href": "#sc-20",
-                    "rel": "related",
-                    "text": "SC-20"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-21_obj",
-                "name": "objective",
-                "prose": "Determine if the information system: ",
-                "parts": [
-                  {
-                    "id": "sc-21_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-21[1]"
-                      }
-                    ],
-                    "prose": "requests data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources;"
-                  },
-                  {
-                    "id": "sc-21_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-21[2]"
-                      }
-                    ],
-                    "prose": "requests data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources;"
-                  },
-                  {
-                    "id": "sc-21_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-21[3]"
-                      }
-                    ],
-                    "prose": "performs data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources; and"
-                  },
-                  {
-                    "id": "sc-21_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-21[4]"
-                      }
-                    ],
-                    "prose": "performs data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (recursive or caching\n                  resolver)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing data origin authentication and\n                  data integrity verification for name/address resolution services"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-22",
-            "class": "SP800-53",
-            "title": "Architecture and Provisioning for Name / Address Resolution Service",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-22"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-22"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-22_smt",
-                "name": "statement",
-                "prose": "The information systems that collectively provide name/address resolution service for\n               an organization are fault-tolerant and implement internal/external role\n               separation."
-              },
-              {
-                "id": "sc-22_gdn",
-                "name": "guidance",
-                "prose": "Information systems that provide name and address resolution services include, for\n               example, domain name system (DNS) servers. To eliminate single points of failure and\n               to enhance redundancy, organizations employ at least two authoritative domain name\n               system servers, one configured as the primary server and the other configured as the\n               secondary server. Additionally, organizations typically deploy the servers in two\n               geographically separated network subnetworks (i.e., not located in the same physical\n               facility). For role separation, DNS servers with internal roles only process name and\n               address resolution requests from within organizations (i.e., from internal clients).\n               DNS servers with external roles only process name and address resolution information\n               requests from clients external to organizations (i.e., on external networks including\n               the Internet). Organizations specify clients that can access authoritative DNS\n               servers in particular roles (e.g., by address ranges, explicit lists).",
-                "links": [
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-20",
-                    "rel": "related",
-                    "text": "SC-20"
-                  },
-                  {
-                    "href": "#sc-21",
-                    "rel": "related",
-                    "text": "SC-21"
-                  },
-                  {
-                    "href": "#sc-24",
-                    "rel": "related",
-                    "text": "SC-24"
-                  }
-                ]
-              },
-              {
-                "id": "sc-22_obj",
-                "name": "objective",
-                "prose": "Determine if the information systems that collectively provide name/address\n               resolution service for an organization: ",
-                "parts": [
-                  {
-                    "id": "sc-22_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-22[1]"
-                      }
-                    ],
-                    "prose": "are fault tolerant; and"
-                  },
-                  {
-                    "id": "sc-22_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-22[2]"
-                      }
-                    ],
-                    "prose": "implement internal/external role separation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing architecture and provisioning for name/address resolution\n                  service\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\nassessment results from independent, testing organizations\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing name/address resolution\n                  service for fault tolerance and role separation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-39",
-            "class": "SP800-53",
-            "title": "Process Isolation",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-39"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-39"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-39_smt",
-                "name": "statement",
-                "prose": "The information system maintains a separate execution domain for each executing\n               process."
-              },
-              {
-                "id": "sc-39_gdn",
-                "name": "guidance",
-                "prose": "Information systems can maintain separate execution domains for each executing\n               process by assigning each process a separate address space. Each information system\n               process has a distinct address space so that communication between processes is\n               performed in a manner controlled through the security functions, and one process\n               cannot modify the executing code of another process. Maintaining separate execution\n               domains for executing processes can be achieved, for example, by implementing\n               separate address spaces. This capability is available in most commercial operating\n               systems that employ multi-state processor technologies.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "sc-39_obj",
-                "name": "objective",
-                "prose": "Determine if the information system maintains a separate execution domain for each\n               executing process."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system design documentation\\n\\ninformation system architecture\\n\\nindependent verification and validation documentation\\n\\ntesting and evaluation documentation, other relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system developers/integrators\\n\\ninformation system security architect"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing separate execution domains for\n                  each executing process"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "si",
-        "class": "family",
-        "title": "System and Information Integrity",
-        "controls": [
-          {
-            "id": "si-1",
-            "class": "SP800-53",
-            "title": "System and Information Integrity Policy and Procedures",
-            "parameters": [
-              {
-                "id": "si-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-1_prm_2",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "si-1_prm_3",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-01"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ si-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "si-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and information integrity policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "si-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and information\n                     integrity policy and associated system and information integrity controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "si-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and information integrity policy {{ si-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "si-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and information integrity procedures {{ si-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SI\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "si-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and information integrity policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "si-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "si-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and information integrity\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "si-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and information integrity policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and information integrity policy and associated system and\n                        information integrity controls;"
-                          },
-                          {
-                            "id": "si-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "si-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        information integrity policy;"
-                          },
-                          {
-                            "id": "si-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and information integrity policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        information integrity procedures; and"
-                          },
-                          {
-                            "id": "si-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and information integrity procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and information integrity\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-2",
-            "class": "SP800-53",
-            "title": "Flaw Remediation",
-            "parameters": [
-              {
-                "id": "si-2_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "within 30 days of release of updates"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-02"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              },
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies, reports, and corrects information system flaws;"
-                  },
-                  {
-                    "id": "si-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Tests software and firmware updates related to flaw remediation for effectiveness\n                  and potential side effects before installation;"
-                  },
-                  {
-                    "id": "si-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"
-                  },
-                  {
-                    "id": "si-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Incorporates flaw remediation into the organizational configuration management\n                  process."
-                  }
-                ]
-              },
-              {
-                "id": "si-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations identify information systems affected by announced software flaws\n               including potential vulnerabilities resulting from those flaws, and report this\n               information to designated organizational personnel with information security\n               responsibilities. Security-relevant software updates include, for example, patches,\n               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws\n               discovered during security assessments, continuous monitoring, incident response\n               activities, and system error handling. Organizations take advantage of available\n               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and\n               Exposures (CVE) databases in remediating flaws discovered in organizational\n               information systems. By incorporating flaw remediation into ongoing configuration\n               management processes, required/anticipated remediation actions can be tracked and\n               verified. Flaw remediation actions that can be tracked and verified include, for\n               example, determining whether organizations follow US-CERT guidance and Information\n               Assurance Vulnerability Alerts. Organization-defined time periods for updating\n               security-relevant software and firmware may vary based on a variety of factors\n               including, for example, the security category of the information system or the\n               criticality of the update (i.e., severity of the vulnerability related to the\n               discovered flaw). Some types of flaw remediation may require more testing than other\n               types. Organizations determine the degree and type of testing needed for the specific\n               type of flaw remediation activity under consideration and also the types of changes\n               that are to be configuration-managed. In some situations, organizations may determine\n               that the testing of software and/or firmware updates is not necessary or practical,\n               for example, when implementing simple anti-virus signature updates. Organizations may\n               also consider in testing decisions, whether security-relevant software or firmware\n               updates are obtained from authorized sources with appropriate digital signatures.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#si-11",
-                    "rel": "related",
-                    "text": "SI-11"
-                  }
-                ]
-              },
-              {
-                "id": "si-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[1]"
-                          }
-                        ],
-                        "prose": "identifies information system flaws;"
-                      },
-                      {
-                        "id": "si-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[2]"
-                          }
-                        ],
-                        "prose": "reports information system flaws;"
-                      },
-                      {
-                        "id": "si-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[3]"
-                          }
-                        ],
-                        "prose": "corrects information system flaws;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(b)[1]"
-                          }
-                        ],
-                        "prose": "tests software updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"
-                      },
-                      {
-                        "id": "si-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(b)[2]"
-                          }
-                        ],
-                        "prose": "tests firmware updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to install security-relevant software\n                     updates after the release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to install security-relevant firmware\n                     updates after the release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[3]"
-                          }
-                        ],
-                        "prose": "installs software updates within the organization-defined time period of the\n                     release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[4]"
-                          }
-                        ],
-                        "prose": "installs firmware updates within the organization-defined time period of the\n                     release of the updates; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(d)"
-                      }
-                    ],
-                    "prose": "incorporates flaw remediation into the organizational configuration management\n                  process."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nprocedures addressing configuration management\\n\\nlist of flaws and vulnerabilities potentially affecting the information system\\n\\nlist of recent security flaw remediation actions performed on the information\n                  system (e.g., list of installed patches, service packs, hot fixes, and other\n                  software updates to correct information system flaws)\\n\\ntest results from the installation of software and firmware updates to correct\n                  information system flaws\\n\\ninstallation/change control records for security-relevant software and firmware\n                  updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for flaw remediation\\n\\norganizational personnel with configuration management responsibility"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for identifying, reporting, and correcting information\n                  system flaws\\n\\norganizational process for installing software and firmware updates\\n\\nautomated mechanisms supporting and/or implementing reporting, and correcting\n                  information system flaws\\n\\nautomated mechanisms supporting and/or implementing testing software and firmware\n                  updates"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-3",
-            "class": "SP800-53",
-            "title": "Malicious Code Protection",
-            "parameters": [
-              {
-                "id": "si-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least weekly"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_2",
-                "constraints": [
-                  {
-                    "detail": "to include endpoints"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_3",
-                "constraints": [
-                  {
-                    "detail": "to include alerting administrator or defined security personnel"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_4",
-                "depends-on": "si-3_prm_3",
-                "label": "organization-defined action"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-03"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs malicious code protection mechanisms at information system entry and exit\n                  points to detect and eradicate malicious code;"
-                  },
-                  {
-                    "id": "si-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and\n                  procedures;"
-                  },
-                  {
-                    "id": "si-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Configures malicious code protection mechanisms to:",
-                    "parts": [
-                      {
-                        "id": "si-3_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in\n                     accordance with organizational security policy; and"
-                      },
-                      {
-                        "id": "si-3_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "\n                     {{ si-3_prm_3 }} in response to malicious code detection;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Addresses the receipt of false positives during malicious code detection and\n                  eradication and the resulting potential impact on the availability of the\n                  information system."
-                  }
-                ]
-              },
-              {
-                "id": "si-3_gdn",
-                "name": "guidance",
-                "prose": "Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations,\n               notebook computers, and mobile devices. Malicious code includes, for example,\n               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in\n               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden\n               files, or hidden in files using steganography. Malicious code can be transported by\n               different means including, for example, web accesses, electronic mail, electronic\n               mail attachments, and portable storage devices. Malicious code insertions occur\n               through the exploitation of information system vulnerabilities. Malicious code\n               protection mechanisms include, for example, anti-virus signature definitions and\n               reputation-based technologies. A variety of technologies and methods exist to limit\n               or eliminate the effects of malicious code. Pervasive configuration management and\n               comprehensive software integrity controls may be effective in preventing execution of\n               unauthorized code. In addition to commercial off-the-shelf software, malicious code\n               may also be present in custom-built software. This could include, for example, logic\n               bombs, back doors, and other types of cyber attacks that could affect organizational\n               missions/business functions. Traditional malicious code protection mechanisms cannot\n               always detect such code. In these situations, organizations rely instead on other\n               safeguards including, for example, secure coding practices, configuration management\n               and control, trusted procurement processes, and monitoring practices to help ensure\n               that software does not perform functions other than the functions intended.\n               Organizations may determine that in response to the detection of malicious code,\n               different actions may be warranted. For example, organizations can define actions in\n               response to malicious code detection during periodic scans, actions in response to\n               detection of malicious downloads, and/or actions in response to detection of\n               maliciousness when attempting to open or execute files.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sa-13",
-                    "rel": "related",
-                    "text": "SA-13"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-26",
-                    "rel": "related",
-                    "text": "SC-26"
-                  },
-                  {
-                    "href": "#sc-44",
-                    "rel": "related",
-                    "text": "SC-44"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(a)"
-                      }
-                    ],
-                    "prose": "employs malicious code protection mechanisms to detect and eradicate malicious\n                  code at information system:",
-                    "parts": [
-                      {
-                        "id": "si-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(a)[1]"
-                          }
-                        ],
-                        "prose": "entry points;"
-                      },
-                      {
-                        "id": "si-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(a)[2]"
-                          }
-                        ],
-                        "prose": "exit points;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(b)"
-                      }
-                    ],
-                    "prose": "updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and procedures\n                  (as identified in CM-1);"
-                  },
-                  {
-                    "id": "si-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency for malicious code protection mechanisms to perform\n                     periodic scans of the information system;"
-                      },
-                      {
-                        "id": "si-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[2]"
-                          }
-                        ],
-                        "prose": "defines action to be initiated by malicious protection mechanisms in response\n                     to malicious code detection;"
-                      },
-                      {
-                        "id": "si-3.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[3]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-3.c.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-3(c)[3](1)"
-                              }
-                            ],
-                            "prose": "configures malicious code protection mechanisms to:",
-                            "parts": [
-                              {
-                                "id": "si-3.c.1_obj.3.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](1)[a]"
-                                  }
-                                ],
-                                "prose": "perform periodic scans of the information system with the\n                           organization-defined frequency;"
-                              },
-                              {
-                                "id": "si-3.c.1_obj.3.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](1)[b]"
-                                  }
-                                ],
-                                "prose": "perform real-time scans of files from external sources at endpoint and/or\n                           network entry/exit points as the files are downloaded, opened, or\n                           executed in accordance with organizational security policy;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "si-3.c.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-3(c)[3](2)"
-                              }
-                            ],
-                            "prose": "configures malicious code protection mechanisms to do one or more of the\n                        following:",
-                            "parts": [
-                              {
-                                "id": "si-3.c.2_obj.3.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[a]"
-                                  }
-                                ],
-                                "prose": "block malicious code in response to malicious code detection;"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[b]"
-                                  }
-                                ],
-                                "prose": "quarantine malicious code in response to malicious code detection;"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[c]"
-                                  }
-                                ],
-                                "prose": "send alert to administrator in response to malicious code detection;\n                           and/or"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[d]"
-                                  }
-                                ],
-                                "prose": "initiate organization-defined action in response to malicious code\n                           detection;"
-                              }
-                            ]
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(d)[1]"
-                          }
-                        ],
-                        "prose": "addresses the receipt of false positives during malicious code detection and\n                     eradication; and"
-                      },
-                      {
-                        "id": "si-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(d)[2]"
-                          }
-                        ],
-                        "prose": "addresses the resulting potential impact on the availability of the information\n                     system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nconfiguration management policy and procedures\\n\\nprocedures addressing malicious code protection\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nscan results from malicious code protection mechanisms\\n\\nrecord of actions initiated by malicious code protection mechanisms in response to\n                  malicious code detection\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for malicious code protection\\n\\norganizational personnel with configuration management responsibility"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for employing, updating, and configuring malicious code\n                  protection mechanisms\\n\\norganizational process for addressing false positives and resulting potential\n                  impact\\n\\nautomated mechanisms supporting and/or implementing employing, updating, and\n                  configuring malicious code protection mechanisms\\n\\nautomated mechanisms supporting and/or implementing malicious code scanning and\n                  subsequent actions"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-4",
-            "class": "SP800-53",
-            "title": "Information System Monitoring",
-            "parameters": [
-              {
-                "id": "si-4_prm_1",
-                "label": "organization-defined monitoring objectives"
-              },
-              {
-                "id": "si-4_prm_2",
-                "label": "organization-defined techniques and methods"
-              },
-              {
-                "id": "si-4_prm_3",
-                "label": "organization-defined information system monitoring information"
-              },
-              {
-                "id": "si-4_prm_4",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-4_prm_5"
-              },
-              {
-                "id": "si-4_prm_6",
-                "depends-on": "si-4_prm_5",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-04"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ASSESS"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              },
-              {
-                "href": "#672fd561-b92b-4713-b9cf-6c9d9456728b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-92"
-              },
-              {
-                "href": "#d1b1d689-0f66-4474-9924-c81119758dc1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-94"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors the information system to detect:",
-                    "parts": [
-                      {
-                        "id": "si-4_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and"
-                      },
-                      {
-                        "id": "si-4_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Unauthorized local, network, and remote connections;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Identifies unauthorized use of the information system through {{ si-4_prm_2 }};"
-                  },
-                  {
-                    "id": "si-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Deploys monitoring devices:",
-                    "parts": [
-                      {
-                        "id": "si-4_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Strategically within the information system to collect organization-determined\n                     essential information; and"
-                      },
-                      {
-                        "id": "si-4_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "At ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects information obtained from intrusion-monitoring tools from unauthorized\n                  access, modification, and deletion;"
-                  },
-                  {
-                    "id": "si-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"
-                  },
-                  {
-                    "id": "si-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations; and"
-                  },
-                  {
-                    "id": "si-4_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n                  {{ si-4_prm_5 }}."
-                  }
-                ]
-              },
-              {
-                "id": "si-4_gdn",
-                "name": "guidance",
-                "prose": "Information system monitoring includes external and internal monitoring. External\n               monitoring includes the observation of events occurring at the information system\n               boundary (i.e., part of perimeter defense and boundary protection). Internal\n               monitoring includes the observation of events occurring within the information\n               system. Organizations can monitor information systems, for example, by observing\n               audit activities in real time or by observing other system aspects such as access\n               patterns, characteristics of access, and other actions. The monitoring objectives may\n               guide determination of the events. Information system monitoring capability is\n               achieved through a variety of tools and techniques (e.g., intrusion detection\n               systems, intrusion prevention systems, malicious code protection software, scanning\n               tools, audit record monitoring software, network monitoring software). Strategic\n               locations for monitoring devices include, for example, selected perimeter locations\n               and near server farms supporting critical applications, with such devices typically\n               being employed at the managed interfaces associated with controls SC-7 and AC-17.\n               Einstein network monitoring devices from the Department of Homeland Security can also\n               be included as monitoring devices. The granularity of monitoring information\n               collected is based on organizational monitoring objectives and the capability of\n               information systems to support such objectives. Specific types of transactions of\n               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that\n               bypasses HTTP proxies. Information system monitoring is an integral part of\n               organizational continuous monitoring and incident response programs. Output from\n               system monitoring serves as input to continuous monitoring and incident response\n               programs. A network connection is any connection with a device that communicates\n               through a network (e.g., local area network, Internet). A remote connection is any\n               connection with a device communicating through an external network (e.g., the\n               Internet). Local, network, and remote connections can be either wired or\n               wireless.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-8",
-                    "rel": "related",
-                    "text": "AC-8"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-26",
-                    "rel": "related",
-                    "text": "SC-26"
-                  },
-                  {
-                    "href": "#sc-35",
-                    "rel": "related",
-                    "text": "SC-35"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "si-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-4.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines monitoring objectives to detect attacks and indicators of potential\n                        attacks on the information system;"
-                          },
-                          {
-                            "id": "si-4.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "monitors the information system to detect, in accordance with\n                        organization-defined monitoring objectives,:",
-                            "parts": [
-                              {
-                                "id": "si-4.a.1_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-4(a)(1)[2][a]"
-                                  }
-                                ],
-                                "prose": "attacks;"
-                              },
-                              {
-                                "id": "si-4.a.1_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-4(a)(1)[2][b]"
-                                  }
-                                ],
-                                "prose": "indicators of potential attacks;"
-                              }
-                            ]
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-4.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(a)(2)"
-                          }
-                        ],
-                        "prose": "monitors the information system to detect unauthorized:",
-                        "parts": [
-                          {
-                            "id": "si-4.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "local connections;"
-                          },
-                          {
-                            "id": "si-4.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "network connections;"
-                          },
-                          {
-                            "id": "si-4.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "remote connections;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(b)(1)"
-                          }
-                        ],
-                        "prose": "defines techniques and methods to identify unauthorized use of the information\n                     system;"
-                      },
-                      {
-                        "id": "si-4.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(b)(2)"
-                          }
-                        ],
-                        "prose": "identifies unauthorized use of the information system through\n                     organization-defined techniques and methods;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(c)"
-                      }
-                    ],
-                    "prose": "deploys monitoring devices:",
-                    "parts": [
-                      {
-                        "id": "si-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(c)[1]"
-                          }
-                        ],
-                        "prose": "strategically within the information system to collect organization-determined\n                     essential information;"
-                      },
-                      {
-                        "id": "si-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(c)[2]"
-                          }
-                        ],
-                        "prose": "at ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(d)"
-                      }
-                    ],
-                    "prose": "protects information obtained from intrusion-monitoring tools from\n                  unauthorized:",
-                    "parts": [
-                      {
-                        "id": "si-4.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[1]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "si-4.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[2]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      },
-                      {
-                        "id": "si-4.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[3]"
-                          }
-                        ],
-                        "prose": "deletion;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(e)"
-                      }
-                    ],
-                    "prose": "heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"
-                  },
-                  {
-                    "id": "si-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(f)"
-                      }
-                    ],
-                    "prose": "obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations;"
-                  },
-                  {
-                    "id": "si-4.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom information system monitoring information is\n                     to be provided;"
-                      },
-                      {
-                        "id": "si-4.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[2]"
-                          }
-                        ],
-                        "prose": "defines information system monitoring information to be provided to\n                     organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "si-4.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[3]"
-                          }
-                        ],
-                        "prose": "defines a frequency to provide organization-defined information system\n                     monitoring to organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "si-4.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[4]"
-                          }
-                        ],
-                        "prose": "provides organization-defined information system monitoring information to\n                     organization-defined personnel or roles one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "si-4.g_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(g)[4][a]"
-                              }
-                            ],
-                            "prose": "as needed; and/or"
-                          },
-                          {
-                            "id": "si-4.g_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(g)[4][b]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Continuous monitoring strategy\\n\\nsystem and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\nfacility diagram/layout\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\nlocations within information system where monitoring devices are deployed\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility monitoring the information system"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system monitoring\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-5",
-            "class": "SP800-53",
-            "title": "Security Alerts, Advisories, and Directives",
-            "parameters": [
-              {
-                "id": "si-5_prm_1",
-                "label": "organization-defined external organizations"
-              },
-              {
-                "id": "si-5_prm_2"
-              },
-              {
-                "id": "si-5_prm_3",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-5_prm_4",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined elements within the organization"
-              },
-              {
-                "id": "si-5_prm_5",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined external organizations"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-05"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Receives information system security alerts, advisories, and directives from\n                     {{ si-5_prm_1 }} on an ongoing basis;"
-                  },
-                  {
-                    "id": "si-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Generates internal security alerts, advisories, and directives as deemed\n                  necessary;"
-                  },
-                  {
-                    "id": "si-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"
-                  },
-                  {
-                    "id": "si-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Implements security directives in accordance with established time frames, or\n                  notifies the issuing organization of the degree of noncompliance."
-                  }
-                ]
-              },
-              {
-                "id": "si-5_gdn",
-                "name": "guidance",
-                "prose": "The United States Computer Emergency Readiness Team (US-CERT) generates security\n               alerts and advisories to maintain situational awareness across the federal\n               government. Security directives are issued by OMB or other designated organizations\n               with the responsibility and authority to issue such directives. Compliance to\n               security directives is essential due to the critical nature of many of these\n               directives and the potential immediate adverse effects on organizational operations\n               and assets, individuals, other organizations, and the Nation should the directives\n               not be implemented in a timely manner. External organizations include, for example,\n               external mission/business partners, supply chain partners, external service\n               providers, and other peer/supporting organizations.",
-                "links": [
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(a)[1]"
-                          }
-                        ],
-                        "prose": "defines external organizations from whom information system security alerts,\n                     advisories and directives are to be received;"
-                      },
-                      {
-                        "id": "si-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(a)[2]"
-                          }
-                        ],
-                        "prose": "receives information system security alerts, advisories, and directives from\n                     organization-defined external organizations on an ongoing basis;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(b)"
-                      }
-                    ],
-                    "prose": "generates internal security alerts, advisories, and directives as deemed\n                  necessary;"
-                  },
-                  {
-                    "id": "si-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom security alerts, advisories, and directives\n                     are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[2]"
-                          }
-                        ],
-                        "prose": "defines elements within the organization to whom security alerts, advisories,\n                     and directives are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[3]"
-                          }
-                        ],
-                        "prose": "defines external organizations to whom security alerts, advisories, and\n                     directives are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[4]"
-                          }
-                        ],
-                        "prose": "disseminates security alerts, advisories, and directives to one or more of the\n                     following:",
-                        "parts": [
-                          {
-                            "id": "si-5.c_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][a]"
-                              }
-                            ],
-                            "prose": "organization-defined personnel or roles;"
-                          },
-                          {
-                            "id": "si-5.c_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][b]"
-                              }
-                            ],
-                            "prose": "organization-defined elements within the organization; and/or"
-                          },
-                          {
-                            "id": "si-5.c_obj.4.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][c]"
-                              }
-                            ],
-                            "prose": "organization-defined external organizations; and"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(d)[1]"
-                          }
-                        ],
-                        "prose": "implements security directives in accordance with established time frames;\n                     or"
-                      },
-                      {
-                        "id": "si-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(d)[2]"
-                          }
-                        ],
-                        "prose": "notifies the issuing organization of the degree of noncompliance."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\nrecords of security alerts and advisories\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                  information system\\n\\norganizational personnel, organizational elements, and/or external organizations\n                  to whom alerts, advisories, and directives are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining, receiving, generating, disseminating, and\n                  complying with security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing definition, receipt,\n                  generation, and dissemination of security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing security directives"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-12",
-            "class": "SP800-53",
-            "title": "Information Handling and Retention",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-12"
-              },
-              {
-                "name": "method",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "value": "ATTEST"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-12_smt",
-                "name": "statement",
-                "prose": "The organization handles and retains information within the information system and\n               information output from the system in accordance with applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and operational\n               requirements."
-              },
-              {
-                "id": "si-12_gdn",
-                "name": "guidance",
-                "prose": "Information handling and retention requirements cover the full life cycle of\n               information, in some cases extending beyond the disposal of information systems. The\n               National Archives and Records Administration provides guidance on records\n               retention.",
-                "links": [
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-11",
-                    "rel": "related",
-                    "text": "AU-11"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  }
-                ]
-              },
-              {
-                "id": "si-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization, in accordance with applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and operational\n               requirements:",
-                "parts": [
-                  {
-                    "id": "si-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[1]"
-                      }
-                    ],
-                    "prose": "handles information within the information system;"
-                  },
-                  {
-                    "id": "si-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[2]"
-                      }
-                    ],
-                    "prose": "handles output from the information system;"
-                  },
-                  {
-                    "id": "si-12_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[3]"
-                      }
-                    ],
-                    "prose": "retains information within the information system; and"
-                  },
-                  {
-                    "id": "si-12_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[4]"
-                      }
-                    ],
-                    "prose": "retains output from the information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nfederal laws, Executive Orders, directives, policies, regulations, standards, and\n                  operational requirements applicable to information handling and retention\\n\\nmedia protection policy and procedures\\n\\nprocedures addressing information system output handling and retention\\n\\ninformation retention records, other relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for information handling and\n                  retention\\n\\norganizational personnel with information security responsibilities/network\n                  administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information handling and retention\\n\\nautomated mechanisms supporting and/or implementing information handling and\n                  retention"
-                  }
-                ]
-              },
-              {
-                "name": "guidance",
-                "class": "FedRAMP-Tailored-LI-SaaS",
-                "prose": "Attestation - Specifically related to US-CERT and FedRAMP communications\n                  procedures."
-              }
-            ]
-          }
-        ]
-      }
-    ],
-    "back-matter": {
-      "resources": [
-        {
-          "uuid": "0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-          "title": "5 C.F.R. 731.106",
-          "citation": {
-            "text": "Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,\n               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.\n               731.106)."
-          },
-          "rlinks": [
-            {
-              "href": "http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"
-            }
-          ]
-        },
-        {
-          "uuid": "bb61234b-46c3-4211-8c2b-9869222a720d",
-          "title": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)",
-          "citation": {
-            "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"
-            }
-          ]
-        },
-        {
-          "uuid": "a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-          "title": "CNSS Policy 15",
-          "citation": {
-            "text": "CNSS Policy 15"
-          },
-          "rlinks": [
-            {
-              "href": "https://www.cnss.gov/policies.html"
-            }
-          ]
-        },
-        {
-          "uuid": "2d8b14e9-c8b5-4d3d-8bdc-155078f3281b",
-          "title": "DoD Information Assurance Vulnerability Alerts",
-          "citation": {
-            "text": "DoD Information Assurance Vulnerability Alerts"
-          }
-        },
-        {
-          "uuid": "61081e7f-041d-4033-96a7-44a439071683",
-          "title": "DoD Instruction 5200.39",
-          "citation": {
-            "text": "DoD Instruction 5200.39"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "e42b2099-3e1c-415b-952c-61c96533c12e",
-          "title": "DoD Instruction 8551.01",
-          "citation": {
-            "text": "DoD Instruction 8551.01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-          "title": "Executive Order 13587",
-          "citation": {
-            "text": "Executive Order 13587"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"
-            }
-          ]
-        },
-        {
-          "uuid": "56d671da-6b7b-4abf-8296-84b61980390a",
-          "title": "Federal Acquisition Regulation",
-          "citation": {
-            "text": "Federal Acquisition Regulation"
-          },
-          "rlinks": [
-            {
-              "href": "https://acquisition.gov/far"
-            }
-          ]
-        },
-        {
-          "uuid": "023104bc-6f75-4cd5-b7d0-fc92326f8007",
-          "title": "Federal Continuity Directive 1",
-          "citation": {
-            "text": "Federal Continuity Directive 1"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.fema.gov/pdf/about/offices/fcd1.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-          "title": "FICAM Roadmap and Implementation Guidance",
-          "citation": {
-            "text": "FICAM Roadmap and Implementation Guidance"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"
-            }
-          ]
-        },
-        {
-          "uuid": "39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-          "title": "FIPS Publication 140",
-          "citation": {
-            "text": "FIPS Publication 140"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html"
-            }
-          ]
-        },
-        {
-          "uuid": "d715b234-9b5b-4e07-b1ed-99836727664d",
-          "title": "FIPS Publication 140-2",
-          "citation": {
-            "text": "FIPS Publication 140-2"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#140-2"
-            }
-          ]
-        },
-        {
-          "uuid": "f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-          "title": "FIPS Publication 197",
-          "citation": {
-            "text": "FIPS Publication 197"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#197"
-            }
-          ]
-        },
-        {
-          "uuid": "e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-          "title": "FIPS Publication 199",
-          "citation": {
-            "text": "FIPS Publication 199"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#199"
-            }
-          ]
-        },
-        {
-          "uuid": "c80c10b3-1294-4984-a4cc-d1733ca432b9",
-          "title": "FIPS Publication 201",
-          "citation": {
-            "text": "FIPS Publication 201"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#201"
-            }
-          ]
-        },
-        {
-          "uuid": "ad733a42-a7ed-4774-b988-4930c28852f3",
-          "title": "HSPD-12",
-          "citation": {
-            "text": "HSPD-12"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dhs.gov/homeland-security-presidential-directive-12"
-            }
-          ]
-        },
-        {
-          "uuid": "e95dd121-2733-413e-bf1e-f1eb49f20a98",
-          "title": "http://checklists.nist.gov",
-          "citation": {
-            "text": "http://checklists.nist.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://checklists.nist.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "6a1041fc-054e-4230-946b-2e6f4f3731bb",
-          "title": "http://csrc.nist.gov/cryptval",
-          "citation": {
-            "text": "http://csrc.nist.gov/cryptval"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/cryptval"
-            }
-          ]
-        },
-        {
-          "uuid": "b09d1a31-d3c9-4138-a4f4-4c63816afd7d",
-          "title": "http://csrc.nist.gov/groups/STM/cmvp/index.html",
-          "citation": {
-            "text": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-            }
-          ]
-        },
-        {
-          "uuid": "15522e92-9192-463d-9646-6a01982db8ca",
-          "title": "http://cwe.mitre.org",
-          "citation": {
-            "text": "http://cwe.mitre.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://cwe.mitre.org"
-            }
-          ]
-        },
-        {
-          "uuid": "5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-          "title": "http://fips201ep.cio.gov",
-          "citation": {
-            "text": "http://fips201ep.cio.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://fips201ep.cio.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "85280698-0417-489d-b214-12bb935fb939",
-          "title": "http://idmanagement.gov",
-          "citation": {
-            "text": "http://idmanagement.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://idmanagement.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "275cc052-0f7f-423c-bdb6-ed503dc36228",
-          "title": "http://nvd.nist.gov",
-          "citation": {
-            "text": "http://nvd.nist.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://nvd.nist.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "bbd50dd1-54ce-4432-959d-63ea564b1bb4",
-          "title": "http://www.acquisition.gov/far",
-          "citation": {
-            "text": "http://www.acquisition.gov/far"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.acquisition.gov/far"
-            }
-          ]
-        },
-        {
-          "uuid": "9b97ed27-3dd6-4f9a-ade5-1b43e9669794",
-          "title": "http://www.cnss.gov",
-          "citation": {
-            "text": "http://www.cnss.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.cnss.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "c95a9986-3cd6-4a98-931b-ccfc56cb11e5",
-          "title": "http://www.niap-ccevs.org",
-          "citation": {
-            "text": "http://www.niap-ccevs.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.niap-ccevs.org"
-            }
-          ]
-        },
-        {
-          "uuid": "647b6de3-81d0-4d22-bec1-5f1333e34380",
-          "title": "http://www.nsa.gov",
-          "citation": {
-            "text": "http://www.nsa.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nsa.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "a47466c4-c837-4f06-a39f-e68412a5f73d",
-          "title": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml",
-          "citation": {
-            "text": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-            }
-          ]
-        },
-        {
-          "uuid": "02631467-668b-4233-989b-3dfded2fd184",
-          "title": "http://www.us-cert.gov",
-          "citation": {
-            "text": "http://www.us-cert.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.us-cert.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "6caa237b-531b-43ac-9711-d8f6b97b0377",
-          "title": "ICD 704",
-          "citation": {
-            "text": "ICD 704"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"
-            }
-          ]
-        },
-        {
-          "uuid": "398e33fd-f404-4e5c-b90e-2d50d3181244",
-          "title": "ICD 705",
-          "citation": {
-            "text": "ICD 705"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"
-            }
-          ]
-        },
-        {
-          "uuid": "1737a687-52fb-4008-b900-cbfa836f7b65",
-          "title": "ISO/IEC 15408",
-          "citation": {
-            "text": "ISO/IEC 15408"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"
-            }
-          ]
-        },
-        {
-          "uuid": "654f21e2-f3bc-43b2-abdc-60ab8d09744b",
-          "title": "National Strategy for Trusted Identities in Cyberspace",
-          "citation": {
-            "text": "National Strategy for Trusted Identities in Cyberspace"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nist.gov/nstic"
-            }
-          ]
-        },
-        {
-          "uuid": "9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-          "title": "NIST Special Publication 800-100",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-100"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-100"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-100"
-            }
-          ]
-        },
-        {
-          "uuid": "3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-          "title": "NIST Special Publication 800-111",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-111"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-111"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-111"
-            }
-          ]
-        },
-        {
-          "uuid": "349fe082-502d-464a-aa0c-1443c6a5cf40",
-          "title": "NIST Special Publication 800-113",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-113"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-113"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-113"
-            }
-          ]
-        },
-        {
-          "uuid": "1201fcf3-afb1-4675-915a-fb4ae0435717",
-          "title": "NIST Special Publication 800-114 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-114r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-114 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-114r1"
-            }
-          ]
-        },
-        {
-          "uuid": "c4691b88-57d1-463b-9053-2d0087913f31",
-          "title": "NIST Special Publication 800-115",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-115"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-115"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-115"
-            }
-          ]
-        },
-        {
-          "uuid": "2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-          "title": "NIST Special Publication 800-116 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-116r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-116 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-116r1"
-            }
-          ]
-        },
-        {
-          "uuid": "5c201b63-0768-417b-ac22-3f014e3941b2",
-          "title": "NIST Special Publication 800-12 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-12r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-12 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-12r1"
-            }
-          ]
-        },
-        {
-          "uuid": "d1a4e2a9-e512-4132-8795-5357aba29254",
-          "title": "NIST Special Publication 800-121",
-          "citation": {
-            "text": "NIST Special Publication 800-121"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-121"
-            }
-          ]
-        },
-        {
-          "uuid": "0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589",
-          "title": "NIST Special Publication 800-124",
-          "citation": {
-            "text": "NIST Special Publication 800-124"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-124"
-            }
-          ]
-        },
-        {
-          "uuid": "080f8068-5e3e-435e-9790-d22ba4722693",
-          "title": "NIST Special Publication 800-128",
-          "citation": {
-            "text": "NIST Special Publication 800-128"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-128"
-            }
-          ]
-        },
-        {
-          "uuid": "cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-          "title": "NIST Special Publication 800-137",
-          "citation": {
-            "text": "NIST Special Publication 800-137"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-137"
-            }
-          ]
-        },
-        {
-          "uuid": "825438c3-248d-4e30-a51e-246473ce6ada",
-          "title": "NIST Special Publication 800-16",
-          "citation": {
-            "text": "NIST Special Publication 800-16"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-16"
-            }
-          ]
-        },
-        {
-          "uuid": "6513e480-fada-4876-abba-1397084dfb26",
-          "title": "NIST Special Publication 800-164",
-          "citation": {
-            "text": "NIST Special Publication 800-164"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-164"
-            }
-          ]
-        },
-        {
-          "uuid": "9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-          "title": "NIST Special Publication 800-18",
-          "citation": {
-            "text": "NIST Special Publication 800-18"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-18"
-            }
-          ]
-        },
-        {
-          "uuid": "0a5db899-f033-467f-8631-f5a8ba971475",
-          "title": "NIST Special Publication 800-23",
-          "citation": {
-            "text": "NIST Special Publication 800-23"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-23"
-            }
-          ]
-        },
-        {
-          "uuid": "a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-          "title": "NIST Special Publication 800-30",
-          "citation": {
-            "text": "NIST Special Publication 800-30"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-30"
-            }
-          ]
-        },
-        {
-          "uuid": "748a81b9-9cad-463f-abde-8b368167e70d",
-          "title": "NIST Special Publication 800-34",
-          "citation": {
-            "text": "NIST Special Publication 800-34"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-34"
-            }
-          ]
-        },
-        {
-          "uuid": "0c775bc3-bfc3-42c7-a382-88949f503171",
-          "title": "NIST Special Publication 800-35",
-          "citation": {
-            "text": "NIST Special Publication 800-35"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-35"
-            }
-          ]
-        },
-        {
-          "uuid": "d818efd3-db31-4953-8afa-9e76afe83ce2",
-          "title": "NIST Special Publication 800-36",
-          "citation": {
-            "text": "NIST Special Publication 800-36"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-36"
-            }
-          ]
-        },
-        {
-          "uuid": "0a0c26b6-fd44-4274-8b36-93442d49d998",
-          "title": "NIST Special Publication 800-37",
-          "citation": {
-            "text": "NIST Special Publication 800-37"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-37"
-            }
-          ]
-        },
-        {
-          "uuid": "d480aa6a-7a88-424e-a10c-ad1c7870354b",
-          "title": "NIST Special Publication 800-39",
-          "citation": {
-            "text": "NIST Special Publication 800-39"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-39"
-            }
-          ]
-        },
-        {
-          "uuid": "bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-          "title": "NIST Special Publication 800-40",
-          "citation": {
-            "text": "NIST Special Publication 800-40"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-40"
-            }
-          ]
-        },
-        {
-          "uuid": "756a8e86-57d5-4701-8382-f7a40439665a",
-          "title": "NIST Special Publication 800-41",
-          "citation": {
-            "text": "NIST Special Publication 800-41"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-41"
-            }
-          ]
-        },
-        {
-          "uuid": "5309d4d0-46f8-4213-a749-e7584164e5e8",
-          "title": "NIST Special Publication 800-46",
-          "citation": {
-            "text": "NIST Special Publication 800-46"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-46"
-            }
-          ]
-        },
-        {
-          "uuid": "2711f068-734e-4afd-94ba-0b22247fbc88",
-          "title": "NIST Special Publication 800-47",
-          "citation": {
-            "text": "NIST Special Publication 800-47"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-47"
-            }
-          ]
-        },
-        {
-          "uuid": "238ed479-eccb-49f6-82ec-ab74a7a428cf",
-          "title": "NIST Special Publication 800-48",
-          "citation": {
-            "text": "NIST Special Publication 800-48"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-48"
-            }
-          ]
-        },
-        {
-          "uuid": "e12b5738-de74-4fb3-8317-a3995a8a1898",
-          "title": "NIST Special Publication 800-50",
-          "citation": {
-            "text": "NIST Special Publication 800-50"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-50"
-            }
-          ]
-        },
-        {
-          "uuid": "cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-          "title": "NIST Special Publication 800-53A",
-          "citation": {
-            "text": "NIST Special Publication 800-53A"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-53A"
-            }
-          ]
-        },
-        {
-          "uuid": "81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-          "title": "NIST Special Publication 800-56",
-          "citation": {
-            "text": "NIST Special Publication 800-56"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-56"
-            }
-          ]
-        },
-        {
-          "uuid": "a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-          "title": "NIST Special Publication 800-57",
-          "citation": {
-            "text": "NIST Special Publication 800-57"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-57"
-            }
-          ]
-        },
-        {
-          "uuid": "f152844f-b1ef-4836-8729-6277078ebee1",
-          "title": "NIST Special Publication 800-60",
-          "citation": {
-            "text": "NIST Special Publication 800-60"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-60"
-            }
-          ]
-        },
-        {
-          "uuid": "be95fb85-a53f-4624-bdbb-140075500aa3",
-          "title": "NIST Special Publication 800-61",
-          "citation": {
-            "text": "NIST Special Publication 800-61"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-61"
-            }
-          ]
-        },
-        {
-          "uuid": "644f44a9-a2de-4494-9c04-cd37fba45471",
-          "title": "NIST Special Publication 800-63",
-          "citation": {
-            "text": "NIST Special Publication 800-63"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-63"
-            }
-          ]
-        },
-        {
-          "uuid": "abd950ae-092f-4b7a-b374-1c7c67fe9350",
-          "title": "NIST Special Publication 800-64",
-          "citation": {
-            "text": "NIST Special Publication 800-64"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-64"
-            }
-          ]
-        },
-        {
-          "uuid": "29fcfe59-33cd-494a-8756-5907ae3a8f92",
-          "title": "NIST Special Publication 800-65",
-          "citation": {
-            "text": "NIST Special Publication 800-65"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-65"
-            }
-          ]
-        },
-        {
-          "uuid": "84a37532-6db6-477b-9ea8-f9085ebca0fc",
-          "title": "NIST Special Publication 800-70",
-          "citation": {
-            "text": "NIST Special Publication 800-70"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-70"
-            }
-          ]
-        },
-        {
-          "uuid": "ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-          "title": "NIST Special Publication 800-73",
-          "citation": {
-            "text": "NIST Special Publication 800-73"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-73"
-            }
-          ]
-        },
-        {
-          "uuid": "2a71298a-ee90-490e-80ff-48c967173a47",
-          "title": "NIST Special Publication 800-76",
-          "citation": {
-            "text": "NIST Special Publication 800-76"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-76"
-            }
-          ]
-        },
-        {
-          "uuid": "99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-          "title": "NIST Special Publication 800-77",
-          "citation": {
-            "text": "NIST Special Publication 800-77"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-77"
-            }
-          ]
-        },
-        {
-          "uuid": "2042d97b-f7f6-4c74-84f8-981867684659",
-          "title": "NIST Special Publication 800-78",
-          "citation": {
-            "text": "NIST Special Publication 800-78"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-78"
-            }
-          ]
-        },
-        {
-          "uuid": "6af1e841-672c-46c4-b121-96f603d04be3",
-          "title": "NIST Special Publication 800-81",
-          "citation": {
-            "text": "NIST Special Publication 800-81"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-81"
-            }
-          ]
-        },
-        {
-          "uuid": "6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-          "title": "NIST Special Publication 800-83",
-          "citation": {
-            "text": "NIST Special Publication 800-83"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-83"
-            }
-          ]
-        },
-        {
-          "uuid": "0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-          "title": "NIST Special Publication 800-84",
-          "citation": {
-            "text": "NIST Special Publication 800-84"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-84"
-            }
-          ]
-        },
-        {
-          "uuid": "263823e0-a971-4b00-959d-315b26278b22",
-          "title": "NIST Special Publication 800-88",
-          "citation": {
-            "text": "NIST Special Publication 800-88"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-88"
-            }
-          ]
-        },
-        {
-          "uuid": "672fd561-b92b-4713-b9cf-6c9d9456728b",
-          "title": "NIST Special Publication 800-92",
-          "citation": {
-            "text": "NIST Special Publication 800-92"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-92"
-            }
-          ]
-        },
-        {
-          "uuid": "d1b1d689-0f66-4474-9924-c81119758dc1",
-          "title": "NIST Special Publication 800-94",
-          "citation": {
-            "text": "NIST Special Publication 800-94"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-94"
-            }
-          ]
-        },
-        {
-          "uuid": "6f336ecd-f2a0-4c84-9699-0491d81b6e0d",
-          "title": "NIST Special Publication 800-97",
-          "citation": {
-            "text": "NIST Special Publication 800-97"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-97"
-            }
-          ]
-        },
-        {
-          "uuid": "9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab",
-          "title": "OMB Circular A-130",
-          "citation": {
-            "text": "OMB Circular A-130"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/omb/circulars_a130_a130trans4"
-            }
-          ]
-        },
-        {
-          "uuid": "2c5884cd-7b96-425c-862a-99877e1cf909",
-          "title": "OMB Memorandum 02-01",
-          "citation": {
-            "text": "OMB Memorandum 02-01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/omb/memoranda_m02-01"
-            }
-          ]
-        },
-        {
-          "uuid": "ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-          "title": "OMB Memorandum 04-04",
-          "citation": {
-            "text": "OMB Memorandum 04-04"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "4da24a96-6cf8-435d-9d1f-c73247cad109",
-          "title": "OMB Memorandum 06-16",
-          "citation": {
-            "text": "OMB Memorandum 06-16"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "990268bf-f4a9-4c81-91ae-dc7d3115f4b1",
-          "title": "OMB Memorandum 07-11",
-          "citation": {
-            "text": "OMB Memorandum 07-11"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "0b3d8ba9-051f-498d-81ea-97f0f018c612",
-          "title": "OMB Memorandum 07-18",
-          "citation": {
-            "text": "OMB Memorandum 07-18"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "0916ef02-3618-411b-a525-565c088849a6",
-          "title": "OMB Memorandum 08-22",
-          "citation": {
-            "text": "OMB Memorandum 08-22"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "28115a56-da6b-4d44-b1df-51dd7f048a3e",
-          "title": "OMB Memorandum 08-23",
-          "citation": {
-            "text": "OMB Memorandum 08-23"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "599fe9ba-4750-4450-9eeb-b95bd19a5e8f",
-          "title": "OMB Memorandum 10-06-2011",
-          "citation": {
-            "text": "OMB Memorandum 10-06-2011"
-          }
-        },
-        {
-          "uuid": "74e740a4-c45d-49f3-a86e-eb747c549e01",
-          "title": "OMB Memorandum 11-11",
-          "citation": {
-            "text": "OMB Memorandum 11-11"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "bedb15b7-ec5c-4a68-807f-385125751fcd",
-          "title": "OMB Memorandum 11-33",
-          "citation": {
-            "text": "OMB Memorandum 11-33"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "dd2f5acd-08f1-435a-9837-f8203088dc1a",
-          "title": "Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n            (E-PACS)",
-          "citation": {
-            "text": "Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n               (E-PACS)"
-          }
-        },
-        {
-          "uuid": "8ade2fbe-e468-4ca8-9a40-54d7f23c32bb",
-          "title": "US-CERT Technical Cyber Security Alerts",
-          "citation": {
-            "text": "US-CERT Technical Cyber Security Alerts"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.us-cert.gov/ncas/alerts"
-            }
-          ]
-        },
-        {
-          "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48",
-          "title": "FedRAMP Applicable Laws and Regulations",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-citations"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-            }
-          ]
-        },
-        {
-          "uuid": "1a23a771-d481-4594-9a1a-71d584fa4123",
-          "title": "FedRAMP Master Acronym and Glossary",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-acronyms"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f",
-          "desc": "FedRAMP Logo",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-logo"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png"
-            }
-          ]
-        },
-        {
-          "uuid": "ad005eae-cc63-4e64-9109-3905a9a825e4",
-          "title": "NIST Special Publication (SP) 800-53",
-          "properties": [
-            {
-              "name": "version",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "Revision 4"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-              "media-type": "application/xml"
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
diff --git a/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline_profile-min.json b/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline_profile-min.json
deleted file mode 100644
index d1f44cc8c8..0000000000
--- a/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline_profile-min.json
+++ /dev/null
@@ -1 +0,0 @@
-{"profile":{"uuid":"48d3387b-e554-4232-97bc-a8617cf238d9","metadata":{"title":"FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline","published":"2020-02-02T00:00:00.000-05:00","last-modified":"2020-06-01T10:00:00.000-05:00","version":"1.2","oscal-version":"1.0.0-milestone3","roles":[{"id":"parpared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"parties":[{"uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","type":"organization","party-name":"Federal Risk and Authorization Management Program: Program Management Office","short-name":"FedRAMP PMO","links":[{"href":"https://fedramp.gov","rel":"homepage","text":""}],"addresses":[{"type":"work","postal-address":["1800 F St. NW",""],"city":"Washington","state":"DC","postal-code":"","country":"US"}],"email-addresses":["info@fedramp.gov"]},{"uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","type":"organization","party-name":"Federal Risk and Authorization Management Program: Joint Authorization Board","short-name":"FedRAMP JAB"}],"responsible-parties":{"prepared-by":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-pmo":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-jab":{"party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}}},"imports":[{"href":"#ad005eae-cc63-4e64-9109-3905a9a825e4","include":{"id-selectors":[{"control-id":"ac-1"},{"control-id":"ac-2"},{"control-id":"ac-3"},{"control-id":"ac-7"},{"control-id":"ac-8"},{"control-id":"ac-14"},{"control-id":"ac-17"},{"control-id":"ac-18"},{"control-id":"ac-19"},{"control-id":"ac-20"},{"control-id":"ac-22"},{"control-id":"at-1"},{"control-id":"at-2"},{"control-id":"at-3"},{"control-id":"at-4"},{"control-id":"au-1"},{"control-id":"au-2"},{"control-id":"au-3"},{"control-id":"au-4"},{"control-id":"au-5"},{"control-id":"au-6"},{"control-id":"au-8"},{"control-id":"au-9"},{"control-id":"au-11"},{"control-id":"au-12"},{"control-id":"ca-1"},{"control-id":"ca-2"},{"control-id":"ca-2.1"},{"control-id":"ca-3"},{"control-id":"ca-5"},{"control-id":"ca-6"},{"control-id":"ca-7"},{"control-id":"ca-9"},{"control-id":"cm-1"},{"control-id":"cm-2"},{"control-id":"cm-4"},{"control-id":"cm-6"},{"control-id":"cm-7"},{"control-id":"cm-8"},{"control-id":"cm-10"},{"control-id":"cm-11"},{"control-id":"cp-1"},{"control-id":"cp-2"},{"control-id":"cp-3"},{"control-id":"cp-4"},{"control-id":"cp-9"},{"control-id":"cp-10"},{"control-id":"ia-1"},{"control-id":"ia-2"},{"control-id":"ia-2.1"},{"control-id":"ia-2.12"},{"control-id":"ia-4"},{"control-id":"ia-5"},{"control-id":"ia-5.1"},{"control-id":"ia-5.11"},{"control-id":"ia-6"},{"control-id":"ia-7"},{"control-id":"ia-8"},{"control-id":"ia-8.1"},{"control-id":"ia-8.2"},{"control-id":"ia-8.3"},{"control-id":"ia-8.4"},{"control-id":"ir-1"},{"control-id":"ir-2"},{"control-id":"ir-4"},{"control-id":"ir-5"},{"control-id":"ir-6"},{"control-id":"ir-7"},{"control-id":"ir-8"},{"control-id":"ir-9"},{"control-id":"ma-1"},{"control-id":"ma-2"},{"control-id":"ma-4"},{"control-id":"ma-5"},{"control-id":"mp-1"},{"control-id":"mp-2"},{"control-id":"mp-6"},{"control-id":"mp-7"},{"control-id":"pe-1"},{"control-id":"pe-2"},{"control-id":"pe-3"},{"control-id":"pe-6"},{"control-id":"pe-8"},{"control-id":"pe-12"},{"control-id":"pe-13"},{"control-id":"pe-14"},{"control-id":"pe-15"},{"control-id":"pe-16"},{"control-id":"pl-1"},{"control-id":"pl-2"},{"control-id":"pl-4"},{"control-id":"ps-1"},{"control-id":"ps-2"},{"control-id":"ps-3"},{"control-id":"ps-4"},{"control-id":"ps-5"},{"control-id":"ps-6"},{"control-id":"ps-7"},{"control-id":"ps-8"},{"control-id":"ra-1"},{"control-id":"ra-2"},{"control-id":"ra-3"},{"control-id":"ra-5"},{"control-id":"sa-1"},{"control-id":"sa-2"},{"control-id":"sa-3"},{"control-id":"sa-4"},{"control-id":"sa-4.10"},{"control-id":"sa-5"},{"control-id":"sa-9"},{"control-id":"sc-1"},{"control-id":"sc-5"},{"control-id":"sc-7"},{"control-id":"sc-12"},{"control-id":"sc-13"},{"control-id":"sc-15"},{"control-id":"sc-20"},{"control-id":"sc-21"},{"control-id":"sc-22"},{"control-id":"sc-39"},{"control-id":"si-1"},{"control-id":"si-2"},{"control-id":"si-3"},{"control-id":"si-4"},{"control-id":"si-5"},{"control-id":"si-12"}]}}],"merge":{"combine":{"method":"keep"},"as-is":true},"modify":{"parameter-settings":{"ac-22_prm_1":{"constraints":[{"detail":"at least quarterly"}]},"au-5_prm_2":{"constraints":[{"detail":"organization-defined actions to be taken (overwrite oldest record)"}]},"au-6_prm_1":{"constraints":[{"detail":"at least weekly"}]},"ca-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"ca-2_prm_2":{"constraints":[{"detail":"individuals or roles to include FedRAMP PMO"}]},"ca-3_prm_1":{"constraints":[{"detail":"at least annually and on input from FedRAMP"}]},"ca-5_prm_1":{"constraints":[{"detail":"at least monthly"}]},"ca-6_prm_1":{"constraints":[{"detail":"at least every three years or when a significant change occurs"}]},"ca-7_prm_4":{"constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},"ca-7_prm_5":{"constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},"cm-6_prm_1":{"constraints":[{"detail":"see CM-6(a) Additional FedRAMP Requirements and Guidance"}]},"cm-8_prm_2":{"constraints":[{"detail":"at least monthly"}]},"cp-9_prm_1":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9_prm_2":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9_prm_3":{"constraints":[{"detail":"daily incremental; weekly full"}]},"ir-6_prm_1":{"constraints":[{"detail":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},"pe-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"pe-3_prm_2":{"constraints":[{"detail":"CSP defined physical access control systems/devices AND guards"}]},"pe-3_prm_6":{"constraints":[{"detail":"in all circumstances within restricted access area where the information system resides"}]},"pe-3_prm_8":{"constraints":[{"detail":"at least annually"}]},"pe-3_prm_9":{"constraints":[{"detail":"at least annually"}]},"pe-6_prm_1":{"constraints":[{"detail":"at least monthly"}]},"pe-8_prm_1":{"constraints":[{"detail":"for a minimum of one (1) year"}]},"pe-8_prm_2":{"constraints":[{"detail":"at least monthly"}]},"pe-14_prm_1":{"constraints":[{"detail":"consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},"pe-14_prm_2":{"constraints":[{"detail":"continuously"}]},"pe-16_prm_1":{"constraints":[{"detail":"all information system components"}]},"pl-2_prm_2":{"constraints":[{"detail":"at least annually"}]},"ps-3_prm_1":{"constraints":[{"detail":"For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions."}]},"ra-3_prm_2":{"constraints":[{"detail":"security assessment report"}]},"ra-3_prm_3":{"constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},"ra-3_prm_5":{"constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},"ra-5_prm_1":{"constraints":[{"detail":"monthly operating system/infrastructure; monthly web applications and databases"}]},"ra-5_prm_2":{"constraints":[{"detail":"[high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."}]},"sa-9_prm_1":{"constraints":[{"detail":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},"sa-9_prm_2":{"constraints":[{"detail":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]},"sc-13_prm_1":{"constraints":[{"detail":"FIPS-validated or NSA-approved cryptography"}]},"si-2_prm_1":{"constraints":[{"detail":"within 30 days of release of updates"}]},"si-3_prm_1":{"constraints":[{"detail":"at least weekly"}]},"si-3_prm_2":{"constraints":[{"detail":"to include endpoints"}]},"si-3_prm_3":{"constraints":[{"detail":"to include alerting administrator or defined security personnel"}]}},"alterations":[{"control-id":"ac-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ac-2","removals":[{"id-ref":"ac-2_smt.b"},{"id-ref":"ac-2_smt.c"},{"id-ref":"ac-2_smt.d"},{"id-ref":"ac-2_smt.e"},{"id-ref":"ac-2_smt.i"},{"id-ref":"ac-2_smt.j"},{"id-ref":"ac-2_smt.k"},{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ac-2_fr","name":"item","title":"AC-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored\n                     for LI-SaaS."}]}]}]},{"control-id":"ac-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"ac-7","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO for non-privileged users. Attestation for privileged users related to\n                  multi-factor identification and authentication."}]}]},{"control-id":"ac-8","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - This is related to agency data and agency policy solution."}]}]},{"control-id":"ac-14","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - This is related to agency data and agency policy solution."}]}]},{"control-id":"ac-17","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"ac-18","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - All access to Cloud SaaS are via web services and/or API. The device\n                  accessed from or whether via wired or wireless connection is out of scope.\n                  Regardless of device accessed from, must utilize approved remote access methods\n                  (AC-17), secure communication with strong encryption (SC-13), key management\n                  (SC-12), and multi-factor authentication for privileged access (IA-2[1])."}]}]},{"control-id":"ac-19","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - All access to Cloud SaaS are via web service and/or API. The device accessed\n                  from is out of the scope. Regardless of device accessed from, must utilize\n                  approved remote access methods (AC-17), secure communication with strong\n                  encryption (SC-13), key management (SC-12), and multi-factor authentication for\n                  privileged access (IA-2 [1])."}]}]},{"control-id":"ac-20","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ac-22","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"at-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"at-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"at-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"at-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"au-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"au-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"au-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"au-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the audit data has been determined to have little or\n                  no impact to government business/mission needs."}]}]},{"control-id":"au-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"au-6","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"au-8","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"au-9","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"au-11","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the audit data has been determined as little or no\n                  impact to government business/mission needs."}]}]},{"control-id":"au-12","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ca-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ca-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ca-2_fr","name":"item","title":"CA-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                     Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)"}]}]}]},{"control-id":"ca-2.1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ca-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: There are connection(s) to external systems. Connections (if any) shall\n                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data\n                  is involved and its sensitivity. 3) Determine whether the connection is one-way or\n                  bi-directional. 4) Identify how the connection is secured."}]}]},{"control-id":"ca-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring\n                  Requirements."}]}]},{"control-id":"ca-6","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ca-6_fr","name":"item","title":"CA-6(c) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1,\n                     Appendix F. The service provider describes the types of changes to the\n                     information system or the environment of operations that would impact the risk\n                     posture. The types of changes are approved and accepted by the Authorizing\n                     Official."}]}]}]},{"control-id":"ca-7","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ca-7_fr","name":"item","title":"CA-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities\n                     within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                     Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)"}]}]}]},{"control-id":"ca-9","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: There are connection(s) to external systems. Connections (if any) shall\n                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data\n                  is involved and its sensitivity. 3) Determine whether the connection is one-way or\n                  bi-directional. 4) Identify how the connection is secured."}]}]},{"control-id":"cm-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"cm-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"cm-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"cm-6","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Required - Specifically include details of least functionality."},{"id":"cm-6_fr","name":"item","title":"CM-6(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines\n                     (Level 1) to establish configuration settings or establishes its own\n                     configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings\n                     are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP\n                     compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}]}]}]},{"control-id":"cm-7","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"cm-8","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"cm-8_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}]}]}]},{"control-id":"cm-10","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO- Not directly related to protection of the data."}]}]},{"control-id":"cm-11","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Boundary is specific to SaaS environment; all access is via web services;\n                  users' machine or internal network are not contemplated. External services (SA-9),\n                  internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and\n                  SC-13), and privileged authentication (IA-2[1]) are considerations."}]}]},{"control-id":"cp-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"cp-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."}]}]},{"control-id":"cp-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."}]}]},{"control-id":"cp-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."}]}]},{"control-id":"cp-9","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"cp-9_fr","name":"item","title":"CP-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment\n                     require the Information System Backup control. The service provider shall\n                     determine how Information System Backup is going to be verified and appropriate\n                     periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level\n                     information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","properties":[{"name":"label","value":"CP-9(b)Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level\n                     information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","properties":[{"name":"label","value":"CP-9(c)Requirement:"}],"prose":"The service provider maintains at least three backup copies of information\n                     system documentation including security information (at least one of which is\n                     available online)."}]}]}]},{"control-id":"cp-10","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."}]}]},{"control-id":"ia-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ia-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO for non-privileged users. Attestation for privileged users related to\n                  multi-factor identification and authentication - specifically include description\n                  of management of service accounts."}]}]},{"control-id":"ia-2.1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"ia-2.12","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."},{"id":"ia-2.12_fr","name":"item","title":"IA-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of\n                     PIV/FIPS 201/HSPD-12."}]}]}]},{"control-id":"ia-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ia-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ia-5.1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ia-5.11","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - for Federal privileged users. Condition - Must document and assess for\n                  privileged users. May attest to this control for non-privileged users."}]}]},{"control-id":"ia-6","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"ia-7","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ia-8","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ia-8.1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."}]}]},{"control-id":"ia-8.2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."}]}]},{"control-id":"ia-8.3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ia-8.4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ir-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ir-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ir-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ir-4_fr","name":"item","title":"IR-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-4_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet\n                     personnel security requirements commensurate with the criticality/sensitivity\n                     of the information being processed, stored, and transmitted by the information\n                     system."}]}]}]},{"control-id":"ir-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ir-6","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ir-6_fr","name":"item","title":"IR-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident\n                     Communications Procedure."}]}]}]},{"control-id":"ir-7","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ir-8","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically attest to US-CERT compliance."}]}]},{"control-id":"ir-9","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically describe information spillage response processes."}]}]},{"control-id":"ma-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ma-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"ma-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ma-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"mp-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"mp-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"mp-6","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"mp-7","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pe-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"pe-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pe-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pe-6","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pe-8","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pe-12","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pe-13","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pe-14","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."},{"id":"pe-14_fr","name":"item","title":"PE-14(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pe-14_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels\n                     by dew point."}]}]}]},{"control-id":"pe-15","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pe-16","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}]}]},{"control-id":"pl-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"pl-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"pl-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ps-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ps-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}]}]},{"control-id":"ps-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"ps-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ps-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ps-6","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ps-7","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically stating that any third-party security personnel are\n                  treated as CSP employees."}]}]},{"control-id":"ps-8","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ra-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"ra-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"ra-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ra-3_fr","name":"item","title":"RA-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1,\n                     Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","properties":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include\n                     FedRAMP."}]}]}]},{"control-id":"ra-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"ra-5_fr_smt.a","name":"item","title":"RA-5(a) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (a)Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web\n                  applications, and databases once annually."},{"id":"ra-5_fr_smt.e","name":"item","title":"RA-5(e) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (e)Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include\n                  FedRAMP."},{"id":"ra-5_fr","name":"item","title":"RA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"**See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                        Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}]}]}]},{"control-id":"sa-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sa-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sa-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sa-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sa-4.10","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sa-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sa-9","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"sc-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sc-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: If availability is a requirement, define protections in place as per\n                  control requirement."}]}]},{"control-id":"sc-7","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"sc-12","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"parts":[{"id":"sc-12_fr","name":"item","title":"SC-12 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved cryptography."}]}]}]},{"control-id":"sc-13","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: If implementing need to detail how they meet it or don't meet it."}]}]},{"control-id":"sc-15","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Not directly related to the security of the SaaS."}]}]},{"control-id":"sc-20","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sc-21","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sc-22","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"sc-39","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"si-1","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"si-2","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"si-3","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"si-4","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}]}]},{"control-id":"si-5","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}]}]},{"control-id":"si-12","removals":[{"name-ref":"objective"},{"name-ref":"assessment"}],"additions":[{"position":"ending","properties":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically related to US-CERT and FedRAMP communications\n                  procedures."}]}]}]},"back-matter":{"resources":[{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and Regulations","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-citations"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-acronyms"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","desc":"FedRAMP Logo","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-logo"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}]},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","title":"NIST Special Publication (SP) 800-53","properties":[{"name":"version","ns":"https://fedramp.gov/ns/oscal","value":"Revision 4"},{"name":"keep","value":"always"}],"rlinks":[{"href":"../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","media-type":"application/xml"}]}]}}}
\ No newline at end of file
diff --git a/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline_profile.json b/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline_profile.json
deleted file mode 100644
index 8732afaa17..0000000000
--- a/content/fedramp.gov/json/FedRAMP_LI-SaaS-baseline_profile.json
+++ /dev/null
@@ -1,4462 +0,0 @@
-{
-  "profile": {
-    "uuid": "48d3387b-e554-4232-97bc-a8617cf238d9",
-    "metadata": {
-      "title": "FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline",
-      "published": "2020-02-02T00:00:00.000-05:00",
-      "last-modified": "2020-06-01T10:00:00.000-05:00",
-      "version": "1.2",
-      "oscal-version": "1.0.0-milestone3",
-      "roles": [
-        {
-          "id": "parpared-by",
-          "title": "Document creator"
-        },
-        {
-          "id": "fedramp-pmo",
-          "title": "The FedRAMP Program Management Office (PMO)",
-          "short-name": "CSP"
-        },
-        {
-          "id": "fedramp-jab",
-          "title": "The FedRAMP Joint Authorization Board (JAB)",
-          "short-name": "CSP"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Program Management Office",
-          "short-name": "FedRAMP PMO",
-          "links": [
-            {
-              "href": "https://fedramp.gov",
-              "rel": "homepage",
-              "text": ""
-            }
-          ],
-          "addresses": [
-            {
-              "type": "work",
-              "postal-address": [
-                "1800 F St. NW",
-                ""
-              ],
-              "city": "Washington",
-              "state": "DC",
-              "postal-code": "",
-              "country": "US"
-            }
-          ],
-          "email-addresses": [
-            "info@fedramp.gov"
-          ]
-        },
-        {
-          "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Joint Authorization Board",
-          "short-name": "FedRAMP JAB"
-        }
-      ],
-      "responsible-parties": {
-        "prepared-by": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-pmo": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-jab": {
-          "party-uuids": [
-            "ca9ba80e-1342-4bfd-b32a-abac468c24b4"
-          ]
-        }
-      }
-    },
-    "imports": [
-      {
-        "href": "#ad005eae-cc63-4e64-9109-3905a9a825e4",
-        "include": {
-          "id-selectors": [
-            {
-              "control-id": "ac-1"
-            },
-            {
-              "control-id": "ac-2"
-            },
-            {
-              "control-id": "ac-3"
-            },
-            {
-              "control-id": "ac-7"
-            },
-            {
-              "control-id": "ac-8"
-            },
-            {
-              "control-id": "ac-14"
-            },
-            {
-              "control-id": "ac-17"
-            },
-            {
-              "control-id": "ac-18"
-            },
-            {
-              "control-id": "ac-19"
-            },
-            {
-              "control-id": "ac-20"
-            },
-            {
-              "control-id": "ac-22"
-            },
-            {
-              "control-id": "at-1"
-            },
-            {
-              "control-id": "at-2"
-            },
-            {
-              "control-id": "at-3"
-            },
-            {
-              "control-id": "at-4"
-            },
-            {
-              "control-id": "au-1"
-            },
-            {
-              "control-id": "au-2"
-            },
-            {
-              "control-id": "au-3"
-            },
-            {
-              "control-id": "au-4"
-            },
-            {
-              "control-id": "au-5"
-            },
-            {
-              "control-id": "au-6"
-            },
-            {
-              "control-id": "au-8"
-            },
-            {
-              "control-id": "au-9"
-            },
-            {
-              "control-id": "au-11"
-            },
-            {
-              "control-id": "au-12"
-            },
-            {
-              "control-id": "ca-1"
-            },
-            {
-              "control-id": "ca-2"
-            },
-            {
-              "control-id": "ca-2.1"
-            },
-            {
-              "control-id": "ca-3"
-            },
-            {
-              "control-id": "ca-5"
-            },
-            {
-              "control-id": "ca-6"
-            },
-            {
-              "control-id": "ca-7"
-            },
-            {
-              "control-id": "ca-9"
-            },
-            {
-              "control-id": "cm-1"
-            },
-            {
-              "control-id": "cm-2"
-            },
-            {
-              "control-id": "cm-4"
-            },
-            {
-              "control-id": "cm-6"
-            },
-            {
-              "control-id": "cm-7"
-            },
-            {
-              "control-id": "cm-8"
-            },
-            {
-              "control-id": "cm-10"
-            },
-            {
-              "control-id": "cm-11"
-            },
-            {
-              "control-id": "cp-1"
-            },
-            {
-              "control-id": "cp-2"
-            },
-            {
-              "control-id": "cp-3"
-            },
-            {
-              "control-id": "cp-4"
-            },
-            {
-              "control-id": "cp-9"
-            },
-            {
-              "control-id": "cp-10"
-            },
-            {
-              "control-id": "ia-1"
-            },
-            {
-              "control-id": "ia-2"
-            },
-            {
-              "control-id": "ia-2.1"
-            },
-            {
-              "control-id": "ia-2.12"
-            },
-            {
-              "control-id": "ia-4"
-            },
-            {
-              "control-id": "ia-5"
-            },
-            {
-              "control-id": "ia-5.1"
-            },
-            {
-              "control-id": "ia-5.11"
-            },
-            {
-              "control-id": "ia-6"
-            },
-            {
-              "control-id": "ia-7"
-            },
-            {
-              "control-id": "ia-8"
-            },
-            {
-              "control-id": "ia-8.1"
-            },
-            {
-              "control-id": "ia-8.2"
-            },
-            {
-              "control-id": "ia-8.3"
-            },
-            {
-              "control-id": "ia-8.4"
-            },
-            {
-              "control-id": "ir-1"
-            },
-            {
-              "control-id": "ir-2"
-            },
-            {
-              "control-id": "ir-4"
-            },
-            {
-              "control-id": "ir-5"
-            },
-            {
-              "control-id": "ir-6"
-            },
-            {
-              "control-id": "ir-7"
-            },
-            {
-              "control-id": "ir-8"
-            },
-            {
-              "control-id": "ir-9"
-            },
-            {
-              "control-id": "ma-1"
-            },
-            {
-              "control-id": "ma-2"
-            },
-            {
-              "control-id": "ma-4"
-            },
-            {
-              "control-id": "ma-5"
-            },
-            {
-              "control-id": "mp-1"
-            },
-            {
-              "control-id": "mp-2"
-            },
-            {
-              "control-id": "mp-6"
-            },
-            {
-              "control-id": "mp-7"
-            },
-            {
-              "control-id": "pe-1"
-            },
-            {
-              "control-id": "pe-2"
-            },
-            {
-              "control-id": "pe-3"
-            },
-            {
-              "control-id": "pe-6"
-            },
-            {
-              "control-id": "pe-8"
-            },
-            {
-              "control-id": "pe-12"
-            },
-            {
-              "control-id": "pe-13"
-            },
-            {
-              "control-id": "pe-14"
-            },
-            {
-              "control-id": "pe-15"
-            },
-            {
-              "control-id": "pe-16"
-            },
-            {
-              "control-id": "pl-1"
-            },
-            {
-              "control-id": "pl-2"
-            },
-            {
-              "control-id": "pl-4"
-            },
-            {
-              "control-id": "ps-1"
-            },
-            {
-              "control-id": "ps-2"
-            },
-            {
-              "control-id": "ps-3"
-            },
-            {
-              "control-id": "ps-4"
-            },
-            {
-              "control-id": "ps-5"
-            },
-            {
-              "control-id": "ps-6"
-            },
-            {
-              "control-id": "ps-7"
-            },
-            {
-              "control-id": "ps-8"
-            },
-            {
-              "control-id": "ra-1"
-            },
-            {
-              "control-id": "ra-2"
-            },
-            {
-              "control-id": "ra-3"
-            },
-            {
-              "control-id": "ra-5"
-            },
-            {
-              "control-id": "sa-1"
-            },
-            {
-              "control-id": "sa-2"
-            },
-            {
-              "control-id": "sa-3"
-            },
-            {
-              "control-id": "sa-4"
-            },
-            {
-              "control-id": "sa-4.10"
-            },
-            {
-              "control-id": "sa-5"
-            },
-            {
-              "control-id": "sa-9"
-            },
-            {
-              "control-id": "sc-1"
-            },
-            {
-              "control-id": "sc-5"
-            },
-            {
-              "control-id": "sc-7"
-            },
-            {
-              "control-id": "sc-12"
-            },
-            {
-              "control-id": "sc-13"
-            },
-            {
-              "control-id": "sc-15"
-            },
-            {
-              "control-id": "sc-20"
-            },
-            {
-              "control-id": "sc-21"
-            },
-            {
-              "control-id": "sc-22"
-            },
-            {
-              "control-id": "sc-39"
-            },
-            {
-              "control-id": "si-1"
-            },
-            {
-              "control-id": "si-2"
-            },
-            {
-              "control-id": "si-3"
-            },
-            {
-              "control-id": "si-4"
-            },
-            {
-              "control-id": "si-5"
-            },
-            {
-              "control-id": "si-12"
-            }
-          ]
-        }
-      }
-    ],
-    "merge": {
-      "combine": {
-        "method": "keep"
-      },
-      "as-is": true
-    },
-    "modify": {
-      "parameter-settings": {
-        "ac-22_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least quarterly"
-            }
-          ]
-        },
-        "au-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined actions to be taken (overwrite oldest record)"
-            }
-          ]
-        },
-        "au-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "ca-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "individuals or roles to include FedRAMP PMO"
-            }
-          ]
-        },
-        "ca-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually and on input from FedRAMP"
-            }
-          ]
-        },
-        "ca-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "ca-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every three years or when a significant change occurs"
-            }
-          ]
-        },
-        "ca-7_prm_4": {
-          "constraints": [
-            {
-              "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-            }
-          ]
-        },
-        "ca-7_prm_5": {
-          "constraints": [
-            {
-              "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-            }
-          ]
-        },
-        "cm-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "see CM-6(a) Additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "cm-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "cp-9_prm_1": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9_prm_2": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9_prm_3": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "ir-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"
-            }
-          ]
-        },
-        "pe-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "CSP defined physical access control systems/devices AND guards"
-            }
-          ]
-        },
-        "pe-3_prm_6": {
-          "constraints": [
-            {
-              "detail": "in all circumstances within restricted access area where the information system resides"
-            }
-          ]
-        },
-        "pe-3_prm_8": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-3_prm_9": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "pe-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "for a minimum of one (1) year"
-            }
-          ]
-        },
-        "pe-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "pe-14_prm_1": {
-          "constraints": [
-            {
-              "detail": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"
-            }
-          ]
-        },
-        "pe-14_prm_2": {
-          "constraints": [
-            {
-              "detail": "continuously"
-            }
-          ]
-        },
-        "pe-16_prm_1": {
-          "constraints": [
-            {
-              "detail": "all information system components"
-            }
-          ]
-        },
-        "pl-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions."
-            }
-          ]
-        },
-        "ra-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "security assessment report"
-            }
-          ]
-        },
-        "ra-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least every three (3) years or when a significant change occurs"
-            }
-          ]
-        },
-        "ra-3_prm_5": {
-          "constraints": [
-            {
-              "detail": "at least every three (3) years or when a significant change occurs"
-            }
-          ]
-        },
-        "ra-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "monthly operating system/infrastructure; monthly web applications and databases"
-            }
-          ]
-        },
-        "ra-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "[high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."
-            }
-          ]
-        },
-        "sa-9_prm_1": {
-          "constraints": [
-            {
-              "detail": "FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"
-            }
-          ]
-        },
-        "sa-9_prm_2": {
-          "constraints": [
-            {
-              "detail": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"
-            }
-          ]
-        },
-        "sc-13_prm_1": {
-          "constraints": [
-            {
-              "detail": "FIPS-validated or NSA-approved cryptography"
-            }
-          ]
-        },
-        "si-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "within 30 days of release of updates"
-            }
-          ]
-        },
-        "si-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "si-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include endpoints"
-            }
-          ]
-        },
-        "si-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "to include alerting administrator or defined security personnel"
-            }
-          ]
-        }
-      },
-      "alterations": [
-        {
-          "control-id": "ac-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2",
-          "removals": [
-            {
-              "id-ref": "ac-2_smt.b"
-            },
-            {
-              "id-ref": "ac-2_smt.c"
-            },
-            {
-              "id-ref": "ac-2_smt.d"
-            },
-            {
-              "id-ref": "ac-2_smt.e"
-            },
-            {
-              "id-ref": "ac-2_smt.i"
-            },
-            {
-              "id-ref": "ac-2_smt.j"
-            },
-            {
-              "id-ref": "ac-2_smt.k"
-            },
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "ac-2_fr",
-                  "name": "item",
-                  "title": "AC-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored\n                     for LI-SaaS."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-7",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                },
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO for non-privileged users. Attestation for privileged users related to\n                  multi-factor identification and authentication."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-8",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "FED"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "FED - This is related to agency data and agency policy solution."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-14",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "FED"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "FED - This is related to agency data and agency policy solution."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - All access to Cloud SaaS are via web services and/or API. The device\n                  accessed from or whether via wired or wireless connection is out of scope.\n                  Regardless of device accessed from, must utilize approved remote access methods\n                  (AC-17), secure communication with strong encryption (SC-13), key management\n                  (SC-12), and multi-factor authentication for privileged access (IA-2[1])."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-19",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - All access to Cloud SaaS are via web service and/or API. The device accessed\n                  from is out of the scope. Regardless of device accessed from, must utilize\n                  approved remote access methods (AC-17), secure communication with strong\n                  encryption (SC-13), key management (SC-12), and multi-factor authentication for\n                  privileged access (IA-2 [1])."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-20",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-22",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - Loss of availability of the audit data has been determined to have little or\n                  no impact to government business/mission needs."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-8",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-11",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - Loss of availability of the audit data has been determined as little or no\n                  impact to government business/mission needs."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-12",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "ca-2_fr",
-                  "name": "item",
-                  "title": "CA-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                     Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)"
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2.1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: There are connection(s) to external systems. Connections (if any) shall\n                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data\n                  is involved and its sensitivity. 3) Determine whether the connection is one-way or\n                  bi-directional. 4) Identify how the connection is secured."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring\n                  Requirements."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-6",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "ca-6_fr",
-                  "name": "item",
-                  "title": "CA-6(c) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1,\n                     Appendix F. The service provider describes the types of changes to the\n                     information system or the environment of operations that would impact the risk\n                     posture. The types of changes are approved and accepted by the Authorizing\n                     Official."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-7",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "ca-7_fr",
-                  "name": "item",
-                  "title": "CA-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-7_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "CSPs must provide evidence of closure and remediation of high vulnerabilities\n                     within the timeframe for standard POA&M updates."
-                    },
-                    {
-                      "id": "ca-7_fr_gdn.2",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                     Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)"
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-9",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: There are connection(s) to external systems. Connections (if any) shall\n                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data\n                  is involved and its sensitivity. 3) Determine whether the connection is one-way or\n                  bi-directional. 4) Identify how the connection is secured."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-6",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Required - Specifically include details of least functionality."
-                },
-                {
-                  "id": "cm-6_fr",
-                  "name": "item",
-                  "title": "CM-6(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement 1:"
-                        }
-                      ],
-                      "prose": "The service provider shall use the Center for Internet Security guidelines\n                     (Level 1) to establish configuration settings or establishes its own\n                     configuration settings if USGCB is not available. "
-                    },
-                    {
-                      "id": "cm-6_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement 2:"
-                        }
-                      ],
-                      "prose": "The service provider shall ensure that checklists for configuration settings\n                     are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP\n                     compatible (if validated checklists are not available)."
-                    },
-                    {
-                      "id": "cm-6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "cm-8_fr",
-                  "name": "item",
-                  "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Must be provided at least monthly or when there is a change."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-10",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO- Not directly related to protection of the data."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-11",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - Boundary is specific to SaaS environment; all access is via web services;\n                  users' machine or internal network are not contemplated. External services (SA-9),\n                  internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and\n                  SC-13), and privileged authentication (IA-2[1]) are considerations."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "cp-9_fr",
-                  "name": "item",
-                  "title": "CP-9 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-9_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine what elements of the cloud environment\n                     require the Information System Backup control. The service provider shall\n                     determine how Information System Backup is going to be verified and appropriate\n                     periodicity of the check."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of user-level\n                     information (at least one of which is available online)."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.b",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(b)Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of system-level\n                     information (at least one of which is available online)."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.c",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(c)Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of information\n                     system documentation including security information (at least one of which is\n                     available online)."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-10",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - Loss of availability of the SaaS has been determined as little or no impact\n                  to government business/mission needs."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                },
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO for non-privileged users. Attestation for privileged users related to\n                  multi-factor identification and authentication - specifically include description\n                  of management of service accounts."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.12",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."
-                },
-                {
-                  "id": "ia-2.12_fr",
-                  "name": "item",
-                  "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-2.12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of\n                     PIV/FIPS 201/HSPD-12."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.11",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "FED"
-                },
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "FED - for Federal privileged users. Condition - Must document and assess for\n                  privileged users. May attest to this control for non-privileged users."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-6",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-7",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Must document and assess for privileged users. May attest to this\n                  control for non-privileged users. FedRAMP requires a minimum of multi-factor\n                  authentication for all Federal privileged users, if acceptance of PIV credentials\n                  is not supported. The implementation status and details of how this control is\n                  implemented must be clearly defined by the CSP."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "ir-4_fr",
-                  "name": "item",
-                  "title": "IR-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-4_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider ensures that individuals conducting incident handling meet\n                     personnel security requirements commensurate with the criticality/sensitivity\n                     of the information being processed, stored, and transmitted by the information\n                     system."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-6",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "ir-6_fr",
-                  "name": "item",
-                  "title": "IR-6 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Report security incident information according to FedRAMP Incident\n                     Communications Procedure."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-7",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-8",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Attestation - Specifically attest to US-CERT compliance."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Attestation - Specifically describe information spillage response processes."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-6",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-7",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-6",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-8",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-12",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-14",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                },
-                {
-                  "id": "pe-14_fr",
-                  "name": "item",
-                  "title": "PE-14(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "pe-14_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider measures temperature at server inlets and humidity levels\n                     by dew point."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-15",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-16",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "FED"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-6",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-7",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Attestation - Specifically stating that any third-party security personnel are\n                  treated as CSP employees."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-8",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "ra-3_fr",
-                  "name": "item",
-                  "title": "RA-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1,\n                     Appendix F"
-                    },
-                    {
-                      "id": "ra-3_fr_smt.d",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "RA-3 (d) Requirement:"
-                        }
-                      ],
-                      "prose": "Include all Authorizing Officials; for JAB authorizations to include\n                     FedRAMP."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "ra-5_fr_smt.a",
-                  "name": "item",
-                  "title": "RA-5(a) Additional FedRAMP Requirements and Guidance",
-                  "properties": [
-                    {
-                      "name": "label",
-                      "value": "RA-5 (a)Requirement:"
-                    }
-                  ],
-                  "prose": "An accredited independent assessor scans operating systems/infrastructure, web\n                  applications, and databases once annually."
-                },
-                {
-                  "id": "ra-5_fr_smt.e",
-                  "name": "item",
-                  "title": "RA-5(e) Additional FedRAMP Requirements and Guidance",
-                  "properties": [
-                    {
-                      "name": "label",
-                      "value": "RA-5 (e)Requirement:"
-                    }
-                  ],
-                  "prose": "To include all Authorizing Officials; for JAB authorizations to include\n                  FedRAMP."
-                },
-                {
-                  "id": "ra-5_fr",
-                  "name": "item",
-                  "title": "RA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "**See the FedRAMP Documents page under Key Cloud Service Provider (CSP)\n                        Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.10",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: If availability is a requirement, define protections in place as per\n                  control requirement."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ],
-              "parts": [
-                {
-                  "id": "sc-12_fr",
-                  "name": "item",
-                  "title": "SC-12 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Federally approved cryptography."
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-13",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "CONDITIONAL"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Condition: If implementing need to detail how they meet it or don't meet it."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-15",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "NSO"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "NSO - Not directly related to the security of the SaaS."
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-20",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-21",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-22",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-39",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-1",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ASSESS"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-5",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-12",
-          "removals": [
-            {
-              "name-ref": "objective"
-            },
-            {
-              "name-ref": "assessment"
-            }
-          ],
-          "additions": [
-            {
-              "position": "ending",
-              "properties": [
-                {
-                  "name": "method",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "value": "ATTEST"
-                }
-              ],
-              "parts": [
-                {
-                  "name": "guidance",
-                  "class": "FedRAMP-Tailored-LI-SaaS",
-                  "prose": "Attestation - Specifically related to US-CERT and FedRAMP communications\n                  procedures."
-                }
-              ]
-            }
-          ]
-        }
-      ]
-    },
-    "back-matter": {
-      "resources": [
-        {
-          "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48",
-          "title": "FedRAMP Applicable Laws and Regulations",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-citations"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-            }
-          ]
-        },
-        {
-          "uuid": "1a23a771-d481-4594-9a1a-71d584fa4123",
-          "title": "FedRAMP Master Acronym and Glossary",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-acronyms"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f",
-          "desc": "FedRAMP Logo",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-logo"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png"
-            }
-          ]
-        },
-        {
-          "uuid": "ad005eae-cc63-4e64-9109-3905a9a825e4",
-          "title": "NIST Special Publication (SP) 800-53",
-          "properties": [
-            {
-              "name": "version",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "Revision 4"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-              "media-type": "application/xml"
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
diff --git a/content/fedramp.gov/json/FedRAMP_LOW-baseline-resolved-profile_catalog-min.json b/content/fedramp.gov/json/FedRAMP_LOW-baseline-resolved-profile_catalog-min.json
deleted file mode 100644
index ea239455c9..0000000000
--- a/content/fedramp.gov/json/FedRAMP_LOW-baseline-resolved-profile_catalog-min.json
+++ /dev/null
@@ -1 +0,0 @@
-{"catalog":{"uuid":"d320d731-1aea-4d48-a4df-05b1c9f48c04","metadata":{"title":"FedRAMP Low Baseline","published":"2020-06-01T00:00:00.000-04:00","last-modified":"2020-06-01T10:00:00.000-04:00","version":"1.2","oscal-version":"1.0.0-milestone3","properties":[{"name":"resolution-timestamp","value":"2020-08-31T17:38:45.129825Z"}],"links":[{"href":"FedRAMP_LOW-baseline_profile.xml","rel":"resolution-source","text":"FedRAMP Low Baseline"}],"roles":[{"id":"parpared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"parties":[{"uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","type":"organization","party-name":"Federal Risk and Authorization Management Program: Program Management Office","short-name":"FedRAMP PMO","links":[{"href":"https://fedramp.gov","rel":"homepage","text":""}],"addresses":[{"type":"work","postal-address":["1800 F St. NW",""],"city":"Washington","state":"DC","postal-code":"","country":"US"}],"email-addresses":["info@fedramp.gov"]},{"uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","type":"organization","party-name":"Federal Risk and Authorization Management Program: Joint Authorization Board","short-name":"FedRAMP JAB"}],"responsible-parties":{"prepared-by":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-pmo":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-jab":{"party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}}},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","parameters":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ac-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and\n                     associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Access control policy {{ ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be\n                        disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or\n                        roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control\n                        policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the\n                        organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control\n                        procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","parameters":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to\n                  support organizational missions/business functions: {{ ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership,\n                  and access authorizations (i.e., privileges) and other attributes (as required)\n                  for each account;"},{"id":"ac-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ ac-2_prm_2 }} for requests to create\n                  information system accounts;"},{"id":"ac-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in\n                  accordance with {{ ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated\n                     missions/business functions;"}]},{"id":"ac-2_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","properties":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group,\n               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and\n               service. Some of the account management requirements listed above can be implemented\n               by organizational information systems. The identification of authorized users of the\n               information system and the specification of access privileges reflects the\n               requirements in other security controls in the security plan. Users requiring\n               administrative privileges on information system accounts receive additional scrutiny\n               by appropriate organizational personnel (e.g., system owner, mission/business owner,\n               or chief information security officer) responsible for approving such accounts and\n               privileged access. Organizations may choose to define access privileges or other\n               attributes by account, by type of account, or a combination of both. Other attributes\n               required for authorizing access include, for example, restrictions on time-of-day,\n               day-of-week, and point-of-origin. In defining other account attributes, organizations\n               consider system-related requirements (e.g., scheduled maintenance, system upgrades)\n               and mission/business requirements, (e.g., time zone differences, customer\n               requirements, remote access to support travel requirements). Failure to consider\n               these factors could affect information system availability. Temporary and emergency\n               accounts are accounts intended for short-term use. Organizations establish temporary\n               accounts as a part of normal account activation procedures when there is a need for\n               short-term accounts without the demand for immediacy in account activation.\n               Organizations establish emergency accounts in response to crisis situations and with\n               the need for rapid account activation. Therefore, emergency account activation may\n               bypass normal account authorization processes. Emergency and temporary accounts are\n               not to be confused with infrequently used accounts (e.g., local logon accounts used\n               for special tasks defined by organizations or when network resources are\n               unavailable). Such accounts remain available and are not subject to automatic\n               disabling or removal dates. Conditions for disabling or deactivating accounts\n               include, for example: (i) when shared/group, emergency, or temporary accounts are no\n               longer required; or (ii) when individuals are transferred or terminated. Some types\n               of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-10","rel":"related","text":"AC-10"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","properties":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to\n                     support organizational missions/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to\n                     support organizational missions/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","properties":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","properties":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information\n                     system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to\n                     create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","properties":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated\n                     missions/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","properties":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management\n                     requirements;"},{"id":"ac-2.j_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the\n                     organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of active system accounts along with the name of the individual associated\n                  with each account\\n\\nlist of conditions for group and role membership\\n\\nnotifications or records of recently transferred, separated, or terminated\n                  employees\\n\\nlist of recently disabled information system accounts along with the name of the\n                  individual associated with each account\\n\\naccess authorization records\\n\\naccount management compliance reviews\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\\n\\nautomated mechanisms for implementing account management"}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","properties":[{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to\n               information and system resources in accordance with applicable access control\n               policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control\n               matrices, cryptography) control access between active entities or subjects (i.e.,\n               users or processes acting on behalf of users) and passive entities or objects (e.g.,\n               devices, files, records, domains) in information systems. In addition to enforcing\n               authorized access at the information system level and recognizing that information\n               systems can host many applications and services in support of organizational missions\n               and business operations, access enforcement mechanisms can also be employed at the\n               application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"}]},{"id":"ac-3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system enforces approved authorizations for logical\n               access to information and system resources in accordance with applicable access\n               control policies."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of approved authorizations (user privileges)\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","parameters":[{"id":"ac-7_prm_1","label":"organization-defined number","constraints":[{"detail":"not more than three (3)"}]},{"id":"ac-7_prm_2","label":"organization-defined time period","constraints":[{"detail":"fifteen (15) minutes"}]},{"id":"ac-7_prm_3"},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period","constraints":[{"detail":"thirty (30) minutes"}]},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon\n                  attempts by a user during a {{ ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically {{ ac-7_prm_3 }} when the maximum number of\n                  unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network\n               connection. Due to the potential for denial of service, automatic lockouts initiated\n               by information systems are usually temporary and automatically release after a\n               predetermined time period established by organizations. If a delay algorithm is\n               selected, organizations may choose to employ different algorithms for different\n               information system components based on the capabilities of those components.\n               Responses to unsuccessful logon attempts may be implemented at both the operating\n               system and the application levels.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ia-5","rel":"related","text":"IA-5"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ac-7.a_obj","name":"objective","properties":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts\n                     allowed to the information system by a user during an organization-defined time\n                     period;"},{"id":"ac-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information\n                     system for an organization-defined number of consecutive invalid logon\n                     attempts;"},{"id":"ac-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of\n                     consecutive invalid logon attempts by a user during an organization-defined\n                     time period;"}]},{"id":"ac-7.b_obj","name":"objective","properties":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account/node lockout time period or logon delay\n                     algorithm to be automatically enforced by the information system when the\n                     maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts\n                     is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay\n                        algorithm."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing unsuccessful logon attempts\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem developers\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon\n                  attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","parameters":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner","constraints":[{"detail":"see additional Requirements and Guidance"}]},{"id":"ac-8_prm_2","label":"organization-defined conditions","constraints":[{"detail":"see additional Requirements and Guidance"}]}],"properties":[{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Displays to users {{ ac-8_prm_1 }} before granting access to the\n                  system that provides privacy and security notices consistent with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to\n                     criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and\n                     recording;"}]},{"id":"ac-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge\n                  the usage conditions and take explicit actions to log on to or further access the\n                  information system; and"},{"id":"ac-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ ac-8_prm_2 }}, before\n                     granting further access;"},{"id":"ac-8_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are\n                     consistent with privacy accommodations for such systems that generally prohibit\n                     those activities; and"},{"id":"ac-8_smt.c.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]},{"id":"ac-8_fr","name":"item","title":"AC-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."},{"id":"ac-8_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."},{"id":"ac-8_fr_smt.3","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners\n               displayed before individuals log in to information systems. System use notifications\n               are used only for access via logon interfaces with human users and are not required\n               when such human interfaces do not exist. Organizations consider system use\n               notification messages/banners displayed in multiple languages based on specific\n               organizational needs and the demographics of information system users. Organizations\n               also consult with the Office of the General Counsel for legal review and approval of\n               warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","properties":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be\n                     displayed by the information system to users before granting access to the\n                     system;"},{"id":"ac-8.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use\n                     notification message or banner before granting access to the information system\n                     that provides privacy and security notices consistent with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to\n                        audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to\n                        criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and\n                        recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen\n                  until users acknowledge the usage conditions and take explicit actions to log on\n                  to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the\n                        information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before\n                        granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording,\n                     or auditing that are consistent with privacy accommodations for such systems\n                     that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the\n                     system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprivacy and security policies, procedures addressing system use notification\\n\\ndocumented approval of information system use notification messages or banners\\n\\ninformation system audit records\\n\\nuser acknowledgements of notification message or banner\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system use notification messages\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for providing legal advice\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","parameters":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"properties":[{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies {{ ac-14_prm_1 }} that can be performed on the\n                  information system without identification or authentication consistent with\n                  organizational missions/business functions; and"},{"id":"ac-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no\n               identification or authentication is required in organizational information systems.\n               Organizations may allow a limited number of user actions without identification or\n               authentication including, for example, when individuals access public websites or\n               other publicly accessible federal information systems, when individuals use mobile\n               phones to receive calls, or when facsimiles are received. Organizations also identify\n               actions that normally require identification or authentication but may under certain\n               circumstances (e.g., emergencies), allow identification or authentication mechanisms\n               to be bypassed. Such bypasses may occur, for example, via a software-readable\n               physical switch that commands bypass of the logon functionality and is protected from\n               accidental or unmonitored use. This control does not apply to situations where\n               identification and authentication have already occurred and are not repeated, but\n               rather to situations where identification and authentication have not yet occurred.\n               Organizations may decide that there are no user actions that can be performed on\n               organizational information systems without identification and authentication and\n               thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ia-2","rel":"related","text":"IA-2"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","properties":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without\n                     identification or authentication consistent with organizational\n                     missions/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the\n                     information system without identification or authentication consistent with\n                     organizational missions/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing permitted actions without identification or\n                  authentication\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nlist of user actions that can be performed without identification or\n                  authentication\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference","text":"NIST Special Publication 800-46"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference","text":"NIST Special Publication 800-113"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference","text":"NIST Special Publication 800-114"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference","text":"NIST Special Publication 800-121"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration/connection\n                  requirements, and implementation guidance for each type of remote access allowed;\n                  and"},{"id":"ac-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such\n                  connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes\n               acting on behalf of users) communicating through external networks (e.g., the\n               Internet). Remote access methods include, for example, dial-up, broadband, and\n               wireless. Organizations often employ encrypted virtual private networks (VPNs) to\n               enhance confidentiality and integrity over remote connections. The use of encrypted\n               VPNs does not make the access non-remote; however, the use of VPNs, when adequately\n               provisioned with appropriate security controls (e.g., employing appropriate\n               encryption techniques for confidentiality and integrity protection) may provide\n               sufficient assurance to the organization that it can effectively treat such\n               connections as internal networks. Still, VPN connections traverse external networks,\n               and the encrypted VPN does not enhance the availability of remote connections. Also,\n               VPNs with encrypted tunnels can affect the organizational capability to adequately\n               monitor network communications traffic for malicious code. Remote access controls\n               apply to information systems other than public web servers or systems designed for\n               public access. This control addresses authorization prior to allowing remote access\n               without specifying the formats for such authorization. While organizations may use\n               interconnection security agreements to authorize remote access connections, such\n               agreements are not required by this control. Enforcing access restrictions for remote\n               connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","properties":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such\n                  connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nremote access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access\n                  connections\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference","text":"NIST Special Publication 800-48"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference","text":"NIST Special Publication 800-94"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference","text":"NIST Special Publication 800-97"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration/connection requirements, and\n                  implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such\n                  connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF/VHF),\n               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,\n               EAP/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such\n                  connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nwireless access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access\n                  connections\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference","text":"NIST Special Publication 800-114"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference","text":"NIST Special Publication 800-124"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference","text":"NIST Special Publication 800-164"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection\n                  requirements, and implementation guidance for organization-controlled mobile\n                  devices; and"},{"id":"ac-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information\n                  systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it\n               can easily be carried by a single individual; (ii) is designed to operate without a\n               physical connection (e.g., wirelessly transmit or receive information); (iii)\n               possesses local, non-removable or removable data storage; and (iv) includes a\n               self-contained power source. Mobile devices may also include voice communication\n               capabilities, on-board sensors that allow the device to capture information, and/or\n               built-in features for synchronizing local data with remote locations. Examples\n               include smart phones, E-readers, and tablets. Mobile devices are typically associated\n               with a single individual and the device is usually in close proximity to the\n               individual; however, the degree of proximity can vary depending upon on the form\n               factor and size of the device. The processing, storage, and transmission capability\n               of the mobile device may be comparable to or merely a subset of desktop systems,\n               depending upon the nature and intended purpose of the device. Due to the large\n               variety of mobile devices with different technical characteristics and capabilities,\n               organizational restrictions may vary for the different classes/types of such devices.\n               Usage restrictions and specific implementation guidance for mobile devices include,\n               for example, configuration management, device identification and authentication,\n               implementation of mandatory protective software (e.g., malicious code detection,\n               firewall), scanning devices for malicious code, updating virus protection software,\n               scanning for critical software updates and patches, conducting primary operating\n               system (and possibly other resident software) integrity checks, and disabling\n               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the\n               need to provide adequate security for mobile devices goes beyond the requirements in\n               this control. Many safeguards and countermeasures for mobile devices are reflected in\n               other security controls in the catalog allocated in the initial control baselines as\n               starting points for the development of security plans and overlays using the\n               tailoring process. There may also be some degree of overlap in the requirements\n               articulated by the security controls within the different families of controls. AC-20\n               addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information\n                  systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access control for mobile device usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nauthorizations for mobile device connections to organizational information\n                  systems\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information\n                  systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational\n                  information systems"}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","properties":[{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust\n               relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external\n                  information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information\n               systems that are outside of the authorization boundary established by organizations\n               and for which organizations typically have no direct supervision and authority over\n               the application of required security controls or the assessment of control\n               effectiveness. External information systems include, for example: (i) personally\n               owned information systems/devices (e.g., notebook computers, smart phones, tablets,\n               personal digital assistants); (ii) privately owned computing and communications\n               devices resident in commercial or public facilities (e.g., hotels, train stations,\n               convention centers, shopping malls, or airports); (iii) information systems owned or\n               controlled by nonfederal governmental organizations; and (iv) federal information\n               systems that are not owned by, operated by, or under the direct supervision and\n               authority of organizations. This control also addresses the use of external\n               information systems for the processing, storage, or transmission of organizational\n               information, including, for example, accessing cloud services (e.g., infrastructure\n               as a service, platform as a service, or software as a service) from organizational\n               information systems. For some external information systems (i.e., information systems\n               operated by other federal agencies, including organizations subordinate to those\n               agencies), the trust relationships that have been established between those\n               organizations and the originating organization may be such, that no explicit terms\n               and conditions are required. Information systems within these organizations would not\n               be considered external. These situations occur when, for example, there are\n               pre-existing sharing/trust agreements (either implicit or explicit) established\n               between federal agencies or organizations subordinate to those agencies, or when such\n               trust agreements are specified by applicable laws, Executive Orders, directives, or\n               policies. Authorized individuals include, for example, organizational personnel,\n               contractors, or other individuals with authorized access to organizational\n               information systems and over which organizations have the authority to impose rules\n               of behavior with regard to system access. Restrictions that organizations impose on\n               authorized individuals need not be uniform, as those restrictions may vary depending\n               upon the trust relationships between organizations. Therefore, organizations may\n               choose to impose different security restrictions on contractors than on state, local,\n               or tribal governments. This control does not apply to the use of external information\n               systems to access public interfaces to organizational information systems (e.g.,\n               individuals accessing federal information through www.usa.gov). Organizations\n               establish terms and conditions for the use of external information systems in\n               accordance with organizational security policies and procedures. Terms and conditions\n               address as a minimum: types of applications that can be accessed on organizational\n               information systems from external information systems; and the highest security\n               category of information that can be processed, stored, or transmitted on external\n               information systems. If terms and conditions with the owners of external information\n               systems cannot be established, organizations may impose restrictions on\n               organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any\n               trust relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to: ","parts":[{"id":"ac-20.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external\n                  information systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nexternal information systems terms and conditions\\n\\nlist of types of applications accessible from external information systems\\n\\nmaximum security categorization for information processed, stored, or transmitted\n                  on external information systems\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions\n                  for use of external information systems to access organizational systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external\n                  information systems"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","parameters":[{"id":"ac-22_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least quarterly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible\n                  information system;"},{"id":"ac-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included; and"},{"id":"ac-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic\n                  information {{ ac-22_prm_1 }} and removes such information, if\n                  discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations,\n               standards, and/or guidance, the general public is not authorized access to nonpublic\n               information (e.g., information protected under the Privacy Act and proprietary\n               information). This control addresses information systems that are controlled by the\n               organization and accessible to the general public, typically without identification\n               or authentication. The posting of information on non-organization information systems\n               is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-13","rel":"related","text":"AU-13"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-22.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible\n                  information system;"},{"id":"ac-22.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included;"},{"id":"ac-22.d_obj","name":"objective","properties":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible\n                     information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic\n                     information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system,\n                     if discovered."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing publicly accessible content\\n\\nlist of users authorized to post publicly accessible content on organizational\n                  information systems\\n\\ntraining materials and/or records\\n\\nrecords of publicly accessible information reviews\\n\\nrecords of response to nonpublic information on public websites\\n\\nsystem audit logs\\n\\nsecurity awareness training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible\n                  information posted on organizational information systems\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","parameters":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"at-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and\n                     training policy and associated security awareness and training controls;\n                     and"}]},{"id":"at-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AT\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that\n                        addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training\n                        policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to\n                        organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        security awareness and training policy and associated awareness and training\n                        controls;"},{"id":"at-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness\n                        and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with\n                        the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness\n                        and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","parameters":[{"id":"at-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference","text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system\n               users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and\n               security awareness techniques based on the specific organizational requirements and\n               the information systems to which personnel have authorized access. The content\n               includes a basic understanding of the need for information security and user actions\n               to maintain security and to respond to suspected security incidents. The content also\n               addresses awareness of the need for operations security. Security awareness\n               techniques can include, for example, displaying posters, offering supplies inscribed\n               with security reminders, generating email advisories/notices from senior\n               organizational officials, displaying logon screen messages, and conducting\n               information security awareness events.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) as part of initial training for new\n                  users;"},{"id":"at-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) when required by information system\n                  changes; and"},{"id":"at-2.c_obj","name":"objective","properties":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training\n                     thereafter to information system users (including managers, senior executives,\n                     and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including\n                     managers, senior executives, and contractors) with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nappropriate codes of federal regulations\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel comprising the general information system user\n                  community"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","parameters":[{"id":"at-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference","text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned\n               security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned\n                  duties;"},{"id":"at-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the\n               assigned roles and responsibilities of individuals and the specific security\n               requirements of organizations and the information systems to which personnel have\n               authorized access. In addition, organizations provide enterprise architects,\n               information system developers, software developers, acquisition/procurement\n               officials, information system managers, system/network administrators, personnel\n               conducting configuration management and auditing activities, personnel performing\n               independent verification and validation activities, security control assessors, and\n               other personnel having access to system-level software, adequate security-related\n               technical training specifically tailored for their assigned duties. Comprehensive\n               role-based training addresses management, operational, and technical roles and\n               responsibilities covering physical, personnel, and technical safeguards and\n               countermeasures. Such training can include for example, policies, procedures, tools,\n               and artifacts for the organizational security roles defined. Organizations also\n               provide the training necessary for individuals to carry out their responsibilities\n               related to operations and supply chain security within the context of organizational\n               information security programs. Role-based security training also applies to\n               contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sa-16","rel":"related","text":"SA-16"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles\n                  and responsibilities before authorizing access to the information system or\n                  performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles\n                  and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","properties":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training\n                     thereafter to personnel with assigned security roles and responsibilities;\n                     and"},{"id":"at-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned\n                     security roles and responsibilities with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\ncodes of federal regulations\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security\n                  training\\n\\norganizational personnel with assigned information system security roles and\n                  responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","parameters":[{"id":"at-4_prm_1","label":"organization-defined time period","constraints":[{"detail":"At least one year"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities\n                  including basic security awareness training and specific information system\n                  security training; and"},{"id":"at-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at\n               the option of the organization.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-14","rel":"related","text":"PM-14"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","properties":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities\n                     including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities\n                     including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","properties":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time\n                     period."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training records\\n\\nsecurity awareness and training records\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention\n                  responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","parameters":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"au-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability\n                     policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AU\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that\n                        addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are\n                        to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined\n                        personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        audit and accountability policy and associated audit and accountability\n                        controls;"},{"id":"au-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and\n                        accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the\n                        organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and\n                        accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in\n                        accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","parameters":[{"id":"au-2_prm_1","label":"organization-defined auditable events","constraints":[{"detail":"Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"}]},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined\n               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each\n               identified event","constraints":[{"detail":"organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference","text":"NIST Special Publication 800-92"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following\n                  events: {{ au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information\n                  system: {{ au-2_prm_2 }}."},{"id":"au-2_fr","name":"item","title":"AU-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."}]}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system.\n               Organizations identify audit events as those events which are significant and\n               relevant to the security of information systems and the environments in which those\n               systems operate in order to meet specific and ongoing audit needs. Audit events can\n               include, for example, password changes, failed logons, or failed accesses related to\n               information systems, administrative privilege usage, PIV credential usage, or\n               third-party credential usage. In determining the set of auditable events,\n               organizations consider the auditing appropriate for each of the security controls to\n               be implemented. To balance auditing requirements with other information system needs,\n               this control also requires identifying that subset of auditable events that are\n               audited at a given point in time. For example, organizations may determine that\n               information systems must have the capability to log every file access both successful\n               and unsuccessful, but not activate that capability except for specific circumstances\n               due to the potential burden on system performance. Auditing requirements, including\n               the need for auditable events, may be referenced in other security controls and\n               control enhancements. Organizations also include auditable events that are required\n               by applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards. Audit records can be generated at various levels of abstraction, including\n               at the packet level as information traverses the network. Selecting the appropriate\n               level of abstraction is a critical aspect of an audit capability and can facilitate\n               the identification of root causes to problems. Organizations consider in the\n               definition of auditable events, the auditing necessary to cover related events such\n               as the steps in distributed, transaction-based processes (e.g., processes that are\n               distributed across multiple organizations) and actions that occur in service-oriented\n               architectures.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","properties":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of\n                     auditing;"},{"id":"au-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing\n                     organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","properties":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited\n                     within the information system;"},{"id":"au-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be\n                     audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each\n                     identified event."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system auditable events\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","properties":[{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that\n               establishes what type of event occurred, when the event occurred, where the event\n               occurred, the source of the event, the outcome of the event, and the identity of any\n               individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this\n               control, includes, for example, time stamps, source and destination addresses,\n               user/process identifiers, event descriptions, success/fail indications, filenames\n               involved, and access control or flow control rules invoked. Event outcomes can\n               include indicators of event success or failure and event-specific results (e.g., the\n               security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-8","rel":"related","text":"AU-8"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#si-11","rel":"related","text":"SI-11"}]},{"id":"au-3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system generates audit records containing information\n               that establishes: ","parts":[{"id":"au-3_obj.1","name":"objective","properties":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","properties":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","properties":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","properties":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","properties":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","properties":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable\n                  events"}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","parameters":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"properties":[{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing\n               requirements when allocating audit storage capacity. Allocating sufficient audit\n               storage capacity reduces the likelihood of such capacity being exceeded and resulting\n               in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","properties":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the\n                  organization-defined audit record storage requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit storage capacity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit record storage requirements\\n\\naudit record storage capability for information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","parameters":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system,\n               overwrite oldest audit records, stop generating audit records)","constraints":[{"detail":"organization-defined actions to be taken (overwrite oldest record)"}]}],"properties":[{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Alerts {{ au-5_prm_1 }} in the event of an audit processing\n                  failure; and"},{"id":"au-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software/hardware errors, failures in\n               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n               Organizations may choose to define additional actions for different audit processing\n               failures (e.g., by type, by location, by severity, or a combination of such factors).\n               This control applies to each audit data storage repository (i.e., distinct\n               information system component where audit records are stored), the total audit storage\n               capacity of organizations (i.e., all audit data storage repositories combined), or\n               both.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#si-12","rel":"related","text":"SI-12"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","properties":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of\n                     an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in\n                     the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","properties":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown\n                     information system, overwrite oldest audit records, stop generating audit\n                     records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the\n                     event of an audit processing failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of personnel to be notified in case of an audit processing failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing\n                  failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","parameters":[{"id":"au-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};\n                  and"},{"id":"au-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ au-6_prm_3 }}."},{"id":"au-6_fr","name":"item","title":"AU-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."}]}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing\n               performed by organizations including, for example, auditing that results from\n               monitoring of account usage, remote access, wireless connectivity, mobile device\n               connection, configuration settings, system component inventory, use of maintenance\n               tools and nonlocal maintenance, physical access, temperature and humidity, equipment\n               delivery and removal, communications at the information system boundaries, use of\n               mobile code, and use of VoIP. Findings can be reported to organizational entities\n               that include, for example, incident response team, help desk, information security\n               group/department. If organizations are prohibited from reviewing and analyzing audit\n               information or unable to conduct such activities (e.g., in certain national security\n               applications or systems), the review/analysis may be carried out by other\n               organizations granted such authority.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-19","rel":"related","text":"SC-19"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","properties":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when\n                     information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records\n                     for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of\n                     organization-defined inappropriate or unusual activity with the\n                     organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","properties":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis\n                     of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nreports of audit findings\\n\\nrecords of actions taken in response to reviews/analyses of audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","parameters":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"properties":[{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal\n                  Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is\n               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of\n               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time\n               measurements refers to the degree of synchronization between information system\n               clocks and reference clocks, for example, clocks synchronizing within hundreds of\n               milliseconds or within tens of milliseconds. Organizations may define different time\n               granularities for different system components. Time service can also be critical to\n               other security capabilities such as access control and identification and\n               authentication, depending on the nature of the mechanisms used to support those\n               capabilities.","links":[{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for\n                  audit records;"},{"id":"au-8.b_obj","name":"objective","properties":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped\n                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when\n                     recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the\n                     organization-defined granularity of time measurement."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","properties":[{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized\n               access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and\n               audit reports) needed to successfully audit information system activity. This control\n               focuses on technical protection of audit information. Physical protection of audit\n               information is addressed by media protection controls and physical and environmental\n               protection controls.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"au-9_obj.1","name":"objective","properties":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","properties":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","properties":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                  information system audit records\\n\\naudit tools\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","parameters":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy","constraints":[{"detail":"at least ninety days"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ au-11_prm_1 }} to\n               provide support for after-the-fact investigations of security incidents and to meet\n               regulatory and organizational information retention requirements.","parts":[{"id":"au-11_fr","name":"item","title":"AU-11 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-11_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."}]}]},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer\n               needed for administrative, legal, audit, or other operational purposes. This\n               includes, for example, retention and availability of audit records relative to\n               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.\n               Organizations develop standard categories of audit records relative to such types of\n               actions and standard response processes for each type of action. The National\n               Archives and Records Administration (NARA) General Records Schedules provide federal\n               policy on record retention.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#mp-6","rel":"related","text":"MP-6"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","properties":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records\n                  retention policy;"},{"id":"au-11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with\n                  records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents;\n                     and"},{"id":"au-11_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naudit record retention policy and procedures\\n\\nsecurity plan\\n\\norganization-defined retention period for audit records\\n\\naudit record archives\\n\\naudit logs\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","parameters":[{"id":"au-12_prm_1","label":"organization-defined information system components","constraints":[{"detail":"all information system and network components where audit capability is deployed/available"}]},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in\n                  AU-2 a. at {{ au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allows {{ au-12_prm_2 }} to select which auditable events are to be\n                  audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined\n                  in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The\n               list of audited events is the set of events for which audits are to be generated.\n               These events are typically a subset of all events for which the information system is\n               capable of generating audit records.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","properties":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide\n                     audit record generation capability for the auditable events defined in\n                     AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the\n                     auditable events defined in AU-2a, at organization-defined information system\n                     components;"}]},{"id":"au-12.b_obj","name":"objective","properties":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which\n                     auditable events are to be audited by specific components of the information\n                     system;"},{"id":"au-12.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to\n                     select which auditable events are to be audited by specific components of the\n                     system; and"}]},{"id":"au-12.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d\n                  with the content in defined in AU-3."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","parameters":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ca-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and\n                     authorization policy and associated security assessment and authorization\n                     controls; and"}]},{"id":"ca-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ ca-1_prm_2 }};\n                     and"},{"id":"ca-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that\n                        addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization\n                        policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to\n                        organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        security assessment and authorization policy and associated assessment and\n                        authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment\n                        and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy\n                        with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment\n                        and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","parameters":[{"id":"ca-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles","constraints":[{"detail":"individuals or roles to include FedRAMP PMO"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment\n                  including:","parts":[{"id":"ca-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness;\n                     and"},{"id":"ca-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and\n                     responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of\n                  operation {{ ca-2_prm_1 }} to determine the extent to which the\n                  controls are implemented correctly, operating as intended, and producing the\n                  desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the\n                  assessment; and"},{"id":"ca-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ ca-2_prm_2 }}."},{"id":"ca-2_fr","name":"item","title":"CA-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the\n               environments in which those systems operate as part of: (i) initial and ongoing\n               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;\n               and (iv) system development life cycle activities. Security assessments: (i) ensure\n               that information security is built into organizational information systems; (ii)\n               identify weaknesses and deficiencies early in the development process; (iii) provide\n               essential information needed to make risk-based decisions as part of security\n               authorization processes; and (iv) ensure compliance to vulnerability mitigation\n               procedures. Assessments are conducted on the implemented security controls from\n               Appendix F (main catalog) and Appendix G (Program Management controls) as documented\n               in System Security Plans and Information Security Program Plans. Organizations can\n               use other types of assessment activities such as vulnerability scanning and system\n               monitoring to maintain the security posture of information systems during the entire\n               life cycle. Security assessment reports document assessment results in sufficient\n               detail as deemed necessary by organizations, to determine the accuracy and\n               completeness of the reports and whether the security controls are implemented\n               correctly, operating as intended, and producing the desired outcome with respect to\n               meeting security requirements. The FISMA requirement for assessing security controls\n               at least annually does not require additional assessment activities to those\n               activities already in place in organizational security authorization processes.\n               Security assessment results are provided to the individuals or roles appropriate for\n               the types of assessments being conducted. For example, assessments conducted in\n               support of security authorization decisions are provided to authorizing officials or\n               authorizing official designated representatives. To satisfy annual assessment\n               requirements, organizations can use assessment results from the following sources:\n               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;\n               or (iii) system development life cycle activities. Organizations ensure that security\n               assessment results are current, relevant to the determination of security control\n               effectiveness, and obtained with the appropriate level of assessor independence.\n               Existing security control assessment results can be reused to the extent that the\n               results are still valid and can also be supplemented with additional assessments as\n               needed. Subsequent to initial authorizations and in accordance with OMB policy,\n               organizations assess security controls during continuous monitoring. Organizations\n               establish the frequency for ongoing security control assessments in accordance with\n               organizational continuous monitoring strategies. Information Assurance Vulnerability\n               Alerts provide useful examples of vulnerability mitigation procedures. External\n               audits (e.g., audits by external entities such as regulatory agencies) are outside\n               the scope of this control.","links":[{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment\n                  including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control\n                     effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","properties":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system\n                     and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the\n                     organization-defined frequency to determine the extent to which the controls\n                     are implemented correctly, operating as intended, and producing the desired\n                     outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the\n                  assessment;"},{"id":"ca-2.d_obj","name":"objective","properties":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control\n                     assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined\n                     individuals or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessment planning\\n\\nprocedures addressing security assessments\\n\\nsecurity assessment plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan\n                  development, and/or security assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","parameters":[{"id":"ca-2.1_prm_1","label":"organization-defined level of independence"}],"properties":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"ca-02.01"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.","parts":[{"id":"ca-2.1_fr","name":"item","title":"CA-2 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."}]}]},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct\n                  impartial assessments of organizational information systems. Impartiality implies\n                  that assessors are free from any perceived or actual conflicts of interest with\n                  regard to the development, operation, or management of the organizational\n                  information systems under assessment or to the determination of security control\n                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual\n                  or conflicting interest with the organizations where the assessments are being\n                  conducted; (ii) assess their own work; (iii) act as management or employees of the\n                  organizations they are serving; or (iv) place themselves in positions of advocacy\n                  for the organizations acquiring their services. Independent assessments can be\n                  obtained from elements within organizations or can be contracted to public or\n                  private sector entities outside of organizations. Authorizing officials determine\n                  the required level of independence based on the security categories of information\n                  systems and/or the ultimate risk to organizational operations, organizational\n                  assets, or individuals. Authorizing officials also determine if the level of\n                  assessor independence provides sufficient assurance that the results are sound and\n                  can be used to make credible, risk-based decisions. This includes determining\n                  whether contracted security assessment services have sufficient independence, for\n                  example, when information system owners are not directly involved in contracting\n                  processes or cannot unduly influence the impartiality of assessors conducting\n                  assessments. In special situations, for example, when organizations that own the\n                  information systems are small or organizational structures require that\n                  assessments are conducted by individuals that are in the developmental,\n                  operational, or management chain of system owners, independence in assessment\n                  processes can be achieved by ensuring that assessment results are carefully\n                  reviewed and analyzed by independent teams of experts to validate the\n                  completeness, accuracy, integrity, and reliability of the results. Organizations\n                  recognize that assessments performed for purposes other than direct support to\n                  authorization decisions are, when performed by assessors with sufficient\n                  independence, more likely to be useable for such decisions, thereby reducing the\n                  need to repeat assessments."},{"id":"ca-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(1)[1]"}],"prose":"defines the level of independence to be employed to conduct security control\n                     assessments; and"},{"id":"ca-2.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-2(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of\n                     independence to conduct security control assessments."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity authorization package (including security plan, security assessment\n                     plan, security assessment report, plan of action and milestones, authorization\n                     statement)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","parameters":[{"id":"ca-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually and on input from FedRAMP"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference","text":"NIST Special Publication 800-47"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security\n                  requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e.,\n               system interconnections) and does not apply to transitory, user-controlled\n               connections such as email and website browsing. Organizations carefully consider the\n               risks that may be introduced when information systems are connected to other systems\n               with different security requirements and security controls, both within organizations\n               and external to organizations. Authorizing officials determine the risk associated\n               with information system connections and the appropriate controls employed. If\n               interconnecting systems have the same authorizing official, organizations do not need\n               to develop Interconnection Security Agreements. Instead, organizations can describe\n               the interface characteristics between those interconnecting systems in their\n               respective security plans. If interconnecting systems have different authorizing\n               officials within the same organization, organizations can either develop\n               Interconnection Security Agreements or describe the interface characteristics between\n               systems in the security plans for the respective systems. Organizations may also\n               incorporate Interconnection Security Agreement information into formal contracts,\n               especially for interconnections established between federal agencies and nonfederal\n               (i.e., private sector) organizations. Risk considerations also include information\n               systems sharing the same networks. For certain technologies (e.g., space, unmanned\n               aerial vehicles, and medical devices), there may be specialized connections in place\n               during preoperational testing. Such connections may require Interconnection Security\n               Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","properties":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements;\n                     and"},{"id":"ca-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the\n                     organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system Interconnection Security Agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or\n                  approving information system interconnection agreements\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing the system(s) to which the Interconnection Security Agreement\n                  applies"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","parameters":[{"id":"ca-5_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference","text":"OMB Memorandum 02-01"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document\n                  the organization’s planned remedial actions to correct weaknesses or deficiencies\n                  noted during the assessment of the security controls and to reduce or eliminate\n                  known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ ca-5_prm_1 }}\n                  based on the findings from security controls assessments, security impact\n                  analyses, and continuous monitoring activities."},{"id":"ca-5_fr","name":"item","title":"CA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Plan of Action & Milestones (POA&M) must be provided at least monthly."},{"id":"ca-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages\n               and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#pm-4","rel":"related","text":"PM-4"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or\n                     deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","properties":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the\n                     organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing plan of action and milestones\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and\n                  implementation responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action\n                  and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","parameters":[{"id":"ca-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every three years or when a significant change occurs"}]}],"properties":[{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference","text":"OMB Circular A-130"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference","text":"OMB Memorandum 11-33"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"},{"id":"ca-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ ca-6_prm_1 }}."},{"id":"ca-6_fr","name":"item","title":"CA-6(c) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."}]}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through\n               authorization decision documents, by senior organizational officials or executives\n               (i.e., authorizing officials) to authorize operation of information systems and to\n               explicitly accept the risk to organizational operations and assets, individuals,\n               other organizations, and the Nation based on the implementation of agreed-upon\n               security controls. Authorizing officials provide budgetary oversight for\n               organizational information systems or assume responsibility for the mission/business\n               operations supported by those systems. The security authorization process is an\n               inherently federal responsibility and therefore, authorizing officials must be\n               federal employees. Through the security authorization process, authorizing officials\n               assume responsibility and are accountable for security risks associated with the\n               operation and use of organizational information systems. Accordingly, authorizing\n               officials are in positions with levels of authority commensurate with understanding\n               and accepting such information security-related risks. OMB policy requires that\n               organizations conduct ongoing authorizations of information systems by implementing\n               continuous monitoring programs. Continuous monitoring programs can satisfy three-year\n               reauthorization requirements, so separate reauthorization processes are not\n               necessary. Through the employment of comprehensive continuous monitoring processes,\n               critical information contained in authorization packages (i.e., security plans,\n               security assessment reports, and plans of action and milestones) is updated on an\n               ongoing basis, providing authorizing officials and information system owners with an\n               up-to-date status of the security state of organizational information systems and\n               environments of operation. To reduce the administrative cost of security\n               reauthorization, authorizing officials use the results of continuous monitoring\n               processes to the maximum extent possible as the basis for rendering reauthorization\n               decisions.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"},{"id":"ca-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","properties":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security authorization\\n\\nsecurity authorization package (including security plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\nauthorization statement)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","parameters":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles","constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},{"id":"ca-7_prm_5","label":"organization-defined frequency","constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference","text":"OMB Memorandum 11-33"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference","text":"US-CERT Technical Cyber Security Alerts"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference","text":"DoD Information Assurance Vulnerability Alerts"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a\n               continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishment of {{ ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational\n                  continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance\n                  with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments\n                  and monitoring;"},{"id":"ca-7_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related\n                  information; and"},{"id":"ca-7_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to\n                     {{ ca-7_prm_4 }}\n                  {{ ca-7_prm_5 }}."},{"id":"ca-7_fr","name":"item","title":"CA-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."},{"id":"ca-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats,\n               vulnerabilities, and information security to support organizational risk management\n               decisions. The terms continuous and ongoing imply that organizations assess/analyze\n               security controls and information security-related risks at a frequency sufficient to\n               support organizational risk-based decisions. The results of continuous monitoring\n               programs generate appropriate risk response actions by organizations. Continuous\n               monitoring programs also allow organizations to maintain the security authorizations\n               of information systems and common controls over time in highly dynamic environments\n               of operation with changing mission/business needs, threats, vulnerabilities, and\n               technologies. Having access to security-related information on a continuing basis\n               through reports/dashboards gives organizational officials the capability to make more\n               effective and timely risk management decisions, including ongoing security\n               authorization decisions. Automation supports more frequent updates to security\n               authorization packages, hardware/software/firmware inventories, and other system\n               information. Effectiveness is further enhanced when continuous monitoring outputs are\n               formatted to provide information that is specific, measurable, actionable, relevant,\n               and timely. Continuous monitoring activities are scaled in accordance with the\n               security categories of information systems.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ca-7.a_obj","name":"objective","properties":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be\n                     monitored;"},{"id":"ca-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of\n                     organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of\n                     organization-defined metrics in accordance with the organizational continuous\n                     monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","properties":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for\n                     monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     such monitoring in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.c_obj","name":"objective","properties":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security\n                     control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security\n                     control assessments in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.d_obj","name":"objective","properties":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status\n                     monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security\n                     status monitoring of organization-defined metrics in accordance with the\n                     organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","properties":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.f_obj","name":"objective","properties":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to\n                     address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to\n                     address results of the analysis of security-related information in accordance\n                     with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","properties":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles\n                     to whom the security status of the organization and information system are to\n                     be reported;"},{"id":"ca-7.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report\n                     the security status of the organization and information system to\n                     organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security\n                     status of the organization or information system to organizational-defined\n                     personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security\n                     status of the organization and information system to organization-defined\n                     personnel or roles with the organization-defined frequency in accordance with\n                     the organizational continuous monitoring strategy."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                  controls\\n\\nprocedures addressing configuration management\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nconfiguration management records, security impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","parameters":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of\n               components"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ ca-9_prm_1 }} to the\n                  information system; and"},{"id":"ca-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security\n                  requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and\n               (separate) constituent system components (i.e., intra-system connections) including,\n               for example, system connections with mobile devices, notebook/desktop computers,\n               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of\n               authorizing each individual internal connection, organizations can authorize internal\n               connections for a class of components with common characteristics and/or\n               configurations, for example, all digital printers, scanners, and copiers with a\n               specified processing, storage, and transmission capability or all smart phones with a\n               specific baseline configuration.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","properties":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized\n                     as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system\n                     components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of components or classes of components authorized as internal system\n                  connections\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or\n                  authorizing internal system connections\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","parameters":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"cm-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management\n                     policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CM\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to\n                        be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined\n                        personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        configuration management policy and associated configuration management\n                        controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration\n                        management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the\n                        organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration\n                        management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","properties":[{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a\n               current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system\n               components including communications and connectivity-related aspects of systems.\n               Baseline configurations are documented, formally reviewed and agreed-upon sets of\n               specifications for information systems or configuration items within those systems.\n               Baseline configurations serve as a basis for future builds, releases, and/or changes\n               to information systems. Baseline configurations include information about information\n               system components (e.g., standard software packages installed on workstations,\n               notebook computers, servers, network components, or mobile devices; current version\n               numbers and patch information on operating systems and applications; and\n               configuration settings/parameters), network topology, and the logical placement of\n               those components within the system architecture. Maintaining baseline configurations\n               requires creating new baselines as organizational information systems change over\n               time. Baseline configurations of information systems reflect the current enterprise\n               architecture.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#pm-7","rel":"related","text":"PM-7"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system;\n                  and"},{"id":"cm-2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the\n                  information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\nenterprise architecture documentation\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting configuration control of the baseline\n                  configuration"}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","properties":[{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential\n               security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g.,\n               Information System Administrators, Information System Security Officers, Information\n               System Security Managers, and Information System Security Engineers) conduct security\n               impact analyses. Individuals conducting security impact analyses possess the\n               necessary skills/technical expertise to analyze the changes to information systems\n               and the associated security ramifications. Security impact analysis may include, for\n               example, reviewing security plans to understand security control requirements and\n               reviewing system design documentation to understand control implementation and how\n               specific changes might affect the controls. Security impact analyses may also include\n               assessments of risk to better understand the impact of the changes and to determine\n               if additional security controls are required. Security impact analyses are scaled in\n               accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine\n               potential security impacts prior to change implementation."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact\n                  analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","parameters":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists","constraints":[{"detail":"United States Government Configuration Baseline (USGCB)"}]},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference","text":"OMB Memorandum 07-11"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference","text":"OMB Memorandum 07-18"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference","text":"OMB Memorandum 08-22"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference","text":"http://checklists.nist.gov"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference","text":"http://www.nsa.gov"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology\n                  products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with\n                  operational requirements;"},{"id":"cm-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration\n                  settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with\n                  organizational policies and procedures."},{"id":"cm-6_fr","name":"item","title":"CM-6(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}]}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware,\n               software, or firmware components of the information system that affect the security\n               posture and/or functionality of the system. Information technology products for which\n               security-related configuration settings can be defined include, for example,\n               mainframe computers, servers (e.g., database, electronic mail, authentication, web,\n               proxy, file, domain name), workstations, input/output devices (e.g., scanners,\n               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice\n               and data switches, wireless access points, network appliances, sensors), operating\n               systems, middleware, and applications. Security-related parameters are those\n               parameters impacting the security state of information systems including the\n               parameters required to satisfy other security control requirements. Security-related\n               parameters include, for example: (i) registry settings; (ii) account, file, directory\n               permission settings; and (iii) settings for functions, ports, protocols, services,\n               and remote connections. Organizations establish organization-wide configuration\n               settings and subsequently derive specific settings for information systems. The\n               established settings become part of the systems configuration baseline. Common secure\n               configurations (also referred to as security configuration checklists, lockdown and\n               hardening guides, security reference guides, security technical implementation\n               guides) provide recognized, standardized, and established benchmarks that stipulate\n               secure configuration settings for specific information technology platforms/products\n               and instructions for configuring those information system components to meet\n               operational requirements. Common secure configurations can be developed by a variety\n               of organizations including, for example, information technology product developers,\n               manufacturers, vendors, consortia, academia, industry, federal agencies, and other\n               organizations in the public and private sectors. Common secure configurations include\n               the United States Government Configuration Baseline (USGCB) which affects the\n               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security\n               Content Automation Protocol (SCAP) and the defined standards within the protocol\n               (e.g., Common Configuration Enumeration) provide an effective method to uniquely\n               identify, track, and control configuration settings. OMB establishes federal policy\n               on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","properties":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document\n                     configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most\n                     restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology\n                     products employed within the information system using organization-defined\n                     security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","properties":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established\n                     configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration\n                        settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration\n                        settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","properties":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with\n                     organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with\n                     organizational policies and procedures."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nevidence supporting approved deviations from established configuration\n                  settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\\n\\nautomated mechanisms that implement, monitor, and/or control information system\n                  configuration settings\\n\\nautomated mechanisms that identify and/or document deviations from established\n                  configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","parameters":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and/or\n               services","constraints":[{"detail":"United States Government Configuration Baseline (USGCB)"}]}],"properties":[{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference","text":"DoD Instruction 8551.01"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols,\n                  and/or services: {{ cm-7_prm_1 }}."},{"id":"cm-7_fr","name":"item","title":"CM-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."},{"id":"cm-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc)\n\t\t\t\t\t\t\tPartially derived from AC-17(8)."}]}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the\n               functions and services, provided by default, may not be necessary to support\n               essential organizational operations (e.g., key missions, functions). Additionally, it\n               is sometimes convenient to provide multiple services from single information system\n               components, but doing so increases risk over limiting the services provided by any\n               one component. Where feasible, organizations limit component functionality to a\n               single function per device (e.g., email servers or web servers, but not both).\n               Organizations review functions and services provided by information systems or\n               individual components of information systems, to determine which functions and\n               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant\n               Messaging, auto-execute, and file sharing). Organizations consider disabling unused\n               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File\n               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to\n               prevent unauthorized connection of devices, unauthorized transfer of information, or\n               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion\n               detection and prevention systems, and end-point protections such as firewalls and\n               host-based intrusion detection systems to identify and prevent the use of prohibited\n               functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","properties":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.b_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.b_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing least functionality in the information system\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols,\n                  and/or services\\n\\nautomated mechanisms implementing restrictions or prohibition of functions, ports,\n                  protocols, and/or services"}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","parameters":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective\n               information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information\n                     system;"},{"id":"cm-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting;\n                     and"},{"id":"cm-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Includes {{ cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ cm-8_prm_2 }}."},{"id":"cm-8_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}]}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component\n               inventories that include components from all organizational information systems. In\n               such situations, organizations ensure that the resulting inventories include\n               system-specific information required for proper component accountability (e.g.,\n               information system association, information system owner). Information deemed\n               necessary for effective accountability of information system components includes, for\n               example, hardware inventory specifications, software license information, software\n               version numbers, component owners, and for networked components or devices, machine\n               names and network addresses. Inventory specifications include, for example,\n               manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pm-5","rel":"related","text":"PM-5"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that\n                     accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that\n                     includes all components within the authorization boundary of the information\n                     system;"},{"id":"cm-8.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at\n                     the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information\n                        system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that\n                        includes organization-defined information deemed necessary to achieve\n                        effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","properties":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component\n                     inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the\n                     organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component\n                  inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of\n                  information system components\\n\\nautomated mechanisms supporting and/or implementing the information system\n                  component inventory"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","properties":[{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"},{"id":"cm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple\n               spreadsheets) or automated methods (e.g., specialized tracking applications)\n               depending on organizational needs.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing software usage restrictions\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nsoftware contract agreements and copyright laws\\n\\nsite license documentation\\n\\nlist of software usage restrictions\\n\\nsoftware license tracking reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity\n                  licenses\\n\\norganization process for controlling/documenting the use of peer-to-peer file\n                  sharing technology\\n\\nautomated mechanisms implementing software license tracking\\n\\nautomated mechanisms implementing and controlling the use of peer-to-peer files\n                  sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","parameters":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency","constraints":[{"detail":"Continuously (via CM-7 (5))"}]}],"properties":[{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes {{ cm-11_prm_1 }} governing the installation of\n                  software by users;"},{"id":"cm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ cm-11_prm_2 }};\n                  and"},{"id":"cm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in\n               organizational information systems. To maintain control over the types of software\n               installed, organizations identify permitted and prohibited actions regarding software\n               installation. Permitted software installations may include, for example, updates and\n               security patches to existing software and downloading applications from\n               organization-approved “app stores” Prohibited software installations may include, for\n               example, software with unknown or suspect pedigrees or software that organizations\n               consider potentially malicious. The policies organizations select governing\n               user-installed software may be organization-developed or provided by some external\n               entity. Policy enforcement methods include procedural methods (e.g., periodic\n               examination of user accounts), automated methods (e.g., configuration settings\n               implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","properties":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of\n                     software by users;"}]},{"id":"cm-11.b_obj","name":"objective","properties":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined\n                     methods;"}]},{"id":"cm-11.c_obj","name":"objective","properties":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of rules governing user installed software\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records\\n\\ncontinuous monitoring strategy"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed\n                  software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel monitoring compliance with user-installed software\n                  policy\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information\n                  system\\n\\nautomated mechanisms enforcing rules/methods for governing the installation of\n                  software by users\\n\\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","parameters":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"cp-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy\n                     and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that\n                        addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning\n                        policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to\n                        organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the\n                        implementation of the contingency planning policy and associated contingency\n                        planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined\n                        personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current\n                        contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with\n                        the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current\n                        contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","parameters":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency\n                     requirements;"},{"id":"cp-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with\n                     contact information;"},{"id":"cp-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information\n                  system, or environment of operation and problems encountered during contingency\n                  plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."},{"id":"cp-2_fr","name":"item","title":"CP-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"CP-2 Requirement:"}],"prose":"For JAB authorizations the contingency lists include designated FedRAMP personnel."}]}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational\n               program for achieving continuity of operations for mission/business functions.\n               Contingency planning addresses both information system restoration and implementation\n               of alternative mission/business processes when systems are compromised. The\n               effectiveness of contingency planning is maximized by considering such planning\n               throughout the phases of the system development life cycle. Performing contingency\n               planning on hardware, software, and firmware development can be an effective means of\n               achieving information system resiliency. Contingency plans reflect the degree of\n               restoration required for organizational information systems since not all systems may\n               need to fully recover to achieve the level of continuity of operations desired.\n               Information system recovery objectives reflect applicable laws, Executive Orders,\n               directives, policies, standards, regulations, and guidelines. In addition to\n               information system availability, contingency plans also address other\n               security-related events resulting in a reduction in mission and/or business\n               effectiveness, such as malicious attacks compromising the confidentiality or\n               integrity of information systems. Actions addressed in contingency plans include, for\n               example, orderly/graceful degradation, information system shutdown, fallback to a\n               manual mode, alternate information flows, and operating in modes reserved for when\n               systems are under attack. By closely coordinating contingency planning with incident\n               handling activities, organizations can ensure that the necessary contingency planning\n               activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-11","rel":"related","text":"PM-11"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency\n                     requirements;"},{"id":"cp-2.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for\n                        the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","properties":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom copies of the contingency plan are to be\n                     distributed;"},{"id":"cp-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key\n                     contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","properties":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information\n                     system;"},{"id":"cp-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","properties":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of\n                     operation;"},{"id":"cp-2.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","properties":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom contingency plan changes are to be\n                     communicated;"},{"id":"cp-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency\n                     personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nevidence of contingency plan reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and\n                  protection\\n\\nautomated mechanisms for developing, reviewing, updating and/or protecting the\n                  contingency plan"}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","parameters":[{"id":"cp-3_prm_1","label":"organization-defined time period","constraints":[{"detail":"ten (10) days"}]},{"id":"cp-3_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent\n               with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ cp-3_prm_1 }} of assuming a contingency role or\n                  responsibility;"},{"id":"cp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and\n               responsibilities of organizational personnel to ensure that the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know when and where to report for duty during contingency operations and if\n               normal duties are affected; system administrators may require additional training on\n               how to set up information systems at alternate processing and storage sites; and\n               managers/senior leaders may receive more specific training on how to conduct\n               mission-essential functions in designated off-site locations and how to establish\n               communications with other governmental entities for purposes of coordination on\n               contingency-related activities. Training for contingency roles/responsibilities\n               reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-2","rel":"related","text":"IR-2"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","properties":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to\n                     information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned\n                  roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","properties":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with\n                     assigned roles and responsibilities with the organization-defined frequency\n                     thereafter."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nsecurity plan\\n\\ncontingency training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and\n                  training responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","parameters":[{"id":"cp-4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every three years"}]},{"id":"cp-4_prm_2","label":"organization-defined tests","constraints":[{"detail":"classroom exercises/table top written tests"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference","text":"NIST Special Publication 800-84"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the\n                  effectiveness of the plan and the organizational readiness to execute the\n                  plan;"},{"id":"cp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."},{"id":"cp-4_fr","name":"item","title":"CP-4(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-4(a) Requirement:"}],"prose":"The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."}]}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and\n               to identify potential weaknesses in the plans include, for example, walk-through and\n               tabletop exercises, checklists, simulations (parallel, full interrupt), and\n               comprehensive exercises. Organizations conduct testing based on the continuity\n               requirements in contingency plans and include a determination of the effects on\n               organizational operations, assets, and individuals arising due to contingency\n               operations. Organizations have flexibility and discretion in the breadth, depth, and\n               timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-3","rel":"related","text":"IR-3"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-4.a_obj","name":"objective","properties":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the\n                     organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information\n                     system;"},{"id":"cp-4.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the\n                     organization-defined frequency, using organization-defined tests to determine\n                     the effectiveness of the plan and the organizational readiness to execute the\n                     plan;"}]},{"id":"cp-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\nsecurity plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing,\n                  reviewing or responding to contingency plan tests\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                  testing"}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","parameters":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system\n                     {{ cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system\n                     {{ cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related\n                  documentation {{ cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."},{"id":"cp-9_fr","name":"item","title":"CP-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","properties":[{"name":"label","value":"CP-9(b)Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","properties":[{"name":"label","value":"CP-9(c)Requirement:"}],"prose":"The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."}]}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating\n               system and application software, and licenses. User-level information includes any\n               information other than system-level information. Mechanisms employed by organizations\n               to protect the integrity of information system backups include, for example, digital\n               signatures and cryptographic hashes. Protection of system backup information while in\n               transit is beyond the scope of this control. Information system backups reflect the\n               requirements in contingency plans as well as other organizational requirements for\n               backing up information.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.a_obj","name":"objective","properties":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of user-level information contained in the information\n                     system;"},{"id":"cp-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system\n                     with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","properties":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of system-level information contained in the information\n                     system;"},{"id":"cp-9.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information\n                     system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","properties":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of information system documentation including security-related\n                     documentation;"},{"id":"cp-9.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including\n                     security-related documentation, with the organization-defined frequency;\n                     and"}]},{"id":"cp-9.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system backups"}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","properties":[{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information\n               system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore\n               organizational missions/business functions. Reconstitution takes place following\n               recovery and includes activities for returning organizational information systems to\n               fully operational states. Recovery and reconstitution operations reflect mission and\n               business priorities, recovery point/time and reconstitution objectives, and\n               established organizational metrics consistent with contingency plan requirements.\n               Reconstitution includes the deactivation of any interim information system\n               capabilities that may have been needed during recovery operations. Reconstitution\n               also includes assessments of fully restored information system capabilities,\n               reestablishment of continuous monitoring activities, potential information system\n               reauthorizations, and activities to prepare the systems against future disruptions,\n               compromises, or failures. Recovery/reconstitution capabilities employed by\n               organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for: ","parts":[{"id":"cp-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","properties":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","properties":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","properties":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","properties":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","properties":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","properties":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","properties":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test results\\n\\ncontingency plan test documentation\\n\\nredundant secondary system for information system backups\\n\\nlocation(s) of redundant secondary backup system(s)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and/or\n                  reconstitution responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and\n                  reconstitution operations\\n\\nautomated mechanisms supporting and/or implementing information system recovery\n                  and reconstitution operations"}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","parameters":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ia-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and\n                     authentication policy and associated identification and authentication\n                     controls; and"}]},{"id":"ia-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ ia-1_prm_2 }};\n                     and"},{"id":"ia-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that\n                        addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication\n                        policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to\n                        organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        identification and authentication policy and associated identification and\n                        authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and\n                        authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy\n                        with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and\n                        authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","properties":[{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference","text":"HSPD-12"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or\n               processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have\n               equivalent status of employees (e.g., contractors, guest researchers). This control\n               applies to all accesses other than: (i) accesses that are explicitly identified and\n               documented in AC-14; and (ii) accesses that occur through authorized use of group\n               authenticators without individual authentication. Organizations may require unique\n               identification of individuals in group accounts (e.g., shared privilege accounts) or\n               for detailed accountability of individual activity. Organizations employ passwords,\n               tokens, or biometrics to authenticate user identities, or in the case multifactor\n               authentication, or some combination thereof. Access to organizational information\n               systems is defined as either local access or network access. Local access is any\n               access to organizational information systems by users (or processes acting on behalf\n               of users) where such access is obtained by direct connections without the use of\n               networks. Network access is access to organizational information systems by users (or\n               processes acting on behalf of users) where such access is obtained through network\n               connections (i.e., nonlocal accesses). Remote access is a type of network access that\n               involves communication through external networks (e.g., the Internet). Internal\n               networks include local area networks and wide area networks. In addition, the use of\n               encrypted virtual private networks (VPNs) for network connections between\n               organization-controlled endpoints and non-organization controlled endpoints may be\n               treated as internal networks from the perspective of protecting the confidentiality\n               and integrity of information traversing the network. Organizations can satisfy the\n               identification and authentication requirements in this control by complying with the\n               requirements in Homeland Security Presidential Directive 12 consistent with the\n               specific organizational implementation plans. Multifactor authentication requires the\n               use of two or more different factors to achieve authentication. The factors are\n               defined as: (i) something you know (e.g., password, personal identification number\n               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);\n               or (iii) something you are (e.g., biometric). Multifactor solutions that require\n               devices separate from information systems gaining access include, for example,\n               hardware tokens providing time-based or challenge-response authenticators and smart\n               cards such as the U.S. Government Personal Identity Verification card and the DoD\n               common access card. In addition to identifying and authenticating users at the\n               information system level (i.e., at logon), organizations also employ identification\n               and authentication mechanisms at the application level, when necessary, to provide\n               increased information security. Identification and authentication requirements for\n               other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates\n               organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\\n\\nautomated mechanisms supporting and/or implementing identification and\n                  authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","properties":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to\n                  privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ia-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements multifactor authentication for\n                  network access to privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","properties":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials.","parts":[{"id":"ia-2.12_fr","name":"item","title":"IA-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."}]}]},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access\n                  control systems (LACS) and physical access control systems (PACS). Personal\n                  Identity Verification (PIV) credentials are those credentials issued by federal\n                  agencies that conform to FIPS Publication 201 and supporting guidance documents.\n                  OMB Memorandum 11-11 requires federal agencies to continue implementing the\n                  requirements specified in HSPD-12 to enable agency-wide use of PIV\n                  credentials.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"ia-2.12_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing acceptance and verification\n                     of PIV credentials"}]}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","parameters":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period","constraints":[{"detail":"IA-4 (d) [at least two years]"}]},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity","constraints":[{"detail":"ninety days for user identifiers (See additional requirements and guidance)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ ia-4_prm_1 }} to assign an\n                  individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ ia-4_prm_3 }}."},{"id":"ia-4_fr","name":"item","title":"IA-4(e) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-4_fr_smt.e","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines the time period of inactivity for device identifiers."},{"id":"ia-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."}]}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet\n               protocol (IP) addresses, or device-unique token identifiers. Management of individual\n               identifiers is not applicable to shared information system accounts (e.g., guest and\n               anonymous accounts). Typically, individual identifiers are the user names of the\n               information system accounts assigned to those individuals. In such instances, the\n               account management activities of AC-2 use account names provided by IA-4. This\n               control also addresses individual identifiers not necessarily associated with\n               information system accounts (e.g., identifiers used in physical security control\n               databases accessed by badge reader systems for access to information systems).\n               Preventing reuse of identifiers implies preventing the assignment of previously used\n               individual, group, role, or device identifiers to different individuals, groups,\n               roles, or devices.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#sc-37","rel":"related","text":"SC-37"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by: ","parts":[{"id":"ia-4.a_obj","name":"objective","properties":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to\n                     assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and/or"},{"id":"ia-4.a_obj.1.d","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to\n                     assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and/or"},{"id":"ia-4.a_obj.2.d","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","properties":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and/or"},{"id":"ia-4.b_obj.4","name":"objective","properties":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","properties":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and/or"},{"id":"ia-4.c_obj.4","name":"objective","properties":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","properties":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","properties":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of\n                     inactivity."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system accounts\\n\\nlist of identifiers generated from physical access control devices\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","parameters":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the\n                  individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the\n                  organization;"},{"id":"ia-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"},{"id":"ia-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator\n                  distribution, for lost/compromised or damaged authenticators, and for revoking\n                  authenticators;"},{"id":"ia-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system\n                  installation;"},{"id":"ia-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for\n                  authenticators;"},{"id":"ia-5_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changing/refreshing authenticators {{ ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and\n                  modification;"},{"id":"ia-5_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security\n                  safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group/role accounts when membership to those accounts\n                  changes."},{"id":"ia-5_fr","name":"item","title":"IA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."}]}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI\n               certificates, and key cards. Initial authenticator content is the actual content\n               (e.g., the initial password) as opposed to requirements about authenticator content\n               (e.g., minimum password length). In many cases, developers ship information system\n               components with factory default authentication credentials to allow for initial\n               installation and configuration. Default authentication credentials are often well\n               known, easily discoverable, and present a significant security risk. The requirement\n               to protect individual authenticators may be implemented via control PL-4 or PS-6 for\n               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28\n               for authenticators stored within organizational information systems (e.g., passwords\n               stored in hashed or encrypted formats, files containing encrypted or hashed passwords\n               accessible with administrator privileges). Information systems support individual\n               authenticator management by organization-defined settings and restrictions for\n               various authenticator characteristics including, for example, minimum password\n               length, password composition, validation time window for time synchronous one-time\n               tokens, and number of allowed rejections during the verification stage of biometric\n               authentication. Specific actions that can be taken to safeguard authenticators\n               include, for example, maintaining possession of individual authenticators, not\n               loaning or sharing individual authenticators with others, and reporting lost, stolen,\n               or compromised authenticators immediately. Authenticator management includes issuing\n               and revoking, when no longer needed, authenticators for temporary access such as that\n               required for remote maintenance. Device authenticators include, for example,\n               certificates and passwords.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-28","rel":"related","text":"SC-28"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by: ","parts":[{"id":"ia-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and/or"},{"id":"ia-5.a_obj.4","name":"objective","properties":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the\n                  organization;"},{"id":"ia-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"},{"id":"ia-5.d_obj","name":"objective","properties":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial\n                     authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost/compromised or\n                     damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking\n                     authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system\n                  installation;"},{"id":"ia-5.f_obj","name":"objective","properties":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","properties":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing/refreshing\n                     authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing/refreshing authenticators with the organization-defined time period by\n                     authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","properties":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect\n                     authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect\n                     authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group/role accounts when membership to those accounts\n                  changes."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system authenticator types\\n\\nchange control records associated with managing information system\n                  authenticators\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                  capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","parameters":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters,\n                  mix of upper-case letters, lower-case letters, numbers, and special characters,\n                  including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number","constraints":[{"detail":"at least one"}]},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number","constraints":[{"detail":"twenty four"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords\n                     are created: {{ ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;\n                     and"},{"id":"ia-5.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate\n                     change to a permanent password."},{"id":"ia-5.1_fr","name":"item","title":"IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance (a) (d):"}],"prose":"If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."}]}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals\n                  using passwords as individual or group authenticators, and in a similar manner,\n                  when passwords are part of multifactor authenticators. This control enhancement\n                  does not apply when passwords are used to unlock hardware authenticators (e.g.,\n                  Personal Identity Verification cards). The implementation of such password\n                  mechanisms may not meet all of the requirements in the enhancement.\n                  Cryptographically-protected passwords include, for example, encrypted versions of\n                  passwords and one-way cryptographic hashes of passwords. The number of changed\n                  characters refers to the number of changes required with respect to the total\n                  number of positions in the current password. Password lifetime restrictions do not\n                  apply to temporary passwords. To mitigate certain brute force attacks against\n                  passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related","text":"IA-6"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication: ","parts":[{"id":"ia-5.1.a_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters,\n                        lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of\n                        character;"},{"id":"ia-5.1.a_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of\n                        organization-defined requirements for case sensitivity, number of\n                        characters, mix of upper-case letters, lower-case letters, numbers, and\n                        special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp","text":"IA-5(1)(a)"}]},{"id":"ia-5.1.b_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be\n                        enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum\n                        number of characters that must be changed when new passwords are\n                        created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp","text":"IA-5(1)(b)"}]},{"id":"ia-5.1.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of\n                     passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp","text":"IA-5(1)(c)"}]},{"id":"ia-5.1.d_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions\n                        to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions\n                        to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of\n                        organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of\n                        organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp","text":"IA-5(1)(d)"}]},{"id":"ia-5.1.e_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited\n                        from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined\n                        number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp","text":"IA-5(1)(e)"}]},{"id":"ia-5.1.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons\n                     with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp","text":"IA-5(1)(f)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\npassword policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\npassword configurations and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","parameters":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"properties":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs\n                  mechanisms that satisfy {{ ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based\n                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.\n                  Organizations define specific requirements for tokens, such as working with a\n                  particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication: ","parts":[{"id":"ia-5.11_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined\n                     token quality requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nautomated mechanisms employing hardware token-based authentication for the\n                     information system\\n\\nlist of token quality requirements\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing hardware token-based\n                     authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","properties":[{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the\n               authentication process to protect the information from possible exploitation/use by\n               unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow\n               unauthorized individuals to compromise authentication mechanisms. For some types of\n               information systems or system components, for example, desktops/notebooks with\n               relatively large monitors, the threat (often referred to as shoulder surfing) may be\n               significant. For other types of systems or components, for example, mobile devices\n               with 2-4 inch screens, this threat may be less significant, and may need to be\n               balanced against the increased likelihood of typographic input errors due to the\n               small keyboards. Therefore, the means for obscuring the authenticator feedback is\n               selected accordingly. Obscuring the feedback of authentication information includes,\n               for example, displaying asterisks when users type passwords into input devices, or\n               displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related","text":"PE-18"}]},{"id":"ia-6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system obscures feedback of authentication information\n               during the authentication process to protect the information from possible\n               exploitation/use by unauthorized individuals."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator feedback\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the obscuring of feedback of\n                  authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","properties":[{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference","text":"FIPS Publication 140"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference","text":"http://csrc.nist.gov/groups/STM/cmvp/index.html"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic\n               module that meet the requirements of applicable federal laws, Executive Orders,\n               directives, policies, regulations, standards, and guidance for such\n               authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to\n               authenticate an operator accessing the module and to verify that the operator is\n               authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ia-7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements mechanisms for authentication to a\n               cryptographic module that meet the requirements of applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and guidance for such\n               authentication."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing cryptographic module authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module\n                  authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic module\n                  authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","properties":[{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference","text":"OMB Memorandum 10-06-2011"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference","text":"NIST Special Publication 800-116"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference","text":"National Strategy for Trusted Identities in\n            Cyberspace"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users\n               (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational\n               users explicitly covered by IA-2. These individuals are uniquely identified and\n               authenticated for accesses other than those accesses explicitly identified and\n               documented in AC-14. In accordance with the E-Authentication E-Government initiative,\n               authentication of non-organizational users accessing federal information systems may\n               be required to protect federal, proprietary, or privacy-related information (with\n               exceptions noted for national security systems). Organizations use risk assessments\n               to determine authentication needs and consider scalability, practicality, and\n               security in balancing the need to ensure ease of use for access to federal\n               information and information systems with the need to protect and adequately mitigate\n               risk. IA-2 addresses identification and authentication requirements for access to\n               information systems by organizational users.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sc-8","rel":"related","text":"SC-8"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates\n               non-organizational users (or processes acting on behalf of non-organizational\n               users)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                  authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","properties":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and\n                  physical access control systems (PACS). Personal Identity Verification (PIV)\n                  credentials are those credentials issued by federal agencies that conform to FIPS\n                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires\n                  federal agencies to continue implementing the requirements specified in HSPD-12 to\n                  enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"ia-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies;\n                     and"},{"id":"ia-8.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from\n                     other agencies."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","properties":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems\n                  that are accessible to the general public, for example, public-facing websites.\n                  Third-party credentials are those credentials issued by nonfederal government\n                  entities approved by the Federal Identity, Credential, and Access Management\n                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials\n                  meet or exceed the set of minimum federal government-wide technical, security,\n                  privacy, and organizational maturity requirements. This allows federal government\n                  relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related","text":"AU-2"}]},{"id":"ia-8.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system accepts only FICAM-approved third-party\n                  credentials. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-approved, third-party credentialing products, components, or\n                     services procured and implemented by organization\\n\\nthird-party credential verification records\\n\\nevidence of FICAM-approved third-party credentials\\n\\nthird-party credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","parameters":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"properties":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in\n                     {{ ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are\n                  accessible to the general public, for example, public-facing websites.\n                  FICAM-approved information system components include, for example, information\n                  technology products and software libraries that have been approved by the Federal\n                  Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-8.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system\n                     components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in\n                     organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nthird-party credential validations\\n\\nthird-party credential authorizations\\n\\nthird-party credential records\\n\\nlist of FICAM-approved information system components procured and implemented\n                     by organization\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information system security, acquisition, and\n                     contracting responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","properties":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure\n                  that these standards are viable, robust, reliable, sustainable (e.g., available in\n                  commercial information technology products), and interoperable as documented, the\n                  United States Government assesses and scopes identity management standards and\n                  technology implementations against applicable federal legislation, directives,\n                  policies, and requirements. The result is FICAM-issued implementation profiles of\n                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and\n                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute\n                  Exchange).","links":[{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system conforms to FICAM-issued profiles. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-issued profiles and associated, approved protocols\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing conformance with\n                     FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","parameters":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ir-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and\n                     associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IR\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be\n                        disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel\n                        or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response\n                        policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the\n                        organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response\n                        procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","parameters":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users\n               consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ ir-2_prm_1 }} of assuming an incident response role or\n                  responsibility;"},{"id":"ir-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles\n               and responsibilities of organizational personnel to ensure the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know who to call or how to recognize an incident on the information system;\n               system administrators may require additional training on how to handle/remediate\n               incidents; and incident responders may receive more specific training on forensics,\n               reporting, system recovery, and restoration. Incident response training includes user\n               training in the identification and reporting of suspicious activities, both from\n               external and internal sources.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","properties":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided\n                     to information system users assuming an incident response role or\n                     responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with\n                  assigned roles and responsibilities when required by information system\n                  changes;"},{"id":"ir-2.c_obj","name":"objective","properties":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to\n                     information system users consistent with assigned roles or responsibilities;\n                     and"},{"id":"ir-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident\n                     response training to information system users consistent with assigned roles\n                     and responsibilities in accordance with the organization-defined frequency to\n                     provide refresher training."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nsecurity plan\\n\\nincident response plan\\n\\nsecurity plan\\n\\nincident response training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","properties":[{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes\n                  preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities;\n                  and"},{"id":"ir-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into\n                  incident response procedures, training, and testing, and implements the resulting\n                  changes accordingly."},{"id":"ir-4_fr","name":"item","title":"IR-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-4_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."}]}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the\n               capabilities of organizational information systems and the mission/business processes\n               being supported by those systems. Therefore, organizations consider incident response\n               as part of the definition, design, and development of mission/business processes and\n               information systems. Incident-related information can be obtained from a variety of\n               sources including, for example, audit monitoring, network monitoring, physical access\n               monitoring, user/administrator reports, and reported supply chain events. Effective\n               incident handling capability includes coordination among many organizational entities\n               including, for example, mission/business owners, information system owners,\n               authorizing officials, human resources offices, physical and personnel security\n               offices, legal departments, operations personnel, procurement offices, and the risk\n               executive (function).","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that\n                  includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","properties":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","properties":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","properties":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","properties":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities\n                     into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing/exercises."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","properties":[{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining\n               records about each incident, the status of the incident, and other pertinent\n               information necessary for forensics, evaluating incident details, trends, and\n               handling. Incident information can be obtained from a variety of sources including,\n               for example, incident reports, incident response teams, audit monitoring, network\n               monitoring, physical access monitoring, and user/administrator reports.","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-5_obj.1","name":"objective","properties":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nincident response records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\\n\\nautomated mechanisms supporting and/or implementing tracking and documenting of\n                  system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","parameters":[{"id":"ir-6_prm_1","label":"organization-defined time period","constraints":[{"detail":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference","text":"http://www.us-cert.gov"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational\n                  incident response capability within {{ ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ ir-6_prm_2 }}."},{"id":"ir-6_fr","name":"item","title":"IR-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident Communications Procedure."}]}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting\n               requirements within an organization and the formal incident reporting requirements\n               for federal agencies and their subordinate organizations. Suspected security\n               incidents include, for example, the receipt of suspicious email communications that\n               can potentially contain malicious code. The types of security incidents reported, the\n               content and timeliness of the reports, and the designated reporting authorities\n               reflect applicable federal laws, Executive Orders, directives, regulations, policies,\n               standards, and guidance. Current federal policy requires that all federal agencies\n               (unless specifically exempted from such requirements) report security incidents to\n               the United States Computer Emergency Readiness Team (US-CERT) within specified time\n               frames designated in the US-CERT Concept of Operations for Federal Cyber Security\n               Incident Handling.","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","properties":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security\n                     incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational\n                     incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","properties":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported;\n                     and"},{"id":"ir-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nincident reporting records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel who have/should have reported incidents\\n\\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing incident reporting"}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","properties":[{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the\n               organizational incident response capability that offers advice and assistance to\n               users of the information system for the handling and reporting of security\n               incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example,\n               help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","properties":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","properties":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the\n                  handling and reporting of security incidents."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support\n                  responsibilities\\n\\norganizational personnel with access to incident response support and assistance\n                  capability\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing incident response\n                  assistance"}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","parameters":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements","constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},{"id":"ir-8_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements","constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response\n                     capability;"},{"id":"ir-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response\n                     capability;"},{"id":"ir-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission,\n                     size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the\n                     organization;"},{"id":"ir-8_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ ir-8_prm_4 }};\n                  and"},{"id":"ir-8_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and\n                  modification."},{"id":"ir-8_fr","name":"item","title":"IR-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-8_fr_smt.b","name":"item","properties":[{"name":"label","value":"(b) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."},{"id":"ir-8_fr_smt.e","name":"item","properties":[{"name":"label","value":"(e) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."}]}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to\n               incident response. Organizational missions, business functions, strategies, goals,\n               and objectives for incident response help to determine the structure of incident\n               response capabilities. As part of a comprehensive incident response capability,\n               organizations consider the coordination and sharing of information with external\n               organizations, including, for example, external service providers and organizations\n               involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response\n                     capability;"},{"id":"ir-8.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response\n                     capability;"},{"id":"ir-8.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the\n                     organization;"},{"id":"ir-8.a.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response\n                        plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","properties":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and/or by role) to\n                        whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan\n                        are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined\n                     incident response personnel (identified by name and/or by role) and\n                     organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","properties":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","properties":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","properties":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and/or by role) to\n                        whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are\n                        to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident\n                     response personnel (identified by name and/or by role) and organizational\n                     elements; and"}]},{"id":"ir-8.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and\n                  modification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response planning\\n\\nincident response plan\\n\\nrecords of incident response plan reviews and approvals\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","parameters":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ma-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy\n                     and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be\n                        disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel\n                        or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance\n                        policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the\n                        organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance\n                        procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","parameters":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"properties":[{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on\n                  information system components in accordance with manufacturer or vendor\n                  specifications and/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or\n                  remotely and whether the equipment is serviced on site or removed to another\n                  location;"},{"id":"ma-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Requires that {{ ma-2_prm_1 }} explicitly approve the removal of\n                  the information system or system components from organizational facilities for\n                  off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Includes {{ ma-2_prm_2 }} in organizational maintenance\n                  records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system\n               maintenance program and applies to all types of maintenance to any system component\n               (including applications) conducted by any local or nonlocal entity (e.g.,\n               in-contract, warranty, in-house, software maintenance agreement). System maintenance\n               also includes those components not directly associated with information processing\n               and/or data/information retention such as scanners, copiers, and printers.\n               Information necessary for creating effective maintenance records includes, for\n               example: (i) date and time of maintenance; (ii) name of individuals or group\n               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of\n               the maintenance performed; and (v) information system components/equipment removed or\n               replaced (including identification numbers, if applicable). The level of detail\n               included in maintenance records can be informed by the security categories of\n               organizational information systems. Organizations consider supply chain issues\n               associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","properties":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance\n                     with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.4.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","properties":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","properties":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the\n                     information system or system components from organizational facilities for\n                     off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the\n                     removal of the information system or system components from organizational\n                     facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","properties":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational\n                     maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational\n                     maintenance records."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nmaintenance records\\n\\nmanufacturer/vendor maintenance specifications\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing,\n                  approving, and monitoring maintenance and repairs for the information system\\n\\norganizational processes for sanitizing information system components\\n\\nautomated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms implementing sanitization of information system\n                  components"}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference","text":"FIPS Publication 197"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference","text":"CNSS Policy 15"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent\n                  with organizational policy and documented in the security plan for the information\n                  system;"},{"id":"ma-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is\n                  completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by\n               individuals communicating through a network, either an external network (e.g., the\n               Internet) or an internal network. Local maintenance and diagnostic activities are\n               those activities carried out by individuals physically present at the information\n               system or information system component and not communicating across a network\n               connection. Authentication techniques used in the establishment of nonlocal\n               maintenance and diagnostic sessions reflect the network access requirements in IA-2.\n               Typically, strong authentication requires authenticators that are resistant to replay\n               attacks and employ multifactor authentication. Strong authenticators include, for\n               example, PKI where certificates are stored on a token protected by a password,\n               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by\n               other controls.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-17","rel":"related","text":"SC-17"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-4.a_obj","name":"objective","properties":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","properties":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed;\n                     and"},{"id":"ma-4.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is\n                     completed."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\\n\\nautomated mechanisms implementing, supporting, and/or managing nonlocal\n                  maintenance\\n\\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic\n                  sessions\\n\\nautomated mechanisms for terminating nonlocal maintenance sessions and network\n                  connections"}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","properties":[{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list\n                  of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on\n               organizational information systems, while PE-2 addresses physical access for\n               individuals whose maintenance duties place them within the physical protection\n               perimeter of the systems (e.g., custodial staff, physical plant maintenance\n               personnel). Technical competence of supervising individuals relates to the\n               maintenance performed on the information systems while having required access\n               authorizations refers to maintenance on and near the systems. Individuals not\n               previously identified as authorized maintenance personnel, such as information\n               technology manufacturers, vendors, systems integrators, and consultants, may require\n               privileged access to organizational information systems, for example, when required\n               to conduct maintenance activities with little or no notice. Based on organizational\n               assessments of risk, organizations may issue temporary credentials to these\n               individuals. Temporary credentials may be for one-time use or for very limited time\n               periods.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-5.a_obj","name":"objective","properties":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\nlist of authorized personnel\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\\n\\nautomated mechanisms supporting and/or implementing authorization of maintenance\n                  personnel"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","parameters":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"mp-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and\n                     associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be\n                        disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel\n                        or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection\n                        policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the\n                        organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection\n                        procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","parameters":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Restricting non-digital media access\n               includes, for example, denying access to patient medical records in a community\n               hospital unless the individuals seeking access to such records are authorized\n               healthcare providers. Restricting access to digital media includes, for example,\n               limiting access to design specifications stored on compact disks in the media library\n               to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of\n                  digital and/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and/or non-digital media\n                  to organization-defined personnel or roles."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media access restrictions\\n\\naccess control policy and procedures\\n\\nphysical and environmental protection policy and procedures\\n\\nmedia storage facilities\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\\n\\nautomated mechanisms supporting and/or implementing media access restrictions"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","parameters":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"properties":[{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference","text":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of\n                  organizational control, or release for reuse using {{ mp-6_prm_2 }}\n                  in accordance with applicable federal and organizational standards and policies;\n                  and"},{"id":"mp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with\n                  the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital,\n               subject to disposal or reuse, whether or not the media is considered removable.\n               Examples include media found in scanners, copiers, printers, notebook computers,\n               workstations, network components, and mobile devices. The sanitization process\n               removes information from the media such that the information cannot be retrieved or\n               reconstructed. Sanitization techniques, including clearing, purging, cryptographic\n               erase, and destruction, prevent the disclosure of information to unauthorized\n               individuals when such media is reused or released for disposal. Organizations\n               determine the appropriate sanitization methods recognizing that destruction is\n               sometimes necessary when other methods cannot be applied to media requiring\n               sanitization. Organizations use discretion on the employment of approved sanitization\n               techniques and procedures for media containing information deemed to be in the public\n               domain or publicly releasable, or deemed to have no adverse impact on organizations\n               or individuals if released for reuse or disposal. Sanitization of non-digital media\n               includes, for example, removing a classified appendix from an otherwise unclassified\n               document, or redacting selected sections or words from a document by obscuring the\n               redacted sections/words in a manner equivalent in effectiveness to removing them from\n               the document. NSA standards and policies control the sanitization process for media\n               containing classified information.","links":[{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-4","rel":"related","text":"SC-4"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-6.a_obj","name":"objective","properties":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing\n                     organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal,\n                     release out of organizational control, or release for reuse using\n                     organization-defined sanitization techniques or procedures in accordance with\n                     applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the\n                  security category or classification of the information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\napplicable federal standards and policies addressing media sanitization\\n\\nmedia sanitization records\\n\\naudit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","parameters":[{"id":"mp-7_prm_1"},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers).\n               In contrast to MP-2, which restricts user access to media, this control restricts the\n               use of certain types of media on information systems, for example,\n               restricting/prohibiting the use of flash drives or external hard disk drives.\n               Organizations can employ technical and nontechnical safeguards (e.g., policies,\n               procedures, rules of behavior) to restrict the use of information system media.\n               Organizations may restrict the use of portable storage devices, for example, by using\n               physical cages on workstations to prohibit access to certain external ports, or\n               disabling/removing the ability to insert, read or write to such devices.\n               Organizations may also limit the use of portable storage devices to only approved\n               devices including, for example, devices provided by the organization, devices\n               provided by other approved organizations, and devices that are not personally owned.\n               Finally, organizations may restrict the use of portable storage devices based on the\n               type of device, for example, prohibiting the use of writeable, portable storage\n               devices, and implementing this restriction by disabling or removing the capability to\n               write to such devices.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-7_obj.1","name":"objective","properties":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","properties":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of\n                  organization-defined types of information system media is to be one of the\n                  following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","properties":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","properties":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of\n                  organization-defined types of information system media on organization-defined\n                  information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on\n                  organization-defined information systems or system components using\n                  organization-defined security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\\n\\nautomated mechanisms restricting or prohibiting use of information system media on\n                  information systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","parameters":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"pe-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental\n                     protection policy and associated physical and environmental protection\n                     controls; and"}]},{"id":"pe-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ pe-1_prm_2 }};\n                     and"},{"id":"pe-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PE\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that\n                        addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection\n                        policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to\n                        organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        physical and environmental protection policy and associated physical and\n                        environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and\n                        environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy\n                        with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and\n                        environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","parameters":[{"id":"pe-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to\n                  the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals\n                     {{ pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer\n                  required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Authorization credentials include, for\n               example, badges, identification cards, and smart cards. Organizations determine the\n               strength of authorization credentials needed (including level of forge-proof badges,\n               smart cards, or identification cards) consistent with federal standards, policies,\n               and procedures. This control only applies to areas within facilities that have not\n               been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-2.a_obj","name":"objective","properties":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the\n                     information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the\n                     information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where\n                     the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","properties":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility\n                     access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals\n                     with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer\n                  required."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access authorizations\\n\\nsecurity plan\\n\\nauthorized personnel access list\\n\\nauthorization credentials\\n\\nphysical access list reviews\\n\\nphysical access termination records and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\\n\\norganizational personnel with physical access to information system facility\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\\n\\nautomated mechanisms supporting and/or implementing physical access\n                  authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","parameters":[{"id":"pe-3_prm_1","label":"organization-defined entry/exit points to the facility where the information\n               system resides"},{"id":"pe-3_prm_2","constraints":[{"detail":"CSP defined physical access control systems/devices AND guards"}]},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems/devices","constraints":[{"detail":"CSP defined physical access control systems/devices"}]},{"id":"pe-3_prm_4","label":"organization-defined entry/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and\n               monitoring","constraints":[{"detail":"in all circumstances within restricted access area where the information system resides"}]},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"pe-3_prm_9","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference","text":"NIST Special Publication 800-116"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference","text":"ICD 704"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference","text":"ICD 705"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference","text":"DoD Instruction 5200.39"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference","text":"Personal Identity Verification (PIV) in Enterprise\n            Physical Access Control System (E-PACS)"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference","text":"http://fips201ep.cio.gov"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the\n                     facility; and"},{"id":"pe-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides {{ pe-3_prm_5 }} to control access to areas within the\n                  facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};\n                  and"},{"id":"pe-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are\n                  lost, combinations are compromised, or individuals are transferred or\n                  terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Organizations determine the types of\n               facility guards needed including, for example, professional physical security staff\n               or other personnel such as administrative staff or information system users. Physical\n               access devices include, for example, keys, locks, combinations, and card readers.\n               Safeguards for publicly accessible areas within organizational facilities include,\n               for example, cameras, monitoring by guards, and isolating selected information\n               systems and/or system components in secured areas. Physical access control systems\n               comply with applicable federal laws, Executive Orders, directives, policies,\n               regulations, standards, and guidance. The Federal Identity, Credential, and Access\n               Management Program provides implementation guidance for identity, credential, and\n               access management capabilities for physical access control systems. Organizations\n               have flexibility in the types of audit logs employed. Audit logs can be procedural\n               (e.g., a written log of individuals accessing the facility and when such access\n               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination\n               thereof. Physical access points can include facility access points, interior access\n               points to information systems and/or components requiring supplemental access\n               controls, or both. Components of organizational information systems (e.g.,\n               workstations, terminals) may be located in areas designated as publicly accessible\n               with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-3.a_obj","name":"objective","properties":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry/exit points to the facility where the information system\n                     resides;"},{"id":"pe-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry/exit\n                     points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the\n                        facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems/devices to be employed to\n                           control ingress/egress to the facility where the information system\n                           resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress/egress to the\n                           facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems/devices;\n                              and/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","properties":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry/exit points for which physical access audit logs are to be\n                     maintained;"},{"id":"pe-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry/exit\n                     points;"}]},{"id":"pe-3.c_obj","name":"objective","properties":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within\n                     the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas\n                     within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","properties":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts\n                     and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","properties":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","properties":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access\n                     devices;"},{"id":"pe-3.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the\n                     organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","properties":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and/or\n                     when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nsecurity plan\\n\\nphysical access control logs or records\\n\\ninventory records of physical access control devices\\n\\ninformation system entry and exit points\\n\\nrecords of key and lock combination changes\\n\\nstorage locations for physical access control devices\\n\\nphysical access control devices\\n\\nlist of security safeguards controlling access to designated publicly accessible\n                  areas within facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\\n\\nautomated mechanisms supporting and/or implementing physical access control\\n\\nphysical access control devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","parameters":[{"id":"pe-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence\n                  of {{ pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident\n                  response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses\n               to detected physical security incidents. Security incidents include, for example,\n               apparent security violations or suspicious physical access activities. Suspicious\n               physical access activities include, for example: (i) accesses outside of normal work\n               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for\n               unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","properties":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs\n                     to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon\n                     occurrence of organization-defined events or potential indications of events;\n                     and"}]},{"id":"pe-6.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident\n                  response capability."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\\n\\nautomated mechanisms supporting and/or implementing reviewing of physical access\n                  logs"}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","parameters":[{"id":"pe-8_prm_1","label":"organization-defined time period","constraints":[{"detail":"for a minimum of one (1) year"}]},{"id":"pe-8_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system\n                  resides for {{ pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons\n               visiting, visitor signatures, forms of identification, dates of access, entry and\n               departure times, purposes of visits, and names and organizations of persons visited.\n               Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-8.a_obj","name":"objective","properties":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility\n                     where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system\n                     resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","properties":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nsecurity plan\\n\\nvisitor access control logs or records\\n\\nvisitor access record or log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                  visitor access records"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","properties":[{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the\n               information system that activates in the event of a power outage or disruption and\n               that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for\n               the information system that: ","parts":[{"id":"pe-12_obj.1","name":"objective","properties":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing emergency lighting\\n\\nemergency lighting documentation\\n\\nemergency lighting test records\\n\\nemergency exits and evacuation routes\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing emergency lighting\n                  capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","properties":[{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices/systems\n               for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Fire suppression and detection devices/systems include, for example,\n               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke\n               detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-13_obj.1","name":"objective","properties":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices/systems for the information system\n                  that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","properties":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices/systems for the information\n                  system that are supported by an independent energy source."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression\n                  devices/systems\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire suppression/detection\n                  devices/systems"}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","parameters":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels","constraints":[{"detail":"consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},{"id":"pe-14_prm_2","label":"organization-defined frequency","constraints":[{"detail":"continuously"}]}],"properties":[{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the\n                  information system resides at {{ pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ pe-14_prm_2 }}."},{"id":"pe-14_fr","name":"item","title":"PE-14(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pe-14_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels by dew point."}]}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources, for example, data centers, server rooms, and mainframe computer\n               rooms.","links":[{"href":"#at-3","rel":"related","text":"AT-3"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-14.a_obj","name":"objective","properties":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility\n                     where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where\n                     the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system\n                     resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system\n                     resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","properties":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity control\\n\\nsecurity plan\\n\\ntemperature and humidity controls\\n\\nfacility housing the information system\\n\\ntemperature and humidity controls documentation\\n\\ntemperature and humidity records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing maintenance and monitoring of\n                  temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","properties":[{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water\n               leakage by providing master shutoff or isolation valves that are accessible, working\n               properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Isolation valves can be employed in addition to or in lieu of master\n               shutoff valves to shut off water supplies in specific areas of concern, without\n               affecting entire organizations.","links":[{"href":"#at-3","rel":"related","text":"AT-3"}]},{"id":"pe-15_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization protects the information system from damage resulting\n               from water leakage by providing master shutoff or isolation valves that are: ","parts":[{"id":"pe-15_obj.1","name":"objective","properties":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","properties":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","properties":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nmaster shutoff valves\\n\\nlist of key personnel with knowledge of location and activation procedures for\n                  master shutoff valves for the plumbing system\\n\\nmaster shutoff valve documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\\n\\norganizational process for activating master water-shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","parameters":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components","constraints":[{"detail":"all information system components"}]}],"properties":[{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}\n               entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system\n               components may require restricting access to delivery areas and possibly isolating\n               the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-16_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and\n                  controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.6","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.7","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.8","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing delivery and removal of information system components from\n                  the facility\\n\\nsecurity plan\\n\\nfacility housing the information system\\n\\nrecords of items entering and exiting the facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system\n                  components entering and exiting the facility\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information\n                  system-related items entering and exiting the facility\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling information system-related items entering and exiting the facility"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","parameters":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"pl-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and\n                     associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PL\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be\n                        disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or\n                        roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the\n                        organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures;\n                        and"},{"id":"pl-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","parameters":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of\n                     missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including\n                     supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the\n                  plan to {{ pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system/environment of\n                  operation or problems identified during plan implementation or security control\n                  assessments; and"},{"id":"pl-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control\n               enhancements. Security plans also describe, at a high level, how the security\n               controls and control enhancements meet those security requirements, but do not\n               provide detailed, technical descriptions of the specific design or implementation of\n               the controls/enhancements. Security plans contain sufficient information (including\n               the specification of parameter values for assignment and selection statements either\n               explicitly or by reference) to enable a design and implementation that is\n               unambiguously compliant with the intent of the plans and subsequent determinations of\n               risk to organizational operations and assets, individuals, other organizations, and\n               the Nation if the plan is implemented as intended. Organizations can also apply\n               tailoring guidance to the security control baselines in Appendix D and CNSS\n               Instruction 1253 to develop overlays for community-wide use or to address specialized\n               requirements, technologies, or missions/environments of operation (e.g.,\n               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and\n               Access Management, space operations). Appendix I provides guidance on developing\n               overlays. Security plans need not be single documents; the plans can be a collection\n               of various documents including documents that already exist. Effective security plans\n               make extensive use of references to policies, procedures, and additional documents\n               (e.g., design and implementation specifications) where more detailed information can\n               be obtained. This reduces the documentation requirements associated with security\n               programs and maintains security-related information in other established\n               management/operational areas related to enterprise architecture, system development\n               life cycle, systems engineering, and acquisition. For example, security plans do not\n               contain detailed contingency plan or incident response plan information but instead\n               provide explicitly or by reference, sufficient information to define what needs to be\n               accomplished by those plans.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-2.a_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of\n                     missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including\n                     supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring and supplemental\n                     decisions;"},{"id":"pl-2.a.9_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","properties":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be\n                     distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to\n                     the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","properties":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information\n                     system;"},{"id":"pl-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the\n                     organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing security plan development and implementation\\n\\nprocedures addressing security plan reviews and updates\\n\\nenterprise architecture documentation\\n\\nsecurity plan for the information system\\n\\nrecords of security plan reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development/review/update/approval\\n\\nautomated mechanisms supporting the information system security plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","parameters":[{"id":"pl-4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"At least every 3 years"}]}],"properties":[{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the\n                  information system, the rules that describe their responsibilities and expected\n                  behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior\n                  to read and re-sign when the rules of behavior are revised/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider\n               rules of behavior based on individual user roles and responsibilities,\n               differentiating, for example, between rules that apply to privileged users and rules\n               that apply to general users. Establishing rules of behavior for some types of\n               non-organizational users including, for example, individuals who simply receive\n               data/information from federal information systems, is often not feasible given the\n               large number of such users and the limited nature of their interactions with the\n               systems. Rules of behavior for both organizational and non-organizational users can\n               also be established in AC-8, System Use Notification. PL-4 b. (the signed\n               acknowledgment portion of this control) may be satisfied by the security awareness\n               training and role-based security training programs conducted by organizations if such\n               training includes rules of behavior. Organizations can use electronic signatures for\n               acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-4.a_obj","name":"objective","properties":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the\n                     rules that describe their responsibilities and expected behavior with regard to\n                     information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information\n                     system, the rules that describe their responsibilities and expected behavior\n                     with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","properties":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined\n                     frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior\n                  to read and resign when the rules of behavior are revised/updated."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nsigned acknowledgements\\n\\nrecords for rules of behavior reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and\n                  updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                  have signed and resigned rules of behavior\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating\n                  rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment, review,\n                  dissemination, and update of rules of behavior"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","parameters":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ps-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy\n                     and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PS\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be\n                        disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel\n                        or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security\n                        policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the\n                        organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security\n                        procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","parameters":[{"id":"ps-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every three years"}]}],"properties":[{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference","text":"5 C.F.R. 731.106"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and\n               guidance. Risk designations can guide and inform the types of authorizations\n               individuals receive when accessing organizational information and information\n               systems. Position screening criteria include explicit information security role\n               appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","properties":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing position categorization\\n\\nappropriate codes of federal regulations\\n\\nlist of risk designations for organizational positions\\n\\nsecurity plan\\n\\nrecords of position risk designation reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk\n                  designations\\n\\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","parameters":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is\n               so indicated, the frequency of such rescreening","constraints":[{"detail":"For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions."}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference","text":"5 C.F.R. 731.106"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference","text":"ICD 704"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, guidance, and\n               specific criteria established for the risk designations of assigned positions.\n               Organizations may define different rescreening conditions and frequencies for\n               personnel accessing information systems based on types of information processed,\n               stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-2","rel":"related","text":"PS-2"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","properties":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions\n                     requiring re-screening and, where re-screening is so indicated, with the\n                     organization-defined frequency of such re-screening."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","parameters":[{"id":"ps-4_prm_1","label":"organization-defined time period","constraints":[{"detail":"same day"}]},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Terminates/revokes any authenticators/credentials associated with the\n                  individual;"},{"id":"ps-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related\n                  property;"},{"id":"ps-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly\n                  controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication\n               tokens, system administration technical manuals, keys, identification cards, and\n               building passes. Exit interviews ensure that terminated individuals understand the\n               security constraints imposed by being former employees and that proper accountability\n               is achieved for information system-related property. Security topics of interest at\n               exit interviews can include, for example, reminding terminated individuals of\n               nondisclosure agreements and potential limitations on future employment. Exit\n               interviews may not be possible for some terminated individuals, for example, in cases\n               related to job abandonment, illnesses, and nonavailability of supervisors. Exit\n               interviews are important for individuals with security clearances. Timely execution\n               of termination actions is essential for individuals terminated for cause. In certain\n               situations, organizations consider disabling the information system accounts of\n               individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","properties":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time\n                     period;"}]},{"id":"ps-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(b)"}],"prose":"terminates/revokes any authenticators/credentials associated with the\n                  individual;"},{"id":"ps-4.c_obj","name":"objective","properties":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit\n                     interviews;"},{"id":"ps-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined\n                     information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related\n                  property;"},{"id":"ps-4.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly\n                  controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","properties":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel\n                     or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\nrecords of personnel termination actions\\n\\nlist of information system accounts\\n\\nrecords of terminated or revoked authenticators/credentials\\n\\nrecords of exit interviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","parameters":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period","constraints":[{"detail":"five days of the time period following the formal transfer action (DoD 24 hours)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical\n                  access authorizations to information systems/facilities when individuals are\n                  reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or\n               of such extended durations as to make the actions warranted. Organizations define\n               actions appropriate for the types of reassignments or transfers, whether permanent or\n               extended. Actions that may be required for personnel transfers or reassignments to\n               other positions within organizations include, for example: (i) returning old and\n               issuing new keys, identification cards, and building passes; (ii) closing information\n               system accounts and establishing new accounts; (iii) changing information system\n               access authorizations (i.e., privileges); and (iv) providing for access to official\n               records to which individuals had access at previous work locations and in previous\n               information system accounts.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-4","rel":"related","text":"PS-4"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","properties":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the\n                  organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","properties":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or\n                     reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must\n                     occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the\n                     organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","properties":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or\n                     transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel\n                     or roles when individuals are reassigned or transferred to other positions\n                     within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period when individuals are reassigned or transferred\n                     to other positions within the organization."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel transfer\\n\\nsecurity plan\\n\\nrecords of personnel transfer actions\\n\\nlist of information system and facility access authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational\n                  personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\\n\\nautomated mechanisms supporting and/or implementing personnel transfer\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","parameters":[{"id":"ps-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ps-6_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information\n                  systems;"},{"id":"ps-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and\n                  information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information\n                     systems when access agreements have been updated or {{ ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use\n               agreements, rules of behavior, and conflict-of-interest agreements. Signed access\n               agreements include an acknowledgement that individuals have read, understand, and\n               agree to abide by the constraints associated with organizational information systems\n               to which access is authorized. Organizations can use electronic signatures to\n               acknowledge access agreements unless specifically prohibited by organizational\n               policy.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-8","rel":"related","text":"PS-8"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information\n                  systems;"},{"id":"ps-6.b_obj","name":"objective","properties":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined\n                     frequency;"}]},{"id":"ps-6.c_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and\n                     information systems sign appropriate access agreements prior to being granted\n                     access;"},{"id":"ps-6.c.2_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been\n                        updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and\n                        information systems re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been updated\n                        or with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing access agreements for organizational information and\n                  information systems\\n\\nsecurity plan\\n\\naccess agreements\\n\\nrecords of access agreement reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel who have signed/resigned access agreements\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\\n\\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","parameters":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period","constraints":[{"detail":"organization-defined time period - same day"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and\n                  responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ ps-7_prm_1 }} of any\n                  personnel transfers or terminations of third-party personnel who possess\n                  organizational credentials and/or badges, or who have information system\n                  privileges within {{ ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other\n               organizations providing information system development, information technology\n               services, outsourced applications, and network and security management. Organizations\n               explicitly include personnel security requirements in acquisition-related documents.\n               Third-party providers may have personnel working at organizational facilities with\n               credentials, badges, or information system privileges issued by organizations.\n               Notifications of third-party personnel changes ensure appropriate termination of\n               privileges and credentials. Organizations define the transfers and terminations\n               deemed reportable by security-related characteristics that include, for example,\n               functions, roles, and nature of credentials/privileges associated with individuals\n               transferred or terminated.","links":[{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-21","rel":"related","text":"SA-21"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and\n                  responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","properties":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to\n                     notify organization-defined personnel or roles of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or\n                     roles within the organization-defined time period of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing third-party personnel security\\n\\nlist of personnel security requirements\\n\\nacquisition documents\\n\\nservice-level agreements\\n\\ncompliance monitoring process\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\nthird-party providers\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel\n                  security\\n\\nautomated mechanisms supporting and/or implementing monitoring of provider\n                  compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","parameters":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}\n                  when a formal employee sanctions process is initiated, identifying the individual\n                  sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Sanctions processes are\n               described in access agreements and can be included as part of general personnel\n               policies and procedures for organizations. Organizations consult with the Office of\n               the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","properties":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions\n                     process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles\n                     must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period when a formal employee sanctions process is\n                     initiated, identifying the individual sanctioned and the reason for the\n                     sanction."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel sanctions\\n\\nrules of behavior\\n\\nrecords of formal sanctions\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\\n\\nautomated mechanisms supporting and/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","parameters":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ra-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and\n                     associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the RA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be\n                        disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or\n                        roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment\n                        policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the\n                        organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment\n                        procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","properties":[{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"},{"id":"ra-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated\n                  representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security\n               categorization decisions. Security categories describe the potential adverse impacts\n               to organizational operations, organizational assets, and individuals if\n               organizational information and information systems are comprised through a loss of\n               confidentiality, integrity, or availability. Organizations conduct the security\n               categorization process as an organization-wide activity with the involvement of chief\n               information officers, senior information security officers, information system\n               owners, mission/business owners, and information owners/stewards. Organizations also\n               consider the potential adverse impacts to other organizations and, in accordance with\n               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential\n               national-level adverse impacts. Security categorization processes carried out by\n               organizations facilitate the development of inventories of information assets, and\n               along with CM-8, mappings to specific information system components where information\n               is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"},{"id":"ra-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative\n                  reviews and approves the security categorization decision."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing security categorization of organizational information and\n                  information systems\\n\\nsecurity plan\\n\\nsecurity categorization documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","parameters":[{"id":"ra-3_prm_1"},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document","constraints":[{"detail":"security assessment report"}]},{"id":"ra-3_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency","constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]}],"properties":[{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of the information system and the information it processes, stores, or\n                  transmits;"},{"id":"ra-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are\n                  significant changes to the information system or environment of operation\n                  (including the identification of new threats and vulnerabilities), or other\n                  conditions that may impact the security state of the system."},{"id":"ra-3_fr","name":"item","title":"RA-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","properties":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include FedRAMP."}]}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk\n               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,\n               and impact to organizational operations and assets, individuals, other organizations,\n               and the Nation based on the operation and use of information systems. Risk\n               assessments also take into account risk from external parties (e.g., service\n               providers, contractors operating information systems on behalf of the organization,\n               individuals accessing organizational information systems, outsourcing entities). In\n               accordance with OMB policy and related E-authentication initiatives, authentication\n               of public users accessing federal information systems may also be required to protect\n               nonpublic or privacy-related information. As such, organizational assessments of risk\n               also address public access to federal information systems. Risk assessments (either\n               formal or informal) can be conducted at all three tiers in the risk management\n               hierarchy (i.e., organization level, mission/business process level, or information\n               system level) and at any phase in the system development life cycle. Risk assessments\n               can also be conducted at various steps in the Risk Management Framework, including\n               categorization, security control selection, security control implementation, security\n               control assessment, information system authorization, and security control\n               monitoring. RA-3 is noteworthy in that the control must be partially implemented\n               prior to the implementation of other controls in order to complete the first two\n               steps in the Risk Management Framework. Risk assessments can play an important role\n               in security control selection processes, particularly during the application of\n               tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","properties":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","properties":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if\n                     not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","properties":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","properties":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be\n                     disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or\n                     roles;"}]},{"id":"ra-3.e_obj","name":"objective","properties":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or\n                        environment of operation (including the identification of new threats and\n                        vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of\n                        the system."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing organizational assessments of risk\\n\\nsecurity plan\\n\\nrisk assessment\\n\\nrisk assessment results\\n\\nrisk assessment reviews\\n\\nrisk assessment updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\\n\\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,\n                  disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","parameters":[{"id":"ra-5_prm_1","label":"organization-defined frequency and/or randomly in accordance with\n               organization-defined process","constraints":[{"detail":"monthly operating system/infrastructure; monthly web applications and databases"}]},{"id":"ra-5_prm_2","label":"organization-defined response times","constraints":[{"detail":"[high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."}]},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference","text":"http://cwe.mitre.org"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications\n                     {{ ra-5_prm_1 }} and when new vulnerabilities potentially\n                  affecting the system/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control\n                  assessments;"},{"id":"ra-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in\n                  accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security\n                  control assessments with {{ ra-5_prm_3 }} to help eliminate similar\n                  vulnerabilities in other information systems (i.e., systemic weaknesses or\n                  deficiencies)."},{"id":"ra-5_fr_smt.a","name":"item","title":"RA-5(a) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (a)Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."},{"id":"ra-5_fr_smt.e","name":"item","title":"RA-5(e) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (e)Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include FedRAMP."},{"id":"ra-5_fr","name":"item","title":"RA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}]}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and\n               comprehensiveness of vulnerability scans. Organizations determine the required\n               vulnerability scanning for all information system components, ensuring that potential\n               sources of vulnerabilities such as networked printers, scanners, and copiers are not\n               overlooked. Vulnerability analyses for custom software applications may require\n               additional approaches such as static analysis, dynamic analysis, binary analysis, or\n               a hybrid of the three approaches. Organizations can employ these analysis approaches\n               in a variety of tools (e.g., web-based application scanners, static analysis tools,\n               binary analyzers) and in source code reviews. Vulnerability scanning includes, for\n               example: (i) scanning for patch levels; (ii) scanning for functions, ports,\n               protocols, and services that should not be accessible to users or devices; and (iii)\n               scanning for improperly configured or incorrectly operating information flow control\n               mechanisms. Organizations consider using tools that express vulnerabilities in the\n               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open\n               Vulnerability Assessment Language (OVAL) to determine/test for the presence of\n               vulnerabilities. Suggested sources for vulnerability information include the Common\n               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In\n               addition, security control assessments such as red team exercises provide other\n               sources of potential vulnerabilities for which to scan. Organizations also consider\n               using tools that express vulnerability impact by the Common Vulnerability Scoring\n               System (CVSS).","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","properties":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information\n                        system and hosted applications; and/or"},{"id":"ra-5.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the\n                        information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and/or\n                     organization-defined process for conducting random scans, scans for\n                     vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system/applications are\n                     identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","properties":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","properties":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","properties":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance\n                     with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response\n                     times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","properties":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the\n                     vulnerability scanning process and security control assessments is to be\n                     shared;"},{"id":"ra-5.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies)."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and\n                  vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with vulnerability remediation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and\n                  information sharing\\n\\nautomated mechanisms supporting and/or implementing vulnerability scanning,\n                  analysis, remediation, and information sharing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","parameters":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"sa-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services\n                     acquisition policy and associated system and services acquisition controls;\n                     and"}]},{"id":"sa-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that\n                        addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition\n                        policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to\n                        organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and services acquisition policy and associated system and services\n                        acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services\n                        acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with\n                        the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services\n                        acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","properties":[{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference","text":"NIST Special Publication 800-65"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or\n                  information system service in mission/business process planning;"},{"id":"sa-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the\n                  information system or information system service as part of its capital planning\n                  and investment control process; and"},{"id":"sa-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial\n               information system or information system service acquisition and funding for the\n               sustainment of the system/service.","links":[{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#pm-11","rel":"related","text":"PM-11"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or\n                  information system service in mission/business process planning;"},{"id":"sa-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its\n                  capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","properties":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the allocation of resources to information security\n                  requirements\\n\\nprocedures addressing capital planning and investment control\\n\\norganizational programming and budgeting documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational\n                  programming and budgeting responsibilities\\n\\norganizational personnel responsible for determining information security\n                  requirements for information systems/services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\\n\\norganizational processes for capital planning, programming, and budgeting\\n\\nautomated mechanisms supporting and/or implementing organizational capital\n                  planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","parameters":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"properties":[{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference","text":"NIST Special Publication 800-64"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ sa-3_prm_1 }} that\n                  incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities;\n                  and"},{"id":"sa-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into\n                  system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the\n               successful development, implementation, and operation of organizational information\n               systems. To apply the required security controls within the system development life\n               cycle requires a basic understanding of information security, threats,\n               vulnerabilities, adverse impacts, and risk to critical missions/business functions.\n               The security engineering principles in SA-8 cannot be properly applied if individuals\n               that design, code, and test information systems and system components (including\n               information technology products) do not understand security. Therefore, organizations\n               include qualified personnel, for example, chief information security officers,\n               security architects, security engineers, and information system security officers in\n               system development life cycle activities to ensure that security requirements are\n               incorporated into organizational information systems. It is equally important that\n               developers include individuals on the development team that possess the requisite\n               security expertise and skills to ensure that needed security capabilities are\n               effectively integrated into the information system. Security awareness and training\n               programs can help ensure that individuals having key security roles and\n               responsibilities have the appropriate experience, skills, and expertise to conduct\n               assigned system development life cycle activities. The effective integration of\n               security requirements into enterprise architecture also helps to ensure that\n               important security considerations are addressed early in the system development life\n               cycle and that those considerations are directly related to the organizational\n               mission/business processes. This process also facilitates the integration of the\n               information security architecture into the enterprise architecture, consistent with\n               organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-8","rel":"related","text":"SA-8"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","properties":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security\n                     considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system\n                     development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities;\n                  and"},{"id":"sa-3.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into\n                  system development life cycle activities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security into the system\n                  development life cycle process\\n\\ninformation system development life cycle documentation\\n\\ninformation security risk management strategy/program documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle\n                  development responsibilities\\n\\norganizational personnel with information security risk management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\\n\\norganizational processes for identifying SDLC roles and responsibilities\\n\\norganizational process for integrating information security risk management into\n                  the SDLC\\n\\nautomated mechanisms supporting and/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","properties":[{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference","text":"HSPD-12"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference","text":"ISO/IEC 15408"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference","text":"NIST Special Publication 800-23"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference","text":"NIST Special Publication 800-36"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference","text":"NIST Special Publication 800-64"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference","text":"Federal Acquisition Regulation"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference","text":"http://www.niap-ccevs.org"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference","text":"http://fips201ep.cio.gov"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference","text":"http://www.acquisition.gov/far"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria,\n               explicitly or by reference, in the acquisition contract for the information system,\n               system component, or information system service in accordance with applicable federal\n               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and\n               organizational mission/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in\n                  which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."},{"id":"sa-4_fr","name":"item","title":"SA-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."}]}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology\n               assets (e.g., hardware, software, or firmware) that represent the building blocks of\n               an information system. Information system components include commercial information\n               technology products. Security functional requirements include security capabilities,\n               security functions, and security mechanisms. Security strength requirements\n               associated with such capabilities, functions, and mechanisms include degree of\n               correctness, completeness, resistance to direct attack, and resistance to tampering\n               or bypass. Security assurance requirements include: (i) development processes,\n               procedures, practices, and methodologies; and (ii) evidence from development and\n               assessment activities providing grounds for confidence that the required security\n               functionality has been implemented and the required security strength has been\n               achieved. Security documentation requirements address all phases of the system\n               development life cycle. Security functionality, assurance, and documentation\n               requirements are expressed in terms of security controls and control enhancements\n               that have been selected through the tailoring process. The security control tailoring\n               process includes, for example, the specification of parameter values through the use\n               of assignment and selection statements and the specification of platform dependencies\n               and implementation information. Security documentation provides user and\n               administrator guidance regarding the implementation and operation of security\n               controls. The level of detail required in security documentation is based on the\n               security category or classification level of the information system and the degree to\n               which organizations depend on the stated security capability, functions, or\n               mechanisms to meet overall risk response expectations (as defined in the\n               organizational risk management strategy). Security requirements can also include\n               organizationally mandated configuration settings specifying allowed functions, ports,\n               protocols, and services. Acceptance criteria for information systems, information\n               system components, and information system services are defined in the same manner as\n               such criteria for any organizational acquisition or procurement. The Federal\n               Acquisition Regulation (FAR) Section 7.103 contains information security requirements\n               from FISMA.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and\n               criteria, explicitly or by reference, in the acquisition contracts for the\n               information system, system component, or information system service in accordance\n               with applicable federal laws, Executive Orders, directives, policies, regulations,\n               standards, guidelines, and organizational mission/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","properties":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","properties":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","properties":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","properties":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","properties":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","properties":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","properties":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","properties":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","properties":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                  descriptions, and criteria into the acquisition process\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ninformation system design documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security functional, strength, and assurance requirements\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional,\n                  strength, and assurance requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of\n                  security requirements in contracts"}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","parameters":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component,\n                  or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or\n                     service;"},{"id":"sa-5_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or\n                  information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"User-accessible security functions/mechanisms and how to effectively use those\n                     security functions/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or\n                     service;"}]},{"id":"sa-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information\n                  system service documentation when such documentation is either unavailable or\n                  nonexistent and takes {{ sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management\n                  strategy; and"},{"id":"sa-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and\n               operation of security controls associated with information systems, system\n               components, and information system services. Organizations consider establishing\n               specific measures to determine the quality/completeness of the content provided. The\n               inability to obtain needed documentation may occur, for example, due to the age of\n               the information system/component or lack of support from developers and contractors.\n               In those situations, organizations may need to recreate selected documentation if\n               such documentation is essential to the effective implementation or operation of\n               security controls. The level of protection provided for selected information system,\n               component, or service documentation is commensurate with the security category or\n               classification of the system. For example, documentation associated with a key DoD\n               weapons system or command and control system would typically require a higher level\n               of protection than a routine administrative system. Documentation that addresses\n               information system vulnerabilities may also require an increased level of protection.\n               Secure operation of the information system, includes, for example, initially starting\n               the system and resuming secure system operation after any lapse in system\n               operation.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component,\n                  or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or\n                  information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or\n                     service;"}]},{"id":"sa-5.c_obj","name":"objective","properties":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information\n                     system, system component, or information system service documentation when such\n                     documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or\n                     information system service documentation when such documentation is either\n                     unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management\n                  strategy;"},{"id":"sa-5.e_obj","name":"objective","properties":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing information system documentation\\n\\ninformation system documentation including administrator and user guides\\n\\nrecords documenting attempts to obtain unavailable or nonexistent information\n                  system documentation\\n\\nlist of actions to be taken in response to documented attempts to obtain\n                  information system, system component, or information system service\n                  documentation\\n\\nrisk management strategy documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\nsystem administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information\n                  system administrator and user documentation"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","parameters":[{"id":"sa-9_prm_1","label":"organization-defined security controls","constraints":[{"detail":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques","constraints":[{"detail":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]}],"properties":[{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with\n                  organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive\n                  Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities\n                  with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs {{ sa-9_prm_2 }} to monitor security control compliance by\n                  external service providers on an ongoing basis."},{"id":"sa-9_fr","name":"item","title":"SA-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-9_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide [https://www.FedRAMP.gov/documents](https://www.FedRAMP.gov/documents)\n                  "},{"id":"sa-9_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance"}]}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the\n               authorization boundaries of organizational information systems. This includes\n               services that are used by, but not a part of, organizational information systems.\n               FISMA and OMB policy require that organizations using external service providers that\n               are processing, storing, or transmitting federal information or operating information\n               systems on behalf of the federal government ensure that such providers meet the same\n               security requirements that federal agencies are required to meet. Organizations\n               establish relationships with external service providers in a variety of ways\n               including, for example, through joint ventures, business partnerships, contracts,\n               interagency agreements, lines of business arrangements, licensing agreements, and\n               supply chain exchanges. The responsibility for managing risks from the use of\n               external information system services remains with authorizing officials. For services\n               external to organizations, a chain of trust requires that organizations establish and\n               retain a level of confidence that each participating provider in the potentially\n               complex consumer-provider relationship provides adequate protection for the services\n               rendered. The extent and nature of this chain of trust varies based on the\n               relationships between organizations and the external providers. Organizations\n               document the basis for trust relationships so the relationships can be monitored over\n               time. External information system services documentation includes government, service\n               providers, end user security roles and responsibilities, and service-level\n               agreements. Service-level agreements define expectations of performance for security\n               controls, describe measurable outcomes, and identify remedies and response\n               requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ps-7","rel":"related","text":"PS-7"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","properties":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information\n                     system services;"},{"id":"sa-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with\n                     organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ\n                     organization-defined security controls in accordance with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance;"}]},{"id":"sa-9.b_obj","name":"objective","properties":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information\n                     system services;"},{"id":"sa-9.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external\n                     information system services;"}]},{"id":"sa-9.c_obj","name":"objective","properties":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security\n                     control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor\n                     security control compliance by external service providers on an ongoing\n                     basis."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nprocedures addressing methods and techniques for monitoring security control\n                  compliance by external service providers of information system services\\n\\nacquisition contracts, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                  provider services\\n\\nsecurity control assessment evidence from external providers of information system\n                  services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external\n                  service providers on an ongoing basis\\n\\nautomated mechanisms for monitoring security control compliance by external\n                  service providers on an ongoing basis"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","parameters":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"sc-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications\n                     protection policy and associated system and communications protection controls;\n                     and"}]},{"id":"sc-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ sc-1_prm_2 }};\n                     and"},{"id":"sc-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that\n                        addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection\n                        policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to\n                        organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and communications protection policy and associated system and\n                        communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy\n                        with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","parameters":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources\n               for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types\n               of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of\n               denial of service attacks. For example, boundary protection devices can filter\n               certain types of packets to protect information system components on internal\n               organizational networks from being directly affected by denial of service attacks.\n               Employing increased capacity and bandwidth combined with service redundancy may also\n               reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related","text":"SC-6"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","properties":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source\n                  of such information for the information system to protect against or limit the\n                  effects;"},{"id":"sc-5_obj.2","name":"objective","properties":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information\n                  system to protect against or limit the effects of organization-defined types of\n                  denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","properties":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the\n                  organization-defined denial or service attacks (or reference to source for such\n                  information) by employing organization-defined security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing denial of service protection\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\nlist of denial of services attacks requiring employment of security safeguards to\n                  protect against or limit effects of such attacks\\n\\nlist of security safeguards protecting against or limiting the effects of denial\n                  of service attacks\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of\n                  service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","parameters":[{"id":"sc-7_prm_1"}],"properties":[{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference","text":"NIST Special Publication 800-41"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at\n                  key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;\n                  and"},{"id":"sc-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards,\n               network-based malicious code analysis and virtualization systems, or encrypted\n               tunnels implemented within a security architecture (e.g., routers protecting\n               firewalls or application gateways residing on protected subnetworks). Subnetworks\n               that are physically or logically separated from internal networks are referred to as\n               demilitarized zones or DMZs. Restricting or prohibiting interfaces within\n               organizational information systems includes, for example, restricting external web\n               traffic to designated web servers within managed interfaces and prohibiting external\n               traffic that appears to be spoofing internal addresses. Organizations consider the\n               shared nature of commercial telecommunications services in the implementation of\n               security controls associated with the use of such services. Commercial\n               telecommunications services are commonly based on network components and consolidated\n               management systems shared by all attached commercial customers, and may also include\n               third party-provided access lines and other service elements. Such transmission\n               services may represent sources of increased risk despite contract security\n               provisions.","links":[{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","properties":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are\n                  either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","properties":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and/or"},{"id":"sc-7.b_obj.2","name":"objective","properties":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\nlist of key internal boundaries of the information system\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\nenterprise security architecture documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","parameters":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage,\n               access, and destruction"}],"properties":[{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference","text":"NIST Special Publication 800-56"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference","text":"NIST Special Publication 800-57"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography\n               employed within the information system in accordance with {{ sc-12_prm_1 }}.","parts":[{"id":"sc-12_fr","name":"item","title":"SC-12 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved and validated cryptography."}]}]},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual\n               procedures or automated mechanisms with supporting manual procedures. Organizations\n               define key management requirements in accordance with applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, and guidance,\n               specifying appropriate options, levels, and parameters. Organizations manage trust\n               stores to ensure that only approved trust anchors are in such trust stores. This\n               includes certificates with visibility external to organizational information systems\n               and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","properties":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","properties":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","properties":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","properties":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","properties":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed\n                  within the information system in accordance with organization-defined requirements\n                  for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ncryptographic mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key establishment\n                  and/or management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic key\n                  establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","parameters":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for\n               each use","constraints":[{"detail":"FIPS-validated or NSA-approved cryptography"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference","text":"FIPS Publication 140"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference","text":"http://csrc.nist.gov/cryptval"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference","text":"http://www.cnss.gov"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ sc-13_prm_1 }} in accordance with\n               applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including,\n               for example, the protection of classified and Controlled Unclassified Information,\n               the provision of digital signatures, and the enforcement of information separation\n               when authorized individuals have the necessary clearances for such information but\n               lack the necessary formal access approvals. Cryptography can also be used to support\n               random number generation and hash generation. Generally applicable cryptographic\n               standards include FIPS-validated cryptography and NSA-approved cryptography. This\n               control does not impose any requirements on organizations to use cryptography.\n               However, if cryptography is required based on the selection of other security\n               controls, organizations define each type of cryptographic use and the type of\n               cryptography required (e.g., protection of classified information: NSA-approved\n               cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and\n                  type of cryptography required for each use in accordance with applicable federal\n                  laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic module validation certificates\\n\\nlist of FIPS validated cryptographic modules\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","parameters":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed","constraints":[{"detail":"no exceptions"}]}],"properties":[{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following\n                  exceptions: {{ sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the\n                  devices."},{"id":"sc-15_fr","name":"item","title":"SC-15 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-15_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."}]}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards,\n               cameras, and microphones. Explicit indication of use includes, for example, signals\n               to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related","text":"AC-21"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","properties":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative\n                     computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing\n                     devices, except for organization-defined exceptions where remote activation is\n                     to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically\n                  present at the devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing collaborative computing\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for managing collaborative\n                  computing devices"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing management of remote\n                  activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing\n                  devices"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name / Address Resolution Service (authoritative Source)","properties":[{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference","text":"OMB Memorandum 08-23"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification\n                  artifacts along with the authoritative name resolution data the system returns in\n                  response to external name/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the\n                  child supports secure resolution services) to enable verification of a chain of\n                  trust among parent and child domains, when operating as part of a distributed,\n                  hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet\n               clients, to obtain origin authentication and integrity verification assurances for\n               the host/service name to network address resolution information obtained through the\n               service. Information systems that provide name and address resolution services\n               include, for example, domain name system (DNS) servers. Additional artifacts include,\n               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS\n               resource records are examples of authoritative data. The means to indicate the\n               security status of child zones includes, for example, the use of delegation signer\n               resource records in the DNS. The DNS security controls reflect (and are referenced\n               from) OMB Memorandum 08-23. Information systems that use technologies other than the\n               DNS to map between host/service names and network addresses provide other means to\n               assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with\n                  the authoritative name resolution data the system returns in response to external\n                  name/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical\n                  namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","properties":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","properties":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the\n                     child supports secure resolution services)."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (authoritative\n                  source)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing secure name/address resolution\n                  service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name / Address Resolution Service (recursive or Caching Resolver)","properties":[{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data\n               integrity verification on the name/address resolution responses the system receives\n               from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own,\n               or has authenticated channels to trusted validation providers. Information systems\n               that provide name and address resolution services for local clients include, for\n               example, recursive resolving or caching domain name system (DNS) servers. DNS client\n               resolvers either perform validation of DNSSEC signatures, or clients use\n               authenticated channels to recursive resolvers that perform such validations.\n               Information systems that use technologies other than the DNS to map between\n               host/service names and network addresses provide other means to enable clients to\n               verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"sc-21_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (recursive or caching\n                  resolver)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing data origin authentication and\n                  data integrity verification for name/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name / Address Resolution Service","properties":[{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name/address resolution service for\n               an organization are fault-tolerant and implement internal/external role\n               separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for\n               example, domain name system (DNS) servers. To eliminate single points of failure and\n               to enhance redundancy, organizations employ at least two authoritative domain name\n               system servers, one configured as the primary server and the other configured as the\n               secondary server. Additionally, organizations typically deploy the servers in two\n               geographically separated network subnetworks (i.e., not located in the same physical\n               facility). For role separation, DNS servers with internal roles only process name and\n               address resolution requests from within organizations (i.e., from internal clients).\n               DNS servers with external roles only process name and address resolution information\n               requests from clients external to organizations (i.e., on external networks including\n               the Internet). Organizations specify clients that can access authoritative DNS\n               servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name/address\n               resolution service for an organization: ","parts":[{"id":"sc-22_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-22[2]"}],"prose":"implement internal/external role separation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing architecture and provisioning for name/address resolution\n                  service\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\nassessment results from independent, testing organizations\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing name/address resolution\n                  service for fault tolerance and role separation"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","properties":[{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing\n               process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing\n               process by assigning each process a separate address space. Each information system\n               process has a distinct address space so that communication between processes is\n               performed in a manner controlled through the security functions, and one process\n               cannot modify the executing code of another process. Maintaining separate execution\n               domains for executing processes can be achieved, for example, by implementing\n               separate address spaces. This capability is available in most commercial operating\n               systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-39_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system maintains a separate execution domain for each\n               executing process."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\\n\\ninformation system architecture\\n\\nindependent verification and validation documentation\\n\\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers/integrators\\n\\ninformation system security architect"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing separate execution domains for\n                  each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","parameters":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"si-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information\n                     integrity policy and associated system and information integrity controls;\n                     and"}]},{"id":"si-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ si-1_prm_2 }};\n                     and"},{"id":"si-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SI\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that\n                        addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity\n                        policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to\n                        organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and information integrity policy and associated system and\n                        information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with\n                        the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","parameters":[{"id":"si-2_prm_1","label":"organization-defined time period","constraints":[{"detail":"within 30 days of release of updates"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness\n                  and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management\n                  process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws\n               including potential vulnerabilities resulting from those flaws, and report this\n               information to designated organizational personnel with information security\n               responsibilities. Security-relevant software updates include, for example, patches,\n               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws\n               discovered during security assessments, continuous monitoring, incident response\n               activities, and system error handling. Organizations take advantage of available\n               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and\n               Exposures (CVE) databases in remediating flaws discovered in organizational\n               information systems. By incorporating flaw remediation into ongoing configuration\n               management processes, required/anticipated remediation actions can be tracked and\n               verified. Flaw remediation actions that can be tracked and verified include, for\n               example, determining whether organizations follow US-CERT guidance and Information\n               Assurance Vulnerability Alerts. Organization-defined time periods for updating\n               security-relevant software and firmware may vary based on a variety of factors\n               including, for example, the security category of the information system or the\n               criticality of the update (i.e., severity of the vulnerability related to the\n               discovered flaw). Some types of flaw remediation may require more testing than other\n               types. Organizations determine the degree and type of testing needed for the specific\n               type of flaw remediation activity under consideration and also the types of changes\n               that are to be configuration-managed. In some situations, organizations may determine\n               that the testing of software and/or firmware updates is not necessary or practical,\n               for example, when implementing simple anti-virus signature updates. Organizations may\n               also consider in testing decisions, whether security-relevant software or firmware\n               updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-11","rel":"related","text":"SI-11"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","properties":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","properties":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","properties":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software\n                     updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware\n                     updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the\n                     release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the\n                     release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management\n                  process."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nprocedures addressing configuration management\\n\\nlist of flaws and vulnerabilities potentially affecting the information system\\n\\nlist of recent security flaw remediation actions performed on the information\n                  system (e.g., list of installed patches, service packs, hot fixes, and other\n                  software updates to correct information system flaws)\\n\\ntest results from the installation of software and firmware updates to correct\n                  information system flaws\\n\\ninstallation/change control records for security-relevant software and firmware\n                  updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for flaw remediation\\n\\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information\n                  system flaws\\n\\norganizational process for installing software and firmware updates\\n\\nautomated mechanisms supporting and/or implementing reporting, and correcting\n                  information system flaws\\n\\nautomated mechanisms supporting and/or implementing testing software and firmware\n                  updates"}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","parameters":[{"id":"si-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]},{"id":"si-3_prm_2","constraints":[{"detail":"to include endpoints"}]},{"id":"si-3_prm_3","constraints":[{"detail":"to include alerting administrator or defined security personnel"}]},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit\n                  points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and\n                  procedures;"},{"id":"si-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in\n                     accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n                     {{ si-3_prm_3 }} in response to malicious code detection;\n                     and"}]},{"id":"si-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and\n                  eradication and the resulting potential impact on the availability of the\n                  information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations,\n               notebook computers, and mobile devices. Malicious code includes, for example,\n               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in\n               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden\n               files, or hidden in files using steganography. Malicious code can be transported by\n               different means including, for example, web accesses, electronic mail, electronic\n               mail attachments, and portable storage devices. Malicious code insertions occur\n               through the exploitation of information system vulnerabilities. Malicious code\n               protection mechanisms include, for example, anti-virus signature definitions and\n               reputation-based technologies. A variety of technologies and methods exist to limit\n               or eliminate the effects of malicious code. Pervasive configuration management and\n               comprehensive software integrity controls may be effective in preventing execution of\n               unauthorized code. In addition to commercial off-the-shelf software, malicious code\n               may also be present in custom-built software. This could include, for example, logic\n               bombs, back doors, and other types of cyber attacks that could affect organizational\n               missions/business functions. Traditional malicious code protection mechanisms cannot\n               always detect such code. In these situations, organizations rely instead on other\n               safeguards including, for example, secure coding practices, configuration management\n               and control, trusted procurement processes, and monitoring practices to help ensure\n               that software does not perform functions other than the functions intended.\n               Organizations may determine that in response to the detection of malicious code,\n               different actions may be warranted. For example, organizations can define actions in\n               response to malicious code detection during periodic scans, actions in response to\n               detection of malicious downloads, and/or actions in response to detection of\n               maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sa-13","rel":"related","text":"SA-13"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious\n                  code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and procedures\n                  (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","properties":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform\n                     periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response\n                     to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the\n                           organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and/or\n                           network entry/exit points as the files are downloaded, opened, or\n                           executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the\n                        following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection;\n                           and/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code\n                           detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","properties":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and\n                     eradication; and"},{"id":"si-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information\n                     system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nconfiguration management policy and procedures\\n\\nprocedures addressing malicious code protection\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nscan results from malicious code protection mechanisms\\n\\nrecord of actions initiated by malicious code protection mechanisms in response to\n                  malicious code detection\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for malicious code protection\\n\\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code\n                  protection mechanisms\\n\\norganizational process for addressing false positives and resulting potential\n                  impact\\n\\nautomated mechanisms supporting and/or implementing employing, updating, and\n                  configuring malicious code protection mechanisms\\n\\nautomated mechanisms supporting and/or implementing malicious code scanning and\n                  subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","parameters":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5"},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference","text":"NIST Special Publication 800-92"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference","text":"NIST Special Publication 800-94"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined\n                     essential information; and"},{"id":"si-4_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized\n                  access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations; and"},{"id":"si-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n                  {{ si-4_prm_5 }}."},{"id":"si-4_fr","name":"item","title":"SI-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See US-CERT Incident Response Reporting Guidelines."}]}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External\n               monitoring includes the observation of events occurring at the information system\n               boundary (i.e., part of perimeter defense and boundary protection). Internal\n               monitoring includes the observation of events occurring within the information\n               system. Organizations can monitor information systems, for example, by observing\n               audit activities in real time or by observing other system aspects such as access\n               patterns, characteristics of access, and other actions. The monitoring objectives may\n               guide determination of the events. Information system monitoring capability is\n               achieved through a variety of tools and techniques (e.g., intrusion detection\n               systems, intrusion prevention systems, malicious code protection software, scanning\n               tools, audit record monitoring software, network monitoring software). Strategic\n               locations for monitoring devices include, for example, selected perimeter locations\n               and near server farms supporting critical applications, with such devices typically\n               being employed at the managed interfaces associated with controls SC-7 and AC-17.\n               Einstein network monitoring devices from the Department of Homeland Security can also\n               be included as monitoring devices. The granularity of monitoring information\n               collected is based on organizational monitoring objectives and the capability of\n               information systems to support such objectives. Specific types of transactions of\n               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that\n               bypasses HTTP proxies. Information system monitoring is an integral part of\n               organizational continuous monitoring and incident response programs. Output from\n               system monitoring serves as input to continuous monitoring and incident response\n               programs. A network connection is any connection with a device that communicates\n               through a network (e.g., local area network, Internet). A remote connection is any\n               connection with a device communicating through an external network (e.g., the\n               Internet). Local, network, and remote connections can be either wired or\n               wireless.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-35","rel":"related","text":"SC-35"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential\n                        attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with\n                        organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","properties":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information\n                     system;"},{"id":"si-4.b.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through\n                     organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined\n                     essential information;"},{"id":"si-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from\n                  unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations;"},{"id":"si-4.g_obj","name":"objective","properties":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is\n                     to be provided;"},{"id":"si-4.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to\n                     organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system\n                     monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to\n                     organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and/or"},{"id":"si-4.g_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\\n\\nsystem and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\nfacility diagram/layout\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\nlocations within information system where monitoring devices are deployed\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system monitoring\n                  capability"}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","parameters":[{"id":"si-5_prm_1","label":"organization-defined external organizations","constraints":[{"detail":"to include US-CERT"}]},{"id":"si-5_prm_2","constraints":[{"detail":"to include system security personnel and administrators with configuration/patch-management responsibilities"}]},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"properties":[{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from\n                     {{ si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed\n                  necessary;"},{"id":"si-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or\n                  notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security\n               alerts and advisories to maintain situational awareness across the federal\n               government. Security directives are issued by OMB or other designated organizations\n               with the responsibility and authority to issue such directives. Compliance to\n               security directives is essential due to the critical nature of many of these\n               directives and the potential immediate adverse effects on organizational operations\n               and assets, individuals, other organizations, and the Nation should the directives\n               not be implemented in a timely manner. External organizations include, for example,\n               external mission/business partners, supply chain partners, external service\n               providers, and other peer/supporting organizations.","links":[{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","properties":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts,\n                     advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from\n                     organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed\n                  necessary;"},{"id":"si-5.c_obj","name":"objective","properties":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives\n                     are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories,\n                     and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and\n                     directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the\n                     following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and/or"},{"id":"si-5.c_obj.4.c","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames;\n                     or"},{"id":"si-5.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\nrecords of security alerts and advisories\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                  information system\\n\\norganizational personnel, organizational elements, and/or external organizations\n                  to whom alerts, advisories, and directives are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and\n                  complying with security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing definition, receipt,\n                  generation, and dissemination of security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing security directives"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","properties":[{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and\n               information output from the system in accordance with applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and operational\n               requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of\n               information, in some cases extending beyond the disposal of information systems. The\n               National Archives and Records Administration provides guidance on records\n               retention.","links":[{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and operational\n               requirements:","parts":[{"id":"si-12_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","properties":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","properties":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","properties":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nfederal laws, Executive Orders, directives, policies, regulations, standards, and\n                  operational requirements applicable to information handling and retention\\n\\nmedia protection policy and procedures\\n\\nprocedures addressing information system output handling and retention\\n\\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and\n                  retention\\n\\norganizational personnel with information security responsibilities/network\n                  administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\\n\\nautomated mechanisms supporting and/or implementing information handling and\n                  retention"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","parameters":[{"id":"si-16_prm_1","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SI-16"},{"name":"sort-id","value":"si-16"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"The information system implements {{ si-16_prm_1 }} to protect its\n               memory from unauthorized code execution."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable\n               regions of memory or in memory locations that are prohibited. Security safeguards\n               employed to protect memory include, for example, data execution prevention and\n               address space layout randomization. Data execution prevention safeguards can either\n               be hardware-enforced or software-enforced with hardware providing the greater\n               strength of mechanism.","links":[{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"si-16_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-16_obj.1","name":"objective","properties":[{"name":"label","value":"SI-16[1]"}],"prose":"the organization defines security safeguards to be implemented to protect\n                  information system memory from unauthorized code execution; and"},{"id":"si-16_obj.2","name":"objective","properties":[{"name":"label","value":"SI-16[2]"}],"prose":"the information system implements organization-defined security safeguards to\n                  protect its memory from unauthorized code execution."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing memory protection for the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security safeguards protecting information system memory from unauthorized\n                  code execution\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for memory protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing safeguards to protect\n                  information system memory from unauthorized code execution"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,\n               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.\n               731.106)."},"rlinks":[{"href":"http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https://www.cnss.gov/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https://acquisition.gov/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http://www.fema.gov/pdf/about/offices/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http://www.dhs.gov/homeland-security-presidential-directive-12"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http://checklists.nist.gov","citation":{"text":"http://checklists.nist.gov"},"rlinks":[{"href":"http://checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http://csrc.nist.gov/cryptval","citation":{"text":"http://csrc.nist.gov/cryptval"},"rlinks":[{"href":"http://csrc.nist.gov/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http://csrc.nist.gov/groups/STM/cmvp/index.html","citation":{"text":"http://csrc.nist.gov/groups/STM/cmvp/index.html"},"rlinks":[{"href":"http://csrc.nist.gov/groups/STM/cmvp/index.html"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http://cwe.mitre.org","citation":{"text":"http://cwe.mitre.org"},"rlinks":[{"href":"http://cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http://fips201ep.cio.gov","citation":{"text":"http://fips201ep.cio.gov"},"rlinks":[{"href":"http://fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http://idmanagement.gov","citation":{"text":"http://idmanagement.gov"},"rlinks":[{"href":"http://idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http://nvd.nist.gov","citation":{"text":"http://nvd.nist.gov"},"rlinks":[{"href":"http://nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http://www.acquisition.gov/far","citation":{"text":"http://www.acquisition.gov/far"},"rlinks":[{"href":"http://www.acquisition.gov/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http://www.cnss.gov","citation":{"text":"http://www.cnss.gov"},"rlinks":[{"href":"http://www.cnss.gov"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http://www.niap-ccevs.org","citation":{"text":"http://www.niap-ccevs.org"},"rlinks":[{"href":"http://www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http://www.nsa.gov","citation":{"text":"http://www.nsa.gov"},"rlinks":[{"href":"http://www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml","citation":{"text":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"},"rlinks":[{"href":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http://www.us-cert.gov","citation":{"text":"http://www.us-cert.gov"},"rlinks":[{"href":"http://www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO/IEC 15408","citation":{"text":"ISO/IEC 15408"},"rlinks":[{"href":"http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"}]},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http://www.nist.gov/nstic"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-137"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-16"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-23"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-30"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-41"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-50"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-57"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-94"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-97"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http://www.whitehouse.gov/omb/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http://www.whitehouse.gov/omb/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n            (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n               (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http://www.us-cert.gov/ncas/alerts"}]},{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and Regulations","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-citations"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-acronyms"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","desc":"FedRAMP Logo","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-logo"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}]},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","title":"NIST Special Publication (SP) 800-53","properties":[{"name":"version","ns":"https://fedramp.gov/ns/oscal","value":"Revision 4"},{"name":"keep","value":"always"}],"rlinks":[{"href":"../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","media-type":"application/xml"}]}]}}}
\ No newline at end of file
diff --git a/content/fedramp.gov/json/FedRAMP_LOW-baseline-resolved-profile_catalog.json b/content/fedramp.gov/json/FedRAMP_LOW-baseline-resolved-profile_catalog.json
deleted file mode 100644
index 650a910215..0000000000
--- a/content/fedramp.gov/json/FedRAMP_LOW-baseline-resolved-profile_catalog.json
+++ /dev/null
@@ -1,47817 +0,0 @@
-{
-  "catalog": {
-    "uuid": "d320d731-1aea-4d48-a4df-05b1c9f48c04",
-    "metadata": {
-      "title": "FedRAMP Low Baseline",
-      "published": "2020-06-01T00:00:00.000-04:00",
-      "last-modified": "2020-06-01T10:00:00.000-04:00",
-      "version": "1.2",
-      "oscal-version": "1.0.0-milestone3",
-      "properties": [
-        {
-          "name": "resolution-timestamp",
-          "value": "2020-08-31T17:38:45.129825Z"
-        }
-      ],
-      "links": [
-        {
-          "href": "FedRAMP_LOW-baseline_profile.xml",
-          "rel": "resolution-source",
-          "text": "FedRAMP Low Baseline"
-        }
-      ],
-      "roles": [
-        {
-          "id": "parpared-by",
-          "title": "Document creator"
-        },
-        {
-          "id": "fedramp-pmo",
-          "title": "The FedRAMP Program Management Office (PMO)",
-          "short-name": "CSP"
-        },
-        {
-          "id": "fedramp-jab",
-          "title": "The FedRAMP Joint Authorization Board (JAB)",
-          "short-name": "CSP"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Program Management Office",
-          "short-name": "FedRAMP PMO",
-          "links": [
-            {
-              "href": "https://fedramp.gov",
-              "rel": "homepage",
-              "text": ""
-            }
-          ],
-          "addresses": [
-            {
-              "type": "work",
-              "postal-address": [
-                "1800 F St. NW",
-                ""
-              ],
-              "city": "Washington",
-              "state": "DC",
-              "postal-code": "",
-              "country": "US"
-            }
-          ],
-          "email-addresses": [
-            "info@fedramp.gov"
-          ]
-        },
-        {
-          "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Joint Authorization Board",
-          "short-name": "FedRAMP JAB"
-        }
-      ],
-      "responsible-parties": {
-        "prepared-by": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-pmo": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-jab": {
-          "party-uuids": [
-            "ca9ba80e-1342-4bfd-b32a-abac468c24b4"
-          ]
-        }
-      }
-    },
-    "groups": [
-      {
-        "id": "ac",
-        "class": "family",
-        "title": "Access Control",
-        "controls": [
-          {
-            "id": "ac-1",
-            "class": "SP800-53",
-            "title": "Access Control Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ac-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ac-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ac-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ac-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An access control policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ac-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the access control policy and\n                     associated access controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ac-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Access control policy {{ ac-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ac-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Access control procedures {{ ac-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an access control policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ac-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ac-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the access control policy are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ac-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the access control policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        access control policy and associated access control controls;"
-                          },
-                          {
-                            "id": "ac-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ac-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current access control\n                        policy;"
-                          },
-                          {
-                            "id": "ac-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current access control policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current access control\n                        procedures; and"
-                          },
-                          {
-                            "id": "ac-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current access control procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-2",
-            "class": "SP800-53",
-            "title": "Account Management",
-            "parameters": [
-              {
-                "id": "ac-2_prm_1",
-                "label": "organization-defined information system account types"
-              },
-              {
-                "id": "ac-2_prm_2",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ac-2_prm_3",
-                "label": "organization-defined procedures or conditions"
-              },
-              {
-                "id": "ac-2_prm_4",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies and selects the following types of information system accounts to\n                  support organizational missions/business functions: {{ ac-2_prm_1 }};"
-                  },
-                  {
-                    "id": "ac-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assigns account managers for information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Establishes conditions for group and role membership;"
-                  },
-                  {
-                    "id": "ac-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Specifies authorized users of the information system, group and role membership,\n                  and access authorizations (i.e., privileges) and other attributes (as required)\n                  for each account;"
-                  },
-                  {
-                    "id": "ac-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Requires approvals by {{ ac-2_prm_2 }} for requests to create\n                  information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Creates, enables, modifies, disables, and removes information system accounts in\n                  accordance with {{ ac-2_prm_3 }};"
-                  },
-                  {
-                    "id": "ac-2_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Monitors the use of information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.h",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "h."
-                      }
-                    ],
-                    "prose": "Notifies account managers:",
-                    "parts": [
-                      {
-                        "id": "ac-2_smt.h.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "When accounts are no longer required;"
-                      },
-                      {
-                        "id": "ac-2_smt.h.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "When users are terminated or transferred; and"
-                      },
-                      {
-                        "id": "ac-2_smt.h.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "When individual information system usage or need-to-know changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2_smt.i",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "i."
-                      }
-                    ],
-                    "prose": "Authorizes access to the information system based on:",
-                    "parts": [
-                      {
-                        "id": "ac-2_smt.i.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A valid access authorization;"
-                      },
-                      {
-                        "id": "ac-2_smt.i.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Intended system usage; and"
-                      },
-                      {
-                        "id": "ac-2_smt.i.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Other attributes as required by the organization or associated\n                     missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2_smt.j",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "j."
-                      }
-                    ],
-                    "prose": "Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and"
-                  },
-                  {
-                    "id": "ac-2_smt.k",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "k."
-                      }
-                    ],
-                    "prose": "Establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_gdn",
-                "name": "guidance",
-                "prose": "Information system account types include, for example, individual, shared, group,\n               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and\n               service. Some of the account management requirements listed above can be implemented\n               by organizational information systems. The identification of authorized users of the\n               information system and the specification of access privileges reflects the\n               requirements in other security controls in the security plan. Users requiring\n               administrative privileges on information system accounts receive additional scrutiny\n               by appropriate organizational personnel (e.g., system owner, mission/business owner,\n               or chief information security officer) responsible for approving such accounts and\n               privileged access. Organizations may choose to define access privileges or other\n               attributes by account, by type of account, or a combination of both. Other attributes\n               required for authorizing access include, for example, restrictions on time-of-day,\n               day-of-week, and point-of-origin. In defining other account attributes, organizations\n               consider system-related requirements (e.g., scheduled maintenance, system upgrades)\n               and mission/business requirements, (e.g., time zone differences, customer\n               requirements, remote access to support travel requirements). Failure to consider\n               these factors could affect information system availability. Temporary and emergency\n               accounts are accounts intended for short-term use. Organizations establish temporary\n               accounts as a part of normal account activation procedures when there is a need for\n               short-term accounts without the demand for immediacy in account activation.\n               Organizations establish emergency accounts in response to crisis situations and with\n               the need for rapid account activation. Therefore, emergency account activation may\n               bypass normal account authorization processes. Emergency and temporary accounts are\n               not to be confused with infrequently used accounts (e.g., local logon accounts used\n               for special tasks defined by organizations or when network resources are\n               unavailable). Such accounts remain available and are not subject to automatic\n               disabling or removal dates. Conditions for disabling or deactivating accounts\n               include, for example: (i) when shared/group, emergency, or temporary accounts are no\n               longer required; or (ii) when individuals are transferred or terminated. Some types\n               of information system accounts may require specialized training.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-10",
-                    "rel": "related",
-                    "text": "AC-10"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system account types to be identified and selected to\n                     support organizational missions/business functions;"
-                      },
-                      {
-                        "id": "ac-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(a)[2]"
-                          }
-                        ],
-                        "prose": "identifies and selects organization-defined information system account types to\n                     support organizational missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(b)"
-                      }
-                    ],
-                    "prose": "assigns account managers for information system accounts;"
-                  },
-                  {
-                    "id": "ac-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(c)"
-                      }
-                    ],
-                    "prose": "establishes conditions for group and role membership;"
-                  },
-                  {
-                    "id": "ac-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(d)"
-                      }
-                    ],
-                    "prose": "specifies for each account (as required):",
-                    "parts": [
-                      {
-                        "id": "ac-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[1]"
-                          }
-                        ],
-                        "prose": "authorized users of the information system;"
-                      },
-                      {
-                        "id": "ac-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[2]"
-                          }
-                        ],
-                        "prose": "group and role membership;"
-                      },
-                      {
-                        "id": "ac-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[3]"
-                          }
-                        ],
-                        "prose": "access authorizations (i.e., privileges);"
-                      },
-                      {
-                        "id": "ac-2.d_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[4]"
-                          }
-                        ],
-                        "prose": "other attributes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles required to approve requests to create information\n                     system accounts;"
-                      },
-                      {
-                        "id": "ac-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(e)[2]"
-                          }
-                        ],
-                        "prose": "requires approvals by organization-defined personnel or roles for requests to\n                     create information system accounts;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines procedures or conditions to:",
-                        "parts": [
-                          {
-                            "id": "ac-2.f_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][a]"
-                              }
-                            ],
-                            "prose": "create information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][b]"
-                              }
-                            ],
-                            "prose": "enable information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][c]"
-                              }
-                            ],
-                            "prose": "modify information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][d]"
-                              }
-                            ],
-                            "prose": "disable information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][e]"
-                              }
-                            ],
-                            "prose": "remove information system accounts;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(f)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with organization-defined procedures or conditions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.f_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][a]"
-                              }
-                            ],
-                            "prose": "creates information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][b]"
-                              }
-                            ],
-                            "prose": "enables information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][c]"
-                              }
-                            ],
-                            "prose": "modifies information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][d]"
-                              }
-                            ],
-                            "prose": "disables information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][e]"
-                              }
-                            ],
-                            "prose": "removes information system accounts;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(g)"
-                      }
-                    ],
-                    "prose": "monitors the use of information system accounts;"
-                  },
-                  {
-                    "id": "ac-2.h_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(h)"
-                      }
-                    ],
-                    "prose": "notifies account managers:",
-                    "parts": [
-                      {
-                        "id": "ac-2.h.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(1)"
-                          }
-                        ],
-                        "prose": "when accounts are no longer required;"
-                      },
-                      {
-                        "id": "ac-2.h.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(2)"
-                          }
-                        ],
-                        "prose": "when users are terminated or transferred;"
-                      },
-                      {
-                        "id": "ac-2.h.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(3)"
-                          }
-                        ],
-                        "prose": "when individual information system usage or need to know changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.i_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(i)"
-                      }
-                    ],
-                    "prose": "authorizes access to the information system based on;",
-                    "parts": [
-                      {
-                        "id": "ac-2.i.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(1)"
-                          }
-                        ],
-                        "prose": "a valid access authorization;"
-                      },
-                      {
-                        "id": "ac-2.i.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(2)"
-                          }
-                        ],
-                        "prose": "intended system usage;"
-                      },
-                      {
-                        "id": "ac-2.i.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(3)"
-                          }
-                        ],
-                        "prose": "other attributes as required by the organization or associated\n                     missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.j_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(j)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.j_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(j)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review accounts for compliance with account management\n                     requirements;"
-                      },
-                      {
-                        "id": "ac-2.j_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(j)[2]"
-                          }
-                        ],
-                        "prose": "reviews accounts for compliance with account management requirements with the\n                     organization-defined frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.k_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(k)"
-                      }
-                    ],
-                    "prose": "establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of active system accounts along with the name of the individual associated\n                  with each account\\n\\nlist of conditions for group and role membership\\n\\nnotifications or records of recently transferred, separated, or terminated\n                  employees\\n\\nlist of recently disabled information system accounts along with the name of the\n                  individual associated with each account\\n\\naccess authorization records\\n\\naccount management compliance reviews\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes account management on the information system\\n\\nautomated mechanisms for implementing account management"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-3",
-            "class": "SP800-53",
-            "title": "Access Enforcement",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-3_smt",
-                "name": "statement",
-                "prose": "The information system enforces approved authorizations for logical access to\n               information and system resources in accordance with applicable access control\n               policies."
-              },
-              {
-                "id": "ac-3_gdn",
-                "name": "guidance",
-                "prose": "Access control policies (e.g., identity-based policies, role-based policies, control\n               matrices, cryptography) control access between active entities or subjects (i.e.,\n               users or processes acting on behalf of users) and passive entities or objects (e.g.,\n               devices, files, records, domains) in information systems. In addition to enforcing\n               authorized access at the information system level and recognizing that information\n               systems can host many applications and services in support of organizational missions\n               and business operations, access enforcement mechanisms can also be employed at the\n               application and service level to provide increased information security.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  },
-                  {
-                    "href": "#ac-22",
-                    "rel": "related",
-                    "text": "AC-22"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  }
-                ]
-              },
-              {
-                "id": "ac-3_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system enforces approved authorizations for logical\n               access to information and system resources in accordance with applicable access\n               control policies."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing access enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of approved authorizations (user privileges)\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-7",
-            "class": "SP800-53",
-            "title": "Unsuccessful Logon Attempts",
-            "parameters": [
-              {
-                "id": "ac-7_prm_1",
-                "label": "organization-defined number",
-                "constraints": [
-                  {
-                    "detail": "not more than three (3)"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "fifteen (15) minutes"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_3"
-              },
-              {
-                "id": "ac-7_prm_4",
-                "depends-on": "ac-7_prm_3",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "thirty (30) minutes"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_5",
-                "depends-on": "ac-7_prm_3",
-                "label": "organization-defined delay algorithm"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-07"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-7_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon\n                  attempts by a user during a {{ ac-7_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ac-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Automatically {{ ac-7_prm_3 }} when the maximum number of\n                  unsuccessful attempts is exceeded."
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_gdn",
-                "name": "guidance",
-                "prose": "This control applies regardless of whether the logon occurs via a local or network\n               connection. Due to the potential for denial of service, automatic lockouts initiated\n               by information systems are usually temporary and automatically release after a\n               predetermined time period established by organizations. If a delay algorithm is\n               selected, organizations may choose to employ different algorithms for different\n               information system components based on the capabilities of those components.\n               Responses to unsuccessful logon attempts may be implemented at both the operating\n               system and the application levels.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-9",
-                    "rel": "related",
-                    "text": "AC-9"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "ac-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the number of consecutive invalid logon attempts\n                     allowed to the information system by a user during an organization-defined time\n                     period;"
-                      },
-                      {
-                        "id": "ac-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period allowed by a user of the information\n                     system for an organization-defined number of consecutive invalid logon\n                     attempts;"
-                      },
-                      {
-                        "id": "ac-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[3]"
-                          }
-                        ],
-                        "prose": "the information system enforces a limit of organization-defined number of\n                     consecutive invalid logon attempts by a user during an organization-defined\n                     time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines account/node lockout time period or logon delay\n                     algorithm to be automatically enforced by the information system when the\n                     maximum number of unsuccessful logon attempts is exceeded;"
-                      },
-                      {
-                        "id": "ac-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system, when the maximum number of unsuccessful logon attempts\n                     is exceeded, automatically:",
-                        "parts": [
-                          {
-                            "id": "ac-7.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][a]"
-                              }
-                            ],
-                            "prose": "locks the account/node for the organization-defined time period;"
-                          },
-                          {
-                            "id": "ac-7.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][b]"
-                              }
-                            ],
-                            "prose": "locks the account/node until released by an administrator; or"
-                          },
-                          {
-                            "id": "ac-7.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][c]"
-                              }
-                            ],
-                            "prose": "delays next logon prompt according to the organization-defined delay\n                        algorithm."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing unsuccessful logon attempts\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem developers\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy for unsuccessful logon\n                  attempts"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-8",
-            "class": "SP800-53",
-            "title": "System Use Notification",
-            "parameters": [
-              {
-                "id": "ac-8_prm_1",
-                "label": "organization-defined system use notification message or banner",
-                "constraints": [
-                  {
-                    "detail": "see additional Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "ac-8_prm_2",
-                "label": "organization-defined conditions",
-                "constraints": [
-                  {
-                    "detail": "see additional Requirements and Guidance"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-8_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Displays to users {{ ac-8_prm_1 }} before granting access to the\n                  system that provides privacy and security notices consistent with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance and states that:",
-                    "parts": [
-                      {
-                        "id": "ac-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Users are accessing a U.S. Government information system;"
-                      },
-                      {
-                        "id": "ac-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Information system usage may be monitored, recorded, and subject to audit;"
-                      },
-                      {
-                        "id": "ac-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Unauthorized use of the information system is prohibited and subject to\n                     criminal and civil penalties; and"
-                      },
-                      {
-                        "id": "ac-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Use of the information system indicates consent to monitoring and\n                     recording;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains the notification message or banner on the screen until users acknowledge\n                  the usage conditions and take explicit actions to log on to or further access the\n                  information system; and"
-                  },
-                  {
-                    "id": "ac-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "For publicly accessible systems:",
-                    "parts": [
-                      {
-                        "id": "ac-8_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Displays system use information {{ ac-8_prm_2 }}, before\n                     granting further access;"
-                      },
-                      {
-                        "id": "ac-8_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Displays references, if any, to monitoring, recording, or auditing that are\n                     consistent with privacy accommodations for such systems that generally prohibit\n                     those activities; and"
-                      },
-                      {
-                        "id": "ac-8_smt.c.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Includes a description of the authorized uses of the system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8_fr",
-                    "name": "item",
-                    "title": "AC-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ac-8_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."
-                      },
-                      {
-                        "id": "ac-8_fr_smt.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."
-                      },
-                      {
-                        "id": "ac-8_fr_smt.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-8_gdn",
-                "name": "guidance",
-                "prose": "System use notifications can be implemented using messages or warning banners\n               displayed before individuals log in to information systems. System use notifications\n               are used only for access via logon interfaces with human users and are not required\n               when such human interfaces do not exist. Organizations consider system use\n               notification messages/banners displayed in multiple languages based on specific\n               organizational needs and the demographics of information system users. Organizations\n               also consult with the Office of the General Counsel for legal review and approval of\n               warning banner content."
-              },
-              {
-                "id": "ac-8_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines a system use notification message or banner to be\n                     displayed by the information system to users before granting access to the\n                     system;"
-                      },
-                      {
-                        "id": "ac-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system displays to users the organization-defined system use\n                     notification message or banner before granting access to the information system\n                     that provides privacy and security notices consistent with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance, and states that:",
-                        "parts": [
-                          {
-                            "id": "ac-8.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](1)"
-                              }
-                            ],
-                            "prose": "users are accessing a U.S. Government information system;"
-                          },
-                          {
-                            "id": "ac-8.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](2)"
-                              }
-                            ],
-                            "prose": "information system usage may be monitored, recorded, and subject to\n                        audit;"
-                          },
-                          {
-                            "id": "ac-8.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](3)"
-                              }
-                            ],
-                            "prose": "unauthorized use of the information system is prohibited and subject to\n                        criminal and civil penalties;"
-                          },
-                          {
-                            "id": "ac-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](4)"
-                              }
-                            ],
-                            "prose": "use of the information system indicates consent to monitoring and\n                        recording;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-8(b)"
-                      }
-                    ],
-                    "prose": "the information system retains the notification message or banner on the screen\n                  until users acknowledge the usage conditions and take explicit actions to log on\n                  to or further access the information system;"
-                  },
-                  {
-                    "id": "ac-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(c)"
-                      }
-                    ],
-                    "prose": "for publicly accessible systems:",
-                    "parts": [
-                      {
-                        "id": "ac-8.c.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-8.c.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-8(c)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines conditions for system use to be displayed by the\n                        information system before granting further access;"
-                          },
-                          {
-                            "id": "ac-8.c.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-8(c)(1)[2]"
-                              }
-                            ],
-                            "prose": "the information system displays organization-defined conditions before\n                        granting further access;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-8.c.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(2)"
-                          }
-                        ],
-                        "prose": "the information system displays references, if any, to monitoring, recording,\n                     or auditing that are consistent with privacy accommodations for such systems\n                     that generally prohibit those activities; and"
-                      },
-                      {
-                        "id": "ac-8.c.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(3)"
-                          }
-                        ],
-                        "prose": "the information system includes a description of the authorized uses of the\n                     system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprivacy and security policies, procedures addressing system use notification\\n\\ndocumented approval of information system use notification messages or banners\\n\\ninformation system audit records\\n\\nuser acknowledgements of notification message or banner\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system use notification messages\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for providing legal advice\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing system use notification"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-14",
-            "class": "SP800-53",
-            "title": "Permitted Actions Without Identification or Authentication",
-            "parameters": [
-              {
-                "id": "ac-14_prm_1",
-                "label": "organization-defined user actions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-14"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-14"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-14_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-14_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies {{ ac-14_prm_1 }} that can be performed on the\n                  information system without identification or authentication consistent with\n                  organizational missions/business functions; and"
-                  },
-                  {
-                    "id": "ac-14_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."
-                  }
-                ]
-              },
-              {
-                "id": "ac-14_gdn",
-                "name": "guidance",
-                "prose": "This control addresses situations in which organizations determine that no\n               identification or authentication is required in organizational information systems.\n               Organizations may allow a limited number of user actions without identification or\n               authentication including, for example, when individuals access public websites or\n               other publicly accessible federal information systems, when individuals use mobile\n               phones to receive calls, or when facsimiles are received. Organizations also identify\n               actions that normally require identification or authentication but may under certain\n               circumstances (e.g., emergencies), allow identification or authentication mechanisms\n               to be bypassed. Such bypasses may occur, for example, via a software-readable\n               physical switch that commands bypass of the logon functionality and is protected from\n               accidental or unmonitored use. This control does not apply to situations where\n               identification and authentication have already occurred and are not repeated, but\n               rather to situations where identification and authentication have not yet occurred.\n               Organizations may decide that there are no user actions that can be performed on\n               organizational information systems without identification and authentication and\n               thus, the values for assignment statements can be none.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  }
-                ]
-              },
-              {
-                "id": "ac-14_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-14.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-14(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-14.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-14(a)[1]"
-                          }
-                        ],
-                        "prose": "defines user actions that can be performed on the information system without\n                     identification or authentication consistent with organizational\n                     missions/business functions;"
-                      },
-                      {
-                        "id": "ac-14.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-14(a)[2]"
-                          }
-                        ],
-                        "prose": "identifies organization-defined user actions that can be performed on the\n                     information system without identification or authentication consistent with\n                     organizational missions/business functions; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-14.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-14(b)"
-                      }
-                    ],
-                    "prose": "documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing permitted actions without identification or\n                  authentication\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nlist of user actions that can be performed without identification or\n                  authentication\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-17",
-            "class": "SP800-53",
-            "title": "Remote Access",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-17"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5309d4d0-46f8-4213-a749-e7584164e5e8",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-46"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              },
-              {
-                "href": "#349fe082-502d-464a-aa0c-1443c6a5cf40",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-113"
-              },
-              {
-                "href": "#1201fcf3-afb1-4675-915a-fb4ae0435717",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-114"
-              },
-              {
-                "href": "#d1a4e2a9-e512-4132-8795-5357aba29254",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-121"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-17_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-17_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and documents usage restrictions, configuration/connection\n                  requirements, and implementation guidance for each type of remote access allowed;\n                  and"
-                  },
-                  {
-                    "id": "ac-17_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes remote access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "id": "ac-17_gdn",
-                "name": "guidance",
-                "prose": "Remote access is access to organizational information systems by users (or processes\n               acting on behalf of users) communicating through external networks (e.g., the\n               Internet). Remote access methods include, for example, dial-up, broadband, and\n               wireless. Organizations often employ encrypted virtual private networks (VPNs) to\n               enhance confidentiality and integrity over remote connections. The use of encrypted\n               VPNs does not make the access non-remote; however, the use of VPNs, when adequately\n               provisioned with appropriate security controls (e.g., employing appropriate\n               encryption techniques for confidentiality and integrity protection) may provide\n               sufficient assurance to the organization that it can effectively treat such\n               connections as internal networks. Still, VPN connections traverse external networks,\n               and the encrypted VPN does not enhance the availability of remote connections. Also,\n               VPNs with encrypted tunnels can affect the organizational capability to adequately\n               monitor network communications traffic for malicious code. Remote access controls\n               apply to information systems other than public web servers or systems designed for\n               public access. This control addresses authorization prior to allowing remote access\n               without specifying the formats for such authorization. While organizations may use\n               interconnection security agreements to authorize remote access connections, such\n               agreements are not required by this control. Enforcing access restrictions for remote\n               connections is addressed in AC-3.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#pe-17",
-                    "rel": "related",
-                    "text": "PE-17"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-17.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-17(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-17.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[1]"
-                          }
-                        ],
-                        "prose": "identifies the types of remote access allowed to the information system;"
-                      },
-                      {
-                        "id": "ac-17.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes for each type of remote access allowed:",
-                        "parts": [
-                          {
-                            "id": "ac-17.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][a]"
-                              }
-                            ],
-                            "prose": "usage restrictions;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][b]"
-                              }
-                            ],
-                            "prose": "configuration/connection requirements;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][c]"
-                              }
-                            ],
-                            "prose": "implementation guidance;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-17.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[3]"
-                          }
-                        ],
-                        "prose": "documents for each type of remote access allowed:",
-                        "parts": [
-                          {
-                            "id": "ac-17.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][a]"
-                              }
-                            ],
-                            "prose": "usage restrictions;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][b]"
-                              }
-                            ],
-                            "prose": "configuration/connection requirements;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][c]"
-                              }
-                            ],
-                            "prose": "implementation guidance; and"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-17(b)"
-                      }
-                    ],
-                    "prose": "authorizes remote access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing remote access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nremote access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing remote access\n                  connections\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Remote access management capability for the information system"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-18",
-            "class": "SP800-53",
-            "title": "Wireless Access",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-18"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-18"
-              }
-            ],
-            "links": [
-              {
-                "href": "#238ed479-eccb-49f6-82ec-ab74a7a428cf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-48"
-              },
-              {
-                "href": "#d1b1d689-0f66-4474-9924-c81119758dc1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-94"
-              },
-              {
-                "href": "#6f336ecd-f2a0-4c84-9699-0491d81b6e0d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-97"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-18_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-18_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions, configuration/connection requirements, and\n                  implementation guidance for wireless access; and"
-                  },
-                  {
-                    "id": "ac-18_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes wireless access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "id": "ac-18_gdn",
-                "name": "guidance",
-                "prose": "Wireless technologies include, for example, microwave, packet radio (UHF/VHF),\n               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,\n               EAP/TLS, PEAP), which provide credential protection and mutual authentication.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-18_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-18.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-18(a)"
-                      }
-                    ],
-                    "prose": "establishes for wireless access:",
-                    "parts": [
-                      {
-                        "id": "ac-18.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[1]"
-                          }
-                        ],
-                        "prose": "usage restrictions;"
-                      },
-                      {
-                        "id": "ac-18.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[2]"
-                          }
-                        ],
-                        "prose": "configuration/connection requirement;"
-                      },
-                      {
-                        "id": "ac-18.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[3]"
-                          }
-                        ],
-                        "prose": "implementation guidance; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-18(b)"
-                      }
-                    ],
-                    "prose": "authorizes wireless access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing wireless access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nwireless access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing wireless access\n                  connections\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Wireless access management capability for the information system"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-19",
-            "class": "SP800-53",
-            "title": "Access Control for Mobile Devices",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-19"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-19"
-              }
-            ],
-            "links": [
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              },
-              {
-                "href": "#1201fcf3-afb1-4675-915a-fb4ae0435717",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-114"
-              },
-              {
-                "href": "#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-124"
-              },
-              {
-                "href": "#6513e480-fada-4876-abba-1397084dfb26",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-164"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-19_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-19_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions, configuration requirements, connection\n                  requirements, and implementation guidance for organization-controlled mobile\n                  devices; and"
-                  },
-                  {
-                    "id": "ac-19_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes the connection of mobile devices to organizational information\n                  systems."
-                  }
-                ]
-              },
-              {
-                "id": "ac-19_gdn",
-                "name": "guidance",
-                "prose": "A mobile device is a computing device that: (i) has a small form factor such that it\n               can easily be carried by a single individual; (ii) is designed to operate without a\n               physical connection (e.g., wirelessly transmit or receive information); (iii)\n               possesses local, non-removable or removable data storage; and (iv) includes a\n               self-contained power source. Mobile devices may also include voice communication\n               capabilities, on-board sensors that allow the device to capture information, and/or\n               built-in features for synchronizing local data with remote locations. Examples\n               include smart phones, E-readers, and tablets. Mobile devices are typically associated\n               with a single individual and the device is usually in close proximity to the\n               individual; however, the degree of proximity can vary depending upon on the form\n               factor and size of the device. The processing, storage, and transmission capability\n               of the mobile device may be comparable to or merely a subset of desktop systems,\n               depending upon the nature and intended purpose of the device. Due to the large\n               variety of mobile devices with different technical characteristics and capabilities,\n               organizational restrictions may vary for the different classes/types of such devices.\n               Usage restrictions and specific implementation guidance for mobile devices include,\n               for example, configuration management, device identification and authentication,\n               implementation of mandatory protective software (e.g., malicious code detection,\n               firewall), scanning devices for malicious code, updating virus protection software,\n               scanning for critical software updates and patches, conducting primary operating\n               system (and possibly other resident software) integrity checks, and disabling\n               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the\n               need to provide adequate security for mobile devices goes beyond the requirements in\n               this control. Many safeguards and countermeasures for mobile devices are reflected in\n               other security controls in the catalog allocated in the initial control baselines as\n               starting points for the development of security plans and overlays using the\n               tailoring process. There may also be some degree of overlap in the requirements\n               articulated by the security controls within the different families of controls. AC-20\n               addresses mobile devices that are not organization-controlled.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-9",
-                    "rel": "related",
-                    "text": "CA-9"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-43",
-                    "rel": "related",
-                    "text": "SC-43"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-19_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-19.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-19(a)"
-                      }
-                    ],
-                    "prose": "establishes for organization-controlled mobile devices:",
-                    "parts": [
-                      {
-                        "id": "ac-19.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[1]"
-                          }
-                        ],
-                        "prose": "usage restrictions;"
-                      },
-                      {
-                        "id": "ac-19.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[2]"
-                          }
-                        ],
-                        "prose": "configuration/connection requirement;"
-                      },
-                      {
-                        "id": "ac-19.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[3]"
-                          }
-                        ],
-                        "prose": "implementation guidance; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-19.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-19(b)"
-                      }
-                    ],
-                    "prose": "authorizes the connection of mobile devices to organizational information\n                  systems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing access control for mobile device usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nauthorizations for mobile device connections to organizational information\n                  systems\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel using mobile devices to access organizational information\n                  systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control capability authorizing mobile device connections to organizational\n                  information systems"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-20",
-            "class": "SP800-53",
-            "title": "Use of External Information Systems",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-20"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-20"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-20_smt",
-                "name": "statement",
-                "prose": "The organization establishes terms and conditions, consistent with any trust\n               relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to:",
-                "parts": [
-                  {
-                    "id": "ac-20_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Access the information system from external information systems; and"
-                  },
-                  {
-                    "id": "ac-20_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Process, store, or transmit organization-controlled information using external\n                  information systems."
-                  }
-                ]
-              },
-              {
-                "id": "ac-20_gdn",
-                "name": "guidance",
-                "prose": "External information systems are information systems or components of information\n               systems that are outside of the authorization boundary established by organizations\n               and for which organizations typically have no direct supervision and authority over\n               the application of required security controls or the assessment of control\n               effectiveness. External information systems include, for example: (i) personally\n               owned information systems/devices (e.g., notebook computers, smart phones, tablets,\n               personal digital assistants); (ii) privately owned computing and communications\n               devices resident in commercial or public facilities (e.g., hotels, train stations,\n               convention centers, shopping malls, or airports); (iii) information systems owned or\n               controlled by nonfederal governmental organizations; and (iv) federal information\n               systems that are not owned by, operated by, or under the direct supervision and\n               authority of organizations. This control also addresses the use of external\n               information systems for the processing, storage, or transmission of organizational\n               information, including, for example, accessing cloud services (e.g., infrastructure\n               as a service, platform as a service, or software as a service) from organizational\n               information systems. For some external information systems (i.e., information systems\n               operated by other federal agencies, including organizations subordinate to those\n               agencies), the trust relationships that have been established between those\n               organizations and the originating organization may be such, that no explicit terms\n               and conditions are required. Information systems within these organizations would not\n               be considered external. These situations occur when, for example, there are\n               pre-existing sharing/trust agreements (either implicit or explicit) established\n               between federal agencies or organizations subordinate to those agencies, or when such\n               trust agreements are specified by applicable laws, Executive Orders, directives, or\n               policies. Authorized individuals include, for example, organizational personnel,\n               contractors, or other individuals with authorized access to organizational\n               information systems and over which organizations have the authority to impose rules\n               of behavior with regard to system access. Restrictions that organizations impose on\n               authorized individuals need not be uniform, as those restrictions may vary depending\n               upon the trust relationships between organizations. Therefore, organizations may\n               choose to impose different security restrictions on contractors than on state, local,\n               or tribal governments. This control does not apply to the use of external information\n               systems to access public interfaces to organizational information systems (e.g.,\n               individuals accessing federal information through www.usa.gov). Organizations\n               establish terms and conditions for the use of external information systems in\n               accordance with organizational security policies and procedures. Terms and conditions\n               address as a minimum: types of applications that can be accessed on organizational\n               information systems from external information systems; and the highest security\n               category of information that can be processed, stored, or transmitted on external\n               information systems. If terms and conditions with the owners of external information\n               systems cannot be established, organizations may impose restrictions on\n               organizational personnel using those external systems.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  }
-                ]
-              },
-              {
-                "id": "ac-20_obj",
-                "name": "objective",
-                "prose": "Determine if the organization establishes terms and conditions, consistent with any\n               trust relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to: ",
-                "parts": [
-                  {
-                    "id": "ac-20.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-20(a)"
-                      }
-                    ],
-                    "prose": "access the information system from the external information systems; and"
-                  },
-                  {
-                    "id": "ac-20.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-20(b)"
-                      }
-                    ],
-                    "prose": "process, store, or transmit organization-controlled information using external\n                  information systems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nexternal information systems terms and conditions\\n\\nlist of types of applications accessible from external information systems\\n\\nmaximum security categorization for information processed, stored, or transmitted\n                  on external information systems\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for defining terms and conditions\n                  for use of external information systems to access organizational systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing terms and conditions on use of external\n                  information systems"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-22",
-            "class": "SP800-53",
-            "title": "Publicly Accessible Content",
-            "parameters": [
-              {
-                "id": "ac-22_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least quarterly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-22"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-22"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-22_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-22_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Designates individuals authorized to post information onto a publicly accessible\n                  information system;"
-                  },
-                  {
-                    "id": "ac-22_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"
-                  },
-                  {
-                    "id": "ac-22_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included; and"
-                  },
-                  {
-                    "id": "ac-22_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Reviews the content on the publicly accessible information system for nonpublic\n                  information {{ ac-22_prm_1 }} and removes such information, if\n                  discovered."
-                  }
-                ]
-              },
-              {
-                "id": "ac-22_gdn",
-                "name": "guidance",
-                "prose": "In accordance with federal laws, Executive Orders, directives, policies, regulations,\n               standards, and/or guidance, the general public is not authorized access to nonpublic\n               information (e.g., information protected under the Privacy Act and proprietary\n               information). This control addresses information systems that are controlled by the\n               organization and accessible to the general public, typically without identification\n               or authentication. The posting of information on non-organization information systems\n               is covered by organizational policy.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#au-13",
-                    "rel": "related",
-                    "text": "AU-13"
-                  }
-                ]
-              },
-              {
-                "id": "ac-22_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ac-22.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(a)"
-                      }
-                    ],
-                    "prose": "designates individuals authorized to post information onto a publicly accessible\n                  information system;"
-                  },
-                  {
-                    "id": "ac-22.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(b)"
-                      }
-                    ],
-                    "prose": "trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"
-                  },
-                  {
-                    "id": "ac-22.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(c)"
-                      }
-                    ],
-                    "prose": "reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included;"
-                  },
-                  {
-                    "id": "ac-22.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-22(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-22.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the content on the publicly accessible\n                     information system for nonpublic information;"
-                      },
-                      {
-                        "id": "ac-22.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[2]"
-                          }
-                        ],
-                        "prose": "reviews the content on the publicly accessible information system for nonpublic\n                     information with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "ac-22.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[3]"
-                          }
-                        ],
-                        "prose": "removes nonpublic information from the publicly accessible information system,\n                     if discovered."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing publicly accessible content\\n\\nlist of users authorized to post publicly accessible content on organizational\n                  information systems\\n\\ntraining materials and/or records\\n\\nrecords of publicly accessible information reviews\\n\\nrecords of response to nonpublic information on public websites\\n\\nsystem audit logs\\n\\nsecurity awareness training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing publicly accessible\n                  information posted on organizational information systems\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing management of publicly accessible content"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "at",
-        "class": "family",
-        "title": "Awareness and Training",
-        "controls": [
-          {
-            "id": "at-1",
-            "class": "SP800-53",
-            "title": "Security Awareness and Training Policy and Procedures",
-            "parameters": [
-              {
-                "id": "at-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "at-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "at-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "at-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ at-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "at-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security awareness and training policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "at-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security awareness and\n                     training policy and associated security awareness and training controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "at-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security awareness and training policy {{ at-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "at-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security awareness and training procedures {{ at-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "at-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AT\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "at-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an security awareness and training policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "at-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "at-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the security awareness and training\n                        policy are to be disseminated;"
-                          },
-                          {
-                            "id": "at-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the security awareness and training policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        security awareness and training policy and associated awareness and training\n                        controls;"
-                          },
-                          {
-                            "id": "at-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "at-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security awareness\n                        and training policy;"
-                          },
-                          {
-                            "id": "at-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security awareness and training policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security awareness\n                        and training procedures; and"
-                          },
-                          {
-                            "id": "at-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security awareness and training procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security awareness and training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-2",
-            "class": "SP800-53",
-            "title": "Security Awareness Training",
-            "parameters": [
-              {
-                "id": "at-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bb61234b-46c3-4211-8c2b-9869222a720d",
-                "rel": "reference",
-                "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-              },
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-2_smt",
-                "name": "statement",
-                "prose": "The organization provides basic security awareness training to information system\n               users (including managers, senior executives, and contractors):",
-                "parts": [
-                  {
-                    "id": "at-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "As part of initial training for new users;"
-                  },
-                  {
-                    "id": "at-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "at-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ at-2_prm_1 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "at-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the appropriate content of security awareness training and\n               security awareness techniques based on the specific organizational requirements and\n               the information systems to which personnel have authorized access. The content\n               includes a basic understanding of the need for information security and user actions\n               to maintain security and to respond to suspected security incidents. The content also\n               addresses awareness of the need for operations security. Security awareness\n               techniques can include, for example, displaying posters, offering supplies inscribed\n               with security reminders, generating email advisories/notices from senior\n               organizational officials, displaying logon screen messages, and conducting\n               information security awareness events.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#at-4",
-                    "rel": "related",
-                    "text": "AT-4"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "at-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-2(a)"
-                      }
-                    ],
-                    "prose": "provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) as part of initial training for new\n                  users;"
-                  },
-                  {
-                    "id": "at-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-2(b)"
-                      }
-                    ],
-                    "prose": "provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) when required by information system\n                  changes; and"
-                  },
-                  {
-                    "id": "at-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher security awareness training\n                     thereafter to information system users (including managers, senior executives,\n                     and contractors); and"
-                      },
-                      {
-                        "id": "at-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-2(c)[2]"
-                          }
-                        ],
-                        "prose": "provides refresher security awareness training to information users (including\n                     managers, senior executives, and contractors) with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nappropriate codes of federal regulations\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for security awareness training\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel comprising the general information system user\n                  community"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms managing security awareness training"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-3",
-            "class": "SP800-53",
-            "title": "Role-based Security Training",
-            "parameters": [
-              {
-                "id": "at-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bb61234b-46c3-4211-8c2b-9869222a720d",
-                "rel": "reference",
-                "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-3_smt",
-                "name": "statement",
-                "prose": "The organization provides role-based security training to personnel with assigned\n               security roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "at-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Before authorizing access to the information system or performing assigned\n                  duties;"
-                  },
-                  {
-                    "id": "at-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "at-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ at-3_prm_1 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "at-3_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the appropriate content of security training based on the\n               assigned roles and responsibilities of individuals and the specific security\n               requirements of organizations and the information systems to which personnel have\n               authorized access. In addition, organizations provide enterprise architects,\n               information system developers, software developers, acquisition/procurement\n               officials, information system managers, system/network administrators, personnel\n               conducting configuration management and auditing activities, personnel performing\n               independent verification and validation activities, security control assessors, and\n               other personnel having access to system-level software, adequate security-related\n               technical training specifically tailored for their assigned duties. Comprehensive\n               role-based training addresses management, operational, and technical roles and\n               responsibilities covering physical, personnel, and technical safeguards and\n               countermeasures. Such training can include for example, policies, procedures, tools,\n               and artifacts for the organizational security roles defined. Organizations also\n               provide the training necessary for individuals to carry out their responsibilities\n               related to operations and supply chain security within the context of organizational\n               information security programs. Role-based security training also applies to\n               contractors providing services to federal agencies.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-4",
-                    "rel": "related",
-                    "text": "AT-4"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sa-16",
-                    "rel": "related",
-                    "text": "SA-16"
-                  }
-                ]
-              },
-              {
-                "id": "at-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-3(a)"
-                      }
-                    ],
-                    "prose": "provides role-based security training to personnel with assigned security roles\n                  and responsibilities before authorizing access to the information system or\n                  performing assigned duties;"
-                  },
-                  {
-                    "id": "at-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-3(b)"
-                      }
-                    ],
-                    "prose": "provides role-based security training to personnel with assigned security roles\n                  and responsibilities when required by information system changes; and"
-                  },
-                  {
-                    "id": "at-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher role-based security training\n                     thereafter to personnel with assigned security roles and responsibilities;\n                     and"
-                      },
-                      {
-                        "id": "at-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides refresher role-based security training to personnel with assigned\n                     security roles and responsibilities with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\ncodes of federal regulations\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for role-based security\n                  training\\n\\norganizational personnel with assigned information system security roles and\n                  responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms managing role-based security training"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-4",
-            "class": "SP800-53",
-            "title": "Security Training Records",
-            "parameters": [
-              {
-                "id": "at-4_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "At least one year"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "at-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Documents and monitors individual information system security training activities\n                  including basic security awareness training and specific information system\n                  security training; and"
-                  },
-                  {
-                    "id": "at-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains individual training records for {{ at-4_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "at-4_gdn",
-                "name": "guidance",
-                "prose": "Documentation for specialized training may be maintained by individual supervisors at\n               the option of the organization.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pm-14",
-                    "rel": "related",
-                    "text": "PM-14"
-                  }
-                ]
-              },
-              {
-                "id": "at-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(a)[1]"
-                          }
-                        ],
-                        "prose": "documents individual information system security training activities\n                     including:",
-                        "parts": [
-                          {
-                            "id": "at-4.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[1][a]"
-                              }
-                            ],
-                            "prose": "basic security awareness training;"
-                          },
-                          {
-                            "id": "at-4.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[1][b]"
-                              }
-                            ],
-                            "prose": "specific role-based information system security training;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors individual information system security training activities\n                     including:",
-                        "parts": [
-                          {
-                            "id": "at-4.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[2][a]"
-                              }
-                            ],
-                            "prose": "basic security awareness training;"
-                          },
-                          {
-                            "id": "at-4.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[2][b]"
-                              }
-                            ],
-                            "prose": "specific role-based information system security training;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-4(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period to retain individual training records; and"
-                      },
-                      {
-                        "id": "at-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(b)[2]"
-                          }
-                        ],
-                        "prose": "retains individual training records for the organization-defined time\n                     period."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security training records\\n\\nsecurity awareness and training records\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security training record retention\n                  responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting management of security training records"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "au",
-        "class": "family",
-        "title": "Audit and Accountability",
-        "controls": [
-          {
-            "id": "au-1",
-            "class": "SP800-53",
-            "title": "Audit and Accountability Policy and Procedures",
-            "parameters": [
-              {
-                "id": "au-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "au-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "au-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ au-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "au-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An audit and accountability policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "au-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the audit and accountability\n                     policy and associated audit and accountability controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "au-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Audit and accountability policy {{ au-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "au-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Audit and accountability procedures {{ au-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AU\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "au-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an audit and accountability policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "au-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "au-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the audit and accountability policy are\n                        to be disseminated;"
-                          },
-                          {
-                            "id": "au-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the audit and accountability policy to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        audit and accountability policy and associated audit and accountability\n                        controls;"
-                          },
-                          {
-                            "id": "au-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "au-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current audit and\n                        accountability policy;"
-                          },
-                          {
-                            "id": "au-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current audit and accountability policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current audit and\n                        accountability procedures; and"
-                          },
-                          {
-                            "id": "au-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current audit and accountability procedures in\n                        accordance with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-2",
-            "class": "SP800-53",
-            "title": "Audit Events",
-            "parameters": [
-              {
-                "id": "au-2_prm_1",
-                "label": "organization-defined auditable events",
-                "constraints": [
-                  {
-                    "detail": "Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"
-                  }
-                ]
-              },
-              {
-                "id": "au-2_prm_2",
-                "label": "organization-defined audited events (the subset of the auditable events defined\n               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each\n               identified event",
-                "constraints": [
-                  {
-                    "detail": "organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#672fd561-b92b-4713-b9cf-6c9d9456728b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-92"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines that the information system is capable of auditing the following\n                  events: {{ au-2_prm_1 }};"
-                  },
-                  {
-                    "id": "au-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"
-                  },
-                  {
-                    "id": "au-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents; and"
-                  },
-                  {
-                    "id": "au-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Determines that the following events are to be audited within the information\n                  system: {{ au-2_prm_2 }}."
-                  },
-                  {
-                    "id": "au-2_fr",
-                    "name": "item",
-                    "title": "AU-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-2_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-2_gdn",
-                "name": "guidance",
-                "prose": "An event is any observable occurrence in an organizational information system.\n               Organizations identify audit events as those events which are significant and\n               relevant to the security of information systems and the environments in which those\n               systems operate in order to meet specific and ongoing audit needs. Audit events can\n               include, for example, password changes, failed logons, or failed accesses related to\n               information systems, administrative privilege usage, PIV credential usage, or\n               third-party credential usage. In determining the set of auditable events,\n               organizations consider the auditing appropriate for each of the security controls to\n               be implemented. To balance auditing requirements with other information system needs,\n               this control also requires identifying that subset of auditable events that are\n               audited at a given point in time. For example, organizations may determine that\n               information systems must have the capability to log every file access both successful\n               and unsuccessful, but not activate that capability except for specific circumstances\n               due to the potential burden on system performance. Auditing requirements, including\n               the need for auditable events, may be referenced in other security controls and\n               control enhancements. Organizations also include auditable events that are required\n               by applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards. Audit records can be generated at various levels of abstraction, including\n               at the packet level as information traverses the network. Selecting the appropriate\n               level of abstraction is a critical aspect of an audit capability and can facilitate\n               the identification of root causes to problems. Organizations consider in the\n               definition of auditable events, the auditing necessary to cover related events such\n               as the steps in distributed, transaction-based processes (e.g., processes that are\n               distributed across multiple organizations) and actions that occur in service-oriented\n               architectures.",
-                "links": [
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "au-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the auditable events that the information system must be capable of\n                     auditing;"
-                      },
-                      {
-                        "id": "au-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(a)[2]"
-                          }
-                        ],
-                        "prose": "determines that the information system is capable of auditing\n                     organization-defined auditable events;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-2(b)"
-                      }
-                    ],
-                    "prose": "coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"
-                  },
-                  {
-                    "id": "au-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-2(c)"
-                      }
-                    ],
-                    "prose": "provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents;"
-                  },
-                  {
-                    "id": "au-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines the subset of auditable events defined in AU-2a that are to be audited\n                     within the information system;"
-                      },
-                      {
-                        "id": "au-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[2]"
-                          }
-                        ],
-                        "prose": "determines that the subset of auditable events defined in AU-2a are to be\n                     audited within the information system; and"
-                      },
-                      {
-                        "id": "au-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[3]"
-                          }
-                        ],
-                        "prose": "determines the frequency of (or situation requiring) auditing for each\n                     identified event."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system auditable events\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system auditing"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-3",
-            "class": "SP800-53",
-            "title": "Content of Audit Records",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-3_smt",
-                "name": "statement",
-                "prose": "The information system generates audit records containing information that\n               establishes what type of event occurred, when the event occurred, where the event\n               occurred, the source of the event, the outcome of the event, and the identity of any\n               individuals or subjects associated with the event."
-              },
-              {
-                "id": "au-3_gdn",
-                "name": "guidance",
-                "prose": "Audit record content that may be necessary to satisfy the requirement of this\n               control, includes, for example, time stamps, source and destination addresses,\n               user/process identifiers, event descriptions, success/fail indications, filenames\n               involved, and access control or flow control rules invoked. Event outcomes can\n               include indicators of event success or failure and event-specific results (e.g., the\n               security state of the information system after the event occurred).",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-8",
-                    "rel": "related",
-                    "text": "AU-8"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#si-11",
-                    "rel": "related",
-                    "text": "SI-11"
-                  }
-                ]
-              },
-              {
-                "id": "au-3_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system generates audit records containing information\n               that establishes: ",
-                "parts": [
-                  {
-                    "id": "au-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[1]"
-                      }
-                    ],
-                    "prose": "what type of event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[2]"
-                      }
-                    ],
-                    "prose": "when the event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[3]"
-                      }
-                    ],
-                    "prose": "where the event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[4]"
-                      }
-                    ],
-                    "prose": "the source of the event;"
-                  },
-                  {
-                    "id": "au-3_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[5]"
-                      }
-                    ],
-                    "prose": "the outcome of the event; and"
-                  },
-                  {
-                    "id": "au-3_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[6]"
-                      }
-                    ],
-                    "prose": "the identity of any individuals or subjects associated with the event."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system auditing of auditable\n                  events"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-4",
-            "class": "SP800-53",
-            "title": "Audit Storage Capacity",
-            "parameters": [
-              {
-                "id": "au-4_prm_1",
-                "label": "organization-defined audit record storage requirements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-4_smt",
-                "name": "statement",
-                "prose": "The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}."
-              },
-              {
-                "id": "au-4_gdn",
-                "name": "guidance",
-                "prose": "Organizations consider the types of auditing to be performed and the audit processing\n               requirements when allocating audit storage capacity. Allocating sufficient audit\n               storage capacity reduces the likelihood of such capacity being exceeded and resulting\n               in the potential loss or reduction of auditing capability.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-11",
-                    "rel": "related",
-                    "text": "AU-11"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "au-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-4_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-4[1]"
-                      }
-                    ],
-                    "prose": "defines audit record storage requirements; and"
-                  },
-                  {
-                    "id": "au-4_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-4[2]"
-                      }
-                    ],
-                    "prose": "allocates audit record storage capacity in accordance with the\n                  organization-defined audit record storage requirements."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit storage capacity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit record storage requirements\\n\\naudit record storage capability for information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit record storage capacity and related configuration settings"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-5",
-            "class": "SP800-53",
-            "title": "Response to Audit Processing Failures",
-            "parameters": [
-              {
-                "id": "au-5_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "au-5_prm_2",
-                "label": "organization-defined actions to be taken (e.g., shut down information system,\n               overwrite oldest audit records, stop generating audit records)",
-                "constraints": [
-                  {
-                    "detail": "organization-defined actions to be taken (overwrite oldest record)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-5_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Alerts {{ au-5_prm_1 }} in the event of an audit processing\n                  failure; and"
-                  },
-                  {
-                    "id": "au-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Takes the following additional actions: {{ au-5_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-5_gdn",
-                "name": "guidance",
-                "prose": "Audit processing failures include, for example, software/hardware errors, failures in\n               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n               Organizations may choose to define additional actions for different audit processing\n               failures (e.g., by type, by location, by severity, or a combination of such factors).\n               This control applies to each audit data storage repository (i.e., distinct\n               information system component where audit records are stored), the total audit storage\n               capacity of organizations (i.e., all audit data storage repositories combined), or\n               both.",
-                "links": [
-                  {
-                    "href": "#au-4",
-                    "rel": "related",
-                    "text": "AU-4"
-                  },
-                  {
-                    "href": "#si-12",
-                    "rel": "related",
-                    "text": "SI-12"
-                  }
-                ]
-              },
-              {
-                "id": "au-5_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the personnel or roles to be alerted in the event of\n                     an audit processing failure;"
-                      },
-                      {
-                        "id": "au-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system alerts the organization-defined personnel or roles in\n                     the event of an audit processing failure;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines additional actions to be taken (e.g., shutdown\n                     information system, overwrite oldest audit records, stop generating audit\n                     records) in the event of an audit processing failure; and"
-                      },
-                      {
-                        "id": "au-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system takes the additional organization-defined actions in the\n                     event of an audit processing failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of personnel to be notified in case of an audit processing failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system response to audit processing\n                  failures"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-6",
-            "class": "SP800-53",
-            "title": "Audit Review, Analysis, and Reporting",
-            "parameters": [
-              {
-                "id": "au-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least weekly"
-                  }
-                ]
-              },
-              {
-                "id": "au-6_prm_2",
-                "label": "organization-defined inappropriate or unusual activity"
-              },
-              {
-                "id": "au-6_prm_3",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};\n                  and"
-                  },
-                  {
-                    "id": "au-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reports findings to {{ au-6_prm_3 }}."
-                  },
-                  {
-                    "id": "au-6_fr",
-                    "name": "item",
-                    "title": "AU-6 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6_gdn",
-                "name": "guidance",
-                "prose": "Audit review, analysis, and reporting covers information security-related auditing\n               performed by organizations including, for example, auditing that results from\n               monitoring of account usage, remote access, wireless connectivity, mobile device\n               connection, configuration settings, system component inventory, use of maintenance\n               tools and nonlocal maintenance, physical access, temperature and humidity, equipment\n               delivery and removal, communications at the information system boundaries, use of\n               mobile code, and use of VoIP. Findings can be reported to organizational entities\n               that include, for example, incident response team, help desk, information security\n               group/department. If organizations are prohibited from reviewing and analyzing audit\n               information or unable to conduct such activities (e.g., in certain national security\n               applications or systems), the review/analysis may be carried out by other\n               organizations granted such authority.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-16",
-                    "rel": "related",
-                    "text": "AU-16"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-10",
-                    "rel": "related",
-                    "text": "CM-10"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ir-5",
-                    "rel": "related",
-                    "text": "IR-5"
-                  },
-                  {
-                    "href": "#ir-6",
-                    "rel": "related",
-                    "text": "IR-6"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#pe-14",
-                    "rel": "related",
-                    "text": "PE-14"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-18",
-                    "rel": "related",
-                    "text": "SC-18"
-                  },
-                  {
-                    "href": "#sc-19",
-                    "rel": "related",
-                    "text": "SC-19"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "au-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the types of inappropriate or unusual activity to look for when\n                     information system audit records are reviewed and analyzed;"
-                      },
-                      {
-                        "id": "au-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and analyze information system audit records\n                     for indications of organization-defined inappropriate or unusual activity;"
-                      },
-                      {
-                        "id": "au-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[3]"
-                          }
-                        ],
-                        "prose": "reviews and analyzes information system audit records for indications of\n                     organization-defined inappropriate or unusual activity with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom findings resulting from reviews and analysis\n                     of information system audit records are to be reported; and"
-                      },
-                      {
-                        "id": "au-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reports findings to organization-defined personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nreports of audit findings\\n\\nrecords of actions taken in response to reviews/analyses of audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit review, analysis, and reporting\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-8",
-            "class": "SP800-53",
-            "title": "Time Stamps",
-            "parameters": [
-              {
-                "id": "au-8_prm_1",
-                "label": "organization-defined granularity of time measurement"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-8_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Uses internal system clocks to generate time stamps for audit records; and"
-                  },
-                  {
-                    "id": "au-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Records time stamps for audit records that can be mapped to Coordinated Universal\n                  Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-8_gdn",
-                "name": "guidance",
-                "prose": "Time stamps generated by the information system include date and time. Time is\n               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of\n               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time\n               measurements refers to the degree of synchronization between information system\n               clocks and reference clocks, for example, clocks synchronizing within hundreds of\n               milliseconds or within tens of milliseconds. Organizations may define different time\n               granularities for different system components. Time service can also be critical to\n               other security capabilities such as access control and identification and\n               authentication, depending on the nature of the mechanisms used to support those\n               capabilities.",
-                "links": [
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  }
-                ]
-              },
-              {
-                "id": "au-8_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-8(a)"
-                      }
-                    ],
-                    "prose": "the information system uses internal system clocks to generate time stamps for\n                  audit records;"
-                  },
-                  {
-                    "id": "au-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[1]"
-                          }
-                        ],
-                        "prose": "the information system records time stamps for audit records that can be mapped\n                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"
-                      },
-                      {
-                        "id": "au-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the granularity of time measurement to be met when\n                     recording time stamps for audit records; and"
-                      },
-                      {
-                        "id": "au-8.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[3]"
-                          }
-                        ],
-                        "prose": "the organization records time stamps for audit records that meet the\n                     organization-defined granularity of time measurement."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing time stamp generation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-9",
-            "class": "SP800-53",
-            "title": "Protection of Audit Information",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-9_smt",
-                "name": "statement",
-                "prose": "The information system protects audit information and audit tools from unauthorized\n               access, modification, and deletion."
-              },
-              {
-                "id": "au-9_gdn",
-                "name": "guidance",
-                "prose": "Audit information includes all information (e.g., audit records, audit settings, and\n               audit reports) needed to successfully audit information system activity. This control\n               focuses on technical protection of audit information. Physical protection of audit\n               information is addressed by media protection controls and physical and environmental\n               protection controls.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-9_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "au-9_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-9[1]"
-                      }
-                    ],
-                    "prose": "the information system protects audit information from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "au-9_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][a]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "au-9_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][b]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      },
-                      {
-                        "id": "au-9_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][c]"
-                          }
-                        ],
-                        "prose": "deletion;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-9[2]"
-                      }
-                    ],
-                    "prose": "the information system protects audit tools from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "au-9_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][a]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "au-9_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][b]"
-                          }
-                        ],
-                        "prose": "modification; and"
-                      },
-                      {
-                        "id": "au-9_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][c]"
-                          }
-                        ],
-                        "prose": "deletion."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                  information system audit records\\n\\naudit tools\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing audit information protection"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-11",
-            "class": "SP800-53",
-            "title": "Audit Record Retention",
-            "parameters": [
-              {
-                "id": "au-11_prm_1",
-                "label": "organization-defined time period consistent with records retention policy",
-                "constraints": [
-                  {
-                    "detail": "at least ninety days"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-11_smt",
-                "name": "statement",
-                "prose": "The organization retains audit records for {{ au-11_prm_1 }} to\n               provide support for after-the-fact investigations of security incidents and to meet\n               regulatory and organizational information retention requirements.",
-                "parts": [
-                  {
-                    "id": "au-11_fr",
-                    "name": "item",
-                    "title": "AU-11 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-11_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-11_gdn",
-                "name": "guidance",
-                "prose": "Organizations retain audit records until it is determined that they are no longer\n               needed for administrative, legal, audit, or other operational purposes. This\n               includes, for example, retention and availability of audit records relative to\n               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.\n               Organizations develop standard categories of audit records relative to such types of\n               actions and standard response processes for each type of action. The National\n               Archives and Records Administration (NARA) General Records Schedules provide federal\n               policy on record retention.",
-                "links": [
-                  {
-                    "href": "#au-4",
-                    "rel": "related",
-                    "text": "AU-4"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-11_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-11[1]"
-                      }
-                    ],
-                    "prose": "defines a time period to retain audit records that is consistent with records\n                  retention policy;"
-                  },
-                  {
-                    "id": "au-11_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-11[2]"
-                      }
-                    ],
-                    "prose": "retains audit records for the organization-defined time period consistent with\n                  records retention policy to:",
-                    "parts": [
-                      {
-                        "id": "au-11_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-11[2][a]"
-                          }
-                        ],
-                        "prose": "provide support for after-the-fact investigations of security incidents;\n                     and"
-                      },
-                      {
-                        "id": "au-11_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-11[2][b]"
-                          }
-                        ],
-                        "prose": "meet regulatory and organizational information retention requirements."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\naudit record retention policy and procedures\\n\\nsecurity plan\\n\\norganization-defined retention period for audit records\\n\\naudit record archives\\n\\naudit logs\\n\\naudit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit record retention responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-12",
-            "class": "SP800-53",
-            "title": "Audit Generation",
-            "parameters": [
-              {
-                "id": "au-12_prm_1",
-                "label": "organization-defined information system components",
-                "constraints": [
-                  {
-                    "detail": "all information system and network components where audit capability is deployed/available"
-                  }
-                ]
-              },
-              {
-                "id": "au-12_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-12_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-12_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides audit record generation capability for the auditable events defined in\n                  AU-2 a. at {{ au-12_prm_1 }};"
-                  },
-                  {
-                    "id": "au-12_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Allows {{ au-12_prm_2 }} to select which auditable events are to be\n                  audited by specific components of the information system; and"
-                  },
-                  {
-                    "id": "au-12_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Generates audit records for the events defined in AU-2 d. with the content defined\n                  in AU-3."
-                  }
-                ]
-              },
-              {
-                "id": "au-12_gdn",
-                "name": "guidance",
-                "prose": "Audit records can be generated from many different information system components. The\n               list of audited events is the set of events for which audits are to be generated.\n               These events are typically a subset of all events for which the information system is\n               capable of generating audit records.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  }
-                ]
-              },
-              {
-                "id": "au-12_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-12.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-12.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the information system components which are to provide\n                     audit record generation capability for the auditable events defined in\n                     AU-2a;"
-                      },
-                      {
-                        "id": "au-12.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system provides audit record generation capability, for the\n                     auditable events defined in AU-2a, at organization-defined information system\n                     components;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-12.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the personnel or roles allowed to select which\n                     auditable events are to be audited by specific components of the information\n                     system;"
-                      },
-                      {
-                        "id": "au-12.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system allows the organization-defined personnel or roles to\n                     select which auditable events are to be audited by specific components of the\n                     system; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-12(c)"
-                      }
-                    ],
-                    "prose": "the information system generates audit records for the events defined in AU-2d\n                  with the content in defined in AU-3."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing audit record generation capability"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ca",
-        "class": "family",
-        "title": "Security Assessment and Authorization",
-        "controls": [
-          {
-            "id": "ca-1",
-            "class": "SP800-53",
-            "title": "Security Assessment and Authorization Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ca-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ca-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ca-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ca-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security assessment and authorization policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "ca-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security assessment and\n                     authorization policy and associated security assessment and authorization\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ca-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security assessment and authorization policy {{ ca-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "ca-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security assessment and authorization procedures {{ ca-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a security assessment and authorization policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "ca-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ca-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the security assessment and authorization\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "ca-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the security assessment and authorization policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        security assessment and authorization policy and associated assessment and\n                        authorization controls;"
-                          },
-                          {
-                            "id": "ca-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ca-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security assessment\n                        and authorization policy;"
-                          },
-                          {
-                            "id": "ca-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security assessment and authorization policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security assessment\n                        and authorization procedures; and"
-                          },
-                          {
-                            "id": "ca-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security assessment and authorization\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment and authorization\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-2",
-            "class": "SP800-53",
-            "title": "Security Assessments",
-            "parameters": [
-              {
-                "id": "ca-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_prm_2",
-                "label": "organization-defined individuals or roles",
-                "constraints": [
-                  {
-                    "detail": "individuals or roles to include FedRAMP PMO"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a security assessment plan that describes the scope of the assessment\n                  including:",
-                    "parts": [
-                      {
-                        "id": "ca-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security controls and control enhancements under assessment;"
-                      },
-                      {
-                        "id": "ca-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Assessment procedures to be used to determine security control effectiveness;\n                     and"
-                      },
-                      {
-                        "id": "ca-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Assessment environment, assessment team, and assessment roles and\n                     responsibilities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assesses the security controls in the information system and its environment of\n                  operation {{ ca-2_prm_1 }} to determine the extent to which the\n                  controls are implemented correctly, operating as intended, and producing the\n                  desired outcome with respect to meeting established security requirements;"
-                  },
-                  {
-                    "id": "ca-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Produces a security assessment report that documents the results of the\n                  assessment; and"
-                  },
-                  {
-                    "id": "ca-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Provides the results of the security control assessment to {{ ca-2_prm_2 }}."
-                  },
-                  {
-                    "id": "ca-2_fr",
-                    "name": "item",
-                    "title": "CA-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-2_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations assess security controls in organizational information systems and the\n               environments in which those systems operate as part of: (i) initial and ongoing\n               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;\n               and (iv) system development life cycle activities. Security assessments: (i) ensure\n               that information security is built into organizational information systems; (ii)\n               identify weaknesses and deficiencies early in the development process; (iii) provide\n               essential information needed to make risk-based decisions as part of security\n               authorization processes; and (iv) ensure compliance to vulnerability mitigation\n               procedures. Assessments are conducted on the implemented security controls from\n               Appendix F (main catalog) and Appendix G (Program Management controls) as documented\n               in System Security Plans and Information Security Program Plans. Organizations can\n               use other types of assessment activities such as vulnerability scanning and system\n               monitoring to maintain the security posture of information systems during the entire\n               life cycle. Security assessment reports document assessment results in sufficient\n               detail as deemed necessary by organizations, to determine the accuracy and\n               completeness of the reports and whether the security controls are implemented\n               correctly, operating as intended, and producing the desired outcome with respect to\n               meeting security requirements. The FISMA requirement for assessing security controls\n               at least annually does not require additional assessment activities to those\n               activities already in place in organizational security authorization processes.\n               Security assessment results are provided to the individuals or roles appropriate for\n               the types of assessments being conducted. For example, assessments conducted in\n               support of security authorization decisions are provided to authorizing officials or\n               authorizing official designated representatives. To satisfy annual assessment\n               requirements, organizations can use assessment results from the following sources:\n               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;\n               or (iii) system development life cycle activities. Organizations ensure that security\n               assessment results are current, relevant to the determination of security control\n               effectiveness, and obtained with the appropriate level of assessor independence.\n               Existing security control assessment results can be reused to the extent that the\n               results are still valid and can also be supplemented with additional assessments as\n               needed. Subsequent to initial authorizations and in accordance with OMB policy,\n               organizations assess security controls during continuous monitoring. Organizations\n               establish the frequency for ongoing security control assessments in accordance with\n               organizational continuous monitoring strategies. Information Assurance Vulnerability\n               Alerts provide useful examples of vulnerability mitigation procedures. External\n               audits (e.g., audits by external entities such as regulatory agencies) are outside\n               the scope of this control.",
-                "links": [
-                  {
-                    "href": "#ca-5",
-                    "rel": "related",
-                    "text": "CA-5"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-2(a)"
-                      }
-                    ],
-                    "prose": "develops a security assessment plan that describes the scope of the assessment\n                  including:",
-                    "parts": [
-                      {
-                        "id": "ca-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(1)"
-                          }
-                        ],
-                        "prose": "security controls and control enhancements under assessment;"
-                      },
-                      {
-                        "id": "ca-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(2)"
-                          }
-                        ],
-                        "prose": "assessment procedures to be used to determine security control\n                     effectiveness;"
-                      },
-                      {
-                        "id": "ca-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-2.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "assessment environment;"
-                          },
-                          {
-                            "id": "ca-2.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "assessment team;"
-                          },
-                          {
-                            "id": "ca-2.a.3_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[3]"
-                              }
-                            ],
-                            "prose": "assessment roles and responsibilities;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to assess the security controls in the information system\n                     and its environment of operation;"
-                      },
-                      {
-                        "id": "ca-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "assesses the security controls in the information system with the\n                     organization-defined frequency to determine the extent to which the controls\n                     are implemented correctly, operating as intended, and producing the desired\n                     outcome with respect to meeting established security requirements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-2(c)"
-                      }
-                    ],
-                    "prose": "produces a security assessment report that documents the results of the\n                  assessment;"
-                  },
-                  {
-                    "id": "ca-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines individuals or roles to whom the results of the security control\n                     assessment are to be provided; and"
-                      },
-                      {
-                        "id": "ca-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(d)[2]"
-                          }
-                        ],
-                        "prose": "provides the results of the security control assessment to organization-defined\n                     individuals or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessment planning\\n\\nprocedures addressing security assessments\\n\\nsecurity assessment plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting security assessment, security assessment plan\n                  development, and/or security assessment reporting"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Independent Assessors",
-                "parameters": [
-                  {
-                    "id": "ca-2.1_prm_1",
-                    "label": "organization-defined level of independence"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.",
-                    "parts": [
-                      {
-                        "id": "ca-2.1_fr",
-                        "name": "item",
-                        "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-2.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "Independent assessors or assessment teams are individuals or groups who conduct\n                  impartial assessments of organizational information systems. Impartiality implies\n                  that assessors are free from any perceived or actual conflicts of interest with\n                  regard to the development, operation, or management of the organizational\n                  information systems under assessment or to the determination of security control\n                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual\n                  or conflicting interest with the organizations where the assessments are being\n                  conducted; (ii) assess their own work; (iii) act as management or employees of the\n                  organizations they are serving; or (iv) place themselves in positions of advocacy\n                  for the organizations acquiring their services. Independent assessments can be\n                  obtained from elements within organizations or can be contracted to public or\n                  private sector entities outside of organizations. Authorizing officials determine\n                  the required level of independence based on the security categories of information\n                  systems and/or the ultimate risk to organizational operations, organizational\n                  assets, or individuals. Authorizing officials also determine if the level of\n                  assessor independence provides sufficient assurance that the results are sound and\n                  can be used to make credible, risk-based decisions. This includes determining\n                  whether contracted security assessment services have sufficient independence, for\n                  example, when information system owners are not directly involved in contracting\n                  processes or cannot unduly influence the impartiality of assessors conducting\n                  assessments. In special situations, for example, when organizations that own the\n                  information systems are small or organizational structures require that\n                  assessments are conducted by individuals that are in the developmental,\n                  operational, or management chain of system owners, independence in assessment\n                  processes can be achieved by ensuring that assessment results are carefully\n                  reviewed and analyzed by independent teams of experts to validate the\n                  completeness, accuracy, integrity, and reliability of the results. Organizations\n                  recognize that assessments performed for purposes other than direct support to\n                  authorization decisions are, when performed by assessors with sufficient\n                  independence, more likely to be useable for such decisions, thereby reducing the\n                  need to repeat assessments."
-                  },
-                  {
-                    "id": "ca-2.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-2.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(1)[1]"
-                          }
-                        ],
-                        "prose": "defines the level of independence to be employed to conduct security control\n                     assessments; and"
-                      },
-                      {
-                        "id": "ca-2.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(1)[2]"
-                          }
-                        ],
-                        "prose": "employs assessors or assessment teams with the organization-defined level of\n                     independence to conduct security control assessments."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity authorization package (including security plan, security assessment\n                     plan, security assessment report, plan of action and milestones, authorization\n                     statement)\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-3",
-            "class": "SP800-53",
-            "title": "System Interconnections",
-            "parameters": [
-              {
-                "id": "ca-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually and on input from FedRAMP"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#2711f068-734e-4afd-94ba-0b22247fbc88",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-47"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"
-                  },
-                  {
-                    "id": "ca-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents, for each interconnection, the interface characteristics, security\n                  requirements, and the nature of the information communicated; and"
-                  },
-                  {
-                    "id": "ca-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ca-3_gdn",
-                "name": "guidance",
-                "prose": "This control applies to dedicated connections between information systems (i.e.,\n               system interconnections) and does not apply to transitory, user-controlled\n               connections such as email and website browsing. Organizations carefully consider the\n               risks that may be introduced when information systems are connected to other systems\n               with different security requirements and security controls, both within organizations\n               and external to organizations. Authorizing officials determine the risk associated\n               with information system connections and the appropriate controls employed. If\n               interconnecting systems have the same authorizing official, organizations do not need\n               to develop Interconnection Security Agreements. Instead, organizations can describe\n               the interface characteristics between those interconnecting systems in their\n               respective security plans. If interconnecting systems have different authorizing\n               officials within the same organization, organizations can either develop\n               Interconnection Security Agreements or describe the interface characteristics between\n               systems in the security plans for the respective systems. Organizations may also\n               incorporate Interconnection Security Agreement information into formal contracts,\n               especially for interconnections established between federal agencies and nonfederal\n               (i.e., private sector) organizations. Risk considerations also include information\n               systems sharing the same networks. For certain technologies (e.g., space, unmanned\n               aerial vehicles, and medical devices), there may be specialized connections in place\n               during preoperational testing. Such connections may require Interconnection Security\n               Agreements and be subject to additional security controls.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#au-16",
-                    "rel": "related",
-                    "text": "AU-16"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-3(a)"
-                      }
-                    ],
-                    "prose": "authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"
-                  },
-                  {
-                    "id": "ca-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-3(b)"
-                      }
-                    ],
-                    "prose": "documents, for each interconnection:",
-                    "parts": [
-                      {
-                        "id": "ca-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[1]"
-                          }
-                        ],
-                        "prose": "the interface characteristics;"
-                      },
-                      {
-                        "id": "ca-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[2]"
-                          }
-                        ],
-                        "prose": "the security requirements;"
-                      },
-                      {
-                        "id": "ca-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[3]"
-                          }
-                        ],
-                        "prose": "the nature of the information communicated;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update Interconnection Security Agreements;\n                     and"
-                      },
-                      {
-                        "id": "ca-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates Interconnection Security Agreements with the\n                     organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system Interconnection Security Agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for developing, implementing, or\n                  approving information system interconnection agreements\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing the system(s) to which the Interconnection Security Agreement\n                  applies"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-5",
-            "class": "SP800-53",
-            "title": "Plan of Action and Milestones",
-            "parameters": [
-              {
-                "id": "ca-5_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#2c5884cd-7b96-425c-862a-99877e1cf909",
-                "rel": "reference",
-                "text": "OMB Memorandum 02-01"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a plan of action and milestones for the information system to document\n                  the organization’s planned remedial actions to correct weaknesses or deficiencies\n                  noted during the assessment of the security controls and to reduce or eliminate\n                  known vulnerabilities in the system; and"
-                  },
-                  {
-                    "id": "ca-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates existing plan of action and milestones {{ ca-5_prm_1 }}\n                  based on the findings from security controls assessments, security impact\n                  analyses, and continuous monitoring activities."
-                  },
-                  {
-                    "id": "ca-5_fr",
-                    "name": "item",
-                    "title": "CA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-5_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Plan of Action & Milestones (POA&M) must be provided at least monthly."
-                      },
-                      {
-                        "id": "ca-5_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-5_gdn",
-                "name": "guidance",
-                "prose": "Plans of action and milestones are key documents in security authorization packages\n               and are subject to federal reporting requirements established by OMB.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#pm-4",
-                    "rel": "related",
-                    "text": "PM-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-5(a)"
-                      }
-                    ],
-                    "prose": "develops a plan of action and milestones for the information system to:",
-                    "parts": [
-                      {
-                        "id": "ca-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "document the organization’s planned remedial actions to correct weaknesses or\n                     deficiencies noted during the assessment of the security controls;"
-                      },
-                      {
-                        "id": "ca-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "reduce or eliminate known vulnerabilities in the system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-5(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the existing plan of action and milestones;"
-                      },
-                      {
-                        "id": "ca-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-5(b)[2]"
-                          }
-                        ],
-                        "prose": "updates the existing plan of action and milestones with the\n                     organization-defined frequency based on the findings from:",
-                        "parts": [
-                          {
-                            "id": "ca-5.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][a]"
-                              }
-                            ],
-                            "prose": "security controls assessments;"
-                          },
-                          {
-                            "id": "ca-5.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][b]"
-                              }
-                            ],
-                            "prose": "security impact analyses; and"
-                          },
-                          {
-                            "id": "ca-5.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][c]"
-                              }
-                            ],
-                            "prose": "continuous monitoring activities."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing plan of action and milestones\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with plan of action and milestones development and\n                  implementation responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms for developing, implementing, and maintaining plan of action\n                  and milestones"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-6",
-            "class": "SP800-53",
-            "title": "Security Authorization",
-            "parameters": [
-              {
-                "id": "ca-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three years or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab",
-                "rel": "reference",
-                "text": "OMB Circular A-130"
-              },
-              {
-                "href": "#bedb15b7-ec5c-4a68-807f-385125751fcd",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-33"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"
-                  },
-                  {
-                    "id": "ca-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations; and"
-                  },
-                  {
-                    "id": "ca-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Updates the security authorization {{ ca-6_prm_1 }}."
-                  },
-                  {
-                    "id": "ca-6_fr",
-                    "name": "item",
-                    "title": "CA-6(c) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-6_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_gdn",
-                "name": "guidance",
-                "prose": "Security authorizations are official management decisions, conveyed through\n               authorization decision documents, by senior organizational officials or executives\n               (i.e., authorizing officials) to authorize operation of information systems and to\n               explicitly accept the risk to organizational operations and assets, individuals,\n               other organizations, and the Nation based on the implementation of agreed-upon\n               security controls. Authorizing officials provide budgetary oversight for\n               organizational information systems or assume responsibility for the mission/business\n               operations supported by those systems. The security authorization process is an\n               inherently federal responsibility and therefore, authorizing officials must be\n               federal employees. Through the security authorization process, authorizing officials\n               assume responsibility and are accountable for security risks associated with the\n               operation and use of organizational information systems. Accordingly, authorizing\n               officials are in positions with levels of authority commensurate with understanding\n               and accepting such information security-related risks. OMB policy requires that\n               organizations conduct ongoing authorizations of information systems by implementing\n               continuous monitoring programs. Continuous monitoring programs can satisfy three-year\n               reauthorization requirements, so separate reauthorization processes are not\n               necessary. Through the employment of comprehensive continuous monitoring processes,\n               critical information contained in authorization packages (i.e., security plans,\n               security assessment reports, and plans of action and milestones) is updated on an\n               ongoing basis, providing authorizing officials and information system owners with an\n               up-to-date status of the security state of organizational information systems and\n               environments of operation. To reduce the administrative cost of security\n               reauthorization, authorizing officials use the results of continuous monitoring\n               processes to the maximum extent possible as the basis for rendering reauthorization\n               decisions.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#pm-10",
-                    "rel": "related",
-                    "text": "PM-10"
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-6(a)"
-                      }
-                    ],
-                    "prose": "assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"
-                  },
-                  {
-                    "id": "ca-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-6(b)"
-                      }
-                    ],
-                    "prose": "ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations;"
-                  },
-                  {
-                    "id": "ca-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-6(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the security authorization; and"
-                      },
-                      {
-                        "id": "ca-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-6(c)[2]"
-                          }
-                        ],
-                        "prose": "updates the security authorization with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security authorization\\n\\nsecurity authorization package (including security plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\nauthorization statement)\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security authorization responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms that facilitate security authorizations and updates"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-7",
-            "class": "SP800-53",
-            "title": "Continuous Monitoring",
-            "parameters": [
-              {
-                "id": "ca-7_prm_1",
-                "label": "organization-defined metrics"
-              },
-              {
-                "id": "ca-7_prm_2",
-                "label": "organization-defined frequencies"
-              },
-              {
-                "id": "ca-7_prm_3",
-                "label": "organization-defined frequencies"
-              },
-              {
-                "id": "ca-7_prm_4",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_prm_5",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bedb15b7-ec5c-4a68-807f-385125751fcd",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-33"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              },
-              {
-                "href": "#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb",
-                "rel": "reference",
-                "text": "US-CERT Technical Cyber Security Alerts"
-              },
-              {
-                "href": "#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b",
-                "rel": "reference",
-                "text": "DoD Information Assurance Vulnerability Alerts"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-7_smt",
-                "name": "statement",
-                "prose": "The organization develops a continuous monitoring strategy and implements a\n               continuous monitoring program that includes:",
-                "parts": [
-                  {
-                    "id": "ca-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishment of {{ ca-7_prm_1 }} to be monitored;"
-                  },
-                  {
-                    "id": "ca-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;"
-                  },
-                  {
-                    "id": "ca-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ongoing security control assessments in accordance with the organizational\n                  continuous monitoring strategy;"
-                  },
-                  {
-                    "id": "ca-7_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Ongoing security status monitoring of organization-defined metrics in accordance\n                  with the organizational continuous monitoring strategy;"
-                  },
-                  {
-                    "id": "ca-7_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Correlation and analysis of security-related information generated by assessments\n                  and monitoring;"
-                  },
-                  {
-                    "id": "ca-7_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Response actions to address results of the analysis of security-related\n                  information; and"
-                  },
-                  {
-                    "id": "ca-7_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Reporting the security status of organization and the information system to\n                     {{ ca-7_prm_4 }}\n                  {{ ca-7_prm_5 }}."
-                  },
-                  {
-                    "id": "ca-7_fr",
-                    "name": "item",
-                    "title": "CA-7 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-7_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."
-                      },
-                      {
-                        "id": "ca-7_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."
-                      },
-                      {
-                        "id": "ca-7_fr_gdn.2",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_gdn",
-                "name": "guidance",
-                "prose": "Continuous monitoring programs facilitate ongoing awareness of threats,\n               vulnerabilities, and information security to support organizational risk management\n               decisions. The terms continuous and ongoing imply that organizations assess/analyze\n               security controls and information security-related risks at a frequency sufficient to\n               support organizational risk-based decisions. The results of continuous monitoring\n               programs generate appropriate risk response actions by organizations. Continuous\n               monitoring programs also allow organizations to maintain the security authorizations\n               of information systems and common controls over time in highly dynamic environments\n               of operation with changing mission/business needs, threats, vulnerabilities, and\n               technologies. Having access to security-related information on a continuing basis\n               through reports/dashboards gives organizational officials the capability to make more\n               effective and timely risk management decisions, including ongoing security\n               authorization decisions. Automation supports more frequent updates to security\n               authorization packages, hardware/software/firmware inventories, and other system\n               information. Effectiveness is further enhanced when continuous monitoring outputs are\n               formatted to provide information that is specific, measurable, actionable, relevant,\n               and timely. Continuous monitoring activities are scaled in accordance with the\n               security categories of information systems.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-5",
-                    "rel": "related",
-                    "text": "CA-5"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#pm-6",
-                    "rel": "related",
-                    "text": "PM-6"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ca-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines metrics to be\n                     monitored;"
-                      },
-                      {
-                        "id": "ca-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[2]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes monitoring of\n                     organization-defined metrics;"
-                      },
-                      {
-                        "id": "ca-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[3]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes monitoring of\n                     organization-defined metrics in accordance with the organizational continuous\n                     monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines frequencies for\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[2]"
-                          }
-                        ],
-                        "prose": "defines frequencies for assessments supporting monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[3]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes establishment of the\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[4]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes establishment of\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     such monitoring in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(c)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes ongoing security\n                     control assessments;"
-                      },
-                      {
-                        "id": "ca-7.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(c)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes ongoing security\n                     control assessments in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(d)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes ongoing security status\n                     monitoring of organization-defined metrics;"
-                      },
-                      {
-                        "id": "ca-7.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(d)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes ongoing security\n                     status monitoring of organization-defined metrics in accordance with the\n                     organizational continuous monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(e)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(e)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(f)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes response actions to\n                     address results of the analysis of security-related information;"
-                      },
-                      {
-                        "id": "ca-7.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(f)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes response actions to\n                     address results of the analysis of security-related information in accordance\n                     with the organizational continuous monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines the personnel or roles\n                     to whom the security status of the organization and information system are to\n                     be reported;"
-                      },
-                      {
-                        "id": "ca-7.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[2]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines the frequency to report\n                     the security status of the organization and information system to\n                     organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "ca-7.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[3]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes reporting the security\n                     status of the organization or information system to organizational-defined\n                     personnel or roles with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "ca-7.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[4]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes reporting the security\n                     status of the organization and information system to organization-defined\n                     personnel or roles with the organization-defined frequency in accordance with\n                     the organizational continuous monitoring strategy."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                  controls\\n\\nprocedures addressing configuration management\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nconfiguration management records, security impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Mechanisms implementing continuous monitoring"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-9",
-            "class": "SP800-53",
-            "title": "Internal System Connections",
-            "parameters": [
-              {
-                "id": "ca-9_prm_1",
-                "label": "organization-defined information system components or classes of\n               components"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Authorizes internal connections of {{ ca-9_prm_1 }} to the\n                  information system; and"
-                  },
-                  {
-                    "id": "ca-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents, for each internal connection, the interface characteristics, security\n                  requirements, and the nature of the information communicated."
-                  }
-                ]
-              },
-              {
-                "id": "ca-9_gdn",
-                "name": "guidance",
-                "prose": "This control applies to connections between organizational information systems and\n               (separate) constituent system components (i.e., intra-system connections) including,\n               for example, system connections with mobile devices, notebook/desktop computers,\n               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of\n               authorizing each individual internal connection, organizations can authorize internal\n               connections for a class of components with common characteristics and/or\n               configurations, for example, all digital printers, scanners, and copiers with a\n               specified processing, storage, and transmission capability or all smart phones with a\n               specific baseline configuration.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components or classes of components to be authorized\n                     as internal connections to the information system;"
-                      },
-                      {
-                        "id": "ca-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-9(a)[2]"
-                          }
-                        ],
-                        "prose": "authorizes internal connections of organization-defined information system\n                     components or classes of components to the information system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-9(b)"
-                      }
-                    ],
-                    "prose": "documents, for each internal connection:",
-                    "parts": [
-                      {
-                        "id": "ca-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[1]"
-                          }
-                        ],
-                        "prose": "the interface characteristics;"
-                      },
-                      {
-                        "id": "ca-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[2]"
-                          }
-                        ],
-                        "prose": "the security requirements; and"
-                      },
-                      {
-                        "id": "ca-9.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[3]"
-                          }
-                        ],
-                        "prose": "the nature of the information communicated."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of components or classes of components authorized as internal system\n                  connections\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for developing, implementing, or\n                  authorizing internal system connections\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "cm",
-        "class": "family",
-        "title": "Configuration Management",
-        "controls": [
-          {
-            "id": "cm-1",
-            "class": "SP800-53",
-            "title": "Configuration Management Policy and Procedures",
-            "parameters": [
-              {
-                "id": "cm-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cm-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ cm-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "cm-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A configuration management policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "cm-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the configuration management\n                     policy and associated configuration management controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "cm-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Configuration management policy {{ cm-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cm-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Configuration management procedures {{ cm-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CM\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a configuration management policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "cm-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the configuration management policy is to\n                        be disseminated;"
-                          },
-                          {
-                            "id": "cm-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the configuration management policy to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        configuration management policy and associated configuration management\n                        controls;"
-                          },
-                          {
-                            "id": "cm-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "cm-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current configuration\n                        management policy;"
-                          },
-                          {
-                            "id": "cm-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current configuration management policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current configuration\n                        management procedures; and"
-                          },
-                          {
-                            "id": "cm-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current configuration management procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-2",
-            "class": "SP800-53",
-            "title": "Baseline Configuration",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-2_smt",
-                "name": "statement",
-                "prose": "The organization develops, documents, and maintains under configuration control, a\n               current baseline configuration of the information system."
-              },
-              {
-                "id": "cm-2_gdn",
-                "name": "guidance",
-                "prose": "This control establishes baseline configurations for information systems and system\n               components including communications and connectivity-related aspects of systems.\n               Baseline configurations are documented, formally reviewed and agreed-upon sets of\n               specifications for information systems or configuration items within those systems.\n               Baseline configurations serve as a basis for future builds, releases, and/or changes\n               to information systems. Baseline configurations include information about information\n               system components (e.g., standard software packages installed on workstations,\n               notebook computers, servers, network components, or mobile devices; current version\n               numbers and patch information on operating systems and applications; and\n               configuration settings/parameters), network topology, and the logical placement of\n               those components within the system architecture. Maintaining baseline configurations\n               requires creating new baselines as organizational information systems change over\n               time. Baseline configurations of information systems reflect the current enterprise\n               architecture.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#pm-5",
-                    "rel": "related",
-                    "text": "PM-5"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-2_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-2[1]"
-                      }
-                    ],
-                    "prose": "develops and documents a current baseline configuration of the information system;\n                  and"
-                  },
-                  {
-                    "id": "cm-2_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-2[2]"
-                      }
-                    ],
-                    "prose": "maintains, under configuration control, a current baseline configuration of the\n                  information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\nenterprise architecture documentation\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting configuration control of the baseline\n                  configuration"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-4",
-            "class": "SP800-53",
-            "title": "Security Impact Analysis",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-4_smt",
-                "name": "statement",
-                "prose": "The organization analyzes changes to the information system to determine potential\n               security impacts prior to change implementation."
-              },
-              {
-                "id": "cm-4_gdn",
-                "name": "guidance",
-                "prose": "Organizational personnel with information security responsibilities (e.g.,\n               Information System Administrators, Information System Security Officers, Information\n               System Security Managers, and Information System Security Engineers) conduct security\n               impact analyses. Individuals conducting security impact analyses possess the\n               necessary skills/technical expertise to analyze the changes to information systems\n               and the associated security ramifications. Security impact analysis may include, for\n               example, reviewing security plans to understand security control requirements and\n               reviewing system design documentation to understand control implementation and how\n               specific changes might affect the controls. Security impact analyses may also include\n               assessments of risk to better understand the impact of the changes and to determine\n               if additional security controls are required. Security impact analyses are scaled in\n               accordance with the security categories of the information systems.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "cm-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization analyzes changes to the information system to determine\n               potential security impacts prior to change implementation."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for conducting security impact\n                  analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security impact analysis"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-6",
-            "class": "SP800-53",
-            "title": "Configuration Settings",
-            "parameters": [
-              {
-                "id": "cm-6_prm_1",
-                "label": "organization-defined security configuration checklists",
-                "constraints": [
-                  {
-                    "detail": "United States Government Configuration Baseline (USGCB)"
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_prm_2",
-                "label": "organization-defined information system components"
-              },
-              {
-                "id": "cm-6_prm_3",
-                "label": "organization-defined operational requirements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#990268bf-f4a9-4c81-91ae-dc7d3115f4b1",
-                "rel": "reference",
-                "text": "OMB Memorandum 07-11"
-              },
-              {
-                "href": "#0b3d8ba9-051f-498d-81ea-97f0f018c612",
-                "rel": "reference",
-                "text": "OMB Memorandum 07-18"
-              },
-              {
-                "href": "#0916ef02-3618-411b-a525-565c088849a6",
-                "rel": "reference",
-                "text": "OMB Memorandum 08-22"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              },
-              {
-                "href": "#e95dd121-2733-413e-bf1e-f1eb49f20a98",
-                "rel": "reference",
-                "text": "http://checklists.nist.gov"
-              },
-              {
-                "href": "#647b6de3-81d0-4d22-bec1-5f1333e34380",
-                "rel": "reference",
-                "text": "http://www.nsa.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and documents configuration settings for information technology\n                  products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with\n                  operational requirements;"
-                  },
-                  {
-                    "id": "cm-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Implements the configuration settings;"
-                  },
-                  {
-                    "id": "cm-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Identifies, documents, and approves any deviations from established configuration\n                  settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"
-                  },
-                  {
-                    "id": "cm-6_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Monitors and controls changes to the configuration settings in accordance with\n                  organizational policies and procedures."
-                  },
-                  {
-                    "id": "cm-6_fr",
-                    "name": "item",
-                    "title": "CM-6(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement 1:"
-                          }
-                        ],
-                        "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "
-                      },
-                      {
-                        "id": "cm-6_fr_smt.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement 2:"
-                          }
-                        ],
-                        "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."
-                      },
-                      {
-                        "id": "cm-6_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_gdn",
-                "name": "guidance",
-                "prose": "Configuration settings are the set of parameters that can be changed in hardware,\n               software, or firmware components of the information system that affect the security\n               posture and/or functionality of the system. Information technology products for which\n               security-related configuration settings can be defined include, for example,\n               mainframe computers, servers (e.g., database, electronic mail, authentication, web,\n               proxy, file, domain name), workstations, input/output devices (e.g., scanners,\n               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice\n               and data switches, wireless access points, network appliances, sensors), operating\n               systems, middleware, and applications. Security-related parameters are those\n               parameters impacting the security state of information systems including the\n               parameters required to satisfy other security control requirements. Security-related\n               parameters include, for example: (i) registry settings; (ii) account, file, directory\n               permission settings; and (iii) settings for functions, ports, protocols, services,\n               and remote connections. Organizations establish organization-wide configuration\n               settings and subsequently derive specific settings for information systems. The\n               established settings become part of the systems configuration baseline. Common secure\n               configurations (also referred to as security configuration checklists, lockdown and\n               hardening guides, security reference guides, security technical implementation\n               guides) provide recognized, standardized, and established benchmarks that stipulate\n               secure configuration settings for specific information technology platforms/products\n               and instructions for configuring those information system components to meet\n               operational requirements. Common secure configurations can be developed by a variety\n               of organizations including, for example, information technology product developers,\n               manufacturers, vendors, consortia, academia, industry, federal agencies, and other\n               organizations in the public and private sectors. Common secure configurations include\n               the United States Government Configuration Baseline (USGCB) which affects the\n               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security\n               Content Automation Protocol (SCAP) and the defined standards within the protocol\n               (e.g., Common Configuration Enumeration) provide an effective method to uniquely\n               identify, track, and control configuration settings. OMB establishes federal policy\n               on configuration requirements for federal information systems.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security configuration checklists to be used to establish and document\n                     configuration settings for the information technology products employed;"
-                      },
-                      {
-                        "id": "cm-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[2]"
-                          }
-                        ],
-                        "prose": "ensures the defined security configuration checklists reflect the most\n                     restrictive mode consistent with operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[3]"
-                          }
-                        ],
-                        "prose": "establishes and documents configuration settings for information technology\n                     products employed within the information system using organization-defined\n                     security configuration checklists;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-6(b)"
-                      }
-                    ],
-                    "prose": "implements the configuration settings established/documented in CM-6(a);;"
-                  },
-                  {
-                    "id": "cm-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components for which any deviations from established\n                     configuration settings must be:",
-                        "parts": [
-                          {
-                            "id": "cm-6.c_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][a]"
-                              }
-                            ],
-                            "prose": "identified;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][b]"
-                              }
-                            ],
-                            "prose": "documented;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][c]"
-                              }
-                            ],
-                            "prose": "approved;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[2]"
-                          }
-                        ],
-                        "prose": "defines operational requirements to support:",
-                        "parts": [
-                          {
-                            "id": "cm-6.c_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][a]"
-                              }
-                            ],
-                            "prose": "the identification of any deviations from established configuration\n                        settings;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][b]"
-                              }
-                            ],
-                            "prose": "the documentation of any deviations from established configuration\n                        settings;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][c]"
-                              }
-                            ],
-                            "prose": "the approval of any deviations from established configuration settings;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[3]"
-                          }
-                        ],
-                        "prose": "identifies any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[4]"
-                          }
-                        ],
-                        "prose": "documents any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.c_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[5]"
-                          }
-                        ],
-                        "prose": "approves any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(d)[1]"
-                          }
-                        ],
-                        "prose": "monitors changes to the configuration settings in accordance with\n                     organizational policies and procedures; and"
-                      },
-                      {
-                        "id": "cm-6.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(d)[2]"
-                          }
-                        ],
-                        "prose": "controls changes to the configuration settings in accordance with\n                     organizational policies and procedures."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nevidence supporting approved deviations from established configuration\n                  settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing configuration settings\\n\\nautomated mechanisms that implement, monitor, and/or control information system\n                  configuration settings\\n\\nautomated mechanisms that identify and/or document deviations from established\n                  configuration settings"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-7",
-            "class": "SP800-53",
-            "title": "Least Functionality",
-            "parameters": [
-              {
-                "id": "cm-7_prm_1",
-                "label": "organization-defined prohibited or restricted functions, ports, protocols, and/or\n               services",
-                "constraints": [
-                  {
-                    "detail": "United States Government Configuration Baseline (USGCB)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e42b2099-3e1c-415b-952c-61c96533c12e",
-                "rel": "reference",
-                "text": "DoD Instruction 8551.01"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Configures the information system to provide only essential capabilities; and"
-                  },
-                  {
-                    "id": "cm-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Prohibits or restricts the use of the following functions, ports, protocols,\n                  and/or services: {{ cm-7_prm_1 }}."
-                  },
-                  {
-                    "id": "cm-7_fr",
-                    "name": "item",
-                    "title": "CM-7 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-7_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."
-                      },
-                      {
-                        "id": "cm-7_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc)\n\t\t\t\t\t\t\tPartially derived from AC-17(8)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-7_gdn",
-                "name": "guidance",
-                "prose": "Information systems can provide a wide variety of functions and services. Some of the\n               functions and services, provided by default, may not be necessary to support\n               essential organizational operations (e.g., key missions, functions). Additionally, it\n               is sometimes convenient to provide multiple services from single information system\n               components, but doing so increases risk over limiting the services provided by any\n               one component. Where feasible, organizations limit component functionality to a\n               single function per device (e.g., email servers or web servers, but not both).\n               Organizations review functions and services provided by information systems or\n               individual components of information systems, to determine which functions and\n               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant\n               Messaging, auto-execute, and file sharing). Organizations consider disabling unused\n               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File\n               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to\n               prevent unauthorized connection of devices, unauthorized transfer of information, or\n               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion\n               detection and prevention systems, and end-point protections such as firewalls and\n               host-based intrusion detection systems to identify and prevent the use of prohibited\n               functions, ports, protocols, and services.",
-                "links": [
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-7(a)"
-                      }
-                    ],
-                    "prose": "configures the information system to provide only essential capabilities;"
-                  },
-                  {
-                    "id": "cm-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(b)[1]"
-                          }
-                        ],
-                        "prose": "defines prohibited or restricted:",
-                        "parts": [
-                          {
-                            "id": "cm-7.b_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][a]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][b]"
-                              }
-                            ],
-                            "prose": "ports;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][c]"
-                              }
-                            ],
-                            "prose": "protocols; and/or"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][d]"
-                              }
-                            ],
-                            "prose": "services;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(b)[2]"
-                          }
-                        ],
-                        "prose": "prohibits or restricts the use of organization-defined:",
-                        "parts": [
-                          {
-                            "id": "cm-7.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][a]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][b]"
-                              }
-                            ],
-                            "prose": "ports;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][c]"
-                              }
-                            ],
-                            "prose": "protocols; and/or"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][d]"
-                              }
-                            ],
-                            "prose": "services."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing least functionality in the information system\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes prohibiting or restricting functions, ports, protocols,\n                  and/or services\\n\\nautomated mechanisms implementing restrictions or prohibition of functions, ports,\n                  protocols, and/or services"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-8",
-            "class": "SP800-53",
-            "title": "Information System Component Inventory",
-            "parameters": [
-              {
-                "id": "cm-8_prm_1",
-                "label": "organization-defined information deemed necessary to achieve effective\n               information system component accountability"
-              },
-              {
-                "id": "cm-8_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops and documents an inventory of information system components that:",
-                    "parts": [
-                      {
-                        "id": "cm-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Accurately reflects the current information system;"
-                      },
-                      {
-                        "id": "cm-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Includes all components within the authorization boundary of the information\n                     system;"
-                      },
-                      {
-                        "id": "cm-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Is at the level of granularity deemed necessary for tracking and reporting;\n                     and"
-                      },
-                      {
-                        "id": "cm-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Includes {{ cm-8_prm_1 }}; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the information system component inventory {{ cm-8_prm_2 }}."
-                  },
-                  {
-                    "id": "cm-8_fr",
-                    "name": "item",
-                    "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-8_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Must be provided at least monthly or when there is a change."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_gdn",
-                "name": "guidance",
-                "prose": "Organizations may choose to implement centralized information system component\n               inventories that include components from all organizational information systems. In\n               such situations, organizations ensure that the resulting inventories include\n               system-specific information required for proper component accountability (e.g.,\n               information system association, information system owner). Information deemed\n               necessary for effective accountability of information system components includes, for\n               example, hardware inventory specifications, software license information, software\n               version numbers, component owners, and for networked components or devices, machine\n               names and network addresses. Inventory specifications include, for example,\n               manufacturer, device type, model, serial number, and physical location.",
-                "links": [
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pm-5",
-                    "rel": "related",
-                    "text": "PM-5"
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(1)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that\n                     accurately reflects the current information system;"
-                      },
-                      {
-                        "id": "cm-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(2)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that\n                     includes all components within the authorization boundary of the information\n                     system;"
-                      },
-                      {
-                        "id": "cm-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(3)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that is at\n                     the level of granularity deemed necessary for tracking and reporting;"
-                      },
-                      {
-                        "id": "cm-8.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(4)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-8.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "defines the information deemed necessary to achieve effective information\n                        system component accountability;"
-                          },
-                          {
-                            "id": "cm-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "develops and documents an inventory of information system components that\n                        includes organization-defined information deemed necessary to achieve\n                        effective information system component accountability;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the information system component\n                     inventory; and"
-                      },
-                      {
-                        "id": "cm-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the information system component inventory with the\n                     organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system component\n                  inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for developing and documenting an inventory of\n                  information system components\\n\\nautomated mechanisms supporting and/or implementing the information system\n                  component inventory"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-10",
-            "class": "SP800-53",
-            "title": "Software Usage Restrictions",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-10_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-10_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"
-                  },
-                  {
-                    "id": "cm-10_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"
-                  },
-                  {
-                    "id": "cm-10_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."
-                  }
-                ]
-              },
-              {
-                "id": "cm-10_gdn",
-                "name": "guidance",
-                "prose": "Software license tracking can be accomplished by manual methods (e.g., simple\n               spreadsheets) or automated methods (e.g., specialized tracking applications)\n               depending on organizational needs.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-10.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(a)"
-                      }
-                    ],
-                    "prose": "uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"
-                  },
-                  {
-                    "id": "cm-10.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(b)"
-                      }
-                    ],
-                    "prose": "tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"
-                  },
-                  {
-                    "id": "cm-10.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(c)"
-                      }
-                    ],
-                    "prose": "controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing software usage restrictions\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nsoftware contract agreements and copyright laws\\n\\nsite license documentation\\n\\nlist of software usage restrictions\\n\\nsoftware license tracking reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel with software license management responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for tracking the use of software protected by quantity\n                  licenses\\n\\norganization process for controlling/documenting the use of peer-to-peer file\n                  sharing technology\\n\\nautomated mechanisms implementing software license tracking\\n\\nautomated mechanisms implementing and controlling the use of peer-to-peer files\n                  sharing technology"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-11",
-            "class": "SP800-53",
-            "title": "User-installed Software",
-            "parameters": [
-              {
-                "id": "cm-11_prm_1",
-                "label": "organization-defined policies"
-              },
-              {
-                "id": "cm-11_prm_2",
-                "label": "organization-defined methods"
-              },
-              {
-                "id": "cm-11_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "Continuously (via CM-7 (5))"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-11_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes {{ cm-11_prm_1 }} governing the installation of\n                  software by users;"
-                  },
-                  {
-                    "id": "cm-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Enforces software installation policies through {{ cm-11_prm_2 }};\n                  and"
-                  },
-                  {
-                    "id": "cm-11_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Monitors policy compliance at {{ cm-11_prm_3 }}."
-                  }
-                ]
-              },
-              {
-                "id": "cm-11_gdn",
-                "name": "guidance",
-                "prose": "If provided the necessary privileges, users have the ability to install software in\n               organizational information systems. To maintain control over the types of software\n               installed, organizations identify permitted and prohibited actions regarding software\n               installation. Permitted software installations may include, for example, updates and\n               security patches to existing software and downloading applications from\n               organization-approved “app stores” Prohibited software installations may include, for\n               example, software with unknown or suspect pedigrees or software that organizations\n               consider potentially malicious. The policies organizations select governing\n               user-installed software may be organization-developed or provided by some external\n               entity. Policy enforcement methods include procedural methods (e.g., periodic\n               examination of user accounts), automated methods (e.g., configuration settings\n               implemented on organizational information systems), or both.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "cm-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(a)[1]"
-                          }
-                        ],
-                        "prose": "defines policies to govern the installation of software by users;"
-                      },
-                      {
-                        "id": "cm-11.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes organization-defined policies governing the installation of\n                     software by users;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(b)[1]"
-                          }
-                        ],
-                        "prose": "defines methods to enforce software installation policies;"
-                      },
-                      {
-                        "id": "cm-11.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(b)[2]"
-                          }
-                        ],
-                        "prose": "enforces software installation policies through organization-defined\n                     methods;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(c)[1]"
-                          }
-                        ],
-                        "prose": "defines frequency to monitor policy compliance; and"
-                      },
-                      {
-                        "id": "cm-11.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(c)[2]"
-                          }
-                        ],
-                        "prose": "monitors policy compliance at organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of rules governing user installed software\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records\\n\\ncontinuous monitoring strategy"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for governing user-installed\n                  software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel monitoring compliance with user-installed software\n                  policy\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes governing user-installed software on the information\n                  system\\n\\nautomated mechanisms enforcing rules/methods for governing the installation of\n                  software by users\\n\\nautomated mechanisms monitoring policy compliance"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "cp",
-        "class": "family",
-        "title": "Contingency Planning",
-        "controls": [
-          {
-            "id": "cp-1",
-            "class": "SP800-53",
-            "title": "Contingency Planning Policy and Procedures",
-            "parameters": [
-              {
-                "id": "cp-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cp-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ cp-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "cp-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A contingency planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "cp-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the contingency planning policy\n                     and associated contingency planning controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "cp-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Contingency planning policy {{ cp-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cp-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Contingency planning procedures {{ cp-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "cp-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization develops and documents a contingency planning policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "cp-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cp-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines personnel or roles to whom the contingency planning\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "cp-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "the organization disseminates the contingency planning policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "the organization develops and documents procedures to facilitate the\n                        implementation of the contingency planning policy and associated contingency\n                        planning controls;"
-                          },
-                          {
-                            "id": "cp-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "cp-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "the organization disseminates the procedures to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to review and update the current\n                        contingency planning policy;"
-                          },
-                          {
-                            "id": "cp-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "the organization reviews and updates the current contingency planning with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to review and update the current\n                        contingency planning procedures; and"
-                          },
-                          {
-                            "id": "cp-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "the organization reviews and updates the current contingency planning\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-2",
-            "class": "SP800-53",
-            "title": "Contingency Plan",
-            "parameters": [
-              {
-                "id": "cp-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cp-2_prm_2",
-                "label": "organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"
-              },
-              {
-                "id": "cp-2_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_prm_4",
-                "label": "organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a contingency plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "cp-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Identifies essential missions and business functions and associated contingency\n                     requirements;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Provides recovery objectives, restoration priorities, and metrics;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Addresses contingency roles, responsibilities, assigned individuals with\n                     contact information;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented; and"
-                      },
-                      {
-                        "id": "cp-2_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by {{ cp-2_prm_1 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the contingency plan to {{ cp-2_prm_2 }};"
-                  },
-                  {
-                    "id": "cp-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Coordinates contingency planning activities with incident handling activities;"
-                  },
-                  {
-                    "id": "cp-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Reviews the contingency plan for the information system {{ cp-2_prm_3 }};"
-                  },
-                  {
-                    "id": "cp-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Updates the contingency plan to address changes to the organization, information\n                  system, or environment of operation and problems encountered during contingency\n                  plan implementation, execution, or testing;"
-                  },
-                  {
-                    "id": "cp-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Communicates contingency plan changes to {{ cp-2_prm_4 }}; and"
-                  },
-                  {
-                    "id": "cp-2_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Protects the contingency plan from unauthorized disclosure and modification."
-                  },
-                  {
-                    "id": "cp-2_fr",
-                    "name": "item",
-                    "title": "CP-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-2_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2 Requirement:"
-                          }
-                        ],
-                        "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_gdn",
-                "name": "guidance",
-                "prose": "Contingency planning for information systems is part of an overall organizational\n               program for achieving continuity of operations for mission/business functions.\n               Contingency planning addresses both information system restoration and implementation\n               of alternative mission/business processes when systems are compromised. The\n               effectiveness of contingency planning is maximized by considering such planning\n               throughout the phases of the system development life cycle. Performing contingency\n               planning on hardware, software, and firmware development can be an effective means of\n               achieving information system resiliency. Contingency plans reflect the degree of\n               restoration required for organizational information systems since not all systems may\n               need to fully recover to achieve the level of continuity of operations desired.\n               Information system recovery objectives reflect applicable laws, Executive Orders,\n               directives, policies, standards, regulations, and guidelines. In addition to\n               information system availability, contingency plans also address other\n               security-related events resulting in a reduction in mission and/or business\n               effectiveness, such as malicious attacks compromising the confidentiality or\n               integrity of information systems. Actions addressed in contingency plans include, for\n               example, orderly/graceful degradation, information system shutdown, fallback to a\n               manual mode, alternate information flows, and operating in modes reserved for when\n               systems are under attack. By closely coordinating contingency planning with incident\n               handling activities, organizations can ensure that the necessary contingency planning\n               activities are in place and activated in the event of a security incident.",
-                "links": [
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pm-8",
-                    "rel": "related",
-                    "text": "PM-8"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cp-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(a)"
-                      }
-                    ],
-                    "prose": "develops and documents a contingency plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "cp-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(1)"
-                          }
-                        ],
-                        "prose": "identifies essential missions and business functions and associated contingency\n                     requirements;"
-                      },
-                      {
-                        "id": "cp-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "provides recovery objectives;"
-                          },
-                          {
-                            "id": "cp-2.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "provides restoration priorities;"
-                          },
-                          {
-                            "id": "cp-2.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "provides metrics;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "addresses contingency roles;"
-                          },
-                          {
-                            "id": "cp-2.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "addresses contingency responsibilities;"
-                          },
-                          {
-                            "id": "cp-2.a.3_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[3]"
-                              }
-                            ],
-                            "prose": "addresses assigned individuals with contact information;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-2.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(4)"
-                          }
-                        ],
-                        "prose": "addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"
-                      },
-                      {
-                        "id": "cp-2.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(5)"
-                          }
-                        ],
-                        "prose": "addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented;"
-                      },
-                      {
-                        "id": "cp-2.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(6)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.6_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(6)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to review and approve the contingency plan for\n                        the information system;"
-                          },
-                          {
-                            "id": "cp-2.a.6_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(6)[2]"
-                              }
-                            ],
-                            "prose": "is reviewed and approved by organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom copies of the contingency plan are to be\n                     distributed;"
-                      },
-                      {
-                        "id": "cp-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the contingency plan to organization-defined key\n                     contingency personnel and organizational elements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-2(c)"
-                      }
-                    ],
-                    "prose": "coordinates contingency planning activities with incident handling activities;"
-                  },
-                  {
-                    "id": "cp-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to review the contingency plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(d)[2]"
-                          }
-                        ],
-                        "prose": "reviews the contingency plan with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(e)"
-                      }
-                    ],
-                    "prose": "updates the contingency plan to address:",
-                    "parts": [
-                      {
-                        "id": "cp-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(e)[1]"
-                          }
-                        ],
-                        "prose": "changes to the organization, information system, or environment of\n                     operation;"
-                      },
-                      {
-                        "id": "cp-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(e)[2]"
-                          }
-                        ],
-                        "prose": "problems encountered during plan implementation, execution, and testing;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom contingency plan changes are to be\n                     communicated;"
-                      },
-                      {
-                        "id": "cp-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(f)[2]"
-                          }
-                        ],
-                        "prose": "communicates contingency plan changes to organization-defined key contingency\n                     personnel and organizational elements; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-2(g)"
-                      }
-                    ],
-                    "prose": "protects the contingency plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nevidence of contingency plan reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency plan development, review, update, and\n                  protection\\n\\nautomated mechanisms for developing, reviewing, updating and/or protecting the\n                  contingency plan"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-3",
-            "class": "SP800-53",
-            "title": "Contingency Training",
-            "parameters": [
-              {
-                "id": "cp-3_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "ten (10) days"
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-3_smt",
-                "name": "statement",
-                "prose": "The organization provides contingency training to information system users consistent\n               with assigned roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "cp-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Within {{ cp-3_prm_1 }} of assuming a contingency role or\n                  responsibility;"
-                  },
-                  {
-                    "id": "cp-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "cp-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ cp-3_prm_2 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_gdn",
-                "name": "guidance",
-                "prose": "Contingency training provided by organizations is linked to the assigned roles and\n               responsibilities of organizational personnel to ensure that the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know when and where to report for duty during contingency operations and if\n               normal duties are affected; system administrators may require additional training on\n               how to set up information systems at alternate processing and storage sites; and\n               managers/senior leaders may receive more specific training on how to conduct\n               mission-essential functions in designated off-site locations and how to establish\n               communications with other governmental entities for purposes of coordination on\n               contingency-related activities. Training for contingency roles/responsibilities\n               reflects the specific continuity requirements in the contingency plan.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ir-2",
-                    "rel": "related",
-                    "text": "IR-2"
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cp-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which contingency training is to be provided to\n                     information system users assuming a contingency role or responsibility;"
-                      },
-                      {
-                        "id": "cp-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(a)[2]"
-                          }
-                        ],
-                        "prose": "provides contingency training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming a contingency role or responsibility;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-3(b)"
-                      }
-                    ],
-                    "prose": "provides contingency training to information system users consistent with assigned\n                  roles and responsibilities when required by information system changes;"
-                  },
-                  {
-                    "id": "cp-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency for contingency training thereafter; and"
-                      },
-                      {
-                        "id": "cp-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides contingency training to information system users consistent with\n                     assigned roles and responsibilities with the organization-defined frequency\n                     thereafter."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nsecurity plan\\n\\ncontingency training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning, plan implementation, and\n                  training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency training"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-4",
-            "class": "SP800-53",
-            "title": "Contingency Plan Testing",
-            "parameters": [
-              {
-                "id": "cp-4_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three years"
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_prm_2",
-                "label": "organization-defined tests",
-                "constraints": [
-                  {
-                    "detail": "classroom exercises/table top written tests"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-84"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the\n                  effectiveness of the plan and the organizational readiness to execute the\n                  plan;"
-                  },
-                  {
-                    "id": "cp-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews the contingency plan test results; and"
-                  },
-                  {
-                    "id": "cp-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Initiates corrective actions, if needed."
-                  },
-                  {
-                    "id": "cp-4_fr",
-                    "name": "item",
-                    "title": "CP-4(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-4_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-4(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_gdn",
-                "name": "guidance",
-                "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and\n               to identify potential weaknesses in the plans include, for example, walk-through and\n               tabletop exercises, checklists, simulations (parallel, full interrupt), and\n               comprehensive exercises. Organizations conduct testing based on the continuity\n               requirements in contingency plans and include a determination of the effects on\n               organizational operations, assets, and individuals arising due to contingency\n               operations. Organizations have flexibility and discretion in the breadth, depth, and\n               timelines of corrective actions.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-3",
-                    "rel": "related",
-                    "text": "CP-3"
-                  },
-                  {
-                    "href": "#ir-3",
-                    "rel": "related",
-                    "text": "IR-3"
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines tests to determine the effectiveness of the contingency plan and the\n                     organizational readiness to execute the plan;"
-                      },
-                      {
-                        "id": "cp-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[2]"
-                          }
-                        ],
-                        "prose": "defines a frequency to test the contingency plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[3]"
-                          }
-                        ],
-                        "prose": "tests the contingency plan for the information system with the\n                     organization-defined frequency, using organization-defined tests to determine\n                     the effectiveness of the plan and the organizational readiness to execute the\n                     plan;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-4(b)"
-                      }
-                    ],
-                    "prose": "reviews the contingency plan test results; and"
-                  },
-                  {
-                    "id": "cp-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-4(c)"
-                      }
-                    ],
-                    "prose": "initiates corrective actions, if needed."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\nsecurity plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for contingency plan testing,\n                  reviewing or responding to contingency plan tests\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                  testing"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-9",
-            "class": "SP800-53",
-            "title": "Information System Backup",
-            "parameters": [
-              {
-                "id": "cp-9_prm_1",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_prm_2",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_prm_3",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-09"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Conducts backups of user-level information contained in the information system\n                     {{ cp-9_prm_1 }};"
-                  },
-                  {
-                    "id": "cp-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Conducts backups of system-level information contained in the information system\n                     {{ cp-9_prm_2 }};"
-                  },
-                  {
-                    "id": "cp-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Conducts backups of information system documentation including security-related\n                  documentation {{ cp-9_prm_3 }}; and"
-                  },
-                  {
-                    "id": "cp-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."
-                  },
-                  {
-                    "id": "cp-9_fr",
-                    "name": "item",
-                    "title": "CP-9 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-9_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_gdn",
-                "name": "guidance",
-                "prose": "System-level information includes, for example, system-state information, operating\n               system and application software, and licenses. User-level information includes any\n               information other than system-level information. Mechanisms employed by organizations\n               to protect the integrity of information system backups include, for example, digital\n               signatures and cryptographic hashes. Protection of system backup information while in\n               transit is beyond the scope of this control. Information system backups reflect the\n               requirements in contingency plans as well as other organizational requirements for\n               backing up information.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of user-level information contained in the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(a)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of user-level information contained in the information system\n                     with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of system-level information contained in the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of system-level information contained in the information\n                     system with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of information system documentation including security-related\n                     documentation;"
-                      },
-                      {
-                        "id": "cp-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of information system documentation, including\n                     security-related documentation, with the organization-defined frequency;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-9(d)"
-                      }
-                    ],
-                    "prose": "protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system backups"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-10",
-            "class": "SP800-53",
-            "title": "Information System Recovery and Reconstitution",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-10"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-10_smt",
-                "name": "statement",
-                "prose": "The organization provides for the recovery and reconstitution of the information\n               system to a known state after a disruption, compromise, or failure."
-              },
-              {
-                "id": "cp-10_gdn",
-                "name": "guidance",
-                "prose": "Recovery is executing information system contingency plan activities to restore\n               organizational missions/business functions. Reconstitution takes place following\n               recovery and includes activities for returning organizational information systems to\n               fully operational states. Recovery and reconstitution operations reflect mission and\n               business priorities, recovery point/time and reconstitution objectives, and\n               established organizational metrics consistent with contingency plan requirements.\n               Reconstitution includes the deactivation of any interim information system\n               capabilities that may have been needed during recovery operations. Reconstitution\n               also includes assessments of fully restored information system capabilities,\n               reestablishment of continuous monitoring activities, potential information system\n               reauthorizations, and activities to prepare the systems against future disruptions,\n               compromises, or failures. Recovery/reconstitution capabilities employed by\n               organizations can include both automated mechanisms and manual procedures.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#sc-24",
-                    "rel": "related",
-                    "text": "SC-24"
-                  }
-                ]
-              },
-              {
-                "id": "cp-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization provides for: ",
-                "parts": [
-                  {
-                    "id": "cp-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-10[1]"
-                      }
-                    ],
-                    "prose": "the recovery of the information system to a known state after:",
-                    "parts": [
-                      {
-                        "id": "cp-10_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][a]"
-                          }
-                        ],
-                        "prose": "a disruption;"
-                      },
-                      {
-                        "id": "cp-10_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][b]"
-                          }
-                        ],
-                        "prose": "a compromise; or"
-                      },
-                      {
-                        "id": "cp-10_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][c]"
-                          }
-                        ],
-                        "prose": "a failure;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-10[2]"
-                      }
-                    ],
-                    "prose": "the reconstitution of the information system to a known state after:",
-                    "parts": [
-                      {
-                        "id": "cp-10_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][a]"
-                          }
-                        ],
-                        "prose": "a disruption;"
-                      },
-                      {
-                        "id": "cp-10_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][b]"
-                          }
-                        ],
-                        "prose": "a compromise; or"
-                      },
-                      {
-                        "id": "cp-10_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][c]"
-                          }
-                        ],
-                        "prose": "a failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test results\\n\\ncontingency plan test documentation\\n\\nredundant secondary system for information system backups\\n\\nlocation(s) of redundant secondary backup system(s)\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning, recovery, and/or\n                  reconstitution responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes implementing information system recovery and\n                  reconstitution operations\\n\\nautomated mechanisms supporting and/or implementing information system recovery\n                  and reconstitution operations"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ia",
-        "class": "family",
-        "title": "Identification and Authentication",
-        "controls": [
-          {
-            "id": "ia-1",
-            "class": "SP800-53",
-            "title": "Identification and Authentication Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ia-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ia-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ia-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ia-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ia-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An identification and authentication policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "ia-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the identification and\n                     authentication policy and associated identification and authentication\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ia-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Identification and authentication policy {{ ia-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "ia-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Identification and authentication procedures {{ ia-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ia-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an identification and authentication policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "ia-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ia-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the identification and authentication\n                        policy is to be disseminated; and"
-                          },
-                          {
-                            "id": "ia-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the identification and authentication policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        identification and authentication policy and associated identification and\n                        authentication controls;"
-                          },
-                          {
-                            "id": "ia-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ia-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current identification and\n                        authentication policy;"
-                          },
-                          {
-                            "id": "ia-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current identification and authentication policy\n                        with the organization-defined frequency; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current identification and\n                        authentication procedures; and"
-                          },
-                          {
-                            "id": "ia-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current identification and authentication procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with identification and authentication\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-2",
-            "class": "SP800-53",
-            "title": "Identification and Authentication (organizational Users)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ad733a42-a7ed-4774-b988-4930c28852f3",
-                "rel": "reference",
-                "text": "HSPD-12"
-              },
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-2_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates organizational users (or\n               processes acting on behalf of organizational users)."
-              },
-              {
-                "id": "ia-2_gdn",
-                "name": "guidance",
-                "prose": "Organizational users include employees or individuals that organizations deem to have\n               equivalent status of employees (e.g., contractors, guest researchers). This control\n               applies to all accesses other than: (i) accesses that are explicitly identified and\n               documented in AC-14; and (ii) accesses that occur through authorized use of group\n               authenticators without individual authentication. Organizations may require unique\n               identification of individuals in group accounts (e.g., shared privilege accounts) or\n               for detailed accountability of individual activity. Organizations employ passwords,\n               tokens, or biometrics to authenticate user identities, or in the case multifactor\n               authentication, or some combination thereof. Access to organizational information\n               systems is defined as either local access or network access. Local access is any\n               access to organizational information systems by users (or processes acting on behalf\n               of users) where such access is obtained by direct connections without the use of\n               networks. Network access is access to organizational information systems by users (or\n               processes acting on behalf of users) where such access is obtained through network\n               connections (i.e., nonlocal accesses). Remote access is a type of network access that\n               involves communication through external networks (e.g., the Internet). Internal\n               networks include local area networks and wide area networks. In addition, the use of\n               encrypted virtual private networks (VPNs) for network connections between\n               organization-controlled endpoints and non-organization controlled endpoints may be\n               treated as internal networks from the perspective of protecting the confidentiality\n               and integrity of information traversing the network. Organizations can satisfy the\n               identification and authentication requirements in this control by complying with the\n               requirements in Homeland Security Presidential Directive 12 consistent with the\n               specific organizational implementation plans. Multifactor authentication requires the\n               use of two or more different factors to achieve authentication. The factors are\n               defined as: (i) something you know (e.g., password, personal identification number\n               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);\n               or (iii) something you are (e.g., biometric). Multifactor solutions that require\n               devices separate from information systems gaining access include, for example,\n               hardware tokens providing time-based or challenge-response authenticators and smart\n               cards such as the U.S. Government Personal Identity Verification card and the DoD\n               common access card. In addition to identifying and authenticating users at the\n               information system level (i.e., at logon), organizations also employ identification\n               and authentication mechanisms at the application level, when necessary, to provide\n               increased information security. Identification and authentication requirements for\n               other than organizational users are described in IA-8.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  }
-                ]
-              },
-              {
-                "id": "ia-2_obj",
-                "name": "objective",
-                "prose": "Determine if the information system uniquely identifies and authenticates\n               organizational users (or processes acting on behalf of organizational users)."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for uniquely identifying and authenticating users\\n\\nautomated mechanisms supporting and/or implementing identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.1_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for network access to\n                  privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  network access to privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.12",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of PIV Credentials",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(12)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.12"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.12_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials.",
-                    "parts": [
-                      {
-                        "id": "ia-2.12_fr",
-                        "name": "item",
-                        "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-2.12_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.12_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to organizations implementing logical access\n                  control systems (LACS) and physical access control systems (PACS). Personal\n                  Identity Verification (PIV) credentials are those credentials issued by federal\n                  agencies that conform to FIPS Publication 201 and supporting guidance documents.\n                  OMB Memorandum 11-11 requires federal agencies to continue implementing the\n                  requirements specified in HSPD-12 to enable agency-wide use of PIV\n                  credentials.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.12_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system: ",
-                    "parts": [
-                      {
-                        "id": "ia-2.12_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(12)[1]"
-                          }
-                        ],
-                        "prose": "accepts Personal Identity Verification (PIV) credentials; and"
-                      },
-                      {
-                        "id": "ia-2.12_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(12)[2]"
-                          }
-                        ],
-                        "prose": "electronically verifies Personal Identity Verification (PIV) credentials."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing acceptance and verification\n                     of PIV credentials"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-4",
-            "class": "SP800-53",
-            "title": "Identifier Management",
-            "parameters": [
-              {
-                "id": "ia-4_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ia-4_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "IA-4 (d) [at least two years]"
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_prm_3",
-                "label": "organization-defined time period of inactivity",
-                "constraints": [
-                  {
-                    "detail": "ninety days for user identifiers (See additional requirements and guidance)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-4_smt",
-                "name": "statement",
-                "prose": "The organization manages information system identifiers by:",
-                "parts": [
-                  {
-                    "id": "ia-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Receiving authorization from {{ ia-4_prm_1 }} to assign an\n                  individual, group, role, or device identifier;"
-                  },
-                  {
-                    "id": "ia-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Selecting an identifier that identifies an individual, group, role, or device;"
-                  },
-                  {
-                    "id": "ia-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Assigning the identifier to the intended individual, group, role, or device;"
-                  },
-                  {
-                    "id": "ia-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ia-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Disabling the identifier after {{ ia-4_prm_3 }}."
-                  },
-                  {
-                    "id": "ia-4_fr",
-                    "name": "item",
-                    "title": "IA-4(e) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ia-4_fr_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines the time period of inactivity for device identifiers."
-                      },
-                      {
-                        "id": "ia-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_gdn",
-                "name": "guidance",
-                "prose": "Common device identifiers include, for example, media access control (MAC), Internet\n               protocol (IP) addresses, or device-unique token identifiers. Management of individual\n               identifiers is not applicable to shared information system accounts (e.g., guest and\n               anonymous accounts). Typically, individual identifiers are the user names of the\n               information system accounts assigned to those individuals. In such instances, the\n               account management activities of AC-2 use account names provided by IA-4. This\n               control also addresses individual identifiers not necessarily associated with\n               information system accounts (e.g., identifiers used in physical security control\n               databases accessed by badge reader systems for access to information systems).\n               Preventing reuse of identifiers implies preventing the assignment of previously used\n               individual, group, role, or device identifiers to different individuals, groups,\n               roles, or devices.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#sc-37",
-                    "rel": "related",
-                    "text": "SC-37"
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization manages information system identifiers by: ",
-                "parts": [
-                  {
-                    "id": "ia-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defining personnel or roles from whom authorization must be received to\n                     assign:",
-                        "parts": [
-                          {
-                            "id": "ia-4.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][a]"
-                              }
-                            ],
-                            "prose": "an individual identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][b]"
-                              }
-                            ],
-                            "prose": "a group identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][c]"
-                              }
-                            ],
-                            "prose": "a role identifier; and/or"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][d]"
-                              }
-                            ],
-                            "prose": "a device identifier;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(a)[2]"
-                          }
-                        ],
-                        "prose": "receiving authorization from organization-defined personnel or roles to\n                     assign:",
-                        "parts": [
-                          {
-                            "id": "ia-4.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][a]"
-                              }
-                            ],
-                            "prose": "an individual identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][b]"
-                              }
-                            ],
-                            "prose": "a group identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][c]"
-                              }
-                            ],
-                            "prose": "a role identifier; and/or"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][d]"
-                              }
-                            ],
-                            "prose": "a device identifier;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-4(b)"
-                      }
-                    ],
-                    "prose": "selecting an identifier that identifies:",
-                    "parts": [
-                      {
-                        "id": "ia-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[1]"
-                          }
-                        ],
-                        "prose": "an individual;"
-                      },
-                      {
-                        "id": "ia-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[2]"
-                          }
-                        ],
-                        "prose": "a group;"
-                      },
-                      {
-                        "id": "ia-4.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[3]"
-                          }
-                        ],
-                        "prose": "a role; and/or"
-                      },
-                      {
-                        "id": "ia-4.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[4]"
-                          }
-                        ],
-                        "prose": "a device;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-4(c)"
-                      }
-                    ],
-                    "prose": "assigning the identifier to the intended:",
-                    "parts": [
-                      {
-                        "id": "ia-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[1]"
-                          }
-                        ],
-                        "prose": "individual;"
-                      },
-                      {
-                        "id": "ia-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[2]"
-                          }
-                        ],
-                        "prose": "group;"
-                      },
-                      {
-                        "id": "ia-4.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[3]"
-                          }
-                        ],
-                        "prose": "role; and/or"
-                      },
-                      {
-                        "id": "ia-4.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[4]"
-                          }
-                        ],
-                        "prose": "device;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(d)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period for preventing reuse of identifiers;"
-                      },
-                      {
-                        "id": "ia-4.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(d)[2]"
-                          }
-                        ],
-                        "prose": "preventing reuse of identifiers for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(e)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period of inactivity to disable the identifier; and"
-                      },
-                      {
-                        "id": "ia-4.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(e)[2]"
-                          }
-                        ],
-                        "prose": "disabling the identifier after the organization-defined time period of\n                     inactivity."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system accounts\\n\\nlist of identifiers generated from physical access control devices\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing identifier management"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-5",
-            "class": "SP800-53",
-            "title": "Authenticator Management",
-            "parameters": [
-              {
-                "id": "ia-5_prm_1",
-                "label": "organization-defined time period by authenticator type"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-5_smt",
-                "name": "statement",
-                "prose": "The organization manages information system authenticators by:",
-                "parts": [
-                  {
-                    "id": "ia-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Verifying, as part of the initial authenticator distribution, the identity of the\n                  individual, group, role, or device receiving the authenticator;"
-                  },
-                  {
-                    "id": "ia-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishing initial authenticator content for authenticators defined by the\n                  organization;"
-                  },
-                  {
-                    "id": "ia-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"
-                  },
-                  {
-                    "id": "ia-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Establishing and implementing administrative procedures for initial authenticator\n                  distribution, for lost/compromised or damaged authenticators, and for revoking\n                  authenticators;"
-                  },
-                  {
-                    "id": "ia-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Changing default content of authenticators prior to information system\n                  installation;"
-                  },
-                  {
-                    "id": "ia-5_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Establishing minimum and maximum lifetime restrictions and reuse conditions for\n                  authenticators;"
-                  },
-                  {
-                    "id": "ia-5_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Changing/refreshing authenticators {{ ia-5_prm_1 }};"
-                  },
-                  {
-                    "id": "ia-5_smt.h",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "h."
-                      }
-                    ],
-                    "prose": "Protecting authenticator content from unauthorized disclosure and\n                  modification;"
-                  },
-                  {
-                    "id": "ia-5_smt.i",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "i."
-                      }
-                    ],
-                    "prose": "Requiring individuals to take, and having devices implement, specific security\n                  safeguards to protect authenticators; and"
-                  },
-                  {
-                    "id": "ia-5_smt.j",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "j."
-                      }
-                    ],
-                    "prose": "Changing authenticators for group/role accounts when membership to those accounts\n                  changes."
-                  },
-                  {
-                    "id": "ia-5_fr",
-                    "name": "item",
-                    "title": "IA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ia-5_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5_gdn",
-                "name": "guidance",
-                "prose": "Individual authenticators include, for example, passwords, tokens, biometrics, PKI\n               certificates, and key cards. Initial authenticator content is the actual content\n               (e.g., the initial password) as opposed to requirements about authenticator content\n               (e.g., minimum password length). In many cases, developers ship information system\n               components with factory default authentication credentials to allow for initial\n               installation and configuration. Default authentication credentials are often well\n               known, easily discoverable, and present a significant security risk. The requirement\n               to protect individual authenticators may be implemented via control PL-4 or PS-6 for\n               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28\n               for authenticators stored within organizational information systems (e.g., passwords\n               stored in hashed or encrypted formats, files containing encrypted or hashed passwords\n               accessible with administrator privileges). Information systems support individual\n               authenticator management by organization-defined settings and restrictions for\n               various authenticator characteristics including, for example, minimum password\n               length, password composition, validation time window for time synchronous one-time\n               tokens, and number of allowed rejections during the verification stage of biometric\n               authentication. Specific actions that can be taken to safeguard authenticators\n               include, for example, maintaining possession of individual authenticators, not\n               loaning or sharing individual authenticators with others, and reporting lost, stolen,\n               or compromised authenticators immediately. Authenticator management includes issuing\n               and revoking, when no longer needed, authenticators for temporary access such as that\n               required for remote maintenance. Device authenticators include, for example,\n               certificates and passwords.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  }
-                ]
-              },
-              {
-                "id": "ia-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization manages information system authenticators by: ",
-                "parts": [
-                  {
-                    "id": "ia-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(a)"
-                      }
-                    ],
-                    "prose": "verifying, as part of the initial authenticator distribution, the identity of:",
-                    "parts": [
-                      {
-                        "id": "ia-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "the individual receiving the authenticator;"
-                      },
-                      {
-                        "id": "ia-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "the group receiving the authenticator;"
-                      },
-                      {
-                        "id": "ia-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[3]"
-                          }
-                        ],
-                        "prose": "the role receiving the authenticator; and/or"
-                      },
-                      {
-                        "id": "ia-5.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[4]"
-                          }
-                        ],
-                        "prose": "the device receiving the authenticator;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(b)"
-                      }
-                    ],
-                    "prose": "establishing initial authenticator content for authenticators defined by the\n                  organization;"
-                  },
-                  {
-                    "id": "ia-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(c)"
-                      }
-                    ],
-                    "prose": "ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"
-                  },
-                  {
-                    "id": "ia-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[1]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for initial\n                     authenticator distribution;"
-                      },
-                      {
-                        "id": "ia-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[2]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for lost/compromised or\n                     damaged authenticators;"
-                      },
-                      {
-                        "id": "ia-5.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[3]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for revoking\n                     authenticators;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(e)"
-                      }
-                    ],
-                    "prose": "changing default content of authenticators prior to information system\n                  installation;"
-                  },
-                  {
-                    "id": "ia-5.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[1]"
-                          }
-                        ],
-                        "prose": "establishing minimum lifetime restrictions for authenticators;"
-                      },
-                      {
-                        "id": "ia-5.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[2]"
-                          }
-                        ],
-                        "prose": "establishing maximum lifetime restrictions for authenticators;"
-                      },
-                      {
-                        "id": "ia-5.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[3]"
-                          }
-                        ],
-                        "prose": "establishing reuse conditions for authenticators;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(g)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period (by authenticator type) for changing/refreshing\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(g)[2]"
-                          }
-                        ],
-                        "prose": "changing/refreshing authenticators with the organization-defined time period by\n                     authenticator type;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.h_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(h)"
-                      }
-                    ],
-                    "prose": "protecting authenticator content from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "ia-5.h_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(h)[1]"
-                          }
-                        ],
-                        "prose": "disclosure;"
-                      },
-                      {
-                        "id": "ia-5.h_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(h)[2]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.i_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(i)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.i_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(i)[1]"
-                          }
-                        ],
-                        "prose": "requiring individuals to take specific security safeguards to protect\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.i_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(i)[2]"
-                          }
-                        ],
-                        "prose": "having devices implement specific security safeguards to protect\n                     authenticators; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.j_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(j)"
-                      }
-                    ],
-                    "prose": "changing authenticators for group/role accounts when membership to those accounts\n                  changes."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system authenticator types\\n\\nchange control records associated with managing information system\n                  authenticators\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                  capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Password-based Authentication",
-                "parameters": [
-                  {
-                    "id": "ia-5.1_prm_1",
-                    "label": "organization-defined requirements for case sensitivity, number of characters,\n                  mix of upper-case letters, lower-case letters, numbers, and special characters,\n                  including minimum requirements for each type"
-                  },
-                  {
-                    "id": "ia-5.1_prm_2",
-                    "label": "organization-defined number",
-                    "constraints": [
-                      {
-                        "detail": "at least one"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_prm_3",
-                    "label": "organization-defined numbers for lifetime minimum, lifetime maximum"
-                  },
-                  {
-                    "id": "ia-5.1_prm_4",
-                    "label": "organization-defined number",
-                    "constraints": [
-                      {
-                        "detail": "twenty four"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "IA-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.1_smt",
-                    "name": "statement",
-                    "prose": "The information system, for password-based authentication:",
-                    "parts": [
-                      {
-                        "id": "ia-5.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Enforces minimum password complexity of {{ ia-5.1_prm_1 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Enforces at least the following number of changed characters when new passwords\n                     are created: {{ ia-5.1_prm_2 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Stores and transmits only cryptographically-protected passwords;"
-                      },
-                      {
-                        "id": "ia-5.1_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)"
-                          }
-                        ],
-                        "prose": "Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;\n                     and"
-                      },
-                      {
-                        "id": "ia-5.1_smt.f",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(f)"
-                          }
-                        ],
-                        "prose": "Allows the use of a temporary password for system logons with an immediate\n                     change to a permanent password."
-                      },
-                      {
-                        "id": "ia-5.1_fr",
-                        "name": "item",
-                        "title": "IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-5.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance (a) (d):"
-                              }
-                            ],
-                            "prose": "If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to single-factor authentication of individuals\n                  using passwords as individual or group authenticators, and in a similar manner,\n                  when passwords are part of multifactor authenticators. This control enhancement\n                  does not apply when passwords are used to unlock hardware authenticators (e.g.,\n                  Personal Identity Verification cards). The implementation of such password\n                  mechanisms may not meet all of the requirements in the enhancement.\n                  Cryptographically-protected passwords include, for example, encrypted versions of\n                  passwords and one-way cryptographic hashes of passwords. The number of changed\n                  characters refers to the number of changes required with respect to the total\n                  number of positions in the current password. Password lifetime restrictions do not\n                  apply to temporary passwords. To mitigate certain brute force attacks against\n                  passwords, organizations may also consider salting passwords.",
-                    "links": [
-                      {
-                        "href": "#ia-6",
-                        "rel": "related",
-                        "text": "IA-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if, for password-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for case sensitivity;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for number of characters;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[3]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for the mix of upper-case letters,\n                        lower-case letters, numbers and special characters;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[4]"
-                              }
-                            ],
-                            "prose": "the organization defines minimum requirements for each type of\n                        character;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.5",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[5]"
-                              }
-                            ],
-                            "prose": "the information system enforces minimum password complexity of\n                        organization-defined requirements for case sensitivity, number of\n                        characters, mix of upper-case letters, lower-case letters, numbers, and\n                        special characters, including minimum requirements for each type;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.a",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines a minimum number of changed characters to be\n                        enforced when new passwords are created;"
-                          },
-                          {
-                            "id": "ia-5.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "the information system enforces at least the organization-defined minimum\n                        number of characters that must be changed when new passwords are\n                        created;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.b",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(c)"
-                          }
-                        ],
-                        "prose": "the information system stores and transmits only encrypted representations of\n                     passwords;",
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.c",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(d)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.d_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines numbers for password minimum lifetime restrictions\n                        to be enforced for passwords;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines numbers for password maximum lifetime restrictions\n                        to be enforced for passwords;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[3]"
-                              }
-                            ],
-                            "prose": "the information system enforces password minimum lifetime restrictions of\n                        organization-defined numbers for lifetime minimum;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[4]"
-                              }
-                            ],
-                            "prose": "the information system enforces password maximum lifetime restrictions of\n                        organization-defined numbers for lifetime maximum;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.d",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(d)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.e_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(e)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.e_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(e)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the number of password generations to be prohibited\n                        from password reuse;"
-                          },
-                          {
-                            "id": "ia-5.1.e_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(e)[2]"
-                              }
-                            ],
-                            "prose": "the information system prohibits password reuse for the organization-defined\n                        number of generations; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.e",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(e)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.f_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(f)"
-                          }
-                        ],
-                        "prose": "the information system allows the use of a temporary password for system logons\n                     with an immediate change to a permanent password.",
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.f",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(f)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\npassword policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\npassword configurations and associated documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.11",
-                "class": "SP800-53-enhancement",
-                "title": "Hardware Token-based Authentication",
-                "parameters": [
-                  {
-                    "id": "ia-5.11_prm_1",
-                    "label": "organization-defined token quality requirements"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(11)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.11"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.11_smt",
-                    "name": "statement",
-                    "prose": "The information system, for hardware token-based authentication, employs\n                  mechanisms that satisfy {{ ia-5.11_prm_1 }}."
-                  },
-                  {
-                    "id": "ia-5.11_gdn",
-                    "name": "guidance",
-                    "prose": "Hardware token-based authentication typically refers to the use of PKI-based\n                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.\n                  Organizations define specific requirements for tokens, such as working with a\n                  particular PKI."
-                  },
-                  {
-                    "id": "ia-5.11_obj",
-                    "name": "objective",
-                    "prose": "Determine if, for hardware token-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.11_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(11)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines token quality requirements to be satisfied; and"
-                      },
-                      {
-                        "id": "ia-5.11_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(11)[2]"
-                          }
-                        ],
-                        "prose": "the information system employs mechanisms that satisfy organization-defined\n                     token quality requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nautomated mechanisms employing hardware token-based authentication for the\n                     information system\\n\\nlist of token quality requirements\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing hardware token-based\n                     authenticator management capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-6",
-            "class": "SP800-53",
-            "title": "Authenticator Feedback",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-6_smt",
-                "name": "statement",
-                "prose": "The information system obscures feedback of authentication information during the\n               authentication process to protect the information from possible exploitation/use by\n               unauthorized individuals."
-              },
-              {
-                "id": "ia-6_gdn",
-                "name": "guidance",
-                "prose": "The feedback from information systems does not provide information that would allow\n               unauthorized individuals to compromise authentication mechanisms. For some types of\n               information systems or system components, for example, desktops/notebooks with\n               relatively large monitors, the threat (often referred to as shoulder surfing) may be\n               significant. For other types of systems or components, for example, mobile devices\n               with 2-4 inch screens, this threat may be less significant, and may need to be\n               balanced against the increased likelihood of typographic input errors due to the\n               small keyboards. Therefore, the means for obscuring the authenticator feedback is\n               selected accordingly. Obscuring the feedback of authentication information includes,\n               for example, displaying asterisks when users type passwords into input devices, or\n               displaying feedback for a very limited time before fully obscuring it.",
-                "links": [
-                  {
-                    "href": "#pe-18",
-                    "rel": "related",
-                    "text": "PE-18"
-                  }
-                ]
-              },
-              {
-                "id": "ia-6_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system obscures feedback of authentication information\n               during the authentication process to protect the information from possible\n               exploitation/use by unauthorized individuals."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator feedback\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing the obscuring of feedback of\n                  authentication information during authentication"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-7",
-            "class": "SP800-53",
-            "title": "Cryptographic Module Authentication",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-                "rel": "reference",
-                "text": "FIPS Publication 140"
-              },
-              {
-                "href": "#b09d1a31-d3c9-4138-a4f4-4c63816afd7d",
-                "rel": "reference",
-                "text": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-7_smt",
-                "name": "statement",
-                "prose": "The information system implements mechanisms for authentication to a cryptographic\n               module that meet the requirements of applicable federal laws, Executive Orders,\n               directives, policies, regulations, standards, and guidance for such\n               authentication."
-              },
-              {
-                "id": "ia-7_gdn",
-                "name": "guidance",
-                "prose": "Authentication mechanisms may be required within a cryptographic module to\n               authenticate an operator accessing the module and to verify that the operator is\n               authorized to assume the requested role and perform services within that role.",
-                "links": [
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "ia-7_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system implements mechanisms for authentication to a\n               cryptographic module that meet the requirements of applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and guidance for such\n               authentication."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing cryptographic module authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for cryptographic module\n                  authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic module\n                  authentication"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-8",
-            "class": "SP800-53",
-            "title": "Identification and Authentication (non-organizational Users)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#599fe9ba-4750-4450-9eeb-b95bd19a5e8f",
-                "rel": "reference",
-                "text": "OMB Memorandum 10-06-2011"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-116"
-              },
-              {
-                "href": "#654f21e2-f3bc-43b2-abdc-60ab8d09744b",
-                "rel": "reference",
-                "text": "National Strategy for Trusted Identities in\n            Cyberspace"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-8_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates non-organizational users\n               (or processes acting on behalf of non-organizational users)."
-              },
-              {
-                "id": "ia-8_gdn",
-                "name": "guidance",
-                "prose": "Non-organizational users include information system users other than organizational\n               users explicitly covered by IA-2. These individuals are uniquely identified and\n               authenticated for accesses other than those accesses explicitly identified and\n               documented in AC-14. In accordance with the E-Authentication E-Government initiative,\n               authentication of non-organizational users accessing federal information systems may\n               be required to protect federal, proprietary, or privacy-related information (with\n               exceptions noted for national security systems). Organizations use risk assessments\n               to determine authentication needs and consider scalability, practicality, and\n               security in balancing the need to ensure ease of use for access to federal\n               information and information systems with the need to protect and adequately mitigate\n               risk. IA-2 addresses identification and authentication requirements for access to\n               information systems by organizational users.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  }
-                ]
-              },
-              {
-                "id": "ia-8_obj",
-                "name": "objective",
-                "prose": "Determine if the information system uniquely identifies and authenticates\n               non-organizational users (or processes acting on behalf of non-organizational\n               users)."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of PIV Credentials from Other Agencies",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.1_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials from other federal agencies."
-                  },
-                  {
-                    "id": "ia-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to logical access control systems (LACS) and\n                  physical access control systems (PACS). Personal Identity Verification (PIV)\n                  credentials are those credentials issued by federal agencies that conform to FIPS\n                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires\n                  federal agencies to continue implementing the requirements specified in HSPD-12 to\n                  enable agency-wide use of PIV credentials.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system: ",
-                    "parts": [
-                      {
-                        "id": "ia-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(1)[1]"
-                          }
-                        ],
-                        "prose": "accepts Personal Identity Verification (PIV) credentials from other agencies;\n                     and"
-                      },
-                      {
-                        "id": "ia-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(1)[2]"
-                          }
-                        ],
-                        "prose": "electronically verifies Personal Identity Verification (PIV) credentials from\n                     other agencies."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept and verify PIV credentials"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of Third-party Credentials",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.2_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts only FICAM-approved third-party credentials."
-                  },
-                  {
-                    "id": "ia-8.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement typically applies to organizational information systems\n                  that are accessible to the general public, for example, public-facing websites.\n                  Third-party credentials are those credentials issued by nonfederal government\n                  entities approved by the Federal Identity, Credential, and Access Management\n                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials\n                  meet or exceed the set of minimum federal government-wide technical, security,\n                  privacy, and organizational maturity requirements. This allows federal government\n                  relying parties to trust such credentials at their approved assurance levels.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system accepts only FICAM-approved third-party\n                  credentials. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-approved, third-party credentialing products, components, or\n                     services procured and implemented by organization\\n\\nthird-party credential verification records\\n\\nevidence of FICAM-approved third-party credentials\\n\\nthird-party credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept FICAM-approved credentials"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.3",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Ficam-approved Products",
-                "parameters": [
-                  {
-                    "id": "ia-8.3_prm_1",
-                    "label": "organization-defined information systems"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs only FICAM-approved information system components in\n                     {{ ia-8.3_prm_1 }} to accept third-party credentials."
-                  },
-                  {
-                    "id": "ia-8.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement typically applies to information systems that are\n                  accessible to the general public, for example, public-facing websites.\n                  FICAM-approved information system components include, for example, information\n                  technology products and software libraries that have been approved by the Federal\n                  Identity, Credential, and Access Management conformance program.",
-                    "links": [
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-8.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(3)[1]"
-                          }
-                        ],
-                        "prose": "defines information systems in which only FICAM-approved information system\n                     components are to be employed to accept third-party credentials; and"
-                      },
-                      {
-                        "id": "ia-8.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(3)[2]"
-                          }
-                        ],
-                        "prose": "employs only FICAM-approved information system components in\n                     organization-defined information systems to accept third-party credentials."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nthird-party credential validations\\n\\nthird-party credential authorizations\\n\\nthird-party credential records\\n\\nlist of FICAM-approved information system components procured and implemented\n                     by organization\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information system security, acquisition, and\n                     contracting responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.4",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Ficam-issued Profiles",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.4_smt",
-                    "name": "statement",
-                    "prose": "The information system conforms to FICAM-issued profiles."
-                  },
-                  {
-                    "id": "ia-8.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement addresses open identity management standards. To ensure\n                  that these standards are viable, robust, reliable, sustainable (e.g., available in\n                  commercial information technology products), and interoperable as documented, the\n                  United States Government assesses and scopes identity management standards and\n                  technology implementations against applicable federal legislation, directives,\n                  policies, and requirements. The result is FICAM-issued implementation profiles of\n                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and\n                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute\n                  Exchange).",
-                    "links": [
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system conforms to FICAM-issued profiles. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-issued profiles and associated, approved protocols\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing conformance with\n                     FICAM-issued profiles"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ir",
-        "class": "family",
-        "title": "Incident Response",
-        "controls": [
-          {
-            "id": "ir-1",
-            "class": "SP800-53",
-            "title": "Incident Response Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ir-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ir-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ir-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An incident response policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ir-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the incident response policy and\n                     associated incident response controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ir-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Incident response policy {{ ir-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ir-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Incident response procedures {{ ir-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IR\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an incident response policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ir-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ir-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the incident response policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ir-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the incident response policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        incident response policy and associated incident response controls;"
-                          },
-                          {
-                            "id": "ir-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ir-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current incident response\n                        policy;"
-                          },
-                          {
-                            "id": "ir-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current incident response policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current incident response\n                        procedures; and"
-                          },
-                          {
-                            "id": "ir-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current incident response procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-2",
-            "class": "SP800-53",
-            "title": "Incident Response Training",
-            "parameters": [
-              {
-                "id": "ir-2_prm_1",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "ir-2_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-2_smt",
-                "name": "statement",
-                "prose": "The organization provides incident response training to information system users\n               consistent with assigned roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "ir-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Within {{ ir-2_prm_1 }} of assuming an incident response role or\n                  responsibility;"
-                  },
-                  {
-                    "id": "ir-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "ir-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ ir-2_prm_2 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_gdn",
-                "name": "guidance",
-                "prose": "Incident response training provided by organizations is linked to the assigned roles\n               and responsibilities of organizational personnel to ensure the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know who to call or how to recognize an incident on the information system;\n               system administrators may require additional training on how to handle/remediate\n               incidents; and incident responders may receive more specific training on forensics,\n               reporting, system recovery, and restoration. Incident response training includes user\n               training in the identification and reporting of suspicious activities, both from\n               external and internal sources.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-3",
-                    "rel": "related",
-                    "text": "CP-3"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which incident response training is to be provided\n                     to information system users assuming an incident response role or\n                     responsibility;"
-                      },
-                      {
-                        "id": "ir-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(a)[2]"
-                          }
-                        ],
-                        "prose": "provides incident response training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming an incident response role or responsibility;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-2(b)"
-                      }
-                    ],
-                    "prose": "provides incident response training to information system users consistent with\n                  assigned roles and responsibilities when required by information system\n                  changes;"
-                  },
-                  {
-                    "id": "ir-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher incident response training to\n                     information system users consistent with assigned roles or responsibilities;\n                     and"
-                      },
-                      {
-                        "id": "ir-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(c)[2]"
-                          }
-                        ],
-                        "prose": "after the initial incident response training, provides refresher incident\n                     response training to information system users consistent with assigned roles\n                     and responsibilities in accordance with the organization-defined frequency to\n                     provide refresher training."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nsecurity plan\\n\\nincident response plan\\n\\nsecurity plan\\n\\nincident response training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response training and operational\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-4",
-            "class": "SP800-53",
-            "title": "Incident Handling",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Implements an incident handling capability for security incidents that includes\n                  preparation, detection and analysis, containment, eradication, and recovery;"
-                  },
-                  {
-                    "id": "ir-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Coordinates incident handling activities with contingency planning activities;\n                  and"
-                  },
-                  {
-                    "id": "ir-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Incorporates lessons learned from ongoing incident handling activities into\n                  incident response procedures, training, and testing, and implements the resulting\n                  changes accordingly."
-                  },
-                  {
-                    "id": "ir-4_fr",
-                    "name": "item",
-                    "title": "IR-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-4_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_gdn",
-                "name": "guidance",
-                "prose": "Organizations recognize that incident response capability is dependent on the\n               capabilities of organizational information systems and the mission/business processes\n               being supported by those systems. Therefore, organizations consider incident response\n               as part of the definition, design, and development of mission/business processes and\n               information systems. Incident-related information can be obtained from a variety of\n               sources including, for example, audit monitoring, network monitoring, physical access\n               monitoring, user/administrator reports, and reported supply chain events. Effective\n               incident handling capability includes coordination among many organizational entities\n               including, for example, mission/business owners, information system owners,\n               authorizing officials, human resources offices, physical and personnel security\n               offices, legal departments, operations personnel, procurement offices, and the risk\n               executive (function).",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-4",
-                    "rel": "related",
-                    "text": "CP-4"
-                  },
-                  {
-                    "href": "#ir-2",
-                    "rel": "related",
-                    "text": "IR-2"
-                  },
-                  {
-                    "href": "#ir-3",
-                    "rel": "related",
-                    "text": "IR-3"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-4(a)"
-                      }
-                    ],
-                    "prose": "implements an incident handling capability for security incidents that\n                  includes:",
-                    "parts": [
-                      {
-                        "id": "ir-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[1]"
-                          }
-                        ],
-                        "prose": "preparation;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[2]"
-                          }
-                        ],
-                        "prose": "detection and analysis;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[3]"
-                          }
-                        ],
-                        "prose": "containment;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[4]"
-                          }
-                        ],
-                        "prose": "eradication;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[5]"
-                          }
-                        ],
-                        "prose": "recovery;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-4(b)"
-                      }
-                    ],
-                    "prose": "coordinates incident handling activities with contingency planning activities;"
-                  },
-                  {
-                    "id": "ir-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(c)[1]"
-                          }
-                        ],
-                        "prose": "incorporates lessons learned from ongoing incident handling activities\n                     into:",
-                        "parts": [
-                          {
-                            "id": "ir-4.c_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][a]"
-                              }
-                            ],
-                            "prose": "incident response procedures;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][b]"
-                              }
-                            ],
-                            "prose": "training;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][c]"
-                              }
-                            ],
-                            "prose": "testing/exercises;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(c)[2]"
-                          }
-                        ],
-                        "prose": "implements the resulting changes accordingly to:",
-                        "parts": [
-                          {
-                            "id": "ir-4.c_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][a]"
-                              }
-                            ],
-                            "prose": "incident response procedures;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][b]"
-                              }
-                            ],
-                            "prose": "training; and"
-                          },
-                          {
-                            "id": "ir-4.c_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][c]"
-                              }
-                            ],
-                            "prose": "testing/exercises."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident handling capability for the organization"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-5",
-            "class": "SP800-53",
-            "title": "Incident Monitoring",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-5_smt",
-                "name": "statement",
-                "prose": "The organization tracks and documents information system security incidents."
-              },
-              {
-                "id": "ir-5_gdn",
-                "name": "guidance",
-                "prose": "Documenting information system security incidents includes, for example, maintaining\n               records about each incident, the status of the incident, and other pertinent\n               information necessary for forensics, evaluating incident details, trends, and\n               handling. Incident information can be obtained from a variety of sources including,\n               for example, incident reports, incident response teams, audit monitoring, network\n               monitoring, physical access monitoring, and user/administrator reports.",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "ir-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-5[1]"
-                      }
-                    ],
-                    "prose": "tracks information system security incidents; and"
-                  },
-                  {
-                    "id": "ir-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-5[2]"
-                      }
-                    ],
-                    "prose": "documents information system security incidents."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nincident response records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident monitoring capability for the organization\\n\\nautomated mechanisms supporting and/or implementing tracking and documenting of\n                  system security incidents"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-6",
-            "class": "SP800-53",
-            "title": "Incident Reporting",
-            "parameters": [
-              {
-                "id": "ir-6_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_prm_2",
-                "label": "organization-defined authorities"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#02631467-668b-4233-989b-3dfded2fd184",
-                "rel": "reference",
-                "text": "http://www.us-cert.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires personnel to report suspected security incidents to the organizational\n                  incident response capability within {{ ir-6_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ir-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reports security incident information to {{ ir-6_prm_2 }}."
-                  },
-                  {
-                    "id": "ir-6_fr",
-                    "name": "item",
-                    "title": "IR-6 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Report security incident information according to FedRAMP Incident Communications Procedure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_gdn",
-                "name": "guidance",
-                "prose": "The intent of this control is to address both specific incident reporting\n               requirements within an organization and the formal incident reporting requirements\n               for federal agencies and their subordinate organizations. Suspected security\n               incidents include, for example, the receipt of suspicious email communications that\n               can potentially contain malicious code. The types of security incidents reported, the\n               content and timeliness of the reports, and the designated reporting authorities\n               reflect applicable federal laws, Executive Orders, directives, regulations, policies,\n               standards, and guidance. Current federal policy requires that all federal agencies\n               (unless specifically exempted from such requirements) report security incidents to\n               the United States Computer Emergency Readiness Team (US-CERT) within specified time\n               frames designated in the US-CERT Concept of Operations for Federal Cyber Security\n               Incident Handling.",
-                "links": [
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-5",
-                    "rel": "related",
-                    "text": "IR-5"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which personnel report suspected security\n                     incidents to the organizational incident response capability;"
-                      },
-                      {
-                        "id": "ir-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(a)[2]"
-                          }
-                        ],
-                        "prose": "requires personnel to report suspected security incidents to the organizational\n                     incident response capability within the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines authorities to whom security incident information is to be reported;\n                     and"
-                      },
-                      {
-                        "id": "ir-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reports security incident information to organization-defined authorities."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nincident reporting records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel who have/should have reported incidents\\n\\npersonnel (authorities) to whom incident information is to be reported"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing incident reporting"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-7",
-            "class": "SP800-53",
-            "title": "Incident Response Assistance",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-07"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-7_smt",
-                "name": "statement",
-                "prose": "The organization provides an incident response support resource, integral to the\n               organizational incident response capability that offers advice and assistance to\n               users of the information system for the handling and reporting of security\n               incidents."
-              },
-              {
-                "id": "ir-7_gdn",
-                "name": "guidance",
-                "prose": "Incident response support resources provided by organizations include, for example,\n               help desks, assistance groups, and access to forensics services, when required.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-6",
-                    "rel": "related",
-                    "text": "IR-6"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  }
-                ]
-              },
-              {
-                "id": "ir-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization provides an incident response support resource:",
-                "parts": [
-                  {
-                    "id": "ir-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-7[1]"
-                      }
-                    ],
-                    "prose": "that is integral to the organizational incident response capability; and"
-                  },
-                  {
-                    "id": "ir-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-7[2]"
-                      }
-                    ],
-                    "prose": "that offers advice and assistance to users of the information system for the\n                  handling and reporting of security incidents."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response assistance and support\n                  responsibilities\\n\\norganizational personnel with access to incident response support and assistance\n                  capability\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing incident response\n                  assistance"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-8",
-            "class": "SP800-53",
-            "title": "Incident Response Plan",
-            "parameters": [
-              {
-                "id": "ir-8_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-8_prm_2",
-                "label": "organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_prm_4",
-                "label": "organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops an incident response plan that:",
-                    "parts": [
-                      {
-                        "id": "ir-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Provides the organization with a roadmap for implementing its incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Describes the structure and organization of the incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Meets the unique requirements of the organization, which relate to mission,\n                     size, structure, and functions;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Defines reportable incidents;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Provides metrics for measuring the incident response capability within the\n                     organization;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.7",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "7."
-                          }
-                        ],
-                        "prose": "Defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability; and"
-                      },
-                      {
-                        "id": "ir-8_smt.a.8",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "8."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by {{ ir-8_prm_1 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the incident response plan to {{ ir-8_prm_2 }};"
-                  },
-                  {
-                    "id": "ir-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the incident response plan {{ ir-8_prm_3 }};"
-                  },
-                  {
-                    "id": "ir-8_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan implementation, execution, or testing;"
-                  },
-                  {
-                    "id": "ir-8_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Communicates incident response plan changes to {{ ir-8_prm_4 }};\n                  and"
-                  },
-                  {
-                    "id": "ir-8_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Protects the incident response plan from unauthorized disclosure and\n                  modification."
-                  },
-                  {
-                    "id": "ir-8_fr",
-                    "name": "item",
-                    "title": "IR-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-8_fr_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                      },
-                      {
-                        "id": "ir-8_fr_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_gdn",
-                "name": "guidance",
-                "prose": "It is important that organizations develop and implement a coordinated approach to\n               incident response. Organizational missions, business functions, strategies, goals,\n               and objectives for incident response help to determine the structure of incident\n               response capabilities. As part of a comprehensive incident response capability,\n               organizations consider the coordination and sharing of information with external\n               organizations, including, for example, external service providers and organizations\n               involved in the supply chain for organizational information systems.",
-                "links": [
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(a)"
-                      }
-                    ],
-                    "prose": "develops an incident response plan that:",
-                    "parts": [
-                      {
-                        "id": "ir-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(1)"
-                          }
-                        ],
-                        "prose": "provides the organization with a roadmap for implementing its incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(2)"
-                          }
-                        ],
-                        "prose": "describes the structure and organization of the incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(3)"
-                          }
-                        ],
-                        "prose": "provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"
-                      },
-                      {
-                        "id": "ir-8.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(4)"
-                          }
-                        ],
-                        "prose": "meets the unique requirements of the organization, which relate to:",
-                        "parts": [
-                          {
-                            "id": "ir-8.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "mission;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "size;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[3]"
-                              }
-                            ],
-                            "prose": "structure;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[4]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(5)"
-                          }
-                        ],
-                        "prose": "defines reportable incidents;"
-                      },
-                      {
-                        "id": "ir-8.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(6)"
-                          }
-                        ],
-                        "prose": "provides metrics for measuring the incident response capability within the\n                     organization;"
-                      },
-                      {
-                        "id": "ir-8.a.7_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(7)"
-                          }
-                        ],
-                        "prose": "defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability;"
-                      },
-                      {
-                        "id": "ir-8.a.8_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(8)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.a.8_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(8)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to review and approve the incident response\n                        plan;"
-                          },
-                          {
-                            "id": "ir-8.a.8_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(8)[2]"
-                              }
-                            ],
-                            "prose": "is reviewed and approved by organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(b)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.b_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(b)[1][a]"
-                              }
-                            ],
-                            "prose": "defines incident response personnel (identified by name and/or by role) to\n                        whom copies of the incident response plan are to be distributed;"
-                          },
-                          {
-                            "id": "ir-8.b_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(b)[1][b]"
-                              }
-                            ],
-                            "prose": "defines organizational elements to whom copies of the incident response plan\n                        are to be distributed;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the incident response plan to organization-defined\n                     incident response personnel (identified by name and/or by role) and\n                     organizational elements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the incident response plan;"
-                      },
-                      {
-                        "id": "ir-8.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the incident response plan with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-8(d)"
-                      }
-                    ],
-                    "prose": "updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan:",
-                    "parts": [
-                      {
-                        "id": "ir-8.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[1]"
-                          }
-                        ],
-                        "prose": "implementation;"
-                      },
-                      {
-                        "id": "ir-8.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[2]"
-                          }
-                        ],
-                        "prose": "execution; or"
-                      },
-                      {
-                        "id": "ir-8.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[3]"
-                          }
-                        ],
-                        "prose": "testing;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(e)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.e_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(e)[1][a]"
-                              }
-                            ],
-                            "prose": "defines incident response personnel (identified by name and/or by role) to\n                        whom incident response plan changes are to be communicated;"
-                          },
-                          {
-                            "id": "ir-8.e_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(e)[1][b]"
-                              }
-                            ],
-                            "prose": "defines organizational elements to whom incident response plan changes are\n                        to be communicated;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(e)[2]"
-                          }
-                        ],
-                        "prose": "communicates incident response plan changes to organization-defined incident\n                     response personnel (identified by name and/or by role) and organizational\n                     elements; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-8(f)"
-                      }
-                    ],
-                    "prose": "protects the incident response plan from unauthorized disclosure and\n                  modification."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response planning\\n\\nincident response plan\\n\\nrecords of incident response plan reviews and approvals\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational incident response plan and related organizational processes"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ma",
-        "class": "family",
-        "title": "Maintenance",
-        "controls": [
-          {
-            "id": "ma-1",
-            "class": "SP800-53",
-            "title": "System Maintenance Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ma-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ma-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ma-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ma-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system maintenance policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ma-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system maintenance policy\n                     and associated system maintenance controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ma-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System maintenance policy {{ ma-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ma-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System maintenance procedures {{ ma-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ma-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system maintenance policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ma-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ma-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system maintenance policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ma-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system maintenance policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        maintenance policy and associated system maintenance controls;"
-                          },
-                          {
-                            "id": "ma-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ma-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system maintenance\n                        policy;"
-                          },
-                          {
-                            "id": "ma-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system maintenance policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system maintenance\n                        procedures; and"
-                          },
-                          {
-                            "id": "ma-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system maintenance procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Maintenance policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-2",
-            "class": "SP800-53",
-            "title": "Controlled Maintenance",
-            "parameters": [
-              {
-                "id": "ma-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ma-2_prm_2",
-                "label": "organization-defined maintenance-related information"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Schedules, performs, documents, and reviews records of maintenance and repairs on\n                  information system components in accordance with manufacturer or vendor\n                  specifications and/or organizational requirements;"
-                  },
-                  {
-                    "id": "ma-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Approves and monitors all maintenance activities, whether performed on site or\n                  remotely and whether the equipment is serviced on site or removed to another\n                  location;"
-                  },
-                  {
-                    "id": "ma-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Requires that {{ ma-2_prm_1 }} explicitly approve the removal of\n                  the information system or system components from organizational facilities for\n                  off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions; and"
-                  },
-                  {
-                    "id": "ma-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Includes {{ ma-2_prm_2 }} in organizational maintenance\n                  records."
-                  }
-                ]
-              },
-              {
-                "id": "ma-2_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the information security aspects of the information system\n               maintenance program and applies to all types of maintenance to any system component\n               (including applications) conducted by any local or nonlocal entity (e.g.,\n               in-contract, warranty, in-house, software maintenance agreement). System maintenance\n               also includes those components not directly associated with information processing\n               and/or data/information retention such as scanners, copiers, and printers.\n               Information necessary for creating effective maintenance records includes, for\n               example: (i) date and time of maintenance; (ii) name of individuals or group\n               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of\n               the maintenance performed; and (v) information system components/equipment removed or\n               replaced (including identification numbers, if applicable). The level of detail\n               included in maintenance records can be informed by the security categories of\n               organizational information systems. Organizations consider supply chain issues\n               associated with replacement components for information systems.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "ma-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ma-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[1]"
-                          }
-                        ],
-                        "prose": "schedules maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[1][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[1][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[2]"
-                          }
-                        ],
-                        "prose": "performs maintenance and repairs on information system components in accordance\n                     with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[2][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[2][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[3]"
-                          }
-                        ],
-                        "prose": "documents maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[3][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[3][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[4]"
-                          }
-                        ],
-                        "prose": "reviews records of maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[4][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[4][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "approves all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"
-                      },
-                      {
-                        "id": "ma-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "monitors all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles required to explicitly approve the removal of the\n                     information system or system components from organizational facilities for\n                     off-site maintenance or repairs;"
-                      },
-                      {
-                        "id": "ma-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(c)[2]"
-                          }
-                        ],
-                        "prose": "requires that organization-defined personnel or roles explicitly approve the\n                     removal of the information system or system components from organizational\n                     facilities for off-site maintenance or repairs;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-2(d)"
-                      }
-                    ],
-                    "prose": "sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-2(e)"
-                      }
-                    ],
-                    "prose": "checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions;"
-                  },
-                  {
-                    "id": "ma-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines maintenance-related information to be included in organizational\n                     maintenance records; and"
-                      },
-                      {
-                        "id": "ma-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(f)[2]"
-                          }
-                        ],
-                        "prose": "includes organization-defined maintenance-related information in organizational\n                     maintenance records."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nmaintenance records\\n\\nmanufacturer/vendor maintenance specifications\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for scheduling, performing, documenting, reviewing,\n                  approving, and monitoring maintenance and repairs for the information system\\n\\norganizational processes for sanitizing information system components\\n\\nautomated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms implementing sanitization of information system\n                  components"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-4",
-            "class": "SP800-53",
-            "title": "Nonlocal Maintenance",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-                "rel": "reference",
-                "text": "FIPS Publication 197"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              },
-              {
-                "href": "#a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-                "rel": "reference",
-                "text": "CNSS Policy 15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Approves and monitors nonlocal maintenance and diagnostic activities;"
-                  },
-                  {
-                    "id": "ma-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Allows the use of nonlocal maintenance and diagnostic tools only as consistent\n                  with organizational policy and documented in the security plan for the information\n                  system;"
-                  },
-                  {
-                    "id": "ma-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"
-                  },
-                  {
-                    "id": "ma-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Maintains records for nonlocal maintenance and diagnostic activities; and"
-                  },
-                  {
-                    "id": "ma-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Terminates session and network connections when nonlocal maintenance is\n                  completed."
-                  }
-                ]
-              },
-              {
-                "id": "ma-4_gdn",
-                "name": "guidance",
-                "prose": "Nonlocal maintenance and diagnostic activities are those activities conducted by\n               individuals communicating through a network, either an external network (e.g., the\n               Internet) or an internal network. Local maintenance and diagnostic activities are\n               those activities carried out by individuals physically present at the information\n               system or information system component and not communicating across a network\n               connection. Authentication techniques used in the establishment of nonlocal\n               maintenance and diagnostic sessions reflect the network access requirements in IA-2.\n               Typically, strong authentication requires authenticators that are resistant to replay\n               attacks and employ multifactor authentication. Strong authenticators include, for\n               example, PKI where certificates are stored on a token protected by a password,\n               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by\n               other controls.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  }
-                ]
-              },
-              {
-                "id": "ma-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(a)[1]"
-                          }
-                        ],
-                        "prose": "approves nonlocal maintenance and diagnostic activities;"
-                      },
-                      {
-                        "id": "ma-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors nonlocal maintenance and diagnostic activities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(b)"
-                      }
-                    ],
-                    "prose": "allows the use of nonlocal maintenance and diagnostic tools only:",
-                    "parts": [
-                      {
-                        "id": "ma-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(b)[1]"
-                          }
-                        ],
-                        "prose": "as consistent with organizational policy;"
-                      },
-                      {
-                        "id": "ma-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(b)[2]"
-                          }
-                        ],
-                        "prose": "as documented in the security plan for the information system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(c)"
-                      }
-                    ],
-                    "prose": "employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"
-                  },
-                  {
-                    "id": "ma-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(d)"
-                      }
-                    ],
-                    "prose": "maintains records for nonlocal maintenance and diagnostic activities;"
-                  },
-                  {
-                    "id": "ma-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-4.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(e)[1]"
-                          }
-                        ],
-                        "prose": "terminates sessions when nonlocal maintenance or diagnostics is completed;\n                     and"
-                      },
-                      {
-                        "id": "ma-4.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(e)[2]"
-                          }
-                        ],
-                        "prose": "terminates network connections when nonlocal maintenance or diagnostics is\n                     completed."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing nonlocal maintenance\\n\\nautomated mechanisms implementing, supporting, and/or managing nonlocal\n                  maintenance\\n\\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic\n                  sessions\\n\\nautomated mechanisms for terminating nonlocal maintenance sessions and network\n                  connections"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-5",
-            "class": "SP800-53",
-            "title": "Maintenance Personnel",
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes a process for maintenance personnel authorization and maintains a list\n                  of authorized maintenance organizations or personnel;"
-                  },
-                  {
-                    "id": "ma-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"
-                  },
-                  {
-                    "id": "ma-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."
-                  }
-                ]
-              },
-              {
-                "id": "ma-5_gdn",
-                "name": "guidance",
-                "prose": "This control applies to individuals performing hardware or software maintenance on\n               organizational information systems, while PE-2 addresses physical access for\n               individuals whose maintenance duties place them within the physical protection\n               perimeter of the systems (e.g., custodial staff, physical plant maintenance\n               personnel). Technical competence of supervising individuals relates to the\n               maintenance performed on the information systems while having required access\n               authorizations refers to maintenance on and near the systems. Individuals not\n               previously identified as authorized maintenance personnel, such as information\n               technology manufacturers, vendors, systems integrators, and consultants, may require\n               privileged access to organizational information systems, for example, when required\n               to conduct maintenance activities with little or no notice. Based on organizational\n               assessments of risk, organizations may issue temporary credentials to these\n               individuals. Temporary credentials may be for one-time use or for very limited time\n               periods.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "ma-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes a process for maintenance personnel authorization;"
-                      },
-                      {
-                        "id": "ma-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "maintains a list of authorized maintenance organizations or personnel;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-5(b)"
-                      }
-                    ],
-                    "prose": "ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"
-                  },
-                  {
-                    "id": "ma-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-5(c)"
-                      }
-                    ],
-                    "prose": "designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\nlist of authorized personnel\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for authorizing and managing maintenance personnel\\n\\nautomated mechanisms supporting and/or implementing authorization of maintenance\n                  personnel"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "mp",
-        "class": "family",
-        "title": "Media Protection",
-        "controls": [
-          {
-            "id": "mp-1",
-            "class": "SP800-53",
-            "title": "Media Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "mp-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "mp-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MP-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ mp-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "mp-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A media protection policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "mp-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the media protection policy and\n                     associated media protection controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "mp-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Media protection policy {{ mp-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "mp-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Media protection procedures {{ mp-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "mp-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a media protection policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "mp-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "mp-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the media protection policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "mp-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the media protection policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        media protection policy and associated media protection controls;"
-                          },
-                          {
-                            "id": "mp-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "mp-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current media protection\n                        policy;"
-                          },
-                          {
-                            "id": "mp-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current media protection policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current media protection\n                        procedures; and"
-                          },
-                          {
-                            "id": "mp-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current media protection procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Media protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with media protection responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-2",
-            "class": "SP800-53",
-            "title": "Media Access",
-            "parameters": [
-              {
-                "id": "mp-2_prm_1",
-                "label": "organization-defined types of digital and/or non-digital media"
-              },
-              {
-                "id": "mp-2_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-2_smt",
-                "name": "statement",
-                "prose": "The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."
-              },
-              {
-                "id": "mp-2_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Restricting non-digital media access\n               includes, for example, denying access to patient medical records in a community\n               hospital unless the individuals seeking access to such records are authorized\n               healthcare providers. Restricting access to digital media includes, for example,\n               limiting access to design specifications stored on compact disks in the media library\n               to the project leader and the individuals on the development team.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  }
-                ]
-              },
-              {
-                "id": "mp-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-2_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[1]"
-                      }
-                    ],
-                    "prose": "defines types of digital and/or non-digital media requiring restricted access;"
-                  },
-                  {
-                    "id": "mp-2_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[2]"
-                      }
-                    ],
-                    "prose": "defines personnel or roles authorized to access organization-defined types of\n                  digital and/or non-digital media; and"
-                  },
-                  {
-                    "id": "mp-2_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[3]"
-                      }
-                    ],
-                    "prose": "restricts access to organization-defined types of digital and/or non-digital media\n                  to organization-defined personnel or roles."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media access restrictions\\n\\naccess control policy and procedures\\n\\nphysical and environmental protection policy and procedures\\n\\nmedia storage facilities\\n\\naccess control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for restricting information media\\n\\nautomated mechanisms supporting and/or implementing media access restrictions"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-6",
-            "class": "SP800-53",
-            "title": "Media Sanitization",
-            "parameters": [
-              {
-                "id": "mp-6_prm_1",
-                "label": "organization-defined information system media"
-              },
-              {
-                "id": "mp-6_prm_2",
-                "label": "organization-defined sanitization techniques and procedures"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              },
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              },
-              {
-                "href": "#a47466c4-c837-4f06-a39f-e68412a5f73d",
-                "rel": "reference",
-                "text": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of\n                  organizational control, or release for reuse using {{ mp-6_prm_2 }}\n                  in accordance with applicable federal and organizational standards and policies;\n                  and"
-                  },
-                  {
-                    "id": "mp-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs sanitization mechanisms with the strength and integrity commensurate with\n                  the security category or classification of the information."
-                  }
-                ]
-              },
-              {
-                "id": "mp-6_gdn",
-                "name": "guidance",
-                "prose": "This control applies to all information system media, both digital and non-digital,\n               subject to disposal or reuse, whether or not the media is considered removable.\n               Examples include media found in scanners, copiers, printers, notebook computers,\n               workstations, network components, and mobile devices. The sanitization process\n               removes information from the media such that the information cannot be retrieved or\n               reconstructed. Sanitization techniques, including clearing, purging, cryptographic\n               erase, and destruction, prevent the disclosure of information to unauthorized\n               individuals when such media is reused or released for disposal. Organizations\n               determine the appropriate sanitization methods recognizing that destruction is\n               sometimes necessary when other methods cannot be applied to media requiring\n               sanitization. Organizations use discretion on the employment of approved sanitization\n               techniques and procedures for media containing information deemed to be in the public\n               domain or publicly releasable, or deemed to have no adverse impact on organizations\n               or individuals if released for reuse or disposal. Sanitization of non-digital media\n               includes, for example, removing a classified appendix from an otherwise unclassified\n               document, or redacting selected sections or words from a document by obscuring the\n               redacted sections/words in a manner equivalent in effectiveness to removing them from\n               the document. NSA standards and policies control the sanitization process for media\n               containing classified information.",
-                "links": [
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-4",
-                    "rel": "related",
-                    "text": "SC-4"
-                  }
-                ]
-              },
-              {
-                "id": "mp-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system media to be sanitized prior to:",
-                        "parts": [
-                          {
-                            "id": "mp-6.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][a]"
-                              }
-                            ],
-                            "prose": "disposal;"
-                          },
-                          {
-                            "id": "mp-6.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][b]"
-                              }
-                            ],
-                            "prose": "release out of organizational control; or"
-                          },
-                          {
-                            "id": "mp-6.a_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][c]"
-                              }
-                            ],
-                            "prose": "release for reuse;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[2]"
-                          }
-                        ],
-                        "prose": "defines sanitization techniques or procedures to be used for sanitizing\n                     organization-defined information system media prior to:",
-                        "parts": [
-                          {
-                            "id": "mp-6.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][a]"
-                              }
-                            ],
-                            "prose": "disposal;"
-                          },
-                          {
-                            "id": "mp-6.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][b]"
-                              }
-                            ],
-                            "prose": "release out of organizational control; or"
-                          },
-                          {
-                            "id": "mp-6.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][c]"
-                              }
-                            ],
-                            "prose": "release for reuse;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[3]"
-                          }
-                        ],
-                        "prose": "sanitizes organization-defined information system media prior to disposal,\n                     release out of organizational control, or release for reuse using\n                     organization-defined sanitization techniques or procedures in accordance with\n                     applicable federal and organizational standards and policies; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-6(b)"
-                      }
-                    ],
-                    "prose": "employs sanitization mechanisms with strength and integrity commensurate with the\n                  security category or classification of the information."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\napplicable federal standards and policies addressing media sanitization\\n\\nmedia sanitization records\\n\\naudit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with media sanitization responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-7",
-            "class": "SP800-53",
-            "title": "Media Use",
-            "parameters": [
-              {
-                "id": "mp-7_prm_1"
-              },
-              {
-                "id": "mp-7_prm_2",
-                "label": "organization-defined types of information system media"
-              },
-              {
-                "id": "mp-7_prm_3",
-                "label": "organization-defined information systems or system components"
-              },
-              {
-                "id": "mp-7_prm_4",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-7_smt",
-                "name": "statement",
-                "prose": "The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}."
-              },
-              {
-                "id": "mp-7_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers).\n               In contrast to MP-2, which restricts user access to media, this control restricts the\n               use of certain types of media on information systems, for example,\n               restricting/prohibiting the use of flash drives or external hard disk drives.\n               Organizations can employ technical and nontechnical safeguards (e.g., policies,\n               procedures, rules of behavior) to restrict the use of information system media.\n               Organizations may restrict the use of portable storage devices, for example, by using\n               physical cages on workstations to prohibit access to certain external ports, or\n               disabling/removing the ability to insert, read or write to such devices.\n               Organizations may also limit the use of portable storage devices to only approved\n               devices including, for example, devices provided by the organization, devices\n               provided by other approved organizations, and devices that are not personally owned.\n               Finally, organizations may restrict the use of portable storage devices based on the\n               type of device, for example, prohibiting the use of writeable, portable storage\n               devices, and implementing this restriction by disabling or removing the capability to\n               write to such devices.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "mp-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[1]"
-                      }
-                    ],
-                    "prose": "defines types of information system media to be:",
-                    "parts": [
-                      {
-                        "id": "mp-7_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[1][a]"
-                          }
-                        ],
-                        "prose": "restricted on information systems or system components; or"
-                      },
-                      {
-                        "id": "mp-7_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[1][b]"
-                          }
-                        ],
-                        "prose": "prohibited from use on information systems or system components;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[2]"
-                      }
-                    ],
-                    "prose": "defines information systems or system components on which the use of\n                  organization-defined types of information system media is to be one of the\n                  following:",
-                    "parts": [
-                      {
-                        "id": "mp-7_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[2][a]"
-                          }
-                        ],
-                        "prose": "restricted; or"
-                      },
-                      {
-                        "id": "mp-7_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[2][b]"
-                          }
-                        ],
-                        "prose": "prohibited;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-7[3]"
-                      }
-                    ],
-                    "prose": "defines security safeguards to be employed to restrict or prohibit the use of\n                  organization-defined types of information system media on organization-defined\n                  information systems or system components; and"
-                  },
-                  {
-                    "id": "mp-7_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-7[4]"
-                      }
-                    ],
-                    "prose": "restricts or prohibits the use of organization-defined information system media on\n                  organization-defined information systems or system components using\n                  organization-defined security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for media use\\n\\nautomated mechanisms restricting or prohibiting use of information system media on\n                  information systems or system components"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "pe",
-        "class": "family",
-        "title": "Physical and Environmental Protection",
-        "controls": [
-          {
-            "id": "pe-1",
-            "class": "SP800-53",
-            "title": "Physical and Environmental Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "pe-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pe-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ pe-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "pe-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A physical and environmental protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "pe-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the physical and environmental\n                     protection policy and associated physical and environmental protection\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "pe-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Physical and environmental protection policy {{ pe-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "pe-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Physical and environmental protection procedures {{ pe-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PE\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "pe-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a physical and environmental protection policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "pe-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "pe-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the physical and environmental protection\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "pe-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the physical and environmental protection policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        physical and environmental protection policy and associated physical and\n                        environmental protection controls;"
-                          },
-                          {
-                            "id": "pe-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pe-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current physical and\n                        environmental protection policy;"
-                          },
-                          {
-                            "id": "pe-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current physical and environmental protection policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current physical and\n                        environmental protection procedures; and"
-                          },
-                          {
-                            "id": "pe-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current physical and environmental protection\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical and environmental protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-2",
-            "class": "SP800-53",
-            "title": "Physical Access Authorizations",
-            "parameters": [
-              {
-                "id": "pe-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, approves, and maintains a list of individuals with authorized access to\n                  the facility where the information system resides;"
-                  },
-                  {
-                    "id": "pe-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Issues authorization credentials for facility access;"
-                  },
-                  {
-                    "id": "pe-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the access list detailing authorized facility access by individuals\n                     {{ pe-2_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Removes individuals from the facility access list when access is no longer\n                  required."
-                  }
-                ]
-              },
-              {
-                "id": "pe-2_gdn",
-                "name": "guidance",
-                "prose": "This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Authorization credentials include, for\n               example, badges, identification cards, and smart cards. Organizations determine the\n               strength of authorization credentials needed (including level of forge-proof badges,\n               smart cards, or identification cards) consistent with federal standards, policies,\n               and procedures. This control only applies to areas within facilities that have not\n               been designated as publicly accessible.",
-                "links": [
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[1]"
-                          }
-                        ],
-                        "prose": "develops a list of individuals with authorized access to the facility where the\n                     information system resides;"
-                      },
-                      {
-                        "id": "pe-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[2]"
-                          }
-                        ],
-                        "prose": "approves a list of individuals with authorized access to the facility where the\n                     information system resides;"
-                      },
-                      {
-                        "id": "pe-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[3]"
-                          }
-                        ],
-                        "prose": "maintains a list of individuals with authorized access to the facility where\n                     the information system resides;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-2(b)"
-                      }
-                    ],
-                    "prose": "issues authorization credentials for facility access;"
-                  },
-                  {
-                    "id": "pe-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the access list detailing authorized facility\n                     access by individuals;"
-                      },
-                      {
-                        "id": "pe-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the access list detailing authorized facility access by individuals\n                     with the organization-defined frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-2(d)"
-                      }
-                    ],
-                    "prose": "removes individuals from the facility access list when access is no longer\n                  required."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access authorizations\\n\\nsecurity plan\\n\\nauthorized personnel access list\\n\\nauthorization credentials\\n\\nphysical access list reviews\\n\\nphysical access termination records and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access authorization responsibilities\\n\\norganizational personnel with physical access to information system facility\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for physical access authorizations\\n\\nautomated mechanisms supporting and/or implementing physical access\n                  authorizations"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-3",
-            "class": "SP800-53",
-            "title": "Physical Access Control",
-            "parameters": [
-              {
-                "id": "pe-3_prm_1",
-                "label": "organization-defined entry/exit points to the facility where the information\n               system resides"
-              },
-              {
-                "id": "pe-3_prm_2",
-                "constraints": [
-                  {
-                    "detail": "CSP defined physical access control systems/devices AND guards"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_3",
-                "depends-on": "pe-3_prm_2",
-                "label": "organization-defined physical access control systems/devices",
-                "constraints": [
-                  {
-                    "detail": "CSP defined physical access control systems/devices"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_4",
-                "label": "organization-defined entry/exit points"
-              },
-              {
-                "id": "pe-3_prm_5",
-                "label": "organization-defined security safeguards"
-              },
-              {
-                "id": "pe-3_prm_6",
-                "label": "organization-defined circumstances requiring visitor escorts and\n               monitoring",
-                "constraints": [
-                  {
-                    "detail": "in all circumstances within restricted access area where the information system resides"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_7",
-                "label": "organization-defined physical access devices"
-              },
-              {
-                "id": "pe-3_prm_8",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_9",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-116"
-              },
-              {
-                "href": "#6caa237b-531b-43ac-9711-d8f6b97b0377",
-                "rel": "reference",
-                "text": "ICD 704"
-              },
-              {
-                "href": "#398e33fd-f404-4e5c-b90e-2d50d3181244",
-                "rel": "reference",
-                "text": "ICD 705"
-              },
-              {
-                "href": "#61081e7f-041d-4033-96a7-44a439071683",
-                "rel": "reference",
-                "text": "DoD Instruction 5200.39"
-              },
-              {
-                "href": "#dd2f5acd-08f1-435a-9837-f8203088dc1a",
-                "rel": "reference",
-                "text": "Personal Identity Verification (PIV) in Enterprise\n            Physical Access Control System (E-PACS)"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              },
-              {
-                "href": "#5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-                "rel": "reference",
-                "text": "http://fips201ep.cio.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Enforces physical access authorizations at {{ pe-3_prm_1 }} by;",
-                    "parts": [
-                      {
-                        "id": "pe-3_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Verifying individual access authorizations before granting access to the\n                     facility; and"
-                      },
-                      {
-                        "id": "pe-3_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Maintains physical access audit logs for {{ pe-3_prm_4 }};"
-                  },
-                  {
-                    "id": "pe-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides {{ pe-3_prm_5 }} to control access to areas within the\n                  facility officially designated as publicly accessible;"
-                  },
-                  {
-                    "id": "pe-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};"
-                  },
-                  {
-                    "id": "pe-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Secures keys, combinations, and other physical access devices;"
-                  },
-                  {
-                    "id": "pe-3_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};\n                  and"
-                  },
-                  {
-                    "id": "pe-3_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are\n                  lost, combinations are compromised, or individuals are transferred or\n                  terminated."
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_gdn",
-                "name": "guidance",
-                "prose": "This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Organizations determine the types of\n               facility guards needed including, for example, professional physical security staff\n               or other personnel such as administrative staff or information system users. Physical\n               access devices include, for example, keys, locks, combinations, and card readers.\n               Safeguards for publicly accessible areas within organizational facilities include,\n               for example, cameras, monitoring by guards, and isolating selected information\n               systems and/or system components in secured areas. Physical access control systems\n               comply with applicable federal laws, Executive Orders, directives, policies,\n               regulations, standards, and guidance. The Federal Identity, Credential, and Access\n               Management Program provides implementation guidance for identity, credential, and\n               access management capabilities for physical access control systems. Organizations\n               have flexibility in the types of audit logs employed. Audit logs can be procedural\n               (e.g., a written log of individuals accessing the facility and when such access\n               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination\n               thereof. Physical access points can include facility access points, interior access\n               points to information systems and/or components requiring supplemental access\n               controls, or both. Components of organizational information systems (e.g.,\n               workstations, terminals) may be located in areas designated as publicly accessible\n               with organizations safeguarding access to such devices.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#pe-5",
-                    "rel": "related",
-                    "text": "PE-5"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines entry/exit points to the facility where the information system\n                     resides;"
-                      },
-                      {
-                        "id": "pe-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-3(a)[2]"
-                          }
-                        ],
-                        "prose": "enforces physical access authorizations at organization-defined entry/exit\n                     points to the facility where the information system resides by:",
-                        "parts": [
-                          {
-                            "id": "pe-3.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(a)[2](1)"
-                              }
-                            ],
-                            "prose": "verifying individual access authorizations before granting access to the\n                        facility;"
-                          },
-                          {
-                            "id": "pe-3.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-3(a)[2](2)"
-                              }
-                            ],
-                            "parts": [
-                              {
-                                "id": "pe-3.a.2_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-3(a)[2](2)[a]"
-                                  }
-                                ],
-                                "prose": "defining physical access control systems/devices to be employed to\n                           control ingress/egress to the facility where the information system\n                           resides;"
-                              },
-                              {
-                                "id": "pe-3.a.2_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-3(a)[2](2)[b]"
-                                  }
-                                ],
-                                "prose": "using one or more of the following ways to control ingress/egress to the\n                           facility:",
-                                "parts": [
-                                  {
-                                    "id": "pe-3.a.2_obj.2.b.1",
-                                    "name": "objective",
-                                    "properties": [
-                                      {
-                                        "name": "label",
-                                        "value": "PE-3(a)[2](2)[b][1]"
-                                      }
-                                    ],
-                                    "prose": "organization-defined physical access control systems/devices;\n                              and/or"
-                                  },
-                                  {
-                                    "id": "pe-3.a.2_obj.2.b.2",
-                                    "name": "objective",
-                                    "properties": [
-                                      {
-                                        "name": "label",
-                                        "value": "PE-3(a)[2](2)[b][2]"
-                                      }
-                                    ],
-                                    "prose": "guards;"
-                                  }
-                                ]
-                              }
-                            ]
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines entry/exit points for which physical access audit logs are to be\n                     maintained;"
-                      },
-                      {
-                        "id": "pe-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(b)[2]"
-                          }
-                        ],
-                        "prose": "maintains physical access audit logs for organization-defined entry/exit\n                     points;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed to control access to areas within\n                     the facility officially designated as publicly accessible;"
-                      },
-                      {
-                        "id": "pe-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides organization-defined security safeguards to control access to areas\n                     within the facility officially designated as publicly accessible;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(d)[1]"
-                          }
-                        ],
-                        "prose": "defines circumstances requiring visitor:",
-                        "parts": [
-                          {
-                            "id": "pe-3.d_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[1][a]"
-                              }
-                            ],
-                            "prose": "escorts;"
-                          },
-                          {
-                            "id": "pe-3.d_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[1][b]"
-                              }
-                            ],
-                            "prose": "monitoring;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(d)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with organization-defined circumstances requiring visitor escorts\n                     and monitoring:",
-                        "parts": [
-                          {
-                            "id": "pe-3.d_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[2][a]"
-                              }
-                            ],
-                            "prose": "escorts visitors;"
-                          },
-                          {
-                            "id": "pe-3.d_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[2][b]"
-                              }
-                            ],
-                            "prose": "monitors visitor activities;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[1]"
-                          }
-                        ],
-                        "prose": "secures keys;"
-                      },
-                      {
-                        "id": "pe-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[2]"
-                          }
-                        ],
-                        "prose": "secures combinations;"
-                      },
-                      {
-                        "id": "pe-3.e_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[3]"
-                          }
-                        ],
-                        "prose": "secures other physical access devices;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[1]"
-                          }
-                        ],
-                        "prose": "defines physical access devices to be inventoried;"
-                      },
-                      {
-                        "id": "pe-3.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to inventory organization-defined physical access\n                     devices;"
-                      },
-                      {
-                        "id": "pe-3.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[3]"
-                          }
-                        ],
-                        "prose": "inventories the organization-defined physical access devices with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(g)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to change combinations and keys; and"
-                      },
-                      {
-                        "id": "pe-3.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(g)[2]"
-                          }
-                        ],
-                        "prose": "changes combinations and keys with the organization-defined frequency and/or\n                     when:",
-                        "parts": [
-                          {
-                            "id": "pe-3.g_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][a]"
-                              }
-                            ],
-                            "prose": "keys are lost;"
-                          },
-                          {
-                            "id": "pe-3.g_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][b]"
-                              }
-                            ],
-                            "prose": "combinations are compromised;"
-                          },
-                          {
-                            "id": "pe-3.g_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][c]"
-                              }
-                            ],
-                            "prose": "individuals are transferred or terminated."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nsecurity plan\\n\\nphysical access control logs or records\\n\\ninventory records of physical access control devices\\n\\ninformation system entry and exit points\\n\\nrecords of key and lock combination changes\\n\\nstorage locations for physical access control devices\\n\\nphysical access control devices\\n\\nlist of security safeguards controlling access to designated publicly accessible\n                  areas within facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for physical access control\\n\\nautomated mechanisms supporting and/or implementing physical access control\\n\\nphysical access control devices"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-6",
-            "class": "SP800-53",
-            "title": "Monitoring Physical Access",
-            "parameters": [
-              {
-                "id": "pe-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_prm_2",
-                "label": "organization-defined events or potential indications of events"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"
-                  },
-                  {
-                    "id": "pe-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence\n                  of {{ pe-6_prm_2 }}; and"
-                  },
-                  {
-                    "id": "pe-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Coordinates results of reviews and investigations with the organizational incident\n                  response capability."
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_gdn",
-                "name": "guidance",
-                "prose": "Organizational incident response capabilities include investigations of and responses\n               to detected physical security incidents. Security incidents include, for example,\n               apparent security violations or suspicious physical access activities. Suspicious\n               physical access activities include, for example: (i) accesses outside of normal work\n               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for\n               unusual lengths of time; and (iv) out-of-sequence accesses.",
-                "links": [
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-6(a)"
-                      }
-                    ],
-                    "prose": "monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"
-                  },
-                  {
-                    "id": "pe-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review physical access logs;"
-                      },
-                      {
-                        "id": "pe-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[2]"
-                          }
-                        ],
-                        "prose": "defines events or potential indication of events requiring physical access logs\n                     to be reviewed;"
-                      },
-                      {
-                        "id": "pe-6.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[3]"
-                          }
-                        ],
-                        "prose": "reviews physical access logs with the organization-defined frequency and upon\n                     occurrence of organization-defined events or potential indications of events;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-6(c)"
-                      }
-                    ],
-                    "prose": "coordinates results of reviews and investigations with the organizational incident\n                  response capability."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring physical access\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\\n\\nautomated mechanisms supporting and/or implementing reviewing of physical access\n                  logs"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-8",
-            "class": "SP800-53",
-            "title": "Visitor Access Records",
-            "parameters": [
-              {
-                "id": "pe-8_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "for a minimum of one (1) year"
-                  }
-                ]
-              },
-              {
-                "id": "pe-8_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Maintains visitor access records to the facility where the information system\n                  resides for {{ pe-8_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews visitor access records {{ pe-8_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "pe-8_gdn",
-                "name": "guidance",
-                "prose": "Visitor access records include, for example, names and organizations of persons\n               visiting, visitor signatures, forms of identification, dates of access, entry and\n               departure times, purposes of visits, and names and organizations of persons visited.\n               Visitor access records are not required for publicly accessible areas."
-              },
-              {
-                "id": "pe-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period to maintain visitor access records to the facility\n                     where the information system resides;"
-                      },
-                      {
-                        "id": "pe-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(a)[2]"
-                          }
-                        ],
-                        "prose": "maintains visitor access records to the facility where the information system\n                     resides for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review visitor access records; and"
-                      },
-                      {
-                        "id": "pe-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews visitor access records with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nsecurity plan\\n\\nvisitor access control logs or records\\n\\nvisitor access record or log reviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for maintaining and reviewing visitor access records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                  visitor access records"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-12",
-            "class": "SP800-53",
-            "title": "Emergency Lighting",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-12_smt",
-                "name": "statement",
-                "prose": "The organization employs and maintains automatic emergency lighting for the\n               information system that activates in the event of a power outage or disruption and\n               that covers emergency exits and evacuation routes within the facility."
-              },
-              {
-                "id": "pe-12_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "pe-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization employs and maintains automatic emergency lighting for\n               the information system that: ",
-                "parts": [
-                  {
-                    "id": "pe-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-12[1]"
-                      }
-                    ],
-                    "prose": "activates in the event of a power outage or disruption; and"
-                  },
-                  {
-                    "id": "pe-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-12[2]"
-                      }
-                    ],
-                    "prose": "covers emergency exits and evacuation routes within the facility."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing emergency lighting\\n\\nemergency lighting documentation\\n\\nemergency lighting test records\\n\\nemergency exits and evacuation routes\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for emergency lighting and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing emergency lighting\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-13",
-            "class": "SP800-53",
-            "title": "Fire Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-13"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-13"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-13_smt",
-                "name": "statement",
-                "prose": "The organization employs and maintains fire suppression and detection devices/systems\n               for the information system that are supported by an independent energy source."
-              },
-              {
-                "id": "pe-13_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Fire suppression and detection devices/systems include, for example,\n               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke\n               detectors."
-              },
-              {
-                "id": "pe-13_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-13_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-13[1]"
-                      }
-                    ],
-                    "prose": "employs fire suppression and detection devices/systems for the information system\n                  that are supported by an independent energy source; and"
-                  },
-                  {
-                    "id": "pe-13_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-13[2]"
-                      }
-                    ],
-                    "prose": "maintains fire suppression and detection devices/systems for the information\n                  system that are supported by an independent energy source."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for fire detection and suppression\n                  devices/systems\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing fire suppression/detection\n                  devices/systems"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-14",
-            "class": "SP800-53",
-            "title": "Temperature and Humidity Controls",
-            "parameters": [
-              {
-                "id": "pe-14_prm_1",
-                "label": "organization-defined acceptable levels",
-                "constraints": [
-                  {
-                    "detail": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "continuously"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-14"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-14"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-14_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-14_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Maintains temperature and humidity levels within the facility where the\n                  information system resides at {{ pe-14_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-14_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Monitors temperature and humidity levels {{ pe-14_prm_2 }}."
-                  },
-                  {
-                    "id": "pe-14_fr",
-                    "name": "item",
-                    "title": "PE-14(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "pe-14_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider measures temperature at server inlets and humidity levels by dew point."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources, for example, data centers, server rooms, and mainframe computer\n               rooms.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-14.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-14(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-14.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[1]"
-                          }
-                        ],
-                        "prose": "defines acceptable temperature levels to be maintained within the facility\n                     where the information system resides;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[2]"
-                          }
-                        ],
-                        "prose": "defines acceptable humidity levels to be maintained within the facility where\n                     the information system resides;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[3]"
-                          }
-                        ],
-                        "prose": "maintains temperature levels within the facility where the information system\n                     resides at the organization-defined levels;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[4]"
-                          }
-                        ],
-                        "prose": "maintains humidity levels within the facility where the information system\n                     resides at the organization-defined levels;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-14.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-14(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-14.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to monitor temperature levels;"
-                      },
-                      {
-                        "id": "pe-14.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to monitor humidity levels;"
-                      },
-                      {
-                        "id": "pe-14.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[3]"
-                          }
-                        ],
-                        "prose": "monitors temperature levels with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "pe-14.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[4]"
-                          }
-                        ],
-                        "prose": "monitors humidity levels with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity control\\n\\nsecurity plan\\n\\ntemperature and humidity controls\\n\\nfacility housing the information system\\n\\ntemperature and humidity controls documentation\\n\\ntemperature and humidity records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing maintenance and monitoring of\n                  temperature and humidity levels"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-15",
-            "class": "SP800-53",
-            "title": "Water Damage Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-15_smt",
-                "name": "statement",
-                "prose": "The organization protects the information system from damage resulting from water\n               leakage by providing master shutoff or isolation valves that are accessible, working\n               properly, and known to key personnel."
-              },
-              {
-                "id": "pe-15_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Isolation valves can be employed in addition to or in lieu of master\n               shutoff valves to shut off water supplies in specific areas of concern, without\n               affecting entire organizations.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-15_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization protects the information system from damage resulting\n               from water leakage by providing master shutoff or isolation valves that are: ",
-                "parts": [
-                  {
-                    "id": "pe-15_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[1]"
-                      }
-                    ],
-                    "prose": "accessible;"
-                  },
-                  {
-                    "id": "pe-15_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[2]"
-                      }
-                    ],
-                    "prose": "working properly; and"
-                  },
-                  {
-                    "id": "pe-15_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[3]"
-                      }
-                    ],
-                    "prose": "known to key personnel."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nmaster shutoff valves\\n\\nlist of key personnel with knowledge of location and activation procedures for\n                  master shutoff valves for the plumbing system\\n\\nmaster shutoff valve documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Master water-shutoff valves\\n\\norganizational process for activating master water-shutoff"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-16",
-            "class": "SP800-53",
-            "title": "Delivery and Removal",
-            "parameters": [
-              {
-                "id": "pe-16_prm_1",
-                "label": "organization-defined types of information system components",
-                "constraints": [
-                  {
-                    "detail": "all information system components"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-16"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-16_smt",
-                "name": "statement",
-                "prose": "The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}\n               entering and exiting the facility and maintains records of those items."
-              },
-              {
-                "id": "pe-16_gdn",
-                "name": "guidance",
-                "prose": "Effectively enforcing authorizations for entry and exit of information system\n               components may require restricting access to delivery areas and possibly isolating\n               the areas from the information system and media libraries.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "pe-16_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-16_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[1]"
-                      }
-                    ],
-                    "prose": "defines types of information system components to be authorized, monitored, and\n                  controlled as such components are entering and exiting the facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[2]"
-                      }
-                    ],
-                    "prose": "authorizes organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[3]"
-                      }
-                    ],
-                    "prose": "monitors organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[4]"
-                      }
-                    ],
-                    "prose": "controls organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[5]"
-                      }
-                    ],
-                    "prose": "authorizes organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[6]"
-                      }
-                    ],
-                    "prose": "monitors organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.7",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[7]"
-                      }
-                    ],
-                    "prose": "controls organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.8",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[8]"
-                      }
-                    ],
-                    "prose": "maintains records of information system components entering the facility; and"
-                  },
-                  {
-                    "id": "pe-16_obj.9",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[9]"
-                      }
-                    ],
-                    "prose": "maintains records of information system components exiting the facility."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing delivery and removal of information system components from\n                  the facility\\n\\nsecurity plan\\n\\nfacility housing the information system\\n\\nrecords of items entering and exiting the facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for controlling information system\n                  components entering and exiting the facility\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for authorizing, monitoring, and controlling information\n                  system-related items entering and exiting the facility\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling information system-related items entering and exiting the facility"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "pl",
-        "class": "family",
-        "title": "Planning",
-        "controls": [
-          {
-            "id": "pl-1",
-            "class": "SP800-53",
-            "title": "Security Planning Policy and Procedures",
-            "parameters": [
-              {
-                "id": "pl-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pl-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PL-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ pl-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "pl-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "pl-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security planning policy and\n                     associated security planning controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "pl-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security planning policy {{ pl-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "pl-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security planning procedures {{ pl-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PL\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "pl-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a planning policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "pl-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "pl-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the planning policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pl-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the planning policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pl-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        planning policy and associated planning controls;"
-                          },
-                          {
-                            "id": "pl-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pl-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current planning policy;"
-                          },
-                          {
-                            "id": "pl-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current planning policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pl-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current planning procedures;\n                        and"
-                          },
-                          {
-                            "id": "pl-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current planning procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Planning policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-2",
-            "class": "SP800-53",
-            "title": "System Security Plan",
-            "parameters": [
-              {
-                "id": "pl-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pl-2_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PL-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a security plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Is consistent with the organization’s enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Explicitly defines the authorization boundary for the system;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Describes the operational context of the information system in terms of\n                     missions and business processes;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Provides the security categorization of the information system including\n                     supporting rationale;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Provides an overview of the security requirements for the system;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.7",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "7."
-                          }
-                        ],
-                        "prose": "Identifies any relevant overlays, if applicable;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.8",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "8."
-                          }
-                        ],
-                        "prose": "Describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring decisions; and"
-                      },
-                      {
-                        "id": "pl-2_smt.a.9",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "9."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the security plan and communicates subsequent changes to the\n                  plan to {{ pl-2_prm_1 }};"
-                  },
-                  {
-                    "id": "pl-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the security plan for the information system {{ pl-2_prm_2 }};"
-                  },
-                  {
-                    "id": "pl-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Updates the plan to address changes to the information system/environment of\n                  operation or problems identified during plan implementation or security control\n                  assessments; and"
-                  },
-                  {
-                    "id": "pl-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Protects the security plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "id": "pl-2_gdn",
-                "name": "guidance",
-                "prose": "Security plans relate security requirements to a set of security controls and control\n               enhancements. Security plans also describe, at a high level, how the security\n               controls and control enhancements meet those security requirements, but do not\n               provide detailed, technical descriptions of the specific design or implementation of\n               the controls/enhancements. Security plans contain sufficient information (including\n               the specification of parameter values for assignment and selection statements either\n               explicitly or by reference) to enable a design and implementation that is\n               unambiguously compliant with the intent of the plans and subsequent determinations of\n               risk to organizational operations and assets, individuals, other organizations, and\n               the Nation if the plan is implemented as intended. Organizations can also apply\n               tailoring guidance to the security control baselines in Appendix D and CNSS\n               Instruction 1253 to develop overlays for community-wide use or to address specialized\n               requirements, technologies, or missions/environments of operation (e.g.,\n               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and\n               Access Management, space operations). Appendix I provides guidance on developing\n               overlays. Security plans need not be single documents; the plans can be a collection\n               of various documents including documents that already exist. Effective security plans\n               make extensive use of references to policies, procedures, and additional documents\n               (e.g., design and implementation specifications) where more detailed information can\n               be obtained. This reduces the documentation requirements associated with security\n               programs and maintains security-related information in other established\n               management/operational areas related to enterprise architecture, system development\n               life cycle, systems engineering, and acquisition. For example, security plans do not\n               contain detailed contingency plan or incident response plan information but instead\n               provide explicitly or by reference, sufficient information to define what needs to be\n               accomplished by those plans.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pl-7",
-                    "rel": "related",
-                    "text": "PL-7"
-                  },
-                  {
-                    "href": "#pm-1",
-                    "rel": "related",
-                    "text": "PM-1"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#pm-8",
-                    "rel": "related",
-                    "text": "PM-8"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-17",
-                    "rel": "related",
-                    "text": "SA-17"
-                  }
-                ]
-              },
-              {
-                "id": "pl-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(a)"
-                      }
-                    ],
-                    "prose": "develops a security plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(1)"
-                          }
-                        ],
-                        "prose": "is consistent with the organization’s enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(2)"
-                          }
-                        ],
-                        "prose": "explicitly defines the authorization boundary for the system;"
-                      },
-                      {
-                        "id": "pl-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(3)"
-                          }
-                        ],
-                        "prose": "describes the operational context of the information system in terms of\n                     missions and business processes;"
-                      },
-                      {
-                        "id": "pl-2.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(4)"
-                          }
-                        ],
-                        "prose": "provides the security categorization of the information system including\n                     supporting rationale;"
-                      },
-                      {
-                        "id": "pl-2.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(5)"
-                          }
-                        ],
-                        "prose": "describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"
-                      },
-                      {
-                        "id": "pl-2.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(6)"
-                          }
-                        ],
-                        "prose": "provides an overview of the security requirements for the system;"
-                      },
-                      {
-                        "id": "pl-2.a.7_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(7)"
-                          }
-                        ],
-                        "prose": "identifies any relevant overlays, if applicable;"
-                      },
-                      {
-                        "id": "pl-2.a.8_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(8)"
-                          }
-                        ],
-                        "prose": "describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring and supplemental\n                     decisions;"
-                      },
-                      {
-                        "id": "pl-2.a.9_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(9)"
-                          }
-                        ],
-                        "prose": "is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom copies of the security plan are to be\n                     distributed and subsequent changes to the plan are to be communicated;"
-                      },
-                      {
-                        "id": "pl-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the security plan and communicates subsequent changes to\n                     the plan to organization-defined personnel or roles;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the security plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "pl-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the security plan for the information system with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-2(d)"
-                      }
-                    ],
-                    "prose": "updates the plan to address:",
-                    "parts": [
-                      {
-                        "id": "pl-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[1]"
-                          }
-                        ],
-                        "prose": "changes to the information system/environment of operation;"
-                      },
-                      {
-                        "id": "pl-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[2]"
-                          }
-                        ],
-                        "prose": "problems identified during plan implementation;"
-                      },
-                      {
-                        "id": "pl-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[3]"
-                          }
-                        ],
-                        "prose": "problems identified during security control assessments;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-2(e)"
-                      }
-                    ],
-                    "prose": "protects the security plan from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "pl-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(e)[1]"
-                          }
-                        ],
-                        "prose": "disclosure; and"
-                      },
-                      {
-                        "id": "pl-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(e)[2]"
-                          }
-                        ],
-                        "prose": "modification."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing security plan development and implementation\\n\\nprocedures addressing security plan reviews and updates\\n\\nenterprise architecture documentation\\n\\nsecurity plan for the information system\\n\\nrecords of security plan reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security plan development/review/update/approval\\n\\nautomated mechanisms supporting the information system security plan"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-4",
-            "class": "SP800-53",
-            "title": "Rules of Behavior",
-            "parameters": [
-              {
-                "id": "pl-4_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "At least every 3 years"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PL-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and makes readily available to individuals requiring access to the\n                  information system, the rules that describe their responsibilities and expected\n                  behavior with regard to information and information system usage;"
-                  },
-                  {
-                    "id": "pl-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Receives a signed acknowledgment from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"
-                  },
-                  {
-                    "id": "pl-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pl-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Requires individuals who have signed a previous version of the rules of behavior\n                  to read and re-sign when the rules of behavior are revised/updated."
-                  }
-                ]
-              },
-              {
-                "id": "pl-4_gdn",
-                "name": "guidance",
-                "prose": "This control enhancement applies to organizational users. Organizations consider\n               rules of behavior based on individual user roles and responsibilities,\n               differentiating, for example, between rules that apply to privileged users and rules\n               that apply to general users. Establishing rules of behavior for some types of\n               non-organizational users including, for example, individuals who simply receive\n               data/information from federal information systems, is often not feasible given the\n               large number of such users and the limited nature of their interactions with the\n               systems. Rules of behavior for both organizational and non-organizational users can\n               also be established in AC-8, System Use Notification. PL-4 b. (the signed\n               acknowledgment portion of this control) may be satisfied by the security awareness\n               training and role-based security training programs conducted by organizations if such\n               training includes rules of behavior. Organizations can use electronic signatures for\n               acknowledging rules of behavior.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-8",
-                    "rel": "related",
-                    "text": "AC-8"
-                  },
-                  {
-                    "href": "#ac-9",
-                    "rel": "related",
-                    "text": "AC-9"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#mp-7",
-                    "rel": "related",
-                    "text": "MP-7"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#ps-8",
-                    "rel": "related",
-                    "text": "PS-8"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  }
-                ]
-              },
-              {
-                "id": "pl-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes, for individuals requiring access to the information system, the\n                     rules that describe their responsibilities and expected behavior with regard to\n                     information and information system usage;"
-                      },
-                      {
-                        "id": "pl-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(a)[2]"
-                          }
-                        ],
-                        "prose": "makes readily available to individuals requiring access to the information\n                     system, the rules that describe their responsibilities and expected behavior\n                     with regard to information and information system usage;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-4(b)"
-                      }
-                    ],
-                    "prose": "receives a signed acknowledgement from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"
-                  },
-                  {
-                    "id": "pl-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the rules of behavior;"
-                      },
-                      {
-                        "id": "pl-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the rules of behavior with the organization-defined\n                     frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-4(d)"
-                      }
-                    ],
-                    "prose": "requires individuals who have signed a previous version of the rules of behavior\n                  to read and resign when the rules of behavior are revised/updated."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nsigned acknowledgements\\n\\nrecords for rules of behavior reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for establishing, reviewing, and\n                  updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                  have signed and resigned rules of behavior\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for establishing, reviewing, disseminating, and updating\n                  rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment, review,\n                  dissemination, and update of rules of behavior"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ps",
-        "class": "family",
-        "title": "Personnel Security",
-        "controls": [
-          {
-            "id": "ps-1",
-            "class": "SP800-53",
-            "title": "Personnel Security Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ps-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ps-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ps-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A personnel security policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ps-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the personnel security policy\n                     and associated personnel security controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ps-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Personnel security policy {{ ps-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ps-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Personnel security procedures {{ ps-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PS\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an personnel security policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ps-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ps-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the personnel security policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ps-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the personnel security policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        personnel security policy and associated personnel security controls;"
-                          },
-                          {
-                            "id": "ps-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ps-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current personnel security\n                        policy;"
-                          },
-                          {
-                            "id": "ps-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current personnel security policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current personnel security\n                        procedures; and"
-                          },
-                          {
-                            "id": "ps-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current personnel security procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-2",
-            "class": "SP800-53",
-            "title": "Position Risk Designation",
-            "parameters": [
-              {
-                "id": "ps-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three years"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-                "rel": "reference",
-                "text": "5 C.F.R. 731.106"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Assigns a risk designation to all organizational positions;"
-                  },
-                  {
-                    "id": "ps-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishes screening criteria for individuals filling those positions; and"
-                  },
-                  {
-                    "id": "ps-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates position risk designations {{ ps-2_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-2_gdn",
-                "name": "guidance",
-                "prose": "Position risk designations reflect Office of Personnel Management policy and\n               guidance. Risk designations can guide and inform the types of authorizations\n               individuals receive when accessing organizational information and information\n               systems. Position screening criteria include explicit information security role\n               appointment requirements (e.g., training, security clearances).",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  }
-                ]
-              },
-              {
-                "id": "ps-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-2(a)"
-                      }
-                    ],
-                    "prose": "assigns a risk designation to all organizational positions;"
-                  },
-                  {
-                    "id": "ps-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-2(b)"
-                      }
-                    ],
-                    "prose": "establishes screening criteria for individuals filling those positions;"
-                  },
-                  {
-                    "id": "ps-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update position risk designations; and"
-                      },
-                      {
-                        "id": "ps-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates position risk designations with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing position categorization\\n\\nappropriate codes of federal regulations\\n\\nlist of risk designations for organizational positions\\n\\nsecurity plan\\n\\nrecords of position risk designation reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for assigning, reviewing, and updating position risk\n                  designations\\n\\norganizational processes for establishing screening criteria"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-3",
-            "class": "SP800-53",
-            "title": "Personnel Screening",
-            "parameters": [
-              {
-                "id": "ps-3_prm_1",
-                "label": "organization-defined conditions requiring rescreening and, where rescreening is\n               so indicated, the frequency of such rescreening",
-                "constraints": [
-                  {
-                    "detail": "For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions."
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-                "rel": "reference",
-                "text": "5 C.F.R. 731.106"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#6caa237b-531b-43ac-9711-d8f6b97b0377",
-                "rel": "reference",
-                "text": "ICD 704"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Screens individuals prior to authorizing access to the information system; and"
-                  },
-                  {
-                    "id": "ps-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Rescreens individuals according to {{ ps-3_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-3_gdn",
-                "name": "guidance",
-                "prose": "Personnel screening and rescreening activities reflect applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, guidance, and\n               specific criteria established for the risk designations of assigned positions.\n               Organizations may define different rescreening conditions and frequencies for\n               personnel accessing information systems based on types of information processed,\n               stored, or transmitted by the systems.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  }
-                ]
-              },
-              {
-                "id": "ps-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-3(a)"
-                      }
-                    ],
-                    "prose": "screens individuals prior to authorizing access to the information system;"
-                  },
-                  {
-                    "id": "ps-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines conditions requiring re-screening;"
-                      },
-                      {
-                        "id": "ps-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency of re-screening where it is so indicated; and"
-                      },
-                      {
-                        "id": "ps-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[3]"
-                          }
-                        ],
-                        "prose": "re-screens individuals in accordance with organization-defined conditions\n                     requiring re-screening and, where re-screening is so indicated, with the\n                     organization-defined frequency of such re-screening."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel screening"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-4",
-            "class": "SP800-53",
-            "title": "Personnel Termination",
-            "parameters": [
-              {
-                "id": "ps-4_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "same day"
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_prm_2",
-                "label": "organization-defined information security topics"
-              },
-              {
-                "id": "ps-4_prm_3",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-4_prm_4",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-4_smt",
-                "name": "statement",
-                "prose": "The organization, upon termination of individual employment:",
-                "parts": [
-                  {
-                    "id": "ps-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Disables information system access within {{ ps-4_prm_1 }};"
-                  },
-                  {
-                    "id": "ps-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Terminates/revokes any authenticators/credentials associated with the\n                  individual;"
-                  },
-                  {
-                    "id": "ps-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};"
-                  },
-                  {
-                    "id": "ps-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Retrieves all security-related organizational information system-related\n                  property;"
-                  },
-                  {
-                    "id": "ps-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Retains access to organizational information and information systems formerly\n                  controlled by terminated individual; and"
-                  },
-                  {
-                    "id": "ps-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_gdn",
-                "name": "guidance",
-                "prose": "Information system-related property includes, for example, hardware authentication\n               tokens, system administration technical manuals, keys, identification cards, and\n               building passes. Exit interviews ensure that terminated individuals understand the\n               security constraints imposed by being former employees and that proper accountability\n               is achieved for information system-related property. Security topics of interest at\n               exit interviews can include, for example, reminding terminated individuals of\n               nondisclosure agreements and potential limitations on future employment. Exit\n               interviews may not be possible for some terminated individuals, for example, in cases\n               related to job abandonment, illnesses, and nonavailability of supervisors. Exit\n               interviews are important for individuals with security clearances. Timely execution\n               of termination actions is essential for individuals terminated for cause. In certain\n               situations, organizations consider disabling the information system accounts of\n               individuals that are being terminated prior to the individuals being notified.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization, upon termination of individual employment,:",
-                "parts": [
-                  {
-                    "id": "ps-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which to disable information system access;"
-                      },
-                      {
-                        "id": "ps-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(a)[2]"
-                          }
-                        ],
-                        "prose": "disables information system access within the organization-defined time\n                     period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(b)"
-                      }
-                    ],
-                    "prose": "terminates/revokes any authenticators/credentials associated with the\n                  individual;"
-                  },
-                  {
-                    "id": "ps-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(c)[1]"
-                          }
-                        ],
-                        "prose": "defines information security topics to be discussed when conducting exit\n                     interviews;"
-                      },
-                      {
-                        "id": "ps-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(c)[2]"
-                          }
-                        ],
-                        "prose": "conducts exit interviews that include a discussion of organization-defined\n                     information security topics;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(d)"
-                      }
-                    ],
-                    "prose": "retrieves all security-related organizational information system-related\n                  property;"
-                  },
-                  {
-                    "id": "ps-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(e)"
-                      }
-                    ],
-                    "prose": "retains access to organizational information and information systems formerly\n                  controlled by the terminated individual;"
-                  },
-                  {
-                    "id": "ps-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified of the termination;"
-                      },
-                      {
-                        "id": "ps-4.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to notify organization-defined personnel\n                     or roles; and"
-                      },
-                      {
-                        "id": "ps-4.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\nrecords of personnel termination actions\\n\\nlist of information system accounts\\n\\nrecords of terminated or revoked authenticators/credentials\\n\\nrecords of exit interviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-5",
-            "class": "SP800-53",
-            "title": "Personnel Transfer",
-            "parameters": [
-              {
-                "id": "ps-5_prm_1",
-                "label": "organization-defined transfer or reassignment actions"
-              },
-              {
-                "id": "ps-5_prm_2",
-                "label": "organization-defined time period following the formal transfer action"
-              },
-              {
-                "id": "ps-5_prm_3",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-5_prm_4",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "five days of the time period following the formal transfer action (DoD 24 hours)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Reviews and confirms ongoing operational need for current logical and physical\n                  access authorizations to information systems/facilities when individuals are\n                  reassigned or transferred to other positions within the organization;"
-                  },
-                  {
-                    "id": "ps-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"
-                  },
-                  {
-                    "id": "ps-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer; and"
-                  },
-                  {
-                    "id": "ps-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_gdn",
-                "name": "guidance",
-                "prose": "This control applies when reassignments or transfers of individuals are permanent or\n               of such extended durations as to make the actions warranted. Organizations define\n               actions appropriate for the types of reassignments or transfers, whether permanent or\n               extended. Actions that may be required for personnel transfers or reassignments to\n               other positions within organizations include, for example: (i) returning old and\n               issuing new keys, identification cards, and building passes; (ii) closing information\n               system accounts and establishing new accounts; (iii) changing information system\n               access authorizations (i.e., privileges); and (iv) providing for access to official\n               records to which individuals had access at previous work locations and in previous\n               information system accounts.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(a)"
-                      }
-                    ],
-                    "prose": "when individuals are reassigned or transferred to other positions within the\n                  organization, reviews and confirms ongoing operational need for current:",
-                    "parts": [
-                      {
-                        "id": "ps-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(a)[1]"
-                          }
-                        ],
-                        "prose": "logical access authorizations to information systems;"
-                      },
-                      {
-                        "id": "ps-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(a)[2]"
-                          }
-                        ],
-                        "prose": "physical access authorizations to information systems and facilities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[1]"
-                          }
-                        ],
-                        "prose": "defines transfer or reassignment actions to be initiated following transfer or\n                     reassignment;"
-                      },
-                      {
-                        "id": "ps-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which transfer or reassignment actions must\n                     occur following transfer or reassignment;"
-                      },
-                      {
-                        "id": "ps-5.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[3]"
-                          }
-                        ],
-                        "prose": "initiates organization-defined transfer or reassignment actions within the\n                     organization-defined time period following transfer or reassignment;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-5(c)"
-                      }
-                    ],
-                    "prose": "modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer;"
-                  },
-                  {
-                    "id": "ps-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified when individuals are reassigned or\n                     transferred to other positions within the organization;"
-                      },
-                      {
-                        "id": "ps-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to notify organization-defined personnel\n                     or roles when individuals are reassigned or transferred to other positions\n                     within the organization; and"
-                      },
-                      {
-                        "id": "ps-5.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period when individuals are reassigned or transferred\n                     to other positions within the organization."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel transfer\\n\\nsecurity plan\\n\\nrecords of personnel transfer actions\\n\\nlist of information system and facility access authorizations\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities organizational\n                  personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel transfer\\n\\nautomated mechanisms supporting and/or implementing personnel transfer\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-6",
-            "class": "SP800-53",
-            "title": "Access Agreements",
-            "parameters": [
-              {
-                "id": "ps-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops and documents access agreements for organizational information\n                  systems;"
-                  },
-                  {
-                    "id": "ps-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the access agreements {{ ps-6_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ps-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that individuals requiring access to organizational information and\n                  information systems:",
-                    "parts": [
-                      {
-                        "id": "ps-6_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Sign appropriate access agreements prior to being granted access; and"
-                      },
-                      {
-                        "id": "ps-6_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Re-sign access agreements to maintain access to organizational information\n                     systems when access agreements have been updated or {{ ps-6_prm_2 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_gdn",
-                "name": "guidance",
-                "prose": "Access agreements include, for example, nondisclosure agreements, acceptable use\n               agreements, rules of behavior, and conflict-of-interest agreements. Signed access\n               agreements include an acknowledgement that individuals have read, understand, and\n               agree to abide by the constraints associated with organizational information systems\n               to which access is authorized. Organizations can use electronic signatures to\n               acknowledge access agreements unless specifically prohibited by organizational\n               policy.",
-                "links": [
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  },
-                  {
-                    "href": "#ps-8",
-                    "rel": "related",
-                    "text": "PS-8"
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-6(a)"
-                      }
-                    ],
-                    "prose": "develops and documents access agreements for organizational information\n                  systems;"
-                  },
-                  {
-                    "id": "ps-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the access agreements;"
-                      },
-                      {
-                        "id": "ps-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the access agreements with the organization-defined\n                     frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-6.c.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(c)(1)"
-                          }
-                        ],
-                        "prose": "ensures that individuals requiring access to organizational information and\n                     information systems sign appropriate access agreements prior to being granted\n                     access;"
-                      },
-                      {
-                        "id": "ps-6.c.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-6(c)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-6.c.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-6(c)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been\n                        updated;"
-                          },
-                          {
-                            "id": "ps-6.c.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-6(c)(2)[2]"
-                              }
-                            ],
-                            "prose": "ensures that individuals requiring access to organizational information and\n                        information systems re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been updated\n                        or with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing access agreements for organizational information and\n                  information systems\\n\\nsecurity plan\\n\\naccess agreements\\n\\nrecords of access agreement reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel who have signed/resigned access agreements\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for access agreements\\n\\nautomated mechanisms supporting access agreements"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-7",
-            "class": "SP800-53",
-            "title": "Third-party Personnel Security",
-            "parameters": [
-              {
-                "id": "ps-7_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-7_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "organization-defined time period - same day"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes personnel security requirements including security roles and\n                  responsibilities for third-party providers;"
-                  },
-                  {
-                    "id": "ps-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"
-                  },
-                  {
-                    "id": "ps-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents personnel security requirements;"
-                  },
-                  {
-                    "id": "ps-7_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Requires third-party providers to notify {{ ps-7_prm_1 }} of any\n                  personnel transfers or terminations of third-party personnel who possess\n                  organizational credentials and/or badges, or who have information system\n                  privileges within {{ ps-7_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ps-7_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Monitors provider compliance."
-                  }
-                ]
-              },
-              {
-                "id": "ps-7_gdn",
-                "name": "guidance",
-                "prose": "Third-party providers include, for example, service bureaus, contractors, and other\n               organizations providing information system development, information technology\n               services, outsourced applications, and network and security management. Organizations\n               explicitly include personnel security requirements in acquisition-related documents.\n               Third-party providers may have personnel working at organizational facilities with\n               credentials, badges, or information system privileges issued by organizations.\n               Notifications of third-party personnel changes ensure appropriate termination of\n               privileges and credentials. Organizations define the transfers and terminations\n               deemed reportable by security-related characteristics that include, for example,\n               functions, roles, and nature of credentials/privileges associated with individuals\n               transferred or terminated.",
-                "links": [
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  },
-                  {
-                    "href": "#sa-21",
-                    "rel": "related",
-                    "text": "SA-21"
-                  }
-                ]
-              },
-              {
-                "id": "ps-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(a)"
-                      }
-                    ],
-                    "prose": "establishes personnel security requirements, including security roles and\n                  responsibilities, for third-party providers;"
-                  },
-                  {
-                    "id": "ps-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(b)"
-                      }
-                    ],
-                    "prose": "requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"
-                  },
-                  {
-                    "id": "ps-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(c)"
-                      }
-                    ],
-                    "prose": "documents personnel security requirements;"
-                  },
-                  {
-                    "id": "ps-7.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-7(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-7.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"
-                      },
-                      {
-                        "id": "ps-7.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which third-party providers are required to\n                     notify organization-defined personnel or roles of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"
-                      },
-                      {
-                        "id": "ps-7.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[3]"
-                          }
-                        ],
-                        "prose": "requires third-party providers to notify organization-defined personnel or\n                     roles within the organization-defined time period of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-7.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(e)"
-                      }
-                    ],
-                    "prose": "monitors provider compliance."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing third-party personnel security\\n\\nlist of personnel security requirements\\n\\nacquisition documents\\n\\nservice-level agreements\\n\\ncompliance monitoring process\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\nthird-party providers\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing and monitoring third-party personnel\n                  security\\n\\nautomated mechanisms supporting and/or implementing monitoring of provider\n                  compliance"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-8",
-            "class": "SP800-53",
-            "title": "Personnel Sanctions",
-            "parameters": [
-              {
-                "id": "ps-8_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-8_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures; and"
-                  },
-                  {
-                    "id": "ps-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}\n                  when a formal employee sanctions process is initiated, identifying the individual\n                  sanctioned and the reason for the sanction."
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_gdn",
-                "name": "guidance",
-                "prose": "Organizational sanctions processes reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Sanctions processes are\n               described in access agreements and can be included as part of general personnel\n               policies and procedures for organizations. Organizations consult with the Office of\n               the General Counsel regarding matters of employee sanctions.",
-                "links": [
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-8(a)"
-                      }
-                    ],
-                    "prose": "employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures;"
-                  },
-                  {
-                    "id": "ps-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified when a formal employee sanctions\n                     process is initiated;"
-                      },
-                      {
-                        "id": "ps-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which organization-defined personnel or roles\n                     must be notified when a formal employee sanctions process is initiated; and"
-                      },
-                      {
-                        "id": "ps-8.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period when a formal employee sanctions process is\n                     initiated, identifying the individual sanctioned and the reason for the\n                     sanction."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel sanctions\\n\\nrules of behavior\\n\\nrecords of formal sanctions\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing personnel sanctions\\n\\nautomated mechanisms supporting and/or implementing notifications"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ra",
-        "class": "family",
-        "title": "Risk Assessment",
-        "controls": [
-          {
-            "id": "ra-1",
-            "class": "SP800-53",
-            "title": "Risk Assessment Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ra-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ra-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "RA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ra-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ra-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A risk assessment policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ra-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the risk assessment policy and\n                     associated risk assessment controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ra-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Risk assessment policy {{ ra-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ra-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Risk assessment procedures {{ ra-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the RA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a risk assessment policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ra-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ra-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the risk assessment policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ra-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the risk assessment policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        risk assessment policy and associated risk assessment controls;"
-                          },
-                          {
-                            "id": "ra-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ra-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current risk assessment\n                        policy;"
-                          },
-                          {
-                            "id": "ra-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current risk assessment policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current risk assessment\n                        procedures; and"
-                          },
-                          {
-                            "id": "ra-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current risk assessment procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "risk assessment policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-2",
-            "class": "SP800-53",
-            "title": "Security Categorization",
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"
-                  },
-                  {
-                    "id": "ra-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"
-                  },
-                  {
-                    "id": "ra-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that the authorizing official or authorizing official designated\n                  representative reviews and approves the security categorization decision."
-                  }
-                ]
-              },
-              {
-                "id": "ra-2_gdn",
-                "name": "guidance",
-                "prose": "Clearly defined authorization boundaries are a prerequisite for effective security\n               categorization decisions. Security categories describe the potential adverse impacts\n               to organizational operations, organizational assets, and individuals if\n               organizational information and information systems are comprised through a loss of\n               confidentiality, integrity, or availability. Organizations conduct the security\n               categorization process as an organization-wide activity with the involvement of chief\n               information officers, senior information security officers, information system\n               owners, mission/business owners, and information owners/stewards. Organizations also\n               consider the potential adverse impacts to other organizations and, in accordance with\n               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential\n               national-level adverse impacts. Security categorization processes carried out by\n               organizations facilitate the development of inventories of information assets, and\n               along with CM-8, mappings to specific information system components where information\n               is processed, stored, or transmitted.",
-                "links": [
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "ra-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(a)"
-                      }
-                    ],
-                    "prose": "categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"
-                  },
-                  {
-                    "id": "ra-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(b)"
-                      }
-                    ],
-                    "prose": "documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"
-                  },
-                  {
-                    "id": "ra-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(c)"
-                      }
-                    ],
-                    "prose": "ensures the authorizing official or authorizing official designated representative\n                  reviews and approves the security categorization decision."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing security categorization of organizational information and\n                  information systems\\n\\nsecurity plan\\n\\nsecurity categorization documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security categorization and risk assessment\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security categorization"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-3",
-            "class": "SP800-53",
-            "title": "Risk Assessment",
-            "parameters": [
-              {
-                "id": "ra-3_prm_1"
-              },
-              {
-                "id": "ra-3_prm_2",
-                "depends-on": "ra-3_prm_1",
-                "label": "organization-defined document",
-                "constraints": [
-                  {
-                    "detail": "security assessment report"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three (3) years or when a significant change occurs"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_prm_4",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ra-3_prm_5",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three (3) years or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of the information system and the information it processes, stores, or\n                  transmits;"
-                  },
-                  {
-                    "id": "ra-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents risk assessment results in {{ ra-3_prm_1 }};"
-                  },
-                  {
-                    "id": "ra-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews risk assessment results {{ ra-3_prm_3 }};"
-                  },
-                  {
-                    "id": "ra-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Disseminates risk assessment results to {{ ra-3_prm_4 }}; and"
-                  },
-                  {
-                    "id": "ra-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are\n                  significant changes to the information system or environment of operation\n                  (including the identification of new threats and vulnerabilities), or other\n                  conditions that may impact the security state of the system."
-                  },
-                  {
-                    "id": "ra-3_fr",
-                    "name": "item",
-                    "title": "RA-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ra-3_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"
-                      },
-                      {
-                        "id": "ra-3_fr_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3 (d) Requirement:"
-                          }
-                        ],
-                        "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_gdn",
-                "name": "guidance",
-                "prose": "Clearly defined authorization boundaries are a prerequisite for effective risk\n               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,\n               and impact to organizational operations and assets, individuals, other organizations,\n               and the Nation based on the operation and use of information systems. Risk\n               assessments also take into account risk from external parties (e.g., service\n               providers, contractors operating information systems on behalf of the organization,\n               individuals accessing organizational information systems, outsourcing entities). In\n               accordance with OMB policy and related E-authentication initiatives, authentication\n               of public users accessing federal information systems may also be required to protect\n               nonpublic or privacy-related information. As such, organizational assessments of risk\n               also address public access to federal information systems. Risk assessments (either\n               formal or informal) can be conducted at all three tiers in the risk management\n               hierarchy (i.e., organization level, mission/business process level, or information\n               system level) and at any phase in the system development life cycle. Risk assessments\n               can also be conducted at various steps in the Risk Management Framework, including\n               categorization, security control selection, security control implementation, security\n               control assessment, information system authorization, and security control\n               monitoring. RA-3 is noteworthy in that the control must be partially implemented\n               prior to the implementation of other controls in order to complete the first two\n               steps in the Risk Management Framework. Risk assessments can play an important role\n               in security control selection processes, particularly during the application of\n               tailoring guidance, which includes security control supplementation.",
-                "links": [
-                  {
-                    "href": "#ra-2",
-                    "rel": "related",
-                    "text": "RA-2"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(a)"
-                      }
-                    ],
-                    "prose": "conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of:",
-                    "parts": [
-                      {
-                        "id": "ra-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(a)[1]"
-                          }
-                        ],
-                        "prose": "the information system;"
-                      },
-                      {
-                        "id": "ra-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(a)[2]"
-                          }
-                        ],
-                        "prose": "the information the system processes, stores, or transmits;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a document in which risk assessment results are to be documented (if\n                     not documented in the security plan or risk assessment report);"
-                      },
-                      {
-                        "id": "ra-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(b)[2]"
-                          }
-                        ],
-                        "prose": "documents risk assessment results in one of the following:",
-                        "parts": [
-                          {
-                            "id": "ra-3.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][a]"
-                              }
-                            ],
-                            "prose": "the security plan;"
-                          },
-                          {
-                            "id": "ra-3.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][b]"
-                              }
-                            ],
-                            "prose": "the risk assessment report; or"
-                          },
-                          {
-                            "id": "ra-3.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][c]"
-                              }
-                            ],
-                            "prose": "the organization-defined document;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review risk assessment results;"
-                      },
-                      {
-                        "id": "ra-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews risk assessment results with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom risk assessment results are to be\n                     disseminated;"
-                      },
-                      {
-                        "id": "ra-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(d)[2]"
-                          }
-                        ],
-                        "prose": "disseminates risk assessment results to organization-defined personnel or\n                     roles;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(e)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the risk assessment;"
-                      },
-                      {
-                        "id": "ra-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(e)[2]"
-                          }
-                        ],
-                        "prose": "updates the risk assessment:",
-                        "parts": [
-                          {
-                            "id": "ra-3.e_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][a]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency;"
-                          },
-                          {
-                            "id": "ra-3.e_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][b]"
-                              }
-                            ],
-                            "prose": "whenever there are significant changes to the information system or\n                        environment of operation (including the identification of new threats and\n                        vulnerabilities); and"
-                          },
-                          {
-                            "id": "ra-3.e_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][c]"
-                              }
-                            ],
-                            "prose": "whenever there are other conditions that may impact the security state of\n                        the system."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing organizational assessments of risk\\n\\nsecurity plan\\n\\nrisk assessment\\n\\nrisk assessment results\\n\\nrisk assessment reviews\\n\\nrisk assessment updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for risk assessment\\n\\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,\n                  disseminating, and updating the risk assessment"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-5",
-            "class": "SP800-53",
-            "title": "Vulnerability Scanning",
-            "parameters": [
-              {
-                "id": "ra-5_prm_1",
-                "label": "organization-defined frequency and/or randomly in accordance with\n               organization-defined process",
-                "constraints": [
-                  {
-                    "detail": "monthly operating system/infrastructure; monthly web applications and databases"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_prm_2",
-                "label": "organization-defined response times",
-                "constraints": [
-                  {
-                    "detail": "[high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_prm_3",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "RA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#15522e92-9192-463d-9646-6a01982db8ca",
-                "rel": "reference",
-                "text": "http://cwe.mitre.org"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Scans for vulnerabilities in the information system and hosted applications\n                     {{ ra-5_prm_1 }} and when new vulnerabilities potentially\n                  affecting the system/applications are identified and reported;"
-                  },
-                  {
-                    "id": "ra-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:",
-                    "parts": [
-                      {
-                        "id": "ra-5_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Enumerating platforms, software flaws, and improper configurations;"
-                      },
-                      {
-                        "id": "ra-5_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Formatting checklists and test procedures; and"
-                      },
-                      {
-                        "id": "ra-5_smt.b.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Measuring vulnerability impact;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Analyzes vulnerability scan reports and results from security control\n                  assessments;"
-                  },
-                  {
-                    "id": "ra-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in\n                  accordance with an organizational assessment of risk; and"
-                  },
-                  {
-                    "id": "ra-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Shares information obtained from the vulnerability scanning process and security\n                  control assessments with {{ ra-5_prm_3 }} to help eliminate similar\n                  vulnerabilities in other information systems (i.e., systemic weaknesses or\n                  deficiencies)."
-                  },
-                  {
-                    "id": "ra-5_fr_smt.a",
-                    "name": "item",
-                    "title": "RA-5(a) Additional FedRAMP Requirements and Guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5 (a)Requirement:"
-                      }
-                    ],
-                    "prose": "An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."
-                  },
-                  {
-                    "id": "ra-5_fr_smt.e",
-                    "name": "item",
-                    "title": "RA-5(e) Additional FedRAMP Requirements and Guidance",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5 (e)Requirement:"
-                      }
-                    ],
-                    "prose": "To include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                  },
-                  {
-                    "id": "ra-5_fr",
-                    "name": "item",
-                    "title": "RA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ra-5_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_gdn",
-                "name": "guidance",
-                "prose": "Security categorization of information systems guides the frequency and\n               comprehensiveness of vulnerability scans. Organizations determine the required\n               vulnerability scanning for all information system components, ensuring that potential\n               sources of vulnerabilities such as networked printers, scanners, and copiers are not\n               overlooked. Vulnerability analyses for custom software applications may require\n               additional approaches such as static analysis, dynamic analysis, binary analysis, or\n               a hybrid of the three approaches. Organizations can employ these analysis approaches\n               in a variety of tools (e.g., web-based application scanners, static analysis tools,\n               binary analyzers) and in source code reviews. Vulnerability scanning includes, for\n               example: (i) scanning for patch levels; (ii) scanning for functions, ports,\n               protocols, and services that should not be accessible to users or devices; and (iii)\n               scanning for improperly configured or incorrectly operating information flow control\n               mechanisms. Organizations consider using tools that express vulnerabilities in the\n               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open\n               Vulnerability Assessment Language (OVAL) to determine/test for the presence of\n               vulnerabilities. Suggested sources for vulnerability information include the Common\n               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In\n               addition, security control assessments such as red team exercises provide other\n               sources of potential vulnerabilities for which to scan. Organizations also consider\n               using tools that express vulnerability impact by the Common Vulnerability Scoring\n               System (CVSS).",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#ra-2",
-                    "rel": "related",
-                    "text": "RA-2"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[1][a]"
-                              }
-                            ],
-                            "prose": "defines the frequency for conducting vulnerability scans on the information\n                        system and hosted applications; and/or"
-                          },
-                          {
-                            "id": "ra-5.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[1][b]"
-                              }
-                            ],
-                            "prose": "defines the process for conducting random vulnerability scans on the\n                        information system and hosted applications;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with the organization-defined frequency and/or\n                     organization-defined process for conducting random scans, scans for\n                     vulnerabilities in:",
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[2][a]"
-                              }
-                            ],
-                            "prose": "the information system;"
-                          },
-                          {
-                            "id": "ra-5.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[2][b]"
-                              }
-                            ],
-                            "prose": "hosted applications;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[3]"
-                          }
-                        ],
-                        "prose": "when new vulnerabilities potentially affecting the system/applications are\n                     identified and reported, scans for vulnerabilities in:",
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[3][a]"
-                              }
-                            ],
-                            "prose": "the information system;"
-                          },
-                          {
-                            "id": "ra-5.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[3][b]"
-                              }
-                            ],
-                            "prose": "hosted applications;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(b)"
-                      }
-                    ],
-                    "prose": "employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:",
-                    "parts": [
-                      {
-                        "id": "ra-5.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "enumerating platforms;"
-                          },
-                          {
-                            "id": "ra-5.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "enumerating software flaws;"
-                          },
-                          {
-                            "id": "ra-5.b.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[3]"
-                              }
-                            ],
-                            "prose": "enumerating improper configurations;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "formatting checklists;"
-                          },
-                          {
-                            "id": "ra-5.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "formatting test procedures;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.b.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(3)"
-                          }
-                        ],
-                        "prose": "measuring vulnerability impact;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(c)[1]"
-                          }
-                        ],
-                        "prose": "analyzes vulnerability scan reports;"
-                      },
-                      {
-                        "id": "ra-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(c)[2]"
-                          }
-                        ],
-                        "prose": "analyzes results from security control assessments;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(d)[1]"
-                          }
-                        ],
-                        "prose": "defines response times to remediate legitimate vulnerabilities in accordance\n                     with an organizational assessment of risk;"
-                      },
-                      {
-                        "id": "ra-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(d)[2]"
-                          }
-                        ],
-                        "prose": "remediates legitimate vulnerabilities within the organization-defined response\n                     times in accordance with an organizational assessment of risk;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles with whom information obtained from the\n                     vulnerability scanning process and security control assessments is to be\n                     shared;"
-                      },
-                      {
-                        "id": "ra-5.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[2]"
-                          }
-                        ],
-                        "prose": "shares information obtained from the vulnerability scanning process with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies); and"
-                      },
-                      {
-                        "id": "ra-5.e_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[3]"
-                          }
-                        ],
-                        "prose": "shares information obtained from security control assessments with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment, security control assessment and\n                  vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with vulnerability remediation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and\n                  information sharing\\n\\nautomated mechanisms supporting and/or implementing vulnerability scanning,\n                  analysis, remediation, and information sharing"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "sa",
-        "class": "family",
-        "title": "System and Services Acquisition",
-        "controls": [
-          {
-            "id": "sa-1",
-            "class": "SP800-53",
-            "title": "System and Services Acquisition Policy and Procedures",
-            "parameters": [
-              {
-                "id": "sa-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "sa-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ sa-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "sa-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and services acquisition policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "sa-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and services\n                     acquisition policy and associated system and services acquisition controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "sa-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and services acquisition policy {{ sa-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "sa-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and services acquisition procedures {{ sa-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and services acquisition policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "sa-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "sa-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and services acquisition\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "sa-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and services acquisition policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and services acquisition policy and associated system and services\n                        acquisition controls;"
-                          },
-                          {
-                            "id": "sa-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "sa-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and services\n                        acquisition policy;"
-                          },
-                          {
-                            "id": "sa-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and services acquisition policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and services\n                        acquisition procedures; and"
-                          },
-                          {
-                            "id": "sa-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and services acquisition procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-2",
-            "class": "SP800-53",
-            "title": "Allocation of Resources",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#29fcfe59-33cd-494a-8756-5907ae3a8f92",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-65"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines information security requirements for the information system or\n                  information system service in mission/business process planning;"
-                  },
-                  {
-                    "id": "sa-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Determines, documents, and allocates the resources required to protect the\n                  information system or information system service as part of its capital planning\n                  and investment control process; and"
-                  },
-                  {
-                    "id": "sa-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."
-                  }
-                ]
-              },
-              {
-                "id": "sa-2_gdn",
-                "name": "guidance",
-                "prose": "Resource allocation for information security includes funding for the initial\n               information system or information system service acquisition and funding for the\n               sustainment of the system/service.",
-                "links": [
-                  {
-                    "href": "#pm-3",
-                    "rel": "related",
-                    "text": "PM-3"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  }
-                ]
-              },
-              {
-                "id": "sa-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(a)"
-                      }
-                    ],
-                    "prose": "determines information security requirements for the information system or\n                  information system service in mission/business process planning;"
-                  },
-                  {
-                    "id": "sa-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(b)"
-                      }
-                    ],
-                    "prose": "to protect the information system or information system service as part of its\n                  capital planning and investment control process:",
-                    "parts": [
-                      {
-                        "id": "sa-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "determines the resources required;"
-                      },
-                      {
-                        "id": "sa-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "documents the resources required;"
-                      },
-                      {
-                        "id": "sa-2.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[3]"
-                          }
-                        ],
-                        "prose": "allocates the resources required; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(c)"
-                      }
-                    ],
-                    "prose": "establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the allocation of resources to information security\n                  requirements\\n\\nprocedures addressing capital planning and investment control\\n\\norganizational programming and budgeting documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with capital planning, investment control, organizational\n                  programming and budgeting responsibilities\\n\\norganizational personnel responsible for determining information security\n                  requirements for information systems/services\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for determining information security requirements\\n\\norganizational processes for capital planning, programming, and budgeting\\n\\nautomated mechanisms supporting and/or implementing organizational capital\n                  planning, programming, and budgeting"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-3",
-            "class": "SP800-53",
-            "title": "System Development Life Cycle",
-            "parameters": [
-              {
-                "id": "sa-3_prm_1",
-                "label": "organization-defined system development life cycle"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#abd950ae-092f-4b7a-b374-1c7c67fe9350",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-64"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Manages the information system using {{ sa-3_prm_1 }} that\n                  incorporates information security considerations;"
-                  },
-                  {
-                    "id": "sa-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"
-                  },
-                  {
-                    "id": "sa-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Identifies individuals having information security roles and responsibilities;\n                  and"
-                  },
-                  {
-                    "id": "sa-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Integrates the organizational information security risk management process into\n                  system development life cycle activities."
-                  }
-                ]
-              },
-              {
-                "id": "sa-3_gdn",
-                "name": "guidance",
-                "prose": "A well-defined system development life cycle provides the foundation for the\n               successful development, implementation, and operation of organizational information\n               systems. To apply the required security controls within the system development life\n               cycle requires a basic understanding of information security, threats,\n               vulnerabilities, adverse impacts, and risk to critical missions/business functions.\n               The security engineering principles in SA-8 cannot be properly applied if individuals\n               that design, code, and test information systems and system components (including\n               information technology products) do not understand security. Therefore, organizations\n               include qualified personnel, for example, chief information security officers,\n               security architects, security engineers, and information system security officers in\n               system development life cycle activities to ensure that security requirements are\n               incorporated into organizational information systems. It is equally important that\n               developers include individuals on the development team that possess the requisite\n               security expertise and skills to ensure that needed security capabilities are\n               effectively integrated into the information system. Security awareness and training\n               programs can help ensure that individuals having key security roles and\n               responsibilities have the appropriate experience, skills, and expertise to conduct\n               assigned system development life cycle activities. The effective integration of\n               security requirements into enterprise architecture also helps to ensure that\n               important security considerations are addressed early in the system development life\n               cycle and that those considerations are directly related to the organizational\n               mission/business processes. This process also facilitates the integration of the\n               information security architecture into the enterprise architecture, consistent with\n               organizational risk management and information security strategies.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  }
-                ]
-              },
-              {
-                "id": "sa-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a system development life cycle that incorporates information security\n                     considerations to be used to manage the information system;"
-                      },
-                      {
-                        "id": "sa-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-3(a)[2]"
-                          }
-                        ],
-                        "prose": "manages the information system using the organization-defined system\n                     development life cycle;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(b)"
-                      }
-                    ],
-                    "prose": "defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"
-                  },
-                  {
-                    "id": "sa-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(c)"
-                      }
-                    ],
-                    "prose": "identifies individuals having information security roles and responsibilities;\n                  and"
-                  },
-                  {
-                    "id": "sa-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(d)"
-                      }
-                    ],
-                    "prose": "integrates the organizational information security risk management process into\n                  system development life cycle activities."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security into the system\n                  development life cycle process\\n\\ninformation system development life cycle documentation\\n\\ninformation security risk management strategy/program documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security and system life cycle\n                  development responsibilities\\n\\norganizational personnel with information security risk management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining and documenting the SDLC\\n\\norganizational processes for identifying SDLC roles and responsibilities\\n\\norganizational process for integrating information security risk management into\n                  the SDLC\\n\\nautomated mechanisms supporting and/or implementing the SDLC"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-4",
-            "class": "SP800-53",
-            "title": "Acquisition Process",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ad733a42-a7ed-4774-b988-4930c28852f3",
-                "rel": "reference",
-                "text": "HSPD-12"
-              },
-              {
-                "href": "#1737a687-52fb-4008-b900-cbfa836f7b65",
-                "rel": "reference",
-                "text": "ISO/IEC 15408"
-              },
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#0a5db899-f033-467f-8631-f5a8ba971475",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-23"
-              },
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              },
-              {
-                "href": "#d818efd3-db31-4953-8afa-9e76afe83ce2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-36"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#abd950ae-092f-4b7a-b374-1c7c67fe9350",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-64"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              },
-              {
-                "href": "#56d671da-6b7b-4abf-8296-84b61980390a",
-                "rel": "reference",
-                "text": "Federal Acquisition Regulation"
-              },
-              {
-                "href": "#c95a9986-3cd6-4a98-931b-ccfc56cb11e5",
-                "rel": "reference",
-                "text": "http://www.niap-ccevs.org"
-              },
-              {
-                "href": "#5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-                "rel": "reference",
-                "text": "http://fips201ep.cio.gov"
-              },
-              {
-                "href": "#bbd50dd1-54ce-4432-959d-63ea564b1bb4",
-                "rel": "reference",
-                "text": "http://www.acquisition.gov/far"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-4_smt",
-                "name": "statement",
-                "prose": "The organization includes the following requirements, descriptions, and criteria,\n               explicitly or by reference, in the acquisition contract for the information system,\n               system component, or information system service in accordance with applicable federal\n               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and\n               organizational mission/business needs:",
-                "parts": [
-                  {
-                    "id": "sa-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Security functional requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Security strength requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Security assurance requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Security-related documentation requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Requirements for protecting security-related documentation;"
-                  },
-                  {
-                    "id": "sa-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Description of the information system development environment and environment in\n                  which the system is intended to operate; and"
-                  },
-                  {
-                    "id": "sa-4_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Acceptance criteria."
-                  },
-                  {
-                    "id": "sa-4_fr",
-                    "name": "item",
-                    "title": "SA-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sa-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4_gdn",
-                "name": "guidance",
-                "prose": "Information system components are discrete, identifiable information technology\n               assets (e.g., hardware, software, or firmware) that represent the building blocks of\n               an information system. Information system components include commercial information\n               technology products. Security functional requirements include security capabilities,\n               security functions, and security mechanisms. Security strength requirements\n               associated with such capabilities, functions, and mechanisms include degree of\n               correctness, completeness, resistance to direct attack, and resistance to tampering\n               or bypass. Security assurance requirements include: (i) development processes,\n               procedures, practices, and methodologies; and (ii) evidence from development and\n               assessment activities providing grounds for confidence that the required security\n               functionality has been implemented and the required security strength has been\n               achieved. Security documentation requirements address all phases of the system\n               development life cycle. Security functionality, assurance, and documentation\n               requirements are expressed in terms of security controls and control enhancements\n               that have been selected through the tailoring process. The security control tailoring\n               process includes, for example, the specification of parameter values through the use\n               of assignment and selection statements and the specification of platform dependencies\n               and implementation information. Security documentation provides user and\n               administrator guidance regarding the implementation and operation of security\n               controls. The level of detail required in security documentation is based on the\n               security category or classification level of the information system and the degree to\n               which organizations depend on the stated security capability, functions, or\n               mechanisms to meet overall risk response expectations (as defined in the\n               organizational risk management strategy). Security requirements can also include\n               organizationally mandated configuration settings specifying allowed functions, ports,\n               protocols, and services. Acceptance criteria for information systems, information\n               system components, and information system services are defined in the same manner as\n               such criteria for any organizational acquisition or procurement. The Federal\n               Acquisition Regulation (FAR) Section 7.103 contains information security requirements\n               from FISMA.",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "sa-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization includes the following requirements, descriptions, and\n               criteria, explicitly or by reference, in the acquisition contracts for the\n               information system, system component, or information system service in accordance\n               with applicable federal laws, Executive Orders, directives, policies, regulations,\n               standards, guidelines, and organizational mission/business needs:",
-                "parts": [
-                  {
-                    "id": "sa-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(a)"
-                      }
-                    ],
-                    "prose": "security functional requirements;"
-                  },
-                  {
-                    "id": "sa-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(b)"
-                      }
-                    ],
-                    "prose": "security strength requirements;"
-                  },
-                  {
-                    "id": "sa-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(c)"
-                      }
-                    ],
-                    "prose": "security assurance requirements;"
-                  },
-                  {
-                    "id": "sa-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(d)"
-                      }
-                    ],
-                    "prose": "security-related documentation requirements;"
-                  },
-                  {
-                    "id": "sa-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(e)"
-                      }
-                    ],
-                    "prose": "requirements for protecting security-related documentation;"
-                  },
-                  {
-                    "id": "sa-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(f)"
-                      }
-                    ],
-                    "prose": "description of:",
-                    "parts": [
-                      {
-                        "id": "sa-4.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(f)[1]"
-                          }
-                        ],
-                        "prose": "the information system development environment;"
-                      },
-                      {
-                        "id": "sa-4.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(f)[2]"
-                          }
-                        ],
-                        "prose": "the environment in which the system is intended to operate; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(g)"
-                      }
-                    ],
-                    "prose": "acceptance criteria."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                  descriptions, and criteria into the acquisition process\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ninformation system design documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security functional, strength, and assurance requirements\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for determining information system security functional,\n                  strength, and assurance requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of\n                  security requirements in contracts"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-5",
-            "class": "SP800-53",
-            "title": "Information System Documentation",
-            "parameters": [
-              {
-                "id": "sa-5_prm_1",
-                "label": "organization-defined actions"
-              },
-              {
-                "id": "sa-5_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Obtains administrator documentation for the information system, system component,\n                  or information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Secure configuration, installation, and operation of the system, component, or\n                     service;"
-                      },
-                      {
-                        "id": "sa-5_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Effective use and maintenance of security functions/mechanisms; and"
-                      },
-                      {
-                        "id": "sa-5_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Obtains user documentation for the information system, system component, or\n                  information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "User-accessible security functions/mechanisms and how to effectively use those\n                     security functions/mechanisms;"
-                      },
-                      {
-                        "id": "sa-5_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner; and"
-                      },
-                      {
-                        "id": "sa-5_smt.b.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "User responsibilities in maintaining the security of the system, component, or\n                     service;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents attempts to obtain information system, system component, or information\n                  system service documentation when such documentation is either unavailable or\n                  nonexistent and takes {{ sa-5_prm_1 }} in response;"
-                  },
-                  {
-                    "id": "sa-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects documentation as required, in accordance with the risk management\n                  strategy; and"
-                  },
-                  {
-                    "id": "sa-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Distributes documentation to {{ sa-5_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "sa-5_gdn",
-                "name": "guidance",
-                "prose": "This control helps organizational personnel understand the implementation and\n               operation of security controls associated with information systems, system\n               components, and information system services. Organizations consider establishing\n               specific measures to determine the quality/completeness of the content provided. The\n               inability to obtain needed documentation may occur, for example, due to the age of\n               the information system/component or lack of support from developers and contractors.\n               In those situations, organizations may need to recreate selected documentation if\n               such documentation is essential to the effective implementation or operation of\n               security controls. The level of protection provided for selected information system,\n               component, or service documentation is commensurate with the security category or\n               classification of the system. For example, documentation associated with a key DoD\n               weapons system or command and control system would typically require a higher level\n               of protection than a routine administrative system. Documentation that addresses\n               information system vulnerabilities may also require an increased level of protection.\n               Secure operation of the information system, includes, for example, initially starting\n               the system and resuming secure system operation after any lapse in system\n               operation.",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  }
-                ]
-              },
-              {
-                "id": "sa-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(a)"
-                      }
-                    ],
-                    "prose": "obtains administrator documentation for the information system, system component,\n                  or information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "secure configuration of the system, system component, or service;"
-                          },
-                          {
-                            "id": "sa-5.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "secure installation of the system, system component, or service;"
-                          },
-                          {
-                            "id": "sa-5.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "secure operation of the system, system component, or service;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "effective use of the security features/mechanisms;"
-                          },
-                          {
-                            "id": "sa-5.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "effective maintenance of the security features/mechanisms;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(3)"
-                          }
-                        ],
-                        "prose": "known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(b)"
-                      }
-                    ],
-                    "prose": "obtains user documentation for the information system, system component, or\n                  information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "user-accessible security functions/mechanisms;"
-                          },
-                          {
-                            "id": "sa-5.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "how to effectively use those functions/mechanisms;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(2)"
-                          }
-                        ],
-                        "prose": "methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner;"
-                      },
-                      {
-                        "id": "sa-5.b.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(3)"
-                          }
-                        ],
-                        "prose": "user responsibilities in maintaining the security of the system, component, or\n                     service;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[1]"
-                          }
-                        ],
-                        "prose": "defines actions to be taken after documented attempts to obtain information\n                     system, system component, or information system service documentation when such\n                     documentation is either unavailable or nonexistent;"
-                      },
-                      {
-                        "id": "sa-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[2]"
-                          }
-                        ],
-                        "prose": "documents attempts to obtain information system, system component, or\n                     information system service documentation when such documentation is either\n                     unavailable or nonexistent;"
-                      },
-                      {
-                        "id": "sa-5.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[3]"
-                          }
-                        ],
-                        "prose": "takes organization-defined actions in response;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(d)"
-                      }
-                    ],
-                    "prose": "protects documentation as required, in accordance with the risk management\n                  strategy;"
-                  },
-                  {
-                    "id": "sa-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-5.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom documentation is to be distributed; and"
-                      },
-                      {
-                        "id": "sa-5.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(e)[2]"
-                          }
-                        ],
-                        "prose": "distributes documentation to organization-defined personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing information system documentation\\n\\ninformation system documentation including administrator and user guides\\n\\nrecords documenting attempts to obtain unavailable or nonexistent information\n                  system documentation\\n\\nlist of actions to be taken in response to documented attempts to obtain\n                  information system, system component, or information system service\n                  documentation\\n\\nrisk management strategy documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\nsystem administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for obtaining, protecting, and distributing information\n                  system administrator and user documentation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-9",
-            "class": "SP800-53",
-            "title": "External Information System Services",
-            "parameters": [
-              {
-                "id": "sa-9_prm_1",
-                "label": "organization-defined security controls",
-                "constraints": [
-                  {
-                    "detail": "FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_prm_2",
-                "label": "organization-defined processes, methods, and techniques",
-                "constraints": [
-                  {
-                    "detail": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-09"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires that providers of external information system services comply with\n                  organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive\n                  Orders, directives, policies, regulations, standards, and guidance;"
-                  },
-                  {
-                    "id": "sa-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Defines and documents government oversight and user roles and responsibilities\n                  with regard to external information system services; and"
-                  },
-                  {
-                    "id": "sa-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Employs {{ sa-9_prm_2 }} to monitor security control compliance by\n                  external service providers on an ongoing basis."
-                  },
-                  {
-                    "id": "sa-9_fr",
-                    "name": "item",
-                    "title": "SA-9 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sa-9_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide [https://www.FedRAMP.gov/documents](https://www.FedRAMP.gov/documents)\n                  "
-                      },
-                      {
-                        "id": "sa-9_fr_gdn.2",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_gdn",
-                "name": "guidance",
-                "prose": "External information system services are services that are implemented outside of the\n               authorization boundaries of organizational information systems. This includes\n               services that are used by, but not a part of, organizational information systems.\n               FISMA and OMB policy require that organizations using external service providers that\n               are processing, storing, or transmitting federal information or operating information\n               systems on behalf of the federal government ensure that such providers meet the same\n               security requirements that federal agencies are required to meet. Organizations\n               establish relationships with external service providers in a variety of ways\n               including, for example, through joint ventures, business partnerships, contracts,\n               interagency agreements, lines of business arrangements, licensing agreements, and\n               supply chain exchanges. The responsibility for managing risks from the use of\n               external information system services remains with authorizing officials. For services\n               external to organizations, a chain of trust requires that organizations establish and\n               retain a level of confidence that each participating provider in the potentially\n               complex consumer-provider relationship provides adequate protection for the services\n               rendered. The extent and nature of this chain of trust varies based on the\n               relationships between organizations and the external providers. Organizations\n               document the basis for trust relationships so the relationships can be monitored over\n               time. External information system services documentation includes government, service\n               providers, end user security roles and responsibilities, and service-level\n               agreements. Service-level agreements define expectations of performance for security\n               controls, describe measurable outcomes, and identify remedies and response\n               requirements for identified instances of noncompliance.",
-                "links": [
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ir-7",
-                    "rel": "related",
-                    "text": "IR-7"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security controls to be employed by providers of external information\n                     system services;"
-                      },
-                      {
-                        "id": "sa-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[2]"
-                          }
-                        ],
-                        "prose": "requires that providers of external information system services comply with\n                     organizational information security requirements;"
-                      },
-                      {
-                        "id": "sa-9.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[3]"
-                          }
-                        ],
-                        "prose": "requires that providers of external information system services employ\n                     organization-defined security controls in accordance with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines and documents government oversight with regard to external information\n                     system services;"
-                      },
-                      {
-                        "id": "sa-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(b)[2]"
-                          }
-                        ],
-                        "prose": "defines and documents user roles and responsibilities with regard to external\n                     information system services;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines processes, methods, and techniques to be employed to monitor security\n                     control compliance by external service providers; and"
-                      },
-                      {
-                        "id": "sa-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(c)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined processes, methods, and techniques to monitor\n                     security control compliance by external service providers on an ongoing\n                     basis."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nprocedures addressing methods and techniques for monitoring security control\n                  compliance by external service providers of information system services\\n\\nacquisition contracts, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                  provider services\\n\\nsecurity control assessment evidence from external providers of information system\n                  services\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring security control compliance by external\n                  service providers on an ongoing basis\\n\\nautomated mechanisms for monitoring security control compliance by external\n                  service providers on an ongoing basis"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "sc",
-        "class": "family",
-        "title": "System and Communications Protection",
-        "controls": [
-          {
-            "id": "sc-1",
-            "class": "SP800-53",
-            "title": "System and Communications Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "sc-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "sc-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SC-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sc-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ sc-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "sc-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and communications protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "sc-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and communications\n                     protection policy and associated system and communications protection controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "sc-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and communications protection policy {{ sc-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "sc-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and communications protection procedures {{ sc-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and communications protection policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "sc-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "sc-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and communications protection\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "sc-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and communications protection policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and communications protection policy and associated system and\n                        communications protection controls;"
-                          },
-                          {
-                            "id": "sc-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "sc-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        communications protection policy;"
-                          },
-                          {
-                            "id": "sc-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and communications protection policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        communications protection procedures; and"
-                          },
-                          {
-                            "id": "sc-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and communications protection\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and communications protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-5",
-            "class": "SP800-53",
-            "title": "Denial of Service Protection",
-            "parameters": [
-              {
-                "id": "sc-5_prm_1",
-                "label": "organization-defined types of denial of service attacks or references to sources\n               for such information"
-              },
-              {
-                "id": "sc-5_prm_2",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-5_smt",
-                "name": "statement",
-                "prose": "The information system protects against or limits the effects of the following types\n               of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}."
-              },
-              {
-                "id": "sc-5_gdn",
-                "name": "guidance",
-                "prose": "A variety of technologies exist to limit, or in some cases, eliminate the effects of\n               denial of service attacks. For example, boundary protection devices can filter\n               certain types of packets to protect information system components on internal\n               organizational networks from being directly affected by denial of service attacks.\n               Employing increased capacity and bandwidth combined with service redundancy may also\n               reduce the susceptibility to denial of service attacks.",
-                "links": [
-                  {
-                    "href": "#sc-6",
-                    "rel": "related",
-                    "text": "SC-6"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-5_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[1]"
-                      }
-                    ],
-                    "prose": "the organization defines types of denial of service attacks or reference to source\n                  of such information for the information system to protect against or limit the\n                  effects;"
-                  },
-                  {
-                    "id": "sc-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[2]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be employed by the information\n                  system to protect against or limit the effects of organization-defined types of\n                  denial of service attacks; and"
-                  },
-                  {
-                    "id": "sc-5_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[3]"
-                      }
-                    ],
-                    "prose": "the information system protects against or limits the effects of the\n                  organization-defined denial or service attacks (or reference to source for such\n                  information) by employing organization-defined security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing denial of service protection\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\nlist of denial of services attacks requiring employment of security safeguards to\n                  protect against or limit effects of such attacks\\n\\nlist of security safeguards protecting against or limiting the effects of denial\n                  of service attacks\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms protecting against or limiting the effects of denial of\n                  service attacks"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-7",
-            "class": "SP800-53",
-            "title": "Boundary Protection",
-            "parameters": [
-              {
-                "id": "sc-7_prm_1"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#756a8e86-57d5-4701-8382-f7a40439665a",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-41"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-7_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors and controls communications at the external boundary of the system and at\n                  key internal boundaries within the system;"
-                  },
-                  {
-                    "id": "sc-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;\n                  and"
-                  },
-                  {
-                    "id": "sc-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."
-                  }
-                ]
-              },
-              {
-                "id": "sc-7_gdn",
-                "name": "guidance",
-                "prose": "Managed interfaces include, for example, gateways, routers, firewalls, guards,\n               network-based malicious code analysis and virtualization systems, or encrypted\n               tunnels implemented within a security architecture (e.g., routers protecting\n               firewalls or application gateways residing on protected subnetworks). Subnetworks\n               that are physically or logically separated from internal networks are referred to as\n               demilitarized zones or DMZs. Restricting or prohibiting interfaces within\n               organizational information systems includes, for example, restricting external web\n               traffic to designated web servers within managed interfaces and prohibiting external\n               traffic that appears to be spoofing internal addresses. Organizations consider the\n               shared nature of commercial telecommunications services in the implementation of\n               security controls associated with the use of such services. Commercial\n               telecommunications services are commonly based on network components and consolidated\n               management systems shared by all attached commercial customers, and may also include\n               third party-provided access lines and other service elements. Such transmission\n               services may represent sources of increased risk despite contract security\n               provisions.",
-                "links": [
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "sc-7_obj",
-                "name": "objective",
-                "prose": "Determine if the information system:",
-                "parts": [
-                  {
-                    "id": "sc-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[1]"
-                          }
-                        ],
-                        "prose": "monitors communications at the external boundary of the information system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors communications at key internal boundaries within the system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[3]"
-                          }
-                        ],
-                        "prose": "controls communications at the external boundary of the information system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[4]"
-                          }
-                        ],
-                        "prose": "controls communications at key internal boundaries within the system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-7(b)"
-                      }
-                    ],
-                    "prose": "implements subnetworks for publicly accessible system components that are\n                  either:",
-                    "parts": [
-                      {
-                        "id": "sc-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(b)[1]"
-                          }
-                        ],
-                        "prose": "physically separated from internal organizational networks; and/or"
-                      },
-                      {
-                        "id": "sc-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(b)[2]"
-                          }
-                        ],
-                        "prose": "logically separated from internal organizational networks; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-7(c)"
-                      }
-                    ],
-                    "prose": "connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\nlist of key internal boundaries of the information system\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\nenterprise security architecture documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing boundary protection capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-12",
-            "class": "SP800-53",
-            "title": "Cryptographic Key Establishment and Management",
-            "parameters": [
-              {
-                "id": "sc-12_prm_1",
-                "label": "organization-defined requirements for key generation, distribution, storage,\n               access, and destruction"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-12"
-              }
-            ],
-            "links": [
-              {
-                "href": "#81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-56"
-              },
-              {
-                "href": "#a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-57"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-12_smt",
-                "name": "statement",
-                "prose": "The organization establishes and manages cryptographic keys for required cryptography\n               employed within the information system in accordance with {{ sc-12_prm_1 }}.",
-                "parts": [
-                  {
-                    "id": "sc-12_fr",
-                    "name": "item",
-                    "title": "SC-12 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sc-12_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Federally approved and validated cryptography."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-12_gdn",
-                "name": "guidance",
-                "prose": "Cryptographic key management and establishment can be performed using manual\n               procedures or automated mechanisms with supporting manual procedures. Organizations\n               define key management requirements in accordance with applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, and guidance,\n               specifying appropriate options, levels, and parameters. Organizations manage trust\n               stores to ensure that only approved trust anchors are in such trust stores. This\n               includes certificates with visibility external to organizational information systems\n               and certificates related to the internal operations of systems.",
-                "links": [
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  }
-                ]
-              },
-              {
-                "id": "sc-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-12[1]"
-                      }
-                    ],
-                    "prose": "defines requirements for cryptographic key:",
-                    "parts": [
-                      {
-                        "id": "sc-12_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][a]"
-                          }
-                        ],
-                        "prose": "generation;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][b]"
-                          }
-                        ],
-                        "prose": "distribution;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][c]"
-                          }
-                        ],
-                        "prose": "storage;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.d",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][d]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.e",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][e]"
-                          }
-                        ],
-                        "prose": "destruction; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-12[2]"
-                      }
-                    ],
-                    "prose": "establishes and manages cryptographic keys for required cryptography employed\n                  within the information system in accordance with organization-defined requirements\n                  for key generation, distribution, storage, access, and destruction."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ncryptographic mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key establishment\n                  and/or management"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic key\n                  establishment and management"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-13",
-            "class": "SP800-53",
-            "title": "Cryptographic Protection",
-            "parameters": [
-              {
-                "id": "sc-13_prm_1",
-                "label": "organization-defined cryptographic uses and type of cryptography required for\n               each use",
-                "constraints": [
-                  {
-                    "detail": "FIPS-validated or NSA-approved cryptography"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SC-13"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-13"
-              }
-            ],
-            "links": [
-              {
-                "href": "#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-                "rel": "reference",
-                "text": "FIPS Publication 140"
-              },
-              {
-                "href": "#6a1041fc-054e-4230-946b-2e6f4f3731bb",
-                "rel": "reference",
-                "text": "http://csrc.nist.gov/cryptval"
-              },
-              {
-                "href": "#9b97ed27-3dd6-4f9a-ade5-1b43e9669794",
-                "rel": "reference",
-                "text": "http://www.cnss.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-13_smt",
-                "name": "statement",
-                "prose": "The information system implements {{ sc-13_prm_1 }} in accordance with\n               applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards."
-              },
-              {
-                "id": "sc-13_gdn",
-                "name": "guidance",
-                "prose": "Cryptography can be employed to support a variety of security solutions including,\n               for example, the protection of classified and Controlled Unclassified Information,\n               the provision of digital signatures, and the enforcement of information separation\n               when authorized individuals have the necessary clearances for such information but\n               lack the necessary formal access approvals. Cryptography can also be used to support\n               random number generation and hash generation. Generally applicable cryptographic\n               standards include FIPS-validated cryptography and NSA-approved cryptography. This\n               control does not impose any requirements on organizations to use cryptography.\n               However, if cryptography is required based on the selection of other security\n               controls, organizations define each type of cryptographic use and the type of\n               cryptography required (e.g., protection of classified information: NSA-approved\n               cryptography; provision of digital signatures: FIPS-validated cryptography).",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#au-10",
-                    "rel": "related",
-                    "text": "AU-10"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-7",
-                    "rel": "related",
-                    "text": "IA-7"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-13_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-13_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[1]"
-                      }
-                    ],
-                    "prose": "the organization defines cryptographic uses; and"
-                  },
-                  {
-                    "id": "sc-13_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[2]"
-                      }
-                    ],
-                    "prose": "the organization defines the type of cryptography required for each use; and"
-                  },
-                  {
-                    "id": "sc-13_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[3]"
-                      }
-                    ],
-                    "prose": "the information system implements the organization-defined cryptographic uses and\n                  type of cryptography required for each use in accordance with applicable federal\n                  laws, Executive Orders, directives, policies, regulations, and standards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic module validation certificates\\n\\nlist of FIPS validated cryptographic modules\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic protection"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic protection"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-15",
-            "class": "SP800-53",
-            "title": "Collaborative Computing Devices",
-            "parameters": [
-              {
-                "id": "sc-15_prm_1",
-                "label": "organization-defined exceptions where remote activation is to be allowed",
-                "constraints": [
-                  {
-                    "detail": "no exceptions"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-15_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-15_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Prohibits remote activation of collaborative computing devices with the following\n                  exceptions: {{ sc-15_prm_1 }}; and"
-                  },
-                  {
-                    "id": "sc-15_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Provides an explicit indication of use to users physically present at the\n                  devices."
-                  },
-                  {
-                    "id": "sc-15_fr",
-                    "name": "item",
-                    "title": "SC-15 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sc-15_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-15_gdn",
-                "name": "guidance",
-                "prose": "Collaborative computing devices include, for example, networked white boards,\n               cameras, and microphones. Explicit indication of use includes, for example, signals\n               to users when collaborative computing devices are activated.",
-                "links": [
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  }
-                ]
-              },
-              {
-                "id": "sc-15_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-15.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-15(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-15.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-15(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines exceptions where remote activation of collaborative\n                     computing devices is to be allowed;"
-                      },
-                      {
-                        "id": "sc-15.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-15(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system prohibits remote activation of collaborative computing\n                     devices, except for organization-defined exceptions where remote activation is\n                     to be allowed; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-15.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-15(b)"
-                      }
-                    ],
-                    "prose": "the information system provides an explicit indication of use to users physically\n                  present at the devices."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing collaborative computing\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for managing collaborative\n                  computing devices"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing management of remote\n                  activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing\n                  devices"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-20",
-            "class": "SP800-53",
-            "title": "Secure Name / Address Resolution Service (authoritative Source)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-20"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-20"
-              }
-            ],
-            "links": [
-              {
-                "href": "#28115a56-da6b-4d44-b1df-51dd7f048a3e",
-                "rel": "reference",
-                "text": "OMB Memorandum 08-23"
-              },
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-20_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-20_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides additional data origin authentication and integrity verification\n                  artifacts along with the authoritative name resolution data the system returns in\n                  response to external name/address resolution queries; and"
-                  },
-                  {
-                    "id": "sc-20_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Provides the means to indicate the security status of child zones and (if the\n                  child supports secure resolution services) to enable verification of a chain of\n                  trust among parent and child domains, when operating as part of a distributed,\n                  hierarchical namespace."
-                  }
-                ]
-              },
-              {
-                "id": "sc-20_gdn",
-                "name": "guidance",
-                "prose": "This control enables external clients including, for example, remote Internet\n               clients, to obtain origin authentication and integrity verification assurances for\n               the host/service name to network address resolution information obtained through the\n               service. Information systems that provide name and address resolution services\n               include, for example, domain name system (DNS) servers. Additional artifacts include,\n               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS\n               resource records are examples of authoritative data. The means to indicate the\n               security status of child zones includes, for example, the use of delegation signer\n               resource records in the DNS. The DNS security controls reflect (and are referenced\n               from) OMB Memorandum 08-23. Information systems that use technologies other than the\n               DNS to map between host/service names and network addresses provide other means to\n               assure the authenticity and integrity of response data.",
-                "links": [
-                  {
-                    "href": "#au-10",
-                    "rel": "related",
-                    "text": "AU-10"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-21",
-                    "rel": "related",
-                    "text": "SC-21"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-20_obj",
-                "name": "objective",
-                "prose": "Determine if the information system:",
-                "parts": [
-                  {
-                    "id": "sc-20.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-20(a)"
-                      }
-                    ],
-                    "prose": "provides additional data origin and integrity verification artifacts along with\n                  the authoritative name resolution data the system returns in response to external\n                  name/address resolution queries;"
-                  },
-                  {
-                    "id": "sc-20.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-20(b)"
-                      }
-                    ],
-                    "prose": "provides the means to, when operating as part of a distributed, hierarchical\n                  namespace:",
-                    "parts": [
-                      {
-                        "id": "sc-20.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-20(b)[1]"
-                          }
-                        ],
-                        "prose": "indicate the security status of child zones; and"
-                      },
-                      {
-                        "id": "sc-20.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-20(b)[2]"
-                          }
-                        ],
-                        "prose": "enable verification of a chain of trust among parent and child domains (if the\n                     child supports secure resolution services)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (authoritative\n                  source)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing secure name/address resolution\n                  service"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-21",
-            "class": "SP800-53",
-            "title": "Secure Name / Address Resolution Service (recursive or Caching Resolver)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-21"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-21"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-21_smt",
-                "name": "statement",
-                "prose": "The information system requests and performs data origin authentication and data\n               integrity verification on the name/address resolution responses the system receives\n               from authoritative sources."
-              },
-              {
-                "id": "sc-21_gdn",
-                "name": "guidance",
-                "prose": "Each client of name resolution services either performs this validation on its own,\n               or has authenticated channels to trusted validation providers. Information systems\n               that provide name and address resolution services for local clients include, for\n               example, recursive resolving or caching domain name system (DNS) servers. DNS client\n               resolvers either perform validation of DNSSEC signatures, or clients use\n               authenticated channels to recursive resolvers that perform such validations.\n               Information systems that use technologies other than the DNS to map between\n               host/service names and network addresses provide other means to enable clients to\n               verify the authenticity and integrity of response data.",
-                "links": [
-                  {
-                    "href": "#sc-20",
-                    "rel": "related",
-                    "text": "SC-20"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-21_obj",
-                "name": "objective",
-                "prose": "Determine if the information system: ",
-                "parts": [
-                  {
-                    "id": "sc-21_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[1]"
-                      }
-                    ],
-                    "prose": "requests data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources;"
-                  },
-                  {
-                    "id": "sc-21_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[2]"
-                      }
-                    ],
-                    "prose": "requests data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources;"
-                  },
-                  {
-                    "id": "sc-21_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[3]"
-                      }
-                    ],
-                    "prose": "performs data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources; and"
-                  },
-                  {
-                    "id": "sc-21_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[4]"
-                      }
-                    ],
-                    "prose": "performs data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (recursive or caching\n                  resolver)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing data origin authentication and\n                  data integrity verification for name/address resolution services"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-22",
-            "class": "SP800-53",
-            "title": "Architecture and Provisioning for Name / Address Resolution Service",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-22"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-22"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-22_smt",
-                "name": "statement",
-                "prose": "The information systems that collectively provide name/address resolution service for\n               an organization are fault-tolerant and implement internal/external role\n               separation."
-              },
-              {
-                "id": "sc-22_gdn",
-                "name": "guidance",
-                "prose": "Information systems that provide name and address resolution services include, for\n               example, domain name system (DNS) servers. To eliminate single points of failure and\n               to enhance redundancy, organizations employ at least two authoritative domain name\n               system servers, one configured as the primary server and the other configured as the\n               secondary server. Additionally, organizations typically deploy the servers in two\n               geographically separated network subnetworks (i.e., not located in the same physical\n               facility). For role separation, DNS servers with internal roles only process name and\n               address resolution requests from within organizations (i.e., from internal clients).\n               DNS servers with external roles only process name and address resolution information\n               requests from clients external to organizations (i.e., on external networks including\n               the Internet). Organizations specify clients that can access authoritative DNS\n               servers in particular roles (e.g., by address ranges, explicit lists).",
-                "links": [
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-20",
-                    "rel": "related",
-                    "text": "SC-20"
-                  },
-                  {
-                    "href": "#sc-21",
-                    "rel": "related",
-                    "text": "SC-21"
-                  },
-                  {
-                    "href": "#sc-24",
-                    "rel": "related",
-                    "text": "SC-24"
-                  }
-                ]
-              },
-              {
-                "id": "sc-22_obj",
-                "name": "objective",
-                "prose": "Determine if the information systems that collectively provide name/address\n               resolution service for an organization: ",
-                "parts": [
-                  {
-                    "id": "sc-22_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-22[1]"
-                      }
-                    ],
-                    "prose": "are fault tolerant; and"
-                  },
-                  {
-                    "id": "sc-22_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-22[2]"
-                      }
-                    ],
-                    "prose": "implement internal/external role separation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing architecture and provisioning for name/address resolution\n                  service\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\nassessment results from independent, testing organizations\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing name/address resolution\n                  service for fault tolerance and role separation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-39",
-            "class": "SP800-53",
-            "title": "Process Isolation",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-39"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-39"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-39_smt",
-                "name": "statement",
-                "prose": "The information system maintains a separate execution domain for each executing\n               process."
-              },
-              {
-                "id": "sc-39_gdn",
-                "name": "guidance",
-                "prose": "Information systems can maintain separate execution domains for each executing\n               process by assigning each process a separate address space. Each information system\n               process has a distinct address space so that communication between processes is\n               performed in a manner controlled through the security functions, and one process\n               cannot modify the executing code of another process. Maintaining separate execution\n               domains for executing processes can be achieved, for example, by implementing\n               separate address spaces. This capability is available in most commercial operating\n               systems that employ multi-state processor technologies.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "sc-39_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system maintains a separate execution domain for each\n               executing process."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system design documentation\\n\\ninformation system architecture\\n\\nindependent verification and validation documentation\\n\\ntesting and evaluation documentation, other relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system developers/integrators\\n\\ninformation system security architect"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing separate execution domains for\n                  each executing process"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "si",
-        "class": "family",
-        "title": "System and Information Integrity",
-        "controls": [
-          {
-            "id": "si-1",
-            "class": "SP800-53",
-            "title": "System and Information Integrity Policy and Procedures",
-            "parameters": [
-              {
-                "id": "si-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "si-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ si-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "si-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and information integrity policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "si-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and information\n                     integrity policy and associated system and information integrity controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "si-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and information integrity policy {{ si-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "si-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and information integrity procedures {{ si-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SI\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "si-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and information integrity policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "si-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "si-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and information integrity\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "si-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and information integrity policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and information integrity policy and associated system and\n                        information integrity controls;"
-                          },
-                          {
-                            "id": "si-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "si-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        information integrity policy;"
-                          },
-                          {
-                            "id": "si-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and information integrity policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        information integrity procedures; and"
-                          },
-                          {
-                            "id": "si-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and information integrity procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and information integrity\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-2",
-            "class": "SP800-53",
-            "title": "Flaw Remediation",
-            "parameters": [
-              {
-                "id": "si-2_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "within 30 days of release of updates"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              },
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies, reports, and corrects information system flaws;"
-                  },
-                  {
-                    "id": "si-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Tests software and firmware updates related to flaw remediation for effectiveness\n                  and potential side effects before installation;"
-                  },
-                  {
-                    "id": "si-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"
-                  },
-                  {
-                    "id": "si-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Incorporates flaw remediation into the organizational configuration management\n                  process."
-                  }
-                ]
-              },
-              {
-                "id": "si-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations identify information systems affected by announced software flaws\n               including potential vulnerabilities resulting from those flaws, and report this\n               information to designated organizational personnel with information security\n               responsibilities. Security-relevant software updates include, for example, patches,\n               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws\n               discovered during security assessments, continuous monitoring, incident response\n               activities, and system error handling. Organizations take advantage of available\n               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and\n               Exposures (CVE) databases in remediating flaws discovered in organizational\n               information systems. By incorporating flaw remediation into ongoing configuration\n               management processes, required/anticipated remediation actions can be tracked and\n               verified. Flaw remediation actions that can be tracked and verified include, for\n               example, determining whether organizations follow US-CERT guidance and Information\n               Assurance Vulnerability Alerts. Organization-defined time periods for updating\n               security-relevant software and firmware may vary based on a variety of factors\n               including, for example, the security category of the information system or the\n               criticality of the update (i.e., severity of the vulnerability related to the\n               discovered flaw). Some types of flaw remediation may require more testing than other\n               types. Organizations determine the degree and type of testing needed for the specific\n               type of flaw remediation activity under consideration and also the types of changes\n               that are to be configuration-managed. In some situations, organizations may determine\n               that the testing of software and/or firmware updates is not necessary or practical,\n               for example, when implementing simple anti-virus signature updates. Organizations may\n               also consider in testing decisions, whether security-relevant software or firmware\n               updates are obtained from authorized sources with appropriate digital signatures.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#si-11",
-                    "rel": "related",
-                    "text": "SI-11"
-                  }
-                ]
-              },
-              {
-                "id": "si-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[1]"
-                          }
-                        ],
-                        "prose": "identifies information system flaws;"
-                      },
-                      {
-                        "id": "si-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[2]"
-                          }
-                        ],
-                        "prose": "reports information system flaws;"
-                      },
-                      {
-                        "id": "si-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[3]"
-                          }
-                        ],
-                        "prose": "corrects information system flaws;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(b)[1]"
-                          }
-                        ],
-                        "prose": "tests software updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"
-                      },
-                      {
-                        "id": "si-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(b)[2]"
-                          }
-                        ],
-                        "prose": "tests firmware updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to install security-relevant software\n                     updates after the release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to install security-relevant firmware\n                     updates after the release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[3]"
-                          }
-                        ],
-                        "prose": "installs software updates within the organization-defined time period of the\n                     release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[4]"
-                          }
-                        ],
-                        "prose": "installs firmware updates within the organization-defined time period of the\n                     release of the updates; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-2(d)"
-                      }
-                    ],
-                    "prose": "incorporates flaw remediation into the organizational configuration management\n                  process."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nprocedures addressing configuration management\\n\\nlist of flaws and vulnerabilities potentially affecting the information system\\n\\nlist of recent security flaw remediation actions performed on the information\n                  system (e.g., list of installed patches, service packs, hot fixes, and other\n                  software updates to correct information system flaws)\\n\\ntest results from the installation of software and firmware updates to correct\n                  information system flaws\\n\\ninstallation/change control records for security-relevant software and firmware\n                  updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for flaw remediation\\n\\norganizational personnel with configuration management responsibility"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for identifying, reporting, and correcting information\n                  system flaws\\n\\norganizational process for installing software and firmware updates\\n\\nautomated mechanisms supporting and/or implementing reporting, and correcting\n                  information system flaws\\n\\nautomated mechanisms supporting and/or implementing testing software and firmware\n                  updates"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-3",
-            "class": "SP800-53",
-            "title": "Malicious Code Protection",
-            "parameters": [
-              {
-                "id": "si-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least weekly"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_2",
-                "constraints": [
-                  {
-                    "detail": "to include endpoints"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_3",
-                "constraints": [
-                  {
-                    "detail": "to include alerting administrator or defined security personnel"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_4",
-                "depends-on": "si-3_prm_3",
-                "label": "organization-defined action"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs malicious code protection mechanisms at information system entry and exit\n                  points to detect and eradicate malicious code;"
-                  },
-                  {
-                    "id": "si-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and\n                  procedures;"
-                  },
-                  {
-                    "id": "si-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Configures malicious code protection mechanisms to:",
-                    "parts": [
-                      {
-                        "id": "si-3_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in\n                     accordance with organizational security policy; and"
-                      },
-                      {
-                        "id": "si-3_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "\n                     {{ si-3_prm_3 }} in response to malicious code detection;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Addresses the receipt of false positives during malicious code detection and\n                  eradication and the resulting potential impact on the availability of the\n                  information system."
-                  }
-                ]
-              },
-              {
-                "id": "si-3_gdn",
-                "name": "guidance",
-                "prose": "Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations,\n               notebook computers, and mobile devices. Malicious code includes, for example,\n               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in\n               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden\n               files, or hidden in files using steganography. Malicious code can be transported by\n               different means including, for example, web accesses, electronic mail, electronic\n               mail attachments, and portable storage devices. Malicious code insertions occur\n               through the exploitation of information system vulnerabilities. Malicious code\n               protection mechanisms include, for example, anti-virus signature definitions and\n               reputation-based technologies. A variety of technologies and methods exist to limit\n               or eliminate the effects of malicious code. Pervasive configuration management and\n               comprehensive software integrity controls may be effective in preventing execution of\n               unauthorized code. In addition to commercial off-the-shelf software, malicious code\n               may also be present in custom-built software. This could include, for example, logic\n               bombs, back doors, and other types of cyber attacks that could affect organizational\n               missions/business functions. Traditional malicious code protection mechanisms cannot\n               always detect such code. In these situations, organizations rely instead on other\n               safeguards including, for example, secure coding practices, configuration management\n               and control, trusted procurement processes, and monitoring practices to help ensure\n               that software does not perform functions other than the functions intended.\n               Organizations may determine that in response to the detection of malicious code,\n               different actions may be warranted. For example, organizations can define actions in\n               response to malicious code detection during periodic scans, actions in response to\n               detection of malicious downloads, and/or actions in response to detection of\n               maliciousness when attempting to open or execute files.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sa-13",
-                    "rel": "related",
-                    "text": "SA-13"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-26",
-                    "rel": "related",
-                    "text": "SC-26"
-                  },
-                  {
-                    "href": "#sc-44",
-                    "rel": "related",
-                    "text": "SC-44"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-3(a)"
-                      }
-                    ],
-                    "prose": "employs malicious code protection mechanisms to detect and eradicate malicious\n                  code at information system:",
-                    "parts": [
-                      {
-                        "id": "si-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(a)[1]"
-                          }
-                        ],
-                        "prose": "entry points;"
-                      },
-                      {
-                        "id": "si-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(a)[2]"
-                          }
-                        ],
-                        "prose": "exit points;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-3(b)"
-                      }
-                    ],
-                    "prose": "updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and procedures\n                  (as identified in CM-1);"
-                  },
-                  {
-                    "id": "si-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency for malicious code protection mechanisms to perform\n                     periodic scans of the information system;"
-                      },
-                      {
-                        "id": "si-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[2]"
-                          }
-                        ],
-                        "prose": "defines action to be initiated by malicious protection mechanisms in response\n                     to malicious code detection;"
-                      },
-                      {
-                        "id": "si-3.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[3]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-3.c.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-3(c)[3](1)"
-                              }
-                            ],
-                            "prose": "configures malicious code protection mechanisms to:",
-                            "parts": [
-                              {
-                                "id": "si-3.c.1_obj.3.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](1)[a]"
-                                  }
-                                ],
-                                "prose": "perform periodic scans of the information system with the\n                           organization-defined frequency;"
-                              },
-                              {
-                                "id": "si-3.c.1_obj.3.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](1)[b]"
-                                  }
-                                ],
-                                "prose": "perform real-time scans of files from external sources at endpoint and/or\n                           network entry/exit points as the files are downloaded, opened, or\n                           executed in accordance with organizational security policy;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "si-3.c.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-3(c)[3](2)"
-                              }
-                            ],
-                            "prose": "configures malicious code protection mechanisms to do one or more of the\n                        following:",
-                            "parts": [
-                              {
-                                "id": "si-3.c.2_obj.3.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[a]"
-                                  }
-                                ],
-                                "prose": "block malicious code in response to malicious code detection;"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[b]"
-                                  }
-                                ],
-                                "prose": "quarantine malicious code in response to malicious code detection;"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[c]"
-                                  }
-                                ],
-                                "prose": "send alert to administrator in response to malicious code detection;\n                           and/or"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[d]"
-                                  }
-                                ],
-                                "prose": "initiate organization-defined action in response to malicious code\n                           detection;"
-                              }
-                            ]
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(d)[1]"
-                          }
-                        ],
-                        "prose": "addresses the receipt of false positives during malicious code detection and\n                     eradication; and"
-                      },
-                      {
-                        "id": "si-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(d)[2]"
-                          }
-                        ],
-                        "prose": "addresses the resulting potential impact on the availability of the information\n                     system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nconfiguration management policy and procedures\\n\\nprocedures addressing malicious code protection\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nscan results from malicious code protection mechanisms\\n\\nrecord of actions initiated by malicious code protection mechanisms in response to\n                  malicious code detection\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for malicious code protection\\n\\norganizational personnel with configuration management responsibility"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for employing, updating, and configuring malicious code\n                  protection mechanisms\\n\\norganizational process for addressing false positives and resulting potential\n                  impact\\n\\nautomated mechanisms supporting and/or implementing employing, updating, and\n                  configuring malicious code protection mechanisms\\n\\nautomated mechanisms supporting and/or implementing malicious code scanning and\n                  subsequent actions"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-4",
-            "class": "SP800-53",
-            "title": "Information System Monitoring",
-            "parameters": [
-              {
-                "id": "si-4_prm_1",
-                "label": "organization-defined monitoring objectives"
-              },
-              {
-                "id": "si-4_prm_2",
-                "label": "organization-defined techniques and methods"
-              },
-              {
-                "id": "si-4_prm_3",
-                "label": "organization-defined information system monitoring information"
-              },
-              {
-                "id": "si-4_prm_4",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-4_prm_5"
-              },
-              {
-                "id": "si-4_prm_6",
-                "depends-on": "si-4_prm_5",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              },
-              {
-                "href": "#672fd561-b92b-4713-b9cf-6c9d9456728b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-92"
-              },
-              {
-                "href": "#d1b1d689-0f66-4474-9924-c81119758dc1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-94"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors the information system to detect:",
-                    "parts": [
-                      {
-                        "id": "si-4_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and"
-                      },
-                      {
-                        "id": "si-4_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Unauthorized local, network, and remote connections;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Identifies unauthorized use of the information system through {{ si-4_prm_2 }};"
-                  },
-                  {
-                    "id": "si-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Deploys monitoring devices:",
-                    "parts": [
-                      {
-                        "id": "si-4_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Strategically within the information system to collect organization-determined\n                     essential information; and"
-                      },
-                      {
-                        "id": "si-4_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "At ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects information obtained from intrusion-monitoring tools from unauthorized\n                  access, modification, and deletion;"
-                  },
-                  {
-                    "id": "si-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"
-                  },
-                  {
-                    "id": "si-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations; and"
-                  },
-                  {
-                    "id": "si-4_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n                  {{ si-4_prm_5 }}."
-                  },
-                  {
-                    "id": "si-4_fr",
-                    "name": "item",
-                    "title": "SI-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "si-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See US-CERT Incident Response Reporting Guidelines."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4_gdn",
-                "name": "guidance",
-                "prose": "Information system monitoring includes external and internal monitoring. External\n               monitoring includes the observation of events occurring at the information system\n               boundary (i.e., part of perimeter defense and boundary protection). Internal\n               monitoring includes the observation of events occurring within the information\n               system. Organizations can monitor information systems, for example, by observing\n               audit activities in real time or by observing other system aspects such as access\n               patterns, characteristics of access, and other actions. The monitoring objectives may\n               guide determination of the events. Information system monitoring capability is\n               achieved through a variety of tools and techniques (e.g., intrusion detection\n               systems, intrusion prevention systems, malicious code protection software, scanning\n               tools, audit record monitoring software, network monitoring software). Strategic\n               locations for monitoring devices include, for example, selected perimeter locations\n               and near server farms supporting critical applications, with such devices typically\n               being employed at the managed interfaces associated with controls SC-7 and AC-17.\n               Einstein network monitoring devices from the Department of Homeland Security can also\n               be included as monitoring devices. The granularity of monitoring information\n               collected is based on organizational monitoring objectives and the capability of\n               information systems to support such objectives. Specific types of transactions of\n               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that\n               bypasses HTTP proxies. Information system monitoring is an integral part of\n               organizational continuous monitoring and incident response programs. Output from\n               system monitoring serves as input to continuous monitoring and incident response\n               programs. A network connection is any connection with a device that communicates\n               through a network (e.g., local area network, Internet). A remote connection is any\n               connection with a device communicating through an external network (e.g., the\n               Internet). Local, network, and remote connections can be either wired or\n               wireless.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-8",
-                    "rel": "related",
-                    "text": "AC-8"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-26",
-                    "rel": "related",
-                    "text": "SC-26"
-                  },
-                  {
-                    "href": "#sc-35",
-                    "rel": "related",
-                    "text": "SC-35"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "si-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-4.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines monitoring objectives to detect attacks and indicators of potential\n                        attacks on the information system;"
-                          },
-                          {
-                            "id": "si-4.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "monitors the information system to detect, in accordance with\n                        organization-defined monitoring objectives,:",
-                            "parts": [
-                              {
-                                "id": "si-4.a.1_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-4(a)(1)[2][a]"
-                                  }
-                                ],
-                                "prose": "attacks;"
-                              },
-                              {
-                                "id": "si-4.a.1_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-4(a)(1)[2][b]"
-                                  }
-                                ],
-                                "prose": "indicators of potential attacks;"
-                              }
-                            ]
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-4.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(a)(2)"
-                          }
-                        ],
-                        "prose": "monitors the information system to detect unauthorized:",
-                        "parts": [
-                          {
-                            "id": "si-4.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "local connections;"
-                          },
-                          {
-                            "id": "si-4.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "network connections;"
-                          },
-                          {
-                            "id": "si-4.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "remote connections;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(b)(1)"
-                          }
-                        ],
-                        "prose": "defines techniques and methods to identify unauthorized use of the information\n                     system;"
-                      },
-                      {
-                        "id": "si-4.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(b)(2)"
-                          }
-                        ],
-                        "prose": "identifies unauthorized use of the information system through\n                     organization-defined techniques and methods;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(c)"
-                      }
-                    ],
-                    "prose": "deploys monitoring devices:",
-                    "parts": [
-                      {
-                        "id": "si-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(c)[1]"
-                          }
-                        ],
-                        "prose": "strategically within the information system to collect organization-determined\n                     essential information;"
-                      },
-                      {
-                        "id": "si-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(c)[2]"
-                          }
-                        ],
-                        "prose": "at ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(d)"
-                      }
-                    ],
-                    "prose": "protects information obtained from intrusion-monitoring tools from\n                  unauthorized:",
-                    "parts": [
-                      {
-                        "id": "si-4.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[1]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "si-4.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[2]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      },
-                      {
-                        "id": "si-4.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[3]"
-                          }
-                        ],
-                        "prose": "deletion;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(e)"
-                      }
-                    ],
-                    "prose": "heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"
-                  },
-                  {
-                    "id": "si-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(f)"
-                      }
-                    ],
-                    "prose": "obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations;"
-                  },
-                  {
-                    "id": "si-4.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom information system monitoring information is\n                     to be provided;"
-                      },
-                      {
-                        "id": "si-4.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[2]"
-                          }
-                        ],
-                        "prose": "defines information system monitoring information to be provided to\n                     organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "si-4.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[3]"
-                          }
-                        ],
-                        "prose": "defines a frequency to provide organization-defined information system\n                     monitoring to organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "si-4.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[4]"
-                          }
-                        ],
-                        "prose": "provides organization-defined information system monitoring information to\n                     organization-defined personnel or roles one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "si-4.g_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(g)[4][a]"
-                              }
-                            ],
-                            "prose": "as needed; and/or"
-                          },
-                          {
-                            "id": "si-4.g_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(g)[4][b]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Continuous monitoring strategy\\n\\nsystem and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\nfacility diagram/layout\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\nlocations within information system where monitoring devices are deployed\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility monitoring the information system"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system monitoring\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-5",
-            "class": "SP800-53",
-            "title": "Security Alerts, Advisories, and Directives",
-            "parameters": [
-              {
-                "id": "si-5_prm_1",
-                "label": "organization-defined external organizations",
-                "constraints": [
-                  {
-                    "detail": "to include US-CERT"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_prm_2",
-                "constraints": [
-                  {
-                    "detail": "to include system security personnel and administrators with configuration/patch-management responsibilities"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_prm_3",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-5_prm_4",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined elements within the organization"
-              },
-              {
-                "id": "si-5_prm_5",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined external organizations"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Receives information system security alerts, advisories, and directives from\n                     {{ si-5_prm_1 }} on an ongoing basis;"
-                  },
-                  {
-                    "id": "si-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Generates internal security alerts, advisories, and directives as deemed\n                  necessary;"
-                  },
-                  {
-                    "id": "si-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"
-                  },
-                  {
-                    "id": "si-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Implements security directives in accordance with established time frames, or\n                  notifies the issuing organization of the degree of noncompliance."
-                  }
-                ]
-              },
-              {
-                "id": "si-5_gdn",
-                "name": "guidance",
-                "prose": "The United States Computer Emergency Readiness Team (US-CERT) generates security\n               alerts and advisories to maintain situational awareness across the federal\n               government. Security directives are issued by OMB or other designated organizations\n               with the responsibility and authority to issue such directives. Compliance to\n               security directives is essential due to the critical nature of many of these\n               directives and the potential immediate adverse effects on organizational operations\n               and assets, individuals, other organizations, and the Nation should the directives\n               not be implemented in a timely manner. External organizations include, for example,\n               external mission/business partners, supply chain partners, external service\n               providers, and other peer/supporting organizations.",
-                "links": [
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(a)[1]"
-                          }
-                        ],
-                        "prose": "defines external organizations from whom information system security alerts,\n                     advisories and directives are to be received;"
-                      },
-                      {
-                        "id": "si-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(a)[2]"
-                          }
-                        ],
-                        "prose": "receives information system security alerts, advisories, and directives from\n                     organization-defined external organizations on an ongoing basis;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-5(b)"
-                      }
-                    ],
-                    "prose": "generates internal security alerts, advisories, and directives as deemed\n                  necessary;"
-                  },
-                  {
-                    "id": "si-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom security alerts, advisories, and directives\n                     are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[2]"
-                          }
-                        ],
-                        "prose": "defines elements within the organization to whom security alerts, advisories,\n                     and directives are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[3]"
-                          }
-                        ],
-                        "prose": "defines external organizations to whom security alerts, advisories, and\n                     directives are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[4]"
-                          }
-                        ],
-                        "prose": "disseminates security alerts, advisories, and directives to one or more of the\n                     following:",
-                        "parts": [
-                          {
-                            "id": "si-5.c_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][a]"
-                              }
-                            ],
-                            "prose": "organization-defined personnel or roles;"
-                          },
-                          {
-                            "id": "si-5.c_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][b]"
-                              }
-                            ],
-                            "prose": "organization-defined elements within the organization; and/or"
-                          },
-                          {
-                            "id": "si-5.c_obj.4.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][c]"
-                              }
-                            ],
-                            "prose": "organization-defined external organizations; and"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(d)[1]"
-                          }
-                        ],
-                        "prose": "implements security directives in accordance with established time frames;\n                     or"
-                      },
-                      {
-                        "id": "si-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(d)[2]"
-                          }
-                        ],
-                        "prose": "notifies the issuing organization of the degree of noncompliance."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\nrecords of security alerts and advisories\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                  information system\\n\\norganizational personnel, organizational elements, and/or external organizations\n                  to whom alerts, advisories, and directives are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining, receiving, generating, disseminating, and\n                  complying with security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing definition, receipt,\n                  generation, and dissemination of security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing security directives"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-12",
-            "class": "SP800-53",
-            "title": "Information Handling and Retention",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-12_smt",
-                "name": "statement",
-                "prose": "The organization handles and retains information within the information system and\n               information output from the system in accordance with applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and operational\n               requirements."
-              },
-              {
-                "id": "si-12_gdn",
-                "name": "guidance",
-                "prose": "Information handling and retention requirements cover the full life cycle of\n               information, in some cases extending beyond the disposal of information systems. The\n               National Archives and Records Administration provides guidance on records\n               retention.",
-                "links": [
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-11",
-                    "rel": "related",
-                    "text": "AU-11"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  }
-                ]
-              },
-              {
-                "id": "si-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization, in accordance with applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and operational\n               requirements:",
-                "parts": [
-                  {
-                    "id": "si-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-12[1]"
-                      }
-                    ],
-                    "prose": "handles information within the information system;"
-                  },
-                  {
-                    "id": "si-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[2]"
-                      }
-                    ],
-                    "prose": "handles output from the information system;"
-                  },
-                  {
-                    "id": "si-12_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[3]"
-                      }
-                    ],
-                    "prose": "retains information within the information system; and"
-                  },
-                  {
-                    "id": "si-12_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[4]"
-                      }
-                    ],
-                    "prose": "retains output from the information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nfederal laws, Executive Orders, directives, policies, regulations, standards, and\n                  operational requirements applicable to information handling and retention\\n\\nmedia protection policy and procedures\\n\\nprocedures addressing information system output handling and retention\\n\\ninformation retention records, other relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for information handling and\n                  retention\\n\\norganizational personnel with information security responsibilities/network\n                  administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information handling and retention\\n\\nautomated mechanisms supporting and/or implementing information handling and\n                  retention"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-16",
-            "class": "SP800-53",
-            "title": "Memory Protection",
-            "parameters": [
-              {
-                "id": "si-16_prm_1",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-16"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-16_smt",
-                "name": "statement",
-                "prose": "The information system implements {{ si-16_prm_1 }} to protect its\n               memory from unauthorized code execution."
-              },
-              {
-                "id": "si-16_gdn",
-                "name": "guidance",
-                "prose": "Some adversaries launch attacks with the intent of executing code in non-executable\n               regions of memory or in memory locations that are prohibited. Security safeguards\n               employed to protect memory include, for example, data execution prevention and\n               address space layout randomization. Data execution prevention safeguards can either\n               be hardware-enforced or software-enforced with hardware providing the greater\n               strength of mechanism.",
-                "links": [
-                  {
-                    "href": "#ac-25",
-                    "rel": "related",
-                    "text": "AC-25"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "si-16_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-16_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-16[1]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be implemented to protect\n                  information system memory from unauthorized code execution; and"
-                  },
-                  {
-                    "id": "si-16_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-16[2]"
-                      }
-                    ],
-                    "prose": "the information system implements organization-defined security safeguards to\n                  protect its memory from unauthorized code execution."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing memory protection for the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security safeguards protecting information system memory from unauthorized\n                  code execution\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for memory protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing safeguards to protect\n                  information system memory from unauthorized code execution"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      }
-    ],
-    "back-matter": {
-      "resources": [
-        {
-          "uuid": "0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-          "title": "5 C.F.R. 731.106",
-          "citation": {
-            "text": "Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,\n               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.\n               731.106)."
-          },
-          "rlinks": [
-            {
-              "href": "http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"
-            }
-          ]
-        },
-        {
-          "uuid": "bb61234b-46c3-4211-8c2b-9869222a720d",
-          "title": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)",
-          "citation": {
-            "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"
-            }
-          ]
-        },
-        {
-          "uuid": "a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-          "title": "CNSS Policy 15",
-          "citation": {
-            "text": "CNSS Policy 15"
-          },
-          "rlinks": [
-            {
-              "href": "https://www.cnss.gov/policies.html"
-            }
-          ]
-        },
-        {
-          "uuid": "2d8b14e9-c8b5-4d3d-8bdc-155078f3281b",
-          "title": "DoD Information Assurance Vulnerability Alerts",
-          "citation": {
-            "text": "DoD Information Assurance Vulnerability Alerts"
-          }
-        },
-        {
-          "uuid": "61081e7f-041d-4033-96a7-44a439071683",
-          "title": "DoD Instruction 5200.39",
-          "citation": {
-            "text": "DoD Instruction 5200.39"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "e42b2099-3e1c-415b-952c-61c96533c12e",
-          "title": "DoD Instruction 8551.01",
-          "citation": {
-            "text": "DoD Instruction 8551.01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-          "title": "Executive Order 13587",
-          "citation": {
-            "text": "Executive Order 13587"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"
-            }
-          ]
-        },
-        {
-          "uuid": "56d671da-6b7b-4abf-8296-84b61980390a",
-          "title": "Federal Acquisition Regulation",
-          "citation": {
-            "text": "Federal Acquisition Regulation"
-          },
-          "rlinks": [
-            {
-              "href": "https://acquisition.gov/far"
-            }
-          ]
-        },
-        {
-          "uuid": "023104bc-6f75-4cd5-b7d0-fc92326f8007",
-          "title": "Federal Continuity Directive 1",
-          "citation": {
-            "text": "Federal Continuity Directive 1"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.fema.gov/pdf/about/offices/fcd1.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-          "title": "FICAM Roadmap and Implementation Guidance",
-          "citation": {
-            "text": "FICAM Roadmap and Implementation Guidance"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"
-            }
-          ]
-        },
-        {
-          "uuid": "39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-          "title": "FIPS Publication 140",
-          "citation": {
-            "text": "FIPS Publication 140"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html"
-            }
-          ]
-        },
-        {
-          "uuid": "d715b234-9b5b-4e07-b1ed-99836727664d",
-          "title": "FIPS Publication 140-2",
-          "citation": {
-            "text": "FIPS Publication 140-2"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#140-2"
-            }
-          ]
-        },
-        {
-          "uuid": "f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-          "title": "FIPS Publication 197",
-          "citation": {
-            "text": "FIPS Publication 197"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#197"
-            }
-          ]
-        },
-        {
-          "uuid": "e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-          "title": "FIPS Publication 199",
-          "citation": {
-            "text": "FIPS Publication 199"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#199"
-            }
-          ]
-        },
-        {
-          "uuid": "c80c10b3-1294-4984-a4cc-d1733ca432b9",
-          "title": "FIPS Publication 201",
-          "citation": {
-            "text": "FIPS Publication 201"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#201"
-            }
-          ]
-        },
-        {
-          "uuid": "ad733a42-a7ed-4774-b988-4930c28852f3",
-          "title": "HSPD-12",
-          "citation": {
-            "text": "HSPD-12"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dhs.gov/homeland-security-presidential-directive-12"
-            }
-          ]
-        },
-        {
-          "uuid": "e95dd121-2733-413e-bf1e-f1eb49f20a98",
-          "title": "http://checklists.nist.gov",
-          "citation": {
-            "text": "http://checklists.nist.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://checklists.nist.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "6a1041fc-054e-4230-946b-2e6f4f3731bb",
-          "title": "http://csrc.nist.gov/cryptval",
-          "citation": {
-            "text": "http://csrc.nist.gov/cryptval"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/cryptval"
-            }
-          ]
-        },
-        {
-          "uuid": "b09d1a31-d3c9-4138-a4f4-4c63816afd7d",
-          "title": "http://csrc.nist.gov/groups/STM/cmvp/index.html",
-          "citation": {
-            "text": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-            }
-          ]
-        },
-        {
-          "uuid": "15522e92-9192-463d-9646-6a01982db8ca",
-          "title": "http://cwe.mitre.org",
-          "citation": {
-            "text": "http://cwe.mitre.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://cwe.mitre.org"
-            }
-          ]
-        },
-        {
-          "uuid": "5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-          "title": "http://fips201ep.cio.gov",
-          "citation": {
-            "text": "http://fips201ep.cio.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://fips201ep.cio.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "85280698-0417-489d-b214-12bb935fb939",
-          "title": "http://idmanagement.gov",
-          "citation": {
-            "text": "http://idmanagement.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://idmanagement.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "275cc052-0f7f-423c-bdb6-ed503dc36228",
-          "title": "http://nvd.nist.gov",
-          "citation": {
-            "text": "http://nvd.nist.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://nvd.nist.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "bbd50dd1-54ce-4432-959d-63ea564b1bb4",
-          "title": "http://www.acquisition.gov/far",
-          "citation": {
-            "text": "http://www.acquisition.gov/far"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.acquisition.gov/far"
-            }
-          ]
-        },
-        {
-          "uuid": "9b97ed27-3dd6-4f9a-ade5-1b43e9669794",
-          "title": "http://www.cnss.gov",
-          "citation": {
-            "text": "http://www.cnss.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.cnss.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "c95a9986-3cd6-4a98-931b-ccfc56cb11e5",
-          "title": "http://www.niap-ccevs.org",
-          "citation": {
-            "text": "http://www.niap-ccevs.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.niap-ccevs.org"
-            }
-          ]
-        },
-        {
-          "uuid": "647b6de3-81d0-4d22-bec1-5f1333e34380",
-          "title": "http://www.nsa.gov",
-          "citation": {
-            "text": "http://www.nsa.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nsa.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "a47466c4-c837-4f06-a39f-e68412a5f73d",
-          "title": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml",
-          "citation": {
-            "text": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-            }
-          ]
-        },
-        {
-          "uuid": "02631467-668b-4233-989b-3dfded2fd184",
-          "title": "http://www.us-cert.gov",
-          "citation": {
-            "text": "http://www.us-cert.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.us-cert.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "6caa237b-531b-43ac-9711-d8f6b97b0377",
-          "title": "ICD 704",
-          "citation": {
-            "text": "ICD 704"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"
-            }
-          ]
-        },
-        {
-          "uuid": "398e33fd-f404-4e5c-b90e-2d50d3181244",
-          "title": "ICD 705",
-          "citation": {
-            "text": "ICD 705"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"
-            }
-          ]
-        },
-        {
-          "uuid": "1737a687-52fb-4008-b900-cbfa836f7b65",
-          "title": "ISO/IEC 15408",
-          "citation": {
-            "text": "ISO/IEC 15408"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"
-            }
-          ]
-        },
-        {
-          "uuid": "654f21e2-f3bc-43b2-abdc-60ab8d09744b",
-          "title": "National Strategy for Trusted Identities in Cyberspace",
-          "citation": {
-            "text": "National Strategy for Trusted Identities in Cyberspace"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nist.gov/nstic"
-            }
-          ]
-        },
-        {
-          "uuid": "9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-          "title": "NIST Special Publication 800-100",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-100"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-100"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-100"
-            }
-          ]
-        },
-        {
-          "uuid": "3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-          "title": "NIST Special Publication 800-111",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-111"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-111"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-111"
-            }
-          ]
-        },
-        {
-          "uuid": "349fe082-502d-464a-aa0c-1443c6a5cf40",
-          "title": "NIST Special Publication 800-113",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-113"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-113"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-113"
-            }
-          ]
-        },
-        {
-          "uuid": "1201fcf3-afb1-4675-915a-fb4ae0435717",
-          "title": "NIST Special Publication 800-114 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-114r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-114 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-114r1"
-            }
-          ]
-        },
-        {
-          "uuid": "c4691b88-57d1-463b-9053-2d0087913f31",
-          "title": "NIST Special Publication 800-115",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-115"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-115"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-115"
-            }
-          ]
-        },
-        {
-          "uuid": "2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-          "title": "NIST Special Publication 800-116 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-116r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-116 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-116r1"
-            }
-          ]
-        },
-        {
-          "uuid": "5c201b63-0768-417b-ac22-3f014e3941b2",
-          "title": "NIST Special Publication 800-12 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-12r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-12 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-12r1"
-            }
-          ]
-        },
-        {
-          "uuid": "d1a4e2a9-e512-4132-8795-5357aba29254",
-          "title": "NIST Special Publication 800-121",
-          "citation": {
-            "text": "NIST Special Publication 800-121"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-121"
-            }
-          ]
-        },
-        {
-          "uuid": "0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589",
-          "title": "NIST Special Publication 800-124",
-          "citation": {
-            "text": "NIST Special Publication 800-124"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-124"
-            }
-          ]
-        },
-        {
-          "uuid": "080f8068-5e3e-435e-9790-d22ba4722693",
-          "title": "NIST Special Publication 800-128",
-          "citation": {
-            "text": "NIST Special Publication 800-128"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-128"
-            }
-          ]
-        },
-        {
-          "uuid": "cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-          "title": "NIST Special Publication 800-137",
-          "citation": {
-            "text": "NIST Special Publication 800-137"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-137"
-            }
-          ]
-        },
-        {
-          "uuid": "825438c3-248d-4e30-a51e-246473ce6ada",
-          "title": "NIST Special Publication 800-16",
-          "citation": {
-            "text": "NIST Special Publication 800-16"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-16"
-            }
-          ]
-        },
-        {
-          "uuid": "6513e480-fada-4876-abba-1397084dfb26",
-          "title": "NIST Special Publication 800-164",
-          "citation": {
-            "text": "NIST Special Publication 800-164"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-164"
-            }
-          ]
-        },
-        {
-          "uuid": "9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-          "title": "NIST Special Publication 800-18",
-          "citation": {
-            "text": "NIST Special Publication 800-18"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-18"
-            }
-          ]
-        },
-        {
-          "uuid": "0a5db899-f033-467f-8631-f5a8ba971475",
-          "title": "NIST Special Publication 800-23",
-          "citation": {
-            "text": "NIST Special Publication 800-23"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-23"
-            }
-          ]
-        },
-        {
-          "uuid": "a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-          "title": "NIST Special Publication 800-30",
-          "citation": {
-            "text": "NIST Special Publication 800-30"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-30"
-            }
-          ]
-        },
-        {
-          "uuid": "748a81b9-9cad-463f-abde-8b368167e70d",
-          "title": "NIST Special Publication 800-34",
-          "citation": {
-            "text": "NIST Special Publication 800-34"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-34"
-            }
-          ]
-        },
-        {
-          "uuid": "0c775bc3-bfc3-42c7-a382-88949f503171",
-          "title": "NIST Special Publication 800-35",
-          "citation": {
-            "text": "NIST Special Publication 800-35"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-35"
-            }
-          ]
-        },
-        {
-          "uuid": "d818efd3-db31-4953-8afa-9e76afe83ce2",
-          "title": "NIST Special Publication 800-36",
-          "citation": {
-            "text": "NIST Special Publication 800-36"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-36"
-            }
-          ]
-        },
-        {
-          "uuid": "0a0c26b6-fd44-4274-8b36-93442d49d998",
-          "title": "NIST Special Publication 800-37",
-          "citation": {
-            "text": "NIST Special Publication 800-37"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-37"
-            }
-          ]
-        },
-        {
-          "uuid": "d480aa6a-7a88-424e-a10c-ad1c7870354b",
-          "title": "NIST Special Publication 800-39",
-          "citation": {
-            "text": "NIST Special Publication 800-39"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-39"
-            }
-          ]
-        },
-        {
-          "uuid": "bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-          "title": "NIST Special Publication 800-40",
-          "citation": {
-            "text": "NIST Special Publication 800-40"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-40"
-            }
-          ]
-        },
-        {
-          "uuid": "756a8e86-57d5-4701-8382-f7a40439665a",
-          "title": "NIST Special Publication 800-41",
-          "citation": {
-            "text": "NIST Special Publication 800-41"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-41"
-            }
-          ]
-        },
-        {
-          "uuid": "5309d4d0-46f8-4213-a749-e7584164e5e8",
-          "title": "NIST Special Publication 800-46",
-          "citation": {
-            "text": "NIST Special Publication 800-46"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-46"
-            }
-          ]
-        },
-        {
-          "uuid": "2711f068-734e-4afd-94ba-0b22247fbc88",
-          "title": "NIST Special Publication 800-47",
-          "citation": {
-            "text": "NIST Special Publication 800-47"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-47"
-            }
-          ]
-        },
-        {
-          "uuid": "238ed479-eccb-49f6-82ec-ab74a7a428cf",
-          "title": "NIST Special Publication 800-48",
-          "citation": {
-            "text": "NIST Special Publication 800-48"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-48"
-            }
-          ]
-        },
-        {
-          "uuid": "e12b5738-de74-4fb3-8317-a3995a8a1898",
-          "title": "NIST Special Publication 800-50",
-          "citation": {
-            "text": "NIST Special Publication 800-50"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-50"
-            }
-          ]
-        },
-        {
-          "uuid": "cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-          "title": "NIST Special Publication 800-53A",
-          "citation": {
-            "text": "NIST Special Publication 800-53A"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-53A"
-            }
-          ]
-        },
-        {
-          "uuid": "81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-          "title": "NIST Special Publication 800-56",
-          "citation": {
-            "text": "NIST Special Publication 800-56"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-56"
-            }
-          ]
-        },
-        {
-          "uuid": "a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-          "title": "NIST Special Publication 800-57",
-          "citation": {
-            "text": "NIST Special Publication 800-57"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-57"
-            }
-          ]
-        },
-        {
-          "uuid": "f152844f-b1ef-4836-8729-6277078ebee1",
-          "title": "NIST Special Publication 800-60",
-          "citation": {
-            "text": "NIST Special Publication 800-60"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-60"
-            }
-          ]
-        },
-        {
-          "uuid": "be95fb85-a53f-4624-bdbb-140075500aa3",
-          "title": "NIST Special Publication 800-61",
-          "citation": {
-            "text": "NIST Special Publication 800-61"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-61"
-            }
-          ]
-        },
-        {
-          "uuid": "644f44a9-a2de-4494-9c04-cd37fba45471",
-          "title": "NIST Special Publication 800-63",
-          "citation": {
-            "text": "NIST Special Publication 800-63"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-63"
-            }
-          ]
-        },
-        {
-          "uuid": "abd950ae-092f-4b7a-b374-1c7c67fe9350",
-          "title": "NIST Special Publication 800-64",
-          "citation": {
-            "text": "NIST Special Publication 800-64"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-64"
-            }
-          ]
-        },
-        {
-          "uuid": "29fcfe59-33cd-494a-8756-5907ae3a8f92",
-          "title": "NIST Special Publication 800-65",
-          "citation": {
-            "text": "NIST Special Publication 800-65"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-65"
-            }
-          ]
-        },
-        {
-          "uuid": "84a37532-6db6-477b-9ea8-f9085ebca0fc",
-          "title": "NIST Special Publication 800-70",
-          "citation": {
-            "text": "NIST Special Publication 800-70"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-70"
-            }
-          ]
-        },
-        {
-          "uuid": "ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-          "title": "NIST Special Publication 800-73",
-          "citation": {
-            "text": "NIST Special Publication 800-73"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-73"
-            }
-          ]
-        },
-        {
-          "uuid": "2a71298a-ee90-490e-80ff-48c967173a47",
-          "title": "NIST Special Publication 800-76",
-          "citation": {
-            "text": "NIST Special Publication 800-76"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-76"
-            }
-          ]
-        },
-        {
-          "uuid": "99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-          "title": "NIST Special Publication 800-77",
-          "citation": {
-            "text": "NIST Special Publication 800-77"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-77"
-            }
-          ]
-        },
-        {
-          "uuid": "2042d97b-f7f6-4c74-84f8-981867684659",
-          "title": "NIST Special Publication 800-78",
-          "citation": {
-            "text": "NIST Special Publication 800-78"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-78"
-            }
-          ]
-        },
-        {
-          "uuid": "6af1e841-672c-46c4-b121-96f603d04be3",
-          "title": "NIST Special Publication 800-81",
-          "citation": {
-            "text": "NIST Special Publication 800-81"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-81"
-            }
-          ]
-        },
-        {
-          "uuid": "6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-          "title": "NIST Special Publication 800-83",
-          "citation": {
-            "text": "NIST Special Publication 800-83"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-83"
-            }
-          ]
-        },
-        {
-          "uuid": "0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-          "title": "NIST Special Publication 800-84",
-          "citation": {
-            "text": "NIST Special Publication 800-84"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-84"
-            }
-          ]
-        },
-        {
-          "uuid": "263823e0-a971-4b00-959d-315b26278b22",
-          "title": "NIST Special Publication 800-88",
-          "citation": {
-            "text": "NIST Special Publication 800-88"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-88"
-            }
-          ]
-        },
-        {
-          "uuid": "672fd561-b92b-4713-b9cf-6c9d9456728b",
-          "title": "NIST Special Publication 800-92",
-          "citation": {
-            "text": "NIST Special Publication 800-92"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-92"
-            }
-          ]
-        },
-        {
-          "uuid": "d1b1d689-0f66-4474-9924-c81119758dc1",
-          "title": "NIST Special Publication 800-94",
-          "citation": {
-            "text": "NIST Special Publication 800-94"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-94"
-            }
-          ]
-        },
-        {
-          "uuid": "6f336ecd-f2a0-4c84-9699-0491d81b6e0d",
-          "title": "NIST Special Publication 800-97",
-          "citation": {
-            "text": "NIST Special Publication 800-97"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-97"
-            }
-          ]
-        },
-        {
-          "uuid": "9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab",
-          "title": "OMB Circular A-130",
-          "citation": {
-            "text": "OMB Circular A-130"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/omb/circulars_a130_a130trans4"
-            }
-          ]
-        },
-        {
-          "uuid": "2c5884cd-7b96-425c-862a-99877e1cf909",
-          "title": "OMB Memorandum 02-01",
-          "citation": {
-            "text": "OMB Memorandum 02-01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/omb/memoranda_m02-01"
-            }
-          ]
-        },
-        {
-          "uuid": "ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-          "title": "OMB Memorandum 04-04",
-          "citation": {
-            "text": "OMB Memorandum 04-04"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "4da24a96-6cf8-435d-9d1f-c73247cad109",
-          "title": "OMB Memorandum 06-16",
-          "citation": {
-            "text": "OMB Memorandum 06-16"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "990268bf-f4a9-4c81-91ae-dc7d3115f4b1",
-          "title": "OMB Memorandum 07-11",
-          "citation": {
-            "text": "OMB Memorandum 07-11"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "0b3d8ba9-051f-498d-81ea-97f0f018c612",
-          "title": "OMB Memorandum 07-18",
-          "citation": {
-            "text": "OMB Memorandum 07-18"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "0916ef02-3618-411b-a525-565c088849a6",
-          "title": "OMB Memorandum 08-22",
-          "citation": {
-            "text": "OMB Memorandum 08-22"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "28115a56-da6b-4d44-b1df-51dd7f048a3e",
-          "title": "OMB Memorandum 08-23",
-          "citation": {
-            "text": "OMB Memorandum 08-23"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "599fe9ba-4750-4450-9eeb-b95bd19a5e8f",
-          "title": "OMB Memorandum 10-06-2011",
-          "citation": {
-            "text": "OMB Memorandum 10-06-2011"
-          }
-        },
-        {
-          "uuid": "74e740a4-c45d-49f3-a86e-eb747c549e01",
-          "title": "OMB Memorandum 11-11",
-          "citation": {
-            "text": "OMB Memorandum 11-11"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "bedb15b7-ec5c-4a68-807f-385125751fcd",
-          "title": "OMB Memorandum 11-33",
-          "citation": {
-            "text": "OMB Memorandum 11-33"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "dd2f5acd-08f1-435a-9837-f8203088dc1a",
-          "title": "Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n            (E-PACS)",
-          "citation": {
-            "text": "Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n               (E-PACS)"
-          }
-        },
-        {
-          "uuid": "8ade2fbe-e468-4ca8-9a40-54d7f23c32bb",
-          "title": "US-CERT Technical Cyber Security Alerts",
-          "citation": {
-            "text": "US-CERT Technical Cyber Security Alerts"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.us-cert.gov/ncas/alerts"
-            }
-          ]
-        },
-        {
-          "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48",
-          "title": "FedRAMP Applicable Laws and Regulations",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-citations"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-            }
-          ]
-        },
-        {
-          "uuid": "1a23a771-d481-4594-9a1a-71d584fa4123",
-          "title": "FedRAMP Master Acronym and Glossary",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-acronyms"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f",
-          "desc": "FedRAMP Logo",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-logo"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png"
-            }
-          ]
-        },
-        {
-          "uuid": "ad005eae-cc63-4e64-9109-3905a9a825e4",
-          "title": "NIST Special Publication (SP) 800-53",
-          "properties": [
-            {
-              "name": "version",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "Revision 4"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-              "media-type": "application/xml"
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
diff --git a/content/fedramp.gov/json/FedRAMP_LOW-baseline_profile-min.json b/content/fedramp.gov/json/FedRAMP_LOW-baseline_profile-min.json
deleted file mode 100644
index a1429407ef..0000000000
--- a/content/fedramp.gov/json/FedRAMP_LOW-baseline_profile-min.json
+++ /dev/null
@@ -1 +0,0 @@
-{"profile":{"uuid":"4678df89-bdc1-4804-bdfd-0bb1fc5bba1a","metadata":{"title":"FedRAMP Low Baseline","published":"2020-06-01T00:00:00.000-04:00","last-modified":"2020-06-01T10:00:00.000-04:00","version":"1.2","oscal-version":"1.0.0-milestone3","roles":[{"id":"parpared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"parties":[{"uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","type":"organization","party-name":"Federal Risk and Authorization Management Program: Program Management Office","short-name":"FedRAMP PMO","links":[{"href":"https://fedramp.gov","rel":"homepage","text":""}],"addresses":[{"type":"work","postal-address":["1800 F St. NW",""],"city":"Washington","state":"DC","postal-code":"","country":"US"}],"email-addresses":["info@fedramp.gov"]},{"uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","type":"organization","party-name":"Federal Risk and Authorization Management Program: Joint Authorization Board","short-name":"FedRAMP JAB"}],"responsible-parties":{"prepared-by":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-pmo":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-jab":{"party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}}},"imports":[{"href":"#ad005eae-cc63-4e64-9109-3905a9a825e4","include":{"id-selectors":[{"control-id":"ac-1"},{"control-id":"ac-2"},{"control-id":"ac-3"},{"control-id":"ac-7"},{"control-id":"ac-8"},{"control-id":"ac-14"},{"control-id":"ac-17"},{"control-id":"ac-18"},{"control-id":"ac-19"},{"control-id":"ac-20"},{"control-id":"ac-22"},{"control-id":"at-1"},{"control-id":"at-2"},{"control-id":"at-3"},{"control-id":"at-4"},{"control-id":"au-1"},{"control-id":"au-2"},{"control-id":"au-3"},{"control-id":"au-4"},{"control-id":"au-5"},{"control-id":"au-6"},{"control-id":"au-8"},{"control-id":"au-9"},{"control-id":"au-11"},{"control-id":"au-12"},{"control-id":"ca-1"},{"control-id":"ca-2"},{"control-id":"ca-2.1"},{"control-id":"ca-3"},{"control-id":"ca-5"},{"control-id":"ca-6"},{"control-id":"ca-7"},{"control-id":"ca-9"},{"control-id":"cm-1"},{"control-id":"cm-2"},{"control-id":"cm-4"},{"control-id":"cm-6"},{"control-id":"cm-7"},{"control-id":"cm-8"},{"control-id":"cm-10"},{"control-id":"cm-11"},{"control-id":"cp-1"},{"control-id":"cp-2"},{"control-id":"cp-3"},{"control-id":"cp-4"},{"control-id":"cp-9"},{"control-id":"cp-10"},{"control-id":"ia-1"},{"control-id":"ia-2"},{"control-id":"ia-2.1"},{"control-id":"ia-2.12"},{"control-id":"ia-4"},{"control-id":"ia-5"},{"control-id":"ia-5.1"},{"control-id":"ia-5.11"},{"control-id":"ia-6"},{"control-id":"ia-7"},{"control-id":"ia-8"},{"control-id":"ia-8.1"},{"control-id":"ia-8.2"},{"control-id":"ia-8.3"},{"control-id":"ia-8.4"},{"control-id":"ir-1"},{"control-id":"ir-2"},{"control-id":"ir-4"},{"control-id":"ir-5"},{"control-id":"ir-6"},{"control-id":"ir-7"},{"control-id":"ir-8"},{"control-id":"ma-1"},{"control-id":"ma-2"},{"control-id":"ma-4"},{"control-id":"ma-5"},{"control-id":"mp-1"},{"control-id":"mp-2"},{"control-id":"mp-6"},{"control-id":"mp-7"},{"control-id":"pe-1"},{"control-id":"pe-2"},{"control-id":"pe-3"},{"control-id":"pe-6"},{"control-id":"pe-8"},{"control-id":"pe-12"},{"control-id":"pe-13"},{"control-id":"pe-14"},{"control-id":"pe-15"},{"control-id":"pe-16"},{"control-id":"pl-1"},{"control-id":"pl-2"},{"control-id":"pl-4"},{"control-id":"ps-1"},{"control-id":"ps-2"},{"control-id":"ps-3"},{"control-id":"ps-4"},{"control-id":"ps-5"},{"control-id":"ps-6"},{"control-id":"ps-7"},{"control-id":"ps-8"},{"control-id":"ra-1"},{"control-id":"ra-2"},{"control-id":"ra-3"},{"control-id":"ra-5"},{"control-id":"sa-1"},{"control-id":"sa-2"},{"control-id":"sa-3"},{"control-id":"sa-4"},{"control-id":"sa-5"},{"control-id":"sa-9"},{"control-id":"sc-1"},{"control-id":"sc-5"},{"control-id":"sc-7"},{"control-id":"sc-12"},{"control-id":"sc-13"},{"control-id":"sc-15"},{"control-id":"sc-20"},{"control-id":"sc-21"},{"control-id":"sc-22"},{"control-id":"sc-39"},{"control-id":"si-1"},{"control-id":"si-2"},{"control-id":"si-3"},{"control-id":"si-4"},{"control-id":"si-5"},{"control-id":"si-12"},{"control-id":"si-16"}]}}],"merge":{"combine":{"method":"keep"},"as-is":true},"modify":{"parameter-settings":{"ac-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ac-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ac-2_prm_4":{"constraints":[{"detail":"at least annually"}]},"ac-7_prm_1":{"constraints":[{"detail":"not more than three (3)"}]},"ac-7_prm_2":{"constraints":[{"detail":"fifteen (15) minutes"}]},"ac-7_prm_4":{"constraints":[{"detail":"thirty (30) minutes"}]},"ac-8_prm_1":{"constraints":[{"detail":"see additional Requirements and Guidance"}]},"ac-8_prm_2":{"constraints":[{"detail":"see additional Requirements and Guidance"}]},"ac-22_prm_1":{"constraints":[{"detail":"at least quarterly"}]},"at-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"at-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"at-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"at-3_prm_1":{"constraints":[{"detail":"at least annually"}]},"at-4_prm_1":{"constraints":[{"detail":"At least one year"}]},"au-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"au-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"au-2_prm_1":{"constraints":[{"detail":"Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"}]},"au-2_prm_2":{"constraints":[{"detail":"organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event"}]},"au-5_prm_2":{"constraints":[{"detail":"organization-defined actions to be taken (overwrite oldest record)"}]},"au-6_prm_1":{"constraints":[{"detail":"at least weekly"}]},"au-11_prm_1":{"constraints":[{"detail":"at least ninety days"}]},"au-12_prm_1":{"constraints":[{"detail":"all information system and network components where audit capability is deployed/available"}]},"ca-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ca-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ca-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"ca-2_prm_2":{"constraints":[{"detail":"individuals or roles to include FedRAMP PMO"}]},"ca-3_prm_1":{"constraints":[{"detail":"at least annually and on input from FedRAMP"}]},"ca-5_prm_1":{"constraints":[{"detail":"at least monthly"}]},"ca-6_prm_1":{"constraints":[{"detail":"at least every three years or when a significant change occurs"}]},"ca-7_prm_4":{"constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},"ca-7_prm_5":{"constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},"cm-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"cm-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"cm-6_prm_1":{"constraints":[{"detail":"United States Government Configuration Baseline (USGCB)"}]},"cm-7_prm_1":{"constraints":[{"detail":"United States Government Configuration Baseline (USGCB)"}]},"cm-8_prm_2":{"constraints":[{"detail":"at least monthly"}]},"cm-11_prm_3":{"constraints":[{"detail":"Continuously (via CM-7 (5))"}]},"cp-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"cp-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"cp-2_prm_3":{"constraints":[{"detail":"at least annually"}]},"cp-3_prm_1":{"constraints":[{"detail":"ten (10) days"}]},"cp-3_prm_2":{"constraints":[{"detail":"at least annually"}]},"cp-4_prm_1":{"constraints":[{"detail":"at least every three years"}]},"cp-4_prm_2":{"constraints":[{"detail":"classroom exercises/table top written tests"}]},"cp-9_prm_1":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9_prm_2":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9_prm_3":{"constraints":[{"detail":"daily incremental; weekly full"}]},"ia-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ia-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ia-4_prm_2":{"constraints":[{"detail":"IA-4 (d) [at least two years]"}]},"ia-4_prm_3":{"constraints":[{"detail":"ninety days for user identifiers (See additional requirements and guidance)"}]},"ia-5.1_prm_2":{"constraints":[{"detail":"at least one"}]},"ia-5.1_prm_4":{"constraints":[{"detail":"twenty four"}]},"ir-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ir-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ir-2_prm_2":{"constraints":[{"detail":"at least annually"}]},"ir-6_prm_1":{"constraints":[{"detail":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},"ir-8_prm_2":{"constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},"ir-8_prm_3":{"constraints":[{"detail":"at least annually"}]},"ir-8_prm_4":{"constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},"ma-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ma-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"mp-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"mp-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"pe-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"pe-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"pe-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"pe-3_prm_2":{"constraints":[{"detail":"CSP defined physical access control systems/devices AND guards"}]},"pe-3_prm_3":{"constraints":[{"detail":"CSP defined physical access control systems/devices"}]},"pe-3_prm_6":{"constraints":[{"detail":"in all circumstances within restricted access area where the information system resides"}]},"pe-3_prm_8":{"constraints":[{"detail":"at least annually"}]},"pe-3_prm_9":{"constraints":[{"detail":"at least annually"}]},"pe-6_prm_1":{"constraints":[{"detail":"at least monthly"}]},"pe-8_prm_1":{"constraints":[{"detail":"for a minimum of one (1) year"}]},"pe-8_prm_2":{"constraints":[{"detail":"at least monthly"}]},"pe-14_prm_1":{"constraints":[{"detail":"consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},"pe-14_prm_2":{"constraints":[{"detail":"continuously"}]},"pe-16_prm_1":{"constraints":[{"detail":"all information system components"}]},"pl-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"pl-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"pl-2_prm_2":{"constraints":[{"detail":"at least annually"}]},"pl-4_prm_1":{"constraints":[{"detail":"At least every 3 years"}]},"ps-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ps-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ps-2_prm_1":{"constraints":[{"detail":"at least every three years"}]},"ps-3_prm_1":{"constraints":[{"detail":"For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions."}]},"ps-4_prm_1":{"constraints":[{"detail":"same day"}]},"ps-5_prm_4":{"constraints":[{"detail":"five days of the time period following the formal transfer action (DoD 24 hours)"}]},"ps-6_prm_1":{"constraints":[{"detail":"at least annually"}]},"ps-6_prm_2":{"constraints":[{"detail":"at least annually"}]},"ps-7_prm_2":{"constraints":[{"detail":"organization-defined time period - same day"}]},"ra-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ra-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ra-3_prm_2":{"constraints":[{"detail":"security assessment report"}]},"ra-3_prm_3":{"constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},"ra-3_prm_5":{"constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},"ra-5_prm_1":{"constraints":[{"detail":"monthly operating system/infrastructure; monthly web applications and databases"}]},"ra-5_prm_2":{"constraints":[{"detail":"[high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."}]},"sa-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"sa-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"sa-9_prm_1":{"constraints":[{"detail":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},"sa-9_prm_2":{"constraints":[{"detail":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]},"sc-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"sc-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"sc-13_prm_1":{"constraints":[{"detail":"FIPS-validated or NSA-approved cryptography"}]},"sc-15_prm_1":{"constraints":[{"detail":"no exceptions"}]},"si-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"si-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"si-2_prm_1":{"constraints":[{"detail":"within 30 days of release of updates"}]},"si-3_prm_1":{"constraints":[{"detail":"at least weekly"}]},"si-3_prm_2":{"constraints":[{"detail":"to include endpoints"}]},"si-3_prm_3":{"constraints":[{"detail":"to include alerting administrator or defined security personnel"}]},"si-5_prm_1":{"constraints":[{"detail":"to include US-CERT"}]},"si-5_prm_2":{"constraints":[{"detail":"to include system security personnel and administrators with configuration/patch-management responsibilities"}]}},"alterations":[{"control-id":"ac-1","additions":[{"position":"starting","id-ref":"ac-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-14","additions":[{"position":"starting","id-ref":"ac-14.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-14.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-14.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-17","additions":[{"position":"starting","id-ref":"ac-17","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-17.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-18","additions":[{"position":"starting","id-ref":"ac-18","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-18.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-18.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-19","additions":[{"position":"starting","id-ref":"ac-19","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-19.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-19.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2","additions":[{"position":"starting","id-ref":"ac-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.g_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.h_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.i_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.j_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.j_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.k_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-20","additions":[{"position":"starting","id-ref":"ac-20.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-20.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-22","additions":[{"position":"starting","id-ref":"ac-22","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-22.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-22.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-22.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-3","additions":[{"position":"starting","id-ref":"ac-3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-7","additions":[{"position":"starting","id-ref":"ac-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-8","additions":[{"position":"ending","id-ref":"ac-8_smt","parts":[{"id":"ac-8_fr","name":"item","title":"AC-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."},{"id":"ac-8_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."},{"id":"ac-8_fr_smt.3","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"ac-8.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-8.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-8.c.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"at-1","additions":[{"position":"starting","id-ref":"at-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"at-2","additions":[{"position":"starting","id-ref":"at-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"at-3","additions":[{"position":"starting","id-ref":"at-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"at-4","additions":[{"position":"starting","id-ref":"at-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"at-4.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-4.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-1","additions":[{"position":"starting","id-ref":"au-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"au-11","additions":[{"position":"ending","id-ref":"au-11_smt","parts":[{"id":"au-11_fr","name":"item","title":"AU-11 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-11_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."}]}]},{"position":"starting","id-ref":"au-11","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-11.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-12","additions":[{"position":"starting","id-ref":"au-12.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-12.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-12.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-2","additions":[{"position":"ending","id-ref":"au-2_smt","parts":[{"id":"au-2_fr","name":"item","title":"AU-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"au-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-2.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-3","additions":[{"position":"starting","id-ref":"au-3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-4","additions":[{"position":"starting","id-ref":"au-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-5","additions":[{"position":"starting","id-ref":"au-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-6","additions":[{"position":"ending","id-ref":"au-6_smt","parts":[{"id":"au-6_fr","name":"item","title":"AU-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."}]}]},{"position":"starting","id-ref":"au-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-8","additions":[{"position":"starting","id-ref":"au-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-9","additions":[{"position":"starting","id-ref":"au-9.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-9.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-1","additions":[{"position":"starting","id-ref":"ca-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ca-2","additions":[{"position":"ending","id-ref":"ca-2_smt","parts":[{"id":"ca-2_fr","name":"item","title":"CA-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-2.1","additions":[{"position":"ending","id-ref":"ca-2.1_smt","parts":[{"id":"ca-2.1_fr","name":"item","title":"CA-2 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."}]}]},{"position":"starting","id-ref":"ca-2.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-3","additions":[{"position":"starting","id-ref":"ca-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-5","additions":[{"position":"ending","id-ref":"ca-5_smt","parts":[{"id":"ca-5_fr","name":"item","title":"CA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Plan of Action & Milestones (POA&M) must be provided at least monthly."},{"id":"ca-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-6","additions":[{"position":"ending","id-ref":"ca-6_smt","parts":[{"id":"ca-6_fr","name":"item","title":"CA-6(c) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"ca-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-6.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-6.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-7","additions":[{"position":"ending","id-ref":"ca-7_smt","parts":[{"id":"ca-7_fr","name":"item","title":"CA-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."},{"id":"ca-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-9","additions":[{"position":"starting","id-ref":"ca-9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-9.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-1","additions":[{"position":"starting","id-ref":"cm-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-1.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-10","additions":[{"position":"starting","id-ref":"cm-10.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-10.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-10.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-11","additions":[{"position":"starting","id-ref":"cm-11.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-11.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2","additions":[{"position":"starting","id-ref":"cm-2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-4","additions":[{"position":"starting","id-ref":"cm-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-6","additions":[{"position":"ending","id-ref":"cm-6_smt","parts":[{"id":"cm-6_fr","name":"item","title":"CM-6(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}]}]},{"position":"starting","id-ref":"cm-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7","additions":[{"position":"ending","id-ref":"cm-7_smt","parts":[{"id":"cm-7_fr","name":"item","title":"CM-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."},{"id":"cm-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc)\n\t\t\t\t\t\t\tPartially derived from AC-17(8)."}]}]},{"position":"starting","id-ref":"cm-7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8","additions":[{"position":"ending","id-ref":"cm-8_smt","parts":[{"id":"cm-8_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}]}]},{"position":"starting","id-ref":"cm-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-8.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-1","additions":[{"position":"starting","id-ref":"cp-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cp-10","additions":[{"position":"starting","id-ref":"cp-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-10.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2","additions":[{"position":"ending","id-ref":"cp-2_smt","parts":[{"id":"cp-2_fr","name":"item","title":"CP-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"CP-2 Requirement:"}],"prose":"For JAB authorizations the contingency lists include designated FedRAMP personnel."}]}]},{"position":"starting","id-ref":"cp-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-2.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.6_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.6_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-2.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.g_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-3","additions":[{"position":"starting","id-ref":"cp-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-4","additions":[{"position":"ending","id-ref":"cp-4_smt","parts":[{"id":"cp-4_fr","name":"item","title":"CP-4(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-4(a) Requirement:"}],"prose":"The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."}]}]},{"position":"starting","id-ref":"cp-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-4.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-9","additions":[{"position":"ending","id-ref":"cp-9_smt","parts":[{"id":"cp-9_fr","name":"item","title":"CP-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","properties":[{"name":"label","value":"CP-9(b)Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","properties":[{"name":"label","value":"CP-9(c)Requirement:"}],"prose":"The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."}]}]},{"position":"starting","id-ref":"cp-9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-1","additions":[{"position":"starting","id-ref":"ia-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ia-2","additions":[{"position":"starting","id-ref":"ia-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.1","additions":[{"position":"starting","id-ref":"ia-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.12","additions":[{"position":"ending","id-ref":"ia-2.12_smt","parts":[{"id":"ia-2.12_fr","name":"item","title":"IA-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."}]}]},{"position":"starting","id-ref":"ia-2.12_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-4","additions":[{"position":"ending","id-ref":"ia-4_smt","parts":[{"id":"ia-4_fr","name":"item","title":"IA-4(e) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-4_fr_smt.e","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines the time period of inactivity for device identifiers."},{"id":"ia-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."}]}]},{"position":"starting","id-ref":"ia-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5","additions":[{"position":"ending","id-ref":"ia-5_smt","parts":[{"id":"ia-5_fr","name":"item","title":"IA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."}]}]},{"position":"starting","id-ref":"ia-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.h_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.i_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-5.i_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.j_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.1","additions":[{"position":"ending","id-ref":"ia-5.1_smt","parts":[{"id":"ia-5.1_fr","name":"item","title":"IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance (a) (d):"}],"prose":"If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."}]}]},{"position":"starting","id-ref":"ia-5.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-5.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.11","additions":[{"position":"starting","id-ref":"ia-5.11_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-6","additions":[{"position":"starting","id-ref":"ia-6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-7","additions":[{"position":"starting","id-ref":"ia-7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8","additions":[{"position":"starting","id-ref":"ia-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.1","additions":[{"position":"starting","id-ref":"ia-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-8.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.2","additions":[{"position":"starting","id-ref":"ia-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.3","additions":[{"position":"starting","id-ref":"ia-8.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-8.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.4","additions":[{"position":"starting","id-ref":"ia-8.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-1","additions":[{"position":"starting","id-ref":"ir-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ir-2","additions":[{"position":"starting","id-ref":"ir-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-4","additions":[{"position":"ending","id-ref":"ir-4_smt","parts":[{"id":"ir-4_fr","name":"item","title":"IR-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-4_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."}]}]},{"position":"starting","id-ref":"ir-4.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-5","additions":[{"position":"starting","id-ref":"ir-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-6","additions":[{"position":"ending","id-ref":"ir-6_smt","parts":[{"id":"ir-6_fr","name":"item","title":"IR-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident Communications Procedure."}]}]},{"position":"starting","id-ref":"ir-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-7","additions":[{"position":"starting","id-ref":"ir-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-7.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-8","additions":[{"position":"ending","id-ref":"ir-8_smt","parts":[{"id":"ir-8_fr","name":"item","title":"IR-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-8_fr_smt.b","name":"item","properties":[{"name":"label","value":"(b) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."},{"id":"ir-8_fr_smt.e","name":"item","properties":[{"name":"label","value":"(e) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."}]}]},{"position":"starting","id-ref":"ir-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-8.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.a.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-8.b_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.b_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-8.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.e_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.e_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-1","additions":[{"position":"starting","id-ref":"ma-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ma-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ma-2","additions":[{"position":"starting","id-ref":"ma-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ma-4","additions":[{"position":"starting","id-ref":"ma-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ma-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-5","additions":[{"position":"starting","id-ref":"ma-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"mp-1","additions":[{"position":"starting","id-ref":"mp-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"mp-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"mp-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"mp-2","additions":[{"position":"starting","id-ref":"mp-2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-6","additions":[{"position":"starting","id-ref":"mp-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-7","additions":[{"position":"starting","id-ref":"mp-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-1","additions":[{"position":"starting","id-ref":"pe-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"pe-12","additions":[{"position":"starting","id-ref":"pe-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-13","additions":[{"position":"starting","id-ref":"pe-13.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-13.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-14","additions":[{"position":"ending","id-ref":"pe-14_smt","parts":[{"id":"pe-14_fr","name":"item","title":"PE-14(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pe-14_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels by dew point."}]}]},{"position":"starting","id-ref":"pe-14.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.b_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-15","additions":[{"position":"starting","id-ref":"pe-15_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-16","additions":[{"position":"starting","id-ref":"pe-16_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-16_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.6","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.7","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.8","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-16_obj.9","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"pe-2","additions":[{"position":"starting","id-ref":"pe-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-3","additions":[{"position":"starting","id-ref":"pe-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-6","additions":[{"position":"starting","id-ref":"pe-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-6.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-6.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"pe-8","additions":[{"position":"starting","id-ref":"pe-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-8.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-8.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-1","additions":[{"position":"starting","id-ref":"pl-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pl-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pl-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"pl-2","additions":[{"position":"starting","id-ref":"pl-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pl-2.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.9_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-4","additions":[{"position":"starting","id-ref":"pl-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-1","additions":[{"position":"starting","id-ref":"ps-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ps-2","additions":[{"position":"starting","id-ref":"ps-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-3","additions":[{"position":"starting","id-ref":"ps-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-3.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-4","additions":[{"position":"starting","id-ref":"ps-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-5","additions":[{"position":"starting","id-ref":"ps-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-6","additions":[{"position":"starting","id-ref":"ps-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.c.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-6.c.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.c.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-7","additions":[{"position":"starting","id-ref":"ps-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-7.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-8","additions":[{"position":"starting","id-ref":"ps-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-1","additions":[{"position":"starting","id-ref":"ra-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ra-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ra-2","additions":[{"position":"starting","id-ref":"ra-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-3","additions":[{"position":"ending","id-ref":"ra-3_smt","parts":[{"id":"ra-3_fr","name":"item","title":"RA-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","properties":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include FedRAMP."}]}]},{"position":"starting","id-ref":"ra-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5","additions":[{"id-ref":"ra-5_smt","parts":[{"id":"ra-5_fr_smt.a","name":"item","title":"RA-5(a) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (a)Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."},{"id":"ra-5_fr_smt.e","name":"item","title":"RA-5(e) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (e)Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include FedRAMP."},{"id":"ra-5_fr","name":"item","title":"RA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}]}]},{"position":"starting","id-ref":"ra-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.e_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-1","additions":[{"position":"starting","id-ref":"sa-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sa-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"sa-2","additions":[{"position":"starting","id-ref":"sa-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-3","additions":[{"position":"starting","id-ref":"sa-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4","additions":[{"position":"ending","id-ref":"sa-4_smt","parts":[{"id":"sa-4_fr","name":"item","title":"SA-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."}]}]},{"position":"starting","id-ref":"sa-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.10","additions":[{"position":"starting","id-ref":"sa-4.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-5","additions":[{"position":"starting","id-ref":"sa-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9","additions":[{"position":"ending","id-ref":"sa-9_smt","parts":[{"id":"sa-9_fr","name":"item","title":"SA-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-9_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide [https://www.FedRAMP.gov/documents](https://www.FedRAMP.gov/documents)\n                  "},{"id":"sa-9_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance"}]}]},{"position":"starting","id-ref":"sa-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-1","additions":[{"position":"starting","id-ref":"sc-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sc-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sc-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"sc-12","additions":[{"position":"ending","id-ref":"sc-12_smt","parts":[{"id":"sc-12_fr","name":"item","title":"SC-12 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved and validated cryptography."}]}]},{"position":"starting","id-ref":"sc-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-12.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-13","additions":[{"position":"starting","id-ref":"sc-13","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sc-13_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-13_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-13_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-15","additions":[{"position":"ending","id-ref":"sc-15_smt","parts":[{"id":"sc-15_fr","name":"item","title":"SC-15 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-15_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."}]}]},{"position":"starting","id-ref":"sc-15.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-15.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-15.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-20","additions":[{"position":"starting","id-ref":"sc-20.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-20.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-21","additions":[{"position":"starting","id-ref":"sc-21_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-21_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-21_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-21_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-22","additions":[{"position":"starting","id-ref":"sc-22_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-22_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-39","additions":[{"position":"starting","id-ref":"sc-39_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-5","additions":[{"position":"starting","id-ref":"sc-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-5.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-5.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7","additions":[{"position":"starting","id-ref":"sc-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-1","additions":[{"position":"starting","id-ref":"si-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"si-12","additions":[{"position":"starting","id-ref":"si-12_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-2","additions":[{"position":"starting","id-ref":"si-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-3","additions":[{"position":"starting","id-ref":"si-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-3.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.c.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4","additions":[{"position":"ending","id-ref":"si-4_smt","parts":[{"id":"si-4_fr","name":"item","title":"SI-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See US-CERT Incident Response Reporting Guidelines."}]}]},{"position":"starting","id-ref":"si-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-4.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.b.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.b.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-4.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-5","additions":[{"position":"starting","id-ref":"si-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]}]},"back-matter":{"resources":[{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and Regulations","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-citations"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-acronyms"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","desc":"FedRAMP Logo","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-logo"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}]},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","title":"NIST Special Publication (SP) 800-53","properties":[{"name":"version","ns":"https://fedramp.gov/ns/oscal","value":"Revision 4"},{"name":"keep","value":"always"}],"rlinks":[{"href":"../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","media-type":"application/xml"}]}]}}}
\ No newline at end of file
diff --git a/content/fedramp.gov/json/FedRAMP_LOW-baseline_profile.json b/content/fedramp.gov/json/FedRAMP_LOW-baseline_profile.json
deleted file mode 100644
index 25d6f27a1e..0000000000
--- a/content/fedramp.gov/json/FedRAMP_LOW-baseline_profile.json
+++ /dev/null
@@ -1,17083 +0,0 @@
-{
-  "profile": {
-    "uuid": "4678df89-bdc1-4804-bdfd-0bb1fc5bba1a",
-    "metadata": {
-      "title": "FedRAMP Low Baseline",
-      "published": "2020-06-01T00:00:00.000-04:00",
-      "last-modified": "2020-06-01T10:00:00.000-04:00",
-      "version": "1.2",
-      "oscal-version": "1.0.0-milestone3",
-      "roles": [
-        {
-          "id": "parpared-by",
-          "title": "Document creator"
-        },
-        {
-          "id": "fedramp-pmo",
-          "title": "The FedRAMP Program Management Office (PMO)",
-          "short-name": "CSP"
-        },
-        {
-          "id": "fedramp-jab",
-          "title": "The FedRAMP Joint Authorization Board (JAB)",
-          "short-name": "CSP"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Program Management Office",
-          "short-name": "FedRAMP PMO",
-          "links": [
-            {
-              "href": "https://fedramp.gov",
-              "rel": "homepage",
-              "text": ""
-            }
-          ],
-          "addresses": [
-            {
-              "type": "work",
-              "postal-address": [
-                "1800 F St. NW",
-                ""
-              ],
-              "city": "Washington",
-              "state": "DC",
-              "postal-code": "",
-              "country": "US"
-            }
-          ],
-          "email-addresses": [
-            "info@fedramp.gov"
-          ]
-        },
-        {
-          "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Joint Authorization Board",
-          "short-name": "FedRAMP JAB"
-        }
-      ],
-      "responsible-parties": {
-        "prepared-by": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-pmo": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-jab": {
-          "party-uuids": [
-            "ca9ba80e-1342-4bfd-b32a-abac468c24b4"
-          ]
-        }
-      }
-    },
-    "imports": [
-      {
-        "href": "#ad005eae-cc63-4e64-9109-3905a9a825e4",
-        "include": {
-          "id-selectors": [
-            {
-              "control-id": "ac-1"
-            },
-            {
-              "control-id": "ac-2"
-            },
-            {
-              "control-id": "ac-3"
-            },
-            {
-              "control-id": "ac-7"
-            },
-            {
-              "control-id": "ac-8"
-            },
-            {
-              "control-id": "ac-14"
-            },
-            {
-              "control-id": "ac-17"
-            },
-            {
-              "control-id": "ac-18"
-            },
-            {
-              "control-id": "ac-19"
-            },
-            {
-              "control-id": "ac-20"
-            },
-            {
-              "control-id": "ac-22"
-            },
-            {
-              "control-id": "at-1"
-            },
-            {
-              "control-id": "at-2"
-            },
-            {
-              "control-id": "at-3"
-            },
-            {
-              "control-id": "at-4"
-            },
-            {
-              "control-id": "au-1"
-            },
-            {
-              "control-id": "au-2"
-            },
-            {
-              "control-id": "au-3"
-            },
-            {
-              "control-id": "au-4"
-            },
-            {
-              "control-id": "au-5"
-            },
-            {
-              "control-id": "au-6"
-            },
-            {
-              "control-id": "au-8"
-            },
-            {
-              "control-id": "au-9"
-            },
-            {
-              "control-id": "au-11"
-            },
-            {
-              "control-id": "au-12"
-            },
-            {
-              "control-id": "ca-1"
-            },
-            {
-              "control-id": "ca-2"
-            },
-            {
-              "control-id": "ca-2.1"
-            },
-            {
-              "control-id": "ca-3"
-            },
-            {
-              "control-id": "ca-5"
-            },
-            {
-              "control-id": "ca-6"
-            },
-            {
-              "control-id": "ca-7"
-            },
-            {
-              "control-id": "ca-9"
-            },
-            {
-              "control-id": "cm-1"
-            },
-            {
-              "control-id": "cm-2"
-            },
-            {
-              "control-id": "cm-4"
-            },
-            {
-              "control-id": "cm-6"
-            },
-            {
-              "control-id": "cm-7"
-            },
-            {
-              "control-id": "cm-8"
-            },
-            {
-              "control-id": "cm-10"
-            },
-            {
-              "control-id": "cm-11"
-            },
-            {
-              "control-id": "cp-1"
-            },
-            {
-              "control-id": "cp-2"
-            },
-            {
-              "control-id": "cp-3"
-            },
-            {
-              "control-id": "cp-4"
-            },
-            {
-              "control-id": "cp-9"
-            },
-            {
-              "control-id": "cp-10"
-            },
-            {
-              "control-id": "ia-1"
-            },
-            {
-              "control-id": "ia-2"
-            },
-            {
-              "control-id": "ia-2.1"
-            },
-            {
-              "control-id": "ia-2.12"
-            },
-            {
-              "control-id": "ia-4"
-            },
-            {
-              "control-id": "ia-5"
-            },
-            {
-              "control-id": "ia-5.1"
-            },
-            {
-              "control-id": "ia-5.11"
-            },
-            {
-              "control-id": "ia-6"
-            },
-            {
-              "control-id": "ia-7"
-            },
-            {
-              "control-id": "ia-8"
-            },
-            {
-              "control-id": "ia-8.1"
-            },
-            {
-              "control-id": "ia-8.2"
-            },
-            {
-              "control-id": "ia-8.3"
-            },
-            {
-              "control-id": "ia-8.4"
-            },
-            {
-              "control-id": "ir-1"
-            },
-            {
-              "control-id": "ir-2"
-            },
-            {
-              "control-id": "ir-4"
-            },
-            {
-              "control-id": "ir-5"
-            },
-            {
-              "control-id": "ir-6"
-            },
-            {
-              "control-id": "ir-7"
-            },
-            {
-              "control-id": "ir-8"
-            },
-            {
-              "control-id": "ma-1"
-            },
-            {
-              "control-id": "ma-2"
-            },
-            {
-              "control-id": "ma-4"
-            },
-            {
-              "control-id": "ma-5"
-            },
-            {
-              "control-id": "mp-1"
-            },
-            {
-              "control-id": "mp-2"
-            },
-            {
-              "control-id": "mp-6"
-            },
-            {
-              "control-id": "mp-7"
-            },
-            {
-              "control-id": "pe-1"
-            },
-            {
-              "control-id": "pe-2"
-            },
-            {
-              "control-id": "pe-3"
-            },
-            {
-              "control-id": "pe-6"
-            },
-            {
-              "control-id": "pe-8"
-            },
-            {
-              "control-id": "pe-12"
-            },
-            {
-              "control-id": "pe-13"
-            },
-            {
-              "control-id": "pe-14"
-            },
-            {
-              "control-id": "pe-15"
-            },
-            {
-              "control-id": "pe-16"
-            },
-            {
-              "control-id": "pl-1"
-            },
-            {
-              "control-id": "pl-2"
-            },
-            {
-              "control-id": "pl-4"
-            },
-            {
-              "control-id": "ps-1"
-            },
-            {
-              "control-id": "ps-2"
-            },
-            {
-              "control-id": "ps-3"
-            },
-            {
-              "control-id": "ps-4"
-            },
-            {
-              "control-id": "ps-5"
-            },
-            {
-              "control-id": "ps-6"
-            },
-            {
-              "control-id": "ps-7"
-            },
-            {
-              "control-id": "ps-8"
-            },
-            {
-              "control-id": "ra-1"
-            },
-            {
-              "control-id": "ra-2"
-            },
-            {
-              "control-id": "ra-3"
-            },
-            {
-              "control-id": "ra-5"
-            },
-            {
-              "control-id": "sa-1"
-            },
-            {
-              "control-id": "sa-2"
-            },
-            {
-              "control-id": "sa-3"
-            },
-            {
-              "control-id": "sa-4"
-            },
-            {
-              "control-id": "sa-5"
-            },
-            {
-              "control-id": "sa-9"
-            },
-            {
-              "control-id": "sc-1"
-            },
-            {
-              "control-id": "sc-5"
-            },
-            {
-              "control-id": "sc-7"
-            },
-            {
-              "control-id": "sc-12"
-            },
-            {
-              "control-id": "sc-13"
-            },
-            {
-              "control-id": "sc-15"
-            },
-            {
-              "control-id": "sc-20"
-            },
-            {
-              "control-id": "sc-21"
-            },
-            {
-              "control-id": "sc-22"
-            },
-            {
-              "control-id": "sc-39"
-            },
-            {
-              "control-id": "si-1"
-            },
-            {
-              "control-id": "si-2"
-            },
-            {
-              "control-id": "si-3"
-            },
-            {
-              "control-id": "si-4"
-            },
-            {
-              "control-id": "si-5"
-            },
-            {
-              "control-id": "si-12"
-            },
-            {
-              "control-id": "si-16"
-            }
-          ]
-        }
-      }
-    ],
-    "merge": {
-      "combine": {
-        "method": "keep"
-      },
-      "as-is": true
-    },
-    "modify": {
-      "parameter-settings": {
-        "ac-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ac-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ac-2_prm_4": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ac-7_prm_1": {
-          "constraints": [
-            {
-              "detail": "not more than three (3)"
-            }
-          ]
-        },
-        "ac-7_prm_2": {
-          "constraints": [
-            {
-              "detail": "fifteen (15) minutes"
-            }
-          ]
-        },
-        "ac-7_prm_4": {
-          "constraints": [
-            {
-              "detail": "thirty (30) minutes"
-            }
-          ]
-        },
-        "ac-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "see additional Requirements and Guidance"
-            }
-          ]
-        },
-        "ac-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional Requirements and Guidance"
-            }
-          ]
-        },
-        "ac-22_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least quarterly"
-            }
-          ]
-        },
-        "at-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "at-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "at-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "at-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "at-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "At least one year"
-            }
-          ]
-        },
-        "au-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "au-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "au-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"
-            }
-          ]
-        },
-        "au-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event"
-            }
-          ]
-        },
-        "au-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined actions to be taken (overwrite oldest record)"
-            }
-          ]
-        },
-        "au-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "au-11_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least ninety days"
-            }
-          ]
-        },
-        "au-12_prm_1": {
-          "constraints": [
-            {
-              "detail": "all information system and network components where audit capability is deployed/available"
-            }
-          ]
-        },
-        "ca-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ca-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "individuals or roles to include FedRAMP PMO"
-            }
-          ]
-        },
-        "ca-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually and on input from FedRAMP"
-            }
-          ]
-        },
-        "ca-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "ca-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every three years or when a significant change occurs"
-            }
-          ]
-        },
-        "ca-7_prm_4": {
-          "constraints": [
-            {
-              "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-            }
-          ]
-        },
-        "ca-7_prm_5": {
-          "constraints": [
-            {
-              "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-            }
-          ]
-        },
-        "cm-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "cm-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cm-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "United States Government Configuration Baseline (USGCB)"
-            }
-          ]
-        },
-        "cm-7_prm_1": {
-          "constraints": [
-            {
-              "detail": "United States Government Configuration Baseline (USGCB)"
-            }
-          ]
-        },
-        "cm-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "cm-11_prm_3": {
-          "constraints": [
-            {
-              "detail": "Continuously (via CM-7 (5))"
-            }
-          ]
-        },
-        "cp-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "cp-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-2_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "ten (10) days"
-            }
-          ]
-        },
-        "cp-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every three years"
-            }
-          ]
-        },
-        "cp-4_prm_2": {
-          "constraints": [
-            {
-              "detail": "classroom exercises/table top written tests"
-            }
-          ]
-        },
-        "cp-9_prm_1": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9_prm_2": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9_prm_3": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "ia-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ia-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ia-4_prm_2": {
-          "constraints": [
-            {
-              "detail": "IA-4 (d) [at least two years]"
-            }
-          ]
-        },
-        "ia-4_prm_3": {
-          "constraints": [
-            {
-              "detail": "ninety days for user identifiers (See additional requirements and guidance)"
-            }
-          ]
-        },
-        "ia-5.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least one"
-            }
-          ]
-        },
-        "ia-5.1_prm_4": {
-          "constraints": [
-            {
-              "detail": "twenty four"
-            }
-          ]
-        },
-        "ir-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ir-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"
-            }
-          ]
-        },
-        "ir-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "ir-8_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-8_prm_4": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "ma-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ma-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "mp-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "mp-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "pe-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "CSP defined physical access control systems/devices AND guards"
-            }
-          ]
-        },
-        "pe-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "CSP defined physical access control systems/devices"
-            }
-          ]
-        },
-        "pe-3_prm_6": {
-          "constraints": [
-            {
-              "detail": "in all circumstances within restricted access area where the information system resides"
-            }
-          ]
-        },
-        "pe-3_prm_8": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-3_prm_9": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "pe-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "for a minimum of one (1) year"
-            }
-          ]
-        },
-        "pe-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "pe-14_prm_1": {
-          "constraints": [
-            {
-              "detail": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"
-            }
-          ]
-        },
-        "pe-14_prm_2": {
-          "constraints": [
-            {
-              "detail": "continuously"
-            }
-          ]
-        },
-        "pe-16_prm_1": {
-          "constraints": [
-            {
-              "detail": "all information system components"
-            }
-          ]
-        },
-        "pl-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "pl-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pl-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pl-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "At least every 3 years"
-            }
-          ]
-        },
-        "ps-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ps-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every three years"
-            }
-          ]
-        },
-        "ps-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions."
-            }
-          ]
-        },
-        "ps-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "same day"
-            }
-          ]
-        },
-        "ps-5_prm_4": {
-          "constraints": [
-            {
-              "detail": "five days of the time period following the formal transfer action (DoD 24 hours)"
-            }
-          ]
-        },
-        "ps-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-6_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-7_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined time period - same day"
-            }
-          ]
-        },
-        "ra-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ra-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ra-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "security assessment report"
-            }
-          ]
-        },
-        "ra-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least every three (3) years or when a significant change occurs"
-            }
-          ]
-        },
-        "ra-3_prm_5": {
-          "constraints": [
-            {
-              "detail": "at least every three (3) years or when a significant change occurs"
-            }
-          ]
-        },
-        "ra-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "monthly operating system/infrastructure; monthly web applications and databases"
-            }
-          ]
-        },
-        "ra-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "[high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."
-            }
-          ]
-        },
-        "sa-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "sa-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "sa-9_prm_1": {
-          "constraints": [
-            {
-              "detail": "FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"
-            }
-          ]
-        },
-        "sa-9_prm_2": {
-          "constraints": [
-            {
-              "detail": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"
-            }
-          ]
-        },
-        "sc-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "sc-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "sc-13_prm_1": {
-          "constraints": [
-            {
-              "detail": "FIPS-validated or NSA-approved cryptography"
-            }
-          ]
-        },
-        "sc-15_prm_1": {
-          "constraints": [
-            {
-              "detail": "no exceptions"
-            }
-          ]
-        },
-        "si-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "si-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "si-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "within 30 days of release of updates"
-            }
-          ]
-        },
-        "si-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "si-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include endpoints"
-            }
-          ]
-        },
-        "si-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "to include alerting administrator or defined security personnel"
-            }
-          ]
-        },
-        "si-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "to include US-CERT"
-            }
-          ]
-        },
-        "si-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include system security personnel and administrators with configuration/patch-management responsibilities"
-            }
-          ]
-        }
-      },
-      "alterations": [
-        {
-          "control-id": "ac-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-14",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-14.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-14.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-14.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-18",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-18.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-18.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-19",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-19",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.g_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.h_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.i_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.j_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.j_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.k_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-20",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-20.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-20.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-22",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-22",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-8_smt",
-              "parts": [
-                {
-                  "id": "ac-8_fr",
-                  "name": "item",
-                  "title": "AC-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."
-                    },
-                    {
-                      "id": "ac-8_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."
-                    },
-                    {
-                      "id": "ac-8_fr_smt.3",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-11",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-11_smt",
-              "parts": [
-                {
-                  "id": "au-11_fr",
-                  "name": "item",
-                  "title": "AU-11 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-11_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-12.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-2_smt",
-              "parts": [
-                {
-                  "id": "au-2_fr",
-                  "name": "item",
-                  "title": "AU-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-2_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-6_smt",
-              "parts": [
-                {
-                  "id": "au-6_fr",
-                  "name": "item",
-                  "title": "AU-6 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-9.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-2_smt",
-              "parts": [
-                {
-                  "id": "ca-2_fr",
-                  "name": "item",
-                  "title": "CA-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-2.1_smt",
-              "parts": [
-                {
-                  "id": "ca-2.1_fr",
-                  "name": "item",
-                  "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-5_smt",
-              "parts": [
-                {
-                  "id": "ca-5_fr",
-                  "name": "item",
-                  "title": "CA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-5_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Plan of Action & Milestones (POA&M) must be provided at least monthly."
-                    },
-                    {
-                      "id": "ca-5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-6_smt",
-              "parts": [
-                {
-                  "id": "ca-6_fr",
-                  "name": "item",
-                  "title": "CA-6(c) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-7",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-7_smt",
-              "parts": [
-                {
-                  "id": "ca-7_fr",
-                  "name": "item",
-                  "title": "CA-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-7_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."
-                    },
-                    {
-                      "id": "ca-7_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."
-                    },
-                    {
-                      "id": "ca-7_fr_gdn.2",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-10.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-10.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-10.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-11.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-6_smt",
-              "parts": [
-                {
-                  "id": "cm-6_fr",
-                  "name": "item",
-                  "title": "CM-6(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement 1:"
-                        }
-                      ],
-                      "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "
-                    },
-                    {
-                      "id": "cm-6_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement 2:"
-                        }
-                      ],
-                      "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."
-                    },
-                    {
-                      "id": "cm-6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-7_smt",
-              "parts": [
-                {
-                  "id": "cm-7_fr",
-                  "name": "item",
-                  "title": "CM-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-7_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."
-                    },
-                    {
-                      "id": "cm-7_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc)\n\t\t\t\t\t\t\tPartially derived from AC-17(8)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-8_smt",
-              "parts": [
-                {
-                  "id": "cm-8_fr",
-                  "name": "item",
-                  "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Must be provided at least monthly or when there is a change."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-10.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-2_smt",
-              "parts": [
-                {
-                  "id": "cp-2_fr",
-                  "name": "item",
-                  "title": "CP-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-2_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-2 Requirement:"
-                        }
-                      ],
-                      "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.6_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.6_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.g_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-4_smt",
-              "parts": [
-                {
-                  "id": "cp-4_fr",
-                  "name": "item",
-                  "title": "CP-4(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-4_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-4(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-9_smt",
-              "parts": [
-                {
-                  "id": "cp-9_fr",
-                  "name": "item",
-                  "title": "CP-9 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-9_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.b",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(b)Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.c",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(c)Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.12",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-2.12_smt",
-              "parts": [
-                {
-                  "id": "ia-2.12_fr",
-                  "name": "item",
-                  "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-2.12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.12_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-4_smt",
-              "parts": [
-                {
-                  "id": "ia-4_fr",
-                  "name": "item",
-                  "title": "IA-4(e) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-4_fr_smt.e",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines the time period of inactivity for device identifiers."
-                    },
-                    {
-                      "id": "ia-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-5_smt",
-              "parts": [
-                {
-                  "id": "ia-5_fr",
-                  "name": "item",
-                  "title": "IA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-5_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.h_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.i_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.i_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.j_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-5.1_smt",
-              "parts": [
-                {
-                  "id": "ia-5.1_fr",
-                  "name": "item",
-                  "title": "IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-5.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance (a) (d):"
-                        }
-                      ],
-                      "prose": "If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.11_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-8.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-4_smt",
-              "parts": [
-                {
-                  "id": "ir-4_fr",
-                  "name": "item",
-                  "title": "IR-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-4_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-6_smt",
-              "parts": [
-                {
-                  "id": "ir-6_fr",
-                  "name": "item",
-                  "title": "IR-6 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Report security incident information according to FedRAMP Incident Communications Procedure."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-7.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-8_smt",
-              "parts": [
-                {
-                  "id": "ir-8_fr",
-                  "name": "item",
-                  "title": "IR-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-8_fr_smt.b",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                    },
-                    {
-                      "id": "ir-8_fr_smt.e",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(e) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-13.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-14",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "pe-14_smt",
-              "parts": [
-                {
-                  "id": "pe-14_fr",
-                  "name": "item",
-                  "title": "PE-14(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "pe-14_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider measures temperature at server inlets and humidity levels by dew point."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-15",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-15_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-16",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.6",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.7",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.8",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.9",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.9_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-3_smt",
-              "parts": [
-                {
-                  "id": "ra-3_fr",
-                  "name": "item",
-                  "title": "RA-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"
-                    },
-                    {
-                      "id": "ra-3_fr_smt.d",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "RA-3 (d) Requirement:"
-                        }
-                      ],
-                      "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5",
-          "additions": [
-            {
-              "id-ref": "ra-5_smt",
-              "parts": [
-                {
-                  "id": "ra-5_fr_smt.a",
-                  "name": "item",
-                  "title": "RA-5(a) Additional FedRAMP Requirements and Guidance",
-                  "properties": [
-                    {
-                      "name": "label",
-                      "value": "RA-5 (a)Requirement:"
-                    }
-                  ],
-                  "prose": "An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."
-                },
-                {
-                  "id": "ra-5_fr_smt.e",
-                  "name": "item",
-                  "title": "RA-5(e) Additional FedRAMP Requirements and Guidance",
-                  "properties": [
-                    {
-                      "name": "label",
-                      "value": "RA-5 (e)Requirement:"
-                    }
-                  ],
-                  "prose": "To include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                },
-                {
-                  "id": "ra-5_fr",
-                  "name": "item",
-                  "title": "RA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-4_smt",
-              "parts": [
-                {
-                  "id": "sa-4_fr",
-                  "name": "item",
-                  "title": "SA-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-9_smt",
-              "parts": [
-                {
-                  "id": "sa-9_fr",
-                  "name": "item",
-                  "title": "SA-9 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-9_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide [https://www.FedRAMP.gov/documents](https://www.FedRAMP.gov/documents)\n                  "
-                    },
-                    {
-                      "id": "sa-9_fr_gdn.2",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-12_smt",
-              "parts": [
-                {
-                  "id": "sc-12_fr",
-                  "name": "item",
-                  "title": "SC-12 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Federally approved and validated cryptography."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-12.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-13",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-13",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-15",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-15_smt",
-              "parts": [
-                {
-                  "id": "sc-15_fr",
-                  "name": "item",
-                  "title": "SC-15 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-15_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-20",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-20.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-20.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-21",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-22",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-22_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-22_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-39",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-39_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-5.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-5.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-12_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "si-4_smt",
-              "parts": [
-                {
-                  "id": "si-4_fr",
-                  "name": "item",
-                  "title": "SI-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "si-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See US-CERT Incident Response Reporting Guidelines."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.b.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.b.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        }
-      ]
-    },
-    "back-matter": {
-      "resources": [
-        {
-          "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48",
-          "title": "FedRAMP Applicable Laws and Regulations",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-citations"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-            }
-          ]
-        },
-        {
-          "uuid": "1a23a771-d481-4594-9a1a-71d584fa4123",
-          "title": "FedRAMP Master Acronym and Glossary",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-acronyms"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f",
-          "desc": "FedRAMP Logo",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-logo"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png"
-            }
-          ]
-        },
-        {
-          "uuid": "ad005eae-cc63-4e64-9109-3905a9a825e4",
-          "title": "NIST Special Publication (SP) 800-53",
-          "properties": [
-            {
-              "name": "version",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "Revision 4"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-              "media-type": "application/xml"
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
diff --git a/content/fedramp.gov/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog-min.json b/content/fedramp.gov/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog-min.json
deleted file mode 100644
index 3f0ee626e8..0000000000
--- a/content/fedramp.gov/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog-min.json
+++ /dev/null
@@ -1 +0,0 @@
-{"catalog":{"uuid":"c9301b61-9f2b-431e-9c7f-c8ffcd110388","metadata":{"title":"FedRAMP Moderate Baseline","published":"2020-06-01T00:00:00.000-04:00","last-modified":"2020-06-01T10:00:00.000-04:00","version":"1.2","oscal-version":"1.0.0-milestone3","properties":[{"name":"resolution-timestamp","value":"2020-08-31T17:38:53.967424Z"}],"links":[{"href":"FedRAMP_MODERATE-baseline_profile.xml","rel":"resolution-source","text":"FedRAMP Moderate Baseline"}],"roles":[{"id":"parpared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"parties":[{"uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","type":"organization","party-name":"Federal Risk and Authorization Management Program: Program Management Office","short-name":"FedRAMP PMO","links":[{"href":"https://fedramp.gov","rel":"homepage","text":""}],"addresses":[{"type":"work","postal-address":["1800 F St. NW",""],"city":"Washington","state":"DC","postal-code":"","country":"US"}],"email-addresses":["info@fedramp.gov"]},{"uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","type":"organization","party-name":"Federal Risk and Authorization Management Program: Joint Authorization Board","short-name":"FedRAMP JAB"}],"responsible-parties":{"prepared-by":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-pmo":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-jab":{"party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}}},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","parameters":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ac-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and\n                     associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Access control policy {{ ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be\n                        disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or\n                        roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control\n                        policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the\n                        organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control\n                        procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","parameters":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to\n                  support organizational missions/business functions: {{ ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership,\n                  and access authorizations (i.e., privileges) and other attributes (as required)\n                  for each account;"},{"id":"ac-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ ac-2_prm_2 }} for requests to create\n                  information system accounts;"},{"id":"ac-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in\n                  accordance with {{ ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated\n                     missions/business functions;"}]},{"id":"ac-2_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","properties":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group,\n               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and\n               service. Some of the account management requirements listed above can be implemented\n               by organizational information systems. The identification of authorized users of the\n               information system and the specification of access privileges reflects the\n               requirements in other security controls in the security plan. Users requiring\n               administrative privileges on information system accounts receive additional scrutiny\n               by appropriate organizational personnel (e.g., system owner, mission/business owner,\n               or chief information security officer) responsible for approving such accounts and\n               privileged access. Organizations may choose to define access privileges or other\n               attributes by account, by type of account, or a combination of both. Other attributes\n               required for authorizing access include, for example, restrictions on time-of-day,\n               day-of-week, and point-of-origin. In defining other account attributes, organizations\n               consider system-related requirements (e.g., scheduled maintenance, system upgrades)\n               and mission/business requirements, (e.g., time zone differences, customer\n               requirements, remote access to support travel requirements). Failure to consider\n               these factors could affect information system availability. Temporary and emergency\n               accounts are accounts intended for short-term use. Organizations establish temporary\n               accounts as a part of normal account activation procedures when there is a need for\n               short-term accounts without the demand for immediacy in account activation.\n               Organizations establish emergency accounts in response to crisis situations and with\n               the need for rapid account activation. Therefore, emergency account activation may\n               bypass normal account authorization processes. Emergency and temporary accounts are\n               not to be confused with infrequently used accounts (e.g., local logon accounts used\n               for special tasks defined by organizations or when network resources are\n               unavailable). Such accounts remain available and are not subject to automatic\n               disabling or removal dates. Conditions for disabling or deactivating accounts\n               include, for example: (i) when shared/group, emergency, or temporary accounts are no\n               longer required; or (ii) when individuals are transferred or terminated. Some types\n               of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-10","rel":"related","text":"AC-10"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","properties":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to\n                     support organizational missions/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to\n                     support organizational missions/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","properties":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","properties":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information\n                     system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to\n                     create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","properties":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","properties":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","properties":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","properties":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated\n                     missions/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","properties":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management\n                     requirements;"},{"id":"ac-2.j_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the\n                     organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of active system accounts along with the name of the individual associated\n                  with each account\\n\\nlist of conditions for group and role membership\\n\\nnotifications or records of recently transferred, separated, or terminated\n                  employees\\n\\nlist of recently disabled information system accounts along with the name of the\n                  individual associated with each account\\n\\naccess authorization records\\n\\naccount management compliance reviews\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\\n\\nautomated mechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","properties":[{"name":"label","value":"AC-2(1)"},{"name":"sort-id","value":"ac-02.01"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the management of\n                  information system accounts."},{"id":"ac-2.1_gdn","name":"guidance","prose":"The use of automated mechanisms can include, for example: using email or text\n                  messaging to automatically notify account managers when users are terminated or\n                  transferred; using the information system to monitor account usage; and using\n                  telephonic notification to report atypical system account usage."},{"id":"ac-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to support the\n                  management of information system accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Removal of Temporary / Emergency Accounts","parameters":[{"id":"ac-2.2_prm_1"},{"id":"ac-2.2_prm_2","label":"organization-defined time period for each type of account","constraints":[{"detail":"no more than 30 days for temporary and emergency account types"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2(2)"},{"name":"sort-id","value":"ac-02.02"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"The information system automatically {{ ac-2.2_prm_1 }} temporary\n                  and emergency accounts after {{ ac-2.2_prm_2 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"This control enhancement requires the removal of both temporary and emergency\n                  accounts automatically after a predefined period of time has elapsed, rather than\n                  at the convenience of the systems administrator."},{"id":"ac-2.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(2)[1]"}],"prose":"the organization defines the time period after which the information system\n                     automatically removes or disables temporary and emergency accounts; and"},{"id":"ac-2.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(2)[2]"}],"prose":"the information system automatically removes or disables temporary and\n                     emergency accounts after the organization-defined time period for each type of\n                     account."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of temporary accounts removed and/or\n                     disabled\\n\\ninformation system-generated list of emergency accounts removed and/or\n                     disabled\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Inactive Accounts","parameters":[{"id":"ac-2.3_prm_1","label":"organization-defined time period","constraints":[{"detail":"90 days for user accounts"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2(3)"},{"name":"sort-id","value":"ac-02.03"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"The information system automatically disables inactive accounts after {{ ac-2.3_prm_1 }}."},{"id":"ac-2.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(3)[1]"}],"prose":"the organization defines the time period after which the information system\n                     automatically disables inactive accounts; and"},{"id":"ac-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(3)[2]"}],"prose":"the information system automatically disables inactive accounts after the\n                     organization-defined time period."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of temporary accounts removed and/or\n                     disabled\\n\\ninformation system-generated list of emergency accounts removed and/or\n                     disabled\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","parameters":[{"id":"ac-2.4_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AC-2(4)"},{"name":"sort-id","value":"ac-02.04"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"The information system automatically audits account creation, modification,\n                  enabling, disabling, and removal actions, and notifies {{ ac-2.4_prm_1 }}."},{"id":"ac-2.4_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"ac-2.4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(4)[1]"}],"prose":"the information system automatically audits the following account actions:","parts":[{"id":"ac-2.4_obj.1.a","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.1.b","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.1.c","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.1.d","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.1.e","name":"objective","properties":[{"name":"label","value":"AC-2(4)[1][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(4)[2]"}],"prose":"the organization defines personnel or roles to be notified of the following\n                     account actions:","parts":[{"id":"ac-2.4_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.2.d","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.2.e","name":"objective","properties":[{"name":"label","value":"AC-2(4)[2][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(4)[3]"}],"prose":"the information system notifies organization-defined personnel or roles of the\n                     following account actions:","parts":[{"id":"ac-2.4_obj.3.a","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.3.b","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.3.c","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.3.d","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][d]"}],"prose":"disabling; and"},{"id":"ac-2.4_obj.3.e","name":"objective","properties":[{"name":"label","value":"AC-2(4)[3][e]"}],"prose":"removal."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nnotifications/alerts of account creation, modification, enabling, disabling,\n                     and removal actions\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","parameters":[{"id":"ac-2.5_prm_1","label":"organization-defined time-period of expected inactivity or description of when\n                  to log out"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2(5)"},{"name":"sort-id","value":"ac-02.05"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"The organization requires that users log out when {{ ac-2.5_prm_1 }}.","parts":[{"id":"ac-2.5_fr","name":"item","title":"AC-2 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Should use a shorter timeframe than AC-12."}]}]},{"id":"ac-2.5_gdn","name":"guidance","links":[{"href":"#sc-23","rel":"related","text":"SC-23"}]},{"id":"ac-2.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(5)[1]"}],"prose":"defines either the time period of expected inactivity that requires users to\n                     log out or the description of when users are required to log out; and"},{"id":"ac-2.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(5)[2]"}],"prose":"requires that users log out when the organization-defined time period of\n                     inactivity is reached or in accordance with organization-defined description of\n                     when to log out."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity violation reports\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.7","class":"SP800-53-enhancement","title":"Role-based Schemes","parameters":[{"id":"ac-2.7_prm_1","label":"organization-defined actions"}],"properties":[{"name":"label","value":"AC-2(7)"},{"name":"sort-id","value":"ac-02.07"}],"parts":[{"id":"ac-2.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Establishes and administers privileged user accounts in accordance with a\n                     role-based access scheme that organizes allowed information system access and\n                     privileges into roles;"},{"id":"ac-2.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Monitors privileged role assignments; and"},{"id":"ac-2.7_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Takes {{ ac-2.7_prm_1 }} when privileged role assignments are no\n                     longer appropriate."}]},{"id":"ac-2.7_gdn","name":"guidance","prose":"Privileged roles are organization-defined roles assigned to individuals that allow\n                  those individuals to perform certain security-relevant functions that ordinary\n                  users are not authorized to perform. These privileged roles include, for example,\n                  key management, account management, network and system administration, database\n                  administration, and web administration."},{"id":"ac-2.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(7)(a)"}],"prose":"establishes and administers privileged user accounts in accordance with a\n                     role-based access scheme that organizes allowed information system access and\n                     privileges into roles;","links":[{"href":"#ac-2.7_smt.a","rel":"corresp","text":"AC-2(7)(a)"}]},{"id":"ac-2.7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(7)(b)"}],"prose":"monitors privileged role assignments;","links":[{"href":"#ac-2.7_smt.b","rel":"corresp","text":"AC-2(7)(b)"}]},{"id":"ac-2.7.c_obj","name":"objective","properties":[{"name":"label","value":"AC-2(7)(c)"}],"parts":[{"id":"ac-2.7.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(7)(c)[1]"}],"prose":"defines actions to be taken when privileged role assignments are no longer\n                        appropriate; and"},{"id":"ac-2.7.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(7)(c)[2]"}],"prose":"takes organization-defined actions when privileged role assignments are no\n                        longer appropriate."}],"links":[{"href":"#ac-2.7_smt.c","rel":"corresp","text":"AC-2(7)(c)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of privileged user accounts and associated\n                     role\\n\\nrecords of actions taken when privileged role assignments are no longer\n                     appropriate\\n\\ninformation system audit records\\n\\naudit tracking and monitoring reports\\n\\ninformation system monitoring records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions\\n\\nautomated mechanisms monitoring privileged role assignments"}]}]},{"id":"ac-2.9","class":"SP800-53-enhancement","title":"Restrictions On Use of Shared / Group Accounts","parameters":[{"id":"ac-2.9_prm_1","label":"organization-defined conditions for establishing shared/group accounts"}],"properties":[{"name":"label","value":"AC-2(9)"},{"name":"sort-id","value":"ac-02.09"}],"parts":[{"id":"ac-2.9_smt","name":"statement","prose":"The organization only permits the use of shared/group accounts that meet {{ ac-2.9_prm_1 }}.","parts":[{"id":"ac-2.9_fr","name":"item","title":"AC-2 (9) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Required if shared/group accounts are deployed"}]}]},{"id":"ac-2.9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.9_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(9)[1]"}],"prose":"defines conditions for establishing shared/group accounts; and"},{"id":"ac-2.9_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(9)[2]"}],"prose":"only permits the use of shared/group accounts that meet organization-defined\n                     conditions for establishing shared/group accounts."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of shared/group accounts and associated role\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of shared/group accounts"}]}]},{"id":"ac-2.10","class":"SP800-53-enhancement","title":"Shared / Group Account Credential Termination","properties":[{"name":"label","value":"AC-2(10)"},{"name":"sort-id","value":"ac-02.10"}],"parts":[{"id":"ac-2.10_smt","name":"statement","prose":"The information system terminates shared/group account credentials when members\n                  leave the group.","parts":[{"id":"ac-2.10_fr","name":"item","title":"AC-2 (10) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.10_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Required if shared/group accounts are deployed"}]}]},{"id":"ac-2.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system terminates shared/group account credentials\n                  when members leave the group."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naccount access termination records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring / Atypical Usage","parameters":[{"id":"ac-2.12_prm_1","label":"organization-defined atypical usage"},{"id":"ac-2.12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-2(12)"},{"name":"sort-id","value":"ac-02.12"}],"parts":[{"id":"ac-2.12_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2.12_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Monitors information system accounts for {{ ac-2.12_prm_1 }};\n                     and"},{"id":"ac-2.12_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Reports atypical usage of information system accounts to {{ ac-2.12_prm_2 }}."},{"id":"ac-2.12_fr","name":"item","title":"AC-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) Guidance:"}],"prose":"Required for privileged accounts."},{"id":"ac-2.12_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Required for privileged accounts."}]}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes, for example, accessing information systems at certain\n                  times of the day and from locations that are not consistent with the normal usage\n                  patterns of individuals working in organizations.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"}]},{"id":"ac-2.12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.12.a_obj","name":"objective","properties":[{"name":"label","value":"AC-2(12)(a)"}],"parts":[{"id":"ac-2.12.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(12)(a)[1]"}],"prose":"defines atypical usage to be monitored for information system accounts;"},{"id":"ac-2.12.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(12)(a)[2]"}],"prose":"monitors information system accounts for organization-defined atypical\n                        usage;"}],"links":[{"href":"#ac-2.12_smt.a","rel":"corresp","text":"AC-2(12)(a)"}]},{"id":"ac-2.12.b_obj","name":"objective","properties":[{"name":"label","value":"AC-2(12)(b)"}],"parts":[{"id":"ac-2.12.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-2(12)(b)[1]"}],"prose":"defines personnel or roles to whom atypical usage of information system\n                        accounts are to be reported; and"},{"id":"ac-2.12.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-2(12)(b)[2]"}],"prose":"reports atypical usage of information system accounts to\n                        organization-defined personnel or roles."}],"links":[{"href":"#ac-2.12_smt.b","rel":"corresp","text":"AC-2(12)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\naudit tracking and monitoring reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","properties":[{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to\n               information and system resources in accordance with applicable access control\n               policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control\n               matrices, cryptography) control access between active entities or subjects (i.e.,\n               users or processes acting on behalf of users) and passive entities or objects (e.g.,\n               devices, files, records, domains) in information systems. In addition to enforcing\n               authorized access at the information system level and recognizing that information\n               systems can host many applications and services in support of organizational missions\n               and business operations, access enforcement mechanisms can also be employed at the\n               application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#ac-22","rel":"related","text":"AC-22"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#pe-3","rel":"related","text":"PE-3"}]},{"id":"ac-3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system enforces approved authorizations for logical\n               access to information and system resources in accordance with applicable access\n               control policies."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of approved authorizations (user privileges)\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","parameters":[{"id":"ac-4_prm_1","label":"organization-defined information flow control policies"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-4"},{"name":"sort-id","value":"ac-04"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"The information system enforces approved authorizations for controlling the flow of\n               information within the system and between interconnected systems based on {{ ac-4_prm_1 }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information is allowed to travel within an\n               information system and between information systems (as opposed to who is allowed to\n               access the information) and without explicit regard to subsequent accesses to that\n               information. Flow control restrictions include, for example, keeping\n               export-controlled information from being transmitted in the clear to the Internet,\n               blocking outside traffic that claims to be from within the organization, restricting\n               web requests to the Internet that are not from the internal web proxy server, and\n               limiting information transfers between organizations based on data structures and\n               content. Transferring information between information systems representing different\n               security domains with different security policies introduces risk that such transfers\n               violate one or more domain security policies. In such situations, information\n               owners/stewards provide guidance at designated policy enforcement points between\n               interconnected systems. Organizations consider mandating specific architectural\n               solutions when required to enforce specific security policies. Enforcement includes,\n               for example: (i) prohibiting information transfers between interconnected systems\n               (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way\n               information flows; and (iii) implementing trustworthy regrading mechanisms to\n               reassign security attributes and security labels. Organizations commonly employ\n               information flow control policies and enforcement mechanisms to control the flow of\n               information between designated sources and destinations (e.g., networks, individuals,\n               and devices) within information systems and between interconnected systems. Flow\n               control is based on the characteristics of the information and/or the information\n               path. Enforcement occurs, for example, in boundary protection devices (e.g.,\n               gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or\n               establish configuration settings that restrict information system services, provide a\n               packet-filtering capability based on header information, or message-filtering\n               capability based on message content (e.g., implementing key word searches or using\n               document characteristics). Organizations also consider the trustworthiness of\n               filtering/inspection mechanisms (i.e., hardware, firmware, and software components)\n               that are critical to information flow enforcement. Control enhancements 3 through 22\n               primarily address cross-domain solution needs which focus on more advanced filtering\n               techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented\n               in cross-domain products, for example, high-assurance guards. Such capabilities are\n               generally not available in commercial off-the-shelf information technology\n               products.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-21","rel":"related","text":"AC-21"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"}]},{"id":"ac-4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-4_obj.1","name":"objective","properties":[{"name":"label","value":"AC-4[1]"}],"prose":"the organization defines information flow control policies to control the flow of\n                  information within the system and between interconnected systems; and"},{"id":"ac-4_obj.2","name":"objective","properties":[{"name":"label","value":"AC-4[2]"}],"prose":"the information system enforces approved authorizations for controlling the flow\n                  of information within the system and between interconnected systems based on\n                  organization-defined information flow control policies."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system baseline configuration\\n\\nlist of information flow authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement policy"}]}],"controls":[{"id":"ac-4.21","class":"SP800-53-enhancement","title":"Physical / Logical Separation of Information Flows","parameters":[{"id":"ac-4.21_prm_1","label":"organization-defined mechanisms and/or techniques"},{"id":"ac-4.21_prm_2","label":"organization-defined required separations by types of information"}],"properties":[{"name":"label","value":"AC-4(21)"},{"name":"sort-id","value":"ac-04.21"}],"parts":[{"id":"ac-4.21_smt","name":"statement","prose":"The information system separates information flows logically or physically using\n                     {{ ac-4.21_prm_1 }} to accomplish {{ ac-4.21_prm_2 }}."},{"id":"ac-4.21_gdn","name":"guidance","prose":"Enforcing the separation of information flows by type can enhance protection by\n                  ensuring that information is not commingled while in transit and by enabling flow\n                  control by transmission paths perhaps not otherwise achievable. Types of separable\n                  information include, for example, inbound and outbound communications traffic,\n                  service requests and responses, and information of differing security\n                  categories."},{"id":"ac-4.21_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ac-4.21_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-4(21)[1]"}],"prose":"the organization defines the required separations of information flows by types\n                     of information;"},{"id":"ac-4.21_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-4(21)[2]"}],"prose":"the organization defines the mechanisms and/or techniques to be used to\n                     separate information flows logically or physically; and"},{"id":"ac-4.21_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-4(21)[3]"}],"prose":"the information system separates information flows logically or physically\n                     using organization-defined mechanisms and/or techniques to accomplish\n                     organization-defined required separations by types of information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information flow enforcement policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of required separation of information flows by information types\\n\\nlist of mechanisms and/or techniques used to logically or physically separate\n                     information flows\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information flow enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement functions"}]}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","parameters":[{"id":"ac-5_prm_1","label":"organization-defined duties of individuals"}],"properties":[{"name":"label","value":"AC-5"},{"name":"sort-id","value":"ac-05"}],"parts":[{"id":"ac-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Separates {{ ac-5_prm_1 }};"},{"id":"ac-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents separation of duties of individuals; and"},{"id":"ac-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Defines information system access authorizations to support separation of\n                  duties."},{"id":"ac-5_fr","name":"item","title":"AC-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP."}]}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and\n               helps to reduce the risk of malevolent activity without collusion. Separation of\n               duties includes, for example: (i) dividing mission functions and information system\n               support functions among different individuals and/or roles; (ii) conducting\n               information system support functions with different individuals (e.g., system\n               management, programming, configuration management, quality assurance and testing, and\n               network security); and (iii) ensuring security personnel administering access control\n               functions do not also administer audit functions.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ps-2","rel":"related","text":"PS-2"}]},{"id":"ac-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-5.a_obj","name":"objective","properties":[{"name":"label","value":"AC-5(a)"}],"parts":[{"id":"ac-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-5(a)[1]"}],"prose":"defines duties of individuals to be separated;"},{"id":"ac-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-5(a)[2]"}],"prose":"separates organization-defined duties of individuals;"}]},{"id":"ac-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-5(b)"}],"prose":"documents separation of duties; and"},{"id":"ac-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-5(c)"}],"prose":"defines information system access authorizations to support separation of\n                  duties."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing divisions of responsibility and separation of duties\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of divisions of responsibility and separation of duties\\n\\ninformation system access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions\n                  of responsibility and separation of duties\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","properties":[{"name":"label","value":"AC-6"},{"name":"sort-id","value":"ac-06"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"The organization employs the principle of least privilege, allowing only authorized\n               accesses for users (or processes acting on behalf of users) which are necessary to\n               accomplish assigned tasks in accordance with organizational missions and business\n               functions."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and information systems. The\n               principle of least privilege is also applied to information system processes,\n               ensuring that the processes operate at privilege levels no higher than necessary to\n               accomplish required organizational missions/business functions. Organizations\n               consider the creation of additional processes, roles, and information system accounts\n               as necessary, to achieve least privilege. Organizations also apply least privilege to\n               the development, implementation, and operation of organizational information\n               systems.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-5","rel":"related","text":"AC-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#pl-2","rel":"related","text":"PL-2"}]},{"id":"ac-6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs the principle of least privilege, allowing only\n               authorized access for users (and processes acting on behalf of users) which are\n               necessary to accomplish assigned tasks in accordance with organizational missions and\n               business functions. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of assigned access authorizations (user privileges)\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                  necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","parameters":[{"id":"ac-6.1_prm_1","label":"organization-defined security functions (deployed in hardware, software, and\n                  firmware) and security-relevant information"}],"properties":[{"name":"label","value":"AC-6(1)"},{"name":"sort-id","value":"ac-06.01"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"The organization explicitly authorizes access to {{ ac-6.1_prm_1 }}."},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include, for example, establishing system accounts, configuring\n                  access authorizations (i.e., permissions, privileges), setting events to be\n                  audited, and setting intrusion detection parameters. Security-relevant information\n                  includes, for example, filtering rules for routers/firewalls, cryptographic key\n                  management information, configuration parameters for security services, and access\n                  control lists. Explicitly authorized personnel include, for example, security\n                  administrators, system and network administrators, system security officers,\n                  system maintenance personnel, system programmers, and other privileged users.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"}]},{"id":"ac-6.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-6.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(1)[1]"}],"prose":"defines security-relevant information for which access must be explicitly\n                     authorized;"},{"id":"ac-6.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(1)[2]"}],"prose":"defines security functions deployed in:","parts":[{"id":"ac-6.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-6(1)[2][a]"}],"prose":"hardware;"},{"id":"ac-6.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-6(1)[2][b]"}],"prose":"software;"},{"id":"ac-6.1_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-6(1)[2][c]"}],"prose":"firmware;"}]},{"id":"ac-6.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(1)[3]"}],"prose":"explicitly authorizes access to:","parts":[{"id":"ac-6.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"AC-6(1)[3][a]"}],"prose":"organization-defined security functions; and"},{"id":"ac-6.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"AC-6(1)[3][b]"}],"prose":"security-relevant information."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of security functions (deployed in hardware, software, and firmware) and\n                     security-relevant information for which access must be explicitly\n                     authorized\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","parameters":[{"id":"ac-6.2_prm_1","label":"organization-defined security functions or security-relevant\n                  information","constraints":[{"detail":"all security functions"}]}],"properties":[{"name":"label","value":"AC-6(2)"},{"name":"sort-id","value":"ac-06.02"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"The organization requires that users of information system accounts, or roles,\n                  with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or\n                  roles, when accessing nonsecurity functions.","parts":[{"id":"ac-6.2_fr","name":"item","title":"AC-6 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-6.2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions."}]}]},{"id":"ac-6.2_gdn","name":"guidance","prose":"This control enhancement limits exposure when operating from within privileged\n                  accounts or roles. The inclusion of roles addresses situations where organizations\n                  implement access control policies such as role-based access control and where a\n                  change of role provides the same degree of assurance in the change of access\n                  authorizations for both the user and all processes acting on behalf of the user as\n                  would be provided by a change between a privileged and non-privileged account.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"ac-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(2)[1]"}],"prose":"defines security functions or security-relevant information to which users of\n                     information system accounts, or roles, have access; and"},{"id":"ac-6.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(2)[2]"}],"prose":"requires that users of information system accounts, or roles, with access to\n                     organization-defined security functions or security-relevant information, use\n                     non-privileged accounts, or roles, when accessing nonsecurity functions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated security functions or security-relevant information\n                     assigned to information system accounts or roles\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","parameters":[{"id":"ac-6.5_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AC-6(5)"},{"name":"sort-id","value":"ac-06.05"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"The organization restricts privileged accounts on the information system to\n                     {{ ac-6.5_prm_1 }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as\n                  system administrator for various types of commercial off-the-shelf operating\n                  systems. Restricting privileged accounts to specific personnel or roles prevents\n                  day-to-day users from having access to privileged information/functions.\n                  Organizations may differentiate in the application of this control enhancement\n                  between allowed privileges for local accounts and for domain accounts provided\n                  organizations retain the ability to control information system configurations for\n                  key security parameters and as otherwise necessary to sufficiently mitigate\n                  risk.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"}]},{"id":"ac-6.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-6(5)[1]"}],"prose":"defines personnel or roles for which privileged accounts on the information\n                     system are to be restricted; and"},{"id":"ac-6.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-6(5)[2]"}],"prose":"restricts privileged accounts on the information system to organization-defined\n                     personnel or roles."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated privileged accounts\\n\\nlist of system administration personnel\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Auditing Use of Privileged Functions","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-6(9)"},{"name":"sort-id","value":"ac-06.09"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"The information system audits the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"Misuse of privileged functions, either intentionally or unintentionally by\n                  authorized users, or by unauthorized external entities that have compromised\n                  information system accounts, is a serious and ongoing concern and can have\n                  significant adverse impacts on organizations. Auditing the use of privileged\n                  functions is one way to detect such misuse, and in doing so, help mitigate the\n                  risk from insider threats and the advanced persistent threat (APT).","links":[{"href":"#au-2","rel":"related","text":"AU-2"}]},{"id":"ac-6.9_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system audits the execution of privileged functions.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of privileged functions to be audited\\n\\nlist of audited events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","properties":[{"name":"label","value":"AC-6(10)"},{"name":"sort-id","value":"ac-06.10"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"The information system prevents non-privileged users from executing privileged\n                  functions to include disabling, circumventing, or altering implemented security\n                  safeguards/countermeasures."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include, for example, establishing information system\n                  accounts, performing system integrity checks, or administering cryptographic key\n                  management activities. Non-privileged users are individuals that do not possess\n                  appropriate authorizations. Circumventing intrusion detection and prevention\n                  mechanisms or malicious code protection mechanisms are examples of privileged\n                  functions that require protection from non-privileged users."},{"id":"ac-6.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system prevents non-privileged users from executing\n                  privileged functions to include:","parts":[{"id":"ac-6.10_obj.1","name":"objective","properties":[{"name":"label","value":"AC-6(10)[1]"}],"prose":"disabling implemented security safeguards/countermeasures;"},{"id":"ac-6.10_obj.2","name":"objective","properties":[{"name":"label","value":"AC-6(10)[2]"}],"prose":"circumventing security safeguards/countermeasures; or"},{"id":"ac-6.10_obj.3","name":"objective","properties":[{"name":"label","value":"AC-6(10)[3]"}],"prose":"altering implemented security safeguards/countermeasures."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing least privilege\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of privileged functions and associated user account assignments\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions for non-privileged\n                     users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","parameters":[{"id":"ac-7_prm_1","label":"organization-defined number","constraints":[{"detail":"not more than three (3)"}]},{"id":"ac-7_prm_2","label":"organization-defined time period","constraints":[{"detail":"fifteen (15) minutes"}]},{"id":"ac-7_prm_3"},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period","constraints":[{"detail":"locks the account/node for thirty minutes"}]},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon\n                  attempts by a user during a {{ ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Automatically {{ ac-7_prm_3 }} when the maximum number of\n                  unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network\n               connection. Due to the potential for denial of service, automatic lockouts initiated\n               by information systems are usually temporary and automatically release after a\n               predetermined time period established by organizations. If a delay algorithm is\n               selected, organizations may choose to employ different algorithms for different\n               information system components based on the capabilities of those components.\n               Responses to unsuccessful logon attempts may be implemented at both the operating\n               system and the application levels.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ia-5","rel":"related","text":"IA-5"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ac-7.a_obj","name":"objective","properties":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts\n                     allowed to the information system by a user during an organization-defined time\n                     period;"},{"id":"ac-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information\n                     system for an organization-defined number of consecutive invalid logon\n                     attempts;"},{"id":"ac-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of\n                     consecutive invalid logon attempts by a user during an organization-defined\n                     time period;"}]},{"id":"ac-7.b_obj","name":"objective","properties":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account/node lockout time period or logon delay\n                     algorithm to be automatically enforced by the information system when the\n                     maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts\n                     is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay\n                        algorithm."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing unsuccessful logon attempts\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem developers\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon\n                  attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","parameters":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner","constraints":[{"detail":"see additional Requirements and Guidance"}]},{"id":"ac-8_prm_2","label":"organization-defined conditions","constraints":[{"detail":"see additional Requirements and Guidance]"}]}],"properties":[{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Displays to users {{ ac-8_prm_1 }} before granting access to the\n                  system that provides privacy and security notices consistent with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to\n                     criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and\n                     recording;"}]},{"id":"ac-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge\n                  the usage conditions and take explicit actions to log on to or further access the\n                  information system; and"},{"id":"ac-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ ac-8_prm_2 }}, before\n                     granting further access;"},{"id":"ac-8_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are\n                     consistent with privacy accommodations for such systems that generally prohibit\n                     those activities; and"},{"id":"ac-8_smt.c.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]},{"id":"ac-8_fr","name":"item","title":"AC-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."},{"id":"ac-8_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."},{"id":"ac-8_fr_smt.3","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners\n               displayed before individuals log in to information systems. System use notifications\n               are used only for access via logon interfaces with human users and are not required\n               when such human interfaces do not exist. Organizations consider system use\n               notification messages/banners displayed in multiple languages based on specific\n               organizational needs and the demographics of information system users. Organizations\n               also consult with the Office of the General Counsel for legal review and approval of\n               warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","properties":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be\n                     displayed by the information system to users before granting access to the\n                     system;"},{"id":"ac-8.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use\n                     notification message or banner before granting access to the information system\n                     that provides privacy and security notices consistent with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to\n                        audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to\n                        criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and\n                        recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen\n                  until users acknowledge the usage conditions and take explicit actions to log on\n                  to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","properties":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the\n                        information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before\n                        granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording,\n                     or auditing that are consistent with privacy accommodations for such systems\n                     that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the\n                     system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprivacy and security policies, procedures addressing system use notification\\n\\ndocumented approval of information system use notification messages or banners\\n\\ninformation system audit records\\n\\nuser acknowledgements of notification message or banner\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system use notification messages\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for providing legal advice\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","parameters":[{"id":"ac-10_prm_1","label":"organization-defined account and/or account type"},{"id":"ac-10_prm_2","label":"organization-defined number","constraints":[{"detail":"three (3) sessions for privileged access and two (2) sessions for non-privileged access"}]}],"properties":[{"name":"label","value":"AC-10"},{"name":"sort-id","value":"ac-10"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"The information system limits the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for information\n               system accounts globally, by account type (e.g., privileged user, non-privileged\n               user, domain, specific application), by account, or a combination. For example,\n               organizations may limit the number of concurrent sessions for system administrators\n               or individuals working in particularly sensitive domains or mission-critical\n               applications. This control addresses concurrent sessions for information system\n               accounts and does not address concurrent sessions by single users via multiple system\n               accounts."},{"id":"ac-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-10[1]"}],"prose":"the organization defines account and/or account types for the information\n                  system;"},{"id":"ac-10_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-10[2]"}],"prose":"the organization defines the number of concurrent sessions to be allowed for each\n                  organization-defined account and/or account type; and"},{"id":"ac-10_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-10[3]"}],"prose":"the information system limits the number of concurrent sessions for each\n                  organization-defined account and/or account type to the organization-defined\n                  number of concurrent sessions allowed."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing concurrent session control\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for concurrent session\n                  control"}]}]},{"id":"ac-11","class":"SP800-53","title":"Session Lock","parameters":[{"id":"ac-11_prm_1","label":"organization-defined time period","constraints":[{"detail":"fifteen (15) minutes"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-11"},{"name":"sort-id","value":"ac-11"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"}],"parts":[{"id":"ac-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prevents further access to the system by initiating a session lock after {{ ac-11_prm_1 }} of inactivity or upon receiving a request from a user;\n                  and"},{"id":"ac-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains the session lock until the user reestablishes access using established\n                  identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Session locks are temporary actions taken when users stop work and move away from the\n               immediate vicinity of information systems but do not want to log out because of the\n               temporary nature of their absences. Session locks are implemented where session\n               activities can be determined. This is typically at the operating system level, but\n               can also be at the application level. Session locks are not an acceptable substitute\n               for logging out of information systems, for example, if organizations require users\n               to log out at the end of workdays.","links":[{"href":"#ac-7","rel":"related","text":"AC-7"}]},{"id":"ac-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-11.a_obj","name":"objective","properties":[{"name":"label","value":"AC-11(a)"}],"parts":[{"id":"ac-11.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-11(a)[1]"}],"prose":"the organization defines the time period of user inactivity after which the\n                     information system initiates a session lock;"},{"id":"ac-11.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-11(a)[2]"}],"prose":"the information system prevents further access to the system by initiating a\n                     session lock after organization-defined time period of user inactivity or upon\n                     receiving a request from a user; and"}]},{"id":"ac-11.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-11(b)"}],"prose":"the information system retains the session lock until the user reestablishes\n                  access using established identification and authentication procedures."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing session lock\\n\\nprocedures addressing identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","properties":[{"name":"label","value":"AC-11(1)"},{"name":"sort-id","value":"ac-11.01"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"The information system conceals, via the session lock, information previously\n                  visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"Publicly viewable images can include static or dynamic images, for example,\n                  patterns used with screen savers, photographic images, solid colors, clock,\n                  battery life indicator, or a blank screen, with the additional caveat that none of\n                  the images convey sensitive information."},{"id":"ac-11.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system conceals, via the session lock, information\n                  previously visible on the display with a publicly viewable image."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing session lock\\n\\ndisplay screen with session lock activated\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","parameters":[{"id":"ac-12_prm_1","label":"organization-defined conditions or trigger events requiring session\n               disconnect"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-12"},{"name":"sort-id","value":"ac-12"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"The information system automatically terminates a user session after {{ ac-12_prm_1 }}."},{"id":"ac-12_gdn","name":"guidance","prose":"This control addresses the termination of user-initiated logical sessions in contrast\n               to SC-10 which addresses the termination of network connections that are associated\n               with communications sessions (i.e., network disconnect). A logical session (for\n               local, network, and remote access) is initiated whenever a user (or process acting on\n               behalf of a user) accesses an organizational information system. Such user sessions\n               can be terminated (and thus terminate user access) without terminating network\n               sessions. Session termination terminates all processes associated with a user’s\n               logical session except those processes that are specifically created by the user\n               (i.e., session owner) to continue after the session is terminated. Conditions or\n               trigger events requiring automatic session termination can include, for example,\n               organization-defined periods of user inactivity, targeted responses to certain types\n               of incidents, time-of-day restrictions on information system use.","links":[{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-23","rel":"related","text":"SC-23"}]},{"id":"ac-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-12_obj.1","name":"objective","properties":[{"name":"label","value":"AC-12[1]"}],"prose":"the organization defines conditions or trigger events requiring session\n                  disconnect; and"},{"id":"ac-12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-12[2]"}],"prose":"the information system automatically terminates a user session after\n                  organization-defined conditions or trigger events requiring session disconnect\n                  occurs."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing session termination\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of conditions or trigger events requiring session disconnect\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","parameters":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"properties":[{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies {{ ac-14_prm_1 }} that can be performed on the\n                  information system without identification or authentication consistent with\n                  organizational missions/business functions; and"},{"id":"ac-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no\n               identification or authentication is required in organizational information systems.\n               Organizations may allow a limited number of user actions without identification or\n               authentication including, for example, when individuals access public websites or\n               other publicly accessible federal information systems, when individuals use mobile\n               phones to receive calls, or when facsimiles are received. Organizations also identify\n               actions that normally require identification or authentication but may under certain\n               circumstances (e.g., emergencies), allow identification or authentication mechanisms\n               to be bypassed. Such bypasses may occur, for example, via a software-readable\n               physical switch that commands bypass of the logon functionality and is protected from\n               accidental or unmonitored use. This control does not apply to situations where\n               identification and authentication have already occurred and are not repeated, but\n               rather to situations where identification and authentication have not yet occurred.\n               Organizations may decide that there are no user actions that can be performed on\n               organizational information systems without identification and authentication and\n               thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ia-2","rel":"related","text":"IA-2"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","properties":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without\n                     identification or authentication consistent with organizational\n                     missions/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the\n                     information system without identification or authentication consistent with\n                     organizational missions/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing permitted actions without identification or\n                  authentication\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nlist of user actions that can be performed without identification or\n                  authentication\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference","text":"NIST Special Publication 800-46"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference","text":"NIST Special Publication 800-113"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference","text":"NIST Special Publication 800-114"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference","text":"NIST Special Publication 800-121"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration/connection\n                  requirements, and implementation guidance for each type of remote access allowed;\n                  and"},{"id":"ac-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such\n                  connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes\n               acting on behalf of users) communicating through external networks (e.g., the\n               Internet). Remote access methods include, for example, dial-up, broadband, and\n               wireless. Organizations often employ encrypted virtual private networks (VPNs) to\n               enhance confidentiality and integrity over remote connections. The use of encrypted\n               VPNs does not make the access non-remote; however, the use of VPNs, when adequately\n               provisioned with appropriate security controls (e.g., employing appropriate\n               encryption techniques for confidentiality and integrity protection) may provide\n               sufficient assurance to the organization that it can effectively treat such\n               connections as internal networks. Still, VPN connections traverse external networks,\n               and the encrypted VPN does not enhance the availability of remote connections. Also,\n               VPNs with encrypted tunnels can affect the organizational capability to adequately\n               monitor network communications traffic for malicious code. Remote access controls\n               apply to information systems other than public web servers or systems designed for\n               public access. This control addresses authorization prior to allowing remote access\n               without specifying the formats for such authorization. While organizations may use\n               interconnection security agreements to authorize remote access connections, such\n               agreements are not required by this control. Enforcing access restrictions for remote\n               connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#pe-17","rel":"related","text":"PE-17"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","properties":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","properties":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such\n                  connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nremote access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access\n                  connections\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Automated Monitoring / Control","properties":[{"name":"label","value":"AC-17(1)"},{"name":"sort-id","value":"ac-17.01"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"The information system monitors and controls remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Automated monitoring and control of remote access sessions allows organizations to\n                  detect cyber attacks and also ensure ongoing compliance with remote access\n                  policies by auditing connection activities of remote users on a variety of\n                  information system components (e.g., servers, workstations, notebook computers,\n                  smart phones, and tablets).","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"ac-17.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system monitors and controls remote access methods.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system monitoring records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality / Integrity Using Encryption","properties":[{"name":"label","value":"AC-17(2)"},{"name":"sort-id","value":"ac-17.02"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the\n                  confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"The encryption strength of mechanism is selected based on the security\n                  categorization of the information.","links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-17.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements cryptographic mechanisms to protect\n                  the confidentiality and integrity of remote access sessions. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote\n                     access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","parameters":[{"id":"ac-17.3_prm_1","label":"organization-defined number"}],"properties":[{"name":"label","value":"AC-17(3)"},{"name":"sort-id","value":"ac-17.03"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"The information system routes all remote accesses through {{ ac-17.3_prm_1 }} managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Limiting the number of access control points for remote accesses reduces the\n                  attack surface for organizations. Organizations consider the Trusted Internet\n                  Connections (TIC) initiative requirements for external network connections.","links":[{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"ac-17.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-17.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(3)[1]"}],"prose":"the organization defines the number of managed network access control points\n                     through which all remote accesses are to be routed; and"},{"id":"ac-17.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(3)[2]"}],"prose":"the information system routes all remote accesses through the\n                     organization-defined number of managed network access control points."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\nlist of all managed network access control points\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms routing all remote accesses through managed network access\n                     control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands / Access","parameters":[{"id":"ac-17.4_prm_1","label":"organization-defined needs"}],"properties":[{"name":"label","value":"AC-17(4)"},{"name":"sort-id","value":"ac-17.04"}],"parts":[{"id":"ac-17.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Authorizes the execution of privileged commands and access to security-relevant\n                     information via remote access only for {{ ac-17.4_prm_1 }};\n                     and"},{"id":"ac-17.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Documents the rationale for such access in the security plan for the\n                     information system."}]},{"id":"ac-17.4_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ac-17.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.4.a_obj","name":"objective","properties":[{"name":"label","value":"AC-17(4)(a)"}],"parts":[{"id":"ac-17.4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(4)(a)[1]"}],"prose":"defines needs to authorize the execution of privileged commands and access\n                        to security-relevant information via remote access;"},{"id":"ac-17.4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(4)(a)[2]"}],"prose":"authorizes the execution of privileged commands and access to\n                        security-relevant information via remote access only for\n                        organization-defined needs; and"}],"links":[{"href":"#ac-17.4_smt.a","rel":"corresp","text":"AC-17(4)(a)"}]},{"id":"ac-17.4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(4)(b)"}],"prose":"documents the rationale for such access in the information system security\n                     plan.","links":[{"href":"#ac-17.4_smt.b","rel":"corresp","text":"AC-17(4)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing remote access management"}]}]},{"id":"ac-17.9","class":"SP800-53-enhancement","title":"Disconnect / Disable Access","parameters":[{"id":"ac-17.9_prm_1","label":"organization-defined time period","constraints":[{"detail":"fifteen 15 minutes"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-17(9)"},{"name":"sort-id","value":"ac-17.09"}],"parts":[{"id":"ac-17.9_smt","name":"statement","prose":"The organization provides the capability to expeditiously disconnect or disable\n                  remote access to the information system within {{ ac-17.9_prm_1 }}."},{"id":"ac-17.9_gdn","name":"guidance","prose":"This control enhancement requires organizations to have the capability to rapidly\n                  disconnect current users remotely accessing the information system and/or disable\n                  further remote access. The speed of disconnect or disablement varies based on the\n                  criticality of missions/business functions and the need to eliminate immediate or\n                  future remote access to organizational information systems."},{"id":"ac-17.9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.9_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-17(9)[1]"}],"prose":"defines the time period within which to expeditiously disconnect or disable\n                     remote access to the information system; and"},{"id":"ac-17.9_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-17(9)[2]"}],"prose":"provides the capability to expeditiously disconnect or disable remote access to\n                     the information system within the organization-defined time period."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing disconnecting or disabling remote access to the\n                     information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan, information system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing capability to disconnect or disable remote\n                     access to information system"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference","text":"NIST Special Publication 800-48"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference","text":"NIST Special Publication 800-94"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference","text":"NIST Special Publication 800-97"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration/connection requirements, and\n                  implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such\n                  connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF/VHF),\n               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,\n               EAP/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such\n                  connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nwireless access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access\n                  connections\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","parameters":[{"id":"ac-18.1_prm_1"}],"properties":[{"name":"label","value":"AC-18(1)"},{"name":"sort-id","value":"ac-18.01"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"The information system protects wireless access to the system using authentication\n                  of {{ ac-18.1_prm_1 }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ac-18.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system protects wireless access to the system using\n                  encryption and one or more of the following:","parts":[{"id":"ac-18.1_obj.1","name":"objective","properties":[{"name":"label","value":"AC-18(1)[1]"}],"prose":"authentication of users; and/or"},{"id":"ac-18.1_obj.2","name":"objective","properties":[{"name":"label","value":"AC-18(1)[2]"}],"prose":"authentication of devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing wireless access protections to the\n                     information system"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference","text":"NIST Special Publication 800-114"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference","text":"NIST Special Publication 800-124"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference","text":"NIST Special Publication 800-164"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection\n                  requirements, and implementation guidance for organization-controlled mobile\n                  devices; and"},{"id":"ac-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information\n                  systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it\n               can easily be carried by a single individual; (ii) is designed to operate without a\n               physical connection (e.g., wirelessly transmit or receive information); (iii)\n               possesses local, non-removable or removable data storage; and (iv) includes a\n               self-contained power source. Mobile devices may also include voice communication\n               capabilities, on-board sensors that allow the device to capture information, and/or\n               built-in features for synchronizing local data with remote locations. Examples\n               include smart phones, E-readers, and tablets. Mobile devices are typically associated\n               with a single individual and the device is usually in close proximity to the\n               individual; however, the degree of proximity can vary depending upon on the form\n               factor and size of the device. The processing, storage, and transmission capability\n               of the mobile device may be comparable to or merely a subset of desktop systems,\n               depending upon the nature and intended purpose of the device. Due to the large\n               variety of mobile devices with different technical characteristics and capabilities,\n               organizational restrictions may vary for the different classes/types of such devices.\n               Usage restrictions and specific implementation guidance for mobile devices include,\n               for example, configuration management, device identification and authentication,\n               implementation of mandatory protective software (e.g., malicious code detection,\n               firewall), scanning devices for malicious code, updating virus protection software,\n               scanning for critical software updates and patches, conducting primary operating\n               system (and possibly other resident software) integrity checks, and disabling\n               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the\n               need to provide adequate security for mobile devices goes beyond the requirements in\n               this control. Many safeguards and countermeasures for mobile devices are reflected in\n               other security controls in the catalog allocated in the initial control baselines as\n               starting points for the development of security plans and overlays using the\n               tailoring process. There may also be some degree of overlap in the requirements\n               articulated by the security controls within the different families of controls. AC-20\n               addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-9","rel":"related","text":"CA-9"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-43","rel":"related","text":"SC-43"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","properties":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","properties":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","properties":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information\n                  systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access control for mobile device usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nauthorizations for mobile device connections to organizational information\n                  systems\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information\n                  systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational\n                  information systems"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device / Container-based Encryption","parameters":[{"id":"ac-19.5_prm_1"},{"id":"ac-19.5_prm_2","label":"organization-defined mobile devices"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-19(5)"},{"name":"sort-id","value":"ac-19.05"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"The organization employs {{ ac-19.5_prm_1 }} to protect the\n                  confidentiality and integrity of information on {{ ac-19.5_prm_2 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to the encryption\n                  of data/information on mobile devices, including for example, encrypting selected\n                  data structures such as files, records, or fields.","links":[{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"}]},{"id":"ac-19.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-19(5)[1]"}],"prose":"defines mobile devices for which full-device encryption or container encryption\n                     is required to protect the confidentiality and integrity of information on such\n                     devices; and"},{"id":"ac-19.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-19(5)[2]"}],"prose":"employs full-device encryption or container encryption to protect the\n                     confidentiality and integrity of information on organization-defined mobile\n                     devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing access control for mobile devices\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nencryption mechanism s and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities for mobile\n                     devices\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information\n                     on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","properties":[{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust\n               relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external\n                  information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information\n               systems that are outside of the authorization boundary established by organizations\n               and for which organizations typically have no direct supervision and authority over\n               the application of required security controls or the assessment of control\n               effectiveness. External information systems include, for example: (i) personally\n               owned information systems/devices (e.g., notebook computers, smart phones, tablets,\n               personal digital assistants); (ii) privately owned computing and communications\n               devices resident in commercial or public facilities (e.g., hotels, train stations,\n               convention centers, shopping malls, or airports); (iii) information systems owned or\n               controlled by nonfederal governmental organizations; and (iv) federal information\n               systems that are not owned by, operated by, or under the direct supervision and\n               authority of organizations. This control also addresses the use of external\n               information systems for the processing, storage, or transmission of organizational\n               information, including, for example, accessing cloud services (e.g., infrastructure\n               as a service, platform as a service, or software as a service) from organizational\n               information systems. For some external information systems (i.e., information systems\n               operated by other federal agencies, including organizations subordinate to those\n               agencies), the trust relationships that have been established between those\n               organizations and the originating organization may be such, that no explicit terms\n               and conditions are required. Information systems within these organizations would not\n               be considered external. These situations occur when, for example, there are\n               pre-existing sharing/trust agreements (either implicit or explicit) established\n               between federal agencies or organizations subordinate to those agencies, or when such\n               trust agreements are specified by applicable laws, Executive Orders, directives, or\n               policies. Authorized individuals include, for example, organizational personnel,\n               contractors, or other individuals with authorized access to organizational\n               information systems and over which organizations have the authority to impose rules\n               of behavior with regard to system access. Restrictions that organizations impose on\n               authorized individuals need not be uniform, as those restrictions may vary depending\n               upon the trust relationships between organizations. Therefore, organizations may\n               choose to impose different security restrictions on contractors than on state, local,\n               or tribal governments. This control does not apply to the use of external information\n               systems to access public interfaces to organizational information systems (e.g.,\n               individuals accessing federal information through www.usa.gov). Organizations\n               establish terms and conditions for the use of external information systems in\n               accordance with organizational security policies and procedures. Terms and conditions\n               address as a minimum: types of applications that can be accessed on organizational\n               information systems from external information systems; and the highest security\n               category of information that can be processed, stored, or transmitted on external\n               information systems. If terms and conditions with the owners of external information\n               systems cannot be established, organizations may impose restrictions on\n               organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any\n               trust relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to: ","parts":[{"id":"ac-20.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external\n                  information systems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nexternal information systems terms and conditions\\n\\nlist of types of applications accessible from external information systems\\n\\nmaximum security categorization for information processed, stored, or transmitted\n                  on external information systems\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions\n                  for use of external information systems to access organizational systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external\n                  information systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits On Authorized Use","properties":[{"name":"label","value":"AC-20(1)"},{"name":"sort-id","value":"ac-20.01"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"The organization permits authorized individuals to use an external information\n                  system to access the information system or to process, store, or transmit\n                  organization-controlled information only when the organization:","parts":[{"id":"ac-20.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Verifies the implementation of required security controls on the external\n                     system as specified in the organization’s information security policy and\n                     security plan; or"},{"id":"ac-20.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Retains approved information system connection or processing agreements with\n                     the organizational entity hosting the external information system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"This control enhancement recognizes that there are circumstances where individuals\n                  using external information systems (e.g., contractors, coalition partners) need to\n                  access organizational information systems. In those situations, organizations need\n                  confidence that the external information systems contain the necessary security\n                  safeguards (i.e., security controls), so as not to compromise, damage, or\n                  otherwise harm organizational information systems. Verification that the required\n                  security controls have been implemented can be achieved, for example, by\n                  third-party, independent assessments, attestations, or other means, depending on\n                  the confidence level required by organizations.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"}]},{"id":"ac-20.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization permits authorized individuals to use an external\n                  information system to access the information system or to process, store, or\n                  transmit organization-controlled information only when the organization: ","parts":[{"id":"ac-20.1.a_obj","name":"objective","properties":[{"name":"label","value":"AC-20(1)(a)"}],"prose":"verifies the implementation of required security controls on the external\n                     system as specified in the organization’s information security policy and\n                     security plan; or","links":[{"href":"#ac-20.1_smt.a","rel":"corresp","text":"AC-20(1)(a)"}]},{"id":"ac-20.1.b_obj","name":"objective","properties":[{"name":"label","value":"AC-20(1)(b)"}],"prose":"retains approved information system connection or processing agreements with\n                     the organizational entity hosting the external information system.","links":[{"href":"#ac-20.1_smt.b","rel":"corresp","text":"AC-20(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nsecurity plan\\n\\ninformation system connection or processing agreements\\n\\naccount management documents\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing limits on use of external information\n                     systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices","parameters":[{"id":"ac-20.2_prm_1"}],"properties":[{"name":"label","value":"AC-20(2)"},{"name":"sort-id","value":"ac-20.02"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"The organization {{ ac-20.2_prm_1 }} the use of\n                  organization-controlled portable storage devices by authorized individuals on\n                  external information systems."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external\n                  information systems include, for example, complete prohibition of the use of such\n                  devices or restrictions on how the devices may be used and under what conditions\n                  the devices may be used."},{"id":"ac-20.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization restricts or prohibits the use of\n                  organization-controlled portable storage devices by authorized individuals on\n                  external information systems. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system connection or processing agreements\\n\\naccount management documents\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting\n                     use of organization-controlled storage devices on external information\n                     systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on use of portable storage\n                     devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","parameters":[{"id":"ac-21_prm_1","label":"organization-defined information sharing circumstances where user discretion is\n               required"},{"id":"ac-21_prm_2","label":"organization-defined automated mechanisms or manual processes"}],"properties":[{"name":"label","value":"AC-21"},{"name":"sort-id","value":"ac-21"}],"parts":[{"id":"ac-21_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-21_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Facilitates information sharing by enabling authorized users to determine whether\n                  access authorizations assigned to the sharing partner match the access\n                  restrictions on the information for {{ ac-21_prm_1 }}; and"},{"id":"ac-21_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs {{ ac-21_prm_2 }} to assist users in making information\n                  sharing/collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"This control applies to information that may be restricted in some manner (e.g.,\n               privileged medical information, contract-sensitive information, proprietary\n               information, personally identifiable information, classified information related to\n               special access programs or compartments) based on some formal or administrative\n               determination. Depending on the particular information-sharing circumstances, sharing\n               partners may be defined at the individual, group, or organizational level.\n               Information may be defined by content, type, security category, or special access\n               program/compartment.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"}]},{"id":"ac-21_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-21.a_obj","name":"objective","properties":[{"name":"label","value":"AC-21(a)"}],"parts":[{"id":"ac-21.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-21(a)[1]"}],"prose":"defines information sharing circumstances where user discretion is\n                     required;"},{"id":"ac-21.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-21(a)[2]"}],"prose":"facilitates information sharing by enabling authorized users to determine\n                     whether access authorizations assigned to the sharing partner match the access\n                     restrictions on the information for organization-defined information sharing\n                     circumstances;"}]},{"id":"ac-21.b_obj","name":"objective","properties":[{"name":"label","value":"AC-21(b)"}],"parts":[{"id":"ac-21.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-21(b)[1]"}],"prose":"defines automated mechanisms or manual processes to be employed to assist users\n                     in making information sharing/collaboration decisions; and"},{"id":"ac-21.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-21(b)[2]"}],"prose":"employs organization-defined automated mechanisms or manual processes to assist\n                     users in making information sharing/collaboration decisions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing user-based collaboration and information sharing (including\n                  restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of users authorized to make information sharing/collaboration decisions\\n\\nlist of information sharing circumstances requiring user discretion\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel responsible for making information sharing/collaboration\n                  decisions\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms or manual process implementing access authorizations\n                  supporting information sharing/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","parameters":[{"id":"ac-22_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least quarterly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible\n                  information system;"},{"id":"ac-22_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included; and"},{"id":"ac-22_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic\n                  information {{ ac-22_prm_1 }} and removes such information, if\n                  discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations,\n               standards, and/or guidance, the general public is not authorized access to nonpublic\n               information (e.g., information protected under the Privacy Act and proprietary\n               information). This control addresses information systems that are controlled by the\n               organization and accessible to the general public, typically without identification\n               or authentication. The posting of information on non-organization information systems\n               is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-13","rel":"related","text":"AU-13"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ac-22.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible\n                  information system;"},{"id":"ac-22.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included;"},{"id":"ac-22.d_obj","name":"objective","properties":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible\n                     information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic\n                     information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system,\n                     if discovered."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing publicly accessible content\\n\\nlist of users authorized to post publicly accessible content on organizational\n                  information systems\\n\\ntraining materials and/or records\\n\\nrecords of publicly accessible information reviews\\n\\nrecords of response to nonpublic information on public websites\\n\\nsystem audit logs\\n\\nsecurity awareness training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible\n                  information posted on organizational information systems\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","parameters":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"at-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and\n                     training policy and associated security awareness and training controls;\n                     and"}]},{"id":"at-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AT\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that\n                        addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training\n                        policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to\n                        organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        security awareness and training policy and associated awareness and training\n                        controls;"},{"id":"at-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness\n                        and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with\n                        the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness\n                        and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","parameters":[{"id":"at-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference","text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system\n               users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and\n               security awareness techniques based on the specific organizational requirements and\n               the information systems to which personnel have authorized access. The content\n               includes a basic understanding of the need for information security and user actions\n               to maintain security and to respond to suspected security incidents. The content also\n               addresses awareness of the need for operations security. Security awareness\n               techniques can include, for example, displaying posters, offering supplies inscribed\n               with security reminders, generating email advisories/notices from senior\n               organizational officials, displaying logon screen messages, and conducting\n               information security awareness events.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) as part of initial training for new\n                  users;"},{"id":"at-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) when required by information system\n                  changes; and"},{"id":"at-2.c_obj","name":"objective","properties":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training\n                     thereafter to information system users (including managers, senior executives,\n                     and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including\n                     managers, senior executives, and contractors) with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nappropriate codes of federal regulations\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel comprising the general information system user\n                  community"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","properties":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"at-02.02"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"The organization includes security awareness training on recognizing and reporting\n                  potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include\n                  behaviors such as inordinate, long-term job dissatisfaction, attempts to gain\n                  access to information not required for job performance, unexplained access to\n                  financial resources, bullying or sexual harassment of fellow employees, workplace\n                  violence, and other serious violations of organizational policies, procedures,\n                  directives, rules, or practices. Security awareness training includes how to\n                  communicate employee and management concerns regarding potential indicators of\n                  insider threat through appropriate organizational channels in accordance with\n                  established organizational policies and procedures.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#pm-12","rel":"related","text":"PM-12"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"at-2.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization includes security awareness training on recognizing\n                  and reporting potential indicators of insider threat. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel that participate in security awareness training\\n\\norganizational personnel with responsibilities for basic security awareness\n                     training\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","parameters":[{"id":"at-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference","text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned\n               security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned\n                  duties;"},{"id":"at-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the\n               assigned roles and responsibilities of individuals and the specific security\n               requirements of organizations and the information systems to which personnel have\n               authorized access. In addition, organizations provide enterprise architects,\n               information system developers, software developers, acquisition/procurement\n               officials, information system managers, system/network administrators, personnel\n               conducting configuration management and auditing activities, personnel performing\n               independent verification and validation activities, security control assessors, and\n               other personnel having access to system-level software, adequate security-related\n               technical training specifically tailored for their assigned duties. Comprehensive\n               role-based training addresses management, operational, and technical roles and\n               responsibilities covering physical, personnel, and technical safeguards and\n               countermeasures. Such training can include for example, policies, procedures, tools,\n               and artifacts for the organizational security roles defined. Organizations also\n               provide the training necessary for individuals to carry out their responsibilities\n               related to operations and supply chain security within the context of organizational\n               information security programs. Role-based security training also applies to\n               contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-4","rel":"related","text":"AT-4"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sa-16","rel":"related","text":"SA-16"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles\n                  and responsibilities before authorizing access to the information system or\n                  performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles\n                  and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","properties":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training\n                     thereafter to personnel with assigned security roles and responsibilities;\n                     and"},{"id":"at-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned\n                     security roles and responsibilities with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\ncodes of federal regulations\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security\n                  training\\n\\norganizational personnel with assigned information system security roles and\n                  responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","parameters":[{"id":"at-4_prm_1","label":"organization-defined time period","constraints":[{"detail":"At least one year"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities\n                  including basic security awareness training and specific information system\n                  security training; and"},{"id":"at-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at\n               the option of the organization.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-14","rel":"related","text":"PM-14"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","properties":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities\n                     including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities\n                     including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","properties":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time\n                     period."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\\n\\nprocedures addressing security training records\\n\\nsecurity awareness and training records\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention\n                  responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","parameters":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"au-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability\n                     policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AU\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that\n                        addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are\n                        to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined\n                        personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        audit and accountability policy and associated audit and accountability\n                        controls;"},{"id":"au-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and\n                        accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the\n                        organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and\n                        accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in\n                        accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","parameters":[{"id":"au-2_prm_1","label":"organization-defined auditable events","constraints":[{"detail":"successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"}]},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined\n               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each\n               identified event","constraints":[{"detail":"organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference","text":"NIST Special Publication 800-92"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following\n                  events: {{ au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information\n                  system: {{ au-2_prm_2 }}."},{"id":"au-2_fr","name":"item","title":"AU-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."}]}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system.\n               Organizations identify audit events as those events which are significant and\n               relevant to the security of information systems and the environments in which those\n               systems operate in order to meet specific and ongoing audit needs. Audit events can\n               include, for example, password changes, failed logons, or failed accesses related to\n               information systems, administrative privilege usage, PIV credential usage, or\n               third-party credential usage. In determining the set of auditable events,\n               organizations consider the auditing appropriate for each of the security controls to\n               be implemented. To balance auditing requirements with other information system needs,\n               this control also requires identifying that subset of auditable events that are\n               audited at a given point in time. For example, organizations may determine that\n               information systems must have the capability to log every file access both successful\n               and unsuccessful, but not activate that capability except for specific circumstances\n               due to the potential burden on system performance. Auditing requirements, including\n               the need for auditable events, may be referenced in other security controls and\n               control enhancements. Organizations also include auditable events that are required\n               by applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards. Audit records can be generated at various levels of abstraction, including\n               at the packet level as information traverses the network. Selecting the appropriate\n               level of abstraction is a critical aspect of an audit capability and can facilitate\n               the identification of root causes to problems. Organizations consider in the\n               definition of auditable events, the auditing necessary to cover related events such\n               as the steps in distributed, transaction-based processes (e.g., processes that are\n               distributed across multiple organizations) and actions that occur in service-oriented\n               architectures.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","properties":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of\n                     auditing;"},{"id":"au-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing\n                     organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","properties":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited\n                     within the information system;"},{"id":"au-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be\n                     audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each\n                     identified event."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system auditable events\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}],"controls":[{"id":"au-2.3","class":"SP800-53-enhancement","title":"Reviews and Updates","parameters":[{"id":"au-2.3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"annually or whenever there is a change in the threat environment"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-2(3)"},{"name":"sort-id","value":"au-02.03"}],"parts":[{"id":"au-2.3_smt","name":"statement","prose":"The organization reviews and updates the audited events {{ au-2.3_prm_1 }}.","parts":[{"id":"au-2.3_fr","name":"item","title":"AU-2 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO."}]}]},{"id":"au-2.3_gdn","name":"guidance","prose":"Over time, the events that organizations believe should be audited may change.\n                  Reviewing and updating the set of audited events periodically is necessary to\n                  ensure that the current set is still necessary and sufficient."},{"id":"au-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-2(3)[1]"}],"prose":"defines the frequency to review and update the audited events; and"},{"id":"au-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-2(3)[2]"}],"prose":"reviews and updates the auditable events with organization-defined\n                     frequency."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\nlist of organization-defined auditable events\\n\\nauditable events review and update records\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting review and update of auditable events"}]}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","properties":[{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that\n               establishes what type of event occurred, when the event occurred, where the event\n               occurred, the source of the event, the outcome of the event, and the identity of any\n               individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this\n               control, includes, for example, time stamps, source and destination addresses,\n               user/process identifiers, event descriptions, success/fail indications, filenames\n               involved, and access control or flow control rules invoked. Event outcomes can\n               include indicators of event success or failure and event-specific results (e.g., the\n               security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-8","rel":"related","text":"AU-8"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#si-11","rel":"related","text":"SI-11"}]},{"id":"au-3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system generates audit records containing information\n               that establishes: ","parts":[{"id":"au-3_obj.1","name":"objective","properties":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","properties":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","properties":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","properties":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","properties":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","properties":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable\n                  events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","parameters":[{"id":"au-3.1_prm_1","label":"organization-defined additional, more detailed information","constraints":[{"detail":"session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon"}]}],"properties":[{"name":"label","value":"AU-3(1)"},{"name":"sort-id","value":"au-03.01"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"The information system generates audit records containing the following additional\n                  information: {{ au-3.1_prm_1 }}.","parts":[{"id":"au-3.1_fr","name":"item","title":"AU-3 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-3.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO."},{"id":"au-3.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry."}]}]},{"id":"au-3.1_gdn","name":"guidance","prose":"Detailed information that organizations may consider in audit records includes,\n                  for example, full text recording of privileged commands or the individual\n                  identities of group account users. Organizations consider limiting the additional\n                  audit information to only that information explicitly needed for specific audit\n                  requirements. This facilitates the use of audit trails and audit logs by not\n                  including information that could potentially be misleading or could make it more\n                  difficult to locate information of interest."},{"id":"au-3.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-3(1)[1]"}],"prose":"the organization defines additional, more detailed information to be contained\n                     in audit records that the information system generates; and"},{"id":"au-3.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-3(1)[2]"}],"prose":"the information system generates audit records containing the\n                     organization-defined additional, more detailed information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","parameters":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"properties":[{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing\n               requirements when allocating audit storage capacity. Allocating sufficient audit\n               storage capacity reduces the likelihood of such capacity being exceeded and resulting\n               in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","properties":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the\n                  organization-defined audit record storage requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit storage capacity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit record storage requirements\\n\\naudit record storage capability for information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","parameters":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system,\n               overwrite oldest audit records, stop generating audit records)","constraints":[{"detail":"organization-defined actions to be taken (overwrite oldest record)"}]}],"properties":[{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Alerts {{ au-5_prm_1 }} in the event of an audit processing\n                  failure; and"},{"id":"au-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software/hardware errors, failures in\n               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n               Organizations may choose to define additional actions for different audit processing\n               failures (e.g., by type, by location, by severity, or a combination of such factors).\n               This control applies to each audit data storage repository (i.e., distinct\n               information system component where audit records are stored), the total audit storage\n               capacity of organizations (i.e., all audit data storage repositories combined), or\n               both.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#si-12","rel":"related","text":"SI-12"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","properties":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of\n                     an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in\n                     the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","properties":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown\n                     information system, overwrite oldest audit records, stop generating audit\n                     records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the\n                     event of an audit processing failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of personnel to be notified in case of an audit processing failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing\n                  failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","parameters":[{"id":"au-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};\n                  and"},{"id":"au-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ au-6_prm_3 }}."},{"id":"au-6_fr","name":"item","title":"AU-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."}]}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing\n               performed by organizations including, for example, auditing that results from\n               monitoring of account usage, remote access, wireless connectivity, mobile device\n               connection, configuration settings, system component inventory, use of maintenance\n               tools and nonlocal maintenance, physical access, temperature and humidity, equipment\n               delivery and removal, communications at the information system boundaries, use of\n               mobile code, and use of VoIP. Findings can be reported to organizational entities\n               that include, for example, incident response team, help desk, information security\n               group/department. If organizations are prohibited from reviewing and analyzing audit\n               information or unable to conduct such activities (e.g., in certain national security\n               applications or systems), the review/analysis may be carried out by other\n               organizations granted such authority.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-10","rel":"related","text":"CM-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#pe-14","rel":"related","text":"PE-14"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-18","rel":"related","text":"SC-18"},{"href":"#sc-19","rel":"related","text":"SC-19"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","properties":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when\n                     information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records\n                     for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of\n                     organization-defined inappropriate or unusual activity with the\n                     organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","properties":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis\n                     of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nreports of audit findings\\n\\nrecords of actions taken in response to reviews/analyses of audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Process Integration","properties":[{"name":"label","value":"AU-6(1)"},{"name":"sort-id","value":"au-06.01"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to integrate audit review, analysis,\n                  and reporting processes to support organizational processes for investigation and\n                  response to suspicious activities."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes benefiting from integrated audit review, analysis, and\n                  reporting include, for example, incident response, continuous monitoring,\n                  contingency planning, and Inspector General audits.","links":[{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#pm-7","rel":"related","text":"PM-7"}]},{"id":"au-6.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"au-6.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-6(1)[1]"}],"prose":"employs automated mechanisms to integrate:","parts":[{"id":"au-6.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-6(1)[1][a]"}],"prose":"audit review;"},{"id":"au-6.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-6(1)[1][b]"}],"prose":"analysis;"},{"id":"au-6.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-6(1)[1][c]"}],"prose":"reporting processes;"}]},{"id":"au-6.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-6(1)[2]"}],"prose":"uses integrated audit review, analysis and reporting processes to support\n                     organizational processes for:","parts":[{"id":"au-6.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-6(1)[2][a]"}],"prose":"investigation of suspicious activities; and"},{"id":"au-6.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-6(1)[2][b]"}],"prose":"response to suspicious activities."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nprocedures addressing investigation and response to suspicious activities\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting\n                     processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Repositories","properties":[{"name":"label","value":"AU-6(3)"},{"name":"sort-id","value":"au-06.03"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"The organization analyzes and correlates audit records across different\n                  repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three tiers\n                  of risk management (i.e., organizational, mission/business process, and\n                  information system) and supports cross-organization awareness.","links":[{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ir-4","rel":"related","text":"IR-4"}]},{"id":"au-6.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization analyzes and correlates audit records across\n                  different repositories to gain organization-wide situational awareness. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records across different repositories\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting analysis and correlation of audit records"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Reduction and Report Generation","properties":[{"name":"label","value":"AU-7"},{"name":"sort-id","value":"au-07"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"The information system provides an audit reduction and report generation capability\n               that:","parts":[{"id":"au-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit review, analysis, and reporting requirements and\n                  after-the-fact investigations of security incidents; and"},{"id":"au-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit reduction is a process that manipulates collected audit information and\n               organizes such information in a summary format that is more meaningful to analysts.\n               Audit reduction and report generation capabilities do not always emanate from the\n               same information system or from the same organizational entities conducting auditing\n               activities. Audit reduction capability can include, for example, modern data mining\n               techniques with advanced data filters to identify anomalous behavior in audit\n               records. The report generation capability provided by the information system can\n               generate customizable reports. Time ordering of audit records can be a significant\n               issue if the granularity of the timestamp in the record is insufficient.","links":[{"href":"#au-6","rel":"related","text":"AU-6"}]},{"id":"au-7_obj","name":"objective","prose":"Determine if the information system provides an audit reduction and report generation\n               capability that supports:","parts":[{"id":"au-7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-7(a)"}],"parts":[{"id":"au-7.a_obj.1","name":"objective","properties":[{"name":"label","value":"AU-7(a)[1]"}],"prose":"on-demand audit review;"},{"id":"au-7.a_obj.2","name":"objective","properties":[{"name":"label","value":"AU-7(a)[2]"}],"prose":"analysis;"},{"id":"au-7.a_obj.3","name":"objective","properties":[{"name":"label","value":"AU-7(a)[3]"}],"prose":"reporting requirements;"},{"id":"au-7.a_obj.4","name":"objective","properties":[{"name":"label","value":"AU-7(a)[4]"}],"prose":"after-the-fact investigations of security incidents; and"}]},{"id":"au-7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-7(b)"}],"prose":"does not alter the original content or time ordering of audit records."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit reduction and report generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit reduction, review, analysis, and reporting tools\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","parameters":[{"id":"au-7.1_prm_1","label":"organization-defined audit fields within audit records"}],"properties":[{"name":"label","value":"AU-7(1)"},{"name":"sort-id","value":"au-07.01"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"The information system provides the capability to process audit records for events\n                  of interest based on {{ au-7.1_prm_1 }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of specific audit record\n                  fields including, for example, identities of individuals, event types, event\n                  locations, event times, event dates, system resources involved, IP addresses\n                  involved, or information objects accessed. Organizations may define audit event\n                  criteria to any degree of granularity required, for example, locations selectable\n                  by general networking location (e.g., by network or subnetwork) or selectable by\n                  specific information system component.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"au-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-7.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-7(1)[1]"}],"prose":"the organization defines audit fields within audit records in order to process\n                     audit records for events of interest; and"},{"id":"au-7.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-7(1)[2]"}],"prose":"the information system provides the capability to process audit records for\n                     events of interest based on the organization-defined audit fields within audit\n                     records."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit reduction and report generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit reduction, review, analysis, and reporting tools\\n\\naudit record criteria (fields) establishing events of interest\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","parameters":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"properties":[{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal\n                  Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is\n               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of\n               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time\n               measurements refers to the degree of synchronization between information system\n               clocks and reference clocks, for example, clocks synchronizing within hundreds of\n               milliseconds or within tens of milliseconds. Organizations may define different time\n               granularities for different system components. Time service can also be critical to\n               other security capabilities such as access control and identification and\n               authentication, depending on the nature of the mechanisms used to support those\n               capabilities.","links":[{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-12","rel":"related","text":"AU-12"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for\n                  audit records;"},{"id":"au-8.b_obj","name":"objective","properties":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped\n                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when\n                     recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the\n                     organization-defined granularity of time measurement."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","parameters":[{"id":"au-8.1_prm_1","label":"organization-defined frequency","constraints":[{"detail":"At least hourly"}]},{"id":"au-8.1_prm_2","label":"organization-defined authoritative time source","constraints":[{"detail":"http://tf.nist.gov/tf-cgi/servers.cgi"}]},{"id":"au-8.1_prm_3","label":"organization-defined time period"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-8(1)"},{"name":"sort-id","value":"au-08.01"}],"parts":[{"id":"au-8.1_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Compares the internal information system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and"},{"id":"au-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Synchronizes the internal system clocks to the authoritative time source when\n                     the time difference is greater than {{ au-8.1_prm_3 }}."},{"id":"au-8.1_fr","name":"item","title":"AU-8 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-8.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server."},{"id":"au-8.1_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server."},{"id":"au-8.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Synchronization of system clocks improves the accuracy of log analysis."}]}]},{"id":"au-8.1_gdn","name":"guidance","prose":"This control enhancement provides uniformity of time stamps for information\n                  systems with multiple system clocks and systems connected over a network."},{"id":"au-8.1_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"au-8.1.a_obj","name":"objective","properties":[{"name":"label","value":"AU-8(1)(a)"}],"parts":[{"id":"au-8.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(1)(a)[1]"}],"prose":"the organization defines the authoritative time source to which internal\n                        information system clocks are to be compared;"},{"id":"au-8.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(1)(a)[2]"}],"prose":"the organization defines the frequency to compare the internal information\n                        system clocks with the organization-defined authoritative time source;\n                        and"},{"id":"au-8.1.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(1)(a)[3]"}],"prose":"the information system compares the internal information system clocks with\n                        the organization-defined authoritative time source with organization-defined\n                        frequency; and"}],"links":[{"href":"#au-8.1_smt.a","rel":"corresp","text":"AU-8(1)(a)"}]},{"id":"au-8.1.b_obj","name":"objective","properties":[{"name":"label","value":"AU-8(1)(b)"}],"parts":[{"id":"au-8.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-8(1)(b)[1]"}],"prose":"the organization defines the time period that, if exceeded by the time\n                        difference between the internal system clocks and the authoritative time\n                        source, will result in the internal system clocks being synchronized to the\n                        authoritative time source; and"},{"id":"au-8.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-8(1)(b)[2]"}],"prose":"the information system synchronizes the internal information system clocks\n                        to the authoritative time source when the time difference is greater than\n                        the organization-defined time period."}],"links":[{"href":"#au-8.1_smt.b","rel":"corresp","text":"AU-8(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing internal information system clock\n                     synchronization"}]}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","properties":[{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized\n               access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and\n               audit reports) needed to successfully audit information system activity. This control\n               focuses on technical protection of audit information. Physical protection of audit\n               information is addressed by media protection controls and physical and environmental\n               protection controls.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-6","rel":"related","text":"PE-6"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"au-9_obj.1","name":"objective","properties":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","properties":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","properties":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","properties":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","properties":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","properties":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                  information system audit records\\n\\naudit tools\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.2","class":"SP800-53-enhancement","title":"Audit Backup On Separate Physical Systems / Components","parameters":[{"id":"au-9.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-9(2)"},{"name":"sort-id","value":"au-09.02"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"The information system backs up audit records {{ au-9.2_prm_1 }}\n                  onto a physically different system or system component than the system or\n                  component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"This control enhancement helps to ensure that a compromise of the information\n                  system being audited does not also result in a compromise of the audit\n                  records.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"}]},{"id":"au-9.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-9(2)[1]"}],"prose":"the organization defines the frequency to back up audit records onto a\n                     physically different system or system component than the system or component\n                     being audited; and"},{"id":"au-9.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-9(2)[2]"}],"prose":"the information system backs up audit records with the organization-defined\n                     frequency, onto a physically different system or system component than the\n                     system or component being audited."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation, system\n                     or media storing backups of information system audit records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing the backing up of audit records"}]}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","parameters":[{"id":"au-9.4_prm_1","label":"organization-defined subset of privileged users"}],"properties":[{"name":"label","value":"AU-9(4)"},{"name":"sort-id","value":"au-09.04"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"The organization authorizes access to management of audit functionality to only\n                     {{ au-9.4_prm_1 }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals with privileged access to an information system and who are also the\n                  subject of an audit by that system, may affect the reliability of audit\n                  information by inhibiting audit activities or modifying audit records. This\n                  control enhancement requires that privileged access be further defined between\n                  audit-related privileges and other privileges, thus limiting the users with\n                  audit-related privileges.","links":[{"href":"#ac-5","rel":"related","text":"AC-5"}]},{"id":"au-9.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-9.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-9(4)[1]"}],"prose":"defines a subset of privileged users to be authorized access to management of\n                     audit functionality; and"},{"id":"au-9.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-9(4)[2]"}],"prose":"authorizes access to management of audit functionality to only the\n                     organization-defined subset of privileged users."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                     system-generated list of privileged users with access to management of audit\n                     functionality\\n\\naccess authorizations\\n\\naccess control list\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing access to audit functionality"}]}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","parameters":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy","constraints":[{"detail":"at least ninety days"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ au-11_prm_1 }} to\n               provide support for after-the-fact investigations of security incidents and to meet\n               regulatory and organizational information retention requirements.","parts":[{"id":"au-11_fr","name":"item","title":"AU-11 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-11_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."}]}]},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer\n               needed for administrative, legal, audit, or other operational purposes. This\n               includes, for example, retention and availability of audit records relative to\n               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.\n               Organizations develop standard categories of audit records relative to such types of\n               actions and standard response processes for each type of action. The National\n               Archives and Records Administration (NARA) General Records Schedules provide federal\n               policy on record retention.","links":[{"href":"#au-4","rel":"related","text":"AU-4"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#mp-6","rel":"related","text":"MP-6"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","properties":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records\n                  retention policy;"},{"id":"au-11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with\n                  records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","properties":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents;\n                     and"},{"id":"au-11_obj.2.b","name":"objective","properties":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\naudit record retention policy and procedures\\n\\nsecurity plan\\n\\norganization-defined retention period for audit records\\n\\naudit record archives\\n\\naudit logs\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","parameters":[{"id":"au-12_prm_1","label":"organization-defined information system components","constraints":[{"detail":"all information system and network components where audit capability is deployed/available"}]},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in\n                  AU-2 a. at {{ au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allows {{ au-12_prm_2 }} to select which auditable events are to be\n                  audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined\n                  in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The\n               list of audited events is the set of events for which audits are to be generated.\n               These events are typically a subset of all events for which the information system is\n               capable of generating audit records.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","properties":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide\n                     audit record generation capability for the auditable events defined in\n                     AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the\n                     auditable events defined in AU-2a, at organization-defined information system\n                     components;"}]},{"id":"au-12.b_obj","name":"objective","properties":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which\n                     auditable events are to be audited by specific components of the information\n                     system;"},{"id":"au-12.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to\n                     select which auditable events are to be audited by specific components of the\n                     system; and"}]},{"id":"au-12.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d\n                  with the content in defined in AU-3."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","parameters":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ca-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and\n                     authorization policy and associated security assessment and authorization\n                     controls; and"}]},{"id":"ca-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ ca-1_prm_2 }};\n                     and"},{"id":"ca-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that\n                        addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization\n                        policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to\n                        organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        security assessment and authorization policy and associated assessment and\n                        authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment\n                        and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy\n                        with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment\n                        and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","parameters":[{"id":"ca-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles","constraints":[{"detail":"individuals or roles to include FedRAMP PMO"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment\n                  including:","parts":[{"id":"ca-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness;\n                     and"},{"id":"ca-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and\n                     responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of\n                  operation {{ ca-2_prm_1 }} to determine the extent to which the\n                  controls are implemented correctly, operating as intended, and producing the\n                  desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the\n                  assessment; and"},{"id":"ca-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ ca-2_prm_2 }}."},{"id":"ca-2_fr","name":"item","title":"CA-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the\n               environments in which those systems operate as part of: (i) initial and ongoing\n               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;\n               and (iv) system development life cycle activities. Security assessments: (i) ensure\n               that information security is built into organizational information systems; (ii)\n               identify weaknesses and deficiencies early in the development process; (iii) provide\n               essential information needed to make risk-based decisions as part of security\n               authorization processes; and (iv) ensure compliance to vulnerability mitigation\n               procedures. Assessments are conducted on the implemented security controls from\n               Appendix F (main catalog) and Appendix G (Program Management controls) as documented\n               in System Security Plans and Information Security Program Plans. Organizations can\n               use other types of assessment activities such as vulnerability scanning and system\n               monitoring to maintain the security posture of information systems during the entire\n               life cycle. Security assessment reports document assessment results in sufficient\n               detail as deemed necessary by organizations, to determine the accuracy and\n               completeness of the reports and whether the security controls are implemented\n               correctly, operating as intended, and producing the desired outcome with respect to\n               meeting security requirements. The FISMA requirement for assessing security controls\n               at least annually does not require additional assessment activities to those\n               activities already in place in organizational security authorization processes.\n               Security assessment results are provided to the individuals or roles appropriate for\n               the types of assessments being conducted. For example, assessments conducted in\n               support of security authorization decisions are provided to authorizing officials or\n               authorizing official designated representatives. To satisfy annual assessment\n               requirements, organizations can use assessment results from the following sources:\n               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;\n               or (iii) system development life cycle activities. Organizations ensure that security\n               assessment results are current, relevant to the determination of security control\n               effectiveness, and obtained with the appropriate level of assessor independence.\n               Existing security control assessment results can be reused to the extent that the\n               results are still valid and can also be supplemented with additional assessments as\n               needed. Subsequent to initial authorizations and in accordance with OMB policy,\n               organizations assess security controls during continuous monitoring. Organizations\n               establish the frequency for ongoing security control assessments in accordance with\n               organizational continuous monitoring strategies. Information Assurance Vulnerability\n               Alerts provide useful examples of vulnerability mitigation procedures. External\n               audits (e.g., audits by external entities such as regulatory agencies) are outside\n               the scope of this control.","links":[{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment\n                  including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control\n                     effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","properties":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","properties":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system\n                     and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the\n                     organization-defined frequency to determine the extent to which the controls\n                     are implemented correctly, operating as intended, and producing the desired\n                     outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the\n                  assessment;"},{"id":"ca-2.d_obj","name":"objective","properties":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control\n                     assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined\n                     individuals or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessment planning\\n\\nprocedures addressing security assessments\\n\\nsecurity assessment plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan\n                  development, and/or security assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","parameters":[{"id":"ca-2.1_prm_1","label":"organization-defined level of independence"}],"properties":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"ca-02.01"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.","parts":[{"id":"ca-2.1_fr","name":"item","title":"CA-2 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."}]}]},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct\n                  impartial assessments of organizational information systems. Impartiality implies\n                  that assessors are free from any perceived or actual conflicts of interest with\n                  regard to the development, operation, or management of the organizational\n                  information systems under assessment or to the determination of security control\n                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual\n                  or conflicting interest with the organizations where the assessments are being\n                  conducted; (ii) assess their own work; (iii) act as management or employees of the\n                  organizations they are serving; or (iv) place themselves in positions of advocacy\n                  for the organizations acquiring their services. Independent assessments can be\n                  obtained from elements within organizations or can be contracted to public or\n                  private sector entities outside of organizations. Authorizing officials determine\n                  the required level of independence based on the security categories of information\n                  systems and/or the ultimate risk to organizational operations, organizational\n                  assets, or individuals. Authorizing officials also determine if the level of\n                  assessor independence provides sufficient assurance that the results are sound and\n                  can be used to make credible, risk-based decisions. This includes determining\n                  whether contracted security assessment services have sufficient independence, for\n                  example, when information system owners are not directly involved in contracting\n                  processes or cannot unduly influence the impartiality of assessors conducting\n                  assessments. In special situations, for example, when organizations that own the\n                  information systems are small or organizational structures require that\n                  assessments are conducted by individuals that are in the developmental,\n                  operational, or management chain of system owners, independence in assessment\n                  processes can be achieved by ensuring that assessment results are carefully\n                  reviewed and analyzed by independent teams of experts to validate the\n                  completeness, accuracy, integrity, and reliability of the results. Organizations\n                  recognize that assessments performed for purposes other than direct support to\n                  authorization decisions are, when performed by assessors with sufficient\n                  independence, more likely to be useable for such decisions, thereby reducing the\n                  need to repeat assessments."},{"id":"ca-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(1)[1]"}],"prose":"defines the level of independence to be employed to conduct security control\n                     assessments; and"},{"id":"ca-2.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-2(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of\n                     independence to conduct security control assessments."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity authorization package (including security plan, security assessment\n                     plan, security assessment report, plan of action and milestones, authorization\n                     statement)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","parameters":[{"id":"ca-2.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-2.2_prm_2"},{"id":"ca-2.2_prm_3"},{"id":"ca-2.2_prm_4","depends-on":"ca-2.2_prm_3","label":"organization-defined other forms of security assessment"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-2(2)"},{"name":"sort-id","value":"ca-02.02"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"The organization includes as part of security control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}.","parts":[{"id":"ca-2.2_fr","name":"item","title":"CA-2 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"To include 'announced', 'vulnerability scanning'"}]}]},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can employ information system monitoring, insider threat\n                  assessments, malicious user testing, and other forms of testing (e.g.,\n                  verification and validation) to improve readiness by exercising organizational\n                  capabilities and indicating current performance levels as a means of focusing\n                  actions to improve security. Organizations conduct assessment activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  regulations, and standards. Authorizing officials approve the assessment methods\n                  in coordination with the organizational risk executive function. Organizations can\n                  incorporate vulnerabilities uncovered during assessments into vulnerability\n                  remediation processes.","links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ca-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(2)[1]"}],"prose":"selects one or more of the following forms of specialized security assessment\n                     to be included as part of security control assessments:","parts":[{"id":"ca-2.2_obj.1.a","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][a]"}],"prose":"in-depth monitoring;"},{"id":"ca-2.2_obj.1.b","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][b]"}],"prose":"vulnerability scanning;"},{"id":"ca-2.2_obj.1.c","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][c]"}],"prose":"malicious user testing;"},{"id":"ca-2.2_obj.1.d","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][d]"}],"prose":"insider threat assessment;"},{"id":"ca-2.2_obj.1.e","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][e]"}],"prose":"performance/load testing; and/or"},{"id":"ca-2.2_obj.1.f","name":"objective","properties":[{"name":"label","value":"CA-2(2)[1][f]"}],"prose":"other forms of organization-defined specialized security assessment;"}]},{"id":"ca-2.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(2)[2]"}],"prose":"defines the frequency for conducting the selected form(s) of specialized\n                     security assessment;"},{"id":"ca-2.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(2)[3]"}],"prose":"defines whether the specialized security assessment will be announced or\n                     unannounced; and"},{"id":"ca-2.2_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-2(2)[4]"}],"prose":"conducts announced or unannounced organization-defined forms of specialized\n                     security assessments with the organization-defined frequency as part of\n                     security control assessments."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security control assessment"}]}]},{"id":"ca-2.3","class":"SP800-53-enhancement","title":"External Organizations","parameters":[{"id":"ca-2.3_prm_1","label":"organization-defined information system","constraints":[{"detail":"any FedRAMP Accredited 3PAO"}]},{"id":"ca-2.3_prm_2","label":"organization-defined external organization","constraints":[{"detail":"any FedRAMP Accredited 3PAO"}]},{"id":"ca-2.3_prm_3","label":"organization-defined requirements","constraints":[{"detail":"the conditions of the JAB/AO in the FedRAMP Repository"}]}],"properties":[{"name":"label","value":"CA-2(3)"},{"name":"sort-id","value":"ca-02.03"}],"parts":[{"id":"ca-2.3_smt","name":"statement","prose":"The organization accepts the results of an assessment of {{ ca-2.3_prm_1 }} performed by {{ ca-2.3_prm_2 }} when\n                  the assessment meets {{ ca-2.3_prm_3 }}."},{"id":"ca-2.3_gdn","name":"guidance","prose":"Organizations may often rely on assessments of specific information systems by\n                  other (external) organizations. Utilizing such existing assessments (i.e., reusing\n                  existing assessment evidence) can significantly decrease the time and resources\n                  required for organizational assessments by limiting the amount of independent\n                  assessment activities that organizations need to perform. The factors that\n                  organizations may consider in determining whether to accept assessment results\n                  from external organizations can vary. Determinations for accepting assessment\n                  results can be based on, for example, past assessment experiences one organization\n                  has had with another organization, the reputation that organizations have with\n                  regard to assessments, the level of detail of supporting assessment documentation\n                  provided, or mandates imposed upon organizations by federal legislation, policies,\n                  or directives."},{"id":"ca-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(3)[1]"}],"prose":"defines an information system for which the results of a security assessment\n                     performed by an external organization are to be accepted;"},{"id":"ca-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(3)[2]"}],"prose":"defines an external organization from which to accept a security assessment\n                     performed on an organization-defined information system;"},{"id":"ca-2.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-2(3)[3]"}],"prose":"defines the requirements to be met by a security assessment performed by\n                     organization-defined external organization on organization-defined information\n                     system; and"},{"id":"ca-2.3_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-2(3)[4]"}],"prose":"accepts the results of an assessment of an organization-defined information\n                     system performed by an organization-defined external organization when the\n                     assessment meets organization-defined requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity plan\\n\\nsecurity assessment requirements\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel performing security assessments for the specified external\n                     organization"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","parameters":[{"id":"ca-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually and on input from FedRAMP"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference","text":"NIST Special Publication 800-47"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security\n                  requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e.,\n               system interconnections) and does not apply to transitory, user-controlled\n               connections such as email and website browsing. Organizations carefully consider the\n               risks that may be introduced when information systems are connected to other systems\n               with different security requirements and security controls, both within organizations\n               and external to organizations. Authorizing officials determine the risk associated\n               with information system connections and the appropriate controls employed. If\n               interconnecting systems have the same authorizing official, organizations do not need\n               to develop Interconnection Security Agreements. Instead, organizations can describe\n               the interface characteristics between those interconnecting systems in their\n               respective security plans. If interconnecting systems have different authorizing\n               officials within the same organization, organizations can either develop\n               Interconnection Security Agreements or describe the interface characteristics between\n               systems in the security plans for the respective systems. Organizations may also\n               incorporate Interconnection Security Agreement information into formal contracts,\n               especially for interconnections established between federal agencies and nonfederal\n               (i.e., private sector) organizations. Risk considerations also include information\n               systems sharing the same networks. For certain technologies (e.g., space, unmanned\n               aerial vehicles, and medical devices), there may be specialized connections in place\n               during preoperational testing. Such connections may require Interconnection Security\n               Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-16","rel":"related","text":"AU-16"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","properties":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements;\n                     and"},{"id":"ca-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the\n                     organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system Interconnection Security Agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or\n                  approving information system interconnection agreements\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing the system(s) to which the Interconnection Security Agreement\n                  applies"}]}],"controls":[{"id":"ca-3.3","class":"SP800-53-enhancement","title":"Unclassified Non-national Security System Connections","parameters":[{"id":"ca-3.3_prm_1","label":"organization-defined unclassified, non-national security system"},{"id":"ca-3.3_prm_2","label":"Assignment; organization-defined boundary protection device","constraints":[{"detail":"Boundary Protections which meet the Trusted Internet Connection (TIC) requirements"}]}],"properties":[{"name":"label","value":"CA-3(3)"},{"name":"sort-id","value":"ca-03.03"}],"parts":[{"id":"ca-3.3_smt","name":"statement","prose":"The organization prohibits the direct connection of an {{ ca-3.3_prm_1 }} to an external network without the use of {{ ca-3.3_prm_2 }}.","parts":[{"id":"ca-3.3_fr","name":"item","title":"CA-3 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-3.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document."}]}]},{"id":"ca-3.3_gdn","name":"guidance","prose":"Organizations typically do not have control over external networks (e.g., the\n                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate\n                  communications (i.e., information flows) between unclassified non-national\n                  security systems and external networks. This control enhancement is required for\n                  organizations processing, storing, or transmitting Controlled Unclassified\n                  Information (CUI)."},{"id":"ca-3.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-3(3)[1]"}],"prose":"defines an unclassified, non-national security system whose direct connection\n                     to an external network is to be prohibited without the use of approved boundary\n                     protection device;"},{"id":"ca-3.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(3)[2]"}],"prose":"defines a boundary protection device to be used to establish the direct\n                     connection of an organization-defined unclassified, non-national security\n                     system to an external network; and"},{"id":"ca-3.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-3(3)[3]"}],"prose":"prohibits the direct connection of an organization-defined unclassified,\n                     non-national security system to an external network without the use of an\n                     organization-defined boundary protection device."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system interconnection security agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for managing direct connections to\n                     external networks\\n\\nnetwork administrators\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing directly connected external networks"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting the management of external network\n                     connections"}]}]},{"id":"ca-3.5","class":"SP800-53-enhancement","title":"Restrictions On External System Connections","parameters":[{"id":"ca-3.5_prm_1"},{"id":"ca-3.5_prm_2","label":"organization-defined information systems"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-3(5)"},{"name":"sort-id","value":"ca-03.05"}],"parts":[{"id":"ca-3.5_smt","name":"statement","prose":"The organization employs {{ ca-3.5_prm_1 }} policy for allowing\n                     {{ ca-3.5_prm_2 }} to connect to external information\n                  systems.","parts":[{"id":"ca-3.5_fr","name":"item","title":"CA-3 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-3.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing"}]}]},{"id":"ca-3.5_gdn","name":"guidance","prose":"Organizations can constrain information system connectivity to external domains\n                  (e.g., websites) by employing one of two policies with regard to such\n                  connectivity: (i) allow-all, deny by exception, also known as blacklisting (the\n                  weaker of the two policies); or (ii) deny-all, allow by exception, also known as\n                  whitelisting (the stronger of the two policies). For either policy, organizations\n                  determine what exceptions, if any, are acceptable.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"}]},{"id":"ca-3.5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ca-3.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-3(5)[1]"}],"prose":"defines information systems to be allowed to connect to external information\n                     systems;"},{"id":"ca-3.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-3(5)[2]"}],"prose":"employs one of the following policies for allowing organization-defined\n                     information systems to connect to external information systems:","parts":[{"id":"ca-3.5_obj.2.a","name":"objective","properties":[{"name":"label","value":"CA-3(5)[2][a]"}],"prose":"allow-all policy;"},{"id":"ca-3.5_obj.2.b","name":"objective","properties":[{"name":"label","value":"CA-3(5)[2][b]"}],"prose":"deny-by-exception policy;"},{"id":"ca-3.5_obj.2.c","name":"objective","properties":[{"name":"label","value":"CA-3(5)[2][c]"}],"prose":"deny-all policy; or"},{"id":"ca-3.5_obj.2.d","name":"objective","properties":[{"name":"label","value":"CA-3(5)[2][d]"}],"prose":"permit-by-exception policy."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system interconnection agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for managing connections to\n                     external information systems\\n\\nnetwork administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on external system\n                     connections"}]}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","parameters":[{"id":"ca-5_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference","text":"OMB Memorandum 02-01"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document\n                  the organization’s planned remedial actions to correct weaknesses or deficiencies\n                  noted during the assessment of the security controls and to reduce or eliminate\n                  known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ ca-5_prm_1 }}\n                  based on the findings from security controls assessments, security impact\n                  analyses, and continuous monitoring activities."},{"id":"ca-5_fr","name":"item","title":"CA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Plan of Action & Milestones (POA&M) must be provided at least monthly."},{"id":"ca-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages\n               and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#pm-4","rel":"related","text":"PM-4"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or\n                     deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","properties":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the\n                     organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing plan of action and milestones\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and\n                  implementation responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action\n                  and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","parameters":[{"id":"ca-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]}],"properties":[{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference","text":"OMB Circular A-130"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference","text":"OMB Memorandum 11-33"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"},{"id":"ca-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ ca-6_prm_1 }}."},{"id":"ca-6_fr","name":"item","title":"CA-6(c) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."}]}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through\n               authorization decision documents, by senior organizational officials or executives\n               (i.e., authorizing officials) to authorize operation of information systems and to\n               explicitly accept the risk to organizational operations and assets, individuals,\n               other organizations, and the Nation based on the implementation of agreed-upon\n               security controls. Authorizing officials provide budgetary oversight for\n               organizational information systems or assume responsibility for the mission/business\n               operations supported by those systems. The security authorization process is an\n               inherently federal responsibility and therefore, authorizing officials must be\n               federal employees. Through the security authorization process, authorizing officials\n               assume responsibility and are accountable for security risks associated with the\n               operation and use of organizational information systems. Accordingly, authorizing\n               officials are in positions with levels of authority commensurate with understanding\n               and accepting such information security-related risks. OMB policy requires that\n               organizations conduct ongoing authorizations of information systems by implementing\n               continuous monitoring programs. Continuous monitoring programs can satisfy three-year\n               reauthorization requirements, so separate reauthorization processes are not\n               necessary. Through the employment of comprehensive continuous monitoring processes,\n               critical information contained in authorization packages (i.e., security plans,\n               security assessment reports, and plans of action and milestones) is updated on an\n               ongoing basis, providing authorizing officials and information system owners with an\n               up-to-date status of the security state of organizational information systems and\n               environments of operation. To reduce the administrative cost of security\n               reauthorization, authorizing officials use the results of continuous monitoring\n               processes to the maximum extent possible as the basis for rendering reauthorization\n               decisions.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-10","rel":"related","text":"PM-10"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"},{"id":"ca-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","properties":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing security authorization\\n\\nsecurity authorization package (including security plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\nauthorization statement)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","parameters":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles","constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},{"id":"ca-7_prm_5","label":"organization-defined frequency","constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference","text":"OMB Memorandum 11-33"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference","text":"US-CERT Technical Cyber Security Alerts"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference","text":"DoD Information Assurance Vulnerability Alerts"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a\n               continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishment of {{ ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational\n                  continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance\n                  with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments\n                  and monitoring;"},{"id":"ca-7_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related\n                  information; and"},{"id":"ca-7_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to\n                     {{ ca-7_prm_4 }}\n                  {{ ca-7_prm_5 }}."},{"id":"ca-7_fr","name":"item","title":"CA-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."},{"id":"ca-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats,\n               vulnerabilities, and information security to support organizational risk management\n               decisions. The terms continuous and ongoing imply that organizations assess/analyze\n               security controls and information security-related risks at a frequency sufficient to\n               support organizational risk-based decisions. The results of continuous monitoring\n               programs generate appropriate risk response actions by organizations. Continuous\n               monitoring programs also allow organizations to maintain the security authorizations\n               of information systems and common controls over time in highly dynamic environments\n               of operation with changing mission/business needs, threats, vulnerabilities, and\n               technologies. Having access to security-related information on a continuing basis\n               through reports/dashboards gives organizational officials the capability to make more\n               effective and timely risk management decisions, including ongoing security\n               authorization decisions. Automation supports more frequent updates to security\n               authorization packages, hardware/software/firmware inventories, and other system\n               information. Effectiveness is further enhanced when continuous monitoring outputs are\n               formatted to provide information that is specific, measurable, actionable, relevant,\n               and timely. Continuous monitoring activities are scaled in accordance with the\n               security categories of information systems.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-5","rel":"related","text":"CA-5"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#pm-6","rel":"related","text":"PM-6"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ca-7.a_obj","name":"objective","properties":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be\n                     monitored;"},{"id":"ca-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of\n                     organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of\n                     organization-defined metrics in accordance with the organizational continuous\n                     monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","properties":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for\n                     monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     such monitoring in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.c_obj","name":"objective","properties":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security\n                     control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security\n                     control assessments in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.d_obj","name":"objective","properties":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status\n                     monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security\n                     status monitoring of organization-defined metrics in accordance with the\n                     organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","properties":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring in accordance with the organizational continuous monitoring\n                     strategy;"}]},{"id":"ca-7.f_obj","name":"objective","properties":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to\n                     address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to\n                     address results of the analysis of security-related information in accordance\n                     with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","properties":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles\n                     to whom the security status of the organization and information system are to\n                     be reported;"},{"id":"ca-7.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report\n                     the security status of the organization and information system to\n                     organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security\n                     status of the organization or information system to organizational-defined\n                     personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security\n                     status of the organization and information system to organization-defined\n                     personnel or roles with the organization-defined frequency in accordance with\n                     the organizational continuous monitoring strategy."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                  controls\\n\\nprocedures addressing configuration management\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nconfiguration management records, security impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","parameters":[{"id":"ca-7.1_prm_1","label":"organization-defined level of independence"}],"properties":[{"name":"label","value":"CA-7(1)"},{"name":"sort-id","value":"ca-07.01"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ ca-7.1_prm_1 }} to monitor the security controls in the information\n                  system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations can maximize the value of assessments of security controls during\n                  the continuous monitoring process by requiring that such assessments be conducted\n                  by assessors or assessment teams with appropriate levels of independence based on\n                  continuous monitoring strategies. Assessor independence provides a degree of\n                  impartiality to the monitoring process. To achieve such impartiality, assessors\n                  should not: (i) create a mutual or conflicting interest with the organizations\n                  where the assessments are being conducted; (ii) assess their own work; (iii) act\n                  as management or employees of the organizations they are serving; or (iv) place\n                  themselves in advocacy positions for the organizations acquiring their\n                  services."},{"id":"ca-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-7(1)[1]"}],"prose":"defines a level of independence to be employed to monitor the security controls\n                     in the information system on an ongoing basis; and"},{"id":"ca-7.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-7(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of\n                     independence to monitor the security controls in the information system on an\n                     ongoing basis."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                     controls\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nsecurity impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","parameters":[{"id":"ca-8_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ca-8_prm_2","label":"organization-defined information systems or system components"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-8"},{"name":"sort-id","value":"ca-08"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"The organization conducts penetration testing {{ ca-8_prm_1 }} on\n                  {{ ca-8_prm_2 }}.","parts":[{"id":"ca-8_fr","name":"item","title":"CA-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)\n                  "}]}]},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on information\n               systems or individual system components to identify vulnerabilities that could be\n               exploited by adversaries. Such testing can be used to either validate vulnerabilities\n               or determine the degree of resistance organizational information systems have to\n               adversaries within a set of specified constraints (e.g., time, resources, and/or\n               skills). Penetration testing attempts to duplicate the actions of adversaries in\n               carrying out hostile cyber attacks against organizations and provides a more in-depth\n               analysis of security-related weaknesses/deficiencies. Organizations can also use the\n               results of vulnerability analyses to support penetration testing activities.\n               Penetration testing can be conducted on the hardware, software, or firmware\n               components of an information system and can exercise both physical and technical\n               security controls. A standard method for penetration testing includes, for example:\n               (i) pretest analysis based on full knowledge of the target system; (ii) pretest\n               identification of potential vulnerabilities based on pretest analysis; and (iii)\n               testing designed to determine exploitability of identified vulnerabilities. All\n               parties agree to the rules of engagement before the commencement of penetration\n               testing scenarios. Organizations correlate the penetration testing rules of\n               engagement with the tools, techniques, and procedures that are anticipated to be\n               employed by adversaries carrying out attacks. Organizational risk assessments guide\n               decisions on the level of independence required for personnel conducting penetration\n               testing.","links":[{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"ca-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-8_obj.1","name":"objective","properties":[{"name":"label","value":"CA-8[1]"}],"prose":"defines information systems or system components on which penetration testing is\n                  to be conducted;"},{"id":"ca-8_obj.2","name":"objective","properties":[{"name":"label","value":"CA-8[2]"}],"prose":"defines the frequency to conduct penetration testing on organization-defined\n                  information systems or system components; and"},{"id":"ca-8_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CA-8[3]"}],"prose":"conducts penetration testing on organization-defined information systems or system\n                  components with the organization-defined frequency."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing penetration testing\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\npenetration test report\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities,\n                  system/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting penetration testing"}]}],"controls":[{"id":"ca-8.1","class":"SP800-53-enhancement","title":"Independent Penetration Agent or Team","properties":[{"name":"label","value":"CA-8(1)"},{"name":"sort-id","value":"ca-08.01"}],"parts":[{"id":"ca-8.1_smt","name":"statement","prose":"The organization employs an independent penetration agent or penetration team to\n                  perform penetration testing on the information system or system components."},{"id":"ca-8.1_gdn","name":"guidance","prose":"Independent penetration agents or teams are individuals or groups who conduct\n                  impartial penetration testing of organizational information systems. Impartiality\n                  implies that penetration agents or teams are free from any perceived or actual\n                  conflicts of interest with regard to the development, operation, or management of\n                  the information systems that are the targets of the penetration testing.\n                  Supplemental guidance for CA-2 (1) provides additional information regarding\n                  independent assessments that can be applied to penetration testing.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"}]},{"id":"ca-8.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization employs an independent penetration agent or\n                  penetration team to perform penetration testing on the information system or\n                  system components. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\\n\\nprocedures addressing penetration testing\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\npenetration test report\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","parameters":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of\n               components"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ ca-9_prm_1 }} to the\n                  information system; and"},{"id":"ca-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security\n                  requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and\n               (separate) constituent system components (i.e., intra-system connections) including,\n               for example, system connections with mobile devices, notebook/desktop computers,\n               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of\n               authorizing each individual internal connection, organizations can authorize internal\n               connections for a class of components with common characteristics and/or\n               configurations, for example, all digital printers, scanners, and copiers with a\n               specified processing, storage, and transmission capability or all smart phones with a\n               specific baseline configuration.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","properties":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized\n                     as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system\n                     components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","properties":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of components or classes of components authorized as internal system\n                  connections\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or\n                  authorizing internal system connections\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","parameters":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"cm-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management\n                     policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CM\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to\n                        be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined\n                        personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        configuration management policy and associated configuration management\n                        controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration\n                        management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the\n                        organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration\n                        management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","properties":[{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a\n               current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system\n               components including communications and connectivity-related aspects of systems.\n               Baseline configurations are documented, formally reviewed and agreed-upon sets of\n               specifications for information systems or configuration items within those systems.\n               Baseline configurations serve as a basis for future builds, releases, and/or changes\n               to information systems. Baseline configurations include information about information\n               system components (e.g., standard software packages installed on workstations,\n               notebook computers, servers, network components, or mobile devices; current version\n               numbers and patch information on operating systems and applications; and\n               configuration settings/parameters), network topology, and the logical placement of\n               those components within the system architecture. Maintaining baseline configurations\n               requires creating new baselines as organizational information systems change over\n               time. Baseline configurations of information systems reflect the current enterprise\n               architecture.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#pm-7","rel":"related","text":"PM-7"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system;\n                  and"},{"id":"cm-2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the\n                  information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\nenterprise architecture documentation\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting configuration control of the baseline\n                  configuration"}]}],"controls":[{"id":"cm-2.1","class":"SP800-53-enhancement","title":"Reviews and Updates","parameters":[{"id":"cm-2.1_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually or when a significant change occurs"}]},{"id":"cm-2.1_prm_2","label":"Assignment organization-defined circumstances","constraints":[{"detail":"to include when directed by the JAB"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-2(1)"},{"name":"sort-id","value":"cm-02.01"}],"parts":[{"id":"cm-2.1_smt","name":"statement","prose":"The organization reviews and updates the baseline configuration of the information\n                  system:","parts":[{"id":"cm-2.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"\n                     {{ cm-2.1_prm_1 }};"},{"id":"cm-2.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"When required due to {{ cm-2.1_prm_2 }}; and"},{"id":"cm-2.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"As an integral part of information system component installations and\n                     upgrades."}]},{"id":"cm-2.1_gdn","name":"guidance","links":[{"href":"#cm-5","rel":"related","text":"CM-5"}]},{"id":"cm-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.1.a_obj","name":"objective","properties":[{"name":"label","value":"CM-2(1)(a)"}],"parts":[{"id":"cm-2.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(1)(a)[1]"}],"prose":"defines the frequency to review and update the baseline configuration of the\n                        information system;"},{"id":"cm-2.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(1)(a)[2]"}],"prose":"reviews and updates the baseline configuration of the information system\n                        with the organization-defined frequency;"}],"links":[{"href":"#cm-2.1_smt.a","rel":"corresp","text":"CM-2(1)(a)"}]},{"id":"cm-2.1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-2(1)(b)"}],"parts":[{"id":"cm-2.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(1)(b)[1]"}],"prose":"defines circumstances that require the baseline configuration of the\n                        information system to be reviewed and updated;"},{"id":"cm-2.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(1)(b)[2]"}],"prose":"reviews and updates the baseline configuration of the information system\n                        when required due to organization-defined circumstances; and"}],"links":[{"href":"#cm-2.1_smt.b","rel":"corresp","text":"CM-2(1)(b)"}]},{"id":"cm-2.1.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(1)(c)"}],"prose":"reviews and updates the baseline configuration of the information system as an\n                     integral part of information system component installations and upgrades.","links":[{"href":"#cm-2.1_smt.c","rel":"corresp","text":"CM-2(1)(c)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nprocedures addressing information system component installations and\n                     upgrades\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of information system baseline configuration reviews and updates\\n\\ninformation system component installations/upgrades and associated records\\n\\nchange control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting review and update of the baseline\n                     configuration"}]}]},{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy / Currency","properties":[{"name":"label","value":"CM-2(2)"},{"name":"sort-id","value":"cm-02.02"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms to maintain an up-to-date, complete,\n                  accurate, and readily available baseline configuration of the information\n                  system."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline\n                  configurations for information systems include, for example, hardware and software\n                  inventory tools, configuration management tools, and network management tools.\n                  Such tools can be deployed and/or allocated as common controls, at the information\n                  system level, or at the operating system or component level (e.g., on\n                  workstations, servers, notebook computers, network components, or mobile devices).\n                  Tools can be used, for example, to track version numbers on operating system\n                  applications, types of software installed, and current patch levels. This control\n                  enhancement can be satisfied by the implementation of CM-8 (2) for organizations\n                  that choose to combine information system component inventory and baseline\n                  configuration activities.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"cm-2.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to maintain: ","parts":[{"id":"cm-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(2)[1]"}],"prose":"an up-to-date baseline configuration of the information system;"},{"id":"cm-2.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(2)[2]"}],"prose":"a complete baseline configuration of the information system;"},{"id":"cm-2.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(2)[3]"}],"prose":"an accurate baseline configuration of the information system; and"},{"id":"cm-2.2_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(2)[4]"}],"prose":"a readily available baseline configuration of the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nconfiguration change control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\\n\\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","parameters":[{"id":"cm-2.3_prm_1","label":"organization-defined previous versions of baseline configurations of the\n                  information system"}],"properties":[{"name":"label","value":"CM-2(3)"},{"name":"sort-id","value":"cm-02.03"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"The organization retains {{ cm-2.3_prm_1 }} to support\n                  rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback may\n                  include, for example, hardware, software, firmware, configuration files, and\n                  configuration records."},{"id":"cm-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(3)[1]"}],"prose":"defines previous versions of baseline configurations of the information system\n                     to be retained to support rollback; and"},{"id":"cm-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(3)[2]"}],"prose":"retains organization-defined previous versions of baseline configurations of\n                     the information system to support rollback."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncopies of previous baseline configuration versions\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems, Components, or Devices for High-risk Areas","parameters":[{"id":"cm-2.7_prm_1","label":"organization-defined information systems, system components, or\n                  devices"},{"id":"cm-2.7_prm_2","label":"organization-defined configurations"},{"id":"cm-2.7_prm_3","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"CM-2(7)"},{"name":"sort-id","value":"cm-02.07"}],"parts":[{"id":"cm-2.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-2.7_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Issues {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }}\n                     to individuals traveling to locations that the organization deems to be of\n                     significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Applies {{ cm-2.7_prm_3 }} to the devices when the individuals\n                     return."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that information systems, system components, or devices (e.g.,\n                  notebook computers, mobile devices) will be located in high-risk areas, additional\n                  security controls may be implemented to counter the greater threat in such areas\n                  coupled with the lack of physical security relative to organizational-controlled\n                  areas. For example, organizational policies and procedures for notebook computers\n                  used by individuals departing on and returning from travel include, for example,\n                  determining which locations are of concern, defining required configurations for\n                  the devices, ensuring that the devices are configured as intended before travel is\n                  initiated, and applying specific safeguards to the device after travel is\n                  completed. Specially configured notebook computers include, for example, computers\n                  with sanitized hard drives, limited applications, and additional hardening (e.g.,\n                  more stringent configuration settings). Specified safeguards applied to mobile\n                  devices upon return from travel include, for example, examining the device for\n                  signs of physical tampering and purging/reimaging the hard disk drive. Protecting\n                  information residing on mobile devices is covered in the media protection\n                  family."},{"id":"cm-2.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.7.a_obj","name":"objective","properties":[{"name":"label","value":"CM-2(7)(a)"}],"parts":[{"id":"cm-2.7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(7)(a)[1]"}],"prose":"defines information systems, system components, or devices to be issued to\n                        individuals traveling to locations that the organization deems to be of\n                        significant risk;"},{"id":"cm-2.7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(7)(a)[2]"}],"prose":"defines configurations to be employed on organization-defined information\n                        systems, system components, or devices issued to individuals traveling to\n                        such locations;"},{"id":"cm-2.7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(7)(a)[3]"}],"prose":"issues organization-defined information systems, system components, or\n                        devices with organization-defined configurations to individuals traveling to\n                        locations that the organization deems to be of significant risk;"}],"links":[{"href":"#cm-2.7_smt.a","rel":"corresp","text":"CM-2(7)(a)"}]},{"id":"cm-2.7.b_obj","name":"objective","properties":[{"name":"label","value":"CM-2(7)(b)"}],"parts":[{"id":"cm-2.7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-2(7)(b)[1]"}],"prose":"defines security safeguards to be applied to the devices when the\n                        individuals return; and"},{"id":"cm-2.7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-2(7)(b)[2]"}],"prose":"applies organization-defined safeguards to the devices when the individuals\n                        return."}],"links":[{"href":"#cm-2.7_smt.b","rel":"corresp","text":"CM-2(7)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nprocedures addressing information system component installations and\n                     upgrades\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of information system baseline configuration reviews and updates\\n\\ninformation system component installations/upgrades and associated records\\n\\nchange control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","parameters":[{"id":"cm-3_prm_1","label":"organization-defined time period"},{"id":"cm-3_prm_2","label":"organization-defined configuration change control element (e.g., committee,\n               board)"},{"id":"cm-3_prm_3"},{"id":"cm-3_prm_4","depends-on":"cm-3_prm_3","label":"organization-defined frequency"},{"id":"cm-3_prm_5","depends-on":"cm-3_prm_3","label":"organization-defined configuration change conditions"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-3"},{"name":"sort-id","value":"cm-03"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines the types of changes to the information system that are\n                  configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews proposed configuration-controlled changes to the information system and\n                  approves or disapproves such changes with explicit consideration for security\n                  impact analyses;"},{"id":"cm-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents configuration change decisions associated with the information\n                  system;"},{"id":"cm-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implements approved configuration-controlled changes to the information\n                  system;"},{"id":"cm-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retains records of configuration-controlled changes to the information system for\n                     {{ cm-3_prm_1 }};"},{"id":"cm-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Audits and reviews activities associated with configuration-controlled changes to\n                  the information system; and"},{"id":"cm-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Coordinates and provides oversight for configuration change control activities\n                  through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}."},{"id":"cm-3_fr","name":"item","title":"CM-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-3_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO."},{"id":"cm-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(e) Guidance:"}],"prose":"In accordance with record retention policies and procedures."}]}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change controls for organizational information systems involve the\n               systematic proposal, justification, implementation, testing, review, and disposition\n               of changes to the systems, including system upgrades and modifications. Configuration\n               change control includes changes to baseline configurations for components and\n               configuration items of information systems, changes to configuration settings for\n               information technology products (e.g., operating systems, applications, firewalls,\n               routers, and mobile devices), unscheduled/unauthorized changes, and changes to\n               remediate vulnerabilities. Typical processes for managing configuration changes to\n               information systems include, for example, Configuration Control Boards that approve\n               proposed changes to systems. For new development information systems or systems\n               undergoing major upgrades, organizations consider including representatives from\n               development organizations on the Configuration Control Boards. Auditing of changes\n               includes activities before and after changes are made to organizational information\n               systems and the auditing activities required to implement such changes.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-12","rel":"related","text":"SI-12"}]},{"id":"cm-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(a)"}],"prose":"determines the type of changes to the information system that must be\n                  configuration-controlled;"},{"id":"cm-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-3(b)"}],"prose":"reviews proposed configuration-controlled changes to the information system and\n                  approves or disapproves such changes with explicit consideration for security\n                  impact analyses;"},{"id":"cm-3.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-3(c)"}],"prose":"documents configuration change decisions associated with the information\n                  system;"},{"id":"cm-3.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(d)"}],"prose":"implements approved configuration-controlled changes to the information\n                  system;"},{"id":"cm-3.e_obj","name":"objective","properties":[{"name":"label","value":"CM-3(e)"}],"parts":[{"id":"cm-3.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(e)[1]"}],"prose":"defines a time period to retain records of configuration-controlled changes to\n                     the information system;"},{"id":"cm-3.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(e)[2]"}],"prose":"retains records of configuration-controlled changes to the information system\n                     for the organization-defined time period;"}]},{"id":"cm-3.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(f)"}],"prose":"audits and reviews activities associated with configuration-controlled changes to\n                  the information system;"},{"id":"cm-3.g_obj","name":"objective","properties":[{"name":"label","value":"CM-3(g)"}],"parts":[{"id":"cm-3.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(g)[1]"}],"prose":"defines a configuration change control element (e.g., committee, board)\n                     responsible for coordinating and providing oversight for configuration change\n                     control activities;"},{"id":"cm-3.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(g)[2]"}],"prose":"defines the frequency with which the configuration change control element must\n                     convene; and/or"},{"id":"cm-3.g_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-3(g)[3]"}],"prose":"defines configuration change conditions that prompt the configuration change\n                     control element to convene; and"},{"id":"cm-3.g_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-3(g)[4]"}],"prose":"coordinates and provides oversight for configuration change control activities\n                     through organization-defined configuration change control element that convenes\n                     at organization-defined frequency and/or for any organization-defined\n                     configuration change conditions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\ninformation system architecture and configuration documentation\\n\\nsecurity plan\\n\\nchange control records\\n\\ninformation system audit records\\n\\nchange control audit and review reports\\n\\nagenda /minutes from configuration change control oversight meetings\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nmembers of change control board or similar"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\\n\\nautomated mechanisms that implement configuration change control"}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","properties":[{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential\n               security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g.,\n               Information System Administrators, Information System Security Officers, Information\n               System Security Managers, and Information System Security Engineers) conduct security\n               impact analyses. Individuals conducting security impact analyses possess the\n               necessary skills/technical expertise to analyze the changes to information systems\n               and the associated security ramifications. Security impact analysis may include, for\n               example, reviewing security plans to understand security control requirements and\n               reviewing system design documentation to understand control implementation and how\n               specific changes might affect the controls. Security impact analyses may also include\n               assessments of risk to better understand the impact of the changes and to determine\n               if additional security controls are required. Security impact analyses are scaled in\n               accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine\n               potential security impacts prior to change implementation."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact\n                  analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","properties":[{"name":"label","value":"CM-5"},{"name":"sort-id","value":"cm-05"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"The organization defines, documents, approves, and enforces physical and logical\n               access restrictions associated with changes to the information system."},{"id":"cm-5_gdn","name":"guidance","prose":"Any changes to the hardware, software, and/or firmware components of information\n               systems can potentially have significant effects on the overall security of the\n               systems. Therefore, organizations permit only qualified and authorized individuals to\n               access information systems for purposes of initiating changes, including upgrades and\n               modifications. Organizations maintain records of access to ensure that configuration\n               change control is implemented and to support after-the-fact actions should\n               organizations discover any unauthorized changes. Access restrictions for change also\n               include software libraries. Access restrictions include, for example, physical and\n               logical access controls (see AC-3 and PE-3), workflow automation, media libraries,\n               abstract layers (e.g., changes implemented into third-party interfaces rather than\n               directly into information systems), and change windows (e.g., changes occur only\n               during specified times, making unauthorized changes easy to discover).","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#pe-3","rel":"related","text":"PE-3"}]},{"id":"cm-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-5_obj.1","name":"objective","properties":[{"name":"label","value":"CM-5[1]"}],"prose":"defines physical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.2","name":"objective","properties":[{"name":"label","value":"CM-5[2]"}],"prose":"documents physical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.3","name":"objective","properties":[{"name":"label","value":"CM-5[3]"}],"prose":"approves physical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.4","name":"objective","properties":[{"name":"label","value":"CM-5[4]"}],"prose":"enforces physical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.5","name":"objective","properties":[{"name":"label","value":"CM-5[5]"}],"prose":"defines logical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.6","name":"objective","properties":[{"name":"label","value":"CM-5[6]"}],"prose":"documents logical access restrictions associated with changes to the information\n                  system;"},{"id":"cm-5_obj.7","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5[7]"}],"prose":"approves logical access restrictions associated with changes to the information\n                  system; and"},{"id":"cm-5_obj.8","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5[8]"}],"prose":"enforces logical access restrictions associated with changes to the information\n                  system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlogical access approvals\\n\\nphysical access approvals\\n\\naccess credentials\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with logical access control responsibilities\\n\\norganizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting/implementing/enforcing access restrictions\n                  associated with changes to the information system"}]}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement / Auditing","properties":[{"name":"label","value":"CM-5(1)"},{"name":"sort-id","value":"cm-05.01"}],"parts":[{"id":"cm-5.1_smt","name":"statement","prose":"The information system enforces access restrictions and supports auditing of the\n                  enforcement actions."},{"id":"cm-5.1_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-6","rel":"related","text":"CM-6"}]},{"id":"cm-5.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"cm-5.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(1)[1]"}],"prose":"enforces access restrictions for change; and"},{"id":"cm-5.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(1)[2]"}],"prose":"supports auditing of the enforcement actions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms implementing enforcement of access restrictions for\n                     changes to the information system\\n\\nautomated mechanisms supporting auditing of enforcement actions"}]}]},{"id":"cm-5.3","class":"SP800-53-enhancement","title":"Signed Components","parameters":[{"id":"cm-5.3_prm_1","label":"organization-defined software and firmware components"}],"properties":[{"name":"label","value":"CM-5(3)"},{"name":"sort-id","value":"cm-05.03"}],"parts":[{"id":"cm-5.3_smt","name":"statement","prose":"The information system prevents the installation of {{ cm-5.3_prm_1 }} without verification that the component has been\n                  digitally signed using a certificate that is recognized and approved by the\n                  organization.","parts":[{"id":"cm-5.3_fr","name":"item","title":"CM-5 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-5.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized."}]}]},{"id":"cm-5.3_gdn","name":"guidance","prose":"Software and firmware components prevented from installation unless signed with\n                  recognized and approved certificates include, for example, software and firmware\n                  version updates, patches, service packs, device drivers, and basic input output\n                  system (BIOS) updates. Organizations can identify applicable software and firmware\n                  components by type, by specific items, or a combination of both. Digital\n                  signatures and organizational verification of such signatures, is a method of code\n                  authentication.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"cm-5.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-5.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-5(3)[1]"}],"prose":"the organization defines software and firmware components that the information\n                     system will prevent from being installed without verification that such\n                     components have been digitally signed using a certificate that is recognized\n                     and approved by the organization; and"},{"id":"cm-5.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(3)[2]"}],"prose":"the information system prevents the installation of organization-defined\n                     software and firmware components without verification that such components have\n                     been digitally signed using a certificate that is recognized and approved by\n                     the organization."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nlist of software and firmware components to be prohibited from installation\n                     without a recognized and approved certificate\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms preventing installation of software and firmware\n                     components not signed with an organization-recognized and approved\n                     certificate"}]}]},{"id":"cm-5.5","class":"SP800-53-enhancement","title":"Limit Production / Operational Privileges","parameters":[{"id":"cm-5.5_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least quarterly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-5(5)"},{"name":"sort-id","value":"cm-05.05"}],"parts":[{"id":"cm-5.5_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-5.5_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Limits privileges to change information system components and system-related\n                     information within a production or operational environment; and"},{"id":"cm-5.5_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Reviews and reevaluates privileges {{ cm-5.5_prm_1 }}."}]},{"id":"cm-5.5_gdn","name":"guidance","prose":"In many organizations, information systems support multiple core missions/business\n                  functions. Limiting privileges to change information system components with\n                  respect to operational systems is necessary because changes to a particular\n                  information system component may have far-reaching effects on mission/business\n                  processes supported by the system where the component resides. The complex,\n                  many-to-many relationships between systems and mission/business processes are in\n                  some cases, unknown to developers.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"}]},{"id":"cm-5.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-5.5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-5(5)(a)"}],"prose":"limits privileges to change information system components and system-related\n                     information within a production or operational environment;","links":[{"href":"#cm-5.5_smt.a","rel":"corresp","text":"CM-5(5)(a)"}]},{"id":"cm-5.5.b_obj","name":"objective","properties":[{"name":"label","value":"CM-5(5)(b)"}],"parts":[{"id":"cm-5.5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-5(5)(b)[1]"}],"prose":"defines the frequency to review and reevaluate privileges; and"},{"id":"cm-5.5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-5(5)(b)[2]"}],"prose":"reviews and reevaluates privileges with the organization-defined\n                        frequency."}],"links":[{"href":"#cm-5.5_smt.b","rel":"corresp","text":"CM-5(5)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nuser privilege reviews\\n\\nuser privilege recertifications\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting and/or implementing access restrictions for\n                     change"}]}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","parameters":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists","guidance":[{"prose":"See CM-6(a) Additional FedRAMP Requirements and Guidance"}]},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference","text":"OMB Memorandum 07-11"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference","text":"OMB Memorandum 07-18"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference","text":"OMB Memorandum 08-22"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference","text":"http://checklists.nist.gov"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference","text":"http://www.nsa.gov"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology\n                  products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with\n                  operational requirements;"},{"id":"cm-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration\n                  settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with\n                  organizational policies and procedures."},{"id":"cm-6_fr","name":"item","title":"CM-6(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}]}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware,\n               software, or firmware components of the information system that affect the security\n               posture and/or functionality of the system. Information technology products for which\n               security-related configuration settings can be defined include, for example,\n               mainframe computers, servers (e.g., database, electronic mail, authentication, web,\n               proxy, file, domain name), workstations, input/output devices (e.g., scanners,\n               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice\n               and data switches, wireless access points, network appliances, sensors), operating\n               systems, middleware, and applications. Security-related parameters are those\n               parameters impacting the security state of information systems including the\n               parameters required to satisfy other security control requirements. Security-related\n               parameters include, for example: (i) registry settings; (ii) account, file, directory\n               permission settings; and (iii) settings for functions, ports, protocols, services,\n               and remote connections. Organizations establish organization-wide configuration\n               settings and subsequently derive specific settings for information systems. The\n               established settings become part of the systems configuration baseline. Common secure\n               configurations (also referred to as security configuration checklists, lockdown and\n               hardening guides, security reference guides, security technical implementation\n               guides) provide recognized, standardized, and established benchmarks that stipulate\n               secure configuration settings for specific information technology platforms/products\n               and instructions for configuring those information system components to meet\n               operational requirements. Common secure configurations can be developed by a variety\n               of organizations including, for example, information technology product developers,\n               manufacturers, vendors, consortia, academia, industry, federal agencies, and other\n               organizations in the public and private sectors. Common secure configurations include\n               the United States Government Configuration Baseline (USGCB) which affects the\n               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security\n               Content Automation Protocol (SCAP) and the defined standards within the protocol\n               (e.g., Common Configuration Enumeration) provide an effective method to uniquely\n               identify, track, and control configuration settings. OMB establishes federal policy\n               on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","properties":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document\n                     configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most\n                     restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology\n                     products employed within the information system using organization-defined\n                     security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","properties":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established\n                     configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration\n                        settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration\n                        settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","properties":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with\n                     organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with\n                     organizational policies and procedures."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nevidence supporting approved deviations from established configuration\n                  settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\\n\\nautomated mechanisms that implement, monitor, and/or control information system\n                  configuration settings\\n\\nautomated mechanisms that identify and/or document deviations from established\n                  configuration settings"}]}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Central Management / Application / Verification","parameters":[{"id":"cm-6.1_prm_1","label":"organization-defined information system components"}],"properties":[{"name":"label","value":"CM-6(1)"},{"name":"sort-id","value":"cm-06.01"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to centrally manage, apply, and\n                  verify configuration settings for {{ cm-6.1_prm_1 }}."},{"id":"cm-6.1_gdn","name":"guidance","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"}]},{"id":"cm-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-6(1)[1]"}],"prose":"defines information system components for which automated mechanisms are to be\n                     employed to:","parts":[{"id":"cm-6.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-6(1)[1][a]"}],"prose":"centrally manage configuration settings of such components;"},{"id":"cm-6.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-6(1)[1][b]"}],"prose":"apply configuration settings of such components;"},{"id":"cm-6.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-6(1)[1][c]"}],"prose":"verify configuration settings of such components;"}]},{"id":"cm-6.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-6(1)[2]"}],"prose":"employs automated mechanisms to:","parts":[{"id":"cm-6.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-6(1)[2][a]"}],"prose":"centrally manage configuration settings for organization-defined information\n                        system components;"},{"id":"cm-6.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-6(1)[2][b]"}],"prose":"apply configuration settings for organization-defined information system\n                        components; and"},{"id":"cm-6.1_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-6(1)[2][c]"}],"prose":"verify configuration settings for organization-defined information system\n                        components."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\\n\\nautomated mechanisms implemented to centrally manage, apply, and verify\n                     information system configuration settings"}]}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","parameters":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and/or\n               services","constraints":[{"detail":"United States Government Configuration Baseline (USGCB)"}]}],"properties":[{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference","text":"DoD Instruction 8551.01"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols,\n                  and/or services: {{ cm-7_prm_1 }}."},{"id":"cm-7_fr","name":"item","title":"CM-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."},{"id":"cm-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8)."}]}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the\n               functions and services, provided by default, may not be necessary to support\n               essential organizational operations (e.g., key missions, functions). Additionally, it\n               is sometimes convenient to provide multiple services from single information system\n               components, but doing so increases risk over limiting the services provided by any\n               one component. Where feasible, organizations limit component functionality to a\n               single function per device (e.g., email servers or web servers, but not both).\n               Organizations review functions and services provided by information systems or\n               individual components of information systems, to determine which functions and\n               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant\n               Messaging, auto-execute, and file sharing). Organizations consider disabling unused\n               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File\n               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to\n               prevent unauthorized connection of devices, unauthorized transfer of information, or\n               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion\n               detection and prevention systems, and end-point protections such as firewalls and\n               host-based intrusion detection systems to identify and prevent the use of prohibited\n               functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","properties":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.b_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.b_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing least functionality in the information system\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols,\n                  and/or services\\n\\nautomated mechanisms implementing restrictions or prohibition of functions, ports,\n                  protocols, and/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","parameters":[{"id":"cm-7.1_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]},{"id":"cm-7.1_prm_2","label":"organization-defined functions, ports, protocols, and services within the\n                  information system deemed to be unnecessary and/or nonsecure"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-7(1)"},{"name":"sort-id","value":"cm-07.01"}],"parts":[{"id":"cm-7.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Reviews the information system {{ cm-7.1_prm_1 }} to identify\n                     unnecessary and/or nonsecure functions, ports, protocols, and services; and"},{"id":"cm-7.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Disables {{ cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"The organization can either make a determination of the relative security of the\n                  function, port, protocol, and/or service or base the security decision on the\n                  assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are\n                  examples of less than secure protocols.","links":[{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#ia-2","rel":"related","text":"IA-2"}]},{"id":"cm-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.1.a_obj","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)"}],"parts":[{"id":"cm-7.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(1)(a)[1]"}],"prose":"defines the frequency to review the information system to identify\n                        unnecessary and/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[1][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.1.a_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(1)(a)[2]"}],"prose":"reviews the information system with the organization-defined frequency to\n                        identify unnecessary and/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[2][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.1.a_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-7(1)(a)[2][d]"}],"prose":"services;"}]}],"links":[{"href":"#cm-7.1_smt.a","rel":"corresp","text":"CM-7(1)(a)"}]},{"id":"cm-7.1.b_obj","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)"}],"parts":[{"id":"cm-7.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(1)(b)[1]"}],"prose":"defines, within the information system, unnecessary and/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[1][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.1.b_obj.1.d","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(1)(b)[2]"}],"prose":"disables organization-defined unnecessary and/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[2][c]"}],"prose":"protocols; and/or"},{"id":"cm-7.1.b_obj.2.d","name":"objective","properties":[{"name":"label","value":"CM-7(1)(b)[2][d]"}],"prose":"services."}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"corresp","text":"CM-7(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\ndocumented reviews of functions, ports, protocols, and/or services\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports,\n                     protocols, and services on the information system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for reviewing/disabling nonsecure functions, ports,\n                     protocols, and/or services\\n\\nautomated mechanisms implementing review and disabling of nonsecure functions,\n                     ports, protocols, and/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","parameters":[{"id":"cm-7.2_prm_1"},{"id":"cm-7.2_prm_2","depends-on":"cm-7.2_prm_1","label":"organization-defined policies regarding software program usage and\n                  restrictions"}],"properties":[{"name":"label","value":"CM-7(2)"},{"name":"sort-id","value":"cm-07.02"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"The information system prevents program execution in accordance with {{ cm-7.2_prm_1 }}.","parts":[{"id":"cm-7.2_fr","name":"item","title":"CM-7 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7.2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run."}]}]},{"id":"cm-7.2_gdn","name":"guidance","links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pm-5","rel":"related","text":"PM-5"}]},{"id":"cm-7.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-7.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(2)[1]"}],"prose":"the organization defines policies regarding software program usage and\n                     restrictions;"},{"id":"cm-7.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(2)[2]"}],"prose":"the information system prevents program execution in accordance with one or\n                     more of the following:","parts":[{"id":"cm-7.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-7(2)[2][a]"}],"prose":"organization-defined policies regarding program usage and restrictions;\n                        and/or"},{"id":"cm-7.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-7(2)[2][b]"}],"prose":"rules authorizing the terms and conditions of software program usage."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nspecifications for preventing software program execution\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes preventing program execution on the information\n                     system\\n\\norganizational processes for software program usage and restrictions\\n\\nautomated mechanisms preventing program execution on the information system\\n\\nautomated mechanisms supporting and/or implementing software program usage and\n                     restrictions"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software / Whitelisting","parameters":[{"id":"cm-7.5_prm_1","label":"organization-defined software programs authorized to execute on the\n                  information system"},{"id":"cm-7.5_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least Annually or when there is a change"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-7(5)"},{"name":"sort-id","value":"cm-07.05"}],"parts":[{"id":"cm-7.5_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.5_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Identifies {{ cm-7.5_prm_1 }};"},{"id":"cm-7.5_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Employs a deny-all, permit-by-exception policy to allow the execution of\n                     authorized software programs on the information system; and"},{"id":"cm-7.5_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Reviews and updates the list of authorized software programs {{ cm-7.5_prm_2 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"The process used to identify software programs that are authorized to execute on\n                  organizational information systems is commonly referred to as whitelisting. In\n                  addition to whitelisting, organizations consider verifying the integrity of\n                  white-listed software programs using, for example, cryptographic checksums,\n                  digital signatures, or hash functions. Verification of white-listed software can\n                  occur either prior to execution or at system startup.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pm-5","rel":"related","text":"PM-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sc-34","rel":"related","text":"SC-34"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"cm-7.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(5)(a)"}],"prose":"Identifies/defines software programs authorized to execute on the information\n                     system;","links":[{"href":"#cm-7.5_smt.a","rel":"corresp","text":"CM-7(5)(a)"}]},{"id":"cm-7.5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(5)(b)"}],"prose":"employs a deny-all, permit-by-exception policy to allow the execution of\n                     authorized software programs on the information system;","links":[{"href":"#cm-7.5_smt.b","rel":"corresp","text":"CM-7(5)(b)"}]},{"id":"cm-7.5.c_obj","name":"objective","properties":[{"name":"label","value":"CM-7(5)(c)"}],"parts":[{"id":"cm-7.5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-7(5)(c)[1]"}],"prose":"defines the frequency to review and update the list of authorized software\n                        programs on the information system; and"},{"id":"cm-7.5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-7(5)(c)[2]"}],"prose":"reviews and updates the list of authorized software programs with the\n                        organization-defined frequency."}],"links":[{"href":"#cm-7.5_smt.c","rel":"corresp","text":"CM-7(5)(c)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of software programs authorized to execute on the information system\\n\\nsecurity configuration checklists\\n\\nreview and update records associated with list of authorized software\n                     programs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for identifying software\n                     authorized to execute on the information system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for identifying, reviewing, and updating programs\n                     authorized to execute on the information system\\n\\norganizational process for implementing whitelisting\\n\\nautomated mechanisms implementing whitelisting"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","parameters":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective\n               information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information\n                     system;"},{"id":"cm-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting;\n                     and"},{"id":"cm-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Includes {{ cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ cm-8_prm_2 }}."},{"id":"cm-8_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}]}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component\n               inventories that include components from all organizational information systems. In\n               such situations, organizations ensure that the resulting inventories include\n               system-specific information required for proper component accountability (e.g.,\n               information system association, information system owner). Information deemed\n               necessary for effective accountability of information system components includes, for\n               example, hardware inventory specifications, software license information, software\n               version numbers, component owners, and for networked components or devices, machine\n               names and network addresses. Inventory specifications include, for example,\n               manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pm-5","rel":"related","text":"PM-5"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that\n                     accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that\n                     includes all components within the authorization boundary of the information\n                     system;"},{"id":"cm-8.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at\n                     the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","properties":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information\n                        system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that\n                        includes organization-defined information deemed necessary to achieve\n                        effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","properties":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component\n                     inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the\n                     organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component\n                  inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of\n                  information system components\\n\\nautomated mechanisms supporting and/or implementing the information system\n                  component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installations / Removals","properties":[{"name":"label","value":"CM-8(1)"},{"name":"sort-id","value":"cm-08.01"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"The organization updates the inventory of information system components as an\n                  integral part of component installations, removals, and information system\n                  updates."},{"id":"cm-8.1_obj","name":"objective","prose":"Determine if the organization updates the inventory of information system\n                  components as an integral part of:","parts":[{"id":"cm-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(1)[1]"}],"prose":"component installations;"},{"id":"cm-8.1_obj.2","name":"objective","properties":[{"name":"label","value":"CM-8(1)[2]"}],"prose":"component removals; and"},{"id":"cm-8.1_obj.3","name":"objective","properties":[{"name":"label","value":"CM-8(1)[3]"}],"prose":"information system updates."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\ncomponent installation records\\n\\ncomponent removal records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for updating the information\n                     system component inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for updating inventory of information system\n                     components\\n\\nautomated mechanisms implementing updating of the information system component\n                     inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","parameters":[{"id":"cm-8.3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"Continuously, using automated mechanisms with a maximum five-minute delay in detection"}]},{"id":"cm-8.3_prm_2"},{"id":"cm-8.3_prm_3","depends-on":"cm-8.3_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-8(3)"},{"name":"sort-id","value":"cm-08.03"}],"parts":[{"id":"cm-8.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms {{ cm-8.3_prm_1 }} to detect the\n                     presence of unauthorized hardware, software, and firmware components within the\n                     information system; and"},{"id":"cm-8.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Takes the following actions when unauthorized components are detected: {{ cm-8.3_prm_2 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"This control enhancement is applied in addition to the monitoring for unauthorized\n                  remote connections and mobile devices. Monitoring for unauthorized system\n                  components may be accomplished on an ongoing basis or by the periodic scanning of\n                  systems for that purpose. Automated mechanisms can be implemented within\n                  information systems or in other separate devices. Isolation can be achieved, for\n                  example, by placing unauthorized information system components in separate domains\n                  or subnets or otherwise quarantining such components. This type of component\n                  isolation is commonly referred to as sandboxing.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"cm-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.3.a_obj","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)"}],"parts":[{"id":"cm-8.3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(3)(a)[1]"}],"prose":"defines the frequency to employ automated mechanisms to detect the presence\n                        of unauthorized:","parts":[{"id":"cm-8.3.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[1][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[1][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[1][c]"}],"prose":"firmware components within the information system;"}]},{"id":"cm-8.3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(3)(a)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to\n                        detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[2][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[2][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-8(3)(a)[2][c]"}],"prose":"firmware components within the information system;"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"corresp","text":"CM-8(3)(a)"}]},{"id":"cm-8.3.b_obj","name":"objective","properties":[{"name":"label","value":"CM-8(3)(b)"}],"parts":[{"id":"cm-8.3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-8(3)(b)[1]"}],"prose":"defines personnel or roles to be notified when unauthorized components are\n                        detected;"},{"id":"cm-8.3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-8(3)(b)[2]"}],"prose":"takes one or more of the following actions when unauthorized components are\n                        detected:","parts":[{"id":"cm-8.3.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"CM-8(3)(b)[2][a]"}],"prose":"disables network access by such components;"},{"id":"cm-8.3.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"CM-8(3)(b)[2][b]"}],"prose":"isolates the components; and/or"},{"id":"cm-8.3.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"CM-8(3)(b)[2][c]"}],"prose":"notifies organization-defined personnel or roles."}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"corresp","text":"CM-8(3)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system inventory records\\n\\nalerts/notifications of unauthorized components within the information\n                     system\\n\\ninformation system monitoring records\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated\n                     mechanisms implementing unauthorized information system component detection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for detection of unauthorized information system\n                     components\\n\\nautomated mechanisms implementing the detection of unauthorized information\n                     system components"}]}]},{"id":"cm-8.5","class":"SP800-53-enhancement","title":"No Duplicate Accounting of Components","properties":[{"name":"label","value":"CM-8(5)"},{"name":"sort-id","value":"cm-08.05"}],"parts":[{"id":"cm-8.5_smt","name":"statement","prose":"The organization verifies that all components within the authorization boundary of\n                  the information system are not duplicated in other information system component\n                  inventories."},{"id":"cm-8.5_gdn","name":"guidance","prose":"This control enhancement addresses the potential problem of duplicate accounting\n                  of information system components in large or complex interconnected systems."},{"id":"cm-8.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization verifies that all components within the\n                  authorization boundary of the information system are not duplicated in other\n                  information system inventories. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system inventory responsibilities\\n\\norganizational personnel with responsibilities for defining information system\n                     components within the authorization boundary of the system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system\n                     components\\n\\nautomated mechanisms implementing the information system component\n                     inventory"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CM-9"},{"name":"sort-id","value":"cm-09"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"The organization develops, documents, and implements a configuration management plan\n               for the information system that:","parts":[{"id":"cm-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and\n                  procedures;"},{"id":"cm-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system\n                  development life cycle and for managing the configuration of the configuration\n                  items;"},{"id":"cm-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the information system and places the\n                  configuration items under configuration management; and"},{"id":"cm-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects the configuration management plan from unauthorized disclosure and\n                  modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management plans satisfy the requirements in configuration management\n               policies while being tailored to individual information systems. Such plans define\n               detailed processes and procedures for how configuration management is used to support\n               system development life cycle activities at the information system level.\n               Configuration management plans are typically developed during the\n               development/acquisition phase of the system development life cycle. The plans\n               describe how to move changes through change management processes, how to update\n               configuration settings and baselines, how to maintain information system component\n               inventories, how to control development, test, and operational environments, and how\n               to develop, release, and update key documents. Organizations can employ templates to\n               help ensure consistent and timely development and implementation of configuration\n               management plans. Such templates can represent a master configuration management plan\n               for the organization at large with subsets of the plan implemented on a system by\n               system basis. Configuration management approval processes include designation of key\n               management stakeholders responsible for reviewing and approving proposed changes to\n               information systems, and personnel that conduct security impact analyses prior to the\n               implementation of changes to the systems. Configuration items are the information\n               system items (hardware, software, firmware, and documentation) to be\n               configuration-managed. As information systems continue through the system development\n               life cycle, new configuration items may be identified and some existing configuration\n               items may no longer need to be under configuration control.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sa-10","rel":"related","text":"SA-10"}]},{"id":"cm-9_obj","name":"objective","prose":"Determine if the organization develops, documents, and implements a configuration\n               management plan for the information system that:","parts":[{"id":"cm-9.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-9(a)"}],"parts":[{"id":"cm-9.a_obj.1","name":"objective","properties":[{"name":"label","value":"CM-9(a)[1]"}],"prose":"addresses roles;"},{"id":"cm-9.a_obj.2","name":"objective","properties":[{"name":"label","value":"CM-9(a)[2]"}],"prose":"addresses responsibilities;"},{"id":"cm-9.a_obj.3","name":"objective","properties":[{"name":"label","value":"CM-9(a)[3]"}],"prose":"addresses configuration management processes and procedures;"}]},{"id":"cm-9.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-9(b)"}],"prose":"establishes a process for:","parts":[{"id":"cm-9.b_obj.1","name":"objective","properties":[{"name":"label","value":"CM-9(b)[1]"}],"prose":"identifying configuration items throughout the SDLC;"},{"id":"cm-9.b_obj.2","name":"objective","properties":[{"name":"label","value":"CM-9(b)[2]"}],"prose":"managing the configuration of the configuration items;"}]},{"id":"cm-9.c_obj","name":"objective","properties":[{"name":"label","value":"CM-9(c)"}],"parts":[{"id":"cm-9.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-9(c)[1]"}],"prose":"defines the configuration items for the information system;"},{"id":"cm-9.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-9(c)[2]"}],"prose":"places the configuration items under configuration management;"}]},{"id":"cm-9.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-9(d)"}],"prose":"protects the configuration management plan from unauthorized:","parts":[{"id":"cm-9.d_obj.1","name":"objective","properties":[{"name":"label","value":"CM-9(d)[1]"}],"prose":"disclosure; and"},{"id":"cm-9.d_obj.2","name":"objective","properties":[{"name":"label","value":"CM-9(d)[2]"}],"prose":"modification."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing configuration management planning\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for developing the configuration\n                  management plan\\n\\norganizational personnel with responsibilities for implementing and managing\n                  processes defined in the configuration management plan\\n\\norganizational personnel with responsibilities for protecting the configuration\n                  management plan\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting the configuration\n                  management plan\\n\\norganizational processes for identifying and managing configuration items\\n\\norganizational processes for protecting the configuration management plan\\n\\nautomated mechanisms implementing the configuration management plan\\n\\nautomated mechanisms for managing configuration items\\n\\nautomated mechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","properties":[{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"},{"id":"cm-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple\n               spreadsheets) or automated methods (e.g., specialized tracking applications)\n               depending on organizational needs.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing software usage restrictions\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nsoftware contract agreements and copyright laws\\n\\nsite license documentation\\n\\nlist of software usage restrictions\\n\\nsoftware license tracking reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity\n                  licenses\\n\\norganization process for controlling/documenting the use of peer-to-peer file\n                  sharing technology\\n\\nautomated mechanisms implementing software license tracking\\n\\nautomated mechanisms implementing and controlling the use of peer-to-peer files\n                  sharing technology"}]}],"controls":[{"id":"cm-10.1","class":"SP800-53-enhancement","title":"Open Source Software","parameters":[{"id":"cm-10.1_prm_1","label":"organization-defined restrictions"}],"properties":[{"name":"label","value":"CM-10(1)"},{"name":"sort-id","value":"cm-10.01"}],"parts":[{"id":"cm-10.1_smt","name":"statement","prose":"The organization establishes the following restrictions on the use of open source\n                  software: {{ cm-10.1_prm_1 }}."},{"id":"cm-10.1_gdn","name":"guidance","prose":"Open source software refers to software that is available in source code form.\n                  Certain software rights normally reserved for copyright holders are routinely\n                  provided under software license agreements that permit individuals to study,\n                  change, and improve the software. From a security perspective, the major advantage\n                  of open source software is that it provides organizations with the ability to\n                  examine the source code. However, there are also various licensing issues\n                  associated with open source software including, for example, the constraints on\n                  derivative use of such software."},{"id":"cm-10.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-10(1)[1]"}],"prose":"defines restrictions on the use of open source software; and"},{"id":"cm-10.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-10(1)[2]"}],"prose":"establishes organization-defined restrictions on the use of open source\n                     software."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing restrictions on use of open source software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for establishing and enforcing\n                     restrictions on use of open source software\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for restricting the use of open source software\\n\\nautomated mechanisms implementing restrictions on the use of open source\n                     software"}]}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","parameters":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency","constraints":[{"detail":"Continuously (via CM-7 (5))"}]}],"properties":[{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes {{ cm-11_prm_1 }} governing the installation of\n                  software by users;"},{"id":"cm-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ cm-11_prm_2 }};\n                  and"},{"id":"cm-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in\n               organizational information systems. To maintain control over the types of software\n               installed, organizations identify permitted and prohibited actions regarding software\n               installation. Permitted software installations may include, for example, updates and\n               security patches to existing software and downloading applications from\n               organization-approved “app stores” Prohibited software installations may include, for\n               example, software with unknown or suspect pedigrees or software that organizations\n               consider potentially malicious. The policies organizations select governing\n               user-installed software may be organization-developed or provided by some external\n               entity. Policy enforcement methods include procedural methods (e.g., periodic\n               examination of user accounts), automated methods (e.g., configuration settings\n               implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","properties":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of\n                     software by users;"}]},{"id":"cm-11.b_obj","name":"objective","properties":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined\n                     methods;"}]},{"id":"cm-11.c_obj","name":"objective","properties":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of rules governing user installed software\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records\\n\\ncontinuous monitoring strategy"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed\n                  software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel monitoring compliance with user-installed software\n                  policy\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information\n                  system\\n\\nautomated mechanisms enforcing rules/methods for governing the installation of\n                  software by users\\n\\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","parameters":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"cp-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy\n                     and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that\n                        addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning\n                        policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to\n                        organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the\n                        implementation of the contingency planning policy and associated contingency\n                        planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined\n                        personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current\n                        contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with\n                        the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current\n                        contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","parameters":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency\n                     requirements;"},{"id":"cp-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with\n                     contact information;"},{"id":"cp-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information\n                  system, or environment of operation and problems encountered during contingency\n                  plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."},{"id":"cp-2_fr","name":"item","title":"CP-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"CP-2 Requirement:"}],"prose":"For JAB authorizations the contingency lists include designated FedRAMP personnel."}]}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational\n               program for achieving continuity of operations for mission/business functions.\n               Contingency planning addresses both information system restoration and implementation\n               of alternative mission/business processes when systems are compromised. The\n               effectiveness of contingency planning is maximized by considering such planning\n               throughout the phases of the system development life cycle. Performing contingency\n               planning on hardware, software, and firmware development can be an effective means of\n               achieving information system resiliency. Contingency plans reflect the degree of\n               restoration required for organizational information systems since not all systems may\n               need to fully recover to achieve the level of continuity of operations desired.\n               Information system recovery objectives reflect applicable laws, Executive Orders,\n               directives, policies, standards, regulations, and guidelines. In addition to\n               information system availability, contingency plans also address other\n               security-related events resulting in a reduction in mission and/or business\n               effectiveness, such as malicious attacks compromising the confidentiality or\n               integrity of information systems. Actions addressed in contingency plans include, for\n               example, orderly/graceful degradation, information system shutdown, fallback to a\n               manual mode, alternate information flows, and operating in modes reserved for when\n               systems are under attack. By closely coordinating contingency planning with incident\n               handling activities, organizations can ensure that the necessary contingency planning\n               activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-11","rel":"related","text":"PM-11"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency\n                     requirements;"},{"id":"cp-2.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","properties":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for\n                        the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","properties":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom copies of the contingency plan are to be\n                     distributed;"},{"id":"cp-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key\n                     contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","properties":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information\n                     system;"},{"id":"cp-2.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","properties":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of\n                     operation;"},{"id":"cp-2.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","properties":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom contingency plan changes are to be\n                     communicated;"},{"id":"cp-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency\n                     personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nevidence of contingency plan reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and\n                  protection\\n\\nautomated mechanisms for developing, reviewing, updating and/or protecting the\n                  contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","properties":[{"name":"label","value":"CP-2(1)"},{"name":"sort-id","value":"cp-02.01"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"The organization coordinates contingency plan development with organizational\n                  elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include,\n                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of\n                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant\n                  Emergency Plans."},{"id":"cp-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization coordinates contingency plan development with\n                  organizational elements responsible for related plans."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness contingency plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\ncyber incident response plan\\n\\ninsider threat implementation plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","properties":[{"name":"label","value":"CP-2(2)"},{"name":"sort-id","value":"cp-02.02"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"The organization conducts capacity planning so that necessary capacity for\n                  information processing, telecommunications, and environmental support exists\n                  during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different types of threats (e.g., natural\n                  disasters, targeted cyber attacks) can result in a reduction of the available\n                  processing, telecommunications, and support services originally intended to\n                  support the organizational missions/business functions. Organizations may need to\n                  anticipate degraded operations during contingency operations and factor such\n                  degradation into capacity planning."},{"id":"cp-2.2_obj","name":"objective","prose":"Determine if the organization conducts capacity planning so that necessary\n                  capacity exists during contingency operations for: ","parts":[{"id":"cp-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-2(2)[1]"}],"prose":"information processing;"},{"id":"cp-2.2_obj.2","name":"objective","properties":[{"name":"label","value":"CP-2(2)[2]"}],"prose":"telecommunications; and"},{"id":"cp-2.2_obj.3","name":"objective","properties":[{"name":"label","value":"CP-2(2)[3]"}],"prose":"environmental support."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\ncapacity planning documents\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Essential Missions / Business Functions","parameters":[{"id":"cp-2.3_prm_1","label":"organization-defined time period"}],"properties":[{"name":"label","value":"CP-2(3)"},{"name":"sort-id","value":"cp-02.03"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"The organization plans for the resumption of essential missions and business\n                  functions within {{ cp-2.3_prm_1 }} of contingency plan\n                  activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. The time period for\n                  resumption of essential missions/business functions may be dependent on the\n                  severity/extent of disruptions to the information system and its supporting\n                  infrastructure.","links":[{"href":"#pe-12","rel":"related","text":"PE-12"}]},{"id":"cp-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-2(3)[1]"}],"prose":"defines the time period to plan for the resumption of essential missions and\n                     business functions as a result of contingency plan activation; and"},{"id":"cp-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-2(3)[2]"}],"prose":"plans for the resumption of essential missions and business functions within\n                     organization-defined time period of contingency plan activation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nbusiness impact assessment\\n\\nother related plans\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","properties":[{"name":"label","value":"CP-2(8)"},{"name":"sort-id","value":"cp-02.08"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"The organization identifies critical information system assets supporting\n                  essential missions and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. Organizations\n                  identify critical information system assets so that additional safeguards and\n                  countermeasures can be employed (above and beyond those safeguards and\n                  countermeasures routinely implemented) to help ensure that organizational\n                  missions/business functions can continue to be conducted during contingency\n                  operations. In addition, the identification of critical information assets\n                  facilitates the prioritization of organizational resources. Critical information\n                  system assets include technical and operational aspects. Technical aspects\n                  include, for example, information technology services, information system\n                  components, information technology products, and mechanisms. Operational aspects\n                  include, for example, procedures (manually executed operations) and personnel\n                  (individuals operating technical safeguards and/or executing manual procedures).\n                  Organizational program protection plans can provide assistance in identifying\n                  critical assets.","links":[{"href":"#sa-14","rel":"related","text":"SA-14"},{"href":"#sa-15","rel":"related","text":"SA-15"}]},{"id":"cp-2.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization identifies critical information system assets\n                  supporting essential missions and business functions."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness impact assessment\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","parameters":[{"id":"cp-3_prm_1","label":"organization-defined time period","constraints":[{"detail":"ten (10) days"}]},{"id":"cp-3_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent\n               with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ cp-3_prm_1 }} of assuming a contingency role or\n                  responsibility;"},{"id":"cp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and\n               responsibilities of organizational personnel to ensure that the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know when and where to report for duty during contingency operations and if\n               normal duties are affected; system administrators may require additional training on\n               how to set up information systems at alternate processing and storage sites; and\n               managers/senior leaders may receive more specific training on how to conduct\n               mission-essential functions in designated off-site locations and how to establish\n               communications with other governmental entities for purposes of coordination on\n               contingency-related activities. Training for contingency roles/responsibilities\n               reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-2","rel":"related","text":"IR-2"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","properties":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to\n                     information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned\n                  roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","properties":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with\n                     assigned roles and responsibilities with the organization-defined frequency\n                     thereafter."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nsecurity plan\\n\\ncontingency training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and\n                  training responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","parameters":[{"id":"cp-4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"cp-4_prm_2","label":"organization-defined tests","constraints":[{"detail":"functional exercises"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference","text":"NIST Special Publication 800-84"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the\n                  effectiveness of the plan and the organizational readiness to execute the\n                  plan;"},{"id":"cp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."},{"id":"cp-4_fr","name":"item","title":"CP-4(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-4(a) Requirement:"}],"prose":"The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."}]}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and\n               to identify potential weaknesses in the plans include, for example, walk-through and\n               tabletop exercises, checklists, simulations (parallel, full interrupt), and\n               comprehensive exercises. Organizations conduct testing based on the continuity\n               requirements in contingency plans and include a determination of the effects on\n               organizational operations, assets, and individuals arising due to contingency\n               operations. Organizations have flexibility and discretion in the breadth, depth, and\n               timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-3","rel":"related","text":"IR-3"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-4.a_obj","name":"objective","properties":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the\n                     organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information\n                     system;"},{"id":"cp-4.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the\n                     organization-defined frequency, using organization-defined tests to determine\n                     the effectiveness of the plan and the organizational readiness to execute the\n                     plan;"}]},{"id":"cp-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\nsecurity plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing,\n                  reviewing or responding to contingency plan tests\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                  testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","properties":[{"name":"label","value":"CP-4(1)"},{"name":"sort-id","value":"cp-04.01"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"The organization coordinates contingency plan testing with organizational elements\n                  responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include,\n                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of\n                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  Cyber Incident Response Plans, and Occupant Emergency Plans. This control\n                  enhancement does not require organizations to create organizational elements to\n                  handle related plans or to align such elements with specific plans. It does\n                  require, however, that if such organizational elements are responsible for related\n                  plans, organizations should coordinate with those elements.","links":[{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pm-8","rel":"related","text":"PM-8"}]},{"id":"cp-4.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization coordinates contingency plan testing with\n                  organizational elements responsible for related plans. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nincident response policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan testing documentation\\n\\ncontingency plan\\n\\nbusiness continuity plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\ncyber incident response plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\\n\\norganizational personnel\\n\\npersonnel with responsibilities for related plans\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","properties":[{"name":"label","value":"CP-6"},{"name":"sort-id","value":"cp-06"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes an alternate storage site including necessary agreements to permit the\n                  storage and retrieval of information system backup information; and"},{"id":"cp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that the alternate storage site provides information security safeguards\n                  equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are sites that are geographically distinct from primary\n               storage sites. An alternate storage site maintains duplicate copies of information\n               and data in the event that the primary storage site is not available. Items covered\n               by alternate storage site agreements include, for example, environmental conditions\n               at alternate sites, access rules, physical and environmental protection requirements,\n               and coordination of delivery/retrieval of backup media. Alternate storage sites\n               reflect the requirements in contingency plans so that organizations can maintain\n               essential missions/business functions despite disruption, compromise, or failure in\n               organizational information systems.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#mp-4","rel":"related","text":"MP-4"}]},{"id":"cp-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-6_obj.1","name":"objective","properties":[{"name":"label","value":"CP-6[1]"}],"prose":"establishes an alternate storage site including necessary agreements to permit the\n                  storage and retrieval of information system backup information; and"},{"id":"cp-6_obj.2","name":"objective","properties":[{"name":"label","value":"CP-6[2]"}],"prose":"ensures that the alternate storage site provides information security safeguards\n                  equivalent to that of the primary site."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site agreements\\n\\nprimary storage site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site\n                  responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing and retrieving information system backup\n                  information at the alternate storage site\\n\\nautomated mechanisms supporting and/or implementing storage and retrieval of\n                  information system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","properties":[{"name":"label","value":"CP-6(1)"},{"name":"sort-id","value":"cp-06.01"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"The organization identifies an alternate storage site that is separated from the\n                  primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber attacks, and errors of omission/commission.\n                  Organizations determine what is considered a sufficient degree of separation\n                  between primary and alternate storage sites based on the types of threats that are\n                  of concern. For one particular type of threat (i.e., hostile cyber attack), the\n                  degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"cp-6.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization identifies an alternate storage site that is\n                  separated from the primary storage site to reduce susceptibility to the same\n                  threats. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nalternate storage site agreements\\n\\nprimary storage site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","properties":[{"name":"label","value":"CP-6(3)"},{"name":"sort-id","value":"cp-06.03"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate\n                  storage site in the event of an area-wide disruption or disaster and outlines\n                  explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in\n                  geographic scope (e.g., hurricane, regional power outage) with such determinations\n                  made by organizations based on organizational assessments of risk. Explicit\n                  mitigation actions include, for example: (i) duplicating backup information at\n                  other alternate storage sites if access problems occur at originally designated\n                  alternate sites; or (ii) planning for physical access to retrieve backup\n                  information if electronic accessibility to the alternate site is disrupted.","links":[{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"cp-6.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-6.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-6(3)[1]"}],"prose":"identifies potential accessibility problems to the alternate storage site in\n                     the event of an area-wide disruption or disaster; and"},{"id":"cp-6.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-6(3)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems\n                     to the alternate storage site in the event of an area-wide disruption or\n                     disaster."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nlist of potential accessibility problems to alternate storage site\\n\\nmitigation actions for accessibility problems to alternate storage site\\n\\norganizational risk assessments\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","parameters":[{"id":"cp-7_prm_1","label":"organization-defined information system operations"},{"id":"cp-7_prm_2","label":"organization-defined time period consistent with recovery time and recovery point\n               objectives"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-7"},{"name":"sort-id","value":"cp-07"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes an alternate processing site including necessary agreements to permit\n                  the transfer and resumption of {{ cp-7_prm_1 }} for essential\n                  missions/business functions within {{ cp-7_prm_2 }} when the\n                  primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that equipment and supplies required to transfer and resume operations are\n                  available at the alternate processing site or contracts are in place to support\n                  delivery to the site within the organization-defined time period for\n                  transfer/resumption; and"},{"id":"cp-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that the alternate processing site provides information security\n                  safeguards equivalent to those of the primary site."},{"id":"cp-7_fr","name":"item","title":"CP-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-7_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines a time period consistent with the recovery time objectives and business impact analysis."}]}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are sites that are geographically distinct from primary\n               processing sites. An alternate processing site provides processing capability in the\n               event that the primary processing site is not available. Items covered by alternate\n               processing site agreements include, for example, environmental conditions at\n               alternate sites, access rules, physical and environmental protection requirements,\n               and coordination for the transfer/assignment of personnel. Requirements are\n               specifically allocated to alternate processing sites that reflect the requirements in\n               contingency plans to maintain essential missions/business functions despite\n               disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#cp-10","rel":"related","text":"CP-10"},{"href":"#ma-6","rel":"related","text":"MA-6"}]},{"id":"cp-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-7.a_obj","name":"objective","properties":[{"name":"label","value":"CP-7(a)"}],"parts":[{"id":"cp-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-7(a)[1]"}],"prose":"defines information system operations requiring an alternate processing site to\n                     be established to permit the transfer and resumption of such operations;"},{"id":"cp-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-7(a)[2]"}],"prose":"defines the time period consistent with recovery time objectives and recovery\n                     point objectives (as specified in the information system contingency plan) for\n                     transfer/resumption of organization-defined information system operations for\n                     essential missions/business functions;"},{"id":"cp-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-7(a)[3]"}],"prose":"establishes an alternate processing site including necessary agreements to\n                     permit the transfer and resumption of organization-defined information system\n                     operations for essential missions/business functions, within the\n                     organization-defined time period, when the primary processing capabilities are\n                     unavailable;"}]},{"id":"cp-7.b_obj","name":"objective","properties":[{"name":"label","value":"CP-7(b)"}],"parts":[{"id":"cp-7.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-7(b)[1]"}],"prose":"ensures that equipment and supplies required to transfer and resume operations\n                     are available at the alternate processing site; or"},{"id":"cp-7.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-7(b)[2]"}],"prose":"ensures that contracts are in place to support delivery to the site within the\n                     organization-defined time period for transfer/resumption; and"}]},{"id":"cp-7.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-7(c)"}],"prose":"ensures that the alternate processing site provides information security\n                  safeguards equivalent to those of the primary site."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nspare equipment and supplies inventory at alternate processing site\\n\\nequipment and supply contracts\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency planning and/or\n                  alternate site arrangements\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for recovery at the alternate site\\n\\nautomated mechanisms supporting and/or implementing recovery at the alternate\n                  processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","properties":[{"name":"label","value":"CP-7(1)"},{"name":"sort-id","value":"cp-07.01"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"The organization identifies an alternate processing site that is separated from\n                  the primary processing site to reduce susceptibility to the same threats.","parts":[{"id":"cp-7.1_fr","name":"item","title":"CP-7 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-7.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant."}]}]},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber attacks, and errors of omission/commission.\n                  Organizations determine what is considered a sufficient degree of separation\n                  between primary and alternate processing sites based on the types of threats that\n                  are of concern. For one particular type of threat (i.e., hostile cyber attack),\n                  the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"cp-7.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization identifies an alternate processing site that is\n                  separated from the primary storage site to reduce susceptibility to the same\n                  threats. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","properties":[{"name":"label","value":"CP-7(2)"},{"name":"sort-id","value":"cp-07.02"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate\n                  processing site in the event of an area-wide disruption or disaster and outlines\n                  explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in\n                  geographic scope (e.g., hurricane, regional power outage) with such determinations\n                  made by organizations based on organizational assessments of risk.","links":[{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"cp-7.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-7.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-7(2)[1]"}],"prose":"identifies potential accessibility problems to the alternate processing site in\n                     the event of an area-wide disruption or disaster; and"},{"id":"cp-7.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-7(2)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems\n                     to the alternate processing site in the event of an area-wide disruption or\n                     disaster."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","properties":[{"name":"label","value":"CP-7(3)"},{"name":"sort-id","value":"cp-07.03"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"The organization develops alternate processing site agreements that contain\n                  priority-of-service provisions in accordance with organizational availability\n                  requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority-of-service agreements refer to negotiated agreements with service\n                  providers that ensure that organizations receive priority treatment consistent\n                  with their availability requirements and the availability of information resources\n                  at the alternate processing site."},{"id":"cp-7.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization develops alternate processing site agreements that\n                  contain priority-of-service provisions in accordance with organizational\n                  availability requirements (including recovery time objectives as specified in the\n                  information system contingency plan)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site agreements\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","parameters":[{"id":"cp-8_prm_1","label":"organization-defined information system operations"},{"id":"cp-8_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"CP-8"},{"name":"sort-id","value":"cp-08"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"},{"href":"#fb5844de-ff96-47c0-b258-4f52bcc2f30d","rel":"reference","text":"National Communications Systems Directive 3-10"},{"href":"#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","rel":"reference","text":"http://www.dhs.gov/telecommunications-service-priority-tsp"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"The organization establishes alternate telecommunications services including\n               necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for\n               essential missions and business functions within {{ cp-8_prm_2 }} when\n               the primary telecommunications capabilities are unavailable at either the primary or\n               alternate processing or storage sites.","parts":[{"id":"cp-8_fr","name":"item","title":"CP-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines a time period consistent with the recovery time objectives and business impact analysis."}]}]},{"id":"cp-8_gdn","name":"guidance","prose":"This control applies to telecommunications services (data and voice) for primary and\n               alternate processing and storage sites. Alternate telecommunications services reflect\n               the continuity requirements in contingency plans to maintain essential\n               missions/business functions despite the loss of primary telecommunications services.\n               Organizations may specify different time periods for primary/alternate sites.\n               Alternate telecommunications services include, for example, additional organizational\n               or commercial ground-based circuits/lines or satellites in lieu of ground-based\n               communications. Organizations consider factors such as availability, quality of\n               service, and access when entering into alternate telecommunications agreements.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"cp-8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-8_obj.1","name":"objective","properties":[{"name":"label","value":"CP-8[1]"}],"prose":"defines information system operations requiring alternate telecommunications\n                  services to be established to permit the resumption of such operations;"},{"id":"cp-8_obj.2","name":"objective","properties":[{"name":"label","value":"CP-8[2]"}],"prose":"defines the time period to permit resumption of organization-defined information\n                  system operations for essential missions and business functions; and"},{"id":"cp-8_obj.3","name":"objective","properties":[{"name":"label","value":"CP-8[3]"}],"prose":"establishes alternate telecommunications services including necessary agreements\n                  to permit the resumption of organization-defined information system operations for\n                  essential missions and business functions, within the organization-defined time\n                  period, when the primary telecommunications capabilities are unavailable at either\n                  the primary or alternate processing or storage sites."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications\n                  responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                  agreements"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","properties":[{"name":"label","value":"CP-8(1)"},{"name":"sort-id","value":"cp-08.01"}],"parts":[{"id":"cp-8.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Develops primary and alternate telecommunications service agreements that\n                     contain priority-of-service provisions in accordance with organizational\n                     availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Requests Telecommunications Service Priority for all telecommunications\n                     services used for national security emergency preparedness in the event that\n                     the primary and/or alternate telecommunications services are provided by a\n                     common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission/business impact in situations where\n                  telecommunications service providers are servicing other organizations with\n                  similar priority-of-service provisions."},{"id":"cp-8.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-8(1)[1]"}],"prose":"develops primary and alternate telecommunications service agreements that\n                     contain priority-of-service provisions in accordance with organizational\n                     availability requirements (including recovery time objectives as specified in\n                     the information system contingency plan); and"},{"id":"cp-8.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-8(1)[2]"}],"prose":"requests Telecommunications Service Priority for all telecommunications\n                     services used for national security emergency preparedness in the event that\n                     the primary and/or alternate telecommunications services are provided by a\n                     common carrier."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nTelecommunications Service Priority documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","properties":[{"name":"label","value":"CP-8(2)"},{"name":"sort-id","value":"cp-08.02"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"The organization obtains alternate telecommunications services to reduce the\n                  likelihood of sharing a single point of failure with primary telecommunications\n                  services."},{"id":"cp-8.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization obtains alternate telecommunications services to\n                  reduce the likelihood of sharing a single point of failure with primary\n                  telecommunications services. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\nprimary and alternate telecommunications service providers\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","parameters":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point\n               objectives","constraints":[{"detail":"daily incremental; weekly full"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system\n                     {{ cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system\n                     {{ cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related\n                  documentation {{ cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."},{"id":"cp-9_fr","name":"item","title":"CP-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","properties":[{"name":"label","value":"CP-9(b)Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","properties":[{"name":"label","value":"CP-9(c)Requirement:"}],"prose":"The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."}]}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating\n               system and application software, and licenses. User-level information includes any\n               information other than system-level information. Mechanisms employed by organizations\n               to protect the integrity of information system backups include, for example, digital\n               signatures and cryptographic hashes. Protection of system backup information while in\n               transit is beyond the scope of this control. Information system backups reflect the\n               requirements in contingency plans as well as other organizational requirements for\n               backing up information.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.a_obj","name":"objective","properties":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of user-level information contained in the information\n                     system;"},{"id":"cp-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system\n                     with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","properties":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of system-level information contained in the information\n                     system;"},{"id":"cp-9.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information\n                     system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","properties":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of information system documentation including security-related\n                     documentation;"},{"id":"cp-9.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including\n                     security-related documentation, with the organization-defined frequency;\n                     and"}]},{"id":"cp-9.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability / Integrity","parameters":[{"id":"cp-9.1_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"CP-9(1)"},{"name":"sort-id","value":"cp-09.01"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"The organization tests backup information {{ cp-9.1_prm_1 }} to\n                  verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related","text":"CP-4"}]},{"id":"cp-9.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(1)[1]"}],"prose":"defines the frequency to test backup information to verify media reliability\n                     and information integrity; and"},{"id":"cp-9.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-9(1)[2]"}],"prose":"tests backup information with the organization-defined frequency to verify\n                     media reliability and information integrity."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system\n                     backups"}]}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","parameters":[{"id":"cp-9.3_prm_1","label":"organization-defined critical information system software and other\n                  security-related information"}],"properties":[{"name":"label","value":"CP-9(3)"},{"name":"sort-id","value":"cp-09.03"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"The organization stores backup copies of {{ cp-9.3_prm_1 }} in a\n                  separate facility or in a fire-rated container that is not collocated with the\n                  operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Critical information system software includes, for example, operating systems,\n                  cryptographic key management systems, and intrusion detection/prevention systems.\n                  Security-related information includes, for example, organizational inventories of\n                  hardware, software, and firmware components. Alternate storage sites typically\n                  serve as separate storage facilities for organizations.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-8","rel":"related","text":"CM-8"}]},{"id":"cp-9.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"cp-9.3_obj.1","name":"objective","properties":[{"name":"label","value":"CP-9(3)[1]"}],"parts":[{"id":"cp-9.3_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(3)[1][a]"}],"prose":"defines critical information system software and other security-related\n                        information requiring backup copies to be stored in a separate facility;\n                        or"},{"id":"cp-9.3_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"CP-9(3)[1][b]"}],"prose":"defines critical information system software and other security-related\n                        information requiring backup copies to be stored in a fire-rated container\n                        that is not collocated with the operational system; and"}]},{"id":"cp-9.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"CP-9(3)[2]"}],"prose":"stores backup copies of organization-defined critical information system\n                     software and other security-related information in a separate facility or in a\n                     fire-rated container that is not collocated with the operational system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup configurations and associated documentation\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","properties":[{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference","text":"Federal Continuity Directive 1"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference","text":"NIST Special Publication 800-34"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information\n               system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore\n               organizational missions/business functions. Reconstitution takes place following\n               recovery and includes activities for returning organizational information systems to\n               fully operational states. Recovery and reconstitution operations reflect mission and\n               business priorities, recovery point/time and reconstitution objectives, and\n               established organizational metrics consistent with contingency plan requirements.\n               Reconstitution includes the deactivation of any interim information system\n               capabilities that may have been needed during recovery operations. Reconstitution\n               also includes assessments of fully restored information system capabilities,\n               reestablishment of continuous monitoring activities, potential information system\n               reauthorizations, and activities to prepare the systems against future disruptions,\n               compromises, or failures. Recovery/reconstitution capabilities employed by\n               organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for: ","parts":[{"id":"cp-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","properties":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","properties":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","properties":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","properties":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","properties":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","properties":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","properties":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test results\\n\\ncontingency plan test documentation\\n\\nredundant secondary system for information system backups\\n\\nlocation(s) of redundant secondary backup system(s)\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and/or\n                  reconstitution responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and\n                  reconstitution operations\\n\\nautomated mechanisms supporting and/or implementing information system recovery\n                  and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","properties":[{"name":"label","value":"CP-10(2)"},{"name":"sort-id","value":"cp-10.02"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"The information system implements transaction recovery for systems that are\n                  transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based information systems include, for example, database management\n                  systems and transaction processing systems. Mechanisms supporting transaction\n                  recovery include, for example, transaction rollback and transaction\n                  journaling."},{"id":"cp-10.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements transaction recovery for systems\n                  that are transaction-based. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\\n\\nprocedures addressing information system recovery and reconstitution\\n\\ncontingency plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\ninformation system transaction recovery records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for transaction recovery\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing transaction recovery\n                     capability"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","parameters":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ia-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and\n                     authentication policy and associated identification and authentication\n                     controls; and"}]},{"id":"ia-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ ia-1_prm_2 }};\n                     and"},{"id":"ia-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that\n                        addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication\n                        policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to\n                        organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        identification and authentication policy and associated identification and\n                        authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and\n                        authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy\n                        with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and\n                        authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","properties":[{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference","text":"HSPD-12"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference","text":"OMB Memorandum 06-16"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or\n               processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have\n               equivalent status of employees (e.g., contractors, guest researchers). This control\n               applies to all accesses other than: (i) accesses that are explicitly identified and\n               documented in AC-14; and (ii) accesses that occur through authorized use of group\n               authenticators without individual authentication. Organizations may require unique\n               identification of individuals in group accounts (e.g., shared privilege accounts) or\n               for detailed accountability of individual activity. Organizations employ passwords,\n               tokens, or biometrics to authenticate user identities, or in the case multifactor\n               authentication, or some combination thereof. Access to organizational information\n               systems is defined as either local access or network access. Local access is any\n               access to organizational information systems by users (or processes acting on behalf\n               of users) where such access is obtained by direct connections without the use of\n               networks. Network access is access to organizational information systems by users (or\n               processes acting on behalf of users) where such access is obtained through network\n               connections (i.e., nonlocal accesses). Remote access is a type of network access that\n               involves communication through external networks (e.g., the Internet). Internal\n               networks include local area networks and wide area networks. In addition, the use of\n               encrypted virtual private networks (VPNs) for network connections between\n               organization-controlled endpoints and non-organization controlled endpoints may be\n               treated as internal networks from the perspective of protecting the confidentiality\n               and integrity of information traversing the network. Organizations can satisfy the\n               identification and authentication requirements in this control by complying with the\n               requirements in Homeland Security Presidential Directive 12 consistent with the\n               specific organizational implementation plans. Multifactor authentication requires the\n               use of two or more different factors to achieve authentication. The factors are\n               defined as: (i) something you know (e.g., password, personal identification number\n               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);\n               or (iii) something you are (e.g., biometric). Multifactor solutions that require\n               devices separate from information systems gaining access include, for example,\n               hardware tokens providing time-based or challenge-response authenticators and smart\n               cards such as the U.S. Government Personal Identity Verification card and the DoD\n               common access card. In addition to identifying and authenticating users at the\n               information system level (i.e., at logon), organizations also employ identification\n               and authentication mechanisms at the application level, when necessary, to provide\n               increased information security. Identification and authentication requirements for\n               other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates\n               organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\\n\\nautomated mechanisms supporting and/or implementing identification and\n                  authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","properties":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to\n                  privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ia-2.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements multifactor authentication for\n                  network access to privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts","properties":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"ia-02.02"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to\n                  non-privileged accounts."},{"id":"ia-2.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements multifactor authentication for\n                  network access to non-privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.3","class":"SP800-53-enhancement","title":"Local Access to Privileged Accounts","properties":[{"name":"label","value":"IA-2(3)"},{"name":"sort-id","value":"ia-02.03"}],"parts":[{"id":"ia-2.3_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to\n                  privileged accounts."},{"id":"ia-2.3_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ia-2.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements multifactor authentication for\n                  local access to privileged accounts."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"}]}]},{"id":"ia-2.5","class":"SP800-53-enhancement","title":"Group Authentication","properties":[{"name":"label","value":"IA-2(5)"},{"name":"sort-id","value":"ia-02.05"}],"parts":[{"id":"ia-2.5_smt","name":"statement","prose":"The organization requires individuals to be authenticated with an individual\n                  authenticator when a group authenticator is employed."},{"id":"ia-2.5_gdn","name":"guidance","prose":"Requiring individuals to use individual authenticators as a second level of\n                  authentication helps organizations to mitigate the risk of using group\n                  authenticators."},{"id":"ia-2.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires individuals to be authenticated with an\n                  individual authenticator when a group authenticator is employed."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authentication capability\n                     for group accounts"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts - Replay Resistant","properties":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"ia-02.08"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for\n                  network access to privileged accounts."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve\n                  successful authentications by replaying previous authentication messages.\n                  Replay-resistant techniques include, for example, protocols that use nonces or\n                  challenges such as Transport Layer Security (TLS) and time synchronous or\n                  challenge-response one-time authenticators."},{"id":"ia-2.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements replay-resistant authentication\n                  mechanisms for network access to privileged accounts. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of privileged information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing replay resistant\n                     authentication mechanisms"}]}]},{"id":"ia-2.11","class":"SP800-53-enhancement","title":"Remote Access - Separate Device","parameters":[{"id":"ia-2.11_prm_1","label":"organization-defined strength of mechanism requirements","constraints":[{"detail":"FIPS 140-2, NIAP Certification, or NSA approval"}]}],"properties":[{"name":"label","value":"IA-2(11)"},{"name":"sort-id","value":"ia-02.11"}],"parts":[{"id":"ia-2.11_smt","name":"statement","prose":"The information system implements multifactor authentication for remote access to\n                  privileged and non-privileged accounts such that one of the factors is provided by\n                  a device separate from the system gaining access and the device meets {{ ia-2.11_prm_1 }}.","parts":[{"id":"ia-2.11_fr","name":"item","title":"IA-2 (11) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.11_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials."}]}]},{"id":"ia-2.11_gdn","name":"guidance","prose":"For remote access to privileged/non-privileged accounts, the purpose of requiring\n                  a device that is separate from the information system gaining access for one of\n                  the factors during multifactor authentication is to reduce the likelihood of\n                  compromising authentication credentials stored on the system. For example,\n                  adversaries deploying malicious code on organizational information systems can\n                  potentially compromise such credentials resident on the system and subsequently\n                  impersonate authorized users.","links":[{"href":"#ac-6","rel":"related","text":"AC-6"}]},{"id":"ia-2.11_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ia-2.11_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(11)[1]"}],"prose":"the information system implements multifactor authentication for remote access\n                     to privileged accounts such that one of the factors is provided by a device\n                     separate from the system gaining access;"},{"id":"ia-2.11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(11)[2]"}],"prose":"the information system implements multifactor authentication for remote access\n                     to non-privileged accounts such that one of the factors is provided by a device\n                     separate from the system gaining access;"},{"id":"ia-2.11_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-2(11)[3]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a\n                     device separate from the system gaining remote access to privileged\n                     accounts;"},{"id":"ia-2.11_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-2(11)[4]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a\n                     device separate from the system gaining remote access to non-privileged\n                     accounts;"},{"id":"ia-2.11_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(11)[5]"}],"prose":"the information system implements multifactor authentication for remote access\n                     to privileged accounts such that a device, separate from the system gaining\n                     access, meets organization-defined strength of mechanism requirements; and"},{"id":"ia-2.11_obj.6","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(11)[6]"}],"prose":"the information system implements multifactor authentication for remote access\n                     to non-privileged accounts such that a device, separate from the system gaining\n                     access, meets organization-defined strength of mechanism requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of privileged and non-privileged information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","properties":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials.","parts":[{"id":"ia-2.12_fr","name":"item","title":"IA-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."}]}]},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access\n                  control systems (LACS) and physical access control systems (PACS). Personal\n                  Identity Verification (PIV) credentials are those credentials issued by federal\n                  agencies that conform to FIPS Publication 201 and supporting guidance documents.\n                  OMB Memorandum 11-11 requires federal agencies to continue implementing the\n                  requirements specified in HSPD-12 to enable agency-wide use of PIV\n                  credentials.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"ia-2.12_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing acceptance and verification\n                     of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","parameters":[{"id":"ia-3_prm_1","label":"organization-defined specific and/or types of devices"},{"id":"ia-3_prm_2"}],"properties":[{"name":"label","value":"IA-3"},{"name":"sort-id","value":"ia-03"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"The information system uniquely identifies and authenticates {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }}\n               connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Organizational devices requiring unique device-to-device identification and\n               authentication may be defined by type, by device, or by a combination of type/device.\n               Information systems typically use either shared known information (e.g., Media Access\n               Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)\n               for device identification or organizational authentication solutions (e.g., IEEE\n               802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport\n               Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on\n               local and/or wide area networks. Organizations determine the required strength of\n               authentication mechanisms by the security categories of information systems. Because\n               of the challenges of applying this control on large scale, organizations are\n               encouraged to only apply the control to those limited number (and type) of devices\n               that truly need to support this capability.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"}]},{"id":"ia-3_obj","name":"objective","prose":"Determine if: ","parts":[{"id":"ia-3_obj.1","name":"objective","properties":[{"name":"label","value":"IA-3[1]"}],"prose":"the organization defines specific and/or types of devices that the information\n                  system uniquely identifies and authenticates before establishing one or more of\n                  the following:","parts":[{"id":"ia-3_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-3[1][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-3[1][b]"}],"prose":"a remote connection; and/or"},{"id":"ia-3_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-3[1][c]"}],"prose":"a network connection; and"}]},{"id":"ia-3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-3[2]"}],"prose":"the information system uniquely identifies and authenticates organization-defined\n                  devices before establishing one or more of the following:","parts":[{"id":"ia-3_obj.2.a","name":"objective","properties":[{"name":"label","value":"IA-3[2][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.2.b","name":"objective","properties":[{"name":"label","value":"IA-3[2][b]"}],"prose":"a remote connection; and/or"},{"id":"ia-3_obj.2.c","name":"objective","properties":[{"name":"label","value":"IA-3[2][c]"}],"prose":"a network connection."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing device identification and authentication\\n\\ninformation system design documentation\\n\\nlist of devices requiring unique identification and authentication\\n\\ndevice connection reports\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with operational responsibilities for device\n                  identification and authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing device identification and\n                  authentication capability"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","parameters":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period","constraints":[{"detail":"IA-4 (d) [at least two years]"}]},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity","constraints":[{"detail":"ninety days for user identifiers (See additional requirements and guidance)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ ia-4_prm_1 }} to assign an\n                  individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ ia-4_prm_3 }}."},{"id":"ia-4_fr","name":"item","title":"IA-4(e) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-4_fr_smt.e","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines the time period of inactivity for device identifiers."},{"id":"ia-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."}]}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet\n               protocol (IP) addresses, or device-unique token identifiers. Management of individual\n               identifiers is not applicable to shared information system accounts (e.g., guest and\n               anonymous accounts). Typically, individual identifiers are the user names of the\n               information system accounts assigned to those individuals. In such instances, the\n               account management activities of AC-2 use account names provided by IA-4. This\n               control also addresses individual identifiers not necessarily associated with\n               information system accounts (e.g., identifiers used in physical security control\n               databases accessed by badge reader systems for access to information systems).\n               Preventing reuse of identifiers implies preventing the assignment of previously used\n               individual, group, role, or device identifiers to different individuals, groups,\n               roles, or devices.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#sc-37","rel":"related","text":"SC-37"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by: ","parts":[{"id":"ia-4.a_obj","name":"objective","properties":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to\n                     assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and/or"},{"id":"ia-4.a_obj.1.d","name":"objective","properties":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to\n                     assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and/or"},{"id":"ia-4.a_obj.2.d","name":"objective","properties":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","properties":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and/or"},{"id":"ia-4.b_obj.4","name":"objective","properties":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","properties":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and/or"},{"id":"ia-4.c_obj.4","name":"objective","properties":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","properties":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","properties":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of\n                     inactivity."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system accounts\\n\\nlist of identifiers generated from physical access control devices\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identifier management"}]}],"controls":[{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","parameters":[{"id":"ia-4.4_prm_1","label":"organization-defined characteristic identifying individual status","constraints":[{"detail":"contractors; foreign nationals"}]}],"properties":[{"name":"label","value":"IA-4(4)"},{"name":"sort-id","value":"ia-04.04"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"The organization manages individual identifiers by uniquely identifying each\n                  individual as {{ ia-4.4_prm_1 }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics identifying the status of individuals include, for example,\n                  contractors and foreign nationals. Identifying the status of individuals by\n                  specific characteristics provides additional information about the people with\n                  whom organizational personnel are communicating. For example, it might be useful\n                  for a government employee to know that one of the individuals on an email message\n                  is a contractor.","links":[{"href":"#at-2","rel":"related","text":"AT-2"}]},{"id":"ia-4.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-4.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-4(4)[1]"}],"prose":"defines a characteristic to be used to identify individual status; and"},{"id":"ia-4.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-4(4)[2]"}],"prose":"manages individual identifiers by uniquely identifying each individual as the\n                     organization-defined characteristic identifying individual status."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nlist of characteristics identifying individual status\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identifier management"}]}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","parameters":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the\n                  individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the\n                  organization;"},{"id":"ia-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"},{"id":"ia-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator\n                  distribution, for lost/compromised or damaged authenticators, and for revoking\n                  authenticators;"},{"id":"ia-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system\n                  installation;"},{"id":"ia-5_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for\n                  authenticators;"},{"id":"ia-5_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changing/refreshing authenticators {{ ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","properties":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and\n                  modification;"},{"id":"ia-5_smt.i","name":"item","properties":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security\n                  safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","properties":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group/role accounts when membership to those accounts\n                  changes."},{"id":"ia-5_fr","name":"item","title":"IA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."}]}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI\n               certificates, and key cards. Initial authenticator content is the actual content\n               (e.g., the initial password) as opposed to requirements about authenticator content\n               (e.g., minimum password length). In many cases, developers ship information system\n               components with factory default authentication credentials to allow for initial\n               installation and configuration. Default authentication credentials are often well\n               known, easily discoverable, and present a significant security risk. The requirement\n               to protect individual authenticators may be implemented via control PL-4 or PS-6 for\n               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28\n               for authenticators stored within organizational information systems (e.g., passwords\n               stored in hashed or encrypted formats, files containing encrypted or hashed passwords\n               accessible with administrator privileges). Information systems support individual\n               authenticator management by organization-defined settings and restrictions for\n               various authenticator characteristics including, for example, minimum password\n               length, password composition, validation time window for time synchronous one-time\n               tokens, and number of allowed rejections during the verification stage of biometric\n               authentication. Specific actions that can be taken to safeguard authenticators\n               include, for example, maintaining possession of individual authenticators, not\n               loaning or sharing individual authenticators with others, and reporting lost, stolen,\n               or compromised authenticators immediately. Authenticator management includes issuing\n               and revoking, when no longer needed, authenticators for temporary access such as that\n               required for remote maintenance. Device authenticators include, for example,\n               certificates and passwords.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"},{"href":"#sc-28","rel":"related","text":"SC-28"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by: ","parts":[{"id":"ia-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and/or"},{"id":"ia-5.a_obj.4","name":"objective","properties":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the\n                  organization;"},{"id":"ia-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"},{"id":"ia-5.d_obj","name":"objective","properties":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial\n                     authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost/compromised or\n                     damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking\n                     authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system\n                  installation;"},{"id":"ia-5.f_obj","name":"objective","properties":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","properties":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing/refreshing\n                     authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing/refreshing authenticators with the organization-defined time period by\n                     authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","properties":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","properties":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect\n                     authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect\n                     authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group/role accounts when membership to those accounts\n                  changes."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system authenticator types\\n\\nchange control records associated with managing information system\n                  authenticators\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                  capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","parameters":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters,\n                  mix of upper-case letters, lower-case letters, numbers, and special characters,\n                  including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number","constraints":[{"detail":"at least one"}]},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number","constraints":[{"detail":"twenty four (24)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords\n                     are created: {{ ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;\n                     and"},{"id":"ia-5.1_smt.f","name":"item","properties":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate\n                     change to a permanent password."},{"id":"ia-5.1_fr","name":"item","title":"IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) (d) Guidance:"}],"prose":"If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."}]}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals\n                  using passwords as individual or group authenticators, and in a similar manner,\n                  when passwords are part of multifactor authenticators. This control enhancement\n                  does not apply when passwords are used to unlock hardware authenticators (e.g.,\n                  Personal Identity Verification cards). The implementation of such password\n                  mechanisms may not meet all of the requirements in the enhancement.\n                  Cryptographically-protected passwords include, for example, encrypted versions of\n                  passwords and one-way cryptographic hashes of passwords. The number of changed\n                  characters refers to the number of changes required with respect to the total\n                  number of positions in the current password. Password lifetime restrictions do not\n                  apply to temporary passwords. To mitigate certain brute force attacks against\n                  passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related","text":"IA-6"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication: ","parts":[{"id":"ia-5.1.a_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters,\n                        lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of\n                        character;"},{"id":"ia-5.1.a_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of\n                        organization-defined requirements for case sensitivity, number of\n                        characters, mix of upper-case letters, lower-case letters, numbers, and\n                        special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp","text":"IA-5(1)(a)"}]},{"id":"ia-5.1.b_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be\n                        enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum\n                        number of characters that must be changed when new passwords are\n                        created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp","text":"IA-5(1)(b)"}]},{"id":"ia-5.1.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of\n                     passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp","text":"IA-5(1)(c)"}]},{"id":"ia-5.1.d_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions\n                        to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions\n                        to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of\n                        organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of\n                        organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp","text":"IA-5(1)(d)"}]},{"id":"ia-5.1.e_obj","name":"objective","properties":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited\n                        from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined\n                        number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp","text":"IA-5(1)(e)"}]},{"id":"ia-5.1.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons\n                     with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp","text":"IA-5(1)(f)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\npassword policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\npassword configurations and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Pki-based Authentication","properties":[{"name":"label","value":"IA-5(2)"},{"name":"sort-id","value":"ia-05.02"}],"parts":[{"id":"ia-5.2_smt","name":"statement","prose":"The information system, for PKI-based authentication:","parts":[{"id":"ia-5.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Validates certifications by constructing and verifying a certification path to\n                     an accepted trust anchor including checking certificate status information;"},{"id":"ia-5.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Enforces authorized access to the corresponding private key;"},{"id":"ia-5.2_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Maps the authenticated identity to the account of the individual or group;\n                     and"},{"id":"ia-5.2_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Implements a local cache of revocation data to support path discovery and\n                     validation in case of inability to access revocation information via the\n                     network."}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Status information for certification paths includes, for example, certificate\n                  revocation lists or certificate status protocol responses. For PIV cards,\n                  validation of certifications involves the construction and verification of a\n                  certification path to the Common Policy Root trust anchor including certificate\n                  policy processing.","links":[{"href":"#ia-6","rel":"related","text":"IA-6"}]},{"id":"ia-5.2_obj","name":"objective","prose":"Determine if the information system, for PKI-based authentication: ","parts":[{"id":"ia-5.2.a_obj","name":"objective","properties":[{"name":"label","value":"IA-5(2)(a)"}],"parts":[{"id":"ia-5.2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(a)[1]"}],"prose":"validates certifications by constructing a certification path to an accepted\n                        trust anchor;"},{"id":"ia-5.2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(a)[2]"}],"prose":"validates certifications by verifying a certification path to an accepted\n                        trust anchor;"},{"id":"ia-5.2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(a)[3]"}],"prose":"includes checking certificate status information when constructing and\n                        verifying the certification path;"}],"links":[{"href":"#ia-5.2_smt.a","rel":"corresp","text":"IA-5(2)(a)"}]},{"id":"ia-5.2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(b)"}],"prose":"enforces authorized access to the corresponding private key;","links":[{"href":"#ia-5.2_smt.b","rel":"corresp","text":"IA-5(2)(b)"}]},{"id":"ia-5.2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(c)"}],"prose":"maps the authenticated identity to the account of the individual or group;\n                     and","links":[{"href":"#ia-5.2_smt.c","rel":"corresp","text":"IA-5(2)(c)"}]},{"id":"ia-5.2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(2)(d)"}],"prose":"implements a local cache of revocation data to support path discovery and\n                     validation in case of inability to access revocation information via the\n                     network.","links":[{"href":"#ia-5.2_smt.d","rel":"corresp","text":"IA-5(2)(d)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nPKI certification validation records\\n\\nPKI certification revocation lists\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with PKI-based, authenticator management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing PKI-based, authenticator\n                     management capability"}]}]},{"id":"ia-5.3","class":"SP800-53-enhancement","title":"In-person or Trusted Third-party Registration","parameters":[{"id":"ia-5.3_prm_1","label":"organization-defined types of and/or specific authenticators","constraints":[{"detail":"All hardware/biometric (multifactor authenticators)"}]},{"id":"ia-5.3_prm_2","constraints":[{"detail":"in person"}]},{"id":"ia-5.3_prm_3","label":"organization-defined registration authority"},{"id":"ia-5.3_prm_4","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"IA-5(3)"},{"name":"sort-id","value":"ia-05.03"}],"parts":[{"id":"ia-5.3_smt","name":"statement","prose":"The organization requires that the registration process to receive {{ ia-5.3_prm_1 }} be conducted {{ ia-5.3_prm_2 }} before\n                     {{ ia-5.3_prm_3 }} with authorization by {{ ia-5.3_prm_4 }}."},{"id":"ia-5.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-5.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(3)[1]"}],"prose":"defines types of and/or specific authenticators to be received in person or by\n                     a trusted third party;"},{"id":"ia-5.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(3)[2]"}],"prose":"defines the registration authority with oversight of the registration process\n                     for receipt of organization-defined types of and/or specific\n                     authenticators;"},{"id":"ia-5.3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(3)[3]"}],"prose":"defines personnel or roles responsible for authorizing organization-defined\n                     registration authority;"},{"id":"ia-5.3_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(3)[4]"}],"prose":"defines if the registration process is to be conducted:","parts":[{"id":"ia-5.3_obj.4.a","name":"objective","properties":[{"name":"label","value":"IA-5(3)[4][a]"}],"prose":"in person; or"},{"id":"ia-5.3_obj.4.b","name":"objective","properties":[{"name":"label","value":"IA-5(3)[4][b]"}],"prose":"by a trusted third party; and"}]},{"id":"ia-5.3_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IA-5(3)[5]"}],"prose":"requires that the registration process to receive organization-defined types of\n                     and/or specific authenticators be conducted in person or by a trusted third\n                     party before organization-defined registration authority with authorization by\n                     organization-defined personnel or roles."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nregistration process for receiving information system authenticators\\n\\nlist of authenticators requiring in-person registration\\n\\nlist of authenticators requiring trusted third party registration\\n\\nauthenticator registration documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\nregistration authority\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-5.4","class":"SP800-53-enhancement","title":"Automated Support for Password Strength Determination","parameters":[{"id":"ia-5.4_prm_1","label":"organization-defined requirements"}],"properties":[{"name":"label","value":"IA-5(4)"},{"name":"sort-id","value":"ia-05.04"}],"parts":[{"id":"ia-5.4_smt","name":"statement","prose":"The organization employs automated tools to determine if password authenticators\n                  are sufficiently strong to satisfy {{ ia-5.4_prm_1 }}.","parts":[{"id":"ia-5.4_fr","name":"item","title":"IA-5 (4) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators."}]}]},{"id":"ia-5.4_gdn","name":"guidance","prose":"This control enhancement focuses on the creation of strong passwords and the\n                  characteristics of such passwords (e.g., complexity) prior to use, the enforcement\n                  of which is carried out by organizational information systems in IA-5 (1).","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"ia-5.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-5.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(4)[1]"}],"prose":"defines requirements to be satisfied by password authenticators; and"},{"id":"ia-5.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(4)[2]"}],"prose":"employs automated tools to determine if password authenticators are\n                     sufficiently strong to satisfy organization-defined requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nautomated tools for evaluating password authenticators\\n\\npassword strength assessment results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability\\n\\nautomated tools for determining password strength"}]}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","properties":[{"name":"label","value":"IA-5(6)"},{"name":"sort-id","value":"ia-05.06"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"The organization protects authenticators commensurate with the security category\n                  of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For information systems containing multiple security categories of information\n                  without reliable physical or logical separation between categories, authenticators\n                  used to grant access to the systems are protected commensurate with the highest\n                  security category of information on the systems."},{"id":"ia-5.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization protects authenticators commensurate with the\n                  security category of the information to which use of the authenticator permits\n                  access."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity categorization documentation for the information system\\n\\nsecurity assessments of authenticator protections\\n\\nrisk assessment results\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel implementing and/or maintaining authenticator\n                     protections\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                     capability\\n\\nautomated mechanisms protecting authenticators"}]}]},{"id":"ia-5.7","class":"SP800-53-enhancement","title":"No Embedded Unencrypted Static Authenticators","properties":[{"name":"label","value":"IA-5(7)"},{"name":"sort-id","value":"ia-05.07"}],"parts":[{"id":"ia-5.7_smt","name":"statement","prose":"The organization ensures that unencrypted static authenticators are not embedded\n                  in applications or access scripts or stored on function keys."},{"id":"ia-5.7_gdn","name":"guidance","prose":"Organizations exercise caution in determining whether embedded or stored\n                  authenticators are in encrypted or unencrypted form. If authenticators are used in\n                  the manner stored, then those representations are considered unencrypted\n                  authenticators. This is irrespective of whether that representation is perhaps an\n                  encrypted version of something else (e.g., a password)."},{"id":"ia-5.7_obj","name":"objective","prose":"Determine if the organization ensures that unencrypted static authenticators are\n                  not: ","parts":[{"id":"ia-5.7_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(7)[1]"}],"prose":"embedded in applications;"},{"id":"ia-5.7_obj.2","name":"objective","properties":[{"name":"label","value":"IA-5(7)[2]"}],"prose":"embedded in access scripts; or"},{"id":"ia-5.7_obj.3","name":"objective","properties":[{"name":"label","value":"IA-5(7)[3]"}],"prose":"stored on function keys."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlogical access scripts\\n\\napplication code reviews for detecting unencrypted static authenticators\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing authenticator management\n                     capability\\n\\nautomated mechanisms implementing authentication in applications"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","parameters":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"properties":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs\n                  mechanisms that satisfy {{ ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based\n                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.\n                  Organizations define specific requirements for tokens, such as working with a\n                  particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication: ","parts":[{"id":"ia-5.11_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined\n                     token quality requirements."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nautomated mechanisms employing hardware token-based authentication for the\n                     information system\\n\\nlist of token quality requirements\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing hardware token-based\n                     authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","properties":[{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the\n               authentication process to protect the information from possible exploitation/use by\n               unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow\n               unauthorized individuals to compromise authentication mechanisms. For some types of\n               information systems or system components, for example, desktops/notebooks with\n               relatively large monitors, the threat (often referred to as shoulder surfing) may be\n               significant. For other types of systems or components, for example, mobile devices\n               with 2-4 inch screens, this threat may be less significant, and may need to be\n               balanced against the increased likelihood of typographic input errors due to the\n               small keyboards. Therefore, the means for obscuring the authenticator feedback is\n               selected accordingly. Obscuring the feedback of authentication information includes,\n               for example, displaying asterisks when users type passwords into input devices, or\n               displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related","text":"PE-18"}]},{"id":"ia-6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system obscures feedback of authentication information\n               during the authentication process to protect the information from possible\n               exploitation/use by unauthorized individuals."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing authenticator feedback\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the obscuring of feedback of\n                  authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","properties":[{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference","text":"FIPS Publication 140"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference","text":"http://csrc.nist.gov/groups/STM/cmvp/index.html"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic\n               module that meet the requirements of applicable federal laws, Executive Orders,\n               directives, policies, regulations, standards, and guidance for such\n               authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to\n               authenticate an operator accessing the module and to verify that the operator is\n               authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"ia-7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements mechanisms for authentication to a\n               cryptographic module that meet the requirements of applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and guidance for such\n               authentication."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing cryptographic module authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module\n                  authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic module\n                  authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","properties":[{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference","text":"OMB Memorandum 11-11"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference","text":"OMB Memorandum 10-06-2011"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference","text":"FICAM Roadmap and Implementation Guidance"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference","text":"NIST Special Publication 800-116"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference","text":"National Strategy for Trusted Identities in\n            Cyberspace"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users\n               (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational\n               users explicitly covered by IA-2. These individuals are uniquely identified and\n               authenticated for accesses other than those accesses explicitly identified and\n               documented in AC-14. In accordance with the E-Authentication E-Government initiative,\n               authentication of non-organizational users accessing federal information systems may\n               be required to protect federal, proprietary, or privacy-related information (with\n               exceptions noted for national security systems). Organizations use risk assessments\n               to determine authentication needs and consider scalability, practicality, and\n               security in balancing the need to ensure ease of use for access to federal\n               information and information systems with the need to protect and adequately mitigate\n               risk. IA-2 addresses identification and authentication requirements for access to\n               information systems by organizational users.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sc-8","rel":"related","text":"SC-8"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates\n               non-organizational users (or processes acting on behalf of non-organizational\n               users)."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                  authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","properties":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and\n                  physical access control systems (PACS). Personal Identity Verification (PIV)\n                  credentials are those credentials issued by federal agencies that conform to FIPS\n                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires\n                  federal agencies to continue implementing the requirements specified in HSPD-12 to\n                  enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"ia-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies;\n                     and"},{"id":"ia-8.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from\n                     other agencies."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","properties":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems\n                  that are accessible to the general public, for example, public-facing websites.\n                  Third-party credentials are those credentials issued by nonfederal government\n                  entities approved by the Federal Identity, Credential, and Access Management\n                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials\n                  meet or exceed the set of minimum federal government-wide technical, security,\n                  privacy, and organizational maturity requirements. This allows federal government\n                  relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related","text":"AU-2"}]},{"id":"ia-8.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system accepts only FICAM-approved third-party\n                  credentials. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-approved, third-party credentialing products, components, or\n                     services procured and implemented by organization\\n\\nthird-party credential verification records\\n\\nevidence of FICAM-approved third-party credentials\\n\\nthird-party credential authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","parameters":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"properties":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in\n                     {{ ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are\n                  accessible to the general public, for example, public-facing websites.\n                  FICAM-approved information system components include, for example, information\n                  technology products and software libraries that have been approved by the Federal\n                  Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ia-8.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system\n                     components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in\n                     organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nthird-party credential validations\\n\\nthird-party credential authorizations\\n\\nthird-party credential records\\n\\nlist of FICAM-approved information system components procured and implemented\n                     by organization\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information system security, acquisition, and\n                     contracting responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","properties":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure\n                  that these standards are viable, robust, reliable, sustainable (e.g., available in\n                  commercial information technology products), and interoperable as documented, the\n                  United States Government assesses and scopes identity management standards and\n                  technology implementations against applicable federal legislation, directives,\n                  policies, and requirements. The result is FICAM-issued implementation profiles of\n                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and\n                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute\n                  Exchange).","links":[{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"ia-8.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system conforms to FICAM-issued profiles. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-issued profiles and associated, approved protocols\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing conformance with\n                     FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","parameters":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ir-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and\n                     associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IR\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be\n                        disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel\n                        or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response\n                        policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the\n                        organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response\n                        procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","parameters":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference","text":"NIST Special Publication 800-16"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference","text":"NIST Special Publication 800-50"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users\n               consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Within {{ ir-2_prm_1 }} of assuming an incident response role or\n                  responsibility;"},{"id":"ir-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"\n                  {{ ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles\n               and responsibilities of organizational personnel to ensure the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know who to call or how to recognize an incident on the information system;\n               system administrators may require additional training on how to handle/remediate\n               incidents; and incident responders may receive more specific training on forensics,\n               reporting, system recovery, and restoration. Incident response training includes user\n               training in the identification and reporting of suspicious activities, both from\n               external and internal sources.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-3","rel":"related","text":"CP-3"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","properties":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided\n                     to information system users assuming an incident response role or\n                     responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with\n                  assigned roles and responsibilities when required by information system\n                  changes;"},{"id":"ir-2.c_obj","name":"objective","properties":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to\n                     information system users consistent with assigned roles or responsibilities;\n                     and"},{"id":"ir-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident\n                     response training to information system users consistent with assigned roles\n                     and responsibilities in accordance with the organization-defined frequency to\n                     provide refresher training."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nsecurity plan\\n\\nincident response plan\\n\\nsecurity plan\\n\\nincident response training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","parameters":[{"id":"ir-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ir-3_prm_2","label":"organization-defined tests","constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-3"},{"name":"sort-id","value":"ir-03"}],"links":[{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference","text":"NIST Special Publication 800-84"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"The organization tests the incident response capability for the information system\n                  {{ ir-3_prm_1 }} using {{ ir-3_prm_2 }} to determine\n               the incident response effectiveness and documents the results.","parts":[{"id":"ir-3_fr","name":"item","title":"IR-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-3_fr_smt.1","name":"item","properties":[{"name":"label","value":"IR-3 -2 Requirement:"}],"prose":"The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing."}]}]},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the overall\n               effectiveness of the capabilities and to identify potential weaknesses or\n               deficiencies. Incident response testing includes, for example, the use of checklists,\n               walk-through or tabletop exercises, simulations (parallel/full interrupt), and\n               comprehensive exercises. Incident response testing can also include a determination\n               of the effects on organizational operations (e.g., reduction in mission\n               capabilities), organizational assets, and individuals due to incident response.","links":[{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-3_obj.1","name":"objective","properties":[{"name":"label","value":"IR-3[1]"}],"prose":"defines incident response tests to test the incident response capability for the\n                  information system;"},{"id":"ir-3_obj.2","name":"objective","properties":[{"name":"label","value":"IR-3[2]"}],"prose":"defines the frequency to test the incident response capability for the information\n                  system; and"},{"id":"ir-3_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-3[3]"}],"prose":"tests the incident response capability for the information system with the\n                  organization-defined frequency, using organization-defined tests to determine the\n                  incident response effectiveness and documents the results."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident response testing\\n\\nprocedures addressing contingency plan testing\\n\\nincident response testing material\\n\\nincident response test results\\n\\nincident response test plan\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\\n\\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","properties":[{"name":"label","value":"IR-3(2)"},{"name":"sort-id","value":"ir-03.02"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"The organization coordinates incident response testing with organizational\n                  elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include, for example,\n                  Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity\n                  of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  and Occupant Emergency Plans."},{"id":"ir-3.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization coordinates incident response testing with\n                  organizational elements responsible for related plans. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident response testing\\n\\nincident response testing documentation\\n\\nincident response plan\\n\\nbusiness continuity plans\\n\\ncontingency plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\\n\\norganizational personnel with responsibilities for testing organizational plans\n                     related to incident response testing\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","properties":[{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference","text":"Executive Order 13587"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes\n                  preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities;\n                  and"},{"id":"ir-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into\n                  incident response procedures, training, and testing, and implements the resulting\n                  changes accordingly."},{"id":"ir-4_fr","name":"item","title":"IR-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-4_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."}]}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the\n               capabilities of organizational information systems and the mission/business processes\n               being supported by those systems. Therefore, organizations consider incident response\n               as part of the definition, design, and development of mission/business processes and\n               information systems. Incident-related information can be obtained from a variety of\n               sources including, for example, audit monitoring, network monitoring, physical access\n               monitoring, user/administrator reports, and reported supply chain events. Effective\n               incident handling capability includes coordination among many organizational entities\n               including, for example, mission/business owners, information system owners,\n               authorizing officials, human resources offices, physical and personnel security\n               offices, legal departments, operations personnel, procurement offices, and the risk\n               executive (function).","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-2","rel":"related","text":"IR-2"},{"href":"#ir-3","rel":"related","text":"IR-3"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that\n                  includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","properties":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","properties":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","properties":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","properties":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","properties":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","properties":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities\n                     into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","properties":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","properties":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing/exercises."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","properties":[{"name":"label","value":"IR-4(1)"},{"name":"sort-id","value":"ir-04.01"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the incident handling\n                  process."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms supporting incident handling processes include, for example,\n                  online incident management systems."},{"id":"ir-4.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to support the incident\n                  handling process. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nautomated mechanisms supporting incident handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and/or implement the incident handling\n                     process"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","properties":[{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining\n               records about each incident, the status of the incident, and other pertinent\n               information necessary for forensics, evaluating incident details, trends, and\n               handling. Incident information can be obtained from a variety of sources including,\n               for example, incident reports, incident response teams, audit monitoring, network\n               monitoring, physical access monitoring, and user/administrator reports.","links":[{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#pe-6","rel":"related","text":"PE-6"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-5_obj.1","name":"objective","properties":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nincident response records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\\n\\nautomated mechanisms supporting and/or implementing tracking and documenting of\n                  system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","parameters":[{"id":"ir-6_prm_1","label":"organization-defined time period","constraints":[{"detail":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference","text":"http://www.us-cert.gov"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational\n                  incident response capability within {{ ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ ir-6_prm_2 }}."},{"id":"ir-6_fr","name":"item","title":"IR-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident Communications Procedure."}]}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting\n               requirements within an organization and the formal incident reporting requirements\n               for federal agencies and their subordinate organizations. Suspected security\n               incidents include, for example, the receipt of suspicious email communications that\n               can potentially contain malicious code. The types of security incidents reported, the\n               content and timeliness of the reports, and the designated reporting authorities\n               reflect applicable federal laws, Executive Orders, directives, regulations, policies,\n               standards, and guidance. Current federal policy requires that all federal agencies\n               (unless specifically exempted from such requirements) report security incidents to\n               the United States Computer Emergency Readiness Team (US-CERT) within specified time\n               frames designated in the US-CERT Concept of Operations for Federal Cyber Security\n               Incident Handling.","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","properties":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security\n                     incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational\n                     incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","properties":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported;\n                     and"},{"id":"ir-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nincident reporting records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel who have/should have reported incidents\\n\\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","properties":[{"name":"label","value":"IR-6(1)"},{"name":"sort-id","value":"ir-06.01"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the reporting of\n                  security incidents."},{"id":"ir-6.1_gdn","name":"guidance","links":[{"href":"#ir-7","rel":"related","text":"IR-7"}]},{"id":"ir-6.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to assist in the\n                  reporting of security incidents."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nautomated mechanisms supporting incident reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing reporting of security\n                     incidents"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","properties":[{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the\n               organizational incident response capability that offers advice and assistance to\n               users of the information system for the handling and reporting of security\n               incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example,\n               help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-6","rel":"related","text":"IR-6"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","properties":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","properties":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the\n                  handling and reporting of security incidents."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support\n                  responsibilities\\n\\norganizational personnel with access to incident response support and assistance\n                  capability\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing incident response\n                  assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information / Support","properties":[{"name":"label","value":"IR-7(1)"},{"name":"sort-id","value":"ir-07.01"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"The organization employs automated mechanisms to increase the availability of\n                  incident response-related information and support."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push and/or pull capability for users to obtain\n                  incident response assistance. For example, individuals might have access to a\n                  website to query the assistance capability, or conversely, the assistance\n                  capability may have the ability to proactively send information to users (general\n                  distribution or targeted) as part of increasing understanding of current response\n                  capabilities and support."},{"id":"ir-7.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to increase the\n                  availability of incident response-related information and support."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nautomated mechanisms supporting incident response support and assistance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response support and assistance\n                     responsibilities\\n\\norganizational personnel with access to incident response support and\n                     assistance capability\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing an increase in the\n                     availability of incident response information and support"}]}]},{"id":"ir-7.2","class":"SP800-53-enhancement","title":"Coordination with External Providers","properties":[{"name":"label","value":"IR-7(2)"},{"name":"sort-id","value":"ir-07.02"}],"parts":[{"id":"ir-7.2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-7.2_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Establishes a direct, cooperative relationship between its incident response\n                     capability and external providers of information system protection capability;\n                     and"},{"id":"ir-7.2_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Identifies organizational incident response team members to the external\n                     providers."}]},{"id":"ir-7.2_gdn","name":"guidance","prose":"External providers of information system protection capability include, for\n                  example, the Computer Network Defense program within the U.S. Department of\n                  Defense. External providers help to protect, monitor, analyze, detect, and respond\n                  to unauthorized activity within organizational information systems and\n                  networks."},{"id":"ir-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-7.2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-7(2)(a)"}],"prose":"establishes a direct, cooperative relationship between its incident response\n                     capability and external providers of information system protection capability;\n                     and","links":[{"href":"#ir-7.2_smt.a","rel":"corresp","text":"IR-7(2)(a)"}]},{"id":"ir-7.2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-7(2)(b)"}],"prose":"identifies organizational incident response team members to the external\n                     providers.","links":[{"href":"#ir-7.2_smt.b","rel":"corresp","text":"IR-7(2)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response support and assistance\n                     responsibilities\\n\\nexternal providers of information system protection capability\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","parameters":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements","constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},{"id":"ir-8_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements","constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response\n                     capability;"},{"id":"ir-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response\n                     capability;"},{"id":"ir-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission,\n                     size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the\n                     organization;"},{"id":"ir-8_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ ir-8_prm_4 }};\n                  and"},{"id":"ir-8_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and\n                  modification."},{"id":"ir-8_fr","name":"item","title":"IR-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-8_fr_smt.b","name":"item","properties":[{"name":"label","value":"(b) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."},{"id":"ir-8_fr_smt.e","name":"item","properties":[{"name":"label","value":"(e) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."}]}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to\n               incident response. Organizational missions, business functions, strategies, goals,\n               and objectives for incident response help to determine the structure of incident\n               response capabilities. As part of a comprehensive incident response capability,\n               organizations consider the coordination and sharing of information with external\n               organizations, including, for example, external service providers and organizations\n               involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response\n                     capability;"},{"id":"ir-8.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response\n                     capability;"},{"id":"ir-8.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","properties":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the\n                     organization;"},{"id":"ir-8.a.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","properties":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response\n                        plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","properties":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and/or by role) to\n                        whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan\n                        are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined\n                     incident response personnel (identified by name and/or by role) and\n                     organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","properties":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","properties":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","properties":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","properties":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","properties":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and/or by role) to\n                        whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are\n                        to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident\n                     response personnel (identified by name and/or by role) and organizational\n                     elements; and"}]},{"id":"ir-8.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and\n                  modification."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident response planning\\n\\nincident response plan\\n\\nrecords of incident response plan reviews and approvals\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]},{"id":"ir-9","class":"SP800-53","title":"Information Spillage Response","parameters":[{"id":"ir-9_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-9_prm_2","label":"organization-defined actions"}],"properties":[{"name":"label","value":"IR-9"},{"name":"sort-id","value":"ir-09"}],"parts":[{"id":"ir-9_smt","name":"statement","prose":"The organization responds to information spills by:","parts":[{"id":"ir-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifying the specific information involved in the information system\n                  contamination;"},{"id":"ir-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Alerting {{ ir-9_prm_1 }} of the information spill using a method\n                  of communication not associated with the spill;"},{"id":"ir-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Isolating the contaminated information system or system component;"},{"id":"ir-9_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Eradicating the information from the contaminated information system or\n                  component;"},{"id":"ir-9_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Identifying other information systems or system components that may have been\n                  subsequently contaminated; and"},{"id":"ir-9_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Performing other {{ ir-9_prm_2 }}."}]},{"id":"ir-9_gdn","name":"guidance","prose":"Information spillage refers to instances where either classified or sensitive\n               information is inadvertently placed on information systems that are not authorized to\n               process such information. Such information spills often occur when information that\n               is initially thought to be of lower sensitivity is transmitted to an information\n               system and then is subsequently determined to be of higher sensitivity. At that\n               point, corrective action is required. The nature of the organizational response is\n               generally based upon the degree of sensitivity of the spilled information (e.g.,\n               security category or classification level), the security capabilities of the\n               information system, the specific nature of contaminated storage media, and the access\n               authorizations (e.g., security clearances) of individuals with authorized access to\n               the contaminated system. The methods used to communicate information about the spill\n               after the fact do not involve methods directly associated with the actual spill to\n               minimize the risk of further spreading the contamination before such contamination is\n               isolated and eradicated."},{"id":"ir-9_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(a)"}],"prose":"responds to information spills by identifying the specific information causing the\n                  information system contamination;"},{"id":"ir-9.b_obj","name":"objective","properties":[{"name":"label","value":"IR-9(b)"}],"parts":[{"id":"ir-9.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(b)[1]"}],"prose":"defines personnel to be alerted of the information spillage;"},{"id":"ir-9.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-9(b)[2]"}],"prose":"identifies a method of communication not associated with the information spill\n                     to use to alert organization-defined personnel of the spill;"},{"id":"ir-9.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(b)[3]"}],"prose":"responds to information spills by alerting organization-defined personnel of\n                     the information spill using a method of communication not associated with the\n                     spill;"}]},{"id":"ir-9.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(c)"}],"prose":"responds to information spills by isolating the contaminated information\n                  system;"},{"id":"ir-9.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(d)"}],"prose":"responds to information spills by eradicating the information from the\n                  contaminated information system;"},{"id":"ir-9.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(e)"}],"prose":"responds to information spills by identifying other information systems that may\n                  have been subsequently contaminated;"},{"id":"ir-9.f_obj","name":"objective","properties":[{"name":"label","value":"IR-9(f)"}],"parts":[{"id":"ir-9.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(f)[1]"}],"prose":"defines other actions to be performed in response to information spills;\n                     and"},{"id":"ir-9.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(f)[2]"}],"prose":"responds to information spills by performing other organization-defined\n                     actions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nrecords of information spillage alerts/notifications, list of personnel who should\n                  receive alerts of information spillage\\n\\nlist of actions to be performed regarding information spillage\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information spillage response\\n\\nautomated mechanisms supporting and/or implementing information spillage response\n                  actions and related communications"}]}],"controls":[{"id":"ir-9.1","class":"SP800-53-enhancement","title":"Responsible Personnel","parameters":[{"id":"ir-9.1_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"IR-9(1)"},{"name":"sort-id","value":"ir-09.01"}],"parts":[{"id":"ir-9.1_smt","name":"statement","prose":"The organization assigns {{ ir-9.1_prm_1 }} with responsibility for\n                  responding to information spills."},{"id":"ir-9.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-9.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(1)[1]"}],"prose":"defines personnel with responsibility for responding to information spills;\n                     and"},{"id":"ir-9.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-9(1)[2]"}],"prose":"assigns organization-defined personnel with responsibility for responding to\n                     information spills."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nlist of personnel responsible for responding to information spillage\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-9.2","class":"SP800-53-enhancement","title":"Training","parameters":[{"id":"ir-9.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"IR-9(2)"},{"name":"sort-id","value":"ir-09.02"}],"parts":[{"id":"ir-9.2_smt","name":"statement","prose":"The organization provides information spillage response training {{ ir-9.2_prm_1 }}."},{"id":"ir-9.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(2)[1]"}],"prose":"defines the frequency to provide information spillage response training;\n                     and"},{"id":"ir-9.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"IR-9(2)[2]"}],"prose":"provides information spillage response training with the organization-defined\n                     frequency."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing information spillage response training\\n\\ninformation spillage response training curriculum\\n\\ninformation spillage response training materials\\n\\nincident response plan\\n\\ninformation spillage response training records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-9.3","class":"SP800-53-enhancement","title":"Post-spill Operations","parameters":[{"id":"ir-9.3_prm_1","label":"organization-defined procedures"}],"properties":[{"name":"label","value":"IR-9(3)"},{"name":"sort-id","value":"ir-09.03"}],"parts":[{"id":"ir-9.3_smt","name":"statement","prose":"The organization implements {{ ir-9.3_prm_1 }} to ensure that\n                  organizational personnel impacted by information spills can continue to carry out\n                  assigned tasks while contaminated systems are undergoing corrective actions."},{"id":"ir-9.3_gdn","name":"guidance","prose":"Correction actions for information systems contaminated due to information\n                  spillages may be very time-consuming. During those periods, personnel may not have\n                  access to the contaminated systems, which may potentially affect their ability to\n                  conduct organizational business."},{"id":"ir-9.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(3)[1]"}],"prose":"defines procedures that ensure organizational personnel impacted by information\n                     spills can continue to carry out assigned tasks while contaminated systems are\n                     undergoing corrective actions; and"},{"id":"ir-9.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(3)[2]"}],"prose":"implements organization-defined procedures to ensure that organizational\n                     personnel impacted by information spills can continue to carry out assigned\n                     tasks while contaminated systems are undergoing corrective actions."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for post-spill operations"}]}]},{"id":"ir-9.4","class":"SP800-53-enhancement","title":"Exposure to Unauthorized Personnel","parameters":[{"id":"ir-9.4_prm_1","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"IR-9(4)"},{"name":"sort-id","value":"ir-09.04"}],"parts":[{"id":"ir-9.4_smt","name":"statement","prose":"The organization employs {{ ir-9.4_prm_1 }} for personnel exposed\n                  to information not within assigned access authorizations."},{"id":"ir-9.4_gdn","name":"guidance","prose":"Security safeguards include, for example, making personnel exposed to spilled\n                  information aware of the federal laws, directives, policies, and/or regulations\n                  regarding the information and the restrictions imposed based on exposure to such\n                  information."},{"id":"ir-9.4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ir-9.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"IR-9(4)[1]"}],"prose":"defines security safeguards to be employed for personnel exposed to information\n                     not within assigned access authorizations; and"},{"id":"ir-9.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"IR-9(4)[2]"}],"prose":"employs organization-defined security safeguards for personnel exposed to\n                     information not within assigned access authorizations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\\n\\nprocedures addressing incident handling\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nsecurity safeguards regarding information spillage/exposure to unauthorized\n                     personnel\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for dealing with information exposed to unauthorized\n                     personnel\\n\\nautomated mechanisms supporting and/or implementing safeguards for personnel\n                     exposed to information not within assigned access authorizations"}]}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","parameters":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ma-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy\n                     and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be\n                        disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel\n                        or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance\n                        policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the\n                        organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance\n                        procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","parameters":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"properties":[{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on\n                  information system components in accordance with manufacturer or vendor\n                  specifications and/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or\n                  remotely and whether the equipment is serviced on site or removed to another\n                  location;"},{"id":"ma-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Requires that {{ ma-2_prm_1 }} explicitly approve the removal of\n                  the information system or system components from organizational facilities for\n                  off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Includes {{ ma-2_prm_2 }} in organizational maintenance\n                  records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system\n               maintenance program and applies to all types of maintenance to any system component\n               (including applications) conducted by any local or nonlocal entity (e.g.,\n               in-contract, warranty, in-house, software maintenance agreement). System maintenance\n               also includes those components not directly associated with information processing\n               and/or data/information retention such as scanners, copiers, and printers.\n               Information necessary for creating effective maintenance records includes, for\n               example: (i) date and time of maintenance; (ii) name of individuals or group\n               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of\n               the maintenance performed; and (v) information system components/equipment removed or\n               replaced (including identification numbers, if applicable). The level of detail\n               included in maintenance records can be informed by the security categories of\n               organizational information systems. Organizations consider supply chain issues\n               associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pe-16","rel":"related","text":"PE-16"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","properties":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance\n                     with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in\n                     accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and/or"},{"id":"ma-2.a_obj.4.b","name":"objective","properties":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","properties":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","properties":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the\n                     information system or system components from organizational facilities for\n                     off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the\n                     removal of the information system or system components from organizational\n                     facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","properties":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational\n                     maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational\n                     maintenance records."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nmaintenance records\\n\\nmanufacturer/vendor maintenance specifications\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing,\n                  approving, and monitoring maintenance and repairs for the information system\\n\\norganizational processes for sanitizing information system components\\n\\nautomated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms implementing sanitization of information system\n                  components"}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","properties":[{"name":"label","value":"MA-3"},{"name":"sort-id","value":"ma-03"}],"links":[{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"}],"parts":[{"id":"ma-3_smt","name":"statement","prose":"The organization approves, controls, and monitors information system maintenance\n               tools."},{"id":"ma-3_gdn","name":"guidance","prose":"This control addresses security-related issues associated with maintenance tools used\n               specifically for diagnostic and repair actions on organizational information systems.\n               Maintenance tools can include hardware, software, and firmware items. Maintenance\n               tools are potential vehicles for transporting malicious code, either intentionally or\n               unintentionally, into a facility and subsequently into organizational information\n               systems. Maintenance tools can include, for example, hardware/software diagnostic\n               test equipment and hardware/software packet sniffers. This control does not cover\n               hardware/software components that may support information system maintenance, yet are\n               a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,\n               or the hardware and software implementing the monitoring port of an Ethernet\n               switch.","links":[{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-6","rel":"related","text":"MP-6"}]},{"id":"ma-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-3_obj.1","name":"objective","properties":[{"name":"label","value":"MA-3[1]"}],"prose":"approves information system maintenance tools;"},{"id":"ma-3_obj.2","name":"objective","properties":[{"name":"label","value":"MA-3[2]"}],"prose":"controls information system maintenance tools; and"},{"id":"ma-3_obj.3","name":"objective","properties":[{"name":"label","value":"MA-3[3]"}],"prose":"monitors information system maintenance tools."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance\n                  tools\\n\\nautomated mechanisms supporting and/or implementing approval, control, and/or\n                  monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","properties":[{"name":"label","value":"MA-3(1)"},{"name":"sort-id","value":"ma-03.01"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"The organization inspects the maintenance tools carried into a facility by\n                  maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"If, upon inspection of maintenance tools, organizations determine that the tools\n                  have been modified in an improper/unauthorized manner or contain malicious code,\n                  the incident is handled consistent with organizational policies and procedures for\n                  incident handling.","links":[{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ma-3.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization inspects the maintenance tools carried into a\n                  facility by maintenance personnel for improper or unauthorized modifications. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance tool inspection records\\n\\nmaintenance records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for inspecting maintenance tools\\n\\nautomated mechanisms supporting and/or implementing inspection of maintenance\n                     tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","properties":[{"name":"label","value":"MA-3(2)"},{"name":"sort-id","value":"ma-03.02"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"The organization checks media containing diagnostic and test programs for\n                  malicious code before the media are used in the information system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance diagnostic and test programs,\n                  organizations determine that the media contain malicious code, the incident is\n                  handled consistent with organizational incident handling policies and\n                  procedures.","links":[{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"ma-3.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization checks media containing diagnostic and test programs\n                  for malicious code before the media are used in the information system. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for inspecting media for malicious code\\n\\nautomated mechanisms supporting and/or implementing inspection of media used\n                     for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","parameters":[{"id":"ma-3.3_prm_1","label":"organization-defined personnel or roles","constraints":[{"detail":"the information owner explicitly authorizing removal of the equipment from the facility"}]}],"properties":[{"name":"label","value":"MA-3(3)"},{"name":"sort-id","value":"ma-03.03"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"The organization prevents the unauthorized removal of maintenance equipment\n                  containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the\n                     equipment;"},{"id":"ma-3.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly\n                     authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information specifically owned by\n                  organizations and information provided to organizations in which organizations\n                  serve as information stewards."},{"id":"ma-3.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization prevents the unauthorized removal of maintenance\n                  equipment containing organizational information by: ","parts":[{"id":"ma-3.3.a_obj","name":"objective","properties":[{"name":"label","value":"MA-3(3)(a)"}],"prose":"verifying that there is no organizational information contained on the\n                     equipment;","links":[{"href":"#ma-3.3_smt.a","rel":"corresp","text":"MA-3(3)(a)"}]},{"id":"ma-3.3.b_obj","name":"objective","properties":[{"name":"label","value":"MA-3(3)(b)"}],"prose":"sanitizing or destroying the equipment;","links":[{"href":"#ma-3.3_smt.b","rel":"corresp","text":"MA-3(3)(b)"}]},{"id":"ma-3.3.c_obj","name":"objective","properties":[{"name":"label","value":"MA-3(3)(c)"}],"prose":"retaining the equipment within the facility; or","links":[{"href":"#ma-3.3_smt.c","rel":"corresp","text":"MA-3(3)(c)"}]},{"id":"ma-3.3.d_obj","name":"objective","properties":[{"name":"label","value":"MA-3(3)(d)"}],"parts":[{"id":"ma-3.3.d_obj.1","name":"objective","properties":[{"name":"label","value":"MA-3(3)(d)[1]"}],"prose":"defining personnel or roles that can grant an exemption from explicitly\n                        authorizing removal of the equipment from the facility; and"},{"id":"ma-3.3.d_obj.2","name":"objective","properties":[{"name":"label","value":"MA-3(3)(d)[2]"}],"prose":"obtaining an exemption from organization-defined personnel or roles\n                        explicitly authorizing removal of the equipment from the facility."}],"links":[{"href":"#ma-3.3_smt.d","rel":"corresp","text":"MA-3(3)(d)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nexemptions for equipment removal\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for preventing unauthorized removal of information\\n\\nautomated mechanisms supporting media sanitization or destruction of\n                     equipment\\n\\nautomated mechanisms supporting verification of media sanitization"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference","text":"FIPS Publication 197"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference","text":"CNSS Policy 15"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent\n                  with organizational policy and documented in the security plan for the information\n                  system;"},{"id":"ma-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is\n                  completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by\n               individuals communicating through a network, either an external network (e.g., the\n               Internet) or an internal network. Local maintenance and diagnostic activities are\n               those activities carried out by individuals physically present at the information\n               system or information system component and not communicating across a network\n               connection. Authentication techniques used in the establishment of nonlocal\n               maintenance and diagnostic sessions reflect the network access requirements in IA-2.\n               Typically, strong authentication requires authenticators that are resistant to replay\n               attacks and employ multifactor authentication. Strong authenticators include, for\n               example, PKI where certificates are stored on a token protected by a password,\n               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by\n               other controls.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-17","rel":"related","text":"SC-17"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-4.a_obj","name":"objective","properties":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","properties":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","properties":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","properties":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed;\n                     and"},{"id":"ma-4.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is\n                     completed."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\\n\\nautomated mechanisms implementing, supporting, and/or managing nonlocal\n                  maintenance\\n\\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic\n                  sessions\\n\\nautomated mechanisms for terminating nonlocal maintenance sessions and network\n                  connections"}]}],"controls":[{"id":"ma-4.2","class":"SP800-53-enhancement","title":"Document Nonlocal Maintenance","properties":[{"name":"label","value":"MA-4(2)"},{"name":"sort-id","value":"ma-04.02"}],"parts":[{"id":"ma-4.2_smt","name":"statement","prose":"The organization documents in the security plan for the information system, the\n                  policies and procedures for the establishment and use of nonlocal maintenance and\n                  diagnostic connections."},{"id":"ma-4.2_obj","name":"objective","prose":"Determine if the organization documents in the security plan for the information\n                  system: ","parts":[{"id":"ma-4.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-4(2)[1]"}],"prose":"the policies for the establishment and use of nonlocal maintenance and\n                     diagnostic connections; and"},{"id":"ma-4.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MA-4(2)[2]"}],"prose":"the procedures for the establishment and use of nonlocal maintenance and\n                     diagnostic connections."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing non-local information system maintenance\\n\\nsecurity plan\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","properties":[{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list\n                  of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on\n               organizational information systems, while PE-2 addresses physical access for\n               individuals whose maintenance duties place them within the physical protection\n               perimeter of the systems (e.g., custodial staff, physical plant maintenance\n               personnel). Technical competence of supervising individuals relates to the\n               maintenance performed on the information systems while having required access\n               authorizations refers to maintenance on and near the systems. Individuals not\n               previously identified as authorized maintenance personnel, such as information\n               technology manufacturers, vendors, systems integrators, and consultants, may require\n               privileged access to organizational information systems, for example, when required\n               to conduct maintenance activities with little or no notice. Based on organizational\n               assessments of risk, organizations may issue temporary credentials to these\n               individuals. Temporary credentials may be for one-time use or for very limited time\n               periods.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-8","rel":"related","text":"IA-8"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-5.a_obj","name":"objective","properties":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\nlist of authorized personnel\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\\n\\nautomated mechanisms supporting and/or implementing authorization of maintenance\n                  personnel"}]}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","properties":[{"name":"label","value":"MA-5(1)"},{"name":"sort-id","value":"ma-05.01"}],"parts":[{"id":"ma-5.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Implements procedures for the use of maintenance personnel that lack\n                     appropriate security clearances or are not U.S. citizens, that include the\n                     following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","properties":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations,\n                        clearances, or formal access approvals are escorted and supervised during\n                        the performance of maintenance and diagnostic activities on the information\n                        system by approved organizational personnel who are fully cleared, have\n                        appropriate access authorizations, and are technically qualified;"},{"id":"ma-5.1_smt.a.2","name":"item","properties":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do\n                        not have needed access authorizations, clearances or formal access\n                        approvals, all volatile information storage components within the\n                        information system are sanitized and all nonvolatile storage media are\n                        removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Develops and implements alternate security safeguards in the event an\n                     information system component cannot be sanitized, removed, or disconnected from\n                     the system."},{"id":"ma-5.1_fr","name":"item","title":"MA-5 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ma-5.1_fr_smt.b","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline"}]}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"This control enhancement denies individuals who lack appropriate security\n                  clearances (i.e., individuals who do not possess security clearances or possess\n                  security clearances at a lower level than required) or who are not U.S. citizens,\n                  visual and electronic access to any classified information, Controlled\n                  Unclassified Information (CUI), or any other sensitive information contained on\n                  organizational information systems. Procedures for the use of maintenance\n                  personnel can be documented in security plans for the information systems.","links":[{"href":"#mp-6","rel":"related","text":"MP-6"},{"href":"#pl-2","rel":"related","text":"PL-2"}]},{"id":"ma-5.1_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-5.1.a_obj","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)"}],"prose":"implements procedures for the use of maintenance personnel that lack\n                     appropriate security clearances or are not U.S. citizens, that include the\n                     following requirements:","parts":[{"id":"ma-5.1.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(1)(a)(1)"}],"prose":"maintenance personnel who do not have needed access authorizations,\n                        clearances, or formal access approvals are escorted and supervised during\n                        the performance of maintenance and diagnostic activities on the information\n                        system by approved organizational personnel who:","parts":[{"id":"ma-5.1.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(1)[1]"}],"prose":"are fully cleared;"},{"id":"ma-5.1.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(1)[2]"}],"prose":"have appropriate access authorizations;"},{"id":"ma-5.1.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(1)[3]"}],"prose":"are technically qualified;"}],"links":[{"href":"#ma-5.1_smt.a.1","rel":"corresp","text":"MA-5(1)(a)(1)"}]},{"id":"ma-5.1.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(1)(a)(2)"}],"prose":"prior to initiating maintenance or diagnostic activities by personnel who do\n                        not have needed access authorizations, clearances, or formal access\n                        approvals:","parts":[{"id":"ma-5.1.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(2)[1]"}],"prose":"all volatile information storage components within the information system\n                           are sanitized; and"},{"id":"ma-5.1.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(2)[2]"}],"prose":"all nonvolatile storage media are removed; or"},{"id":"ma-5.1.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"MA-5(1)(a)(2)[3]"}],"prose":"all nonvolatile storage media are physically disconnected from the system\n                           and secured; and"}],"links":[{"href":"#ma-5.1_smt.a.2","rel":"corresp","text":"MA-5(1)(a)(2)"}]}],"links":[{"href":"#ma-5.1_smt.a","rel":"corresp","text":"MA-5(1)(a)"}]},{"id":"ma-5.1.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MA-5(1)(b)"}],"prose":"develops and implements alternative security safeguards in the event an\n                     information system component cannot be sanitized, removed, or disconnected from\n                     the system.","links":[{"href":"#ma-5.1_smt.b","rel":"corresp","text":"MA-5(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\ninformation system media protection policy\\n\\nphysical and environmental protection policy\\n\\nsecurity plan\\n\\nlist of maintenance personnel requiring escort/supervision\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with personnel security responsibilities\\n\\norganizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing maintenance personnel without appropriate\n                     access\\n\\nautomated mechanisms supporting and/or implementing alternative security\n                     safeguards\\n\\nautomated mechanisms supporting and/or implementing information storage\n                     component sanitization"}]}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","parameters":[{"id":"ma-6_prm_1","label":"organization-defined information system components"},{"id":"ma-6_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"MA-6"},{"name":"sort-id","value":"ma-06"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"The organization obtains maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the information system components that result in increased risk\n               to organizational operations and assets, individuals, other organizations, or the\n               Nation when the functionality provided by those components is not operational.\n               Organizational actions to obtain maintenance support typically include having\n               appropriate contracts in place.","links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"},{"href":"#sa-14","rel":"related","text":"SA-14"},{"href":"#sa-15","rel":"related","text":"SA-15"}]},{"id":"ma-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ma-6_obj.1","name":"objective","properties":[{"name":"label","value":"MA-6[1]"}],"prose":"defines information system components for which maintenance support and/or spare\n                  parts are to be obtained;"},{"id":"ma-6_obj.2","name":"objective","properties":[{"name":"label","value":"MA-6[2]"}],"prose":"defines the time period within which maintenance support and/or spare parts are to\n                  be obtained after a failure;"},{"id":"ma-6_obj.3","name":"objective","properties":[{"name":"label","value":"MA-6[3]"}],"parts":[{"id":"ma-6_obj.3.a","name":"objective","properties":[{"name":"label","value":"MA-6[3][a]"}],"prose":"obtains maintenance support for organization-defined information system\n                     components within the organization-defined time period of failure; and/or"},{"id":"ma-6_obj.3.b","name":"objective","properties":[{"name":"label","value":"MA-6[3][b]"}],"prose":"obtains spare parts for organization-defined information system components\n                     within the organization-defined time period of failure."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\\n\\nprocedures addressing information system maintenance\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\ninventory and availability of spare parts\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","parameters":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"mp-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and\n                     associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be\n                        disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel\n                        or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection\n                        policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the\n                        organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection\n                        procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","parameters":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Restricting non-digital media access\n               includes, for example, denying access to patient medical records in a community\n               hospital unless the individuals seeking access to such records are authorized\n               healthcare providers. Restricting access to digital media includes, for example,\n               limiting access to design specifications stored on compact disks in the media library\n               to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pl-2","rel":"related","text":"PL-2"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of\n                  digital and/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and/or non-digital media\n                  to organization-defined personnel or roles."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media access restrictions\\n\\naccess control policy and procedures\\n\\nphysical and environmental protection policy and procedures\\n\\nmedia storage facilities\\n\\naccess control records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\\n\\nautomated mechanisms supporting and/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","parameters":[{"id":"mp-3_prm_1","label":"organization-defined types of information system media","constraints":[{"detail":"no removable media types"}]},{"id":"mp-3_prm_2","label":"organization-defined controlled areas"}],"properties":[{"name":"label","value":"MP-3"},{"name":"sort-id","value":"mp-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"}],"parts":[{"id":"mp-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Marks information system media indicating the distribution limitations, handling\n                  caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Exempts {{ mp-3_prm_1 }} from marking as long as the media remain\n                  within {{ mp-3_prm_2 }}."},{"id":"mp-3_fr","name":"item","title":"MP-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-3_fr_gdn.b","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Second parameter not-applicable"}]}]},{"id":"mp-3_gdn","name":"guidance","prose":"The term security marking refers to the application/use of human-readable security\n               attributes. The term security labeling refers to the application/use of security\n               attributes with regard to internal data structures within information systems (see\n               AC-16). Information system media includes both digital and non-digital media. Digital\n               media includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Security marking is generally not\n               required for media containing information determined by organizations to be in the\n               public domain or to be publicly releasable. However, some organizations may require\n               markings for public information indicating that the information is publicly\n               releasable. Marking of information system media reflects applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and guidance.","links":[{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"mp-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-3(a)"}],"prose":"marks information system media indicating the:","parts":[{"id":"mp-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"MP-3(a)[1]"}],"prose":"distribution limitations of the information;"},{"id":"mp-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"MP-3(a)[2]"}],"prose":"handling caveats of the information;"},{"id":"mp-3.a_obj.3","name":"objective","properties":[{"name":"label","value":"MP-3(a)[3]"}],"prose":"applicable security markings (if any) of the information;"}]},{"id":"mp-3.b_obj","name":"objective","properties":[{"name":"label","value":"MP-3(b)"}],"parts":[{"id":"mp-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-3(b)[1]"}],"prose":"defines types of information system media to be exempted from marking as long\n                     as the media remain in designated controlled areas;"},{"id":"mp-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-3(b)[2]"}],"prose":"defines controlled areas where organization-defined types of information system\n                     media exempt from marking are to be retained; and"},{"id":"mp-3.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-3(b)[3]"}],"prose":"exempts organization-defined types of information system media from marking as\n                     long as the media remain within organization-defined controlled areas."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media marking\\n\\nphysical and environmental protection policy and procedures\\n\\nsecurity plan\\n\\nlist of information system media marking security attributes\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and marking\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for marking information media\\n\\nautomated mechanisms supporting and/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","parameters":[{"id":"mp-4_prm_1","label":"organization-defined types of digital and/or non-digital media","constraints":[{"detail":"all types of digital and non-digital media with sensitive information"}]},{"id":"mp-4_prm_2","label":"organization-defined controlled areas","constraints":[{"detail":"see additional FedRAMP requirements and guidance"}]}],"properties":[{"name":"label","value":"MP-4"},{"name":"sort-id","value":"mp-04"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference","text":"NIST Special Publication 800-56"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference","text":"NIST Special Publication 800-57"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Physically controls and securely stores {{ mp-4_prm_1 }} within\n                     {{ mp-4_prm_2 }}; and"},{"id":"mp-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Protects information system media until the media are destroyed or sanitized using\n                  approved equipment, techniques, and procedures."},{"id":"mp-4_fr","name":"item","title":"MP-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines controlled areas within facilities where the information and information system reside."}]}]},{"id":"mp-4_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Physically controlling information system\n               media includes, for example, conducting inventories, ensuring procedures are in place\n               to allow individuals to check out and return media to the media library, and\n               maintaining accountability for all stored media. Secure storage includes, for\n               example, a locked drawer, desk, or cabinet, or a controlled media library. The type\n               of media storage is commensurate with the security category and/or classification of\n               the information residing on the media. Controlled areas are areas for which\n               organizations provide sufficient physical and procedural safeguards to meet the\n               requirements established for protecting information and/or information systems. For\n               media containing information determined by organizations to be in the public domain,\n               to be publicly releasable, or to have limited or no adverse impact on organizations\n               or individuals if accessed by other than authorized personnel, fewer safeguards may\n               be needed. In these situations, physical access controls provide adequate\n               protection.","links":[{"href":"#cp-6","rel":"related","text":"CP-6"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#pe-3","rel":"related","text":"PE-3"}]},{"id":"mp-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-4.a_obj","name":"objective","properties":[{"name":"label","value":"MP-4(a)"}],"parts":[{"id":"mp-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-4(a)[1]"}],"prose":"defines types of digital and/or non-digital media to be physically controlled\n                     and securely stored within designated controlled areas;"},{"id":"mp-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-4(a)[2]"}],"prose":"defines controlled areas designated to physically control and securely store\n                     organization-defined types of digital and/or non-digital media;"},{"id":"mp-4.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-4(a)[3]"}],"prose":"physically controls organization-defined types of digital and/or non-digital\n                     media within organization-defined controlled areas;"},{"id":"mp-4.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-4(a)[4]"}],"prose":"securely stores organization-defined types of digital and/or non-digital media\n                     within organization-defined controlled areas; and"}]},{"id":"mp-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-4(b)"}],"prose":"protects information system media until the media are destroyed or sanitized using\n                  approved equipment, techniques, and procedures."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media storage\\n\\nphysical and environmental protection policy and procedures\\n\\naccess control policy and procedures\\n\\nsecurity plan\\n\\ninformation system media\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\\n\\nautomated mechanisms supporting and/or implementing secure media storage/media\n                  protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","parameters":[{"id":"mp-5_prm_1","label":"organization-defined types of information system media","constraints":[{"detail":"all media with sensitive information"}]},{"id":"mp-5_prm_2","label":"organization-defined security safeguards","constraints":[{"detail":"prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container"}]}],"properties":[{"name":"label","value":"MP-5"},{"name":"sort-id","value":"mp-05"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"}],"parts":[{"id":"mp-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Protects and controls {{ mp-5_prm_1 }} during transport outside of\n                  controlled areas using {{ mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintains accountability for information system media during transport outside of\n                  controlled areas;"},{"id":"mp-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents activities associated with the transport of information system media;\n                  and"},{"id":"mp-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Restricts the activities associated with the transport of information system media\n                  to authorized personnel."},{"id":"mp-5_fr","name":"item","title":"MP-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-5_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB."}]}]},{"id":"mp-5_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers),\n               that are transported outside of controlled areas. Controlled areas are areas or\n               spaces for which organizations provide sufficient physical and/or procedural\n               safeguards to meet the requirements established for protecting information and/or\n               information systems. Physical and technical safeguards for media are commensurate\n               with the security category or classification of the information residing on the\n               media. Safeguards to protect media during transport include, for example, locked\n               containers and cryptography. Cryptographic mechanisms can provide confidentiality and\n               integrity protections depending upon the mechanisms used. Activities associated with\n               transport include the actual transport as well as those activities such as releasing\n               media for transport and ensuring that media enters the appropriate transport\n               processes. For the actual transport, authorized transport and courier personnel may\n               include individuals from outside the organization (e.g., U.S. Postal Service or a\n               commercial transport or delivery service). Maintaining accountability of media during\n               transport includes, for example, restricting transport activities to authorized\n               personnel, and tracking and/or obtaining explicit records of transport activities as\n               the media moves through the transportation system to prevent and detect loss,\n               destruction, or tampering. Organizations establish documentation requirements for\n               activities associated with the transport of information system media in accordance\n               with organizational assessments of risk to include the flexibility to define\n               different record-keeping methods for the different types of media transport as part\n               of an overall system of transport-related records.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#mp-3","rel":"related","text":"MP-3"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-28","rel":"related","text":"SC-28"}]},{"id":"mp-5_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-5.a_obj","name":"objective","properties":[{"name":"label","value":"MP-5(a)"}],"parts":[{"id":"mp-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-5(a)[1]"}],"prose":"defines types of information system media to be protected and controlled during\n                     transport outside of controlled areas;"},{"id":"mp-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-5(a)[2]"}],"prose":"defines security safeguards to protect and control organization-defined\n                     information system media during transport outside of controlled areas;"},{"id":"mp-5.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-5(a)[3]"}],"prose":"protects and controls organization-defined information system media during\n                     transport outside of controlled areas using organization-defined security\n                     safeguards;"}]},{"id":"mp-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-5(b)"}],"prose":"maintains accountability for information system media during transport outside of\n                  controlled areas;"},{"id":"mp-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-5(c)"}],"prose":"documents activities associated with the transport of information system media;\n                  and"},{"id":"mp-5.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-5(d)"}],"prose":"restricts the activities associated with transport of information system media to\n                  authorized personnel."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media storage\\n\\nphysical and environmental protection policy and procedures\\n\\naccess control policy and procedures\\n\\nsecurity plan\\n\\ninformation system media\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\\n\\nautomated mechanisms supporting and/or implementing media storage/media\n                  protection"}]}],"controls":[{"id":"mp-5.4","class":"SP800-53-enhancement","title":"Cryptographic Protection","properties":[{"name":"label","value":"MP-5(4)"},{"name":"sort-id","value":"mp-05.04"}],"parts":[{"id":"mp-5.4_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the\n                  confidentiality and integrity of information stored on digital media during\n                  transport outside of controlled areas."},{"id":"mp-5.4_gdn","name":"guidance","prose":"This control enhancement applies to both portable storage devices (e.g., USB\n                  memory sticks, compact disks, digital video disks, external/removable hard disk\n                  drives) and mobile devices with storage capability (e.g., smart phones, tablets,\n                  E-readers).","links":[{"href":"#mp-2","rel":"related","text":"MP-2"}]},{"id":"mp-5.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs cryptographic mechanisms to protect the\n                  confidentiality and integrity of information stored on digital media during\n                  transport outside of controlled areas. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media transport\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system media transport records\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media transport\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting information on digital media during\n                     transportation outside controlled areas"}]}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","parameters":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"properties":[{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference","text":"NIST Special Publication 800-88"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference","text":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of\n                  organizational control, or release for reuse using {{ mp-6_prm_2 }}\n                  in accordance with applicable federal and organizational standards and policies;\n                  and"},{"id":"mp-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with\n                  the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital,\n               subject to disposal or reuse, whether or not the media is considered removable.\n               Examples include media found in scanners, copiers, printers, notebook computers,\n               workstations, network components, and mobile devices. The sanitization process\n               removes information from the media such that the information cannot be retrieved or\n               reconstructed. Sanitization techniques, including clearing, purging, cryptographic\n               erase, and destruction, prevent the disclosure of information to unauthorized\n               individuals when such media is reused or released for disposal. Organizations\n               determine the appropriate sanitization methods recognizing that destruction is\n               sometimes necessary when other methods cannot be applied to media requiring\n               sanitization. Organizations use discretion on the employment of approved sanitization\n               techniques and procedures for media containing information deemed to be in the public\n               domain or publicly releasable, or deemed to have no adverse impact on organizations\n               or individuals if released for reuse or disposal. Sanitization of non-digital media\n               includes, for example, removing a classified appendix from an otherwise unclassified\n               document, or redacting selected sections or words from a document by obscuring the\n               redacted sections/words in a manner equivalent in effectiveness to removing them from\n               the document. NSA standards and policies control the sanitization process for media\n               containing classified information.","links":[{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-4","rel":"related","text":"SC-4"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-6.a_obj","name":"objective","properties":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","properties":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing\n                     organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","properties":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal,\n                     release out of organizational control, or release for reuse using\n                     organization-defined sanitization techniques or procedures in accordance with\n                     applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the\n                  security category or classification of the information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\napplicable federal standards and policies addressing media sanitization\\n\\nmedia sanitization records\\n\\naudit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"}]}],"controls":[{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","parameters":[{"id":"mp-6.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"MP-6(2)"},{"name":"sort-id","value":"mp-06.02"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"The organization tests sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being\n                  achieved.","parts":[{"id":"mp-6.2_fr","name":"item","title":"MP-6 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-6.2_fr_gdn.a","name":"guidance","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"Equipment and procedures may be tested or validated for effectiveness"}]}]},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and\n                  authorized external entities (e.g., other federal agencies or external service\n                  providers)."},{"id":"mp-6.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-6.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-6(2)[1]"}],"prose":"defines the frequency for testing sanitization equipment and procedures to\n                     verify that the intended sanitization is being achieved; and"},{"id":"mp-6.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-6(2)[2]"}],"prose":"tests sanitization equipment and procedures with the organization-defined\n                     frequency to verify that the intended sanitization is being achieved."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\nprocedures addressing testing of media sanitization equipment\\n\\nresults of media sanitization equipment and procedures testing\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"}]}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","parameters":[{"id":"mp-7_prm_1"},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers).\n               In contrast to MP-2, which restricts user access to media, this control restricts the\n               use of certain types of media on information systems, for example,\n               restricting/prohibiting the use of flash drives or external hard disk drives.\n               Organizations can employ technical and nontechnical safeguards (e.g., policies,\n               procedures, rules of behavior) to restrict the use of information system media.\n               Organizations may restrict the use of portable storage devices, for example, by using\n               physical cages on workstations to prohibit access to certain external ports, or\n               disabling/removing the ability to insert, read or write to such devices.\n               Organizations may also limit the use of portable storage devices to only approved\n               devices including, for example, devices provided by the organization, devices\n               provided by other approved organizations, and devices that are not personally owned.\n               Finally, organizations may restrict the use of portable storage devices based on the\n               type of device, for example, prohibiting the use of writeable, portable storage\n               devices, and implementing this restriction by disabling or removing the capability to\n               write to such devices.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"mp-7_obj.1","name":"objective","properties":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","properties":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","properties":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","properties":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of\n                  organization-defined types of information system media is to be one of the\n                  following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","properties":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","properties":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of\n                  organization-defined types of information system media on organization-defined\n                  information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on\n                  organization-defined information systems or system components using\n                  organization-defined security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\\n\\nautomated mechanisms restricting or prohibiting use of information system media on\n                  information systems or system components"}]}],"controls":[{"id":"mp-7.1","class":"SP800-53-enhancement","title":"Prohibit Use Without Owner","properties":[{"name":"label","value":"MP-7(1)"},{"name":"sort-id","value":"mp-07.01"}],"parts":[{"id":"mp-7.1_smt","name":"statement","prose":"The organization prohibits the use of portable storage devices in organizational\n                  information systems when such devices have no identifiable owner."},{"id":"mp-7.1_gdn","name":"guidance","prose":"Requiring identifiable owners (e.g., individuals, organizations, or projects) for\n                  portable storage devices reduces the risk of using such technologies by allowing\n                  organizations to assign responsibility and accountability for addressing known\n                  vulnerabilities in the devices (e.g., malicious code insertion).","links":[{"href":"#pl-4","rel":"related","text":"PL-4"}]},{"id":"mp-7.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization prohibits the use of portable storage devices in\n                  organizational information systems when such devices have no identifiable owner.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\\n\\nautomated mechanisms prohibiting use of media on information systems or system\n                     components"}]}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","parameters":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"pe-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental\n                     protection policy and associated physical and environmental protection\n                     controls; and"}]},{"id":"pe-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ pe-1_prm_2 }};\n                     and"},{"id":"pe-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PE\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that\n                        addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection\n                        policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to\n                        organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        physical and environmental protection policy and associated physical and\n                        environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and\n                        environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy\n                        with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and\n                        environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","parameters":[{"id":"pe-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to\n                  the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals\n                     {{ pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer\n                  required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Authorization credentials include, for\n               example, badges, identification cards, and smart cards. Organizations determine the\n               strength of authorization credentials needed (including level of forge-proof badges,\n               smart cards, or identification cards) consistent with federal standards, policies,\n               and procedures. This control only applies to areas within facilities that have not\n               been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-2.a_obj","name":"objective","properties":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the\n                     information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the\n                     information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where\n                     the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","properties":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility\n                     access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals\n                     with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer\n                  required."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access authorizations\\n\\nsecurity plan\\n\\nauthorized personnel access list\\n\\nauthorization credentials\\n\\nphysical access list reviews\\n\\nphysical access termination records and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\\n\\norganizational personnel with physical access to information system facility\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\\n\\nautomated mechanisms supporting and/or implementing physical access\n                  authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","parameters":[{"id":"pe-3_prm_1","label":"organization-defined entry/exit points to the facility where the information\n               system resides"},{"id":"pe-3_prm_2","constraints":[{"detail":"CSP defined physical access control systems/devices AND guards"}]},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems/devices","constraints":[{"detail":"CSP defined physical access control systems/devices"}]},{"id":"pe-3_prm_4","label":"organization-defined entry/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and\n               monitoring","constraints":[{"detail":"in all circumstances within restricted access area where the information system resides"}]},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"pe-3_prm_9","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference","text":"NIST Special Publication 800-116"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference","text":"ICD 704"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference","text":"ICD 705"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference","text":"DoD Instruction 5200.39"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference","text":"Personal Identity Verification (PIV) in Enterprise\n            Physical Access Control System (E-PACS)"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference","text":"http://fips201ep.cio.gov"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the\n                     facility; and"},{"id":"pe-3_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides {{ pe-3_prm_5 }} to control access to areas within the\n                  facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};\n                  and"},{"id":"pe-3_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are\n                  lost, combinations are compromised, or individuals are transferred or\n                  terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Organizations determine the types of\n               facility guards needed including, for example, professional physical security staff\n               or other personnel such as administrative staff or information system users. Physical\n               access devices include, for example, keys, locks, combinations, and card readers.\n               Safeguards for publicly accessible areas within organizational facilities include,\n               for example, cameras, monitoring by guards, and isolating selected information\n               systems and/or system components in secured areas. Physical access control systems\n               comply with applicable federal laws, Executive Orders, directives, policies,\n               regulations, standards, and guidance. The Federal Identity, Credential, and Access\n               Management Program provides implementation guidance for identity, credential, and\n               access management capabilities for physical access control systems. Organizations\n               have flexibility in the types of audit logs employed. Audit logs can be procedural\n               (e.g., a written log of individuals accessing the facility and when such access\n               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination\n               thereof. Physical access points can include facility access points, interior access\n               points to information systems and/or components requiring supplemental access\n               controls, or both. Components of organizational information systems (e.g.,\n               workstations, terminals) may be located in areas designated as publicly accessible\n               with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-3.a_obj","name":"objective","properties":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry/exit points to the facility where the information system\n                     resides;"},{"id":"pe-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry/exit\n                     points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the\n                        facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems/devices to be employed to\n                           control ingress/egress to the facility where the information system\n                           resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress/egress to the\n                           facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems/devices;\n                              and/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","properties":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","properties":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry/exit points for which physical access audit logs are to be\n                     maintained;"},{"id":"pe-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry/exit\n                     points;"}]},{"id":"pe-3.c_obj","name":"objective","properties":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within\n                     the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas\n                     within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","properties":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","properties":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts\n                     and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","properties":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","properties":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access\n                     devices;"},{"id":"pe-3.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the\n                     organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","properties":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and/or\n                     when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","properties":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nsecurity plan\\n\\nphysical access control logs or records\\n\\ninventory records of physical access control devices\\n\\ninformation system entry and exit points\\n\\nrecords of key and lock combination changes\\n\\nstorage locations for physical access control devices\\n\\nphysical access control devices\\n\\nlist of security safeguards controlling access to designated publicly accessible\n                  areas within facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\\n\\nautomated mechanisms supporting and/or implementing physical access control\\n\\nphysical access control devices"}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission Medium","parameters":[{"id":"pe-4_prm_1","label":"organization-defined information system distribution and transmission\n               lines"},{"id":"pe-4_prm_2","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"PE-4"},{"name":"sort-id","value":"pe-04"}],"links":[{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference","text":"NSTISSI No. 7003"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"The organization controls physical access to {{ pe-4_prm_1 }} within\n               organizational facilities using {{ pe-4_prm_2 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Physical security safeguards applied to information system distribution and\n               transmission lines help to prevent accidental damage, disruption, and physical\n               tampering. In addition, physical safeguards may be necessary to help prevent\n               eavesdropping or in transit modification of unencrypted transmissions. Security\n               safeguards to control physical access to system distribution and transmission lines\n               include, for example: (i) locked wiring closets; (ii) disconnected or locked spare\n               jacks; and/or (iii) protection of cabling by conduit or cable trays.","links":[{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-5","rel":"related","text":"PE-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-8","rel":"related","text":"SC-8"}]},{"id":"pe-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-4[1]"}],"prose":"defines information system distribution and transmission lines requiring physical\n                  access controls;"},{"id":"pe-4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-4[2]"}],"prose":"defines security safeguards to be employed to control physical access to\n                  organization-defined information system distribution and transmission lines within\n                  organizational facilities; and"},{"id":"pe-4_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-4[3]"}],"prose":"controls physical access to organization-defined information system distribution\n                  and transmission lines within organizational facilities using organization-defined\n                  security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing access control for transmission medium\\n\\ninformation system design documentation\\n\\nfacility communications and wiring diagrams\\n\\nlist of physical security safeguards applied to information system distribution\n                  and transmission lines\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to distribution and transmission\n                  lines\\n\\nautomated mechanisms/security safeguards supporting and/or implementing access\n                  control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","properties":[{"name":"label","value":"PE-5"},{"name":"sort-id","value":"pe-05"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"The organization controls physical access to information system output devices to\n               prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes, for example, placing output\n               devices in locked rooms or other secured areas and allowing access to authorized\n               individuals only, and placing output devices in locations that can be monitored by\n               organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,\n               and audio devices are examples of information system output devices.","links":[{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#pe-4","rel":"related","text":"PE-4"},{"href":"#pe-18","rel":"related","text":"PE-18"}]},{"id":"pe-5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization controls physical access to information system output\n               devices to prevent unauthorized individuals from obtaining the output. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing access control for display medium\\n\\nfacility layout of information system components\\n\\nactual displays from information system components\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to output devices\\n\\nautomated mechanisms supporting and/or implementing access control to output\n                  devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","parameters":[{"id":"pe-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence\n                  of {{ pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident\n                  response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses\n               to detected physical security incidents. Security incidents include, for example,\n               apparent security violations or suspicious physical access activities. Suspicious\n               physical access activities include, for example: (i) accesses outside of normal work\n               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for\n               unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-8","rel":"related","text":"IR-8"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","properties":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs\n                     to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon\n                     occurrence of organization-defined events or potential indications of events;\n                     and"}]},{"id":"pe-6.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident\n                  response capability."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\\n\\nautomated mechanisms supporting and/or implementing reviewing of physical access\n                  logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms / Surveillance Equipment","properties":[{"name":"label","value":"PE-6(1)"},{"name":"sort-id","value":"pe-06.01"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"The organization monitors physical intrusion alarms and surveillance\n                  equipment."},{"id":"pe-6.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization monitors physical intrusion alarms and surveillance\n                  equipment. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical intrusion alarms and\n                     surveillance equipment\\n\\nautomated mechanisms supporting and/or implementing physical access\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing physical intrusion alarms\n                     and surveillance equipment"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","parameters":[{"id":"pe-8_prm_1","label":"organization-defined time period","constraints":[{"detail":"for a minimum of one (1) year"}]},{"id":"pe-8_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system\n                  resides for {{ pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons\n               visiting, visitor signatures, forms of identification, dates of access, entry and\n               departure times, purposes of visits, and names and organizations of persons visited.\n               Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-8.a_obj","name":"objective","properties":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility\n                     where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system\n                     resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","properties":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nsecurity plan\\n\\nvisitor access control logs or records\\n\\nvisitor access record or log reviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                  visitor access records"}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","properties":[{"name":"label","value":"PE-9"},{"name":"sort-id","value":"pe-09"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"The organization protects power equipment and power cabling for the information\n               system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for power equipment and\n               cabling employed at different locations both internal and external to organizational\n               facilities and environments of operation. This includes, for example, generators and\n               power cabling outside of buildings, internal cabling and uninterruptable power\n               sources within an office or data center, and power sources for self-contained\n               entities such as vehicles and satellites.","links":[{"href":"#pe-4","rel":"related","text":"PE-4"}]},{"id":"pe-9_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization protects power equipment and power cabling for the\n               information system from damage and destruction. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing power equipment/cabling protection\\n\\nfacilities housing power equipment/cabling\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for protecting power\n                  equipment/cabling\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing protection of power\n                  equipment/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","parameters":[{"id":"pe-10_prm_1","label":"organization-defined location by information system or system component"}],"properties":[{"name":"label","value":"PE-10"},{"name":"sort-id","value":"pe-10"}],"parts":[{"id":"pe-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides the capability of shutting off power to the information system or\n                  individual system components in emergency situations;"},{"id":"pe-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Places emergency shutoff switches or devices in {{ pe-10_prm_1 }}\n                  to facilitate safe and easy access for personnel; and"},{"id":"pe-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Protects emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.","links":[{"href":"#pe-15","rel":"related","text":"PE-15"}]},{"id":"pe-10_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-10.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-10(a)"}],"prose":"provides the capability of shutting off power to the information system or\n                  individual system components in emergency situations;"},{"id":"pe-10.b_obj","name":"objective","properties":[{"name":"label","value":"PE-10(b)"}],"parts":[{"id":"pe-10.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-10(b)[1]"}],"prose":"defines the location of emergency shutoff switches or devices by information\n                     system or system component;"},{"id":"pe-10.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-10(b)[2]"}],"prose":"places emergency shutoff switches or devices in the organization-defined\n                     location by information system or system component to facilitate safe and easy\n                     access for personnel; and"}]},{"id":"pe-10.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-10(c)"}],"prose":"protects emergency power shutoff capability from unauthorized activation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing power source emergency shutoff\\n\\nsecurity plan\\n\\nemergency shutoff controls or switches\\n\\nlocations housing emergency shutoff switches and devices\\n\\nsecurity safeguards protecting emergency power shutoff capability from\n                  unauthorized activation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power shutoff\n                  capability (both implementing and using the capability)\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","parameters":[{"id":"pe-11_prm_1"}],"properties":[{"name":"label","value":"PE-11"},{"name":"sort-id","value":"pe-11"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"The organization provides a short-term uninterruptible power supply to facilitate\n                  {{ pe-11_prm_1 }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"pe-11_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization provides a short-term uninterruptible power supply to\n               facilitate one or more of the following in the event of a primary power source loss: ","parts":[{"id":"pe-11_obj.1","name":"objective","properties":[{"name":"label","value":"PE-11[1]"}],"prose":"an orderly shutdown of the information system; and/or"},{"id":"pe-11_obj.2","name":"objective","properties":[{"name":"label","value":"PE-11[2]"}],"prose":"transition of the information system to long-term alternate power."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing emergency power\\n\\nuninterruptible power supply\\n\\nuninterruptible power supply documentation\\n\\nuninterruptible power supply test records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing uninterruptible power\n                  supply\\n\\nthe uninterruptable power supply"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","properties":[{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the\n               information system that activates in the event of a power outage or disruption and\n               that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for\n               the information system that: ","parts":[{"id":"pe-12_obj.1","name":"objective","properties":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing emergency lighting\\n\\nemergency lighting documentation\\n\\nemergency lighting test records\\n\\nemergency exits and evacuation routes\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing emergency lighting\n                  capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","properties":[{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices/systems\n               for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Fire suppression and detection devices/systems include, for example,\n               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke\n               detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-13_obj.1","name":"objective","properties":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices/systems for the information system\n                  that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","properties":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices/systems for the information\n                  system that are supported by an independent energy source."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression\n                  devices/systems\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire suppression/detection\n                  devices/systems"}]}],"controls":[{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Devices / Systems","parameters":[{"id":"pe-13.2_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.2_prm_2","label":"organization-defined emergency responders"}],"properties":[{"name":"label","value":"PE-13(2)"},{"name":"sort-id","value":"pe-13.02"}],"parts":[{"id":"pe-13.2_smt","name":"statement","prose":"The organization employs fire suppression devices/systems for the information\n                  system that provide automatic notification of any activation to {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}."},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders in\n                  the event that individuals on the notification list must have appropriate access\n                  authorizations and/or clearances, for example, to obtain access to facilities\n                  where classified operations are taking place or where there are information\n                  systems containing classified information."},{"id":"pe-13.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-13.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-13(2)[1]"}],"prose":"defines personnel or roles to be provided automatic notification of any\n                     activation of fire suppression devices/systems for the information system;"},{"id":"pe-13.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-13(2)[2]"}],"prose":"defines emergency responders to be provided automatic notification of any\n                     activation of fire suppression devices/systems for the information system;"},{"id":"pe-13.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-13(2)[3]"}],"prose":"employs fire suppression devices/systems for the information system that\n                     provide automatic notification of any activation to:","parts":[{"id":"pe-13.2_obj.3.a","name":"objective","properties":[{"name":"label","value":"PE-13(2)[3][a]"}],"prose":"organization-defined personnel or roles; and"},{"id":"pe-13.2_obj.3.b","name":"objective","properties":[{"name":"label","value":"PE-13(2)[3][b]"}],"prose":"organization-defined emergency responders."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems documentation\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for providing automatic\n                     notifications of any activation of fire suppression devices/systems to\n                     appropriate personnel, roles, and emergency responders\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire suppression\n                     devices/systems\\n\\nactivation of fire suppression devices/systems (simulated)\\n\\nautomated notifications"}]}]},{"id":"pe-13.3","class":"SP800-53-enhancement","title":"Automatic Fire Suppression","properties":[{"name":"label","value":"PE-13(3)"},{"name":"sort-id","value":"pe-13.03"}],"parts":[{"id":"pe-13.3_smt","name":"statement","prose":"The organization employs an automatic fire suppression capability for the\n                  information system when the facility is not staffed on a continuous basis."},{"id":"pe-13.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs an automatic fire suppression capability for\n                  the information system when the facility is not staffed on a continuous basis.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems documentation\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for providing automatic\n                     notifications of any activation of fire suppression devices/systems to\n                     appropriate personnel, roles, and emergency responders\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing fire suppression\n                     devices/systems\\n\\nactivation of fire suppression devices/systems (simulated)"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","parameters":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels","constraints":[{"detail":"consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},{"id":"pe-14_prm_2","label":"organization-defined frequency","constraints":[{"detail":"continuously"}]}],"properties":[{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the\n                  information system resides at {{ pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ pe-14_prm_2 }}."},{"id":"pe-14_fr","name":"item","title":"PE-14(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pe-14_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels by dew point."}]}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources, for example, data centers, server rooms, and mainframe computer\n               rooms.","links":[{"href":"#at-3","rel":"related","text":"AT-3"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-14.a_obj","name":"objective","properties":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility\n                     where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where\n                     the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system\n                     resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system\n                     resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","properties":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity control\\n\\nsecurity plan\\n\\ntemperature and humidity controls\\n\\nfacility housing the information system\\n\\ntemperature and humidity controls documentation\\n\\ntemperature and humidity records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing maintenance and monitoring of\n                  temperature and humidity levels"}]}],"controls":[{"id":"pe-14.2","class":"SP800-53-enhancement","title":"Monitoring with Alarms / Notifications","properties":[{"name":"label","value":"PE-14(2)"},{"name":"sort-id","value":"pe-14.02"}],"parts":[{"id":"pe-14.2_smt","name":"statement","prose":"The organization employs temperature and humidity monitoring that provides an\n                  alarm or notification of changes potentially harmful to personnel or\n                  equipment."},{"id":"pe-14.2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-14.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(2)[1]"}],"prose":"employs temperature monitoring that provides an alarm of changes potentially\n                     harmful to personnel or equipment; and/or"},{"id":"pe-14.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-14(2)[2]"}],"prose":"employs temperature monitoring that provides notification of changes\n                     potentially harmful to personnel or equipment;"},{"id":"pe-14.2_obj.3","name":"objective","properties":[{"name":"label","value":"PE-14(2)[3]"}],"prose":"employs humidity monitoring that provides an alarm of changes potentially\n                     harmful to personnel or equipment; and/or"},{"id":"pe-14.2_obj.4","name":"objective","properties":[{"name":"label","value":"PE-14(2)[4]"}],"prose":"employs humidity monitoring that provides notification of changes potentially\n                     harmful to personnel or equipment."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity monitoring\\n\\nfacility housing the information system\\n\\nlogs or records of temperature and humidity monitoring\\n\\nrecords of changes to temperature and humidity levels that generate alarms or\n                     notifications\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                     environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing temperature and humidity\n                     monitoring"}]}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","properties":[{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water\n               leakage by providing master shutoff or isolation valves that are accessible, working\n               properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Isolation valves can be employed in addition to or in lieu of master\n               shutoff valves to shut off water supplies in specific areas of concern, without\n               affecting entire organizations.","links":[{"href":"#at-3","rel":"related","text":"AT-3"}]},{"id":"pe-15_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization protects the information system from damage resulting\n               from water leakage by providing master shutoff or isolation valves that are: ","parts":[{"id":"pe-15_obj.1","name":"objective","properties":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","properties":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","properties":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nmaster shutoff valves\\n\\nlist of key personnel with knowledge of location and activation procedures for\n                  master shutoff valves for the plumbing system\\n\\nmaster shutoff valve documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\\n\\norganizational process for activating master water-shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","parameters":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components","constraints":[{"detail":"all information system components"}]}],"properties":[{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}\n               entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system\n               components may require restricting access to delivery areas and possibly isolating\n               the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ma-3","rel":"related","text":"MA-3"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-16_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and\n                  controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the\n                  facility;"},{"id":"pe-16_obj.5","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.6","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.7","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the\n                  facility;"},{"id":"pe-16_obj.8","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing delivery and removal of information system components from\n                  the facility\\n\\nsecurity plan\\n\\nfacility housing the information system\\n\\nrecords of items entering and exiting the facility\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system\n                  components entering and exiting the facility\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information\n                  system-related items entering and exiting the facility\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling information system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","parameters":[{"id":"pe-17_prm_1","label":"organization-defined security controls"}],"properties":[{"name":"label","value":"PE-17"},{"name":"sort-id","value":"pe-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference","text":"NIST Special Publication 800-46"}],"parts":[{"id":"pe-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-17_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs {{ pe-17_prm_1 }} at alternate work sites;"},{"id":"pe-17_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Assesses as feasible, the effectiveness of security controls at alternate work\n                  sites; and"},{"id":"pe-17_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Provides a means for employees to communicate with information security personnel\n                  in case of security incidents or problems."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites may include, for example, government facilities or private\n               residences of employees. While commonly distinct from alternative processing sites,\n               alternate work sites may provide readily available alternate locations as part of\n               contingency operations. Organizations may define different sets of security controls\n               for specific alternate work sites or types of sites depending on the work-related\n               activities conducted at those sites. This control supports the contingency planning\n               activities of organizations and the federal telework initiative.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#cp-7","rel":"related","text":"CP-7"}]},{"id":"pe-17_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pe-17.a_obj","name":"objective","properties":[{"name":"label","value":"PE-17(a)"}],"parts":[{"id":"pe-17.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PE-17(a)[1]"}],"prose":"defines security controls to be employed at alternate work sites;"},{"id":"pe-17.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-17(a)[2]"}],"prose":"employs organization-defined security controls at alternate work sites;"}]},{"id":"pe-17.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PE-17(b)"}],"prose":"assesses, as feasible, the effectiveness of security controls at alternate work\n                  sites; and"},{"id":"pe-17.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PE-17(c)"}],"prose":"provides a means for employees to communicate with information security personnel\n                  in case of security incidents or problems."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\\n\\nprocedures addressing alternate work sites for organizational personnel\\n\\nsecurity plan\\n\\nlist of security controls required for alternate work sites\\n\\nassessments of security controls at alternate work sites\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel approving use of alternate work sites\\n\\norganizational personnel using alternate work sites\\n\\norganizational personnel assessing controls at alternate work sites\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security at alternate work sites\\n\\nautomated mechanisms supporting alternate work sites\\n\\nsecurity controls employed at alternate work sites\\n\\nmeans of communications between personnel at alternate work sites and security\n                  personnel"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","parameters":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"pl-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and\n                     associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PL\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be\n                        disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or\n                        roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the\n                        organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures;\n                        and"},{"id":"pl-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","parameters":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of\n                     missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","properties":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including\n                     supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","properties":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","properties":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","properties":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","properties":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","properties":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the\n                  plan to {{ pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system/environment of\n                  operation or problems identified during plan implementation or security control\n                  assessments; and"},{"id":"pl-2_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control\n               enhancements. Security plans also describe, at a high level, how the security\n               controls and control enhancements meet those security requirements, but do not\n               provide detailed, technical descriptions of the specific design or implementation of\n               the controls/enhancements. Security plans contain sufficient information (including\n               the specification of parameter values for assignment and selection statements either\n               explicitly or by reference) to enable a design and implementation that is\n               unambiguously compliant with the intent of the plans and subsequent determinations of\n               risk to organizational operations and assets, individuals, other organizations, and\n               the Nation if the plan is implemented as intended. Organizations can also apply\n               tailoring guidance to the security control baselines in Appendix D and CNSS\n               Instruction 1253 to develop overlays for community-wide use or to address specialized\n               requirements, technologies, or missions/environments of operation (e.g.,\n               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and\n               Access Management, space operations). Appendix I provides guidance on developing\n               overlays. Security plans need not be single documents; the plans can be a collection\n               of various documents including documents that already exist. Effective security plans\n               make extensive use of references to policies, procedures, and additional documents\n               (e.g., design and implementation specifications) where more detailed information can\n               be obtained. This reduces the documentation requirements associated with security\n               programs and maintains security-related information in other established\n               management/operational areas related to enterprise architecture, system development\n               life cycle, systems engineering, and acquisition. For example, security plans do not\n               contain detailed contingency plan or incident response plan information but instead\n               provide explicitly or by reference, sufficient information to define what needs to be\n               accomplished by those plans.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-14","rel":"related","text":"AC-14"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#ir-8","rel":"related","text":"IR-8"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#ma-5","rel":"related","text":"MA-5"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#pl-7","rel":"related","text":"PL-7"},{"href":"#pm-1","rel":"related","text":"PM-1"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#pm-8","rel":"related","text":"PM-8"},{"href":"#pm-9","rel":"related","text":"PM-9"},{"href":"#pm-11","rel":"related","text":"PM-11"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-2.a_obj","name":"objective","properties":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of\n                     missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including\n                     supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring and supplemental\n                     decisions;"},{"id":"pl-2.a.9_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","properties":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be\n                     distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to\n                     the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","properties":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information\n                     system;"},{"id":"pl-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the\n                     organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","properties":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","properties":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","properties":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing security plan development and implementation\\n\\nprocedures addressing security plan reviews and updates\\n\\nenterprise architecture documentation\\n\\nsecurity plan for the information system\\n\\nrecords of security plan reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development/review/update/approval\\n\\nautomated mechanisms supporting the information system security plan"}]}],"controls":[{"id":"pl-2.3","class":"SP800-53-enhancement","title":"Plan / Coordinate with Other Organizational Entities","parameters":[{"id":"pl-2.3_prm_1","label":"organization-defined individuals or groups"}],"properties":[{"name":"label","value":"PL-2(3)"},{"name":"sort-id","value":"pl-02.03"}],"parts":[{"id":"pl-2.3_smt","name":"statement","prose":"The organization plans and coordinates security-related activities affecting the\n                  information system with {{ pl-2.3_prm_1 }} before conducting such\n                  activities in order to reduce the impact on other organizational entities."},{"id":"pl-2.3_gdn","name":"guidance","prose":"Security-related activities include, for example, security assessments, audits,\n                  hardware and software maintenance, patch management, and contingency plan testing.\n                  Advance planning and coordination includes emergency and nonemergency (i.e.,\n                  planned or nonurgent unplanned) situations. The process defined by organizations\n                  to plan and coordinate security-related activities can be included in security\n                  plans for information systems or other documents, as appropriate.","links":[{"href":"#cp-4","rel":"related","text":"CP-4"},{"href":"#ir-4","rel":"related","text":"IR-4"}]},{"id":"pl-2.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-2.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-2(3)[1]"}],"prose":"defines individuals or groups with whom security-related activities affecting\n                     the information system are to be planned and coordinated before conducting such\n                     activities in order to reduce the impact on other organizational entities;\n                     and"},{"id":"pl-2.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PL-2(3)[2]"}],"prose":"plans and coordinates security-related activities affecting the information\n                     system with organization-defined individuals or groups before conducting such\n                     activities in order to reduce the impact on other organizational entities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\naccess control policy\\n\\ncontingency planning policy\\n\\nprocedures addressing security-related activity planning for the information\n                     system\\n\\nsecurity plan for the information system\\n\\ncontingency plan for the information system\\n\\ninformation system design documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation\n                     responsibilities\\n\\norganizational individuals or groups with whom security-related activities are\n                     to be planned and coordinated\\n\\norganizational personnel with information security responsibilities"}]}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","parameters":[{"id":"pl-4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"At least every 3 years"}]}],"properties":[{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference","text":"NIST Special Publication 800-18"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the\n                  information system, the rules that describe their responsibilities and expected\n                  behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior\n                  to read and re-sign when the rules of behavior are revised/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider\n               rules of behavior based on individual user roles and responsibilities,\n               differentiating, for example, between rules that apply to privileged users and rules\n               that apply to general users. Establishing rules of behavior for some types of\n               non-organizational users including, for example, individuals who simply receive\n               data/information from federal information systems, is often not feasible given the\n               large number of such users and the limited nature of their interactions with the\n               systems. Rules of behavior for both organizational and non-organizational users can\n               also be established in AC-8, System Use Notification. PL-4 b. (the signed\n               acknowledgment portion of this control) may be satisfied by the security awareness\n               training and role-based security training programs conducted by organizations if such\n               training includes rules of behavior. Organizations can use electronic signatures for\n               acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-9","rel":"related","text":"AC-9"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#ac-20","rel":"related","text":"AC-20"},{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#ia-5","rel":"related","text":"IA-5"},{"href":"#mp-7","rel":"related","text":"MP-7"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#ps-8","rel":"related","text":"PS-8"},{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-4.a_obj","name":"objective","properties":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the\n                     rules that describe their responsibilities and expected behavior with regard to\n                     information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information\n                     system, the rules that describe their responsibilities and expected behavior\n                     with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","properties":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined\n                     frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior\n                  to read and resign when the rules of behavior are revised/updated."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nsigned acknowledgements\\n\\nrecords for rules of behavior reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and\n                  updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                  have signed and resigned rules of behavior\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating\n                  rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment, review,\n                  dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and Networking Restrictions","properties":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"pl-04.01"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"The organization includes in the rules of behavior, explicit restrictions on the\n                  use of social media/networking sites and posting organizational information on\n                  public websites."},{"id":"pl-4.1_gdn","name":"guidance","prose":"This control enhancement addresses rules of behavior related to the use of social\n                  media/networking sites: (i) when organizational personnel are using such sites for\n                  official duties or in the conduct of official business; (ii) when organizational\n                  information is involved in social media/networking transactions; and (iii) when\n                  personnel are accessing social media/networking sites from organizational\n                  information systems. Organizations also address specific rules that prevent\n                  unauthorized entities from obtaining and/or inferring non-public organizational\n                  information (e.g., system account information, personally identifiable\n                  information) from social media/networking sites."},{"id":"pl-4.1_obj","name":"objective","prose":"Determine if the organization includes the following in the rules of behavior: ","parts":[{"id":"pl-4.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(1)[1]"}],"prose":"explicit restrictions on the use of social media/networking sites; and"},{"id":"pl-4.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-4(1)[2]"}],"prose":"posting organizational information on public websites."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and\n                     updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                     have signed rules of behavior\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment of rules\n                     of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Information Security Architecture","parameters":[{"id":"pl-8_prm_1","label":"organization-defined frequency","constraints":[{"detail":"At least annually or when a significant change occurs"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PL-8"},{"name":"sort-id","value":"pl-08"}],"parts":[{"id":"pl-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops an information security architecture for the information system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Describes the overall philosophy, requirements, and approach to be taken with\n                     regard to protecting the confidentiality, integrity, and availability of\n                     organizational information;"},{"id":"pl-8_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Describes how the information security architecture is integrated into and\n                     supports the enterprise architecture; and"},{"id":"pl-8_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Describes any information security assumptions about, and dependencies on,\n                     external services;"}]},{"id":"pl-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information security architecture {{ pl-8_prm_1 }} to reflect updates in the enterprise architecture;\n                  and"},{"id":"pl-8_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that planned information security architecture changes are reflected in\n                  the security plan, the security Concept of Operations (CONOPS), and organizational\n                  procurements/acquisitions."},{"id":"pl-8_fr","name":"item","title":"PL-8(b) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pl-8_fr_gdn.b","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."}]}]},{"id":"pl-8_gdn","name":"guidance","prose":"This control addresses actions taken by organizations in the design and development\n               of information systems. The information security architecture at the individual\n               information system level is consistent with and complements the more global,\n               organization-wide information security architecture described in PM-7 that is\n               integral to and developed as part of the enterprise architecture. The information\n               security architecture includes an architectural description, the placement/allocation\n               of security functionality (including security controls), security-related information\n               for external interfaces, information being exchanged across the interfaces, and the\n               protection mechanisms associated with each interface. In addition, the security\n               architecture can include other important security-related information, for example,\n               user roles and access privileges assigned to each role, unique security requirements,\n               the types of information processed, stored, and transmitted by the information\n               system, restoration priorities of information and information system services, and\n               any other specific protection needs. In today’s modern architecture, it is becoming\n               less common for organizations to control all information resources. There are going\n               to be key dependencies on external information services and service providers.\n               Describing such dependencies in the information security architecture is important to\n               developing a comprehensive mission/business protection strategy. Establishing,\n               developing, documenting, and maintaining under configuration control, a baseline\n               configuration for organizational information systems is critical to implementing and\n               maintaining an effective information security architecture. The development of the\n               information security architecture is coordinated with the Senior Agency Official for\n               Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to\n               support privacy requirements are identified and effectively implemented. PL-8 is\n               primarily directed at organizations (i.e., internally focused) to help ensure that\n               organizations develop an information security architecture for the information\n               system, and that the security architecture is integrated with or tightly coupled to\n               the enterprise architecture through the organization-wide information security\n               architecture. In contrast, SA-17 is primarily directed at external information\n               technology product/system developers and integrators (although SA-17 could be used\n               internally within organizations for in-house system development). SA-17, which is\n               complementary to PL-8, is selected when organizations outsource the development of\n               information systems or information system components to external entities, and there\n               is a need to demonstrate/show consistency with the organization’s enterprise\n               architecture and information security architecture.","links":[{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"https://doi.org/10.6028/NIST.SP.800-53r4","rel":"related","text":"Appendix J"}]},{"id":"pl-8_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"pl-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-8(a)"}],"prose":"develops an information security architecture for the information system that\n                  describes:","parts":[{"id":"pl-8.a.1_obj","name":"objective","properties":[{"name":"label","value":"PL-8(a)(1)"}],"prose":"the overall philosophy, requirements, and approach to be taken with regard to\n                     protecting the confidentiality, integrity, and availability of organizational\n                     information;"},{"id":"pl-8.a.2_obj","name":"objective","properties":[{"name":"label","value":"PL-8(a)(2)"}],"prose":"how the information security architecture is integrated into and supports the\n                     enterprise architecture;"},{"id":"pl-8.a.3_obj","name":"objective","properties":[{"name":"label","value":"PL-8(a)(3)"}],"prose":"any information security assumptions about, and dependencies on, external\n                     services;"}]},{"id":"pl-8.b_obj","name":"objective","properties":[{"name":"label","value":"PL-8(b)"}],"parts":[{"id":"pl-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PL-8(b)[1]"}],"prose":"defines the frequency to review and update the information security\n                     architecture;"},{"id":"pl-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-8(b)[2]"}],"prose":"reviews and updates the information security architecture with the\n                     organization-defined frequency to reflect updates in the enterprise\n                     architecture;"}]},{"id":"pl-8.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PL-8(c)"}],"prose":"ensures that planned information security architecture changes are reflected\n                  in:","parts":[{"id":"pl-8.c_obj.1","name":"objective","properties":[{"name":"label","value":"PL-8(c)[1]"}],"prose":"the security plan;"},{"id":"pl-8.c_obj.2","name":"objective","properties":[{"name":"label","value":"PL-8(c)[2]"}],"prose":"the security Concept of Operations (CONOPS); and"},{"id":"pl-8.c_obj.3","name":"objective","properties":[{"name":"label","value":"PL-8(c)[3]"}],"prose":"the organizational procurements/acquisitions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\\n\\nprocedures addressing information security architecture development\\n\\nprocedures addressing information security architecture reviews and updates\\n\\nenterprise architecture documentation\\n\\ninformation security architecture documentation\\n\\nsecurity plan for the information system\\n\\nsecurity CONOPS for the information system\\n\\nrecords of information security architecture reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security architecture development\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing, reviewing, and updating the information\n                  security architecture\\n\\nautomated mechanisms supporting and/or implementing the development, review, and\n                  update of the information security architecture"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","parameters":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ps-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy\n                     and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PS\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be\n                        disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel\n                        or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security\n                        policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the\n                        organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security\n                        procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","parameters":[{"id":"ps-2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least every three years"}]}],"properties":[{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference","text":"5 C.F.R. 731.106"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and\n               guidance. Risk designations can guide and inform the types of authorizations\n               individuals receive when accessing organizational information and information\n               systems. Position screening criteria include explicit information security role\n               appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-3","rel":"related","text":"PS-3"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","properties":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined\n                     frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing position categorization\\n\\nappropriate codes of federal regulations\\n\\nlist of risk designations for organizational positions\\n\\nsecurity plan\\n\\nrecords of position risk designation reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk\n                  designations\\n\\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","parameters":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is\n               so indicated, the frequency of such rescreening","constraints":[{"detail":"for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference","text":"5 C.F.R. 731.106"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference","text":"NIST Special Publication 800-73"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference","text":"NIST Special Publication 800-76"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference","text":"NIST Special Publication 800-78"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference","text":"ICD 704"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, guidance, and\n               specific criteria established for the risk designations of assigned positions.\n               Organizations may define different rescreening conditions and frequencies for\n               personnel accessing information systems based on types of information processed,\n               stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-2","rel":"related","text":"PS-2"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","properties":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions\n                     requiring re-screening and, where re-screening is so indicated, with the\n                     organization-defined frequency of such re-screening."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nsecurity plan\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}],"controls":[{"id":"ps-3.3","class":"SP800-53-enhancement","title":"Information with Special Protection Measures","parameters":[{"id":"ps-3.3_prm_1","label":"organization-defined additional personnel screening criteria","constraints":[{"detail":"personnel screening criteria - as required by specific information"}]}],"properties":[{"name":"label","value":"PS-3(3)"},{"name":"sort-id","value":"ps-03.03"}],"parts":[{"id":"ps-3.3_smt","name":"statement","prose":"The organization ensures that individuals accessing an information system\n                  processing, storing, or transmitting information requiring special protection:","parts":[{"id":"ps-3.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Have valid access authorizations that are demonstrated by assigned official\n                     government duties; and"},{"id":"ps-3.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Satisfy {{ ps-3.3_prm_1 }}."}]},{"id":"ps-3.3_gdn","name":"guidance","prose":"Organizational information requiring special protection includes, for example,\n                  Controlled Unclassified Information (CUI) and Sources and Methods Information\n                  (SAMI). Personnel security criteria include, for example, position sensitivity\n                  background screening requirements."},{"id":"ps-3.3_obj","name":"objective","prose":"Determine if the organization: ","parts":[{"id":"ps-3.3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-3(3)(a)"}],"prose":"ensures that individuals accessing an information system processing, storing,\n                     or transmitting information requiring special protection have valid access\n                     authorizations that are demonstrated by assigned official government\n                     duties;","links":[{"href":"#ps-3.3_smt.a","rel":"corresp","text":"PS-3(3)(a)"}]},{"id":"ps-3.3.b_obj","name":"objective","properties":[{"name":"label","value":"PS-3(3)(b)"}],"parts":[{"id":"ps-3.3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-3(3)(b)[1]"}],"prose":"defines additional personnel screening criteria to be satisfied for\n                        individuals accessing an information system processing, storing, or\n                        transmitting information requiring special protection; and"},{"id":"ps-3.3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-3(3)(b)[2]"}],"prose":"ensures that individuals accessing an information system processing,\n                        storing, or transmitting information requiring special protection satisfy\n                        organization-defined additional personnel screening criteria."}],"links":[{"href":"#ps-3.3_smt.b","rel":"corresp","text":"PS-3(3)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\naccess control policy, procedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nscreening criteria\\n\\nrecords of access authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for ensuring valid access authorizations for\n                     information requiring special protection\\n\\norganizational process for additional personnel screening for information\n                     requiring special protection"}]}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","parameters":[{"id":"ps-4_prm_1","label":"organization-defined time period","constraints":[{"detail":"same day"}]},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Terminates/revokes any authenticators/credentials associated with the\n                  individual;"},{"id":"ps-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related\n                  property;"},{"id":"ps-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly\n                  controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication\n               tokens, system administration technical manuals, keys, identification cards, and\n               building passes. Exit interviews ensure that terminated individuals understand the\n               security constraints imposed by being former employees and that proper accountability\n               is achieved for information system-related property. Security topics of interest at\n               exit interviews can include, for example, reminding terminated individuals of\n               nondisclosure agreements and potential limitations on future employment. Exit\n               interviews may not be possible for some terminated individuals, for example, in cases\n               related to job abandonment, illnesses, and nonavailability of supervisors. Exit\n               interviews are important for individuals with security clearances. Timely execution\n               of termination actions is essential for individuals terminated for cause. In certain\n               situations, organizations consider disabling the information system accounts of\n               individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","properties":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time\n                     period;"}]},{"id":"ps-4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(b)"}],"prose":"terminates/revokes any authenticators/credentials associated with the\n                  individual;"},{"id":"ps-4.c_obj","name":"objective","properties":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit\n                     interviews;"},{"id":"ps-4.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined\n                     information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related\n                  property;"},{"id":"ps-4.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly\n                  controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","properties":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel\n                     or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\nrecords of personnel termination actions\\n\\nlist of information system accounts\\n\\nrecords of terminated or revoked authenticators/credentials\\n\\nrecords of exit interviews\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","parameters":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period","constraints":[{"detail":"five days of the time period following the formal transfer action (DoD 24 hours)"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical\n                  access authorizations to information systems/facilities when individuals are\n                  reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or\n               of such extended durations as to make the actions warranted. Organizations define\n               actions appropriate for the types of reassignments or transfers, whether permanent or\n               extended. Actions that may be required for personnel transfers or reassignments to\n               other positions within organizations include, for example: (i) returning old and\n               issuing new keys, identification cards, and building passes; (ii) closing information\n               system accounts and establishing new accounts; (iii) changing information system\n               access authorizations (i.e., privileges); and (iv) providing for access to official\n               records to which individuals had access at previous work locations and in previous\n               information system accounts.","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ia-4","rel":"related","text":"IA-4"},{"href":"#pe-2","rel":"related","text":"PE-2"},{"href":"#ps-4","rel":"related","text":"PS-4"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","properties":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the\n                  organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","properties":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or\n                     reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must\n                     occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the\n                     organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","properties":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or\n                     transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel\n                     or roles when individuals are reassigned or transferred to other positions\n                     within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period when individuals are reassigned or transferred\n                     to other positions within the organization."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel transfer\\n\\nsecurity plan\\n\\nrecords of personnel transfer actions\\n\\nlist of information system and facility access authorizations\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational\n                  personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\\n\\nautomated mechanisms supporting and/or implementing personnel transfer\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","parameters":[{"id":"ps-6_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]},{"id":"ps-6_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information\n                  systems;"},{"id":"ps-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and\n                  information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information\n                     systems when access agreements have been updated or {{ ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use\n               agreements, rules of behavior, and conflict-of-interest agreements. Signed access\n               agreements include an acknowledgement that individuals have read, understand, and\n               agree to abide by the constraints associated with organizational information systems\n               to which access is authorized. Organizations can use electronic signatures to\n               acknowledge access agreements unless specifically prohibited by organizational\n               policy.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-8","rel":"related","text":"PS-8"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information\n                  systems;"},{"id":"ps-6.b_obj","name":"objective","properties":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined\n                     frequency;"}]},{"id":"ps-6.c_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and\n                     information systems sign appropriate access agreements prior to being granted\n                     access;"},{"id":"ps-6.c.2_obj","name":"objective","properties":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been\n                        updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and\n                        information systems re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been updated\n                        or with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing access agreements for organizational information and\n                  information systems\\n\\nsecurity plan\\n\\naccess agreements\\n\\nrecords of access agreement reviews and updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel who have signed/resigned access agreements\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\\n\\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","parameters":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period","constraints":[{"detail":"organization-defined time period - same day"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and\n                  responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ ps-7_prm_1 }} of any\n                  personnel transfers or terminations of third-party personnel who possess\n                  organizational credentials and/or badges, or who have information system\n                  privileges within {{ ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other\n               organizations providing information system development, information technology\n               services, outsourced applications, and network and security management. Organizations\n               explicitly include personnel security requirements in acquisition-related documents.\n               Third-party providers may have personnel working at organizational facilities with\n               credentials, badges, or information system privileges issued by organizations.\n               Notifications of third-party personnel changes ensure appropriate termination of\n               privileges and credentials. Organizations define the transfers and terminations\n               deemed reportable by security-related characteristics that include, for example,\n               functions, roles, and nature of credentials/privileges associated with individuals\n               transferred or terminated.","links":[{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#ps-3","rel":"related","text":"PS-3"},{"href":"#ps-4","rel":"related","text":"PS-4"},{"href":"#ps-5","rel":"related","text":"PS-5"},{"href":"#ps-6","rel":"related","text":"PS-6"},{"href":"#sa-9","rel":"related","text":"SA-9"},{"href":"#sa-21","rel":"related","text":"SA-21"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and\n                  responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","properties":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to\n                     notify organization-defined personnel or roles of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or\n                     roles within the organization-defined time period of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing third-party personnel security\\n\\nlist of personnel security requirements\\n\\nacquisition documents\\n\\nservice-level agreements\\n\\ncompliance monitoring process\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\nthird-party providers\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel\n                  security\\n\\nautomated mechanisms supporting and/or implementing monitoring of provider\n                  compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","parameters":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"properties":[{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}\n                  when a formal employee sanctions process is initiated, identifying the individual\n                  sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Sanctions processes are\n               described in access agreements and can be included as part of general personnel\n               policies and procedures for organizations. Organizations consult with the Office of\n               the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-6","rel":"related","text":"PS-6"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","properties":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions\n                     process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles\n                     must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the\n                     organization-defined time period when a formal employee sanctions process is\n                     initiated, identifying the individual sanctioned and the reason for the\n                     sanction."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\\n\\nprocedures addressing personnel sanctions\\n\\nrules of behavior\\n\\nrecords of formal sanctions\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\\n\\nautomated mechanisms supporting and/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","parameters":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"ra-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and\n                     associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the RA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be\n                        disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or\n                        roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment\n                        policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the\n                        organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment\n                        procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the\n                        organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","properties":[{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference","text":"NIST Special Publication 800-60"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"},{"id":"ra-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated\n                  representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security\n               categorization decisions. Security categories describe the potential adverse impacts\n               to organizational operations, organizational assets, and individuals if\n               organizational information and information systems are comprised through a loss of\n               confidentiality, integrity, or availability. Organizations conduct the security\n               categorization process as an organization-wide activity with the involvement of chief\n               information officers, senior information security officers, information system\n               owners, mission/business owners, and information owners/stewards. Organizations also\n               consider the potential adverse impacts to other organizations and, in accordance with\n               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential\n               national-level adverse impacts. Security categorization processes carried out by\n               organizations facilitate the development of inventories of information assets, and\n               along with CM-8, mappings to specific information system components where information\n               is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"},{"id":"ra-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative\n                  reviews and approves the security categorization decision."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing security categorization of organizational information and\n                  information systems\\n\\nsecurity plan\\n\\nsecurity categorization documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","parameters":[{"id":"ra-3_prm_1"},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document","constraints":[{"detail":"security assessment report"}]},{"id":"ra-3_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency","constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]}],"properties":[{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference","text":"OMB Memorandum 04-04"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference","text":"NIST Special Publication 800-30"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference","text":"NIST Special Publication 800-39"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference","text":"http://idmanagement.gov"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of the information system and the information it processes, stores, or\n                  transmits;"},{"id":"ra-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are\n                  significant changes to the information system or environment of operation\n                  (including the identification of new threats and vulnerabilities), or other\n                  conditions that may impact the security state of the system."},{"id":"ra-3_fr","name":"item","title":"RA-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","properties":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include FedRAMP."}]}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk\n               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,\n               and impact to organizational operations and assets, individuals, other organizations,\n               and the Nation based on the operation and use of information systems. Risk\n               assessments also take into account risk from external parties (e.g., service\n               providers, contractors operating information systems on behalf of the organization,\n               individuals accessing organizational information systems, outsourcing entities). In\n               accordance with OMB policy and related E-authentication initiatives, authentication\n               of public users accessing federal information systems may also be required to protect\n               nonpublic or privacy-related information. As such, organizational assessments of risk\n               also address public access to federal information systems. Risk assessments (either\n               formal or informal) can be conducted at all three tiers in the risk management\n               hierarchy (i.e., organization level, mission/business process level, or information\n               system level) and at any phase in the system development life cycle. Risk assessments\n               can also be conducted at various steps in the Risk Management Framework, including\n               categorization, security control selection, security control implementation, security\n               control assessment, information system authorization, and security control\n               monitoring. RA-3 is noteworthy in that the control must be partially implemented\n               prior to the implementation of other controls in order to complete the first two\n               steps in the Risk Management Framework. Risk assessments can play an important role\n               in security control selection processes, particularly during the application of\n               tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","properties":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","properties":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if\n                     not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","properties":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","properties":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be\n                     disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or\n                     roles;"}]},{"id":"ra-3.e_obj","name":"objective","properties":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or\n                        environment of operation (including the identification of new threats and\n                        vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of\n                        the system."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing organizational assessments of risk\\n\\nsecurity plan\\n\\nrisk assessment\\n\\nrisk assessment results\\n\\nrisk assessment reviews\\n\\nrisk assessment updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\\n\\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,\n                  disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","parameters":[{"id":"ra-5_prm_1","label":"organization-defined frequency and/or randomly in accordance with\n               organization-defined process","constraints":[{"detail":"monthly operating system/infrastructure; monthly web applications and databases"}]},{"id":"ra-5_prm_2","label":"organization-defined response times","constraints":[{"detail":"high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"}]},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference","text":"NIST Special Publication 800-115"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference","text":"http://cwe.mitre.org"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications\n                     {{ ra-5_prm_1 }} and when new vulnerabilities potentially\n                  affecting the system/applications are identified and reported;","parts":[{"id":"ra-5_fr_smt.a","name":"item","title":"RA-5(a) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (a)Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."}]},{"id":"ra-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control\n                  assessments;"},{"id":"ra-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in\n                  accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security\n                  control assessments with {{ ra-5_prm_3 }} to help eliminate similar\n                  vulnerabilities in other information systems (i.e., systemic weaknesses or\n                  deficiencies).","parts":[{"id":"ra-5_fr_smt.e","name":"item","title":"RA-5(e) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (e)Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include FedRAMP."}]},{"id":"ra-5_fr","name":"item","title":"RA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}]}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and\n               comprehensiveness of vulnerability scans. Organizations determine the required\n               vulnerability scanning for all information system components, ensuring that potential\n               sources of vulnerabilities such as networked printers, scanners, and copiers are not\n               overlooked. Vulnerability analyses for custom software applications may require\n               additional approaches such as static analysis, dynamic analysis, binary analysis, or\n               a hybrid of the three approaches. Organizations can employ these analysis approaches\n               in a variety of tools (e.g., web-based application scanners, static analysis tools,\n               binary analyzers) and in source code reviews. Vulnerability scanning includes, for\n               example: (i) scanning for patch levels; (ii) scanning for functions, ports,\n               protocols, and services that should not be accessible to users or devices; and (iii)\n               scanning for improperly configured or incorrectly operating information flow control\n               mechanisms. Organizations consider using tools that express vulnerabilities in the\n               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open\n               Vulnerability Assessment Language (OVAL) to determine/test for the presence of\n               vulnerabilities. Suggested sources for vulnerability information include the Common\n               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In\n               addition, security control assessments such as red team exercises provide other\n               sources of potential vulnerabilities for which to scan. Organizations also consider\n               using tools that express vulnerability impact by the Common Vulnerability Scoring\n               System (CVSS).","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#ra-2","rel":"related","text":"RA-2"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","properties":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information\n                        system and hosted applications; and/or"},{"id":"ra-5.a_obj.1.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the\n                        information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and/or\n                     organization-defined process for conducting random scans, scans for\n                     vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system/applications are\n                     identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","properties":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","properties":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","properties":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","properties":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","properties":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","properties":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance\n                     with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response\n                     times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","properties":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the\n                     vulnerability scanning process and security control assessments is to be\n                     shared;"},{"id":"ra-5.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies)."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and\n                  vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with vulnerability remediation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and\n                  information sharing\\n\\nautomated mechanisms supporting and/or implementing vulnerability scanning,\n                  analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.1","class":"SP800-53-enhancement","title":"Update Tool Capability","properties":[{"name":"label","value":"RA-5(1)"},{"name":"sort-id","value":"ra-05.01"}],"parts":[{"id":"ra-5.1_smt","name":"statement","prose":"The organization employs vulnerability scanning tools that include the capability\n                  to readily update the information system vulnerabilities to be scanned."},{"id":"ra-5.1_gdn","name":"guidance","prose":"The vulnerabilities to be scanned need to be readily updated as new\n                  vulnerabilities are discovered, announced, and scanning methods developed. This\n                  updating process helps to ensure that potential vulnerabilities in the information\n                  system are identified and addressed as quickly as possible.","links":[{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"ra-5.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs vulnerability scanning tools that include\n                  the capability to readily update the information system vulnerabilities to be\n                  scanned."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"}]}]},{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update by Frequency / Prior to New Scan / When Identified","parameters":[{"id":"ra-5.2_prm_1","constraints":[{"detail":"prior to a new scan"}]},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"ra-05.02"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"The organization updates the information system vulnerabilities scanned {{ ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","links":[{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-5","rel":"related","text":"SI-5"}]},{"id":"ra-5.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(2)[1]"}],"prose":"defines the frequency to update the information system vulnerabilities\n                     scanned;"},{"id":"ra-5.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(2)[2]"}],"prose":"updates the information system vulnerabilities scanned one or more of the\n                     following:","parts":[{"id":"ra-5.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"RA-5(2)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-5.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"RA-5(2)[2][b]"}],"prose":"prior to a new scan; and/or"},{"id":"ra-5.2_obj.2.c","name":"objective","properties":[{"name":"label","value":"RA-5(2)[2][c]"}],"prose":"when new vulnerabilities are identified and reported."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"}]}]},{"id":"ra-5.3","class":"SP800-53-enhancement","title":"Breadth / Depth of Coverage","properties":[{"name":"label","value":"RA-5(3)"},{"name":"sort-id","value":"ra-05.03"}],"parts":[{"id":"ra-5.3_smt","name":"statement","prose":"The organization employs vulnerability scanning procedures that can identify the\n                  breadth and depth of coverage (i.e., information system components scanned and\n                  vulnerabilities checked)."},{"id":"ra-5.3_obj","name":"objective","prose":"Determine if the organization employs vulnerability scanning procedures that can\n                  identify:","parts":[{"id":"ra-5.3_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(3)[1]"}],"prose":"the breadth of coverage (i.e., information system components scanned); and"},{"id":"ra-5.3_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(3)[2]"}],"prose":"the depth of coverage (i.e., vulnerabilities checked)."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","parameters":[{"id":"ra-5.5_prm_1","label":"organization-identified information system components","constraints":[{"detail":"operating systems / web applications / databases"}]},{"id":"ra-5.5_prm_2","label":"organization-defined vulnerability scanning activities","constraints":[{"detail":"all scans"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"RA-5(5)"},{"name":"sort-id","value":"ra-05.05"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"The information system implements privileged access authorization to {{ ra-5.5_prm_1 }} for selected {{ ra-5.5_prm_2 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more\n                  intrusive or the information system component that is the subject of the scanning\n                  may contain highly sensitive information. Privileged access authorization to\n                  selected system components facilitates more thorough vulnerability scanning and\n                  also protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ra-5.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(5)[1]"}],"prose":"the organization defines information system components to which privileged\n                     access is authorized for selected vulnerability scanning activities;"},{"id":"ra-5.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"RA-5(5)[2]"}],"prose":"the organization defines vulnerability scanning activities selected for\n                     privileged access authorization to organization-defined information system\n                     components; and"},{"id":"ra-5.5_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"RA-5(5)[3]"}],"prose":"the information system implements privileged access authorization to\n                     organization-defined information system components for selected\n                     organization-defined vulnerability scanning activities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components for vulnerability scanning\\n\\npersonnel access authorization list\\n\\nauthorization credentials\\n\\naccess authorization records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel responsible for access control to the information\n                     system\\n\\norganizational personnel responsible for configuration management of the\n                     information system\\n\\nsystem developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\norganizational processes for access control\\n\\nautomated mechanisms supporting and/or implementing access control\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"}]}]},{"id":"ra-5.6","class":"SP800-53-enhancement","title":"Automated Trend Analyses","properties":[{"name":"label","value":"RA-5(6)"},{"name":"sort-id","value":"ra-05.06"}],"parts":[{"id":"ra-5.6_smt","name":"statement","prose":"The organization employs automated mechanisms to compare the results of\n                  vulnerability scans over time to determine trends in information system\n                  vulnerabilities.","parts":[{"id":"ra-5.6_fr","name":"item","title":"RA-5 (6) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include in Continuous Monitoring ISSO digest/report to JAB/AO"}]}]},{"id":"ra-5.6_gdn","name":"guidance","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"ra-5.6_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated mechanisms to compare the results\n                  of vulnerability scans over time to determine trends in information system\n                  vulnerabilities."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\ninformation system design documentation\\n\\nvulnerability scanning tools and techniques documentation\\n\\nvulnerability scanning results\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing trend analysis of\n                     vulnerability scan results"}]}]},{"id":"ra-5.8","class":"SP800-53-enhancement","title":"Review Historic Audit Logs","properties":[{"name":"label","value":"RA-5(8)"},{"name":"sort-id","value":"ra-05.08"}],"parts":[{"id":"ra-5.8_smt","name":"statement","prose":"The organization reviews historic audit logs to determine if a vulnerability\n                  identified in the information system has been previously exploited.","parts":[{"id":"ra-5.8_fr","name":"item","title":"RA-5 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"This enhancement is required for all high vulnerability scan findings."},{"id":"ra-5.8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability."}]}]},{"id":"ra-5.8_gdn","name":"guidance","links":[{"href":"#au-6","rel":"related","text":"AU-6"}]},{"id":"ra-5.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization reviews historic audit logs to determine if a\n                  vulnerability identified in the information system has been previously exploited.\n               "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\naudit logs\\n\\nrecords of audit log reviews\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with audit record review responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\\n\\norganizational process for audit record review and response\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing audit record review"}]}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","parameters":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"sa-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services\n                     acquisition policy and associated system and services acquisition controls;\n                     and"}]},{"id":"sa-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that\n                        addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition\n                        policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to\n                        organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and services acquisition policy and associated system and services\n                        acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services\n                        acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with\n                        the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services\n                        acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","properties":[{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference","text":"NIST Special Publication 800-65"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or\n                  information system service in mission/business process planning;"},{"id":"sa-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the\n                  information system or information system service as part of its capital planning\n                  and investment control process; and"},{"id":"sa-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial\n               information system or information system service acquisition and funding for the\n               sustainment of the system/service.","links":[{"href":"#pm-3","rel":"related","text":"PM-3"},{"href":"#pm-11","rel":"related","text":"PM-11"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or\n                  information system service in mission/business process planning;"},{"id":"sa-2.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its\n                  capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","properties":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","properties":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","properties":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the allocation of resources to information security\n                  requirements\\n\\nprocedures addressing capital planning and investment control\\n\\norganizational programming and budgeting documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational\n                  programming and budgeting responsibilities\\n\\norganizational personnel responsible for determining information security\n                  requirements for information systems/services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\\n\\norganizational processes for capital planning, programming, and budgeting\\n\\nautomated mechanisms supporting and/or implementing organizational capital\n                  planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","parameters":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"properties":[{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference","text":"NIST Special Publication 800-64"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ sa-3_prm_1 }} that\n                  incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities;\n                  and"},{"id":"sa-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into\n                  system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the\n               successful development, implementation, and operation of organizational information\n               systems. To apply the required security controls within the system development life\n               cycle requires a basic understanding of information security, threats,\n               vulnerabilities, adverse impacts, and risk to critical missions/business functions.\n               The security engineering principles in SA-8 cannot be properly applied if individuals\n               that design, code, and test information systems and system components (including\n               information technology products) do not understand security. Therefore, organizations\n               include qualified personnel, for example, chief information security officers,\n               security architects, security engineers, and information system security officers in\n               system development life cycle activities to ensure that security requirements are\n               incorporated into organizational information systems. It is equally important that\n               developers include individuals on the development team that possess the requisite\n               security expertise and skills to ensure that needed security capabilities are\n               effectively integrated into the information system. Security awareness and training\n               programs can help ensure that individuals having key security roles and\n               responsibilities have the appropriate experience, skills, and expertise to conduct\n               assigned system development life cycle activities. The effective integration of\n               security requirements into enterprise architecture also helps to ensure that\n               important security considerations are addressed early in the system development life\n               cycle and that those considerations are directly related to the organizational\n               mission/business processes. This process also facilitates the integration of the\n               information security architecture into the enterprise architecture, consistent with\n               organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-8","rel":"related","text":"SA-8"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","properties":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security\n                     considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system\n                     development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities;\n                  and"},{"id":"sa-3.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into\n                  system development life cycle activities."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security into the system\n                  development life cycle process\\n\\ninformation system development life cycle documentation\\n\\ninformation security risk management strategy/program documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle\n                  development responsibilities\\n\\norganizational personnel with information security risk management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\\n\\norganizational processes for identifying SDLC roles and responsibilities\\n\\norganizational process for integrating information security risk management into\n                  the SDLC\\n\\nautomated mechanisms supporting and/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","properties":[{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference","text":"HSPD-12"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference","text":"ISO/IEC 15408"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference","text":"FIPS Publication 201"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference","text":"NIST Special Publication 800-23"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference","text":"NIST Special Publication 800-36"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference","text":"NIST Special Publication 800-37"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference","text":"NIST Special Publication 800-64"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference","text":"NIST Special Publication 800-70"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference","text":"Federal Acquisition Regulation"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference","text":"http://www.niap-ccevs.org"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference","text":"http://fips201ep.cio.gov"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference","text":"http://www.acquisition.gov/far"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria,\n               explicitly or by reference, in the acquisition contract for the information system,\n               system component, or information system service in accordance with applicable federal\n               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and\n               organizational mission/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in\n                  which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."},{"id":"sa-4_fr","name":"item","title":"SA-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."}]}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology\n               assets (e.g., hardware, software, or firmware) that represent the building blocks of\n               an information system. Information system components include commercial information\n               technology products. Security functional requirements include security capabilities,\n               security functions, and security mechanisms. Security strength requirements\n               associated with such capabilities, functions, and mechanisms include degree of\n               correctness, completeness, resistance to direct attack, and resistance to tampering\n               or bypass. Security assurance requirements include: (i) development processes,\n               procedures, practices, and methodologies; and (ii) evidence from development and\n               assessment activities providing grounds for confidence that the required security\n               functionality has been implemented and the required security strength has been\n               achieved. Security documentation requirements address all phases of the system\n               development life cycle. Security functionality, assurance, and documentation\n               requirements are expressed in terms of security controls and control enhancements\n               that have been selected through the tailoring process. The security control tailoring\n               process includes, for example, the specification of parameter values through the use\n               of assignment and selection statements and the specification of platform dependencies\n               and implementation information. Security documentation provides user and\n               administrator guidance regarding the implementation and operation of security\n               controls. The level of detail required in security documentation is based on the\n               security category or classification level of the information system and the degree to\n               which organizations depend on the stated security capability, functions, or\n               mechanisms to meet overall risk response expectations (as defined in the\n               organizational risk management strategy). Security requirements can also include\n               organizationally mandated configuration settings specifying allowed functions, ports,\n               protocols, and services. Acceptance criteria for information systems, information\n               system components, and information system services are defined in the same manner as\n               such criteria for any organizational acquisition or procurement. The Federal\n               Acquisition Regulation (FAR) Section 7.103 contains information security requirements\n               from FISMA.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#ps-7","rel":"related","text":"PS-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#sa-12","rel":"related","text":"SA-12"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and\n               criteria, explicitly or by reference, in the acquisition contracts for the\n               information system, system component, or information system service in accordance\n               with applicable federal laws, Executive Orders, directives, policies, regulations,\n               standards, guidelines, and organizational mission/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","properties":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","properties":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","properties":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","properties":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","properties":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","properties":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","properties":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","properties":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","properties":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                  descriptions, and criteria into the acquisition process\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ninformation system design documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security functional, strength, and assurance requirements\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional,\n                  strength, and assurance requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of\n                  security requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Security Controls","properties":[{"name":"label","value":"SA-4(1)"},{"name":"sort-id","value":"sa-04.01"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to provide a description of the\n                  functional properties of the security controls to be employed."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security controls describe the functionality (i.e.,\n                  security capability, functions, or mechanisms) visible at the interfaces of the\n                  controls and specifically exclude functionality and data structures internal to\n                  the operation of the controls.","links":[{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"sa-4.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to provide a description of the\n                  functional properties of the security controls to be employed."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documents\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security functional requirements\\n\\ninformation system developer or service provider\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security\n                     functional, requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion\n                     of security requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design / Implementation Information for Security Controls","parameters":[{"id":"sa-4.2_prm_1","constraints":[{"detail":"to include security-relevant external system interfaces and high-level design"}]},{"id":"sa-4.2_prm_2","depends-on":"sa-4.2_prm_1","label":"organization-defined design/implementation information"},{"id":"sa-4.2_prm_3","label":"organization-defined level of detail"}],"properties":[{"name":"label","value":"SA-4(2)"},{"name":"sort-id","value":"sa-04.02"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to provide design and implementation\n                  information for the security controls to be employed that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in design and implementation\n                  documentation for security controls employed in organizational information\n                  systems, system components, or information system services based on\n                  mission/business requirements, requirements for trustworthiness/resiliency, and\n                  requirements for analysis and testing. Information systems can be partitioned into\n                  multiple subsystems. Each subsystem within the system can contain one or more\n                  modules. The high-level design for the system is expressed in terms of multiple\n                  subsystems and the interfaces between subsystems providing security-relevant\n                  functionality. The low-level design for the system is expressed in terms of\n                  modules with particular emphasis on software and firmware (but not excluding\n                  hardware) and the interfaces between modules providing security-relevant\n                  functionality. Source code and hardware schematics are typically referred to as\n                  the implementation representation of the information system.","links":[{"href":"#sa-5","rel":"related","text":"SA-5"}]},{"id":"sa-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-4.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-4(2)[1]"}],"prose":"defines level of detail that the developer is required to provide in design and\n                     implementation information for the security controls to be employed in the\n                     information system, system component, or information system service;"},{"id":"sa-4.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-4(2)[2]"}],"prose":"defines design/implementation information that the developer is to provide for\n                     the security controls to be employed (if selected);"},{"id":"sa-4.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-4(2)[3]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to provide design and implementation information for\n                     the security controls to be employed that includes, at the organization-defined\n                     level of detail, one or more of the following:","parts":[{"id":"sa-4.2_obj.3.a","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][a]"}],"prose":"security-relevant external system interfaces;"},{"id":"sa-4.2_obj.3.b","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][b]"}],"prose":"high-level design;"},{"id":"sa-4.2_obj.3.c","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][c]"}],"prose":"low-level design;"},{"id":"sa-4.2_obj.3.d","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][d]"}],"prose":"source code;"},{"id":"sa-4.2_obj.3.e","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][e]"}],"prose":"hardware schematics; and/or"},{"id":"sa-4.2_obj.3.f","name":"objective","properties":[{"name":"label","value":"SA-4(2)[3][f]"}],"prose":"organization-defined design/implementation information."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documents\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system components, or\n                     information system services\\n\\ndesign and implementation information for security controls employed in the\n                     information system, system component, or information system service\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\ninformation system developer or service provider\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining level of detail for system design and\n                     security controls\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing development of system\n                     design details"}]}]},{"id":"sa-4.8","class":"SP800-53-enhancement","title":"Continuous Monitoring Plan","parameters":[{"id":"sa-4.8_prm_1","label":"organization-defined level of detail","constraints":[{"detail":"at least the minimum requirement as defined in control CA-7"}]}],"properties":[{"name":"label","value":"SA-4(8)"},{"name":"sort-id","value":"sa-04.08"}],"parts":[{"id":"sa-4.8_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to produce a plan for the continuous\n                  monitoring of security control effectiveness that contains {{ sa-4.8_prm_1 }}.","parts":[{"id":"sa-4.8_fr","name":"item","title":"SA-4 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4.8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSP must use the same security standards regardless of where the system component or information system service is acquired."}]}]},{"id":"sa-4.8_gdn","name":"guidance","prose":"The objective of continuous monitoring plans is to determine if the complete set\n                  of planned, required, and deployed security controls within the information\n                  system, system component, or information system service continue to be effective\n                  over time based on the inevitable changes that occur. Developer continuous\n                  monitoring plans include a sufficient level of detail such that the information\n                  can be incorporated into the continuous monitoring strategies and programs\n                  implemented by organizations.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"}]},{"id":"sa-4.8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-4.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-4(8)[1]"}],"prose":"defines the level of detail the developer of the information system, system\n                     component, or information system service is required to provide when producing\n                     a plan for the continuous monitoring of security control effectiveness; and"},{"id":"sa-4.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-4(8)[2]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to produce a plan for the continuous monitoring of\n                     security control effectiveness that contains the organization-defined level of\n                     detail."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing developer continuous monitoring plans\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\ndeveloper continuous monitoring plans\\n\\nsecurity assessment plans\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nacquisition documentation\\n\\nsolicitation documentation\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Vendor processes for continuous monitoring\\n\\nautomated mechanisms supporting and/or implementing developer continuous\n                     monitoring"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions / Ports / Protocols / Services in Use","properties":[{"name":"label","value":"SA-4(9)"},{"name":"sort-id","value":"sa-04.09"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to identify early in the system\n                  development life cycle, the functions, ports, protocols, and services intended for\n                  organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the\n                  system development life cycle (e.g., during the initial requirements definition\n                  and design phases) allows organizations to influence the design of the information\n                  system, information system component, or information system service. This early\n                  involvement in the life cycle helps organizations to avoid or minimize the use of\n                  functions, ports, protocols, or services that pose unnecessarily high risks and\n                  understand the trade-offs involved in blocking specific ports, protocols, or\n                  services (or when requiring information system service providers to do so). Early\n                  identification of functions, ports, protocols, and services avoids costly\n                  retrofitting of security controls after the information system, system component,\n                  or information system service has been implemented. SA-9 describes requirements\n                  for external information system services with organizations identifying which\n                  functions, ports, protocols, and services are provided from external sources.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#sa-9","rel":"related","text":"SA-9"}]},{"id":"sa-4.9_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to identify early in the system\n                  development life cycle:","parts":[{"id":"sa-4.9_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-4(9)[1]"}],"prose":"the functions intended for organizational use;"},{"id":"sa-4.9_obj.2","name":"objective","properties":[{"name":"label","value":"SA-4(9)[2]"}],"prose":"the ports intended for organizational use;"},{"id":"sa-4.9_obj.3","name":"objective","properties":[{"name":"label","value":"SA-4(9)[3]"}],"prose":"the protocols intended for organizational use; and"},{"id":"sa-4.9_obj.4","name":"objective","properties":[{"name":"label","value":"SA-4(9)[4]"}],"prose":"the services intended for organizational use."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\ninformation system design documentation\\n\\ninformation system documentation including functions, ports, protocols, and\n                     services intended for organizational use\\n\\nacquisition contracts for information systems or services\\n\\nacquisition documentation\\n\\nsolicitation documentation\\n\\nservice-level agreements\\n\\norganizational security requirements, descriptions, and criteria for developers\n                     of information systems, system components, and information system services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                     system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","properties":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS\n                  201-approved products list for Personal Identity Verification (PIV) capability\n                  implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related","text":"IA-2"},{"href":"#ia-8","rel":"related","text":"IA-8"}]},{"id":"sa-4.10_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs only information technology products on the\n                  FIPS 201-approved products list for Personal Identity Verification (PIV)\n                  capability implemented within organizational information systems. "},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nservice-level agreements\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\norganizational personnel with responsibility for ensuring only FIPS\n                     201-approved products are implemented\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved\n                     products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","parameters":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component,\n                  or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or\n                     service;"},{"id":"sa-5_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or\n                  information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"User-accessible security functions/mechanisms and how to effectively use those\n                     security functions/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","properties":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or\n                     service;"}]},{"id":"sa-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information\n                  system service documentation when such documentation is either unavailable or\n                  nonexistent and takes {{ sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management\n                  strategy; and"},{"id":"sa-5_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and\n               operation of security controls associated with information systems, system\n               components, and information system services. Organizations consider establishing\n               specific measures to determine the quality/completeness of the content provided. The\n               inability to obtain needed documentation may occur, for example, due to the age of\n               the information system/component or lack of support from developers and contractors.\n               In those situations, organizations may need to recreate selected documentation if\n               such documentation is essential to the effective implementation or operation of\n               security controls. The level of protection provided for selected information system,\n               component, or service documentation is commensurate with the security category or\n               classification of the system. For example, documentation associated with a key DoD\n               weapons system or command and control system would typically require a higher level\n               of protection than a routine administrative system. Documentation that addresses\n               information system vulnerabilities may also require an increased level of protection.\n               Secure operation of the information system, includes, for example, initially starting\n               the system and resuming secure system operation after any lapse in system\n               operation.","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#pl-2","rel":"related","text":"PL-2"},{"href":"#pl-4","rel":"related","text":"PL-4"},{"href":"#ps-2","rel":"related","text":"PS-2"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component,\n                  or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","properties":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","properties":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or\n                  information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","properties":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","properties":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or\n                     service;"}]},{"id":"sa-5.c_obj","name":"objective","properties":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information\n                     system, system component, or information system service documentation when such\n                     documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or\n                     information system service documentation when such documentation is either\n                     unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management\n                  strategy;"},{"id":"sa-5.e_obj","name":"objective","properties":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing information system documentation\\n\\ninformation system documentation including administrator and user guides\\n\\nrecords documenting attempts to obtain unavailable or nonexistent information\n                  system documentation\\n\\nlist of actions to be taken in response to documented attempts to obtain\n                  information system, system component, or information system service\n                  documentation\\n\\nrisk management strategy documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\nsystem administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information\n                  system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security Engineering Principles","properties":[{"name":"label","value":"SA-8"},{"name":"sort-id","value":"sa-08"}],"links":[{"href":"#21b1ed35-56d2-40a8-bdfe-b461fffe322f","rel":"reference","text":"NIST Special Publication 800-27"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"The organization applies information system security engineering principles in the\n               specification, design, development, implementation, and modification of the\n               information system."},{"id":"sa-8_gdn","name":"guidance","prose":"Organizations apply security engineering principles primarily to new development\n               information systems or systems undergoing major upgrades. For legacy systems,\n               organizations apply security engineering principles to system upgrades and\n               modifications to the extent feasible, given the current state of hardware, software,\n               and firmware within those systems. Security engineering principles include, for\n               example: (i) developing layered protections; (ii) establishing sound security policy,\n               architecture, and controls as the foundation for design; (iii) incorporating security\n               requirements into the system development life cycle; (iv) delineating physical and\n               logical security boundaries; (v) ensuring that system developers are trained on how\n               to build secure software; (vi) tailoring security controls to meet organizational and\n               operational needs; (vii) performing threat modeling to identify use cases, threat\n               agents, attack vectors, and attack patterns as well as compensating controls and\n               design patterns needed to mitigate risk; and (viii) reducing risk to acceptable\n               levels, thus enabling informed risk management decisions.","links":[{"href":"#pm-7","rel":"related","text":"PM-7"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-17","rel":"related","text":"SA-17"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sa-8_obj","name":"objective","prose":"Determine if the organization applies information system security engineering\n               principles in: ","parts":[{"id":"sa-8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-8[1]"}],"prose":"the specification of the information system;"},{"id":"sa-8_obj.2","name":"objective","properties":[{"name":"label","value":"SA-8[2]"}],"prose":"the design of the information system;"},{"id":"sa-8_obj.3","name":"objective","properties":[{"name":"label","value":"SA-8[3]"}],"prose":"the development of the information system;"},{"id":"sa-8_obj.4","name":"objective","properties":[{"name":"label","value":"SA-8[4]"}],"prose":"the implementation of the information system; and"},{"id":"sa-8_obj.5","name":"objective","properties":[{"name":"label","value":"SA-8[5]"}],"prose":"the modification of the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing security engineering principles used in the specification,\n                  design, development, implementation, and modification of the information\n                  system\\n\\ninformation system design documentation\\n\\ninformation security requirements and specifications for the information\n                  system\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\norganizational personnel with information system specification, design,\n                  development, implementation, and modification responsibilities\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for applying security engineering principles in\n                  information system specification, design, development, implementation, and\n                  modification\\n\\nautomated mechanisms supporting the application of security engineering principles\n                  in information system specification, design, development, implementation, and\n                  modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","parameters":[{"id":"sa-9_prm_1","label":"organization-defined security controls","constraints":[{"detail":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques","constraints":[{"detail":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]}],"properties":[{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference","text":"NIST Special Publication 800-35"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with\n                  organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive\n                  Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities\n                  with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Employs {{ sa-9_prm_2 }} to monitor security control compliance by\n                  external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the\n               authorization boundaries of organizational information systems. This includes\n               services that are used by, but not a part of, organizational information systems.\n               FISMA and OMB policy require that organizations using external service providers that\n               are processing, storing, or transmitting federal information or operating information\n               systems on behalf of the federal government ensure that such providers meet the same\n               security requirements that federal agencies are required to meet. Organizations\n               establish relationships with external service providers in a variety of ways\n               including, for example, through joint ventures, business partnerships, contracts,\n               interagency agreements, lines of business arrangements, licensing agreements, and\n               supply chain exchanges. The responsibility for managing risks from the use of\n               external information system services remains with authorizing officials. For services\n               external to organizations, a chain of trust requires that organizations establish and\n               retain a level of confidence that each participating provider in the potentially\n               complex consumer-provider relationship provides adequate protection for the services\n               rendered. The extent and nature of this chain of trust varies based on the\n               relationships between organizations and the external providers. Organizations\n               document the basis for trust relationships so the relationships can be monitored over\n               time. External information system services documentation includes government, service\n               providers, end user security roles and responsibilities, and service-level\n               agreements. Service-level agreements define expectations of performance for security\n               controls, describe measurable outcomes, and identify remedies and response\n               requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#ir-7","rel":"related","text":"IR-7"},{"href":"#ps-7","rel":"related","text":"PS-7"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","properties":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information\n                     system services;"},{"id":"sa-9.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with\n                     organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ\n                     organization-defined security controls in accordance with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance;"}]},{"id":"sa-9.b_obj","name":"objective","properties":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information\n                     system services;"},{"id":"sa-9.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external\n                     information system services;"}]},{"id":"sa-9.c_obj","name":"objective","properties":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security\n                     control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor\n                     security control compliance by external service providers on an ongoing\n                     basis."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nprocedures addressing methods and techniques for monitoring security control\n                  compliance by external service providers of information system services\\n\\nacquisition contracts, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                  provider services\\n\\nsecurity control assessment evidence from external providers of information system\n                  services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external\n                  service providers on an ongoing basis\\n\\nautomated mechanisms for monitoring security control compliance by external\n                  service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.1","class":"SP800-53-enhancement","title":"Risk Assessments / Organizational Approvals","parameters":[{"id":"sa-9.1_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SA-9(1)"},{"name":"sort-id","value":"sa-09.01"}],"parts":[{"id":"sa-9.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9.1_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Conducts an organizational assessment of risk prior to the acquisition or\n                     outsourcing of dedicated information security services; and"},{"id":"sa-9.1_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Ensures that the acquisition or outsourcing of dedicated information security\n                     services is approved by {{ sa-9.1_prm_1 }}."}]},{"id":"sa-9.1_gdn","name":"guidance","prose":"Dedicated information security services include, for example, incident monitoring,\n                  analysis and response, operation of information security-related devices such as\n                  firewalls, or key management services.","links":[{"href":"#ca-6","rel":"related","text":"CA-6"},{"href":"#ra-3","rel":"related","text":"RA-3"}]},{"id":"sa-9.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.1.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(1)(a)"}],"prose":"conducts an organizational assessment of risk prior to the acquisition or\n                     outsourcing of dedicated information security services;","links":[{"href":"#sa-9.1_smt.a","rel":"corresp","text":"SA-9(1)(a)"}]},{"id":"sa-9.1.b_obj","name":"objective","properties":[{"name":"label","value":"SA-9(1)(b)"}],"parts":[{"id":"sa-9.1.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(1)(b)[1]"}],"prose":"defines personnel or roles designated to approve the acquisition or\n                        outsourcing of dedicated information security services; and"},{"id":"sa-9.1.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(1)(b)[2]"}],"prose":"ensures that the acquisition or outsourcing of dedicated information\n                        security services is approved by organization-defined personnel or\n                        roles."}],"links":[{"href":"#sa-9.1_smt.b","rel":"corresp","text":"SA-9(1)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nrisk assessment reports\\n\\napproval records for acquisition or outsourcing of dedicated information\n                     security services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information system security responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting a risk assessment prior to acquiring or\n                     outsourcing dedicated information security services\\n\\norganizational processes for approving the outsourcing of dedicated information\n                     security services\\n\\nautomated mechanisms supporting and/or implementing risk assessment\\n\\nautomated mechanisms supporting and/or implementing approval processes"}]}]},{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions / Ports / Protocols / Services","parameters":[{"id":"sa-9.2_prm_1","label":"organization-defined external information system services","constraints":[{"detail":"all external systems where Federal information is processed or stored"}]}],"properties":[{"name":"label","value":"SA-9(2)"},{"name":"sort-id","value":"sa-09.02"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"The organization requires providers of {{ sa-9.2_prm_1 }} to\n                  identify the functions, ports, protocols, and other services required for the use\n                  of such services."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions,\n                  ports, protocols, and services used in the provision of such services can be\n                  particularly useful when the need arises to understand the trade-offs involved in\n                  restricting certain functions/services or blocking certain ports/protocols.","links":[{"href":"#cm-7","rel":"related","text":"CM-7"}]},{"id":"sa-9.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(2)[1]"}],"prose":"defines external information system services for which providers of such\n                     services are to identify the functions, ports, protocols, and other services\n                     required for the use of such services;"},{"id":"sa-9.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SA-9(2)[2]"}],"prose":"requires providers of organization-defined external information system services\n                     to identify:","parts":[{"id":"sa-9.2_obj.2.a","name":"objective","properties":[{"name":"label","value":"SA-9(2)[2][a]"}],"prose":"the functions required for the use of such services;"},{"id":"sa-9.2_obj.2.b","name":"objective","properties":[{"name":"label","value":"SA-9(2)[2][b]"}],"prose":"the ports required for the use of such services;"},{"id":"sa-9.2_obj.2.c","name":"objective","properties":[{"name":"label","value":"SA-9(2)[2][c]"}],"prose":"the protocols required for the use of such services; and"},{"id":"sa-9.2_obj.2.d","name":"objective","properties":[{"name":"label","value":"SA-9(2)[2][d]"}],"prose":"the other services required for the use of such services."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nacquisition documentation\\n\\nsolicitation documentation, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                     service providers\\n\\nlist of required functions, ports, protocols, and other services\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nexternal providers of information system services"}]}]},{"id":"sa-9.4","class":"SP800-53-enhancement","title":"Consistent Interests of Consumers and Providers","parameters":[{"id":"sa-9.4_prm_1","label":"organization-defined security safeguards"},{"id":"sa-9.4_prm_2","label":"organization-defined external service providers","constraints":[{"detail":"all external systems where Federal information is processed or stored"}]}],"properties":[{"name":"label","value":"SA-9(4)"},{"name":"sort-id","value":"sa-09.04"}],"parts":[{"id":"sa-9.4_smt","name":"statement","prose":"The organization employs {{ sa-9.4_prm_1 }} to ensure that the\n                  interests of {{ sa-9.4_prm_2 }} are consistent with and reflect\n                  organizational interests."},{"id":"sa-9.4_gdn","name":"guidance","prose":"As organizations increasingly use external service providers, the possibility\n                  exists that the interests of the service providers may diverge from organizational\n                  interests. In such situations, simply having the correct technical, procedural, or\n                  operational safeguards in place may not be sufficient if the service providers\n                  that implement and control those safeguards are not operating in a manner\n                  consistent with the interests of the consuming organizations. Possible actions\n                  that organizations might take to address such concerns include, for example,\n                  requiring background checks for selected service provider personnel, examining\n                  ownership records, employing only trustworthy service providers (i.e., providers\n                  with which organizations have had positive experiences), and conducting\n                  periodic/unscheduled visits to service provider facilities."},{"id":"sa-9.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(4)[1]"}],"prose":"defines external service providers whose interests are to be consistent with\n                     and reflect organizational interests;"},{"id":"sa-9.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(4)[2]"}],"prose":"defines security safeguards to be employed to ensure that the interests of\n                     organization-defined external service providers are consistent with and reflect\n                     organizational interests; and"},{"id":"sa-9.4_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(4)[3]"}],"prose":"employs organization-defined security safeguards to ensure that the interests\n                     of organization-defined external service providers are consistent with and\n                     reflect organizational interests."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\norganizational security requirements/safeguards for external service\n                     providers\\n\\npersonnel security policies for external service providers\\n\\nassessments performed on external service providers\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nexternal providers of information system services"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and employing safeguards to ensure\n                     consistent interests with external service providers\\n\\nautomated mechanisms supporting and/or implementing safeguards to ensure\n                     consistent interests with external service providers"}]}]},{"id":"sa-9.5","class":"SP800-53-enhancement","title":"Processing, Storage, and Service Location","parameters":[{"id":"sa-9.5_prm_1","constraints":[{"detail":"information processing, information data, AND information services"}]},{"id":"sa-9.5_prm_2","label":"organization-defined locations"},{"id":"sa-9.5_prm_3","label":"organization-defined requirements or conditions"}],"properties":[{"name":"label","value":"SA-9(5)"},{"name":"sort-id","value":"sa-09.05"}],"parts":[{"id":"sa-9.5_smt","name":"statement","prose":"The organization restricts the location of {{ sa-9.5_prm_1 }} to\n                     {{ sa-9.5_prm_2 }} based on {{ sa-9.5_prm_3 }}."},{"id":"sa-9.5_gdn","name":"guidance","prose":"The location of information processing, information/data storage, or information\n                  system services that are critical to organizations can have a direct impact on the\n                  ability of those organizations to successfully execute their missions/business\n                  functions. This situation exists when external providers control the location of\n                  processing, storage or services. The criteria external providers use for the\n                  selection of processing, storage, or service locations may be different from\n                  organizational criteria. For example, organizations may want to ensure that\n                  data/information storage locations are restricted to certain locations to\n                  facilitate incident response activities (e.g., forensic analyses, after-the-fact\n                  investigations) in case of information security breaches/compromises. Such\n                  incident response activities may be adversely affected by the governing laws or\n                  protocols in the locations where processing and storage occur and/or the locations\n                  from which information system services emanate."},{"id":"sa-9.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(5)[1]"}],"prose":"defines locations where organization-defined information processing,\n                     information/data, and/or information system services are to be restricted;"},{"id":"sa-9.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-9(5)[2]"}],"prose":"defines requirements or conditions to restrict the location of information\n                     processing, information/data, and/or information system services;"},{"id":"sa-9.5_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-9(5)[3]"}],"prose":"restricts the location of one or more of the following to organization-defined\n                     locations based on organization-defined requirements or conditions:","parts":[{"id":"sa-9.5_obj.3.a","name":"objective","properties":[{"name":"label","value":"SA-9(5)[3][a]"}],"prose":"information processing;"},{"id":"sa-9.5_obj.3.b","name":"objective","properties":[{"name":"label","value":"SA-9(5)[3][b]"}],"prose":"information/data; and/or"},{"id":"sa-9.5_obj.3.c","name":"objective","properties":[{"name":"label","value":"SA-9(5)[3][c]"}],"prose":"information services."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nrestricted locations for information processing\\n\\ninformation/data and/or information system services\\n\\ninformation processing, information/data, and/or information system services to\n                     be maintained in restricted locations\\n\\norganizational security requirements or conditions for external providers\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nexternal providers of information system services"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining requirements to restrict locations of\n                     information processing, information/data, or information services\\n\\norganizational processes for ensuring the location is restricted in accordance\n                     with requirements or conditions"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","parameters":[{"id":"sa-10_prm_1","constraints":[{"detail":"development, implementation, AND operation"}]},{"id":"sa-10_prm_2","label":"organization-defined configuration items under configuration management"},{"id":"sa-10_prm_3","label":"organization-defined personnel"}],"properties":[{"name":"label","value":"SA-10"},{"name":"sort-id","value":"sa-10"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"The organization requires the developer of the information system, system component,\n               or information system service to:","parts":[{"id":"sa-10_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ sa-10_prm_1 }};"},{"id":"sa-10_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};"},{"id":"sa-10_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or\n                  service;"},{"id":"sa-10_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential\n                  security impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service\n                  and report findings to {{ sa-10_prm_3 }}."},{"id":"sa-10_fr","name":"item","title":"SA-10 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-10_fr_smt.1","name":"item","properties":[{"name":"label","value":"(e)  Requirement:"}],"prose":"For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP."}]}]},{"id":"sa-10_gdn","name":"guidance","prose":"This control also applies to organizations conducting internal information systems\n               development and integration. Organizations consider the quality and completeness of\n               the configuration management activities conducted by developers as evidence of\n               applying effective security safeguards. Safeguards include, for example, protecting\n               from unauthorized modification or destruction, the master copies of all material used\n               to generate security-relevant portions of the system hardware, software, and\n               firmware. Maintaining the integrity of changes to the information system, information\n               system component, or information system service requires configuration control\n               throughout the system development life cycle to track authorized changes and prevent\n               unauthorized changes. Configuration items that are placed under configuration\n               management (if existence/use is required by other security controls) include: the\n               formal model; the functional, high-level, and low-level design specifications; other\n               design data; implementation documentation; source code and hardware schematics; the\n               running version of the object code; tools for comparing new versions of\n               security-relevant hardware descriptions and software/firmware source code with\n               previous versions; and test fixtures and documentation. Depending on the\n               mission/business needs of organizations and the nature of the contractual\n               relationships in place, developers may provide configuration management support\n               during the operations and maintenance phases of the life cycle.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#cm-9","rel":"related","text":"CM-9"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"sa-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-10.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(a)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to perform configuration management during one or more of the\n                  following:","parts":[{"id":"sa-10.a_obj.1","name":"objective","properties":[{"name":"label","value":"SA-10(a)[1]"}],"prose":"system, component, or service design;"},{"id":"sa-10.a_obj.2","name":"objective","properties":[{"name":"label","value":"SA-10(a)[2]"}],"prose":"system, component, or service development;"},{"id":"sa-10.a_obj.3","name":"objective","properties":[{"name":"label","value":"SA-10(a)[3]"}],"prose":"system, component, or service implementation; and/or"},{"id":"sa-10.a_obj.4","name":"objective","properties":[{"name":"label","value":"SA-10(a)[4]"}],"prose":"system, component, or service operation;"}]},{"id":"sa-10.b_obj","name":"objective","properties":[{"name":"label","value":"SA-10(b)"}],"parts":[{"id":"sa-10.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-10(b)[1]"}],"prose":"defines configuration items to be placed under configuration management;"},{"id":"sa-10.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(b)[2]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to:","parts":[{"id":"sa-10.b_obj.2.a","name":"objective","properties":[{"name":"label","value":"SA-10(b)[2][a]"}],"prose":"document the integrity of changes to organization-defined items under\n                        configuration management;"},{"id":"sa-10.b_obj.2.b","name":"objective","properties":[{"name":"label","value":"SA-10(b)[2][b]"}],"prose":"manage the integrity of changes to organization-defined items under\n                        configuration management;"},{"id":"sa-10.b_obj.2.c","name":"objective","properties":[{"name":"label","value":"SA-10(b)[2][c]"}],"prose":"control the integrity of changes to organization-defined items under\n                        configuration management;"}]}]},{"id":"sa-10.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(c)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to implement only organization-approved changes to the system,\n                  component, or service;"},{"id":"sa-10.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(d)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to document:","parts":[{"id":"sa-10.d_obj.1","name":"objective","properties":[{"name":"label","value":"SA-10(d)[1]"}],"prose":"approved changes to the system, component, or service;"},{"id":"sa-10.d_obj.2","name":"objective","properties":[{"name":"label","value":"SA-10(d)[2]"}],"prose":"the potential security impacts of such changes;"}]},{"id":"sa-10.e_obj","name":"objective","properties":[{"name":"label","value":"SA-10(e)"}],"parts":[{"id":"sa-10.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-10(e)[1]"}],"prose":"defines personnel to whom findings, resulting from security flaws and flaw\n                     resolution tracked within the system, component, or service, are to be\n                     reported;"},{"id":"sa-10.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-10(e)[2]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to:","parts":[{"id":"sa-10.e_obj.2.a","name":"objective","properties":[{"name":"label","value":"SA-10(e)[2][a]"}],"prose":"track security flaws within the system, component, or service;"},{"id":"sa-10.e_obj.2.b","name":"objective","properties":[{"name":"label","value":"SA-10(e)[2][b]"}],"prose":"track security flaw resolution within the system, component, or service;\n                        and"},{"id":"sa-10.e_obj.2.c","name":"objective","properties":[{"name":"label","value":"SA-10(e)[2][c]"}],"prose":"report findings to organization-defined personnel."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer configuration management\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer configuration management plan\\n\\nsecurity flaw and flaw resolution tracking records\\n\\nsystem change authorization records\\n\\nchange control records\\n\\nconfiguration management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer configuration management\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                  configuration management"}]}],"controls":[{"id":"sa-10.1","class":"SP800-53-enhancement","title":"Software / Firmware Integrity Verification","properties":[{"name":"label","value":"SA-10(1)"},{"name":"sort-id","value":"sa-10.01"}],"parts":[{"id":"sa-10.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to enable integrity verification of\n                  software and firmware components."},{"id":"sa-10.1_gdn","name":"guidance","prose":"This control enhancement allows organizations to detect unauthorized changes to\n                  software and firmware components through the use of tools, techniques, and/or\n                  mechanisms provided by developers. Integrity checking mechanisms can also address\n                  counterfeiting of software and firmware components. Organizations verify the\n                  integrity of software and firmware components, for example, through secure one-way\n                  hashes provided by developers. Delivered software and firmware components also\n                  include any updates to such components.","links":[{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sa-10.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to enable integrity verification\n                  of software and firmware components."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer configuration management\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system\\n\\nsystem component, or information system service\\n\\nsystem developer configuration management plan\\n\\nsoftware and firmware integrity verification records\\n\\nsystem change authorization records\\n\\nchange control records\\n\\nconfiguration management records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer configuration management\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     configuration management"}]}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Security Testing and Evaluation","parameters":[{"id":"sa-11_prm_1"},{"id":"sa-11_prm_2","label":"organization-defined depth and coverage"}],"properties":[{"name":"label","value":"SA-11"},{"name":"sort-id","value":"sa-11"}],"links":[{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference","text":"ISO/IEC 15408"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference","text":"NIST Special Publication 800-53A"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference","text":"http://nvd.nist.gov"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference","text":"http://cwe.mitre.org"},{"href":"#0931209f-00ae-4132-b92c-bc645847e8f9","rel":"reference","text":"http://cve.mitre.org"},{"href":"#4ef539ba-b767-4666-b0d3-168c53005fa3","rel":"reference","text":"http://capec.mitre.org"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"The organization requires the developer of the information system, system component,\n               or information system service to:","parts":[{"id":"sa-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Create and implement a security assessment plan;"},{"id":"sa-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Perform {{ sa-11_prm_1 }} testing/evaluation at {{ sa-11_prm_2 }};"},{"id":"sa-11_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the security assessment plan and the results\n                  of the security testing/evaluation;"},{"id":"sa-11_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during security testing/evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental security testing/evaluation occurs at all post-design phases of the\n               system development life cycle. Such testing/evaluation confirms that the required\n               security controls are implemented correctly, operating as intended, enforcing the\n               desired security policy, and meeting established security requirements. Security\n               properties of information systems may be affected by the interconnection of system\n               components or changes to those components. These interconnections or changes (e.g.,\n               upgrading or replacing applications and operating systems) may adversely affect\n               previously implemented security controls. This control provides additional types of\n               security testing/evaluation that developers can conduct to reduce or eliminate\n               potential flaws. Testing custom software applications may require approaches such as\n               static analysis, dynamic analysis, binary analysis, or a hybrid of the three\n               approaches. Developers can employ these analysis approaches in a variety of tools\n               (e.g., web-based application scanners, static analysis tools, binary analyzers) and\n               in source code reviews. Security assessment plans provide the specific activities\n               that developers plan to carry out including the types of analyses, testing,\n               evaluation, and reviews of software and firmware components, the degree of rigor to\n               be applied, and the types of artifacts produced during those processes. The depth of\n               security testing/evaluation refers to the rigor and level of detail associated with\n               the assessment process (e.g., black box, gray box, or white box testing). The\n               coverage of security testing/evaluation refers to the scope (i.e., number and type)\n               of the artifacts included in the assessment process. Contracts specify the acceptance\n               criteria for security assessment plans, flaw remediation processes, and the evidence\n               that the plans/processes have been diligently applied. Methods for reviewing and\n               protecting assessment plans, evidence, and documentation are commensurate with the\n               security category or classification level of the information system. Contracts may\n               specify documentation protection requirements.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#cm-4","rel":"related","text":"CM-4"},{"href":"#sa-3","rel":"related","text":"SA-3"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"sa-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-11.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(a)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to create and implement a security plan;"},{"id":"sa-11.b_obj","name":"objective","properties":[{"name":"label","value":"SA-11(b)"}],"parts":[{"id":"sa-11.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-11(b)[1]"}],"prose":"defines the depth of testing/evaluation to be performed by the developer of the\n                     information system, system component, or information system service;"},{"id":"sa-11.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SA-11(b)[2]"}],"prose":"defines the coverage of testing/evaluation to be performed by the developer of\n                     the information system, system component, or information system service;"},{"id":"sa-11.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(b)[3]"}],"prose":"requires the developer of the information system, system component, or\n                     information system service to perform one or more of the following\n                     testing/evaluation at the organization-defined depth and coverage:","parts":[{"id":"sa-11.b_obj.3.a","name":"objective","properties":[{"name":"label","value":"SA-11(b)[3][a]"}],"prose":"unit testing/evaluation;"},{"id":"sa-11.b_obj.3.b","name":"objective","properties":[{"name":"label","value":"SA-11(b)[3][b]"}],"prose":"integration testing/evaluation;"},{"id":"sa-11.b_obj.3.c","name":"objective","properties":[{"name":"label","value":"SA-11(b)[3][c]"}],"prose":"system testing/evaluation; and/or"},{"id":"sa-11.b_obj.3.d","name":"objective","properties":[{"name":"label","value":"SA-11(b)[3][d]"}],"prose":"regression testing/evaluation;"}]}]},{"id":"sa-11.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(c)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to produce evidence of:","parts":[{"id":"sa-11.c_obj.1","name":"objective","properties":[{"name":"label","value":"SA-11(c)[1]"}],"prose":"the execution of the security assessment plan;"},{"id":"sa-11.c_obj.2","name":"objective","properties":[{"name":"label","value":"SA-11(c)[2]"}],"prose":"the results of the security testing/evaluation;"}]},{"id":"sa-11.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(d)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to implement a verifiable flaw remediation process; and"},{"id":"sa-11.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(e)"}],"prose":"requires the developer of the information system, system component, or information\n                  system service to correct flaws identified during security testing/evaluation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer security test plans\\n\\nrecords of developer security testing results for the information system, system\n                  component, or information system service\\n\\nsecurity flaw and remediation tracking records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and\n                  evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                  security testing and evaluation"}]}],"controls":[{"id":"sa-11.1","class":"SP800-53-enhancement","title":"Static Code Analysis","properties":[{"name":"label","value":"SA-11(1)"},{"name":"sort-id","value":"sa-11.01"}],"parts":[{"id":"sa-11.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to employ static code analysis tools to\n                  identify common flaws and document the results of the analysis.","parts":[{"id":"sa-11.1_fr","name":"item","title":"SA-11 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-11.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."}]}]},{"id":"sa-11.1_gdn","name":"guidance","prose":"Static code analysis provides a technology and methodology for security reviews.\n                  Such analysis can be used to identify security vulnerabilities and enforce\n                  security coding practices. Static code analysis is most effective when used early\n                  in the development process, when each code change can be automatically scanned for\n                  potential weaknesses. Static analysis can provide clear remediation guidance along\n                  with defects to enable developers to fix such defects. Evidence of correct\n                  implementation of static analysis can include, for example, aggregate defect\n                  density for critical defect types, evidence that defects were inspected by\n                  developers or security professionals, and evidence that defects were fixed. An\n                  excessively high density of ignored findings (commonly referred to as ignored or\n                  false positives) indicates a potential problem with the analysis process or tool.\n                  In such cases, organizations weigh the validity of the evidence against evidence\n                  from other sources."},{"id":"sa-11.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to employ static code analysis\n                  tools to identify common flaws and document the results of the analysis."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test plans\\n\\nsystem developer security testing results\\n\\nsecurity flaw and remediation tracking records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation\\n\\nstatic code analysis tools"}]}]},{"id":"sa-11.2","class":"SP800-53-enhancement","title":"Threat and Vulnerability Analyses","properties":[{"name":"label","value":"SA-11(2)"},{"name":"sort-id","value":"sa-11.02"}],"parts":[{"id":"sa-11.2_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to perform threat and vulnerability\n                  analyses and subsequent testing/evaluation of the as-built system, component, or\n                  service."},{"id":"sa-11.2_gdn","name":"guidance","prose":"Applications may deviate significantly from the functional and design\n                  specifications created during the requirements and design phases of the system\n                  development life cycle. Therefore, threat and vulnerability analyses of\n                  information systems, system components, and information system services prior to\n                  delivery are critical to the effective operation of those systems, components, and\n                  services. Threat and vulnerability analyses at this phase of the life cycle help\n                  to ensure that design or implementation changes have been accounted for, and that\n                  any new vulnerabilities created as a result of those changes have been reviewed\n                  and mitigated.","links":[{"href":"#pm-15","rel":"related","text":"PM-15"},{"href":"#ra-5","rel":"related","text":"RA-5"}]},{"id":"sa-11.2_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to perform:","parts":[{"id":"sa-11.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SA-11(2)[1]"}],"prose":"threat analyses of the as-built, system component, or service;"},{"id":"sa-11.2_obj.2","name":"objective","properties":[{"name":"label","value":"SA-11(2)[2]"}],"prose":"vulnerability analyses of the as-built, system component, or service; and"},{"id":"sa-11.2_obj.3","name":"objective","properties":[{"name":"label","value":"SA-11(2)[3]"}],"prose":"subsequent testing/evaluation of the as-built, system component, or\n                     service."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test plans\\n\\nrecords of developer security testing results for the information system,\n                     system component, or information system service\\n\\nvulnerability scanning results\\n\\ninformation system risk assessment reports\\n\\nthreat and vulnerability analysis reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation"}]}]},{"id":"sa-11.8","class":"SP800-53-enhancement","title":"Dynamic Code Analysis","properties":[{"name":"label","value":"SA-11(8)"},{"name":"sort-id","value":"sa-11.08"}],"parts":[{"id":"sa-11.8_smt","name":"statement","prose":"The organization requires the developer of the information system, system\n                  component, or information system service to employ dynamic code analysis tools to\n                  identify common flaws and document the results of the analysis.","parts":[{"id":"sa-11.8_fr","name":"item","title":"SA-11 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-11.8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."}]}]},{"id":"sa-11.8_gdn","name":"guidance","prose":"Dynamic code analysis provides run-time verification of software programs, using\n                  tools capable of monitoring programs for memory corruption, user privilege issues,\n                  and other potential security problems. Dynamic code analysis employs run-time\n                  tools to help to ensure that security functionality performs in the manner in\n                  which it was designed. A specialized type of dynamic analysis, known as fuzz\n                  testing, induces program failures by deliberately introducing malformed or random\n                  data into software programs. Fuzz testing strategies derive from the intended use\n                  of applications and the functional and design specifications for the applications.\n                  To understand the scope of dynamic code analysis and hence the assurance provided,\n                  organizations may also consider conducting code coverage analysis (checking the\n                  degree to which the code has been tested using metrics such as percent of\n                  subroutines tested or percent of program statements called during execution of the\n                  test suite) and/or concordance analysis (checking for words that are out of place\n                  in software code such as non-English language words or derogatory terms)."},{"id":"sa-11.8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization requires the developer of the information system,\n                  system component, or information system service to employ dynamic code analysis\n                  tools to identify common flaws and document the results of the analysis."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test and evaluation plans\\n\\nsecurity test and evaluation results\\n\\nsecurity flaw and remediation tracking reports\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation"}]}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","parameters":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"sc-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications\n                     protection policy and associated system and communications protection controls;\n                     and"}]},{"id":"sc-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ sc-1_prm_2 }};\n                     and"},{"id":"sc-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that\n                        addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection\n                        policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to\n                        organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and communications protection policy and associated system and\n                        communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy\n                        with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection\n                        procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Application Partitioning","properties":[{"name":"label","value":"SC-2"},{"name":"sort-id","value":"sc-02"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"The information system separates user functionality (including user interface\n               services) from information system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"Information system management functionality includes, for example, functions\n               necessary to administer databases, network components, workstations, or servers, and\n               typically requires privileged user access. The separation of user functionality from\n               information system management functionality is either physical or logical.\n               Organizations implement separation of system management-related functionality from\n               user functionality by using different computers, different central processing units,\n               different instances of operating systems, different network addresses, virtualization\n               techniques, or combinations of these or other methods, as appropriate. This type of\n               separation includes, for example, web administrative interfaces that use separate\n               authentication methods for users of any other information system resources.\n               Separation of system and user functionality may include isolating administrative\n               interfaces on different domains and with additional access controls.","links":[{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system separates user functionality (including user\n               interface services) from information system management functionality."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing application partitioning\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of user functionality from information system management\n                  functionality"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared Resources","properties":[{"name":"label","value":"SC-4"},{"name":"sort-id","value":"sc-04"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"The information system prevents unauthorized and unintended information transfer via\n               shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"This control prevents information, including encrypted representations of\n               information, produced by the actions of prior users/roles (or the actions of\n               processes acting on behalf of prior users/roles) from being available to any current\n               users/roles (or current processes) that obtain access to shared system resources\n               (e.g., registers, main memory, hard disks) after those resources have been released\n               back to information systems. The control of information in shared resources is also\n               commonly referred to as object reuse and residual information protection. This\n               control does not address: (i) information remanence which refers to residual\n               representation of data that has been nominally erased or removed; (ii) covert\n               channels (including storage and/or timing channels) where shared resources are\n               manipulated to violate information flow restrictions; or (iii) components within\n               information systems for which there are only single users/roles.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#mp-6","rel":"related","text":"MP-6"}]},{"id":"sc-4_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system prevents unauthorized and unintended information\n               transfer via shared system resources."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing information protection in shared system resources\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms preventing unauthorized and unintended transfer of\n                  information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","parameters":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources\n               for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types\n               of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of\n               denial of service attacks. For example, boundary protection devices can filter\n               certain types of packets to protect information system components on internal\n               organizational networks from being directly affected by denial of service attacks.\n               Employing increased capacity and bandwidth combined with service redundancy may also\n               reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related","text":"SC-6"},{"href":"#sc-7","rel":"related","text":"SC-7"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","properties":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source\n                  of such information for the information system to protect against or limit the\n                  effects;"},{"id":"sc-5_obj.2","name":"objective","properties":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information\n                  system to protect against or limit the effects of organization-defined types of\n                  denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","properties":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the\n                  organization-defined denial or service attacks (or reference to source for such\n                  information) by employing organization-defined security safeguards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing denial of service protection\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\nlist of denial of services attacks requiring employment of security safeguards to\n                  protect against or limit effects of such attacks\\n\\nlist of security safeguards protecting against or limiting the effects of denial\n                  of service attacks\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of\n                  service attacks"}]}]},{"id":"sc-6","class":"SP800-53","title":"Resource Availability","parameters":[{"id":"sc-6_prm_1","label":"organization-defined resources"},{"id":"sc-6_prm_2"},{"id":"sc-6_prm_3","depends-on":"sc-6_prm_2","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SC-6"},{"name":"sort-id","value":"sc-06"}],"parts":[{"id":"sc-6_smt","name":"statement","prose":"The information system protects the availability of resources by allocating {{ sc-6_prm_1 }} by {{ sc-6_prm_2 }}."},{"id":"sc-6_gdn","name":"guidance","prose":"Priority protection helps prevent lower-priority processes from delaying or\n               interfering with the information system servicing any higher-priority processes.\n               Quotas prevent users or processes from obtaining more than predetermined amounts of\n               resources. This control does not apply to information system components for which\n               there are only single users/roles."},{"id":"sc-6_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-6_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-6[1]"}],"prose":"the organization defines resources to be allocated to protect the availability of\n                  resources;"},{"id":"sc-6_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-6[2]"}],"prose":"the organization defines security safeguards to be employed to protect the\n                  availability of resources;"},{"id":"sc-6_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-6[3]"}],"prose":"the information system protects the availability of resources by allocating\n                  organization-defined resources by one or more of the following:","parts":[{"id":"sc-6_obj.3.a","name":"objective","properties":[{"name":"label","value":"SC-6[3][a]"}],"prose":"priority;"},{"id":"sc-6_obj.3.b","name":"objective","properties":[{"name":"label","value":"SC-6[3][b]"}],"prose":"quota; and/or"},{"id":"sc-6_obj.3.c","name":"objective","properties":[{"name":"label","value":"SC-6[3][c]"}],"prose":"organization-defined safeguards."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing prioritization of information system resources\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing resource allocation\n                  capability\\n\\nsafeguards employed to protect availability of resources"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","parameters":[{"id":"sc-7_prm_1"}],"properties":[{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference","text":"FIPS Publication 199"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference","text":"NIST Special Publication 800-41"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at\n                  key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;\n                  and"},{"id":"sc-7_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards,\n               network-based malicious code analysis and virtualization systems, or encrypted\n               tunnels implemented within a security architecture (e.g., routers protecting\n               firewalls or application gateways residing on protected subnetworks). Subnetworks\n               that are physically or logically separated from internal networks are referred to as\n               demilitarized zones or DMZs. Restricting or prohibiting interfaces within\n               organizational information systems includes, for example, restricting external web\n               traffic to designated web servers within managed interfaces and prohibiting external\n               traffic that appears to be spoofing internal addresses. Organizations consider the\n               shared nature of commercial telecommunications services in the implementation of\n               security controls associated with the use of such services. Commercial\n               telecommunications services are commonly based on network components and consolidated\n               management systems shared by all attached commercial customers, and may also include\n               third party-provided access lines and other service elements. Such transmission\n               services may represent sources of increased risk despite contract security\n               provisions.","links":[{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ca-3","rel":"related","text":"CA-3"},{"href":"#cm-7","rel":"related","text":"CM-7"},{"href":"#cp-8","rel":"related","text":"CP-8"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-3","rel":"related","text":"RA-3"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","properties":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are\n                  either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","properties":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and/or"},{"id":"sc-7.b_obj.2","name":"objective","properties":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\nlist of key internal boundaries of the information system\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\nenterprise security architecture documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","properties":[{"name":"label","value":"SC-7(3)"},{"name":"sort-id","value":"sc-07.03"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"The organization limits the number of external network connections to the\n                  information system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates more comprehensive\n                  monitoring of inbound and outbound communications traffic. The Trusted Internet\n                  Connection (TIC) initiative is an example of limiting the number of external\n                  network connections."},{"id":"sc-7.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization limits the number of external network connections to\n                  the information system."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncommunications and network traffic monitoring logs\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\\n\\nautomated mechanisms limiting the number of external network connections to the\n                     information system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","parameters":[{"id":"sc-7.4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SC-7(4)"},{"name":"sort-id","value":"sc-07.04"}],"parts":[{"id":"sc-7.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-7.4_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Implements a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Establishes a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","properties":[{"name":"label","value":"(c)"}],"prose":"Protects the confidentiality and integrity of the information being transmitted\n                     across each interface;"},{"id":"sc-7.4_smt.d","name":"item","properties":[{"name":"label","value":"(d)"}],"prose":"Documents each exception to the traffic flow policy with a supporting\n                     mission/business need and duration of that need; and"},{"id":"sc-7.4_smt.e","name":"item","properties":[{"name":"label","value":"(e)"}],"prose":"Reviews exceptions to the traffic flow policy {{ sc-7.4_prm_1 }}\n                     and removes exceptions that are no longer supported by an explicit\n                     mission/business need."}]},{"id":"sc-7.4_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related","text":"SC-8"}]},{"id":"sc-7.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.4.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(4)(a)"}],"prose":"implements a managed interface for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"corresp","text":"SC-7(4)(a)"}]},{"id":"sc-7.4.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(4)(b)"}],"prose":"establishes a traffic flow policy for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"corresp","text":"SC-7(4)(b)"}]},{"id":"sc-7.4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(4)(c)"}],"prose":"protects the confidentiality and integrity of the information being transmitted\n                     across each interface;","links":[{"href":"#sc-7.4_smt.c","rel":"corresp","text":"SC-7(4)(c)"}]},{"id":"sc-7.4.d_obj","name":"objective","properties":[{"name":"label","value":"SC-7(4)(d)"}],"prose":"documents each exception to the traffic flow policy with:","parts":[{"id":"sc-7.4.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(4)(d)[1]"}],"prose":"a supporting mission/business need;"},{"id":"sc-7.4.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(4)(d)[2]"}],"prose":"duration of that need;"}],"links":[{"href":"#sc-7.4_smt.d","rel":"corresp","text":"SC-7(4)(d)"}]},{"id":"sc-7.4.e_obj","name":"objective","properties":[{"name":"label","value":"SC-7(4)(e)"}],"parts":[{"id":"sc-7.4.e_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(4)(e)[1]"}],"prose":"defines a frequency to review exceptions to traffic flow policy;"},{"id":"sc-7.4.e_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(4)(e)[2]"}],"prose":"reviews exceptions to the traffic flow policy with the organization-defined\n                        frequency; and"},{"id":"sc-7.4.e_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(4)(e)[3]"}],"prose":"removes traffic flow policy exceptions that are no longer supported by an\n                        explicit mission/business need"}],"links":[{"href":"#sc-7.4_smt.e","rel":"corresp","text":"SC-7(4)(e)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\ntraffic flow policy\\n\\ninformation flow control policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system security architecture\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of traffic flow policy exceptions\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for documenting and reviewing exceptions to the\n                     traffic flow policy\\n\\norganizational processes for removing exceptions to the traffic flow policy\\n\\nautomated mechanisms implementing boundary protection capability\\n\\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default / Allow by Exception","properties":[{"name":"label","value":"SC-7(5)"},{"name":"sort-id","value":"sc-07.05"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"The information system at managed interfaces denies network communications traffic\n                  by default and allows network communications traffic by exception (i.e., deny all,\n                  permit by exception)."},{"id":"sc-7.5_gdn","name":"guidance","prose":"This control enhancement applies to both inbound and outbound network\n                  communications traffic. A deny-all, permit-by-exception network communications\n                  traffic policy ensures that only those connections which are essential and\n                  approved are allowed."},{"id":"sc-7.5_obj","name":"objective","prose":"Determine if the information system, at managed interfaces:","parts":[{"id":"sc-7.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(5)[1]"}],"prose":"denies network traffic by default; and"},{"id":"sc-7.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(5)[2]"}],"prose":"allows network traffic by exception."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Prevent Split Tunneling for Remote Devices","properties":[{"name":"label","value":"SC-7(7)"},{"name":"sort-id","value":"sc-07.07"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"The information system, in conjunction with a remote device, prevents the device\n                  from simultaneously establishing non-remote connections with the system and\n                  communicating via some other connection to resources in external networks."},{"id":"sc-7.7_gdn","name":"guidance","prose":"This control enhancement is implemented within remote devices (e.g., notebook\n                  computers) through configuration settings to disable split tunneling in those\n                  devices, and by preventing those configuration settings from being readily\n                  configurable by users. This control enhancement is implemented within the\n                  information system by the detection of split tunneling (or of configuration\n                  settings that allow split tunneling) in the remote device, and by prohibiting the\n                  connection if the remote device is using split tunneling. Split tunneling might be\n                  desirable by remote users to communicate with local information system resources\n                  such as printers/file servers. However, split tunneling would in effect allow\n                  unauthorized external connections, making the system more vulnerable to attack and\n                  to exfiltration of organizational information. The use of VPNs for remote\n                  connections, when adequately provisioned with appropriate security controls, may\n                  provide the organization with sufficient assurance that it can effectively treat\n                  such connections as non-remote connections from the confidentiality and integrity\n                  perspective. VPNs thus provide a means for allowing non-remote communications\n                  paths from remote devices. The use of an adequately provisioned VPN does not\n                  eliminate the need for preventing split tunneling."},{"id":"sc-7.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system, in conjunction with a remote device, prevents\n                  the device from simultaneously establishing non-remote connections with the system\n                  and communicating via some other connection to resources in external networks."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\\n\\nautomated mechanisms supporting/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","parameters":[{"id":"sc-7.8_prm_1","label":"organization-defined internal communications traffic"},{"id":"sc-7.8_prm_2","label":"organization-defined external networks"}],"properties":[{"name":"label","value":"SC-7(8)"},{"name":"sort-id","value":"sc-07.08"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"The information system routes {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed\n                  interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server\n                  is a server (i.e., information system or application) that acts as an intermediary\n                  for clients requesting information system resources (e.g., files, connections, web\n                  pages, or services) from other organizational servers. Client requests established\n                  through an initial connection to the proxy server are evaluated to manage\n                  complexity and to provide additional protection by limiting direct connectivity.\n                  Web content filtering devices are one of the most common proxy servers providing\n                  access to the Internet. Proxy servers support logging individual Transmission\n                  Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators\n                  (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be\n                  configured with organization-defined lists of authorized and unauthorized\n                  websites.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#au-2","rel":"related","text":"AU-2"}]},{"id":"sc-7.8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-7.8_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(8)[1]"}],"prose":"the organization defines internal communications traffic to be routed to\n                     external networks;"},{"id":"sc-7.8_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(8)[2]"}],"prose":"the organization defines external networks to which organization-defined\n                     internal communications traffic is to be routed; and"},{"id":"sc-7.8_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(8)[3]"}],"prose":"the information system routes organization-defined internal communications\n                     traffic to organization-defined external networks through authenticated proxy\n                     servers at managed interfaces."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management through authenticated\n                     proxy servers at managed interfaces"}]}]},{"id":"sc-7.12","class":"SP800-53-enhancement","title":"Host-based Protection","parameters":[{"id":"sc-7.12_prm_1","label":"organization-defined host-based boundary protection mechanisms"},{"id":"sc-7.12_prm_2","label":"organization-defined information system components"}],"properties":[{"name":"label","value":"SC-7(12)"},{"name":"sort-id","value":"sc-07.12"}],"parts":[{"id":"sc-7.12_smt","name":"statement","prose":"The organization implements {{ sc-7.12_prm_1 }} at {{ sc-7.12_prm_2 }}."},{"id":"sc-7.12_gdn","name":"guidance","prose":"Host-based boundary protection mechanisms include, for example, host-based\n                  firewalls. Information system components employing host-based boundary protection\n                  mechanisms include, for example, servers, workstations, and mobile devices."},{"id":"sc-7.12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.12_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(12)[1]"}],"prose":"defines host-based boundary protection mechanisms;"},{"id":"sc-7.12_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(12)[2]"}],"prose":"defines information system components where organization-defined host-based\n                     boundary protection mechanisms are to be implemented; and"},{"id":"sc-7.12_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(12)[3]"}],"prose":"implements organization-defined host-based boundary protection mechanisms at\n                     organization-defined information system components."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities\\n\\ninformation system users"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing host-based boundary protection\n                     capabilities"}]}]},{"id":"sc-7.13","class":"SP800-53-enhancement","title":"Isolation of Security Tools / Mechanisms / Support Components","parameters":[{"id":"sc-7.13_prm_1","label":"organization-defined information security tools, mechanisms, and support\n                  components"}],"properties":[{"name":"label","value":"SC-7(13)"},{"name":"sort-id","value":"sc-07.13"}],"parts":[{"id":"sc-7.13_smt","name":"statement","prose":"The organization isolates {{ sc-7.13_prm_1 }} from other internal\n                  information system components by implementing physically separate subnetworks with\n                  managed interfaces to other components of the system.","parts":[{"id":"sc-7.13_fr","name":"item","title":"SC-7 (13) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-7.13_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets."}]}]},{"id":"sc-7.13_gdn","name":"guidance","prose":"Physically separate subnetworks with managed interfaces are useful, for example,\n                  in isolating computer network defenses from critical operational processing\n                  networks to prevent adversaries from discovering the analysis and forensics\n                  techniques of organizations.","links":[{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-7.13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.13_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-7(13)[1]"}],"prose":"defines information security tools, mechanisms, and support components to be\n                     isolated from other internal information system components; and"},{"id":"sc-7.13_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-7(13)[2]"}],"prose":"isolates organization-defined information security tools, mechanisms, and\n                     support components from other internal information system components by\n                     implementing physically separate subnetworks with managed interfaces to other\n                     components of the system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security tools and support components to be isolated from other\n                     internal information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing isolation of information\n                     security tools, mechanisms, and support components"}]}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","properties":[{"name":"label","value":"SC-7(18)"},{"name":"sort-id","value":"sc-07.18"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"The information system fails securely in the event of an operational failure of a\n                  boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing information system mechanisms to\n                  ensure that in the event of operational failures of boundary protection devices at\n                  managed interfaces (e.g., routers, firewalls, guards, and application gateways\n                  residing on protected subnetworks commonly referred to as demilitarized zones),\n                  information systems do not enter into unsecure states where intended security\n                  properties no longer hold. Failures of boundary protection devices cannot lead to,\n                  or cause information external to the devices to enter the devices, nor can\n                  failures permit unauthorized information releases.","links":[{"href":"#cp-2","rel":"related","text":"CP-2"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"sc-7.18_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system fails securely in the event of an operational\n                  failure of a boundary protection device."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing secure failure"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","parameters":[{"id":"sc-8_prm_1","constraints":[{"detail":"confidentiality AND integrity"}]}],"properties":[{"name":"label","value":"SC-8"},{"name":"sort-id","value":"sc-08"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference","text":"FIPS Publication 140-2"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference","text":"FIPS Publication 197"},{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference","text":"NIST Special Publication 800-52"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference","text":"NIST Special Publication 800-113"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference","text":"CNSS Policy 15"},{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference","text":"NSTISSI No. 7003"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"The information system protects the {{ sc-8_prm_1 }} of transmitted\n               information."},{"id":"sc-8_gdn","name":"guidance","prose":"This control applies to both internal and external networks and all types of\n               information system components from which information can be transmitted (e.g.,\n               servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile\n               machines). Communication paths outside the physical protection of a controlled\n               boundary are exposed to the possibility of interception and modification. Protecting\n               the confidentiality and/or integrity of organizational information can be\n               accomplished by physical means (e.g., by employing protected distribution systems) or\n               by logical means (e.g., employing encryption techniques). Organizations relying on\n               commercial providers offering transmission services as commodity services rather than\n               as fully dedicated services (i.e., services which can be highly specialized to\n               individual customer needs), may find it difficult to obtain the necessary assurances\n               regarding the implementation of needed security controls for transmission\n               confidentiality/integrity. In such situations, organizations determine what types of\n               confidentiality/integrity services are available in standard, commercial\n               telecommunication service packages. If it is infeasible or impractical to obtain the\n               necessary security controls and assurances of control effectiveness through\n               appropriate contracting vehicles, organizations implement appropriate compensating\n               security controls or explicitly accept the additional risk.","links":[{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#pe-4","rel":"related","text":"PE-4"}]},{"id":"sc-8_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system protects one or more of the following:","parts":[{"id":"sc-8_obj.1","name":"objective","properties":[{"name":"label","value":"SC-8[1]"}],"prose":"confidentiality of transmitted information; and/or"},{"id":"sc-8_obj.2","name":"objective","properties":[{"name":"label","value":"SC-8[2]"}],"prose":"integrity of transmitted information."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing transmission confidentiality and integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing transmission confidentiality\n                  and/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic or Alternate Physical Protection","parameters":[{"id":"sc-8.1_prm_1","constraints":[{"detail":"prevent unauthorized disclosure of information AND detect changes to information"}]},{"id":"sc-8.1_prm_2","label":"organization-defined alternative physical safeguards","constraints":[{"detail":"a hardened or alarmed carrier Protective Distribution System (PDS)"}]}],"properties":[{"name":"label","value":"SC-8(1)"},{"name":"sort-id","value":"sc-08.01"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission unless otherwise protected by\n                     {{ sc-8.1_prm_2 }}."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encrypting information for transmission protects information from unauthorized\n                  disclosure and modification. Cryptographic mechanisms implemented to protect\n                  information integrity include, for example, cryptographic hash functions which\n                  have common application in digital signatures, checksums, and message\n                  authentication codes. Alternative physical security safeguards include, for\n                  example, protected distribution systems.","links":[{"href":"#sc-13","rel":"related","text":"SC-13"}]},{"id":"sc-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-8.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-8(1)[1]"}],"prose":"the organization defines physical safeguards to be implemented to protect\n                     information during transmission when cryptographic mechanisms are not\n                     implemented; and"},{"id":"sc-8.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-8(1)[2]"}],"prose":"the information system implements cryptographic mechanisms to do one or more of\n                     the following during transmission unless otherwise protected by\n                     organization-defined alternative physical safeguards:","parts":[{"id":"sc-8.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"SC-8(1)[2][a]"}],"prose":"prevent unauthorized disclosure of information; and/or"},{"id":"sc-8.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"SC-8(1)[2][b]"}],"prose":"detect changes to information."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing transmission confidentiality and integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms supporting and/or implementing transmission\n                     confidentiality and/or integrity\\n\\nautomated mechanisms supporting and/or implementing alternative physical\n                     safeguards\\n\\norganizational processes for defining and implementing alternative physical\n                     safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","parameters":[{"id":"sc-10_prm_1","label":"organization-defined time period","constraints":[{"detail":"no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions"}]}],"properties":[{"name":"label","value":"SC-10"},{"name":"sort-id","value":"sc-10"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"The information system terminates the network connection associated with a\n               communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"This control applies to both internal and external networks. Terminating network\n               connections associated with communications sessions include, for example,\n               de-allocating associated TCP/IP address/port pairs at the operating system level, or\n               de-allocating networking assignments at the application level if multiple application\n               sessions are using a single, operating system-level network connection. Time periods\n               of inactivity may be established by organizations and include, for example, time\n               periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-10[1]"}],"prose":"the organization defines a time period of inactivity after which the information\n                  system terminates a network connection associated with a communications session;\n                  and"},{"id":"sc-10_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-10[2]"}],"prose":"the information system terminates the network connection associated with a\n                  communication session at the end of the session or after the organization-defined\n                  time period of inactivity."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing network disconnect\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing network disconnect\n                  capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","parameters":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage,\n               access, and destruction"}],"properties":[{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference","text":"NIST Special Publication 800-56"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference","text":"NIST Special Publication 800-57"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography\n               employed within the information system in accordance with {{ sc-12_prm_1 }}.","parts":[{"id":"sc-12_fr","name":"item","title":"SC-12 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved and validated cryptography."}]}]},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual\n               procedures or automated mechanisms with supporting manual procedures. Organizations\n               define key management requirements in accordance with applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, and guidance,\n               specifying appropriate options, levels, and parameters. Organizations manage trust\n               stores to ensure that only approved trust anchors are in such trust stores. This\n               includes certificates with visibility external to organizational information systems\n               and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-17","rel":"related","text":"SC-17"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","properties":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","properties":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","properties":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","properties":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","properties":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed\n                  within the information system in accordance with organization-defined requirements\n                  for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ncryptographic mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key establishment\n                  and/or management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic key\n                  establishment and management"}]}],"controls":[{"id":"sc-12.2","class":"SP800-53-enhancement","title":"Symmetric Keys","parameters":[{"id":"sc-12.2_prm_1","constraints":[{"detail":"NIST FIPS-compliant"}]}],"properties":[{"name":"label","value":"SC-12(2)"},{"name":"sort-id","value":"sc-12.02"}],"parts":[{"id":"sc-12.2_smt","name":"statement","prose":"The organization produces, controls, and distributes symmetric cryptographic keys\n                  using {{ sc-12.2_prm_1 }} key management technology and\n                  processes."},{"id":"sc-12.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization produces, controls, and distributes symmetric\n                  cryptographic keys using one of the following: ","parts":[{"id":"sc-12.2_obj.1","name":"objective","properties":[{"name":"label","value":"SC-12(2)[1]"}],"prose":"NIST FIPS-compliant key management technology and processes; or"},{"id":"sc-12.2_obj.2","name":"objective","properties":[{"name":"label","value":"SC-12(2)[2]"}],"prose":"NSA-approved key management technology and processes."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FIPS validated cryptographic products\\n\\nlist of NSA-approved cryptographic products\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing symmetric cryptographic key\n                     establishment and management"}]}]},{"id":"sc-12.3","class":"SP800-53-enhancement","title":"Asymmetric Keys","parameters":[{"id":"sc-12.3_prm_1"}],"properties":[{"name":"label","value":"SC-12(3)"},{"name":"sort-id","value":"sc-12.03"}],"parts":[{"id":"sc-12.3_smt","name":"statement","prose":"The organization produces, controls, and distributes asymmetric cryptographic keys\n                  using {{ sc-12.3_prm_1 }}."},{"id":"sc-12.3_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization produces, controls, and distributes asymmetric\n                  cryptographic keys using one of the following: ","parts":[{"id":"sc-12.3_obj.1","name":"objective","properties":[{"name":"label","value":"SC-12(3)[1]"}],"prose":"NSA-approved key management technology and processes;"},{"id":"sc-12.3_obj.2","name":"objective","properties":[{"name":"label","value":"SC-12(3)[2]"}],"prose":"approved PKI Class 3 certificates or prepositioned keying material; or"},{"id":"sc-12.3_obj.3","name":"objective","properties":[{"name":"label","value":"SC-12(3)[3]"}],"prose":"approved PKI Class 3 or Class 4 certificates and hardware security tokens that\n                     protect the user’s private key."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of NSA-approved cryptographic products\\n\\nlist of approved PKI Class 3 and Class 4 certificates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management\\n\\norganizational personnel with responsibilities for PKI certificates"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing asymmetric cryptographic\n                     key establishment and management"}]}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","parameters":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for\n               each use","constraints":[{"detail":"FIPS-validated or NSA-approved cryptography"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference","text":"FIPS Publication 140"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference","text":"http://csrc.nist.gov/cryptval"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference","text":"http://www.cnss.gov"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ sc-13_prm_1 }} in accordance with\n               applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including,\n               for example, the protection of classified and Controlled Unclassified Information,\n               the provision of digital signatures, and the enforcement of information separation\n               when authorized individuals have the necessary clearances for such information but\n               lack the necessary formal access approvals. Cryptography can also be used to support\n               random number generation and hash generation. Generally applicable cryptographic\n               standards include FIPS-validated cryptography and NSA-approved cryptography. This\n               control does not impose any requirements on organizations to use cryptography.\n               However, if cryptography is required based on the selection of other security\n               controls, organizations define each type of cryptographic use and the type of\n               cryptography required (e.g., protection of classified information: NSA-approved\n               cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related","text":"AC-2"},{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-7","rel":"related","text":"AC-7"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#cm-11","rel":"related","text":"CM-11"},{"href":"#cp-9","rel":"related","text":"CP-9"},{"href":"#ia-3","rel":"related","text":"IA-3"},{"href":"#ia-7","rel":"related","text":"IA-7"},{"href":"#ma-4","rel":"related","text":"MA-4"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"},{"href":"#mp-5","rel":"related","text":"MP-5"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-28","rel":"related","text":"SC-28"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and\n                  type of cryptography required for each use in accordance with applicable federal\n                  laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing cryptographic protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic module validation certificates\\n\\nlist of FIPS validated cryptographic modules\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","parameters":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed","constraints":[{"detail":"no exceptions"}]}],"properties":[{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following\n                  exceptions: {{ sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the\n                  devices."},{"id":"sc-15_fr","name":"item","title":"SC-15 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-15_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."}]}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards,\n               cameras, and microphones. Explicit indication of use includes, for example, signals\n               to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related","text":"AC-21"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","properties":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative\n                     computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing\n                     devices, except for organization-defined exceptions where remote activation is\n                     to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically\n                  present at the devices."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing collaborative computing\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for managing collaborative\n                  computing devices"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing management of remote\n                  activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing\n                  devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","parameters":[{"id":"sc-17_prm_1","label":"organization-defined certificate policy"}],"properties":[{"name":"label","value":"SC-17"},{"name":"sort-id","value":"sc-17"}],"links":[{"href":"#58ad6f27-af99-429f-86a8-8bb767b014b9","rel":"reference","text":"OMB Memorandum 05-24"},{"href":"#8f174e91-844e-4cf1-a72a-45c119a3a8dd","rel":"reference","text":"NIST Special Publication 800-32"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference","text":"NIST Special Publication 800-63"}],"parts":[{"id":"sc-17_smt","name":"statement","prose":"The organization issues public key certificates under an {{ sc-17_prm_1 }} or obtains public key certificates from an approved\n               service provider."},{"id":"sc-17_gdn","name":"guidance","prose":"For all certificates, organizations manage information system trust stores to ensure\n               only approved trust anchors are in the trust stores. This control addresses both\n               certificates with visibility external to organizational information systems and\n               certificates related to the internal operations of systems, for example,\n               application-specific time services.","links":[{"href":"#sc-12","rel":"related","text":"SC-12"}]},{"id":"sc-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-17_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-17[1]"}],"prose":"defines a certificate policy for issuing public key certificates;"},{"id":"sc-17_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-17[2]"}],"prose":"issues public key certificates:","parts":[{"id":"sc-17_obj.2.a","name":"objective","properties":[{"name":"label","value":"SC-17[2][a]"}],"prose":"under an organization-defined certificate policy: or"},{"id":"sc-17_obj.2.b","name":"objective","properties":[{"name":"label","value":"SC-17[2][b]"}],"prose":"obtains public key certificates from an approved service provider."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing public key infrastructure certificates\\n\\npublic key certificate policy or policies\\n\\npublic key issuing process\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for issuing public key\n                  certificates\\n\\nservice providers"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the management of public key\n                  infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","properties":[{"name":"label","value":"SC-18"},{"name":"sort-id","value":"sc-18"}],"links":[{"href":"#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","rel":"reference","text":"NIST Special Publication 800-28"},{"href":"#e6522953-6714-435d-a0d3-140df554c186","rel":"reference","text":"DoD Instruction 8552.01"}],"parts":[{"id":"sc-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-18_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Establishes usage restrictions and implementation guidance for acceptable mobile\n                  code and mobile code technologies; and"},{"id":"sc-18_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Authorizes, monitors, and controls the use of mobile code within the information\n                  system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Decisions regarding the employment of mobile code within organizational information\n               systems are based on the potential for the code to cause damage to the systems if\n               used maliciously. Mobile code technologies include, for example, Java, JavaScript,\n               ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage\n               restrictions and implementation guidance apply to both the selection and use of\n               mobile code installed on servers and mobile code downloaded and executed on\n               individual workstations and devices (e.g., smart phones). Mobile code policy and\n               procedures address preventing the development, acquisition, or introduction of\n               unacceptable mobile code within organizational information systems.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#cm-2","rel":"related","text":"CM-2"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"sc-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-18.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-18(a)"}],"prose":"defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj","name":"objective","properties":[{"name":"label","value":"SC-18(b)"}],"parts":[{"id":"sc-18.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-18(b)[1]"}],"prose":"establishes usage restrictions for acceptable mobile code and mobile code\n                     technologies;"},{"id":"sc-18.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-18(b)[2]"}],"prose":"establishes implementation guidance for acceptable mobile code and mobile code\n                     technologies;"}]},{"id":"sc-18.c_obj","name":"objective","properties":[{"name":"label","value":"SC-18(c)"}],"parts":[{"id":"sc-18.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-18(c)[1]"}],"prose":"authorizes the use of mobile code within the information system;"},{"id":"sc-18.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-18(c)[2]"}],"prose":"monitors the use of mobile code within the information system; and"},{"id":"sc-18.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-18(c)[3]"}],"prose":"controls the use of mobile code within the information system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing mobile code\\n\\nmobile code usage restrictions, mobile code implementation policy and\n                  procedures\\n\\nlist of acceptable mobile code and mobile code technologies\\n\\nlist of unacceptable mobile code and mobile technologies\\n\\nauthorization records\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing mobile code"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for controlling, authorizing, monitoring, and restricting\n                  mobile code\\n\\nautomated mechanisms supporting and/or implementing the management of mobile\n                  code\\n\\nautomated mechanisms supporting and/or implementing the monitoring of mobile\n                  code"}]}]},{"id":"sc-19","class":"SP800-53","title":"Voice Over Internet Protocol","properties":[{"name":"label","value":"SC-19"},{"name":"sort-id","value":"sc-19"}],"links":[{"href":"#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","rel":"reference","text":"NIST Special Publication 800-58"}],"parts":[{"id":"sc-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-19_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions and implementation guidance for Voice over Internet\n                  Protocol (VoIP) technologies based on the potential to cause damage to the\n                  information system if used maliciously; and"},{"id":"sc-19_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Authorizes, monitors, and controls the use of VoIP within the information\n                  system."}]},{"id":"sc-19_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-15","rel":"related","text":"SC-15"}]},{"id":"sc-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-19.a_obj","name":"objective","properties":[{"name":"label","value":"SC-19(a)"}],"parts":[{"id":"sc-19.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-19(a)[1]"}],"prose":"establishes usage restrictions for Voice over Internet Protocol (VoIP)\n                     technologies based on the potential to cause damage to the information system\n                     if used maliciously;"},{"id":"sc-19.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-19(a)[2]"}],"prose":"establishes implementation guidance for Voice over Internet Protocol (VoIP)\n                     technologies based on the potential to cause damage to the information system\n                     if used maliciously;"}]},{"id":"sc-19.b_obj","name":"objective","properties":[{"name":"label","value":"SC-19(b)"}],"parts":[{"id":"sc-19.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-19(b)[1]"}],"prose":"authorizes the use of VoIP within the information system;"},{"id":"sc-19.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-19(b)[2]"}],"prose":"monitors the use of VoIP within the information system; and"},{"id":"sc-19.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-19(b)[3]"}],"prose":"controls the use of VoIP within the information system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing VoIP\\n\\nVoIP usage restrictions\\n\\nVoIP implementation guidance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing VoIP"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling VoIP\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling VoIP"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name / Address Resolution Service (authoritative Source)","properties":[{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference","text":"OMB Memorandum 08-23"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification\n                  artifacts along with the authoritative name resolution data the system returns in\n                  response to external name/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the\n                  child supports secure resolution services) to enable verification of a chain of\n                  trust among parent and child domains, when operating as part of a distributed,\n                  hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet\n               clients, to obtain origin authentication and integrity verification assurances for\n               the host/service name to network address resolution information obtained through the\n               service. Information systems that provide name and address resolution services\n               include, for example, domain name system (DNS) servers. Additional artifacts include,\n               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS\n               resource records are examples of authoritative data. The means to indicate the\n               security status of child zones includes, for example, the use of delegation signer\n               resource records in the DNS. The DNS security controls reflect (and are referenced\n               from) OMB Memorandum 08-23. Information systems that use technologies other than the\n               DNS to map between host/service names and network addresses provide other means to\n               assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related","text":"AU-10"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-12","rel":"related","text":"SC-12"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with\n                  the authoritative name resolution data the system returns in response to external\n                  name/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical\n                  namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","properties":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","properties":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the\n                     child supports secure resolution services)."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (authoritative\n                  source)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing secure name/address resolution\n                  service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name / Address Resolution Service (recursive or Caching Resolver)","properties":[{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data\n               integrity verification on the name/address resolution responses the system receives\n               from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own,\n               or has authenticated channels to trusted validation providers. Information systems\n               that provide name and address resolution services for local clients include, for\n               example, recursive resolving or caching domain name system (DNS) servers. DNS client\n               resolvers either perform validation of DNSSEC signatures, or clients use\n               authenticated channels to recursive resolvers that perform such validations.\n               Information systems that use technologies other than the DNS to map between\n               host/service names and network addresses provide other means to enable clients to\n               verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-22","rel":"related","text":"SC-22"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system: ","parts":[{"id":"sc-21_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (recursive or caching\n                  resolver)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing data origin authentication and\n                  data integrity verification for name/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name / Address Resolution Service","properties":[{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference","text":"NIST Special Publication 800-81"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name/address resolution service for\n               an organization are fault-tolerant and implement internal/external role\n               separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for\n               example, domain name system (DNS) servers. To eliminate single points of failure and\n               to enhance redundancy, organizations employ at least two authoritative domain name\n               system servers, one configured as the primary server and the other configured as the\n               secondary server. Additionally, organizations typically deploy the servers in two\n               geographically separated network subnetworks (i.e., not located in the same physical\n               facility). For role separation, DNS servers with internal roles only process name and\n               address resolution requests from within organizations (i.e., from internal clients).\n               DNS servers with external roles only process name and address resolution information\n               requests from clients external to organizations (i.e., on external networks including\n               the Internet). Organizations specify clients that can access authoritative DNS\n               servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-20","rel":"related","text":"SC-20"},{"href":"#sc-21","rel":"related","text":"SC-21"},{"href":"#sc-24","rel":"related","text":"SC-24"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name/address\n               resolution service for an organization: ","parts":[{"id":"sc-22_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-22[2]"}],"prose":"implement internal/external role separation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing architecture and provisioning for name/address resolution\n                  service\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\nassessment results from independent, testing organizations\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing name/address resolution\n                  service for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","properties":[{"name":"label","value":"SC-23"},{"name":"sort-id","value":"sc-23"}],"links":[{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference","text":"NIST Special Publication 800-52"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference","text":"NIST Special Publication 800-77"},{"href":"#1ebdf782-d95d-4a7b-8ec7-ee860951eced","rel":"reference","text":"NIST Special Publication 800-95"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"The information system protects the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"This control addresses communications protection at the session, versus packet level\n               (e.g., sessions in service-oriented architectures providing web-based services) and\n               establishes grounds for confidence at both ends of communications sessions in ongoing\n               identities of other parties and in the validity of information transmitted.\n               Authenticity protection includes, for example, protecting against man-in-the-middle\n               attacks/session hijacking and the insertion of false information into sessions.","links":[{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-10","rel":"related","text":"SC-10"},{"href":"#sc-11","rel":"related","text":"SC-11"}]},{"id":"sc-23_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system protects the authenticity of communications\n               sessions."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing session authenticity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing session authenticity"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","parameters":[{"id":"sc-28_prm_1","constraints":[{"detail":"confidentiality AND integrity"}]},{"id":"sc-28_prm_2","label":"organization-defined information at rest"}],"properties":[{"name":"label","value":"SC-28"},{"name":"sort-id","value":"sc-28"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference","text":"NIST Special Publication 800-56"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference","text":"NIST Special Publication 800-57"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference","text":"NIST Special Publication 800-111"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"The information system protects the {{ sc-28_prm_1 }} of {{ sc-28_prm_2 }}.","parts":[{"id":"sc-28_fr","name":"item","title":"SC-28 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-28_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The organization supports the capability to use cryptographic mechanisms to protect information at rest."}]}]},{"id":"sc-28_gdn","name":"guidance","prose":"This control addresses the confidentiality and integrity of information at rest and\n               covers user information and system information. Information at rest refers to the\n               state of information when it is located on storage devices as specific components of\n               information systems. System-related information requiring protection includes, for\n               example, configurations or rule sets for firewalls, gateways, intrusion\n               detection/prevention systems, filtering routers, and authenticator content.\n               Organizations may employ different mechanisms to achieve confidentiality and\n               integrity protections, including the use of cryptographic mechanisms and file share\n               scanning. Integrity protection can be achieved, for example, by implementing\n               Write-Once-Read-Many (WORM) technologies. Organizations may also employ other\n               security controls including, for example, secure off-line storage in lieu of online\n               storage when adequate protection of information at rest cannot otherwise be achieved\n               and/or continuous monitoring to identify malicious code at rest.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"sc-28_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-28_obj.1","name":"objective","properties":[{"name":"label","value":"SC-28[1]"}],"prose":"the organization defines information at rest requiring one or more of the\n                  following:","parts":[{"id":"sc-28_obj.1.a","name":"objective","properties":[{"name":"label","value":"SC-28[1][a]"}],"prose":"confidentiality protection; and/or"},{"id":"sc-28_obj.1.b","name":"objective","properties":[{"name":"label","value":"SC-28[1][b]"}],"prose":"integrity protection;"}]},{"id":"sc-28_obj.2","name":"objective","properties":[{"name":"label","value":"SC-28[2]"}],"prose":"the information system protects:","parts":[{"id":"sc-28_obj.2.a","name":"objective","properties":[{"name":"label","value":"SC-28[2][a]"}],"prose":"the confidentiality of organization-defined information at rest; and/or"},{"id":"sc-28_obj.2.b","name":"objective","properties":[{"name":"label","value":"SC-28[2][b]"}],"prose":"the integrity of organization-defined information at rest."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing protection of information at rest\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\nlist of information at rest requiring confidentiality and integrity\n                  protections\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing confidentiality and integrity\n                  protections for information at rest"}]}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","parameters":[{"id":"sc-28.1_prm_1","label":"organization-defined information"},{"id":"sc-28.1_prm_2","label":"organization-defined information system components"}],"properties":[{"name":"label","value":"SC-28(1)"},{"name":"sort-id","value":"sc-28.01"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to prevent unauthorized\n                  disclosure and modification of {{ sc-28.1_prm_1 }} on {{ sc-28.1_prm_2 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"Selection of cryptographic mechanisms is based on the need to protect the\n                  confidentiality and integrity of organizational information. The strength of\n                  mechanism is commensurate with the security category and/or classification of the\n                  information. This control enhancement applies to significant concentrations of\n                  digital media in organizational areas designated for media storage and also to\n                  limited quantities of media generally associated with information system\n                  components in operational environments (e.g., portable storage devices, mobile\n                  devices). Organizations have the flexibility to either encrypt all information on\n                  storage devices (i.e., full disk encryption) or encrypt specific data structures\n                  (e.g., files, records, or fields). Organizations employing cryptographic\n                  mechanisms to protect information at rest also consider cryptographic key\n                  management solutions.","links":[{"href":"#ac-19","rel":"related","text":"AC-19"},{"href":"#sc-12","rel":"related","text":"SC-12"}]},{"id":"sc-28.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-28.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-28(1)[1]"}],"prose":"the organization defines information requiring cryptographic protection;"},{"id":"sc-28.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SC-28(1)[2]"}],"prose":"the organization defines information system components with\n                     organization-defined information requiring cryptographic protection; and"},{"id":"sc-28.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SC-28(1)[3]"}],"prose":"the information system employs cryptographic mechanisms to prevent unauthorized\n                     disclosure and modification of organization-defined information on\n                     organization-defined information system components."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\\n\\nprocedures addressing protection of information at rest\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms implementing confidentiality and integrity protections\n                     for information at rest"}]}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","properties":[{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing\n               process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing\n               process by assigning each process a separate address space. Each information system\n               process has a distinct address space so that communication between processes is\n               performed in a manner controlled through the security functions, and one process\n               cannot modify the executing code of another process. Maintaining separate execution\n               domains for executing processes can be achieved, for example, by implementing\n               separate address spaces. This capability is available in most commercial operating\n               systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-6","rel":"related","text":"AC-6"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-5","rel":"related","text":"SA-5"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sc-2","rel":"related","text":"SC-2"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"sc-39_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system maintains a separate execution domain for each\n               executing process."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\\n\\ninformation system architecture\\n\\nindependent verification and validation documentation\\n\\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers/integrators\\n\\ninformation system security architect"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing separate execution domains for\n                  each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","parameters":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least every 3 years"}]},{"id":"si-1_prm_3","label":"organization-defined frequency","constraints":[{"detail":"at least annually"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference","text":"NIST Special Publication 800-12"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference","text":"NIST Special Publication 800-100"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information\n                     integrity policy and associated system and information integrity controls;\n                     and"}]},{"id":"si-1_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ si-1_prm_2 }};\n                     and"},{"id":"si-1_smt.b.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SI\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related","text":"PM-9"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that\n                        addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","properties":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity\n                        policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to\n                        organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","properties":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the\n                        system and information integrity policy and associated system and\n                        information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be\n                        disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with\n                        the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","properties":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and\n                        information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures\n                        with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","parameters":[{"id":"si-2_prm_1","label":"organization-defined time period","constraints":[{"detail":"within 30 days of release of updates"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference","text":"NIST Special Publication 800-128"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness\n                  and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management\n                  process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws\n               including potential vulnerabilities resulting from those flaws, and report this\n               information to designated organizational personnel with information security\n               responsibilities. Security-relevant software updates include, for example, patches,\n               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws\n               discovered during security assessments, continuous monitoring, incident response\n               activities, and system error handling. Organizations take advantage of available\n               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and\n               Exposures (CVE) databases in remediating flaws discovered in organizational\n               information systems. By incorporating flaw remediation into ongoing configuration\n               management processes, required/anticipated remediation actions can be tracked and\n               verified. Flaw remediation actions that can be tracked and verified include, for\n               example, determining whether organizations follow US-CERT guidance and Information\n               Assurance Vulnerability Alerts. Organization-defined time periods for updating\n               security-relevant software and firmware may vary based on a variety of factors\n               including, for example, the security category of the information system or the\n               criticality of the update (i.e., severity of the vulnerability related to the\n               discovered flaw). Some types of flaw remediation may require more testing than other\n               types. Organizations determine the degree and type of testing needed for the specific\n               type of flaw remediation activity under consideration and also the types of changes\n               that are to be configuration-managed. In some situations, organizations may determine\n               that the testing of software and/or firmware updates is not necessary or practical,\n               for example, when implementing simple anti-virus signature updates. Organizations may\n               also consider in testing decisions, whether security-relevant software or firmware\n               updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related","text":"CA-2"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#cm-5","rel":"related","text":"CM-5"},{"href":"#cm-8","rel":"related","text":"CM-8"},{"href":"#ma-2","rel":"related","text":"MA-2"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sa-10","rel":"related","text":"SA-10"},{"href":"#sa-11","rel":"related","text":"SA-11"},{"href":"#si-11","rel":"related","text":"SI-11"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","properties":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","properties":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","properties":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software\n                     updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware\n                     updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the\n                     release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the\n                     release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management\n                  process."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nprocedures addressing configuration management\\n\\nlist of flaws and vulnerabilities potentially affecting the information system\\n\\nlist of recent security flaw remediation actions performed on the information\n                  system (e.g., list of installed patches, service packs, hot fixes, and other\n                  software updates to correct information system flaws)\\n\\ntest results from the installation of software and firmware updates to correct\n                  information system flaws\\n\\ninstallation/change control records for security-relevant software and firmware\n                  updates\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for flaw remediation\\n\\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information\n                  system flaws\\n\\norganizational process for installing software and firmware updates\\n\\nautomated mechanisms supporting and/or implementing reporting, and correcting\n                  information system flaws\\n\\nautomated mechanisms supporting and/or implementing testing software and firmware\n                  updates"}]}],"controls":[{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","parameters":[{"id":"si-2.2_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-2(2)"},{"name":"sort-id","value":"si-02.02"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms {{ si-2.2_prm_1 }} to\n                  determine the state of information system components with regard to flaw\n                  remediation."},{"id":"si-2.2_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related","text":"CM-6"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"si-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.2_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(2)[1]"}],"prose":"defines a frequency to employ automated mechanisms to determine the state of\n                     information system components with regard to flaw remediation; and"},{"id":"si-2.2_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(2)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to\n                     determine the state of information system components with regard to flaw\n                     remediation."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nautomated mechanisms supporting centralized management of flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms used to determine the state of information system\n                     components with regard to flaw remediation"}]}]},{"id":"si-2.3","class":"SP800-53-enhancement","title":"Time to Remediate Flaws / Benchmarks for Corrective Actions","parameters":[{"id":"si-2.3_prm_1","label":"organization-defined benchmarks"}],"properties":[{"name":"label","value":"SI-2(3)"},{"name":"sort-id","value":"si-02.03"}],"parts":[{"id":"si-2.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2.3_smt.a","name":"item","properties":[{"name":"label","value":"(a)"}],"prose":"Measures the time between flaw identification and flaw remediation; and"},{"id":"si-2.3_smt.b","name":"item","properties":[{"name":"label","value":"(b)"}],"prose":"Establishes {{ si-2.3_prm_1 }} for taking corrective\n                     actions."}]},{"id":"si-2.3_gdn","name":"guidance","prose":"This control enhancement requires organizations to determine the current time it\n                  takes on the average to correct information system flaws after such flaws have\n                  been identified, and subsequently establish organizational benchmarks (i.e., time\n                  frames) for taking corrective actions. Benchmarks can be established by type of\n                  flaw and/or severity of the potential vulnerability if the flaw can be\n                  exploited."},{"id":"si-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-2(3)(a)"}],"prose":"measures the time between flaw identification and flaw remediation;","links":[{"href":"#si-2.3_smt.a","rel":"corresp","text":"SI-2(3)(a)"}]},{"id":"si-2.3.b_obj","name":"objective","properties":[{"name":"label","value":"SI-2(3)(b)"}],"parts":[{"id":"si-2.3.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(3)(b)[1]"}],"prose":"defines benchmarks for taking corrective actions; and"},{"id":"si-2.3.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-2(3)(b)[2]"}],"prose":"establishes organization-defined benchmarks for taking corrective\n                        actions."}],"links":[{"href":"#si-2.3_smt.b","rel":"corresp","text":"SI-2(3)(b)"}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of benchmarks for taking corrective action on flaws identified\\n\\nrecords providing time stamps of flaw identification and subsequent flaw\n                     remediation activities\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information\n                     system flaws\\n\\nautomated mechanisms used to measure the time between flaw identification and\n                     flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","parameters":[{"id":"si-3_prm_1","label":"organization-defined frequency","constraints":[{"detail":"at least weekly"}]},{"id":"si-3_prm_2","constraints":[{"detail":"to include endpoints"}]},{"id":"si-3_prm_3","constraints":[{"detail":"to include alerting administrator or defined security personnel"}]},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit\n                  points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and\n                  procedures;"},{"id":"si-3_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in\n                     accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"\n                     {{ si-3_prm_3 }} in response to malicious code detection;\n                     and"}]},{"id":"si-3_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and\n                  eradication and the resulting potential impact on the availability of the\n                  information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations,\n               notebook computers, and mobile devices. Malicious code includes, for example,\n               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in\n               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden\n               files, or hidden in files using steganography. Malicious code can be transported by\n               different means including, for example, web accesses, electronic mail, electronic\n               mail attachments, and portable storage devices. Malicious code insertions occur\n               through the exploitation of information system vulnerabilities. Malicious code\n               protection mechanisms include, for example, anti-virus signature definitions and\n               reputation-based technologies. A variety of technologies and methods exist to limit\n               or eliminate the effects of malicious code. Pervasive configuration management and\n               comprehensive software integrity controls may be effective in preventing execution of\n               unauthorized code. In addition to commercial off-the-shelf software, malicious code\n               may also be present in custom-built software. This could include, for example, logic\n               bombs, back doors, and other types of cyber attacks that could affect organizational\n               missions/business functions. Traditional malicious code protection mechanisms cannot\n               always detect such code. In these situations, organizations rely instead on other\n               safeguards including, for example, secure coding practices, configuration management\n               and control, trusted procurement processes, and monitoring practices to help ensure\n               that software does not perform functions other than the functions intended.\n               Organizations may determine that in response to the detection of malicious code,\n               different actions may be warranted. For example, organizations can define actions in\n               response to malicious code detection during periodic scans, actions in response to\n               detection of malicious downloads, and/or actions in response to detection of\n               maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related","text":"CM-3"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#sa-4","rel":"related","text":"SA-4"},{"href":"#sa-8","rel":"related","text":"SA-8"},{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sa-13","rel":"related","text":"SA-13"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-44","rel":"related","text":"SC-44"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-4","rel":"related","text":"SI-4"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious\n                  code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","properties":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","properties":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and procedures\n                  (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","properties":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform\n                     periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response\n                     to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the\n                           organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and/or\n                           network entry/exit points as the files are downloaded, opened, or\n                           executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the\n                        following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection;\n                           and/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","properties":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code\n                           detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","properties":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and\n                     eradication; and"},{"id":"si-3.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information\n                     system."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nconfiguration management policy and procedures\\n\\nprocedures addressing malicious code protection\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nscan results from malicious code protection mechanisms\\n\\nrecord of actions initiated by malicious code protection mechanisms in response to\n                  malicious code detection\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for malicious code protection\\n\\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code\n                  protection mechanisms\\n\\norganizational process for addressing false positives and resulting potential\n                  impact\\n\\nautomated mechanisms supporting and/or implementing employing, updating, and\n                  configuring malicious code protection mechanisms\\n\\nautomated mechanisms supporting and/or implementing malicious code scanning and\n                  subsequent actions"}]}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"label","value":"SI-3(1)"},{"name":"sort-id","value":"si-03.01"}],"parts":[{"id":"si-3.1_smt","name":"statement","prose":"The organization centrally manages malicious code protection mechanisms."},{"id":"si-3.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of\n                  malicious code protection mechanisms. Central management includes planning,\n                  implementing, assessing, authorizing, and monitoring the organization-defined,\n                  centrally managed flaw malicious code protection security controls.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#si-8","rel":"related","text":"SI-8"}]},{"id":"si-3.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization centrally manages malicious code protection\n                  mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\nautomated mechanisms supporting centralized management of malicious code\n                     protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of malicious code protection\n                     mechanisms\\n\\nautomated mechanisms supporting and/or implementing central management of\n                     malicious code protection mechanisms"}]}]},{"id":"si-3.2","class":"SP800-53-enhancement","title":"Automatic Updates","properties":[{"name":"label","value":"SI-3(2)"},{"name":"sort-id","value":"si-03.02"}],"parts":[{"id":"si-3.2_smt","name":"statement","prose":"The information system automatically updates malicious code protection\n                  mechanisms."},{"id":"si-3.2_gdn","name":"guidance","prose":"Malicious code protection mechanisms include, for example, signature definitions.\n                  Due to information system integrity and availability concerns, organizations give\n                  careful consideration to the methodology used to carry out automatic updates.","links":[{"href":"#si-8","rel":"related","text":"SI-8"}]},{"id":"si-3.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system automatically updates malicious code\n                  protection mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\nautomated mechanisms supporting centralized management of malicious code\n                     protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing automatic updates to\n                     malicious code protection capability"}]}]},{"id":"si-3.7","class":"SP800-53-enhancement","title":"Nonsignature-based Detection","properties":[{"name":"label","value":"SI-3(7)"},{"name":"sort-id","value":"si-03.07"}],"parts":[{"id":"si-3.7_smt","name":"statement","prose":"The information system implements nonsignature-based malicious code detection\n                  mechanisms."},{"id":"si-3.7_gdn","name":"guidance","prose":"Nonsignature-based detection mechanisms include, for example, the use of\n                  heuristics to detect, analyze, and describe the characteristics or behavior of\n                  malicious code and to provide safeguards against malicious code for which\n                  signatures do not yet exist or for which existing signatures may not be effective.\n                  This includes polymorphic malicious code (i.e., code that changes signatures when\n                  it replicates). This control enhancement does not preclude the use of\n                  signature-based detection mechanisms."},{"id":"si-3.7_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system implements non signature-based malicious code\n                  detection mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\ninformation system design documentation\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing nonsignature-based\n                     malicious code protection capability"}]}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","parameters":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5"},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference","text":"NIST Special Publication 800-61"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference","text":"NIST Special Publication 800-83"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference","text":"NIST Special Publication 800-92"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference","text":"NIST Special Publication 800-94"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference","text":"NIST Special Publication 800-137"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","properties":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined\n                     essential information; and"},{"id":"si-4_smt.c.2","name":"item","properties":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized\n                  access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","properties":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","properties":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations; and"},{"id":"si-4_smt.g","name":"item","properties":[{"name":"label","value":"g."}],"prose":"Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n                  {{ si-4_prm_5 }}."},{"id":"si-4_fr","name":"item","title":"SI-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See US-CERT Incident Response Reporting Guidelines."}]}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External\n               monitoring includes the observation of events occurring at the information system\n               boundary (i.e., part of perimeter defense and boundary protection). Internal\n               monitoring includes the observation of events occurring within the information\n               system. Organizations can monitor information systems, for example, by observing\n               audit activities in real time or by observing other system aspects such as access\n               patterns, characteristics of access, and other actions. The monitoring objectives may\n               guide determination of the events. Information system monitoring capability is\n               achieved through a variety of tools and techniques (e.g., intrusion detection\n               systems, intrusion prevention systems, malicious code protection software, scanning\n               tools, audit record monitoring software, network monitoring software). Strategic\n               locations for monitoring devices include, for example, selected perimeter locations\n               and near server farms supporting critical applications, with such devices typically\n               being employed at the managed interfaces associated with controls SC-7 and AC-17.\n               Einstein network monitoring devices from the Department of Homeland Security can also\n               be included as monitoring devices. The granularity of monitoring information\n               collected is based on organizational monitoring objectives and the capability of\n               information systems to support such objectives. Specific types of transactions of\n               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that\n               bypasses HTTP proxies. Information system monitoring is an integral part of\n               organizational continuous monitoring and incident response programs. Output from\n               system monitoring serves as input to continuous monitoring and incident response\n               programs. A network connection is any connection with a device that communicates\n               through a network (e.g., local area network, Internet). A remote connection is any\n               connection with a device communicating through an external network (e.g., the\n               Internet). Local, network, and remote connections can be either wired or\n               wireless.","links":[{"href":"#ac-3","rel":"related","text":"AC-3"},{"href":"#ac-4","rel":"related","text":"AC-4"},{"href":"#ac-8","rel":"related","text":"AC-8"},{"href":"#ac-17","rel":"related","text":"AC-17"},{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-6","rel":"related","text":"AU-6"},{"href":"#au-7","rel":"related","text":"AU-7"},{"href":"#au-9","rel":"related","text":"AU-9"},{"href":"#au-12","rel":"related","text":"AU-12"},{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#pe-3","rel":"related","text":"PE-3"},{"href":"#ra-5","rel":"related","text":"RA-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#sc-26","rel":"related","text":"SC-26"},{"href":"#sc-35","rel":"related","text":"SC-35"},{"href":"#si-3","rel":"related","text":"SI-3"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential\n                        attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with\n                        organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","properties":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information\n                     system;"},{"id":"si-4.b.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through\n                     organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined\n                     essential information;"},{"id":"si-4.c_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from\n                  unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","properties":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations;"},{"id":"si-4.g_obj","name":"objective","properties":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is\n                     to be provided;"},{"id":"si-4.g_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to\n                     organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system\n                     monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to\n                     organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and/or"},{"id":"si-4.g_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\\n\\nsystem and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\nfacility diagram/layout\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\nlocations within information system where monitoring devices are deployed\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system monitoring\n                  capability"}]}],"controls":[{"id":"si-4.1","class":"SP800-53-enhancement","title":"System-wide Intrusion Detection System","properties":[{"name":"label","value":"SI-4(1)"},{"name":"sort-id","value":"si-04.01"}],"parts":[{"id":"si-4.1_smt","name":"statement","prose":"The organization connects and configures individual intrusion detection tools into\n                  an information system-wide intrusion detection system."},{"id":"si-4.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(1)[1]"}],"prose":"connects individual intrusion detection tools into an information system-wide\n                     intrusion detection system; and"},{"id":"si-4.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(1)[2]"}],"prose":"configures individual intrusion detection tools into an information system-wide\n                     intrusion detection system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection\n                     capability"}]}]},{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools for Real-time Analysis","properties":[{"name":"label","value":"SI-4(2)"},{"name":"sort-id","value":"si-04.02"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"The organization employs automated tools to support near real-time analysis of\n                  events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools include, for example, host-based, network-based, transport-based,\n                  or storage-based event monitoring tools or Security Information and Event\n                  Management (SIEM) technologies that provide real time analysis of alerts and/or\n                  notifications generated by organizational information systems."},{"id":"si-4.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization employs automated tools to support near real-time\n                  analysis of events."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for incident\n                     response/management"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for near real-time analysis of events\\n\\norganizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system\n                     monitoring\\n\\nautomated mechanisms/tools supporting and/or implementing analysis of\n                     events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","parameters":[{"id":"si-4.4_prm_1","label":"organization-defined frequency","constraints":[{"detail":"continuously"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-4(4)"},{"name":"sort-id","value":"si-04.04"}],"parts":[{"id":"si-4.4_smt","name":"statement","prose":"The information system monitors inbound and outbound communications traffic\n                     {{ si-4.4_prm_1 }} for unusual or unauthorized activities or\n                  conditions."},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual/unauthorized activities or conditions related to information system\n                  inbound and outbound communications traffic include, for example, internal traffic\n                  that indicates the presence of malicious code within organizational information\n                  systems or propagating among system components, the unauthorized exporting of\n                  information, or signaling to external information systems. Evidence of malicious\n                  code is used to identify potentially compromised information systems or\n                  information system components."},{"id":"si-4.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.4_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(4)[1]"}],"prose":"defines a frequency to monitor:","parts":[{"id":"si-4.4_obj.1.a","name":"objective","properties":[{"name":"label","value":"SI-4(4)[1][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or\n                        conditions;"},{"id":"si-4.4_obj.1.b","name":"objective","properties":[{"name":"label","value":"SI-4(4)[1][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or\n                        conditions;"}]},{"id":"si-4.4_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(4)[2]"}],"prose":"monitors, with the organization-defined frequency:","parts":[{"id":"si-4.4_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-4(4)[2][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or\n                        conditions; and"},{"id":"si-4.4_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-4(4)[2][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or\n                        conditions."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system protocols\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection\n                     capability/information system monitoring\\n\\nautomated mechanisms supporting and/or implementing monitoring of\n                     inbound/outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","parameters":[{"id":"si-4.5_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.5_prm_2","label":"organization-defined compromise indicators"}],"properties":[{"name":"label","value":"SI-4(5)"},{"name":"sort-id","value":"si-04.05"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"The information system alerts {{ si-4.5_prm_1 }} when the following\n                  indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}.","parts":[{"id":"si-4.5_fr","name":"item","title":"SI-4 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"In accordance with the incident response plan."}]}]},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including, for example, audit\n                  records or inputs from malicious code protection mechanisms, intrusion detection\n                  or prevention mechanisms, or boundary protection devices such as firewalls,\n                  gateways, and routers. Alerts can be transmitted, for example, telephonically, by\n                  electronic mail messages, or by text messaging. Organizational personnel on the\n                  notification list can include, for example, system administrators,\n                  mission/business owners, system owners, or information system security\n                  officers.","links":[{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#pe-6","rel":"related","text":"PE-6"}]},{"id":"si-4.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-4.5_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(5)[1]"}],"prose":"the organization defines compromise indicators for the information system;"},{"id":"si-4.5_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(5)[2]"}],"prose":"the organization defines personnel or roles to be alerted when indications of\n                     compromise or potential compromise occur; and"},{"id":"si-4.5_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(5)[3]"}],"prose":"the information system alerts organization-defined personnel or roles when\n                     organization-defined compromise indicators occur."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications generated based on compromise indicators\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing alerts for compromise\n                     indicators"}]}]},{"id":"si-4.14","class":"SP800-53-enhancement","title":"Wireless Intrusion Detection","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-4(14)"},{"name":"sort-id","value":"si-04.14"}],"parts":[{"id":"si-4.14_smt","name":"statement","prose":"The organization employs a wireless intrusion detection system to identify rogue\n                  wireless devices and to detect attack attempts and potential compromises/breaches\n                  to the information system."},{"id":"si-4.14_gdn","name":"guidance","prose":"Wireless signals may radiate beyond the confines of organization-controlled\n                  facilities. Organizations proactively search for unauthorized wireless connections\n                  including the conduct of thorough scans for unauthorized wireless access points.\n                  Scans are not limited to those areas within facilities containing information\n                  systems, but also include areas outside of facilities as needed, to verify that\n                  unauthorized wireless access points are not connected to the systems.","links":[{"href":"#ac-18","rel":"related","text":"AC-18"},{"href":"#ia-3","rel":"related","text":"IA-3"}]},{"id":"si-4.14_obj","name":"objective","prose":"Determine if the organization employs a wireless intrusion detection system\n                  to:","parts":[{"id":"si-4.14_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(14)[1]"}],"prose":"identify rogue wireless devices;"},{"id":"si-4.14_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(14)[2]"}],"prose":"detect attack attempts to the information system; and"},{"id":"si-4.14_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(14)[3]"}],"prose":"detect potential compromises/breaches to the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system protocols\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\\n\\nautomated mechanisms supporting and/or implementing wireless intrusion\n                     detection capability"}]}]},{"id":"si-4.16","class":"SP800-53-enhancement","title":"Correlate Monitoring Information","properties":[{"name":"label","value":"SI-4(16)"},{"name":"sort-id","value":"si-04.16"}],"parts":[{"id":"si-4.16_smt","name":"statement","prose":"The organization correlates information from monitoring tools employed throughout\n                  the information system."},{"id":"si-4.16_gdn","name":"guidance","prose":"Correlating information from different monitoring tools can provide a more\n                  comprehensive view of information system activity. The correlation of monitoring\n                  tools that usually work in isolation (e.g., host monitoring, network monitoring,\n                  anti-virus software) can provide an organization-wide view and in so doing, may\n                  reveal otherwise unseen attack patterns. Understanding the\n                  capabilities/limitations of diverse monitoring tools and how to maximize the\n                  utility of information generated by those tools can help organizations to build,\n                  operate, and maintain effective monitoring programs.","links":[{"href":"#au-6","rel":"related","text":"AU-6"}]},{"id":"si-4.16_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization correlates information from monitoring tools\n                  employed throughout the information system."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nevent correlation logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing correlation of information\n                     from monitoring tools"}]}]},{"id":"si-4.23","class":"SP800-53-enhancement","title":"Host-based Devices","parameters":[{"id":"si-4.23_prm_1","label":"organization-defined host-based monitoring mechanisms"},{"id":"si-4.23_prm_2","label":"organization-defined information system components"}],"properties":[{"name":"label","value":"SI-4(23)"},{"name":"sort-id","value":"si-04.23"}],"parts":[{"id":"si-4.23_smt","name":"statement","prose":"The organization implements {{ si-4.23_prm_1 }} at {{ si-4.23_prm_2 }}."},{"id":"si-4.23_gdn","name":"guidance","prose":"Information system components where host-based monitoring can be implemented\n                  include, for example, servers, workstations, and mobile devices. Organizations\n                  consider employing host-based monitoring mechanisms from multiple information\n                  technology product developers."},{"id":"si-4.23_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.23_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(23)[1]"}],"prose":"defines host-based monitoring mechanisms to be implemented;"},{"id":"si-4.23_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-4(23)[2]"}],"prose":"defines information system components where organization-defined host-based\n                     monitoring is to be implemented; and"},{"id":"si-4.23_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-4(23)[3]"}],"prose":"implements organization-defined host-based monitoring mechanisms at\n                     organization-defined information system components."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nhost-based monitoring mechanisms\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components requiring host-based monitoring\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring information system\n                     hosts"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing host-based monitoring\n                     capability"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","parameters":[{"id":"si-5_prm_1","label":"organization-defined external organizations","constraints":[{"detail":"to include US-CERT"}]},{"id":"si-5_prm_2","constraints":[{"detail":"to include system security personnel and administrators with configuration/patch-management responsibilities"}]},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"properties":[{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference","text":"NIST Special Publication 800-40"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from\n                     {{ si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed\n                  necessary;"},{"id":"si-5_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or\n                  notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security\n               alerts and advisories to maintain situational awareness across the federal\n               government. Security directives are issued by OMB or other designated organizations\n               with the responsibility and authority to issue such directives. Compliance to\n               security directives is essential due to the critical nature of many of these\n               directives and the potential immediate adverse effects on organizational operations\n               and assets, individuals, other organizations, and the Nation should the directives\n               not be implemented in a timely manner. External organizations include, for example,\n               external mission/business partners, supply chain partners, external service\n               providers, and other peer/supporting organizations.","links":[{"href":"#si-2","rel":"related","text":"SI-2"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","properties":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts,\n                     advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from\n                     organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed\n                  necessary;"},{"id":"si-5.c_obj","name":"objective","properties":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives\n                     are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories,\n                     and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and\n                     directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the\n                     following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and/or"},{"id":"si-5.c_obj.4.c","name":"objective","properties":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","properties":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames;\n                     or"},{"id":"si-5.d_obj.2","name":"objective","properties":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\nrecords of security alerts and advisories\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                  information system\\n\\norganizational personnel, organizational elements, and/or external organizations\n                  to whom alerts, advisories, and directives are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and\n                  complying with security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing definition, receipt,\n                  generation, and dissemination of security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing security directives"}]}]},{"id":"si-6","class":"SP800-53","title":"Security Function Verification","parameters":[{"id":"si-6_prm_1","label":"organization-defined security functions"},{"id":"si-6_prm_2"},{"id":"si-6_prm_3","depends-on":"si-6_prm_2","label":"organization-defined system transitional states","constraints":[{"detail":"to include upon system startup and/or restart"}]},{"id":"si-6_prm_4","depends-on":"si-6_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]},{"id":"si-6_prm_5","label":"organization-defined personnel or roles","constraints":[{"detail":"to include system administrators and security personnel"}]},{"id":"si-6_prm_6"},{"id":"si-6_prm_7","depends-on":"si-6_prm_6","label":"organization-defined alternative action(s)","constraints":[{"detail":"to include notification of system administrators and security personnel"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-6"},{"name":"sort-id","value":"si-06"}],"parts":[{"id":"si-6_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-6_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Verifies the correct operation of {{ si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Performs this verification {{ si-6_prm_2 }};"},{"id":"si-6_smt.c","name":"item","properties":[{"name":"label","value":"c."}],"prose":"Notifies {{ si-6_prm_5 }} of failed security verification tests;\n                  and"},{"id":"si-6_smt.d","name":"item","properties":[{"name":"label","value":"d."}],"prose":"\n                  {{ si-6_prm_6 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for information systems include, for example, system startup,\n               restart, shutdown, and abort. Notifications provided by information systems include,\n               for example, electronic alerts to system administrators, messages to local computer\n               consoles, and/or hardware indications such as lights.","links":[{"href":"#ca-7","rel":"related","text":"CA-7"},{"href":"#cm-6","rel":"related","text":"CM-6"}]},{"id":"si-6_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-6.a_obj","name":"objective","properties":[{"name":"label","value":"SI-6(a)"}],"parts":[{"id":"si-6.a_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(a)[1]"}],"prose":"the organization defines security functions to be verified for correct\n                     operation;"},{"id":"si-6.a_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-6(a)[2]"}],"prose":"the information system verifies the correct operation of organization-defined\n                     security functions;"}]},{"id":"si-6.b_obj","name":"objective","properties":[{"name":"label","value":"SI-6(b)"}],"parts":[{"id":"si-6.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(b)[1]"}],"prose":"the organization defines system transitional states requiring verification of\n                     organization-defined security functions;"},{"id":"si-6.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(b)[2]"}],"prose":"the organization defines a frequency to verify the correct operation of\n                     organization-defined security functions;"},{"id":"si-6.b_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-6(b)[3]"}],"prose":"the information system performs this verification one or more of the\n                     following:","parts":[{"id":"si-6.b_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-6(b)[3][a]"}],"prose":"at organization-defined system transitional states;"},{"id":"si-6.b_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-6(b)[3][b]"}],"prose":"upon command by user with appropriate privilege; and/or"},{"id":"si-6.b_obj.3.c","name":"objective","properties":[{"name":"label","value":"SI-6(b)[3][c]"}],"prose":"with the organization-defined frequency;"}]}]},{"id":"si-6.c_obj","name":"objective","properties":[{"name":"label","value":"SI-6(c)"}],"parts":[{"id":"si-6.c_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(c)[1]"}],"prose":"the organization defines personnel or roles to be notified of failed security\n                     verification tests;"},{"id":"si-6.c_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-6(c)[2]"}],"prose":"the information system notifies organization-defined personnel or roles of\n                     failed security verification tests;"}]},{"id":"si-6.d_obj","name":"objective","properties":[{"name":"label","value":"SI-6(d)"}],"parts":[{"id":"si-6.d_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-6(d)[1]"}],"prose":"the organization defines alternative action(s) to be performed when anomalies\n                     are discovered;"},{"id":"si-6.d_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-6(d)[2]"}],"prose":"the information system performs one or more of the following actions when\n                     anomalies are discovered:","parts":[{"id":"si-6.d_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-6(d)[2][a]"}],"prose":"shuts the information system down;"},{"id":"si-6.d_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-6(d)[2][b]"}],"prose":"restarts the information system; and/or"},{"id":"si-6.d_obj.2.c","name":"objective","properties":[{"name":"label","value":"SI-6(d)[2][c]"}],"prose":"performs organization-defined alternative action(s)."}]}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing security function verification\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications of failed security verification tests\\n\\nlist of system transition states requiring security functionality verification\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security function verification responsibilities\\n\\norganizational personnel implementing, operating, and maintaining the information\n                  system\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security function verification\\n\\nautomated mechanisms supporting and/or implementing security function verification\n                  capability"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","parameters":[{"id":"si-7_prm_1","label":"organization-defined software, firmware, and information"}],"properties":[{"name":"label","value":"SI-7"},{"name":"sort-id","value":"si-07"}],"links":[{"href":"#6bf8d24a-78dc-4727-a2ac-0e64d71c495c","rel":"reference","text":"NIST Special Publication 800-147"},{"href":"#3878cc04-144a-483e-af62-8fe6f4ad6c7a","rel":"reference","text":"NIST Special Publication 800-155"}],"parts":[{"id":"si-7_smt","name":"statement","prose":"The organization employs integrity verification tools to detect unauthorized changes\n               to {{ si-7_prm_1 }}."},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors\n               or malicious activity (e.g., tampering). Software includes, for example, operating\n               systems (with key internal components such as kernels, drivers), middleware, and\n               applications. Firmware includes, for example, the Basic Input Output System (BIOS).\n               Information includes metadata such as security attributes associated with\n               information. State-of-the-practice integrity-checking mechanisms (e.g., parity\n               checks, cyclical redundancy checks, cryptographic hashes) and associated tools can\n               automatically monitor the integrity of information systems and hosted\n               applications.","links":[{"href":"#sa-12","rel":"related","text":"SA-12"},{"href":"#sc-8","rel":"related","text":"SC-8"},{"href":"#sc-13","rel":"related","text":"SC-13"},{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"si-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7_obj.1","name":"objective","properties":[{"name":"label","value":"SI-7[1]"}],"parts":[{"id":"si-7_obj.1.a","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7[1][a]"}],"prose":"defines software requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"},{"id":"si-7_obj.1.b","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7[1][b]"}],"prose":"defines firmware requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"},{"id":"si-7_obj.1.c","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7[1][c]"}],"prose":"defines information requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"}]},{"id":"si-7_obj.2","name":"objective","properties":[{"name":"label","value":"SI-7[2]"}],"prose":"employs integrity verification tools to detect unauthorized changes to\n                  organization-defined:","parts":[{"id":"si-7_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-7[2][a]"}],"prose":"software;"},{"id":"si-7_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-7[2][b]"}],"prose":"firmware; and"},{"id":"si-7_obj.2.c","name":"objective","properties":[{"name":"label","value":"SI-7[2][c]"}],"prose":"information."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords generated/triggered from integrity verification tools regarding\n                  unauthorized software, firmware, and information changes\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                  information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","parameters":[{"id":"si-7.1_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2"},{"id":"si-7.1_prm_3","depends-on":"si-7.1_prm_2","label":"organization-defined transitional states or security-relevant events","constraints":[{"detail":"Selection to include security relevant events"}]},{"id":"si-7.1_prm_4","depends-on":"si-7.1_prm_2","label":"organization-defined frequency","constraints":[{"detail":"at least monthly"}]}],"properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-7(1)"},{"name":"sort-id","value":"si-07.01"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"The information system performs an integrity check of {{ si-7.1_prm_1 }}\n                  {{ si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include, for example, the identification of a new threat\n                  to which organizational information systems are susceptible, and the installation\n                  of new hardware, software, or firmware. Transitional states include, for example,\n                  system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.1_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"si-7.1_obj.1.a","name":"objective","properties":[{"name":"label","value":"SI-7(1)[1][a]"}],"prose":"software requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.b","name":"objective","properties":[{"name":"label","value":"SI-7(1)[1][b]"}],"prose":"firmware requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.c","name":"objective","properties":[{"name":"label","value":"SI-7(1)[1][c]"}],"prose":"information requiring integrity checks to be performed;"}]},{"id":"si-7.1_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(1)[2]"}],"prose":"the organization defines transitional states or security-relevant events\n                     requiring integrity checks of organization-defined:","parts":[{"id":"si-7.1_obj.2.a","name":"objective","properties":[{"name":"label","value":"SI-7(1)[2][a]"}],"prose":"software;"},{"id":"si-7.1_obj.2.b","name":"objective","properties":[{"name":"label","value":"SI-7(1)[2][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.2.c","name":"objective","properties":[{"name":"label","value":"SI-7(1)[2][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.3","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(1)[3]"}],"prose":"the organization defines a frequency with which to perform an integrity check\n                     of organization-defined:","parts":[{"id":"si-7.1_obj.3.a","name":"objective","properties":[{"name":"label","value":"SI-7(1)[3][a]"}],"prose":"software;"},{"id":"si-7.1_obj.3.b","name":"objective","properties":[{"name":"label","value":"SI-7(1)[3][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.3.c","name":"objective","properties":[{"name":"label","value":"SI-7(1)[3][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.4","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-7(1)[4]"}],"prose":"the information system performs an integrity check of organization-defined\n                     software, firmware, and information one or more of the following:","parts":[{"id":"si-7.1_obj.4.a","name":"objective","properties":[{"name":"label","value":"SI-7(1)[4][a]"}],"prose":"at startup;"},{"id":"si-7.1_obj.4.b","name":"objective","properties":[{"name":"label","value":"SI-7(1)[4][b]"}],"prose":"at organization-defined transitional states or security-relevant events;\n                        and/or"},{"id":"si-7.1_obj.4.c","name":"objective","properties":[{"name":"label","value":"SI-7(1)[4][c]"}],"prose":"with the organization-defined frequency."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords of integrity scans\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","parameters":[{"id":"si-7.7_prm_1","label":"organization-defined security-relevant changes to the information\n                  system"}],"properties":[{"name":"label","value":"SI-7(7)"},{"name":"sort-id","value":"si-07.07"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"The organization incorporates the detection of unauthorized {{ si-7.7_prm_1 }} into the organizational incident response\n                  capability."},{"id":"si-7.7_gdn","name":"guidance","prose":"This control enhancement helps to ensure that detected events are tracked,\n                  monitored, corrected, and available for historical purposes. Maintaining\n                  historical records is important both for being able to identify and discern\n                  adversary actions over an extended period of time and for possible legal actions.\n                  Security-relevant changes include, for example, unauthorized changes to\n                  established configuration settings or unauthorized elevation of information system\n                  privileges.","links":[{"href":"#ir-4","rel":"related","text":"IR-4"},{"href":"#ir-5","rel":"related","text":"IR-5"},{"href":"#si-4","rel":"related","text":"SI-4"}]},{"id":"si-7.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.7_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-7(7)[1]"}],"prose":"defines unauthorized security-relevant changes to the information system;\n                     and"},{"id":"si-7.7_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-7(7)[2]"}],"prose":"incorporates the detection of unauthorized organization-defined\n                     security-relevant changes to the information system into the organizational\n                     incident response capability."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\nprocedures addressing incident response\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response records\\n\\ninformation audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incorporating detection of unauthorized\n                     security-relevant changes into the incident response capability\\n\\nsoftware, firmware, and information integrity verification tools\\n\\nautomated mechanisms supporting and/or implementing incorporation of detection\n                     of unauthorized security-relevant changes into the incident response\n                     capability"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","properties":[{"name":"label","value":"SI-8"},{"name":"sort-id","value":"si-08"}],"links":[{"href":"#c6e95ca0-5828-420e-b095-00895b72b5e8","rel":"reference","text":"NIST Special Publication 800-45"}],"parts":[{"id":"si-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-8_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Employs spam protection mechanisms at information system entry and exit points to\n                  detect and take action on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Updates spam protection mechanisms when new releases are available in accordance\n                  with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations, mobile\n               devices, and notebook/laptop computers. Spam can be transported by different means\n               including, for example, electronic mail, electronic mail attachments, and web\n               accesses. Spam protection mechanisms include, for example, signature definitions.","links":[{"href":"#at-2","rel":"related","text":"AT-2"},{"href":"#at-3","rel":"related","text":"AT-3"},{"href":"#sc-5","rel":"related","text":"SC-5"},{"href":"#sc-7","rel":"related","text":"SC-7"},{"href":"#si-3","rel":"related","text":"SI-3"}]},{"id":"si-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-8.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-8(a)"}],"prose":"employs spam protection mechanisms:","parts":[{"id":"si-8.a_obj.1","name":"objective","properties":[{"name":"label","value":"SI-8(a)[1]"}],"prose":"at information system entry points to detect unsolicited messages;"},{"id":"si-8.a_obj.2","name":"objective","properties":[{"name":"label","value":"SI-8(a)[2]"}],"prose":"at information system entry points to take action on unsolicited messages;"},{"id":"si-8.a_obj.3","name":"objective","properties":[{"name":"label","value":"SI-8(a)[3]"}],"prose":"at information system exit points to detect unsolicited messages;"},{"id":"si-8.a_obj.4","name":"objective","properties":[{"name":"label","value":"SI-8(a)[4]"}],"prose":"at information system exit points to take action on unsolicited messages;\n                     and"}]},{"id":"si-8.b_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-8(b)"}],"prose":"updates spam protection mechanisms when new releases are available in accordance\n                  with organizational configuration management policy and procedures."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nconfiguration management policy and procedures (CM-1)\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\nrecords of spam protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for implementing spam protection\\n\\nautomated mechanisms supporting and/or implementing spam protection"}]}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-8(1)"},{"name":"sort-id","value":"si-08.01"}],"parts":[{"id":"si-8.1_smt","name":"statement","prose":"The organization centrally manages spam protection mechanisms."},{"id":"si-8.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of spam\n                  protection mechanisms. Central management includes planning, implementing,\n                  assessing, authorizing, and monitoring the organization-defined, centrally managed\n                  spam protection security controls.","links":[{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#si-2","rel":"related","text":"SI-2"},{"href":"#si-7","rel":"related","text":"SI-7"}]},{"id":"si-8.1_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization centrally manages spam protection mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of spam protection\\n\\nautomated mechanisms supporting and/or implementing central management of spam\n                     protection"}]}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""},{"name":"label","value":"SI-8(2)"},{"name":"sort-id","value":"si-08.02"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"The information system automatically updates spam protection mechanisms."},{"id":"si-8.2_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system automatically updates spam protection\n                  mechanisms."},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\nrecords of spam protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for spam protection\\n\\nautomated mechanisms supporting and/or implementing automatic updates to spam\n                     protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","parameters":[{"id":"si-10_prm_1","label":"organization-defined information inputs"}],"properties":[{"name":"label","value":"SI-10"},{"name":"sort-id","value":"si-10"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"The information system checks the validity of {{ si-10_prm_1 }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of information system inputs (e.g., character\n               set, length, numerical range, and acceptable values) verifies that inputs match\n               specified definitions for format and content. Software applications typically follow\n               well-defined protocols that use structured messages (i.e., commands or queries) to\n               communicate between software modules or system components. Structured messages can\n               contain raw or unstructured data interspersed with metadata or control information.\n               If software applications use attacker-supplied inputs to construct structured\n               messages without properly encoding such messages, then the attacker could insert\n               malicious commands or special characters that can cause the data to be interpreted as\n               control information or metadata. Consequently, the module or component that receives\n               the tainted output will perform the wrong operations or otherwise interpret the data\n               incorrectly. Prescreening inputs prior to passing to interpreters prevents the\n               content from being unintentionally interpreted as commands. Input validation helps to\n               ensure accurate and correct inputs and prevent attacks such as cross-site scripting\n               and a variety of injection attacks."},{"id":"si-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-10_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-10[1]"}],"prose":"the organization defines information inputs requiring validity checks; and"},{"id":"si-10_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-10[2]"}],"prose":"the information system checks the validity of organization-defined information\n                  inputs."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\naccess control policy and procedures\\n\\nseparation of duties policy and procedures\\n\\nprocedures addressing information input validation\\n\\ndocumentation for automated tools and applications to verify validity of\n                  information\\n\\nlist of information inputs requiring validity checks\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing validity checks on information\n                  inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","parameters":[{"id":"si-11_prm_1","label":"organization-defined personnel or roles"}],"properties":[{"name":"label","value":"SI-11"},{"name":"sort-id","value":"si-11"}],"parts":[{"id":"si-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-11_smt.a","name":"item","properties":[{"name":"label","value":"a."}],"prose":"Generates error messages that provide information necessary for corrective actions\n                  without revealing information that could be exploited by adversaries; and"},{"id":"si-11_smt.b","name":"item","properties":[{"name":"label","value":"b."}],"prose":"Reveals error messages only to {{ si-11_prm_1 }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations carefully consider the structure/content of error messages. The extent\n               to which information systems are able to identify and handle error conditions is\n               guided by organizational policy and operational requirements. Information that could\n               be exploited by adversaries includes, for example, erroneous logon attempts with\n               passwords entered by mistake as the username, mission/business information that can\n               be derived from (if not stated explicitly by) information recorded, and personal\n               information such as account numbers, social security numbers, and credit card\n               numbers. In addition, error messages may provide a covert channel for transmitting\n               information.","links":[{"href":"#au-2","rel":"related","text":"AU-2"},{"href":"#au-3","rel":"related","text":"AU-3"},{"href":"#sc-31","rel":"related","text":"SC-31"}]},{"id":"si-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-11.a_obj","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-11(a)"}],"prose":"the information system generates error messages that provide information necessary\n                  for corrective actions without revealing information that could be exploited by\n                  adversaries;"},{"id":"si-11.b_obj","name":"objective","properties":[{"name":"label","value":"SI-11(b)"}],"parts":[{"id":"si-11.b_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-11(b)[1]"}],"prose":"the organization defines personnel or roles to whom error messages are to be\n                     revealed; and"},{"id":"si-11.b_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-11(b)[2]"}],"prose":"the information system reveals error messages only to organization-defined\n                     personnel or roles."}]}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing information system error handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ndocumentation providing structure/content of error messages\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for error handling\\n\\nautomated mechanisms supporting and/or implementing error handling\\n\\nautomated mechanisms supporting and/or implementing management of error\n                  messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","properties":[{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and\n               information output from the system in accordance with applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and operational\n               requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of\n               information, in some cases extending beyond the disposal of information systems. The\n               National Archives and Records Administration provides guidance on records\n               retention.","links":[{"href":"#ac-16","rel":"related","text":"AC-16"},{"href":"#au-5","rel":"related","text":"AU-5"},{"href":"#au-11","rel":"related","text":"AU-11"},{"href":"#mp-2","rel":"related","text":"MP-2"},{"href":"#mp-4","rel":"related","text":"MP-4"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and operational\n               requirements:","parts":[{"id":"si-12_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","properties":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","properties":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","properties":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nfederal laws, Executive Orders, directives, policies, regulations, standards, and\n                  operational requirements applicable to information handling and retention\\n\\nmedia protection policy and procedures\\n\\nprocedures addressing information system output handling and retention\\n\\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and\n                  retention\\n\\norganizational personnel with information security responsibilities/network\n                  administrators"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\\n\\nautomated mechanisms supporting and/or implementing information handling and\n                  retention"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","parameters":[{"id":"si-16_prm_1","label":"organization-defined security safeguards"}],"properties":[{"name":"label","value":"SI-16"},{"name":"sort-id","value":"si-16"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"The information system implements {{ si-16_prm_1 }} to protect its\n               memory from unauthorized code execution."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable\n               regions of memory or in memory locations that are prohibited. Security safeguards\n               employed to protect memory include, for example, data execution prevention and\n               address space layout randomization. Data execution prevention safeguards can either\n               be hardware-enforced or software-enforced with hardware providing the greater\n               strength of mechanism.","links":[{"href":"#ac-25","rel":"related","text":"AC-25"},{"href":"#sc-3","rel":"related","text":"SC-3"}]},{"id":"si-16_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-16_obj.1","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"label","value":"SI-16[1]"}],"prose":"the organization defines security safeguards to be implemented to protect\n                  information system memory from unauthorized code execution; and"},{"id":"si-16_obj.2","name":"objective","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"},{"name":"label","value":"SI-16[2]"}],"prose":"the information system implements organization-defined security safeguards to\n                  protect its memory from unauthorized code execution."}]},{"name":"assessment","properties":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\\n\\nprocedures addressing memory protection for the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security safeguards protecting information system memory from unauthorized\n                  code execution\\n\\ninformation system audit records\\n\\nother relevant documents or records"}]},{"name":"assessment","properties":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for memory protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"}]},{"name":"assessment","properties":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing safeguards to protect\n                  information system memory from unauthorized code execution"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,\n               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.\n               731.106)."},"rlinks":[{"href":"http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https://www.cnss.gov/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"e6522953-6714-435d-a0d3-140df554c186","title":"DoD Instruction 8552.01","citation":{"text":"DoD Instruction 8552.01"},"rlinks":[{"href":"http://www.dtic.mil/whs/directives/corres/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https://acquisition.gov/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http://www.fema.gov/pdf/about/offices/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http://www.dhs.gov/homeland-security-presidential-directive-12"}]},{"uuid":"4ef539ba-b767-4666-b0d3-168c53005fa3","title":"http://capec.mitre.org","citation":{"text":"http://capec.mitre.org"},"rlinks":[{"href":"http://capec.mitre.org"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http://checklists.nist.gov","citation":{"text":"http://checklists.nist.gov"},"rlinks":[{"href":"http://checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http://csrc.nist.gov/cryptval","citation":{"text":"http://csrc.nist.gov/cryptval"},"rlinks":[{"href":"http://csrc.nist.gov/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http://csrc.nist.gov/groups/STM/cmvp/index.html","citation":{"text":"http://csrc.nist.gov/groups/STM/cmvp/index.html"},"rlinks":[{"href":"http://csrc.nist.gov/groups/STM/cmvp/index.html"}]},{"uuid":"0931209f-00ae-4132-b92c-bc645847e8f9","title":"http://cve.mitre.org","citation":{"text":"http://cve.mitre.org"},"rlinks":[{"href":"http://cve.mitre.org"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http://cwe.mitre.org","citation":{"text":"http://cwe.mitre.org"},"rlinks":[{"href":"http://cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http://fips201ep.cio.gov","citation":{"text":"http://fips201ep.cio.gov"},"rlinks":[{"href":"http://fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http://idmanagement.gov","citation":{"text":"http://idmanagement.gov"},"rlinks":[{"href":"http://idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http://nvd.nist.gov","citation":{"text":"http://nvd.nist.gov"},"rlinks":[{"href":"http://nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http://www.acquisition.gov/far","citation":{"text":"http://www.acquisition.gov/far"},"rlinks":[{"href":"http://www.acquisition.gov/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http://www.cnss.gov","citation":{"text":"http://www.cnss.gov"},"rlinks":[{"href":"http://www.cnss.gov"}]},{"uuid":"3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","title":"http://www.dhs.gov/telecommunications-service-priority-tsp","citation":{"text":"http://www.dhs.gov/telecommunications-service-priority-tsp"},"rlinks":[{"href":"http://www.dhs.gov/telecommunications-service-priority-tsp"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http://www.niap-ccevs.org","citation":{"text":"http://www.niap-ccevs.org"},"rlinks":[{"href":"http://www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http://www.nsa.gov","citation":{"text":"http://www.nsa.gov"},"rlinks":[{"href":"http://www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml","citation":{"text":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"},"rlinks":[{"href":"http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http://www.us-cert.gov","citation":{"text":"http://www.us-cert.gov"},"rlinks":[{"href":"http://www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO/IEC 15408","citation":{"text":"ISO/IEC 15408"},"rlinks":[{"href":"http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"}]},{"uuid":"fb5844de-ff96-47c0-b258-4f52bcc2f30d","title":"National Communications Systems Directive 3-10","citation":{"text":"National Communications Systems Directive 3-10"}},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http://www.nist.gov/nstic"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"type":"doi","identifier":"10.6028/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-137"}]},{"uuid":"6bf8d24a-78dc-4727-a2ac-0e64d71c495c","title":"NIST Special Publication 800-147","citation":{"text":"NIST Special Publication 800-147"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-147"}]},{"uuid":"3878cc04-144a-483e-af62-8fe6f4ad6c7a","title":"NIST Special Publication 800-155","citation":{"text":"NIST Special Publication 800-155"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-155"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-16"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-23"}]},{"uuid":"21b1ed35-56d2-40a8-bdfe-b461fffe322f","title":"NIST Special Publication 800-27","citation":{"text":"NIST Special Publication 800-27"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-27"}]},{"uuid":"e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","title":"NIST Special Publication 800-28","citation":{"text":"NIST Special Publication 800-28"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-28"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-30"}]},{"uuid":"8f174e91-844e-4cf1-a72a-45c119a3a8dd","title":"NIST Special Publication 800-32","citation":{"text":"NIST Special Publication 800-32"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-32"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-41"}]},{"uuid":"c6e95ca0-5828-420e-b095-00895b72b5e8","title":"NIST Special Publication 800-45","citation":{"text":"NIST Special Publication 800-45"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-45"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-50"}]},{"uuid":"90c5bc98-f9c4-44c9-98b7-787422f0999c","title":"NIST Special Publication 800-52","citation":{"text":"NIST Special Publication 800-52"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-52"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-57"}]},{"uuid":"7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","title":"NIST Special Publication 800-58","citation":{"text":"NIST Special Publication 800-58"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-58"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-94"}]},{"uuid":"1ebdf782-d95d-4a7b-8ec7-ee860951eced","title":"NIST Special Publication 800-95","citation":{"text":"NIST Special Publication 800-95"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-95"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http://csrc.nist.gov/publications/PubsSPs.html#800-97"}]},{"uuid":"06dff0ea-3848-4945-8d91-e955ee69f05d","title":"NSTISSI No. 7003","citation":{"text":"NSTISSI No. 7003"},"rlinks":[{"href":"http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http://www.whitehouse.gov/omb/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http://www.whitehouse.gov/omb/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"}]},{"uuid":"58ad6f27-af99-429f-86a8-8bb767b014b9","title":"OMB Memorandum 05-24","citation":{"text":"OMB Memorandum 05-24"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n            (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n               (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http://www.us-cert.gov/ncas/alerts"}]},{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and Regulations","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-citations"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-acronyms"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","desc":"FedRAMP Logo","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-logo"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}]},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","title":"NIST Special Publication (SP) 800-53","properties":[{"name":"version","ns":"https://fedramp.gov/ns/oscal","value":"Revision 4"},{"name":"keep","value":"always"}],"rlinks":[{"href":"../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","media-type":"application/xml"}]}]}}}
\ No newline at end of file
diff --git a/content/fedramp.gov/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog.json b/content/fedramp.gov/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog.json
deleted file mode 100644
index 93c967eaaa..0000000000
--- a/content/fedramp.gov/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog.json
+++ /dev/null
@@ -1,83593 +0,0 @@
-{
-  "catalog": {
-    "uuid": "c9301b61-9f2b-431e-9c7f-c8ffcd110388",
-    "metadata": {
-      "title": "FedRAMP Moderate Baseline",
-      "published": "2020-06-01T00:00:00.000-04:00",
-      "last-modified": "2020-06-01T10:00:00.000-04:00",
-      "version": "1.2",
-      "oscal-version": "1.0.0-milestone3",
-      "properties": [
-        {
-          "name": "resolution-timestamp",
-          "value": "2020-08-31T17:38:53.967424Z"
-        }
-      ],
-      "links": [
-        {
-          "href": "FedRAMP_MODERATE-baseline_profile.xml",
-          "rel": "resolution-source",
-          "text": "FedRAMP Moderate Baseline"
-        }
-      ],
-      "roles": [
-        {
-          "id": "parpared-by",
-          "title": "Document creator"
-        },
-        {
-          "id": "fedramp-pmo",
-          "title": "The FedRAMP Program Management Office (PMO)",
-          "short-name": "CSP"
-        },
-        {
-          "id": "fedramp-jab",
-          "title": "The FedRAMP Joint Authorization Board (JAB)",
-          "short-name": "CSP"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Program Management Office",
-          "short-name": "FedRAMP PMO",
-          "links": [
-            {
-              "href": "https://fedramp.gov",
-              "rel": "homepage",
-              "text": ""
-            }
-          ],
-          "addresses": [
-            {
-              "type": "work",
-              "postal-address": [
-                "1800 F St. NW",
-                ""
-              ],
-              "city": "Washington",
-              "state": "DC",
-              "postal-code": "",
-              "country": "US"
-            }
-          ],
-          "email-addresses": [
-            "info@fedramp.gov"
-          ]
-        },
-        {
-          "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Joint Authorization Board",
-          "short-name": "FedRAMP JAB"
-        }
-      ],
-      "responsible-parties": {
-        "prepared-by": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-pmo": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-jab": {
-          "party-uuids": [
-            "ca9ba80e-1342-4bfd-b32a-abac468c24b4"
-          ]
-        }
-      }
-    },
-    "groups": [
-      {
-        "id": "ac",
-        "class": "family",
-        "title": "Access Control",
-        "controls": [
-          {
-            "id": "ac-1",
-            "class": "SP800-53",
-            "title": "Access Control Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ac-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ac-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ac-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ac-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An access control policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ac-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the access control policy and\n                     associated access controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ac-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Access control policy {{ ac-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ac-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Access control procedures {{ ac-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ac-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an access control policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ac-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ac-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AC-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ac-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the access control policy are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ac-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the access control policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        access control policy and associated access control controls;"
-                          },
-                          {
-                            "id": "ac-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ac-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current access control\n                        policy;"
-                          },
-                          {
-                            "id": "ac-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current access control policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current access control\n                        procedures; and"
-                          },
-                          {
-                            "id": "ac-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current access control procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-2",
-            "class": "SP800-53",
-            "title": "Account Management",
-            "parameters": [
-              {
-                "id": "ac-2_prm_1",
-                "label": "organization-defined information system account types"
-              },
-              {
-                "id": "ac-2_prm_2",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ac-2_prm_3",
-                "label": "organization-defined procedures or conditions"
-              },
-              {
-                "id": "ac-2_prm_4",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies and selects the following types of information system accounts to\n                  support organizational missions/business functions: {{ ac-2_prm_1 }};"
-                  },
-                  {
-                    "id": "ac-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assigns account managers for information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Establishes conditions for group and role membership;"
-                  },
-                  {
-                    "id": "ac-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Specifies authorized users of the information system, group and role membership,\n                  and access authorizations (i.e., privileges) and other attributes (as required)\n                  for each account;"
-                  },
-                  {
-                    "id": "ac-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Requires approvals by {{ ac-2_prm_2 }} for requests to create\n                  information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Creates, enables, modifies, disables, and removes information system accounts in\n                  accordance with {{ ac-2_prm_3 }};"
-                  },
-                  {
-                    "id": "ac-2_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Monitors the use of information system accounts;"
-                  },
-                  {
-                    "id": "ac-2_smt.h",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "h."
-                      }
-                    ],
-                    "prose": "Notifies account managers:",
-                    "parts": [
-                      {
-                        "id": "ac-2_smt.h.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "When accounts are no longer required;"
-                      },
-                      {
-                        "id": "ac-2_smt.h.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "When users are terminated or transferred; and"
-                      },
-                      {
-                        "id": "ac-2_smt.h.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "When individual information system usage or need-to-know changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2_smt.i",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "i."
-                      }
-                    ],
-                    "prose": "Authorizes access to the information system based on:",
-                    "parts": [
-                      {
-                        "id": "ac-2_smt.i.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A valid access authorization;"
-                      },
-                      {
-                        "id": "ac-2_smt.i.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Intended system usage; and"
-                      },
-                      {
-                        "id": "ac-2_smt.i.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Other attributes as required by the organization or associated\n                     missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2_smt.j",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "j."
-                      }
-                    ],
-                    "prose": "Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and"
-                  },
-                  {
-                    "id": "ac-2_smt.k",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "k."
-                      }
-                    ],
-                    "prose": "Establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_gdn",
-                "name": "guidance",
-                "prose": "Information system account types include, for example, individual, shared, group,\n               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and\n               service. Some of the account management requirements listed above can be implemented\n               by organizational information systems. The identification of authorized users of the\n               information system and the specification of access privileges reflects the\n               requirements in other security controls in the security plan. Users requiring\n               administrative privileges on information system accounts receive additional scrutiny\n               by appropriate organizational personnel (e.g., system owner, mission/business owner,\n               or chief information security officer) responsible for approving such accounts and\n               privileged access. Organizations may choose to define access privileges or other\n               attributes by account, by type of account, or a combination of both. Other attributes\n               required for authorizing access include, for example, restrictions on time-of-day,\n               day-of-week, and point-of-origin. In defining other account attributes, organizations\n               consider system-related requirements (e.g., scheduled maintenance, system upgrades)\n               and mission/business requirements, (e.g., time zone differences, customer\n               requirements, remote access to support travel requirements). Failure to consider\n               these factors could affect information system availability. Temporary and emergency\n               accounts are accounts intended for short-term use. Organizations establish temporary\n               accounts as a part of normal account activation procedures when there is a need for\n               short-term accounts without the demand for immediacy in account activation.\n               Organizations establish emergency accounts in response to crisis situations and with\n               the need for rapid account activation. Therefore, emergency account activation may\n               bypass normal account authorization processes. Emergency and temporary accounts are\n               not to be confused with infrequently used accounts (e.g., local logon accounts used\n               for special tasks defined by organizations or when network resources are\n               unavailable). Such accounts remain available and are not subject to automatic\n               disabling or removal dates. Conditions for disabling or deactivating accounts\n               include, for example: (i) when shared/group, emergency, or temporary accounts are no\n               longer required; or (ii) when individuals are transferred or terminated. Some types\n               of information system accounts may require specialized training.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-10",
-                    "rel": "related",
-                    "text": "AC-10"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "ac-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system account types to be identified and selected to\n                     support organizational missions/business functions;"
-                      },
-                      {
-                        "id": "ac-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(a)[2]"
-                          }
-                        ],
-                        "prose": "identifies and selects organization-defined information system account types to\n                     support organizational missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(b)"
-                      }
-                    ],
-                    "prose": "assigns account managers for information system accounts;"
-                  },
-                  {
-                    "id": "ac-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(c)"
-                      }
-                    ],
-                    "prose": "establishes conditions for group and role membership;"
-                  },
-                  {
-                    "id": "ac-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(d)"
-                      }
-                    ],
-                    "prose": "specifies for each account (as required):",
-                    "parts": [
-                      {
-                        "id": "ac-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[1]"
-                          }
-                        ],
-                        "prose": "authorized users of the information system;"
-                      },
-                      {
-                        "id": "ac-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[2]"
-                          }
-                        ],
-                        "prose": "group and role membership;"
-                      },
-                      {
-                        "id": "ac-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[3]"
-                          }
-                        ],
-                        "prose": "access authorizations (i.e., privileges);"
-                      },
-                      {
-                        "id": "ac-2.d_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(d)[4]"
-                          }
-                        ],
-                        "prose": "other attributes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles required to approve requests to create information\n                     system accounts;"
-                      },
-                      {
-                        "id": "ac-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(e)[2]"
-                          }
-                        ],
-                        "prose": "requires approvals by organization-defined personnel or roles for requests to\n                     create information system accounts;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines procedures or conditions to:",
-                        "parts": [
-                          {
-                            "id": "ac-2.f_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][a]"
-                              }
-                            ],
-                            "prose": "create information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][b]"
-                              }
-                            ],
-                            "prose": "enable information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][c]"
-                              }
-                            ],
-                            "prose": "modify information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][d]"
-                              }
-                            ],
-                            "prose": "disable information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.1.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[1][e]"
-                              }
-                            ],
-                            "prose": "remove information system accounts;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(f)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with organization-defined procedures or conditions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.f_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][a]"
-                              }
-                            ],
-                            "prose": "creates information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][b]"
-                              }
-                            ],
-                            "prose": "enables information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][c]"
-                              }
-                            ],
-                            "prose": "modifies information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][d]"
-                              }
-                            ],
-                            "prose": "disables information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.f_obj.2.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(f)[2][e]"
-                              }
-                            ],
-                            "prose": "removes information system accounts;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(g)"
-                      }
-                    ],
-                    "prose": "monitors the use of information system accounts;"
-                  },
-                  {
-                    "id": "ac-2.h_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(h)"
-                      }
-                    ],
-                    "prose": "notifies account managers:",
-                    "parts": [
-                      {
-                        "id": "ac-2.h.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(1)"
-                          }
-                        ],
-                        "prose": "when accounts are no longer required;"
-                      },
-                      {
-                        "id": "ac-2.h.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(2)"
-                          }
-                        ],
-                        "prose": "when users are terminated or transferred;"
-                      },
-                      {
-                        "id": "ac-2.h.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(h)(3)"
-                          }
-                        ],
-                        "prose": "when individual information system usage or need to know changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.i_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(i)"
-                      }
-                    ],
-                    "prose": "authorizes access to the information system based on;",
-                    "parts": [
-                      {
-                        "id": "ac-2.i.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(1)"
-                          }
-                        ],
-                        "prose": "a valid access authorization;"
-                      },
-                      {
-                        "id": "ac-2.i.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(2)"
-                          }
-                        ],
-                        "prose": "intended system usage;"
-                      },
-                      {
-                        "id": "ac-2.i.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(i)(3)"
-                          }
-                        ],
-                        "prose": "other attributes as required by the organization or associated\n                     missions/business functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.j_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-2(j)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-2.j_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(j)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review accounts for compliance with account management\n                     requirements;"
-                      },
-                      {
-                        "id": "ac-2.j_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(j)[2]"
-                          }
-                        ],
-                        "prose": "reviews accounts for compliance with account management requirements with the\n                     organization-defined frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.k_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-2(k)"
-                      }
-                    ],
-                    "prose": "establishes a process for reissuing shared/group account credentials (if deployed)\n                  when individuals are removed from the group."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of active system accounts along with the name of the individual associated\n                  with each account\\n\\nlist of conditions for group and role membership\\n\\nnotifications or records of recently transferred, separated, or terminated\n                  employees\\n\\nlist of recently disabled information system accounts along with the name of the\n                  individual associated with each account\\n\\naccess authorization records\\n\\naccount management compliance reviews\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes account management on the information system\\n\\nautomated mechanisms for implementing account management"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated System Account Management",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to support the management of\n                  information system accounts."
-                  },
-                  {
-                    "id": "ac-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "The use of automated mechanisms can include, for example: using email or text\n                  messaging to automatically notify account managers when users are terminated or\n                  transferred; using the information system to monitor account usage; and using\n                  telephonic notification to report atypical system account usage."
-                  },
-                  {
-                    "id": "ac-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to support the\n                  management of information system accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Removal of Temporary / Emergency Accounts",
-                "parameters": [
-                  {
-                    "id": "ac-2.2_prm_1"
-                  },
-                  {
-                    "id": "ac-2.2_prm_2",
-                    "label": "organization-defined time period for each type of account",
-                    "constraints": [
-                      {
-                        "detail": "no more than 30 days for temporary and emergency account types"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.2_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically {{ ac-2.2_prm_1 }} temporary\n                  and emergency accounts after {{ ac-2.2_prm_2 }}."
-                  },
-                  {
-                    "id": "ac-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement requires the removal of both temporary and emergency\n                  accounts automatically after a predefined period of time has elapsed, rather than\n                  at the convenience of the systems administrator."
-                  },
-                  {
-                    "id": "ac-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period after which the information system\n                     automatically removes or disables temporary and emergency accounts; and"
-                      },
-                      {
-                        "id": "ac-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(2)[2]"
-                          }
-                        ],
-                        "prose": "the information system automatically removes or disables temporary and\n                     emergency accounts after the organization-defined time period for each type of\n                     account."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of temporary accounts removed and/or\n                     disabled\\n\\ninformation system-generated list of emergency accounts removed and/or\n                     disabled\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Disable Inactive Accounts",
-                "parameters": [
-                  {
-                    "id": "ac-2.3_prm_1",
-                    "label": "organization-defined time period",
-                    "constraints": [
-                      {
-                        "detail": "90 days for user accounts"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.3_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically disables inactive accounts after {{ ac-2.3_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(3)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period after which the information system\n                     automatically disables inactive accounts; and"
-                      },
-                      {
-                        "id": "ac-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(3)[2]"
-                          }
-                        ],
-                        "prose": "the information system automatically disables inactive accounts after the\n                     organization-defined time period."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of temporary accounts removed and/or\n                     disabled\\n\\ninformation system-generated list of emergency accounts removed and/or\n                     disabled\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.4",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Audit Actions",
-                "parameters": [
-                  {
-                    "id": "ac-2.4_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.4_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically audits account creation, modification,\n                  enabling, disabling, and removal actions, and notifies {{ ac-2.4_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-2.4_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-2.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(4)[1]"
-                          }
-                        ],
-                        "prose": "the information system automatically audits the following account actions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.4_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][a]"
-                              }
-                            ],
-                            "prose": "creation;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][b]"
-                              }
-                            ],
-                            "prose": "modification;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][c]"
-                              }
-                            ],
-                            "prose": "enabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][d]"
-                              }
-                            ],
-                            "prose": "disabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.1.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[1][e]"
-                              }
-                            ],
-                            "prose": "removal;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(4)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to be notified of the following\n                     account actions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.4_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][a]"
-                              }
-                            ],
-                            "prose": "creation;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][b]"
-                              }
-                            ],
-                            "prose": "modification;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][c]"
-                              }
-                            ],
-                            "prose": "enabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][d]"
-                              }
-                            ],
-                            "prose": "disabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.2.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[2][e]"
-                              }
-                            ],
-                            "prose": "removal;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.4_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(4)[3]"
-                          }
-                        ],
-                        "prose": "the information system notifies organization-defined personnel or roles of the\n                     following account actions:",
-                        "parts": [
-                          {
-                            "id": "ac-2.4_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][a]"
-                              }
-                            ],
-                            "prose": "creation;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][b]"
-                              }
-                            ],
-                            "prose": "modification;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][c]"
-                              }
-                            ],
-                            "prose": "enabling;"
-                          },
-                          {
-                            "id": "ac-2.4_obj.3.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][d]"
-                              }
-                            ],
-                            "prose": "disabling; and"
-                          },
-                          {
-                            "id": "ac-2.4_obj.3.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-2(4)[3][e]"
-                              }
-                            ],
-                            "prose": "removal."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nnotifications/alerts of account creation, modification, enabling, disabling,\n                     and removal actions\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.5",
-                "class": "SP800-53-enhancement",
-                "title": "Inactivity Logout",
-                "parameters": [
-                  {
-                    "id": "ac-2.5_prm_1",
-                    "label": "organization-defined time-period of expected inactivity or description of when\n                  to log out"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-2(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.5_smt",
-                    "name": "statement",
-                    "prose": "The organization requires that users log out when {{ ac-2.5_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ac-2.5_fr",
-                        "name": "item",
-                        "title": "AC-2 (5) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.5_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Should use a shorter timeframe than AC-12."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.5_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#sc-23",
-                        "rel": "related",
-                        "text": "SC-23"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(5)[1]"
-                          }
-                        ],
-                        "prose": "defines either the time period of expected inactivity that requires users to\n                     log out or the description of when users are required to log out; and"
-                      },
-                      {
-                        "id": "ac-2.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(5)[2]"
-                          }
-                        ],
-                        "prose": "requires that users log out when the organization-defined time period of\n                     inactivity is reached or in accordance with organization-defined description of\n                     when to log out."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity violation reports\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nusers that must comply with inactivity logout policy"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.7",
-                "class": "SP800-53-enhancement",
-                "title": "Role-based Schemes",
-                "parameters": [
-                  {
-                    "id": "ac-2.7_prm_1",
-                    "label": "organization-defined actions"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.7_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.7_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Establishes and administers privileged user accounts in accordance with a\n                     role-based access scheme that organizes allowed information system access and\n                     privileges into roles;"
-                      },
-                      {
-                        "id": "ac-2.7_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Monitors privileged role assignments; and"
-                      },
-                      {
-                        "id": "ac-2.7_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Takes {{ ac-2.7_prm_1 }} when privileged role assignments are no\n                     longer appropriate."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.7_gdn",
-                    "name": "guidance",
-                    "prose": "Privileged roles are organization-defined roles assigned to individuals that allow\n                  those individuals to perform certain security-relevant functions that ordinary\n                  users are not authorized to perform. These privileged roles include, for example,\n                  key management, account management, network and system administration, database\n                  administration, and web administration."
-                  },
-                  {
-                    "id": "ac-2.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.7.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(7)(a)"
-                          }
-                        ],
-                        "prose": "establishes and administers privileged user accounts in accordance with a\n                     role-based access scheme that organizes allowed information system access and\n                     privileges into roles;",
-                        "links": [
-                          {
-                            "href": "#ac-2.7_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-2(7)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.7.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(7)(b)"
-                          }
-                        ],
-                        "prose": "monitors privileged role assignments;",
-                        "links": [
-                          {
-                            "href": "#ac-2.7_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-2(7)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.7.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(7)(c)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-2.7.c_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(7)(c)[1]"
-                              }
-                            ],
-                            "prose": "defines actions to be taken when privileged role assignments are no longer\n                        appropriate; and"
-                          },
-                          {
-                            "id": "ac-2.7.c_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(7)(c)[2]"
-                              }
-                            ],
-                            "prose": "takes organization-defined actions when privileged role assignments are no\n                        longer appropriate."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-2.7_smt.c",
-                            "rel": "corresp",
-                            "text": "AC-2(7)(c)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system-generated list of privileged user accounts and associated\n                     role\\n\\nrecords of actions taken when privileged role assignments are no longer\n                     appropriate\\n\\ninformation system audit records\\n\\naudit tracking and monitoring reports\\n\\ninformation system monitoring records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions\\n\\nautomated mechanisms monitoring privileged role assignments"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.9",
-                "class": "SP800-53-enhancement",
-                "title": "Restrictions On Use of Shared / Group Accounts",
-                "parameters": [
-                  {
-                    "id": "ac-2.9_prm_1",
-                    "label": "organization-defined conditions for establishing shared/group accounts"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.9_smt",
-                    "name": "statement",
-                    "prose": "The organization only permits the use of shared/group accounts that meet {{ ac-2.9_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ac-2.9_fr",
-                        "name": "item",
-                        "title": "AC-2 (9) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.9_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "Required if shared/group accounts are deployed"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.9_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.9_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(9)[1]"
-                          }
-                        ],
-                        "prose": "defines conditions for establishing shared/group accounts; and"
-                      },
-                      {
-                        "id": "ac-2.9_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-2(9)[2]"
-                          }
-                        ],
-                        "prose": "only permits the use of shared/group accounts that meet organization-defined\n                     conditions for establishing shared/group accounts."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsystem-generated list of shared/group accounts and associated role\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing management of shared/group accounts"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.10",
-                "class": "SP800-53-enhancement",
-                "title": "Shared / Group Account Credential Termination",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-2(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.10_smt",
-                    "name": "statement",
-                    "prose": "The information system terminates shared/group account credentials when members\n                  leave the group.",
-                    "parts": [
-                      {
-                        "id": "ac-2.10_fr",
-                        "name": "item",
-                        "title": "AC-2 (10) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.10_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "Required if shared/group accounts are deployed"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system terminates shared/group account credentials\n                  when members leave the group."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naccount access termination records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-2.12",
-                "class": "SP800-53-enhancement",
-                "title": "Account Monitoring / Atypical Usage",
-                "parameters": [
-                  {
-                    "id": "ac-2.12_prm_1",
-                    "label": "organization-defined atypical usage"
-                  },
-                  {
-                    "id": "ac-2.12_prm_2",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-2(12)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-02.12"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-2.12_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.12_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Monitors information system accounts for {{ ac-2.12_prm_1 }};\n                     and"
-                      },
-                      {
-                        "id": "ac-2.12_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Reports atypical usage of information system accounts to {{ ac-2.12_prm_2 }}."
-                      },
-                      {
-                        "id": "ac-2.12_fr",
-                        "name": "item",
-                        "title": "AC-2 (12) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-2.12_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(a) Guidance:"
-                              }
-                            ],
-                            "prose": "Required for privileged accounts."
-                          },
-                          {
-                            "id": "ac-2.12_fr_gdn.2",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(b) Guidance:"
-                              }
-                            ],
-                            "prose": "Required for privileged accounts."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.12_gdn",
-                    "name": "guidance",
-                    "prose": "Atypical usage includes, for example, accessing information systems at certain\n                  times of the day and from locations that are not consistent with the normal usage\n                  patterns of individuals working in organizations.",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-2.12_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-2.12.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(12)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-2.12.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(12)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines atypical usage to be monitored for information system accounts;"
-                          },
-                          {
-                            "id": "ac-2.12.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(12)(a)[2]"
-                              }
-                            ],
-                            "prose": "monitors information system accounts for organization-defined atypical\n                        usage;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-2.12_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-2(12)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-2.12.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-2(12)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-2.12.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(12)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom atypical usage of information system\n                        accounts are to be reported; and"
-                          },
-                          {
-                            "id": "ac-2.12.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-2(12)(b)[2]"
-                              }
-                            ],
-                            "prose": "reports atypical usage of information system accounts to\n                        organization-defined personnel or roles."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-2.12_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-2(12)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing account management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\naudit tracking and monitoring reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing account management functions"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-3",
-            "class": "SP800-53",
-            "title": "Access Enforcement",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-3_smt",
-                "name": "statement",
-                "prose": "The information system enforces approved authorizations for logical access to\n               information and system resources in accordance with applicable access control\n               policies."
-              },
-              {
-                "id": "ac-3_gdn",
-                "name": "guidance",
-                "prose": "Access control policies (e.g., identity-based policies, role-based policies, control\n               matrices, cryptography) control access between active entities or subjects (i.e.,\n               users or processes acting on behalf of users) and passive entities or objects (e.g.,\n               devices, files, records, domains) in information systems. In addition to enforcing\n               authorized access at the information system level and recognizing that information\n               systems can host many applications and services in support of organizational missions\n               and business operations, access enforcement mechanisms can also be employed at the\n               application and service level to provide increased information security.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  },
-                  {
-                    "href": "#ac-22",
-                    "rel": "related",
-                    "text": "AC-22"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  }
-                ]
-              },
-              {
-                "id": "ac-3_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system enforces approved authorizations for logical\n               access to information and system resources in accordance with applicable access\n               control policies."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing access enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of approved authorizations (user privileges)\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-4",
-            "class": "SP800-53",
-            "title": "Information Flow Enforcement",
-            "parameters": [
-              {
-                "id": "ac-4_prm_1",
-                "label": "organization-defined information flow control policies"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-4_smt",
-                "name": "statement",
-                "prose": "The information system enforces approved authorizations for controlling the flow of\n               information within the system and between interconnected systems based on {{ ac-4_prm_1 }}."
-              },
-              {
-                "id": "ac-4_gdn",
-                "name": "guidance",
-                "prose": "Information flow control regulates where information is allowed to travel within an\n               information system and between information systems (as opposed to who is allowed to\n               access the information) and without explicit regard to subsequent accesses to that\n               information. Flow control restrictions include, for example, keeping\n               export-controlled information from being transmitted in the clear to the Internet,\n               blocking outside traffic that claims to be from within the organization, restricting\n               web requests to the Internet that are not from the internal web proxy server, and\n               limiting information transfers between organizations based on data structures and\n               content. Transferring information between information systems representing different\n               security domains with different security policies introduces risk that such transfers\n               violate one or more domain security policies. In such situations, information\n               owners/stewards provide guidance at designated policy enforcement points between\n               interconnected systems. Organizations consider mandating specific architectural\n               solutions when required to enforce specific security policies. Enforcement includes,\n               for example: (i) prohibiting information transfers between interconnected systems\n               (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way\n               information flows; and (iii) implementing trustworthy regrading mechanisms to\n               reassign security attributes and security labels. Organizations commonly employ\n               information flow control policies and enforcement mechanisms to control the flow of\n               information between designated sources and destinations (e.g., networks, individuals,\n               and devices) within information systems and between interconnected systems. Flow\n               control is based on the characteristics of the information and/or the information\n               path. Enforcement occurs, for example, in boundary protection devices (e.g.,\n               gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or\n               establish configuration settings that restrict information system services, provide a\n               packet-filtering capability based on header information, or message-filtering\n               capability based on message content (e.g., implementing key word searches or using\n               document characteristics). Organizations also consider the trustworthiness of\n               filtering/inspection mechanisms (i.e., hardware, firmware, and software components)\n               that are critical to information flow enforcement. Control enhancements 3 through 22\n               primarily address cross-domain solution needs which focus on more advanced filtering\n               techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented\n               in cross-domain products, for example, high-assurance guards. Such capabilities are\n               generally not available in commercial off-the-shelf information technology\n               products.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-18",
-                    "rel": "related",
-                    "text": "SC-18"
-                  }
-                ]
-              },
-              {
-                "id": "ac-4_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-4_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-4[1]"
-                      }
-                    ],
-                    "prose": "the organization defines information flow control policies to control the flow of\n                  information within the system and between interconnected systems; and"
-                  },
-                  {
-                    "id": "ac-4_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-4[2]"
-                      }
-                    ],
-                    "prose": "the information system enforces approved authorizations for controlling the flow\n                  of information within the system and between interconnected systems based on\n                  organization-defined information flow control policies."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system baseline configuration\\n\\nlist of information flow authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information flow enforcement policy"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-4.21",
-                "class": "SP800-53-enhancement",
-                "title": "Physical / Logical Separation of Information Flows",
-                "parameters": [
-                  {
-                    "id": "ac-4.21_prm_1",
-                    "label": "organization-defined mechanisms and/or techniques"
-                  },
-                  {
-                    "id": "ac-4.21_prm_2",
-                    "label": "organization-defined required separations by types of information"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-4(21)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-04.21"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-4.21_smt",
-                    "name": "statement",
-                    "prose": "The information system separates information flows logically or physically using\n                     {{ ac-4.21_prm_1 }} to accomplish {{ ac-4.21_prm_2 }}."
-                  },
-                  {
-                    "id": "ac-4.21_gdn",
-                    "name": "guidance",
-                    "prose": "Enforcing the separation of information flows by type can enhance protection by\n                  ensuring that information is not commingled while in transit and by enabling flow\n                  control by transmission paths perhaps not otherwise achievable. Types of separable\n                  information include, for example, inbound and outbound communications traffic,\n                  service requests and responses, and information of differing security\n                  categories."
-                  },
-                  {
-                    "id": "ac-4.21_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "ac-4.21_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(21)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the required separations of information flows by types\n                     of information;"
-                      },
-                      {
-                        "id": "ac-4.21_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(21)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the mechanisms and/or techniques to be used to\n                     separate information flows logically or physically; and"
-                      },
-                      {
-                        "id": "ac-4.21_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-4(21)[3]"
-                          }
-                        ],
-                        "prose": "the information system separates information flows logically or physically\n                     using organization-defined mechanisms and/or techniques to accomplish\n                     organization-defined required separations by types of information."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information flow enforcement policy\\n\\ninformation flow control policies\\n\\nprocedures addressing information flow enforcement\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of required separation of information flows by information types\\n\\nlist of mechanisms and/or techniques used to logically or physically separate\n                     information flows\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information flow enforcement responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing information flow enforcement functions"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-5",
-            "class": "SP800-53",
-            "title": "Separation of Duties",
-            "parameters": [
-              {
-                "id": "ac-5_prm_1",
-                "label": "organization-defined duties of individuals"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Separates {{ ac-5_prm_1 }};"
-                  },
-                  {
-                    "id": "ac-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents separation of duties of individuals; and"
-                  },
-                  {
-                    "id": "ac-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Defines information system access authorizations to support separation of\n                  duties."
-                  },
-                  {
-                    "id": "ac-5_fr",
-                    "name": "item",
-                    "title": "AC-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ac.5_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-5_gdn",
-                "name": "guidance",
-                "prose": "Separation of duties addresses the potential for abuse of authorized privileges and\n               helps to reduce the risk of malevolent activity without collusion. Separation of\n               duties includes, for example: (i) dividing mission functions and information system\n               support functions among different individuals and/or roles; (ii) conducting\n               information system support functions with different individuals (e.g., system\n               management, programming, configuration management, quality assurance and testing, and\n               network security); and (iii) ensuring security personnel administering access control\n               functions do not also administer audit functions.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  }
-                ]
-              },
-              {
-                "id": "ac-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-5(a)[1]"
-                          }
-                        ],
-                        "prose": "defines duties of individuals to be separated;"
-                      },
-                      {
-                        "id": "ac-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-5(a)[2]"
-                          }
-                        ],
-                        "prose": "separates organization-defined duties of individuals;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-5(b)"
-                      }
-                    ],
-                    "prose": "documents separation of duties; and"
-                  },
-                  {
-                    "id": "ac-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-5(c)"
-                      }
-                    ],
-                    "prose": "defines information system access authorizations to support separation of\n                  duties."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing divisions of responsibility and separation of duties\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of divisions of responsibility and separation of duties\\n\\ninformation system access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for defining appropriate divisions\n                  of responsibility and separation of duties\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing separation of duties policy"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-6",
-            "class": "SP800-53",
-            "title": "Least Privilege",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-6_smt",
-                "name": "statement",
-                "prose": "The organization employs the principle of least privilege, allowing only authorized\n               accesses for users (or processes acting on behalf of users) which are necessary to\n               accomplish assigned tasks in accordance with organizational missions and business\n               functions."
-              },
-              {
-                "id": "ac-6_gdn",
-                "name": "guidance",
-                "prose": "Organizations employ least privilege for specific duties and information systems. The\n               principle of least privilege is also applied to information system processes,\n               ensuring that the processes operate at privilege levels no higher than necessary to\n               accomplish required organizational missions/business functions. Organizations\n               consider the creation of additional processes, roles, and information system accounts\n               as necessary, to achieve least privilege. Organizations also apply least privilege to\n               the development, implementation, and operation of organizational information\n               systems.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-5",
-                    "rel": "related",
-                    "text": "AC-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  }
-                ]
-              },
-              {
-                "id": "ac-6_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization employs the principle of least privilege, allowing only\n               authorized access for users (and processes acting on behalf of users) which are\n               necessary to accomplish assigned tasks in accordance with organizational missions and\n               business functions. "
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of assigned access authorizations (user privileges)\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for defining least privileges\n                  necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing least privilege functions"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Authorize Access to Security Functions",
-                "parameters": [
-                  {
-                    "id": "ac-6.1_prm_1",
-                    "label": "organization-defined security functions (deployed in hardware, software, and\n                  firmware) and security-relevant information"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization explicitly authorizes access to {{ ac-6.1_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-6.1_gdn",
-                    "name": "guidance",
-                    "prose": "Security functions include, for example, establishing system accounts, configuring\n                  access authorizations (i.e., permissions, privileges), setting events to be\n                  audited, and setting intrusion detection parameters. Security-relevant information\n                  includes, for example, filtering rules for routers/firewalls, cryptographic key\n                  management information, configuration parameters for security services, and access\n                  control lists. Explicitly authorized personnel include, for example, security\n                  administrators, system and network administrators, system security officers,\n                  system maintenance personnel, system programmers, and other privileged users.",
-                    "links": [
-                      {
-                        "href": "#ac-17",
-                        "rel": "related",
-                        "text": "AC-17"
-                      },
-                      {
-                        "href": "#ac-18",
-                        "rel": "related",
-                        "text": "AC-18"
-                      },
-                      {
-                        "href": "#ac-19",
-                        "rel": "related",
-                        "text": "AC-19"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ac-6.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(1)[1]"
-                          }
-                        ],
-                        "prose": "defines security-relevant information for which access must be explicitly\n                     authorized;"
-                      },
-                      {
-                        "id": "ac-6.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(1)[2]"
-                          }
-                        ],
-                        "prose": "defines security functions deployed in:",
-                        "parts": [
-                          {
-                            "id": "ac-6.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[2][a]"
-                              }
-                            ],
-                            "prose": "hardware;"
-                          },
-                          {
-                            "id": "ac-6.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[2][b]"
-                              }
-                            ],
-                            "prose": "software;"
-                          },
-                          {
-                            "id": "ac-6.1_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[2][c]"
-                              }
-                            ],
-                            "prose": "firmware;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-6.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(1)[3]"
-                          }
-                        ],
-                        "prose": "explicitly authorizes access to:",
-                        "parts": [
-                          {
-                            "id": "ac-6.1_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[3][a]"
-                              }
-                            ],
-                            "prose": "organization-defined security functions; and"
-                          },
-                          {
-                            "id": "ac-6.1_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-6(1)[3][b]"
-                              }
-                            ],
-                            "prose": "security-relevant information."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of security functions (deployed in hardware, software, and firmware) and\n                     security-relevant information for which access must be explicitly\n                     authorized\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.2",
-                "class": "SP800-53-enhancement",
-                "title": "Non-privileged Access for Nonsecurity Functions",
-                "parameters": [
-                  {
-                    "id": "ac-6.2_prm_1",
-                    "label": "organization-defined security functions or security-relevant\n                  information",
-                    "constraints": [
-                      {
-                        "detail": "all security functions"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.2_smt",
-                    "name": "statement",
-                    "prose": "The organization requires that users of information system accounts, or roles,\n                  with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or\n                  roles, when accessing nonsecurity functions.",
-                    "parts": [
-                      {
-                        "id": "ac-6.2_fr",
-                        "name": "item",
-                        "title": "AC-6 (2) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ac-6.2_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement limits exposure when operating from within privileged\n                  accounts or roles. The inclusion of roles addresses situations where organizations\n                  implement access control policies such as role-based access control and where a\n                  change of role provides the same degree of assurance in the change of access\n                  authorizations for both the user and all processes acting on behalf of the user as\n                  would be provided by a change between a privileged and non-privileged account.",
-                    "links": [
-                      {
-                        "href": "#pl-4",
-                        "rel": "related",
-                        "text": "PL-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-6.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(2)[1]"
-                          }
-                        ],
-                        "prose": "defines security functions or security-relevant information to which users of\n                     information system accounts, or roles, have access; and"
-                      },
-                      {
-                        "id": "ac-6.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(2)[2]"
-                          }
-                        ],
-                        "prose": "requires that users of information system accounts, or roles, with access to\n                     organization-defined security functions or security-relevant information, use\n                     non-privileged accounts, or roles, when accessing nonsecurity functions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated security functions or security-relevant information\n                     assigned to information system accounts or roles\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.5",
-                "class": "SP800-53-enhancement",
-                "title": "Privileged Accounts",
-                "parameters": [
-                  {
-                    "id": "ac-6.5_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.5_smt",
-                    "name": "statement",
-                    "prose": "The organization restricts privileged accounts on the information system to\n                     {{ ac-6.5_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-6.5_gdn",
-                    "name": "guidance",
-                    "prose": "Privileged accounts, including super user accounts, are typically described as\n                  system administrator for various types of commercial off-the-shelf operating\n                  systems. Restricting privileged accounts to specific personnel or roles prevents\n                  day-to-day users from having access to privileged information/functions.\n                  Organizations may differentiate in the application of this control enhancement\n                  between allowed privileges for local accounts and for domain accounts provided\n                  organizations retain the ability to control information system configurations for\n                  key security parameters and as otherwise necessary to sufficiently mitigate\n                  risk.",
-                    "links": [
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-6.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(5)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles for which privileged accounts on the information\n                     system are to be restricted; and"
-                      },
-                      {
-                        "id": "ac-6.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-6(5)[2]"
-                          }
-                        ],
-                        "prose": "restricts privileged accounts on the information system to organization-defined\n                     personnel or roles."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\nlist of system-generated privileged accounts\\n\\nlist of system administration personnel\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.9",
-                "class": "SP800-53-enhancement",
-                "title": "Auditing Use of Privileged Functions",
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-6(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.9_smt",
-                    "name": "statement",
-                    "prose": "The information system audits the execution of privileged functions."
-                  },
-                  {
-                    "id": "ac-6.9_gdn",
-                    "name": "guidance",
-                    "prose": "Misuse of privileged functions, either intentionally or unintentionally by\n                  authorized users, or by unauthorized external entities that have compromised\n                  information system accounts, is a serious and ongoing concern and can have\n                  significant adverse impacts on organizations. Auditing the use of privileged\n                  functions is one way to detect such misuse, and in doing so, help mitigate the\n                  risk from insider threats and the advanced persistent threat (APT).",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-6.9_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system audits the execution of privileged functions.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of privileged functions to be audited\\n\\nlist of audited events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for reviewing least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms auditing the execution of least privilege functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-6.10",
-                "class": "SP800-53-enhancement",
-                "title": "Prohibit Non-privileged Users from Executing Privileged Functions",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-6(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-06.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-6.10_smt",
-                    "name": "statement",
-                    "prose": "The information system prevents non-privileged users from executing privileged\n                  functions to include disabling, circumventing, or altering implemented security\n                  safeguards/countermeasures."
-                  },
-                  {
-                    "id": "ac-6.10_gdn",
-                    "name": "guidance",
-                    "prose": "Privileged functions include, for example, establishing information system\n                  accounts, performing system integrity checks, or administering cryptographic key\n                  management activities. Non-privileged users are individuals that do not possess\n                  appropriate authorizations. Circumventing intrusion detection and prevention\n                  mechanisms or malicious code protection mechanisms are examples of privileged\n                  functions that require protection from non-privileged users."
-                  },
-                  {
-                    "id": "ac-6.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system prevents non-privileged users from executing\n                  privileged functions to include:",
-                    "parts": [
-                      {
-                        "id": "ac-6.10_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-6(10)[1]"
-                          }
-                        ],
-                        "prose": "disabling implemented security safeguards/countermeasures;"
-                      },
-                      {
-                        "id": "ac-6.10_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-6(10)[2]"
-                          }
-                        ],
-                        "prose": "circumventing security safeguards/countermeasures; or"
-                      },
-                      {
-                        "id": "ac-6.10_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-6(10)[3]"
-                          }
-                        ],
-                        "prose": "altering implemented security safeguards/countermeasures."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing least privilege\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of privileged functions and associated user account assignments\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for defining least privileges\n                     necessary to accomplish specified tasks\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing least privilege functions for non-privileged\n                     users"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-7",
-            "class": "SP800-53",
-            "title": "Unsuccessful Logon Attempts",
-            "parameters": [
-              {
-                "id": "ac-7_prm_1",
-                "label": "organization-defined number",
-                "constraints": [
-                  {
-                    "detail": "not more than three (3)"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "fifteen (15) minutes"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_3"
-              },
-              {
-                "id": "ac-7_prm_4",
-                "depends-on": "ac-7_prm_3",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "locks the account/node for thirty minutes"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_prm_5",
-                "depends-on": "ac-7_prm_3",
-                "label": "organization-defined delay algorithm"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-07"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-7_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon\n                  attempts by a user during a {{ ac-7_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ac-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Automatically {{ ac-7_prm_3 }} when the maximum number of\n                  unsuccessful attempts is exceeded."
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_gdn",
-                "name": "guidance",
-                "prose": "This control applies regardless of whether the logon occurs via a local or network\n               connection. Due to the potential for denial of service, automatic lockouts initiated\n               by information systems are usually temporary and automatically release after a\n               predetermined time period established by organizations. If a delay algorithm is\n               selected, organizations may choose to employ different algorithms for different\n               information system components based on the capabilities of those components.\n               Responses to unsuccessful logon attempts may be implemented at both the operating\n               system and the application levels.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-9",
-                    "rel": "related",
-                    "text": "AC-9"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  }
-                ]
-              },
-              {
-                "id": "ac-7_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "ac-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the number of consecutive invalid logon attempts\n                     allowed to the information system by a user during an organization-defined time\n                     period;"
-                      },
-                      {
-                        "id": "ac-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period allowed by a user of the information\n                     system for an organization-defined number of consecutive invalid logon\n                     attempts;"
-                      },
-                      {
-                        "id": "ac-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(a)[3]"
-                          }
-                        ],
-                        "prose": "the information system enforces a limit of organization-defined number of\n                     consecutive invalid logon attempts by a user during an organization-defined\n                     time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines account/node lockout time period or logon delay\n                     algorithm to be automatically enforced by the information system when the\n                     maximum number of unsuccessful logon attempts is exceeded;"
-                      },
-                      {
-                        "id": "ac-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-7(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system, when the maximum number of unsuccessful logon attempts\n                     is exceeded, automatically:",
-                        "parts": [
-                          {
-                            "id": "ac-7.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][a]"
-                              }
-                            ],
-                            "prose": "locks the account/node for the organization-defined time period;"
-                          },
-                          {
-                            "id": "ac-7.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][b]"
-                              }
-                            ],
-                            "prose": "locks the account/node until released by an administrator; or"
-                          },
-                          {
-                            "id": "ac-7.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-7(b)[2][c]"
-                              }
-                            ],
-                            "prose": "delays next logon prompt according to the organization-defined delay\n                        algorithm."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing unsuccessful logon attempts\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem developers\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy for unsuccessful logon\n                  attempts"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-8",
-            "class": "SP800-53",
-            "title": "System Use Notification",
-            "parameters": [
-              {
-                "id": "ac-8_prm_1",
-                "label": "organization-defined system use notification message or banner",
-                "constraints": [
-                  {
-                    "detail": "see additional Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "ac-8_prm_2",
-                "label": "organization-defined conditions",
-                "constraints": [
-                  {
-                    "detail": "see additional Requirements and Guidance]"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-8_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Displays to users {{ ac-8_prm_1 }} before granting access to the\n                  system that provides privacy and security notices consistent with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance and states that:",
-                    "parts": [
-                      {
-                        "id": "ac-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Users are accessing a U.S. Government information system;"
-                      },
-                      {
-                        "id": "ac-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Information system usage may be monitored, recorded, and subject to audit;"
-                      },
-                      {
-                        "id": "ac-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Unauthorized use of the information system is prohibited and subject to\n                     criminal and civil penalties; and"
-                      },
-                      {
-                        "id": "ac-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Use of the information system indicates consent to monitoring and\n                     recording;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains the notification message or banner on the screen until users acknowledge\n                  the usage conditions and take explicit actions to log on to or further access the\n                  information system; and"
-                  },
-                  {
-                    "id": "ac-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "For publicly accessible systems:",
-                    "parts": [
-                      {
-                        "id": "ac-8_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Displays system use information {{ ac-8_prm_2 }}, before\n                     granting further access;"
-                      },
-                      {
-                        "id": "ac-8_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Displays references, if any, to monitoring, recording, or auditing that are\n                     consistent with privacy accommodations for such systems that generally prohibit\n                     those activities; and"
-                      },
-                      {
-                        "id": "ac-8_smt.c.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Includes a description of the authorized uses of the system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8_fr",
-                    "name": "item",
-                    "title": "AC-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ac-8_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."
-                      },
-                      {
-                        "id": "ac-8_fr_smt.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."
-                      },
-                      {
-                        "id": "ac-8_fr_smt.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-8_gdn",
-                "name": "guidance",
-                "prose": "System use notifications can be implemented using messages or warning banners\n               displayed before individuals log in to information systems. System use notifications\n               are used only for access via logon interfaces with human users and are not required\n               when such human interfaces do not exist. Organizations consider system use\n               notification messages/banners displayed in multiple languages based on specific\n               organizational needs and the demographics of information system users. Organizations\n               also consult with the Office of the General Counsel for legal review and approval of\n               warning banner content."
-              },
-              {
-                "id": "ac-8_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines a system use notification message or banner to be\n                     displayed by the information system to users before granting access to the\n                     system;"
-                      },
-                      {
-                        "id": "ac-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system displays to users the organization-defined system use\n                     notification message or banner before granting access to the information system\n                     that provides privacy and security notices consistent with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance, and states that:",
-                        "parts": [
-                          {
-                            "id": "ac-8.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](1)"
-                              }
-                            ],
-                            "prose": "users are accessing a U.S. Government information system;"
-                          },
-                          {
-                            "id": "ac-8.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](2)"
-                              }
-                            ],
-                            "prose": "information system usage may be monitored, recorded, and subject to\n                        audit;"
-                          },
-                          {
-                            "id": "ac-8.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](3)"
-                              }
-                            ],
-                            "prose": "unauthorized use of the information system is prohibited and subject to\n                        criminal and civil penalties;"
-                          },
-                          {
-                            "id": "ac-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-8(a)[2](4)"
-                              }
-                            ],
-                            "prose": "use of the information system indicates consent to monitoring and\n                        recording;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-8(b)"
-                      }
-                    ],
-                    "prose": "the information system retains the notification message or banner on the screen\n                  until users acknowledge the usage conditions and take explicit actions to log on\n                  to or further access the information system;"
-                  },
-                  {
-                    "id": "ac-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-8(c)"
-                      }
-                    ],
-                    "prose": "for publicly accessible systems:",
-                    "parts": [
-                      {
-                        "id": "ac-8.c.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-8.c.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-8(c)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines conditions for system use to be displayed by the\n                        information system before granting further access;"
-                          },
-                          {
-                            "id": "ac-8.c.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-8(c)(1)[2]"
-                              }
-                            ],
-                            "prose": "the information system displays organization-defined conditions before\n                        granting further access;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-8.c.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(2)"
-                          }
-                        ],
-                        "prose": "the information system displays references, if any, to monitoring, recording,\n                     or auditing that are consistent with privacy accommodations for such systems\n                     that generally prohibit those activities; and"
-                      },
-                      {
-                        "id": "ac-8.c.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-8(c)(3)"
-                          }
-                        ],
-                        "prose": "the information system includes a description of the authorized uses of the\n                     system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprivacy and security policies, procedures addressing system use notification\\n\\ndocumented approval of information system use notification messages or banners\\n\\ninformation system audit records\\n\\nuser acknowledgements of notification message or banner\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system use notification messages\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for providing legal advice\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing system use notification"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-10",
-            "class": "SP800-53",
-            "title": "Concurrent Session Control",
-            "parameters": [
-              {
-                "id": "ac-10_prm_1",
-                "label": "organization-defined account and/or account type"
-              },
-              {
-                "id": "ac-10_prm_2",
-                "label": "organization-defined number",
-                "constraints": [
-                  {
-                    "detail": "three (3) sessions for privileged access and two (2) sessions for non-privileged access"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-10_smt",
-                "name": "statement",
-                "prose": "The information system limits the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}."
-              },
-              {
-                "id": "ac-10_gdn",
-                "name": "guidance",
-                "prose": "Organizations may define the maximum number of concurrent sessions for information\n               system accounts globally, by account type (e.g., privileged user, non-privileged\n               user, domain, specific application), by account, or a combination. For example,\n               organizations may limit the number of concurrent sessions for system administrators\n               or individuals working in particularly sensitive domains or mission-critical\n               applications. This control addresses concurrent sessions for information system\n               accounts and does not address concurrent sessions by single users via multiple system\n               accounts."
-              },
-              {
-                "id": "ac-10_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-10[1]"
-                      }
-                    ],
-                    "prose": "the organization defines account and/or account types for the information\n                  system;"
-                  },
-                  {
-                    "id": "ac-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-10[2]"
-                      }
-                    ],
-                    "prose": "the organization defines the number of concurrent sessions to be allowed for each\n                  organization-defined account and/or account type; and"
-                  },
-                  {
-                    "id": "ac-10_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-10[3]"
-                      }
-                    ],
-                    "prose": "the information system limits the number of concurrent sessions for each\n                  organization-defined account and/or account type to the organization-defined\n                  number of concurrent sessions allowed."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing concurrent session control\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy for concurrent session\n                  control"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-11",
-            "class": "SP800-53",
-            "title": "Session Lock",
-            "parameters": [
-              {
-                "id": "ac-11_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "fifteen (15) minutes"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-11"
-              }
-            ],
-            "links": [
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-11_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "ac-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Prevents further access to the system by initiating a session lock after {{ ac-11_prm_1 }} of inactivity or upon receiving a request from a user;\n                  and"
-                  },
-                  {
-                    "id": "ac-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains the session lock until the user reestablishes access using established\n                  identification and authentication procedures."
-                  }
-                ]
-              },
-              {
-                "id": "ac-11_gdn",
-                "name": "guidance",
-                "prose": "Session locks are temporary actions taken when users stop work and move away from the\n               immediate vicinity of information systems but do not want to log out because of the\n               temporary nature of their absences. Session locks are implemented where session\n               activities can be determined. This is typically at the operating system level, but\n               can also be at the application level. Session locks are not an acceptable substitute\n               for logging out of information systems, for example, if organizations require users\n               to log out at the end of workdays.",
-                "links": [
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  }
-                ]
-              },
-              {
-                "id": "ac-11_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-11(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-11.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-11(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the time period of user inactivity after which the\n                     information system initiates a session lock;"
-                      },
-                      {
-                        "id": "ac-11.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-11(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system prevents further access to the system by initiating a\n                     session lock after organization-defined time period of user inactivity or upon\n                     receiving a request from a user; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-11(b)"
-                      }
-                    ],
-                    "prose": "the information system retains the session lock until the user reestablishes\n                  access using established identification and authentication procedures."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing session lock\\n\\nprocedures addressing identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing access control policy for session lock"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-11.1",
-                "class": "SP800-53-enhancement",
-                "title": "Pattern-hiding Displays",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-11(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-11.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-11.1_smt",
-                    "name": "statement",
-                    "prose": "The information system conceals, via the session lock, information previously\n                  visible on the display with a publicly viewable image."
-                  },
-                  {
-                    "id": "ac-11.1_gdn",
-                    "name": "guidance",
-                    "prose": "Publicly viewable images can include static or dynamic images, for example,\n                  patterns used with screen savers, photographic images, solid colors, clock,\n                  battery life indicator, or a blank screen, with the additional caveat that none of\n                  the images convey sensitive information."
-                  },
-                  {
-                    "id": "ac-11.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system conceals, via the session lock, information\n                  previously visible on the display with a publicly viewable image."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing session lock\\n\\ndisplay screen with session lock activated\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system session lock mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-12",
-            "class": "SP800-53",
-            "title": "Session Termination",
-            "parameters": [
-              {
-                "id": "ac-12_prm_1",
-                "label": "organization-defined conditions or trigger events requiring session\n               disconnect"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-12_smt",
-                "name": "statement",
-                "prose": "The information system automatically terminates a user session after {{ ac-12_prm_1 }}."
-              },
-              {
-                "id": "ac-12_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the termination of user-initiated logical sessions in contrast\n               to SC-10 which addresses the termination of network connections that are associated\n               with communications sessions (i.e., network disconnect). A logical session (for\n               local, network, and remote access) is initiated whenever a user (or process acting on\n               behalf of a user) accesses an organizational information system. Such user sessions\n               can be terminated (and thus terminate user access) without terminating network\n               sessions. Session termination terminates all processes associated with a user’s\n               logical session except those processes that are specifically created by the user\n               (i.e., session owner) to continue after the session is terminated. Conditions or\n               trigger events requiring automatic session termination can include, for example,\n               organization-defined periods of user inactivity, targeted responses to certain types\n               of incidents, time-of-day restrictions on information system use.",
-                "links": [
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#sc-23",
-                    "rel": "related",
-                    "text": "SC-23"
-                  }
-                ]
-              },
-              {
-                "id": "ac-12_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "ac-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-12[1]"
-                      }
-                    ],
-                    "prose": "the organization defines conditions or trigger events requiring session\n                  disconnect; and"
-                  },
-                  {
-                    "id": "ac-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-12[2]"
-                      }
-                    ],
-                    "prose": "the information system automatically terminates a user session after\n                  organization-defined conditions or trigger events requiring session disconnect\n                  occurs."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing session termination\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of conditions or trigger events requiring session disconnect\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing user session termination"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-14",
-            "class": "SP800-53",
-            "title": "Permitted Actions Without Identification or Authentication",
-            "parameters": [
-              {
-                "id": "ac-14_prm_1",
-                "label": "organization-defined user actions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-14"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-14"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-14_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-14_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies {{ ac-14_prm_1 }} that can be performed on the\n                  information system without identification or authentication consistent with\n                  organizational missions/business functions; and"
-                  },
-                  {
-                    "id": "ac-14_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."
-                  }
-                ]
-              },
-              {
-                "id": "ac-14_gdn",
-                "name": "guidance",
-                "prose": "This control addresses situations in which organizations determine that no\n               identification or authentication is required in organizational information systems.\n               Organizations may allow a limited number of user actions without identification or\n               authentication including, for example, when individuals access public websites or\n               other publicly accessible federal information systems, when individuals use mobile\n               phones to receive calls, or when facsimiles are received. Organizations also identify\n               actions that normally require identification or authentication but may under certain\n               circumstances (e.g., emergencies), allow identification or authentication mechanisms\n               to be bypassed. Such bypasses may occur, for example, via a software-readable\n               physical switch that commands bypass of the logon functionality and is protected from\n               accidental or unmonitored use. This control does not apply to situations where\n               identification and authentication have already occurred and are not repeated, but\n               rather to situations where identification and authentication have not yet occurred.\n               Organizations may decide that there are no user actions that can be performed on\n               organizational information systems without identification and authentication and\n               thus, the values for assignment statements can be none.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  }
-                ]
-              },
-              {
-                "id": "ac-14_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-14.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-14(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-14.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-14(a)[1]"
-                          }
-                        ],
-                        "prose": "defines user actions that can be performed on the information system without\n                     identification or authentication consistent with organizational\n                     missions/business functions;"
-                      },
-                      {
-                        "id": "ac-14.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-14(a)[2]"
-                          }
-                        ],
-                        "prose": "identifies organization-defined user actions that can be performed on the\n                     information system without identification or authentication consistent with\n                     organizational missions/business functions; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-14.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-14(b)"
-                      }
-                    ],
-                    "prose": "documents and provides supporting rationale in the security plan for the\n                  information system, user actions not requiring identification or\n                  authentication."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing permitted actions without identification or\n                  authentication\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\nlist of user actions that can be performed without identification or\n                  authentication\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-17",
-            "class": "SP800-53",
-            "title": "Remote Access",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-17"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5309d4d0-46f8-4213-a749-e7584164e5e8",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-46"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              },
-              {
-                "href": "#349fe082-502d-464a-aa0c-1443c6a5cf40",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-113"
-              },
-              {
-                "href": "#1201fcf3-afb1-4675-915a-fb4ae0435717",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-114"
-              },
-              {
-                "href": "#d1a4e2a9-e512-4132-8795-5357aba29254",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-121"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-17_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-17_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and documents usage restrictions, configuration/connection\n                  requirements, and implementation guidance for each type of remote access allowed;\n                  and"
-                  },
-                  {
-                    "id": "ac-17_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes remote access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "id": "ac-17_gdn",
-                "name": "guidance",
-                "prose": "Remote access is access to organizational information systems by users (or processes\n               acting on behalf of users) communicating through external networks (e.g., the\n               Internet). Remote access methods include, for example, dial-up, broadband, and\n               wireless. Organizations often employ encrypted virtual private networks (VPNs) to\n               enhance confidentiality and integrity over remote connections. The use of encrypted\n               VPNs does not make the access non-remote; however, the use of VPNs, when adequately\n               provisioned with appropriate security controls (e.g., employing appropriate\n               encryption techniques for confidentiality and integrity protection) may provide\n               sufficient assurance to the organization that it can effectively treat such\n               connections as internal networks. Still, VPN connections traverse external networks,\n               and the encrypted VPN does not enhance the availability of remote connections. Also,\n               VPNs with encrypted tunnels can affect the organizational capability to adequately\n               monitor network communications traffic for malicious code. Remote access controls\n               apply to information systems other than public web servers or systems designed for\n               public access. This control addresses authorization prior to allowing remote access\n               without specifying the formats for such authorization. While organizations may use\n               interconnection security agreements to authorize remote access connections, such\n               agreements are not required by this control. Enforcing access restrictions for remote\n               connections is addressed in AC-3.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#pe-17",
-                    "rel": "related",
-                    "text": "PE-17"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-17.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-17(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-17.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[1]"
-                          }
-                        ],
-                        "prose": "identifies the types of remote access allowed to the information system;"
-                      },
-                      {
-                        "id": "ac-17.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes for each type of remote access allowed:",
-                        "parts": [
-                          {
-                            "id": "ac-17.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][a]"
-                              }
-                            ],
-                            "prose": "usage restrictions;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][b]"
-                              }
-                            ],
-                            "prose": "configuration/connection requirements;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[2][c]"
-                              }
-                            ],
-                            "prose": "implementation guidance;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-17.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(a)[3]"
-                          }
-                        ],
-                        "prose": "documents for each type of remote access allowed:",
-                        "parts": [
-                          {
-                            "id": "ac-17.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][a]"
-                              }
-                            ],
-                            "prose": "usage restrictions;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][b]"
-                              }
-                            ],
-                            "prose": "configuration/connection requirements;"
-                          },
-                          {
-                            "id": "ac-17.a_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AC-17(a)[3][c]"
-                              }
-                            ],
-                            "prose": "implementation guidance; and"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-17(b)"
-                      }
-                    ],
-                    "prose": "authorizes remote access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing remote access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nremote access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing remote access\n                  connections\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Remote access management capability for the information system"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-17.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Monitoring / Control",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-17(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.1_smt",
-                    "name": "statement",
-                    "prose": "The information system monitors and controls remote access methods."
-                  },
-                  {
-                    "id": "ac-17.1_gdn",
-                    "name": "guidance",
-                    "prose": "Automated monitoring and control of remote access sessions allows organizations to\n                  detect cyber attacks and also ensure ongoing compliance with remote access\n                  policies by auditing connection activities of remote users on a variety of\n                  information system components (e.g., servers, workstations, notebook computers,\n                  smart phones, and tablets).",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system monitors and controls remote access methods.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system monitoring records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms monitoring and controlling remote access methods"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-17.2",
-                "class": "SP800-53-enhancement",
-                "title": "Protection of Confidentiality / Integrity Using Encryption",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-17(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.2_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to protect the\n                  confidentiality and integrity of remote access sessions."
-                  },
-                  {
-                    "id": "ac-17.2_gdn",
-                    "name": "guidance",
-                    "prose": "The encryption strength of mechanism is selected based on the security\n                  categorization of the information.",
-                    "links": [
-                      {
-                        "href": "#sc-8",
-                        "rel": "related",
-                        "text": "SC-8"
-                      },
-                      {
-                        "href": "#sc-12",
-                        "rel": "related",
-                        "text": "SC-12"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements cryptographic mechanisms to protect\n                  the confidentiality and integrity of remote access sessions. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms protecting confidentiality and integrity of remote\n                     access sessions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-17.3",
-                "class": "SP800-53-enhancement",
-                "title": "Managed Access Control Points",
-                "parameters": [
-                  {
-                    "id": "ac-17.3_prm_1",
-                    "label": "organization-defined number"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-17(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.3_smt",
-                    "name": "statement",
-                    "prose": "The information system routes all remote accesses through {{ ac-17.3_prm_1 }} managed network access control points."
-                  },
-                  {
-                    "id": "ac-17.3_gdn",
-                    "name": "guidance",
-                    "prose": "Limiting the number of access control points for remote accesses reduces the\n                  attack surface for organizations. Organizations consider the Trusted Internet\n                  Connections (TIC) initiative requirements for external network connections.",
-                    "links": [
-                      {
-                        "href": "#sc-7",
-                        "rel": "related",
-                        "text": "SC-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ac-17.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(3)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the number of managed network access control points\n                     through which all remote accesses are to be routed; and"
-                      },
-                      {
-                        "id": "ac-17.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(3)[2]"
-                          }
-                        ],
-                        "prose": "the information system routes all remote accesses through the\n                     organization-defined number of managed network access control points."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system design documentation\\n\\nlist of all managed network access control points\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms routing all remote accesses through managed network access\n                     control points"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-17.4",
-                "class": "SP800-53-enhancement",
-                "title": "Privileged Commands / Access",
-                "parameters": [
-                  {
-                    "id": "ac-17.4_prm_1",
-                    "label": "organization-defined needs"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-17(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.4_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ac-17.4_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Authorizes the execution of privileged commands and access to security-relevant\n                     information via remote access only for {{ ac-17.4_prm_1 }};\n                     and"
-                      },
-                      {
-                        "id": "ac-17.4_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Documents the rationale for such access in the security plan for the\n                     information system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.4_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-17.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-17.4.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-17(4)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ac-17.4.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-17(4)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines needs to authorize the execution of privileged commands and access\n                        to security-relevant information via remote access;"
-                          },
-                          {
-                            "id": "ac-17.4.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AC-17(4)(a)[2]"
-                              }
-                            ],
-                            "prose": "authorizes the execution of privileged commands and access to\n                        security-relevant information via remote access only for\n                        organization-defined needs; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ac-17.4_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-17(4)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-17.4.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(4)(b)"
-                          }
-                        ],
-                        "prose": "documents the rationale for such access in the information system security\n                     plan.",
-                        "links": [
-                          {
-                            "href": "#ac-17.4_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-17(4)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing remote access to the information system\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing remote access management"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-17.9",
-                "class": "SP800-53-enhancement",
-                "title": "Disconnect / Disable Access",
-                "parameters": [
-                  {
-                    "id": "ac-17.9_prm_1",
-                    "label": "organization-defined time period",
-                    "constraints": [
-                      {
-                        "detail": "fifteen 15 minutes"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-17(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-17.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-17.9_smt",
-                    "name": "statement",
-                    "prose": "The organization provides the capability to expeditiously disconnect or disable\n                  remote access to the information system within {{ ac-17.9_prm_1 }}."
-                  },
-                  {
-                    "id": "ac-17.9_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement requires organizations to have the capability to rapidly\n                  disconnect current users remotely accessing the information system and/or disable\n                  further remote access. The speed of disconnect or disablement varies based on the\n                  criticality of missions/business functions and the need to eliminate immediate or\n                  future remote access to organizational information systems."
-                  },
-                  {
-                    "id": "ac-17.9_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-17.9_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(9)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to expeditiously disconnect or disable\n                     remote access to the information system; and"
-                      },
-                      {
-                        "id": "ac-17.9_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-17(9)[2]"
-                          }
-                        ],
-                        "prose": "provides the capability to expeditiously disconnect or disable remote access to\n                     the information system within the organization-defined time period."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing disconnecting or disabling remote access to the\n                     information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity plan, information system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing capability to disconnect or disable remote\n                     access to information system"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-18",
-            "class": "SP800-53",
-            "title": "Wireless Access",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-18"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-18"
-              }
-            ],
-            "links": [
-              {
-                "href": "#238ed479-eccb-49f6-82ec-ab74a7a428cf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-48"
-              },
-              {
-                "href": "#d1b1d689-0f66-4474-9924-c81119758dc1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-94"
-              },
-              {
-                "href": "#6f336ecd-f2a0-4c84-9699-0491d81b6e0d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-97"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-18_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-18_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions, configuration/connection requirements, and\n                  implementation guidance for wireless access; and"
-                  },
-                  {
-                    "id": "ac-18_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes wireless access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "id": "ac-18_gdn",
-                "name": "guidance",
-                "prose": "Wireless technologies include, for example, microwave, packet radio (UHF/VHF),\n               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,\n               EAP/TLS, PEAP), which provide credential protection and mutual authentication.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-18_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-18.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-18(a)"
-                      }
-                    ],
-                    "prose": "establishes for wireless access:",
-                    "parts": [
-                      {
-                        "id": "ac-18.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[1]"
-                          }
-                        ],
-                        "prose": "usage restrictions;"
-                      },
-                      {
-                        "id": "ac-18.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[2]"
-                          }
-                        ],
-                        "prose": "configuration/connection requirement;"
-                      },
-                      {
-                        "id": "ac-18.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(a)[3]"
-                          }
-                        ],
-                        "prose": "implementation guidance; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-18(b)"
-                      }
-                    ],
-                    "prose": "authorizes wireless access to the information system prior to allowing such\n                  connections."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing wireless access implementation and usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nwireless access authorizations\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing wireless access\n                  connections\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Wireless access management capability for the information system"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-18.1",
-                "class": "SP800-53-enhancement",
-                "title": "Authentication and Encryption",
-                "parameters": [
-                  {
-                    "id": "ac-18.1_prm_1"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-18(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-18.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-18.1_smt",
-                    "name": "statement",
-                    "prose": "The information system protects wireless access to the system using authentication\n                  of {{ ac-18.1_prm_1 }} and encryption."
-                  },
-                  {
-                    "id": "ac-18.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#sc-8",
-                        "rel": "related",
-                        "text": "SC-8"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-18.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system protects wireless access to the system using\n                  encryption and one or more of the following:",
-                    "parts": [
-                      {
-                        "id": "ac-18.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(1)[1]"
-                          }
-                        ],
-                        "prose": "authentication of users; and/or"
-                      },
-                      {
-                        "id": "ac-18.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-18(1)[2]"
-                          }
-                        ],
-                        "prose": "authentication of devices."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing wireless implementation and usage (including\n                     restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing wireless access protections to the\n                     information system"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-19",
-            "class": "SP800-53",
-            "title": "Access Control for Mobile Devices",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-19"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-19"
-              }
-            ],
-            "links": [
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              },
-              {
-                "href": "#1201fcf3-afb1-4675-915a-fb4ae0435717",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-114"
-              },
-              {
-                "href": "#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-124"
-              },
-              {
-                "href": "#6513e480-fada-4876-abba-1397084dfb26",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-164"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-19_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-19_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions, configuration requirements, connection\n                  requirements, and implementation guidance for organization-controlled mobile\n                  devices; and"
-                  },
-                  {
-                    "id": "ac-19_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes the connection of mobile devices to organizational information\n                  systems."
-                  }
-                ]
-              },
-              {
-                "id": "ac-19_gdn",
-                "name": "guidance",
-                "prose": "A mobile device is a computing device that: (i) has a small form factor such that it\n               can easily be carried by a single individual; (ii) is designed to operate without a\n               physical connection (e.g., wirelessly transmit or receive information); (iii)\n               possesses local, non-removable or removable data storage; and (iv) includes a\n               self-contained power source. Mobile devices may also include voice communication\n               capabilities, on-board sensors that allow the device to capture information, and/or\n               built-in features for synchronizing local data with remote locations. Examples\n               include smart phones, E-readers, and tablets. Mobile devices are typically associated\n               with a single individual and the device is usually in close proximity to the\n               individual; however, the degree of proximity can vary depending upon on the form\n               factor and size of the device. The processing, storage, and transmission capability\n               of the mobile device may be comparable to or merely a subset of desktop systems,\n               depending upon the nature and intended purpose of the device. Due to the large\n               variety of mobile devices with different technical characteristics and capabilities,\n               organizational restrictions may vary for the different classes/types of such devices.\n               Usage restrictions and specific implementation guidance for mobile devices include,\n               for example, configuration management, device identification and authentication,\n               implementation of mandatory protective software (e.g., malicious code detection,\n               firewall), scanning devices for malicious code, updating virus protection software,\n               scanning for critical software updates and patches, conducting primary operating\n               system (and possibly other resident software) integrity checks, and disabling\n               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the\n               need to provide adequate security for mobile devices goes beyond the requirements in\n               this control. Many safeguards and countermeasures for mobile devices are reflected in\n               other security controls in the catalog allocated in the initial control baselines as\n               starting points for the development of security plans and overlays using the\n               tailoring process. There may also be some degree of overlap in the requirements\n               articulated by the security controls within the different families of controls. AC-20\n               addresses mobile devices that are not organization-controlled.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-9",
-                    "rel": "related",
-                    "text": "CA-9"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-43",
-                    "rel": "related",
-                    "text": "SC-43"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ac-19_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ac-19.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-19(a)"
-                      }
-                    ],
-                    "prose": "establishes for organization-controlled mobile devices:",
-                    "parts": [
-                      {
-                        "id": "ac-19.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[1]"
-                          }
-                        ],
-                        "prose": "usage restrictions;"
-                      },
-                      {
-                        "id": "ac-19.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[2]"
-                          }
-                        ],
-                        "prose": "configuration/connection requirement;"
-                      },
-                      {
-                        "id": "ac-19.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-19(a)[3]"
-                          }
-                        ],
-                        "prose": "implementation guidance; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-19.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-19(b)"
-                      }
-                    ],
-                    "prose": "authorizes the connection of mobile devices to organizational information\n                  systems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing access control for mobile device usage (including\n                  restrictions)\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nauthorizations for mobile device connections to organizational information\n                  systems\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel using mobile devices to access organizational information\n                  systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control capability authorizing mobile device connections to organizational\n                  information systems"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-19.5",
-                "class": "SP800-53-enhancement",
-                "title": "Full Device / Container-based Encryption",
-                "parameters": [
-                  {
-                    "id": "ac-19.5_prm_1"
-                  },
-                  {
-                    "id": "ac-19.5_prm_2",
-                    "label": "organization-defined mobile devices"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AC-19(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-19.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-19.5_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ ac-19.5_prm_1 }} to protect the\n                  confidentiality and integrity of information on {{ ac-19.5_prm_2 }}."
-                  },
-                  {
-                    "id": "ac-19.5_gdn",
-                    "name": "guidance",
-                    "prose": "Container-based encryption provides a more fine-grained approach to the encryption\n                  of data/information on mobile devices, including for example, encrypting selected\n                  data structures such as files, records, or fields.",
-                    "links": [
-                      {
-                        "href": "#mp-5",
-                        "rel": "related",
-                        "text": "MP-5"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      },
-                      {
-                        "href": "#sc-28",
-                        "rel": "related",
-                        "text": "SC-28"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-19.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-19.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-19(5)[1]"
-                          }
-                        ],
-                        "prose": "defines mobile devices for which full-device encryption or container encryption\n                     is required to protect the confidentiality and integrity of information on such\n                     devices; and"
-                      },
-                      {
-                        "id": "ac-19.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-19(5)[2]"
-                          }
-                        ],
-                        "prose": "employs full-device encryption or container encryption to protect the\n                     confidentiality and integrity of information on organization-defined mobile\n                     devices."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing access control for mobile devices\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nencryption mechanism s and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with access control responsibilities for mobile\n                     devices\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Encryption mechanisms protecting confidentiality and integrity of information\n                     on mobile devices"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-20",
-            "class": "SP800-53",
-            "title": "Use of External Information Systems",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-20"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-20"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-20_smt",
-                "name": "statement",
-                "prose": "The organization establishes terms and conditions, consistent with any trust\n               relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to:",
-                "parts": [
-                  {
-                    "id": "ac-20_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Access the information system from external information systems; and"
-                  },
-                  {
-                    "id": "ac-20_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Process, store, or transmit organization-controlled information using external\n                  information systems."
-                  }
-                ]
-              },
-              {
-                "id": "ac-20_gdn",
-                "name": "guidance",
-                "prose": "External information systems are information systems or components of information\n               systems that are outside of the authorization boundary established by organizations\n               and for which organizations typically have no direct supervision and authority over\n               the application of required security controls or the assessment of control\n               effectiveness. External information systems include, for example: (i) personally\n               owned information systems/devices (e.g., notebook computers, smart phones, tablets,\n               personal digital assistants); (ii) privately owned computing and communications\n               devices resident in commercial or public facilities (e.g., hotels, train stations,\n               convention centers, shopping malls, or airports); (iii) information systems owned or\n               controlled by nonfederal governmental organizations; and (iv) federal information\n               systems that are not owned by, operated by, or under the direct supervision and\n               authority of organizations. This control also addresses the use of external\n               information systems for the processing, storage, or transmission of organizational\n               information, including, for example, accessing cloud services (e.g., infrastructure\n               as a service, platform as a service, or software as a service) from organizational\n               information systems. For some external information systems (i.e., information systems\n               operated by other federal agencies, including organizations subordinate to those\n               agencies), the trust relationships that have been established between those\n               organizations and the originating organization may be such, that no explicit terms\n               and conditions are required. Information systems within these organizations would not\n               be considered external. These situations occur when, for example, there are\n               pre-existing sharing/trust agreements (either implicit or explicit) established\n               between federal agencies or organizations subordinate to those agencies, or when such\n               trust agreements are specified by applicable laws, Executive Orders, directives, or\n               policies. Authorized individuals include, for example, organizational personnel,\n               contractors, or other individuals with authorized access to organizational\n               information systems and over which organizations have the authority to impose rules\n               of behavior with regard to system access. Restrictions that organizations impose on\n               authorized individuals need not be uniform, as those restrictions may vary depending\n               upon the trust relationships between organizations. Therefore, organizations may\n               choose to impose different security restrictions on contractors than on state, local,\n               or tribal governments. This control does not apply to the use of external information\n               systems to access public interfaces to organizational information systems (e.g.,\n               individuals accessing federal information through www.usa.gov). Organizations\n               establish terms and conditions for the use of external information systems in\n               accordance with organizational security policies and procedures. Terms and conditions\n               address as a minimum: types of applications that can be accessed on organizational\n               information systems from external information systems; and the highest security\n               category of information that can be processed, stored, or transmitted on external\n               information systems. If terms and conditions with the owners of external information\n               systems cannot be established, organizations may impose restrictions on\n               organizational personnel using those external systems.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  }
-                ]
-              },
-              {
-                "id": "ac-20_obj",
-                "name": "objective",
-                "prose": "Determine if the organization establishes terms and conditions, consistent with any\n               trust relationships established with other organizations owning, operating, and/or\n               maintaining external information systems, allowing authorized individuals to: ",
-                "parts": [
-                  {
-                    "id": "ac-20.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-20(a)"
-                      }
-                    ],
-                    "prose": "access the information system from the external information systems; and"
-                  },
-                  {
-                    "id": "ac-20.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-20(b)"
-                      }
-                    ],
-                    "prose": "process, store, or transmit organization-controlled information using external\n                  information systems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nexternal information systems terms and conditions\\n\\nlist of types of applications accessible from external information systems\\n\\nmaximum security categorization for information processed, stored, or transmitted\n                  on external information systems\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for defining terms and conditions\n                  for use of external information systems to access organizational systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing terms and conditions on use of external\n                  information systems"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ac-20.1",
-                "class": "SP800-53-enhancement",
-                "title": "Limits On Authorized Use",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-20(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-20.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-20.1_smt",
-                    "name": "statement",
-                    "prose": "The organization permits authorized individuals to use an external information\n                  system to access the information system or to process, store, or transmit\n                  organization-controlled information only when the organization:",
-                    "parts": [
-                      {
-                        "id": "ac-20.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Verifies the implementation of required security controls on the external\n                     system as specified in the organization’s information security policy and\n                     security plan; or"
-                      },
-                      {
-                        "id": "ac-20.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Retains approved information system connection or processing agreements with\n                     the organizational entity hosting the external information system."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-20.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement recognizes that there are circumstances where individuals\n                  using external information systems (e.g., contractors, coalition partners) need to\n                  access organizational information systems. In those situations, organizations need\n                  confidence that the external information systems contain the necessary security\n                  safeguards (i.e., security controls), so as not to compromise, damage, or\n                  otherwise harm organizational information systems. Verification that the required\n                  security controls have been implemented can be achieved, for example, by\n                  third-party, independent assessments, attestations, or other means, depending on\n                  the confidence level required by organizations.",
-                    "links": [
-                      {
-                        "href": "#ca-2",
-                        "rel": "related",
-                        "text": "CA-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-20.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization permits authorized individuals to use an external\n                  information system to access the information system or to process, store, or\n                  transmit organization-controlled information only when the organization: ",
-                    "parts": [
-                      {
-                        "id": "ac-20.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-20(1)(a)"
-                          }
-                        ],
-                        "prose": "verifies the implementation of required security controls on the external\n                     system as specified in the organization’s information security policy and\n                     security plan; or",
-                        "links": [
-                          {
-                            "href": "#ac-20.1_smt.a",
-                            "rel": "corresp",
-                            "text": "AC-20(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ac-20.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AC-20(1)(b)"
-                          }
-                        ],
-                        "prose": "retains approved information system connection or processing agreements with\n                     the organizational entity hosting the external information system.",
-                        "links": [
-                          {
-                            "href": "#ac-20.1_smt.b",
-                            "rel": "corresp",
-                            "text": "AC-20(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nsecurity plan\\n\\ninformation system connection or processing agreements\\n\\naccount management documents\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing limits on use of external information\n                     systems"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ac-20.2",
-                "class": "SP800-53-enhancement",
-                "title": "Portable Storage Devices",
-                "parameters": [
-                  {
-                    "id": "ac-20.2_prm_1"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AC-20(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ac-20.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ac-20.2_smt",
-                    "name": "statement",
-                    "prose": "The organization {{ ac-20.2_prm_1 }} the use of\n                  organization-controlled portable storage devices by authorized individuals on\n                  external information systems."
-                  },
-                  {
-                    "id": "ac-20.2_gdn",
-                    "name": "guidance",
-                    "prose": "Limits on the use of organization-controlled portable storage devices in external\n                  information systems include, for example, complete prohibition of the use of such\n                  devices or restrictions on how the devices may be used and under what conditions\n                  the devices may be used."
-                  },
-                  {
-                    "id": "ac-20.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization restricts or prohibits the use of\n                  organization-controlled portable storage devices by authorized individuals on\n                  external information systems. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing the use of external information systems\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system connection or processing agreements\\n\\naccount management documents\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for restricting or prohibiting\n                     use of organization-controlled storage devices on external information\n                     systems\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing restrictions on use of portable storage\n                     devices"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-21",
-            "class": "SP800-53",
-            "title": "Information Sharing",
-            "parameters": [
-              {
-                "id": "ac-21_prm_1",
-                "label": "organization-defined information sharing circumstances where user discretion is\n               required"
-              },
-              {
-                "id": "ac-21_prm_2",
-                "label": "organization-defined automated mechanisms or manual processes"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AC-21"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-21"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-21_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-21_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Facilitates information sharing by enabling authorized users to determine whether\n                  access authorizations assigned to the sharing partner match the access\n                  restrictions on the information for {{ ac-21_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ac-21_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs {{ ac-21_prm_2 }} to assist users in making information\n                  sharing/collaboration decisions."
-                  }
-                ]
-              },
-              {
-                "id": "ac-21_gdn",
-                "name": "guidance",
-                "prose": "This control applies to information that may be restricted in some manner (e.g.,\n               privileged medical information, contract-sensitive information, proprietary\n               information, personally identifiable information, classified information related to\n               special access programs or compartments) based on some formal or administrative\n               determination. Depending on the particular information-sharing circumstances, sharing\n               partners may be defined at the individual, group, or organizational level.\n               Information may be defined by content, type, security category, or special access\n               program/compartment.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  }
-                ]
-              },
-              {
-                "id": "ac-21_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ac-21.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-21(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-21.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-21(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information sharing circumstances where user discretion is\n                     required;"
-                      },
-                      {
-                        "id": "ac-21.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-21(a)[2]"
-                          }
-                        ],
-                        "prose": "facilitates information sharing by enabling authorized users to determine\n                     whether access authorizations assigned to the sharing partner match the access\n                     restrictions on the information for organization-defined information sharing\n                     circumstances;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ac-21.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-21(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-21.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-21(b)[1]"
-                          }
-                        ],
-                        "prose": "defines automated mechanisms or manual processes to be employed to assist users\n                     in making information sharing/collaboration decisions; and"
-                      },
-                      {
-                        "id": "ac-21.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-21(b)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined automated mechanisms or manual processes to assist\n                     users in making information sharing/collaboration decisions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing user-based collaboration and information sharing (including\n                  restrictions)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of users authorized to make information sharing/collaboration decisions\\n\\nlist of information sharing circumstances requiring user discretion\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel responsible for making information sharing/collaboration\n                  decisions\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms or manual process implementing access authorizations\n                  supporting information sharing/user collaboration decisions"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ac-22",
-            "class": "SP800-53",
-            "title": "Publicly Accessible Content",
-            "parameters": [
-              {
-                "id": "ac-22_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least quarterly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AC-22"
-              },
-              {
-                "name": "sort-id",
-                "value": "ac-22"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ac-22_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ac-22_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Designates individuals authorized to post information onto a publicly accessible\n                  information system;"
-                  },
-                  {
-                    "id": "ac-22_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"
-                  },
-                  {
-                    "id": "ac-22_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included; and"
-                  },
-                  {
-                    "id": "ac-22_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Reviews the content on the publicly accessible information system for nonpublic\n                  information {{ ac-22_prm_1 }} and removes such information, if\n                  discovered."
-                  }
-                ]
-              },
-              {
-                "id": "ac-22_gdn",
-                "name": "guidance",
-                "prose": "In accordance with federal laws, Executive Orders, directives, policies, regulations,\n               standards, and/or guidance, the general public is not authorized access to nonpublic\n               information (e.g., information protected under the Privacy Act and proprietary\n               information). This control addresses information systems that are controlled by the\n               organization and accessible to the general public, typically without identification\n               or authentication. The posting of information on non-organization information systems\n               is covered by organizational policy.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#au-13",
-                    "rel": "related",
-                    "text": "AU-13"
-                  }
-                ]
-              },
-              {
-                "id": "ac-22_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ac-22.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(a)"
-                      }
-                    ],
-                    "prose": "designates individuals authorized to post information onto a publicly accessible\n                  information system;"
-                  },
-                  {
-                    "id": "ac-22.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(b)"
-                      }
-                    ],
-                    "prose": "trains authorized individuals to ensure that publicly accessible information does\n                  not contain nonpublic information;"
-                  },
-                  {
-                    "id": "ac-22.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AC-22(c)"
-                      }
-                    ],
-                    "prose": "reviews the proposed content of information prior to posting onto the publicly\n                  accessible information system to ensure that nonpublic information is not\n                  included;"
-                  },
-                  {
-                    "id": "ac-22.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AC-22(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ac-22.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the content on the publicly accessible\n                     information system for nonpublic information;"
-                      },
-                      {
-                        "id": "ac-22.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[2]"
-                          }
-                        ],
-                        "prose": "reviews the content on the publicly accessible information system for nonpublic\n                     information with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "ac-22.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AC-22(d)[3]"
-                          }
-                        ],
-                        "prose": "removes nonpublic information from the publicly accessible information system,\n                     if discovered."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing publicly accessible content\\n\\nlist of users authorized to post publicly accessible content on organizational\n                  information systems\\n\\ntraining materials and/or records\\n\\nrecords of publicly accessible information reviews\\n\\nrecords of response to nonpublic information on public websites\\n\\nsystem audit logs\\n\\nsecurity awareness training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for managing publicly accessible\n                  information posted on organizational information systems\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing management of publicly accessible content"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "at",
-        "class": "family",
-        "title": "Awareness and Training",
-        "controls": [
-          {
-            "id": "at-1",
-            "class": "SP800-53",
-            "title": "Security Awareness and Training Policy and Procedures",
-            "parameters": [
-              {
-                "id": "at-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "at-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "at-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "at-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ at-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "at-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security awareness and training policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "at-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security awareness and\n                     training policy and associated security awareness and training controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "at-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security awareness and training policy {{ at-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "at-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security awareness and training procedures {{ at-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "at-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AT\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "at-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an security awareness and training policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "at-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "at-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AT-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "at-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the security awareness and training\n                        policy are to be disseminated;"
-                          },
-                          {
-                            "id": "at-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the security awareness and training policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        security awareness and training policy and associated awareness and training\n                        controls;"
-                          },
-                          {
-                            "id": "at-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "at-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security awareness\n                        and training policy;"
-                          },
-                          {
-                            "id": "at-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security awareness and training policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AT-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "at-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security awareness\n                        and training procedures; and"
-                          },
-                          {
-                            "id": "at-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AT-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security awareness and training procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security awareness and training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-2",
-            "class": "SP800-53",
-            "title": "Security Awareness Training",
-            "parameters": [
-              {
-                "id": "at-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bb61234b-46c3-4211-8c2b-9869222a720d",
-                "rel": "reference",
-                "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-              },
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-2_smt",
-                "name": "statement",
-                "prose": "The organization provides basic security awareness training to information system\n               users (including managers, senior executives, and contractors):",
-                "parts": [
-                  {
-                    "id": "at-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "As part of initial training for new users;"
-                  },
-                  {
-                    "id": "at-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "at-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ at-2_prm_1 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "at-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the appropriate content of security awareness training and\n               security awareness techniques based on the specific organizational requirements and\n               the information systems to which personnel have authorized access. The content\n               includes a basic understanding of the need for information security and user actions\n               to maintain security and to respond to suspected security incidents. The content also\n               addresses awareness of the need for operations security. Security awareness\n               techniques can include, for example, displaying posters, offering supplies inscribed\n               with security reminders, generating email advisories/notices from senior\n               organizational officials, displaying logon screen messages, and conducting\n               information security awareness events.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#at-4",
-                    "rel": "related",
-                    "text": "AT-4"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "at-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-2(a)"
-                      }
-                    ],
-                    "prose": "provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) as part of initial training for new\n                  users;"
-                  },
-                  {
-                    "id": "at-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-2(b)"
-                      }
-                    ],
-                    "prose": "provides basic security awareness training to information system users (including\n                  managers, senior executives, and contractors) when required by information system\n                  changes; and"
-                  },
-                  {
-                    "id": "at-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher security awareness training\n                     thereafter to information system users (including managers, senior executives,\n                     and contractors); and"
-                      },
-                      {
-                        "id": "at-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-2(c)[2]"
-                          }
-                        ],
-                        "prose": "provides refresher security awareness training to information users (including\n                     managers, senior executives, and contractors) with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nappropriate codes of federal regulations\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for security awareness training\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel comprising the general information system user\n                  community"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms managing security awareness training"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "at-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Insider Threat",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AT-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "at-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "at-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization includes security awareness training on recognizing and reporting\n                  potential indicators of insider threat."
-                  },
-                  {
-                    "id": "at-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "Potential indicators and possible precursors of insider threat can include\n                  behaviors such as inordinate, long-term job dissatisfaction, attempts to gain\n                  access to information not required for job performance, unexplained access to\n                  financial resources, bullying or sexual harassment of fellow employees, workplace\n                  violence, and other serious violations of organizational policies, procedures,\n                  directives, rules, or practices. Security awareness training includes how to\n                  communicate employee and management concerns regarding potential indicators of\n                  insider threat through appropriate organizational channels in accordance with\n                  established organizational policies and procedures.",
-                    "links": [
-                      {
-                        "href": "#pl-4",
-                        "rel": "related",
-                        "text": "PL-4"
-                      },
-                      {
-                        "href": "#pm-12",
-                        "rel": "related",
-                        "text": "PM-12"
-                      },
-                      {
-                        "href": "#ps-3",
-                        "rel": "related",
-                        "text": "PS-3"
-                      },
-                      {
-                        "href": "#ps-6",
-                        "rel": "related",
-                        "text": "PS-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-2.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization includes security awareness training on recognizing\n                  and reporting potential indicators of insider threat. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security awareness and training policy\\n\\nprocedures addressing security awareness training implementation\\n\\nsecurity awareness training curriculum\\n\\nsecurity awareness training materials\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel that participate in security awareness training\\n\\norganizational personnel with responsibilities for basic security awareness\n                     training\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-3",
-            "class": "SP800-53",
-            "title": "Role-based Security Training",
-            "parameters": [
-              {
-                "id": "at-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bb61234b-46c3-4211-8c2b-9869222a720d",
-                "rel": "reference",
-                "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-3_smt",
-                "name": "statement",
-                "prose": "The organization provides role-based security training to personnel with assigned\n               security roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "at-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Before authorizing access to the information system or performing assigned\n                  duties;"
-                  },
-                  {
-                    "id": "at-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "at-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ at-3_prm_1 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "at-3_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the appropriate content of security training based on the\n               assigned roles and responsibilities of individuals and the specific security\n               requirements of organizations and the information systems to which personnel have\n               authorized access. In addition, organizations provide enterprise architects,\n               information system developers, software developers, acquisition/procurement\n               officials, information system managers, system/network administrators, personnel\n               conducting configuration management and auditing activities, personnel performing\n               independent verification and validation activities, security control assessors, and\n               other personnel having access to system-level software, adequate security-related\n               technical training specifically tailored for their assigned duties. Comprehensive\n               role-based training addresses management, operational, and technical roles and\n               responsibilities covering physical, personnel, and technical safeguards and\n               countermeasures. Such training can include for example, policies, procedures, tools,\n               and artifacts for the organizational security roles defined. Organizations also\n               provide the training necessary for individuals to carry out their responsibilities\n               related to operations and supply chain security within the context of organizational\n               information security programs. Role-based security training also applies to\n               contractors providing services to federal agencies.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-4",
-                    "rel": "related",
-                    "text": "AT-4"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sa-16",
-                    "rel": "related",
-                    "text": "SA-16"
-                  }
-                ]
-              },
-              {
-                "id": "at-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-3(a)"
-                      }
-                    ],
-                    "prose": "provides role-based security training to personnel with assigned security roles\n                  and responsibilities before authorizing access to the information system or\n                  performing assigned duties;"
-                  },
-                  {
-                    "id": "at-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AT-3(b)"
-                      }
-                    ],
-                    "prose": "provides role-based security training to personnel with assigned security roles\n                  and responsibilities when required by information system changes; and"
-                  },
-                  {
-                    "id": "at-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher role-based security training\n                     thereafter to personnel with assigned security roles and responsibilities;\n                     and"
-                      },
-                      {
-                        "id": "at-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides refresher role-based security training to personnel with assigned\n                     security roles and responsibilities with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security training implementation\\n\\ncodes of federal regulations\\n\\nsecurity training curriculum\\n\\nsecurity training materials\\n\\nsecurity plan\\n\\ntraining records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for role-based security\n                  training\\n\\norganizational personnel with assigned information system security roles and\n                  responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms managing role-based security training"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "at-4",
-            "class": "SP800-53",
-            "title": "Security Training Records",
-            "parameters": [
-              {
-                "id": "at-4_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "At least one year"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AT-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "at-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "at-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "at-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Documents and monitors individual information system security training activities\n                  including basic security awareness training and specific information system\n                  security training; and"
-                  },
-                  {
-                    "id": "at-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Retains individual training records for {{ at-4_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "at-4_gdn",
-                "name": "guidance",
-                "prose": "Documentation for specialized training may be maintained by individual supervisors at\n               the option of the organization.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pm-14",
-                    "rel": "related",
-                    "text": "PM-14"
-                  }
-                ]
-              },
-              {
-                "id": "at-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "at-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(a)[1]"
-                          }
-                        ],
-                        "prose": "documents individual information system security training activities\n                     including:",
-                        "parts": [
-                          {
-                            "id": "at-4.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[1][a]"
-                              }
-                            ],
-                            "prose": "basic security awareness training;"
-                          },
-                          {
-                            "id": "at-4.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[1][b]"
-                              }
-                            ],
-                            "prose": "specific role-based information system security training;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "at-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors individual information system security training activities\n                     including:",
-                        "parts": [
-                          {
-                            "id": "at-4.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[2][a]"
-                              }
-                            ],
-                            "prose": "basic security awareness training;"
-                          },
-                          {
-                            "id": "at-4.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AT-4(a)[2][b]"
-                              }
-                            ],
-                            "prose": "specific role-based information system security training;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "at-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AT-4(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "at-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period to retain individual training records; and"
-                      },
-                      {
-                        "id": "at-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AT-4(b)[2]"
-                          }
-                        ],
-                        "prose": "retains individual training records for the organization-defined time\n                     period."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security awareness and training policy\\n\\nprocedures addressing security training records\\n\\nsecurity awareness and training records\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security training record retention\n                  responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting management of security training records"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "au",
-        "class": "family",
-        "title": "Audit and Accountability",
-        "controls": [
-          {
-            "id": "au-1",
-            "class": "SP800-53",
-            "title": "Audit and Accountability Policy and Procedures",
-            "parameters": [
-              {
-                "id": "au-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "au-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "au-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ au-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "au-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An audit and accountability policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "au-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the audit and accountability\n                     policy and associated audit and accountability controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "au-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Audit and accountability policy {{ au-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "au-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Audit and accountability procedures {{ au-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the AU\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "au-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an audit and accountability policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "au-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "au-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "AU-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "au-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the audit and accountability policy are\n                        to be disseminated;"
-                          },
-                          {
-                            "id": "au-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the audit and accountability policy to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        audit and accountability policy and associated audit and accountability\n                        controls;"
-                          },
-                          {
-                            "id": "au-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "au-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current audit and\n                        accountability policy;"
-                          },
-                          {
-                            "id": "au-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current audit and accountability policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current audit and\n                        accountability procedures; and"
-                          },
-                          {
-                            "id": "au-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current audit and accountability procedures in\n                        accordance with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-2",
-            "class": "SP800-53",
-            "title": "Audit Events",
-            "parameters": [
-              {
-                "id": "au-2_prm_1",
-                "label": "organization-defined auditable events",
-                "constraints": [
-                  {
-                    "detail": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"
-                  }
-                ]
-              },
-              {
-                "id": "au-2_prm_2",
-                "label": "organization-defined audited events (the subset of the auditable events defined\n               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each\n               identified event",
-                "constraints": [
-                  {
-                    "detail": "organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#672fd561-b92b-4713-b9cf-6c9d9456728b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-92"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines that the information system is capable of auditing the following\n                  events: {{ au-2_prm_1 }};"
-                  },
-                  {
-                    "id": "au-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"
-                  },
-                  {
-                    "id": "au-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents; and"
-                  },
-                  {
-                    "id": "au-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Determines that the following events are to be audited within the information\n                  system: {{ au-2_prm_2 }}."
-                  },
-                  {
-                    "id": "au-2_fr",
-                    "name": "item",
-                    "title": "AU-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-2_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-2_gdn",
-                "name": "guidance",
-                "prose": "An event is any observable occurrence in an organizational information system.\n               Organizations identify audit events as those events which are significant and\n               relevant to the security of information systems and the environments in which those\n               systems operate in order to meet specific and ongoing audit needs. Audit events can\n               include, for example, password changes, failed logons, or failed accesses related to\n               information systems, administrative privilege usage, PIV credential usage, or\n               third-party credential usage. In determining the set of auditable events,\n               organizations consider the auditing appropriate for each of the security controls to\n               be implemented. To balance auditing requirements with other information system needs,\n               this control also requires identifying that subset of auditable events that are\n               audited at a given point in time. For example, organizations may determine that\n               information systems must have the capability to log every file access both successful\n               and unsuccessful, but not activate that capability except for specific circumstances\n               due to the potential burden on system performance. Auditing requirements, including\n               the need for auditable events, may be referenced in other security controls and\n               control enhancements. Organizations also include auditable events that are required\n               by applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards. Audit records can be generated at various levels of abstraction, including\n               at the packet level as information traverses the network. Selecting the appropriate\n               level of abstraction is a critical aspect of an audit capability and can facilitate\n               the identification of root causes to problems. Organizations consider in the\n               definition of auditable events, the auditing necessary to cover related events such\n               as the steps in distributed, transaction-based processes (e.g., processes that are\n               distributed across multiple organizations) and actions that occur in service-oriented\n               architectures.",
-                "links": [
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "au-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the auditable events that the information system must be capable of\n                     auditing;"
-                      },
-                      {
-                        "id": "au-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(a)[2]"
-                          }
-                        ],
-                        "prose": "determines that the information system is capable of auditing\n                     organization-defined auditable events;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-2(b)"
-                      }
-                    ],
-                    "prose": "coordinates the security audit function with other organizational entities\n                  requiring audit-related information to enhance mutual support and to help guide\n                  the selection of auditable events;"
-                  },
-                  {
-                    "id": "au-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-2(c)"
-                      }
-                    ],
-                    "prose": "provides a rationale for why the auditable events are deemed to be adequate to\n                  support after-the-fact investigations of security incidents;"
-                  },
-                  {
-                    "id": "au-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines the subset of auditable events defined in AU-2a that are to be audited\n                     within the information system;"
-                      },
-                      {
-                        "id": "au-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[2]"
-                          }
-                        ],
-                        "prose": "determines that the subset of auditable events defined in AU-2a are to be\n                     audited within the information system; and"
-                      },
-                      {
-                        "id": "au-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(d)[3]"
-                          }
-                        ],
-                        "prose": "determines the frequency of (or situation requiring) auditing for each\n                     identified event."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\ninformation system auditable events\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system auditing"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Reviews and Updates",
-                "parameters": [
-                  {
-                    "id": "au-2.3_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "annually or whenever there is a change in the threat environment"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AU-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization reviews and updates the audited events {{ au-2.3_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "au-2.3_fr",
-                        "name": "item",
-                        "title": "AU-2 (3) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "au-2.3_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Over time, the events that organizations believe should be audited may change.\n                  Reviewing and updating the set of audited events periodically is necessary to\n                  ensure that the current set is still necessary and sufficient."
-                  },
-                  {
-                    "id": "au-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "au-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the audited events; and"
-                      },
-                      {
-                        "id": "au-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-2(3)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the auditable events with organization-defined\n                     frequency."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing auditable events\\n\\nsecurity plan\\n\\nlist of organization-defined auditable events\\n\\nauditable events review and update records\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting review and update of auditable events"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-3",
-            "class": "SP800-53",
-            "title": "Content of Audit Records",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-3_smt",
-                "name": "statement",
-                "prose": "The information system generates audit records containing information that\n               establishes what type of event occurred, when the event occurred, where the event\n               occurred, the source of the event, the outcome of the event, and the identity of any\n               individuals or subjects associated with the event."
-              },
-              {
-                "id": "au-3_gdn",
-                "name": "guidance",
-                "prose": "Audit record content that may be necessary to satisfy the requirement of this\n               control, includes, for example, time stamps, source and destination addresses,\n               user/process identifiers, event descriptions, success/fail indications, filenames\n               involved, and access control or flow control rules invoked. Event outcomes can\n               include indicators of event success or failure and event-specific results (e.g., the\n               security state of the information system after the event occurred).",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-8",
-                    "rel": "related",
-                    "text": "AU-8"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#si-11",
-                    "rel": "related",
-                    "text": "SI-11"
-                  }
-                ]
-              },
-              {
-                "id": "au-3_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system generates audit records containing information\n               that establishes: ",
-                "parts": [
-                  {
-                    "id": "au-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[1]"
-                      }
-                    ],
-                    "prose": "what type of event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[2]"
-                      }
-                    ],
-                    "prose": "when the event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[3]"
-                      }
-                    ],
-                    "prose": "where the event occurred;"
-                  },
-                  {
-                    "id": "au-3_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[4]"
-                      }
-                    ],
-                    "prose": "the source of the event;"
-                  },
-                  {
-                    "id": "au-3_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[5]"
-                      }
-                    ],
-                    "prose": "the outcome of the event; and"
-                  },
-                  {
-                    "id": "au-3_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-3[6]"
-                      }
-                    ],
-                    "prose": "the identity of any individuals or subjects associated with the event."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\ninformation system incident reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system auditing of auditable\n                  events"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Additional Audit Information",
-                "parameters": [
-                  {
-                    "id": "au-3.1_prm_1",
-                    "label": "organization-defined additional, more detailed information",
-                    "constraints": [
-                      {
-                        "detail": "session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-3.1_smt",
-                    "name": "statement",
-                    "prose": "The information system generates audit records containing the following additional\n                  information: {{ au-3.1_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "au-3.1_fr",
-                        "name": "item",
-                        "title": "AU-3 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "au-3.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO."
-                          },
-                          {
-                            "id": "au-3.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-3.1_gdn",
-                    "name": "guidance",
-                    "prose": "Detailed information that organizations may consider in audit records includes,\n                  for example, full text recording of privileged commands or the individual\n                  identities of group account users. Organizations consider limiting the additional\n                  audit information to only that information explicitly needed for specific audit\n                  requirements. This facilitates the use of audit trails and audit logs by not\n                  including information that could potentially be misleading or could make it more\n                  difficult to locate information of interest."
-                  },
-                  {
-                    "id": "au-3.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-3.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-3(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines additional, more detailed information to be contained\n                     in audit records that the information system generates; and"
-                      },
-                      {
-                        "id": "au-3.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-3(1)[2]"
-                          }
-                        ],
-                        "prose": "the information system generates audit records containing the\n                     organization-defined additional, more detailed information."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing content of audit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of organization-defined auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system audit capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-4",
-            "class": "SP800-53",
-            "title": "Audit Storage Capacity",
-            "parameters": [
-              {
-                "id": "au-4_prm_1",
-                "label": "organization-defined audit record storage requirements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-4_smt",
-                "name": "statement",
-                "prose": "The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}."
-              },
-              {
-                "id": "au-4_gdn",
-                "name": "guidance",
-                "prose": "Organizations consider the types of auditing to be performed and the audit processing\n               requirements when allocating audit storage capacity. Allocating sufficient audit\n               storage capacity reduces the likelihood of such capacity being exceeded and resulting\n               in the potential loss or reduction of auditing capability.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-11",
-                    "rel": "related",
-                    "text": "AU-11"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "au-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-4_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-4[1]"
-                      }
-                    ],
-                    "prose": "defines audit record storage requirements; and"
-                  },
-                  {
-                    "id": "au-4_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-4[2]"
-                      }
-                    ],
-                    "prose": "allocates audit record storage capacity in accordance with the\n                  organization-defined audit record storage requirements."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit storage capacity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit record storage requirements\\n\\naudit record storage capability for information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit record storage capacity and related configuration settings"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-5",
-            "class": "SP800-53",
-            "title": "Response to Audit Processing Failures",
-            "parameters": [
-              {
-                "id": "au-5_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "au-5_prm_2",
-                "label": "organization-defined actions to be taken (e.g., shut down information system,\n               overwrite oldest audit records, stop generating audit records)",
-                "constraints": [
-                  {
-                    "detail": "organization-defined actions to be taken (overwrite oldest record)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-5_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Alerts {{ au-5_prm_1 }} in the event of an audit processing\n                  failure; and"
-                  },
-                  {
-                    "id": "au-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Takes the following additional actions: {{ au-5_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-5_gdn",
-                "name": "guidance",
-                "prose": "Audit processing failures include, for example, software/hardware errors, failures in\n               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n               Organizations may choose to define additional actions for different audit processing\n               failures (e.g., by type, by location, by severity, or a combination of such factors).\n               This control applies to each audit data storage repository (i.e., distinct\n               information system component where audit records are stored), the total audit storage\n               capacity of organizations (i.e., all audit data storage repositories combined), or\n               both.",
-                "links": [
-                  {
-                    "href": "#au-4",
-                    "rel": "related",
-                    "text": "AU-4"
-                  },
-                  {
-                    "href": "#si-12",
-                    "rel": "related",
-                    "text": "SI-12"
-                  }
-                ]
-              },
-              {
-                "id": "au-5_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the personnel or roles to be alerted in the event of\n                     an audit processing failure;"
-                      },
-                      {
-                        "id": "au-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system alerts the organization-defined personnel or roles in\n                     the event of an audit processing failure;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines additional actions to be taken (e.g., shutdown\n                     information system, overwrite oldest audit records, stop generating audit\n                     records) in the event of an audit processing failure; and"
-                      },
-                      {
-                        "id": "au-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-5(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system takes the additional organization-defined actions in the\n                     event of an audit processing failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing response to audit processing failures\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of personnel to be notified in case of an audit processing failure\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing information system response to audit processing\n                  failures"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-6",
-            "class": "SP800-53",
-            "title": "Audit Review, Analysis, and Reporting",
-            "parameters": [
-              {
-                "id": "au-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least weekly"
-                  }
-                ]
-              },
-              {
-                "id": "au-6_prm_2",
-                "label": "organization-defined inappropriate or unusual activity"
-              },
-              {
-                "id": "au-6_prm_3",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "au-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};\n                  and"
-                  },
-                  {
-                    "id": "au-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reports findings to {{ au-6_prm_3 }}."
-                  },
-                  {
-                    "id": "au-6_fr",
-                    "name": "item",
-                    "title": "AU-6 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6_gdn",
-                "name": "guidance",
-                "prose": "Audit review, analysis, and reporting covers information security-related auditing\n               performed by organizations including, for example, auditing that results from\n               monitoring of account usage, remote access, wireless connectivity, mobile device\n               connection, configuration settings, system component inventory, use of maintenance\n               tools and nonlocal maintenance, physical access, temperature and humidity, equipment\n               delivery and removal, communications at the information system boundaries, use of\n               mobile code, and use of VoIP. Findings can be reported to organizational entities\n               that include, for example, incident response team, help desk, information security\n               group/department. If organizations are prohibited from reviewing and analyzing audit\n               information or unable to conduct such activities (e.g., in certain national security\n               applications or systems), the review/analysis may be carried out by other\n               organizations granted such authority.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-16",
-                    "rel": "related",
-                    "text": "AU-16"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-10",
-                    "rel": "related",
-                    "text": "CM-10"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ir-5",
-                    "rel": "related",
-                    "text": "IR-5"
-                  },
-                  {
-                    "href": "#ir-6",
-                    "rel": "related",
-                    "text": "IR-6"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#pe-14",
-                    "rel": "related",
-                    "text": "PE-14"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-18",
-                    "rel": "related",
-                    "text": "SC-18"
-                  },
-                  {
-                    "href": "#sc-19",
-                    "rel": "related",
-                    "text": "SC-19"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "au-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the types of inappropriate or unusual activity to look for when\n                     information system audit records are reviewed and analyzed;"
-                      },
-                      {
-                        "id": "au-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and analyze information system audit records\n                     for indications of organization-defined inappropriate or unusual activity;"
-                      },
-                      {
-                        "id": "au-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(a)[3]"
-                          }
-                        ],
-                        "prose": "reviews and analyzes information system audit records for indications of\n                     organization-defined inappropriate or unusual activity with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom findings resulting from reviews and analysis\n                     of information system audit records are to be reported; and"
-                      },
-                      {
-                        "id": "au-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reports findings to organization-defined personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nreports of audit findings\\n\\nrecords of actions taken in response to reviews/analyses of audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit review, analysis, and reporting\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Process Integration",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to integrate audit review, analysis,\n                  and reporting processes to support organizational processes for investigation and\n                  response to suspicious activities."
-                  },
-                  {
-                    "id": "au-6.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational processes benefiting from integrated audit review, analysis, and\n                  reporting include, for example, incident response, continuous monitoring,\n                  contingency planning, and Inspector General audits.",
-                    "links": [
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      },
-                      {
-                        "href": "#pm-7",
-                        "rel": "related",
-                        "text": "PM-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "au-6.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(1)[1]"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to integrate:",
-                        "parts": [
-                          {
-                            "id": "au-6.1_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[1][a]"
-                              }
-                            ],
-                            "prose": "audit review;"
-                          },
-                          {
-                            "id": "au-6.1_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[1][b]"
-                              }
-                            ],
-                            "prose": "analysis;"
-                          },
-                          {
-                            "id": "au-6.1_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[1][c]"
-                              }
-                            ],
-                            "prose": "reporting processes;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-6.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-6(1)[2]"
-                          }
-                        ],
-                        "prose": "uses integrated audit review, analysis and reporting processes to support\n                     organizational processes for:",
-                        "parts": [
-                          {
-                            "id": "au-6.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[2][a]"
-                              }
-                            ],
-                            "prose": "investigation of suspicious activities; and"
-                          },
-                          {
-                            "id": "au-6.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "AU-6(1)[2][b]"
-                              }
-                            ],
-                            "prose": "response to suspicious activities."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\nprocedures addressing investigation and response to suspicious activities\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms integrating audit review, analysis, and reporting\n                     processes"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-6.3",
-                "class": "SP800-53-enhancement",
-                "title": "Correlate Audit Repositories",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-6(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-06.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-6.3_smt",
-                    "name": "statement",
-                    "prose": "The organization analyzes and correlates audit records across different\n                  repositories to gain organization-wide situational awareness."
-                  },
-                  {
-                    "id": "au-6.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organization-wide situational awareness includes awareness across all three tiers\n                  of risk management (i.e., organizational, mission/business process, and\n                  information system) and supports cross-organization awareness.",
-                    "links": [
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      },
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-6.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization analyzes and correlates audit records across\n                  different repositories to gain organization-wide situational awareness. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit review, analysis, and reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records across different repositories\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit review, analysis, and reporting\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting analysis and correlation of audit records"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-7",
-            "class": "SP800-53",
-            "title": "Audit Reduction and Report Generation",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-07"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-7_smt",
-                "name": "statement",
-                "prose": "The information system provides an audit reduction and report generation capability\n               that:",
-                "parts": [
-                  {
-                    "id": "au-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Supports on-demand audit review, analysis, and reporting requirements and\n                  after-the-fact investigations of security incidents; and"
-                  },
-                  {
-                    "id": "au-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Does not alter the original content or time ordering of audit records."
-                  }
-                ]
-              },
-              {
-                "id": "au-7_gdn",
-                "name": "guidance",
-                "prose": "Audit reduction is a process that manipulates collected audit information and\n               organizes such information in a summary format that is more meaningful to analysts.\n               Audit reduction and report generation capabilities do not always emanate from the\n               same information system or from the same organizational entities conducting auditing\n               activities. Audit reduction capability can include, for example, modern data mining\n               techniques with advanced data filters to identify anomalous behavior in audit\n               records. The report generation capability provided by the information system can\n               generate customizable reports. Time ordering of audit records can be a significant\n               issue if the granularity of the timestamp in the record is insufficient.",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-7_obj",
-                "name": "objective",
-                "prose": "Determine if the information system provides an audit reduction and report generation\n               capability that supports:",
-                "parts": [
-                  {
-                    "id": "au-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-7(a)[1]"
-                          }
-                        ],
-                        "prose": "on-demand audit review;"
-                      },
-                      {
-                        "id": "au-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-7(a)[2]"
-                          }
-                        ],
-                        "prose": "analysis;"
-                      },
-                      {
-                        "id": "au-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-7(a)[3]"
-                          }
-                        ],
-                        "prose": "reporting requirements;"
-                      },
-                      {
-                        "id": "au-7.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-7(a)[4]"
-                          }
-                        ],
-                        "prose": "after-the-fact investigations of security incidents; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-7(b)"
-                      }
-                    ],
-                    "prose": "does not alter the original content or time ordering of audit records."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit reduction and report generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit reduction, review, analysis, and reporting tools\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit reduction and report generation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit reduction and report generation capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automatic Processing",
-                "parameters": [
-                  {
-                    "id": "au-7.1_prm_1",
-                    "label": "organization-defined audit fields within audit records"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-7.1_smt",
-                    "name": "statement",
-                    "prose": "The information system provides the capability to process audit records for events\n                  of interest based on {{ au-7.1_prm_1 }}."
-                  },
-                  {
-                    "id": "au-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Events of interest can be identified by the content of specific audit record\n                  fields including, for example, identities of individuals, event types, event\n                  locations, event times, event dates, system resources involved, IP addresses\n                  involved, or information objects accessed. Organizations may define audit event\n                  criteria to any degree of granularity required, for example, locations selectable\n                  by general networking location (e.g., by network or subnetwork) or selectable by\n                  specific information system component.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-7.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-7.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-7(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines audit fields within audit records in order to process\n                     audit records for events of interest; and"
-                      },
-                      {
-                        "id": "au-7.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-7(1)[2]"
-                          }
-                        ],
-                        "prose": "the information system provides the capability to process audit records for\n                     events of interest based on the organization-defined audit fields within audit\n                     records."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing audit reduction and report generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit reduction, review, analysis, and reporting tools\\n\\naudit record criteria (fields) establishing events of interest\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit reduction and report generation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit reduction and report generation capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-8",
-            "class": "SP800-53",
-            "title": "Time Stamps",
-            "parameters": [
-              {
-                "id": "au-8_prm_1",
-                "label": "organization-defined granularity of time measurement"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-8_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Uses internal system clocks to generate time stamps for audit records; and"
-                  },
-                  {
-                    "id": "au-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Records time stamps for audit records that can be mapped to Coordinated Universal\n                  Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "au-8_gdn",
-                "name": "guidance",
-                "prose": "Time stamps generated by the information system include date and time. Time is\n               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of\n               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time\n               measurements refers to the degree of synchronization between information system\n               clocks and reference clocks, for example, clocks synchronizing within hundreds of\n               milliseconds or within tens of milliseconds. Organizations may define different time\n               granularities for different system components. Time service can also be critical to\n               other security capabilities such as access control and identification and\n               authentication, depending on the nature of the mechanisms used to support those\n               capabilities.",
-                "links": [
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  }
-                ]
-              },
-              {
-                "id": "au-8_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-8(a)"
-                      }
-                    ],
-                    "prose": "the information system uses internal system clocks to generate time stamps for\n                  audit records;"
-                  },
-                  {
-                    "id": "au-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[1]"
-                          }
-                        ],
-                        "prose": "the information system records time stamps for audit records that can be mapped\n                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"
-                      },
-                      {
-                        "id": "au-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines the granularity of time measurement to be met when\n                     recording time stamps for audit records; and"
-                      },
-                      {
-                        "id": "au-8.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-8(b)[3]"
-                          }
-                        ],
-                        "prose": "the organization records time stamps for audit records that meet the\n                     organization-defined granularity of time measurement."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing time stamp generation"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Synchronization with Authoritative Time Source",
-                "parameters": [
-                  {
-                    "id": "au-8.1_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "At least hourly"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-8.1_prm_2",
-                    "label": "organization-defined authoritative time source",
-                    "constraints": [
-                      {
-                        "detail": "http://tf.nist.gov/tf-cgi/servers.cgi"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-8.1_prm_3",
-                    "label": "organization-defined time period"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AU-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-8.1_smt",
-                    "name": "statement",
-                    "prose": "The information system:",
-                    "parts": [
-                      {
-                        "id": "au-8.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Compares the internal information system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "au-8.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Synchronizes the internal system clocks to the authoritative time source when\n                     the time difference is greater than {{ au-8.1_prm_3 }}."
-                      },
-                      {
-                        "id": "au-8.1_fr",
-                        "name": "item",
-                        "title": "AU-8 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "au-8.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server."
-                          },
-                          {
-                            "id": "au-8.1_fr_smt.2",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server."
-                          },
-                          {
-                            "id": "au-8.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Synchronization of system clocks improves the accuracy of log analysis."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement provides uniformity of time stamps for information\n                  systems with multiple system clocks and systems connected over a network."
-                  },
-                  {
-                    "id": "au-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "au-8.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-8(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-8.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the authoritative time source to which internal\n                        information system clocks are to be compared;"
-                          },
-                          {
-                            "id": "au-8.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to compare the internal information\n                        system clocks with the organization-defined authoritative time source;\n                        and"
-                          },
-                          {
-                            "id": "au-8.1.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(a)[3]"
-                              }
-                            ],
-                            "prose": "the information system compares the internal information system clocks with\n                        the organization-defined authoritative time source with organization-defined\n                        frequency; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#au-8.1_smt.a",
-                            "rel": "corresp",
-                            "text": "AU-8(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "au-8.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-8(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "au-8.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the time period that, if exceeded by the time\n                        difference between the internal system clocks and the authoritative time\n                        source, will result in the internal system clocks being synchronized to the\n                        authoritative time source; and"
-                          },
-                          {
-                            "id": "au-8.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "AU-8(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "the information system synchronizes the internal information system clocks\n                        to the authoritative time source when the time difference is greater than\n                        the organization-defined time period."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#au-8.1_smt.b",
-                            "rel": "corresp",
-                            "text": "AU-8(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing time stamp generation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing internal information system clock\n                     synchronization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-9",
-            "class": "SP800-53",
-            "title": "Protection of Audit Information",
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-9_smt",
-                "name": "statement",
-                "prose": "The information system protects audit information and audit tools from unauthorized\n               access, modification, and deletion."
-              },
-              {
-                "id": "au-9_gdn",
-                "name": "guidance",
-                "prose": "Audit information includes all information (e.g., audit records, audit settings, and\n               audit reports) needed to successfully audit information system activity. This control\n               focuses on technical protection of audit information. Physical protection of audit\n               information is addressed by media protection controls and physical and environmental\n               protection controls.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-9_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "au-9_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-9[1]"
-                      }
-                    ],
-                    "prose": "the information system protects audit information from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "au-9_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][a]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "au-9_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][b]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      },
-                      {
-                        "id": "au-9_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[1][c]"
-                          }
-                        ],
-                        "prose": "deletion;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-9[2]"
-                      }
-                    ],
-                    "prose": "the information system protects audit tools from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "au-9_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][a]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "au-9_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][b]"
-                          }
-                        ],
-                        "prose": "modification; and"
-                      },
-                      {
-                        "id": "au-9_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-9[2][c]"
-                          }
-                        ],
-                        "prose": "deletion."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                  information system audit records\\n\\naudit tools\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing audit information protection"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "au-9.2",
-                "class": "SP800-53-enhancement",
-                "title": "Audit Backup On Separate Physical Systems / Components",
-                "parameters": [
-                  {
-                    "id": "au-9.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least weekly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "AU-9(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-09.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-9.2_smt",
-                    "name": "statement",
-                    "prose": "The information system backs up audit records {{ au-9.2_prm_1 }}\n                  onto a physically different system or system component than the system or\n                  component being audited."
-                  },
-                  {
-                    "id": "au-9.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement helps to ensure that a compromise of the information\n                  system being audited does not also result in a compromise of the audit\n                  records.",
-                    "links": [
-                      {
-                        "href": "#au-4",
-                        "rel": "related",
-                        "text": "AU-4"
-                      },
-                      {
-                        "href": "#au-5",
-                        "rel": "related",
-                        "text": "AU-5"
-                      },
-                      {
-                        "href": "#au-11",
-                        "rel": "related",
-                        "text": "AU-11"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "au-9.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the frequency to back up audit records onto a\n                     physically different system or system component than the system or component\n                     being audited; and"
-                      },
-                      {
-                        "id": "au-9.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(2)[2]"
-                          }
-                        ],
-                        "prose": "the information system backs up audit records with the organization-defined\n                     frequency, onto a physically different system or system component than the\n                     system or component being audited."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation, system\n                     or media storing backups of information system audit records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing the backing up of audit records"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-9.4",
-                "class": "SP800-53-enhancement",
-                "title": "Access by Subset of Privileged Users",
-                "parameters": [
-                  {
-                    "id": "au-9.4_prm_1",
-                    "label": "organization-defined subset of privileged users"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "AU-9(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "au-09.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "au-9.4_smt",
-                    "name": "statement",
-                    "prose": "The organization authorizes access to management of audit functionality to only\n                     {{ au-9.4_prm_1 }}."
-                  },
-                  {
-                    "id": "au-9.4_gdn",
-                    "name": "guidance",
-                    "prose": "Individuals with privileged access to an information system and who are also the\n                  subject of an audit by that system, may affect the reliability of audit\n                  information by inhibiting audit activities or modifying audit records. This\n                  control enhancement requires that privileged access be further defined between\n                  audit-related privileges and other privileges, thus limiting the users with\n                  audit-related privileges.",
-                    "links": [
-                      {
-                        "href": "#ac-5",
-                        "rel": "related",
-                        "text": "AC-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-9.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "au-9.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(4)[1]"
-                          }
-                        ],
-                        "prose": "defines a subset of privileged users to be authorized access to management of\n                     audit functionality; and"
-                      },
-                      {
-                        "id": "au-9.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-9(4)[2]"
-                          }
-                        ],
-                        "prose": "authorizes access to management of audit functionality to only the\n                     organization-defined subset of privileged users."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Audit and accountability policy\\n\\naccess control policy and procedures\\n\\nprocedures addressing protection of audit information\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation,\n                     system-generated list of privileged users with access to management of audit\n                     functionality\\n\\naccess authorizations\\n\\naccess control list\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with audit and accountability responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms managing access to audit functionality"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-11",
-            "class": "SP800-53",
-            "title": "Audit Record Retention",
-            "parameters": [
-              {
-                "id": "au-11_prm_1",
-                "label": "organization-defined time period consistent with records retention policy",
-                "constraints": [
-                  {
-                    "detail": "at least ninety days"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "AU-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-11_smt",
-                "name": "statement",
-                "prose": "The organization retains audit records for {{ au-11_prm_1 }} to\n               provide support for after-the-fact investigations of security incidents and to meet\n               regulatory and organizational information retention requirements.",
-                "parts": [
-                  {
-                    "id": "au-11_fr",
-                    "name": "item",
-                    "title": "AU-11 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "au-11_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "au-11_gdn",
-                "name": "guidance",
-                "prose": "Organizations retain audit records until it is determined that they are no longer\n               needed for administrative, legal, audit, or other operational purposes. This\n               includes, for example, retention and availability of audit records relative to\n               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.\n               Organizations develop standard categories of audit records relative to such types of\n               actions and standard response processes for each type of action. The National\n               Archives and Records Administration (NARA) General Records Schedules provide federal\n               policy on record retention.",
-                "links": [
-                  {
-                    "href": "#au-4",
-                    "rel": "related",
-                    "text": "AU-4"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  }
-                ]
-              },
-              {
-                "id": "au-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "au-11_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-11[1]"
-                      }
-                    ],
-                    "prose": "defines a time period to retain audit records that is consistent with records\n                  retention policy;"
-                  },
-                  {
-                    "id": "au-11_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-11[2]"
-                      }
-                    ],
-                    "prose": "retains audit records for the organization-defined time period consistent with\n                  records retention policy to:",
-                    "parts": [
-                      {
-                        "id": "au-11_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-11[2][a]"
-                          }
-                        ],
-                        "prose": "provide support for after-the-fact investigations of security incidents;\n                     and"
-                      },
-                      {
-                        "id": "au-11_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "AU-11[2][b]"
-                          }
-                        ],
-                        "prose": "meet regulatory and organizational information retention requirements."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\naudit record retention policy and procedures\\n\\nsecurity plan\\n\\norganization-defined retention period for audit records\\n\\naudit record archives\\n\\naudit logs\\n\\naudit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit record retention responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "au-12",
-            "class": "SP800-53",
-            "title": "Audit Generation",
-            "parameters": [
-              {
-                "id": "au-12_prm_1",
-                "label": "organization-defined information system components",
-                "constraints": [
-                  {
-                    "detail": "all information system and network components where audit capability is deployed/available"
-                  }
-                ]
-              },
-              {
-                "id": "au-12_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "AU-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "au-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "au-12_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "au-12_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides audit record generation capability for the auditable events defined in\n                  AU-2 a. at {{ au-12_prm_1 }};"
-                  },
-                  {
-                    "id": "au-12_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Allows {{ au-12_prm_2 }} to select which auditable events are to be\n                  audited by specific components of the information system; and"
-                  },
-                  {
-                    "id": "au-12_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Generates audit records for the events defined in AU-2 d. with the content defined\n                  in AU-3."
-                  }
-                ]
-              },
-              {
-                "id": "au-12_gdn",
-                "name": "guidance",
-                "prose": "Audit records can be generated from many different information system components. The\n               list of audited events is the set of events for which audits are to be generated.\n               These events are typically a subset of all events for which the information system is\n               capable of generating audit records.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  }
-                ]
-              },
-              {
-                "id": "au-12_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "au-12.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-12.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the information system components which are to provide\n                     audit record generation capability for the auditable events defined in\n                     AU-2a;"
-                      },
-                      {
-                        "id": "au-12.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system provides audit record generation capability, for the\n                     auditable events defined in AU-2a, at organization-defined information system\n                     components;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "AU-12(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "au-12.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines the personnel or roles allowed to select which\n                     auditable events are to be audited by specific components of the information\n                     system;"
-                      },
-                      {
-                        "id": "au-12.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "AU-12(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system allows the organization-defined personnel or roles to\n                     select which auditable events are to be audited by specific components of the\n                     system; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "au-12.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "AU-12(c)"
-                      }
-                    ],
-                    "prose": "the information system generates audit records for the events defined in AU-2d\n                  with the content in defined in AU-3."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Audit and accountability policy\\n\\nprocedures addressing audit record generation\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of auditable events\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with audit record generation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing audit record generation capability"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ca",
-        "class": "family",
-        "title": "Security Assessment and Authorization",
-        "controls": [
-          {
-            "id": "ca-1",
-            "class": "SP800-53",
-            "title": "Security Assessment and Authorization Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ca-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ca-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ca-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ca-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security assessment and authorization policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "ca-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security assessment and\n                     authorization policy and associated security assessment and authorization\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ca-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security assessment and authorization policy {{ ca-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "ca-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security assessment and authorization procedures {{ ca-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ca-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a security assessment and authorization policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "ca-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ca-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ca-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the security assessment and authorization\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "ca-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the security assessment and authorization policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        security assessment and authorization policy and associated assessment and\n                        authorization controls;"
-                          },
-                          {
-                            "id": "ca-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ca-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security assessment\n                        and authorization policy;"
-                          },
-                          {
-                            "id": "ca-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security assessment and authorization policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current security assessment\n                        and authorization procedures; and"
-                          },
-                          {
-                            "id": "ca-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current security assessment and authorization\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment and authorization\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-2",
-            "class": "SP800-53",
-            "title": "Security Assessments",
-            "parameters": [
-              {
-                "id": "ca-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_prm_2",
-                "label": "organization-defined individuals or roles",
-                "constraints": [
-                  {
-                    "detail": "individuals or roles to include FedRAMP PMO"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a security assessment plan that describes the scope of the assessment\n                  including:",
-                    "parts": [
-                      {
-                        "id": "ca-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security controls and control enhancements under assessment;"
-                      },
-                      {
-                        "id": "ca-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Assessment procedures to be used to determine security control effectiveness;\n                     and"
-                      },
-                      {
-                        "id": "ca-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Assessment environment, assessment team, and assessment roles and\n                     responsibilities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assesses the security controls in the information system and its environment of\n                  operation {{ ca-2_prm_1 }} to determine the extent to which the\n                  controls are implemented correctly, operating as intended, and producing the\n                  desired outcome with respect to meeting established security requirements;"
-                  },
-                  {
-                    "id": "ca-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Produces a security assessment report that documents the results of the\n                  assessment; and"
-                  },
-                  {
-                    "id": "ca-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Provides the results of the security control assessment to {{ ca-2_prm_2 }}."
-                  },
-                  {
-                    "id": "ca-2_fr",
-                    "name": "item",
-                    "title": "CA-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-2_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations assess security controls in organizational information systems and the\n               environments in which those systems operate as part of: (i) initial and ongoing\n               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;\n               and (iv) system development life cycle activities. Security assessments: (i) ensure\n               that information security is built into organizational information systems; (ii)\n               identify weaknesses and deficiencies early in the development process; (iii) provide\n               essential information needed to make risk-based decisions as part of security\n               authorization processes; and (iv) ensure compliance to vulnerability mitigation\n               procedures. Assessments are conducted on the implemented security controls from\n               Appendix F (main catalog) and Appendix G (Program Management controls) as documented\n               in System Security Plans and Information Security Program Plans. Organizations can\n               use other types of assessment activities such as vulnerability scanning and system\n               monitoring to maintain the security posture of information systems during the entire\n               life cycle. Security assessment reports document assessment results in sufficient\n               detail as deemed necessary by organizations, to determine the accuracy and\n               completeness of the reports and whether the security controls are implemented\n               correctly, operating as intended, and producing the desired outcome with respect to\n               meeting security requirements. The FISMA requirement for assessing security controls\n               at least annually does not require additional assessment activities to those\n               activities already in place in organizational security authorization processes.\n               Security assessment results are provided to the individuals or roles appropriate for\n               the types of assessments being conducted. For example, assessments conducted in\n               support of security authorization decisions are provided to authorizing officials or\n               authorizing official designated representatives. To satisfy annual assessment\n               requirements, organizations can use assessment results from the following sources:\n               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;\n               or (iii) system development life cycle activities. Organizations ensure that security\n               assessment results are current, relevant to the determination of security control\n               effectiveness, and obtained with the appropriate level of assessor independence.\n               Existing security control assessment results can be reused to the extent that the\n               results are still valid and can also be supplemented with additional assessments as\n               needed. Subsequent to initial authorizations and in accordance with OMB policy,\n               organizations assess security controls during continuous monitoring. Organizations\n               establish the frequency for ongoing security control assessments in accordance with\n               organizational continuous monitoring strategies. Information Assurance Vulnerability\n               Alerts provide useful examples of vulnerability mitigation procedures. External\n               audits (e.g., audits by external entities such as regulatory agencies) are outside\n               the scope of this control.",
-                "links": [
-                  {
-                    "href": "#ca-5",
-                    "rel": "related",
-                    "text": "CA-5"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-2(a)"
-                      }
-                    ],
-                    "prose": "develops a security assessment plan that describes the scope of the assessment\n                  including:",
-                    "parts": [
-                      {
-                        "id": "ca-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(1)"
-                          }
-                        ],
-                        "prose": "security controls and control enhancements under assessment;"
-                      },
-                      {
-                        "id": "ca-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(2)"
-                          }
-                        ],
-                        "prose": "assessment procedures to be used to determine security control\n                     effectiveness;"
-                      },
-                      {
-                        "id": "ca-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-2(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ca-2.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "assessment environment;"
-                          },
-                          {
-                            "id": "ca-2.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "assessment team;"
-                          },
-                          {
-                            "id": "ca-2.a.3_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(a)(3)[3]"
-                              }
-                            ],
-                            "prose": "assessment roles and responsibilities;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to assess the security controls in the information system\n                     and its environment of operation;"
-                      },
-                      {
-                        "id": "ca-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "assesses the security controls in the information system with the\n                     organization-defined frequency to determine the extent to which the controls\n                     are implemented correctly, operating as intended, and producing the desired\n                     outcome with respect to meeting established security requirements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-2(c)"
-                      }
-                    ],
-                    "prose": "produces a security assessment report that documents the results of the\n                  assessment;"
-                  },
-                  {
-                    "id": "ca-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines individuals or roles to whom the results of the security control\n                     assessment are to be provided; and"
-                      },
-                      {
-                        "id": "ca-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(d)[2]"
-                          }
-                        ],
-                        "prose": "provides the results of the security control assessment to organization-defined\n                     individuals or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessment planning\\n\\nprocedures addressing security assessments\\n\\nsecurity assessment plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting security assessment, security assessment plan\n                  development, and/or security assessment reporting"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Independent Assessors",
-                "parameters": [
-                  {
-                    "id": "ca-2.1_prm_1",
-                    "label": "organization-defined level of independence"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.",
-                    "parts": [
-                      {
-                        "id": "ca-2.1_fr",
-                        "name": "item",
-                        "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-2.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "Independent assessors or assessment teams are individuals or groups who conduct\n                  impartial assessments of organizational information systems. Impartiality implies\n                  that assessors are free from any perceived or actual conflicts of interest with\n                  regard to the development, operation, or management of the organizational\n                  information systems under assessment or to the determination of security control\n                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual\n                  or conflicting interest with the organizations where the assessments are being\n                  conducted; (ii) assess their own work; (iii) act as management or employees of the\n                  organizations they are serving; or (iv) place themselves in positions of advocacy\n                  for the organizations acquiring their services. Independent assessments can be\n                  obtained from elements within organizations or can be contracted to public or\n                  private sector entities outside of organizations. Authorizing officials determine\n                  the required level of independence based on the security categories of information\n                  systems and/or the ultimate risk to organizational operations, organizational\n                  assets, or individuals. Authorizing officials also determine if the level of\n                  assessor independence provides sufficient assurance that the results are sound and\n                  can be used to make credible, risk-based decisions. This includes determining\n                  whether contracted security assessment services have sufficient independence, for\n                  example, when information system owners are not directly involved in contracting\n                  processes or cannot unduly influence the impartiality of assessors conducting\n                  assessments. In special situations, for example, when organizations that own the\n                  information systems are small or organizational structures require that\n                  assessments are conducted by individuals that are in the developmental,\n                  operational, or management chain of system owners, independence in assessment\n                  processes can be achieved by ensuring that assessment results are carefully\n                  reviewed and analyzed by independent teams of experts to validate the\n                  completeness, accuracy, integrity, and reliability of the results. Organizations\n                  recognize that assessments performed for purposes other than direct support to\n                  authorization decisions are, when performed by assessors with sufficient\n                  independence, more likely to be useable for such decisions, thereby reducing the\n                  need to repeat assessments."
-                  },
-                  {
-                    "id": "ca-2.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-2.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(1)[1]"
-                          }
-                        ],
-                        "prose": "defines the level of independence to be employed to conduct security control\n                     assessments; and"
-                      },
-                      {
-                        "id": "ca-2.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(1)[2]"
-                          }
-                        ],
-                        "prose": "employs assessors or assessment teams with the organization-defined level of\n                     independence to conduct security control assessments."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity authorization package (including security plan, security assessment\n                     plan, security assessment report, plan of action and milestones, authorization\n                     statement)\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Specialized Assessments",
-                "parameters": [
-                  {
-                    "id": "ca-2.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least annually"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.2_prm_2"
-                  },
-                  {
-                    "id": "ca-2.2_prm_3"
-                  },
-                  {
-                    "id": "ca-2.2_prm_4",
-                    "depends-on": "ca-2.2_prm_3",
-                    "label": "organization-defined other forms of security assessment"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CA-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization includes as part of security control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}.",
-                    "parts": [
-                      {
-                        "id": "ca-2.2_fr",
-                        "name": "item",
-                        "title": "CA-2 (2) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-2.2_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "To include 'announced', 'vulnerability scanning'"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can employ information system monitoring, insider threat\n                  assessments, malicious user testing, and other forms of testing (e.g.,\n                  verification and validation) to improve readiness by exercising organizational\n                  capabilities and indicating current performance levels as a means of focusing\n                  actions to improve security. Organizations conduct assessment activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  regulations, and standards. Authorizing officials approve the assessment methods\n                  in coordination with the organizational risk executive function. Organizations can\n                  incorporate vulnerabilities uncovered during assessments into vulnerability\n                  remediation processes.",
-                    "links": [
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#si-2",
-                        "rel": "related",
-                        "text": "SI-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(2)[1]"
-                          }
-                        ],
-                        "prose": "selects one or more of the following forms of specialized security assessment\n                     to be included as part of security control assessments:",
-                        "parts": [
-                          {
-                            "id": "ca-2.2_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][a]"
-                              }
-                            ],
-                            "prose": "in-depth monitoring;"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][b]"
-                              }
-                            ],
-                            "prose": "vulnerability scanning;"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][c]"
-                              }
-                            ],
-                            "prose": "malicious user testing;"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][d]"
-                              }
-                            ],
-                            "prose": "insider threat assessment;"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][e]"
-                              }
-                            ],
-                            "prose": "performance/load testing; and/or"
-                          },
-                          {
-                            "id": "ca-2.2_obj.1.f",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-2(2)[1][f]"
-                              }
-                            ],
-                            "prose": "other forms of organization-defined specialized security assessment;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ca-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(2)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency for conducting the selected form(s) of specialized\n                     security assessment;"
-                      },
-                      {
-                        "id": "ca-2.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(2)[3]"
-                          }
-                        ],
-                        "prose": "defines whether the specialized security assessment will be announced or\n                     unannounced; and"
-                      },
-                      {
-                        "id": "ca-2.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(2)[4]"
-                          }
-                        ],
-                        "prose": "conducts announced or unannounced organization-defined forms of specialized\n                     security assessments with the organization-defined frequency as part of\n                     security control assessments."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting security control assessment"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "External Organizations",
-                "parameters": [
-                  {
-                    "id": "ca-2.3_prm_1",
-                    "label": "organization-defined information system",
-                    "constraints": [
-                      {
-                        "detail": "any FedRAMP Accredited 3PAO"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.3_prm_2",
-                    "label": "organization-defined external organization",
-                    "constraints": [
-                      {
-                        "detail": "any FedRAMP Accredited 3PAO"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-2.3_prm_3",
-                    "label": "organization-defined requirements",
-                    "constraints": [
-                      {
-                        "detail": "the conditions of the JAB/AO in the FedRAMP Repository"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization accepts the results of an assessment of {{ ca-2.3_prm_1 }} performed by {{ ca-2.3_prm_2 }} when\n                  the assessment meets {{ ca-2.3_prm_3 }}."
-                  },
-                  {
-                    "id": "ca-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may often rely on assessments of specific information systems by\n                  other (external) organizations. Utilizing such existing assessments (i.e., reusing\n                  existing assessment evidence) can significantly decrease the time and resources\n                  required for organizational assessments by limiting the amount of independent\n                  assessment activities that organizations need to perform. The factors that\n                  organizations may consider in determining whether to accept assessment results\n                  from external organizations can vary. Determinations for accepting assessment\n                  results can be based on, for example, past assessment experiences one organization\n                  has had with another organization, the reputation that organizations have with\n                  regard to assessments, the level of detail of supporting assessment documentation\n                  provided, or mandates imposed upon organizations by federal legislation, policies,\n                  or directives."
-                  },
-                  {
-                    "id": "ca-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines an information system for which the results of a security assessment\n                     performed by an external organization are to be accepted;"
-                      },
-                      {
-                        "id": "ca-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(3)[2]"
-                          }
-                        ],
-                        "prose": "defines an external organization from which to accept a security assessment\n                     performed on an organization-defined information system;"
-                      },
-                      {
-                        "id": "ca-2.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(3)[3]"
-                          }
-                        ],
-                        "prose": "defines the requirements to be met by a security assessment performed by\n                     organization-defined external organization on organization-defined information\n                     system; and"
-                      },
-                      {
-                        "id": "ca-2.3_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-2(3)[4]"
-                          }
-                        ],
-                        "prose": "accepts the results of an assessment of an organization-defined information\n                     system performed by an organization-defined external organization when the\n                     assessment meets organization-defined requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security assessments\\n\\nsecurity plan\\n\\nsecurity assessment requirements\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel performing security assessments for the specified external\n                     organization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-3",
-            "class": "SP800-53",
-            "title": "System Interconnections",
-            "parameters": [
-              {
-                "id": "ca-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually and on input from FedRAMP"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#2711f068-734e-4afd-94ba-0b22247fbc88",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-47"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"
-                  },
-                  {
-                    "id": "ca-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents, for each interconnection, the interface characteristics, security\n                  requirements, and the nature of the information communicated; and"
-                  },
-                  {
-                    "id": "ca-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ca-3_gdn",
-                "name": "guidance",
-                "prose": "This control applies to dedicated connections between information systems (i.e.,\n               system interconnections) and does not apply to transitory, user-controlled\n               connections such as email and website browsing. Organizations carefully consider the\n               risks that may be introduced when information systems are connected to other systems\n               with different security requirements and security controls, both within organizations\n               and external to organizations. Authorizing officials determine the risk associated\n               with information system connections and the appropriate controls employed. If\n               interconnecting systems have the same authorizing official, organizations do not need\n               to develop Interconnection Security Agreements. Instead, organizations can describe\n               the interface characteristics between those interconnecting systems in their\n               respective security plans. If interconnecting systems have different authorizing\n               officials within the same organization, organizations can either develop\n               Interconnection Security Agreements or describe the interface characteristics between\n               systems in the security plans for the respective systems. Organizations may also\n               incorporate Interconnection Security Agreement information into formal contracts,\n               especially for interconnections established between federal agencies and nonfederal\n               (i.e., private sector) organizations. Risk considerations also include information\n               systems sharing the same networks. For certain technologies (e.g., space, unmanned\n               aerial vehicles, and medical devices), there may be specialized connections in place\n               during preoperational testing. Such connections may require Interconnection Security\n               Agreements and be subject to additional security controls.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#au-16",
-                    "rel": "related",
-                    "text": "AU-16"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-3(a)"
-                      }
-                    ],
-                    "prose": "authorizes connections from the information system to other information systems\n                  through the use of Interconnection Security Agreements;"
-                  },
-                  {
-                    "id": "ca-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-3(b)"
-                      }
-                    ],
-                    "prose": "documents, for each interconnection:",
-                    "parts": [
-                      {
-                        "id": "ca-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[1]"
-                          }
-                        ],
-                        "prose": "the interface characteristics;"
-                      },
-                      {
-                        "id": "ca-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[2]"
-                          }
-                        ],
-                        "prose": "the security requirements;"
-                      },
-                      {
-                        "id": "ca-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-3(b)[3]"
-                          }
-                        ],
-                        "prose": "the nature of the information communicated;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update Interconnection Security Agreements;\n                     and"
-                      },
-                      {
-                        "id": "ca-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates Interconnection Security Agreements with the\n                     organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system Interconnection Security Agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for developing, implementing, or\n                  approving information system interconnection agreements\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing the system(s) to which the Interconnection Security Agreement\n                  applies"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-3.3",
-                "class": "SP800-53-enhancement",
-                "title": "Unclassified Non-national Security System Connections",
-                "parameters": [
-                  {
-                    "id": "ca-3.3_prm_1",
-                    "label": "organization-defined unclassified, non-national security system"
-                  },
-                  {
-                    "id": "ca-3.3_prm_2",
-                    "label": "Assignment; organization-defined boundary protection device",
-                    "constraints": [
-                      {
-                        "detail": "Boundary Protections which meet the Trusted Internet Connection (TIC) requirements"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-3(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-03.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-3.3_smt",
-                    "name": "statement",
-                    "prose": "The organization prohibits the direct connection of an {{ ca-3.3_prm_1 }} to an external network without the use of {{ ca-3.3_prm_2 }}.",
-                    "parts": [
-                      {
-                        "id": "ca-3.3_fr",
-                        "name": "item",
-                        "title": "CA-3 (3) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-3.3_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations typically do not have control over external networks (e.g., the\n                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate\n                  communications (i.e., information flows) between unclassified non-national\n                  security systems and external networks. This control enhancement is required for\n                  organizations processing, storing, or transmitting Controlled Unclassified\n                  Information (CUI)."
-                  },
-                  {
-                    "id": "ca-3.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-3.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(3)[1]"
-                          }
-                        ],
-                        "prose": "defines an unclassified, non-national security system whose direct connection\n                     to an external network is to be prohibited without the use of approved boundary\n                     protection device;"
-                      },
-                      {
-                        "id": "ca-3.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(3)[2]"
-                          }
-                        ],
-                        "prose": "defines a boundary protection device to be used to establish the direct\n                     connection of an organization-defined unclassified, non-national security\n                     system to an external network; and"
-                      },
-                      {
-                        "id": "ca-3.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(3)[3]"
-                          }
-                        ],
-                        "prose": "prohibits the direct connection of an organization-defined unclassified,\n                     non-national security system to an external network without the use of an\n                     organization-defined boundary protection device."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system interconnection security agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for managing direct connections to\n                     external networks\\n\\nnetwork administrators\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel managing directly connected external networks"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting the management of external network\n                     connections"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-3.5",
-                "class": "SP800-53-enhancement",
-                "title": "Restrictions On External System Connections",
-                "parameters": [
-                  {
-                    "id": "ca-3.5_prm_1"
-                  },
-                  {
-                    "id": "ca-3.5_prm_2",
-                    "label": "organization-defined information systems"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CA-3(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-03.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-3.5_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ ca-3.5_prm_1 }} policy for allowing\n                     {{ ca-3.5_prm_2 }} to connect to external information\n                  systems.",
-                    "parts": [
-                      {
-                        "id": "ca-3.5_fr",
-                        "name": "item",
-                        "title": "CA-3 (5) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ca-3.5_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.5_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can constrain information system connectivity to external domains\n                  (e.g., websites) by employing one of two policies with regard to such\n                  connectivity: (i) allow-all, deny by exception, also known as blacklisting (the\n                  weaker of the two policies); or (ii) deny-all, allow by exception, also known as\n                  whitelisting (the stronger of the two policies). For either policy, organizations\n                  determine what exceptions, if any, are acceptable.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-3.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ca-3.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(5)[1]"
-                          }
-                        ],
-                        "prose": "defines information systems to be allowed to connect to external information\n                     systems;"
-                      },
-                      {
-                        "id": "ca-3.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-3(5)[2]"
-                          }
-                        ],
-                        "prose": "employs one of the following policies for allowing organization-defined\n                     information systems to connect to external information systems:",
-                        "parts": [
-                          {
-                            "id": "ca-3.5_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-3(5)[2][a]"
-                              }
-                            ],
-                            "prose": "allow-all policy;"
-                          },
-                          {
-                            "id": "ca-3.5_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-3(5)[2][b]"
-                              }
-                            ],
-                            "prose": "deny-by-exception policy;"
-                          },
-                          {
-                            "id": "ca-3.5_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-3(5)[2][c]"
-                              }
-                            ],
-                            "prose": "deny-all policy; or"
-                          },
-                          {
-                            "id": "ca-3.5_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-3(5)[2][d]"
-                              }
-                            ],
-                            "prose": "permit-by-exception policy."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\ninformation system interconnection agreements\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for managing connections to\n                     external information systems\\n\\nnetwork administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing restrictions on external system\n                     connections"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-5",
-            "class": "SP800-53",
-            "title": "Plan of Action and Milestones",
-            "parameters": [
-              {
-                "id": "ca-5_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#2c5884cd-7b96-425c-862a-99877e1cf909",
-                "rel": "reference",
-                "text": "OMB Memorandum 02-01"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a plan of action and milestones for the information system to document\n                  the organization’s planned remedial actions to correct weaknesses or deficiencies\n                  noted during the assessment of the security controls and to reduce or eliminate\n                  known vulnerabilities in the system; and"
-                  },
-                  {
-                    "id": "ca-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates existing plan of action and milestones {{ ca-5_prm_1 }}\n                  based on the findings from security controls assessments, security impact\n                  analyses, and continuous monitoring activities."
-                  },
-                  {
-                    "id": "ca-5_fr",
-                    "name": "item",
-                    "title": "CA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-5_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Plan of Action & Milestones (POA&M) must be provided at least monthly."
-                      },
-                      {
-                        "id": "ca-5_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-5_gdn",
-                "name": "guidance",
-                "prose": "Plans of action and milestones are key documents in security authorization packages\n               and are subject to federal reporting requirements established by OMB.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#pm-4",
-                    "rel": "related",
-                    "text": "PM-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-5(a)"
-                      }
-                    ],
-                    "prose": "develops a plan of action and milestones for the information system to:",
-                    "parts": [
-                      {
-                        "id": "ca-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "document the organization’s planned remedial actions to correct weaknesses or\n                     deficiencies noted during the assessment of the security controls;"
-                      },
-                      {
-                        "id": "ca-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "reduce or eliminate known vulnerabilities in the system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-5(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the existing plan of action and milestones;"
-                      },
-                      {
-                        "id": "ca-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-5(b)[2]"
-                          }
-                        ],
-                        "prose": "updates the existing plan of action and milestones with the\n                     organization-defined frequency based on the findings from:",
-                        "parts": [
-                          {
-                            "id": "ca-5.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][a]"
-                              }
-                            ],
-                            "prose": "security controls assessments;"
-                          },
-                          {
-                            "id": "ca-5.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][b]"
-                              }
-                            ],
-                            "prose": "security impact analyses; and"
-                          },
-                          {
-                            "id": "ca-5.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CA-5(b)[2][c]"
-                              }
-                            ],
-                            "prose": "continuous monitoring activities."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing plan of action and milestones\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nplan of action and milestones\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with plan of action and milestones development and\n                  implementation responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms for developing, implementing, and maintaining plan of action\n                  and milestones"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-6",
-            "class": "SP800-53",
-            "title": "Security Authorization",
-            "parameters": [
-              {
-                "id": "ca-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three (3) years or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab",
-                "rel": "reference",
-                "text": "OMB Circular A-130"
-              },
-              {
-                "href": "#bedb15b7-ec5c-4a68-807f-385125751fcd",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-33"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"
-                  },
-                  {
-                    "id": "ca-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations; and"
-                  },
-                  {
-                    "id": "ca-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Updates the security authorization {{ ca-6_prm_1 }}."
-                  },
-                  {
-                    "id": "ca-6_fr",
-                    "name": "item",
-                    "title": "CA-6(c) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-6_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_gdn",
-                "name": "guidance",
-                "prose": "Security authorizations are official management decisions, conveyed through\n               authorization decision documents, by senior organizational officials or executives\n               (i.e., authorizing officials) to authorize operation of information systems and to\n               explicitly accept the risk to organizational operations and assets, individuals,\n               other organizations, and the Nation based on the implementation of agreed-upon\n               security controls. Authorizing officials provide budgetary oversight for\n               organizational information systems or assume responsibility for the mission/business\n               operations supported by those systems. The security authorization process is an\n               inherently federal responsibility and therefore, authorizing officials must be\n               federal employees. Through the security authorization process, authorizing officials\n               assume responsibility and are accountable for security risks associated with the\n               operation and use of organizational information systems. Accordingly, authorizing\n               officials are in positions with levels of authority commensurate with understanding\n               and accepting such information security-related risks. OMB policy requires that\n               organizations conduct ongoing authorizations of information systems by implementing\n               continuous monitoring programs. Continuous monitoring programs can satisfy three-year\n               reauthorization requirements, so separate reauthorization processes are not\n               necessary. Through the employment of comprehensive continuous monitoring processes,\n               critical information contained in authorization packages (i.e., security plans,\n               security assessment reports, and plans of action and milestones) is updated on an\n               ongoing basis, providing authorizing officials and information system owners with an\n               up-to-date status of the security state of organizational information systems and\n               environments of operation. To reduce the administrative cost of security\n               reauthorization, authorizing officials use the results of continuous monitoring\n               processes to the maximum extent possible as the basis for rendering reauthorization\n               decisions.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#pm-10",
-                    "rel": "related",
-                    "text": "PM-10"
-                  }
-                ]
-              },
-              {
-                "id": "ca-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-6(a)"
-                      }
-                    ],
-                    "prose": "assigns a senior-level executive or manager as the authorizing official for the\n                  information system;"
-                  },
-                  {
-                    "id": "ca-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-6(b)"
-                      }
-                    ],
-                    "prose": "ensures that the authorizing official authorizes the information system for\n                  processing before commencing operations;"
-                  },
-                  {
-                    "id": "ca-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-6(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the security authorization; and"
-                      },
-                      {
-                        "id": "ca-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-6(c)[2]"
-                          }
-                        ],
-                        "prose": "updates the security authorization with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing security authorization\\n\\nsecurity authorization package (including security plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\nauthorization statement)\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security authorization responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms that facilitate security authorizations and updates"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-7",
-            "class": "SP800-53",
-            "title": "Continuous Monitoring",
-            "parameters": [
-              {
-                "id": "ca-7_prm_1",
-                "label": "organization-defined metrics"
-              },
-              {
-                "id": "ca-7_prm_2",
-                "label": "organization-defined frequencies"
-              },
-              {
-                "id": "ca-7_prm_3",
-                "label": "organization-defined frequencies"
-              },
-              {
-                "id": "ca-7_prm_4",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_prm_5",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bedb15b7-ec5c-4a68-807f-385125751fcd",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-33"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              },
-              {
-                "href": "#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb",
-                "rel": "reference",
-                "text": "US-CERT Technical Cyber Security Alerts"
-              },
-              {
-                "href": "#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b",
-                "rel": "reference",
-                "text": "DoD Information Assurance Vulnerability Alerts"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-7_smt",
-                "name": "statement",
-                "prose": "The organization develops a continuous monitoring strategy and implements a\n               continuous monitoring program that includes:",
-                "parts": [
-                  {
-                    "id": "ca-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishment of {{ ca-7_prm_1 }} to be monitored;"
-                  },
-                  {
-                    "id": "ca-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;"
-                  },
-                  {
-                    "id": "ca-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ongoing security control assessments in accordance with the organizational\n                  continuous monitoring strategy;"
-                  },
-                  {
-                    "id": "ca-7_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Ongoing security status monitoring of organization-defined metrics in accordance\n                  with the organizational continuous monitoring strategy;"
-                  },
-                  {
-                    "id": "ca-7_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Correlation and analysis of security-related information generated by assessments\n                  and monitoring;"
-                  },
-                  {
-                    "id": "ca-7_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Response actions to address results of the analysis of security-related\n                  information; and"
-                  },
-                  {
-                    "id": "ca-7_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Reporting the security status of organization and the information system to\n                     {{ ca-7_prm_4 }}\n                  {{ ca-7_prm_5 }}."
-                  },
-                  {
-                    "id": "ca-7_fr",
-                    "name": "item",
-                    "title": "CA-7 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-7_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."
-                      },
-                      {
-                        "id": "ca-7_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."
-                      },
-                      {
-                        "id": "ca-7_fr_gdn.2",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_gdn",
-                "name": "guidance",
-                "prose": "Continuous monitoring programs facilitate ongoing awareness of threats,\n               vulnerabilities, and information security to support organizational risk management\n               decisions. The terms continuous and ongoing imply that organizations assess/analyze\n               security controls and information security-related risks at a frequency sufficient to\n               support organizational risk-based decisions. The results of continuous monitoring\n               programs generate appropriate risk response actions by organizations. Continuous\n               monitoring programs also allow organizations to maintain the security authorizations\n               of information systems and common controls over time in highly dynamic environments\n               of operation with changing mission/business needs, threats, vulnerabilities, and\n               technologies. Having access to security-related information on a continuing basis\n               through reports/dashboards gives organizational officials the capability to make more\n               effective and timely risk management decisions, including ongoing security\n               authorization decisions. Automation supports more frequent updates to security\n               authorization packages, hardware/software/firmware inventories, and other system\n               information. Effectiveness is further enhanced when continuous monitoring outputs are\n               formatted to provide information that is specific, measurable, actionable, relevant,\n               and timely. Continuous monitoring activities are scaled in accordance with the\n               security categories of information systems.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-5",
-                    "rel": "related",
-                    "text": "CA-5"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#pm-6",
-                    "rel": "related",
-                    "text": "PM-6"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ca-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines metrics to be\n                     monitored;"
-                      },
-                      {
-                        "id": "ca-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[2]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes monitoring of\n                     organization-defined metrics;"
-                      },
-                      {
-                        "id": "ca-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(a)[3]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes monitoring of\n                     organization-defined metrics in accordance with the organizational continuous\n                     monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines frequencies for\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[2]"
-                          }
-                        ],
-                        "prose": "defines frequencies for assessments supporting monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[3]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes establishment of the\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(b)[4]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes establishment of\n                     organization-defined frequencies for monitoring and for assessments supporting\n                     such monitoring in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(c)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes ongoing security\n                     control assessments;"
-                      },
-                      {
-                        "id": "ca-7.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(c)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes ongoing security\n                     control assessments in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(d)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes ongoing security status\n                     monitoring of organization-defined metrics;"
-                      },
-                      {
-                        "id": "ca-7.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(d)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes ongoing security\n                     status monitoring of organization-defined metrics in accordance with the\n                     organizational continuous monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(e)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring;"
-                      },
-                      {
-                        "id": "ca-7.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(e)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes correlation and\n                     analysis of security-related information generated by assessments and\n                     monitoring in accordance with the organizational continuous monitoring\n                     strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(f)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes response actions to\n                     address results of the analysis of security-related information;"
-                      },
-                      {
-                        "id": "ca-7.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(f)[2]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes response actions to\n                     address results of the analysis of security-related information in accordance\n                     with the organizational continuous monitoring strategy;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-7.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-7(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-7.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[1]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines the personnel or roles\n                     to whom the security status of the organization and information system are to\n                     be reported;"
-                      },
-                      {
-                        "id": "ca-7.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[2]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that defines the frequency to report\n                     the security status of the organization and information system to\n                     organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "ca-7.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[3]"
-                          }
-                        ],
-                        "prose": "develops a continuous monitoring strategy that includes reporting the security\n                     status of the organization or information system to organizational-defined\n                     personnel or roles with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "ca-7.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(g)[4]"
-                          }
-                        ],
-                        "prose": "implements a continuous monitoring program that includes reporting the security\n                     status of the organization and information system to organization-defined\n                     personnel or roles with the organization-defined frequency in accordance with\n                     the organizational continuous monitoring strategy."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                  controls\\n\\nprocedures addressing configuration management\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nconfiguration management records, security impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Mechanisms implementing continuous monitoring"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Independent Assessment",
-                "parameters": [
-                  {
-                    "id": "ca-7.1_prm_1",
-                    "label": "organization-defined level of independence"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs assessors or assessment teams with {{ ca-7.1_prm_1 }} to monitor the security controls in the information\n                  system on an ongoing basis."
-                  },
-                  {
-                    "id": "ca-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can maximize the value of assessments of security controls during\n                  the continuous monitoring process by requiring that such assessments be conducted\n                  by assessors or assessment teams with appropriate levels of independence based on\n                  continuous monitoring strategies. Assessor independence provides a degree of\n                  impartiality to the monitoring process. To achieve such impartiality, assessors\n                  should not: (i) create a mutual or conflicting interest with the organizations\n                  where the assessments are being conducted; (ii) assess their own work; (iii) act\n                  as management or employees of the organizations they are serving; or (iv) place\n                  themselves in advocacy positions for the organizations acquiring their\n                  services."
-                  },
-                  {
-                    "id": "ca-7.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ca-7.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(1)[1]"
-                          }
-                        ],
-                        "prose": "defines a level of independence to be employed to monitor the security controls\n                     in the information system on an ongoing basis; and"
-                      },
-                      {
-                        "id": "ca-7.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-7(1)[2]"
-                          }
-                        ],
-                        "prose": "employs assessors or assessment teams with the organization-defined level of\n                     independence to monitor the security controls in the information system on an\n                     ongoing basis."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security\n                     controls\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nsecurity impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-8",
-            "class": "SP800-53",
-            "title": "Penetration Testing",
-            "parameters": [
-              {
-                "id": "ca-8_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ca-8_prm_2",
-                "label": "organization-defined information systems or system components"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-8_smt",
-                "name": "statement",
-                "prose": "The organization conducts penetration testing {{ ca-8_prm_1 }} on\n                  {{ ca-8_prm_2 }}.",
-                "parts": [
-                  {
-                    "id": "ca-8_fr",
-                    "name": "item",
-                    "title": "CA-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ca-8_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)\n                  "
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ca-8_gdn",
-                "name": "guidance",
-                "prose": "Penetration testing is a specialized type of assessment conducted on information\n               systems or individual system components to identify vulnerabilities that could be\n               exploited by adversaries. Such testing can be used to either validate vulnerabilities\n               or determine the degree of resistance organizational information systems have to\n               adversaries within a set of specified constraints (e.g., time, resources, and/or\n               skills). Penetration testing attempts to duplicate the actions of adversaries in\n               carrying out hostile cyber attacks against organizations and provides a more in-depth\n               analysis of security-related weaknesses/deficiencies. Organizations can also use the\n               results of vulnerability analyses to support penetration testing activities.\n               Penetration testing can be conducted on the hardware, software, or firmware\n               components of an information system and can exercise both physical and technical\n               security controls. A standard method for penetration testing includes, for example:\n               (i) pretest analysis based on full knowledge of the target system; (ii) pretest\n               identification of potential vulnerabilities based on pretest analysis; and (iii)\n               testing designed to determine exploitability of identified vulnerabilities. All\n               parties agree to the rules of engagement before the commencement of penetration\n               testing scenarios. Organizations correlate the penetration testing rules of\n               engagement with the tools, techniques, and procedures that are anticipated to be\n               employed by adversaries carrying out attacks. Organizational risk assessments guide\n               decisions on the level of independence required for personnel conducting penetration\n               testing.",
-                "links": [
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "ca-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-8_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-8[1]"
-                      }
-                    ],
-                    "prose": "defines information systems or system components on which penetration testing is\n                  to be conducted;"
-                  },
-                  {
-                    "id": "ca-8_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-8[2]"
-                      }
-                    ],
-                    "prose": "defines the frequency to conduct penetration testing on organization-defined\n                  information systems or system components; and"
-                  },
-                  {
-                    "id": "ca-8_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-8[3]"
-                      }
-                    ],
-                    "prose": "conducts penetration testing on organization-defined information systems or system\n                  components with the organization-defined frequency."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security assessment and authorization policy\\n\\nprocedures addressing penetration testing\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\npenetration test report\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities,\n                  system/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting penetration testing"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ca-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Independent Penetration Agent or Team",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CA-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ca-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ca-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs an independent penetration agent or penetration team to\n                  perform penetration testing on the information system or system components."
-                  },
-                  {
-                    "id": "ca-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "Independent penetration agents or teams are individuals or groups who conduct\n                  impartial penetration testing of organizational information systems. Impartiality\n                  implies that penetration agents or teams are free from any perceived or actual\n                  conflicts of interest with regard to the development, operation, or management of\n                  the information systems that are the targets of the penetration testing.\n                  Supplemental guidance for CA-2 (1) provides additional information regarding\n                  independent assessments that can be applied to penetration testing.",
-                    "links": [
-                      {
-                        "href": "#ca-2",
-                        "rel": "related",
-                        "text": "CA-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-8.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs an independent penetration agent or\n                  penetration team to perform penetration testing on the information system or\n                  system components. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security assessment and authorization policy\\n\\nprocedures addressing penetration testing\\n\\nsecurity plan\\n\\nsecurity assessment plan\\n\\npenetration test report\\n\\nsecurity assessment report\\n\\nsecurity assessment evidence\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ca-9",
-            "class": "SP800-53",
-            "title": "Internal System Connections",
-            "parameters": [
-              {
-                "id": "ca-9_prm_1",
-                "label": "organization-defined information system components or classes of\n               components"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CA-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "ca-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ca-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ca-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Authorizes internal connections of {{ ca-9_prm_1 }} to the\n                  information system; and"
-                  },
-                  {
-                    "id": "ca-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents, for each internal connection, the interface characteristics, security\n                  requirements, and the nature of the information communicated."
-                  }
-                ]
-              },
-              {
-                "id": "ca-9_gdn",
-                "name": "guidance",
-                "prose": "This control applies to connections between organizational information systems and\n               (separate) constituent system components (i.e., intra-system connections) including,\n               for example, system connections with mobile devices, notebook/desktop computers,\n               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of\n               authorizing each individual internal connection, organizations can authorize internal\n               connections for a class of components with common characteristics and/or\n               configurations, for example, all digital printers, scanners, and copiers with a\n               specified processing, storage, and transmission capability or all smart phones with a\n               specific baseline configuration.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "ca-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ca-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CA-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ca-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components or classes of components to be authorized\n                     as internal connections to the information system;"
-                      },
-                      {
-                        "id": "ca-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CA-9(a)[2]"
-                          }
-                        ],
-                        "prose": "authorizes internal connections of organization-defined information system\n                     components or classes of components to the information system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ca-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CA-9(b)"
-                      }
-                    ],
-                    "prose": "documents, for each internal connection:",
-                    "parts": [
-                      {
-                        "id": "ca-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[1]"
-                          }
-                        ],
-                        "prose": "the interface characteristics;"
-                      },
-                      {
-                        "id": "ca-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[2]"
-                          }
-                        ],
-                        "prose": "the security requirements; and"
-                      },
-                      {
-                        "id": "ca-9.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CA-9(b)[3]"
-                          }
-                        ],
-                        "prose": "the nature of the information communicated."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Access control policy\\n\\nprocedures addressing information system connections\\n\\nsystem and communications protection policy\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of components or classes of components authorized as internal system\n                  connections\\n\\nsecurity assessment report\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for developing, implementing, or\n                  authorizing internal system connections\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "cm",
-        "class": "family",
-        "title": "Configuration Management",
-        "controls": [
-          {
-            "id": "cm-1",
-            "class": "SP800-53",
-            "title": "Configuration Management Policy and Procedures",
-            "parameters": [
-              {
-                "id": "cm-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cm-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ cm-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "cm-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A configuration management policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "cm-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the configuration management\n                     policy and associated configuration management controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "cm-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Configuration management policy {{ cm-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cm-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Configuration management procedures {{ cm-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CM\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "cm-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a configuration management policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "cm-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "cm-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the configuration management policy is to\n                        be disseminated;"
-                          },
-                          {
-                            "id": "cm-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the configuration management policy to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        configuration management policy and associated configuration management\n                        controls;"
-                          },
-                          {
-                            "id": "cm-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "cm-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current configuration\n                        management policy;"
-                          },
-                          {
-                            "id": "cm-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current configuration management policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current configuration\n                        management procedures; and"
-                          },
-                          {
-                            "id": "cm-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current configuration management procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-2",
-            "class": "SP800-53",
-            "title": "Baseline Configuration",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-2_smt",
-                "name": "statement",
-                "prose": "The organization develops, documents, and maintains under configuration control, a\n               current baseline configuration of the information system."
-              },
-              {
-                "id": "cm-2_gdn",
-                "name": "guidance",
-                "prose": "This control establishes baseline configurations for information systems and system\n               components including communications and connectivity-related aspects of systems.\n               Baseline configurations are documented, formally reviewed and agreed-upon sets of\n               specifications for information systems or configuration items within those systems.\n               Baseline configurations serve as a basis for future builds, releases, and/or changes\n               to information systems. Baseline configurations include information about information\n               system components (e.g., standard software packages installed on workstations,\n               notebook computers, servers, network components, or mobile devices; current version\n               numbers and patch information on operating systems and applications; and\n               configuration settings/parameters), network topology, and the logical placement of\n               those components within the system architecture. Maintaining baseline configurations\n               requires creating new baselines as organizational information systems change over\n               time. Baseline configurations of information systems reflect the current enterprise\n               architecture.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#pm-5",
-                    "rel": "related",
-                    "text": "PM-5"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-2_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-2[1]"
-                      }
-                    ],
-                    "prose": "develops and documents a current baseline configuration of the information system;\n                  and"
-                  },
-                  {
-                    "id": "cm-2_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-2[2]"
-                      }
-                    ],
-                    "prose": "maintains, under configuration control, a current baseline configuration of the\n                  information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\nenterprise architecture documentation\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting configuration control of the baseline\n                  configuration"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Reviews and Updates",
-                "parameters": [
-                  {
-                    "id": "cm-2.1_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least annually or when a significant change occurs"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.1_prm_2",
-                    "label": "Assignment organization-defined circumstances",
-                    "constraints": [
-                      {
-                        "detail": "to include when directed by the JAB"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization reviews and updates the baseline configuration of the information\n                  system:",
-                    "parts": [
-                      {
-                        "id": "cm-2.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "\n                     {{ cm-2.1_prm_1 }};"
-                      },
-                      {
-                        "id": "cm-2.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "When required due to {{ cm-2.1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cm-2.1_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "As an integral part of information system component installations and\n                     upgrades."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cm-5",
-                        "rel": "related",
-                        "text": "CM-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-2.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-2(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-2.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the baseline configuration of the\n                        information system;"
-                          },
-                          {
-                            "id": "cm-2.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the baseline configuration of the information system\n                        with the organization-defined frequency;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-2.1_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-2(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-2.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-2(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-2.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines circumstances that require the baseline configuration of the\n                        information system to be reviewed and updated;"
-                          },
-                          {
-                            "id": "cm-2.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the baseline configuration of the information system\n                        when required due to organization-defined circumstances; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-2.1_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-2(1)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-2.1.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(1)(c)"
-                          }
-                        ],
-                        "prose": "reviews and updates the baseline configuration of the information system as an\n                     integral part of information system component installations and upgrades.",
-                        "links": [
-                          {
-                            "href": "#cm-2.1_smt.c",
-                            "rel": "corresp",
-                            "text": "CM-2(1)(c)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nprocedures addressing information system component installations and\n                     upgrades\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of information system baseline configuration reviews and updates\\n\\ninformation system component installations/upgrades and associated records\\n\\nchange control records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing baseline configurations\\n\\nautomated mechanisms supporting review and update of the baseline\n                     configuration"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automation Support for Accuracy / Currency",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to maintain an up-to-date, complete,\n                  accurate, and readily available baseline configuration of the information\n                  system."
-                  },
-                  {
-                    "id": "cm-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms that help organizations maintain consistent baseline\n                  configurations for information systems include, for example, hardware and software\n                  inventory tools, configuration management tools, and network management tools.\n                  Such tools can be deployed and/or allocated as common controls, at the information\n                  system level, or at the operating system or component level (e.g., on\n                  workstations, servers, notebook computers, network components, or mobile devices).\n                  Tools can be used, for example, to track version numbers on operating system\n                  applications, types of software installed, and current patch levels. This control\n                  enhancement can be satisfied by the implementation of CM-8 (2) for organizations\n                  that choose to combine information system component inventory and baseline\n                  configuration activities.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs automated mechanisms to maintain: ",
-                    "parts": [
-                      {
-                        "id": "cm-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(2)[1]"
-                          }
-                        ],
-                        "prose": "an up-to-date baseline configuration of the information system;"
-                      },
-                      {
-                        "id": "cm-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(2)[2]"
-                          }
-                        ],
-                        "prose": "a complete baseline configuration of the information system;"
-                      },
-                      {
-                        "id": "cm-2.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(2)[3]"
-                          }
-                        ],
-                        "prose": "an accurate baseline configuration of the information system; and"
-                      },
-                      {
-                        "id": "cm-2.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(2)[4]"
-                          }
-                        ],
-                        "prose": "a readily available baseline configuration of the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nconfiguration change control records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing baseline configurations\\n\\nautomated mechanisms implementing baseline configuration maintenance"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Retention of Previous Configurations",
-                "parameters": [
-                  {
-                    "id": "cm-2.3_prm_1",
-                    "label": "organization-defined previous versions of baseline configurations of the\n                  information system"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization retains {{ cm-2.3_prm_1 }} to support\n                  rollback."
-                  },
-                  {
-                    "id": "cm-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Retaining previous versions of baseline configurations to support rollback may\n                  include, for example, hardware, software, firmware, configuration files, and\n                  configuration records."
-                  },
-                  {
-                    "id": "cm-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines previous versions of baseline configurations of the information system\n                     to be retained to support rollback; and"
-                      },
-                      {
-                        "id": "cm-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-2(3)[2]"
-                          }
-                        ],
-                        "prose": "retains organization-defined previous versions of baseline configurations of\n                     the information system to support rollback."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nconfiguration management plan\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncopies of previous baseline configuration versions\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing baseline configurations"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-2.7",
-                "class": "SP800-53-enhancement",
-                "title": "Configure Systems, Components, or Devices for High-risk Areas",
-                "parameters": [
-                  {
-                    "id": "cm-2.7_prm_1",
-                    "label": "organization-defined information systems, system components, or\n                  devices"
-                  },
-                  {
-                    "id": "cm-2.7_prm_2",
-                    "label": "organization-defined configurations"
-                  },
-                  {
-                    "id": "cm-2.7_prm_3",
-                    "label": "organization-defined security safeguards"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-2(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-02.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-2.7_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-2.7_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Issues {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }}\n                     to individuals traveling to locations that the organization deems to be of\n                     significant risk; and"
-                      },
-                      {
-                        "id": "cm-2.7_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Applies {{ cm-2.7_prm_3 }} to the devices when the individuals\n                     return."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-2.7_gdn",
-                    "name": "guidance",
-                    "prose": "When it is known that information systems, system components, or devices (e.g.,\n                  notebook computers, mobile devices) will be located in high-risk areas, additional\n                  security controls may be implemented to counter the greater threat in such areas\n                  coupled with the lack of physical security relative to organizational-controlled\n                  areas. For example, organizational policies and procedures for notebook computers\n                  used by individuals departing on and returning from travel include, for example,\n                  determining which locations are of concern, defining required configurations for\n                  the devices, ensuring that the devices are configured as intended before travel is\n                  initiated, and applying specific safeguards to the device after travel is\n                  completed. Specially configured notebook computers include, for example, computers\n                  with sanitized hard drives, limited applications, and additional hardening (e.g.,\n                  more stringent configuration settings). Specified safeguards applied to mobile\n                  devices upon return from travel include, for example, examining the device for\n                  signs of physical tampering and purging/reimaging the hard disk drive. Protecting\n                  information residing on mobile devices is covered in the media protection\n                  family."
-                  },
-                  {
-                    "id": "cm-2.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-2.7.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-2(7)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-2.7.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines information systems, system components, or devices to be issued to\n                        individuals traveling to locations that the organization deems to be of\n                        significant risk;"
-                          },
-                          {
-                            "id": "cm-2.7.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(a)[2]"
-                              }
-                            ],
-                            "prose": "defines configurations to be employed on organization-defined information\n                        systems, system components, or devices issued to individuals traveling to\n                        such locations;"
-                          },
-                          {
-                            "id": "cm-2.7.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(a)[3]"
-                              }
-                            ],
-                            "prose": "issues organization-defined information systems, system components, or\n                        devices with organization-defined configurations to individuals traveling to\n                        locations that the organization deems to be of significant risk;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-2.7_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-2(7)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-2.7.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-2(7)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-2.7.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines security safeguards to be applied to the devices when the\n                        individuals return; and"
-                          },
-                          {
-                            "id": "cm-2.7.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-2(7)(b)[2]"
-                              }
-                            ],
-                            "prose": "applies organization-defined safeguards to the devices when the individuals\n                        return."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-2.7_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-2(7)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing the baseline configuration of the information system\\n\\nprocedures addressing information system component installations and\n                     upgrades\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of information system baseline configuration reviews and updates\\n\\ninformation system component installations/upgrades and associated records\\n\\nchange control records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with configuration management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing baseline configurations"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-3",
-            "class": "SP800-53",
-            "title": "Configuration Change Control",
-            "parameters": [
-              {
-                "id": "cm-3_prm_1",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "cm-3_prm_2",
-                "label": "organization-defined configuration change control element (e.g., committee,\n               board)"
-              },
-              {
-                "id": "cm-3_prm_3"
-              },
-              {
-                "id": "cm-3_prm_4",
-                "depends-on": "cm-3_prm_3",
-                "label": "organization-defined frequency"
-              },
-              {
-                "id": "cm-3_prm_5",
-                "depends-on": "cm-3_prm_3",
-                "label": "organization-defined configuration change conditions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines the types of changes to the information system that are\n                  configuration-controlled;"
-                  },
-                  {
-                    "id": "cm-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews proposed configuration-controlled changes to the information system and\n                  approves or disapproves such changes with explicit consideration for security\n                  impact analyses;"
-                  },
-                  {
-                    "id": "cm-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents configuration change decisions associated with the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Implements approved configuration-controlled changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Retains records of configuration-controlled changes to the information system for\n                     {{ cm-3_prm_1 }};"
-                  },
-                  {
-                    "id": "cm-3_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Audits and reviews activities associated with configuration-controlled changes to\n                  the information system; and"
-                  },
-                  {
-                    "id": "cm-3_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Coordinates and provides oversight for configuration change control activities\n                  through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}."
-                  },
-                  {
-                    "id": "cm-3_fr",
-                    "name": "item",
-                    "title": "CM-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-3_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO."
-                      },
-                      {
-                        "id": "cm-3_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e) Guidance:"
-                          }
-                        ],
-                        "prose": "In accordance with record retention policies and procedures."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-3_gdn",
-                "name": "guidance",
-                "prose": "Configuration change controls for organizational information systems involve the\n               systematic proposal, justification, implementation, testing, review, and disposition\n               of changes to the systems, including system upgrades and modifications. Configuration\n               change control includes changes to baseline configurations for components and\n               configuration items of information systems, changes to configuration settings for\n               information technology products (e.g., operating systems, applications, firewalls,\n               routers, and mobile devices), unscheduled/unauthorized changes, and changes to\n               remediate vulnerabilities. Typical processes for managing configuration changes to\n               information systems include, for example, Configuration Control Boards that approve\n               proposed changes to systems. For new development information systems or systems\n               undergoing major upgrades, organizations consider including representatives from\n               development organizations on the Configuration Control Boards. Auditing of changes\n               includes activities before and after changes are made to organizational information\n               systems and the auditing activities required to implement such changes.",
-                "links": [
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-12",
-                    "rel": "related",
-                    "text": "SI-12"
-                  }
-                ]
-              },
-              {
-                "id": "cm-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(a)"
-                      }
-                    ],
-                    "prose": "determines the type of changes to the information system that must be\n                  configuration-controlled;"
-                  },
-                  {
-                    "id": "cm-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(b)"
-                      }
-                    ],
-                    "prose": "reviews proposed configuration-controlled changes to the information system and\n                  approves or disapproves such changes with explicit consideration for security\n                  impact analyses;"
-                  },
-                  {
-                    "id": "cm-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(c)"
-                      }
-                    ],
-                    "prose": "documents configuration change decisions associated with the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(d)"
-                      }
-                    ],
-                    "prose": "implements approved configuration-controlled changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(e)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period to retain records of configuration-controlled changes to\n                     the information system;"
-                      },
-                      {
-                        "id": "cm-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(e)[2]"
-                          }
-                        ],
-                        "prose": "retains records of configuration-controlled changes to the information system\n                     for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-3.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-3(f)"
-                      }
-                    ],
-                    "prose": "audits and reviews activities associated with configuration-controlled changes to\n                  the information system;"
-                  },
-                  {
-                    "id": "cm-3.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-3(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-3.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(g)[1]"
-                          }
-                        ],
-                        "prose": "defines a configuration change control element (e.g., committee, board)\n                     responsible for coordinating and providing oversight for configuration change\n                     control activities;"
-                      },
-                      {
-                        "id": "cm-3.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(g)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency with which the configuration change control element must\n                     convene; and/or"
-                      },
-                      {
-                        "id": "cm-3.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(g)[3]"
-                          }
-                        ],
-                        "prose": "defines configuration change conditions that prompt the configuration change\n                     control element to convene; and"
-                      },
-                      {
-                        "id": "cm-3.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-3(g)[4]"
-                          }
-                        ],
-                        "prose": "coordinates and provides oversight for configuration change control activities\n                     through organization-defined configuration change control element that convenes\n                     at organization-defined frequency and/or for any organization-defined\n                     configuration change conditions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing information system configuration change control\\n\\nconfiguration management plan\\n\\ninformation system architecture and configuration documentation\\n\\nsecurity plan\\n\\nchange control records\\n\\ninformation system audit records\\n\\nchange control audit and review reports\\n\\nagenda /minutes from configuration change control oversight meetings\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with configuration change control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nmembers of change control board or similar"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for configuration change control\\n\\nautomated mechanisms that implement configuration change control"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-4",
-            "class": "SP800-53",
-            "title": "Security Impact Analysis",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-4_smt",
-                "name": "statement",
-                "prose": "The organization analyzes changes to the information system to determine potential\n               security impacts prior to change implementation."
-              },
-              {
-                "id": "cm-4_gdn",
-                "name": "guidance",
-                "prose": "Organizational personnel with information security responsibilities (e.g.,\n               Information System Administrators, Information System Security Officers, Information\n               System Security Managers, and Information System Security Engineers) conduct security\n               impact analyses. Individuals conducting security impact analyses possess the\n               necessary skills/technical expertise to analyze the changes to information systems\n               and the associated security ramifications. Security impact analysis may include, for\n               example, reviewing security plans to understand security control requirements and\n               reviewing system design documentation to understand control implementation and how\n               specific changes might affect the controls. Security impact analyses may also include\n               assessments of risk to better understand the impact of the changes and to determine\n               if additional security controls are required. Security impact analyses are scaled in\n               accordance with the security categories of the information systems.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "cm-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization analyzes changes to the information system to determine\n               potential security impacts prior to change implementation."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing security impact analysis for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\nsecurity impact analysis documentation\\n\\nanalysis tools and associated outputs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for conducting security impact\n                  analysis\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security impact analysis"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-5",
-            "class": "SP800-53",
-            "title": "Access Restrictions for Change",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-5_smt",
-                "name": "statement",
-                "prose": "The organization defines, documents, approves, and enforces physical and logical\n               access restrictions associated with changes to the information system."
-              },
-              {
-                "id": "cm-5_gdn",
-                "name": "guidance",
-                "prose": "Any changes to the hardware, software, and/or firmware components of information\n               systems can potentially have significant effects on the overall security of the\n               systems. Therefore, organizations permit only qualified and authorized individuals to\n               access information systems for purposes of initiating changes, including upgrades and\n               modifications. Organizations maintain records of access to ensure that configuration\n               change control is implemented and to support after-the-fact actions should\n               organizations discover any unauthorized changes. Access restrictions for change also\n               include software libraries. Access restrictions include, for example, physical and\n               logical access controls (see AC-3 and PE-3), workflow automation, media libraries,\n               abstract layers (e.g., changes implemented into third-party interfaces rather than\n               directly into information systems), and change windows (e.g., changes occur only\n               during specified times, making unauthorized changes easy to discover).",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  }
-                ]
-              },
-              {
-                "id": "cm-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[1]"
-                      }
-                    ],
-                    "prose": "defines physical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[2]"
-                      }
-                    ],
-                    "prose": "documents physical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[3]"
-                      }
-                    ],
-                    "prose": "approves physical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[4]"
-                      }
-                    ],
-                    "prose": "enforces physical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[5]"
-                      }
-                    ],
-                    "prose": "defines logical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-5[6]"
-                      }
-                    ],
-                    "prose": "documents logical access restrictions associated with changes to the information\n                  system;"
-                  },
-                  {
-                    "id": "cm-5_obj.7",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-5[7]"
-                      }
-                    ],
-                    "prose": "approves logical access restrictions associated with changes to the information\n                  system; and"
-                  },
-                  {
-                    "id": "cm-5_obj.8",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-5[8]"
-                      }
-                    ],
-                    "prose": "enforces logical access restrictions associated with changes to the information\n                  system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                  system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlogical access approvals\\n\\nphysical access approvals\\n\\naccess credentials\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with logical access control responsibilities\\n\\norganizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting/implementing/enforcing access restrictions\n                  associated with changes to the information system"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Access Enforcement / Auditing",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-5.1_smt",
-                    "name": "statement",
-                    "prose": "The information system enforces access restrictions and supports auditing of the\n                  enforcement actions."
-                  },
-                  {
-                    "id": "cm-5.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#au-12",
-                        "rel": "related",
-                        "text": "AU-12"
-                      },
-                      {
-                        "href": "#au-6",
-                        "rel": "related",
-                        "text": "AU-6"
-                      },
-                      {
-                        "href": "#cm-3",
-                        "rel": "related",
-                        "text": "CM-3"
-                      },
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system:",
-                    "parts": [
-                      {
-                        "id": "cm-5.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(1)[1]"
-                          }
-                        ],
-                        "prose": "enforces access restrictions for change; and"
-                      },
-                      {
-                        "id": "cm-5.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(1)[2]"
-                          }
-                        ],
-                        "prose": "supports auditing of the enforcement actions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms implementing enforcement of access restrictions for\n                     changes to the information system\\n\\nautomated mechanisms supporting auditing of enforcement actions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-5.3",
-                "class": "SP800-53-enhancement",
-                "title": "Signed Components",
-                "parameters": [
-                  {
-                    "id": "cm-5.3_prm_1",
-                    "label": "organization-defined software and firmware components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-5(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-05.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-5.3_smt",
-                    "name": "statement",
-                    "prose": "The information system prevents the installation of {{ cm-5.3_prm_1 }} without verification that the component has been\n                  digitally signed using a certificate that is recognized and approved by the\n                  organization.",
-                    "parts": [
-                      {
-                        "id": "cm-5.3_fr",
-                        "name": "item",
-                        "title": "CM-5 (3) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "cm-5.3_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.3_gdn",
-                    "name": "guidance",
-                    "prose": "Software and firmware components prevented from installation unless signed with\n                  recognized and approved certificates include, for example, software and firmware\n                  version updates, patches, service packs, device drivers, and basic input output\n                  system (BIOS) updates. Organizations can identify applicable software and firmware\n                  components by type, by specific items, or a combination of both. Digital\n                  signatures and organizational verification of such signatures, is a method of code\n                  authentication.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "cm-5.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(3)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines software and firmware components that the information\n                     system will prevent from being installed without verification that such\n                     components have been digitally signed using a certificate that is recognized\n                     and approved by the organization; and"
-                      },
-                      {
-                        "id": "cm-5.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(3)[2]"
-                          }
-                        ],
-                        "prose": "the information system prevents the installation of organization-defined\n                     software and firmware components without verification that such components have\n                     been digitally signed using a certificate that is recognized and approved by\n                     the organization."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nlist of software and firmware components to be prohibited from installation\n                     without a recognized and approved certificate\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms preventing installation of software and firmware\n                     components not signed with an organization-recognized and approved\n                     certificate"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-5.5",
-                "class": "SP800-53-enhancement",
-                "title": "Limit Production / Operational Privileges",
-                "parameters": [
-                  {
-                    "id": "cm-5.5_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least quarterly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-5(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-05.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-5.5_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-5.5_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Limits privileges to change information system components and system-related\n                     information within a production or operational environment; and"
-                      },
-                      {
-                        "id": "cm-5.5_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Reviews and reevaluates privileges {{ cm-5.5_prm_1 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.5_gdn",
-                    "name": "guidance",
-                    "prose": "In many organizations, information systems support multiple core missions/business\n                  functions. Limiting privileges to change information system components with\n                  respect to operational systems is necessary because changes to a particular\n                  information system component may have far-reaching effects on mission/business\n                  processes supported by the system where the component resides. The complex,\n                  many-to-many relationships between systems and mission/business processes are in\n                  some cases, unknown to developers.",
-                    "links": [
-                      {
-                        "href": "#ac-2",
-                        "rel": "related",
-                        "text": "AC-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-5.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-5.5.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-5(5)(a)"
-                          }
-                        ],
-                        "prose": "limits privileges to change information system components and system-related\n                     information within a production or operational environment;",
-                        "links": [
-                          {
-                            "href": "#cm-5.5_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-5(5)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-5.5.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-5(5)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-5.5.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-5(5)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and reevaluate privileges; and"
-                          },
-                          {
-                            "id": "cm-5.5.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-5(5)(b)[2]"
-                              }
-                            ],
-                            "prose": "reviews and reevaluates privileges with the organization-defined\n                        frequency."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-5.5_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-5(5)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing access restrictions for changes to the information\n                     system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nuser privilege reviews\\n\\nuser privilege recertifications\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing access restrictions to change\\n\\nautomated mechanisms supporting and/or implementing access restrictions for\n                     change"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-6",
-            "class": "SP800-53",
-            "title": "Configuration Settings",
-            "parameters": [
-              {
-                "id": "cm-6_prm_1",
-                "label": "organization-defined security configuration checklists",
-                "guidance": [
-                  {
-                    "prose": "See CM-6(a) Additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_prm_2",
-                "label": "organization-defined information system components"
-              },
-              {
-                "id": "cm-6_prm_3",
-                "label": "organization-defined operational requirements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#990268bf-f4a9-4c81-91ae-dc7d3115f4b1",
-                "rel": "reference",
-                "text": "OMB Memorandum 07-11"
-              },
-              {
-                "href": "#0b3d8ba9-051f-498d-81ea-97f0f018c612",
-                "rel": "reference",
-                "text": "OMB Memorandum 07-18"
-              },
-              {
-                "href": "#0916ef02-3618-411b-a525-565c088849a6",
-                "rel": "reference",
-                "text": "OMB Memorandum 08-22"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              },
-              {
-                "href": "#e95dd121-2733-413e-bf1e-f1eb49f20a98",
-                "rel": "reference",
-                "text": "http://checklists.nist.gov"
-              },
-              {
-                "href": "#647b6de3-81d0-4d22-bec1-5f1333e34380",
-                "rel": "reference",
-                "text": "http://www.nsa.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and documents configuration settings for information technology\n                  products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with\n                  operational requirements;"
-                  },
-                  {
-                    "id": "cm-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Implements the configuration settings;"
-                  },
-                  {
-                    "id": "cm-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Identifies, documents, and approves any deviations from established configuration\n                  settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and"
-                  },
-                  {
-                    "id": "cm-6_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Monitors and controls changes to the configuration settings in accordance with\n                  organizational policies and procedures."
-                  },
-                  {
-                    "id": "cm-6_fr",
-                    "name": "item",
-                    "title": "CM-6(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement 1:"
-                          }
-                        ],
-                        "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "
-                      },
-                      {
-                        "id": "cm-6_fr_smt.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement 2:"
-                          }
-                        ],
-                        "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."
-                      },
-                      {
-                        "id": "cm-6_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_gdn",
-                "name": "guidance",
-                "prose": "Configuration settings are the set of parameters that can be changed in hardware,\n               software, or firmware components of the information system that affect the security\n               posture and/or functionality of the system. Information technology products for which\n               security-related configuration settings can be defined include, for example,\n               mainframe computers, servers (e.g., database, electronic mail, authentication, web,\n               proxy, file, domain name), workstations, input/output devices (e.g., scanners,\n               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice\n               and data switches, wireless access points, network appliances, sensors), operating\n               systems, middleware, and applications. Security-related parameters are those\n               parameters impacting the security state of information systems including the\n               parameters required to satisfy other security control requirements. Security-related\n               parameters include, for example: (i) registry settings; (ii) account, file, directory\n               permission settings; and (iii) settings for functions, ports, protocols, services,\n               and remote connections. Organizations establish organization-wide configuration\n               settings and subsequently derive specific settings for information systems. The\n               established settings become part of the systems configuration baseline. Common secure\n               configurations (also referred to as security configuration checklists, lockdown and\n               hardening guides, security reference guides, security technical implementation\n               guides) provide recognized, standardized, and established benchmarks that stipulate\n               secure configuration settings for specific information technology platforms/products\n               and instructions for configuring those information system components to meet\n               operational requirements. Common secure configurations can be developed by a variety\n               of organizations including, for example, information technology product developers,\n               manufacturers, vendors, consortia, academia, industry, federal agencies, and other\n               organizations in the public and private sectors. Common secure configurations include\n               the United States Government Configuration Baseline (USGCB) which affects the\n               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security\n               Content Automation Protocol (SCAP) and the defined standards within the protocol\n               (e.g., Common Configuration Enumeration) provide an effective method to uniquely\n               identify, track, and control configuration settings. OMB establishes federal policy\n               on configuration requirements for federal information systems.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  }
-                ]
-              },
-              {
-                "id": "cm-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security configuration checklists to be used to establish and document\n                     configuration settings for the information technology products employed;"
-                      },
-                      {
-                        "id": "cm-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[2]"
-                          }
-                        ],
-                        "prose": "ensures the defined security configuration checklists reflect the most\n                     restrictive mode consistent with operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(a)[3]"
-                          }
-                        ],
-                        "prose": "establishes and documents configuration settings for information technology\n                     products employed within the information system using organization-defined\n                     security configuration checklists;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-6(b)"
-                      }
-                    ],
-                    "prose": "implements the configuration settings established/documented in CM-6(a);;"
-                  },
-                  {
-                    "id": "cm-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components for which any deviations from established\n                     configuration settings must be:",
-                        "parts": [
-                          {
-                            "id": "cm-6.c_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][a]"
-                              }
-                            ],
-                            "prose": "identified;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][b]"
-                              }
-                            ],
-                            "prose": "documented;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[1][c]"
-                              }
-                            ],
-                            "prose": "approved;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[2]"
-                          }
-                        ],
-                        "prose": "defines operational requirements to support:",
-                        "parts": [
-                          {
-                            "id": "cm-6.c_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][a]"
-                              }
-                            ],
-                            "prose": "the identification of any deviations from established configuration\n                        settings;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][b]"
-                              }
-                            ],
-                            "prose": "the documentation of any deviations from established configuration\n                        settings;"
-                          },
-                          {
-                            "id": "cm-6.c_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(c)[2][c]"
-                              }
-                            ],
-                            "prose": "the approval of any deviations from established configuration settings;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[3]"
-                          }
-                        ],
-                        "prose": "identifies any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[4]"
-                          }
-                        ],
-                        "prose": "documents any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      },
-                      {
-                        "id": "cm-6.c_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(c)[5]"
-                          }
-                        ],
-                        "prose": "approves any deviations from established configuration settings for\n                     organization-defined information system components based on\n                     organizational-defined operational requirements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-6(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-6.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(d)[1]"
-                          }
-                        ],
-                        "prose": "monitors changes to the configuration settings in accordance with\n                     organizational policies and procedures; and"
-                      },
-                      {
-                        "id": "cm-6.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(d)[2]"
-                          }
-                        ],
-                        "prose": "controls changes to the configuration settings in accordance with\n                     organizational policies and procedures."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nevidence supporting approved deviations from established configuration\n                  settings\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing configuration settings\\n\\nautomated mechanisms that implement, monitor, and/or control information system\n                  configuration settings\\n\\nautomated mechanisms that identify and/or document deviations from established\n                  configuration settings"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Central Management / Application / Verification",
-                "parameters": [
-                  {
-                    "id": "cm-6.1_prm_1",
-                    "label": "organization-defined information system components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to centrally manage, apply, and\n                  verify configuration settings for {{ cm-6.1_prm_1 }}."
-                  },
-                  {
-                    "id": "cm-6.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      },
-                      {
-                        "href": "#cm-4",
-                        "rel": "related",
-                        "text": "CM-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-6.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-6.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(1)[1]"
-                          }
-                        ],
-                        "prose": "defines information system components for which automated mechanisms are to be\n                     employed to:",
-                        "parts": [
-                          {
-                            "id": "cm-6.1_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[1][a]"
-                              }
-                            ],
-                            "prose": "centrally manage configuration settings of such components;"
-                          },
-                          {
-                            "id": "cm-6.1_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[1][b]"
-                              }
-                            ],
-                            "prose": "apply configuration settings of such components;"
-                          },
-                          {
-                            "id": "cm-6.1_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[1][c]"
-                              }
-                            ],
-                            "prose": "verify configuration settings of such components;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-6.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-6(1)[2]"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms to:",
-                        "parts": [
-                          {
-                            "id": "cm-6.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[2][a]"
-                              }
-                            ],
-                            "prose": "centrally manage configuration settings for organization-defined information\n                        system components;"
-                          },
-                          {
-                            "id": "cm-6.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[2][b]"
-                              }
-                            ],
-                            "prose": "apply configuration settings for organization-defined information system\n                        components; and"
-                          },
-                          {
-                            "id": "cm-6.1_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-6(1)[2][c]"
-                              }
-                            ],
-                            "prose": "verify configuration settings for organization-defined information system\n                        components."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing configuration settings for the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security configuration management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing configuration settings\\n\\nautomated mechanisms implemented to centrally manage, apply, and verify\n                     information system configuration settings"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-7",
-            "class": "SP800-53",
-            "title": "Least Functionality",
-            "parameters": [
-              {
-                "id": "cm-7_prm_1",
-                "label": "organization-defined prohibited or restricted functions, ports, protocols, and/or\n               services",
-                "constraints": [
-                  {
-                    "detail": "United States Government Configuration Baseline (USGCB)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e42b2099-3e1c-415b-952c-61c96533c12e",
-                "rel": "reference",
-                "text": "DoD Instruction 8551.01"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Configures the information system to provide only essential capabilities; and"
-                  },
-                  {
-                    "id": "cm-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Prohibits or restricts the use of the following functions, ports, protocols,\n                  and/or services: {{ cm-7_prm_1 }}."
-                  },
-                  {
-                    "id": "cm-7_fr",
-                    "name": "item",
-                    "title": "CM-7 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-7_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."
-                      },
-                      {
-                        "id": "cm-7_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-7_gdn",
-                "name": "guidance",
-                "prose": "Information systems can provide a wide variety of functions and services. Some of the\n               functions and services, provided by default, may not be necessary to support\n               essential organizational operations (e.g., key missions, functions). Additionally, it\n               is sometimes convenient to provide multiple services from single information system\n               components, but doing so increases risk over limiting the services provided by any\n               one component. Where feasible, organizations limit component functionality to a\n               single function per device (e.g., email servers or web servers, but not both).\n               Organizations review functions and services provided by information systems or\n               individual components of information systems, to determine which functions and\n               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant\n               Messaging, auto-execute, and file sharing). Organizations consider disabling unused\n               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File\n               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to\n               prevent unauthorized connection of devices, unauthorized transfer of information, or\n               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion\n               detection and prevention systems, and end-point protections such as firewalls and\n               host-based intrusion detection systems to identify and prevent the use of prohibited\n               functions, ports, protocols, and services.",
-                "links": [
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-7(a)"
-                      }
-                    ],
-                    "prose": "configures the information system to provide only essential capabilities;"
-                  },
-                  {
-                    "id": "cm-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(b)[1]"
-                          }
-                        ],
-                        "prose": "defines prohibited or restricted:",
-                        "parts": [
-                          {
-                            "id": "cm-7.b_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][a]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][b]"
-                              }
-                            ],
-                            "prose": "ports;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][c]"
-                              }
-                            ],
-                            "prose": "protocols; and/or"
-                          },
-                          {
-                            "id": "cm-7.b_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[1][d]"
-                              }
-                            ],
-                            "prose": "services;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(b)[2]"
-                          }
-                        ],
-                        "prose": "prohibits or restricts the use of organization-defined:",
-                        "parts": [
-                          {
-                            "id": "cm-7.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][a]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][b]"
-                              }
-                            ],
-                            "prose": "ports;"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][c]"
-                              }
-                            ],
-                            "prose": "protocols; and/or"
-                          },
-                          {
-                            "id": "cm-7.b_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(b)[2][d]"
-                              }
-                            ],
-                            "prose": "services."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nconfiguration management plan\\n\\nprocedures addressing least functionality in the information system\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security configuration management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes prohibiting or restricting functions, ports, protocols,\n                  and/or services\\n\\nautomated mechanisms implementing restrictions or prohibition of functions, ports,\n                  protocols, and/or services"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Periodic Review",
-                "parameters": [
-                  {
-                    "id": "cm-7.1_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least monthly"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.1_prm_2",
-                    "label": "organization-defined functions, ports, protocols, and services within the\n                  information system deemed to be unnecessary and/or nonsecure"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-7.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Reviews the information system {{ cm-7.1_prm_1 }} to identify\n                     unnecessary and/or nonsecure functions, ports, protocols, and services; and"
-                      },
-                      {
-                        "id": "cm-7.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Disables {{ cm-7.1_prm_2 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "The organization can either make a determination of the relative security of the\n                  function, port, protocol, and/or service or base the security decision on the\n                  assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are\n                  examples of less than secure protocols.",
-                    "links": [
-                      {
-                        "href": "#ac-18",
-                        "rel": "related",
-                        "text": "AC-18"
-                      },
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#ia-2",
-                        "rel": "related",
-                        "text": "IA-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-7.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-7(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-7.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review the information system to identify\n                        unnecessary and/or nonsecure:",
-                            "parts": [
-                              {
-                                "id": "cm-7.1.a_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[1][a]"
-                                  }
-                                ],
-                                "prose": "functions;"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[1][b]"
-                                  }
-                                ],
-                                "prose": "ports;"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[1][c]"
-                                  }
-                                ],
-                                "prose": "protocols; and/or"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[1][d]"
-                                  }
-                                ],
-                                "prose": "services;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-7.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "reviews the information system with the organization-defined frequency to\n                        identify unnecessary and/or nonsecure:",
-                            "parts": [
-                              {
-                                "id": "cm-7.1.a_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[2][a]"
-                                  }
-                                ],
-                                "prose": "functions;"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[2][b]"
-                                  }
-                                ],
-                                "prose": "ports;"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.2.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[2][c]"
-                                  }
-                                ],
-                                "prose": "protocols; and/or"
-                              },
-                              {
-                                "id": "cm-7.1.a_obj.2.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(a)[2][d]"
-                                  }
-                                ],
-                                "prose": "services;"
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-7.1_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-7(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-7(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-7.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines, within the information system, unnecessary and/or nonsecure:",
-                            "parts": [
-                              {
-                                "id": "cm-7.1.b_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[1][a]"
-                                  }
-                                ],
-                                "prose": "functions;"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[1][b]"
-                                  }
-                                ],
-                                "prose": "ports;"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[1][c]"
-                                  }
-                                ],
-                                "prose": "protocols; and/or"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[1][d]"
-                                  }
-                                ],
-                                "prose": "services;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-7.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "disables organization-defined unnecessary and/or nonsecure:",
-                            "parts": [
-                              {
-                                "id": "cm-7.1.b_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[2][a]"
-                                  }
-                                ],
-                                "prose": "functions;"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[2][b]"
-                                  }
-                                ],
-                                "prose": "ports;"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.2.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[2][c]"
-                                  }
-                                ],
-                                "prose": "protocols; and/or"
-                              },
-                              {
-                                "id": "cm-7.1.b_obj.2.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-7(1)(b)[2][d]"
-                                  }
-                                ],
-                                "prose": "services."
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-7.1_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-7(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nsecurity configuration checklists\\n\\ndocumented reviews of functions, ports, protocols, and/or services\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for reviewing functions, ports,\n                     protocols, and services on the information system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for reviewing/disabling nonsecure functions, ports,\n                     protocols, and/or services\\n\\nautomated mechanisms implementing review and disabling of nonsecure functions,\n                     ports, protocols, and/or services"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-7.2",
-                "class": "SP800-53-enhancement",
-                "title": "Prevent Program Execution",
-                "parameters": [
-                  {
-                    "id": "cm-7.2_prm_1"
-                  },
-                  {
-                    "id": "cm-7.2_prm_2",
-                    "depends-on": "cm-7.2_prm_1",
-                    "label": "organization-defined policies regarding software program usage and\n                  restrictions"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-7(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-07.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-7.2_smt",
-                    "name": "statement",
-                    "prose": "The information system prevents program execution in accordance with {{ cm-7.2_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "cm-7.2_fr",
-                        "name": "item",
-                        "title": "CM-7 (2) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "cm-7.2_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cm-8",
-                        "rel": "related",
-                        "text": "CM-8"
-                      },
-                      {
-                        "href": "#pm-5",
-                        "rel": "related",
-                        "text": "PM-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "cm-7.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(2)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines policies regarding software program usage and\n                     restrictions;"
-                      },
-                      {
-                        "id": "cm-7.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(2)[2]"
-                          }
-                        ],
-                        "prose": "the information system prevents program execution in accordance with one or\n                     more of the following:",
-                        "parts": [
-                          {
-                            "id": "cm-7.2_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(2)[2][a]"
-                              }
-                            ],
-                            "prose": "organization-defined policies regarding program usage and restrictions;\n                        and/or"
-                          },
-                          {
-                            "id": "cm-7.2_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CM-7(2)[2][b]"
-                              }
-                            ],
-                            "prose": "rules authorizing the terms and conditions of software program usage."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nspecifications for preventing software program execution\\n\\ninformation system configuration settings and associated documentation\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes preventing program execution on the information\n                     system\\n\\norganizational processes for software program usage and restrictions\\n\\nautomated mechanisms preventing program execution on the information system\\n\\nautomated mechanisms supporting and/or implementing software program usage and\n                     restrictions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-7.5",
-                "class": "SP800-53-enhancement",
-                "title": "Authorized Software / Whitelisting",
-                "parameters": [
-                  {
-                    "id": "cm-7.5_prm_1",
-                    "label": "organization-defined software programs authorized to execute on the\n                  information system"
-                  },
-                  {
-                    "id": "cm-7.5_prm_2",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least Annually or when there is a change"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-7(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-07.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-7.5_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-7.5_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Identifies {{ cm-7.5_prm_1 }};"
-                      },
-                      {
-                        "id": "cm-7.5_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Employs a deny-all, permit-by-exception policy to allow the execution of\n                     authorized software programs on the information system; and"
-                      },
-                      {
-                        "id": "cm-7.5_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Reviews and updates the list of authorized software programs {{ cm-7.5_prm_2 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.5_gdn",
-                    "name": "guidance",
-                    "prose": "The process used to identify software programs that are authorized to execute on\n                  organizational information systems is commonly referred to as whitelisting. In\n                  addition to whitelisting, organizations consider verifying the integrity of\n                  white-listed software programs using, for example, cryptographic checksums,\n                  digital signatures, or hash functions. Verification of white-listed software can\n                  occur either prior to execution or at system startup.",
-                    "links": [
-                      {
-                        "href": "#cm-2",
-                        "rel": "related",
-                        "text": "CM-2"
-                      },
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      },
-                      {
-                        "href": "#cm-8",
-                        "rel": "related",
-                        "text": "CM-8"
-                      },
-                      {
-                        "href": "#pm-5",
-                        "rel": "related",
-                        "text": "PM-5"
-                      },
-                      {
-                        "href": "#sa-10",
-                        "rel": "related",
-                        "text": "SA-10"
-                      },
-                      {
-                        "href": "#sc-34",
-                        "rel": "related",
-                        "text": "SC-34"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-7.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-7.5.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(5)(a)"
-                          }
-                        ],
-                        "prose": "Identifies/defines software programs authorized to execute on the information\n                     system;",
-                        "links": [
-                          {
-                            "href": "#cm-7.5_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-7(5)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.5.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-7(5)(b)"
-                          }
-                        ],
-                        "prose": "employs a deny-all, permit-by-exception policy to allow the execution of\n                     authorized software programs on the information system;",
-                        "links": [
-                          {
-                            "href": "#cm-7.5_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-7(5)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-7.5.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-7(5)(c)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-7.5.c_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(5)(c)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the list of authorized software\n                        programs on the information system; and"
-                          },
-                          {
-                            "id": "cm-7.5.c_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-7(5)(c)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the list of authorized software programs with the\n                        organization-defined frequency."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-7.5_smt.c",
-                            "rel": "corresp",
-                            "text": "CM-7(5)(c)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing least functionality in the information system\\n\\nconfiguration management plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of software programs authorized to execute on the information system\\n\\nsecurity configuration checklists\\n\\nreview and update records associated with list of authorized software\n                     programs\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for identifying software\n                     authorized to execute on the information system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for identifying, reviewing, and updating programs\n                     authorized to execute on the information system\\n\\norganizational process for implementing whitelisting\\n\\nautomated mechanisms implementing whitelisting"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-8",
-            "class": "SP800-53",
-            "title": "Information System Component Inventory",
-            "parameters": [
-              {
-                "id": "cm-8_prm_1",
-                "label": "organization-defined information deemed necessary to achieve effective\n               information system component accountability"
-              },
-              {
-                "id": "cm-8_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops and documents an inventory of information system components that:",
-                    "parts": [
-                      {
-                        "id": "cm-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Accurately reflects the current information system;"
-                      },
-                      {
-                        "id": "cm-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Includes all components within the authorization boundary of the information\n                     system;"
-                      },
-                      {
-                        "id": "cm-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Is at the level of granularity deemed necessary for tracking and reporting;\n                     and"
-                      },
-                      {
-                        "id": "cm-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Includes {{ cm-8_prm_1 }}; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the information system component inventory {{ cm-8_prm_2 }}."
-                  },
-                  {
-                    "id": "cm-8_fr",
-                    "name": "item",
-                    "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cm-8_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Must be provided at least monthly or when there is a change."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_gdn",
-                "name": "guidance",
-                "prose": "Organizations may choose to implement centralized information system component\n               inventories that include components from all organizational information systems. In\n               such situations, organizations ensure that the resulting inventories include\n               system-specific information required for proper component accountability (e.g.,\n               information system association, information system owner). Information deemed\n               necessary for effective accountability of information system components includes, for\n               example, hardware inventory specifications, software license information, software\n               version numbers, component owners, and for networked components or devices, machine\n               names and network addresses. Inventory specifications include, for example,\n               manufacturer, device type, model, serial number, and physical location.",
-                "links": [
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pm-5",
-                    "rel": "related",
-                    "text": "PM-5"
-                  }
-                ]
-              },
-              {
-                "id": "cm-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(1)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that\n                     accurately reflects the current information system;"
-                      },
-                      {
-                        "id": "cm-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(2)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that\n                     includes all components within the authorization boundary of the information\n                     system;"
-                      },
-                      {
-                        "id": "cm-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(3)"
-                          }
-                        ],
-                        "prose": "develops and documents an inventory of information system components that is at\n                     the level of granularity deemed necessary for tracking and reporting;"
-                      },
-                      {
-                        "id": "cm-8.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(a)(4)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-8.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "defines the information deemed necessary to achieve effective information\n                        system component accountability;"
-                          },
-                          {
-                            "id": "cm-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "develops and documents an inventory of information system components that\n                        includes organization-defined information deemed necessary to achieve\n                        effective information system component accountability;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the information system component\n                     inventory; and"
-                      },
-                      {
-                        "id": "cm-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the information system component inventory with the\n                     organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system component\n                  inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for developing and documenting an inventory of\n                  information system components\\n\\nautomated mechanisms supporting and/or implementing the information system\n                  component inventory"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Updates During Installations / Removals",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization updates the inventory of information system components as an\n                  integral part of component installations, removals, and information system\n                  updates."
-                  },
-                  {
-                    "id": "cm-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization updates the inventory of information system\n                  components as an integral part of:",
-                    "parts": [
-                      {
-                        "id": "cm-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-8(1)[1]"
-                          }
-                        ],
-                        "prose": "component installations;"
-                      },
-                      {
-                        "id": "cm-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(1)[2]"
-                          }
-                        ],
-                        "prose": "component removals; and"
-                      },
-                      {
-                        "id": "cm-8.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(1)[3]"
-                          }
-                        ],
-                        "prose": "information system updates."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\ninventory reviews and update records\\n\\ncomponent installation records\\n\\ncomponent removal records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for updating the information\n                     system component inventory\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for updating inventory of information system\n                     components\\n\\nautomated mechanisms implementing updating of the information system component\n                     inventory"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8.3",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Unauthorized Component Detection",
-                "parameters": [
-                  {
-                    "id": "cm-8.3_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "Continuously, using automated mechanisms with a maximum five-minute delay in detection"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.3_prm_2"
-                  },
-                  {
-                    "id": "cm-8.3_prm_3",
-                    "depends-on": "cm-8.3_prm_2",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CM-8(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-08.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-8.3_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cm-8.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Employs automated mechanisms {{ cm-8.3_prm_1 }} to detect the\n                     presence of unauthorized hardware, software, and firmware components within the\n                     information system; and"
-                      },
-                      {
-                        "id": "cm-8.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Takes the following actions when unauthorized components are detected: {{ cm-8.3_prm_2 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement is applied in addition to the monitoring for unauthorized\n                  remote connections and mobile devices. Monitoring for unauthorized system\n                  components may be accomplished on an ongoing basis or by the periodic scanning of\n                  systems for that purpose. Automated mechanisms can be implemented within\n                  information systems or in other separate devices. Isolation can be achieved, for\n                  example, by placing unauthorized information system components in separate domains\n                  or subnets or otherwise quarantining such components. This type of component\n                  isolation is commonly referred to as sandboxing.",
-                    "links": [
-                      {
-                        "href": "#ac-17",
-                        "rel": "related",
-                        "text": "AC-17"
-                      },
-                      {
-                        "href": "#ac-18",
-                        "rel": "related",
-                        "text": "AC-18"
-                      },
-                      {
-                        "href": "#ac-19",
-                        "rel": "related",
-                        "text": "AC-19"
-                      },
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      },
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-8.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-8.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(3)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-8.3.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(3)(a)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to employ automated mechanisms to detect the presence\n                        of unauthorized:",
-                            "parts": [
-                              {
-                                "id": "cm-8.3.a_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[1][a]"
-                                  }
-                                ],
-                                "prose": "hardware components within the information system;"
-                              },
-                              {
-                                "id": "cm-8.3.a_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[1][b]"
-                                  }
-                                ],
-                                "prose": "software components within the information system;"
-                              },
-                              {
-                                "id": "cm-8.3.a_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[1][c]"
-                                  }
-                                ],
-                                "prose": "firmware components within the information system;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cm-8.3.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(3)(a)[2]"
-                              }
-                            ],
-                            "prose": "employs automated mechanisms with the organization-defined frequency to\n                        detect the presence of unauthorized:",
-                            "parts": [
-                              {
-                                "id": "cm-8.3.a_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[2][a]"
-                                  }
-                                ],
-                                "prose": "hardware components within the information system;"
-                              },
-                              {
-                                "id": "cm-8.3.a_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[2][b]"
-                                  }
-                                ],
-                                "prose": "software components within the information system;"
-                              },
-                              {
-                                "id": "cm-8.3.a_obj.2.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(a)[2][c]"
-                                  }
-                                ],
-                                "prose": "firmware components within the information system;"
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-8.3_smt.a",
-                            "rel": "corresp",
-                            "text": "CM-8(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cm-8.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-8(3)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cm-8.3.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(3)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to be notified when unauthorized components are\n                        detected;"
-                          },
-                          {
-                            "id": "cm-8.3.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CM-8(3)(b)[2]"
-                              }
-                            ],
-                            "prose": "takes one or more of the following actions when unauthorized components are\n                        detected:",
-                            "parts": [
-                              {
-                                "id": "cm-8.3.b_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(b)[2][a]"
-                                  }
-                                ],
-                                "prose": "disables network access by such components;"
-                              },
-                              {
-                                "id": "cm-8.3.b_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(b)[2][b]"
-                                  }
-                                ],
-                                "prose": "isolates the components; and/or"
-                              },
-                              {
-                                "id": "cm-8.3.b_obj.2.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CM-8(3)(b)[2][c]"
-                                  }
-                                ],
-                                "prose": "notifies organization-defined personnel or roles."
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#cm-8.3_smt.b",
-                            "rel": "corresp",
-                            "text": "CM-8(3)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system inventory records\\n\\nalerts/notifications of unauthorized components within the information\n                     system\\n\\ninformation system monitoring records\\n\\nchange control records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for managing the automated\n                     mechanisms implementing unauthorized information system component detection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for detection of unauthorized information system\n                     components\\n\\nautomated mechanisms implementing the detection of unauthorized information\n                     system components"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cm-8.5",
-                "class": "SP800-53-enhancement",
-                "title": "No Duplicate Accounting of Components",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-8(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-08.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-8.5_smt",
-                    "name": "statement",
-                    "prose": "The organization verifies that all components within the authorization boundary of\n                  the information system are not duplicated in other information system component\n                  inventories."
-                  },
-                  {
-                    "id": "cm-8.5_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement addresses the potential problem of duplicate accounting\n                  of information system components in large or complex interconnected systems."
-                  },
-                  {
-                    "id": "cm-8.5_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization verifies that all components within the\n                  authorization boundary of the information system are not duplicated in other\n                  information system inventories. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing information system component inventory\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system inventory records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system inventory responsibilities\\n\\norganizational personnel with responsibilities for defining information system\n                     components within the authorization boundary of the system\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for maintaining the inventory of information system\n                     components\\n\\nautomated mechanisms implementing the information system component\n                     inventory"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-9",
-            "class": "SP800-53",
-            "title": "Configuration Management Plan",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CM-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-09"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-9_smt",
-                "name": "statement",
-                "prose": "The organization develops, documents, and implements a configuration management plan\n               for the information system that:",
-                "parts": [
-                  {
-                    "id": "cm-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Addresses roles, responsibilities, and configuration management processes and\n                  procedures;"
-                  },
-                  {
-                    "id": "cm-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishes a process for identifying configuration items throughout the system\n                  development life cycle and for managing the configuration of the configuration\n                  items;"
-                  },
-                  {
-                    "id": "cm-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Defines the configuration items for the information system and places the\n                  configuration items under configuration management; and"
-                  },
-                  {
-                    "id": "cm-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects the configuration management plan from unauthorized disclosure and\n                  modification."
-                  }
-                ]
-              },
-              {
-                "id": "cm-9_gdn",
-                "name": "guidance",
-                "prose": "Configuration management plans satisfy the requirements in configuration management\n               policies while being tailored to individual information systems. Such plans define\n               detailed processes and procedures for how configuration management is used to support\n               system development life cycle activities at the information system level.\n               Configuration management plans are typically developed during the\n               development/acquisition phase of the system development life cycle. The plans\n               describe how to move changes through change management processes, how to update\n               configuration settings and baselines, how to maintain information system component\n               inventories, how to control development, test, and operational environments, and how\n               to develop, release, and update key documents. Organizations can employ templates to\n               help ensure consistent and timely development and implementation of configuration\n               management plans. Such templates can represent a master configuration management plan\n               for the organization at large with subsets of the plan implemented on a system by\n               system basis. Configuration management approval processes include designation of key\n               management stakeholders responsible for reviewing and approving proposed changes to\n               information systems, and personnel that conduct security impact analyses prior to the\n               implementation of changes to the systems. Configuration items are the information\n               system items (hardware, software, firmware, and documentation) to be\n               configuration-managed. As information systems continue through the system development\n               life cycle, new configuration items may be identified and some existing configuration\n               items may no longer need to be under configuration control.",
-                "links": [
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  }
-                ]
-              },
-              {
-                "id": "cm-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization develops, documents, and implements a configuration\n               management plan for the information system that:",
-                "parts": [
-                  {
-                    "id": "cm-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(a)[1]"
-                          }
-                        ],
-                        "prose": "addresses roles;"
-                      },
-                      {
-                        "id": "cm-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(a)[2]"
-                          }
-                        ],
-                        "prose": "addresses responsibilities;"
-                      },
-                      {
-                        "id": "cm-9.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(a)[3]"
-                          }
-                        ],
-                        "prose": "addresses configuration management processes and procedures;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-9(b)"
-                      }
-                    ],
-                    "prose": "establishes a process for:",
-                    "parts": [
-                      {
-                        "id": "cm-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(b)[1]"
-                          }
-                        ],
-                        "prose": "identifying configuration items throughout the SDLC;"
-                      },
-                      {
-                        "id": "cm-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(b)[2]"
-                          }
-                        ],
-                        "prose": "managing the configuration of the configuration items;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the configuration items for the information system;"
-                      },
-                      {
-                        "id": "cm-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-9(c)[2]"
-                          }
-                        ],
-                        "prose": "places the configuration items under configuration management;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-9(d)"
-                      }
-                    ],
-                    "prose": "protects the configuration management plan from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "cm-9.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(d)[1]"
-                          }
-                        ],
-                        "prose": "disclosure; and"
-                      },
-                      {
-                        "id": "cm-9.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CM-9(d)[2]"
-                          }
-                        ],
-                        "prose": "modification."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing configuration management planning\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for developing the configuration\n                  management plan\\n\\norganizational personnel with responsibilities for implementing and managing\n                  processes defined in the configuration management plan\\n\\norganizational personnel with responsibilities for protecting the configuration\n                  management plan\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for developing and documenting the configuration\n                  management plan\\n\\norganizational processes for identifying and managing configuration items\\n\\norganizational processes for protecting the configuration management plan\\n\\nautomated mechanisms implementing the configuration management plan\\n\\nautomated mechanisms for managing configuration items\\n\\nautomated mechanisms for protecting the configuration management plan"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-10",
-            "class": "SP800-53",
-            "title": "Software Usage Restrictions",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-10_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-10_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"
-                  },
-                  {
-                    "id": "cm-10_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"
-                  },
-                  {
-                    "id": "cm-10_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."
-                  }
-                ]
-              },
-              {
-                "id": "cm-10_gdn",
-                "name": "guidance",
-                "prose": "Software license tracking can be accomplished by manual methods (e.g., simple\n               spreadsheets) or automated methods (e.g., specialized tracking applications)\n               depending on organizational needs.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "cm-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-10.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(a)"
-                      }
-                    ],
-                    "prose": "uses software and associated documentation in accordance with contract agreements\n                  and copyright laws;"
-                  },
-                  {
-                    "id": "cm-10.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(b)"
-                      }
-                    ],
-                    "prose": "tracks the use of software and associated documentation protected by quantity\n                  licenses to control copying and distribution; and"
-                  },
-                  {
-                    "id": "cm-10.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CM-10(c)"
-                      }
-                    ],
-                    "prose": "controls and documents the use of peer-to-peer file sharing technology to ensure\n                  that this capability is not used for the unauthorized distribution, display,\n                  performance, or reproduction of copyrighted work."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing software usage restrictions\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nsoftware contract agreements and copyright laws\\n\\nsite license documentation\\n\\nlist of software usage restrictions\\n\\nsoftware license tracking reports\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel with software license management responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for tracking the use of software protected by quantity\n                  licenses\\n\\norganization process for controlling/documenting the use of peer-to-peer file\n                  sharing technology\\n\\nautomated mechanisms implementing software license tracking\\n\\nautomated mechanisms implementing and controlling the use of peer-to-peer files\n                  sharing technology"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cm-10.1",
-                "class": "SP800-53-enhancement",
-                "title": "Open Source Software",
-                "parameters": [
-                  {
-                    "id": "cm-10.1_prm_1",
-                    "label": "organization-defined restrictions"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CM-10(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cm-10.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cm-10.1_smt",
-                    "name": "statement",
-                    "prose": "The organization establishes the following restrictions on the use of open source\n                  software: {{ cm-10.1_prm_1 }}."
-                  },
-                  {
-                    "id": "cm-10.1_gdn",
-                    "name": "guidance",
-                    "prose": "Open source software refers to software that is available in source code form.\n                  Certain software rights normally reserved for copyright holders are routinely\n                  provided under software license agreements that permit individuals to study,\n                  change, and improve the software. From a security perspective, the major advantage\n                  of open source software is that it provides organizations with the ability to\n                  examine the source code. However, there are also various licensing issues\n                  associated with open source software including, for example, the constraints on\n                  derivative use of such software."
-                  },
-                  {
-                    "id": "cm-10.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cm-10.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-10(1)[1]"
-                          }
-                        ],
-                        "prose": "defines restrictions on the use of open source software; and"
-                      },
-                      {
-                        "id": "cm-10.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-10(1)[2]"
-                          }
-                        ],
-                        "prose": "establishes organization-defined restrictions on the use of open source\n                     software."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Configuration management policy\\n\\nprocedures addressing restrictions on use of open source software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for establishing and enforcing\n                     restrictions on use of open source software\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for restricting the use of open source software\\n\\nautomated mechanisms implementing restrictions on the use of open source\n                     software"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cm-11",
-            "class": "SP800-53",
-            "title": "User-installed Software",
-            "parameters": [
-              {
-                "id": "cm-11_prm_1",
-                "label": "organization-defined policies"
-              },
-              {
-                "id": "cm-11_prm_2",
-                "label": "organization-defined methods"
-              },
-              {
-                "id": "cm-11_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "Continuously (via CM-7 (5))"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CM-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "cm-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cm-11_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cm-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes {{ cm-11_prm_1 }} governing the installation of\n                  software by users;"
-                  },
-                  {
-                    "id": "cm-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Enforces software installation policies through {{ cm-11_prm_2 }};\n                  and"
-                  },
-                  {
-                    "id": "cm-11_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Monitors policy compliance at {{ cm-11_prm_3 }}."
-                  }
-                ]
-              },
-              {
-                "id": "cm-11_gdn",
-                "name": "guidance",
-                "prose": "If provided the necessary privileges, users have the ability to install software in\n               organizational information systems. To maintain control over the types of software\n               installed, organizations identify permitted and prohibited actions regarding software\n               installation. Permitted software installations may include, for example, updates and\n               security patches to existing software and downloading applications from\n               organization-approved “app stores” Prohibited software installations may include, for\n               example, software with unknown or suspect pedigrees or software that organizations\n               consider potentially malicious. The policies organizations select governing\n               user-installed software may be organization-developed or provided by some external\n               entity. Policy enforcement methods include procedural methods (e.g., periodic\n               examination of user accounts), automated methods (e.g., configuration settings\n               implemented on organizational information systems), or both.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "cm-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cm-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(a)[1]"
-                          }
-                        ],
-                        "prose": "defines policies to govern the installation of software by users;"
-                      },
-                      {
-                        "id": "cm-11.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes organization-defined policies governing the installation of\n                     software by users;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(b)[1]"
-                          }
-                        ],
-                        "prose": "defines methods to enforce software installation policies;"
-                      },
-                      {
-                        "id": "cm-11.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(b)[2]"
-                          }
-                        ],
-                        "prose": "enforces software installation policies through organization-defined\n                     methods;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cm-11.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CM-11(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cm-11.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(c)[1]"
-                          }
-                        ],
-                        "prose": "defines frequency to monitor policy compliance; and"
-                      },
-                      {
-                        "id": "cm-11.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CM-11(c)[2]"
-                          }
-                        ],
-                        "prose": "monitors policy compliance at organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Configuration management policy\\n\\nprocedures addressing user installed software\\n\\nconfiguration management plan\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of rules governing user installed software\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records\\n\\ncontinuous monitoring strategy"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for governing user-installed\n                  software\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\norganizational personnel monitoring compliance with user-installed software\n                  policy\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes governing user-installed software on the information\n                  system\\n\\nautomated mechanisms enforcing rules/methods for governing the installation of\n                  software by users\\n\\nautomated mechanisms monitoring policy compliance"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "cp",
-        "class": "family",
-        "title": "Contingency Planning",
-        "controls": [
-          {
-            "id": "cp-1",
-            "class": "SP800-53",
-            "title": "Contingency Planning Policy and Procedures",
-            "parameters": [
-              {
-                "id": "cp-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cp-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ cp-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "cp-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A contingency planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "cp-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the contingency planning policy\n                     and associated contingency planning controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "cp-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Contingency planning policy {{ cp-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "cp-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Contingency planning procedures {{ cp-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the CP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "cp-1_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "cp-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization develops and documents a contingency planning policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "cp-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "cp-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "CP-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "cp-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines personnel or roles to whom the contingency planning\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "cp-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "the organization disseminates the contingency planning policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "the organization develops and documents procedures to facilitate the\n                        implementation of the contingency planning policy and associated contingency\n                        planning controls;"
-                          },
-                          {
-                            "id": "cp-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "cp-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "the organization disseminates the procedures to organization-defined\n                        personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to review and update the current\n                        contingency planning policy;"
-                          },
-                          {
-                            "id": "cp-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "the organization reviews and updates the current contingency planning with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the frequency to review and update the current\n                        contingency planning procedures; and"
-                          },
-                          {
-                            "id": "cp-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "the organization reviews and updates the current contingency planning\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-2",
-            "class": "SP800-53",
-            "title": "Contingency Plan",
-            "parameters": [
-              {
-                "id": "cp-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "cp-2_prm_2",
-                "label": "organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"
-              },
-              {
-                "id": "cp-2_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_prm_4",
-                "label": "organization-defined key contingency personnel (identified by name and/or by\n               role) and organizational elements"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a contingency plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "cp-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Identifies essential missions and business functions and associated contingency\n                     requirements;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Provides recovery objectives, restoration priorities, and metrics;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Addresses contingency roles, responsibilities, assigned individuals with\n                     contact information;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"
-                      },
-                      {
-                        "id": "cp-2_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented; and"
-                      },
-                      {
-                        "id": "cp-2_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by {{ cp-2_prm_1 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the contingency plan to {{ cp-2_prm_2 }};"
-                  },
-                  {
-                    "id": "cp-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Coordinates contingency planning activities with incident handling activities;"
-                  },
-                  {
-                    "id": "cp-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Reviews the contingency plan for the information system {{ cp-2_prm_3 }};"
-                  },
-                  {
-                    "id": "cp-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Updates the contingency plan to address changes to the organization, information\n                  system, or environment of operation and problems encountered during contingency\n                  plan implementation, execution, or testing;"
-                  },
-                  {
-                    "id": "cp-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Communicates contingency plan changes to {{ cp-2_prm_4 }}; and"
-                  },
-                  {
-                    "id": "cp-2_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Protects the contingency plan from unauthorized disclosure and modification."
-                  },
-                  {
-                    "id": "cp-2_fr",
-                    "name": "item",
-                    "title": "CP-2 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-2_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2 Requirement:"
-                          }
-                        ],
-                        "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_gdn",
-                "name": "guidance",
-                "prose": "Contingency planning for information systems is part of an overall organizational\n               program for achieving continuity of operations for mission/business functions.\n               Contingency planning addresses both information system restoration and implementation\n               of alternative mission/business processes when systems are compromised. The\n               effectiveness of contingency planning is maximized by considering such planning\n               throughout the phases of the system development life cycle. Performing contingency\n               planning on hardware, software, and firmware development can be an effective means of\n               achieving information system resiliency. Contingency plans reflect the degree of\n               restoration required for organizational information systems since not all systems may\n               need to fully recover to achieve the level of continuity of operations desired.\n               Information system recovery objectives reflect applicable laws, Executive Orders,\n               directives, policies, standards, regulations, and guidelines. In addition to\n               information system availability, contingency plans also address other\n               security-related events resulting in a reduction in mission and/or business\n               effectiveness, such as malicious attacks compromising the confidentiality or\n               integrity of information systems. Actions addressed in contingency plans include, for\n               example, orderly/graceful degradation, information system shutdown, fallback to a\n               manual mode, alternate information flows, and operating in modes reserved for when\n               systems are under attack. By closely coordinating contingency planning with incident\n               handling activities, organizations can ensure that the necessary contingency planning\n               activities are in place and activated in the event of a security incident.",
-                "links": [
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pm-8",
-                    "rel": "related",
-                    "text": "PM-8"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  }
-                ]
-              },
-              {
-                "id": "cp-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cp-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(a)"
-                      }
-                    ],
-                    "prose": "develops and documents a contingency plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "cp-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(1)"
-                          }
-                        ],
-                        "prose": "identifies essential missions and business functions and associated contingency\n                     requirements;"
-                      },
-                      {
-                        "id": "cp-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "provides recovery objectives;"
-                          },
-                          {
-                            "id": "cp-2.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "provides restoration priorities;"
-                          },
-                          {
-                            "id": "cp-2.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "provides metrics;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(3)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.3_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[1]"
-                              }
-                            ],
-                            "prose": "addresses contingency roles;"
-                          },
-                          {
-                            "id": "cp-2.a.3_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[2]"
-                              }
-                            ],
-                            "prose": "addresses contingency responsibilities;"
-                          },
-                          {
-                            "id": "cp-2.a.3_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(3)[3]"
-                              }
-                            ],
-                            "prose": "addresses assigned individuals with contact information;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-2.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(4)"
-                          }
-                        ],
-                        "prose": "addresses maintaining essential missions and business functions despite an\n                     information system disruption, compromise, or failure;"
-                      },
-                      {
-                        "id": "cp-2.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(5)"
-                          }
-                        ],
-                        "prose": "addresses eventual, full information system restoration without deterioration\n                     of the security safeguards originally planned and implemented;"
-                      },
-                      {
-                        "id": "cp-2.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(a)(6)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-2.a.6_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(6)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to review and approve the contingency plan for\n                        the information system;"
-                          },
-                          {
-                            "id": "cp-2.a.6_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-2(a)(6)[2]"
-                              }
-                            ],
-                            "prose": "is reviewed and approved by organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom copies of the contingency plan are to be\n                     distributed;"
-                      },
-                      {
-                        "id": "cp-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the contingency plan to organization-defined key\n                     contingency personnel and organizational elements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-2(c)"
-                      }
-                    ],
-                    "prose": "coordinates contingency planning activities with incident handling activities;"
-                  },
-                  {
-                    "id": "cp-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(d)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to review the contingency plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(d)[2]"
-                          }
-                        ],
-                        "prose": "reviews the contingency plan with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(e)"
-                      }
-                    ],
-                    "prose": "updates the contingency plan to address:",
-                    "parts": [
-                      {
-                        "id": "cp-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(e)[1]"
-                          }
-                        ],
-                        "prose": "changes to the organization, information system, or environment of\n                     operation;"
-                      },
-                      {
-                        "id": "cp-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(e)[2]"
-                          }
-                        ],
-                        "prose": "problems encountered during plan implementation, execution, and testing;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines key contingency personnel (identified by name and/or by role) and\n                     organizational elements to whom contingency plan changes are to be\n                     communicated;"
-                      },
-                      {
-                        "id": "cp-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(f)[2]"
-                          }
-                        ],
-                        "prose": "communicates contingency plan changes to organization-defined key contingency\n                     personnel and organizational elements; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-2(g)"
-                      }
-                    ],
-                    "prose": "protects the contingency plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nevidence of contingency plan reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency plan development, review, update, and\n                  protection\\n\\nautomated mechanisms for developing, reviewing, updating and/or protecting the\n                  contingency plan"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Coordinate with Related Plans",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.1_smt",
-                    "name": "statement",
-                    "prose": "The organization coordinates contingency plan development with organizational\n                  elements responsible for related plans."
-                  },
-                  {
-                    "id": "cp-2.1_gdn",
-                    "name": "guidance",
-                    "prose": "Plans related to contingency plans for organizational information systems include,\n                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of\n                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant\n                  Emergency Plans."
-                  },
-                  {
-                    "id": "cp-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization coordinates contingency plan development with\n                  organizational elements responsible for related plans."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness contingency plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\ncyber incident response plan\\n\\ninsider threat implementation plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel with responsibility for related plans"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Capacity Planning",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization conducts capacity planning so that necessary capacity for\n                  information processing, telecommunications, and environmental support exists\n                  during contingency operations."
-                  },
-                  {
-                    "id": "cp-2.2_gdn",
-                    "name": "guidance",
-                    "prose": "Capacity planning is needed because different types of threats (e.g., natural\n                  disasters, targeted cyber attacks) can result in a reduction of the available\n                  processing, telecommunications, and support services originally intended to\n                  support the organizational missions/business functions. Organizations may need to\n                  anticipate degraded operations during contingency operations and factor such\n                  degradation into capacity planning."
-                  },
-                  {
-                    "id": "cp-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization conducts capacity planning so that necessary\n                  capacity exists during contingency operations for: ",
-                    "parts": [
-                      {
-                        "id": "cp-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(2)[1]"
-                          }
-                        ],
-                        "prose": "information processing;"
-                      },
-                      {
-                        "id": "cp-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(2)[2]"
-                          }
-                        ],
-                        "prose": "telecommunications; and"
-                      },
-                      {
-                        "id": "cp-2.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-2(2)[3]"
-                          }
-                        ],
-                        "prose": "environmental support."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\ncapacity planning documents\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Resume Essential Missions / Business Functions",
-                "parameters": [
-                  {
-                    "id": "cp-2.3_prm_1",
-                    "label": "organization-defined time period"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization plans for the resumption of essential missions and business\n                  functions within {{ cp-2.3_prm_1 }} of contingency plan\n                  activation."
-                  },
-                  {
-                    "id": "cp-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. The time period for\n                  resumption of essential missions/business functions may be dependent on the\n                  severity/extent of disruptions to the information system and its supporting\n                  infrastructure.",
-                    "links": [
-                      {
-                        "href": "#pe-12",
-                        "rel": "related",
-                        "text": "PE-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "cp-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period to plan for the resumption of essential missions and\n                     business functions as a result of contingency plan activation; and"
-                      },
-                      {
-                        "id": "cp-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-2(3)[2]"
-                          }
-                        ],
-                        "prose": "plans for the resumption of essential missions and business functions within\n                     organization-defined time period of contingency plan activation."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nbusiness impact assessment\\n\\nother related plans\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for resumption of missions and business functions"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-2.8",
-                "class": "SP800-53-enhancement",
-                "title": "Identify Critical Assets",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-2(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-02.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-2.8_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies critical information system assets supporting\n                  essential missions and business functions."
-                  },
-                  {
-                    "id": "cp-2.8_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may choose to carry out the contingency planning activities in this\n                  control enhancement as part of organizational business continuity planning\n                  including, for example, as part of business impact analyses. Organizations\n                  identify critical information system assets so that additional safeguards and\n                  countermeasures can be employed (above and beyond those safeguards and\n                  countermeasures routinely implemented) to help ensure that organizational\n                  missions/business functions can continue to be conducted during contingency\n                  operations. In addition, the identification of critical information assets\n                  facilitates the prioritization of organizational resources. Critical information\n                  system assets include technical and operational aspects. Technical aspects\n                  include, for example, information technology services, information system\n                  components, information technology products, and mechanisms. Operational aspects\n                  include, for example, procedures (manually executed operations) and personnel\n                  (individuals operating technical safeguards and/or executing manual procedures).\n                  Organizational program protection plans can provide assistance in identifying\n                  critical assets.",
-                    "links": [
-                      {
-                        "href": "#sa-14",
-                        "rel": "related",
-                        "text": "SA-14"
-                      },
-                      {
-                        "href": "#sa-15",
-                        "rel": "related",
-                        "text": "SA-15"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-2.8_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization identifies critical information system assets\n                  supporting essential missions and business functions."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing contingency operations for the information system\\n\\ncontingency plan\\n\\nbusiness impact assessment\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-3",
-            "class": "SP800-53",
-            "title": "Contingency Training",
-            "parameters": [
-              {
-                "id": "cp-3_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "ten (10) days"
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-3_smt",
-                "name": "statement",
-                "prose": "The organization provides contingency training to information system users consistent\n               with assigned roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "cp-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Within {{ cp-3_prm_1 }} of assuming a contingency role or\n                  responsibility;"
-                  },
-                  {
-                    "id": "cp-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "cp-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ cp-3_prm_2 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_gdn",
-                "name": "guidance",
-                "prose": "Contingency training provided by organizations is linked to the assigned roles and\n               responsibilities of organizational personnel to ensure that the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know when and where to report for duty during contingency operations and if\n               normal duties are affected; system administrators may require additional training on\n               how to set up information systems at alternate processing and storage sites; and\n               managers/senior leaders may receive more specific training on how to conduct\n               mission-essential functions in designated off-site locations and how to establish\n               communications with other governmental entities for purposes of coordination on\n               contingency-related activities. Training for contingency roles/responsibilities\n               reflects the specific continuity requirements in the contingency plan.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ir-2",
-                    "rel": "related",
-                    "text": "IR-2"
-                  }
-                ]
-              },
-              {
-                "id": "cp-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "cp-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which contingency training is to be provided to\n                     information system users assuming a contingency role or responsibility;"
-                      },
-                      {
-                        "id": "cp-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(a)[2]"
-                          }
-                        ],
-                        "prose": "provides contingency training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming a contingency role or responsibility;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-3(b)"
-                      }
-                    ],
-                    "prose": "provides contingency training to information system users consistent with assigned\n                  roles and responsibilities when required by information system changes;"
-                  },
-                  {
-                    "id": "cp-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency for contingency training thereafter; and"
-                      },
-                      {
-                        "id": "cp-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides contingency training to information system users consistent with\n                     assigned roles and responsibilities with the organization-defined frequency\n                     thereafter."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency training\\n\\ncontingency plan\\n\\ncontingency training curriculum\\n\\ncontingency training material\\n\\nsecurity plan\\n\\ncontingency training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning, plan implementation, and\n                  training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency training"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-4",
-            "class": "SP800-53",
-            "title": "Contingency Plan Testing",
-            "parameters": [
-              {
-                "id": "cp-4_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_prm_2",
-                "label": "organization-defined tests",
-                "constraints": [
-                  {
-                    "detail": "functional exercises"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-84"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the\n                  effectiveness of the plan and the organizational readiness to execute the\n                  plan;"
-                  },
-                  {
-                    "id": "cp-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews the contingency plan test results; and"
-                  },
-                  {
-                    "id": "cp-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Initiates corrective actions, if needed."
-                  },
-                  {
-                    "id": "cp-4_fr",
-                    "name": "item",
-                    "title": "CP-4(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-4_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-4(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_gdn",
-                "name": "guidance",
-                "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and\n               to identify potential weaknesses in the plans include, for example, walk-through and\n               tabletop exercises, checklists, simulations (parallel, full interrupt), and\n               comprehensive exercises. Organizations conduct testing based on the continuity\n               requirements in contingency plans and include a determination of the effects on\n               organizational operations, assets, and individuals arising due to contingency\n               operations. Organizations have flexibility and discretion in the breadth, depth, and\n               timelines of corrective actions.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-3",
-                    "rel": "related",
-                    "text": "CP-3"
-                  },
-                  {
-                    "href": "#ir-3",
-                    "rel": "related",
-                    "text": "IR-3"
-                  }
-                ]
-              },
-              {
-                "id": "cp-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines tests to determine the effectiveness of the contingency plan and the\n                     organizational readiness to execute the plan;"
-                      },
-                      {
-                        "id": "cp-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[2]"
-                          }
-                        ],
-                        "prose": "defines a frequency to test the contingency plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-4(a)[3]"
-                          }
-                        ],
-                        "prose": "tests the contingency plan for the information system with the\n                     organization-defined frequency, using organization-defined tests to determine\n                     the effectiveness of the plan and the organizational readiness to execute the\n                     plan;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-4(b)"
-                      }
-                    ],
-                    "prose": "reviews the contingency plan test results; and"
-                  },
-                  {
-                    "id": "cp-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-4(c)"
-                      }
-                    ],
-                    "prose": "initiates corrective actions, if needed."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan\\n\\nsecurity plan\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for contingency plan testing,\n                  reviewing or responding to contingency plan tests\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for contingency plan testing\\n\\nautomated mechanisms supporting the contingency plan and/or contingency plan\n                  testing"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Coordinate with Related Plans",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization coordinates contingency plan testing with organizational elements\n                  responsible for related plans."
-                  },
-                  {
-                    "id": "cp-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "Plans related to contingency plans for organizational information systems include,\n                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of\n                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  Cyber Incident Response Plans, and Occupant Emergency Plans. This control\n                  enhancement does not require organizations to create organizational elements to\n                  handle related plans or to align such elements with specific plans. It does\n                  require, however, that if such organizational elements are responsible for related\n                  plans, organizations should coordinate with those elements.",
-                    "links": [
-                      {
-                        "href": "#ir-8",
-                        "rel": "related",
-                        "text": "IR-8"
-                      },
-                      {
-                        "href": "#pm-8",
-                        "rel": "related",
-                        "text": "PM-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-4.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization coordinates contingency plan testing with\n                  organizational elements responsible for related plans. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nincident response policy\\n\\nprocedures addressing contingency plan testing\\n\\ncontingency plan testing documentation\\n\\ncontingency plan\\n\\nbusiness continuity plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\ncyber incident response plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan testing responsibilities\\n\\norganizational personnel\\n\\npersonnel with responsibilities for related plans\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-6",
-            "class": "SP800-53",
-            "title": "Alternate Storage Site",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes an alternate storage site including necessary agreements to permit the\n                  storage and retrieval of information system backup information; and"
-                  },
-                  {
-                    "id": "cp-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that the alternate storage site provides information security safeguards\n                  equivalent to that of the primary site."
-                  }
-                ]
-              },
-              {
-                "id": "cp-6_gdn",
-                "name": "guidance",
-                "prose": "Alternate storage sites are sites that are geographically distinct from primary\n               storage sites. An alternate storage site maintains duplicate copies of information\n               and data in the event that the primary storage site is not available. Items covered\n               by alternate storage site agreements include, for example, environmental conditions\n               at alternate sites, access rules, physical and environmental protection requirements,\n               and coordination of delivery/retrieval of backup media. Alternate storage sites\n               reflect the requirements in contingency plans so that organizations can maintain\n               essential missions/business functions despite disruption, compromise, or failure in\n               organizational information systems.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  }
-                ]
-              },
-              {
-                "id": "cp-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-6_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-6[1]"
-                      }
-                    ],
-                    "prose": "establishes an alternate storage site including necessary agreements to permit the\n                  storage and retrieval of information system backup information; and"
-                  },
-                  {
-                    "id": "cp-6_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-6[2]"
-                      }
-                    ],
-                    "prose": "ensures that the alternate storage site provides information security safeguards\n                  equivalent to that of the primary site."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site agreements\\n\\nprimary storage site agreements\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency plan alternate storage site\n                  responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for storing and retrieving information system backup\n                  information at the alternate storage site\\n\\nautomated mechanisms supporting and/or implementing storage and retrieval of\n                  information system backup information at the alternate storage site"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Separation from Primary Site",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies an alternate storage site that is separated from the\n                  primary storage site to reduce susceptibility to the same threats."
-                  },
-                  {
-                    "id": "cp-6.1_gdn",
-                    "name": "guidance",
-                    "prose": "Threats that affect alternate storage sites are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber attacks, and errors of omission/commission.\n                  Organizations determine what is considered a sufficient degree of separation\n                  between primary and alternate storage sites based on the types of threats that are\n                  of concern. For one particular type of threat (i.e., hostile cyber attack), the\n                  degree of separation between sites is less relevant.",
-                    "links": [
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-6.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization identifies an alternate storage site that is\n                  separated from the primary storage site to reduce susceptibility to the same\n                  threats. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nalternate storage site agreements\\n\\nprimary storage site agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate storage site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-6.3",
-                "class": "SP800-53-enhancement",
-                "title": "Accessibility",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-6(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-06.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-6.3_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies potential accessibility problems to the alternate\n                  storage site in the event of an area-wide disruption or disaster and outlines\n                  explicit mitigation actions."
-                  },
-                  {
-                    "id": "cp-6.3_gdn",
-                    "name": "guidance",
-                    "prose": "Area-wide disruptions refer to those types of disruptions that are broad in\n                  geographic scope (e.g., hurricane, regional power outage) with such determinations\n                  made by organizations based on organizational assessments of risk. Explicit\n                  mitigation actions include, for example: (i) duplicating backup information at\n                  other alternate storage sites if access problems occur at originally designated\n                  alternate sites; or (ii) planning for physical access to retrieve backup\n                  information if electronic accessibility to the alternate site is disrupted.",
-                    "links": [
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-6.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-6.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-6(3)[1]"
-                          }
-                        ],
-                        "prose": "identifies potential accessibility problems to the alternate storage site in\n                     the event of an area-wide disruption or disaster; and"
-                      },
-                      {
-                        "id": "cp-6.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-6(3)[2]"
-                          }
-                        ],
-                        "prose": "outlines explicit mitigation actions for such potential accessibility problems\n                     to the alternate storage site in the event of an area-wide disruption or\n                     disaster."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate storage sites\\n\\ncontingency plan\\n\\nalternate storage site\\n\\nlist of potential accessibility problems to alternate storage site\\n\\nmitigation actions for accessibility problems to alternate storage site\\n\\norganizational risk assessments\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate storage site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-7",
-            "class": "SP800-53",
-            "title": "Alternate Processing Site",
-            "parameters": [
-              {
-                "id": "cp-7_prm_1",
-                "label": "organization-defined information system operations"
-              },
-              {
-                "id": "cp-7_prm_2",
-                "label": "organization-defined time period consistent with recovery time and recovery point\n               objectives"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes an alternate processing site including necessary agreements to permit\n                  the transfer and resumption of {{ cp-7_prm_1 }} for essential\n                  missions/business functions within {{ cp-7_prm_2 }} when the\n                  primary processing capabilities are unavailable;"
-                  },
-                  {
-                    "id": "cp-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that equipment and supplies required to transfer and resume operations are\n                  available at the alternate processing site or contracts are in place to support\n                  delivery to the site within the organization-defined time period for\n                  transfer/resumption; and"
-                  },
-                  {
-                    "id": "cp-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that the alternate processing site provides information security\n                  safeguards equivalent to those of the primary site."
-                  },
-                  {
-                    "id": "cp-7_fr",
-                    "name": "item",
-                    "title": "CP-7 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-7_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-7_gdn",
-                "name": "guidance",
-                "prose": "Alternate processing sites are sites that are geographically distinct from primary\n               processing sites. An alternate processing site provides processing capability in the\n               event that the primary processing site is not available. Items covered by alternate\n               processing site agreements include, for example, environmental conditions at\n               alternate sites, access rules, physical and environmental protection requirements,\n               and coordination for the transfer/assignment of personnel. Requirements are\n               specifically allocated to alternate processing sites that reflect the requirements in\n               contingency plans to maintain essential missions/business functions despite\n               disruption, compromise, or failure in organizational information systems.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#cp-10",
-                    "rel": "related",
-                    "text": "CP-10"
-                  },
-                  {
-                    "href": "#ma-6",
-                    "rel": "related",
-                    "text": "MA-6"
-                  }
-                ]
-              },
-              {
-                "id": "cp-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system operations requiring an alternate processing site to\n                     be established to permit the transfer and resumption of such operations;"
-                      },
-                      {
-                        "id": "cp-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(a)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period consistent with recovery time objectives and recovery\n                     point objectives (as specified in the information system contingency plan) for\n                     transfer/resumption of organization-defined information system operations for\n                     essential missions/business functions;"
-                      },
-                      {
-                        "id": "cp-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(a)[3]"
-                          }
-                        ],
-                        "prose": "establishes an alternate processing site including necessary agreements to\n                     permit the transfer and resumption of organization-defined information system\n                     operations for essential missions/business functions, within the\n                     organization-defined time period, when the primary processing capabilities are\n                     unavailable;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-7(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(b)[1]"
-                          }
-                        ],
-                        "prose": "ensures that equipment and supplies required to transfer and resume operations\n                     are available at the alternate processing site; or"
-                      },
-                      {
-                        "id": "cp-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(b)[2]"
-                          }
-                        ],
-                        "prose": "ensures that contracts are in place to support delivery to the site within the\n                     organization-defined time period for transfer/resumption; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-7(c)"
-                      }
-                    ],
-                    "prose": "ensures that the alternate processing site provides information security\n                  safeguards equivalent to those of the primary site."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nspare equipment and supplies inventory at alternate processing site\\n\\nequipment and supply contracts\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for contingency planning and/or\n                  alternate site arrangements\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for recovery at the alternate site\\n\\nautomated mechanisms supporting and/or implementing recovery at the alternate\n                  processing site"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Separation from Primary Site",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies an alternate processing site that is separated from\n                  the primary processing site to reduce susceptibility to the same threats.",
-                    "parts": [
-                      {
-                        "id": "cp-7.1_fr",
-                        "name": "item",
-                        "title": "CP-7 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "cp-7.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Threats that affect alternate processing sites are typically defined in\n                  organizational assessments of risk and include, for example, natural disasters,\n                  structural failures, hostile cyber attacks, and errors of omission/commission.\n                  Organizations determine what is considered a sufficient degree of separation\n                  between primary and alternate processing sites based on the types of threats that\n                  are of concern. For one particular type of threat (i.e., hostile cyber attack),\n                  the degree of separation between sites is less relevant.",
-                    "links": [
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization identifies an alternate processing site that is\n                  separated from the primary storage site to reduce susceptibility to the same\n                  threats. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-7.2",
-                "class": "SP800-53-enhancement",
-                "title": "Accessibility",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-7(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-07.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-7.2_smt",
-                    "name": "statement",
-                    "prose": "The organization identifies potential accessibility problems to the alternate\n                  processing site in the event of an area-wide disruption or disaster and outlines\n                  explicit mitigation actions."
-                  },
-                  {
-                    "id": "cp-7.2_gdn",
-                    "name": "guidance",
-                    "prose": "Area-wide disruptions refer to those types of disruptions that are broad in\n                  geographic scope (e.g., hurricane, regional power outage) with such determinations\n                  made by organizations based on organizational assessments of risk.",
-                    "links": [
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-7.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-7.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(2)[1]"
-                          }
-                        ],
-                        "prose": "identifies potential accessibility problems to the alternate processing site in\n                     the event of an area-wide disruption or disaster; and"
-                      },
-                      {
-                        "id": "cp-7.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-7(2)[2]"
-                          }
-                        ],
-                        "prose": "outlines explicit mitigation actions for such potential accessibility problems\n                     to the alternate processing site in the event of an area-wide disruption or\n                     disaster."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site\\n\\nalternate processing site agreements\\n\\nprimary processing site agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-7.3",
-                "class": "SP800-53-enhancement",
-                "title": "Priority of Service",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-7(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-07.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-7.3_smt",
-                    "name": "statement",
-                    "prose": "The organization develops alternate processing site agreements that contain\n                  priority-of-service provisions in accordance with organizational availability\n                  requirements (including recovery time objectives)."
-                  },
-                  {
-                    "id": "cp-7.3_gdn",
-                    "name": "guidance",
-                    "prose": "Priority-of-service agreements refer to negotiated agreements with service\n                  providers that ensure that organizations receive priority treatment consistent\n                  with their availability requirements and the availability of information resources\n                  at the alternate processing site."
-                  },
-                  {
-                    "id": "cp-7.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization develops alternate processing site agreements that\n                  contain priority-of-service provisions in accordance with organizational\n                  availability requirements (including recovery time objectives as specified in the\n                  information system contingency plan)."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing alternate processing sites\\n\\ncontingency plan\\n\\nalternate processing site agreements\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan alternate processing site\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-8",
-            "class": "SP800-53",
-            "title": "Telecommunications Services",
-            "parameters": [
-              {
-                "id": "cp-8_prm_1",
-                "label": "organization-defined information system operations"
-              },
-              {
-                "id": "cp-8_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              },
-              {
-                "href": "#fb5844de-ff96-47c0-b258-4f52bcc2f30d",
-                "rel": "reference",
-                "text": "National Communications Systems Directive 3-10"
-              },
-              {
-                "href": "#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604",
-                "rel": "reference",
-                "text": "http://www.dhs.gov/telecommunications-service-priority-tsp"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-8_smt",
-                "name": "statement",
-                "prose": "The organization establishes alternate telecommunications services including\n               necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for\n               essential missions and business functions within {{ cp-8_prm_2 }} when\n               the primary telecommunications capabilities are unavailable at either the primary or\n               alternate processing or storage sites.",
-                "parts": [
-                  {
-                    "id": "cp-8_fr",
-                    "name": "item",
-                    "title": "CP-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-8_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-8_gdn",
-                "name": "guidance",
-                "prose": "This control applies to telecommunications services (data and voice) for primary and\n               alternate processing and storage sites. Alternate telecommunications services reflect\n               the continuity requirements in contingency plans to maintain essential\n               missions/business functions despite the loss of primary telecommunications services.\n               Organizations may specify different time periods for primary/alternate sites.\n               Alternate telecommunications services include, for example, additional organizational\n               or commercial ground-based circuits/lines or satellites in lieu of ground-based\n               communications. Organizations consider factors such as availability, quality of\n               service, and access when entering into alternate telecommunications agreements.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "cp-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-8_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-8[1]"
-                      }
-                    ],
-                    "prose": "defines information system operations requiring alternate telecommunications\n                  services to be established to permit the resumption of such operations;"
-                  },
-                  {
-                    "id": "cp-8_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-8[2]"
-                      }
-                    ],
-                    "prose": "defines the time period to permit resumption of organization-defined information\n                  system operations for essential missions and business functions; and"
-                  },
-                  {
-                    "id": "cp-8_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-8[3]"
-                      }
-                    ],
-                    "prose": "establishes alternate telecommunications services including necessary agreements\n                  to permit the resumption of organization-defined information system operations for\n                  essential missions and business functions, within the organization-defined time\n                  period, when the primary telecommunications capabilities are unavailable at either\n                  the primary or alternate processing or storage sites."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency plan telecommunications\n                  responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                  agreements"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting telecommunications"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Priority of Service Provisions",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "cp-8.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Develops primary and alternate telecommunications service agreements that\n                     contain priority-of-service provisions in accordance with organizational\n                     availability requirements (including recovery time objectives); and"
-                      },
-                      {
-                        "id": "cp-8.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Requests Telecommunications Service Priority for all telecommunications\n                     services used for national security emergency preparedness in the event that\n                     the primary and/or alternate telecommunications services are provided by a\n                     common carrier."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations consider the potential mission/business impact in situations where\n                  telecommunications service providers are servicing other organizations with\n                  similar priority-of-service provisions."
-                  },
-                  {
-                    "id": "cp-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-8(1)[1]"
-                          }
-                        ],
-                        "prose": "develops primary and alternate telecommunications service agreements that\n                     contain priority-of-service provisions in accordance with organizational\n                     availability requirements (including recovery time objectives as specified in\n                     the information system contingency plan); and"
-                      },
-                      {
-                        "id": "cp-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-8(1)[2]"
-                          }
-                        ],
-                        "prose": "requests Telecommunications Service Priority for all telecommunications\n                     services used for national security emergency preparedness in the event that\n                     the primary and/or alternate telecommunications services are provided by a\n                     common carrier."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nTelecommunications Service Priority documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibility for acquisitions/contractual\n                     agreements"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting telecommunications"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Single Points of Failure",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-08.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-8.2_smt",
-                    "name": "statement",
-                    "prose": "The organization obtains alternate telecommunications services to reduce the\n                  likelihood of sharing a single point of failure with primary telecommunications\n                  services."
-                  },
-                  {
-                    "id": "cp-8.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization obtains alternate telecommunications services to\n                  reduce the likelihood of sharing a single point of failure with primary\n                  telecommunications services. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing primary and alternate telecommunications services\\n\\ncontingency plan\\n\\nprimary and alternate telecommunications service agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency plan telecommunications\n                     responsibilities\\n\\norganizational personnel with information system recovery responsibilities\\n\\nprimary and alternate telecommunications service providers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-9",
-            "class": "SP800-53",
-            "title": "Information System Backup",
-            "parameters": [
-              {
-                "id": "cp-9_prm_1",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_prm_2",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_prm_3",
-                "label": "organization-defined frequency consistent with recovery time and recovery point\n               objectives",
-                "constraints": [
-                  {
-                    "detail": "daily incremental; weekly full"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "CP-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-09"
-              }
-            ],
-            "links": [
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "cp-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Conducts backups of user-level information contained in the information system\n                     {{ cp-9_prm_1 }};"
-                  },
-                  {
-                    "id": "cp-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Conducts backups of system-level information contained in the information system\n                     {{ cp-9_prm_2 }};"
-                  },
-                  {
-                    "id": "cp-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Conducts backups of information system documentation including security-related\n                  documentation {{ cp-9_prm_3 }}; and"
-                  },
-                  {
-                    "id": "cp-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."
-                  },
-                  {
-                    "id": "cp-9_fr",
-                    "name": "item",
-                    "title": "CP-9 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "cp-9_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."
-                      },
-                      {
-                        "id": "cp-9_fr_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_gdn",
-                "name": "guidance",
-                "prose": "System-level information includes, for example, system-state information, operating\n               system and application software, and licenses. User-level information includes any\n               information other than system-level information. Mechanisms employed by organizations\n               to protect the integrity of information system backups include, for example, digital\n               signatures and cryptographic hashes. Protection of system backup information while in\n               transit is beyond the scope of this control. Information system backups reflect the\n               requirements in contingency plans as well as other organizational requirements for\n               backing up information.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "cp-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "cp-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of user-level information contained in the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(a)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of user-level information contained in the information system\n                     with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of system-level information contained in the information\n                     system;"
-                      },
-                      {
-                        "id": "cp-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(b)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of system-level information contained in the information\n                     system with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "cp-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency, consistent with recovery time objectives and recovery\n                     point objectives as specified in the information system contingency plan, to\n                     conduct backups of information system documentation including security-related\n                     documentation;"
-                      },
-                      {
-                        "id": "cp-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(c)[2]"
-                          }
-                        ],
-                        "prose": "conducts backups of information system documentation, including\n                     security-related documentation, with the organization-defined frequency;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-9(d)"
-                      }
-                    ],
-                    "prose": "protects the confidentiality, integrity, and availability of backup information at\n                  storage locations."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system backups"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-9.1",
-                "class": "SP800-53-enhancement",
-                "title": "Testing for Reliability / Integrity",
-                "parameters": [
-                  {
-                    "id": "cp-9.1_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least annually"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "CP-9(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-09.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-9.1_smt",
-                    "name": "statement",
-                    "prose": "The organization tests backup information {{ cp-9.1_prm_1 }} to\n                  verify media reliability and information integrity."
-                  },
-                  {
-                    "id": "cp-9.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cp-4",
-                        "rel": "related",
-                        "text": "CP-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-9.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(1)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to test backup information to verify media reliability\n                     and information integrity; and"
-                      },
-                      {
-                        "id": "cp-9.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(1)[2]"
-                          }
-                        ],
-                        "prose": "tests backup information with the organization-defined frequency to verify\n                     media reliability and information integrity."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for conducting information system backups\\n\\nautomated mechanisms supporting and/or implementing information system\n                     backups"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "cp-9.3",
-                "class": "SP800-53-enhancement",
-                "title": "Separate Storage for Critical Information",
-                "parameters": [
-                  {
-                    "id": "cp-9.3_prm_1",
-                    "label": "organization-defined critical information system software and other\n                  security-related information"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-9(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-09.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-9.3_smt",
-                    "name": "statement",
-                    "prose": "The organization stores backup copies of {{ cp-9.3_prm_1 }} in a\n                  separate facility or in a fire-rated container that is not collocated with the\n                  operational system."
-                  },
-                  {
-                    "id": "cp-9.3_gdn",
-                    "name": "guidance",
-                    "prose": "Critical information system software includes, for example, operating systems,\n                  cryptographic key management systems, and intrusion detection/prevention systems.\n                  Security-related information includes, for example, organizational inventories of\n                  hardware, software, and firmware components. Alternate storage sites typically\n                  serve as separate storage facilities for organizations.",
-                    "links": [
-                      {
-                        "href": "#cm-2",
-                        "rel": "related",
-                        "text": "CM-2"
-                      },
-                      {
-                        "href": "#cm-8",
-                        "rel": "related",
-                        "text": "CM-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-9.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "cp-9.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-9(3)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "cp-9.3_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-9(3)[1][a]"
-                              }
-                            ],
-                            "prose": "defines critical information system software and other security-related\n                        information requiring backup copies to be stored in a separate facility;\n                        or"
-                          },
-                          {
-                            "id": "cp-9.3_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "CP-9(3)[1][b]"
-                              }
-                            ],
-                            "prose": "defines critical information system software and other security-related\n                        information requiring backup copies to be stored in a fire-rated container\n                        that is not collocated with the operational system; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "cp-9.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "CP-9(3)[2]"
-                          }
-                        ],
-                        "prose": "stores backup copies of organization-defined critical information system\n                     software and other security-related information in a separate facility or in a\n                     fire-rated container that is not collocated with the operational system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\nbackup storage location(s)\\n\\ninformation system backup configurations and associated documentation\\n\\ninformation system backup logs or records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with contingency planning and plan implementation\n                     responsibilities\\n\\norganizational personnel with information system backup responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "cp-10",
-            "class": "SP800-53",
-            "title": "Information System Recovery and Reconstitution",
-            "properties": [
-              {
-                "name": "label",
-                "value": "CP-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "cp-10"
-              }
-            ],
-            "links": [
-              {
-                "href": "#023104bc-6f75-4cd5-b7d0-fc92326f8007",
-                "rel": "reference",
-                "text": "Federal Continuity Directive 1"
-              },
-              {
-                "href": "#748a81b9-9cad-463f-abde-8b368167e70d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-34"
-              }
-            ],
-            "parts": [
-              {
-                "id": "cp-10_smt",
-                "name": "statement",
-                "prose": "The organization provides for the recovery and reconstitution of the information\n               system to a known state after a disruption, compromise, or failure."
-              },
-              {
-                "id": "cp-10_gdn",
-                "name": "guidance",
-                "prose": "Recovery is executing information system contingency plan activities to restore\n               organizational missions/business functions. Reconstitution takes place following\n               recovery and includes activities for returning organizational information systems to\n               fully operational states. Recovery and reconstitution operations reflect mission and\n               business priorities, recovery point/time and reconstitution objectives, and\n               established organizational metrics consistent with contingency plan requirements.\n               Reconstitution includes the deactivation of any interim information system\n               capabilities that may have been needed during recovery operations. Reconstitution\n               also includes assessments of fully restored information system capabilities,\n               reestablishment of continuous monitoring activities, potential information system\n               reauthorizations, and activities to prepare the systems against future disruptions,\n               compromises, or failures. Recovery/reconstitution capabilities employed by\n               organizations can include both automated mechanisms and manual procedures.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-6",
-                    "rel": "related",
-                    "text": "CA-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#sc-24",
-                    "rel": "related",
-                    "text": "SC-24"
-                  }
-                ]
-              },
-              {
-                "id": "cp-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization provides for: ",
-                "parts": [
-                  {
-                    "id": "cp-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "CP-10[1]"
-                      }
-                    ],
-                    "prose": "the recovery of the information system to a known state after:",
-                    "parts": [
-                      {
-                        "id": "cp-10_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][a]"
-                          }
-                        ],
-                        "prose": "a disruption;"
-                      },
-                      {
-                        "id": "cp-10_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][b]"
-                          }
-                        ],
-                        "prose": "a compromise; or"
-                      },
-                      {
-                        "id": "cp-10_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[1][c]"
-                          }
-                        ],
-                        "prose": "a failure;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "cp-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "CP-10[2]"
-                      }
-                    ],
-                    "prose": "the reconstitution of the information system to a known state after:",
-                    "parts": [
-                      {
-                        "id": "cp-10_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][a]"
-                          }
-                        ],
-                        "prose": "a disruption;"
-                      },
-                      {
-                        "id": "cp-10_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][b]"
-                          }
-                        ],
-                        "prose": "a compromise; or"
-                      },
-                      {
-                        "id": "cp-10_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "CP-10[2][c]"
-                          }
-                        ],
-                        "prose": "a failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Contingency planning policy\\n\\nprocedures addressing information system backup\\n\\ncontingency plan\\n\\ninformation system backup test results\\n\\ncontingency plan test results\\n\\ncontingency plan test documentation\\n\\nredundant secondary system for information system backups\\n\\nlocation(s) of redundant secondary backup system(s)\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with contingency planning, recovery, and/or\n                  reconstitution responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes implementing information system recovery and\n                  reconstitution operations\\n\\nautomated mechanisms supporting and/or implementing information system recovery\n                  and reconstitution operations"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "cp-10.2",
-                "class": "SP800-53-enhancement",
-                "title": "Transaction Recovery",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "CP-10(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "cp-10.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "cp-10.2_smt",
-                    "name": "statement",
-                    "prose": "The information system implements transaction recovery for systems that are\n                  transaction-based."
-                  },
-                  {
-                    "id": "cp-10.2_gdn",
-                    "name": "guidance",
-                    "prose": "Transaction-based information systems include, for example, database management\n                  systems and transaction processing systems. Mechanisms supporting transaction\n                  recovery include, for example, transaction rollback and transaction\n                  journaling."
-                  },
-                  {
-                    "id": "cp-10.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements transaction recovery for systems\n                  that are transaction-based. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Contingency planning policy\\n\\nprocedures addressing information system recovery and reconstitution\\n\\ncontingency plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncontingency plan test documentation\\n\\ncontingency plan test results\\n\\ninformation system transaction recovery records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for transaction recovery\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing transaction recovery\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ia",
-        "class": "family",
-        "title": "Identification and Authentication",
-        "controls": [
-          {
-            "id": "ia-1",
-            "class": "SP800-53",
-            "title": "Identification and Authentication Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ia-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ia-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ia-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ia-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ia-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An identification and authentication policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "ia-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the identification and\n                     authentication policy and associated identification and authentication\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ia-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Identification and authentication policy {{ ia-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "ia-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Identification and authentication procedures {{ ia-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ia-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ia-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an identification and authentication policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "ia-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ia-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ia-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the identification and authentication\n                        policy is to be disseminated; and"
-                          },
-                          {
-                            "id": "ia-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the identification and authentication policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        identification and authentication policy and associated identification and\n                        authentication controls;"
-                          },
-                          {
-                            "id": "ia-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ia-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current identification and\n                        authentication policy;"
-                          },
-                          {
-                            "id": "ia-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current identification and authentication policy\n                        with the organization-defined frequency; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current identification and\n                        authentication procedures; and"
-                          },
-                          {
-                            "id": "ia-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current identification and authentication procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with identification and authentication\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-2",
-            "class": "SP800-53",
-            "title": "Identification and Authentication (organizational Users)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ad733a42-a7ed-4774-b988-4930c28852f3",
-                "rel": "reference",
-                "text": "HSPD-12"
-              },
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#4da24a96-6cf8-435d-9d1f-c73247cad109",
-                "rel": "reference",
-                "text": "OMB Memorandum 06-16"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-2_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates organizational users (or\n               processes acting on behalf of organizational users)."
-              },
-              {
-                "id": "ia-2_gdn",
-                "name": "guidance",
-                "prose": "Organizational users include employees or individuals that organizations deem to have\n               equivalent status of employees (e.g., contractors, guest researchers). This control\n               applies to all accesses other than: (i) accesses that are explicitly identified and\n               documented in AC-14; and (ii) accesses that occur through authorized use of group\n               authenticators without individual authentication. Organizations may require unique\n               identification of individuals in group accounts (e.g., shared privilege accounts) or\n               for detailed accountability of individual activity. Organizations employ passwords,\n               tokens, or biometrics to authenticate user identities, or in the case multifactor\n               authentication, or some combination thereof. Access to organizational information\n               systems is defined as either local access or network access. Local access is any\n               access to organizational information systems by users (or processes acting on behalf\n               of users) where such access is obtained by direct connections without the use of\n               networks. Network access is access to organizational information systems by users (or\n               processes acting on behalf of users) where such access is obtained through network\n               connections (i.e., nonlocal accesses). Remote access is a type of network access that\n               involves communication through external networks (e.g., the Internet). Internal\n               networks include local area networks and wide area networks. In addition, the use of\n               encrypted virtual private networks (VPNs) for network connections between\n               organization-controlled endpoints and non-organization controlled endpoints may be\n               treated as internal networks from the perspective of protecting the confidentiality\n               and integrity of information traversing the network. Organizations can satisfy the\n               identification and authentication requirements in this control by complying with the\n               requirements in Homeland Security Presidential Directive 12 consistent with the\n               specific organizational implementation plans. Multifactor authentication requires the\n               use of two or more different factors to achieve authentication. The factors are\n               defined as: (i) something you know (e.g., password, personal identification number\n               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);\n               or (iii) something you are (e.g., biometric). Multifactor solutions that require\n               devices separate from information systems gaining access include, for example,\n               hardware tokens providing time-based or challenge-response authenticators and smart\n               cards such as the U.S. Government Personal Identity Verification card and the DoD\n               common access card. In addition to identifying and authenticating users at the\n               information system level (i.e., at logon), organizations also employ identification\n               and authentication mechanisms at the application level, when necessary, to provide\n               increased information security. Identification and authentication requirements for\n               other than organizational users are described in IA-8.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  }
-                ]
-              },
-              {
-                "id": "ia-2_obj",
-                "name": "objective",
-                "prose": "Determine if the information system uniquely identifies and authenticates\n               organizational users (or processes acting on behalf of organizational users)."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for uniquely identifying and authenticating users\\n\\nautomated mechanisms supporting and/or implementing identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-2.1",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.1_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for network access to\n                  privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  network access to privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Non-privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.2_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for network access to\n                  non-privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  network access to non-privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Local Access to Privileged Accounts",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.3_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for local access to\n                  privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.3_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements multifactor authentication for\n                  local access to privileged accounts."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing multifactor authentication\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.5",
-                "class": "SP800-53-enhancement",
-                "title": "Group Authentication",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.5_smt",
-                    "name": "statement",
-                    "prose": "The organization requires individuals to be authenticated with an individual\n                  authenticator when a group authenticator is employed."
-                  },
-                  {
-                    "id": "ia-2.5_gdn",
-                    "name": "guidance",
-                    "prose": "Requiring individuals to use individual authenticators as a second level of\n                  authentication helps organizations to mitigate the risk of using group\n                  authenticators."
-                  },
-                  {
-                    "id": "ia-2.5_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires individuals to be authenticated with an\n                  individual authenticator when a group authenticator is employed."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing authentication capability\n                     for group accounts"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.8",
-                "class": "SP800-53-enhancement",
-                "title": "Network Access to Privileged Accounts - Replay Resistant",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.8_smt",
-                    "name": "statement",
-                    "prose": "The information system implements replay-resistant authentication mechanisms for\n                  network access to privileged accounts."
-                  },
-                  {
-                    "id": "ia-2.8_gdn",
-                    "name": "guidance",
-                    "prose": "Authentication processes resist replay attacks if it is impractical to achieve\n                  successful authentications by replaying previous authentication messages.\n                  Replay-resistant techniques include, for example, protocols that use nonces or\n                  challenges such as Transport Layer Security (TLS) and time synchronous or\n                  challenge-response one-time authenticators."
-                  },
-                  {
-                    "id": "ia-2.8_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements replay-resistant authentication\n                  mechanisms for network access to privileged accounts. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of privileged information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing replay resistant\n                     authentication mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.11",
-                "class": "SP800-53-enhancement",
-                "title": "Remote Access - Separate Device",
-                "parameters": [
-                  {
-                    "id": "ia-2.11_prm_1",
-                    "label": "organization-defined strength of mechanism requirements",
-                    "constraints": [
-                      {
-                        "detail": "FIPS 140-2, NIAP Certification, or NSA approval"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(11)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.11"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.11_smt",
-                    "name": "statement",
-                    "prose": "The information system implements multifactor authentication for remote access to\n                  privileged and non-privileged accounts such that one of the factors is provided by\n                  a device separate from the system gaining access and the device meets {{ ia-2.11_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ia-2.11_fr",
-                        "name": "item",
-                        "title": "IA-2 (11) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-2.11_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.11_gdn",
-                    "name": "guidance",
-                    "prose": "For remote access to privileged/non-privileged accounts, the purpose of requiring\n                  a device that is separate from the information system gaining access for one of\n                  the factors during multifactor authentication is to reduce the likelihood of\n                  compromising authentication credentials stored on the system. For example,\n                  adversaries deploying malicious code on organizational information systems can\n                  potentially compromise such credentials resident on the system and subsequently\n                  impersonate authorized users.",
-                    "links": [
-                      {
-                        "href": "#ac-6",
-                        "rel": "related",
-                        "text": "AC-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.11_obj",
-                    "name": "objective",
-                    "prose": "Determine if: ",
-                    "parts": [
-                      {
-                        "id": "ia-2.11_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[1]"
-                          }
-                        ],
-                        "prose": "the information system implements multifactor authentication for remote access\n                     to privileged accounts such that one of the factors is provided by a device\n                     separate from the system gaining access;"
-                      },
-                      {
-                        "id": "ia-2.11_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[2]"
-                          }
-                        ],
-                        "prose": "the information system implements multifactor authentication for remote access\n                     to non-privileged accounts such that one of the factors is provided by a device\n                     separate from the system gaining access;"
-                      },
-                      {
-                        "id": "ia-2.11_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[3]"
-                          }
-                        ],
-                        "prose": "the organization defines strength of mechanism requirements to be enforced by a\n                     device separate from the system gaining remote access to privileged\n                     accounts;"
-                      },
-                      {
-                        "id": "ia-2.11_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[4]"
-                          }
-                        ],
-                        "prose": "the organization defines strength of mechanism requirements to be enforced by a\n                     device separate from the system gaining remote access to non-privileged\n                     accounts;"
-                      },
-                      {
-                        "id": "ia-2.11_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[5]"
-                          }
-                        ],
-                        "prose": "the information system implements multifactor authentication for remote access\n                     to privileged accounts such that a device, separate from the system gaining\n                     access, meets organization-defined strength of mechanism requirements; and"
-                      },
-                      {
-                        "id": "ia-2.11_obj.6",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(11)[6]"
-                          }
-                        ],
-                        "prose": "the information system implements multifactor authentication for remote access\n                     to non-privileged accounts such that a device, separate from the system gaining\n                     access, meets organization-defined strength of mechanism requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of privileged and non-privileged information system accounts\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-2.12",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of PIV Credentials",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-2(12)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-02.12"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-2.12_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials.",
-                    "parts": [
-                      {
-                        "id": "ia-2.12_fr",
-                        "name": "item",
-                        "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-2.12_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.12_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to organizations implementing logical access\n                  control systems (LACS) and physical access control systems (PACS). Personal\n                  Identity Verification (PIV) credentials are those credentials issued by federal\n                  agencies that conform to FIPS Publication 201 and supporting guidance documents.\n                  OMB Memorandum 11-11 requires federal agencies to continue implementing the\n                  requirements specified in HSPD-12 to enable agency-wide use of PIV\n                  credentials.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-2.12_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system: ",
-                    "parts": [
-                      {
-                        "id": "ia-2.12_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(12)[1]"
-                          }
-                        ],
-                        "prose": "accepts Personal Identity Verification (PIV) credentials; and"
-                      },
-                      {
-                        "id": "ia-2.12_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-2(12)[2]"
-                          }
-                        ],
-                        "prose": "electronically verifies Personal Identity Verification (PIV) credentials."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing acceptance and verification\n                     of PIV credentials"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-3",
-            "class": "SP800-53",
-            "title": "Device Identification and Authentication",
-            "parameters": [
-              {
-                "id": "ia-3_prm_1",
-                "label": "organization-defined specific and/or types of devices"
-              },
-              {
-                "id": "ia-3_prm_2"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-03"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-3_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }}\n               connection."
-              },
-              {
-                "id": "ia-3_gdn",
-                "name": "guidance",
-                "prose": "Organizational devices requiring unique device-to-device identification and\n               authentication may be defined by type, by device, or by a combination of type/device.\n               Information systems typically use either shared known information (e.g., Media Access\n               Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)\n               for device identification or organizational authentication solutions (e.g., IEEE\n               802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport\n               Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on\n               local and/or wide area networks. Organizations determine the required strength of\n               authentication mechanisms by the security categories of information systems. Because\n               of the challenges of applying this control on large scale, organizations are\n               encouraged to only apply the control to those limited number (and type) of devices\n               that truly need to support this capability.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  }
-                ]
-              },
-              {
-                "id": "ia-3_obj",
-                "name": "objective",
-                "prose": "Determine if: ",
-                "parts": [
-                  {
-                    "id": "ia-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-3[1]"
-                      }
-                    ],
-                    "prose": "the organization defines specific and/or types of devices that the information\n                  system uniquely identifies and authenticates before establishing one or more of\n                  the following:",
-                    "parts": [
-                      {
-                        "id": "ia-3_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[1][a]"
-                          }
-                        ],
-                        "prose": "a local connection;"
-                      },
-                      {
-                        "id": "ia-3_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[1][b]"
-                          }
-                        ],
-                        "prose": "a remote connection; and/or"
-                      },
-                      {
-                        "id": "ia-3_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[1][c]"
-                          }
-                        ],
-                        "prose": "a network connection; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-3[2]"
-                      }
-                    ],
-                    "prose": "the information system uniquely identifies and authenticates organization-defined\n                  devices before establishing one or more of the following:",
-                    "parts": [
-                      {
-                        "id": "ia-3_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[2][a]"
-                          }
-                        ],
-                        "prose": "a local connection;"
-                      },
-                      {
-                        "id": "ia-3_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[2][b]"
-                          }
-                        ],
-                        "prose": "a remote connection; and/or"
-                      },
-                      {
-                        "id": "ia-3_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-3[2][c]"
-                          }
-                        ],
-                        "prose": "a network connection."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing device identification and authentication\\n\\ninformation system design documentation\\n\\nlist of devices requiring unique identification and authentication\\n\\ndevice connection reports\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with operational responsibilities for device\n                  identification and authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing device identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-4",
-            "class": "SP800-53",
-            "title": "Identifier Management",
-            "parameters": [
-              {
-                "id": "ia-4_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ia-4_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "IA-4 (d) [at least two years]"
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_prm_3",
-                "label": "organization-defined time period of inactivity",
-                "constraints": [
-                  {
-                    "detail": "ninety days for user identifiers (See additional requirements and guidance)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-4_smt",
-                "name": "statement",
-                "prose": "The organization manages information system identifiers by:",
-                "parts": [
-                  {
-                    "id": "ia-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Receiving authorization from {{ ia-4_prm_1 }} to assign an\n                  individual, group, role, or device identifier;"
-                  },
-                  {
-                    "id": "ia-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Selecting an identifier that identifies an individual, group, role, or device;"
-                  },
-                  {
-                    "id": "ia-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Assigning the identifier to the intended individual, group, role, or device;"
-                  },
-                  {
-                    "id": "ia-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ia-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Disabling the identifier after {{ ia-4_prm_3 }}."
-                  },
-                  {
-                    "id": "ia-4_fr",
-                    "name": "item",
-                    "title": "IA-4(e) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ia-4_fr_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines the time period of inactivity for device identifiers."
-                      },
-                      {
-                        "id": "ia-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_gdn",
-                "name": "guidance",
-                "prose": "Common device identifiers include, for example, media access control (MAC), Internet\n               protocol (IP) addresses, or device-unique token identifiers. Management of individual\n               identifiers is not applicable to shared information system accounts (e.g., guest and\n               anonymous accounts). Typically, individual identifiers are the user names of the\n               information system accounts assigned to those individuals. In such instances, the\n               account management activities of AC-2 use account names provided by IA-4. This\n               control also addresses individual identifiers not necessarily associated with\n               information system accounts (e.g., identifiers used in physical security control\n               databases accessed by badge reader systems for access to information systems).\n               Preventing reuse of identifiers implies preventing the assignment of previously used\n               individual, group, role, or device identifiers to different individuals, groups,\n               roles, or devices.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#sc-37",
-                    "rel": "related",
-                    "text": "SC-37"
-                  }
-                ]
-              },
-              {
-                "id": "ia-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization manages information system identifiers by: ",
-                "parts": [
-                  {
-                    "id": "ia-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defining personnel or roles from whom authorization must be received to\n                     assign:",
-                        "parts": [
-                          {
-                            "id": "ia-4.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][a]"
-                              }
-                            ],
-                            "prose": "an individual identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][b]"
-                              }
-                            ],
-                            "prose": "a group identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][c]"
-                              }
-                            ],
-                            "prose": "a role identifier; and/or"
-                          },
-                          {
-                            "id": "ia-4.a_obj.1.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[1][d]"
-                              }
-                            ],
-                            "prose": "a device identifier;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(a)[2]"
-                          }
-                        ],
-                        "prose": "receiving authorization from organization-defined personnel or roles to\n                     assign:",
-                        "parts": [
-                          {
-                            "id": "ia-4.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][a]"
-                              }
-                            ],
-                            "prose": "an individual identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][b]"
-                              }
-                            ],
-                            "prose": "a group identifier;"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][c]"
-                              }
-                            ],
-                            "prose": "a role identifier; and/or"
-                          },
-                          {
-                            "id": "ia-4.a_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-4(a)[2][d]"
-                              }
-                            ],
-                            "prose": "a device identifier;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-4(b)"
-                      }
-                    ],
-                    "prose": "selecting an identifier that identifies:",
-                    "parts": [
-                      {
-                        "id": "ia-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[1]"
-                          }
-                        ],
-                        "prose": "an individual;"
-                      },
-                      {
-                        "id": "ia-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[2]"
-                          }
-                        ],
-                        "prose": "a group;"
-                      },
-                      {
-                        "id": "ia-4.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[3]"
-                          }
-                        ],
-                        "prose": "a role; and/or"
-                      },
-                      {
-                        "id": "ia-4.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(b)[4]"
-                          }
-                        ],
-                        "prose": "a device;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-4(c)"
-                      }
-                    ],
-                    "prose": "assigning the identifier to the intended:",
-                    "parts": [
-                      {
-                        "id": "ia-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[1]"
-                          }
-                        ],
-                        "prose": "individual;"
-                      },
-                      {
-                        "id": "ia-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[2]"
-                          }
-                        ],
-                        "prose": "group;"
-                      },
-                      {
-                        "id": "ia-4.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[3]"
-                          }
-                        ],
-                        "prose": "role; and/or"
-                      },
-                      {
-                        "id": "ia-4.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-4(c)[4]"
-                          }
-                        ],
-                        "prose": "device;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(d)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period for preventing reuse of identifiers;"
-                      },
-                      {
-                        "id": "ia-4.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(d)[2]"
-                          }
-                        ],
-                        "prose": "preventing reuse of identifiers for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-4(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-4.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(e)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period of inactivity to disable the identifier; and"
-                      },
-                      {
-                        "id": "ia-4.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(e)[2]"
-                          }
-                        ],
-                        "prose": "disabling the identifier after the organization-defined time period of\n                     inactivity."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system accounts\\n\\nlist of identifiers generated from physical access control devices\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing identifier management"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-4.4",
-                "class": "SP800-53-enhancement",
-                "title": "Identify User Status",
-                "parameters": [
-                  {
-                    "id": "ia-4.4_prm_1",
-                    "label": "organization-defined characteristic identifying individual status",
-                    "constraints": [
-                      {
-                        "detail": "contractors; foreign nationals"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-4(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-04.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-4.4_smt",
-                    "name": "statement",
-                    "prose": "The organization manages individual identifiers by uniquely identifying each\n                  individual as {{ ia-4.4_prm_1 }}."
-                  },
-                  {
-                    "id": "ia-4.4_gdn",
-                    "name": "guidance",
-                    "prose": "Characteristics identifying the status of individuals include, for example,\n                  contractors and foreign nationals. Identifying the status of individuals by\n                  specific characteristics provides additional information about the people with\n                  whom organizational personnel are communicating. For example, it might be useful\n                  for a government employee to know that one of the individuals on an email message\n                  is a contractor.",
-                    "links": [
-                      {
-                        "href": "#at-2",
-                        "rel": "related",
-                        "text": "AT-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-4.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-4.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(4)[1]"
-                          }
-                        ],
-                        "prose": "defines a characteristic to be used to identify individual status; and"
-                      },
-                      {
-                        "id": "ia-4.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-4(4)[2]"
-                          }
-                        ],
-                        "prose": "manages individual identifiers by uniquely identifying each individual as the\n                     organization-defined characteristic identifying individual status."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing identifier management\\n\\nprocedures addressing account management\\n\\nlist of characteristics identifying individual status\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with identifier management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identifier management"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-5",
-            "class": "SP800-53",
-            "title": "Authenticator Management",
-            "parameters": [
-              {
-                "id": "ia-5_prm_1",
-                "label": "organization-defined time period by authenticator type"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-5_smt",
-                "name": "statement",
-                "prose": "The organization manages information system authenticators by:",
-                "parts": [
-                  {
-                    "id": "ia-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Verifying, as part of the initial authenticator distribution, the identity of the\n                  individual, group, role, or device receiving the authenticator;"
-                  },
-                  {
-                    "id": "ia-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishing initial authenticator content for authenticators defined by the\n                  organization;"
-                  },
-                  {
-                    "id": "ia-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"
-                  },
-                  {
-                    "id": "ia-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Establishing and implementing administrative procedures for initial authenticator\n                  distribution, for lost/compromised or damaged authenticators, and for revoking\n                  authenticators;"
-                  },
-                  {
-                    "id": "ia-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Changing default content of authenticators prior to information system\n                  installation;"
-                  },
-                  {
-                    "id": "ia-5_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Establishing minimum and maximum lifetime restrictions and reuse conditions for\n                  authenticators;"
-                  },
-                  {
-                    "id": "ia-5_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Changing/refreshing authenticators {{ ia-5_prm_1 }};"
-                  },
-                  {
-                    "id": "ia-5_smt.h",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "h."
-                      }
-                    ],
-                    "prose": "Protecting authenticator content from unauthorized disclosure and\n                  modification;"
-                  },
-                  {
-                    "id": "ia-5_smt.i",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "i."
-                      }
-                    ],
-                    "prose": "Requiring individuals to take, and having devices implement, specific security\n                  safeguards to protect authenticators; and"
-                  },
-                  {
-                    "id": "ia-5_smt.j",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "j."
-                      }
-                    ],
-                    "prose": "Changing authenticators for group/role accounts when membership to those accounts\n                  changes."
-                  },
-                  {
-                    "id": "ia-5_fr",
-                    "name": "item",
-                    "title": "IA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ia-5_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5_gdn",
-                "name": "guidance",
-                "prose": "Individual authenticators include, for example, passwords, tokens, biometrics, PKI\n               certificates, and key cards. Initial authenticator content is the actual content\n               (e.g., the initial password) as opposed to requirements about authenticator content\n               (e.g., minimum password length). In many cases, developers ship information system\n               components with factory default authentication credentials to allow for initial\n               installation and configuration. Default authentication credentials are often well\n               known, easily discoverable, and present a significant security risk. The requirement\n               to protect individual authenticators may be implemented via control PL-4 or PS-6 for\n               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28\n               for authenticators stored within organizational information systems (e.g., passwords\n               stored in hashed or encrypted formats, files containing encrypted or hashed passwords\n               accessible with administrator privileges). Information systems support individual\n               authenticator management by organization-defined settings and restrictions for\n               various authenticator characteristics including, for example, minimum password\n               length, password composition, validation time window for time synchronous one-time\n               tokens, and number of allowed rejections during the verification stage of biometric\n               authentication. Specific actions that can be taken to safeguard authenticators\n               include, for example, maintaining possession of individual authenticators, not\n               loaning or sharing individual authenticators with others, and reporting lost, stolen,\n               or compromised authenticators immediately. Authenticator management includes issuing\n               and revoking, when no longer needed, authenticators for temporary access such as that\n               required for remote maintenance. Device authenticators include, for example,\n               certificates and passwords.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  }
-                ]
-              },
-              {
-                "id": "ia-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization manages information system authenticators by: ",
-                "parts": [
-                  {
-                    "id": "ia-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(a)"
-                      }
-                    ],
-                    "prose": "verifying, as part of the initial authenticator distribution, the identity of:",
-                    "parts": [
-                      {
-                        "id": "ia-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "the individual receiving the authenticator;"
-                      },
-                      {
-                        "id": "ia-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "the group receiving the authenticator;"
-                      },
-                      {
-                        "id": "ia-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[3]"
-                          }
-                        ],
-                        "prose": "the role receiving the authenticator; and/or"
-                      },
-                      {
-                        "id": "ia-5.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(a)[4]"
-                          }
-                        ],
-                        "prose": "the device receiving the authenticator;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(b)"
-                      }
-                    ],
-                    "prose": "establishing initial authenticator content for authenticators defined by the\n                  organization;"
-                  },
-                  {
-                    "id": "ia-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(c)"
-                      }
-                    ],
-                    "prose": "ensuring that authenticators have sufficient strength of mechanism for their\n                  intended use;"
-                  },
-                  {
-                    "id": "ia-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[1]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for initial\n                     authenticator distribution;"
-                      },
-                      {
-                        "id": "ia-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[2]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for lost/compromised or\n                     damaged authenticators;"
-                      },
-                      {
-                        "id": "ia-5.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(d)[3]"
-                          }
-                        ],
-                        "prose": "establishing and implementing administrative procedures for revoking\n                     authenticators;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(e)"
-                      }
-                    ],
-                    "prose": "changing default content of authenticators prior to information system\n                  installation;"
-                  },
-                  {
-                    "id": "ia-5.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[1]"
-                          }
-                        ],
-                        "prose": "establishing minimum lifetime restrictions for authenticators;"
-                      },
-                      {
-                        "id": "ia-5.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[2]"
-                          }
-                        ],
-                        "prose": "establishing maximum lifetime restrictions for authenticators;"
-                      },
-                      {
-                        "id": "ia-5.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(f)[3]"
-                          }
-                        ],
-                        "prose": "establishing reuse conditions for authenticators;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(g)[1]"
-                          }
-                        ],
-                        "prose": "defining a time period (by authenticator type) for changing/refreshing\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(g)[2]"
-                          }
-                        ],
-                        "prose": "changing/refreshing authenticators with the organization-defined time period by\n                     authenticator type;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.h_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(h)"
-                      }
-                    ],
-                    "prose": "protecting authenticator content from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "ia-5.h_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(h)[1]"
-                          }
-                        ],
-                        "prose": "disclosure;"
-                      },
-                      {
-                        "id": "ia-5.h_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(h)[2]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.i_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IA-5(i)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ia-5.i_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(i)[1]"
-                          }
-                        ],
-                        "prose": "requiring individuals to take specific security safeguards to protect\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.i_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(i)[2]"
-                          }
-                        ],
-                        "prose": "having devices implement specific security safeguards to protect\n                     authenticators; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.j_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IA-5(j)"
-                      }
-                    ],
-                    "prose": "changing authenticators for group/role accounts when membership to those accounts\n                  changes."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system authenticator types\\n\\nchange control records associated with managing information system\n                  authenticators\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                  capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Password-based Authentication",
-                "parameters": [
-                  {
-                    "id": "ia-5.1_prm_1",
-                    "label": "organization-defined requirements for case sensitivity, number of characters,\n                  mix of upper-case letters, lower-case letters, numbers, and special characters,\n                  including minimum requirements for each type"
-                  },
-                  {
-                    "id": "ia-5.1_prm_2",
-                    "label": "organization-defined number",
-                    "constraints": [
-                      {
-                        "detail": "at least one"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_prm_3",
-                    "label": "organization-defined numbers for lifetime minimum, lifetime maximum"
-                  },
-                  {
-                    "id": "ia-5.1_prm_4",
-                    "label": "organization-defined number",
-                    "constraints": [
-                      {
-                        "detail": "twenty four (24)"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "IA-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.1_smt",
-                    "name": "statement",
-                    "prose": "The information system, for password-based authentication:",
-                    "parts": [
-                      {
-                        "id": "ia-5.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Enforces minimum password complexity of {{ ia-5.1_prm_1 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Enforces at least the following number of changed characters when new passwords\n                     are created: {{ ia-5.1_prm_2 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Stores and transmits only cryptographically-protected passwords;"
-                      },
-                      {
-                        "id": "ia-5.1_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};"
-                      },
-                      {
-                        "id": "ia-5.1_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)"
-                          }
-                        ],
-                        "prose": "Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;\n                     and"
-                      },
-                      {
-                        "id": "ia-5.1_smt.f",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(f)"
-                          }
-                        ],
-                        "prose": "Allows the use of a temporary password for system logons with an immediate\n                     change to a permanent password."
-                      },
-                      {
-                        "id": "ia-5.1_fr",
-                        "name": "item",
-                        "title": "IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-5.1_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(a) (d) Guidance:"
-                              }
-                            ],
-                            "prose": "If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to single-factor authentication of individuals\n                  using passwords as individual or group authenticators, and in a similar manner,\n                  when passwords are part of multifactor authenticators. This control enhancement\n                  does not apply when passwords are used to unlock hardware authenticators (e.g.,\n                  Personal Identity Verification cards). The implementation of such password\n                  mechanisms may not meet all of the requirements in the enhancement.\n                  Cryptographically-protected passwords include, for example, encrypted versions of\n                  passwords and one-way cryptographic hashes of passwords. The number of changed\n                  characters refers to the number of changes required with respect to the total\n                  number of positions in the current password. Password lifetime restrictions do not\n                  apply to temporary passwords. To mitigate certain brute force attacks against\n                  passwords, organizations may also consider salting passwords.",
-                    "links": [
-                      {
-                        "href": "#ia-6",
-                        "rel": "related",
-                        "text": "IA-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if, for password-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for case sensitivity;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for number of characters;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[3]"
-                              }
-                            ],
-                            "prose": "the organization defines requirements for the mix of upper-case letters,\n                        lower-case letters, numbers and special characters;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[4]"
-                              }
-                            ],
-                            "prose": "the organization defines minimum requirements for each type of\n                        character;"
-                          },
-                          {
-                            "id": "ia-5.1.a_obj.5",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(a)[5]"
-                              }
-                            ],
-                            "prose": "the information system enforces minimum password complexity of\n                        organization-defined requirements for case sensitivity, number of\n                        characters, mix of upper-case letters, lower-case letters, numbers, and\n                        special characters, including minimum requirements for each type;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.a",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines a minimum number of changed characters to be\n                        enforced when new passwords are created;"
-                          },
-                          {
-                            "id": "ia-5.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "the information system enforces at least the organization-defined minimum\n                        number of characters that must be changed when new passwords are\n                        created;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.b",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(c)"
-                          }
-                        ],
-                        "prose": "the information system stores and transmits only encrypted representations of\n                     passwords;",
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.c",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(d)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.d_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines numbers for password minimum lifetime restrictions\n                        to be enforced for passwords;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[2]"
-                              }
-                            ],
-                            "prose": "the organization defines numbers for password maximum lifetime restrictions\n                        to be enforced for passwords;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[3]"
-                              }
-                            ],
-                            "prose": "the information system enforces password minimum lifetime restrictions of\n                        organization-defined numbers for lifetime minimum;"
-                          },
-                          {
-                            "id": "ia-5.1.d_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(d)[4]"
-                              }
-                            ],
-                            "prose": "the information system enforces password maximum lifetime restrictions of\n                        organization-defined numbers for lifetime maximum;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.d",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(d)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.e_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(e)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.1.e_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(e)[1]"
-                              }
-                            ],
-                            "prose": "the organization defines the number of password generations to be prohibited\n                        from password reuse;"
-                          },
-                          {
-                            "id": "ia-5.1.e_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(1)(e)[2]"
-                              }
-                            ],
-                            "prose": "the information system prohibits password reuse for the organization-defined\n                        number of generations; and"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.e",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(e)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.1.f_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(1)(f)"
-                          }
-                        ],
-                        "prose": "the information system allows the use of a temporary password for system logons\n                     with an immediate change to a permanent password.",
-                        "links": [
-                          {
-                            "href": "#ia-5.1_smt.f",
-                            "rel": "corresp",
-                            "text": "IA-5(1)(f)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\npassword policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\npassword configurations and associated documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.2",
-                "class": "SP800-53-enhancement",
-                "title": "Pki-based Authentication",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.2_smt",
-                    "name": "statement",
-                    "prose": "The information system, for PKI-based authentication:",
-                    "parts": [
-                      {
-                        "id": "ia-5.2_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Validates certifications by constructing and verifying a certification path to\n                     an accepted trust anchor including checking certificate status information;"
-                      },
-                      {
-                        "id": "ia-5.2_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Enforces authorized access to the corresponding private key;"
-                      },
-                      {
-                        "id": "ia-5.2_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Maps the authenticated identity to the account of the individual or group;\n                     and"
-                      },
-                      {
-                        "id": "ia-5.2_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Implements a local cache of revocation data to support path discovery and\n                     validation in case of inability to access revocation information via the\n                     network."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.2_gdn",
-                    "name": "guidance",
-                    "prose": "Status information for certification paths includes, for example, certificate\n                  revocation lists or certificate status protocol responses. For PIV cards,\n                  validation of certifications involves the construction and verification of a\n                  certification path to the Common Policy Root trust anchor including certificate\n                  policy processing.",
-                    "links": [
-                      {
-                        "href": "#ia-6",
-                        "rel": "related",
-                        "text": "IA-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system, for PKI-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.2.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(2)(a)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ia-5.2.a_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(2)(a)[1]"
-                              }
-                            ],
-                            "prose": "validates certifications by constructing a certification path to an accepted\n                        trust anchor;"
-                          },
-                          {
-                            "id": "ia-5.2.a_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(2)(a)[2]"
-                              }
-                            ],
-                            "prose": "validates certifications by verifying a certification path to an accepted\n                        trust anchor;"
-                          },
-                          {
-                            "id": "ia-5.2.a_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IA-5(2)(a)[3]"
-                              }
-                            ],
-                            "prose": "includes checking certificate status information when constructing and\n                        verifying the certification path;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ia-5.2_smt.a",
-                            "rel": "corresp",
-                            "text": "IA-5(2)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.2.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(2)(b)"
-                          }
-                        ],
-                        "prose": "enforces authorized access to the corresponding private key;",
-                        "links": [
-                          {
-                            "href": "#ia-5.2_smt.b",
-                            "rel": "corresp",
-                            "text": "IA-5(2)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.2.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(2)(c)"
-                          }
-                        ],
-                        "prose": "maps the authenticated identity to the account of the individual or group;\n                     and",
-                        "links": [
-                          {
-                            "href": "#ia-5.2_smt.c",
-                            "rel": "corresp",
-                            "text": "IA-5(2)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.2.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(2)(d)"
-                          }
-                        ],
-                        "prose": "implements a local cache of revocation data to support path discovery and\n                     validation in case of inability to access revocation information via the\n                     network.",
-                        "links": [
-                          {
-                            "href": "#ia-5.2_smt.d",
-                            "rel": "corresp",
-                            "text": "IA-5(2)(d)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nPKI certification validation records\\n\\nPKI certification revocation lists\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with PKI-based, authenticator management\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing PKI-based, authenticator\n                     management capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.3",
-                "class": "SP800-53-enhancement",
-                "title": "In-person or Trusted Third-party Registration",
-                "parameters": [
-                  {
-                    "id": "ia-5.3_prm_1",
-                    "label": "organization-defined types of and/or specific authenticators",
-                    "constraints": [
-                      {
-                        "detail": "All hardware/biometric (multifactor authenticators)"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.3_prm_2",
-                    "constraints": [
-                      {
-                        "detail": "in person"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.3_prm_3",
-                    "label": "organization-defined registration authority"
-                  },
-                  {
-                    "id": "ia-5.3_prm_4",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.3_smt",
-                    "name": "statement",
-                    "prose": "The organization requires that the registration process to receive {{ ia-5.3_prm_1 }} be conducted {{ ia-5.3_prm_2 }} before\n                     {{ ia-5.3_prm_3 }} with authorization by {{ ia-5.3_prm_4 }}."
-                  },
-                  {
-                    "id": "ia-5.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[1]"
-                          }
-                        ],
-                        "prose": "defines types of and/or specific authenticators to be received in person or by\n                     a trusted third party;"
-                      },
-                      {
-                        "id": "ia-5.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[2]"
-                          }
-                        ],
-                        "prose": "defines the registration authority with oversight of the registration process\n                     for receipt of organization-defined types of and/or specific\n                     authenticators;"
-                      },
-                      {
-                        "id": "ia-5.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[3]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles responsible for authorizing organization-defined\n                     registration authority;"
-                      },
-                      {
-                        "id": "ia-5.3_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[4]"
-                          }
-                        ],
-                        "prose": "defines if the registration process is to be conducted:",
-                        "parts": [
-                          {
-                            "id": "ia-5.3_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(3)[4][a]"
-                              }
-                            ],
-                            "prose": "in person; or"
-                          },
-                          {
-                            "id": "ia-5.3_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IA-5(3)[4][b]"
-                              }
-                            ],
-                            "prose": "by a trusted third party; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ia-5.3_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(3)[5]"
-                          }
-                        ],
-                        "prose": "requires that the registration process to receive organization-defined types of\n                     and/or specific authenticators be conducted in person or by a trusted third\n                     party before organization-defined registration authority with authorization by\n                     organization-defined personnel or roles."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nregistration process for receiving information system authenticators\\n\\nlist of authenticators requiring in-person registration\\n\\nlist of authenticators requiring trusted third party registration\\n\\nauthenticator registration documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\nregistration authority\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.4",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Support for Password Strength Determination",
-                "parameters": [
-                  {
-                    "id": "ia-5.4_prm_1",
-                    "label": "organization-defined requirements"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.4_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated tools to determine if password authenticators\n                  are sufficiently strong to satisfy {{ ia-5.4_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "ia-5.4_fr",
-                        "name": "item",
-                        "title": "IA-5 (4) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ia-5.4_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement focuses on the creation of strong passwords and the\n                  characteristics of such passwords (e.g., complexity) prior to use, the enforcement\n                  of which is carried out by organizational information systems in IA-5 (1).",
-                    "links": [
-                      {
-                        "href": "#ca-2",
-                        "rel": "related",
-                        "text": "CA-2"
-                      },
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-5.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(4)[1]"
-                          }
-                        ],
-                        "prose": "defines requirements to be satisfied by password authenticators; and"
-                      },
-                      {
-                        "id": "ia-5.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(4)[2]"
-                          }
-                        ],
-                        "prose": "employs automated tools to determine if password authenticators are\n                     sufficiently strong to satisfy organization-defined requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nautomated tools for evaluating password authenticators\\n\\npassword strength assessment results\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing password-based\n                     authenticator management capability\\n\\nautomated tools for determining password strength"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.6",
-                "class": "SP800-53-enhancement",
-                "title": "Protection of Authenticators",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(6)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.06"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.6_smt",
-                    "name": "statement",
-                    "prose": "The organization protects authenticators commensurate with the security category\n                  of the information to which use of the authenticator permits access."
-                  },
-                  {
-                    "id": "ia-5.6_gdn",
-                    "name": "guidance",
-                    "prose": "For information systems containing multiple security categories of information\n                  without reliable physical or logical separation between categories, authenticators\n                  used to grant access to the systems are protected commensurate with the highest\n                  security category of information on the systems."
-                  },
-                  {
-                    "id": "ia-5.6_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization protects authenticators commensurate with the\n                  security category of the information to which use of the authenticator permits\n                  access."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity categorization documentation for the information system\\n\\nsecurity assessments of authenticator protections\\n\\nrisk assessment results\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel implementing and/or maintaining authenticator\n                     protections\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                     capability\\n\\nautomated mechanisms protecting authenticators"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.7",
-                "class": "SP800-53-enhancement",
-                "title": "No Embedded Unencrypted Static Authenticators",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.7_smt",
-                    "name": "statement",
-                    "prose": "The organization ensures that unencrypted static authenticators are not embedded\n                  in applications or access scripts or stored on function keys."
-                  },
-                  {
-                    "id": "ia-5.7_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations exercise caution in determining whether embedded or stored\n                  authenticators are in encrypted or unencrypted form. If authenticators are used in\n                  the manner stored, then those representations are considered unencrypted\n                  authenticators. This is irrespective of whether that representation is perhaps an\n                  encrypted version of something else (e.g., a password)."
-                  },
-                  {
-                    "id": "ia-5.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization ensures that unencrypted static authenticators are\n                  not: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.7_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(7)[1]"
-                          }
-                        ],
-                        "prose": "embedded in applications;"
-                      },
-                      {
-                        "id": "ia-5.7_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(7)[2]"
-                          }
-                        ],
-                        "prose": "embedded in access scripts; or"
-                      },
-                      {
-                        "id": "ia-5.7_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IA-5(7)[3]"
-                          }
-                        ],
-                        "prose": "stored on function keys."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlogical access scripts\\n\\napplication code reviews for detecting unencrypted static authenticators\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing authenticator management\n                     capability\\n\\nautomated mechanisms implementing authentication in applications"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-5.11",
-                "class": "SP800-53-enhancement",
-                "title": "Hardware Token-based Authentication",
-                "parameters": [
-                  {
-                    "id": "ia-5.11_prm_1",
-                    "label": "organization-defined token quality requirements"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-5(11)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-05.11"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-5.11_smt",
-                    "name": "statement",
-                    "prose": "The information system, for hardware token-based authentication, employs\n                  mechanisms that satisfy {{ ia-5.11_prm_1 }}."
-                  },
-                  {
-                    "id": "ia-5.11_gdn",
-                    "name": "guidance",
-                    "prose": "Hardware token-based authentication typically refers to the use of PKI-based\n                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.\n                  Organizations define specific requirements for tokens, such as working with a\n                  particular PKI."
-                  },
-                  {
-                    "id": "ia-5.11_obj",
-                    "name": "objective",
-                    "prose": "Determine if, for hardware token-based authentication: ",
-                    "parts": [
-                      {
-                        "id": "ia-5.11_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(11)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines token quality requirements to be satisfied; and"
-                      },
-                      {
-                        "id": "ia-5.11_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-5(11)[2]"
-                          }
-                        ],
-                        "prose": "the information system employs mechanisms that satisfy organization-defined\n                     token quality requirements."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator management\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\nautomated mechanisms employing hardware token-based authentication for the\n                     information system\\n\\nlist of token quality requirements\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with authenticator management responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing hardware token-based\n                     authenticator management capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-6",
-            "class": "SP800-53",
-            "title": "Authenticator Feedback",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-6_smt",
-                "name": "statement",
-                "prose": "The information system obscures feedback of authentication information during the\n               authentication process to protect the information from possible exploitation/use by\n               unauthorized individuals."
-              },
-              {
-                "id": "ia-6_gdn",
-                "name": "guidance",
-                "prose": "The feedback from information systems does not provide information that would allow\n               unauthorized individuals to compromise authentication mechanisms. For some types of\n               information systems or system components, for example, desktops/notebooks with\n               relatively large monitors, the threat (often referred to as shoulder surfing) may be\n               significant. For other types of systems or components, for example, mobile devices\n               with 2-4 inch screens, this threat may be less significant, and may need to be\n               balanced against the increased likelihood of typographic input errors due to the\n               small keyboards. Therefore, the means for obscuring the authenticator feedback is\n               selected accordingly. Obscuring the feedback of authentication information includes,\n               for example, displaying asterisks when users type passwords into input devices, or\n               displaying feedback for a very limited time before fully obscuring it.",
-                "links": [
-                  {
-                    "href": "#pe-18",
-                    "rel": "related",
-                    "text": "PE-18"
-                  }
-                ]
-              },
-              {
-                "id": "ia-6_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system obscures feedback of authentication information\n               during the authentication process to protect the information from possible\n               exploitation/use by unauthorized individuals."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing authenticator feedback\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing the obscuring of feedback of\n                  authentication information during authentication"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-7",
-            "class": "SP800-53",
-            "title": "Cryptographic Module Authentication",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-                "rel": "reference",
-                "text": "FIPS Publication 140"
-              },
-              {
-                "href": "#b09d1a31-d3c9-4138-a4f4-4c63816afd7d",
-                "rel": "reference",
-                "text": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-7_smt",
-                "name": "statement",
-                "prose": "The information system implements mechanisms for authentication to a cryptographic\n               module that meet the requirements of applicable federal laws, Executive Orders,\n               directives, policies, regulations, standards, and guidance for such\n               authentication."
-              },
-              {
-                "id": "ia-7_gdn",
-                "name": "guidance",
-                "prose": "Authentication mechanisms may be required within a cryptographic module to\n               authenticate an operator accessing the module and to verify that the operator is\n               authorized to assume the requested role and perform services within that role.",
-                "links": [
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "ia-7_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system implements mechanisms for authentication to a\n               cryptographic module that meet the requirements of applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and guidance for such\n               authentication."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing cryptographic module authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for cryptographic module\n                  authentication\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic module\n                  authentication"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ia-8",
-            "class": "SP800-53",
-            "title": "Identification and Authentication (non-organizational Users)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IA-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ia-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#74e740a4-c45d-49f3-a86e-eb747c549e01",
-                "rel": "reference",
-                "text": "OMB Memorandum 11-11"
-              },
-              {
-                "href": "#599fe9ba-4750-4450-9eeb-b95bd19a5e8f",
-                "rel": "reference",
-                "text": "OMB Memorandum 10-06-2011"
-              },
-              {
-                "href": "#ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-                "rel": "reference",
-                "text": "FICAM Roadmap and Implementation Guidance"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-116"
-              },
-              {
-                "href": "#654f21e2-f3bc-43b2-abdc-60ab8d09744b",
-                "rel": "reference",
-                "text": "National Strategy for Trusted Identities in\n            Cyberspace"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ia-8_smt",
-                "name": "statement",
-                "prose": "The information system uniquely identifies and authenticates non-organizational users\n               (or processes acting on behalf of non-organizational users)."
-              },
-              {
-                "id": "ia-8_gdn",
-                "name": "guidance",
-                "prose": "Non-organizational users include information system users other than organizational\n               users explicitly covered by IA-2. These individuals are uniquely identified and\n               authenticated for accesses other than those accesses explicitly identified and\n               documented in AC-14. In accordance with the E-Authentication E-Government initiative,\n               authentication of non-organizational users accessing federal information systems may\n               be required to protect federal, proprietary, or privacy-related information (with\n               exceptions noted for national security systems). Organizations use risk assessments\n               to determine authentication needs and consider scalability, practicality, and\n               security in balancing the need to ensure ease of use for access to federal\n               information and information systems with the need to protect and adequately mitigate\n               risk. IA-2 addresses identification and authentication requirements for access to\n               information systems by organizational users.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  }
-                ]
-              },
-              {
-                "id": "ia-8_obj",
-                "name": "objective",
-                "prose": "Determine if the information system uniquely identifies and authenticates\n               non-organizational users (or processes acting on behalf of non-organizational\n               users)."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of information system accounts\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system operations responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing identification and\n                  authentication capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ia-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of PIV Credentials from Other Agencies",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.1_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts and electronically verifies Personal Identity\n                  Verification (PIV) credentials from other federal agencies."
-                  },
-                  {
-                    "id": "ia-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to logical access control systems (LACS) and\n                  physical access control systems (PACS). Personal Identity Verification (PIV)\n                  credentials are those credentials issued by federal agencies that conform to FIPS\n                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires\n                  federal agencies to continue implementing the requirements specified in HSPD-12 to\n                  enable agency-wide use of PIV credentials.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#pe-3",
-                        "rel": "related",
-                        "text": "PE-3"
-                      },
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system: ",
-                    "parts": [
-                      {
-                        "id": "ia-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(1)[1]"
-                          }
-                        ],
-                        "prose": "accepts Personal Identity Verification (PIV) credentials from other agencies;\n                     and"
-                      },
-                      {
-                        "id": "ia-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(1)[2]"
-                          }
-                        ],
-                        "prose": "electronically verifies Personal Identity Verification (PIV) credentials from\n                     other agencies."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nPIV verification records\\n\\nevidence of PIV credentials\\n\\nPIV credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept and verify PIV credentials"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Acceptance of Third-party Credentials",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.2_smt",
-                    "name": "statement",
-                    "prose": "The information system accepts only FICAM-approved third-party credentials."
-                  },
-                  {
-                    "id": "ia-8.2_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement typically applies to organizational information systems\n                  that are accessible to the general public, for example, public-facing websites.\n                  Third-party credentials are those credentials issued by nonfederal government\n                  entities approved by the Federal Identity, Credential, and Access Management\n                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials\n                  meet or exceed the set of minimum federal government-wide technical, security,\n                  privacy, and organizational maturity requirements. This allows federal government\n                  relying parties to trust such credentials at their approved assurance levels.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system accepts only FICAM-approved third-party\n                  credentials. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nprocedures addressing user identification and authentication\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-approved, third-party credentialing products, components, or\n                     services procured and implemented by organization\\n\\nthird-party credential verification records\\n\\nevidence of FICAM-approved third-party credentials\\n\\nthird-party credential authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms that accept FICAM-approved credentials"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.3",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Ficam-approved Products",
-                "parameters": [
-                  {
-                    "id": "ia-8.3_prm_1",
-                    "label": "organization-defined information systems"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs only FICAM-approved information system components in\n                     {{ ia-8.3_prm_1 }} to accept third-party credentials."
-                  },
-                  {
-                    "id": "ia-8.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement typically applies to information systems that are\n                  accessible to the general public, for example, public-facing websites.\n                  FICAM-approved information system components include, for example, information\n                  technology products and software libraries that have been approved by the Federal\n                  Identity, Credential, and Access Management conformance program.",
-                    "links": [
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ia-8.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(3)[1]"
-                          }
-                        ],
-                        "prose": "defines information systems in which only FICAM-approved information system\n                     components are to be employed to accept third-party credentials; and"
-                      },
-                      {
-                        "id": "ia-8.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IA-8(3)[2]"
-                          }
-                        ],
-                        "prose": "employs only FICAM-approved information system components in\n                     organization-defined information systems to accept third-party credentials."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nthird-party credential validations\\n\\nthird-party credential authorizations\\n\\nthird-party credential records\\n\\nlist of FICAM-approved information system components procured and implemented\n                     by organization\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information system security, acquisition, and\n                     contracting responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ia-8.4",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Ficam-issued Profiles",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IA-8(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ia-08.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ia-8.4_smt",
-                    "name": "statement",
-                    "prose": "The information system conforms to FICAM-issued profiles."
-                  },
-                  {
-                    "id": "ia-8.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement addresses open identity management standards. To ensure\n                  that these standards are viable, robust, reliable, sustainable (e.g., available in\n                  commercial information technology products), and interoperable as documented, the\n                  United States Government assesses and scopes identity management standards and\n                  technology implementations against applicable federal legislation, directives,\n                  policies, and requirements. The result is FICAM-issued implementation profiles of\n                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and\n                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute\n                  Exchange).",
-                    "links": [
-                      {
-                        "href": "#sa-4",
-                        "rel": "related",
-                        "text": "SA-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ia-8.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system conforms to FICAM-issued profiles. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Identification and authentication policy\\n\\nsystem and services acquisition policy\\n\\nprocedures addressing user identification and authentication\\n\\nprocedures addressing the integration of security requirements into the\n                     acquisition process\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FICAM-issued profiles and associated, approved protocols\\n\\nacquisition documentation\\n\\nacquisition contracts for information system procurements or services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system operations\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developers\\n\\norganizational personnel with account management responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing identification and\n                     authentication capability\\n\\nautomated mechanisms supporting and/or implementing conformance with\n                     FICAM-issued profiles"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ir",
-        "class": "family",
-        "title": "Incident Response",
-        "controls": [
-          {
-            "id": "ir-1",
-            "class": "SP800-53",
-            "title": "Incident Response Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ir-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ir-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ir-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "An incident response policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ir-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the incident response policy and\n                     associated incident response controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ir-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Incident response policy {{ ir-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ir-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Incident response procedures {{ ir-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the IR\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ir-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an incident response policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ir-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ir-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "IR-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ir-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the incident response policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ir-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the incident response policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        incident response policy and associated incident response controls;"
-                          },
-                          {
-                            "id": "ir-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ir-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current incident response\n                        policy;"
-                          },
-                          {
-                            "id": "ir-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current incident response policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current incident response\n                        procedures; and"
-                          },
-                          {
-                            "id": "ir-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current incident response procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-2",
-            "class": "SP800-53",
-            "title": "Incident Response Training",
-            "parameters": [
-              {
-                "id": "ir-2_prm_1",
-                "label": "organization-defined time period"
-              },
-              {
-                "id": "ir-2_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#825438c3-248d-4e30-a51e-246473ce6ada",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-16"
-              },
-              {
-                "href": "#e12b5738-de74-4fb3-8317-a3995a8a1898",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-50"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-2_smt",
-                "name": "statement",
-                "prose": "The organization provides incident response training to information system users\n               consistent with assigned roles and responsibilities:",
-                "parts": [
-                  {
-                    "id": "ir-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Within {{ ir-2_prm_1 }} of assuming an incident response role or\n                  responsibility;"
-                  },
-                  {
-                    "id": "ir-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "When required by information system changes; and"
-                  },
-                  {
-                    "id": "ir-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "\n                  {{ ir-2_prm_2 }} thereafter."
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_gdn",
-                "name": "guidance",
-                "prose": "Incident response training provided by organizations is linked to the assigned roles\n               and responsibilities of organizational personnel to ensure the appropriate content\n               and level of detail is included in such training. For example, regular users may only\n               need to know who to call or how to recognize an incident on the information system;\n               system administrators may require additional training on how to handle/remediate\n               incidents; and incident responders may receive more specific training on forensics,\n               reporting, system recovery, and restoration. Incident response training includes user\n               training in the identification and reporting of suspicious activities, both from\n               external and internal sources.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-3",
-                    "rel": "related",
-                    "text": "CP-3"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which incident response training is to be provided\n                     to information system users assuming an incident response role or\n                     responsibility;"
-                      },
-                      {
-                        "id": "ir-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(a)[2]"
-                          }
-                        ],
-                        "prose": "provides incident response training to information system users consistent with\n                     assigned roles and responsibilities within the organization-defined time period\n                     of assuming an incident response role or responsibility;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-2(b)"
-                      }
-                    ],
-                    "prose": "provides incident response training to information system users consistent with\n                  assigned roles and responsibilities when required by information system\n                  changes;"
-                  },
-                  {
-                    "id": "ir-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide refresher incident response training to\n                     information system users consistent with assigned roles or responsibilities;\n                     and"
-                      },
-                      {
-                        "id": "ir-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-2(c)[2]"
-                          }
-                        ],
-                        "prose": "after the initial incident response training, provides refresher incident\n                     response training to information system users consistent with assigned roles\n                     and responsibilities in accordance with the organization-defined frequency to\n                     provide refresher training."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response training\\n\\nincident response training curriculum\\n\\nincident response training materials\\n\\nsecurity plan\\n\\nincident response plan\\n\\nsecurity plan\\n\\nincident response training records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response training and operational\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-3",
-            "class": "SP800-53",
-            "title": "Incident Response Testing",
-            "parameters": [
-              {
-                "id": "ir-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ir-3_prm_2",
-                "label": "organization-defined tests",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-84"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-3_smt",
-                "name": "statement",
-                "prose": "The organization tests the incident response capability for the information system\n                  {{ ir-3_prm_1 }} using {{ ir-3_prm_2 }} to determine\n               the incident response effectiveness and documents the results.",
-                "parts": [
-                  {
-                    "id": "ir-3_fr",
-                    "name": "item",
-                    "title": "IR-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-3_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-3 -2 Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-3_gdn",
-                "name": "guidance",
-                "prose": "Organizations test incident response capabilities to determine the overall\n               effectiveness of the capabilities and to identify potential weaknesses or\n               deficiencies. Incident response testing includes, for example, the use of checklists,\n               walk-through or tabletop exercises, simulations (parallel/full interrupt), and\n               comprehensive exercises. Incident response testing can also include a determination\n               of the effects on organizational operations (e.g., reduction in mission\n               capabilities), organizational assets, and individuals due to incident response.",
-                "links": [
-                  {
-                    "href": "#cp-4",
-                    "rel": "related",
-                    "text": "CP-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-3[1]"
-                      }
-                    ],
-                    "prose": "defines incident response tests to test the incident response capability for the\n                  information system;"
-                  },
-                  {
-                    "id": "ir-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-3[2]"
-                      }
-                    ],
-                    "prose": "defines the frequency to test the incident response capability for the information\n                  system; and"
-                  },
-                  {
-                    "id": "ir-3_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-3[3]"
-                      }
-                    ],
-                    "prose": "tests the incident response capability for the information system with the\n                  organization-defined frequency, using organization-defined tests to determine the\n                  incident response effectiveness and documents the results."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident response testing\\n\\nprocedures addressing contingency plan testing\\n\\nincident response testing material\\n\\nincident response test results\\n\\nincident response test plan\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response testing responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-3.2",
-                "class": "SP800-53-enhancement",
-                "title": "Coordination with Related Plans",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-3(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-03.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-3.2_smt",
-                    "name": "statement",
-                    "prose": "The organization coordinates incident response testing with organizational\n                  elements responsible for related plans."
-                  },
-                  {
-                    "id": "ir-3.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational plans related to incident response testing include, for example,\n                  Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity\n                  of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,\n                  and Occupant Emergency Plans."
-                  },
-                  {
-                    "id": "ir-3.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "prose": "Determine if the organization coordinates incident response testing with\n                  organizational elements responsible for related plans. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident response testing\\n\\nincident response testing documentation\\n\\nincident response plan\\n\\nbusiness continuity plans\\n\\ncontingency plans\\n\\ndisaster recovery plans\\n\\ncontinuity of operations plans\\n\\ncrisis communications plans\\n\\ncritical infrastructure plans\\n\\noccupant emergency plans\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response testing responsibilities\\n\\norganizational personnel with responsibilities for testing organizational plans\n                     related to incident response testing\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-4",
-            "class": "SP800-53",
-            "title": "Incident Handling",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-                "rel": "reference",
-                "text": "Executive Order 13587"
-              },
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Implements an incident handling capability for security incidents that includes\n                  preparation, detection and analysis, containment, eradication, and recovery;"
-                  },
-                  {
-                    "id": "ir-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Coordinates incident handling activities with contingency planning activities;\n                  and"
-                  },
-                  {
-                    "id": "ir-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Incorporates lessons learned from ongoing incident handling activities into\n                  incident response procedures, training, and testing, and implements the resulting\n                  changes accordingly."
-                  },
-                  {
-                    "id": "ir-4_fr",
-                    "name": "item",
-                    "title": "IR-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-4_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_gdn",
-                "name": "guidance",
-                "prose": "Organizations recognize that incident response capability is dependent on the\n               capabilities of organizational information systems and the mission/business processes\n               being supported by those systems. Therefore, organizations consider incident response\n               as part of the definition, design, and development of mission/business processes and\n               information systems. Incident-related information can be obtained from a variety of\n               sources including, for example, audit monitoring, network monitoring, physical access\n               monitoring, user/administrator reports, and reported supply chain events. Effective\n               incident handling capability includes coordination among many organizational entities\n               including, for example, mission/business owners, information system owners,\n               authorizing officials, human resources offices, physical and personnel security\n               offices, legal departments, operations personnel, procurement offices, and the risk\n               executive (function).",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-4",
-                    "rel": "related",
-                    "text": "CP-4"
-                  },
-                  {
-                    "href": "#ir-2",
-                    "rel": "related",
-                    "text": "IR-2"
-                  },
-                  {
-                    "href": "#ir-3",
-                    "rel": "related",
-                    "text": "IR-3"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "ir-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-4(a)"
-                      }
-                    ],
-                    "prose": "implements an incident handling capability for security incidents that\n                  includes:",
-                    "parts": [
-                      {
-                        "id": "ir-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[1]"
-                          }
-                        ],
-                        "prose": "preparation;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[2]"
-                          }
-                        ],
-                        "prose": "detection and analysis;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[3]"
-                          }
-                        ],
-                        "prose": "containment;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[4]"
-                          }
-                        ],
-                        "prose": "eradication;"
-                      },
-                      {
-                        "id": "ir-4.a_obj.5",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-4(a)[5]"
-                          }
-                        ],
-                        "prose": "recovery;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-4(b)"
-                      }
-                    ],
-                    "prose": "coordinates incident handling activities with contingency planning activities;"
-                  },
-                  {
-                    "id": "ir-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(c)[1]"
-                          }
-                        ],
-                        "prose": "incorporates lessons learned from ongoing incident handling activities\n                     into:",
-                        "parts": [
-                          {
-                            "id": "ir-4.c_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][a]"
-                              }
-                            ],
-                            "prose": "incident response procedures;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][b]"
-                              }
-                            ],
-                            "prose": "training;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[1][c]"
-                              }
-                            ],
-                            "prose": "testing/exercises;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-4(c)[2]"
-                          }
-                        ],
-                        "prose": "implements the resulting changes accordingly to:",
-                        "parts": [
-                          {
-                            "id": "ir-4.c_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][a]"
-                              }
-                            ],
-                            "prose": "incident response procedures;"
-                          },
-                          {
-                            "id": "ir-4.c_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][b]"
-                              }
-                            ],
-                            "prose": "training; and"
-                          },
-                          {
-                            "id": "ir-4.c_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-4(c)[2][c]"
-                              }
-                            ],
-                            "prose": "testing/exercises."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\ncontingency planning policy\\n\\nprocedures addressing incident handling\\n\\nincident response plan\\n\\ncontingency plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with contingency planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident handling capability for the organization"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Incident Handling Processes",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to support the incident handling\n                  process."
-                  },
-                  {
-                    "id": "ir-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms supporting incident handling processes include, for example,\n                  online incident management systems."
-                  },
-                  {
-                    "id": "ir-4.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to support the incident\n                  handling process. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nautomated mechanisms supporting incident handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident handling responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms that support and/or implement the incident handling\n                     process"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-5",
-            "class": "SP800-53",
-            "title": "Incident Monitoring",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-5_smt",
-                "name": "statement",
-                "prose": "The organization tracks and documents information system security incidents."
-              },
-              {
-                "id": "ir-5_gdn",
-                "name": "guidance",
-                "prose": "Documenting information system security incidents includes, for example, maintaining\n               records about each incident, the status of the incident, and other pertinent\n               information necessary for forensics, evaluating incident details, trends, and\n               handling. Incident information can be obtained from a variety of sources including,\n               for example, incident reports, incident response teams, audit monitoring, network\n               monitoring, physical access monitoring, and user/administrator reports.",
-                "links": [
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#pe-6",
-                    "rel": "related",
-                    "text": "PE-6"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "ir-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-5[1]"
-                      }
-                    ],
-                    "prose": "tracks information system security incidents; and"
-                  },
-                  {
-                    "id": "ir-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-5[2]"
-                      }
-                    ],
-                    "prose": "documents information system security incidents."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident monitoring\\n\\nincident response records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident monitoring responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident monitoring capability for the organization\\n\\nautomated mechanisms supporting and/or implementing tracking and documenting of\n                  system security incidents"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-6",
-            "class": "SP800-53",
-            "title": "Incident Reporting",
-            "parameters": [
-              {
-                "id": "ir-6_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_prm_2",
-                "label": "organization-defined authorities"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#02631467-668b-4233-989b-3dfded2fd184",
-                "rel": "reference",
-                "text": "http://www.us-cert.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires personnel to report suspected security incidents to the organizational\n                  incident response capability within {{ ir-6_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ir-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reports security incident information to {{ ir-6_prm_2 }}."
-                  },
-                  {
-                    "id": "ir-6_fr",
-                    "name": "item",
-                    "title": "IR-6 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-6_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "Report security incident information according to FedRAMP Incident Communications Procedure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_gdn",
-                "name": "guidance",
-                "prose": "The intent of this control is to address both specific incident reporting\n               requirements within an organization and the formal incident reporting requirements\n               for federal agencies and their subordinate organizations. Suspected security\n               incidents include, for example, the receipt of suspicious email communications that\n               can potentially contain malicious code. The types of security incidents reported, the\n               content and timeliness of the reports, and the designated reporting authorities\n               reflect applicable federal laws, Executive Orders, directives, regulations, policies,\n               standards, and guidance. Current federal policy requires that all federal agencies\n               (unless specifically exempted from such requirements) report security incidents to\n               the United States Computer Emergency Readiness Team (US-CERT) within specified time\n               frames designated in the US-CERT Concept of Operations for Federal Cyber Security\n               Incident Handling.",
-                "links": [
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-5",
-                    "rel": "related",
-                    "text": "IR-5"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "ir-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which personnel report suspected security\n                     incidents to the organizational incident response capability;"
-                      },
-                      {
-                        "id": "ir-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(a)[2]"
-                          }
-                        ],
-                        "prose": "requires personnel to report suspected security incidents to the organizational\n                     incident response capability within the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines authorities to whom security incident information is to be reported;\n                     and"
-                      },
-                      {
-                        "id": "ir-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reports security incident information to organization-defined authorities."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nincident reporting records and documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\npersonnel who have/should have reported incidents\\n\\npersonnel (authorities) to whom incident information is to be reported"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing incident reporting"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Reporting",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to assist in the reporting of\n                  security incidents."
-                  },
-                  {
-                    "id": "ir-6.1_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ir-7",
-                        "rel": "related",
-                        "text": "IR-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-6.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to assist in the\n                  reporting of security incidents."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident reporting\\n\\nautomated mechanisms supporting incident reporting\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident reporting responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for incident reporting\\n\\nautomated mechanisms supporting and/or implementing reporting of security\n                     incidents"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-7",
-            "class": "SP800-53",
-            "title": "Incident Response Assistance",
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-07"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-7_smt",
-                "name": "statement",
-                "prose": "The organization provides an incident response support resource, integral to the\n               organizational incident response capability that offers advice and assistance to\n               users of the information system for the handling and reporting of security\n               incidents."
-              },
-              {
-                "id": "ir-7_gdn",
-                "name": "guidance",
-                "prose": "Incident response support resources provided by organizations include, for example,\n               help desks, assistance groups, and access to forensics services, when required.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-6",
-                    "rel": "related",
-                    "text": "IR-6"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  }
-                ]
-              },
-              {
-                "id": "ir-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization provides an incident response support resource:",
-                "parts": [
-                  {
-                    "id": "ir-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-7[1]"
-                      }
-                    ],
-                    "prose": "that is integral to the organizational incident response capability; and"
-                  },
-                  {
-                    "id": "ir-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-7[2]"
-                      }
-                    ],
-                    "prose": "that offers advice and assistance to users of the information system for the\n                  handling and reporting of security incidents."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response assistance and support\n                  responsibilities\\n\\norganizational personnel with access to incident response support and assistance\n                  capability\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing incident response\n                  assistance"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Automation Support for Availability of Information / Support",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to increase the availability of\n                  incident response-related information and support."
-                  },
-                  {
-                    "id": "ir-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Automated mechanisms can provide a push and/or pull capability for users to obtain\n                  incident response assistance. For example, individuals might have access to a\n                  website to query the assistance capability, or conversely, the assistance\n                  capability may have the ability to proactively send information to users (general\n                  distribution or targeted) as part of increasing understanding of current response\n                  capabilities and support."
-                  },
-                  {
-                    "id": "ir-7.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to increase the\n                  availability of incident response-related information and support."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nautomated mechanisms supporting incident response support and assistance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response support and assistance\n                     responsibilities\\n\\norganizational personnel with access to incident response support and\n                     assistance capability\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for incident response assistance\\n\\nautomated mechanisms supporting and/or implementing an increase in the\n                     availability of incident response information and support"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-7.2",
-                "class": "SP800-53-enhancement",
-                "title": "Coordination with External Providers",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-7(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-07.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-7.2_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ir-7.2_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Establishes a direct, cooperative relationship between its incident response\n                     capability and external providers of information system protection capability;\n                     and"
-                      },
-                      {
-                        "id": "ir-7.2_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Identifies organizational incident response team members to the external\n                     providers."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-7.2_gdn",
-                    "name": "guidance",
-                    "prose": "External providers of information system protection capability include, for\n                  example, the Computer Network Defense program within the U.S. Department of\n                  Defense. External providers help to protect, monitor, analyze, detect, and respond\n                  to unauthorized activity within organizational information systems and\n                  networks."
-                  },
-                  {
-                    "id": "ir-7.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ir-7.2.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-7(2)(a)"
-                          }
-                        ],
-                        "prose": "establishes a direct, cooperative relationship between its incident response\n                     capability and external providers of information system protection capability;\n                     and",
-                        "links": [
-                          {
-                            "href": "#ir-7.2_smt.a",
-                            "rel": "corresp",
-                            "text": "IR-7(2)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-7.2.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-7(2)(b)"
-                          }
-                        ],
-                        "prose": "identifies organizational incident response team members to the external\n                     providers.",
-                        "links": [
-                          {
-                            "href": "#ir-7.2_smt.b",
-                            "rel": "corresp",
-                            "text": "IR-7(2)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident response assistance\\n\\nincident response plan\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response support and assistance\n                     responsibilities\\n\\nexternal providers of information system protection capability\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-8",
-            "class": "SP800-53",
-            "title": "Incident Response Plan",
-            "parameters": [
-              {
-                "id": "ir-8_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-8_prm_2",
-                "label": "organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_prm_4",
-                "label": "organization-defined incident response personnel (identified by name and/or by\n               role) and organizational elements",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP Requirements and Guidance"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "IR-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ir-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops an incident response plan that:",
-                    "parts": [
-                      {
-                        "id": "ir-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Provides the organization with a roadmap for implementing its incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Describes the structure and organization of the incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Meets the unique requirements of the organization, which relate to mission,\n                     size, structure, and functions;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Defines reportable incidents;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Provides metrics for measuring the incident response capability within the\n                     organization;"
-                      },
-                      {
-                        "id": "ir-8_smt.a.7",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "7."
-                          }
-                        ],
-                        "prose": "Defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability; and"
-                      },
-                      {
-                        "id": "ir-8_smt.a.8",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "8."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by {{ ir-8_prm_1 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the incident response plan to {{ ir-8_prm_2 }};"
-                  },
-                  {
-                    "id": "ir-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the incident response plan {{ ir-8_prm_3 }};"
-                  },
-                  {
-                    "id": "ir-8_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan implementation, execution, or testing;"
-                  },
-                  {
-                    "id": "ir-8_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Communicates incident response plan changes to {{ ir-8_prm_4 }};\n                  and"
-                  },
-                  {
-                    "id": "ir-8_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Protects the incident response plan from unauthorized disclosure and\n                  modification."
-                  },
-                  {
-                    "id": "ir-8_fr",
-                    "name": "item",
-                    "title": "IR-8 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ir-8_fr_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                      },
-                      {
-                        "id": "ir-8_fr_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_gdn",
-                "name": "guidance",
-                "prose": "It is important that organizations develop and implement a coordinated approach to\n               incident response. Organizational missions, business functions, strategies, goals,\n               and objectives for incident response help to determine the structure of incident\n               response capabilities. As part of a comprehensive incident response capability,\n               organizations consider the coordination and sharing of information with external\n               organizations, including, for example, external service providers and organizations\n               involved in the supply chain for organizational information systems.",
-                "links": [
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  }
-                ]
-              },
-              {
-                "id": "ir-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ir-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(a)"
-                      }
-                    ],
-                    "prose": "develops an incident response plan that:",
-                    "parts": [
-                      {
-                        "id": "ir-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(1)"
-                          }
-                        ],
-                        "prose": "provides the organization with a roadmap for implementing its incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(2)"
-                          }
-                        ],
-                        "prose": "describes the structure and organization of the incident response\n                     capability;"
-                      },
-                      {
-                        "id": "ir-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(3)"
-                          }
-                        ],
-                        "prose": "provides a high-level approach for how the incident response capability fits\n                     into the overall organization;"
-                      },
-                      {
-                        "id": "ir-8.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(4)"
-                          }
-                        ],
-                        "prose": "meets the unique requirements of the organization, which relate to:",
-                        "parts": [
-                          {
-                            "id": "ir-8.a.4_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[1]"
-                              }
-                            ],
-                            "prose": "mission;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[2]"
-                              }
-                            ],
-                            "prose": "size;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[3]"
-                              }
-                            ],
-                            "prose": "structure;"
-                          },
-                          {
-                            "id": "ir-8.a.4_obj.4",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(4)[4]"
-                              }
-                            ],
-                            "prose": "functions;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(5)"
-                          }
-                        ],
-                        "prose": "defines reportable incidents;"
-                      },
-                      {
-                        "id": "ir-8.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(6)"
-                          }
-                        ],
-                        "prose": "provides metrics for measuring the incident response capability within the\n                     organization;"
-                      },
-                      {
-                        "id": "ir-8.a.7_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(7)"
-                          }
-                        ],
-                        "prose": "defines the resources and management support needed to effectively maintain and\n                     mature an incident response capability;"
-                      },
-                      {
-                        "id": "ir-8.a.8_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(a)(8)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.a.8_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(8)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to review and approve the incident response\n                        plan;"
-                          },
-                          {
-                            "id": "ir-8.a.8_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(a)(8)[2]"
-                              }
-                            ],
-                            "prose": "is reviewed and approved by organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(b)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.b_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(b)[1][a]"
-                              }
-                            ],
-                            "prose": "defines incident response personnel (identified by name and/or by role) to\n                        whom copies of the incident response plan are to be distributed;"
-                          },
-                          {
-                            "id": "ir-8.b_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(b)[1][b]"
-                              }
-                            ],
-                            "prose": "defines organizational elements to whom copies of the incident response plan\n                        are to be distributed;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the incident response plan to organization-defined\n                     incident response personnel (identified by name and/or by role) and\n                     organizational elements;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the incident response plan;"
-                      },
-                      {
-                        "id": "ir-8.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the incident response plan with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-8(d)"
-                      }
-                    ],
-                    "prose": "updates the incident response plan to address system/organizational changes or\n                  problems encountered during plan:",
-                    "parts": [
-                      {
-                        "id": "ir-8.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[1]"
-                          }
-                        ],
-                        "prose": "implementation;"
-                      },
-                      {
-                        "id": "ir-8.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[2]"
-                          }
-                        ],
-                        "prose": "execution; or"
-                      },
-                      {
-                        "id": "ir-8.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(d)[3]"
-                          }
-                        ],
-                        "prose": "testing;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-8(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-8.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "IR-8(e)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ir-8.e_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(e)[1][a]"
-                              }
-                            ],
-                            "prose": "defines incident response personnel (identified by name and/or by role) to\n                        whom incident response plan changes are to be communicated;"
-                          },
-                          {
-                            "id": "ir-8.e_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "IR-8(e)[1][b]"
-                              }
-                            ],
-                            "prose": "defines organizational elements to whom incident response plan changes are\n                        to be communicated;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ir-8.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-8(e)[2]"
-                          }
-                        ],
-                        "prose": "communicates incident response plan changes to organization-defined incident\n                     response personnel (identified by name and/or by role) and organizational\n                     elements; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-8.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-8(f)"
-                      }
-                    ],
-                    "prose": "protects the incident response plan from unauthorized disclosure and\n                  modification."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing incident response planning\\n\\nincident response plan\\n\\nrecords of incident response plan reviews and approvals\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational incident response plan and related organizational processes"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ir-9",
-            "class": "SP800-53",
-            "title": "Information Spillage Response",
-            "parameters": [
-              {
-                "id": "ir-9_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ir-9_prm_2",
-                "label": "organization-defined actions"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "IR-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "ir-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ir-9_smt",
-                "name": "statement",
-                "prose": "The organization responds to information spills by:",
-                "parts": [
-                  {
-                    "id": "ir-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifying the specific information involved in the information system\n                  contamination;"
-                  },
-                  {
-                    "id": "ir-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Alerting {{ ir-9_prm_1 }} of the information spill using a method\n                  of communication not associated with the spill;"
-                  },
-                  {
-                    "id": "ir-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Isolating the contaminated information system or system component;"
-                  },
-                  {
-                    "id": "ir-9_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Eradicating the information from the contaminated information system or\n                  component;"
-                  },
-                  {
-                    "id": "ir-9_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Identifying other information systems or system components that may have been\n                  subsequently contaminated; and"
-                  },
-                  {
-                    "id": "ir-9_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Performing other {{ ir-9_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ir-9_gdn",
-                "name": "guidance",
-                "prose": "Information spillage refers to instances where either classified or sensitive\n               information is inadvertently placed on information systems that are not authorized to\n               process such information. Such information spills often occur when information that\n               is initially thought to be of lower sensitivity is transmitted to an information\n               system and then is subsequently determined to be of higher sensitivity. At that\n               point, corrective action is required. The nature of the organizational response is\n               generally based upon the degree of sensitivity of the spilled information (e.g.,\n               security category or classification level), the security capabilities of the\n               information system, the specific nature of contaminated storage media, and the access\n               authorizations (e.g., security clearances) of individuals with authorized access to\n               the contaminated system. The methods used to communicate information about the spill\n               after the fact do not involve methods directly associated with the actual spill to\n               minimize the risk of further spreading the contamination before such contamination is\n               isolated and eradicated."
-              },
-              {
-                "id": "ir-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ir-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-9(a)"
-                      }
-                    ],
-                    "prose": "responds to information spills by identifying the specific information causing the\n                  information system contamination;"
-                  },
-                  {
-                    "id": "ir-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel to be alerted of the information spillage;"
-                      },
-                      {
-                        "id": "ir-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[2]"
-                          }
-                        ],
-                        "prose": "identifies a method of communication not associated with the information spill\n                     to use to alert organization-defined personnel of the spill;"
-                      },
-                      {
-                        "id": "ir-9.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(b)[3]"
-                          }
-                        ],
-                        "prose": "responds to information spills by alerting organization-defined personnel of\n                     the information spill using a method of communication not associated with the\n                     spill;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ir-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-9(c)"
-                      }
-                    ],
-                    "prose": "responds to information spills by isolating the contaminated information\n                  system;"
-                  },
-                  {
-                    "id": "ir-9.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-9(d)"
-                      }
-                    ],
-                    "prose": "responds to information spills by eradicating the information from the\n                  contaminated information system;"
-                  },
-                  {
-                    "id": "ir-9.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "IR-9(e)"
-                      }
-                    ],
-                    "prose": "responds to information spills by identifying other information systems that may\n                  have been subsequently contaminated;"
-                  },
-                  {
-                    "id": "ir-9.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "IR-9(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ir-9.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(f)[1]"
-                          }
-                        ],
-                        "prose": "defines other actions to be performed in response to information spills;\n                     and"
-                      },
-                      {
-                        "id": "ir-9.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(f)[2]"
-                          }
-                        ],
-                        "prose": "responds to information spills by performing other organization-defined\n                     actions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nrecords of information spillage alerts/notifications, list of personnel who should\n                  receive alerts of information spillage\\n\\nlist of actions to be performed regarding information spillage\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information spillage response\\n\\nautomated mechanisms supporting and/or implementing information spillage response\n                  actions and related communications"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ir-9.1",
-                "class": "SP800-53-enhancement",
-                "title": "Responsible Personnel",
-                "parameters": [
-                  {
-                    "id": "ir-9.1_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-9(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-09.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-9.1_smt",
-                    "name": "statement",
-                    "prose": "The organization assigns {{ ir-9.1_prm_1 }} with responsibility for\n                  responding to information spills."
-                  },
-                  {
-                    "id": "ir-9.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ir-9.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(1)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel with responsibility for responding to information spills;\n                     and"
-                      },
-                      {
-                        "id": "ir-9.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(1)[2]"
-                          }
-                        ],
-                        "prose": "assigns organization-defined personnel with responsibility for responding to\n                     information spills."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nlist of personnel responsible for responding to information spillage\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-9.2",
-                "class": "SP800-53-enhancement",
-                "title": "Training",
-                "parameters": [
-                  {
-                    "id": "ir-9.2_prm_1",
-                    "label": "organization-defined frequency"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "IR-9(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-09.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-9.2_smt",
-                    "name": "statement",
-                    "prose": "The organization provides information spillage response training {{ ir-9.2_prm_1 }}."
-                  },
-                  {
-                    "id": "ir-9.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ir-9.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(2)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to provide information spillage response training;\n                     and"
-                      },
-                      {
-                        "id": "ir-9.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(2)[2]"
-                          }
-                        ],
-                        "prose": "provides information spillage response training with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing information spillage response training\\n\\ninformation spillage response training curriculum\\n\\ninformation spillage response training materials\\n\\nincident response plan\\n\\ninformation spillage response training records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response training responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-9.3",
-                "class": "SP800-53-enhancement",
-                "title": "Post-spill Operations",
-                "parameters": [
-                  {
-                    "id": "ir-9.3_prm_1",
-                    "label": "organization-defined procedures"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-9(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-09.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-9.3_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ ir-9.3_prm_1 }} to ensure that\n                  organizational personnel impacted by information spills can continue to carry out\n                  assigned tasks while contaminated systems are undergoing corrective actions."
-                  },
-                  {
-                    "id": "ir-9.3_gdn",
-                    "name": "guidance",
-                    "prose": "Correction actions for information systems contaminated due to information\n                  spillages may be very time-consuming. During those periods, personnel may not have\n                  access to the contaminated systems, which may potentially affect their ability to\n                  conduct organizational business."
-                  },
-                  {
-                    "id": "ir-9.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ir-9.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(3)[1]"
-                          }
-                        ],
-                        "prose": "defines procedures that ensure organizational personnel impacted by information\n                     spills can continue to carry out assigned tasks while contaminated systems are\n                     undergoing corrective actions; and"
-                      },
-                      {
-                        "id": "ir-9.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(3)[2]"
-                          }
-                        ],
-                        "prose": "implements organization-defined procedures to ensure that organizational\n                     personnel impacted by information spills can continue to carry out assigned\n                     tasks while contaminated systems are undergoing corrective actions."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for post-spill operations"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ir-9.4",
-                "class": "SP800-53-enhancement",
-                "title": "Exposure to Unauthorized Personnel",
-                "parameters": [
-                  {
-                    "id": "ir-9.4_prm_1",
-                    "label": "organization-defined security safeguards"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "IR-9(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ir-09.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ir-9.4_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ ir-9.4_prm_1 }} for personnel exposed\n                  to information not within assigned access authorizations."
-                  },
-                  {
-                    "id": "ir-9.4_gdn",
-                    "name": "guidance",
-                    "prose": "Security safeguards include, for example, making personnel exposed to spilled\n                  information aware of the federal laws, directives, policies, and/or regulations\n                  regarding the information and the restrictions imposed based on exposure to such\n                  information."
-                  },
-                  {
-                    "id": "ir-9.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ir-9.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(4)[1]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed for personnel exposed to information\n                     not within assigned access authorizations; and"
-                      },
-                      {
-                        "id": "ir-9.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "IR-9(4)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined security safeguards for personnel exposed to\n                     information not within assigned access authorizations."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Incident response policy\\n\\nprocedures addressing incident handling\\n\\nprocedures addressing information spillage\\n\\nincident response plan\\n\\nsecurity safeguards regarding information spillage/exposure to unauthorized\n                     personnel\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for dealing with information exposed to unauthorized\n                     personnel\\n\\nautomated mechanisms supporting and/or implementing safeguards for personnel\n                     exposed to information not within assigned access authorizations"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ma",
-        "class": "family",
-        "title": "Maintenance",
-        "controls": [
-          {
-            "id": "ma-1",
-            "class": "SP800-53",
-            "title": "System Maintenance Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ma-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ma-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ma-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ma-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system maintenance policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ma-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system maintenance policy\n                     and associated system maintenance controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ma-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System maintenance policy {{ ma-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ma-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System maintenance procedures {{ ma-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ma-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ma-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system maintenance policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ma-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ma-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ma-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system maintenance policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ma-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system maintenance policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        maintenance policy and associated system maintenance controls;"
-                          },
-                          {
-                            "id": "ma-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ma-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system maintenance\n                        policy;"
-                          },
-                          {
-                            "id": "ma-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system maintenance policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system maintenance\n                        procedures; and"
-                          },
-                          {
-                            "id": "ma-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system maintenance procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Maintenance policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-2",
-            "class": "SP800-53",
-            "title": "Controlled Maintenance",
-            "parameters": [
-              {
-                "id": "ma-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ma-2_prm_2",
-                "label": "organization-defined maintenance-related information"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Schedules, performs, documents, and reviews records of maintenance and repairs on\n                  information system components in accordance with manufacturer or vendor\n                  specifications and/or organizational requirements;"
-                  },
-                  {
-                    "id": "ma-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Approves and monitors all maintenance activities, whether performed on site or\n                  remotely and whether the equipment is serviced on site or removed to another\n                  location;"
-                  },
-                  {
-                    "id": "ma-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Requires that {{ ma-2_prm_1 }} explicitly approve the removal of\n                  the information system or system components from organizational facilities for\n                  off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions; and"
-                  },
-                  {
-                    "id": "ma-2_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Includes {{ ma-2_prm_2 }} in organizational maintenance\n                  records."
-                  }
-                ]
-              },
-              {
-                "id": "ma-2_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the information security aspects of the information system\n               maintenance program and applies to all types of maintenance to any system component\n               (including applications) conducted by any local or nonlocal entity (e.g.,\n               in-contract, warranty, in-house, software maintenance agreement). System maintenance\n               also includes those components not directly associated with information processing\n               and/or data/information retention such as scanners, copiers, and printers.\n               Information necessary for creating effective maintenance records includes, for\n               example: (i) date and time of maintenance; (ii) name of individuals or group\n               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of\n               the maintenance performed; and (v) information system components/equipment removed or\n               replaced (including identification numbers, if applicable). The level of detail\n               included in maintenance records can be informed by the security categories of\n               organizational information systems. Organizations consider supply chain issues\n               associated with replacement components for information systems.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  },
-                  {
-                    "href": "#pe-16",
-                    "rel": "related",
-                    "text": "PE-16"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "ma-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ma-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[1]"
-                          }
-                        ],
-                        "prose": "schedules maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[1][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[1][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[2]"
-                          }
-                        ],
-                        "prose": "performs maintenance and repairs on information system components in accordance\n                     with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[2][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[2][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[3]"
-                          }
-                        ],
-                        "prose": "documents maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[3][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[3][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-2.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(a)[4]"
-                          }
-                        ],
-                        "prose": "reviews records of maintenance and repairs on information system components in\n                     accordance with:",
-                        "parts": [
-                          {
-                            "id": "ma-2.a_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[4][a]"
-                              }
-                            ],
-                            "prose": "manufacturer or vendor specifications; and/or"
-                          },
-                          {
-                            "id": "ma-2.a_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-2(a)[4][b]"
-                              }
-                            ],
-                            "prose": "organizational requirements;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "approves all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"
-                      },
-                      {
-                        "id": "ma-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "monitors all maintenance activities, whether performed on site or remotely and\n                     whether the equipment is serviced on site or removed to another location;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles required to explicitly approve the removal of the\n                     information system or system components from organizational facilities for\n                     off-site maintenance or repairs;"
-                      },
-                      {
-                        "id": "ma-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(c)[2]"
-                          }
-                        ],
-                        "prose": "requires that organization-defined personnel or roles explicitly approve the\n                     removal of the information system or system components from organizational\n                     facilities for off-site maintenance or repairs;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-2(d)"
-                      }
-                    ],
-                    "prose": "sanitizes equipment to remove all information from associated media prior to\n                  removal from organizational facilities for off-site maintenance or repairs;"
-                  },
-                  {
-                    "id": "ma-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-2(e)"
-                      }
-                    ],
-                    "prose": "checks all potentially impacted security controls to verify that the controls are\n                  still functioning properly following maintenance or repair actions;"
-                  },
-                  {
-                    "id": "ma-2.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-2(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-2.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(f)[1]"
-                          }
-                        ],
-                        "prose": "defines maintenance-related information to be included in organizational\n                     maintenance records; and"
-                      },
-                      {
-                        "id": "ma-2.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-2(f)[2]"
-                          }
-                        ],
-                        "prose": "includes organization-defined maintenance-related information in organizational\n                     maintenance records."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing controlled information system maintenance\\n\\nmaintenance records\\n\\nmanufacturer/vendor maintenance specifications\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for scheduling, performing, documenting, reviewing,\n                  approving, and monitoring maintenance and repairs for the information system\\n\\norganizational processes for sanitizing information system components\\n\\nautomated mechanisms supporting and/or implementing controlled maintenance\\n\\nautomated mechanisms implementing sanitization of information system\n                  components"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-3",
-            "class": "SP800-53",
-            "title": "Maintenance Tools",
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-3_smt",
-                "name": "statement",
-                "prose": "The organization approves, controls, and monitors information system maintenance\n               tools."
-              },
-              {
-                "id": "ma-3_gdn",
-                "name": "guidance",
-                "prose": "This control addresses security-related issues associated with maintenance tools used\n               specifically for diagnostic and repair actions on organizational information systems.\n               Maintenance tools can include hardware, software, and firmware items. Maintenance\n               tools are potential vehicles for transporting malicious code, either intentionally or\n               unintentionally, into a facility and subsequently into organizational information\n               systems. Maintenance tools can include, for example, hardware/software diagnostic\n               test equipment and hardware/software packet sniffers. This control does not cover\n               hardware/software components that may support information system maintenance, yet are\n               a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,\n               or the hardware and software implementing the monitoring port of an Ethernet\n               switch.",
-                "links": [
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  }
-                ]
-              },
-              {
-                "id": "ma-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-3_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-3[1]"
-                      }
-                    ],
-                    "prose": "approves information system maintenance tools;"
-                  },
-                  {
-                    "id": "ma-3_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-3[2]"
-                      }
-                    ],
-                    "prose": "controls information system maintenance tools; and"
-                  },
-                  {
-                    "id": "ma-3_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-3[3]"
-                      }
-                    ],
-                    "prose": "monitors information system maintenance tools."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for approving, controlling, and monitoring maintenance\n                  tools\\n\\nautomated mechanisms supporting and/or implementing approval, control, and/or\n                  monitoring of maintenance tools"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ma-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Inspect Tools",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-3.1_smt",
-                    "name": "statement",
-                    "prose": "The organization inspects the maintenance tools carried into a facility by\n                  maintenance personnel for improper or unauthorized modifications."
-                  },
-                  {
-                    "id": "ma-3.1_gdn",
-                    "name": "guidance",
-                    "prose": "If, upon inspection of maintenance tools, organizations determine that the tools\n                  have been modified in an improper/unauthorized manner or contain malicious code,\n                  the incident is handled consistent with organizational policies and procedures for\n                  incident handling.",
-                    "links": [
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-3.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization inspects the maintenance tools carried into a\n                  facility by maintenance personnel for improper or unauthorized modifications. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance tool inspection records\\n\\nmaintenance records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for inspecting maintenance tools\\n\\nautomated mechanisms supporting and/or implementing inspection of maintenance\n                     tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-3.2",
-                "class": "SP800-53-enhancement",
-                "title": "Inspect Media",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-3(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-03.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-3.2_smt",
-                    "name": "statement",
-                    "prose": "The organization checks media containing diagnostic and test programs for\n                  malicious code before the media are used in the information system."
-                  },
-                  {
-                    "id": "ma-3.2_gdn",
-                    "name": "guidance",
-                    "prose": "If, upon inspection of media containing maintenance diagnostic and test programs,\n                  organizations determine that the media contain malicious code, the incident is\n                  handled consistent with organizational incident handling policies and\n                  procedures.",
-                    "links": [
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-3.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization checks media containing diagnostic and test programs\n                  for malicious code before the media are used in the information system. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for inspecting media for malicious code\\n\\nautomated mechanisms supporting and/or implementing inspection of media used\n                     for maintenance"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ma-3.3",
-                "class": "SP800-53-enhancement",
-                "title": "Prevent Unauthorized Removal",
-                "parameters": [
-                  {
-                    "id": "ma-3.3_prm_1",
-                    "label": "organization-defined personnel or roles",
-                    "constraints": [
-                      {
-                        "detail": "the information owner explicitly authorizing removal of the equipment from the facility"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-3(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-03.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-3.3_smt",
-                    "name": "statement",
-                    "prose": "The organization prevents the unauthorized removal of maintenance equipment\n                  containing organizational information by:",
-                    "parts": [
-                      {
-                        "id": "ma-3.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Verifying that there is no organizational information contained on the\n                     equipment;"
-                      },
-                      {
-                        "id": "ma-3.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Sanitizing or destroying the equipment;"
-                      },
-                      {
-                        "id": "ma-3.3_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Retaining the equipment within the facility; or"
-                      },
-                      {
-                        "id": "ma-3.3_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly\n                     authorizing removal of the equipment from the facility."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-3.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational information includes all information specifically owned by\n                  organizations and information provided to organizations in which organizations\n                  serve as information stewards."
-                  },
-                  {
-                    "id": "ma-3.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization prevents the unauthorized removal of maintenance\n                  equipment containing organizational information by: ",
-                    "parts": [
-                      {
-                        "id": "ma-3.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-3(3)(a)"
-                          }
-                        ],
-                        "prose": "verifying that there is no organizational information contained on the\n                     equipment;",
-                        "links": [
-                          {
-                            "href": "#ma-3.3_smt.a",
-                            "rel": "corresp",
-                            "text": "MA-3(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-3.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-3(3)(b)"
-                          }
-                        ],
-                        "prose": "sanitizing or destroying the equipment;",
-                        "links": [
-                          {
-                            "href": "#ma-3.3_smt.b",
-                            "rel": "corresp",
-                            "text": "MA-3(3)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-3.3.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-3(3)(c)"
-                          }
-                        ],
-                        "prose": "retaining the equipment within the facility; or",
-                        "links": [
-                          {
-                            "href": "#ma-3.3_smt.c",
-                            "rel": "corresp",
-                            "text": "MA-3(3)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-3.3.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-3(3)(d)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ma-3.3.d_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-3(3)(d)[1]"
-                              }
-                            ],
-                            "prose": "defining personnel or roles that can grant an exemption from explicitly\n                        authorizing removal of the equipment from the facility; and"
-                          },
-                          {
-                            "id": "ma-3.3.d_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MA-3(3)(d)[2]"
-                              }
-                            ],
-                            "prose": "obtaining an exemption from organization-defined personnel or roles\n                        explicitly authorizing removal of the equipment from the facility."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ma-3.3_smt.d",
-                            "rel": "corresp",
-                            "text": "MA-3(3)(d)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance tools\\n\\ninformation system maintenance tools and associated documentation\\n\\nmaintenance records\\n\\nequipment sanitization records\\n\\nmedia sanitization records\\n\\nexemptions for equipment removal\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational process for preventing unauthorized removal of information\\n\\nautomated mechanisms supporting media sanitization or destruction of\n                     equipment\\n\\nautomated mechanisms supporting verification of media sanitization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-4",
-            "class": "SP800-53",
-            "title": "Nonlocal Maintenance",
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-                "rel": "reference",
-                "text": "FIPS Publication 197"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              },
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              },
-              {
-                "href": "#a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-                "rel": "reference",
-                "text": "CNSS Policy 15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Approves and monitors nonlocal maintenance and diagnostic activities;"
-                  },
-                  {
-                    "id": "ma-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Allows the use of nonlocal maintenance and diagnostic tools only as consistent\n                  with organizational policy and documented in the security plan for the information\n                  system;"
-                  },
-                  {
-                    "id": "ma-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"
-                  },
-                  {
-                    "id": "ma-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Maintains records for nonlocal maintenance and diagnostic activities; and"
-                  },
-                  {
-                    "id": "ma-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Terminates session and network connections when nonlocal maintenance is\n                  completed."
-                  }
-                ]
-              },
-              {
-                "id": "ma-4_gdn",
-                "name": "guidance",
-                "prose": "Nonlocal maintenance and diagnostic activities are those activities conducted by\n               individuals communicating through a network, either an external network (e.g., the\n               Internet) or an internal network. Local maintenance and diagnostic activities are\n               those activities carried out by individuals physically present at the information\n               system or information system component and not communicating across a network\n               connection. Authentication techniques used in the establishment of nonlocal\n               maintenance and diagnostic sessions reflect the network access requirements in IA-2.\n               Typically, strong authentication requires authenticators that are resistant to replay\n               attacks and employ multifactor authentication. Strong authenticators include, for\n               example, PKI where certificates are stored on a token protected by a password,\n               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by\n               other controls.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  }
-                ]
-              },
-              {
-                "id": "ma-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(a)[1]"
-                          }
-                        ],
-                        "prose": "approves nonlocal maintenance and diagnostic activities;"
-                      },
-                      {
-                        "id": "ma-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors nonlocal maintenance and diagnostic activities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(b)"
-                      }
-                    ],
-                    "prose": "allows the use of nonlocal maintenance and diagnostic tools only:",
-                    "parts": [
-                      {
-                        "id": "ma-4.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(b)[1]"
-                          }
-                        ],
-                        "prose": "as consistent with organizational policy;"
-                      },
-                      {
-                        "id": "ma-4.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-4(b)[2]"
-                          }
-                        ],
-                        "prose": "as documented in the security plan for the information system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(c)"
-                      }
-                    ],
-                    "prose": "employs strong authenticators in the establishment of nonlocal maintenance and\n                  diagnostic sessions;"
-                  },
-                  {
-                    "id": "ma-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-4(d)"
-                      }
-                    ],
-                    "prose": "maintains records for nonlocal maintenance and diagnostic activities;"
-                  },
-                  {
-                    "id": "ma-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-4(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-4.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(e)[1]"
-                          }
-                        ],
-                        "prose": "terminates sessions when nonlocal maintenance or diagnostics is completed;\n                     and"
-                      },
-                      {
-                        "id": "ma-4.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(e)[2]"
-                          }
-                        ],
-                        "prose": "terminates network connections when nonlocal maintenance or diagnostics is\n                     completed."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing nonlocal information system maintenance\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing nonlocal maintenance\\n\\nautomated mechanisms implementing, supporting, and/or managing nonlocal\n                  maintenance\\n\\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic\n                  sessions\\n\\nautomated mechanisms for terminating nonlocal maintenance sessions and network\n                  connections"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ma-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Document Nonlocal Maintenance",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization documents in the security plan for the information system, the\n                  policies and procedures for the establishment and use of nonlocal maintenance and\n                  diagnostic connections."
-                  },
-                  {
-                    "id": "ma-4.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization documents in the security plan for the information\n                  system: ",
-                    "parts": [
-                      {
-                        "id": "ma-4.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(2)[1]"
-                          }
-                        ],
-                        "prose": "the policies for the establishment and use of nonlocal maintenance and\n                     diagnostic connections; and"
-                      },
-                      {
-                        "id": "ma-4.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-4(2)[2]"
-                          }
-                        ],
-                        "prose": "the procedures for the establishment and use of nonlocal maintenance and\n                     diagnostic connections."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing non-local information system maintenance\\n\\nsecurity plan\\n\\nmaintenance records\\n\\ndiagnostic records\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-5",
-            "class": "SP800-53",
-            "title": "Maintenance Personnel",
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ma-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes a process for maintenance personnel authorization and maintains a list\n                  of authorized maintenance organizations or personnel;"
-                  },
-                  {
-                    "id": "ma-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"
-                  },
-                  {
-                    "id": "ma-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."
-                  }
-                ]
-              },
-              {
-                "id": "ma-5_gdn",
-                "name": "guidance",
-                "prose": "This control applies to individuals performing hardware or software maintenance on\n               organizational information systems, while PE-2 addresses physical access for\n               individuals whose maintenance duties place them within the physical protection\n               perimeter of the systems (e.g., custodial staff, physical plant maintenance\n               personnel). Technical competence of supervising individuals relates to the\n               maintenance performed on the information systems while having required access\n               authorizations refers to maintenance on and near the systems. Individuals not\n               previously identified as authorized maintenance personnel, such as information\n               technology manufacturers, vendors, systems integrators, and consultants, may require\n               privileged access to organizational information systems, for example, when required\n               to conduct maintenance activities with little or no notice. Based on organizational\n               assessments of risk, organizations may issue temporary credentials to these\n               individuals. Temporary credentials may be for one-time use or for very limited time\n               periods.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-8",
-                    "rel": "related",
-                    "text": "IA-8"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "ma-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-5(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes a process for maintenance personnel authorization;"
-                      },
-                      {
-                        "id": "ma-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "maintains a list of authorized maintenance organizations or personnel;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-5(b)"
-                      }
-                    ],
-                    "prose": "ensures that non-escorted personnel performing maintenance on the information\n                  system have required access authorizations; and"
-                  },
-                  {
-                    "id": "ma-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MA-5(c)"
-                      }
-                    ],
-                    "prose": "designates organizational personnel with required access authorizations and\n                  technical competence to supervise the maintenance activities of personnel who do\n                  not possess the required access authorizations."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\nlist of authorized personnel\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for authorizing and managing maintenance personnel\\n\\nautomated mechanisms supporting and/or implementing authorization of maintenance\n                  personnel"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ma-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Individuals Without Appropriate Access",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MA-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ma-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ma-5.1_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "ma-5.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Implements procedures for the use of maintenance personnel that lack\n                     appropriate security clearances or are not U.S. citizens, that include the\n                     following requirements:",
-                        "parts": [
-                          {
-                            "id": "ma-5.1_smt.a.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(1)"
-                              }
-                            ],
-                            "prose": "Maintenance personnel who do not have needed access authorizations,\n                        clearances, or formal access approvals are escorted and supervised during\n                        the performance of maintenance and diagnostic activities on the information\n                        system by approved organizational personnel who are fully cleared, have\n                        appropriate access authorizations, and are technically qualified;"
-                          },
-                          {
-                            "id": "ma-5.1_smt.a.2",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(2)"
-                              }
-                            ],
-                            "prose": "Prior to initiating maintenance or diagnostic activities by personnel who do\n                        not have needed access authorizations, clearances or formal access\n                        approvals, all volatile information storage components within the\n                        information system are sanitized and all nonvolatile storage media are\n                        removed or physically disconnected from the system and secured; and"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-5.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Develops and implements alternate security safeguards in the event an\n                     information system component cannot be sanitized, removed, or disconnected from\n                     the system."
-                      },
-                      {
-                        "id": "ma-5.1_fr",
-                        "name": "item",
-                        "title": "MA-5 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ma-5.1_fr_smt.b",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement denies individuals who lack appropriate security\n                  clearances (i.e., individuals who do not possess security clearances or possess\n                  security clearances at a lower level than required) or who are not U.S. citizens,\n                  visual and electronic access to any classified information, Controlled\n                  Unclassified Information (CUI), or any other sensitive information contained on\n                  organizational information systems. Procedures for the use of maintenance\n                  personnel can be documented in security plans for the information systems.",
-                    "links": [
-                      {
-                        "href": "#mp-6",
-                        "rel": "related",
-                        "text": "MP-6"
-                      },
-                      {
-                        "href": "#pl-2",
-                        "rel": "related",
-                        "text": "PL-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ma-5.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ma-5.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-5(1)(a)"
-                          }
-                        ],
-                        "prose": "implements procedures for the use of maintenance personnel that lack\n                     appropriate security clearances or are not U.S. citizens, that include the\n                     following requirements:",
-                        "parts": [
-                          {
-                            "id": "ma-5.1.a.1_obj",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-5(1)(a)(1)"
-                              }
-                            ],
-                            "prose": "maintenance personnel who do not have needed access authorizations,\n                        clearances, or formal access approvals are escorted and supervised during\n                        the performance of maintenance and diagnostic activities on the information\n                        system by approved organizational personnel who:",
-                            "parts": [
-                              {
-                                "id": "ma-5.1.a.1_obj.1",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(1)[1]"
-                                  }
-                                ],
-                                "prose": "are fully cleared;"
-                              },
-                              {
-                                "id": "ma-5.1.a.1_obj.2",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(1)[2]"
-                                  }
-                                ],
-                                "prose": "have appropriate access authorizations;"
-                              },
-                              {
-                                "id": "ma-5.1.a.1_obj.3",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(1)[3]"
-                                  }
-                                ],
-                                "prose": "are technically qualified;"
-                              }
-                            ],
-                            "links": [
-                              {
-                                "href": "#ma-5.1_smt.a.1",
-                                "rel": "corresp",
-                                "text": "MA-5(1)(a)(1)"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ma-5.1.a.2_obj",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MA-5(1)(a)(2)"
-                              }
-                            ],
-                            "prose": "prior to initiating maintenance or diagnostic activities by personnel who do\n                        not have needed access authorizations, clearances, or formal access\n                        approvals:",
-                            "parts": [
-                              {
-                                "id": "ma-5.1.a.2_obj.1",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(2)[1]"
-                                  }
-                                ],
-                                "prose": "all volatile information storage components within the information system\n                           are sanitized; and"
-                              },
-                              {
-                                "id": "ma-5.1.a.2_obj.2",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(2)[2]"
-                                  }
-                                ],
-                                "prose": "all nonvolatile storage media are removed; or"
-                              },
-                              {
-                                "id": "ma-5.1.a.2_obj.3",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MA-5(1)(a)(2)[3]"
-                                  }
-                                ],
-                                "prose": "all nonvolatile storage media are physically disconnected from the system\n                           and secured; and"
-                              }
-                            ],
-                            "links": [
-                              {
-                                "href": "#ma-5.1_smt.a.2",
-                                "rel": "corresp",
-                                "text": "MA-5(1)(a)(2)"
-                              }
-                            ]
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ma-5.1_smt.a",
-                            "rel": "corresp",
-                            "text": "MA-5(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ma-5.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MA-5(1)(b)"
-                          }
-                        ],
-                        "prose": "develops and implements alternative security safeguards in the event an\n                     information system component cannot be sanitized, removed, or disconnected from\n                     the system.",
-                        "links": [
-                          {
-                            "href": "#ma-5.1_smt.b",
-                            "rel": "corresp",
-                            "text": "MA-5(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system maintenance policy\\n\\nprocedures addressing maintenance personnel\\n\\ninformation system media protection policy\\n\\nphysical and environmental protection policy\\n\\nsecurity plan\\n\\nlist of maintenance personnel requiring escort/supervision\\n\\nmaintenance records\\n\\naccess control records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system maintenance\n                     responsibilities\\n\\norganizational personnel with personnel security responsibilities\\n\\norganizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel responsible for media sanitization\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for managing maintenance personnel without appropriate\n                     access\\n\\nautomated mechanisms supporting and/or implementing alternative security\n                     safeguards\\n\\nautomated mechanisms supporting and/or implementing information storage\n                     component sanitization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ma-6",
-            "class": "SP800-53",
-            "title": "Timely Maintenance",
-            "parameters": [
-              {
-                "id": "ma-6_prm_1",
-                "label": "organization-defined information system components"
-              },
-              {
-                "id": "ma-6_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MA-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ma-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ma-6_smt",
-                "name": "statement",
-                "prose": "The organization obtains maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure."
-              },
-              {
-                "id": "ma-6_gdn",
-                "name": "guidance",
-                "prose": "Organizations specify the information system components that result in increased risk\n               to organizational operations and assets, individuals, other organizations, or the\n               Nation when the functionality provided by those components is not operational.\n               Organizational actions to obtain maintenance support typically include having\n               appropriate contracts in place.",
-                "links": [
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  },
-                  {
-                    "href": "#sa-14",
-                    "rel": "related",
-                    "text": "SA-14"
-                  },
-                  {
-                    "href": "#sa-15",
-                    "rel": "related",
-                    "text": "SA-15"
-                  }
-                ]
-              },
-              {
-                "id": "ma-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "ma-6_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-6[1]"
-                      }
-                    ],
-                    "prose": "defines information system components for which maintenance support and/or spare\n                  parts are to be obtained;"
-                  },
-                  {
-                    "id": "ma-6_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-6[2]"
-                      }
-                    ],
-                    "prose": "defines the time period within which maintenance support and/or spare parts are to\n                  be obtained after a failure;"
-                  },
-                  {
-                    "id": "ma-6_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MA-6[3]"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ma-6_obj.3.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-6[3][a]"
-                          }
-                        ],
-                        "prose": "obtains maintenance support for organization-defined information system\n                     components within the organization-defined time period of failure; and/or"
-                      },
-                      {
-                        "id": "ma-6_obj.3.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MA-6[3][b]"
-                          }
-                        ],
-                        "prose": "obtains spare parts for organization-defined information system components\n                     within the organization-defined time period of failure."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system maintenance policy\\n\\nprocedures addressing information system maintenance\\n\\nservice provider contracts\\n\\nservice-level agreements\\n\\ninventory and availability of spare parts\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system maintenance responsibilities\\n\\norganizational personnel with acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for ensuring timely maintenance"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "mp",
-        "class": "family",
-        "title": "Media Protection",
-        "controls": [
-          {
-            "id": "mp-1",
-            "class": "SP800-53",
-            "title": "Media Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "mp-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "mp-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "MP-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ mp-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "mp-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A media protection policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "mp-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the media protection policy and\n                     associated media protection controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "mp-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Media protection policy {{ mp-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "mp-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Media protection procedures {{ mp-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the MP\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "mp-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "mp-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a media protection policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "mp-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "mp-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "MP-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "mp-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the media protection policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "mp-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the media protection policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        media protection policy and associated media protection controls;"
-                          },
-                          {
-                            "id": "mp-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "mp-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current media protection\n                        policy;"
-                          },
-                          {
-                            "id": "mp-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current media protection policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "mp-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current media protection\n                        procedures; and"
-                          },
-                          {
-                            "id": "mp-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "MP-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current media protection procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Media protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with media protection responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-2",
-            "class": "SP800-53",
-            "title": "Media Access",
-            "parameters": [
-              {
-                "id": "mp-2_prm_1",
-                "label": "organization-defined types of digital and/or non-digital media"
-              },
-              {
-                "id": "mp-2_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-2_smt",
-                "name": "statement",
-                "prose": "The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}."
-              },
-              {
-                "id": "mp-2_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Restricting non-digital media access\n               includes, for example, denying access to patient medical records in a community\n               hospital unless the individuals seeking access to such records are authorized\n               healthcare providers. Restricting access to digital media includes, for example,\n               limiting access to design specifications stored on compact disks in the media library\n               to the project leader and the individuals on the development team.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  }
-                ]
-              },
-              {
-                "id": "mp-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-2_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[1]"
-                      }
-                    ],
-                    "prose": "defines types of digital and/or non-digital media requiring restricted access;"
-                  },
-                  {
-                    "id": "mp-2_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[2]"
-                      }
-                    ],
-                    "prose": "defines personnel or roles authorized to access organization-defined types of\n                  digital and/or non-digital media; and"
-                  },
-                  {
-                    "id": "mp-2_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-2[3]"
-                      }
-                    ],
-                    "prose": "restricts access to organization-defined types of digital and/or non-digital media\n                  to organization-defined personnel or roles."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media access restrictions\\n\\naccess control policy and procedures\\n\\nphysical and environmental protection policy and procedures\\n\\nmedia storage facilities\\n\\naccess control records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for restricting information media\\n\\nautomated mechanisms supporting and/or implementing media access restrictions"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-3",
-            "class": "SP800-53",
-            "title": "Media Marking",
-            "parameters": [
-              {
-                "id": "mp-3_prm_1",
-                "label": "organization-defined types of information system media",
-                "constraints": [
-                  {
-                    "detail": "no removable media types"
-                  }
-                ]
-              },
-              {
-                "id": "mp-3_prm_2",
-                "label": "organization-defined controlled areas"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Marks information system media indicating the distribution limitations, handling\n                  caveats, and applicable security markings (if any) of the information; and"
-                  },
-                  {
-                    "id": "mp-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Exempts {{ mp-3_prm_1 }} from marking as long as the media remain\n                  within {{ mp-3_prm_2 }}."
-                  },
-                  {
-                    "id": "mp-3_fr",
-                    "name": "item",
-                    "title": "MP-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "mp-3_fr_gdn.b",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b) Guidance:"
-                          }
-                        ],
-                        "prose": "Second parameter not-applicable"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-3_gdn",
-                "name": "guidance",
-                "prose": "The term security marking refers to the application/use of human-readable security\n               attributes. The term security labeling refers to the application/use of security\n               attributes with regard to internal data structures within information systems (see\n               AC-16). Information system media includes both digital and non-digital media. Digital\n               media includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Security marking is generally not\n               required for media containing information determined by organizations to be in the\n               public domain or to be publicly releasable. However, some organizations may require\n               markings for public information indicating that the information is publicly\n               releasable. Marking of information system media reflects applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and guidance.",
-                "links": [
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "mp-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-3(a)"
-                      }
-                    ],
-                    "prose": "marks information system media indicating the:",
-                    "parts": [
-                      {
-                        "id": "mp-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-3(a)[1]"
-                          }
-                        ],
-                        "prose": "distribution limitations of the information;"
-                      },
-                      {
-                        "id": "mp-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-3(a)[2]"
-                          }
-                        ],
-                        "prose": "handling caveats of the information;"
-                      },
-                      {
-                        "id": "mp-3.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-3(a)[3]"
-                          }
-                        ],
-                        "prose": "applicable security markings (if any) of the information;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines types of information system media to be exempted from marking as long\n                     as the media remain in designated controlled areas;"
-                      },
-                      {
-                        "id": "mp-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-3(b)[2]"
-                          }
-                        ],
-                        "prose": "defines controlled areas where organization-defined types of information system\n                     media exempt from marking are to be retained; and"
-                      },
-                      {
-                        "id": "mp-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-3(b)[3]"
-                          }
-                        ],
-                        "prose": "exempts organization-defined types of information system media from marking as\n                     long as the media remain within organization-defined controlled areas."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media marking\\n\\nphysical and environmental protection policy and procedures\\n\\nsecurity plan\\n\\nlist of information system media marking security attributes\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection and marking\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for marking information media\\n\\nautomated mechanisms supporting and/or implementing media marking"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-4",
-            "class": "SP800-53",
-            "title": "Media Storage",
-            "parameters": [
-              {
-                "id": "mp-4_prm_1",
-                "label": "organization-defined types of digital and/or non-digital media",
-                "constraints": [
-                  {
-                    "detail": "all types of digital and non-digital media with sensitive information"
-                  }
-                ]
-              },
-              {
-                "id": "mp-4_prm_2",
-                "label": "organization-defined controlled areas",
-                "constraints": [
-                  {
-                    "detail": "see additional FedRAMP requirements and guidance"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-56"
-              },
-              {
-                "href": "#a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-57"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Physically controls and securely stores {{ mp-4_prm_1 }} within\n                     {{ mp-4_prm_2 }}; and"
-                  },
-                  {
-                    "id": "mp-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Protects information system media until the media are destroyed or sanitized using\n                  approved equipment, techniques, and procedures."
-                  },
-                  {
-                    "id": "mp-4_fr",
-                    "name": "item",
-                    "title": "MP-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "mp-4_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines controlled areas within facilities where the information and information system reside."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-4_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. Physically controlling information system\n               media includes, for example, conducting inventories, ensuring procedures are in place\n               to allow individuals to check out and return media to the media library, and\n               maintaining accountability for all stored media. Secure storage includes, for\n               example, a locked drawer, desk, or cabinet, or a controlled media library. The type\n               of media storage is commensurate with the security category and/or classification of\n               the information residing on the media. Controlled areas are areas for which\n               organizations provide sufficient physical and procedural safeguards to meet the\n               requirements established for protecting information and/or information systems. For\n               media containing information determined by organizations to be in the public domain,\n               to be publicly releasable, or to have limited or no adverse impact on organizations\n               or individuals if accessed by other than authorized personnel, fewer safeguards may\n               be needed. In these situations, physical access controls provide adequate\n               protection.",
-                "links": [
-                  {
-                    "href": "#cp-6",
-                    "rel": "related",
-                    "text": "CP-6"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-7",
-                    "rel": "related",
-                    "text": "MP-7"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  }
-                ]
-              },
-              {
-                "id": "mp-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines types of digital and/or non-digital media to be physically controlled\n                     and securely stored within designated controlled areas;"
-                      },
-                      {
-                        "id": "mp-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-4(a)[2]"
-                          }
-                        ],
-                        "prose": "defines controlled areas designated to physically control and securely store\n                     organization-defined types of digital and/or non-digital media;"
-                      },
-                      {
-                        "id": "mp-4.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-4(a)[3]"
-                          }
-                        ],
-                        "prose": "physically controls organization-defined types of digital and/or non-digital\n                     media within organization-defined controlled areas;"
-                      },
-                      {
-                        "id": "mp-4.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-4(a)[4]"
-                          }
-                        ],
-                        "prose": "securely stores organization-defined types of digital and/or non-digital media\n                     within organization-defined controlled areas; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-4(b)"
-                      }
-                    ],
-                    "prose": "protects information system media until the media are destroyed or sanitized using\n                  approved equipment, techniques, and procedures."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media storage\\n\\nphysical and environmental protection policy and procedures\\n\\naccess control policy and procedures\\n\\nsecurity plan\\n\\ninformation system media\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection and storage\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for storing information media\\n\\nautomated mechanisms supporting and/or implementing secure media storage/media\n                  protection"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-5",
-            "class": "SP800-53",
-            "title": "Media Transport",
-            "parameters": [
-              {
-                "id": "mp-5_prm_1",
-                "label": "organization-defined types of information system media",
-                "constraints": [
-                  {
-                    "detail": "all media with sensitive information"
-                  }
-                ]
-              },
-              {
-                "id": "mp-5_prm_2",
-                "label": "organization-defined security safeguards",
-                "constraints": [
-                  {
-                    "detail": "prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Protects and controls {{ mp-5_prm_1 }} during transport outside of\n                  controlled areas using {{ mp-5_prm_2 }};"
-                  },
-                  {
-                    "id": "mp-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Maintains accountability for information system media during transport outside of\n                  controlled areas;"
-                  },
-                  {
-                    "id": "mp-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents activities associated with the transport of information system media;\n                  and"
-                  },
-                  {
-                    "id": "mp-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Restricts the activities associated with the transport of information system media\n                  to authorized personnel."
-                  },
-                  {
-                    "id": "mp-5_fr",
-                    "name": "item",
-                    "title": "MP-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "mp-5_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "mp-5_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers),\n               that are transported outside of controlled areas. Controlled areas are areas or\n               spaces for which organizations provide sufficient physical and/or procedural\n               safeguards to meet the requirements established for protecting information and/or\n               information systems. Physical and technical safeguards for media are commensurate\n               with the security category or classification of the information residing on the\n               media. Safeguards to protect media during transport include, for example, locked\n               containers and cryptography. Cryptographic mechanisms can provide confidentiality and\n               integrity protections depending upon the mechanisms used. Activities associated with\n               transport include the actual transport as well as those activities such as releasing\n               media for transport and ensuring that media enters the appropriate transport\n               processes. For the actual transport, authorized transport and courier personnel may\n               include individuals from outside the organization (e.g., U.S. Postal Service or a\n               commercial transport or delivery service). Maintaining accountability of media during\n               transport includes, for example, restricting transport activities to authorized\n               personnel, and tracking and/or obtaining explicit records of transport activities as\n               the media moves through the transportation system to prevent and detect loss,\n               destruction, or tampering. Organizations establish documentation requirements for\n               activities associated with the transport of information system media in accordance\n               with organizational assessments of risk to include the flexibility to define\n               different record-keeping methods for the different types of media transport as part\n               of an overall system of transport-related records.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#mp-3",
-                    "rel": "related",
-                    "text": "MP-3"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  }
-                ]
-              },
-              {
-                "id": "mp-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-5(a)[1]"
-                          }
-                        ],
-                        "prose": "defines types of information system media to be protected and controlled during\n                     transport outside of controlled areas;"
-                      },
-                      {
-                        "id": "mp-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-5(a)[2]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to protect and control organization-defined\n                     information system media during transport outside of controlled areas;"
-                      },
-                      {
-                        "id": "mp-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-5(a)[3]"
-                          }
-                        ],
-                        "prose": "protects and controls organization-defined information system media during\n                     transport outside of controlled areas using organization-defined security\n                     safeguards;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-5(b)"
-                      }
-                    ],
-                    "prose": "maintains accountability for information system media during transport outside of\n                  controlled areas;"
-                  },
-                  {
-                    "id": "mp-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-5(c)"
-                      }
-                    ],
-                    "prose": "documents activities associated with the transport of information system media;\n                  and"
-                  },
-                  {
-                    "id": "mp-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-5(d)"
-                      }
-                    ],
-                    "prose": "restricts the activities associated with transport of information system media to\n                  authorized personnel."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media storage\\n\\nphysical and environmental protection policy and procedures\\n\\naccess control policy and procedures\\n\\nsecurity plan\\n\\ninformation system media\\n\\ndesignated controlled areas\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media protection and storage\n                  responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for storing information media\\n\\nautomated mechanisms supporting and/or implementing media storage/media\n                  protection"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "mp-5.4",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptographic Protection",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MP-5(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "mp-05.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "mp-5.4_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to protect the\n                  confidentiality and integrity of information stored on digital media during\n                  transport outside of controlled areas."
-                  },
-                  {
-                    "id": "mp-5.4_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to both portable storage devices (e.g., USB\n                  memory sticks, compact disks, digital video disks, external/removable hard disk\n                  drives) and mobile devices with storage capability (e.g., smart phones, tablets,\n                  E-readers).",
-                    "links": [
-                      {
-                        "href": "#mp-2",
-                        "rel": "related",
-                        "text": "MP-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-5.4_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs cryptographic mechanisms to protect the\n                  confidentiality and integrity of information stored on digital media during\n                  transport outside of controlled areas. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system media protection policy\\n\\nprocedures addressing media transport\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system media transport records\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system media transport\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms protecting information on digital media during\n                     transportation outside controlled areas"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-6",
-            "class": "SP800-53",
-            "title": "Media Sanitization",
-            "parameters": [
-              {
-                "id": "mp-6_prm_1",
-                "label": "organization-defined information system media"
-              },
-              {
-                "id": "mp-6_prm_2",
-                "label": "organization-defined sanitization techniques and procedures"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-06"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              },
-              {
-                "href": "#263823e0-a971-4b00-959d-315b26278b22",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-88"
-              },
-              {
-                "href": "#a47466c4-c837-4f06-a39f-e68412a5f73d",
-                "rel": "reference",
-                "text": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "mp-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of\n                  organizational control, or release for reuse using {{ mp-6_prm_2 }}\n                  in accordance with applicable federal and organizational standards and policies;\n                  and"
-                  },
-                  {
-                    "id": "mp-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs sanitization mechanisms with the strength and integrity commensurate with\n                  the security category or classification of the information."
-                  }
-                ]
-              },
-              {
-                "id": "mp-6_gdn",
-                "name": "guidance",
-                "prose": "This control applies to all information system media, both digital and non-digital,\n               subject to disposal or reuse, whether or not the media is considered removable.\n               Examples include media found in scanners, copiers, printers, notebook computers,\n               workstations, network components, and mobile devices. The sanitization process\n               removes information from the media such that the information cannot be retrieved or\n               reconstructed. Sanitization techniques, including clearing, purging, cryptographic\n               erase, and destruction, prevent the disclosure of information to unauthorized\n               individuals when such media is reused or released for disposal. Organizations\n               determine the appropriate sanitization methods recognizing that destruction is\n               sometimes necessary when other methods cannot be applied to media requiring\n               sanitization. Organizations use discretion on the employment of approved sanitization\n               techniques and procedures for media containing information deemed to be in the public\n               domain or publicly releasable, or deemed to have no adverse impact on organizations\n               or individuals if released for reuse or disposal. Sanitization of non-digital media\n               includes, for example, removing a classified appendix from an otherwise unclassified\n               document, or redacting selected sections or words from a document by obscuring the\n               redacted sections/words in a manner equivalent in effectiveness to removing them from\n               the document. NSA standards and policies control the sanitization process for media\n               containing classified information.",
-                "links": [
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-4",
-                    "rel": "related",
-                    "text": "SC-4"
-                  }
-                ]
-              },
-              {
-                "id": "mp-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "mp-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[1]"
-                          }
-                        ],
-                        "prose": "defines information system media to be sanitized prior to:",
-                        "parts": [
-                          {
-                            "id": "mp-6.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][a]"
-                              }
-                            ],
-                            "prose": "disposal;"
-                          },
-                          {
-                            "id": "mp-6.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][b]"
-                              }
-                            ],
-                            "prose": "release out of organizational control; or"
-                          },
-                          {
-                            "id": "mp-6.a_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[1][c]"
-                              }
-                            ],
-                            "prose": "release for reuse;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[2]"
-                          }
-                        ],
-                        "prose": "defines sanitization techniques or procedures to be used for sanitizing\n                     organization-defined information system media prior to:",
-                        "parts": [
-                          {
-                            "id": "mp-6.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][a]"
-                              }
-                            ],
-                            "prose": "disposal;"
-                          },
-                          {
-                            "id": "mp-6.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][b]"
-                              }
-                            ],
-                            "prose": "release out of organizational control; or"
-                          },
-                          {
-                            "id": "mp-6.a_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "MP-6(a)[2][c]"
-                              }
-                            ],
-                            "prose": "release for reuse;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "mp-6.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(a)[3]"
-                          }
-                        ],
-                        "prose": "sanitizes organization-defined information system media prior to disposal,\n                     release out of organizational control, or release for reuse using\n                     organization-defined sanitization techniques or procedures in accordance with\n                     applicable federal and organizational standards and policies; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-6(b)"
-                      }
-                    ],
-                    "prose": "employs sanitization mechanisms with strength and integrity commensurate with the\n                  security category or classification of the information."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\napplicable federal standards and policies addressing media sanitization\\n\\nmedia sanitization records\\n\\naudit records\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with media sanitization responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "mp-6.2",
-                "class": "SP800-53-enhancement",
-                "title": "Equipment Testing",
-                "parameters": [
-                  {
-                    "id": "mp-6.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least annually"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "MP-6(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "mp-06.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "mp-6.2_smt",
-                    "name": "statement",
-                    "prose": "The organization tests sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being\n                  achieved.",
-                    "parts": [
-                      {
-                        "id": "mp-6.2_fr",
-                        "name": "item",
-                        "title": "MP-6 (2) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "mp-6.2_fr_gdn.a",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "(a) Requirement:"
-                              }
-                            ],
-                            "prose": "Equipment and procedures may be tested or validated for effectiveness"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-6.2_gdn",
-                    "name": "guidance",
-                    "prose": "Testing of sanitization equipment and procedures may be conducted by qualified and\n                  authorized external entities (e.g., other federal agencies or external service\n                  providers)."
-                  },
-                  {
-                    "id": "mp-6.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "mp-6.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(2)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency for testing sanitization equipment and procedures to\n                     verify that the intended sanitization is being achieved; and"
-                      },
-                      {
-                        "id": "mp-6.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "MP-6(2)[2]"
-                          }
-                        ],
-                        "prose": "tests sanitization equipment and procedures with the organization-defined\n                     frequency to verify that the intended sanitization is being achieved."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system media protection policy\\n\\nprocedures addressing media sanitization and disposal\\n\\nprocedures addressing testing of media sanitization equipment\\n\\nresults of media sanitization equipment and procedures testing\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system media sanitization\n                     responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for media sanitization\\n\\nautomated mechanisms supporting and/or implementing media sanitization"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "mp-7",
-            "class": "SP800-53",
-            "title": "Media Use",
-            "parameters": [
-              {
-                "id": "mp-7_prm_1"
-              },
-              {
-                "id": "mp-7_prm_2",
-                "label": "organization-defined types of information system media"
-              },
-              {
-                "id": "mp-7_prm_3",
-                "label": "organization-defined information systems or system components"
-              },
-              {
-                "id": "mp-7_prm_4",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "MP-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "mp-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "mp-7_smt",
-                "name": "statement",
-                "prose": "The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}."
-              },
-              {
-                "id": "mp-7_gdn",
-                "name": "guidance",
-                "prose": "Information system media includes both digital and non-digital media. Digital media\n               includes, for example, diskettes, magnetic tapes, external/removable hard disk\n               drives, flash drives, compact disks, and digital video disks. Non-digital media\n               includes, for example, paper and microfilm. This control also applies to mobile\n               devices with information storage capability (e.g., smart phones, tablets, E-readers).\n               In contrast to MP-2, which restricts user access to media, this control restricts the\n               use of certain types of media on information systems, for example,\n               restricting/prohibiting the use of flash drives or external hard disk drives.\n               Organizations can employ technical and nontechnical safeguards (e.g., policies,\n               procedures, rules of behavior) to restrict the use of information system media.\n               Organizations may restrict the use of portable storage devices, for example, by using\n               physical cages on workstations to prohibit access to certain external ports, or\n               disabling/removing the ability to insert, read or write to such devices.\n               Organizations may also limit the use of portable storage devices to only approved\n               devices including, for example, devices provided by the organization, devices\n               provided by other approved organizations, and devices that are not personally owned.\n               Finally, organizations may restrict the use of portable storage devices based on the\n               type of device, for example, prohibiting the use of writeable, portable storage\n               devices, and implementing this restriction by disabling or removing the capability to\n               write to such devices.",
-                "links": [
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  }
-                ]
-              },
-              {
-                "id": "mp-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "mp-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[1]"
-                      }
-                    ],
-                    "prose": "defines types of information system media to be:",
-                    "parts": [
-                      {
-                        "id": "mp-7_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[1][a]"
-                          }
-                        ],
-                        "prose": "restricted on information systems or system components; or"
-                      },
-                      {
-                        "id": "mp-7_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[1][b]"
-                          }
-                        ],
-                        "prose": "prohibited from use on information systems or system components;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "MP-7[2]"
-                      }
-                    ],
-                    "prose": "defines information systems or system components on which the use of\n                  organization-defined types of information system media is to be one of the\n                  following:",
-                    "parts": [
-                      {
-                        "id": "mp-7_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[2][a]"
-                          }
-                        ],
-                        "prose": "restricted; or"
-                      },
-                      {
-                        "id": "mp-7_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "MP-7[2][b]"
-                          }
-                        ],
-                        "prose": "prohibited;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-7[3]"
-                      }
-                    ],
-                    "prose": "defines security safeguards to be employed to restrict or prohibit the use of\n                  organization-defined types of information system media on organization-defined\n                  information systems or system components; and"
-                  },
-                  {
-                    "id": "mp-7_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "MP-7[4]"
-                      }
-                    ],
-                    "prose": "restricts or prohibits the use of organization-defined information system media on\n                  organization-defined information systems or system components using\n                  organization-defined security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for media use\\n\\nautomated mechanisms restricting or prohibiting use of information system media on\n                  information systems or system components"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "mp-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Prohibit Use Without Owner",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "MP-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "mp-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "mp-7.1_smt",
-                    "name": "statement",
-                    "prose": "The organization prohibits the use of portable storage devices in organizational\n                  information systems when such devices have no identifiable owner."
-                  },
-                  {
-                    "id": "mp-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Requiring identifiable owners (e.g., individuals, organizations, or projects) for\n                  portable storage devices reduces the risk of using such technologies by allowing\n                  organizations to assign responsibility and accountability for addressing known\n                  vulnerabilities in the devices (e.g., malicious code insertion).",
-                    "links": [
-                      {
-                        "href": "#pl-4",
-                        "rel": "related",
-                        "text": "PL-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "mp-7.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization prohibits the use of portable storage devices in\n                  organizational information systems when such devices have no identifiable owner.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Information system media protection policy\\n\\nsystem use policy\\n\\nprocedures addressing media usage restrictions\\n\\nsecurity plan\\n\\nrules of behavior\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\naudit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with information system media use responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for media use\\n\\nautomated mechanisms prohibiting use of media on information systems or system\n                     components"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "pe",
-        "class": "family",
-        "title": "Physical and Environmental Protection",
-        "controls": [
-          {
-            "id": "pe-1",
-            "class": "SP800-53",
-            "title": "Physical and Environmental Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "pe-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pe-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ pe-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "pe-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A physical and environmental protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "pe-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the physical and environmental\n                     protection policy and associated physical and environmental protection\n                     controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "pe-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Physical and environmental protection policy {{ pe-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "pe-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Physical and environmental protection procedures {{ pe-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PE\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "pe-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "pe-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a physical and environmental protection policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "pe-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "pe-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "pe-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the physical and environmental protection\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "pe-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the physical and environmental protection policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        physical and environmental protection policy and associated physical and\n                        environmental protection controls;"
-                          },
-                          {
-                            "id": "pe-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pe-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current physical and\n                        environmental protection policy;"
-                          },
-                          {
-                            "id": "pe-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current physical and environmental protection policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pe-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current physical and\n                        environmental protection procedures; and"
-                          },
-                          {
-                            "id": "pe-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current physical and environmental protection\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical and environmental protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-2",
-            "class": "SP800-53",
-            "title": "Physical Access Authorizations",
-            "parameters": [
-              {
-                "id": "pe-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, approves, and maintains a list of individuals with authorized access to\n                  the facility where the information system resides;"
-                  },
-                  {
-                    "id": "pe-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Issues authorization credentials for facility access;"
-                  },
-                  {
-                    "id": "pe-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the access list detailing authorized facility access by individuals\n                     {{ pe-2_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Removes individuals from the facility access list when access is no longer\n                  required."
-                  }
-                ]
-              },
-              {
-                "id": "pe-2_gdn",
-                "name": "guidance",
-                "prose": "This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Authorization credentials include, for\n               example, badges, identification cards, and smart cards. Organizations determine the\n               strength of authorization credentials needed (including level of forge-proof badges,\n               smart cards, or identification cards) consistent with federal standards, policies,\n               and procedures. This control only applies to areas within facilities that have not\n               been designated as publicly accessible.",
-                "links": [
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[1]"
-                          }
-                        ],
-                        "prose": "develops a list of individuals with authorized access to the facility where the\n                     information system resides;"
-                      },
-                      {
-                        "id": "pe-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[2]"
-                          }
-                        ],
-                        "prose": "approves a list of individuals with authorized access to the facility where the\n                     information system resides;"
-                      },
-                      {
-                        "id": "pe-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(a)[3]"
-                          }
-                        ],
-                        "prose": "maintains a list of individuals with authorized access to the facility where\n                     the information system resides;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-2(b)"
-                      }
-                    ],
-                    "prose": "issues authorization credentials for facility access;"
-                  },
-                  {
-                    "id": "pe-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the access list detailing authorized facility\n                     access by individuals;"
-                      },
-                      {
-                        "id": "pe-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the access list detailing authorized facility access by individuals\n                     with the organization-defined frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-2(d)"
-                      }
-                    ],
-                    "prose": "removes individuals from the facility access list when access is no longer\n                  required."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access authorizations\\n\\nsecurity plan\\n\\nauthorized personnel access list\\n\\nauthorization credentials\\n\\nphysical access list reviews\\n\\nphysical access termination records and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access authorization responsibilities\\n\\norganizational personnel with physical access to information system facility\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for physical access authorizations\\n\\nautomated mechanisms supporting and/or implementing physical access\n                  authorizations"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-3",
-            "class": "SP800-53",
-            "title": "Physical Access Control",
-            "parameters": [
-              {
-                "id": "pe-3_prm_1",
-                "label": "organization-defined entry/exit points to the facility where the information\n               system resides"
-              },
-              {
-                "id": "pe-3_prm_2",
-                "constraints": [
-                  {
-                    "detail": "CSP defined physical access control systems/devices AND guards"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_3",
-                "depends-on": "pe-3_prm_2",
-                "label": "organization-defined physical access control systems/devices",
-                "constraints": [
-                  {
-                    "detail": "CSP defined physical access control systems/devices"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_4",
-                "label": "organization-defined entry/exit points"
-              },
-              {
-                "id": "pe-3_prm_5",
-                "label": "organization-defined security safeguards"
-              },
-              {
-                "id": "pe-3_prm_6",
-                "label": "organization-defined circumstances requiring visitor escorts and\n               monitoring",
-                "constraints": [
-                  {
-                    "detail": "in all circumstances within restricted access area where the information system resides"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_7",
-                "label": "organization-defined physical access devices"
-              },
-              {
-                "id": "pe-3_prm_8",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_prm_9",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-116"
-              },
-              {
-                "href": "#6caa237b-531b-43ac-9711-d8f6b97b0377",
-                "rel": "reference",
-                "text": "ICD 704"
-              },
-              {
-                "href": "#398e33fd-f404-4e5c-b90e-2d50d3181244",
-                "rel": "reference",
-                "text": "ICD 705"
-              },
-              {
-                "href": "#61081e7f-041d-4033-96a7-44a439071683",
-                "rel": "reference",
-                "text": "DoD Instruction 5200.39"
-              },
-              {
-                "href": "#dd2f5acd-08f1-435a-9837-f8203088dc1a",
-                "rel": "reference",
-                "text": "Personal Identity Verification (PIV) in Enterprise\n            Physical Access Control System (E-PACS)"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              },
-              {
-                "href": "#5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-                "rel": "reference",
-                "text": "http://fips201ep.cio.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Enforces physical access authorizations at {{ pe-3_prm_1 }} by;",
-                    "parts": [
-                      {
-                        "id": "pe-3_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Verifying individual access authorizations before granting access to the\n                     facility; and"
-                      },
-                      {
-                        "id": "pe-3_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Maintains physical access audit logs for {{ pe-3_prm_4 }};"
-                  },
-                  {
-                    "id": "pe-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides {{ pe-3_prm_5 }} to control access to areas within the\n                  facility officially designated as publicly accessible;"
-                  },
-                  {
-                    "id": "pe-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};"
-                  },
-                  {
-                    "id": "pe-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Secures keys, combinations, and other physical access devices;"
-                  },
-                  {
-                    "id": "pe-3_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};\n                  and"
-                  },
-                  {
-                    "id": "pe-3_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are\n                  lost, combinations are compromised, or individuals are transferred or\n                  terminated."
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_gdn",
-                "name": "guidance",
-                "prose": "This control applies to organizational employees and visitors. Individuals (e.g.,\n               employees, contractors, and others) with permanent physical access authorization\n               credentials are not considered visitors. Organizations determine the types of\n               facility guards needed including, for example, professional physical security staff\n               or other personnel such as administrative staff or information system users. Physical\n               access devices include, for example, keys, locks, combinations, and card readers.\n               Safeguards for publicly accessible areas within organizational facilities include,\n               for example, cameras, monitoring by guards, and isolating selected information\n               systems and/or system components in secured areas. Physical access control systems\n               comply with applicable federal laws, Executive Orders, directives, policies,\n               regulations, standards, and guidance. The Federal Identity, Credential, and Access\n               Management Program provides implementation guidance for identity, credential, and\n               access management capabilities for physical access control systems. Organizations\n               have flexibility in the types of audit logs employed. Audit logs can be procedural\n               (e.g., a written log of individuals accessing the facility and when such access\n               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination\n               thereof. Physical access points can include facility access points, interior access\n               points to information systems and/or components requiring supplemental access\n               controls, or both. Components of organizational information systems (e.g.,\n               workstations, terminals) may be located in areas designated as publicly accessible\n               with organizations safeguarding access to such devices.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#pe-5",
-                    "rel": "related",
-                    "text": "PE-5"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines entry/exit points to the facility where the information system\n                     resides;"
-                      },
-                      {
-                        "id": "pe-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(a)[2]"
-                          }
-                        ],
-                        "prose": "enforces physical access authorizations at organization-defined entry/exit\n                     points to the facility where the information system resides by:",
-                        "parts": [
-                          {
-                            "id": "pe-3.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(a)[2](1)"
-                              }
-                            ],
-                            "prose": "verifying individual access authorizations before granting access to the\n                        facility;"
-                          },
-                          {
-                            "id": "pe-3.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PE-3(a)[2](2)"
-                              }
-                            ],
-                            "parts": [
-                              {
-                                "id": "pe-3.a.2_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-3(a)[2](2)[a]"
-                                  }
-                                ],
-                                "prose": "defining physical access control systems/devices to be employed to\n                           control ingress/egress to the facility where the information system\n                           resides;"
-                              },
-                              {
-                                "id": "pe-3.a.2_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PE-3(a)[2](2)[b]"
-                                  }
-                                ],
-                                "prose": "using one or more of the following ways to control ingress/egress to the\n                           facility:",
-                                "parts": [
-                                  {
-                                    "id": "pe-3.a.2_obj.2.b.1",
-                                    "name": "objective",
-                                    "properties": [
-                                      {
-                                        "name": "label",
-                                        "value": "PE-3(a)[2](2)[b][1]"
-                                      }
-                                    ],
-                                    "prose": "organization-defined physical access control systems/devices;\n                              and/or"
-                                  },
-                                  {
-                                    "id": "pe-3.a.2_obj.2.b.2",
-                                    "name": "objective",
-                                    "properties": [
-                                      {
-                                        "name": "label",
-                                        "value": "PE-3(a)[2](2)[b][2]"
-                                      }
-                                    ],
-                                    "prose": "guards;"
-                                  }
-                                ]
-                              }
-                            ]
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines entry/exit points for which physical access audit logs are to be\n                     maintained;"
-                      },
-                      {
-                        "id": "pe-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(b)[2]"
-                          }
-                        ],
-                        "prose": "maintains physical access audit logs for organization-defined entry/exit\n                     points;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed to control access to areas within\n                     the facility officially designated as publicly accessible;"
-                      },
-                      {
-                        "id": "pe-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(c)[2]"
-                          }
-                        ],
-                        "prose": "provides organization-defined security safeguards to control access to areas\n                     within the facility officially designated as publicly accessible;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(d)[1]"
-                          }
-                        ],
-                        "prose": "defines circumstances requiring visitor:",
-                        "parts": [
-                          {
-                            "id": "pe-3.d_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[1][a]"
-                              }
-                            ],
-                            "prose": "escorts;"
-                          },
-                          {
-                            "id": "pe-3.d_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[1][b]"
-                              }
-                            ],
-                            "prose": "monitoring;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pe-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(d)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with organization-defined circumstances requiring visitor escorts\n                     and monitoring:",
-                        "parts": [
-                          {
-                            "id": "pe-3.d_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[2][a]"
-                              }
-                            ],
-                            "prose": "escorts visitors;"
-                          },
-                          {
-                            "id": "pe-3.d_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(d)[2][b]"
-                              }
-                            ],
-                            "prose": "monitors visitor activities;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[1]"
-                          }
-                        ],
-                        "prose": "secures keys;"
-                      },
-                      {
-                        "id": "pe-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[2]"
-                          }
-                        ],
-                        "prose": "secures combinations;"
-                      },
-                      {
-                        "id": "pe-3.e_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(e)[3]"
-                          }
-                        ],
-                        "prose": "secures other physical access devices;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[1]"
-                          }
-                        ],
-                        "prose": "defines physical access devices to be inventoried;"
-                      },
-                      {
-                        "id": "pe-3.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to inventory organization-defined physical access\n                     devices;"
-                      },
-                      {
-                        "id": "pe-3.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(f)[3]"
-                          }
-                        ],
-                        "prose": "inventories the organization-defined physical access devices with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-3.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-3(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-3.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(g)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to change combinations and keys; and"
-                      },
-                      {
-                        "id": "pe-3.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-3(g)[2]"
-                          }
-                        ],
-                        "prose": "changes combinations and keys with the organization-defined frequency and/or\n                     when:",
-                        "parts": [
-                          {
-                            "id": "pe-3.g_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][a]"
-                              }
-                            ],
-                            "prose": "keys are lost;"
-                          },
-                          {
-                            "id": "pe-3.g_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][b]"
-                              }
-                            ],
-                            "prose": "combinations are compromised;"
-                          },
-                          {
-                            "id": "pe-3.g_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-3(g)[2][c]"
-                              }
-                            ],
-                            "prose": "individuals are transferred or terminated."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access control\\n\\nsecurity plan\\n\\nphysical access control logs or records\\n\\ninventory records of physical access control devices\\n\\ninformation system entry and exit points\\n\\nrecords of key and lock combination changes\\n\\nstorage locations for physical access control devices\\n\\nphysical access control devices\\n\\nlist of security safeguards controlling access to designated publicly accessible\n                  areas within facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for physical access control\\n\\nautomated mechanisms supporting and/or implementing physical access control\\n\\nphysical access control devices"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-4",
-            "class": "SP800-53",
-            "title": "Access Control for Transmission Medium",
-            "parameters": [
-              {
-                "id": "pe-4_prm_1",
-                "label": "organization-defined information system distribution and transmission\n               lines"
-              },
-              {
-                "id": "pe-4_prm_2",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#06dff0ea-3848-4945-8d91-e955ee69f05d",
-                "rel": "reference",
-                "text": "NSTISSI No. 7003"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-4_smt",
-                "name": "statement",
-                "prose": "The organization controls physical access to {{ pe-4_prm_1 }} within\n               organizational facilities using {{ pe-4_prm_2 }}."
-              },
-              {
-                "id": "pe-4_gdn",
-                "name": "guidance",
-                "prose": "Physical security safeguards applied to information system distribution and\n               transmission lines help to prevent accidental damage, disruption, and physical\n               tampering. In addition, physical safeguards may be necessary to help prevent\n               eavesdropping or in transit modification of unencrypted transmissions. Security\n               safeguards to control physical access to system distribution and transmission lines\n               include, for example: (i) locked wiring closets; (ii) disconnected or locked spare\n               jacks; and/or (iii) protection of cabling by conduit or cable trays.",
-                "links": [
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-5",
-                    "rel": "related",
-                    "text": "PE-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  }
-                ]
-              },
-              {
-                "id": "pe-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-4_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-4[1]"
-                      }
-                    ],
-                    "prose": "defines information system distribution and transmission lines requiring physical\n                  access controls;"
-                  },
-                  {
-                    "id": "pe-4_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-4[2]"
-                      }
-                    ],
-                    "prose": "defines security safeguards to be employed to control physical access to\n                  organization-defined information system distribution and transmission lines within\n                  organizational facilities; and"
-                  },
-                  {
-                    "id": "pe-4_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-4[3]"
-                      }
-                    ],
-                    "prose": "controls physical access to organization-defined information system distribution\n                  and transmission lines within organizational facilities using organization-defined\n                  security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing access control for transmission medium\\n\\ninformation system design documentation\\n\\nfacility communications and wiring diagrams\\n\\nlist of physical security safeguards applied to information system distribution\n                  and transmission lines\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for access control to distribution and transmission\n                  lines\\n\\nautomated mechanisms/security safeguards supporting and/or implementing access\n                  control to distribution and transmission lines"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-5",
-            "class": "SP800-53",
-            "title": "Access Control for Output Devices",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-5_smt",
-                "name": "statement",
-                "prose": "The organization controls physical access to information system output devices to\n               prevent unauthorized individuals from obtaining the output."
-              },
-              {
-                "id": "pe-5_gdn",
-                "name": "guidance",
-                "prose": "Controlling physical access to output devices includes, for example, placing output\n               devices in locked rooms or other secured areas and allowing access to authorized\n               individuals only, and placing output devices in locations that can be monitored by\n               organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,\n               and audio devices are examples of information system output devices.",
-                "links": [
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  },
-                  {
-                    "href": "#pe-18",
-                    "rel": "related",
-                    "text": "PE-18"
-                  }
-                ]
-              },
-              {
-                "id": "pe-5_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization controls physical access to information system output\n               devices to prevent unauthorized individuals from obtaining the output. "
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing access control for display medium\\n\\nfacility layout of information system components\\n\\nactual displays from information system components\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for access control to output devices\\n\\nautomated mechanisms supporting and/or implementing access control to output\n                  devices"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-6",
-            "class": "SP800-53",
-            "title": "Monitoring Physical Access",
-            "parameters": [
-              {
-                "id": "pe-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_prm_2",
-                "label": "organization-defined events or potential indications of events"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"
-                  },
-                  {
-                    "id": "pe-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence\n                  of {{ pe-6_prm_2 }}; and"
-                  },
-                  {
-                    "id": "pe-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Coordinates results of reviews and investigations with the organizational incident\n                  response capability."
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_gdn",
-                "name": "guidance",
-                "prose": "Organizational incident response capabilities include investigations of and responses\n               to detected physical security incidents. Security incidents include, for example,\n               apparent security violations or suspicious physical access activities. Suspicious\n               physical access activities include, for example: (i) accesses outside of normal work\n               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for\n               unusual lengths of time; and (iv) out-of-sequence accesses.",
-                "links": [
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  }
-                ]
-              },
-              {
-                "id": "pe-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-6(a)"
-                      }
-                    ],
-                    "prose": "monitors physical access to the facility where the information system resides to\n                  detect and respond to physical security incidents;"
-                  },
-                  {
-                    "id": "pe-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review physical access logs;"
-                      },
-                      {
-                        "id": "pe-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[2]"
-                          }
-                        ],
-                        "prose": "defines events or potential indication of events requiring physical access logs\n                     to be reviewed;"
-                      },
-                      {
-                        "id": "pe-6.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-6(b)[3]"
-                          }
-                        ],
-                        "prose": "reviews physical access logs with the organization-defined frequency and upon\n                     occurrence of organization-defined events or potential indications of events;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-6(c)"
-                      }
-                    ],
-                    "prose": "coordinates results of reviews and investigations with the organizational incident\n                  response capability."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring physical access\\n\\nautomated mechanisms supporting and/or implementing physical access monitoring\\n\\nautomated mechanisms supporting and/or implementing reviewing of physical access\n                  logs"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-6.1",
-                "class": "SP800-53-enhancement",
-                "title": "Intrusion Alarms / Surveillance Equipment",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-6(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-06.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-6.1_smt",
-                    "name": "statement",
-                    "prose": "The organization monitors physical intrusion alarms and surveillance\n                  equipment."
-                  },
-                  {
-                    "id": "pe-6.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization monitors physical intrusion alarms and surveillance\n                  equipment. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing physical access monitoring\\n\\nsecurity plan\\n\\nphysical access logs or records\\n\\nphysical access monitoring records\\n\\nphysical access log reviews\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with physical access monitoring responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring physical intrusion alarms and\n                     surveillance equipment\\n\\nautomated mechanisms supporting and/or implementing physical access\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing physical intrusion alarms\n                     and surveillance equipment"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-8",
-            "class": "SP800-53",
-            "title": "Visitor Access Records",
-            "parameters": [
-              {
-                "id": "pe-8_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "for a minimum of one (1) year"
-                  }
-                ]
-              },
-              {
-                "id": "pe-8_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PE-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Maintains visitor access records to the facility where the information system\n                  resides for {{ pe-8_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews visitor access records {{ pe-8_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "pe-8_gdn",
-                "name": "guidance",
-                "prose": "Visitor access records include, for example, names and organizations of persons\n               visiting, visitor signatures, forms of identification, dates of access, entry and\n               departure times, purposes of visits, and names and organizations of persons visited.\n               Visitor access records are not required for publicly accessible areas."
-              },
-              {
-                "id": "pe-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-8(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(a)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period to maintain visitor access records to the facility\n                     where the information system resides;"
-                      },
-                      {
-                        "id": "pe-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(a)[2]"
-                          }
-                        ],
-                        "prose": "maintains visitor access records to the facility where the information system\n                     resides for the organization-defined time period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review visitor access records; and"
-                      },
-                      {
-                        "id": "pe-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews visitor access records with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing visitor access records\\n\\nsecurity plan\\n\\nvisitor access control logs or records\\n\\nvisitor access record or log reviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with visitor access records responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for maintaining and reviewing visitor access records\\n\\nautomated mechanisms supporting and/or implementing maintenance and review of\n                  visitor access records"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-9",
-            "class": "SP800-53",
-            "title": "Power Equipment and Cabling",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-09"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-9_smt",
-                "name": "statement",
-                "prose": "The organization protects power equipment and power cabling for the information\n               system from damage and destruction."
-              },
-              {
-                "id": "pe-9_gdn",
-                "name": "guidance",
-                "prose": "Organizations determine the types of protection necessary for power equipment and\n               cabling employed at different locations both internal and external to organizational\n               facilities and environments of operation. This includes, for example, generators and\n               power cabling outside of buildings, internal cabling and uninterruptable power\n               sources within an office or data center, and power sources for self-contained\n               entities such as vehicles and satellites.",
-                "links": [
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  }
-                ]
-              },
-              {
-                "id": "pe-9_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization protects power equipment and power cabling for the\n               information system from damage and destruction. "
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing power equipment/cabling protection\\n\\nfacilities housing power equipment/cabling\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for protecting power\n                  equipment/cabling\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing protection of power\n                  equipment/cabling"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-10",
-            "class": "SP800-53",
-            "title": "Emergency Shutoff",
-            "parameters": [
-              {
-                "id": "pe-10_prm_1",
-                "label": "organization-defined location by information system or system component"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-10_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-10_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides the capability of shutting off power to the information system or\n                  individual system components in emergency situations;"
-                  },
-                  {
-                    "id": "pe-10_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Places emergency shutoff switches or devices in {{ pe-10_prm_1 }}\n                  to facilitate safe and easy access for personnel; and"
-                  },
-                  {
-                    "id": "pe-10_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Protects emergency power shutoff capability from unauthorized activation."
-                  }
-                ]
-              },
-              {
-                "id": "pe-10_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.",
-                "links": [
-                  {
-                    "href": "#pe-15",
-                    "rel": "related",
-                    "text": "PE-15"
-                  }
-                ]
-              },
-              {
-                "id": "pe-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-10.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-10(a)"
-                      }
-                    ],
-                    "prose": "provides the capability of shutting off power to the information system or\n                  individual system components in emergency situations;"
-                  },
-                  {
-                    "id": "pe-10.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-10(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-10.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-10(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the location of emergency shutoff switches or devices by information\n                     system or system component;"
-                      },
-                      {
-                        "id": "pe-10.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-10(b)[2]"
-                          }
-                        ],
-                        "prose": "places emergency shutoff switches or devices in the organization-defined\n                     location by information system or system component to facilitate safe and easy\n                     access for personnel; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-10.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-10(c)"
-                      }
-                    ],
-                    "prose": "protects emergency power shutoff capability from unauthorized activation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing power source emergency shutoff\\n\\nsecurity plan\\n\\nemergency shutoff controls or switches\\n\\nlocations housing emergency shutoff switches and devices\\n\\nsecurity safeguards protecting emergency power shutoff capability from\n                  unauthorized activation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for emergency power shutoff\n                  capability (both implementing and using the capability)\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing emergency power shutoff"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-11",
-            "class": "SP800-53",
-            "title": "Emergency Power",
-            "parameters": [
-              {
-                "id": "pe-11_prm_1"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-11_smt",
-                "name": "statement",
-                "prose": "The organization provides a short-term uninterruptible power supply to facilitate\n                  {{ pe-11_prm_1 }} in the event of a primary power source loss."
-              },
-              {
-                "id": "pe-11_gdn",
-                "name": "guidance",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "pe-11_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization provides a short-term uninterruptible power supply to\n               facilitate one or more of the following in the event of a primary power source loss: ",
-                "parts": [
-                  {
-                    "id": "pe-11_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-11[1]"
-                      }
-                    ],
-                    "prose": "an orderly shutdown of the information system; and/or"
-                  },
-                  {
-                    "id": "pe-11_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-11[2]"
-                      }
-                    ],
-                    "prose": "transition of the information system to long-term alternate power."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing emergency power\\n\\nuninterruptible power supply\\n\\nuninterruptible power supply documentation\\n\\nuninterruptible power supply test records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for emergency power and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing uninterruptible power\n                  supply\\n\\nthe uninterruptable power supply"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-12",
-            "class": "SP800-53",
-            "title": "Emergency Lighting",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-12_smt",
-                "name": "statement",
-                "prose": "The organization employs and maintains automatic emergency lighting for the\n               information system that activates in the event of a power outage or disruption and\n               that covers emergency exits and evacuation routes within the facility."
-              },
-              {
-                "id": "pe-12_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms.",
-                "links": [
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "pe-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization employs and maintains automatic emergency lighting for\n               the information system that: ",
-                "parts": [
-                  {
-                    "id": "pe-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-12[1]"
-                      }
-                    ],
-                    "prose": "activates in the event of a power outage or disruption; and"
-                  },
-                  {
-                    "id": "pe-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-12[2]"
-                      }
-                    ],
-                    "prose": "covers emergency exits and evacuation routes within the facility."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing emergency lighting\\n\\nemergency lighting documentation\\n\\nemergency lighting test records\\n\\nemergency exits and evacuation routes\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for emergency lighting and/or\n                  planning\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing emergency lighting\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-13",
-            "class": "SP800-53",
-            "title": "Fire Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-13"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-13"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-13_smt",
-                "name": "statement",
-                "prose": "The organization employs and maintains fire suppression and detection devices/systems\n               for the information system that are supported by an independent energy source."
-              },
-              {
-                "id": "pe-13_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Fire suppression and detection devices/systems include, for example,\n               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke\n               detectors."
-              },
-              {
-                "id": "pe-13_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-13_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-13[1]"
-                      }
-                    ],
-                    "prose": "employs fire suppression and detection devices/systems for the information system\n                  that are supported by an independent energy source; and"
-                  },
-                  {
-                    "id": "pe-13_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-13[2]"
-                      }
-                    ],
-                    "prose": "maintains fire suppression and detection devices/systems for the information\n                  system that are supported by an independent energy source."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems\\n\\nfire suppression and detection devices/systems documentation\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for fire detection and suppression\n                  devices/systems\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing fire suppression/detection\n                  devices/systems"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-13.2",
-                "class": "SP800-53-enhancement",
-                "title": "Suppression Devices / Systems",
-                "parameters": [
-                  {
-                    "id": "pe-13.2_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  },
-                  {
-                    "id": "pe-13.2_prm_2",
-                    "label": "organization-defined emergency responders"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-13(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-13.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-13.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs fire suppression devices/systems for the information\n                  system that provide automatic notification of any activation to {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}."
-                  },
-                  {
-                    "id": "pe-13.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations can identify specific personnel, roles, and emergency responders in\n                  the event that individuals on the notification list must have appropriate access\n                  authorizations and/or clearances, for example, to obtain access to facilities\n                  where classified operations are taking place or where there are information\n                  systems containing classified information."
-                  },
-                  {
-                    "id": "pe-13.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pe-13.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(2)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be provided automatic notification of any\n                     activation of fire suppression devices/systems for the information system;"
-                      },
-                      {
-                        "id": "pe-13.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(2)[2]"
-                          }
-                        ],
-                        "prose": "defines emergency responders to be provided automatic notification of any\n                     activation of fire suppression devices/systems for the information system;"
-                      },
-                      {
-                        "id": "pe-13.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-13(2)[3]"
-                          }
-                        ],
-                        "prose": "employs fire suppression devices/systems for the information system that\n                     provide automatic notification of any activation to:",
-                        "parts": [
-                          {
-                            "id": "pe-13.2_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-13(2)[3][a]"
-                              }
-                            ],
-                            "prose": "organization-defined personnel or roles; and"
-                          },
-                          {
-                            "id": "pe-13.2_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "PE-13(2)[3][b]"
-                              }
-                            ],
-                            "prose": "organization-defined emergency responders."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems documentation\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for providing automatic\n                     notifications of any activation of fire suppression devices/systems to\n                     appropriate personnel, roles, and emergency responders\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing fire suppression\n                     devices/systems\\n\\nactivation of fire suppression devices/systems (simulated)\\n\\nautomated notifications"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-13.3",
-                "class": "SP800-53-enhancement",
-                "title": "Automatic Fire Suppression",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-13(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-13.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-13.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs an automatic fire suppression capability for the\n                  information system when the facility is not staffed on a continuous basis."
-                  },
-                  {
-                    "id": "pe-13.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs an automatic fire suppression capability for\n                  the information system when the facility is not staffed on a continuous basis.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing fire protection\\n\\nfire suppression and detection devices/systems documentation\\n\\nfacility housing the information system\\n\\nalarm service-level agreements\\n\\ntest records of fire suppression and detection devices/systems\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for fire detection and\n                     suppression devices/systems\\n\\norganizational personnel with responsibilities for providing automatic\n                     notifications of any activation of fire suppression devices/systems to\n                     appropriate personnel, roles, and emergency responders\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing fire suppression\n                     devices/systems\\n\\nactivation of fire suppression devices/systems (simulated)"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-14",
-            "class": "SP800-53",
-            "title": "Temperature and Humidity Controls",
-            "parameters": [
-              {
-                "id": "pe-14_prm_1",
-                "label": "organization-defined acceptable levels",
-                "constraints": [
-                  {
-                    "detail": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "continuously"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-14"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-14"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-14_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-14_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Maintains temperature and humidity levels within the facility where the\n                  information system resides at {{ pe-14_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pe-14_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Monitors temperature and humidity levels {{ pe-14_prm_2 }}."
-                  },
-                  {
-                    "id": "pe-14_fr",
-                    "name": "item",
-                    "title": "PE-14(a) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "pe-14_fr_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a) Requirement:"
-                          }
-                        ],
-                        "prose": "The service provider measures temperature at server inlets and humidity levels by dew point."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources, for example, data centers, server rooms, and mainframe computer\n               rooms.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-14_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-14.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-14(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-14.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[1]"
-                          }
-                        ],
-                        "prose": "defines acceptable temperature levels to be maintained within the facility\n                     where the information system resides;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[2]"
-                          }
-                        ],
-                        "prose": "defines acceptable humidity levels to be maintained within the facility where\n                     the information system resides;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[3]"
-                          }
-                        ],
-                        "prose": "maintains temperature levels within the facility where the information system\n                     resides at the organization-defined levels;"
-                      },
-                      {
-                        "id": "pe-14.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(a)[4]"
-                          }
-                        ],
-                        "prose": "maintains humidity levels within the facility where the information system\n                     resides at the organization-defined levels;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-14.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-14(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-14.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to monitor temperature levels;"
-                      },
-                      {
-                        "id": "pe-14.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency to monitor humidity levels;"
-                      },
-                      {
-                        "id": "pe-14.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[3]"
-                          }
-                        ],
-                        "prose": "monitors temperature levels with the organization-defined frequency; and"
-                      },
-                      {
-                        "id": "pe-14.b_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(b)[4]"
-                          }
-                        ],
-                        "prose": "monitors humidity levels with the organization-defined frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity control\\n\\nsecurity plan\\n\\ntemperature and humidity controls\\n\\nfacility housing the information system\\n\\ntemperature and humidity controls documentation\\n\\ntemperature and humidity records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing maintenance and monitoring of\n                  temperature and humidity levels"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pe-14.2",
-                "class": "SP800-53-enhancement",
-                "title": "Monitoring with Alarms / Notifications",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PE-14(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pe-14.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pe-14.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs temperature and humidity monitoring that provides an\n                  alarm or notification of changes potentially harmful to personnel or\n                  equipment."
-                  },
-                  {
-                    "id": "pe-14.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pe-14.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(2)[1]"
-                          }
-                        ],
-                        "prose": "employs temperature monitoring that provides an alarm of changes potentially\n                     harmful to personnel or equipment; and/or"
-                      },
-                      {
-                        "id": "pe-14.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-14(2)[2]"
-                          }
-                        ],
-                        "prose": "employs temperature monitoring that provides notification of changes\n                     potentially harmful to personnel or equipment;"
-                      },
-                      {
-                        "id": "pe-14.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(2)[3]"
-                          }
-                        ],
-                        "prose": "employs humidity monitoring that provides an alarm of changes potentially\n                     harmful to personnel or equipment; and/or"
-                      },
-                      {
-                        "id": "pe-14.2_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PE-14(2)[4]"
-                          }
-                        ],
-                        "prose": "employs humidity monitoring that provides notification of changes potentially\n                     harmful to personnel or equipment."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Physical and environmental protection policy\\n\\nprocedures addressing temperature and humidity monitoring\\n\\nfacility housing the information system\\n\\nlogs or records of temperature and humidity monitoring\\n\\nrecords of changes to temperature and humidity levels that generate alarms or\n                     notifications\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibilities for information system\n                     environmental controls\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing temperature and humidity\n                     monitoring"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-15",
-            "class": "SP800-53",
-            "title": "Water Damage Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-15_smt",
-                "name": "statement",
-                "prose": "The organization protects the information system from damage resulting from water\n               leakage by providing master shutoff or isolation valves that are accessible, working\n               properly, and known to key personnel."
-              },
-              {
-                "id": "pe-15_gdn",
-                "name": "guidance",
-                "prose": "This control applies primarily to facilities containing concentrations of information\n               system resources including, for example, data centers, server rooms, and mainframe\n               computer rooms. Isolation valves can be employed in addition to or in lieu of master\n               shutoff valves to shut off water supplies in specific areas of concern, without\n               affecting entire organizations.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  }
-                ]
-              },
-              {
-                "id": "pe-15_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the organization protects the information system from damage resulting\n               from water leakage by providing master shutoff or isolation valves that are: ",
-                "parts": [
-                  {
-                    "id": "pe-15_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[1]"
-                      }
-                    ],
-                    "prose": "accessible;"
-                  },
-                  {
-                    "id": "pe-15_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[2]"
-                      }
-                    ],
-                    "prose": "working properly; and"
-                  },
-                  {
-                    "id": "pe-15_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-15[3]"
-                      }
-                    ],
-                    "prose": "known to key personnel."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing water damage protection\\n\\nfacility housing the information system\\n\\nmaster shutoff valves\\n\\nlist of key personnel with knowledge of location and activation procedures for\n                  master shutoff valves for the plumbing system\\n\\nmaster shutoff valve documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for information system\n                  environmental controls\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Master water-shutoff valves\\n\\norganizational process for activating master water-shutoff"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-16",
-            "class": "SP800-53",
-            "title": "Delivery and Removal",
-            "parameters": [
-              {
-                "id": "pe-16_prm_1",
-                "label": "organization-defined types of information system components",
-                "constraints": [
-                  {
-                    "detail": "all information system components"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-16"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-16_smt",
-                "name": "statement",
-                "prose": "The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}\n               entering and exiting the facility and maintains records of those items."
-              },
-              {
-                "id": "pe-16_gdn",
-                "name": "guidance",
-                "prose": "Effectively enforcing authorizations for entry and exit of information system\n               components may require restricting access to delivery areas and possibly isolating\n               the areas from the information system and media libraries.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ma-3",
-                    "rel": "related",
-                    "text": "MA-3"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "pe-16_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-16_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[1]"
-                      }
-                    ],
-                    "prose": "defines types of information system components to be authorized, monitored, and\n                  controlled as such components are entering and exiting the facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[2]"
-                      }
-                    ],
-                    "prose": "authorizes organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[3]"
-                      }
-                    ],
-                    "prose": "monitors organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[4]"
-                      }
-                    ],
-                    "prose": "controls organization-defined information system components entering the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[5]"
-                      }
-                    ],
-                    "prose": "authorizes organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.6",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[6]"
-                      }
-                    ],
-                    "prose": "monitors organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.7",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[7]"
-                      }
-                    ],
-                    "prose": "controls organization-defined information system components exiting the\n                  facility;"
-                  },
-                  {
-                    "id": "pe-16_obj.8",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[8]"
-                      }
-                    ],
-                    "prose": "maintains records of information system components entering the facility; and"
-                  },
-                  {
-                    "id": "pe-16_obj.9",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-16[9]"
-                      }
-                    ],
-                    "prose": "maintains records of information system components exiting the facility."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing delivery and removal of information system components from\n                  the facility\\n\\nsecurity plan\\n\\nfacility housing the information system\\n\\nrecords of items entering and exiting the facility\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibilities for controlling information system\n                  components entering and exiting the facility\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for authorizing, monitoring, and controlling information\n                  system-related items entering and exiting the facility\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling information system-related items entering and exiting the facility"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pe-17",
-            "class": "SP800-53",
-            "title": "Alternate Work Site",
-            "parameters": [
-              {
-                "id": "pe-17_prm_1",
-                "label": "organization-defined security controls"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PE-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "pe-17"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5309d4d0-46f8-4213-a749-e7584164e5e8",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-46"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pe-17_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pe-17_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs {{ pe-17_prm_1 }} at alternate work sites;"
-                  },
-                  {
-                    "id": "pe-17_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Assesses as feasible, the effectiveness of security controls at alternate work\n                  sites; and"
-                  },
-                  {
-                    "id": "pe-17_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Provides a means for employees to communicate with information security personnel\n                  in case of security incidents or problems."
-                  }
-                ]
-              },
-              {
-                "id": "pe-17_gdn",
-                "name": "guidance",
-                "prose": "Alternate work sites may include, for example, government facilities or private\n               residences of employees. While commonly distinct from alternative processing sites,\n               alternate work sites may provide readily available alternate locations as part of\n               contingency operations. Organizations may define different sets of security controls\n               for specific alternate work sites or types of sites depending on the work-related\n               activities conducted at those sites. This control supports the contingency planning\n               activities of organizations and the federal telework initiative.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#cp-7",
-                    "rel": "related",
-                    "text": "CP-7"
-                  }
-                ]
-              },
-              {
-                "id": "pe-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pe-17.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PE-17(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pe-17.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-17(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security controls to be employed at alternate work sites;"
-                      },
-                      {
-                        "id": "pe-17.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PE-17(a)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined security controls at alternate work sites;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pe-17.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-17(b)"
-                      }
-                    ],
-                    "prose": "assesses, as feasible, the effectiveness of security controls at alternate work\n                  sites; and"
-                  },
-                  {
-                    "id": "pe-17.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PE-17(c)"
-                      }
-                    ],
-                    "prose": "provides a means for employees to communicate with information security personnel\n                  in case of security incidents or problems."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Physical and environmental protection policy\\n\\nprocedures addressing alternate work sites for organizational personnel\\n\\nsecurity plan\\n\\nlist of security controls required for alternate work sites\\n\\nassessments of security controls at alternate work sites\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel approving use of alternate work sites\\n\\norganizational personnel using alternate work sites\\n\\norganizational personnel assessing controls at alternate work sites\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security at alternate work sites\\n\\nautomated mechanisms supporting alternate work sites\\n\\nsecurity controls employed at alternate work sites\\n\\nmeans of communications between personnel at alternate work sites and security\n                  personnel"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "pl",
-        "class": "family",
-        "title": "Planning",
-        "controls": [
-          {
-            "id": "pl-1",
-            "class": "SP800-53",
-            "title": "Security Planning Policy and Procedures",
-            "parameters": [
-              {
-                "id": "pl-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pl-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PL-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ pl-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "pl-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A security planning policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "pl-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the security planning policy and\n                     associated security planning controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "pl-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Security planning policy {{ pl-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "pl-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Security planning procedures {{ pl-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PL\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "pl-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "pl-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a planning policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "pl-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "pl-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PL-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "pl-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the planning policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pl-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the planning policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pl-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        planning policy and associated planning controls;"
-                          },
-                          {
-                            "id": "pl-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "pl-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current planning policy;"
-                          },
-                          {
-                            "id": "pl-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current planning policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "pl-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "pl-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current planning procedures;\n                        and"
-                          },
-                          {
-                            "id": "pl-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PL-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current planning procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Planning policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with planning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-2",
-            "class": "SP800-53",
-            "title": "System Security Plan",
-            "parameters": [
-              {
-                "id": "pl-2_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "pl-2_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PL-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops a security plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-2_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Is consistent with the organization’s enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Explicitly defines the authorization boundary for the system;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Describes the operational context of the information system in terms of\n                     missions and business processes;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.4",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "4."
-                          }
-                        ],
-                        "prose": "Provides the security categorization of the information system including\n                     supporting rationale;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.5",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "5."
-                          }
-                        ],
-                        "prose": "Describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.6",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "6."
-                          }
-                        ],
-                        "prose": "Provides an overview of the security requirements for the system;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.7",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "7."
-                          }
-                        ],
-                        "prose": "Identifies any relevant overlays, if applicable;"
-                      },
-                      {
-                        "id": "pl-2_smt.a.8",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "8."
-                          }
-                        ],
-                        "prose": "Describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring decisions; and"
-                      },
-                      {
-                        "id": "pl-2_smt.a.9",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "9."
-                          }
-                        ],
-                        "prose": "Is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Distributes copies of the security plan and communicates subsequent changes to the\n                  plan to {{ pl-2_prm_1 }};"
-                  },
-                  {
-                    "id": "pl-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews the security plan for the information system {{ pl-2_prm_2 }};"
-                  },
-                  {
-                    "id": "pl-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Updates the plan to address changes to the information system/environment of\n                  operation or problems identified during plan implementation or security control\n                  assessments; and"
-                  },
-                  {
-                    "id": "pl-2_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Protects the security plan from unauthorized disclosure and modification."
-                  }
-                ]
-              },
-              {
-                "id": "pl-2_gdn",
-                "name": "guidance",
-                "prose": "Security plans relate security requirements to a set of security controls and control\n               enhancements. Security plans also describe, at a high level, how the security\n               controls and control enhancements meet those security requirements, but do not\n               provide detailed, technical descriptions of the specific design or implementation of\n               the controls/enhancements. Security plans contain sufficient information (including\n               the specification of parameter values for assignment and selection statements either\n               explicitly or by reference) to enable a design and implementation that is\n               unambiguously compliant with the intent of the plans and subsequent determinations of\n               risk to organizational operations and assets, individuals, other organizations, and\n               the Nation if the plan is implemented as intended. Organizations can also apply\n               tailoring guidance to the security control baselines in Appendix D and CNSS\n               Instruction 1253 to develop overlays for community-wide use or to address specialized\n               requirements, technologies, or missions/environments of operation (e.g.,\n               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and\n               Access Management, space operations). Appendix I provides guidance on developing\n               overlays. Security plans need not be single documents; the plans can be a collection\n               of various documents including documents that already exist. Effective security plans\n               make extensive use of references to policies, procedures, and additional documents\n               (e.g., design and implementation specifications) where more detailed information can\n               be obtained. This reduces the documentation requirements associated with security\n               programs and maintains security-related information in other established\n               management/operational areas related to enterprise architecture, system development\n               life cycle, systems engineering, and acquisition. For example, security plans do not\n               contain detailed contingency plan or incident response plan information but instead\n               provide explicitly or by reference, sufficient information to define what needs to be\n               accomplished by those plans.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-14",
-                    "rel": "related",
-                    "text": "AC-14"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#cp-2",
-                    "rel": "related",
-                    "text": "CP-2"
-                  },
-                  {
-                    "href": "#ir-8",
-                    "rel": "related",
-                    "text": "IR-8"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#ma-5",
-                    "rel": "related",
-                    "text": "MA-5"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#pl-7",
-                    "rel": "related",
-                    "text": "PL-7"
-                  },
-                  {
-                    "href": "#pm-1",
-                    "rel": "related",
-                    "text": "PM-1"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#pm-8",
-                    "rel": "related",
-                    "text": "PM-8"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-17",
-                    "rel": "related",
-                    "text": "SA-17"
-                  }
-                ]
-              },
-              {
-                "id": "pl-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(a)"
-                      }
-                    ],
-                    "prose": "develops a security plan for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-2.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(1)"
-                          }
-                        ],
-                        "prose": "is consistent with the organization’s enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-2.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(2)"
-                          }
-                        ],
-                        "prose": "explicitly defines the authorization boundary for the system;"
-                      },
-                      {
-                        "id": "pl-2.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(3)"
-                          }
-                        ],
-                        "prose": "describes the operational context of the information system in terms of\n                     missions and business processes;"
-                      },
-                      {
-                        "id": "pl-2.a.4_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(4)"
-                          }
-                        ],
-                        "prose": "provides the security categorization of the information system including\n                     supporting rationale;"
-                      },
-                      {
-                        "id": "pl-2.a.5_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(5)"
-                          }
-                        ],
-                        "prose": "describes the operational environment for the information system and\n                     relationships with or connections to other information systems;"
-                      },
-                      {
-                        "id": "pl-2.a.6_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(6)"
-                          }
-                        ],
-                        "prose": "provides an overview of the security requirements for the system;"
-                      },
-                      {
-                        "id": "pl-2.a.7_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(7)"
-                          }
-                        ],
-                        "prose": "identifies any relevant overlays, if applicable;"
-                      },
-                      {
-                        "id": "pl-2.a.8_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(8)"
-                          }
-                        ],
-                        "prose": "describes the security controls in place or planned for meeting those\n                     requirements including a rationale for the tailoring and supplemental\n                     decisions;"
-                      },
-                      {
-                        "id": "pl-2.a.9_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(a)(9)"
-                          }
-                        ],
-                        "prose": "is reviewed and approved by the authorizing official or designated\n                     representative prior to plan implementation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom copies of the security plan are to be\n                     distributed and subsequent changes to the plan are to be communicated;"
-                      },
-                      {
-                        "id": "pl-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(b)[2]"
-                          }
-                        ],
-                        "prose": "distributes copies of the security plan and communicates subsequent changes to\n                     the plan to organization-defined personnel or roles;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review the security plan for the information\n                     system;"
-                      },
-                      {
-                        "id": "pl-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews the security plan for the information system with the\n                     organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-2(d)"
-                      }
-                    ],
-                    "prose": "updates the plan to address:",
-                    "parts": [
-                      {
-                        "id": "pl-2.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[1]"
-                          }
-                        ],
-                        "prose": "changes to the information system/environment of operation;"
-                      },
-                      {
-                        "id": "pl-2.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[2]"
-                          }
-                        ],
-                        "prose": "problems identified during plan implementation;"
-                      },
-                      {
-                        "id": "pl-2.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(d)[3]"
-                          }
-                        ],
-                        "prose": "problems identified during security control assessments;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-2(e)"
-                      }
-                    ],
-                    "prose": "protects the security plan from unauthorized:",
-                    "parts": [
-                      {
-                        "id": "pl-2.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(e)[1]"
-                          }
-                        ],
-                        "prose": "disclosure; and"
-                      },
-                      {
-                        "id": "pl-2.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-2(e)[2]"
-                          }
-                        ],
-                        "prose": "modification."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing security plan development and implementation\\n\\nprocedures addressing security plan reviews and updates\\n\\nenterprise architecture documentation\\n\\nsecurity plan for the information system\\n\\nrecords of security plan reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security plan development/review/update/approval\\n\\nautomated mechanisms supporting the information system security plan"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pl-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Plan / Coordinate with Other Organizational Entities",
-                "parameters": [
-                  {
-                    "id": "pl-2.3_prm_1",
-                    "label": "organization-defined individuals or groups"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PL-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pl-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pl-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization plans and coordinates security-related activities affecting the\n                  information system with {{ pl-2.3_prm_1 }} before conducting such\n                  activities in order to reduce the impact on other organizational entities."
-                  },
-                  {
-                    "id": "pl-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "Security-related activities include, for example, security assessments, audits,\n                  hardware and software maintenance, patch management, and contingency plan testing.\n                  Advance planning and coordination includes emergency and nonemergency (i.e.,\n                  planned or nonurgent unplanned) situations. The process defined by organizations\n                  to plan and coordinate security-related activities can be included in security\n                  plans for information systems or other documents, as appropriate.",
-                    "links": [
-                      {
-                        "href": "#cp-4",
-                        "rel": "related",
-                        "text": "CP-4"
-                      },
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "pl-2.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(3)[1]"
-                          }
-                        ],
-                        "prose": "defines individuals or groups with whom security-related activities affecting\n                     the information system are to be planned and coordinated before conducting such\n                     activities in order to reduce the impact on other organizational entities;\n                     and"
-                      },
-                      {
-                        "id": "pl-2.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-2(3)[2]"
-                          }
-                        ],
-                        "prose": "plans and coordinates security-related activities affecting the information\n                     system with organization-defined individuals or groups before conducting such\n                     activities in order to reduce the impact on other organizational entities."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security planning policy\\n\\naccess control policy\\n\\ncontingency planning policy\\n\\nprocedures addressing security-related activity planning for the information\n                     system\\n\\nsecurity plan for the information system\\n\\ncontingency plan for the information system\\n\\ninformation system design documentation\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with security planning and plan implementation\n                     responsibilities\\n\\norganizational individuals or groups with whom security-related activities are\n                     to be planned and coordinated\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-4",
-            "class": "SP800-53",
-            "title": "Rules of Behavior",
-            "parameters": [
-              {
-                "id": "pl-4_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "At least every 3 years"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PL-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-18"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes and makes readily available to individuals requiring access to the\n                  information system, the rules that describe their responsibilities and expected\n                  behavior with regard to information and information system usage;"
-                  },
-                  {
-                    "id": "pl-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Receives a signed acknowledgment from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"
-                  },
-                  {
-                    "id": "pl-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and"
-                  },
-                  {
-                    "id": "pl-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Requires individuals who have signed a previous version of the rules of behavior\n                  to read and re-sign when the rules of behavior are revised/updated."
-                  }
-                ]
-              },
-              {
-                "id": "pl-4_gdn",
-                "name": "guidance",
-                "prose": "This control enhancement applies to organizational users. Organizations consider\n               rules of behavior based on individual user roles and responsibilities,\n               differentiating, for example, between rules that apply to privileged users and rules\n               that apply to general users. Establishing rules of behavior for some types of\n               non-organizational users including, for example, individuals who simply receive\n               data/information from federal information systems, is often not feasible given the\n               large number of such users and the limited nature of their interactions with the\n               systems. Rules of behavior for both organizational and non-organizational users can\n               also be established in AC-8, System Use Notification. PL-4 b. (the signed\n               acknowledgment portion of this control) may be satisfied by the security awareness\n               training and role-based security training programs conducted by organizations if such\n               training includes rules of behavior. Organizations can use electronic signatures for\n               acknowledging rules of behavior.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ac-8",
-                    "rel": "related",
-                    "text": "AC-8"
-                  },
-                  {
-                    "href": "#ac-9",
-                    "rel": "related",
-                    "text": "AC-9"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#ac-19",
-                    "rel": "related",
-                    "text": "AC-19"
-                  },
-                  {
-                    "href": "#ac-20",
-                    "rel": "related",
-                    "text": "AC-20"
-                  },
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#ia-2",
-                    "rel": "related",
-                    "text": "IA-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#ia-5",
-                    "rel": "related",
-                    "text": "IA-5"
-                  },
-                  {
-                    "href": "#mp-7",
-                    "rel": "related",
-                    "text": "MP-7"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#ps-8",
-                    "rel": "related",
-                    "text": "PS-8"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  }
-                ]
-              },
-              {
-                "id": "pl-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes, for individuals requiring access to the information system, the\n                     rules that describe their responsibilities and expected behavior with regard to\n                     information and information system usage;"
-                      },
-                      {
-                        "id": "pl-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(a)[2]"
-                          }
-                        ],
-                        "prose": "makes readily available to individuals requiring access to the information\n                     system, the rules that describe their responsibilities and expected behavior\n                     with regard to information and information system usage;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-4(b)"
-                      }
-                    ],
-                    "prose": "receives a signed acknowledgement from such individuals, indicating that they have\n                  read, understand, and agree to abide by the rules of behavior, before authorizing\n                  access to information and the information system;"
-                  },
-                  {
-                    "id": "pl-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the rules of behavior;"
-                      },
-                      {
-                        "id": "pl-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the rules of behavior with the organization-defined\n                     frequency; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-4(d)"
-                      }
-                    ],
-                    "prose": "requires individuals who have signed a previous version of the rules of behavior\n                  to read and resign when the rules of behavior are revised/updated."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nsigned acknowledgements\\n\\nrecords for rules of behavior reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for establishing, reviewing, and\n                  updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                  have signed and resigned rules of behavior\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for establishing, reviewing, disseminating, and updating\n                  rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment, review,\n                  dissemination, and update of rules of behavior"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "pl-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Social Media and Networking Restrictions",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PL-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "pl-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "pl-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization includes in the rules of behavior, explicit restrictions on the\n                  use of social media/networking sites and posting organizational information on\n                  public websites."
-                  },
-                  {
-                    "id": "pl-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement addresses rules of behavior related to the use of social\n                  media/networking sites: (i) when organizational personnel are using such sites for\n                  official duties or in the conduct of official business; (ii) when organizational\n                  information is involved in social media/networking transactions; and (iii) when\n                  personnel are accessing social media/networking sites from organizational\n                  information systems. Organizations also address specific rules that prevent\n                  unauthorized entities from obtaining and/or inferring non-public organizational\n                  information (e.g., system account information, personally identifiable\n                  information) from social media/networking sites."
-                  },
-                  {
-                    "id": "pl-4.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization includes the following in the rules of behavior: ",
-                    "parts": [
-                      {
-                        "id": "pl-4.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(1)[1]"
-                          }
-                        ],
-                        "prose": "explicit restrictions on the use of social media/networking sites; and"
-                      },
-                      {
-                        "id": "pl-4.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-4(1)[2]"
-                          }
-                        ],
-                        "prose": "posting organizational information on public websites."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Security planning policy\\n\\nprocedures addressing rules of behavior for information system users\\n\\nrules of behavior\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for establishing, reviewing, and\n                     updating rules of behavior\\n\\norganizational personnel who are authorized users of the information system and\n                     have signed rules of behavior\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for establishing rules of behavior\\n\\nautomated mechanisms supporting and/or implementing the establishment of rules\n                     of behavior"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "pl-8",
-            "class": "SP800-53",
-            "title": "Information Security Architecture",
-            "parameters": [
-              {
-                "id": "pl-8_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "At least annually or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PL-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "pl-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "pl-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "pl-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops an information security architecture for the information system that:",
-                    "parts": [
-                      {
-                        "id": "pl-8_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Describes the overall philosophy, requirements, and approach to be taken with\n                     regard to protecting the confidentiality, integrity, and availability of\n                     organizational information;"
-                      },
-                      {
-                        "id": "pl-8_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Describes how the information security architecture is integrated into and\n                     supports the enterprise architecture; and"
-                      },
-                      {
-                        "id": "pl-8_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Describes any information security assumptions about, and dependencies on,\n                     external services;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the information security architecture {{ pl-8_prm_1 }} to reflect updates in the enterprise architecture;\n                  and"
-                  },
-                  {
-                    "id": "pl-8_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that planned information security architecture changes are reflected in\n                  the security plan, the security Concept of Operations (CONOPS), and organizational\n                  procurements/acquisitions."
-                  },
-                  {
-                    "id": "pl-8_fr",
-                    "name": "item",
-                    "title": "PL-8(b) Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "pl-8_fr_gdn.b",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b) Guidance:"
-                          }
-                        ],
-                        "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "pl-8_gdn",
-                "name": "guidance",
-                "prose": "This control addresses actions taken by organizations in the design and development\n               of information systems. The information security architecture at the individual\n               information system level is consistent with and complements the more global,\n               organization-wide information security architecture described in PM-7 that is\n               integral to and developed as part of the enterprise architecture. The information\n               security architecture includes an architectural description, the placement/allocation\n               of security functionality (including security controls), security-related information\n               for external interfaces, information being exchanged across the interfaces, and the\n               protection mechanisms associated with each interface. In addition, the security\n               architecture can include other important security-related information, for example,\n               user roles and access privileges assigned to each role, unique security requirements,\n               the types of information processed, stored, and transmitted by the information\n               system, restoration priorities of information and information system services, and\n               any other specific protection needs. In today’s modern architecture, it is becoming\n               less common for organizations to control all information resources. There are going\n               to be key dependencies on external information services and service providers.\n               Describing such dependencies in the information security architecture is important to\n               developing a comprehensive mission/business protection strategy. Establishing,\n               developing, documenting, and maintaining under configuration control, a baseline\n               configuration for organizational information systems is critical to implementing and\n               maintaining an effective information security architecture. The development of the\n               information security architecture is coordinated with the Senior Agency Official for\n               Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to\n               support privacy requirements are identified and effectively implemented. PL-8 is\n               primarily directed at organizations (i.e., internally focused) to help ensure that\n               organizations develop an information security architecture for the information\n               system, and that the security architecture is integrated with or tightly coupled to\n               the enterprise architecture through the organization-wide information security\n               architecture. In contrast, SA-17 is primarily directed at external information\n               technology product/system developers and integrators (although SA-17 could be used\n               internally within organizations for in-house system development). SA-17, which is\n               complementary to PL-8, is selected when organizations outsource the development of\n               information systems or information system components to external entities, and there\n               is a need to demonstrate/show consistency with the organization’s enterprise\n               architecture and information security architecture.",
-                "links": [
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-17",
-                    "rel": "related",
-                    "text": "SA-17"
-                  },
-                  {
-                    "href": "https://doi.org/10.6028/NIST.SP.800-53r4",
-                    "rel": "related",
-                    "text": "Appendix J"
-                  }
-                ]
-              },
-              {
-                "id": "pl-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization: ",
-                "parts": [
-                  {
-                    "id": "pl-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-8(a)"
-                      }
-                    ],
-                    "prose": "develops an information security architecture for the information system that\n                  describes:",
-                    "parts": [
-                      {
-                        "id": "pl-8.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(a)(1)"
-                          }
-                        ],
-                        "prose": "the overall philosophy, requirements, and approach to be taken with regard to\n                     protecting the confidentiality, integrity, and availability of organizational\n                     information;"
-                      },
-                      {
-                        "id": "pl-8.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(a)(2)"
-                          }
-                        ],
-                        "prose": "how the information security architecture is integrated into and supports the\n                     enterprise architecture;"
-                      },
-                      {
-                        "id": "pl-8.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(a)(3)"
-                          }
-                        ],
-                        "prose": "any information security assumptions about, and dependencies on, external\n                     services;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PL-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "pl-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the information security\n                     architecture;"
-                      },
-                      {
-                        "id": "pl-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PL-8(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the information security architecture with the\n                     organization-defined frequency to reflect updates in the enterprise\n                     architecture;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "pl-8.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PL-8(c)"
-                      }
-                    ],
-                    "prose": "ensures that planned information security architecture changes are reflected\n                  in:",
-                    "parts": [
-                      {
-                        "id": "pl-8.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(c)[1]"
-                          }
-                        ],
-                        "prose": "the security plan;"
-                      },
-                      {
-                        "id": "pl-8.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(c)[2]"
-                          }
-                        ],
-                        "prose": "the security Concept of Operations (CONOPS); and"
-                      },
-                      {
-                        "id": "pl-8.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PL-8(c)[3]"
-                          }
-                        ],
-                        "prose": "the organizational procurements/acquisitions."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Security planning policy\\n\\nprocedures addressing information security architecture development\\n\\nprocedures addressing information security architecture reviews and updates\\n\\nenterprise architecture documentation\\n\\ninformation security architecture documentation\\n\\nsecurity plan for the information system\\n\\nsecurity CONOPS for the information system\\n\\nrecords of information security architecture reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security planning and plan implementation\n                  responsibilities\\n\\norganizational personnel with information security architecture development\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for developing, reviewing, and updating the information\n                  security architecture\\n\\nautomated mechanisms supporting and/or implementing the development, review, and\n                  update of the information security architecture"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ps",
-        "class": "family",
-        "title": "Personnel Security",
-        "controls": [
-          {
-            "id": "ps-1",
-            "class": "SP800-53",
-            "title": "Personnel Security Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ps-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ps-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ps-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A personnel security policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ps-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the personnel security policy\n                     and associated personnel security controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ps-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Personnel security policy {{ ps-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ps-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Personnel security procedures {{ ps-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the PS\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ps-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents an personnel security policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ps-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ps-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "PS-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ps-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the personnel security policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ps-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the personnel security policy to organization-defined personnel\n                        or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        personnel security policy and associated personnel security controls;"
-                          },
-                          {
-                            "id": "ps-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ps-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current personnel security\n                        policy;"
-                          },
-                          {
-                            "id": "ps-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current personnel security policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current personnel security\n                        procedures; and"
-                          },
-                          {
-                            "id": "ps-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current personnel security procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with access control responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-2",
-            "class": "SP800-53",
-            "title": "Position Risk Designation",
-            "parameters": [
-              {
-                "id": "ps-2_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three years"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-                "rel": "reference",
-                "text": "5 C.F.R. 731.106"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Assigns a risk designation to all organizational positions;"
-                  },
-                  {
-                    "id": "ps-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishes screening criteria for individuals filling those positions; and"
-                  },
-                  {
-                    "id": "ps-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews and updates position risk designations {{ ps-2_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-2_gdn",
-                "name": "guidance",
-                "prose": "Position risk designations reflect Office of Personnel Management policy and\n               guidance. Risk designations can guide and inform the types of authorizations\n               individuals receive when accessing organizational information and information\n               systems. Position screening criteria include explicit information security role\n               appointment requirements (e.g., training, security clearances).",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  }
-                ]
-              },
-              {
-                "id": "ps-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-2(a)"
-                      }
-                    ],
-                    "prose": "assigns a risk designation to all organizational positions;"
-                  },
-                  {
-                    "id": "ps-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-2(b)"
-                      }
-                    ],
-                    "prose": "establishes screening criteria for individuals filling those positions;"
-                  },
-                  {
-                    "id": "ps-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update position risk designations; and"
-                      },
-                      {
-                        "id": "ps-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-2(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates position risk designations with the organization-defined\n                     frequency."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing position categorization\\n\\nappropriate codes of federal regulations\\n\\nlist of risk designations for organizational positions\\n\\nsecurity plan\\n\\nrecords of position risk designation reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for assigning, reviewing, and updating position risk\n                  designations\\n\\norganizational processes for establishing screening criteria"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-3",
-            "class": "SP800-53",
-            "title": "Personnel Screening",
-            "parameters": [
-              {
-                "id": "ps-3_prm_1",
-                "label": "organization-defined conditions requiring rescreening and, where rescreening is\n               so indicated, the frequency of such rescreening",
-                "constraints": [
-                  {
-                    "detail": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-                "rel": "reference",
-                "text": "5 C.F.R. 731.106"
-              },
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              },
-              {
-                "href": "#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-73"
-              },
-              {
-                "href": "#2a71298a-ee90-490e-80ff-48c967173a47",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-76"
-              },
-              {
-                "href": "#2042d97b-f7f6-4c74-84f8-981867684659",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-78"
-              },
-              {
-                "href": "#6caa237b-531b-43ac-9711-d8f6b97b0377",
-                "rel": "reference",
-                "text": "ICD 704"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Screens individuals prior to authorizing access to the information system; and"
-                  },
-                  {
-                    "id": "ps-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Rescreens individuals according to {{ ps-3_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-3_gdn",
-                "name": "guidance",
-                "prose": "Personnel screening and rescreening activities reflect applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, guidance, and\n               specific criteria established for the risk designations of assigned positions.\n               Organizations may define different rescreening conditions and frequencies for\n               personnel accessing information systems based on types of information processed,\n               stored, or transmitted by the systems.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  }
-                ]
-              },
-              {
-                "id": "ps-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-3(a)"
-                      }
-                    ],
-                    "prose": "screens individuals prior to authorizing access to the information system;"
-                  },
-                  {
-                    "id": "ps-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines conditions requiring re-screening;"
-                      },
-                      {
-                        "id": "ps-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the frequency of re-screening where it is so indicated; and"
-                      },
-                      {
-                        "id": "ps-3.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(b)[3]"
-                          }
-                        ],
-                        "prose": "re-screens individuals in accordance with organization-defined conditions\n                     requiring re-screening and, where re-screening is so indicated, with the\n                     organization-defined frequency of such re-screening."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nsecurity plan\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel screening"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ps-3.3",
-                "class": "SP800-53-enhancement",
-                "title": "Information with Special Protection Measures",
-                "parameters": [
-                  {
-                    "id": "ps-3.3_prm_1",
-                    "label": "organization-defined additional personnel screening criteria",
-                    "constraints": [
-                      {
-                        "detail": "personnel screening criteria - as required by specific information"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "PS-3(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ps-03.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ps-3.3_smt",
-                    "name": "statement",
-                    "prose": "The organization ensures that individuals accessing an information system\n                  processing, storing, or transmitting information requiring special protection:",
-                    "parts": [
-                      {
-                        "id": "ps-3.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Have valid access authorizations that are demonstrated by assigned official\n                     government duties; and"
-                      },
-                      {
-                        "id": "ps-3.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Satisfy {{ ps-3.3_prm_1 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-3.3_gdn",
-                    "name": "guidance",
-                    "prose": "Organizational information requiring special protection includes, for example,\n                  Controlled Unclassified Information (CUI) and Sources and Methods Information\n                  (SAMI). Personnel security criteria include, for example, position sensitivity\n                  background screening requirements."
-                  },
-                  {
-                    "id": "ps-3.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization: ",
-                    "parts": [
-                      {
-                        "id": "ps-3.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-3(3)(a)"
-                          }
-                        ],
-                        "prose": "ensures that individuals accessing an information system processing, storing,\n                     or transmitting information requiring special protection have valid access\n                     authorizations that are demonstrated by assigned official government\n                     duties;",
-                        "links": [
-                          {
-                            "href": "#ps-3.3_smt.a",
-                            "rel": "corresp",
-                            "text": "PS-3(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ps-3.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-3(3)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-3.3.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-3(3)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines additional personnel screening criteria to be satisfied for\n                        individuals accessing an information system processing, storing, or\n                        transmitting information requiring special protection; and"
-                          },
-                          {
-                            "id": "ps-3.3.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-3(3)(b)[2]"
-                              }
-                            ],
-                            "prose": "ensures that individuals accessing an information system processing,\n                        storing, or transmitting information requiring special protection satisfy\n                        organization-defined additional personnel screening criteria."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#ps-3.3_smt.b",
-                            "rel": "corresp",
-                            "text": "PS-3(3)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Personnel security policy\\n\\naccess control policy, procedures addressing personnel screening\\n\\nrecords of screened personnel\\n\\nscreening criteria\\n\\nrecords of access authorizations\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for ensuring valid access authorizations for\n                     information requiring special protection\\n\\norganizational process for additional personnel screening for information\n                     requiring special protection"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-4",
-            "class": "SP800-53",
-            "title": "Personnel Termination",
-            "parameters": [
-              {
-                "id": "ps-4_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "same day"
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_prm_2",
-                "label": "organization-defined information security topics"
-              },
-              {
-                "id": "ps-4_prm_3",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-4_prm_4",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-4_smt",
-                "name": "statement",
-                "prose": "The organization, upon termination of individual employment:",
-                "parts": [
-                  {
-                    "id": "ps-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Disables information system access within {{ ps-4_prm_1 }};"
-                  },
-                  {
-                    "id": "ps-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Terminates/revokes any authenticators/credentials associated with the\n                  individual;"
-                  },
-                  {
-                    "id": "ps-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};"
-                  },
-                  {
-                    "id": "ps-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Retrieves all security-related organizational information system-related\n                  property;"
-                  },
-                  {
-                    "id": "ps-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Retains access to organizational information and information systems formerly\n                  controlled by terminated individual; and"
-                  },
-                  {
-                    "id": "ps-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_gdn",
-                "name": "guidance",
-                "prose": "Information system-related property includes, for example, hardware authentication\n               tokens, system administration technical manuals, keys, identification cards, and\n               building passes. Exit interviews ensure that terminated individuals understand the\n               security constraints imposed by being former employees and that proper accountability\n               is achieved for information system-related property. Security topics of interest at\n               exit interviews can include, for example, reminding terminated individuals of\n               nondisclosure agreements and potential limitations on future employment. Exit\n               interviews may not be possible for some terminated individuals, for example, in cases\n               related to job abandonment, illnesses, and nonavailability of supervisors. Exit\n               interviews are important for individuals with security clearances. Timely execution\n               of termination actions is essential for individuals terminated for cause. In certain\n               situations, organizations consider disabling the information system accounts of\n               individuals that are being terminated prior to the individuals being notified.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  }
-                ]
-              },
-              {
-                "id": "ps-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization, upon termination of individual employment,:",
-                "parts": [
-                  {
-                    "id": "ps-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a time period within which to disable information system access;"
-                      },
-                      {
-                        "id": "ps-4.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(a)[2]"
-                          }
-                        ],
-                        "prose": "disables information system access within the organization-defined time\n                     period;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(b)"
-                      }
-                    ],
-                    "prose": "terminates/revokes any authenticators/credentials associated with the\n                  individual;"
-                  },
-                  {
-                    "id": "ps-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(c)[1]"
-                          }
-                        ],
-                        "prose": "defines information security topics to be discussed when conducting exit\n                     interviews;"
-                      },
-                      {
-                        "id": "ps-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(c)[2]"
-                          }
-                        ],
-                        "prose": "conducts exit interviews that include a discussion of organization-defined\n                     information security topics;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(d)"
-                      }
-                    ],
-                    "prose": "retrieves all security-related organizational information system-related\n                  property;"
-                  },
-                  {
-                    "id": "ps-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-4(e)"
-                      }
-                    ],
-                    "prose": "retains access to organizational information and information systems formerly\n                  controlled by the terminated individual;"
-                  },
-                  {
-                    "id": "ps-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-4(f)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-4.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified of the termination;"
-                      },
-                      {
-                        "id": "ps-4.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to notify organization-defined personnel\n                     or roles; and"
-                      },
-                      {
-                        "id": "ps-4.f_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-4(f)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel termination\\n\\nrecords of personnel termination actions\\n\\nlist of information system accounts\\n\\nrecords of terminated or revoked authenticators/credentials\\n\\nrecords of exit interviews\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel termination\\n\\nautomated mechanisms supporting and/or implementing personnel termination\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-5",
-            "class": "SP800-53",
-            "title": "Personnel Transfer",
-            "parameters": [
-              {
-                "id": "ps-5_prm_1",
-                "label": "organization-defined transfer or reassignment actions"
-              },
-              {
-                "id": "ps-5_prm_2",
-                "label": "organization-defined time period following the formal transfer action"
-              },
-              {
-                "id": "ps-5_prm_3",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-5_prm_4",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "five days of the time period following the formal transfer action (DoD 24 hours)"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Reviews and confirms ongoing operational need for current logical and physical\n                  access authorizations to information systems/facilities when individuals are\n                  reassigned or transferred to other positions within the organization;"
-                  },
-                  {
-                    "id": "ps-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};"
-                  },
-                  {
-                    "id": "ps-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer; and"
-                  },
-                  {
-                    "id": "ps-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}."
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_gdn",
-                "name": "guidance",
-                "prose": "This control applies when reassignments or transfers of individuals are permanent or\n               of such extended durations as to make the actions warranted. Organizations define\n               actions appropriate for the types of reassignments or transfers, whether permanent or\n               extended. Actions that may be required for personnel transfers or reassignments to\n               other positions within organizations include, for example: (i) returning old and\n               issuing new keys, identification cards, and building passes; (ii) closing information\n               system accounts and establishing new accounts; (iii) changing information system\n               access authorizations (i.e., privileges); and (iv) providing for access to official\n               records to which individuals had access at previous work locations and in previous\n               information system accounts.",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ia-4",
-                    "rel": "related",
-                    "text": "IA-4"
-                  },
-                  {
-                    "href": "#pe-2",
-                    "rel": "related",
-                    "text": "PE-2"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  }
-                ]
-              },
-              {
-                "id": "ps-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(a)"
-                      }
-                    ],
-                    "prose": "when individuals are reassigned or transferred to other positions within the\n                  organization, reviews and confirms ongoing operational need for current:",
-                    "parts": [
-                      {
-                        "id": "ps-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(a)[1]"
-                          }
-                        ],
-                        "prose": "logical access authorizations to information systems;"
-                      },
-                      {
-                        "id": "ps-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(a)[2]"
-                          }
-                        ],
-                        "prose": "physical access authorizations to information systems and facilities;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-5.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[1]"
-                          }
-                        ],
-                        "prose": "defines transfer or reassignment actions to be initiated following transfer or\n                     reassignment;"
-                      },
-                      {
-                        "id": "ps-5.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which transfer or reassignment actions must\n                     occur following transfer or reassignment;"
-                      },
-                      {
-                        "id": "ps-5.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(b)[3]"
-                          }
-                        ],
-                        "prose": "initiates organization-defined transfer or reassignment actions within the\n                     organization-defined time period following transfer or reassignment;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-5(c)"
-                      }
-                    ],
-                    "prose": "modifies access authorization as needed to correspond with any changes in\n                  operational need due to reassignment or transfer;"
-                  },
-                  {
-                    "id": "ps-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified when individuals are reassigned or\n                     transferred to other positions within the organization;"
-                      },
-                      {
-                        "id": "ps-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to notify organization-defined personnel\n                     or roles when individuals are reassigned or transferred to other positions\n                     within the organization; and"
-                      },
-                      {
-                        "id": "ps-5.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-5(d)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period when individuals are reassigned or transferred\n                     to other positions within the organization."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel transfer\\n\\nsecurity plan\\n\\nrecords of personnel transfer actions\\n\\nlist of information system and facility access authorizations\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities organizational\n                  personnel with account management responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for personnel transfer\\n\\nautomated mechanisms supporting and/or implementing personnel transfer\n                  notifications\\n\\nautomated mechanisms for disabling information system access/revoking\n                  authenticators"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-6",
-            "class": "SP800-53",
-            "title": "Access Agreements",
-            "parameters": [
-              {
-                "id": "ps-6_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-6_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops and documents access agreements for organizational information\n                  systems;"
-                  },
-                  {
-                    "id": "ps-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the access agreements {{ ps-6_prm_1 }}; and"
-                  },
-                  {
-                    "id": "ps-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that individuals requiring access to organizational information and\n                  information systems:",
-                    "parts": [
-                      {
-                        "id": "ps-6_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Sign appropriate access agreements prior to being granted access; and"
-                      },
-                      {
-                        "id": "ps-6_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Re-sign access agreements to maintain access to organizational information\n                     systems when access agreements have been updated or {{ ps-6_prm_2 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_gdn",
-                "name": "guidance",
-                "prose": "Access agreements include, for example, nondisclosure agreements, acceptable use\n               agreements, rules of behavior, and conflict-of-interest agreements. Signed access\n               agreements include an acknowledgement that individuals have read, understand, and\n               agree to abide by the constraints associated with organizational information systems\n               to which access is authorized. Organizations can use electronic signatures to\n               acknowledge access agreements unless specifically prohibited by organizational\n               policy.",
-                "links": [
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  },
-                  {
-                    "href": "#ps-8",
-                    "rel": "related",
-                    "text": "PS-8"
-                  }
-                ]
-              },
-              {
-                "id": "ps-6_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-6(a)"
-                      }
-                    ],
-                    "prose": "develops and documents access agreements for organizational information\n                  systems;"
-                  },
-                  {
-                    "id": "ps-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review and update the access agreements;"
-                      },
-                      {
-                        "id": "ps-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(b)[2]"
-                          }
-                        ],
-                        "prose": "reviews and updates the access agreements with the organization-defined\n                     frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-6.c.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-6(c)(1)"
-                          }
-                        ],
-                        "prose": "ensures that individuals requiring access to organizational information and\n                     information systems sign appropriate access agreements prior to being granted\n                     access;"
-                      },
-                      {
-                        "id": "ps-6.c.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "PS-6(c)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ps-6.c.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-6(c)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been\n                        updated;"
-                          },
-                          {
-                            "id": "ps-6.c.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "PS-6(c)(2)[2]"
-                              }
-                            ],
-                            "prose": "ensures that individuals requiring access to organizational information and\n                        information systems re-sign access agreements to maintain access to\n                        organizational information systems when access agreements have been updated\n                        or with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing access agreements for organizational information and\n                  information systems\\n\\nsecurity plan\\n\\naccess agreements\\n\\nrecords of access agreement reviews and updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel who have signed/resigned access agreements\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for access agreements\\n\\nautomated mechanisms supporting access agreements"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-7",
-            "class": "SP800-53",
-            "title": "Third-party Personnel Security",
-            "parameters": [
-              {
-                "id": "ps-7_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-7_prm_2",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "organization-defined time period - same day"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "PS-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-7_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes personnel security requirements including security roles and\n                  responsibilities for third-party providers;"
-                  },
-                  {
-                    "id": "ps-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"
-                  },
-                  {
-                    "id": "ps-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents personnel security requirements;"
-                  },
-                  {
-                    "id": "ps-7_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Requires third-party providers to notify {{ ps-7_prm_1 }} of any\n                  personnel transfers or terminations of third-party personnel who possess\n                  organizational credentials and/or badges, or who have information system\n                  privileges within {{ ps-7_prm_2 }}; and"
-                  },
-                  {
-                    "id": "ps-7_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Monitors provider compliance."
-                  }
-                ]
-              },
-              {
-                "id": "ps-7_gdn",
-                "name": "guidance",
-                "prose": "Third-party providers include, for example, service bureaus, contractors, and other\n               organizations providing information system development, information technology\n               services, outsourced applications, and network and security management. Organizations\n               explicitly include personnel security requirements in acquisition-related documents.\n               Third-party providers may have personnel working at organizational facilities with\n               credentials, badges, or information system privileges issued by organizations.\n               Notifications of third-party personnel changes ensure appropriate termination of\n               privileges and credentials. Organizations define the transfers and terminations\n               deemed reportable by security-related characteristics that include, for example,\n               functions, roles, and nature of credentials/privileges associated with individuals\n               transferred or terminated.",
-                "links": [
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#ps-3",
-                    "rel": "related",
-                    "text": "PS-3"
-                  },
-                  {
-                    "href": "#ps-4",
-                    "rel": "related",
-                    "text": "PS-4"
-                  },
-                  {
-                    "href": "#ps-5",
-                    "rel": "related",
-                    "text": "PS-5"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  },
-                  {
-                    "href": "#sa-9",
-                    "rel": "related",
-                    "text": "SA-9"
-                  },
-                  {
-                    "href": "#sa-21",
-                    "rel": "related",
-                    "text": "SA-21"
-                  }
-                ]
-              },
-              {
-                "id": "ps-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(a)"
-                      }
-                    ],
-                    "prose": "establishes personnel security requirements, including security roles and\n                  responsibilities, for third-party providers;"
-                  },
-                  {
-                    "id": "ps-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(b)"
-                      }
-                    ],
-                    "prose": "requires third-party providers to comply with personnel security policies and\n                  procedures established by the organization;"
-                  },
-                  {
-                    "id": "ps-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(c)"
-                      }
-                    ],
-                    "prose": "documents personnel security requirements;"
-                  },
-                  {
-                    "id": "ps-7.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-7(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-7.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"
-                      },
-                      {
-                        "id": "ps-7.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which third-party providers are required to\n                     notify organization-defined personnel or roles of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges;"
-                      },
-                      {
-                        "id": "ps-7.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-7(d)[3]"
-                          }
-                        ],
-                        "prose": "requires third-party providers to notify organization-defined personnel or\n                     roles within the organization-defined time period of any personnel transfers or\n                     terminations of third-party personnel who possess organizational credentials\n                     and/or badges, or who have information system privileges; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ps-7.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-7(e)"
-                      }
-                    ],
-                    "prose": "monitors provider compliance."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing third-party personnel security\\n\\nlist of personnel security requirements\\n\\nacquisition documents\\n\\nservice-level agreements\\n\\ncompliance monitoring process\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\nthird-party providers\\n\\nsystem/network administrators\\n\\norganizational personnel with account management responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing and monitoring third-party personnel\n                  security\\n\\nautomated mechanisms supporting and/or implementing monitoring of provider\n                  compliance"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ps-8",
-            "class": "SP800-53",
-            "title": "Personnel Sanctions",
-            "parameters": [
-              {
-                "id": "ps-8_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ps-8_prm_2",
-                "label": "organization-defined time period"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "PS-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "ps-08"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ps-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ps-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures; and"
-                  },
-                  {
-                    "id": "ps-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}\n                  when a formal employee sanctions process is initiated, identifying the individual\n                  sanctioned and the reason for the sanction."
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_gdn",
-                "name": "guidance",
-                "prose": "Organizational sanctions processes reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Sanctions processes are\n               described in access agreements and can be included as part of general personnel\n               policies and procedures for organizations. Organizations consult with the Office of\n               the General Counsel regarding matters of employee sanctions.",
-                "links": [
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-6",
-                    "rel": "related",
-                    "text": "PS-6"
-                  }
-                ]
-              },
-              {
-                "id": "ps-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ps-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "PS-8(a)"
-                      }
-                    ],
-                    "prose": "employs a formal sanctions process for individuals failing to comply with\n                  established information security policies and procedures;"
-                  },
-                  {
-                    "id": "ps-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "PS-8(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ps-8.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to be notified when a formal employee sanctions\n                     process is initiated;"
-                      },
-                      {
-                        "id": "ps-8.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which organization-defined personnel or roles\n                     must be notified when a formal employee sanctions process is initiated; and"
-                      },
-                      {
-                        "id": "ps-8.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "PS-8(b)[3]"
-                          }
-                        ],
-                        "prose": "notifies organization-defined personnel or roles within the\n                     organization-defined time period when a formal employee sanctions process is\n                     initiated, identifying the individual sanctioned and the reason for the\n                     sanction."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Personnel security policy\\n\\nprocedures addressing personnel sanctions\\n\\nrules of behavior\\n\\nrecords of formal sanctions\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with personnel security responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for managing personnel sanctions\\n\\nautomated mechanisms supporting and/or implementing notifications"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "ra",
-        "class": "family",
-        "title": "Risk Assessment",
-        "controls": [
-          {
-            "id": "ra-1",
-            "class": "SP800-53",
-            "title": "Risk Assessment Policy and Procedures",
-            "parameters": [
-              {
-                "id": "ra-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ra-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "RA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ ra-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "ra-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A risk assessment policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "ra-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the risk assessment policy and\n                     associated risk assessment controls; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "ra-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Risk assessment policy {{ ra-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "ra-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Risk assessment procedures {{ ra-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the RA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ra-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a risk assessment policy that addresses:",
-                            "parts": [
-                              {
-                                "id": "ra-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "ra-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "RA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "ra-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the risk assessment policy is to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ra-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the risk assessment policy to organization-defined personnel or\n                        roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        risk assessment policy and associated risk assessment controls;"
-                          },
-                          {
-                            "id": "ra-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "ra-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current risk assessment\n                        policy;"
-                          },
-                          {
-                            "id": "ra-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current risk assessment policy with the\n                        organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current risk assessment\n                        procedures; and"
-                          },
-                          {
-                            "id": "ra-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "RA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current risk assessment procedures with the\n                        organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "risk assessment policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-2",
-            "class": "SP800-53",
-            "title": "Security Categorization",
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#f152844f-b1ef-4836-8729-6277078ebee1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-60"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"
-                  },
-                  {
-                    "id": "ra-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"
-                  },
-                  {
-                    "id": "ra-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Ensures that the authorizing official or authorizing official designated\n                  representative reviews and approves the security categorization decision."
-                  }
-                ]
-              },
-              {
-                "id": "ra-2_gdn",
-                "name": "guidance",
-                "prose": "Clearly defined authorization boundaries are a prerequisite for effective security\n               categorization decisions. Security categories describe the potential adverse impacts\n               to organizational operations, organizational assets, and individuals if\n               organizational information and information systems are comprised through a loss of\n               confidentiality, integrity, or availability. Organizations conduct the security\n               categorization process as an organization-wide activity with the involvement of chief\n               information officers, senior information security officers, information system\n               owners, mission/business owners, and information owners/stewards. Organizations also\n               consider the potential adverse impacts to other organizations and, in accordance with\n               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential\n               national-level adverse impacts. Security categorization processes carried out by\n               organizations facilitate the development of inventories of information assets, and\n               along with CM-8, mappings to specific information system components where information\n               is processed, stored, or transmitted.",
-                "links": [
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "ra-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(a)"
-                      }
-                    ],
-                    "prose": "categorizes information and the information system in accordance with applicable\n                  federal laws, Executive Orders, directives, policies, regulations, standards, and\n                  guidance;"
-                  },
-                  {
-                    "id": "ra-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(b)"
-                      }
-                    ],
-                    "prose": "documents the security categorization results (including supporting rationale) in\n                  the security plan for the information system; and"
-                  },
-                  {
-                    "id": "ra-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "RA-2(c)"
-                      }
-                    ],
-                    "prose": "ensures the authorizing official or authorizing official designated representative\n                  reviews and approves the security categorization decision."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing security categorization of organizational information and\n                  information systems\\n\\nsecurity plan\\n\\nsecurity categorization documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security categorization and risk assessment\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security categorization"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-3",
-            "class": "SP800-53",
-            "title": "Risk Assessment",
-            "parameters": [
-              {
-                "id": "ra-3_prm_1"
-              },
-              {
-                "id": "ra-3_prm_2",
-                "depends-on": "ra-3_prm_1",
-                "label": "organization-defined document",
-                "constraints": [
-                  {
-                    "detail": "security assessment report"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three (3) years or when a significant change occurs"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_prm_4",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "ra-3_prm_5",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every three (3) years or when a significant change occurs"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "RA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-                "rel": "reference",
-                "text": "OMB Memorandum 04-04"
-              },
-              {
-                "href": "#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-30"
-              },
-              {
-                "href": "#d480aa6a-7a88-424e-a10c-ad1c7870354b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-39"
-              },
-              {
-                "href": "#85280698-0417-489d-b214-12bb935fb939",
-                "rel": "reference",
-                "text": "http://idmanagement.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of the information system and the information it processes, stores, or\n                  transmits;"
-                  },
-                  {
-                    "id": "ra-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Documents risk assessment results in {{ ra-3_prm_1 }};"
-                  },
-                  {
-                    "id": "ra-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Reviews risk assessment results {{ ra-3_prm_3 }};"
-                  },
-                  {
-                    "id": "ra-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Disseminates risk assessment results to {{ ra-3_prm_4 }}; and"
-                  },
-                  {
-                    "id": "ra-3_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are\n                  significant changes to the information system or environment of operation\n                  (including the identification of new threats and vulnerabilities), or other\n                  conditions that may impact the security state of the system."
-                  },
-                  {
-                    "id": "ra-3_fr",
-                    "name": "item",
-                    "title": "RA-3 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ra-3_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"
-                      },
-                      {
-                        "id": "ra-3_fr_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-3 (d) Requirement:"
-                          }
-                        ],
-                        "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_gdn",
-                "name": "guidance",
-                "prose": "Clearly defined authorization boundaries are a prerequisite for effective risk\n               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,\n               and impact to organizational operations and assets, individuals, other organizations,\n               and the Nation based on the operation and use of information systems. Risk\n               assessments also take into account risk from external parties (e.g., service\n               providers, contractors operating information systems on behalf of the organization,\n               individuals accessing organizational information systems, outsourcing entities). In\n               accordance with OMB policy and related E-authentication initiatives, authentication\n               of public users accessing federal information systems may also be required to protect\n               nonpublic or privacy-related information. As such, organizational assessments of risk\n               also address public access to federal information systems. Risk assessments (either\n               formal or informal) can be conducted at all three tiers in the risk management\n               hierarchy (i.e., organization level, mission/business process level, or information\n               system level) and at any phase in the system development life cycle. Risk assessments\n               can also be conducted at various steps in the Risk Management Framework, including\n               categorization, security control selection, security control implementation, security\n               control assessment, information system authorization, and security control\n               monitoring. RA-3 is noteworthy in that the control must be partially implemented\n               prior to the implementation of other controls in order to complete the first two\n               steps in the Risk Management Framework. Risk assessments can play an important role\n               in security control selection processes, particularly during the application of\n               tailoring guidance, which includes security control supplementation.",
-                "links": [
-                  {
-                    "href": "#ra-2",
-                    "rel": "related",
-                    "text": "RA-2"
-                  },
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "ra-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(a)"
-                      }
-                    ],
-                    "prose": "conducts an assessment of risk, including the likelihood and magnitude of harm,\n                  from the unauthorized access, use, disclosure, disruption, modification, or\n                  destruction of:",
-                    "parts": [
-                      {
-                        "id": "ra-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(a)[1]"
-                          }
-                        ],
-                        "prose": "the information system;"
-                      },
-                      {
-                        "id": "ra-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(a)[2]"
-                          }
-                        ],
-                        "prose": "the information the system processes, stores, or transmits;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(b)[1]"
-                          }
-                        ],
-                        "prose": "defines a document in which risk assessment results are to be documented (if\n                     not documented in the security plan or risk assessment report);"
-                      },
-                      {
-                        "id": "ra-3.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(b)[2]"
-                          }
-                        ],
-                        "prose": "documents risk assessment results in one of the following:",
-                        "parts": [
-                          {
-                            "id": "ra-3.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][a]"
-                              }
-                            ],
-                            "prose": "the security plan;"
-                          },
-                          {
-                            "id": "ra-3.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][b]"
-                              }
-                            ],
-                            "prose": "the risk assessment report; or"
-                          },
-                          {
-                            "id": "ra-3.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(b)[2][c]"
-                              }
-                            ],
-                            "prose": "the organization-defined document;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to review risk assessment results;"
-                      },
-                      {
-                        "id": "ra-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(c)[2]"
-                          }
-                        ],
-                        "prose": "reviews risk assessment results with the organization-defined frequency;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(d)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom risk assessment results are to be\n                     disseminated;"
-                      },
-                      {
-                        "id": "ra-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(d)[2]"
-                          }
-                        ],
-                        "prose": "disseminates risk assessment results to organization-defined personnel or\n                     roles;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-3.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-3(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-3.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(e)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the risk assessment;"
-                      },
-                      {
-                        "id": "ra-3.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-3(e)[2]"
-                          }
-                        ],
-                        "prose": "updates the risk assessment:",
-                        "parts": [
-                          {
-                            "id": "ra-3.e_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][a]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency;"
-                          },
-                          {
-                            "id": "ra-3.e_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][b]"
-                              }
-                            ],
-                            "prose": "whenever there are significant changes to the information system or\n                        environment of operation (including the identification of new threats and\n                        vulnerabilities); and"
-                          },
-                          {
-                            "id": "ra-3.e_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-3(e)[2][c]"
-                              }
-                            ],
-                            "prose": "whenever there are other conditions that may impact the security state of\n                        the system."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nsecurity planning policy and procedures\\n\\nprocedures addressing organizational assessments of risk\\n\\nsecurity plan\\n\\nrisk assessment\\n\\nrisk assessment results\\n\\nrisk assessment reviews\\n\\nrisk assessment updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for risk assessment\\n\\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,\n                  disseminating, and updating the risk assessment"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "ra-5",
-            "class": "SP800-53",
-            "title": "Vulnerability Scanning",
-            "parameters": [
-              {
-                "id": "ra-5_prm_1",
-                "label": "organization-defined frequency and/or randomly in accordance with\n               organization-defined process",
-                "constraints": [
-                  {
-                    "detail": "monthly operating system/infrastructure; monthly web applications and databases"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_prm_2",
-                "label": "organization-defined response times",
-                "constraints": [
-                  {
-                    "detail": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_prm_3",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "RA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "ra-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#c4691b88-57d1-463b-9053-2d0087913f31",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-115"
-              },
-              {
-                "href": "#15522e92-9192-463d-9646-6a01982db8ca",
-                "rel": "reference",
-                "text": "http://cwe.mitre.org"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "ra-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "ra-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Scans for vulnerabilities in the information system and hosted applications\n                     {{ ra-5_prm_1 }} and when new vulnerabilities potentially\n                  affecting the system/applications are identified and reported;",
-                    "parts": [
-                      {
-                        "id": "ra-5_fr_smt.a",
-                        "name": "item",
-                        "title": "RA-5(a) Additional FedRAMP Requirements and Guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5 (a)Requirement:"
-                          }
-                        ],
-                        "prose": "An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:",
-                    "parts": [
-                      {
-                        "id": "ra-5_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Enumerating platforms, software flaws, and improper configurations;"
-                      },
-                      {
-                        "id": "ra-5_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Formatting checklists and test procedures; and"
-                      },
-                      {
-                        "id": "ra-5_smt.b.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Measuring vulnerability impact;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Analyzes vulnerability scan reports and results from security control\n                  assessments;"
-                  },
-                  {
-                    "id": "ra-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in\n                  accordance with an organizational assessment of risk; and"
-                  },
-                  {
-                    "id": "ra-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Shares information obtained from the vulnerability scanning process and security\n                  control assessments with {{ ra-5_prm_3 }} to help eliminate similar\n                  vulnerabilities in other information systems (i.e., systemic weaknesses or\n                  deficiencies).",
-                    "parts": [
-                      {
-                        "id": "ra-5_fr_smt.e",
-                        "name": "item",
-                        "title": "RA-5(e) Additional FedRAMP Requirements and Guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "RA-5 (e)Requirement:"
-                          }
-                        ],
-                        "prose": "To include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5_fr",
-                    "name": "item",
-                    "title": "RA-5 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "ra-5_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_gdn",
-                "name": "guidance",
-                "prose": "Security categorization of information systems guides the frequency and\n               comprehensiveness of vulnerability scans. Organizations determine the required\n               vulnerability scanning for all information system components, ensuring that potential\n               sources of vulnerabilities such as networked printers, scanners, and copiers are not\n               overlooked. Vulnerability analyses for custom software applications may require\n               additional approaches such as static analysis, dynamic analysis, binary analysis, or\n               a hybrid of the three approaches. Organizations can employ these analysis approaches\n               in a variety of tools (e.g., web-based application scanners, static analysis tools,\n               binary analyzers) and in source code reviews. Vulnerability scanning includes, for\n               example: (i) scanning for patch levels; (ii) scanning for functions, ports,\n               protocols, and services that should not be accessible to users or devices; and (iii)\n               scanning for improperly configured or incorrectly operating information flow control\n               mechanisms. Organizations consider using tools that express vulnerabilities in the\n               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open\n               Vulnerability Assessment Language (OVAL) to determine/test for the presence of\n               vulnerabilities. Suggested sources for vulnerability information include the Common\n               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In\n               addition, security control assessments such as red team exercises provide other\n               sources of potential vulnerabilities for which to scan. Organizations also consider\n               using tools that express vulnerability impact by the Common Vulnerability Scoring\n               System (CVSS).",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#ra-2",
-                    "rel": "related",
-                    "text": "RA-2"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "ra-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "ra-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[1]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[1][a]"
-                              }
-                            ],
-                            "prose": "defines the frequency for conducting vulnerability scans on the information\n                        system and hosted applications; and/or"
-                          },
-                          {
-                            "id": "ra-5.a_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[1][b]"
-                              }
-                            ],
-                            "prose": "defines the process for conducting random vulnerability scans on the\n                        information system and hosted applications;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[2]"
-                          }
-                        ],
-                        "prose": "in accordance with the organization-defined frequency and/or\n                     organization-defined process for conducting random scans, scans for\n                     vulnerabilities in:",
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[2][a]"
-                              }
-                            ],
-                            "prose": "the information system;"
-                          },
-                          {
-                            "id": "ra-5.a_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[2][b]"
-                              }
-                            ],
-                            "prose": "hosted applications;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(a)[3]"
-                          }
-                        ],
-                        "prose": "when new vulnerabilities potentially affecting the system/applications are\n                     identified and reported, scans for vulnerabilities in:",
-                        "parts": [
-                          {
-                            "id": "ra-5.a_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[3][a]"
-                              }
-                            ],
-                            "prose": "the information system;"
-                          },
-                          {
-                            "id": "ra-5.a_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(a)[3][b]"
-                              }
-                            ],
-                            "prose": "hosted applications;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(b)"
-                      }
-                    ],
-                    "prose": "employs vulnerability scanning tools and techniques that facilitate\n                  interoperability among tools and automate parts of the vulnerability management\n                  process by using standards for:",
-                    "parts": [
-                      {
-                        "id": "ra-5.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "enumerating platforms;"
-                          },
-                          {
-                            "id": "ra-5.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "enumerating software flaws;"
-                          },
-                          {
-                            "id": "ra-5.b.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(1)[3]"
-                              }
-                            ],
-                            "prose": "enumerating improper configurations;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "ra-5.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "formatting checklists;"
-                          },
-                          {
-                            "id": "ra-5.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "formatting test procedures;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "ra-5.b.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(b)(3)"
-                          }
-                        ],
-                        "prose": "measuring vulnerability impact;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(c)[1]"
-                          }
-                        ],
-                        "prose": "analyzes vulnerability scan reports;"
-                      },
-                      {
-                        "id": "ra-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(c)[2]"
-                          }
-                        ],
-                        "prose": "analyzes results from security control assessments;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(d)[1]"
-                          }
-                        ],
-                        "prose": "defines response times to remediate legitimate vulnerabilities in accordance\n                     with an organizational assessment of risk;"
-                      },
-                      {
-                        "id": "ra-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(d)[2]"
-                          }
-                        ],
-                        "prose": "remediates legitimate vulnerabilities within the organization-defined response\n                     times in accordance with an organizational assessment of risk;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "RA-5(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "ra-5.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles with whom information obtained from the\n                     vulnerability scanning process and security control assessments is to be\n                     shared;"
-                      },
-                      {
-                        "id": "ra-5.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[2]"
-                          }
-                        ],
-                        "prose": "shares information obtained from the vulnerability scanning process with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies); and"
-                      },
-                      {
-                        "id": "ra-5.e_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(e)[3]"
-                          }
-                        ],
-                        "prose": "shares information obtained from security control assessments with\n                     organization-defined personnel or roles to help eliminate similar\n                     vulnerabilities in other information systems (i.e., systemic weaknesses or\n                     deficiencies)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nrisk assessment\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with risk assessment, security control assessment and\n                  vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with vulnerability remediation responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and\n                  information sharing\\n\\nautomated mechanisms supporting and/or implementing vulnerability scanning,\n                  analysis, remediation, and information sharing"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "ra-5.1",
-                "class": "SP800-53-enhancement",
-                "title": "Update Tool Capability",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.1_smt",
-                    "name": "statement",
-                    "prose": "The organization employs vulnerability scanning tools that include the capability\n                  to readily update the information system vulnerabilities to be scanned."
-                  },
-                  {
-                    "id": "ra-5.1_gdn",
-                    "name": "guidance",
-                    "prose": "The vulnerabilities to be scanned need to be readily updated as new\n                  vulnerabilities are discovered, announced, and scanning methods developed. This\n                  updating process helps to ensure that potential vulnerabilities in the information\n                  system are identified and addressed as quickly as possible.",
-                    "links": [
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs vulnerability scanning tools that include\n                  the capability to readily update the information system vulnerabilities to be\n                  scanned."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.2",
-                "class": "SP800-53-enhancement",
-                "title": "Update by Frequency / Prior to New Scan / When Identified",
-                "parameters": [
-                  {
-                    "id": "ra-5.2_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "prior to a new scan"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.2_prm_2",
-                    "depends-on": "ra-5.2_prm_1",
-                    "label": "organization-defined frequency"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "RA-5(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.2_smt",
-                    "name": "statement",
-                    "prose": "The organization updates the information system vulnerabilities scanned {{ ra-5.2_prm_1 }}."
-                  },
-                  {
-                    "id": "ra-5.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#si-3",
-                        "rel": "related",
-                        "text": "SI-3"
-                      },
-                      {
-                        "href": "#si-5",
-                        "rel": "related",
-                        "text": "SI-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "ra-5.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(2)[1]"
-                          }
-                        ],
-                        "prose": "defines the frequency to update the information system vulnerabilities\n                     scanned;"
-                      },
-                      {
-                        "id": "ra-5.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(2)[2]"
-                          }
-                        ],
-                        "prose": "updates the information system vulnerabilities scanned one or more of the\n                     following:",
-                        "parts": [
-                          {
-                            "id": "ra-5.2_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(2)[2][a]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency;"
-                          },
-                          {
-                            "id": "ra-5.2_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(2)[2][b]"
-                              }
-                            ],
-                            "prose": "prior to a new scan; and/or"
-                          },
-                          {
-                            "id": "ra-5.2_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "RA-5(2)[2][c]"
-                              }
-                            ],
-                            "prose": "when new vulnerabilities are identified and reported."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.3",
-                "class": "SP800-53-enhancement",
-                "title": "Breadth / Depth of Coverage",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.3_smt",
-                    "name": "statement",
-                    "prose": "The organization employs vulnerability scanning procedures that can identify the\n                  breadth and depth of coverage (i.e., information system components scanned and\n                  vulnerabilities checked)."
-                  },
-                  {
-                    "id": "ra-5.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs vulnerability scanning procedures that can\n                  identify:",
-                    "parts": [
-                      {
-                        "id": "ra-5.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(3)[1]"
-                          }
-                        ],
-                        "prose": "the breadth of coverage (i.e., information system components scanned); and"
-                      },
-                      {
-                        "id": "ra-5.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(3)[2]"
-                          }
-                        ],
-                        "prose": "the depth of coverage (i.e., vulnerabilities checked)."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Procedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nvulnerability scanning tools and associated configuration documentation\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.5",
-                "class": "SP800-53-enhancement",
-                "title": "Privileged Access",
-                "parameters": [
-                  {
-                    "id": "ra-5.5_prm_1",
-                    "label": "organization-identified information system components",
-                    "constraints": [
-                      {
-                        "detail": "operating systems / web applications / databases"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.5_prm_2",
-                    "label": "organization-defined vulnerability scanning activities",
-                    "constraints": [
-                      {
-                        "detail": "all scans"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "RA-5(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.5_smt",
-                    "name": "statement",
-                    "prose": "The information system implements privileged access authorization to {{ ra-5.5_prm_1 }} for selected {{ ra-5.5_prm_2 }}."
-                  },
-                  {
-                    "id": "ra-5.5_gdn",
-                    "name": "guidance",
-                    "prose": "In certain situations, the nature of the vulnerability scanning may be more\n                  intrusive or the information system component that is the subject of the scanning\n                  may contain highly sensitive information. Privileged access authorization to\n                  selected system components facilitates more thorough vulnerability scanning and\n                  also protects the sensitive nature of such scanning."
-                  },
-                  {
-                    "id": "ra-5.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "ra-5.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(5)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines information system components to which privileged\n                     access is authorized for selected vulnerability scanning activities;"
-                      },
-                      {
-                        "id": "ra-5.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(5)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines vulnerability scanning activities selected for\n                     privileged access authorization to organization-defined information system\n                     components; and"
-                      },
-                      {
-                        "id": "ra-5.5_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "RA-5(5)[3]"
-                          }
-                        ],
-                        "prose": "the information system implements privileged access authorization to\n                     organization-defined information system components for selected\n                     organization-defined vulnerability scanning activities."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\nsecurity plan\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components for vulnerability scanning\\n\\npersonnel access authorization list\\n\\nauthorization credentials\\n\\naccess authorization records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel responsible for access control to the information\n                     system\\n\\norganizational personnel responsible for configuration management of the\n                     information system\\n\\nsystem developers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\norganizational processes for access control\\n\\nautomated mechanisms supporting and/or implementing access control\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.6",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Trend Analyses",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(6)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.06"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.6_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms to compare the results of\n                  vulnerability scans over time to determine trends in information system\n                  vulnerabilities.",
-                    "parts": [
-                      {
-                        "id": "ra-5.6_fr",
-                        "name": "item",
-                        "title": "RA-5 (6) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ra-5.6_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "Include in Continuous Monitoring ISSO digest/report to JAB/AO"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.6_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      },
-                      {
-                        "href": "#ir-5",
-                        "rel": "related",
-                        "text": "IR-5"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.6_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated mechanisms to compare the results\n                  of vulnerability scans over time to determine trends in information system\n                  vulnerabilities."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\ninformation system design documentation\\n\\nvulnerability scanning tools and techniques documentation\\n\\nvulnerability scanning results\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing trend analysis of\n                     vulnerability scan results"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "ra-5.8",
-                "class": "SP800-53-enhancement",
-                "title": "Review Historic Audit Logs",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "RA-5(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "ra-05.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "ra-5.8_smt",
-                    "name": "statement",
-                    "prose": "The organization reviews historic audit logs to determine if a vulnerability\n                  identified in the information system has been previously exploited.",
-                    "parts": [
-                      {
-                        "id": "ra-5.8_fr",
-                        "name": "item",
-                        "title": "RA-5 (8) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "ra-5.8_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "This enhancement is required for all high vulnerability scan findings."
-                          },
-                          {
-                            "id": "ra-5.8_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.8_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#au-6",
-                        "rel": "related",
-                        "text": "AU-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "ra-5.8_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization reviews historic audit logs to determine if a\n                  vulnerability identified in the information system has been previously exploited.\n               "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Risk assessment policy\\n\\nprocedures addressing vulnerability scanning\\n\\naudit logs\\n\\nrecords of audit log reviews\\n\\nvulnerability scanning results\\n\\npatch and vulnerability management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with vulnerability scanning responsibilities\\n\\norganizational personnel with vulnerability scan analysis responsibilities\\n\\norganizational personnel with audit record review responsibilities\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for vulnerability scanning\\n\\norganizational process for audit record review and response\\n\\nautomated mechanisms/tools supporting and/or implementing vulnerability\n                     scanning\\n\\nautomated mechanisms supporting and/or implementing audit record review"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "sa",
-        "class": "family",
-        "title": "System and Services Acquisition",
-        "controls": [
-          {
-            "id": "sa-1",
-            "class": "SP800-53",
-            "title": "System and Services Acquisition Policy and Procedures",
-            "parameters": [
-              {
-                "id": "sa-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "sa-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SA-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ sa-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "sa-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and services acquisition policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "sa-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and services\n                     acquisition policy and associated system and services acquisition controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "sa-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and services acquisition policy {{ sa-1_prm_2 }}; and"
-                      },
-                      {
-                        "id": "sa-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and services acquisition procedures {{ sa-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SA\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "sa-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and services acquisition policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "sa-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "sa-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SA-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "sa-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and services acquisition\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "sa-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and services acquisition policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and services acquisition policy and associated system and services\n                        acquisition controls;"
-                          },
-                          {
-                            "id": "sa-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "sa-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and services\n                        acquisition policy;"
-                          },
-                          {
-                            "id": "sa-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and services acquisition policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and services\n                        acquisition procedures; and"
-                          },
-                          {
-                            "id": "sa-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and services acquisition procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-2",
-            "class": "SP800-53",
-            "title": "Allocation of Resources",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#29fcfe59-33cd-494a-8756-5907ae3a8f92",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-65"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Determines information security requirements for the information system or\n                  information system service in mission/business process planning;"
-                  },
-                  {
-                    "id": "sa-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Determines, documents, and allocates the resources required to protect the\n                  information system or information system service as part of its capital planning\n                  and investment control process; and"
-                  },
-                  {
-                    "id": "sa-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."
-                  }
-                ]
-              },
-              {
-                "id": "sa-2_gdn",
-                "name": "guidance",
-                "prose": "Resource allocation for information security includes funding for the initial\n               information system or information system service acquisition and funding for the\n               sustainment of the system/service.",
-                "links": [
-                  {
-                    "href": "#pm-3",
-                    "rel": "related",
-                    "text": "PM-3"
-                  },
-                  {
-                    "href": "#pm-11",
-                    "rel": "related",
-                    "text": "PM-11"
-                  }
-                ]
-              },
-              {
-                "id": "sa-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(a)"
-                      }
-                    ],
-                    "prose": "determines information security requirements for the information system or\n                  information system service in mission/business process planning;"
-                  },
-                  {
-                    "id": "sa-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(b)"
-                      }
-                    ],
-                    "prose": "to protect the information system or information system service as part of its\n                  capital planning and investment control process:",
-                    "parts": [
-                      {
-                        "id": "sa-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[1]"
-                          }
-                        ],
-                        "prose": "determines the resources required;"
-                      },
-                      {
-                        "id": "sa-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[2]"
-                          }
-                        ],
-                        "prose": "documents the resources required;"
-                      },
-                      {
-                        "id": "sa-2.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-2(b)[3]"
-                          }
-                        ],
-                        "prose": "allocates the resources required; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-2(c)"
-                      }
-                    ],
-                    "prose": "establishes a discrete line item for information security in organizational\n                  programming and budgeting documentation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the allocation of resources to information security\n                  requirements\\n\\nprocedures addressing capital planning and investment control\\n\\norganizational programming and budgeting documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with capital planning, investment control, organizational\n                  programming and budgeting responsibilities\\n\\norganizational personnel responsible for determining information security\n                  requirements for information systems/services\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for determining information security requirements\\n\\norganizational processes for capital planning, programming, and budgeting\\n\\nautomated mechanisms supporting and/or implementing organizational capital\n                  planning, programming, and budgeting"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-3",
-            "class": "SP800-53",
-            "title": "System Development Life Cycle",
-            "parameters": [
-              {
-                "id": "sa-3_prm_1",
-                "label": "organization-defined system development life cycle"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#abd950ae-092f-4b7a-b374-1c7c67fe9350",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-64"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Manages the information system using {{ sa-3_prm_1 }} that\n                  incorporates information security considerations;"
-                  },
-                  {
-                    "id": "sa-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"
-                  },
-                  {
-                    "id": "sa-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Identifies individuals having information security roles and responsibilities;\n                  and"
-                  },
-                  {
-                    "id": "sa-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Integrates the organizational information security risk management process into\n                  system development life cycle activities."
-                  }
-                ]
-              },
-              {
-                "id": "sa-3_gdn",
-                "name": "guidance",
-                "prose": "A well-defined system development life cycle provides the foundation for the\n               successful development, implementation, and operation of organizational information\n               systems. To apply the required security controls within the system development life\n               cycle requires a basic understanding of information security, threats,\n               vulnerabilities, adverse impacts, and risk to critical missions/business functions.\n               The security engineering principles in SA-8 cannot be properly applied if individuals\n               that design, code, and test information systems and system components (including\n               information technology products) do not understand security. Therefore, organizations\n               include qualified personnel, for example, chief information security officers,\n               security architects, security engineers, and information system security officers in\n               system development life cycle activities to ensure that security requirements are\n               incorporated into organizational information systems. It is equally important that\n               developers include individuals on the development team that possess the requisite\n               security expertise and skills to ensure that needed security capabilities are\n               effectively integrated into the information system. Security awareness and training\n               programs can help ensure that individuals having key security roles and\n               responsibilities have the appropriate experience, skills, and expertise to conduct\n               assigned system development life cycle activities. The effective integration of\n               security requirements into enterprise architecture also helps to ensure that\n               important security considerations are addressed early in the system development life\n               cycle and that those considerations are directly related to the organizational\n               mission/business processes. This process also facilitates the integration of the\n               information security architecture into the enterprise architecture, consistent with\n               organizational risk management and information security strategies.",
-                "links": [
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  }
-                ]
-              },
-              {
-                "id": "sa-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-3(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-3(a)[1]"
-                          }
-                        ],
-                        "prose": "defines a system development life cycle that incorporates information security\n                     considerations to be used to manage the information system;"
-                      },
-                      {
-                        "id": "sa-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-3(a)[2]"
-                          }
-                        ],
-                        "prose": "manages the information system using the organization-defined system\n                     development life cycle;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(b)"
-                      }
-                    ],
-                    "prose": "defines and documents information security roles and responsibilities throughout\n                  the system development life cycle;"
-                  },
-                  {
-                    "id": "sa-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(c)"
-                      }
-                    ],
-                    "prose": "identifies individuals having information security roles and responsibilities;\n                  and"
-                  },
-                  {
-                    "id": "sa-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-3(d)"
-                      }
-                    ],
-                    "prose": "integrates the organizational information security risk management process into\n                  system development life cycle activities."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security into the system\n                  development life cycle process\\n\\ninformation system development life cycle documentation\\n\\ninformation security risk management strategy/program documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with information security and system life cycle\n                  development responsibilities\\n\\norganizational personnel with information security risk management\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining and documenting the SDLC\\n\\norganizational processes for identifying SDLC roles and responsibilities\\n\\norganizational process for integrating information security risk management into\n                  the SDLC\\n\\nautomated mechanisms supporting and/or implementing the SDLC"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-4",
-            "class": "SP800-53",
-            "title": "Acquisition Process",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#ad733a42-a7ed-4774-b988-4930c28852f3",
-                "rel": "reference",
-                "text": "HSPD-12"
-              },
-              {
-                "href": "#1737a687-52fb-4008-b900-cbfa836f7b65",
-                "rel": "reference",
-                "text": "ISO/IEC 15408"
-              },
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#c80c10b3-1294-4984-a4cc-d1733ca432b9",
-                "rel": "reference",
-                "text": "FIPS Publication 201"
-              },
-              {
-                "href": "#0a5db899-f033-467f-8631-f5a8ba971475",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-23"
-              },
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              },
-              {
-                "href": "#d818efd3-db31-4953-8afa-9e76afe83ce2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-36"
-              },
-              {
-                "href": "#0a0c26b6-fd44-4274-8b36-93442d49d998",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-37"
-              },
-              {
-                "href": "#abd950ae-092f-4b7a-b374-1c7c67fe9350",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-64"
-              },
-              {
-                "href": "#84a37532-6db6-477b-9ea8-f9085ebca0fc",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-70"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              },
-              {
-                "href": "#56d671da-6b7b-4abf-8296-84b61980390a",
-                "rel": "reference",
-                "text": "Federal Acquisition Regulation"
-              },
-              {
-                "href": "#c95a9986-3cd6-4a98-931b-ccfc56cb11e5",
-                "rel": "reference",
-                "text": "http://www.niap-ccevs.org"
-              },
-              {
-                "href": "#5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-                "rel": "reference",
-                "text": "http://fips201ep.cio.gov"
-              },
-              {
-                "href": "#bbd50dd1-54ce-4432-959d-63ea564b1bb4",
-                "rel": "reference",
-                "text": "http://www.acquisition.gov/far"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-4_smt",
-                "name": "statement",
-                "prose": "The organization includes the following requirements, descriptions, and criteria,\n               explicitly or by reference, in the acquisition contract for the information system,\n               system component, or information system service in accordance with applicable federal\n               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and\n               organizational mission/business needs:",
-                "parts": [
-                  {
-                    "id": "sa-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Security functional requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Security strength requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Security assurance requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Security-related documentation requirements;"
-                  },
-                  {
-                    "id": "sa-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Requirements for protecting security-related documentation;"
-                  },
-                  {
-                    "id": "sa-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Description of the information system development environment and environment in\n                  which the system is intended to operate; and"
-                  },
-                  {
-                    "id": "sa-4_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Acceptance criteria."
-                  },
-                  {
-                    "id": "sa-4_fr",
-                    "name": "item",
-                    "title": "SA-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sa-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4_gdn",
-                "name": "guidance",
-                "prose": "Information system components are discrete, identifiable information technology\n               assets (e.g., hardware, software, or firmware) that represent the building blocks of\n               an information system. Information system components include commercial information\n               technology products. Security functional requirements include security capabilities,\n               security functions, and security mechanisms. Security strength requirements\n               associated with such capabilities, functions, and mechanisms include degree of\n               correctness, completeness, resistance to direct attack, and resistance to tampering\n               or bypass. Security assurance requirements include: (i) development processes,\n               procedures, practices, and methodologies; and (ii) evidence from development and\n               assessment activities providing grounds for confidence that the required security\n               functionality has been implemented and the required security strength has been\n               achieved. Security documentation requirements address all phases of the system\n               development life cycle. Security functionality, assurance, and documentation\n               requirements are expressed in terms of security controls and control enhancements\n               that have been selected through the tailoring process. The security control tailoring\n               process includes, for example, the specification of parameter values through the use\n               of assignment and selection statements and the specification of platform dependencies\n               and implementation information. Security documentation provides user and\n               administrator guidance regarding the implementation and operation of security\n               controls. The level of detail required in security documentation is based on the\n               security category or classification level of the information system and the degree to\n               which organizations depend on the stated security capability, functions, or\n               mechanisms to meet overall risk response expectations (as defined in the\n               organizational risk management strategy). Security requirements can also include\n               organizationally mandated configuration settings specifying allowed functions, ports,\n               protocols, and services. Acceptance criteria for information systems, information\n               system components, and information system services are defined in the same manner as\n               such criteria for any organizational acquisition or procurement. The Federal\n               Acquisition Regulation (FAR) Section 7.103 contains information security requirements\n               from FISMA.",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  }
-                ]
-              },
-              {
-                "id": "sa-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization includes the following requirements, descriptions, and\n               criteria, explicitly or by reference, in the acquisition contracts for the\n               information system, system component, or information system service in accordance\n               with applicable federal laws, Executive Orders, directives, policies, regulations,\n               standards, guidelines, and organizational mission/business needs:",
-                "parts": [
-                  {
-                    "id": "sa-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(a)"
-                      }
-                    ],
-                    "prose": "security functional requirements;"
-                  },
-                  {
-                    "id": "sa-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(b)"
-                      }
-                    ],
-                    "prose": "security strength requirements;"
-                  },
-                  {
-                    "id": "sa-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(c)"
-                      }
-                    ],
-                    "prose": "security assurance requirements;"
-                  },
-                  {
-                    "id": "sa-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(d)"
-                      }
-                    ],
-                    "prose": "security-related documentation requirements;"
-                  },
-                  {
-                    "id": "sa-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(e)"
-                      }
-                    ],
-                    "prose": "requirements for protecting security-related documentation;"
-                  },
-                  {
-                    "id": "sa-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(f)"
-                      }
-                    ],
-                    "prose": "description of:",
-                    "parts": [
-                      {
-                        "id": "sa-4.f_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(f)[1]"
-                          }
-                        ],
-                        "prose": "the information system development environment;"
-                      },
-                      {
-                        "id": "sa-4.f_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(f)[2]"
-                          }
-                        ],
-                        "prose": "the environment in which the system is intended to operate; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-4(g)"
-                      }
-                    ],
-                    "prose": "acceptance criteria."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                  descriptions, and criteria into the acquisition process\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\ninformation system design documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security functional, strength, and assurance requirements\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for determining information system security functional,\n                  strength, and assurance requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of\n                  security requirements in contracts"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "Functional Properties of Security Controls",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to provide a description of the\n                  functional properties of the security controls to be employed."
-                  },
-                  {
-                    "id": "sa-4.1_gdn",
-                    "name": "guidance",
-                    "prose": "Functional properties of security controls describe the functionality (i.e.,\n                  security capability, functions, or mechanisms) visible at the interfaces of the\n                  controls and specifically exclude functionality and data structures internal to\n                  the operation of the controls.",
-                    "links": [
-                      {
-                        "href": "#sa-5",
-                        "rel": "related",
-                        "text": "SA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to provide a description of the\n                  functional properties of the security controls to be employed."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documents\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security functional requirements\\n\\ninformation system developer or service provider\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for determining information system security\n                     functional, requirements\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing acquisitions and inclusion\n                     of security requirements in contracts"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Design / Implementation Information for Security Controls",
-                "parameters": [
-                  {
-                    "id": "sa-4.2_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "to include security-relevant external system interfaces and high-level design"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.2_prm_2",
-                    "depends-on": "sa-4.2_prm_1",
-                    "label": "organization-defined design/implementation information"
-                  },
-                  {
-                    "id": "sa-4.2_prm_3",
-                    "label": "organization-defined level of detail"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to provide design and implementation\n                  information for the security controls to be employed that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}."
-                  },
-                  {
-                    "id": "sa-4.2_gdn",
-                    "name": "guidance",
-                    "prose": "Organizations may require different levels of detail in design and implementation\n                  documentation for security controls employed in organizational information\n                  systems, system components, or information system services based on\n                  mission/business requirements, requirements for trustworthiness/resiliency, and\n                  requirements for analysis and testing. Information systems can be partitioned into\n                  multiple subsystems. Each subsystem within the system can contain one or more\n                  modules. The high-level design for the system is expressed in terms of multiple\n                  subsystems and the interfaces between subsystems providing security-relevant\n                  functionality. The low-level design for the system is expressed in terms of\n                  modules with particular emphasis on software and firmware (but not excluding\n                  hardware) and the interfaces between modules providing security-relevant\n                  functionality. Source code and hardware schematics are typically referred to as\n                  the implementation representation of the information system.",
-                    "links": [
-                      {
-                        "href": "#sa-5",
-                        "rel": "related",
-                        "text": "SA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-4.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(2)[1]"
-                          }
-                        ],
-                        "prose": "defines level of detail that the developer is required to provide in design and\n                     implementation information for the security controls to be employed in the\n                     information system, system component, or information system service;"
-                      },
-                      {
-                        "id": "sa-4.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(2)[2]"
-                          }
-                        ],
-                        "prose": "defines design/implementation information that the developer is to provide for\n                     the security controls to be employed (if selected);"
-                      },
-                      {
-                        "id": "sa-4.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(2)[3]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to provide design and implementation information for\n                     the security controls to be employed that includes, at the organization-defined\n                     level of detail, one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "sa-4.2_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][a]"
-                              }
-                            ],
-                            "prose": "security-relevant external system interfaces;"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][b]"
-                              }
-                            ],
-                            "prose": "high-level design;"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][c]"
-                              }
-                            ],
-                            "prose": "low-level design;"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][d]"
-                              }
-                            ],
-                            "prose": "source code;"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.e",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][e]"
-                              }
-                            ],
-                            "prose": "hardware schematics; and/or"
-                          },
-                          {
-                            "id": "sa-4.2_obj.3.f",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-4(2)[3][f]"
-                              }
-                            ],
-                            "prose": "organization-defined design/implementation information."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documents\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system components, or\n                     information system services\\n\\ndesign and implementation information for security controls employed in the\n                     information system, system component, or information system service\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\ninformation system developer or service provider\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for determining level of detail for system design and\n                     security controls\\n\\norganizational processes for developing acquisition contracts\\n\\nautomated mechanisms supporting and/or implementing development of system\n                     design details"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4.8",
-                "class": "SP800-53-enhancement",
-                "title": "Continuous Monitoring Plan",
-                "parameters": [
-                  {
-                    "id": "sa-4.8_prm_1",
-                    "label": "organization-defined level of detail",
-                    "constraints": [
-                      {
-                        "detail": "at least the minimum requirement as defined in control CA-7"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.8_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to produce a plan for the continuous\n                  monitoring of security control effectiveness that contains {{ sa-4.8_prm_1 }}.",
-                    "parts": [
-                      {
-                        "id": "sa-4.8_fr",
-                        "name": "item",
-                        "title": "SA-4 (8) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "sa-4.8_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "CSP must use the same security standards regardless of where the system component or information system service is acquired."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.8_gdn",
-                    "name": "guidance",
-                    "prose": "The objective of continuous monitoring plans is to determine if the complete set\n                  of planned, required, and deployed security controls within the information\n                  system, system component, or information system service continue to be effective\n                  over time based on the inevitable changes that occur. Developer continuous\n                  monitoring plans include a sufficient level of detail such that the information\n                  can be incorporated into the continuous monitoring strategies and programs\n                  implemented by organizations.",
-                    "links": [
-                      {
-                        "href": "#ca-7",
-                        "rel": "related",
-                        "text": "CA-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.8_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-4.8_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(8)[1]"
-                          }
-                        ],
-                        "prose": "defines the level of detail the developer of the information system, system\n                     component, or information system service is required to provide when producing\n                     a plan for the continuous monitoring of security control effectiveness; and"
-                      },
-                      {
-                        "id": "sa-4.8_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(8)[2]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to produce a plan for the continuous monitoring of\n                     security control effectiveness that contains the organization-defined level of\n                     detail."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing developer continuous monitoring plans\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\ndeveloper continuous monitoring plans\\n\\nsecurity assessment plans\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nacquisition documentation\\n\\nsolicitation documentation\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Vendor processes for continuous monitoring\\n\\nautomated mechanisms supporting and/or implementing developer continuous\n                     monitoring"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4.9",
-                "class": "SP800-53-enhancement",
-                "title": "Functions / Ports / Protocols / Services in Use",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(9)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.09"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.9_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to identify early in the system\n                  development life cycle, the functions, ports, protocols, and services intended for\n                  organizational use."
-                  },
-                  {
-                    "id": "sa-4.9_gdn",
-                    "name": "guidance",
-                    "prose": "The identification of functions, ports, protocols, and services early in the\n                  system development life cycle (e.g., during the initial requirements definition\n                  and design phases) allows organizations to influence the design of the information\n                  system, information system component, or information system service. This early\n                  involvement in the life cycle helps organizations to avoid or minimize the use of\n                  functions, ports, protocols, or services that pose unnecessarily high risks and\n                  understand the trade-offs involved in blocking specific ports, protocols, or\n                  services (or when requiring information system service providers to do so). Early\n                  identification of functions, ports, protocols, and services avoids costly\n                  retrofitting of security controls after the information system, system component,\n                  or information system service has been implemented. SA-9 describes requirements\n                  for external information system services with organizations identifying which\n                  functions, ports, protocols, and services are provided from external sources.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      },
-                      {
-                        "href": "#sa-9",
-                        "rel": "related",
-                        "text": "SA-9"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.9_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to identify early in the system\n                  development life cycle:",
-                    "parts": [
-                      {
-                        "id": "sa-4.9_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-4(9)[1]"
-                          }
-                        ],
-                        "prose": "the functions intended for organizational use;"
-                      },
-                      {
-                        "id": "sa-4.9_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(9)[2]"
-                          }
-                        ],
-                        "prose": "the ports intended for organizational use;"
-                      },
-                      {
-                        "id": "sa-4.9_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(9)[3]"
-                          }
-                        ],
-                        "prose": "the protocols intended for organizational use; and"
-                      },
-                      {
-                        "id": "sa-4.9_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-4(9)[4]"
-                          }
-                        ],
-                        "prose": "the services intended for organizational use."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\ninformation system design documentation\\n\\ninformation system documentation including functions, ports, protocols, and\n                     services intended for organizational use\\n\\nacquisition contracts for information systems or services\\n\\nacquisition documentation\\n\\nsolicitation documentation\\n\\nservice-level agreements\\n\\norganizational security requirements, descriptions, and criteria for developers\n                     of information systems, system components, and information system services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\nsystem/network administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                     system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-4.10",
-                "class": "SP800-53-enhancement",
-                "title": "Use of Approved PIV Products",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-4(10)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-04.10"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-4.10_smt",
-                    "name": "statement",
-                    "prose": "The organization employs only information technology products on the FIPS\n                  201-approved products list for Personal Identity Verification (PIV) capability\n                  implemented within organizational information systems."
-                  },
-                  {
-                    "id": "sa-4.10_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#ia-2",
-                        "rel": "related",
-                        "text": "IA-2"
-                      },
-                      {
-                        "href": "#ia-8",
-                        "rel": "related",
-                        "text": "IA-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-4.10_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs only information technology products on the\n                  FIPS 201-approved products list for Personal Identity Verification (PIV)\n                  capability implemented within organizational information systems. "
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing the integration of information security requirements,\n                     descriptions, and criteria into the acquisition process\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nservice-level agreements\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                     security requirements\\n\\norganizational personnel with responsibility for ensuring only FIPS\n                     201-approved products are implemented\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for selecting and employing FIPS 201-approved\n                     products"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-5",
-            "class": "SP800-53",
-            "title": "Information System Documentation",
-            "parameters": [
-              {
-                "id": "sa-5_prm_1",
-                "label": "organization-defined actions"
-              },
-              {
-                "id": "sa-5_prm_2",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Obtains administrator documentation for the information system, system component,\n                  or information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Secure configuration, installation, and operation of the system, component, or\n                     service;"
-                      },
-                      {
-                        "id": "sa-5_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Effective use and maintenance of security functions/mechanisms; and"
-                      },
-                      {
-                        "id": "sa-5_smt.a.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "Known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Obtains user documentation for the information system, system component, or\n                  information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "User-accessible security functions/mechanisms and how to effectively use those\n                     security functions/mechanisms;"
-                      },
-                      {
-                        "id": "sa-5_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner; and"
-                      },
-                      {
-                        "id": "sa-5_smt.b.3",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "3."
-                          }
-                        ],
-                        "prose": "User responsibilities in maintaining the security of the system, component, or\n                     service;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Documents attempts to obtain information system, system component, or information\n                  system service documentation when such documentation is either unavailable or\n                  nonexistent and takes {{ sa-5_prm_1 }} in response;"
-                  },
-                  {
-                    "id": "sa-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects documentation as required, in accordance with the risk management\n                  strategy; and"
-                  },
-                  {
-                    "id": "sa-5_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Distributes documentation to {{ sa-5_prm_2 }}."
-                  }
-                ]
-              },
-              {
-                "id": "sa-5_gdn",
-                "name": "guidance",
-                "prose": "This control helps organizational personnel understand the implementation and\n               operation of security controls associated with information systems, system\n               components, and information system services. Organizations consider establishing\n               specific measures to determine the quality/completeness of the content provided. The\n               inability to obtain needed documentation may occur, for example, due to the age of\n               the information system/component or lack of support from developers and contractors.\n               In those situations, organizations may need to recreate selected documentation if\n               such documentation is essential to the effective implementation or operation of\n               security controls. The level of protection provided for selected information system,\n               component, or service documentation is commensurate with the security category or\n               classification of the system. For example, documentation associated with a key DoD\n               weapons system or command and control system would typically require a higher level\n               of protection than a routine administrative system. Documentation that addresses\n               information system vulnerabilities may also require an increased level of protection.\n               Secure operation of the information system, includes, for example, initially starting\n               the system and resuming secure system operation after any lapse in system\n               operation.",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#pl-2",
-                    "rel": "related",
-                    "text": "PL-2"
-                  },
-                  {
-                    "href": "#pl-4",
-                    "rel": "related",
-                    "text": "PL-4"
-                  },
-                  {
-                    "href": "#ps-2",
-                    "rel": "related",
-                    "text": "PS-2"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  }
-                ]
-              },
-              {
-                "id": "sa-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(a)"
-                      }
-                    ],
-                    "prose": "obtains administrator documentation for the information system, system component,\n                  or information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "secure configuration of the system, system component, or service;"
-                          },
-                          {
-                            "id": "sa-5.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "secure installation of the system, system component, or service;"
-                          },
-                          {
-                            "id": "sa-5.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "secure operation of the system, system component, or service;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "effective use of the security features/mechanisms;"
-                          },
-                          {
-                            "id": "sa-5.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "effective maintenance of the security features/mechanisms;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.a.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(a)(3)"
-                          }
-                        ],
-                        "prose": "known vulnerabilities regarding configuration and use of administrative (i.e.,\n                     privileged) functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(b)"
-                      }
-                    ],
-                    "prose": "obtains user documentation for the information system, system component, or\n                  information system service that describes:",
-                    "parts": [
-                      {
-                        "id": "sa-5.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-5.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "user-accessible security functions/mechanisms;"
-                          },
-                          {
-                            "id": "sa-5.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-5(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "how to effectively use those functions/mechanisms;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-5.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(2)"
-                          }
-                        ],
-                        "prose": "methods for user interaction, which enables individuals to use the system,\n                     component, or service in a more secure manner;"
-                      },
-                      {
-                        "id": "sa-5.b.3_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-5(b)(3)"
-                          }
-                        ],
-                        "prose": "user responsibilities in maintaining the security of the system, component, or\n                     service;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[1]"
-                          }
-                        ],
-                        "prose": "defines actions to be taken after documented attempts to obtain information\n                     system, system component, or information system service documentation when such\n                     documentation is either unavailable or nonexistent;"
-                      },
-                      {
-                        "id": "sa-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[2]"
-                          }
-                        ],
-                        "prose": "documents attempts to obtain information system, system component, or\n                     information system service documentation when such documentation is either\n                     unavailable or nonexistent;"
-                      },
-                      {
-                        "id": "sa-5.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(c)[3]"
-                          }
-                        ],
-                        "prose": "takes organization-defined actions in response;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-5(d)"
-                      }
-                    ],
-                    "prose": "protects documentation as required, in accordance with the risk management\n                  strategy;"
-                  },
-                  {
-                    "id": "sa-5.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-5(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-5.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom documentation is to be distributed; and"
-                      },
-                      {
-                        "id": "sa-5.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-5(e)[2]"
-                          }
-                        ],
-                        "prose": "distributes documentation to organization-defined personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing information system documentation\\n\\ninformation system documentation including administrator and user guides\\n\\nrecords documenting attempts to obtain unavailable or nonexistent information\n                  system documentation\\n\\nlist of actions to be taken in response to documented attempts to obtain\n                  information system, system component, or information system service\n                  documentation\\n\\nrisk management strategy documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\nsystem administrators\\n\\norganizational personnel operating, using, and/or maintaining the information\n                  system\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for obtaining, protecting, and distributing information\n                  system administrator and user documentation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-8",
-            "class": "SP800-53",
-            "title": "Security Engineering Principles",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#21b1ed35-56d2-40a8-bdfe-b461fffe322f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-27"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-8_smt",
-                "name": "statement",
-                "prose": "The organization applies information system security engineering principles in the\n               specification, design, development, implementation, and modification of the\n               information system."
-              },
-              {
-                "id": "sa-8_gdn",
-                "name": "guidance",
-                "prose": "Organizations apply security engineering principles primarily to new development\n               information systems or systems undergoing major upgrades. For legacy systems,\n               organizations apply security engineering principles to system upgrades and\n               modifications to the extent feasible, given the current state of hardware, software,\n               and firmware within those systems. Security engineering principles include, for\n               example: (i) developing layered protections; (ii) establishing sound security policy,\n               architecture, and controls as the foundation for design; (iii) incorporating security\n               requirements into the system development life cycle; (iv) delineating physical and\n               logical security boundaries; (v) ensuring that system developers are trained on how\n               to build secure software; (vi) tailoring security controls to meet organizational and\n               operational needs; (vii) performing threat modeling to identify use cases, threat\n               agents, attack vectors, and attack patterns as well as compensating controls and\n               design patterns needed to mitigate risk; and (viii) reducing risk to acceptable\n               levels, thus enabling informed risk management decisions.",
-                "links": [
-                  {
-                    "href": "#pm-7",
-                    "rel": "related",
-                    "text": "PM-7"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-17",
-                    "rel": "related",
-                    "text": "SA-17"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "sa-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization applies information system security engineering\n               principles in: ",
-                "parts": [
-                  {
-                    "id": "sa-8_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-8[1]"
-                      }
-                    ],
-                    "prose": "the specification of the information system;"
-                  },
-                  {
-                    "id": "sa-8_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-8[2]"
-                      }
-                    ],
-                    "prose": "the design of the information system;"
-                  },
-                  {
-                    "id": "sa-8_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-8[3]"
-                      }
-                    ],
-                    "prose": "the development of the information system;"
-                  },
-                  {
-                    "id": "sa-8_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-8[4]"
-                      }
-                    ],
-                    "prose": "the implementation of the information system; and"
-                  },
-                  {
-                    "id": "sa-8_obj.5",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-8[5]"
-                      }
-                    ],
-                    "prose": "the modification of the information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing security engineering principles used in the specification,\n                  design, development, implementation, and modification of the information\n                  system\\n\\ninformation system design documentation\\n\\ninformation security requirements and specifications for the information\n                  system\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with acquisition/contracting responsibilities\\n\\norganizational personnel with responsibility for determining information system\n                  security requirements\\n\\norganizational personnel with information system specification, design,\n                  development, implementation, and modification responsibilities\\n\\ninformation system developers\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for applying security engineering principles in\n                  information system specification, design, development, implementation, and\n                  modification\\n\\nautomated mechanisms supporting the application of security engineering principles\n                  in information system specification, design, development, implementation, and\n                  modification"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-9",
-            "class": "SP800-53",
-            "title": "External Information System Services",
-            "parameters": [
-              {
-                "id": "sa-9_prm_1",
-                "label": "organization-defined security controls",
-                "constraints": [
-                  {
-                    "detail": "FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_prm_2",
-                "label": "organization-defined processes, methods, and techniques",
-                "constraints": [
-                  {
-                    "detail": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-9"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-09"
-              }
-            ],
-            "links": [
-              {
-                "href": "#0c775bc3-bfc3-42c7-a382-88949f503171",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-35"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-9_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sa-9_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Requires that providers of external information system services comply with\n                  organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive\n                  Orders, directives, policies, regulations, standards, and guidance;"
-                  },
-                  {
-                    "id": "sa-9_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Defines and documents government oversight and user roles and responsibilities\n                  with regard to external information system services; and"
-                  },
-                  {
-                    "id": "sa-9_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Employs {{ sa-9_prm_2 }} to monitor security control compliance by\n                  external service providers on an ongoing basis."
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_gdn",
-                "name": "guidance",
-                "prose": "External information system services are services that are implemented outside of the\n               authorization boundaries of organizational information systems. This includes\n               services that are used by, but not a part of, organizational information systems.\n               FISMA and OMB policy require that organizations using external service providers that\n               are processing, storing, or transmitting federal information or operating information\n               systems on behalf of the federal government ensure that such providers meet the same\n               security requirements that federal agencies are required to meet. Organizations\n               establish relationships with external service providers in a variety of ways\n               including, for example, through joint ventures, business partnerships, contracts,\n               interagency agreements, lines of business arrangements, licensing agreements, and\n               supply chain exchanges. The responsibility for managing risks from the use of\n               external information system services remains with authorizing officials. For services\n               external to organizations, a chain of trust requires that organizations establish and\n               retain a level of confidence that each participating provider in the potentially\n               complex consumer-provider relationship provides adequate protection for the services\n               rendered. The extent and nature of this chain of trust varies based on the\n               relationships between organizations and the external providers. Organizations\n               document the basis for trust relationships so the relationships can be monitored over\n               time. External information system services documentation includes government, service\n               providers, end user security roles and responsibilities, and service-level\n               agreements. Service-level agreements define expectations of performance for security\n               controls, describe measurable outcomes, and identify remedies and response\n               requirements for identified instances of noncompliance.",
-                "links": [
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#ir-7",
-                    "rel": "related",
-                    "text": "IR-7"
-                  },
-                  {
-                    "href": "#ps-7",
-                    "rel": "related",
-                    "text": "PS-7"
-                  }
-                ]
-              },
-              {
-                "id": "sa-9_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-9.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[1]"
-                          }
-                        ],
-                        "prose": "defines security controls to be employed by providers of external information\n                     system services;"
-                      },
-                      {
-                        "id": "sa-9.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[2]"
-                          }
-                        ],
-                        "prose": "requires that providers of external information system services comply with\n                     organizational information security requirements;"
-                      },
-                      {
-                        "id": "sa-9.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(a)[3]"
-                          }
-                        ],
-                        "prose": "requires that providers of external information system services employ\n                     organization-defined security controls in accordance with applicable federal\n                     laws, Executive Orders, directives, policies, regulations, standards, and\n                     guidance;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(b)[1]"
-                          }
-                        ],
-                        "prose": "defines and documents government oversight with regard to external information\n                     system services;"
-                      },
-                      {
-                        "id": "sa-9.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(b)[2]"
-                          }
-                        ],
-                        "prose": "defines and documents user roles and responsibilities with regard to external\n                     information system services;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-9(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-9.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(c)[1]"
-                          }
-                        ],
-                        "prose": "defines processes, methods, and techniques to be employed to monitor security\n                     control compliance by external service providers; and"
-                      },
-                      {
-                        "id": "sa-9.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(c)[2]"
-                          }
-                        ],
-                        "prose": "employs organization-defined processes, methods, and techniques to monitor\n                     security control compliance by external service providers on an ongoing\n                     basis."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nprocedures addressing methods and techniques for monitoring security control\n                  compliance by external service providers of information system services\\n\\nacquisition contracts, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                  provider services\\n\\nsecurity control assessment evidence from external providers of information system\n                  services\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring security control compliance by external\n                  service providers on an ongoing basis\\n\\nautomated mechanisms for monitoring security control compliance by external\n                  service providers on an ongoing basis"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-9.1",
-                "class": "SP800-53-enhancement",
-                "title": "Risk Assessments / Organizational Approvals",
-                "parameters": [
-                  {
-                    "id": "sa-9.1_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-9(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-09.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-9.1_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.1_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Conducts an organizational assessment of risk prior to the acquisition or\n                     outsourcing of dedicated information security services; and"
-                      },
-                      {
-                        "id": "sa-9.1_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Ensures that the acquisition or outsourcing of dedicated information security\n                     services is approved by {{ sa-9.1_prm_1 }}."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.1_gdn",
-                    "name": "guidance",
-                    "prose": "Dedicated information security services include, for example, incident monitoring,\n                  analysis and response, operation of information security-related devices such as\n                  firewalls, or key management services.",
-                    "links": [
-                      {
-                        "href": "#ca-6",
-                        "rel": "related",
-                        "text": "CA-6"
-                      },
-                      {
-                        "href": "#ra-3",
-                        "rel": "related",
-                        "text": "RA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.1.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(1)(a)"
-                          }
-                        ],
-                        "prose": "conducts an organizational assessment of risk prior to the acquisition or\n                     outsourcing of dedicated information security services;",
-                        "links": [
-                          {
-                            "href": "#sa-9.1_smt.a",
-                            "rel": "corresp",
-                            "text": "SA-9(1)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sa-9.1.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-9(1)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sa-9.1.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-9(1)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles designated to approve the acquisition or\n                        outsourcing of dedicated information security services; and"
-                          },
-                          {
-                            "id": "sa-9.1.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SA-9(1)(b)[2]"
-                              }
-                            ],
-                            "prose": "ensures that the acquisition or outsourcing of dedicated information\n                        security services is approved by organization-defined personnel or\n                        roles."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#sa-9.1_smt.b",
-                            "rel": "corresp",
-                            "text": "SA-9(1)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition documentation\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nrisk assessment reports\\n\\napproval records for acquisition or outsourcing of dedicated information\n                     security services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information system security responsibilities\\n\\nexternal providers of information system services\\n\\norganizational personnel with information security responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for conducting a risk assessment prior to acquiring or\n                     outsourcing dedicated information security services\\n\\norganizational processes for approving the outsourcing of dedicated information\n                     security services\\n\\nautomated mechanisms supporting and/or implementing risk assessment\\n\\nautomated mechanisms supporting and/or implementing approval processes"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-9.2",
-                "class": "SP800-53-enhancement",
-                "title": "Identification of Functions / Ports / Protocols / Services",
-                "parameters": [
-                  {
-                    "id": "sa-9.2_prm_1",
-                    "label": "organization-defined external information system services",
-                    "constraints": [
-                      {
-                        "detail": "all external systems where Federal information is processed or stored"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-9(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-09.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-9.2_smt",
-                    "name": "statement",
-                    "prose": "The organization requires providers of {{ sa-9.2_prm_1 }} to\n                  identify the functions, ports, protocols, and other services required for the use\n                  of such services."
-                  },
-                  {
-                    "id": "sa-9.2_gdn",
-                    "name": "guidance",
-                    "prose": "Information from external service providers regarding the specific functions,\n                  ports, protocols, and services used in the provision of such services can be\n                  particularly useful when the need arises to understand the trade-offs involved in\n                  restricting certain functions/services or blocking certain ports/protocols.",
-                    "links": [
-                      {
-                        "href": "#cm-7",
-                        "rel": "related",
-                        "text": "CM-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(2)[1]"
-                          }
-                        ],
-                        "prose": "defines external information system services for which providers of such\n                     services are to identify the functions, ports, protocols, and other services\n                     required for the use of such services;"
-                      },
-                      {
-                        "id": "sa-9.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(2)[2]"
-                          }
-                        ],
-                        "prose": "requires providers of organization-defined external information system services\n                     to identify:",
-                        "parts": [
-                          {
-                            "id": "sa-9.2_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(2)[2][a]"
-                              }
-                            ],
-                            "prose": "the functions required for the use of such services;"
-                          },
-                          {
-                            "id": "sa-9.2_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(2)[2][b]"
-                              }
-                            ],
-                            "prose": "the ports required for the use of such services;"
-                          },
-                          {
-                            "id": "sa-9.2_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(2)[2][c]"
-                              }
-                            ],
-                            "prose": "the protocols required for the use of such services; and"
-                          },
-                          {
-                            "id": "sa-9.2_obj.2.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(2)[2][d]"
-                              }
-                            ],
-                            "prose": "the other services required for the use of such services."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nacquisition documentation\\n\\nsolicitation documentation, service-level agreements\\n\\norganizational security requirements and security specifications for external\n                     service providers\\n\\nlist of required functions, ports, protocols, and other services\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nexternal providers of information system services"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-9.4",
-                "class": "SP800-53-enhancement",
-                "title": "Consistent Interests of Consumers and Providers",
-                "parameters": [
-                  {
-                    "id": "sa-9.4_prm_1",
-                    "label": "organization-defined security safeguards"
-                  },
-                  {
-                    "id": "sa-9.4_prm_2",
-                    "label": "organization-defined external service providers",
-                    "constraints": [
-                      {
-                        "detail": "all external systems where Federal information is processed or stored"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-9(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-09.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-9.4_smt",
-                    "name": "statement",
-                    "prose": "The organization employs {{ sa-9.4_prm_1 }} to ensure that the\n                  interests of {{ sa-9.4_prm_2 }} are consistent with and reflect\n                  organizational interests."
-                  },
-                  {
-                    "id": "sa-9.4_gdn",
-                    "name": "guidance",
-                    "prose": "As organizations increasingly use external service providers, the possibility\n                  exists that the interests of the service providers may diverge from organizational\n                  interests. In such situations, simply having the correct technical, procedural, or\n                  operational safeguards in place may not be sufficient if the service providers\n                  that implement and control those safeguards are not operating in a manner\n                  consistent with the interests of the consuming organizations. Possible actions\n                  that organizations might take to address such concerns include, for example,\n                  requiring background checks for selected service provider personnel, examining\n                  ownership records, employing only trustworthy service providers (i.e., providers\n                  with which organizations have had positive experiences), and conducting\n                  periodic/unscheduled visits to service provider facilities."
-                  },
-                  {
-                    "id": "sa-9.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(4)[1]"
-                          }
-                        ],
-                        "prose": "defines external service providers whose interests are to be consistent with\n                     and reflect organizational interests;"
-                      },
-                      {
-                        "id": "sa-9.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(4)[2]"
-                          }
-                        ],
-                        "prose": "defines security safeguards to be employed to ensure that the interests of\n                     organization-defined external service providers are consistent with and reflect\n                     organizational interests; and"
-                      },
-                      {
-                        "id": "sa-9.4_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(4)[3]"
-                          }
-                        ],
-                        "prose": "employs organization-defined security safeguards to ensure that the interests\n                     of organization-defined external service providers are consistent with and\n                     reflect organizational interests."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\norganizational security requirements/safeguards for external service\n                     providers\\n\\npersonnel security policies for external service providers\\n\\nassessments performed on external service providers\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nexternal providers of information system services"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for defining and employing safeguards to ensure\n                     consistent interests with external service providers\\n\\nautomated mechanisms supporting and/or implementing safeguards to ensure\n                     consistent interests with external service providers"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-9.5",
-                "class": "SP800-53-enhancement",
-                "title": "Processing, Storage, and Service Location",
-                "parameters": [
-                  {
-                    "id": "sa-9.5_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "information processing, information data, AND information services"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-9.5_prm_2",
-                    "label": "organization-defined locations"
-                  },
-                  {
-                    "id": "sa-9.5_prm_3",
-                    "label": "organization-defined requirements or conditions"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-9(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-09.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-9.5_smt",
-                    "name": "statement",
-                    "prose": "The organization restricts the location of {{ sa-9.5_prm_1 }} to\n                     {{ sa-9.5_prm_2 }} based on {{ sa-9.5_prm_3 }}."
-                  },
-                  {
-                    "id": "sa-9.5_gdn",
-                    "name": "guidance",
-                    "prose": "The location of information processing, information/data storage, or information\n                  system services that are critical to organizations can have a direct impact on the\n                  ability of those organizations to successfully execute their missions/business\n                  functions. This situation exists when external providers control the location of\n                  processing, storage or services. The criteria external providers use for the\n                  selection of processing, storage, or service locations may be different from\n                  organizational criteria. For example, organizations may want to ensure that\n                  data/information storage locations are restricted to certain locations to\n                  facilitate incident response activities (e.g., forensic analyses, after-the-fact\n                  investigations) in case of information security breaches/compromises. Such\n                  incident response activities may be adversely affected by the governing laws or\n                  protocols in the locations where processing and storage occur and/or the locations\n                  from which information system services emanate."
-                  },
-                  {
-                    "id": "sa-9.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sa-9.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(5)[1]"
-                          }
-                        ],
-                        "prose": "defines locations where organization-defined information processing,\n                     information/data, and/or information system services are to be restricted;"
-                      },
-                      {
-                        "id": "sa-9.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(5)[2]"
-                          }
-                        ],
-                        "prose": "defines requirements or conditions to restrict the location of information\n                     processing, information/data, and/or information system services;"
-                      },
-                      {
-                        "id": "sa-9.5_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-9(5)[3]"
-                          }
-                        ],
-                        "prose": "restricts the location of one or more of the following to organization-defined\n                     locations based on organization-defined requirements or conditions:",
-                        "parts": [
-                          {
-                            "id": "sa-9.5_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(5)[3][a]"
-                              }
-                            ],
-                            "prose": "information processing;"
-                          },
-                          {
-                            "id": "sa-9.5_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(5)[3][b]"
-                              }
-                            ],
-                            "prose": "information/data; and/or"
-                          },
-                          {
-                            "id": "sa-9.5_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-9(5)[3][c]"
-                              }
-                            ],
-                            "prose": "information services."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing external information system services\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nrestricted locations for information processing\\n\\ninformation/data and/or information system services\\n\\ninformation processing, information/data, and/or information system services to\n                     be maintained in restricted locations\\n\\norganizational security requirements or conditions for external providers\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\nexternal providers of information system services"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for defining requirements to restrict locations of\n                     information processing, information/data, or information services\\n\\norganizational processes for ensuring the location is restricted in accordance\n                     with requirements or conditions"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-10",
-            "class": "SP800-53",
-            "title": "Developer Configuration Management",
-            "parameters": [
-              {
-                "id": "sa-10_prm_1",
-                "constraints": [
-                  {
-                    "detail": "development, implementation, AND operation"
-                  }
-                ]
-              },
-              {
-                "id": "sa-10_prm_2",
-                "label": "organization-defined configuration items under configuration management"
-              },
-              {
-                "id": "sa-10_prm_3",
-                "label": "organization-defined personnel"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-10"
-              }
-            ],
-            "links": [
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-10_smt",
-                "name": "statement",
-                "prose": "The organization requires the developer of the information system, system component,\n               or information system service to:",
-                "parts": [
-                  {
-                    "id": "sa-10_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Perform configuration management during system, component, or service {{ sa-10_prm_1 }};"
-                  },
-                  {
-                    "id": "sa-10_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};"
-                  },
-                  {
-                    "id": "sa-10_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Implement only organization-approved changes to the system, component, or\n                  service;"
-                  },
-                  {
-                    "id": "sa-10_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Document approved changes to the system, component, or service and the potential\n                  security impacts of such changes; and"
-                  },
-                  {
-                    "id": "sa-10_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Track security flaws and flaw resolution within the system, component, or service\n                  and report findings to {{ sa-10_prm_3 }}."
-                  },
-                  {
-                    "id": "sa-10_fr",
-                    "name": "item",
-                    "title": "SA-10 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sa-10_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)  Requirement:"
-                          }
-                        ],
-                        "prose": "For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-10_gdn",
-                "name": "guidance",
-                "prose": "This control also applies to organizations conducting internal information systems\n               development and integration. Organizations consider the quality and completeness of\n               the configuration management activities conducted by developers as evidence of\n               applying effective security safeguards. Safeguards include, for example, protecting\n               from unauthorized modification or destruction, the master copies of all material used\n               to generate security-relevant portions of the system hardware, software, and\n               firmware. Maintaining the integrity of changes to the information system, information\n               system component, or information system service requires configuration control\n               throughout the system development life cycle to track authorized changes and prevent\n               unauthorized changes. Configuration items that are placed under configuration\n               management (if existence/use is required by other security controls) include: the\n               formal model; the functional, high-level, and low-level design specifications; other\n               design data; implementation documentation; source code and hardware schematics; the\n               running version of the object code; tools for comparing new versions of\n               security-relevant hardware descriptions and software/firmware source code with\n               previous versions; and test fixtures and documentation. Depending on the\n               mission/business needs of organizations and the nature of the contractual\n               relationships in place, developers may provide configuration management support\n               during the operations and maintenance phases of the life cycle.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#cm-9",
-                    "rel": "related",
-                    "text": "CM-9"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "sa-10_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-10.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-10(a)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to perform configuration management during one or more of the\n                  following:",
-                    "parts": [
-                      {
-                        "id": "sa-10.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(a)[1]"
-                          }
-                        ],
-                        "prose": "system, component, or service design;"
-                      },
-                      {
-                        "id": "sa-10.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(a)[2]"
-                          }
-                        ],
-                        "prose": "system, component, or service development;"
-                      },
-                      {
-                        "id": "sa-10.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(a)[3]"
-                          }
-                        ],
-                        "prose": "system, component, or service implementation; and/or"
-                      },
-                      {
-                        "id": "sa-10.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(a)[4]"
-                          }
-                        ],
-                        "prose": "system, component, or service operation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-10.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-10(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-10.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-10(b)[1]"
-                          }
-                        ],
-                        "prose": "defines configuration items to be placed under configuration management;"
-                      },
-                      {
-                        "id": "sa-10.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-10(b)[2]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to:",
-                        "parts": [
-                          {
-                            "id": "sa-10.b_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(b)[2][a]"
-                              }
-                            ],
-                            "prose": "document the integrity of changes to organization-defined items under\n                        configuration management;"
-                          },
-                          {
-                            "id": "sa-10.b_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(b)[2][b]"
-                              }
-                            ],
-                            "prose": "manage the integrity of changes to organization-defined items under\n                        configuration management;"
-                          },
-                          {
-                            "id": "sa-10.b_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(b)[2][c]"
-                              }
-                            ],
-                            "prose": "control the integrity of changes to organization-defined items under\n                        configuration management;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-10.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-10(c)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to implement only organization-approved changes to the system,\n                  component, or service;"
-                  },
-                  {
-                    "id": "sa-10.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-10(d)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to document:",
-                    "parts": [
-                      {
-                        "id": "sa-10.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(d)[1]"
-                          }
-                        ],
-                        "prose": "approved changes to the system, component, or service;"
-                      },
-                      {
-                        "id": "sa-10.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-10(d)[2]"
-                          }
-                        ],
-                        "prose": "the potential security impacts of such changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-10.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-10(e)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-10.e_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-10(e)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel to whom findings, resulting from security flaws and flaw\n                     resolution tracked within the system, component, or service, are to be\n                     reported;"
-                      },
-                      {
-                        "id": "sa-10.e_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-10(e)[2]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to:",
-                        "parts": [
-                          {
-                            "id": "sa-10.e_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(e)[2][a]"
-                              }
-                            ],
-                            "prose": "track security flaws within the system, component, or service;"
-                          },
-                          {
-                            "id": "sa-10.e_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(e)[2][b]"
-                              }
-                            ],
-                            "prose": "track security flaw resolution within the system, component, or service;\n                        and"
-                          },
-                          {
-                            "id": "sa-10.e_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-10(e)[2][c]"
-                              }
-                            ],
-                            "prose": "report findings to organization-defined personnel."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer configuration management\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer configuration management plan\\n\\nsecurity flaw and flaw resolution tracking records\\n\\nsystem change authorization records\\n\\nchange control records\\n\\nconfiguration management records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring developer configuration management\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                  configuration management"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-10.1",
-                "class": "SP800-53-enhancement",
-                "title": "Software / Firmware Integrity Verification",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-10(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-10.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-10.1_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to enable integrity verification of\n                  software and firmware components."
-                  },
-                  {
-                    "id": "sa-10.1_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement allows organizations to detect unauthorized changes to\n                  software and firmware components through the use of tools, techniques, and/or\n                  mechanisms provided by developers. Integrity checking mechanisms can also address\n                  counterfeiting of software and firmware components. Organizations verify the\n                  integrity of software and firmware components, for example, through secure one-way\n                  hashes provided by developers. Delivered software and firmware components also\n                  include any updates to such components.",
-                    "links": [
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-10.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to enable integrity verification\n                  of software and firmware components."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer configuration management\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system\\n\\nsystem component, or information system service\\n\\nsystem developer configuration management plan\\n\\nsoftware and firmware integrity verification records\\n\\nsystem change authorization records\\n\\nchange control records\\n\\nconfiguration management records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring developer configuration management\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     configuration management"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sa-11",
-            "class": "SP800-53",
-            "title": "Developer Security Testing and Evaluation",
-            "parameters": [
-              {
-                "id": "sa-11_prm_1"
-              },
-              {
-                "id": "sa-11_prm_2",
-                "label": "organization-defined depth and coverage"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SA-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "sa-11"
-              }
-            ],
-            "links": [
-              {
-                "href": "#1737a687-52fb-4008-b900-cbfa836f7b65",
-                "rel": "reference",
-                "text": "ISO/IEC 15408"
-              },
-              {
-                "href": "#cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-53A"
-              },
-              {
-                "href": "#275cc052-0f7f-423c-bdb6-ed503dc36228",
-                "rel": "reference",
-                "text": "http://nvd.nist.gov"
-              },
-              {
-                "href": "#15522e92-9192-463d-9646-6a01982db8ca",
-                "rel": "reference",
-                "text": "http://cwe.mitre.org"
-              },
-              {
-                "href": "#0931209f-00ae-4132-b92c-bc645847e8f9",
-                "rel": "reference",
-                "text": "http://cve.mitre.org"
-              },
-              {
-                "href": "#4ef539ba-b767-4666-b0d3-168c53005fa3",
-                "rel": "reference",
-                "text": "http://capec.mitre.org"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sa-11_smt",
-                "name": "statement",
-                "prose": "The organization requires the developer of the information system, system component,\n               or information system service to:",
-                "parts": [
-                  {
-                    "id": "sa-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Create and implement a security assessment plan;"
-                  },
-                  {
-                    "id": "sa-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Perform {{ sa-11_prm_1 }} testing/evaluation at {{ sa-11_prm_2 }};"
-                  },
-                  {
-                    "id": "sa-11_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Produce evidence of the execution of the security assessment plan and the results\n                  of the security testing/evaluation;"
-                  },
-                  {
-                    "id": "sa-11_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Implement a verifiable flaw remediation process; and"
-                  },
-                  {
-                    "id": "sa-11_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Correct flaws identified during security testing/evaluation."
-                  }
-                ]
-              },
-              {
-                "id": "sa-11_gdn",
-                "name": "guidance",
-                "prose": "Developmental security testing/evaluation occurs at all post-design phases of the\n               system development life cycle. Such testing/evaluation confirms that the required\n               security controls are implemented correctly, operating as intended, enforcing the\n               desired security policy, and meeting established security requirements. Security\n               properties of information systems may be affected by the interconnection of system\n               components or changes to those components. These interconnections or changes (e.g.,\n               upgrading or replacing applications and operating systems) may adversely affect\n               previously implemented security controls. This control provides additional types of\n               security testing/evaluation that developers can conduct to reduce or eliminate\n               potential flaws. Testing custom software applications may require approaches such as\n               static analysis, dynamic analysis, binary analysis, or a hybrid of the three\n               approaches. Developers can employ these analysis approaches in a variety of tools\n               (e.g., web-based application scanners, static analysis tools, binary analyzers) and\n               in source code reviews. Security assessment plans provide the specific activities\n               that developers plan to carry out including the types of analyses, testing,\n               evaluation, and reviews of software and firmware components, the degree of rigor to\n               be applied, and the types of artifacts produced during those processes. The depth of\n               security testing/evaluation refers to the rigor and level of detail associated with\n               the assessment process (e.g., black box, gray box, or white box testing). The\n               coverage of security testing/evaluation refers to the scope (i.e., number and type)\n               of the artifacts included in the assessment process. Contracts specify the acceptance\n               criteria for security assessment plans, flaw remediation processes, and the evidence\n               that the plans/processes have been diligently applied. Methods for reviewing and\n               protecting assessment plans, evidence, and documentation are commensurate with the\n               security category or classification level of the information system. Contracts may\n               specify documentation protection requirements.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#cm-4",
-                    "rel": "related",
-                    "text": "CM-4"
-                  },
-                  {
-                    "href": "#sa-3",
-                    "rel": "related",
-                    "text": "SA-3"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "sa-11_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sa-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-11(a)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to create and implement a security plan;"
-                  },
-                  {
-                    "id": "sa-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SA-11(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sa-11.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-11(b)[1]"
-                          }
-                        ],
-                        "prose": "defines the depth of testing/evaluation to be performed by the developer of the\n                     information system, system component, or information system service;"
-                      },
-                      {
-                        "id": "sa-11.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-11(b)[2]"
-                          }
-                        ],
-                        "prose": "defines the coverage of testing/evaluation to be performed by the developer of\n                     the information system, system component, or information system service;"
-                      },
-                      {
-                        "id": "sa-11.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-11(b)[3]"
-                          }
-                        ],
-                        "prose": "requires the developer of the information system, system component, or\n                     information system service to perform one or more of the following\n                     testing/evaluation at the organization-defined depth and coverage:",
-                        "parts": [
-                          {
-                            "id": "sa-11.b_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-11(b)[3][a]"
-                              }
-                            ],
-                            "prose": "unit testing/evaluation;"
-                          },
-                          {
-                            "id": "sa-11.b_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-11(b)[3][b]"
-                              }
-                            ],
-                            "prose": "integration testing/evaluation;"
-                          },
-                          {
-                            "id": "sa-11.b_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-11(b)[3][c]"
-                              }
-                            ],
-                            "prose": "system testing/evaluation; and/or"
-                          },
-                          {
-                            "id": "sa-11.b_obj.3.d",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SA-11(b)[3][d]"
-                              }
-                            ],
-                            "prose": "regression testing/evaluation;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-11(c)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to produce evidence of:",
-                    "parts": [
-                      {
-                        "id": "sa-11.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-11(c)[1]"
-                          }
-                        ],
-                        "prose": "the execution of the security assessment plan;"
-                      },
-                      {
-                        "id": "sa-11.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-11(c)[2]"
-                          }
-                        ],
-                        "prose": "the results of the security testing/evaluation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-11(d)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to implement a verifiable flaw remediation process; and"
-                  },
-                  {
-                    "id": "sa-11.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SA-11(e)"
-                      }
-                    ],
-                    "prose": "requires the developer of the information system, system component, or information\n                  system service to correct flaws identified during security testing/evaluation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or information\n                  system service\\n\\nsystem developer security test plans\\n\\nrecords of developer security testing results for the information system, system\n                  component, or information system service\\n\\nsecurity flaw and remediation tracking records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and services acquisition responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\nsystem developers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for monitoring developer security testing and\n                  evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                  security testing and evaluation"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sa-11.1",
-                "class": "SP800-53-enhancement",
-                "title": "Static Code Analysis",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-11(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-11.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-11.1_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to employ static code analysis tools to\n                  identify common flaws and document the results of the analysis.",
-                    "parts": [
-                      {
-                        "id": "sa-11.1_fr",
-                        "name": "item",
-                        "title": "SA-11 (1) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "sa-11.1_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.1_gdn",
-                    "name": "guidance",
-                    "prose": "Static code analysis provides a technology and methodology for security reviews.\n                  Such analysis can be used to identify security vulnerabilities and enforce\n                  security coding practices. Static code analysis is most effective when used early\n                  in the development process, when each code change can be automatically scanned for\n                  potential weaknesses. Static analysis can provide clear remediation guidance along\n                  with defects to enable developers to fix such defects. Evidence of correct\n                  implementation of static analysis can include, for example, aggregate defect\n                  density for critical defect types, evidence that defects were inspected by\n                  developers or security professionals, and evidence that defects were fixed. An\n                  excessively high density of ignored findings (commonly referred to as ignored or\n                  false positives) indicates a potential problem with the analysis process or tool.\n                  In such cases, organizations weigh the validity of the evidence against evidence\n                  from other sources."
-                  },
-                  {
-                    "id": "sa-11.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to employ static code analysis\n                  tools to identify common flaws and document the results of the analysis."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test plans\\n\\nsystem developer security testing results\\n\\nsecurity flaw and remediation tracking records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation\\n\\nstatic code analysis tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-11.2",
-                "class": "SP800-53-enhancement",
-                "title": "Threat and Vulnerability Analyses",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-11(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-11.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-11.2_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to perform threat and vulnerability\n                  analyses and subsequent testing/evaluation of the as-built system, component, or\n                  service."
-                  },
-                  {
-                    "id": "sa-11.2_gdn",
-                    "name": "guidance",
-                    "prose": "Applications may deviate significantly from the functional and design\n                  specifications created during the requirements and design phases of the system\n                  development life cycle. Therefore, threat and vulnerability analyses of\n                  information systems, system components, and information system services prior to\n                  delivery are critical to the effective operation of those systems, components, and\n                  services. Threat and vulnerability analyses at this phase of the life cycle help\n                  to ensure that design or implementation changes have been accounted for, and that\n                  any new vulnerabilities created as a result of those changes have been reviewed\n                  and mitigated.",
-                    "links": [
-                      {
-                        "href": "#pm-15",
-                        "rel": "related",
-                        "text": "PM-15"
-                      },
-                      {
-                        "href": "#ra-5",
-                        "rel": "related",
-                        "text": "RA-5"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to perform:",
-                    "parts": [
-                      {
-                        "id": "sa-11.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SA-11(2)[1]"
-                          }
-                        ],
-                        "prose": "threat analyses of the as-built, system component, or service;"
-                      },
-                      {
-                        "id": "sa-11.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-11(2)[2]"
-                          }
-                        ],
-                        "prose": "vulnerability analyses of the as-built, system component, or service; and"
-                      },
-                      {
-                        "id": "sa-11.2_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SA-11(2)[3]"
-                          }
-                        ],
-                        "prose": "subsequent testing/evaluation of the as-built, system component, or\n                     service."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test plans\\n\\nrecords of developer security testing results for the information system,\n                     system component, or information system service\\n\\nvulnerability scanning results\\n\\ninformation system risk assessment reports\\n\\nthreat and vulnerability analysis reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sa-11.8",
-                "class": "SP800-53-enhancement",
-                "title": "Dynamic Code Analysis",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SA-11(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sa-11.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sa-11.8_smt",
-                    "name": "statement",
-                    "prose": "The organization requires the developer of the information system, system\n                  component, or information system service to employ dynamic code analysis tools to\n                  identify common flaws and document the results of the analysis.",
-                    "parts": [
-                      {
-                        "id": "sa-11.8_fr",
-                        "name": "item",
-                        "title": "SA-11 (8) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "sa-11.8_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sa-11.8_gdn",
-                    "name": "guidance",
-                    "prose": "Dynamic code analysis provides run-time verification of software programs, using\n                  tools capable of monitoring programs for memory corruption, user privilege issues,\n                  and other potential security problems. Dynamic code analysis employs run-time\n                  tools to help to ensure that security functionality performs in the manner in\n                  which it was designed. A specialized type of dynamic analysis, known as fuzz\n                  testing, induces program failures by deliberately introducing malformed or random\n                  data into software programs. Fuzz testing strategies derive from the intended use\n                  of applications and the functional and design specifications for the applications.\n                  To understand the scope of dynamic code analysis and hence the assurance provided,\n                  organizations may also consider conducting code coverage analysis (checking the\n                  degree to which the code has been tested using metrics such as percent of\n                  subroutines tested or percent of program statements called during execution of the\n                  test suite) and/or concordance analysis (checking for words that are out of place\n                  in software code such as non-English language words or derogatory terms)."
-                  },
-                  {
-                    "id": "sa-11.8_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization requires the developer of the information system,\n                  system component, or information system service to employ dynamic code analysis\n                  tools to identify common flaws and document the results of the analysis."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and services acquisition policy\\n\\nprocedures addressing system developer security testing\\n\\nprocedures addressing flaw remediation\\n\\nsolicitation documentation\\n\\nacquisition documentation\\n\\nservice-level agreements\\n\\nacquisition contracts for the information system, system component, or\n                     information system service\\n\\nsystem developer security test and evaluation plans\\n\\nsecurity test and evaluation results\\n\\nsecurity flaw and remediation tracking reports\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with system and services acquisition\n                     responsibilities\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with developer security testing responsibilities\\n\\norganizational personnel with configuration management responsibilities\\n\\nsystem developers"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for monitoring developer security testing and\n                     evaluation\\n\\nautomated mechanisms supporting and/or implementing the monitoring of developer\n                     security testing and evaluation"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "sc",
-        "class": "family",
-        "title": "System and Communications Protection",
-        "controls": [
-          {
-            "id": "sc-1",
-            "class": "SP800-53",
-            "title": "System and Communications Protection Policy and Procedures",
-            "parameters": [
-              {
-                "id": "sc-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "sc-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SC-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sc-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ sc-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "sc-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and communications protection policy that addresses purpose, scope,\n                     roles, responsibilities, management commitment, coordination among\n                     organizational entities, and compliance; and"
-                      },
-                      {
-                        "id": "sc-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and communications\n                     protection policy and associated system and communications protection controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "sc-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and communications protection policy {{ sc-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "sc-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and communications protection procedures {{ sc-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SC\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "sc-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and communications protection policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "sc-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "sc-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SC-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "sc-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and communications protection\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "sc-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and communications protection policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and communications protection policy and associated system and\n                        communications protection controls;"
-                          },
-                          {
-                            "id": "sc-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "sc-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        communications protection policy;"
-                          },
-                          {
-                            "id": "sc-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and communications protection policy\n                        with the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        communications protection procedures; and"
-                          },
-                          {
-                            "id": "sc-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and communications protection\n                        procedures with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and communications protection\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-2",
-            "class": "SP800-53",
-            "title": "Application Partitioning",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-02"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-2_smt",
-                "name": "statement",
-                "prose": "The information system separates user functionality (including user interface\n               services) from information system management functionality."
-              },
-              {
-                "id": "sc-2_gdn",
-                "name": "guidance",
-                "prose": "Information system management functionality includes, for example, functions\n               necessary to administer databases, network components, workstations, or servers, and\n               typically requires privileged user access. The separation of user functionality from\n               information system management functionality is either physical or logical.\n               Organizations implement separation of system management-related functionality from\n               user functionality by using different computers, different central processing units,\n               different instances of operating systems, different network addresses, virtualization\n               techniques, or combinations of these or other methods, as appropriate. This type of\n               separation includes, for example, web administrative interfaces that use separate\n               authentication methods for users of any other information system resources.\n               Separation of system and user functionality may include isolating administrative\n               interfaces on different domains and with additional access controls.",
-                "links": [
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "sc-2_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system separates user functionality (including user\n               interface services) from information system management functionality."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing application partitioning\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Separation of user functionality from information system management\n                  functionality"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-4",
-            "class": "SP800-53",
-            "title": "Information in Shared Resources",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-04"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-4_smt",
-                "name": "statement",
-                "prose": "The information system prevents unauthorized and unintended information transfer via\n               shared system resources."
-              },
-              {
-                "id": "sc-4_gdn",
-                "name": "guidance",
-                "prose": "This control prevents information, including encrypted representations of\n               information, produced by the actions of prior users/roles (or the actions of\n               processes acting on behalf of prior users/roles) from being available to any current\n               users/roles (or current processes) that obtain access to shared system resources\n               (e.g., registers, main memory, hard disks) after those resources have been released\n               back to information systems. The control of information in shared resources is also\n               commonly referred to as object reuse and residual information protection. This\n               control does not address: (i) information remanence which refers to residual\n               representation of data that has been nominally erased or removed; (ii) covert\n               channels (including storage and/or timing channels) where shared resources are\n               manipulated to violate information flow restrictions; or (iii) components within\n               information systems for which there are only single users/roles.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#mp-6",
-                    "rel": "related",
-                    "text": "MP-6"
-                  }
-                ]
-              },
-              {
-                "id": "sc-4_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system prevents unauthorized and unintended information\n               transfer via shared system resources."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing information protection in shared system resources\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms preventing unauthorized and unintended transfer of\n                  information via shared system resources"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-5",
-            "class": "SP800-53",
-            "title": "Denial of Service Protection",
-            "parameters": [
-              {
-                "id": "sc-5_prm_1",
-                "label": "organization-defined types of denial of service attacks or references to sources\n               for such information"
-              },
-              {
-                "id": "sc-5_prm_2",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-05"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-5_smt",
-                "name": "statement",
-                "prose": "The information system protects against or limits the effects of the following types\n               of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}."
-              },
-              {
-                "id": "sc-5_gdn",
-                "name": "guidance",
-                "prose": "A variety of technologies exist to limit, or in some cases, eliminate the effects of\n               denial of service attacks. For example, boundary protection devices can filter\n               certain types of packets to protect information system components on internal\n               organizational networks from being directly affected by denial of service attacks.\n               Employing increased capacity and bandwidth combined with service redundancy may also\n               reduce the susceptibility to denial of service attacks.",
-                "links": [
-                  {
-                    "href": "#sc-6",
-                    "rel": "related",
-                    "text": "SC-6"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-5_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-5_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[1]"
-                      }
-                    ],
-                    "prose": "the organization defines types of denial of service attacks or reference to source\n                  of such information for the information system to protect against or limit the\n                  effects;"
-                  },
-                  {
-                    "id": "sc-5_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[2]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be employed by the information\n                  system to protect against or limit the effects of organization-defined types of\n                  denial of service attacks; and"
-                  },
-                  {
-                    "id": "sc-5_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-5[3]"
-                      }
-                    ],
-                    "prose": "the information system protects against or limits the effects of the\n                  organization-defined denial or service attacks (or reference to source for such\n                  information) by employing organization-defined security safeguards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing denial of service protection\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\nlist of denial of services attacks requiring employment of security safeguards to\n                  protect against or limit effects of such attacks\\n\\nlist of security safeguards protecting against or limiting the effects of denial\n                  of service attacks\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms protecting against or limiting the effects of denial of\n                  service attacks"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-6",
-            "class": "SP800-53",
-            "title": "Resource Availability",
-            "parameters": [
-              {
-                "id": "sc-6_prm_1",
-                "label": "organization-defined resources"
-              },
-              {
-                "id": "sc-6_prm_2"
-              },
-              {
-                "id": "sc-6_prm_3",
-                "depends-on": "sc-6_prm_2",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-6_smt",
-                "name": "statement",
-                "prose": "The information system protects the availability of resources by allocating {{ sc-6_prm_1 }} by {{ sc-6_prm_2 }}."
-              },
-              {
-                "id": "sc-6_gdn",
-                "name": "guidance",
-                "prose": "Priority protection helps prevent lower-priority processes from delaying or\n               interfering with the information system servicing any higher-priority processes.\n               Quotas prevent users or processes from obtaining more than predetermined amounts of\n               resources. This control does not apply to information system components for which\n               there are only single users/roles."
-              },
-              {
-                "id": "sc-6_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-6_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-6[1]"
-                      }
-                    ],
-                    "prose": "the organization defines resources to be allocated to protect the availability of\n                  resources;"
-                  },
-                  {
-                    "id": "sc-6_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-6[2]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be employed to protect the\n                  availability of resources;"
-                  },
-                  {
-                    "id": "sc-6_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-6[3]"
-                      }
-                    ],
-                    "prose": "the information system protects the availability of resources by allocating\n                  organization-defined resources by one or more of the following:",
-                    "parts": [
-                      {
-                        "id": "sc-6_obj.3.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-6[3][a]"
-                          }
-                        ],
-                        "prose": "priority;"
-                      },
-                      {
-                        "id": "sc-6_obj.3.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-6[3][b]"
-                          }
-                        ],
-                        "prose": "quota; and/or"
-                      },
-                      {
-                        "id": "sc-6_obj.3.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-6[3][c]"
-                          }
-                        ],
-                        "prose": "organization-defined safeguards."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing prioritization of information system resources\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing resource allocation\n                  capability\\n\\nsafeguards employed to protect availability of resources"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-7",
-            "class": "SP800-53",
-            "title": "Boundary Protection",
-            "parameters": [
-              {
-                "id": "sc-7_prm_1"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-                "rel": "reference",
-                "text": "FIPS Publication 199"
-              },
-              {
-                "href": "#756a8e86-57d5-4701-8382-f7a40439665a",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-41"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-7_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-7_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors and controls communications at the external boundary of the system and at\n                  key internal boundaries within the system;"
-                  },
-                  {
-                    "id": "sc-7_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;\n                  and"
-                  },
-                  {
-                    "id": "sc-7_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."
-                  }
-                ]
-              },
-              {
-                "id": "sc-7_gdn",
-                "name": "guidance",
-                "prose": "Managed interfaces include, for example, gateways, routers, firewalls, guards,\n               network-based malicious code analysis and virtualization systems, or encrypted\n               tunnels implemented within a security architecture (e.g., routers protecting\n               firewalls or application gateways residing on protected subnetworks). Subnetworks\n               that are physically or logically separated from internal networks are referred to as\n               demilitarized zones or DMZs. Restricting or prohibiting interfaces within\n               organizational information systems includes, for example, restricting external web\n               traffic to designated web servers within managed interfaces and prohibiting external\n               traffic that appears to be spoofing internal addresses. Organizations consider the\n               shared nature of commercial telecommunications services in the implementation of\n               security controls associated with the use of such services. Commercial\n               telecommunications services are commonly based on network components and consolidated\n               management systems shared by all attached commercial customers, and may also include\n               third party-provided access lines and other service elements. Such transmission\n               services may represent sources of increased risk despite contract security\n               provisions.",
-                "links": [
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ca-3",
-                    "rel": "related",
-                    "text": "CA-3"
-                  },
-                  {
-                    "href": "#cm-7",
-                    "rel": "related",
-                    "text": "CM-7"
-                  },
-                  {
-                    "href": "#cp-8",
-                    "rel": "related",
-                    "text": "CP-8"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ra-3",
-                    "rel": "related",
-                    "text": "RA-3"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  }
-                ]
-              },
-              {
-                "id": "sc-7_obj",
-                "name": "objective",
-                "prose": "Determine if the information system:",
-                "parts": [
-                  {
-                    "id": "sc-7.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-7(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-7.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[1]"
-                          }
-                        ],
-                        "prose": "monitors communications at the external boundary of the information system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[2]"
-                          }
-                        ],
-                        "prose": "monitors communications at key internal boundaries within the system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[3]"
-                          }
-                        ],
-                        "prose": "controls communications at the external boundary of the information system;"
-                      },
-                      {
-                        "id": "sc-7.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(a)[4]"
-                          }
-                        ],
-                        "prose": "controls communications at key internal boundaries within the system;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-7(b)"
-                      }
-                    ],
-                    "prose": "implements subnetworks for publicly accessible system components that are\n                  either:",
-                    "parts": [
-                      {
-                        "id": "sc-7.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(b)[1]"
-                          }
-                        ],
-                        "prose": "physically separated from internal organizational networks; and/or"
-                      },
-                      {
-                        "id": "sc-7.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(b)[2]"
-                          }
-                        ],
-                        "prose": "logically separated from internal organizational networks; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-7(c)"
-                      }
-                    ],
-                    "prose": "connects to external networks or information systems only through managed\n                  interfaces consisting of boundary protection devices arranged in accordance with\n                  an organizational security architecture."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\nlist of key internal boundaries of the information system\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\nenterprise security architecture documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms implementing boundary protection capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-7.3",
-                "class": "SP800-53-enhancement",
-                "title": "Access Points",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.3_smt",
-                    "name": "statement",
-                    "prose": "The organization limits the number of external network connections to the\n                  information system."
-                  },
-                  {
-                    "id": "sc-7.3_gdn",
-                    "name": "guidance",
-                    "prose": "Limiting the number of external network connections facilitates more comprehensive\n                  monitoring of inbound and outbound communications traffic. The Trusted Internet\n                  Connection (TIC) initiative is an example of limiting the number of external\n                  network connections."
-                  },
-                  {
-                    "id": "sc-7.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization limits the number of external network connections to\n                  the information system."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncommunications and network traffic monitoring logs\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing boundary protection capability\\n\\nautomated mechanisms limiting the number of external network connections to the\n                     information system"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.4",
-                "class": "SP800-53-enhancement",
-                "title": "External Telecommunications Services",
-                "parameters": [
-                  {
-                    "id": "sc-7.4_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least annually"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SC-7(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.4_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.4_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Implements a managed interface for each external telecommunication service;"
-                      },
-                      {
-                        "id": "sc-7.4_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Establishes a traffic flow policy for each managed interface;"
-                      },
-                      {
-                        "id": "sc-7.4_smt.c",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(c)"
-                          }
-                        ],
-                        "prose": "Protects the confidentiality and integrity of the information being transmitted\n                     across each interface;"
-                      },
-                      {
-                        "id": "sc-7.4_smt.d",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(d)"
-                          }
-                        ],
-                        "prose": "Documents each exception to the traffic flow policy with a supporting\n                     mission/business need and duration of that need; and"
-                      },
-                      {
-                        "id": "sc-7.4_smt.e",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(e)"
-                          }
-                        ],
-                        "prose": "Reviews exceptions to the traffic flow policy {{ sc-7.4_prm_1 }}\n                     and removes exceptions that are no longer supported by an explicit\n                     mission/business need."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.4_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#sc-8",
-                        "rel": "related",
-                        "text": "SC-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.4.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(a)"
-                          }
-                        ],
-                        "prose": "implements a managed interface for each external telecommunication service;",
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.a",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-7.4.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(b)"
-                          }
-                        ],
-                        "prose": "establishes a traffic flow policy for each managed interface;",
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.b",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(b)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-7.4.c_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(c)"
-                          }
-                        ],
-                        "prose": "protects the confidentiality and integrity of the information being transmitted\n                     across each interface;",
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.c",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(c)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-7.4.d_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(d)"
-                          }
-                        ],
-                        "prose": "documents each exception to the traffic flow policy with:",
-                        "parts": [
-                          {
-                            "id": "sc-7.4.d_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(d)[1]"
-                              }
-                            ],
-                            "prose": "a supporting mission/business need;"
-                          },
-                          {
-                            "id": "sc-7.4.d_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(d)[2]"
-                              }
-                            ],
-                            "prose": "duration of that need;"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.d",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(d)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "sc-7.4.e_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-7(4)(e)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "sc-7.4.e_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(e)[1]"
-                              }
-                            ],
-                            "prose": "defines a frequency to review exceptions to traffic flow policy;"
-                          },
-                          {
-                            "id": "sc-7.4.e_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(e)[2]"
-                              }
-                            ],
-                            "prose": "reviews exceptions to the traffic flow policy with the organization-defined\n                        frequency; and"
-                          },
-                          {
-                            "id": "sc-7.4.e_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SC-7(4)(e)[3]"
-                              }
-                            ],
-                            "prose": "removes traffic flow policy exceptions that are no longer supported by an\n                        explicit mission/business need"
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#sc-7.4_smt.e",
-                            "rel": "corresp",
-                            "text": "SC-7(4)(e)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\ntraffic flow policy\\n\\ninformation flow control policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system security architecture\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system architecture and configuration documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nrecords of traffic flow policy exceptions\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for documenting and reviewing exceptions to the\n                     traffic flow policy\\n\\norganizational processes for removing exceptions to the traffic flow policy\\n\\nautomated mechanisms implementing boundary protection capability\\n\\nmanaged interfaces implementing traffic flow policy"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.5",
-                "class": "SP800-53-enhancement",
-                "title": "Deny by Default / Allow by Exception",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.5_smt",
-                    "name": "statement",
-                    "prose": "The information system at managed interfaces denies network communications traffic\n                  by default and allows network communications traffic by exception (i.e., deny all,\n                  permit by exception)."
-                  },
-                  {
-                    "id": "sc-7.5_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement applies to both inbound and outbound network\n                  communications traffic. A deny-all, permit-by-exception network communications\n                  traffic policy ensures that only those connections which are essential and\n                  approved are allowed."
-                  },
-                  {
-                    "id": "sc-7.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if the information system, at managed interfaces:",
-                    "parts": [
-                      {
-                        "id": "sc-7.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(5)[1]"
-                          }
-                        ],
-                        "prose": "denies network traffic by default; and"
-                      },
-                      {
-                        "id": "sc-7.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(5)[2]"
-                          }
-                        ],
-                        "prose": "allows network traffic by exception."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing traffic management at managed interfaces"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.7",
-                "class": "SP800-53-enhancement",
-                "title": "Prevent Split Tunneling for Remote Devices",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.7_smt",
-                    "name": "statement",
-                    "prose": "The information system, in conjunction with a remote device, prevents the device\n                  from simultaneously establishing non-remote connections with the system and\n                  communicating via some other connection to resources in external networks."
-                  },
-                  {
-                    "id": "sc-7.7_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement is implemented within remote devices (e.g., notebook\n                  computers) through configuration settings to disable split tunneling in those\n                  devices, and by preventing those configuration settings from being readily\n                  configurable by users. This control enhancement is implemented within the\n                  information system by the detection of split tunneling (or of configuration\n                  settings that allow split tunneling) in the remote device, and by prohibiting the\n                  connection if the remote device is using split tunneling. Split tunneling might be\n                  desirable by remote users to communicate with local information system resources\n                  such as printers/file servers. However, split tunneling would in effect allow\n                  unauthorized external connections, making the system more vulnerable to attack and\n                  to exfiltration of organizational information. The use of VPNs for remote\n                  connections, when adequately provisioned with appropriate security controls, may\n                  provide the organization with sufficient assurance that it can effectively treat\n                  such connections as non-remote connections from the confidentiality and integrity\n                  perspective. VPNs thus provide a means for allowing non-remote communications\n                  paths from remote devices. The use of an adequately provisioned VPN does not\n                  eliminate the need for preventing split tunneling."
-                  },
-                  {
-                    "id": "sc-7.7_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system, in conjunction with a remote device, prevents\n                  the device from simultaneously establishing non-remote connections with the system\n                  and communicating via some other connection to resources in external networks."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing boundary protection capability\\n\\nautomated mechanisms supporting/restricting non-remote connections"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.8",
-                "class": "SP800-53-enhancement",
-                "title": "Route Traffic to Authenticated Proxy Servers",
-                "parameters": [
-                  {
-                    "id": "sc-7.8_prm_1",
-                    "label": "organization-defined internal communications traffic"
-                  },
-                  {
-                    "id": "sc-7.8_prm_2",
-                    "label": "organization-defined external networks"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(8)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.08"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.8_smt",
-                    "name": "statement",
-                    "prose": "The information system routes {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed\n                  interfaces."
-                  },
-                  {
-                    "id": "sc-7.8_gdn",
-                    "name": "guidance",
-                    "prose": "External networks are networks outside of organizational control. A proxy server\n                  is a server (i.e., information system or application) that acts as an intermediary\n                  for clients requesting information system resources (e.g., files, connections, web\n                  pages, or services) from other organizational servers. Client requests established\n                  through an initial connection to the proxy server are evaluated to manage\n                  complexity and to provide additional protection by limiting direct connectivity.\n                  Web content filtering devices are one of the most common proxy servers providing\n                  access to the Internet. Proxy servers support logging individual Transmission\n                  Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators\n                  (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be\n                  configured with organization-defined lists of authorized and unauthorized\n                  websites.",
-                    "links": [
-                      {
-                        "href": "#ac-3",
-                        "rel": "related",
-                        "text": "AC-3"
-                      },
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.8_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "sc-7.8_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(8)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines internal communications traffic to be routed to\n                     external networks;"
-                      },
-                      {
-                        "id": "sc-7.8_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(8)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines external networks to which organization-defined\n                     internal communications traffic is to be routed; and"
-                      },
-                      {
-                        "id": "sc-7.8_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(8)[3]"
-                          }
-                        ],
-                        "prose": "the information system routes organization-defined internal communications\n                     traffic to organization-defined external networks through authenticated proxy\n                     servers at managed interfaces."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing traffic management through authenticated\n                     proxy servers at managed interfaces"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.12",
-                "class": "SP800-53-enhancement",
-                "title": "Host-based Protection",
-                "parameters": [
-                  {
-                    "id": "sc-7.12_prm_1",
-                    "label": "organization-defined host-based boundary protection mechanisms"
-                  },
-                  {
-                    "id": "sc-7.12_prm_2",
-                    "label": "organization-defined information system components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(12)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.12"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.12_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ sc-7.12_prm_1 }} at {{ sc-7.12_prm_2 }}."
-                  },
-                  {
-                    "id": "sc-7.12_gdn",
-                    "name": "guidance",
-                    "prose": "Host-based boundary protection mechanisms include, for example, host-based\n                  firewalls. Information system components employing host-based boundary protection\n                  mechanisms include, for example, servers, workstations, and mobile devices."
-                  },
-                  {
-                    "id": "sc-7.12_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.12_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(12)[1]"
-                          }
-                        ],
-                        "prose": "defines host-based boundary protection mechanisms;"
-                      },
-                      {
-                        "id": "sc-7.12_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(12)[2]"
-                          }
-                        ],
-                        "prose": "defines information system components where organization-defined host-based\n                     boundary protection mechanisms are to be implemented; and"
-                      },
-                      {
-                        "id": "sc-7.12_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(12)[3]"
-                          }
-                        ],
-                        "prose": "implements organization-defined host-based boundary protection mechanisms at\n                     organization-defined information system components."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\nboundary protection hardware and software\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities\\n\\ninformation system users"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms implementing host-based boundary protection\n                     capabilities"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.13",
-                "class": "SP800-53-enhancement",
-                "title": "Isolation of Security Tools / Mechanisms / Support Components",
-                "parameters": [
-                  {
-                    "id": "sc-7.13_prm_1",
-                    "label": "organization-defined information security tools, mechanisms, and support\n                  components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(13)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.13"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.13_smt",
-                    "name": "statement",
-                    "prose": "The organization isolates {{ sc-7.13_prm_1 }} from other internal\n                  information system components by implementing physically separate subnetworks with\n                  managed interfaces to other components of the system.",
-                    "parts": [
-                      {
-                        "id": "sc-7.13_fr",
-                        "name": "item",
-                        "title": "SC-7 (13) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "sc-7.13_fr_smt.1",
-                            "name": "item",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Requirement:"
-                              }
-                            ],
-                            "prose": "The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.13_gdn",
-                    "name": "guidance",
-                    "prose": "Physically separate subnetworks with managed interfaces are useful, for example,\n                  in isolating computer network defenses from critical operational processing\n                  networks to prevent adversaries from discovering the analysis and forensics\n                  techniques of organizations.",
-                    "links": [
-                      {
-                        "href": "#sa-8",
-                        "rel": "related",
-                        "text": "SA-8"
-                      },
-                      {
-                        "href": "#sc-2",
-                        "rel": "related",
-                        "text": "SC-2"
-                      },
-                      {
-                        "href": "#sc-3",
-                        "rel": "related",
-                        "text": "SC-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.13_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "sc-7.13_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(13)[1]"
-                          }
-                        ],
-                        "prose": "defines information security tools, mechanisms, and support components to be\n                     isolated from other internal information system components; and"
-                      },
-                      {
-                        "id": "sc-7.13_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-7(13)[2]"
-                          }
-                        ],
-                        "prose": "isolates organization-defined information security tools, mechanisms, and\n                     support components from other internal information system components by\n                     implementing physically separate subnetworks with managed interfaces to other\n                     components of the system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system hardware and software\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security tools and support components to be isolated from other\n                     internal information system components\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing isolation of information\n                     security tools, mechanisms, and support components"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-7.18",
-                "class": "SP800-53-enhancement",
-                "title": "Fail Secure",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-7(18)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-07.18"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-7.18_smt",
-                    "name": "statement",
-                    "prose": "The information system fails securely in the event of an operational failure of a\n                  boundary protection device."
-                  },
-                  {
-                    "id": "sc-7.18_gdn",
-                    "name": "guidance",
-                    "prose": "Fail secure is a condition achieved by employing information system mechanisms to\n                  ensure that in the event of operational failures of boundary protection devices at\n                  managed interfaces (e.g., routers, firewalls, guards, and application gateways\n                  residing on protected subnetworks commonly referred to as demilitarized zones),\n                  information systems do not enter into unsecure states where intended security\n                  properties no longer hold. Failures of boundary protection devices cannot lead to,\n                  or cause information external to the devices to enter the devices, nor can\n                  failures permit unauthorized information releases.",
-                    "links": [
-                      {
-                        "href": "#cp-2",
-                        "rel": "related",
-                        "text": "CP-2"
-                      },
-                      {
-                        "href": "#sc-24",
-                        "rel": "related",
-                        "text": "SC-24"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-7.18_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system fails securely in the event of an operational\n                  failure of a boundary protection device."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing boundary protection\\n\\ninformation system design documentation\\n\\ninformation system architecture\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with boundary protection responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing secure failure"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-8",
-            "class": "SP800-53",
-            "title": "Transmission Confidentiality and Integrity",
-            "parameters": [
-              {
-                "id": "sc-8_prm_1",
-                "constraints": [
-                  {
-                    "detail": "confidentiality AND integrity"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#d715b234-9b5b-4e07-b1ed-99836727664d",
-                "rel": "reference",
-                "text": "FIPS Publication 140-2"
-              },
-              {
-                "href": "#f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-                "rel": "reference",
-                "text": "FIPS Publication 197"
-              },
-              {
-                "href": "#90c5bc98-f9c4-44c9-98b7-787422f0999c",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-52"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              },
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              },
-              {
-                "href": "#349fe082-502d-464a-aa0c-1443c6a5cf40",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-113"
-              },
-              {
-                "href": "#a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-                "rel": "reference",
-                "text": "CNSS Policy 15"
-              },
-              {
-                "href": "#06dff0ea-3848-4945-8d91-e955ee69f05d",
-                "rel": "reference",
-                "text": "NSTISSI No. 7003"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-8_smt",
-                "name": "statement",
-                "prose": "The information system protects the {{ sc-8_prm_1 }} of transmitted\n               information."
-              },
-              {
-                "id": "sc-8_gdn",
-                "name": "guidance",
-                "prose": "This control applies to both internal and external networks and all types of\n               information system components from which information can be transmitted (e.g.,\n               servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile\n               machines). Communication paths outside the physical protection of a controlled\n               boundary are exposed to the possibility of interception and modification. Protecting\n               the confidentiality and/or integrity of organizational information can be\n               accomplished by physical means (e.g., by employing protected distribution systems) or\n               by logical means (e.g., employing encryption techniques). Organizations relying on\n               commercial providers offering transmission services as commodity services rather than\n               as fully dedicated services (i.e., services which can be highly specialized to\n               individual customer needs), may find it difficult to obtain the necessary assurances\n               regarding the implementation of needed security controls for transmission\n               confidentiality/integrity. In such situations, organizations determine what types of\n               confidentiality/integrity services are available in standard, commercial\n               telecommunication service packages. If it is infeasible or impractical to obtain the\n               necessary security controls and assurances of control effectiveness through\n               appropriate contracting vehicles, organizations implement appropriate compensating\n               security controls or explicitly accept the additional risk.",
-                "links": [
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#pe-4",
-                    "rel": "related",
-                    "text": "PE-4"
-                  }
-                ]
-              },
-              {
-                "id": "sc-8_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system protects one or more of the following:",
-                "parts": [
-                  {
-                    "id": "sc-8_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-8[1]"
-                      }
-                    ],
-                    "prose": "confidentiality of transmitted information; and/or"
-                  },
-                  {
-                    "id": "sc-8_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-8[2]"
-                      }
-                    ],
-                    "prose": "integrity of transmitted information."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing transmission confidentiality and integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing transmission confidentiality\n                  and/or integrity"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptographic or Alternate Physical Protection",
-                "parameters": [
-                  {
-                    "id": "sc-8.1_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "prevent unauthorized disclosure of information AND detect changes to information"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-8.1_prm_2",
-                    "label": "organization-defined alternative physical safeguards",
-                    "constraints": [
-                      {
-                        "detail": "a hardened or alarmed carrier Protective Distribution System (PDS)"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-8.1_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission unless otherwise protected by\n                     {{ sc-8.1_prm_2 }}."
-                  },
-                  {
-                    "id": "sc-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "Encrypting information for transmission protects information from unauthorized\n                  disclosure and modification. Cryptographic mechanisms implemented to protect\n                  information integrity include, for example, cryptographic hash functions which\n                  have common application in digital signatures, checksums, and message\n                  authentication codes. Alternative physical security safeguards include, for\n                  example, protected distribution systems.",
-                    "links": [
-                      {
-                        "href": "#sc-13",
-                        "rel": "related",
-                        "text": "SC-13"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-8.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "sc-8.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-8(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines physical safeguards to be implemented to protect\n                     information during transmission when cryptographic mechanisms are not\n                     implemented; and"
-                      },
-                      {
-                        "id": "sc-8.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-8(1)[2]"
-                          }
-                        ],
-                        "prose": "the information system implements cryptographic mechanisms to do one or more of\n                     the following during transmission unless otherwise protected by\n                     organization-defined alternative physical safeguards:",
-                        "parts": [
-                          {
-                            "id": "sc-8.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-8(1)[2][a]"
-                              }
-                            ],
-                            "prose": "prevent unauthorized disclosure of information; and/or"
-                          },
-                          {
-                            "id": "sc-8.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SC-8(1)[2][b]"
-                              }
-                            ],
-                            "prose": "detect changes to information."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing transmission confidentiality and integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms supporting and/or implementing transmission\n                     confidentiality and/or integrity\\n\\nautomated mechanisms supporting and/or implementing alternative physical\n                     safeguards\\n\\norganizational processes for defining and implementing alternative physical\n                     safeguards"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-10",
-            "class": "SP800-53",
-            "title": "Network Disconnect",
-            "parameters": [
-              {
-                "id": "sc-10_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-10_smt",
-                "name": "statement",
-                "prose": "The information system terminates the network connection associated with a\n               communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity."
-              },
-              {
-                "id": "sc-10_gdn",
-                "name": "guidance",
-                "prose": "This control applies to both internal and external networks. Terminating network\n               connections associated with communications sessions include, for example,\n               de-allocating associated TCP/IP address/port pairs at the operating system level, or\n               de-allocating networking assignments at the application level if multiple application\n               sessions are using a single, operating system-level network connection. Time periods\n               of inactivity may be established by organizations and include, for example, time\n               periods by type of network access or for specific network accesses."
-              },
-              {
-                "id": "sc-10_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-10[1]"
-                      }
-                    ],
-                    "prose": "the organization defines a time period of inactivity after which the information\n                  system terminates a network connection associated with a communications session;\n                  and"
-                  },
-                  {
-                    "id": "sc-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-10[2]"
-                      }
-                    ],
-                    "prose": "the information system terminates the network connection associated with a\n                  communication session at the end of the session or after the organization-defined\n                  time period of inactivity."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing network disconnect\\n\\ninformation system design documentation\\n\\nsecurity plan\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing network disconnect\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-12",
-            "class": "SP800-53",
-            "title": "Cryptographic Key Establishment and Management",
-            "parameters": [
-              {
-                "id": "sc-12_prm_1",
-                "label": "organization-defined requirements for key generation, distribution, storage,\n               access, and destruction"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-12"
-              }
-            ],
-            "links": [
-              {
-                "href": "#81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-56"
-              },
-              {
-                "href": "#a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-57"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-12_smt",
-                "name": "statement",
-                "prose": "The organization establishes and manages cryptographic keys for required cryptography\n               employed within the information system in accordance with {{ sc-12_prm_1 }}.",
-                "parts": [
-                  {
-                    "id": "sc-12_fr",
-                    "name": "item",
-                    "title": "SC-12 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sc-12_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "Federally approved and validated cryptography."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-12_gdn",
-                "name": "guidance",
-                "prose": "Cryptographic key management and establishment can be performed using manual\n               procedures or automated mechanisms with supporting manual procedures. Organizations\n               define key management requirements in accordance with applicable federal laws,\n               Executive Orders, directives, regulations, policies, standards, and guidance,\n               specifying appropriate options, levels, and parameters. Organizations manage trust\n               stores to ensure that only approved trust anchors are in such trust stores. This\n               includes certificates with visibility external to organizational information systems\n               and certificates related to the internal operations of systems.",
-                "links": [
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-17",
-                    "rel": "related",
-                    "text": "SC-17"
-                  }
-                ]
-              },
-              {
-                "id": "sc-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-12[1]"
-                      }
-                    ],
-                    "prose": "defines requirements for cryptographic key:",
-                    "parts": [
-                      {
-                        "id": "sc-12_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][a]"
-                          }
-                        ],
-                        "prose": "generation;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][b]"
-                          }
-                        ],
-                        "prose": "distribution;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][c]"
-                          }
-                        ],
-                        "prose": "storage;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.d",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][d]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "sc-12_obj.1.e",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12[1][e]"
-                          }
-                        ],
-                        "prose": "destruction; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-12[2]"
-                      }
-                    ],
-                    "prose": "establishes and manages cryptographic keys for required cryptography employed\n                  within the information system in accordance with organization-defined requirements\n                  for key generation, distribution, storage, access, and destruction."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ncryptographic mechanisms\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for cryptographic key establishment\n                  and/or management"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic key\n                  establishment and management"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-12.2",
-                "class": "SP800-53-enhancement",
-                "title": "Symmetric Keys",
-                "parameters": [
-                  {
-                    "id": "sc-12.2_prm_1",
-                    "constraints": [
-                      {
-                        "detail": "NIST FIPS-compliant"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-12(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-12.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-12.2_smt",
-                    "name": "statement",
-                    "prose": "The organization produces, controls, and distributes symmetric cryptographic keys\n                  using {{ sc-12.2_prm_1 }} key management technology and\n                  processes."
-                  },
-                  {
-                    "id": "sc-12.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization produces, controls, and distributes symmetric\n                  cryptographic keys using one of the following: ",
-                    "parts": [
-                      {
-                        "id": "sc-12.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(2)[1]"
-                          }
-                        ],
-                        "prose": "NIST FIPS-compliant key management technology and processes; or"
-                      },
-                      {
-                        "id": "sc-12.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(2)[2]"
-                          }
-                        ],
-                        "prose": "NSA-approved key management technology and processes."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of FIPS validated cryptographic products\\n\\nlist of NSA-approved cryptographic products\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing symmetric cryptographic key\n                     establishment and management"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-12.3",
-                "class": "SP800-53-enhancement",
-                "title": "Asymmetric Keys",
-                "parameters": [
-                  {
-                    "id": "sc-12.3_prm_1"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-12(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-12.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-12.3_smt",
-                    "name": "statement",
-                    "prose": "The organization produces, controls, and distributes asymmetric cryptographic keys\n                  using {{ sc-12.3_prm_1 }}."
-                  },
-                  {
-                    "id": "sc-12.3_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization produces, controls, and distributes asymmetric\n                  cryptographic keys using one of the following: ",
-                    "parts": [
-                      {
-                        "id": "sc-12.3_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(3)[1]"
-                          }
-                        ],
-                        "prose": "NSA-approved key management technology and processes;"
-                      },
-                      {
-                        "id": "sc-12.3_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(3)[2]"
-                          }
-                        ],
-                        "prose": "approved PKI Class 3 certificates or prepositioned keying material; or"
-                      },
-                      {
-                        "id": "sc-12.3_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-12(3)[3]"
-                          }
-                        ],
-                        "prose": "approved PKI Class 3 or Class 4 certificates and hardware security tokens that\n                     protect the user’s private key."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic key establishment and management\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nlist of NSA-approved cryptographic products\\n\\nlist of approved PKI Class 3 and Class 4 certificates\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic key\n                     establishment or management\\n\\norganizational personnel with responsibilities for PKI certificates"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing asymmetric cryptographic\n                     key establishment and management"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-13",
-            "class": "SP800-53",
-            "title": "Cryptographic Protection",
-            "parameters": [
-              {
-                "id": "sc-13_prm_1",
-                "label": "organization-defined cryptographic uses and type of cryptography required for\n               each use",
-                "constraints": [
-                  {
-                    "detail": "FIPS-validated or NSA-approved cryptography"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SC-13"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-13"
-              }
-            ],
-            "links": [
-              {
-                "href": "#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-                "rel": "reference",
-                "text": "FIPS Publication 140"
-              },
-              {
-                "href": "#6a1041fc-054e-4230-946b-2e6f4f3731bb",
-                "rel": "reference",
-                "text": "http://csrc.nist.gov/cryptval"
-              },
-              {
-                "href": "#9b97ed27-3dd6-4f9a-ade5-1b43e9669794",
-                "rel": "reference",
-                "text": "http://www.cnss.gov"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-13_smt",
-                "name": "statement",
-                "prose": "The information system implements {{ sc-13_prm_1 }} in accordance with\n               applicable federal laws, Executive Orders, directives, policies, regulations, and\n               standards."
-              },
-              {
-                "id": "sc-13_gdn",
-                "name": "guidance",
-                "prose": "Cryptography can be employed to support a variety of security solutions including,\n               for example, the protection of classified and Controlled Unclassified Information,\n               the provision of digital signatures, and the enforcement of information separation\n               when authorized individuals have the necessary clearances for such information but\n               lack the necessary formal access approvals. Cryptography can also be used to support\n               random number generation and hash generation. Generally applicable cryptographic\n               standards include FIPS-validated cryptography and NSA-approved cryptography. This\n               control does not impose any requirements on organizations to use cryptography.\n               However, if cryptography is required based on the selection of other security\n               controls, organizations define each type of cryptographic use and the type of\n               cryptography required (e.g., protection of classified information: NSA-approved\n               cryptography; provision of digital signatures: FIPS-validated cryptography).",
-                "links": [
-                  {
-                    "href": "#ac-2",
-                    "rel": "related",
-                    "text": "AC-2"
-                  },
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-7",
-                    "rel": "related",
-                    "text": "AC-7"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#ac-18",
-                    "rel": "related",
-                    "text": "AC-18"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#au-10",
-                    "rel": "related",
-                    "text": "AU-10"
-                  },
-                  {
-                    "href": "#cm-11",
-                    "rel": "related",
-                    "text": "CM-11"
-                  },
-                  {
-                    "href": "#cp-9",
-                    "rel": "related",
-                    "text": "CP-9"
-                  },
-                  {
-                    "href": "#ia-3",
-                    "rel": "related",
-                    "text": "IA-3"
-                  },
-                  {
-                    "href": "#ia-7",
-                    "rel": "related",
-                    "text": "IA-7"
-                  },
-                  {
-                    "href": "#ma-4",
-                    "rel": "related",
-                    "text": "MA-4"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  },
-                  {
-                    "href": "#mp-5",
-                    "rel": "related",
-                    "text": "MP-5"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-28",
-                    "rel": "related",
-                    "text": "SC-28"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-13_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-13_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[1]"
-                      }
-                    ],
-                    "prose": "the organization defines cryptographic uses; and"
-                  },
-                  {
-                    "id": "sc-13_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[2]"
-                      }
-                    ],
-                    "prose": "the organization defines the type of cryptography required for each use; and"
-                  },
-                  {
-                    "id": "sc-13_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-13[3]"
-                      }
-                    ],
-                    "prose": "the information system implements the organization-defined cryptographic uses and\n                  type of cryptography required for each use in accordance with applicable federal\n                  laws, Executive Orders, directives, policies, regulations, and standards."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing cryptographic protection\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic module validation certificates\\n\\nlist of FIPS validated cryptographic modules\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for cryptographic protection"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing cryptographic protection"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-15",
-            "class": "SP800-53",
-            "title": "Collaborative Computing Devices",
-            "parameters": [
-              {
-                "id": "sc-15_prm_1",
-                "label": "organization-defined exceptions where remote activation is to be allowed",
-                "constraints": [
-                  {
-                    "detail": "no exceptions"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-15"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-15"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-15_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-15_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Prohibits remote activation of collaborative computing devices with the following\n                  exceptions: {{ sc-15_prm_1 }}; and"
-                  },
-                  {
-                    "id": "sc-15_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Provides an explicit indication of use to users physically present at the\n                  devices."
-                  },
-                  {
-                    "id": "sc-15_fr",
-                    "name": "item",
-                    "title": "SC-15 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sc-15_fr_smt.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Requirement:"
-                          }
-                        ],
-                        "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-15_gdn",
-                "name": "guidance",
-                "prose": "Collaborative computing devices include, for example, networked white boards,\n               cameras, and microphones. Explicit indication of use includes, for example, signals\n               to users when collaborative computing devices are activated.",
-                "links": [
-                  {
-                    "href": "#ac-21",
-                    "rel": "related",
-                    "text": "AC-21"
-                  }
-                ]
-              },
-              {
-                "id": "sc-15_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-15.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-15(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-15.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-15(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines exceptions where remote activation of collaborative\n                     computing devices is to be allowed;"
-                      },
-                      {
-                        "id": "sc-15.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-15(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system prohibits remote activation of collaborative computing\n                     devices, except for organization-defined exceptions where remote activation is\n                     to be allowed; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-15.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-15(b)"
-                      }
-                    ],
-                    "prose": "the information system provides an explicit indication of use to users physically\n                  present at the devices."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing collaborative computing\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer\\n\\norganizational personnel with responsibilities for managing collaborative\n                  computing devices"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing management of remote\n                  activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing\n                  devices"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-17",
-            "class": "SP800-53",
-            "title": "Public Key Infrastructure Certificates",
-            "parameters": [
-              {
-                "id": "sc-17_prm_1",
-                "label": "organization-defined certificate policy"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-17"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-17"
-              }
-            ],
-            "links": [
-              {
-                "href": "#58ad6f27-af99-429f-86a8-8bb767b014b9",
-                "rel": "reference",
-                "text": "OMB Memorandum 05-24"
-              },
-              {
-                "href": "#8f174e91-844e-4cf1-a72a-45c119a3a8dd",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-32"
-              },
-              {
-                "href": "#644f44a9-a2de-4494-9c04-cd37fba45471",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-63"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-17_smt",
-                "name": "statement",
-                "prose": "The organization issues public key certificates under an {{ sc-17_prm_1 }} or obtains public key certificates from an approved\n               service provider."
-              },
-              {
-                "id": "sc-17_gdn",
-                "name": "guidance",
-                "prose": "For all certificates, organizations manage information system trust stores to ensure\n               only approved trust anchors are in the trust stores. This control addresses both\n               certificates with visibility external to organizational information systems and\n               certificates related to the internal operations of systems, for example,\n               application-specific time services.",
-                "links": [
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  }
-                ]
-              },
-              {
-                "id": "sc-17_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-17_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-17[1]"
-                      }
-                    ],
-                    "prose": "defines a certificate policy for issuing public key certificates;"
-                  },
-                  {
-                    "id": "sc-17_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-17[2]"
-                      }
-                    ],
-                    "prose": "issues public key certificates:",
-                    "parts": [
-                      {
-                        "id": "sc-17_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-17[2][a]"
-                          }
-                        ],
-                        "prose": "under an organization-defined certificate policy: or"
-                      },
-                      {
-                        "id": "sc-17_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-17[2][b]"
-                          }
-                        ],
-                        "prose": "obtains public key certificates from an approved service provider."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing public key infrastructure certificates\\n\\npublic key certificate policy or policies\\n\\npublic key issuing process\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for issuing public key\n                  certificates\\n\\nservice providers"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing the management of public key\n                  infrastructure certificates"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-18",
-            "class": "SP800-53",
-            "title": "Mobile Code",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-18"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-18"
-              }
-            ],
-            "links": [
-              {
-                "href": "#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-28"
-              },
-              {
-                "href": "#e6522953-6714-435d-a0d3-140df554c186",
-                "rel": "reference",
-                "text": "DoD Instruction 8552.01"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-18_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sc-18_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Defines acceptable and unacceptable mobile code and mobile code technologies;"
-                  },
-                  {
-                    "id": "sc-18_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions and implementation guidance for acceptable mobile\n                  code and mobile code technologies; and"
-                  },
-                  {
-                    "id": "sc-18_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Authorizes, monitors, and controls the use of mobile code within the information\n                  system."
-                  }
-                ]
-              },
-              {
-                "id": "sc-18_gdn",
-                "name": "guidance",
-                "prose": "Decisions regarding the employment of mobile code within organizational information\n               systems are based on the potential for the code to cause damage to the systems if\n               used maliciously. Mobile code technologies include, for example, Java, JavaScript,\n               ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage\n               restrictions and implementation guidance apply to both the selection and use of\n               mobile code installed on servers and mobile code downloaded and executed on\n               individual workstations and devices (e.g., smart phones). Mobile code policy and\n               procedures address preventing the development, acquisition, or introduction of\n               unacceptable mobile code within organizational information systems.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#cm-2",
-                    "rel": "related",
-                    "text": "CM-2"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  }
-                ]
-              },
-              {
-                "id": "sc-18_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-18.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-18(a)"
-                      }
-                    ],
-                    "prose": "defines acceptable and unacceptable mobile code and mobile code technologies;"
-                  },
-                  {
-                    "id": "sc-18.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-18(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-18.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(b)[1]"
-                          }
-                        ],
-                        "prose": "establishes usage restrictions for acceptable mobile code and mobile code\n                     technologies;"
-                      },
-                      {
-                        "id": "sc-18.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(b)[2]"
-                          }
-                        ],
-                        "prose": "establishes implementation guidance for acceptable mobile code and mobile code\n                     technologies;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-18.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-18(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-18.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(c)[1]"
-                          }
-                        ],
-                        "prose": "authorizes the use of mobile code within the information system;"
-                      },
-                      {
-                        "id": "sc-18.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(c)[2]"
-                          }
-                        ],
-                        "prose": "monitors the use of mobile code within the information system; and"
-                      },
-                      {
-                        "id": "sc-18.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-18(c)[3]"
-                          }
-                        ],
-                        "prose": "controls the use of mobile code within the information system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing mobile code\\n\\nmobile code usage restrictions, mobile code implementation policy and\n                  procedures\\n\\nlist of acceptable mobile code and mobile code technologies\\n\\nlist of unacceptable mobile code and mobile technologies\\n\\nauthorization records\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing mobile code"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for controlling, authorizing, monitoring, and restricting\n                  mobile code\\n\\nautomated mechanisms supporting and/or implementing the management of mobile\n                  code\\n\\nautomated mechanisms supporting and/or implementing the monitoring of mobile\n                  code"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-19",
-            "class": "SP800-53",
-            "title": "Voice Over Internet Protocol",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-19"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-19"
-              }
-            ],
-            "links": [
-              {
-                "href": "#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-58"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-19_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "sc-19_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Establishes usage restrictions and implementation guidance for Voice over Internet\n                  Protocol (VoIP) technologies based on the potential to cause damage to the\n                  information system if used maliciously; and"
-                  },
-                  {
-                    "id": "sc-19_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Authorizes, monitors, and controls the use of VoIP within the information\n                  system."
-                  }
-                ]
-              },
-              {
-                "id": "sc-19_gdn",
-                "name": "guidance",
-                "links": [
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-15",
-                    "rel": "related",
-                    "text": "SC-15"
-                  }
-                ]
-              },
-              {
-                "id": "sc-19_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "sc-19.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-19(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-19.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(a)[1]"
-                          }
-                        ],
-                        "prose": "establishes usage restrictions for Voice over Internet Protocol (VoIP)\n                     technologies based on the potential to cause damage to the information system\n                     if used maliciously;"
-                      },
-                      {
-                        "id": "sc-19.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(a)[2]"
-                          }
-                        ],
-                        "prose": "establishes implementation guidance for Voice over Internet Protocol (VoIP)\n                     technologies based on the potential to cause damage to the information system\n                     if used maliciously;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-19.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-19(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "sc-19.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(b)[1]"
-                          }
-                        ],
-                        "prose": "authorizes the use of VoIP within the information system;"
-                      },
-                      {
-                        "id": "sc-19.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(b)[2]"
-                          }
-                        ],
-                        "prose": "monitors the use of VoIP within the information system; and"
-                      },
-                      {
-                        "id": "sc-19.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-19(b)[3]"
-                          }
-                        ],
-                        "prose": "controls the use of VoIP within the information system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing VoIP\\n\\nVoIP usage restrictions\\n\\nVoIP implementation guidance\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system monitoring records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing VoIP"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational process for authorizing, monitoring, and controlling VoIP\\n\\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and\n                  controlling VoIP"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-20",
-            "class": "SP800-53",
-            "title": "Secure Name / Address Resolution Service (authoritative Source)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-20"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-20"
-              }
-            ],
-            "links": [
-              {
-                "href": "#28115a56-da6b-4d44-b1df-51dd7f048a3e",
-                "rel": "reference",
-                "text": "OMB Memorandum 08-23"
-              },
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-20_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "sc-20_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Provides additional data origin authentication and integrity verification\n                  artifacts along with the authoritative name resolution data the system returns in\n                  response to external name/address resolution queries; and"
-                  },
-                  {
-                    "id": "sc-20_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Provides the means to indicate the security status of child zones and (if the\n                  child supports secure resolution services) to enable verification of a chain of\n                  trust among parent and child domains, when operating as part of a distributed,\n                  hierarchical namespace."
-                  }
-                ]
-              },
-              {
-                "id": "sc-20_gdn",
-                "name": "guidance",
-                "prose": "This control enables external clients including, for example, remote Internet\n               clients, to obtain origin authentication and integrity verification assurances for\n               the host/service name to network address resolution information obtained through the\n               service. Information systems that provide name and address resolution services\n               include, for example, domain name system (DNS) servers. Additional artifacts include,\n               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS\n               resource records are examples of authoritative data. The means to indicate the\n               security status of child zones includes, for example, the use of delegation signer\n               resource records in the DNS. The DNS security controls reflect (and are referenced\n               from) OMB Memorandum 08-23. Information systems that use technologies other than the\n               DNS to map between host/service names and network addresses provide other means to\n               assure the authenticity and integrity of response data.",
-                "links": [
-                  {
-                    "href": "#au-10",
-                    "rel": "related",
-                    "text": "AU-10"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-12",
-                    "rel": "related",
-                    "text": "SC-12"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#sc-21",
-                    "rel": "related",
-                    "text": "SC-21"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-20_obj",
-                "name": "objective",
-                "prose": "Determine if the information system:",
-                "parts": [
-                  {
-                    "id": "sc-20.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-20(a)"
-                      }
-                    ],
-                    "prose": "provides additional data origin and integrity verification artifacts along with\n                  the authoritative name resolution data the system returns in response to external\n                  name/address resolution queries;"
-                  },
-                  {
-                    "id": "sc-20.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-20(b)"
-                      }
-                    ],
-                    "prose": "provides the means to, when operating as part of a distributed, hierarchical\n                  namespace:",
-                    "parts": [
-                      {
-                        "id": "sc-20.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-20(b)[1]"
-                          }
-                        ],
-                        "prose": "indicate the security status of child zones; and"
-                      },
-                      {
-                        "id": "sc-20.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-20(b)[2]"
-                          }
-                        ],
-                        "prose": "enable verification of a chain of trust among parent and child domains (if the\n                     child supports secure resolution services)."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (authoritative\n                  source)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing secure name/address resolution\n                  service"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-21",
-            "class": "SP800-53",
-            "title": "Secure Name / Address Resolution Service (recursive or Caching Resolver)",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-21"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-21"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-21_smt",
-                "name": "statement",
-                "prose": "The information system requests and performs data origin authentication and data\n               integrity verification on the name/address resolution responses the system receives\n               from authoritative sources."
-              },
-              {
-                "id": "sc-21_gdn",
-                "name": "guidance",
-                "prose": "Each client of name resolution services either performs this validation on its own,\n               or has authenticated channels to trusted validation providers. Information systems\n               that provide name and address resolution services for local clients include, for\n               example, recursive resolving or caching domain name system (DNS) servers. DNS client\n               resolvers either perform validation of DNSSEC signatures, or clients use\n               authenticated channels to recursive resolvers that perform such validations.\n               Information systems that use technologies other than the DNS to map between\n               host/service names and network addresses provide other means to enable clients to\n               verify the authenticity and integrity of response data.",
-                "links": [
-                  {
-                    "href": "#sc-20",
-                    "rel": "related",
-                    "text": "SC-20"
-                  },
-                  {
-                    "href": "#sc-22",
-                    "rel": "related",
-                    "text": "SC-22"
-                  }
-                ]
-              },
-              {
-                "id": "sc-21_obj",
-                "name": "objective",
-                "prose": "Determine if the information system: ",
-                "parts": [
-                  {
-                    "id": "sc-21_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[1]"
-                      }
-                    ],
-                    "prose": "requests data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources;"
-                  },
-                  {
-                    "id": "sc-21_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[2]"
-                      }
-                    ],
-                    "prose": "requests data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources;"
-                  },
-                  {
-                    "id": "sc-21_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[3]"
-                      }
-                    ],
-                    "prose": "performs data origin authentication on the name/address resolution responses the\n                  system receives from authoritative sources; and"
-                  },
-                  {
-                    "id": "sc-21_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-21[4]"
-                      }
-                    ],
-                    "prose": "performs data integrity verification on the name/address resolution responses the\n                  system receives from authoritative sources."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing secure name/address resolution service (recursive or caching\n                  resolver)\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing data origin authentication and\n                  data integrity verification for name/address resolution services"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-22",
-            "class": "SP800-53",
-            "title": "Architecture and Provisioning for Name / Address Resolution Service",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-22"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-22"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6af1e841-672c-46c4-b121-96f603d04be3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-81"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-22_smt",
-                "name": "statement",
-                "prose": "The information systems that collectively provide name/address resolution service for\n               an organization are fault-tolerant and implement internal/external role\n               separation."
-              },
-              {
-                "id": "sc-22_gdn",
-                "name": "guidance",
-                "prose": "Information systems that provide name and address resolution services include, for\n               example, domain name system (DNS) servers. To eliminate single points of failure and\n               to enhance redundancy, organizations employ at least two authoritative domain name\n               system servers, one configured as the primary server and the other configured as the\n               secondary server. Additionally, organizations typically deploy the servers in two\n               geographically separated network subnetworks (i.e., not located in the same physical\n               facility). For role separation, DNS servers with internal roles only process name and\n               address resolution requests from within organizations (i.e., from internal clients).\n               DNS servers with external roles only process name and address resolution information\n               requests from clients external to organizations (i.e., on external networks including\n               the Internet). Organizations specify clients that can access authoritative DNS\n               servers in particular roles (e.g., by address ranges, explicit lists).",
-                "links": [
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-20",
-                    "rel": "related",
-                    "text": "SC-20"
-                  },
-                  {
-                    "href": "#sc-21",
-                    "rel": "related",
-                    "text": "SC-21"
-                  },
-                  {
-                    "href": "#sc-24",
-                    "rel": "related",
-                    "text": "SC-24"
-                  }
-                ]
-              },
-              {
-                "id": "sc-22_obj",
-                "name": "objective",
-                "prose": "Determine if the information systems that collectively provide name/address\n               resolution service for an organization: ",
-                "parts": [
-                  {
-                    "id": "sc-22_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-22[1]"
-                      }
-                    ],
-                    "prose": "are fault tolerant; and"
-                  },
-                  {
-                    "id": "sc-22_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SC-22[2]"
-                      }
-                    ],
-                    "prose": "implement internal/external role separation."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing architecture and provisioning for name/address resolution\n                  service\\n\\naccess control policy and procedures\\n\\ninformation system design documentation\\n\\nassessment results from independent, testing organizations\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with responsibilities for managing DNS"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing name/address resolution\n                  service for fault tolerance and role separation"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-23",
-            "class": "SP800-53",
-            "title": "Session Authenticity",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-23"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-23"
-              }
-            ],
-            "links": [
-              {
-                "href": "#90c5bc98-f9c4-44c9-98b7-787422f0999c",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-52"
-              },
-              {
-                "href": "#99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-77"
-              },
-              {
-                "href": "#1ebdf782-d95d-4a7b-8ec7-ee860951eced",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-95"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-23_smt",
-                "name": "statement",
-                "prose": "The information system protects the authenticity of communications sessions."
-              },
-              {
-                "id": "sc-23_gdn",
-                "name": "guidance",
-                "prose": "This control addresses communications protection at the session, versus packet level\n               (e.g., sessions in service-oriented architectures providing web-based services) and\n               establishes grounds for confidence at both ends of communications sessions in ongoing\n               identities of other parties and in the validity of information transmitted.\n               Authenticity protection includes, for example, protecting against man-in-the-middle\n               attacks/session hijacking and the insertion of false information into sessions.",
-                "links": [
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-10",
-                    "rel": "related",
-                    "text": "SC-10"
-                  },
-                  {
-                    "href": "#sc-11",
-                    "rel": "related",
-                    "text": "SC-11"
-                  }
-                ]
-              },
-              {
-                "id": "sc-23_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system protects the authenticity of communications\n               sessions."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing session authenticity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing session authenticity"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-28",
-            "class": "SP800-53",
-            "title": "Protection of Information at Rest",
-            "parameters": [
-              {
-                "id": "sc-28_prm_1",
-                "constraints": [
-                  {
-                    "detail": "confidentiality AND integrity"
-                  }
-                ]
-              },
-              {
-                "id": "sc-28_prm_2",
-                "label": "organization-defined information at rest"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-28"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-28"
-              }
-            ],
-            "links": [
-              {
-                "href": "#81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-56"
-              },
-              {
-                "href": "#a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-57"
-              },
-              {
-                "href": "#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-111"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-28_smt",
-                "name": "statement",
-                "prose": "The information system protects the {{ sc-28_prm_1 }} of {{ sc-28_prm_2 }}.",
-                "parts": [
-                  {
-                    "id": "sc-28_fr",
-                    "name": "item",
-                    "title": "SC-28 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "sc-28_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "sc-28_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the confidentiality and integrity of information at rest and\n               covers user information and system information. Information at rest refers to the\n               state of information when it is located on storage devices as specific components of\n               information systems. System-related information requiring protection includes, for\n               example, configurations or rule sets for firewalls, gateways, intrusion\n               detection/prevention systems, filtering routers, and authenticator content.\n               Organizations may employ different mechanisms to achieve confidentiality and\n               integrity protections, including the use of cryptographic mechanisms and file share\n               scanning. Integrity protection can be achieved, for example, by implementing\n               Write-Once-Read-Many (WORM) technologies. Organizations may also employ other\n               security controls including, for example, secure off-line storage in lieu of online\n               storage when adequate protection of information at rest cannot otherwise be achieved\n               and/or continuous monitoring to identify malicious code at rest.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "sc-28_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "sc-28_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-28[1]"
-                      }
-                    ],
-                    "prose": "the organization defines information at rest requiring one or more of the\n                  following:",
-                    "parts": [
-                      {
-                        "id": "sc-28_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-28[1][a]"
-                          }
-                        ],
-                        "prose": "confidentiality protection; and/or"
-                      },
-                      {
-                        "id": "sc-28_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-28[1][b]"
-                          }
-                        ],
-                        "prose": "integrity protection;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-28_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SC-28[2]"
-                      }
-                    ],
-                    "prose": "the information system protects:",
-                    "parts": [
-                      {
-                        "id": "sc-28_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-28[2][a]"
-                          }
-                        ],
-                        "prose": "the confidentiality of organization-defined information at rest; and/or"
-                      },
-                      {
-                        "id": "sc-28_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SC-28[2][b]"
-                          }
-                        ],
-                        "prose": "the integrity of organization-defined information at rest."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and communications protection policy\\n\\nprocedures addressing protection of information at rest\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\nlist of information at rest requiring confidentiality and integrity\n                  protections\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing confidentiality and integrity\n                  protections for information at rest"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "sc-28.1",
-                "class": "SP800-53-enhancement",
-                "title": "Cryptographic Protection",
-                "parameters": [
-                  {
-                    "id": "sc-28.1_prm_1",
-                    "label": "organization-defined information"
-                  },
-                  {
-                    "id": "sc-28.1_prm_2",
-                    "label": "organization-defined information system components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SC-28(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "sc-28.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "sc-28.1_smt",
-                    "name": "statement",
-                    "prose": "The information system implements cryptographic mechanisms to prevent unauthorized\n                  disclosure and modification of {{ sc-28.1_prm_1 }} on {{ sc-28.1_prm_2 }}."
-                  },
-                  {
-                    "id": "sc-28.1_gdn",
-                    "name": "guidance",
-                    "prose": "Selection of cryptographic mechanisms is based on the need to protect the\n                  confidentiality and integrity of organizational information. The strength of\n                  mechanism is commensurate with the security category and/or classification of the\n                  information. This control enhancement applies to significant concentrations of\n                  digital media in organizational areas designated for media storage and also to\n                  limited quantities of media generally associated with information system\n                  components in operational environments (e.g., portable storage devices, mobile\n                  devices). Organizations have the flexibility to either encrypt all information on\n                  storage devices (i.e., full disk encryption) or encrypt specific data structures\n                  (e.g., files, records, or fields). Organizations employing cryptographic\n                  mechanisms to protect information at rest also consider cryptographic key\n                  management solutions.",
-                    "links": [
-                      {
-                        "href": "#ac-19",
-                        "rel": "related",
-                        "text": "AC-19"
-                      },
-                      {
-                        "href": "#sc-12",
-                        "rel": "related",
-                        "text": "SC-12"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "sc-28.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "sc-28.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-28(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines information requiring cryptographic protection;"
-                      },
-                      {
-                        "id": "sc-28.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-28(1)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines information system components with\n                     organization-defined information requiring cryptographic protection; and"
-                      },
-                      {
-                        "id": "sc-28.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SC-28(1)[3]"
-                          }
-                        ],
-                        "prose": "the information system employs cryptographic mechanisms to prevent unauthorized\n                     disclosure and modification of organization-defined information on\n                     organization-defined information system components."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and communications protection policy\\n\\nprocedures addressing protection of information at rest\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ncryptographic mechanisms and associated configuration documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections\n                     for information at rest"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "sc-39",
-            "class": "SP800-53",
-            "title": "Process Isolation",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SC-39"
-              },
-              {
-                "name": "sort-id",
-                "value": "sc-39"
-              }
-            ],
-            "parts": [
-              {
-                "id": "sc-39_smt",
-                "name": "statement",
-                "prose": "The information system maintains a separate execution domain for each executing\n               process."
-              },
-              {
-                "id": "sc-39_gdn",
-                "name": "guidance",
-                "prose": "Information systems can maintain separate execution domains for each executing\n               process by assigning each process a separate address space. Each information system\n               process has a distinct address space so that communication between processes is\n               performed in a manner controlled through the security functions, and one process\n               cannot modify the executing code of another process. Maintaining separate execution\n               domains for executing processes can be achieved, for example, by implementing\n               separate address spaces. This capability is available in most commercial operating\n               systems that employ multi-state processor technologies.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-6",
-                    "rel": "related",
-                    "text": "AC-6"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-5",
-                    "rel": "related",
-                    "text": "SA-5"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sc-2",
-                    "rel": "related",
-                    "text": "SC-2"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "sc-39_obj",
-                "name": "objective",
-                "properties": [
-                  {
-                    "name": "conformity",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": "assessment-objective"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "EXAMINE"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "INTERVIEW"
-                  },
-                  {
-                    "name": "method",
-                    "class": "fedramp",
-                    "value": "TEST"
-                  }
-                ],
-                "prose": "Determine if the information system maintains a separate execution domain for each\n               executing process."
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system design documentation\\n\\ninformation system architecture\\n\\nindependent verification and validation documentation\\n\\ntesting and evaluation documentation, other relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Information system developers/integrators\\n\\ninformation system security architect"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing separate execution domains for\n                  each executing process"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      },
-      {
-        "id": "si",
-        "class": "family",
-        "title": "System and Information Integrity",
-        "controls": [
-          {
-            "id": "si-1",
-            "class": "SP800-53",
-            "title": "System and Information Integrity Policy and Procedures",
-            "parameters": [
-              {
-                "id": "si-1_prm_1",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-1_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least every 3 years"
-                  }
-                ]
-              },
-              {
-                "id": "si-1_prm_3",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least annually"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-1"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-01"
-              }
-            ],
-            "links": [
-              {
-                "href": "#5c201b63-0768-417b-ac22-3f014e3941b2",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-12"
-              },
-              {
-                "href": "#9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-100"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-1_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-1_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Develops, documents, and disseminates to {{ si-1_prm_1 }}:",
-                    "parts": [
-                      {
-                        "id": "si-1_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "A system and information integrity policy that addresses purpose, scope, roles,\n                     responsibilities, management commitment, coordination among organizational\n                     entities, and compliance; and"
-                      },
-                      {
-                        "id": "si-1_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Procedures to facilitate the implementation of the system and information\n                     integrity policy and associated system and information integrity controls;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-1_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reviews and updates the current:",
-                    "parts": [
-                      {
-                        "id": "si-1_smt.b.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "System and information integrity policy {{ si-1_prm_2 }};\n                     and"
-                      },
-                      {
-                        "id": "si-1_smt.b.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "System and information integrity procedures {{ si-1_prm_3 }}."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-1_gdn",
-                "name": "guidance",
-                "prose": "This control addresses the establishment of policy and procedures for the effective\n               implementation of selected security controls and control enhancements in the SI\n               family. Policy and procedures reflect applicable federal laws, Executive Orders,\n               directives, regulations, policies, standards, and guidance. Security program policies\n               and procedures at the organization level may make the need for system-specific\n               policies and procedures unnecessary. The policy can be included as part of the\n               general information security policy for organizations or conversely, can be\n               represented by multiple policies reflecting the complex nature of certain\n               organizations. The procedures can be established for the security program in general\n               and for particular information systems, if needed. The organizational risk management\n               strategy is a key factor in establishing policy and procedures.",
-                "links": [
-                  {
-                    "href": "#pm-9",
-                    "rel": "related",
-                    "text": "PM-9"
-                  }
-                ]
-              },
-              {
-                "id": "si-1_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-1.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-1(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-1.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents a system and information integrity policy that\n                        addresses:",
-                            "parts": [
-                              {
-                                "id": "si-1.a.1_obj.1.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][a]"
-                                  }
-                                ],
-                                "prose": "purpose;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][b]"
-                                  }
-                                ],
-                                "prose": "scope;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][c]"
-                                  }
-                                ],
-                                "prose": "roles;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][d]"
-                                  }
-                                ],
-                                "prose": "responsibilities;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.e",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][e]"
-                                  }
-                                ],
-                                "prose": "management commitment;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.f",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][f]"
-                                  }
-                                ],
-                                "prose": "coordination among organizational entities;"
-                              },
-                              {
-                                "id": "si-1.a.1_obj.1.g",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-1(a)(1)[1][g]"
-                                  }
-                                ],
-                                "prose": "compliance;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "si-1.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the system and information integrity\n                        policy is to be disseminated;"
-                          },
-                          {
-                            "id": "si-1.a.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(1)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the system and information integrity policy to\n                        organization-defined personnel or roles;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-1.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(a)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "develops and documents procedures to facilitate the implementation of the\n                        system and information integrity policy and associated system and\n                        information integrity controls;"
-                          },
-                          {
-                            "id": "si-1.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "defines personnel or roles to whom the procedures are to be\n                        disseminated;"
-                          },
-                          {
-                            "id": "si-1.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "disseminates the procedures to organization-defined personnel or roles;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-1.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-1(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-1.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(b)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.b.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        information integrity policy;"
-                          },
-                          {
-                            "id": "si-1.b.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(1)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and information integrity policy with\n                        the organization-defined frequency;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-1.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-1(b)(2)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-1.b.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(2)[1]"
-                              }
-                            ],
-                            "prose": "defines the frequency to review and update the current system and\n                        information integrity procedures; and"
-                          },
-                          {
-                            "id": "si-1.b.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-1(b)(2)[2]"
-                              }
-                            ],
-                            "prose": "reviews and updates the current system and information integrity procedures\n                        with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy and procedures\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with system and information integrity\n                  responsibilities\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-2",
-            "class": "SP800-53",
-            "title": "Flaw Remediation",
-            "parameters": [
-              {
-                "id": "si-2_prm_1",
-                "label": "organization-defined time period",
-                "constraints": [
-                  {
-                    "detail": "within 30 days of release of updates"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-2"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-02"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              },
-              {
-                "href": "#080f8068-5e3e-435e-9790-d22ba4722693",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-128"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-2_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-2_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Identifies, reports, and corrects information system flaws;"
-                  },
-                  {
-                    "id": "si-2_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Tests software and firmware updates related to flaw remediation for effectiveness\n                  and potential side effects before installation;"
-                  },
-                  {
-                    "id": "si-2_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and"
-                  },
-                  {
-                    "id": "si-2_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Incorporates flaw remediation into the organizational configuration management\n                  process."
-                  }
-                ]
-              },
-              {
-                "id": "si-2_gdn",
-                "name": "guidance",
-                "prose": "Organizations identify information systems affected by announced software flaws\n               including potential vulnerabilities resulting from those flaws, and report this\n               information to designated organizational personnel with information security\n               responsibilities. Security-relevant software updates include, for example, patches,\n               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws\n               discovered during security assessments, continuous monitoring, incident response\n               activities, and system error handling. Organizations take advantage of available\n               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and\n               Exposures (CVE) databases in remediating flaws discovered in organizational\n               information systems. By incorporating flaw remediation into ongoing configuration\n               management processes, required/anticipated remediation actions can be tracked and\n               verified. Flaw remediation actions that can be tracked and verified include, for\n               example, determining whether organizations follow US-CERT guidance and Information\n               Assurance Vulnerability Alerts. Organization-defined time periods for updating\n               security-relevant software and firmware may vary based on a variety of factors\n               including, for example, the security category of the information system or the\n               criticality of the update (i.e., severity of the vulnerability related to the\n               discovered flaw). Some types of flaw remediation may require more testing than other\n               types. Organizations determine the degree and type of testing needed for the specific\n               type of flaw remediation activity under consideration and also the types of changes\n               that are to be configuration-managed. In some situations, organizations may determine\n               that the testing of software and/or firmware updates is not necessary or practical,\n               for example, when implementing simple anti-virus signature updates. Organizations may\n               also consider in testing decisions, whether security-relevant software or firmware\n               updates are obtained from authorized sources with appropriate digital signatures.",
-                "links": [
-                  {
-                    "href": "#ca-2",
-                    "rel": "related",
-                    "text": "CA-2"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#cm-5",
-                    "rel": "related",
-                    "text": "CM-5"
-                  },
-                  {
-                    "href": "#cm-8",
-                    "rel": "related",
-                    "text": "CM-8"
-                  },
-                  {
-                    "href": "#ma-2",
-                    "rel": "related",
-                    "text": "MA-2"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sa-10",
-                    "rel": "related",
-                    "text": "SA-10"
-                  },
-                  {
-                    "href": "#sa-11",
-                    "rel": "related",
-                    "text": "SA-11"
-                  },
-                  {
-                    "href": "#si-11",
-                    "rel": "related",
-                    "text": "SI-11"
-                  }
-                ]
-              },
-              {
-                "id": "si-2_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-2.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[1]"
-                          }
-                        ],
-                        "prose": "identifies information system flaws;"
-                      },
-                      {
-                        "id": "si-2.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[2]"
-                          }
-                        ],
-                        "prose": "reports information system flaws;"
-                      },
-                      {
-                        "id": "si-2.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(a)[3]"
-                          }
-                        ],
-                        "prose": "corrects information system flaws;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(b)[1]"
-                          }
-                        ],
-                        "prose": "tests software updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"
-                      },
-                      {
-                        "id": "si-2.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(b)[2]"
-                          }
-                        ],
-                        "prose": "tests firmware updates related to flaw remediation for effectiveness and\n                     potential side effects before installation;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-2(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-2.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[1]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to install security-relevant software\n                     updates after the release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[2]"
-                          }
-                        ],
-                        "prose": "defines the time period within which to install security-relevant firmware\n                     updates after the release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[3]"
-                          }
-                        ],
-                        "prose": "installs software updates within the organization-defined time period of the\n                     release of the updates;"
-                      },
-                      {
-                        "id": "si-2.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(c)[4]"
-                          }
-                        ],
-                        "prose": "installs firmware updates within the organization-defined time period of the\n                     release of the updates; and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-2(d)"
-                      }
-                    ],
-                    "prose": "incorporates flaw remediation into the organizational configuration management\n                  process."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nprocedures addressing configuration management\\n\\nlist of flaws and vulnerabilities potentially affecting the information system\\n\\nlist of recent security flaw remediation actions performed on the information\n                  system (e.g., list of installed patches, service packs, hot fixes, and other\n                  software updates to correct information system flaws)\\n\\ntest results from the installation of software and firmware updates to correct\n                  information system flaws\\n\\ninstallation/change control records for security-relevant software and firmware\n                  updates\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for flaw remediation\\n\\norganizational personnel with configuration management responsibility"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for identifying, reporting, and correcting information\n                  system flaws\\n\\norganizational process for installing software and firmware updates\\n\\nautomated mechanisms supporting and/or implementing reporting, and correcting\n                  information system flaws\\n\\nautomated mechanisms supporting and/or implementing testing software and firmware\n                  updates"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-2.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Flaw Remediation Status",
-                "parameters": [
-                  {
-                    "id": "si-2.2_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least monthly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-2(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-02.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-2.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated mechanisms {{ si-2.2_prm_1 }} to\n                  determine the state of information system components with regard to flaw\n                  remediation."
-                  },
-                  {
-                    "id": "si-2.2_gdn",
-                    "name": "guidance",
-                    "links": [
-                      {
-                        "href": "#cm-6",
-                        "rel": "related",
-                        "text": "CM-6"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.2_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-2.2_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(2)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to employ automated mechanisms to determine the state of\n                     information system components with regard to flaw remediation; and"
-                      },
-                      {
-                        "id": "si-2.2_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(2)[2]"
-                          }
-                        ],
-                        "prose": "employs automated mechanisms with the organization-defined frequency to\n                     determine the state of information system components with regard to flaw\n                     remediation."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\nautomated mechanisms supporting centralized management of flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms used to determine the state of information system\n                     components with regard to flaw remediation"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-2.3",
-                "class": "SP800-53-enhancement",
-                "title": "Time to Remediate Flaws / Benchmarks for Corrective Actions",
-                "parameters": [
-                  {
-                    "id": "si-2.3_prm_1",
-                    "label": "organization-defined benchmarks"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-2(3)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-02.03"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-2.3_smt",
-                    "name": "statement",
-                    "prose": "The organization:",
-                    "parts": [
-                      {
-                        "id": "si-2.3_smt.a",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(a)"
-                          }
-                        ],
-                        "prose": "Measures the time between flaw identification and flaw remediation; and"
-                      },
-                      {
-                        "id": "si-2.3_smt.b",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "(b)"
-                          }
-                        ],
-                        "prose": "Establishes {{ si-2.3_prm_1 }} for taking corrective\n                     actions."
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-2.3_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement requires organizations to determine the current time it\n                  takes on the average to correct information system flaws after such flaws have\n                  been identified, and subsequently establish organizational benchmarks (i.e., time\n                  frames) for taking corrective actions. Benchmarks can be established by type of\n                  flaw and/or severity of the potential vulnerability if the flaw can be\n                  exploited."
-                  },
-                  {
-                    "id": "si-2.3_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-2.3.a_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-2(3)(a)"
-                          }
-                        ],
-                        "prose": "measures the time between flaw identification and flaw remediation;",
-                        "links": [
-                          {
-                            "href": "#si-2.3_smt.a",
-                            "rel": "corresp",
-                            "text": "SI-2(3)(a)"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-2.3.b_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-2(3)(b)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-2.3.b_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-2(3)(b)[1]"
-                              }
-                            ],
-                            "prose": "defines benchmarks for taking corrective actions; and"
-                          },
-                          {
-                            "id": "si-2.3.b_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-2(3)(b)[2]"
-                              }
-                            ],
-                            "prose": "establishes organization-defined benchmarks for taking corrective\n                        actions."
-                          }
-                        ],
-                        "links": [
-                          {
-                            "href": "#si-2.3_smt.b",
-                            "rel": "corresp",
-                            "text": "SI-2(3)(b)"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing flaw remediation\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of benchmarks for taking corrective action on flaws identified\\n\\nrecords providing time stamps of flaw identification and subsequent flaw\n                     remediation activities\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for flaw remediation"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for identifying, reporting, and correcting information\n                     system flaws\\n\\nautomated mechanisms used to measure the time between flaw identification and\n                     flaw remediation"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-3",
-            "class": "SP800-53",
-            "title": "Malicious Code Protection",
-            "parameters": [
-              {
-                "id": "si-3_prm_1",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least weekly"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_2",
-                "constraints": [
-                  {
-                    "detail": "to include endpoints"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_3",
-                "constraints": [
-                  {
-                    "detail": "to include alerting administrator or defined security personnel"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_prm_4",
-                "depends-on": "si-3_prm_3",
-                "label": "organization-defined action"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-3"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-03"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-3_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-3_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs malicious code protection mechanisms at information system entry and exit\n                  points to detect and eradicate malicious code;"
-                  },
-                  {
-                    "id": "si-3_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and\n                  procedures;"
-                  },
-                  {
-                    "id": "si-3_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Configures malicious code protection mechanisms to:",
-                    "parts": [
-                      {
-                        "id": "si-3_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in\n                     accordance with organizational security policy; and"
-                      },
-                      {
-                        "id": "si-3_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "\n                     {{ si-3_prm_3 }} in response to malicious code detection;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Addresses the receipt of false positives during malicious code detection and\n                  eradication and the resulting potential impact on the availability of the\n                  information system."
-                  }
-                ]
-              },
-              {
-                "id": "si-3_gdn",
-                "name": "guidance",
-                "prose": "Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations,\n               notebook computers, and mobile devices. Malicious code includes, for example,\n               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in\n               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden\n               files, or hidden in files using steganography. Malicious code can be transported by\n               different means including, for example, web accesses, electronic mail, electronic\n               mail attachments, and portable storage devices. Malicious code insertions occur\n               through the exploitation of information system vulnerabilities. Malicious code\n               protection mechanisms include, for example, anti-virus signature definitions and\n               reputation-based technologies. A variety of technologies and methods exist to limit\n               or eliminate the effects of malicious code. Pervasive configuration management and\n               comprehensive software integrity controls may be effective in preventing execution of\n               unauthorized code. In addition to commercial off-the-shelf software, malicious code\n               may also be present in custom-built software. This could include, for example, logic\n               bombs, back doors, and other types of cyber attacks that could affect organizational\n               missions/business functions. Traditional malicious code protection mechanisms cannot\n               always detect such code. In these situations, organizations rely instead on other\n               safeguards including, for example, secure coding practices, configuration management\n               and control, trusted procurement processes, and monitoring practices to help ensure\n               that software does not perform functions other than the functions intended.\n               Organizations may determine that in response to the detection of malicious code,\n               different actions may be warranted. For example, organizations can define actions in\n               response to malicious code detection during periodic scans, actions in response to\n               detection of malicious downloads, and/or actions in response to detection of\n               maliciousness when attempting to open or execute files.",
-                "links": [
-                  {
-                    "href": "#cm-3",
-                    "rel": "related",
-                    "text": "CM-3"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#sa-4",
-                    "rel": "related",
-                    "text": "SA-4"
-                  },
-                  {
-                    "href": "#sa-8",
-                    "rel": "related",
-                    "text": "SA-8"
-                  },
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sa-13",
-                    "rel": "related",
-                    "text": "SA-13"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-26",
-                    "rel": "related",
-                    "text": "SC-26"
-                  },
-                  {
-                    "href": "#sc-44",
-                    "rel": "related",
-                    "text": "SC-44"
-                  },
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  },
-                  {
-                    "href": "#si-4",
-                    "rel": "related",
-                    "text": "SI-4"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "si-3_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-3.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-3(a)"
-                      }
-                    ],
-                    "prose": "employs malicious code protection mechanisms to detect and eradicate malicious\n                  code at information system:",
-                    "parts": [
-                      {
-                        "id": "si-3.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(a)[1]"
-                          }
-                        ],
-                        "prose": "entry points;"
-                      },
-                      {
-                        "id": "si-3.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(a)[2]"
-                          }
-                        ],
-                        "prose": "exit points;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-3(b)"
-                      }
-                    ],
-                    "prose": "updates malicious code protection mechanisms whenever new releases are available\n                  in accordance with organizational configuration management policy and procedures\n                  (as identified in CM-1);"
-                  },
-                  {
-                    "id": "si-3.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-3.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency for malicious code protection mechanisms to perform\n                     periodic scans of the information system;"
-                      },
-                      {
-                        "id": "si-3.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[2]"
-                          }
-                        ],
-                        "prose": "defines action to be initiated by malicious protection mechanisms in response\n                     to malicious code detection;"
-                      },
-                      {
-                        "id": "si-3.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-3(c)[3]"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-3.c.1_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-3(c)[3](1)"
-                              }
-                            ],
-                            "prose": "configures malicious code protection mechanisms to:",
-                            "parts": [
-                              {
-                                "id": "si-3.c.1_obj.3.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](1)[a]"
-                                  }
-                                ],
-                                "prose": "perform periodic scans of the information system with the\n                           organization-defined frequency;"
-                              },
-                              {
-                                "id": "si-3.c.1_obj.3.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](1)[b]"
-                                  }
-                                ],
-                                "prose": "perform real-time scans of files from external sources at endpoint and/or\n                           network entry/exit points as the files are downloaded, opened, or\n                           executed in accordance with organizational security policy;"
-                              }
-                            ]
-                          },
-                          {
-                            "id": "si-3.c.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-3(c)[3](2)"
-                              }
-                            ],
-                            "prose": "configures malicious code protection mechanisms to do one or more of the\n                        following:",
-                            "parts": [
-                              {
-                                "id": "si-3.c.2_obj.3.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[a]"
-                                  }
-                                ],
-                                "prose": "block malicious code in response to malicious code detection;"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[b]"
-                                  }
-                                ],
-                                "prose": "quarantine malicious code in response to malicious code detection;"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.c",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[c]"
-                                  }
-                                ],
-                                "prose": "send alert to administrator in response to malicious code detection;\n                           and/or"
-                              },
-                              {
-                                "id": "si-3.c.2_obj.3.d",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-3(c)[3](2)[d]"
-                                  }
-                                ],
-                                "prose": "initiate organization-defined action in response to malicious code\n                           detection;"
-                              }
-                            ]
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-3(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-3.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(d)[1]"
-                          }
-                        ],
-                        "prose": "addresses the receipt of false positives during malicious code detection and\n                     eradication; and"
-                      },
-                      {
-                        "id": "si-3.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-3(d)[2]"
-                          }
-                        ],
-                        "prose": "addresses the resulting potential impact on the availability of the information\n                     system."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nconfiguration management policy and procedures\\n\\nprocedures addressing malicious code protection\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nscan results from malicious code protection mechanisms\\n\\nrecord of actions initiated by malicious code protection mechanisms in response to\n                  malicious code detection\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility for malicious code protection\\n\\norganizational personnel with configuration management responsibility"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for employing, updating, and configuring malicious code\n                  protection mechanisms\\n\\norganizational process for addressing false positives and resulting potential\n                  impact\\n\\nautomated mechanisms supporting and/or implementing employing, updating, and\n                  configuring malicious code protection mechanisms\\n\\nautomated mechanisms supporting and/or implementing malicious code scanning and\n                  subsequent actions"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-3.1",
-                "class": "SP800-53-enhancement",
-                "title": "Central Management",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-3(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-03.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-3.1_smt",
-                    "name": "statement",
-                    "prose": "The organization centrally manages malicious code protection mechanisms."
-                  },
-                  {
-                    "id": "si-3.1_gdn",
-                    "name": "guidance",
-                    "prose": "Central management is the organization-wide management and implementation of\n                  malicious code protection mechanisms. Central management includes planning,\n                  implementing, assessing, authorizing, and monitoring the organization-defined,\n                  centrally managed flaw malicious code protection security controls.",
-                    "links": [
-                      {
-                        "href": "#au-2",
-                        "rel": "related",
-                        "text": "AU-2"
-                      },
-                      {
-                        "href": "#si-8",
-                        "rel": "related",
-                        "text": "SI-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization centrally manages malicious code protection\n                  mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\nautomated mechanisms supporting centralized management of malicious code\n                     protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for central management of malicious code protection\n                     mechanisms\\n\\nautomated mechanisms supporting and/or implementing central management of\n                     malicious code protection mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-3.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automatic Updates",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-3(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-03.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-3.2_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically updates malicious code protection\n                  mechanisms."
-                  },
-                  {
-                    "id": "si-3.2_gdn",
-                    "name": "guidance",
-                    "prose": "Malicious code protection mechanisms include, for example, signature definitions.\n                  Due to information system integrity and availability concerns, organizations give\n                  careful consideration to the methodology used to carry out automatic updates.",
-                    "links": [
-                      {
-                        "href": "#si-8",
-                        "rel": "related",
-                        "text": "SI-8"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-3.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system automatically updates malicious code\n                  protection mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\nautomated mechanisms supporting centralized management of malicious code\n                     protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing automatic updates to\n                     malicious code protection capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-3.7",
-                "class": "SP800-53-enhancement",
-                "title": "Nonsignature-based Detection",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-3(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-03.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-3.7_smt",
-                    "name": "statement",
-                    "prose": "The information system implements nonsignature-based malicious code detection\n                  mechanisms."
-                  },
-                  {
-                    "id": "si-3.7_gdn",
-                    "name": "guidance",
-                    "prose": "Nonsignature-based detection mechanisms include, for example, the use of\n                  heuristics to detect, analyze, and describe the characteristics or behavior of\n                  malicious code and to provide safeguards against malicious code for which\n                  signatures do not yet exist or for which existing signatures may not be effective.\n                  This includes polymorphic malicious code (i.e., code that changes signatures when\n                  it replicates). This control enhancement does not preclude the use of\n                  signature-based detection mechanisms."
-                  },
-                  {
-                    "id": "si-3.7_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system implements non signature-based malicious code\n                  detection mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing malicious code protection\\n\\ninformation system design documentation\\n\\nmalicious code protection mechanisms\\n\\nrecords of malicious code protection updates\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for malicious code protection"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Automated mechanisms supporting and/or implementing nonsignature-based\n                     malicious code protection capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-4",
-            "class": "SP800-53",
-            "title": "Information System Monitoring",
-            "parameters": [
-              {
-                "id": "si-4_prm_1",
-                "label": "organization-defined monitoring objectives"
-              },
-              {
-                "id": "si-4_prm_2",
-                "label": "organization-defined techniques and methods"
-              },
-              {
-                "id": "si-4_prm_3",
-                "label": "organization-defined information system monitoring information"
-              },
-              {
-                "id": "si-4_prm_4",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-4_prm_5"
-              },
-              {
-                "id": "si-4_prm_6",
-                "depends-on": "si-4_prm_5",
-                "label": "organization-defined frequency"
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-4"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-04"
-              }
-            ],
-            "links": [
-              {
-                "href": "#be95fb85-a53f-4624-bdbb-140075500aa3",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-61"
-              },
-              {
-                "href": "#6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-83"
-              },
-              {
-                "href": "#672fd561-b92b-4713-b9cf-6c9d9456728b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-92"
-              },
-              {
-                "href": "#d1b1d689-0f66-4474-9924-c81119758dc1",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-94"
-              },
-              {
-                "href": "#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-137"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-4_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-4_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Monitors the information system to detect:",
-                    "parts": [
-                      {
-                        "id": "si-4_smt.a.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and"
-                      },
-                      {
-                        "id": "si-4_smt.a.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "Unauthorized local, network, and remote connections;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Identifies unauthorized use of the information system through {{ si-4_prm_2 }};"
-                  },
-                  {
-                    "id": "si-4_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Deploys monitoring devices:",
-                    "parts": [
-                      {
-                        "id": "si-4_smt.c.1",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "1."
-                          }
-                        ],
-                        "prose": "Strategically within the information system to collect organization-determined\n                     essential information; and"
-                      },
-                      {
-                        "id": "si-4_smt.c.2",
-                        "name": "item",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "2."
-                          }
-                        ],
-                        "prose": "At ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Protects information obtained from intrusion-monitoring tools from unauthorized\n                  access, modification, and deletion;"
-                  },
-                  {
-                    "id": "si-4_smt.e",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "e."
-                      }
-                    ],
-                    "prose": "Heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"
-                  },
-                  {
-                    "id": "si-4_smt.f",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "f."
-                      }
-                    ],
-                    "prose": "Obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations; and"
-                  },
-                  {
-                    "id": "si-4_smt.g",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "g."
-                      }
-                    ],
-                    "prose": "Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}\n                  {{ si-4_prm_5 }}."
-                  },
-                  {
-                    "id": "si-4_fr",
-                    "name": "item",
-                    "title": "SI-4 Additional FedRAMP Requirements and Guidance",
-                    "parts": [
-                      {
-                        "id": "si-4_fr_gdn.1",
-                        "name": "guidance",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "Guidance:"
-                          }
-                        ],
-                        "prose": "See US-CERT Incident Response Reporting Guidelines."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4_gdn",
-                "name": "guidance",
-                "prose": "Information system monitoring includes external and internal monitoring. External\n               monitoring includes the observation of events occurring at the information system\n               boundary (i.e., part of perimeter defense and boundary protection). Internal\n               monitoring includes the observation of events occurring within the information\n               system. Organizations can monitor information systems, for example, by observing\n               audit activities in real time or by observing other system aspects such as access\n               patterns, characteristics of access, and other actions. The monitoring objectives may\n               guide determination of the events. Information system monitoring capability is\n               achieved through a variety of tools and techniques (e.g., intrusion detection\n               systems, intrusion prevention systems, malicious code protection software, scanning\n               tools, audit record monitoring software, network monitoring software). Strategic\n               locations for monitoring devices include, for example, selected perimeter locations\n               and near server farms supporting critical applications, with such devices typically\n               being employed at the managed interfaces associated with controls SC-7 and AC-17.\n               Einstein network monitoring devices from the Department of Homeland Security can also\n               be included as monitoring devices. The granularity of monitoring information\n               collected is based on organizational monitoring objectives and the capability of\n               information systems to support such objectives. Specific types of transactions of\n               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that\n               bypasses HTTP proxies. Information system monitoring is an integral part of\n               organizational continuous monitoring and incident response programs. Output from\n               system monitoring serves as input to continuous monitoring and incident response\n               programs. A network connection is any connection with a device that communicates\n               through a network (e.g., local area network, Internet). A remote connection is any\n               connection with a device communicating through an external network (e.g., the\n               Internet). Local, network, and remote connections can be either wired or\n               wireless.",
-                "links": [
-                  {
-                    "href": "#ac-3",
-                    "rel": "related",
-                    "text": "AC-3"
-                  },
-                  {
-                    "href": "#ac-4",
-                    "rel": "related",
-                    "text": "AC-4"
-                  },
-                  {
-                    "href": "#ac-8",
-                    "rel": "related",
-                    "text": "AC-8"
-                  },
-                  {
-                    "href": "#ac-17",
-                    "rel": "related",
-                    "text": "AC-17"
-                  },
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-6",
-                    "rel": "related",
-                    "text": "AU-6"
-                  },
-                  {
-                    "href": "#au-7",
-                    "rel": "related",
-                    "text": "AU-7"
-                  },
-                  {
-                    "href": "#au-9",
-                    "rel": "related",
-                    "text": "AU-9"
-                  },
-                  {
-                    "href": "#au-12",
-                    "rel": "related",
-                    "text": "AU-12"
-                  },
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#ir-4",
-                    "rel": "related",
-                    "text": "IR-4"
-                  },
-                  {
-                    "href": "#pe-3",
-                    "rel": "related",
-                    "text": "PE-3"
-                  },
-                  {
-                    "href": "#ra-5",
-                    "rel": "related",
-                    "text": "RA-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#sc-26",
-                    "rel": "related",
-                    "text": "SC-26"
-                  },
-                  {
-                    "href": "#sc-35",
-                    "rel": "related",
-                    "text": "SC-35"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  },
-                  {
-                    "href": "#si-7",
-                    "rel": "related",
-                    "text": "SI-7"
-                  }
-                ]
-              },
-              {
-                "id": "si-4_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-4.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.a.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(a)(1)"
-                          }
-                        ],
-                        "parts": [
-                          {
-                            "id": "si-4.a.1_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "EXAMINE"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(1)[1]"
-                              }
-                            ],
-                            "prose": "defines monitoring objectives to detect attacks and indicators of potential\n                        attacks on the information system;"
-                          },
-                          {
-                            "id": "si-4.a.1_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "conformity",
-                                "ns": "https://fedramp.gov/ns/oscal",
-                                "value": "assessment-objective"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "INTERVIEW"
-                              },
-                              {
-                                "name": "method",
-                                "class": "fedramp",
-                                "value": "TEST"
-                              },
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(1)[2]"
-                              }
-                            ],
-                            "prose": "monitors the information system to detect, in accordance with\n                        organization-defined monitoring objectives,:",
-                            "parts": [
-                              {
-                                "id": "si-4.a.1_obj.2.a",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-4(a)(1)[2][a]"
-                                  }
-                                ],
-                                "prose": "attacks;"
-                              },
-                              {
-                                "id": "si-4.a.1_obj.2.b",
-                                "name": "objective",
-                                "properties": [
-                                  {
-                                    "name": "label",
-                                    "value": "SI-4(a)(1)[2][b]"
-                                  }
-                                ],
-                                "prose": "indicators of potential attacks;"
-                              }
-                            ]
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-4.a.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(a)(2)"
-                          }
-                        ],
-                        "prose": "monitors the information system to detect unauthorized:",
-                        "parts": [
-                          {
-                            "id": "si-4.a.2_obj.1",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[1]"
-                              }
-                            ],
-                            "prose": "local connections;"
-                          },
-                          {
-                            "id": "si-4.a.2_obj.2",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[2]"
-                              }
-                            ],
-                            "prose": "network connections;"
-                          },
-                          {
-                            "id": "si-4.a.2_obj.3",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(a)(2)[3]"
-                              }
-                            ],
-                            "prose": "remote connections;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.b.1_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(b)(1)"
-                          }
-                        ],
-                        "prose": "defines techniques and methods to identify unauthorized use of the information\n                     system;"
-                      },
-                      {
-                        "id": "si-4.b.2_obj",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(b)(2)"
-                          }
-                        ],
-                        "prose": "identifies unauthorized use of the information system through\n                     organization-defined techniques and methods;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(c)"
-                      }
-                    ],
-                    "prose": "deploys monitoring devices:",
-                    "parts": [
-                      {
-                        "id": "si-4.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(c)[1]"
-                          }
-                        ],
-                        "prose": "strategically within the information system to collect organization-determined\n                     essential information;"
-                      },
-                      {
-                        "id": "si-4.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(c)[2]"
-                          }
-                        ],
-                        "prose": "at ad hoc locations within the system to track specific types of transactions\n                     of interest to the organization;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(d)"
-                      }
-                    ],
-                    "prose": "protects information obtained from intrusion-monitoring tools from\n                  unauthorized:",
-                    "parts": [
-                      {
-                        "id": "si-4.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[1]"
-                          }
-                        ],
-                        "prose": "access;"
-                      },
-                      {
-                        "id": "si-4.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[2]"
-                          }
-                        ],
-                        "prose": "modification;"
-                      },
-                      {
-                        "id": "si-4.d_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-4(d)[3]"
-                          }
-                        ],
-                        "prose": "deletion;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.e_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(e)"
-                      }
-                    ],
-                    "prose": "heightens the level of information system monitoring activity whenever there is an\n                  indication of increased risk to organizational operations and assets, individuals,\n                  other organizations, or the Nation based on law enforcement information,\n                  intelligence information, or other credible sources of information;"
-                  },
-                  {
-                    "id": "si-4.f_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-4(f)"
-                      }
-                    ],
-                    "prose": "obtains legal opinion with regard to information system monitoring activities in\n                  accordance with applicable federal laws, Executive Orders, directives, policies,\n                  or regulations;"
-                  },
-                  {
-                    "id": "si-4.g_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-4(g)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-4.g_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom information system monitoring information is\n                     to be provided;"
-                      },
-                      {
-                        "id": "si-4.g_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[2]"
-                          }
-                        ],
-                        "prose": "defines information system monitoring information to be provided to\n                     organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "si-4.g_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[3]"
-                          }
-                        ],
-                        "prose": "defines a frequency to provide organization-defined information system\n                     monitoring to organization-defined personnel or roles;"
-                      },
-                      {
-                        "id": "si-4.g_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(g)[4]"
-                          }
-                        ],
-                        "prose": "provides organization-defined information system monitoring information to\n                     organization-defined personnel or roles one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "si-4.g_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(g)[4][a]"
-                              }
-                            ],
-                            "prose": "as needed; and/or"
-                          },
-                          {
-                            "id": "si-4.g_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(g)[4][b]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Continuous monitoring strategy\\n\\nsystem and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\nfacility diagram/layout\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\nlocations within information system where monitoring devices are deployed\\n\\ninformation system configuration settings and associated documentation\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                  information system\\n\\norganizational personnel with responsibility monitoring the information system"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system monitoring\n                  capability"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-4.1",
-                "class": "SP800-53-enhancement",
-                "title": "System-wide Intrusion Detection System",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.1_smt",
-                    "name": "statement",
-                    "prose": "The organization connects and configures individual intrusion detection tools into\n                  an information system-wide intrusion detection system."
-                  },
-                  {
-                    "id": "si-4.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(1)[1]"
-                          }
-                        ],
-                        "prose": "connects individual intrusion detection tools into an information system-wide\n                     intrusion detection system; and"
-                      },
-                      {
-                        "id": "si-4.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(1)[2]"
-                          }
-                        ],
-                        "prose": "configures individual intrusion detection tools into an information system-wide\n                     intrusion detection system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automated Tools for Real-time Analysis",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.2_smt",
-                    "name": "statement",
-                    "prose": "The organization employs automated tools to support near real-time analysis of\n                  events."
-                  },
-                  {
-                    "id": "si-4.2_gdn",
-                    "name": "guidance",
-                    "prose": "Automated tools include, for example, host-based, network-based, transport-based,\n                  or storage-based event monitoring tools or Security Information and Event\n                  Management (SIEM) technologies that provide real time analysis of alerts and/or\n                  notifications generated by organizational information systems."
-                  },
-                  {
-                    "id": "si-4.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization employs automated tools to support near real-time\n                  analysis of events."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for incident\n                     response/management"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for near real-time analysis of events\\n\\norganizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing information system\n                     monitoring\\n\\nautomated mechanisms/tools supporting and/or implementing analysis of\n                     events"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.4",
-                "class": "SP800-53-enhancement",
-                "title": "Inbound and Outbound Communications Traffic",
-                "parameters": [
-                  {
-                    "id": "si-4.4_prm_1",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "continuously"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-4(4)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.04"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.4_smt",
-                    "name": "statement",
-                    "prose": "The information system monitors inbound and outbound communications traffic\n                     {{ si-4.4_prm_1 }} for unusual or unauthorized activities or\n                  conditions."
-                  },
-                  {
-                    "id": "si-4.4_gdn",
-                    "name": "guidance",
-                    "prose": "Unusual/unauthorized activities or conditions related to information system\n                  inbound and outbound communications traffic include, for example, internal traffic\n                  that indicates the presence of malicious code within organizational information\n                  systems or propagating among system components, the unauthorized exporting of\n                  information, or signaling to external information systems. Evidence of malicious\n                  code is used to identify potentially compromised information systems or\n                  information system components."
-                  },
-                  {
-                    "id": "si-4.4_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.4_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(4)[1]"
-                          }
-                        ],
-                        "prose": "defines a frequency to monitor:",
-                        "parts": [
-                          {
-                            "id": "si-4.4_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(4)[1][a]"
-                              }
-                            ],
-                            "prose": "inbound communications traffic for unusual or unauthorized activities or\n                        conditions;"
-                          },
-                          {
-                            "id": "si-4.4_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(4)[1][b]"
-                              }
-                            ],
-                            "prose": "outbound communications traffic for unusual or unauthorized activities or\n                        conditions;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-4.4_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(4)[2]"
-                          }
-                        ],
-                        "prose": "monitors, with the organization-defined frequency:",
-                        "parts": [
-                          {
-                            "id": "si-4.4_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(4)[2][a]"
-                              }
-                            ],
-                            "prose": "inbound communications traffic for unusual or unauthorized activities or\n                        conditions; and"
-                          },
-                          {
-                            "id": "si-4.4_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-4(4)[2][b]"
-                              }
-                            ],
-                            "prose": "outbound communications traffic for unusual or unauthorized activities or\n                        conditions."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system protocols\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion detection\n                     capability/information system monitoring\\n\\nautomated mechanisms supporting and/or implementing monitoring of\n                     inbound/outbound communications traffic"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.5",
-                "class": "SP800-53-enhancement",
-                "title": "System-generated Alerts",
-                "parameters": [
-                  {
-                    "id": "si-4.5_prm_1",
-                    "label": "organization-defined personnel or roles"
-                  },
-                  {
-                    "id": "si-4.5_prm_2",
-                    "label": "organization-defined compromise indicators"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(5)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.05"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.5_smt",
-                    "name": "statement",
-                    "prose": "The information system alerts {{ si-4.5_prm_1 }} when the following\n                  indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}.",
-                    "parts": [
-                      {
-                        "id": "si-4.5_fr",
-                        "name": "item",
-                        "title": "SI-4 (5) Additional FedRAMP Requirements and Guidance",
-                        "parts": [
-                          {
-                            "id": "si-4.5_fr_gdn.1",
-                            "name": "guidance",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "Guidance:"
-                              }
-                            ],
-                            "prose": "In accordance with the incident response plan."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.5_gdn",
-                    "name": "guidance",
-                    "prose": "Alerts may be generated from a variety of sources, including, for example, audit\n                  records or inputs from malicious code protection mechanisms, intrusion detection\n                  or prevention mechanisms, or boundary protection devices such as firewalls,\n                  gateways, and routers. Alerts can be transmitted, for example, telephonically, by\n                  electronic mail messages, or by text messaging. Organizational personnel on the\n                  notification list can include, for example, system administrators,\n                  mission/business owners, system owners, or information system security\n                  officers.",
-                    "links": [
-                      {
-                        "href": "#au-5",
-                        "rel": "related",
-                        "text": "AU-5"
-                      },
-                      {
-                        "href": "#pe-6",
-                        "rel": "related",
-                        "text": "PE-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.5_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "si-4.5_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(5)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines compromise indicators for the information system;"
-                      },
-                      {
-                        "id": "si-4.5_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(5)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to be alerted when indications of\n                     compromise or potential compromise occur; and"
-                      },
-                      {
-                        "id": "si-4.5_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(5)[3]"
-                          }
-                        ],
-                        "prose": "the information system alerts organization-defined personnel or roles when\n                     organization-defined compromise indicators occur."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications generated based on compromise indicators\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developers\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing alerts for compromise\n                     indicators"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.14",
-                "class": "SP800-53-enhancement",
-                "title": "Wireless Intrusion Detection",
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-4(14)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.14"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.14_smt",
-                    "name": "statement",
-                    "prose": "The organization employs a wireless intrusion detection system to identify rogue\n                  wireless devices and to detect attack attempts and potential compromises/breaches\n                  to the information system."
-                  },
-                  {
-                    "id": "si-4.14_gdn",
-                    "name": "guidance",
-                    "prose": "Wireless signals may radiate beyond the confines of organization-controlled\n                  facilities. Organizations proactively search for unauthorized wireless connections\n                  including the conduct of thorough scans for unauthorized wireless access points.\n                  Scans are not limited to those areas within facilities containing information\n                  systems, but also include areas outside of facilities as needed, to verify that\n                  unauthorized wireless access points are not connected to the systems.",
-                    "links": [
-                      {
-                        "href": "#ac-18",
-                        "rel": "related",
-                        "text": "AC-18"
-                      },
-                      {
-                        "href": "#ia-3",
-                        "rel": "related",
-                        "text": "IA-3"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.14_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization employs a wireless intrusion detection system\n                  to:",
-                    "parts": [
-                      {
-                        "id": "si-4.14_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(14)[1]"
-                          }
-                        ],
-                        "prose": "identify rogue wireless devices;"
-                      },
-                      {
-                        "id": "si-4.14_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(14)[2]"
-                          }
-                        ],
-                        "prose": "detect attack attempts to the information system; and"
-                      },
-                      {
-                        "id": "si-4.14_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(14)[3]"
-                          }
-                        ],
-                        "prose": "detect potential compromises/breaches to the information system."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system protocols\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection\\n\\nautomated mechanisms supporting and/or implementing wireless intrusion\n                     detection capability"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.16",
-                "class": "SP800-53-enhancement",
-                "title": "Correlate Monitoring Information",
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(16)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.16"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.16_smt",
-                    "name": "statement",
-                    "prose": "The organization correlates information from monitoring tools employed throughout\n                  the information system."
-                  },
-                  {
-                    "id": "si-4.16_gdn",
-                    "name": "guidance",
-                    "prose": "Correlating information from different monitoring tools can provide a more\n                  comprehensive view of information system activity. The correlation of monitoring\n                  tools that usually work in isolation (e.g., host monitoring, network monitoring,\n                  anti-virus software) can provide an organization-wide view and in so doing, may\n                  reveal otherwise unseen attack patterns. Understanding the\n                  capabilities/limitations of diverse monitoring tools and how to maximize the\n                  utility of information generated by those tools can help organizations to build,\n                  operate, and maintain effective monitoring programs.",
-                    "links": [
-                      {
-                        "href": "#au-6",
-                        "rel": "related",
-                        "text": "AU-6"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-4.16_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization correlates information from monitoring tools\n                  employed throughout the information system."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nevent correlation logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring the information\n                     system\\n\\norganizational personnel with responsibility for the intrusion detection\n                     system"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for intrusion detection/information system\n                     monitoring\\n\\nautomated mechanisms supporting and/or implementing intrusion\n                     detection/information system monitoring capability\\n\\nautomated mechanisms supporting and/or implementing correlation of information\n                     from monitoring tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-4.23",
-                "class": "SP800-53-enhancement",
-                "title": "Host-based Devices",
-                "parameters": [
-                  {
-                    "id": "si-4.23_prm_1",
-                    "label": "organization-defined host-based monitoring mechanisms"
-                  },
-                  {
-                    "id": "si-4.23_prm_2",
-                    "label": "organization-defined information system components"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-4(23)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-04.23"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-4.23_smt",
-                    "name": "statement",
-                    "prose": "The organization implements {{ si-4.23_prm_1 }} at {{ si-4.23_prm_2 }}."
-                  },
-                  {
-                    "id": "si-4.23_gdn",
-                    "name": "guidance",
-                    "prose": "Information system components where host-based monitoring can be implemented\n                  include, for example, servers, workstations, and mobile devices. Organizations\n                  consider employing host-based monitoring mechanisms from multiple information\n                  technology product developers."
-                  },
-                  {
-                    "id": "si-4.23_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-4.23_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(23)[1]"
-                          }
-                        ],
-                        "prose": "defines host-based monitoring mechanisms to be implemented;"
-                      },
-                      {
-                        "id": "si-4.23_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(23)[2]"
-                          }
-                        ],
-                        "prose": "defines information system components where organization-defined host-based\n                     monitoring is to be implemented; and"
-                      },
-                      {
-                        "id": "si-4.23_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-4(23)[3]"
-                          }
-                        ],
-                        "prose": "implements organization-defined host-based monitoring mechanisms at\n                     organization-defined information system components."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing information system monitoring tools and techniques\\n\\ninformation system design documentation\\n\\nhost-based monitoring mechanisms\\n\\ninformation system monitoring tools and techniques documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of information system components requiring host-based monitoring\\n\\ninformation system monitoring logs or records\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel installing, configuring, and/or maintaining the\n                     information system\\n\\norganizational personnel with responsibility for monitoring information system\n                     hosts"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for information system monitoring\\n\\nautomated mechanisms supporting and/or implementing host-based monitoring\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-5",
-            "class": "SP800-53",
-            "title": "Security Alerts, Advisories, and Directives",
-            "parameters": [
-              {
-                "id": "si-5_prm_1",
-                "label": "organization-defined external organizations",
-                "constraints": [
-                  {
-                    "detail": "to include US-CERT"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_prm_2",
-                "constraints": [
-                  {
-                    "detail": "to include system security personnel and administrators with configuration/patch-management responsibilities"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_prm_3",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined personnel or roles"
-              },
-              {
-                "id": "si-5_prm_4",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined elements within the organization"
-              },
-              {
-                "id": "si-5_prm_5",
-                "depends-on": "si-5_prm_2",
-                "label": "organization-defined external organizations"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-5"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-05"
-              }
-            ],
-            "links": [
-              {
-                "href": "#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-40"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-5_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-5_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Receives information system security alerts, advisories, and directives from\n                     {{ si-5_prm_1 }} on an ongoing basis;"
-                  },
-                  {
-                    "id": "si-5_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Generates internal security alerts, advisories, and directives as deemed\n                  necessary;"
-                  },
-                  {
-                    "id": "si-5_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and"
-                  },
-                  {
-                    "id": "si-5_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "Implements security directives in accordance with established time frames, or\n                  notifies the issuing organization of the degree of noncompliance."
-                  }
-                ]
-              },
-              {
-                "id": "si-5_gdn",
-                "name": "guidance",
-                "prose": "The United States Computer Emergency Readiness Team (US-CERT) generates security\n               alerts and advisories to maintain situational awareness across the federal\n               government. Security directives are issued by OMB or other designated organizations\n               with the responsibility and authority to issue such directives. Compliance to\n               security directives is essential due to the critical nature of many of these\n               directives and the potential immediate adverse effects on organizational operations\n               and assets, individuals, other organizations, and the Nation should the directives\n               not be implemented in a timely manner. External organizations include, for example,\n               external mission/business partners, supply chain partners, external service\n               providers, and other peer/supporting organizations.",
-                "links": [
-                  {
-                    "href": "#si-2",
-                    "rel": "related",
-                    "text": "SI-2"
-                  }
-                ]
-              },
-              {
-                "id": "si-5_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-5.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(a)[1]"
-                          }
-                        ],
-                        "prose": "defines external organizations from whom information system security alerts,\n                     advisories and directives are to be received;"
-                      },
-                      {
-                        "id": "si-5.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(a)[2]"
-                          }
-                        ],
-                        "prose": "receives information system security alerts, advisories, and directives from\n                     organization-defined external organizations on an ongoing basis;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-5.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-5(b)"
-                      }
-                    ],
-                    "prose": "generates internal security alerts, advisories, and directives as deemed\n                  necessary;"
-                  },
-                  {
-                    "id": "si-5.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-5(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[1]"
-                          }
-                        ],
-                        "prose": "defines personnel or roles to whom security alerts, advisories, and directives\n                     are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[2]"
-                          }
-                        ],
-                        "prose": "defines elements within the organization to whom security alerts, advisories,\n                     and directives are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[3]"
-                          }
-                        ],
-                        "prose": "defines external organizations to whom security alerts, advisories, and\n                     directives are to be provided;"
-                      },
-                      {
-                        "id": "si-5.c_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-5(c)[4]"
-                          }
-                        ],
-                        "prose": "disseminates security alerts, advisories, and directives to one or more of the\n                     following:",
-                        "parts": [
-                          {
-                            "id": "si-5.c_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][a]"
-                              }
-                            ],
-                            "prose": "organization-defined personnel or roles;"
-                          },
-                          {
-                            "id": "si-5.c_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][b]"
-                              }
-                            ],
-                            "prose": "organization-defined elements within the organization; and/or"
-                          },
-                          {
-                            "id": "si-5.c_obj.4.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-5(c)[4][c]"
-                              }
-                            ],
-                            "prose": "organization-defined external organizations; and"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-5.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-5(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-5.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(d)[1]"
-                          }
-                        ],
-                        "prose": "implements security directives in accordance with established time frames;\n                     or"
-                      },
-                      {
-                        "id": "si-5.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-5(d)[2]"
-                          }
-                        ],
-                        "prose": "notifies the issuing organization of the degree of noncompliance."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing security alerts, advisories, and directives\\n\\nrecords of security alerts and advisories\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security alert and advisory responsibilities\\n\\norganizational personnel implementing, operating, maintaining, and using the\n                  information system\\n\\norganizational personnel, organizational elements, and/or external organizations\n                  to whom alerts, advisories, and directives are to be disseminated\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for defining, receiving, generating, disseminating, and\n                  complying with security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing definition, receipt,\n                  generation, and dissemination of security alerts, advisories, and directives\\n\\nautomated mechanisms supporting and/or implementing security directives"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-6",
-            "class": "SP800-53",
-            "title": "Security Function Verification",
-            "parameters": [
-              {
-                "id": "si-6_prm_1",
-                "label": "organization-defined security functions"
-              },
-              {
-                "id": "si-6_prm_2"
-              },
-              {
-                "id": "si-6_prm_3",
-                "depends-on": "si-6_prm_2",
-                "label": "organization-defined system transitional states",
-                "constraints": [
-                  {
-                    "detail": "to include upon system startup and/or restart"
-                  }
-                ]
-              },
-              {
-                "id": "si-6_prm_4",
-                "depends-on": "si-6_prm_2",
-                "label": "organization-defined frequency",
-                "constraints": [
-                  {
-                    "detail": "at least monthly"
-                  }
-                ]
-              },
-              {
-                "id": "si-6_prm_5",
-                "label": "organization-defined personnel or roles",
-                "constraints": [
-                  {
-                    "detail": "to include system administrators and security personnel"
-                  }
-                ]
-              },
-              {
-                "id": "si-6_prm_6"
-              },
-              {
-                "id": "si-6_prm_7",
-                "depends-on": "si-6_prm_6",
-                "label": "organization-defined alternative action(s)",
-                "constraints": [
-                  {
-                    "detail": "to include notification of system administrators and security personnel"
-                  }
-                ]
-              }
-            ],
-            "properties": [
-              {
-                "name": "CORE",
-                "ns": "https://fedramp.gov/ns/oscal",
-                "value": ""
-              },
-              {
-                "name": "label",
-                "value": "SI-6"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-06"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-6_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "si-6_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Verifies the correct operation of {{ si-6_prm_1 }};"
-                  },
-                  {
-                    "id": "si-6_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Performs this verification {{ si-6_prm_2 }};"
-                  },
-                  {
-                    "id": "si-6_smt.c",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "c."
-                      }
-                    ],
-                    "prose": "Notifies {{ si-6_prm_5 }} of failed security verification tests;\n                  and"
-                  },
-                  {
-                    "id": "si-6_smt.d",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "d."
-                      }
-                    ],
-                    "prose": "\n                  {{ si-6_prm_6 }} when anomalies are discovered."
-                  }
-                ]
-              },
-              {
-                "id": "si-6_gdn",
-                "name": "guidance",
-                "prose": "Transitional states for information systems include, for example, system startup,\n               restart, shutdown, and abort. Notifications provided by information systems include,\n               for example, electronic alerts to system administrators, messages to local computer\n               consoles, and/or hardware indications such as lights.",
-                "links": [
-                  {
-                    "href": "#ca-7",
-                    "rel": "related",
-                    "text": "CA-7"
-                  },
-                  {
-                    "href": "#cm-6",
-                    "rel": "related",
-                    "text": "CM-6"
-                  }
-                ]
-              },
-              {
-                "id": "si-6_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-6.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-6(a)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-6.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(a)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines security functions to be verified for correct\n                     operation;"
-                      },
-                      {
-                        "id": "si-6.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(a)[2]"
-                          }
-                        ],
-                        "prose": "the information system verifies the correct operation of organization-defined\n                     security functions;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-6.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-6(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-6.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines system transitional states requiring verification of\n                     organization-defined security functions;"
-                      },
-                      {
-                        "id": "si-6.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(b)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines a frequency to verify the correct operation of\n                     organization-defined security functions;"
-                      },
-                      {
-                        "id": "si-6.b_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(b)[3]"
-                          }
-                        ],
-                        "prose": "the information system performs this verification one or more of the\n                     following:",
-                        "parts": [
-                          {
-                            "id": "si-6.b_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(b)[3][a]"
-                              }
-                            ],
-                            "prose": "at organization-defined system transitional states;"
-                          },
-                          {
-                            "id": "si-6.b_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(b)[3][b]"
-                              }
-                            ],
-                            "prose": "upon command by user with appropriate privilege; and/or"
-                          },
-                          {
-                            "id": "si-6.b_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(b)[3][c]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency;"
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-6.c_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-6(c)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-6.c_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(c)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to be notified of failed security\n                     verification tests;"
-                      },
-                      {
-                        "id": "si-6.c_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(c)[2]"
-                          }
-                        ],
-                        "prose": "the information system notifies organization-defined personnel or roles of\n                     failed security verification tests;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-6.d_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-6(d)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-6.d_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(d)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines alternative action(s) to be performed when anomalies\n                     are discovered;"
-                      },
-                      {
-                        "id": "si-6.d_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-6(d)[2]"
-                          }
-                        ],
-                        "prose": "the information system performs one or more of the following actions when\n                     anomalies are discovered:",
-                        "parts": [
-                          {
-                            "id": "si-6.d_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(d)[2][a]"
-                              }
-                            ],
-                            "prose": "shuts the information system down;"
-                          },
-                          {
-                            "id": "si-6.d_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(d)[2][b]"
-                              }
-                            ],
-                            "prose": "restarts the information system; and/or"
-                          },
-                          {
-                            "id": "si-6.d_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-6(d)[2][c]"
-                              }
-                            ],
-                            "prose": "performs organization-defined alternative action(s)."
-                          }
-                        ]
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing security function verification\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nalerts/notifications of failed security verification tests\\n\\nlist of system transition states requiring security functionality verification\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with security function verification responsibilities\\n\\norganizational personnel implementing, operating, and maintaining the information\n                  system\\n\\nsystem/network administrators\\n\\norganizational personnel with information security responsibilities\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for security function verification\\n\\nautomated mechanisms supporting and/or implementing security function verification\n                  capability"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-7",
-            "class": "SP800-53",
-            "title": "Software, Firmware, and Information Integrity",
-            "parameters": [
-              {
-                "id": "si-7_prm_1",
-                "label": "organization-defined software, firmware, and information"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-7"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-07"
-              }
-            ],
-            "links": [
-              {
-                "href": "#6bf8d24a-78dc-4727-a2ac-0e64d71c495c",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-147"
-              },
-              {
-                "href": "#3878cc04-144a-483e-af62-8fe6f4ad6c7a",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-155"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-7_smt",
-                "name": "statement",
-                "prose": "The organization employs integrity verification tools to detect unauthorized changes\n               to {{ si-7_prm_1 }}."
-              },
-              {
-                "id": "si-7_gdn",
-                "name": "guidance",
-                "prose": "Unauthorized changes to software, firmware, and information can occur due to errors\n               or malicious activity (e.g., tampering). Software includes, for example, operating\n               systems (with key internal components such as kernels, drivers), middleware, and\n               applications. Firmware includes, for example, the Basic Input Output System (BIOS).\n               Information includes metadata such as security attributes associated with\n               information. State-of-the-practice integrity-checking mechanisms (e.g., parity\n               checks, cyclical redundancy checks, cryptographic hashes) and associated tools can\n               automatically monitor the integrity of information systems and hosted\n               applications.",
-                "links": [
-                  {
-                    "href": "#sa-12",
-                    "rel": "related",
-                    "text": "SA-12"
-                  },
-                  {
-                    "href": "#sc-8",
-                    "rel": "related",
-                    "text": "SC-8"
-                  },
-                  {
-                    "href": "#sc-13",
-                    "rel": "related",
-                    "text": "SC-13"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  }
-                ]
-              },
-              {
-                "id": "si-7_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-7_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-7[1]"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-7_obj.1.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7[1][a]"
-                          }
-                        ],
-                        "prose": "defines software requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"
-                      },
-                      {
-                        "id": "si-7_obj.1.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7[1][b]"
-                          }
-                        ],
-                        "prose": "defines firmware requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"
-                      },
-                      {
-                        "id": "si-7_obj.1.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7[1][c]"
-                          }
-                        ],
-                        "prose": "defines information requiring integrity verification tools to be employed to\n                     detect unauthorized changes;"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-7_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-7[2]"
-                      }
-                    ],
-                    "prose": "employs integrity verification tools to detect unauthorized changes to\n                  organization-defined:",
-                    "parts": [
-                      {
-                        "id": "si-7_obj.2.a",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-7[2][a]"
-                          }
-                        ],
-                        "prose": "software;"
-                      },
-                      {
-                        "id": "si-7_obj.2.b",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-7[2][b]"
-                          }
-                        ],
-                        "prose": "firmware; and"
-                      },
-                      {
-                        "id": "si-7_obj.2.c",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-7[2][c]"
-                          }
-                        ],
-                        "prose": "information."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords generated/triggered from integrity verification tools regarding\n                  unauthorized software, firmware, and information changes\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                  information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Software, firmware, and information integrity verification tools"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-7.1",
-                "class": "SP800-53-enhancement",
-                "title": "Integrity Checks",
-                "parameters": [
-                  {
-                    "id": "si-7.1_prm_1",
-                    "label": "organization-defined software, firmware, and information"
-                  },
-                  {
-                    "id": "si-7.1_prm_2"
-                  },
-                  {
-                    "id": "si-7.1_prm_3",
-                    "depends-on": "si-7.1_prm_2",
-                    "label": "organization-defined transitional states or security-relevant events",
-                    "constraints": [
-                      {
-                        "detail": "Selection to include security relevant events"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-7.1_prm_4",
-                    "depends-on": "si-7.1_prm_2",
-                    "label": "organization-defined frequency",
-                    "constraints": [
-                      {
-                        "detail": "at least monthly"
-                      }
-                    ]
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-7(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-07.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-7.1_smt",
-                    "name": "statement",
-                    "prose": "The information system performs an integrity check of {{ si-7.1_prm_1 }}\n                  {{ si-7.1_prm_2 }}."
-                  },
-                  {
-                    "id": "si-7.1_gdn",
-                    "name": "guidance",
-                    "prose": "Security-relevant events include, for example, the identification of a new threat\n                  to which organizational information systems are susceptible, and the installation\n                  of new hardware, software, or firmware. Transitional states include, for example,\n                  system startup, restart, shutdown, and abort."
-                  },
-                  {
-                    "id": "si-7.1_obj",
-                    "name": "objective",
-                    "prose": "Determine if:",
-                    "parts": [
-                      {
-                        "id": "si-7.1_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(1)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines:",
-                        "parts": [
-                          {
-                            "id": "si-7.1_obj.1.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[1][a]"
-                              }
-                            ],
-                            "prose": "software requiring integrity checks to be performed;"
-                          },
-                          {
-                            "id": "si-7.1_obj.1.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[1][b]"
-                              }
-                            ],
-                            "prose": "firmware requiring integrity checks to be performed;"
-                          },
-                          {
-                            "id": "si-7.1_obj.1.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[1][c]"
-                              }
-                            ],
-                            "prose": "information requiring integrity checks to be performed;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-7.1_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(1)[2]"
-                          }
-                        ],
-                        "prose": "the organization defines transitional states or security-relevant events\n                     requiring integrity checks of organization-defined:",
-                        "parts": [
-                          {
-                            "id": "si-7.1_obj.2.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[2][a]"
-                              }
-                            ],
-                            "prose": "software;"
-                          },
-                          {
-                            "id": "si-7.1_obj.2.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[2][b]"
-                              }
-                            ],
-                            "prose": "firmware;"
-                          },
-                          {
-                            "id": "si-7.1_obj.2.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[2][c]"
-                              }
-                            ],
-                            "prose": "information;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-7.1_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(1)[3]"
-                          }
-                        ],
-                        "prose": "the organization defines a frequency with which to perform an integrity check\n                     of organization-defined:",
-                        "parts": [
-                          {
-                            "id": "si-7.1_obj.3.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[3][a]"
-                              }
-                            ],
-                            "prose": "software;"
-                          },
-                          {
-                            "id": "si-7.1_obj.3.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[3][b]"
-                              }
-                            ],
-                            "prose": "firmware;"
-                          },
-                          {
-                            "id": "si-7.1_obj.3.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[3][c]"
-                              }
-                            ],
-                            "prose": "information;"
-                          }
-                        ]
-                      },
-                      {
-                        "id": "si-7.1_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(1)[4]"
-                          }
-                        ],
-                        "prose": "the information system performs an integrity check of organization-defined\n                     software, firmware, and information one or more of the following:",
-                        "parts": [
-                          {
-                            "id": "si-7.1_obj.4.a",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[4][a]"
-                              }
-                            ],
-                            "prose": "at startup;"
-                          },
-                          {
-                            "id": "si-7.1_obj.4.b",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[4][b]"
-                              }
-                            ],
-                            "prose": "at organization-defined transitional states or security-relevant events;\n                        and/or"
-                          },
-                          {
-                            "id": "si-7.1_obj.4.c",
-                            "name": "objective",
-                            "properties": [
-                              {
-                                "name": "label",
-                                "value": "SI-7(1)[4][c]"
-                              }
-                            ],
-                            "prose": "with the organization-defined frequency."
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nintegrity verification tools and associated documentation\\n\\nrecords of integrity scans\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Software, firmware, and information integrity verification tools"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-7.7",
-                "class": "SP800-53-enhancement",
-                "title": "Integration of Detection and Response",
-                "parameters": [
-                  {
-                    "id": "si-7.7_prm_1",
-                    "label": "organization-defined security-relevant changes to the information\n                  system"
-                  }
-                ],
-                "properties": [
-                  {
-                    "name": "label",
-                    "value": "SI-7(7)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-07.07"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-7.7_smt",
-                    "name": "statement",
-                    "prose": "The organization incorporates the detection of unauthorized {{ si-7.7_prm_1 }} into the organizational incident response\n                  capability."
-                  },
-                  {
-                    "id": "si-7.7_gdn",
-                    "name": "guidance",
-                    "prose": "This control enhancement helps to ensure that detected events are tracked,\n                  monitored, corrected, and available for historical purposes. Maintaining\n                  historical records is important both for being able to identify and discern\n                  adversary actions over an extended period of time and for possible legal actions.\n                  Security-relevant changes include, for example, unauthorized changes to\n                  established configuration settings or unauthorized elevation of information system\n                  privileges.",
-                    "links": [
-                      {
-                        "href": "#ir-4",
-                        "rel": "related",
-                        "text": "IR-4"
-                      },
-                      {
-                        "href": "#ir-5",
-                        "rel": "related",
-                        "text": "IR-5"
-                      },
-                      {
-                        "href": "#si-4",
-                        "rel": "related",
-                        "text": "SI-4"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-7.7_obj",
-                    "name": "objective",
-                    "prose": "Determine if the organization:",
-                    "parts": [
-                      {
-                        "id": "si-7.7_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(7)[1]"
-                          }
-                        ],
-                        "prose": "defines unauthorized security-relevant changes to the information system;\n                     and"
-                      },
-                      {
-                        "id": "si-7.7_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-7(7)[2]"
-                          }
-                        ],
-                        "prose": "incorporates the detection of unauthorized organization-defined\n                     security-relevant changes to the information system into the organizational\n                     incident response capability."
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing software, firmware, and information integrity\\n\\nprocedures addressing incident response\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nincident response records\\n\\ninformation audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for software, firmware, and/or\n                     information integrity\\n\\norganizational personnel with information security responsibilities\\n\\norganizational personnel with incident response responsibilities"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for incorporating detection of unauthorized\n                     security-relevant changes into the incident response capability\\n\\nsoftware, firmware, and information integrity verification tools\\n\\nautomated mechanisms supporting and/or implementing incorporation of detection\n                     of unauthorized security-relevant changes into the incident response\n                     capability"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-8",
-            "class": "SP800-53",
-            "title": "Spam Protection",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-8"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-08"
-              }
-            ],
-            "links": [
-              {
-                "href": "#c6e95ca0-5828-420e-b095-00895b72b5e8",
-                "rel": "reference",
-                "text": "NIST Special Publication 800-45"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-8_smt",
-                "name": "statement",
-                "prose": "The organization:",
-                "parts": [
-                  {
-                    "id": "si-8_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Employs spam protection mechanisms at information system entry and exit points to\n                  detect and take action on unsolicited messages; and"
-                  },
-                  {
-                    "id": "si-8_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Updates spam protection mechanisms when new releases are available in accordance\n                  with organizational configuration management policy and procedures."
-                  }
-                ]
-              },
-              {
-                "id": "si-8_gdn",
-                "name": "guidance",
-                "prose": "Information system entry and exit points include, for example, firewalls, electronic\n               mail servers, web servers, proxy servers, remote-access servers, workstations, mobile\n               devices, and notebook/laptop computers. Spam can be transported by different means\n               including, for example, electronic mail, electronic mail attachments, and web\n               accesses. Spam protection mechanisms include, for example, signature definitions.",
-                "links": [
-                  {
-                    "href": "#at-2",
-                    "rel": "related",
-                    "text": "AT-2"
-                  },
-                  {
-                    "href": "#at-3",
-                    "rel": "related",
-                    "text": "AT-3"
-                  },
-                  {
-                    "href": "#sc-5",
-                    "rel": "related",
-                    "text": "SC-5"
-                  },
-                  {
-                    "href": "#sc-7",
-                    "rel": "related",
-                    "text": "SC-7"
-                  },
-                  {
-                    "href": "#si-3",
-                    "rel": "related",
-                    "text": "SI-3"
-                  }
-                ]
-              },
-              {
-                "id": "si-8_obj",
-                "name": "objective",
-                "prose": "Determine if the organization:",
-                "parts": [
-                  {
-                    "id": "si-8.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-8(a)"
-                      }
-                    ],
-                    "prose": "employs spam protection mechanisms:",
-                    "parts": [
-                      {
-                        "id": "si-8.a_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-8(a)[1]"
-                          }
-                        ],
-                        "prose": "at information system entry points to detect unsolicited messages;"
-                      },
-                      {
-                        "id": "si-8.a_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-8(a)[2]"
-                          }
-                        ],
-                        "prose": "at information system entry points to take action on unsolicited messages;"
-                      },
-                      {
-                        "id": "si-8.a_obj.3",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-8(a)[3]"
-                          }
-                        ],
-                        "prose": "at information system exit points to detect unsolicited messages;"
-                      },
-                      {
-                        "id": "si-8.a_obj.4",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "label",
-                            "value": "SI-8(a)[4]"
-                          }
-                        ],
-                        "prose": "at information system exit points to take action on unsolicited messages;\n                     and"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-8.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-8(b)"
-                      }
-                    ],
-                    "prose": "updates spam protection mechanisms when new releases are available in accordance\n                  with organizational configuration management policy and procedures."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nconfiguration management policy and procedures (CM-1)\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\nrecords of spam protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for implementing spam protection\\n\\nautomated mechanisms supporting and/or implementing spam protection"
-                  }
-                ]
-              }
-            ],
-            "controls": [
-              {
-                "id": "si-8.1",
-                "class": "SP800-53-enhancement",
-                "title": "Central Management",
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-8(1)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-08.01"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-8.1_smt",
-                    "name": "statement",
-                    "prose": "The organization centrally manages spam protection mechanisms."
-                  },
-                  {
-                    "id": "si-8.1_gdn",
-                    "name": "guidance",
-                    "prose": "Central management is the organization-wide management and implementation of spam\n                  protection mechanisms. Central management includes planning, implementing,\n                  assessing, authorizing, and monitoring the organization-defined, centrally managed\n                  spam protection security controls.",
-                    "links": [
-                      {
-                        "href": "#au-3",
-                        "rel": "related",
-                        "text": "AU-3"
-                      },
-                      {
-                        "href": "#si-2",
-                        "rel": "related",
-                        "text": "SI-2"
-                      },
-                      {
-                        "href": "#si-7",
-                        "rel": "related",
-                        "text": "SI-7"
-                      }
-                    ]
-                  },
-                  {
-                    "id": "si-8.1_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the organization centrally manages spam protection mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for central management of spam protection\\n\\nautomated mechanisms supporting and/or implementing central management of spam\n                     protection"
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "id": "si-8.2",
-                "class": "SP800-53-enhancement",
-                "title": "Automatic Updates",
-                "properties": [
-                  {
-                    "name": "CORE",
-                    "ns": "https://fedramp.gov/ns/oscal",
-                    "value": ""
-                  },
-                  {
-                    "name": "label",
-                    "value": "SI-8(2)"
-                  },
-                  {
-                    "name": "sort-id",
-                    "value": "si-08.02"
-                  }
-                ],
-                "parts": [
-                  {
-                    "id": "si-8.2_smt",
-                    "name": "statement",
-                    "prose": "The information system automatically updates spam protection mechanisms."
-                  },
-                  {
-                    "id": "si-8.2_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      }
-                    ],
-                    "prose": "Determine if the information system automatically updates spam protection\n                  mechanisms."
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "EXAMINE"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "System and information integrity policy\\n\\nprocedures addressing spam protection\\n\\nspam protection mechanisms\\n\\nrecords of spam protection updates\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "INTERVIEW"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational personnel with responsibility for spam protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                      }
-                    ]
-                  },
-                  {
-                    "name": "assessment",
-                    "properties": [
-                      {
-                        "name": "method",
-                        "value": "TEST"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "name": "objects",
-                        "prose": "Organizational processes for spam protection\\n\\nautomated mechanisms supporting and/or implementing automatic updates to spam\n                     protection mechanisms"
-                      }
-                    ]
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-10",
-            "class": "SP800-53",
-            "title": "Information Input Validation",
-            "parameters": [
-              {
-                "id": "si-10_prm_1",
-                "label": "organization-defined information inputs"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-10"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-10"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-10_smt",
-                "name": "statement",
-                "prose": "The information system checks the validity of {{ si-10_prm_1 }}."
-              },
-              {
-                "id": "si-10_gdn",
-                "name": "guidance",
-                "prose": "Checking the valid syntax and semantics of information system inputs (e.g., character\n               set, length, numerical range, and acceptable values) verifies that inputs match\n               specified definitions for format and content. Software applications typically follow\n               well-defined protocols that use structured messages (i.e., commands or queries) to\n               communicate between software modules or system components. Structured messages can\n               contain raw or unstructured data interspersed with metadata or control information.\n               If software applications use attacker-supplied inputs to construct structured\n               messages without properly encoding such messages, then the attacker could insert\n               malicious commands or special characters that can cause the data to be interpreted as\n               control information or metadata. Consequently, the module or component that receives\n               the tainted output will perform the wrong operations or otherwise interpret the data\n               incorrectly. Prescreening inputs prior to passing to interpreters prevents the\n               content from being unintentionally interpreted as commands. Input validation helps to\n               ensure accurate and correct inputs and prevent attacks such as cross-site scripting\n               and a variety of injection attacks."
-              },
-              {
-                "id": "si-10_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-10_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-10[1]"
-                      }
-                    ],
-                    "prose": "the organization defines information inputs requiring validity checks; and"
-                  },
-                  {
-                    "id": "si-10_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-10[2]"
-                      }
-                    ],
-                    "prose": "the information system checks the validity of organization-defined information\n                  inputs."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\naccess control policy and procedures\\n\\nseparation of duties policy and procedures\\n\\nprocedures addressing information input validation\\n\\ndocumentation for automated tools and applications to verify validity of\n                  information\\n\\nlist of information inputs requiring validity checks\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for information input validation\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing validity checks on information\n                  inputs"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-11",
-            "class": "SP800-53",
-            "title": "Error Handling",
-            "parameters": [
-              {
-                "id": "si-11_prm_1",
-                "label": "organization-defined personnel or roles"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-11"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-11"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-11_smt",
-                "name": "statement",
-                "prose": "The information system:",
-                "parts": [
-                  {
-                    "id": "si-11_smt.a",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "a."
-                      }
-                    ],
-                    "prose": "Generates error messages that provide information necessary for corrective actions\n                  without revealing information that could be exploited by adversaries; and"
-                  },
-                  {
-                    "id": "si-11_smt.b",
-                    "name": "item",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "b."
-                      }
-                    ],
-                    "prose": "Reveals error messages only to {{ si-11_prm_1 }}."
-                  }
-                ]
-              },
-              {
-                "id": "si-11_gdn",
-                "name": "guidance",
-                "prose": "Organizations carefully consider the structure/content of error messages. The extent\n               to which information systems are able to identify and handle error conditions is\n               guided by organizational policy and operational requirements. Information that could\n               be exploited by adversaries includes, for example, erroneous logon attempts with\n               passwords entered by mistake as the username, mission/business information that can\n               be derived from (if not stated explicitly by) information recorded, and personal\n               information such as account numbers, social security numbers, and credit card\n               numbers. In addition, error messages may provide a covert channel for transmitting\n               information.",
-                "links": [
-                  {
-                    "href": "#au-2",
-                    "rel": "related",
-                    "text": "AU-2"
-                  },
-                  {
-                    "href": "#au-3",
-                    "rel": "related",
-                    "text": "AU-3"
-                  },
-                  {
-                    "href": "#sc-31",
-                    "rel": "related",
-                    "text": "SC-31"
-                  }
-                ]
-              },
-              {
-                "id": "si-11_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-11.a_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-11(a)"
-                      }
-                    ],
-                    "prose": "the information system generates error messages that provide information necessary\n                  for corrective actions without revealing information that could be exploited by\n                  adversaries;"
-                  },
-                  {
-                    "id": "si-11.b_obj",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-11(b)"
-                      }
-                    ],
-                    "parts": [
-                      {
-                        "id": "si-11.b_obj.1",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "EXAMINE"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-11(b)[1]"
-                          }
-                        ],
-                        "prose": "the organization defines personnel or roles to whom error messages are to be\n                     revealed; and"
-                      },
-                      {
-                        "id": "si-11.b_obj.2",
-                        "name": "objective",
-                        "properties": [
-                          {
-                            "name": "conformity",
-                            "ns": "https://fedramp.gov/ns/oscal",
-                            "value": "assessment-objective"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "INTERVIEW"
-                          },
-                          {
-                            "name": "method",
-                            "class": "fedramp",
-                            "value": "TEST"
-                          },
-                          {
-                            "name": "label",
-                            "value": "SI-11(b)[2]"
-                          }
-                        ],
-                        "prose": "the information system reveals error messages only to organization-defined\n                     personnel or roles."
-                      }
-                    ]
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing information system error handling\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\ndocumentation providing structure/content of error messages\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for information input validation\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for error handling\\n\\nautomated mechanisms supporting and/or implementing error handling\\n\\nautomated mechanisms supporting and/or implementing management of error\n                  messages"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-12",
-            "class": "SP800-53",
-            "title": "Information Handling and Retention",
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-12"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-12"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-12_smt",
-                "name": "statement",
-                "prose": "The organization handles and retains information within the information system and\n               information output from the system in accordance with applicable federal laws,\n               Executive Orders, directives, policies, regulations, standards, and operational\n               requirements."
-              },
-              {
-                "id": "si-12_gdn",
-                "name": "guidance",
-                "prose": "Information handling and retention requirements cover the full life cycle of\n               information, in some cases extending beyond the disposal of information systems. The\n               National Archives and Records Administration provides guidance on records\n               retention.",
-                "links": [
-                  {
-                    "href": "#ac-16",
-                    "rel": "related",
-                    "text": "AC-16"
-                  },
-                  {
-                    "href": "#au-5",
-                    "rel": "related",
-                    "text": "AU-5"
-                  },
-                  {
-                    "href": "#au-11",
-                    "rel": "related",
-                    "text": "AU-11"
-                  },
-                  {
-                    "href": "#mp-2",
-                    "rel": "related",
-                    "text": "MP-2"
-                  },
-                  {
-                    "href": "#mp-4",
-                    "rel": "related",
-                    "text": "MP-4"
-                  }
-                ]
-              },
-              {
-                "id": "si-12_obj",
-                "name": "objective",
-                "prose": "Determine if the organization, in accordance with applicable federal laws, Executive\n               Orders, directives, policies, regulations, standards, and operational\n               requirements:",
-                "parts": [
-                  {
-                    "id": "si-12_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-12[1]"
-                      }
-                    ],
-                    "prose": "handles information within the information system;"
-                  },
-                  {
-                    "id": "si-12_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[2]"
-                      }
-                    ],
-                    "prose": "handles output from the information system;"
-                  },
-                  {
-                    "id": "si-12_obj.3",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[3]"
-                      }
-                    ],
-                    "prose": "retains information within the information system; and"
-                  },
-                  {
-                    "id": "si-12_obj.4",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "label",
-                        "value": "SI-12[4]"
-                      }
-                    ],
-                    "prose": "retains output from the information system."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nfederal laws, Executive Orders, directives, policies, regulations, standards, and\n                  operational requirements applicable to information handling and retention\\n\\nmedia protection policy and procedures\\n\\nprocedures addressing information system output handling and retention\\n\\ninformation retention records, other relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for information handling and\n                  retention\\n\\norganizational personnel with information security responsibilities/network\n                  administrators"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational processes for information handling and retention\\n\\nautomated mechanisms supporting and/or implementing information handling and\n                  retention"
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "id": "si-16",
-            "class": "SP800-53",
-            "title": "Memory Protection",
-            "parameters": [
-              {
-                "id": "si-16_prm_1",
-                "label": "organization-defined security safeguards"
-              }
-            ],
-            "properties": [
-              {
-                "name": "label",
-                "value": "SI-16"
-              },
-              {
-                "name": "sort-id",
-                "value": "si-16"
-              }
-            ],
-            "parts": [
-              {
-                "id": "si-16_smt",
-                "name": "statement",
-                "prose": "The information system implements {{ si-16_prm_1 }} to protect its\n               memory from unauthorized code execution."
-              },
-              {
-                "id": "si-16_gdn",
-                "name": "guidance",
-                "prose": "Some adversaries launch attacks with the intent of executing code in non-executable\n               regions of memory or in memory locations that are prohibited. Security safeguards\n               employed to protect memory include, for example, data execution prevention and\n               address space layout randomization. Data execution prevention safeguards can either\n               be hardware-enforced or software-enforced with hardware providing the greater\n               strength of mechanism.",
-                "links": [
-                  {
-                    "href": "#ac-25",
-                    "rel": "related",
-                    "text": "AC-25"
-                  },
-                  {
-                    "href": "#sc-3",
-                    "rel": "related",
-                    "text": "SC-3"
-                  }
-                ]
-              },
-              {
-                "id": "si-16_obj",
-                "name": "objective",
-                "prose": "Determine if:",
-                "parts": [
-                  {
-                    "id": "si-16_obj.1",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "EXAMINE"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-16[1]"
-                      }
-                    ],
-                    "prose": "the organization defines security safeguards to be implemented to protect\n                  information system memory from unauthorized code execution; and"
-                  },
-                  {
-                    "id": "si-16_obj.2",
-                    "name": "objective",
-                    "properties": [
-                      {
-                        "name": "conformity",
-                        "ns": "https://fedramp.gov/ns/oscal",
-                        "value": "assessment-objective"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "INTERVIEW"
-                      },
-                      {
-                        "name": "method",
-                        "class": "fedramp",
-                        "value": "TEST"
-                      },
-                      {
-                        "name": "label",
-                        "value": "SI-16[2]"
-                      }
-                    ],
-                    "prose": "the information system implements organization-defined security safeguards to\n                  protect its memory from unauthorized code execution."
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "EXAMINE"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "System and information integrity policy\\n\\nprocedures addressing memory protection for the information system\\n\\ninformation system design documentation\\n\\ninformation system configuration settings and associated documentation\\n\\nlist of security safeguards protecting information system memory from unauthorized\n                  code execution\\n\\ninformation system audit records\\n\\nother relevant documents or records"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "INTERVIEW"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Organizational personnel with responsibility for memory protection\\n\\norganizational personnel with information security responsibilities\\n\\nsystem/network administrators\\n\\nsystem developer"
-                  }
-                ]
-              },
-              {
-                "name": "assessment",
-                "properties": [
-                  {
-                    "name": "method",
-                    "value": "TEST"
-                  }
-                ],
-                "parts": [
-                  {
-                    "name": "objects",
-                    "prose": "Automated mechanisms supporting and/or implementing safeguards to protect\n                  information system memory from unauthorized code execution"
-                  }
-                ]
-              }
-            ]
-          }
-        ]
-      }
-    ],
-    "back-matter": {
-      "resources": [
-        {
-          "uuid": "0c97e60b-325a-4efa-ba2b-90f20ccd5abc",
-          "title": "5 C.F.R. 731.106",
-          "citation": {
-            "text": "Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,\n               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.\n               731.106)."
-          },
-          "rlinks": [
-            {
-              "href": "http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"
-            }
-          ]
-        },
-        {
-          "uuid": "bb61234b-46c3-4211-8c2b-9869222a720d",
-          "title": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)",
-          "citation": {
-            "text": "C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"
-            }
-          ]
-        },
-        {
-          "uuid": "a4aa9645-9a8a-4b51-90a9-e223250f9a75",
-          "title": "CNSS Policy 15",
-          "citation": {
-            "text": "CNSS Policy 15"
-          },
-          "rlinks": [
-            {
-              "href": "https://www.cnss.gov/policies.html"
-            }
-          ]
-        },
-        {
-          "uuid": "2d8b14e9-c8b5-4d3d-8bdc-155078f3281b",
-          "title": "DoD Information Assurance Vulnerability Alerts",
-          "citation": {
-            "text": "DoD Information Assurance Vulnerability Alerts"
-          }
-        },
-        {
-          "uuid": "61081e7f-041d-4033-96a7-44a439071683",
-          "title": "DoD Instruction 5200.39",
-          "citation": {
-            "text": "DoD Instruction 5200.39"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "e42b2099-3e1c-415b-952c-61c96533c12e",
-          "title": "DoD Instruction 8551.01",
-          "citation": {
-            "text": "DoD Instruction 8551.01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "e6522953-6714-435d-a0d3-140df554c186",
-          "title": "DoD Instruction 8552.01",
-          "citation": {
-            "text": "DoD Instruction 8552.01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dtic.mil/whs/directives/corres/ins1.html"
-            }
-          ]
-        },
-        {
-          "uuid": "c5034e0c-eba6-4ecd-a541-79f0678f4ba4",
-          "title": "Executive Order 13587",
-          "citation": {
-            "text": "Executive Order 13587"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"
-            }
-          ]
-        },
-        {
-          "uuid": "56d671da-6b7b-4abf-8296-84b61980390a",
-          "title": "Federal Acquisition Regulation",
-          "citation": {
-            "text": "Federal Acquisition Regulation"
-          },
-          "rlinks": [
-            {
-              "href": "https://acquisition.gov/far"
-            }
-          ]
-        },
-        {
-          "uuid": "023104bc-6f75-4cd5-b7d0-fc92326f8007",
-          "title": "Federal Continuity Directive 1",
-          "citation": {
-            "text": "Federal Continuity Directive 1"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.fema.gov/pdf/about/offices/fcd1.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "ba557c91-ba3e-4792-adc6-a4ae479b39ff",
-          "title": "FICAM Roadmap and Implementation Guidance",
-          "citation": {
-            "text": "FICAM Roadmap and Implementation Guidance"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"
-            }
-          ]
-        },
-        {
-          "uuid": "39f9087d-7687-46d2-8eda-b6f4b7a4d8a9",
-          "title": "FIPS Publication 140",
-          "citation": {
-            "text": "FIPS Publication 140"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html"
-            }
-          ]
-        },
-        {
-          "uuid": "d715b234-9b5b-4e07-b1ed-99836727664d",
-          "title": "FIPS Publication 140-2",
-          "citation": {
-            "text": "FIPS Publication 140-2"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#140-2"
-            }
-          ]
-        },
-        {
-          "uuid": "f2dbd4ec-c413-4714-b85b-6b7184d1c195",
-          "title": "FIPS Publication 197",
-          "citation": {
-            "text": "FIPS Publication 197"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#197"
-            }
-          ]
-        },
-        {
-          "uuid": "e85cdb3f-7f0a-4083-8639-f13f70d3760b",
-          "title": "FIPS Publication 199",
-          "citation": {
-            "text": "FIPS Publication 199"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#199"
-            }
-          ]
-        },
-        {
-          "uuid": "c80c10b3-1294-4984-a4cc-d1733ca432b9",
-          "title": "FIPS Publication 201",
-          "citation": {
-            "text": "FIPS Publication 201"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsFIPS.html#201"
-            }
-          ]
-        },
-        {
-          "uuid": "ad733a42-a7ed-4774-b988-4930c28852f3",
-          "title": "HSPD-12",
-          "citation": {
-            "text": "HSPD-12"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dhs.gov/homeland-security-presidential-directive-12"
-            }
-          ]
-        },
-        {
-          "uuid": "4ef539ba-b767-4666-b0d3-168c53005fa3",
-          "title": "http://capec.mitre.org",
-          "citation": {
-            "text": "http://capec.mitre.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://capec.mitre.org"
-            }
-          ]
-        },
-        {
-          "uuid": "e95dd121-2733-413e-bf1e-f1eb49f20a98",
-          "title": "http://checklists.nist.gov",
-          "citation": {
-            "text": "http://checklists.nist.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://checklists.nist.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "6a1041fc-054e-4230-946b-2e6f4f3731bb",
-          "title": "http://csrc.nist.gov/cryptval",
-          "citation": {
-            "text": "http://csrc.nist.gov/cryptval"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/cryptval"
-            }
-          ]
-        },
-        {
-          "uuid": "b09d1a31-d3c9-4138-a4f4-4c63816afd7d",
-          "title": "http://csrc.nist.gov/groups/STM/cmvp/index.html",
-          "citation": {
-            "text": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/groups/STM/cmvp/index.html"
-            }
-          ]
-        },
-        {
-          "uuid": "0931209f-00ae-4132-b92c-bc645847e8f9",
-          "title": "http://cve.mitre.org",
-          "citation": {
-            "text": "http://cve.mitre.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://cve.mitre.org"
-            }
-          ]
-        },
-        {
-          "uuid": "15522e92-9192-463d-9646-6a01982db8ca",
-          "title": "http://cwe.mitre.org",
-          "citation": {
-            "text": "http://cwe.mitre.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://cwe.mitre.org"
-            }
-          ]
-        },
-        {
-          "uuid": "5ed1f4d5-1494-421b-97ed-39d3c88ab51f",
-          "title": "http://fips201ep.cio.gov",
-          "citation": {
-            "text": "http://fips201ep.cio.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://fips201ep.cio.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "85280698-0417-489d-b214-12bb935fb939",
-          "title": "http://idmanagement.gov",
-          "citation": {
-            "text": "http://idmanagement.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://idmanagement.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "275cc052-0f7f-423c-bdb6-ed503dc36228",
-          "title": "http://nvd.nist.gov",
-          "citation": {
-            "text": "http://nvd.nist.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://nvd.nist.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "bbd50dd1-54ce-4432-959d-63ea564b1bb4",
-          "title": "http://www.acquisition.gov/far",
-          "citation": {
-            "text": "http://www.acquisition.gov/far"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.acquisition.gov/far"
-            }
-          ]
-        },
-        {
-          "uuid": "9b97ed27-3dd6-4f9a-ade5-1b43e9669794",
-          "title": "http://www.cnss.gov",
-          "citation": {
-            "text": "http://www.cnss.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.cnss.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "3ac12e79-f54f-4a63-9f4b-ee4bcd4df604",
-          "title": "http://www.dhs.gov/telecommunications-service-priority-tsp",
-          "citation": {
-            "text": "http://www.dhs.gov/telecommunications-service-priority-tsp"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dhs.gov/telecommunications-service-priority-tsp"
-            }
-          ]
-        },
-        {
-          "uuid": "c95a9986-3cd6-4a98-931b-ccfc56cb11e5",
-          "title": "http://www.niap-ccevs.org",
-          "citation": {
-            "text": "http://www.niap-ccevs.org"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.niap-ccevs.org"
-            }
-          ]
-        },
-        {
-          "uuid": "647b6de3-81d0-4d22-bec1-5f1333e34380",
-          "title": "http://www.nsa.gov",
-          "citation": {
-            "text": "http://www.nsa.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nsa.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "a47466c4-c837-4f06-a39f-e68412a5f73d",
-          "title": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml",
-          "citation": {
-            "text": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"
-            }
-          ]
-        },
-        {
-          "uuid": "02631467-668b-4233-989b-3dfded2fd184",
-          "title": "http://www.us-cert.gov",
-          "citation": {
-            "text": "http://www.us-cert.gov"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.us-cert.gov"
-            }
-          ]
-        },
-        {
-          "uuid": "6caa237b-531b-43ac-9711-d8f6b97b0377",
-          "title": "ICD 704",
-          "citation": {
-            "text": "ICD 704"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"
-            }
-          ]
-        },
-        {
-          "uuid": "398e33fd-f404-4e5c-b90e-2d50d3181244",
-          "title": "ICD 705",
-          "citation": {
-            "text": "ICD 705"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"
-            }
-          ]
-        },
-        {
-          "uuid": "1737a687-52fb-4008-b900-cbfa836f7b65",
-          "title": "ISO/IEC 15408",
-          "citation": {
-            "text": "ISO/IEC 15408"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"
-            }
-          ]
-        },
-        {
-          "uuid": "fb5844de-ff96-47c0-b258-4f52bcc2f30d",
-          "title": "National Communications Systems Directive 3-10",
-          "citation": {
-            "text": "National Communications Systems Directive 3-10"
-          }
-        },
-        {
-          "uuid": "654f21e2-f3bc-43b2-abdc-60ab8d09744b",
-          "title": "National Strategy for Trusted Identities in Cyberspace",
-          "citation": {
-            "text": "National Strategy for Trusted Identities in Cyberspace"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.nist.gov/nstic"
-            }
-          ]
-        },
-        {
-          "uuid": "9cb3d8fe-2127-48ba-821e-cdd2d7aee921",
-          "title": "NIST Special Publication 800-100",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-100"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-100"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-100"
-            }
-          ]
-        },
-        {
-          "uuid": "3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e",
-          "title": "NIST Special Publication 800-111",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-111"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-111"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-111"
-            }
-          ]
-        },
-        {
-          "uuid": "349fe082-502d-464a-aa0c-1443c6a5cf40",
-          "title": "NIST Special Publication 800-113",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-113"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-113"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-113"
-            }
-          ]
-        },
-        {
-          "uuid": "1201fcf3-afb1-4675-915a-fb4ae0435717",
-          "title": "NIST Special Publication 800-114 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-114r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-114 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-114r1"
-            }
-          ]
-        },
-        {
-          "uuid": "c4691b88-57d1-463b-9053-2d0087913f31",
-          "title": "NIST Special Publication 800-115",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-115"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-115"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-115"
-            }
-          ]
-        },
-        {
-          "uuid": "2157bb7e-192c-4eaa-877f-93ef6b0a3292",
-          "title": "NIST Special Publication 800-116 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-116r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-116 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-116r1"
-            }
-          ]
-        },
-        {
-          "uuid": "5c201b63-0768-417b-ac22-3f014e3941b2",
-          "title": "NIST Special Publication 800-12 Rev. 1",
-          "document-ids": [
-            {
-              "type": "doi",
-              "identifier": "10.6028/NIST.SP.800-12r1"
-            }
-          ],
-          "citation": {
-            "text": "NIST Special Publication 800-12 Rev. 1"
-          },
-          "rlinks": [
-            {
-              "href": "https://doi.org/10.6028/NIST.SP.800-12r1"
-            }
-          ]
-        },
-        {
-          "uuid": "d1a4e2a9-e512-4132-8795-5357aba29254",
-          "title": "NIST Special Publication 800-121",
-          "citation": {
-            "text": "NIST Special Publication 800-121"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-121"
-            }
-          ]
-        },
-        {
-          "uuid": "0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589",
-          "title": "NIST Special Publication 800-124",
-          "citation": {
-            "text": "NIST Special Publication 800-124"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-124"
-            }
-          ]
-        },
-        {
-          "uuid": "080f8068-5e3e-435e-9790-d22ba4722693",
-          "title": "NIST Special Publication 800-128",
-          "citation": {
-            "text": "NIST Special Publication 800-128"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-128"
-            }
-          ]
-        },
-        {
-          "uuid": "cee2c6ca-0261-4a6f-b630-e41d8ffdd82b",
-          "title": "NIST Special Publication 800-137",
-          "citation": {
-            "text": "NIST Special Publication 800-137"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-137"
-            }
-          ]
-        },
-        {
-          "uuid": "6bf8d24a-78dc-4727-a2ac-0e64d71c495c",
-          "title": "NIST Special Publication 800-147",
-          "citation": {
-            "text": "NIST Special Publication 800-147"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-147"
-            }
-          ]
-        },
-        {
-          "uuid": "3878cc04-144a-483e-af62-8fe6f4ad6c7a",
-          "title": "NIST Special Publication 800-155",
-          "citation": {
-            "text": "NIST Special Publication 800-155"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-155"
-            }
-          ]
-        },
-        {
-          "uuid": "825438c3-248d-4e30-a51e-246473ce6ada",
-          "title": "NIST Special Publication 800-16",
-          "citation": {
-            "text": "NIST Special Publication 800-16"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-16"
-            }
-          ]
-        },
-        {
-          "uuid": "6513e480-fada-4876-abba-1397084dfb26",
-          "title": "NIST Special Publication 800-164",
-          "citation": {
-            "text": "NIST Special Publication 800-164"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-164"
-            }
-          ]
-        },
-        {
-          "uuid": "9c5c9e8c-dc81-4f55-a11c-d71d7487790f",
-          "title": "NIST Special Publication 800-18",
-          "citation": {
-            "text": "NIST Special Publication 800-18"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-18"
-            }
-          ]
-        },
-        {
-          "uuid": "0a5db899-f033-467f-8631-f5a8ba971475",
-          "title": "NIST Special Publication 800-23",
-          "citation": {
-            "text": "NIST Special Publication 800-23"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-23"
-            }
-          ]
-        },
-        {
-          "uuid": "21b1ed35-56d2-40a8-bdfe-b461fffe322f",
-          "title": "NIST Special Publication 800-27",
-          "citation": {
-            "text": "NIST Special Publication 800-27"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-27"
-            }
-          ]
-        },
-        {
-          "uuid": "e716cd51-d1d5-4c6a-967a-22e9fbbc42f1",
-          "title": "NIST Special Publication 800-28",
-          "citation": {
-            "text": "NIST Special Publication 800-28"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-28"
-            }
-          ]
-        },
-        {
-          "uuid": "a466121b-f0e2-41f0-a5f9-deb0b5fe6b15",
-          "title": "NIST Special Publication 800-30",
-          "citation": {
-            "text": "NIST Special Publication 800-30"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-30"
-            }
-          ]
-        },
-        {
-          "uuid": "8f174e91-844e-4cf1-a72a-45c119a3a8dd",
-          "title": "NIST Special Publication 800-32",
-          "citation": {
-            "text": "NIST Special Publication 800-32"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-32"
-            }
-          ]
-        },
-        {
-          "uuid": "748a81b9-9cad-463f-abde-8b368167e70d",
-          "title": "NIST Special Publication 800-34",
-          "citation": {
-            "text": "NIST Special Publication 800-34"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-34"
-            }
-          ]
-        },
-        {
-          "uuid": "0c775bc3-bfc3-42c7-a382-88949f503171",
-          "title": "NIST Special Publication 800-35",
-          "citation": {
-            "text": "NIST Special Publication 800-35"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-35"
-            }
-          ]
-        },
-        {
-          "uuid": "d818efd3-db31-4953-8afa-9e76afe83ce2",
-          "title": "NIST Special Publication 800-36",
-          "citation": {
-            "text": "NIST Special Publication 800-36"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-36"
-            }
-          ]
-        },
-        {
-          "uuid": "0a0c26b6-fd44-4274-8b36-93442d49d998",
-          "title": "NIST Special Publication 800-37",
-          "citation": {
-            "text": "NIST Special Publication 800-37"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-37"
-            }
-          ]
-        },
-        {
-          "uuid": "d480aa6a-7a88-424e-a10c-ad1c7870354b",
-          "title": "NIST Special Publication 800-39",
-          "citation": {
-            "text": "NIST Special Publication 800-39"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-39"
-            }
-          ]
-        },
-        {
-          "uuid": "bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d",
-          "title": "NIST Special Publication 800-40",
-          "citation": {
-            "text": "NIST Special Publication 800-40"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-40"
-            }
-          ]
-        },
-        {
-          "uuid": "756a8e86-57d5-4701-8382-f7a40439665a",
-          "title": "NIST Special Publication 800-41",
-          "citation": {
-            "text": "NIST Special Publication 800-41"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-41"
-            }
-          ]
-        },
-        {
-          "uuid": "c6e95ca0-5828-420e-b095-00895b72b5e8",
-          "title": "NIST Special Publication 800-45",
-          "citation": {
-            "text": "NIST Special Publication 800-45"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-45"
-            }
-          ]
-        },
-        {
-          "uuid": "5309d4d0-46f8-4213-a749-e7584164e5e8",
-          "title": "NIST Special Publication 800-46",
-          "citation": {
-            "text": "NIST Special Publication 800-46"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-46"
-            }
-          ]
-        },
-        {
-          "uuid": "2711f068-734e-4afd-94ba-0b22247fbc88",
-          "title": "NIST Special Publication 800-47",
-          "citation": {
-            "text": "NIST Special Publication 800-47"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-47"
-            }
-          ]
-        },
-        {
-          "uuid": "238ed479-eccb-49f6-82ec-ab74a7a428cf",
-          "title": "NIST Special Publication 800-48",
-          "citation": {
-            "text": "NIST Special Publication 800-48"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-48"
-            }
-          ]
-        },
-        {
-          "uuid": "e12b5738-de74-4fb3-8317-a3995a8a1898",
-          "title": "NIST Special Publication 800-50",
-          "citation": {
-            "text": "NIST Special Publication 800-50"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-50"
-            }
-          ]
-        },
-        {
-          "uuid": "90c5bc98-f9c4-44c9-98b7-787422f0999c",
-          "title": "NIST Special Publication 800-52",
-          "citation": {
-            "text": "NIST Special Publication 800-52"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-52"
-            }
-          ]
-        },
-        {
-          "uuid": "cd4cf751-3312-4a55-b1a9-fad2f1db9119",
-          "title": "NIST Special Publication 800-53A",
-          "citation": {
-            "text": "NIST Special Publication 800-53A"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-53A"
-            }
-          ]
-        },
-        {
-          "uuid": "81f09e01-d0b0-4ae2-aa6a-064ed9950070",
-          "title": "NIST Special Publication 800-56",
-          "citation": {
-            "text": "NIST Special Publication 800-56"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-56"
-            }
-          ]
-        },
-        {
-          "uuid": "a6c774c0-bf50-4590-9841-2a5c1c91ac6f",
-          "title": "NIST Special Publication 800-57",
-          "citation": {
-            "text": "NIST Special Publication 800-57"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-57"
-            }
-          ]
-        },
-        {
-          "uuid": "7783f3e7-09b3-478b-9aa2-4a76dfd0ea90",
-          "title": "NIST Special Publication 800-58",
-          "citation": {
-            "text": "NIST Special Publication 800-58"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-58"
-            }
-          ]
-        },
-        {
-          "uuid": "f152844f-b1ef-4836-8729-6277078ebee1",
-          "title": "NIST Special Publication 800-60",
-          "citation": {
-            "text": "NIST Special Publication 800-60"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-60"
-            }
-          ]
-        },
-        {
-          "uuid": "be95fb85-a53f-4624-bdbb-140075500aa3",
-          "title": "NIST Special Publication 800-61",
-          "citation": {
-            "text": "NIST Special Publication 800-61"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-61"
-            }
-          ]
-        },
-        {
-          "uuid": "644f44a9-a2de-4494-9c04-cd37fba45471",
-          "title": "NIST Special Publication 800-63",
-          "citation": {
-            "text": "NIST Special Publication 800-63"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-63"
-            }
-          ]
-        },
-        {
-          "uuid": "abd950ae-092f-4b7a-b374-1c7c67fe9350",
-          "title": "NIST Special Publication 800-64",
-          "citation": {
-            "text": "NIST Special Publication 800-64"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-64"
-            }
-          ]
-        },
-        {
-          "uuid": "29fcfe59-33cd-494a-8756-5907ae3a8f92",
-          "title": "NIST Special Publication 800-65",
-          "citation": {
-            "text": "NIST Special Publication 800-65"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-65"
-            }
-          ]
-        },
-        {
-          "uuid": "84a37532-6db6-477b-9ea8-f9085ebca0fc",
-          "title": "NIST Special Publication 800-70",
-          "citation": {
-            "text": "NIST Special Publication 800-70"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-70"
-            }
-          ]
-        },
-        {
-          "uuid": "ead74ea9-4c9c-446d-9b92-bcbf0ad4b655",
-          "title": "NIST Special Publication 800-73",
-          "citation": {
-            "text": "NIST Special Publication 800-73"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-73"
-            }
-          ]
-        },
-        {
-          "uuid": "2a71298a-ee90-490e-80ff-48c967173a47",
-          "title": "NIST Special Publication 800-76",
-          "citation": {
-            "text": "NIST Special Publication 800-76"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-76"
-            }
-          ]
-        },
-        {
-          "uuid": "99f331f2-a9f0-46c2-9856-a3cbb9b89442",
-          "title": "NIST Special Publication 800-77",
-          "citation": {
-            "text": "NIST Special Publication 800-77"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-77"
-            }
-          ]
-        },
-        {
-          "uuid": "2042d97b-f7f6-4c74-84f8-981867684659",
-          "title": "NIST Special Publication 800-78",
-          "citation": {
-            "text": "NIST Special Publication 800-78"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-78"
-            }
-          ]
-        },
-        {
-          "uuid": "6af1e841-672c-46c4-b121-96f603d04be3",
-          "title": "NIST Special Publication 800-81",
-          "citation": {
-            "text": "NIST Special Publication 800-81"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-81"
-            }
-          ]
-        },
-        {
-          "uuid": "6d431fee-658f-4a0e-9f2e-a38b5d398fab",
-          "title": "NIST Special Publication 800-83",
-          "citation": {
-            "text": "NIST Special Publication 800-83"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-83"
-            }
-          ]
-        },
-        {
-          "uuid": "0243a05a-e8a3-4d51-9364-4a9d20b0dcdf",
-          "title": "NIST Special Publication 800-84",
-          "citation": {
-            "text": "NIST Special Publication 800-84"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-84"
-            }
-          ]
-        },
-        {
-          "uuid": "263823e0-a971-4b00-959d-315b26278b22",
-          "title": "NIST Special Publication 800-88",
-          "citation": {
-            "text": "NIST Special Publication 800-88"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-88"
-            }
-          ]
-        },
-        {
-          "uuid": "672fd561-b92b-4713-b9cf-6c9d9456728b",
-          "title": "NIST Special Publication 800-92",
-          "citation": {
-            "text": "NIST Special Publication 800-92"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-92"
-            }
-          ]
-        },
-        {
-          "uuid": "d1b1d689-0f66-4474-9924-c81119758dc1",
-          "title": "NIST Special Publication 800-94",
-          "citation": {
-            "text": "NIST Special Publication 800-94"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-94"
-            }
-          ]
-        },
-        {
-          "uuid": "1ebdf782-d95d-4a7b-8ec7-ee860951eced",
-          "title": "NIST Special Publication 800-95",
-          "citation": {
-            "text": "NIST Special Publication 800-95"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-95"
-            }
-          ]
-        },
-        {
-          "uuid": "6f336ecd-f2a0-4c84-9699-0491d81b6e0d",
-          "title": "NIST Special Publication 800-97",
-          "citation": {
-            "text": "NIST Special Publication 800-97"
-          },
-          "rlinks": [
-            {
-              "href": "http://csrc.nist.gov/publications/PubsSPs.html#800-97"
-            }
-          ]
-        },
-        {
-          "uuid": "06dff0ea-3848-4945-8d91-e955ee69f05d",
-          "title": "NSTISSI No. 7003",
-          "citation": {
-            "text": "NSTISSI No. 7003"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab",
-          "title": "OMB Circular A-130",
-          "citation": {
-            "text": "OMB Circular A-130"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/omb/circulars_a130_a130trans4"
-            }
-          ]
-        },
-        {
-          "uuid": "2c5884cd-7b96-425c-862a-99877e1cf909",
-          "title": "OMB Memorandum 02-01",
-          "citation": {
-            "text": "OMB Memorandum 02-01"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/omb/memoranda_m02-01"
-            }
-          ]
-        },
-        {
-          "uuid": "ff3bfb02-79b2-411f-8735-98dfe5af2ab0",
-          "title": "OMB Memorandum 04-04",
-          "citation": {
-            "text": "OMB Memorandum 04-04"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "58ad6f27-af99-429f-86a8-8bb767b014b9",
-          "title": "OMB Memorandum 05-24",
-          "citation": {
-            "text": "OMB Memorandum 05-24"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "4da24a96-6cf8-435d-9d1f-c73247cad109",
-          "title": "OMB Memorandum 06-16",
-          "citation": {
-            "text": "OMB Memorandum 06-16"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "990268bf-f4a9-4c81-91ae-dc7d3115f4b1",
-          "title": "OMB Memorandum 07-11",
-          "citation": {
-            "text": "OMB Memorandum 07-11"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "0b3d8ba9-051f-498d-81ea-97f0f018c612",
-          "title": "OMB Memorandum 07-18",
-          "citation": {
-            "text": "OMB Memorandum 07-18"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "0916ef02-3618-411b-a525-565c088849a6",
-          "title": "OMB Memorandum 08-22",
-          "citation": {
-            "text": "OMB Memorandum 08-22"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "28115a56-da6b-4d44-b1df-51dd7f048a3e",
-          "title": "OMB Memorandum 08-23",
-          "citation": {
-            "text": "OMB Memorandum 08-23"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "599fe9ba-4750-4450-9eeb-b95bd19a5e8f",
-          "title": "OMB Memorandum 10-06-2011",
-          "citation": {
-            "text": "OMB Memorandum 10-06-2011"
-          }
-        },
-        {
-          "uuid": "74e740a4-c45d-49f3-a86e-eb747c549e01",
-          "title": "OMB Memorandum 11-11",
-          "citation": {
-            "text": "OMB Memorandum 11-11"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "bedb15b7-ec5c-4a68-807f-385125751fcd",
-          "title": "OMB Memorandum 11-33",
-          "citation": {
-            "text": "OMB Memorandum 11-33"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "dd2f5acd-08f1-435a-9837-f8203088dc1a",
-          "title": "Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n            (E-PACS)",
-          "citation": {
-            "text": "Personal Identity Verification (PIV) in Enterprise Physical Access Control System\n               (E-PACS)"
-          }
-        },
-        {
-          "uuid": "8ade2fbe-e468-4ca8-9a40-54d7f23c32bb",
-          "title": "US-CERT Technical Cyber Security Alerts",
-          "citation": {
-            "text": "US-CERT Technical Cyber Security Alerts"
-          },
-          "rlinks": [
-            {
-              "href": "http://www.us-cert.gov/ncas/alerts"
-            }
-          ]
-        },
-        {
-          "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48",
-          "title": "FedRAMP Applicable Laws and Regulations",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-citations"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-            }
-          ]
-        },
-        {
-          "uuid": "1a23a771-d481-4594-9a1a-71d584fa4123",
-          "title": "FedRAMP Master Acronym and Glossary",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-acronyms"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f",
-          "desc": "FedRAMP Logo",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-logo"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png"
-            }
-          ]
-        },
-        {
-          "uuid": "ad005eae-cc63-4e64-9109-3905a9a825e4",
-          "title": "NIST Special Publication (SP) 800-53",
-          "properties": [
-            {
-              "name": "version",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "Revision 4"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-              "media-type": "application/xml"
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
diff --git a/content/fedramp.gov/json/FedRAMP_MODERATE-baseline_profile-min.json b/content/fedramp.gov/json/FedRAMP_MODERATE-baseline_profile-min.json
deleted file mode 100644
index eed10d96a0..0000000000
--- a/content/fedramp.gov/json/FedRAMP_MODERATE-baseline_profile-min.json
+++ /dev/null
@@ -1 +0,0 @@
-{"profile":{"uuid":"8383f859-be40-453d-9588-c645af5bef6f","metadata":{"title":"FedRAMP Moderate Baseline","published":"2020-06-01T00:00:00.000-04:00","last-modified":"2020-06-01T10:00:00.000-04:00","version":"1.2","oscal-version":"1.0.0-milestone3","roles":[{"id":"parpared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"parties":[{"uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","type":"organization","party-name":"Federal Risk and Authorization Management Program: Program Management Office","short-name":"FedRAMP PMO","links":[{"href":"https://fedramp.gov","rel":"homepage","text":""}],"addresses":[{"type":"work","postal-address":["1800 F St. NW",""],"city":"Washington","state":"DC","postal-code":"","country":"US"}],"email-addresses":["info@fedramp.gov"]},{"uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","type":"organization","party-name":"Federal Risk and Authorization Management Program: Joint Authorization Board","short-name":"FedRAMP JAB"}],"responsible-parties":{"prepared-by":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-pmo":{"party-uuids":["4aa7b203-318b-4cde-96cf-feaeffc3a4b7"]},"fedramp-jab":{"party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}}},"imports":[{"href":"#ad005eae-cc63-4e64-9109-3905a9a825e4","include":{"id-selectors":[{"control-id":"ac-1"},{"control-id":"ac-2"},{"control-id":"ac-2.1"},{"control-id":"ac-2.2"},{"control-id":"ac-2.3"},{"control-id":"ac-2.4"},{"control-id":"ac-2.5"},{"control-id":"ac-2.7"},{"control-id":"ac-2.9"},{"control-id":"ac-2.10"},{"control-id":"ac-2.12"},{"control-id":"ac-3"},{"control-id":"ac-4"},{"control-id":"ac-4.21"},{"control-id":"ac-5"},{"control-id":"ac-6"},{"control-id":"ac-6.1"},{"control-id":"ac-6.2"},{"control-id":"ac-6.5"},{"control-id":"ac-6.9"},{"control-id":"ac-6.10"},{"control-id":"ac-7"},{"control-id":"ac-8"},{"control-id":"ac-10"},{"control-id":"ac-11"},{"control-id":"ac-11.1"},{"control-id":"ac-12"},{"control-id":"ac-14"},{"control-id":"ac-17"},{"control-id":"ac-17.1"},{"control-id":"ac-17.2"},{"control-id":"ac-17.3"},{"control-id":"ac-17.4"},{"control-id":"ac-17.9"},{"control-id":"ac-18"},{"control-id":"ac-18.1"},{"control-id":"ac-19"},{"control-id":"ac-19.5"},{"control-id":"ac-20"},{"control-id":"ac-20.1"},{"control-id":"ac-20.2"},{"control-id":"ac-21"},{"control-id":"ac-22"},{"control-id":"at-1"},{"control-id":"at-2"},{"control-id":"at-2.2"},{"control-id":"at-3"},{"control-id":"at-4"},{"control-id":"au-1"},{"control-id":"au-2"},{"control-id":"au-2.3"},{"control-id":"au-3"},{"control-id":"au-3.1"},{"control-id":"au-4"},{"control-id":"au-5"},{"control-id":"au-6"},{"control-id":"au-6.1"},{"control-id":"au-6.3"},{"control-id":"au-7"},{"control-id":"au-7.1"},{"control-id":"au-8"},{"control-id":"au-8.1"},{"control-id":"au-9"},{"control-id":"au-9.2"},{"control-id":"au-9.4"},{"control-id":"au-11"},{"control-id":"au-12"},{"control-id":"ca-1"},{"control-id":"ca-2"},{"control-id":"ca-2.1"},{"control-id":"ca-2.2"},{"control-id":"ca-2.3"},{"control-id":"ca-3"},{"control-id":"ca-3.3"},{"control-id":"ca-3.5"},{"control-id":"ca-5"},{"control-id":"ca-6"},{"control-id":"ca-7"},{"control-id":"ca-7.1"},{"control-id":"ca-8"},{"control-id":"ca-8.1"},{"control-id":"ca-9"},{"control-id":"cm-1"},{"control-id":"cm-2"},{"control-id":"cm-2.1"},{"control-id":"cm-2.2"},{"control-id":"cm-2.3"},{"control-id":"cm-2.7"},{"control-id":"cm-3"},{"control-id":"cm-4"},{"control-id":"cm-5"},{"control-id":"cm-5.1"},{"control-id":"cm-5.3"},{"control-id":"cm-5.5"},{"control-id":"cm-6"},{"control-id":"cm-6.1"},{"control-id":"cm-7"},{"control-id":"cm-7.1"},{"control-id":"cm-7.2"},{"control-id":"cm-7.5"},{"control-id":"cm-8"},{"control-id":"cm-8.1"},{"control-id":"cm-8.3"},{"control-id":"cm-8.5"},{"control-id":"cm-9"},{"control-id":"cm-10"},{"control-id":"cm-10.1"},{"control-id":"cm-11"},{"control-id":"cp-1"},{"control-id":"cp-2"},{"control-id":"cp-2.1"},{"control-id":"cp-2.2"},{"control-id":"cp-2.3"},{"control-id":"cp-2.8"},{"control-id":"cp-3"},{"control-id":"cp-4"},{"control-id":"cp-4.1"},{"control-id":"cp-6"},{"control-id":"cp-6.1"},{"control-id":"cp-6.3"},{"control-id":"cp-7"},{"control-id":"cp-7.1"},{"control-id":"cp-7.2"},{"control-id":"cp-7.3"},{"control-id":"cp-8"},{"control-id":"cp-8.1"},{"control-id":"cp-8.2"},{"control-id":"cp-9"},{"control-id":"cp-9.1"},{"control-id":"cp-9.3"},{"control-id":"cp-10"},{"control-id":"cp-10.2"},{"control-id":"ia-1"},{"control-id":"ia-2"},{"control-id":"ia-2.1"},{"control-id":"ia-2.2"},{"control-id":"ia-2.3"},{"control-id":"ia-2.5"},{"control-id":"ia-2.8"},{"control-id":"ia-2.11"},{"control-id":"ia-2.12"},{"control-id":"ia-3"},{"control-id":"ia-4"},{"control-id":"ia-4.4"},{"control-id":"ia-5"},{"control-id":"ia-5.1"},{"control-id":"ia-5.2"},{"control-id":"ia-5.3"},{"control-id":"ia-5.4"},{"control-id":"ia-5.6"},{"control-id":"ia-5.7"},{"control-id":"ia-5.11"},{"control-id":"ia-6"},{"control-id":"ia-7"},{"control-id":"ia-8"},{"control-id":"ia-8.1"},{"control-id":"ia-8.2"},{"control-id":"ia-8.3"},{"control-id":"ia-8.4"},{"control-id":"ir-1"},{"control-id":"ir-2"},{"control-id":"ir-3"},{"control-id":"ir-3.2"},{"control-id":"ir-4"},{"control-id":"ir-4.1"},{"control-id":"ir-5"},{"control-id":"ir-6"},{"control-id":"ir-6.1"},{"control-id":"ir-7"},{"control-id":"ir-7.1"},{"control-id":"ir-7.2"},{"control-id":"ir-8"},{"control-id":"ir-9"},{"control-id":"ir-9.1"},{"control-id":"ir-9.2"},{"control-id":"ir-9.3"},{"control-id":"ir-9.4"},{"control-id":"ma-1"},{"control-id":"ma-2"},{"control-id":"ma-3"},{"control-id":"ma-3.1"},{"control-id":"ma-3.2"},{"control-id":"ma-3.3"},{"control-id":"ma-4"},{"control-id":"ma-4.2"},{"control-id":"ma-5"},{"control-id":"ma-5.1"},{"control-id":"ma-6"},{"control-id":"mp-1"},{"control-id":"mp-2"},{"control-id":"mp-3"},{"control-id":"mp-4"},{"control-id":"mp-5"},{"control-id":"mp-5.4"},{"control-id":"mp-6"},{"control-id":"mp-6.2"},{"control-id":"mp-7"},{"control-id":"mp-7.1"},{"control-id":"pe-1"},{"control-id":"pe-2"},{"control-id":"pe-3"},{"control-id":"pe-4"},{"control-id":"pe-5"},{"control-id":"pe-6"},{"control-id":"pe-6.1"},{"control-id":"pe-8"},{"control-id":"pe-9"},{"control-id":"pe-10"},{"control-id":"pe-11"},{"control-id":"pe-12"},{"control-id":"pe-13"},{"control-id":"pe-13.2"},{"control-id":"pe-13.3"},{"control-id":"pe-14"},{"control-id":"pe-14.2"},{"control-id":"pe-15"},{"control-id":"pe-16"},{"control-id":"pe-17"},{"control-id":"pl-1"},{"control-id":"pl-2"},{"control-id":"pl-2.3"},{"control-id":"pl-4"},{"control-id":"pl-4.1"},{"control-id":"pl-8"},{"control-id":"ps-1"},{"control-id":"ps-2"},{"control-id":"ps-3"},{"control-id":"ps-3.3"},{"control-id":"ps-4"},{"control-id":"ps-5"},{"control-id":"ps-6"},{"control-id":"ps-7"},{"control-id":"ps-8"},{"control-id":"ra-1"},{"control-id":"ra-2"},{"control-id":"ra-3"},{"control-id":"ra-5"},{"control-id":"ra-5.1"},{"control-id":"ra-5.2"},{"control-id":"ra-5.3"},{"control-id":"ra-5.5"},{"control-id":"ra-5.6"},{"control-id":"ra-5.8"},{"control-id":"sa-1"},{"control-id":"sa-2"},{"control-id":"sa-3"},{"control-id":"sa-4"},{"control-id":"sa-4.1"},{"control-id":"sa-4.2"},{"control-id":"sa-4.8"},{"control-id":"sa-4.9"},{"control-id":"sa-4.10"},{"control-id":"sa-5"},{"control-id":"sa-8"},{"control-id":"sa-9"},{"control-id":"sa-9.1"},{"control-id":"sa-9.2"},{"control-id":"sa-9.4"},{"control-id":"sa-9.5"},{"control-id":"sa-10"},{"control-id":"sa-10.1"},{"control-id":"sa-11"},{"control-id":"sa-11.1"},{"control-id":"sa-11.2"},{"control-id":"sa-11.8"},{"control-id":"sc-1"},{"control-id":"sc-2"},{"control-id":"sc-4"},{"control-id":"sc-5"},{"control-id":"sc-6"},{"control-id":"sc-7"},{"control-id":"sc-7.3"},{"control-id":"sc-7.4"},{"control-id":"sc-7.5"},{"control-id":"sc-7.7"},{"control-id":"sc-7.8"},{"control-id":"sc-7.12"},{"control-id":"sc-7.13"},{"control-id":"sc-7.18"},{"control-id":"sc-8"},{"control-id":"sc-8.1"},{"control-id":"sc-10"},{"control-id":"sc-12"},{"control-id":"sc-12.2"},{"control-id":"sc-12.3"},{"control-id":"sc-13"},{"control-id":"sc-15"},{"control-id":"sc-17"},{"control-id":"sc-18"},{"control-id":"sc-19"},{"control-id":"sc-20"},{"control-id":"sc-21"},{"control-id":"sc-22"},{"control-id":"sc-23"},{"control-id":"sc-28"},{"control-id":"sc-28.1"},{"control-id":"sc-39"},{"control-id":"si-1"},{"control-id":"si-2"},{"control-id":"si-2.2"},{"control-id":"si-2.3"},{"control-id":"si-3"},{"control-id":"si-3.1"},{"control-id":"si-3.2"},{"control-id":"si-3.7"},{"control-id":"si-4"},{"control-id":"si-4.1"},{"control-id":"si-4.2"},{"control-id":"si-4.4"},{"control-id":"si-4.5"},{"control-id":"si-4.14"},{"control-id":"si-4.16"},{"control-id":"si-4.23"},{"control-id":"si-5"},{"control-id":"si-6"},{"control-id":"si-7"},{"control-id":"si-7.1"},{"control-id":"si-7.7"},{"control-id":"si-8"},{"control-id":"si-8.1"},{"control-id":"si-8.2"},{"control-id":"si-10"},{"control-id":"si-11"},{"control-id":"si-12"},{"control-id":"si-16"}]}}],"merge":{"combine":{"method":"keep"},"as-is":true},"modify":{"parameter-settings":{"ac-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ac-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ac-2_prm_4":{"constraints":[{"detail":"at least annually"}]},"ac-2.2_prm_2":{"constraints":[{"detail":"no more than 30 days for temporary and emergency account types"}]},"ac-2.3_prm_1":{"constraints":[{"detail":"90 days for user accounts"}]},"ac-6.2_prm_1":{"constraints":[{"detail":"all security functions"}]},"ac-7_prm_1":{"constraints":[{"detail":"not more than three (3)"}]},"ac-7_prm_2":{"constraints":[{"detail":"fifteen (15) minutes"}]},"ac-7_prm_4":{"constraints":[{"detail":"locks the account/node for thirty minutes"}]},"ac-8_prm_1":{"constraints":[{"detail":"see additional Requirements and Guidance"}]},"ac-8_prm_2":{"constraints":[{"detail":"see additional Requirements and Guidance]"}]},"ac-10_prm_2":{"constraints":[{"detail":"three (3) sessions for privileged access and two (2) sessions for non-privileged access"}]},"ac-11_prm_1":{"constraints":[{"detail":"fifteen (15) minutes"}]},"ac-17.9_prm_1":{"constraints":[{"detail":"fifteen 15 minutes"}]},"ac-22_prm_1":{"constraints":[{"detail":"at least quarterly"}]},"at-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"at-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"at-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"at-3_prm_1":{"constraints":[{"detail":"at least annually"}]},"at-4_prm_1":{"constraints":[{"detail":"At least one year"}]},"au-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"au-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"au-2_prm_1":{"constraints":[{"detail":"successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"}]},"au-2_prm_2":{"constraints":[{"detail":"organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event"}]},"au-2.3_prm_1":{"constraints":[{"detail":"annually or whenever there is a change in the threat environment"}]},"au-3.1_prm_1":{"constraints":[{"detail":"session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon"}]},"au-5_prm_2":{"constraints":[{"detail":"organization-defined actions to be taken (overwrite oldest record)"}]},"au-6_prm_1":{"constraints":[{"detail":"at least weekly"}]},"au-8.1_prm_1":{"constraints":[{"detail":"At least hourly"}]},"au-8.1_prm_2":{"constraints":[{"detail":"http://tf.nist.gov/tf-cgi/servers.cgi"}]},"au-9.2_prm_1":{"constraints":[{"detail":"at least weekly"}]},"au-11_prm_1":{"constraints":[{"detail":"at least ninety days"}]},"au-12_prm_1":{"constraints":[{"detail":"all information system and network components where audit capability is deployed/available"}]},"ca-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ca-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ca-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"ca-2_prm_2":{"constraints":[{"detail":"individuals or roles to include FedRAMP PMO"}]},"ca-2.2_prm_1":{"constraints":[{"detail":"at least annually"}]},"ca-2.3_prm_1":{"constraints":[{"detail":"any FedRAMP Accredited 3PAO"}]},"ca-2.3_prm_2":{"constraints":[{"detail":"any FedRAMP Accredited 3PAO"}]},"ca-2.3_prm_3":{"constraints":[{"detail":"the conditions of the JAB/AO in the FedRAMP Repository"}]},"ca-3_prm_1":{"constraints":[{"detail":"at least annually and on input from FedRAMP"}]},"ca-3.3_prm_2":{"constraints":[{"detail":"Boundary Protections which meet the Trusted Internet Connection (TIC) requirements"}]},"ca-5_prm_1":{"constraints":[{"detail":"at least monthly"}]},"ca-6_prm_1":{"constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},"ca-7_prm_4":{"constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},"ca-7_prm_5":{"constraints":[{"detail":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},"ca-8_prm_1":{"constraints":[{"detail":"at least annually"}]},"cm-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"cm-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"cm-2.1_prm_1":{"constraints":[{"detail":"at least annually or when a significant change occurs"}]},"cm-2.1_prm_2":{"constraints":[{"detail":"to include when directed by the JAB"}]},"cm-5.5_prm_1":{"constraints":[{"detail":"at least quarterly"}]},"cm-6_prm_1":{"guidance":[{"prose":"See CM-6(a) Additional FedRAMP Requirements and Guidance"}]},"cm-7_prm_1":{"constraints":[{"detail":"United States Government Configuration Baseline (USGCB)"}]},"cm-7.1_prm_1":{"constraints":[{"detail":"at least monthly"}]},"cm-7.5_prm_2":{"constraints":[{"detail":"at least Annually or when there is a change"}]},"cm-8_prm_2":{"constraints":[{"detail":"at least monthly"}]},"cm-8.3_prm_1":{"constraints":[{"detail":"Continuously, using automated mechanisms with a maximum five-minute delay in detection"}]},"cm-11_prm_3":{"constraints":[{"detail":"Continuously (via CM-7 (5))"}]},"cp-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"cp-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"cp-2_prm_3":{"constraints":[{"detail":"at least annually"}]},"cp-3_prm_1":{"constraints":[{"detail":"ten (10) days"}]},"cp-3_prm_2":{"constraints":[{"detail":"at least annually"}]},"cp-4_prm_1":{"constraints":[{"detail":"at least annually"}]},"cp-4_prm_2":{"constraints":[{"detail":"functional exercises"}]},"cp-9_prm_1":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9_prm_2":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9_prm_3":{"constraints":[{"detail":"daily incremental; weekly full"}]},"cp-9.1_prm_1":{"constraints":[{"detail":"at least annually"}]},"ia-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ia-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ia-2.11_prm_1":{"constraints":[{"detail":"FIPS 140-2, NIAP Certification, or NSA approval"}]},"ia-4_prm_2":{"constraints":[{"detail":"IA-4 (d) [at least two years]"}]},"ia-4_prm_3":{"constraints":[{"detail":"ninety days for user identifiers (See additional requirements and guidance)"}]},"ia-4.4_prm_1":{"constraints":[{"detail":"contractors; foreign nationals"}]},"ia-5.1_prm_2":{"constraints":[{"detail":"at least one"}]},"ia-5.1_prm_4":{"constraints":[{"detail":"twenty four (24)"}]},"ia-5.3_prm_1":{"constraints":[{"detail":"All hardware/biometric (multifactor authenticators)"}]},"ia-5.3_prm_2":{"constraints":[{"detail":"in person"}]},"ir-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ir-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ir-2_prm_2":{"constraints":[{"detail":"at least annually"}]},"ir-3_prm_1":{"constraints":[{"detail":"at least annually"}]},"ir-3_prm_2":{"constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},"ir-6_prm_1":{"constraints":[{"detail":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},"ir-8_prm_2":{"constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},"ir-8_prm_3":{"constraints":[{"detail":"at least annually"}]},"ir-8_prm_4":{"constraints":[{"detail":"see additional FedRAMP Requirements and Guidance"}]},"ma-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ma-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ma-3.3_prm_1":{"constraints":[{"detail":"the information owner explicitly authorizing removal of the equipment from the facility"}]},"mp-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"mp-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"mp-3_prm_1":{"constraints":[{"detail":"no removable media types"}]},"mp-4_prm_1":{"constraints":[{"detail":"all types of digital and non-digital media with sensitive information"}]},"mp-4_prm_2":{"constraints":[{"detail":"see additional FedRAMP requirements and guidance"}]},"mp-5_prm_1":{"constraints":[{"detail":"all media with sensitive information"}]},"mp-5_prm_2":{"constraints":[{"detail":"prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container"}]},"mp-6.2_prm_1":{"constraints":[{"detail":"at least annually"}]},"pe-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"pe-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"pe-2_prm_1":{"constraints":[{"detail":"at least annually"}]},"pe-3_prm_2":{"constraints":[{"detail":"CSP defined physical access control systems/devices AND guards"}]},"pe-3_prm_3":{"constraints":[{"detail":"CSP defined physical access control systems/devices"}]},"pe-3_prm_6":{"constraints":[{"detail":"in all circumstances within restricted access area where the information system resides"}]},"pe-3_prm_8":{"constraints":[{"detail":"at least annually"}]},"pe-3_prm_9":{"constraints":[{"detail":"at least annually"}]},"pe-6_prm_1":{"constraints":[{"detail":"at least monthly"}]},"pe-8_prm_1":{"constraints":[{"detail":"for a minimum of one (1) year"}]},"pe-8_prm_2":{"constraints":[{"detail":"at least monthly"}]},"pe-14_prm_1":{"constraints":[{"detail":"consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},"pe-14_prm_2":{"constraints":[{"detail":"continuously"}]},"pe-16_prm_1":{"constraints":[{"detail":"all information system components"}]},"pl-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"pl-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"pl-2_prm_2":{"constraints":[{"detail":"at least annually"}]},"pl-4_prm_1":{"constraints":[{"detail":"At least every 3 years"}]},"pl-8_prm_1":{"constraints":[{"detail":"At least annually or when a significant change occurs"}]},"ps-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ps-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ps-2_prm_1":{"constraints":[{"detail":"at least every three years"}]},"ps-3_prm_1":{"constraints":[{"detail":"for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions"}]},"ps-3.3_prm_1":{"constraints":[{"detail":"personnel screening criteria - as required by specific information"}]},"ps-4_prm_1":{"constraints":[{"detail":"same day"}]},"ps-5_prm_4":{"constraints":[{"detail":"five days of the time period following the formal transfer action (DoD 24 hours)"}]},"ps-6_prm_1":{"constraints":[{"detail":"at least annually"}]},"ps-6_prm_2":{"constraints":[{"detail":"at least annually"}]},"ps-7_prm_2":{"constraints":[{"detail":"organization-defined time period - same day"}]},"ra-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"ra-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"ra-3_prm_2":{"constraints":[{"detail":"security assessment report"}]},"ra-3_prm_3":{"constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},"ra-3_prm_5":{"constraints":[{"detail":"at least every three (3) years or when a significant change occurs"}]},"ra-5_prm_1":{"constraints":[{"detail":"monthly operating system/infrastructure; monthly web applications and databases"}]},"ra-5_prm_2":{"constraints":[{"detail":"high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"}]},"ra-5.2_prm_1":{"constraints":[{"detail":"prior to a new scan"}]},"ra-5.5_prm_1":{"constraints":[{"detail":"operating systems / web applications / databases"}]},"ra-5.5_prm_2":{"constraints":[{"detail":"all scans"}]},"sa-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"sa-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"sa-4.2_prm_1":{"constraints":[{"detail":"to include security-relevant external system interfaces and high-level design"}]},"sa-4.8_prm_1":{"constraints":[{"detail":"at least the minimum requirement as defined in control CA-7"}]},"sa-9_prm_1":{"constraints":[{"detail":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},"sa-9_prm_2":{"constraints":[{"detail":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]},"sa-9.2_prm_1":{"constraints":[{"detail":"all external systems where Federal information is processed or stored"}]},"sa-9.4_prm_2":{"constraints":[{"detail":"all external systems where Federal information is processed or stored"}]},"sa-9.5_prm_1":{"constraints":[{"detail":"information processing, information data, AND information services"}]},"sa-10_prm_1":{"constraints":[{"detail":"development, implementation, AND operation"}]},"sc-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"sc-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"sc-7.4_prm_1":{"constraints":[{"detail":"at least annually"}]},"sc-8_prm_1":{"constraints":[{"detail":"confidentiality AND integrity"}]},"sc-8.1_prm_1":{"constraints":[{"detail":"prevent unauthorized disclosure of information AND detect changes to information"}]},"sc-8.1_prm_2":{"constraints":[{"detail":"a hardened or alarmed carrier Protective Distribution System (PDS)"}]},"sc-10_prm_1":{"constraints":[{"detail":"no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions"}]},"sc-12.2_prm_1":{"constraints":[{"detail":"NIST FIPS-compliant"}]},"sc-13_prm_1":{"constraints":[{"detail":"FIPS-validated or NSA-approved cryptography"}]},"sc-15_prm_1":{"constraints":[{"detail":"no exceptions"}]},"sc-28_prm_1":{"constraints":[{"detail":"confidentiality AND integrity"}]},"si-1_prm_2":{"constraints":[{"detail":"at least every 3 years"}]},"si-1_prm_3":{"constraints":[{"detail":"at least annually"}]},"si-2_prm_1":{"constraints":[{"detail":"within 30 days of release of updates"}]},"si-2.2_prm_1":{"constraints":[{"detail":"at least monthly"}]},"si-3_prm_1":{"constraints":[{"detail":"at least weekly"}]},"si-3_prm_2":{"constraints":[{"detail":"to include endpoints"}]},"si-3_prm_3":{"constraints":[{"detail":"to include alerting administrator or defined security personnel"}]},"si-4.4_prm_1":{"constraints":[{"detail":"continuously"}]},"si-5_prm_1":{"constraints":[{"detail":"to include US-CERT"}]},"si-5_prm_2":{"constraints":[{"detail":"to include system security personnel and administrators with configuration/patch-management responsibilities"}]},"si-6_prm_3":{"constraints":[{"detail":"to include upon system startup and/or restart"}]},"si-6_prm_4":{"constraints":[{"detail":"at least monthly"}]},"si-6_prm_5":{"constraints":[{"detail":"to include system administrators and security personnel"}]},"si-6_prm_7":{"constraints":[{"detail":"to include notification of system administrators and security personnel"}]},"si-7.1_prm_3":{"constraints":[{"detail":"Selection to include security relevant events"}]},"si-7.1_prm_4":{"constraints":[{"detail":"at least monthly"}]}},"alterations":[{"control-id":"ac-1","additions":[{"position":"starting","id-ref":"ac-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-10","additions":[{"position":"starting","id-ref":"ac-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-10_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-10_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-11","additions":[{"position":"starting","id-ref":"ac-11","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-11.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-11.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-11.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-11.1","additions":[{"position":"starting","id-ref":"ac-11.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-12","additions":[{"position":"starting","id-ref":"ac-12","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-14","additions":[{"position":"starting","id-ref":"ac-14.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-14.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-14.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-17","additions":[{"position":"starting","id-ref":"ac-17","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-17.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-17.1","additions":[{"position":"starting","id-ref":"ac-17.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-17.2","additions":[{"position":"starting","id-ref":"ac-17.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-17.3","additions":[{"position":"starting","id-ref":"ac-17.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-17.4","additions":[{"position":"starting","id-ref":"ac-17.4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-17.4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-17.9","additions":[{"position":"starting","id-ref":"ac-17.9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-17.9_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-17.9_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-18","additions":[{"position":"starting","id-ref":"ac-18","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-18.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-18.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-18.1","additions":[{"position":"starting","id-ref":"ac-18.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-19","additions":[{"position":"starting","id-ref":"ac-19","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-19.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-19.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-19.5","additions":[{"position":"starting","id-ref":"ac-19.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-19.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-19.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2","additions":[{"position":"starting","id-ref":"ac-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ac-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.g_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.h_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.i_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.j_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.j_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.k_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-2.1","additions":[{"position":"starting","id-ref":"ac-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.10","additions":[{"position":"ending","id-ref":"ac-2.10_smt","parts":[{"id":"ac-2.10_fr","name":"item","title":"AC-2 (10) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.10_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Required if shared/group accounts are deployed"}]}]},{"position":"starting","id-ref":"ac-2.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.12","additions":[{"position":"ending","id-ref":"ac-2.12_smt","parts":[{"id":"ac-2.12_fr","name":"item","title":"AC-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) Guidance:"}],"prose":"Required for privileged accounts."},{"id":"ac-2.12_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Required for privileged accounts."}]}]},{"position":"starting","id-ref":"ac-2.12","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.12.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.12.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.12.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.12.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.2","additions":[{"position":"starting","id-ref":"ac-2.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.3","additions":[{"position":"starting","id-ref":"ac-2.3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.4","additions":[{"position":"starting","id-ref":"ac-2.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.4_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.5","additions":[{"position":"ending","id-ref":"ac-2.5_smt","parts":[{"id":"ac-2.5_fr","name":"item","title":"AC-2 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Should use a shorter timeframe than AC-12."}]}]},{"position":"starting","id-ref":"ac-2.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-2.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.7","additions":[{"position":"starting","id-ref":"ac-2.7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-2.7.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.7.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-2.9","additions":[{"position":"ending","id-ref":"ac-2.9_smt","parts":[{"id":"ac-2.9_fr","name":"item","title":"AC-2 (9) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-2.9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Required if shared/group accounts are deployed"}]}]},{"position":"starting","id-ref":"ac-2.9_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-2.9_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-20","additions":[{"position":"starting","id-ref":"ac-20.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-20.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-20.1","additions":[{"position":"starting","id-ref":"ac-20.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-20.2","additions":[{"position":"starting","id-ref":"ac-20.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-21","additions":[{"position":"starting","id-ref":"ac-21.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-21.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-21.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-21.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-22","additions":[{"position":"starting","id-ref":"ac-22","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-22.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-22.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-22.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-22.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-3","additions":[{"position":"starting","id-ref":"ac-3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-4","additions":[{"position":"starting","id-ref":"ac-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-4.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-4.21","additions":[{"position":"starting","id-ref":"ac-4.21_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-4.21_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-4.21_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-5","additions":[{"position":"ending","id-ref":"ac-5_smt","parts":[{"id":"ac-5_fr","name":"item","title":"AC-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP."}]}]},{"position":"starting","id-ref":"ac-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ac-6","additions":[{"position":"starting","id-ref":"ac-6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.1","additions":[{"position":"starting","id-ref":"ac-6.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.10","additions":[{"position":"starting","id-ref":"ac-6.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.2","additions":[{"position":"ending","id-ref":"ac-6.2_smt","parts":[{"id":"ac-6.2_fr","name":"item","title":"AC-6 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-6.2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions."}]}]},{"position":"starting","id-ref":"ac-6.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.5","additions":[{"position":"starting","id-ref":"ac-6.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-6.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-6.9","additions":[{"position":"starting","id-ref":"ac-6.9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-6.9_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-7","additions":[{"position":"starting","id-ref":"ac-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ac-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ac-8","additions":[{"position":"ending","id-ref":"ac-8_smt","parts":[{"id":"ac-8_fr","name":"item","title":"AC-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ac-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."},{"id":"ac-8_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."},{"id":"ac-8_fr_smt.3","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"ac-8.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-8.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ac-8.c.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ac-8.c.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"at-1","additions":[{"position":"starting","id-ref":"at-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"at-2","additions":[{"position":"starting","id-ref":"at-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"at-2.2","additions":[{"position":"starting","id-ref":"at-2.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"at-3","additions":[{"position":"starting","id-ref":"at-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"at-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"at-4","additions":[{"position":"starting","id-ref":"at-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"at-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"at-4.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"at-4.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-1","additions":[{"position":"starting","id-ref":"au-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"au-11","additions":[{"position":"ending","id-ref":"au-11_smt","parts":[{"id":"au-11_fr","name":"item","title":"AU-11 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-11_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."}]}]},{"position":"starting","id-ref":"au-11","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-11.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-12","additions":[{"position":"starting","id-ref":"au-12.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-12.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-12.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-12.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-2","additions":[{"position":"ending","id-ref":"au-2_smt","parts":[{"id":"au-2_fr","name":"item","title":"AU-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"au-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-2.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-2.3","additions":[{"position":"ending","id-ref":"au-2.3_smt","parts":[{"id":"au-2.3_fr","name":"item","title":"AU-2 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-2.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO."}]}]},{"position":"starting","id-ref":"au-2.3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-3","additions":[{"position":"starting","id-ref":"au-3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-3.1","additions":[{"position":"ending","id-ref":"au-3.1_smt","parts":[{"id":"au-3.1_fr","name":"item","title":"AU-3 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-3.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO."},{"id":"au-3.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry."}]}]},{"position":"starting","id-ref":"au-3.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-3.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-4","additions":[{"position":"starting","id-ref":"au-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-5","additions":[{"position":"starting","id-ref":"au-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-6","additions":[{"position":"ending","id-ref":"au-6_smt","parts":[{"id":"au-6_fr","name":"item","title":"AU-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."}]}]},{"position":"starting","id-ref":"au-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-6.1","additions":[{"position":"starting","id-ref":"au-6.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-6.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"au-6.3","additions":[{"position":"starting","id-ref":"au-6.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-7","additions":[{"position":"starting","id-ref":"au-7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"au-7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-7.1","additions":[{"position":"starting","id-ref":"au-7.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-7.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-8","additions":[{"position":"starting","id-ref":"au-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-8.1","additions":[{"position":"ending","id-ref":"au-8.1_smt","parts":[{"id":"au-8.1_fr","name":"item","title":"AU-8 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"au-8.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server."},{"id":"au-8.1_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server."},{"id":"au-8.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Synchronization of system clocks improves the accuracy of log analysis."}]}]},{"position":"starting","id-ref":"au-8.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-8.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.1.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-8.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-8.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-9","additions":[{"position":"starting","id-ref":"au-9.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"au-9.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-9.2","additions":[{"position":"starting","id-ref":"au-9.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"au-9.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-9.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"au-9.4","additions":[{"position":"starting","id-ref":"au-9.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"au-9.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-1","additions":[{"position":"starting","id-ref":"ca-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ca-2","additions":[{"position":"ending","id-ref":"ca-2_smt","parts":[{"id":"ca-2_fr","name":"item","title":"CA-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-2.1","additions":[{"position":"ending","id-ref":"ca-2.1_smt","parts":[{"id":"ca-2.1_fr","name":"item","title":"CA-2 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."}]}]},{"position":"starting","id-ref":"ca-2.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-2.2","additions":[{"position":"ending","id-ref":"ca-2.2_smt","parts":[{"id":"ca-2.2_fr","name":"item","title":"CA-2 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-2.2_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"To include 'announced', 'vulnerability scanning'"}]}]},{"position":"starting","id-ref":"ca-2.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.2_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-2.3","additions":[{"position":"starting","id-ref":"ca-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-2.3_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-3","additions":[{"position":"starting","id-ref":"ca-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-3.3","additions":[{"position":"ending","id-ref":"ca-3.3_smt","parts":[{"id":"ca-3.3_fr","name":"item","title":"CA-3 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-3.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document."}]}]},{"position":"starting","id-ref":"ca-3.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-3.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-3.5","additions":[{"position":"ending","id-ref":"ca-3.5_smt","parts":[{"id":"ca-3.5_fr","name":"item","title":"CA-3 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-3.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing"}]}]},{"position":"starting","id-ref":"ca-3.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-3.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-3.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-5","additions":[{"position":"ending","id-ref":"ca-5_smt","parts":[{"id":"ca-5_fr","name":"item","title":"CA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Plan of Action & Milestones (POA&M) must be provided at least monthly."},{"id":"ca-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-6","additions":[{"position":"ending","id-ref":"ca-6_smt","parts":[{"id":"ca-6_fr","name":"item","title":"CA-6(c) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."}]}]},{"position":"starting","id-ref":"ca-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-6.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-6.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-7","additions":[{"position":"ending","id-ref":"ca-7_smt","parts":[{"id":"ca-7_fr","name":"item","title":"CA-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."},{"id":"ca-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.b_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ca-7.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.g_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-7.1","additions":[{"position":"starting","id-ref":"ca-7.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-7.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-8","additions":[{"position":"ending","id-ref":"ca-8_smt","parts":[{"id":"ca-8_fr","name":"item","title":"CA-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ca-8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)\n                  "}]}]},{"position":"starting","id-ref":"ca-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-8_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ca-8.1","additions":[{"position":"starting","id-ref":"ca-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ca-9","additions":[{"position":"starting","id-ref":"ca-9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ca-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ca-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ca-9.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-1","additions":[{"position":"starting","id-ref":"cm-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-1.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-10","additions":[{"position":"starting","id-ref":"cm-10.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-10.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-10.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-10.1","additions":[{"position":"starting","id-ref":"cm-10.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-10.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-11","additions":[{"position":"starting","id-ref":"cm-11.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-11.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-11.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2","additions":[{"position":"starting","id-ref":"cm-2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2.1","additions":[{"position":"starting","id-ref":"cm-2.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-2.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.1.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2.2","additions":[{"position":"starting","id-ref":"cm-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.2_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2.3","additions":[{"position":"starting","id-ref":"cm-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-2.7","additions":[{"position":"starting","id-ref":"cm-2.7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-2.7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-2.7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-3","additions":[{"position":"ending","id-ref":"cm-3_smt","parts":[{"id":"cm-3_fr","name":"item","title":"CM-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-3_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO."},{"id":"cm-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(e) Guidance:"}],"prose":"In accordance with record retention policies and procedures."}]}]},{"position":"starting","id-ref":"cm-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-3.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-3.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-3.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.g_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-3.g_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-4","additions":[{"position":"starting","id-ref":"cm-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5","additions":[{"position":"starting","id-ref":"cm-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-5.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5_obj.7","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5_obj.8","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5.1","additions":[{"position":"starting","id-ref":"cm-5.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5.3","additions":[{"position":"ending","id-ref":"cm-5.3_smt","parts":[{"id":"cm-5.3_fr","name":"item","title":"CM-5 (3) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-5.3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized."}]}]},{"position":"starting","id-ref":"cm-5.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-5.5","additions":[{"position":"starting","id-ref":"cm-5.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-5.5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-5.5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-5.5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cm-6","additions":[{"position":"ending","id-ref":"cm-6_smt","parts":[{"id":"cm-6_fr","name":"item","title":"CM-6(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","properties":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}]}]},{"position":"starting","id-ref":"cm-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cm-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.c_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-6.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-6.1","additions":[{"position":"starting","id-ref":"cm-6.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-6.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7","additions":[{"position":"ending","id-ref":"cm-7_smt","parts":[{"id":"cm-7_fr","name":"item","title":"CM-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."},{"id":"cm-7_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8)."}]}]},{"position":"starting","id-ref":"cm-7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7.1","additions":[{"position":"starting","id-ref":"cm-7.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-7.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-7.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7.2","additions":[{"position":"ending","id-ref":"cm-7.2_smt","parts":[{"id":"cm-7.2_fr","name":"item","title":"CM-7 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-7.2_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run."}]}]},{"position":"starting","id-ref":"cm-7.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-7.5","additions":[{"position":"starting","id-ref":"cm-7.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-7.5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-7.5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-7.5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8","additions":[{"position":"ending","id-ref":"cm-8_smt","parts":[{"id":"cm-8_fr","name":"item","title":"CM-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cm-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}]}]},{"position":"starting","id-ref":"cm-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-8.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.a.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8.1","additions":[{"position":"starting","id-ref":"cm-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8.3","additions":[{"position":"starting","id-ref":"cm-8.3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-8.3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cm-8.3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-8.3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-8.5","additions":[{"position":"starting","id-ref":"cm-8.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cm-9","additions":[{"position":"starting","id-ref":"cm-9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cm-9.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-9.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-9.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-9.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cm-9.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-1","additions":[{"position":"starting","id-ref":"cp-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"cp-10","additions":[{"position":"starting","id-ref":"cp-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-10.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-10.2","additions":[{"position":"starting","id-ref":"cp-10.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2","additions":[{"position":"ending","id-ref":"cp-2_smt","parts":[{"id":"cp-2_fr","name":"item","title":"CP-2 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-2_fr_smt.1","name":"item","properties":[{"name":"label","value":"CP-2 Requirement:"}],"prose":"For JAB authorizations the contingency lists include designated FedRAMP personnel."}]}]},{"position":"starting","id-ref":"cp-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-2.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.6_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.a.6_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-2.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-2.g_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2.1","additions":[{"position":"starting","id-ref":"cp-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-2.2","additions":[{"position":"starting","id-ref":"cp-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-2.3","additions":[{"position":"starting","id-ref":"cp-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-2.8","additions":[{"position":"starting","id-ref":"cp-2.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-3","additions":[{"position":"starting","id-ref":"cp-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-4","additions":[{"position":"ending","id-ref":"cp-4_smt","parts":[{"id":"cp-4_fr","name":"item","title":"CP-4(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-4(a) Requirement:"}],"prose":"The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."}]}]},{"position":"starting","id-ref":"cp-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-4.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-4.1","additions":[{"position":"starting","id-ref":"cp-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-6","additions":[{"position":"starting","id-ref":"cp-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"cp-6.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-6.1","additions":[{"position":"starting","id-ref":"cp-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-6.3","additions":[{"position":"starting","id-ref":"cp-6.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-6.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-7","additions":[{"position":"ending","id-ref":"cp-7_smt","parts":[{"id":"cp-7_fr","name":"item","title":"CP-7 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-7_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines a time period consistent with the recovery time objectives and business impact analysis."}]}]},{"position":"starting","id-ref":"cp-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-7.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-7.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-7.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-7.1","additions":[{"position":"ending","id-ref":"cp-7.1_smt","parts":[{"id":"cp-7.1_fr","name":"item","title":"CP-7 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-7.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant."}]}]},{"position":"starting","id-ref":"cp-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-7.2","additions":[{"position":"starting","id-ref":"cp-7.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-7.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-7.3","additions":[{"position":"starting","id-ref":"cp-7.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-8","additions":[{"position":"ending","id-ref":"cp-8_smt","parts":[{"id":"cp-8_fr","name":"item","title":"CP-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines a time period consistent with the recovery time objectives and business impact analysis."}]}]},{"position":"starting","id-ref":"cp-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-8.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-8.1","additions":[{"position":"starting","id-ref":"cp-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-8.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-8.2","additions":[{"position":"starting","id-ref":"cp-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"cp-9","additions":[{"position":"ending","id-ref":"cp-9_smt","parts":[{"id":"cp-9_fr","name":"item","title":"CP-9 Additional FedRAMP Requirements and Guidance","parts":[{"id":"cp-9_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","properties":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","properties":[{"name":"label","value":"CP-9(b)Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","properties":[{"name":"label","value":"CP-9(c)Requirement:"}],"prose":"The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."}]}]},{"position":"starting","id-ref":"cp-9","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"cp-9.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-9.1","additions":[{"position":"starting","id-ref":"cp-9.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"cp-9.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"cp-9.3","additions":[{"position":"starting","id-ref":"cp-9.3_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.3_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"cp-9.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ia-1","additions":[{"position":"starting","id-ref":"ia-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ia-2","additions":[{"position":"starting","id-ref":"ia-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.1","additions":[{"position":"starting","id-ref":"ia-2.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.11","additions":[{"position":"ending","id-ref":"ia-2.11_smt","parts":[{"id":"ia-2.11_fr","name":"item","title":"IA-2 (11) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.11_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials."}]}]},{"position":"starting","id-ref":"ia-2.11_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.11_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-2.11_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-2.11_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.11_obj.6","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.12","additions":[{"position":"ending","id-ref":"ia-2.12_smt","parts":[{"id":"ia-2.12_fr","name":"item","title":"IA-2 (12) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."}]}]},{"position":"starting","id-ref":"ia-2.12_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-2.12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.2","additions":[{"position":"starting","id-ref":"ia-2.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.3","additions":[{"position":"starting","id-ref":"ia-2.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.5","additions":[{"position":"starting","id-ref":"ia-2.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-2.8","additions":[{"position":"starting","id-ref":"ia-2.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-3","additions":[{"position":"starting","id-ref":"ia-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-4","additions":[{"position":"ending","id-ref":"ia-4_smt","parts":[{"id":"ia-4_fr","name":"item","title":"IA-4(e) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-4_fr_smt.e","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines the time period of inactivity for device identifiers."},{"id":"ia-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."}]}]},{"position":"starting","id-ref":"ia-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-4.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-4.4","additions":[{"position":"starting","id-ref":"ia-4.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-4.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5","additions":[{"position":"ending","id-ref":"ia-5_smt","parts":[{"id":"ia-5_fr","name":"item","title":"IA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."}]}]},{"position":"starting","id-ref":"ia-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.h_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.i_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ia-5.i_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.j_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.1","additions":[{"position":"ending","id-ref":"ia-5.1_smt","parts":[{"id":"ia-5.1_fr","name":"item","title":"IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.1_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"(a) (d) Guidance:"}],"prose":"If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."}]}]},{"position":"starting","id-ref":"ia-5.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ia-5.1.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.a_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.d_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.1.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.1.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.11","additions":[{"position":"starting","id-ref":"ia-5.11_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.11_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.2","additions":[{"position":"starting","id-ref":"ia-5.2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-5.2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.3","additions":[{"position":"starting","id-ref":"ia-5.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.3_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.3_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ia-5.4","additions":[{"position":"ending","id-ref":"ia-5.4_smt","parts":[{"id":"ia-5.4_fr","name":"item","title":"IA-5 (4) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ia-5.4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators."}]}]},{"position":"starting","id-ref":"ia-5.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-5.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.6","additions":[{"position":"starting","id-ref":"ia-5.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-5.7","additions":[{"position":"starting","id-ref":"ia-5.7_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-6","additions":[{"position":"starting","id-ref":"ia-6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-7","additions":[{"position":"starting","id-ref":"ia-7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8","additions":[{"position":"starting","id-ref":"ia-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.1","additions":[{"position":"starting","id-ref":"ia-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ia-8.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.2","additions":[{"position":"starting","id-ref":"ia-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.3","additions":[{"position":"starting","id-ref":"ia-8.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ia-8.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ia-8.4","additions":[{"position":"starting","id-ref":"ia-8.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-1","additions":[{"position":"starting","id-ref":"ir-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ir-2","additions":[{"position":"starting","id-ref":"ir-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-3","additions":[{"position":"ending","id-ref":"ir-3_smt","parts":[{"id":"ir-3_fr","name":"item","title":"IR-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-3_fr_smt.1","name":"item","properties":[{"name":"label","value":"IR-3 -2 Requirement:"}],"prose":"The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing."}]}]},{"position":"starting","id-ref":"ir-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-3_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-3.2","additions":[{"position":"starting","id-ref":"ir-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-4","additions":[{"position":"ending","id-ref":"ir-4_smt","parts":[{"id":"ir-4_fr","name":"item","title":"IR-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-4_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."}]}]},{"position":"starting","id-ref":"ir-4.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-4.1","additions":[{"position":"starting","id-ref":"ir-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-5","additions":[{"position":"starting","id-ref":"ir-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-6","additions":[{"position":"ending","id-ref":"ir-6_smt","parts":[{"id":"ir-6_fr","name":"item","title":"IR-6 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-6_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident Communications Procedure."}]}]},{"position":"starting","id-ref":"ir-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-6.1","additions":[{"position":"starting","id-ref":"ir-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-7","additions":[{"position":"starting","id-ref":"ir-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-7.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-7.1","additions":[{"position":"starting","id-ref":"ir-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-7.2","additions":[{"position":"starting","id-ref":"ir-7.2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-7.2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-8","additions":[{"position":"ending","id-ref":"ir-8_smt","parts":[{"id":"ir-8_fr","name":"item","title":"IR-8 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ir-8_fr_smt.b","name":"item","properties":[{"name":"label","value":"(b) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."},{"id":"ir-8_fr_smt.e","name":"item","properties":[{"name":"label","value":"(e) Requirement:"}],"prose":"The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."}]}]},{"position":"starting","id-ref":"ir-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-8.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.a.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.a.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-8.b_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.b_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-8.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.e_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-8.e_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-8.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-9","additions":[{"position":"starting","id-ref":"ir-9.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ir-9.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ir-9.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-9.1","additions":[{"position":"starting","id-ref":"ir-9.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-9.2","additions":[{"position":"starting","id-ref":"ir-9.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ir-9.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ir-9.3","additions":[{"position":"starting","id-ref":"ir-9.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ir-9.4","additions":[{"position":"starting","id-ref":"ir-9.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ir-9.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-1","additions":[{"position":"starting","id-ref":"ma-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ma-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ma-2","additions":[{"position":"starting","id-ref":"ma-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-2.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-2.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ma-3","additions":[{"position":"starting","id-ref":"ma-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-3.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-3.1","additions":[{"position":"starting","id-ref":"ma-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-3.2","additions":[{"position":"starting","id-ref":"ma-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-3.3","additions":[{"position":"starting","id-ref":"ma-3.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-4","additions":[{"position":"starting","id-ref":"ma-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ma-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-4.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-4.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-4.2","additions":[{"position":"starting","id-ref":"ma-4.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ma-4.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"ma-5","additions":[{"position":"starting","id-ref":"ma-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ma-5.1","additions":[{"position":"ending","id-ref":"ma-5.1_smt","parts":[{"id":"ma-5.1_fr","name":"item","title":"MA-5 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ma-5.1_fr_smt.b","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline"}]}]},{"position":"starting","id-ref":"ma-5.1.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-5.1.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ma-5.1.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ma-6","additions":[{"position":"starting","id-ref":"ma-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-6.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ma-6.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-1","additions":[{"position":"starting","id-ref":"mp-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"mp-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"mp-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"mp-2","additions":[{"position":"starting","id-ref":"mp-2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-3","additions":[{"position":"ending","id-ref":"mp-3_smt","parts":[{"id":"mp-3_fr","name":"item","title":"MP-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-3_fr_gdn.b","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Second parameter not-applicable"}]}]},{"position":"starting","id-ref":"mp-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-3.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-4","additions":[{"position":"ending","id-ref":"mp-4_smt","parts":[{"id":"mp-4_fr","name":"item","title":"MP-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-4_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines controlled areas within facilities where the information and information system reside."}]}]},{"position":"starting","id-ref":"mp-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-4.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-4.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-5","additions":[{"position":"ending","id-ref":"mp-5_smt","parts":[{"id":"mp-5_fr","name":"item","title":"MP-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-5_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB."}]}]},{"position":"starting","id-ref":"mp-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-5.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-5.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-5.4","additions":[{"position":"starting","id-ref":"mp-5.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-6","additions":[{"position":"starting","id-ref":"mp-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"mp-6.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-6.2","additions":[{"position":"ending","id-ref":"mp-6.2_smt","parts":[{"id":"mp-6.2_fr","name":"item","title":"MP-6 (2) Additional FedRAMP Requirements and Guidance","parts":[{"id":"mp-6.2_fr_gdn.a","name":"guidance","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"Equipment and procedures may be tested or validated for effectiveness"}]}]},{"position":"starting","id-ref":"mp-6.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"mp-6.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-6.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-7","additions":[{"position":"starting","id-ref":"mp-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"mp-7_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"mp-7.1","additions":[{"position":"starting","id-ref":"mp-7.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-1","additions":[{"position":"starting","id-ref":"pe-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"pe-10","additions":[{"position":"starting","id-ref":"pe-10.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-10.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-10.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-10.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-11","additions":[{"position":"starting","id-ref":"pe-11_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-12","additions":[{"position":"starting","id-ref":"pe-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-13","additions":[{"position":"starting","id-ref":"pe-13.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-13.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-13.2","additions":[{"position":"starting","id-ref":"pe-13.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-13.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-13.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-13.3","additions":[{"position":"starting","id-ref":"pe-13.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-14","additions":[{"position":"ending","id-ref":"pe-14_smt","parts":[{"id":"pe-14_fr","name":"item","title":"PE-14(a) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pe-14_fr_smt.a","name":"item","properties":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels by dew point."}]}]},{"position":"starting","id-ref":"pe-14.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-14.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.b_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-14.2","additions":[{"position":"starting","id-ref":"pe-14.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-14.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-15","additions":[{"position":"starting","id-ref":"pe-15_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-16","additions":[{"position":"starting","id-ref":"pe-16_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-16_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.5","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.6","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.7","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-16_obj.8","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-16_obj.9","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"pe-17","additions":[{"position":"starting","id-ref":"pe-17.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-17.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-17.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-17.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-2","additions":[{"position":"starting","id-ref":"pe-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pe-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-3","additions":[{"position":"starting","id-ref":"pe-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.e_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-3.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-3.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-4","additions":[{"position":"starting","id-ref":"pe-4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-4_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-5","additions":[{"position":"starting","id-ref":"pe-5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-6","additions":[{"position":"starting","id-ref":"pe-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-6.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-6.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"pe-6.1","additions":[{"position":"starting","id-ref":"pe-6.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-8","additions":[{"position":"starting","id-ref":"pe-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pe-8.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-8.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pe-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pe-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pe-9","additions":[{"position":"starting","id-ref":"pe-9_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-1","additions":[{"position":"starting","id-ref":"pl-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pl-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"pl-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"pl-2","additions":[{"position":"starting","id-ref":"pl-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pl-2.a.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.5_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.a.9_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-2.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-2.3","additions":[{"position":"starting","id-ref":"pl-2.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-2.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"pl-4","additions":[{"position":"starting","id-ref":"pl-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-4.1","additions":[{"position":"starting","id-ref":"pl-4.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-4.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"pl-8","additions":[{"position":"ending","id-ref":"pl-8_smt","parts":[{"id":"pl-8_fr","name":"item","title":"PL-8(b) Additional FedRAMP Requirements and Guidance","parts":[{"id":"pl-8_fr_gdn.b","name":"guidance","properties":[{"name":"label","value":"(b) Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."}]}]},{"position":"starting","id-ref":"pl-8","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"pl-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"pl-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"pl-8.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-1","additions":[{"position":"starting","id-ref":"ps-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ps-2","additions":[{"position":"starting","id-ref":"ps-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-3","additions":[{"position":"starting","id-ref":"ps-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-3.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-3.3","additions":[{"position":"starting","id-ref":"ps-3.3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-3.3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-3.3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-4","additions":[{"position":"starting","id-ref":"ps-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-4.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-4.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-4.f_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.f_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-4.f_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-5","additions":[{"position":"starting","id-ref":"ps-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-5.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-5.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-5.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-6","additions":[{"position":"starting","id-ref":"ps-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-6.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.c.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ps-6.c.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-6.c.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-7","additions":[{"position":"starting","id-ref":"ps-7","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ps-7.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ps-7.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.d_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-7.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ps-8","additions":[{"position":"starting","id-ref":"ps-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ps-8.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-1","additions":[{"position":"starting","id-ref":"ra-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"ra-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"ra-2","additions":[{"position":"starting","id-ref":"ra-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-3","additions":[{"position":"ending","id-ref":"ra-3_smt","parts":[{"id":"ra-3_fr","name":"item","title":"RA-3 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","properties":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include FedRAMP."}]}]},{"position":"starting","id-ref":"ra-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-3.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-3.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5","additions":[{"position":"ending","id-ref":"ra-5_smt.a","parts":[{"id":"ra-5_fr_smt.a","name":"item","title":"RA-5(a) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (a)Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."}]},{"position":"ending","id-ref":"ra-5_smt.e","parts":[{"id":"ra-5_fr_smt.e","name":"item","title":"RA-5(e) Additional FedRAMP Requirements and Guidance","properties":[{"name":"label","value":"RA-5 (e)Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include FedRAMP."}]},{"position":"ending","id-ref":"ra-5_smt","parts":[{"id":"ra-5_fr","name":"item","title":"RA-5 Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}]}]},{"position":"starting","id-ref":"ra-5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.b.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.e_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.1","additions":[{"position":"starting","id-ref":"ra-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.2","additions":[{"position":"starting","id-ref":"ra-5.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-5.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.3","additions":[{"position":"starting","id-ref":"ra-5.3_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"ra-5.3_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.5","additions":[{"position":"starting","id-ref":"ra-5.5","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"ra-5.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"ra-5.5_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.6","additions":[{"position":"ending","id-ref":"ra-5.6_smt","parts":[{"id":"ra-5.6_fr","name":"item","title":"RA-5 (6) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.6_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Include in Continuous Monitoring ISSO digest/report to JAB/AO"}]}]},{"position":"starting","id-ref":"ra-5.6_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"ra-5.8","additions":[{"position":"ending","id-ref":"ra-5.8_smt","parts":[{"id":"ra-5.8_fr","name":"item","title":"RA-5 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"ra-5.8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"This enhancement is required for all high vulnerability scan findings."},{"id":"ra-5.8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability."}]}]},{"position":"starting","id-ref":"ra-5.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-1","additions":[{"position":"starting","id-ref":"sa-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sa-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sa-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"sa-10","additions":[{"position":"ending","id-ref":"sa-10_smt","parts":[{"id":"sa-10_fr","name":"item","title":"SA-10 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-10_fr_smt.1","name":"item","properties":[{"name":"label","value":"(e)  Requirement:"}],"prose":"For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP."}]}]},{"position":"starting","id-ref":"sa-10.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-10.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-10.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-10.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-10.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-10.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-10.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-10.1","additions":[{"position":"starting","id-ref":"sa-10.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-11","additions":[{"position":"starting","id-ref":"sa-11.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-11.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-11.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-11.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-11.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-11.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-11.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-11.1","additions":[{"position":"ending","id-ref":"sa-11.1_smt","parts":[{"id":"sa-11.1_fr","name":"item","title":"SA-11 (1) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-11.1_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."}]}]},{"position":"starting","id-ref":"sa-11.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-11.2","additions":[{"position":"starting","id-ref":"sa-11.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-11.8","additions":[{"position":"ending","id-ref":"sa-11.8_smt","parts":[{"id":"sa-11.8_fr","name":"item","title":"SA-11 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-11.8_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."}]}]},{"position":"starting","id-ref":"sa-11.8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-2","additions":[{"position":"starting","id-ref":"sa-2.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-2.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-2.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-3","additions":[{"position":"starting","id-ref":"sa-3.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-3.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4","additions":[{"position":"ending","id-ref":"sa-4_smt","parts":[{"id":"sa-4_fr","name":"item","title":"SA-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."}]}]},{"position":"starting","id-ref":"sa-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.1","additions":[{"position":"starting","id-ref":"sa-4.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.10","additions":[{"position":"starting","id-ref":"sa-4.10_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.2","additions":[{"position":"starting","id-ref":"sa-4.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-4.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-4.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.8","additions":[{"position":"ending","id-ref":"sa-4.8_smt","parts":[{"id":"sa-4.8_fr","name":"item","title":"SA-4 (8) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sa-4.8_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"CSP must use the same security standards regardless of where the system component or information system service is acquired."}]}]},{"position":"starting","id-ref":"sa-4.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-4.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-4.9","additions":[{"position":"starting","id-ref":"sa-4.9_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"sa-5","additions":[{"position":"starting","id-ref":"sa-5.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-5.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-5.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-8","additions":[{"position":"starting","id-ref":"sa-8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9","additions":[{"position":"starting","id-ref":"sa-9.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9.1","additions":[{"position":"starting","id-ref":"sa-9.1.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sa-9.1.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.1.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9.2","additions":[{"position":"starting","id-ref":"sa-9.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]}]},{"control-id":"sa-9.4","additions":[{"position":"starting","id-ref":"sa-9.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.4_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sa-9.5","additions":[{"position":"starting","id-ref":"sa-9.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sa-9.5_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-1","additions":[{"position":"starting","id-ref":"sc-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sc-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"sc-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"sc-10","additions":[{"position":"starting","id-ref":"sc-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-10_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-12","additions":[{"position":"ending","id-ref":"sc-12_smt","parts":[{"id":"sc-12_fr","name":"item","title":"SC-12 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved and validated cryptography."}]}]},{"position":"starting","id-ref":"sc-12.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-12.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-12.2","additions":[{"position":"starting","id-ref":"sc-12.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-12.3","additions":[{"position":"starting","id-ref":"sc-12.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-13","additions":[{"position":"starting","id-ref":"sc-13","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sc-13_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-13_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-13_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-15","additions":[{"position":"ending","id-ref":"sc-15_smt","parts":[{"id":"sc-15_fr","name":"item","title":"SC-15 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-15_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."}]}]},{"position":"starting","id-ref":"sc-15.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-15.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-15.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-17","additions":[{"position":"starting","id-ref":"sc-17_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-17_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-18","additions":[{"position":"starting","id-ref":"sc-18.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-18.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-18.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-18.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-18.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-18.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-19","additions":[{"position":"starting","id-ref":"sc-19.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-19.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-19.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-19.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-19.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-2","additions":[{"position":"starting","id-ref":"sc-2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-20","additions":[{"position":"starting","id-ref":"sc-20.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-20.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-21","additions":[{"position":"starting","id-ref":"sc-21_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-21_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-21_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-21_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-22","additions":[{"position":"starting","id-ref":"sc-22_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-22_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-23","additions":[{"position":"starting","id-ref":"sc-23_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-28","additions":[{"position":"ending","id-ref":"sc-28_smt","parts":[{"id":"sc-28_fr","name":"item","title":"SC-28 Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-28_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"The organization supports the capability to use cryptographic mechanisms to protect information at rest."}]}]},{"position":"starting","id-ref":"sc-28.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-28.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-28.1","additions":[{"position":"starting","id-ref":"sc-28.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-28.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-28.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-39","additions":[{"position":"starting","id-ref":"sc-39_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-4","additions":[{"position":"starting","id-ref":"sc-4_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-5","additions":[{"position":"starting","id-ref":"sc-5.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-5.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-5.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-6","additions":[{"position":"starting","id-ref":"sc-6_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-6_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-6_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7","additions":[{"position":"starting","id-ref":"sc-7.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.a_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.12","additions":[{"position":"starting","id-ref":"sc-7.12_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.12_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.12_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.13","additions":[{"position":"ending","id-ref":"sc-7.13_smt","parts":[{"id":"sc-7.13_fr","name":"item","title":"SC-7 (13) Additional FedRAMP Requirements and Guidance","parts":[{"id":"sc-7.13_fr_smt.1","name":"item","properties":[{"name":"label","value":"Requirement:"}],"prose":"The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets."}]}]},{"position":"starting","id-ref":"sc-7.13_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.13_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.18","additions":[{"position":"starting","id-ref":"sc-7.18_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.3","additions":[{"position":"starting","id-ref":"sc-7.3_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.4","additions":[{"position":"starting","id-ref":"sc-7.4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"sc-7.4.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.4.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.4.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.4.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.4.e_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.4.e_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.4.e_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.5","additions":[{"position":"starting","id-ref":"sc-7.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"sc-7.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.7","additions":[{"position":"starting","id-ref":"sc-7.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-7.8","additions":[{"position":"starting","id-ref":"sc-7.8_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.8_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-7.8_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-8","additions":[{"position":"starting","id-ref":"sc-8_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"sc-8.1","additions":[{"position":"starting","id-ref":"sc-8.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"sc-8.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-1","additions":[{"position":"starting","id-ref":"si-1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-1.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-1.a.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.a.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-1.b.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-1.b.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"si-10","additions":[{"position":"starting","id-ref":"si-10_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-10_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-11","additions":[{"position":"starting","id-ref":"si-11.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-11.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-11.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-12","additions":[{"position":"starting","id-ref":"si-12_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-16","additions":[{"position":"starting","id-ref":"si-16_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-16_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-2","additions":[{"position":"starting","id-ref":"si-2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-2.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.a_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-2.2","additions":[{"position":"starting","id-ref":"si-2.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-2.2_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.2_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-2.3","additions":[{"position":"starting","id-ref":"si-2.3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-2.3.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-2.3.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]}]},{"control-id":"si-3","additions":[{"position":"starting","id-ref":"si-3","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-3.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-3.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-3.c.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.c.2_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-3.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-3.1","additions":[{"position":"starting","id-ref":"si-3.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-3.2","additions":[{"position":"starting","id-ref":"si-3.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-3.7","additions":[{"position":"starting","id-ref":"si-3.7_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4","additions":[{"position":"ending","id-ref":"si-4_smt","parts":[{"id":"si-4_fr","name":"item","title":"SI-4 Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"See US-CERT Incident Response Reporting Guidelines."}]}]},{"position":"starting","id-ref":"si-4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-4.a.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.a.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.a.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.b.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.b.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.c_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.e_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.f_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}]},{"position":"starting","id-ref":"si-4.g_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.g_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.1","additions":[{"position":"starting","id-ref":"si-4.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.14","additions":[{"position":"starting","id-ref":"si-4.14","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-4.14_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.14_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-4.14_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.16","additions":[{"position":"starting","id-ref":"si-4.16_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.2","additions":[{"position":"starting","id-ref":"si-4.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.23","additions":[{"position":"starting","id-ref":"si-4.23_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.23_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.23_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.4","additions":[{"position":"starting","id-ref":"si-4.4","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-4.4_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.4_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-4.5","additions":[{"position":"ending","id-ref":"si-4.5_smt","parts":[{"id":"si-4.5_fr","name":"item","title":"SI-4 (5) Additional FedRAMP Requirements and Guidance","parts":[{"id":"si-4.5_fr_gdn.1","name":"guidance","properties":[{"name":"label","value":"Guidance:"}],"prose":"In accordance with the incident response plan."}]}]},{"position":"starting","id-ref":"si-4.5_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.5_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-4.5_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-5","additions":[{"position":"starting","id-ref":"si-5.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-5.c_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-5.d_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-6","additions":[{"position":"starting","id-ref":"si-6","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-6.a_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.a_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-6.b_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.b_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.b_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-6.c_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.c_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]},{"position":"starting","id-ref":"si-6.d_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-6.d_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7","additions":[{"position":"starting","id-ref":"si-7_obj.1.a","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7_obj.1.b","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7_obj.1.c","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7.1","additions":[{"position":"starting","id-ref":"si-7.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-7.1_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.1_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.1_obj.3","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.1_obj.4","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-7.7","additions":[{"position":"starting","id-ref":"si-7.7_obj.1","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-7.7_obj.2","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-8","additions":[{"position":"starting","id-ref":"si-8.a_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"}]},{"position":"starting","id-ref":"si-8.b_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-8.1","additions":[{"position":"starting","id-ref":"si-8.1","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-8.1_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]},{"control-id":"si-8.2","additions":[{"position":"starting","id-ref":"si-8.2","properties":[{"name":"CORE","ns":"https://fedramp.gov/ns/oscal","value":""}]},{"position":"starting","id-ref":"si-8.2_obj","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"assessment-objective"},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}]}]}]},"back-matter":{"resources":[{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and Regulations","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-citations"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-acronyms"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","desc":"FedRAMP Logo","properties":[{"name":"conformity","ns":"https://fedramp.gov/ns/oscal","value":"fedramp-logo"},{"name":"keep","value":"always"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}]},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","title":"NIST Special Publication (SP) 800-53","properties":[{"name":"version","ns":"https://fedramp.gov/ns/oscal","value":"Revision 4"},{"name":"keep","value":"always"}],"rlinks":[{"href":"../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","media-type":"application/xml"}]}]}}}
\ No newline at end of file
diff --git a/content/fedramp.gov/json/FedRAMP_MODERATE-baseline_profile.json b/content/fedramp.gov/json/FedRAMP_MODERATE-baseline_profile.json
deleted file mode 100644
index 0d875e1923..0000000000
--- a/content/fedramp.gov/json/FedRAMP_MODERATE-baseline_profile.json
+++ /dev/null
@@ -1,29889 +0,0 @@
-{
-  "profile": {
-    "uuid": "8383f859-be40-453d-9588-c645af5bef6f",
-    "metadata": {
-      "title": "FedRAMP Moderate Baseline",
-      "published": "2020-06-01T00:00:00.000-04:00",
-      "last-modified": "2020-06-01T10:00:00.000-04:00",
-      "version": "1.2",
-      "oscal-version": "1.0.0-milestone3",
-      "roles": [
-        {
-          "id": "parpared-by",
-          "title": "Document creator"
-        },
-        {
-          "id": "fedramp-pmo",
-          "title": "The FedRAMP Program Management Office (PMO)",
-          "short-name": "CSP"
-        },
-        {
-          "id": "fedramp-jab",
-          "title": "The FedRAMP Joint Authorization Board (JAB)",
-          "short-name": "CSP"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Program Management Office",
-          "short-name": "FedRAMP PMO",
-          "links": [
-            {
-              "href": "https://fedramp.gov",
-              "rel": "homepage",
-              "text": ""
-            }
-          ],
-          "addresses": [
-            {
-              "type": "work",
-              "postal-address": [
-                "1800 F St. NW",
-                ""
-              ],
-              "city": "Washington",
-              "state": "DC",
-              "postal-code": "",
-              "country": "US"
-            }
-          ],
-          "email-addresses": [
-            "info@fedramp.gov"
-          ]
-        },
-        {
-          "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4",
-          "type": "organization",
-          "party-name": "Federal Risk and Authorization Management Program: Joint Authorization Board",
-          "short-name": "FedRAMP JAB"
-        }
-      ],
-      "responsible-parties": {
-        "prepared-by": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-pmo": {
-          "party-uuids": [
-            "4aa7b203-318b-4cde-96cf-feaeffc3a4b7"
-          ]
-        },
-        "fedramp-jab": {
-          "party-uuids": [
-            "ca9ba80e-1342-4bfd-b32a-abac468c24b4"
-          ]
-        }
-      }
-    },
-    "imports": [
-      {
-        "href": "#ad005eae-cc63-4e64-9109-3905a9a825e4",
-        "include": {
-          "id-selectors": [
-            {
-              "control-id": "ac-1"
-            },
-            {
-              "control-id": "ac-2"
-            },
-            {
-              "control-id": "ac-2.1"
-            },
-            {
-              "control-id": "ac-2.2"
-            },
-            {
-              "control-id": "ac-2.3"
-            },
-            {
-              "control-id": "ac-2.4"
-            },
-            {
-              "control-id": "ac-2.5"
-            },
-            {
-              "control-id": "ac-2.7"
-            },
-            {
-              "control-id": "ac-2.9"
-            },
-            {
-              "control-id": "ac-2.10"
-            },
-            {
-              "control-id": "ac-2.12"
-            },
-            {
-              "control-id": "ac-3"
-            },
-            {
-              "control-id": "ac-4"
-            },
-            {
-              "control-id": "ac-4.21"
-            },
-            {
-              "control-id": "ac-5"
-            },
-            {
-              "control-id": "ac-6"
-            },
-            {
-              "control-id": "ac-6.1"
-            },
-            {
-              "control-id": "ac-6.2"
-            },
-            {
-              "control-id": "ac-6.5"
-            },
-            {
-              "control-id": "ac-6.9"
-            },
-            {
-              "control-id": "ac-6.10"
-            },
-            {
-              "control-id": "ac-7"
-            },
-            {
-              "control-id": "ac-8"
-            },
-            {
-              "control-id": "ac-10"
-            },
-            {
-              "control-id": "ac-11"
-            },
-            {
-              "control-id": "ac-11.1"
-            },
-            {
-              "control-id": "ac-12"
-            },
-            {
-              "control-id": "ac-14"
-            },
-            {
-              "control-id": "ac-17"
-            },
-            {
-              "control-id": "ac-17.1"
-            },
-            {
-              "control-id": "ac-17.2"
-            },
-            {
-              "control-id": "ac-17.3"
-            },
-            {
-              "control-id": "ac-17.4"
-            },
-            {
-              "control-id": "ac-17.9"
-            },
-            {
-              "control-id": "ac-18"
-            },
-            {
-              "control-id": "ac-18.1"
-            },
-            {
-              "control-id": "ac-19"
-            },
-            {
-              "control-id": "ac-19.5"
-            },
-            {
-              "control-id": "ac-20"
-            },
-            {
-              "control-id": "ac-20.1"
-            },
-            {
-              "control-id": "ac-20.2"
-            },
-            {
-              "control-id": "ac-21"
-            },
-            {
-              "control-id": "ac-22"
-            },
-            {
-              "control-id": "at-1"
-            },
-            {
-              "control-id": "at-2"
-            },
-            {
-              "control-id": "at-2.2"
-            },
-            {
-              "control-id": "at-3"
-            },
-            {
-              "control-id": "at-4"
-            },
-            {
-              "control-id": "au-1"
-            },
-            {
-              "control-id": "au-2"
-            },
-            {
-              "control-id": "au-2.3"
-            },
-            {
-              "control-id": "au-3"
-            },
-            {
-              "control-id": "au-3.1"
-            },
-            {
-              "control-id": "au-4"
-            },
-            {
-              "control-id": "au-5"
-            },
-            {
-              "control-id": "au-6"
-            },
-            {
-              "control-id": "au-6.1"
-            },
-            {
-              "control-id": "au-6.3"
-            },
-            {
-              "control-id": "au-7"
-            },
-            {
-              "control-id": "au-7.1"
-            },
-            {
-              "control-id": "au-8"
-            },
-            {
-              "control-id": "au-8.1"
-            },
-            {
-              "control-id": "au-9"
-            },
-            {
-              "control-id": "au-9.2"
-            },
-            {
-              "control-id": "au-9.4"
-            },
-            {
-              "control-id": "au-11"
-            },
-            {
-              "control-id": "au-12"
-            },
-            {
-              "control-id": "ca-1"
-            },
-            {
-              "control-id": "ca-2"
-            },
-            {
-              "control-id": "ca-2.1"
-            },
-            {
-              "control-id": "ca-2.2"
-            },
-            {
-              "control-id": "ca-2.3"
-            },
-            {
-              "control-id": "ca-3"
-            },
-            {
-              "control-id": "ca-3.3"
-            },
-            {
-              "control-id": "ca-3.5"
-            },
-            {
-              "control-id": "ca-5"
-            },
-            {
-              "control-id": "ca-6"
-            },
-            {
-              "control-id": "ca-7"
-            },
-            {
-              "control-id": "ca-7.1"
-            },
-            {
-              "control-id": "ca-8"
-            },
-            {
-              "control-id": "ca-8.1"
-            },
-            {
-              "control-id": "ca-9"
-            },
-            {
-              "control-id": "cm-1"
-            },
-            {
-              "control-id": "cm-2"
-            },
-            {
-              "control-id": "cm-2.1"
-            },
-            {
-              "control-id": "cm-2.2"
-            },
-            {
-              "control-id": "cm-2.3"
-            },
-            {
-              "control-id": "cm-2.7"
-            },
-            {
-              "control-id": "cm-3"
-            },
-            {
-              "control-id": "cm-4"
-            },
-            {
-              "control-id": "cm-5"
-            },
-            {
-              "control-id": "cm-5.1"
-            },
-            {
-              "control-id": "cm-5.3"
-            },
-            {
-              "control-id": "cm-5.5"
-            },
-            {
-              "control-id": "cm-6"
-            },
-            {
-              "control-id": "cm-6.1"
-            },
-            {
-              "control-id": "cm-7"
-            },
-            {
-              "control-id": "cm-7.1"
-            },
-            {
-              "control-id": "cm-7.2"
-            },
-            {
-              "control-id": "cm-7.5"
-            },
-            {
-              "control-id": "cm-8"
-            },
-            {
-              "control-id": "cm-8.1"
-            },
-            {
-              "control-id": "cm-8.3"
-            },
-            {
-              "control-id": "cm-8.5"
-            },
-            {
-              "control-id": "cm-9"
-            },
-            {
-              "control-id": "cm-10"
-            },
-            {
-              "control-id": "cm-10.1"
-            },
-            {
-              "control-id": "cm-11"
-            },
-            {
-              "control-id": "cp-1"
-            },
-            {
-              "control-id": "cp-2"
-            },
-            {
-              "control-id": "cp-2.1"
-            },
-            {
-              "control-id": "cp-2.2"
-            },
-            {
-              "control-id": "cp-2.3"
-            },
-            {
-              "control-id": "cp-2.8"
-            },
-            {
-              "control-id": "cp-3"
-            },
-            {
-              "control-id": "cp-4"
-            },
-            {
-              "control-id": "cp-4.1"
-            },
-            {
-              "control-id": "cp-6"
-            },
-            {
-              "control-id": "cp-6.1"
-            },
-            {
-              "control-id": "cp-6.3"
-            },
-            {
-              "control-id": "cp-7"
-            },
-            {
-              "control-id": "cp-7.1"
-            },
-            {
-              "control-id": "cp-7.2"
-            },
-            {
-              "control-id": "cp-7.3"
-            },
-            {
-              "control-id": "cp-8"
-            },
-            {
-              "control-id": "cp-8.1"
-            },
-            {
-              "control-id": "cp-8.2"
-            },
-            {
-              "control-id": "cp-9"
-            },
-            {
-              "control-id": "cp-9.1"
-            },
-            {
-              "control-id": "cp-9.3"
-            },
-            {
-              "control-id": "cp-10"
-            },
-            {
-              "control-id": "cp-10.2"
-            },
-            {
-              "control-id": "ia-1"
-            },
-            {
-              "control-id": "ia-2"
-            },
-            {
-              "control-id": "ia-2.1"
-            },
-            {
-              "control-id": "ia-2.2"
-            },
-            {
-              "control-id": "ia-2.3"
-            },
-            {
-              "control-id": "ia-2.5"
-            },
-            {
-              "control-id": "ia-2.8"
-            },
-            {
-              "control-id": "ia-2.11"
-            },
-            {
-              "control-id": "ia-2.12"
-            },
-            {
-              "control-id": "ia-3"
-            },
-            {
-              "control-id": "ia-4"
-            },
-            {
-              "control-id": "ia-4.4"
-            },
-            {
-              "control-id": "ia-5"
-            },
-            {
-              "control-id": "ia-5.1"
-            },
-            {
-              "control-id": "ia-5.2"
-            },
-            {
-              "control-id": "ia-5.3"
-            },
-            {
-              "control-id": "ia-5.4"
-            },
-            {
-              "control-id": "ia-5.6"
-            },
-            {
-              "control-id": "ia-5.7"
-            },
-            {
-              "control-id": "ia-5.11"
-            },
-            {
-              "control-id": "ia-6"
-            },
-            {
-              "control-id": "ia-7"
-            },
-            {
-              "control-id": "ia-8"
-            },
-            {
-              "control-id": "ia-8.1"
-            },
-            {
-              "control-id": "ia-8.2"
-            },
-            {
-              "control-id": "ia-8.3"
-            },
-            {
-              "control-id": "ia-8.4"
-            },
-            {
-              "control-id": "ir-1"
-            },
-            {
-              "control-id": "ir-2"
-            },
-            {
-              "control-id": "ir-3"
-            },
-            {
-              "control-id": "ir-3.2"
-            },
-            {
-              "control-id": "ir-4"
-            },
-            {
-              "control-id": "ir-4.1"
-            },
-            {
-              "control-id": "ir-5"
-            },
-            {
-              "control-id": "ir-6"
-            },
-            {
-              "control-id": "ir-6.1"
-            },
-            {
-              "control-id": "ir-7"
-            },
-            {
-              "control-id": "ir-7.1"
-            },
-            {
-              "control-id": "ir-7.2"
-            },
-            {
-              "control-id": "ir-8"
-            },
-            {
-              "control-id": "ir-9"
-            },
-            {
-              "control-id": "ir-9.1"
-            },
-            {
-              "control-id": "ir-9.2"
-            },
-            {
-              "control-id": "ir-9.3"
-            },
-            {
-              "control-id": "ir-9.4"
-            },
-            {
-              "control-id": "ma-1"
-            },
-            {
-              "control-id": "ma-2"
-            },
-            {
-              "control-id": "ma-3"
-            },
-            {
-              "control-id": "ma-3.1"
-            },
-            {
-              "control-id": "ma-3.2"
-            },
-            {
-              "control-id": "ma-3.3"
-            },
-            {
-              "control-id": "ma-4"
-            },
-            {
-              "control-id": "ma-4.2"
-            },
-            {
-              "control-id": "ma-5"
-            },
-            {
-              "control-id": "ma-5.1"
-            },
-            {
-              "control-id": "ma-6"
-            },
-            {
-              "control-id": "mp-1"
-            },
-            {
-              "control-id": "mp-2"
-            },
-            {
-              "control-id": "mp-3"
-            },
-            {
-              "control-id": "mp-4"
-            },
-            {
-              "control-id": "mp-5"
-            },
-            {
-              "control-id": "mp-5.4"
-            },
-            {
-              "control-id": "mp-6"
-            },
-            {
-              "control-id": "mp-6.2"
-            },
-            {
-              "control-id": "mp-7"
-            },
-            {
-              "control-id": "mp-7.1"
-            },
-            {
-              "control-id": "pe-1"
-            },
-            {
-              "control-id": "pe-2"
-            },
-            {
-              "control-id": "pe-3"
-            },
-            {
-              "control-id": "pe-4"
-            },
-            {
-              "control-id": "pe-5"
-            },
-            {
-              "control-id": "pe-6"
-            },
-            {
-              "control-id": "pe-6.1"
-            },
-            {
-              "control-id": "pe-8"
-            },
-            {
-              "control-id": "pe-9"
-            },
-            {
-              "control-id": "pe-10"
-            },
-            {
-              "control-id": "pe-11"
-            },
-            {
-              "control-id": "pe-12"
-            },
-            {
-              "control-id": "pe-13"
-            },
-            {
-              "control-id": "pe-13.2"
-            },
-            {
-              "control-id": "pe-13.3"
-            },
-            {
-              "control-id": "pe-14"
-            },
-            {
-              "control-id": "pe-14.2"
-            },
-            {
-              "control-id": "pe-15"
-            },
-            {
-              "control-id": "pe-16"
-            },
-            {
-              "control-id": "pe-17"
-            },
-            {
-              "control-id": "pl-1"
-            },
-            {
-              "control-id": "pl-2"
-            },
-            {
-              "control-id": "pl-2.3"
-            },
-            {
-              "control-id": "pl-4"
-            },
-            {
-              "control-id": "pl-4.1"
-            },
-            {
-              "control-id": "pl-8"
-            },
-            {
-              "control-id": "ps-1"
-            },
-            {
-              "control-id": "ps-2"
-            },
-            {
-              "control-id": "ps-3"
-            },
-            {
-              "control-id": "ps-3.3"
-            },
-            {
-              "control-id": "ps-4"
-            },
-            {
-              "control-id": "ps-5"
-            },
-            {
-              "control-id": "ps-6"
-            },
-            {
-              "control-id": "ps-7"
-            },
-            {
-              "control-id": "ps-8"
-            },
-            {
-              "control-id": "ra-1"
-            },
-            {
-              "control-id": "ra-2"
-            },
-            {
-              "control-id": "ra-3"
-            },
-            {
-              "control-id": "ra-5"
-            },
-            {
-              "control-id": "ra-5.1"
-            },
-            {
-              "control-id": "ra-5.2"
-            },
-            {
-              "control-id": "ra-5.3"
-            },
-            {
-              "control-id": "ra-5.5"
-            },
-            {
-              "control-id": "ra-5.6"
-            },
-            {
-              "control-id": "ra-5.8"
-            },
-            {
-              "control-id": "sa-1"
-            },
-            {
-              "control-id": "sa-2"
-            },
-            {
-              "control-id": "sa-3"
-            },
-            {
-              "control-id": "sa-4"
-            },
-            {
-              "control-id": "sa-4.1"
-            },
-            {
-              "control-id": "sa-4.2"
-            },
-            {
-              "control-id": "sa-4.8"
-            },
-            {
-              "control-id": "sa-4.9"
-            },
-            {
-              "control-id": "sa-4.10"
-            },
-            {
-              "control-id": "sa-5"
-            },
-            {
-              "control-id": "sa-8"
-            },
-            {
-              "control-id": "sa-9"
-            },
-            {
-              "control-id": "sa-9.1"
-            },
-            {
-              "control-id": "sa-9.2"
-            },
-            {
-              "control-id": "sa-9.4"
-            },
-            {
-              "control-id": "sa-9.5"
-            },
-            {
-              "control-id": "sa-10"
-            },
-            {
-              "control-id": "sa-10.1"
-            },
-            {
-              "control-id": "sa-11"
-            },
-            {
-              "control-id": "sa-11.1"
-            },
-            {
-              "control-id": "sa-11.2"
-            },
-            {
-              "control-id": "sa-11.8"
-            },
-            {
-              "control-id": "sc-1"
-            },
-            {
-              "control-id": "sc-2"
-            },
-            {
-              "control-id": "sc-4"
-            },
-            {
-              "control-id": "sc-5"
-            },
-            {
-              "control-id": "sc-6"
-            },
-            {
-              "control-id": "sc-7"
-            },
-            {
-              "control-id": "sc-7.3"
-            },
-            {
-              "control-id": "sc-7.4"
-            },
-            {
-              "control-id": "sc-7.5"
-            },
-            {
-              "control-id": "sc-7.7"
-            },
-            {
-              "control-id": "sc-7.8"
-            },
-            {
-              "control-id": "sc-7.12"
-            },
-            {
-              "control-id": "sc-7.13"
-            },
-            {
-              "control-id": "sc-7.18"
-            },
-            {
-              "control-id": "sc-8"
-            },
-            {
-              "control-id": "sc-8.1"
-            },
-            {
-              "control-id": "sc-10"
-            },
-            {
-              "control-id": "sc-12"
-            },
-            {
-              "control-id": "sc-12.2"
-            },
-            {
-              "control-id": "sc-12.3"
-            },
-            {
-              "control-id": "sc-13"
-            },
-            {
-              "control-id": "sc-15"
-            },
-            {
-              "control-id": "sc-17"
-            },
-            {
-              "control-id": "sc-18"
-            },
-            {
-              "control-id": "sc-19"
-            },
-            {
-              "control-id": "sc-20"
-            },
-            {
-              "control-id": "sc-21"
-            },
-            {
-              "control-id": "sc-22"
-            },
-            {
-              "control-id": "sc-23"
-            },
-            {
-              "control-id": "sc-28"
-            },
-            {
-              "control-id": "sc-28.1"
-            },
-            {
-              "control-id": "sc-39"
-            },
-            {
-              "control-id": "si-1"
-            },
-            {
-              "control-id": "si-2"
-            },
-            {
-              "control-id": "si-2.2"
-            },
-            {
-              "control-id": "si-2.3"
-            },
-            {
-              "control-id": "si-3"
-            },
-            {
-              "control-id": "si-3.1"
-            },
-            {
-              "control-id": "si-3.2"
-            },
-            {
-              "control-id": "si-3.7"
-            },
-            {
-              "control-id": "si-4"
-            },
-            {
-              "control-id": "si-4.1"
-            },
-            {
-              "control-id": "si-4.2"
-            },
-            {
-              "control-id": "si-4.4"
-            },
-            {
-              "control-id": "si-4.5"
-            },
-            {
-              "control-id": "si-4.14"
-            },
-            {
-              "control-id": "si-4.16"
-            },
-            {
-              "control-id": "si-4.23"
-            },
-            {
-              "control-id": "si-5"
-            },
-            {
-              "control-id": "si-6"
-            },
-            {
-              "control-id": "si-7"
-            },
-            {
-              "control-id": "si-7.1"
-            },
-            {
-              "control-id": "si-7.7"
-            },
-            {
-              "control-id": "si-8"
-            },
-            {
-              "control-id": "si-8.1"
-            },
-            {
-              "control-id": "si-8.2"
-            },
-            {
-              "control-id": "si-10"
-            },
-            {
-              "control-id": "si-11"
-            },
-            {
-              "control-id": "si-12"
-            },
-            {
-              "control-id": "si-16"
-            }
-          ]
-        }
-      }
-    ],
-    "merge": {
-      "combine": {
-        "method": "keep"
-      },
-      "as-is": true
-    },
-    "modify": {
-      "parameter-settings": {
-        "ac-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ac-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ac-2_prm_4": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ac-2.2_prm_2": {
-          "constraints": [
-            {
-              "detail": "no more than 30 days for temporary and emergency account types"
-            }
-          ]
-        },
-        "ac-2.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "90 days for user accounts"
-            }
-          ]
-        },
-        "ac-6.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "all security functions"
-            }
-          ]
-        },
-        "ac-7_prm_1": {
-          "constraints": [
-            {
-              "detail": "not more than three (3)"
-            }
-          ]
-        },
-        "ac-7_prm_2": {
-          "constraints": [
-            {
-              "detail": "fifteen (15) minutes"
-            }
-          ]
-        },
-        "ac-7_prm_4": {
-          "constraints": [
-            {
-              "detail": "locks the account/node for thirty minutes"
-            }
-          ]
-        },
-        "ac-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "see additional Requirements and Guidance"
-            }
-          ]
-        },
-        "ac-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional Requirements and Guidance]"
-            }
-          ]
-        },
-        "ac-10_prm_2": {
-          "constraints": [
-            {
-              "detail": "three (3) sessions for privileged access and two (2) sessions for non-privileged access"
-            }
-          ]
-        },
-        "ac-11_prm_1": {
-          "constraints": [
-            {
-              "detail": "fifteen (15) minutes"
-            }
-          ]
-        },
-        "ac-17.9_prm_1": {
-          "constraints": [
-            {
-              "detail": "fifteen 15 minutes"
-            }
-          ]
-        },
-        "ac-22_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least quarterly"
-            }
-          ]
-        },
-        "at-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "at-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "at-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "at-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "at-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "At least one year"
-            }
-          ]
-        },
-        "au-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "au-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "au-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"
-            }
-          ]
-        },
-        "au-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event"
-            }
-          ]
-        },
-        "au-2.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "annually or whenever there is a change in the threat environment"
-            }
-          ]
-        },
-        "au-3.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon"
-            }
-          ]
-        },
-        "au-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined actions to be taken (overwrite oldest record)"
-            }
-          ]
-        },
-        "au-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "au-8.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "At least hourly"
-            }
-          ]
-        },
-        "au-8.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "http://tf.nist.gov/tf-cgi/servers.cgi"
-            }
-          ]
-        },
-        "au-9.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "au-11_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least ninety days"
-            }
-          ]
-        },
-        "au-12_prm_1": {
-          "constraints": [
-            {
-              "detail": "all information system and network components where audit capability is deployed/available"
-            }
-          ]
-        },
-        "ca-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ca-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "individuals or roles to include FedRAMP PMO"
-            }
-          ]
-        },
-        "ca-2.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ca-2.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "any FedRAMP Accredited 3PAO"
-            }
-          ]
-        },
-        "ca-2.3_prm_2": {
-          "constraints": [
-            {
-              "detail": "any FedRAMP Accredited 3PAO"
-            }
-          ]
-        },
-        "ca-2.3_prm_3": {
-          "constraints": [
-            {
-              "detail": "the conditions of the JAB/AO in the FedRAMP Repository"
-            }
-          ]
-        },
-        "ca-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually and on input from FedRAMP"
-            }
-          ]
-        },
-        "ca-3.3_prm_2": {
-          "constraints": [
-            {
-              "detail": "Boundary Protections which meet the Trusted Internet Connection (TIC) requirements"
-            }
-          ]
-        },
-        "ca-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "ca-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every three (3) years or when a significant change occurs"
-            }
-          ]
-        },
-        "ca-7_prm_4": {
-          "constraints": [
-            {
-              "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-            }
-          ]
-        },
-        "ca-7_prm_5": {
-          "constraints": [
-            {
-              "detail": "to meet Federal and FedRAMP requirements (See additional guidance)"
-            }
-          ]
-        },
-        "ca-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cm-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "cm-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cm-2.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually or when a significant change occurs"
-            }
-          ]
-        },
-        "cm-2.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include when directed by the JAB"
-            }
-          ]
-        },
-        "cm-5.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least quarterly"
-            }
-          ]
-        },
-        "cm-6_prm_1": {
-          "guidance": [
-            {
-              "prose": "See CM-6(a) Additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "cm-7_prm_1": {
-          "constraints": [
-            {
-              "detail": "United States Government Configuration Baseline (USGCB)"
-            }
-          ]
-        },
-        "cm-7.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "cm-7.5_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least Annually or when there is a change"
-            }
-          ]
-        },
-        "cm-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "cm-8.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "Continuously, using automated mechanisms with a maximum five-minute delay in detection"
-            }
-          ]
-        },
-        "cm-11_prm_3": {
-          "constraints": [
-            {
-              "detail": "Continuously (via CM-7 (5))"
-            }
-          ]
-        },
-        "cp-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "cp-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-2_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "ten (10) days"
-            }
-          ]
-        },
-        "cp-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "cp-4_prm_2": {
-          "constraints": [
-            {
-              "detail": "functional exercises"
-            }
-          ]
-        },
-        "cp-9_prm_1": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9_prm_2": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9_prm_3": {
-          "constraints": [
-            {
-              "detail": "daily incremental; weekly full"
-            }
-          ]
-        },
-        "cp-9.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ia-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ia-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ia-2.11_prm_1": {
-          "constraints": [
-            {
-              "detail": "FIPS 140-2, NIAP Certification, or NSA approval"
-            }
-          ]
-        },
-        "ia-4_prm_2": {
-          "constraints": [
-            {
-              "detail": "IA-4 (d) [at least two years]"
-            }
-          ]
-        },
-        "ia-4_prm_3": {
-          "constraints": [
-            {
-              "detail": "ninety days for user identifiers (See additional requirements and guidance)"
-            }
-          ]
-        },
-        "ia-4.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "contractors; foreign nationals"
-            }
-          ]
-        },
-        "ia-5.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least one"
-            }
-          ]
-        },
-        "ia-5.1_prm_4": {
-          "constraints": [
-            {
-              "detail": "twenty four (24)"
-            }
-          ]
-        },
-        "ia-5.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "All hardware/biometric (multifactor authenticators)"
-            }
-          ]
-        },
-        "ia-5.3_prm_2": {
-          "constraints": [
-            {
-              "detail": "in person"
-            }
-          ]
-        },
-        "ir-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ir-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "ir-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"
-            }
-          ]
-        },
-        "ir-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "ir-8_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ir-8_prm_4": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP Requirements and Guidance"
-            }
-          ]
-        },
-        "ma-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ma-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ma-3.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "the information owner explicitly authorizing removal of the equipment from the facility"
-            }
-          ]
-        },
-        "mp-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "mp-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "mp-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "no removable media types"
-            }
-          ]
-        },
-        "mp-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "all types of digital and non-digital media with sensitive information"
-            }
-          ]
-        },
-        "mp-4_prm_2": {
-          "constraints": [
-            {
-              "detail": "see additional FedRAMP requirements and guidance"
-            }
-          ]
-        },
-        "mp-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "all media with sensitive information"
-            }
-          ]
-        },
-        "mp-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container"
-            }
-          ]
-        },
-        "mp-6.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "pe-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "CSP defined physical access control systems/devices AND guards"
-            }
-          ]
-        },
-        "pe-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "CSP defined physical access control systems/devices"
-            }
-          ]
-        },
-        "pe-3_prm_6": {
-          "constraints": [
-            {
-              "detail": "in all circumstances within restricted access area where the information system resides"
-            }
-          ]
-        },
-        "pe-3_prm_8": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-3_prm_9": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pe-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "pe-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "for a minimum of one (1) year"
-            }
-          ]
-        },
-        "pe-8_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "pe-14_prm_1": {
-          "constraints": [
-            {
-              "detail": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"
-            }
-          ]
-        },
-        "pe-14_prm_2": {
-          "constraints": [
-            {
-              "detail": "continuously"
-            }
-          ]
-        },
-        "pe-16_prm_1": {
-          "constraints": [
-            {
-              "detail": "all information system components"
-            }
-          ]
-        },
-        "pl-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "pl-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pl-2_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "pl-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "At least every 3 years"
-            }
-          ]
-        },
-        "pl-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "At least annually or when a significant change occurs"
-            }
-          ]
-        },
-        "ps-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ps-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least every three years"
-            }
-          ]
-        },
-        "ps-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions"
-            }
-          ]
-        },
-        "ps-3.3_prm_1": {
-          "constraints": [
-            {
-              "detail": "personnel screening criteria - as required by specific information"
-            }
-          ]
-        },
-        "ps-4_prm_1": {
-          "constraints": [
-            {
-              "detail": "same day"
-            }
-          ]
-        },
-        "ps-5_prm_4": {
-          "constraints": [
-            {
-              "detail": "five days of the time period following the formal transfer action (DoD 24 hours)"
-            }
-          ]
-        },
-        "ps-6_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-6_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ps-7_prm_2": {
-          "constraints": [
-            {
-              "detail": "organization-defined time period - same day"
-            }
-          ]
-        },
-        "ra-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "ra-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "ra-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "security assessment report"
-            }
-          ]
-        },
-        "ra-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least every three (3) years or when a significant change occurs"
-            }
-          ]
-        },
-        "ra-3_prm_5": {
-          "constraints": [
-            {
-              "detail": "at least every three (3) years or when a significant change occurs"
-            }
-          ]
-        },
-        "ra-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "monthly operating system/infrastructure; monthly web applications and databases"
-            }
-          ]
-        },
-        "ra-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"
-            }
-          ]
-        },
-        "ra-5.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "prior to a new scan"
-            }
-          ]
-        },
-        "ra-5.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "operating systems / web applications / databases"
-            }
-          ]
-        },
-        "ra-5.5_prm_2": {
-          "constraints": [
-            {
-              "detail": "all scans"
-            }
-          ]
-        },
-        "sa-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "sa-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "sa-4.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "to include security-relevant external system interfaces and high-level design"
-            }
-          ]
-        },
-        "sa-4.8_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least the minimum requirement as defined in control CA-7"
-            }
-          ]
-        },
-        "sa-9_prm_1": {
-          "constraints": [
-            {
-              "detail": "FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"
-            }
-          ]
-        },
-        "sa-9_prm_2": {
-          "constraints": [
-            {
-              "detail": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"
-            }
-          ]
-        },
-        "sa-9.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "all external systems where Federal information is processed or stored"
-            }
-          ]
-        },
-        "sa-9.4_prm_2": {
-          "constraints": [
-            {
-              "detail": "all external systems where Federal information is processed or stored"
-            }
-          ]
-        },
-        "sa-9.5_prm_1": {
-          "constraints": [
-            {
-              "detail": "information processing, information data, AND information services"
-            }
-          ]
-        },
-        "sa-10_prm_1": {
-          "constraints": [
-            {
-              "detail": "development, implementation, AND operation"
-            }
-          ]
-        },
-        "sc-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "sc-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "sc-7.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "sc-8_prm_1": {
-          "constraints": [
-            {
-              "detail": "confidentiality AND integrity"
-            }
-          ]
-        },
-        "sc-8.1_prm_1": {
-          "constraints": [
-            {
-              "detail": "prevent unauthorized disclosure of information AND detect changes to information"
-            }
-          ]
-        },
-        "sc-8.1_prm_2": {
-          "constraints": [
-            {
-              "detail": "a hardened or alarmed carrier Protective Distribution System (PDS)"
-            }
-          ]
-        },
-        "sc-10_prm_1": {
-          "constraints": [
-            {
-              "detail": "no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions"
-            }
-          ]
-        },
-        "sc-12.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "NIST FIPS-compliant"
-            }
-          ]
-        },
-        "sc-13_prm_1": {
-          "constraints": [
-            {
-              "detail": "FIPS-validated or NSA-approved cryptography"
-            }
-          ]
-        },
-        "sc-15_prm_1": {
-          "constraints": [
-            {
-              "detail": "no exceptions"
-            }
-          ]
-        },
-        "sc-28_prm_1": {
-          "constraints": [
-            {
-              "detail": "confidentiality AND integrity"
-            }
-          ]
-        },
-        "si-1_prm_2": {
-          "constraints": [
-            {
-              "detail": "at least every 3 years"
-            }
-          ]
-        },
-        "si-1_prm_3": {
-          "constraints": [
-            {
-              "detail": "at least annually"
-            }
-          ]
-        },
-        "si-2_prm_1": {
-          "constraints": [
-            {
-              "detail": "within 30 days of release of updates"
-            }
-          ]
-        },
-        "si-2.2_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "si-3_prm_1": {
-          "constraints": [
-            {
-              "detail": "at least weekly"
-            }
-          ]
-        },
-        "si-3_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include endpoints"
-            }
-          ]
-        },
-        "si-3_prm_3": {
-          "constraints": [
-            {
-              "detail": "to include alerting administrator or defined security personnel"
-            }
-          ]
-        },
-        "si-4.4_prm_1": {
-          "constraints": [
-            {
-              "detail": "continuously"
-            }
-          ]
-        },
-        "si-5_prm_1": {
-          "constraints": [
-            {
-              "detail": "to include US-CERT"
-            }
-          ]
-        },
-        "si-5_prm_2": {
-          "constraints": [
-            {
-              "detail": "to include system security personnel and administrators with configuration/patch-management responsibilities"
-            }
-          ]
-        },
-        "si-6_prm_3": {
-          "constraints": [
-            {
-              "detail": "to include upon system startup and/or restart"
-            }
-          ]
-        },
-        "si-6_prm_4": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        },
-        "si-6_prm_5": {
-          "constraints": [
-            {
-              "detail": "to include system administrators and security personnel"
-            }
-          ]
-        },
-        "si-6_prm_7": {
-          "constraints": [
-            {
-              "detail": "to include notification of system administrators and security personnel"
-            }
-          ]
-        },
-        "si-7.1_prm_3": {
-          "constraints": [
-            {
-              "detail": "Selection to include security relevant events"
-            }
-          ]
-        },
-        "si-7.1_prm_4": {
-          "constraints": [
-            {
-              "detail": "at least monthly"
-            }
-          ]
-        }
-      },
-      "alterations": [
-        {
-          "control-id": "ac-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-10_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-10_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-11",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-11.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-11.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-11.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-11.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-11.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-12",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-14",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-14.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-14.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-14.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-17.9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-17.9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.9_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-17.9_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-18",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-18.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-18.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-18.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-18.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-19",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-19",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-19.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-19.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-19.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.g_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.h_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.i_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.j_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.j_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.k_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.10",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.10_smt",
-              "parts": [
-                {
-                  "id": "ac-2.10_fr",
-                  "name": "item",
-                  "title": "AC-2 (10) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.10_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Required if shared/group accounts are deployed"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.12",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.12_smt",
-              "parts": [
-                {
-                  "id": "ac-2.12_fr",
-                  "name": "item",
-                  "title": "AC-2 (12) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Guidance:"
-                        }
-                      ],
-                      "prose": "Required for privileged accounts."
-                    },
-                    {
-                      "id": "ac-2.12_fr_gdn.2",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Guidance:"
-                        }
-                      ],
-                      "prose": "Required for privileged accounts."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.12.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.4_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.5_smt",
-              "parts": [
-                {
-                  "id": "ac-2.5_fr",
-                  "name": "item",
-                  "title": "AC-2 (5) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Should use a shorter timeframe than AC-12."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-2.7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.7.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.7.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-2.9",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-2.9_smt",
-              "parts": [
-                {
-                  "id": "ac-2.9_fr",
-                  "name": "item",
-                  "title": "AC-2 (9) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-2.9_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Required if shared/group accounts are deployed"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.9_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-2.9_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-20",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-20.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-20.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-20.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-20.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-20.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-20.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-21",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-21.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-21.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-21.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-21.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-22",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-22",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-22.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-4.21",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-4.21_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.21_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-4.21_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-5_smt",
-              "parts": [
-                {
-                  "id": "ac-5_fr",
-                  "name": "item",
-                  "title": "AC-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac.5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-6.2_smt",
-              "parts": [
-                {
-                  "id": "ac-6.2_fr",
-                  "name": "item",
-                  "title": "AC-6 (2) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-6.2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-6.9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-6.9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-6.9_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ac-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ac-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ac-8_smt",
-              "parts": [
-                {
-                  "id": "ac-8_fr",
-                  "name": "item",
-                  "title": "AC-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ac-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO."
-                    },
-                    {
-                      "id": "ac-8_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."
-                    },
-                    {
-                      "id": "ac-8_fr_smt.3",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ac-8.c.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-2.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "at-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "at-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "at-4.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-11",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-11_smt",
-              "parts": [
-                {
-                  "id": "au-11_fr",
-                  "name": "item",
-                  "title": "AU-11 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-11_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-12.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-12.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-2_smt",
-              "parts": [
-                {
-                  "id": "au-2_fr",
-                  "name": "item",
-                  "title": "AU-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-2_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-2.3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-2.3_smt",
-              "parts": [
-                {
-                  "id": "au-2.3_fr",
-                  "name": "item",
-                  "title": "AU-2 (3) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-2.3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-3.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-3.1_smt",
-              "parts": [
-                {
-                  "id": "au-3.1_fr",
-                  "name": "item",
-                  "title": "AU-3 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-3.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO."
-                    },
-                    {
-                      "id": "au-3.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-3.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-3.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-6_smt",
-              "parts": [
-                {
-                  "id": "au-6_fr",
-                  "name": "item",
-                  "title": "AU-6 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-6.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-6.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-6.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-6.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-7.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-7.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-8.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "au-8.1_smt",
-              "parts": [
-                {
-                  "id": "au-8.1_fr",
-                  "name": "item",
-                  "title": "AU-8 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "au-8.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server."
-                    },
-                    {
-                      "id": "au-8.1_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server."
-                    },
-                    {
-                      "id": "au-8.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Synchronization of system clocks improves the accuracy of log analysis."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-8.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-9.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-9.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "au-9.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "au-9.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "au-9.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-2_smt",
-              "parts": [
-                {
-                  "id": "ca-2_fr",
-                  "name": "item",
-                  "title": "CA-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-2.1_smt",
-              "parts": [
-                {
-                  "id": "ca-2.1_fr",
-                  "name": "item",
-                  "title": "CA-2 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2.2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-2.2_smt",
-              "parts": [
-                {
-                  "id": "ca-2.2_fr",
-                  "name": "item",
-                  "title": "CA-2 (2) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-2.2_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "To include 'announced', 'vulnerability scanning'"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.2_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-2.3_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-3.3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-3.3_smt",
-              "parts": [
-                {
-                  "id": "ca-3.3_fr",
-                  "name": "item",
-                  "title": "CA-3 (3) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-3.3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-3.5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-3.5_smt",
-              "parts": [
-                {
-                  "id": "ca-3.5_fr",
-                  "name": "item",
-                  "title": "CA-3 (5) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-3.5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-3.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-5_smt",
-              "parts": [
-                {
-                  "id": "ca-5_fr",
-                  "name": "item",
-                  "title": "CA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-5_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Plan of Action & Milestones (POA&M) must be provided at least monthly."
-                    },
-                    {
-                      "id": "ca-5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-6_smt",
-              "parts": [
-                {
-                  "id": "ca-6_fr",
-                  "name": "item",
-                  "title": "CA-6(c) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-6.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-7",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-7_smt",
-              "parts": [
-                {
-                  "id": "ca-7_fr",
-                  "name": "item",
-                  "title": "CA-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-7_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually."
-                    },
-                    {
-                      "id": "ca-7_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."
-                    },
-                    {
-                      "id": "ca-7_fr_gdn.2",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.b_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.g_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-7.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-7.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ca-8_smt",
-              "parts": [
-                {
-                  "id": "ca-8_fr",
-                  "name": "item",
-                  "title": "CA-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ca-8_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)\n                  "
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-8_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ca-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ca-9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ca-9.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-10.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-10.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-10.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-10.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-10.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-10.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-11.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-11.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.1.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.2_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-2.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-2.7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-3_smt",
-              "parts": [
-                {
-                  "id": "cm-3_fr",
-                  "name": "item",
-                  "title": "CM-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-3_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO."
-                    },
-                    {
-                      "id": "cm-3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(e) Guidance:"
-                        }
-                      ],
-                      "prose": "In accordance with record retention policies and procedures."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.g_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-3.g_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5_obj.7",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5_obj.8",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-5.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5.3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-5.3_smt",
-              "parts": [
-                {
-                  "id": "cm-5.3_fr",
-                  "name": "item",
-                  "title": "CM-5 (3) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-5.3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-5.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-5.5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-6_smt",
-              "parts": [
-                {
-                  "id": "cm-6_fr",
-                  "name": "item",
-                  "title": "CM-6(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement 1:"
-                        }
-                      ],
-                      "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "
-                    },
-                    {
-                      "id": "cm-6_fr_smt.2",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement 2:"
-                        }
-                      ],
-                      "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."
-                    },
-                    {
-                      "id": "cm-6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.c_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-6.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-6.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-7_smt",
-              "parts": [
-                {
-                  "id": "cm-7_fr",
-                  "name": "item",
-                  "title": "CM-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-7_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available."
-                    },
-                    {
-                      "id": "cm-7_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7.2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-7.2_smt",
-              "parts": [
-                {
-                  "id": "cm-7.2_fr",
-                  "name": "item",
-                  "title": "CM-7 (2) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-7.2_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-7.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-7.5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cm-8_smt",
-              "parts": [
-                {
-                  "id": "cm-8_fr",
-                  "name": "item",
-                  "title": "CM-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cm-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Must be provided at least monthly or when there is a change."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.a.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-8.3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-8.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-8.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cm-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cm-9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cm-9.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-10.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-10.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-10.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-2_smt",
-              "parts": [
-                {
-                  "id": "cp-2_fr",
-                  "name": "item",
-                  "title": "CP-2 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-2_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-2 Requirement:"
-                        }
-                      ],
-                      "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.6_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.a.6_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.g_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-2.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-2.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-4_smt",
-              "parts": [
-                {
-                  "id": "cp-4_fr",
-                  "name": "item",
-                  "title": "CP-4(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-4_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-4(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-6.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-6.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-6.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-6.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-7_smt",
-              "parts": [
-                {
-                  "id": "cp-7_fr",
-                  "name": "item",
-                  "title": "CP-7 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-7_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-7.1_smt",
-              "parts": [
-                {
-                  "id": "cp-7.1_fr",
-                  "name": "item",
-                  "title": "CP-7 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-7.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-7.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-7.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-7.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-7.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-8_smt",
-              "parts": [
-                {
-                  "id": "cp-8_fr",
-                  "name": "item",
-                  "title": "CP-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a time period consistent with the recovery time objectives and business impact analysis."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-8.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-8.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "cp-9_smt",
-              "parts": [
-                {
-                  "id": "cp-9_fr",
-                  "name": "item",
-                  "title": "CP-9 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "cp-9_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.b",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(b)Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."
-                    },
-                    {
-                      "id": "cp-9_fr_smt.c",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "CP-9(c)Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-9.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "cp-9.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "cp-9.3_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.3_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "cp-9.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.11",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-2.11_smt",
-              "parts": [
-                {
-                  "id": "ia-2.11_fr",
-                  "name": "item",
-                  "title": "IA-2 (11) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-2.11_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.11_obj.6",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.12",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-2.12_smt",
-              "parts": [
-                {
-                  "id": "ia-2.12_fr",
-                  "name": "item",
-                  "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-2.12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.12_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-2.12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-2.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-2.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-4_smt",
-              "parts": [
-                {
-                  "id": "ia-4_fr",
-                  "name": "item",
-                  "title": "IA-4(e) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-4_fr_smt.e",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines the time period of inactivity for device identifiers."
-                    },
-                    {
-                      "id": "ia-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-4.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-4.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-4.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-5_smt",
-              "parts": [
-                {
-                  "id": "ia-5_fr",
-                  "name": "item",
-                  "title": "IA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-5_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.h_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.i_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.i_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.j_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-5.1_smt",
-              "parts": [
-                {
-                  "id": "ia-5.1_fr",
-                  "name": "item",
-                  "title": "IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-5.1_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) (d) Guidance:"
-                        }
-                      ],
-                      "prose": "If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.a_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.d_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.1.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.11_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.11_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.3_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ia-5.4_smt",
-              "parts": [
-                {
-                  "id": "ia-5.4_fr",
-                  "name": "item",
-                  "title": "IA-5 (4) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ia-5.4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-5.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-5.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-5.7_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-8.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ia-8.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ia-8.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ia-8.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-3_smt",
-              "parts": [
-                {
-                  "id": "ir-3_fr",
-                  "name": "item",
-                  "title": "IR-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-3_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "IR-3 -2 Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-3_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-3.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-4_smt",
-              "parts": [
-                {
-                  "id": "ir-4_fr",
-                  "name": "item",
-                  "title": "IR-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-4_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-6_smt",
-              "parts": [
-                {
-                  "id": "ir-6_fr",
-                  "name": "item",
-                  "title": "IR-6 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-6_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Report security incident information according to FedRAMP Incident Communications Procedure."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-7.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-7.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-7.2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-7.2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ir-8_smt",
-              "parts": [
-                {
-                  "id": "ir-8_fr",
-                  "name": "item",
-                  "title": "IR-8 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ir-8_fr_smt.b",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                    },
-                    {
-                      "id": "ir-8_fr_smt.e",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(e) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.a.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-8.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ir-9.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ir-9.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ir-9.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-2.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-3.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-3.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-3.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-3.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-3.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-4.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-4.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-5.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ma-5.1_smt",
-              "parts": [
-                {
-                  "id": "ma-5.1_fr",
-                  "name": "item",
-                  "title": "MA-5 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ma-5.1_fr_smt.b",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.1.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.1.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-5.1.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ma-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ma-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-6.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ma-6.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "mp-3_smt",
-              "parts": [
-                {
-                  "id": "mp-3_fr",
-                  "name": "item",
-                  "title": "MP-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "mp-3_fr_gdn.b",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Guidance:"
-                        }
-                      ],
-                      "prose": "Second parameter not-applicable"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-3.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "mp-4_smt",
-              "parts": [
-                {
-                  "id": "mp-4_fr",
-                  "name": "item",
-                  "title": "MP-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "mp-4_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines controlled areas within facilities where the information and information system reside."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "mp-5_smt",
-              "parts": [
-                {
-                  "id": "mp-5_fr",
-                  "name": "item",
-                  "title": "MP-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "mp-5_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-5.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-5.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-5.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-6.2",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "mp-6.2_smt",
-              "parts": [
-                {
-                  "id": "mp-6.2_fr",
-                  "name": "item",
-                  "title": "MP-6 (2) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "mp-6.2_fr_gdn.a",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "Equipment and procedures may be tested or validated for effectiveness"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-6.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "mp-7_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "mp-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "mp-7.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-10.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-10.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-10.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-10.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-11_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-13.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-13.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-13.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-13.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-14",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "pe-14_smt",
-              "parts": [
-                {
-                  "id": "pe-14_fr",
-                  "name": "item",
-                  "title": "PE-14(a) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "pe-14_fr_smt.a",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(a) Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider measures temperature at server inlets and humidity levels by dew point."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.b_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-14.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-14.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-14.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-15",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-15_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-16",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.5",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.6",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.7",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.8",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-16_obj.9",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-17",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-17.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-17.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-17.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-17.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.e_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-3.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-4_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-6.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-6.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-6.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pe-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pe-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pe-9_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.5_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.a.9_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-2.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-2.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "pl-4.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-4.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "pl-8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "pl-8_smt",
-              "parts": [
-                {
-                  "id": "pl-8_fr",
-                  "name": "item",
-                  "title": "PL-8(b) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "pl-8_fr_gdn.b",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(b) Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "pl-8.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-3.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-3.3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-3.3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-4.f_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-5.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-6.c.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-7",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.d_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-7.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ps-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ps-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ps-8.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-3",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-3_smt",
-              "parts": [
-                {
-                  "id": "ra-3_fr",
-                  "name": "item",
-                  "title": "RA-3 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-3_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"
-                    },
-                    {
-                      "id": "ra-3_fr_smt.d",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "RA-3 (d) Requirement:"
-                        }
-                      ],
-                      "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-3.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-5_smt.a",
-              "parts": [
-                {
-                  "id": "ra-5_fr_smt.a",
-                  "name": "item",
-                  "title": "RA-5(a) Additional FedRAMP Requirements and Guidance",
-                  "properties": [
-                    {
-                      "name": "label",
-                      "value": "RA-5 (a)Requirement:"
-                    }
-                  ],
-                  "prose": "An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually."
-                }
-              ]
-            },
-            {
-              "position": "ending",
-              "id-ref": "ra-5_smt.e",
-              "parts": [
-                {
-                  "id": "ra-5_fr_smt.e",
-                  "name": "item",
-                  "title": "RA-5(e) Additional FedRAMP Requirements and Guidance",
-                  "properties": [
-                    {
-                      "name": "label",
-                      "value": "RA-5 (e)Requirement:"
-                    }
-                  ],
-                  "prose": "To include all Authorizing Officials; for JAB authorizations to include FedRAMP."
-                }
-              ]
-            },
-            {
-              "position": "ending",
-              "id-ref": "ra-5_smt",
-              "parts": [
-                {
-                  "id": "ra-5_fr",
-                  "name": "item",
-                  "title": "RA-5 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "\n                     **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.b.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.e_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.3_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.3_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "ra-5.5",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.5_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.6",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-5.6_smt",
-              "parts": [
-                {
-                  "id": "ra-5.6_fr",
-                  "name": "item",
-                  "title": "RA-5 (6) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5.6_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Include in Continuous Monitoring ISSO digest/report to JAB/AO"
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.6_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "ra-5.8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "ra-5.8_smt",
-              "parts": [
-                {
-                  "id": "ra-5.8_fr",
-                  "name": "item",
-                  "title": "RA-5 (8) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "ra-5.8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "This enhancement is required for all high vulnerability scan findings."
-                    },
-                    {
-                      "id": "ra-5.8_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "ra-5.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-10",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-10_smt",
-              "parts": [
-                {
-                  "id": "sa-10_fr",
-                  "name": "item",
-                  "title": "SA-10 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-10_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "(e)  Requirement:"
-                        }
-                      ],
-                      "prose": "For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-10.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-10.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-10.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-11.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-11.1",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-11.1_smt",
-              "parts": [
-                {
-                  "id": "sa-11.1_fr",
-                  "name": "item",
-                  "title": "SA-11 (1) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-11.1_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-11.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-11.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-11.8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-11.8_smt",
-              "parts": [
-                {
-                  "id": "sa-11.8_fr",
-                  "name": "item",
-                  "title": "SA-11 (8) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-11.8_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-11.8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-2.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-2.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-2.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-3.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-3.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-4_smt",
-              "parts": [
-                {
-                  "id": "sa-4_fr",
-                  "name": "item",
-                  "title": "SA-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html)."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.10_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.8",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sa-4.8_smt",
-              "parts": [
-                {
-                  "id": "sa-4.8_fr",
-                  "name": "item",
-                  "title": "SA-4 (8) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sa-4.8_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "CSP must use the same security standards regardless of where the system component or information system service is acquired."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-4.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-4.9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-4.9_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-5.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-5.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.1.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.1.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.1.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.4_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sa-9.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sa-9.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sa-9.5_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-10_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-12_smt",
-              "parts": [
-                {
-                  "id": "sc-12_fr",
-                  "name": "item",
-                  "title": "SC-12 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-12_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "Federally approved and validated cryptography."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-12.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-12.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-12.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-12.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-12.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-13",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-13",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-13_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-15",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-15_smt",
-              "parts": [
-                {
-                  "id": "sc-15_fr",
-                  "name": "item",
-                  "title": "SC-15 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-15_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-15.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-17",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-17_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-17_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-18.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-18.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-19",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-19.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-19.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-19.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-19.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-19.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-20",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-20.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-20.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-21",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-21_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-22",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-22_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-22_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-23",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-23_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-28",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-28_smt",
-              "parts": [
-                {
-                  "id": "sc-28_fr",
-                  "name": "item",
-                  "title": "SC-28 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-28_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-28.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-28.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-28.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-28.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-28.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-28.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-39",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-39_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-4_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-5.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-5.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-5.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-6_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-6_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-6_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.a_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.12_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.12_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.12_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.13",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "sc-7.13_smt",
-              "parts": [
-                {
-                  "id": "sc-7.13_fr",
-                  "name": "item",
-                  "title": "SC-7 (13) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "sc-7.13_fr_smt.1",
-                      "name": "item",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Requirement:"
-                        }
-                      ],
-                      "prose": "The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.13_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.13_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.18",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.18_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.3_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.e_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.e_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.4.e_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-7.8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-7.8_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.8_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-7.8_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-8_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "sc-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "sc-8.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "sc-8.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.a.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-1.b.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-10",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-10_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-10_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-11",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-11.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-11.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-11.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-12",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-12_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-16",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-16_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-16_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.a_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-2.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.2_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.2_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-2.3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-2.3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.3.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-2.3.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.c.2_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-3.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-3.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-3.7_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "si-4_smt",
-              "parts": [
-                {
-                  "id": "si-4_fr",
-                  "name": "item",
-                  "title": "SI-4 Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "si-4_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "See US-CERT Incident Response Reporting Guidelines."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.a.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.b.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.b.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.c_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.e_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.f_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.g_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.14",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.14",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.14_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.14_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.14_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.16",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.16_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.23",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.23_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.23_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.23_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.4",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-4.4",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.4_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.4_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-4.5",
-          "additions": [
-            {
-              "position": "ending",
-              "id-ref": "si-4.5_smt",
-              "parts": [
-                {
-                  "id": "si-4.5_fr",
-                  "name": "item",
-                  "title": "SI-4 (5) Additional FedRAMP Requirements and Guidance",
-                  "parts": [
-                    {
-                      "id": "si-4.5_fr_gdn.1",
-                      "name": "guidance",
-                      "properties": [
-                        {
-                          "name": "label",
-                          "value": "Guidance:"
-                        }
-                      ],
-                      "prose": "In accordance with the incident response plan."
-                    }
-                  ]
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.5_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.5_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-4.5_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-5",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-5.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.c_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-5.d_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-6",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-6",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.a_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.a_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.b_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.b_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.b_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.c_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.c_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.d_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-6.d_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7_obj.1.a",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7_obj.1.b",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7_obj.1.c",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.1_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.1_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.1_obj.3",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.1_obj.4",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-7.7",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-7.7_obj.1",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-7.7_obj.2",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-8",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-8.a_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-8.b_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-8.1",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-8.1",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-8.1_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "control-id": "si-8.2",
-          "additions": [
-            {
-              "position": "starting",
-              "id-ref": "si-8.2",
-              "properties": [
-                {
-                  "name": "CORE",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": ""
-                }
-              ]
-            },
-            {
-              "position": "starting",
-              "id-ref": "si-8.2_obj",
-              "properties": [
-                {
-                  "name": "conformity",
-                  "ns": "https://fedramp.gov/ns/oscal",
-                  "value": "assessment-objective"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "EXAMINE"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "INTERVIEW"
-                },
-                {
-                  "name": "method",
-                  "class": "fedramp",
-                  "value": "TEST"
-                }
-              ]
-            }
-          ]
-        }
-      ]
-    },
-    "back-matter": {
-      "resources": [
-        {
-          "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48",
-          "title": "FedRAMP Applicable Laws and Regulations",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-citations"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-            }
-          ]
-        },
-        {
-          "uuid": "1a23a771-d481-4594-9a1a-71d584fa4123",
-          "title": "FedRAMP Master Acronym and Glossary",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-acronyms"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-            }
-          ]
-        },
-        {
-          "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f",
-          "desc": "FedRAMP Logo",
-          "properties": [
-            {
-              "name": "conformity",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "fedramp-logo"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png"
-            }
-          ]
-        },
-        {
-          "uuid": "ad005eae-cc63-4e64-9109-3905a9a825e4",
-          "title": "NIST Special Publication (SP) 800-53",
-          "properties": [
-            {
-              "name": "version",
-              "ns": "https://fedramp.gov/ns/oscal",
-              "value": "Revision 4"
-            },
-            {
-              "name": "keep",
-              "value": "always"
-            }
-          ],
-          "rlinks": [
-            {
-              "href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-              "media-type": "application/xml"
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
diff --git a/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml b/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml
deleted file mode 100644
index 85f93f136d..0000000000
--- a/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml
+++ /dev/null
@@ -1,42714 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="a8ace2a3-4082-40eb-be07-0b0cd7bb4c15">
-   <metadata>
-      <title>FedRAMP High Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <prop name="resolution-timestamp">2020-08-31T17:38:24.694738Z</prop>
-      <link rel="resolution-source" href="FedRAMP_HIGH-baseline_profile.xml">FedRAMP High Baseline</link>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage"/>
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <group class="family" id="ac">
-      <title>Access Control</title>
-      <control class="SP800-53" id="ac-1">
-         <title>Access Control Policy and Procedures</title>
-         <param id="ac-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ac-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-1</prop>
-         <prop name="sort-id">ac-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ac-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ac-1_prm_1"/>:</p>
-               <part id="ac-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An access control policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ac-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the access control policy and
-                     associated access controls; and</p>
-               </part>
-            </part>
-            <part id="ac-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ac-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Access control policy <insert param-id="ac-1_prm_2"/>; and</p>
-               </part>
-               <part id="ac-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Access control procedures <insert param-id="ac-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ac-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-1.a_obj" name="objective">
-               <prop name="label">AC-1(a)</prop>
-               <part id="ac-1.a.1_obj" name="objective">
-                  <prop name="label">AC-1(a)(1)</prop>
-                  <part id="ac-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(1)[1]</prop>
-                     <p>develops and documents an access control policy that addresses:</p>
-                     <part id="ac-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ac-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the access control policy are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AC-1(a)(1)[3]</prop>
-                     <p>disseminates the access control policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ac-1.a.2_obj" name="objective">
-                  <prop name="label">AC-1(a)(2)</prop>
-                  <part id="ac-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        access control policy and associated access control controls;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-1.b_obj" name="objective">
-               <prop name="label">AC-1(b)</prop>
-               <part id="ac-1.b.1_obj" name="objective">
-                  <prop name="label">AC-1(b)(1)</prop>
-                  <part id="ac-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        policy;</p>
-                  </part>
-                  <part id="ac-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current access control policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ac-1.b.2_obj" name="objective">
-                  <prop name="label">AC-1(b)(2)</prop>
-                  <part id="ac-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        procedures; and</p>
-                  </part>
-                  <part id="ac-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current access control procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-2">
-         <title>Account Management</title>
-         <param id="ac-2_prm_1">
-            <label>organization-defined information system account types</label>
-         </param>
-         <param id="ac-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-2_prm_3">
-            <label>organization-defined procedures or conditions</label>
-         </param>
-         <param id="ac-2_prm_4">
-            <label>organization-defined frequency</label>
-            <constraint>monthly for privileged accessed, every six (6) months for non-privileged access</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-2</prop>
-         <prop name="sort-id">ac-02</prop>
-         <part id="ac-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies and selects the following types of information system accounts to
-                  support organizational missions/business functions: <insert param-id="ac-2_prm_1"/>;</p>
-            </part>
-            <part id="ac-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Specifies authorized users of the information system, group and role membership,
-                  and access authorizations (i.e., privileges) and other attributes (as required)
-                  for each account;</p>
-            </part>
-            <part id="ac-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requires approvals by <insert param-id="ac-2_prm_2"/> for requests to create
-                  information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Creates, enables, modifies, disables, and removes information system accounts in
-                  accordance with <insert param-id="ac-2_prm_3"/>;</p>
-            </part>
-            <part id="ac-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Notifies account managers:</p>
-               <part id="ac-2_smt.h.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>When accounts are no longer required;</p>
-               </part>
-               <part id="ac-2_smt.h.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>When users are terminated or transferred; and</p>
-               </part>
-               <part id="ac-2_smt.h.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>When individual information system usage or need-to-know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Authorizes access to the information system based on:</p>
-               <part id="ac-2_smt.i.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A valid access authorization;</p>
-               </part>
-               <part id="ac-2_smt.i.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Intended system usage; and</p>
-               </part>
-               <part id="ac-2_smt.i.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Reviews accounts for compliance with account management requirements <insert param-id="ac-2_prm_4"/>; and</p>
-            </part>
-            <part id="ac-2_smt.k" name="item">
-               <prop name="label">k.</prop>
-               <p>Establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part id="ac-2_gdn" name="guidance">
-            <p>Information system account types include, for example, individual, shared, group,
-               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-               service. Some of the account management requirements listed above can be implemented
-               by organizational information systems. The identification of authorized users of the
-               information system and the specification of access privileges reflects the
-               requirements in other security controls in the security plan. Users requiring
-               administrative privileges on information system accounts receive additional scrutiny
-               by appropriate organizational personnel (e.g., system owner, mission/business owner,
-               or chief information security officer) responsible for approving such accounts and
-               privileged access. Organizations may choose to define access privileges or other
-               attributes by account, by type of account, or a combination of both. Other attributes
-               required for authorizing access include, for example, restrictions on time-of-day,
-               day-of-week, and point-of-origin. In defining other account attributes, organizations
-               consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-               and mission/business requirements, (e.g., time zone differences, customer
-               requirements, remote access to support travel requirements). Failure to consider
-               these factors could affect information system availability. Temporary and emergency
-               accounts are accounts intended for short-term use. Organizations establish temporary
-               accounts as a part of normal account activation procedures when there is a need for
-               short-term accounts without the demand for immediacy in account activation.
-               Organizations establish emergency accounts in response to crisis situations and with
-               the need for rapid account activation. Therefore, emergency account activation may
-               bypass normal account authorization processes. Emergency and temporary accounts are
-               not to be confused with infrequently used accounts (e.g., local logon accounts used
-               for special tasks defined by organizations or when network resources are
-               unavailable). Such accounts remain available and are not subject to automatic
-               disabling or removal dates. Conditions for disabling or deactivating accounts
-               include, for example: (i) when shared/group, emergency, or temporary accounts are no
-               longer required; or (ii) when individuals are transferred or terminated. Some types
-               of information system accounts may require specialized training.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-10">AC-10</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ac-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-2.a_obj" name="objective">
-               <prop name="label">AC-2(a)</prop>
-               <part id="ac-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(a)[1]</prop>
-                  <p>defines information system account types to be identified and selected to
-                     support organizational missions/business functions;</p>
-               </part>
-               <part id="ac-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AC-2(a)[2]</prop>
-                  <p>identifies and selects organization-defined information system account types to
-                     support organizational missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AC-2(b)</prop>
-               <p>assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(c)</prop>
-               <p>establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(d)</prop>
-               <p>specifies for each account (as required):</p>
-               <part id="ac-2.d_obj.1" name="objective">
-                  <prop name="label">AC-2(d)[1]</prop>
-                  <p>authorized users of the information system;</p>
-               </part>
-               <part id="ac-2.d_obj.2" name="objective">
-                  <prop name="label">AC-2(d)[2]</prop>
-                  <p>group and role membership;</p>
-               </part>
-               <part id="ac-2.d_obj.3" name="objective">
-                  <prop name="label">AC-2(d)[3]</prop>
-                  <p>access authorizations (i.e., privileges);</p>
-               </part>
-               <part id="ac-2.d_obj.4" name="objective">
-                  <prop name="label">AC-2(d)[4]</prop>
-                  <p>other attributes;</p>
-               </part>
-            </part>
-            <part id="ac-2.e_obj" name="objective">
-               <prop name="label">AC-2(e)</prop>
-               <part id="ac-2.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(e)[1]</prop>
-                  <p>defines personnel or roles required to approve requests to create information
-                     system accounts;</p>
-               </part>
-               <part id="ac-2.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(e)[2]</prop>
-                  <p>requires approvals by organization-defined personnel or roles for requests to
-                     create information system accounts;</p>
-               </part>
-            </part>
-            <part id="ac-2.f_obj" name="objective">
-               <prop name="label">AC-2(f)</prop>
-               <part id="ac-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(f)[1]</prop>
-                  <p>defines procedures or conditions to:</p>
-                  <part id="ac-2.f_obj.1.a" name="objective">
-                     <prop name="label">AC-2(f)[1][a]</prop>
-                     <p>create information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.b" name="objective">
-                     <prop name="label">AC-2(f)[1][b]</prop>
-                     <p>enable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.c" name="objective">
-                     <prop name="label">AC-2(f)[1][c]</prop>
-                     <p>modify information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.d" name="objective">
-                     <prop name="label">AC-2(f)[1][d]</prop>
-                     <p>disable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.e" name="objective">
-                     <prop name="label">AC-2(f)[1][e]</prop>
-                     <p>remove information system accounts;</p>
-                  </part>
-               </part>
-               <part id="ac-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(f)[2]</prop>
-                  <p>in accordance with organization-defined procedures or conditions:</p>
-                  <part id="ac-2.f_obj.2.a" name="objective">
-                     <prop name="label">AC-2(f)[2][a]</prop>
-                     <p>creates information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.b" name="objective">
-                     <prop name="label">AC-2(f)[2][b]</prop>
-                     <p>enables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.c" name="objective">
-                     <prop name="label">AC-2(f)[2][c]</prop>
-                     <p>modifies information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.d" name="objective">
-                     <prop name="label">AC-2(f)[2][d]</prop>
-                     <p>disables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.e" name="objective">
-                     <prop name="label">AC-2(f)[2][e]</prop>
-                     <p>removes information system accounts;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.g_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(g)</prop>
-               <p>monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2.h_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(h)</prop>
-               <p>notifies account managers:</p>
-               <part id="ac-2.h.1_obj" name="objective">
-                  <prop name="label">AC-2(h)(1)</prop>
-                  <p>when accounts are no longer required;</p>
-               </part>
-               <part id="ac-2.h.2_obj" name="objective">
-                  <prop name="label">AC-2(h)(2)</prop>
-                  <p>when users are terminated or transferred;</p>
-               </part>
-               <part id="ac-2.h.3_obj" name="objective">
-                  <prop name="label">AC-2(h)(3)</prop>
-                  <p>when individual information system usage or need to know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2.i_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(i)</prop>
-               <p>authorizes access to the information system based on;</p>
-               <part id="ac-2.i.1_obj" name="objective">
-                  <prop name="label">AC-2(i)(1)</prop>
-                  <p>a valid access authorization;</p>
-               </part>
-               <part id="ac-2.i.2_obj" name="objective">
-                  <prop name="label">AC-2(i)(2)</prop>
-                  <p>intended system usage;</p>
-               </part>
-               <part id="ac-2.i.3_obj" name="objective">
-                  <prop name="label">AC-2(i)(3)</prop>
-                  <p>other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.j_obj" name="objective">
-               <prop name="label">AC-2(j)</prop>
-               <part id="ac-2.j_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(j)[1]</prop>
-                  <p>defines the frequency to review accounts for compliance with account management
-                     requirements;</p>
-               </part>
-               <part id="ac-2.j_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(j)[2]</prop>
-                  <p>reviews accounts for compliance with account management requirements with the
-                     organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="ac-2.k_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(k)</prop>
-               <p>establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of active system accounts along with the name of the individual associated
-                  with each account</p>
-               <p>list of conditions for group and role membership</p>
-               <p>notifications or records of recently transferred, separated, or terminated
-                  employees</p>
-               <p>list of recently disabled information system accounts along with the name of the
-                  individual associated with each account</p>
-               <p>access authorization records</p>
-               <p>account management compliance reviews</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes account management on the information system</p>
-               <p>automated mechanisms for implementing account management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-2.1">
-            <title>Automated System Account Management</title>
-            <prop name="label">AC-2(1)</prop>
-            <prop name="sort-id">ac-02.01</prop>
-            <part id="ac-2.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to support the management of
-                  information system accounts.</p>
-            </part>
-            <part id="ac-2.1_gdn" name="guidance">
-               <p>The use of automated mechanisms can include, for example: using email or text
-                  messaging to automatically notify account managers when users are terminated or
-                  transferred; using the information system to monitor account usage; and using
-                  telephonic notification to report atypical system account usage.</p>
-            </part>
-            <part id="ac-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to support the
-                  management of information system accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.2">
-            <title>Removal of Temporary / Emergency Accounts</title>
-            <param id="ac-2.2_prm_1">
-               <constraint>Selection: disables</constraint>
-            </param>
-            <param id="ac-2.2_prm_2">
-               <label>organization-defined time period for each type of account</label>
-               <constraint>24 hours from last use</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-2(2)</prop>
-            <prop name="sort-id">ac-02.02</prop>
-            <part id="ac-2.2_smt" name="statement">
-               <p>The information system automatically <insert param-id="ac-2.2_prm_1"/> temporary
-                  and emergency accounts after <insert param-id="ac-2.2_prm_2"/>.</p>
-            </part>
-            <part id="ac-2.2_gdn" name="guidance">
-               <p>This control enhancement requires the removal of both temporary and emergency
-                  accounts automatically after a predefined period of time has elapsed, rather than
-                  at the convenience of the systems administrator.</p>
-            </part>
-            <part id="ac-2.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(2)[1]</prop>
-                  <p>the organization defines the time period after which the information system
-                     automatically removes or disables temporary and emergency accounts; and</p>
-               </part>
-               <part id="ac-2.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(2)[2]</prop>
-                  <p>the information system automatically removes or disables temporary and
-                     emergency accounts after the organization-defined time period for each type of
-                     account.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of temporary accounts removed and/or
-                     disabled</p>
-                  <p>information system-generated list of emergency accounts removed and/or
-                     disabled</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.3">
-            <title>Disable Inactive Accounts</title>
-            <param id="ac-2.3_prm_1">
-               <label>organization-defined time period</label>
-               <constraint>35 days for user accounts</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-2(3)</prop>
-            <prop name="sort-id">ac-02.03</prop>
-            <part id="ac-2.3_smt" name="statement">
-               <p>The information system automatically disables inactive accounts after <insert param-id="ac-2.3_prm_1"/>.</p>
-               <part id="ac-2.3_fr" name="item">
-                  <title>AC-2 (3) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.3_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(3)[1]</prop>
-                  <p>the organization defines the time period after which the information system
-                     automatically disables inactive accounts; and</p>
-               </part>
-               <part id="ac-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(3)[2]</prop>
-                  <p>the information system automatically disables inactive accounts after the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of temporary accounts removed and/or
-                     disabled</p>
-                  <p>information system-generated list of emergency accounts removed and/or
-                     disabled</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.4">
-            <title>Automated Audit Actions</title>
-            <param id="ac-2.4_prm_1">
-               <label>organization-defined personnel or roles</label>
-               <constraint>organization and/or service provider system owner</constraint>
-            </param>
-            <prop name="label">AC-2(4)</prop>
-            <prop name="sort-id">ac-02.04</prop>
-            <part id="ac-2.4_smt" name="statement">
-               <p>The information system automatically audits account creation, modification,
-                  enabling, disabling, and removal actions, and notifies <insert param-id="ac-2.4_prm_1"/>.</p>
-            </part>
-            <part id="ac-2.4_gdn" name="guidance">
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="ac-2.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(4)[1]</prop>
-                  <p>the information system automatically audits the following account actions:</p>
-                  <part id="ac-2.4_obj.1.a" name="objective">
-                     <prop name="label">AC-2(4)[1][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.b" name="objective">
-                     <prop name="label">AC-2(4)[1][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.c" name="objective">
-                     <prop name="label">AC-2(4)[1][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.d" name="objective">
-                     <prop name="label">AC-2(4)[1][d]</prop>
-                     <p>disabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.e" name="objective">
-                     <prop name="label">AC-2(4)[1][e]</prop>
-                     <p>removal;</p>
-                  </part>
-               </part>
-               <part id="ac-2.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(4)[2]</prop>
-                  <p>the organization defines personnel or roles to be notified of the following
-                     account actions:</p>
-                  <part id="ac-2.4_obj.2.a" name="objective">
-                     <prop name="label">AC-2(4)[2][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.b" name="objective">
-                     <prop name="label">AC-2(4)[2][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.c" name="objective">
-                     <prop name="label">AC-2(4)[2][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.d" name="objective">
-                     <prop name="label">AC-2(4)[2][d]</prop>
-                     <p>disabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.e" name="objective">
-                     <prop name="label">AC-2(4)[2][e]</prop>
-                     <p>removal;</p>
-                  </part>
-               </part>
-               <part id="ac-2.4_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(4)[3]</prop>
-                  <p>the information system notifies organization-defined personnel or roles of the
-                     following account actions:</p>
-                  <part id="ac-2.4_obj.3.a" name="objective">
-                     <prop name="label">AC-2(4)[3][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.b" name="objective">
-                     <prop name="label">AC-2(4)[3][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.c" name="objective">
-                     <prop name="label">AC-2(4)[3][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.d" name="objective">
-                     <prop name="label">AC-2(4)[3][d]</prop>
-                     <p>disabling; and</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.e" name="objective">
-                     <prop name="label">AC-2(4)[3][e]</prop>
-                     <p>removal.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>notifications/alerts of account creation, modification, enabling, disabling,
-                     and removal actions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.5">
-            <title>Inactivity Logout</title>
-            <param id="ac-2.5_prm_1">
-               <label>organization-defined time-period of expected inactivity or description of when
-                  to log out</label>
-               <constraint>inactivity is anticipated to exceed Fifteen (15) minutes</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-2(5)</prop>
-            <prop name="sort-id">ac-02.05</prop>
-            <part id="ac-2.5_smt" name="statement">
-               <p>The organization requires that users log out when <insert param-id="ac-2.5_prm_1"/>.</p>
-               <part id="ac-2.5_fr" name="item">
-                  <title>AC-2 (5) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.5_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Should use a shorter timeframe than AC-12.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.5_gdn" name="guidance">
-               <link rel="related" href="#sc-23">SC-23</link>
-            </part>
-            <part id="ac-2.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(5)[1]</prop>
-                  <p>defines either the time period of expected inactivity that requires users to
-                     log out or the description of when users are required to log out; and</p>
-               </part>
-               <part id="ac-2.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(5)[2]</prop>
-                  <p>requires that users log out when the organization-defined time period of
-                     inactivity is reached or in accordance with organization-defined description of
-                     when to log out.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security violation reports</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>users that must comply with inactivity logout policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.7">
-            <title>Role-based Schemes</title>
-            <param id="ac-2.7_prm_1">
-               <label>organization-defined actions</label>
-               <constraint>disables/revokes access within a organization-specified timeframe</constraint>
-            </param>
-            <prop name="label">AC-2(7)</prop>
-            <prop name="sort-id">ac-02.07</prop>
-            <part id="ac-2.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-2.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Establishes and administers privileged user accounts in accordance with a
-                     role-based access scheme that organizes allowed information system access and
-                     privileges into roles;</p>
-               </part>
-               <part id="ac-2.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Monitors privileged role assignments; and</p>
-               </part>
-               <part id="ac-2.7_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Takes <insert param-id="ac-2.7_prm_1"/> when privileged role assignments are no
-                     longer appropriate.</p>
-               </part>
-            </part>
-            <part id="ac-2.7_gdn" name="guidance">
-               <p>Privileged roles are organization-defined roles assigned to individuals that allow
-                  those individuals to perform certain security-relevant functions that ordinary
-                  users are not authorized to perform. These privileged roles include, for example,
-                  key management, account management, network and system administration, database
-                  administration, and web administration.</p>
-            </part>
-            <part id="ac-2.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.7.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(7)(a)</prop>
-                  <p>establishes and administers privileged user accounts in accordance with a
-                     role-based access scheme that organizes allowed information system access and
-                     privileges into roles;</p>
-                  <link rel="corresp" href="#ac-2.7_smt.a">AC-2(7)(a)</link>
-               </part>
-               <part id="ac-2.7.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(7)(b)</prop>
-                  <p>monitors privileged role assignments;</p>
-                  <link rel="corresp" href="#ac-2.7_smt.b">AC-2(7)(b)</link>
-               </part>
-               <part id="ac-2.7.c_obj" name="objective">
-                  <prop name="label">AC-2(7)(c)</prop>
-                  <part id="ac-2.7.c_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-2(7)(c)[1]</prop>
-                     <p>defines actions to be taken when privileged role assignments are no longer
-                        appropriate; and</p>
-                  </part>
-                  <part id="ac-2.7.c_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-2(7)(c)[2]</prop>
-                     <p>takes organization-defined actions when privileged role assignments are no
-                        longer appropriate.</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.7_smt.c">AC-2(7)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of privileged user accounts and associated
-                     role</p>
-                  <p>records of actions taken when privileged role assignments are no longer
-                     appropriate</p>
-                  <p>information system audit records</p>
-                  <p>audit tracking and monitoring reports</p>
-                  <p>information system monitoring records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-                  <p>automated mechanisms monitoring privileged role assignments</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.9">
-            <title>Restrictions On Use of Shared / Group Accounts</title>
-            <param id="ac-2.9_prm_1">
-               <label>organization-defined conditions for establishing shared/group accounts</label>
-               <constraint>organization-defined need with justification statement that explains why such accounts are necessary</constraint>
-            </param>
-            <prop name="label">AC-2(9)</prop>
-            <prop name="sort-id">ac-02.09</prop>
-            <part id="ac-2.9_smt" name="statement">
-               <p>The organization only permits the use of shared/group accounts that meet <insert param-id="ac-2.9_prm_1"/>.</p>
-               <part id="ac-2.9_fr" name="item">
-                  <title>AC-2 (9) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.9_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Required if shared/group accounts are deployed</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.9_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(9)[1]</prop>
-                  <p>defines conditions for establishing shared/group accounts; and</p>
-               </part>
-               <part id="ac-2.9_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(9)[2]</prop>
-                  <p>only permits the use of shared/group accounts that meet organization-defined
-                     conditions for establishing shared/group accounts.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of shared/group accounts and associated role</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing management of shared/group accounts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.10">
-            <title>Shared / Group Account Credential Termination</title>
-            <prop name="label">AC-2(10)</prop>
-            <prop name="sort-id">ac-02.10</prop>
-            <part id="ac-2.10_smt" name="statement">
-               <p>The information system terminates shared/group account credentials when members
-                  leave the group.</p>
-               <part id="ac-2.10_fr" name="item">
-                  <title>AC-2 (10) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.10_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Required if shared/group accounts are deployed</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system terminates shared/group account credentials
-                  when members leave the group.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>account access termination records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.11">
-            <title>Usage Conditions</title>
-            <param id="ac-2.11_prm_1">
-               <label>organization-defined circumstances and/or usage conditions</label>
-            </param>
-            <param id="ac-2.11_prm_2">
-               <label>organization-defined information system accounts</label>
-            </param>
-            <prop name="label">AC-2(11)</prop>
-            <prop name="sort-id">ac-02.11</prop>
-            <part id="ac-2.11_smt" name="statement">
-               <p>The information system enforces <insert param-id="ac-2.11_prm_1"/> for <insert param-id="ac-2.11_prm_2"/>.</p>
-            </part>
-            <part id="ac-2.11_gdn" name="guidance">
-               <p>Organizations can describe the specific conditions or circumstances under which
-                  information system accounts can be used, for example, by restricting usage to
-                  certain days of the week, time of day, or specific durations of time.</p>
-            </part>
-            <part id="ac-2.11_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.11_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(11)[1]</prop>
-                  <p>the organization defines circumstances and/or usage conditions to be enforced
-                     for information system accounts;</p>
-               </part>
-               <part id="ac-2.11_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(11)[2]</prop>
-                  <p>the organization defines information system accounts for which
-                     organization-defined circumstances and/or usage conditions are to be enforced;
-                     and</p>
-               </part>
-               <part id="ac-2.11_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(11)[3]</prop>
-                  <p>the information system enforces organization-defined circumstances and/or usage
-                     conditions for organization-defined information system accounts.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of information system accounts and associated assignments
-                     of usage circumstances and/or usage conditions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.12">
-            <title>Account Monitoring / Atypical Usage</title>
-            <param id="ac-2.12_prm_1">
-               <label>organization-defined atypical usage</label>
-            </param>
-            <param id="ac-2.12_prm_2">
-               <label>organization-defined personnel or roles</label>
-               <constraint>at a minimum, the ISSO and/or similar role within the organization</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-2(12)</prop>
-            <prop name="sort-id">ac-02.12</prop>
-            <part id="ac-2.12_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-2.12_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Monitors information system accounts for <insert param-id="ac-2.12_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="ac-2.12_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reports atypical usage of information system accounts to <insert param-id="ac-2.12_prm_2"/>.</p>
-               </part>
-               <part id="ac-2.12_fr" name="item">
-                  <title>AC-2 (12) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.12_fr_gdn.1" name="guidance">
-                     <prop name="label">(a) Guidance:</prop>
-                     <p>Required for privileged accounts.</p>
-                  </part>
-                  <part id="ac-2.12_fr_gdn.2" name="guidance">
-                     <prop name="label">(b) Guidance:</prop>
-                     <p>Required for privileged accounts.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.12_gdn" name="guidance">
-               <p>Atypical usage includes, for example, accessing information systems at certain
-                  times of the day and from locations that are not consistent with the normal usage
-                  patterns of individuals working in organizations.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="ac-2.12_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.12.a_obj" name="objective">
-                  <prop name="label">AC-2(12)(a)</prop>
-                  <part id="ac-2.12.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-2(12)(a)[1]</prop>
-                     <p>defines atypical usage to be monitored for information system accounts;</p>
-                  </part>
-                  <part id="ac-2.12.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-2(12)(a)[2]</prop>
-                     <p>monitors information system accounts for organization-defined atypical
-                        usage;</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.12_smt.a">AC-2(12)(a)</link>
-               </part>
-               <part id="ac-2.12.b_obj" name="objective">
-                  <prop name="label">AC-2(12)(b)</prop>
-                  <part id="ac-2.12.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-2(12)(b)[1]</prop>
-                     <p>defines personnel or roles to whom atypical usage of information system
-                        accounts are to be reported; and</p>
-                  </part>
-                  <part id="ac-2.12.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-2(12)(b)[2]</prop>
-                     <p>reports atypical usage of information system accounts to
-                        organization-defined personnel or roles.</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.12_smt.b">AC-2(12)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring records</p>
-                  <p>information system audit records</p>
-                  <p>audit tracking and monitoring reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.13">
-            <title>Disable Accounts for High-risk Individuals</title>
-            <param id="ac-2.13_prm_1">
-               <label>organization-defined time period</label>
-               <constraint>one (1) hour</constraint>
-            </param>
-            <prop name="label">AC-2(13)</prop>
-            <prop name="sort-id">ac-02.13</prop>
-            <part id="ac-2.13_smt" name="statement">
-               <p>The organization disables accounts of users posing a significant risk within
-                     <insert param-id="ac-2.13_prm_1"/> of discovery of the risk.</p>
-            </part>
-            <part id="ac-2.13_gdn" name="guidance">
-               <p>Users posing a significant risk to organizations include individuals for whom
-                  reliable evidence or intelligence indicates either the intention to use authorized
-                  access to information systems to cause harm or through whom adversaries will cause
-                  harm. Harm includes potential adverse impacts to organizational operations and
-                  assets, individuals, other organizations, or the Nation. Close coordination
-                  between authorizing officials, information system administrators, and human
-                  resource managers is essential in order for timely execution of this control
-                  enhancement.</p>
-               <link rel="related" href="#ps-4">PS-4</link>
-            </part>
-            <part id="ac-2.13_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-2.13_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(13)[1]</prop>
-                  <p>defines the time period within which accounts are disabled upon discovery of a
-                     significant risk posed by users of such accounts; and</p>
-               </part>
-               <part id="ac-2.13_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(13)[2]</prop>
-                  <p>disables accounts of users posing a significant risk within the
-                     organization-defined time period of discovery of the risk.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of disabled accounts</p>
-                  <p>list of user activities posing significant organizational risk</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-3">
-         <title>Access Enforcement</title>
-         <prop name="label">AC-3</prop>
-         <prop name="sort-id">ac-03</prop>
-         <part id="ac-3_smt" name="statement">
-            <p>The information system enforces approved authorizations for logical access to
-               information and system resources in accordance with applicable access control
-               policies.</p>
-         </part>
-         <part id="ac-3_gdn" name="guidance">
-            <p>Access control policies (e.g., identity-based policies, role-based policies, control
-               matrices, cryptography) control access between active entities or subjects (i.e.,
-               users or processes acting on behalf of users) and passive entities or objects (e.g.,
-               devices, files, records, domains) in information systems. In addition to enforcing
-               authorized access at the information system level and recognizing that information
-               systems can host many applications and services in support of organizational missions
-               and business operations, access enforcement mechanisms can also be employed at the
-               application and service level to provide increased information security.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#ac-22">AC-22</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="ac-3_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system enforces approved authorizations for logical
-               access to information and system resources in accordance with applicable access
-               control policies.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of approved authorizations (user privileges)</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access enforcement responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-4">
-         <title>Information Flow Enforcement</title>
-         <param id="ac-4_prm_1">
-            <label>organization-defined information flow control policies</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-4</prop>
-         <prop name="sort-id">ac-04</prop>
-         <part id="ac-4_smt" name="statement">
-            <p>The information system enforces approved authorizations for controlling the flow of
-               information within the system and between interconnected systems based on <insert param-id="ac-4_prm_1"/>.</p>
-         </part>
-         <part id="ac-4_gdn" name="guidance">
-            <p>Information flow control regulates where information is allowed to travel within an
-               information system and between information systems (as opposed to who is allowed to
-               access the information) and without explicit regard to subsequent accesses to that
-               information. Flow control restrictions include, for example, keeping
-               export-controlled information from being transmitted in the clear to the Internet,
-               blocking outside traffic that claims to be from within the organization, restricting
-               web requests to the Internet that are not from the internal web proxy server, and
-               limiting information transfers between organizations based on data structures and
-               content. Transferring information between information systems representing different
-               security domains with different security policies introduces risk that such transfers
-               violate one or more domain security policies. In such situations, information
-               owners/stewards provide guidance at designated policy enforcement points between
-               interconnected systems. Organizations consider mandating specific architectural
-               solutions when required to enforce specific security policies. Enforcement includes,
-               for example: (i) prohibiting information transfers between interconnected systems
-               (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way
-               information flows; and (iii) implementing trustworthy regrading mechanisms to
-               reassign security attributes and security labels. Organizations commonly employ
-               information flow control policies and enforcement mechanisms to control the flow of
-               information between designated sources and destinations (e.g., networks, individuals,
-               and devices) within information systems and between interconnected systems. Flow
-               control is based on the characteristics of the information and/or the information
-               path. Enforcement occurs, for example, in boundary protection devices (e.g.,
-               gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or
-               establish configuration settings that restrict information system services, provide a
-               packet-filtering capability based on header information, or message-filtering
-               capability based on message content (e.g., implementing key word searches or using
-               document characteristics). Organizations also consider the trustworthiness of
-               filtering/inspection mechanisms (i.e., hardware, firmware, and software components)
-               that are critical to information flow enforcement. Control enhancements 3 through 22
-               primarily address cross-domain solution needs which focus on more advanced filtering
-               techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented
-               in cross-domain products, for example, high-assurance guards. Such capabilities are
-               generally not available in commercial off-the-shelf information technology
-               products.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-18">SC-18</link>
-         </part>
-         <part id="ac-4_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-4_obj.1" name="objective">
-               <prop name="label">AC-4[1]</prop>
-               <p>the organization defines information flow control policies to control the flow of
-                  information within the system and between interconnected systems; and</p>
-            </part>
-            <part id="ac-4_obj.2" name="objective">
-               <prop name="label">AC-4[2]</prop>
-               <p>the information system enforces approved authorizations for controlling the flow
-                  of information within the system and between interconnected systems based on
-                  organization-defined information flow control policies.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>information flow control policies</p>
-               <p>procedures addressing information flow enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system baseline configuration</p>
-               <p>list of information flow authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information flow enforcement policy</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-4.8">
-            <title>Security Policy Filters</title>
-            <param id="ac-4.8_prm_1">
-               <label>organization-defined security policy filters</label>
-            </param>
-            <param id="ac-4.8_prm_2">
-               <label>organization-defined information flows</label>
-            </param>
-            <prop name="label">AC-4(8)</prop>
-            <prop name="sort-id">ac-04.08</prop>
-            <part id="ac-4.8_smt" name="statement">
-               <p>The information system enforces information flow control using <insert param-id="ac-4.8_prm_1"/> as a basis for flow control decisions for <insert param-id="ac-4.8_prm_2"/>.</p>
-            </part>
-            <part id="ac-4.8_gdn" name="guidance">
-               <p>Organization-defined security policy filters can address data structures and
-                  content. For example, security policy filters for data structures can check for
-                  maximum file lengths, maximum field sizes, and data/file types (for structured and
-                  unstructured data). Security policy filters for data content can check for
-                  specific words (e.g., dirty/clean word filters), enumerated values or data value
-                  ranges, and hidden content. Structured data permits the interpretation of data
-                  content by applications. Unstructured data typically refers to digital information
-                  without a particular data structure or with a data structure that does not
-                  facilitate the development of rule sets to address the particular sensitivity of
-                  the information conveyed by the data or the associated flow enforcement decisions.
-                  Unstructured data consists of: (i) bitmap objects that are inherently non
-                  language-based (i.e., image, video, or audio files); and (ii) textual objects that
-                  are based on written or printed languages (e.g., commercial off-the-shelf word
-                  processing documents, spreadsheets, or emails). Organizations can implement more
-                  than one security policy filter to meet information flow control objectives (e.g.,
-                  employing clean word lists in conjunction with dirty word lists may help to reduce
-                  false positives).</p>
-            </part>
-            <part id="ac-4.8_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.8_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-4(8)[1]</prop>
-                  <p>the organization defines security policy filters to be used as a basis for
-                     enforcing flow control decisions;</p>
-               </part>
-               <part id="ac-4.8_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-4(8)[2]</prop>
-                  <p>the organization defines information flows for which flow control decisions are
-                     to be applied and enforced; and</p>
-               </part>
-               <part id="ac-4.8_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-4(8)[3]</prop>
-                  <p>the information system enforces information flow control using
-                     organization-defined security policy filters as a basis for flow control
-                     decisions for organization-defined information flows.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security policy filters regulating flow control decisions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.21">
-            <title>Physical / Logical Separation of Information Flows</title>
-            <param id="ac-4.21_prm_1">
-               <label>organization-defined mechanisms and/or techniques</label>
-            </param>
-            <param id="ac-4.21_prm_2">
-               <label>organization-defined required separations by types of information</label>
-            </param>
-            <prop name="label">AC-4(21)</prop>
-            <prop name="sort-id">ac-04.21</prop>
-            <part id="ac-4.21_smt" name="statement">
-               <p>The information system separates information flows logically or physically using
-                     <insert param-id="ac-4.21_prm_1"/> to accomplish <insert param-id="ac-4.21_prm_2"/>.</p>
-            </part>
-            <part id="ac-4.21_gdn" name="guidance">
-               <p>Enforcing the separation of information flows by type can enhance protection by
-                  ensuring that information is not commingled while in transit and by enabling flow
-                  control by transmission paths perhaps not otherwise achievable. Types of separable
-                  information include, for example, inbound and outbound communications traffic,
-                  service requests and responses, and information of differing security
-                  categories.</p>
-            </part>
-            <part id="ac-4.21_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-4.21_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-4(21)[1]</prop>
-                  <p>the organization defines the required separations of information flows by types
-                     of information;</p>
-               </part>
-               <part id="ac-4.21_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-4(21)[2]</prop>
-                  <p>the organization defines the mechanisms and/or techniques to be used to
-                     separate information flows logically or physically; and</p>
-               </part>
-               <part id="ac-4.21_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-4(21)[3]</prop>
-                  <p>the information system separates information flows logically or physically
-                     using organization-defined mechanisms and/or techniques to accomplish
-                     organization-defined required separations by types of information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information flow enforcement policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of required separation of information flows by information types</p>
-                  <p>list of mechanisms and/or techniques used to logically or physically separate
-                     information flows</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information flow enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-5">
-         <title>Separation of Duties</title>
-         <param id="ac-5_prm_1">
-            <label>organization-defined duties of individuals</label>
-         </param>
-         <prop name="label">AC-5</prop>
-         <prop name="sort-id">ac-05</prop>
-         <part id="ac-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Separates <insert param-id="ac-5_prm_1"/>;</p>
-            </part>
-            <part id="ac-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents separation of duties of individuals; and</p>
-            </part>
-            <part id="ac-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Defines information system access authorizations to support separation of
-                  duties.</p>
-            </part>
-            <part id="ac-5_fr" name="item">
-               <title>AC-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-5_gdn" name="guidance">
-            <p>Separation of duties addresses the potential for abuse of authorized privileges and
-               helps to reduce the risk of malevolent activity without collusion. Separation of
-               duties includes, for example: (i) dividing mission functions and information system
-               support functions among different individuals and/or roles; (ii) conducting
-               information system support functions with different individuals (e.g., system
-               management, programming, configuration management, quality assurance and testing, and
-               network security); and (iii) ensuring security personnel administering access control
-               functions do not also administer audit functions.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-         </part>
-         <part id="ac-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-5.a_obj" name="objective">
-               <prop name="label">AC-5(a)</prop>
-               <part id="ac-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-5(a)[1]</prop>
-                  <p>defines duties of individuals to be separated;</p>
-               </part>
-               <part id="ac-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-5(a)[2]</prop>
-                  <p>separates organization-defined duties of individuals;</p>
-               </part>
-            </part>
-            <part id="ac-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-5(b)</prop>
-               <p>documents separation of duties; and</p>
-            </part>
-            <part id="ac-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-5(c)</prop>
-               <p>defines information system access authorizations to support separation of
-                  duties.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing divisions of responsibility and separation of duties</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of divisions of responsibility and separation of duties</p>
-               <p>information system access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining appropriate divisions
-                  of responsibility and separation of duties</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing separation of duties policy</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-6">
-         <title>Least Privilege</title>
-         <prop name="label">AC-6</prop>
-         <prop name="sort-id">ac-06</prop>
-         <part id="ac-6_smt" name="statement">
-            <p>The organization employs the principle of least privilege, allowing only authorized
-               accesses for users (or processes acting on behalf of users) which are necessary to
-               accomplish assigned tasks in accordance with organizational missions and business
-               functions.</p>
-         </part>
-         <part id="ac-6_gdn" name="guidance">
-            <p>Organizations employ least privilege for specific duties and information systems. The
-               principle of least privilege is also applied to information system processes,
-               ensuring that the processes operate at privilege levels no higher than necessary to
-               accomplish required organizational missions/business functions. Organizations
-               consider the creation of additional processes, roles, and information system accounts
-               as necessary, to achieve least privilege. Organizations also apply least privilege to
-               the development, implementation, and operation of organizational information
-               systems.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="ac-6_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization employs the principle of least privilege, allowing only
-               authorized access for users (and processes acting on behalf of users) which are
-               necessary to accomplish assigned tasks in accordance with organizational missions and
-               business functions. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing least privilege</p>
-               <p>list of assigned access authorizations (user privileges)</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining least privileges
-                  necessary to accomplish specified tasks</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing least privilege functions</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-6.1">
-            <title>Authorize Access to Security Functions</title>
-            <param id="ac-6.1_prm_1">
-               <label>organization-defined security functions (deployed in hardware, software, and
-                  firmware) and security-relevant information</label>
-               <constraint>all functions not publicly accessible and all security-relevant information not publicly available</constraint>
-            </param>
-            <prop name="label">AC-6(1)</prop>
-            <prop name="sort-id">ac-06.01</prop>
-            <part id="ac-6.1_smt" name="statement">
-               <p>The organization explicitly authorizes access to <insert param-id="ac-6.1_prm_1"/>.</p>
-            </part>
-            <part id="ac-6.1_gdn" name="guidance">
-               <p>Security functions include, for example, establishing system accounts, configuring
-                  access authorizations (i.e., permissions, privileges), setting events to be
-                  audited, and setting intrusion detection parameters. Security-relevant information
-                  includes, for example, filtering rules for routers/firewalls, cryptographic key
-                  management information, configuration parameters for security services, and access
-                  control lists. Explicitly authorized personnel include, for example, security
-                  administrators, system and network administrators, system security officers,
-                  system maintenance personnel, system programmers, and other privileged users.</p>
-               <link rel="related" href="#ac-17">AC-17</link>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ac-19">AC-19</link>
-            </part>
-            <part id="ac-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-6.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(1)[1]</prop>
-                  <p>defines security-relevant information for which access must be explicitly
-                     authorized;</p>
-               </part>
-               <part id="ac-6.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(1)[2]</prop>
-                  <p>defines security functions deployed in:</p>
-                  <part id="ac-6.1_obj.2.a" name="objective">
-                     <prop name="label">AC-6(1)[2][a]</prop>
-                     <p>hardware;</p>
-                  </part>
-                  <part id="ac-6.1_obj.2.b" name="objective">
-                     <prop name="label">AC-6(1)[2][b]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="ac-6.1_obj.2.c" name="objective">
-                     <prop name="label">AC-6(1)[2][c]</prop>
-                     <p>firmware;</p>
-                  </part>
-               </part>
-               <part id="ac-6.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(1)[3]</prop>
-                  <p>explicitly authorizes access to:</p>
-                  <part id="ac-6.1_obj.3.a" name="objective">
-                     <prop name="label">AC-6(1)[3][a]</prop>
-                     <p>organization-defined security functions; and</p>
-                  </part>
-                  <part id="ac-6.1_obj.3.b" name="objective">
-                     <prop name="label">AC-6(1)[3][b]</prop>
-                     <p>security-relevant information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of security functions (deployed in hardware, software, and firmware) and
-                     security-relevant information for which access must be explicitly
-                     authorized</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.2">
-            <title>Non-privileged Access for Nonsecurity Functions</title>
-            <param id="ac-6.2_prm_1">
-               <label>organization-defined security functions or security-relevant
-                  information</label>
-               <constraint>all security functions</constraint>
-            </param>
-            <prop name="label">AC-6(2)</prop>
-            <prop name="sort-id">ac-06.02</prop>
-            <part id="ac-6.2_smt" name="statement">
-               <p>The organization requires that users of information system accounts, or roles,
-                  with access to <insert param-id="ac-6.2_prm_1"/>, use non-privileged accounts or
-                  roles, when accessing nonsecurity functions.</p>
-               <part id="ac-6.2_fr" name="item">
-                  <title>AC-6 (2) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-6.2_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-6.2_gdn" name="guidance">
-               <p>This control enhancement limits exposure when operating from within privileged
-                  accounts or roles. The inclusion of roles addresses situations where organizations
-                  implement access control policies such as role-based access control and where a
-                  change of role provides the same degree of assurance in the change of access
-                  authorizations for both the user and all processes acting on behalf of the user as
-                  would be provided by a change between a privileged and non-privileged account.</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-            </part>
-            <part id="ac-6.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-6.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(2)[1]</prop>
-                  <p>defines security functions or security-relevant information to which users of
-                     information system accounts, or roles, have access; and</p>
-               </part>
-               <part id="ac-6.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(2)[2]</prop>
-                  <p>requires that users of information system accounts, or roles, with access to
-                     organization-defined security functions or security-relevant information, use
-                     non-privileged accounts, or roles, when accessing nonsecurity functions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated security functions or security-relevant information
-                     assigned to information system accounts or roles</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.3">
-            <title>Network Access to Privileged Commands</title>
-            <param id="ac-6.3_prm_1">
-               <label>organization-defined privileged commands</label>
-               <constraint>all privileged commands</constraint>
-            </param>
-            <param id="ac-6.3_prm_2">
-               <label>organization-defined compelling operational needs</label>
-            </param>
-            <prop name="label">AC-6(3)</prop>
-            <prop name="sort-id">ac-06.03</prop>
-            <part id="ac-6.3_smt" name="statement">
-               <p>The organization authorizes network access to <insert param-id="ac-6.3_prm_1"/>
-                  only for <insert param-id="ac-6.3_prm_2"/> and documents the rationale for such
-                  access in the security plan for the information system.</p>
-            </part>
-            <part id="ac-6.3_gdn" name="guidance">
-               <p>Network access is any access across a network connection in lieu of local access
-                  (i.e., user being physically present at the device).</p>
-               <link rel="related" href="#ac-17">AC-17</link>
-            </part>
-            <part id="ac-6.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-6.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(3)[1]</prop>
-                  <p>defines privileged commands to which network access is to be authorized only
-                     for compelling operational needs;</p>
-               </part>
-               <part id="ac-6.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(3)[2]</prop>
-                  <p>defines compelling operational needs for which network access to
-                     organization-defined privileged commands are to be solely authorized;</p>
-               </part>
-               <part id="ac-6.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(3)[3]</prop>
-                  <p>authorizes network access to organization-defined privileged commands only for
-                     organization-defined compelling operational needs; and</p>
-               </part>
-               <part id="ac-6.3_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AC-6(3)[4]</prop>
-                  <p>documents the rationale for authorized network access to organization-defined
-                     privileged commands in the security plan for the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of operational needs for authorizing network access to privileged
-                     commands</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.5">
-            <title>Privileged Accounts</title>
-            <param id="ac-6.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">AC-6(5)</prop>
-            <prop name="sort-id">ac-06.05</prop>
-            <part id="ac-6.5_smt" name="statement">
-               <p>The organization restricts privileged accounts on the information system to
-                     <insert param-id="ac-6.5_prm_1"/>.</p>
-            </part>
-            <part id="ac-6.5_gdn" name="guidance">
-               <p>Privileged accounts, including super user accounts, are typically described as
-                  system administrator for various types of commercial off-the-shelf operating
-                  systems. Restricting privileged accounts to specific personnel or roles prevents
-                  day-to-day users from having access to privileged information/functions.
-                  Organizations may differentiate in the application of this control enhancement
-                  between allowed privileges for local accounts and for domain accounts provided
-                  organizations retain the ability to control information system configurations for
-                  key security parameters and as otherwise necessary to sufficiently mitigate
-                  risk.</p>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="ac-6.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-6.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(5)[1]</prop>
-                  <p>defines personnel or roles for which privileged accounts on the information
-                     system are to be restricted; and</p>
-               </part>
-               <part id="ac-6.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(5)[2]</prop>
-                  <p>restricts privileged accounts on the information system to organization-defined
-                     personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated privileged accounts</p>
-                  <p>list of system administration personnel</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.7">
-            <title>Review of User Privileges</title>
-            <param id="ac-6.7_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at a minimum, annually</constraint>
-            </param>
-            <param id="ac-6.7_prm_2">
-               <label>organization-defined roles or classes of users</label>
-               <constraint>all users with privileges</constraint>
-            </param>
-            <prop name="label">AC-6(7)</prop>
-            <prop name="sort-id">ac-06.07</prop>
-            <part id="ac-6.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-6.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Reviews <insert param-id="ac-6.7_prm_1"/> the privileges assigned to <insert param-id="ac-6.7_prm_2"/> to validate the need for such privileges; and</p>
-               </part>
-               <part id="ac-6.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reassigns or removes privileges, if necessary, to correctly reflect
-                     organizational mission/business needs.</p>
-               </part>
-            </part>
-            <part id="ac-6.7_gdn" name="guidance">
-               <p>The need for certain assigned user privileges may change over time reflecting
-                  changes in organizational missions/business function, environments of operation,
-                  technologies, or threat. Periodic review of assigned user privileges is necessary
-                  to determine if the rationale for assigning such privileges remains valid. If the
-                  need cannot be revalidated, organizations take appropriate corrective actions.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="ac-6.7_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-6.7.a_obj" name="objective">
-                  <prop name="label">AC-6(7)(a)</prop>
-                  <part id="ac-6.7.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-6(7)(a)[1]</prop>
-                     <p>defines roles or classes of users to which privileges are assigned;</p>
-                  </part>
-                  <part id="ac-6.7.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-6(7)(a)[2]</prop>
-                     <p>defines the frequency to review the privileges assigned to
-                        organization-defined roles or classes of users to validate the need for such
-                        privileges;</p>
-                  </part>
-                  <part id="ac-6.7.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AC-6(7)(a)[3]</prop>
-                     <p>reviews the privileges assigned to organization-defined roles or classes of
-                        users with the organization-defined frequency to validate the need for such
-                        privileges; and</p>
-                  </part>
-                  <link rel="corresp" href="#ac-6.7_smt.a">AC-6(7)(a)</link>
-               </part>
-               <part id="ac-6.7.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(7)(b)</prop>
-                  <p>reassigns or removes privileges, if necessary, to correctly reflect
-                     organizational missions/business needs.</p>
-                  <link rel="corresp" href="#ac-6.7_smt.b">AC-6(7)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated roles or classes of users and assigned privileges</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>validation reviews of privileges assigned to roles or classes or users</p>
-                  <p>records of privilege removals or reassignments for roles or classes of
-                     users</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reviewing least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing review of user privileges</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.8">
-            <title>Privilege Levels for Code Execution</title>
-            <param id="ac-6.8_prm_1">
-               <label>organization-defined software</label>
-               <constraint>any software except software explicitly documented</constraint>
-            </param>
-            <prop name="label">AC-6(8)</prop>
-            <prop name="sort-id">ac-06.08</prop>
-            <part id="ac-6.8_smt" name="statement">
-               <p>The information system prevents <insert param-id="ac-6.8_prm_1"/> from executing
-                  at higher privilege levels than users executing the software.</p>
-            </part>
-            <part id="ac-6.8_gdn" name="guidance">
-               <p>In certain situations, software applications/programs need to execute with
-                  elevated privileges to perform required functions. However, if the privileges
-                  required for execution are at a higher level than the privileges assigned to
-                  organizational users invoking such applications/programs, those users are
-                  indirectly provided with greater privileges than assigned by organizations.</p>
-            </part>
-            <part id="ac-6.8_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-6.8_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(8)[1]</prop>
-                  <p>the organization defines software that should not execute at higher privilege
-                     levels than users executing the software; and</p>
-               </part>
-               <part id="ac-6.8_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(8)[2]</prop>
-                  <p>the information system prevents organization-defined software from executing at
-                     higher privilege levels than users executing the software.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of software that should not execute at higher privilege levels than users
-                     executing software</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions for software
-                     execution</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.9">
-            <title>Auditing Use of Privileged Functions</title>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-6(9)</prop>
-            <prop name="sort-id">ac-06.09</prop>
-            <part id="ac-6.9_smt" name="statement">
-               <p>The information system audits the execution of privileged functions.</p>
-            </part>
-            <part id="ac-6.9_gdn" name="guidance">
-               <p>Misuse of privileged functions, either intentionally or unintentionally by
-                  authorized users, or by unauthorized external entities that have compromised
-                  information system accounts, is a serious and ongoing concern and can have
-                  significant adverse impacts on organizations. Auditing the use of privileged
-                  functions is one way to detect such misuse, and in doing so, help mitigate the
-                  risk from insider threats and the advanced persistent threat (APT).</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ac-6.9_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system audits the execution of privileged functions.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of privileged functions to be audited</p>
-                  <p>list of audited events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reviewing least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms auditing the execution of least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.10">
-            <title>Prohibit Non-privileged Users from Executing Privileged Functions</title>
-            <prop name="label">AC-6(10)</prop>
-            <prop name="sort-id">ac-06.10</prop>
-            <part id="ac-6.10_smt" name="statement">
-               <p>The information system prevents non-privileged users from executing privileged
-                  functions to include disabling, circumventing, or altering implemented security
-                  safeguards/countermeasures.</p>
-            </part>
-            <part id="ac-6.10_gdn" name="guidance">
-               <p>Privileged functions include, for example, establishing information system
-                  accounts, performing system integrity checks, or administering cryptographic key
-                  management activities. Non-privileged users are individuals that do not possess
-                  appropriate authorizations. Circumventing intrusion detection and prevention
-                  mechanisms or malicious code protection mechanisms are examples of privileged
-                  functions that require protection from non-privileged users.</p>
-            </part>
-            <part id="ac-6.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system prevents non-privileged users from executing
-                  privileged functions to include:</p>
-               <part id="ac-6.10_obj.1" name="objective">
-                  <prop name="label">AC-6(10)[1]</prop>
-                  <p>disabling implemented security safeguards/countermeasures;</p>
-               </part>
-               <part id="ac-6.10_obj.2" name="objective">
-                  <prop name="label">AC-6(10)[2]</prop>
-                  <p>circumventing security safeguards/countermeasures; or</p>
-               </part>
-               <part id="ac-6.10_obj.3" name="objective">
-                  <prop name="label">AC-6(10)[3]</prop>
-                  <p>altering implemented security safeguards/countermeasures.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of privileged functions and associated user account assignments</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions for non-privileged
-                     users</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-7">
-         <title>Unsuccessful Logon Attempts</title>
-         <param id="ac-7_prm_1">
-            <label>organization-defined number</label>
-            <constraint>not more than three (3)</constraint>
-         </param>
-         <param id="ac-7_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>fifteen (15) minutes</constraint>
-         </param>
-         <param id="ac-7_prm_3"/>
-         <param id="ac-7_prm_4" depends-on="ac-7_prm_3">
-            <label>organization-defined time period</label>
-            <constraint>locks the account/node for a minimum of three (3) hours or until unlocked by an administrator</constraint>
-         </param>
-         <param id="ac-7_prm_5" depends-on="ac-7_prm_3">
-            <label>organization-defined delay algorithm</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-7</prop>
-         <prop name="sort-id">ac-07</prop>
-         <part id="ac-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces a limit of <insert param-id="ac-7_prm_1"/> consecutive invalid logon
-                  attempts by a user during a <insert param-id="ac-7_prm_2"/>; and</p>
-            </part>
-            <part id="ac-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Automatically <insert param-id="ac-7_prm_3"/> when the maximum number of
-                  unsuccessful attempts is exceeded.</p>
-            </part>
-         </part>
-         <part id="ac-7_gdn" name="guidance">
-            <p>This control applies regardless of whether the logon occurs via a local or network
-               connection. Due to the potential for denial of service, automatic lockouts initiated
-               by information systems are usually temporary and automatically release after a
-               predetermined time period established by organizations. If a delay algorithm is
-               selected, organizations may choose to employ different algorithms for different
-               information system components based on the capabilities of those components.
-               Responses to unsuccessful logon attempts may be implemented at both the operating
-               system and the application levels.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-         </part>
-         <part id="ac-7_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="ac-7.a_obj" name="objective">
-               <prop name="label">AC-7(a)</prop>
-               <part id="ac-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(a)[1]</prop>
-                  <p>the organization defines the number of consecutive invalid logon attempts
-                     allowed to the information system by a user during an organization-defined time
-                     period;</p>
-               </part>
-               <part id="ac-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(a)[2]</prop>
-                  <p>the organization defines the time period allowed by a user of the information
-                     system for an organization-defined number of consecutive invalid logon
-                     attempts;</p>
-               </part>
-               <part id="ac-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-7(a)[3]</prop>
-                  <p>the information system enforces a limit of organization-defined number of
-                     consecutive invalid logon attempts by a user during an organization-defined
-                     time period;</p>
-               </part>
-            </part>
-            <part id="ac-7.b_obj" name="objective">
-               <prop name="label">AC-7(b)</prop>
-               <part id="ac-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(b)[1]</prop>
-                  <p>the organization defines account/node lockout time period or logon delay
-                     algorithm to be automatically enforced by the information system when the
-                     maximum number of unsuccessful logon attempts is exceeded;</p>
-               </part>
-               <part id="ac-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-7(b)[2]</prop>
-                  <p>the information system, when the maximum number of unsuccessful logon attempts
-                     is exceeded, automatically:</p>
-                  <part id="ac-7.b_obj.2.a" name="objective">
-                     <prop name="label">AC-7(b)[2][a]</prop>
-                     <p>locks the account/node for the organization-defined time period;</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.b" name="objective">
-                     <prop name="label">AC-7(b)[2][b]</prop>
-                     <p>locks the account/node until released by an administrator; or</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.c" name="objective">
-                     <prop name="label">AC-7(b)[2][c]</prop>
-                     <p>delays next logon prompt according to the organization-defined delay
-                        algorithm.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing unsuccessful logon attempts</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for unsuccessful logon
-                  attempts</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-7.2">
-            <title>Purge / Wipe Mobile Device</title>
-            <param id="ac-7.2_prm_1">
-               <label>organization-defined mobile devices</label>
-               <constraint>mobile devices as defined by organization policy</constraint>
-            </param>
-            <param id="ac-7.2_prm_2">
-               <label>organization-defined purging/wiping requirements/techniques</label>
-            </param>
-            <param id="ac-7.2_prm_3">
-               <label>organization-defined number</label>
-               <constraint>three (3)</constraint>
-            </param>
-            <prop name="label">AC-7(2)</prop>
-            <prop name="sort-id">ac-07.02</prop>
-            <part id="ac-7.2_smt" name="statement">
-               <p>The information system purges/wipes information from <insert param-id="ac-7.2_prm_1"/> based on <insert param-id="ac-7.2_prm_2"/> after
-                     <insert param-id="ac-7.2_prm_3"/> consecutive, unsuccessful device logon
-                  attempts.</p>
-            </part>
-            <part id="ac-7.2_gdn" name="guidance">
-               <p>This control enhancement applies only to mobile devices for which a logon occurs
-                  (e.g., personal digital assistants, smart phones, tablets). The logon is to the
-                  mobile device, not to any one account on the device. Therefore, successful logons
-                  to any accounts on mobile devices reset the unsuccessful logon count to zero.
-                  Organizations define information to be purged/wiped carefully in order to avoid
-                  over purging/wiping which may result in devices becoming unusable. Purging/wiping
-                  may be unnecessary if the information on the device is protected with sufficiently
-                  strong encryption mechanisms.</p>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#mp-5">MP-5</link>
-               <link rel="related" href="#mp-6">MP-6</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ac-7.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-7.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(2)[1]</prop>
-                  <p>the organization defines mobile devices to be purged/wiped after
-                     organization-defined number of consecutive, unsuccessful device logon
-                     attempts;</p>
-               </part>
-               <part id="ac-7.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(2)[2]</prop>
-                  <p>the organization defines purging/wiping requirements/techniques to be used when
-                     organization-defined mobile devices are purged/wiped after organization-defined
-                     number of consecutive, unsuccessful device logon attempts;</p>
-               </part>
-               <part id="ac-7.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(2)[3]</prop>
-                  <p>the organization defines the number of consecutive, unsuccessful logon attempts
-                     allowed for accessing mobile devices before the information system purges/wipes
-                     information from such devices; and</p>
-               </part>
-               <part id="ac-7.2_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-7(2)[4]</prop>
-                  <p>the information system purges/wipes information from organization-defined
-                     mobile devices based on organization-defined purging/wiping
-                     requirements/techniques after organization-defined number of consecutive,
-                     unsuccessful logon attempts.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing unsuccessful login attempts on mobile devices</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of mobile devices to be purged/wiped after organization-defined
-                     consecutive, unsuccessful device logon attempts</p>
-                  <p>list of purging/wiping requirements or techniques for mobile devices</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access control policy for unsuccessful device
-                     logon attempts</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-8">
-         <title>System Use Notification</title>
-         <param id="ac-8_prm_1">
-            <label>organization-defined system use notification message or banner</label>
-            <constraint>see additional Requirements and Guidance</constraint>
-         </param>
-         <param id="ac-8_prm_2">
-            <label>organization-defined conditions</label>
-            <constraint>see additional Requirements and Guidance</constraint>
-         </param>
-         <prop name="label">AC-8</prop>
-         <prop name="sort-id">ac-08</prop>
-         <part id="ac-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Displays to users <insert param-id="ac-8_prm_1"/> before granting access to the
-                  system that provides privacy and security notices consistent with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance and states that:</p>
-               <part id="ac-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Users are accessing a U.S. Government information system;</p>
-               </part>
-               <part id="ac-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Information system usage may be monitored, recorded, and subject to audit;</p>
-               </part>
-               <part id="ac-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Unauthorized use of the information system is prohibited and subject to
-                     criminal and civil penalties; and</p>
-               </part>
-               <part id="ac-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Use of the information system indicates consent to monitoring and
-                     recording;</p>
-               </part>
-            </part>
-            <part id="ac-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains the notification message or banner on the screen until users acknowledge
-                  the usage conditions and take explicit actions to log on to or further access the
-                  information system; and</p>
-            </part>
-            <part id="ac-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>For publicly accessible systems:</p>
-               <part id="ac-8_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Displays system use information <insert param-id="ac-8_prm_2"/>, before
-                     granting further access;</p>
-               </part>
-               <part id="ac-8_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Displays references, if any, to monitoring, recording, or auditing that are
-                     consistent with privacy accommodations for such systems that generally prohibit
-                     those activities; and</p>
-               </part>
-               <part id="ac-8_smt.c.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Includes a description of the authorized uses of the system.</p>
-               </part>
-            </part>
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-8_gdn" name="guidance">
-            <p>System use notifications can be implemented using messages or warning banners
-               displayed before individuals log in to information systems. System use notifications
-               are used only for access via logon interfaces with human users and are not required
-               when such human interfaces do not exist. Organizations consider system use
-               notification messages/banners displayed in multiple languages based on specific
-               organizational needs and the demographics of information system users. Organizations
-               also consult with the Office of the General Counsel for legal review and approval of
-               warning banner content.</p>
-         </part>
-         <part id="ac-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-8.a_obj" name="objective">
-               <prop name="label">AC-8(a)</prop>
-               <part id="ac-8.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-8(a)[1]</prop>
-                  <p>the organization defines a system use notification message or banner to be
-                     displayed by the information system to users before granting access to the
-                     system;</p>
-               </part>
-               <part id="ac-8.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-8(a)[2]</prop>
-                  <p>the information system displays to users the organization-defined system use
-                     notification message or banner before granting access to the information system
-                     that provides privacy and security notices consistent with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance, and states that:</p>
-                  <part id="ac-8.a.1_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](1)</prop>
-                     <p>users are accessing a U.S. Government information system;</p>
-                  </part>
-                  <part id="ac-8.a.2_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](2)</prop>
-                     <p>information system usage may be monitored, recorded, and subject to
-                        audit;</p>
-                  </part>
-                  <part id="ac-8.a.3_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](3)</prop>
-                     <p>unauthorized use of the information system is prohibited and subject to
-                        criminal and civil penalties;</p>
-                  </part>
-                  <part id="ac-8.a.4_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](4)</prop>
-                     <p>use of the information system indicates consent to monitoring and
-                        recording;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-8.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-8(b)</prop>
-               <p>the information system retains the notification message or banner on the screen
-                  until users acknowledge the usage conditions and take explicit actions to log on
-                  to or further access the information system;</p>
-            </part>
-            <part id="ac-8.c_obj" name="objective">
-               <prop name="label">AC-8(c)</prop>
-               <p>for publicly accessible systems:</p>
-               <part id="ac-8.c.1_obj" name="objective">
-                  <prop name="label">AC-8(c)(1)</prop>
-                  <part id="ac-8.c.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-8(c)(1)[1]</prop>
-                     <p>the organization defines conditions for system use to be displayed by the
-                        information system before granting further access;</p>
-                  </part>
-                  <part id="ac-8.c.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-8(c)(1)[2]</prop>
-                     <p>the information system displays organization-defined conditions before
-                        granting further access;</p>
-                  </part>
-               </part>
-               <part id="ac-8.c.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-8(c)(2)</prop>
-                  <p>the information system displays references, if any, to monitoring, recording,
-                     or auditing that are consistent with privacy accommodations for such systems
-                     that generally prohibit those activities; and</p>
-               </part>
-               <part id="ac-8.c.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-8(c)(3)</prop>
-                  <p>the information system includes a description of the authorized uses of the
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>privacy and security policies, procedures addressing system use notification</p>
-               <p>documented approval of information system use notification messages or banners</p>
-               <p>information system audit records</p>
-               <p>user acknowledgements of notification message or banner</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system use notification messages</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for providing legal advice</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing system use notification</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-10">
-         <title>Concurrent Session Control</title>
-         <param id="ac-10_prm_1">
-            <label>organization-defined account and/or account type</label>
-         </param>
-         <param id="ac-10_prm_2">
-            <label>organization-defined number</label>
-            <constraint>three (3) sessions for privileged access and two (2) sessions for non-privileged access</constraint>
-         </param>
-         <prop name="label">AC-10</prop>
-         <prop name="sort-id">ac-10</prop>
-         <part id="ac-10_smt" name="statement">
-            <p>The information system limits the number of concurrent sessions for each <insert param-id="ac-10_prm_1"/> to <insert param-id="ac-10_prm_2"/>.</p>
-         </part>
-         <part id="ac-10_gdn" name="guidance">
-            <p>Organizations may define the maximum number of concurrent sessions for information
-               system accounts globally, by account type (e.g., privileged user, non-privileged
-               user, domain, specific application), by account, or a combination. For example,
-               organizations may limit the number of concurrent sessions for system administrators
-               or individuals working in particularly sensitive domains or mission-critical
-               applications. This control addresses concurrent sessions for information system
-               accounts and does not address concurrent sessions by single users via multiple system
-               accounts.</p>
-         </part>
-         <part id="ac-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-10[1]</prop>
-               <p>the organization defines account and/or account types for the information
-                  system;</p>
-            </part>
-            <part id="ac-10_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-10[2]</prop>
-               <p>the organization defines the number of concurrent sessions to be allowed for each
-                  organization-defined account and/or account type; and</p>
-            </part>
-            <part id="ac-10_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-10[3]</prop>
-               <p>the information system limits the number of concurrent sessions for each
-                  organization-defined account and/or account type to the organization-defined
-                  number of concurrent sessions allowed.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing concurrent session control</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for concurrent session
-                  control</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-11">
-         <title>Session Lock</title>
-         <param id="ac-11_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>fifteen (15) minutes</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-11</prop>
-         <prop name="sort-id">ac-11</prop>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <part id="ac-11_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prevents further access to the system by initiating a session lock after <insert param-id="ac-11_prm_1"/> of inactivity or upon receiving a request from a user;
-                  and</p>
-            </part>
-            <part id="ac-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains the session lock until the user reestablishes access using established
-                  identification and authentication procedures.</p>
-            </part>
-         </part>
-         <part id="ac-11_gdn" name="guidance">
-            <p>Session locks are temporary actions taken when users stop work and move away from the
-               immediate vicinity of information systems but do not want to log out because of the
-               temporary nature of their absences. Session locks are implemented where session
-               activities can be determined. This is typically at the operating system level, but
-               can also be at the application level. Session locks are not an acceptable substitute
-               for logging out of information systems, for example, if organizations require users
-               to log out at the end of workdays.</p>
-            <link rel="related" href="#ac-7">AC-7</link>
-         </part>
-         <part id="ac-11_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-11.a_obj" name="objective">
-               <prop name="label">AC-11(a)</prop>
-               <part id="ac-11.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-11(a)[1]</prop>
-                  <p>the organization defines the time period of user inactivity after which the
-                     information system initiates a session lock;</p>
-               </part>
-               <part id="ac-11.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-11(a)[2]</prop>
-                  <p>the information system prevents further access to the system by initiating a
-                     session lock after organization-defined time period of user inactivity or upon
-                     receiving a request from a user; and</p>
-               </part>
-            </part>
-            <part id="ac-11.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-11(b)</prop>
-               <p>the information system retains the session lock until the user reestablishes
-                  access using established identification and authentication procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing session lock</p>
-               <p>procedures addressing identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for session lock</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-11.1">
-            <title>Pattern-hiding Displays</title>
-            <prop name="label">AC-11(1)</prop>
-            <prop name="sort-id">ac-11.01</prop>
-            <part id="ac-11.1_smt" name="statement">
-               <p>The information system conceals, via the session lock, information previously
-                  visible on the display with a publicly viewable image.</p>
-            </part>
-            <part id="ac-11.1_gdn" name="guidance">
-               <p>Publicly viewable images can include static or dynamic images, for example,
-                  patterns used with screen savers, photographic images, solid colors, clock,
-                  battery life indicator, or a blank screen, with the additional caveat that none of
-                  the images convey sensitive information.</p>
-            </part>
-            <part id="ac-11.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system conceals, via the session lock, information
-                  previously visible on the display with a publicly viewable image.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing session lock</p>
-                  <p>display screen with session lock activated</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system session lock mechanisms</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-12">
-         <title>Session Termination</title>
-         <param id="ac-12_prm_1">
-            <label>organization-defined conditions or trigger events requiring session
-               disconnect</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-12</prop>
-         <prop name="sort-id">ac-12</prop>
-         <part id="ac-12_smt" name="statement">
-            <p>The information system automatically terminates a user session after <insert param-id="ac-12_prm_1"/>.</p>
-         </part>
-         <part id="ac-12_gdn" name="guidance">
-            <p>This control addresses the termination of user-initiated logical sessions in contrast
-               to SC-10 which addresses the termination of network connections that are associated
-               with communications sessions (i.e., network disconnect). A logical session (for
-               local, network, and remote access) is initiated whenever a user (or process acting on
-               behalf of a user) accesses an organizational information system. Such user sessions
-               can be terminated (and thus terminate user access) without terminating network
-               sessions. Session termination terminates all processes associated with a user’s
-               logical session except those processes that are specifically created by the user
-               (i.e., session owner) to continue after the session is terminated. Conditions or
-               trigger events requiring automatic session termination can include, for example,
-               organization-defined periods of user inactivity, targeted responses to certain types
-               of incidents, time-of-day restrictions on information system use.</p>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-23">SC-23</link>
-         </part>
-         <part id="ac-12_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-12_obj.1" name="objective">
-               <prop name="label">AC-12[1]</prop>
-               <p>the organization defines conditions or trigger events requiring session
-                  disconnect; and</p>
-            </part>
-            <part id="ac-12_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-12[2]</prop>
-               <p>the information system automatically terminates a user session after
-                  organization-defined conditions or trigger events requiring session disconnect
-                  occurs.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing session termination</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of conditions or trigger events requiring session disconnect</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing user session termination</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-12.1">
-            <title>User-initiated Logouts / Message Displays</title>
-            <param id="ac-12.1_prm_1">
-               <label>organization-defined information resources</label>
-            </param>
-            <prop name="label">AC-12(1)</prop>
-            <prop name="sort-id">ac-12.01</prop>
-            <part id="ac-12.1_smt" name="statement">
-               <p>The information system:</p>
-               <part id="ac-12.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Provides a logout capability for user-initiated communications sessions
-                     whenever authentication is used to gain access to <insert param-id="ac-12.1_prm_1"/>; and</p>
-               </part>
-               <part id="ac-12.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Displays an explicit logout message to users indicating the reliable
-                     termination of authenticated communications sessions.</p>
-               </part>
-               <part id="ac-12.1_fr" name="item">
-                  <title>AC-12 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-12.1_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-12.1_gdn" name="guidance">
-               <p>Information resources to which users gain access via authentication include, for
-                  example, local workstations, databases, and password-protected websites/web-based
-                  services. Logout messages for web page access, for example, can be displayed after
-                  authenticated sessions have been terminated. However, for some types of
-                  interactive sessions including, for example, file transfer protocol (FTP)
-                  sessions, information systems typically send logout messages as final messages
-                  prior to terminating sessions.</p>
-            </part>
-            <part id="ac-12.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-12.1.a_obj" name="objective">
-                  <prop name="label">AC-12(1)(a)</prop>
-                  <part id="ac-12.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-12(1)(a)[1]</prop>
-                     <p>the organization defines information resources for which user authentication
-                        is required to gain access to such resources;</p>
-                  </part>
-                  <part id="ac-12.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-12(1)(a)[2]</prop>
-                     <p>the information system provides a logout capability for user-initiated
-                        communications sessions whenever authentication is used to gain access to
-                        organization-defined information resources; and</p>
-                  </part>
-                  <link rel="corresp" href="#ac-12.1_smt.a">AC-12(1)(a)</link>
-               </part>
-               <part id="ac-12.1.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-12(1)(b)</prop>
-                  <p>the information system displays an explicit logout message to users indicating
-                     the reliable termination of authenticated communications sessions.</p>
-                  <link rel="corresp" href="#ac-12.1_smt.b">AC-12(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing session termination</p>
-                  <p>user logout messages</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system session lock mechanisms</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-14">
-         <title>Permitted Actions Without Identification or Authentication</title>
-         <param id="ac-14_prm_1">
-            <label>organization-defined user actions</label>
-         </param>
-         <prop name="label">AC-14</prop>
-         <prop name="sort-id">ac-14</prop>
-         <part id="ac-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies <insert param-id="ac-14_prm_1"/> that can be performed on the
-                  information system without identification or authentication consistent with
-                  organizational missions/business functions; and</p>
-            </part>
-            <part id="ac-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part id="ac-14_gdn" name="guidance">
-            <p>This control addresses situations in which organizations determine that no
-               identification or authentication is required in organizational information systems.
-               Organizations may allow a limited number of user actions without identification or
-               authentication including, for example, when individuals access public websites or
-               other publicly accessible federal information systems, when individuals use mobile
-               phones to receive calls, or when facsimiles are received. Organizations also identify
-               actions that normally require identification or authentication but may under certain
-               circumstances (e.g., emergencies), allow identification or authentication mechanisms
-               to be bypassed. Such bypasses may occur, for example, via a software-readable
-               physical switch that commands bypass of the logon functionality and is protected from
-               accidental or unmonitored use. This control does not apply to situations where
-               identification and authentication have already occurred and are not repeated, but
-               rather to situations where identification and authentication have not yet occurred.
-               Organizations may decide that there are no user actions that can be performed on
-               organizational information systems without identification and authentication and
-               thus, the values for assignment statements can be none.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-         </part>
-         <part id="ac-14_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-14.a_obj" name="objective">
-               <prop name="label">AC-14(a)</prop>
-               <part id="ac-14.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-14(a)[1]</prop>
-                  <p>defines user actions that can be performed on the information system without
-                     identification or authentication consistent with organizational
-                     missions/business functions;</p>
-               </part>
-               <part id="ac-14.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AC-14(a)[2]</prop>
-                  <p>identifies organization-defined user actions that can be performed on the
-                     information system without identification or authentication consistent with
-                     organizational missions/business functions; and</p>
-               </part>
-            </part>
-            <part id="ac-14.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-14(b)</prop>
-               <p>documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing permitted actions without identification or
-                  authentication</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>list of user actions that can be performed without identification or
-                  authentication</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-17">
-         <title>Remote Access</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-17</prop>
-         <prop name="sort-id">ac-17</prop>
-         <link href="#5309d4d0-46f8-4213-a749-e7584164e5e8" rel="reference">NIST Special Publication 800-46</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#349fe082-502d-464a-aa0c-1443c6a5cf40" rel="reference">NIST Special Publication 800-113</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#d1a4e2a9-e512-4132-8795-5357aba29254" rel="reference">NIST Special Publication 800-121</link>
-         <part id="ac-17_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents usage restrictions, configuration/connection
-                  requirements, and implementation guidance for each type of remote access allowed;
-                  and</p>
-            </part>
-            <part id="ac-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-17_gdn" name="guidance">
-            <p>Remote access is access to organizational information systems by users (or processes
-               acting on behalf of users) communicating through external networks (e.g., the
-               Internet). Remote access methods include, for example, dial-up, broadband, and
-               wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-               enhance confidentiality and integrity over remote connections. The use of encrypted
-               VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-               provisioned with appropriate security controls (e.g., employing appropriate
-               encryption techniques for confidentiality and integrity protection) may provide
-               sufficient assurance to the organization that it can effectively treat such
-               connections as internal networks. Still, VPN connections traverse external networks,
-               and the encrypted VPN does not enhance the availability of remote connections. Also,
-               VPNs with encrypted tunnels can affect the organizational capability to adequately
-               monitor network communications traffic for malicious code. Remote access controls
-               apply to information systems other than public web servers or systems designed for
-               public access. This control addresses authorization prior to allowing remote access
-               without specifying the formats for such authorization. While organizations may use
-               interconnection security agreements to authorize remote access connections, such
-               agreements are not required by this control. Enforcing access restrictions for remote
-               connections is addressed in AC-3.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#pe-17">PE-17</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-17_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-17.a_obj" name="objective">
-               <prop name="label">AC-17(a)</prop>
-               <part id="ac-17.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[1]</prop>
-                  <p>identifies the types of remote access allowed to the information system;</p>
-               </part>
-               <part id="ac-17.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[2]</prop>
-                  <p>establishes for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.2.a" name="objective">
-                     <prop name="label">AC-17(a)[2][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.b" name="objective">
-                     <prop name="label">AC-17(a)[2][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.c" name="objective">
-                     <prop name="label">AC-17(a)[2][c]</prop>
-                     <p>implementation guidance;</p>
-                  </part>
-               </part>
-               <part id="ac-17.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[3]</prop>
-                  <p>documents for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.3.a" name="objective">
-                     <prop name="label">AC-17(a)[3][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.b" name="objective">
-                     <prop name="label">AC-17(a)[3][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.c" name="objective">
-                     <prop name="label">AC-17(a)[3][c]</prop>
-                     <p>implementation guidance; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-17.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-17(b)</prop>
-               <p>authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing remote access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>remote access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing remote access
-                  connections</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Remote access management capability for the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-17.1">
-            <title>Automated Monitoring / Control</title>
-            <prop name="label">AC-17(1)</prop>
-            <prop name="sort-id">ac-17.01</prop>
-            <part id="ac-17.1_smt" name="statement">
-               <p>The information system monitors and controls remote access methods.</p>
-            </part>
-            <part id="ac-17.1_gdn" name="guidance">
-               <p>Automated monitoring and control of remote access sessions allows organizations to
-                  detect cyber attacks and also ensure ongoing compliance with remote access
-                  policies by auditing connection activities of remote users on a variety of
-                  information system components (e.g., servers, workstations, notebook computers,
-                  smart phones, and tablets).</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="ac-17.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system monitors and controls remote access methods.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>information system monitoring records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms monitoring and controlling remote access methods</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.2">
-            <title>Protection of Confidentiality / Integrity Using Encryption</title>
-            <prop name="label">AC-17(2)</prop>
-            <prop name="sort-id">ac-17.02</prop>
-            <part id="ac-17.2_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  confidentiality and integrity of remote access sessions.</p>
-            </part>
-            <part id="ac-17.2_gdn" name="guidance">
-               <p>The encryption strength of mechanism is selected based on the security
-                  categorization of the information.</p>
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ac-17.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements cryptographic mechanisms to protect
-                  the confidentiality and integrity of remote access sessions. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting confidentiality and integrity of remote
-                     access sessions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.3">
-            <title>Managed Access Control Points</title>
-            <param id="ac-17.3_prm_1">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">AC-17(3)</prop>
-            <prop name="sort-id">ac-17.03</prop>
-            <part id="ac-17.3_smt" name="statement">
-               <p>The information system routes all remote accesses through <insert param-id="ac-17.3_prm_1"/> managed network access control points.</p>
-            </part>
-            <part id="ac-17.3_gdn" name="guidance">
-               <p>Limiting the number of access control points for remote accesses reduces the
-                  attack surface for organizations. Organizations consider the Trusted Internet
-                  Connections (TIC) initiative requirements for external network connections.</p>
-               <link rel="related" href="#sc-7">SC-7</link>
-            </part>
-            <part id="ac-17.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-17.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(3)[1]</prop>
-                  <p>the organization defines the number of managed network access control points
-                     through which all remote accesses are to be routed; and</p>
-               </part>
-               <part id="ac-17.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-17(3)[2]</prop>
-                  <p>the information system routes all remote accesses through the
-                     organization-defined number of managed network access control points.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>list of all managed network access control points</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms routing all remote accesses through managed network access
-                     control points</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.4">
-            <title>Privileged Commands / Access</title>
-            <param id="ac-17.4_prm_1">
-               <label>organization-defined needs</label>
-            </param>
-            <prop name="label">AC-17(4)</prop>
-            <prop name="sort-id">ac-17.04</prop>
-            <part id="ac-17.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-17.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Authorizes the execution of privileged commands and access to security-relevant
-                     information via remote access only for <insert param-id="ac-17.4_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="ac-17.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Documents the rationale for such access in the security plan for the
-                     information system.</p>
-               </part>
-            </part>
-            <part id="ac-17.4_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ac-17.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-17.4.a_obj" name="objective">
-                  <prop name="label">AC-17(4)(a)</prop>
-                  <part id="ac-17.4.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-17(4)(a)[1]</prop>
-                     <p>defines needs to authorize the execution of privileged commands and access
-                        to security-relevant information via remote access;</p>
-                  </part>
-                  <part id="ac-17.4.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-17(4)(a)[2]</prop>
-                     <p>authorizes the execution of privileged commands and access to
-                        security-relevant information via remote access only for
-                        organization-defined needs; and</p>
-                  </part>
-                  <link rel="corresp" href="#ac-17.4_smt.a">AC-17(4)(a)</link>
-               </part>
-               <part id="ac-17.4.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(4)(b)</prop>
-                  <p>documents the rationale for such access in the information system security
-                     plan.</p>
-                  <link rel="corresp" href="#ac-17.4_smt.b">AC-17(4)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security plan</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing remote access management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.9">
-            <title>Disconnect / Disable Access</title>
-            <param id="ac-17.9_prm_1">
-               <label>organization-defined time period</label>
-               <constraint>fifteen (15) minutes</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-17(9)</prop>
-            <prop name="sort-id">ac-17.09</prop>
-            <part id="ac-17.9_smt" name="statement">
-               <p>The organization provides the capability to expeditiously disconnect or disable
-                  remote access to the information system within <insert param-id="ac-17.9_prm_1"/>.</p>
-            </part>
-            <part id="ac-17.9_gdn" name="guidance">
-               <p>This control enhancement requires organizations to have the capability to rapidly
-                  disconnect current users remotely accessing the information system and/or disable
-                  further remote access. The speed of disconnect or disablement varies based on the
-                  criticality of missions/business functions and the need to eliminate immediate or
-                  future remote access to organizational information systems.</p>
-            </part>
-            <part id="ac-17.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-17.9_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(9)[1]</prop>
-                  <p>defines the time period within which to expeditiously disconnect or disable
-                     remote access to the information system; and</p>
-               </part>
-               <part id="ac-17.9_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-17(9)[2]</prop>
-                  <p>provides the capability to expeditiously disconnect or disable remote access to
-                     the information system within the organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing disconnecting or disabling remote access to the
-                     information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security plan, information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to disconnect or disable remote
-                     access to information system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-18">
-         <title>Wireless Access</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-18</prop>
-         <prop name="sort-id">ac-18</prop>
-         <link href="#238ed479-eccb-49f6-82ec-ab74a7a428cf" rel="reference">NIST Special Publication 800-48</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#6f336ecd-f2a0-4c84-9699-0491d81b6e0d" rel="reference">NIST Special Publication 800-97</link>
-         <part id="ac-18_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-18_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration/connection requirements, and
-                  implementation guidance for wireless access; and</p>
-            </part>
-            <part id="ac-18_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-18_gdn" name="guidance">
-            <p>Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-               EAP/TLS, PEAP), which provide credential protection and mutual authentication.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-18_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-18.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-18(a)</prop>
-               <p>establishes for wireless access:</p>
-               <part id="ac-18.a_obj.1" name="objective">
-                  <prop name="label">AC-18(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-18.a_obj.2" name="objective">
-                  <prop name="label">AC-18(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-18.a_obj.3" name="objective">
-                  <prop name="label">AC-18(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-18.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-18(b)</prop>
-               <p>authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing wireless access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>wireless access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing wireless access
-                  connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Wireless access management capability for the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-18.1">
-            <title>Authentication and Encryption</title>
-            <param id="ac-18.1_prm_1"/>
-            <prop name="label">AC-18(1)</prop>
-            <prop name="sort-id">ac-18.01</prop>
-            <part id="ac-18.1_smt" name="statement">
-               <p>The information system protects wireless access to the system using authentication
-                  of <insert param-id="ac-18.1_prm_1"/> and encryption.</p>
-            </part>
-            <part id="ac-18.1_gdn" name="guidance">
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ac-18.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system protects wireless access to the system using
-                  encryption and one or more of the following:</p>
-               <part id="ac-18.1_obj.1" name="objective">
-                  <prop name="label">AC-18(1)[1]</prop>
-                  <p>authentication of users; and/or</p>
-               </part>
-               <part id="ac-18.1_obj.2" name="objective">
-                  <prop name="label">AC-18(1)[2]</prop>
-                  <p>authentication of devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing wireless access protections to the
-                     information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.3">
-            <title>Disable Wireless Networking</title>
-            <prop name="label">AC-18(3)</prop>
-            <prop name="sort-id">ac-18.03</prop>
-            <part id="ac-18.3_smt" name="statement">
-               <p>The organization disables, when not intended for use, wireless networking
-                  capabilities internally embedded within information system components prior to
-                  issuance and deployment.</p>
-            </part>
-            <part id="ac-18.3_gdn" name="guidance">
-               <link rel="related" href="#ac-19">AC-19</link>
-            </part>
-            <part id="ac-18.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization disables, when not intended for use, wireless
-                  networking capabilities internally embedded within information system components
-                  prior to issuance and deployment.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms managing the disabling of wireless networking capabilities
-                     internally embedded within information system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.4">
-            <title>Restrict Configurations by Users</title>
-            <prop name="label">AC-18(4)</prop>
-            <prop name="sort-id">ac-18.04</prop>
-            <part id="ac-18.4_smt" name="statement">
-               <p>The organization identifies and explicitly authorizes users allowed to
-                  independently configure wireless networking capabilities.</p>
-            </part>
-            <part id="ac-18.4_gdn" name="guidance">
-               <p>Organizational authorizations to allow selected users to configure wireless
-                  networking capability are enforced in part, by the access enforcement mechanisms
-                  employed within organizational information systems.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#sc-15">SC-15</link>
-            </part>
-            <part id="ac-18.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-18.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-18(4)[1]</prop>
-                  <p>identifies users allowed to independently configure wireless networking
-                     capabilities; and</p>
-               </part>
-               <part id="ac-18.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-18(4)[2]</prop>
-                  <p>explicitly authorizes the identified users allowed to independently configure
-                     wireless networking capabilities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms authorizing independent user configuration of wireless
-                     networking capabilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.5">
-            <title>Antennas / Transmission Power Levels</title>
-            <prop name="label">AC-18(5)</prop>
-            <prop name="sort-id">ac-18.05</prop>
-            <part id="ac-18.5_smt" name="statement">
-               <p>The organization selects radio antennas and calibrates transmission power levels
-                  to reduce the probability that usable signals can be received outside of
-                  organization-controlled boundaries.</p>
-            </part>
-            <part id="ac-18.5_gdn" name="guidance">
-               <p>Actions that may be taken by organizations to limit unauthorized use of wireless
-                  communications outside of organization-controlled boundaries include, for example:
-                  (i) reducing the power of wireless transmissions so that the transmissions are
-                  less likely to emit a signal that can be used by adversaries outside of the
-                  physical perimeters of organizations; (ii) employing measures such as TEMPEST to
-                  control wireless emanations; and (iii) using directional/beam forming antennas
-                  that reduce the likelihood that unintended receivers will be able to intercept
-                  signals. Prior to taking such actions, organizations can conduct periodic wireless
-                  surveys to understand the radio frequency profile of organizational information
-                  systems as well as other systems that may be operating in the area.</p>
-               <link rel="related" href="#pe-19">PE-19</link>
-            </part>
-            <part id="ac-18.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-18.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-18(5)[1]</prop>
-                  <p>selects radio antennas to reduce the probability that usable signals can be
-                     received outside of organization-controlled boundaries; and</p>
-               </part>
-               <part id="ac-18.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-18(5)[2]</prop>
-                  <p>calibrates transmission power levels to reduce the probability that usable
-                     signals can be received outside of organization-controlled boundaries.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Wireless access capability protecting usable signals from unauthorized access
-                     outside organization-controlled boundaries</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-19">
-         <title>Access Control for Mobile Devices</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-19</prop>
-         <prop name="sort-id">ac-19</prop>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589" rel="reference">NIST Special Publication 800-124</link>
-         <link href="#6513e480-fada-4876-abba-1397084dfb26" rel="reference">NIST Special Publication 800-164</link>
-         <part id="ac-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration requirements, connection
-                  requirements, and implementation guidance for organization-controlled mobile
-                  devices; and</p>
-            </part>
-            <part id="ac-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part id="ac-19_gdn" name="guidance">
-            <p>A mobile device is a computing device that: (i) has a small form factor such that it
-               can easily be carried by a single individual; (ii) is designed to operate without a
-               physical connection (e.g., wirelessly transmit or receive information); (iii)
-               possesses local, non-removable or removable data storage; and (iv) includes a
-               self-contained power source. Mobile devices may also include voice communication
-               capabilities, on-board sensors that allow the device to capture information, and/or
-               built-in features for synchronizing local data with remote locations. Examples
-               include smart phones, E-readers, and tablets. Mobile devices are typically associated
-               with a single individual and the device is usually in close proximity to the
-               individual; however, the degree of proximity can vary depending upon on the form
-               factor and size of the device. The processing, storage, and transmission capability
-               of the mobile device may be comparable to or merely a subset of desktop systems,
-               depending upon the nature and intended purpose of the device. Due to the large
-               variety of mobile devices with different technical characteristics and capabilities,
-               organizational restrictions may vary for the different classes/types of such devices.
-               Usage restrictions and specific implementation guidance for mobile devices include,
-               for example, configuration management, device identification and authentication,
-               implementation of mandatory protective software (e.g., malicious code detection,
-               firewall), scanning devices for malicious code, updating virus protection software,
-               scanning for critical software updates and patches, conducting primary operating
-               system (and possibly other resident software) integrity checks, and disabling
-               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-               need to provide adequate security for mobile devices goes beyond the requirements in
-               this control. Many safeguards and countermeasures for mobile devices are reflected in
-               other security controls in the catalog allocated in the initial control baselines as
-               starting points for the development of security plans and overlays using the
-               tailoring process. There may also be some degree of overlap in the requirements
-               articulated by the security controls within the different families of controls. AC-20
-               addresses mobile devices that are not organization-controlled.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-9">CA-9</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-19.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-19(a)</prop>
-               <p>establishes for organization-controlled mobile devices:</p>
-               <part id="ac-19.a_obj.1" name="objective">
-                  <prop name="label">AC-19(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-19.a_obj.2" name="objective">
-                  <prop name="label">AC-19(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-19.a_obj.3" name="objective">
-                  <prop name="label">AC-19(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-19.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-19(b)</prop>
-               <p>authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access control for mobile device usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>authorizations for mobile device connections to organizational information
-                  systems</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel using mobile devices to access organizational information
-                  systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Access control capability authorizing mobile device connections to organizational
-                  information systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-19.5">
-            <title>Full Device / Container-based Encryption</title>
-            <param id="ac-19.5_prm_1"/>
-            <param id="ac-19.5_prm_2">
-               <label>organization-defined mobile devices</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-19(5)</prop>
-            <prop name="sort-id">ac-19.05</prop>
-            <part id="ac-19.5_smt" name="statement">
-               <p>The organization employs <insert param-id="ac-19.5_prm_1"/> to protect the
-                  confidentiality and integrity of information on <insert param-id="ac-19.5_prm_2"/>.</p>
-            </part>
-            <part id="ac-19.5_gdn" name="guidance">
-               <p>Container-based encryption provides a more fine-grained approach to the encryption
-                  of data/information on mobile devices, including for example, encrypting selected
-                  data structures such as files, records, or fields.</p>
-               <link rel="related" href="#mp-5">MP-5</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-               <link rel="related" href="#sc-28">SC-28</link>
-            </part>
-            <part id="ac-19.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-19.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-19(5)[1]</prop>
-                  <p>defines mobile devices for which full-device encryption or container encryption
-                     is required to protect the confidentiality and integrity of information on such
-                     devices; and</p>
-               </part>
-               <part id="ac-19.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-19(5)[2]</prop>
-                  <p>employs full-device encryption or container encryption to protect the
-                     confidentiality and integrity of information on organization-defined mobile
-                     devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access control for mobile devices</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>encryption mechanism s and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access control responsibilities for mobile
-                     devices</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Encryption mechanisms protecting confidentiality and integrity of information
-                     on mobile devices</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-20">
-         <title>Use of External Information Systems</title>
-         <prop name="label">AC-20</prop>
-         <prop name="sort-id">ac-20</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="ac-20_smt" name="statement">
-            <p>The organization establishes terms and conditions, consistent with any trust
-               relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to:</p>
-            <part id="ac-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Access the information system from external information systems; and</p>
-            </part>
-            <part id="ac-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part id="ac-20_gdn" name="guidance">
-            <p>External information systems are information systems or components of information
-               systems that are outside of the authorization boundary established by organizations
-               and for which organizations typically have no direct supervision and authority over
-               the application of required security controls or the assessment of control
-               effectiveness. External information systems include, for example: (i) personally
-               owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-               personal digital assistants); (ii) privately owned computing and communications
-               devices resident in commercial or public facilities (e.g., hotels, train stations,
-               convention centers, shopping malls, or airports); (iii) information systems owned or
-               controlled by nonfederal governmental organizations; and (iv) federal information
-               systems that are not owned by, operated by, or under the direct supervision and
-               authority of organizations. This control also addresses the use of external
-               information systems for the processing, storage, or transmission of organizational
-               information, including, for example, accessing cloud services (e.g., infrastructure
-               as a service, platform as a service, or software as a service) from organizational
-               information systems. For some external information systems (i.e., information systems
-               operated by other federal agencies, including organizations subordinate to those
-               agencies), the trust relationships that have been established between those
-               organizations and the originating organization may be such, that no explicit terms
-               and conditions are required. Information systems within these organizations would not
-               be considered external. These situations occur when, for example, there are
-               pre-existing sharing/trust agreements (either implicit or explicit) established
-               between federal agencies or organizations subordinate to those agencies, or when such
-               trust agreements are specified by applicable laws, Executive Orders, directives, or
-               policies. Authorized individuals include, for example, organizational personnel,
-               contractors, or other individuals with authorized access to organizational
-               information systems and over which organizations have the authority to impose rules
-               of behavior with regard to system access. Restrictions that organizations impose on
-               authorized individuals need not be uniform, as those restrictions may vary depending
-               upon the trust relationships between organizations. Therefore, organizations may
-               choose to impose different security restrictions on contractors than on state, local,
-               or tribal governments. This control does not apply to the use of external information
-               systems to access public interfaces to organizational information systems (e.g.,
-               individuals accessing federal information through www.usa.gov). Organizations
-               establish terms and conditions for the use of external information systems in
-               accordance with organizational security policies and procedures. Terms and conditions
-               address as a minimum: types of applications that can be accessed on organizational
-               information systems from external information systems; and the highest security
-               category of information that can be processed, stored, or transmitted on external
-               information systems. If terms and conditions with the owners of external information
-               systems cannot be established, organizations may impose restrictions on
-               organizational personnel using those external systems.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ac-20_obj" name="objective">
-            <p>Determine if the organization establishes terms and conditions, consistent with any
-               trust relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to: </p>
-            <part id="ac-20.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-20(a)</prop>
-               <p>access the information system from the external information systems; and</p>
-            </part>
-            <part id="ac-20.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-20(b)</prop>
-               <p>process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing the use of external information systems</p>
-               <p>external information systems terms and conditions</p>
-               <p>list of types of applications accessible from external information systems</p>
-               <p>maximum security categorization for information processed, stored, or transmitted
-                  on external information systems</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining terms and conditions
-                  for use of external information systems to access organizational systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing terms and conditions on use of external
-                  information systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-20.1">
-            <title>Limits On Authorized Use</title>
-            <prop name="label">AC-20(1)</prop>
-            <prop name="sort-id">ac-20.01</prop>
-            <part id="ac-20.1_smt" name="statement">
-               <p>The organization permits authorized individuals to use an external information
-                  system to access the information system or to process, store, or transmit
-                  organization-controlled information only when the organization:</p>
-               <part id="ac-20.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Verifies the implementation of required security controls on the external
-                     system as specified in the organization’s information security policy and
-                     security plan; or</p>
-               </part>
-               <part id="ac-20.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Retains approved information system connection or processing agreements with
-                     the organizational entity hosting the external information system.</p>
-               </part>
-            </part>
-            <part id="ac-20.1_gdn" name="guidance">
-               <p>This control enhancement recognizes that there are circumstances where individuals
-                  using external information systems (e.g., contractors, coalition partners) need to
-                  access organizational information systems. In those situations, organizations need
-                  confidence that the external information systems contain the necessary security
-                  safeguards (i.e., security controls), so as not to compromise, damage, or
-                  otherwise harm organizational information systems. Verification that the required
-                  security controls have been implemented can be achieved, for example, by
-                  third-party, independent assessments, attestations, or other means, depending on
-                  the confidence level required by organizations.</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-            </part>
-            <part id="ac-20.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization permits authorized individuals to use an external
-                  information system to access the information system or to process, store, or
-                  transmit organization-controlled information only when the organization: </p>
-               <part id="ac-20.1.a_obj" name="objective">
-                  <prop name="label">AC-20(1)(a)</prop>
-                  <p>verifies the implementation of required security controls on the external
-                     system as specified in the organization’s information security policy and
-                     security plan; or</p>
-                  <link rel="corresp" href="#ac-20.1_smt.a">AC-20(1)(a)</link>
-               </part>
-               <part id="ac-20.1.b_obj" name="objective">
-                  <prop name="label">AC-20(1)(b)</prop>
-                  <p>retains approved information system connection or processing agreements with
-                     the organizational entity hosting the external information system.</p>
-                  <link rel="corresp" href="#ac-20.1_smt.b">AC-20(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the use of external information systems</p>
-                  <p>security plan</p>
-                  <p>information system connection or processing agreements</p>
-                  <p>account management documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing limits on use of external information
-                     systems</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.2">
-            <title>Portable Storage Devices</title>
-            <param id="ac-20.2_prm_1"/>
-            <prop name="label">AC-20(2)</prop>
-            <prop name="sort-id">ac-20.02</prop>
-            <part id="ac-20.2_smt" name="statement">
-               <p>The organization <insert param-id="ac-20.2_prm_1"/> the use of
-                  organization-controlled portable storage devices by authorized individuals on
-                  external information systems.</p>
-            </part>
-            <part id="ac-20.2_gdn" name="guidance">
-               <p>Limits on the use of organization-controlled portable storage devices in external
-                  information systems include, for example, complete prohibition of the use of such
-                  devices or restrictions on how the devices may be used and under what conditions
-                  the devices may be used.</p>
-            </part>
-            <part id="ac-20.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization restricts or prohibits the use of
-                  organization-controlled portable storage devices by authorized individuals on
-                  external information systems. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the use of external information systems</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system connection or processing agreements</p>
-                  <p>account management documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for restricting or prohibiting
-                     use of organization-controlled storage devices on external information
-                     systems</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing restrictions on use of portable storage
-                     devices</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-21">
-         <title>Information Sharing</title>
-         <param id="ac-21_prm_1">
-            <label>organization-defined information sharing circumstances where user discretion is
-               required</label>
-         </param>
-         <param id="ac-21_prm_2">
-            <label>organization-defined automated mechanisms or manual processes</label>
-         </param>
-         <prop name="label">AC-21</prop>
-         <prop name="sort-id">ac-21</prop>
-         <part id="ac-21_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-21_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Facilitates information sharing by enabling authorized users to determine whether
-                  access authorizations assigned to the sharing partner match the access
-                  restrictions on the information for <insert param-id="ac-21_prm_1"/>; and</p>
-            </part>
-            <part id="ac-21_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs <insert param-id="ac-21_prm_2"/> to assist users in making information
-                  sharing/collaboration decisions.</p>
-            </part>
-         </part>
-         <part id="ac-21_gdn" name="guidance">
-            <p>This control applies to information that may be restricted in some manner (e.g.,
-               privileged medical information, contract-sensitive information, proprietary
-               information, personally identifiable information, classified information related to
-               special access programs or compartments) based on some formal or administrative
-               determination. Depending on the particular information-sharing circumstances, sharing
-               partners may be defined at the individual, group, or organizational level.
-               Information may be defined by content, type, security category, or special access
-               program/compartment.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-         </part>
-         <part id="ac-21_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-21.a_obj" name="objective">
-               <prop name="label">AC-21(a)</prop>
-               <part id="ac-21.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-21(a)[1]</prop>
-                  <p>defines information sharing circumstances where user discretion is
-                     required;</p>
-               </part>
-               <part id="ac-21.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-21(a)[2]</prop>
-                  <p>facilitates information sharing by enabling authorized users to determine
-                     whether access authorizations assigned to the sharing partner match the access
-                     restrictions on the information for organization-defined information sharing
-                     circumstances;</p>
-               </part>
-            </part>
-            <part id="ac-21.b_obj" name="objective">
-               <prop name="label">AC-21(b)</prop>
-               <part id="ac-21.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-21(b)[1]</prop>
-                  <p>defines automated mechanisms or manual processes to be employed to assist users
-                     in making information sharing/collaboration decisions; and</p>
-               </part>
-               <part id="ac-21.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-21(b)[2]</prop>
-                  <p>employs organization-defined automated mechanisms or manual processes to assist
-                     users in making information sharing/collaboration decisions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing user-based collaboration and information sharing (including
-                  restrictions)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of users authorized to make information sharing/collaboration decisions</p>
-               <p>list of information sharing circumstances requiring user discretion</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel responsible for making information sharing/collaboration
-                  decisions</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms or manual process implementing access authorizations
-                  supporting information sharing/user collaboration decisions</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-22">
-         <title>Publicly Accessible Content</title>
-         <param id="ac-22_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least quarterly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-22</prop>
-         <prop name="sort-id">ac-22</prop>
-         <part id="ac-22_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-22_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included; and</p>
-            </part>
-            <part id="ac-22_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the content on the publicly accessible information system for nonpublic
-                  information <insert param-id="ac-22_prm_1"/> and removes such information, if
-                  discovered.</p>
-            </part>
-         </part>
-         <part id="ac-22_gdn" name="guidance">
-            <p>In accordance with federal laws, Executive Orders, directives, policies, regulations,
-               standards, and/or guidance, the general public is not authorized access to nonpublic
-               information (e.g., information protected under the Privacy Act and proprietary
-               information). This control addresses information systems that are controlled by the
-               organization and accessible to the general public, typically without identification
-               or authentication. The posting of information on non-organization information systems
-               is covered by organizational policy.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-13">AU-13</link>
-         </part>
-         <part id="ac-22_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-22.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-22(a)</prop>
-               <p>designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-22(b)</prop>
-               <p>trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-22(c)</prop>
-               <p>reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included;</p>
-            </part>
-            <part id="ac-22.d_obj" name="objective">
-               <prop name="label">AC-22(d)</prop>
-               <part id="ac-22.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-22(d)[1]</prop>
-                  <p>defines the frequency to review the content on the publicly accessible
-                     information system for nonpublic information;</p>
-               </part>
-               <part id="ac-22.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-22(d)[2]</prop>
-                  <p>reviews the content on the publicly accessible information system for nonpublic
-                     information with the organization-defined frequency; and</p>
-               </part>
-               <part id="ac-22.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-22(d)[3]</prop>
-                  <p>removes nonpublic information from the publicly accessible information system,
-                     if discovered.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing publicly accessible content</p>
-               <p>list of users authorized to post publicly accessible content on organizational
-                  information systems</p>
-               <p>training materials and/or records</p>
-               <p>records of publicly accessible information reviews</p>
-               <p>records of response to nonpublic information on public websites</p>
-               <p>system audit logs</p>
-               <p>security awareness training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing publicly accessible
-                  information posted on organizational information systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing management of publicly accessible content</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="at">
-      <title>Awareness and Training</title>
-      <control class="SP800-53" id="at-1">
-         <title>Security Awareness and Training Policy and Procedures</title>
-         <param id="at-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="at-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <param id="at-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-1</prop>
-         <prop name="sort-id">at-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="at-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="at-1_prm_1"/>:</p>
-               <part id="at-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security awareness and training policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="at-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security awareness and
-                     training policy and associated security awareness and training controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="at-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="at-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security awareness and training policy <insert param-id="at-1_prm_2"/>; and</p>
-               </part>
-               <part id="at-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security awareness and training procedures <insert param-id="at-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="at-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AT
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="at-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-1.a_obj" name="objective">
-               <prop name="label">AT-1(a)</prop>
-               <part id="at-1.a.1_obj" name="objective">
-                  <prop name="label">AT-1(a)(1)</prop>
-                  <part id="at-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(1)[1]</prop>
-                     <p>develops and documents an security awareness and training policy that
-                        addresses:</p>
-                     <part id="at-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="at-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security awareness and training
-                        policy are to be disseminated;</p>
-                  </part>
-                  <part id="at-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AT-1(a)(1)[3]</prop>
-                     <p>disseminates the security awareness and training policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="at-1.a.2_obj" name="objective">
-                  <prop name="label">AT-1(a)(2)</prop>
-                  <part id="at-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security awareness and training policy and associated awareness and training
-                        controls;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AT-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-1.b_obj" name="objective">
-               <prop name="label">AT-1(b)</prop>
-               <part id="at-1.b.1_obj" name="objective">
-                  <prop name="label">AT-1(b)(1)</prop>
-                  <part id="at-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training policy;</p>
-                  </part>
-                  <part id="at-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security awareness and training policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="at-1.b.2_obj" name="objective">
-                  <prop name="label">AT-1(b)(2)</prop>
-                  <part id="at-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training procedures; and</p>
-                  </part>
-                  <part id="at-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security awareness and training procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security awareness and training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-2">
-         <title>Security Awareness Training</title>
-         <param id="at-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-2</prop>
-         <prop name="sort-id">at-02</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-2_smt" name="statement">
-            <p>The organization provides basic security awareness training to information system
-               users (including managers, senior executives, and contractors):</p>
-            <part id="at-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>As part of initial training for new users;</p>
-            </part>
-            <part id="at-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-2_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-2_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security awareness training and
-               security awareness techniques based on the specific organizational requirements and
-               the information systems to which personnel have authorized access. The content
-               includes a basic understanding of the need for information security and user actions
-               to maintain security and to respond to suspected security incidents. The content also
-               addresses awareness of the need for operations security. Security awareness
-               techniques can include, for example, displaying posters, offering supplies inscribed
-               with security reminders, generating email advisories/notices from senior
-               organizational officials, displaying logon screen messages, and conducting
-               information security awareness events.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="at-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-2(a)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) as part of initial training for new
-                  users;</p>
-            </part>
-            <part id="at-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-2(b)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) when required by information system
-                  changes; and</p>
-            </part>
-            <part id="at-2.c_obj" name="objective">
-               <prop name="label">AT-2(c)</prop>
-               <part id="at-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher security awareness training
-                     thereafter to information system users (including managers, senior executives,
-                     and contractors); and</p>
-               </part>
-               <part id="at-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-2(c)[2]</prop>
-                  <p>provides refresher security awareness training to information users (including
-                     managers, senior executives, and contractors) with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security awareness training implementation</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>security awareness training curriculum</p>
-               <p>security awareness training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for security awareness training</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel comprising the general information system user
-                  community</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing security awareness training</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="at-2.2">
-            <title>Insider Threat</title>
-            <prop name="label">AT-2(2)</prop>
-            <prop name="sort-id">at-02.02</prop>
-            <part id="at-2.2_smt" name="statement">
-               <p>The organization includes security awareness training on recognizing and reporting
-                  potential indicators of insider threat.</p>
-            </part>
-            <part id="at-2.2_gdn" name="guidance">
-               <p>Potential indicators and possible precursors of insider threat can include
-                  behaviors such as inordinate, long-term job dissatisfaction, attempts to gain
-                  access to information not required for job performance, unexplained access to
-                  financial resources, bullying or sexual harassment of fellow employees, workplace
-                  violence, and other serious violations of organizational policies, procedures,
-                  directives, rules, or practices. Security awareness training includes how to
-                  communicate employee and management concerns regarding potential indicators of
-                  insider threat through appropriate organizational channels in accordance with
-                  established organizational policies and procedures.</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-               <link rel="related" href="#pm-12">PM-12</link>
-               <link rel="related" href="#ps-3">PS-3</link>
-               <link rel="related" href="#ps-6">PS-6</link>
-            </part>
-            <part id="at-2.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization includes security awareness training on recognizing
-                  and reporting potential indicators of insider threat. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security awareness training implementation</p>
-                  <p>security awareness training curriculum</p>
-                  <p>security awareness training materials</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel that participate in security awareness training</p>
-                  <p>organizational personnel with responsibilities for basic security awareness
-                     training</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="at-3">
-         <title>Role-based Security Training</title>
-         <param id="at-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-3</prop>
-         <prop name="sort-id">at-03</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-3_smt" name="statement">
-            <p>The organization provides role-based security training to personnel with assigned
-               security roles and responsibilities:</p>
-            <part id="at-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Before authorizing access to the information system or performing assigned
-                  duties;</p>
-            </part>
-            <part id="at-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-3_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-3_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security training based on the
-               assigned roles and responsibilities of individuals and the specific security
-               requirements of organizations and the information systems to which personnel have
-               authorized access. In addition, organizations provide enterprise architects,
-               information system developers, software developers, acquisition/procurement
-               officials, information system managers, system/network administrators, personnel
-               conducting configuration management and auditing activities, personnel performing
-               independent verification and validation activities, security control assessors, and
-               other personnel having access to system-level software, adequate security-related
-               technical training specifically tailored for their assigned duties. Comprehensive
-               role-based training addresses management, operational, and technical roles and
-               responsibilities covering physical, personnel, and technical safeguards and
-               countermeasures. Such training can include for example, policies, procedures, tools,
-               and artifacts for the organizational security roles defined. Organizations also
-               provide the training necessary for individuals to carry out their responsibilities
-               related to operations and supply chain security within the context of organizational
-               information security programs. Role-based security training also applies to
-               contractors providing services to federal agencies.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-16">SA-16</link>
-         </part>
-         <part id="at-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-3(a)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities before authorizing access to the information system or
-                  performing assigned duties;</p>
-            </part>
-            <part id="at-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-3(b)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities when required by information system changes; and</p>
-            </part>
-            <part id="at-3.c_obj" name="objective">
-               <prop name="label">AT-3(c)</prop>
-               <part id="at-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-3(c)[1]</prop>
-                  <p>defines the frequency to provide refresher role-based security training
-                     thereafter to personnel with assigned security roles and responsibilities;
-                     and</p>
-               </part>
-               <part id="at-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-3(c)[2]</prop>
-                  <p>provides refresher role-based security training to personnel with assigned
-                     security roles and responsibilities with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training implementation</p>
-               <p>codes of federal regulations</p>
-               <p>security training curriculum</p>
-               <p>security training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for role-based security
-                  training</p>
-               <p>organizational personnel with assigned information system security roles and
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing role-based security training</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="at-3.3">
-            <title>Practical Exercises</title>
-            <prop name="label">AT-3(3)</prop>
-            <prop name="sort-id">at-03.03</prop>
-            <part id="at-3.3_smt" name="statement">
-               <p>The organization includes practical exercises in security training that reinforce
-                  training objectives.</p>
-            </part>
-            <part id="at-3.3_gdn" name="guidance">
-               <p>Practical exercises may include, for example, security training for software
-                  developers that includes simulated cyber attacks exploiting common software
-                  vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted
-                  at senior leaders/executives. These types of practical exercises help developers
-                  better understand the effects of such vulnerabilities and appreciate the need for
-                  security coding standards and processes.</p>
-            </part>
-            <part id="at-3.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization includes practical exercises in security training
-                  that reinforce training objectives. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security awareness training implementation</p>
-                  <p>security awareness training curriculum</p>
-                  <p>security awareness training materials</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for role-based security
-                     training</p>
-                  <p>organizational personnel that participate in security awareness training</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-3.4">
-            <title>Suspicious Communications and Anomalous System Behavior</title>
-            <param id="at-3.4_prm_1">
-               <label>organization-defined indicators of malicious code</label>
-               <constraint>malicious code indicators as defined by organization incident policy/capability.</constraint>
-            </param>
-            <prop name="label">AT-3(4)</prop>
-            <prop name="sort-id">at-03.04</prop>
-            <part id="at-3.4_smt" name="statement">
-               <p>The organization provides training to its personnel on <insert param-id="at-3.4_prm_1"/> to recognize suspicious communications and anomalous
-                  behavior in organizational information systems.</p>
-            </part>
-            <part id="at-3.4_gdn" name="guidance">
-               <p>A well-trained workforce provides another organizational safeguard that can be
-                  employed as part of a defense-in-depth strategy to protect organizations against
-                  malicious code coming in to organizations via email or the web applications.
-                  Personnel are trained to look for indications of potentially suspicious email
-                  (e.g., receiving an unexpected email, receiving an email containing strange or
-                  poor grammar, or receiving an email from an unfamiliar sender but who appears to
-                  be from a known sponsor or contractor). Personnel are also trained on how to
-                  respond to such suspicious email or web communications (e.g., not opening
-                  attachments, not clicking on embedded web links, and checking the source of email
-                  addresses). For this process to work effectively, all organizational personnel are
-                  trained and made aware of what constitutes suspicious communications. Training
-                  personnel on how to recognize anomalous behaviors in organizational information
-                  systems can potentially provide early warning for the presence of malicious code.
-                  Recognition of such anomalous behavior by organizational personnel can supplement
-                  automated malicious code detection and protection tools and systems employed by
-                  organizations.</p>
-            </part>
-            <part id="at-3.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="at-3.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-3(4)[1]</prop>
-                  <p>defines indicators of malicious code; and</p>
-               </part>
-               <part id="at-3.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AT-3(4)[2]</prop>
-                  <p>provides training to its personnel on organization-defined indicators of
-                     malicious code to recognize suspicious communications and anomalous behavior in
-                     organizational information systems.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security training implementation</p>
-                  <p>security training curriculum</p>
-                  <p>security training materials</p>
-                  <p>security plan</p>
-                  <p>training records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for role-based security
-                     training</p>
-                  <p>organizational personnel that participate in security awareness training</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="at-4">
-         <title>Security Training Records</title>
-         <param id="at-4_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>five (5) years or 5 years after completion of a specific training program</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-4</prop>
-         <prop name="sort-id">at-04</prop>
-         <part id="at-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Documents and monitors individual information system security training activities
-                  including basic security awareness training and specific information system
-                  security training; and</p>
-            </part>
-            <part id="at-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains individual training records for <insert param-id="at-4_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="at-4_gdn" name="guidance">
-            <p>Documentation for specialized training may be maintained by individual supervisors at
-               the option of the organization.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-14">PM-14</link>
-         </part>
-         <part id="at-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-4.a_obj" name="objective">
-               <prop name="label">AT-4(a)</prop>
-               <part id="at-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-4(a)[1]</prop>
-                  <p>documents individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.1.a" name="objective">
-                     <prop name="label">AT-4(a)[1][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.1.b" name="objective">
-                     <prop name="label">AT-4(a)[1][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-               <part id="at-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-4(a)[2]</prop>
-                  <p>monitors individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.2.a" name="objective">
-                     <prop name="label">AT-4(a)[2][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.2.b" name="objective">
-                     <prop name="label">AT-4(a)[2][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-4.b_obj" name="objective">
-               <prop name="label">AT-4(b)</prop>
-               <part id="at-4.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-4(b)[1]</prop>
-                  <p>defines a time period to retain individual training records; and</p>
-               </part>
-               <part id="at-4.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-4(b)[2]</prop>
-                  <p>retains individual training records for the organization-defined time
-                     period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training records</p>
-               <p>security awareness and training records</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security training record retention
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting management of security training records</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="au">
-      <title>Audit and Accountability</title>
-      <control class="SP800-53" id="au-1">
-         <title>Audit and Accountability Policy and Procedures</title>
-         <param id="au-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="au-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-1</prop>
-         <prop name="sort-id">au-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="au-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="au-1_prm_1"/>:</p>
-               <part id="au-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An audit and accountability policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="au-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the audit and accountability
-                     policy and associated audit and accountability controls; and</p>
-               </part>
-            </part>
-            <part id="au-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="au-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Audit and accountability policy <insert param-id="au-1_prm_2"/>; and</p>
-               </part>
-               <part id="au-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Audit and accountability procedures <insert param-id="au-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AU
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="au-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-1.a_obj" name="objective">
-               <prop name="label">AU-1(a)</prop>
-               <part id="au-1.a.1_obj" name="objective">
-                  <prop name="label">AU-1(a)(1)</prop>
-                  <part id="au-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(1)[1]</prop>
-                     <p>develops and documents an audit and accountability policy that
-                        addresses:</p>
-                     <part id="au-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="au-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the audit and accountability policy are
-                        to be disseminated;</p>
-                  </part>
-                  <part id="au-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AU-1(a)(1)[3]</prop>
-                     <p>disseminates the audit and accountability policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="au-1.a.2_obj" name="objective">
-                  <prop name="label">AU-1(a)(2)</prop>
-                  <part id="au-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        audit and accountability policy and associated audit and accountability
-                        controls;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AU-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-1.b_obj" name="objective">
-               <prop name="label">AU-1(b)</prop>
-               <part id="au-1.b.1_obj" name="objective">
-                  <prop name="label">AU-1(b)(1)</prop>
-                  <part id="au-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability policy;</p>
-                  </part>
-                  <part id="au-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current audit and accountability policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="au-1.b.2_obj" name="objective">
-                  <prop name="label">AU-1(b)(2)</prop>
-                  <part id="au-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability procedures; and</p>
-                  </part>
-                  <part id="au-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current audit and accountability procedures in
-                        accordance with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-2">
-         <title>Audit Events</title>
-         <param id="au-2_prm_1">
-            <label>organization-defined auditable events</label>
-            <constraint>successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-         </param>
-         <param id="au-2_prm_2">
-            <label>organization-defined audited events (the subset of the auditable events defined
-               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-               identified event</label>
-            <constraint>organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-2</prop>
-         <prop name="sort-id">au-02</prop>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="au-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines that the information system is capable of auditing the following
-                  events: <insert param-id="au-2_prm_1"/>;</p>
-            </part>
-            <part id="au-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents; and</p>
-            </part>
-            <part id="au-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Determines that the following events are to be audited within the information
-                  system: <insert param-id="au-2_prm_2"/>.</p>
-            </part>
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-2_gdn" name="guidance">
-            <p>An event is any observable occurrence in an organizational information system.
-               Organizations identify audit events as those events which are significant and
-               relevant to the security of information systems and the environments in which those
-               systems operate in order to meet specific and ongoing audit needs. Audit events can
-               include, for example, password changes, failed logons, or failed accesses related to
-               information systems, administrative privilege usage, PIV credential usage, or
-               third-party credential usage. In determining the set of auditable events,
-               organizations consider the auditing appropriate for each of the security controls to
-               be implemented. To balance auditing requirements with other information system needs,
-               this control also requires identifying that subset of auditable events that are
-               audited at a given point in time. For example, organizations may determine that
-               information systems must have the capability to log every file access both successful
-               and unsuccessful, but not activate that capability except for specific circumstances
-               due to the potential burden on system performance. Auditing requirements, including
-               the need for auditable events, may be referenced in other security controls and
-               control enhancements. Organizations also include auditable events that are required
-               by applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards. Audit records can be generated at various levels of abstraction, including
-               at the packet level as information traverses the network. Selecting the appropriate
-               level of abstraction is a critical aspect of an audit capability and can facilitate
-               the identification of root causes to problems. Organizations consider in the
-               definition of auditable events, the auditing necessary to cover related events such
-               as the steps in distributed, transaction-based processes (e.g., processes that are
-               distributed across multiple organizations) and actions that occur in service-oriented
-               architectures.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-2.a_obj" name="objective">
-               <prop name="label">AU-2(a)</prop>
-               <part id="au-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-2(a)[1]</prop>
-                  <p>defines the auditable events that the information system must be capable of
-                     auditing;</p>
-               </part>
-               <part id="au-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-2(a)[2]</prop>
-                  <p>determines that the information system is capable of auditing
-                     organization-defined auditable events;</p>
-               </part>
-            </part>
-            <part id="au-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AU-2(b)</prop>
-               <p>coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AU-2(c)</prop>
-               <p>provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents;</p>
-            </part>
-            <part id="au-2.d_obj" name="objective">
-               <prop name="label">AU-2(d)</prop>
-               <part id="au-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-2(d)[1]</prop>
-                  <p>defines the subset of auditable events defined in AU-2a that are to be audited
-                     within the information system;</p>
-               </part>
-               <part id="au-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-2(d)[2]</prop>
-                  <p>determines that the subset of auditable events defined in AU-2a are to be
-                     audited within the information system; and</p>
-               </part>
-               <part id="au-2.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-2(d)[3]</prop>
-                  <p>determines the frequency of (or situation requiring) auditing for each
-                     identified event.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing auditable events</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>information system auditable events</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-2.3">
-            <title>Reviews and Updates</title>
-            <param id="au-2.3_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>annually or whenever there is a change in the threat environment</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AU-2(3)</prop>
-            <prop name="sort-id">au-02.03</prop>
-            <part id="au-2.3_smt" name="statement">
-               <p>The organization reviews and updates the audited events <insert param-id="au-2.3_prm_1"/>.</p>
-               <part id="au-2.3_fr" name="item">
-                  <title>AU-2 (3) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="au-2.3_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-2.3_gdn" name="guidance">
-               <p>Over time, the events that organizations believe should be audited may change.
-                  Reviewing and updating the set of audited events periodically is necessary to
-                  ensure that the current set is still necessary and sufficient.</p>
-            </part>
-            <part id="au-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="au-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-2(3)[1]</prop>
-                  <p>defines the frequency to review and update the audited events; and</p>
-               </part>
-               <part id="au-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-2(3)[2]</prop>
-                  <p>reviews and updates the auditable events with organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing auditable events</p>
-                  <p>security plan</p>
-                  <p>list of organization-defined auditable events</p>
-                  <p>auditable events review and update records</p>
-                  <p>information system audit records</p>
-                  <p>information system incident reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting review and update of auditable events</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-3">
-         <title>Content of Audit Records</title>
-         <prop name="label">AU-3</prop>
-         <prop name="sort-id">au-03</prop>
-         <part id="au-3_smt" name="statement">
-            <p>The information system generates audit records containing information that
-               establishes what type of event occurred, when the event occurred, where the event
-               occurred, the source of the event, the outcome of the event, and the identity of any
-               individuals or subjects associated with the event.</p>
-         </part>
-         <part id="au-3_gdn" name="guidance">
-            <p>Audit record content that may be necessary to satisfy the requirement of this
-               control, includes, for example, time stamps, source and destination addresses,
-               user/process identifiers, event descriptions, success/fail indications, filenames
-               involved, and access control or flow control rules invoked. Event outcomes can
-               include indicators of event success or failure and event-specific results (e.g., the
-               security state of the information system after the event occurred).</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-8">AU-8</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="au-3_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system generates audit records containing information
-               that establishes: </p>
-            <part id="au-3_obj.1" name="objective">
-               <prop name="label">AU-3[1]</prop>
-               <p>what type of event occurred;</p>
-            </part>
-            <part id="au-3_obj.2" name="objective">
-               <prop name="label">AU-3[2]</prop>
-               <p>when the event occurred;</p>
-            </part>
-            <part id="au-3_obj.3" name="objective">
-               <prop name="label">AU-3[3]</prop>
-               <p>where the event occurred;</p>
-            </part>
-            <part id="au-3_obj.4" name="objective">
-               <prop name="label">AU-3[4]</prop>
-               <p>the source of the event;</p>
-            </part>
-            <part id="au-3_obj.5" name="objective">
-               <prop name="label">AU-3[5]</prop>
-               <p>the outcome of the event; and</p>
-            </part>
-            <part id="au-3_obj.6" name="objective">
-               <prop name="label">AU-3[6]</prop>
-               <p>the identity of any individuals or subjects associated with the event.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing content of audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of organization-defined auditable events</p>
-               <p>information system audit records</p>
-               <p>information system incident reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing of auditable
-                  events</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-3.1">
-            <title>Additional Audit Information</title>
-            <param id="au-3.1_prm_1">
-               <label>organization-defined additional, more detailed information</label>
-               <constraint>session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands</constraint>
-            </param>
-            <prop name="label">AU-3(1)</prop>
-            <prop name="sort-id">au-03.01</prop>
-            <part id="au-3.1_smt" name="statement">
-               <p>The information system generates audit records containing the following additional
-                  information: <insert param-id="au-3.1_prm_1"/>.</p>
-               <part id="au-3.1_fr" name="item">
-                  <title>AU-3 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="au-3.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider defines audit record types <em>[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]</em>.  The audit record types are approved and accepted by the JAB/AO.</p>
-                  </part>
-                  <part id="au-3.1_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-3.1_gdn" name="guidance">
-               <p>Detailed information that organizations may consider in audit records includes,
-                  for example, full text recording of privileged commands or the individual
-                  identities of group account users. Organizations consider limiting the additional
-                  audit information to only that information explicitly needed for specific audit
-                  requirements. This facilitates the use of audit trails and audit logs by not
-                  including information that could potentially be misleading or could make it more
-                  difficult to locate information of interest.</p>
-            </part>
-            <part id="au-3.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-3.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-3(1)[1]</prop>
-                  <p>the organization defines additional, more detailed information to be contained
-                     in audit records that the information system generates; and</p>
-               </part>
-               <part id="au-3.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-3(1)[2]</prop>
-                  <p>the information system generates audit records containing the
-                     organization-defined additional, more detailed information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing content of audit records</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of organization-defined auditable events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system audit capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-3.2">
-            <title>Centralized Management of Planned Audit Record Content</title>
-            <param id="au-3.2_prm_1">
-               <label>organization-defined information system components</label>
-               <constraint>all network, data storage, and computing devices</constraint>
-            </param>
-            <prop name="label">AU-3(2)</prop>
-            <prop name="sort-id">au-03.02</prop>
-            <part id="au-3.2_smt" name="statement">
-               <p>The information system provides centralized management and configuration of the
-                  content to be captured in audit records generated by <insert param-id="au-3.2_prm_1"/>.</p>
-            </part>
-            <part id="au-3.2_gdn" name="guidance">
-               <p>This control enhancement requires that the content to be captured in audit records
-                  be configured from a central location (necessitating automation). Organizations
-                  coordinate the selection of required audit content to support the centralized
-                  management and configuration capability provided by the information system.</p>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#au-7">AU-7</link>
-            </part>
-            <part id="au-3.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-3.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-3(2)[1]</prop>
-                  <p>the organization defines information system components that generate audit
-                     records whose content is to be centrally managed and configured by the
-                     information system; and</p>
-               </part>
-               <part id="au-3.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-3(2)[2]</prop>
-                  <p>the information system provides centralized management and configuration of the
-                     content to be captured in audit records generated by the organization-defined
-                     information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing content of audit records</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of organization-defined auditable events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system capability implementing centralized management and
-                     configuration of audit record content</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-4">
-         <title>Audit Storage Capacity</title>
-         <param id="au-4_prm_1">
-            <label>organization-defined audit record storage requirements</label>
-         </param>
-         <prop name="label">AU-4</prop>
-         <prop name="sort-id">au-04</prop>
-         <part id="au-4_smt" name="statement">
-            <p>The organization allocates audit record storage capacity in accordance with <insert param-id="au-4_prm_1"/>.</p>
-         </part>
-         <part id="au-4_gdn" name="guidance">
-            <p>Organizations consider the types of auditing to be performed and the audit processing
-               requirements when allocating audit storage capacity. Allocating sufficient audit
-               storage capacity reduces the likelihood of such capacity being exceeded and resulting
-               in the potential loss or reduction of auditing capability.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-4_obj.1" name="objective">
-               <prop name="label">AU-4[1]</prop>
-               <p>defines audit record storage requirements; and</p>
-            </part>
-            <part id="au-4_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-4[2]</prop>
-               <p>allocates audit record storage capacity in accordance with the
-                  organization-defined audit record storage requirements.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit storage capacity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit record storage requirements</p>
-               <p>audit record storage capability for information system components</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Audit record storage capacity and related configuration settings</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-5">
-         <title>Response to Audit Processing Failures</title>
-         <param id="au-5_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-5_prm_2">
-            <label>organization-defined actions to be taken (e.g., shut down information system,
-               overwrite oldest audit records, stop generating audit records)</label>
-            <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-         </param>
-         <prop name="label">AU-5</prop>
-         <prop name="sort-id">au-05</prop>
-         <part id="au-5_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Alerts <insert param-id="au-5_prm_1"/> in the event of an audit processing
-                  failure; and</p>
-            </part>
-            <part id="au-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Takes the following additional actions: <insert param-id="au-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="au-5_gdn" name="guidance">
-            <p>Audit processing failures include, for example, software/hardware errors, failures in
-               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-               Organizations may choose to define additional actions for different audit processing
-               failures (e.g., by type, by location, by severity, or a combination of such factors).
-               This control applies to each audit data storage repository (i.e., distinct
-               information system component where audit records are stored), the total audit storage
-               capacity of organizations (i.e., all audit data storage repositories combined), or
-               both.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#si-12">SI-12</link>
-         </part>
-         <part id="au-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-5.a_obj" name="objective">
-               <prop name="label">AU-5(a)</prop>
-               <part id="au-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(a)[1]</prop>
-                  <p>the organization defines the personnel or roles to be alerted in the event of
-                     an audit processing failure;</p>
-               </part>
-               <part id="au-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-5(a)[2]</prop>
-                  <p>the information system alerts the organization-defined personnel or roles in
-                     the event of an audit processing failure;</p>
-               </part>
-            </part>
-            <part id="au-5.b_obj" name="objective">
-               <prop name="label">AU-5(b)</prop>
-               <part id="au-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(b)[1]</prop>
-                  <p>the organization defines additional actions to be taken (e.g., shutdown
-                     information system, overwrite oldest audit records, stop generating audit
-                     records) in the event of an audit processing failure; and</p>
-               </part>
-               <part id="au-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-5(b)[2]</prop>
-                  <p>the information system takes the additional organization-defined actions in the
-                     event of an audit processing failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing response to audit processing failures</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of personnel to be notified in case of an audit processing failure</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system response to audit processing
-                  failures</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-5.1">
-            <title>Audit Storage Capacity</title>
-            <param id="au-5.1_prm_1">
-               <label>organization-defined personnel, roles, and/or locations</label>
-            </param>
-            <param id="au-5.1_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <param id="au-5.1_prm_3">
-               <label>organization-defined percentage</label>
-            </param>
-            <prop name="label">AU-5(1)</prop>
-            <prop name="sort-id">au-05.01</prop>
-            <part id="au-5.1_smt" name="statement">
-               <p>The information system provides a warning to <insert param-id="au-5.1_prm_1"/>
-                  within <insert param-id="au-5.1_prm_2"/> when allocated audit record storage
-                  volume reaches <insert param-id="au-5.1_prm_3"/> of repository maximum audit
-                  record storage capacity.</p>
-            </part>
-            <part id="au-5.1_gdn" name="guidance">
-               <p>Organizations may have multiple audit data storage repositories distributed across
-                  multiple information system components, with each repository having different
-                  storage volume capacities.</p>
-            </part>
-            <part id="au-5.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-5.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(1)[1]</prop>
-                  <p>the organization defines:</p>
-                  <part id="au-5.1_obj.1.a" name="objective">
-                     <prop name="label">AU-5(1)[1][a]</prop>
-                     <p>personnel to be warned when allocated audit record storage volume reaches
-                        organization-defined percentage of repository maximum audit record storage
-                        capacity;</p>
-                  </part>
-                  <part id="au-5.1_obj.1.b" name="objective">
-                     <prop name="label">AU-5(1)[1][b]</prop>
-                     <p>roles to be warned when allocated audit record storage volume reaches
-                        organization-defined percentage of repository maximum audit record storage
-                        capacity; and/or</p>
-                  </part>
-                  <part id="au-5.1_obj.1.c" name="objective">
-                     <prop name="label">AU-5(1)[1][c]</prop>
-                     <p>locations to be warned when allocated audit record storage volume reaches
-                        organization-defined percentage of repository maximum audit record storage
-                        capacity;</p>
-                  </part>
-               </part>
-               <part id="au-5.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(1)[2]</prop>
-                  <p>the organization defines the time period within which the information system is
-                     to provide a warning to the organization-defined personnel, roles, and/or
-                     locations when allocated audit record storage volume reaches the
-                     organization-defined percentage of repository maximum audit record storage
-                     capacity;</p>
-               </part>
-               <part id="au-5.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(1)[3]</prop>
-                  <p>the organization defines the percentage of repository maximum audit record
-                     storage capacity that, if reached, requires a warning to be provided; and</p>
-               </part>
-               <part id="au-5.1_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-5(1)[4]</prop>
-                  <p>the information system provides a warning to the organization-defined
-                     personnel, roles, and/or locations within the organization-defined time period
-                     when allocated audit record storage volume reaches the organization-defined
-                     percentage of repository maximum audit record storage capacity.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing response to audit processing failures</p>
-                  <p>information system design documentation</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing audit storage limit warnings</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-5.2">
-            <title>Real-time Alerts</title>
-            <param id="au-5.2_prm_1">
-               <label>organization-defined real-time period</label>
-               <constraint>real-time</constraint>
-            </param>
-            <param id="au-5.2_prm_2">
-               <label>organization-defined personnel, roles, and/or locations</label>
-               <constraint>service provider personnel with authority to address failed audit events</constraint>
-            </param>
-            <param id="au-5.2_prm_3">
-               <label>organization-defined audit failure events requiring real-time alerts</label>
-               <constraint>audit failure events requiring real-time alerts, as defined by organization audit policy</constraint>
-            </param>
-            <prop name="label">AU-5(2)</prop>
-            <prop name="sort-id">au-05.02</prop>
-            <part id="au-5.2_smt" name="statement">
-               <p>The information system provides an alert in <insert param-id="au-5.2_prm_1"/> to
-                     <insert param-id="au-5.2_prm_2"/> when the following audit failure events
-                  occur: <insert param-id="au-5.2_prm_3"/>.</p>
-            </part>
-            <part id="au-5.2_gdn" name="guidance">
-               <p>Alerts provide organizations with urgent messages. Real-time alerts provide these
-                  messages at information technology speed (i.e., the time from event detection to
-                  alert occurs in seconds or less).</p>
-            </part>
-            <part id="au-5.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-5.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(2)[1]</prop>
-                  <p>the organization defines audit failure events requiring real-time alerts;</p>
-               </part>
-               <part id="au-5.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(2)[2]</prop>
-                  <p>the organization defines:</p>
-                  <part id="au-5.2_obj.2.a" name="objective">
-                     <prop name="label">AU-5(2)[2][a]</prop>
-                     <p>personnel to be alerted when organization-defined audit failure events
-                        requiring real-time alerts occur;</p>
-                  </part>
-                  <part id="au-5.2_obj.2.b" name="objective">
-                     <prop name="label">AU-5(2)[2][b]</prop>
-                     <p>roles to be alerted when organization-defined audit failure events requiring
-                        real-time alerts occur; and/or</p>
-                  </part>
-                  <part id="au-5.2_obj.2.c" name="objective">
-                     <prop name="label">AU-5(2)[2][c]</prop>
-                     <p>locations to be alerted when organization-defined audit failure events
-                        requiring real-time alerts occur;</p>
-                  </part>
-               </part>
-               <part id="au-5.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(2)[3]</prop>
-                  <p>the organization defines the real-time period within which the information
-                     system is to provide an alert to the organization-defined personnel, roles,
-                     and/or locations when the organization-defined audit failure events requiring
-                     real-time alerts occur; and</p>
-               </part>
-               <part id="au-5.2_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-5(2)[4]</prop>
-                  <p>the information system provides an alert within the organization-defined
-                     real-time period to the organization-defined personnel, roles, and/or locations
-                     when organization-defined audit failure events requiring real-time alerts
-                     occur.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing response to audit processing failures</p>
-                  <p>information system design documentation</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of notifications or real-time alerts when audit processing failures
-                     occur</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing real-time audit alerts when
-                     organization-defined audit failure events occur</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-6">
-         <title>Audit Review, Analysis, and Reporting</title>
-         <param id="au-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least weekly</constraint>
-         </param>
-         <param id="au-6_prm_2">
-            <label>organization-defined inappropriate or unusual activity</label>
-         </param>
-         <param id="au-6_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-6</prop>
-         <prop name="sort-id">au-06</prop>
-         <part id="au-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and analyzes information system audit records <insert param-id="au-6_prm_1"/> for indications of <insert param-id="au-6_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="au-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports findings to <insert param-id="au-6_prm_3"/>.</p>
-            </part>
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-6_gdn" name="guidance">
-            <p>Audit review, analysis, and reporting covers information security-related auditing
-               performed by organizations including, for example, auditing that results from
-               monitoring of account usage, remote access, wireless connectivity, mobile device
-               connection, configuration settings, system component inventory, use of maintenance
-               tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-               delivery and removal, communications at the information system boundaries, use of
-               mobile code, and use of VoIP. Findings can be reported to organizational entities
-               that include, for example, incident response team, help desk, information security
-               group/department. If organizations are prohibited from reviewing and analyzing audit
-               information or unable to conduct such activities (e.g., in certain national security
-               applications or systems), the review/analysis may be carried out by other
-               organizations granted such authority.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-10">CM-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#pe-14">PE-14</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-18">SC-18</link>
-            <link rel="related" href="#sc-19">SC-19</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="au-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-6.a_obj" name="objective">
-               <prop name="label">AU-6(a)</prop>
-               <part id="au-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(a)[1]</prop>
-                  <p>defines the types of inappropriate or unusual activity to look for when
-                     information system audit records are reviewed and analyzed;</p>
-               </part>
-               <part id="au-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(a)[2]</prop>
-                  <p>defines the frequency to review and analyze information system audit records
-                     for indications of organization-defined inappropriate or unusual activity;</p>
-               </part>
-               <part id="au-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-6(a)[3]</prop>
-                  <p>reviews and analyzes information system audit records for indications of
-                     organization-defined inappropriate or unusual activity with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="au-6.b_obj" name="objective">
-               <prop name="label">AU-6(b)</prop>
-               <part id="au-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(b)[1]</prop>
-                  <p>defines personnel or roles to whom findings resulting from reviews and analysis
-                     of information system audit records are to be reported; and</p>
-               </part>
-               <part id="au-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-6(b)[2]</prop>
-                  <p>reports findings to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit review, analysis, and reporting</p>
-               <p>reports of audit findings</p>
-               <p>records of actions taken in response to reviews/analyses of audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit review, analysis, and reporting
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-6.1">
-            <title>Process Integration</title>
-            <prop name="label">AU-6(1)</prop>
-            <prop name="sort-id">au-06.01</prop>
-            <part id="au-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to integrate audit review, analysis,
-                  and reporting processes to support organizational processes for investigation and
-                  response to suspicious activities.</p>
-            </part>
-            <part id="au-6.1_gdn" name="guidance">
-               <p>Organizational processes benefiting from integrated audit review, analysis, and
-                  reporting include, for example, incident response, continuous monitoring,
-                  contingency planning, and Inspector General audits.</p>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#pm-7">PM-7</link>
-            </part>
-            <part id="au-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="au-6.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-6(1)[1]</prop>
-                  <p>employs automated mechanisms to integrate:</p>
-                  <part id="au-6.1_obj.1.a" name="objective">
-                     <prop name="label">AU-6(1)[1][a]</prop>
-                     <p>audit review;</p>
-                  </part>
-                  <part id="au-6.1_obj.1.b" name="objective">
-                     <prop name="label">AU-6(1)[1][b]</prop>
-                     <p>analysis;</p>
-                  </part>
-                  <part id="au-6.1_obj.1.c" name="objective">
-                     <prop name="label">AU-6(1)[1][c]</prop>
-                     <p>reporting processes;</p>
-                  </part>
-               </part>
-               <part id="au-6.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-6(1)[2]</prop>
-                  <p>uses integrated audit review, analysis and reporting processes to support
-                     organizational processes for:</p>
-                  <part id="au-6.1_obj.2.a" name="objective">
-                     <prop name="label">AU-6(1)[2][a]</prop>
-                     <p>investigation of suspicious activities; and</p>
-                  </part>
-                  <part id="au-6.1_obj.2.b" name="objective">
-                     <prop name="label">AU-6(1)[2][b]</prop>
-                     <p>response to suspicious activities.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>procedures addressing investigation and response to suspicious activities</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms integrating audit review, analysis, and reporting
-                     processes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.3">
-            <title>Correlate Audit Repositories</title>
-            <prop name="label">AU-6(3)</prop>
-            <prop name="sort-id">au-06.03</prop>
-            <part id="au-6.3_smt" name="statement">
-               <p>The organization analyzes and correlates audit records across different
-                  repositories to gain organization-wide situational awareness.</p>
-            </part>
-            <part id="au-6.3_gdn" name="guidance">
-               <p>Organization-wide situational awareness includes awareness across all three tiers
-                  of risk management (i.e., organizational, mission/business process, and
-                  information system) and supports cross-organization awareness.</p>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="au-6.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization analyzes and correlates audit records across
-                  different repositories to gain organization-wide situational awareness. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records across different repositories</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting analysis and correlation of audit records</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.4">
-            <title>Central Review and Analysis</title>
-            <prop name="label">AU-6(4)</prop>
-            <prop name="sort-id">au-06.04</prop>
-            <part id="au-6.4_smt" name="statement">
-               <p>The information system provides the capability to centrally review and analyze
-                  audit records from multiple components within the system.</p>
-            </part>
-            <part id="au-6.4_gdn" name="guidance">
-               <p>Automated mechanisms for centralized reviews and analyses include, for example,
-                  Security Information Management products.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="au-6.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system provides the capability to centrally review
-                  and analyze audit records from multiple components within the system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security plan</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system capability to centralize review and analysis of audit
-                     records</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.5">
-            <title>Integration / Scanning and Monitoring Capabilities</title>
-            <param id="au-6.5_prm_1"/>
-            <param id="au-6.5_prm_2" depends-on="au-6.5_prm_1">
-               <label>organization-defined data/information collected from other sources</label>
-               <constraint>Possibly to include penetration test data.</constraint>
-            </param>
-            <prop name="label">AU-6(5)</prop>
-            <prop name="sort-id">au-06.05</prop>
-            <part id="au-6.5_smt" name="statement">
-               <p>The organization integrates analysis of audit records with analysis of <insert param-id="au-6.5_prm_1"/> to further enhance the ability to identify
-                  inappropriate or unusual activity.</p>
-            </part>
-            <part id="au-6.5_gdn" name="guidance">
-               <p>This control enhancement does not require vulnerability scanning, the generation
-                  of performance data, or information system monitoring. Rather, the enhancement
-                  requires that the analysis of information being otherwise produced in these areas
-                  is integrated with the analysis of audit information. Security Event and
-                  Information Management System tools can facilitate audit record
-                  aggregation/consolidation from multiple information system components as well as
-                  audit record correlation and analysis. The use of standardized audit record
-                  analysis scripts developed by organizations (with localized script adjustments, as
-                  necessary) provides more cost-effective approaches for analyzing audit record
-                  information collected. The correlation of audit record information with
-                  vulnerability scanning information is important in determining the veracity of
-                  vulnerability scans and correlating attack detection events with scanning results.
-                  Correlation with performance data can help uncover denial of service attacks or
-                  cyber attacks resulting in unauthorized use of resources. Correlation with system
-                  monitoring information can assist in uncovering attacks and in better relating
-                  audit information to operational situations.</p>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="au-6.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="au-6.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(5)[1]</prop>
-                  <p>defines data/information to be collected from other sources;</p>
-               </part>
-               <part id="au-6.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-6(5)[2]</prop>
-                  <p>selects sources of data/information to be analyzed and integrated with the
-                     analysis of audit records from one or more of the following:</p>
-                  <part id="au-6.5_obj.2.a" name="objective">
-                     <prop name="label">AU-6(5)[2][a]</prop>
-                     <p>vulnerability scanning information;</p>
-                  </part>
-                  <part id="au-6.5_obj.2.b" name="objective">
-                     <prop name="label">AU-6(5)[2][b]</prop>
-                     <p>performance data;</p>
-                  </part>
-                  <part id="au-6.5_obj.2.c" name="objective">
-                     <prop name="label">AU-6(5)[2][c]</prop>
-                     <p>information system monitoring information; and/or</p>
-                  </part>
-                  <part id="au-6.5_obj.2.d" name="objective">
-                     <prop name="label">AU-6(5)[2][d]</prop>
-                     <p>organization-defined data/information collected from other sources; and</p>
-                  </part>
-               </part>
-               <part id="au-6.5_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-6(5)[3]</prop>
-                  <p>integrates the analysis of audit records with the analysis of selected
-                     data/information to further enhance the ability to identify inappropriate or
-                     unusual activity.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrated analysis of audit records, vulnerability scanning information,
-                     performance data, network monitoring information and associated
-                     documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to integrate analysis of audit
-                     records with analysis of data/information sources</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.6">
-            <title>Correlation with Physical Monitoring</title>
-            <prop name="label">AU-6(6)</prop>
-            <prop name="sort-id">au-06.06</prop>
-            <part id="au-6.6_smt" name="statement">
-               <p>The organization correlates information from audit records with information
-                  obtained from monitoring physical access to further enhance the ability to
-                  identify suspicious, inappropriate, unusual, or malevolent activity.</p>
-               <part id="au-6.6_fr" name="item">
-                  <title>AU-6 (6) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="au-6.6_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-6.6_gdn" name="guidance">
-               <p>The correlation of physical audit information and audit logs from information
-                  systems may assist organizations in identifying examples of suspicious behavior or
-                  supporting evidence of such behavior. For example, the correlation of an
-                  individual’s identity for logical access to certain information systems with the
-                  additional physical security information that the individual was actually present
-                  at the facility when the logical access occurred, may prove to be useful in
-                  investigations.</p>
-            </part>
-            <part id="au-6.6_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization correlates information from audit records with
-                  information obtained from monitoring physical access to enhance the ability to
-                  identify suspicious, inappropriate, unusual, or malevolent activity.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documentation providing evidence of correlated information obtained from audit
-                     records and physical access monitoring records</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to correlate information from
-                     audit records with information from monitoring physical access</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.7">
-            <title>Permitted Actions</title>
-            <param id="au-6.7_prm_1">
-               <constraint>information system process; role; user</constraint>
-            </param>
-            <prop name="label">AU-6(7)</prop>
-            <prop name="sort-id">au-06.07</prop>
-            <part id="au-6.7_smt" name="statement">
-               <p>The organization specifies the permitted actions for each <insert param-id="au-6.7_prm_1"/> associated with the review, analysis, and reporting
-                  of audit information.</p>
-            </part>
-            <part id="au-6.7_gdn" name="guidance">
-               <p>Organizations specify permitted actions for information system processes, roles,
-                  and/or users associated with the review, analysis, and reporting of audit records
-                  through account management techniques. Specifying permitted actions on audit
-                  information is a way to enforce the principle of least privilege. Permitted
-                  actions are enforced by the information system and include, for example, read,
-                  write, execute, append, and delete.</p>
-            </part>
-            <part id="au-6.7_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization specifies the permitted actions for each one or more
-                  of the following associated with the review, analysis and reporting of audit
-                  information:</p>
-               <part id="au-6.7_obj.1" name="objective">
-                  <prop name="label">AU-6(7)[1]</prop>
-                  <p>information system process;</p>
-               </part>
-               <part id="au-6.7_obj.2" name="objective">
-                  <prop name="label">AU-6(7)[2]</prop>
-                  <p>role; and/or</p>
-               </part>
-               <part id="au-6.7_obj.3" name="objective">
-                  <prop name="label">AU-6(7)[3]</prop>
-                  <p>user.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing process, role and/or user permitted actions from audit
-                     review, analysis, and reporting</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting permitted actions for review, analysis, and
-                     reporting of audit information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.10">
-            <title>Audit Level Adjustment</title>
-            <prop name="label">AU-6(10)</prop>
-            <prop name="sort-id">au-06.10</prop>
-            <part id="au-6.10_smt" name="statement">
-               <p>The organization adjusts the level of audit review, analysis, and reporting within
-                  the information system when there is a change in risk based on law enforcement
-                  information, intelligence information, or other credible sources of
-                  information.</p>
-            </part>
-            <part id="au-6.10_gdn" name="guidance">
-               <p>The frequency, scope, and/or depth of the audit review, analysis, and reporting
-                  may be adjusted to meet organizational needs based on new information
-                  received.</p>
-            </part>
-            <part id="au-6.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization adjusts the level of audit review, analysis, and
-                  reporting within the information system when there is a change in risk based
-                  on:</p>
-               <part id="au-6.10_obj.1" name="objective">
-                  <prop name="label">AU-6(10)[1]</prop>
-                  <p>law enforcement information;</p>
-               </part>
-               <part id="au-6.10_obj.2" name="objective">
-                  <prop name="label">AU-6(10)[2]</prop>
-                  <p>intelligence information; and/or</p>
-               </part>
-               <part id="au-6.10_obj.3" name="objective">
-                  <prop name="label">AU-6(10)[3]</prop>
-                  <p>other credible sources of information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>organizational risk assessment</p>
-                  <p>security control assessment</p>
-                  <p>vulnerability assessment</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting review, analysis, and reporting of audit
-                     information</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-7">
-         <title>Audit Reduction and Report Generation</title>
-         <prop name="label">AU-7</prop>
-         <prop name="sort-id">au-07</prop>
-         <part id="au-7_smt" name="statement">
-            <p>The information system provides an audit reduction and report generation capability
-               that:</p>
-            <part id="au-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Supports on-demand audit review, analysis, and reporting requirements and
-                  after-the-fact investigations of security incidents; and</p>
-            </part>
-            <part id="au-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Does not alter the original content or time ordering of audit records.</p>
-            </part>
-         </part>
-         <part id="au-7_gdn" name="guidance">
-            <p>Audit reduction is a process that manipulates collected audit information and
-               organizes such information in a summary format that is more meaningful to analysts.
-               Audit reduction and report generation capabilities do not always emanate from the
-               same information system or from the same organizational entities conducting auditing
-               activities. Audit reduction capability can include, for example, modern data mining
-               techniques with advanced data filters to identify anomalous behavior in audit
-               records. The report generation capability provided by the information system can
-               generate customizable reports. Time ordering of audit records can be a significant
-               issue if the granularity of the timestamp in the record is insufficient.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-         </part>
-         <part id="au-7_obj" name="objective">
-            <p>Determine if the information system provides an audit reduction and report generation
-               capability that supports:</p>
-            <part id="au-7.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AU-7(a)</prop>
-               <part id="au-7.a_obj.1" name="objective">
-                  <prop name="label">AU-7(a)[1]</prop>
-                  <p>on-demand audit review;</p>
-               </part>
-               <part id="au-7.a_obj.2" name="objective">
-                  <prop name="label">AU-7(a)[2]</prop>
-                  <p>analysis;</p>
-               </part>
-               <part id="au-7.a_obj.3" name="objective">
-                  <prop name="label">AU-7(a)[3]</prop>
-                  <p>reporting requirements;</p>
-               </part>
-               <part id="au-7.a_obj.4" name="objective">
-                  <prop name="label">AU-7(a)[4]</prop>
-                  <p>after-the-fact investigations of security incidents; and</p>
-               </part>
-            </part>
-            <part id="au-7.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-7(b)</prop>
-               <p>does not alter the original content or time ordering of audit records.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit reduction and report generation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit reduction, review, analysis, and reporting tools</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit reduction and report generation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Audit reduction and report generation capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-7.1">
-            <title>Automatic Processing</title>
-            <param id="au-7.1_prm_1">
-               <label>organization-defined audit fields within audit records</label>
-            </param>
-            <prop name="label">AU-7(1)</prop>
-            <prop name="sort-id">au-07.01</prop>
-            <part id="au-7.1_smt" name="statement">
-               <p>The information system provides the capability to process audit records for events
-                  of interest based on <insert param-id="au-7.1_prm_1"/>.</p>
-            </part>
-            <part id="au-7.1_gdn" name="guidance">
-               <p>Events of interest can be identified by the content of specific audit record
-                  fields including, for example, identities of individuals, event types, event
-                  locations, event times, event dates, system resources involved, IP addresses
-                  involved, or information objects accessed. Organizations may define audit event
-                  criteria to any degree of granularity required, for example, locations selectable
-                  by general networking location (e.g., by network or subnetwork) or selectable by
-                  specific information system component.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="au-7.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-7.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-7(1)[1]</prop>
-                  <p>the organization defines audit fields within audit records in order to process
-                     audit records for events of interest; and</p>
-               </part>
-               <part id="au-7.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-7(1)[2]</prop>
-                  <p>the information system provides the capability to process audit records for
-                     events of interest based on the organization-defined audit fields within audit
-                     records.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit reduction and report generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit reduction, review, analysis, and reporting tools</p>
-                  <p>audit record criteria (fields) establishing events of interest</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit reduction and report generation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Audit reduction and report generation capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-8">
-         <title>Time Stamps</title>
-         <param id="au-8_prm_1">
-            <label>organization-defined granularity of time measurement</label>
-            <constraint>one second granularity of time measurement</constraint>
-         </param>
-         <prop name="label">AU-8</prop>
-         <prop name="sort-id">au-08</prop>
-         <part id="au-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses internal system clocks to generate time stamps for audit records; and</p>
-            </part>
-            <part id="au-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Records time stamps for audit records that can be mapped to Coordinated Universal
-                  Time (UTC) or Greenwich Mean Time (GMT) and meets <insert param-id="au-8_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="au-8_gdn" name="guidance">
-            <p>Time stamps generated by the information system include date and time. Time is
-               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-               measurements refers to the degree of synchronization between information system
-               clocks and reference clocks, for example, clocks synchronizing within hundreds of
-               milliseconds or within tens of milliseconds. Organizations may define different time
-               granularities for different system components. Time service can also be critical to
-               other security capabilities such as access control and identification and
-               authentication, depending on the nature of the mechanisms used to support those
-               capabilities.</p>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-         </part>
-         <part id="au-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-8(a)</prop>
-               <p>the information system uses internal system clocks to generate time stamps for
-                  audit records;</p>
-            </part>
-            <part id="au-8.b_obj" name="objective">
-               <prop name="label">AU-8(b)</prop>
-               <part id="au-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-8(b)[1]</prop>
-                  <p>the information system records time stamps for audit records that can be mapped
-                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);</p>
-               </part>
-               <part id="au-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-8(b)[2]</prop>
-                  <p>the organization defines the granularity of time measurement to be met when
-                     recording time stamps for audit records; and</p>
-               </part>
-               <part id="au-8.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-8(b)[3]</prop>
-                  <p>the organization records time stamps for audit records that meet the
-                     organization-defined granularity of time measurement.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing time stamp generation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing time stamp generation</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-8.1">
-            <title>Synchronization with Authoritative Time Source</title>
-            <param id="au-8.1_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>At least hourly</constraint>
-            </param>
-            <param id="au-8.1_prm_2">
-               <label>organization-defined authoritative time source</label>
-               <constraint>http://tf.nist.gov/tf-cgi/servers.cgi</constraint>
-            </param>
-            <param id="au-8.1_prm_3">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AU-8(1)</prop>
-            <prop name="sort-id">au-08.01</prop>
-            <part id="au-8.1_smt" name="statement">
-               <p>The information system:</p>
-               <part id="au-8.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Compares the internal information system clocks <insert param-id="au-8.1_prm_1"/> with <insert param-id="au-8.1_prm_2"/>; and</p>
-               </part>
-               <part id="au-8.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Synchronizes the internal system clocks to the authoritative time source when
-                     the time difference is greater than <insert param-id="au-8.1_prm_3"/>.</p>
-               </part>
-               <part id="au-8.1_fr" name="item">
-                  <title>AU-8 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="au-8.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
-                  </part>
-                  <part id="au-8.1_fr_smt.2" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
-                  </part>
-                  <part id="au-8.1_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Synchronization of system clocks improves the accuracy of log analysis.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-8.1_gdn" name="guidance">
-               <p>This control enhancement provides uniformity of time stamps for information
-                  systems with multiple system clocks and systems connected over a network.</p>
-            </part>
-            <part id="au-8.1_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="au-8.1.a_obj" name="objective">
-                  <prop name="label">AU-8(1)(a)</prop>
-                  <part id="au-8.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-8(1)(a)[1]</prop>
-                     <p>the organization defines the authoritative time source to which internal
-                        information system clocks are to be compared;</p>
-                  </part>
-                  <part id="au-8.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-8(1)(a)[2]</prop>
-                     <p>the organization defines the frequency to compare the internal information
-                        system clocks with the organization-defined authoritative time source;
-                        and</p>
-                  </part>
-                  <part id="au-8.1.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AU-8(1)(a)[3]</prop>
-                     <p>the information system compares the internal information system clocks with
-                        the organization-defined authoritative time source with organization-defined
-                        frequency; and</p>
-                  </part>
-                  <link rel="corresp" href="#au-8.1_smt.a">AU-8(1)(a)</link>
-               </part>
-               <part id="au-8.1.b_obj" name="objective">
-                  <prop name="label">AU-8(1)(b)</prop>
-                  <part id="au-8.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-8(1)(b)[1]</prop>
-                     <p>the organization defines the time period that, if exceeded by the time
-                        difference between the internal system clocks and the authoritative time
-                        source, will result in the internal system clocks being synchronized to the
-                        authoritative time source; and</p>
-                  </part>
-                  <part id="au-8.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AU-8(1)(b)[2]</prop>
-                     <p>the information system synchronizes the internal information system clocks
-                        to the authoritative time source when the time difference is greater than
-                        the organization-defined time period.</p>
-                  </part>
-                  <link rel="corresp" href="#au-8.1_smt.b">AU-8(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing time stamp generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing internal information system clock
-                     synchronization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-9">
-         <title>Protection of Audit Information</title>
-         <prop name="label">AU-9</prop>
-         <prop name="sort-id">au-09</prop>
-         <part id="au-9_smt" name="statement">
-            <p>The information system protects audit information and audit tools from unauthorized
-               access, modification, and deletion.</p>
-         </part>
-         <part id="au-9_gdn" name="guidance">
-            <p>Audit information includes all information (e.g., audit records, audit settings, and
-               audit reports) needed to successfully audit information system activity. This control
-               focuses on technical protection of audit information. Physical protection of audit
-               information is addressed by media protection controls and physical and environmental
-               protection controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-         </part>
-         <part id="au-9_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="au-9_obj.1" name="objective">
-               <prop name="label">AU-9[1]</prop>
-               <p>the information system protects audit information from unauthorized:</p>
-               <part id="au-9_obj.1.a" name="objective">
-                  <prop name="label">AU-9[1][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.1.b" name="objective">
-                  <prop name="label">AU-9[1][b]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="au-9_obj.1.c" name="objective">
-                  <prop name="label">AU-9[1][c]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="au-9_obj.2" name="objective">
-               <prop name="label">AU-9[2]</prop>
-               <p>the information system protects audit tools from unauthorized:</p>
-               <part id="au-9_obj.2.a" name="objective">
-                  <prop name="label">AU-9[2][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.2.b" name="objective">
-                  <prop name="label">AU-9[2][b]</prop>
-                  <p>modification; and</p>
-               </part>
-               <part id="au-9_obj.2.c" name="objective">
-                  <prop name="label">AU-9[2][c]</prop>
-                  <p>deletion.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>access control policy and procedures</p>
-               <p>procedures addressing protection of audit information</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation,
-                  information system audit records</p>
-               <p>audit tools</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit information protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-9.2">
-            <title>Audit Backup On Separate Physical Systems / Components</title>
-            <param id="au-9.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least weekly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AU-9(2)</prop>
-            <prop name="sort-id">au-09.02</prop>
-            <part id="au-9.2_smt" name="statement">
-               <p>The information system backs up audit records <insert param-id="au-9.2_prm_1"/>
-                  onto a physically different system or system component than the system or
-                  component being audited.</p>
-            </part>
-            <part id="au-9.2_gdn" name="guidance">
-               <p>This control enhancement helps to ensure that a compromise of the information
-                  system being audited does not also result in a compromise of the audit
-                  records.</p>
-               <link rel="related" href="#au-4">AU-4</link>
-               <link rel="related" href="#au-5">AU-5</link>
-               <link rel="related" href="#au-11">AU-11</link>
-            </part>
-            <part id="au-9.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-9.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-9(2)[1]</prop>
-                  <p>the organization defines the frequency to back up audit records onto a
-                     physically different system or system component than the system or component
-                     being audited; and</p>
-               </part>
-               <part id="au-9.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-9(2)[2]</prop>
-                  <p>the information system backs up audit records with the organization-defined
-                     frequency, onto a physically different system or system component than the
-                     system or component being audited.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation, system
-                     or media storing backups of information system audit records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing the backing up of audit records</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.3">
-            <title>Cryptographic Protection</title>
-            <prop name="label">AU-9(3)</prop>
-            <prop name="sort-id">au-09.03</prop>
-            <part id="au-9.3_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  integrity of audit information and audit tools.</p>
-            </part>
-            <part id="au-9.3_gdn" name="guidance">
-               <p>Cryptographic mechanisms used for protecting the integrity of audit information
-                  include, for example, signed hash functions using asymmetric cryptography enabling
-                  distribution of the public key to verify the hash information while maintaining
-                  the confidentiality of the secret key used to generate the hash.</p>
-               <link rel="related" href="#au-10">AU-10</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="au-9.3_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="au-9.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-9(3)[1]</prop>
-                  <p>uses cryptographic mechanisms to protect the integrity of audit information;
-                     and</p>
-               </part>
-               <part id="au-9.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-9(3)[2]</prop>
-                  <p>uses cryptographic mechanisms to protect the integrity of audit tools.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware settings</p>
-                  <p>information system configuration settings and associated documentation,
-                     information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting integrity of audit information and
-                     tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.4">
-            <title>Access by Subset of Privileged Users</title>
-            <param id="au-9.4_prm_1">
-               <label>organization-defined subset of privileged users</label>
-            </param>
-            <prop name="label">AU-9(4)</prop>
-            <prop name="sort-id">au-09.04</prop>
-            <part id="au-9.4_smt" name="statement">
-               <p>The organization authorizes access to management of audit functionality to only
-                     <insert param-id="au-9.4_prm_1"/>.</p>
-            </part>
-            <part id="au-9.4_gdn" name="guidance">
-               <p>Individuals with privileged access to an information system and who are also the
-                  subject of an audit by that system, may affect the reliability of audit
-                  information by inhibiting audit activities or modifying audit records. This
-                  control enhancement requires that privileged access be further defined between
-                  audit-related privileges and other privileges, thus limiting the users with
-                  audit-related privileges.</p>
-               <link rel="related" href="#ac-5">AC-5</link>
-            </part>
-            <part id="au-9.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="au-9.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-9(4)[1]</prop>
-                  <p>defines a subset of privileged users to be authorized access to management of
-                     audit functionality; and</p>
-               </part>
-               <part id="au-9.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-9(4)[2]</prop>
-                  <p>authorizes access to management of audit functionality to only the
-                     organization-defined subset of privileged users.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation,
-                     system-generated list of privileged users with access to management of audit
-                     functionality</p>
-                  <p>access authorizations</p>
-                  <p>access control list</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms managing access to audit functionality</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-10">
-         <title>Non-repudiation</title>
-         <param id="au-10_prm_1">
-            <label>organization-defined actions to be covered by non-repudiation</label>
-            <constraint>minimum actions including the addition, modification, deletion, approval, sending, or receiving of data</constraint>
-         </param>
-         <prop name="label">AU-10</prop>
-         <prop name="sort-id">au-10</prop>
-         <part id="au-10_smt" name="statement">
-            <p>The information system protects against an individual (or process acting on behalf of
-               an individual) falsely denying having performed <insert param-id="au-10_prm_1"/>.</p>
-         </part>
-         <part id="au-10_gdn" name="guidance">
-            <p>Types of individual actions covered by non-repudiation include, for example, creating
-               information, sending and receiving messages, approving information (e.g., indicating
-               concurrence or signing a contract). Non-repudiation protects individuals against
-               later claims by: (i) authors of not having authored particular documents; (ii)
-               senders of not having transmitted messages; (iii) receivers of not having received
-               messages; or (iv) signatories of not having signed documents. Non-repudiation
-               services can be used to determine if information originated from a particular
-               individual, or if an individual took specific actions (e.g., sending an email,
-               signing a contract, approving a procurement request) or received specific
-               information. Organizations obtain non-repudiation services by employing various
-               techniques or mechanisms (e.g., digital signatures, digital message receipts).</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-            <link rel="related" href="#sc-23">SC-23</link>
-         </part>
-         <part id="au-10_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="au-10_obj.1" name="objective">
-               <prop name="label">AU-10[1]</prop>
-               <p>the organization defines actions to be covered by non-repudiation; and</p>
-            </part>
-            <part id="au-10_obj.2" name="objective">
-               <prop name="label">AU-10[2]</prop>
-               <p>the information system protects against an individual (or process acting on behalf
-                  of an individual) falsely denying having performed organization-defined actions to
-                  be covered by non-repudiation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing non-repudiation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing non-repudiation capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-11">
-         <title>Audit Record Retention</title>
-         <param id="au-11_prm_1">
-            <label>organization-defined time period consistent with records retention policy</label>
-            <constraint>at least one (1) year</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-11</prop>
-         <prop name="sort-id">au-11</prop>
-         <part id="au-11_smt" name="statement">
-            <p>The organization retains audit records for <insert param-id="au-11_prm_1"/> to
-               provide support for after-the-fact investigations of security incidents and to meet
-               regulatory and organizational information retention requirements.</p>
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-11_gdn" name="guidance">
-            <p>Organizations retain audit records until it is determined that they are no longer
-               needed for administrative, legal, audit, or other operational purposes. This
-               includes, for example, retention and availability of audit records relative to
-               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-               Organizations develop standard categories of audit records relative to such types of
-               actions and standard response processes for each type of action. The National
-               Archives and Records Administration (NARA) General Records Schedules provide federal
-               policy on record retention.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="au-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-11_obj.1" name="objective">
-               <prop name="label">AU-11[1]</prop>
-               <p>defines a time period to retain audit records that is consistent with records
-                  retention policy;</p>
-            </part>
-            <part id="au-11_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AU-11[2]</prop>
-               <p>retains audit records for the organization-defined time period consistent with
-                  records retention policy to:</p>
-               <part id="au-11_obj.2.a" name="objective">
-                  <prop name="label">AU-11[2][a]</prop>
-                  <p>provide support for after-the-fact investigations of security incidents;
-                     and</p>
-               </part>
-               <part id="au-11_obj.2.b" name="objective">
-                  <prop name="label">AU-11[2][b]</prop>
-                  <p>meet regulatory and organizational information retention requirements.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>audit record retention policy and procedures</p>
-               <p>security plan</p>
-               <p>organization-defined retention period for audit records</p>
-               <p>audit record archives</p>
-               <p>audit logs</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record retention responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-12">
-         <title>Audit Generation</title>
-         <param id="au-12_prm_1">
-            <label>organization-defined information system components</label>
-            <constraint>all information system and network components where audit capability is deployed/available</constraint>
-         </param>
-         <param id="au-12_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-12</prop>
-         <prop name="sort-id">au-12</prop>
-         <part id="au-12_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-12_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides audit record generation capability for the auditable events defined in
-                  AU-2 a. at <insert param-id="au-12_prm_1"/>;</p>
-            </part>
-            <part id="au-12_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows <insert param-id="au-12_prm_2"/> to select which auditable events are to be
-                  audited by specific components of the information system; and</p>
-            </part>
-            <part id="au-12_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Generates audit records for the events defined in AU-2 d. with the content defined
-                  in AU-3.</p>
-            </part>
-         </part>
-         <part id="au-12_gdn" name="guidance">
-            <p>Audit records can be generated from many different information system components. The
-               list of audited events is the set of events for which audits are to be generated.
-               These events are typically a subset of all events for which the information system is
-               capable of generating audit records.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-         </part>
-         <part id="au-12_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-12.a_obj" name="objective">
-               <prop name="label">AU-12(a)</prop>
-               <part id="au-12.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(a)[1]</prop>
-                  <p>the organization defines the information system components which are to provide
-                     audit record generation capability for the auditable events defined in
-                     AU-2a;</p>
-               </part>
-               <part id="au-12.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-12(a)[2]</prop>
-                  <p>the information system provides audit record generation capability, for the
-                     auditable events defined in AU-2a, at organization-defined information system
-                     components;</p>
-               </part>
-            </part>
-            <part id="au-12.b_obj" name="objective">
-               <prop name="label">AU-12(b)</prop>
-               <part id="au-12.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(b)[1]</prop>
-                  <p>the organization defines the personnel or roles allowed to select which
-                     auditable events are to be audited by specific components of the information
-                     system;</p>
-               </part>
-               <part id="au-12.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-12(b)[2]</prop>
-                  <p>the information system allows the organization-defined personnel or roles to
-                     select which auditable events are to be audited by specific components of the
-                     system; and</p>
-               </part>
-            </part>
-            <part id="au-12.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-12(c)</prop>
-               <p>the information system generates audit records for the events defined in AU-2d
-                  with the content in defined in AU-3.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit record generation</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of auditable events</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record generation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit record generation capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-12.1">
-            <title>System-wide / Time-correlated Audit Trail</title>
-            <param id="au-12.1_prm_1">
-               <label>organization-defined information system components</label>
-               <constraint>all network, data storage, and computing devices</constraint>
-            </param>
-            <param id="au-12.1_prm_2">
-               <label>organization-defined level of tolerance for the relationship between time
-                  stamps of individual records in the audit trail</label>
-            </param>
-            <prop name="label">AU-12(1)</prop>
-            <prop name="sort-id">au-12.01</prop>
-            <part id="au-12.1_smt" name="statement">
-               <p>The information system compiles audit records from <insert param-id="au-12.1_prm_1"/> into a system-wide (logical or physical) audit trail
-                  that is time-correlated to within <insert param-id="au-12.1_prm_2"/>.</p>
-            </part>
-            <part id="au-12.1_gdn" name="guidance">
-               <p>Audit trails are time-correlated if the time stamps in the individual audit
-                  records can be reliably related to the time stamps in other audit records to
-                  achieve a time ordering of the records within organizational tolerances.</p>
-               <link rel="related" href="#au-8">AU-8</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="au-12.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-12.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(1)[1]</prop>
-                  <p>the organization defines the information system components from which audit
-                     records are to be compiled into a system-wide (logical or physical) audit
-                     trail;</p>
-               </part>
-               <part id="au-12.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(1)[2]</prop>
-                  <p>the organization defines the level of tolerance for the relationship between
-                     time stamps of individual records in the audit trail; and</p>
-               </part>
-               <part id="au-12.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-12(1)[3]</prop>
-                  <p>the information system compiles audit records from organization-defined
-                     information system components into a system-wide (logical or physical) audit
-                     trail that is time-correlated to within the organization-defined level of
-                     tolerance for the relationship between time stamps of individual records in the
-                     audit trail.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit record generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-wide audit trail (logical or physical)</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit record generation responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing audit record generation capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-12.3">
-            <title>Changes by Authorized Individuals</title>
-            <param id="au-12.3_prm_1">
-               <label>organization-defined individuals or roles</label>
-               <constraint>service provider-defined individuals or roles with audit configuration responsibilities</constraint>
-            </param>
-            <param id="au-12.3_prm_2">
-               <label>organization-defined information system components</label>
-               <constraint>all network, data storage, and computing devices</constraint>
-            </param>
-            <param id="au-12.3_prm_3">
-               <label>organization-defined selectable event criteria</label>
-            </param>
-            <param id="au-12.3_prm_4">
-               <label>organization-defined time thresholds</label>
-            </param>
-            <prop name="label">AU-12(3)</prop>
-            <prop name="sort-id">au-12.03</prop>
-            <part id="au-12.3_smt" name="statement">
-               <p>The information system provides the capability for <insert param-id="au-12.3_prm_1"/> to change the auditing to be performed on <insert param-id="au-12.3_prm_2"/> based on <insert param-id="au-12.3_prm_3"/> within
-                     <insert param-id="au-12.3_prm_4"/>.</p>
-            </part>
-            <part id="au-12.3_gdn" name="guidance">
-               <p>This control enhancement enables organizations to extend or limit auditing as
-                  necessary to meet organizational requirements. Auditing that is limited to
-                  conserve information system resources may be extended to address certain threat
-                  situations. In addition, auditing may be limited to a specific set of events to
-                  facilitate audit reduction, analysis, and reporting. Organizations can establish
-                  time thresholds in which audit actions are changed, for example, near real-time,
-                  within minutes, or within hours.</p>
-               <link rel="related" href="#au-7">AU-7</link>
-            </part>
-            <part id="au-12.3_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="au-12.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(3)[1]</prop>
-                  <p>the organization defines information system components on which auditing is to
-                     be performed;</p>
-               </part>
-               <part id="au-12.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(3)[2]</prop>
-                  <p>the organization defines individuals or roles authorized to change the auditing
-                     to be performed on organization-defined information system components;</p>
-               </part>
-               <part id="au-12.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(3)[3]</prop>
-                  <p>the organization defines time thresholds within which organization-defined
-                     individuals or roles can change the auditing to be performed on
-                     organization-defined information system components;</p>
-               </part>
-               <part id="au-12.3_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(3)[4]</prop>
-                  <p>the organization defines selectable event criteria that support the capability
-                     for organization-defined individuals or roles to change the auditing to be
-                     performed on organization-defined information system components; and</p>
-               </part>
-               <part id="au-12.3_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-12(3)[5]</prop>
-                  <p>the information system provides the capability for organization-defined
-                     individuals or roles to change the auditing to be performed on
-                     organization-defined information system components based on
-                     organization-defined selectable event criteria within organization-defined time
-                     thresholds.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit record generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of individuals or roles authorized to change auditing to
-                     be performed</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit record generation responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing audit record generation capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ca">
-      <title>Security Assessment and Authorization</title>
-      <control class="SP800-53" id="ca-1">
-         <title>Security Assessment and Authorization Policy and Procedures</title>
-         <param id="ca-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ca-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ca-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-1</prop>
-         <prop name="sort-id">ca-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ca-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ca-1_prm_1"/>:</p>
-               <part id="ca-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security assessment and authorization policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ca-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security assessment and
-                     authorization policy and associated security assessment and authorization
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ca-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ca-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security assessment and authorization policy <insert param-id="ca-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ca-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security assessment and authorization procedures <insert param-id="ca-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ca-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-1.a_obj" name="objective">
-               <prop name="label">CA-1(a)</prop>
-               <part id="ca-1.a.1_obj" name="objective">
-                  <prop name="label">CA-1(a)(1)</prop>
-                  <part id="ca-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(1)[1]</prop>
-                     <p>develops and documents a security assessment and authorization policy that
-                        addresses:</p>
-                     <part id="ca-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ca-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security assessment and authorization
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CA-1(a)(1)[3]</prop>
-                     <p>disseminates the security assessment and authorization policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ca-1.a.2_obj" name="objective">
-                  <prop name="label">CA-1(a)(2)</prop>
-                  <part id="ca-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security assessment and authorization policy and associated assessment and
-                        authorization controls;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-1.b_obj" name="objective">
-               <prop name="label">CA-1(b)</prop>
-               <part id="ca-1.b.1_obj" name="objective">
-                  <prop name="label">CA-1(b)(1)</prop>
-                  <part id="ca-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization policy;</p>
-                  </part>
-                  <part id="ca-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ca-1.b.2_obj" name="objective">
-                  <prop name="label">CA-1(b)(2)</prop>
-                  <part id="ca-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization procedures; and</p>
-                  </part>
-                  <part id="ca-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment and authorization
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-2">
-         <title>Security Assessments</title>
-         <param id="ca-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ca-2_prm_2">
-            <label>organization-defined individuals or roles</label>
-            <constraint>individuals or roles to include FedRAMP PMO</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-2</prop>
-         <prop name="sort-id">ca-02</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Assessment procedures to be used to determine security control effectiveness;
-                     and</p>
-               </part>
-               <part id="ca-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Assessment environment, assessment team, and assessment roles and
-                     responsibilities;</p>
-               </part>
-            </part>
-            <part id="ca-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assesses the security controls in the information system and its environment of
-                  operation <insert param-id="ca-2_prm_1"/> to determine the extent to which the
-                  controls are implemented correctly, operating as intended, and producing the
-                  desired outcome with respect to meeting established security requirements;</p>
-            </part>
-            <part id="ca-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Produces a security assessment report that documents the results of the
-                  assessment; and</p>
-            </part>
-            <part id="ca-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Provides the results of the security control assessment to <insert param-id="ca-2_prm_2"/>.</p>
-            </part>
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-2_gdn" name="guidance">
-            <p>Organizations assess security controls in organizational information systems and the
-               environments in which those systems operate as part of: (i) initial and ongoing
-               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-               and (iv) system development life cycle activities. Security assessments: (i) ensure
-               that information security is built into organizational information systems; (ii)
-               identify weaknesses and deficiencies early in the development process; (iii) provide
-               essential information needed to make risk-based decisions as part of security
-               authorization processes; and (iv) ensure compliance to vulnerability mitigation
-               procedures. Assessments are conducted on the implemented security controls from
-               Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-               in System Security Plans and Information Security Program Plans. Organizations can
-               use other types of assessment activities such as vulnerability scanning and system
-               monitoring to maintain the security posture of information systems during the entire
-               life cycle. Security assessment reports document assessment results in sufficient
-               detail as deemed necessary by organizations, to determine the accuracy and
-               completeness of the reports and whether the security controls are implemented
-               correctly, operating as intended, and producing the desired outcome with respect to
-               meeting security requirements. The FISMA requirement for assessing security controls
-               at least annually does not require additional assessment activities to those
-               activities already in place in organizational security authorization processes.
-               Security assessment results are provided to the individuals or roles appropriate for
-               the types of assessments being conducted. For example, assessments conducted in
-               support of security authorization decisions are provided to authorizing officials or
-               authorizing official designated representatives. To satisfy annual assessment
-               requirements, organizations can use assessment results from the following sources:
-               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-               or (iii) system development life cycle activities. Organizations ensure that security
-               assessment results are current, relevant to the determination of security control
-               effectiveness, and obtained with the appropriate level of assessor independence.
-               Existing security control assessment results can be reused to the extent that the
-               results are still valid and can also be supplemented with additional assessments as
-               needed. Subsequent to initial authorizations and in accordance with OMB policy,
-               organizations assess security controls during continuous monitoring. Organizations
-               establish the frequency for ongoing security control assessments in accordance with
-               organizational continuous monitoring strategies. Information Assurance Vulnerability
-               Alerts provide useful examples of vulnerability mitigation procedures. External
-               audits (e.g., audits by external entities such as regulatory agencies) are outside
-               the scope of this control.</p>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-2(a)</prop>
-               <p>develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2.a.1_obj" name="objective">
-                  <prop name="label">CA-2(a)(1)</prop>
-                  <p>security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2.a.2_obj" name="objective">
-                  <prop name="label">CA-2(a)(2)</prop>
-                  <p>assessment procedures to be used to determine security control
-                     effectiveness;</p>
-               </part>
-               <part id="ca-2.a.3_obj" name="objective">
-                  <prop name="label">CA-2(a)(3)</prop>
-                  <part id="ca-2.a.3_obj.1" name="objective">
-                     <prop name="label">CA-2(a)(3)[1]</prop>
-                     <p>assessment environment;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.2" name="objective">
-                     <prop name="label">CA-2(a)(3)[2]</prop>
-                     <p>assessment team;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.3" name="objective">
-                     <prop name="label">CA-2(a)(3)[3]</prop>
-                     <p>assessment roles and responsibilities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.b_obj" name="objective">
-               <prop name="label">CA-2(b)</prop>
-               <part id="ca-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(b)[1]</prop>
-                  <p>defines the frequency to assess the security controls in the information system
-                     and its environment of operation;</p>
-               </part>
-               <part id="ca-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-2(b)[2]</prop>
-                  <p>assesses the security controls in the information system with the
-                     organization-defined frequency to determine the extent to which the controls
-                     are implemented correctly, operating as intended, and producing the desired
-                     outcome with respect to meeting established security requirements;</p>
-               </part>
-            </part>
-            <part id="ca-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CA-2(c)</prop>
-               <p>produces a security assessment report that documents the results of the
-                  assessment;</p>
-            </part>
-            <part id="ca-2.d_obj" name="objective">
-               <prop name="label">CA-2(d)</prop>
-               <part id="ca-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(d)[1]</prop>
-                  <p>defines individuals or roles to whom the results of the security control
-                     assessment are to be provided; and</p>
-               </part>
-               <part id="ca-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-2(d)[2]</prop>
-                  <p>provides the results of the security control assessment to organization-defined
-                     individuals or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security assessment planning</p>
-               <p>procedures addressing security assessments</p>
-               <p>security assessment plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting security assessment, security assessment plan
-                  development, and/or security assessment reporting</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-2.1">
-            <title>Independent Assessors</title>
-            <param id="ca-2.1_prm_1">
-               <label>organization-defined level of independence</label>
-            </param>
-            <prop name="label">CA-2(1)</prop>
-            <prop name="sort-id">ca-02.01</prop>
-            <part id="ca-2.1_smt" name="statement">
-               <p>The organization employs assessors or assessment teams with <insert param-id="ca-2.1_prm_1"/> to conduct security control assessments.</p>
-               <part id="ca-2.1_fr" name="item">
-                  <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-2.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.1_gdn" name="guidance">
-               <p>Independent assessors or assessment teams are individuals or groups who conduct
-                  impartial assessments of organizational information systems. Impartiality implies
-                  that assessors are free from any perceived or actual conflicts of interest with
-                  regard to the development, operation, or management of the organizational
-                  information systems under assessment or to the determination of security control
-                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                  or conflicting interest with the organizations where the assessments are being
-                  conducted; (ii) assess their own work; (iii) act as management or employees of the
-                  organizations they are serving; or (iv) place themselves in positions of advocacy
-                  for the organizations acquiring their services. Independent assessments can be
-                  obtained from elements within organizations or can be contracted to public or
-                  private sector entities outside of organizations. Authorizing officials determine
-                  the required level of independence based on the security categories of information
-                  systems and/or the ultimate risk to organizational operations, organizational
-                  assets, or individuals. Authorizing officials also determine if the level of
-                  assessor independence provides sufficient assurance that the results are sound and
-                  can be used to make credible, risk-based decisions. This includes determining
-                  whether contracted security assessment services have sufficient independence, for
-                  example, when information system owners are not directly involved in contracting
-                  processes or cannot unduly influence the impartiality of assessors conducting
-                  assessments. In special situations, for example, when organizations that own the
-                  information systems are small or organizational structures require that
-                  assessments are conducted by individuals that are in the developmental,
-                  operational, or management chain of system owners, independence in assessment
-                  processes can be achieved by ensuring that assessment results are carefully
-                  reviewed and analyzed by independent teams of experts to validate the
-                  completeness, accuracy, integrity, and reliability of the results. Organizations
-                  recognize that assessments performed for purposes other than direct support to
-                  authorization decisions are, when performed by assessors with sufficient
-                  independence, more likely to be useable for such decisions, thereby reducing the
-                  need to repeat assessments.</p>
-            </part>
-            <part id="ca-2.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(1)[1]</prop>
-                  <p>defines the level of independence to be employed to conduct security control
-                     assessments; and</p>
-               </part>
-               <part id="ca-2.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-2(1)[2]</prop>
-                  <p>employs assessors or assessment teams with the organization-defined level of
-                     independence to conduct security control assessments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security authorization package (including security plan, security assessment
-                     plan, security assessment report, plan of action and milestones, authorization
-                     statement)</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-2.2">
-            <title>Specialized Assessments</title>
-            <param id="ca-2.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least annually</constraint>
-            </param>
-            <param id="ca-2.2_prm_2"/>
-            <param id="ca-2.2_prm_3"/>
-            <param id="ca-2.2_prm_4" depends-on="ca-2.2_prm_3">
-               <label>organization-defined other forms of security assessment</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CA-2(2)</prop>
-            <prop name="sort-id">ca-02.02</prop>
-            <part id="ca-2.2_smt" name="statement">
-               <p>The organization includes as part of security control assessments, <insert param-id="ca-2.2_prm_1"/>, <insert param-id="ca-2.2_prm_2"/>, <insert param-id="ca-2.2_prm_3"/>.</p>
-               <part id="ca-2.2_fr" name="item">
-                  <title>CA-2 (2) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-2.2_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>To include 'announced', 'vulnerability scanning'</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.2_gdn" name="guidance">
-               <p>Organizations can employ information system monitoring, insider threat
-                  assessments, malicious user testing, and other forms of testing (e.g.,
-                  verification and validation) to improve readiness by exercising organizational
-                  capabilities and indicating current performance levels as a means of focusing
-                  actions to improve security. Organizations conduct assessment activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  regulations, and standards. Authorizing officials approve the assessment methods
-                  in coordination with the organizational risk executive function. Organizations can
-                  incorporate vulnerabilities uncovered during assessments into vulnerability
-                  remediation processes.</p>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#si-2">SI-2</link>
-            </part>
-            <part id="ca-2.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(2)[1]</prop>
-                  <p>selects one or more of the following forms of specialized security assessment
-                     to be included as part of security control assessments:</p>
-                  <part id="ca-2.2_obj.1.a" name="objective">
-                     <prop name="label">CA-2(2)[1][a]</prop>
-                     <p>in-depth monitoring;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.b" name="objective">
-                     <prop name="label">CA-2(2)[1][b]</prop>
-                     <p>vulnerability scanning;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.c" name="objective">
-                     <prop name="label">CA-2(2)[1][c]</prop>
-                     <p>malicious user testing;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.d" name="objective">
-                     <prop name="label">CA-2(2)[1][d]</prop>
-                     <p>insider threat assessment;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.e" name="objective">
-                     <prop name="label">CA-2(2)[1][e]</prop>
-                     <p>performance/load testing; and/or</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.f" name="objective">
-                     <prop name="label">CA-2(2)[1][f]</prop>
-                     <p>other forms of organization-defined specialized security assessment;</p>
-                  </part>
-               </part>
-               <part id="ca-2.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(2)[2]</prop>
-                  <p>defines the frequency for conducting the selected form(s) of specialized
-                     security assessment;</p>
-               </part>
-               <part id="ca-2.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(2)[3]</prop>
-                  <p>defines whether the specialized security assessment will be announced or
-                     unannounced; and</p>
-               </part>
-               <part id="ca-2.2_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-2(2)[4]</prop>
-                  <p>conducts announced or unannounced organization-defined forms of specialized
-                     security assessments with the organization-defined frequency as part of
-                     security control assessments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security plan</p>
-                  <p>security assessment plan</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting security control assessment</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-2.3">
-            <title>External Organizations</title>
-            <param id="ca-2.3_prm_1">
-               <label>organization-defined information system</label>
-               <constraint>any FedRAMP Accredited 3PAO</constraint>
-            </param>
-            <param id="ca-2.3_prm_2">
-               <label>organization-defined external organization</label>
-               <constraint>any FedRAMP Accredited 3PAO</constraint>
-            </param>
-            <param id="ca-2.3_prm_3">
-               <label>organization-defined requirements</label>
-               <constraint>the conditions of the JAB/AO in the FedRAMP Repository</constraint>
-            </param>
-            <prop name="label">CA-2(3)</prop>
-            <prop name="sort-id">ca-02.03</prop>
-            <part id="ca-2.3_smt" name="statement">
-               <p>The organization accepts the results of an assessment of <insert param-id="ca-2.3_prm_1"/> performed by <insert param-id="ca-2.3_prm_2"/> when
-                  the assessment meets <insert param-id="ca-2.3_prm_3"/>.</p>
-            </part>
-            <part id="ca-2.3_gdn" name="guidance">
-               <p>Organizations may often rely on assessments of specific information systems by
-                  other (external) organizations. Utilizing such existing assessments (i.e., reusing
-                  existing assessment evidence) can significantly decrease the time and resources
-                  required for organizational assessments by limiting the amount of independent
-                  assessment activities that organizations need to perform. The factors that
-                  organizations may consider in determining whether to accept assessment results
-                  from external organizations can vary. Determinations for accepting assessment
-                  results can be based on, for example, past assessment experiences one organization
-                  has had with another organization, the reputation that organizations have with
-                  regard to assessments, the level of detail of supporting assessment documentation
-                  provided, or mandates imposed upon organizations by federal legislation, policies,
-                  or directives.</p>
-            </part>
-            <part id="ca-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(3)[1]</prop>
-                  <p>defines an information system for which the results of a security assessment
-                     performed by an external organization are to be accepted;</p>
-               </part>
-               <part id="ca-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(3)[2]</prop>
-                  <p>defines an external organization from which to accept a security assessment
-                     performed on an organization-defined information system;</p>
-               </part>
-               <part id="ca-2.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(3)[3]</prop>
-                  <p>defines the requirements to be met by a security assessment performed by
-                     organization-defined external organization on organization-defined information
-                     system; and</p>
-               </part>
-               <part id="ca-2.3_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-2(3)[4]</prop>
-                  <p>accepts the results of an assessment of an organization-defined information
-                     system performed by an organization-defined external organization when the
-                     assessment meets organization-defined requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security plan</p>
-                  <p>security assessment requirements</p>
-                  <p>security assessment plan</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>plan of action and milestones</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel performing security assessments for the specified external
-                     organization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-3">
-         <title>System Interconnections</title>
-         <param id="ca-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>At least annually and on input from FedRAMP</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-3</prop>
-         <prop name="sort-id">ca-03</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#2711f068-734e-4afd-94ba-0b22247fbc88" rel="reference">NIST Special Publication 800-47</link>
-         <part id="ca-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each interconnection, the interface characteristics, security
-                  requirements, and the nature of the information communicated; and</p>
-            </part>
-            <part id="ca-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates Interconnection Security Agreements <insert param-id="ca-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ca-3_gdn" name="guidance">
-            <p>This control applies to dedicated connections between information systems (i.e.,
-               system interconnections) and does not apply to transitory, user-controlled
-               connections such as email and website browsing. Organizations carefully consider the
-               risks that may be introduced when information systems are connected to other systems
-               with different security requirements and security controls, both within organizations
-               and external to organizations. Authorizing officials determine the risk associated
-               with information system connections and the appropriate controls employed. If
-               interconnecting systems have the same authorizing official, organizations do not need
-               to develop Interconnection Security Agreements. Instead, organizations can describe
-               the interface characteristics between those interconnecting systems in their
-               respective security plans. If interconnecting systems have different authorizing
-               officials within the same organization, organizations can either develop
-               Interconnection Security Agreements or describe the interface characteristics between
-               systems in the security plans for the respective systems. Organizations may also
-               incorporate Interconnection Security Agreement information into formal contracts,
-               especially for interconnections established between federal agencies and nonfederal
-               (i.e., private sector) organizations. Risk considerations also include information
-               systems sharing the same networks. For certain technologies (e.g., space, unmanned
-               aerial vehicles, and medical devices), there may be specialized connections in place
-               during preoperational testing. Such connections may require Interconnection Security
-               Agreements and be subject to additional security controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CA-3(a)</prop>
-               <p>authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-3(b)</prop>
-               <p>documents, for each interconnection:</p>
-               <part id="ca-3.b_obj.1" name="objective">
-                  <prop name="label">CA-3(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-3.b_obj.2" name="objective">
-                  <prop name="label">CA-3(b)[2]</prop>
-                  <p>the security requirements;</p>
-               </part>
-               <part id="ca-3.b_obj.3" name="objective">
-                  <prop name="label">CA-3(b)[3]</prop>
-                  <p>the nature of the information communicated;</p>
-               </part>
-            </part>
-            <part id="ca-3.c_obj" name="objective">
-               <prop name="label">CA-3(c)</prop>
-               <part id="ca-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-3(c)[1]</prop>
-                  <p>defines the frequency to review and update Interconnection Security Agreements;
-                     and</p>
-               </part>
-               <part id="ca-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-3(c)[2]</prop>
-                  <p>reviews and updates Interconnection Security Agreements with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>information system Interconnection Security Agreements</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  approving information system interconnection agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel managing the system(s) to which the Interconnection Security Agreement
-                  applies</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-3.3">
-            <title>Unclassified Non-national Security System Connections</title>
-            <param id="ca-3.3_prm_1">
-               <label>organization-defined unclassified, non-national security system</label>
-            </param>
-            <param id="ca-3.3_prm_2">
-               <label>Assignment; organization-defined boundary protection device</label>
-               <constraint>boundary protections which meet the Trusted Internet Connection (TIC) requirements</constraint>
-            </param>
-            <prop name="label">CA-3(3)</prop>
-            <prop name="sort-id">ca-03.03</prop>
-            <part id="ca-3.3_smt" name="statement">
-               <p>The organization prohibits the direct connection of an <insert param-id="ca-3.3_prm_1"/> to an external network without the use of <insert param-id="ca-3.3_prm_2"/>.</p>
-               <part id="ca-3.3_fr" name="item">
-                  <title>CA-3 (3) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-3.3_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-3.3_gdn" name="guidance">
-               <p>Organizations typically do not have control over external networks (e.g., the
-                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate
-                  communications (i.e., information flows) between unclassified non-national
-                  security systems and external networks. This control enhancement is required for
-                  organizations processing, storing, or transmitting Controlled Unclassified
-                  Information (CUI).</p>
-            </part>
-            <part id="ca-3.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-3.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-3(3)[1]</prop>
-                  <p>defines an unclassified, non-national security system whose direct connection
-                     to an external network is to be prohibited without the use of approved boundary
-                     protection device;</p>
-               </part>
-               <part id="ca-3.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-3(3)[2]</prop>
-                  <p>defines a boundary protection device to be used to establish the direct
-                     connection of an organization-defined unclassified, non-national security
-                     system to an external network; and</p>
-               </part>
-               <part id="ca-3.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-3(3)[3]</prop>
-                  <p>prohibits the direct connection of an organization-defined unclassified,
-                     non-national security system to an external network without the use of an
-                     organization-defined boundary protection device.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection security agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for managing direct connections to
-                     external networks</p>
-                  <p>network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel managing directly connected external networks</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting the management of external network
-                     connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.5">
-            <title>Restrictions On External System Connections</title>
-            <param id="ca-3.5_prm_1">
-               <constraint>deny-all, permit by exception</constraint>
-            </param>
-            <param id="ca-3.5_prm_2">
-               <label>organization-defined information systems</label>
-               <constraint>any systems</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CA-3(5)</prop>
-            <prop name="sort-id">ca-03.05</prop>
-            <part id="ca-3.5_smt" name="statement">
-               <p>The organization employs <insert param-id="ca-3.5_prm_1"/> policy for allowing
-                     <insert param-id="ca-3.5_prm_2"/> to connect to external information
-                  systems.</p>
-               <part id="ca-3.5_fr" name="item">
-                  <title>CA-3 (5) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-3.5_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-3.5_gdn" name="guidance">
-               <p>Organizations can constrain information system connectivity to external domains
-                  (e.g., websites) by employing one of two policies with regard to such
-                  connectivity: (i) allow-all, deny by exception, also known as blacklisting (the
-                  weaker of the two policies); or (ii) deny-all, allow by exception, also known as
-                  whitelisting (the stronger of the two policies). For either policy, organizations
-                  determine what exceptions, if any, are acceptable.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-            </part>
-            <part id="ca-3.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ca-3.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-3(5)[1]</prop>
-                  <p>defines information systems to be allowed to connect to external information
-                     systems;</p>
-               </part>
-               <part id="ca-3.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-3(5)[2]</prop>
-                  <p>employs one of the following policies for allowing organization-defined
-                     information systems to connect to external information systems:</p>
-                  <part id="ca-3.5_obj.2.a" name="objective">
-                     <prop name="label">CA-3(5)[2][a]</prop>
-                     <p>allow-all policy;</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.b" name="objective">
-                     <prop name="label">CA-3(5)[2][b]</prop>
-                     <p>deny-by-exception policy;</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.c" name="objective">
-                     <prop name="label">CA-3(5)[2][c]</prop>
-                     <p>deny-all policy; or</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.d" name="objective">
-                     <prop name="label">CA-3(5)[2][d]</prop>
-                     <p>permit-by-exception policy.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for managing connections to
-                     external information systems</p>
-                  <p>network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing restrictions on external system
-                     connections</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-5">
-         <title>Plan of Action and Milestones</title>
-         <param id="ca-5_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-5</prop>
-         <prop name="sort-id">ca-05</prop>
-         <link href="#2c5884cd-7b96-425c-862a-99877e1cf909" rel="reference">OMB Memorandum 02-01</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <part id="ca-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a plan of action and milestones for the information system to document
-                  the organization’s planned remedial actions to correct weaknesses or deficiencies
-                  noted during the assessment of the security controls and to reduce or eliminate
-                  known vulnerabilities in the system; and</p>
-            </part>
-            <part id="ca-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates existing plan of action and milestones <insert param-id="ca-5_prm_1"/>
-                  based on the findings from security controls assessments, security impact
-                  analyses, and continuous monitoring activities.</p>
-            </part>
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-5_gdn" name="guidance">
-            <p>Plans of action and milestones are key documents in security authorization packages
-               and are subject to federal reporting requirements established by OMB.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-4">PM-4</link>
-         </part>
-         <part id="ca-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CA-5(a)</prop>
-               <p>develops a plan of action and milestones for the information system to:</p>
-               <part id="ca-5.a_obj.1" name="objective">
-                  <prop name="label">CA-5(a)[1]</prop>
-                  <p>document the organization’s planned remedial actions to correct weaknesses or
-                     deficiencies noted during the assessment of the security controls;</p>
-               </part>
-               <part id="ca-5.a_obj.2" name="objective">
-                  <prop name="label">CA-5(a)[2]</prop>
-                  <p>reduce or eliminate known vulnerabilities in the system;</p>
-               </part>
-            </part>
-            <part id="ca-5.b_obj" name="objective">
-               <prop name="label">CA-5(b)</prop>
-               <part id="ca-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-5(b)[1]</prop>
-                  <p>defines the frequency to update the existing plan of action and milestones;</p>
-               </part>
-               <part id="ca-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-5(b)[2]</prop>
-                  <p>updates the existing plan of action and milestones with the
-                     organization-defined frequency based on the findings from:</p>
-                  <part id="ca-5.b_obj.2.a" name="objective">
-                     <prop name="label">CA-5(b)[2][a]</prop>
-                     <p>security controls assessments;</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.b" name="objective">
-                     <prop name="label">CA-5(b)[2][b]</prop>
-                     <p>security impact analyses; and</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.c" name="objective">
-                     <prop name="label">CA-5(b)[2][c]</prop>
-                     <p>continuous monitoring activities.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing plan of action and milestones</p>
-               <p>security plan</p>
-               <p>security assessment plan</p>
-               <p>security assessment report</p>
-               <p>security assessment evidence</p>
-               <p>plan of action and milestones</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with plan of action and milestones development and
-                  implementation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms for developing, implementing, and maintaining plan of action
-                  and milestones</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-6">
-         <title>Security Authorization</title>
-         <param id="ca-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three (3) years or when a significant change occurs</constraint>
-         </param>
-         <prop name="label">CA-6</prop>
-         <prop name="sort-id">ca-06</prop>
-         <link href="#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab" rel="reference">OMB Circular A-130</link>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations; and</p>
-            </part>
-            <part id="ca-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Updates the security authorization <insert param-id="ca-6_prm_1"/>.</p>
-            </part>
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-6_gdn" name="guidance">
-            <p>Security authorizations are official management decisions, conveyed through
-               authorization decision documents, by senior organizational officials or executives
-               (i.e., authorizing officials) to authorize operation of information systems and to
-               explicitly accept the risk to organizational operations and assets, individuals,
-               other organizations, and the Nation based on the implementation of agreed-upon
-               security controls. Authorizing officials provide budgetary oversight for
-               organizational information systems or assume responsibility for the mission/business
-               operations supported by those systems. The security authorization process is an
-               inherently federal responsibility and therefore, authorizing officials must be
-               federal employees. Through the security authorization process, authorizing officials
-               assume responsibility and are accountable for security risks associated with the
-               operation and use of organizational information systems. Accordingly, authorizing
-               officials are in positions with levels of authority commensurate with understanding
-               and accepting such information security-related risks. OMB policy requires that
-               organizations conduct ongoing authorizations of information systems by implementing
-               continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-               reauthorization requirements, so separate reauthorization processes are not
-               necessary. Through the employment of comprehensive continuous monitoring processes,
-               critical information contained in authorization packages (i.e., security plans,
-               security assessment reports, and plans of action and milestones) is updated on an
-               ongoing basis, providing authorizing officials and information system owners with an
-               up-to-date status of the security state of organizational information systems and
-               environments of operation. To reduce the administrative cost of security
-               reauthorization, authorizing officials use the results of continuous monitoring
-               processes to the maximum extent possible as the basis for rendering reauthorization
-               decisions.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-10">PM-10</link>
-         </part>
-         <part id="ca-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-6(a)</prop>
-               <p>assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CA-6(b)</prop>
-               <p>ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations;</p>
-            </part>
-            <part id="ca-6.c_obj" name="objective">
-               <prop name="label">CA-6(c)</prop>
-               <part id="ca-6.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-6(c)[1]</prop>
-                  <p>defines the frequency to update the security authorization; and</p>
-               </part>
-               <part id="ca-6.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-6(c)[2]</prop>
-                  <p>updates the security authorization with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security authorization</p>
-               <p>security authorization package (including security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>authorization statement)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security authorization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms that facilitate security authorizations and updates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-7">
-         <title>Continuous Monitoring</title>
-         <param id="ca-7_prm_1">
-            <label>organization-defined metrics</label>
-         </param>
-         <param id="ca-7_prm_2">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_3">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_4">
-            <label>organization-defined personnel or roles</label>
-            <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-         </param>
-         <param id="ca-7_prm_5">
-            <label>organization-defined frequency</label>
-            <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-7</prop>
-         <prop name="sort-id">ca-07</prop>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb" rel="reference">US-CERT Technical Cyber Security Alerts</link>
-         <link href="#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b" rel="reference">DoD Information Assurance Vulnerability Alerts</link>
-         <part id="ca-7_smt" name="statement">
-            <p>The organization develops a continuous monitoring strategy and implements a
-               continuous monitoring program that includes:</p>
-            <part id="ca-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_1"/> to be monitored;</p>
-            </part>
-            <part id="ca-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_2"/> for monitoring and <insert param-id="ca-7_prm_3"/> for assessments supporting such monitoring;</p>
-            </part>
-            <part id="ca-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ongoing security control assessments in accordance with the organizational
-                  continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Ongoing security status monitoring of organization-defined metrics in accordance
-                  with the organizational continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Correlation and analysis of security-related information generated by assessments
-                  and monitoring;</p>
-            </part>
-            <part id="ca-7_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Response actions to address results of the analysis of security-related
-                  information; and</p>
-            </part>
-            <part id="ca-7_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Reporting the security status of organization and the information system to
-                     <insert param-id="ca-7_prm_4"/>
-                  <insert param-id="ca-7_prm_5"/>.</p>
-            </part>
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-7_gdn" name="guidance">
-            <p>Continuous monitoring programs facilitate ongoing awareness of threats,
-               vulnerabilities, and information security to support organizational risk management
-               decisions. The terms continuous and ongoing imply that organizations assess/analyze
-               security controls and information security-related risks at a frequency sufficient to
-               support organizational risk-based decisions. The results of continuous monitoring
-               programs generate appropriate risk response actions by organizations. Continuous
-               monitoring programs also allow organizations to maintain the security authorizations
-               of information systems and common controls over time in highly dynamic environments
-               of operation with changing mission/business needs, threats, vulnerabilities, and
-               technologies. Having access to security-related information on a continuing basis
-               through reports/dashboards gives organizational officials the capability to make more
-               effective and timely risk management decisions, including ongoing security
-               authorization decisions. Automation supports more frequent updates to security
-               authorization packages, hardware/software/firmware inventories, and other system
-               information. Effectiveness is further enhanced when continuous monitoring outputs are
-               formatted to provide information that is specific, measurable, actionable, relevant,
-               and timely. Continuous monitoring activities are scaled in accordance with the
-               security categories of information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-6">PM-6</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ca-7.a_obj" name="objective">
-               <prop name="label">CA-7(a)</prop>
-               <part id="ca-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(a)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines metrics to be
-                     monitored;</p>
-               </part>
-               <part id="ca-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(a)[2]</prop>
-                  <p>develops a continuous monitoring strategy that includes monitoring of
-                     organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(a)[3]</prop>
-                  <p>implements a continuous monitoring program that includes monitoring of
-                     organization-defined metrics in accordance with the organizational continuous
-                     monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.b_obj" name="objective">
-               <prop name="label">CA-7(b)</prop>
-               <part id="ca-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines frequencies for
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[2]</prop>
-                  <p>defines frequencies for assessments supporting monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes establishment of the
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(b)[4]</prop>
-                  <p>implements a continuous monitoring program that includes establishment of
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     such monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.c_obj" name="objective">
-               <prop name="label">CA-7(c)</prop>
-               <part id="ca-7.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(c)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security
-                     control assessments;</p>
-               </part>
-               <part id="ca-7.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(c)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     control assessments in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.d_obj" name="objective">
-               <prop name="label">CA-7(d)</prop>
-               <part id="ca-7.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(d)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security status
-                     monitoring of organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(d)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     status monitoring of organization-defined metrics in accordance with the
-                     organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.e_obj" name="objective">
-               <prop name="label">CA-7(e)</prop>
-               <part id="ca-7.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(e)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(e)[2]</prop>
-                  <p>implements a continuous monitoring program that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.f_obj" name="objective">
-               <prop name="label">CA-7(f)</prop>
-               <part id="ca-7.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(f)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes response actions to
-                     address results of the analysis of security-related information;</p>
-               </part>
-               <part id="ca-7.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(f)[2]</prop>
-                  <p>implements a continuous monitoring program that includes response actions to
-                     address results of the analysis of security-related information in accordance
-                     with the organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.g_obj" name="objective">
-               <prop name="label">CA-7(g)</prop>
-               <part id="ca-7.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines the personnel or roles
-                     to whom the security status of the organization and information system are to
-                     be reported;</p>
-               </part>
-               <part id="ca-7.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[2]</prop>
-                  <p>develops a continuous monitoring strategy that defines the frequency to report
-                     the security status of the organization and information system to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="ca-7.g_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes reporting the security
-                     status of the organization or information system to organizational-defined
-                     personnel or roles with the organization-defined frequency; and</p>
-               </part>
-               <part id="ca-7.g_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(g)[4]</prop>
-                  <p>implements a continuous monitoring program that includes reporting the security
-                     status of the organization and information system to organization-defined
-                     personnel or roles with the organization-defined frequency in accordance with
-                     the organizational continuous monitoring strategy.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing continuous monitoring of information system security
-                  controls</p>
-               <p>procedures addressing configuration management</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>information system monitoring records</p>
-               <p>configuration management records, security impact analyses</p>
-               <p>status reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with continuous monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Mechanisms implementing continuous monitoring</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-7.1">
-            <title>Independent Assessment</title>
-            <param id="ca-7.1_prm_1">
-               <label>organization-defined level of independence</label>
-            </param>
-            <prop name="label">CA-7(1)</prop>
-            <prop name="sort-id">ca-07.01</prop>
-            <part id="ca-7.1_smt" name="statement">
-               <p>The organization employs assessors or assessment teams with <insert param-id="ca-7.1_prm_1"/> to monitor the security controls in the information
-                  system on an ongoing basis.</p>
-            </part>
-            <part id="ca-7.1_gdn" name="guidance">
-               <p>Organizations can maximize the value of assessments of security controls during
-                  the continuous monitoring process by requiring that such assessments be conducted
-                  by assessors or assessment teams with appropriate levels of independence based on
-                  continuous monitoring strategies. Assessor independence provides a degree of
-                  impartiality to the monitoring process. To achieve such impartiality, assessors
-                  should not: (i) create a mutual or conflicting interest with the organizations
-                  where the assessments are being conducted; (ii) assess their own work; (iii) act
-                  as management or employees of the organizations they are serving; or (iv) place
-                  themselves in advocacy positions for the organizations acquiring their
-                  services.</p>
-            </part>
-            <part id="ca-7.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-7.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(1)[1]</prop>
-                  <p>defines a level of independence to be employed to monitor the security controls
-                     in the information system on an ongoing basis; and</p>
-               </part>
-               <part id="ca-7.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-7(1)[2]</prop>
-                  <p>employs assessors or assessment teams with the organization-defined level of
-                     independence to monitor the security controls in the information system on an
-                     ongoing basis.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing continuous monitoring of information system security
-                     controls</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>plan of action and milestones</p>
-                  <p>information system monitoring records</p>
-                  <p>security impact analyses</p>
-                  <p>status reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with continuous monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-7.3">
-            <title>Trend Analyses</title>
-            <prop name="label">CA-7(3)</prop>
-            <prop name="sort-id">ca-07.03</prop>
-            <part id="ca-7.3_smt" name="statement">
-               <p>The organization employs trend analyses to determine if security control
-                  implementations, the frequency of continuous monitoring activities, and/or the
-                  types of activities used in the continuous monitoring process need to be modified
-                  based on empirical data.</p>
-            </part>
-            <part id="ca-7.3_gdn" name="guidance">
-               <p>Trend analyses can include, for example, examining recent threat information
-                  regarding the types of threat events that have occurred within the organization or
-                  across the federal government, success rates of certain types of cyber attacks,
-                  emerging vulnerabilities in information technologies, evolving social engineering
-                  techniques, results from multiple security control assessments, the effectiveness
-                  of configuration settings, and findings from Inspectors General or auditors.</p>
-            </part>
-            <part id="ca-7.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization employs trend analyses to determine if the following
-                  items need to be modified based on empirical data:</p>
-               <part id="ca-7.3_obj.1" name="objective">
-                  <prop name="label">CA-7(3)[1]</prop>
-                  <p>security control implementations;</p>
-               </part>
-               <part id="ca-7.3_obj.2" name="objective">
-                  <prop name="label">CA-7(3)[2]</prop>
-                  <p>the frequency of continuous monitoring activities; and/or</p>
-               </part>
-               <part id="ca-7.3_obj.3" name="objective">
-                  <prop name="label">CA-7(3)[3]</prop>
-                  <p>the types of activities used in the continuous monitoring process.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Continuous monitoring strategy</p>
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing continuous monitoring of information system security
-                     controls</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>plan of action and milestones</p>
-                  <p>information system monitoring records</p>
-                  <p>security impact analyses</p>
-                  <p>status reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with continuous monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-8">
-         <title>Penetration Testing</title>
-         <param id="ca-8_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ca-8_prm_2">
-            <label>organization-defined information systems or system components</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-8</prop>
-         <prop name="sort-id">ca-08</prop>
-         <part id="ca-8_smt" name="statement">
-            <p>The organization conducts penetration testing <insert param-id="ca-8_prm_1"/> on
-                  <insert param-id="ca-8_prm_2"/>.</p>
-            <part id="ca-8_fr" name="item">
-               <title>CA-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance <a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-8_gdn" name="guidance">
-            <p>Penetration testing is a specialized type of assessment conducted on information
-               systems or individual system components to identify vulnerabilities that could be
-               exploited by adversaries. Such testing can be used to either validate vulnerabilities
-               or determine the degree of resistance organizational information systems have to
-               adversaries within a set of specified constraints (e.g., time, resources, and/or
-               skills). Penetration testing attempts to duplicate the actions of adversaries in
-               carrying out hostile cyber attacks against organizations and provides a more in-depth
-               analysis of security-related weaknesses/deficiencies. Organizations can also use the
-               results of vulnerability analyses to support penetration testing activities.
-               Penetration testing can be conducted on the hardware, software, or firmware
-               components of an information system and can exercise both physical and technical
-               security controls. A standard method for penetration testing includes, for example:
-               (i) pretest analysis based on full knowledge of the target system; (ii) pretest
-               identification of potential vulnerabilities based on pretest analysis; and (iii)
-               testing designed to determine exploitability of identified vulnerabilities. All
-               parties agree to the rules of engagement before the commencement of penetration
-               testing scenarios. Organizations correlate the penetration testing rules of
-               engagement with the tools, techniques, and procedures that are anticipated to be
-               employed by adversaries carrying out attacks. Organizational risk assessments guide
-               decisions on the level of independence required for personnel conducting penetration
-               testing.</p>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="ca-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-8_obj.1" name="objective">
-               <prop name="label">CA-8[1]</prop>
-               <p>defines information systems or system components on which penetration testing is
-                  to be conducted;</p>
-            </part>
-            <part id="ca-8_obj.2" name="objective">
-               <prop name="label">CA-8[2]</prop>
-               <p>defines the frequency to conduct penetration testing on organization-defined
-                  information systems or system components; and</p>
-            </part>
-            <part id="ca-8_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CA-8[3]</prop>
-               <p>conducts penetration testing on organization-defined information systems or system
-                  components with the organization-defined frequency.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing penetration testing</p>
-               <p>security plan</p>
-               <p>security assessment plan</p>
-               <p>penetration test report</p>
-               <p>security assessment report</p>
-               <p>security assessment evidence</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities,
-                  system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting penetration testing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-8.1">
-            <title>Independent Penetration Agent or Team</title>
-            <prop name="label">CA-8(1)</prop>
-            <prop name="sort-id">ca-08.01</prop>
-            <part id="ca-8.1_smt" name="statement">
-               <p>The organization employs an independent penetration agent or penetration team to
-                  perform penetration testing on the information system or system components.</p>
-            </part>
-            <part id="ca-8.1_gdn" name="guidance">
-               <p>Independent penetration agents or teams are individuals or groups who conduct
-                  impartial penetration testing of organizational information systems. Impartiality
-                  implies that penetration agents or teams are free from any perceived or actual
-                  conflicts of interest with regard to the development, operation, or management of
-                  the information systems that are the targets of the penetration testing.
-                  Supplemental guidance for CA-2 (1) provides additional information regarding
-                  independent assessments that can be applied to penetration testing.</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-            </part>
-            <part id="ca-8.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization employs an independent penetration agent or
-                  penetration team to perform penetration testing on the information system or
-                  system components. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing penetration testing</p>
-                  <p>security plan</p>
-                  <p>security assessment plan</p>
-                  <p>penetration test report</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-9">
-         <title>Internal System Connections</title>
-         <param id="ca-9_prm_1">
-            <label>organization-defined information system components or classes of
-               components</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-9</prop>
-         <prop name="sort-id">ca-09</prop>
-         <part id="ca-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes internal connections of <insert param-id="ca-9_prm_1"/> to the
-                  information system; and</p>
-            </part>
-            <part id="ca-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each internal connection, the interface characteristics, security
-                  requirements, and the nature of the information communicated.</p>
-            </part>
-         </part>
-         <part id="ca-9_gdn" name="guidance">
-            <p>This control applies to connections between organizational information systems and
-               (separate) constituent system components (i.e., intra-system connections) including,
-               for example, system connections with mobile devices, notebook/desktop computers,
-               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-               authorizing each individual internal connection, organizations can authorize internal
-               connections for a class of components with common characteristics and/or
-               configurations, for example, all digital printers, scanners, and copiers with a
-               specified processing, storage, and transmission capability or all smart phones with a
-               specific baseline configuration.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-9.a_obj" name="objective">
-               <prop name="label">CA-9(a)</prop>
-               <part id="ca-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-9(a)[1]</prop>
-                  <p>defines information system components or classes of components to be authorized
-                     as internal connections to the information system;</p>
-               </part>
-               <part id="ca-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-9(a)[2]</prop>
-                  <p>authorizes internal connections of organization-defined information system
-                     components or classes of components to the information system;</p>
-               </part>
-            </part>
-            <part id="ca-9.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-9(b)</prop>
-               <p>documents, for each internal connection:</p>
-               <part id="ca-9.b_obj.1" name="objective">
-                  <prop name="label">CA-9(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-9.b_obj.2" name="objective">
-                  <prop name="label">CA-9(b)[2]</prop>
-                  <p>the security requirements; and</p>
-               </part>
-               <part id="ca-9.b_obj.3" name="objective">
-                  <prop name="label">CA-9(b)[3]</prop>
-                  <p>the nature of the information communicated.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of components or classes of components authorized as internal system
-                  connections</p>
-               <p>security assessment report</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  authorizing internal system connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="cm">
-      <title>Configuration Management</title>
-      <control class="SP800-53" id="cm-1">
-         <title>Configuration Management Policy and Procedures</title>
-         <param id="cm-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cm-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="cm-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-1</prop>
-         <prop name="sort-id">cm-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cm-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cm-1_prm_1"/>:</p>
-               <part id="cm-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A configuration management policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cm-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the configuration management
-                     policy and associated configuration management controls; and</p>
-               </part>
-            </part>
-            <part id="cm-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cm-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Configuration management policy <insert param-id="cm-1_prm_2"/>; and</p>
-               </part>
-               <part id="cm-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Configuration management procedures <insert param-id="cm-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CM
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cm-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-1.a_obj" name="objective">
-               <prop name="label">CM-1(a)</prop>
-               <part id="cm-1.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-1(a)(1)</prop>
-                  <part id="cm-1.a.1_obj.1" name="objective">
-                     <prop name="label">CM-1(a)(1)[1]</prop>
-                     <p>develops and documents a configuration management policy that addresses:</p>
-                     <part id="cm-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cm-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the configuration management policy is to
-                        be disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CM-1(a)(1)[3]</prop>
-                     <p>disseminates the configuration management policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cm-1.a.2_obj" name="objective">
-                  <prop name="label">CM-1(a)(2)</prop>
-                  <part id="cm-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        configuration management policy and associated configuration management
-                        controls;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CM-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-1.b_obj" name="objective">
-               <prop name="label">CM-1(b)</prop>
-               <part id="cm-1.b.1_obj" name="objective">
-                  <prop name="label">CM-1(b)(1)</prop>
-                  <part id="cm-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management policy;</p>
-                  </part>
-                  <part id="cm-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current configuration management policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cm-1.b.2_obj" name="objective">
-                  <prop name="label">CM-1(b)(2)</prop>
-                  <part id="cm-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management procedures; and</p>
-                  </part>
-                  <part id="cm-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current configuration management procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-2">
-         <title>Baseline Configuration</title>
-         <prop name="label">CM-2</prop>
-         <prop name="sort-id">cm-02</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-2_smt" name="statement">
-            <p>The organization develops, documents, and maintains under configuration control, a
-               current baseline configuration of the information system.</p>
-         </part>
-         <part id="cm-2_gdn" name="guidance">
-            <p>This control establishes baseline configurations for information systems and system
-               components including communications and connectivity-related aspects of systems.
-               Baseline configurations are documented, formally reviewed and agreed-upon sets of
-               specifications for information systems or configuration items within those systems.
-               Baseline configurations serve as a basis for future builds, releases, and/or changes
-               to information systems. Baseline configurations include information about information
-               system components (e.g., standard software packages installed on workstations,
-               notebook computers, servers, network components, or mobile devices; current version
-               numbers and patch information on operating systems and applications; and
-               configuration settings/parameters), network topology, and the logical placement of
-               those components within the system architecture. Maintaining baseline configurations
-               requires creating new baselines as organizational information systems change over
-               time. Baseline configurations of information systems reflect the current enterprise
-               architecture.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-         </part>
-         <part id="cm-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-2_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CM-2[1]</prop>
-               <p>develops and documents a current baseline configuration of the information system;
-                  and</p>
-            </part>
-            <part id="cm-2_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-2[2]</prop>
-               <p>maintains, under configuration control, a current baseline configuration of the
-                  information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing the baseline configuration of the information system</p>
-               <p>configuration management plan</p>
-               <p>enterprise architecture documentation</p>
-               <p>information system design documentation</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>change control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing baseline configurations</p>
-               <p>automated mechanisms supporting configuration control of the baseline
-                  configuration</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-2.1">
-            <title>Reviews and Updates</title>
-            <param id="cm-2.1_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least annually or when a significant change occurs</constraint>
-            </param>
-            <param id="cm-2.1_prm_2">
-               <label>Assignment organization-defined circumstances</label>
-               <constraint>to include when directed by the JAB</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-2(1)</prop>
-            <prop name="sort-id">cm-02.01</prop>
-            <part id="cm-2.1_smt" name="statement">
-               <p>The organization reviews and updates the baseline configuration of the information
-                  system:</p>
-               <part id="cm-2.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>
-                     <insert param-id="cm-2.1_prm_1"/>;</p>
-               </part>
-               <part id="cm-2.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>When required due to <insert param-id="cm-2.1_prm_2"/>; and</p>
-               </part>
-               <part id="cm-2.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>As an integral part of information system component installations and
-                     upgrades.</p>
-               </part>
-               <part id="cm-2.1_fr" name="item">
-                  <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-                  <part id="cm-2.1_fr_gdn.1" name="guidance">
-                     <prop name="label">(a) Guidance:</prop>
-                     <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-2.1_gdn" name="guidance">
-               <link rel="related" href="#cm-5">CM-5</link>
-            </part>
-            <part id="cm-2.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.1.a_obj" name="objective">
-                  <prop name="label">CM-2(1)(a)</prop>
-                  <part id="cm-2.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(1)(a)[1]</prop>
-                     <p>defines the frequency to review and update the baseline configuration of the
-                        information system;</p>
-                  </part>
-                  <part id="cm-2.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-2(1)(a)[2]</prop>
-                     <p>reviews and updates the baseline configuration of the information system
-                        with the organization-defined frequency;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.1_smt.a">CM-2(1)(a)</link>
-               </part>
-               <part id="cm-2.1.b_obj" name="objective">
-                  <prop name="label">CM-2(1)(b)</prop>
-                  <part id="cm-2.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(1)(b)[1]</prop>
-                     <p>defines circumstances that require the baseline configuration of the
-                        information system to be reviewed and updated;</p>
-                  </part>
-                  <part id="cm-2.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-2(1)(b)[2]</prop>
-                     <p>reviews and updates the baseline configuration of the information system
-                        when required due to organization-defined circumstances; and</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.1_smt.b">CM-2(1)(b)</link>
-               </part>
-               <part id="cm-2.1.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(1)(c)</prop>
-                  <p>reviews and updates the baseline configuration of the information system as an
-                     integral part of information system component installations and upgrades.</p>
-                  <link rel="corresp" href="#cm-2.1_smt.c">CM-2(1)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>procedures addressing information system component installations and
-                     upgrades</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of information system baseline configuration reviews and updates</p>
-                  <p>information system component installations/upgrades and associated records</p>
-                  <p>change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-                  <p>automated mechanisms supporting review and update of the baseline
-                     configuration</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.2">
-            <title>Automation Support for Accuracy / Currency</title>
-            <prop name="label">CM-2(2)</prop>
-            <prop name="sort-id">cm-02.02</prop>
-            <part id="cm-2.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to maintain an up-to-date, complete,
-                  accurate, and readily available baseline configuration of the information
-                  system.</p>
-            </part>
-            <part id="cm-2.2_gdn" name="guidance">
-               <p>Automated mechanisms that help organizations maintain consistent baseline
-                  configurations for information systems include, for example, hardware and software
-                  inventory tools, configuration management tools, and network management tools.
-                  Such tools can be deployed and/or allocated as common controls, at the information
-                  system level, or at the operating system or component level (e.g., on
-                  workstations, servers, notebook computers, network components, or mobile devices).
-                  Tools can be used, for example, to track version numbers on operating system
-                  applications, types of software installed, and current patch levels. This control
-                  enhancement can be satisfied by the implementation of CM-8 (2) for organizations
-                  that choose to combine information system component inventory and baseline
-                  configuration activities.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="cm-2.2_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to maintain: </p>
-               <part id="cm-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(2)[1]</prop>
-                  <p>an up-to-date baseline configuration of the information system;</p>
-               </part>
-               <part id="cm-2.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(2)[2]</prop>
-                  <p>a complete baseline configuration of the information system;</p>
-               </part>
-               <part id="cm-2.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(2)[3]</prop>
-                  <p>an accurate baseline configuration of the information system; and</p>
-               </part>
-               <part id="cm-2.2_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(2)[4]</prop>
-                  <p>a readily available baseline configuration of the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>configuration change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-                  <p>automated mechanisms implementing baseline configuration maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.3">
-            <title>Retention of Previous Configurations</title>
-            <param id="cm-2.3_prm_1">
-               <label>organization-defined previous versions of baseline configurations of the
-                  information system</label>
-               <constraint>organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components</constraint>
-            </param>
-            <prop name="label">CM-2(3)</prop>
-            <prop name="sort-id">cm-02.03</prop>
-            <part id="cm-2.3_smt" name="statement">
-               <p>The organization retains <insert param-id="cm-2.3_prm_1"/> to support
-                  rollback.</p>
-            </part>
-            <part id="cm-2.3_gdn" name="guidance">
-               <p>Retaining previous versions of baseline configurations to support rollback may
-                  include, for example, hardware, software, firmware, configuration files, and
-                  configuration records.</p>
-            </part>
-            <part id="cm-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-2(3)[1]</prop>
-                  <p>defines previous versions of baseline configurations of the information system
-                     to be retained to support rollback; and</p>
-               </part>
-               <part id="cm-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(3)[2]</prop>
-                  <p>retains organization-defined previous versions of baseline configurations of
-                     the information system to support rollback.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>copies of previous baseline configuration versions</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.7">
-            <title>Configure Systems, Components, or Devices for High-risk Areas</title>
-            <param id="cm-2.7_prm_1">
-               <label>organization-defined information systems, system components, or
-                  devices</label>
-            </param>
-            <param id="cm-2.7_prm_2">
-               <label>organization-defined configurations</label>
-            </param>
-            <param id="cm-2.7_prm_3">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">CM-2(7)</prop>
-            <prop name="sort-id">cm-02.07</prop>
-            <part id="cm-2.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-2.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Issues <insert param-id="cm-2.7_prm_1"/> with <insert param-id="cm-2.7_prm_2"/>
-                     to individuals traveling to locations that the organization deems to be of
-                     significant risk; and</p>
-               </part>
-               <part id="cm-2.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Applies <insert param-id="cm-2.7_prm_3"/> to the devices when the individuals
-                     return.</p>
-               </part>
-            </part>
-            <part id="cm-2.7_gdn" name="guidance">
-               <p>When it is known that information systems, system components, or devices (e.g.,
-                  notebook computers, mobile devices) will be located in high-risk areas, additional
-                  security controls may be implemented to counter the greater threat in such areas
-                  coupled with the lack of physical security relative to organizational-controlled
-                  areas. For example, organizational policies and procedures for notebook computers
-                  used by individuals departing on and returning from travel include, for example,
-                  determining which locations are of concern, defining required configurations for
-                  the devices, ensuring that the devices are configured as intended before travel is
-                  initiated, and applying specific safeguards to the device after travel is
-                  completed. Specially configured notebook computers include, for example, computers
-                  with sanitized hard drives, limited applications, and additional hardening (e.g.,
-                  more stringent configuration settings). Specified safeguards applied to mobile
-                  devices upon return from travel include, for example, examining the device for
-                  signs of physical tampering and purging/reimaging the hard disk drive. Protecting
-                  information residing on mobile devices is covered in the media protection
-                  family.</p>
-            </part>
-            <part id="cm-2.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.7.a_obj" name="objective">
-                  <prop name="label">CM-2(7)(a)</prop>
-                  <part id="cm-2.7.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(7)(a)[1]</prop>
-                     <p>defines information systems, system components, or devices to be issued to
-                        individuals traveling to locations that the organization deems to be of
-                        significant risk;</p>
-                  </part>
-                  <part id="cm-2.7.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(7)(a)[2]</prop>
-                     <p>defines configurations to be employed on organization-defined information
-                        systems, system components, or devices issued to individuals traveling to
-                        such locations;</p>
-                  </part>
-                  <part id="cm-2.7.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-2(7)(a)[3]</prop>
-                     <p>issues organization-defined information systems, system components, or
-                        devices with organization-defined configurations to individuals traveling to
-                        locations that the organization deems to be of significant risk;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.7_smt.a">CM-2(7)(a)</link>
-               </part>
-               <part id="cm-2.7.b_obj" name="objective">
-                  <prop name="label">CM-2(7)(b)</prop>
-                  <part id="cm-2.7.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(7)(b)[1]</prop>
-                     <p>defines security safeguards to be applied to the devices when the
-                        individuals return; and</p>
-                  </part>
-                  <part id="cm-2.7.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-2(7)(b)[2]</prop>
-                     <p>applies organization-defined safeguards to the devices when the individuals
-                        return.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.7_smt.b">CM-2(7)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>procedures addressing information system component installations and
-                     upgrades</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of information system baseline configuration reviews and updates</p>
-                  <p>information system component installations/upgrades and associated records</p>
-                  <p>change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-3">
-         <title>Configuration Change Control</title>
-         <param id="cm-3_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="cm-3_prm_2">
-            <label>organization-defined configuration change control element (e.g., committee,
-               board)</label>
-         </param>
-         <param id="cm-3_prm_3"/>
-         <param id="cm-3_prm_4" depends-on="cm-3_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cm-3_prm_5" depends-on="cm-3_prm_3">
-            <label>organization-defined configuration change conditions</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-3</prop>
-         <prop name="sort-id">cm-03</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines the types of changes to the information system that are
-                  configuration-controlled;</p>
-            </part>
-            <part id="cm-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews proposed configuration-controlled changes to the information system and
-                  approves or disapproves such changes with explicit consideration for security
-                  impact analyses;</p>
-            </part>
-            <part id="cm-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents configuration change decisions associated with the information
-                  system;</p>
-            </part>
-            <part id="cm-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implements approved configuration-controlled changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Retains records of configuration-controlled changes to the information system for
-                     <insert param-id="cm-3_prm_1"/>;</p>
-            </part>
-            <part id="cm-3_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Audits and reviews activities associated with configuration-controlled changes to
-                  the information system; and</p>
-            </part>
-            <part id="cm-3_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Coordinates and provides oversight for configuration change control activities
-                  through <insert param-id="cm-3_prm_2"/> that convenes <insert param-id="cm-3_prm_3"/>.</p>
-            </part>
-            <part id="cm-3_fr" name="item">
-               <title>CM-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-3_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="cm-3_fr_gdn.1" name="guidance">
-                  <prop name="label">(e) Guidance:</prop>
-                  <p>In accordance with record retention policies and procedures.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-3_gdn" name="guidance">
-            <p>Configuration change controls for organizational information systems involve the
-               systematic proposal, justification, implementation, testing, review, and disposition
-               of changes to the systems, including system upgrades and modifications. Configuration
-               change control includes changes to baseline configurations for components and
-               configuration items of information systems, changes to configuration settings for
-               information technology products (e.g., operating systems, applications, firewalls,
-               routers, and mobile devices), unscheduled/unauthorized changes, and changes to
-               remediate vulnerabilities. Typical processes for managing configuration changes to
-               information systems include, for example, Configuration Control Boards that approve
-               proposed changes to systems. For new development information systems or systems
-               undergoing major upgrades, organizations consider including representatives from
-               development organizations on the Configuration Control Boards. Auditing of changes
-               includes activities before and after changes are made to organizational information
-               systems and the auditing activities required to implement such changes.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-12">SI-12</link>
-         </part>
-         <part id="cm-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-3(a)</prop>
-               <p>determines the type of changes to the information system that must be
-                  configuration-controlled;</p>
-            </part>
-            <part id="cm-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CM-3(b)</prop>
-               <p>reviews proposed configuration-controlled changes to the information system and
-                  approves or disapproves such changes with explicit consideration for security
-                  impact analyses;</p>
-            </part>
-            <part id="cm-3.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CM-3(c)</prop>
-               <p>documents configuration change decisions associated with the information
-                  system;</p>
-            </part>
-            <part id="cm-3.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-3(d)</prop>
-               <p>implements approved configuration-controlled changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-3.e_obj" name="objective">
-               <prop name="label">CM-3(e)</prop>
-               <part id="cm-3.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(e)[1]</prop>
-                  <p>defines a time period to retain records of configuration-controlled changes to
-                     the information system;</p>
-               </part>
-               <part id="cm-3.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(e)[2]</prop>
-                  <p>retains records of configuration-controlled changes to the information system
-                     for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="cm-3.f_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-3(f)</prop>
-               <p>audits and reviews activities associated with configuration-controlled changes to
-                  the information system;</p>
-            </part>
-            <part id="cm-3.g_obj" name="objective">
-               <prop name="label">CM-3(g)</prop>
-               <part id="cm-3.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(g)[1]</prop>
-                  <p>defines a configuration change control element (e.g., committee, board)
-                     responsible for coordinating and providing oversight for configuration change
-                     control activities;</p>
-               </part>
-               <part id="cm-3.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(g)[2]</prop>
-                  <p>defines the frequency with which the configuration change control element must
-                     convene; and/or</p>
-               </part>
-               <part id="cm-3.g_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(g)[3]</prop>
-                  <p>defines configuration change conditions that prompt the configuration change
-                     control element to convene; and</p>
-               </part>
-               <part id="cm-3.g_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(g)[4]</prop>
-                  <p>coordinates and provides oversight for configuration change control activities
-                     through organization-defined configuration change control element that convenes
-                     at organization-defined frequency and/or for any organization-defined
-                     configuration change conditions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing information system configuration change control</p>
-               <p>configuration management plan</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>security plan</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>change control audit and review reports</p>
-               <p>agenda /minutes from configuration change control oversight meetings</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration change control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>members of change control board or similar</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for configuration change control</p>
-               <p>automated mechanisms that implement configuration change control</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-3.1">
-            <title>Automated Document / Notification / Prohibition of Changes</title>
-            <param id="cm-3.1_prm_1">
-               <label>organized-defined approval authorities</label>
-            </param>
-            <param id="cm-3.1_prm_2">
-               <label>organization-defined time period</label>
-               <constraint>organization agreed upon time period</constraint>
-            </param>
-            <param id="cm-3.1_prm_3">
-               <label>organization-defined personnel</label>
-               <constraint>organization defined configuration management approval authorities</constraint>
-            </param>
-            <prop name="label">CM-3(1)</prop>
-            <prop name="sort-id">cm-03.01</prop>
-            <part id="cm-3.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to:</p>
-               <part id="cm-3.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Document proposed changes to the information system;</p>
-               </part>
-               <part id="cm-3.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Notify <insert param-id="cm-3.1_prm_1"/> of proposed changes to the information
-                     system and request change approval;</p>
-               </part>
-               <part id="cm-3.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Highlight proposed changes to the information system that have not been
-                     approved or disapproved by <insert param-id="cm-3.1_prm_2"/>;</p>
-               </part>
-               <part id="cm-3.1_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Prohibit changes to the information system until designated approvals are
-                     received;</p>
-               </part>
-               <part id="cm-3.1_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Document all changes to the information system; and</p>
-               </part>
-               <part id="cm-3.1_smt.f" name="item">
-                  <prop name="label">(f)</prop>
-                  <p>Notify <insert param-id="cm-3.1_prm_3"/> when approved changes to the
-                     information system are completed.</p>
-               </part>
-            </part>
-            <part id="cm-3.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-3.1.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(1)(a)</prop>
-                  <p>employs automated mechanisms to document proposed changes to the information
-                     system;</p>
-                  <link rel="corresp" href="#cm-3.1_smt.a">CM-3(1)(a)</link>
-               </part>
-               <part id="cm-3.1.b_obj" name="objective">
-                  <prop name="label">CM-3(1)(b)</prop>
-                  <part id="cm-3.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-3(1)(b)[1]</prop>
-                     <p>defines approval authorities to be notified of proposed changes to the
-                        information system and request change approval;</p>
-                  </part>
-                  <part id="cm-3.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-3(1)(b)[2]</prop>
-                     <p>employs automated mechanisms to notify organization-defined approval
-                        authorities of proposed changes to the information system and request change
-                        approval;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-3.1_smt.b">CM-3(1)(b)</link>
-               </part>
-               <part id="cm-3.1.c_obj" name="objective">
-                  <prop name="label">CM-3(1)(c)</prop>
-                  <part id="cm-3.1.c_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-3(1)(c)[1]</prop>
-                     <p>defines the time period within which proposed changes to the information
-                        system that have not been approved or disapproved must be highlighted;</p>
-                  </part>
-                  <part id="cm-3.1.c_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-3(1)(c)[2]</prop>
-                     <p>employs automated mechanisms to highlight proposed changes to the
-                        information system that have not been approved or disapproved by
-                        organization-defined time period;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-3.1_smt.c">CM-3(1)(c)</link>
-               </part>
-               <part id="cm-3.1.d_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(1)(d)</prop>
-                  <p>employs automated mechanisms to prohibit changes to the information system
-                     until designated approvals are received;</p>
-                  <link rel="corresp" href="#cm-3.1_smt.d">CM-3(1)(d)</link>
-               </part>
-               <part id="cm-3.1.e_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(1)(e)</prop>
-                  <p>employs automated mechanisms to document all changes to the information
-                     system;</p>
-                  <link rel="corresp" href="#cm-3.1_smt.e">CM-3(1)(e)</link>
-               </part>
-               <part id="cm-3.1.f_obj" name="objective">
-                  <prop name="label">CM-3(1)(f)</prop>
-                  <part id="cm-3.1.f_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-3(1)(f)[1]</prop>
-                     <p>defines personnel to be notified when approved changes to the information
-                        system are completed; and</p>
-                  </part>
-                  <part id="cm-3.1.f_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-3(1)(f)[2]</prop>
-                     <p>employs automated mechanisms to notify organization-defined personnel when
-                        approved changes to the information system are completed.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-3.1_smt.f">CM-3(1)(f)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>automated configuration control mechanisms</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>change approval requests</p>
-                  <p>change approvals</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-                  <p>automated mechanisms implementing configuration change control activities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.2">
-            <title>Test / Validate / Document Changes</title>
-            <prop name="label">CM-3(2)</prop>
-            <prop name="sort-id">cm-03.02</prop>
-            <part id="cm-3.2_smt" name="statement">
-               <p>The organization tests, validates, and documents changes to the information system
-                  before implementing the changes on the operational system.</p>
-            </part>
-            <part id="cm-3.2_gdn" name="guidance">
-               <p>Changes to information systems include modifications to hardware, software, or
-                  firmware components and configuration settings defined in CM-6. Organizations
-                  ensure that testing does not interfere with information system operations.
-                  Individuals/groups conducting tests understand organizational security policies
-                  and procedures, information system security policies and procedures, and the
-                  specific health, safety, and environmental risks associated with particular
-                  facilities/processes. Operational systems may need to be taken off-line, or
-                  replicated to the extent feasible, before testing can be conducted. If information
-                  systems must be taken off-line for testing, the tests are scheduled to occur
-                  during planned system outages whenever possible. If testing cannot be conducted on
-                  operational systems, organizations employ compensating controls (e.g., testing on
-                  replicated systems).</p>
-            </part>
-            <part id="cm-3.2_obj" name="objective">
-               <p>Determine if the organization, before implementing changes on the operational
-                  system:</p>
-               <part id="cm-3.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(2)[1]</prop>
-                  <p>tests changes to the information system;</p>
-               </part>
-               <part id="cm-3.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(2)[2]</prop>
-                  <p>validates changes to the information system; and</p>
-               </part>
-               <part id="cm-3.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(2)[3]</prop>
-                  <p>documents changes to the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>test records</p>
-                  <p>validation records</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-                  <p>automated mechanisms supporting and/or implementing testing, validating, and
-                     documenting information system changes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.4">
-            <title>Security Representative</title>
-            <param id="cm-3.4_prm_1">
-               <label>organization-defined configuration change control element</label>
-               <constraint>Configuration control board (CCB) or similar (as defined in CM-3)</constraint>
-            </param>
-            <prop name="label">CM-3(4)</prop>
-            <prop name="sort-id">cm-03.04</prop>
-            <part id="cm-3.4_smt" name="statement">
-               <p>The organization requires an information security representative to be a member of
-                  the <insert param-id="cm-3.4_prm_1"/>.</p>
-            </part>
-            <part id="cm-3.4_gdn" name="guidance">
-               <p>Information security representatives can include, for example, senior agency
-                  information security officers, information system security officers, or
-                  information system security managers. Representation by personnel with information
-                  security expertise is important because changes to information system
-                  configurations can have unintended side effects, some of which may be
-                  security-relevant. Detecting such changes early in the process can help avoid
-                  unintended, negative consequences that could ultimately affect the security state
-                  of organizational information systems. The configuration change control element in
-                  this control enhancement reflects the change control elements defined by
-                  organizations in CM-3.</p>
-            </part>
-            <part id="cm-3.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-3.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CM-3(4)[1]</prop>
-                  <p>specifies the configuration change control elements (as defined in CM-3g) of
-                     which an information security representative is to be a member; and</p>
-               </part>
-               <part id="cm-3.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(4)[2]</prop>
-                  <p>requires an information security representative to be a member of the specified
-                     configuration control element.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.6">
-            <title>Cryptography Management</title>
-            <param id="cm-3.6_prm_1">
-               <label>organization-defined security safeguards</label>
-               <constraint>All security safeguards that rely on cryptography</constraint>
-            </param>
-            <prop name="label">CM-3(6)</prop>
-            <prop name="sort-id">cm-03.06</prop>
-            <part id="cm-3.6_smt" name="statement">
-               <p>The organization ensures that cryptographic mechanisms used to provide <insert param-id="cm-3.6_prm_1"/> are under configuration management.</p>
-            </part>
-            <part id="cm-3.6_gdn" name="guidance">
-               <p>Regardless of the cryptographic means employed (e.g., public key, private key,
-                  shared secrets), organizations ensure that there are processes and procedures in
-                  place to effectively manage those means. For example, if devices use certificates
-                  as a basis for identification and authentication, there needs to be a process in
-                  place to address the expiration of those certificates.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="cm-3.6_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-3.6_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(6)[1]</prop>
-                  <p>defines security safeguards provided by cryptographic mechanisms that are to be
-                     under configuration management; and</p>
-               </part>
-               <part id="cm-3.6_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(6)[2]</prop>
-                  <p>ensures that cryptographic mechanisms used to provide organization-defined
-                     security safeguards are under configuration management.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-                  <p>cryptographic mechanisms implementing organizational security safeguards</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-4">
-         <title>Security Impact Analysis</title>
-         <prop name="label">CM-4</prop>
-         <prop name="sort-id">cm-04</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-4_smt" name="statement">
-            <p>The organization analyzes changes to the information system to determine potential
-               security impacts prior to change implementation.</p>
-         </part>
-         <part id="cm-4_gdn" name="guidance">
-            <p>Organizational personnel with information security responsibilities (e.g.,
-               Information System Administrators, Information System Security Officers, Information
-               System Security Managers, and Information System Security Engineers) conduct security
-               impact analyses. Individuals conducting security impact analyses possess the
-               necessary skills/technical expertise to analyze the changes to information systems
-               and the associated security ramifications. Security impact analysis may include, for
-               example, reviewing security plans to understand security control requirements and
-               reviewing system design documentation to understand control implementation and how
-               specific changes might affect the controls. Security impact analyses may also include
-               assessments of risk to better understand the impact of the changes and to determine
-               if additional security controls are required. Security impact analyses are scaled in
-               accordance with the security categories of the information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="cm-4_obj" name="objective">
-            <p>Determine if the organization analyzes changes to the information system to determine
-               potential security impacts prior to change implementation.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing security impact analysis for changes to the information
-                  system</p>
-               <p>configuration management plan</p>
-               <p>security impact analysis documentation</p>
-               <p>analysis tools and associated outputs</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for conducting security impact
-                  analysis</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security impact analysis</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-4.1">
-            <title>Separate Test Environments</title>
-            <prop name="label">CM-4(1)</prop>
-            <prop name="sort-id">cm-04.01</prop>
-            <part id="cm-4.1_smt" name="statement">
-               <p>The organization analyzes changes to the information system in a separate test
-                  environment before implementation in an operational environment, looking for
-                  security impacts due to flaws, weaknesses, incompatibility, or intentional
-                  malice.</p>
-            </part>
-            <part id="cm-4.1_gdn" name="guidance">
-               <p>Separate test environment in this context means an environment that is physically
-                  or logically isolated and distinct from the operational environment. The
-                  separation is sufficient to ensure that activities in the test environment do not
-                  impact activities in the operational environment, and information in the
-                  operational environment is not inadvertently transmitted to the test environment.
-                  Separate environments can be achieved by physical or logical means. If physically
-                  separate test environments are not used, organizations determine the strength of
-                  mechanism required when implementing logical separation (e.g., separation achieved
-                  through virtual machines).</p>
-               <link rel="related" href="#sa-11">SA-11</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-               <link rel="related" href="#sc-7">SC-7</link>
-            </part>
-            <part id="cm-4.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-4.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-4(1)[1]</prop>
-                  <p>analyzes changes to the information system in a separate test environment
-                     before implementation in an operational environment;</p>
-               </part>
-               <part id="cm-4.1_obj.2" name="objective">
-                  <prop name="label">CM-4(1)[2]</prop>
-                  <p>when analyzing changes to the information system in a separate test
-                     environment, looks for security impacts due to:</p>
-                  <part id="cm-4.1_obj.2.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-4(1)[2][a]</prop>
-                     <p>flaws;</p>
-                  </part>
-                  <part id="cm-4.1_obj.2.b" name="objective">
-                     <prop name="label">CM-4(1)[2][b]</prop>
-                     <p>weaknesses;</p>
-                  </part>
-                  <part id="cm-4.1_obj.2.c" name="objective">
-                     <prop name="label">CM-4(1)[2][c]</prop>
-                     <p>incompatibility; and</p>
-                  </part>
-                  <part id="cm-4.1_obj.2.d" name="objective">
-                     <prop name="label">CM-4(1)[2][d]</prop>
-                     <p>intentional malice.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing security impact analysis for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security impact analysis documentation</p>
-                  <p>analysis tools and associated outputs information system design
-                     documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>documentation evidence of separate test and operational environments</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for conducting security impact
-                     analysis</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for security impact analysis</p>
-                  <p>automated mechanisms supporting and/or implementing security impact analysis of
-                     changes</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-5">
-         <title>Access Restrictions for Change</title>
-         <prop name="label">CM-5</prop>
-         <prop name="sort-id">cm-05</prop>
-         <part id="cm-5_smt" name="statement">
-            <p>The organization defines, documents, approves, and enforces physical and logical
-               access restrictions associated with changes to the information system.</p>
-         </part>
-         <part id="cm-5_gdn" name="guidance">
-            <p>Any changes to the hardware, software, and/or firmware components of information
-               systems can potentially have significant effects on the overall security of the
-               systems. Therefore, organizations permit only qualified and authorized individuals to
-               access information systems for purposes of initiating changes, including upgrades and
-               modifications. Organizations maintain records of access to ensure that configuration
-               change control is implemented and to support after-the-fact actions should
-               organizations discover any unauthorized changes. Access restrictions for change also
-               include software libraries. Access restrictions include, for example, physical and
-               logical access controls (see AC-3 and PE-3), workflow automation, media libraries,
-               abstract layers (e.g., changes implemented into third-party interfaces rather than
-               directly into information systems), and change windows (e.g., changes occur only
-               during specified times, making unauthorized changes easy to discover).</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="cm-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-5_obj.1" name="objective">
-               <prop name="label">CM-5[1]</prop>
-               <p>defines physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.2" name="objective">
-               <prop name="label">CM-5[2]</prop>
-               <p>documents physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.3" name="objective">
-               <prop name="label">CM-5[3]</prop>
-               <p>approves physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.4" name="objective">
-               <prop name="label">CM-5[4]</prop>
-               <p>enforces physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.5" name="objective">
-               <prop name="label">CM-5[5]</prop>
-               <p>defines logical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.6" name="objective">
-               <prop name="label">CM-5[6]</prop>
-               <p>documents logical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.7" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-5[7]</prop>
-               <p>approves logical access restrictions associated with changes to the information
-                  system; and</p>
-            </part>
-            <part id="cm-5_obj.8" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-5[8]</prop>
-               <p>enforces logical access restrictions associated with changes to the information
-                  system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing access restrictions for changes to the information
-                  system</p>
-               <p>configuration management plan</p>
-               <p>information system design documentation</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>logical access approvals</p>
-               <p>physical access approvals</p>
-               <p>access credentials</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with logical access control responsibilities</p>
-               <p>organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing access restrictions to change</p>
-               <p>automated mechanisms supporting/implementing/enforcing access restrictions
-                  associated with changes to the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-5.1">
-            <title>Automated Access Enforcement / Auditing</title>
-            <prop name="label">CM-5(1)</prop>
-            <prop name="sort-id">cm-05.01</prop>
-            <part id="cm-5.1_smt" name="statement">
-               <p>The information system enforces access restrictions and supports auditing of the
-                  enforcement actions.</p>
-            </part>
-            <part id="cm-5.1_gdn" name="guidance">
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="cm-5.1_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="cm-5.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(1)[1]</prop>
-                  <p>enforces access restrictions for change; and</p>
-               </part>
-               <part id="cm-5.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(1)[2]</prop>
-                  <p>supports auditing of the enforcement actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms implementing enforcement of access restrictions for
-                     changes to the information system</p>
-                  <p>automated mechanisms supporting auditing of enforcement actions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.2">
-            <title>Review System Changes</title>
-            <param id="cm-5.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least every thirty (30) days</constraint>
-            </param>
-            <param id="cm-5.2_prm_2">
-               <label>organization-defined circumstances</label>
-            </param>
-            <prop name="label">CM-5(2)</prop>
-            <prop name="sort-id">cm-05.02</prop>
-            <part id="cm-5.2_smt" name="statement">
-               <p>The organization reviews information system changes <insert param-id="cm-5.2_prm_1"/> and <insert param-id="cm-5.2_prm_2"/> to determine
-                  whether unauthorized changes have occurred.</p>
-            </part>
-            <part id="cm-5.2_gdn" name="guidance">
-               <p>Indications that warrant review of information system changes and the specific
-                  circumstances justifying such reviews may be obtained from activities carried out
-                  by organizations during the configuration change process.</p>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#au-7">AU-7</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-5">CM-5</link>
-               <link rel="related" href="#pe-6">PE-6</link>
-               <link rel="related" href="#pe-8">PE-8</link>
-            </part>
-            <part id="cm-5.2_obj" name="objective">
-               <p>Determine if the organization, in an effort to ascertain whether unauthorized
-                  changes have occurred:</p>
-               <part id="cm-5.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-5(2)[1]</prop>
-                  <p>defines the frequency to review information system changes;</p>
-               </part>
-               <part id="cm-5.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-5(2)[2]</prop>
-                  <p>defines circumstances that warrant review of information system changes;</p>
-               </part>
-               <part id="cm-5.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(2)[3]</prop>
-                  <p>reviews information system changes with the organization-defined frequency;
-                     and</p>
-               </part>
-               <part id="cm-5.2_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(2)[4]</prop>
-                  <p>reviews information system changes with the organization-defined
-                     circumstances.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>reviews of information system changes</p>
-                  <p>audit and review reports</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms supporting/implementing information system reviews to
-                     determine whether unauthorized changes have occurred</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.3">
-            <title>Signed Components</title>
-            <param id="cm-5.3_prm_1">
-               <label>organization-defined software and firmware components</label>
-            </param>
-            <prop name="label">CM-5(3)</prop>
-            <prop name="sort-id">cm-05.03</prop>
-            <part id="cm-5.3_smt" name="statement">
-               <p>The information system prevents the installation of <insert param-id="cm-5.3_prm_1"/> without verification that the component has been
-                  digitally signed using a certificate that is recognized and approved by the
-                  organization.</p>
-               <part id="cm-5.3_fr" name="item">
-                  <title>CM-5 (3) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="cm-5.3_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-5.3_gdn" name="guidance">
-               <p>Software and firmware components prevented from installation unless signed with
-                  recognized and approved certificates include, for example, software and firmware
-                  version updates, patches, service packs, device drivers, and basic input output
-                  system (BIOS) updates. Organizations can identify applicable software and firmware
-                  components by type, by specific items, or a combination of both. Digital
-                  signatures and organizational verification of such signatures, is a method of code
-                  authentication.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-5.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-5.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-5(3)[1]</prop>
-                  <p>the organization defines software and firmware components that the information
-                     system will prevent from being installed without verification that such
-                     components have been digitally signed using a certificate that is recognized
-                     and approved by the organization; and</p>
-               </part>
-               <part id="cm-5.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(3)[2]</prop>
-                  <p>the information system prevents the installation of organization-defined
-                     software and firmware components without verification that such components have
-                     been digitally signed using a certificate that is recognized and approved by
-                     the organization.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>list of software and firmware components to be prohibited from installation
-                     without a recognized and approved certificate</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms preventing installation of software and firmware
-                     components not signed with an organization-recognized and approved
-                     certificate</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.5">
-            <title>Limit Production / Operational Privileges</title>
-            <param id="cm-5.5_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least quarterly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-5(5)</prop>
-            <prop name="sort-id">cm-05.05</prop>
-            <part id="cm-5.5_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-5.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Limits privileges to change information system components and system-related
-                     information within a production or operational environment; and</p>
-               </part>
-               <part id="cm-5.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reviews and reevaluates privileges <insert param-id="cm-5.5_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="cm-5.5_gdn" name="guidance">
-               <p>In many organizations, information systems support multiple core missions/business
-                  functions. Limiting privileges to change information system components with
-                  respect to operational systems is necessary because changes to a particular
-                  information system component may have far-reaching effects on mission/business
-                  processes supported by the system where the component resides. The complex,
-                  many-to-many relationships between systems and mission/business processes are in
-                  some cases, unknown to developers.</p>
-               <link rel="related" href="#ac-2">AC-2</link>
-            </part>
-            <part id="cm-5.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-5.5.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(5)(a)</prop>
-                  <p>limits privileges to change information system components and system-related
-                     information within a production or operational environment;</p>
-                  <link rel="corresp" href="#cm-5.5_smt.a">CM-5(5)(a)</link>
-               </part>
-               <part id="cm-5.5.b_obj" name="objective">
-                  <prop name="label">CM-5(5)(b)</prop>
-                  <part id="cm-5.5.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-5(5)(b)[1]</prop>
-                     <p>defines the frequency to review and reevaluate privileges; and</p>
-                  </part>
-                  <part id="cm-5.5.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-5(5)(b)[2]</prop>
-                     <p>reviews and reevaluates privileges with the organization-defined
-                        frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-5.5_smt.b">CM-5(5)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>user privilege reviews</p>
-                  <p>user privilege recertifications</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms supporting and/or implementing access restrictions for
-                     change</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-6">
-         <title>Configuration Settings</title>
-         <param id="cm-6_prm_1">
-            <label>organization-defined security configuration checklists</label>
-            <guideline>
-               <p>See CM-6(a) Additional FedRAMP Requirements and Guidance</p>
-            </guideline>
-         </param>
-         <param id="cm-6_prm_2">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="cm-6_prm_3">
-            <label>organization-defined operational requirements</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-6</prop>
-         <prop name="sort-id">cm-06</prop>
-         <link href="#990268bf-f4a9-4c81-91ae-dc7d3115f4b1" rel="reference">OMB Memorandum 07-11</link>
-         <link href="#0b3d8ba9-051f-498d-81ea-97f0f018c612" rel="reference">OMB Memorandum 07-18</link>
-         <link href="#0916ef02-3618-411b-a525-565c088849a6" rel="reference">OMB Memorandum 08-22</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <link href="#e95dd121-2733-413e-bf1e-f1eb49f20a98" rel="reference">http://checklists.nist.gov</link>
-         <link href="#647b6de3-81d0-4d22-bec1-5f1333e34380" rel="reference">http://www.nsa.gov</link>
-         <part id="cm-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents configuration settings for information technology
-                  products employed within the information system using <insert param-id="cm-6_prm_1"/> that reflect the most restrictive mode consistent with
-                  operational requirements;</p>
-            </part>
-            <part id="cm-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements the configuration settings;</p>
-            </part>
-            <part id="cm-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies, documents, and approves any deviations from established configuration
-                  settings for <insert param-id="cm-6_prm_2"/> based on <insert param-id="cm-6_prm_3"/>; and</p>
-            </part>
-            <part id="cm-6_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Monitors and controls changes to the configuration settings in accordance with
-                  organizational policies and procedures.</p>
-            </part>
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-6_gdn" name="guidance">
-            <p>Configuration settings are the set of parameters that can be changed in hardware,
-               software, or firmware components of the information system that affect the security
-               posture and/or functionality of the system. Information technology products for which
-               security-related configuration settings can be defined include, for example,
-               mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-               proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-               and data switches, wireless access points, network appliances, sensors), operating
-               systems, middleware, and applications. Security-related parameters are those
-               parameters impacting the security state of information systems including the
-               parameters required to satisfy other security control requirements. Security-related
-               parameters include, for example: (i) registry settings; (ii) account, file, directory
-               permission settings; and (iii) settings for functions, ports, protocols, services,
-               and remote connections. Organizations establish organization-wide configuration
-               settings and subsequently derive specific settings for information systems. The
-               established settings become part of the systems configuration baseline. Common secure
-               configurations (also referred to as security configuration checklists, lockdown and
-               hardening guides, security reference guides, security technical implementation
-               guides) provide recognized, standardized, and established benchmarks that stipulate
-               secure configuration settings for specific information technology platforms/products
-               and instructions for configuring those information system components to meet
-               operational requirements. Common secure configurations can be developed by a variety
-               of organizations including, for example, information technology product developers,
-               manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-               organizations in the public and private sectors. Common secure configurations include
-               the United States Government Configuration Baseline (USGCB) which affects the
-               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-               Content Automation Protocol (SCAP) and the defined standards within the protocol
-               (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-               identify, track, and control configuration settings. OMB establishes federal policy
-               on configuration requirements for federal information systems.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="cm-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-6.a_obj" name="objective">
-               <prop name="label">CM-6(a)</prop>
-               <part id="cm-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(a)[1]</prop>
-                  <p>defines security configuration checklists to be used to establish and document
-                     configuration settings for the information technology products employed;</p>
-               </part>
-               <part id="cm-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CM-6(a)[2]</prop>
-                  <p>ensures the defined security configuration checklists reflect the most
-                     restrictive mode consistent with operational requirements;</p>
-               </part>
-               <part id="cm-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(a)[3]</prop>
-                  <p>establishes and documents configuration settings for information technology
-                     products employed within the information system using organization-defined
-                     security configuration checklists;</p>
-               </part>
-            </part>
-            <part id="cm-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-6(b)</prop>
-               <p>implements the configuration settings established/documented in CM-6(a);;</p>
-            </part>
-            <part id="cm-6.c_obj" name="objective">
-               <prop name="label">CM-6(c)</prop>
-               <part id="cm-6.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[1]</prop>
-                  <p>defines information system components for which any deviations from established
-                     configuration settings must be:</p>
-                  <part id="cm-6.c_obj.1.a" name="objective">
-                     <prop name="label">CM-6(c)[1][a]</prop>
-                     <p>identified;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.b" name="objective">
-                     <prop name="label">CM-6(c)[1][b]</prop>
-                     <p>documented;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.c" name="objective">
-                     <prop name="label">CM-6(c)[1][c]</prop>
-                     <p>approved;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[2]</prop>
-                  <p>defines operational requirements to support:</p>
-                  <part id="cm-6.c_obj.2.a" name="objective">
-                     <prop name="label">CM-6(c)[2][a]</prop>
-                     <p>the identification of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.b" name="objective">
-                     <prop name="label">CM-6(c)[2][b]</prop>
-                     <p>the documentation of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.c" name="objective">
-                     <prop name="label">CM-6(c)[2][c]</prop>
-                     <p>the approval of any deviations from established configuration settings;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(c)[3]</prop>
-                  <p>identifies any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[4]</prop>
-                  <p>documents any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(c)[5]</prop>
-                  <p>approves any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-            </part>
-            <part id="cm-6.d_obj" name="objective">
-               <prop name="label">CM-6(d)</prop>
-               <part id="cm-6.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(d)[1]</prop>
-                  <p>monitors changes to the configuration settings in accordance with
-                     organizational policies and procedures; and</p>
-               </part>
-               <part id="cm-6.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(d)[2]</prop>
-                  <p>controls changes to the configuration settings in accordance with
-                     organizational policies and procedures.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing configuration settings for the information system</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>evidence supporting approved deviations from established configuration
-                  settings</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing configuration settings</p>
-               <p>automated mechanisms that implement, monitor, and/or control information system
-                  configuration settings</p>
-               <p>automated mechanisms that identify and/or document deviations from established
-                  configuration settings</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-6.1">
-            <title>Automated Central Management / Application / Verification</title>
-            <param id="cm-6.1_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">CM-6(1)</prop>
-            <prop name="sort-id">cm-06.01</prop>
-            <part id="cm-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to centrally manage, apply, and
-                  verify configuration settings for <insert param-id="cm-6.1_prm_1"/>.</p>
-            </part>
-            <part id="cm-6.1_gdn" name="guidance">
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#cm-4">CM-4</link>
-            </part>
-            <part id="cm-6.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-6.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(1)[1]</prop>
-                  <p>defines information system components for which automated mechanisms are to be
-                     employed to:</p>
-                  <part id="cm-6.1_obj.1.a" name="objective">
-                     <prop name="label">CM-6(1)[1][a]</prop>
-                     <p>centrally manage configuration settings of such components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.1.b" name="objective">
-                     <prop name="label">CM-6(1)[1][b]</prop>
-                     <p>apply configuration settings of such components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.1.c" name="objective">
-                     <prop name="label">CM-6(1)[1][c]</prop>
-                     <p>verify configuration settings of such components;</p>
-                  </part>
-               </part>
-               <part id="cm-6.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(1)[2]</prop>
-                  <p>employs automated mechanisms to:</p>
-                  <part id="cm-6.1_obj.2.a" name="objective">
-                     <prop name="label">CM-6(1)[2][a]</prop>
-                     <p>centrally manage configuration settings for organization-defined information
-                        system components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.2.b" name="objective">
-                     <prop name="label">CM-6(1)[2][b]</prop>
-                     <p>apply configuration settings for organization-defined information system
-                        components; and</p>
-                  </part>
-                  <part id="cm-6.1_obj.2.c" name="objective">
-                     <prop name="label">CM-6(1)[2][c]</prop>
-                     <p>verify configuration settings for organization-defined information system
-                        components.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing configuration settings for the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security configuration checklists</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security configuration management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing configuration settings</p>
-                  <p>automated mechanisms implemented to centrally manage, apply, and verify
-                     information system configuration settings</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-6.2">
-            <title>Respond to Unauthorized Changes</title>
-            <param id="cm-6.2_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="cm-6.2_prm_2">
-               <label>organization-defined configuration settings</label>
-            </param>
-            <prop name="label">CM-6(2)</prop>
-            <prop name="sort-id">cm-06.02</prop>
-            <part id="cm-6.2_smt" name="statement">
-               <p>The organization employs <insert param-id="cm-6.2_prm_1"/> to respond to
-                  unauthorized changes to <insert param-id="cm-6.2_prm_2"/>.</p>
-            </part>
-            <part id="cm-6.2_gdn" name="guidance">
-               <p>Responses to unauthorized changes to configuration settings can include, for
-                  example, alerting designated organizational personnel, restoring established
-                  configuration settings, or in extreme cases, halting affected information system
-                  processing.</p>
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-6.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-6.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(2)[1]</prop>
-                  <p>defines configuration settings that, if modified by unauthorized changes,
-                     result in organizational security safeguards being employed to respond to such
-                     changes;</p>
-               </part>
-               <part id="cm-6.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(2)[2]</prop>
-                  <p>defines security safeguards to be employed to respond to unauthorized changes
-                     to organization-defined configuration settings; and</p>
-               </part>
-               <part id="cm-6.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(2)[3]</prop>
-                  <p>employs organization-defined security safeguards to respond to unauthorized
-                     changes to organization-defined configuration settings.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing configuration settings for the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>alerts/notifications of unauthorized changes to information system
-                     configuration settings</p>
-                  <p>documented responses to unauthorized changes to information system
-                     configuration settings</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security configuration management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for responding to unauthorized changes to information
-                     system configuration settings</p>
-                  <p>automated mechanisms supporting and/or implementing security safeguards for
-                     response to unauthorized changes</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-7">
-         <title>Least Functionality</title>
-         <param id="cm-7_prm_1">
-            <label>organization-defined prohibited or restricted functions, ports, protocols, and/or
-               services</label>
-            <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-         </param>
-         <prop name="label">CM-7</prop>
-         <prop name="sort-id">cm-07</prop>
-         <link href="#e42b2099-3e1c-415b-952c-61c96533c12e" rel="reference">DoD Instruction 8551.01</link>
-         <part id="cm-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Configures the information system to provide only essential capabilities; and</p>
-            </part>
-            <part id="cm-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Prohibits or restricts the use of the following functions, ports, protocols,
-                  and/or services: <insert param-id="cm-7_prm_1"/>.</p>
-            </part>
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>. Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-7_gdn" name="guidance">
-            <p>Information systems can provide a wide variety of functions and services. Some of the
-               functions and services, provided by default, may not be necessary to support
-               essential organizational operations (e.g., key missions, functions). Additionally, it
-               is sometimes convenient to provide multiple services from single information system
-               components, but doing so increases risk over limiting the services provided by any
-               one component. Where feasible, organizations limit component functionality to a
-               single function per device (e.g., email servers or web servers, but not both).
-               Organizations review functions and services provided by information systems or
-               individual components of information systems, to determine which functions and
-               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-               Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-               prevent unauthorized connection of devices, unauthorized transfer of information, or
-               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-               detection and prevention systems, and end-point protections such as firewalls and
-               host-based intrusion detection systems to identify and prevent the use of prohibited
-               functions, ports, protocols, and services.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-7.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-7(a)</prop>
-               <p>configures the information system to provide only essential capabilities;</p>
-            </part>
-            <part id="cm-7.b_obj" name="objective">
-               <prop name="label">CM-7(b)</prop>
-               <part id="cm-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-7(b)[1]</prop>
-                  <p>defines prohibited or restricted:</p>
-                  <part id="cm-7.b_obj.1.a" name="objective">
-                     <prop name="label">CM-7(b)[1][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.b" name="objective">
-                     <prop name="label">CM-7(b)[1][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.c" name="objective">
-                     <prop name="label">CM-7(b)[1][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.d" name="objective">
-                     <prop name="label">CM-7(b)[1][d]</prop>
-                     <p>services;</p>
-                  </part>
-               </part>
-               <part id="cm-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-7(b)[2]</prop>
-                  <p>prohibits or restricts the use of organization-defined:</p>
-                  <part id="cm-7.b_obj.2.a" name="objective">
-                     <prop name="label">CM-7(b)[2][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.b" name="objective">
-                     <prop name="label">CM-7(b)[2][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.c" name="objective">
-                     <prop name="label">CM-7(b)[2][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.d" name="objective">
-                     <prop name="label">CM-7(b)[2][d]</prop>
-                     <p>services.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>configuration management plan</p>
-               <p>procedures addressing least functionality in the information system</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes prohibiting or restricting functions, ports, protocols,
-                  and/or services</p>
-               <p>automated mechanisms implementing restrictions or prohibition of functions, ports,
-                  protocols, and/or services</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-7.1">
-            <title>Periodic Review</title>
-            <param id="cm-7.1_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least monthly</constraint>
-            </param>
-            <param id="cm-7.1_prm_2">
-               <label>organization-defined functions, ports, protocols, and services within the
-                  information system deemed to be unnecessary and/or nonsecure</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-7(1)</prop>
-            <prop name="sort-id">cm-07.01</prop>
-            <part id="cm-7.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-7.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Reviews the information system <insert param-id="cm-7.1_prm_1"/> to identify
-                     unnecessary and/or nonsecure functions, ports, protocols, and services; and</p>
-               </part>
-               <part id="cm-7.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Disables <insert param-id="cm-7.1_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-7.1_gdn" name="guidance">
-               <p>The organization can either make a determination of the relative security of the
-                  function, port, protocol, and/or service or base the security decision on the
-                  assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are
-                  examples of less than secure protocols.</p>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#ia-2">IA-2</link>
-            </part>
-            <part id="cm-7.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-7.1.a_obj" name="objective">
-                  <prop name="label">CM-7(1)(a)</prop>
-                  <part id="cm-7.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-7(1)(a)[1]</prop>
-                     <p>defines the frequency to review the information system to identify
-                        unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.a_obj.1.a" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.b" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.c" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.d" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <part id="cm-7.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-7(1)(a)[2]</prop>
-                     <p>reviews the information system with the organization-defined frequency to
-                        identify unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.a_obj.2.a" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.b" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.c" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.d" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-7.1_smt.a">CM-7(1)(a)</link>
-               </part>
-               <part id="cm-7.1.b_obj" name="objective">
-                  <prop name="label">CM-7(1)(b)</prop>
-                  <part id="cm-7.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-7(1)(b)[1]</prop>
-                     <p>defines, within the information system, unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.b_obj.1.a" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.b" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.c" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.d" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <part id="cm-7.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-7(1)(b)[2]</prop>
-                     <p>disables organization-defined unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.b_obj.2.a" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.b" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.c" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.d" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][d]</prop>
-                        <p>services.</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-7.1_smt.b">CM-7(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security configuration checklists</p>
-                  <p>documented reviews of functions, ports, protocols, and/or services</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reviewing functions, ports,
-                     protocols, and services on the information system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for reviewing/disabling nonsecure functions, ports,
-                     protocols, and/or services</p>
-                  <p>automated mechanisms implementing review and disabling of nonsecure functions,
-                     ports, protocols, and/or services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.2">
-            <title>Prevent Program Execution</title>
-            <param id="cm-7.2_prm_1"/>
-            <param id="cm-7.2_prm_2" depends-on="cm-7.2_prm_1">
-               <label>organization-defined policies regarding software program usage and
-                  restrictions</label>
-            </param>
-            <prop name="label">CM-7(2)</prop>
-            <prop name="sort-id">cm-07.02</prop>
-            <part id="cm-7.2_smt" name="statement">
-               <p>The information system prevents program execution in accordance with <insert param-id="cm-7.2_prm_1"/>.</p>
-               <part id="cm-7.2_fr" name="item">
-                  <title>CM-7 (2) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="cm-7.2_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-7.2_gdn" name="guidance">
-               <link rel="related" href="#cm-8">CM-8</link>
-               <link rel="related" href="#pm-5">PM-5</link>
-            </part>
-            <part id="cm-7.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-7.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-7(2)[1]</prop>
-                  <p>the organization defines policies regarding software program usage and
-                     restrictions;</p>
-               </part>
-               <part id="cm-7.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-7(2)[2]</prop>
-                  <p>the information system prevents program execution in accordance with one or
-                     more of the following:</p>
-                  <part id="cm-7.2_obj.2.a" name="objective">
-                     <prop name="label">CM-7(2)[2][a]</prop>
-                     <p>organization-defined policies regarding program usage and restrictions;
-                        and/or</p>
-                  </part>
-                  <part id="cm-7.2_obj.2.b" name="objective">
-                     <prop name="label">CM-7(2)[2][b]</prop>
-                     <p>rules authorizing the terms and conditions of software program usage.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>specifications for preventing software program execution</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes preventing program execution on the information
-                     system</p>
-                  <p>organizational processes for software program usage and restrictions</p>
-                  <p>automated mechanisms preventing program execution on the information system</p>
-                  <p>automated mechanisms supporting and/or implementing software program usage and
-                     restrictions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.5">
-            <title>Authorized Software / Whitelisting</title>
-            <param id="cm-7.5_prm_1">
-               <label>organization-defined software programs authorized to execute on the
-                  information system</label>
-            </param>
-            <param id="cm-7.5_prm_2">
-               <label>organization-defined frequency</label>
-               <constraint>at least quarterly or when there is a change</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-7(5)</prop>
-            <prop name="sort-id">cm-07.05</prop>
-            <part id="cm-7.5_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-7.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Identifies <insert param-id="cm-7.5_prm_1"/>;</p>
-               </part>
-               <part id="cm-7.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Employs a deny-all, permit-by-exception policy to allow the execution of
-                     authorized software programs on the information system; and</p>
-               </part>
-               <part id="cm-7.5_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Reviews and updates the list of authorized software programs <insert param-id="cm-7.5_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-7.5_gdn" name="guidance">
-               <p>The process used to identify software programs that are authorized to execute on
-                  organizational information systems is commonly referred to as whitelisting. In
-                  addition to whitelisting, organizations consider verifying the integrity of
-                  white-listed software programs using, for example, cryptographic checksums,
-                  digital signatures, or hash functions. Verification of white-listed software can
-                  occur either prior to execution or at system startup.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-               <link rel="related" href="#cm-8">CM-8</link>
-               <link rel="related" href="#pm-5">PM-5</link>
-               <link rel="related" href="#sa-10">SA-10</link>
-               <link rel="related" href="#sc-34">SC-34</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-7.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-7.5.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-7(5)(a)</prop>
-                  <p>Identifies/defines software programs authorized to execute on the information
-                     system;</p>
-                  <link rel="corresp" href="#cm-7.5_smt.a">CM-7(5)(a)</link>
-               </part>
-               <part id="cm-7.5.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-7(5)(b)</prop>
-                  <p>employs a deny-all, permit-by-exception policy to allow the execution of
-                     authorized software programs on the information system;</p>
-                  <link rel="corresp" href="#cm-7.5_smt.b">CM-7(5)(b)</link>
-               </part>
-               <part id="cm-7.5.c_obj" name="objective">
-                  <prop name="label">CM-7(5)(c)</prop>
-                  <part id="cm-7.5.c_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-7(5)(c)[1]</prop>
-                     <p>defines the frequency to review and update the list of authorized software
-                        programs on the information system; and</p>
-                  </part>
-                  <part id="cm-7.5.c_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-7(5)(c)[2]</prop>
-                     <p>reviews and updates the list of authorized software programs with the
-                        organization-defined frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-7.5_smt.c">CM-7(5)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of software programs authorized to execute on the information system</p>
-                  <p>security configuration checklists</p>
-                  <p>review and update records associated with list of authorized software
-                     programs</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for identifying software
-                     authorized to execute on the information system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for identifying, reviewing, and updating programs
-                     authorized to execute on the information system</p>
-                  <p>organizational process for implementing whitelisting</p>
-                  <p>automated mechanisms implementing whitelisting</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-8">
-         <title>Information System Component Inventory</title>
-         <param id="cm-8_prm_1">
-            <label>organization-defined information deemed necessary to achieve effective
-               information system component accountability</label>
-         </param>
-         <param id="cm-8_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-8</prop>
-         <prop name="sort-id">cm-08</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents an inventory of information system components that:</p>
-               <part id="cm-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Is at the level of granularity deemed necessary for tracking and reporting;
-                     and</p>
-               </part>
-               <part id="cm-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Includes <insert param-id="cm-8_prm_1"/>; and</p>
-               </part>
-            </part>
-            <part id="cm-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the information system component inventory <insert param-id="cm-8_prm_2"/>.</p>
-            </part>
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-8_gdn" name="guidance">
-            <p>Organizations may choose to implement centralized information system component
-               inventories that include components from all organizational information systems. In
-               such situations, organizations ensure that the resulting inventories include
-               system-specific information required for proper component accountability (e.g.,
-               information system association, information system owner). Information deemed
-               necessary for effective accountability of information system components includes, for
-               example, hardware inventory specifications, software license information, software
-               version numbers, component owners, and for networked components or devices, machine
-               names and network addresses. Inventory specifications include, for example,
-               manufacturer, device type, model, serial number, and physical location.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-         </part>
-         <part id="cm-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-8.a_obj" name="objective">
-               <prop name="label">CM-8(a)</prop>
-               <part id="cm-8.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(1)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(2)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(3)</prop>
-                  <p>develops and documents an inventory of information system components that is at
-                     the level of granularity deemed necessary for tracking and reporting;</p>
-               </part>
-               <part id="cm-8.a.4_obj" name="objective">
-                  <prop name="label">CM-8(a)(4)</prop>
-                  <part id="cm-8.a.4_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(a)(4)[1]</prop>
-                     <p>defines the information deemed necessary to achieve effective information
-                        system component accountability;</p>
-                  </part>
-                  <part id="cm-8.a.4_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(a)(4)[2]</prop>
-                     <p>develops and documents an inventory of information system components that
-                        includes organization-defined information deemed necessary to achieve
-                        effective information system component accountability;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-8.b_obj" name="objective">
-               <prop name="label">CM-8(b)</prop>
-               <part id="cm-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(b)[1]</prop>
-                  <p>defines the frequency to review and update the information system component
-                     inventory; and</p>
-               </part>
-               <part id="cm-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-8(b)[2]</prop>
-                  <p>reviews and updates the information system component inventory with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing information system component inventory</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system inventory records</p>
-               <p>inventory reviews and update records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system component
-                  inventory</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing and documenting an inventory of
-                  information system components</p>
-               <p>automated mechanisms supporting and/or implementing the information system
-                  component inventory</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-8.1">
-            <title>Updates During Installations / Removals</title>
-            <prop name="label">CM-8(1)</prop>
-            <prop name="sort-id">cm-08.01</prop>
-            <part id="cm-8.1_smt" name="statement">
-               <p>The organization updates the inventory of information system components as an
-                  integral part of component installations, removals, and information system
-                  updates.</p>
-            </part>
-            <part id="cm-8.1_obj" name="objective">
-               <p>Determine if the organization updates the inventory of information system
-                  components as an integral part of:</p>
-               <part id="cm-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-8(1)[1]</prop>
-                  <p>component installations;</p>
-               </part>
-               <part id="cm-8.1_obj.2" name="objective">
-                  <prop name="label">CM-8(1)[2]</prop>
-                  <p>component removals; and</p>
-               </part>
-               <part id="cm-8.1_obj.3" name="objective">
-                  <prop name="label">CM-8(1)[3]</prop>
-                  <p>information system updates.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system inventory records</p>
-                  <p>inventory reviews and update records</p>
-                  <p>component installation records</p>
-                  <p>component removal records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for updating the information
-                     system component inventory</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for updating inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing updating of the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.2">
-            <title>Automated Maintenance</title>
-            <prop name="label">CM-8(2)</prop>
-            <prop name="sort-id">cm-08.02</prop>
-            <part id="cm-8.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to help maintain an up-to-date,
-                  complete, accurate, and readily available inventory of information system
-                  components.</p>
-            </part>
-            <part id="cm-8.2_gdn" name="guidance">
-               <p>Organizations maintain information system inventories to the extent feasible.
-                  Virtual machines, for example, can be difficult to monitor because such machines
-                  are not visible to the network when not in use. In such cases, organizations
-                  maintain as up-to-date, complete, and accurate an inventory as is deemed
-                  reasonable. This control enhancement can be satisfied by the implementation of
-                  CM-2 (2) for organizations that choose to combine information system component
-                  inventory and baseline configuration activities.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-8.2_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to maintain an
-                  inventory of information system components that is:</p>
-               <part id="cm-8.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-8(2)[1]</prop>
-                  <p>up-to-date;</p>
-               </part>
-               <part id="cm-8.2_obj.2" name="objective">
-                  <prop name="label">CM-8(2)[2]</prop>
-                  <p>complete;</p>
-               </part>
-               <part id="cm-8.2_obj.3" name="objective">
-                  <prop name="label">CM-8(2)[3]</prop>
-                  <p>accurate; and</p>
-               </part>
-               <part id="cm-8.2_obj.4" name="objective">
-                  <prop name="label">CM-8(2)[4]</prop>
-                  <p>readily available.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system inventory records</p>
-                  <p>change control records</p>
-                  <p>information system maintenance records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for managing the automated
-                     mechanisms implementing the information system component inventory</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining the inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.3">
-            <title>Automated Unauthorized Component Detection</title>
-            <param id="cm-8.3_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>Continuously, using automated mechanisms with a maximum five-minute delay in detection.</constraint>
-            </param>
-            <param id="cm-8.3_prm_2"/>
-            <param id="cm-8.3_prm_3" depends-on="cm-8.3_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-8(3)</prop>
-            <prop name="sort-id">cm-08.03</prop>
-            <part id="cm-8.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-8.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs automated mechanisms <insert param-id="cm-8.3_prm_1"/> to detect the
-                     presence of unauthorized hardware, software, and firmware components within the
-                     information system; and</p>
-               </part>
-               <part id="cm-8.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Takes the following actions when unauthorized components are detected: <insert param-id="cm-8.3_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-8.3_gdn" name="guidance">
-               <p>This control enhancement is applied in addition to the monitoring for unauthorized
-                  remote connections and mobile devices. Monitoring for unauthorized system
-                  components may be accomplished on an ongoing basis or by the periodic scanning of
-                  systems for that purpose. Automated mechanisms can be implemented within
-                  information systems or in other separate devices. Isolation can be achieved, for
-                  example, by placing unauthorized information system components in separate domains
-                  or subnets or otherwise quarantining such components. This type of component
-                  isolation is commonly referred to as sandboxing.</p>
-               <link rel="related" href="#ac-17">AC-17</link>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-4">SI-4</link>
-               <link rel="related" href="#si-7">SI-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="cm-8.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-8.3.a_obj" name="objective">
-                  <prop name="label">CM-8(3)(a)</prop>
-                  <part id="cm-8.3.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(3)(a)[1]</prop>
-                     <p>defines the frequency to employ automated mechanisms to detect the presence
-                        of unauthorized:</p>
-                     <part id="cm-8.3.a_obj.1.a" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][a]</prop>
-                        <p>hardware components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.1.b" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][b]</prop>
-                        <p>software components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.1.c" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][c]</prop>
-                        <p>firmware components within the information system;</p>
-                     </part>
-                  </part>
-                  <part id="cm-8.3.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-8(3)(a)[2]</prop>
-                     <p>employs automated mechanisms with the organization-defined frequency to
-                        detect the presence of unauthorized:</p>
-                     <part id="cm-8.3.a_obj.2.a" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][a]</prop>
-                        <p>hardware components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.2.b" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][b]</prop>
-                        <p>software components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.2.c" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][c]</prop>
-                        <p>firmware components within the information system;</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-8.3_smt.a">CM-8(3)(a)</link>
-               </part>
-               <part id="cm-8.3.b_obj" name="objective">
-                  <prop name="label">CM-8(3)(b)</prop>
-                  <part id="cm-8.3.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(3)(b)[1]</prop>
-                     <p>defines personnel or roles to be notified when unauthorized components are
-                        detected;</p>
-                  </part>
-                  <part id="cm-8.3.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-8(3)(b)[2]</prop>
-                     <p>takes one or more of the following actions when unauthorized components are
-                        detected:</p>
-                     <part id="cm-8.3.b_obj.2.a" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][a]</prop>
-                        <p>disables network access by such components;</p>
-                     </part>
-                     <part id="cm-8.3.b_obj.2.b" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][b]</prop>
-                        <p>isolates the components; and/or</p>
-                     </part>
-                     <part id="cm-8.3.b_obj.2.c" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][c]</prop>
-                        <p>notifies organization-defined personnel or roles.</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-8.3_smt.b">CM-8(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system inventory records</p>
-                  <p>alerts/notifications of unauthorized components within the information
-                     system</p>
-                  <p>information system monitoring records</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for managing the automated
-                     mechanisms implementing unauthorized information system component detection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for detection of unauthorized information system
-                     components</p>
-                  <p>automated mechanisms implementing the detection of unauthorized information
-                     system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.4">
-            <title>Accountability Information</title>
-            <param id="cm-8.4_prm_1">
-               <constraint>position and role</constraint>
-            </param>
-            <prop name="label">CM-8(4)</prop>
-            <prop name="sort-id">cm-08.04</prop>
-            <part id="cm-8.4_smt" name="statement">
-               <p>The organization includes in the information system component inventory
-                  information, a means for identifying by <insert param-id="cm-8.4_prm_1"/>,
-                  individuals responsible/accountable for administering those components.</p>
-            </part>
-            <part id="cm-8.4_gdn" name="guidance">
-               <p>Identifying individuals who are both responsible and accountable for administering
-                  information system components helps to ensure that the assigned components are
-                  properly administered and organizations can contact those individuals if some
-                  action is required (e.g., component is determined to be the source of a
-                  breach/compromise, component needs to be recalled/replaced, or component needs to
-                  be relocated).</p>
-            </part>
-            <part id="cm-8.4_obj" name="objective">
-               <p>Determine if the organization includes in the information system component
-                  inventory for information system components, a means for identifying the
-                  individuals responsible and accountable for administering those components by one
-                  or more of the following: </p>
-               <part id="cm-8.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-8(4)[1]</prop>
-                  <p>name;</p>
-               </part>
-               <part id="cm-8.4_obj.2" name="objective">
-                  <prop name="label">CM-8(4)[2]</prop>
-                  <p>position; and/or</p>
-               </part>
-               <part id="cm-8.4_obj.3" name="objective">
-                  <prop name="label">CM-8(4)[3]</prop>
-                  <p>role.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system inventory records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for managing the information
-                     system component inventory</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining the inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.5">
-            <title>No Duplicate Accounting of Components</title>
-            <prop name="label">CM-8(5)</prop>
-            <prop name="sort-id">cm-08.05</prop>
-            <part id="cm-8.5_smt" name="statement">
-               <p>The organization verifies that all components within the authorization boundary of
-                  the information system are not duplicated in other information system component
-                  inventories.</p>
-            </part>
-            <part id="cm-8.5_gdn" name="guidance">
-               <p>This control enhancement addresses the potential problem of duplicate accounting
-                  of information system components in large or complex interconnected systems.</p>
-            </part>
-            <part id="cm-8.5_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization verifies that all components within the
-                  authorization boundary of the information system are not duplicated in other
-                  information system inventories. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system inventory records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system inventory responsibilities</p>
-                  <p>organizational personnel with responsibilities for defining information system
-                     components within the authorization boundary of the system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining the inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-9">
-         <title>Configuration Management Plan</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-9</prop>
-         <prop name="sort-id">cm-09</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-9_smt" name="statement">
-            <p>The organization develops, documents, and implements a configuration management plan
-               for the information system that:</p>
-            <part id="cm-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Addresses roles, responsibilities, and configuration management processes and
-                  procedures;</p>
-            </part>
-            <part id="cm-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes a process for identifying configuration items throughout the system
-                  development life cycle and for managing the configuration of the configuration
-                  items;</p>
-            </part>
-            <part id="cm-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Defines the configuration items for the information system and places the
-                  configuration items under configuration management; and</p>
-            </part>
-            <part id="cm-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the configuration management plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part id="cm-9_gdn" name="guidance">
-            <p>Configuration management plans satisfy the requirements in configuration management
-               policies while being tailored to individual information systems. Such plans define
-               detailed processes and procedures for how configuration management is used to support
-               system development life cycle activities at the information system level.
-               Configuration management plans are typically developed during the
-               development/acquisition phase of the system development life cycle. The plans
-               describe how to move changes through change management processes, how to update
-               configuration settings and baselines, how to maintain information system component
-               inventories, how to control development, test, and operational environments, and how
-               to develop, release, and update key documents. Organizations can employ templates to
-               help ensure consistent and timely development and implementation of configuration
-               management plans. Such templates can represent a master configuration management plan
-               for the organization at large with subsets of the plan implemented on a system by
-               system basis. Configuration management approval processes include designation of key
-               management stakeholders responsible for reviewing and approving proposed changes to
-               information systems, and personnel that conduct security impact analyses prior to the
-               implementation of changes to the systems. Configuration items are the information
-               system items (hardware, software, firmware, and documentation) to be
-               configuration-managed. As information systems continue through the system development
-               life cycle, new configuration items may be identified and some existing configuration
-               items may no longer need to be under configuration control.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-         </part>
-         <part id="cm-9_obj" name="objective">
-            <p>Determine if the organization develops, documents, and implements a configuration
-               management plan for the information system that:</p>
-            <part id="cm-9.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-9(a)</prop>
-               <part id="cm-9.a_obj.1" name="objective">
-                  <prop name="label">CM-9(a)[1]</prop>
-                  <p>addresses roles;</p>
-               </part>
-               <part id="cm-9.a_obj.2" name="objective">
-                  <prop name="label">CM-9(a)[2]</prop>
-                  <p>addresses responsibilities;</p>
-               </part>
-               <part id="cm-9.a_obj.3" name="objective">
-                  <prop name="label">CM-9(a)[3]</prop>
-                  <p>addresses configuration management processes and procedures;</p>
-               </part>
-            </part>
-            <part id="cm-9.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-9(b)</prop>
-               <p>establishes a process for:</p>
-               <part id="cm-9.b_obj.1" name="objective">
-                  <prop name="label">CM-9(b)[1]</prop>
-                  <p>identifying configuration items throughout the SDLC;</p>
-               </part>
-               <part id="cm-9.b_obj.2" name="objective">
-                  <prop name="label">CM-9(b)[2]</prop>
-                  <p>managing the configuration of the configuration items;</p>
-               </part>
-            </part>
-            <part id="cm-9.c_obj" name="objective">
-               <prop name="label">CM-9(c)</prop>
-               <part id="cm-9.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-9(c)[1]</prop>
-                  <p>defines the configuration items for the information system;</p>
-               </part>
-               <part id="cm-9.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-9(c)[2]</prop>
-                  <p>places the configuration items under configuration management;</p>
-               </part>
-            </part>
-            <part id="cm-9.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-9(d)</prop>
-               <p>protects the configuration management plan from unauthorized:</p>
-               <part id="cm-9.d_obj.1" name="objective">
-                  <prop name="label">CM-9(d)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="cm-9.d_obj.2" name="objective">
-                  <prop name="label">CM-9(d)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing configuration management planning</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for developing the configuration
-                  management plan</p>
-               <p>organizational personnel with responsibilities for implementing and managing
-                  processes defined in the configuration management plan</p>
-               <p>organizational personnel with responsibilities for protecting the configuration
-                  management plan</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing and documenting the configuration
-                  management plan</p>
-               <p>organizational processes for identifying and managing configuration items</p>
-               <p>organizational processes for protecting the configuration management plan</p>
-               <p>automated mechanisms implementing the configuration management plan</p>
-               <p>automated mechanisms for managing configuration items</p>
-               <p>automated mechanisms for protecting the configuration management plan</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-10">
-         <title>Software Usage Restrictions</title>
-         <prop name="label">CM-10</prop>
-         <prop name="sort-id">cm-10</prop>
-         <part id="cm-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part id="cm-10_gdn" name="guidance">
-            <p>Software license tracking can be accomplished by manual methods (e.g., simple
-               spreadsheets) or automated methods (e.g., specialized tracking applications)
-               depending on organizational needs.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-10_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-10.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-10(a)</prop>
-               <p>uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-10(b)</prop>
-               <p>tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-10(c)</prop>
-               <p>controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing software usage restrictions</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>software contract agreements and copyright laws</p>
-               <p>site license documentation</p>
-               <p>list of software usage restrictions</p>
-               <p>software license tracking reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel with software license management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for tracking the use of software protected by quantity
-                  licenses</p>
-               <p>organization process for controlling/documenting the use of peer-to-peer file
-                  sharing technology</p>
-               <p>automated mechanisms implementing software license tracking</p>
-               <p>automated mechanisms implementing and controlling the use of peer-to-peer files
-                  sharing technology</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-10.1">
-            <title>Open Source Software</title>
-            <param id="cm-10.1_prm_1">
-               <label>organization-defined restrictions</label>
-            </param>
-            <prop name="label">CM-10(1)</prop>
-            <prop name="sort-id">cm-10.01</prop>
-            <part id="cm-10.1_smt" name="statement">
-               <p>The organization establishes the following restrictions on the use of open source
-                  software: <insert param-id="cm-10.1_prm_1"/>.</p>
-            </part>
-            <part id="cm-10.1_gdn" name="guidance">
-               <p>Open source software refers to software that is available in source code form.
-                  Certain software rights normally reserved for copyright holders are routinely
-                  provided under software license agreements that permit individuals to study,
-                  change, and improve the software. From a security perspective, the major advantage
-                  of open source software is that it provides organizations with the ability to
-                  examine the source code. However, there are also various licensing issues
-                  associated with open source software including, for example, the constraints on
-                  derivative use of such software.</p>
-            </part>
-            <part id="cm-10.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-10.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-10(1)[1]</prop>
-                  <p>defines restrictions on the use of open source software; and</p>
-               </part>
-               <part id="cm-10.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-10(1)[2]</prop>
-                  <p>establishes organization-defined restrictions on the use of open source
-                     software.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing restrictions on use of open source software</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for establishing and enforcing
-                     restrictions on use of open source software</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for restricting the use of open source software</p>
-                  <p>automated mechanisms implementing restrictions on the use of open source
-                     software</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-11">
-         <title>User-installed Software</title>
-         <param id="cm-11_prm_1">
-            <label>organization-defined policies</label>
-         </param>
-         <param id="cm-11_prm_2">
-            <label>organization-defined methods</label>
-         </param>
-         <param id="cm-11_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>Continuously (via CM-7 (5))</constraint>
-         </param>
-         <prop name="label">CM-11</prop>
-         <prop name="sort-id">cm-11</prop>
-         <part id="cm-11_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes <insert param-id="cm-11_prm_1"/> governing the installation of
-                  software by users;</p>
-            </part>
-            <part id="cm-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Enforces software installation policies through <insert param-id="cm-11_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="cm-11_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Monitors policy compliance at <insert param-id="cm-11_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="cm-11_gdn" name="guidance">
-            <p>If provided the necessary privileges, users have the ability to install software in
-               organizational information systems. To maintain control over the types of software
-               installed, organizations identify permitted and prohibited actions regarding software
-               installation. Permitted software installations may include, for example, updates and
-               security patches to existing software and downloading applications from
-               organization-approved “app stores” Prohibited software installations may include, for
-               example, software with unknown or suspect pedigrees or software that organizations
-               consider potentially malicious. The policies organizations select governing
-               user-installed software may be organization-developed or provided by some external
-               entity. Policy enforcement methods include procedural methods (e.g., periodic
-               examination of user accounts), automated methods (e.g., configuration settings
-               implemented on organizational information systems), or both.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="cm-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-11.a_obj" name="objective">
-               <prop name="label">CM-11(a)</prop>
-               <part id="cm-11.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(a)[1]</prop>
-                  <p>defines policies to govern the installation of software by users;</p>
-               </part>
-               <part id="cm-11.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(a)[2]</prop>
-                  <p>establishes organization-defined policies governing the installation of
-                     software by users;</p>
-               </part>
-            </part>
-            <part id="cm-11.b_obj" name="objective">
-               <prop name="label">CM-11(b)</prop>
-               <part id="cm-11.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(b)[1]</prop>
-                  <p>defines methods to enforce software installation policies;</p>
-               </part>
-               <part id="cm-11.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-11(b)[2]</prop>
-                  <p>enforces software installation policies through organization-defined
-                     methods;</p>
-               </part>
-            </part>
-            <part id="cm-11.c_obj" name="objective">
-               <prop name="label">CM-11(c)</prop>
-               <part id="cm-11.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(c)[1]</prop>
-                  <p>defines frequency to monitor policy compliance; and</p>
-               </part>
-               <part id="cm-11.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-11(c)[2]</prop>
-                  <p>monitors policy compliance at organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing user installed software</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of rules governing user installed software</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-               <p>continuous monitoring strategy</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for governing user-installed
-                  software</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel monitoring compliance with user-installed software
-                  policy</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes governing user-installed software on the information
-                  system</p>
-               <p>automated mechanisms enforcing rules/methods for governing the installation of
-                  software by users</p>
-               <p>automated mechanisms monitoring policy compliance</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-11.1">
-            <title>Alerts for Unauthorized Installations</title>
-            <param id="cm-11.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">CM-11(1)</prop>
-            <prop name="sort-id">cm-11.01</prop>
-            <part id="cm-11.1_smt" name="statement">
-               <p>The information system alerts <insert param-id="cm-11.1_prm_1"/> when the
-                  unauthorized installation of software is detected.</p>
-            </part>
-            <part id="cm-11.1_gdn" name="guidance">
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="cm-11.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-11.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(1)[1]</prop>
-                  <p>the organization defines personnel or roles to be alerted when the unauthorized
-                     installation of software is detected; and</p>
-               </part>
-               <part id="cm-11.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-11(1)[2]</prop>
-                  <p>the information system alerts organization-defined personnel or roles when the
-                     unauthorized installation of software is detected.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing user installed software</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for governing user-installed
-                     software</p>
-                  <p>organizational personnel operating, using, and/or maintaining the information
-                     system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes governing user-installed software on the information
-                     system</p>
-                  <p>automated mechanisms for alerting personnel/roles when unauthorized
-                     installation of software is detected</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="cp">
-      <title>Contingency Planning</title>
-      <control class="SP800-53" id="cp-1">
-         <title>Contingency Planning Policy and Procedures</title>
-         <param id="cp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="cp-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-1</prop>
-         <prop name="sort-id">cp-01</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cp-1_prm_1"/>:</p>
-               <part id="cp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A contingency planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the contingency planning policy
-                     and associated contingency planning controls; and</p>
-               </part>
-            </part>
-            <part id="cp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Contingency planning policy <insert param-id="cp-1_prm_2"/>; and</p>
-               </part>
-               <part id="cp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Contingency planning procedures <insert param-id="cp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cp-1_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="cp-1.a_obj" name="objective">
-               <prop name="label">CP-1(a)</prop>
-               <part id="cp-1.a.1_obj" name="objective">
-                  <prop name="label">CP-1(a)(1)</prop>
-                  <part id="cp-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(1)[1]</prop>
-                     <p>the organization develops and documents a contingency planning policy that
-                        addresses:</p>
-                     <part id="cp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cp-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(1)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the contingency planning
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-1(a)(1)[3]</prop>
-                     <p>the organization disseminates the contingency planning policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cp-1.a.2_obj" name="objective">
-                  <prop name="label">CP-1(a)(2)</prop>
-                  <part id="cp-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(2)[1]</prop>
-                     <p>the organization develops and documents procedures to facilitate the
-                        implementation of the contingency planning policy and associated contingency
-                        planning controls;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(2)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-1(a)(2)[3]</prop>
-                     <p>the organization disseminates the procedures to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-1.b_obj" name="objective">
-               <prop name="label">CP-1(b)</prop>
-               <part id="cp-1.b.1_obj" name="objective">
-                  <prop name="label">CP-1(b)(1)</prop>
-                  <part id="cp-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(1)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning policy;</p>
-                  </part>
-                  <part id="cp-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(1)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cp-1.b.2_obj" name="objective">
-                  <prop name="label">CP-1(b)(2)</prop>
-                  <part id="cp-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(2)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning procedures; and</p>
-                  </part>
-                  <part id="cp-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(2)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-2">
-         <title>Contingency Plan</title>
-         <param id="cp-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-2_prm_2">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <param id="cp-2_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="cp-2_prm_4">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-2</prop>
-         <prop name="sort-id">cp-02</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a contingency plan for the information system that:</p>
-               <part id="cp-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Provides recovery objectives, restoration priorities, and metrics;</p>
-               </part>
-               <part id="cp-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Addresses contingency roles, responsibilities, assigned individuals with
-                     contact information;</p>
-               </part>
-               <part id="cp-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented; and</p>
-               </part>
-               <part id="cp-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Is reviewed and approved by <insert param-id="cp-2_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="cp-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the contingency plan to <insert param-id="cp-2_prm_2"/>;</p>
-            </part>
-            <part id="cp-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the contingency plan for the information system <insert param-id="cp-2_prm_3"/>;</p>
-            </part>
-            <part id="cp-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the contingency plan to address changes to the organization, information
-                  system, or environment of operation and problems encountered during contingency
-                  plan implementation, execution, or testing;</p>
-            </part>
-            <part id="cp-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Communicates contingency plan changes to <insert param-id="cp-2_prm_4"/>; and</p>
-            </part>
-            <part id="cp-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-2_gdn" name="guidance">
-            <p>Contingency planning for information systems is part of an overall organizational
-               program for achieving continuity of operations for mission/business functions.
-               Contingency planning addresses both information system restoration and implementation
-               of alternative mission/business processes when systems are compromised. The
-               effectiveness of contingency planning is maximized by considering such planning
-               throughout the phases of the system development life cycle. Performing contingency
-               planning on hardware, software, and firmware development can be an effective means of
-               achieving information system resiliency. Contingency plans reflect the degree of
-               restoration required for organizational information systems since not all systems may
-               need to fully recover to achieve the level of continuity of operations desired.
-               Information system recovery objectives reflect applicable laws, Executive Orders,
-               directives, policies, standards, regulations, and guidelines. In addition to
-               information system availability, contingency plans also address other
-               security-related events resulting in a reduction in mission and/or business
-               effectiveness, such as malicious attacks compromising the confidentiality or
-               integrity of information systems. Actions addressed in contingency plans include, for
-               example, orderly/graceful degradation, information system shutdown, fallback to a
-               manual mode, alternate information flows, and operating in modes reserved for when
-               systems are under attack. By closely coordinating contingency planning with incident
-               handling activities, organizations can ensure that the necessary contingency planning
-               activities are in place and activated in the event of a security incident.</p>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="cp-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-2.a_obj" name="objective">
-               <prop name="label">CP-2(a)</prop>
-               <p>develops and documents a contingency plan for the information system that:</p>
-               <part id="cp-2.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(1)</prop>
-                  <p>identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(2)</prop>
-                  <part id="cp-2.a.2_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(2)[1]</prop>
-                     <p>provides recovery objectives;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(2)[2]</prop>
-                     <p>provides restoration priorities;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(2)[3]</prop>
-                     <p>provides metrics;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(3)</prop>
-                  <part id="cp-2.a.3_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(3)[1]</prop>
-                     <p>addresses contingency roles;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(3)[2]</prop>
-                     <p>addresses contingency responsibilities;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(3)[3]</prop>
-                     <p>addresses assigned individuals with contact information;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(4)</prop>
-                  <p>addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(5)</prop>
-                  <p>addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented;</p>
-               </part>
-               <part id="cp-2.a.6_obj" name="objective">
-                  <prop name="label">CP-2(a)(6)</prop>
-                  <part id="cp-2.a.6_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-2(a)(6)[1]</prop>
-                     <p>defines personnel or roles to review and approve the contingency plan for
-                        the information system;</p>
-                  </part>
-                  <part id="cp-2.a.6_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-2(a)(6)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-2.b_obj" name="objective">
-               <prop name="label">CP-2(b)</prop>
-               <part id="cp-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(b)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom copies of the contingency plan are to be
-                     distributed;</p>
-               </part>
-               <part id="cp-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-2(b)[2]</prop>
-                  <p>distributes copies of the contingency plan to organization-defined key
-                     contingency personnel and organizational elements;</p>
-               </part>
-            </part>
-            <part id="cp-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CP-2(c)</prop>
-               <p>coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2.d_obj" name="objective">
-               <prop name="label">CP-2(d)</prop>
-               <part id="cp-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(d)[1]</prop>
-                  <p>defines a frequency to review the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(d)[2]</prop>
-                  <p>reviews the contingency plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-2.e_obj" name="objective">
-               <prop name="label">CP-2(e)</prop>
-               <p>updates the contingency plan to address:</p>
-               <part id="cp-2.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(e)[1]</prop>
-                  <p>changes to the organization, information system, or environment of
-                     operation;</p>
-               </part>
-               <part id="cp-2.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(e)[2]</prop>
-                  <p>problems encountered during plan implementation, execution, and testing;</p>
-               </part>
-            </part>
-            <part id="cp-2.f_obj" name="objective">
-               <prop name="label">CP-2(f)</prop>
-               <part id="cp-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(f)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom contingency plan changes are to be
-                     communicated;</p>
-               </part>
-               <part id="cp-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-2(f)[2]</prop>
-                  <p>communicates contingency plan changes to organization-defined key contingency
-                     personnel and organizational elements; and</p>
-               </part>
-            </part>
-            <part id="cp-2.g_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-2(g)</prop>
-               <p>protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency operations for the information system</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>evidence of contingency plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan development, review, update, and
-                  protection</p>
-               <p>automated mechanisms for developing, reviewing, updating and/or protecting the
-                  contingency plan</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-2.1">
-            <title>Coordinate with Related Plans</title>
-            <prop name="label">CP-2(1)</prop>
-            <prop name="sort-id">cp-02.01</prop>
-            <part id="cp-2.1_smt" name="statement">
-               <p>The organization coordinates contingency plan development with organizational
-                  elements responsible for related plans.</p>
-            </part>
-            <part id="cp-2.1_gdn" name="guidance">
-               <p>Plans related to contingency plans for organizational information systems include,
-                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant
-                  Emergency Plans.</p>
-            </part>
-            <part id="cp-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization coordinates contingency plan development with
-                  organizational elements responsible for related plans.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business contingency plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>cyber incident response plan</p>
-                  <p>insider threat implementation plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel with responsibility for related plans</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.2">
-            <title>Capacity Planning</title>
-            <prop name="label">CP-2(2)</prop>
-            <prop name="sort-id">cp-02.02</prop>
-            <part id="cp-2.2_smt" name="statement">
-               <p>The organization conducts capacity planning so that necessary capacity for
-                  information processing, telecommunications, and environmental support exists
-                  during contingency operations.</p>
-            </part>
-            <part id="cp-2.2_gdn" name="guidance">
-               <p>Capacity planning is needed because different types of threats (e.g., natural
-                  disasters, targeted cyber attacks) can result in a reduction of the available
-                  processing, telecommunications, and support services originally intended to
-                  support the organizational missions/business functions. Organizations may need to
-                  anticipate degraded operations during contingency operations and factor such
-                  degradation into capacity planning.</p>
-            </part>
-            <part id="cp-2.2_obj" name="objective">
-               <p>Determine if the organization conducts capacity planning so that necessary
-                  capacity exists during contingency operations for: </p>
-               <part id="cp-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-2(2)[1]</prop>
-                  <p>information processing;</p>
-               </part>
-               <part id="cp-2.2_obj.2" name="objective">
-                  <prop name="label">CP-2(2)[2]</prop>
-                  <p>telecommunications; and</p>
-               </part>
-               <part id="cp-2.2_obj.3" name="objective">
-                  <prop name="label">CP-2(2)[3]</prop>
-                  <p>environmental support.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>capacity planning documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.3">
-            <title>Resume Essential Missions / Business Functions</title>
-            <param id="cp-2.3_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">CP-2(3)</prop>
-            <prop name="sort-id">cp-02.03</prop>
-            <part id="cp-2.3_smt" name="statement">
-               <p>The organization plans for the resumption of essential missions and business
-                  functions within <insert param-id="cp-2.3_prm_1"/> of contingency plan
-                  activation.</p>
-            </part>
-            <part id="cp-2.3_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. The time period for
-                  resumption of essential missions/business functions may be dependent on the
-                  severity/extent of disruptions to the information system and its supporting
-                  infrastructure.</p>
-               <link rel="related" href="#pe-12">PE-12</link>
-            </part>
-            <part id="cp-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(3)[1]</prop>
-                  <p>defines the time period to plan for the resumption of essential missions and
-                     business functions as a result of contingency plan activation; and</p>
-               </part>
-               <part id="cp-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(3)[2]</prop>
-                  <p>plans for the resumption of essential missions and business functions within
-                     organization-defined time period of contingency plan activation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>security plan</p>
-                  <p>business impact assessment</p>
-                  <p>other related plans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for resumption of missions and business functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.4">
-            <title>Resume All Missions / Business Functions</title>
-            <param id="cp-2.4_prm_1">
-               <label>organization-defined time period</label>
-               <constraint>time period defined in service provider and organization SLA</constraint>
-            </param>
-            <prop name="label">CP-2(4)</prop>
-            <prop name="sort-id">cp-02.04</prop>
-            <part id="cp-2.4_smt" name="statement">
-               <p>The organization plans for the resumption of all missions and business functions
-                  within <insert param-id="cp-2.4_prm_1"/> of contingency plan activation.</p>
-            </part>
-            <part id="cp-2.4_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. The time period for
-                  resumption of all missions/business functions may be dependent on the
-                  severity/extent of disruptions to the information system and its supporting
-                  infrastructure.</p>
-               <link rel="related" href="#pe-12">PE-12</link>
-            </part>
-            <part id="cp-2.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-2.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(4)[1]</prop>
-                  <p>defines the time period to plan for the resumption of all missions and business
-                     functions as a result of contingency plan activation; and</p>
-               </part>
-               <part id="cp-2.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(4)[2]</prop>
-                  <p>plans for the resumption of all missions and business functions within
-                     organization-defined time period of contingency plan activation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>security plan</p>
-                  <p>business impact assessment</p>
-                  <p>other related plans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for resumption of missions and business functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.5">
-            <title>Continue Essential Missions / Business Functions</title>
-            <prop name="label">CP-2(5)</prop>
-            <prop name="sort-id">cp-02.05</prop>
-            <part id="cp-2.5_smt" name="statement">
-               <p>The organization plans for the continuance of essential missions and business
-                  functions with little or no loss of operational continuity and sustains that
-                  continuity until full information system restoration at primary processing and/or
-                  storage sites.</p>
-            </part>
-            <part id="cp-2.5_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. Primary processing
-                  and/or storage sites defined by organizations as part of contingency planning may
-                  change depending on the circumstances associated with the contingency (e.g.,
-                  backup sites may become primary sites).</p>
-               <link rel="related" href="#pe-12">PE-12</link>
-            </part>
-            <part id="cp-2.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-2.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(5)[1]</prop>
-                  <p>plans for the continuance of essential missions and business functions with
-                     little or no loss of operational continuity; and</p>
-               </part>
-               <part id="cp-2.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(5)[2]</prop>
-                  <p>sustains that operational continuity until full information system restoration
-                     at primary processing and/or storage sites.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business impact assessment</p>
-                  <p>primary processing site agreements</p>
-                  <p>primary storage site agreements</p>
-                  <p>alternate processing site agreements</p>
-                  <p>alternate storage site agreements</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for continuing missions and business functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.8">
-            <title>Identify Critical Assets</title>
-            <prop name="label">CP-2(8)</prop>
-            <prop name="sort-id">cp-02.08</prop>
-            <part id="cp-2.8_smt" name="statement">
-               <p>The organization identifies critical information system assets supporting
-                  essential missions and business functions.</p>
-            </part>
-            <part id="cp-2.8_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. Organizations
-                  identify critical information system assets so that additional safeguards and
-                  countermeasures can be employed (above and beyond those safeguards and
-                  countermeasures routinely implemented) to help ensure that organizational
-                  missions/business functions can continue to be conducted during contingency
-                  operations. In addition, the identification of critical information assets
-                  facilitates the prioritization of organizational resources. Critical information
-                  system assets include technical and operational aspects. Technical aspects
-                  include, for example, information technology services, information system
-                  components, information technology products, and mechanisms. Operational aspects
-                  include, for example, procedures (manually executed operations) and personnel
-                  (individuals operating technical safeguards and/or executing manual procedures).
-                  Organizational program protection plans can provide assistance in identifying
-                  critical assets.</p>
-               <link rel="related" href="#sa-14">SA-14</link>
-               <link rel="related" href="#sa-15">SA-15</link>
-            </part>
-            <part id="cp-2.8_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization identifies critical information system assets
-                  supporting essential missions and business functions.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business impact assessment</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-3">
-         <title>Contingency Training</title>
-         <param id="cp-3_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>ten (10) days</constraint>
-         </param>
-         <param id="cp-3_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-3</prop>
-         <prop name="sort-id">cp-03</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="cp-3_smt" name="statement">
-            <p>The organization provides contingency training to information system users consistent
-               with assigned roles and responsibilities:</p>
-            <part id="cp-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="cp-3_prm_1"/> of assuming a contingency role or
-                  responsibility;</p>
-            </part>
-            <part id="cp-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="cp-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="cp-3_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="cp-3_gdn" name="guidance">
-            <p>Contingency training provided by organizations is linked to the assigned roles and
-               responsibilities of organizational personnel to ensure that the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know when and where to report for duty during contingency operations and if
-               normal duties are affected; system administrators may require additional training on
-               how to set up information systems at alternate processing and storage sites; and
-               managers/senior leaders may receive more specific training on how to conduct
-               mission-essential functions in designated off-site locations and how to establish
-               communications with other governmental entities for purposes of coordination on
-               contingency-related activities. Training for contingency roles/responsibilities
-               reflects the specific continuity requirements in the contingency plan.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-         </part>
-         <part id="cp-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-3.a_obj" name="objective">
-               <prop name="label">CP-3(a)</prop>
-               <part id="cp-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-3(a)[1]</prop>
-                  <p>defines a time period within which contingency training is to be provided to
-                     information system users assuming a contingency role or responsibility;</p>
-               </part>
-               <part id="cp-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-3(a)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming a contingency role or responsibility;</p>
-               </part>
-            </part>
-            <part id="cp-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-3(b)</prop>
-               <p>provides contingency training to information system users consistent with assigned
-                  roles and responsibilities when required by information system changes;</p>
-            </part>
-            <part id="cp-3.c_obj" name="objective">
-               <prop name="label">CP-3(c)</prop>
-               <part id="cp-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-3(c)[1]</prop>
-                  <p>defines the frequency for contingency training thereafter; and</p>
-               </part>
-               <part id="cp-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-3(c)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities with the organization-defined frequency
-                     thereafter.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency training</p>
-               <p>contingency plan</p>
-               <p>contingency training curriculum</p>
-               <p>contingency training material</p>
-               <p>security plan</p>
-               <p>contingency training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, plan implementation, and
-                  training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency training</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-3.1">
-            <title>Simulated Events</title>
-            <prop name="label">CP-3(1)</prop>
-            <prop name="sort-id">cp-03.01</prop>
-            <part id="cp-3.1_smt" name="statement">
-               <p>The organization incorporates simulated events into contingency training to
-                  facilitate effective response by personnel in crisis situations.</p>
-            </part>
-            <part id="cp-3.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization incorporates simulated events into contingency
-                  training to facilitate effective response by personnel in crisis situations.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency training</p>
-                  <p>contingency plan</p>
-                  <p>contingency training curriculum</p>
-                  <p>contingency training material</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning, plan implementation, and
-                     training responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency training</p>
-                  <p>automated mechanisms for simulating contingency events</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-4">
-         <title>Contingency Plan Testing</title>
-         <param id="cp-4_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="cp-4_prm_2">
-            <label>organization-defined tests</label>
-            <constraint>functional exercises</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-4</prop>
-         <prop name="sort-id">cp-04</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf" rel="reference">NIST Special Publication 800-84</link>
-         <part id="cp-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Tests the contingency plan for the information system <insert param-id="cp-4_prm_1"/> using <insert param-id="cp-4_prm_2"/> to determine the
-                  effectiveness of the plan and the organizational readiness to execute the
-                  plan;</p>
-            </part>
-            <part id="cp-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Initiates corrective actions, if needed.</p>
-            </part>
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-4_gdn" name="guidance">
-            <p>Methods for testing contingency plans to determine the effectiveness of the plans and
-               to identify potential weaknesses in the plans include, for example, walk-through and
-               tabletop exercises, checklists, simulations (parallel, full interrupt), and
-               comprehensive exercises. Organizations conduct testing based on the continuity
-               requirements in contingency plans and include a determination of the effects on
-               organizational operations, assets, and individuals arising due to contingency
-               operations. Organizations have flexibility and discretion in the breadth, depth, and
-               timelines of corrective actions.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-         </part>
-         <part id="cp-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-4.a_obj" name="objective">
-               <prop name="label">CP-4(a)</prop>
-               <part id="cp-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-4(a)[1]</prop>
-                  <p>defines tests to determine the effectiveness of the contingency plan and the
-                     organizational readiness to execute the plan;</p>
-               </part>
-               <part id="cp-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-4(a)[2]</prop>
-                  <p>defines a frequency to test the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-4.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-4(a)[3]</prop>
-                  <p>tests the contingency plan for the information system with the
-                     organization-defined frequency, using organization-defined tests to determine
-                     the effectiveness of the plan and the organizational readiness to execute the
-                     plan;</p>
-               </part>
-            </part>
-            <part id="cp-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-4(b)</prop>
-               <p>reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-4(c)</prop>
-               <p>initiates corrective actions, if needed.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency plan testing</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>contingency plan test documentation</p>
-               <p>contingency plan test results</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for contingency plan testing,
-                  reviewing or responding to contingency plan tests</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan testing</p>
-               <p>automated mechanisms supporting the contingency plan and/or contingency plan
-                  testing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-4.1">
-            <title>Coordinate with Related Plans</title>
-            <prop name="label">CP-4(1)</prop>
-            <prop name="sort-id">cp-04.01</prop>
-            <part id="cp-4.1_smt" name="statement">
-               <p>The organization coordinates contingency plan testing with organizational elements
-                  responsible for related plans.</p>
-            </part>
-            <part id="cp-4.1_gdn" name="guidance">
-               <p>Plans related to contingency plans for organizational information systems include,
-                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  Cyber Incident Response Plans, and Occupant Emergency Plans. This control
-                  enhancement does not require organizations to create organizational elements to
-                  handle related plans or to align such elements with specific plans. It does
-                  require, however, that if such organizational elements are responsible for related
-                  plans, organizations should coordinate with those elements.</p>
-               <link rel="related" href="#ir-8">IR-8</link>
-               <link rel="related" href="#pm-8">PM-8</link>
-            </part>
-            <part id="cp-4.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization coordinates contingency plan testing with
-                  organizational elements responsible for related plans. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>incident response policy</p>
-                  <p>procedures addressing contingency plan testing</p>
-                  <p>contingency plan testing documentation</p>
-                  <p>contingency plan</p>
-                  <p>business continuity plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>cyber incident response plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan testing responsibilities</p>
-                  <p>organizational personnel</p>
-                  <p>personnel with responsibilities for related plans</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-4.2">
-            <title>Alternate Processing Site</title>
-            <prop name="label">CP-4(2)</prop>
-            <prop name="sort-id">cp-04.02</prop>
-            <part id="cp-4.2_smt" name="statement">
-               <p>The organization tests the contingency plan at the alternate processing site:</p>
-               <part id="cp-4.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>To familiarize contingency personnel with the facility and available resources;
-                     and</p>
-               </part>
-               <part id="cp-4.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>To evaluate the capabilities of the alternate processing site to support
-                     contingency operations.</p>
-               </part>
-            </part>
-            <part id="cp-4.2_gdn" name="guidance">
-               <link rel="related" href="#cp-7">CP-7</link>
-            </part>
-            <part id="cp-4.2_obj" name="objective">
-               <p>Determine if the organization tests the contingency plan at the alternate
-                  processing site to:</p>
-               <part id="cp-4.2.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-4(2)(a)</prop>
-                  <p>familiarize contingency personnel with the facility and available resources;
-                     and</p>
-                  <link rel="corresp" href="#cp-4.2_smt.a">CP-4(2)(a)</link>
-               </part>
-               <part id="cp-4.2.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-4(2)(b)</prop>
-                  <p>evaluate the capabilities of the alternate processing site to support
-                     contingency operations.</p>
-                  <link rel="corresp" href="#cp-4.2_smt.b">CP-4(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency plan testing</p>
-                  <p>contingency plan</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>alternate processing site agreements</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency plan testing</p>
-                  <p>automated mechanisms supporting the contingency plan and/or contingency plan
-                     testing</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-6">
-         <title>Alternate Storage Site</title>
-         <prop name="label">CP-6</prop>
-         <prop name="sort-id">cp-06</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes an alternate storage site including necessary agreements to permit the
-                  storage and retrieval of information system backup information; and</p>
-            </part>
-            <part id="cp-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the alternate storage site provides information security safeguards
-                  equivalent to that of the primary site.</p>
-            </part>
-         </part>
-         <part id="cp-6_gdn" name="guidance">
-            <p>Alternate storage sites are sites that are geographically distinct from primary
-               storage sites. An alternate storage site maintains duplicate copies of information
-               and data in the event that the primary storage site is not available. Items covered
-               by alternate storage site agreements include, for example, environmental conditions
-               at alternate sites, access rules, physical and environmental protection requirements,
-               and coordination of delivery/retrieval of backup media. Alternate storage sites
-               reflect the requirements in contingency plans so that organizations can maintain
-               essential missions/business functions despite disruption, compromise, or failure in
-               organizational information systems.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-         </part>
-         <part id="cp-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-6_obj.1" name="objective">
-               <prop name="label">CP-6[1]</prop>
-               <p>establishes an alternate storage site including necessary agreements to permit the
-                  storage and retrieval of information system backup information; and</p>
-            </part>
-            <part id="cp-6_obj.2" name="objective">
-               <prop name="label">CP-6[2]</prop>
-               <p>ensures that the alternate storage site provides information security safeguards
-                  equivalent to that of the primary site.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate storage sites</p>
-               <p>contingency plan</p>
-               <p>alternate storage site agreements</p>
-               <p>primary storage site agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency plan alternate storage site
-                  responsibilities</p>
-               <p>organizational personnel with information system recovery responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing and retrieving information system backup
-                  information at the alternate storage site</p>
-               <p>automated mechanisms supporting and/or implementing storage and retrieval of
-                  information system backup information at the alternate storage site</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-6.1">
-            <title>Separation from Primary Site</title>
-            <prop name="label">CP-6(1)</prop>
-            <prop name="sort-id">cp-06.01</prop>
-            <part id="cp-6.1_smt" name="statement">
-               <p>The organization identifies an alternate storage site that is separated from the
-                  primary storage site to reduce susceptibility to the same threats.</p>
-            </part>
-            <part id="cp-6.1_gdn" name="guidance">
-               <p>Threats that affect alternate storage sites are typically defined in
-                  organizational assessments of risk and include, for example, natural disasters,
-                  structural failures, hostile cyber attacks, and errors of omission/commission.
-                  Organizations determine what is considered a sufficient degree of separation
-                  between primary and alternate storage sites based on the types of threats that are
-                  of concern. For one particular type of threat (i.e., hostile cyber attack), the
-                  degree of separation between sites is less relevant.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-6.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization identifies an alternate storage site that is
-                  separated from the primary storage site to reduce susceptibility to the same
-                  threats. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate storage sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate storage site</p>
-                  <p>alternate storage site agreements</p>
-                  <p>primary storage site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate storage site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-6.2">
-            <title>Recovery Time / Point Objectives</title>
-            <prop name="label">CP-6(2)</prop>
-            <prop name="sort-id">cp-06.02</prop>
-            <part id="cp-6.2_smt" name="statement">
-               <p>The organization configures the alternate storage site to facilitate recovery
-                  operations in accordance with recovery time and recovery point objectives.</p>
-            </part>
-            <part id="cp-6.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization configures the alternate storage site to facilitate
-                  recovery operations in accordance with recovery time objectives and recovery point
-                  objectives (as specified in the information system contingency plan).</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate storage sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate storage site</p>
-                  <p>alternate storage site agreements</p>
-                  <p>alternate storage site configurations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan testing responsibilities</p>
-                  <p>organizational personnel with responsibilities for testing related plans</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency plan testing</p>
-                  <p>automated mechanisms supporting recovery time/point objectives</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-6.3">
-            <title>Accessibility</title>
-            <prop name="label">CP-6(3)</prop>
-            <prop name="sort-id">cp-06.03</prop>
-            <part id="cp-6.3_smt" name="statement">
-               <p>The organization identifies potential accessibility problems to the alternate
-                  storage site in the event of an area-wide disruption or disaster and outlines
-                  explicit mitigation actions.</p>
-            </part>
-            <part id="cp-6.3_gdn" name="guidance">
-               <p>Area-wide disruptions refer to those types of disruptions that are broad in
-                  geographic scope (e.g., hurricane, regional power outage) with such determinations
-                  made by organizations based on organizational assessments of risk. Explicit
-                  mitigation actions include, for example: (i) duplicating backup information at
-                  other alternate storage sites if access problems occur at originally designated
-                  alternate sites; or (ii) planning for physical access to retrieve backup
-                  information if electronic accessibility to the alternate site is disrupted.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-6.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-6.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-6(3)[1]</prop>
-                  <p>identifies potential accessibility problems to the alternate storage site in
-                     the event of an area-wide disruption or disaster; and</p>
-               </part>
-               <part id="cp-6.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-6(3)[2]</prop>
-                  <p>outlines explicit mitigation actions for such potential accessibility problems
-                     to the alternate storage site in the event of an area-wide disruption or
-                     disaster.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate storage sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate storage site</p>
-                  <p>list of potential accessibility problems to alternate storage site</p>
-                  <p>mitigation actions for accessibility problems to alternate storage site</p>
-                  <p>organizational risk assessments</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate storage site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-7">
-         <title>Alternate Processing Site</title>
-         <param id="cp-7_prm_1">
-            <label>organization-defined information system operations</label>
-         </param>
-         <param id="cp-7_prm_2">
-            <label>organization-defined time period consistent with recovery time and recovery point
-               objectives</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-7</prop>
-         <prop name="sort-id">cp-07</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes an alternate processing site including necessary agreements to permit
-                  the transfer and resumption of <insert param-id="cp-7_prm_1"/> for essential
-                  missions/business functions within <insert param-id="cp-7_prm_2"/> when the
-                  primary processing capabilities are unavailable;</p>
-            </part>
-            <part id="cp-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that equipment and supplies required to transfer and resume operations are
-                  available at the alternate processing site or contracts are in place to support
-                  delivery to the site within the organization-defined time period for
-                  transfer/resumption; and</p>
-            </part>
-            <part id="cp-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that the alternate processing site provides information security
-                  safeguards equivalent to those of the primary site.</p>
-            </part>
-            <part id="cp-7_fr" name="item">
-               <title>CP-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-7_gdn" name="guidance">
-            <p>Alternate processing sites are sites that are geographically distinct from primary
-               processing sites. An alternate processing site provides processing capability in the
-               event that the primary processing site is not available. Items covered by alternate
-               processing site agreements include, for example, environmental conditions at
-               alternate sites, access rules, physical and environmental protection requirements,
-               and coordination for the transfer/assignment of personnel. Requirements are
-               specifically allocated to alternate processing sites that reflect the requirements in
-               contingency plans to maintain essential missions/business functions despite
-               disruption, compromise, or failure in organizational information systems.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ma-6">MA-6</link>
-         </part>
-         <part id="cp-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-7.a_obj" name="objective">
-               <prop name="label">CP-7(a)</prop>
-               <part id="cp-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-7(a)[1]</prop>
-                  <p>defines information system operations requiring an alternate processing site to
-                     be established to permit the transfer and resumption of such operations;</p>
-               </part>
-               <part id="cp-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-7(a)[2]</prop>
-                  <p>defines the time period consistent with recovery time objectives and recovery
-                     point objectives (as specified in the information system contingency plan) for
-                     transfer/resumption of organization-defined information system operations for
-                     essential missions/business functions;</p>
-               </part>
-               <part id="cp-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-7(a)[3]</prop>
-                  <p>establishes an alternate processing site including necessary agreements to
-                     permit the transfer and resumption of organization-defined information system
-                     operations for essential missions/business functions, within the
-                     organization-defined time period, when the primary processing capabilities are
-                     unavailable;</p>
-               </part>
-            </part>
-            <part id="cp-7.b_obj" name="objective">
-               <prop name="label">CP-7(b)</prop>
-               <part id="cp-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-7(b)[1]</prop>
-                  <p>ensures that equipment and supplies required to transfer and resume operations
-                     are available at the alternate processing site; or</p>
-               </part>
-               <part id="cp-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-7(b)[2]</prop>
-                  <p>ensures that contracts are in place to support delivery to the site within the
-                     organization-defined time period for transfer/resumption; and</p>
-               </part>
-            </part>
-            <part id="cp-7.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-7(c)</prop>
-               <p>ensures that the alternate processing site provides information security
-                  safeguards equivalent to those of the primary site.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate processing sites</p>
-               <p>contingency plan</p>
-               <p>alternate processing site agreements</p>
-               <p>primary processing site agreements</p>
-               <p>spare equipment and supplies inventory at alternate processing site</p>
-               <p>equipment and supply contracts</p>
-               <p>service-level agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for contingency planning and/or
-                  alternate site arrangements</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for recovery at the alternate site</p>
-               <p>automated mechanisms supporting and/or implementing recovery at the alternate
-                  processing site</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-7.1">
-            <title>Separation from Primary Site</title>
-            <prop name="label">CP-7(1)</prop>
-            <prop name="sort-id">cp-07.01</prop>
-            <part id="cp-7.1_smt" name="statement">
-               <p>The organization identifies an alternate processing site that is separated from
-                  the primary processing site to reduce susceptibility to the same threats.</p>
-               <part id="cp-7.1_fr" name="item">
-                  <title>CP-7 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="cp-7.1_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-7.1_gdn" name="guidance">
-               <p>Threats that affect alternate processing sites are typically defined in
-                  organizational assessments of risk and include, for example, natural disasters,
-                  structural failures, hostile cyber attacks, and errors of omission/commission.
-                  Organizations determine what is considered a sufficient degree of separation
-                  between primary and alternate processing sites based on the types of threats that
-                  are of concern. For one particular type of threat (i.e., hostile cyber attack),
-                  the degree of separation between sites is less relevant.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-7.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization identifies an alternate processing site that is
-                  separated from the primary storage site to reduce susceptibility to the same
-                  threats. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>primary processing site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.2">
-            <title>Accessibility</title>
-            <prop name="label">CP-7(2)</prop>
-            <prop name="sort-id">cp-07.02</prop>
-            <part id="cp-7.2_smt" name="statement">
-               <p>The organization identifies potential accessibility problems to the alternate
-                  processing site in the event of an area-wide disruption or disaster and outlines
-                  explicit mitigation actions.</p>
-            </part>
-            <part id="cp-7.2_gdn" name="guidance">
-               <p>Area-wide disruptions refer to those types of disruptions that are broad in
-                  geographic scope (e.g., hurricane, regional power outage) with such determinations
-                  made by organizations based on organizational assessments of risk.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-7.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-7.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-7(2)[1]</prop>
-                  <p>identifies potential accessibility problems to the alternate processing site in
-                     the event of an area-wide disruption or disaster; and</p>
-               </part>
-               <part id="cp-7.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-7(2)[2]</prop>
-                  <p>outlines explicit mitigation actions for such potential accessibility problems
-                     to the alternate processing site in the event of an area-wide disruption or
-                     disaster.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>primary processing site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.3">
-            <title>Priority of Service</title>
-            <prop name="label">CP-7(3)</prop>
-            <prop name="sort-id">cp-07.03</prop>
-            <part id="cp-7.3_smt" name="statement">
-               <p>The organization develops alternate processing site agreements that contain
-                  priority-of-service provisions in accordance with organizational availability
-                  requirements (including recovery time objectives).</p>
-            </part>
-            <part id="cp-7.3_gdn" name="guidance">
-               <p>Priority-of-service agreements refer to negotiated agreements with service
-                  providers that ensure that organizations receive priority treatment consistent
-                  with their availability requirements and the availability of information resources
-                  at the alternate processing site.</p>
-            </part>
-            <part id="cp-7.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization develops alternate processing site agreements that
-                  contain priority-of-service provisions in accordance with organizational
-                  availability requirements (including recovery time objectives as specified in the
-                  information system contingency plan).</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site agreements</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for acquisitions/contractual
-                     agreements</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.4">
-            <title>Preparation for Use</title>
-            <prop name="label">CP-7(4)</prop>
-            <prop name="sort-id">cp-07.04</prop>
-            <part id="cp-7.4_smt" name="statement">
-               <p>The organization prepares the alternate processing site so that the site is ready
-                  to be used as the operational site supporting essential missions and business
-                  functions.</p>
-            </part>
-            <part id="cp-7.4_gdn" name="guidance">
-               <p>Site preparation includes, for example, establishing configuration settings for
-                  information system components at the alternate processing site consistent with the
-                  requirements for such settings at the primary site and ensuring that essential
-                  supplies and other logistical considerations are in place.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="cp-7.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization prepares the alternate processing site so that the
-                  site is ready to be used as the operational site supporting essential missions and
-                  business functions.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>alternate processing site configurations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing recovery at the alternate
-                     processing site</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-8">
-         <title>Telecommunications Services</title>
-         <param id="cp-8_prm_1">
-            <label>organization-defined information system operations</label>
-         </param>
-         <param id="cp-8_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">CP-8</prop>
-         <prop name="sort-id">cp-08</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#fb5844de-ff96-47c0-b258-4f52bcc2f30d" rel="reference">National Communications Systems Directive 3-10</link>
-         <link href="#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604" rel="reference">http://www.dhs.gov/telecommunications-service-priority-tsp</link>
-         <part id="cp-8_smt" name="statement">
-            <p>The organization establishes alternate telecommunications services including
-               necessary agreements to permit the resumption of <insert param-id="cp-8_prm_1"/> for
-               essential missions and business functions within <insert param-id="cp-8_prm_2"/> when
-               the primary telecommunications capabilities are unavailable at either the primary or
-               alternate processing or storage sites.</p>
-            <part id="cp-8_fr" name="item">
-               <title>CP-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-8_gdn" name="guidance">
-            <p>This control applies to telecommunications services (data and voice) for primary and
-               alternate processing and storage sites. Alternate telecommunications services reflect
-               the continuity requirements in contingency plans to maintain essential
-               missions/business functions despite the loss of primary telecommunications services.
-               Organizations may specify different time periods for primary/alternate sites.
-               Alternate telecommunications services include, for example, additional organizational
-               or commercial ground-based circuits/lines or satellites in lieu of ground-based
-               communications. Organizations consider factors such as availability, quality of
-               service, and access when entering into alternate telecommunications agreements.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="cp-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-8_obj.1" name="objective">
-               <prop name="label">CP-8[1]</prop>
-               <p>defines information system operations requiring alternate telecommunications
-                  services to be established to permit the resumption of such operations;</p>
-            </part>
-            <part id="cp-8_obj.2" name="objective">
-               <prop name="label">CP-8[2]</prop>
-               <p>defines the time period to permit resumption of organization-defined information
-                  system operations for essential missions and business functions; and</p>
-            </part>
-            <part id="cp-8_obj.3" name="objective">
-               <prop name="label">CP-8[3]</prop>
-               <p>establishes alternate telecommunications services including necessary agreements
-                  to permit the resumption of organization-defined information system operations for
-                  essential missions and business functions, within the organization-defined time
-                  period, when the primary telecommunications capabilities are unavailable at either
-                  the primary or alternate processing or storage sites.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate telecommunications services</p>
-               <p>contingency plan</p>
-               <p>primary and alternate telecommunications service agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency plan telecommunications
-                  responsibilities</p>
-               <p>organizational personnel with information system recovery responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for acquisitions/contractual
-                  agreements</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting telecommunications</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-8.1">
-            <title>Priority of Service Provisions</title>
-            <prop name="label">CP-8(1)</prop>
-            <prop name="sort-id">cp-08.01</prop>
-            <part id="cp-8.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cp-8.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Develops primary and alternate telecommunications service agreements that
-                     contain priority-of-service provisions in accordance with organizational
-                     availability requirements (including recovery time objectives); and</p>
-               </part>
-               <part id="cp-8.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Requests Telecommunications Service Priority for all telecommunications
-                     services used for national security emergency preparedness in the event that
-                     the primary and/or alternate telecommunications services are provided by a
-                     common carrier.</p>
-               </part>
-            </part>
-            <part id="cp-8.1_gdn" name="guidance">
-               <p>Organizations consider the potential mission/business impact in situations where
-                  telecommunications service providers are servicing other organizations with
-                  similar priority-of-service provisions.</p>
-            </part>
-            <part id="cp-8.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-8(1)[1]</prop>
-                  <p>develops primary and alternate telecommunications service agreements that
-                     contain priority-of-service provisions in accordance with organizational
-                     availability requirements (including recovery time objectives as specified in
-                     the information system contingency plan); and</p>
-               </part>
-               <part id="cp-8.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-8(1)[2]</prop>
-                  <p>requests Telecommunications Service Priority for all telecommunications
-                     services used for national security emergency preparedness in the event that
-                     the primary and/or alternate telecommunications services are provided by a
-                     common carrier.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>Telecommunications Service Priority documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan telecommunications
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for acquisitions/contractual
-                     agreements</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting telecommunications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.2">
-            <title>Single Points of Failure</title>
-            <prop name="label">CP-8(2)</prop>
-            <prop name="sort-id">cp-08.02</prop>
-            <part id="cp-8.2_smt" name="statement">
-               <p>The organization obtains alternate telecommunications services to reduce the
-                  likelihood of sharing a single point of failure with primary telecommunications
-                  services.</p>
-            </part>
-            <part id="cp-8.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization obtains alternate telecommunications services to
-                  reduce the likelihood of sharing a single point of failure with primary
-                  telecommunications services. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan telecommunications
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>primary and alternate telecommunications service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.3">
-            <title>Separation of Primary / Alternate Providers</title>
-            <prop name="label">CP-8(3)</prop>
-            <prop name="sort-id">cp-08.03</prop>
-            <part id="cp-8.3_smt" name="statement">
-               <p>The organization obtains alternate telecommunications services from providers that
-                  are separated from primary service providers to reduce susceptibility to the same
-                  threats.</p>
-            </part>
-            <part id="cp-8.3_gdn" name="guidance">
-               <p>Threats that affect telecommunications services are typically defined in
-                  organizational assessments of risk and include, for example, natural disasters,
-                  structural failures, hostile cyber/physical attacks, and errors of
-                  omission/commission. Organizations seek to reduce common susceptibilities by, for
-                  example, minimizing shared infrastructure among telecommunications service
-                  providers and achieving sufficient geographic separation between services.
-                  Organizations may consider using a single service provider in situations where the
-                  service provider can provide alternate telecommunications services meeting the
-                  separation needs addressed in the risk assessment.</p>
-            </part>
-            <part id="cp-8.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization obtains alternate telecommunications services from
-                  providers that are separated from primary service providers to reduce
-                  susceptibility to the same threats. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>alternate telecommunications service provider site</p>
-                  <p>primary telecommunications service provider site</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan telecommunications
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>primary and alternate telecommunications service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.4">
-            <title>Provider Contingency Plan</title>
-            <param id="cp-8.4_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>annually</constraint>
-            </param>
-            <prop name="label">CP-8(4)</prop>
-            <prop name="sort-id">cp-08.04</prop>
-            <part id="cp-8.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cp-8.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Requires primary and alternate telecommunications service providers to have
-                     contingency plans;</p>
-               </part>
-               <part id="cp-8.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reviews provider contingency plans to ensure that the plans meet organizational
-                     contingency requirements; and</p>
-               </part>
-               <part id="cp-8.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Obtains evidence of contingency testing/training by providers <insert param-id="cp-8.4_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="cp-8.4_gdn" name="guidance">
-               <p>Reviews of provider contingency plans consider the proprietary nature of such
-                  plans. In some situations, a summary of provider contingency plans may be
-                  sufficient evidence for organizations to satisfy the review requirement.
-                  Telecommunications service providers may also participate in ongoing disaster
-                  recovery exercises in coordination with the Department of Homeland Security,
-                  state, and local governments. Organizations may use these types of activities to
-                  satisfy evidentiary requirements related to service provider contingency plan
-                  reviews, testing, and training.</p>
-            </part>
-            <part id="cp-8.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-8.4.a_obj" name="objective">
-                  <prop name="label">CP-8(4)(a)</prop>
-                  <part id="cp-8.4.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-8(4)(a)[1]</prop>
-                     <p>requires primary telecommunications service provider to have contingency
-                        plans;</p>
-                  </part>
-                  <part id="cp-8.4.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-8(4)(a)[2]</prop>
-                     <p>requires alternate telecommunications service provider(s) to have
-                        contingency plans;</p>
-                  </part>
-                  <link rel="corresp" href="#cp-8.4_smt.a">CP-8(4)(a)</link>
-               </part>
-               <part id="cp-8.4.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-8(4)(b)</prop>
-                  <p>reviews provider contingency plans to ensure that the plans meet organizational
-                     contingency requirements;</p>
-                  <link rel="corresp" href="#cp-8.4_smt.b">CP-8(4)(b)</link>
-               </part>
-               <part id="cp-8.4.c_obj" name="objective">
-                  <prop name="label">CP-8(4)(c)</prop>
-                  <part id="cp-8.4.c_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-8(4)(c)[1]</prop>
-                     <p>defines the frequency to obtain evidence of contingency testing/training by
-                        providers; and</p>
-                  </part>
-                  <part id="cp-8.4.c_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-8(4)(c)[2]</prop>
-                     <p>obtains evidence of contingency testing/training by providers with the
-                        organization-defined frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cp-8.4_smt.c">CP-8(4)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>provider contingency plans</p>
-                  <p>evidence of contingency testing/training by providers</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning, plan implementation, and
-                     testing responsibilities</p>
-                  <p>primary and alternate telecommunications service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for acquisitions/contractual
-                     agreements</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-9">
-         <title>Information System Backup</title>
-         <param id="cp-9_prm_1">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <param id="cp-9_prm_2">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <param id="cp-9_prm_3">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-9</prop>
-         <prop name="sort-id">cp-09</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts backups of user-level information contained in the information system
-                     <insert param-id="cp-9_prm_1"/>;</p>
-            </part>
-            <part id="cp-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Conducts backups of system-level information contained in the information system
-                     <insert param-id="cp-9_prm_2"/>;</p>
-            </part>
-            <part id="cp-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts backups of information system documentation including security-related
-                  documentation <insert param-id="cp-9_prm_3"/>; and</p>
-            </part>
-            <part id="cp-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-9_gdn" name="guidance">
-            <p>System-level information includes, for example, system-state information, operating
-               system and application software, and licenses. User-level information includes any
-               information other than system-level information. Mechanisms employed by organizations
-               to protect the integrity of information system backups include, for example, digital
-               signatures and cryptographic hashes. Protection of system backup information while in
-               transit is beyond the scope of this control. Information system backups reflect the
-               requirements in contingency plans as well as other organizational requirements for
-               backing up information.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="cp-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-9.a_obj" name="objective">
-               <prop name="label">CP-9(a)</prop>
-               <part id="cp-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(a)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of user-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(a)[2]</prop>
-                  <p>conducts backups of user-level information contained in the information system
-                     with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.b_obj" name="objective">
-               <prop name="label">CP-9(b)</prop>
-               <part id="cp-9.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(b)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of system-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(b)[2]</prop>
-                  <p>conducts backups of system-level information contained in the information
-                     system with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.c_obj" name="objective">
-               <prop name="label">CP-9(c)</prop>
-               <part id="cp-9.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(c)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of information system documentation including security-related
-                     documentation;</p>
-               </part>
-               <part id="cp-9.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(c)[2]</prop>
-                  <p>conducts backups of information system documentation, including
-                     security-related documentation, with the organization-defined frequency;
-                     and</p>
-               </part>
-            </part>
-            <part id="cp-9.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-9(d)</prop>
-               <p>protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>backup storage location(s)</p>
-               <p>information system backup logs or records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system backup responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for conducting information system backups</p>
-               <p>automated mechanisms supporting and/or implementing information system backups</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-9.1">
-            <title>Testing for Reliability / Integrity</title>
-            <param id="cp-9.1_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least monthly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CP-9(1)</prop>
-            <prop name="sort-id">cp-09.01</prop>
-            <part id="cp-9.1_smt" name="statement">
-               <p>The organization tests backup information <insert param-id="cp-9.1_prm_1"/> to
-                  verify media reliability and information integrity.</p>
-            </part>
-            <part id="cp-9.1_gdn" name="guidance">
-               <link rel="related" href="#cp-4">CP-4</link>
-            </part>
-            <part id="cp-9.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-9.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(1)[1]</prop>
-                  <p>defines the frequency to test backup information to verify media reliability
-                     and information integrity; and</p>
-               </part>
-               <part id="cp-9.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(1)[2]</prop>
-                  <p>tests backup information with the organization-defined frequency to verify
-                     media reliability and information integrity.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system backup test results</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting information system backups</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     backups</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.2">
-            <title>Test Restoration Using Sampling</title>
-            <prop name="label">CP-9(2)</prop>
-            <prop name="sort-id">cp-09.02</prop>
-            <part id="cp-9.2_smt" name="statement">
-               <p>The organization uses a sample of backup information in the restoration of
-                  selected information system functions as part of contingency plan testing.</p>
-            </part>
-            <part id="cp-9.2_gdn" name="guidance">
-               <link rel="related" href="#cp-4">CP-4</link>
-            </part>
-            <part id="cp-9.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization uses a sample of backup information in the
-                  restoration of selected information system functions as part of contingency plan
-                  testing. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system backup test results</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with contingency planning/contingency plan testing
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting information system backups</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     backups</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.3">
-            <title>Separate Storage for Critical Information</title>
-            <param id="cp-9.3_prm_1">
-               <label>organization-defined critical information system software and other
-                  security-related information</label>
-            </param>
-            <prop name="label">CP-9(3)</prop>
-            <prop name="sort-id">cp-09.03</prop>
-            <part id="cp-9.3_smt" name="statement">
-               <p>The organization stores backup copies of <insert param-id="cp-9.3_prm_1"/> in a
-                  separate facility or in a fire-rated container that is not collocated with the
-                  operational system.</p>
-            </part>
-            <part id="cp-9.3_gdn" name="guidance">
-               <p>Critical information system software includes, for example, operating systems,
-                  cryptographic key management systems, and intrusion detection/prevention systems.
-                  Security-related information includes, for example, organizational inventories of
-                  hardware, software, and firmware components. Alternate storage sites typically
-                  serve as separate storage facilities for organizations.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-8">CM-8</link>
-            </part>
-            <part id="cp-9.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-9.3_obj.1" name="objective">
-                  <prop name="label">CP-9(3)[1]</prop>
-                  <part id="cp-9.3_obj.1.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-9(3)[1][a]</prop>
-                     <p>defines critical information system software and other security-related
-                        information requiring backup copies to be stored in a separate facility;
-                        or</p>
-                  </part>
-                  <part id="cp-9.3_obj.1.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-9(3)[1][b]</prop>
-                     <p>defines critical information system software and other security-related
-                        information requiring backup copies to be stored in a fire-rated container
-                        that is not collocated with the operational system; and</p>
-                  </part>
-               </part>
-               <part id="cp-9.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-9(3)[2]</prop>
-                  <p>stores backup copies of organization-defined critical information system
-                     software and other security-related information in a separate facility or in a
-                     fire-rated container that is not collocated with the operational system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>backup storage location(s)</p>
-                  <p>information system backup configurations and associated documentation</p>
-                  <p>information system backup logs or records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.5">
-            <title>Transfer to Alternate Storage Site</title>
-            <param id="cp-9.5_prm_1">
-               <label>organization-defined time period and transfer rate consistent with the
-                  recovery time and recovery point objectives</label>
-               <constraint>time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA</constraint>
-            </param>
-            <prop name="label">CP-9(5)</prop>
-            <prop name="sort-id">cp-09.05</prop>
-            <part id="cp-9.5_smt" name="statement">
-               <p>The organization transfers information system backup information to the alternate
-                  storage site <insert param-id="cp-9.5_prm_1"/>.</p>
-            </part>
-            <part id="cp-9.5_gdn" name="guidance">
-               <p>Information system backup information can be transferred to alternate storage
-                  sites either electronically or by physical shipment of storage media.</p>
-            </part>
-            <part id="cp-9.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-9.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(5)[1]</prop>
-                  <p>defines a time period, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     transfer information system backup information to the alternate storage
-                     site;</p>
-               </part>
-               <part id="cp-9.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(5)[2]</prop>
-                  <p>defines a transfer rate, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     transfer information system backup information to the alternate storage site;
-                     and</p>
-               </part>
-               <part id="cp-9.5_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(5)[3]</prop>
-                  <p>transfers information system backup information to the alternate storage site
-                     with the organization-defined time period and transfer rate.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system backup logs or records</p>
-                  <p>evidence of system backup information transferred to alternate storage site</p>
-                  <p>alternate storage site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for transferring information system backups to the
-                     alternate storage site</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     backups</p>
-                  <p>automated mechanisms supporting and/or implementing information transfer to the
-                     alternate storage site</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-10">
-         <title>Information System Recovery and Reconstitution</title>
-         <prop name="label">CP-10</prop>
-         <prop name="sort-id">cp-10</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-10_smt" name="statement">
-            <p>The organization provides for the recovery and reconstitution of the information
-               system to a known state after a disruption, compromise, or failure.</p>
-         </part>
-         <part id="cp-10_gdn" name="guidance">
-            <p>Recovery is executing information system contingency plan activities to restore
-               organizational missions/business functions. Reconstitution takes place following
-               recovery and includes activities for returning organizational information systems to
-               fully operational states. Recovery and reconstitution operations reflect mission and
-               business priorities, recovery point/time and reconstitution objectives, and
-               established organizational metrics consistent with contingency plan requirements.
-               Reconstitution includes the deactivation of any interim information system
-               capabilities that may have been needed during recovery operations. Reconstitution
-               also includes assessments of fully restored information system capabilities,
-               reestablishment of continuous monitoring activities, potential information system
-               reauthorizations, and activities to prepare the systems against future disruptions,
-               compromises, or failures. Recovery/reconstitution capabilities employed by
-               organizations can include both automated mechanisms and manual procedures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="cp-10_obj" name="objective">
-            <p>Determine if the organization provides for: </p>
-            <part id="cp-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-10[1]</prop>
-               <p>the recovery of the information system to a known state after:</p>
-               <part id="cp-10_obj.1.a" name="objective">
-                  <prop name="label">CP-10[1][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.1.b" name="objective">
-                  <prop name="label">CP-10[1][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.1.c" name="objective">
-                  <prop name="label">CP-10[1][c]</prop>
-                  <p>a failure;</p>
-               </part>
-            </part>
-            <part id="cp-10_obj.2" name="objective">
-               <prop name="label">CP-10[2]</prop>
-               <p>the reconstitution of the information system to a known state after:</p>
-               <part id="cp-10_obj.2.a" name="objective">
-                  <prop name="label">CP-10[2][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.2.b" name="objective">
-                  <prop name="label">CP-10[2][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.2.c" name="objective">
-                  <prop name="label">CP-10[2][c]</prop>
-                  <p>a failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>information system backup test results</p>
-               <p>contingency plan test results</p>
-               <p>contingency plan test documentation</p>
-               <p>redundant secondary system for information system backups</p>
-               <p>location(s) of redundant secondary backup system(s)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, recovery, and/or
-                  reconstitution responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes implementing information system recovery and
-                  reconstitution operations</p>
-               <p>automated mechanisms supporting and/or implementing information system recovery
-                  and reconstitution operations</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-10.2">
-            <title>Transaction Recovery</title>
-            <prop name="label">CP-10(2)</prop>
-            <prop name="sort-id">cp-10.02</prop>
-            <part id="cp-10.2_smt" name="statement">
-               <p>The information system implements transaction recovery for systems that are
-                  transaction-based.</p>
-            </part>
-            <part id="cp-10.2_gdn" name="guidance">
-               <p>Transaction-based information systems include, for example, database management
-                  systems and transaction processing systems. Mechanisms supporting transaction
-                  recovery include, for example, transaction rollback and transaction
-                  journaling.</p>
-            </part>
-            <part id="cp-10.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements transaction recovery for systems
-                  that are transaction-based. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system recovery and reconstitution</p>
-                  <p>contingency plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>information system transaction recovery records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for transaction recovery</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing transaction recovery
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.4">
-            <title>Restore Within Time Period</title>
-            <param id="cp-10.4_prm_1">
-               <label>organization-defined restoration time-periods</label>
-               <constraint>time period consistent with the restoration time-periods defined in the service provider and organization SLA</constraint>
-            </param>
-            <prop name="label">CP-10(4)</prop>
-            <prop name="sort-id">cp-10.04</prop>
-            <part id="cp-10.4_smt" name="statement">
-               <p>The organization provides the capability to restore information system components
-                  within <insert param-id="cp-10.4_prm_1"/> from configuration-controlled and
-                  integrity-protected information representing a known, operational state for the
-                  components.</p>
-            </part>
-            <part id="cp-10.4_gdn" name="guidance">
-               <p>Restoration of information system components includes, for example, reimaging
-                  which restores components to known, operational states.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-            </part>
-            <part id="cp-10.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-10.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-10(4)[1]</prop>
-                  <p>defines a time period to restore information system components from
-                     configuration-controlled and integrity-protected information representing a
-                     known, operational state for the components; and</p>
-               </part>
-               <part id="cp-10.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-10(4)[2]</prop>
-                  <p>provides the capability to restore information system components within the
-                     organization-defined time period from configuration-controlled and
-                     integrity-protected information representing a known, operational state for the
-                     components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system recovery and reconstitution</p>
-                  <p>contingency plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>evidence of information system recovery and reconstitution operations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system recovery and reconstitution
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing recovery/reconstitution of
-                     information system information</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ia">
-      <title>Identification and Authentication</title>
-      <control class="SP800-53" id="ia-1">
-         <title>Identification and Authentication Policy and Procedures</title>
-         <param id="ia-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ia-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-1</prop>
-         <prop name="sort-id">ia-01</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ia-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ia-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ia-1_prm_1"/>:</p>
-               <part id="ia-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An identification and authentication policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ia-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the identification and
-                     authentication policy and associated identification and authentication
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ia-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ia-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identification and authentication policy <insert param-id="ia-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ia-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Identification and authentication procedures <insert param-id="ia-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ia-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ia-1.a_obj" name="objective">
-               <prop name="label">IA-1(a)</prop>
-               <part id="ia-1.a.1_obj" name="objective">
-                  <prop name="label">IA-1(a)(1)</prop>
-                  <part id="ia-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(1)[1]</prop>
-                     <p>develops and documents an identification and authentication policy that
-                        addresses:</p>
-                     <part id="ia-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ia-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the identification and authentication
-                        policy is to be disseminated; and</p>
-                  </part>
-                  <part id="ia-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IA-1(a)(1)[3]</prop>
-                     <p>disseminates the identification and authentication policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ia-1.a.2_obj" name="objective">
-                  <prop name="label">IA-1(a)(2)</prop>
-                  <part id="ia-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        identification and authentication policy and associated identification and
-                        authentication controls;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-1.b_obj" name="objective">
-               <prop name="label">IA-1(b)</prop>
-               <part id="ia-1.b.1_obj" name="objective">
-                  <prop name="label">IA-1(b)(1)</prop>
-                  <part id="ia-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication policy;</p>
-                  </part>
-                  <part id="ia-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current identification and authentication policy
-                        with the organization-defined frequency; and</p>
-                  </part>
-               </part>
-               <part id="ia-1.b.2_obj" name="objective">
-                  <prop name="label">IA-1(b)(2)</prop>
-                  <part id="ia-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication procedures; and</p>
-                  </part>
-                  <part id="ia-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current identification and authentication procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identification and authentication
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-2">
-         <title>Identification and Authentication (organizational Users)</title>
-         <prop name="label">IA-2</prop>
-         <prop name="sort-id">ia-02</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-2_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates organizational users (or
-               processes acting on behalf of organizational users).</p>
-         </part>
-         <part id="ia-2_gdn" name="guidance">
-            <p>Organizational users include employees or individuals that organizations deem to have
-               equivalent status of employees (e.g., contractors, guest researchers). This control
-               applies to all accesses other than: (i) accesses that are explicitly identified and
-               documented in AC-14; and (ii) accesses that occur through authorized use of group
-               authenticators without individual authentication. Organizations may require unique
-               identification of individuals in group accounts (e.g., shared privilege accounts) or
-               for detailed accountability of individual activity. Organizations employ passwords,
-               tokens, or biometrics to authenticate user identities, or in the case multifactor
-               authentication, or some combination thereof. Access to organizational information
-               systems is defined as either local access or network access. Local access is any
-               access to organizational information systems by users (or processes acting on behalf
-               of users) where such access is obtained by direct connections without the use of
-               networks. Network access is access to organizational information systems by users (or
-               processes acting on behalf of users) where such access is obtained through network
-               connections (i.e., nonlocal accesses). Remote access is a type of network access that
-               involves communication through external networks (e.g., the Internet). Internal
-               networks include local area networks and wide area networks. In addition, the use of
-               encrypted virtual private networks (VPNs) for network connections between
-               organization-controlled endpoints and non-organization controlled endpoints may be
-               treated as internal networks from the perspective of protecting the confidentiality
-               and integrity of information traversing the network. Organizations can satisfy the
-               identification and authentication requirements in this control by complying with the
-               requirements in Homeland Security Presidential Directive 12 consistent with the
-               specific organizational implementation plans. Multifactor authentication requires the
-               use of two or more different factors to achieve authentication. The factors are
-               defined as: (i) something you know (e.g., password, personal identification number
-               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-               or (iii) something you are (e.g., biometric). Multifactor solutions that require
-               devices separate from information systems gaining access include, for example,
-               hardware tokens providing time-based or challenge-response authenticators and smart
-               cards such as the U.S. Government Personal Identity Verification card and the DoD
-               common access card. In addition to identifying and authenticating users at the
-               information system level (i.e., at logon), organizations also employ identification
-               and authentication mechanisms at the application level, when necessary, to provide
-               increased information security. Identification and authentication requirements for
-               other than organizational users are described in IA-8.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-         </part>
-         <part id="ia-2_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               organizational users (or processes acting on behalf of organizational users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for uniquely identifying and authenticating users</p>
-               <p>automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-2.1">
-            <title>Network Access to Privileged Accounts</title>
-            <prop name="label">IA-2(1)</prop>
-            <prop name="sort-id">ia-02.01</prop>
-            <part id="ia-2.1_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  privileged accounts.</p>
-            </part>
-            <part id="ia-2.1_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements multifactor authentication for
-                  network access to privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.2">
-            <title>Network Access to Non-privileged Accounts</title>
-            <prop name="label">IA-2(2)</prop>
-            <prop name="sort-id">ia-02.02</prop>
-            <part id="ia-2.2_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  non-privileged accounts.</p>
-            </part>
-            <part id="ia-2.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements multifactor authentication for
-                  network access to non-privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.3">
-            <title>Local Access to Privileged Accounts</title>
-            <prop name="label">IA-2(3)</prop>
-            <prop name="sort-id">ia-02.03</prop>
-            <part id="ia-2.3_smt" name="statement">
-               <p>The information system implements multifactor authentication for local access to
-                  privileged accounts.</p>
-            </part>
-            <part id="ia-2.3_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements multifactor authentication for
-                  local access to privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.4">
-            <title>Local Access to Non-privileged Accounts</title>
-            <prop name="label">IA-2(4)</prop>
-            <prop name="sort-id">ia-02.04</prop>
-            <part id="ia-2.4_smt" name="statement">
-               <p>The information system implements multifactor authentication for local access to
-                  non-privileged accounts.</p>
-            </part>
-            <part id="ia-2.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements multifactor authentication for
-                  local access to non-privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.5">
-            <title>Group Authentication</title>
-            <prop name="label">IA-2(5)</prop>
-            <prop name="sort-id">ia-02.05</prop>
-            <part id="ia-2.5_smt" name="statement">
-               <p>The organization requires individuals to be authenticated with an individual
-                  authenticator when a group authenticator is employed.</p>
-            </part>
-            <part id="ia-2.5_gdn" name="guidance">
-               <p>Requiring individuals to use individual authenticators as a second level of
-                  authentication helps organizations to mitigate the risk of using group
-                  authenticators.</p>
-            </part>
-            <part id="ia-2.5_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires individuals to be authenticated with an
-                  individual authenticator when a group authenticator is employed.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authentication capability
-                     for group accounts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.8">
-            <title>Network Access to Privileged Accounts - Replay Resistant</title>
-            <prop name="label">IA-2(8)</prop>
-            <prop name="sort-id">ia-02.08</prop>
-            <part id="ia-2.8_smt" name="statement">
-               <p>The information system implements replay-resistant authentication mechanisms for
-                  network access to privileged accounts.</p>
-            </part>
-            <part id="ia-2.8_gdn" name="guidance">
-               <p>Authentication processes resist replay attacks if it is impractical to achieve
-                  successful authentications by replaying previous authentication messages.
-                  Replay-resistant techniques include, for example, protocols that use nonces or
-                  challenges such as Transport Layer Security (TLS) and time synchronous or
-                  challenge-response one-time authenticators.</p>
-            </part>
-            <part id="ia-2.8_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements replay-resistant authentication
-                  mechanisms for network access to privileged accounts. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of privileged information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing replay resistant
-                     authentication mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.9">
-            <title>Network Access to Non-privileged Accounts - Replay Resistant</title>
-            <prop name="label">IA-2(9)</prop>
-            <prop name="sort-id">ia-02.09</prop>
-            <part id="ia-2.9_smt" name="statement">
-               <p>The information system implements replay-resistant authentication mechanisms for
-                  network access to non-privileged accounts.</p>
-            </part>
-            <part id="ia-2.9_gdn" name="guidance">
-               <p>Authentication processes resist replay attacks if it is impractical to achieve
-                  successful authentications by recording/replaying previous authentication
-                  messages. Replay-resistant techniques include, for example, protocols that use
-                  nonces or challenges such as Transport Layer Security (TLS) and time synchronous
-                  or challenge-response one-time authenticators.</p>
-            </part>
-            <part id="ia-2.9_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements replay-resistant authentication
-                  mechanisms for network access to non-privileged accounts. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of non-privileged information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing replay resistant
-                     authentication mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.11">
-            <title>Remote Access - Separate Device</title>
-            <param id="ia-2.11_prm_1">
-               <label>organization-defined strength of mechanism requirements</label>
-               <constraint>FIPS 140-2, NIAP Certification, or NSA approval</constraint>
-            </param>
-            <prop name="label">IA-2(11)</prop>
-            <prop name="sort-id">ia-02.11</prop>
-            <part id="ia-2.11_smt" name="statement">
-               <p>The information system implements multifactor authentication for remote access to
-                  privileged and non-privileged accounts such that one of the factors is provided by
-                  a device separate from the system gaining access and the device meets <insert param-id="ia-2.11_prm_1"/>.</p>
-               <part id="ia-2.11_fr" name="item">
-                  <title>IA-2 (11) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-2.11_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-2.11_gdn" name="guidance">
-               <p>For remote access to privileged/non-privileged accounts, the purpose of requiring
-                  a device that is separate from the information system gaining access for one of
-                  the factors during multifactor authentication is to reduce the likelihood of
-                  compromising authentication credentials stored on the system. For example,
-                  adversaries deploying malicious code on organizational information systems can
-                  potentially compromise such credentials resident on the system and subsequently
-                  impersonate authorized users.</p>
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.11_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-2.11_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(11)[1]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to privileged accounts such that one of the factors is provided by a device
-                     separate from the system gaining access;</p>
-               </part>
-               <part id="ia-2.11_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(11)[2]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to non-privileged accounts such that one of the factors is provided by a device
-                     separate from the system gaining access;</p>
-               </part>
-               <part id="ia-2.11_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-2(11)[3]</prop>
-                  <p>the organization defines strength of mechanism requirements to be enforced by a
-                     device separate from the system gaining remote access to privileged
-                     accounts;</p>
-               </part>
-               <part id="ia-2.11_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-2(11)[4]</prop>
-                  <p>the organization defines strength of mechanism requirements to be enforced by a
-                     device separate from the system gaining remote access to non-privileged
-                     accounts;</p>
-               </part>
-               <part id="ia-2.11_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(11)[5]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to privileged accounts such that a device, separate from the system gaining
-                     access, meets organization-defined strength of mechanism requirements; and</p>
-               </part>
-               <part id="ia-2.11_obj.6" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(11)[6]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to non-privileged accounts such that a device, separate from the system gaining
-                     access, meets organization-defined strength of mechanism requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of privileged and non-privileged information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.12">
-            <title>Acceptance of PIV Credentials</title>
-            <prop name="label">IA-2(12)</prop>
-            <prop name="sort-id">ia-02.12</prop>
-            <part id="ia-2.12_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials.</p>
-               <part id="ia-2.12_fr" name="item">
-                  <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-2.12_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-2.12_gdn" name="guidance">
-               <p>This control enhancement applies to organizations implementing logical access
-                  control systems (LACS) and physical access control systems (PACS). Personal
-                  Identity Verification (PIV) credentials are those credentials issued by federal
-                  agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                  OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                  requirements specified in HSPD-12 to enable agency-wide use of PIV
-                  credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-2.12_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-2.12_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(12)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials; and</p>
-               </part>
-               <part id="ia-2.12_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(12)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing acceptance and verification
-                     of PIV credentials</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-3">
-         <title>Device Identification and Authentication</title>
-         <param id="ia-3_prm_1">
-            <label>organization-defined specific and/or types of devices</label>
-         </param>
-         <param id="ia-3_prm_2"/>
-         <prop name="label">IA-3</prop>
-         <prop name="sort-id">ia-03</prop>
-         <part id="ia-3_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates <insert param-id="ia-3_prm_1"/> before establishing a <insert param-id="ia-3_prm_2"/>
-               connection.</p>
-         </part>
-         <part id="ia-3_gdn" name="guidance">
-            <p>Organizational devices requiring unique device-to-device identification and
-               authentication may be defined by type, by device, or by a combination of type/device.
-               Information systems typically use either shared known information (e.g., Media Access
-               Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)
-               for device identification or organizational authentication solutions (e.g., IEEE
-               802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport
-               Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on
-               local and/or wide area networks. Organizations determine the required strength of
-               authentication mechanisms by the security categories of information systems. Because
-               of the challenges of applying this control on large scale, organizations are
-               encouraged to only apply the control to those limited number (and type) of devices
-               that truly need to support this capability.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-         </part>
-         <part id="ia-3_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="ia-3_obj.1" name="objective">
-               <prop name="label">IA-3[1]</prop>
-               <p>the organization defines specific and/or types of devices that the information
-                  system uniquely identifies and authenticates before establishing one or more of
-                  the following:</p>
-               <part id="ia-3_obj.1.a" name="objective">
-                  <prop name="label">IA-3[1][a]</prop>
-                  <p>a local connection;</p>
-               </part>
-               <part id="ia-3_obj.1.b" name="objective">
-                  <prop name="label">IA-3[1][b]</prop>
-                  <p>a remote connection; and/or</p>
-               </part>
-               <part id="ia-3_obj.1.c" name="objective">
-                  <prop name="label">IA-3[1][c]</prop>
-                  <p>a network connection; and</p>
-               </part>
-            </part>
-            <part id="ia-3_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-3[2]</prop>
-               <p>the information system uniquely identifies and authenticates organization-defined
-                  devices before establishing one or more of the following:</p>
-               <part id="ia-3_obj.2.a" name="objective">
-                  <prop name="label">IA-3[2][a]</prop>
-                  <p>a local connection;</p>
-               </part>
-               <part id="ia-3_obj.2.b" name="objective">
-                  <prop name="label">IA-3[2][b]</prop>
-                  <p>a remote connection; and/or</p>
-               </part>
-               <part id="ia-3_obj.2.c" name="objective">
-                  <prop name="label">IA-3[2][c]</prop>
-                  <p>a network connection.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing device identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>list of devices requiring unique identification and authentication</p>
-               <p>device connection reports</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with operational responsibilities for device
-                  identification and authentication</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing device identification and
-                  authentication capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-4">
-         <title>Identifier Management</title>
-         <param id="ia-4_prm_1">
-            <label>organization-defined personnel or roles</label>
-            <constraint>at a minimum, the ISSO (or similar role within the organization)</constraint>
-         </param>
-         <param id="ia-4_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>at least two (2) years</constraint>
-         </param>
-         <param id="ia-4_prm_3">
-            <label>organization-defined time period of inactivity</label>
-            <constraint>thirty-five (35) days (See additional requirements and guidance.)</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-4</prop>
-         <prop name="sort-id">ia-04</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <part id="ia-4_smt" name="statement">
-            <p>The organization manages information system identifiers by:</p>
-            <part id="ia-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receiving authorization from <insert param-id="ia-4_prm_1"/> to assign an
-                  individual, group, role, or device identifier;</p>
-            </part>
-            <part id="ia-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Selecting an identifier that identifies an individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Assigning the identifier to the intended individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Preventing reuse of identifiers for <insert param-id="ia-4_prm_2"/>; and</p>
-            </part>
-            <part id="ia-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Disabling the identifier after <insert param-id="ia-4_prm_3"/>.</p>
-            </part>
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-4_gdn" name="guidance">
-            <p>Common device identifiers include, for example, media access control (MAC), Internet
-               protocol (IP) addresses, or device-unique token identifiers. Management of individual
-               identifiers is not applicable to shared information system accounts (e.g., guest and
-               anonymous accounts). Typically, individual identifiers are the user names of the
-               information system accounts assigned to those individuals. In such instances, the
-               account management activities of AC-2 use account names provided by IA-4. This
-               control also addresses individual identifiers not necessarily associated with
-               information system accounts (e.g., identifiers used in physical security control
-               databases accessed by badge reader systems for access to information systems).
-               Preventing reuse of identifiers implies preventing the assignment of previously used
-               individual, group, role, or device identifiers to different individuals, groups,
-               roles, or devices.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#sc-37">SC-37</link>
-         </part>
-         <part id="ia-4_obj" name="objective">
-            <p>Determine if the organization manages information system identifiers by: </p>
-            <part id="ia-4.a_obj" name="objective">
-               <prop name="label">IA-4(a)</prop>
-               <part id="ia-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(a)[1]</prop>
-                  <p>defining personnel or roles from whom authorization must be received to
-                     assign:</p>
-                  <part id="ia-4.a_obj.1.a" name="objective">
-                     <prop name="label">IA-4(a)[1][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.b" name="objective">
-                     <prop name="label">IA-4(a)[1][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.c" name="objective">
-                     <prop name="label">IA-4(a)[1][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.d" name="objective">
-                     <prop name="label">IA-4(a)[1][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-               <part id="ia-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(a)[2]</prop>
-                  <p>receiving authorization from organization-defined personnel or roles to
-                     assign:</p>
-                  <part id="ia-4.a_obj.2.a" name="objective">
-                     <prop name="label">IA-4(a)[2][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.b" name="objective">
-                     <prop name="label">IA-4(a)[2][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.c" name="objective">
-                     <prop name="label">IA-4(a)[2][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.d" name="objective">
-                     <prop name="label">IA-4(a)[2][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-4(b)</prop>
-               <p>selecting an identifier that identifies:</p>
-               <part id="ia-4.b_obj.1" name="objective">
-                  <prop name="label">IA-4(b)[1]</prop>
-                  <p>an individual;</p>
-               </part>
-               <part id="ia-4.b_obj.2" name="objective">
-                  <prop name="label">IA-4(b)[2]</prop>
-                  <p>a group;</p>
-               </part>
-               <part id="ia-4.b_obj.3" name="objective">
-                  <prop name="label">IA-4(b)[3]</prop>
-                  <p>a role; and/or</p>
-               </part>
-               <part id="ia-4.b_obj.4" name="objective">
-                  <prop name="label">IA-4(b)[4]</prop>
-                  <p>a device;</p>
-               </part>
-            </part>
-            <part id="ia-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-4(c)</prop>
-               <p>assigning the identifier to the intended:</p>
-               <part id="ia-4.c_obj.1" name="objective">
-                  <prop name="label">IA-4(c)[1]</prop>
-                  <p>individual;</p>
-               </part>
-               <part id="ia-4.c_obj.2" name="objective">
-                  <prop name="label">IA-4(c)[2]</prop>
-                  <p>group;</p>
-               </part>
-               <part id="ia-4.c_obj.3" name="objective">
-                  <prop name="label">IA-4(c)[3]</prop>
-                  <p>role; and/or</p>
-               </part>
-               <part id="ia-4.c_obj.4" name="objective">
-                  <prop name="label">IA-4(c)[4]</prop>
-                  <p>device;</p>
-               </part>
-            </part>
-            <part id="ia-4.d_obj" name="objective">
-               <prop name="label">IA-4(d)</prop>
-               <part id="ia-4.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(d)[1]</prop>
-                  <p>defining a time period for preventing reuse of identifiers;</p>
-               </part>
-               <part id="ia-4.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(d)[2]</prop>
-                  <p>preventing reuse of identifiers for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ia-4.e_obj" name="objective">
-               <prop name="label">IA-4(e)</prop>
-               <part id="ia-4.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(e)[1]</prop>
-                  <p>defining a time period of inactivity to disable the identifier; and</p>
-               </part>
-               <part id="ia-4.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(e)[2]</prop>
-                  <p>disabling the identifier after the organization-defined time period of
-                     inactivity.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing identifier management</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system accounts</p>
-               <p>list of identifiers generated from physical access control devices</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identifier management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identifier management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-4.4">
-            <title>Identify User Status</title>
-            <param id="ia-4.4_prm_1">
-               <label>organization-defined characteristic identifying individual status</label>
-               <constraint>contractors; foreign nationals]</constraint>
-            </param>
-            <prop name="label">IA-4(4)</prop>
-            <prop name="sort-id">ia-04.04</prop>
-            <part id="ia-4.4_smt" name="statement">
-               <p>The organization manages individual identifiers by uniquely identifying each
-                  individual as <insert param-id="ia-4.4_prm_1"/>.</p>
-            </part>
-            <part id="ia-4.4_gdn" name="guidance">
-               <p>Characteristics identifying the status of individuals include, for example,
-                  contractors and foreign nationals. Identifying the status of individuals by
-                  specific characteristics provides additional information about the people with
-                  whom organizational personnel are communicating. For example, it might be useful
-                  for a government employee to know that one of the individuals on an email message
-                  is a contractor.</p>
-               <link rel="related" href="#at-2">AT-2</link>
-            </part>
-            <part id="ia-4.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-4.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(4)[1]</prop>
-                  <p>defines a characteristic to be used to identify individual status; and</p>
-               </part>
-               <part id="ia-4.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(4)[2]</prop>
-                  <p>manages individual identifiers by uniquely identifying each individual as the
-                     organization-defined characteristic identifying individual status.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>list of characteristics identifying individual status</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identifier management</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-5">
-         <title>Authenticator Management</title>
-         <param id="ia-5_prm_1">
-            <label>organization-defined time period by authenticator type</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-5</prop>
-         <prop name="sort-id">ia-05</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-5_smt" name="statement">
-            <p>The organization manages information system authenticators by:</p>
-            <part id="ia-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Verifying, as part of the initial authenticator distribution, the identity of the
-                  individual, group, role, or device receiving the authenticator;</p>
-            </part>
-            <part id="ia-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Establishing and implementing administrative procedures for initial authenticator
-                  distribution, for lost/compromised or damaged authenticators, and for revoking
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changing/refreshing authenticators <insert param-id="ia-5_prm_1"/>;</p>
-            </part>
-            <part id="ia-5_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Protecting authenticator content from unauthorized disclosure and
-                  modification;</p>
-            </part>
-            <part id="ia-5_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Requiring individuals to take, and having devices implement, specific security
-                  safeguards to protect authenticators; and</p>
-            </part>
-            <part id="ia-5_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-5_gdn" name="guidance">
-            <p>Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-               certificates, and key cards. Initial authenticator content is the actual content
-               (e.g., the initial password) as opposed to requirements about authenticator content
-               (e.g., minimum password length). In many cases, developers ship information system
-               components with factory default authentication credentials to allow for initial
-               installation and configuration. Default authentication credentials are often well
-               known, easily discoverable, and present a significant security risk. The requirement
-               to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-               for authenticators stored within organizational information systems (e.g., passwords
-               stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-               accessible with administrator privileges). Information systems support individual
-               authenticator management by organization-defined settings and restrictions for
-               various authenticator characteristics including, for example, minimum password
-               length, password composition, validation time window for time synchronous one-time
-               tokens, and number of allowed rejections during the verification stage of biometric
-               authentication. Specific actions that can be taken to safeguard authenticators
-               include, for example, maintaining possession of individual authenticators, not
-               loaning or sharing individual authenticators with others, and reporting lost, stolen,
-               or compromised authenticators immediately. Authenticator management includes issuing
-               and revoking, when no longer needed, authenticators for temporary access such as that
-               required for remote maintenance. Device authenticators include, for example,
-               certificates and passwords.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-         </part>
-         <part id="ia-5_obj" name="objective">
-            <p>Determine if the organization manages information system authenticators by: </p>
-            <part id="ia-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(a)</prop>
-               <p>verifying, as part of the initial authenticator distribution, the identity of:</p>
-               <part id="ia-5.a_obj.1" name="objective">
-                  <prop name="label">IA-5(a)[1]</prop>
-                  <p>the individual receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.2" name="objective">
-                  <prop name="label">IA-5(a)[2]</prop>
-                  <p>the group receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.3" name="objective">
-                  <prop name="label">IA-5(a)[3]</prop>
-                  <p>the role receiving the authenticator; and/or</p>
-               </part>
-               <part id="ia-5.a_obj.4" name="objective">
-                  <prop name="label">IA-5(a)[4]</prop>
-                  <p>the device receiving the authenticator;</p>
-               </part>
-            </part>
-            <part id="ia-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">IA-5(b)</prop>
-               <p>establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(c)</prop>
-               <p>ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5.d_obj" name="objective">
-               <prop name="label">IA-5(d)</prop>
-               <part id="ia-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[1]</prop>
-                  <p>establishing and implementing administrative procedures for initial
-                     authenticator distribution;</p>
-               </part>
-               <part id="ia-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[2]</prop>
-                  <p>establishing and implementing administrative procedures for lost/compromised or
-                     damaged authenticators;</p>
-               </part>
-               <part id="ia-5.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[3]</prop>
-                  <p>establishing and implementing administrative procedures for revoking
-                     authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(e)</prop>
-               <p>changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5.f_obj" name="objective">
-               <prop name="label">IA-5(f)</prop>
-               <part id="ia-5.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[1]</prop>
-                  <p>establishing minimum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[2]</prop>
-                  <p>establishing maximum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[3]</prop>
-                  <p>establishing reuse conditions for authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.g_obj" name="objective">
-               <prop name="label">IA-5(g)</prop>
-               <part id="ia-5.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(g)[1]</prop>
-                  <p>defining a time period (by authenticator type) for changing/refreshing
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(g)[2]</prop>
-                  <p>changing/refreshing authenticators with the organization-defined time period by
-                     authenticator type;</p>
-               </part>
-            </part>
-            <part id="ia-5.h_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(h)</prop>
-               <p>protecting authenticator content from unauthorized:</p>
-               <part id="ia-5.h_obj.1" name="objective">
-                  <prop name="label">IA-5(h)[1]</prop>
-                  <p>disclosure;</p>
-               </part>
-               <part id="ia-5.h_obj.2" name="objective">
-                  <prop name="label">IA-5(h)[2]</prop>
-                  <p>modification;</p>
-               </part>
-            </part>
-            <part id="ia-5.i_obj" name="objective">
-               <prop name="label">IA-5(i)</prop>
-               <part id="ia-5.i_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IA-5(i)[1]</prop>
-                  <p>requiring individuals to take specific security safeguards to protect
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.i_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(i)[2]</prop>
-                  <p>having devices implement specific security safeguards to protect
-                     authenticators; and</p>
-               </part>
-            </part>
-            <part id="ia-5.j_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(j)</prop>
-               <p>changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator management</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system authenticator types</p>
-               <p>change control records associated with managing information system
-                  authenticators</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with authenticator management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing authenticator management
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-5.1">
-            <title>Password-based Authentication</title>
-            <param id="ia-5.1_prm_1">
-               <label>organization-defined requirements for case sensitivity, number of characters,
-                  mix of upper-case letters, lower-case letters, numbers, and special characters,
-                  including minimum requirements for each type</label>
-            </param>
-            <param id="ia-5.1_prm_2">
-               <label>organization-defined number</label>
-               <constraint>at least fifty percent (50%)</constraint>
-            </param>
-            <param id="ia-5.1_prm_3">
-               <label>organization-defined numbers for lifetime minimum, lifetime maximum</label>
-            </param>
-            <param id="ia-5.1_prm_4">
-               <label>organization-defined number</label>
-               <constraint>twenty four (24)</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">IA-5(1)</prop>
-            <prop name="sort-id">ia-05.01</prop>
-            <part id="ia-5.1_smt" name="statement">
-               <p>The information system, for password-based authentication:</p>
-               <part id="ia-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Enforces minimum password complexity of <insert param-id="ia-5.1_prm_1"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces at least the following number of changed characters when new passwords
-                     are created: <insert param-id="ia-5.1_prm_2"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Stores and transmits only cryptographically-protected passwords;</p>
-               </part>
-               <part id="ia-5.1_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Enforces password minimum and maximum lifetime restrictions of <insert param-id="ia-5.1_prm_3"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Prohibits password reuse for <insert param-id="ia-5.1_prm_4"/> generations;
-                     and</p>
-               </part>
-               <part id="ia-5.1_smt.f" name="item">
-                  <prop name="label">(f)</prop>
-                  <p>Allows the use of a temporary password for system logons with an immediate
-                     change to a permanent password.</p>
-               </part>
-               <part id="ia-5.1_fr" name="item">
-                  <title>IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-5.1_fr_gdn.1" name="guidance">
-                     <prop name="label">(a) (d) Guidance:</prop>
-                     <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-5.1_gdn" name="guidance">
-               <p>This control enhancement applies to single-factor authentication of individuals
-                  using passwords as individual or group authenticators, and in a similar manner,
-                  when passwords are part of multifactor authenticators. This control enhancement
-                  does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                  Personal Identity Verification cards). The implementation of such password
-                  mechanisms may not meet all of the requirements in the enhancement.
-                  Cryptographically-protected passwords include, for example, encrypted versions of
-                  passwords and one-way cryptographic hashes of passwords. The number of changed
-                  characters refers to the number of changes required with respect to the total
-                  number of positions in the current password. Password lifetime restrictions do not
-                  apply to temporary passwords. To mitigate certain brute force attacks against
-                  passwords, organizations may also consider salting passwords.</p>
-               <link rel="related" href="#ia-6">IA-6</link>
-            </part>
-            <part id="ia-5.1_obj" name="objective">
-               <p>Determine if, for password-based authentication: </p>
-               <part id="ia-5.1.a_obj" name="objective">
-                  <prop name="label">IA-5(1)(a)</prop>
-                  <part id="ia-5.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[1]</prop>
-                     <p>the organization defines requirements for case sensitivity;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[2]</prop>
-                     <p>the organization defines requirements for number of characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[3]</prop>
-                     <p>the organization defines requirements for the mix of upper-case letters,
-                        lower-case letters, numbers and special characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.4" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[4]</prop>
-                     <p>the organization defines minimum requirements for each type of
-                        character;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.5" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(a)[5]</prop>
-                     <p>the information system enforces minimum password complexity of
-                        organization-defined requirements for case sensitivity, number of
-                        characters, mix of upper-case letters, lower-case letters, numbers, and
-                        special characters, including minimum requirements for each type;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.a">IA-5(1)(a)</link>
-               </part>
-               <part id="ia-5.1.b_obj" name="objective">
-                  <prop name="label">IA-5(1)(b)</prop>
-                  <part id="ia-5.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(b)[1]</prop>
-                     <p>the organization defines a minimum number of changed characters to be
-                        enforced when new passwords are created;</p>
-                  </part>
-                  <part id="ia-5.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(b)[2]</prop>
-                     <p>the information system enforces at least the organization-defined minimum
-                        number of characters that must be changed when new passwords are
-                        created;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.b">IA-5(1)(b)</link>
-               </part>
-               <part id="ia-5.1.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(1)(c)</prop>
-                  <p>the information system stores and transmits only encrypted representations of
-                     passwords;</p>
-                  <link rel="corresp" href="#ia-5.1_smt.c">IA-5(1)(c)</link>
-               </part>
-               <part id="ia-5.1.d_obj" name="objective">
-                  <prop name="label">IA-5(1)(d)</prop>
-                  <part id="ia-5.1.d_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(d)[1]</prop>
-                     <p>the organization defines numbers for password minimum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(d)[2]</prop>
-                     <p>the organization defines numbers for password maximum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(d)[3]</prop>
-                     <p>the information system enforces password minimum lifetime restrictions of
-                        organization-defined numbers for lifetime minimum;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.4" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(d)[4]</prop>
-                     <p>the information system enforces password maximum lifetime restrictions of
-                        organization-defined numbers for lifetime maximum;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.d">IA-5(1)(d)</link>
-               </part>
-               <part id="ia-5.1.e_obj" name="objective">
-                  <prop name="label">IA-5(1)(e)</prop>
-                  <part id="ia-5.1.e_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(e)[1]</prop>
-                     <p>the organization defines the number of password generations to be prohibited
-                        from password reuse;</p>
-                  </part>
-                  <part id="ia-5.1.e_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(e)[2]</prop>
-                     <p>the information system prohibits password reuse for the organization-defined
-                        number of generations; and</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.e">IA-5(1)(e)</link>
-               </part>
-               <part id="ia-5.1.f_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(1)(f)</prop>
-                  <p>the information system allows the use of a temporary password for system logons
-                     with an immediate change to a permanent password.</p>
-                  <link rel="corresp" href="#ia-5.1_smt.f">IA-5(1)(f)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>password policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>password configurations and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing password-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.2">
-            <title>Pki-based Authentication</title>
-            <prop name="label">IA-5(2)</prop>
-            <prop name="sort-id">ia-05.02</prop>
-            <part id="ia-5.2_smt" name="statement">
-               <p>The information system, for PKI-based authentication:</p>
-               <part id="ia-5.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Validates certifications by constructing and verifying a certification path to
-                     an accepted trust anchor including checking certificate status information;</p>
-               </part>
-               <part id="ia-5.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces authorized access to the corresponding private key;</p>
-               </part>
-               <part id="ia-5.2_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Maps the authenticated identity to the account of the individual or group;
-                     and</p>
-               </part>
-               <part id="ia-5.2_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Implements a local cache of revocation data to support path discovery and
-                     validation in case of inability to access revocation information via the
-                     network.</p>
-               </part>
-            </part>
-            <part id="ia-5.2_gdn" name="guidance">
-               <p>Status information for certification paths includes, for example, certificate
-                  revocation lists or certificate status protocol responses. For PIV cards,
-                  validation of certifications involves the construction and verification of a
-                  certification path to the Common Policy Root trust anchor including certificate
-                  policy processing.</p>
-               <link rel="related" href="#ia-6">IA-6</link>
-            </part>
-            <part id="ia-5.2_obj" name="objective">
-               <p>Determine if the information system, for PKI-based authentication: </p>
-               <part id="ia-5.2.a_obj" name="objective">
-                  <prop name="label">IA-5(2)(a)</prop>
-                  <part id="ia-5.2.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(2)(a)[1]</prop>
-                     <p>validates certifications by constructing a certification path to an accepted
-                        trust anchor;</p>
-                  </part>
-                  <part id="ia-5.2.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(2)(a)[2]</prop>
-                     <p>validates certifications by verifying a certification path to an accepted
-                        trust anchor;</p>
-                  </part>
-                  <part id="ia-5.2.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(2)(a)[3]</prop>
-                     <p>includes checking certificate status information when constructing and
-                        verifying the certification path;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.2_smt.a">IA-5(2)(a)</link>
-               </part>
-               <part id="ia-5.2.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(2)(b)</prop>
-                  <p>enforces authorized access to the corresponding private key;</p>
-                  <link rel="corresp" href="#ia-5.2_smt.b">IA-5(2)(b)</link>
-               </part>
-               <part id="ia-5.2.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(2)(c)</prop>
-                  <p>maps the authenticated identity to the account of the individual or group;
-                     and</p>
-                  <link rel="corresp" href="#ia-5.2_smt.c">IA-5(2)(c)</link>
-               </part>
-               <part id="ia-5.2.d_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(2)(d)</prop>
-                  <p>implements a local cache of revocation data to support path discovery and
-                     validation in case of inability to access revocation information via the
-                     network.</p>
-                  <link rel="corresp" href="#ia-5.2_smt.d">IA-5(2)(d)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>PKI certification validation records</p>
-                  <p>PKI certification revocation lists</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with PKI-based, authenticator management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing PKI-based, authenticator
-                     management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.3">
-            <title>In-person or Trusted Third-party Registration</title>
-            <param id="ia-5.3_prm_1">
-               <label>organization-defined types of and/or specific authenticators</label>
-               <constraint>All hardware/biometric (multifactor authenticators)</constraint>
-            </param>
-            <param id="ia-5.3_prm_2">
-               <constraint>in person</constraint>
-            </param>
-            <param id="ia-5.3_prm_3">
-               <label>organization-defined registration authority</label>
-            </param>
-            <param id="ia-5.3_prm_4">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IA-5(3)</prop>
-            <prop name="sort-id">ia-05.03</prop>
-            <part id="ia-5.3_smt" name="statement">
-               <p>The organization requires that the registration process to receive <insert param-id="ia-5.3_prm_1"/> be conducted <insert param-id="ia-5.3_prm_2"/> before
-                     <insert param-id="ia-5.3_prm_3"/> with authorization by <insert param-id="ia-5.3_prm_4"/>.</p>
-            </part>
-            <part id="ia-5.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(3)[1]</prop>
-                  <p>defines types of and/or specific authenticators to be received in person or by
-                     a trusted third party;</p>
-               </part>
-               <part id="ia-5.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(3)[2]</prop>
-                  <p>defines the registration authority with oversight of the registration process
-                     for receipt of organization-defined types of and/or specific
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(3)[3]</prop>
-                  <p>defines personnel or roles responsible for authorizing organization-defined
-                     registration authority;</p>
-               </part>
-               <part id="ia-5.3_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(3)[4]</prop>
-                  <p>defines if the registration process is to be conducted:</p>
-                  <part id="ia-5.3_obj.4.a" name="objective">
-                     <prop name="label">IA-5(3)[4][a]</prop>
-                     <p>in person; or</p>
-                  </part>
-                  <part id="ia-5.3_obj.4.b" name="objective">
-                     <prop name="label">IA-5(3)[4][b]</prop>
-                     <p>by a trusted third party; and</p>
-                  </part>
-               </part>
-               <part id="ia-5.3_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IA-5(3)[5]</prop>
-                  <p>requires that the registration process to receive organization-defined types of
-                     and/or specific authenticators be conducted in person or by a trusted third
-                     party before organization-defined registration authority with authorization by
-                     organization-defined personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>registration process for receiving information system authenticators</p>
-                  <p>list of authenticators requiring in-person registration</p>
-                  <p>list of authenticators requiring trusted third party registration</p>
-                  <p>authenticator registration documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>registration authority</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.4">
-            <title>Automated Support for Password Strength Determination</title>
-            <param id="ia-5.4_prm_1">
-               <label>organization-defined requirements</label>
-               <constraint>complexity as identified in IA-5 (1) Control Enhancement Part (a)</constraint>
-            </param>
-            <prop name="label">IA-5(4)</prop>
-            <prop name="sort-id">ia-05.04</prop>
-            <part id="ia-5.4_smt" name="statement">
-               <p>The organization employs automated tools to determine if password authenticators
-                  are sufficiently strong to satisfy <insert param-id="ia-5.4_prm_1"/>.</p>
-               <part id="ia-5.4_fr" name="item">
-                  <title>IA-5 (4) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-5.4_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-5.4_gdn" name="guidance">
-               <p>This control enhancement focuses on the creation of strong passwords and the
-                  characteristics of such passwords (e.g., complexity) prior to use, the enforcement
-                  of which is carried out by organizational information systems in IA-5 (1).</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="ia-5.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(4)[1]</prop>
-                  <p>defines requirements to be satisfied by password authenticators; and</p>
-               </part>
-               <part id="ia-5.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(4)[2]</prop>
-                  <p>employs automated tools to determine if password authenticators are
-                     sufficiently strong to satisfy organization-defined requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>automated tools for evaluating password authenticators</p>
-                  <p>password strength assessment results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing password-based
-                     authenticator management capability</p>
-                  <p>automated tools for determining password strength</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.6">
-            <title>Protection of Authenticators</title>
-            <prop name="label">IA-5(6)</prop>
-            <prop name="sort-id">ia-05.06</prop>
-            <part id="ia-5.6_smt" name="statement">
-               <p>The organization protects authenticators commensurate with the security category
-                  of the information to which use of the authenticator permits access.</p>
-            </part>
-            <part id="ia-5.6_gdn" name="guidance">
-               <p>For information systems containing multiple security categories of information
-                  without reliable physical or logical separation between categories, authenticators
-                  used to grant access to the systems are protected commensurate with the highest
-                  security category of information on the systems.</p>
-            </part>
-            <part id="ia-5.6_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization protects authenticators commensurate with the
-                  security category of the information to which use of the authenticator permits
-                  access.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security categorization documentation for the information system</p>
-                  <p>security assessments of authenticator protections</p>
-                  <p>risk assessment results</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel implementing and/or maintaining authenticator
-                     protections</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-                  <p>automated mechanisms protecting authenticators</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.7">
-            <title>No Embedded Unencrypted Static Authenticators</title>
-            <prop name="label">IA-5(7)</prop>
-            <prop name="sort-id">ia-05.07</prop>
-            <part id="ia-5.7_smt" name="statement">
-               <p>The organization ensures that unencrypted static authenticators are not embedded
-                  in applications or access scripts or stored on function keys.</p>
-            </part>
-            <part id="ia-5.7_gdn" name="guidance">
-               <p>Organizations exercise caution in determining whether embedded or stored
-                  authenticators are in encrypted or unencrypted form. If authenticators are used in
-                  the manner stored, then those representations are considered unencrypted
-                  authenticators. This is irrespective of whether that representation is perhaps an
-                  encrypted version of something else (e.g., a password).</p>
-            </part>
-            <part id="ia-5.7_obj" name="objective">
-               <p>Determine if the organization ensures that unencrypted static authenticators are
-                  not: </p>
-               <part id="ia-5.7_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(7)[1]</prop>
-                  <p>embedded in applications;</p>
-               </part>
-               <part id="ia-5.7_obj.2" name="objective">
-                  <prop name="label">IA-5(7)[2]</prop>
-                  <p>embedded in access scripts; or</p>
-               </part>
-               <part id="ia-5.7_obj.3" name="objective">
-                  <prop name="label">IA-5(7)[3]</prop>
-                  <p>stored on function keys.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>logical access scripts</p>
-                  <p>application code reviews for detecting unencrypted static authenticators</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-                  <p>automated mechanisms implementing authentication in applications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.8">
-            <title>Multiple Information System Accounts</title>
-            <param id="ia-5.8_prm_1">
-               <label>organization-defined security safeguards</label>
-               <constraint>different authenticators on different systems</constraint>
-            </param>
-            <prop name="label">IA-5(8)</prop>
-            <prop name="sort-id">ia-05.08</prop>
-            <part id="ia-5.8_smt" name="statement">
-               <p>The organization implements <insert param-id="ia-5.8_prm_1"/> to manage the risk
-                  of compromise due to individuals having accounts on multiple information
-                  systems.</p>
-            </part>
-            <part id="ia-5.8_gdn" name="guidance">
-               <p>When individuals have accounts on multiple information systems, there is the risk
-                  that the compromise of one account may lead to the compromise of other accounts if
-                  individuals use the same authenticators. Possible alternatives include, for
-                  example: (i) having different authenticators on all systems; (ii) employing some
-                  form of single sign-on mechanism; or (iii) including some form of one-time
-                  passwords on all systems.</p>
-            </part>
-            <part id="ia-5.8_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.8_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(8)[1]</prop>
-                  <p>defines security safeguards to manage the risk of compromise due to individuals
-                     having accounts on multiple information systems; and</p>
-               </part>
-               <part id="ia-5.8_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(8)[2]</prop>
-                  <p>implements organization-defined security safeguards to manage the risk of
-                     compromise due to individuals having accounts on multiple information
-                     systems.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>list of individuals having accounts on multiple information systems</p>
-                  <p>list of security safeguards intended to manage risk of compromise due to
-                     individuals having accounts on multiple information systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing safeguards for
-                     authenticator management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.11">
-            <title>Hardware Token-based Authentication</title>
-            <param id="ia-5.11_prm_1">
-               <label>organization-defined token quality requirements</label>
-            </param>
-            <prop name="label">IA-5(11)</prop>
-            <prop name="sort-id">ia-05.11</prop>
-            <part id="ia-5.11_smt" name="statement">
-               <p>The information system, for hardware token-based authentication, employs
-                  mechanisms that satisfy <insert param-id="ia-5.11_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.11_gdn" name="guidance">
-               <p>Hardware token-based authentication typically refers to the use of PKI-based
-                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                  Organizations define specific requirements for tokens, such as working with a
-                  particular PKI.</p>
-            </part>
-            <part id="ia-5.11_obj" name="objective">
-               <p>Determine if, for hardware token-based authentication: </p>
-               <part id="ia-5.11_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(11)[1]</prop>
-                  <p>the organization defines token quality requirements to be satisfied; and</p>
-               </part>
-               <part id="ia-5.11_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(11)[2]</prop>
-                  <p>the information system employs mechanisms that satisfy organization-defined
-                     token quality requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>automated mechanisms employing hardware token-based authentication for the
-                     information system</p>
-                  <p>list of token quality requirements</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing hardware token-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.13">
-            <title>Expiration of Cached Authenticators</title>
-            <param id="ia-5.13_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">IA-5(13)</prop>
-            <prop name="sort-id">ia-05.13</prop>
-            <part id="ia-5.13_smt" name="statement">
-               <p>The information system prohibits the use of cached authenticators after <insert param-id="ia-5.13_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.13_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-5.13_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(13)[1]</prop>
-                  <p>the organization defines the time period after which the information system is
-                     to prohibit the use of cached authenticators; and</p>
-               </part>
-               <part id="ia-5.13_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(13)[2]</prop>
-                  <p>the information system prohibits the use of cached authenticators after the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-6">
-         <title>Authenticator Feedback</title>
-         <prop name="label">IA-6</prop>
-         <prop name="sort-id">ia-06</prop>
-         <part id="ia-6_smt" name="statement">
-            <p>The information system obscures feedback of authentication information during the
-               authentication process to protect the information from possible exploitation/use by
-               unauthorized individuals.</p>
-         </part>
-         <part id="ia-6_gdn" name="guidance">
-            <p>The feedback from information systems does not provide information that would allow
-               unauthorized individuals to compromise authentication mechanisms. For some types of
-               information systems or system components, for example, desktops/notebooks with
-               relatively large monitors, the threat (often referred to as shoulder surfing) may be
-               significant. For other types of systems or components, for example, mobile devices
-               with 2-4 inch screens, this threat may be less significant, and may need to be
-               balanced against the increased likelihood of typographic input errors due to the
-               small keyboards. Therefore, the means for obscuring the authenticator feedback is
-               selected accordingly. Obscuring the feedback of authentication information includes,
-               for example, displaying asterisks when users type passwords into input devices, or
-               displaying feedback for a very limited time before fully obscuring it.</p>
-            <link rel="related" href="#pe-18">PE-18</link>
-         </part>
-         <part id="ia-6_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system obscures feedback of authentication information
-               during the authentication process to protect the information from possible
-               exploitation/use by unauthorized individuals.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator feedback</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                  authentication information during authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-7">
-         <title>Cryptographic Module Authentication</title>
-         <prop name="label">IA-7</prop>
-         <prop name="sort-id">ia-07</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#b09d1a31-d3c9-4138-a4f4-4c63816afd7d" rel="reference">http://csrc.nist.gov/groups/STM/cmvp/index.html</link>
-         <part id="ia-7_smt" name="statement">
-            <p>The information system implements mechanisms for authentication to a cryptographic
-               module that meet the requirements of applicable federal laws, Executive Orders,
-               directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part id="ia-7_gdn" name="guidance">
-            <p>Authentication mechanisms may be required within a cryptographic module to
-               authenticate an operator accessing the module and to verify that the operator is
-               authorized to assume the requested role and perform services within that role.</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ia-7_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system implements mechanisms for authentication to a
-               cryptographic module that meet the requirements of applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing cryptographic module authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for cryptographic module
-                  authentication</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic module
-                  authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-8">
-         <title>Identification and Authentication (non-organizational Users)</title>
-         <prop name="label">IA-8</prop>
-         <prop name="sort-id">ia-08</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#599fe9ba-4750-4450-9eeb-b95bd19a5e8f" rel="reference">OMB Memorandum 10-06-2011</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#654f21e2-f3bc-43b2-abdc-60ab8d09744b" rel="reference">National Strategy for Trusted Identities in
-            Cyberspace</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-8_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates non-organizational users
-               (or processes acting on behalf of non-organizational users).</p>
-         </part>
-         <part id="ia-8_gdn" name="guidance">
-            <p>Non-organizational users include information system users other than organizational
-               users explicitly covered by IA-2. These individuals are uniquely identified and
-               authenticated for accesses other than those accesses explicitly identified and
-               documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-               authentication of non-organizational users accessing federal information systems may
-               be required to protect federal, proprietary, or privacy-related information (with
-               exceptions noted for national security systems). Organizations use risk assessments
-               to determine authentication needs and consider scalability, practicality, and
-               security in balancing the need to ensure ease of use for access to federal
-               information and information systems with the need to protect and adequately mitigate
-               risk. IA-2 addresses identification and authentication requirements for access to
-               information systems by organizational users.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-         </part>
-         <part id="ia-8_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               non-organizational users (or processes acting on behalf of non-organizational
-               users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-8.1">
-            <title>Acceptance of PIV Credentials from Other Agencies</title>
-            <prop name="label">IA-8(1)</prop>
-            <prop name="sort-id">ia-08.01</prop>
-            <part id="ia-8.1_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials from other federal agencies.</p>
-            </part>
-            <part id="ia-8.1_gdn" name="guidance">
-               <p>This control enhancement applies to logical access control systems (LACS) and
-                  physical access control systems (PACS). Personal Identity Verification (PIV)
-                  credentials are those credentials issued by federal agencies that conform to FIPS
-                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                  federal agencies to continue implementing the requirements specified in HSPD-12 to
-                  enable agency-wide use of PIV credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.1_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(1)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials from other agencies;
-                     and</p>
-               </part>
-               <part id="ia-8.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(1)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials from
-                     other agencies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept and verify PIV credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.2">
-            <title>Acceptance of Third-party Credentials</title>
-            <prop name="label">IA-8(2)</prop>
-            <prop name="sort-id">ia-08.02</prop>
-            <part id="ia-8.2_smt" name="statement">
-               <p>The information system accepts only FICAM-approved third-party credentials.</p>
-            </part>
-            <part id="ia-8.2_gdn" name="guidance">
-               <p>This control enhancement typically applies to organizational information systems
-                  that are accessible to the general public, for example, public-facing websites.
-                  Third-party credentials are those credentials issued by nonfederal government
-                  entities approved by the Federal Identity, Credential, and Access Management
-                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                  meet or exceed the set of minimum federal government-wide technical, security,
-                  privacy, and organizational maturity requirements. This allows federal government
-                  relying parties to trust such credentials at their approved assurance levels.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ia-8.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system accepts only FICAM-approved third-party
-                  credentials. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-approved, third-party credentialing products, components, or
-                     services procured and implemented by organization</p>
-                  <p>third-party credential verification records</p>
-                  <p>evidence of FICAM-approved third-party credentials</p>
-                  <p>third-party credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept FICAM-approved credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.3">
-            <title>Use of Ficam-approved Products</title>
-            <param id="ia-8.3_prm_1">
-               <label>organization-defined information systems</label>
-            </param>
-            <prop name="label">IA-8(3)</prop>
-            <prop name="sort-id">ia-08.03</prop>
-            <part id="ia-8.3_smt" name="statement">
-               <p>The organization employs only FICAM-approved information system components in
-                     <insert param-id="ia-8.3_prm_1"/> to accept third-party credentials.</p>
-            </part>
-            <part id="ia-8.3_gdn" name="guidance">
-               <p>This control enhancement typically applies to information systems that are
-                  accessible to the general public, for example, public-facing websites.
-                  FICAM-approved information system components include, for example, information
-                  technology products and software libraries that have been approved by the Federal
-                  Identity, Credential, and Access Management conformance program.</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-8.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-8(3)[1]</prop>
-                  <p>defines information systems in which only FICAM-approved information system
-                     components are to be employed to accept third-party credentials; and</p>
-               </part>
-               <part id="ia-8.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(3)[2]</prop>
-                  <p>employs only FICAM-approved information system components in
-                     organization-defined information systems to accept third-party credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>third-party credential validations</p>
-                  <p>third-party credential authorizations</p>
-                  <p>third-party credential records</p>
-                  <p>list of FICAM-approved information system components procured and implemented
-                     by organization</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information system security, acquisition, and
-                     contracting responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.4">
-            <title>Use of Ficam-issued Profiles</title>
-            <prop name="label">IA-8(4)</prop>
-            <prop name="sort-id">ia-08.04</prop>
-            <part id="ia-8.4_smt" name="statement">
-               <p>The information system conforms to FICAM-issued profiles.</p>
-            </part>
-            <part id="ia-8.4_gdn" name="guidance">
-               <p>This control enhancement addresses open identity management standards. To ensure
-                  that these standards are viable, robust, reliable, sustainable (e.g., available in
-                  commercial information technology products), and interoperable as documented, the
-                  United States Government assesses and scopes identity management standards and
-                  technology implementations against applicable federal legislation, directives,
-                  policies, and requirements. The result is FICAM-issued implementation profiles of
-                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                  Exchange).</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system conforms to FICAM-issued profiles. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-issued profiles and associated, approved protocols</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing conformance with
-                     FICAM-issued profiles</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ir">
-      <title>Incident Response</title>
-      <control class="SP800-53" id="ir-1">
-         <title>Incident Response Policy and Procedures</title>
-         <param id="ir-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ir-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-1</prop>
-         <prop name="sort-id">ir-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ir-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ir-1_prm_1"/>:</p>
-               <part id="ir-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An incident response policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ir-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the incident response policy and
-                     associated incident response controls; and</p>
-               </part>
-            </part>
-            <part id="ir-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ir-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Incident response policy <insert param-id="ir-1_prm_2"/>; and</p>
-               </part>
-               <part id="ir-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Incident response procedures <insert param-id="ir-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IR
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ir-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-1.a_obj" name="objective">
-               <prop name="label">IR-1(a)</prop>
-               <part id="ir-1.a.1_obj" name="objective">
-                  <prop name="label">IR-1(a)(1)</prop>
-                  <part id="ir-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(1)[1]</prop>
-                     <p>develops and documents an incident response policy that addresses:</p>
-                     <part id="ir-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ir-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the incident response policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-1(a)(1)[3]</prop>
-                     <p>disseminates the incident response policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ir-1.a.2_obj" name="objective">
-                  <prop name="label">IR-1(a)(2)</prop>
-                  <part id="ir-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        incident response policy and associated incident response controls;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-1.b_obj" name="objective">
-               <prop name="label">IR-1(b)</prop>
-               <part id="ir-1.b.1_obj" name="objective">
-                  <prop name="label">IR-1(b)(1)</prop>
-                  <part id="ir-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        policy;</p>
-                  </part>
-                  <part id="ir-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current incident response policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ir-1.b.2_obj" name="objective">
-                  <prop name="label">IR-1(b)(2)</prop>
-                  <part id="ir-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        procedures; and</p>
-                  </part>
-                  <part id="ir-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current incident response procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-2">
-         <title>Incident Response Training</title>
-         <param id="ir-2_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>within ten (10) days</constraint>
-         </param>
-         <param id="ir-2_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-2</prop>
-         <prop name="sort-id">ir-02</prop>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="ir-2_smt" name="statement">
-            <p>The organization provides incident response training to information system users
-               consistent with assigned roles and responsibilities:</p>
-            <part id="ir-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="ir-2_prm_1"/> of assuming an incident response role or
-                  responsibility;</p>
-            </part>
-            <part id="ir-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="ir-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="ir-2_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="ir-2_gdn" name="guidance">
-            <p>Incident response training provided by organizations is linked to the assigned roles
-               and responsibilities of organizational personnel to ensure the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know who to call or how to recognize an incident on the information system;
-               system administrators may require additional training on how to handle/remediate
-               incidents; and incident responders may receive more specific training on forensics,
-               reporting, system recovery, and restoration. Incident response training includes user
-               training in the identification and reporting of suspicious activities, both from
-               external and internal sources.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-2.a_obj" name="objective">
-               <prop name="label">IR-2(a)</prop>
-               <part id="ir-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-2(a)[1]</prop>
-                  <p>defines a time period within which incident response training is to be provided
-                     to information system users assuming an incident response role or
-                     responsibility;</p>
-               </part>
-               <part id="ir-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-2(a)[2]</prop>
-                  <p>provides incident response training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming an incident response role or responsibility;</p>
-               </part>
-            </part>
-            <part id="ir-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">IR-2(b)</prop>
-               <p>provides incident response training to information system users consistent with
-                  assigned roles and responsibilities when required by information system
-                  changes;</p>
-            </part>
-            <part id="ir-2.c_obj" name="objective">
-               <prop name="label">IR-2(c)</prop>
-               <part id="ir-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher incident response training to
-                     information system users consistent with assigned roles or responsibilities;
-                     and</p>
-               </part>
-               <part id="ir-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-2(c)[2]</prop>
-                  <p>after the initial incident response training, provides refresher incident
-                     response training to information system users consistent with assigned roles
-                     and responsibilities in accordance with the organization-defined frequency to
-                     provide refresher training.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response training</p>
-               <p>incident response training curriculum</p>
-               <p>incident response training materials</p>
-               <p>security plan</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>incident response training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response training and operational
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-2.1">
-            <title>Simulated Events</title>
-            <prop name="label">IR-2(1)</prop>
-            <prop name="sort-id">ir-02.01</prop>
-            <part id="ir-2.1_smt" name="statement">
-               <p>The organization incorporates simulated events into incident response training to
-                  facilitate effective response by personnel in crisis situations.</p>
-            </part>
-            <part id="ir-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization incorporates simulated events into incident response
-                  training to facilitate effective response by personnel in crisis situations. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response training</p>
-                  <p>incident response training curriculum</p>
-                  <p>incident response training materials</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response training and operational
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement simulated events for
-                     incident response training</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-2.2">
-            <title>Automated Training Environments</title>
-            <prop name="label">IR-2(2)</prop>
-            <prop name="sort-id">ir-02.02</prop>
-            <part id="ir-2.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to provide a more thorough and
-                  realistic incident response training environment.</p>
-            </part>
-            <part id="ir-2.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to provide a more
-                  thorough and realistic incident response training environment. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response training</p>
-                  <p>incident response training curriculum</p>
-                  <p>incident response training materials</p>
-                  <p>automated mechanisms supporting incident response training</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response training and operational
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that provide a thorough and realistic incident response
-                     training environment</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-3">
-         <title>Incident Response Testing</title>
-         <param id="ir-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every six (6) months</constraint>
-         </param>
-         <param id="ir-3_prm_2">
-            <label>organization-defined tests</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-3</prop>
-         <prop name="sort-id">ir-03</prop>
-         <link href="#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf" rel="reference">NIST Special Publication 800-84</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <part id="ir-3_smt" name="statement">
-            <p>The organization tests the incident response capability for the information system
-                  <insert param-id="ir-3_prm_1"/> using <insert param-id="ir-3_prm_2"/> to determine
-               the incident response effectiveness and documents the results.</p>
-            <part id="ir-3_fr" name="item">
-               <title>IR-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-3_fr_smt.1" name="item">
-                  <prop name="label">IR-3 -2 Requirement:</prop>
-                  <p>The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-3_gdn" name="guidance">
-            <p>Organizations test incident response capabilities to determine the overall
-               effectiveness of the capabilities and to identify potential weaknesses or
-               deficiencies. Incident response testing includes, for example, the use of checklists,
-               walk-through or tabletop exercises, simulations (parallel/full interrupt), and
-               comprehensive exercises. Incident response testing can also include a determination
-               of the effects on organizational operations (e.g., reduction in mission
-               capabilities), organizational assets, and individuals due to incident response.</p>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-3_obj.1" name="objective">
-               <prop name="label">IR-3[1]</prop>
-               <p>defines incident response tests to test the incident response capability for the
-                  information system;</p>
-            </part>
-            <part id="ir-3_obj.2" name="objective">
-               <prop name="label">IR-3[2]</prop>
-               <p>defines the frequency to test the incident response capability for the information
-                  system; and</p>
-            </part>
-            <part id="ir-3_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">IR-3[3]</prop>
-               <p>tests the incident response capability for the information system with the
-                  organization-defined frequency, using organization-defined tests to determine the
-                  incident response effectiveness and documents the results.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>contingency planning policy</p>
-               <p>procedures addressing incident response testing</p>
-               <p>procedures addressing contingency plan testing</p>
-               <p>incident response testing material</p>
-               <p>incident response test results</p>
-               <p>incident response test plan</p>
-               <p>incident response plan</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response testing responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-3.2">
-            <title>Coordination with Related Plans</title>
-            <prop name="label">IR-3(2)</prop>
-            <prop name="sort-id">ir-03.02</prop>
-            <part id="ir-3.2_smt" name="statement">
-               <p>The organization coordinates incident response testing with organizational
-                  elements responsible for related plans.</p>
-            </part>
-            <part id="ir-3.2_gdn" name="guidance">
-               <p>Organizational plans related to incident response testing include, for example,
-                  Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity
-                  of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  and Occupant Emergency Plans.</p>
-            </part>
-            <part id="ir-3.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization coordinates incident response testing with
-                  organizational elements responsible for related plans. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>contingency planning policy</p>
-                  <p>procedures addressing incident response testing</p>
-                  <p>incident response testing documentation</p>
-                  <p>incident response plan</p>
-                  <p>business continuity plans</p>
-                  <p>contingency plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response testing responsibilities</p>
-                  <p>organizational personnel with responsibilities for testing organizational plans
-                     related to incident response testing</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-4">
-         <title>Incident Handling</title>
-         <prop name="label">IR-4</prop>
-         <prop name="sort-id">ir-04</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Implements an incident handling capability for security incidents that includes
-                  preparation, detection and analysis, containment, eradication, and recovery;</p>
-            </part>
-            <part id="ir-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates incident handling activities with contingency planning activities;
-                  and</p>
-            </part>
-            <part id="ir-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Incorporates lessons learned from ongoing incident handling activities into
-                  incident response procedures, training, and testing, and implements the resulting
-                  changes accordingly.</p>
-            </part>
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-4_gdn" name="guidance">
-            <p>Organizations recognize that incident response capability is dependent on the
-               capabilities of organizational information systems and the mission/business processes
-               being supported by those systems. Therefore, organizations consider incident response
-               as part of the definition, design, and development of mission/business processes and
-               information systems. Incident-related information can be obtained from a variety of
-               sources including, for example, audit monitoring, network monitoring, physical access
-               monitoring, user/administrator reports, and reported supply chain events. Effective
-               incident handling capability includes coordination among many organizational entities
-               including, for example, mission/business owners, information system owners,
-               authorizing officials, human resources offices, physical and personnel security
-               offices, legal departments, operations personnel, procurement offices, and the risk
-               executive (function).</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-4.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">IR-4(a)</prop>
-               <p>implements an incident handling capability for security incidents that
-                  includes:</p>
-               <part id="ir-4.a_obj.1" name="objective">
-                  <prop name="label">IR-4(a)[1]</prop>
-                  <p>preparation;</p>
-               </part>
-               <part id="ir-4.a_obj.2" name="objective">
-                  <prop name="label">IR-4(a)[2]</prop>
-                  <p>detection and analysis;</p>
-               </part>
-               <part id="ir-4.a_obj.3" name="objective">
-                  <prop name="label">IR-4(a)[3]</prop>
-                  <p>containment;</p>
-               </part>
-               <part id="ir-4.a_obj.4" name="objective">
-                  <prop name="label">IR-4(a)[4]</prop>
-                  <p>eradication;</p>
-               </part>
-               <part id="ir-4.a_obj.5" name="objective">
-                  <prop name="label">IR-4(a)[5]</prop>
-                  <p>recovery;</p>
-               </part>
-            </part>
-            <part id="ir-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">IR-4(b)</prop>
-               <p>coordinates incident handling activities with contingency planning activities;</p>
-            </part>
-            <part id="ir-4.c_obj" name="objective">
-               <prop name="label">IR-4(c)</prop>
-               <part id="ir-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-4(c)[1]</prop>
-                  <p>incorporates lessons learned from ongoing incident handling activities
-                     into:</p>
-                  <part id="ir-4.c_obj.1.a" name="objective">
-                     <prop name="label">IR-4(c)[1][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.b" name="objective">
-                     <prop name="label">IR-4(c)[1][b]</prop>
-                     <p>training;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.c" name="objective">
-                     <prop name="label">IR-4(c)[1][c]</prop>
-                     <p>testing/exercises;</p>
-                  </part>
-               </part>
-               <part id="ir-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-4(c)[2]</prop>
-                  <p>implements the resulting changes accordingly to:</p>
-                  <part id="ir-4.c_obj.2.a" name="objective">
-                     <prop name="label">IR-4(c)[2][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.b" name="objective">
-                     <prop name="label">IR-4(c)[2][b]</prop>
-                     <p>training; and</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.c" name="objective">
-                     <prop name="label">IR-4(c)[2][c]</prop>
-                     <p>testing/exercises.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>contingency planning policy</p>
-               <p>procedures addressing incident handling</p>
-               <p>incident response plan</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident handling capability for the organization</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-4.1">
-            <title>Automated Incident Handling Processes</title>
-            <prop name="label">IR-4(1)</prop>
-            <prop name="sort-id">ir-04.01</prop>
-            <part id="ir-4.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to support the incident handling
-                  process.</p>
-            </part>
-            <part id="ir-4.1_gdn" name="guidance">
-               <p>Automated mechanisms supporting incident handling processes include, for example,
-                  online incident management systems.</p>
-            </part>
-            <part id="ir-4.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to support the incident
-                  handling process. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting incident handling</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement the incident handling
-                     process</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.2">
-            <title>Dynamic Reconfiguration</title>
-            <param id="ir-4.2_prm_1">
-               <label>organization-defined information system components</label>
-               <constraint>all network, data storage, and computing devices</constraint>
-            </param>
-            <prop name="label">IR-4(2)</prop>
-            <prop name="sort-id">ir-04.02</prop>
-            <part id="ir-4.2_smt" name="statement">
-               <p>The organization includes dynamic reconfiguration of <insert param-id="ir-4.2_prm_1"/> as part of the incident response capability.</p>
-            </part>
-            <part id="ir-4.2_gdn" name="guidance">
-               <p>Dynamic reconfiguration includes, for example, changes to router rules, access
-                  control lists, intrusion detection/prevention system parameters, and filter rules
-                  for firewalls and gateways. Organizations perform dynamic reconfiguration of
-                  information systems, for example, to stop attacks, to misdirect attackers, and to
-                  isolate components of systems, thus limiting the extent of the damage from
-                  breaches or compromises. Organizations include time frames for achieving the
-                  reconfiguration of information systems in the definition of the reconfiguration
-                  capability, considering the potential need for rapid response in order to
-                  effectively address sophisticated cyber threats.</p>
-               <link rel="related" href="#ac-2">AC-2</link>
-               <link rel="related" href="#ac-4">AC-4</link>
-               <link rel="related" href="#ac-16">AC-16</link>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-4">CM-4</link>
-            </part>
-            <part id="ir-4.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-4.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-4(2)[1]</prop>
-                  <p>defines information system components to be dynamically reconfigured as part of
-                     the incident response capability; and</p>
-               </part>
-               <part id="ir-4.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-4(2)[2]</prop>
-                  <p>includes dynamic reconfiguration of organization-defined information system
-                     components as part of the incident response capability.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting incident handling</p>
-                  <p>list of system components to be dynamically reconfigured as part of incident
-                     response capability</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement dynamic reconfiguration of
-                     components as part of incident response</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.3">
-            <title>Continuity of Operations</title>
-            <param id="ir-4.3_prm_1">
-               <label>organization-defined classes of incidents</label>
-            </param>
-            <param id="ir-4.3_prm_2">
-               <label>organization-defined actions to take in response to classes of
-                  incidents</label>
-            </param>
-            <prop name="label">IR-4(3)</prop>
-            <prop name="sort-id">ir-04.03</prop>
-            <part id="ir-4.3_smt" name="statement">
-               <p>The organization identifies <insert param-id="ir-4.3_prm_1"/> and <insert param-id="ir-4.3_prm_2"/> to ensure continuation of organizational missions and
-                  business functions.</p>
-            </part>
-            <part id="ir-4.3_gdn" name="guidance">
-               <p>Classes of incidents include, for example, malfunctions due to
-                  design/implementation errors and omissions, targeted malicious attacks, and
-                  untargeted malicious attacks. Appropriate incident response actions include, for
-                  example, graceful degradation, information system shutdown, fall back to manual
-                  mode/alternative technology whereby the system operates differently, employing
-                  deceptive measures, alternate information flows, or operating in a mode that is
-                  reserved solely for when systems are under attack.</p>
-            </part>
-            <part id="ir-4.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-4.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-4(3)[1]</prop>
-                  <p>defines classes of incidents requiring an organization-defined action to be
-                     taken;</p>
-               </part>
-               <part id="ir-4.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-4(3)[2]</prop>
-                  <p>defines actions to be taken in response to organization-defined classes of
-                     incidents; and</p>
-               </part>
-               <part id="ir-4.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-4(3)[3]</prop>
-                  <p>identifies organization-defined classes of incidents and organization-defined
-                     actions to take in response to classes of incidents to ensure continuation of
-                     organizational missions and business functions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>list of classes of incidents</p>
-                  <p>list of appropriate incident response actions</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement continuity of operations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.4">
-            <title>Information Correlation</title>
-            <prop name="label">IR-4(4)</prop>
-            <prop name="sort-id">ir-04.04</prop>
-            <part id="ir-4.4_smt" name="statement">
-               <p>The organization correlates incident information and individual incident responses
-                  to achieve an organization-wide perspective on incident awareness and
-                  response.</p>
-            </part>
-            <part id="ir-4.4_gdn" name="guidance">
-               <p>Sometimes the nature of a threat event, for example, a hostile cyber attack, is
-                  such that it can only be observed by bringing together information from different
-                  sources including various reports and reporting procedures established by
-                  organizations.</p>
-            </part>
-            <part id="ir-4.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization correlates incident information and individual
-                  incident responses to achieve an organization-wide perspective on incident
-                  awareness and response. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>automated mechanisms supporting incident and event correlation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident management correlation logs</p>
-                  <p>event management correlation logs</p>
-                  <p>security information and event management logs</p>
-                  <p>incident management correlation reports</p>
-                  <p>event management correlation reports</p>
-                  <p>security information and event management reports</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with whom incident information and individual incident
-                     responses are to be correlated</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for correlating incident information and individual
-                     incident responses</p>
-                  <p>automated mechanisms that support and or implement correlation of incident
-                     response information with individual incident responses</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.6">
-            <title>Insider Threats - Specific Capabilities</title>
-            <prop name="label">IR-4(6)</prop>
-            <prop name="sort-id">ir-04.06</prop>
-            <part id="ir-4.6_smt" name="statement">
-               <p>The organization implements incident handling capability for insider threats.</p>
-            </part>
-            <part id="ir-4.6_gdn" name="guidance">
-               <p>While many organizations address insider threat incidents as an inherent part of
-                  their organizational incident response capability, this control enhancement
-                  provides additional emphasis on this type of threat and the need for specific
-                  incident handling capabilities (as defined within organizations) to provide
-                  appropriate and timely responses.</p>
-            </part>
-            <part id="ir-4.6_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization implements incident handling capability for insider
-                  threats.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting incident handling</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Incident handling capability for the organization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.8">
-            <title>Correlation with External Organizations</title>
-            <param id="ir-4.8_prm_1">
-               <label>organization-defined external organizations</label>
-               <constraint>external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)</constraint>
-            </param>
-            <param id="ir-4.8_prm_2">
-               <label>organization-defined incident information</label>
-            </param>
-            <prop name="label">IR-4(8)</prop>
-            <prop name="sort-id">ir-04.08</prop>
-            <part id="ir-4.8_smt" name="statement">
-               <p>The organization coordinates with <insert param-id="ir-4.8_prm_1"/> to correlate
-                  and share <insert param-id="ir-4.8_prm_2"/> to achieve a cross-organization
-                  perspective on incident awareness and more effective incident responses.</p>
-            </part>
-            <part id="ir-4.8_gdn" name="guidance">
-               <p>The coordination of incident information with external organizations including,
-                  for example, mission/business partners, military/coalition partners, customers,
-                  and multitiered developers, can provide significant benefits. Cross-organizational
-                  coordination with respect to incident handling can serve as an important risk
-                  management capability. This capability allows organizations to leverage critical
-                  information from a variety of sources to effectively respond to information
-                  security-related incidents potentially affecting the organization’s operations,
-                  assets, and individuals.</p>
-            </part>
-            <part id="ir-4.8_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-4.8_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-4(8)[1]</prop>
-                  <p>defines external organizations with whom organizational incident information is
-                     to be coordinated;</p>
-               </part>
-               <part id="ir-4.8_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-4(8)[2]</prop>
-                  <p>defines incident information to be correlated and shared with
-                     organization-defined external organizations; and</p>
-               </part>
-               <part id="ir-4.8_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-4(8)[3]</prop>
-                  <p>the organization coordinates with organization-defined external organizations
-                     to correlate and share organization-defined information to achieve a
-                     cross-organization perspective on incident awareness and more effective
-                     incident responses.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>list of external organizations</p>
-                  <p>records of incident handling coordination with external organizations</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel from external organizations with whom incident response information
-                     is to be coordinated/shared/correlated</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for coordinating incident handling information with
-                     external organizations</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-5">
-         <title>Incident Monitoring</title>
-         <prop name="label">IR-5</prop>
-         <prop name="sort-id">ir-05</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-5_smt" name="statement">
-            <p>The organization tracks and documents information system security incidents.</p>
-         </part>
-         <part id="ir-5_gdn" name="guidance">
-            <p>Documenting information system security incidents includes, for example, maintaining
-               records about each incident, the status of the incident, and other pertinent
-               information necessary for forensics, evaluating incident details, trends, and
-               handling. Incident information can be obtained from a variety of sources including,
-               for example, incident reports, incident response teams, audit monitoring, network
-               monitoring, physical access monitoring, and user/administrator reports.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-5_obj.1" name="objective">
-               <prop name="label">IR-5[1]</prop>
-               <p>tracks information system security incidents; and</p>
-            </part>
-            <part id="ir-5_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-5[2]</prop>
-               <p>documents information system security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident monitoring</p>
-               <p>incident response records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident monitoring capability for the organization</p>
-               <p>automated mechanisms supporting and/or implementing tracking and documenting of
-                  system security incidents</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-5.1">
-            <title>Automated Tracking / Data Collection / Analysis</title>
-            <prop name="label">IR-5(1)</prop>
-            <prop name="sort-id">ir-05.01</prop>
-            <part id="ir-5.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to assist in the tracking of
-                  security incidents and in the collection and analysis of incident information.</p>
-            </part>
-            <part id="ir-5.1_gdn" name="guidance">
-               <p>Automated mechanisms for tracking security incidents and collecting/analyzing
-                  incident information include, for example, the Einstein network monitoring device
-                  and monitoring online Computer Incident Response Centers (CIRCs) or other
-                  electronic databases of incidents.</p>
-               <link rel="related" href="#au-7">AU-7</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="ir-5.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to assist in:</p>
-               <part id="ir-5.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-5(1)[1]</prop>
-                  <p>the tracking of security incidents;</p>
-               </part>
-               <part id="ir-5.1_obj.2" name="objective">
-                  <prop name="label">IR-5(1)[2]</prop>
-                  <p>the collection of incident information; and</p>
-               </part>
-               <part id="ir-5.1_obj.3" name="objective">
-                  <prop name="label">IR-5(1)[3]</prop>
-                  <p>the analysis of incident information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident monitoring</p>
-                  <p>automated mechanisms supporting incident monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms assisting in tracking of security incidents and in the
-                     collection and analysis of incident information</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-6">
-         <title>Incident Reporting</title>
-         <param id="ir-6_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-         </param>
-         <param id="ir-6_prm_2">
-            <label>organization-defined authorities</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-6</prop>
-         <prop name="sort-id">ir-06</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#02631467-668b-4233-989b-3dfded2fd184" rel="reference">http://www.us-cert.gov</link>
-         <part id="ir-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires personnel to report suspected security incidents to the organizational
-                  incident response capability within <insert param-id="ir-6_prm_1"/>; and</p>
-            </part>
-            <part id="ir-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports security incident information to <insert param-id="ir-6_prm_2"/>.</p>
-            </part>
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-6_gdn" name="guidance">
-            <p>The intent of this control is to address both specific incident reporting
-               requirements within an organization and the formal incident reporting requirements
-               for federal agencies and their subordinate organizations. Suspected security
-               incidents include, for example, the receipt of suspicious email communications that
-               can potentially contain malicious code. The types of security incidents reported, the
-               content and timeliness of the reports, and the designated reporting authorities
-               reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-               standards, and guidance. Current federal policy requires that all federal agencies
-               (unless specifically exempted from such requirements) report security incidents to
-               the United States Computer Emergency Readiness Team (US-CERT) within specified time
-               frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-               Incident Handling.</p>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-6.a_obj" name="objective">
-               <prop name="label">IR-6(a)</prop>
-               <part id="ir-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-6(a)[1]</prop>
-                  <p>defines the time period within which personnel report suspected security
-                     incidents to the organizational incident response capability;</p>
-               </part>
-               <part id="ir-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-6(a)[2]</prop>
-                  <p>requires personnel to report suspected security incidents to the organizational
-                     incident response capability within the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ir-6.b_obj" name="objective">
-               <prop name="label">IR-6(b)</prop>
-               <part id="ir-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-6(b)[1]</prop>
-                  <p>defines authorities to whom security incident information is to be reported;
-                     and</p>
-               </part>
-               <part id="ir-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-6(b)[2]</prop>
-                  <p>reports security incident information to organization-defined authorities.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident reporting</p>
-               <p>incident reporting records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident reporting responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel who have/should have reported incidents</p>
-               <p>personnel (authorities) to whom incident information is to be reported</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident reporting</p>
-               <p>automated mechanisms supporting and/or implementing incident reporting</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-6.1">
-            <title>Automated Reporting</title>
-            <prop name="label">IR-6(1)</prop>
-            <prop name="sort-id">ir-06.01</prop>
-            <part id="ir-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to assist in the reporting of
-                  security incidents.</p>
-            </part>
-            <part id="ir-6.1_gdn" name="guidance">
-               <link rel="related" href="#ir-7">IR-7</link>
-            </part>
-            <part id="ir-6.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to assist in the
-                  reporting of security incidents.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident reporting</p>
-                  <p>automated mechanisms supporting incident reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident reporting responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incident reporting</p>
-                  <p>automated mechanisms supporting and/or implementing reporting of security
-                     incidents</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-7">
-         <title>Incident Response Assistance</title>
-         <prop name="label">IR-7</prop>
-         <prop name="sort-id">ir-07</prop>
-         <part id="ir-7_smt" name="statement">
-            <p>The organization provides an incident response support resource, integral to the
-               organizational incident response capability that offers advice and assistance to
-               users of the information system for the handling and reporting of security
-               incidents.</p>
-         </part>
-         <part id="ir-7_gdn" name="guidance">
-            <p>Incident response support resources provided by organizations include, for example,
-               help desks, assistance groups, and access to forensics services, when required.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ir-7_obj" name="objective">
-            <p>Determine if the organization provides an incident response support resource:</p>
-            <part id="ir-7_obj.1" name="objective">
-               <prop name="label">IR-7[1]</prop>
-               <p>that is integral to the organizational incident response capability; and</p>
-            </part>
-            <part id="ir-7_obj.2" name="objective">
-               <prop name="label">IR-7[2]</prop>
-               <p>that offers advice and assistance to users of the information system for the
-                  handling and reporting of security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response assistance</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response assistance and support
-                  responsibilities</p>
-               <p>organizational personnel with access to incident response support and assistance
-                  capability</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident response assistance</p>
-               <p>automated mechanisms supporting and/or implementing incident response
-                  assistance</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-7.1">
-            <title>Automation Support for Availability of Information / Support</title>
-            <prop name="label">IR-7(1)</prop>
-            <prop name="sort-id">ir-07.01</prop>
-            <part id="ir-7.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to increase the availability of
-                  incident response-related information and support.</p>
-            </part>
-            <part id="ir-7.1_gdn" name="guidance">
-               <p>Automated mechanisms can provide a push and/or pull capability for users to obtain
-                  incident response assistance. For example, individuals might have access to a
-                  website to query the assistance capability, or conversely, the assistance
-                  capability may have the ability to proactively send information to users (general
-                  distribution or targeted) as part of increasing understanding of current response
-                  capabilities and support.</p>
-            </part>
-            <part id="ir-7.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to increase the
-                  availability of incident response-related information and support.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response assistance</p>
-                  <p>automated mechanisms supporting incident response support and assistance</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response support and assistance
-                     responsibilities</p>
-                  <p>organizational personnel with access to incident response support and
-                     assistance capability</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incident response assistance</p>
-                  <p>automated mechanisms supporting and/or implementing an increase in the
-                     availability of incident response information and support</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-7.2">
-            <title>Coordination with External Providers</title>
-            <prop name="label">IR-7(2)</prop>
-            <prop name="sort-id">ir-07.02</prop>
-            <part id="ir-7.2_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ir-7.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Establishes a direct, cooperative relationship between its incident response
-                     capability and external providers of information system protection capability;
-                     and</p>
-               </part>
-               <part id="ir-7.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Identifies organizational incident response team members to the external
-                     providers.</p>
-               </part>
-            </part>
-            <part id="ir-7.2_gdn" name="guidance">
-               <p>External providers of information system protection capability include, for
-                  example, the Computer Network Defense program within the U.S. Department of
-                  Defense. External providers help to protect, monitor, analyze, detect, and respond
-                  to unauthorized activity within organizational information systems and
-                  networks.</p>
-            </part>
-            <part id="ir-7.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-7.2.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-7(2)(a)</prop>
-                  <p>establishes a direct, cooperative relationship between its incident response
-                     capability and external providers of information system protection capability;
-                     and</p>
-                  <link rel="corresp" href="#ir-7.2_smt.a">IR-7(2)(a)</link>
-               </part>
-               <part id="ir-7.2.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-7(2)(b)</prop>
-                  <p>identifies organizational incident response team members to the external
-                     providers.</p>
-                  <link rel="corresp" href="#ir-7.2_smt.b">IR-7(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response assistance</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response support and assistance
-                     responsibilities</p>
-                  <p>external providers of information system protection capability</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-8">
-         <title>Incident Response Plan</title>
-         <param id="ir-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-8_prm_2">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-            <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-         </param>
-         <param id="ir-8_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ir-8_prm_4">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-            <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-8</prop>
-         <prop name="sort-id">ir-08</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops an incident response plan that:</p>
-               <part id="ir-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Meets the unique requirements of the organization, which relate to mission,
-                     size, structure, and functions;</p>
-               </part>
-               <part id="ir-8_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Defines reportable incidents;</p>
-               </part>
-               <part id="ir-8_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability; and</p>
-               </part>
-               <part id="ir-8_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Is reviewed and approved by <insert param-id="ir-8_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="ir-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the incident response plan to <insert param-id="ir-8_prm_2"/>;</p>
-            </part>
-            <part id="ir-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the incident response plan <insert param-id="ir-8_prm_3"/>;</p>
-            </part>
-            <part id="ir-8_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan implementation, execution, or testing;</p>
-            </part>
-            <part id="ir-8_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Communicates incident response plan changes to <insert param-id="ir-8_prm_4"/>;
-                  and</p>
-            </part>
-            <part id="ir-8_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-8_gdn" name="guidance">
-            <p>It is important that organizations develop and implement a coordinated approach to
-               incident response. Organizational missions, business functions, strategies, goals,
-               and objectives for incident response help to determine the structure of incident
-               response capabilities. As part of a comprehensive incident response capability,
-               organizations consider the coordination and sharing of information with external
-               organizations, including, for example, external service providers and organizations
-               involved in the supply chain for organizational information systems.</p>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-         </part>
-         <part id="ir-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-8.a_obj" name="objective">
-               <prop name="label">IR-8(a)</prop>
-               <p>develops an incident response plan that:</p>
-               <part id="ir-8.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(1)</prop>
-                  <p>provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(2)</prop>
-                  <p>describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(3)</prop>
-                  <p>provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(4)</prop>
-                  <p>meets the unique requirements of the organization, which relate to:</p>
-                  <part id="ir-8.a.4_obj.1" name="objective">
-                     <prop name="label">IR-8(a)(4)[1]</prop>
-                     <p>mission;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.2" name="objective">
-                     <prop name="label">IR-8(a)(4)[2]</prop>
-                     <p>size;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.3" name="objective">
-                     <prop name="label">IR-8(a)(4)[3]</prop>
-                     <p>structure;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.4" name="objective">
-                     <prop name="label">IR-8(a)(4)[4]</prop>
-                     <p>functions;</p>
-                  </part>
-               </part>
-               <part id="ir-8.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(5)</prop>
-                  <p>defines reportable incidents;</p>
-               </part>
-               <part id="ir-8.a.6_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(a)(6)</prop>
-                  <p>provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8.a.7_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(7)</prop>
-                  <p>defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability;</p>
-               </part>
-               <part id="ir-8.a.8_obj" name="objective">
-                  <prop name="label">IR-8(a)(8)</prop>
-                  <part id="ir-8.a.8_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(a)(8)[1]</prop>
-                     <p>defines personnel or roles to review and approve the incident response
-                        plan;</p>
-                  </part>
-                  <part id="ir-8.a.8_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-8(a)(8)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-8.b_obj" name="objective">
-               <prop name="label">IR-8(b)</prop>
-               <part id="ir-8.b_obj.1" name="objective">
-                  <prop name="label">IR-8(b)[1]</prop>
-                  <part id="ir-8.b_obj.1.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(b)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom copies of the incident response plan are to be distributed;</p>
-                  </part>
-                  <part id="ir-8.b_obj.1.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(b)[1][b]</prop>
-                     <p>defines organizational elements to whom copies of the incident response plan
-                        are to be distributed;</p>
-                  </part>
-               </part>
-               <part id="ir-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(b)[2]</prop>
-                  <p>distributes copies of the incident response plan to organization-defined
-                     incident response personnel (identified by name and/or by role) and
-                     organizational elements;</p>
-               </part>
-            </part>
-            <part id="ir-8.c_obj" name="objective">
-               <prop name="label">IR-8(c)</prop>
-               <part id="ir-8.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(c)[1]</prop>
-                  <p>defines the frequency to review the incident response plan;</p>
-               </part>
-               <part id="ir-8.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-8(c)[2]</prop>
-                  <p>reviews the incident response plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ir-8.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-8(d)</prop>
-               <p>updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan:</p>
-               <part id="ir-8.d_obj.1" name="objective">
-                  <prop name="label">IR-8(d)[1]</prop>
-                  <p>implementation;</p>
-               </part>
-               <part id="ir-8.d_obj.2" name="objective">
-                  <prop name="label">IR-8(d)[2]</prop>
-                  <p>execution; or</p>
-               </part>
-               <part id="ir-8.d_obj.3" name="objective">
-                  <prop name="label">IR-8(d)[3]</prop>
-                  <p>testing;</p>
-               </part>
-            </part>
-            <part id="ir-8.e_obj" name="objective">
-               <prop name="label">IR-8(e)</prop>
-               <part id="ir-8.e_obj.1" name="objective">
-                  <prop name="label">IR-8(e)[1]</prop>
-                  <part id="ir-8.e_obj.1.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(e)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom incident response plan changes are to be communicated;</p>
-                  </part>
-                  <part id="ir-8.e_obj.1.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IR-8(e)[1][b]</prop>
-                     <p>defines organizational elements to whom incident response plan changes are
-                        to be communicated;</p>
-                  </part>
-               </part>
-               <part id="ir-8.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(e)[2]</prop>
-                  <p>communicates incident response plan changes to organization-defined incident
-                     response personnel (identified by name and/or by role) and organizational
-                     elements; and</p>
-               </part>
-            </part>
-            <part id="ir-8.f_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-8(f)</prop>
-               <p>protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response planning</p>
-               <p>incident response plan</p>
-               <p>records of incident response plan reviews and approvals</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational incident response plan and related organizational processes</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-9">
-         <title>Information Spillage Response</title>
-         <param id="ir-9_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-9_prm_2">
-            <label>organization-defined actions</label>
-         </param>
-         <prop name="label">IR-9</prop>
-         <prop name="sort-id">ir-09</prop>
-         <part id="ir-9_smt" name="statement">
-            <p>The organization responds to information spills by:</p>
-            <part id="ir-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifying the specific information involved in the information system
-                  contamination;</p>
-            </part>
-            <part id="ir-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Alerting <insert param-id="ir-9_prm_1"/> of the information spill using a method
-                  of communication not associated with the spill;</p>
-            </part>
-            <part id="ir-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Isolating the contaminated information system or system component;</p>
-            </part>
-            <part id="ir-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Eradicating the information from the contaminated information system or
-                  component;</p>
-            </part>
-            <part id="ir-9_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Identifying other information systems or system components that may have been
-                  subsequently contaminated; and</p>
-            </part>
-            <part id="ir-9_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Performing other <insert param-id="ir-9_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="ir-9_gdn" name="guidance">
-            <p>Information spillage refers to instances where either classified or sensitive
-               information is inadvertently placed on information systems that are not authorized to
-               process such information. Such information spills often occur when information that
-               is initially thought to be of lower sensitivity is transmitted to an information
-               system and then is subsequently determined to be of higher sensitivity. At that
-               point, corrective action is required. The nature of the organizational response is
-               generally based upon the degree of sensitivity of the spilled information (e.g.,
-               security category or classification level), the security capabilities of the
-               information system, the specific nature of contaminated storage media, and the access
-               authorizations (e.g., security clearances) of individuals with authorized access to
-               the contaminated system. The methods used to communicate information about the spill
-               after the fact do not involve methods directly associated with the actual spill to
-               minimize the risk of further spreading the contamination before such contamination is
-               isolated and eradicated.</p>
-         </part>
-         <part id="ir-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-9.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-9(a)</prop>
-               <p>responds to information spills by identifying the specific information causing the
-                  information system contamination;</p>
-            </part>
-            <part id="ir-9.b_obj" name="objective">
-               <prop name="label">IR-9(b)</prop>
-               <part id="ir-9.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(b)[1]</prop>
-                  <p>defines personnel to be alerted of the information spillage;</p>
-               </part>
-               <part id="ir-9.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-9(b)[2]</prop>
-                  <p>identifies a method of communication not associated with the information spill
-                     to use to alert organization-defined personnel of the spill;</p>
-               </part>
-               <part id="ir-9.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-9(b)[3]</prop>
-                  <p>responds to information spills by alerting organization-defined personnel of
-                     the information spill using a method of communication not associated with the
-                     spill;</p>
-               </part>
-            </part>
-            <part id="ir-9.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-9(c)</prop>
-               <p>responds to information spills by isolating the contaminated information
-                  system;</p>
-            </part>
-            <part id="ir-9.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-9(d)</prop>
-               <p>responds to information spills by eradicating the information from the
-                  contaminated information system;</p>
-            </part>
-            <part id="ir-9.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-9(e)</prop>
-               <p>responds to information spills by identifying other information systems that may
-                  have been subsequently contaminated;</p>
-            </part>
-            <part id="ir-9.f_obj" name="objective">
-               <prop name="label">IR-9(f)</prop>
-               <part id="ir-9.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(f)[1]</prop>
-                  <p>defines other actions to be performed in response to information spills;
-                     and</p>
-               </part>
-               <part id="ir-9.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-9(f)[2]</prop>
-                  <p>responds to information spills by performing other organization-defined
-                     actions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing information spillage</p>
-               <p>incident response plan</p>
-               <p>records of information spillage alerts/notifications, list of personnel who should
-                  receive alerts of information spillage</p>
-               <p>list of actions to be performed regarding information spillage</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information spillage response</p>
-               <p>automated mechanisms supporting and/or implementing information spillage response
-                  actions and related communications</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-9.1">
-            <title>Responsible Personnel</title>
-            <param id="ir-9.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IR-9(1)</prop>
-            <prop name="sort-id">ir-09.01</prop>
-            <part id="ir-9.1_smt" name="statement">
-               <p>The organization assigns <insert param-id="ir-9.1_prm_1"/> with responsibility for
-                  responding to information spills.</p>
-            </part>
-            <part id="ir-9.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-9.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(1)[1]</prop>
-                  <p>defines personnel with responsibility for responding to information spills;
-                     and</p>
-               </part>
-               <part id="ir-9.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-9(1)[2]</prop>
-                  <p>assigns organization-defined personnel with responsibility for responding to
-                     information spills.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>list of personnel responsible for responding to information spillage</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.2">
-            <title>Training</title>
-            <param id="ir-9.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least annually</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">IR-9(2)</prop>
-            <prop name="sort-id">ir-09.02</prop>
-            <part id="ir-9.2_smt" name="statement">
-               <p>The organization provides information spillage response training <insert param-id="ir-9.2_prm_1"/>.</p>
-            </part>
-            <part id="ir-9.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(2)[1]</prop>
-                  <p>defines the frequency to provide information spillage response training;
-                     and</p>
-               </part>
-               <part id="ir-9.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-9(2)[2]</prop>
-                  <p>provides information spillage response training with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing information spillage response training</p>
-                  <p>information spillage response training curriculum</p>
-                  <p>information spillage response training materials</p>
-                  <p>incident response plan</p>
-                  <p>information spillage response training records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response training responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.3">
-            <title>Post-spill Operations</title>
-            <param id="ir-9.3_prm_1">
-               <label>organization-defined procedures</label>
-            </param>
-            <prop name="label">IR-9(3)</prop>
-            <prop name="sort-id">ir-09.03</prop>
-            <part id="ir-9.3_smt" name="statement">
-               <p>The organization implements <insert param-id="ir-9.3_prm_1"/> to ensure that
-                  organizational personnel impacted by information spills can continue to carry out
-                  assigned tasks while contaminated systems are undergoing corrective actions.</p>
-            </part>
-            <part id="ir-9.3_gdn" name="guidance">
-               <p>Correction actions for information systems contaminated due to information
-                  spillages may be very time-consuming. During those periods, personnel may not have
-                  access to the contaminated systems, which may potentially affect their ability to
-                  conduct organizational business.</p>
-            </part>
-            <part id="ir-9.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(3)[1]</prop>
-                  <p>defines procedures that ensure organizational personnel impacted by information
-                     spills can continue to carry out assigned tasks while contaminated systems are
-                     undergoing corrective actions; and</p>
-               </part>
-               <part id="ir-9.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-9(3)[2]</prop>
-                  <p>implements organization-defined procedures to ensure that organizational
-                     personnel impacted by information spills can continue to carry out assigned
-                     tasks while contaminated systems are undergoing corrective actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for post-spill operations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.4">
-            <title>Exposure to Unauthorized Personnel</title>
-            <param id="ir-9.4_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">IR-9(4)</prop>
-            <prop name="sort-id">ir-09.04</prop>
-            <part id="ir-9.4_smt" name="statement">
-               <p>The organization employs <insert param-id="ir-9.4_prm_1"/> for personnel exposed
-                  to information not within assigned access authorizations.</p>
-            </part>
-            <part id="ir-9.4_gdn" name="guidance">
-               <p>Security safeguards include, for example, making personnel exposed to spilled
-                  information aware of the federal laws, directives, policies, and/or regulations
-                  regarding the information and the restrictions imposed based on exposure to such
-                  information.</p>
-            </part>
-            <part id="ir-9.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(4)[1]</prop>
-                  <p>defines security safeguards to be employed for personnel exposed to information
-                     not within assigned access authorizations; and</p>
-               </part>
-               <part id="ir-9.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-9(4)[2]</prop>
-                  <p>employs organization-defined security safeguards for personnel exposed to
-                     information not within assigned access authorizations.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>security safeguards regarding information spillage/exposure to unauthorized
-                     personnel</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for dealing with information exposed to unauthorized
-                     personnel</p>
-                  <p>automated mechanisms supporting and/or implementing safeguards for personnel
-                     exposed to information not within assigned access authorizations</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ma">
-      <title>Maintenance</title>
-      <control class="SP800-53" id="ma-1">
-         <title>System Maintenance Policy and Procedures</title>
-         <param id="ma-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ma-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MA-1</prop>
-         <prop name="sort-id">ma-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ma-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ma-1_prm_1"/>:</p>
-               <part id="ma-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system maintenance policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ma-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system maintenance policy
-                     and associated system maintenance controls; and</p>
-               </part>
-            </part>
-            <part id="ma-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ma-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System maintenance policy <insert param-id="ma-1_prm_2"/>; and</p>
-               </part>
-               <part id="ma-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System maintenance procedures <insert param-id="ma-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ma-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ma-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-1.a_obj" name="objective">
-               <prop name="label">MA-1(a)</prop>
-               <part id="ma-1.a.1_obj" name="objective">
-                  <prop name="label">MA-1(a)(1)</prop>
-                  <part id="ma-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system maintenance policy that addresses:</p>
-                     <part id="ma-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ma-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system maintenance policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MA-1(a)(1)[3]</prop>
-                     <p>disseminates the system maintenance policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ma-1.a.2_obj" name="objective">
-                  <prop name="label">MA-1(a)(2)</prop>
-                  <part id="ma-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        maintenance policy and associated system maintenance controls;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-1.b_obj" name="objective">
-               <prop name="label">MA-1(b)</prop>
-               <part id="ma-1.b.1_obj" name="objective">
-                  <prop name="label">MA-1(b)(1)</prop>
-                  <part id="ma-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        policy;</p>
-                  </part>
-                  <part id="ma-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system maintenance policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ma-1.b.2_obj" name="objective">
-                  <prop name="label">MA-1(b)(2)</prop>
-                  <part id="ma-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        procedures; and</p>
-                  </part>
-                  <part id="ma-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system maintenance procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Maintenance policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-2">
-         <title>Controlled Maintenance</title>
-         <param id="ma-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-2_prm_2">
-            <label>organization-defined maintenance-related information</label>
-         </param>
-         <prop name="label">MA-2</prop>
-         <prop name="sort-id">ma-02</prop>
-         <part id="ma-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Schedules, performs, documents, and reviews records of maintenance and repairs on
-                  information system components in accordance with manufacturer or vendor
-                  specifications and/or organizational requirements;</p>
-            </part>
-            <part id="ma-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Approves and monitors all maintenance activities, whether performed on site or
-                  remotely and whether the equipment is serviced on site or removed to another
-                  location;</p>
-            </part>
-            <part id="ma-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Requires that <insert param-id="ma-2_prm_1"/> explicitly approve the removal of
-                  the information system or system components from organizational facilities for
-                  off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions; and</p>
-            </part>
-            <part id="ma-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Includes <insert param-id="ma-2_prm_2"/> in organizational maintenance
-                  records.</p>
-            </part>
-         </part>
-         <part id="ma-2_gdn" name="guidance">
-            <p>This control addresses the information security aspects of the information system
-               maintenance program and applies to all types of maintenance to any system component
-               (including applications) conducted by any local or nonlocal entity (e.g.,
-               in-contract, warranty, in-house, software maintenance agreement). System maintenance
-               also includes those components not directly associated with information processing
-               and/or data/information retention such as scanners, copiers, and printers.
-               Information necessary for creating effective maintenance records includes, for
-               example: (i) date and time of maintenance; (ii) name of individuals or group
-               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-               the maintenance performed; and (v) information system components/equipment removed or
-               replaced (including identification numbers, if applicable). The level of detail
-               included in maintenance records can be informed by the security categories of
-               organizational information systems. Organizations consider supply chain issues
-               associated with replacement components for information systems.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ma-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-2.a_obj" name="objective">
-               <prop name="label">MA-2(a)</prop>
-               <part id="ma-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(a)[1]</prop>
-                  <p>schedules maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.1.a" name="objective">
-                     <prop name="label">MA-2(a)[1][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.1.b" name="objective">
-                     <prop name="label">MA-2(a)[1][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(a)[2]</prop>
-                  <p>performs maintenance and repairs on information system components in accordance
-                     with:</p>
-                  <part id="ma-2.a_obj.2.a" name="objective">
-                     <prop name="label">MA-2(a)[2][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.2.b" name="objective">
-                     <prop name="label">MA-2(a)[2][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(a)[3]</prop>
-                  <p>documents maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.3.a" name="objective">
-                     <prop name="label">MA-2(a)[3][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.3.b" name="objective">
-                     <prop name="label">MA-2(a)[3][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(a)[4]</prop>
-                  <p>reviews records of maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.4.a" name="objective">
-                     <prop name="label">MA-2(a)[4][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.4.b" name="objective">
-                     <prop name="label">MA-2(a)[4][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-2.b_obj" name="objective">
-               <prop name="label">MA-2(b)</prop>
-               <part id="ma-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(b)[1]</prop>
-                  <p>approves all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-               <part id="ma-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-2(b)[2]</prop>
-                  <p>monitors all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-            </part>
-            <part id="ma-2.c_obj" name="objective">
-               <prop name="label">MA-2(c)</prop>
-               <part id="ma-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(c)[1]</prop>
-                  <p>defines personnel or roles required to explicitly approve the removal of the
-                     information system or system components from organizational facilities for
-                     off-site maintenance or repairs;</p>
-               </part>
-               <part id="ma-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(c)[2]</prop>
-                  <p>requires that organization-defined personnel or roles explicitly approve the
-                     removal of the information system or system components from organizational
-                     facilities for off-site maintenance or repairs;</p>
-               </part>
-            </part>
-            <part id="ma-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-2(d)</prop>
-               <p>sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-2(e)</prop>
-               <p>checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions;</p>
-            </part>
-            <part id="ma-2.f_obj" name="objective">
-               <prop name="label">MA-2(f)</prop>
-               <part id="ma-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(f)[1]</prop>
-                  <p>defines maintenance-related information to be included in organizational
-                     maintenance records; and</p>
-               </part>
-               <part id="ma-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(f)[2]</prop>
-                  <p>includes organization-defined maintenance-related information in organizational
-                     maintenance records.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing controlled information system maintenance</p>
-               <p>maintenance records</p>
-               <p>manufacturer/vendor maintenance specifications</p>
-               <p>equipment sanitization records</p>
-               <p>media sanitization records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel responsible for media sanitization</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for scheduling, performing, documenting, reviewing,
-                  approving, and monitoring maintenance and repairs for the information system</p>
-               <p>organizational processes for sanitizing information system components</p>
-               <p>automated mechanisms supporting and/or implementing controlled maintenance</p>
-               <p>automated mechanisms implementing sanitization of information system
-                  components</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-2.2">
-            <title>Automated Maintenance Activities</title>
-            <prop name="label">MA-2(2)</prop>
-            <prop name="sort-id">ma-02.02</prop>
-            <part id="ma-2.2_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-2.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs automated mechanisms to schedule, conduct, and document maintenance and
-                     repairs; and</p>
-               </part>
-               <part id="ma-2.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Produces up-to date, accurate, and complete records of all maintenance and
-                     repair actions requested, scheduled, in process, and completed.</p>
-               </part>
-            </part>
-            <part id="ma-2.2_gdn" name="guidance">
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#ma-3">MA-3</link>
-            </part>
-            <part id="ma-2.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-2.2.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(2)(a)</prop>
-                  <p>employs automated mechanisms to:</p>
-                  <part id="ma-2.2.a_obj.1" name="objective">
-                     <prop name="label">MA-2(2)(a)[1]</prop>
-                     <p>schedule maintenance and repairs;</p>
-                  </part>
-                  <part id="ma-2.2.a_obj.2" name="objective">
-                     <prop name="label">MA-2(2)(a)[2]</prop>
-                     <p>conduct maintenance and repairs;</p>
-                  </part>
-                  <part id="ma-2.2.a_obj.3" name="objective">
-                     <prop name="label">MA-2(2)(a)[3]</prop>
-                     <p>document maintenance and repairs;</p>
-                  </part>
-                  <link rel="corresp" href="#ma-2.2_smt.a">MA-2(2)(a)</link>
-               </part>
-               <part id="ma-2.2.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-2(2)(b)</prop>
-                  <p>produces up-to-date, accurate, and complete records of all maintenance and
-                     repair actions:</p>
-                  <part id="ma-2.2.b_obj.1" name="objective">
-                     <prop name="label">MA-2(2)(b)[1]</prop>
-                     <p>requested;</p>
-                  </part>
-                  <part id="ma-2.2.b_obj.2" name="objective">
-                     <prop name="label">MA-2(2)(b)[2]</prop>
-                     <p>scheduled;</p>
-                  </part>
-                  <part id="ma-2.2.b_obj.3" name="objective">
-                     <prop name="label">MA-2(2)(b)[3]</prop>
-                     <p>in process; and</p>
-                  </part>
-                  <part id="ma-2.2.b_obj.4" name="objective">
-                     <prop name="label">MA-2(2)(b)[4]</prop>
-                     <p>completed.</p>
-                  </part>
-                  <link rel="corresp" href="#ma-2.2_smt.b">MA-2(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing controlled information system maintenance</p>
-                  <p>automated mechanisms supporting information system maintenance activities</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing controlled maintenance</p>
-                  <p>automated mechanisms supporting and/or implementing production of records of
-                     maintenance and repair actions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-3">
-         <title>Maintenance Tools</title>
-         <prop name="label">MA-3</prop>
-         <prop name="sort-id">ma-03</prop>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <part id="ma-3_smt" name="statement">
-            <p>The organization approves, controls, and monitors information system maintenance
-               tools.</p>
-         </part>
-         <part id="ma-3_gdn" name="guidance">
-            <p>This control addresses security-related issues associated with maintenance tools used
-               specifically for diagnostic and repair actions on organizational information systems.
-               Maintenance tools can include hardware, software, and firmware items. Maintenance
-               tools are potential vehicles for transporting malicious code, either intentionally or
-               unintentionally, into a facility and subsequently into organizational information
-               systems. Maintenance tools can include, for example, hardware/software diagnostic
-               test equipment and hardware/software packet sniffers. This control does not cover
-               hardware/software components that may support information system maintenance, yet are
-               a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,
-               or the hardware and software implementing the monitoring port of an Ethernet
-               switch.</p>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="ma-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-3_obj.1" name="objective">
-               <prop name="label">MA-3[1]</prop>
-               <p>approves information system maintenance tools;</p>
-            </part>
-            <part id="ma-3_obj.2" name="objective">
-               <prop name="label">MA-3[2]</prop>
-               <p>controls information system maintenance tools; and</p>
-            </part>
-            <part id="ma-3_obj.3" name="objective">
-               <prop name="label">MA-3[3]</prop>
-               <p>monitors information system maintenance tools.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing information system maintenance tools</p>
-               <p>information system maintenance tools and associated documentation</p>
-               <p>maintenance records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for approving, controlling, and monitoring maintenance
-                  tools</p>
-               <p>automated mechanisms supporting and/or implementing approval, control, and/or
-                  monitoring of maintenance tools</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-3.1">
-            <title>Inspect Tools</title>
-            <prop name="label">MA-3(1)</prop>
-            <prop name="sort-id">ma-03.01</prop>
-            <part id="ma-3.1_smt" name="statement">
-               <p>The organization inspects the maintenance tools carried into a facility by
-                  maintenance personnel for improper or unauthorized modifications.</p>
-            </part>
-            <part id="ma-3.1_gdn" name="guidance">
-               <p>If, upon inspection of maintenance tools, organizations determine that the tools
-                  have been modified in an improper/unauthorized manner or contain malicious code,
-                  the incident is handled consistent with organizational policies and procedures for
-                  incident handling.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ma-3.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization inspects the maintenance tools carried into a
-                  facility by maintenance personnel for improper or unauthorized modifications. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance tool inspection records</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for inspecting maintenance tools</p>
-                  <p>automated mechanisms supporting and/or implementing inspection of maintenance
-                     tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.2">
-            <title>Inspect Media</title>
-            <prop name="label">MA-3(2)</prop>
-            <prop name="sort-id">ma-03.02</prop>
-            <part id="ma-3.2_smt" name="statement">
-               <p>The organization checks media containing diagnostic and test programs for
-                  malicious code before the media are used in the information system.</p>
-            </part>
-            <part id="ma-3.2_gdn" name="guidance">
-               <p>If, upon inspection of media containing maintenance diagnostic and test programs,
-                  organizations determine that the media contain malicious code, the incident is
-                  handled consistent with organizational incident handling policies and
-                  procedures.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="ma-3.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization checks media containing diagnostic and test programs
-                  for malicious code before the media are used in the information system. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for inspecting media for malicious code</p>
-                  <p>automated mechanisms supporting and/or implementing inspection of media used
-                     for maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.3">
-            <title>Prevent Unauthorized Removal</title>
-            <param id="ma-3.3_prm_1">
-               <label>organization-defined personnel or roles</label>
-               <constraint>the information owner explicitly authorizing removal of the equipment from the facility</constraint>
-            </param>
-            <prop name="label">MA-3(3)</prop>
-            <prop name="sort-id">ma-03.03</prop>
-            <part id="ma-3.3_smt" name="statement">
-               <p>The organization prevents the unauthorized removal of maintenance equipment
-                  containing organizational information by:</p>
-               <part id="ma-3.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Verifying that there is no organizational information contained on the
-                     equipment;</p>
-               </part>
-               <part id="ma-3.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Sanitizing or destroying the equipment;</p>
-               </part>
-               <part id="ma-3.3_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Retaining the equipment within the facility; or</p>
-               </part>
-               <part id="ma-3.3_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Obtaining an exemption from <insert param-id="ma-3.3_prm_1"/> explicitly
-                     authorizing removal of the equipment from the facility.</p>
-               </part>
-            </part>
-            <part id="ma-3.3_gdn" name="guidance">
-               <p>Organizational information includes all information specifically owned by
-                  organizations and information provided to organizations in which organizations
-                  serve as information stewards.</p>
-            </part>
-            <part id="ma-3.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization prevents the unauthorized removal of maintenance
-                  equipment containing organizational information by: </p>
-               <part id="ma-3.3.a_obj" name="objective">
-                  <prop name="label">MA-3(3)(a)</prop>
-                  <p>verifying that there is no organizational information contained on the
-                     equipment;</p>
-                  <link rel="corresp" href="#ma-3.3_smt.a">MA-3(3)(a)</link>
-               </part>
-               <part id="ma-3.3.b_obj" name="objective">
-                  <prop name="label">MA-3(3)(b)</prop>
-                  <p>sanitizing or destroying the equipment;</p>
-                  <link rel="corresp" href="#ma-3.3_smt.b">MA-3(3)(b)</link>
-               </part>
-               <part id="ma-3.3.c_obj" name="objective">
-                  <prop name="label">MA-3(3)(c)</prop>
-                  <p>retaining the equipment within the facility; or</p>
-                  <link rel="corresp" href="#ma-3.3_smt.c">MA-3(3)(c)</link>
-               </part>
-               <part id="ma-3.3.d_obj" name="objective">
-                  <prop name="label">MA-3(3)(d)</prop>
-                  <part id="ma-3.3.d_obj.1" name="objective">
-                     <prop name="label">MA-3(3)(d)[1]</prop>
-                     <p>defining personnel or roles that can grant an exemption from explicitly
-                        authorizing removal of the equipment from the facility; and</p>
-                  </part>
-                  <part id="ma-3.3.d_obj.2" name="objective">
-                     <prop name="label">MA-3(3)(d)[2]</prop>
-                     <p>obtaining an exemption from organization-defined personnel or roles
-                        explicitly authorizing removal of the equipment from the facility.</p>
-                  </part>
-                  <link rel="corresp" href="#ma-3.3_smt.d">MA-3(3)(d)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>equipment sanitization records</p>
-                  <p>media sanitization records</p>
-                  <p>exemptions for equipment removal</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsible for media sanitization</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for preventing unauthorized removal of information</p>
-                  <p>automated mechanisms supporting media sanitization or destruction of
-                     equipment</p>
-                  <p>automated mechanisms supporting verification of media sanitization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-4">
-         <title>Nonlocal Maintenance</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MA-4</prop>
-         <prop name="sort-id">ma-04</prop>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#f2dbd4ec-c413-4714-b85b-6b7184d1c195" rel="reference">FIPS Publication 197</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a4aa9645-9a8a-4b51-90a9-e223250f9a75" rel="reference">CNSS Policy 15</link>
-         <part id="ma-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Approves and monitors nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                  with organizational policy and documented in the security plan for the information
-                  system;</p>
-            </part>
-            <part id="ma-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Maintains records for nonlocal maintenance and diagnostic activities; and</p>
-            </part>
-            <part id="ma-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Terminates session and network connections when nonlocal maintenance is
-                  completed.</p>
-            </part>
-         </part>
-         <part id="ma-4_gdn" name="guidance">
-            <p>Nonlocal maintenance and diagnostic activities are those activities conducted by
-               individuals communicating through a network, either an external network (e.g., the
-               Internet) or an internal network. Local maintenance and diagnostic activities are
-               those activities carried out by individuals physically present at the information
-               system or information system component and not communicating across a network
-               connection. Authentication techniques used in the establishment of nonlocal
-               maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-               Typically, strong authentication requires authenticators that are resistant to replay
-               attacks and employ multifactor authentication. Strong authenticators include, for
-               example, PKI where certificates are stored on a token protected by a password,
-               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-               other controls.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="ma-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-4.a_obj" name="objective">
-               <prop name="label">MA-4(a)</prop>
-               <part id="ma-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-4(a)[1]</prop>
-                  <p>approves nonlocal maintenance and diagnostic activities;</p>
-               </part>
-               <part id="ma-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(a)[2]</prop>
-                  <p>monitors nonlocal maintenance and diagnostic activities;</p>
-               </part>
-            </part>
-            <part id="ma-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-4(b)</prop>
-               <p>allows the use of nonlocal maintenance and diagnostic tools only:</p>
-               <part id="ma-4.b_obj.1" name="objective">
-                  <prop name="label">MA-4(b)[1]</prop>
-                  <p>as consistent with organizational policy;</p>
-               </part>
-               <part id="ma-4.b_obj.2" name="objective">
-                  <prop name="label">MA-4(b)[2]</prop>
-                  <p>as documented in the security plan for the information system;</p>
-               </part>
-            </part>
-            <part id="ma-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-4(c)</prop>
-               <p>employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-4(d)</prop>
-               <p>maintains records for nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4.e_obj" name="objective">
-               <prop name="label">MA-4(e)</prop>
-               <part id="ma-4.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(e)[1]</prop>
-                  <p>terminates sessions when nonlocal maintenance or diagnostics is completed;
-                     and</p>
-               </part>
-               <part id="ma-4.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(e)[2]</prop>
-                  <p>terminates network connections when nonlocal maintenance or diagnostics is
-                     completed.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing nonlocal information system maintenance</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>maintenance records</p>
-               <p>diagnostic records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing nonlocal maintenance</p>
-               <p>automated mechanisms implementing, supporting, and/or managing nonlocal
-                  maintenance</p>
-               <p>automated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                  sessions</p>
-               <p>automated mechanisms for terminating nonlocal maintenance sessions and network
-                  connections</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-4.2">
-            <title>Document Nonlocal Maintenance</title>
-            <prop name="label">MA-4(2)</prop>
-            <prop name="sort-id">ma-04.02</prop>
-            <part id="ma-4.2_smt" name="statement">
-               <p>The organization documents in the security plan for the information system, the
-                  policies and procedures for the establishment and use of nonlocal maintenance and
-                  diagnostic connections.</p>
-            </part>
-            <part id="ma-4.2_obj" name="objective">
-               <p>Determine if the organization documents in the security plan for the information
-                  system: </p>
-               <part id="ma-4.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-4(2)[1]</prop>
-                  <p>the policies for the establishment and use of nonlocal maintenance and
-                     diagnostic connections; and</p>
-               </part>
-               <part id="ma-4.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-4(2)[2]</prop>
-                  <p>the procedures for the establishment and use of nonlocal maintenance and
-                     diagnostic connections.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing non-local information system maintenance</p>
-                  <p>security plan</p>
-                  <p>maintenance records</p>
-                  <p>diagnostic records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.3">
-            <title>Comparable Security / Sanitization</title>
-            <prop name="label">MA-4(3)</prop>
-            <prop name="sort-id">ma-04.03</prop>
-            <part id="ma-4.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-4.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Requires that nonlocal maintenance and diagnostic services be performed from an
-                     information system that implements a security capability comparable to the
-                     capability implemented on the system being serviced; or</p>
-               </part>
-               <part id="ma-4.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Removes the component to be serviced from the information system prior to
-                     nonlocal maintenance or diagnostic services, sanitizes the component (with
-                     regard to organizational information) before removal from organizational
-                     facilities, and after the service is performed, inspects and sanitizes the
-                     component (with regard to potentially malicious software) before reconnecting
-                     the component to the information system.</p>
-               </part>
-            </part>
-            <part id="ma-4.3_gdn" name="guidance">
-               <p>Comparable security capability on information systems, diagnostic tools, and
-                  equipment providing maintenance services implies that the implemented security
-                  controls on those systems, tools, and equipment are at least as comprehensive as
-                  the controls on the information system being serviced.</p>
-               <link rel="related" href="#ma-3">MA-3</link>
-               <link rel="related" href="#sa-12">SA-12</link>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ma-4.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-4.3.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-4(3)(a)</prop>
-                  <p>requires that nonlocal maintenance and diagnostic services be performed from an
-                     information system that implements a security capability comparable to the
-                     capability implemented on the system being serviced; or</p>
-                  <link rel="corresp" href="#ma-4.3_smt.a">MA-4(3)(a)</link>
-               </part>
-               <part id="ma-4.3.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(3)(b)</prop>
-                  <part id="ma-4.3.b_obj.1" name="objective">
-                     <prop name="label">MA-4(3)(b)[1]</prop>
-                     <p>removes the component to be serviced from the information system;</p>
-                  </part>
-                  <part id="ma-4.3.b_obj.2" name="objective">
-                     <prop name="label">MA-4(3)(b)[2]</prop>
-                     <p>sanitizes the component (with regard to organizational information) prior to
-                        nonlocal maintenance or diagnostic services and/or before removal from
-                        organizational facilities; and</p>
-                  </part>
-                  <part id="ma-4.3.b_obj.3" name="objective">
-                     <prop name="label">MA-4(3)(b)[3]</prop>
-                     <p>inspects and sanitizes the component (with regard to potentially malicious
-                        software) after service is performed on the component and before
-                        reconnecting the component to the information system.</p>
-                  </part>
-                  <link rel="corresp" href="#ma-4.3_smt.b">MA-4(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing nonlocal information system maintenance</p>
-                  <p>service provider contracts and/or service-level agreements</p>
-                  <p>maintenance records</p>
-                  <p>inspection records</p>
-                  <p>audit records</p>
-                  <p>equipment sanitization records</p>
-                  <p>media sanitization records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>information system maintenance provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsible for media sanitization</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for comparable security and sanitization for nonlocal
-                     maintenance</p>
-                  <p>organizational processes for removal, sanitization, and inspection of
-                     components serviced via nonlocal maintenance</p>
-                  <p>automated mechanisms supporting and/or implementing component sanitization and
-                     inspection</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.6">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MA-4(6)</prop>
-            <prop name="sort-id">ma-04.06</prop>
-            <part id="ma-4.6_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  integrity and confidentiality of nonlocal maintenance and diagnostic
-                  communications.</p>
-            </part>
-            <part id="ma-4.6_gdn" name="guidance">
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ma-4.6_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements cryptographic mechanisms to protect
-                  the integrity and confidentiality of nonlocal maintenance and diagnostic
-                  communications. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing non-local information system maintenance</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms protecting nonlocal maintenance activities</p>
-                  <p>maintenance records</p>
-                  <p>diagnostic records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>network engineers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting nonlocal maintenance and diagnostic
-                     communications</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-5">
-         <title>Maintenance Personnel</title>
-         <prop name="label">MA-5</prop>
-         <prop name="sort-id">ma-05</prop>
-         <part id="ma-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes a process for maintenance personnel authorization and maintains a list
-                  of authorized maintenance organizations or personnel;</p>
-            </part>
-            <part id="ma-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part id="ma-5_gdn" name="guidance">
-            <p>This control applies to individuals performing hardware or software maintenance on
-               organizational information systems, while PE-2 addresses physical access for
-               individuals whose maintenance duties place them within the physical protection
-               perimeter of the systems (e.g., custodial staff, physical plant maintenance
-               personnel). Technical competence of supervising individuals relates to the
-               maintenance performed on the information systems while having required access
-               authorizations refers to maintenance on and near the systems. Individuals not
-               previously identified as authorized maintenance personnel, such as information
-               technology manufacturers, vendors, systems integrators, and consultants, may require
-               privileged access to organizational information systems, for example, when required
-               to conduct maintenance activities with little or no notice. Based on organizational
-               assessments of risk, organizations may issue temporary credentials to these
-               individuals. Temporary credentials may be for one-time use or for very limited time
-               periods.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="ma-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-5.a_obj" name="objective">
-               <prop name="label">MA-5(a)</prop>
-               <part id="ma-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-5(a)[1]</prop>
-                  <p>establishes a process for maintenance personnel authorization;</p>
-               </part>
-               <part id="ma-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-5(a)[2]</prop>
-                  <p>maintains a list of authorized maintenance organizations or personnel;</p>
-               </part>
-            </part>
-            <part id="ma-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-5(b)</prop>
-               <p>ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-5(c)</prop>
-               <p>designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing maintenance personnel</p>
-               <p>service provider contracts</p>
-               <p>service-level agreements</p>
-               <p>list of authorized personnel</p>
-               <p>maintenance records</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for authorizing and managing maintenance personnel</p>
-               <p>automated mechanisms supporting and/or implementing authorization of maintenance
-                  personnel</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-5.1">
-            <title>Individuals Without Appropriate Access</title>
-            <prop name="label">MA-5(1)</prop>
-            <prop name="sort-id">ma-05.01</prop>
-            <part id="ma-5.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Implements procedures for the use of maintenance personnel that lack
-                     appropriate security clearances or are not U.S. citizens, that include the
-                     following requirements:</p>
-                  <part id="ma-5.1_smt.a.1" name="item">
-                     <prop name="label">(1)</prop>
-                     <p>Maintenance personnel who do not have needed access authorizations,
-                        clearances, or formal access approvals are escorted and supervised during
-                        the performance of maintenance and diagnostic activities on the information
-                        system by approved organizational personnel who are fully cleared, have
-                        appropriate access authorizations, and are technically qualified;</p>
-                  </part>
-                  <part id="ma-5.1_smt.a.2" name="item">
-                     <prop name="label">(2)</prop>
-                     <p>Prior to initiating maintenance or diagnostic activities by personnel who do
-                        not have needed access authorizations, clearances or formal access
-                        approvals, all volatile information storage components within the
-                        information system are sanitized and all nonvolatile storage media are
-                        removed or physically disconnected from the system and secured; and</p>
-                  </part>
-               </part>
-               <part id="ma-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Develops and implements alternate security safeguards in the event an
-                     information system component cannot be sanitized, removed, or disconnected from
-                     the system.</p>
-               </part>
-            </part>
-            <part id="ma-5.1_gdn" name="guidance">
-               <p>This control enhancement denies individuals who lack appropriate security
-                  clearances (i.e., individuals who do not possess security clearances or possess
-                  security clearances at a lower level than required) or who are not U.S. citizens,
-                  visual and electronic access to any classified information, Controlled
-                  Unclassified Information (CUI), or any other sensitive information contained on
-                  organizational information systems. Procedures for the use of maintenance
-                  personnel can be documented in security plans for the information systems.</p>
-               <link rel="related" href="#mp-6">MP-6</link>
-               <link rel="related" href="#pl-2">PL-2</link>
-            </part>
-            <part id="ma-5.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-5.1.a_obj" name="objective">
-                  <prop name="label">MA-5(1)(a)</prop>
-                  <p>implements procedures for the use of maintenance personnel that lack
-                     appropriate security clearances or are not U.S. citizens, that include the
-                     following requirements:</p>
-                  <part id="ma-5.1.a.1_obj" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">MA-5(1)(a)(1)</prop>
-                     <p>maintenance personnel who do not have needed access authorizations,
-                        clearances, or formal access approvals are escorted and supervised during
-                        the performance of maintenance and diagnostic activities on the information
-                        system by approved organizational personnel who:</p>
-                     <part id="ma-5.1.a.1_obj.1" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[1]</prop>
-                        <p>are fully cleared;</p>
-                     </part>
-                     <part id="ma-5.1.a.1_obj.2" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[2]</prop>
-                        <p>have appropriate access authorizations;</p>
-                     </part>
-                     <part id="ma-5.1.a.1_obj.3" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[3]</prop>
-                        <p>are technically qualified;</p>
-                     </part>
-                     <link rel="corresp" href="#ma-5.1_smt.a.1">MA-5(1)(a)(1)</link>
-                  </part>
-                  <part id="ma-5.1.a.2_obj" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">MA-5(1)(a)(2)</prop>
-                     <p>prior to initiating maintenance or diagnostic activities by personnel who do
-                        not have needed access authorizations, clearances, or formal access
-                        approvals:</p>
-                     <part id="ma-5.1.a.2_obj.1" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[1]</prop>
-                        <p>all volatile information storage components within the information system
-                           are sanitized; and</p>
-                     </part>
-                     <part id="ma-5.1.a.2_obj.2" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[2]</prop>
-                        <p>all nonvolatile storage media are removed; or</p>
-                     </part>
-                     <part id="ma-5.1.a.2_obj.3" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[3]</prop>
-                        <p>all nonvolatile storage media are physically disconnected from the system
-                           and secured; and</p>
-                     </part>
-                     <link rel="corresp" href="#ma-5.1_smt.a.2">MA-5(1)(a)(2)</link>
-                  </part>
-                  <link rel="corresp" href="#ma-5.1_smt.a">MA-5(1)(a)</link>
-               </part>
-               <part id="ma-5.1.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-5(1)(b)</prop>
-                  <p>develops and implements alternative security safeguards in the event an
-                     information system component cannot be sanitized, removed, or disconnected from
-                     the system.</p>
-                  <link rel="corresp" href="#ma-5.1_smt.b">MA-5(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing maintenance personnel</p>
-                  <p>information system media protection policy</p>
-                  <p>physical and environmental protection policy</p>
-                  <p>security plan</p>
-                  <p>list of maintenance personnel requiring escort/supervision</p>
-                  <p>maintenance records</p>
-                  <p>access control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsible for media sanitization</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing maintenance personnel without appropriate
-                     access</p>
-                  <p>automated mechanisms supporting and/or implementing alternative security
-                     safeguards</p>
-                  <p>automated mechanisms supporting and/or implementing information storage
-                     component sanitization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-6">
-         <title>Timely Maintenance</title>
-         <param id="ma-6_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="ma-6_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">MA-6</prop>
-         <prop name="sort-id">ma-06</prop>
-         <part id="ma-6_smt" name="statement">
-            <p>The organization obtains maintenance support and/or spare parts for <insert param-id="ma-6_prm_1"/> within <insert param-id="ma-6_prm_2"/> of failure.</p>
-         </part>
-         <part id="ma-6_gdn" name="guidance">
-            <p>Organizations specify the information system components that result in increased risk
-               to organizational operations and assets, individuals, other organizations, or the
-               Nation when the functionality provided by those components is not operational.
-               Organizational actions to obtain maintenance support typically include having
-               appropriate contracts in place.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#sa-14">SA-14</link>
-            <link rel="related" href="#sa-15">SA-15</link>
-         </part>
-         <part id="ma-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-6_obj.1" name="objective">
-               <prop name="label">MA-6[1]</prop>
-               <p>defines information system components for which maintenance support and/or spare
-                  parts are to be obtained;</p>
-            </part>
-            <part id="ma-6_obj.2" name="objective">
-               <prop name="label">MA-6[2]</prop>
-               <p>defines the time period within which maintenance support and/or spare parts are to
-                  be obtained after a failure;</p>
-            </part>
-            <part id="ma-6_obj.3" name="objective">
-               <prop name="label">MA-6[3]</prop>
-               <part id="ma-6_obj.3.a" name="objective">
-                  <prop name="label">MA-6[3][a]</prop>
-                  <p>obtains maintenance support for organization-defined information system
-                     components within the organization-defined time period of failure; and/or</p>
-               </part>
-               <part id="ma-6_obj.3.b" name="objective">
-                  <prop name="label">MA-6[3][b]</prop>
-                  <p>obtains spare parts for organization-defined information system components
-                     within the organization-defined time period of failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing information system maintenance</p>
-               <p>service provider contracts</p>
-               <p>service-level agreements</p>
-               <p>inventory and availability of spare parts</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for ensuring timely maintenance</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="mp">
-      <title>Media Protection</title>
-      <control class="SP800-53" id="mp-1">
-         <title>Media Protection Policy and Procedures</title>
-         <param id="mp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="mp-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="mp-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MP-1</prop>
-         <prop name="sort-id">mp-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="mp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="mp-1_prm_1"/>:</p>
-               <part id="mp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A media protection policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="mp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the media protection policy and
-                     associated media protection controls; and</p>
-               </part>
-            </part>
-            <part id="mp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="mp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Media protection policy <insert param-id="mp-1_prm_2"/>; and</p>
-               </part>
-               <part id="mp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Media protection procedures <insert param-id="mp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="mp-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="mp-1.a_obj" name="objective">
-               <prop name="label">MP-1(a)</prop>
-               <part id="mp-1.a.1_obj" name="objective">
-                  <prop name="label">MP-1(a)(1)</prop>
-                  <part id="mp-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(1)[1]</prop>
-                     <p>develops and documents a media protection policy that addresses:</p>
-                     <part id="mp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="mp-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the media protection policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MP-1(a)(1)[3]</prop>
-                     <p>disseminates the media protection policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="mp-1.a.2_obj" name="objective">
-                  <prop name="label">MP-1(a)(2)</prop>
-                  <part id="mp-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        media protection policy and associated media protection controls;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MP-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="mp-1.b_obj" name="objective">
-               <prop name="label">MP-1(b)</prop>
-               <part id="mp-1.b.1_obj" name="objective">
-                  <prop name="label">MP-1(b)(1)</prop>
-                  <part id="mp-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        policy;</p>
-                  </part>
-                  <part id="mp-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current media protection policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="mp-1.b.2_obj" name="objective">
-                  <prop name="label">MP-1(b)(2)</prop>
-                  <part id="mp-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        procedures; and</p>
-                  </part>
-                  <part id="mp-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current media protection procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Media protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media protection responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-2">
-         <title>Media Access</title>
-         <param id="mp-2_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-            <constraint>any digital and non-digital media deemed sensitive</constraint>
-         </param>
-         <param id="mp-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">MP-2</prop>
-         <prop name="sort-id">mp-02</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-2_smt" name="statement">
-            <p>The organization restricts access to <insert param-id="mp-2_prm_1"/> to <insert param-id="mp-2_prm_2"/>.</p>
-         </part>
-         <part id="mp-2_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Restricting non-digital media access
-               includes, for example, denying access to patient medical records in a community
-               hospital unless the individuals seeking access to such records are authorized
-               healthcare providers. Restricting access to digital media includes, for example,
-               limiting access to design specifications stored on compact disks in the media library
-               to the project leader and the individuals on the development team.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="mp-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-2_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-2[1]</prop>
-               <p>defines types of digital and/or non-digital media requiring restricted access;</p>
-            </part>
-            <part id="mp-2_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-2[2]</prop>
-               <p>defines personnel or roles authorized to access organization-defined types of
-                  digital and/or non-digital media; and</p>
-            </part>
-            <part id="mp-2_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-2[3]</prop>
-               <p>restricts access to organization-defined types of digital and/or non-digital media
-                  to organization-defined personnel or roles.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media access restrictions</p>
-               <p>access control policy and procedures</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>media storage facilities</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for restricting information media</p>
-               <p>automated mechanisms supporting and/or implementing media access restrictions</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-3">
-         <title>Media Marking</title>
-         <param id="mp-3_prm_1">
-            <label>organization-defined types of information system media</label>
-            <constraint>no removable media types</constraint>
-         </param>
-         <param id="mp-3_prm_2">
-            <label>organization-defined controlled areas</label>
-            <constraint>organization-defined security safeguards not applicable</constraint>
-         </param>
-         <prop name="label">MP-3</prop>
-         <prop name="sort-id">mp-03</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="mp-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Marks information system media indicating the distribution limitations, handling
-                  caveats, and applicable security markings (if any) of the information; and</p>
-            </part>
-            <part id="mp-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Exempts <insert param-id="mp-3_prm_1"/> from marking as long as the media remain
-                  within <insert param-id="mp-3_prm_2"/>.</p>
-            </part>
-            <part id="mp-3_fr" name="item">
-               <title>MP-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-3_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Second parameter not-applicable</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-3_gdn" name="guidance">
-            <p>The term security marking refers to the application/use of human-readable security
-               attributes. The term security labeling refers to the application/use of security
-               attributes with regard to internal data structures within information systems (see
-               AC-16). Information system media includes both digital and non-digital media. Digital
-               media includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Security marking is generally not
-               required for media containing information determined by organizations to be in the
-               public domain or to be publicly releasable. However, some organizations may require
-               markings for public information indicating that the information is publicly
-               releasable. Marking of information system media reflects applicable federal laws,
-               Executive Orders, directives, policies, regulations, standards, and guidance.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="mp-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-3(a)</prop>
-               <p>marks information system media indicating the:</p>
-               <part id="mp-3.a_obj.1" name="objective">
-                  <prop name="label">MP-3(a)[1]</prop>
-                  <p>distribution limitations of the information;</p>
-               </part>
-               <part id="mp-3.a_obj.2" name="objective">
-                  <prop name="label">MP-3(a)[2]</prop>
-                  <p>handling caveats of the information;</p>
-               </part>
-               <part id="mp-3.a_obj.3" name="objective">
-                  <prop name="label">MP-3(a)[3]</prop>
-                  <p>applicable security markings (if any) of the information;</p>
-               </part>
-            </part>
-            <part id="mp-3.b_obj" name="objective">
-               <prop name="label">MP-3(b)</prop>
-               <part id="mp-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-3(b)[1]</prop>
-                  <p>defines types of information system media to be exempted from marking as long
-                     as the media remain in designated controlled areas;</p>
-               </part>
-               <part id="mp-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-3(b)[2]</prop>
-                  <p>defines controlled areas where organization-defined types of information system
-                     media exempt from marking are to be retained; and</p>
-               </part>
-               <part id="mp-3.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-3(b)[3]</prop>
-                  <p>exempts organization-defined types of information system media from marking as
-                     long as the media remain within organization-defined controlled areas.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media marking</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>security plan</p>
-               <p>list of information system media marking security attributes</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and marking
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for marking information media</p>
-               <p>automated mechanisms supporting and/or implementing media marking</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-4">
-         <title>Media Storage</title>
-         <param id="mp-4_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-            <constraint>all types of digital and non-digital media with sensitive information</constraint>
-         </param>
-         <param id="mp-4_prm_2">
-            <label>organization-defined controlled areas</label>
-            <constraint>see additional FedRAMP requirements and guidance</constraint>
-         </param>
-         <prop name="label">MP-4</prop>
-         <prop name="sort-id">mp-04</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Physically controls and securely stores <insert param-id="mp-4_prm_1"/> within
-                     <insert param-id="mp-4_prm_2"/>; and</p>
-            </part>
-            <part id="mp-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Protects information system media until the media are destroyed or sanitized using
-                  approved equipment, techniques, and procedures.</p>
-            </part>
-            <part id="mp-4_fr" name="item">
-               <title>MP-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-4_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines controlled areas within facilities where the information and information system reside.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-4_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Physically controlling information system
-               media includes, for example, conducting inventories, ensuring procedures are in place
-               to allow individuals to check out and return media to the media library, and
-               maintaining accountability for all stored media. Secure storage includes, for
-               example, a locked drawer, desk, or cabinet, or a controlled media library. The type
-               of media storage is commensurate with the security category and/or classification of
-               the information residing on the media. Controlled areas are areas for which
-               organizations provide sufficient physical and procedural safeguards to meet the
-               requirements established for protecting information and/or information systems. For
-               media containing information determined by organizations to be in the public domain,
-               to be publicly releasable, or to have limited or no adverse impact on organizations
-               or individuals if accessed by other than authorized personnel, fewer safeguards may
-               be needed. In these situations, physical access controls provide adequate
-               protection.</p>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="mp-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-4.a_obj" name="objective">
-               <prop name="label">MP-4(a)</prop>
-               <part id="mp-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-4(a)[1]</prop>
-                  <p>defines types of digital and/or non-digital media to be physically controlled
-                     and securely stored within designated controlled areas;</p>
-               </part>
-               <part id="mp-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-4(a)[2]</prop>
-                  <p>defines controlled areas designated to physically control and securely store
-                     organization-defined types of digital and/or non-digital media;</p>
-               </part>
-               <part id="mp-4.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-4(a)[3]</prop>
-                  <p>physically controls organization-defined types of digital and/or non-digital
-                     media within organization-defined controlled areas;</p>
-               </part>
-               <part id="mp-4.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-4(a)[4]</prop>
-                  <p>securely stores organization-defined types of digital and/or non-digital media
-                     within organization-defined controlled areas; and</p>
-               </part>
-            </part>
-            <part id="mp-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-4(b)</prop>
-               <p>protects information system media until the media are destroyed or sanitized using
-                  approved equipment, techniques, and procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media storage</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>access control policy and procedures</p>
-               <p>security plan</p>
-               <p>information system media</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and storage
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing information media</p>
-               <p>automated mechanisms supporting and/or implementing secure media storage/media
-                  protection</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-5">
-         <title>Media Transport</title>
-         <param id="mp-5_prm_1">
-            <label>organization-defined types of information system media</label>
-            <constraint>all media with sensitive information</constraint>
-         </param>
-         <param id="mp-5_prm_2">
-            <label>organization-defined security safeguards</label>
-            <constraint>prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container</constraint>
-         </param>
-         <prop name="label">MP-5</prop>
-         <prop name="sort-id">mp-05</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="mp-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Protects and controls <insert param-id="mp-5_prm_1"/> during transport outside of
-                  controlled areas using <insert param-id="mp-5_prm_2"/>;</p>
-            </part>
-            <part id="mp-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Maintains accountability for information system media during transport outside of
-                  controlled areas;</p>
-            </part>
-            <part id="mp-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents activities associated with the transport of information system media;
-                  and</p>
-            </part>
-            <part id="mp-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Restricts the activities associated with the transport of information system media
-                  to authorized personnel.</p>
-            </part>
-            <part id="mp-5_fr" name="item">
-               <title>MP-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-5_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-5_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. This control also applies to mobile
-               devices with information storage capability (e.g., smart phones, tablets, E-readers),
-               that are transported outside of controlled areas. Controlled areas are areas or
-               spaces for which organizations provide sufficient physical and/or procedural
-               safeguards to meet the requirements established for protecting information and/or
-               information systems. Physical and technical safeguards for media are commensurate
-               with the security category or classification of the information residing on the
-               media. Safeguards to protect media during transport include, for example, locked
-               containers and cryptography. Cryptographic mechanisms can provide confidentiality and
-               integrity protections depending upon the mechanisms used. Activities associated with
-               transport include the actual transport as well as those activities such as releasing
-               media for transport and ensuring that media enters the appropriate transport
-               processes. For the actual transport, authorized transport and courier personnel may
-               include individuals from outside the organization (e.g., U.S. Postal Service or a
-               commercial transport or delivery service). Maintaining accountability of media during
-               transport includes, for example, restricting transport activities to authorized
-               personnel, and tracking and/or obtaining explicit records of transport activities as
-               the media moves through the transportation system to prevent and detect loss,
-               destruction, or tampering. Organizations establish documentation requirements for
-               activities associated with the transport of information system media in accordance
-               with organizational assessments of risk to include the flexibility to define
-               different record-keeping methods for the different types of media transport as part
-               of an overall system of transport-related records.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#mp-3">MP-3</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-         </part>
-         <part id="mp-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-5.a_obj" name="objective">
-               <prop name="label">MP-5(a)</prop>
-               <part id="mp-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-5(a)[1]</prop>
-                  <p>defines types of information system media to be protected and controlled during
-                     transport outside of controlled areas;</p>
-               </part>
-               <part id="mp-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-5(a)[2]</prop>
-                  <p>defines security safeguards to protect and control organization-defined
-                     information system media during transport outside of controlled areas;</p>
-               </part>
-               <part id="mp-5.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-5(a)[3]</prop>
-                  <p>protects and controls organization-defined information system media during
-                     transport outside of controlled areas using organization-defined security
-                     safeguards;</p>
-               </part>
-            </part>
-            <part id="mp-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-5(b)</prop>
-               <p>maintains accountability for information system media during transport outside of
-                  controlled areas;</p>
-            </part>
-            <part id="mp-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-5(c)</prop>
-               <p>documents activities associated with the transport of information system media;
-                  and</p>
-            </part>
-            <part id="mp-5.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-5(d)</prop>
-               <p>restricts the activities associated with transport of information system media to
-                  authorized personnel.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media storage</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>access control policy and procedures</p>
-               <p>security plan</p>
-               <p>information system media</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and storage
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing information media</p>
-               <p>automated mechanisms supporting and/or implementing media storage/media
-                  protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-5.4">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MP-5(4)</prop>
-            <prop name="sort-id">mp-05.04</prop>
-            <part id="mp-5.4_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  confidentiality and integrity of information stored on digital media during
-                  transport outside of controlled areas.</p>
-            </part>
-            <part id="mp-5.4_gdn" name="guidance">
-               <p>This control enhancement applies to both portable storage devices (e.g., USB
-                  memory sticks, compact disks, digital video disks, external/removable hard disk
-                  drives) and mobile devices with storage capability (e.g., smart phones, tablets,
-                  E-readers).</p>
-               <link rel="related" href="#mp-2">MP-2</link>
-            </part>
-            <part id="mp-5.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs cryptographic mechanisms to protect the
-                  confidentiality and integrity of information stored on digital media during
-                  transport outside of controlled areas. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media transport</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system media transport records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media transport
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting information on digital media during
-                     transportation outside controlled areas</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-6">
-         <title>Media Sanitization</title>
-         <param id="mp-6_prm_1">
-            <label>organization-defined information system media</label>
-         </param>
-         <param id="mp-6_prm_2">
-            <label>organization-defined sanitization techniques and procedures</label>
-            <constraint>techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations</constraint>
-         </param>
-         <prop name="label">MP-6</prop>
-         <prop name="sort-id">mp-06</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a47466c4-c837-4f06-a39f-e68412a5f73d" rel="reference">http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</link>
-         <part id="mp-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Sanitizes <insert param-id="mp-6_prm_1"/> prior to disposal, release out of
-                  organizational control, or release for reuse using <insert param-id="mp-6_prm_2"/>
-                  in accordance with applicable federal and organizational standards and policies;
-                  and</p>
-            </part>
-            <part id="mp-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs sanitization mechanisms with the strength and integrity commensurate with
-                  the security category or classification of the information.</p>
-            </part>
-         </part>
-         <part id="mp-6_gdn" name="guidance">
-            <p>This control applies to all information system media, both digital and non-digital,
-               subject to disposal or reuse, whether or not the media is considered removable.
-               Examples include media found in scanners, copiers, printers, notebook computers,
-               workstations, network components, and mobile devices. The sanitization process
-               removes information from the media such that the information cannot be retrieved or
-               reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-               erase, and destruction, prevent the disclosure of information to unauthorized
-               individuals when such media is reused or released for disposal. Organizations
-               determine the appropriate sanitization methods recognizing that destruction is
-               sometimes necessary when other methods cannot be applied to media requiring
-               sanitization. Organizations use discretion on the employment of approved sanitization
-               techniques and procedures for media containing information deemed to be in the public
-               domain or publicly releasable, or deemed to have no adverse impact on organizations
-               or individuals if released for reuse or disposal. Sanitization of non-digital media
-               includes, for example, removing a classified appendix from an otherwise unclassified
-               document, or redacting selected sections or words from a document by obscuring the
-               redacted sections/words in a manner equivalent in effectiveness to removing them from
-               the document. NSA standards and policies control the sanitization process for media
-               containing classified information.</p>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-4">SC-4</link>
-         </part>
-         <part id="mp-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-6.a_obj" name="objective">
-               <prop name="label">MP-6(a)</prop>
-               <part id="mp-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(a)[1]</prop>
-                  <p>defines information system media to be sanitized prior to:</p>
-                  <part id="mp-6.a_obj.1.a" name="objective">
-                     <prop name="label">MP-6(a)[1][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.b" name="objective">
-                     <prop name="label">MP-6(a)[1][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.c" name="objective">
-                     <prop name="label">MP-6(a)[1][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(a)[2]</prop>
-                  <p>defines sanitization techniques or procedures to be used for sanitizing
-                     organization-defined information system media prior to:</p>
-                  <part id="mp-6.a_obj.2.a" name="objective">
-                     <prop name="label">MP-6(a)[2][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.b" name="objective">
-                     <prop name="label">MP-6(a)[2][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.c" name="objective">
-                     <prop name="label">MP-6(a)[2][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-6(a)[3]</prop>
-                  <p>sanitizes organization-defined information system media prior to disposal,
-                     release out of organizational control, or release for reuse using
-                     organization-defined sanitization techniques or procedures in accordance with
-                     applicable federal and organizational standards and policies; and</p>
-               </part>
-            </part>
-            <part id="mp-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-6(b)</prop>
-               <p>employs sanitization mechanisms with strength and integrity commensurate with the
-                  security category or classification of the information.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media sanitization and disposal</p>
-               <p>applicable federal standards and policies addressing media sanitization</p>
-               <p>media sanitization records</p>
-               <p>audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media sanitization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media sanitization</p>
-               <p>automated mechanisms supporting and/or implementing media sanitization</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-6.1">
-            <title>Review / Approve / Track / Document / Verify</title>
-            <prop name="label">MP-6(1)</prop>
-            <prop name="sort-id">mp-06.01</prop>
-            <part id="mp-6.1_smt" name="statement">
-               <p>The organization reviews, approves, tracks, documents, and verifies media
-                  sanitization and disposal actions.</p>
-            </part>
-            <part id="mp-6.1_gdn" name="guidance">
-               <p>Organizations review and approve media to be sanitized to ensure compliance with
-                  records-retention policies. Tracking/documenting actions include, for example,
-                  listing personnel who reviewed and approved sanitization and disposal actions,
-                  types of media sanitized, specific files stored on the media, sanitization methods
-                  used, date and time of the sanitization actions, personnel who performed the
-                  sanitization, verification actions taken, personnel who performed the
-                  verification, and disposal action taken. Organizations verify that the
-                  sanitization of the media was effective prior to disposal.</p>
-               <link rel="related" href="#si-12">SI-12</link>
-            </part>
-            <part id="mp-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(1)[1]</prop>
-                  <p>reviews media sanitization and disposal actions;</p>
-               </part>
-               <part id="mp-6.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(1)[2]</prop>
-                  <p>approves media sanitization and disposal actions;</p>
-               </part>
-               <part id="mp-6.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(1)[3]</prop>
-                  <p>tracks media sanitization and disposal actions;</p>
-               </part>
-               <part id="mp-6.1_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(1)[4]</prop>
-                  <p>documents media sanitization and disposal actions; and</p>
-               </part>
-               <part id="mp-6.1_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-6(1)[5]</prop>
-                  <p>verifies media sanitization and disposal actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>media sanitization and disposal records</p>
-                  <p>review records for media sanitization and disposal actions</p>
-                  <p>approvals for media sanitization and disposal actions</p>
-                  <p>tracking records</p>
-                  <p>verification records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization and
-                     disposal responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media sanitization</p>
-                  <p>automated mechanisms supporting and/or implementing media sanitization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.2">
-            <title>Equipment Testing</title>
-            <param id="mp-6.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least every six (6) months</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">MP-6(2)</prop>
-            <prop name="sort-id">mp-06.02</prop>
-            <part id="mp-6.2_smt" name="statement">
-               <p>The organization tests sanitization equipment and procedures <insert param-id="mp-6.2_prm_1"/> to verify that the intended sanitization is being
-                  achieved.</p>
-               <part id="mp-6.2_fr" name="item">
-                  <title>MP-6 (2) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="mp-6.2_fr_gdn.a" name="guidance">
-                     <prop name="label">(a) Requirement:</prop>
-                     <p>Equipment and procedures may be tested or validated for effectiveness</p>
-                  </part>
-               </part>
-            </part>
-            <part id="mp-6.2_gdn" name="guidance">
-               <p>Testing of sanitization equipment and procedures may be conducted by qualified and
-                  authorized external entities (e.g., other federal agencies or external service
-                  providers).</p>
-            </part>
-            <part id="mp-6.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(2)[1]</prop>
-                  <p>defines the frequency for testing sanitization equipment and procedures to
-                     verify that the intended sanitization is being achieved; and</p>
-               </part>
-               <part id="mp-6.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-6(2)[2]</prop>
-                  <p>tests sanitization equipment and procedures with the organization-defined
-                     frequency to verify that the intended sanitization is being achieved.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>procedures addressing testing of media sanitization equipment</p>
-                  <p>results of media sanitization equipment and procedures testing</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media sanitization</p>
-                  <p>automated mechanisms supporting and/or implementing media sanitization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.3">
-            <title>Nondestructive Techniques</title>
-            <param id="mp-6.3_prm_1">
-               <label>organization-defined circumstances requiring sanitization of portable storage
-                  devices</label>
-            </param>
-            <prop name="label">MP-6(3)</prop>
-            <prop name="sort-id">mp-06.03</prop>
-            <part id="mp-6.3_smt" name="statement">
-               <p>The organization applies nondestructive sanitization techniques to portable
-                  storage devices prior to connecting such devices to the information system under
-                  the following circumstances: <insert param-id="mp-6.3_prm_1"/>.</p>
-            </part>
-            <part id="mp-6.3_gdn" name="guidance">
-               <p>This control enhancement applies to digital media containing classified
-                  information and Controlled Unclassified Information (CUI). Portable storage
-                  devices can be the source of malicious code insertions into organizational
-                  information systems. Many of these devices are obtained from unknown and
-                  potentially untrustworthy sources and may contain malicious code that can be
-                  readily transferred to information systems through USB ports or other entry
-                  portals. While scanning such storage devices is always recommended, sanitization
-                  provides additional assurance that the devices are free of malicious code to
-                  include code capable of initiating zero-day attacks. Organizations consider
-                  nondestructive sanitization of portable storage devices when such devices are
-                  first purchased from the manufacturer or vendor prior to initial use or when
-                  organizations lose a positive chain of custody for the devices.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="mp-6.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(3)[1]</prop>
-                  <p>defines circumstances requiring sanitization of portable storage devices;
-                     and</p>
-               </part>
-               <part id="mp-6.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-6(3)[2]</prop>
-                  <p>applies nondestructive sanitization techniques to portable storage devices
-                     prior to connecting such devices to the information system under
-                     organization-defined circumstances requiring sanitization of portable storage
-                     devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>list of circumstances requiring sanitization of portable storage devices</p>
-                  <p>media sanitization records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media sanitization of portable storage devices</p>
-                  <p>automated mechanisms supporting and/or implementing media sanitization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-7">
-         <title>Media Use</title>
-         <param id="mp-7_prm_1"/>
-         <param id="mp-7_prm_2">
-            <label>organization-defined types of information system media</label>
-         </param>
-         <param id="mp-7_prm_3">
-            <label>organization-defined information systems or system components</label>
-         </param>
-         <param id="mp-7_prm_4">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">MP-7</prop>
-         <prop name="sort-id">mp-07</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-7_smt" name="statement">
-            <p>The organization <insert param-id="mp-7_prm_1"/> the use of <insert param-id="mp-7_prm_2"/> on <insert param-id="mp-7_prm_3"/> using <insert param-id="mp-7_prm_4"/>.</p>
-         </part>
-         <part id="mp-7_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. This control also applies to mobile
-               devices with information storage capability (e.g., smart phones, tablets, E-readers).
-               In contrast to MP-2, which restricts user access to media, this control restricts the
-               use of certain types of media on information systems, for example,
-               restricting/prohibiting the use of flash drives or external hard disk drives.
-               Organizations can employ technical and nontechnical safeguards (e.g., policies,
-               procedures, rules of behavior) to restrict the use of information system media.
-               Organizations may restrict the use of portable storage devices, for example, by using
-               physical cages on workstations to prohibit access to certain external ports, or
-               disabling/removing the ability to insert, read or write to such devices.
-               Organizations may also limit the use of portable storage devices to only approved
-               devices including, for example, devices provided by the organization, devices
-               provided by other approved organizations, and devices that are not personally owned.
-               Finally, organizations may restrict the use of portable storage devices based on the
-               type of device, for example, prohibiting the use of writeable, portable storage
-               devices, and implementing this restriction by disabling or removing the capability to
-               write to such devices.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="mp-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-7_obj.1" name="objective">
-               <prop name="label">MP-7[1]</prop>
-               <p>defines types of information system media to be:</p>
-               <part id="mp-7_obj.1.a" name="objective">
-                  <prop name="label">MP-7[1][a]</prop>
-                  <p>restricted on information systems or system components; or</p>
-               </part>
-               <part id="mp-7_obj.1.b" name="objective">
-                  <prop name="label">MP-7[1][b]</prop>
-                  <p>prohibited from use on information systems or system components;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.2" name="objective">
-               <prop name="label">MP-7[2]</prop>
-               <p>defines information systems or system components on which the use of
-                  organization-defined types of information system media is to be one of the
-                  following:</p>
-               <part id="mp-7_obj.2.a" name="objective">
-                  <prop name="label">MP-7[2][a]</prop>
-                  <p>restricted; or</p>
-               </part>
-               <part id="mp-7_obj.2.b" name="objective">
-                  <prop name="label">MP-7[2][b]</prop>
-                  <p>prohibited;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-7[3]</prop>
-               <p>defines security safeguards to be employed to restrict or prohibit the use of
-                  organization-defined types of information system media on organization-defined
-                  information systems or system components; and</p>
-            </part>
-            <part id="mp-7_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-7[4]</prop>
-               <p>restricts or prohibits the use of organization-defined information system media on
-                  organization-defined information systems or system components using
-                  organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>system use policy</p>
-               <p>procedures addressing media usage restrictions</p>
-               <p>security plan</p>
-               <p>rules of behavior</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media use responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media use</p>
-               <p>automated mechanisms restricting or prohibiting use of information system media on
-                  information systems or system components</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-7.1">
-            <title>Prohibit Use Without Owner</title>
-            <prop name="label">MP-7(1)</prop>
-            <prop name="sort-id">mp-07.01</prop>
-            <part id="mp-7.1_smt" name="statement">
-               <p>The organization prohibits the use of portable storage devices in organizational
-                  information systems when such devices have no identifiable owner.</p>
-            </part>
-            <part id="mp-7.1_gdn" name="guidance">
-               <p>Requiring identifiable owners (e.g., individuals, organizations, or projects) for
-                  portable storage devices reduces the risk of using such technologies by allowing
-                  organizations to assign responsibility and accountability for addressing known
-                  vulnerabilities in the devices (e.g., malicious code insertion).</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-            </part>
-            <part id="mp-7.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization prohibits the use of portable storage devices in
-                  organizational information systems when such devices have no identifiable owner.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>system use policy</p>
-                  <p>procedures addressing media usage restrictions</p>
-                  <p>security plan</p>
-                  <p>rules of behavior</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media use responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media use</p>
-                  <p>automated mechanisms prohibiting use of media on information systems or system
-                     components</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="pe">
-      <title>Physical and Environmental Protection</title>
-      <control class="SP800-53" id="pe-1">
-         <title>Physical and Environmental Protection Policy and Procedures</title>
-         <param id="pe-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pe-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="pe-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-1</prop>
-         <prop name="sort-id">pe-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pe-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pe-1_prm_1"/>:</p>
-               <part id="pe-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A physical and environmental protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="pe-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the physical and environmental
-                     protection policy and associated physical and environmental protection
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="pe-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pe-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Physical and environmental protection policy <insert param-id="pe-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="pe-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Physical and environmental protection procedures <insert param-id="pe-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pe-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PE
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pe-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pe-1.a_obj" name="objective">
-               <prop name="label">PE-1(a)</prop>
-               <part id="pe-1.a.1_obj" name="objective">
-                  <prop name="label">PE-1(a)(1)</prop>
-                  <part id="pe-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(1)[1]</prop>
-                     <p>develops and documents a physical and environmental protection policy that
-                        addresses:</p>
-                     <part id="pe-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pe-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the physical and environmental protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PE-1(a)(1)[3]</prop>
-                     <p>disseminates the physical and environmental protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="pe-1.a.2_obj" name="objective">
-                  <prop name="label">PE-1(a)(2)</prop>
-                  <part id="pe-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        physical and environmental protection policy and associated physical and
-                        environmental protection controls;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PE-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-1.b_obj" name="objective">
-               <prop name="label">PE-1(b)</prop>
-               <part id="pe-1.b.1_obj" name="objective">
-                  <prop name="label">PE-1(b)(1)</prop>
-                  <part id="pe-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection policy;</p>
-                  </part>
-                  <part id="pe-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pe-1.b.2_obj" name="objective">
-                  <prop name="label">PE-1(b)(2)</prop>
-                  <part id="pe-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection procedures; and</p>
-                  </part>
-                  <part id="pe-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical and environmental protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-2">
-         <title>Physical Access Authorizations</title>
-         <param id="pe-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every ninety (90) days</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-2</prop>
-         <prop name="sort-id">pe-02</prop>
-         <part id="pe-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, approves, and maintains a list of individuals with authorized access to
-                  the facility where the information system resides;</p>
-            </part>
-            <part id="pe-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the access list detailing authorized facility access by individuals
-                     <insert param-id="pe-2_prm_1"/>; and</p>
-            </part>
-            <part id="pe-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part id="pe-2_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Authorization credentials include, for
-               example, badges, identification cards, and smart cards. Organizations determine the
-               strength of authorization credentials needed (including level of forge-proof badges,
-               smart cards, or identification cards) consistent with federal standards, policies,
-               and procedures. This control only applies to areas within facilities that have not
-               been designated as publicly accessible.</p>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="pe-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-2.a_obj" name="objective">
-               <prop name="label">PE-2(a)</prop>
-               <part id="pe-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PE-2(a)[1]</prop>
-                  <p>develops a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-2(a)[2]</prop>
-                  <p>approves a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PE-2(a)[3]</prop>
-                  <p>maintains a list of individuals with authorized access to the facility where
-                     the information system resides;</p>
-               </part>
-            </part>
-            <part id="pe-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-2(b)</prop>
-               <p>issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2.c_obj" name="objective">
-               <prop name="label">PE-2(c)</prop>
-               <part id="pe-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-2(c)[1]</prop>
-                  <p>defines the frequency to review the access list detailing authorized facility
-                     access by individuals;</p>
-               </part>
-               <part id="pe-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-2(c)[2]</prop>
-                  <p>reviews the access list detailing authorized facility access by individuals
-                     with the organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="pe-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-2(d)</prop>
-               <p>removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access authorizations</p>
-               <p>security plan</p>
-               <p>authorized personnel access list</p>
-               <p>authorization credentials</p>
-               <p>physical access list reviews</p>
-               <p>physical access termination records and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access authorization responsibilities</p>
-               <p>organizational personnel with physical access to information system facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access authorizations</p>
-               <p>automated mechanisms supporting and/or implementing physical access
-                  authorizations</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-3">
-         <title>Physical Access Control</title>
-         <param id="pe-3_prm_1">
-            <label>organization-defined entry/exit points to the facility where the information
-               system resides</label>
-         </param>
-         <param id="pe-3_prm_2">
-            <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-         </param>
-         <param id="pe-3_prm_3" depends-on="pe-3_prm_2">
-            <label>organization-defined physical access control systems/devices</label>
-            <constraint>CSP defined physical access control systems/devices</constraint>
-         </param>
-         <param id="pe-3_prm_4">
-            <label>organization-defined entry/exit points</label>
-         </param>
-         <param id="pe-3_prm_5">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <param id="pe-3_prm_6">
-            <label>organization-defined circumstances requiring visitor escorts and
-               monitoring</label>
-            <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-         </param>
-         <param id="pe-3_prm_7">
-            <label>organization-defined physical access devices</label>
-         </param>
-         <param id="pe-3_prm_8">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="pe-3_prm_9">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-3</prop>
-         <prop name="sort-id">pe-03</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <link href="#398e33fd-f404-4e5c-b90e-2d50d3181244" rel="reference">ICD 705</link>
-         <link href="#61081e7f-041d-4033-96a7-44a439071683" rel="reference">DoD Instruction 5200.39</link>
-         <link href="#dd2f5acd-08f1-435a-9837-f8203088dc1a" rel="reference">Personal Identity Verification (PIV) in Enterprise
-            Physical Access Control System (E-PACS)</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <part id="pe-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces physical access authorizations at <insert param-id="pe-3_prm_1"/> by;</p>
-               <part id="pe-3_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Verifying individual access authorizations before granting access to the
-                     facility; and</p>
-               </part>
-               <part id="pe-3_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Controlling ingress/egress to the facility using <insert param-id="pe-3_prm_2"/>;</p>
-               </part>
-            </part>
-            <part id="pe-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Maintains physical access audit logs for <insert param-id="pe-3_prm_4"/>;</p>
-            </part>
-            <part id="pe-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides <insert param-id="pe-3_prm_5"/> to control access to areas within the
-                  facility officially designated as publicly accessible;</p>
-            </part>
-            <part id="pe-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Escorts visitors and monitors visitor activity <insert param-id="pe-3_prm_6"/>;</p>
-            </part>
-            <part id="pe-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Secures keys, combinations, and other physical access devices;</p>
-            </part>
-            <part id="pe-3_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Inventories <insert param-id="pe-3_prm_7"/> every <insert param-id="pe-3_prm_8"/>;
-                  and</p>
-            </part>
-            <part id="pe-3_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changes combinations and keys <insert param-id="pe-3_prm_9"/> and/or when keys are
-                  lost, combinations are compromised, or individuals are transferred or
-                  terminated.</p>
-            </part>
-         </part>
-         <part id="pe-3_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Organizations determine the types of
-               facility guards needed including, for example, professional physical security staff
-               or other personnel such as administrative staff or information system users. Physical
-               access devices include, for example, keys, locks, combinations, and card readers.
-               Safeguards for publicly accessible areas within organizational facilities include,
-               for example, cameras, monitoring by guards, and isolating selected information
-               systems and/or system components in secured areas. Physical access control systems
-               comply with applicable federal laws, Executive Orders, directives, policies,
-               regulations, standards, and guidance. The Federal Identity, Credential, and Access
-               Management Program provides implementation guidance for identity, credential, and
-               access management capabilities for physical access control systems. Organizations
-               have flexibility in the types of audit logs employed. Audit logs can be procedural
-               (e.g., a written log of individuals accessing the facility and when such access
-               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-               thereof. Physical access points can include facility access points, interior access
-               points to information systems and/or components requiring supplemental access
-               controls, or both. Components of organizational information systems (e.g.,
-               workstations, terminals) may be located in areas designated as publicly accessible
-               with organizations safeguarding access to such devices.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-5">PE-5</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pe-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-3.a_obj" name="objective">
-               <prop name="label">PE-3(a)</prop>
-               <part id="pe-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(a)[1]</prop>
-                  <p>defines entry/exit points to the facility where the information system
-                     resides;</p>
-               </part>
-               <part id="pe-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(a)[2]</prop>
-                  <p>enforces physical access authorizations at organization-defined entry/exit
-                     points to the facility where the information system resides by:</p>
-                  <part id="pe-3.a.1_obj.2" name="objective">
-                     <prop name="label">PE-3(a)[2](1)</prop>
-                     <p>verifying individual access authorizations before granting access to the
-                        facility;</p>
-                  </part>
-                  <part id="pe-3.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-3(a)[2](2)</prop>
-                     <part id="pe-3.a.2_obj.2.a" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[a]</prop>
-                        <p>defining physical access control systems/devices to be employed to
-                           control ingress/egress to the facility where the information system
-                           resides;</p>
-                     </part>
-                     <part id="pe-3.a.2_obj.2.b" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[b]</prop>
-                        <p>using one or more of the following ways to control ingress/egress to the
-                           facility:</p>
-                        <part id="pe-3.a.2_obj.2.b.1" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][1]</prop>
-                           <p>organization-defined physical access control systems/devices;
-                              and/or</p>
-                        </part>
-                        <part id="pe-3.a.2_obj.2.b.2" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][2]</prop>
-                           <p>guards;</p>
-                        </part>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.b_obj" name="objective">
-               <prop name="label">PE-3(b)</prop>
-               <part id="pe-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(b)[1]</prop>
-                  <p>defines entry/exit points for which physical access audit logs are to be
-                     maintained;</p>
-               </part>
-               <part id="pe-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(b)[2]</prop>
-                  <p>maintains physical access audit logs for organization-defined entry/exit
-                     points;</p>
-               </part>
-            </part>
-            <part id="pe-3.c_obj" name="objective">
-               <prop name="label">PE-3(c)</prop>
-               <part id="pe-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(c)[1]</prop>
-                  <p>defines security safeguards to be employed to control access to areas within
-                     the facility officially designated as publicly accessible;</p>
-               </part>
-               <part id="pe-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(c)[2]</prop>
-                  <p>provides organization-defined security safeguards to control access to areas
-                     within the facility officially designated as publicly accessible;</p>
-               </part>
-            </part>
-            <part id="pe-3.d_obj" name="objective">
-               <prop name="label">PE-3(d)</prop>
-               <part id="pe-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(d)[1]</prop>
-                  <p>defines circumstances requiring visitor:</p>
-                  <part id="pe-3.d_obj.1.a" name="objective">
-                     <prop name="label">PE-3(d)[1][a]</prop>
-                     <p>escorts;</p>
-                  </part>
-                  <part id="pe-3.d_obj.1.b" name="objective">
-                     <prop name="label">PE-3(d)[1][b]</prop>
-                     <p>monitoring;</p>
-                  </part>
-               </part>
-               <part id="pe-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(d)[2]</prop>
-                  <p>in accordance with organization-defined circumstances requiring visitor escorts
-                     and monitoring:</p>
-                  <part id="pe-3.d_obj.2.a" name="objective">
-                     <prop name="label">PE-3(d)[2][a]</prop>
-                     <p>escorts visitors;</p>
-                  </part>
-                  <part id="pe-3.d_obj.2.b" name="objective">
-                     <prop name="label">PE-3(d)[2][b]</prop>
-                     <p>monitors visitor activities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.e_obj" name="objective">
-               <prop name="label">PE-3(e)</prop>
-               <part id="pe-3.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[1]</prop>
-                  <p>secures keys;</p>
-               </part>
-               <part id="pe-3.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[2]</prop>
-                  <p>secures combinations;</p>
-               </part>
-               <part id="pe-3.e_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[3]</prop>
-                  <p>secures other physical access devices;</p>
-               </part>
-            </part>
-            <part id="pe-3.f_obj" name="objective">
-               <prop name="label">PE-3(f)</prop>
-               <part id="pe-3.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(f)[1]</prop>
-                  <p>defines physical access devices to be inventoried;</p>
-               </part>
-               <part id="pe-3.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(f)[2]</prop>
-                  <p>defines the frequency to inventory organization-defined physical access
-                     devices;</p>
-               </part>
-               <part id="pe-3.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(f)[3]</prop>
-                  <p>inventories the organization-defined physical access devices with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pe-3.g_obj" name="objective">
-               <prop name="label">PE-3(g)</prop>
-               <part id="pe-3.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(g)[1]</prop>
-                  <p>defines the frequency to change combinations and keys; and</p>
-               </part>
-               <part id="pe-3.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(g)[2]</prop>
-                  <p>changes combinations and keys with the organization-defined frequency and/or
-                     when:</p>
-                  <part id="pe-3.g_obj.2.a" name="objective">
-                     <prop name="label">PE-3(g)[2][a]</prop>
-                     <p>keys are lost;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.b" name="objective">
-                     <prop name="label">PE-3(g)[2][b]</prop>
-                     <p>combinations are compromised;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.c" name="objective">
-                     <prop name="label">PE-3(g)[2][c]</prop>
-                     <p>individuals are transferred or terminated.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access control</p>
-               <p>security plan</p>
-               <p>physical access control logs or records</p>
-               <p>inventory records of physical access control devices</p>
-               <p>information system entry and exit points</p>
-               <p>records of key and lock combination changes</p>
-               <p>storage locations for physical access control devices</p>
-               <p>physical access control devices</p>
-               <p>list of security safeguards controlling access to designated publicly accessible
-                  areas within facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access control</p>
-               <p>automated mechanisms supporting and/or implementing physical access control</p>
-               <p>physical access control devices</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-3.1">
-            <title>Information System Access</title>
-            <param id="pe-3.1_prm_1">
-               <label>organization-defined physical spaces containing one or more components of the
-                  information system</label>
-            </param>
-            <prop name="label">PE-3(1)</prop>
-            <prop name="sort-id">pe-03.01</prop>
-            <part id="pe-3.1_smt" name="statement">
-               <p>The organization enforces physical access authorizations to the information system
-                  in addition to the physical access controls for the facility at <insert param-id="pe-3.1_prm_1"/>.</p>
-            </part>
-            <part id="pe-3.1_gdn" name="guidance">
-               <p>This control enhancement provides additional physical security for those areas
-                  within facilities where there is a concentration of information system components
-                  (e.g., server rooms, media storage areas, data and communications centers).</p>
-               <link rel="related" href="#ps-2">PS-2</link>
-            </part>
-            <part id="pe-3.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-3.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(1)[1]</prop>
-                  <p>defines physical spaces containing one or more components of the information
-                     system; and</p>
-               </part>
-               <part id="pe-3.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(1)[2]</prop>
-                  <p>enforces physical access authorizations to the information system in addition
-                     to the physical access controls for the facility at organization-defined
-                     physical spaces containing one or more components of the information
-                     system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>physical access control logs or records</p>
-                  <p>physical access control devices</p>
-                  <p>access authorizations</p>
-                  <p>access credentials</p>
-                  <p>information system entry and exit points</p>
-                  <p>list of areas within the facility containing concentrations of information
-                     system components or information system components requiring additional
-                     physical protection</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access authorization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for physical access control to the information
-                     system/components</p>
-                  <p>automated mechanisms supporting and/or implementing physical access control for
-                     facility areas containing information system components</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-4">
-         <title>Access Control for Transmission Medium</title>
-         <param id="pe-4_prm_1">
-            <label>organization-defined information system distribution and transmission
-               lines</label>
-         </param>
-         <param id="pe-4_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">PE-4</prop>
-         <prop name="sort-id">pe-04</prop>
-         <link href="#06dff0ea-3848-4945-8d91-e955ee69f05d" rel="reference">NSTISSI No. 7003</link>
-         <part id="pe-4_smt" name="statement">
-            <p>The organization controls physical access to <insert param-id="pe-4_prm_1"/> within
-               organizational facilities using <insert param-id="pe-4_prm_2"/>.</p>
-         </part>
-         <part id="pe-4_gdn" name="guidance">
-            <p>Physical security safeguards applied to information system distribution and
-               transmission lines help to prevent accidental damage, disruption, and physical
-               tampering. In addition, physical safeguards may be necessary to help prevent
-               eavesdropping or in transit modification of unencrypted transmissions. Security
-               safeguards to control physical access to system distribution and transmission lines
-               include, for example: (i) locked wiring closets; (ii) disconnected or locked spare
-               jacks; and/or (iii) protection of cabling by conduit or cable trays.</p>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-5">PE-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-         </part>
-         <part id="pe-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-4_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PE-4[1]</prop>
-               <p>defines information system distribution and transmission lines requiring physical
-                  access controls;</p>
-            </part>
-            <part id="pe-4_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PE-4[2]</prop>
-               <p>defines security safeguards to be employed to control physical access to
-                  organization-defined information system distribution and transmission lines within
-                  organizational facilities; and</p>
-            </part>
-            <part id="pe-4_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-4[3]</prop>
-               <p>controls physical access to organization-defined information system distribution
-                  and transmission lines within organizational facilities using organization-defined
-                  security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing access control for transmission medium</p>
-               <p>information system design documentation</p>
-               <p>facility communications and wiring diagrams</p>
-               <p>list of physical security safeguards applied to information system distribution
-                  and transmission lines</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access control to distribution and transmission
-                  lines</p>
-               <p>automated mechanisms/security safeguards supporting and/or implementing access
-                  control to distribution and transmission lines</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-5">
-         <title>Access Control for Output Devices</title>
-         <prop name="label">PE-5</prop>
-         <prop name="sort-id">pe-05</prop>
-         <part id="pe-5_smt" name="statement">
-            <p>The organization controls physical access to information system output devices to
-               prevent unauthorized individuals from obtaining the output.</p>
-         </part>
-         <part id="pe-5_gdn" name="guidance">
-            <p>Controlling physical access to output devices includes, for example, placing output
-               devices in locked rooms or other secured areas and allowing access to authorized
-               individuals only, and placing output devices in locations that can be monitored by
-               organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,
-               and audio devices are examples of information system output devices.</p>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-18">PE-18</link>
-         </part>
-         <part id="pe-5_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization controls physical access to information system output
-               devices to prevent unauthorized individuals from obtaining the output. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing access control for display medium</p>
-               <p>facility layout of information system components</p>
-               <p>actual displays from information system components</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access control to output devices</p>
-               <p>automated mechanisms supporting and/or implementing access control to output
-                  devices</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-6">
-         <title>Monitoring Physical Access</title>
-         <param id="pe-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <param id="pe-6_prm_2">
-            <label>organization-defined events or potential indications of events</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-6</prop>
-         <prop name="sort-id">pe-06</prop>
-         <part id="pe-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews physical access logs <insert param-id="pe-6_prm_1"/> and upon occurrence
-                  of <insert param-id="pe-6_prm_2"/>; and</p>
-            </part>
-            <part id="pe-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part id="pe-6_gdn" name="guidance">
-            <p>Organizational incident response capabilities include investigations of and responses
-               to detected physical security incidents. Security incidents include, for example,
-               apparent security violations or suspicious physical access activities. Suspicious
-               physical access activities include, for example: (i) accesses outside of normal work
-               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-               unusual lengths of time; and (iv) out-of-sequence accesses.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="pe-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-6(a)</prop>
-               <p>monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6.b_obj" name="objective">
-               <prop name="label">PE-6(b)</prop>
-               <part id="pe-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-6(b)[1]</prop>
-                  <p>defines the frequency to review physical access logs;</p>
-               </part>
-               <part id="pe-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-6(b)[2]</prop>
-                  <p>defines events or potential indication of events requiring physical access logs
-                     to be reviewed;</p>
-               </part>
-               <part id="pe-6.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-6(b)[3]</prop>
-                  <p>reviews physical access logs with the organization-defined frequency and upon
-                     occurrence of organization-defined events or potential indications of events;
-                     and</p>
-               </part>
-            </part>
-            <part id="pe-6.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-6(c)</prop>
-               <p>coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access monitoring</p>
-               <p>security plan</p>
-               <p>physical access logs or records</p>
-               <p>physical access monitoring records</p>
-               <p>physical access log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access monitoring responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring physical access</p>
-               <p>automated mechanisms supporting and/or implementing physical access monitoring</p>
-               <p>automated mechanisms supporting and/or implementing reviewing of physical access
-                  logs</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-6.1">
-            <title>Intrusion Alarms / Surveillance Equipment</title>
-            <prop name="label">PE-6(1)</prop>
-            <prop name="sort-id">pe-06.01</prop>
-            <part id="pe-6.1_smt" name="statement">
-               <p>The organization monitors physical intrusion alarms and surveillance
-                  equipment.</p>
-            </part>
-            <part id="pe-6.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization monitors physical intrusion alarms and surveillance
-                  equipment. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>security plan</p>
-                  <p>physical access logs or records</p>
-                  <p>physical access monitoring records</p>
-                  <p>physical access log reviews</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring physical intrusion alarms and
-                     surveillance equipment</p>
-                  <p>automated mechanisms supporting and/or implementing physical access
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing physical intrusion alarms
-                     and surveillance equipment</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-6.4">
-            <title>Monitoring Physical Access to Information Systems</title>
-            <param id="pe-6.4_prm_1">
-               <label>organization-defined physical spaces containing one or more components of the
-                  information system</label>
-            </param>
-            <prop name="label">PE-6(4)</prop>
-            <prop name="sort-id">pe-06.04</prop>
-            <part id="pe-6.4_smt" name="statement">
-               <p>The organization monitors physical access to the information system in addition to
-                  the physical access monitoring of the facility as <insert param-id="pe-6.4_prm_1"/>.</p>
-            </part>
-            <part id="pe-6.4_gdn" name="guidance">
-               <p>This control enhancement provides additional monitoring for those areas within
-                  facilities where there is a concentration of information system components (e.g.,
-                  server rooms, media storage areas, communications centers).</p>
-               <link rel="related" href="#ps-2">PS-2</link>
-               <link rel="related" href="#ps-3">PS-3</link>
-            </part>
-            <part id="pe-6.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-6.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-6(4)[1]</prop>
-                  <p>defines physical spaces containing one or more components of the information
-                     system; and</p>
-               </part>
-               <part id="pe-6.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-6(4)[2]</prop>
-                  <p>monitors physical access to the information system in addition to the physical
-                     access monitoring of the facility at organization-defined physical spaces
-                     containing one or more components of the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>physical access control logs or records</p>
-                  <p>physical access control devices</p>
-                  <p>access authorizations</p>
-                  <p>access credentials</p>
-                  <p>list of areas within the facility containing concentrations of information
-                     system components or information system components requiring additional
-                     physical access monitoring</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring physical access to the information
-                     system</p>
-                  <p>automated mechanisms supporting and/or implementing physical access monitoring
-                     for facility areas containing information system components</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-8">
-         <title>Visitor Access Records</title>
-         <param id="pe-8_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>for a minimum of one (1) year</constraint>
-         </param>
-         <param id="pe-8_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-8</prop>
-         <prop name="sort-id">pe-08</prop>
-         <part id="pe-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains visitor access records to the facility where the information system
-                  resides for <insert param-id="pe-8_prm_1"/>; and</p>
-            </part>
-            <part id="pe-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews visitor access records <insert param-id="pe-8_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="pe-8_gdn" name="guidance">
-            <p>Visitor access records include, for example, names and organizations of persons
-               visiting, visitor signatures, forms of identification, dates of access, entry and
-               departure times, purposes of visits, and names and organizations of persons visited.
-               Visitor access records are not required for publicly accessible areas.</p>
-         </part>
-         <part id="pe-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-8.a_obj" name="objective">
-               <prop name="label">PE-8(a)</prop>
-               <part id="pe-8.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-8(a)[1]</prop>
-                  <p>defines the time period to maintain visitor access records to the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-8.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-8(a)[2]</prop>
-                  <p>maintains visitor access records to the facility where the information system
-                     resides for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="pe-8.b_obj" name="objective">
-               <prop name="label">PE-8(b)</prop>
-               <part id="pe-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-8(b)[1]</prop>
-                  <p>defines the frequency to review visitor access records; and</p>
-               </part>
-               <part id="pe-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-8(b)[2]</prop>
-                  <p>reviews visitor access records with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing visitor access records</p>
-               <p>security plan</p>
-               <p>visitor access control logs or records</p>
-               <p>visitor access record or log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with visitor access records responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for maintaining and reviewing visitor access records</p>
-               <p>automated mechanisms supporting and/or implementing maintenance and review of
-                  visitor access records</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-8.1">
-            <title>Automated Records Maintenance / Review</title>
-            <prop name="label">PE-8(1)</prop>
-            <prop name="sort-id">pe-08.01</prop>
-            <part id="pe-8.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to facilitate the maintenance and
-                  review of visitor access records.</p>
-            </part>
-            <part id="pe-8.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to facilitate the
-                  maintenance and review of visitor access records. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing visitor access records</p>
-                  <p>automated mechanisms supporting management of visitor access records</p>
-                  <p>visitor access control logs or records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with visitor access records responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining and reviewing visitor access
-                     records</p>
-                  <p>automated mechanisms supporting and/or implementing maintenance and review of
-                     visitor access records</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-9">
-         <title>Power Equipment and Cabling</title>
-         <prop name="label">PE-9</prop>
-         <prop name="sort-id">pe-09</prop>
-         <part id="pe-9_smt" name="statement">
-            <p>The organization protects power equipment and power cabling for the information
-               system from damage and destruction.</p>
-         </part>
-         <part id="pe-9_gdn" name="guidance">
-            <p>Organizations determine the types of protection necessary for power equipment and
-               cabling employed at different locations both internal and external to organizational
-               facilities and environments of operation. This includes, for example, generators and
-               power cabling outside of buildings, internal cabling and uninterruptable power
-               sources within an office or data center, and power sources for self-contained
-               entities such as vehicles and satellites.</p>
-            <link rel="related" href="#pe-4">PE-4</link>
-         </part>
-         <part id="pe-9_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization protects power equipment and power cabling for the
-               information system from damage and destruction. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing power equipment/cabling protection</p>
-               <p>facilities housing power equipment/cabling</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for protecting power
-                  equipment/cabling</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing protection of power
-                  equipment/cabling</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-10">
-         <title>Emergency Shutoff</title>
-         <param id="pe-10_prm_1">
-            <label>organization-defined location by information system or system component</label>
-         </param>
-         <prop name="label">PE-10</prop>
-         <prop name="sort-id">pe-10</prop>
-         <part id="pe-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides the capability of shutting off power to the information system or
-                  individual system components in emergency situations;</p>
-            </part>
-            <part id="pe-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Places emergency shutoff switches or devices in <insert param-id="pe-10_prm_1"/>
-                  to facilitate safe and easy access for personnel; and</p>
-            </part>
-            <part id="pe-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Protects emergency power shutoff capability from unauthorized activation.</p>
-            </part>
-         </part>
-         <part id="pe-10_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms.</p>
-            <link rel="related" href="#pe-15">PE-15</link>
-         </part>
-         <part id="pe-10_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-10.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-10(a)</prop>
-               <p>provides the capability of shutting off power to the information system or
-                  individual system components in emergency situations;</p>
-            </part>
-            <part id="pe-10.b_obj" name="objective">
-               <prop name="label">PE-10(b)</prop>
-               <part id="pe-10.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-10(b)[1]</prop>
-                  <p>defines the location of emergency shutoff switches or devices by information
-                     system or system component;</p>
-               </part>
-               <part id="pe-10.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-10(b)[2]</prop>
-                  <p>places emergency shutoff switches or devices in the organization-defined
-                     location by information system or system component to facilitate safe and easy
-                     access for personnel; and</p>
-               </part>
-            </part>
-            <part id="pe-10.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-10(c)</prop>
-               <p>protects emergency power shutoff capability from unauthorized activation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing power source emergency shutoff</p>
-               <p>security plan</p>
-               <p>emergency shutoff controls or switches</p>
-               <p>locations housing emergency shutoff switches and devices</p>
-               <p>security safeguards protecting emergency power shutoff capability from
-                  unauthorized activation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency power shutoff
-                  capability (both implementing and using the capability)</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing emergency power shutoff</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-11">
-         <title>Emergency Power</title>
-         <param id="pe-11_prm_1"/>
-         <prop name="label">PE-11</prop>
-         <prop name="sort-id">pe-11</prop>
-         <part id="pe-11_smt" name="statement">
-            <p>The organization provides a short-term uninterruptible power supply to facilitate
-                  <insert param-id="pe-11_prm_1"/> in the event of a primary power source loss.</p>
-         </part>
-         <part id="pe-11_gdn" name="guidance">
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-11_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization provides a short-term uninterruptible power supply to
-               facilitate one or more of the following in the event of a primary power source loss: </p>
-            <part id="pe-11_obj.1" name="objective">
-               <prop name="label">PE-11[1]</prop>
-               <p>an orderly shutdown of the information system; and/or</p>
-            </part>
-            <part id="pe-11_obj.2" name="objective">
-               <prop name="label">PE-11[2]</prop>
-               <p>transition of the information system to long-term alternate power.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing emergency power</p>
-               <p>uninterruptible power supply</p>
-               <p>uninterruptible power supply documentation</p>
-               <p>uninterruptible power supply test records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency power and/or
-                  planning</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing uninterruptible power
-                  supply</p>
-               <p>the uninterruptable power supply</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-11.1">
-            <title>Long-term Alternate Power Supply - Minimal Operational Capability</title>
-            <prop name="label">PE-11(1)</prop>
-            <prop name="sort-id">pe-11.01</prop>
-            <part id="pe-11.1_smt" name="statement">
-               <p>The organization provides a long-term alternate power supply for the information
-                  system that is capable of maintaining minimally required operational capability in
-                  the event of an extended loss of the primary power source.</p>
-            </part>
-            <part id="pe-11.1_gdn" name="guidance">
-               <p>This control enhancement can be satisfied, for example, by the use of a secondary
-                  commercial power supply or other external power supply. Long-term alternate power
-                  supplies for the information system can be either manually or automatically
-                  activated.</p>
-            </part>
-            <part id="pe-11.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization provides a long-term alternate power supply for the
-                  information system that is capable of maintaining minimally required operational
-                  capability in the event of an extended loss of the primary power source. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing emergency power</p>
-                  <p>alternate power supply</p>
-                  <p>alternate power supply documentation</p>
-                  <p>alternate power supply test records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for emergency power and/or
-                     planning</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing alternate power supply</p>
-                  <p>the alternate power supply</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-12">
-         <title>Emergency Lighting</title>
-         <prop name="label">PE-12</prop>
-         <prop name="sort-id">pe-12</prop>
-         <part id="pe-12_smt" name="statement">
-            <p>The organization employs and maintains automatic emergency lighting for the
-               information system that activates in the event of a power outage or disruption and
-               that covers emergency exits and evacuation routes within the facility.</p>
-         </part>
-         <part id="pe-12_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-12_obj" name="objective">
-            <p>Determine if the organization employs and maintains automatic emergency lighting for
-               the information system that: </p>
-            <part id="pe-12_obj.1" name="objective">
-               <prop name="label">PE-12[1]</prop>
-               <p>activates in the event of a power outage or disruption; and</p>
-            </part>
-            <part id="pe-12_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-12[2]</prop>
-               <p>covers emergency exits and evacuation routes within the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing emergency lighting</p>
-               <p>emergency lighting documentation</p>
-               <p>emergency lighting test records</p>
-               <p>emergency exits and evacuation routes</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency lighting and/or
-                  planning</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing emergency lighting
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-13">
-         <title>Fire Protection</title>
-         <prop name="label">PE-13</prop>
-         <prop name="sort-id">pe-13</prop>
-         <part id="pe-13_smt" name="statement">
-            <p>The organization employs and maintains fire suppression and detection devices/systems
-               for the information system that are supported by an independent energy source.</p>
-         </part>
-         <part id="pe-13_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Fire suppression and detection devices/systems include, for example,
-               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-               detectors.</p>
-         </part>
-         <part id="pe-13_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-13_obj.1" name="objective">
-               <prop name="label">PE-13[1]</prop>
-               <p>employs fire suppression and detection devices/systems for the information system
-                  that are supported by an independent energy source; and</p>
-            </part>
-            <part id="pe-13_obj.2" name="objective">
-               <prop name="label">PE-13[2]</prop>
-               <p>maintains fire suppression and detection devices/systems for the information
-                  system that are supported by an independent energy source.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing fire protection</p>
-               <p>fire suppression and detection devices/systems</p>
-               <p>fire suppression and detection devices/systems documentation</p>
-               <p>test records of fire suppression and detection devices/systems</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for fire detection and suppression
-                  devices/systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing fire suppression/detection
-                  devices/systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-13.1">
-            <title>Detection Devices / Systems</title>
-            <param id="pe-13.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-               <constraint>service provider building maintenance/physical security personnel</constraint>
-            </param>
-            <param id="pe-13.1_prm_2">
-               <label>organization-defined emergency responders</label>
-               <constraint>service provider emergency responders with incident response responsibilities</constraint>
-            </param>
-            <prop name="label">PE-13(1)</prop>
-            <prop name="sort-id">pe-13.01</prop>
-            <part id="pe-13.1_smt" name="statement">
-               <p>The organization employs fire detection devices/systems for the information system
-                  that activate automatically and notify <insert param-id="pe-13.1_prm_1"/> and
-                     <insert param-id="pe-13.1_prm_2"/> in the event of a fire.</p>
-            </part>
-            <part id="pe-13.1_gdn" name="guidance">
-               <p>Organizations can identify specific personnel, roles, and emergency responders in
-                  the event that individuals on the notification list must have appropriate access
-                  authorizations and/or clearances, for example, to obtain access to facilities
-                  where classified operations are taking place or where there are information
-                  systems containing classified information.</p>
-            </part>
-            <part id="pe-13.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-13.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-13(1)[1]</prop>
-                  <p>defines personnel or roles to be notified in the event of a fire;</p>
-               </part>
-               <part id="pe-13.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-13(1)[2]</prop>
-                  <p>defines emergency responders to be notified in the event of a fire;</p>
-               </part>
-               <part id="pe-13.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-13(1)[3]</prop>
-                  <p>employs fire detection devices/systems for the information system that, in the
-                     event of a fire,:</p>
-                  <part id="pe-13.1_obj.3.a" name="objective">
-                     <prop name="label">PE-13(1)[3][a]</prop>
-                     <p>activate automatically;</p>
-                  </part>
-                  <part id="pe-13.1_obj.3.b" name="objective">
-                     <prop name="label">PE-13(1)[3][b]</prop>
-                     <p>notify organization-defined personnel or roles; and</p>
-                  </part>
-                  <part id="pe-13.1_obj.3.c" name="objective">
-                     <prop name="label">PE-13(1)[3][c]</prop>
-                     <p>notify organization-defined emergency responders.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>facility housing the information system</p>
-                  <p>alarm service-level agreements</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>fire suppression and detection devices/systems documentation</p>
-                  <p>alerts/notifications of fire events</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for fire detection and
-                     suppression devices/systems</p>
-                  <p>organizational personnel with responsibilities for notifying appropriate
-                     personnel, roles, and emergency responders of fires</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing fire detection
-                     devices/systems</p>
-                  <p>activation of fire detection devices/systems (simulated)</p>
-                  <p>automated notifications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.2">
-            <title>Suppression Devices / Systems</title>
-            <param id="pe-13.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="pe-13.2_prm_2">
-               <label>organization-defined emergency responders</label>
-            </param>
-            <prop name="label">PE-13(2)</prop>
-            <prop name="sort-id">pe-13.02</prop>
-            <part id="pe-13.2_smt" name="statement">
-               <p>The organization employs fire suppression devices/systems for the information
-                  system that provide automatic notification of any activation to <insert param-id="pe-13.2_prm_1"/> and <insert param-id="pe-13.2_prm_2"/>.</p>
-            </part>
-            <part id="pe-13.2_gdn" name="guidance">
-               <p>Organizations can identify specific personnel, roles, and emergency responders in
-                  the event that individuals on the notification list must have appropriate access
-                  authorizations and/or clearances, for example, to obtain access to facilities
-                  where classified operations are taking place or where there are information
-                  systems containing classified information.</p>
-            </part>
-            <part id="pe-13.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-13.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-13(2)[1]</prop>
-                  <p>defines personnel or roles to be provided automatic notification of any
-                     activation of fire suppression devices/systems for the information system;</p>
-               </part>
-               <part id="pe-13.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-13(2)[2]</prop>
-                  <p>defines emergency responders to be provided automatic notification of any
-                     activation of fire suppression devices/systems for the information system;</p>
-               </part>
-               <part id="pe-13.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-13(2)[3]</prop>
-                  <p>employs fire suppression devices/systems for the information system that
-                     provide automatic notification of any activation to:</p>
-                  <part id="pe-13.2_obj.3.a" name="objective">
-                     <prop name="label">PE-13(2)[3][a]</prop>
-                     <p>organization-defined personnel or roles; and</p>
-                  </part>
-                  <part id="pe-13.2_obj.3.b" name="objective">
-                     <prop name="label">PE-13(2)[3][b]</prop>
-                     <p>organization-defined emergency responders.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>fire suppression and detection devices/systems documentation</p>
-                  <p>facility housing the information system</p>
-                  <p>alarm service-level agreements</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for fire detection and
-                     suppression devices/systems</p>
-                  <p>organizational personnel with responsibilities for providing automatic
-                     notifications of any activation of fire suppression devices/systems to
-                     appropriate personnel, roles, and emergency responders</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing fire suppression
-                     devices/systems</p>
-                  <p>activation of fire suppression devices/systems (simulated)</p>
-                  <p>automated notifications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.3">
-            <title>Automatic Fire Suppression</title>
-            <prop name="label">PE-13(3)</prop>
-            <prop name="sort-id">pe-13.03</prop>
-            <part id="pe-13.3_smt" name="statement">
-               <p>The organization employs an automatic fire suppression capability for the
-                  information system when the facility is not staffed on a continuous basis.</p>
-            </part>
-            <part id="pe-13.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs an automatic fire suppression capability for
-                  the information system when the facility is not staffed on a continuous basis.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>fire suppression and detection devices/systems documentation</p>
-                  <p>facility housing the information system</p>
-                  <p>alarm service-level agreements</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for fire detection and
-                     suppression devices/systems</p>
-                  <p>organizational personnel with responsibilities for providing automatic
-                     notifications of any activation of fire suppression devices/systems to
-                     appropriate personnel, roles, and emergency responders</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing fire suppression
-                     devices/systems</p>
-                  <p>activation of fire suppression devices/systems (simulated)</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-14">
-         <title>Temperature and Humidity Controls</title>
-         <param id="pe-14_prm_1">
-            <label>organization-defined acceptable levels</label>
-            <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-         </param>
-         <param id="pe-14_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>continuously</constraint>
-         </param>
-         <prop name="label">PE-14</prop>
-         <prop name="sort-id">pe-14</prop>
-         <part id="pe-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains temperature and humidity levels within the facility where the
-                  information system resides at <insert param-id="pe-14_prm_1"/>; and</p>
-            </part>
-            <part id="pe-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Monitors temperature and humidity levels <insert param-id="pe-14_prm_2"/>.</p>
-            </part>
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pe-14_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources, for example, data centers, server rooms, and mainframe computer
-               rooms.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-14_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-14.a_obj" name="objective">
-               <prop name="label">PE-14(a)</prop>
-               <part id="pe-14.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(a)[1]</prop>
-                  <p>defines acceptable temperature levels to be maintained within the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(a)[2]</prop>
-                  <p>defines acceptable humidity levels to be maintained within the facility where
-                     the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(a)[3]</prop>
-                  <p>maintains temperature levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-               <part id="pe-14.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(a)[4]</prop>
-                  <p>maintains humidity levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-            </part>
-            <part id="pe-14.b_obj" name="objective">
-               <prop name="label">PE-14(b)</prop>
-               <part id="pe-14.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(b)[1]</prop>
-                  <p>defines the frequency to monitor temperature levels;</p>
-               </part>
-               <part id="pe-14.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(b)[2]</prop>
-                  <p>defines the frequency to monitor humidity levels;</p>
-               </part>
-               <part id="pe-14.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(b)[3]</prop>
-                  <p>monitors temperature levels with the organization-defined frequency; and</p>
-               </part>
-               <part id="pe-14.b_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(b)[4]</prop>
-                  <p>monitors humidity levels with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing temperature and humidity control</p>
-               <p>security plan</p>
-               <p>temperature and humidity controls</p>
-               <p>facility housing the information system</p>
-               <p>temperature and humidity controls documentation</p>
-               <p>temperature and humidity records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                  temperature and humidity levels</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-14.2">
-            <title>Monitoring with Alarms / Notifications</title>
-            <prop name="label">PE-14(2)</prop>
-            <prop name="sort-id">pe-14.02</prop>
-            <part id="pe-14.2_smt" name="statement">
-               <p>The organization employs temperature and humidity monitoring that provides an
-                  alarm or notification of changes potentially harmful to personnel or
-                  equipment.</p>
-            </part>
-            <part id="pe-14.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-14.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(2)[1]</prop>
-                  <p>employs temperature monitoring that provides an alarm of changes potentially
-                     harmful to personnel or equipment; and/or</p>
-               </part>
-               <part id="pe-14.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(2)[2]</prop>
-                  <p>employs temperature monitoring that provides notification of changes
-                     potentially harmful to personnel or equipment;</p>
-               </part>
-               <part id="pe-14.2_obj.3" name="objective">
-                  <prop name="label">PE-14(2)[3]</prop>
-                  <p>employs humidity monitoring that provides an alarm of changes potentially
-                     harmful to personnel or equipment; and/or</p>
-               </part>
-               <part id="pe-14.2_obj.4" name="objective">
-                  <prop name="label">PE-14(2)[4]</prop>
-                  <p>employs humidity monitoring that provides notification of changes potentially
-                     harmful to personnel or equipment.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing temperature and humidity monitoring</p>
-                  <p>facility housing the information system</p>
-                  <p>logs or records of temperature and humidity monitoring</p>
-                  <p>records of changes to temperature and humidity levels that generate alarms or
-                     notifications</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for information system
-                     environmental controls</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing temperature and humidity
-                     monitoring</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-15">
-         <title>Water Damage Protection</title>
-         <prop name="label">PE-15</prop>
-         <prop name="sort-id">pe-15</prop>
-         <part id="pe-15_smt" name="statement">
-            <p>The organization protects the information system from damage resulting from water
-               leakage by providing master shutoff or isolation valves that are accessible, working
-               properly, and known to key personnel.</p>
-         </part>
-         <part id="pe-15_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Isolation valves can be employed in addition to or in lieu of master
-               shutoff valves to shut off water supplies in specific areas of concern, without
-               affecting entire organizations.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-15_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization protects the information system from damage resulting
-               from water leakage by providing master shutoff or isolation valves that are: </p>
-            <part id="pe-15_obj.1" name="objective">
-               <prop name="label">PE-15[1]</prop>
-               <p>accessible;</p>
-            </part>
-            <part id="pe-15_obj.2" name="objective">
-               <prop name="label">PE-15[2]</prop>
-               <p>working properly; and</p>
-            </part>
-            <part id="pe-15_obj.3" name="objective">
-               <prop name="label">PE-15[3]</prop>
-               <p>known to key personnel.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing water damage protection</p>
-               <p>facility housing the information system</p>
-               <p>master shutoff valves</p>
-               <p>list of key personnel with knowledge of location and activation procedures for
-                  master shutoff valves for the plumbing system</p>
-               <p>master shutoff valve documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Master water-shutoff valves</p>
-               <p>organizational process for activating master water-shutoff</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-15.1">
-            <title>Automation Support</title>
-            <param id="pe-15.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-               <constraint>service provider building maintenance/physical security personnel</constraint>
-            </param>
-            <prop name="label">PE-15(1)</prop>
-            <prop name="sort-id">pe-15.01</prop>
-            <part id="pe-15.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to detect the presence of water in
-                  the vicinity of the information system and alerts <insert param-id="pe-15.1_prm_1"/>.</p>
-            </part>
-            <part id="pe-15.1_gdn" name="guidance">
-               <p>Automated mechanisms can include, for example, water detection sensors, alarms,
-                  and notification systems.</p>
-            </part>
-            <part id="pe-15.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-15.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-15(1)[1]</prop>
-                  <p>defines personnel or roles to be alerted when the presence of water is detected
-                     in the vicinity of the information system;</p>
-               </part>
-               <part id="pe-15.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-15(1)[2]</prop>
-                  <p>employs automated mechanisms to detect the presence of water in the vicinity of
-                     the information system; and</p>
-               </part>
-               <part id="pe-15.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-15(1)[3]</prop>
-                  <p>alerts organization-defined personnel or roles when the presence of water is
-                     detected in the vicinity of the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing water damage protection</p>
-                  <p>facility housing the information system</p>
-                  <p>automated mechanisms for water shutoff valves</p>
-                  <p>automated mechanisms detecting presence of water in vicinity of information
-                     system</p>
-                  <p>alerts/notifications of water detection in information system facility</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for information system
-                     environmental controls</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing water detection capability
-                     and alerts for the information system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-16">
-         <title>Delivery and Removal</title>
-         <param id="pe-16_prm_1">
-            <label>organization-defined types of information system components</label>
-            <constraint>all information system components</constraint>
-         </param>
-         <prop name="label">PE-16</prop>
-         <prop name="sort-id">pe-16</prop>
-         <part id="pe-16_smt" name="statement">
-            <p>The organization authorizes, monitors, and controls <insert param-id="pe-16_prm_1"/>
-               entering and exiting the facility and maintains records of those items.</p>
-         </part>
-         <part id="pe-16_gdn" name="guidance">
-            <p>Effectively enforcing authorizations for entry and exit of information system
-               components may require restricting access to delivery areas and possibly isolating
-               the areas from the information system and media libraries.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="pe-16_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-16_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PE-16[1]</prop>
-               <p>defines types of information system components to be authorized, monitored, and
-                  controlled as such components are entering and exiting the facility;</p>
-            </part>
-            <part id="pe-16_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[2]</prop>
-               <p>authorizes organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[3]</prop>
-               <p>monitors organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[4]</prop>
-               <p>controls organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.5" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[5]</prop>
-               <p>authorizes organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.6" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[6]</prop>
-               <p>monitors organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.7" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[7]</prop>
-               <p>controls organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.8" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-16[8]</prop>
-               <p>maintains records of information system components entering the facility; and</p>
-            </part>
-            <part id="pe-16_obj.9" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-16[9]</prop>
-               <p>maintains records of information system components exiting the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing delivery and removal of information system components from
-                  the facility</p>
-               <p>security plan</p>
-               <p>facility housing the information system</p>
-               <p>records of items entering and exiting the facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for controlling information system
-                  components entering and exiting the facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for authorizing, monitoring, and controlling information
-                  system-related items entering and exiting the facility</p>
-               <p>automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling information system-related items entering and exiting the facility</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-17">
-         <title>Alternate Work Site</title>
-         <param id="pe-17_prm_1">
-            <label>organization-defined security controls</label>
-         </param>
-         <prop name="label">PE-17</prop>
-         <prop name="sort-id">pe-17</prop>
-         <link href="#5309d4d0-46f8-4213-a749-e7584164e5e8" rel="reference">NIST Special Publication 800-46</link>
-         <part id="pe-17_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs <insert param-id="pe-17_prm_1"/> at alternate work sites;</p>
-            </part>
-            <part id="pe-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assesses as feasible, the effectiveness of security controls at alternate work
-                  sites; and</p>
-            </part>
-            <part id="pe-17_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides a means for employees to communicate with information security personnel
-                  in case of security incidents or problems.</p>
-            </part>
-         </part>
-         <part id="pe-17_gdn" name="guidance">
-            <p>Alternate work sites may include, for example, government facilities or private
-               residences of employees. While commonly distinct from alternative processing sites,
-               alternate work sites may provide readily available alternate locations as part of
-               contingency operations. Organizations may define different sets of security controls
-               for specific alternate work sites or types of sites depending on the work-related
-               activities conducted at those sites. This control supports the contingency planning
-               activities of organizations and the federal telework initiative.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-17_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-17.a_obj" name="objective">
-               <prop name="label">PE-17(a)</prop>
-               <part id="pe-17.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-17(a)[1]</prop>
-                  <p>defines security controls to be employed at alternate work sites;</p>
-               </part>
-               <part id="pe-17.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PE-17(a)[2]</prop>
-                  <p>employs organization-defined security controls at alternate work sites;</p>
-               </part>
-            </part>
-            <part id="pe-17.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-17(b)</prop>
-               <p>assesses, as feasible, the effectiveness of security controls at alternate work
-                  sites; and</p>
-            </part>
-            <part id="pe-17.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-17(c)</prop>
-               <p>provides a means for employees to communicate with information security personnel
-                  in case of security incidents or problems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing alternate work sites for organizational personnel</p>
-               <p>security plan</p>
-               <p>list of security controls required for alternate work sites</p>
-               <p>assessments of security controls at alternate work sites</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel approving use of alternate work sites</p>
-               <p>organizational personnel using alternate work sites</p>
-               <p>organizational personnel assessing controls at alternate work sites</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security at alternate work sites</p>
-               <p>automated mechanisms supporting alternate work sites</p>
-               <p>security controls employed at alternate work sites</p>
-               <p>means of communications between personnel at alternate work sites and security
-                  personnel</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-18">
-         <title>Location of Information System Components</title>
-         <param id="pe-18_prm_1">
-            <label>organization-defined physical and environmental hazards</label>
-            <constraint>physical and environmental hazards identified during threat assessment</constraint>
-         </param>
-         <prop name="label">PE-18</prop>
-         <prop name="sort-id">pe-18</prop>
-         <part id="pe-18_smt" name="statement">
-            <p>The organization positions information system components within the facility to
-               minimize potential damage from <insert param-id="pe-18_prm_1"/> and to minimize the
-               opportunity for unauthorized access.</p>
-         </part>
-         <part id="pe-18_gdn" name="guidance">
-            <p>Physical and environmental hazards include, for example, flooding, fire, tornados,
-               earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse,
-               electrical interference, and other forms of incoming electromagnetic radiation. In
-               addition, organizations consider the location of physical entry points where
-               unauthorized individuals, while not being granted access, might nonetheless be in
-               close proximity to information systems and therefore increase the potential for
-               unauthorized access to organizational communications (e.g., through the use of
-               wireless sniffers or microphones).</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#pe-19">PE-19</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pe-18_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-18_obj.1" name="objective">
-               <prop name="label">PE-18[1]</prop>
-               <p>defines physical hazards that could result in potential damage to information
-                  system components within the facility;</p>
-            </part>
-            <part id="pe-18_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PE-18[2]</prop>
-               <p>defines environmental hazards that could result in potential damage to information
-                  system components within the facility;</p>
-            </part>
-            <part id="pe-18_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-18[3]</prop>
-               <p>positions information system components within the facility to minimize potential
-                  damage from organization-defined physical and environmental hazards; and</p>
-            </part>
-            <part id="pe-18_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-18[4]</prop>
-               <p>positions information system components within the facility to minimize the
-                  opportunity for unauthorized access.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing positioning of information system components</p>
-               <p>documentation providing the location and position of information system components
-                  within the facility</p>
-               <p>locations housing information system components within the facility</p>
-               <p>list of physical and environmental hazards with potential to damage information
-                  system components within the facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for positioning information system
-                  components</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for positioning information system components</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pl">
-      <title>Planning</title>
-      <control class="SP800-53" id="pl-1">
-         <title>Security Planning Policy and Procedures</title>
-         <param id="pl-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="pl-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PL-1</prop>
-         <prop name="sort-id">pl-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pl-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pl-1_prm_1"/>:</p>
-               <part id="pl-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="pl-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security planning policy and
-                     associated security planning controls; and</p>
-               </part>
-            </part>
-            <part id="pl-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pl-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security planning policy <insert param-id="pl-1_prm_2"/>; and</p>
-               </part>
-               <part id="pl-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security planning procedures <insert param-id="pl-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pl-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PL
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pl-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pl-1.a_obj" name="objective">
-               <prop name="label">PL-1(a)</prop>
-               <part id="pl-1.a.1_obj" name="objective">
-                  <prop name="label">PL-1(a)(1)</prop>
-                  <part id="pl-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(1)[1]</prop>
-                     <p>develops and documents a planning policy that addresses:</p>
-                     <part id="pl-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pl-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the planning policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PL-1(a)(1)[3]</prop>
-                     <p>disseminates the planning policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="pl-1.a.2_obj" name="objective">
-                  <prop name="label">PL-1(a)(2)</prop>
-                  <part id="pl-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        planning policy and associated planning controls;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PL-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pl-1.b_obj" name="objective">
-               <prop name="label">PL-1(b)</prop>
-               <part id="pl-1.b.1_obj" name="objective">
-                  <prop name="label">PL-1(b)(1)</prop>
-                  <part id="pl-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current planning policy;</p>
-                  </part>
-                  <part id="pl-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current planning policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pl-1.b.2_obj" name="objective">
-                  <prop name="label">PL-1(b)(2)</prop>
-                  <part id="pl-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current planning procedures;
-                        and</p>
-                  </part>
-                  <part id="pl-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current planning procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-2">
-         <title>System Security Plan</title>
-         <param id="pl-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-2_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PL-2</prop>
-         <prop name="sort-id">pl-02</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security plan for the information system that:</p>
-               <part id="pl-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring decisions; and</p>
-               </part>
-               <part id="pl-2_smt.a.9" name="item">
-                  <prop name="label">9.</prop>
-                  <p>Is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the security plan and communicates subsequent changes to the
-                  plan to <insert param-id="pl-2_prm_1"/>;</p>
-            </part>
-            <part id="pl-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the security plan for the information system <insert param-id="pl-2_prm_2"/>;</p>
-            </part>
-            <part id="pl-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the plan to address changes to the information system/environment of
-                  operation or problems identified during plan implementation or security control
-                  assessments; and</p>
-            </part>
-            <part id="pl-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Protects the security plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part id="pl-2_gdn" name="guidance">
-            <p>Security plans relate security requirements to a set of security controls and control
-               enhancements. Security plans also describe, at a high level, how the security
-               controls and control enhancements meet those security requirements, but do not
-               provide detailed, technical descriptions of the specific design or implementation of
-               the controls/enhancements. Security plans contain sufficient information (including
-               the specification of parameter values for assignment and selection statements either
-               explicitly or by reference) to enable a design and implementation that is
-               unambiguously compliant with the intent of the plans and subsequent determinations of
-               risk to organizational operations and assets, individuals, other organizations, and
-               the Nation if the plan is implemented as intended. Organizations can also apply
-               tailoring guidance to the security control baselines in Appendix D and CNSS
-               Instruction 1253 to develop overlays for community-wide use or to address specialized
-               requirements, technologies, or missions/environments of operation (e.g.,
-               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-               Access Management, space operations). Appendix I provides guidance on developing
-               overlays. Security plans need not be single documents; the plans can be a collection
-               of various documents including documents that already exist. Effective security plans
-               make extensive use of references to policies, procedures, and additional documents
-               (e.g., design and implementation specifications) where more detailed information can
-               be obtained. This reduces the documentation requirements associated with security
-               programs and maintains security-related information in other established
-               management/operational areas related to enterprise architecture, system development
-               life cycle, systems engineering, and acquisition. For example, security plans do not
-               contain detailed contingency plan or incident response plan information but instead
-               provide explicitly or by reference, sufficient information to define what needs to be
-               accomplished by those plans.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-7">PL-7</link>
-            <link rel="related" href="#pm-1">PM-1</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-         </part>
-         <part id="pl-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-2.a_obj" name="objective">
-               <prop name="label">PL-2(a)</prop>
-               <p>develops a security plan for the information system that:</p>
-               <part id="pl-2.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(1)</prop>
-                  <p>is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(2)</prop>
-                  <p>explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(3)</prop>
-                  <p>describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(4)</prop>
-                  <p>provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(5)</prop>
-                  <p>describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2.a.6_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(6)</prop>
-                  <p>provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2.a.7_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(7)</prop>
-                  <p>identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2.a.8_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(8)</prop>
-                  <p>describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring and supplemental
-                     decisions;</p>
-               </part>
-               <part id="pl-2.a.9_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-2(a)(9)</prop>
-                  <p>is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2.b_obj" name="objective">
-               <prop name="label">PL-2(b)</prop>
-               <part id="pl-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(b)[1]</prop>
-                  <p>defines personnel or roles to whom copies of the security plan are to be
-                     distributed and subsequent changes to the plan are to be communicated;</p>
-               </part>
-               <part id="pl-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-2(b)[2]</prop>
-                  <p>distributes copies of the security plan and communicates subsequent changes to
-                     the plan to organization-defined personnel or roles;</p>
-               </part>
-            </part>
-            <part id="pl-2.c_obj" name="objective">
-               <prop name="label">PL-2(c)</prop>
-               <part id="pl-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(c)[1]</prop>
-                  <p>defines the frequency to review the security plan for the information
-                     system;</p>
-               </part>
-               <part id="pl-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(c)[2]</prop>
-                  <p>reviews the security plan for the information system with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pl-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-2(d)</prop>
-               <p>updates the plan to address:</p>
-               <part id="pl-2.d_obj.1" name="objective">
-                  <prop name="label">PL-2(d)[1]</prop>
-                  <p>changes to the information system/environment of operation;</p>
-               </part>
-               <part id="pl-2.d_obj.2" name="objective">
-                  <prop name="label">PL-2(d)[2]</prop>
-                  <p>problems identified during plan implementation;</p>
-               </part>
-               <part id="pl-2.d_obj.3" name="objective">
-                  <prop name="label">PL-2(d)[3]</prop>
-                  <p>problems identified during security control assessments;</p>
-               </part>
-            </part>
-            <part id="pl-2.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-2(e)</prop>
-               <p>protects the security plan from unauthorized:</p>
-               <part id="pl-2.e_obj.1" name="objective">
-                  <prop name="label">PL-2(e)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="pl-2.e_obj.2" name="objective">
-                  <prop name="label">PL-2(e)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing security plan development and implementation</p>
-               <p>procedures addressing security plan reviews and updates</p>
-               <p>enterprise architecture documentation</p>
-               <p>security plan for the information system</p>
-               <p>records of security plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security plan development/review/update/approval</p>
-               <p>automated mechanisms supporting the information system security plan</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-2.3">
-            <title>Plan / Coordinate with Other Organizational Entities</title>
-            <param id="pl-2.3_prm_1">
-               <label>organization-defined individuals or groups</label>
-            </param>
-            <prop name="label">PL-2(3)</prop>
-            <prop name="sort-id">pl-02.03</prop>
-            <part id="pl-2.3_smt" name="statement">
-               <p>The organization plans and coordinates security-related activities affecting the
-                  information system with <insert param-id="pl-2.3_prm_1"/> before conducting such
-                  activities in order to reduce the impact on other organizational entities.</p>
-            </part>
-            <part id="pl-2.3_gdn" name="guidance">
-               <p>Security-related activities include, for example, security assessments, audits,
-                  hardware and software maintenance, patch management, and contingency plan testing.
-                  Advance planning and coordination includes emergency and nonemergency (i.e.,
-                  planned or nonurgent unplanned) situations. The process defined by organizations
-                  to plan and coordinate security-related activities can be included in security
-                  plans for information systems or other documents, as appropriate.</p>
-               <link rel="related" href="#cp-4">CP-4</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="pl-2.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pl-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(3)[1]</prop>
-                  <p>defines individuals or groups with whom security-related activities affecting
-                     the information system are to be planned and coordinated before conducting such
-                     activities in order to reduce the impact on other organizational entities;
-                     and</p>
-               </part>
-               <part id="pl-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PL-2(3)[2]</prop>
-                  <p>plans and coordinates security-related activities affecting the information
-                     system with organization-defined individuals or groups before conducting such
-                     activities in order to reduce the impact on other organizational entities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security planning policy</p>
-                  <p>access control policy</p>
-                  <p>contingency planning policy</p>
-                  <p>procedures addressing security-related activity planning for the information
-                     system</p>
-                  <p>security plan for the information system</p>
-                  <p>contingency plan for the information system</p>
-                  <p>information system design documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational individuals or groups with whom security-related activities are
-                     to be planned and coordinated</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-4">
-         <title>Rules of Behavior</title>
-         <param id="pl-4_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>annually</constraint>
-         </param>
-         <prop name="label">PL-4</prop>
-         <prop name="sort-id">pl-04</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and makes readily available to individuals requiring access to the
-                  information system, the rules that describe their responsibilities and expected
-                  behavior with regard to information and information system usage;</p>
-            </part>
-            <part id="pl-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Receives a signed acknowledgment from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates the rules of behavior <insert param-id="pl-4_prm_1"/>; and</p>
-            </part>
-            <part id="pl-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires individuals who have signed a previous version of the rules of behavior
-                  to read and re-sign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part id="pl-4_gdn" name="guidance">
-            <p>This control enhancement applies to organizational users. Organizations consider
-               rules of behavior based on individual user roles and responsibilities,
-               differentiating, for example, between rules that apply to privileged users and rules
-               that apply to general users. Establishing rules of behavior for some types of
-               non-organizational users including, for example, individuals who simply receive
-               data/information from federal information systems, is often not feasible given the
-               large number of such users and the limited nature of their interactions with the
-               systems. Rules of behavior for both organizational and non-organizational users can
-               also be established in AC-8, System Use Notification. PL-4 b. (the signed
-               acknowledgment portion of this control) may be satisfied by the security awareness
-               training and role-based security training programs conducted by organizations if such
-               training includes rules of behavior. Organizations can use electronic signatures for
-               acknowledging rules of behavior.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-         </part>
-         <part id="pl-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-4.a_obj" name="objective">
-               <prop name="label">PL-4(a)</prop>
-               <part id="pl-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-4(a)[1]</prop>
-                  <p>establishes, for individuals requiring access to the information system, the
-                     rules that describe their responsibilities and expected behavior with regard to
-                     information and information system usage;</p>
-               </part>
-               <part id="pl-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(a)[2]</prop>
-                  <p>makes readily available to individuals requiring access to the information
-                     system, the rules that describe their responsibilities and expected behavior
-                     with regard to information and information system usage;</p>
-               </part>
-            </part>
-            <part id="pl-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-4(b)</prop>
-               <p>receives a signed acknowledgement from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4.c_obj" name="objective">
-               <prop name="label">PL-4(c)</prop>
-               <part id="pl-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-4(c)[1]</prop>
-                  <p>defines the frequency to review and update the rules of behavior;</p>
-               </part>
-               <part id="pl-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(c)[2]</prop>
-                  <p>reviews and updates the rules of behavior with the organization-defined
-                     frequency; and</p>
-               </part>
-            </part>
-            <part id="pl-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-4(d)</prop>
-               <p>requires individuals who have signed a previous version of the rules of behavior
-                  to read and resign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing rules of behavior for information system users</p>
-               <p>rules of behavior</p>
-               <p>signed acknowledgements</p>
-               <p>records for rules of behavior reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for establishing, reviewing, and
-                  updating rules of behavior</p>
-               <p>organizational personnel who are authorized users of the information system and
-                  have signed and resigned rules of behavior</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for establishing, reviewing, disseminating, and updating
-                  rules of behavior</p>
-               <p>automated mechanisms supporting and/or implementing the establishment, review,
-                  dissemination, and update of rules of behavior</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-4.1">
-            <title>Social Media and Networking Restrictions</title>
-            <prop name="label">PL-4(1)</prop>
-            <prop name="sort-id">pl-04.01</prop>
-            <part id="pl-4.1_smt" name="statement">
-               <p>The organization includes in the rules of behavior, explicit restrictions on the
-                  use of social media/networking sites and posting organizational information on
-                  public websites.</p>
-            </part>
-            <part id="pl-4.1_gdn" name="guidance">
-               <p>This control enhancement addresses rules of behavior related to the use of social
-                  media/networking sites: (i) when organizational personnel are using such sites for
-                  official duties or in the conduct of official business; (ii) when organizational
-                  information is involved in social media/networking transactions; and (iii) when
-                  personnel are accessing social media/networking sites from organizational
-                  information systems. Organizations also address specific rules that prevent
-                  unauthorized entities from obtaining and/or inferring non-public organizational
-                  information (e.g., system account information, personally identifiable
-                  information) from social media/networking sites.</p>
-            </part>
-            <part id="pl-4.1_obj" name="objective">
-               <p>Determine if the organization includes the following in the rules of behavior: </p>
-               <part id="pl-4.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(1)[1]</prop>
-                  <p>explicit restrictions on the use of social media/networking sites; and</p>
-               </part>
-               <part id="pl-4.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(1)[2]</prop>
-                  <p>posting organizational information on public websites.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security planning policy</p>
-                  <p>procedures addressing rules of behavior for information system users</p>
-                  <p>rules of behavior</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for establishing, reviewing, and
-                     updating rules of behavior</p>
-                  <p>organizational personnel who are authorized users of the information system and
-                     have signed rules of behavior</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for establishing rules of behavior</p>
-                  <p>automated mechanisms supporting and/or implementing the establishment of rules
-                     of behavior</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-8">
-         <title>Information Security Architecture</title>
-         <param id="pl-8_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or when a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PL-8</prop>
-         <prop name="sort-id">pl-08</prop>
-         <part id="pl-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops an information security architecture for the information system that:</p>
-               <part id="pl-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Describes the overall philosophy, requirements, and approach to be taken with
-                     regard to protecting the confidentiality, integrity, and availability of
-                     organizational information;</p>
-               </part>
-               <part id="pl-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Describes how the information security architecture is integrated into and
-                     supports the enterprise architecture; and</p>
-               </part>
-               <part id="pl-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Describes any information security assumptions about, and dependencies on,
-                     external services;</p>
-               </part>
-            </part>
-            <part id="pl-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the information security architecture <insert param-id="pl-8_prm_1"/> to reflect updates in the enterprise architecture;
-                  and</p>
-            </part>
-            <part id="pl-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that planned information security architecture changes are reflected in
-                  the security plan, the security Concept of Operations (CONOPS), and organizational
-                  procurements/acquisitions.</p>
-            </part>
-            <part id="pl-8_fr" name="item">
-               <title>PL-8(b) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pl-8_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pl-8_gdn" name="guidance">
-            <p>This control addresses actions taken by organizations in the design and development
-               of information systems. The information security architecture at the individual
-               information system level is consistent with and complements the more global,
-               organization-wide information security architecture described in PM-7 that is
-               integral to and developed as part of the enterprise architecture. The information
-               security architecture includes an architectural description, the placement/allocation
-               of security functionality (including security controls), security-related information
-               for external interfaces, information being exchanged across the interfaces, and the
-               protection mechanisms associated with each interface. In addition, the security
-               architecture can include other important security-related information, for example,
-               user roles and access privileges assigned to each role, unique security requirements,
-               the types of information processed, stored, and transmitted by the information
-               system, restoration priorities of information and information system services, and
-               any other specific protection needs. In today’s modern architecture, it is becoming
-               less common for organizations to control all information resources. There are going
-               to be key dependencies on external information services and service providers.
-               Describing such dependencies in the information security architecture is important to
-               developing a comprehensive mission/business protection strategy. Establishing,
-               developing, documenting, and maintaining under configuration control, a baseline
-               configuration for organizational information systems is critical to implementing and
-               maintaining an effective information security architecture. The development of the
-               information security architecture is coordinated with the Senior Agency Official for
-               Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to
-               support privacy requirements are identified and effectively implemented. PL-8 is
-               primarily directed at organizations (i.e., internally focused) to help ensure that
-               organizations develop an information security architecture for the information
-               system, and that the security architecture is integrated with or tightly coupled to
-               the enterprise architecture through the organization-wide information security
-               architecture. In contrast, SA-17 is primarily directed at external information
-               technology product/system developers and integrators (although SA-17 could be used
-               internally within organizations for in-house system development). SA-17, which is
-               complementary to PL-8, is selected when organizations outsource the development of
-               information systems or information system components to external entities, and there
-               is a need to demonstrate/show consistency with the organization’s enterprise
-               architecture and information security architecture.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-            <link rel="related" href="https://doi.org/10.6028/NIST.SP.800-53r4">Appendix J</link>
-         </part>
-         <part id="pl-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PL-8(a)</prop>
-               <p>develops an information security architecture for the information system that
-                  describes:</p>
-               <part id="pl-8.a.1_obj" name="objective">
-                  <prop name="label">PL-8(a)(1)</prop>
-                  <p>the overall philosophy, requirements, and approach to be taken with regard to
-                     protecting the confidentiality, integrity, and availability of organizational
-                     information;</p>
-               </part>
-               <part id="pl-8.a.2_obj" name="objective">
-                  <prop name="label">PL-8(a)(2)</prop>
-                  <p>how the information security architecture is integrated into and supports the
-                     enterprise architecture;</p>
-               </part>
-               <part id="pl-8.a.3_obj" name="objective">
-                  <prop name="label">PL-8(a)(3)</prop>
-                  <p>any information security assumptions about, and dependencies on, external
-                     services;</p>
-               </part>
-            </part>
-            <part id="pl-8.b_obj" name="objective">
-               <prop name="label">PL-8(b)</prop>
-               <part id="pl-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-8(b)[1]</prop>
-                  <p>defines the frequency to review and update the information security
-                     architecture;</p>
-               </part>
-               <part id="pl-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-8(b)[2]</prop>
-                  <p>reviews and updates the information security architecture with the
-                     organization-defined frequency to reflect updates in the enterprise
-                     architecture;</p>
-               </part>
-            </part>
-            <part id="pl-8.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-8(c)</prop>
-               <p>ensures that planned information security architecture changes are reflected
-                  in:</p>
-               <part id="pl-8.c_obj.1" name="objective">
-                  <prop name="label">PL-8(c)[1]</prop>
-                  <p>the security plan;</p>
-               </part>
-               <part id="pl-8.c_obj.2" name="objective">
-                  <prop name="label">PL-8(c)[2]</prop>
-                  <p>the security Concept of Operations (CONOPS); and</p>
-               </part>
-               <part id="pl-8.c_obj.3" name="objective">
-                  <prop name="label">PL-8(c)[3]</prop>
-                  <p>the organizational procurements/acquisitions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing information security architecture development</p>
-               <p>procedures addressing information security architecture reviews and updates</p>
-               <p>enterprise architecture documentation</p>
-               <p>information security architecture documentation</p>
-               <p>security plan for the information system</p>
-               <p>security CONOPS for the information system</p>
-               <p>records of information security architecture reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security architecture development
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing, reviewing, and updating the information
-                  security architecture</p>
-               <p>automated mechanisms supporting and/or implementing the development, review, and
-                  update of the information security architecture</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ps">
-      <title>Personnel Security</title>
-      <control class="SP800-53" id="ps-1">
-         <title>Personnel Security Policy and Procedures</title>
-         <param id="ps-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ps-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-1</prop>
-         <prop name="sort-id">ps-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ps-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ps-1_prm_1"/>:</p>
-               <part id="ps-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A personnel security policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ps-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the personnel security policy
-                     and associated personnel security controls; and</p>
-               </part>
-            </part>
-            <part id="ps-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ps-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Personnel security policy <insert param-id="ps-1_prm_2"/>; and</p>
-               </part>
-               <part id="ps-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Personnel security procedures <insert param-id="ps-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PS
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ps-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-1.a_obj" name="objective">
-               <prop name="label">PS-1(a)</prop>
-               <part id="ps-1.a.1_obj" name="objective">
-                  <prop name="label">PS-1(a)(1)</prop>
-                  <part id="ps-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(1)[1]</prop>
-                     <p>develops and documents an personnel security policy that addresses:</p>
-                     <part id="ps-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ps-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the personnel security policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PS-1(a)(1)[3]</prop>
-                     <p>disseminates the personnel security policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ps-1.a.2_obj" name="objective">
-                  <prop name="label">PS-1(a)(2)</prop>
-                  <part id="ps-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        personnel security policy and associated personnel security controls;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PS-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ps-1.b_obj" name="objective">
-               <prop name="label">PS-1(b)</prop>
-               <part id="ps-1.b.1_obj" name="objective">
-                  <prop name="label">PS-1(b)(1)</prop>
-                  <part id="ps-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        policy;</p>
-                  </part>
-                  <part id="ps-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current personnel security policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ps-1.b.2_obj" name="objective">
-                  <prop name="label">PS-1(b)(2)</prop>
-                  <part id="ps-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        procedures; and</p>
-                  </part>
-                  <part id="ps-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current personnel security procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-2">
-         <title>Position Risk Designation</title>
-         <param id="ps-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="label">PS-2</prop>
-         <prop name="sort-id">ps-02</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <part id="ps-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes screening criteria for individuals filling those positions; and</p>
-            </part>
-            <part id="ps-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates position risk designations <insert param-id="ps-2_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-2_gdn" name="guidance">
-            <p>Position risk designations reflect Office of Personnel Management policy and
-               guidance. Risk designations can guide and inform the types of authorizations
-               individuals receive when accessing organizational information and information
-               systems. Position screening criteria include explicit information security role
-               appointment requirements (e.g., training, security clearances).</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="ps-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-2(a)</prop>
-               <p>assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-2(b)</prop>
-               <p>establishes screening criteria for individuals filling those positions;</p>
-            </part>
-            <part id="ps-2.c_obj" name="objective">
-               <prop name="label">PS-2(c)</prop>
-               <part id="ps-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-2(c)[1]</prop>
-                  <p>defines the frequency to review and update position risk designations; and</p>
-               </part>
-               <part id="ps-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-2(c)[2]</prop>
-                  <p>reviews and updates position risk designations with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing position categorization</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>list of risk designations for organizational positions</p>
-               <p>security plan</p>
-               <p>records of position risk designation reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for assigning, reviewing, and updating position risk
-                  designations</p>
-               <p>organizational processes for establishing screening criteria</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-3">
-         <title>Personnel Screening</title>
-         <param id="ps-3_prm_1">
-            <label>organization-defined conditions requiring rescreening and, where rescreening is
-               so indicated, the frequency of such rescreening</label>
-            <constraint>for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-3</prop>
-         <prop name="sort-id">ps-03</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <part id="ps-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Screens individuals prior to authorizing access to the information system; and</p>
-            </part>
-            <part id="ps-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Rescreens individuals according to <insert param-id="ps-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-3_gdn" name="guidance">
-            <p>Personnel screening and rescreening activities reflect applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, guidance, and
-               specific criteria established for the risk designations of assigned positions.
-               Organizations may define different rescreening conditions and frequencies for
-               personnel accessing information systems based on types of information processed,
-               stored, or transmitted by the systems.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-         </part>
-         <part id="ps-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-3(a)</prop>
-               <p>screens individuals prior to authorizing access to the information system;</p>
-            </part>
-            <part id="ps-3.b_obj" name="objective">
-               <prop name="label">PS-3(b)</prop>
-               <part id="ps-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-3(b)[1]</prop>
-                  <p>defines conditions requiring re-screening;</p>
-               </part>
-               <part id="ps-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-3(b)[2]</prop>
-                  <p>defines the frequency of re-screening where it is so indicated; and</p>
-               </part>
-               <part id="ps-3.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-3(b)[3]</prop>
-                  <p>re-screens individuals in accordance with organization-defined conditions
-                     requiring re-screening and, where re-screening is so indicated, with the
-                     organization-defined frequency of such re-screening.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel screening</p>
-               <p>records of screened personnel</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel screening</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-3.3">
-            <title>Information with Special Protection Measures</title>
-            <param id="ps-3.3_prm_1">
-               <label>organization-defined additional personnel screening criteria</label>
-               <constraint>personnel screening criteria - as required by specific information</constraint>
-            </param>
-            <prop name="label">PS-3(3)</prop>
-            <prop name="sort-id">ps-03.03</prop>
-            <part id="ps-3.3_smt" name="statement">
-               <p>The organization ensures that individuals accessing an information system
-                  processing, storing, or transmitting information requiring special protection:</p>
-               <part id="ps-3.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Have valid access authorizations that are demonstrated by assigned official
-                     government duties; and</p>
-               </part>
-               <part id="ps-3.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Satisfy <insert param-id="ps-3.3_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="ps-3.3_gdn" name="guidance">
-               <p>Organizational information requiring special protection includes, for example,
-                  Controlled Unclassified Information (CUI) and Sources and Methods Information
-                  (SAMI). Personnel security criteria include, for example, position sensitivity
-                  background screening requirements.</p>
-            </part>
-            <part id="ps-3.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ps-3.3.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-3(3)(a)</prop>
-                  <p>ensures that individuals accessing an information system processing, storing,
-                     or transmitting information requiring special protection have valid access
-                     authorizations that are demonstrated by assigned official government
-                     duties;</p>
-                  <link rel="corresp" href="#ps-3.3_smt.a">PS-3(3)(a)</link>
-               </part>
-               <part id="ps-3.3.b_obj" name="objective">
-                  <prop name="label">PS-3(3)(b)</prop>
-                  <part id="ps-3.3.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-3(3)(b)[1]</prop>
-                     <p>defines additional personnel screening criteria to be satisfied for
-                        individuals accessing an information system processing, storing, or
-                        transmitting information requiring special protection; and</p>
-                  </part>
-                  <part id="ps-3.3.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">PS-3(3)(b)[2]</prop>
-                     <p>ensures that individuals accessing an information system processing,
-                        storing, or transmitting information requiring special protection satisfy
-                        organization-defined additional personnel screening criteria.</p>
-                  </part>
-                  <link rel="corresp" href="#ps-3.3_smt.b">PS-3(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>access control policy, procedures addressing personnel screening</p>
-                  <p>records of screened personnel</p>
-                  <p>screening criteria</p>
-                  <p>records of access authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for ensuring valid access authorizations for
-                     information requiring special protection</p>
-                  <p>organizational process for additional personnel screening for information
-                     requiring special protection</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-4">
-         <title>Personnel Termination</title>
-         <param id="ps-4_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>eight (8) hours</constraint>
-         </param>
-         <param id="ps-4_prm_2">
-            <label>organization-defined information security topics</label>
-         </param>
-         <param id="ps-4_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-4_prm_4">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-4</prop>
-         <prop name="sort-id">ps-04</prop>
-         <part id="ps-4_smt" name="statement">
-            <p>The organization, upon termination of individual employment:</p>
-            <part id="ps-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Disables information system access within <insert param-id="ps-4_prm_1"/>;</p>
-            </part>
-            <part id="ps-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts exit interviews that include a discussion of <insert param-id="ps-4_prm_2"/>;</p>
-            </part>
-            <part id="ps-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Retains access to organizational information and information systems formerly
-                  controlled by terminated individual; and</p>
-            </part>
-            <part id="ps-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Notifies <insert param-id="ps-4_prm_3"/> within <insert param-id="ps-4_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-4_gdn" name="guidance">
-            <p>Information system-related property includes, for example, hardware authentication
-               tokens, system administration technical manuals, keys, identification cards, and
-               building passes. Exit interviews ensure that terminated individuals understand the
-               security constraints imposed by being former employees and that proper accountability
-               is achieved for information system-related property. Security topics of interest at
-               exit interviews can include, for example, reminding terminated individuals of
-               nondisclosure agreements and potential limitations on future employment. Exit
-               interviews may not be possible for some terminated individuals, for example, in cases
-               related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-               interviews are important for individuals with security clearances. Timely execution
-               of termination actions is essential for individuals terminated for cause. In certain
-               situations, organizations consider disabling the information system accounts of
-               individuals that are being terminated prior to the individuals being notified.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-4_obj" name="objective">
-            <p>Determine if the organization, upon termination of individual employment,:</p>
-            <part id="ps-4.a_obj" name="objective">
-               <prop name="label">PS-4(a)</prop>
-               <part id="ps-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(a)[1]</prop>
-                  <p>defines a time period within which to disable information system access;</p>
-               </part>
-               <part id="ps-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-4(a)[2]</prop>
-                  <p>disables information system access within the organization-defined time
-                     period;</p>
-               </part>
-            </part>
-            <part id="ps-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-4(b)</prop>
-               <p>terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4.c_obj" name="objective">
-               <prop name="label">PS-4(c)</prop>
-               <part id="ps-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(c)[1]</prop>
-                  <p>defines information security topics to be discussed when conducting exit
-                     interviews;</p>
-               </part>
-               <part id="ps-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-4(c)[2]</prop>
-                  <p>conducts exit interviews that include a discussion of organization-defined
-                     information security topics;</p>
-               </part>
-            </part>
-            <part id="ps-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-4(d)</prop>
-               <p>retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-4(e)</prop>
-               <p>retains access to organizational information and information systems formerly
-                  controlled by the terminated individual;</p>
-            </part>
-            <part id="ps-4.f_obj" name="objective">
-               <prop name="label">PS-4(f)</prop>
-               <part id="ps-4.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(f)[1]</prop>
-                  <p>defines personnel or roles to be notified of the termination;</p>
-               </part>
-               <part id="ps-4.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(f)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles; and</p>
-               </part>
-               <part id="ps-4.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-4(f)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel termination</p>
-               <p>records of personnel termination actions</p>
-               <p>list of information system accounts</p>
-               <p>records of terminated or revoked authenticators/credentials</p>
-               <p>records of exit interviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel termination</p>
-               <p>automated mechanisms supporting and/or implementing personnel termination
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-4.2">
-            <title>Automated Notification</title>
-            <param id="ps-4.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-               <constraint>access control personnel responsible for disabling access to the system</constraint>
-            </param>
-            <prop name="label">PS-4(2)</prop>
-            <prop name="sort-id">ps-04.02</prop>
-            <part id="ps-4.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to notify <insert param-id="ps-4.2_prm_1"/> upon termination of an individual.</p>
-            </part>
-            <part id="ps-4.2_gdn" name="guidance">
-               <p>In organizations with a large number of employees, not all personnel who need to
-                  know about termination actions receive the appropriate notifications—or, if such
-                  notifications are received, they may not occur in a timely manner. Automated
-                  mechanisms can be used to send automatic alerts or notifications to specific
-                  organizational personnel or roles (e.g., management personnel, supervisors,
-                  personnel security officers, information security officers, systems
-                  administrators, or information technology administrators) when individuals are
-                  terminated. Such automatic alerts or notifications can be conveyed in a variety of
-                  ways, including, for example, telephonically, via electronic mail, via text
-                  message, or via websites.</p>
-            </part>
-            <part id="ps-4.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ps-4.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(2)[1]</prop>
-                  <p>defines personnel or roles to be notified upon termination of an individual;
-                     and</p>
-               </part>
-               <part id="ps-4.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-4(2)[2]</prop>
-                  <p>employs automated mechanisms to notify organization-defined personnel or roles
-                     upon termination of an individual.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>procedures addressing personnel termination</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of personnel termination actions</p>
-                  <p>automated notifications of employee terminations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for personnel termination</p>
-                  <p>automated mechanisms supporting and/or implementing personnel termination
-                     notifications</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-5">
-         <title>Personnel Transfer</title>
-         <param id="ps-5_prm_1">
-            <label>organization-defined transfer or reassignment actions</label>
-         </param>
-         <param id="ps-5_prm_2">
-            <label>organization-defined time period following the formal transfer action</label>
-            <constraint>twenty-four (24) hours</constraint>
-         </param>
-         <param id="ps-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-5_prm_4">
-            <label>organization-defined time period</label>
-            <constraint>twenty-four (24) hours</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-5</prop>
-         <prop name="sort-id">ps-05</prop>
-         <part id="ps-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and confirms ongoing operational need for current logical and physical
-                  access authorizations to information systems/facilities when individuals are
-                  reassigned or transferred to other positions within the organization;</p>
-            </part>
-            <part id="ps-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Initiates <insert param-id="ps-5_prm_1"/> within <insert param-id="ps-5_prm_2"/>;</p>
-            </part>
-            <part id="ps-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer; and</p>
-            </part>
-            <part id="ps-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Notifies <insert param-id="ps-5_prm_3"/> within <insert param-id="ps-5_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-5_gdn" name="guidance">
-            <p>This control applies when reassignments or transfers of individuals are permanent or
-               of such extended durations as to make the actions warranted. Organizations define
-               actions appropriate for the types of reassignments or transfers, whether permanent or
-               extended. Actions that may be required for personnel transfers or reassignments to
-               other positions within organizations include, for example: (i) returning old and
-               issuing new keys, identification cards, and building passes; (ii) closing information
-               system accounts and establishing new accounts; (iii) changing information system
-               access authorizations (i.e., privileges); and (iv) providing for access to official
-               records to which individuals had access at previous work locations and in previous
-               information system accounts.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-         </part>
-         <part id="ps-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-5.a_obj" name="objective">
-               <prop name="label">PS-5(a)</prop>
-               <p>when individuals are reassigned or transferred to other positions within the
-                  organization, reviews and confirms ongoing operational need for current:</p>
-               <part id="ps-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-5(a)[1]</prop>
-                  <p>logical access authorizations to information systems;</p>
-               </part>
-               <part id="ps-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-5(a)[2]</prop>
-                  <p>physical access authorizations to information systems and facilities;</p>
-               </part>
-            </part>
-            <part id="ps-5.b_obj" name="objective">
-               <prop name="label">PS-5(b)</prop>
-               <part id="ps-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(b)[1]</prop>
-                  <p>defines transfer or reassignment actions to be initiated following transfer or
-                     reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(b)[2]</prop>
-                  <p>defines the time period within which transfer or reassignment actions must
-                     occur following transfer or reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-5(b)[3]</prop>
-                  <p>initiates organization-defined transfer or reassignment actions within the
-                     organization-defined time period following transfer or reassignment;</p>
-               </part>
-            </part>
-            <part id="ps-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-5(c)</prop>
-               <p>modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer;</p>
-            </part>
-            <part id="ps-5.d_obj" name="objective">
-               <prop name="label">PS-5(d)</prop>
-               <part id="ps-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(d)[1]</prop>
-                  <p>defines personnel or roles to be notified when individuals are reassigned or
-                     transferred to other positions within the organization;</p>
-               </part>
-               <part id="ps-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(d)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles when individuals are reassigned or transferred to other positions
-                     within the organization; and</p>
-               </part>
-               <part id="ps-5.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-5(d)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when individuals are reassigned or transferred
-                     to other positions within the organization.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel transfer</p>
-               <p>security plan</p>
-               <p>records of personnel transfer actions</p>
-               <p>list of information system and facility access authorizations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities organizational
-                  personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel transfer</p>
-               <p>automated mechanisms supporting and/or implementing personnel transfer
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-6">
-         <title>Access Agreements</title>
-         <param id="ps-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ps-6_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually and any time there is a change to the user's level of access</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-6</prop>
-         <prop name="sort-id">ps-06</prop>
-         <part id="ps-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the access agreements <insert param-id="ps-6_prm_1"/>; and</p>
-            </part>
-            <part id="ps-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that individuals requiring access to organizational information and
-                  information systems:</p>
-               <part id="ps-6_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Sign appropriate access agreements prior to being granted access; and</p>
-               </part>
-               <part id="ps-6_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Re-sign access agreements to maintain access to organizational information
-                     systems when access agreements have been updated or <insert param-id="ps-6_prm_2"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-6_gdn" name="guidance">
-            <p>Access agreements include, for example, nondisclosure agreements, acceptable use
-               agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-               agreements include an acknowledgement that individuals have read, understand, and
-               agree to abide by the constraints associated with organizational information systems
-               to which access is authorized. Organizations can use electronic signatures to
-               acknowledge access agreements unless specifically prohibited by organizational
-               policy.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-         </part>
-         <part id="ps-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-6(a)</prop>
-               <p>develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6.b_obj" name="objective">
-               <prop name="label">PS-6(b)</prop>
-               <part id="ps-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-6(b)[1]</prop>
-                  <p>defines the frequency to review and update the access agreements;</p>
-               </part>
-               <part id="ps-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-6(b)[2]</prop>
-                  <p>reviews and updates the access agreements with the organization-defined
-                     frequency;</p>
-               </part>
-            </part>
-            <part id="ps-6.c_obj" name="objective">
-               <prop name="label">PS-6(c)</prop>
-               <part id="ps-6.c.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-6(c)(1)</prop>
-                  <p>ensures that individuals requiring access to organizational information and
-                     information systems sign appropriate access agreements prior to being granted
-                     access;</p>
-               </part>
-               <part id="ps-6.c.2_obj" name="objective">
-                  <prop name="label">PS-6(c)(2)</prop>
-                  <part id="ps-6.c.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-6(c)(2)[1]</prop>
-                     <p>defines the frequency to re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been
-                        updated;</p>
-                  </part>
-                  <part id="ps-6.c.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">PS-6(c)(2)[2]</prop>
-                     <p>ensures that individuals requiring access to organizational information and
-                        information systems re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been updated
-                        or with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing access agreements for organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>access agreements</p>
-               <p>records of access agreement reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel who have signed/resigned access agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access agreements</p>
-               <p>automated mechanisms supporting access agreements</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-7">
-         <title>Third-party Personnel Security</title>
-         <param id="ps-7_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-7_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>terminations: immediately; transfers: within twenty-four (24) hours</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-7</prop>
-         <prop name="sort-id">ps-07</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="ps-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes personnel security requirements including security roles and
-                  responsibilities for third-party providers;</p>
-            </part>
-            <part id="ps-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires third-party providers to notify <insert param-id="ps-7_prm_1"/> of any
-                  personnel transfers or terminations of third-party personnel who possess
-                  organizational credentials and/or badges, or who have information system
-                  privileges within <insert param-id="ps-7_prm_2"/>; and</p>
-            </part>
-            <part id="ps-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Monitors provider compliance.</p>
-            </part>
-         </part>
-         <part id="ps-7_gdn" name="guidance">
-            <p>Third-party providers include, for example, service bureaus, contractors, and other
-               organizations providing information system development, information technology
-               services, outsourced applications, and network and security management. Organizations
-               explicitly include personnel security requirements in acquisition-related documents.
-               Third-party providers may have personnel working at organizational facilities with
-               credentials, badges, or information system privileges issued by organizations.
-               Notifications of third-party personnel changes ensure appropriate termination of
-               privileges and credentials. Organizations define the transfers and terminations
-               deemed reportable by security-related characteristics that include, for example,
-               functions, roles, and nature of credentials/privileges associated with individuals
-               transferred or terminated.</p>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sa-21">SA-21</link>
-         </part>
-         <part id="ps-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-7.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-7(a)</prop>
-               <p>establishes personnel security requirements, including security roles and
-                  responsibilities, for third-party providers;</p>
-            </part>
-            <part id="ps-7.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-7(b)</prop>
-               <p>requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-7(c)</prop>
-               <p>documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7.d_obj" name="objective">
-               <prop name="label">PS-7(d)</prop>
-               <part id="ps-7.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[1]</prop>
-                  <p>defines personnel or roles to be notified of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[2]</prop>
-                  <p>defines the time period within which third-party providers are required to
-                     notify organization-defined personnel or roles of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[3]</prop>
-                  <p>requires third-party providers to notify organization-defined personnel or
-                     roles within the organization-defined time period of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges; and</p>
-               </part>
-            </part>
-            <part id="ps-7.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-7(e)</prop>
-               <p>monitors provider compliance.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing third-party personnel security</p>
-               <p>list of personnel security requirements</p>
-               <p>acquisition documents</p>
-               <p>service-level agreements</p>
-               <p>compliance monitoring process</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>third-party providers</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing and monitoring third-party personnel
-                  security</p>
-               <p>automated mechanisms supporting and/or implementing monitoring of provider
-                  compliance</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-8">
-         <title>Personnel Sanctions</title>
-         <param id="ps-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-            <constraint>at a minimum, the ISSO and/or similar role within the organization</constraint>
-         </param>
-         <param id="ps-8_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-8</prop>
-         <prop name="sort-id">ps-08</prop>
-         <part id="ps-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures; and</p>
-            </part>
-            <part id="ps-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Notifies <insert param-id="ps-8_prm_1"/> within <insert param-id="ps-8_prm_2"/>
-                  when a formal employee sanctions process is initiated, identifying the individual
-                  sanctioned and the reason for the sanction.</p>
-            </part>
-         </part>
-         <part id="ps-8_gdn" name="guidance">
-            <p>Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Sanctions processes are
-               described in access agreements and can be included as part of general personnel
-               policies and procedures for organizations. Organizations consult with the Office of
-               the General Counsel regarding matters of employee sanctions.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-8(a)</prop>
-               <p>employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures;</p>
-            </part>
-            <part id="ps-8.b_obj" name="objective">
-               <prop name="label">PS-8(b)</prop>
-               <part id="ps-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-8(b)[1]</prop>
-                  <p>defines personnel or roles to be notified when a formal employee sanctions
-                     process is initiated;</p>
-               </part>
-               <part id="ps-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-8(b)[2]</prop>
-                  <p>defines the time period within which organization-defined personnel or roles
-                     must be notified when a formal employee sanctions process is initiated; and</p>
-               </part>
-               <part id="ps-8.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-8(b)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when a formal employee sanctions process is
-                     initiated, identifying the individual sanctioned and the reason for the
-                     sanction.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel sanctions</p>
-               <p>rules of behavior</p>
-               <p>records of formal sanctions</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing personnel sanctions</p>
-               <p>automated mechanisms supporting and/or implementing notifications</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ra">
-      <title>Risk Assessment</title>
-      <control class="SP800-53" id="ra-1">
-         <title>Risk Assessment Policy and Procedures</title>
-         <param id="ra-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ra-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">RA-1</prop>
-         <prop name="sort-id">ra-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ra-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ra-1_prm_1"/>:</p>
-               <part id="ra-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A risk assessment policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ra-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the risk assessment policy and
-                     associated risk assessment controls; and</p>
-               </part>
-            </part>
-            <part id="ra-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ra-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Risk assessment policy <insert param-id="ra-1_prm_2"/>; and</p>
-               </part>
-               <part id="ra-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Risk assessment procedures <insert param-id="ra-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the RA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-1.a_obj" name="objective">
-               <prop name="label">RA-1(a)</prop>
-               <part id="ra-1.a.1_obj" name="objective">
-                  <prop name="label">RA-1(a)(1)</prop>
-                  <part id="ra-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(1)[1]</prop>
-                     <p>develops and documents a risk assessment policy that addresses:</p>
-                     <part id="ra-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ra-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the risk assessment policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">RA-1(a)(1)[3]</prop>
-                     <p>disseminates the risk assessment policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ra-1.a.2_obj" name="objective">
-                  <prop name="label">RA-1(a)(2)</prop>
-                  <part id="ra-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        risk assessment policy and associated risk assessment controls;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">RA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-1.b_obj" name="objective">
-               <prop name="label">RA-1(b)</prop>
-               <part id="ra-1.b.1_obj" name="objective">
-                  <prop name="label">RA-1(b)(1)</prop>
-                  <part id="ra-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        policy;</p>
-                  </part>
-                  <part id="ra-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current risk assessment policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ra-1.b.2_obj" name="objective">
-                  <prop name="label">RA-1(b)(2)</prop>
-                  <part id="ra-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        procedures; and</p>
-                  </part>
-                  <part id="ra-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current risk assessment procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>risk assessment policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-2">
-         <title>Security Categorization</title>
-         <prop name="label">RA-2</prop>
-         <prop name="sort-id">ra-02</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="ra-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that the authorizing official or authorizing official designated
-                  representative reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part id="ra-2_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective security
-               categorization decisions. Security categories describe the potential adverse impacts
-               to organizational operations, organizational assets, and individuals if
-               organizational information and information systems are comprised through a loss of
-               confidentiality, integrity, or availability. Organizations conduct the security
-               categorization process as an organization-wide activity with the involvement of chief
-               information officers, senior information security officers, information system
-               owners, mission/business owners, and information owners/stewards. Organizations also
-               consider the potential adverse impacts to other organizations and, in accordance with
-               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-               national-level adverse impacts. Security categorization processes carried out by
-               organizations facilitate the development of inventories of information assets, and
-               along with CM-8, mappings to specific information system components where information
-               is processed, stored, or transmitted.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="ra-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">RA-2(a)</prop>
-               <p>categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">RA-2(b)</prop>
-               <p>documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">RA-2(c)</prop>
-               <p>ensures the authorizing official or authorizing official designated representative
-                  reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing security categorization of organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>security categorization documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security categorization and risk assessment
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security categorization</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-3">
-         <title>Risk Assessment</title>
-         <param id="ra-3_prm_1"/>
-         <param id="ra-3_prm_2" depends-on="ra-3_prm_1">
-            <label>organization-defined document</label>
-            <constraint>security assessment report</constraint>
-         </param>
-         <param id="ra-3_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <param id="ra-3_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-3_prm_5">
-            <label>organization-defined frequency</label>
-            <constraint>annually</constraint>
-         </param>
-         <prop name="label">RA-3</prop>
-         <prop name="sort-id">ra-03</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ra-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of the information system and the information it processes, stores, or
-                  transmits;</p>
-            </part>
-            <part id="ra-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents risk assessment results in <insert param-id="ra-3_prm_1"/>;</p>
-            </part>
-            <part id="ra-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews risk assessment results <insert param-id="ra-3_prm_3"/>;</p>
-            </part>
-            <part id="ra-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Disseminates risk assessment results to <insert param-id="ra-3_prm_4"/>; and</p>
-            </part>
-            <part id="ra-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the risk assessment <insert param-id="ra-3_prm_5"/> or whenever there are
-                  significant changes to the information system or environment of operation
-                  (including the identification of new threats and vulnerabilities), or other
-                  conditions that may impact the security state of the system.</p>
-            </part>
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-3_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective risk
-               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-               and impact to organizational operations and assets, individuals, other organizations,
-               and the Nation based on the operation and use of information systems. Risk
-               assessments also take into account risk from external parties (e.g., service
-               providers, contractors operating information systems on behalf of the organization,
-               individuals accessing organizational information systems, outsourcing entities). In
-               accordance with OMB policy and related E-authentication initiatives, authentication
-               of public users accessing federal information systems may also be required to protect
-               nonpublic or privacy-related information. As such, organizational assessments of risk
-               also address public access to federal information systems. Risk assessments (either
-               formal or informal) can be conducted at all three tiers in the risk management
-               hierarchy (i.e., organization level, mission/business process level, or information
-               system level) and at any phase in the system development life cycle. Risk assessments
-               can also be conducted at various steps in the Risk Management Framework, including
-               categorization, security control selection, security control implementation, security
-               control assessment, information system authorization, and security control
-               monitoring. RA-3 is noteworthy in that the control must be partially implemented
-               prior to the implementation of other controls in order to complete the first two
-               steps in the Risk Management Framework. Risk assessments can play an important role
-               in security control selection processes, particularly during the application of
-               tailoring guidance, which includes security control supplementation.</p>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-3.a_obj" name="objective">
-               <prop name="label">RA-3(a)</prop>
-               <p>conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of:</p>
-               <part id="ra-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(a)[1]</prop>
-                  <p>the information system;</p>
-               </part>
-               <part id="ra-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(a)[2]</prop>
-                  <p>the information the system processes, stores, or transmits;</p>
-               </part>
-            </part>
-            <part id="ra-3.b_obj" name="objective">
-               <prop name="label">RA-3(b)</prop>
-               <part id="ra-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(b)[1]</prop>
-                  <p>defines a document in which risk assessment results are to be documented (if
-                     not documented in the security plan or risk assessment report);</p>
-               </part>
-               <part id="ra-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(b)[2]</prop>
-                  <p>documents risk assessment results in one of the following:</p>
-                  <part id="ra-3.b_obj.2.a" name="objective">
-                     <prop name="label">RA-3(b)[2][a]</prop>
-                     <p>the security plan;</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.b" name="objective">
-                     <prop name="label">RA-3(b)[2][b]</prop>
-                     <p>the risk assessment report; or</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.c" name="objective">
-                     <prop name="label">RA-3(b)[2][c]</prop>
-                     <p>the organization-defined document;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-3.c_obj" name="objective">
-               <prop name="label">RA-3(c)</prop>
-               <part id="ra-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(c)[1]</prop>
-                  <p>defines the frequency to review risk assessment results;</p>
-               </part>
-               <part id="ra-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(c)[2]</prop>
-                  <p>reviews risk assessment results with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ra-3.d_obj" name="objective">
-               <prop name="label">RA-3(d)</prop>
-               <part id="ra-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(d)[1]</prop>
-                  <p>defines personnel or roles to whom risk assessment results are to be
-                     disseminated;</p>
-               </part>
-               <part id="ra-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(d)[2]</prop>
-                  <p>disseminates risk assessment results to organization-defined personnel or
-                     roles;</p>
-               </part>
-            </part>
-            <part id="ra-3.e_obj" name="objective">
-               <prop name="label">RA-3(e)</prop>
-               <part id="ra-3.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(e)[1]</prop>
-                  <p>defines the frequency to update the risk assessment;</p>
-               </part>
-               <part id="ra-3.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(e)[2]</prop>
-                  <p>updates the risk assessment:</p>
-                  <part id="ra-3.e_obj.2.a" name="objective">
-                     <prop name="label">RA-3(e)[2][a]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.b" name="objective">
-                     <prop name="label">RA-3(e)[2][b]</prop>
-                     <p>whenever there are significant changes to the information system or
-                        environment of operation (including the identification of new threats and
-                        vulnerabilities); and</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.c" name="objective">
-                     <prop name="label">RA-3(e)[2][c]</prop>
-                     <p>whenever there are other conditions that may impact the security state of
-                        the system.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing organizational assessments of risk</p>
-               <p>security plan</p>
-               <p>risk assessment</p>
-               <p>risk assessment results</p>
-               <p>risk assessment reviews</p>
-               <p>risk assessment updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for risk assessment</p>
-               <p>automated mechanisms supporting and/or for conducting, documenting, reviewing,
-                  disseminating, and updating the risk assessment</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-5">
-         <title>Vulnerability Scanning</title>
-         <param id="ra-5_prm_1">
-            <label>organization-defined frequency and/or randomly in accordance with
-               organization-defined process</label>
-            <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-         </param>
-         <param id="ra-5_prm_2">
-            <label>organization-defined response times</label>
-            <constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</constraint>
-         </param>
-         <param id="ra-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">RA-5</prop>
-         <prop name="sort-id">ra-05</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#15522e92-9192-463d-9646-6a01982db8ca" rel="reference">http://cwe.mitre.org</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <part id="ra-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Scans for vulnerabilities in the information system and hosted applications
-                     <insert param-id="ra-5_prm_1"/> and when new vulnerabilities potentially
-                  affecting the system/applications are identified and reported;</p>
-            </part>
-            <part id="ra-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Enumerating platforms, software flaws, and improper configurations;</p>
-               </part>
-               <part id="ra-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Formatting checklists and test procedures; and</p>
-               </part>
-               <part id="ra-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Analyzes vulnerability scan reports and results from security control
-                  assessments;</p>
-            </part>
-            <part id="ra-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Remediates legitimate vulnerabilities <insert param-id="ra-5_prm_2"/> in
-                  accordance with an organizational assessment of risk; and</p>
-            </part>
-            <part id="ra-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Shares information obtained from the vulnerability scanning process and security
-                  control assessments with <insert param-id="ra-5_prm_3"/> to help eliminate similar
-                  vulnerabilities in other information systems (i.e., systemic weaknesses or
-                  deficiencies).</p>
-            </part>
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-            </part>
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-5_gdn" name="guidance">
-            <p>Security categorization of information systems guides the frequency and
-               comprehensiveness of vulnerability scans. Organizations determine the required
-               vulnerability scanning for all information system components, ensuring that potential
-               sources of vulnerabilities such as networked printers, scanners, and copiers are not
-               overlooked. Vulnerability analyses for custom software applications may require
-               additional approaches such as static analysis, dynamic analysis, binary analysis, or
-               a hybrid of the three approaches. Organizations can employ these analysis approaches
-               in a variety of tools (e.g., web-based application scanners, static analysis tools,
-               binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-               example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-               protocols, and services that should not be accessible to users or devices; and (iii)
-               scanning for improperly configured or incorrectly operating information flow control
-               mechanisms. Organizations consider using tools that express vulnerabilities in the
-               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-               Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-               vulnerabilities. Suggested sources for vulnerability information include the Common
-               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-               addition, security control assessments such as red team exercises provide other
-               sources of potential vulnerabilities for which to scan. Organizations also consider
-               using tools that express vulnerability impact by the Common Vulnerability Scoring
-               System (CVSS).</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ra-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-5.a_obj" name="objective">
-               <prop name="label">RA-5(a)</prop>
-               <part id="ra-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(a)[1]</prop>
-                  <part id="ra-5.a_obj.1.a" name="objective">
-                     <prop name="label">RA-5(a)[1][a]</prop>
-                     <p>defines the frequency for conducting vulnerability scans on the information
-                        system and hosted applications; and/or</p>
-                  </part>
-                  <part id="ra-5.a_obj.1.b" name="objective">
-                     <prop name="label">RA-5(a)[1][b]</prop>
-                     <p>defines the process for conducting random vulnerability scans on the
-                        information system and hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(a)[2]</prop>
-                  <p>in accordance with the organization-defined frequency and/or
-                     organization-defined process for conducting random scans, scans for
-                     vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.2.a" name="objective">
-                     <prop name="label">RA-5(a)[2][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.2.b" name="objective">
-                     <prop name="label">RA-5(a)[2][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(a)[3]</prop>
-                  <p>when new vulnerabilities potentially affecting the system/applications are
-                     identified and reported, scans for vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.3.a" name="objective">
-                     <prop name="label">RA-5(a)[3][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.3.b" name="objective">
-                     <prop name="label">RA-5(a)[3][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.b_obj" name="objective">
-               <prop name="label">RA-5(b)</prop>
-               <p>employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5.b.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(1)</prop>
-                  <part id="ra-5.b.1_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(1)[1]</prop>
-                     <p>enumerating platforms;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(1)[2]</prop>
-                     <p>enumerating software flaws;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.3" name="objective">
-                     <prop name="label">RA-5(b)(1)[3]</prop>
-                     <p>enumerating improper configurations;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(2)</prop>
-                  <part id="ra-5.b.2_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(2)[1]</prop>
-                     <p>formatting checklists;</p>
-                  </part>
-                  <part id="ra-5.b.2_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(2)[2]</prop>
-                     <p>formatting test procedures;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(3)</prop>
-                  <p>measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5.c_obj" name="objective">
-               <prop name="label">RA-5(c)</prop>
-               <part id="ra-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(c)[1]</prop>
-                  <p>analyzes vulnerability scan reports;</p>
-               </part>
-               <part id="ra-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(c)[2]</prop>
-                  <p>analyzes results from security control assessments;</p>
-               </part>
-            </part>
-            <part id="ra-5.d_obj" name="objective">
-               <prop name="label">RA-5(d)</prop>
-               <part id="ra-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(d)[1]</prop>
-                  <p>defines response times to remediate legitimate vulnerabilities in accordance
-                     with an organizational assessment of risk;</p>
-               </part>
-               <part id="ra-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(d)[2]</prop>
-                  <p>remediates legitimate vulnerabilities within the organization-defined response
-                     times in accordance with an organizational assessment of risk;</p>
-               </part>
-            </part>
-            <part id="ra-5.e_obj" name="objective">
-               <prop name="label">RA-5(e)</prop>
-               <part id="ra-5.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(e)[1]</prop>
-                  <p>defines personnel or roles with whom information obtained from the
-                     vulnerability scanning process and security control assessments is to be
-                     shared;</p>
-               </part>
-               <part id="ra-5.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(e)[2]</prop>
-                  <p>shares information obtained from the vulnerability scanning process with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies); and</p>
-               </part>
-               <part id="ra-5.e_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(e)[3]</prop>
-                  <p>shares information obtained from security control assessments with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>procedures addressing vulnerability scanning</p>
-               <p>risk assessment</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>vulnerability scanning tools and associated configuration documentation</p>
-               <p>vulnerability scanning results</p>
-               <p>patch and vulnerability management records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment, security control assessment and
-                  vulnerability scanning responsibilities</p>
-               <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-               <p>organizational personnel with vulnerability remediation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for vulnerability scanning, analysis, remediation, and
-                  information sharing</p>
-               <p>automated mechanisms supporting and/or implementing vulnerability scanning,
-                  analysis, remediation, and information sharing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ra-5.1">
-            <title>Update Tool Capability</title>
-            <prop name="label">RA-5(1)</prop>
-            <prop name="sort-id">ra-05.01</prop>
-            <part id="ra-5.1_smt" name="statement">
-               <p>The organization employs vulnerability scanning tools that include the capability
-                  to readily update the information system vulnerabilities to be scanned.</p>
-            </part>
-            <part id="ra-5.1_gdn" name="guidance">
-               <p>The vulnerabilities to be scanned need to be readily updated as new
-                  vulnerabilities are discovered, announced, and scanning methods developed. This
-                  updating process helps to ensure that potential vulnerabilities in the information
-                  system are identified and addressed as quickly as possible.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ra-5.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs vulnerability scanning tools that include
-                  the capability to readily update the information system vulnerabilities to be
-                  scanned.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.2">
-            <title>Update by Frequency / Prior to New Scan / When Identified</title>
-            <param id="ra-5.2_prm_1">
-               <constraint>prior to a new scan</constraint>
-            </param>
-            <param id="ra-5.2_prm_2" depends-on="ra-5.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">RA-5(2)</prop>
-            <prop name="sort-id">ra-05.02</prop>
-            <part id="ra-5.2_smt" name="statement">
-               <p>The organization updates the information system vulnerabilities scanned <insert param-id="ra-5.2_prm_1"/>.</p>
-            </part>
-            <part id="ra-5.2_gdn" name="guidance">
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-5">SI-5</link>
-            </part>
-            <part id="ra-5.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ra-5.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(2)[1]</prop>
-                  <p>defines the frequency to update the information system vulnerabilities
-                     scanned;</p>
-               </part>
-               <part id="ra-5.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(2)[2]</prop>
-                  <p>updates the information system vulnerabilities scanned one or more of the
-                     following:</p>
-                  <part id="ra-5.2_obj.2.a" name="objective">
-                     <prop name="label">RA-5(2)[2][a]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-                  <part id="ra-5.2_obj.2.b" name="objective">
-                     <prop name="label">RA-5(2)[2][b]</prop>
-                     <p>prior to a new scan; and/or</p>
-                  </part>
-                  <part id="ra-5.2_obj.2.c" name="objective">
-                     <prop name="label">RA-5(2)[2][c]</prop>
-                     <p>when new vulnerabilities are identified and reported.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.3">
-            <title>Breadth / Depth of Coverage</title>
-            <prop name="label">RA-5(3)</prop>
-            <prop name="sort-id">ra-05.03</prop>
-            <part id="ra-5.3_smt" name="statement">
-               <p>The organization employs vulnerability scanning procedures that can identify the
-                  breadth and depth of coverage (i.e., information system components scanned and
-                  vulnerabilities checked).</p>
-            </part>
-            <part id="ra-5.3_obj" name="objective">
-               <p>Determine if the organization employs vulnerability scanning procedures that can
-                  identify:</p>
-               <part id="ra-5.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(3)[1]</prop>
-                  <p>the breadth of coverage (i.e., information system components scanned); and</p>
-               </part>
-               <part id="ra-5.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(3)[2]</prop>
-                  <p>the depth of coverage (i.e., vulnerabilities checked).</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.4">
-            <title>Discoverable Information</title>
-            <param id="ra-5.4_prm_1">
-               <label>organization-defined corrective actions</label>
-               <constraint>notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions</constraint>
-            </param>
-            <prop name="label">RA-5(4)</prop>
-            <prop name="sort-id">ra-05.04</prop>
-            <part id="ra-5.4_smt" name="statement">
-               <p>The organization determines what information about the information system is
-                  discoverable by adversaries and subsequently takes <insert param-id="ra-5.4_prm_1"/>.</p>
-            </part>
-            <part id="ra-5.4_gdn" name="guidance">
-               <p>Discoverable information includes information that adversaries could obtain
-                  without directly compromising or breaching the information system, for example, by
-                  collecting information the system is exposing or by conducting extensive searches
-                  of the web. Corrective actions can include, for example, notifying appropriate
-                  organizational personnel, removing designated information, or changing the
-                  information system to make designated information less relevant or attractive to
-                  adversaries.</p>
-               <link rel="related" href="#au-13">AU-13</link>
-            </part>
-            <part id="ra-5.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ra-5.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(4)[1]</prop>
-                  <p>defines corrective actions to be taken if information about the information
-                     system is discoverable by adversaries;</p>
-               </part>
-               <part id="ra-5.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(4)[2]</prop>
-                  <p>determines what information about the information system is discoverable by
-                     adversaries; and</p>
-               </part>
-               <part id="ra-5.4_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(4)[3]</prop>
-                  <p>subsequently takes organization-defined corrective actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security assessment report</p>
-                  <p>penetration test results</p>
-                  <p>vulnerability scanning results</p>
-                  <p>risk assessment report</p>
-                  <p>records of corrective actions taken</p>
-                  <p>incident response records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning and/or penetration testing
-                     responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel responsible for risk response</p>
-                  <p>organizational personnel responsible for incident management and response</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>organizational processes for risk response</p>
-                  <p>organizational processes for incident management and response</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms supporting and/or implementing risk response</p>
-                  <p>automated mechanisms supporting and/or implementing incident management and
-                     response</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.5">
-            <title>Privileged Access</title>
-            <param id="ra-5.5_prm_1">
-               <label>organization-identified information system components</label>
-               <constraint>operating systems / web applications / databases</constraint>
-            </param>
-            <param id="ra-5.5_prm_2">
-               <label>organization-defined vulnerability scanning activities</label>
-               <constraint>all scans</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">RA-5(5)</prop>
-            <prop name="sort-id">ra-05.05</prop>
-            <part id="ra-5.5_smt" name="statement">
-               <p>The information system implements privileged access authorization to <insert param-id="ra-5.5_prm_1"/> for selected <insert param-id="ra-5.5_prm_2"/>.</p>
-            </part>
-            <part id="ra-5.5_gdn" name="guidance">
-               <p>In certain situations, the nature of the vulnerability scanning may be more
-                  intrusive or the information system component that is the subject of the scanning
-                  may contain highly sensitive information. Privileged access authorization to
-                  selected system components facilitates more thorough vulnerability scanning and
-                  also protects the sensitive nature of such scanning.</p>
-            </part>
-            <part id="ra-5.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ra-5.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(5)[1]</prop>
-                  <p>the organization defines information system components to which privileged
-                     access is authorized for selected vulnerability scanning activities;</p>
-               </part>
-               <part id="ra-5.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(5)[2]</prop>
-                  <p>the organization defines vulnerability scanning activities selected for
-                     privileged access authorization to organization-defined information system
-                     components; and</p>
-               </part>
-               <part id="ra-5.5_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(5)[3]</prop>
-                  <p>the information system implements privileged access authorization to
-                     organization-defined information system components for selected
-                     organization-defined vulnerability scanning activities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of information system components for vulnerability scanning</p>
-                  <p>personnel access authorization list</p>
-                  <p>authorization credentials</p>
-                  <p>access authorization records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel responsible for access control to the information
-                     system</p>
-                  <p>organizational personnel responsible for configuration management of the
-                     information system</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>organizational processes for access control</p>
-                  <p>automated mechanisms supporting and/or implementing access control</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.6">
-            <title>Automated Trend Analyses</title>
-            <prop name="label">RA-5(6)</prop>
-            <prop name="sort-id">ra-05.06</prop>
-            <part id="ra-5.6_smt" name="statement">
-               <p>The organization employs automated mechanisms to compare the results of
-                  vulnerability scans over time to determine trends in information system
-                  vulnerabilities.</p>
-               <part id="ra-5.6_fr" name="item">
-                  <title>RA-5 (6) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ra-5.6_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.6_gdn" name="guidance">
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#ir-5">IR-5</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="ra-5.6_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to compare the results
-                  of vulnerability scans over time to determine trends in information system
-                  vulnerabilities.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>information system design documentation</p>
-                  <p>vulnerability scanning tools and techniques documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms supporting and/or implementing trend analysis of
-                     vulnerability scan results</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.8">
-            <title>Review Historic Audit Logs</title>
-            <prop name="label">RA-5(8)</prop>
-            <prop name="sort-id">ra-05.08</prop>
-            <part id="ra-5.8_smt" name="statement">
-               <p>The organization reviews historic audit logs to determine if a vulnerability
-                  identified in the information system has been previously exploited.</p>
-               <part id="ra-5.8_fr" name="item">
-                  <title>RA-5 (8) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ra-5.8_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>This enhancement is required for all high vulnerability scan findings.</p>
-                  </part>
-                  <part id="ra-5.8_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.8_gdn" name="guidance">
-               <link rel="related" href="#au-6">AU-6</link>
-            </part>
-            <part id="ra-5.8_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization reviews historic audit logs to determine if a
-                  vulnerability identified in the information system has been previously exploited.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>audit logs</p>
-                  <p>records of audit log reviews</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with audit record review responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>organizational process for audit record review and response</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms supporting and/or implementing audit record review</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.10">
-            <title>Correlate Scanning Information</title>
-            <prop name="label">RA-5(10)</prop>
-            <prop name="sort-id">ra-05.10</prop>
-            <part id="ra-5.10_smt" name="statement">
-               <p>The organization correlates the output from vulnerability scanning tools to
-                  determine the presence of multi-vulnerability/multi-hop attack vectors.</p>
-               <part id="ra-5.10_fr" name="item">
-                  <title>RA-5 (10) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ra-5.10_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>If multiple tools are not used, this control is not applicable.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization correlates the output from vulnerability scanning
-                  tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>risk assessment</p>
-                  <p>security plan</p>
-                  <p>vulnerability scanning tools and techniques documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>vulnerability management records</p>
-                  <p>audit records</p>
-                  <p>event/vulnerability correlation logs</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms implementing correlation of vulnerability scan results</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="sa">
-      <title>System and Services Acquisition</title>
-      <control class="SP800-53" id="sa-1">
-         <title>System and Services Acquisition Policy and Procedures</title>
-         <param id="sa-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sa-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="sa-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SA-1</prop>
-         <prop name="sort-id">sa-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sa-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sa-1_prm_1"/>:</p>
-               <part id="sa-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and services acquisition policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="sa-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and services
-                     acquisition policy and associated system and services acquisition controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sa-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sa-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and services acquisition policy <insert param-id="sa-1_prm_2"/>; and</p>
-               </part>
-               <part id="sa-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and services acquisition procedures <insert param-id="sa-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sa-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-1.a_obj" name="objective">
-               <prop name="label">SA-1(a)</prop>
-               <part id="sa-1.a.1_obj" name="objective">
-                  <prop name="label">SA-1(a)(1)</prop>
-                  <part id="sa-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and services acquisition policy that
-                        addresses:</p>
-                     <part id="sa-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sa-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and services acquisition
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-1(a)(1)[3]</prop>
-                     <p>disseminates the system and services acquisition policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sa-1.a.2_obj" name="objective">
-                  <prop name="label">SA-1(a)(2)</prop>
-                  <part id="sa-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and services acquisition policy and associated system and services
-                        acquisition controls;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-1.b_obj" name="objective">
-               <prop name="label">SA-1(b)</prop>
-               <part id="sa-1.b.1_obj" name="objective">
-                  <prop name="label">SA-1(b)(1)</prop>
-                  <part id="sa-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition policy;</p>
-                  </part>
-                  <part id="sa-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sa-1.b.2_obj" name="objective">
-                  <prop name="label">SA-1(b)(2)</prop>
-                  <part id="sa-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition procedures; and</p>
-                  </part>
-                  <part id="sa-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-2">
-         <title>Allocation of Resources</title>
-         <prop name="label">SA-2</prop>
-         <prop name="sort-id">sa-02</prop>
-         <link href="#29fcfe59-33cd-494a-8756-5907ae3a8f92" rel="reference">NIST Special Publication 800-65</link>
-         <part id="sa-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Determines, documents, and allocates the resources required to protect the
-                  information system or information system service as part of its capital planning
-                  and investment control process; and</p>
-            </part>
-            <part id="sa-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part id="sa-2_gdn" name="guidance">
-            <p>Resource allocation for information security includes funding for the initial
-               information system or information system service acquisition and funding for the
-               sustainment of the system/service.</p>
-            <link rel="related" href="#pm-3">PM-3</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="sa-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-2(a)</prop>
-               <p>determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-2(b)</prop>
-               <p>to protect the information system or information system service as part of its
-                  capital planning and investment control process:</p>
-               <part id="sa-2.b_obj.1" name="objective">
-                  <prop name="label">SA-2(b)[1]</prop>
-                  <p>determines the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.2" name="objective">
-                  <prop name="label">SA-2(b)[2]</prop>
-                  <p>documents the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.3" name="objective">
-                  <prop name="label">SA-2(b)[3]</prop>
-                  <p>allocates the resources required; and</p>
-               </part>
-            </part>
-            <part id="sa-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-2(c)</prop>
-               <p>establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the allocation of resources to information security
-                  requirements</p>
-               <p>procedures addressing capital planning and investment control</p>
-               <p>organizational programming and budgeting documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with capital planning, investment control, organizational
-                  programming and budgeting responsibilities</p>
-               <p>organizational personnel responsible for determining information security
-                  requirements for information systems/services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information security requirements</p>
-               <p>organizational processes for capital planning, programming, and budgeting</p>
-               <p>automated mechanisms supporting and/or implementing organizational capital
-                  planning, programming, and budgeting</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-3">
-         <title>System Development Life Cycle</title>
-         <param id="sa-3_prm_1">
-            <label>organization-defined system development life cycle</label>
-         </param>
-         <prop name="label">SA-3</prop>
-         <prop name="sort-id">sa-03</prop>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <part id="sa-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Manages the information system using <insert param-id="sa-3_prm_1"/> that
-                  incorporates information security considerations;</p>
-            </part>
-            <part id="sa-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part id="sa-3_gdn" name="guidance">
-            <p>A well-defined system development life cycle provides the foundation for the
-               successful development, implementation, and operation of organizational information
-               systems. To apply the required security controls within the system development life
-               cycle requires a basic understanding of information security, threats,
-               vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-               The security engineering principles in SA-8 cannot be properly applied if individuals
-               that design, code, and test information systems and system components (including
-               information technology products) do not understand security. Therefore, organizations
-               include qualified personnel, for example, chief information security officers,
-               security architects, security engineers, and information system security officers in
-               system development life cycle activities to ensure that security requirements are
-               incorporated into organizational information systems. It is equally important that
-               developers include individuals on the development team that possess the requisite
-               security expertise and skills to ensure that needed security capabilities are
-               effectively integrated into the information system. Security awareness and training
-               programs can help ensure that individuals having key security roles and
-               responsibilities have the appropriate experience, skills, and expertise to conduct
-               assigned system development life cycle activities. The effective integration of
-               security requirements into enterprise architecture also helps to ensure that
-               important security considerations are addressed early in the system development life
-               cycle and that those considerations are directly related to the organizational
-               mission/business processes. This process also facilitates the integration of the
-               information security architecture into the enterprise architecture, consistent with
-               organizational risk management and information security strategies.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-3.a_obj" name="objective">
-               <prop name="label">SA-3(a)</prop>
-               <part id="sa-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-3(a)[1]</prop>
-                  <p>defines a system development life cycle that incorporates information security
-                     considerations to be used to manage the information system;</p>
-               </part>
-               <part id="sa-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-3(a)[2]</prop>
-                  <p>manages the information system using the organization-defined system
-                     development life cycle;</p>
-               </part>
-            </part>
-            <part id="sa-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-3(b)</prop>
-               <p>defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-3(c)</prop>
-               <p>identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-3(d)</prop>
-               <p>integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security into the system
-                  development life cycle process</p>
-               <p>information system development life cycle documentation</p>
-               <p>information security risk management strategy/program documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security and system life cycle
-                  development responsibilities</p>
-               <p>organizational personnel with information security risk management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining and documenting the SDLC</p>
-               <p>organizational processes for identifying SDLC roles and responsibilities</p>
-               <p>organizational process for integrating information security risk management into
-                  the SDLC</p>
-               <p>automated mechanisms supporting and/or implementing the SDLC</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-4">
-         <title>Acquisition Process</title>
-         <prop name="label">SA-4</prop>
-         <prop name="sort-id">sa-04</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#1737a687-52fb-4008-b900-cbfa836f7b65" rel="reference">ISO/IEC 15408</link>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#0a5db899-f033-467f-8631-f5a8ba971475" rel="reference">NIST Special Publication 800-23</link>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <link href="#d818efd3-db31-4953-8afa-9e76afe83ce2" rel="reference">NIST Special Publication 800-36</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#56d671da-6b7b-4abf-8296-84b61980390a" rel="reference">Federal Acquisition Regulation</link>
-         <link href="#c95a9986-3cd6-4a98-931b-ccfc56cb11e5" rel="reference">http://www.niap-ccevs.org</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <link href="#bbd50dd1-54ce-4432-959d-63ea564b1bb4" rel="reference">http://www.acquisition.gov/far</link>
-         <part id="sa-4_smt" name="statement">
-            <p>The organization includes the following requirements, descriptions, and criteria,
-               explicitly or by reference, in the acquisition contract for the information system,
-               system component, or information system service in accordance with applicable federal
-               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-               organizational mission/business needs:</p>
-            <part id="sa-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Security functional requirements;</p>
-            </part>
-            <part id="sa-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Security strength requirements;</p>
-            </part>
-            <part id="sa-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Security assurance requirements;</p>
-            </part>
-            <part id="sa-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Description of the information system development environment and environment in
-                  which the system is intended to operate; and</p>
-            </part>
-            <part id="sa-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Acceptance criteria.</p>
-            </part>
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-4_gdn" name="guidance">
-            <p>Information system components are discrete, identifiable information technology
-               assets (e.g., hardware, software, or firmware) that represent the building blocks of
-               an information system. Information system components include commercial information
-               technology products. Security functional requirements include security capabilities,
-               security functions, and security mechanisms. Security strength requirements
-               associated with such capabilities, functions, and mechanisms include degree of
-               correctness, completeness, resistance to direct attack, and resistance to tampering
-               or bypass. Security assurance requirements include: (i) development processes,
-               procedures, practices, and methodologies; and (ii) evidence from development and
-               assessment activities providing grounds for confidence that the required security
-               functionality has been implemented and the required security strength has been
-               achieved. Security documentation requirements address all phases of the system
-               development life cycle. Security functionality, assurance, and documentation
-               requirements are expressed in terms of security controls and control enhancements
-               that have been selected through the tailoring process. The security control tailoring
-               process includes, for example, the specification of parameter values through the use
-               of assignment and selection statements and the specification of platform dependencies
-               and implementation information. Security documentation provides user and
-               administrator guidance regarding the implementation and operation of security
-               controls. The level of detail required in security documentation is based on the
-               security category or classification level of the information system and the degree to
-               which organizations depend on the stated security capability, functions, or
-               mechanisms to meet overall risk response expectations (as defined in the
-               organizational risk management strategy). Security requirements can also include
-               organizationally mandated configuration settings specifying allowed functions, ports,
-               protocols, and services. Acceptance criteria for information systems, information
-               system components, and information system services are defined in the same manner as
-               such criteria for any organizational acquisition or procurement. The Federal
-               Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-               from FISMA.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="sa-4_obj" name="objective">
-            <p>Determine if the organization includes the following requirements, descriptions, and
-               criteria, explicitly or by reference, in the acquisition contracts for the
-               information system, system component, or information system service in accordance
-               with applicable federal laws, Executive Orders, directives, policies, regulations,
-               standards, guidelines, and organizational mission/business needs:</p>
-            <part id="sa-4.a_obj" name="objective">
-               <prop name="label">SA-4(a)</prop>
-               <p>security functional requirements;</p>
-            </part>
-            <part id="sa-4.b_obj" name="objective">
-               <prop name="label">SA-4(b)</prop>
-               <p>security strength requirements;</p>
-            </part>
-            <part id="sa-4.c_obj" name="objective">
-               <prop name="label">SA-4(c)</prop>
-               <p>security assurance requirements;</p>
-            </part>
-            <part id="sa-4.d_obj" name="objective">
-               <prop name="label">SA-4(d)</prop>
-               <p>security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4.e_obj" name="objective">
-               <prop name="label">SA-4(e)</prop>
-               <p>requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4.f_obj" name="objective">
-               <prop name="label">SA-4(f)</prop>
-               <p>description of:</p>
-               <part id="sa-4.f_obj.1" name="objective">
-                  <prop name="label">SA-4(f)[1]</prop>
-                  <p>the information system development environment;</p>
-               </part>
-               <part id="sa-4.f_obj.2" name="objective">
-                  <prop name="label">SA-4(f)[2]</prop>
-                  <p>the environment in which the system is intended to operate; and</p>
-               </part>
-            </part>
-            <part id="sa-4.g_obj" name="objective">
-               <prop name="label">SA-4(g)</prop>
-               <p>acceptance criteria.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security requirements,
-                  descriptions, and criteria into the acquisition process</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>information system design documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security functional, strength, and assurance requirements</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information system security functional,
-                  strength, and assurance requirements</p>
-               <p>organizational processes for developing acquisition contracts</p>
-               <p>automated mechanisms supporting and/or implementing acquisitions and inclusion of
-                  security requirements in contracts</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-4.1">
-            <title>Functional Properties of Security Controls</title>
-            <prop name="label">SA-4(1)</prop>
-            <prop name="sort-id">sa-04.01</prop>
-            <part id="sa-4.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to provide a description of the
-                  functional properties of the security controls to be employed.</p>
-            </part>
-            <part id="sa-4.1_gdn" name="guidance">
-               <p>Functional properties of security controls describe the functionality (i.e.,
-                  security capability, functions, or mechanisms) visible at the interfaces of the
-                  controls and specifically exclude functionality and data structures internal to
-                  the operation of the controls.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-4.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to provide a description of the
-                  functional properties of the security controls to be employed.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security functional requirements</p>
-                  <p>information system developer or service provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for determining information system security
-                     functional, requirements</p>
-                  <p>organizational processes for developing acquisition contracts</p>
-                  <p>automated mechanisms supporting and/or implementing acquisitions and inclusion
-                     of security requirements in contracts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.2">
-            <title>Design / Implementation Information for Security Controls</title>
-            <param id="sa-4.2_prm_1">
-               <constraint>at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]</constraint>
-            </param>
-            <param id="sa-4.2_prm_2" depends-on="sa-4.2_prm_1">
-               <label>organization-defined design/implementation information</label>
-            </param>
-            <param id="sa-4.2_prm_3">
-               <label>organization-defined level of detail</label>
-            </param>
-            <prop name="label">SA-4(2)</prop>
-            <prop name="sort-id">sa-04.02</prop>
-            <part id="sa-4.2_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to provide design and implementation
-                  information for the security controls to be employed that includes: <insert param-id="sa-4.2_prm_1"/> at <insert param-id="sa-4.2_prm_3"/>.</p>
-            </part>
-            <part id="sa-4.2_gdn" name="guidance">
-               <p>Organizations may require different levels of detail in design and implementation
-                  documentation for security controls employed in organizational information
-                  systems, system components, or information system services based on
-                  mission/business requirements, requirements for trustworthiness/resiliency, and
-                  requirements for analysis and testing. Information systems can be partitioned into
-                  multiple subsystems. Each subsystem within the system can contain one or more
-                  modules. The high-level design for the system is expressed in terms of multiple
-                  subsystems and the interfaces between subsystems providing security-relevant
-                  functionality. The low-level design for the system is expressed in terms of
-                  modules with particular emphasis on software and firmware (but not excluding
-                  hardware) and the interfaces between modules providing security-relevant
-                  functionality. Source code and hardware schematics are typically referred to as
-                  the implementation representation of the information system.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-4.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-4(2)[1]</prop>
-                  <p>defines level of detail that the developer is required to provide in design and
-                     implementation information for the security controls to be employed in the
-                     information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-4.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-4(2)[2]</prop>
-                  <p>defines design/implementation information that the developer is to provide for
-                     the security controls to be employed (if selected);</p>
-               </part>
-               <part id="sa-4.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-4(2)[3]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to provide design and implementation information for
-                     the security controls to be employed that includes, at the organization-defined
-                     level of detail, one or more of the following:</p>
-                  <part id="sa-4.2_obj.3.a" name="objective">
-                     <prop name="label">SA-4(2)[3][a]</prop>
-                     <p>security-relevant external system interfaces;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.b" name="objective">
-                     <prop name="label">SA-4(2)[3][b]</prop>
-                     <p>high-level design;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.c" name="objective">
-                     <prop name="label">SA-4(2)[3][c]</prop>
-                     <p>low-level design;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.d" name="objective">
-                     <prop name="label">SA-4(2)[3][d]</prop>
-                     <p>source code;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.e" name="objective">
-                     <prop name="label">SA-4(2)[3][e]</prop>
-                     <p>hardware schematics; and/or</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.f" name="objective">
-                     <prop name="label">SA-4(2)[3][f]</prop>
-                     <p>organization-defined design/implementation information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system components, or
-                     information system services</p>
-                  <p>design and implementation information for security controls employed in the
-                     information system, system component, or information system service</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>information system developer or service provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for determining level of detail for system design and
-                     security controls</p>
-                  <p>organizational processes for developing acquisition contracts</p>
-                  <p>automated mechanisms supporting and/or implementing development of system
-                     design details</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.8">
-            <title>Continuous Monitoring Plan</title>
-            <param id="sa-4.8_prm_1">
-               <label>organization-defined level of detail</label>
-               <constraint>at least the minimum requirement as defined in control CA-7</constraint>
-            </param>
-            <prop name="label">SA-4(8)</prop>
-            <prop name="sort-id">sa-04.08</prop>
-            <part id="sa-4.8_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to produce a plan for the continuous
-                  monitoring of security control effectiveness that contains <insert param-id="sa-4.8_prm_1"/>.</p>
-               <part id="sa-4.8_fr" name="item">
-                  <title>SA-4 (8) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="sa-4.8_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-4.8_gdn" name="guidance">
-               <p>The objective of continuous monitoring plans is to determine if the complete set
-                  of planned, required, and deployed security controls within the information
-                  system, system component, or information system service continue to be effective
-                  over time based on the inevitable changes that occur. Developer continuous
-                  monitoring plans include a sufficient level of detail such that the information
-                  can be incorporated into the continuous monitoring strategies and programs
-                  implemented by organizations.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="sa-4.8_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.8_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-4(8)[1]</prop>
-                  <p>defines the level of detail the developer of the information system, system
-                     component, or information system service is required to provide when producing
-                     a plan for the continuous monitoring of security control effectiveness; and</p>
-               </part>
-               <part id="sa-4.8_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-4(8)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to produce a plan for the continuous monitoring of
-                     security control effectiveness that contains the organization-defined level of
-                     detail.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing developer continuous monitoring plans</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>developer continuous monitoring plans</p>
-                  <p>security assessment plans</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>information system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Vendor processes for continuous monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing developer continuous
-                     monitoring</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.9">
-            <title>Functions / Ports / Protocols / Services in Use</title>
-            <prop name="label">SA-4(9)</prop>
-            <prop name="sort-id">sa-04.09</prop>
-            <part id="sa-4.9_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to identify early in the system
-                  development life cycle, the functions, ports, protocols, and services intended for
-                  organizational use.</p>
-            </part>
-            <part id="sa-4.9_gdn" name="guidance">
-               <p>The identification of functions, ports, protocols, and services early in the
-                  system development life cycle (e.g., during the initial requirements definition
-                  and design phases) allows organizations to influence the design of the information
-                  system, information system component, or information system service. This early
-                  involvement in the life cycle helps organizations to avoid or minimize the use of
-                  functions, ports, protocols, or services that pose unnecessarily high risks and
-                  understand the trade-offs involved in blocking specific ports, protocols, or
-                  services (or when requiring information system service providers to do so). Early
-                  identification of functions, ports, protocols, and services avoids costly
-                  retrofitting of security controls after the information system, system component,
-                  or information system service has been implemented. SA-9 describes requirements
-                  for external information system services with organizations identifying which
-                  functions, ports, protocols, and services are provided from external sources.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#sa-9">SA-9</link>
-            </part>
-            <part id="sa-4.9_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to identify early in the system
-                  development life cycle:</p>
-               <part id="sa-4.9_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">SA-4(9)[1]</prop>
-                  <p>the functions intended for organizational use;</p>
-               </part>
-               <part id="sa-4.9_obj.2" name="objective">
-                  <prop name="label">SA-4(9)[2]</prop>
-                  <p>the ports intended for organizational use;</p>
-               </part>
-               <part id="sa-4.9_obj.3" name="objective">
-                  <prop name="label">SA-4(9)[3]</prop>
-                  <p>the protocols intended for organizational use; and</p>
-               </part>
-               <part id="sa-4.9_obj.4" name="objective">
-                  <prop name="label">SA-4(9)[4]</prop>
-                  <p>the services intended for organizational use.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system documentation including functions, ports, protocols, and
-                     services intended for organizational use</p>
-                  <p>acquisition contracts for information systems or services</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>organizational security requirements, descriptions, and criteria for developers
-                     of information systems, system components, and information system services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel operating, using, and/or maintaining the information
-                     system</p>
-                  <p>information system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.10">
-            <title>Use of Approved PIV Products</title>
-            <prop name="label">SA-4(10)</prop>
-            <prop name="sort-id">sa-04.10</prop>
-            <part id="sa-4.10_smt" name="statement">
-               <p>The organization employs only information technology products on the FIPS
-                  201-approved products list for Personal Identity Verification (PIV) capability
-                  implemented within organizational information systems.</p>
-            </part>
-            <part id="sa-4.10_gdn" name="guidance">
-               <link rel="related" href="#ia-2">IA-2</link>
-               <link rel="related" href="#ia-8">IA-8</link>
-            </part>
-            <part id="sa-4.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs only information technology products on the
-                  FIPS 201-approved products list for Personal Identity Verification (PIV)
-                  capability implemented within organizational information systems. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>organizational personnel with responsibility for ensuring only FIPS
-                     201-approved products are implemented</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for selecting and employing FIPS 201-approved
-                     products</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-5">
-         <title>Information System Documentation</title>
-         <param id="sa-5_prm_1">
-            <label>organization-defined actions</label>
-         </param>
-         <param id="sa-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-            <constraint>at a minimum, the ISSO (or similar role within the organization)</constraint>
-         </param>
-         <prop name="label">SA-5</prop>
-         <prop name="sort-id">sa-05</prop>
-         <part id="sa-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Secure configuration, installation, and operation of the system, component, or
-                     service;</p>
-               </part>
-               <part id="sa-5_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Effective use and maintenance of security functions/mechanisms; and</p>
-               </part>
-               <part id="sa-5_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>User-accessible security functions/mechanisms and how to effectively use those
-                     security functions/mechanisms;</p>
-               </part>
-               <part id="sa-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner; and</p>
-               </part>
-               <part id="sa-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>User responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents attempts to obtain information system, system component, or information
-                  system service documentation when such documentation is either unavailable or
-                  nonexistent and takes <insert param-id="sa-5_prm_1"/> in response;</p>
-            </part>
-            <part id="sa-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects documentation as required, in accordance with the risk management
-                  strategy; and</p>
-            </part>
-            <part id="sa-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Distributes documentation to <insert param-id="sa-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="sa-5_gdn" name="guidance">
-            <p>This control helps organizational personnel understand the implementation and
-               operation of security controls associated with information systems, system
-               components, and information system services. Organizations consider establishing
-               specific measures to determine the quality/completeness of the content provided. The
-               inability to obtain needed documentation may occur, for example, due to the age of
-               the information system/component or lack of support from developers and contractors.
-               In those situations, organizations may need to recreate selected documentation if
-               such documentation is essential to the effective implementation or operation of
-               security controls. The level of protection provided for selected information system,
-               component, or service documentation is commensurate with the security category or
-               classification of the system. For example, documentation associated with a key DoD
-               weapons system or command and control system would typically require a higher level
-               of protection than a routine administrative system. Documentation that addresses
-               information system vulnerabilities may also require an increased level of protection.
-               Secure operation of the information system, includes, for example, initially starting
-               the system and resuming secure system operation after any lapse in system
-               operation.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-         </part>
-         <part id="sa-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-5(a)</prop>
-               <p>obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5.a.1_obj" name="objective">
-                  <prop name="label">SA-5(a)(1)</prop>
-                  <part id="sa-5.a.1_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(1)[1]</prop>
-                     <p>secure configuration of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(1)[2]</prop>
-                     <p>secure installation of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.3" name="objective">
-                     <prop name="label">SA-5(a)(1)[3]</prop>
-                     <p>secure operation of the system, system component, or service;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.2_obj" name="objective">
-                  <prop name="label">SA-5(a)(2)</prop>
-                  <part id="sa-5.a.2_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(2)[1]</prop>
-                     <p>effective use of the security features/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.a.2_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(2)[2]</prop>
-                     <p>effective maintenance of the security features/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.3_obj" name="objective">
-                  <prop name="label">SA-5(a)(3)</prop>
-                  <p>known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-5(b)</prop>
-               <p>obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5.b.1_obj" name="objective">
-                  <prop name="label">SA-5(b)(1)</prop>
-                  <part id="sa-5.b.1_obj.1" name="objective">
-                     <prop name="label">SA-5(b)(1)[1]</prop>
-                     <p>user-accessible security functions/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.b.1_obj.2" name="objective">
-                     <prop name="label">SA-5(b)(1)[2]</prop>
-                     <p>how to effectively use those functions/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.b.2_obj" name="objective">
-                  <prop name="label">SA-5(b)(2)</prop>
-                  <p>methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner;</p>
-               </part>
-               <part id="sa-5.b.3_obj" name="objective">
-                  <prop name="label">SA-5(b)(3)</prop>
-                  <p>user responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5.c_obj" name="objective">
-               <prop name="label">SA-5(c)</prop>
-               <part id="sa-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-5(c)[1]</prop>
-                  <p>defines actions to be taken after documented attempts to obtain information
-                     system, system component, or information system service documentation when such
-                     documentation is either unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(c)[2]</prop>
-                  <p>documents attempts to obtain information system, system component, or
-                     information system service documentation when such documentation is either
-                     unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(c)[3]</prop>
-                  <p>takes organization-defined actions in response;</p>
-               </part>
-            </part>
-            <part id="sa-5.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-5(d)</prop>
-               <p>protects documentation as required, in accordance with the risk management
-                  strategy;</p>
-            </part>
-            <part id="sa-5.e_obj" name="objective">
-               <prop name="label">SA-5(e)</prop>
-               <part id="sa-5.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-5(e)[1]</prop>
-                  <p>defines personnel or roles to whom documentation is to be distributed; and</p>
-               </part>
-               <part id="sa-5.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(e)[2]</prop>
-                  <p>distributes documentation to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing information system documentation</p>
-               <p>information system documentation including administrator and user guides</p>
-               <p>records documenting attempts to obtain unavailable or nonexistent information
-                  system documentation</p>
-               <p>list of actions to be taken in response to documented attempts to obtain
-                  information system, system component, or information system service
-                  documentation</p>
-               <p>risk management strategy documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security requirements</p>
-               <p>system administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>information system developers</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for obtaining, protecting, and distributing information
-                  system administrator and user documentation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-8">
-         <title>Security Engineering Principles</title>
-         <prop name="label">SA-8</prop>
-         <prop name="sort-id">sa-08</prop>
-         <link href="#21b1ed35-56d2-40a8-bdfe-b461fffe322f" rel="reference">NIST Special Publication 800-27</link>
-         <part id="sa-8_smt" name="statement">
-            <p>The organization applies information system security engineering principles in the
-               specification, design, development, implementation, and modification of the
-               information system.</p>
-         </part>
-         <part id="sa-8_gdn" name="guidance">
-            <p>Organizations apply security engineering principles primarily to new development
-               information systems or systems undergoing major upgrades. For legacy systems,
-               organizations apply security engineering principles to system upgrades and
-               modifications to the extent feasible, given the current state of hardware, software,
-               and firmware within those systems. Security engineering principles include, for
-               example: (i) developing layered protections; (ii) establishing sound security policy,
-               architecture, and controls as the foundation for design; (iii) incorporating security
-               requirements into the system development life cycle; (iv) delineating physical and
-               logical security boundaries; (v) ensuring that system developers are trained on how
-               to build secure software; (vi) tailoring security controls to meet organizational and
-               operational needs; (vii) performing threat modeling to identify use cases, threat
-               agents, attack vectors, and attack patterns as well as compensating controls and
-               design patterns needed to mitigate risk; and (viii) reducing risk to acceptable
-               levels, thus enabling informed risk management decisions.</p>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sa-8_obj" name="objective">
-            <p>Determine if the organization applies information system security engineering
-               principles in: </p>
-            <part id="sa-8_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-8[1]</prop>
-               <p>the specification of the information system;</p>
-            </part>
-            <part id="sa-8_obj.2" name="objective">
-               <prop name="label">SA-8[2]</prop>
-               <p>the design of the information system;</p>
-            </part>
-            <part id="sa-8_obj.3" name="objective">
-               <prop name="label">SA-8[3]</prop>
-               <p>the development of the information system;</p>
-            </part>
-            <part id="sa-8_obj.4" name="objective">
-               <prop name="label">SA-8[4]</prop>
-               <p>the implementation of the information system; and</p>
-            </part>
-            <part id="sa-8_obj.5" name="objective">
-               <prop name="label">SA-8[5]</prop>
-               <p>the modification of the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing security engineering principles used in the specification,
-                  design, development, implementation, and modification of the information
-                  system</p>
-               <p>information system design documentation</p>
-               <p>information security requirements and specifications for the information
-                  system</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security requirements</p>
-               <p>organizational personnel with information system specification, design,
-                  development, implementation, and modification responsibilities</p>
-               <p>information system developers</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for applying security engineering principles in
-                  information system specification, design, development, implementation, and
-                  modification</p>
-               <p>automated mechanisms supporting the application of security engineering principles
-                  in information system specification, design, development, implementation, and
-                  modification</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-9">
-         <title>External Information System Services</title>
-         <param id="sa-9_prm_1">
-            <label>organization-defined security controls</label>
-            <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-         </param>
-         <param id="sa-9_prm_2">
-            <label>organization-defined processes, methods, and techniques</label>
-            <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-         </param>
-         <prop name="label">SA-9</prop>
-         <prop name="sort-id">sa-09</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="sa-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires that providers of external information system services comply with
-                  organizational information security requirements and employ <insert param-id="sa-9_prm_1"/> in accordance with applicable federal laws, Executive
-                  Orders, directives, policies, regulations, standards, and guidance;</p>
-            </part>
-            <part id="sa-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents government oversight and user roles and responsibilities
-                  with regard to external information system services; and</p>
-            </part>
-            <part id="sa-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs <insert param-id="sa-9_prm_2"/> to monitor security control compliance by
-                  external service providers on an ongoing basis.</p>
-            </part>
-         </part>
-         <part id="sa-9_gdn" name="guidance">
-            <p>External information system services are services that are implemented outside of the
-               authorization boundaries of organizational information systems. This includes
-               services that are used by, but not a part of, organizational information systems.
-               FISMA and OMB policy require that organizations using external service providers that
-               are processing, storing, or transmitting federal information or operating information
-               systems on behalf of the federal government ensure that such providers meet the same
-               security requirements that federal agencies are required to meet. Organizations
-               establish relationships with external service providers in a variety of ways
-               including, for example, through joint ventures, business partnerships, contracts,
-               interagency agreements, lines of business arrangements, licensing agreements, and
-               supply chain exchanges. The responsibility for managing risks from the use of
-               external information system services remains with authorizing officials. For services
-               external to organizations, a chain of trust requires that organizations establish and
-               retain a level of confidence that each participating provider in the potentially
-               complex consumer-provider relationship provides adequate protection for the services
-               rendered. The extent and nature of this chain of trust varies based on the
-               relationships between organizations and the external providers. Organizations
-               document the basis for trust relationships so the relationships can be monitored over
-               time. External information system services documentation includes government, service
-               providers, end user security roles and responsibilities, and service-level
-               agreements. Service-level agreements define expectations of performance for security
-               controls, describe measurable outcomes, and identify remedies and response
-               requirements for identified instances of noncompliance.</p>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ir-7">IR-7</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-         </part>
-         <part id="sa-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-9.a_obj" name="objective">
-               <prop name="label">SA-9(a)</prop>
-               <part id="sa-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[1]</prop>
-                  <p>defines security controls to be employed by providers of external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[2]</prop>
-                  <p>requires that providers of external information system services comply with
-                     organizational information security requirements;</p>
-               </part>
-               <part id="sa-9.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[3]</prop>
-                  <p>requires that providers of external information system services employ
-                     organization-defined security controls in accordance with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance;</p>
-               </part>
-            </part>
-            <part id="sa-9.b_obj" name="objective">
-               <prop name="label">SA-9(b)</prop>
-               <part id="sa-9.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(b)[1]</prop>
-                  <p>defines and documents government oversight with regard to external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(b)[2]</prop>
-                  <p>defines and documents user roles and responsibilities with regard to external
-                     information system services;</p>
-               </part>
-            </part>
-            <part id="sa-9.c_obj" name="objective">
-               <prop name="label">SA-9(c)</prop>
-               <part id="sa-9.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(c)[1]</prop>
-                  <p>defines processes, methods, and techniques to be employed to monitor security
-                     control compliance by external service providers; and</p>
-               </part>
-               <part id="sa-9.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(c)[2]</prop>
-                  <p>employs organization-defined processes, methods, and techniques to monitor
-                     security control compliance by external service providers on an ongoing
-                     basis.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing external information system services</p>
-               <p>procedures addressing methods and techniques for monitoring security control
-                  compliance by external service providers of information system services</p>
-               <p>acquisition contracts, service-level agreements</p>
-               <p>organizational security requirements and security specifications for external
-                  provider services</p>
-               <p>security control assessment evidence from external providers of information system
-                  services</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>external providers of information system services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-               <p>automated mechanisms for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-9.1">
-            <title>Risk Assessments / Organizational Approvals</title>
-            <param id="sa-9.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SA-9(1)</prop>
-            <prop name="sort-id">sa-09.01</prop>
-            <part id="sa-9.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sa-9.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Conducts an organizational assessment of risk prior to the acquisition or
-                     outsourcing of dedicated information security services; and</p>
-               </part>
-               <part id="sa-9.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Ensures that the acquisition or outsourcing of dedicated information security
-                     services is approved by <insert param-id="sa-9.1_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="sa-9.1_gdn" name="guidance">
-               <p>Dedicated information security services include, for example, incident monitoring,
-                  analysis and response, operation of information security-related devices such as
-                  firewalls, or key management services.</p>
-               <link rel="related" href="#ca-6">CA-6</link>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="sa-9.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.1.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(1)(a)</prop>
-                  <p>conducts an organizational assessment of risk prior to the acquisition or
-                     outsourcing of dedicated information security services;</p>
-                  <link rel="corresp" href="#sa-9.1_smt.a">SA-9(1)(a)</link>
-               </part>
-               <part id="sa-9.1.b_obj" name="objective">
-                  <prop name="label">SA-9(1)(b)</prop>
-                  <part id="sa-9.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-9(1)(b)[1]</prop>
-                     <p>defines personnel or roles designated to approve the acquisition or
-                        outsourcing of dedicated information security services; and</p>
-                  </part>
-                  <part id="sa-9.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SA-9(1)(b)[2]</prop>
-                     <p>ensures that the acquisition or outsourcing of dedicated information
-                        security services is approved by organization-defined personnel or
-                        roles.</p>
-                  </part>
-                  <link rel="corresp" href="#sa-9.1_smt.b">SA-9(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>risk assessment reports</p>
-                  <p>approval records for acquisition or outsourcing of dedicated information
-                     security services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information system security responsibilities</p>
-                  <p>external providers of information system services</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting a risk assessment prior to acquiring or
-                     outsourcing dedicated information security services</p>
-                  <p>organizational processes for approving the outsourcing of dedicated information
-                     security services</p>
-                  <p>automated mechanisms supporting and/or implementing risk assessment</p>
-                  <p>automated mechanisms supporting and/or implementing approval processes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.2">
-            <title>Identification of Functions / Ports / Protocols / Services</title>
-            <param id="sa-9.2_prm_1">
-               <label>organization-defined external information system services</label>
-               <constraint>all external systems where Federal information is processed or stored</constraint>
-            </param>
-            <prop name="label">SA-9(2)</prop>
-            <prop name="sort-id">sa-09.02</prop>
-            <part id="sa-9.2_smt" name="statement">
-               <p>The organization requires providers of <insert param-id="sa-9.2_prm_1"/> to
-                  identify the functions, ports, protocols, and other services required for the use
-                  of such services.</p>
-            </part>
-            <part id="sa-9.2_gdn" name="guidance">
-               <p>Information from external service providers regarding the specific functions,
-                  ports, protocols, and services used in the provision of such services can be
-                  particularly useful when the need arises to understand the trade-offs involved in
-                  restricting certain functions/services or blocking certain ports/protocols.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-            </part>
-            <part id="sa-9.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(2)[1]</prop>
-                  <p>defines external information system services for which providers of such
-                     services are to identify the functions, ports, protocols, and other services
-                     required for the use of such services;</p>
-               </part>
-               <part id="sa-9.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">SA-9(2)[2]</prop>
-                  <p>requires providers of organization-defined external information system services
-                     to identify:</p>
-                  <part id="sa-9.2_obj.2.a" name="objective">
-                     <prop name="label">SA-9(2)[2][a]</prop>
-                     <p>the functions required for the use of such services;</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.b" name="objective">
-                     <prop name="label">SA-9(2)[2][b]</prop>
-                     <p>the ports required for the use of such services;</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.c" name="objective">
-                     <prop name="label">SA-9(2)[2][c]</prop>
-                     <p>the protocols required for the use of such services; and</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.d" name="objective">
-                     <prop name="label">SA-9(2)[2][d]</prop>
-                     <p>the other services required for the use of such services.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation, service-level agreements</p>
-                  <p>organizational security requirements and security specifications for external
-                     service providers</p>
-                  <p>list of required functions, ports, protocols, and other services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.4">
-            <title>Consistent Interests of Consumers and Providers</title>
-            <param id="sa-9.4_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="sa-9.4_prm_2">
-               <label>organization-defined external service providers</label>
-               <constraint>all external systems where Federal information is processed or stored</constraint>
-            </param>
-            <prop name="label">SA-9(4)</prop>
-            <prop name="sort-id">sa-09.04</prop>
-            <part id="sa-9.4_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-9.4_prm_1"/> to ensure that the
-                  interests of <insert param-id="sa-9.4_prm_2"/> are consistent with and reflect
-                  organizational interests.</p>
-            </part>
-            <part id="sa-9.4_gdn" name="guidance">
-               <p>As organizations increasingly use external service providers, the possibility
-                  exists that the interests of the service providers may diverge from organizational
-                  interests. In such situations, simply having the correct technical, procedural, or
-                  operational safeguards in place may not be sufficient if the service providers
-                  that implement and control those safeguards are not operating in a manner
-                  consistent with the interests of the consuming organizations. Possible actions
-                  that organizations might take to address such concerns include, for example,
-                  requiring background checks for selected service provider personnel, examining
-                  ownership records, employing only trustworthy service providers (i.e., providers
-                  with which organizations have had positive experiences), and conducting
-                  periodic/unscheduled visits to service provider facilities.</p>
-            </part>
-            <part id="sa-9.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(4)[1]</prop>
-                  <p>defines external service providers whose interests are to be consistent with
-                     and reflect organizational interests;</p>
-               </part>
-               <part id="sa-9.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(4)[2]</prop>
-                  <p>defines security safeguards to be employed to ensure that the interests of
-                     organization-defined external service providers are consistent with and reflect
-                     organizational interests; and</p>
-               </part>
-               <part id="sa-9.4_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(4)[3]</prop>
-                  <p>employs organization-defined security safeguards to ensure that the interests
-                     of organization-defined external service providers are consistent with and
-                     reflect organizational interests.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>organizational security requirements/safeguards for external service
-                     providers</p>
-                  <p>personnel security policies for external service providers</p>
-                  <p>assessments performed on external service providers</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing safeguards to ensure
-                     consistent interests with external service providers</p>
-                  <p>automated mechanisms supporting and/or implementing safeguards to ensure
-                     consistent interests with external service providers</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.5">
-            <title>Processing, Storage, and Service Location</title>
-            <param id="sa-9.5_prm_1">
-               <constraint>information processing, information data, AND information services</constraint>
-            </param>
-            <param id="sa-9.5_prm_2">
-               <label>organization-defined locations</label>
-               <constraint>U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction</constraint>
-            </param>
-            <param id="sa-9.5_prm_3">
-               <label>organization-defined requirements or conditions</label>
-               <constraint>all High Impact Data, Systems, or Services</constraint>
-            </param>
-            <prop name="label">SA-9(5)</prop>
-            <prop name="sort-id">sa-09.05</prop>
-            <part id="sa-9.5_smt" name="statement">
-               <p>The organization restricts the location of <insert param-id="sa-9.5_prm_1"/> to
-                     <insert param-id="sa-9.5_prm_2"/> based on <insert param-id="sa-9.5_prm_3"/>.</p>
-            </part>
-            <part id="sa-9.5_gdn" name="guidance">
-               <p>The location of information processing, information/data storage, or information
-                  system services that are critical to organizations can have a direct impact on the
-                  ability of those organizations to successfully execute their missions/business
-                  functions. This situation exists when external providers control the location of
-                  processing, storage or services. The criteria external providers use for the
-                  selection of processing, storage, or service locations may be different from
-                  organizational criteria. For example, organizations may want to ensure that
-                  data/information storage locations are restricted to certain locations to
-                  facilitate incident response activities (e.g., forensic analyses, after-the-fact
-                  investigations) in case of information security breaches/compromises. Such
-                  incident response activities may be adversely affected by the governing laws or
-                  protocols in the locations where processing and storage occur and/or the locations
-                  from which information system services emanate.</p>
-            </part>
-            <part id="sa-9.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(5)[1]</prop>
-                  <p>defines locations where organization-defined information processing,
-                     information/data, and/or information system services are to be restricted;</p>
-               </part>
-               <part id="sa-9.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(5)[2]</prop>
-                  <p>defines requirements or conditions to restrict the location of information
-                     processing, information/data, and/or information system services;</p>
-               </part>
-               <part id="sa-9.5_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(5)[3]</prop>
-                  <p>restricts the location of one or more of the following to organization-defined
-                     locations based on organization-defined requirements or conditions:</p>
-                  <part id="sa-9.5_obj.3.a" name="objective">
-                     <prop name="label">SA-9(5)[3][a]</prop>
-                     <p>information processing;</p>
-                  </part>
-                  <part id="sa-9.5_obj.3.b" name="objective">
-                     <prop name="label">SA-9(5)[3][b]</prop>
-                     <p>information/data; and/or</p>
-                  </part>
-                  <part id="sa-9.5_obj.3.c" name="objective">
-                     <prop name="label">SA-9(5)[3][c]</prop>
-                     <p>information services.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>restricted locations for information processing</p>
-                  <p>information/data and/or information system services</p>
-                  <p>information processing, information/data, and/or information system services to
-                     be maintained in restricted locations</p>
-                  <p>organizational security requirements or conditions for external providers</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining requirements to restrict locations of
-                     information processing, information/data, or information services</p>
-                  <p>organizational processes for ensuring the location is restricted in accordance
-                     with requirements or conditions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-10">
-         <title>Developer Configuration Management</title>
-         <param id="sa-10_prm_1">
-            <constraint>development, implementation, AND operation</constraint>
-         </param>
-         <param id="sa-10_prm_2">
-            <label>organization-defined configuration items under configuration management</label>
-         </param>
-         <param id="sa-10_prm_3">
-            <label>organization-defined personnel</label>
-         </param>
-         <prop name="label">SA-10</prop>
-         <prop name="sort-id">sa-10</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="sa-10_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to:</p>
-            <part id="sa-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Perform configuration management during system, component, or service <insert param-id="sa-10_prm_1"/>;</p>
-            </part>
-            <part id="sa-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Document, manage, and control the integrity of changes to <insert param-id="sa-10_prm_2"/>;</p>
-            </part>
-            <part id="sa-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Implement only organization-approved changes to the system, component, or
-                  service;</p>
-            </part>
-            <part id="sa-10_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Document approved changes to the system, component, or service and the potential
-                  security impacts of such changes; and</p>
-            </part>
-            <part id="sa-10_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Track security flaws and flaw resolution within the system, component, or service
-                  and report findings to <insert param-id="sa-10_prm_3"/>.</p>
-            </part>
-            <part id="sa-10_fr" name="item">
-               <title>SA-10 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-10_fr_smt.1" name="item">
-                  <prop name="label">(e)  Requirement:</prop>
-                  <p>For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-10_gdn" name="guidance">
-            <p>This control also applies to organizations conducting internal information systems
-               development and integration. Organizations consider the quality and completeness of
-               the configuration management activities conducted by developers as evidence of
-               applying effective security safeguards. Safeguards include, for example, protecting
-               from unauthorized modification or destruction, the master copies of all material used
-               to generate security-relevant portions of the system hardware, software, and
-               firmware. Maintaining the integrity of changes to the information system, information
-               system component, or information system service requires configuration control
-               throughout the system development life cycle to track authorized changes and prevent
-               unauthorized changes. Configuration items that are placed under configuration
-               management (if existence/use is required by other security controls) include: the
-               formal model; the functional, high-level, and low-level design specifications; other
-               design data; implementation documentation; source code and hardware schematics; the
-               running version of the object code; tools for comparing new versions of
-               security-relevant hardware descriptions and software/firmware source code with
-               previous versions; and test fixtures and documentation. Depending on the
-               mission/business needs of organizations and the nature of the contractual
-               relationships in place, developers may provide configuration management support
-               during the operations and maintenance phases of the life cycle.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="sa-10_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-10.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-10(a)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to perform configuration management during one or more of the
-                  following:</p>
-               <part id="sa-10.a_obj.1" name="objective">
-                  <prop name="label">SA-10(a)[1]</prop>
-                  <p>system, component, or service design;</p>
-               </part>
-               <part id="sa-10.a_obj.2" name="objective">
-                  <prop name="label">SA-10(a)[2]</prop>
-                  <p>system, component, or service development;</p>
-               </part>
-               <part id="sa-10.a_obj.3" name="objective">
-                  <prop name="label">SA-10(a)[3]</prop>
-                  <p>system, component, or service implementation; and/or</p>
-               </part>
-               <part id="sa-10.a_obj.4" name="objective">
-                  <prop name="label">SA-10(a)[4]</prop>
-                  <p>system, component, or service operation;</p>
-               </part>
-            </part>
-            <part id="sa-10.b_obj" name="objective">
-               <prop name="label">SA-10(b)</prop>
-               <part id="sa-10.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-10(b)[1]</prop>
-                  <p>defines configuration items to be placed under configuration management;</p>
-               </part>
-               <part id="sa-10.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-10(b)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to:</p>
-                  <part id="sa-10.b_obj.2.a" name="objective">
-                     <prop name="label">SA-10(b)[2][a]</prop>
-                     <p>document the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-                  <part id="sa-10.b_obj.2.b" name="objective">
-                     <prop name="label">SA-10(b)[2][b]</prop>
-                     <p>manage the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-                  <part id="sa-10.b_obj.2.c" name="objective">
-                     <prop name="label">SA-10(b)[2][c]</prop>
-                     <p>control the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-10.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-10(c)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to implement only organization-approved changes to the system,
-                  component, or service;</p>
-            </part>
-            <part id="sa-10.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-10(d)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to document:</p>
-               <part id="sa-10.d_obj.1" name="objective">
-                  <prop name="label">SA-10(d)[1]</prop>
-                  <p>approved changes to the system, component, or service;</p>
-               </part>
-               <part id="sa-10.d_obj.2" name="objective">
-                  <prop name="label">SA-10(d)[2]</prop>
-                  <p>the potential security impacts of such changes;</p>
-               </part>
-            </part>
-            <part id="sa-10.e_obj" name="objective">
-               <prop name="label">SA-10(e)</prop>
-               <part id="sa-10.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-10(e)[1]</prop>
-                  <p>defines personnel to whom findings, resulting from security flaws and flaw
-                     resolution tracked within the system, component, or service, are to be
-                     reported;</p>
-               </part>
-               <part id="sa-10.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-10(e)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to:</p>
-                  <part id="sa-10.e_obj.2.a" name="objective">
-                     <prop name="label">SA-10(e)[2][a]</prop>
-                     <p>track security flaws within the system, component, or service;</p>
-                  </part>
-                  <part id="sa-10.e_obj.2.b" name="objective">
-                     <prop name="label">SA-10(e)[2][b]</prop>
-                     <p>track security flaw resolution within the system, component, or service;
-                        and</p>
-                  </part>
-                  <part id="sa-10.e_obj.2.c" name="objective">
-                     <prop name="label">SA-10(e)[2][c]</prop>
-                     <p>report findings to organization-defined personnel.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing system developer configuration management</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>system developer configuration management plan</p>
-               <p>security flaw and flaw resolution tracking records</p>
-               <p>system change authorization records</p>
-               <p>change control records</p>
-               <p>configuration management records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with configuration management responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring developer configuration management</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                  configuration management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-10.1">
-            <title>Software / Firmware Integrity Verification</title>
-            <prop name="label">SA-10(1)</prop>
-            <prop name="sort-id">sa-10.01</prop>
-            <part id="sa-10.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to enable integrity verification of
-                  software and firmware components.</p>
-            </part>
-            <part id="sa-10.1_gdn" name="guidance">
-               <p>This control enhancement allows organizations to detect unauthorized changes to
-                  software and firmware components through the use of tools, techniques, and/or
-                  mechanisms provided by developers. Integrity checking mechanisms can also address
-                  counterfeiting of software and firmware components. Organizations verify the
-                  integrity of software and firmware components, for example, through secure one-way
-                  hashes provided by developers. Delivered software and firmware components also
-                  include any updates to such components.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="sa-10.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to enable integrity verification
-                  of software and firmware components.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer configuration management</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system</p>
-                  <p>system component, or information system service</p>
-                  <p>system developer configuration management plan</p>
-                  <p>software and firmware integrity verification records</p>
-                  <p>system change authorization records</p>
-                  <p>change control records</p>
-                  <p>configuration management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     configuration management</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-11">
-         <title>Developer Security Testing and Evaluation</title>
-         <param id="sa-11_prm_1"/>
-         <param id="sa-11_prm_2">
-            <label>organization-defined depth and coverage</label>
-         </param>
-         <prop name="label">SA-11</prop>
-         <prop name="sort-id">sa-11</prop>
-         <link href="#1737a687-52fb-4008-b900-cbfa836f7b65" rel="reference">ISO/IEC 15408</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <link href="#15522e92-9192-463d-9646-6a01982db8ca" rel="reference">http://cwe.mitre.org</link>
-         <link href="#0931209f-00ae-4132-b92c-bc645847e8f9" rel="reference">http://cve.mitre.org</link>
-         <link href="#4ef539ba-b767-4666-b0d3-168c53005fa3" rel="reference">http://capec.mitre.org</link>
-         <part id="sa-11_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to:</p>
-            <part id="sa-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Create and implement a security assessment plan;</p>
-            </part>
-            <part id="sa-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Perform <insert param-id="sa-11_prm_1"/> testing/evaluation at <insert param-id="sa-11_prm_2"/>;</p>
-            </part>
-            <part id="sa-11_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Produce evidence of the execution of the security assessment plan and the results
-                  of the security testing/evaluation;</p>
-            </part>
-            <part id="sa-11_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implement a verifiable flaw remediation process; and</p>
-            </part>
-            <part id="sa-11_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Correct flaws identified during security testing/evaluation.</p>
-            </part>
-         </part>
-         <part id="sa-11_gdn" name="guidance">
-            <p>Developmental security testing/evaluation occurs at all post-design phases of the
-               system development life cycle. Such testing/evaluation confirms that the required
-               security controls are implemented correctly, operating as intended, enforcing the
-               desired security policy, and meeting established security requirements. Security
-               properties of information systems may be affected by the interconnection of system
-               components or changes to those components. These interconnections or changes (e.g.,
-               upgrading or replacing applications and operating systems) may adversely affect
-               previously implemented security controls. This control provides additional types of
-               security testing/evaluation that developers can conduct to reduce or eliminate
-               potential flaws. Testing custom software applications may require approaches such as
-               static analysis, dynamic analysis, binary analysis, or a hybrid of the three
-               approaches. Developers can employ these analysis approaches in a variety of tools
-               (e.g., web-based application scanners, static analysis tools, binary analyzers) and
-               in source code reviews. Security assessment plans provide the specific activities
-               that developers plan to carry out including the types of analyses, testing,
-               evaluation, and reviews of software and firmware components, the degree of rigor to
-               be applied, and the types of artifacts produced during those processes. The depth of
-               security testing/evaluation refers to the rigor and level of detail associated with
-               the assessment process (e.g., black box, gray box, or white box testing). The
-               coverage of security testing/evaluation refers to the scope (i.e., number and type)
-               of the artifacts included in the assessment process. Contracts specify the acceptance
-               criteria for security assessment plans, flaw remediation processes, and the evidence
-               that the plans/processes have been diligently applied. Methods for reviewing and
-               protecting assessment plans, evidence, and documentation are commensurate with the
-               security category or classification level of the information system. Contracts may
-               specify documentation protection requirements.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="sa-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-11.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-11(a)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to create and implement a security plan;</p>
-            </part>
-            <part id="sa-11.b_obj" name="objective">
-               <prop name="label">SA-11(b)</prop>
-               <part id="sa-11.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-11(b)[1]</prop>
-                  <p>defines the depth of testing/evaluation to be performed by the developer of the
-                     information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-11.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-11(b)[2]</prop>
-                  <p>defines the coverage of testing/evaluation to be performed by the developer of
-                     the information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-11.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-11(b)[3]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to perform one or more of the following
-                     testing/evaluation at the organization-defined depth and coverage:</p>
-                  <part id="sa-11.b_obj.3.a" name="objective">
-                     <prop name="label">SA-11(b)[3][a]</prop>
-                     <p>unit testing/evaluation;</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.b" name="objective">
-                     <prop name="label">SA-11(b)[3][b]</prop>
-                     <p>integration testing/evaluation;</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.c" name="objective">
-                     <prop name="label">SA-11(b)[3][c]</prop>
-                     <p>system testing/evaluation; and/or</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.d" name="objective">
-                     <prop name="label">SA-11(b)[3][d]</prop>
-                     <p>regression testing/evaluation;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-11.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-11(c)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to produce evidence of:</p>
-               <part id="sa-11.c_obj.1" name="objective">
-                  <prop name="label">SA-11(c)[1]</prop>
-                  <p>the execution of the security assessment plan;</p>
-               </part>
-               <part id="sa-11.c_obj.2" name="objective">
-                  <prop name="label">SA-11(c)[2]</prop>
-                  <p>the results of the security testing/evaluation;</p>
-               </part>
-            </part>
-            <part id="sa-11.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-11(d)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to implement a verifiable flaw remediation process; and</p>
-            </part>
-            <part id="sa-11.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-11(e)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to correct flaws identified during security testing/evaluation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing system developer security testing</p>
-               <p>procedures addressing flaw remediation</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>system developer security test plans</p>
-               <p>records of developer security testing results for the information system, system
-                  component, or information system service</p>
-               <p>security flaw and remediation tracking records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with developer security testing responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring developer security testing and
-                  evaluation</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                  security testing and evaluation</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-11.1">
-            <title>Static Code Analysis</title>
-            <prop name="label">SA-11(1)</prop>
-            <prop name="sort-id">sa-11.01</prop>
-            <part id="sa-11.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to employ static code analysis tools to
-                  identify common flaws and document the results of the analysis.</p>
-               <part id="sa-11.1_fr" name="item">
-                  <title>SA-11 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="sa-11.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-11.1_gdn" name="guidance">
-               <p>Static code analysis provides a technology and methodology for security reviews.
-                  Such analysis can be used to identify security vulnerabilities and enforce
-                  security coding practices. Static code analysis is most effective when used early
-                  in the development process, when each code change can be automatically scanned for
-                  potential weaknesses. Static analysis can provide clear remediation guidance along
-                  with defects to enable developers to fix such defects. Evidence of correct
-                  implementation of static analysis can include, for example, aggregate defect
-                  density for critical defect types, evidence that defects were inspected by
-                  developers or security professionals, and evidence that defects were fixed. An
-                  excessively high density of ignored findings (commonly referred to as ignored or
-                  false positives) indicates a potential problem with the analysis process or tool.
-                  In such cases, organizations weigh the validity of the evidence against evidence
-                  from other sources.</p>
-            </part>
-            <part id="sa-11.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to employ static code analysis
-                  tools to identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test plans</p>
-                  <p>system developer security testing results</p>
-                  <p>security flaw and remediation tracking records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-                  <p>static code analysis tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.2">
-            <title>Threat and Vulnerability Analyses</title>
-            <prop name="label">SA-11(2)</prop>
-            <prop name="sort-id">sa-11.02</prop>
-            <part id="sa-11.2_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to perform threat and vulnerability
-                  analyses and subsequent testing/evaluation of the as-built system, component, or
-                  service.</p>
-            </part>
-            <part id="sa-11.2_gdn" name="guidance">
-               <p>Applications may deviate significantly from the functional and design
-                  specifications created during the requirements and design phases of the system
-                  development life cycle. Therefore, threat and vulnerability analyses of
-                  information systems, system components, and information system services prior to
-                  delivery are critical to the effective operation of those systems, components, and
-                  services. Threat and vulnerability analyses at this phase of the life cycle help
-                  to ensure that design or implementation changes have been accounted for, and that
-                  any new vulnerabilities created as a result of those changes have been reviewed
-                  and mitigated.</p>
-               <link rel="related" href="#pm-15">PM-15</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="sa-11.2_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to perform:</p>
-               <part id="sa-11.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-11(2)[1]</prop>
-                  <p>threat analyses of the as-built, system component, or service;</p>
-               </part>
-               <part id="sa-11.2_obj.2" name="objective">
-                  <prop name="label">SA-11(2)[2]</prop>
-                  <p>vulnerability analyses of the as-built, system component, or service; and</p>
-               </part>
-               <part id="sa-11.2_obj.3" name="objective">
-                  <prop name="label">SA-11(2)[3]</prop>
-                  <p>subsequent testing/evaluation of the as-built, system component, or
-                     service.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test plans</p>
-                  <p>records of developer security testing results for the information system,
-                     system component, or information system service</p>
-                  <p>vulnerability scanning results</p>
-                  <p>information system risk assessment reports</p>
-                  <p>threat and vulnerability analysis reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.8">
-            <title>Dynamic Code Analysis</title>
-            <prop name="label">SA-11(8)</prop>
-            <prop name="sort-id">sa-11.08</prop>
-            <part id="sa-11.8_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to employ dynamic code analysis tools to
-                  identify common flaws and document the results of the analysis.</p>
-               <part id="sa-11.8_fr" name="item">
-                  <title>SA-11 (8) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="sa-11.8_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-11.8_gdn" name="guidance">
-               <p>Dynamic code analysis provides run-time verification of software programs, using
-                  tools capable of monitoring programs for memory corruption, user privilege issues,
-                  and other potential security problems. Dynamic code analysis employs run-time
-                  tools to help to ensure that security functionality performs in the manner in
-                  which it was designed. A specialized type of dynamic analysis, known as fuzz
-                  testing, induces program failures by deliberately introducing malformed or random
-                  data into software programs. Fuzz testing strategies derive from the intended use
-                  of applications and the functional and design specifications for the applications.
-                  To understand the scope of dynamic code analysis and hence the assurance provided,
-                  organizations may also consider conducting code coverage analysis (checking the
-                  degree to which the code has been tested using metrics such as percent of
-                  subroutines tested or percent of program statements called during execution of the
-                  test suite) and/or concordance analysis (checking for words that are out of place
-                  in software code such as non-English language words or derogatory terms).</p>
-            </part>
-            <part id="sa-11.8_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to employ dynamic code analysis
-                  tools to identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test and evaluation plans</p>
-                  <p>security test and evaluation results</p>
-                  <p>security flaw and remediation tracking reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-12">
-         <title>Supply Chain Protection</title>
-         <param id="sa-12_prm_1">
-            <label>organization-defined security safeguards</label>
-            <constraint>organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures</constraint>
-         </param>
-         <prop name="label">SA-12</prop>
-         <prop name="sort-id">sa-12</prop>
-         <link href="#8ab6bcdc-339b-4068-b45e-994814a6e187" rel="reference">NIST Special Publication 800-161</link>
-         <link href="#bdd2f49e-edf7-491f-a178-4487898228f3" rel="reference">NIST Interagency Report 7622</link>
-         <part id="sa-12_smt" name="statement">
-            <p>The organization protects against supply chain threats to the information system,
-               system component, or information system service by employing <insert param-id="sa-12_prm_1"/> as part of a comprehensive, defense-in-breadth
-               information security strategy.</p>
-         </part>
-         <part id="sa-12_gdn" name="guidance">
-            <p>Information systems (including system components that compose those systems) need to
-               be protected throughout the system development life cycle (i.e., during design,
-               development, manufacturing, packaging, assembly, distribution, system integration,
-               operations, maintenance, and retirement). Protection of organizational information
-               systems is accomplished through threat awareness, by the identification, management,
-               and reduction of vulnerabilities at each phase of the life cycle and the use of
-               complementary, mutually reinforcing strategies to respond to risk. Organizations
-               consider implementing a standardized process to address supply chain risk with
-               respect to information systems and system components, and to educate the acquisition
-               workforce on threats, risk, and required security controls. Organizations use the
-               acquisition/procurement processes to require supply chain entities to implement
-               necessary security safeguards to: (i) reduce the likelihood of unauthorized
-               modifications at each stage in the supply chain; and (ii) protect information systems
-               and information system components, prior to taking delivery of such
-               systems/components. This control also applies to information system services.
-               Security safeguards include, for example: (i) security controls for development
-               systems, development facilities, and external connections to development systems;
-               (ii) vetting development personnel; and (iii) use of tamper-evident packaging during
-               shipping/warehousing. Methods for reviewing and protecting development plans,
-               evidence, and documentation are commensurate with the security category or
-               classification level of the information system. Contracts may specify documentation
-               protection requirements.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#pl-8">PL-8</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sa-14">SA-14</link>
-            <link rel="related" href="#sa-15">SA-15</link>
-            <link rel="related" href="#sa-18">SA-18</link>
-            <link rel="related" href="#sa-19">SA-19</link>
-            <link rel="related" href="#sc-29">SC-29</link>
-            <link rel="related" href="#sc-30">SC-30</link>
-            <link rel="related" href="#sc-38">SC-38</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sa-12_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-12_obj.1" name="objective">
-               <prop name="label">SA-12[1]</prop>
-               <p>defines security safeguards to be employed to protect against supply chain threats
-                  to the information system, system component, or information system service;
-                  and</p>
-            </part>
-            <part id="sa-12_obj.2" name="objective">
-               <prop name="label">SA-12[2]</prop>
-               <p>protects against supply chain threats to the information system, system component,
-                  or information system service by employing organization-defined security
-                  safeguards as part of a comprehensive, defense-in-breadth information security
-                  strategy.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing supply chain protection</p>
-               <p>procedures addressing the integration of information security requirements into
-                  the acquisition process</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>list of supply chain threats</p>
-               <p>list of security safeguards to be taken against supply chain threats</p>
-               <p>system development life cycle documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with supply chain protection responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining safeguards for and protecting against supply
-                  chain threats</p>
-               <p>automated mechanisms supporting and/or implementing safeguards for supply chain
-                  threats</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-15">
-         <title>Development Process, Standards, and Tools</title>
-         <param id="sa-15_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>as needed and as dictated by the current threat posture</constraint>
-         </param>
-         <param id="sa-15_prm_2">
-            <label>organization-defined security requirements</label>
-            <constraint>organization and service provider- defined security requirements</constraint>
-         </param>
-         <prop name="label">SA-15</prop>
-         <prop name="sort-id">sa-15</prop>
-         <part id="sa-15_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-15_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires the developer of the information system, system component, or information
-                  system service to follow a documented development process that:</p>
-               <part id="sa-15_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Explicitly addresses security requirements;</p>
-               </part>
-               <part id="sa-15_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Identifies the standards and tools used in the development process;</p>
-               </part>
-               <part id="sa-15_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Documents the specific tool options and tool configurations used in the
-                     development process; and</p>
-               </part>
-               <part id="sa-15_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Documents, manages, and ensures the integrity of changes to the process and/or
-                     tools used in development; and</p>
-               </part>
-            </part>
-            <part id="sa-15_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews the development process, standards, tools, and tool options/configurations
-                     <insert param-id="sa-15_prm_1"/> to determine if the process, standards, tools,
-                  and tool options/configurations selected and employed can satisfy <insert param-id="sa-15_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="sa-15_gdn" name="guidance">
-            <p>Development tools include, for example, programming languages and computer-aided
-               design (CAD) systems. Reviews of development processes can include, for example, the
-               use of maturity models to determine the potential effectiveness of such processes.
-               Maintaining the integrity of changes to tools and processes enables accurate supply
-               chain risk assessment and mitigation, and requires robust configuration control
-               throughout the life cycle (including design, development, transport, delivery,
-               integration, and maintenance) to track authorized changes and prevent unauthorized
-               changes.</p>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-15_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-15.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-15(a)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to follow a documented development process that:</p>
-               <part id="sa-15.a.1_obj" name="objective">
-                  <prop name="label">SA-15(a)(1)</prop>
-                  <p>explicitly addresses security requirements;</p>
-               </part>
-               <part id="sa-15.a.2_obj" name="objective">
-                  <prop name="label">SA-15(a)(2)</prop>
-                  <p>identifies the standards and tools used in the development process;</p>
-               </part>
-               <part id="sa-15.a.3_obj" name="objective">
-                  <prop name="label">SA-15(a)(3)</prop>
-                  <part id="sa-15.a.3_obj.1" name="objective">
-                     <prop name="label">SA-15(a)(3)[1]</prop>
-                     <p>documents the specific tool options used in the development process;</p>
-                  </part>
-                  <part id="sa-15.a.3_obj.2" name="objective">
-                     <prop name="label">SA-15(a)(3)[2]</prop>
-                     <p>documents the specific tool configurations used in the development
-                        process;</p>
-                  </part>
-               </part>
-               <part id="sa-15.a.4_obj" name="objective">
-                  <prop name="label">SA-15(a)(4)</prop>
-                  <part id="sa-15.a.4_obj.1" name="objective">
-                     <prop name="label">SA-15(a)(4)[1]</prop>
-                     <p>documents changes to the process and/or tools used in the development;</p>
-                  </part>
-                  <part id="sa-15.a.4_obj.2" name="objective">
-                     <prop name="label">SA-15(a)(4)[2]</prop>
-                     <p>manages changes to the process and/or tools used in the development;</p>
-                  </part>
-                  <part id="sa-15.a.4_obj.3" name="objective">
-                     <prop name="label">SA-15(a)(4)[3]</prop>
-                     <p>ensures the integrity of changes to the process and/or tools used in the
-                        development;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-15.b_obj" name="objective">
-               <prop name="label">SA-15(b)</prop>
-               <part id="sa-15.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-15(b)[1]</prop>
-                  <p>defines a frequency to review the development process, standards, tools, and
-                     tool options/configurations;</p>
-               </part>
-               <part id="sa-15.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-15(b)[2]</prop>
-                  <p>defines security requirements to be satisfied by the process, standards, tools,
-                     and tool option/configurations selected and employed; and</p>
-               </part>
-               <part id="sa-15.b_obj.3" name="objective">
-                  <prop name="label">SA-15(b)[3]</prop>
-                  <part id="sa-15.b_obj.3.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-15(b)[3][a]</prop>
-                     <p>reviews the development process with the organization-defined frequency to
-                        determine if the process selected and employed can satisfy
-                        organization-defined security requirements;</p>
-                  </part>
-                  <part id="sa-15.b_obj.3.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-15(b)[3][b]</prop>
-                     <p>reviews the development standards with the organization-defined frequency to
-                        determine if the standards selected and employed can satisfy
-                        organization-defined security requirements;</p>
-                  </part>
-                  <part id="sa-15.b_obj.3.c" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-15(b)[3][c]</prop>
-                     <p>reviews the development tools with the organization-defined frequency to
-                        determine if the tools selected and employed can satisfy
-                        organization-defined security requirements; and</p>
-                  </part>
-                  <part id="sa-15.b_obj.3.d" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-15(b)[3][d]</prop>
-                     <p>reviews the development tool options/configurations with the
-                        organization-defined frequency to determine if the tool
-                        options/configurations selected and employed can satisfy
-                        organization-defined security requirements.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing development process, standards, and tools</p>
-               <p>procedures addressing the integration of security requirements during the
-                  development process</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>system developer documentation listing tool options/configuration guides,
-                  configuration management records</p>
-               <p>change control records</p>
-               <p>configuration control records</p>
-               <p>documented reviews of development process, standards, tools, and tool
-                  options/configurations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-16">
-         <title>Developer-provided Training</title>
-         <param id="sa-16_prm_1">
-            <label>organization-defined training</label>
-         </param>
-         <prop name="label">SA-16</prop>
-         <prop name="sort-id">sa-16</prop>
-         <part id="sa-16_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to provide <insert param-id="sa-16_prm_1"/> on the
-               correct use and operation of the implemented security functions, controls, and/or
-               mechanisms.</p>
-         </part>
-         <part id="sa-16_gdn" name="guidance">
-            <p>This control applies to external and internal (in-house) developers. Training of
-               personnel is an essential element to ensure the effectiveness of security controls
-               implemented within organizational information systems. Training options include, for
-               example, classroom-style training, web-based/computer-based training, and hands-on
-               training. Organizations can also request sufficient training materials from
-               developers to conduct in-house training or offer self-training to organizational
-               personnel. Organizations determine the type of training necessary and may require
-               different types of training for different security functions, controls, or
-               mechanisms.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-         </part>
-         <part id="sa-16_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-16_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-16[1]</prop>
-               <p>defines training to be provided by the developer of the information system, system
-                  component, or information system service; and</p>
-            </part>
-            <part id="sa-16_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">SA-16[2]</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to provide organization-defined training on the correct use and
-                  operation of the implemented security functions, controls, and/or mechanisms.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing developer-provided training</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>developer-provided training materials</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information system security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational or third-party developers with training responsibilities for the
-                  information system, system component, or information system service</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-17">
-         <title>Developer Security Architecture and Design</title>
-         <prop name="label">SA-17</prop>
-         <prop name="sort-id">sa-17</prop>
-         <part id="sa-17_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to produce a design specification and security
-               architecture that:</p>
-            <part id="sa-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Is consistent with and supportive of the organization’s security architecture
-                  which is established within and is an integrated part of the organization’s
-                  enterprise architecture;</p>
-            </part>
-            <part id="sa-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Accurately and completely describes the required security functionality, and the
-                  allocation of security controls among physical and logical components; and</p>
-            </part>
-            <part id="sa-17_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Expresses how individual security functions, mechanisms, and services work
-                  together to provide required security capabilities and a unified approach to
-                  protection.</p>
-            </part>
-         </part>
-         <part id="sa-17_gdn" name="guidance">
-            <p>This control is primarily directed at external developers, although it could also be
-               used for internal (in-house) development. In contrast, PL-8 is primarily directed at
-               internal developers to help ensure that organizations develop an information security
-               architecture and such security architecture is integrated or tightly coupled to the
-               enterprise architecture. This distinction is important if/when organizations
-               outsource the development of information systems, information system components, or
-               information system services to external entities, and there is a requirement to
-               demonstrate consistency with the organization’s enterprise architecture and
-               information security architecture.</p>
-            <link rel="related" href="#pl-8">PL-8</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-17_obj" name="objective">
-            <p>Determine if the organization requires the developer of the information system,
-               system component, or information system service to produce a design specification and
-               security architecture that:</p>
-            <part id="sa-17.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">SA-17(a)</prop>
-               <p>is consistent with and supportive of the organization’s security architecture
-                  which is established within and is an integrated part of the organization’s
-                  enterprise architecture;</p>
-            </part>
-            <part id="sa-17.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">SA-17(b)</prop>
-               <p>accurately and completely describes:</p>
-               <part id="sa-17.b_obj.1" name="objective">
-                  <prop name="label">SA-17(b)[1]</prop>
-                  <p>the required security functionality;</p>
-               </part>
-               <part id="sa-17.b_obj.2" name="objective">
-                  <prop name="label">SA-17(b)[2]</prop>
-                  <p>the allocation of security controls among physical and logical components;
-                     and</p>
-               </part>
-            </part>
-            <part id="sa-17.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">SA-17(c)</prop>
-               <p>expresses how individual security functions, mechanisms, and services work
-                  together to provide required security capabilities and a unified approach to
-                  protection.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>enterprise architecture policy</p>
-               <p>procedures addressing developer security architecture and design specification for
-                  the information system</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>design specification and security architecture documentation for the system</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with security architecture and design
-                  responsibilities</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sc">
-      <title>System and Communications Protection</title>
-      <control class="SP800-53" id="sc-1">
-         <title>System and Communications Protection Policy and Procedures</title>
-         <param id="sc-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sc-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="sc-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SC-1</prop>
-         <prop name="sort-id">sc-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sc-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sc-1_prm_1"/>:</p>
-               <part id="sc-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and communications protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="sc-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and communications
-                     protection policy and associated system and communications protection controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sc-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sc-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and communications protection policy <insert param-id="sc-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="sc-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and communications protection procedures <insert param-id="sc-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sc-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-1.a_obj" name="objective">
-               <prop name="label">SC-1(a)</prop>
-               <part id="sc-1.a.1_obj" name="objective">
-                  <prop name="label">SC-1(a)(1)</prop>
-                  <part id="sc-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and communications protection policy that
-                        addresses:</p>
-                     <part id="sc-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sc-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and communications protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SC-1(a)(1)[3]</prop>
-                     <p>disseminates the system and communications protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sc-1.a.2_obj" name="objective">
-                  <prop name="label">SC-1(a)(2)</prop>
-                  <part id="sc-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and communications protection policy and associated system and
-                        communications protection controls;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sc-1.b_obj" name="objective">
-               <prop name="label">SC-1(b)</prop>
-               <part id="sc-1.b.1_obj" name="objective">
-                  <prop name="label">SC-1(b)(1)</prop>
-                  <part id="sc-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection policy;</p>
-                  </part>
-                  <part id="sc-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and communications protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sc-1.b.2_obj" name="objective">
-                  <prop name="label">SC-1(b)(2)</prop>
-                  <part id="sc-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection procedures; and</p>
-                  </part>
-                  <part id="sc-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and communications protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and communications protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-2">
-         <title>Application Partitioning</title>
-         <prop name="label">SC-2</prop>
-         <prop name="sort-id">sc-02</prop>
-         <part id="sc-2_smt" name="statement">
-            <p>The information system separates user functionality (including user interface
-               services) from information system management functionality.</p>
-         </part>
-         <part id="sc-2_gdn" name="guidance">
-            <p>Information system management functionality includes, for example, functions
-               necessary to administer databases, network components, workstations, or servers, and
-               typically requires privileged user access. The separation of user functionality from
-               information system management functionality is either physical or logical.
-               Organizations implement separation of system management-related functionality from
-               user functionality by using different computers, different central processing units,
-               different instances of operating systems, different network addresses, virtualization
-               techniques, or combinations of these or other methods, as appropriate. This type of
-               separation includes, for example, web administrative interfaces that use separate
-               authentication methods for users of any other information system resources.
-               Separation of system and user functionality may include isolating administrative
-               interfaces on different domains and with additional access controls.</p>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sc-2_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system separates user functionality (including user
-               interface services) from information system management functionality.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing application partitioning</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Separation of user functionality from information system management
-                  functionality</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-3">
-         <title>Security Function Isolation</title>
-         <prop name="label">SC-3</prop>
-         <prop name="sort-id">sc-03</prop>
-         <part id="sc-3_smt" name="statement">
-            <p>The information system isolates security functions from nonsecurity functions.</p>
-         </part>
-         <part id="sc-3_gdn" name="guidance">
-            <p>The information system isolates security functions from nonsecurity functions by
-               means of an isolation boundary (implemented via partitions and domains). Such
-               isolation controls access to and protects the integrity of the hardware, software,
-               and firmware that perform those security functions. Information systems implement
-               code separation (i.e., separation of security functions from nonsecurity functions)
-               in a number of ways, including, for example, through the provision of security
-               kernels via processor rings or processor modes. For non-kernel code, security
-               function isolation is often achieved through file system protections that serve to
-               protect the code on disk, and address space protections that protect executing code.
-               Information systems restrict access to security functions through the use of access
-               control mechanisms and by implementing least privilege capabilities. While the ideal
-               is for all of the code within the security function isolation boundary to only
-               contain security-relevant code, it is sometimes necessary to include nonsecurity
-               functions within the isolation boundary as an exception.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-13">SA-13</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-39">SC-39</link>
-         </part>
-         <part id="sc-3_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system isolates security functions from nonsecurity
-               functions.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing security function isolation</p>
-               <p>list of security functions to be isolated from nonsecurity functions</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Separation of security functions from nonsecurity functions within the information
-                  system</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-4">
-         <title>Information in Shared Resources</title>
-         <prop name="label">SC-4</prop>
-         <prop name="sort-id">sc-04</prop>
-         <part id="sc-4_smt" name="statement">
-            <p>The information system prevents unauthorized and unintended information transfer via
-               shared system resources.</p>
-         </part>
-         <part id="sc-4_gdn" name="guidance">
-            <p>This control prevents information, including encrypted representations of
-               information, produced by the actions of prior users/roles (or the actions of
-               processes acting on behalf of prior users/roles) from being available to any current
-               users/roles (or current processes) that obtain access to shared system resources
-               (e.g., registers, main memory, hard disks) after those resources have been released
-               back to information systems. The control of information in shared resources is also
-               commonly referred to as object reuse and residual information protection. This
-               control does not address: (i) information remanence which refers to residual
-               representation of data that has been nominally erased or removed; (ii) covert
-               channels (including storage and/or timing channels) where shared resources are
-               manipulated to violate information flow restrictions; or (iii) components within
-               information systems for which there are only single users/roles.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="sc-4_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system prevents unauthorized and unintended information
-               transfer via shared system resources.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing information protection in shared system resources</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms preventing unauthorized and unintended transfer of
-                  information via shared system resources</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-5">
-         <title>Denial of Service Protection</title>
-         <param id="sc-5_prm_1">
-            <label>organization-defined types of denial of service attacks or references to sources
-               for such information</label>
-         </param>
-         <param id="sc-5_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SC-5</prop>
-         <prop name="sort-id">sc-05</prop>
-         <part id="sc-5_smt" name="statement">
-            <p>The information system protects against or limits the effects of the following types
-               of denial of service attacks: <insert param-id="sc-5_prm_1"/> by employing <insert param-id="sc-5_prm_2"/>.</p>
-         </part>
-         <part id="sc-5_gdn" name="guidance">
-            <p>A variety of technologies exist to limit, or in some cases, eliminate the effects of
-               denial of service attacks. For example, boundary protection devices can filter
-               certain types of packets to protect information system components on internal
-               organizational networks from being directly affected by denial of service attacks.
-               Employing increased capacity and bandwidth combined with service redundancy may also
-               reduce the susceptibility to denial of service attacks.</p>
-            <link rel="related" href="#sc-6">SC-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="sc-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-5_obj.1" name="objective">
-               <prop name="label">SC-5[1]</prop>
-               <p>the organization defines types of denial of service attacks or reference to source
-                  of such information for the information system to protect against or limit the
-                  effects;</p>
-            </part>
-            <part id="sc-5_obj.2" name="objective">
-               <prop name="label">SC-5[2]</prop>
-               <p>the organization defines security safeguards to be employed by the information
-                  system to protect against or limit the effects of organization-defined types of
-                  denial of service attacks; and</p>
-            </part>
-            <part id="sc-5_obj.3" name="objective">
-               <prop name="label">SC-5[3]</prop>
-               <p>the information system protects against or limits the effects of the
-                  organization-defined denial or service attacks (or reference to source for such
-                  information) by employing organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing denial of service protection</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>list of denial of services attacks requiring employment of security safeguards to
-                  protect against or limit effects of such attacks</p>
-               <p>list of security safeguards protecting against or limiting the effects of denial
-                  of service attacks</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms protecting against or limiting the effects of denial of
-                  service attacks</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-6">
-         <title>Resource Availability</title>
-         <param id="sc-6_prm_1">
-            <label>organization-defined resources</label>
-         </param>
-         <param id="sc-6_prm_2"/>
-         <param id="sc-6_prm_3" depends-on="sc-6_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SC-6</prop>
-         <prop name="sort-id">sc-06</prop>
-         <part id="sc-6_smt" name="statement">
-            <p>The information system protects the availability of resources by allocating <insert param-id="sc-6_prm_1"/> by <insert param-id="sc-6_prm_2"/>.</p>
-         </part>
-         <part id="sc-6_gdn" name="guidance">
-            <p>Priority protection helps prevent lower-priority processes from delaying or
-               interfering with the information system servicing any higher-priority processes.
-               Quotas prevent users or processes from obtaining more than predetermined amounts of
-               resources. This control does not apply to information system components for which
-               there are only single users/roles.</p>
-         </part>
-         <part id="sc-6_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-6_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-6[1]</prop>
-               <p>the organization defines resources to be allocated to protect the availability of
-                  resources;</p>
-            </part>
-            <part id="sc-6_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-6[2]</prop>
-               <p>the organization defines security safeguards to be employed to protect the
-                  availability of resources;</p>
-            </part>
-            <part id="sc-6_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-6[3]</prop>
-               <p>the information system protects the availability of resources by allocating
-                  organization-defined resources by one or more of the following:</p>
-               <part id="sc-6_obj.3.a" name="objective">
-                  <prop name="label">SC-6[3][a]</prop>
-                  <p>priority;</p>
-               </part>
-               <part id="sc-6_obj.3.b" name="objective">
-                  <prop name="label">SC-6[3][b]</prop>
-                  <p>quota; and/or</p>
-               </part>
-               <part id="sc-6_obj.3.c" name="objective">
-                  <prop name="label">SC-6[3][c]</prop>
-                  <p>organization-defined safeguards.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing prioritization of information system resources</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing resource allocation
-                  capability</p>
-               <p>safeguards employed to protect availability of resources</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-7">
-         <title>Boundary Protection</title>
-         <param id="sc-7_prm_1"/>
-         <prop name="label">SC-7</prop>
-         <prop name="sort-id">sc-07</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#756a8e86-57d5-4701-8382-f7a40439665a" rel="reference">NIST Special Publication 800-41</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <part id="sc-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors and controls communications at the external boundary of the system and at
-                  key internal boundaries within the system;</p>
-            </part>
-            <part id="sc-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements subnetworks for publicly accessible system components that are <insert param-id="sc-7_prm_1"/> separated from internal organizational networks;
-                  and</p>
-            </part>
-            <part id="sc-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part id="sc-7_gdn" name="guidance">
-            <p>Managed interfaces include, for example, gateways, routers, firewalls, guards,
-               network-based malicious code analysis and virtualization systems, or encrypted
-               tunnels implemented within a security architecture (e.g., routers protecting
-               firewalls or application gateways residing on protected subnetworks). Subnetworks
-               that are physically or logically separated from internal networks are referred to as
-               demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-               organizational information systems includes, for example, restricting external web
-               traffic to designated web servers within managed interfaces and prohibiting external
-               traffic that appears to be spoofing internal addresses. Organizations consider the
-               shared nature of commercial telecommunications services in the implementation of
-               security controls associated with the use of such services. Commercial
-               telecommunications services are commonly based on network components and consolidated
-               management systems shared by all attached commercial customers, and may also include
-               third party-provided access lines and other service elements. Such transmission
-               services may represent sources of increased risk despite contract security
-               provisions.</p>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="sc-7_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-7.a_obj" name="objective">
-               <prop name="label">SC-7(a)</prop>
-               <part id="sc-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[1]</prop>
-                  <p>monitors communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[2]</prop>
-                  <p>monitors communications at key internal boundaries within the system;</p>
-               </part>
-               <part id="sc-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[3]</prop>
-                  <p>controls communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[4]</prop>
-                  <p>controls communications at key internal boundaries within the system;</p>
-               </part>
-            </part>
-            <part id="sc-7.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-7(b)</prop>
-               <p>implements subnetworks for publicly accessible system components that are
-                  either:</p>
-               <part id="sc-7.b_obj.1" name="objective">
-                  <prop name="label">SC-7(b)[1]</prop>
-                  <p>physically separated from internal organizational networks; and/or</p>
-               </part>
-               <part id="sc-7.b_obj.2" name="objective">
-                  <prop name="label">SC-7(b)[2]</prop>
-                  <p>logically separated from internal organizational networks; and</p>
-               </part>
-            </part>
-            <part id="sc-7.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-7(c)</prop>
-               <p>connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing boundary protection</p>
-               <p>list of key internal boundaries of the information system</p>
-               <p>information system design documentation</p>
-               <p>boundary protection hardware and software</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>enterprise security architecture documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with boundary protection responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing boundary protection capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-7.3">
-            <title>Access Points</title>
-            <prop name="label">SC-7(3)</prop>
-            <prop name="sort-id">sc-07.03</prop>
-            <part id="sc-7.3_smt" name="statement">
-               <p>The organization limits the number of external network connections to the
-                  information system.</p>
-            </part>
-            <part id="sc-7.3_gdn" name="guidance">
-               <p>Limiting the number of external network connections facilitates more comprehensive
-                  monitoring of inbound and outbound communications traffic. The Trusted Internet
-                  Connection (TIC) initiative is an example of limiting the number of external
-                  network connections.</p>
-            </part>
-            <part id="sc-7.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization limits the number of external network connections to
-                  the information system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>communications and network traffic monitoring logs</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>automated mechanisms limiting the number of external network connections to the
-                     information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.4">
-            <title>External Telecommunications Services</title>
-            <param id="sc-7.4_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SC-7(4)</prop>
-            <prop name="sort-id">sc-07.04</prop>
-            <part id="sc-7.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sc-7.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Implements a managed interface for each external telecommunication service;</p>
-               </part>
-               <part id="sc-7.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Establishes a traffic flow policy for each managed interface;</p>
-               </part>
-               <part id="sc-7.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Protects the confidentiality and integrity of the information being transmitted
-                     across each interface;</p>
-               </part>
-               <part id="sc-7.4_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Documents each exception to the traffic flow policy with a supporting
-                     mission/business need and duration of that need; and</p>
-               </part>
-               <part id="sc-7.4_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Reviews exceptions to the traffic flow policy <insert param-id="sc-7.4_prm_1"/>
-                     and removes exceptions that are no longer supported by an explicit
-                     mission/business need.</p>
-               </part>
-            </part>
-            <part id="sc-7.4_gdn" name="guidance">
-               <link rel="related" href="#sc-8">SC-8</link>
-            </part>
-            <part id="sc-7.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.4.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(4)(a)</prop>
-                  <p>implements a managed interface for each external telecommunication service;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.a">SC-7(4)(a)</link>
-               </part>
-               <part id="sc-7.4.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(4)(b)</prop>
-                  <p>establishes a traffic flow policy for each managed interface;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.b">SC-7(4)(b)</link>
-               </part>
-               <part id="sc-7.4.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(4)(c)</prop>
-                  <p>protects the confidentiality and integrity of the information being transmitted
-                     across each interface;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.c">SC-7(4)(c)</link>
-               </part>
-               <part id="sc-7.4.d_obj" name="objective">
-                  <prop name="label">SC-7(4)(d)</prop>
-                  <p>documents each exception to the traffic flow policy with:</p>
-                  <part id="sc-7.4.d_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-7(4)(d)[1]</prop>
-                     <p>a supporting mission/business need;</p>
-                  </part>
-                  <part id="sc-7.4.d_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-7(4)(d)[2]</prop>
-                     <p>duration of that need;</p>
-                  </part>
-                  <link rel="corresp" href="#sc-7.4_smt.d">SC-7(4)(d)</link>
-               </part>
-               <part id="sc-7.4.e_obj" name="objective">
-                  <prop name="label">SC-7(4)(e)</prop>
-                  <part id="sc-7.4.e_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-7(4)(e)[1]</prop>
-                     <p>defines a frequency to review exceptions to traffic flow policy;</p>
-                  </part>
-                  <part id="sc-7.4.e_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SC-7(4)(e)[2]</prop>
-                     <p>reviews exceptions to the traffic flow policy with the organization-defined
-                        frequency; and</p>
-                  </part>
-                  <part id="sc-7.4.e_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SC-7(4)(e)[3]</prop>
-                     <p>removes traffic flow policy exceptions that are no longer supported by an
-                        explicit mission/business need</p>
-                  </part>
-                  <link rel="corresp" href="#sc-7.4_smt.e">SC-7(4)(e)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>traffic flow policy</p>
-                  <p>information flow control policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system security architecture</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of traffic flow policy exceptions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for documenting and reviewing exceptions to the
-                     traffic flow policy</p>
-                  <p>organizational processes for removing exceptions to the traffic flow policy</p>
-                  <p>automated mechanisms implementing boundary protection capability</p>
-                  <p>managed interfaces implementing traffic flow policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.5">
-            <title>Deny by Default / Allow by Exception</title>
-            <prop name="label">SC-7(5)</prop>
-            <prop name="sort-id">sc-07.05</prop>
-            <part id="sc-7.5_smt" name="statement">
-               <p>The information system at managed interfaces denies network communications traffic
-                  by default and allows network communications traffic by exception (i.e., deny all,
-                  permit by exception).</p>
-            </part>
-            <part id="sc-7.5_gdn" name="guidance">
-               <p>This control enhancement applies to both inbound and outbound network
-                  communications traffic. A deny-all, permit-by-exception network communications
-                  traffic policy ensures that only those connections which are essential and
-                  approved are allowed.</p>
-            </part>
-            <part id="sc-7.5_obj" name="objective">
-               <p>Determine if the information system, at managed interfaces:</p>
-               <part id="sc-7.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(5)[1]</prop>
-                  <p>denies network traffic by default; and</p>
-               </part>
-               <part id="sc-7.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(5)[2]</prop>
-                  <p>allows network traffic by exception.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing traffic management at managed interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.7">
-            <title>Prevent Split Tunneling for Remote Devices</title>
-            <prop name="label">SC-7(7)</prop>
-            <prop name="sort-id">sc-07.07</prop>
-            <part id="sc-7.7_smt" name="statement">
-               <p>The information system, in conjunction with a remote device, prevents the device
-                  from simultaneously establishing non-remote connections with the system and
-                  communicating via some other connection to resources in external networks.</p>
-            </part>
-            <part id="sc-7.7_gdn" name="guidance">
-               <p>This control enhancement is implemented within remote devices (e.g., notebook
-                  computers) through configuration settings to disable split tunneling in those
-                  devices, and by preventing those configuration settings from being readily
-                  configurable by users. This control enhancement is implemented within the
-                  information system by the detection of split tunneling (or of configuration
-                  settings that allow split tunneling) in the remote device, and by prohibiting the
-                  connection if the remote device is using split tunneling. Split tunneling might be
-                  desirable by remote users to communicate with local information system resources
-                  such as printers/file servers. However, split tunneling would in effect allow
-                  unauthorized external connections, making the system more vulnerable to attack and
-                  to exfiltration of organizational information. The use of VPNs for remote
-                  connections, when adequately provisioned with appropriate security controls, may
-                  provide the organization with sufficient assurance that it can effectively treat
-                  such connections as non-remote connections from the confidentiality and integrity
-                  perspective. VPNs thus provide a means for allowing non-remote communications
-                  paths from remote devices. The use of an adequately provisioned VPN does not
-                  eliminate the need for preventing split tunneling.</p>
-            </part>
-            <part id="sc-7.7_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system, in conjunction with a remote device, prevents
-                  the device from simultaneously establishing non-remote connections with the system
-                  and communicating via some other connection to resources in external networks.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>automated mechanisms supporting/restricting non-remote connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.8">
-            <title>Route Traffic to Authenticated Proxy Servers</title>
-            <param id="sc-7.8_prm_1">
-               <label>organization-defined internal communications traffic</label>
-            </param>
-            <param id="sc-7.8_prm_2">
-               <label>organization-defined external networks</label>
-            </param>
-            <prop name="label">SC-7(8)</prop>
-            <prop name="sort-id">sc-07.08</prop>
-            <part id="sc-7.8_smt" name="statement">
-               <p>The information system routes <insert param-id="sc-7.8_prm_1"/> to <insert param-id="sc-7.8_prm_2"/> through authenticated proxy servers at managed
-                  interfaces.</p>
-            </part>
-            <part id="sc-7.8_gdn" name="guidance">
-               <p>External networks are networks outside of organizational control. A proxy server
-                  is a server (i.e., information system or application) that acts as an intermediary
-                  for clients requesting information system resources (e.g., files, connections, web
-                  pages, or services) from other organizational servers. Client requests established
-                  through an initial connection to the proxy server are evaluated to manage
-                  complexity and to provide additional protection by limiting direct connectivity.
-                  Web content filtering devices are one of the most common proxy servers providing
-                  access to the Internet. Proxy servers support logging individual Transmission
-                  Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators
-                  (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be
-                  configured with organization-defined lists of authorized and unauthorized
-                  websites.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="sc-7.8_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-7.8_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(8)[1]</prop>
-                  <p>the organization defines internal communications traffic to be routed to
-                     external networks;</p>
-               </part>
-               <part id="sc-7.8_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(8)[2]</prop>
-                  <p>the organization defines external networks to which organization-defined
-                     internal communications traffic is to be routed; and</p>
-               </part>
-               <part id="sc-7.8_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(8)[3]</prop>
-                  <p>the information system routes organization-defined internal communications
-                     traffic to organization-defined external networks through authenticated proxy
-                     servers at managed interfaces.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing traffic management through authenticated
-                     proxy servers at managed interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.10">
-            <title>Prevent Unauthorized Exfiltration</title>
-            <prop name="label">SC-7(10)</prop>
-            <prop name="sort-id">sc-07.10</prop>
-            <part id="sc-7.10_smt" name="statement">
-               <p>The organization prevents the unauthorized exfiltration of information across
-                  managed interfaces.</p>
-            </part>
-            <part id="sc-7.10_gdn" name="guidance">
-               <p>Safeguards implemented by organizations to prevent unauthorized exfiltration of
-                  information from information systems include, for example: (i) strict adherence to
-                  protocol formats; (ii) monitoring for beaconing from information systems; (iii)
-                  monitoring for steganography; (iv) disconnecting external network interfaces
-                  except when explicitly needed; (v) disassembling and reassembling packet headers;
-                  and (vi) employing traffic profile analysis to detect deviations from the
-                  volume/types of traffic expected within organizations or call backs to command and
-                  control centers. Devices enforcing strict adherence to protocol formats include,
-                  for example, deep packet inspection firewalls and XML gateways. These devices
-                  verify adherence to protocol formats and specification at the application layer
-                  and serve to identify vulnerabilities that cannot be detected by devices operating
-                  at the network or transport layers. This control enhancement is closely associated
-                  with cross-domain solutions and system guards enforcing information flow
-                  requirements.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="sc-7.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization prevents the unauthorized exfiltration of
-                  information across managed interfaces.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>preventing unauthorized exfiltration of information across managed
-                     interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.12">
-            <title>Host-based Protection</title>
-            <param id="sc-7.12_prm_1">
-               <label>organization-defined host-based boundary protection mechanisms</label>
-               <constraint>Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall</constraint>
-            </param>
-            <param id="sc-7.12_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-7(12)</prop>
-            <prop name="sort-id">sc-07.12</prop>
-            <part id="sc-7.12_smt" name="statement">
-               <p>The organization implements <insert param-id="sc-7.12_prm_1"/> at <insert param-id="sc-7.12_prm_2"/>.</p>
-            </part>
-            <part id="sc-7.12_gdn" name="guidance">
-               <p>Host-based boundary protection mechanisms include, for example, host-based
-                  firewalls. Information system components employing host-based boundary protection
-                  mechanisms include, for example, servers, workstations, and mobile devices.</p>
-            </part>
-            <part id="sc-7.12_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.12_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(12)[1]</prop>
-                  <p>defines host-based boundary protection mechanisms;</p>
-               </part>
-               <part id="sc-7.12_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(12)[2]</prop>
-                  <p>defines information system components where organization-defined host-based
-                     boundary protection mechanisms are to be implemented; and</p>
-               </part>
-               <part id="sc-7.12_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(12)[3]</prop>
-                  <p>implements organization-defined host-based boundary protection mechanisms at
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-                  <p>information system users</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing host-based boundary protection
-                     capabilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.13">
-            <title>Isolation of Security Tools / Mechanisms / Support Components</title>
-            <param id="sc-7.13_prm_1">
-               <label>organization-defined information security tools, mechanisms, and support
-                  components</label>
-            </param>
-            <prop name="label">SC-7(13)</prop>
-            <prop name="sort-id">sc-07.13</prop>
-            <part id="sc-7.13_smt" name="statement">
-               <p>The organization isolates <insert param-id="sc-7.13_prm_1"/> from other internal
-                  information system components by implementing physically separate subnetworks with
-                  managed interfaces to other components of the system.</p>
-               <part id="sc-7.13_fr" name="item">
-                  <title>SC-7 (13) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="sc-7.13_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
-                  </part>
-                  <part id="sc-7.13_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sc-7.13_gdn" name="guidance">
-               <p>Physically separate subnetworks with managed interfaces are useful, for example,
-                  in isolating computer network defenses from critical operational processing
-                  networks to prevent adversaries from discovering the analysis and forensics
-                  techniques of organizations.</p>
-               <link rel="related" href="#sa-8">SA-8</link>
-               <link rel="related" href="#sc-2">SC-2</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-            </part>
-            <part id="sc-7.13_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.13_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(13)[1]</prop>
-                  <p>defines information security tools, mechanisms, and support components to be
-                     isolated from other internal information system components; and</p>
-               </part>
-               <part id="sc-7.13_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(13)[2]</prop>
-                  <p>isolates organization-defined information security tools, mechanisms, and
-                     support components from other internal information system components by
-                     implementing physically separate subnetworks with managed interfaces to other
-                     components of the system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security tools and support components to be isolated from other
-                     internal information system components</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing isolation of information
-                     security tools, mechanisms, and support components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.18">
-            <title>Fail Secure</title>
-            <prop name="label">SC-7(18)</prop>
-            <prop name="sort-id">sc-07.18</prop>
-            <part id="sc-7.18_smt" name="statement">
-               <p>The information system fails securely in the event of an operational failure of a
-                  boundary protection device.</p>
-            </part>
-            <part id="sc-7.18_gdn" name="guidance">
-               <p>Fail secure is a condition achieved by employing information system mechanisms to
-                  ensure that in the event of operational failures of boundary protection devices at
-                  managed interfaces (e.g., routers, firewalls, guards, and application gateways
-                  residing on protected subnetworks commonly referred to as demilitarized zones),
-                  information systems do not enter into unsecure states where intended security
-                  properties no longer hold. Failures of boundary protection devices cannot lead to,
-                  or cause information external to the devices to enter the devices, nor can
-                  failures permit unauthorized information releases.</p>
-               <link rel="related" href="#cp-2">CP-2</link>
-               <link rel="related" href="#sc-24">SC-24</link>
-            </part>
-            <part id="sc-7.18_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system fails securely in the event of an operational
-                  failure of a boundary protection device.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing secure failure</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.20">
-            <title>Dynamic Isolation / Segregation</title>
-            <param id="sc-7.20_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-7(20)</prop>
-            <prop name="sort-id">sc-07.20</prop>
-            <part id="sc-7.20_smt" name="statement">
-               <p>The information system provides the capability to dynamically isolate/segregate
-                     <insert param-id="sc-7.20_prm_1"/> from other components of the system.</p>
-            </part>
-            <part id="sc-7.20_gdn" name="guidance">
-               <p>The capability to dynamically isolate or segregate certain internal components of
-                  organizational information systems is useful when it is necessary to partition or
-                  separate certain components of dubious origin from those components possessing
-                  greater trustworthiness. Component isolation reduces the attack surface of
-                  organizational information systems. Isolation of selected information system
-                  components is also a means of limiting the damage from successful cyber attacks
-                  when those attacks occur.</p>
-            </part>
-            <part id="sc-7.20_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-7.20_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(20)[1]</prop>
-                  <p>the organization defines information system components to be dynamically
-                     isolated/segregated from other components of the system; and</p>
-               </part>
-               <part id="sc-7.20_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(20)[2]</prop>
-                  <p>the information system provides the capability to dynamically isolate/segregate
-                     organization-defined information system components from other components of the
-                     system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of information system components to be dynamically isolated/segregated
-                     from other components of the system</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the capability to
-                     dynamically isolate/segregate information system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.21">
-            <title>Isolation of Information System Components</title>
-            <param id="sc-7.21_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <param id="sc-7.21_prm_2">
-               <label>organization-defined missions and/or business functions</label>
-            </param>
-            <prop name="label">SC-7(21)</prop>
-            <prop name="sort-id">sc-07.21</prop>
-            <part id="sc-7.21_smt" name="statement">
-               <p>The organization employs boundary protection mechanisms to separate <insert param-id="sc-7.21_prm_1"/> supporting <insert param-id="sc-7.21_prm_2"/>.</p>
-            </part>
-            <part id="sc-7.21_gdn" name="guidance">
-               <p>Organizations can isolate information system components performing different
-                  missions and/or business functions. Such isolation limits unauthorized information
-                  flows among system components and also provides the opportunity to deploy greater
-                  levels of protection for selected components. Separating system components with
-                  boundary protection mechanisms provides the capability for increased protection of
-                  individual components and to more effectively control information flows between
-                  those components. This type of enhanced protection limits the potential harm from
-                  cyber attacks and errors. The degree of separation provided varies depending upon
-                  the mechanisms chosen. Boundary protection mechanisms include, for example,
-                  routers, gateways, and firewalls separating system components into physically
-                  separate networks or subnetworks, cross-domain devices separating subnetworks,
-                  virtualization techniques, and encrypting information flows among system
-                  components using distinct encryption keys.</p>
-               <link rel="related" href="#ca-9">CA-9</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-            </part>
-            <part id="sc-7.21_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.21_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(21)[1]</prop>
-                  <p>defines information system components to be separated by boundary protection
-                     mechanisms;</p>
-               </part>
-               <part id="sc-7.21_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(21)[2]</prop>
-                  <p>defines missions and/or business functions to be supported by
-                     organization-defined information system components separated by boundary
-                     protection mechanisms; and</p>
-               </part>
-               <part id="sc-7.21_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(21)[3]</prop>
-                  <p>employs boundary protection mechanisms to separate organization-defined
-                     information system components supporting organization-defined missions and/or
-                     business functions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>enterprise architecture documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the capability to separate
-                     information system components supporting organizational missions and/or
-                     business functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-8">
-         <title>Transmission Confidentiality and Integrity</title>
-         <param id="sc-8_prm_1">
-            <constraint>confidentiality AND integrity</constraint>
-         </param>
-         <prop name="label">SC-8</prop>
-         <prop name="sort-id">sc-08</prop>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#f2dbd4ec-c413-4714-b85b-6b7184d1c195" rel="reference">FIPS Publication 197</link>
-         <link href="#90c5bc98-f9c4-44c9-98b7-787422f0999c" rel="reference">NIST Special Publication 800-52</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <link href="#349fe082-502d-464a-aa0c-1443c6a5cf40" rel="reference">NIST Special Publication 800-113</link>
-         <link href="#a4aa9645-9a8a-4b51-90a9-e223250f9a75" rel="reference">CNSS Policy 15</link>
-         <link href="#06dff0ea-3848-4945-8d91-e955ee69f05d" rel="reference">NSTISSI No. 7003</link>
-         <part id="sc-8_smt" name="statement">
-            <p>The information system protects the <insert param-id="sc-8_prm_1"/> of transmitted
-               information.</p>
-         </part>
-         <part id="sc-8_gdn" name="guidance">
-            <p>This control applies to both internal and external networks and all types of
-               information system components from which information can be transmitted (e.g.,
-               servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile
-               machines). Communication paths outside the physical protection of a controlled
-               boundary are exposed to the possibility of interception and modification. Protecting
-               the confidentiality and/or integrity of organizational information can be
-               accomplished by physical means (e.g., by employing protected distribution systems) or
-               by logical means (e.g., employing encryption techniques). Organizations relying on
-               commercial providers offering transmission services as commodity services rather than
-               as fully dedicated services (i.e., services which can be highly specialized to
-               individual customer needs), may find it difficult to obtain the necessary assurances
-               regarding the implementation of needed security controls for transmission
-               confidentiality/integrity. In such situations, organizations determine what types of
-               confidentiality/integrity services are available in standard, commercial
-               telecommunication service packages. If it is infeasible or impractical to obtain the
-               necessary security controls and assurances of control effectiveness through
-               appropriate contracting vehicles, organizations implement appropriate compensating
-               security controls or explicitly accept the additional risk.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-         </part>
-         <part id="sc-8_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system protects one or more of the following:</p>
-            <part id="sc-8_obj.1" name="objective">
-               <prop name="label">SC-8[1]</prop>
-               <p>confidentiality of transmitted information; and/or</p>
-            </part>
-            <part id="sc-8_obj.2" name="objective">
-               <prop name="label">SC-8[2]</prop>
-               <p>integrity of transmitted information.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing transmission confidentiality and integrity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing transmission confidentiality
-                  and/or integrity</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-8.1">
-            <title>Cryptographic or Alternate Physical Protection</title>
-            <param id="sc-8.1_prm_1">
-               <constraint>prevent unauthorized disclosure of information AND detect changes to information</constraint>
-            </param>
-            <param id="sc-8.1_prm_2">
-               <label>organization-defined alternative physical safeguards</label>
-               <constraint>a hardened or alarmed carrier Protective Distribution System (PDS)</constraint>
-            </param>
-            <prop name="label">SC-8(1)</prop>
-            <prop name="sort-id">sc-08.01</prop>
-            <part id="sc-8.1_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to <insert param-id="sc-8.1_prm_1"/> during transmission unless otherwise protected by
-                     <insert param-id="sc-8.1_prm_2"/>.</p>
-            </part>
-            <part id="sc-8.1_gdn" name="guidance">
-               <p>Encrypting information for transmission protects information from unauthorized
-                  disclosure and modification. Cryptographic mechanisms implemented to protect
-                  information integrity include, for example, cryptographic hash functions which
-                  have common application in digital signatures, checksums, and message
-                  authentication codes. Alternative physical security safeguards include, for
-                  example, protected distribution systems.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-8.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-8(1)[1]</prop>
-                  <p>the organization defines physical safeguards to be implemented to protect
-                     information during transmission when cryptographic mechanisms are not
-                     implemented; and</p>
-               </part>
-               <part id="sc-8.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-8(1)[2]</prop>
-                  <p>the information system implements cryptographic mechanisms to do one or more of
-                     the following during transmission unless otherwise protected by
-                     organization-defined alternative physical safeguards:</p>
-                  <part id="sc-8.1_obj.2.a" name="objective">
-                     <prop name="label">SC-8(1)[2][a]</prop>
-                     <p>prevent unauthorized disclosure of information; and/or</p>
-                  </part>
-                  <part id="sc-8.1_obj.2.b" name="objective">
-                     <prop name="label">SC-8(1)[2][b]</prop>
-                     <p>detect changes to information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing transmission confidentiality and integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms supporting and/or implementing transmission
-                     confidentiality and/or integrity</p>
-                  <p>automated mechanisms supporting and/or implementing alternative physical
-                     safeguards</p>
-                  <p>organizational processes for defining and implementing alternative physical
-                     safeguards</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-10">
-         <title>Network Disconnect</title>
-         <param id="sc-10_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions</constraint>
-         </param>
-         <prop name="label">SC-10</prop>
-         <prop name="sort-id">sc-10</prop>
-         <part id="sc-10_smt" name="statement">
-            <p>The information system terminates the network connection associated with a
-               communications session at the end of the session or after <insert param-id="sc-10_prm_1"/> of inactivity.</p>
-         </part>
-         <part id="sc-10_gdn" name="guidance">
-            <p>This control applies to both internal and external networks. Terminating network
-               connections associated with communications sessions include, for example,
-               de-allocating associated TCP/IP address/port pairs at the operating system level, or
-               de-allocating networking assignments at the application level if multiple application
-               sessions are using a single, operating system-level network connection. Time periods
-               of inactivity may be established by organizations and include, for example, time
-               periods by type of network access or for specific network accesses.</p>
-         </part>
-         <part id="sc-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-10[1]</prop>
-               <p>the organization defines a time period of inactivity after which the information
-                  system terminates a network connection associated with a communications session;
-                  and</p>
-            </part>
-            <part id="sc-10_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-10[2]</prop>
-               <p>the information system terminates the network connection associated with a
-                  communication session at the end of the session or after the organization-defined
-                  time period of inactivity.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing network disconnect</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing network disconnect
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-12">
-         <title>Cryptographic Key Establishment and Management</title>
-         <param id="sc-12_prm_1">
-            <label>organization-defined requirements for key generation, distribution, storage,
-               access, and destruction</label>
-         </param>
-         <prop name="label">SC-12</prop>
-         <prop name="sort-id">sc-12</prop>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <part id="sc-12_smt" name="statement">
-            <p>The organization establishes and manages cryptographic keys for required cryptography
-               employed within the information system in accordance with <insert param-id="sc-12_prm_1"/>.</p>
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-12_gdn" name="guidance">
-            <p>Cryptographic key management and establishment can be performed using manual
-               procedures or automated mechanisms with supporting manual procedures. Organizations
-               define key management requirements in accordance with applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, and guidance,
-               specifying appropriate options, levels, and parameters. Organizations manage trust
-               stores to ensure that only approved trust anchors are in such trust stores. This
-               includes certificates with visibility external to organizational information systems
-               and certificates related to the internal operations of systems.</p>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="sc-12_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-12_obj.1" name="objective">
-               <prop name="label">SC-12[1]</prop>
-               <p>defines requirements for cryptographic key:</p>
-               <part id="sc-12_obj.1.a" name="objective">
-                  <prop name="label">SC-12[1][a]</prop>
-                  <p>generation;</p>
-               </part>
-               <part id="sc-12_obj.1.b" name="objective">
-                  <prop name="label">SC-12[1][b]</prop>
-                  <p>distribution;</p>
-               </part>
-               <part id="sc-12_obj.1.c" name="objective">
-                  <prop name="label">SC-12[1][c]</prop>
-                  <p>storage;</p>
-               </part>
-               <part id="sc-12_obj.1.d" name="objective">
-                  <prop name="label">SC-12[1][d]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="sc-12_obj.1.e" name="objective">
-                  <prop name="label">SC-12[1][e]</prop>
-                  <p>destruction; and</p>
-               </part>
-            </part>
-            <part id="sc-12_obj.2" name="objective">
-               <prop name="label">SC-12[2]</prop>
-               <p>establishes and manages cryptographic keys for required cryptography employed
-                  within the information system in accordance with organization-defined requirements
-                  for key generation, distribution, storage, access, and destruction.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic key establishment and management</p>
-               <p>information system design documentation</p>
-               <p>cryptographic mechanisms</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for cryptographic key establishment
-                  and/or management</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic key
-                  establishment and management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-12.1">
-            <title>Availability</title>
-            <prop name="label">SC-12(1)</prop>
-            <prop name="sort-id">sc-12.01</prop>
-            <part id="sc-12.1_smt" name="statement">
-               <p>The organization maintains availability of information in the event of the loss of
-                  cryptographic keys by users.</p>
-            </part>
-            <part id="sc-12.1_gdn" name="guidance">
-               <p>Escrowing of encryption keys is a common practice for ensuring availability in the
-                  event of loss of keys (e.g., due to forgotten passphrase).</p>
-            </part>
-            <part id="sc-12.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization maintains availability of information in the event
-                  of the loss of cryptographic keys by users.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing cryptographic key establishment, management, and
-                     recovery</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibilities for cryptographic key
-                     establishment or management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing cryptographic key
-                     establishment and management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.2">
-            <title>Symmetric Keys</title>
-            <param id="sc-12.2_prm_1">
-               <constraint>NIST FIPS-compliant</constraint>
-            </param>
-            <prop name="label">SC-12(2)</prop>
-            <prop name="sort-id">sc-12.02</prop>
-            <part id="sc-12.2_smt" name="statement">
-               <p>The organization produces, controls, and distributes symmetric cryptographic keys
-                  using <insert param-id="sc-12.2_prm_1"/> key management technology and
-                  processes.</p>
-            </part>
-            <part id="sc-12.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization produces, controls, and distributes symmetric
-                  cryptographic keys using one of the following: </p>
-               <part id="sc-12.2_obj.1" name="objective">
-                  <prop name="label">SC-12(2)[1]</prop>
-                  <p>NIST FIPS-compliant key management technology and processes; or</p>
-               </part>
-               <part id="sc-12.2_obj.2" name="objective">
-                  <prop name="label">SC-12(2)[2]</prop>
-                  <p>NSA-approved key management technology and processes.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing cryptographic key establishment and management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FIPS validated cryptographic products</p>
-                  <p>list of NSA-approved cryptographic products</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for cryptographic key
-                     establishment or management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing symmetric cryptographic key
-                     establishment and management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.3">
-            <title>Asymmetric Keys</title>
-            <param id="sc-12.3_prm_1"/>
-            <prop name="label">SC-12(3)</prop>
-            <prop name="sort-id">sc-12.03</prop>
-            <part id="sc-12.3_smt" name="statement">
-               <p>The organization produces, controls, and distributes asymmetric cryptographic keys
-                  using <insert param-id="sc-12.3_prm_1"/>.</p>
-            </part>
-            <part id="sc-12.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization produces, controls, and distributes asymmetric
-                  cryptographic keys using one of the following: </p>
-               <part id="sc-12.3_obj.1" name="objective">
-                  <prop name="label">SC-12(3)[1]</prop>
-                  <p>NSA-approved key management technology and processes;</p>
-               </part>
-               <part id="sc-12.3_obj.2" name="objective">
-                  <prop name="label">SC-12(3)[2]</prop>
-                  <p>approved PKI Class 3 certificates or prepositioned keying material; or</p>
-               </part>
-               <part id="sc-12.3_obj.3" name="objective">
-                  <prop name="label">SC-12(3)[3]</prop>
-                  <p>approved PKI Class 3 or Class 4 certificates and hardware security tokens that
-                     protect the user’s private key.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing cryptographic key establishment and management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of NSA-approved cryptographic products</p>
-                  <p>list of approved PKI Class 3 and Class 4 certificates</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for cryptographic key
-                     establishment or management</p>
-                  <p>organizational personnel with responsibilities for PKI certificates</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing asymmetric cryptographic
-                     key establishment and management</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-13">
-         <title>Cryptographic Protection</title>
-         <param id="sc-13_prm_1">
-            <label>organization-defined cryptographic uses and type of cryptography required for
-               each use</label>
-            <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SC-13</prop>
-         <prop name="sort-id">sc-13</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#6a1041fc-054e-4230-946b-2e6f4f3731bb" rel="reference">http://csrc.nist.gov/cryptval</link>
-         <link href="#9b97ed27-3dd6-4f9a-ade5-1b43e9669794" rel="reference">http://www.cnss.gov</link>
-         <part id="sc-13_smt" name="statement">
-            <p>The information system implements <insert param-id="sc-13_prm_1"/> in accordance with
-               applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards.</p>
-         </part>
-         <part id="sc-13_gdn" name="guidance">
-            <p>Cryptography can be employed to support a variety of security solutions including,
-               for example, the protection of classified and Controlled Unclassified Information,
-               the provision of digital signatures, and the enforcement of information separation
-               when authorized individuals have the necessary clearances for such information but
-               lack the necessary formal access approvals. Cryptography can also be used to support
-               random number generation and hash generation. Generally applicable cryptographic
-               standards include FIPS-validated cryptography and NSA-approved cryptography. This
-               control does not impose any requirements on organizations to use cryptography.
-               However, if cryptography is required based on the selection of other security
-               controls, organizations define each type of cryptographic use and the type of
-               cryptography required (e.g., protection of classified information: NSA-approved
-               cryptography; provision of digital signatures: FIPS-validated cryptography).</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-7">IA-7</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-13_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-13_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-13[1]</prop>
-               <p>the organization defines cryptographic uses; and</p>
-            </part>
-            <part id="sc-13_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-13[2]</prop>
-               <p>the organization defines the type of cryptography required for each use; and</p>
-            </part>
-            <part id="sc-13_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-13[3]</prop>
-               <p>the information system implements the organization-defined cryptographic uses and
-                  type of cryptography required for each use in accordance with applicable federal
-                  laws, Executive Orders, directives, policies, regulations, and standards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic protection</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>cryptographic module validation certificates</p>
-               <p>list of FIPS validated cryptographic modules</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for cryptographic protection</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic protection</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-15">
-         <title>Collaborative Computing Devices</title>
-         <param id="sc-15_prm_1">
-            <label>organization-defined exceptions where remote activation is to be allowed</label>
-            <constraint>no exceptions</constraint>
-         </param>
-         <prop name="label">SC-15</prop>
-         <prop name="sort-id">sc-15</prop>
-         <part id="sc-15_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-15_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prohibits remote activation of collaborative computing devices with the following
-                  exceptions: <insert param-id="sc-15_prm_1"/>; and</p>
-            </part>
-            <part id="sc-15_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides an explicit indication of use to users physically present at the
-                  devices.</p>
-            </part>
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-15_gdn" name="guidance">
-            <p>Collaborative computing devices include, for example, networked white boards,
-               cameras, and microphones. Explicit indication of use includes, for example, signals
-               to users when collaborative computing devices are activated.</p>
-            <link rel="related" href="#ac-21">AC-21</link>
-         </part>
-         <part id="sc-15_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-15.a_obj" name="objective">
-               <prop name="label">SC-15(a)</prop>
-               <part id="sc-15.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-15(a)[1]</prop>
-                  <p>the organization defines exceptions where remote activation of collaborative
-                     computing devices is to be allowed;</p>
-               </part>
-               <part id="sc-15.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-15(a)[2]</prop>
-                  <p>the information system prohibits remote activation of collaborative computing
-                     devices, except for organization-defined exceptions where remote activation is
-                     to be allowed; and</p>
-               </part>
-            </part>
-            <part id="sc-15.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-15(b)</prop>
-               <p>the information system provides an explicit indication of use to users physically
-                  present at the devices.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing collaborative computing</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for managing collaborative
-                  computing devices</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing management of remote
-                  activation of collaborative computing devices</p>
-               <p>automated mechanisms providing an indication of use of collaborative computing
-                  devices</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-17">
-         <title>Public Key Infrastructure Certificates</title>
-         <param id="sc-17_prm_1">
-            <label>organization-defined certificate policy</label>
-         </param>
-         <prop name="label">SC-17</prop>
-         <prop name="sort-id">sc-17</prop>
-         <link href="#58ad6f27-af99-429f-86a8-8bb767b014b9" rel="reference">OMB Memorandum 05-24</link>
-         <link href="#8f174e91-844e-4cf1-a72a-45c119a3a8dd" rel="reference">NIST Special Publication 800-32</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <part id="sc-17_smt" name="statement">
-            <p>The organization issues public key certificates under an <insert param-id="sc-17_prm_1"/> or obtains public key certificates from an approved
-               service provider.</p>
-         </part>
-         <part id="sc-17_gdn" name="guidance">
-            <p>For all certificates, organizations manage information system trust stores to ensure
-               only approved trust anchors are in the trust stores. This control addresses both
-               certificates with visibility external to organizational information systems and
-               certificates related to the internal operations of systems, for example,
-               application-specific time services.</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-         </part>
-         <part id="sc-17_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-17_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-17[1]</prop>
-               <p>defines a certificate policy for issuing public key certificates;</p>
-            </part>
-            <part id="sc-17_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-17[2]</prop>
-               <p>issues public key certificates:</p>
-               <part id="sc-17_obj.2.a" name="objective">
-                  <prop name="label">SC-17[2][a]</prop>
-                  <p>under an organization-defined certificate policy: or</p>
-               </part>
-               <part id="sc-17_obj.2.b" name="objective">
-                  <prop name="label">SC-17[2][b]</prop>
-                  <p>obtains public key certificates from an approved service provider.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing public key infrastructure certificates</p>
-               <p>public key certificate policy or policies</p>
-               <p>public key issuing process</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for issuing public key
-                  certificates</p>
-               <p>service providers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing the management of public key
-                  infrastructure certificates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-18">
-         <title>Mobile Code</title>
-         <prop name="label">SC-18</prop>
-         <prop name="sort-id">sc-18</prop>
-         <link href="#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1" rel="reference">NIST Special Publication 800-28</link>
-         <link href="#e6522953-6714-435d-a0d3-140df554c186" rel="reference">DoD Instruction 8552.01</link>
-         <part id="sc-18_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-18_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Defines acceptable and unacceptable mobile code and mobile code technologies;</p>
-            </part>
-            <part id="sc-18_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes usage restrictions and implementation guidance for acceptable mobile
-                  code and mobile code technologies; and</p>
-            </part>
-            <part id="sc-18_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Authorizes, monitors, and controls the use of mobile code within the information
-                  system.</p>
-            </part>
-         </part>
-         <part id="sc-18_gdn" name="guidance">
-            <p>Decisions regarding the employment of mobile code within organizational information
-               systems are based on the potential for the code to cause damage to the systems if
-               used maliciously. Mobile code technologies include, for example, Java, JavaScript,
-               ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage
-               restrictions and implementation guidance apply to both the selection and use of
-               mobile code installed on servers and mobile code downloaded and executed on
-               individual workstations and devices (e.g., smart phones). Mobile code policy and
-               procedures address preventing the development, acquisition, or introduction of
-               unacceptable mobile code within organizational information systems.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="sc-18_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-18.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-18(a)</prop>
-               <p>defines acceptable and unacceptable mobile code and mobile code technologies;</p>
-            </part>
-            <part id="sc-18.b_obj" name="objective">
-               <prop name="label">SC-18(b)</prop>
-               <part id="sc-18.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-18(b)[1]</prop>
-                  <p>establishes usage restrictions for acceptable mobile code and mobile code
-                     technologies;</p>
-               </part>
-               <part id="sc-18.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-18(b)[2]</prop>
-                  <p>establishes implementation guidance for acceptable mobile code and mobile code
-                     technologies;</p>
-               </part>
-            </part>
-            <part id="sc-18.c_obj" name="objective">
-               <prop name="label">SC-18(c)</prop>
-               <part id="sc-18.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-18(c)[1]</prop>
-                  <p>authorizes the use of mobile code within the information system;</p>
-               </part>
-               <part id="sc-18.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-18(c)[2]</prop>
-                  <p>monitors the use of mobile code within the information system; and</p>
-               </part>
-               <part id="sc-18.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-18(c)[3]</prop>
-                  <p>controls the use of mobile code within the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing mobile code</p>
-               <p>mobile code usage restrictions, mobile code implementation policy and
-                  procedures</p>
-               <p>list of acceptable mobile code and mobile code technologies</p>
-               <p>list of unacceptable mobile code and mobile technologies</p>
-               <p>authorization records</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing mobile code</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for controlling, authorizing, monitoring, and restricting
-                  mobile code</p>
-               <p>automated mechanisms supporting and/or implementing the management of mobile
-                  code</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of mobile
-                  code</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-19">
-         <title>Voice Over Internet Protocol</title>
-         <prop name="label">SC-19</prop>
-         <prop name="sort-id">sc-19</prop>
-         <link href="#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90" rel="reference">NIST Special Publication 800-58</link>
-         <part id="sc-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions and implementation guidance for Voice over Internet
-                  Protocol (VoIP) technologies based on the potential to cause damage to the
-                  information system if used maliciously; and</p>
-            </part>
-            <part id="sc-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes, monitors, and controls the use of VoIP within the information
-                  system.</p>
-            </part>
-         </part>
-         <part id="sc-19_gdn" name="guidance">
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-15">SC-15</link>
-         </part>
-         <part id="sc-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-19.a_obj" name="objective">
-               <prop name="label">SC-19(a)</prop>
-               <part id="sc-19.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-19(a)[1]</prop>
-                  <p>establishes usage restrictions for Voice over Internet Protocol (VoIP)
-                     technologies based on the potential to cause damage to the information system
-                     if used maliciously;</p>
-               </part>
-               <part id="sc-19.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-19(a)[2]</prop>
-                  <p>establishes implementation guidance for Voice over Internet Protocol (VoIP)
-                     technologies based on the potential to cause damage to the information system
-                     if used maliciously;</p>
-               </part>
-            </part>
-            <part id="sc-19.b_obj" name="objective">
-               <prop name="label">SC-19(b)</prop>
-               <part id="sc-19.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-19(b)[1]</prop>
-                  <p>authorizes the use of VoIP within the information system;</p>
-               </part>
-               <part id="sc-19.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-19(b)[2]</prop>
-                  <p>monitors the use of VoIP within the information system; and</p>
-               </part>
-               <part id="sc-19.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-19(b)[3]</prop>
-                  <p>controls the use of VoIP within the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing VoIP</p>
-               <p>VoIP usage restrictions</p>
-               <p>VoIP implementation guidance</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing VoIP</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for authorizing, monitoring, and controlling VoIP</p>
-               <p>automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling VoIP</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-20">
-         <title>Secure Name / Address Resolution Service (authoritative Source)</title>
-         <prop name="label">SC-20</prop>
-         <prop name="sort-id">sc-20</prop>
-         <link href="#28115a56-da6b-4d44-b1df-51dd7f048a3e" rel="reference">OMB Memorandum 08-23</link>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-20_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides additional data origin authentication and integrity verification
-                  artifacts along with the authoritative name resolution data the system returns in
-                  response to external name/address resolution queries; and</p>
-            </part>
-            <part id="sc-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides the means to indicate the security status of child zones and (if the
-                  child supports secure resolution services) to enable verification of a chain of
-                  trust among parent and child domains, when operating as part of a distributed,
-                  hierarchical namespace.</p>
-            </part>
-         </part>
-         <part id="sc-20_gdn" name="guidance">
-            <p>This control enables external clients including, for example, remote Internet
-               clients, to obtain origin authentication and integrity verification assurances for
-               the host/service name to network address resolution information obtained through the
-               service. Information systems that provide name and address resolution services
-               include, for example, domain name system (DNS) servers. Additional artifacts include,
-               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-               resource records are examples of authoritative data. The means to indicate the
-               security status of child zones includes, for example, the use of delegation signer
-               resource records in the DNS. The DNS security controls reflect (and are referenced
-               from) OMB Memorandum 08-23. Information systems that use technologies other than the
-               DNS to map between host/service names and network addresses provide other means to
-               assure the authenticity and integrity of response data.</p>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-20_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-20.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-20(a)</prop>
-               <p>provides additional data origin and integrity verification artifacts along with
-                  the authoritative name resolution data the system returns in response to external
-                  name/address resolution queries;</p>
-            </part>
-            <part id="sc-20.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-20(b)</prop>
-               <p>provides the means to, when operating as part of a distributed, hierarchical
-                  namespace:</p>
-               <part id="sc-20.b_obj.1" name="objective">
-                  <prop name="label">SC-20(b)[1]</prop>
-                  <p>indicate the security status of child zones; and</p>
-               </part>
-               <part id="sc-20.b_obj.2" name="objective">
-                  <prop name="label">SC-20(b)[2]</prop>
-                  <p>enable verification of a chain of trust among parent and child domains (if the
-                     child supports secure resolution services).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (authoritative
-                  source)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing secure name/address resolution
-                  service</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-21">
-         <title>Secure Name / Address Resolution Service (recursive or Caching Resolver)</title>
-         <prop name="label">SC-21</prop>
-         <prop name="sort-id">sc-21</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-21_smt" name="statement">
-            <p>The information system requests and performs data origin authentication and data
-               integrity verification on the name/address resolution responses the system receives
-               from authoritative sources.</p>
-         </part>
-         <part id="sc-21_gdn" name="guidance">
-            <p>Each client of name resolution services either performs this validation on its own,
-               or has authenticated channels to trusted validation providers. Information systems
-               that provide name and address resolution services for local clients include, for
-               example, recursive resolving or caching domain name system (DNS) servers. DNS client
-               resolvers either perform validation of DNSSEC signatures, or clients use
-               authenticated channels to recursive resolvers that perform such validations.
-               Information systems that use technologies other than the DNS to map between
-               host/service names and network addresses provide other means to enable clients to
-               verify the authenticity and integrity of response data.</p>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-21_obj" name="objective">
-            <p>Determine if the information system: </p>
-            <part id="sc-21_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-21[1]</prop>
-               <p>requests data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-21[2]</prop>
-               <p>requests data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-21[3]</prop>
-               <p>performs data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources; and</p>
-            </part>
-            <part id="sc-21_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-21[4]</prop>
-               <p>performs data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (recursive or caching
-                  resolver)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing data origin authentication and
-                  data integrity verification for name/address resolution services</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-22">
-         <title>Architecture and Provisioning for Name / Address Resolution Service</title>
-         <prop name="label">SC-22</prop>
-         <prop name="sort-id">sc-22</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-22_smt" name="statement">
-            <p>The information systems that collectively provide name/address resolution service for
-               an organization are fault-tolerant and implement internal/external role
-               separation.</p>
-         </part>
-         <part id="sc-22_gdn" name="guidance">
-            <p>Information systems that provide name and address resolution services include, for
-               example, domain name system (DNS) servers. To eliminate single points of failure and
-               to enhance redundancy, organizations employ at least two authoritative domain name
-               system servers, one configured as the primary server and the other configured as the
-               secondary server. Additionally, organizations typically deploy the servers in two
-               geographically separated network subnetworks (i.e., not located in the same physical
-               facility). For role separation, DNS servers with internal roles only process name and
-               address resolution requests from within organizations (i.e., from internal clients).
-               DNS servers with external roles only process name and address resolution information
-               requests from clients external to organizations (i.e., on external networks including
-               the Internet). Organizations specify clients that can access authoritative DNS
-               servers in particular roles (e.g., by address ranges, explicit lists).</p>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="sc-22_obj" name="objective">
-            <p>Determine if the information systems that collectively provide name/address
-               resolution service for an organization: </p>
-            <part id="sc-22_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-22[1]</prop>
-               <p>are fault tolerant; and</p>
-            </part>
-            <part id="sc-22_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-22[2]</prop>
-               <p>implement internal/external role separation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing architecture and provisioning for name/address resolution
-                  service</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>assessment results from independent, testing organizations</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing name/address resolution
-                  service for fault tolerance and role separation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-23">
-         <title>Session Authenticity</title>
-         <prop name="label">SC-23</prop>
-         <prop name="sort-id">sc-23</prop>
-         <link href="#90c5bc98-f9c4-44c9-98b7-787422f0999c" rel="reference">NIST Special Publication 800-52</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#1ebdf782-d95d-4a7b-8ec7-ee860951eced" rel="reference">NIST Special Publication 800-95</link>
-         <part id="sc-23_smt" name="statement">
-            <p>The information system protects the authenticity of communications sessions.</p>
-         </part>
-         <part id="sc-23_gdn" name="guidance">
-            <p>This control addresses communications protection at the session, versus packet level
-               (e.g., sessions in service-oriented architectures providing web-based services) and
-               establishes grounds for confidence at both ends of communications sessions in ongoing
-               identities of other parties and in the validity of information transmitted.
-               Authenticity protection includes, for example, protecting against man-in-the-middle
-               attacks/session hijacking and the insertion of false information into sessions.</p>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-11">SC-11</link>
-         </part>
-         <part id="sc-23_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system protects the authenticity of communications
-               sessions.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing session authenticity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing session authenticity</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-23.1">
-            <title>Invalidate Session Identifiers at Logout</title>
-            <prop name="label">SC-23(1)</prop>
-            <prop name="sort-id">sc-23.01</prop>
-            <part id="sc-23.1_smt" name="statement">
-               <p>The information system invalidates session identifiers upon user logout or other
-                  session termination.</p>
-            </part>
-            <part id="sc-23.1_gdn" name="guidance">
-               <p>This control enhancement curtails the ability of adversaries from capturing and
-                  continuing to employ previously valid session IDs.</p>
-            </part>
-            <part id="sc-23.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system invalidates session identifiers upon user
-                  logout or other session termination.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing session authenticity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing session identifier
-                     invalidation upon session termination</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-24">
-         <title>Fail in Known State</title>
-         <param id="sc-24_prm_1">
-            <label>organization-defined known-state</label>
-         </param>
-         <param id="sc-24_prm_2">
-            <label>organization-defined types of failures</label>
-         </param>
-         <param id="sc-24_prm_3">
-            <label>organization-defined system state information</label>
-         </param>
-         <prop name="label">SC-24</prop>
-         <prop name="sort-id">sc-24</prop>
-         <part id="sc-24_smt" name="statement">
-            <p>The information system fails to a <insert param-id="sc-24_prm_1"/> for <insert param-id="sc-24_prm_2"/> preserving <insert param-id="sc-24_prm_3"/> in
-               failure.</p>
-         </part>
-         <part id="sc-24_gdn" name="guidance">
-            <p>Failure in a known state addresses security concerns in accordance with the
-               mission/business needs of organizations. Failure in a known secure state helps to
-               prevent the loss of confidentiality, integrity, or availability of information in the
-               event of failures of organizational information systems or system components. Failure
-               in a known safe state helps to prevent systems from failing to a state that may cause
-               injury to individuals or destruction to property. Preserving information system state
-               information facilitates system restart and return to the operational mode of
-               organizations with less disruption of mission/business processes.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#cp-12">CP-12</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-24_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-24_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-24[1]</prop>
-               <p>the organization defines a known-state to which the information system is to fail
-                  in the event of a system failure;</p>
-            </part>
-            <part id="sc-24_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-24[2]</prop>
-               <p>the organization defines types of failures for which the information system is to
-                  fail to an organization-defined known-state;</p>
-            </part>
-            <part id="sc-24_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-24[3]</prop>
-               <p>the organization defines system state information to be preserved in the event of
-                  a system failure;</p>
-            </part>
-            <part id="sc-24_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-24[4]</prop>
-               <p>the information system fails to the organization-defined known-state for
-                  organization-defined types of failures; and</p>
-            </part>
-            <part id="sc-24_obj.5" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-24[5]</prop>
-               <p>the information system preserves the organization-defined system state information
-                  in the event of a system failure.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing information system failure to known state</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of failures requiring information system to fail in a known state</p>
-               <p>state information to be preserved in system failure</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing fail-in-known state
-                  capability</p>
-               <p>automated mechanisms preserving system state information in the event of a system
-                  failure</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-28">
-         <title>Protection of Information at Rest</title>
-         <param id="sc-28_prm_1">
-            <constraint>confidentiality AND integrity</constraint>
-         </param>
-         <param id="sc-28_prm_2">
-            <label>organization-defined information at rest</label>
-         </param>
-         <prop name="label">SC-28</prop>
-         <prop name="sort-id">sc-28</prop>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="sc-28_smt" name="statement">
-            <p>The information system protects the <insert param-id="sc-28_prm_1"/> of <insert param-id="sc-28_prm_2"/>.</p>
-            <part id="sc-28_fr" name="item">
-               <title>SC-28 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-28_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-28_gdn" name="guidance">
-            <p>This control addresses the confidentiality and integrity of information at rest and
-               covers user information and system information. Information at rest refers to the
-               state of information when it is located on storage devices as specific components of
-               information systems. System-related information requiring protection includes, for
-               example, configurations or rule sets for firewalls, gateways, intrusion
-               detection/prevention systems, filtering routers, and authenticator content.
-               Organizations may employ different mechanisms to achieve confidentiality and
-               integrity protections, including the use of cryptographic mechanisms and file share
-               scanning. Integrity protection can be achieved, for example, by implementing
-               Write-Once-Read-Many (WORM) technologies. Organizations may also employ other
-               security controls including, for example, secure off-line storage in lieu of online
-               storage when adequate protection of information at rest cannot otherwise be achieved
-               and/or continuous monitoring to identify malicious code at rest.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-28_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-28_obj.1" name="objective">
-               <prop name="label">SC-28[1]</prop>
-               <p>the organization defines information at rest requiring one or more of the
-                  following:</p>
-               <part id="sc-28_obj.1.a" name="objective">
-                  <prop name="label">SC-28[1][a]</prop>
-                  <p>confidentiality protection; and/or</p>
-               </part>
-               <part id="sc-28_obj.1.b" name="objective">
-                  <prop name="label">SC-28[1][b]</prop>
-                  <p>integrity protection;</p>
-               </part>
-            </part>
-            <part id="sc-28_obj.2" name="objective">
-               <prop name="label">SC-28[2]</prop>
-               <p>the information system protects:</p>
-               <part id="sc-28_obj.2.a" name="objective">
-                  <prop name="label">SC-28[2][a]</prop>
-                  <p>the confidentiality of organization-defined information at rest; and/or</p>
-               </part>
-               <part id="sc-28_obj.2.b" name="objective">
-                  <prop name="label">SC-28[2][b]</prop>
-                  <p>the integrity of organization-defined information at rest.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing protection of information at rest</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>cryptographic mechanisms and associated configuration documentation</p>
-               <p>list of information at rest requiring confidentiality and integrity
-                  protections</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing confidentiality and integrity
-                  protections for information at rest</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-28.1">
-            <title>Cryptographic Protection</title>
-            <param id="sc-28.1_prm_1">
-               <label>organization-defined information</label>
-            </param>
-            <param id="sc-28.1_prm_2">
-               <label>organization-defined information system components</label>
-               <constraint>all information system components storing customer data deemed sensitive</constraint>
-            </param>
-            <prop name="label">SC-28(1)</prop>
-            <prop name="sort-id">sc-28.01</prop>
-            <part id="sc-28.1_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to prevent unauthorized
-                  disclosure and modification of <insert param-id="sc-28.1_prm_1"/> on <insert param-id="sc-28.1_prm_2"/>.</p>
-            </part>
-            <part id="sc-28.1_gdn" name="guidance">
-               <p>Selection of cryptographic mechanisms is based on the need to protect the
-                  confidentiality and integrity of organizational information. The strength of
-                  mechanism is commensurate with the security category and/or classification of the
-                  information. This control enhancement applies to significant concentrations of
-                  digital media in organizational areas designated for media storage and also to
-                  limited quantities of media generally associated with information system
-                  components in operational environments (e.g., portable storage devices, mobile
-                  devices). Organizations have the flexibility to either encrypt all information on
-                  storage devices (i.e., full disk encryption) or encrypt specific data structures
-                  (e.g., files, records, or fields). Organizations employing cryptographic
-                  mechanisms to protect information at rest also consider cryptographic key
-                  management solutions.</p>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-            </part>
-            <part id="sc-28.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-28.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-28(1)[1]</prop>
-                  <p>the organization defines information requiring cryptographic protection;</p>
-               </part>
-               <part id="sc-28.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-28(1)[2]</prop>
-                  <p>the organization defines information system components with
-                     organization-defined information requiring cryptographic protection; and</p>
-               </part>
-               <part id="sc-28.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-28(1)[3]</prop>
-                  <p>the information system employs cryptographic mechanisms to prevent unauthorized
-                     disclosure and modification of organization-defined information on
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing protection of information at rest</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms implementing confidentiality and integrity protections
-                     for information at rest</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-39">
-         <title>Process Isolation</title>
-         <prop name="label">SC-39</prop>
-         <prop name="sort-id">sc-39</prop>
-         <part id="sc-39_smt" name="statement">
-            <p>The information system maintains a separate execution domain for each executing
-               process.</p>
-         </part>
-         <part id="sc-39_gdn" name="guidance">
-            <p>Information systems can maintain separate execution domains for each executing
-               process by assigning each process a separate address space. Each information system
-               process has a distinct address space so that communication between processes is
-               performed in a manner controlled through the security functions, and one process
-               cannot modify the executing code of another process. Maintaining separate execution
-               domains for executing processes can be achieved, for example, by implementing
-               separate address spaces. This capability is available in most commercial operating
-               systems that employ multi-state processor technologies.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sc-39_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system maintains a separate execution domain for each
-               executing process.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system design documentation</p>
-               <p>information system architecture</p>
-               <p>independent verification and validation documentation</p>
-               <p>testing and evaluation documentation, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Information system developers/integrators</p>
-               <p>information system security architect</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing separate execution domains for
-                  each executing process</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="si">
-      <title>System and Information Integrity</title>
-      <control class="SP800-53" id="si-1">
-         <title>System and Information Integrity Policy and Procedures</title>
-         <param id="si-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="si-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually or whenever a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-1</prop>
-         <prop name="sort-id">si-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="si-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="si-1_prm_1"/>:</p>
-               <part id="si-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and information integrity policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="si-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and information
-                     integrity policy and associated system and information integrity controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="si-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and information integrity policy <insert param-id="si-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="si-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and information integrity procedures <insert param-id="si-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="si-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SI
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="si-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-1.a_obj" name="objective">
-               <prop name="label">SI-1(a)</prop>
-               <part id="si-1.a.1_obj" name="objective">
-                  <prop name="label">SI-1(a)(1)</prop>
-                  <part id="si-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and information integrity policy that
-                        addresses:</p>
-                     <part id="si-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="si-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and information integrity
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="si-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SI-1(a)(1)[3]</prop>
-                     <p>disseminates the system and information integrity policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="si-1.a.2_obj" name="objective">
-                  <prop name="label">SI-1(a)(2)</prop>
-                  <part id="si-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and information integrity policy and associated system and
-                        information integrity controls;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SI-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-1.b_obj" name="objective">
-               <prop name="label">SI-1(b)</prop>
-               <part id="si-1.b.1_obj" name="objective">
-                  <prop name="label">SI-1(b)(1)</prop>
-                  <part id="si-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity policy;</p>
-                  </part>
-                  <part id="si-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and information integrity policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="si-1.b.2_obj" name="objective">
-                  <prop name="label">SI-1(b)(2)</prop>
-                  <part id="si-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity procedures; and</p>
-                  </part>
-                  <part id="si-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and information integrity procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and information integrity
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-2">
-         <title>Flaw Remediation</title>
-         <param id="si-2_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>thirty (30) days of release of updates</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-2</prop>
-         <prop name="sort-id">si-02</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="si-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies, reports, and corrects information system flaws;</p>
-            </part>
-            <part id="si-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tests software and firmware updates related to flaw remediation for effectiveness
-                  and potential side effects before installation;</p>
-            </part>
-            <part id="si-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Installs security-relevant software and firmware updates within <insert param-id="si-2_prm_1"/> of the release of the updates; and</p>
-            </part>
-            <part id="si-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part id="si-2_gdn" name="guidance">
-            <p>Organizations identify information systems affected by announced software flaws
-               including potential vulnerabilities resulting from those flaws, and report this
-               information to designated organizational personnel with information security
-               responsibilities. Security-relevant software updates include, for example, patches,
-               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-               discovered during security assessments, continuous monitoring, incident response
-               activities, and system error handling. Organizations take advantage of available
-               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-               Exposures (CVE) databases in remediating flaws discovered in organizational
-               information systems. By incorporating flaw remediation into ongoing configuration
-               management processes, required/anticipated remediation actions can be tracked and
-               verified. Flaw remediation actions that can be tracked and verified include, for
-               example, determining whether organizations follow US-CERT guidance and Information
-               Assurance Vulnerability Alerts. Organization-defined time periods for updating
-               security-relevant software and firmware may vary based on a variety of factors
-               including, for example, the security category of the information system or the
-               criticality of the update (i.e., severity of the vulnerability related to the
-               discovered flaw). Some types of flaw remediation may require more testing than other
-               types. Organizations determine the degree and type of testing needed for the specific
-               type of flaw remediation activity under consideration and also the types of changes
-               that are to be configuration-managed. In some situations, organizations may determine
-               that the testing of software and/or firmware updates is not necessary or practical,
-               for example, when implementing simple anti-virus signature updates. Organizations may
-               also consider in testing decisions, whether security-relevant software or firmware
-               updates are obtained from authorized sources with appropriate digital signatures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="si-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-2.a_obj" name="objective">
-               <prop name="label">SI-2(a)</prop>
-               <part id="si-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[1]</prop>
-                  <p>identifies information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[2]</prop>
-                  <p>reports information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[3]</prop>
-                  <p>corrects information system flaws;</p>
-               </part>
-            </part>
-            <part id="si-2.b_obj" name="objective">
-               <prop name="label">SI-2(b)</prop>
-               <part id="si-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(b)[1]</prop>
-                  <p>tests software updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-               <part id="si-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(b)[2]</prop>
-                  <p>tests firmware updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-            </part>
-            <part id="si-2.c_obj" name="objective">
-               <prop name="label">SI-2(c)</prop>
-               <part id="si-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-2(c)[1]</prop>
-                  <p>defines the time period within which to install security-relevant software
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-2(c)[2]</prop>
-                  <p>defines the time period within which to install security-relevant firmware
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(c)[3]</prop>
-                  <p>installs software updates within the organization-defined time period of the
-                     release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(c)[4]</prop>
-                  <p>installs firmware updates within the organization-defined time period of the
-                     release of the updates; and</p>
-               </part>
-            </part>
-            <part id="si-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-2(d)</prop>
-               <p>incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing flaw remediation</p>
-               <p>procedures addressing configuration management</p>
-               <p>list of flaws and vulnerabilities potentially affecting the information system</p>
-               <p>list of recent security flaw remediation actions performed on the information
-                  system (e.g., list of installed patches, service packs, hot fixes, and other
-                  software updates to correct information system flaws)</p>
-               <p>test results from the installation of software and firmware updates to correct
-                  information system flaws</p>
-               <p>installation/change control records for security-relevant software and firmware
-                  updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for flaw remediation</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for identifying, reporting, and correcting information
-                  system flaws</p>
-               <p>organizational process for installing software and firmware updates</p>
-               <p>automated mechanisms supporting and/or implementing reporting, and correcting
-                  information system flaws</p>
-               <p>automated mechanisms supporting and/or implementing testing software and firmware
-                  updates</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-2.1">
-            <title>Central Management</title>
-            <prop name="label">SI-2(1)</prop>
-            <prop name="sort-id">si-02.01</prop>
-            <part id="si-2.1_smt" name="statement">
-               <p>The organization centrally manages the flaw remediation process.</p>
-            </part>
-            <part id="si-2.1_gdn" name="guidance">
-               <p>Central management is the organization-wide management and implementation of flaw
-                  remediation processes. Central management includes planning, implementing,
-                  assessing, authorizing, and monitoring the organization-defined, centrally managed
-                  flaw remediation security controls.</p>
-            </part>
-            <part id="si-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization centrally manages the flaw remediation process.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>automated mechanisms supporting centralized management of flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for central management of the flaw remediation
-                     process</p>
-                  <p>automated mechanisms supporting and/or implementing central management of the
-                     flaw remediation process</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.2">
-            <title>Automated Flaw Remediation Status</title>
-            <param id="si-2.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least monthly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-2(2)</prop>
-            <prop name="sort-id">si-02.02</prop>
-            <part id="si-2.2_smt" name="statement">
-               <p>The organization employs automated mechanisms <insert param-id="si-2.2_prm_1"/> to
-                  determine the state of information system components with regard to flaw
-                  remediation.</p>
-            </part>
-            <part id="si-2.2_gdn" name="guidance">
-               <link rel="related" href="#cm-6">CM-6</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="si-2.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-2(2)[1]</prop>
-                  <p>defines a frequency to employ automated mechanisms to determine the state of
-                     information system components with regard to flaw remediation; and</p>
-               </part>
-               <part id="si-2.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(2)[2]</prop>
-                  <p>employs automated mechanisms with the organization-defined frequency to
-                     determine the state of information system components with regard to flaw
-                     remediation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>automated mechanisms supporting centralized management of flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms used to determine the state of information system
-                     components with regard to flaw remediation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.3">
-            <title>Time to Remediate Flaws / Benchmarks for Corrective Actions</title>
-            <param id="si-2.3_prm_1">
-               <label>organization-defined benchmarks</label>
-            </param>
-            <prop name="label">SI-2(3)</prop>
-            <prop name="sort-id">si-02.03</prop>
-            <part id="si-2.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="si-2.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Measures the time between flaw identification and flaw remediation; and</p>
-               </part>
-               <part id="si-2.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Establishes <insert param-id="si-2.3_prm_1"/> for taking corrective
-                     actions.</p>
-               </part>
-            </part>
-            <part id="si-2.3_gdn" name="guidance">
-               <p>This control enhancement requires organizations to determine the current time it
-                  takes on the average to correct information system flaws after such flaws have
-                  been identified, and subsequently establish organizational benchmarks (i.e., time
-                  frames) for taking corrective actions. Benchmarks can be established by type of
-                  flaw and/or severity of the potential vulnerability if the flaw can be
-                  exploited.</p>
-            </part>
-            <part id="si-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-2.3.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(3)(a)</prop>
-                  <p>measures the time between flaw identification and flaw remediation;</p>
-                  <link rel="corresp" href="#si-2.3_smt.a">SI-2(3)(a)</link>
-               </part>
-               <part id="si-2.3.b_obj" name="objective">
-                  <prop name="label">SI-2(3)(b)</prop>
-                  <part id="si-2.3.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-2(3)(b)[1]</prop>
-                     <p>defines benchmarks for taking corrective actions; and</p>
-                  </part>
-                  <part id="si-2.3.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-2(3)(b)[2]</prop>
-                     <p>establishes organization-defined benchmarks for taking corrective
-                        actions.</p>
-                  </part>
-                  <link rel="corresp" href="#si-2.3_smt.b">SI-2(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of benchmarks for taking corrective action on flaws identified</p>
-                  <p>records providing time stamps of flaw identification and subsequent flaw
-                     remediation activities</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for identifying, reporting, and correcting information
-                     system flaws</p>
-                  <p>automated mechanisms used to measure the time between flaw identification and
-                     flaw remediation</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-3">
-         <title>Malicious Code Protection</title>
-         <param id="si-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least weekly</constraint>
-         </param>
-         <param id="si-3_prm_2">
-            <constraint>to include endpoints</constraint>
-         </param>
-         <param id="si-3_prm_3">
-            <constraint>to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime</constraint>
-         </param>
-         <param id="si-3_prm_4" depends-on="si-3_prm_3">
-            <label>organization-defined action</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-3</prop>
-         <prop name="sort-id">si-03</prop>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <part id="si-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs malicious code protection mechanisms at information system entry and exit
-                  points to detect and eradicate malicious code;</p>
-            </part>
-            <part id="si-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and
-                  procedures;</p>
-            </part>
-            <part id="si-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Configures malicious code protection mechanisms to:</p>
-               <part id="si-3_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Perform periodic scans of the information system <insert param-id="si-3_prm_1"/> and real-time scans of files from external sources at <insert param-id="si-3_prm_2"/> as the files are downloaded, opened, or executed in
-                     accordance with organizational security policy; and</p>
-               </part>
-               <part id="si-3_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>
-                     <insert param-id="si-3_prm_3"/> in response to malicious code detection;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Addresses the receipt of false positives during malicious code detection and
-                  eradication and the resulting potential impact on the availability of the
-                  information system.</p>
-            </part>
-         </part>
-         <part id="si-3_gdn" name="guidance">
-            <p>Information system entry and exit points include, for example, firewalls, electronic
-               mail servers, web servers, proxy servers, remote-access servers, workstations,
-               notebook computers, and mobile devices. Malicious code includes, for example,
-               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-               files, or hidden in files using steganography. Malicious code can be transported by
-               different means including, for example, web accesses, electronic mail, electronic
-               mail attachments, and portable storage devices. Malicious code insertions occur
-               through the exploitation of information system vulnerabilities. Malicious code
-               protection mechanisms include, for example, anti-virus signature definitions and
-               reputation-based technologies. A variety of technologies and methods exist to limit
-               or eliminate the effects of malicious code. Pervasive configuration management and
-               comprehensive software integrity controls may be effective in preventing execution of
-               unauthorized code. In addition to commercial off-the-shelf software, malicious code
-               may also be present in custom-built software. This could include, for example, logic
-               bombs, back doors, and other types of cyber attacks that could affect organizational
-               missions/business functions. Traditional malicious code protection mechanisms cannot
-               always detect such code. In these situations, organizations rely instead on other
-               safeguards including, for example, secure coding practices, configuration management
-               and control, trusted procurement processes, and monitoring practices to help ensure
-               that software does not perform functions other than the functions intended.
-               Organizations may determine that in response to the detection of malicious code,
-               different actions may be warranted. For example, organizations can define actions in
-               response to malicious code detection during periodic scans, actions in response to
-               detection of malicious downloads, and/or actions in response to detection of
-               maliciousness when attempting to open or execute files.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-13">SA-13</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-3(a)</prop>
-               <p>employs malicious code protection mechanisms to detect and eradicate malicious
-                  code at information system:</p>
-               <part id="si-3.a_obj.1" name="objective">
-                  <prop name="label">SI-3(a)[1]</prop>
-                  <p>entry points;</p>
-               </part>
-               <part id="si-3.a_obj.2" name="objective">
-                  <prop name="label">SI-3(a)[2]</prop>
-                  <p>exit points;</p>
-               </part>
-            </part>
-            <part id="si-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-3(b)</prop>
-               <p>updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and procedures
-                  (as identified in CM-1);</p>
-            </part>
-            <part id="si-3.c_obj" name="objective">
-               <prop name="label">SI-3(c)</prop>
-               <part id="si-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-3(c)[1]</prop>
-                  <p>defines a frequency for malicious code protection mechanisms to perform
-                     periodic scans of the information system;</p>
-               </part>
-               <part id="si-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-3(c)[2]</prop>
-                  <p>defines action to be initiated by malicious protection mechanisms in response
-                     to malicious code detection;</p>
-               </part>
-               <part id="si-3.c_obj.3" name="objective">
-                  <prop name="label">SI-3(c)[3]</prop>
-                  <part id="si-3.c.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-3(c)[3](1)</prop>
-                     <p>configures malicious code protection mechanisms to:</p>
-                     <part id="si-3.c.1_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[a]</prop>
-                        <p>perform periodic scans of the information system with the
-                           organization-defined frequency;</p>
-                     </part>
-                     <part id="si-3.c.1_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[b]</prop>
-                        <p>perform real-time scans of files from external sources at endpoint and/or
-                           network entry/exit points as the files are downloaded, opened, or
-                           executed in accordance with organizational security policy;</p>
-                     </part>
-                  </part>
-                  <part id="si-3.c.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-3(c)[3](2)</prop>
-                     <p>configures malicious code protection mechanisms to do one or more of the
-                        following:</p>
-                     <part id="si-3.c.2_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[a]</prop>
-                        <p>block malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[b]</prop>
-                        <p>quarantine malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.c" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[c]</prop>
-                        <p>send alert to administrator in response to malicious code detection;
-                           and/or</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.d" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[d]</prop>
-                        <p>initiate organization-defined action in response to malicious code
-                           detection;</p>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="si-3.d_obj" name="objective">
-               <prop name="label">SI-3(d)</prop>
-               <part id="si-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-3(d)[1]</prop>
-                  <p>addresses the receipt of false positives during malicious code detection and
-                     eradication; and</p>
-               </part>
-               <part id="si-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-3(d)[2]</prop>
-                  <p>addresses the resulting potential impact on the availability of the information
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>configuration management policy and procedures</p>
-               <p>procedures addressing malicious code protection</p>
-               <p>malicious code protection mechanisms</p>
-               <p>records of malicious code protection updates</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>scan results from malicious code protection mechanisms</p>
-               <p>record of actions initiated by malicious code protection mechanisms in response to
-                  malicious code detection</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for malicious code protection</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for employing, updating, and configuring malicious code
-                  protection mechanisms</p>
-               <p>organizational process for addressing false positives and resulting potential
-                  impact</p>
-               <p>automated mechanisms supporting and/or implementing employing, updating, and
-                  configuring malicious code protection mechanisms</p>
-               <p>automated mechanisms supporting and/or implementing malicious code scanning and
-                  subsequent actions</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-3.1">
-            <title>Central Management</title>
-            <prop name="label">SI-3(1)</prop>
-            <prop name="sort-id">si-03.01</prop>
-            <part id="si-3.1_smt" name="statement">
-               <p>The organization centrally manages malicious code protection mechanisms.</p>
-            </part>
-            <part id="si-3.1_gdn" name="guidance">
-               <p>Central management is the organization-wide management and implementation of
-                  malicious code protection mechanisms. Central management includes planning,
-                  implementing, assessing, authorizing, and monitoring the organization-defined,
-                  centrally managed flaw malicious code protection security controls.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#si-8">SI-8</link>
-            </part>
-            <part id="si-3.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization centrally manages malicious code protection
-                  mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>automated mechanisms supporting centralized management of malicious code
-                     protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for central management of malicious code protection
-                     mechanisms</p>
-                  <p>automated mechanisms supporting and/or implementing central management of
-                     malicious code protection mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.2">
-            <title>Automatic Updates</title>
-            <prop name="label">SI-3(2)</prop>
-            <prop name="sort-id">si-03.02</prop>
-            <part id="si-3.2_smt" name="statement">
-               <p>The information system automatically updates malicious code protection
-                  mechanisms.</p>
-            </part>
-            <part id="si-3.2_gdn" name="guidance">
-               <p>Malicious code protection mechanisms include, for example, signature definitions.
-                  Due to information system integrity and availability concerns, organizations give
-                  careful consideration to the methodology used to carry out automatic updates.</p>
-               <link rel="related" href="#si-8">SI-8</link>
-            </part>
-            <part id="si-3.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system automatically updates malicious code
-                  protection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>automated mechanisms supporting centralized management of malicious code
-                     protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing automatic updates to
-                     malicious code protection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.7">
-            <title>Nonsignature-based Detection</title>
-            <prop name="label">SI-3(7)</prop>
-            <prop name="sort-id">si-03.07</prop>
-            <part id="si-3.7_smt" name="statement">
-               <p>The information system implements nonsignature-based malicious code detection
-                  mechanisms.</p>
-            </part>
-            <part id="si-3.7_gdn" name="guidance">
-               <p>Nonsignature-based detection mechanisms include, for example, the use of
-                  heuristics to detect, analyze, and describe the characteristics or behavior of
-                  malicious code and to provide safeguards against malicious code for which
-                  signatures do not yet exist or for which existing signatures may not be effective.
-                  This includes polymorphic malicious code (i.e., code that changes signatures when
-                  it replicates). This control enhancement does not preclude the use of
-                  signature-based detection mechanisms.</p>
-            </part>
-            <part id="si-3.7_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements non signature-based malicious code
-                  detection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>information system design documentation</p>
-                  <p>malicious code protection mechanisms</p>
-                  <p>records of malicious code protection updates</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing nonsignature-based
-                     malicious code protection capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-4">
-         <title>Information System Monitoring</title>
-         <param id="si-4_prm_1">
-            <label>organization-defined monitoring objectives</label>
-         </param>
-         <param id="si-4_prm_2">
-            <label>organization-defined techniques and methods</label>
-         </param>
-         <param id="si-4_prm_3">
-            <label>organization-defined information system monitoring information</label>
-         </param>
-         <param id="si-4_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-4_prm_5"/>
-         <param id="si-4_prm_6" depends-on="si-4_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-4</prop>
-         <prop name="sort-id">si-04</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="si-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors the information system to detect:</p>
-               <part id="si-4_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Attacks and indicators of potential attacks in accordance with <insert param-id="si-4_prm_1"/>; and</p>
-               </part>
-               <part id="si-4_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Unauthorized local, network, and remote connections;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Identifies unauthorized use of the information system through <insert param-id="si-4_prm_2"/>;</p>
-            </part>
-            <part id="si-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Deploys monitoring devices:</p>
-               <part id="si-4_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Strategically within the information system to collect organization-determined
-                     essential information; and</p>
-               </part>
-               <part id="si-4_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>At ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects information obtained from intrusion-monitoring tools from unauthorized
-                  access, modification, and deletion;</p>
-            </part>
-            <part id="si-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations; and</p>
-            </part>
-            <part id="si-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Provides <insert param-id="si-4_prm_3"/> to <insert param-id="si-4_prm_4"/>
-                  <insert param-id="si-4_prm_5"/>.</p>
-            </part>
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </part>
-         <part id="si-4_gdn" name="guidance">
-            <p>Information system monitoring includes external and internal monitoring. External
-               monitoring includes the observation of events occurring at the information system
-               boundary (i.e., part of perimeter defense and boundary protection). Internal
-               monitoring includes the observation of events occurring within the information
-               system. Organizations can monitor information systems, for example, by observing
-               audit activities in real time or by observing other system aspects such as access
-               patterns, characteristics of access, and other actions. The monitoring objectives may
-               guide determination of the events. Information system monitoring capability is
-               achieved through a variety of tools and techniques (e.g., intrusion detection
-               systems, intrusion prevention systems, malicious code protection software, scanning
-               tools, audit record monitoring software, network monitoring software). Strategic
-               locations for monitoring devices include, for example, selected perimeter locations
-               and near server farms supporting critical applications, with such devices typically
-               being employed at the managed interfaces associated with controls SC-7 and AC-17.
-               Einstein network monitoring devices from the Department of Homeland Security can also
-               be included as monitoring devices. The granularity of monitoring information
-               collected is based on organizational monitoring objectives and the capability of
-               information systems to support such objectives. Specific types of transactions of
-               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-               bypasses HTTP proxies. Information system monitoring is an integral part of
-               organizational continuous monitoring and incident response programs. Output from
-               system monitoring serves as input to continuous monitoring and incident response
-               programs. A network connection is any connection with a device that communicates
-               through a network (e.g., local area network, Internet). A remote connection is any
-               connection with a device communicating through an external network (e.g., the
-               Internet). Local, network, and remote connections can be either wired or
-               wireless.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-35">SC-35</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-4.a_obj" name="objective">
-               <prop name="label">SI-4(a)</prop>
-               <part id="si-4.a.1_obj" name="objective">
-                  <prop name="label">SI-4(a)(1)</prop>
-                  <part id="si-4.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-4(a)(1)[1]</prop>
-                     <p>defines monitoring objectives to detect attacks and indicators of potential
-                        attacks on the information system;</p>
-                  </part>
-                  <part id="si-4.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-4(a)(1)[2]</prop>
-                     <p>monitors the information system to detect, in accordance with
-                        organization-defined monitoring objectives,:</p>
-                     <part id="si-4.a.1_obj.2.a" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][a]</prop>
-                        <p>attacks;</p>
-                     </part>
-                     <part id="si-4.a.1_obj.2.b" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][b]</prop>
-                        <p>indicators of potential attacks;</p>
-                     </part>
-                  </part>
-               </part>
-               <part id="si-4.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(a)(2)</prop>
-                  <p>monitors the information system to detect unauthorized:</p>
-                  <part id="si-4.a.2_obj.1" name="objective">
-                     <prop name="label">SI-4(a)(2)[1]</prop>
-                     <p>local connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.2" name="objective">
-                     <prop name="label">SI-4(a)(2)[2]</prop>
-                     <p>network connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.3" name="objective">
-                     <prop name="label">SI-4(a)(2)[3]</prop>
-                     <p>remote connections;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-4.b_obj" name="objective">
-               <prop name="label">SI-4(b)</prop>
-               <part id="si-4.b.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(b)(1)</prop>
-                  <p>defines techniques and methods to identify unauthorized use of the information
-                     system;</p>
-               </part>
-               <part id="si-4.b.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(b)(2)</prop>
-                  <p>identifies unauthorized use of the information system through
-                     organization-defined techniques and methods;</p>
-               </part>
-            </part>
-            <part id="si-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(c)</prop>
-               <p>deploys monitoring devices:</p>
-               <part id="si-4.c_obj.1" name="objective">
-                  <prop name="label">SI-4(c)[1]</prop>
-                  <p>strategically within the information system to collect organization-determined
-                     essential information;</p>
-               </part>
-               <part id="si-4.c_obj.2" name="objective">
-                  <prop name="label">SI-4(c)[2]</prop>
-                  <p>at ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(d)</prop>
-               <p>protects information obtained from intrusion-monitoring tools from
-                  unauthorized:</p>
-               <part id="si-4.d_obj.1" name="objective">
-                  <prop name="label">SI-4(d)[1]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="si-4.d_obj.2" name="objective">
-                  <prop name="label">SI-4(d)[2]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="si-4.d_obj.3" name="objective">
-                  <prop name="label">SI-4(d)[3]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="si-4.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(e)</prop>
-               <p>heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4.f_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">SI-4(f)</prop>
-               <p>obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations;</p>
-            </part>
-            <part id="si-4.g_obj" name="objective">
-               <prop name="label">SI-4(g)</prop>
-               <part id="si-4.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[1]</prop>
-                  <p>defines personnel or roles to whom information system monitoring information is
-                     to be provided;</p>
-               </part>
-               <part id="si-4.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[2]</prop>
-                  <p>defines information system monitoring information to be provided to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[3]</prop>
-                  <p>defines a frequency to provide organization-defined information system
-                     monitoring to organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(g)[4]</prop>
-                  <p>provides organization-defined information system monitoring information to
-                     organization-defined personnel or roles one or more of the following:</p>
-                  <part id="si-4.g_obj.4.a" name="objective">
-                     <prop name="label">SI-4(g)[4][a]</prop>
-                     <p>as needed; and/or</p>
-                  </part>
-                  <part id="si-4.g_obj.4.b" name="objective">
-                     <prop name="label">SI-4(g)[4][b]</prop>
-                     <p>with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Continuous monitoring strategy</p>
-               <p>system and information integrity policy</p>
-               <p>procedures addressing information system monitoring tools and techniques</p>
-               <p>facility diagram/layout</p>
-               <p>information system design documentation</p>
-               <p>information system monitoring tools and techniques documentation</p>
-               <p>locations within information system where monitoring devices are deployed</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility monitoring the information system</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information system monitoring</p>
-               <p>automated mechanisms supporting and/or implementing information system monitoring
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-4.1">
-            <title>System-wide Intrusion Detection System</title>
-            <prop name="label">SI-4(1)</prop>
-            <prop name="sort-id">si-04.01</prop>
-            <part id="si-4.1_smt" name="statement">
-               <p>The organization connects and configures individual intrusion detection tools into
-                  an information system-wide intrusion detection system.</p>
-            </part>
-            <part id="si-4.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(1)[1]</prop>
-                  <p>connects individual intrusion detection tools into an information system-wide
-                     intrusion detection system; and</p>
-               </part>
-               <part id="si-4.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(1)[2]</prop>
-                  <p>configures individual intrusion detection tools into an information system-wide
-                     intrusion detection system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.2">
-            <title>Automated Tools for Real-time Analysis</title>
-            <prop name="label">SI-4(2)</prop>
-            <prop name="sort-id">si-04.02</prop>
-            <part id="si-4.2_smt" name="statement">
-               <p>The organization employs automated tools to support near real-time analysis of
-                  events.</p>
-            </part>
-            <part id="si-4.2_gdn" name="guidance">
-               <p>Automated tools include, for example, host-based, network-based, transport-based,
-                  or storage-based event monitoring tools or Security Information and Event
-                  Management (SIEM) technologies that provide real time analysis of alerts and/or
-                  notifications generated by organizational information systems.</p>
-            </part>
-            <part id="si-4.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated tools to support near real-time
-                  analysis of events.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for incident
-                     response/management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for near real-time analysis of events</p>
-                  <p>organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     monitoring</p>
-                  <p>automated mechanisms/tools supporting and/or implementing analysis of
-                     events</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.4">
-            <title>Inbound and Outbound Communications Traffic</title>
-            <param id="si-4.4_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>continuously</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-4(4)</prop>
-            <prop name="sort-id">si-04.04</prop>
-            <part id="si-4.4_smt" name="statement">
-               <p>The information system monitors inbound and outbound communications traffic
-                     <insert param-id="si-4.4_prm_1"/> for unusual or unauthorized activities or
-                  conditions.</p>
-            </part>
-            <part id="si-4.4_gdn" name="guidance">
-               <p>Unusual/unauthorized activities or conditions related to information system
-                  inbound and outbound communications traffic include, for example, internal traffic
-                  that indicates the presence of malicious code within organizational information
-                  systems or propagating among system components, the unauthorized exporting of
-                  information, or signaling to external information systems. Evidence of malicious
-                  code is used to identify potentially compromised information systems or
-                  information system components.</p>
-            </part>
-            <part id="si-4.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(4)[1]</prop>
-                  <p>defines a frequency to monitor:</p>
-                  <part id="si-4.4_obj.1.a" name="objective">
-                     <prop name="label">SI-4(4)[1][a]</prop>
-                     <p>inbound communications traffic for unusual or unauthorized activities or
-                        conditions;</p>
-                  </part>
-                  <part id="si-4.4_obj.1.b" name="objective">
-                     <prop name="label">SI-4(4)[1][b]</prop>
-                     <p>outbound communications traffic for unusual or unauthorized activities or
-                        conditions;</p>
-                  </part>
-               </part>
-               <part id="si-4.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(4)[2]</prop>
-                  <p>monitors, with the organization-defined frequency:</p>
-                  <part id="si-4.4_obj.2.a" name="objective">
-                     <prop name="label">SI-4(4)[2][a]</prop>
-                     <p>inbound communications traffic for unusual or unauthorized activities or
-                        conditions; and</p>
-                  </part>
-                  <part id="si-4.4_obj.2.b" name="objective">
-                     <prop name="label">SI-4(4)[2][b]</prop>
-                     <p>outbound communications traffic for unusual or unauthorized activities or
-                        conditions.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system protocols</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection
-                     capability/information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing monitoring of
-                     inbound/outbound communications traffic</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.5">
-            <title>System-generated Alerts</title>
-            <param id="si-4.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="si-4.5_prm_2">
-               <label>organization-defined compromise indicators</label>
-            </param>
-            <prop name="label">SI-4(5)</prop>
-            <prop name="sort-id">si-04.05</prop>
-            <part id="si-4.5_smt" name="statement">
-               <p>The information system alerts <insert param-id="si-4.5_prm_1"/> when the following
-                  indications of compromise or potential compromise occur: <insert param-id="si-4.5_prm_2"/>.</p>
-               <part id="si-4.5_fr" name="item">
-                  <title>SI-4 (5) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="si-4.5_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>In accordance with the incident response plan.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-4.5_gdn" name="guidance">
-               <p>Alerts may be generated from a variety of sources, including, for example, audit
-                  records or inputs from malicious code protection mechanisms, intrusion detection
-                  or prevention mechanisms, or boundary protection devices such as firewalls,
-                  gateways, and routers. Alerts can be transmitted, for example, telephonically, by
-                  electronic mail messages, or by text messaging. Organizational personnel on the
-                  notification list can include, for example, system administrators,
-                  mission/business owners, system owners, or information system security
-                  officers.</p>
-               <link rel="related" href="#au-5">AU-5</link>
-               <link rel="related" href="#pe-6">PE-6</link>
-            </part>
-            <part id="si-4.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-4.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(5)[1]</prop>
-                  <p>the organization defines compromise indicators for the information system;</p>
-               </part>
-               <part id="si-4.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(5)[2]</prop>
-                  <p>the organization defines personnel or roles to be alerted when indications of
-                     compromise or potential compromise occur; and</p>
-               </part>
-               <part id="si-4.5_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(5)[3]</prop>
-                  <p>the information system alerts organization-defined personnel or roles when
-                     organization-defined compromise indicators occur.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>alerts/notifications generated based on compromise indicators</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing alerts for compromise
-                     indicators</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.11">
-            <title>Analyze Communications Traffic Anomalies</title>
-            <param id="si-4.11_prm_1">
-               <label>organization-defined interior points within the system (e.g., subnetworks,
-                  subsystems)</label>
-            </param>
-            <prop name="label">SI-4(11)</prop>
-            <prop name="sort-id">si-04.11</prop>
-            <part id="si-4.11_smt" name="statement">
-               <p>The organization analyzes outbound communications traffic at the external boundary
-                  of the information system and selected <insert param-id="si-4.11_prm_1"/> to
-                  discover anomalies.</p>
-            </part>
-            <part id="si-4.11_gdn" name="guidance">
-               <p>Anomalies within organizational information systems include, for example, large
-                  file transfers, long-time persistent connections, unusual protocols and ports in
-                  use, and attempted communications with suspected malicious external addresses.</p>
-            </part>
-            <part id="si-4.11_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.11_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(11)[1]</prop>
-                  <p>defines interior points within the system (e.g., subnetworks, subsystems) where
-                     communications traffic is to be analyzed;</p>
-               </part>
-               <part id="si-4.11_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(11)[2]</prop>
-                  <p>analyzes outbound communications traffic to discover anomalies at:</p>
-                  <part id="si-4.11_obj.2.a" name="objective">
-                     <prop name="label">SI-4(11)[2][a]</prop>
-                     <p>the external boundary of the information system; and</p>
-                  </part>
-                  <part id="si-4.11_obj.2.b" name="objective">
-                     <prop name="label">SI-4(11)[2][b]</prop>
-                     <p>selected organization-defined interior points within the system.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>network diagram</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing analysis of communications
-                     traffic</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.14">
-            <title>Wireless Intrusion Detection</title>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-4(14)</prop>
-            <prop name="sort-id">si-04.14</prop>
-            <part id="si-4.14_smt" name="statement">
-               <p>The organization employs a wireless intrusion detection system to identify rogue
-                  wireless devices and to detect attack attempts and potential compromises/breaches
-                  to the information system.</p>
-            </part>
-            <part id="si-4.14_gdn" name="guidance">
-               <p>Wireless signals may radiate beyond the confines of organization-controlled
-                  facilities. Organizations proactively search for unauthorized wireless connections
-                  including the conduct of thorough scans for unauthorized wireless access points.
-                  Scans are not limited to those areas within facilities containing information
-                  systems, but also include areas outside of facilities as needed, to verify that
-                  unauthorized wireless access points are not connected to the systems.</p>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ia-3">IA-3</link>
-            </part>
-            <part id="si-4.14_obj" name="objective">
-               <p>Determine if the organization employs a wireless intrusion detection system
-                  to:</p>
-               <part id="si-4.14_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(14)[1]</prop>
-                  <p>identify rogue wireless devices;</p>
-               </part>
-               <part id="si-4.14_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(14)[2]</prop>
-                  <p>detect attack attempts to the information system; and</p>
-               </part>
-               <part id="si-4.14_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(14)[3]</prop>
-                  <p>detect potential compromises/breaches to the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system protocols</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection</p>
-                  <p>automated mechanisms supporting and/or implementing wireless intrusion
-                     detection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.16">
-            <title>Correlate Monitoring Information</title>
-            <prop name="label">SI-4(16)</prop>
-            <prop name="sort-id">si-04.16</prop>
-            <part id="si-4.16_smt" name="statement">
-               <p>The organization correlates information from monitoring tools employed throughout
-                  the information system.</p>
-            </part>
-            <part id="si-4.16_gdn" name="guidance">
-               <p>Correlating information from different monitoring tools can provide a more
-                  comprehensive view of information system activity. The correlation of monitoring
-                  tools that usually work in isolation (e.g., host monitoring, network monitoring,
-                  anti-virus software) can provide an organization-wide view and in so doing, may
-                  reveal otherwise unseen attack patterns. Understanding the
-                  capabilities/limitations of diverse monitoring tools and how to maximize the
-                  utility of information generated by those tools can help organizations to build,
-                  operate, and maintain effective monitoring programs.</p>
-               <link rel="related" href="#au-6">AU-6</link>
-            </part>
-            <part id="si-4.16_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization correlates information from monitoring tools
-                  employed throughout the information system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>event correlation logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing correlation of information
-                     from monitoring tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.18">
-            <title>Analyze Traffic / Covert Exfiltration</title>
-            <param id="si-4.18_prm_1">
-               <label>organization-defined interior points within the system (e.g., subsystems,
-                  subnetworks)</label>
-            </param>
-            <prop name="label">SI-4(18)</prop>
-            <prop name="sort-id">si-04.18</prop>
-            <part id="si-4.18_smt" name="statement">
-               <p>The organization analyzes outbound communications traffic at the external boundary
-                  of the information system (i.e., system perimeter) and at <insert param-id="si-4.18_prm_1"/> to detect covert exfiltration of information.</p>
-            </part>
-            <part id="si-4.18_gdn" name="guidance">
-               <p>Covert means that can be used for the unauthorized exfiltration of organizational
-                  information include, for example, steganography.</p>
-            </part>
-            <part id="si-4.18_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.18_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(18)[1]</prop>
-                  <p>defines interior points within the system (e.g., subsystems, subnetworks) where
-                     communications traffic is to be analyzed;</p>
-               </part>
-               <part id="si-4.18_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(18)[2]</prop>
-                  <p>to detect covert exfiltration of information, analyzes outbound communications
-                     traffic at:</p>
-                  <part id="si-4.18_obj.2.a" name="objective">
-                     <prop name="label">SI-4(18)[2][a]</prop>
-                     <p>the external boundary of the information system (i.e., system perimeter);
-                        and</p>
-                  </part>
-                  <part id="si-4.18_obj.2.b" name="objective">
-                     <prop name="label">SI-4(18)[2][b]</prop>
-                     <p>organization-defined interior points within the system.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>network diagram</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection/system
-                     monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing analysis of outbound
-                     communications traffic</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.19">
-            <title>Individuals Posing Greater Risk</title>
-            <param id="si-4.19_prm_1">
-               <label>organization-defined additional monitoring</label>
-            </param>
-            <param id="si-4.19_prm_2">
-               <label>organization-defined sources</label>
-            </param>
-            <prop name="label">SI-4(19)</prop>
-            <prop name="sort-id">si-04.19</prop>
-            <part id="si-4.19_smt" name="statement">
-               <p>The organization implements <insert param-id="si-4.19_prm_1"/> of individuals who
-                  have been identified by <insert param-id="si-4.19_prm_2"/> as posing an increased
-                  level of risk.</p>
-            </part>
-            <part id="si-4.19_gdn" name="guidance">
-               <p>Indications of increased risk from individuals can be obtained from a variety of
-                  sources including, for example, human resource records, intelligence agencies, law
-                  enforcement organizations, and/or other credible sources. The monitoring of
-                  individuals is closely coordinated with management, legal, security, and human
-                  resources officials within organizations conducting such monitoring and complies
-                  with federal legislation, Executive Orders, policies, directives, regulations, and
-                  standards.</p>
-            </part>
-            <part id="si-4.19_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.19_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(19)[1]</prop>
-                  <p>defines sources that identify individuals who pose an increased level of
-                     risk;</p>
-               </part>
-               <part id="si-4.19_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(19)[2]</prop>
-                  <p>defines additional monitoring to be implemented on individuals who have been
-                     identified by organization-defined sources as posing an increased level of
-                     risk; and</p>
-               </part>
-               <part id="si-4.19_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(19)[3]</prop>
-                  <p>implements organization-defined additional monitoring of individuals who have
-                     been identified by organization-defined sources as posing an increased level of
-                     risk.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>list of individuals who have been identified as posing an increased level of
-                     risk</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.20">
-            <title>Privileged Users</title>
-            <param id="si-4.20_prm_1">
-               <label>organization-defined additional monitoring</label>
-            </param>
-            <prop name="label">SI-4(20)</prop>
-            <prop name="sort-id">si-04.20</prop>
-            <part id="si-4.20_smt" name="statement">
-               <p>The organization implements <insert param-id="si-4.20_prm_1"/> of privileged
-                  users.</p>
-            </part>
-            <part id="si-4.20_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.20_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(20)[1]</prop>
-                  <p>defines additional monitoring to be implemented on privileged users; and</p>
-               </part>
-               <part id="si-4.20_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(20)[2]</prop>
-                  <p>implements organization-defined additional monitoring of privileged users;</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>list of privileged users</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.22">
-            <title>Unauthorized Network Services</title>
-            <param id="si-4.22_prm_1">
-               <label>organization-defined authorization or approval processes</label>
-            </param>
-            <param id="si-4.22_prm_2"/>
-            <param id="si-4.22_prm_3" depends-on="si-4.22_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-4(22)</prop>
-            <prop name="sort-id">si-04.22</prop>
-            <part id="si-4.22_smt" name="statement">
-               <p>The information system detects network services that have not been authorized or
-                  approved by <insert param-id="si-4.22_prm_1"/> and <insert param-id="si-4.22_prm_2"/>.</p>
-            </part>
-            <part id="si-4.22_gdn" name="guidance">
-               <p>Unauthorized or unapproved network services include, for example, services in
-                  service-oriented architectures that lack organizational verification or validation
-                  and therefore may be unreliable or serve as malicious rogues for valid
-                  services.</p>
-               <link rel="related" href="#ac-6">AC-6</link>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#sa-5">SA-5</link>
-               <link rel="related" href="#sa-9">SA-9</link>
-            </part>
-            <part id="si-4.22_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-4.22_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(22)[1]</prop>
-                  <p>the organization defines authorization or approval processes for network
-                     services;</p>
-               </part>
-               <part id="si-4.22_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(22)[2]</prop>
-                  <p>the organization defines personnel or roles to be alerted upon detection of
-                     network services that have not been authorized or approved by
-                     organization-defined authorization or approval processes;</p>
-               </part>
-               <part id="si-4.22_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(22)[3]</prop>
-                  <p>the information system detects network services that have not been authorized
-                     or approved by organization-defined authorization or approval processes and
-                     does one or more of the following:</p>
-                  <part id="si-4.22_obj.3.a" name="objective">
-                     <prop name="label">SI-4(22)[3][a]</prop>
-                     <p>audits; and/or</p>
-                  </part>
-                  <part id="si-4.22_obj.3.b" name="objective">
-                     <prop name="label">SI-4(22)[3][b]</prop>
-                     <p>alerts organization-defined personnel or roles.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documented authorization/approval of network services</p>
-                  <p>notifications or alerts of unauthorized network services</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-                  <p>automated mechanisms for auditing network services</p>
-                  <p>automated mechanisms for providing alerts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.23">
-            <title>Host-based Devices</title>
-            <param id="si-4.23_prm_1">
-               <label>organization-defined host-based monitoring mechanisms</label>
-            </param>
-            <param id="si-4.23_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SI-4(23)</prop>
-            <prop name="sort-id">si-04.23</prop>
-            <part id="si-4.23_smt" name="statement">
-               <p>The organization implements <insert param-id="si-4.23_prm_1"/> at <insert param-id="si-4.23_prm_2"/>.</p>
-            </part>
-            <part id="si-4.23_gdn" name="guidance">
-               <p>Information system components where host-based monitoring can be implemented
-                  include, for example, servers, workstations, and mobile devices. Organizations
-                  consider employing host-based monitoring mechanisms from multiple information
-                  technology product developers.</p>
-            </part>
-            <part id="si-4.23_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.23_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(23)[1]</prop>
-                  <p>defines host-based monitoring mechanisms to be implemented;</p>
-               </part>
-               <part id="si-4.23_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(23)[2]</prop>
-                  <p>defines information system components where organization-defined host-based
-                     monitoring is to be implemented; and</p>
-               </part>
-               <part id="si-4.23_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(23)[3]</prop>
-                  <p>implements organization-defined host-based monitoring mechanisms at
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>host-based monitoring mechanisms</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of information system components requiring host-based monitoring</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring information system
-                     hosts</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing host-based monitoring
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.24">
-            <title>Indicators of Compromise</title>
-            <prop name="label">SI-4(24)</prop>
-            <prop name="sort-id">si-04.24</prop>
-            <part id="si-4.24_smt" name="statement">
-               <p>The information system discovers, collects, distributes, and uses indicators of
-                  compromise.</p>
-            </part>
-            <part id="si-4.24_gdn" name="guidance">
-               <p>Indicators of compromise (IOC) are forensic artifacts from intrusions that are
-                  identified on organizational information systems (at the host or network level).
-                  IOCs provide organizations with valuable information on objects or information
-                  systems that have been compromised. IOCs for the discovery of compromised hosts
-                  can include for example, the creation of registry key values. IOCs for network
-                  traffic include, for example, Universal Resource Locator (URL) or protocol
-                  elements that indicate malware command and control servers. The rapid distribution
-                  and adoption of IOCs can improve information security by reducing the time that
-                  information systems and organizations are vulnerable to the same exploit or
-                  attack.</p>
-            </part>
-            <part id="si-4.24_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="si-4.24_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(24)[1]</prop>
-                  <p>discovers indicators of compromise;</p>
-               </part>
-               <part id="si-4.24_obj.2" name="objective">
-                  <prop name="label">SI-4(24)[2]</prop>
-                  <p>collects indicators of compromise;</p>
-               </part>
-               <part id="si-4.24_obj.3" name="objective">
-                  <prop name="label">SI-4(24)[3]</prop>
-                  <p>distributes indicators of compromise; and</p>
-               </part>
-               <part id="si-4.24_obj.4" name="objective">
-                  <prop name="label">SI-4(24)[4]</prop>
-                  <p>uses indicators of compromise.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring information system
-                     hosts</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>organizational processes for discovery, collection, distribution, and use of
-                     indicators of compromise</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-                  <p>automated mechanisms supporting and/or implementing the discovery, collection,
-                     distribution, and use of indicators of compromise</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-5">
-         <title>Security Alerts, Advisories, and Directives</title>
-         <param id="si-5_prm_1">
-            <label>organization-defined external organizations</label>
-            <constraint>to include US-CERT</constraint>
-         </param>
-         <param id="si-5_prm_2">
-            <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-         </param>
-         <param id="si-5_prm_3" depends-on="si-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-5_prm_4" depends-on="si-5_prm_2">
-            <label>organization-defined elements within the organization</label>
-         </param>
-         <param id="si-5_prm_5" depends-on="si-5_prm_2">
-            <label>organization-defined external organizations</label>
-         </param>
-         <prop name="label">SI-5</prop>
-         <prop name="sort-id">si-05</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <part id="si-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receives information system security alerts, advisories, and directives from
-                     <insert param-id="si-5_prm_1"/> on an ongoing basis;</p>
-            </part>
-            <part id="si-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Disseminates security alerts, advisories, and directives to: <insert param-id="si-5_prm_2"/>; and</p>
-            </part>
-            <part id="si-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implements security directives in accordance with established time frames, or
-                  notifies the issuing organization of the degree of noncompliance.</p>
-            </part>
-         </part>
-         <part id="si-5_gdn" name="guidance">
-            <p>The United States Computer Emergency Readiness Team (US-CERT) generates security
-               alerts and advisories to maintain situational awareness across the federal
-               government. Security directives are issued by OMB or other designated organizations
-               with the responsibility and authority to issue such directives. Compliance to
-               security directives is essential due to the critical nature of many of these
-               directives and the potential immediate adverse effects on organizational operations
-               and assets, individuals, other organizations, and the Nation should the directives
-               not be implemented in a timely manner. External organizations include, for example,
-               external mission/business partners, supply chain partners, external service
-               providers, and other peer/supporting organizations.</p>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="si-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-5.a_obj" name="objective">
-               <prop name="label">SI-5(a)</prop>
-               <part id="si-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(a)[1]</prop>
-                  <p>defines external organizations from whom information system security alerts,
-                     advisories and directives are to be received;</p>
-               </part>
-               <part id="si-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(a)[2]</prop>
-                  <p>receives information system security alerts, advisories, and directives from
-                     organization-defined external organizations on an ongoing basis;</p>
-               </part>
-            </part>
-            <part id="si-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-5(b)</prop>
-               <p>generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5.c_obj" name="objective">
-               <prop name="label">SI-5(c)</prop>
-               <part id="si-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[1]</prop>
-                  <p>defines personnel or roles to whom security alerts, advisories, and directives
-                     are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[2]</prop>
-                  <p>defines elements within the organization to whom security alerts, advisories,
-                     and directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[3]</prop>
-                  <p>defines external organizations to whom security alerts, advisories, and
-                     directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(c)[4]</prop>
-                  <p>disseminates security alerts, advisories, and directives to one or more of the
-                     following:</p>
-                  <part id="si-5.c_obj.4.a" name="objective">
-                     <prop name="label">SI-5(c)[4][a]</prop>
-                     <p>organization-defined personnel or roles;</p>
-                  </part>
-                  <part id="si-5.c_obj.4.b" name="objective">
-                     <prop name="label">SI-5(c)[4][b]</prop>
-                     <p>organization-defined elements within the organization; and/or</p>
-                  </part>
-                  <part id="si-5.c_obj.4.c" name="objective">
-                     <prop name="label">SI-5(c)[4][c]</prop>
-                     <p>organization-defined external organizations; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-5.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-5(d)</prop>
-               <part id="si-5.d_obj.1" name="objective">
-                  <prop name="label">SI-5(d)[1]</prop>
-                  <p>implements security directives in accordance with established time frames;
-                     or</p>
-               </part>
-               <part id="si-5.d_obj.2" name="objective">
-                  <prop name="label">SI-5(d)[2]</prop>
-                  <p>notifies the issuing organization of the degree of noncompliance.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing security alerts, advisories, and directives</p>
-               <p>records of security alerts and advisories</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security alert and advisory responsibilities</p>
-               <p>organizational personnel implementing, operating, maintaining, and using the
-                  information system</p>
-               <p>organizational personnel, organizational elements, and/or external organizations
-                  to whom alerts, advisories, and directives are to be disseminated</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining, receiving, generating, disseminating, and
-                  complying with security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing definition, receipt,
-                  generation, and dissemination of security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing security directives</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-5.1">
-            <title>Automated Alerts and Advisories</title>
-            <prop name="label">SI-5(1)</prop>
-            <prop name="sort-id">si-05.01</prop>
-            <part id="si-5.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to make security alert and advisory
-                  information available throughout the organization.</p>
-            </part>
-            <part id="si-5.1_gdn" name="guidance">
-               <p>The significant number of changes to organizational information systems and the
-                  environments in which those systems operate requires the dissemination of
-                  security-related information to a variety of organizational entities that have a
-                  direct interest in the success of organizational missions and business functions.
-                  Based on the information provided by the security alerts and advisories, changes
-                  may be required at one or more of the three tiers related to the management of
-                  information security risk including the governance level, mission/business
-                  process/enterprise architecture level, and the information system level.</p>
-            </part>
-            <part id="si-5.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to make security alert
-                  and advisory information available throughout the organization.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing security alerts, advisories, and directives</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>automated mechanisms supporting the distribution of security alert and advisory
-                     information</p>
-                  <p>records of security alerts and advisories</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security alert and advisory responsibilities</p>
-                  <p>organizational personnel implementing, operating, maintaining, and using the
-                     information system</p>
-                  <p>organizational personnel, organizational elements, and/or external
-                     organizations to whom alerts and advisories are to be disseminated</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining, receiving, generating, and disseminating
-                     security alerts and advisories</p>
-                  <p>automated mechanisms supporting and/or implementing dissemination of security
-                     alerts and advisories</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-6">
-         <title>Security Function Verification</title>
-         <param id="si-6_prm_1">
-            <label>organization-defined security functions</label>
-         </param>
-         <param id="si-6_prm_2"/>
-         <param id="si-6_prm_3" depends-on="si-6_prm_2">
-            <label>organization-defined system transitional states</label>
-            <constraint>to include upon system startup and/or restart</constraint>
-         </param>
-         <param id="si-6_prm_4" depends-on="si-6_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <param id="si-6_prm_5">
-            <label>organization-defined personnel or roles</label>
-            <constraint>to include system administrators and security personnel</constraint>
-         </param>
-         <param id="si-6_prm_6"/>
-         <param id="si-6_prm_7" depends-on="si-6_prm_6">
-            <label>organization-defined alternative action(s)</label>
-            <constraint>to include notification of system administrators and security personnel</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-6</prop>
-         <prop name="sort-id">si-06</prop>
-         <part id="si-6_smt" name="statement">
-            <p>The information system:</p>
-            <part id="si-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Verifies the correct operation of <insert param-id="si-6_prm_1"/>;</p>
-            </part>
-            <part id="si-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Performs this verification <insert param-id="si-6_prm_2"/>;</p>
-            </part>
-            <part id="si-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Notifies <insert param-id="si-6_prm_5"/> of failed security verification tests;
-                  and</p>
-            </part>
-            <part id="si-6_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>
-                  <insert param-id="si-6_prm_6"/> when anomalies are discovered.</p>
-            </part>
-         </part>
-         <part id="si-6_gdn" name="guidance">
-            <p>Transitional states for information systems include, for example, system startup,
-               restart, shutdown, and abort. Notifications provided by information systems include,
-               for example, electronic alerts to system administrators, messages to local computer
-               consoles, and/or hardware indications such as lights.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-         </part>
-         <part id="si-6_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-6.a_obj" name="objective">
-               <prop name="label">SI-6(a)</prop>
-               <part id="si-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(a)[1]</prop>
-                  <p>the organization defines security functions to be verified for correct
-                     operation;</p>
-               </part>
-               <part id="si-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-6(a)[2]</prop>
-                  <p>the information system verifies the correct operation of organization-defined
-                     security functions;</p>
-               </part>
-            </part>
-            <part id="si-6.b_obj" name="objective">
-               <prop name="label">SI-6(b)</prop>
-               <part id="si-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(b)[1]</prop>
-                  <p>the organization defines system transitional states requiring verification of
-                     organization-defined security functions;</p>
-               </part>
-               <part id="si-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(b)[2]</prop>
-                  <p>the organization defines a frequency to verify the correct operation of
-                     organization-defined security functions;</p>
-               </part>
-               <part id="si-6.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-6(b)[3]</prop>
-                  <p>the information system performs this verification one or more of the
-                     following:</p>
-                  <part id="si-6.b_obj.3.a" name="objective">
-                     <prop name="label">SI-6(b)[3][a]</prop>
-                     <p>at organization-defined system transitional states;</p>
-                  </part>
-                  <part id="si-6.b_obj.3.b" name="objective">
-                     <prop name="label">SI-6(b)[3][b]</prop>
-                     <p>upon command by user with appropriate privilege; and/or</p>
-                  </part>
-                  <part id="si-6.b_obj.3.c" name="objective">
-                     <prop name="label">SI-6(b)[3][c]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-6.c_obj" name="objective">
-               <prop name="label">SI-6(c)</prop>
-               <part id="si-6.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(c)[1]</prop>
-                  <p>the organization defines personnel or roles to be notified of failed security
-                     verification tests;</p>
-               </part>
-               <part id="si-6.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-6(c)[2]</prop>
-                  <p>the information system notifies organization-defined personnel or roles of
-                     failed security verification tests;</p>
-               </part>
-            </part>
-            <part id="si-6.d_obj" name="objective">
-               <prop name="label">SI-6(d)</prop>
-               <part id="si-6.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(d)[1]</prop>
-                  <p>the organization defines alternative action(s) to be performed when anomalies
-                     are discovered;</p>
-               </part>
-               <part id="si-6.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-6(d)[2]</prop>
-                  <p>the information system performs one or more of the following actions when
-                     anomalies are discovered:</p>
-                  <part id="si-6.d_obj.2.a" name="objective">
-                     <prop name="label">SI-6(d)[2][a]</prop>
-                     <p>shuts the information system down;</p>
-                  </part>
-                  <part id="si-6.d_obj.2.b" name="objective">
-                     <prop name="label">SI-6(d)[2][b]</prop>
-                     <p>restarts the information system; and/or</p>
-                  </part>
-                  <part id="si-6.d_obj.2.c" name="objective">
-                     <prop name="label">SI-6(d)[2][c]</prop>
-                     <p>performs organization-defined alternative action(s).</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing security function verification</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>alerts/notifications of failed security verification tests</p>
-               <p>list of system transition states requiring security functionality verification</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security function verification responsibilities</p>
-               <p>organizational personnel implementing, operating, and maintaining the information
-                  system</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security function verification</p>
-               <p>automated mechanisms supporting and/or implementing security function verification
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-7">
-         <title>Software, Firmware, and Information Integrity</title>
-         <param id="si-7_prm_1">
-            <label>organization-defined software, firmware, and information</label>
-         </param>
-         <prop name="label">SI-7</prop>
-         <prop name="sort-id">si-07</prop>
-         <link href="#6bf8d24a-78dc-4727-a2ac-0e64d71c495c" rel="reference">NIST Special Publication 800-147</link>
-         <link href="#3878cc04-144a-483e-af62-8fe6f4ad6c7a" rel="reference">NIST Special Publication 800-155</link>
-         <part id="si-7_smt" name="statement">
-            <p>The organization employs integrity verification tools to detect unauthorized changes
-               to <insert param-id="si-7_prm_1"/>.</p>
-         </part>
-         <part id="si-7_gdn" name="guidance">
-            <p>Unauthorized changes to software, firmware, and information can occur due to errors
-               or malicious activity (e.g., tampering). Software includes, for example, operating
-               systems (with key internal components such as kernels, drivers), middleware, and
-               applications. Firmware includes, for example, the Basic Input Output System (BIOS).
-               Information includes metadata such as security attributes associated with
-               information. State-of-the-practice integrity-checking mechanisms (e.g., parity
-               checks, cyclical redundancy checks, cryptographic hashes) and associated tools can
-               automatically monitor the integrity of information systems and hosted
-               applications.</p>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="si-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-7_obj.1" name="objective">
-               <prop name="label">SI-7[1]</prop>
-               <part id="si-7_obj.1.a" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7[1][a]</prop>
-                  <p>defines software requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-               <part id="si-7_obj.1.b" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7[1][b]</prop>
-                  <p>defines firmware requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-               <part id="si-7_obj.1.c" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7[1][c]</prop>
-                  <p>defines information requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-            </part>
-            <part id="si-7_obj.2" name="objective">
-               <prop name="label">SI-7[2]</prop>
-               <p>employs integrity verification tools to detect unauthorized changes to
-                  organization-defined:</p>
-               <part id="si-7_obj.2.a" name="objective">
-                  <prop name="label">SI-7[2][a]</prop>
-                  <p>software;</p>
-               </part>
-               <part id="si-7_obj.2.b" name="objective">
-                  <prop name="label">SI-7[2][b]</prop>
-                  <p>firmware; and</p>
-               </part>
-               <part id="si-7_obj.2.c" name="objective">
-                  <prop name="label">SI-7[2][c]</prop>
-                  <p>information.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing software, firmware, and information integrity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>integrity verification tools and associated documentation</p>
-               <p>records generated/triggered from integrity verification tools regarding
-                  unauthorized software, firmware, and information changes</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for software, firmware, and/or
-                  information integrity</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Software, firmware, and information integrity verification tools</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-7.1">
-            <title>Integrity Checks</title>
-            <param id="si-7.1_prm_1">
-               <label>organization-defined software, firmware, and information</label>
-            </param>
-            <param id="si-7.1_prm_2"/>
-            <param id="si-7.1_prm_3" depends-on="si-7.1_prm_2">
-               <label>organization-defined transitional states or security-relevant events</label>
-               <constraint>selection to include security relevant events</constraint>
-            </param>
-            <param id="si-7.1_prm_4" depends-on="si-7.1_prm_2">
-               <label>organization-defined frequency</label>
-               <constraint>at least monthly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-7(1)</prop>
-            <prop name="sort-id">si-07.01</prop>
-            <part id="si-7.1_smt" name="statement">
-               <p>The information system performs an integrity check of <insert param-id="si-7.1_prm_1"/>
-                  <insert param-id="si-7.1_prm_2"/>.</p>
-            </part>
-            <part id="si-7.1_gdn" name="guidance">
-               <p>Security-relevant events include, for example, the identification of a new threat
-                  to which organizational information systems are susceptible, and the installation
-                  of new hardware, software, or firmware. Transitional states include, for example,
-                  system startup, restart, shutdown, and abort.</p>
-            </part>
-            <part id="si-7.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(1)[1]</prop>
-                  <p>the organization defines:</p>
-                  <part id="si-7.1_obj.1.a" name="objective">
-                     <prop name="label">SI-7(1)[1][a]</prop>
-                     <p>software requiring integrity checks to be performed;</p>
-                  </part>
-                  <part id="si-7.1_obj.1.b" name="objective">
-                     <prop name="label">SI-7(1)[1][b]</prop>
-                     <p>firmware requiring integrity checks to be performed;</p>
-                  </part>
-                  <part id="si-7.1_obj.1.c" name="objective">
-                     <prop name="label">SI-7(1)[1][c]</prop>
-                     <p>information requiring integrity checks to be performed;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(1)[2]</prop>
-                  <p>the organization defines transitional states or security-relevant events
-                     requiring integrity checks of organization-defined:</p>
-                  <part id="si-7.1_obj.2.a" name="objective">
-                     <prop name="label">SI-7(1)[2][a]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="si-7.1_obj.2.b" name="objective">
-                     <prop name="label">SI-7(1)[2][b]</prop>
-                     <p>firmware;</p>
-                  </part>
-                  <part id="si-7.1_obj.2.c" name="objective">
-                     <prop name="label">SI-7(1)[2][c]</prop>
-                     <p>information;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(1)[3]</prop>
-                  <p>the organization defines a frequency with which to perform an integrity check
-                     of organization-defined:</p>
-                  <part id="si-7.1_obj.3.a" name="objective">
-                     <prop name="label">SI-7(1)[3][a]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="si-7.1_obj.3.b" name="objective">
-                     <prop name="label">SI-7(1)[3][b]</prop>
-                     <p>firmware;</p>
-                  </part>
-                  <part id="si-7.1_obj.3.c" name="objective">
-                     <prop name="label">SI-7(1)[3][c]</prop>
-                     <p>information;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-7(1)[4]</prop>
-                  <p>the information system performs an integrity check of organization-defined
-                     software, firmware, and information one or more of the following:</p>
-                  <part id="si-7.1_obj.4.a" name="objective">
-                     <prop name="label">SI-7(1)[4][a]</prop>
-                     <p>at startup;</p>
-                  </part>
-                  <part id="si-7.1_obj.4.b" name="objective">
-                     <prop name="label">SI-7(1)[4][b]</prop>
-                     <p>at organization-defined transitional states or security-relevant events;
-                        and/or</p>
-                  </part>
-                  <part id="si-7.1_obj.4.c" name="objective">
-                     <prop name="label">SI-7(1)[4][c]</prop>
-                     <p>with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.2">
-            <title>Automated Notifications of Integrity Violations</title>
-            <param id="si-7.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-7(2)</prop>
-            <prop name="sort-id">si-07.02</prop>
-            <part id="si-7.2_smt" name="statement">
-               <p>The organization employs automated tools that provide notification to <insert param-id="si-7.2_prm_1"/> upon discovering discrepancies during integrity
-                  verification.</p>
-            </part>
-            <part id="si-7.2_gdn" name="guidance">
-               <p>The use of automated tools to report integrity violations and to notify
-                  organizational personnel in a timely matter is an essential precursor to effective
-                  risk response. Personnel having an interest in integrity violations include, for
-                  example, mission/business owners, information system owners, systems
-                  administrators, software developers, systems integrators, and information security
-                  officers.</p>
-            </part>
-            <part id="si-7.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(2)[1]</prop>
-                  <p>defines personnel or roles to whom notification is to be provided upon
-                     discovering discrepancies during integrity verification; and</p>
-               </part>
-               <part id="si-7.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-7(2)[2]</prop>
-                  <p>employs automated tools that provide notification to organization-defined
-                     personnel or roles upon discovering discrepancies during integrity
-                     verification.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>automated tools supporting alerts and notifications for integrity
-                     discrepancies</p>
-                  <p>alerts/notifications provided upon discovering discrepancies during integrity
-                     verifications</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms providing integrity discrepancy notifications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.5">
-            <title>Automated Response to Integrity Violations</title>
-            <param id="si-7.5_prm_1"/>
-            <param id="si-7.5_prm_2" depends-on="si-7.5_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">SI-7(5)</prop>
-            <prop name="sort-id">si-07.05</prop>
-            <part id="si-7.5_smt" name="statement">
-               <p>The information system automatically <insert param-id="si-7.5_prm_1"/> when
-                  integrity violations are discovered.</p>
-            </part>
-            <part id="si-7.5_gdn" name="guidance">
-               <p>Organizations may define different integrity checking and anomaly responses: (i)
-                  by type of information (e.g., firmware, software, user data); (ii) by specific
-                  information (e.g., boot firmware, boot firmware for a specific types of machines);
-                  or (iii) a combination of both. Automatic implementation of specific safeguards
-                  within organizational information systems includes, for example, reversing the
-                  changes, halting the information system, or triggering audit alerts when
-                  unauthorized modifications to critical security files occur.</p>
-            </part>
-            <part id="si-7.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(5)[1]</prop>
-                  <p>the organization defines security safeguards to be implemented when integrity
-                     violations are discovered;</p>
-               </part>
-               <part id="si-7.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-7(5)[2]</prop>
-                  <p>the information system automatically performs one or more of the following
-                     actions when integrity violations are discovered:</p>
-                  <part id="si-7.5_obj.2.a" name="objective">
-                     <prop name="label">SI-7(5)[2][a]</prop>
-                     <p>shuts the information system down;</p>
-                  </part>
-                  <part id="si-7.5_obj.2.b" name="objective">
-                     <prop name="label">SI-7(5)[2][b]</prop>
-                     <p>restarts the information system; and/or</p>
-                  </part>
-                  <part id="si-7.5_obj.2.c" name="objective">
-                     <prop name="label">SI-7(5)[2][c]</prop>
-                     <p>implements the organization-defined security safeguards.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>records of integrity checks and responses to integrity violations</p>
-                  <p>information audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms providing an automated response to integrity
-                     violations</p>
-                  <p>automated mechanisms supporting and/or implementing security safeguards to be
-                     implemented when integrity violations are discovered</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.7">
-            <title>Integration of Detection and Response</title>
-            <param id="si-7.7_prm_1">
-               <label>organization-defined security-relevant changes to the information
-                  system</label>
-            </param>
-            <prop name="label">SI-7(7)</prop>
-            <prop name="sort-id">si-07.07</prop>
-            <part id="si-7.7_smt" name="statement">
-               <p>The organization incorporates the detection of unauthorized <insert param-id="si-7.7_prm_1"/> into the organizational incident response
-                  capability.</p>
-            </part>
-            <part id="si-7.7_gdn" name="guidance">
-               <p>This control enhancement helps to ensure that detected events are tracked,
-                  monitored, corrected, and available for historical purposes. Maintaining
-                  historical records is important both for being able to identify and discern
-                  adversary actions over an extended period of time and for possible legal actions.
-                  Security-relevant changes include, for example, unauthorized changes to
-                  established configuration settings or unauthorized elevation of information system
-                  privileges.</p>
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#ir-5">IR-5</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="si-7.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.7_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(7)[1]</prop>
-                  <p>defines unauthorized security-relevant changes to the information system;
-                     and</p>
-               </part>
-               <part id="si-7.7_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-7(7)[2]</prop>
-                  <p>incorporates the detection of unauthorized organization-defined
-                     security-relevant changes to the information system into the organizational
-                     incident response capability.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>procedures addressing incident response</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response records</p>
-                  <p>information audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incorporating detection of unauthorized
-                     security-relevant changes into the incident response capability</p>
-                  <p>software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing incorporation of detection
-                     of unauthorized security-relevant changes into the incident response
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.14">
-            <title>Binary or Machine Executable Code</title>
-            <prop name="label">SI-7(14)</prop>
-            <prop name="sort-id">si-07.14</prop>
-            <part id="si-7.14_smt" name="statement">
-               <p>The organization:</p>
-               <part id="si-7.14_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Prohibits the use of binary or machine-executable code from sources with
-                     limited or no warranty and without the provision of source code; and</p>
-               </part>
-               <part id="si-7.14_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Provides exceptions to the source code requirement only for compelling
-                     mission/operational requirements and with the approval of the authorizing
-                     official.</p>
-               </part>
-            </part>
-            <part id="si-7.14_gdn" name="guidance">
-               <p>This control enhancement applies to all sources of binary or machine-executable
-                  code including, for example, commercial software/firmware and open source
-                  software. Organizations assess software products without accompanying source code
-                  from sources with limited or no warranty for potential security impacts. The
-                  assessments address the fact that these types of software products may be very
-                  difficult to review, repair, or extend, given that organizations, in most cases,
-                  do not have access to the original source code, and there may be no owners who
-                  could make such repairs on behalf of organizations.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="si-7.14_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.14.a_obj" name="objective">
-                  <prop name="label">SI-7(14)(a)</prop>
-                  <part id="si-7.14.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-7(14)(a)[1]</prop>
-                     <p>prohibits the use of binary or machine-executable code from sources with
-                        limited or no warranty;</p>
-                  </part>
-                  <part id="si-7.14.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-7(14)(a)[2]</prop>
-                     <p>prohibits the use of binary or machine-executable code without the provision
-                        of source code;</p>
-                  </part>
-                  <link rel="corresp" href="#si-7.14_smt.a">SI-7(14)(a)</link>
-               </part>
-               <part id="si-7.14.b_obj" name="objective">
-                  <prop name="label">SI-7(14)(b)</prop>
-                  <part id="si-7.14.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-7(14)(b)[1]</prop>
-                     <p>provides exceptions to the source code requirement only for compelling
-                        mission/operational requirements; and</p>
-                  </part>
-                  <part id="si-7.14.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-7(14)(b)[2]</prop>
-                     <p>provides exceptions to the source code requirement only with the approval of
-                        the authorizing official.</p>
-                  </part>
-                  <link rel="corresp" href="#si-7.14_smt.b">SI-7(14)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>approval records for execution of binary and machine-executable code</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>authorizing official</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing prohibition of the
-                     execution of binary or machine-executable code</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-8">
-         <title>Spam Protection</title>
-         <prop name="label">SI-8</prop>
-         <prop name="sort-id">si-08</prop>
-         <link href="#c6e95ca0-5828-420e-b095-00895b72b5e8" rel="reference">NIST Special Publication 800-45</link>
-         <part id="si-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs spam protection mechanisms at information system entry and exit points to
-                  detect and take action on unsolicited messages; and</p>
-            </part>
-            <part id="si-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates spam protection mechanisms when new releases are available in accordance
-                  with organizational configuration management policy and procedures.</p>
-            </part>
-         </part>
-         <part id="si-8_gdn" name="guidance">
-            <p>Information system entry and exit points include, for example, firewalls, electronic
-               mail servers, web servers, proxy servers, remote-access servers, workstations, mobile
-               devices, and notebook/laptop computers. Spam can be transported by different means
-               including, for example, electronic mail, electronic mail attachments, and web
-               accesses. Spam protection mechanisms include, for example, signature definitions.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="si-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SI-8(a)</prop>
-               <p>employs spam protection mechanisms:</p>
-               <part id="si-8.a_obj.1" name="objective">
-                  <prop name="label">SI-8(a)[1]</prop>
-                  <p>at information system entry points to detect unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.2" name="objective">
-                  <prop name="label">SI-8(a)[2]</prop>
-                  <p>at information system entry points to take action on unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.3" name="objective">
-                  <prop name="label">SI-8(a)[3]</prop>
-                  <p>at information system exit points to detect unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.4" name="objective">
-                  <prop name="label">SI-8(a)[4]</prop>
-                  <p>at information system exit points to take action on unsolicited messages;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-8.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-8(b)</prop>
-               <p>updates spam protection mechanisms when new releases are available in accordance
-                  with organizational configuration management policy and procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>configuration management policy and procedures (CM-1)</p>
-               <p>procedures addressing spam protection</p>
-               <p>spam protection mechanisms</p>
-               <p>records of spam protection updates</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for spam protection</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for implementing spam protection</p>
-               <p>automated mechanisms supporting and/or implementing spam protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-8.1">
-            <title>Central Management</title>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-8(1)</prop>
-            <prop name="sort-id">si-08.01</prop>
-            <part id="si-8.1_smt" name="statement">
-               <p>The organization centrally manages spam protection mechanisms.</p>
-            </part>
-            <part id="si-8.1_gdn" name="guidance">
-               <p>Central management is the organization-wide management and implementation of spam
-                  protection mechanisms. Central management includes planning, implementing,
-                  assessing, authorizing, and monitoring the organization-defined, centrally managed
-                  spam protection security controls.</p>
-               <link rel="related" href="#au-3">AU-3</link>
-               <link rel="related" href="#si-2">SI-2</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="si-8.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization centrally manages spam protection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing spam protection</p>
-                  <p>spam protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for spam protection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for central management of spam protection</p>
-                  <p>automated mechanisms supporting and/or implementing central management of spam
-                     protection</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-8.2">
-            <title>Automatic Updates</title>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-8(2)</prop>
-            <prop name="sort-id">si-08.02</prop>
-            <part id="si-8.2_smt" name="statement">
-               <p>The information system automatically updates spam protection mechanisms.</p>
-            </part>
-            <part id="si-8.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system automatically updates spam protection
-                  mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing spam protection</p>
-                  <p>spam protection mechanisms</p>
-                  <p>records of spam protection updates</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for spam protection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for spam protection</p>
-                  <p>automated mechanisms supporting and/or implementing automatic updates to spam
-                     protection mechanisms</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-10">
-         <title>Information Input Validation</title>
-         <param id="si-10_prm_1">
-            <label>organization-defined information inputs</label>
-         </param>
-         <prop name="label">SI-10</prop>
-         <prop name="sort-id">si-10</prop>
-         <part id="si-10_smt" name="statement">
-            <p>The information system checks the validity of <insert param-id="si-10_prm_1"/>.</p>
-         </part>
-         <part id="si-10_gdn" name="guidance">
-            <p>Checking the valid syntax and semantics of information system inputs (e.g., character
-               set, length, numerical range, and acceptable values) verifies that inputs match
-               specified definitions for format and content. Software applications typically follow
-               well-defined protocols that use structured messages (i.e., commands or queries) to
-               communicate between software modules or system components. Structured messages can
-               contain raw or unstructured data interspersed with metadata or control information.
-               If software applications use attacker-supplied inputs to construct structured
-               messages without properly encoding such messages, then the attacker could insert
-               malicious commands or special characters that can cause the data to be interpreted as
-               control information or metadata. Consequently, the module or component that receives
-               the tainted output will perform the wrong operations or otherwise interpret the data
-               incorrectly. Prescreening inputs prior to passing to interpreters prevents the
-               content from being unintentionally interpreted as commands. Input validation helps to
-               ensure accurate and correct inputs and prevent attacks such as cross-site scripting
-               and a variety of injection attacks.</p>
-         </part>
-         <part id="si-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SI-10[1]</prop>
-               <p>the organization defines information inputs requiring validity checks; and</p>
-            </part>
-            <part id="si-10_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-10[2]</prop>
-               <p>the information system checks the validity of organization-defined information
-                  inputs.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>access control policy and procedures</p>
-               <p>separation of duties policy and procedures</p>
-               <p>procedures addressing information input validation</p>
-               <p>documentation for automated tools and applications to verify validity of
-                  information</p>
-               <p>list of information inputs requiring validity checks</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information input validation</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing validity checks on information
-                  inputs</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-11">
-         <title>Error Handling</title>
-         <param id="si-11_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SI-11</prop>
-         <prop name="sort-id">si-11</prop>
-         <part id="si-11_smt" name="statement">
-            <p>The information system:</p>
-            <part id="si-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Generates error messages that provide information necessary for corrective actions
-                  without revealing information that could be exploited by adversaries; and</p>
-            </part>
-            <part id="si-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reveals error messages only to <insert param-id="si-11_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="si-11_gdn" name="guidance">
-            <p>Organizations carefully consider the structure/content of error messages. The extent
-               to which information systems are able to identify and handle error conditions is
-               guided by organizational policy and operational requirements. Information that could
-               be exploited by adversaries includes, for example, erroneous logon attempts with
-               passwords entered by mistake as the username, mission/business information that can
-               be derived from (if not stated explicitly by) information recorded, and personal
-               information such as account numbers, social security numbers, and credit card
-               numbers. In addition, error messages may provide a covert channel for transmitting
-               information.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#sc-31">SC-31</link>
-         </part>
-         <part id="si-11_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-11.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-11(a)</prop>
-               <p>the information system generates error messages that provide information necessary
-                  for corrective actions without revealing information that could be exploited by
-                  adversaries;</p>
-            </part>
-            <part id="si-11.b_obj" name="objective">
-               <prop name="label">SI-11(b)</prop>
-               <part id="si-11.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-11(b)[1]</prop>
-                  <p>the organization defines personnel or roles to whom error messages are to be
-                     revealed; and</p>
-               </part>
-               <part id="si-11.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-11(b)[2]</prop>
-                  <p>the information system reveals error messages only to organization-defined
-                     personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing information system error handling</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>documentation providing structure/content of error messages</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information input validation</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for error handling</p>
-               <p>automated mechanisms supporting and/or implementing error handling</p>
-               <p>automated mechanisms supporting and/or implementing management of error
-                  messages</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-12">
-         <title>Information Handling and Retention</title>
-         <prop name="label">SI-12</prop>
-         <prop name="sort-id">si-12</prop>
-         <part id="si-12_smt" name="statement">
-            <p>The organization handles and retains information within the information system and
-               information output from the system in accordance with applicable federal laws,
-               Executive Orders, directives, policies, regulations, standards, and operational
-               requirements.</p>
-         </part>
-         <part id="si-12_gdn" name="guidance">
-            <p>Information handling and retention requirements cover the full life cycle of
-               information, in some cases extending beyond the disposal of information systems. The
-               National Archives and Records Administration provides guidance on records
-               retention.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-         </part>
-         <part id="si-12_obj" name="objective">
-            <p>Determine if the organization, in accordance with applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and operational
-               requirements:</p>
-            <part id="si-12_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-12[1]</prop>
-               <p>handles information within the information system;</p>
-            </part>
-            <part id="si-12_obj.2" name="objective">
-               <prop name="label">SI-12[2]</prop>
-               <p>handles output from the information system;</p>
-            </part>
-            <part id="si-12_obj.3" name="objective">
-               <prop name="label">SI-12[3]</prop>
-               <p>retains information within the information system; and</p>
-            </part>
-            <part id="si-12_obj.4" name="objective">
-               <prop name="label">SI-12[4]</prop>
-               <p>retains output from the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  operational requirements applicable to information handling and retention</p>
-               <p>media protection policy and procedures</p>
-               <p>procedures addressing information system output handling and retention</p>
-               <p>information retention records, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information handling and
-                  retention</p>
-               <p>organizational personnel with information security responsibilities/network
-                  administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information handling and retention</p>
-               <p>automated mechanisms supporting and/or implementing information handling and
-                  retention</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-16">
-         <title>Memory Protection</title>
-         <param id="si-16_prm_1">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SI-16</prop>
-         <prop name="sort-id">si-16</prop>
-         <part id="si-16_smt" name="statement">
-            <p>The information system implements <insert param-id="si-16_prm_1"/> to protect its
-               memory from unauthorized code execution.</p>
-         </part>
-         <part id="si-16_gdn" name="guidance">
-            <p>Some adversaries launch attacks with the intent of executing code in non-executable
-               regions of memory or in memory locations that are prohibited. Security safeguards
-               employed to protect memory include, for example, data execution prevention and
-               address space layout randomization. Data execution prevention safeguards can either
-               be hardware-enforced or software-enforced with hardware providing the greater
-               strength of mechanism.</p>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="si-16_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-16_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SI-16[1]</prop>
-               <p>the organization defines security safeguards to be implemented to protect
-                  information system memory from unauthorized code execution; and</p>
-            </part>
-            <part id="si-16_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-16[2]</prop>
-               <p>the information system implements organization-defined security safeguards to
-                  protect its memory from unauthorized code execution.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing memory protection for the information system</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of security safeguards protecting information system memory from unauthorized
-                  code execution</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for memory protection</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing safeguards to protect
-                  information system memory from unauthorized code execution</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <back-matter>
-      <resource uuid="0c97e60b-325a-4efa-ba2b-90f20ccd5abc">
-         <title>5 C.F.R. 731.106</title>
-         <citation>
-            <text>Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-               731.106).</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"/>
-      </resource>
-      <resource uuid="bb61234b-46c3-4211-8c2b-9869222a720d">
-         <title>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</title>
-         <citation>
-            <text>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"/>
-      </resource>
-      <resource uuid="a4aa9645-9a8a-4b51-90a9-e223250f9a75">
-         <title>CNSS Policy 15</title>
-         <citation>
-            <text>CNSS Policy 15</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/policies.html"/>
-      </resource>
-      <resource uuid="2d8b14e9-c8b5-4d3d-8bdc-155078f3281b">
-         <title>DoD Information Assurance Vulnerability Alerts</title>
-         <citation>
-            <text>DoD Information Assurance Vulnerability Alerts</text>
-         </citation>
-      </resource>
-      <resource uuid="61081e7f-041d-4033-96a7-44a439071683">
-         <title>DoD Instruction 5200.39</title>
-         <citation>
-            <text>DoD Instruction 5200.39</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="e42b2099-3e1c-415b-952c-61c96533c12e">
-         <title>DoD Instruction 8551.01</title>
-         <citation>
-            <text>DoD Instruction 8551.01</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="e6522953-6714-435d-a0d3-140df554c186">
-         <title>DoD Instruction 8552.01</title>
-         <citation>
-            <text>DoD Instruction 8552.01</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="c5034e0c-eba6-4ecd-a541-79f0678f4ba4">
-         <title>Executive Order 13587</title>
-         <citation>
-            <text>Executive Order 13587</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"/>
-      </resource>
-      <resource uuid="56d671da-6b7b-4abf-8296-84b61980390a">
-         <title>Federal Acquisition Regulation</title>
-         <citation>
-            <text>Federal Acquisition Regulation</text>
-         </citation>
-         <rlink href="https://acquisition.gov/far"/>
-      </resource>
-      <resource uuid="023104bc-6f75-4cd5-b7d0-fc92326f8007">
-         <title>Federal Continuity Directive 1</title>
-         <citation>
-            <text>Federal Continuity Directive 1</text>
-         </citation>
-         <rlink href="http://www.fema.gov/pdf/about/offices/fcd1.pdf"/>
-      </resource>
-      <resource uuid="ba557c91-ba3e-4792-adc6-a4ae479b39ff">
-         <title>FICAM Roadmap and Implementation Guidance</title>
-         <citation>
-            <text>FICAM Roadmap and Implementation Guidance</text>
-         </citation>
-         <rlink href="http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"/>
-      </resource>
-      <resource uuid="39f9087d-7687-46d2-8eda-b6f4b7a4d8a9">
-         <title>FIPS Publication 140</title>
-         <citation>
-            <text>FIPS Publication 140</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html"/>
-      </resource>
-      <resource uuid="d715b234-9b5b-4e07-b1ed-99836727664d">
-         <title>FIPS Publication 140-2</title>
-         <citation>
-            <text>FIPS Publication 140-2</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#140-2"/>
-      </resource>
-      <resource uuid="f2dbd4ec-c413-4714-b85b-6b7184d1c195">
-         <title>FIPS Publication 197</title>
-         <citation>
-            <text>FIPS Publication 197</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#197"/>
-      </resource>
-      <resource uuid="e85cdb3f-7f0a-4083-8639-f13f70d3760b">
-         <title>FIPS Publication 199</title>
-         <citation>
-            <text>FIPS Publication 199</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#199"/>
-      </resource>
-      <resource uuid="c80c10b3-1294-4984-a4cc-d1733ca432b9">
-         <title>FIPS Publication 201</title>
-         <citation>
-            <text>FIPS Publication 201</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#201"/>
-      </resource>
-      <resource uuid="ad733a42-a7ed-4774-b988-4930c28852f3">
-         <title>HSPD-12</title>
-         <citation>
-            <text>HSPD-12</text>
-         </citation>
-         <rlink href="http://www.dhs.gov/homeland-security-presidential-directive-12"/>
-      </resource>
-      <resource uuid="4ef539ba-b767-4666-b0d3-168c53005fa3">
-         <title>http://capec.mitre.org</title>
-         <citation>
-            <text>http://capec.mitre.org</text>
-         </citation>
-         <rlink href="http://capec.mitre.org"/>
-      </resource>
-      <resource uuid="e95dd121-2733-413e-bf1e-f1eb49f20a98">
-         <title>http://checklists.nist.gov</title>
-         <citation>
-            <text>http://checklists.nist.gov</text>
-         </citation>
-         <rlink href="http://checklists.nist.gov"/>
-      </resource>
-      <resource uuid="6a1041fc-054e-4230-946b-2e6f4f3731bb">
-         <title>http://csrc.nist.gov/cryptval</title>
-         <citation>
-            <text>http://csrc.nist.gov/cryptval</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/cryptval"/>
-      </resource>
-      <resource uuid="b09d1a31-d3c9-4138-a4f4-4c63816afd7d">
-         <title>http://csrc.nist.gov/groups/STM/cmvp/index.html</title>
-         <citation>
-            <text>http://csrc.nist.gov/groups/STM/cmvp/index.html</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/groups/STM/cmvp/index.html"/>
-      </resource>
-      <resource uuid="0931209f-00ae-4132-b92c-bc645847e8f9">
-         <title>http://cve.mitre.org</title>
-         <citation>
-            <text>http://cve.mitre.org</text>
-         </citation>
-         <rlink href="http://cve.mitre.org"/>
-      </resource>
-      <resource uuid="15522e92-9192-463d-9646-6a01982db8ca">
-         <title>http://cwe.mitre.org</title>
-         <citation>
-            <text>http://cwe.mitre.org</text>
-         </citation>
-         <rlink href="http://cwe.mitre.org"/>
-      </resource>
-      <resource uuid="5ed1f4d5-1494-421b-97ed-39d3c88ab51f">
-         <title>http://fips201ep.cio.gov</title>
-         <citation>
-            <text>http://fips201ep.cio.gov</text>
-         </citation>
-         <rlink href="http://fips201ep.cio.gov"/>
-      </resource>
-      <resource uuid="85280698-0417-489d-b214-12bb935fb939">
-         <title>http://idmanagement.gov</title>
-         <citation>
-            <text>http://idmanagement.gov</text>
-         </citation>
-         <rlink href="http://idmanagement.gov"/>
-      </resource>
-      <resource uuid="275cc052-0f7f-423c-bdb6-ed503dc36228">
-         <title>http://nvd.nist.gov</title>
-         <citation>
-            <text>http://nvd.nist.gov</text>
-         </citation>
-         <rlink href="http://nvd.nist.gov"/>
-      </resource>
-      <resource uuid="bbd50dd1-54ce-4432-959d-63ea564b1bb4">
-         <title>http://www.acquisition.gov/far</title>
-         <citation>
-            <text>http://www.acquisition.gov/far</text>
-         </citation>
-         <rlink href="http://www.acquisition.gov/far"/>
-      </resource>
-      <resource uuid="9b97ed27-3dd6-4f9a-ade5-1b43e9669794">
-         <title>http://www.cnss.gov</title>
-         <citation>
-            <text>http://www.cnss.gov</text>
-         </citation>
-         <rlink href="http://www.cnss.gov"/>
-      </resource>
-      <resource uuid="3ac12e79-f54f-4a63-9f4b-ee4bcd4df604">
-         <title>http://www.dhs.gov/telecommunications-service-priority-tsp</title>
-         <citation>
-            <text>http://www.dhs.gov/telecommunications-service-priority-tsp</text>
-         </citation>
-         <rlink href="http://www.dhs.gov/telecommunications-service-priority-tsp"/>
-      </resource>
-      <resource uuid="c95a9986-3cd6-4a98-931b-ccfc56cb11e5">
-         <title>http://www.niap-ccevs.org</title>
-         <citation>
-            <text>http://www.niap-ccevs.org</text>
-         </citation>
-         <rlink href="http://www.niap-ccevs.org"/>
-      </resource>
-      <resource uuid="647b6de3-81d0-4d22-bec1-5f1333e34380">
-         <title>http://www.nsa.gov</title>
-         <citation>
-            <text>http://www.nsa.gov</text>
-         </citation>
-         <rlink href="http://www.nsa.gov"/>
-      </resource>
-      <resource uuid="a47466c4-c837-4f06-a39f-e68412a5f73d">
-         <title>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</title>
-         <citation>
-            <text>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</text>
-         </citation>
-         <rlink href="http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"/>
-      </resource>
-      <resource uuid="02631467-668b-4233-989b-3dfded2fd184">
-         <title>http://www.us-cert.gov</title>
-         <citation>
-            <text>http://www.us-cert.gov</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov"/>
-      </resource>
-      <resource uuid="6caa237b-531b-43ac-9711-d8f6b97b0377">
-         <title>ICD 704</title>
-         <citation>
-            <text>ICD 704</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="398e33fd-f404-4e5c-b90e-2d50d3181244">
-         <title>ICD 705</title>
-         <citation>
-            <text>ICD 705</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="1737a687-52fb-4008-b900-cbfa836f7b65">
-         <title>ISO/IEC 15408</title>
-         <citation>
-            <text>ISO/IEC 15408</text>
-         </citation>
-         <rlink href="http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"/>
-      </resource>
-      <resource uuid="fb5844de-ff96-47c0-b258-4f52bcc2f30d">
-         <title>National Communications Systems Directive 3-10</title>
-         <citation>
-            <text>National Communications Systems Directive 3-10</text>
-         </citation>
-      </resource>
-      <resource uuid="654f21e2-f3bc-43b2-abdc-60ab8d09744b">
-         <title>National Strategy for Trusted Identities in Cyberspace</title>
-         <citation>
-            <text>National Strategy for Trusted Identities in Cyberspace</text>
-         </citation>
-         <rlink href="http://www.nist.gov/nstic"/>
-      </resource>
-      <resource uuid="bdd2f49e-edf7-491f-a178-4487898228f3">
-         <title>NIST Interagency Report 7622</title>
-         <citation>
-            <text>NIST Interagency Report 7622</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7622"/>
-      </resource>
-      <resource uuid="9cb3d8fe-2127-48ba-821e-cdd2d7aee921">
-         <title>NIST Special Publication 800-100</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-100</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-100</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-100"/>
-      </resource>
-      <resource uuid="3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e">
-         <title>NIST Special Publication 800-111</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-111</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-111</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-111"/>
-      </resource>
-      <resource uuid="349fe082-502d-464a-aa0c-1443c6a5cf40">
-         <title>NIST Special Publication 800-113</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-113</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-113</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-113"/>
-      </resource>
-      <resource uuid="1201fcf3-afb1-4675-915a-fb4ae0435717">
-         <title>NIST Special Publication 800-114 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-114r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-114 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-114r1"/>
-      </resource>
-      <resource uuid="c4691b88-57d1-463b-9053-2d0087913f31">
-         <title>NIST Special Publication 800-115</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-115</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-115</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-115"/>
-      </resource>
-      <resource uuid="2157bb7e-192c-4eaa-877f-93ef6b0a3292">
-         <title>NIST Special Publication 800-116 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-116r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-116 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-116r1"/>
-      </resource>
-      <resource uuid="5c201b63-0768-417b-ac22-3f014e3941b2">
-         <title>NIST Special Publication 800-12 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-12r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-12 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-12r1"/>
-      </resource>
-      <resource uuid="d1a4e2a9-e512-4132-8795-5357aba29254">
-         <title>NIST Special Publication 800-121</title>
-         <citation>
-            <text>NIST Special Publication 800-121</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-121"/>
-      </resource>
-      <resource uuid="0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589">
-         <title>NIST Special Publication 800-124</title>
-         <citation>
-            <text>NIST Special Publication 800-124</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-124"/>
-      </resource>
-      <resource uuid="080f8068-5e3e-435e-9790-d22ba4722693">
-         <title>NIST Special Publication 800-128</title>
-         <citation>
-            <text>NIST Special Publication 800-128</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-128"/>
-      </resource>
-      <resource uuid="cee2c6ca-0261-4a6f-b630-e41d8ffdd82b">
-         <title>NIST Special Publication 800-137</title>
-         <citation>
-            <text>NIST Special Publication 800-137</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-137"/>
-      </resource>
-      <resource uuid="6bf8d24a-78dc-4727-a2ac-0e64d71c495c">
-         <title>NIST Special Publication 800-147</title>
-         <citation>
-            <text>NIST Special Publication 800-147</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-147"/>
-      </resource>
-      <resource uuid="3878cc04-144a-483e-af62-8fe6f4ad6c7a">
-         <title>NIST Special Publication 800-155</title>
-         <citation>
-            <text>NIST Special Publication 800-155</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-155"/>
-      </resource>
-      <resource uuid="825438c3-248d-4e30-a51e-246473ce6ada">
-         <title>NIST Special Publication 800-16</title>
-         <citation>
-            <text>NIST Special Publication 800-16</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-16"/>
-      </resource>
-      <resource uuid="8ab6bcdc-339b-4068-b45e-994814a6e187">
-         <title>NIST Special Publication 800-161</title>
-         <citation>
-            <text>NIST Special Publication 800-161</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-161"/>
-      </resource>
-      <resource uuid="6513e480-fada-4876-abba-1397084dfb26">
-         <title>NIST Special Publication 800-164</title>
-         <citation>
-            <text>NIST Special Publication 800-164</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-164"/>
-      </resource>
-      <resource uuid="9c5c9e8c-dc81-4f55-a11c-d71d7487790f">
-         <title>NIST Special Publication 800-18</title>
-         <citation>
-            <text>NIST Special Publication 800-18</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-18"/>
-      </resource>
-      <resource uuid="0a5db899-f033-467f-8631-f5a8ba971475">
-         <title>NIST Special Publication 800-23</title>
-         <citation>
-            <text>NIST Special Publication 800-23</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-23"/>
-      </resource>
-      <resource uuid="21b1ed35-56d2-40a8-bdfe-b461fffe322f">
-         <title>NIST Special Publication 800-27</title>
-         <citation>
-            <text>NIST Special Publication 800-27</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-27"/>
-      </resource>
-      <resource uuid="e716cd51-d1d5-4c6a-967a-22e9fbbc42f1">
-         <title>NIST Special Publication 800-28</title>
-         <citation>
-            <text>NIST Special Publication 800-28</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-28"/>
-      </resource>
-      <resource uuid="a466121b-f0e2-41f0-a5f9-deb0b5fe6b15">
-         <title>NIST Special Publication 800-30</title>
-         <citation>
-            <text>NIST Special Publication 800-30</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-30"/>
-      </resource>
-      <resource uuid="8f174e91-844e-4cf1-a72a-45c119a3a8dd">
-         <title>NIST Special Publication 800-32</title>
-         <citation>
-            <text>NIST Special Publication 800-32</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-32"/>
-      </resource>
-      <resource uuid="748a81b9-9cad-463f-abde-8b368167e70d">
-         <title>NIST Special Publication 800-34</title>
-         <citation>
-            <text>NIST Special Publication 800-34</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-34"/>
-      </resource>
-      <resource uuid="0c775bc3-bfc3-42c7-a382-88949f503171">
-         <title>NIST Special Publication 800-35</title>
-         <citation>
-            <text>NIST Special Publication 800-35</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-35"/>
-      </resource>
-      <resource uuid="d818efd3-db31-4953-8afa-9e76afe83ce2">
-         <title>NIST Special Publication 800-36</title>
-         <citation>
-            <text>NIST Special Publication 800-36</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-36"/>
-      </resource>
-      <resource uuid="0a0c26b6-fd44-4274-8b36-93442d49d998">
-         <title>NIST Special Publication 800-37</title>
-         <citation>
-            <text>NIST Special Publication 800-37</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-37"/>
-      </resource>
-      <resource uuid="d480aa6a-7a88-424e-a10c-ad1c7870354b">
-         <title>NIST Special Publication 800-39</title>
-         <citation>
-            <text>NIST Special Publication 800-39</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-39"/>
-      </resource>
-      <resource uuid="bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d">
-         <title>NIST Special Publication 800-40</title>
-         <citation>
-            <text>NIST Special Publication 800-40</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-40"/>
-      </resource>
-      <resource uuid="756a8e86-57d5-4701-8382-f7a40439665a">
-         <title>NIST Special Publication 800-41</title>
-         <citation>
-            <text>NIST Special Publication 800-41</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-41"/>
-      </resource>
-      <resource uuid="c6e95ca0-5828-420e-b095-00895b72b5e8">
-         <title>NIST Special Publication 800-45</title>
-         <citation>
-            <text>NIST Special Publication 800-45</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-45"/>
-      </resource>
-      <resource uuid="5309d4d0-46f8-4213-a749-e7584164e5e8">
-         <title>NIST Special Publication 800-46</title>
-         <citation>
-            <text>NIST Special Publication 800-46</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-46"/>
-      </resource>
-      <resource uuid="2711f068-734e-4afd-94ba-0b22247fbc88">
-         <title>NIST Special Publication 800-47</title>
-         <citation>
-            <text>NIST Special Publication 800-47</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-47"/>
-      </resource>
-      <resource uuid="238ed479-eccb-49f6-82ec-ab74a7a428cf">
-         <title>NIST Special Publication 800-48</title>
-         <citation>
-            <text>NIST Special Publication 800-48</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-48"/>
-      </resource>
-      <resource uuid="e12b5738-de74-4fb3-8317-a3995a8a1898">
-         <title>NIST Special Publication 800-50</title>
-         <citation>
-            <text>NIST Special Publication 800-50</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-50"/>
-      </resource>
-      <resource uuid="90c5bc98-f9c4-44c9-98b7-787422f0999c">
-         <title>NIST Special Publication 800-52</title>
-         <citation>
-            <text>NIST Special Publication 800-52</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-52"/>
-      </resource>
-      <resource uuid="cd4cf751-3312-4a55-b1a9-fad2f1db9119">
-         <title>NIST Special Publication 800-53A</title>
-         <citation>
-            <text>NIST Special Publication 800-53A</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-53A"/>
-      </resource>
-      <resource uuid="81f09e01-d0b0-4ae2-aa6a-064ed9950070">
-         <title>NIST Special Publication 800-56</title>
-         <citation>
-            <text>NIST Special Publication 800-56</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-56"/>
-      </resource>
-      <resource uuid="a6c774c0-bf50-4590-9841-2a5c1c91ac6f">
-         <title>NIST Special Publication 800-57</title>
-         <citation>
-            <text>NIST Special Publication 800-57</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-57"/>
-      </resource>
-      <resource uuid="7783f3e7-09b3-478b-9aa2-4a76dfd0ea90">
-         <title>NIST Special Publication 800-58</title>
-         <citation>
-            <text>NIST Special Publication 800-58</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-58"/>
-      </resource>
-      <resource uuid="f152844f-b1ef-4836-8729-6277078ebee1">
-         <title>NIST Special Publication 800-60</title>
-         <citation>
-            <text>NIST Special Publication 800-60</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-60"/>
-      </resource>
-      <resource uuid="be95fb85-a53f-4624-bdbb-140075500aa3">
-         <title>NIST Special Publication 800-61</title>
-         <citation>
-            <text>NIST Special Publication 800-61</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-61"/>
-      </resource>
-      <resource uuid="644f44a9-a2de-4494-9c04-cd37fba45471">
-         <title>NIST Special Publication 800-63</title>
-         <citation>
-            <text>NIST Special Publication 800-63</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-63"/>
-      </resource>
-      <resource uuid="abd950ae-092f-4b7a-b374-1c7c67fe9350">
-         <title>NIST Special Publication 800-64</title>
-         <citation>
-            <text>NIST Special Publication 800-64</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-64"/>
-      </resource>
-      <resource uuid="29fcfe59-33cd-494a-8756-5907ae3a8f92">
-         <title>NIST Special Publication 800-65</title>
-         <citation>
-            <text>NIST Special Publication 800-65</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-65"/>
-      </resource>
-      <resource uuid="84a37532-6db6-477b-9ea8-f9085ebca0fc">
-         <title>NIST Special Publication 800-70</title>
-         <citation>
-            <text>NIST Special Publication 800-70</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-70"/>
-      </resource>
-      <resource uuid="ead74ea9-4c9c-446d-9b92-bcbf0ad4b655">
-         <title>NIST Special Publication 800-73</title>
-         <citation>
-            <text>NIST Special Publication 800-73</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-73"/>
-      </resource>
-      <resource uuid="2a71298a-ee90-490e-80ff-48c967173a47">
-         <title>NIST Special Publication 800-76</title>
-         <citation>
-            <text>NIST Special Publication 800-76</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-76"/>
-      </resource>
-      <resource uuid="99f331f2-a9f0-46c2-9856-a3cbb9b89442">
-         <title>NIST Special Publication 800-77</title>
-         <citation>
-            <text>NIST Special Publication 800-77</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-77"/>
-      </resource>
-      <resource uuid="2042d97b-f7f6-4c74-84f8-981867684659">
-         <title>NIST Special Publication 800-78</title>
-         <citation>
-            <text>NIST Special Publication 800-78</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-78"/>
-      </resource>
-      <resource uuid="6af1e841-672c-46c4-b121-96f603d04be3">
-         <title>NIST Special Publication 800-81</title>
-         <citation>
-            <text>NIST Special Publication 800-81</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-81"/>
-      </resource>
-      <resource uuid="6d431fee-658f-4a0e-9f2e-a38b5d398fab">
-         <title>NIST Special Publication 800-83</title>
-         <citation>
-            <text>NIST Special Publication 800-83</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-83"/>
-      </resource>
-      <resource uuid="0243a05a-e8a3-4d51-9364-4a9d20b0dcdf">
-         <title>NIST Special Publication 800-84</title>
-         <citation>
-            <text>NIST Special Publication 800-84</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-84"/>
-      </resource>
-      <resource uuid="263823e0-a971-4b00-959d-315b26278b22">
-         <title>NIST Special Publication 800-88</title>
-         <citation>
-            <text>NIST Special Publication 800-88</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-88"/>
-      </resource>
-      <resource uuid="672fd561-b92b-4713-b9cf-6c9d9456728b">
-         <title>NIST Special Publication 800-92</title>
-         <citation>
-            <text>NIST Special Publication 800-92</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-92"/>
-      </resource>
-      <resource uuid="d1b1d689-0f66-4474-9924-c81119758dc1">
-         <title>NIST Special Publication 800-94</title>
-         <citation>
-            <text>NIST Special Publication 800-94</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-94"/>
-      </resource>
-      <resource uuid="1ebdf782-d95d-4a7b-8ec7-ee860951eced">
-         <title>NIST Special Publication 800-95</title>
-         <citation>
-            <text>NIST Special Publication 800-95</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-95"/>
-      </resource>
-      <resource uuid="6f336ecd-f2a0-4c84-9699-0491d81b6e0d">
-         <title>NIST Special Publication 800-97</title>
-         <citation>
-            <text>NIST Special Publication 800-97</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-97"/>
-      </resource>
-      <resource uuid="06dff0ea-3848-4945-8d91-e955ee69f05d">
-         <title>NSTISSI No. 7003</title>
-         <citation>
-            <text>NSTISSI No. 7003</text>
-         </citation>
-         <rlink href="http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf"/>
-      </resource>
-      <resource uuid="9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab">
-         <title>OMB Circular A-130</title>
-         <citation>
-            <text>OMB Circular A-130</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/circulars_a130_a130trans4"/>
-      </resource>
-      <resource uuid="2c5884cd-7b96-425c-862a-99877e1cf909">
-         <title>OMB Memorandum 02-01</title>
-         <citation>
-            <text>OMB Memorandum 02-01</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/memoranda_m02-01"/>
-      </resource>
-      <resource uuid="ff3bfb02-79b2-411f-8735-98dfe5af2ab0">
-         <title>OMB Memorandum 04-04</title>
-         <citation>
-            <text>OMB Memorandum 04-04</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"/>
-      </resource>
-      <resource uuid="58ad6f27-af99-429f-86a8-8bb767b014b9">
-         <title>OMB Memorandum 05-24</title>
-         <citation>
-            <text>OMB Memorandum 05-24</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf"/>
-      </resource>
-      <resource uuid="4da24a96-6cf8-435d-9d1f-c73247cad109">
-         <title>OMB Memorandum 06-16</title>
-         <citation>
-            <text>OMB Memorandum 06-16</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"/>
-      </resource>
-      <resource uuid="990268bf-f4a9-4c81-91ae-dc7d3115f4b1">
-         <title>OMB Memorandum 07-11</title>
-         <citation>
-            <text>OMB Memorandum 07-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"/>
-      </resource>
-      <resource uuid="0b3d8ba9-051f-498d-81ea-97f0f018c612">
-         <title>OMB Memorandum 07-18</title>
-         <citation>
-            <text>OMB Memorandum 07-18</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"/>
-      </resource>
-      <resource uuid="0916ef02-3618-411b-a525-565c088849a6">
-         <title>OMB Memorandum 08-22</title>
-         <citation>
-            <text>OMB Memorandum 08-22</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"/>
-      </resource>
-      <resource uuid="28115a56-da6b-4d44-b1df-51dd7f048a3e">
-         <title>OMB Memorandum 08-23</title>
-         <citation>
-            <text>OMB Memorandum 08-23</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"/>
-      </resource>
-      <resource uuid="599fe9ba-4750-4450-9eeb-b95bd19a5e8f">
-         <title>OMB Memorandum 10-06-2011</title>
-         <citation>
-            <text>OMB Memorandum 10-06-2011</text>
-         </citation>
-      </resource>
-      <resource uuid="74e740a4-c45d-49f3-a86e-eb747c549e01">
-         <title>OMB Memorandum 11-11</title>
-         <citation>
-            <text>OMB Memorandum 11-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"/>
-      </resource>
-      <resource uuid="bedb15b7-ec5c-4a68-807f-385125751fcd">
-         <title>OMB Memorandum 11-33</title>
-         <citation>
-            <text>OMB Memorandum 11-33</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"/>
-      </resource>
-      <resource uuid="dd2f5acd-08f1-435a-9837-f8203088dc1a">
-         <title>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-            (E-PACS)</title>
-         <citation>
-            <text>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-               (E-PACS)</text>
-         </citation>
-      </resource>
-      <resource uuid="8ade2fbe-e468-4ca8-9a40-54d7f23c32bb">
-         <title>US-CERT Technical Cyber Security Alerts</title>
-         <citation>
-            <text>US-CERT Technical Cyber Security Alerts</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov/ncas/alerts"/>
-      </resource>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml"
-                href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</catalog>
diff --git a/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml b/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
deleted file mode 100644
index e3e4565bfa..0000000000
--- a/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
+++ /dev/null
@@ -1,9689 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="b11dba1c-0c68-4724-9eaf-02de2d5bbb89">
-   
-   <metadata>
-      <title>FedRAMP High Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-      
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage" />
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#ad005eae-cc63-4e64-9109-3905a9a825e4">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-2.1"/>
-         <call control-id="ac-2.2"/>
-         <call control-id="ac-2.3"/>
-         <call control-id="ac-2.4"/>
-         <call control-id="ac-2.5"/>
-         <call control-id="ac-2.7"/>
-         <call control-id="ac-2.9"/>
-         <call control-id="ac-2.10"/>
-         <call control-id="ac-2.11"/>
-         <call control-id="ac-2.12"/>
-         <call control-id="ac-2.13"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-4"/>
-         <call control-id="ac-4.8"/>
-         <call control-id="ac-4.21"/>
-         <call control-id="ac-5"/>
-         <call control-id="ac-6"/>
-         <call control-id="ac-6.1"/>
-         <call control-id="ac-6.2"/>
-         <call control-id="ac-6.3"/>
-         <call control-id="ac-6.5"/>
-         <call control-id="ac-6.7"/>
-         <call control-id="ac-6.8"/>
-         <call control-id="ac-6.9"/>
-         <call control-id="ac-6.10"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-7.2"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-10"/>
-         <call control-id="ac-11"/>
-         <call control-id="ac-11.1"/>
-         <call control-id="ac-12"/>
-         <call control-id="ac-12.1"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-17.1"/>
-         <call control-id="ac-17.2"/>
-         <call control-id="ac-17.3"/>
-         <call control-id="ac-17.4"/>
-         <call control-id="ac-17.9"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-18.1"/>
-         <call control-id="ac-18.3"/>
-         <call control-id="ac-18.4"/>
-         <call control-id="ac-18.5"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-19.5"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-20.1"/>
-         <call control-id="ac-20.2"/>
-         <call control-id="ac-21"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-2.2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-3.3"/>
-         <call control-id="at-3.4"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-2.3"/>
-         <call control-id="au-3"/>
-         <call control-id="au-3.1"/>
-         <call control-id="au-3.2"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-5.1"/>
-         <call control-id="au-5.2"/>
-         <call control-id="au-6"/>
-         <call control-id="au-6.1"/>
-         <call control-id="au-6.3"/>
-         <call control-id="au-6.4"/>
-         <call control-id="au-6.5"/>
-         <call control-id="au-6.6"/>
-         <call control-id="au-6.7"/>
-         <call control-id="au-6.10"/>
-         <call control-id="au-7"/>
-         <call control-id="au-7.1"/>
-         <call control-id="au-8"/>
-         <call control-id="au-8.1"/>
-         <call control-id="au-9"/>
-         <call control-id="au-9.2"/>
-         <call control-id="au-9.3"/>
-         <call control-id="au-9.4"/>
-         <call control-id="au-10"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="au-12.1"/>
-         <call control-id="au-12.3"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-2.2"/>
-         <call control-id="ca-2.3"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-3.3"/>
-         <call control-id="ca-3.5"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-7.1"/>
-         <call control-id="ca-7.3"/>
-         <call control-id="ca-8"/>
-         <call control-id="ca-8.1"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-2.1"/>
-         <call control-id="cm-2.2"/>
-         <call control-id="cm-2.3"/>
-         <call control-id="cm-2.7"/>
-         <call control-id="cm-3"/>
-         <call control-id="cm-3.1"/>
-         <call control-id="cm-3.2"/>
-         <call control-id="cm-3.4"/>
-         <call control-id="cm-3.6"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-4.1"/>
-         <call control-id="cm-5"/>
-         <call control-id="cm-5.1"/>
-         <call control-id="cm-5.2"/>
-         <call control-id="cm-5.3"/>
-         <call control-id="cm-5.5"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-6.1"/>
-         <call control-id="cm-6.2"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-7.1"/>
-         <call control-id="cm-7.2"/>
-         <call control-id="cm-7.5"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-8.1"/>
-         <call control-id="cm-8.2"/>
-         <call control-id="cm-8.3"/>
-         <call control-id="cm-8.4"/>
-         <call control-id="cm-8.5"/>
-         <call control-id="cm-9"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-10.1"/>
-         <call control-id="cm-11"/>
-         <call control-id="cm-11.1"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-2.1"/>
-         <call control-id="cp-2.2"/>
-         <call control-id="cp-2.3"/>
-         <call control-id="cp-2.4"/>
-         <call control-id="cp-2.5"/>
-         <call control-id="cp-2.8"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-3.1"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-4.1"/>
-         <call control-id="cp-4.2"/>
-         <call control-id="cp-6"/>
-         <call control-id="cp-6.1"/>
-         <call control-id="cp-6.2"/>
-         <call control-id="cp-6.3"/>
-         <call control-id="cp-7"/>
-         <call control-id="cp-7.1"/>
-         <call control-id="cp-7.2"/>
-         <call control-id="cp-7.3"/>
-         <call control-id="cp-7.4"/>
-         <call control-id="cp-8"/>
-         <call control-id="cp-8.1"/>
-         <call control-id="cp-8.2"/>
-         <call control-id="cp-8.3"/>
-         <call control-id="cp-8.4"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-9.1"/>
-         <call control-id="cp-9.2"/>
-         <call control-id="cp-9.3"/>
-         <call control-id="cp-9.5"/>
-         <call control-id="cp-10"/>
-         <call control-id="cp-10.2"/>
-         <call control-id="cp-10.4"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.2"/>
-         <call control-id="ia-2.3"/>
-         <call control-id="ia-2.4"/>
-         <call control-id="ia-2.5"/>
-         <call control-id="ia-2.8"/>
-         <call control-id="ia-2.9"/>
-         <call control-id="ia-2.11"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-3"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-4.4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.2"/>
-         <call control-id="ia-5.3"/>
-         <call control-id="ia-5.4"/>
-         <call control-id="ia-5.6"/>
-         <call control-id="ia-5.7"/>
-         <call control-id="ia-5.8"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-5.13"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-2.1"/>
-         <call control-id="ir-2.2"/>
-         <call control-id="ir-3"/>
-         <call control-id="ir-3.2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-4.1"/>
-         <call control-id="ir-4.2"/>
-         <call control-id="ir-4.3"/>
-         <call control-id="ir-4.4"/>
-         <call control-id="ir-4.6"/>
-         <call control-id="ir-4.8"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-5.1"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-6.1"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-7.1"/>
-         <call control-id="ir-7.2"/>
-         <call control-id="ir-8"/>
-         <call control-id="ir-9"/>
-         <call control-id="ir-9.1"/>
-         <call control-id="ir-9.2"/>
-         <call control-id="ir-9.3"/>
-         <call control-id="ir-9.4"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-2.2"/>
-         <call control-id="ma-3"/>
-         <call control-id="ma-3.1"/>
-         <call control-id="ma-3.2"/>
-         <call control-id="ma-3.3"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-4.2"/>
-         <call control-id="ma-4.3"/>
-         <call control-id="ma-4.6"/>
-         <call control-id="ma-5"/>
-         <call control-id="ma-5.1"/>
-         <call control-id="ma-6"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-3"/>
-         <call control-id="mp-4"/>
-         <call control-id="mp-5"/>
-         <call control-id="mp-5.4"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-6.1"/>
-         <call control-id="mp-6.2"/>
-         <call control-id="mp-6.3"/>
-         <call control-id="mp-7"/>
-         <call control-id="mp-7.1"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-3.1"/>
-         <call control-id="pe-4"/>
-         <call control-id="pe-5"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-6.1"/>
-         <call control-id="pe-6.4"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-8.1"/>
-         <call control-id="pe-9"/>
-         <call control-id="pe-10"/>
-         <call control-id="pe-11"/>
-         <call control-id="pe-11.1"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-13.1"/>
-         <call control-id="pe-13.2"/>
-         <call control-id="pe-13.3"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-14.2"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-15.1"/>
-         <call control-id="pe-16"/>
-         <call control-id="pe-17"/>
-         <call control-id="pe-18"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-2.3"/>
-         <call control-id="pl-4"/>
-         <call control-id="pl-4.1"/>
-         <call control-id="pl-8"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-3.3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-4.2"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="ra-5.1"/>
-         <call control-id="ra-5.2"/>
-         <call control-id="ra-5.3"/>
-         <call control-id="ra-5.4"/>
-         <call control-id="ra-5.5"/>
-         <call control-id="ra-5.6"/>
-         <call control-id="ra-5.8"/>
-         <call control-id="ra-5.10"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.1"/>
-         <call control-id="sa-4.2"/>
-         <call control-id="sa-4.8"/>
-         <call control-id="sa-4.9"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-8"/>
-         <call control-id="sa-9"/>
-         <call control-id="sa-9.1"/>
-         <call control-id="sa-9.2"/>
-         <call control-id="sa-9.4"/>
-         <call control-id="sa-9.5"/>
-         <call control-id="sa-10"/>
-         <call control-id="sa-10.1"/>
-         <call control-id="sa-11"/>
-         <call control-id="sa-11.1"/>
-         <call control-id="sa-11.2"/>
-         <call control-id="sa-11.8"/>
-         <call control-id="sa-12"/>
-         <call control-id="sa-15"/>
-         <call control-id="sa-16"/>
-         <call control-id="sa-17"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-2"/>
-         <call control-id="sc-3"/>
-         <call control-id="sc-4"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-6"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-7.3"/>
-         <call control-id="sc-7.4"/>
-         <call control-id="sc-7.5"/>
-         <call control-id="sc-7.7"/>
-         <call control-id="sc-7.8"/>
-         <call control-id="sc-7.10"/>
-         <call control-id="sc-7.12"/>
-         <call control-id="sc-7.13"/>
-         <call control-id="sc-7.18"/>
-         <call control-id="sc-7.20"/>
-         <call control-id="sc-7.21"/>
-         <call control-id="sc-8"/>
-         <call control-id="sc-8.1"/>
-         <call control-id="sc-10"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-12.1"/>
-         <call control-id="sc-12.2"/>
-         <call control-id="sc-12.3"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-17"/>
-         <call control-id="sc-18"/>
-         <call control-id="sc-19"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-23"/>
-         <call control-id="sc-23.1"/>
-         <call control-id="sc-24"/>
-         <call control-id="sc-28"/>
-         <call control-id="sc-28.1"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-2.1"/>
-         <call control-id="si-2.2"/>
-         <call control-id="si-2.3"/>
-         <call control-id="si-3"/>
-         <call control-id="si-3.1"/>
-         <call control-id="si-3.2"/>
-         <call control-id="si-3.7"/>
-         <call control-id="si-4"/>
-         <call control-id="si-4.1"/>
-         <call control-id="si-4.2"/>
-         <call control-id="si-4.4"/>
-         <call control-id="si-4.5"/>
-         <call control-id="si-4.11"/>
-         <call control-id="si-4.14"/>
-         <call control-id="si-4.16"/>
-         <call control-id="si-4.18"/>
-         <call control-id="si-4.19"/>
-         <call control-id="si-4.20"/>
-         <call control-id="si-4.22"/>
-         <call control-id="si-4.23"/>
-         <call control-id="si-4.24"/>
-         <call control-id="si-5"/>
-         <call control-id="si-5.1"/>
-         <call control-id="si-6"/>
-         <call control-id="si-7"/>
-         <call control-id="si-7.1"/>
-         <call control-id="si-7.2"/>
-         <call control-id="si-7.5"/>
-         <call control-id="si-7.7"/>
-         <call control-id="si-7.14"/>
-         <call control-id="si-8"/>
-         <call control-id="si-8.1"/>
-         <call control-id="si-8.2"/>
-         <call control-id="si-10"/>
-         <call control-id="si-11"/>
-         <call control-id="si-12"/>
-         <call control-id="si-16"/>
-      </include>
-   </import>
-   <merge>
-      <combine method="keep"/>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <set-parameter param-id="ac-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2_prm_4">
-         <constraint>monthly for privileged accessed, every six (6) months for non-privileged access</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.2_prm_1">
-         <constraint>Selection: disables</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.2_prm_2">
-         <constraint>24 hours from last use</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.3_prm_1">
-         <constraint>35 days for user accounts</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.4_prm_1">
-         <constraint>organization and/or service provider system owner</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.5_prm_1">
-         <constraint>inactivity is anticipated to exceed Fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.7_prm_1">
-         <constraint>disables/revokes access within a organization-specified timeframe</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.9_prm_1">
-         <constraint>organization-defined need with justification statement that explains why such accounts are necessary</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.12_prm_2">
-         <constraint>at a minimum, the ISSO and/or similar role within the organization</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.13_prm_1">
-         <constraint>one (1) hour</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.1_prm_1">
-         <constraint>all functions not publicly accessible and all security-relevant information not publicly available</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.2_prm_1">
-         <constraint>all security functions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.3_prm_1">
-         <constraint>all privileged commands</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.7_prm_1">
-         <constraint>at a minimum, annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.7_prm_2">
-         <constraint>all users with privileges</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.8_prm_1">
-         <constraint>any software except software explicitly documented</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_1">
-         <constraint>not more than three (3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_2">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_4">
-         <constraint>locks the account/node for a minimum of three (3) hours or until unlocked by an administrator</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7.2_prm_1">
-         <constraint>mobile devices as defined by organization policy</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7.2_prm_3">
-         <constraint>three (3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_1">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_2">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-10_prm_2">
-         <constraint>three (3) sessions for privileged access and two (2) sessions for non-privileged access</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-11_prm_1">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-17.9_prm_1">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-22_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_2">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-3_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-3.4_prm_1">
-         <constraint>malicious code indicators as defined by organization incident policy/capability.</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-4_prm_1">
-         <constraint>five (5) years or 5 years after completion of a specific training program</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_1">
-         <constraint>successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_2">
-         <constraint>organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2.3_prm_1">
-         <constraint>annually or whenever there is a change in the threat environment</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-3.1_prm_1">
-         <constraint>session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-3.2_prm_1">
-         <constraint>all network, data storage, and computing devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5_prm_2">
-         <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5.2_prm_1">
-         <constraint>real-time</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5.2_prm_2">
-         <constraint>service provider personnel with authority to address failed audit events</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5.2_prm_3">
-         <constraint>audit failure events requiring real-time alerts, as defined by organization audit policy</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6.5_prm_2">
-         <constraint>Possibly to include penetration test data.</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6.7_prm_1">
-         <constraint>information system process; role; user</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8_prm_1">
-         <constraint>one second granularity of time measurement</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8.1_prm_1">
-         <constraint>At least hourly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8.1_prm_2">
-         <constraint>http://tf.nist.gov/tf-cgi/servers.cgi</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-9.2_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-10_prm_1">
-         <constraint>minimum actions including the addition, modification, deletion, approval, sending, or receiving of data</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-11_prm_1">
-         <constraint>at least one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12_prm_1">
-         <constraint>all information system and network components where audit capability is deployed/available</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12.1_prm_1">
-         <constraint>all network, data storage, and computing devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12.3_prm_1">
-         <constraint>service provider-defined individuals or roles with audit configuration responsibilities</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12.3_prm_2">
-         <constraint>all network, data storage, and computing devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_2">
-         <constraint>individuals or roles to include FedRAMP PMO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_1">
-         <constraint>any FedRAMP Accredited 3PAO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_2">
-         <constraint>any FedRAMP Accredited 3PAO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_3">
-         <constraint>the conditions of the JAB/AO in the FedRAMP Repository</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3_prm_1">
-         <constraint>At least annually and on input from FedRAMP</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3.3_prm_2">
-         <constraint>boundary protections which meet the Trusted Internet Connection (TIC) requirements</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3.5_prm_1">
-         <constraint>deny-all, permit by exception</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3.5_prm_2">
-         <constraint>any systems</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-5_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-6_prm_1">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_4">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_5">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-8_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.1_prm_1">
-         <constraint>at least annually or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.1_prm_2">
-         <constraint>to include when directed by the JAB</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.3_prm_1">
-         <constraint>organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-3.1_prm_2">
-         <constraint>organization agreed upon time period</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-3.1_prm_3">
-         <constraint>organization defined configuration management approval authorities</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-3.4_prm_1">
-         <constraint>Configuration control board (CCB) or similar (as defined in CM-3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-3.6_prm_1">
-         <constraint>All security safeguards that rely on cryptography</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-5.2_prm_1">
-         <constraint>at least every thirty (30) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-5.5_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-6_prm_1">
-         <guideline>
-            <p>See CM-6(a) Additional FedRAMP Requirements and Guidance</p>
-         </guideline>
-      </set-parameter>
-      <set-parameter param-id="cm-7_prm_1">
-         <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7.1_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7.5_prm_2">
-         <constraint>at least quarterly or when there is a change</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8.3_prm_1">
-         <constraint>Continuously, using automated mechanisms with a maximum five-minute delay in detection.</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8.4_prm_1">
-         <constraint>position and role</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-11_prm_3">
-         <constraint>Continuously (via CM-7 (5))</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-2_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-2.4_prm_1">
-         <constraint>time period defined in service provider and organization SLA</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_1">
-         <constraint>ten (10) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_2">
-         <constraint>functional exercises</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-8.4_prm_1">
-         <constraint>annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_1">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_2">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_3">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9.1_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9.5_prm_1">
-         <constraint>time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-10.4_prm_1">
-         <constraint>time period consistent with the restoration time-periods defined in the service provider and organization SLA</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-2.11_prm_1">
-         <constraint>FIPS 140-2, NIAP Certification, or NSA approval</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_1">
-         <constraint>at a minimum, the ISSO (or similar role within the organization)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_2">
-         <constraint>at least two (2) years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_3">
-         <constraint>thirty-five (35) days (See additional requirements and guidance.)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4.4_prm_1">
-         <constraint>contractors; foreign nationals]</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_2">
-         <constraint>at least fifty percent (50%)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_4">
-         <constraint>twenty four (24)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.3_prm_1">
-         <constraint>All hardware/biometric (multifactor authenticators)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.3_prm_2">
-         <constraint>in person</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.4_prm_1">
-         <constraint>complexity as identified in IA-5 (1) Control Enhancement Part (a)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.8_prm_1">
-         <constraint>different authenticators on different systems</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-2_prm_1">
-         <constraint>within ten (10) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-3_prm_1">
-         <constraint>at least every six (6) months</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-4.2_prm_1">
-         <constraint>all network, data storage, and computing devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-4.8_prm_1">
-         <constraint>external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-6_prm_1">
-         <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_2">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_4">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-9.2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-3.3_prm_1">
-         <constraint>the information owner explicitly authorizing removal of the equipment from the facility</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-2_prm_1">
-         <constraint>any digital and non-digital media deemed sensitive</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-3_prm_1">
-         <constraint>no removable media types</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-3_prm_2">
-         <constraint>organization-defined security safeguards not applicable</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-4_prm_1">
-         <constraint>all types of digital and non-digital media with sensitive information</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-4_prm_2">
-         <constraint>see additional FedRAMP requirements and guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-5_prm_1">
-         <constraint>all media with sensitive information</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-5_prm_2">
-         <constraint>prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-6_prm_2">
-         <constraint>techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-6.2_prm_1">
-         <constraint>at least every six (6) months</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-2_prm_1">
-         <constraint>at least every ninety (90) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_2">
-         <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_3">
-         <constraint>CSP defined physical access control systems/devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_6">
-         <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_8">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_9">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-6_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_1">
-         <constraint>for a minimum of one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-13.1_prm_1">
-         <constraint>service provider building maintenance/physical security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-13.1_prm_2">
-         <constraint>service provider emergency responders with incident response responsibilities</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_1">
-         <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_2">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-15.1_prm_1">
-         <constraint>service provider building maintenance/physical security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-16_prm_1">
-         <constraint>all information system components</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-18_prm_1">
-         <constraint>physical and environmental hazards identified during threat assessment</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-4_prm_1">
-         <constraint>annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-8_prm_1">
-         <constraint>at least annually or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3_prm_1">
-         <constraint>for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3.3_prm_1">
-         <constraint>personnel screening criteria - as required by specific information</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-4_prm_1">
-         <constraint>eight (8) hours</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-4.2_prm_1">
-         <constraint>access control personnel responsible for disabling access to the system</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-5_prm_2">
-         <constraint>twenty-four (24) hours</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-5_prm_4">
-         <constraint>twenty-four (24) hours</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_2">
-         <constraint>at least annually and any time there is a change to the user's level of access</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-7_prm_2">
-         <constraint>terminations: immediately; transfers: within twenty-four (24) hours</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-8_prm_1">
-         <constraint>at a minimum, the ISSO and/or similar role within the organization</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_2">
-         <constraint>security assessment report</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_5">
-         <constraint>annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_1">
-         <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_2">
-         <constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.2_prm_1">
-         <constraint>prior to a new scan</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.4_prm_1">
-         <constraint>notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.5_prm_1">
-         <constraint>operating systems / web applications / databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.5_prm_2">
-         <constraint>all scans</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-4.2_prm_1">
-         <constraint>at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-4.8_prm_1">
-         <constraint>at least the minimum requirement as defined in control CA-7</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-5_prm_2">
-         <constraint>at a minimum, the ISSO (or similar role within the organization)</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_1">
-         <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_2">
-         <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.2_prm_1">
-         <constraint>all external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.4_prm_2">
-         <constraint>all external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.5_prm_1">
-         <constraint>information processing, information data, AND information services</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.5_prm_2">
-         <constraint>U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.5_prm_3">
-         <constraint>all High Impact Data, Systems, or Services</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-10_prm_1">
-         <constraint>development, implementation, AND operation</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-12_prm_1">
-         <constraint>organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-15_prm_1">
-         <constraint>as needed and as dictated by the current threat posture</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-15_prm_2">
-         <constraint>organization and service provider- defined security requirements</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-7.4_prm_1">
-         <constraint>at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-7.12_prm_1">
-         <constraint>Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8_prm_1">
-         <constraint>confidentiality AND integrity</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8.1_prm_1">
-         <constraint>prevent unauthorized disclosure of information AND detect changes to information</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8.1_prm_2">
-         <constraint>a hardened or alarmed carrier Protective Distribution System (PDS)</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-10_prm_1">
-         <constraint>no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-12.2_prm_1">
-         <constraint>NIST FIPS-compliant</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-13_prm_1">
-         <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-15_prm_1">
-         <constraint>no exceptions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-28_prm_1">
-         <constraint>confidentiality AND integrity</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-28.1_prm_2">
-         <constraint>all information system components storing customer data deemed sensitive</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2_prm_1">
-         <constraint>thirty (30) days of release of updates</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2.2_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_2">
-         <constraint>to include endpoints</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_3">
-         <constraint>to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-4.4_prm_1">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_1">
-         <constraint>to include US-CERT</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_2">
-         <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_3">
-         <constraint>to include upon system startup and/or restart</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_4">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_5">
-         <constraint>to include system administrators and security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_7">
-         <constraint>to include notification of system administrators and security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-7.1_prm_3">
-         <constraint>selection to include security relevant events</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-7.1_prm_4">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <alter control-id="ac-1">
-         <add position="starting" id-ref="ac-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-10">
-         <add position="starting" id-ref="ac-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-10_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11">
-         <add position="starting" id-ref="ac-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-11.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11.1">
-         <add position="starting" id-ref="ac-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-12">
-         <add position="starting" id-ref="ac-12">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-12.1">
-         <add position="ending" id-ref="ac-12.1_smt">
-            <part id="ac-12.1_fr" name="item">
-               <title>AC-12 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-12.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-12.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-12.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-12.1.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting" id-ref="ac-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting" id-ref="ac-17">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.1">
-         <add position="starting" id-ref="ac-17.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.2">
-         <add position="starting" id-ref="ac-17.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.3">
-         <add position="starting" id-ref="ac-17.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.4">
-         <add position="starting" id-ref="ac-17.4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.9">
-         <add position="starting" id-ref="ac-17.9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.9_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting" id-ref="ac-18">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.1">
-         <add position="starting" id-ref="ac-18.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.3">
-         <add position="starting" id-ref="ac-18.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.4">
-         <add position="starting" id-ref="ac-18.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.5">
-         <add position="starting" id-ref="ac-18.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting" id-ref="ac-19">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19.5">
-         <add position="starting" id-ref="ac-19.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting" id-ref="ac-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.i_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.k_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.1">
-         <add position="starting" id-ref="ac-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.10">
-         <add position="ending" id-ref="ac-2.10_smt">
-            <part id="ac-2.10_fr" name="item">
-               <title>AC-2 (10) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.10_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Required if shared/group accounts are deployed</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.11">
-         <add position="starting" id-ref="ac-2.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.11_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.12">
-         <add position="ending" id-ref="ac-2.12_smt">
-            <part id="ac-2.12_fr" name="item">
-               <title>AC-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) Guidance:</prop>
-                  <p>Required for privileged accounts.</p>
-               </part>
-               <part id="ac-2.12_fr_gdn.2" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Required for privileged accounts.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.12">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.13">
-         <add position="starting" id-ref="ac-2.13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.2">
-         <add position="starting" id-ref="ac-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.3">
-         <add position="ending" id-ref="ac-2.3_smt">
-            <part id="ac-2.3_fr" name="item">
-               <title>AC-2 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.3_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.4">
-         <add position="starting" id-ref="ac-2.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.5">
-         <add position="ending" id-ref="ac-2.5_smt">
-            <part id="ac-2.5_fr" name="item">
-               <title>AC-2 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Should use a shorter timeframe than AC-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.7">
-         <add position="starting" id-ref="ac-2.7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.9">
-         <add position="ending" id-ref="ac-2.9_smt">
-            <part id="ac-2.9_fr" name="item">
-               <title>AC-2 (9) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.9_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Required if shared/group accounts are deployed</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.9_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting" id-ref="ac-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20.1">
-         <add position="starting" id-ref="ac-20.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20.2">
-         <add position="starting" id-ref="ac-20.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-21">
-         <add position="starting" id-ref="ac-21.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting" id-ref="ac-22">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-22.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting" id-ref="ac-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4">
-         <add position="starting" id-ref="ac-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4.21">
-         <add position="starting" id-ref="ac-4.21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4.8">
-         <add position="starting" id-ref="ac-4.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-5">
-         <add position="ending" id-ref="ac-5_smt">
-            <part id="ac-5_fr" name="item">
-               <title>AC-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6">
-         <add position="starting" id-ref="ac-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.1">
-         <add position="starting" id-ref="ac-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.10">
-         <add position="starting" id-ref="ac-6.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.2">
-         <add position="ending" id-ref="ac-6.2_smt">
-            <part id="ac-6.2_fr" name="item">
-               <title>AC-6 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-6.2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.3">
-         <add position="starting" id-ref="ac-6.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.5">
-         <add position="starting" id-ref="ac-6.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.7">
-         <add position="starting" id-ref="ac-6.7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.8">
-         <add position="starting" id-ref="ac-6.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.9">
-         <add position="starting" id-ref="ac-6.9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-6.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting" id-ref="ac-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7.2">
-         <add position="starting" id-ref="ac-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="ending" id-ref="ac-8_smt">
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting" id-ref="at-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting" id-ref="at-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2.2">
-         <add position="starting" id-ref="at-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting" id-ref="at-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3.3">
-         <add position="starting" id-ref="at-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3.4">
-         <add position="starting" id-ref="at-3.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-3.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting" id-ref="at-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting" id-ref="au-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="au-10">
-         <add position="starting" id-ref="au-10.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="ending" id-ref="au-11_smt">
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting" id-ref="au-12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12.1">
-         <add position="starting" id-ref="au-12.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12.3">
-         <add position="starting" id-ref="au-12.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.3_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="ending" id-ref="au-2_smt">
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2.3">
-         <add position="ending" id-ref="au-2.3_smt">
-            <part id="au-2.3_fr" name="item">
-               <title>AU-2 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting" id-ref="au-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3.1">
-         <add position="ending" id-ref="au-3.1_smt">
-            <part id="au-3.1_fr" name="item">
-               <title>AU-3 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-3.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines audit record types <em>[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]</em>.  The audit record types are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="au-3.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-3.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-3.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3.2">
-         <add position="starting" id-ref="au-3.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-3.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting" id-ref="au-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting" id-ref="au-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5.1">
-         <add position="starting" id-ref="au-5.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.1_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5.2">
-         <add position="starting" id-ref="au-5.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="ending" id-ref="au-6_smt">
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.1">
-         <add position="starting" id-ref="au-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.10">
-         <add position="starting" id-ref="au-6.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.3">
-         <add position="starting" id-ref="au-6.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.4">
-         <add position="starting" id-ref="au-6.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.5">
-         <add position="starting" id-ref="au-6.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-6.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.6">
-         <add position="ending" id-ref="au-6.6_smt">
-            <part id="au-6.6_fr" name="item">
-               <title>AU-6 (6) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6.6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-6.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.7">
-         <add position="starting" id-ref="au-6.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7">
-         <add position="starting" id-ref="au-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7.1">
-         <add position="starting" id-ref="au-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting" id-ref="au-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8.1">
-         <add position="ending" id-ref="au-8.1_smt">
-            <part id="au-8.1_fr" name="item">
-               <title>AU-8 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-8.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
-               </part>
-               <part id="au-8.1_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
-               </part>
-               <part id="au-8.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Synchronization of system clocks improves the accuracy of log analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-8.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting" id-ref="au-9.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.2">
-         <add position="starting" id-ref="au-9.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.3">
-         <add position="starting" id-ref="au-9.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.4">
-         <add position="starting" id-ref="au-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting" id-ref="ca-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="ending" id-ref="ca-2_smt">
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.1">
-         <add position="ending" id-ref="ca-2.1_smt">
-            <part id="ca-2.1_fr" name="item">
-               <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.2">
-         <add position="ending" id-ref="ca-2.2_smt">
-            <part id="ca-2.2_fr" name="item">
-               <title>CA-2 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>To include 'announced', 'vulnerability scanning'</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.3">
-         <add position="starting" id-ref="ca-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting" id-ref="ca-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3.3">
-         <add position="ending" id-ref="ca-3.3_smt">
-            <part id="ca-3.3_fr" name="item">
-               <title>CA-3 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-3.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3.5">
-         <add position="ending" id-ref="ca-3.5_smt">
-            <part id="ca-3.5_fr" name="item">
-               <title>CA-3 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-3.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-3.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="ending" id-ref="ca-5_smt">
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="ending" id-ref="ca-6_smt">
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="ending" id-ref="ca-7_smt">
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7.1">
-         <add position="starting" id-ref="ca-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7.3">
-         <add position="starting" id-ref="ca-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8">
-         <add position="ending" id-ref="ca-8_smt">
-            <part id="ca-8_fr" name="item">
-               <title>CA-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance <a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8.1">
-         <add position="starting" id-ref="ca-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting" id-ref="ca-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting" id-ref="cm-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting" id-ref="cm-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10.1">
-         <add position="starting" id-ref="cm-10.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting" id-ref="cm-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11.1">
-         <add position="starting" id-ref="cm-11.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting" id-ref="cm-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.1">
-         <add position="ending" id-ref="cm-2.1_smt">
-            <part id="cm-2.1_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-2.1_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-2.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-2.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.2">
-         <add position="starting" id-ref="cm-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.3">
-         <add position="starting" id-ref="cm-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.7">
-         <add position="starting" id-ref="cm-2.7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3">
-         <add position="ending" id-ref="cm-3_smt">
-            <part id="cm-3_fr" name="item">
-               <title>CM-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-3_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="cm-3_fr_gdn.1" name="guidance">
-                  <prop name="label">(e) Guidance:</prop>
-                  <p>In accordance with record retention policies and procedures.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3.1">
-         <add position="starting" id-ref="cm-3.1.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3.2">
-         <add position="starting" id-ref="cm-3.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3.4">
-         <add position="starting" id-ref="cm-3.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3.6">
-         <add position="starting" id-ref="cm-3.6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting" id-ref="cm-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4.1">
-         <add position="starting" id-ref="cm-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-4.1_obj.2.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5">
-         <add position="starting" id-ref="cm-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.1">
-         <add position="starting" id-ref="cm-5.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.2">
-         <add position="starting" id-ref="cm-5.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.3">
-         <add position="ending" id-ref="cm-5.3_smt">
-            <part id="cm-5.3_fr" name="item">
-               <title>CM-5 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-5.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.5">
-         <add position="starting" id-ref="cm-5.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-5.5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="ending" id-ref="cm-6_smt">
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6.1">
-         <add position="starting" id-ref="cm-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6.2">
-         <add position="starting" id-ref="cm-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="ending" id-ref="cm-7_smt">
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>. Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.1">
-         <add position="starting" id-ref="cm-7.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-7.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.2">
-         <add position="ending" id-ref="cm-7.2_smt">
-            <part id="cm-7.2_fr" name="item">
-               <title>CM-7 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7.2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.5">
-         <add position="starting" id-ref="cm-7.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-7.5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="ending" id-ref="cm-8_smt">
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.1">
-         <add position="starting" id-ref="cm-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.2">
-         <add position="starting" id-ref="cm-8.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.3">
-         <add position="starting" id-ref="cm-8.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.4">
-         <add position="starting" id-ref="cm-8.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.5">
-         <add position="starting" id-ref="cm-8.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-9">
-         <add position="starting" id-ref="cm-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-9.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting" id-ref="cp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting" id-ref="cp-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10.2">
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10.4">
-         <add position="starting" id-ref="cp-10.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-10.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="ending" id-ref="cp-2_smt">
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.1">
-         <add position="starting" id-ref="cp-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.2">
-         <add position="starting" id-ref="cp-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.3">
-         <add position="starting" id-ref="cp-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.4">
-         <add position="starting" id-ref="cp-2.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.5">
-         <add position="starting" id-ref="cp-2.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.8">
-         <add position="starting" id-ref="cp-2.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting" id-ref="cp-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3.1">
-         <add position="starting" id-ref="cp-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="ending" id-ref="cp-4_smt">
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4.1">
-         <add position="starting" id-ref="cp-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4.2">
-         <add position="starting" id-ref="cp-4.2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6">
-         <add position="starting" id-ref="cp-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.1">
-         <add position="starting" id-ref="cp-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.2">
-         <add position="starting" id-ref="cp-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.3">
-         <add position="starting" id-ref="cp-6.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-6.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7">
-         <add position="ending" id-ref="cp-7_smt">
-            <part id="cp-7_fr" name="item">
-               <title>CP-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.1">
-         <add position="ending" id-ref="cp-7.1_smt">
-            <part id="cp-7.1_fr" name="item">
-               <title>CP-7 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.2">
-         <add position="starting" id-ref="cp-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.3">
-         <add position="starting" id-ref="cp-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.4">
-         <add position="starting" id-ref="cp-7.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8">
-         <add position="ending" id-ref="cp-8_smt">
-            <part id="cp-8_fr" name="item">
-               <title>CP-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.1">
-         <add position="starting" id-ref="cp-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.2">
-         <add position="starting" id-ref="cp-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.3">
-         <add position="starting" id-ref="cp-8.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.4">
-         <add position="starting" id-ref="cp-8.4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="ending" id-ref="cp-9_smt">
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.1">
-         <add position="starting" id-ref="cp-9.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.2">
-         <add position="starting" id-ref="cp-9.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.3">
-         <add position="starting" id-ref="cp-9.3_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.3_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.5">
-         <add position="starting" id-ref="cp-9.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting" id-ref="ia-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.1">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.11">
-         <add position="ending" id-ref="ia-2.11_smt">
-            <part id="ia-2.11_fr" name="item">
-               <title>IA-2 (11) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.11_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.12">
-         <add position="ending" id-ref="ia-2.12_smt">
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.2">
-         <add position="starting" id-ref="ia-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.3">
-         <add position="starting" id-ref="ia-2.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.4">
-         <add position="starting" id-ref="ia-2.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.5">
-         <add position="starting" id-ref="ia-2.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.8">
-         <add position="starting" id-ref="ia-2.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.9">
-         <add position="starting" id-ref="ia-2.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-3">
-         <add position="starting" id-ref="ia-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="ending" id-ref="ia-4_smt">
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4.4">
-         <add position="starting" id-ref="ia-4.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="ending" id-ref="ia-5_smt">
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.j_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.1">
-         <add position="ending" id-ref="ia-5.1_smt">
-            <part id="ia-5.1_fr" name="item">
-               <title>IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.1_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) (d) Guidance:</prop>
-                  <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.11">
-         <add position="starting" id-ref="ia-5.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.13">
-         <add position="starting" id-ref="ia-5.13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.2">
-         <add position="starting" id-ref="ia-5.2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.3">
-         <add position="starting" id-ref="ia-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.4">
-         <add position="ending" id-ref="ia-5.4_smt">
-            <part id="ia-5.4_fr" name="item">
-               <title>IA-5 (4) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.6">
-         <add position="starting" id-ref="ia-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.7">
-         <add position="starting" id-ref="ia-5.7_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.8">
-         <add position="starting" id-ref="ia-5.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting" id-ref="ia-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting" id-ref="ia-7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting" id-ref="ia-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.1">
-         <add position="starting" id-ref="ia-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.2">
-         <add position="starting" id-ref="ia-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.3">
-         <add position="starting" id-ref="ia-8.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.4">
-         <add position="starting" id-ref="ia-8.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting" id-ref="ir-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting" id-ref="ir-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2.1">
-         <add position="starting" id-ref="ir-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2.2">
-         <add position="starting" id-ref="ir-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3">
-         <add position="ending" id-ref="ir-3_smt">
-            <part id="ir-3_fr" name="item">
-               <title>IR-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-3_fr_smt.1" name="item">
-                  <prop name="label">IR-3 -2 Requirement:</prop>
-                  <p>The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3.2">
-         <add position="starting" id-ref="ir-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="ending" id-ref="ir-4_smt">
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.1">
-         <add position="starting" id-ref="ir-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.2">
-         <add position="starting" id-ref="ir-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.3">
-         <add position="starting" id-ref="ir-4.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.4">
-         <add position="starting" id-ref="ir-4.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.6">
-         <add position="starting" id-ref="ir-4.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.8">
-         <add position="starting" id-ref="ir-4.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting" id-ref="ir-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5.1">
-         <add position="starting" id-ref="ir-5.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="ending" id-ref="ir-6_smt">
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6.1">
-         <add position="starting" id-ref="ir-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7.1">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7.2">
-         <add position="starting" id-ref="ir-7.2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="ending" id-ref="ir-8_smt">
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9">
-         <add position="starting" id-ref="ir-9.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.1">
-         <add position="starting" id-ref="ir-9.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.2">
-         <add position="starting" id-ref="ir-9.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.3">
-         <add position="starting" id-ref="ir-9.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.4">
-         <add position="starting" id-ref="ir-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting" id-ref="ma-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting" id-ref="ma-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2.2">
-         <add position="starting" id-ref="ma-2.2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3">
-         <add position="starting" id-ref="ma-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.1">
-         <add position="starting" id-ref="ma-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.2">
-         <add position="starting" id-ref="ma-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.3">
-         <add position="starting" id-ref="ma-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting" id-ref="ma-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4.2">
-         <add position="starting" id-ref="ma-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4.3">
-         <add position="starting" id-ref="ma-4.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4.6">
-         <add position="starting" id-ref="ma-4.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting" id-ref="ma-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5.1">
-         <add position="starting" id-ref="ma-5.1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.1.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.1.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-6">
-         <add position="starting" id-ref="ma-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-6.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting" id-ref="mp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting" id-ref="mp-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-3">
-         <add position="ending" id-ref="mp-3_smt">
-            <part id="mp-3_fr" name="item">
-               <title>MP-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-3_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Second parameter not-applicable</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-4">
-         <add position="ending" id-ref="mp-4_smt">
-            <part id="mp-4_fr" name="item">
-               <title>MP-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-4_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines controlled areas within facilities where the information and information system reside.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5">
-         <add position="ending" id-ref="mp-5_smt">
-            <part id="mp-5_fr" name="item">
-               <title>MP-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-5_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5.4">
-         <add position="starting" id-ref="mp-5.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting" id-ref="mp-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6.1">
-         <add position="starting" id-ref="mp-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.1_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.1_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6.2">
-         <add position="ending" id-ref="mp-6.2_smt">
-            <part id="mp-6.2_fr" name="item">
-               <title>MP-6 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-6.2_fr_gdn.a" name="guidance">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>Equipment and procedures may be tested or validated for effectiveness</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-6.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6.3">
-         <add position="starting" id-ref="mp-6.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7.1">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting" id-ref="pe-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-10">
-         <add position="starting" id-ref="pe-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-11">
-         <add position="starting" id-ref="pe-11_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-11.1">
-         <add position="starting" id-ref="pe-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting" id-ref="pe-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting" id-ref="pe-13.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.1">
-         <add position="starting" id-ref="pe-13.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.2">
-         <add position="starting" id-ref="pe-13.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.3">
-         <add position="starting" id-ref="pe-13.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="ending" id-ref="pe-14_smt">
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14.2">
-         <add position="starting" id-ref="pe-14.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting" id-ref="pe-15_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15.1">
-         <add position="starting" id-ref="pe-15.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-15.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-15.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting" id-ref="pe-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.9">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-17">
-         <add position="starting" id-ref="pe-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-18">
-         <add position="starting" id-ref="pe-18.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-18_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-18_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-18_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting" id-ref="pe-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting" id-ref="pe-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3.1">
-         <add position="starting" id-ref="pe-3.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-4">
-         <add position="starting" id-ref="pe-4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-5">
-         <add position="starting" id-ref="pe-5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting" id-ref="pe-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6.1">
-         <add position="starting" id-ref="pe-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6.4">
-         <add position="starting" id-ref="pe-6.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting" id-ref="pe-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8.1">
-         <add position="starting" id-ref="pe-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-9">
-         <add position="starting" id-ref="pe-9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting" id-ref="pl-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting" id-ref="pl-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2.3">
-         <add position="starting" id-ref="pl-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting" id-ref="pl-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4.1">
-         <add position="starting" id-ref="pl-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-8">
-         <add position="ending" id-ref="pl-8_smt">
-            <part id="pl-8_fr" name="item">
-               <title>PL-8(b) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pl-8_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pl-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting" id-ref="ps-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting" id-ref="ps-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting" id-ref="ps-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3.3">
-         <add position="starting" id-ref="ps-3.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting" id-ref="ps-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4.2">
-         <add position="starting" id-ref="ps-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting" id-ref="ps-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting" id-ref="ps-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting" id-ref="ps-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting" id-ref="ps-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting" id-ref="ra-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting" id-ref="ra-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="ending" id-ref="ra-3_smt">
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add id-ref="ra-5_smt">
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-            </part>
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.1">
-         <add position="starting" id-ref="ra-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.10">
-         <add position="ending" id-ref="ra-5.10_smt">
-            <part id="ra-5.10_fr" name="item">
-               <title>RA-5 (10) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.10_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If multiple tools are not used, this control is not applicable.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.2">
-         <add position="starting" id-ref="ra-5.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.3">
-         <add position="starting" id-ref="ra-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.4">
-         <add position="starting" id-ref="ra-5.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.5">
-         <add position="starting" id-ref="ra-5.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.6">
-         <add position="ending" id-ref="ra-5.6_smt">
-            <part id="ra-5.6_fr" name="item">
-               <title>RA-5 (6) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.8">
-         <add position="ending" id-ref="ra-5.8_smt">
-            <part id="ra-5.8_fr" name="item">
-               <title>RA-5 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>This enhancement is required for all high vulnerability scan findings.</p>
-               </part>
-               <part id="ra-5.8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting" id-ref="sa-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10">
-         <add position="ending" id-ref="sa-10_smt">
-            <part id="sa-10_fr" name="item">
-               <title>SA-10 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-10_fr_smt.1" name="item">
-                  <prop name="label">(e)  Requirement:</prop>
-                  <p>For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10.1">
-         <add position="starting" id-ref="sa-10.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11">
-         <add position="starting" id-ref="sa-11.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.1">
-         <add position="ending" id-ref="sa-11.1_smt">
-            <part id="sa-11.1_fr" name="item">
-               <title>SA-11 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-11.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.2">
-         <add position="starting" id-ref="sa-11.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.8">
-         <add position="ending" id-ref="sa-11.8_smt">
-            <part id="sa-11.8_fr" name="item">
-               <title>SA-11 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-11.8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-11.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-12">
-         <add position="starting" id-ref="sa-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-15">
-         <add position="starting" id-ref="sa-15.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.3.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.3.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.3.c">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.3.d">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-16">
-         <add position="starting" id-ref="sa-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-17">
-         <add position="starting" id-ref="sa-17.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-17.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting" id-ref="sa-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting" id-ref="sa-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="ending" id-ref="sa-4_smt">
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.1">
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.10">
-         <add position="starting" id-ref="sa-4.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.2">
-         <add position="starting" id-ref="sa-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.8">
-         <add position="ending" id-ref="sa-4.8_smt">
-            <part id="sa-4.8_fr" name="item">
-               <title>SA-4 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4.8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.9">
-         <add position="starting" id-ref="sa-4.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting" id-ref="sa-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-8">
-         <add position="starting" id-ref="sa-8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="starting" id-ref="sa-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.1">
-         <add position="starting" id-ref="sa-9.1.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.2">
-         <add position="starting" id-ref="sa-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.4">
-         <add position="starting" id-ref="sa-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.5">
-         <add position="starting" id-ref="sa-9.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting" id-ref="sc-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-10">
-         <add position="starting" id-ref="sc-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="ending" id-ref="sc-12_smt">
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.1">
-         <add position="starting" id-ref="sc-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.2">
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.3">
-         <add position="starting" id-ref="sc-12.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting" id-ref="sc-13">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="ending" id-ref="sc-15_smt">
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-17">
-         <add position="starting" id-ref="sc-17_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-17_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-18">
-         <add position="starting" id-ref="sc-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-19">
-         <add position="starting" id-ref="sc-19.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-2">
-         <add position="starting" id-ref="sc-2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting" id-ref="sc-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting" id-ref="sc-21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting" id-ref="sc-22_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-22_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-23">
-         <add position="starting" id-ref="sc-23_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-23.1">
-         <add position="starting" id-ref="sc-23.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-24">
-         <add position="starting" id-ref="sc-24_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-24_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-24_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-24_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-24_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28">
-         <add position="ending" id-ref="sc-28_smt">
-            <part id="sc-28_fr" name="item">
-               <title>SC-28 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-28_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28.1">
-         <add position="starting" id-ref="sc-28.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-3">
-         <add position="starting" id-ref="sc-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting" id-ref="sc-39_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-4">
-         <add position="starting" id-ref="sc-4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting" id-ref="sc-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-6">
-         <add position="starting" id-ref="sc-6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-6_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting" id-ref="sc-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.10">
-         <add position="starting" id-ref="sc-7.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.12">
-         <add position="starting" id-ref="sc-7.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.12_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.13">
-         <add position="ending" id-ref="sc-7.13_smt">
-            <part id="sc-7.13_fr" name="item">
-               <title>SC-7 (13) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-7.13_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
-               </part>
-               <part id="sc-7.13_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-7.13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.18">
-         <add position="starting" id-ref="sc-7.18_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.20">
-         <add position="starting" id-ref="sc-7.20_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.20_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.21">
-         <add position="starting" id-ref="sc-7.21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.3">
-         <add position="starting" id-ref="sc-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.4">
-         <add position="starting" id-ref="sc-7.4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-7.4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.5">
-         <add position="starting" id-ref="sc-7.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.7">
-         <add position="starting" id-ref="sc-7.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.8">
-         <add position="starting" id-ref="sc-7.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8">
-         <add position="starting" id-ref="sc-8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8.1">
-         <add position="starting" id-ref="sc-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting" id-ref="si-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-10">
-         <add position="starting" id-ref="si-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-11">
-         <add position="starting" id-ref="si-11.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting" id-ref="si-12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-16">
-         <add position="starting" id-ref="si-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting" id-ref="si-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.1">
-         <add position="starting" id-ref="si-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.2">
-         <add position="starting" id-ref="si-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.3">
-         <add position="starting" id-ref="si-2.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting" id-ref="si-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.1">
-         <add position="starting" id-ref="si-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.2">
-         <add position="starting" id-ref="si-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.7">
-         <add position="starting" id-ref="si-3.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="ending" id-ref="si-4_smt">
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.1">
-         <add position="starting" id-ref="si-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.11">
-         <add position="starting" id-ref="si-4.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.14">
-         <add position="starting" id-ref="si-4.14">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.16">
-         <add position="starting" id-ref="si-4.16_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.18">
-         <add position="starting" id-ref="si-4.18_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.18_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.19">
-         <add position="starting" id-ref="si-4.19_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.19_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.19_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.2">
-         <add position="starting" id-ref="si-4.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.20">
-         <add position="starting" id-ref="si-4.20_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.20_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.22">
-         <add position="starting" id-ref="si-4.22_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.22_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.22_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.23">
-         <add position="starting" id-ref="si-4.23_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.23_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.23_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.24">
-         <add position="starting" id-ref="si-4.24_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.4">
-         <add position="starting" id-ref="si-4.4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.5">
-         <add position="ending" id-ref="si-4.5_smt">
-            <part id="si-4.5_fr" name="item">
-               <title>SI-4 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>In accordance with the incident response plan.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting" id-ref="si-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5.1">
-         <add position="starting" id-ref="si-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-6">
-         <add position="starting" id-ref="si-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7">
-         <add position="starting" id-ref="si-7_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7_obj.1.c">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.1">
-         <add position="starting" id-ref="si-7.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.14">
-         <add position="starting" id-ref="si-7.14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.14.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-7.14.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.2">
-         <add position="starting" id-ref="si-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.5">
-         <add position="starting" id-ref="si-7.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.7">
-         <add position="starting" id-ref="si-7.7_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.7_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8">
-         <add position="starting" id-ref="si-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8.1">
-         <add position="starting" id-ref="si-8.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8.2">
-         <add position="starting" id-ref="si-8.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml" href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml b/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml
deleted file mode 100644
index 2165714969..0000000000
--- a/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml
+++ /dev/null
@@ -1,17511 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="7ec7633b-cbd4-4e1d-9015-e5b3d44c2550">
-   <metadata>
-      <title>FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline</title>
-      <published>2020-02-02T00:00:00.000-05:00</published>
-      <last-modified>2020-06-01T10:00:00.000-05:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <prop name="resolution-timestamp">2020-08-31T17:38:37.186738Z</prop>
-      <link rel="resolution-source" href="FedRAMP_LI-SaaS-baseline_profile.xml">FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline</link>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage"/>
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <group class="family" id="ac">
-      <title>Access Control</title>
-      <control class="SP800-53" id="ac-1">
-         <title>Access Control Policy and Procedures</title>
-         <param id="ac-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ac-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-1</prop>
-         <prop name="sort-id">ac-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ac-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ac-1_prm_1"/>:</p>
-               <part id="ac-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An access control policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ac-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the access control policy and
-                     associated access controls; and</p>
-               </part>
-            </part>
-            <part id="ac-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ac-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Access control policy <insert param-id="ac-1_prm_2"/>; and</p>
-               </part>
-               <part id="ac-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Access control procedures <insert param-id="ac-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ac-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-1.a_obj" name="objective">
-               <prop name="label">AC-1(a)</prop>
-               <part id="ac-1.a.1_obj" name="objective">
-                  <prop name="label">AC-1(a)(1)</prop>
-                  <part id="ac-1.a.1_obj.1" name="objective">
-                     <prop name="label">AC-1(a)(1)[1]</prop>
-                     <p>develops and documents an access control policy that addresses:</p>
-                     <part id="ac-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ac-1.a.1_obj.2" name="objective">
-                     <prop name="label">AC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the access control policy are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.1_obj.3" name="objective">
-                     <prop name="label">AC-1(a)(1)[3]</prop>
-                     <p>disseminates the access control policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ac-1.a.2_obj" name="objective">
-                  <prop name="label">AC-1(a)(2)</prop>
-                  <part id="ac-1.a.2_obj.1" name="objective">
-                     <prop name="label">AC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        access control policy and associated access control controls;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.2" name="objective">
-                     <prop name="label">AC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.3" name="objective">
-                     <prop name="label">AC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-1.b_obj" name="objective">
-               <prop name="label">AC-1(b)</prop>
-               <part id="ac-1.b.1_obj" name="objective">
-                  <prop name="label">AC-1(b)(1)</prop>
-                  <part id="ac-1.b.1_obj.1" name="objective">
-                     <prop name="label">AC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        policy;</p>
-                  </part>
-                  <part id="ac-1.b.1_obj.2" name="objective">
-                     <prop name="label">AC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current access control policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ac-1.b.2_obj" name="objective">
-                  <prop name="label">AC-1(b)(2)</prop>
-                  <part id="ac-1.b.2_obj.1" name="objective">
-                     <prop name="label">AC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        procedures; and</p>
-                  </part>
-                  <part id="ac-1.b.2_obj.2" name="objective">
-                     <prop name="label">AC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current access control procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-2">
-         <title>Account Management</title>
-         <param id="ac-2_prm_1">
-            <label>organization-defined information system account types</label>
-         </param>
-         <param id="ac-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-2_prm_3">
-            <label>organization-defined procedures or conditions</label>
-         </param>
-         <param id="ac-2_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-2</prop>
-         <prop name="sort-id">ac-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <part id="ac-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies and selects the following types of information system accounts to
-                  support organizational missions/business functions: <insert param-id="ac-2_prm_1"/>;</p>
-            </part>
-            <part id="ac-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Creates, enables, modifies, disables, and removes information system accounts in
-                  accordance with <insert param-id="ac-2_prm_3"/>;</p>
-            </part>
-            <part id="ac-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Notifies account managers:</p>
-               <part id="ac-2_smt.h.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>When accounts are no longer required;</p>
-               </part>
-               <part id="ac-2_smt.h.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>When users are terminated or transferred; and</p>
-               </part>
-               <part id="ac-2_smt.h.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>When individual information system usage or need-to-know changes;</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-2_gdn" name="guidance">
-            <p>Information system account types include, for example, individual, shared, group,
-               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-               service. Some of the account management requirements listed above can be implemented
-               by organizational information systems. The identification of authorized users of the
-               information system and the specification of access privileges reflects the
-               requirements in other security controls in the security plan. Users requiring
-               administrative privileges on information system accounts receive additional scrutiny
-               by appropriate organizational personnel (e.g., system owner, mission/business owner,
-               or chief information security officer) responsible for approving such accounts and
-               privileged access. Organizations may choose to define access privileges or other
-               attributes by account, by type of account, or a combination of both. Other attributes
-               required for authorizing access include, for example, restrictions on time-of-day,
-               day-of-week, and point-of-origin. In defining other account attributes, organizations
-               consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-               and mission/business requirements, (e.g., time zone differences, customer
-               requirements, remote access to support travel requirements). Failure to consider
-               these factors could affect information system availability. Temporary and emergency
-               accounts are accounts intended for short-term use. Organizations establish temporary
-               accounts as a part of normal account activation procedures when there is a need for
-               short-term accounts without the demand for immediacy in account activation.
-               Organizations establish emergency accounts in response to crisis situations and with
-               the need for rapid account activation. Therefore, emergency account activation may
-               bypass normal account authorization processes. Emergency and temporary accounts are
-               not to be confused with infrequently used accounts (e.g., local logon accounts used
-               for special tasks defined by organizations or when network resources are
-               unavailable). Such accounts remain available and are not subject to automatic
-               disabling or removal dates. Conditions for disabling or deactivating accounts
-               include, for example: (i) when shared/group, emergency, or temporary accounts are no
-               longer required; or (ii) when individuals are transferred or terminated. Some types
-               of information system accounts may require specialized training.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-10">AC-10</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ac-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-2.a_obj" name="objective">
-               <prop name="label">AC-2(a)</prop>
-               <part id="ac-2.a_obj.1" name="objective">
-                  <prop name="label">AC-2(a)[1]</prop>
-                  <p>defines information system account types to be identified and selected to
-                     support organizational missions/business functions;</p>
-               </part>
-               <part id="ac-2.a_obj.2" name="objective">
-                  <prop name="label">AC-2(a)[2]</prop>
-                  <p>identifies and selects organization-defined information system account types to
-                     support organizational missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.b_obj" name="objective">
-               <prop name="label">AC-2(b)</prop>
-               <p>assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2.c_obj" name="objective">
-               <prop name="label">AC-2(c)</prop>
-               <p>establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2.d_obj" name="objective">
-               <prop name="label">AC-2(d)</prop>
-               <p>specifies for each account (as required):</p>
-               <part id="ac-2.d_obj.1" name="objective">
-                  <prop name="label">AC-2(d)[1]</prop>
-                  <p>authorized users of the information system;</p>
-               </part>
-               <part id="ac-2.d_obj.2" name="objective">
-                  <prop name="label">AC-2(d)[2]</prop>
-                  <p>group and role membership;</p>
-               </part>
-               <part id="ac-2.d_obj.3" name="objective">
-                  <prop name="label">AC-2(d)[3]</prop>
-                  <p>access authorizations (i.e., privileges);</p>
-               </part>
-               <part id="ac-2.d_obj.4" name="objective">
-                  <prop name="label">AC-2(d)[4]</prop>
-                  <p>other attributes;</p>
-               </part>
-            </part>
-            <part id="ac-2.e_obj" name="objective">
-               <prop name="label">AC-2(e)</prop>
-               <part id="ac-2.e_obj.1" name="objective">
-                  <prop name="label">AC-2(e)[1]</prop>
-                  <p>defines personnel or roles required to approve requests to create information
-                     system accounts;</p>
-               </part>
-               <part id="ac-2.e_obj.2" name="objective">
-                  <prop name="label">AC-2(e)[2]</prop>
-                  <p>requires approvals by organization-defined personnel or roles for requests to
-                     create information system accounts;</p>
-               </part>
-            </part>
-            <part id="ac-2.f_obj" name="objective">
-               <prop name="label">AC-2(f)</prop>
-               <part id="ac-2.f_obj.1" name="objective">
-                  <prop name="label">AC-2(f)[1]</prop>
-                  <p>defines procedures or conditions to:</p>
-                  <part id="ac-2.f_obj.1.a" name="objective">
-                     <prop name="label">AC-2(f)[1][a]</prop>
-                     <p>create information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.b" name="objective">
-                     <prop name="label">AC-2(f)[1][b]</prop>
-                     <p>enable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.c" name="objective">
-                     <prop name="label">AC-2(f)[1][c]</prop>
-                     <p>modify information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.d" name="objective">
-                     <prop name="label">AC-2(f)[1][d]</prop>
-                     <p>disable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.e" name="objective">
-                     <prop name="label">AC-2(f)[1][e]</prop>
-                     <p>remove information system accounts;</p>
-                  </part>
-               </part>
-               <part id="ac-2.f_obj.2" name="objective">
-                  <prop name="label">AC-2(f)[2]</prop>
-                  <p>in accordance with organization-defined procedures or conditions:</p>
-                  <part id="ac-2.f_obj.2.a" name="objective">
-                     <prop name="label">AC-2(f)[2][a]</prop>
-                     <p>creates information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.b" name="objective">
-                     <prop name="label">AC-2(f)[2][b]</prop>
-                     <p>enables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.c" name="objective">
-                     <prop name="label">AC-2(f)[2][c]</prop>
-                     <p>modifies information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.d" name="objective">
-                     <prop name="label">AC-2(f)[2][d]</prop>
-                     <p>disables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.e" name="objective">
-                     <prop name="label">AC-2(f)[2][e]</prop>
-                     <p>removes information system accounts;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.g_obj" name="objective">
-               <prop name="label">AC-2(g)</prop>
-               <p>monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2.h_obj" name="objective">
-               <prop name="label">AC-2(h)</prop>
-               <p>notifies account managers:</p>
-               <part id="ac-2.h.1_obj" name="objective">
-                  <prop name="label">AC-2(h)(1)</prop>
-                  <p>when accounts are no longer required;</p>
-               </part>
-               <part id="ac-2.h.2_obj" name="objective">
-                  <prop name="label">AC-2(h)(2)</prop>
-                  <p>when users are terminated or transferred;</p>
-               </part>
-               <part id="ac-2.h.3_obj" name="objective">
-                  <prop name="label">AC-2(h)(3)</prop>
-                  <p>when individual information system usage or need to know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2.i_obj" name="objective">
-               <prop name="label">AC-2(i)</prop>
-               <p>authorizes access to the information system based on;</p>
-               <part id="ac-2.i.1_obj" name="objective">
-                  <prop name="label">AC-2(i)(1)</prop>
-                  <p>a valid access authorization;</p>
-               </part>
-               <part id="ac-2.i.2_obj" name="objective">
-                  <prop name="label">AC-2(i)(2)</prop>
-                  <p>intended system usage;</p>
-               </part>
-               <part id="ac-2.i.3_obj" name="objective">
-                  <prop name="label">AC-2(i)(3)</prop>
-                  <p>other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.j_obj" name="objective">
-               <prop name="label">AC-2(j)</prop>
-               <part id="ac-2.j_obj.1" name="objective">
-                  <prop name="label">AC-2(j)[1]</prop>
-                  <p>defines the frequency to review accounts for compliance with account management
-                     requirements;</p>
-               </part>
-               <part id="ac-2.j_obj.2" name="objective">
-                  <prop name="label">AC-2(j)[2]</prop>
-                  <p>reviews accounts for compliance with account management requirements with the
-                     organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="ac-2.k_obj" name="objective">
-               <prop name="label">AC-2(k)</prop>
-               <p>establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of active system accounts along with the name of the individual associated
-                  with each account</p>
-               <p>list of conditions for group and role membership</p>
-               <p>notifications or records of recently transferred, separated, or terminated
-                  employees</p>
-               <p>list of recently disabled information system accounts along with the name of the
-                  individual associated with each account</p>
-               <p>access authorization records</p>
-               <p>account management compliance reviews</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes account management on the information system</p>
-               <p>automated mechanisms for implementing account management</p>
-            </part>
-         </part>
-         <part id="ac-2_fr" name="item">
-            <title>AC-2 Additional FedRAMP Requirements and Guidance</title>
-            <part id="ac-2_fr_gdn.1" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored
-                     for LI-SaaS.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-3">
-         <title>Access Enforcement</title>
-         <prop name="label">AC-3</prop>
-         <prop name="sort-id">ac-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <part id="ac-3_smt" name="statement">
-            <p>The information system enforces approved authorizations for logical access to
-               information and system resources in accordance with applicable access control
-               policies.</p>
-         </part>
-         <part id="ac-3_gdn" name="guidance">
-            <p>Access control policies (e.g., identity-based policies, role-based policies, control
-               matrices, cryptography) control access between active entities or subjects (i.e.,
-               users or processes acting on behalf of users) and passive entities or objects (e.g.,
-               devices, files, records, domains) in information systems. In addition to enforcing
-               authorized access at the information system level and recognizing that information
-               systems can host many applications and services in support of organizational missions
-               and business operations, access enforcement mechanisms can also be employed at the
-               application and service level to provide increased information security.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#ac-22">AC-22</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="ac-3_obj" name="objective">
-            <p>Determine if the information system enforces approved authorizations for logical
-               access to information and system resources in accordance with applicable access
-               control policies.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of approved authorizations (user privileges)</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access enforcement responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-7">
-         <title>Unsuccessful Logon Attempts</title>
-         <param id="ac-7_prm_1">
-            <label>organization-defined number</label>
-         </param>
-         <param id="ac-7_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ac-7_prm_3"/>
-         <param id="ac-7_prm_4" depends-on="ac-7_prm_3">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ac-7_prm_5" depends-on="ac-7_prm_3">
-            <label>organization-defined delay algorithm</label>
-         </param>
-         <prop name="label">AC-7</prop>
-         <prop name="sort-id">ac-07</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="ac-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces a limit of <insert param-id="ac-7_prm_1"/> consecutive invalid logon
-                  attempts by a user during a <insert param-id="ac-7_prm_2"/>; and</p>
-            </part>
-            <part id="ac-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Automatically <insert param-id="ac-7_prm_3"/> when the maximum number of
-                  unsuccessful attempts is exceeded.</p>
-            </part>
-         </part>
-         <part id="ac-7_gdn" name="guidance">
-            <p>This control applies regardless of whether the logon occurs via a local or network
-               connection. Due to the potential for denial of service, automatic lockouts initiated
-               by information systems are usually temporary and automatically release after a
-               predetermined time period established by organizations. If a delay algorithm is
-               selected, organizations may choose to employ different algorithms for different
-               information system components based on the capabilities of those components.
-               Responses to unsuccessful logon attempts may be implemented at both the operating
-               system and the application levels.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-         </part>
-         <part id="ac-7_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="ac-7.a_obj" name="objective">
-               <prop name="label">AC-7(a)</prop>
-               <part id="ac-7.a_obj.1" name="objective">
-                  <prop name="label">AC-7(a)[1]</prop>
-                  <p>the organization defines the number of consecutive invalid logon attempts
-                     allowed to the information system by a user during an organization-defined time
-                     period;</p>
-               </part>
-               <part id="ac-7.a_obj.2" name="objective">
-                  <prop name="label">AC-7(a)[2]</prop>
-                  <p>the organization defines the time period allowed by a user of the information
-                     system for an organization-defined number of consecutive invalid logon
-                     attempts;</p>
-               </part>
-               <part id="ac-7.a_obj.3" name="objective">
-                  <prop name="label">AC-7(a)[3]</prop>
-                  <p>the information system enforces a limit of organization-defined number of
-                     consecutive invalid logon attempts by a user during an organization-defined
-                     time period;</p>
-               </part>
-            </part>
-            <part id="ac-7.b_obj" name="objective">
-               <prop name="label">AC-7(b)</prop>
-               <part id="ac-7.b_obj.1" name="objective">
-                  <prop name="label">AC-7(b)[1]</prop>
-                  <p>the organization defines account/node lockout time period or logon delay
-                     algorithm to be automatically enforced by the information system when the
-                     maximum number of unsuccessful logon attempts is exceeded;</p>
-               </part>
-               <part id="ac-7.b_obj.2" name="objective">
-                  <prop name="label">AC-7(b)[2]</prop>
-                  <p>the information system, when the maximum number of unsuccessful logon attempts
-                     is exceeded, automatically:</p>
-                  <part id="ac-7.b_obj.2.a" name="objective">
-                     <prop name="label">AC-7(b)[2][a]</prop>
-                     <p>locks the account/node for the organization-defined time period;</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.b" name="objective">
-                     <prop name="label">AC-7(b)[2][b]</prop>
-                     <p>locks the account/node until released by an administrator; or</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.c" name="objective">
-                     <prop name="label">AC-7(b)[2][c]</prop>
-                     <p>delays next logon prompt according to the organization-defined delay
-                        algorithm.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing unsuccessful logon attempts</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for unsuccessful logon
-                  attempts</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO for non-privileged users. Attestation for privileged users related to
-                  multi-factor identification and authentication.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-8">
-         <title>System Use Notification</title>
-         <param id="ac-8_prm_1">
-            <label>organization-defined system use notification message or banner</label>
-         </param>
-         <param id="ac-8_prm_2">
-            <label>organization-defined conditions</label>
-         </param>
-         <prop name="label">AC-8</prop>
-         <prop name="sort-id">ac-08</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-         <part id="ac-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Displays to users <insert param-id="ac-8_prm_1"/> before granting access to the
-                  system that provides privacy and security notices consistent with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance and states that:</p>
-               <part id="ac-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Users are accessing a U.S. Government information system;</p>
-               </part>
-               <part id="ac-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Information system usage may be monitored, recorded, and subject to audit;</p>
-               </part>
-               <part id="ac-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Unauthorized use of the information system is prohibited and subject to
-                     criminal and civil penalties; and</p>
-               </part>
-               <part id="ac-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Use of the information system indicates consent to monitoring and
-                     recording;</p>
-               </part>
-            </part>
-            <part id="ac-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains the notification message or banner on the screen until users acknowledge
-                  the usage conditions and take explicit actions to log on to or further access the
-                  information system; and</p>
-            </part>
-            <part id="ac-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>For publicly accessible systems:</p>
-               <part id="ac-8_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Displays system use information <insert param-id="ac-8_prm_2"/>, before
-                     granting further access;</p>
-               </part>
-               <part id="ac-8_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Displays references, if any, to monitoring, recording, or auditing that are
-                     consistent with privacy accommodations for such systems that generally prohibit
-                     those activities; and</p>
-               </part>
-               <part id="ac-8_smt.c.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Includes a description of the authorized uses of the system.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-8_gdn" name="guidance">
-            <p>System use notifications can be implemented using messages or warning banners
-               displayed before individuals log in to information systems. System use notifications
-               are used only for access via logon interfaces with human users and are not required
-               when such human interfaces do not exist. Organizations consider system use
-               notification messages/banners displayed in multiple languages based on specific
-               organizational needs and the demographics of information system users. Organizations
-               also consult with the Office of the General Counsel for legal review and approval of
-               warning banner content.</p>
-         </part>
-         <part id="ac-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-8.a_obj" name="objective">
-               <prop name="label">AC-8(a)</prop>
-               <part id="ac-8.a_obj.1" name="objective">
-                  <prop name="label">AC-8(a)[1]</prop>
-                  <p>the organization defines a system use notification message or banner to be
-                     displayed by the information system to users before granting access to the
-                     system;</p>
-               </part>
-               <part id="ac-8.a_obj.2" name="objective">
-                  <prop name="label">AC-8(a)[2]</prop>
-                  <p>the information system displays to users the organization-defined system use
-                     notification message or banner before granting access to the information system
-                     that provides privacy and security notices consistent with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance, and states that:</p>
-                  <part id="ac-8.a.1_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](1)</prop>
-                     <p>users are accessing a U.S. Government information system;</p>
-                  </part>
-                  <part id="ac-8.a.2_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](2)</prop>
-                     <p>information system usage may be monitored, recorded, and subject to
-                        audit;</p>
-                  </part>
-                  <part id="ac-8.a.3_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](3)</prop>
-                     <p>unauthorized use of the information system is prohibited and subject to
-                        criminal and civil penalties;</p>
-                  </part>
-                  <part id="ac-8.a.4_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](4)</prop>
-                     <p>use of the information system indicates consent to monitoring and
-                        recording;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-8.b_obj" name="objective">
-               <prop name="label">AC-8(b)</prop>
-               <p>the information system retains the notification message or banner on the screen
-                  until users acknowledge the usage conditions and take explicit actions to log on
-                  to or further access the information system;</p>
-            </part>
-            <part id="ac-8.c_obj" name="objective">
-               <prop name="label">AC-8(c)</prop>
-               <p>for publicly accessible systems:</p>
-               <part id="ac-8.c.1_obj" name="objective">
-                  <prop name="label">AC-8(c)(1)</prop>
-                  <part id="ac-8.c.1_obj.1" name="objective">
-                     <prop name="label">AC-8(c)(1)[1]</prop>
-                     <p>the organization defines conditions for system use to be displayed by the
-                        information system before granting further access;</p>
-                  </part>
-                  <part id="ac-8.c.1_obj.2" name="objective">
-                     <prop name="label">AC-8(c)(1)[2]</prop>
-                     <p>the information system displays organization-defined conditions before
-                        granting further access;</p>
-                  </part>
-               </part>
-               <part id="ac-8.c.2_obj" name="objective">
-                  <prop name="label">AC-8(c)(2)</prop>
-                  <p>the information system displays references, if any, to monitoring, recording,
-                     or auditing that are consistent with privacy accommodations for such systems
-                     that generally prohibit those activities; and</p>
-               </part>
-               <part id="ac-8.c.3_obj" name="objective">
-                  <prop name="label">AC-8(c)(3)</prop>
-                  <p>the information system includes a description of the authorized uses of the
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>privacy and security policies, procedures addressing system use notification</p>
-               <p>documented approval of information system use notification messages or banners</p>
-               <p>information system audit records</p>
-               <p>user acknowledgements of notification message or banner</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system use notification messages</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for providing legal advice</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing system use notification</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>FED - This is related to agency data and agency policy solution.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-14">
-         <title>Permitted Actions Without Identification or Authentication</title>
-         <param id="ac-14_prm_1">
-            <label>organization-defined user actions</label>
-         </param>
-         <prop name="label">AC-14</prop>
-         <prop name="sort-id">ac-14</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-         <part id="ac-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies <insert param-id="ac-14_prm_1"/> that can be performed on the
-                  information system without identification or authentication consistent with
-                  organizational missions/business functions; and</p>
-            </part>
-            <part id="ac-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part id="ac-14_gdn" name="guidance">
-            <p>This control addresses situations in which organizations determine that no
-               identification or authentication is required in organizational information systems.
-               Organizations may allow a limited number of user actions without identification or
-               authentication including, for example, when individuals access public websites or
-               other publicly accessible federal information systems, when individuals use mobile
-               phones to receive calls, or when facsimiles are received. Organizations also identify
-               actions that normally require identification or authentication but may under certain
-               circumstances (e.g., emergencies), allow identification or authentication mechanisms
-               to be bypassed. Such bypasses may occur, for example, via a software-readable
-               physical switch that commands bypass of the logon functionality and is protected from
-               accidental or unmonitored use. This control does not apply to situations where
-               identification and authentication have already occurred and are not repeated, but
-               rather to situations where identification and authentication have not yet occurred.
-               Organizations may decide that there are no user actions that can be performed on
-               organizational information systems without identification and authentication and
-               thus, the values for assignment statements can be none.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-         </part>
-         <part id="ac-14_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-14.a_obj" name="objective">
-               <prop name="label">AC-14(a)</prop>
-               <part id="ac-14.a_obj.1" name="objective">
-                  <prop name="label">AC-14(a)[1]</prop>
-                  <p>defines user actions that can be performed on the information system without
-                     identification or authentication consistent with organizational
-                     missions/business functions;</p>
-               </part>
-               <part id="ac-14.a_obj.2" name="objective">
-                  <prop name="label">AC-14(a)[2]</prop>
-                  <p>identifies organization-defined user actions that can be performed on the
-                     information system without identification or authentication consistent with
-                     organizational missions/business functions; and</p>
-               </part>
-            </part>
-            <part id="ac-14.b_obj" name="objective">
-               <prop name="label">AC-14(b)</prop>
-               <p>documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing permitted actions without identification or
-                  authentication</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>list of user actions that can be performed without identification or
-                  authentication</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>FED - This is related to agency data and agency policy solution.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-17">
-         <title>Remote Access</title>
-         <prop name="label">AC-17</prop>
-         <prop name="sort-id">ac-17</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#5309d4d0-46f8-4213-a749-e7584164e5e8" rel="reference">NIST Special Publication 800-46</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#349fe082-502d-464a-aa0c-1443c6a5cf40" rel="reference">NIST Special Publication 800-113</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#d1a4e2a9-e512-4132-8795-5357aba29254" rel="reference">NIST Special Publication 800-121</link>
-         <part id="ac-17_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents usage restrictions, configuration/connection
-                  requirements, and implementation guidance for each type of remote access allowed;
-                  and</p>
-            </part>
-            <part id="ac-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-17_gdn" name="guidance">
-            <p>Remote access is access to organizational information systems by users (or processes
-               acting on behalf of users) communicating through external networks (e.g., the
-               Internet). Remote access methods include, for example, dial-up, broadband, and
-               wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-               enhance confidentiality and integrity over remote connections. The use of encrypted
-               VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-               provisioned with appropriate security controls (e.g., employing appropriate
-               encryption techniques for confidentiality and integrity protection) may provide
-               sufficient assurance to the organization that it can effectively treat such
-               connections as internal networks. Still, VPN connections traverse external networks,
-               and the encrypted VPN does not enhance the availability of remote connections. Also,
-               VPNs with encrypted tunnels can affect the organizational capability to adequately
-               monitor network communications traffic for malicious code. Remote access controls
-               apply to information systems other than public web servers or systems designed for
-               public access. This control addresses authorization prior to allowing remote access
-               without specifying the formats for such authorization. While organizations may use
-               interconnection security agreements to authorize remote access connections, such
-               agreements are not required by this control. Enforcing access restrictions for remote
-               connections is addressed in AC-3.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#pe-17">PE-17</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-17_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-17.a_obj" name="objective">
-               <prop name="label">AC-17(a)</prop>
-               <part id="ac-17.a_obj.1" name="objective">
-                  <prop name="label">AC-17(a)[1]</prop>
-                  <p>identifies the types of remote access allowed to the information system;</p>
-               </part>
-               <part id="ac-17.a_obj.2" name="objective">
-                  <prop name="label">AC-17(a)[2]</prop>
-                  <p>establishes for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.2.a" name="objective">
-                     <prop name="label">AC-17(a)[2][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.b" name="objective">
-                     <prop name="label">AC-17(a)[2][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.c" name="objective">
-                     <prop name="label">AC-17(a)[2][c]</prop>
-                     <p>implementation guidance;</p>
-                  </part>
-               </part>
-               <part id="ac-17.a_obj.3" name="objective">
-                  <prop name="label">AC-17(a)[3]</prop>
-                  <p>documents for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.3.a" name="objective">
-                     <prop name="label">AC-17(a)[3][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.b" name="objective">
-                     <prop name="label">AC-17(a)[3][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.c" name="objective">
-                     <prop name="label">AC-17(a)[3][c]</prop>
-                     <p>implementation guidance; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-17.b_obj" name="objective">
-               <prop name="label">AC-17(b)</prop>
-               <p>authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing remote access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>remote access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing remote access
-                  connections</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Remote access management capability for the information system</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-18">
-         <title>Wireless Access</title>
-         <prop name="label">AC-18</prop>
-         <prop name="sort-id">ac-18</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <link href="#238ed479-eccb-49f6-82ec-ab74a7a428cf" rel="reference">NIST Special Publication 800-48</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#6f336ecd-f2a0-4c84-9699-0491d81b6e0d" rel="reference">NIST Special Publication 800-97</link>
-         <part id="ac-18_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-18_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration/connection requirements, and
-                  implementation guidance for wireless access; and</p>
-            </part>
-            <part id="ac-18_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-18_gdn" name="guidance">
-            <p>Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-               EAP/TLS, PEAP), which provide credential protection and mutual authentication.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-18_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-18.a_obj" name="objective">
-               <prop name="label">AC-18(a)</prop>
-               <p>establishes for wireless access:</p>
-               <part id="ac-18.a_obj.1" name="objective">
-                  <prop name="label">AC-18(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-18.a_obj.2" name="objective">
-                  <prop name="label">AC-18(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-18.a_obj.3" name="objective">
-                  <prop name="label">AC-18(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-18.b_obj" name="objective">
-               <prop name="label">AC-18(b)</prop>
-               <p>authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing wireless access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>wireless access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing wireless access
-                  connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Wireless access management capability for the information system</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - All access to Cloud SaaS are via web services and/or API. The device
-                  accessed from or whether via wired or wireless connection is out of scope.
-                  Regardless of device accessed from, must utilize approved remote access methods
-                  (AC-17), secure communication with strong encryption (SC-13), key management
-                  (SC-12), and multi-factor authentication for privileged access (IA-2[1]).</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-19">
-         <title>Access Control for Mobile Devices</title>
-         <prop name="label">AC-19</prop>
-         <prop name="sort-id">ac-19</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589" rel="reference">NIST Special Publication 800-124</link>
-         <link href="#6513e480-fada-4876-abba-1397084dfb26" rel="reference">NIST Special Publication 800-164</link>
-         <part id="ac-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration requirements, connection
-                  requirements, and implementation guidance for organization-controlled mobile
-                  devices; and</p>
-            </part>
-            <part id="ac-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part id="ac-19_gdn" name="guidance">
-            <p>A mobile device is a computing device that: (i) has a small form factor such that it
-               can easily be carried by a single individual; (ii) is designed to operate without a
-               physical connection (e.g., wirelessly transmit or receive information); (iii)
-               possesses local, non-removable or removable data storage; and (iv) includes a
-               self-contained power source. Mobile devices may also include voice communication
-               capabilities, on-board sensors that allow the device to capture information, and/or
-               built-in features for synchronizing local data with remote locations. Examples
-               include smart phones, E-readers, and tablets. Mobile devices are typically associated
-               with a single individual and the device is usually in close proximity to the
-               individual; however, the degree of proximity can vary depending upon on the form
-               factor and size of the device. The processing, storage, and transmission capability
-               of the mobile device may be comparable to or merely a subset of desktop systems,
-               depending upon the nature and intended purpose of the device. Due to the large
-               variety of mobile devices with different technical characteristics and capabilities,
-               organizational restrictions may vary for the different classes/types of such devices.
-               Usage restrictions and specific implementation guidance for mobile devices include,
-               for example, configuration management, device identification and authentication,
-               implementation of mandatory protective software (e.g., malicious code detection,
-               firewall), scanning devices for malicious code, updating virus protection software,
-               scanning for critical software updates and patches, conducting primary operating
-               system (and possibly other resident software) integrity checks, and disabling
-               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-               need to provide adequate security for mobile devices goes beyond the requirements in
-               this control. Many safeguards and countermeasures for mobile devices are reflected in
-               other security controls in the catalog allocated in the initial control baselines as
-               starting points for the development of security plans and overlays using the
-               tailoring process. There may also be some degree of overlap in the requirements
-               articulated by the security controls within the different families of controls. AC-20
-               addresses mobile devices that are not organization-controlled.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-9">CA-9</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-19.a_obj" name="objective">
-               <prop name="label">AC-19(a)</prop>
-               <p>establishes for organization-controlled mobile devices:</p>
-               <part id="ac-19.a_obj.1" name="objective">
-                  <prop name="label">AC-19(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-19.a_obj.2" name="objective">
-                  <prop name="label">AC-19(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-19.a_obj.3" name="objective">
-                  <prop name="label">AC-19(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-19.b_obj" name="objective">
-               <prop name="label">AC-19(b)</prop>
-               <p>authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access control for mobile device usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>authorizations for mobile device connections to organizational information
-                  systems</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel using mobile devices to access organizational information
-                  systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Access control capability authorizing mobile device connections to organizational
-                  information systems</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - All access to Cloud SaaS are via web service and/or API. The device accessed
-                  from is out of the scope. Regardless of device accessed from, must utilize
-                  approved remote access methods (AC-17), secure communication with strong
-                  encryption (SC-13), key management (SC-12), and multi-factor authentication for
-                  privileged access (IA-2 [1]).</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-20">
-         <title>Use of External Information Systems</title>
-         <prop name="label">AC-20</prop>
-         <prop name="sort-id">ac-20</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="ac-20_smt" name="statement">
-            <p>The organization establishes terms and conditions, consistent with any trust
-               relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to:</p>
-            <part id="ac-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Access the information system from external information systems; and</p>
-            </part>
-            <part id="ac-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part id="ac-20_gdn" name="guidance">
-            <p>External information systems are information systems or components of information
-               systems that are outside of the authorization boundary established by organizations
-               and for which organizations typically have no direct supervision and authority over
-               the application of required security controls or the assessment of control
-               effectiveness. External information systems include, for example: (i) personally
-               owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-               personal digital assistants); (ii) privately owned computing and communications
-               devices resident in commercial or public facilities (e.g., hotels, train stations,
-               convention centers, shopping malls, or airports); (iii) information systems owned or
-               controlled by nonfederal governmental organizations; and (iv) federal information
-               systems that are not owned by, operated by, or under the direct supervision and
-               authority of organizations. This control also addresses the use of external
-               information systems for the processing, storage, or transmission of organizational
-               information, including, for example, accessing cloud services (e.g., infrastructure
-               as a service, platform as a service, or software as a service) from organizational
-               information systems. For some external information systems (i.e., information systems
-               operated by other federal agencies, including organizations subordinate to those
-               agencies), the trust relationships that have been established between those
-               organizations and the originating organization may be such, that no explicit terms
-               and conditions are required. Information systems within these organizations would not
-               be considered external. These situations occur when, for example, there are
-               pre-existing sharing/trust agreements (either implicit or explicit) established
-               between federal agencies or organizations subordinate to those agencies, or when such
-               trust agreements are specified by applicable laws, Executive Orders, directives, or
-               policies. Authorized individuals include, for example, organizational personnel,
-               contractors, or other individuals with authorized access to organizational
-               information systems and over which organizations have the authority to impose rules
-               of behavior with regard to system access. Restrictions that organizations impose on
-               authorized individuals need not be uniform, as those restrictions may vary depending
-               upon the trust relationships between organizations. Therefore, organizations may
-               choose to impose different security restrictions on contractors than on state, local,
-               or tribal governments. This control does not apply to the use of external information
-               systems to access public interfaces to organizational information systems (e.g.,
-               individuals accessing federal information through www.usa.gov). Organizations
-               establish terms and conditions for the use of external information systems in
-               accordance with organizational security policies and procedures. Terms and conditions
-               address as a minimum: types of applications that can be accessed on organizational
-               information systems from external information systems; and the highest security
-               category of information that can be processed, stored, or transmitted on external
-               information systems. If terms and conditions with the owners of external information
-               systems cannot be established, organizations may impose restrictions on
-               organizational personnel using those external systems.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ac-20_obj" name="objective">
-            <p>Determine if the organization establishes terms and conditions, consistent with any
-               trust relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to: </p>
-            <part id="ac-20.a_obj" name="objective">
-               <prop name="label">AC-20(a)</prop>
-               <p>access the information system from the external information systems; and</p>
-            </part>
-            <part id="ac-20.b_obj" name="objective">
-               <prop name="label">AC-20(b)</prop>
-               <p>process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing the use of external information systems</p>
-               <p>external information systems terms and conditions</p>
-               <p>list of types of applications accessible from external information systems</p>
-               <p>maximum security categorization for information processed, stored, or transmitted
-                  on external information systems</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining terms and conditions
-                  for use of external information systems to access organizational systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing terms and conditions on use of external
-                  information systems</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-22">
-         <title>Publicly Accessible Content</title>
-         <param id="ac-22_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least quarterly</constraint>
-         </param>
-         <prop name="label">AC-22</prop>
-         <prop name="sort-id">ac-22</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <part id="ac-22_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-22_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included; and</p>
-            </part>
-            <part id="ac-22_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the content on the publicly accessible information system for nonpublic
-                  information <insert param-id="ac-22_prm_1"/> and removes such information, if
-                  discovered.</p>
-            </part>
-         </part>
-         <part id="ac-22_gdn" name="guidance">
-            <p>In accordance with federal laws, Executive Orders, directives, policies, regulations,
-               standards, and/or guidance, the general public is not authorized access to nonpublic
-               information (e.g., information protected under the Privacy Act and proprietary
-               information). This control addresses information systems that are controlled by the
-               organization and accessible to the general public, typically without identification
-               or authentication. The posting of information on non-organization information systems
-               is covered by organizational policy.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-13">AU-13</link>
-         </part>
-         <part id="ac-22_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-22.a_obj" name="objective">
-               <prop name="label">AC-22(a)</prop>
-               <p>designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22.b_obj" name="objective">
-               <prop name="label">AC-22(b)</prop>
-               <p>trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22.c_obj" name="objective">
-               <prop name="label">AC-22(c)</prop>
-               <p>reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included;</p>
-            </part>
-            <part id="ac-22.d_obj" name="objective">
-               <prop name="label">AC-22(d)</prop>
-               <part id="ac-22.d_obj.1" name="objective">
-                  <prop name="label">AC-22(d)[1]</prop>
-                  <p>defines the frequency to review the content on the publicly accessible
-                     information system for nonpublic information;</p>
-               </part>
-               <part id="ac-22.d_obj.2" name="objective">
-                  <prop name="label">AC-22(d)[2]</prop>
-                  <p>reviews the content on the publicly accessible information system for nonpublic
-                     information with the organization-defined frequency; and</p>
-               </part>
-               <part id="ac-22.d_obj.3" name="objective">
-                  <prop name="label">AC-22(d)[3]</prop>
-                  <p>removes nonpublic information from the publicly accessible information system,
-                     if discovered.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing publicly accessible content</p>
-               <p>list of users authorized to post publicly accessible content on organizational
-                  information systems</p>
-               <p>training materials and/or records</p>
-               <p>records of publicly accessible information reviews</p>
-               <p>records of response to nonpublic information on public websites</p>
-               <p>system audit logs</p>
-               <p>security awareness training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing publicly accessible
-                  information posted on organizational information systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing management of publicly accessible content</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="at">
-      <title>Awareness and Training</title>
-      <control class="SP800-53" id="at-1">
-         <title>Security Awareness and Training Policy and Procedures</title>
-         <param id="at-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="at-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="at-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-1</prop>
-         <prop name="sort-id">at-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="at-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="at-1_prm_1"/>:</p>
-               <part id="at-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security awareness and training policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="at-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security awareness and
-                     training policy and associated security awareness and training controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="at-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="at-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security awareness and training policy <insert param-id="at-1_prm_2"/>; and</p>
-               </part>
-               <part id="at-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security awareness and training procedures <insert param-id="at-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="at-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AT
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="at-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-1.a_obj" name="objective">
-               <prop name="label">AT-1(a)</prop>
-               <part id="at-1.a.1_obj" name="objective">
-                  <prop name="label">AT-1(a)(1)</prop>
-                  <part id="at-1.a.1_obj.1" name="objective">
-                     <prop name="label">AT-1(a)(1)[1]</prop>
-                     <p>develops and documents an security awareness and training policy that
-                        addresses:</p>
-                     <part id="at-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="at-1.a.1_obj.2" name="objective">
-                     <prop name="label">AT-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security awareness and training
-                        policy are to be disseminated;</p>
-                  </part>
-                  <part id="at-1.a.1_obj.3" name="objective">
-                     <prop name="label">AT-1(a)(1)[3]</prop>
-                     <p>disseminates the security awareness and training policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="at-1.a.2_obj" name="objective">
-                  <prop name="label">AT-1(a)(2)</prop>
-                  <part id="at-1.a.2_obj.1" name="objective">
-                     <prop name="label">AT-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security awareness and training policy and associated awareness and training
-                        controls;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.2" name="objective">
-                     <prop name="label">AT-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.3" name="objective">
-                     <prop name="label">AT-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-1.b_obj" name="objective">
-               <prop name="label">AT-1(b)</prop>
-               <part id="at-1.b.1_obj" name="objective">
-                  <prop name="label">AT-1(b)(1)</prop>
-                  <part id="at-1.b.1_obj.1" name="objective">
-                     <prop name="label">AT-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training policy;</p>
-                  </part>
-                  <part id="at-1.b.1_obj.2" name="objective">
-                     <prop name="label">AT-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security awareness and training policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="at-1.b.2_obj" name="objective">
-                  <prop name="label">AT-1(b)(2)</prop>
-                  <part id="at-1.b.2_obj.1" name="objective">
-                     <prop name="label">AT-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training procedures; and</p>
-                  </part>
-                  <part id="at-1.b.2_obj.2" name="objective">
-                     <prop name="label">AT-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security awareness and training procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security awareness and training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-2">
-         <title>Security Awareness Training</title>
-         <param id="at-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-2</prop>
-         <prop name="sort-id">at-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-2_smt" name="statement">
-            <p>The organization provides basic security awareness training to information system
-               users (including managers, senior executives, and contractors):</p>
-            <part id="at-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>As part of initial training for new users;</p>
-            </part>
-            <part id="at-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-2_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-2_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security awareness training and
-               security awareness techniques based on the specific organizational requirements and
-               the information systems to which personnel have authorized access. The content
-               includes a basic understanding of the need for information security and user actions
-               to maintain security and to respond to suspected security incidents. The content also
-               addresses awareness of the need for operations security. Security awareness
-               techniques can include, for example, displaying posters, offering supplies inscribed
-               with security reminders, generating email advisories/notices from senior
-               organizational officials, displaying logon screen messages, and conducting
-               information security awareness events.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="at-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-2.a_obj" name="objective">
-               <prop name="label">AT-2(a)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) as part of initial training for new
-                  users;</p>
-            </part>
-            <part id="at-2.b_obj" name="objective">
-               <prop name="label">AT-2(b)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) when required by information system
-                  changes; and</p>
-            </part>
-            <part id="at-2.c_obj" name="objective">
-               <prop name="label">AT-2(c)</prop>
-               <part id="at-2.c_obj.1" name="objective">
-                  <prop name="label">AT-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher security awareness training
-                     thereafter to information system users (including managers, senior executives,
-                     and contractors); and</p>
-               </part>
-               <part id="at-2.c_obj.2" name="objective">
-                  <prop name="label">AT-2(c)[2]</prop>
-                  <p>provides refresher security awareness training to information users (including
-                     managers, senior executives, and contractors) with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security awareness training implementation</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>security awareness training curriculum</p>
-               <p>security awareness training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for security awareness training</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel comprising the general information system user
-                  community</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing security awareness training</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-3">
-         <title>Role-based Security Training</title>
-         <param id="at-3_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-3</prop>
-         <prop name="sort-id">at-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-3_smt" name="statement">
-            <p>The organization provides role-based security training to personnel with assigned
-               security roles and responsibilities:</p>
-            <part id="at-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Before authorizing access to the information system or performing assigned
-                  duties;</p>
-            </part>
-            <part id="at-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-3_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-3_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security training based on the
-               assigned roles and responsibilities of individuals and the specific security
-               requirements of organizations and the information systems to which personnel have
-               authorized access. In addition, organizations provide enterprise architects,
-               information system developers, software developers, acquisition/procurement
-               officials, information system managers, system/network administrators, personnel
-               conducting configuration management and auditing activities, personnel performing
-               independent verification and validation activities, security control assessors, and
-               other personnel having access to system-level software, adequate security-related
-               technical training specifically tailored for their assigned duties. Comprehensive
-               role-based training addresses management, operational, and technical roles and
-               responsibilities covering physical, personnel, and technical safeguards and
-               countermeasures. Such training can include for example, policies, procedures, tools,
-               and artifacts for the organizational security roles defined. Organizations also
-               provide the training necessary for individuals to carry out their responsibilities
-               related to operations and supply chain security within the context of organizational
-               information security programs. Role-based security training also applies to
-               contractors providing services to federal agencies.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-16">SA-16</link>
-         </part>
-         <part id="at-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-3.a_obj" name="objective">
-               <prop name="label">AT-3(a)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities before authorizing access to the information system or
-                  performing assigned duties;</p>
-            </part>
-            <part id="at-3.b_obj" name="objective">
-               <prop name="label">AT-3(b)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities when required by information system changes; and</p>
-            </part>
-            <part id="at-3.c_obj" name="objective">
-               <prop name="label">AT-3(c)</prop>
-               <part id="at-3.c_obj.1" name="objective">
-                  <prop name="label">AT-3(c)[1]</prop>
-                  <p>defines the frequency to provide refresher role-based security training
-                     thereafter to personnel with assigned security roles and responsibilities;
-                     and</p>
-               </part>
-               <part id="at-3.c_obj.2" name="objective">
-                  <prop name="label">AT-3(c)[2]</prop>
-                  <p>provides refresher role-based security training to personnel with assigned
-                     security roles and responsibilities with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training implementation</p>
-               <p>codes of federal regulations</p>
-               <p>security training curriculum</p>
-               <p>security training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for role-based security
-                  training</p>
-               <p>organizational personnel with assigned information system security roles and
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing role-based security training</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-4">
-         <title>Security Training Records</title>
-         <param id="at-4_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">AT-4</prop>
-         <prop name="sort-id">at-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="at-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Documents and monitors individual information system security training activities
-                  including basic security awareness training and specific information system
-                  security training; and</p>
-            </part>
-            <part id="at-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains individual training records for <insert param-id="at-4_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="at-4_gdn" name="guidance">
-            <p>Documentation for specialized training may be maintained by individual supervisors at
-               the option of the organization.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-14">PM-14</link>
-         </part>
-         <part id="at-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-4.a_obj" name="objective">
-               <prop name="label">AT-4(a)</prop>
-               <part id="at-4.a_obj.1" name="objective">
-                  <prop name="label">AT-4(a)[1]</prop>
-                  <p>documents individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.1.a" name="objective">
-                     <prop name="label">AT-4(a)[1][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.1.b" name="objective">
-                     <prop name="label">AT-4(a)[1][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-               <part id="at-4.a_obj.2" name="objective">
-                  <prop name="label">AT-4(a)[2]</prop>
-                  <p>monitors individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.2.a" name="objective">
-                     <prop name="label">AT-4(a)[2][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.2.b" name="objective">
-                     <prop name="label">AT-4(a)[2][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-4.b_obj" name="objective">
-               <prop name="label">AT-4(b)</prop>
-               <part id="at-4.b_obj.1" name="objective">
-                  <prop name="label">AT-4(b)[1]</prop>
-                  <p>defines a time period to retain individual training records; and</p>
-               </part>
-               <part id="at-4.b_obj.2" name="objective">
-                  <prop name="label">AT-4(b)[2]</prop>
-                  <p>retains individual training records for the organization-defined time
-                     period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training records</p>
-               <p>security awareness and training records</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security training record retention
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting management of security training records</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="au">
-      <title>Audit and Accountability</title>
-      <control class="SP800-53" id="au-1">
-         <title>Audit and Accountability Policy and Procedures</title>
-         <param id="au-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="au-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AU-1</prop>
-         <prop name="sort-id">au-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="au-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="au-1_prm_1"/>:</p>
-               <part id="au-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An audit and accountability policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="au-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the audit and accountability
-                     policy and associated audit and accountability controls; and</p>
-               </part>
-            </part>
-            <part id="au-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="au-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Audit and accountability policy <insert param-id="au-1_prm_2"/>; and</p>
-               </part>
-               <part id="au-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Audit and accountability procedures <insert param-id="au-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AU
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="au-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-1.a_obj" name="objective">
-               <prop name="label">AU-1(a)</prop>
-               <part id="au-1.a.1_obj" name="objective">
-                  <prop name="label">AU-1(a)(1)</prop>
-                  <part id="au-1.a.1_obj.1" name="objective">
-                     <prop name="label">AU-1(a)(1)[1]</prop>
-                     <p>develops and documents an audit and accountability policy that
-                        addresses:</p>
-                     <part id="au-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="au-1.a.1_obj.2" name="objective">
-                     <prop name="label">AU-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the audit and accountability policy are
-                        to be disseminated;</p>
-                  </part>
-                  <part id="au-1.a.1_obj.3" name="objective">
-                     <prop name="label">AU-1(a)(1)[3]</prop>
-                     <p>disseminates the audit and accountability policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="au-1.a.2_obj" name="objective">
-                  <prop name="label">AU-1(a)(2)</prop>
-                  <part id="au-1.a.2_obj.1" name="objective">
-                     <prop name="label">AU-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        audit and accountability policy and associated audit and accountability
-                        controls;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.2" name="objective">
-                     <prop name="label">AU-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.3" name="objective">
-                     <prop name="label">AU-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-1.b_obj" name="objective">
-               <prop name="label">AU-1(b)</prop>
-               <part id="au-1.b.1_obj" name="objective">
-                  <prop name="label">AU-1(b)(1)</prop>
-                  <part id="au-1.b.1_obj.1" name="objective">
-                     <prop name="label">AU-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability policy;</p>
-                  </part>
-                  <part id="au-1.b.1_obj.2" name="objective">
-                     <prop name="label">AU-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current audit and accountability policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="au-1.b.2_obj" name="objective">
-                  <prop name="label">AU-1(b)(2)</prop>
-                  <part id="au-1.b.2_obj.1" name="objective">
-                     <prop name="label">AU-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability procedures; and</p>
-                  </part>
-                  <part id="au-1.b.2_obj.2" name="objective">
-                     <prop name="label">AU-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current audit and accountability procedures in
-                        accordance with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-2">
-         <title>Audit Events</title>
-         <param id="au-2_prm_1">
-            <label>organization-defined auditable events</label>
-         </param>
-         <param id="au-2_prm_2">
-            <label>organization-defined audited events (the subset of the auditable events defined
-               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-               identified event</label>
-         </param>
-         <prop name="label">AU-2</prop>
-         <prop name="sort-id">au-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="au-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines that the information system is capable of auditing the following
-                  events: <insert param-id="au-2_prm_1"/>;</p>
-            </part>
-            <part id="au-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents; and</p>
-            </part>
-            <part id="au-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Determines that the following events are to be audited within the information
-                  system: <insert param-id="au-2_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="au-2_gdn" name="guidance">
-            <p>An event is any observable occurrence in an organizational information system.
-               Organizations identify audit events as those events which are significant and
-               relevant to the security of information systems and the environments in which those
-               systems operate in order to meet specific and ongoing audit needs. Audit events can
-               include, for example, password changes, failed logons, or failed accesses related to
-               information systems, administrative privilege usage, PIV credential usage, or
-               third-party credential usage. In determining the set of auditable events,
-               organizations consider the auditing appropriate for each of the security controls to
-               be implemented. To balance auditing requirements with other information system needs,
-               this control also requires identifying that subset of auditable events that are
-               audited at a given point in time. For example, organizations may determine that
-               information systems must have the capability to log every file access both successful
-               and unsuccessful, but not activate that capability except for specific circumstances
-               due to the potential burden on system performance. Auditing requirements, including
-               the need for auditable events, may be referenced in other security controls and
-               control enhancements. Organizations also include auditable events that are required
-               by applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards. Audit records can be generated at various levels of abstraction, including
-               at the packet level as information traverses the network. Selecting the appropriate
-               level of abstraction is a critical aspect of an audit capability and can facilitate
-               the identification of root causes to problems. Organizations consider in the
-               definition of auditable events, the auditing necessary to cover related events such
-               as the steps in distributed, transaction-based processes (e.g., processes that are
-               distributed across multiple organizations) and actions that occur in service-oriented
-               architectures.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-2.a_obj" name="objective">
-               <prop name="label">AU-2(a)</prop>
-               <part id="au-2.a_obj.1" name="objective">
-                  <prop name="label">AU-2(a)[1]</prop>
-                  <p>defines the auditable events that the information system must be capable of
-                     auditing;</p>
-               </part>
-               <part id="au-2.a_obj.2" name="objective">
-                  <prop name="label">AU-2(a)[2]</prop>
-                  <p>determines that the information system is capable of auditing
-                     organization-defined auditable events;</p>
-               </part>
-            </part>
-            <part id="au-2.b_obj" name="objective">
-               <prop name="label">AU-2(b)</prop>
-               <p>coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2.c_obj" name="objective">
-               <prop name="label">AU-2(c)</prop>
-               <p>provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents;</p>
-            </part>
-            <part id="au-2.d_obj" name="objective">
-               <prop name="label">AU-2(d)</prop>
-               <part id="au-2.d_obj.1" name="objective">
-                  <prop name="label">AU-2(d)[1]</prop>
-                  <p>defines the subset of auditable events defined in AU-2a that are to be audited
-                     within the information system;</p>
-               </part>
-               <part id="au-2.d_obj.2" name="objective">
-                  <prop name="label">AU-2(d)[2]</prop>
-                  <p>determines that the subset of auditable events defined in AU-2a are to be
-                     audited within the information system; and</p>
-               </part>
-               <part id="au-2.d_obj.3" name="objective">
-                  <prop name="label">AU-2(d)[3]</prop>
-                  <p>determines the frequency of (or situation requiring) auditing for each
-                     identified event.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing auditable events</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>information system auditable events</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-3">
-         <title>Content of Audit Records</title>
-         <prop name="label">AU-3</prop>
-         <prop name="sort-id">au-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <part id="au-3_smt" name="statement">
-            <p>The information system generates audit records containing information that
-               establishes what type of event occurred, when the event occurred, where the event
-               occurred, the source of the event, the outcome of the event, and the identity of any
-               individuals or subjects associated with the event.</p>
-         </part>
-         <part id="au-3_gdn" name="guidance">
-            <p>Audit record content that may be necessary to satisfy the requirement of this
-               control, includes, for example, time stamps, source and destination addresses,
-               user/process identifiers, event descriptions, success/fail indications, filenames
-               involved, and access control or flow control rules invoked. Event outcomes can
-               include indicators of event success or failure and event-specific results (e.g., the
-               security state of the information system after the event occurred).</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-8">AU-8</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="au-3_obj" name="objective">
-            <p>Determine if the information system generates audit records containing information
-               that establishes: </p>
-            <part id="au-3_obj.1" name="objective">
-               <prop name="label">AU-3[1]</prop>
-               <p>what type of event occurred;</p>
-            </part>
-            <part id="au-3_obj.2" name="objective">
-               <prop name="label">AU-3[2]</prop>
-               <p>when the event occurred;</p>
-            </part>
-            <part id="au-3_obj.3" name="objective">
-               <prop name="label">AU-3[3]</prop>
-               <p>where the event occurred;</p>
-            </part>
-            <part id="au-3_obj.4" name="objective">
-               <prop name="label">AU-3[4]</prop>
-               <p>the source of the event;</p>
-            </part>
-            <part id="au-3_obj.5" name="objective">
-               <prop name="label">AU-3[5]</prop>
-               <p>the outcome of the event; and</p>
-            </part>
-            <part id="au-3_obj.6" name="objective">
-               <prop name="label">AU-3[6]</prop>
-               <p>the identity of any individuals or subjects associated with the event.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing content of audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of organization-defined auditable events</p>
-               <p>information system audit records</p>
-               <p>information system incident reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing of auditable
-                  events</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-4">
-         <title>Audit Storage Capacity</title>
-         <param id="au-4_prm_1">
-            <label>organization-defined audit record storage requirements</label>
-         </param>
-         <prop name="label">AU-4</prop>
-         <prop name="sort-id">au-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <part id="au-4_smt" name="statement">
-            <p>The organization allocates audit record storage capacity in accordance with <insert param-id="au-4_prm_1"/>.</p>
-         </part>
-         <part id="au-4_gdn" name="guidance">
-            <p>Organizations consider the types of auditing to be performed and the audit processing
-               requirements when allocating audit storage capacity. Allocating sufficient audit
-               storage capacity reduces the likelihood of such capacity being exceeded and resulting
-               in the potential loss or reduction of auditing capability.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-4_obj.1" name="objective">
-               <prop name="label">AU-4[1]</prop>
-               <p>defines audit record storage requirements; and</p>
-            </part>
-            <part id="au-4_obj.2" name="objective">
-               <prop name="label">AU-4[2]</prop>
-               <p>allocates audit record storage capacity in accordance with the
-                  organization-defined audit record storage requirements.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit storage capacity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit record storage requirements</p>
-               <p>audit record storage capability for information system components</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Audit record storage capacity and related configuration settings</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - Loss of availability of the audit data has been determined to have little or
-                  no impact to government business/mission needs.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-5">
-         <title>Response to Audit Processing Failures</title>
-         <param id="au-5_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-5_prm_2">
-            <label>organization-defined actions to be taken (e.g., shut down information system,
-               overwrite oldest audit records, stop generating audit records)</label>
-            <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-         </param>
-         <prop name="label">AU-5</prop>
-         <prop name="sort-id">au-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <part id="au-5_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Alerts <insert param-id="au-5_prm_1"/> in the event of an audit processing
-                  failure; and</p>
-            </part>
-            <part id="au-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Takes the following additional actions: <insert param-id="au-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="au-5_gdn" name="guidance">
-            <p>Audit processing failures include, for example, software/hardware errors, failures in
-               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-               Organizations may choose to define additional actions for different audit processing
-               failures (e.g., by type, by location, by severity, or a combination of such factors).
-               This control applies to each audit data storage repository (i.e., distinct
-               information system component where audit records are stored), the total audit storage
-               capacity of organizations (i.e., all audit data storage repositories combined), or
-               both.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#si-12">SI-12</link>
-         </part>
-         <part id="au-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-5.a_obj" name="objective">
-               <prop name="label">AU-5(a)</prop>
-               <part id="au-5.a_obj.1" name="objective">
-                  <prop name="label">AU-5(a)[1]</prop>
-                  <p>the organization defines the personnel or roles to be alerted in the event of
-                     an audit processing failure;</p>
-               </part>
-               <part id="au-5.a_obj.2" name="objective">
-                  <prop name="label">AU-5(a)[2]</prop>
-                  <p>the information system alerts the organization-defined personnel or roles in
-                     the event of an audit processing failure;</p>
-               </part>
-            </part>
-            <part id="au-5.b_obj" name="objective">
-               <prop name="label">AU-5(b)</prop>
-               <part id="au-5.b_obj.1" name="objective">
-                  <prop name="label">AU-5(b)[1]</prop>
-                  <p>the organization defines additional actions to be taken (e.g., shutdown
-                     information system, overwrite oldest audit records, stop generating audit
-                     records) in the event of an audit processing failure; and</p>
-               </part>
-               <part id="au-5.b_obj.2" name="objective">
-                  <prop name="label">AU-5(b)[2]</prop>
-                  <p>the information system takes the additional organization-defined actions in the
-                     event of an audit processing failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing response to audit processing failures</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of personnel to be notified in case of an audit processing failure</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system response to audit processing
-                  failures</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-6">
-         <title>Audit Review, Analysis, and Reporting</title>
-         <param id="au-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least weekly</constraint>
-         </param>
-         <param id="au-6_prm_2">
-            <label>organization-defined inappropriate or unusual activity</label>
-         </param>
-         <param id="au-6_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-6</prop>
-         <prop name="sort-id">au-06</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <part id="au-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and analyzes information system audit records <insert param-id="au-6_prm_1"/> for indications of <insert param-id="au-6_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="au-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports findings to <insert param-id="au-6_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="au-6_gdn" name="guidance">
-            <p>Audit review, analysis, and reporting covers information security-related auditing
-               performed by organizations including, for example, auditing that results from
-               monitoring of account usage, remote access, wireless connectivity, mobile device
-               connection, configuration settings, system component inventory, use of maintenance
-               tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-               delivery and removal, communications at the information system boundaries, use of
-               mobile code, and use of VoIP. Findings can be reported to organizational entities
-               that include, for example, incident response team, help desk, information security
-               group/department. If organizations are prohibited from reviewing and analyzing audit
-               information or unable to conduct such activities (e.g., in certain national security
-               applications or systems), the review/analysis may be carried out by other
-               organizations granted such authority.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-10">CM-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#pe-14">PE-14</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-18">SC-18</link>
-            <link rel="related" href="#sc-19">SC-19</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="au-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-6.a_obj" name="objective">
-               <prop name="label">AU-6(a)</prop>
-               <part id="au-6.a_obj.1" name="objective">
-                  <prop name="label">AU-6(a)[1]</prop>
-                  <p>defines the types of inappropriate or unusual activity to look for when
-                     information system audit records are reviewed and analyzed;</p>
-               </part>
-               <part id="au-6.a_obj.2" name="objective">
-                  <prop name="label">AU-6(a)[2]</prop>
-                  <p>defines the frequency to review and analyze information system audit records
-                     for indications of organization-defined inappropriate or unusual activity;</p>
-               </part>
-               <part id="au-6.a_obj.3" name="objective">
-                  <prop name="label">AU-6(a)[3]</prop>
-                  <p>reviews and analyzes information system audit records for indications of
-                     organization-defined inappropriate or unusual activity with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="au-6.b_obj" name="objective">
-               <prop name="label">AU-6(b)</prop>
-               <part id="au-6.b_obj.1" name="objective">
-                  <prop name="label">AU-6(b)[1]</prop>
-                  <p>defines personnel or roles to whom findings resulting from reviews and analysis
-                     of information system audit records are to be reported; and</p>
-               </part>
-               <part id="au-6.b_obj.2" name="objective">
-                  <prop name="label">AU-6(b)[2]</prop>
-                  <p>reports findings to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit review, analysis, and reporting</p>
-               <p>reports of audit findings</p>
-               <p>records of actions taken in response to reviews/analyses of audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit review, analysis, and reporting
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-8">
-         <title>Time Stamps</title>
-         <param id="au-8_prm_1">
-            <label>organization-defined granularity of time measurement</label>
-         </param>
-         <prop name="label">AU-8</prop>
-         <prop name="sort-id">au-08</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="au-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses internal system clocks to generate time stamps for audit records; and</p>
-            </part>
-            <part id="au-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Records time stamps for audit records that can be mapped to Coordinated Universal
-                  Time (UTC) or Greenwich Mean Time (GMT) and meets <insert param-id="au-8_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="au-8_gdn" name="guidance">
-            <p>Time stamps generated by the information system include date and time. Time is
-               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-               measurements refers to the degree of synchronization between information system
-               clocks and reference clocks, for example, clocks synchronizing within hundreds of
-               milliseconds or within tens of milliseconds. Organizations may define different time
-               granularities for different system components. Time service can also be critical to
-               other security capabilities such as access control and identification and
-               authentication, depending on the nature of the mechanisms used to support those
-               capabilities.</p>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-         </part>
-         <part id="au-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-8.a_obj" name="objective">
-               <prop name="label">AU-8(a)</prop>
-               <p>the information system uses internal system clocks to generate time stamps for
-                  audit records;</p>
-            </part>
-            <part id="au-8.b_obj" name="objective">
-               <prop name="label">AU-8(b)</prop>
-               <part id="au-8.b_obj.1" name="objective">
-                  <prop name="label">AU-8(b)[1]</prop>
-                  <p>the information system records time stamps for audit records that can be mapped
-                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);</p>
-               </part>
-               <part id="au-8.b_obj.2" name="objective">
-                  <prop name="label">AU-8(b)[2]</prop>
-                  <p>the organization defines the granularity of time measurement to be met when
-                     recording time stamps for audit records; and</p>
-               </part>
-               <part id="au-8.b_obj.3" name="objective">
-                  <prop name="label">AU-8(b)[3]</prop>
-                  <p>the organization records time stamps for audit records that meet the
-                     organization-defined granularity of time measurement.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing time stamp generation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing time stamp generation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-9">
-         <title>Protection of Audit Information</title>
-         <prop name="label">AU-9</prop>
-         <prop name="sort-id">au-09</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="au-9_smt" name="statement">
-            <p>The information system protects audit information and audit tools from unauthorized
-               access, modification, and deletion.</p>
-         </part>
-         <part id="au-9_gdn" name="guidance">
-            <p>Audit information includes all information (e.g., audit records, audit settings, and
-               audit reports) needed to successfully audit information system activity. This control
-               focuses on technical protection of audit information. Physical protection of audit
-               information is addressed by media protection controls and physical and environmental
-               protection controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-         </part>
-         <part id="au-9_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="au-9_obj.1" name="objective">
-               <prop name="label">AU-9[1]</prop>
-               <p>the information system protects audit information from unauthorized:</p>
-               <part id="au-9_obj.1.a" name="objective">
-                  <prop name="label">AU-9[1][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.1.b" name="objective">
-                  <prop name="label">AU-9[1][b]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="au-9_obj.1.c" name="objective">
-                  <prop name="label">AU-9[1][c]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="au-9_obj.2" name="objective">
-               <prop name="label">AU-9[2]</prop>
-               <p>the information system protects audit tools from unauthorized:</p>
-               <part id="au-9_obj.2.a" name="objective">
-                  <prop name="label">AU-9[2][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.2.b" name="objective">
-                  <prop name="label">AU-9[2][b]</prop>
-                  <p>modification; and</p>
-               </part>
-               <part id="au-9_obj.2.c" name="objective">
-                  <prop name="label">AU-9[2][c]</prop>
-                  <p>deletion.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>access control policy and procedures</p>
-               <p>procedures addressing protection of audit information</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation,
-                  information system audit records</p>
-               <p>audit tools</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit information protection</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-11">
-         <title>Audit Record Retention</title>
-         <param id="au-11_prm_1">
-            <label>organization-defined time period consistent with records retention policy</label>
-         </param>
-         <prop name="label">AU-11</prop>
-         <prop name="sort-id">au-11</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <part id="au-11_smt" name="statement">
-            <p>The organization retains audit records for <insert param-id="au-11_prm_1"/> to
-               provide support for after-the-fact investigations of security incidents and to meet
-               regulatory and organizational information retention requirements.</p>
-         </part>
-         <part id="au-11_gdn" name="guidance">
-            <p>Organizations retain audit records until it is determined that they are no longer
-               needed for administrative, legal, audit, or other operational purposes. This
-               includes, for example, retention and availability of audit records relative to
-               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-               Organizations develop standard categories of audit records relative to such types of
-               actions and standard response processes for each type of action. The National
-               Archives and Records Administration (NARA) General Records Schedules provide federal
-               policy on record retention.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="au-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-11_obj.1" name="objective">
-               <prop name="label">AU-11[1]</prop>
-               <p>defines a time period to retain audit records that is consistent with records
-                  retention policy;</p>
-            </part>
-            <part id="au-11_obj.2" name="objective">
-               <prop name="label">AU-11[2]</prop>
-               <p>retains audit records for the organization-defined time period consistent with
-                  records retention policy to:</p>
-               <part id="au-11_obj.2.a" name="objective">
-                  <prop name="label">AU-11[2][a]</prop>
-                  <p>provide support for after-the-fact investigations of security incidents;
-                     and</p>
-               </part>
-               <part id="au-11_obj.2.b" name="objective">
-                  <prop name="label">AU-11[2][b]</prop>
-                  <p>meet regulatory and organizational information retention requirements.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>audit record retention policy and procedures</p>
-               <p>security plan</p>
-               <p>organization-defined retention period for audit records</p>
-               <p>audit record archives</p>
-               <p>audit logs</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record retention responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - Loss of availability of the audit data has been determined as little or no
-                  impact to government business/mission needs.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-12">
-         <title>Audit Generation</title>
-         <param id="au-12_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="au-12_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-12</prop>
-         <prop name="sort-id">au-12</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="au-12_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-12_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides audit record generation capability for the auditable events defined in
-                  AU-2 a. at <insert param-id="au-12_prm_1"/>;</p>
-            </part>
-            <part id="au-12_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows <insert param-id="au-12_prm_2"/> to select which auditable events are to be
-                  audited by specific components of the information system; and</p>
-            </part>
-            <part id="au-12_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Generates audit records for the events defined in AU-2 d. with the content defined
-                  in AU-3.</p>
-            </part>
-         </part>
-         <part id="au-12_gdn" name="guidance">
-            <p>Audit records can be generated from many different information system components. The
-               list of audited events is the set of events for which audits are to be generated.
-               These events are typically a subset of all events for which the information system is
-               capable of generating audit records.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-         </part>
-         <part id="au-12_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-12.a_obj" name="objective">
-               <prop name="label">AU-12(a)</prop>
-               <part id="au-12.a_obj.1" name="objective">
-                  <prop name="label">AU-12(a)[1]</prop>
-                  <p>the organization defines the information system components which are to provide
-                     audit record generation capability for the auditable events defined in
-                     AU-2a;</p>
-               </part>
-               <part id="au-12.a_obj.2" name="objective">
-                  <prop name="label">AU-12(a)[2]</prop>
-                  <p>the information system provides audit record generation capability, for the
-                     auditable events defined in AU-2a, at organization-defined information system
-                     components;</p>
-               </part>
-            </part>
-            <part id="au-12.b_obj" name="objective">
-               <prop name="label">AU-12(b)</prop>
-               <part id="au-12.b_obj.1" name="objective">
-                  <prop name="label">AU-12(b)[1]</prop>
-                  <p>the organization defines the personnel or roles allowed to select which
-                     auditable events are to be audited by specific components of the information
-                     system;</p>
-               </part>
-               <part id="au-12.b_obj.2" name="objective">
-                  <prop name="label">AU-12(b)[2]</prop>
-                  <p>the information system allows the organization-defined personnel or roles to
-                     select which auditable events are to be audited by specific components of the
-                     system; and</p>
-               </part>
-            </part>
-            <part id="au-12.c_obj" name="objective">
-               <prop name="label">AU-12(c)</prop>
-               <p>the information system generates audit records for the events defined in AU-2d
-                  with the content in defined in AU-3.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit record generation</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of auditable events</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record generation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit record generation capability</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ca">
-      <title>Security Assessment and Authorization</title>
-      <control class="SP800-53" id="ca-1">
-         <title>Security Assessment and Authorization Policy and Procedures</title>
-         <param id="ca-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ca-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ca-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-1</prop>
-         <prop name="sort-id">ca-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ca-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ca-1_prm_1"/>:</p>
-               <part id="ca-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security assessment and authorization policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ca-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security assessment and
-                     authorization policy and associated security assessment and authorization
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ca-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ca-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security assessment and authorization policy <insert param-id="ca-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ca-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security assessment and authorization procedures <insert param-id="ca-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ca-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-1.a_obj" name="objective">
-               <prop name="label">CA-1(a)</prop>
-               <part id="ca-1.a.1_obj" name="objective">
-                  <prop name="label">CA-1(a)(1)</prop>
-                  <part id="ca-1.a.1_obj.1" name="objective">
-                     <prop name="label">CA-1(a)(1)[1]</prop>
-                     <p>develops and documents a security assessment and authorization policy that
-                        addresses:</p>
-                     <part id="ca-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ca-1.a.1_obj.2" name="objective">
-                     <prop name="label">CA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security assessment and authorization
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.1_obj.3" name="objective">
-                     <prop name="label">CA-1(a)(1)[3]</prop>
-                     <p>disseminates the security assessment and authorization policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ca-1.a.2_obj" name="objective">
-                  <prop name="label">CA-1(a)(2)</prop>
-                  <part id="ca-1.a.2_obj.1" name="objective">
-                     <prop name="label">CA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security assessment and authorization policy and associated assessment and
-                        authorization controls;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.2" name="objective">
-                     <prop name="label">CA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.3" name="objective">
-                     <prop name="label">CA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-1.b_obj" name="objective">
-               <prop name="label">CA-1(b)</prop>
-               <part id="ca-1.b.1_obj" name="objective">
-                  <prop name="label">CA-1(b)(1)</prop>
-                  <part id="ca-1.b.1_obj.1" name="objective">
-                     <prop name="label">CA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization policy;</p>
-                  </part>
-                  <part id="ca-1.b.1_obj.2" name="objective">
-                     <prop name="label">CA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ca-1.b.2_obj" name="objective">
-                  <prop name="label">CA-1(b)(2)</prop>
-                  <part id="ca-1.b.2_obj.1" name="objective">
-                     <prop name="label">CA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization procedures; and</p>
-                  </part>
-                  <part id="ca-1.b.2_obj.2" name="objective">
-                     <prop name="label">CA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment and authorization
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-2">
-         <title>Security Assessments</title>
-         <param id="ca-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ca-2_prm_2">
-            <label>organization-defined individuals or roles</label>
-            <constraint>individuals or roles to include FedRAMP PMO</constraint>
-         </param>
-         <prop name="label">CA-2</prop>
-         <prop name="sort-id">ca-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Assessment procedures to be used to determine security control effectiveness;
-                     and</p>
-               </part>
-               <part id="ca-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Assessment environment, assessment team, and assessment roles and
-                     responsibilities;</p>
-               </part>
-            </part>
-            <part id="ca-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assesses the security controls in the information system and its environment of
-                  operation <insert param-id="ca-2_prm_1"/> to determine the extent to which the
-                  controls are implemented correctly, operating as intended, and producing the
-                  desired outcome with respect to meeting established security requirements;</p>
-            </part>
-            <part id="ca-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Produces a security assessment report that documents the results of the
-                  assessment; and</p>
-            </part>
-            <part id="ca-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Provides the results of the security control assessment to <insert param-id="ca-2_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="ca-2_gdn" name="guidance">
-            <p>Organizations assess security controls in organizational information systems and the
-               environments in which those systems operate as part of: (i) initial and ongoing
-               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-               and (iv) system development life cycle activities. Security assessments: (i) ensure
-               that information security is built into organizational information systems; (ii)
-               identify weaknesses and deficiencies early in the development process; (iii) provide
-               essential information needed to make risk-based decisions as part of security
-               authorization processes; and (iv) ensure compliance to vulnerability mitigation
-               procedures. Assessments are conducted on the implemented security controls from
-               Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-               in System Security Plans and Information Security Program Plans. Organizations can
-               use other types of assessment activities such as vulnerability scanning and system
-               monitoring to maintain the security posture of information systems during the entire
-               life cycle. Security assessment reports document assessment results in sufficient
-               detail as deemed necessary by organizations, to determine the accuracy and
-               completeness of the reports and whether the security controls are implemented
-               correctly, operating as intended, and producing the desired outcome with respect to
-               meeting security requirements. The FISMA requirement for assessing security controls
-               at least annually does not require additional assessment activities to those
-               activities already in place in organizational security authorization processes.
-               Security assessment results are provided to the individuals or roles appropriate for
-               the types of assessments being conducted. For example, assessments conducted in
-               support of security authorization decisions are provided to authorizing officials or
-               authorizing official designated representatives. To satisfy annual assessment
-               requirements, organizations can use assessment results from the following sources:
-               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-               or (iii) system development life cycle activities. Organizations ensure that security
-               assessment results are current, relevant to the determination of security control
-               effectiveness, and obtained with the appropriate level of assessor independence.
-               Existing security control assessment results can be reused to the extent that the
-               results are still valid and can also be supplemented with additional assessments as
-               needed. Subsequent to initial authorizations and in accordance with OMB policy,
-               organizations assess security controls during continuous monitoring. Organizations
-               establish the frequency for ongoing security control assessments in accordance with
-               organizational continuous monitoring strategies. Information Assurance Vulnerability
-               Alerts provide useful examples of vulnerability mitigation procedures. External
-               audits (e.g., audits by external entities such as regulatory agencies) are outside
-               the scope of this control.</p>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-2.a_obj" name="objective">
-               <prop name="label">CA-2(a)</prop>
-               <p>develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2.a.1_obj" name="objective">
-                  <prop name="label">CA-2(a)(1)</prop>
-                  <p>security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2.a.2_obj" name="objective">
-                  <prop name="label">CA-2(a)(2)</prop>
-                  <p>assessment procedures to be used to determine security control
-                     effectiveness;</p>
-               </part>
-               <part id="ca-2.a.3_obj" name="objective">
-                  <prop name="label">CA-2(a)(3)</prop>
-                  <part id="ca-2.a.3_obj.1" name="objective">
-                     <prop name="label">CA-2(a)(3)[1]</prop>
-                     <p>assessment environment;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.2" name="objective">
-                     <prop name="label">CA-2(a)(3)[2]</prop>
-                     <p>assessment team;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.3" name="objective">
-                     <prop name="label">CA-2(a)(3)[3]</prop>
-                     <p>assessment roles and responsibilities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.b_obj" name="objective">
-               <prop name="label">CA-2(b)</prop>
-               <part id="ca-2.b_obj.1" name="objective">
-                  <prop name="label">CA-2(b)[1]</prop>
-                  <p>defines the frequency to assess the security controls in the information system
-                     and its environment of operation;</p>
-               </part>
-               <part id="ca-2.b_obj.2" name="objective">
-                  <prop name="label">CA-2(b)[2]</prop>
-                  <p>assesses the security controls in the information system with the
-                     organization-defined frequency to determine the extent to which the controls
-                     are implemented correctly, operating as intended, and producing the desired
-                     outcome with respect to meeting established security requirements;</p>
-               </part>
-            </part>
-            <part id="ca-2.c_obj" name="objective">
-               <prop name="label">CA-2(c)</prop>
-               <p>produces a security assessment report that documents the results of the
-                  assessment;</p>
-            </part>
-            <part id="ca-2.d_obj" name="objective">
-               <prop name="label">CA-2(d)</prop>
-               <part id="ca-2.d_obj.1" name="objective">
-                  <prop name="label">CA-2(d)[1]</prop>
-                  <p>defines individuals or roles to whom the results of the security control
-                     assessment are to be provided; and</p>
-               </part>
-               <part id="ca-2.d_obj.2" name="objective">
-                  <prop name="label">CA-2(d)[2]</prop>
-                  <p>provides the results of the security control assessment to organization-defined
-                     individuals or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security assessment planning</p>
-               <p>procedures addressing security assessments</p>
-               <p>security assessment plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting security assessment, security assessment plan
-                  development, and/or security assessment reporting</p>
-            </part>
-         </part>
-         <part id="ca-2_fr" name="item">
-            <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-            <part id="ca-2_fr_gdn.1" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                     Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-               </p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-2.1">
-            <title>Independent Assessors</title>
-            <param id="ca-2.1_prm_1">
-               <label>organization-defined level of independence</label>
-            </param>
-            <prop name="label">CA-2(1)</prop>
-            <prop name="sort-id">ca-02.01</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part id="ca-2.1_smt" name="statement">
-               <p>The organization employs assessors or assessment teams with <insert param-id="ca-2.1_prm_1"/> to conduct security control assessments.</p>
-            </part>
-            <part id="ca-2.1_gdn" name="guidance">
-               <p>Independent assessors or assessment teams are individuals or groups who conduct
-                  impartial assessments of organizational information systems. Impartiality implies
-                  that assessors are free from any perceived or actual conflicts of interest with
-                  regard to the development, operation, or management of the organizational
-                  information systems under assessment or to the determination of security control
-                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                  or conflicting interest with the organizations where the assessments are being
-                  conducted; (ii) assess their own work; (iii) act as management or employees of the
-                  organizations they are serving; or (iv) place themselves in positions of advocacy
-                  for the organizations acquiring their services. Independent assessments can be
-                  obtained from elements within organizations or can be contracted to public or
-                  private sector entities outside of organizations. Authorizing officials determine
-                  the required level of independence based on the security categories of information
-                  systems and/or the ultimate risk to organizational operations, organizational
-                  assets, or individuals. Authorizing officials also determine if the level of
-                  assessor independence provides sufficient assurance that the results are sound and
-                  can be used to make credible, risk-based decisions. This includes determining
-                  whether contracted security assessment services have sufficient independence, for
-                  example, when information system owners are not directly involved in contracting
-                  processes or cannot unduly influence the impartiality of assessors conducting
-                  assessments. In special situations, for example, when organizations that own the
-                  information systems are small or organizational structures require that
-                  assessments are conducted by individuals that are in the developmental,
-                  operational, or management chain of system owners, independence in assessment
-                  processes can be achieved by ensuring that assessment results are carefully
-                  reviewed and analyzed by independent teams of experts to validate the
-                  completeness, accuracy, integrity, and reliability of the results. Organizations
-                  recognize that assessments performed for purposes other than direct support to
-                  authorization decisions are, when performed by assessors with sufficient
-                  independence, more likely to be useable for such decisions, thereby reducing the
-                  need to repeat assessments.</p>
-            </part>
-            <part id="ca-2.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.1_obj.1" name="objective">
-                  <prop name="label">CA-2(1)[1]</prop>
-                  <p>defines the level of independence to be employed to conduct security control
-                     assessments; and</p>
-               </part>
-               <part id="ca-2.1_obj.2" name="objective">
-                  <prop name="label">CA-2(1)[2]</prop>
-                  <p>employs assessors or assessment teams with the organization-defined level of
-                     independence to conduct security control assessments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security authorization package (including security plan, security assessment
-                     plan, security assessment report, plan of action and milestones, authorization
-                     statement)</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-3">
-         <title>System Interconnections</title>
-         <param id="ca-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually and on input from FedRAMP</constraint>
-         </param>
-         <prop name="label">CA-3</prop>
-         <prop name="sort-id">ca-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#2711f068-734e-4afd-94ba-0b22247fbc88" rel="reference">NIST Special Publication 800-47</link>
-         <part id="ca-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each interconnection, the interface characteristics, security
-                  requirements, and the nature of the information communicated; and</p>
-            </part>
-            <part id="ca-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates Interconnection Security Agreements <insert param-id="ca-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ca-3_gdn" name="guidance">
-            <p>This control applies to dedicated connections between information systems (i.e.,
-               system interconnections) and does not apply to transitory, user-controlled
-               connections such as email and website browsing. Organizations carefully consider the
-               risks that may be introduced when information systems are connected to other systems
-               with different security requirements and security controls, both within organizations
-               and external to organizations. Authorizing officials determine the risk associated
-               with information system connections and the appropriate controls employed. If
-               interconnecting systems have the same authorizing official, organizations do not need
-               to develop Interconnection Security Agreements. Instead, organizations can describe
-               the interface characteristics between those interconnecting systems in their
-               respective security plans. If interconnecting systems have different authorizing
-               officials within the same organization, organizations can either develop
-               Interconnection Security Agreements or describe the interface characteristics between
-               systems in the security plans for the respective systems. Organizations may also
-               incorporate Interconnection Security Agreement information into formal contracts,
-               especially for interconnections established between federal agencies and nonfederal
-               (i.e., private sector) organizations. Risk considerations also include information
-               systems sharing the same networks. For certain technologies (e.g., space, unmanned
-               aerial vehicles, and medical devices), there may be specialized connections in place
-               during preoperational testing. Such connections may require Interconnection Security
-               Agreements and be subject to additional security controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-3.a_obj" name="objective">
-               <prop name="label">CA-3(a)</prop>
-               <p>authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3.b_obj" name="objective">
-               <prop name="label">CA-3(b)</prop>
-               <p>documents, for each interconnection:</p>
-               <part id="ca-3.b_obj.1" name="objective">
-                  <prop name="label">CA-3(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-3.b_obj.2" name="objective">
-                  <prop name="label">CA-3(b)[2]</prop>
-                  <p>the security requirements;</p>
-               </part>
-               <part id="ca-3.b_obj.3" name="objective">
-                  <prop name="label">CA-3(b)[3]</prop>
-                  <p>the nature of the information communicated;</p>
-               </part>
-            </part>
-            <part id="ca-3.c_obj" name="objective">
-               <prop name="label">CA-3(c)</prop>
-               <part id="ca-3.c_obj.1" name="objective">
-                  <prop name="label">CA-3(c)[1]</prop>
-                  <p>defines the frequency to review and update Interconnection Security Agreements;
-                     and</p>
-               </part>
-               <part id="ca-3.c_obj.2" name="objective">
-                  <prop name="label">CA-3(c)[2]</prop>
-                  <p>reviews and updates Interconnection Security Agreements with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>information system Interconnection Security Agreements</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  approving information system interconnection agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel managing the system(s) to which the Interconnection Security Agreement
-                  applies</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: There are connection(s) to external systems. Connections (if any) shall
-                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                  is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                  bi-directional. 4) Identify how the connection is secured.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-5">
-         <title>Plan of Action and Milestones</title>
-         <param id="ca-5_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="label">CA-5</prop>
-         <prop name="sort-id">ca-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#2c5884cd-7b96-425c-862a-99877e1cf909" rel="reference">OMB Memorandum 02-01</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <part id="ca-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a plan of action and milestones for the information system to document
-                  the organization’s planned remedial actions to correct weaknesses or deficiencies
-                  noted during the assessment of the security controls and to reduce or eliminate
-                  known vulnerabilities in the system; and</p>
-            </part>
-            <part id="ca-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates existing plan of action and milestones <insert param-id="ca-5_prm_1"/>
-                  based on the findings from security controls assessments, security impact
-                  analyses, and continuous monitoring activities.</p>
-            </part>
-         </part>
-         <part id="ca-5_gdn" name="guidance">
-            <p>Plans of action and milestones are key documents in security authorization packages
-               and are subject to federal reporting requirements established by OMB.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-4">PM-4</link>
-         </part>
-         <part id="ca-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-5.a_obj" name="objective">
-               <prop name="label">CA-5(a)</prop>
-               <p>develops a plan of action and milestones for the information system to:</p>
-               <part id="ca-5.a_obj.1" name="objective">
-                  <prop name="label">CA-5(a)[1]</prop>
-                  <p>document the organization’s planned remedial actions to correct weaknesses or
-                     deficiencies noted during the assessment of the security controls;</p>
-               </part>
-               <part id="ca-5.a_obj.2" name="objective">
-                  <prop name="label">CA-5(a)[2]</prop>
-                  <p>reduce or eliminate known vulnerabilities in the system;</p>
-               </part>
-            </part>
-            <part id="ca-5.b_obj" name="objective">
-               <prop name="label">CA-5(b)</prop>
-               <part id="ca-5.b_obj.1" name="objective">
-                  <prop name="label">CA-5(b)[1]</prop>
-                  <p>defines the frequency to update the existing plan of action and milestones;</p>
-               </part>
-               <part id="ca-5.b_obj.2" name="objective">
-                  <prop name="label">CA-5(b)[2]</prop>
-                  <p>updates the existing plan of action and milestones with the
-                     organization-defined frequency based on the findings from:</p>
-                  <part id="ca-5.b_obj.2.a" name="objective">
-                     <prop name="label">CA-5(b)[2][a]</prop>
-                     <p>security controls assessments;</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.b" name="objective">
-                     <prop name="label">CA-5(b)[2][b]</prop>
-                     <p>security impact analyses; and</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.c" name="objective">
-                     <prop name="label">CA-5(b)[2][c]</prop>
-                     <p>continuous monitoring activities.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing plan of action and milestones</p>
-               <p>security plan</p>
-               <p>security assessment plan</p>
-               <p>security assessment report</p>
-               <p>security assessment evidence</p>
-               <p>plan of action and milestones</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with plan of action and milestones development and
-                  implementation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms for developing, implementing, and maintaining plan of action
-                  and milestones</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring
-                  Requirements.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-6">
-         <title>Security Authorization</title>
-         <param id="ca-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three years or when a significant change occurs</constraint>
-         </param>
-         <prop name="label">CA-6</prop>
-         <prop name="sort-id">ca-06</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab" rel="reference">OMB Circular A-130</link>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations; and</p>
-            </part>
-            <part id="ca-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Updates the security authorization <insert param-id="ca-6_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ca-6_gdn" name="guidance">
-            <p>Security authorizations are official management decisions, conveyed through
-               authorization decision documents, by senior organizational officials or executives
-               (i.e., authorizing officials) to authorize operation of information systems and to
-               explicitly accept the risk to organizational operations and assets, individuals,
-               other organizations, and the Nation based on the implementation of agreed-upon
-               security controls. Authorizing officials provide budgetary oversight for
-               organizational information systems or assume responsibility for the mission/business
-               operations supported by those systems. The security authorization process is an
-               inherently federal responsibility and therefore, authorizing officials must be
-               federal employees. Through the security authorization process, authorizing officials
-               assume responsibility and are accountable for security risks associated with the
-               operation and use of organizational information systems. Accordingly, authorizing
-               officials are in positions with levels of authority commensurate with understanding
-               and accepting such information security-related risks. OMB policy requires that
-               organizations conduct ongoing authorizations of information systems by implementing
-               continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-               reauthorization requirements, so separate reauthorization processes are not
-               necessary. Through the employment of comprehensive continuous monitoring processes,
-               critical information contained in authorization packages (i.e., security plans,
-               security assessment reports, and plans of action and milestones) is updated on an
-               ongoing basis, providing authorizing officials and information system owners with an
-               up-to-date status of the security state of organizational information systems and
-               environments of operation. To reduce the administrative cost of security
-               reauthorization, authorizing officials use the results of continuous monitoring
-               processes to the maximum extent possible as the basis for rendering reauthorization
-               decisions.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-10">PM-10</link>
-         </part>
-         <part id="ca-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-6.a_obj" name="objective">
-               <prop name="label">CA-6(a)</prop>
-               <p>assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6.b_obj" name="objective">
-               <prop name="label">CA-6(b)</prop>
-               <p>ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations;</p>
-            </part>
-            <part id="ca-6.c_obj" name="objective">
-               <prop name="label">CA-6(c)</prop>
-               <part id="ca-6.c_obj.1" name="objective">
-                  <prop name="label">CA-6(c)[1]</prop>
-                  <p>defines the frequency to update the security authorization; and</p>
-               </part>
-               <part id="ca-6.c_obj.2" name="objective">
-                  <prop name="label">CA-6(c)[2]</prop>
-                  <p>updates the security authorization with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security authorization</p>
-               <p>security authorization package (including security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>authorization statement)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security authorization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms that facilitate security authorizations and updates</p>
-            </part>
-         </part>
-         <part id="ca-6_fr" name="item">
-            <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-            <part id="ca-6_fr_gdn.1" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                     Appendix F. The service provider describes the types of changes to the
-                     information system or the environment of operations that would impact the risk
-                     posture. The types of changes are approved and accepted by the Authorizing
-                     Official.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-7">
-         <title>Continuous Monitoring</title>
-         <param id="ca-7_prm_1">
-            <label>organization-defined metrics</label>
-         </param>
-         <param id="ca-7_prm_2">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_3">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_4">
-            <label>organization-defined personnel or roles</label>
-            <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-         </param>
-         <param id="ca-7_prm_5">
-            <label>organization-defined frequency</label>
-            <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-         </param>
-         <prop name="label">CA-7</prop>
-         <prop name="sort-id">ca-07</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb" rel="reference">US-CERT Technical Cyber Security Alerts</link>
-         <link href="#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b" rel="reference">DoD Information Assurance Vulnerability Alerts</link>
-         <part id="ca-7_smt" name="statement">
-            <p>The organization develops a continuous monitoring strategy and implements a
-               continuous monitoring program that includes:</p>
-            <part id="ca-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_1"/> to be monitored;</p>
-            </part>
-            <part id="ca-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_2"/> for monitoring and <insert param-id="ca-7_prm_3"/> for assessments supporting such monitoring;</p>
-            </part>
-            <part id="ca-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ongoing security control assessments in accordance with the organizational
-                  continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Ongoing security status monitoring of organization-defined metrics in accordance
-                  with the organizational continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Correlation and analysis of security-related information generated by assessments
-                  and monitoring;</p>
-            </part>
-            <part id="ca-7_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Response actions to address results of the analysis of security-related
-                  information; and</p>
-            </part>
-            <part id="ca-7_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Reporting the security status of organization and the information system to
-                     <insert param-id="ca-7_prm_4"/>
-                  <insert param-id="ca-7_prm_5"/>.</p>
-            </part>
-         </part>
-         <part id="ca-7_gdn" name="guidance">
-            <p>Continuous monitoring programs facilitate ongoing awareness of threats,
-               vulnerabilities, and information security to support organizational risk management
-               decisions. The terms continuous and ongoing imply that organizations assess/analyze
-               security controls and information security-related risks at a frequency sufficient to
-               support organizational risk-based decisions. The results of continuous monitoring
-               programs generate appropriate risk response actions by organizations. Continuous
-               monitoring programs also allow organizations to maintain the security authorizations
-               of information systems and common controls over time in highly dynamic environments
-               of operation with changing mission/business needs, threats, vulnerabilities, and
-               technologies. Having access to security-related information on a continuing basis
-               through reports/dashboards gives organizational officials the capability to make more
-               effective and timely risk management decisions, including ongoing security
-               authorization decisions. Automation supports more frequent updates to security
-               authorization packages, hardware/software/firmware inventories, and other system
-               information. Effectiveness is further enhanced when continuous monitoring outputs are
-               formatted to provide information that is specific, measurable, actionable, relevant,
-               and timely. Continuous monitoring activities are scaled in accordance with the
-               security categories of information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-6">PM-6</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ca-7.a_obj" name="objective">
-               <prop name="label">CA-7(a)</prop>
-               <part id="ca-7.a_obj.1" name="objective">
-                  <prop name="label">CA-7(a)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines metrics to be
-                     monitored;</p>
-               </part>
-               <part id="ca-7.a_obj.2" name="objective">
-                  <prop name="label">CA-7(a)[2]</prop>
-                  <p>develops a continuous monitoring strategy that includes monitoring of
-                     organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.a_obj.3" name="objective">
-                  <prop name="label">CA-7(a)[3]</prop>
-                  <p>implements a continuous monitoring program that includes monitoring of
-                     organization-defined metrics in accordance with the organizational continuous
-                     monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.b_obj" name="objective">
-               <prop name="label">CA-7(b)</prop>
-               <part id="ca-7.b_obj.1" name="objective">
-                  <prop name="label">CA-7(b)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines frequencies for
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.2" name="objective">
-                  <prop name="label">CA-7(b)[2]</prop>
-                  <p>defines frequencies for assessments supporting monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.3" name="objective">
-                  <prop name="label">CA-7(b)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes establishment of the
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.4" name="objective">
-                  <prop name="label">CA-7(b)[4]</prop>
-                  <p>implements a continuous monitoring program that includes establishment of
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     such monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.c_obj" name="objective">
-               <prop name="label">CA-7(c)</prop>
-               <part id="ca-7.c_obj.1" name="objective">
-                  <prop name="label">CA-7(c)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security
-                     control assessments;</p>
-               </part>
-               <part id="ca-7.c_obj.2" name="objective">
-                  <prop name="label">CA-7(c)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     control assessments in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.d_obj" name="objective">
-               <prop name="label">CA-7(d)</prop>
-               <part id="ca-7.d_obj.1" name="objective">
-                  <prop name="label">CA-7(d)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security status
-                     monitoring of organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.d_obj.2" name="objective">
-                  <prop name="label">CA-7(d)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     status monitoring of organization-defined metrics in accordance with the
-                     organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.e_obj" name="objective">
-               <prop name="label">CA-7(e)</prop>
-               <part id="ca-7.e_obj.1" name="objective">
-                  <prop name="label">CA-7(e)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.e_obj.2" name="objective">
-                  <prop name="label">CA-7(e)[2]</prop>
-                  <p>implements a continuous monitoring program that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.f_obj" name="objective">
-               <prop name="label">CA-7(f)</prop>
-               <part id="ca-7.f_obj.1" name="objective">
-                  <prop name="label">CA-7(f)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes response actions to
-                     address results of the analysis of security-related information;</p>
-               </part>
-               <part id="ca-7.f_obj.2" name="objective">
-                  <prop name="label">CA-7(f)[2]</prop>
-                  <p>implements a continuous monitoring program that includes response actions to
-                     address results of the analysis of security-related information in accordance
-                     with the organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.g_obj" name="objective">
-               <prop name="label">CA-7(g)</prop>
-               <part id="ca-7.g_obj.1" name="objective">
-                  <prop name="label">CA-7(g)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines the personnel or roles
-                     to whom the security status of the organization and information system are to
-                     be reported;</p>
-               </part>
-               <part id="ca-7.g_obj.2" name="objective">
-                  <prop name="label">CA-7(g)[2]</prop>
-                  <p>develops a continuous monitoring strategy that defines the frequency to report
-                     the security status of the organization and information system to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="ca-7.g_obj.3" name="objective">
-                  <prop name="label">CA-7(g)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes reporting the security
-                     status of the organization or information system to organizational-defined
-                     personnel or roles with the organization-defined frequency; and</p>
-               </part>
-               <part id="ca-7.g_obj.4" name="objective">
-                  <prop name="label">CA-7(g)[4]</prop>
-                  <p>implements a continuous monitoring program that includes reporting the security
-                     status of the organization and information system to organization-defined
-                     personnel or roles with the organization-defined frequency in accordance with
-                     the organizational continuous monitoring strategy.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing continuous monitoring of information system security
-                  controls</p>
-               <p>procedures addressing configuration management</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>information system monitoring records</p>
-               <p>configuration management records, security impact analyses</p>
-               <p>status reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with continuous monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Mechanisms implementing continuous monitoring</p>
-            </part>
-         </part>
-         <part id="ca-7_fr" name="item">
-            <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-            <part id="ca-7_fr_gdn.1" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>CSPs must provide evidence of closure and remediation of high vulnerabilities
-                     within the timeframe for standard POA&amp;M updates.</p>
-            </part>
-            <part id="ca-7_fr_gdn.2" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                     Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-               </p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-9">
-         <title>Internal System Connections</title>
-         <param id="ca-9_prm_1">
-            <label>organization-defined information system components or classes of
-               components</label>
-         </param>
-         <prop name="label">CA-9</prop>
-         <prop name="sort-id">ca-09</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="ca-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes internal connections of <insert param-id="ca-9_prm_1"/> to the
-                  information system; and</p>
-            </part>
-            <part id="ca-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each internal connection, the interface characteristics, security
-                  requirements, and the nature of the information communicated.</p>
-            </part>
-         </part>
-         <part id="ca-9_gdn" name="guidance">
-            <p>This control applies to connections between organizational information systems and
-               (separate) constituent system components (i.e., intra-system connections) including,
-               for example, system connections with mobile devices, notebook/desktop computers,
-               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-               authorizing each individual internal connection, organizations can authorize internal
-               connections for a class of components with common characteristics and/or
-               configurations, for example, all digital printers, scanners, and copiers with a
-               specified processing, storage, and transmission capability or all smart phones with a
-               specific baseline configuration.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-9.a_obj" name="objective">
-               <prop name="label">CA-9(a)</prop>
-               <part id="ca-9.a_obj.1" name="objective">
-                  <prop name="label">CA-9(a)[1]</prop>
-                  <p>defines information system components or classes of components to be authorized
-                     as internal connections to the information system;</p>
-               </part>
-               <part id="ca-9.a_obj.2" name="objective">
-                  <prop name="label">CA-9(a)[2]</prop>
-                  <p>authorizes internal connections of organization-defined information system
-                     components or classes of components to the information system;</p>
-               </part>
-            </part>
-            <part id="ca-9.b_obj" name="objective">
-               <prop name="label">CA-9(b)</prop>
-               <p>documents, for each internal connection:</p>
-               <part id="ca-9.b_obj.1" name="objective">
-                  <prop name="label">CA-9(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-9.b_obj.2" name="objective">
-                  <prop name="label">CA-9(b)[2]</prop>
-                  <p>the security requirements; and</p>
-               </part>
-               <part id="ca-9.b_obj.3" name="objective">
-                  <prop name="label">CA-9(b)[3]</prop>
-                  <p>the nature of the information communicated.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of components or classes of components authorized as internal system
-                  connections</p>
-               <p>security assessment report</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  authorizing internal system connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: There are connection(s) to external systems. Connections (if any) shall
-                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                  is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                  bi-directional. 4) Identify how the connection is secured.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="cm">
-      <title>Configuration Management</title>
-      <control class="SP800-53" id="cm-1">
-         <title>Configuration Management Policy and Procedures</title>
-         <param id="cm-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cm-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cm-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CM-1</prop>
-         <prop name="sort-id">cm-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cm-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cm-1_prm_1"/>:</p>
-               <part id="cm-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A configuration management policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cm-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the configuration management
-                     policy and associated configuration management controls; and</p>
-               </part>
-            </part>
-            <part id="cm-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cm-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Configuration management policy <insert param-id="cm-1_prm_2"/>; and</p>
-               </part>
-               <part id="cm-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Configuration management procedures <insert param-id="cm-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CM
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cm-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-1.a_obj" name="objective">
-               <prop name="label">CM-1(a)</prop>
-               <part id="cm-1.a.1_obj" name="objective">
-                  <prop name="label">CM-1(a)(1)</prop>
-                  <part id="cm-1.a.1_obj.1" name="objective">
-                     <prop name="label">CM-1(a)(1)[1]</prop>
-                     <p>develops and documents a configuration management policy that addresses:</p>
-                     <part id="cm-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cm-1.a.1_obj.2" name="objective">
-                     <prop name="label">CM-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the configuration management policy is to
-                        be disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.1_obj.3" name="objective">
-                     <prop name="label">CM-1(a)(1)[3]</prop>
-                     <p>disseminates the configuration management policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cm-1.a.2_obj" name="objective">
-                  <prop name="label">CM-1(a)(2)</prop>
-                  <part id="cm-1.a.2_obj.1" name="objective">
-                     <prop name="label">CM-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        configuration management policy and associated configuration management
-                        controls;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.2" name="objective">
-                     <prop name="label">CM-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.3" name="objective">
-                     <prop name="label">CM-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-1.b_obj" name="objective">
-               <prop name="label">CM-1(b)</prop>
-               <part id="cm-1.b.1_obj" name="objective">
-                  <prop name="label">CM-1(b)(1)</prop>
-                  <part id="cm-1.b.1_obj.1" name="objective">
-                     <prop name="label">CM-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management policy;</p>
-                  </part>
-                  <part id="cm-1.b.1_obj.2" name="objective">
-                     <prop name="label">CM-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current configuration management policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cm-1.b.2_obj" name="objective">
-                  <prop name="label">CM-1(b)(2)</prop>
-                  <part id="cm-1.b.2_obj.1" name="objective">
-                     <prop name="label">CM-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management procedures; and</p>
-                  </part>
-                  <part id="cm-1.b.2_obj.2" name="objective">
-                     <prop name="label">CM-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current configuration management procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-2">
-         <title>Baseline Configuration</title>
-         <prop name="label">CM-2</prop>
-         <prop name="sort-id">cm-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-2_smt" name="statement">
-            <p>The organization develops, documents, and maintains under configuration control, a
-               current baseline configuration of the information system.</p>
-         </part>
-         <part id="cm-2_gdn" name="guidance">
-            <p>This control establishes baseline configurations for information systems and system
-               components including communications and connectivity-related aspects of systems.
-               Baseline configurations are documented, formally reviewed and agreed-upon sets of
-               specifications for information systems or configuration items within those systems.
-               Baseline configurations serve as a basis for future builds, releases, and/or changes
-               to information systems. Baseline configurations include information about information
-               system components (e.g., standard software packages installed on workstations,
-               notebook computers, servers, network components, or mobile devices; current version
-               numbers and patch information on operating systems and applications; and
-               configuration settings/parameters), network topology, and the logical placement of
-               those components within the system architecture. Maintaining baseline configurations
-               requires creating new baselines as organizational information systems change over
-               time. Baseline configurations of information systems reflect the current enterprise
-               architecture.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-         </part>
-         <part id="cm-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-2_obj.1" name="objective">
-               <prop name="label">CM-2[1]</prop>
-               <p>develops and documents a current baseline configuration of the information system;
-                  and</p>
-            </part>
-            <part id="cm-2_obj.2" name="objective">
-               <prop name="label">CM-2[2]</prop>
-               <p>maintains, under configuration control, a current baseline configuration of the
-                  information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing the baseline configuration of the information system</p>
-               <p>configuration management plan</p>
-               <p>enterprise architecture documentation</p>
-               <p>information system design documentation</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>change control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing baseline configurations</p>
-               <p>automated mechanisms supporting configuration control of the baseline
-                  configuration</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-4">
-         <title>Security Impact Analysis</title>
-         <prop name="label">CM-4</prop>
-         <prop name="sort-id">cm-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-4_smt" name="statement">
-            <p>The organization analyzes changes to the information system to determine potential
-               security impacts prior to change implementation.</p>
-         </part>
-         <part id="cm-4_gdn" name="guidance">
-            <p>Organizational personnel with information security responsibilities (e.g.,
-               Information System Administrators, Information System Security Officers, Information
-               System Security Managers, and Information System Security Engineers) conduct security
-               impact analyses. Individuals conducting security impact analyses possess the
-               necessary skills/technical expertise to analyze the changes to information systems
-               and the associated security ramifications. Security impact analysis may include, for
-               example, reviewing security plans to understand security control requirements and
-               reviewing system design documentation to understand control implementation and how
-               specific changes might affect the controls. Security impact analyses may also include
-               assessments of risk to better understand the impact of the changes and to determine
-               if additional security controls are required. Security impact analyses are scaled in
-               accordance with the security categories of the information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="cm-4_obj" name="objective">
-            <p>Determine if the organization analyzes changes to the information system to determine
-               potential security impacts prior to change implementation.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing security impact analysis for changes to the information
-                  system</p>
-               <p>configuration management plan</p>
-               <p>security impact analysis documentation</p>
-               <p>analysis tools and associated outputs</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for conducting security impact
-                  analysis</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security impact analysis</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-6">
-         <title>Configuration Settings</title>
-         <param id="cm-6_prm_1">
-            <label>organization-defined security configuration checklists</label>
-            <constraint>see CM-6(a) Additional FedRAMP Requirements and Guidance</constraint>
-         </param>
-         <param id="cm-6_prm_2">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="cm-6_prm_3">
-            <label>organization-defined operational requirements</label>
-         </param>
-         <prop name="label">CM-6</prop>
-         <prop name="sort-id">cm-06</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#990268bf-f4a9-4c81-91ae-dc7d3115f4b1" rel="reference">OMB Memorandum 07-11</link>
-         <link href="#0b3d8ba9-051f-498d-81ea-97f0f018c612" rel="reference">OMB Memorandum 07-18</link>
-         <link href="#0916ef02-3618-411b-a525-565c088849a6" rel="reference">OMB Memorandum 08-22</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <link href="#e95dd121-2733-413e-bf1e-f1eb49f20a98" rel="reference">http://checklists.nist.gov</link>
-         <link href="#647b6de3-81d0-4d22-bec1-5f1333e34380" rel="reference">http://www.nsa.gov</link>
-         <part id="cm-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents configuration settings for information technology
-                  products employed within the information system using <insert param-id="cm-6_prm_1"/> that reflect the most restrictive mode consistent with
-                  operational requirements;</p>
-            </part>
-            <part id="cm-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements the configuration settings;</p>
-            </part>
-            <part id="cm-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies, documents, and approves any deviations from established configuration
-                  settings for <insert param-id="cm-6_prm_2"/> based on <insert param-id="cm-6_prm_3"/>; and</p>
-            </part>
-            <part id="cm-6_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Monitors and controls changes to the configuration settings in accordance with
-                  organizational policies and procedures.</p>
-            </part>
-         </part>
-         <part id="cm-6_gdn" name="guidance">
-            <p>Configuration settings are the set of parameters that can be changed in hardware,
-               software, or firmware components of the information system that affect the security
-               posture and/or functionality of the system. Information technology products for which
-               security-related configuration settings can be defined include, for example,
-               mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-               proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-               and data switches, wireless access points, network appliances, sensors), operating
-               systems, middleware, and applications. Security-related parameters are those
-               parameters impacting the security state of information systems including the
-               parameters required to satisfy other security control requirements. Security-related
-               parameters include, for example: (i) registry settings; (ii) account, file, directory
-               permission settings; and (iii) settings for functions, ports, protocols, services,
-               and remote connections. Organizations establish organization-wide configuration
-               settings and subsequently derive specific settings for information systems. The
-               established settings become part of the systems configuration baseline. Common secure
-               configurations (also referred to as security configuration checklists, lockdown and
-               hardening guides, security reference guides, security technical implementation
-               guides) provide recognized, standardized, and established benchmarks that stipulate
-               secure configuration settings for specific information technology platforms/products
-               and instructions for configuring those information system components to meet
-               operational requirements. Common secure configurations can be developed by a variety
-               of organizations including, for example, information technology product developers,
-               manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-               organizations in the public and private sectors. Common secure configurations include
-               the United States Government Configuration Baseline (USGCB) which affects the
-               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-               Content Automation Protocol (SCAP) and the defined standards within the protocol
-               (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-               identify, track, and control configuration settings. OMB establishes federal policy
-               on configuration requirements for federal information systems.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="cm-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-6.a_obj" name="objective">
-               <prop name="label">CM-6(a)</prop>
-               <part id="cm-6.a_obj.1" name="objective">
-                  <prop name="label">CM-6(a)[1]</prop>
-                  <p>defines security configuration checklists to be used to establish and document
-                     configuration settings for the information technology products employed;</p>
-               </part>
-               <part id="cm-6.a_obj.2" name="objective">
-                  <prop name="label">CM-6(a)[2]</prop>
-                  <p>ensures the defined security configuration checklists reflect the most
-                     restrictive mode consistent with operational requirements;</p>
-               </part>
-               <part id="cm-6.a_obj.3" name="objective">
-                  <prop name="label">CM-6(a)[3]</prop>
-                  <p>establishes and documents configuration settings for information technology
-                     products employed within the information system using organization-defined
-                     security configuration checklists;</p>
-               </part>
-            </part>
-            <part id="cm-6.b_obj" name="objective">
-               <prop name="label">CM-6(b)</prop>
-               <p>implements the configuration settings established/documented in CM-6(a);;</p>
-            </part>
-            <part id="cm-6.c_obj" name="objective">
-               <prop name="label">CM-6(c)</prop>
-               <part id="cm-6.c_obj.1" name="objective">
-                  <prop name="label">CM-6(c)[1]</prop>
-                  <p>defines information system components for which any deviations from established
-                     configuration settings must be:</p>
-                  <part id="cm-6.c_obj.1.a" name="objective">
-                     <prop name="label">CM-6(c)[1][a]</prop>
-                     <p>identified;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.b" name="objective">
-                     <prop name="label">CM-6(c)[1][b]</prop>
-                     <p>documented;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.c" name="objective">
-                     <prop name="label">CM-6(c)[1][c]</prop>
-                     <p>approved;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.2" name="objective">
-                  <prop name="label">CM-6(c)[2]</prop>
-                  <p>defines operational requirements to support:</p>
-                  <part id="cm-6.c_obj.2.a" name="objective">
-                     <prop name="label">CM-6(c)[2][a]</prop>
-                     <p>the identification of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.b" name="objective">
-                     <prop name="label">CM-6(c)[2][b]</prop>
-                     <p>the documentation of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.c" name="objective">
-                     <prop name="label">CM-6(c)[2][c]</prop>
-                     <p>the approval of any deviations from established configuration settings;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.3" name="objective">
-                  <prop name="label">CM-6(c)[3]</prop>
-                  <p>identifies any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.4" name="objective">
-                  <prop name="label">CM-6(c)[4]</prop>
-                  <p>documents any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.5" name="objective">
-                  <prop name="label">CM-6(c)[5]</prop>
-                  <p>approves any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-            </part>
-            <part id="cm-6.d_obj" name="objective">
-               <prop name="label">CM-6(d)</prop>
-               <part id="cm-6.d_obj.1" name="objective">
-                  <prop name="label">CM-6(d)[1]</prop>
-                  <p>monitors changes to the configuration settings in accordance with
-                     organizational policies and procedures; and</p>
-               </part>
-               <part id="cm-6.d_obj.2" name="objective">
-                  <prop name="label">CM-6(d)[2]</prop>
-                  <p>controls changes to the configuration settings in accordance with
-                     organizational policies and procedures.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing configuration settings for the information system</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>evidence supporting approved deviations from established configuration
-                  settings</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing configuration settings</p>
-               <p>automated mechanisms that implement, monitor, and/or control information system
-                  configuration settings</p>
-               <p>automated mechanisms that identify and/or document deviations from established
-                  configuration settings</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Required - Specifically include details of least functionality.</p>
-         </part>
-         <part id="cm-6_fr" name="item">
-            <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-            <part id="cm-6_fr_smt.1" name="item">
-               <prop name="label">Requirement 1:</prop>
-               <p>The service provider shall use the Center for Internet Security guidelines
-                     (Level 1) to establish configuration settings or establishes its own
-                     configuration settings if USGCB is not available. </p>
-            </part>
-            <part id="cm-6_fr_smt.2" name="item">
-               <prop name="label">Requirement 2:</prop>
-               <p>The service provider shall ensure that checklists for configuration settings
-                     are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP
-                     compatible (if validated checklists are not available).</p>
-            </part>
-            <part id="cm-6_fr_gdn.1" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-7">
-         <title>Least Functionality</title>
-         <param id="cm-7_prm_1">
-            <label>organization-defined prohibited or restricted functions, ports, protocols, and/or
-               services</label>
-         </param>
-         <prop name="label">CM-7</prop>
-         <prop name="sort-id">cm-07</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#e42b2099-3e1c-415b-952c-61c96533c12e" rel="reference">DoD Instruction 8551.01</link>
-         <part id="cm-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Configures the information system to provide only essential capabilities; and</p>
-            </part>
-            <part id="cm-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Prohibits or restricts the use of the following functions, ports, protocols,
-                  and/or services: <insert param-id="cm-7_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="cm-7_gdn" name="guidance">
-            <p>Information systems can provide a wide variety of functions and services. Some of the
-               functions and services, provided by default, may not be necessary to support
-               essential organizational operations (e.g., key missions, functions). Additionally, it
-               is sometimes convenient to provide multiple services from single information system
-               components, but doing so increases risk over limiting the services provided by any
-               one component. Where feasible, organizations limit component functionality to a
-               single function per device (e.g., email servers or web servers, but not both).
-               Organizations review functions and services provided by information systems or
-               individual components of information systems, to determine which functions and
-               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-               Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-               prevent unauthorized connection of devices, unauthorized transfer of information, or
-               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-               detection and prevention systems, and end-point protections such as firewalls and
-               host-based intrusion detection systems to identify and prevent the use of prohibited
-               functions, ports, protocols, and services.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-7.a_obj" name="objective">
-               <prop name="label">CM-7(a)</prop>
-               <p>configures the information system to provide only essential capabilities;</p>
-            </part>
-            <part id="cm-7.b_obj" name="objective">
-               <prop name="label">CM-7(b)</prop>
-               <part id="cm-7.b_obj.1" name="objective">
-                  <prop name="label">CM-7(b)[1]</prop>
-                  <p>defines prohibited or restricted:</p>
-                  <part id="cm-7.b_obj.1.a" name="objective">
-                     <prop name="label">CM-7(b)[1][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.b" name="objective">
-                     <prop name="label">CM-7(b)[1][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.c" name="objective">
-                     <prop name="label">CM-7(b)[1][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.d" name="objective">
-                     <prop name="label">CM-7(b)[1][d]</prop>
-                     <p>services;</p>
-                  </part>
-               </part>
-               <part id="cm-7.b_obj.2" name="objective">
-                  <prop name="label">CM-7(b)[2]</prop>
-                  <p>prohibits or restricts the use of organization-defined:</p>
-                  <part id="cm-7.b_obj.2.a" name="objective">
-                     <prop name="label">CM-7(b)[2][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.b" name="objective">
-                     <prop name="label">CM-7(b)[2][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.c" name="objective">
-                     <prop name="label">CM-7(b)[2][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.d" name="objective">
-                     <prop name="label">CM-7(b)[2][d]</prop>
-                     <p>services.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>configuration management plan</p>
-               <p>procedures addressing least functionality in the information system</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes prohibiting or restricting functions, ports, protocols,
-                  and/or services</p>
-               <p>automated mechanisms implementing restrictions or prohibition of functions, ports,
-                  protocols, and/or services</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-8">
-         <title>Information System Component Inventory</title>
-         <param id="cm-8_prm_1">
-            <label>organization-defined information deemed necessary to achieve effective
-               information system component accountability</label>
-         </param>
-         <param id="cm-8_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="label">CM-8</prop>
-         <prop name="sort-id">cm-08</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents an inventory of information system components that:</p>
-               <part id="cm-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Is at the level of granularity deemed necessary for tracking and reporting;
-                     and</p>
-               </part>
-               <part id="cm-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Includes <insert param-id="cm-8_prm_1"/>; and</p>
-               </part>
-            </part>
-            <part id="cm-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the information system component inventory <insert param-id="cm-8_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="cm-8_gdn" name="guidance">
-            <p>Organizations may choose to implement centralized information system component
-               inventories that include components from all organizational information systems. In
-               such situations, organizations ensure that the resulting inventories include
-               system-specific information required for proper component accountability (e.g.,
-               information system association, information system owner). Information deemed
-               necessary for effective accountability of information system components includes, for
-               example, hardware inventory specifications, software license information, software
-               version numbers, component owners, and for networked components or devices, machine
-               names and network addresses. Inventory specifications include, for example,
-               manufacturer, device type, model, serial number, and physical location.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-         </part>
-         <part id="cm-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-8.a_obj" name="objective">
-               <prop name="label">CM-8(a)</prop>
-               <part id="cm-8.a.1_obj" name="objective">
-                  <prop name="label">CM-8(a)(1)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8.a.2_obj" name="objective">
-                  <prop name="label">CM-8(a)(2)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8.a.3_obj" name="objective">
-                  <prop name="label">CM-8(a)(3)</prop>
-                  <p>develops and documents an inventory of information system components that is at
-                     the level of granularity deemed necessary for tracking and reporting;</p>
-               </part>
-               <part id="cm-8.a.4_obj" name="objective">
-                  <prop name="label">CM-8(a)(4)</prop>
-                  <part id="cm-8.a.4_obj.1" name="objective">
-                     <prop name="label">CM-8(a)(4)[1]</prop>
-                     <p>defines the information deemed necessary to achieve effective information
-                        system component accountability;</p>
-                  </part>
-                  <part id="cm-8.a.4_obj.2" name="objective">
-                     <prop name="label">CM-8(a)(4)[2]</prop>
-                     <p>develops and documents an inventory of information system components that
-                        includes organization-defined information deemed necessary to achieve
-                        effective information system component accountability;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-8.b_obj" name="objective">
-               <prop name="label">CM-8(b)</prop>
-               <part id="cm-8.b_obj.1" name="objective">
-                  <prop name="label">CM-8(b)[1]</prop>
-                  <p>defines the frequency to review and update the information system component
-                     inventory; and</p>
-               </part>
-               <part id="cm-8.b_obj.2" name="objective">
-                  <prop name="label">CM-8(b)[2]</prop>
-                  <p>reviews and updates the information system component inventory with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing information system component inventory</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system inventory records</p>
-               <p>inventory reviews and update records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system component
-                  inventory</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing and documenting an inventory of
-                  information system components</p>
-               <p>automated mechanisms supporting and/or implementing the information system
-                  component inventory</p>
-            </part>
-         </part>
-         <part id="cm-8_fr" name="item">
-            <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-            <part id="cm-8_fr_smt.1" name="item">
-               <prop name="label">Requirement:</prop>
-               <p>Must be provided at least monthly or when there is a change.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-10">
-         <title>Software Usage Restrictions</title>
-         <prop name="label">CM-10</prop>
-         <prop name="sort-id">cm-10</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <part id="cm-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part id="cm-10_gdn" name="guidance">
-            <p>Software license tracking can be accomplished by manual methods (e.g., simple
-               spreadsheets) or automated methods (e.g., specialized tracking applications)
-               depending on organizational needs.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-10_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-10.a_obj" name="objective">
-               <prop name="label">CM-10(a)</prop>
-               <p>uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10.b_obj" name="objective">
-               <prop name="label">CM-10(b)</prop>
-               <p>tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10.c_obj" name="objective">
-               <prop name="label">CM-10(c)</prop>
-               <p>controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing software usage restrictions</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>software contract agreements and copyright laws</p>
-               <p>site license documentation</p>
-               <p>list of software usage restrictions</p>
-               <p>software license tracking reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel with software license management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for tracking the use of software protected by quantity
-                  licenses</p>
-               <p>organization process for controlling/documenting the use of peer-to-peer file
-                  sharing technology</p>
-               <p>automated mechanisms implementing software license tracking</p>
-               <p>automated mechanisms implementing and controlling the use of peer-to-peer files
-                  sharing technology</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO- Not directly related to protection of the data.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-11">
-         <title>User-installed Software</title>
-         <param id="cm-11_prm_1">
-            <label>organization-defined policies</label>
-         </param>
-         <param id="cm-11_prm_2">
-            <label>organization-defined methods</label>
-         </param>
-         <param id="cm-11_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CM-11</prop>
-         <prop name="sort-id">cm-11</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <part id="cm-11_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes <insert param-id="cm-11_prm_1"/> governing the installation of
-                  software by users;</p>
-            </part>
-            <part id="cm-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Enforces software installation policies through <insert param-id="cm-11_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="cm-11_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Monitors policy compliance at <insert param-id="cm-11_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="cm-11_gdn" name="guidance">
-            <p>If provided the necessary privileges, users have the ability to install software in
-               organizational information systems. To maintain control over the types of software
-               installed, organizations identify permitted and prohibited actions regarding software
-               installation. Permitted software installations may include, for example, updates and
-               security patches to existing software and downloading applications from
-               organization-approved “app stores” Prohibited software installations may include, for
-               example, software with unknown or suspect pedigrees or software that organizations
-               consider potentially malicious. The policies organizations select governing
-               user-installed software may be organization-developed or provided by some external
-               entity. Policy enforcement methods include procedural methods (e.g., periodic
-               examination of user accounts), automated methods (e.g., configuration settings
-               implemented on organizational information systems), or both.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="cm-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-11.a_obj" name="objective">
-               <prop name="label">CM-11(a)</prop>
-               <part id="cm-11.a_obj.1" name="objective">
-                  <prop name="label">CM-11(a)[1]</prop>
-                  <p>defines policies to govern the installation of software by users;</p>
-               </part>
-               <part id="cm-11.a_obj.2" name="objective">
-                  <prop name="label">CM-11(a)[2]</prop>
-                  <p>establishes organization-defined policies governing the installation of
-                     software by users;</p>
-               </part>
-            </part>
-            <part id="cm-11.b_obj" name="objective">
-               <prop name="label">CM-11(b)</prop>
-               <part id="cm-11.b_obj.1" name="objective">
-                  <prop name="label">CM-11(b)[1]</prop>
-                  <p>defines methods to enforce software installation policies;</p>
-               </part>
-               <part id="cm-11.b_obj.2" name="objective">
-                  <prop name="label">CM-11(b)[2]</prop>
-                  <p>enforces software installation policies through organization-defined
-                     methods;</p>
-               </part>
-            </part>
-            <part id="cm-11.c_obj" name="objective">
-               <prop name="label">CM-11(c)</prop>
-               <part id="cm-11.c_obj.1" name="objective">
-                  <prop name="label">CM-11(c)[1]</prop>
-                  <p>defines frequency to monitor policy compliance; and</p>
-               </part>
-               <part id="cm-11.c_obj.2" name="objective">
-                  <prop name="label">CM-11(c)[2]</prop>
-                  <p>monitors policy compliance at organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing user installed software</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of rules governing user installed software</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-               <p>continuous monitoring strategy</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for governing user-installed
-                  software</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel monitoring compliance with user-installed software
-                  policy</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes governing user-installed software on the information
-                  system</p>
-               <p>automated mechanisms enforcing rules/methods for governing the installation of
-                  software by users</p>
-               <p>automated mechanisms monitoring policy compliance</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - Boundary is specific to SaaS environment; all access is via web services;
-                  users' machine or internal network are not contemplated. External services (SA-9),
-                  internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and
-                  SC-13), and privileged authentication (IA-2[1]) are considerations.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="cp">
-      <title>Contingency Planning</title>
-      <control class="SP800-53" id="cp-1">
-         <title>Contingency Planning Policy and Procedures</title>
-         <param id="cp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CP-1</prop>
-         <prop name="sort-id">cp-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cp-1_prm_1"/>:</p>
-               <part id="cp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A contingency planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the contingency planning policy
-                     and associated contingency planning controls; and</p>
-               </part>
-            </part>
-            <part id="cp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Contingency planning policy <insert param-id="cp-1_prm_2"/>; and</p>
-               </part>
-               <part id="cp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Contingency planning procedures <insert param-id="cp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cp-1_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="cp-1.a_obj" name="objective">
-               <prop name="label">CP-1(a)</prop>
-               <part id="cp-1.a.1_obj" name="objective">
-                  <prop name="label">CP-1(a)(1)</prop>
-                  <part id="cp-1.a.1_obj.1" name="objective">
-                     <prop name="label">CP-1(a)(1)[1]</prop>
-                     <p>the organization develops and documents a contingency planning policy that
-                        addresses:</p>
-                     <part id="cp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cp-1.a.1_obj.2" name="objective">
-                     <prop name="label">CP-1(a)(1)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the contingency planning
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.1_obj.3" name="objective">
-                     <prop name="label">CP-1(a)(1)[3]</prop>
-                     <p>the organization disseminates the contingency planning policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cp-1.a.2_obj" name="objective">
-                  <prop name="label">CP-1(a)(2)</prop>
-                  <part id="cp-1.a.2_obj.1" name="objective">
-                     <prop name="label">CP-1(a)(2)[1]</prop>
-                     <p>the organization develops and documents procedures to facilitate the
-                        implementation of the contingency planning policy and associated contingency
-                        planning controls;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.2" name="objective">
-                     <prop name="label">CP-1(a)(2)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.3" name="objective">
-                     <prop name="label">CP-1(a)(2)[3]</prop>
-                     <p>the organization disseminates the procedures to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-1.b_obj" name="objective">
-               <prop name="label">CP-1(b)</prop>
-               <part id="cp-1.b.1_obj" name="objective">
-                  <prop name="label">CP-1(b)(1)</prop>
-                  <part id="cp-1.b.1_obj.1" name="objective">
-                     <prop name="label">CP-1(b)(1)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning policy;</p>
-                  </part>
-                  <part id="cp-1.b.1_obj.2" name="objective">
-                     <prop name="label">CP-1(b)(1)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cp-1.b.2_obj" name="objective">
-                  <prop name="label">CP-1(b)(2)</prop>
-                  <part id="cp-1.b.2_obj.1" name="objective">
-                     <prop name="label">CP-1(b)(2)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning procedures; and</p>
-                  </part>
-                  <part id="cp-1.b.2_obj.2" name="objective">
-                     <prop name="label">CP-1(b)(2)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-2">
-         <title>Contingency Plan</title>
-         <param id="cp-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-2_prm_2">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <param id="cp-2_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-2_prm_4">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <prop name="label">CP-2</prop>
-         <prop name="sort-id">cp-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a contingency plan for the information system that:</p>
-               <part id="cp-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Provides recovery objectives, restoration priorities, and metrics;</p>
-               </part>
-               <part id="cp-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Addresses contingency roles, responsibilities, assigned individuals with
-                     contact information;</p>
-               </part>
-               <part id="cp-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented; and</p>
-               </part>
-               <part id="cp-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Is reviewed and approved by <insert param-id="cp-2_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="cp-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the contingency plan to <insert param-id="cp-2_prm_2"/>;</p>
-            </part>
-            <part id="cp-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the contingency plan for the information system <insert param-id="cp-2_prm_3"/>;</p>
-            </part>
-            <part id="cp-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the contingency plan to address changes to the organization, information
-                  system, or environment of operation and problems encountered during contingency
-                  plan implementation, execution, or testing;</p>
-            </part>
-            <part id="cp-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Communicates contingency plan changes to <insert param-id="cp-2_prm_4"/>; and</p>
-            </part>
-            <part id="cp-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part id="cp-2_gdn" name="guidance">
-            <p>Contingency planning for information systems is part of an overall organizational
-               program for achieving continuity of operations for mission/business functions.
-               Contingency planning addresses both information system restoration and implementation
-               of alternative mission/business processes when systems are compromised. The
-               effectiveness of contingency planning is maximized by considering such planning
-               throughout the phases of the system development life cycle. Performing contingency
-               planning on hardware, software, and firmware development can be an effective means of
-               achieving information system resiliency. Contingency plans reflect the degree of
-               restoration required for organizational information systems since not all systems may
-               need to fully recover to achieve the level of continuity of operations desired.
-               Information system recovery objectives reflect applicable laws, Executive Orders,
-               directives, policies, standards, regulations, and guidelines. In addition to
-               information system availability, contingency plans also address other
-               security-related events resulting in a reduction in mission and/or business
-               effectiveness, such as malicious attacks compromising the confidentiality or
-               integrity of information systems. Actions addressed in contingency plans include, for
-               example, orderly/graceful degradation, information system shutdown, fallback to a
-               manual mode, alternate information flows, and operating in modes reserved for when
-               systems are under attack. By closely coordinating contingency planning with incident
-               handling activities, organizations can ensure that the necessary contingency planning
-               activities are in place and activated in the event of a security incident.</p>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="cp-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-2.a_obj" name="objective">
-               <prop name="label">CP-2(a)</prop>
-               <p>develops and documents a contingency plan for the information system that:</p>
-               <part id="cp-2.a.1_obj" name="objective">
-                  <prop name="label">CP-2(a)(1)</prop>
-                  <p>identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2.a.2_obj" name="objective">
-                  <prop name="label">CP-2(a)(2)</prop>
-                  <part id="cp-2.a.2_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(2)[1]</prop>
-                     <p>provides recovery objectives;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(2)[2]</prop>
-                     <p>provides restoration priorities;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(2)[3]</prop>
-                     <p>provides metrics;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.3_obj" name="objective">
-                  <prop name="label">CP-2(a)(3)</prop>
-                  <part id="cp-2.a.3_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(3)[1]</prop>
-                     <p>addresses contingency roles;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(3)[2]</prop>
-                     <p>addresses contingency responsibilities;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(3)[3]</prop>
-                     <p>addresses assigned individuals with contact information;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.4_obj" name="objective">
-                  <prop name="label">CP-2(a)(4)</prop>
-                  <p>addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2.a.5_obj" name="objective">
-                  <prop name="label">CP-2(a)(5)</prop>
-                  <p>addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented;</p>
-               </part>
-               <part id="cp-2.a.6_obj" name="objective">
-                  <prop name="label">CP-2(a)(6)</prop>
-                  <part id="cp-2.a.6_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(6)[1]</prop>
-                     <p>defines personnel or roles to review and approve the contingency plan for
-                        the information system;</p>
-                  </part>
-                  <part id="cp-2.a.6_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(6)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-2.b_obj" name="objective">
-               <prop name="label">CP-2(b)</prop>
-               <part id="cp-2.b_obj.1" name="objective">
-                  <prop name="label">CP-2(b)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom copies of the contingency plan are to be
-                     distributed;</p>
-               </part>
-               <part id="cp-2.b_obj.2" name="objective">
-                  <prop name="label">CP-2(b)[2]</prop>
-                  <p>distributes copies of the contingency plan to organization-defined key
-                     contingency personnel and organizational elements;</p>
-               </part>
-            </part>
-            <part id="cp-2.c_obj" name="objective">
-               <prop name="label">CP-2(c)</prop>
-               <p>coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2.d_obj" name="objective">
-               <prop name="label">CP-2(d)</prop>
-               <part id="cp-2.d_obj.1" name="objective">
-                  <prop name="label">CP-2(d)[1]</prop>
-                  <p>defines a frequency to review the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-2.d_obj.2" name="objective">
-                  <prop name="label">CP-2(d)[2]</prop>
-                  <p>reviews the contingency plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-2.e_obj" name="objective">
-               <prop name="label">CP-2(e)</prop>
-               <p>updates the contingency plan to address:</p>
-               <part id="cp-2.e_obj.1" name="objective">
-                  <prop name="label">CP-2(e)[1]</prop>
-                  <p>changes to the organization, information system, or environment of
-                     operation;</p>
-               </part>
-               <part id="cp-2.e_obj.2" name="objective">
-                  <prop name="label">CP-2(e)[2]</prop>
-                  <p>problems encountered during plan implementation, execution, and testing;</p>
-               </part>
-            </part>
-            <part id="cp-2.f_obj" name="objective">
-               <prop name="label">CP-2(f)</prop>
-               <part id="cp-2.f_obj.1" name="objective">
-                  <prop name="label">CP-2(f)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom contingency plan changes are to be
-                     communicated;</p>
-               </part>
-               <part id="cp-2.f_obj.2" name="objective">
-                  <prop name="label">CP-2(f)[2]</prop>
-                  <p>communicates contingency plan changes to organization-defined key contingency
-                     personnel and organizational elements; and</p>
-               </part>
-            </part>
-            <part id="cp-2.g_obj" name="objective">
-               <prop name="label">CP-2(g)</prop>
-               <p>protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency operations for the information system</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>evidence of contingency plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan development, review, update, and
-                  protection</p>
-               <p>automated mechanisms for developing, reviewing, updating and/or protecting the
-                  contingency plan</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-3">
-         <title>Contingency Training</title>
-         <param id="cp-3_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="cp-3_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CP-3</prop>
-         <prop name="sort-id">cp-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="cp-3_smt" name="statement">
-            <p>The organization provides contingency training to information system users consistent
-               with assigned roles and responsibilities:</p>
-            <part id="cp-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="cp-3_prm_1"/> of assuming a contingency role or
-                  responsibility;</p>
-            </part>
-            <part id="cp-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="cp-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="cp-3_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="cp-3_gdn" name="guidance">
-            <p>Contingency training provided by organizations is linked to the assigned roles and
-               responsibilities of organizational personnel to ensure that the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know when and where to report for duty during contingency operations and if
-               normal duties are affected; system administrators may require additional training on
-               how to set up information systems at alternate processing and storage sites; and
-               managers/senior leaders may receive more specific training on how to conduct
-               mission-essential functions in designated off-site locations and how to establish
-               communications with other governmental entities for purposes of coordination on
-               contingency-related activities. Training for contingency roles/responsibilities
-               reflects the specific continuity requirements in the contingency plan.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-         </part>
-         <part id="cp-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-3.a_obj" name="objective">
-               <prop name="label">CP-3(a)</prop>
-               <part id="cp-3.a_obj.1" name="objective">
-                  <prop name="label">CP-3(a)[1]</prop>
-                  <p>defines a time period within which contingency training is to be provided to
-                     information system users assuming a contingency role or responsibility;</p>
-               </part>
-               <part id="cp-3.a_obj.2" name="objective">
-                  <prop name="label">CP-3(a)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming a contingency role or responsibility;</p>
-               </part>
-            </part>
-            <part id="cp-3.b_obj" name="objective">
-               <prop name="label">CP-3(b)</prop>
-               <p>provides contingency training to information system users consistent with assigned
-                  roles and responsibilities when required by information system changes;</p>
-            </part>
-            <part id="cp-3.c_obj" name="objective">
-               <prop name="label">CP-3(c)</prop>
-               <part id="cp-3.c_obj.1" name="objective">
-                  <prop name="label">CP-3(c)[1]</prop>
-                  <p>defines the frequency for contingency training thereafter; and</p>
-               </part>
-               <part id="cp-3.c_obj.2" name="objective">
-                  <prop name="label">CP-3(c)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities with the organization-defined frequency
-                     thereafter.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency training</p>
-               <p>contingency plan</p>
-               <p>contingency training curriculum</p>
-               <p>contingency training material</p>
-               <p>security plan</p>
-               <p>contingency training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, plan implementation, and
-                  training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency training</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-4">
-         <title>Contingency Plan Testing</title>
-         <param id="cp-4_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-4_prm_2">
-            <label>organization-defined tests</label>
-         </param>
-         <prop name="label">CP-4</prop>
-         <prop name="sort-id">cp-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf" rel="reference">NIST Special Publication 800-84</link>
-         <part id="cp-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Tests the contingency plan for the information system <insert param-id="cp-4_prm_1"/> using <insert param-id="cp-4_prm_2"/> to determine the
-                  effectiveness of the plan and the organizational readiness to execute the
-                  plan;</p>
-            </part>
-            <part id="cp-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Initiates corrective actions, if needed.</p>
-            </part>
-         </part>
-         <part id="cp-4_gdn" name="guidance">
-            <p>Methods for testing contingency plans to determine the effectiveness of the plans and
-               to identify potential weaknesses in the plans include, for example, walk-through and
-               tabletop exercises, checklists, simulations (parallel, full interrupt), and
-               comprehensive exercises. Organizations conduct testing based on the continuity
-               requirements in contingency plans and include a determination of the effects on
-               organizational operations, assets, and individuals arising due to contingency
-               operations. Organizations have flexibility and discretion in the breadth, depth, and
-               timelines of corrective actions.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-         </part>
-         <part id="cp-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-4.a_obj" name="objective">
-               <prop name="label">CP-4(a)</prop>
-               <part id="cp-4.a_obj.1" name="objective">
-                  <prop name="label">CP-4(a)[1]</prop>
-                  <p>defines tests to determine the effectiveness of the contingency plan and the
-                     organizational readiness to execute the plan;</p>
-               </part>
-               <part id="cp-4.a_obj.2" name="objective">
-                  <prop name="label">CP-4(a)[2]</prop>
-                  <p>defines a frequency to test the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-4.a_obj.3" name="objective">
-                  <prop name="label">CP-4(a)[3]</prop>
-                  <p>tests the contingency plan for the information system with the
-                     organization-defined frequency, using organization-defined tests to determine
-                     the effectiveness of the plan and the organizational readiness to execute the
-                     plan;</p>
-               </part>
-            </part>
-            <part id="cp-4.b_obj" name="objective">
-               <prop name="label">CP-4(b)</prop>
-               <p>reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4.c_obj" name="objective">
-               <prop name="label">CP-4(c)</prop>
-               <p>initiates corrective actions, if needed.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency plan testing</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>contingency plan test documentation</p>
-               <p>contingency plan test results</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for contingency plan testing,
-                  reviewing or responding to contingency plan tests</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan testing</p>
-               <p>automated mechanisms supporting the contingency plan and/or contingency plan
-                  testing</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-9">
-         <title>Information System Backup</title>
-         <param id="cp-9_prm_1">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <param id="cp-9_prm_2">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <param id="cp-9_prm_3">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <prop name="label">CP-9</prop>
-         <prop name="sort-id">cp-09</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts backups of user-level information contained in the information system
-                     <insert param-id="cp-9_prm_1"/>;</p>
-            </part>
-            <part id="cp-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Conducts backups of system-level information contained in the information system
-                     <insert param-id="cp-9_prm_2"/>;</p>
-            </part>
-            <part id="cp-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts backups of information system documentation including security-related
-                  documentation <insert param-id="cp-9_prm_3"/>; and</p>
-            </part>
-            <part id="cp-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-         </part>
-         <part id="cp-9_gdn" name="guidance">
-            <p>System-level information includes, for example, system-state information, operating
-               system and application software, and licenses. User-level information includes any
-               information other than system-level information. Mechanisms employed by organizations
-               to protect the integrity of information system backups include, for example, digital
-               signatures and cryptographic hashes. Protection of system backup information while in
-               transit is beyond the scope of this control. Information system backups reflect the
-               requirements in contingency plans as well as other organizational requirements for
-               backing up information.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="cp-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-9.a_obj" name="objective">
-               <prop name="label">CP-9(a)</prop>
-               <part id="cp-9.a_obj.1" name="objective">
-                  <prop name="label">CP-9(a)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of user-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.a_obj.2" name="objective">
-                  <prop name="label">CP-9(a)[2]</prop>
-                  <p>conducts backups of user-level information contained in the information system
-                     with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.b_obj" name="objective">
-               <prop name="label">CP-9(b)</prop>
-               <part id="cp-9.b_obj.1" name="objective">
-                  <prop name="label">CP-9(b)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of system-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.b_obj.2" name="objective">
-                  <prop name="label">CP-9(b)[2]</prop>
-                  <p>conducts backups of system-level information contained in the information
-                     system with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.c_obj" name="objective">
-               <prop name="label">CP-9(c)</prop>
-               <part id="cp-9.c_obj.1" name="objective">
-                  <prop name="label">CP-9(c)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of information system documentation including security-related
-                     documentation;</p>
-               </part>
-               <part id="cp-9.c_obj.2" name="objective">
-                  <prop name="label">CP-9(c)[2]</prop>
-                  <p>conducts backups of information system documentation, including
-                     security-related documentation, with the organization-defined frequency;
-                     and</p>
-               </part>
-            </part>
-            <part id="cp-9.d_obj" name="objective">
-               <prop name="label">CP-9(d)</prop>
-               <p>protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>backup storage location(s)</p>
-               <p>information system backup logs or records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system backup responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for conducting information system backups</p>
-               <p>automated mechanisms supporting and/or implementing information system backups</p>
-            </part>
-         </part>
-         <part id="cp-9_fr" name="item">
-            <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-            <part id="cp-9_fr_smt.1" name="item">
-               <prop name="label">Requirement:</prop>
-               <p>The service provider shall determine what elements of the cloud environment
-                     require the Information System Backup control. The service provider shall
-                     determine how Information System Backup is going to be verified and appropriate
-                     periodicity of the check.</p>
-            </part>
-            <part id="cp-9_fr_smt.a" name="item">
-               <prop name="label">CP-9(a) Requirement:</prop>
-               <p>The service provider maintains at least three backup copies of user-level
-                     information (at least one of which is available online).</p>
-            </part>
-            <part id="cp-9_fr_smt.b" name="item">
-               <prop name="label">CP-9(b)Requirement:</prop>
-               <p>The service provider maintains at least three backup copies of system-level
-                     information (at least one of which is available online).</p>
-            </part>
-            <part id="cp-9_fr_smt.c" name="item">
-               <prop name="label">CP-9(c)Requirement:</prop>
-               <p>The service provider maintains at least three backup copies of information
-                     system documentation including security information (at least one of which is
-                     available online).</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-10">
-         <title>Information System Recovery and Reconstitution</title>
-         <prop name="label">CP-10</prop>
-         <prop name="sort-id">cp-10</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-10_smt" name="statement">
-            <p>The organization provides for the recovery and reconstitution of the information
-               system to a known state after a disruption, compromise, or failure.</p>
-         </part>
-         <part id="cp-10_gdn" name="guidance">
-            <p>Recovery is executing information system contingency plan activities to restore
-               organizational missions/business functions. Reconstitution takes place following
-               recovery and includes activities for returning organizational information systems to
-               fully operational states. Recovery and reconstitution operations reflect mission and
-               business priorities, recovery point/time and reconstitution objectives, and
-               established organizational metrics consistent with contingency plan requirements.
-               Reconstitution includes the deactivation of any interim information system
-               capabilities that may have been needed during recovery operations. Reconstitution
-               also includes assessments of fully restored information system capabilities,
-               reestablishment of continuous monitoring activities, potential information system
-               reauthorizations, and activities to prepare the systems against future disruptions,
-               compromises, or failures. Recovery/reconstitution capabilities employed by
-               organizations can include both automated mechanisms and manual procedures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="cp-10_obj" name="objective">
-            <p>Determine if the organization provides for: </p>
-            <part id="cp-10_obj.1" name="objective">
-               <prop name="label">CP-10[1]</prop>
-               <p>the recovery of the information system to a known state after:</p>
-               <part id="cp-10_obj.1.a" name="objective">
-                  <prop name="label">CP-10[1][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.1.b" name="objective">
-                  <prop name="label">CP-10[1][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.1.c" name="objective">
-                  <prop name="label">CP-10[1][c]</prop>
-                  <p>a failure;</p>
-               </part>
-            </part>
-            <part id="cp-10_obj.2" name="objective">
-               <prop name="label">CP-10[2]</prop>
-               <p>the reconstitution of the information system to a known state after:</p>
-               <part id="cp-10_obj.2.a" name="objective">
-                  <prop name="label">CP-10[2][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.2.b" name="objective">
-                  <prop name="label">CP-10[2][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.2.c" name="objective">
-                  <prop name="label">CP-10[2][c]</prop>
-                  <p>a failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>information system backup test results</p>
-               <p>contingency plan test results</p>
-               <p>contingency plan test documentation</p>
-               <p>redundant secondary system for information system backups</p>
-               <p>location(s) of redundant secondary backup system(s)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, recovery, and/or
-                  reconstitution responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes implementing information system recovery and
-                  reconstitution operations</p>
-               <p>automated mechanisms supporting and/or implementing information system recovery
-                  and reconstitution operations</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ia">
-      <title>Identification and Authentication</title>
-      <control class="SP800-53" id="ia-1">
-         <title>Identification and Authentication Policy and Procedures</title>
-         <param id="ia-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ia-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IA-1</prop>
-         <prop name="sort-id">ia-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ia-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ia-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ia-1_prm_1"/>:</p>
-               <part id="ia-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An identification and authentication policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ia-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the identification and
-                     authentication policy and associated identification and authentication
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ia-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ia-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identification and authentication policy <insert param-id="ia-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ia-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Identification and authentication procedures <insert param-id="ia-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ia-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ia-1.a_obj" name="objective">
-               <prop name="label">IA-1(a)</prop>
-               <part id="ia-1.a.1_obj" name="objective">
-                  <prop name="label">IA-1(a)(1)</prop>
-                  <part id="ia-1.a.1_obj.1" name="objective">
-                     <prop name="label">IA-1(a)(1)[1]</prop>
-                     <p>develops and documents an identification and authentication policy that
-                        addresses:</p>
-                     <part id="ia-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ia-1.a.1_obj.2" name="objective">
-                     <prop name="label">IA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the identification and authentication
-                        policy is to be disseminated; and</p>
-                  </part>
-                  <part id="ia-1.a.1_obj.3" name="objective">
-                     <prop name="label">IA-1(a)(1)[3]</prop>
-                     <p>disseminates the identification and authentication policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ia-1.a.2_obj" name="objective">
-                  <prop name="label">IA-1(a)(2)</prop>
-                  <part id="ia-1.a.2_obj.1" name="objective">
-                     <prop name="label">IA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        identification and authentication policy and associated identification and
-                        authentication controls;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.2" name="objective">
-                     <prop name="label">IA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.3" name="objective">
-                     <prop name="label">IA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-1.b_obj" name="objective">
-               <prop name="label">IA-1(b)</prop>
-               <part id="ia-1.b.1_obj" name="objective">
-                  <prop name="label">IA-1(b)(1)</prop>
-                  <part id="ia-1.b.1_obj.1" name="objective">
-                     <prop name="label">IA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication policy;</p>
-                  </part>
-                  <part id="ia-1.b.1_obj.2" name="objective">
-                     <prop name="label">IA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current identification and authentication policy
-                        with the organization-defined frequency; and</p>
-                  </part>
-               </part>
-               <part id="ia-1.b.2_obj" name="objective">
-                  <prop name="label">IA-1(b)(2)</prop>
-                  <part id="ia-1.b.2_obj.1" name="objective">
-                     <prop name="label">IA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication procedures; and</p>
-                  </part>
-                  <part id="ia-1.b.2_obj.2" name="objective">
-                     <prop name="label">IA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current identification and authentication procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identification and authentication
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-2">
-         <title>Identification and Authentication (organizational Users)</title>
-         <prop name="label">IA-2</prop>
-         <prop name="sort-id">ia-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-2_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates organizational users (or
-               processes acting on behalf of organizational users).</p>
-         </part>
-         <part id="ia-2_gdn" name="guidance">
-            <p>Organizational users include employees or individuals that organizations deem to have
-               equivalent status of employees (e.g., contractors, guest researchers). This control
-               applies to all accesses other than: (i) accesses that are explicitly identified and
-               documented in AC-14; and (ii) accesses that occur through authorized use of group
-               authenticators without individual authentication. Organizations may require unique
-               identification of individuals in group accounts (e.g., shared privilege accounts) or
-               for detailed accountability of individual activity. Organizations employ passwords,
-               tokens, or biometrics to authenticate user identities, or in the case multifactor
-               authentication, or some combination thereof. Access to organizational information
-               systems is defined as either local access or network access. Local access is any
-               access to organizational information systems by users (or processes acting on behalf
-               of users) where such access is obtained by direct connections without the use of
-               networks. Network access is access to organizational information systems by users (or
-               processes acting on behalf of users) where such access is obtained through network
-               connections (i.e., nonlocal accesses). Remote access is a type of network access that
-               involves communication through external networks (e.g., the Internet). Internal
-               networks include local area networks and wide area networks. In addition, the use of
-               encrypted virtual private networks (VPNs) for network connections between
-               organization-controlled endpoints and non-organization controlled endpoints may be
-               treated as internal networks from the perspective of protecting the confidentiality
-               and integrity of information traversing the network. Organizations can satisfy the
-               identification and authentication requirements in this control by complying with the
-               requirements in Homeland Security Presidential Directive 12 consistent with the
-               specific organizational implementation plans. Multifactor authentication requires the
-               use of two or more different factors to achieve authentication. The factors are
-               defined as: (i) something you know (e.g., password, personal identification number
-               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-               or (iii) something you are (e.g., biometric). Multifactor solutions that require
-               devices separate from information systems gaining access include, for example,
-               hardware tokens providing time-based or challenge-response authenticators and smart
-               cards such as the U.S. Government Personal Identity Verification card and the DoD
-               common access card. In addition to identifying and authenticating users at the
-               information system level (i.e., at logon), organizations also employ identification
-               and authentication mechanisms at the application level, when necessary, to provide
-               increased information security. Identification and authentication requirements for
-               other than organizational users are described in IA-8.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-         </part>
-         <part id="ia-2_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               organizational users (or processes acting on behalf of organizational users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for uniquely identifying and authenticating users</p>
-               <p>automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO for non-privileged users. Attestation for privileged users related to
-                  multi-factor identification and authentication - specifically include description
-                  of management of service accounts.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-2.1">
-            <title>Network Access to Privileged Accounts</title>
-            <prop name="label">IA-2(1)</prop>
-            <prop name="sort-id">ia-02.01</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ia-2.1_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  privileged accounts.</p>
-            </part>
-            <part id="ia-2.1_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.1_obj" name="objective">
-               <p>Determine if the information system implements multifactor authentication for
-                  network access to privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.12">
-            <title>Acceptance of PIV Credentials</title>
-            <prop name="label">IA-2(12)</prop>
-            <prop name="sort-id">ia-02.12</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part id="ia-2.12_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials.</p>
-            </part>
-            <part id="ia-2.12_gdn" name="guidance">
-               <p>This control enhancement applies to organizations implementing logical access
-                  control systems (LACS) and physical access control systems (PACS). Personal
-                  Identity Verification (PIV) credentials are those credentials issued by federal
-                  agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                  OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                  requirements specified in HSPD-12 to enable agency-wide use of PIV
-                  credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-2.12_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-2.12_obj.1" name="objective">
-                  <prop name="label">IA-2(12)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials; and</p>
-               </part>
-               <part id="ia-2.12_obj.2" name="objective">
-                  <prop name="label">IA-2(12)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing acceptance and verification
-                     of PIV credentials</p>
-               </part>
-            </part>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of
-                     PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-4">
-         <title>Identifier Management</title>
-         <param id="ia-4_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-4_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ia-4_prm_3">
-            <label>organization-defined time period of inactivity</label>
-         </param>
-         <prop name="label">IA-4</prop>
-         <prop name="sort-id">ia-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <part id="ia-4_smt" name="statement">
-            <p>The organization manages information system identifiers by:</p>
-            <part id="ia-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receiving authorization from <insert param-id="ia-4_prm_1"/> to assign an
-                  individual, group, role, or device identifier;</p>
-            </part>
-            <part id="ia-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Selecting an identifier that identifies an individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Assigning the identifier to the intended individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Preventing reuse of identifiers for <insert param-id="ia-4_prm_2"/>; and</p>
-            </part>
-            <part id="ia-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Disabling the identifier after <insert param-id="ia-4_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="ia-4_gdn" name="guidance">
-            <p>Common device identifiers include, for example, media access control (MAC), Internet
-               protocol (IP) addresses, or device-unique token identifiers. Management of individual
-               identifiers is not applicable to shared information system accounts (e.g., guest and
-               anonymous accounts). Typically, individual identifiers are the user names of the
-               information system accounts assigned to those individuals. In such instances, the
-               account management activities of AC-2 use account names provided by IA-4. This
-               control also addresses individual identifiers not necessarily associated with
-               information system accounts (e.g., identifiers used in physical security control
-               databases accessed by badge reader systems for access to information systems).
-               Preventing reuse of identifiers implies preventing the assignment of previously used
-               individual, group, role, or device identifiers to different individuals, groups,
-               roles, or devices.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#sc-37">SC-37</link>
-         </part>
-         <part id="ia-4_obj" name="objective">
-            <p>Determine if the organization manages information system identifiers by: </p>
-            <part id="ia-4.a_obj" name="objective">
-               <prop name="label">IA-4(a)</prop>
-               <part id="ia-4.a_obj.1" name="objective">
-                  <prop name="label">IA-4(a)[1]</prop>
-                  <p>defining personnel or roles from whom authorization must be received to
-                     assign:</p>
-                  <part id="ia-4.a_obj.1.a" name="objective">
-                     <prop name="label">IA-4(a)[1][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.b" name="objective">
-                     <prop name="label">IA-4(a)[1][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.c" name="objective">
-                     <prop name="label">IA-4(a)[1][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.d" name="objective">
-                     <prop name="label">IA-4(a)[1][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-               <part id="ia-4.a_obj.2" name="objective">
-                  <prop name="label">IA-4(a)[2]</prop>
-                  <p>receiving authorization from organization-defined personnel or roles to
-                     assign:</p>
-                  <part id="ia-4.a_obj.2.a" name="objective">
-                     <prop name="label">IA-4(a)[2][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.b" name="objective">
-                     <prop name="label">IA-4(a)[2][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.c" name="objective">
-                     <prop name="label">IA-4(a)[2][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.d" name="objective">
-                     <prop name="label">IA-4(a)[2][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-4.b_obj" name="objective">
-               <prop name="label">IA-4(b)</prop>
-               <p>selecting an identifier that identifies:</p>
-               <part id="ia-4.b_obj.1" name="objective">
-                  <prop name="label">IA-4(b)[1]</prop>
-                  <p>an individual;</p>
-               </part>
-               <part id="ia-4.b_obj.2" name="objective">
-                  <prop name="label">IA-4(b)[2]</prop>
-                  <p>a group;</p>
-               </part>
-               <part id="ia-4.b_obj.3" name="objective">
-                  <prop name="label">IA-4(b)[3]</prop>
-                  <p>a role; and/or</p>
-               </part>
-               <part id="ia-4.b_obj.4" name="objective">
-                  <prop name="label">IA-4(b)[4]</prop>
-                  <p>a device;</p>
-               </part>
-            </part>
-            <part id="ia-4.c_obj" name="objective">
-               <prop name="label">IA-4(c)</prop>
-               <p>assigning the identifier to the intended:</p>
-               <part id="ia-4.c_obj.1" name="objective">
-                  <prop name="label">IA-4(c)[1]</prop>
-                  <p>individual;</p>
-               </part>
-               <part id="ia-4.c_obj.2" name="objective">
-                  <prop name="label">IA-4(c)[2]</prop>
-                  <p>group;</p>
-               </part>
-               <part id="ia-4.c_obj.3" name="objective">
-                  <prop name="label">IA-4(c)[3]</prop>
-                  <p>role; and/or</p>
-               </part>
-               <part id="ia-4.c_obj.4" name="objective">
-                  <prop name="label">IA-4(c)[4]</prop>
-                  <p>device;</p>
-               </part>
-            </part>
-            <part id="ia-4.d_obj" name="objective">
-               <prop name="label">IA-4(d)</prop>
-               <part id="ia-4.d_obj.1" name="objective">
-                  <prop name="label">IA-4(d)[1]</prop>
-                  <p>defining a time period for preventing reuse of identifiers;</p>
-               </part>
-               <part id="ia-4.d_obj.2" name="objective">
-                  <prop name="label">IA-4(d)[2]</prop>
-                  <p>preventing reuse of identifiers for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ia-4.e_obj" name="objective">
-               <prop name="label">IA-4(e)</prop>
-               <part id="ia-4.e_obj.1" name="objective">
-                  <prop name="label">IA-4(e)[1]</prop>
-                  <p>defining a time period of inactivity to disable the identifier; and</p>
-               </part>
-               <part id="ia-4.e_obj.2" name="objective">
-                  <prop name="label">IA-4(e)[2]</prop>
-                  <p>disabling the identifier after the organization-defined time period of
-                     inactivity.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing identifier management</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system accounts</p>
-               <p>list of identifiers generated from physical access control devices</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identifier management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identifier management</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-5">
-         <title>Authenticator Management</title>
-         <param id="ia-5_prm_1">
-            <label>organization-defined time period by authenticator type</label>
-         </param>
-         <prop name="label">IA-5</prop>
-         <prop name="sort-id">ia-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-5_smt" name="statement">
-            <p>The organization manages information system authenticators by:</p>
-            <part id="ia-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Verifying, as part of the initial authenticator distribution, the identity of the
-                  individual, group, role, or device receiving the authenticator;</p>
-            </part>
-            <part id="ia-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Establishing and implementing administrative procedures for initial authenticator
-                  distribution, for lost/compromised or damaged authenticators, and for revoking
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changing/refreshing authenticators <insert param-id="ia-5_prm_1"/>;</p>
-            </part>
-            <part id="ia-5_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Protecting authenticator content from unauthorized disclosure and
-                  modification;</p>
-            </part>
-            <part id="ia-5_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Requiring individuals to take, and having devices implement, specific security
-                  safeguards to protect authenticators; and</p>
-            </part>
-            <part id="ia-5_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-         </part>
-         <part id="ia-5_gdn" name="guidance">
-            <p>Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-               certificates, and key cards. Initial authenticator content is the actual content
-               (e.g., the initial password) as opposed to requirements about authenticator content
-               (e.g., minimum password length). In many cases, developers ship information system
-               components with factory default authentication credentials to allow for initial
-               installation and configuration. Default authentication credentials are often well
-               known, easily discoverable, and present a significant security risk. The requirement
-               to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-               for authenticators stored within organizational information systems (e.g., passwords
-               stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-               accessible with administrator privileges). Information systems support individual
-               authenticator management by organization-defined settings and restrictions for
-               various authenticator characteristics including, for example, minimum password
-               length, password composition, validation time window for time synchronous one-time
-               tokens, and number of allowed rejections during the verification stage of biometric
-               authentication. Specific actions that can be taken to safeguard authenticators
-               include, for example, maintaining possession of individual authenticators, not
-               loaning or sharing individual authenticators with others, and reporting lost, stolen,
-               or compromised authenticators immediately. Authenticator management includes issuing
-               and revoking, when no longer needed, authenticators for temporary access such as that
-               required for remote maintenance. Device authenticators include, for example,
-               certificates and passwords.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-         </part>
-         <part id="ia-5_obj" name="objective">
-            <p>Determine if the organization manages information system authenticators by: </p>
-            <part id="ia-5.a_obj" name="objective">
-               <prop name="label">IA-5(a)</prop>
-               <p>verifying, as part of the initial authenticator distribution, the identity of:</p>
-               <part id="ia-5.a_obj.1" name="objective">
-                  <prop name="label">IA-5(a)[1]</prop>
-                  <p>the individual receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.2" name="objective">
-                  <prop name="label">IA-5(a)[2]</prop>
-                  <p>the group receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.3" name="objective">
-                  <prop name="label">IA-5(a)[3]</prop>
-                  <p>the role receiving the authenticator; and/or</p>
-               </part>
-               <part id="ia-5.a_obj.4" name="objective">
-                  <prop name="label">IA-5(a)[4]</prop>
-                  <p>the device receiving the authenticator;</p>
-               </part>
-            </part>
-            <part id="ia-5.b_obj" name="objective">
-               <prop name="label">IA-5(b)</prop>
-               <p>establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5.c_obj" name="objective">
-               <prop name="label">IA-5(c)</prop>
-               <p>ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5.d_obj" name="objective">
-               <prop name="label">IA-5(d)</prop>
-               <part id="ia-5.d_obj.1" name="objective">
-                  <prop name="label">IA-5(d)[1]</prop>
-                  <p>establishing and implementing administrative procedures for initial
-                     authenticator distribution;</p>
-               </part>
-               <part id="ia-5.d_obj.2" name="objective">
-                  <prop name="label">IA-5(d)[2]</prop>
-                  <p>establishing and implementing administrative procedures for lost/compromised or
-                     damaged authenticators;</p>
-               </part>
-               <part id="ia-5.d_obj.3" name="objective">
-                  <prop name="label">IA-5(d)[3]</prop>
-                  <p>establishing and implementing administrative procedures for revoking
-                     authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.e_obj" name="objective">
-               <prop name="label">IA-5(e)</prop>
-               <p>changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5.f_obj" name="objective">
-               <prop name="label">IA-5(f)</prop>
-               <part id="ia-5.f_obj.1" name="objective">
-                  <prop name="label">IA-5(f)[1]</prop>
-                  <p>establishing minimum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.2" name="objective">
-                  <prop name="label">IA-5(f)[2]</prop>
-                  <p>establishing maximum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.3" name="objective">
-                  <prop name="label">IA-5(f)[3]</prop>
-                  <p>establishing reuse conditions for authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.g_obj" name="objective">
-               <prop name="label">IA-5(g)</prop>
-               <part id="ia-5.g_obj.1" name="objective">
-                  <prop name="label">IA-5(g)[1]</prop>
-                  <p>defining a time period (by authenticator type) for changing/refreshing
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.g_obj.2" name="objective">
-                  <prop name="label">IA-5(g)[2]</prop>
-                  <p>changing/refreshing authenticators with the organization-defined time period by
-                     authenticator type;</p>
-               </part>
-            </part>
-            <part id="ia-5.h_obj" name="objective">
-               <prop name="label">IA-5(h)</prop>
-               <p>protecting authenticator content from unauthorized:</p>
-               <part id="ia-5.h_obj.1" name="objective">
-                  <prop name="label">IA-5(h)[1]</prop>
-                  <p>disclosure;</p>
-               </part>
-               <part id="ia-5.h_obj.2" name="objective">
-                  <prop name="label">IA-5(h)[2]</prop>
-                  <p>modification;</p>
-               </part>
-            </part>
-            <part id="ia-5.i_obj" name="objective">
-               <prop name="label">IA-5(i)</prop>
-               <part id="ia-5.i_obj.1" name="objective">
-                  <prop name="label">IA-5(i)[1]</prop>
-                  <p>requiring individuals to take specific security safeguards to protect
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.i_obj.2" name="objective">
-                  <prop name="label">IA-5(i)[2]</prop>
-                  <p>having devices implement specific security safeguards to protect
-                     authenticators; and</p>
-               </part>
-            </part>
-            <part id="ia-5.j_obj" name="objective">
-               <prop name="label">IA-5(j)</prop>
-               <p>changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator management</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system authenticator types</p>
-               <p>change control records associated with managing information system
-                  authenticators</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with authenticator management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing authenticator management
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-5.1">
-            <title>Password-based Authentication</title>
-            <param id="ia-5.1_prm_1">
-               <label>organization-defined requirements for case sensitivity, number of characters,
-                  mix of upper-case letters, lower-case letters, numbers, and special characters,
-                  including minimum requirements for each type</label>
-            </param>
-            <param id="ia-5.1_prm_2">
-               <label>organization-defined number</label>
-            </param>
-            <param id="ia-5.1_prm_3">
-               <label>organization-defined numbers for lifetime minimum, lifetime maximum</label>
-            </param>
-            <param id="ia-5.1_prm_4">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">IA-5(1)</prop>
-            <prop name="sort-id">ia-05.01</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part id="ia-5.1_smt" name="statement">
-               <p>The information system, for password-based authentication:</p>
-               <part id="ia-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Enforces minimum password complexity of <insert param-id="ia-5.1_prm_1"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces at least the following number of changed characters when new passwords
-                     are created: <insert param-id="ia-5.1_prm_2"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Stores and transmits only cryptographically-protected passwords;</p>
-               </part>
-               <part id="ia-5.1_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Enforces password minimum and maximum lifetime restrictions of <insert param-id="ia-5.1_prm_3"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Prohibits password reuse for <insert param-id="ia-5.1_prm_4"/> generations;
-                     and</p>
-               </part>
-               <part id="ia-5.1_smt.f" name="item">
-                  <prop name="label">(f)</prop>
-                  <p>Allows the use of a temporary password for system logons with an immediate
-                     change to a permanent password.</p>
-               </part>
-            </part>
-            <part id="ia-5.1_gdn" name="guidance">
-               <p>This control enhancement applies to single-factor authentication of individuals
-                  using passwords as individual or group authenticators, and in a similar manner,
-                  when passwords are part of multifactor authenticators. This control enhancement
-                  does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                  Personal Identity Verification cards). The implementation of such password
-                  mechanisms may not meet all of the requirements in the enhancement.
-                  Cryptographically-protected passwords include, for example, encrypted versions of
-                  passwords and one-way cryptographic hashes of passwords. The number of changed
-                  characters refers to the number of changes required with respect to the total
-                  number of positions in the current password. Password lifetime restrictions do not
-                  apply to temporary passwords. To mitigate certain brute force attacks against
-                  passwords, organizations may also consider salting passwords.</p>
-               <link rel="related" href="#ia-6">IA-6</link>
-            </part>
-            <part id="ia-5.1_obj" name="objective">
-               <p>Determine if, for password-based authentication: </p>
-               <part id="ia-5.1.a_obj" name="objective">
-                  <prop name="label">IA-5(1)(a)</prop>
-                  <part id="ia-5.1.a_obj.1" name="objective">
-                     <prop name="label">IA-5(1)(a)[1]</prop>
-                     <p>the organization defines requirements for case sensitivity;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.2" name="objective">
-                     <prop name="label">IA-5(1)(a)[2]</prop>
-                     <p>the organization defines requirements for number of characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.3" name="objective">
-                     <prop name="label">IA-5(1)(a)[3]</prop>
-                     <p>the organization defines requirements for the mix of upper-case letters,
-                        lower-case letters, numbers and special characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.4" name="objective">
-                     <prop name="label">IA-5(1)(a)[4]</prop>
-                     <p>the organization defines minimum requirements for each type of
-                        character;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.5" name="objective">
-                     <prop name="label">IA-5(1)(a)[5]</prop>
-                     <p>the information system enforces minimum password complexity of
-                        organization-defined requirements for case sensitivity, number of
-                        characters, mix of upper-case letters, lower-case letters, numbers, and
-                        special characters, including minimum requirements for each type;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.a">IA-5(1)(a)</link>
-               </part>
-               <part id="ia-5.1.b_obj" name="objective">
-                  <prop name="label">IA-5(1)(b)</prop>
-                  <part id="ia-5.1.b_obj.1" name="objective">
-                     <prop name="label">IA-5(1)(b)[1]</prop>
-                     <p>the organization defines a minimum number of changed characters to be
-                        enforced when new passwords are created;</p>
-                  </part>
-                  <part id="ia-5.1.b_obj.2" name="objective">
-                     <prop name="label">IA-5(1)(b)[2]</prop>
-                     <p>the information system enforces at least the organization-defined minimum
-                        number of characters that must be changed when new passwords are
-                        created;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.b">IA-5(1)(b)</link>
-               </part>
-               <part id="ia-5.1.c_obj" name="objective">
-                  <prop name="label">IA-5(1)(c)</prop>
-                  <p>the information system stores and transmits only encrypted representations of
-                     passwords;</p>
-                  <link rel="corresp" href="#ia-5.1_smt.c">IA-5(1)(c)</link>
-               </part>
-               <part id="ia-5.1.d_obj" name="objective">
-                  <prop name="label">IA-5(1)(d)</prop>
-                  <part id="ia-5.1.d_obj.1" name="objective">
-                     <prop name="label">IA-5(1)(d)[1]</prop>
-                     <p>the organization defines numbers for password minimum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.2" name="objective">
-                     <prop name="label">IA-5(1)(d)[2]</prop>
-                     <p>the organization defines numbers for password maximum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.3" name="objective">
-                     <prop name="label">IA-5(1)(d)[3]</prop>
-                     <p>the information system enforces password minimum lifetime restrictions of
-                        organization-defined numbers for lifetime minimum;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.4" name="objective">
-                     <prop name="label">IA-5(1)(d)[4]</prop>
-                     <p>the information system enforces password maximum lifetime restrictions of
-                        organization-defined numbers for lifetime maximum;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.d">IA-5(1)(d)</link>
-               </part>
-               <part id="ia-5.1.e_obj" name="objective">
-                  <prop name="label">IA-5(1)(e)</prop>
-                  <part id="ia-5.1.e_obj.1" name="objective">
-                     <prop name="label">IA-5(1)(e)[1]</prop>
-                     <p>the organization defines the number of password generations to be prohibited
-                        from password reuse;</p>
-                  </part>
-                  <part id="ia-5.1.e_obj.2" name="objective">
-                     <prop name="label">IA-5(1)(e)[2]</prop>
-                     <p>the information system prohibits password reuse for the organization-defined
-                        number of generations; and</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.e">IA-5(1)(e)</link>
-               </part>
-               <part id="ia-5.1.f_obj" name="objective">
-                  <prop name="label">IA-5(1)(f)</prop>
-                  <p>the information system allows the use of a temporary password for system logons
-                     with an immediate change to a permanent password.</p>
-                  <link rel="corresp" href="#ia-5.1_smt.f">IA-5(1)(f)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>password policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>password configurations and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing password-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.11">
-            <title>Hardware Token-based Authentication</title>
-            <param id="ia-5.11_prm_1">
-               <label>organization-defined token quality requirements</label>
-            </param>
-            <prop name="label">IA-5(11)</prop>
-            <prop name="sort-id">ia-05.11</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part id="ia-5.11_smt" name="statement">
-               <p>The information system, for hardware token-based authentication, employs
-                  mechanisms that satisfy <insert param-id="ia-5.11_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.11_gdn" name="guidance">
-               <p>Hardware token-based authentication typically refers to the use of PKI-based
-                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                  Organizations define specific requirements for tokens, such as working with a
-                  particular PKI.</p>
-            </part>
-            <part id="ia-5.11_obj" name="objective">
-               <p>Determine if, for hardware token-based authentication: </p>
-               <part id="ia-5.11_obj.1" name="objective">
-                  <prop name="label">IA-5(11)[1]</prop>
-                  <p>the organization defines token quality requirements to be satisfied; and</p>
-               </part>
-               <part id="ia-5.11_obj.2" name="objective">
-                  <prop name="label">IA-5(11)[2]</prop>
-                  <p>the information system employs mechanisms that satisfy organization-defined
-                     token quality requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>automated mechanisms employing hardware token-based authentication for the
-                     information system</p>
-                  <p>list of token quality requirements</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing hardware token-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>FED - for Federal privileged users. Condition - Must document and assess for
-                  privileged users. May attest to this control for non-privileged users.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-6">
-         <title>Authenticator Feedback</title>
-         <prop name="label">IA-6</prop>
-         <prop name="sort-id">ia-06</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <part id="ia-6_smt" name="statement">
-            <p>The information system obscures feedback of authentication information during the
-               authentication process to protect the information from possible exploitation/use by
-               unauthorized individuals.</p>
-         </part>
-         <part id="ia-6_gdn" name="guidance">
-            <p>The feedback from information systems does not provide information that would allow
-               unauthorized individuals to compromise authentication mechanisms. For some types of
-               information systems or system components, for example, desktops/notebooks with
-               relatively large monitors, the threat (often referred to as shoulder surfing) may be
-               significant. For other types of systems or components, for example, mobile devices
-               with 2-4 inch screens, this threat may be less significant, and may need to be
-               balanced against the increased likelihood of typographic input errors due to the
-               small keyboards. Therefore, the means for obscuring the authenticator feedback is
-               selected accordingly. Obscuring the feedback of authentication information includes,
-               for example, displaying asterisks when users type passwords into input devices, or
-               displaying feedback for a very limited time before fully obscuring it.</p>
-            <link rel="related" href="#pe-18">PE-18</link>
-         </part>
-         <part id="ia-6_obj" name="objective">
-            <p>Determine if the information system obscures feedback of authentication information
-               during the authentication process to protect the information from possible
-               exploitation/use by unauthorized individuals.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator feedback</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                  authentication information during authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-7">
-         <title>Cryptographic Module Authentication</title>
-         <prop name="label">IA-7</prop>
-         <prop name="sort-id">ia-07</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#b09d1a31-d3c9-4138-a4f4-4c63816afd7d" rel="reference">http://csrc.nist.gov/groups/STM/cmvp/index.html</link>
-         <part id="ia-7_smt" name="statement">
-            <p>The information system implements mechanisms for authentication to a cryptographic
-               module that meet the requirements of applicable federal laws, Executive Orders,
-               directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part id="ia-7_gdn" name="guidance">
-            <p>Authentication mechanisms may be required within a cryptographic module to
-               authenticate an operator accessing the module and to verify that the operator is
-               authorized to assume the requested role and perform services within that role.</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ia-7_obj" name="objective">
-            <p>Determine if the information system implements mechanisms for authentication to a
-               cryptographic module that meet the requirements of applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing cryptographic module authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for cryptographic module
-                  authentication</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic module
-                  authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-8">
-         <title>Identification and Authentication (non-organizational Users)</title>
-         <prop name="label">IA-8</prop>
-         <prop name="sort-id">ia-08</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#599fe9ba-4750-4450-9eeb-b95bd19a5e8f" rel="reference">OMB Memorandum 10-06-2011</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#654f21e2-f3bc-43b2-abdc-60ab8d09744b" rel="reference">National Strategy for Trusted Identities in
-            Cyberspace</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-8_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates non-organizational users
-               (or processes acting on behalf of non-organizational users).</p>
-         </part>
-         <part id="ia-8_gdn" name="guidance">
-            <p>Non-organizational users include information system users other than organizational
-               users explicitly covered by IA-2. These individuals are uniquely identified and
-               authenticated for accesses other than those accesses explicitly identified and
-               documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-               authentication of non-organizational users accessing federal information systems may
-               be required to protect federal, proprietary, or privacy-related information (with
-               exceptions noted for national security systems). Organizations use risk assessments
-               to determine authentication needs and consider scalability, practicality, and
-               security in balancing the need to ensure ease of use for access to federal
-               information and information systems with the need to protect and adequately mitigate
-               risk. IA-2 addresses identification and authentication requirements for access to
-               information systems by organizational users.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-         </part>
-         <part id="ia-8_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               non-organizational users (or processes acting on behalf of non-organizational
-               users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-8.1">
-            <title>Acceptance of PIV Credentials from Other Agencies</title>
-            <prop name="label">IA-8(1)</prop>
-            <prop name="sort-id">ia-08.01</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part id="ia-8.1_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials from other federal agencies.</p>
-            </part>
-            <part id="ia-8.1_gdn" name="guidance">
-               <p>This control enhancement applies to logical access control systems (LACS) and
-                  physical access control systems (PACS). Personal Identity Verification (PIV)
-                  credentials are those credentials issued by federal agencies that conform to FIPS
-                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                  federal agencies to continue implementing the requirements specified in HSPD-12 to
-                  enable agency-wide use of PIV credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.1_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-8.1_obj.1" name="objective">
-                  <prop name="label">IA-8(1)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials from other agencies;
-                     and</p>
-               </part>
-               <part id="ia-8.1_obj.2" name="objective">
-                  <prop name="label">IA-8(1)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials from
-                     other agencies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept and verify PIV credentials</p>
-               </part>
-            </part>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.2">
-            <title>Acceptance of Third-party Credentials</title>
-            <prop name="label">IA-8(2)</prop>
-            <prop name="sort-id">ia-08.02</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part id="ia-8.2_smt" name="statement">
-               <p>The information system accepts only FICAM-approved third-party credentials.</p>
-            </part>
-            <part id="ia-8.2_gdn" name="guidance">
-               <p>This control enhancement typically applies to organizational information systems
-                  that are accessible to the general public, for example, public-facing websites.
-                  Third-party credentials are those credentials issued by nonfederal government
-                  entities approved by the Federal Identity, Credential, and Access Management
-                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                  meet or exceed the set of minimum federal government-wide technical, security,
-                  privacy, and organizational maturity requirements. This allows federal government
-                  relying parties to trust such credentials at their approved assurance levels.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ia-8.2_obj" name="objective">
-               <p>Determine if the information system accepts only FICAM-approved third-party
-                  credentials. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-approved, third-party credentialing products, components, or
-                     services procured and implemented by organization</p>
-                  <p>third-party credential verification records</p>
-                  <p>evidence of FICAM-approved third-party credentials</p>
-                  <p>third-party credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept FICAM-approved credentials</p>
-               </part>
-            </part>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.3">
-            <title>Use of Ficam-approved Products</title>
-            <param id="ia-8.3_prm_1">
-               <label>organization-defined information systems</label>
-            </param>
-            <prop name="label">IA-8(3)</prop>
-            <prop name="sort-id">ia-08.03</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part id="ia-8.3_smt" name="statement">
-               <p>The organization employs only FICAM-approved information system components in
-                     <insert param-id="ia-8.3_prm_1"/> to accept third-party credentials.</p>
-            </part>
-            <part id="ia-8.3_gdn" name="guidance">
-               <p>This control enhancement typically applies to information systems that are
-                  accessible to the general public, for example, public-facing websites.
-                  FICAM-approved information system components include, for example, information
-                  technology products and software libraries that have been approved by the Federal
-                  Identity, Credential, and Access Management conformance program.</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-8.3_obj.1" name="objective">
-                  <prop name="label">IA-8(3)[1]</prop>
-                  <p>defines information systems in which only FICAM-approved information system
-                     components are to be employed to accept third-party credentials; and</p>
-               </part>
-               <part id="ia-8.3_obj.2" name="objective">
-                  <prop name="label">IA-8(3)[2]</prop>
-                  <p>employs only FICAM-approved information system components in
-                     organization-defined information systems to accept third-party credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>third-party credential validations</p>
-                  <p>third-party credential authorizations</p>
-                  <p>third-party credential records</p>
-                  <p>list of FICAM-approved information system components procured and implemented
-                     by organization</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information system security, acquisition, and
-                     contracting responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.4">
-            <title>Use of Ficam-issued Profiles</title>
-            <prop name="label">IA-8(4)</prop>
-            <prop name="sort-id">ia-08.04</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part id="ia-8.4_smt" name="statement">
-               <p>The information system conforms to FICAM-issued profiles.</p>
-            </part>
-            <part id="ia-8.4_gdn" name="guidance">
-               <p>This control enhancement addresses open identity management standards. To ensure
-                  that these standards are viable, robust, reliable, sustainable (e.g., available in
-                  commercial information technology products), and interoperable as documented, the
-                  United States Government assesses and scopes identity management standards and
-                  technology implementations against applicable federal legislation, directives,
-                  policies, and requirements. The result is FICAM-issued implementation profiles of
-                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                  Exchange).</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.4_obj" name="objective">
-               <p>Determine if the information system conforms to FICAM-issued profiles. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-issued profiles and associated, approved protocols</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing conformance with
-                     FICAM-issued profiles</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ir">
-      <title>Incident Response</title>
-      <control class="SP800-53" id="ir-1">
-         <title>Incident Response Policy and Procedures</title>
-         <param id="ir-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ir-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IR-1</prop>
-         <prop name="sort-id">ir-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ir-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ir-1_prm_1"/>:</p>
-               <part id="ir-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An incident response policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ir-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the incident response policy and
-                     associated incident response controls; and</p>
-               </part>
-            </part>
-            <part id="ir-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ir-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Incident response policy <insert param-id="ir-1_prm_2"/>; and</p>
-               </part>
-               <part id="ir-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Incident response procedures <insert param-id="ir-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IR
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ir-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-1.a_obj" name="objective">
-               <prop name="label">IR-1(a)</prop>
-               <part id="ir-1.a.1_obj" name="objective">
-                  <prop name="label">IR-1(a)(1)</prop>
-                  <part id="ir-1.a.1_obj.1" name="objective">
-                     <prop name="label">IR-1(a)(1)[1]</prop>
-                     <p>develops and documents an incident response policy that addresses:</p>
-                     <part id="ir-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ir-1.a.1_obj.2" name="objective">
-                     <prop name="label">IR-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the incident response policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.1_obj.3" name="objective">
-                     <prop name="label">IR-1(a)(1)[3]</prop>
-                     <p>disseminates the incident response policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ir-1.a.2_obj" name="objective">
-                  <prop name="label">IR-1(a)(2)</prop>
-                  <part id="ir-1.a.2_obj.1" name="objective">
-                     <prop name="label">IR-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        incident response policy and associated incident response controls;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.2" name="objective">
-                     <prop name="label">IR-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.3" name="objective">
-                     <prop name="label">IR-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-1.b_obj" name="objective">
-               <prop name="label">IR-1(b)</prop>
-               <part id="ir-1.b.1_obj" name="objective">
-                  <prop name="label">IR-1(b)(1)</prop>
-                  <part id="ir-1.b.1_obj.1" name="objective">
-                     <prop name="label">IR-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        policy;</p>
-                  </part>
-                  <part id="ir-1.b.1_obj.2" name="objective">
-                     <prop name="label">IR-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current incident response policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ir-1.b.2_obj" name="objective">
-                  <prop name="label">IR-1(b)(2)</prop>
-                  <part id="ir-1.b.2_obj.1" name="objective">
-                     <prop name="label">IR-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        procedures; and</p>
-                  </part>
-                  <part id="ir-1.b.2_obj.2" name="objective">
-                     <prop name="label">IR-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current incident response procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-2">
-         <title>Incident Response Training</title>
-         <param id="ir-2_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ir-2_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IR-2</prop>
-         <prop name="sort-id">ir-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="ir-2_smt" name="statement">
-            <p>The organization provides incident response training to information system users
-               consistent with assigned roles and responsibilities:</p>
-            <part id="ir-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="ir-2_prm_1"/> of assuming an incident response role or
-                  responsibility;</p>
-            </part>
-            <part id="ir-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="ir-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="ir-2_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="ir-2_gdn" name="guidance">
-            <p>Incident response training provided by organizations is linked to the assigned roles
-               and responsibilities of organizational personnel to ensure the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know who to call or how to recognize an incident on the information system;
-               system administrators may require additional training on how to handle/remediate
-               incidents; and incident responders may receive more specific training on forensics,
-               reporting, system recovery, and restoration. Incident response training includes user
-               training in the identification and reporting of suspicious activities, both from
-               external and internal sources.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-2.a_obj" name="objective">
-               <prop name="label">IR-2(a)</prop>
-               <part id="ir-2.a_obj.1" name="objective">
-                  <prop name="label">IR-2(a)[1]</prop>
-                  <p>defines a time period within which incident response training is to be provided
-                     to information system users assuming an incident response role or
-                     responsibility;</p>
-               </part>
-               <part id="ir-2.a_obj.2" name="objective">
-                  <prop name="label">IR-2(a)[2]</prop>
-                  <p>provides incident response training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming an incident response role or responsibility;</p>
-               </part>
-            </part>
-            <part id="ir-2.b_obj" name="objective">
-               <prop name="label">IR-2(b)</prop>
-               <p>provides incident response training to information system users consistent with
-                  assigned roles and responsibilities when required by information system
-                  changes;</p>
-            </part>
-            <part id="ir-2.c_obj" name="objective">
-               <prop name="label">IR-2(c)</prop>
-               <part id="ir-2.c_obj.1" name="objective">
-                  <prop name="label">IR-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher incident response training to
-                     information system users consistent with assigned roles or responsibilities;
-                     and</p>
-               </part>
-               <part id="ir-2.c_obj.2" name="objective">
-                  <prop name="label">IR-2(c)[2]</prop>
-                  <p>after the initial incident response training, provides refresher incident
-                     response training to information system users consistent with assigned roles
-                     and responsibilities in accordance with the organization-defined frequency to
-                     provide refresher training.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response training</p>
-               <p>incident response training curriculum</p>
-               <p>incident response training materials</p>
-               <p>security plan</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>incident response training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response training and operational
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-4">
-         <title>Incident Handling</title>
-         <prop name="label">IR-4</prop>
-         <prop name="sort-id">ir-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Implements an incident handling capability for security incidents that includes
-                  preparation, detection and analysis, containment, eradication, and recovery;</p>
-            </part>
-            <part id="ir-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates incident handling activities with contingency planning activities;
-                  and</p>
-            </part>
-            <part id="ir-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Incorporates lessons learned from ongoing incident handling activities into
-                  incident response procedures, training, and testing, and implements the resulting
-                  changes accordingly.</p>
-            </part>
-         </part>
-         <part id="ir-4_gdn" name="guidance">
-            <p>Organizations recognize that incident response capability is dependent on the
-               capabilities of organizational information systems and the mission/business processes
-               being supported by those systems. Therefore, organizations consider incident response
-               as part of the definition, design, and development of mission/business processes and
-               information systems. Incident-related information can be obtained from a variety of
-               sources including, for example, audit monitoring, network monitoring, physical access
-               monitoring, user/administrator reports, and reported supply chain events. Effective
-               incident handling capability includes coordination among many organizational entities
-               including, for example, mission/business owners, information system owners,
-               authorizing officials, human resources offices, physical and personnel security
-               offices, legal departments, operations personnel, procurement offices, and the risk
-               executive (function).</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-4.a_obj" name="objective">
-               <prop name="label">IR-4(a)</prop>
-               <p>implements an incident handling capability for security incidents that
-                  includes:</p>
-               <part id="ir-4.a_obj.1" name="objective">
-                  <prop name="label">IR-4(a)[1]</prop>
-                  <p>preparation;</p>
-               </part>
-               <part id="ir-4.a_obj.2" name="objective">
-                  <prop name="label">IR-4(a)[2]</prop>
-                  <p>detection and analysis;</p>
-               </part>
-               <part id="ir-4.a_obj.3" name="objective">
-                  <prop name="label">IR-4(a)[3]</prop>
-                  <p>containment;</p>
-               </part>
-               <part id="ir-4.a_obj.4" name="objective">
-                  <prop name="label">IR-4(a)[4]</prop>
-                  <p>eradication;</p>
-               </part>
-               <part id="ir-4.a_obj.5" name="objective">
-                  <prop name="label">IR-4(a)[5]</prop>
-                  <p>recovery;</p>
-               </part>
-            </part>
-            <part id="ir-4.b_obj" name="objective">
-               <prop name="label">IR-4(b)</prop>
-               <p>coordinates incident handling activities with contingency planning activities;</p>
-            </part>
-            <part id="ir-4.c_obj" name="objective">
-               <prop name="label">IR-4(c)</prop>
-               <part id="ir-4.c_obj.1" name="objective">
-                  <prop name="label">IR-4(c)[1]</prop>
-                  <p>incorporates lessons learned from ongoing incident handling activities
-                     into:</p>
-                  <part id="ir-4.c_obj.1.a" name="objective">
-                     <prop name="label">IR-4(c)[1][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.b" name="objective">
-                     <prop name="label">IR-4(c)[1][b]</prop>
-                     <p>training;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.c" name="objective">
-                     <prop name="label">IR-4(c)[1][c]</prop>
-                     <p>testing/exercises;</p>
-                  </part>
-               </part>
-               <part id="ir-4.c_obj.2" name="objective">
-                  <prop name="label">IR-4(c)[2]</prop>
-                  <p>implements the resulting changes accordingly to:</p>
-                  <part id="ir-4.c_obj.2.a" name="objective">
-                     <prop name="label">IR-4(c)[2][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.b" name="objective">
-                     <prop name="label">IR-4(c)[2][b]</prop>
-                     <p>training; and</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.c" name="objective">
-                     <prop name="label">IR-4(c)[2][c]</prop>
-                     <p>testing/exercises.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>contingency planning policy</p>
-               <p>procedures addressing incident handling</p>
-               <p>incident response plan</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident handling capability for the organization</p>
-            </part>
-         </part>
-         <part id="ir-4_fr" name="item">
-            <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-            <part id="ir-4_fr_smt.1" name="item">
-               <prop name="label">Requirement:</prop>
-               <p>The service provider ensures that individuals conducting incident handling meet
-                     personnel security requirements commensurate with the criticality/sensitivity
-                     of the information being processed, stored, and transmitted by the information
-                     system.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-5">
-         <title>Incident Monitoring</title>
-         <prop name="label">IR-5</prop>
-         <prop name="sort-id">ir-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-5_smt" name="statement">
-            <p>The organization tracks and documents information system security incidents.</p>
-         </part>
-         <part id="ir-5_gdn" name="guidance">
-            <p>Documenting information system security incidents includes, for example, maintaining
-               records about each incident, the status of the incident, and other pertinent
-               information necessary for forensics, evaluating incident details, trends, and
-               handling. Incident information can be obtained from a variety of sources including,
-               for example, incident reports, incident response teams, audit monitoring, network
-               monitoring, physical access monitoring, and user/administrator reports.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-5_obj.1" name="objective">
-               <prop name="label">IR-5[1]</prop>
-               <p>tracks information system security incidents; and</p>
-            </part>
-            <part id="ir-5_obj.2" name="objective">
-               <prop name="label">IR-5[2]</prop>
-               <p>documents information system security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident monitoring</p>
-               <p>incident response records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident monitoring capability for the organization</p>
-               <p>automated mechanisms supporting and/or implementing tracking and documenting of
-                  system security incidents</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-6">
-         <title>Incident Reporting</title>
-         <param id="ir-6_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-         </param>
-         <param id="ir-6_prm_2">
-            <label>organization-defined authorities</label>
-         </param>
-         <prop name="label">IR-6</prop>
-         <prop name="sort-id">ir-06</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#02631467-668b-4233-989b-3dfded2fd184" rel="reference">http://www.us-cert.gov</link>
-         <part id="ir-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires personnel to report suspected security incidents to the organizational
-                  incident response capability within <insert param-id="ir-6_prm_1"/>; and</p>
-            </part>
-            <part id="ir-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports security incident information to <insert param-id="ir-6_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="ir-6_gdn" name="guidance">
-            <p>The intent of this control is to address both specific incident reporting
-               requirements within an organization and the formal incident reporting requirements
-               for federal agencies and their subordinate organizations. Suspected security
-               incidents include, for example, the receipt of suspicious email communications that
-               can potentially contain malicious code. The types of security incidents reported, the
-               content and timeliness of the reports, and the designated reporting authorities
-               reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-               standards, and guidance. Current federal policy requires that all federal agencies
-               (unless specifically exempted from such requirements) report security incidents to
-               the United States Computer Emergency Readiness Team (US-CERT) within specified time
-               frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-               Incident Handling.</p>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-6.a_obj" name="objective">
-               <prop name="label">IR-6(a)</prop>
-               <part id="ir-6.a_obj.1" name="objective">
-                  <prop name="label">IR-6(a)[1]</prop>
-                  <p>defines the time period within which personnel report suspected security
-                     incidents to the organizational incident response capability;</p>
-               </part>
-               <part id="ir-6.a_obj.2" name="objective">
-                  <prop name="label">IR-6(a)[2]</prop>
-                  <p>requires personnel to report suspected security incidents to the organizational
-                     incident response capability within the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ir-6.b_obj" name="objective">
-               <prop name="label">IR-6(b)</prop>
-               <part id="ir-6.b_obj.1" name="objective">
-                  <prop name="label">IR-6(b)[1]</prop>
-                  <p>defines authorities to whom security incident information is to be reported;
-                     and</p>
-               </part>
-               <part id="ir-6.b_obj.2" name="objective">
-                  <prop name="label">IR-6(b)[2]</prop>
-                  <p>reports security incident information to organization-defined authorities.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident reporting</p>
-               <p>incident reporting records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident reporting responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel who have/should have reported incidents</p>
-               <p>personnel (authorities) to whom incident information is to be reported</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident reporting</p>
-               <p>automated mechanisms supporting and/or implementing incident reporting</p>
-            </part>
-         </part>
-         <part id="ir-6_fr" name="item">
-            <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-            <part id="ir-6_fr_smt.1" name="item">
-               <prop name="label">Requirement:</prop>
-               <p>Report security incident information according to FedRAMP Incident
-                     Communications Procedure.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-7">
-         <title>Incident Response Assistance</title>
-         <prop name="label">IR-7</prop>
-         <prop name="sort-id">ir-07</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="ir-7_smt" name="statement">
-            <p>The organization provides an incident response support resource, integral to the
-               organizational incident response capability that offers advice and assistance to
-               users of the information system for the handling and reporting of security
-               incidents.</p>
-         </part>
-         <part id="ir-7_gdn" name="guidance">
-            <p>Incident response support resources provided by organizations include, for example,
-               help desks, assistance groups, and access to forensics services, when required.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ir-7_obj" name="objective">
-            <p>Determine if the organization provides an incident response support resource:</p>
-            <part id="ir-7_obj.1" name="objective">
-               <prop name="label">IR-7[1]</prop>
-               <p>that is integral to the organizational incident response capability; and</p>
-            </part>
-            <part id="ir-7_obj.2" name="objective">
-               <prop name="label">IR-7[2]</prop>
-               <p>that offers advice and assistance to users of the information system for the
-                  handling and reporting of security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response assistance</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response assistance and support
-                  responsibilities</p>
-               <p>organizational personnel with access to incident response support and assistance
-                  capability</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident response assistance</p>
-               <p>automated mechanisms supporting and/or implementing incident response
-                  assistance</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-8">
-         <title>Incident Response Plan</title>
-         <param id="ir-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-8_prm_2">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <param id="ir-8_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ir-8_prm_4">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <prop name="label">IR-8</prop>
-         <prop name="sort-id">ir-08</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops an incident response plan that:</p>
-               <part id="ir-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Meets the unique requirements of the organization, which relate to mission,
-                     size, structure, and functions;</p>
-               </part>
-               <part id="ir-8_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Defines reportable incidents;</p>
-               </part>
-               <part id="ir-8_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability; and</p>
-               </part>
-               <part id="ir-8_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Is reviewed and approved by <insert param-id="ir-8_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="ir-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the incident response plan to <insert param-id="ir-8_prm_2"/>;</p>
-            </part>
-            <part id="ir-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the incident response plan <insert param-id="ir-8_prm_3"/>;</p>
-            </part>
-            <part id="ir-8_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan implementation, execution, or testing;</p>
-            </part>
-            <part id="ir-8_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Communicates incident response plan changes to <insert param-id="ir-8_prm_4"/>;
-                  and</p>
-            </part>
-            <part id="ir-8_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part id="ir-8_gdn" name="guidance">
-            <p>It is important that organizations develop and implement a coordinated approach to
-               incident response. Organizational missions, business functions, strategies, goals,
-               and objectives for incident response help to determine the structure of incident
-               response capabilities. As part of a comprehensive incident response capability,
-               organizations consider the coordination and sharing of information with external
-               organizations, including, for example, external service providers and organizations
-               involved in the supply chain for organizational information systems.</p>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-         </part>
-         <part id="ir-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-8.a_obj" name="objective">
-               <prop name="label">IR-8(a)</prop>
-               <p>develops an incident response plan that:</p>
-               <part id="ir-8.a.1_obj" name="objective">
-                  <prop name="label">IR-8(a)(1)</prop>
-                  <p>provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.2_obj" name="objective">
-                  <prop name="label">IR-8(a)(2)</prop>
-                  <p>describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.3_obj" name="objective">
-                  <prop name="label">IR-8(a)(3)</prop>
-                  <p>provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8.a.4_obj" name="objective">
-                  <prop name="label">IR-8(a)(4)</prop>
-                  <p>meets the unique requirements of the organization, which relate to:</p>
-                  <part id="ir-8.a.4_obj.1" name="objective">
-                     <prop name="label">IR-8(a)(4)[1]</prop>
-                     <p>mission;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.2" name="objective">
-                     <prop name="label">IR-8(a)(4)[2]</prop>
-                     <p>size;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.3" name="objective">
-                     <prop name="label">IR-8(a)(4)[3]</prop>
-                     <p>structure;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.4" name="objective">
-                     <prop name="label">IR-8(a)(4)[4]</prop>
-                     <p>functions;</p>
-                  </part>
-               </part>
-               <part id="ir-8.a.5_obj" name="objective">
-                  <prop name="label">IR-8(a)(5)</prop>
-                  <p>defines reportable incidents;</p>
-               </part>
-               <part id="ir-8.a.6_obj" name="objective">
-                  <prop name="label">IR-8(a)(6)</prop>
-                  <p>provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8.a.7_obj" name="objective">
-                  <prop name="label">IR-8(a)(7)</prop>
-                  <p>defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability;</p>
-               </part>
-               <part id="ir-8.a.8_obj" name="objective">
-                  <prop name="label">IR-8(a)(8)</prop>
-                  <part id="ir-8.a.8_obj.1" name="objective">
-                     <prop name="label">IR-8(a)(8)[1]</prop>
-                     <p>defines personnel or roles to review and approve the incident response
-                        plan;</p>
-                  </part>
-                  <part id="ir-8.a.8_obj.2" name="objective">
-                     <prop name="label">IR-8(a)(8)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-8.b_obj" name="objective">
-               <prop name="label">IR-8(b)</prop>
-               <part id="ir-8.b_obj.1" name="objective">
-                  <prop name="label">IR-8(b)[1]</prop>
-                  <part id="ir-8.b_obj.1.a" name="objective">
-                     <prop name="label">IR-8(b)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom copies of the incident response plan are to be distributed;</p>
-                  </part>
-                  <part id="ir-8.b_obj.1.b" name="objective">
-                     <prop name="label">IR-8(b)[1][b]</prop>
-                     <p>defines organizational elements to whom copies of the incident response plan
-                        are to be distributed;</p>
-                  </part>
-               </part>
-               <part id="ir-8.b_obj.2" name="objective">
-                  <prop name="label">IR-8(b)[2]</prop>
-                  <p>distributes copies of the incident response plan to organization-defined
-                     incident response personnel (identified by name and/or by role) and
-                     organizational elements;</p>
-               </part>
-            </part>
-            <part id="ir-8.c_obj" name="objective">
-               <prop name="label">IR-8(c)</prop>
-               <part id="ir-8.c_obj.1" name="objective">
-                  <prop name="label">IR-8(c)[1]</prop>
-                  <p>defines the frequency to review the incident response plan;</p>
-               </part>
-               <part id="ir-8.c_obj.2" name="objective">
-                  <prop name="label">IR-8(c)[2]</prop>
-                  <p>reviews the incident response plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ir-8.d_obj" name="objective">
-               <prop name="label">IR-8(d)</prop>
-               <p>updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan:</p>
-               <part id="ir-8.d_obj.1" name="objective">
-                  <prop name="label">IR-8(d)[1]</prop>
-                  <p>implementation;</p>
-               </part>
-               <part id="ir-8.d_obj.2" name="objective">
-                  <prop name="label">IR-8(d)[2]</prop>
-                  <p>execution; or</p>
-               </part>
-               <part id="ir-8.d_obj.3" name="objective">
-                  <prop name="label">IR-8(d)[3]</prop>
-                  <p>testing;</p>
-               </part>
-            </part>
-            <part id="ir-8.e_obj" name="objective">
-               <prop name="label">IR-8(e)</prop>
-               <part id="ir-8.e_obj.1" name="objective">
-                  <prop name="label">IR-8(e)[1]</prop>
-                  <part id="ir-8.e_obj.1.a" name="objective">
-                     <prop name="label">IR-8(e)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom incident response plan changes are to be communicated;</p>
-                  </part>
-                  <part id="ir-8.e_obj.1.b" name="objective">
-                     <prop name="label">IR-8(e)[1][b]</prop>
-                     <p>defines organizational elements to whom incident response plan changes are
-                        to be communicated;</p>
-                  </part>
-               </part>
-               <part id="ir-8.e_obj.2" name="objective">
-                  <prop name="label">IR-8(e)[2]</prop>
-                  <p>communicates incident response plan changes to organization-defined incident
-                     response personnel (identified by name and/or by role) and organizational
-                     elements; and</p>
-               </part>
-            </part>
-            <part id="ir-8.f_obj" name="objective">
-               <prop name="label">IR-8(f)</prop>
-               <p>protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response planning</p>
-               <p>incident response plan</p>
-               <p>records of incident response plan reviews and approvals</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational incident response plan and related organizational processes</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Attestation - Specifically attest to US-CERT compliance.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-9">
-         <title>Information Spillage Response</title>
-         <param id="ir-9_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-9_prm_2">
-            <label>organization-defined actions</label>
-         </param>
-         <prop name="label">IR-9</prop>
-         <prop name="sort-id">ir-09</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="ir-9_smt" name="statement">
-            <p>The organization responds to information spills by:</p>
-            <part id="ir-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifying the specific information involved in the information system
-                  contamination;</p>
-            </part>
-            <part id="ir-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Alerting <insert param-id="ir-9_prm_1"/> of the information spill using a method
-                  of communication not associated with the spill;</p>
-            </part>
-            <part id="ir-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Isolating the contaminated information system or system component;</p>
-            </part>
-            <part id="ir-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Eradicating the information from the contaminated information system or
-                  component;</p>
-            </part>
-            <part id="ir-9_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Identifying other information systems or system components that may have been
-                  subsequently contaminated; and</p>
-            </part>
-            <part id="ir-9_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Performing other <insert param-id="ir-9_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="ir-9_gdn" name="guidance">
-            <p>Information spillage refers to instances where either classified or sensitive
-               information is inadvertently placed on information systems that are not authorized to
-               process such information. Such information spills often occur when information that
-               is initially thought to be of lower sensitivity is transmitted to an information
-               system and then is subsequently determined to be of higher sensitivity. At that
-               point, corrective action is required. The nature of the organizational response is
-               generally based upon the degree of sensitivity of the spilled information (e.g.,
-               security category or classification level), the security capabilities of the
-               information system, the specific nature of contaminated storage media, and the access
-               authorizations (e.g., security clearances) of individuals with authorized access to
-               the contaminated system. The methods used to communicate information about the spill
-               after the fact do not involve methods directly associated with the actual spill to
-               minimize the risk of further spreading the contamination before such contamination is
-               isolated and eradicated.</p>
-         </part>
-         <part id="ir-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-9.a_obj" name="objective">
-               <prop name="label">IR-9(a)</prop>
-               <p>responds to information spills by identifying the specific information causing the
-                  information system contamination;</p>
-            </part>
-            <part id="ir-9.b_obj" name="objective">
-               <prop name="label">IR-9(b)</prop>
-               <part id="ir-9.b_obj.1" name="objective">
-                  <prop name="label">IR-9(b)[1]</prop>
-                  <p>defines personnel to be alerted of the information spillage;</p>
-               </part>
-               <part id="ir-9.b_obj.2" name="objective">
-                  <prop name="label">IR-9(b)[2]</prop>
-                  <p>identifies a method of communication not associated with the information spill
-                     to use to alert organization-defined personnel of the spill;</p>
-               </part>
-               <part id="ir-9.b_obj.3" name="objective">
-                  <prop name="label">IR-9(b)[3]</prop>
-                  <p>responds to information spills by alerting organization-defined personnel of
-                     the information spill using a method of communication not associated with the
-                     spill;</p>
-               </part>
-            </part>
-            <part id="ir-9.c_obj" name="objective">
-               <prop name="label">IR-9(c)</prop>
-               <p>responds to information spills by isolating the contaminated information
-                  system;</p>
-            </part>
-            <part id="ir-9.d_obj" name="objective">
-               <prop name="label">IR-9(d)</prop>
-               <p>responds to information spills by eradicating the information from the
-                  contaminated information system;</p>
-            </part>
-            <part id="ir-9.e_obj" name="objective">
-               <prop name="label">IR-9(e)</prop>
-               <p>responds to information spills by identifying other information systems that may
-                  have been subsequently contaminated;</p>
-            </part>
-            <part id="ir-9.f_obj" name="objective">
-               <prop name="label">IR-9(f)</prop>
-               <part id="ir-9.f_obj.1" name="objective">
-                  <prop name="label">IR-9(f)[1]</prop>
-                  <p>defines other actions to be performed in response to information spills;
-                     and</p>
-               </part>
-               <part id="ir-9.f_obj.2" name="objective">
-                  <prop name="label">IR-9(f)[2]</prop>
-                  <p>responds to information spills by performing other organization-defined
-                     actions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing information spillage</p>
-               <p>incident response plan</p>
-               <p>records of information spillage alerts/notifications, list of personnel who should
-                  receive alerts of information spillage</p>
-               <p>list of actions to be performed regarding information spillage</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information spillage response</p>
-               <p>automated mechanisms supporting and/or implementing information spillage response
-                  actions and related communications</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Attestation - Specifically describe information spillage response processes.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ma">
-      <title>Maintenance</title>
-      <control class="SP800-53" id="ma-1">
-         <title>System Maintenance Policy and Procedures</title>
-         <param id="ma-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ma-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">MA-1</prop>
-         <prop name="sort-id">ma-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ma-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ma-1_prm_1"/>:</p>
-               <part id="ma-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system maintenance policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ma-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system maintenance policy
-                     and associated system maintenance controls; and</p>
-               </part>
-            </part>
-            <part id="ma-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ma-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System maintenance policy <insert param-id="ma-1_prm_2"/>; and</p>
-               </part>
-               <part id="ma-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System maintenance procedures <insert param-id="ma-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ma-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ma-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-1.a_obj" name="objective">
-               <prop name="label">MA-1(a)</prop>
-               <part id="ma-1.a.1_obj" name="objective">
-                  <prop name="label">MA-1(a)(1)</prop>
-                  <part id="ma-1.a.1_obj.1" name="objective">
-                     <prop name="label">MA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system maintenance policy that addresses:</p>
-                     <part id="ma-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ma-1.a.1_obj.2" name="objective">
-                     <prop name="label">MA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system maintenance policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.1_obj.3" name="objective">
-                     <prop name="label">MA-1(a)(1)[3]</prop>
-                     <p>disseminates the system maintenance policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ma-1.a.2_obj" name="objective">
-                  <prop name="label">MA-1(a)(2)</prop>
-                  <part id="ma-1.a.2_obj.1" name="objective">
-                     <prop name="label">MA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        maintenance policy and associated system maintenance controls;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.2" name="objective">
-                     <prop name="label">MA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.3" name="objective">
-                     <prop name="label">MA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-1.b_obj" name="objective">
-               <prop name="label">MA-1(b)</prop>
-               <part id="ma-1.b.1_obj" name="objective">
-                  <prop name="label">MA-1(b)(1)</prop>
-                  <part id="ma-1.b.1_obj.1" name="objective">
-                     <prop name="label">MA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        policy;</p>
-                  </part>
-                  <part id="ma-1.b.1_obj.2" name="objective">
-                     <prop name="label">MA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system maintenance policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ma-1.b.2_obj" name="objective">
-                  <prop name="label">MA-1(b)(2)</prop>
-                  <part id="ma-1.b.2_obj.1" name="objective">
-                     <prop name="label">MA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        procedures; and</p>
-                  </part>
-                  <part id="ma-1.b.2_obj.2" name="objective">
-                     <prop name="label">MA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system maintenance procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Maintenance policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-2">
-         <title>Controlled Maintenance</title>
-         <param id="ma-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-2_prm_2">
-            <label>organization-defined maintenance-related information</label>
-         </param>
-         <prop name="label">MA-2</prop>
-         <prop name="sort-id">ma-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="ma-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Schedules, performs, documents, and reviews records of maintenance and repairs on
-                  information system components in accordance with manufacturer or vendor
-                  specifications and/or organizational requirements;</p>
-            </part>
-            <part id="ma-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Approves and monitors all maintenance activities, whether performed on site or
-                  remotely and whether the equipment is serviced on site or removed to another
-                  location;</p>
-            </part>
-            <part id="ma-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Requires that <insert param-id="ma-2_prm_1"/> explicitly approve the removal of
-                  the information system or system components from organizational facilities for
-                  off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions; and</p>
-            </part>
-            <part id="ma-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Includes <insert param-id="ma-2_prm_2"/> in organizational maintenance
-                  records.</p>
-            </part>
-         </part>
-         <part id="ma-2_gdn" name="guidance">
-            <p>This control addresses the information security aspects of the information system
-               maintenance program and applies to all types of maintenance to any system component
-               (including applications) conducted by any local or nonlocal entity (e.g.,
-               in-contract, warranty, in-house, software maintenance agreement). System maintenance
-               also includes those components not directly associated with information processing
-               and/or data/information retention such as scanners, copiers, and printers.
-               Information necessary for creating effective maintenance records includes, for
-               example: (i) date and time of maintenance; (ii) name of individuals or group
-               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-               the maintenance performed; and (v) information system components/equipment removed or
-               replaced (including identification numbers, if applicable). The level of detail
-               included in maintenance records can be informed by the security categories of
-               organizational information systems. Organizations consider supply chain issues
-               associated with replacement components for information systems.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ma-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-2.a_obj" name="objective">
-               <prop name="label">MA-2(a)</prop>
-               <part id="ma-2.a_obj.1" name="objective">
-                  <prop name="label">MA-2(a)[1]</prop>
-                  <p>schedules maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.1.a" name="objective">
-                     <prop name="label">MA-2(a)[1][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.1.b" name="objective">
-                     <prop name="label">MA-2(a)[1][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.2" name="objective">
-                  <prop name="label">MA-2(a)[2]</prop>
-                  <p>performs maintenance and repairs on information system components in accordance
-                     with:</p>
-                  <part id="ma-2.a_obj.2.a" name="objective">
-                     <prop name="label">MA-2(a)[2][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.2.b" name="objective">
-                     <prop name="label">MA-2(a)[2][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.3" name="objective">
-                  <prop name="label">MA-2(a)[3]</prop>
-                  <p>documents maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.3.a" name="objective">
-                     <prop name="label">MA-2(a)[3][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.3.b" name="objective">
-                     <prop name="label">MA-2(a)[3][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.4" name="objective">
-                  <prop name="label">MA-2(a)[4]</prop>
-                  <p>reviews records of maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.4.a" name="objective">
-                     <prop name="label">MA-2(a)[4][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.4.b" name="objective">
-                     <prop name="label">MA-2(a)[4][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-2.b_obj" name="objective">
-               <prop name="label">MA-2(b)</prop>
-               <part id="ma-2.b_obj.1" name="objective">
-                  <prop name="label">MA-2(b)[1]</prop>
-                  <p>approves all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-               <part id="ma-2.b_obj.2" name="objective">
-                  <prop name="label">MA-2(b)[2]</prop>
-                  <p>monitors all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-            </part>
-            <part id="ma-2.c_obj" name="objective">
-               <prop name="label">MA-2(c)</prop>
-               <part id="ma-2.c_obj.1" name="objective">
-                  <prop name="label">MA-2(c)[1]</prop>
-                  <p>defines personnel or roles required to explicitly approve the removal of the
-                     information system or system components from organizational facilities for
-                     off-site maintenance or repairs;</p>
-               </part>
-               <part id="ma-2.c_obj.2" name="objective">
-                  <prop name="label">MA-2(c)[2]</prop>
-                  <p>requires that organization-defined personnel or roles explicitly approve the
-                     removal of the information system or system components from organizational
-                     facilities for off-site maintenance or repairs;</p>
-               </part>
-            </part>
-            <part id="ma-2.d_obj" name="objective">
-               <prop name="label">MA-2(d)</prop>
-               <p>sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2.e_obj" name="objective">
-               <prop name="label">MA-2(e)</prop>
-               <p>checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions;</p>
-            </part>
-            <part id="ma-2.f_obj" name="objective">
-               <prop name="label">MA-2(f)</prop>
-               <part id="ma-2.f_obj.1" name="objective">
-                  <prop name="label">MA-2(f)[1]</prop>
-                  <p>defines maintenance-related information to be included in organizational
-                     maintenance records; and</p>
-               </part>
-               <part id="ma-2.f_obj.2" name="objective">
-                  <prop name="label">MA-2(f)[2]</prop>
-                  <p>includes organization-defined maintenance-related information in organizational
-                     maintenance records.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing controlled information system maintenance</p>
-               <p>maintenance records</p>
-               <p>manufacturer/vendor maintenance specifications</p>
-               <p>equipment sanitization records</p>
-               <p>media sanitization records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel responsible for media sanitization</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for scheduling, performing, documenting, reviewing,
-                  approving, and monitoring maintenance and repairs for the information system</p>
-               <p>organizational processes for sanitizing information system components</p>
-               <p>automated mechanisms supporting and/or implementing controlled maintenance</p>
-               <p>automated mechanisms implementing sanitization of information system
-                  components</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-4">
-         <title>Nonlocal Maintenance</title>
-         <prop name="label">MA-4</prop>
-         <prop name="sort-id">ma-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#f2dbd4ec-c413-4714-b85b-6b7184d1c195" rel="reference">FIPS Publication 197</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a4aa9645-9a8a-4b51-90a9-e223250f9a75" rel="reference">CNSS Policy 15</link>
-         <part id="ma-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Approves and monitors nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                  with organizational policy and documented in the security plan for the information
-                  system;</p>
-            </part>
-            <part id="ma-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Maintains records for nonlocal maintenance and diagnostic activities; and</p>
-            </part>
-            <part id="ma-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Terminates session and network connections when nonlocal maintenance is
-                  completed.</p>
-            </part>
-         </part>
-         <part id="ma-4_gdn" name="guidance">
-            <p>Nonlocal maintenance and diagnostic activities are those activities conducted by
-               individuals communicating through a network, either an external network (e.g., the
-               Internet) or an internal network. Local maintenance and diagnostic activities are
-               those activities carried out by individuals physically present at the information
-               system or information system component and not communicating across a network
-               connection. Authentication techniques used in the establishment of nonlocal
-               maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-               Typically, strong authentication requires authenticators that are resistant to replay
-               attacks and employ multifactor authentication. Strong authenticators include, for
-               example, PKI where certificates are stored on a token protected by a password,
-               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-               other controls.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="ma-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-4.a_obj" name="objective">
-               <prop name="label">MA-4(a)</prop>
-               <part id="ma-4.a_obj.1" name="objective">
-                  <prop name="label">MA-4(a)[1]</prop>
-                  <p>approves nonlocal maintenance and diagnostic activities;</p>
-               </part>
-               <part id="ma-4.a_obj.2" name="objective">
-                  <prop name="label">MA-4(a)[2]</prop>
-                  <p>monitors nonlocal maintenance and diagnostic activities;</p>
-               </part>
-            </part>
-            <part id="ma-4.b_obj" name="objective">
-               <prop name="label">MA-4(b)</prop>
-               <p>allows the use of nonlocal maintenance and diagnostic tools only:</p>
-               <part id="ma-4.b_obj.1" name="objective">
-                  <prop name="label">MA-4(b)[1]</prop>
-                  <p>as consistent with organizational policy;</p>
-               </part>
-               <part id="ma-4.b_obj.2" name="objective">
-                  <prop name="label">MA-4(b)[2]</prop>
-                  <p>as documented in the security plan for the information system;</p>
-               </part>
-            </part>
-            <part id="ma-4.c_obj" name="objective">
-               <prop name="label">MA-4(c)</prop>
-               <p>employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4.d_obj" name="objective">
-               <prop name="label">MA-4(d)</prop>
-               <p>maintains records for nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4.e_obj" name="objective">
-               <prop name="label">MA-4(e)</prop>
-               <part id="ma-4.e_obj.1" name="objective">
-                  <prop name="label">MA-4(e)[1]</prop>
-                  <p>terminates sessions when nonlocal maintenance or diagnostics is completed;
-                     and</p>
-               </part>
-               <part id="ma-4.e_obj.2" name="objective">
-                  <prop name="label">MA-4(e)[2]</prop>
-                  <p>terminates network connections when nonlocal maintenance or diagnostics is
-                     completed.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing nonlocal information system maintenance</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>maintenance records</p>
-               <p>diagnostic records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing nonlocal maintenance</p>
-               <p>automated mechanisms implementing, supporting, and/or managing nonlocal
-                  maintenance</p>
-               <p>automated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                  sessions</p>
-               <p>automated mechanisms for terminating nonlocal maintenance sessions and network
-                  connections</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-5">
-         <title>Maintenance Personnel</title>
-         <prop name="label">MA-5</prop>
-         <prop name="sort-id">ma-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="ma-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes a process for maintenance personnel authorization and maintains a list
-                  of authorized maintenance organizations or personnel;</p>
-            </part>
-            <part id="ma-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part id="ma-5_gdn" name="guidance">
-            <p>This control applies to individuals performing hardware or software maintenance on
-               organizational information systems, while PE-2 addresses physical access for
-               individuals whose maintenance duties place them within the physical protection
-               perimeter of the systems (e.g., custodial staff, physical plant maintenance
-               personnel). Technical competence of supervising individuals relates to the
-               maintenance performed on the information systems while having required access
-               authorizations refers to maintenance on and near the systems. Individuals not
-               previously identified as authorized maintenance personnel, such as information
-               technology manufacturers, vendors, systems integrators, and consultants, may require
-               privileged access to organizational information systems, for example, when required
-               to conduct maintenance activities with little or no notice. Based on organizational
-               assessments of risk, organizations may issue temporary credentials to these
-               individuals. Temporary credentials may be for one-time use or for very limited time
-               periods.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="ma-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-5.a_obj" name="objective">
-               <prop name="label">MA-5(a)</prop>
-               <part id="ma-5.a_obj.1" name="objective">
-                  <prop name="label">MA-5(a)[1]</prop>
-                  <p>establishes a process for maintenance personnel authorization;</p>
-               </part>
-               <part id="ma-5.a_obj.2" name="objective">
-                  <prop name="label">MA-5(a)[2]</prop>
-                  <p>maintains a list of authorized maintenance organizations or personnel;</p>
-               </part>
-            </part>
-            <part id="ma-5.b_obj" name="objective">
-               <prop name="label">MA-5(b)</prop>
-               <p>ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5.c_obj" name="objective">
-               <prop name="label">MA-5(c)</prop>
-               <p>designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing maintenance personnel</p>
-               <p>service provider contracts</p>
-               <p>service-level agreements</p>
-               <p>list of authorized personnel</p>
-               <p>maintenance records</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for authorizing and managing maintenance personnel</p>
-               <p>automated mechanisms supporting and/or implementing authorization of maintenance
-                  personnel</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="mp">
-      <title>Media Protection</title>
-      <control class="SP800-53" id="mp-1">
-         <title>Media Protection Policy and Procedures</title>
-         <param id="mp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="mp-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="mp-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">MP-1</prop>
-         <prop name="sort-id">mp-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="mp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="mp-1_prm_1"/>:</p>
-               <part id="mp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A media protection policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="mp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the media protection policy and
-                     associated media protection controls; and</p>
-               </part>
-            </part>
-            <part id="mp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="mp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Media protection policy <insert param-id="mp-1_prm_2"/>; and</p>
-               </part>
-               <part id="mp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Media protection procedures <insert param-id="mp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="mp-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="mp-1.a_obj" name="objective">
-               <prop name="label">MP-1(a)</prop>
-               <part id="mp-1.a.1_obj" name="objective">
-                  <prop name="label">MP-1(a)(1)</prop>
-                  <part id="mp-1.a.1_obj.1" name="objective">
-                     <prop name="label">MP-1(a)(1)[1]</prop>
-                     <p>develops and documents a media protection policy that addresses:</p>
-                     <part id="mp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="mp-1.a.1_obj.2" name="objective">
-                     <prop name="label">MP-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the media protection policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.1_obj.3" name="objective">
-                     <prop name="label">MP-1(a)(1)[3]</prop>
-                     <p>disseminates the media protection policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="mp-1.a.2_obj" name="objective">
-                  <prop name="label">MP-1(a)(2)</prop>
-                  <part id="mp-1.a.2_obj.1" name="objective">
-                     <prop name="label">MP-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        media protection policy and associated media protection controls;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.2" name="objective">
-                     <prop name="label">MP-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.3" name="objective">
-                     <prop name="label">MP-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="mp-1.b_obj" name="objective">
-               <prop name="label">MP-1(b)</prop>
-               <part id="mp-1.b.1_obj" name="objective">
-                  <prop name="label">MP-1(b)(1)</prop>
-                  <part id="mp-1.b.1_obj.1" name="objective">
-                     <prop name="label">MP-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        policy;</p>
-                  </part>
-                  <part id="mp-1.b.1_obj.2" name="objective">
-                     <prop name="label">MP-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current media protection policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="mp-1.b.2_obj" name="objective">
-                  <prop name="label">MP-1(b)(2)</prop>
-                  <part id="mp-1.b.2_obj.1" name="objective">
-                     <prop name="label">MP-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        procedures; and</p>
-                  </part>
-                  <part id="mp-1.b.2_obj.2" name="objective">
-                     <prop name="label">MP-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current media protection procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Media protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media protection responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-2">
-         <title>Media Access</title>
-         <param id="mp-2_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-         </param>
-         <param id="mp-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">MP-2</prop>
-         <prop name="sort-id">mp-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-2_smt" name="statement">
-            <p>The organization restricts access to <insert param-id="mp-2_prm_1"/> to <insert param-id="mp-2_prm_2"/>.</p>
-         </part>
-         <part id="mp-2_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Restricting non-digital media access
-               includes, for example, denying access to patient medical records in a community
-               hospital unless the individuals seeking access to such records are authorized
-               healthcare providers. Restricting access to digital media includes, for example,
-               limiting access to design specifications stored on compact disks in the media library
-               to the project leader and the individuals on the development team.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="mp-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-2_obj.1" name="objective">
-               <prop name="label">MP-2[1]</prop>
-               <p>defines types of digital and/or non-digital media requiring restricted access;</p>
-            </part>
-            <part id="mp-2_obj.2" name="objective">
-               <prop name="label">MP-2[2]</prop>
-               <p>defines personnel or roles authorized to access organization-defined types of
-                  digital and/or non-digital media; and</p>
-            </part>
-            <part id="mp-2_obj.3" name="objective">
-               <prop name="label">MP-2[3]</prop>
-               <p>restricts access to organization-defined types of digital and/or non-digital media
-                  to organization-defined personnel or roles.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media access restrictions</p>
-               <p>access control policy and procedures</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>media storage facilities</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for restricting information media</p>
-               <p>automated mechanisms supporting and/or implementing media access restrictions</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-6">
-         <title>Media Sanitization</title>
-         <param id="mp-6_prm_1">
-            <label>organization-defined information system media</label>
-         </param>
-         <param id="mp-6_prm_2">
-            <label>organization-defined sanitization techniques and procedures</label>
-         </param>
-         <prop name="label">MP-6</prop>
-         <prop name="sort-id">mp-06</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a47466c4-c837-4f06-a39f-e68412a5f73d" rel="reference">http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</link>
-         <part id="mp-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Sanitizes <insert param-id="mp-6_prm_1"/> prior to disposal, release out of
-                  organizational control, or release for reuse using <insert param-id="mp-6_prm_2"/>
-                  in accordance with applicable federal and organizational standards and policies;
-                  and</p>
-            </part>
-            <part id="mp-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs sanitization mechanisms with the strength and integrity commensurate with
-                  the security category or classification of the information.</p>
-            </part>
-         </part>
-         <part id="mp-6_gdn" name="guidance">
-            <p>This control applies to all information system media, both digital and non-digital,
-               subject to disposal or reuse, whether or not the media is considered removable.
-               Examples include media found in scanners, copiers, printers, notebook computers,
-               workstations, network components, and mobile devices. The sanitization process
-               removes information from the media such that the information cannot be retrieved or
-               reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-               erase, and destruction, prevent the disclosure of information to unauthorized
-               individuals when such media is reused or released for disposal. Organizations
-               determine the appropriate sanitization methods recognizing that destruction is
-               sometimes necessary when other methods cannot be applied to media requiring
-               sanitization. Organizations use discretion on the employment of approved sanitization
-               techniques and procedures for media containing information deemed to be in the public
-               domain or publicly releasable, or deemed to have no adverse impact on organizations
-               or individuals if released for reuse or disposal. Sanitization of non-digital media
-               includes, for example, removing a classified appendix from an otherwise unclassified
-               document, or redacting selected sections or words from a document by obscuring the
-               redacted sections/words in a manner equivalent in effectiveness to removing them from
-               the document. NSA standards and policies control the sanitization process for media
-               containing classified information.</p>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-4">SC-4</link>
-         </part>
-         <part id="mp-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-6.a_obj" name="objective">
-               <prop name="label">MP-6(a)</prop>
-               <part id="mp-6.a_obj.1" name="objective">
-                  <prop name="label">MP-6(a)[1]</prop>
-                  <p>defines information system media to be sanitized prior to:</p>
-                  <part id="mp-6.a_obj.1.a" name="objective">
-                     <prop name="label">MP-6(a)[1][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.b" name="objective">
-                     <prop name="label">MP-6(a)[1][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.c" name="objective">
-                     <prop name="label">MP-6(a)[1][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.2" name="objective">
-                  <prop name="label">MP-6(a)[2]</prop>
-                  <p>defines sanitization techniques or procedures to be used for sanitizing
-                     organization-defined information system media prior to:</p>
-                  <part id="mp-6.a_obj.2.a" name="objective">
-                     <prop name="label">MP-6(a)[2][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.b" name="objective">
-                     <prop name="label">MP-6(a)[2][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.c" name="objective">
-                     <prop name="label">MP-6(a)[2][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.3" name="objective">
-                  <prop name="label">MP-6(a)[3]</prop>
-                  <p>sanitizes organization-defined information system media prior to disposal,
-                     release out of organizational control, or release for reuse using
-                     organization-defined sanitization techniques or procedures in accordance with
-                     applicable federal and organizational standards and policies; and</p>
-               </part>
-            </part>
-            <part id="mp-6.b_obj" name="objective">
-               <prop name="label">MP-6(b)</prop>
-               <p>employs sanitization mechanisms with strength and integrity commensurate with the
-                  security category or classification of the information.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media sanitization and disposal</p>
-               <p>applicable federal standards and policies addressing media sanitization</p>
-               <p>media sanitization records</p>
-               <p>audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media sanitization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media sanitization</p>
-               <p>automated mechanisms supporting and/or implementing media sanitization</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-7">
-         <title>Media Use</title>
-         <param id="mp-7_prm_1"/>
-         <param id="mp-7_prm_2">
-            <label>organization-defined types of information system media</label>
-         </param>
-         <param id="mp-7_prm_3">
-            <label>organization-defined information systems or system components</label>
-         </param>
-         <param id="mp-7_prm_4">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">MP-7</prop>
-         <prop name="sort-id">mp-07</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-7_smt" name="statement">
-            <p>The organization <insert param-id="mp-7_prm_1"/> the use of <insert param-id="mp-7_prm_2"/> on <insert param-id="mp-7_prm_3"/> using <insert param-id="mp-7_prm_4"/>.</p>
-         </part>
-         <part id="mp-7_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. This control also applies to mobile
-               devices with information storage capability (e.g., smart phones, tablets, E-readers).
-               In contrast to MP-2, which restricts user access to media, this control restricts the
-               use of certain types of media on information systems, for example,
-               restricting/prohibiting the use of flash drives or external hard disk drives.
-               Organizations can employ technical and nontechnical safeguards (e.g., policies,
-               procedures, rules of behavior) to restrict the use of information system media.
-               Organizations may restrict the use of portable storage devices, for example, by using
-               physical cages on workstations to prohibit access to certain external ports, or
-               disabling/removing the ability to insert, read or write to such devices.
-               Organizations may also limit the use of portable storage devices to only approved
-               devices including, for example, devices provided by the organization, devices
-               provided by other approved organizations, and devices that are not personally owned.
-               Finally, organizations may restrict the use of portable storage devices based on the
-               type of device, for example, prohibiting the use of writeable, portable storage
-               devices, and implementing this restriction by disabling or removing the capability to
-               write to such devices.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="mp-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-7_obj.1" name="objective">
-               <prop name="label">MP-7[1]</prop>
-               <p>defines types of information system media to be:</p>
-               <part id="mp-7_obj.1.a" name="objective">
-                  <prop name="label">MP-7[1][a]</prop>
-                  <p>restricted on information systems or system components; or</p>
-               </part>
-               <part id="mp-7_obj.1.b" name="objective">
-                  <prop name="label">MP-7[1][b]</prop>
-                  <p>prohibited from use on information systems or system components;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.2" name="objective">
-               <prop name="label">MP-7[2]</prop>
-               <p>defines information systems or system components on which the use of
-                  organization-defined types of information system media is to be one of the
-                  following:</p>
-               <part id="mp-7_obj.2.a" name="objective">
-                  <prop name="label">MP-7[2][a]</prop>
-                  <p>restricted; or</p>
-               </part>
-               <part id="mp-7_obj.2.b" name="objective">
-                  <prop name="label">MP-7[2][b]</prop>
-                  <p>prohibited;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.3" name="objective">
-               <prop name="label">MP-7[3]</prop>
-               <p>defines security safeguards to be employed to restrict or prohibit the use of
-                  organization-defined types of information system media on organization-defined
-                  information systems or system components; and</p>
-            </part>
-            <part id="mp-7_obj.4" name="objective">
-               <prop name="label">MP-7[4]</prop>
-               <p>restricts or prohibits the use of organization-defined information system media on
-                  organization-defined information systems or system components using
-                  organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>system use policy</p>
-               <p>procedures addressing media usage restrictions</p>
-               <p>security plan</p>
-               <p>rules of behavior</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media use responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media use</p>
-               <p>automated mechanisms restricting or prohibiting use of information system media on
-                  information systems or system components</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pe">
-      <title>Physical and Environmental Protection</title>
-      <control class="SP800-53" id="pe-1">
-         <title>Physical and Environmental Protection Policy and Procedures</title>
-         <param id="pe-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pe-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pe-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-1</prop>
-         <prop name="sort-id">pe-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pe-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pe-1_prm_1"/>:</p>
-               <part id="pe-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A physical and environmental protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="pe-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the physical and environmental
-                     protection policy and associated physical and environmental protection
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="pe-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pe-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Physical and environmental protection policy <insert param-id="pe-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="pe-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Physical and environmental protection procedures <insert param-id="pe-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pe-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PE
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pe-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pe-1.a_obj" name="objective">
-               <prop name="label">PE-1(a)</prop>
-               <part id="pe-1.a.1_obj" name="objective">
-                  <prop name="label">PE-1(a)(1)</prop>
-                  <part id="pe-1.a.1_obj.1" name="objective">
-                     <prop name="label">PE-1(a)(1)[1]</prop>
-                     <p>develops and documents a physical and environmental protection policy that
-                        addresses:</p>
-                     <part id="pe-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pe-1.a.1_obj.2" name="objective">
-                     <prop name="label">PE-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the physical and environmental protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.1_obj.3" name="objective">
-                     <prop name="label">PE-1(a)(1)[3]</prop>
-                     <p>disseminates the physical and environmental protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="pe-1.a.2_obj" name="objective">
-                  <prop name="label">PE-1(a)(2)</prop>
-                  <part id="pe-1.a.2_obj.1" name="objective">
-                     <prop name="label">PE-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        physical and environmental protection policy and associated physical and
-                        environmental protection controls;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.2" name="objective">
-                     <prop name="label">PE-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.3" name="objective">
-                     <prop name="label">PE-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-1.b_obj" name="objective">
-               <prop name="label">PE-1(b)</prop>
-               <part id="pe-1.b.1_obj" name="objective">
-                  <prop name="label">PE-1(b)(1)</prop>
-                  <part id="pe-1.b.1_obj.1" name="objective">
-                     <prop name="label">PE-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection policy;</p>
-                  </part>
-                  <part id="pe-1.b.1_obj.2" name="objective">
-                     <prop name="label">PE-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pe-1.b.2_obj" name="objective">
-                  <prop name="label">PE-1(b)(2)</prop>
-                  <part id="pe-1.b.2_obj.1" name="objective">
-                     <prop name="label">PE-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection procedures; and</p>
-                  </part>
-                  <part id="pe-1.b.2_obj.2" name="objective">
-                     <prop name="label">PE-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical and environmental protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-2">
-         <title>Physical Access Authorizations</title>
-         <param id="pe-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="label">PE-2</prop>
-         <prop name="sort-id">pe-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="pe-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, approves, and maintains a list of individuals with authorized access to
-                  the facility where the information system resides;</p>
-            </part>
-            <part id="pe-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the access list detailing authorized facility access by individuals
-                     <insert param-id="pe-2_prm_1"/>; and</p>
-            </part>
-            <part id="pe-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part id="pe-2_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Authorization credentials include, for
-               example, badges, identification cards, and smart cards. Organizations determine the
-               strength of authorization credentials needed (including level of forge-proof badges,
-               smart cards, or identification cards) consistent with federal standards, policies,
-               and procedures. This control only applies to areas within facilities that have not
-               been designated as publicly accessible.</p>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="pe-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-2.a_obj" name="objective">
-               <prop name="label">PE-2(a)</prop>
-               <part id="pe-2.a_obj.1" name="objective">
-                  <prop name="label">PE-2(a)[1]</prop>
-                  <p>develops a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.2" name="objective">
-                  <prop name="label">PE-2(a)[2]</prop>
-                  <p>approves a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.3" name="objective">
-                  <prop name="label">PE-2(a)[3]</prop>
-                  <p>maintains a list of individuals with authorized access to the facility where
-                     the information system resides;</p>
-               </part>
-            </part>
-            <part id="pe-2.b_obj" name="objective">
-               <prop name="label">PE-2(b)</prop>
-               <p>issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2.c_obj" name="objective">
-               <prop name="label">PE-2(c)</prop>
-               <part id="pe-2.c_obj.1" name="objective">
-                  <prop name="label">PE-2(c)[1]</prop>
-                  <p>defines the frequency to review the access list detailing authorized facility
-                     access by individuals;</p>
-               </part>
-               <part id="pe-2.c_obj.2" name="objective">
-                  <prop name="label">PE-2(c)[2]</prop>
-                  <p>reviews the access list detailing authorized facility access by individuals
-                     with the organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="pe-2.d_obj" name="objective">
-               <prop name="label">PE-2(d)</prop>
-               <p>removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access authorizations</p>
-               <p>security plan</p>
-               <p>authorized personnel access list</p>
-               <p>authorization credentials</p>
-               <p>physical access list reviews</p>
-               <p>physical access termination records and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access authorization responsibilities</p>
-               <p>organizational personnel with physical access to information system facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access authorizations</p>
-               <p>automated mechanisms supporting and/or implementing physical access
-                  authorizations</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-3">
-         <title>Physical Access Control</title>
-         <param id="pe-3_prm_1">
-            <label>organization-defined entry/exit points to the facility where the information
-               system resides</label>
-         </param>
-         <param id="pe-3_prm_2">
-            <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-         </param>
-         <param id="pe-3_prm_3" depends-on="pe-3_prm_2">
-            <label>organization-defined physical access control systems/devices</label>
-         </param>
-         <param id="pe-3_prm_4">
-            <label>organization-defined entry/exit points</label>
-         </param>
-         <param id="pe-3_prm_5">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <param id="pe-3_prm_6">
-            <label>organization-defined circumstances requiring visitor escorts and
-               monitoring</label>
-            <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-         </param>
-         <param id="pe-3_prm_7">
-            <label>organization-defined physical access devices</label>
-         </param>
-         <param id="pe-3_prm_8">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="pe-3_prm_9">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="label">PE-3</prop>
-         <prop name="sort-id">pe-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <link href="#398e33fd-f404-4e5c-b90e-2d50d3181244" rel="reference">ICD 705</link>
-         <link href="#61081e7f-041d-4033-96a7-44a439071683" rel="reference">DoD Instruction 5200.39</link>
-         <link href="#dd2f5acd-08f1-435a-9837-f8203088dc1a" rel="reference">Personal Identity Verification (PIV) in Enterprise
-            Physical Access Control System (E-PACS)</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <part id="pe-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces physical access authorizations at <insert param-id="pe-3_prm_1"/> by;</p>
-               <part id="pe-3_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Verifying individual access authorizations before granting access to the
-                     facility; and</p>
-               </part>
-               <part id="pe-3_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Controlling ingress/egress to the facility using <insert param-id="pe-3_prm_2"/>;</p>
-               </part>
-            </part>
-            <part id="pe-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Maintains physical access audit logs for <insert param-id="pe-3_prm_4"/>;</p>
-            </part>
-            <part id="pe-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides <insert param-id="pe-3_prm_5"/> to control access to areas within the
-                  facility officially designated as publicly accessible;</p>
-            </part>
-            <part id="pe-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Escorts visitors and monitors visitor activity <insert param-id="pe-3_prm_6"/>;</p>
-            </part>
-            <part id="pe-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Secures keys, combinations, and other physical access devices;</p>
-            </part>
-            <part id="pe-3_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Inventories <insert param-id="pe-3_prm_7"/> every <insert param-id="pe-3_prm_8"/>;
-                  and</p>
-            </part>
-            <part id="pe-3_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changes combinations and keys <insert param-id="pe-3_prm_9"/> and/or when keys are
-                  lost, combinations are compromised, or individuals are transferred or
-                  terminated.</p>
-            </part>
-         </part>
-         <part id="pe-3_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Organizations determine the types of
-               facility guards needed including, for example, professional physical security staff
-               or other personnel such as administrative staff or information system users. Physical
-               access devices include, for example, keys, locks, combinations, and card readers.
-               Safeguards for publicly accessible areas within organizational facilities include,
-               for example, cameras, monitoring by guards, and isolating selected information
-               systems and/or system components in secured areas. Physical access control systems
-               comply with applicable federal laws, Executive Orders, directives, policies,
-               regulations, standards, and guidance. The Federal Identity, Credential, and Access
-               Management Program provides implementation guidance for identity, credential, and
-               access management capabilities for physical access control systems. Organizations
-               have flexibility in the types of audit logs employed. Audit logs can be procedural
-               (e.g., a written log of individuals accessing the facility and when such access
-               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-               thereof. Physical access points can include facility access points, interior access
-               points to information systems and/or components requiring supplemental access
-               controls, or both. Components of organizational information systems (e.g.,
-               workstations, terminals) may be located in areas designated as publicly accessible
-               with organizations safeguarding access to such devices.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-5">PE-5</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pe-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-3.a_obj" name="objective">
-               <prop name="label">PE-3(a)</prop>
-               <part id="pe-3.a_obj.1" name="objective">
-                  <prop name="label">PE-3(a)[1]</prop>
-                  <p>defines entry/exit points to the facility where the information system
-                     resides;</p>
-               </part>
-               <part id="pe-3.a_obj.2" name="objective">
-                  <prop name="label">PE-3(a)[2]</prop>
-                  <p>enforces physical access authorizations at organization-defined entry/exit
-                     points to the facility where the information system resides by:</p>
-                  <part id="pe-3.a.1_obj.2" name="objective">
-                     <prop name="label">PE-3(a)[2](1)</prop>
-                     <p>verifying individual access authorizations before granting access to the
-                        facility;</p>
-                  </part>
-                  <part id="pe-3.a.2_obj.2" name="objective">
-                     <prop name="label">PE-3(a)[2](2)</prop>
-                     <part id="pe-3.a.2_obj.2.a" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[a]</prop>
-                        <p>defining physical access control systems/devices to be employed to
-                           control ingress/egress to the facility where the information system
-                           resides;</p>
-                     </part>
-                     <part id="pe-3.a.2_obj.2.b" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[b]</prop>
-                        <p>using one or more of the following ways to control ingress/egress to the
-                           facility:</p>
-                        <part id="pe-3.a.2_obj.2.b.1" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][1]</prop>
-                           <p>organization-defined physical access control systems/devices;
-                              and/or</p>
-                        </part>
-                        <part id="pe-3.a.2_obj.2.b.2" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][2]</prop>
-                           <p>guards;</p>
-                        </part>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.b_obj" name="objective">
-               <prop name="label">PE-3(b)</prop>
-               <part id="pe-3.b_obj.1" name="objective">
-                  <prop name="label">PE-3(b)[1]</prop>
-                  <p>defines entry/exit points for which physical access audit logs are to be
-                     maintained;</p>
-               </part>
-               <part id="pe-3.b_obj.2" name="objective">
-                  <prop name="label">PE-3(b)[2]</prop>
-                  <p>maintains physical access audit logs for organization-defined entry/exit
-                     points;</p>
-               </part>
-            </part>
-            <part id="pe-3.c_obj" name="objective">
-               <prop name="label">PE-3(c)</prop>
-               <part id="pe-3.c_obj.1" name="objective">
-                  <prop name="label">PE-3(c)[1]</prop>
-                  <p>defines security safeguards to be employed to control access to areas within
-                     the facility officially designated as publicly accessible;</p>
-               </part>
-               <part id="pe-3.c_obj.2" name="objective">
-                  <prop name="label">PE-3(c)[2]</prop>
-                  <p>provides organization-defined security safeguards to control access to areas
-                     within the facility officially designated as publicly accessible;</p>
-               </part>
-            </part>
-            <part id="pe-3.d_obj" name="objective">
-               <prop name="label">PE-3(d)</prop>
-               <part id="pe-3.d_obj.1" name="objective">
-                  <prop name="label">PE-3(d)[1]</prop>
-                  <p>defines circumstances requiring visitor:</p>
-                  <part id="pe-3.d_obj.1.a" name="objective">
-                     <prop name="label">PE-3(d)[1][a]</prop>
-                     <p>escorts;</p>
-                  </part>
-                  <part id="pe-3.d_obj.1.b" name="objective">
-                     <prop name="label">PE-3(d)[1][b]</prop>
-                     <p>monitoring;</p>
-                  </part>
-               </part>
-               <part id="pe-3.d_obj.2" name="objective">
-                  <prop name="label">PE-3(d)[2]</prop>
-                  <p>in accordance with organization-defined circumstances requiring visitor escorts
-                     and monitoring:</p>
-                  <part id="pe-3.d_obj.2.a" name="objective">
-                     <prop name="label">PE-3(d)[2][a]</prop>
-                     <p>escorts visitors;</p>
-                  </part>
-                  <part id="pe-3.d_obj.2.b" name="objective">
-                     <prop name="label">PE-3(d)[2][b]</prop>
-                     <p>monitors visitor activities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.e_obj" name="objective">
-               <prop name="label">PE-3(e)</prop>
-               <part id="pe-3.e_obj.1" name="objective">
-                  <prop name="label">PE-3(e)[1]</prop>
-                  <p>secures keys;</p>
-               </part>
-               <part id="pe-3.e_obj.2" name="objective">
-                  <prop name="label">PE-3(e)[2]</prop>
-                  <p>secures combinations;</p>
-               </part>
-               <part id="pe-3.e_obj.3" name="objective">
-                  <prop name="label">PE-3(e)[3]</prop>
-                  <p>secures other physical access devices;</p>
-               </part>
-            </part>
-            <part id="pe-3.f_obj" name="objective">
-               <prop name="label">PE-3(f)</prop>
-               <part id="pe-3.f_obj.1" name="objective">
-                  <prop name="label">PE-3(f)[1]</prop>
-                  <p>defines physical access devices to be inventoried;</p>
-               </part>
-               <part id="pe-3.f_obj.2" name="objective">
-                  <prop name="label">PE-3(f)[2]</prop>
-                  <p>defines the frequency to inventory organization-defined physical access
-                     devices;</p>
-               </part>
-               <part id="pe-3.f_obj.3" name="objective">
-                  <prop name="label">PE-3(f)[3]</prop>
-                  <p>inventories the organization-defined physical access devices with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pe-3.g_obj" name="objective">
-               <prop name="label">PE-3(g)</prop>
-               <part id="pe-3.g_obj.1" name="objective">
-                  <prop name="label">PE-3(g)[1]</prop>
-                  <p>defines the frequency to change combinations and keys; and</p>
-               </part>
-               <part id="pe-3.g_obj.2" name="objective">
-                  <prop name="label">PE-3(g)[2]</prop>
-                  <p>changes combinations and keys with the organization-defined frequency and/or
-                     when:</p>
-                  <part id="pe-3.g_obj.2.a" name="objective">
-                     <prop name="label">PE-3(g)[2][a]</prop>
-                     <p>keys are lost;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.b" name="objective">
-                     <prop name="label">PE-3(g)[2][b]</prop>
-                     <p>combinations are compromised;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.c" name="objective">
-                     <prop name="label">PE-3(g)[2][c]</prop>
-                     <p>individuals are transferred or terminated.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access control</p>
-               <p>security plan</p>
-               <p>physical access control logs or records</p>
-               <p>inventory records of physical access control devices</p>
-               <p>information system entry and exit points</p>
-               <p>records of key and lock combination changes</p>
-               <p>storage locations for physical access control devices</p>
-               <p>physical access control devices</p>
-               <p>list of security safeguards controlling access to designated publicly accessible
-                  areas within facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access control</p>
-               <p>automated mechanisms supporting and/or implementing physical access control</p>
-               <p>physical access control devices</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-6">
-         <title>Monitoring Physical Access</title>
-         <param id="pe-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <param id="pe-6_prm_2">
-            <label>organization-defined events or potential indications of events</label>
-         </param>
-         <prop name="label">PE-6</prop>
-         <prop name="sort-id">pe-06</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="pe-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews physical access logs <insert param-id="pe-6_prm_1"/> and upon occurrence
-                  of <insert param-id="pe-6_prm_2"/>; and</p>
-            </part>
-            <part id="pe-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part id="pe-6_gdn" name="guidance">
-            <p>Organizational incident response capabilities include investigations of and responses
-               to detected physical security incidents. Security incidents include, for example,
-               apparent security violations or suspicious physical access activities. Suspicious
-               physical access activities include, for example: (i) accesses outside of normal work
-               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-               unusual lengths of time; and (iv) out-of-sequence accesses.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="pe-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-6.a_obj" name="objective">
-               <prop name="label">PE-6(a)</prop>
-               <p>monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6.b_obj" name="objective">
-               <prop name="label">PE-6(b)</prop>
-               <part id="pe-6.b_obj.1" name="objective">
-                  <prop name="label">PE-6(b)[1]</prop>
-                  <p>defines the frequency to review physical access logs;</p>
-               </part>
-               <part id="pe-6.b_obj.2" name="objective">
-                  <prop name="label">PE-6(b)[2]</prop>
-                  <p>defines events or potential indication of events requiring physical access logs
-                     to be reviewed;</p>
-               </part>
-               <part id="pe-6.b_obj.3" name="objective">
-                  <prop name="label">PE-6(b)[3]</prop>
-                  <p>reviews physical access logs with the organization-defined frequency and upon
-                     occurrence of organization-defined events or potential indications of events;
-                     and</p>
-               </part>
-            </part>
-            <part id="pe-6.c_obj" name="objective">
-               <prop name="label">PE-6(c)</prop>
-               <p>coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access monitoring</p>
-               <p>security plan</p>
-               <p>physical access logs or records</p>
-               <p>physical access monitoring records</p>
-               <p>physical access log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access monitoring responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring physical access</p>
-               <p>automated mechanisms supporting and/or implementing physical access monitoring</p>
-               <p>automated mechanisms supporting and/or implementing reviewing of physical access
-                  logs</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-8">
-         <title>Visitor Access Records</title>
-         <param id="pe-8_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>for a minimum of one (1) year</constraint>
-         </param>
-         <param id="pe-8_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="label">PE-8</prop>
-         <prop name="sort-id">pe-08</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="pe-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains visitor access records to the facility where the information system
-                  resides for <insert param-id="pe-8_prm_1"/>; and</p>
-            </part>
-            <part id="pe-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews visitor access records <insert param-id="pe-8_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="pe-8_gdn" name="guidance">
-            <p>Visitor access records include, for example, names and organizations of persons
-               visiting, visitor signatures, forms of identification, dates of access, entry and
-               departure times, purposes of visits, and names and organizations of persons visited.
-               Visitor access records are not required for publicly accessible areas.</p>
-         </part>
-         <part id="pe-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-8.a_obj" name="objective">
-               <prop name="label">PE-8(a)</prop>
-               <part id="pe-8.a_obj.1" name="objective">
-                  <prop name="label">PE-8(a)[1]</prop>
-                  <p>defines the time period to maintain visitor access records to the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-8.a_obj.2" name="objective">
-                  <prop name="label">PE-8(a)[2]</prop>
-                  <p>maintains visitor access records to the facility where the information system
-                     resides for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="pe-8.b_obj" name="objective">
-               <prop name="label">PE-8(b)</prop>
-               <part id="pe-8.b_obj.1" name="objective">
-                  <prop name="label">PE-8(b)[1]</prop>
-                  <p>defines the frequency to review visitor access records; and</p>
-               </part>
-               <part id="pe-8.b_obj.2" name="objective">
-                  <prop name="label">PE-8(b)[2]</prop>
-                  <p>reviews visitor access records with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing visitor access records</p>
-               <p>security plan</p>
-               <p>visitor access control logs or records</p>
-               <p>visitor access record or log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with visitor access records responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for maintaining and reviewing visitor access records</p>
-               <p>automated mechanisms supporting and/or implementing maintenance and review of
-                  visitor access records</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-12">
-         <title>Emergency Lighting</title>
-         <prop name="label">PE-12</prop>
-         <prop name="sort-id">pe-12</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="pe-12_smt" name="statement">
-            <p>The organization employs and maintains automatic emergency lighting for the
-               information system that activates in the event of a power outage or disruption and
-               that covers emergency exits and evacuation routes within the facility.</p>
-         </part>
-         <part id="pe-12_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-12_obj" name="objective">
-            <p>Determine if the organization employs and maintains automatic emergency lighting for
-               the information system that: </p>
-            <part id="pe-12_obj.1" name="objective">
-               <prop name="label">PE-12[1]</prop>
-               <p>activates in the event of a power outage or disruption; and</p>
-            </part>
-            <part id="pe-12_obj.2" name="objective">
-               <prop name="label">PE-12[2]</prop>
-               <p>covers emergency exits and evacuation routes within the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing emergency lighting</p>
-               <p>emergency lighting documentation</p>
-               <p>emergency lighting test records</p>
-               <p>emergency exits and evacuation routes</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency lighting and/or
-                  planning</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing emergency lighting
-                  capability</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-13">
-         <title>Fire Protection</title>
-         <prop name="label">PE-13</prop>
-         <prop name="sort-id">pe-13</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="pe-13_smt" name="statement">
-            <p>The organization employs and maintains fire suppression and detection devices/systems
-               for the information system that are supported by an independent energy source.</p>
-         </part>
-         <part id="pe-13_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Fire suppression and detection devices/systems include, for example,
-               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-               detectors.</p>
-         </part>
-         <part id="pe-13_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-13_obj.1" name="objective">
-               <prop name="label">PE-13[1]</prop>
-               <p>employs fire suppression and detection devices/systems for the information system
-                  that are supported by an independent energy source; and</p>
-            </part>
-            <part id="pe-13_obj.2" name="objective">
-               <prop name="label">PE-13[2]</prop>
-               <p>maintains fire suppression and detection devices/systems for the information
-                  system that are supported by an independent energy source.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing fire protection</p>
-               <p>fire suppression and detection devices/systems</p>
-               <p>fire suppression and detection devices/systems documentation</p>
-               <p>test records of fire suppression and detection devices/systems</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for fire detection and suppression
-                  devices/systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing fire suppression/detection
-                  devices/systems</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-14">
-         <title>Temperature and Humidity Controls</title>
-         <param id="pe-14_prm_1">
-            <label>organization-defined acceptable levels</label>
-            <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-         </param>
-         <param id="pe-14_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>continuously</constraint>
-         </param>
-         <prop name="label">PE-14</prop>
-         <prop name="sort-id">pe-14</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="pe-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains temperature and humidity levels within the facility where the
-                  information system resides at <insert param-id="pe-14_prm_1"/>; and</p>
-            </part>
-            <part id="pe-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Monitors temperature and humidity levels <insert param-id="pe-14_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="pe-14_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources, for example, data centers, server rooms, and mainframe computer
-               rooms.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-14_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-14.a_obj" name="objective">
-               <prop name="label">PE-14(a)</prop>
-               <part id="pe-14.a_obj.1" name="objective">
-                  <prop name="label">PE-14(a)[1]</prop>
-                  <p>defines acceptable temperature levels to be maintained within the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.2" name="objective">
-                  <prop name="label">PE-14(a)[2]</prop>
-                  <p>defines acceptable humidity levels to be maintained within the facility where
-                     the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.3" name="objective">
-                  <prop name="label">PE-14(a)[3]</prop>
-                  <p>maintains temperature levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-               <part id="pe-14.a_obj.4" name="objective">
-                  <prop name="label">PE-14(a)[4]</prop>
-                  <p>maintains humidity levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-            </part>
-            <part id="pe-14.b_obj" name="objective">
-               <prop name="label">PE-14(b)</prop>
-               <part id="pe-14.b_obj.1" name="objective">
-                  <prop name="label">PE-14(b)[1]</prop>
-                  <p>defines the frequency to monitor temperature levels;</p>
-               </part>
-               <part id="pe-14.b_obj.2" name="objective">
-                  <prop name="label">PE-14(b)[2]</prop>
-                  <p>defines the frequency to monitor humidity levels;</p>
-               </part>
-               <part id="pe-14.b_obj.3" name="objective">
-                  <prop name="label">PE-14(b)[3]</prop>
-                  <p>monitors temperature levels with the organization-defined frequency; and</p>
-               </part>
-               <part id="pe-14.b_obj.4" name="objective">
-                  <prop name="label">PE-14(b)[4]</prop>
-                  <p>monitors humidity levels with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing temperature and humidity control</p>
-               <p>security plan</p>
-               <p>temperature and humidity controls</p>
-               <p>facility housing the information system</p>
-               <p>temperature and humidity controls documentation</p>
-               <p>temperature and humidity records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                  temperature and humidity levels</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-         <part id="pe-14_fr" name="item">
-            <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-            <part id="pe-14_fr_smt.a" name="item">
-               <prop name="label">(a) Requirement:</prop>
-               <p>The service provider measures temperature at server inlets and humidity levels
-                     by dew point.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-15">
-         <title>Water Damage Protection</title>
-         <prop name="label">PE-15</prop>
-         <prop name="sort-id">pe-15</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="pe-15_smt" name="statement">
-            <p>The organization protects the information system from damage resulting from water
-               leakage by providing master shutoff or isolation valves that are accessible, working
-               properly, and known to key personnel.</p>
-         </part>
-         <part id="pe-15_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Isolation valves can be employed in addition to or in lieu of master
-               shutoff valves to shut off water supplies in specific areas of concern, without
-               affecting entire organizations.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-15_obj" name="objective">
-            <p>Determine if the organization protects the information system from damage resulting
-               from water leakage by providing master shutoff or isolation valves that are: </p>
-            <part id="pe-15_obj.1" name="objective">
-               <prop name="label">PE-15[1]</prop>
-               <p>accessible;</p>
-            </part>
-            <part id="pe-15_obj.2" name="objective">
-               <prop name="label">PE-15[2]</prop>
-               <p>working properly; and</p>
-            </part>
-            <part id="pe-15_obj.3" name="objective">
-               <prop name="label">PE-15[3]</prop>
-               <p>known to key personnel.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing water damage protection</p>
-               <p>facility housing the information system</p>
-               <p>master shutoff valves</p>
-               <p>list of key personnel with knowledge of location and activation procedures for
-                  master shutoff valves for the plumbing system</p>
-               <p>master shutoff valve documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Master water-shutoff valves</p>
-               <p>organizational process for activating master water-shutoff</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-16">
-         <title>Delivery and Removal</title>
-         <param id="pe-16_prm_1">
-            <label>organization-defined types of information system components</label>
-            <constraint>all information system components</constraint>
-         </param>
-         <prop name="label">PE-16</prop>
-         <prop name="sort-id">pe-16</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="pe-16_smt" name="statement">
-            <p>The organization authorizes, monitors, and controls <insert param-id="pe-16_prm_1"/>
-               entering and exiting the facility and maintains records of those items.</p>
-         </part>
-         <part id="pe-16_gdn" name="guidance">
-            <p>Effectively enforcing authorizations for entry and exit of information system
-               components may require restricting access to delivery areas and possibly isolating
-               the areas from the information system and media libraries.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="pe-16_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-16_obj.1" name="objective">
-               <prop name="label">PE-16[1]</prop>
-               <p>defines types of information system components to be authorized, monitored, and
-                  controlled as such components are entering and exiting the facility;</p>
-            </part>
-            <part id="pe-16_obj.2" name="objective">
-               <prop name="label">PE-16[2]</prop>
-               <p>authorizes organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.3" name="objective">
-               <prop name="label">PE-16[3]</prop>
-               <p>monitors organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.4" name="objective">
-               <prop name="label">PE-16[4]</prop>
-               <p>controls organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.5" name="objective">
-               <prop name="label">PE-16[5]</prop>
-               <p>authorizes organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.6" name="objective">
-               <prop name="label">PE-16[6]</prop>
-               <p>monitors organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.7" name="objective">
-               <prop name="label">PE-16[7]</prop>
-               <p>controls organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.8" name="objective">
-               <prop name="label">PE-16[8]</prop>
-               <p>maintains records of information system components entering the facility; and</p>
-            </part>
-            <part id="pe-16_obj.9" name="objective">
-               <prop name="label">PE-16[9]</prop>
-               <p>maintains records of information system components exiting the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing delivery and removal of information system components from
-                  the facility</p>
-               <p>security plan</p>
-               <p>facility housing the information system</p>
-               <p>records of items entering and exiting the facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for controlling information system
-                  components entering and exiting the facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for authorizing, monitoring, and controlling information
-                  system-related items entering and exiting the facility</p>
-               <p>automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling information system-related items entering and exiting the facility</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pl">
-      <title>Planning</title>
-      <control class="SP800-53" id="pl-1">
-         <title>Security Planning Policy and Procedures</title>
-         <param id="pl-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pl-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-1</prop>
-         <prop name="sort-id">pl-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pl-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pl-1_prm_1"/>:</p>
-               <part id="pl-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="pl-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security planning policy and
-                     associated security planning controls; and</p>
-               </part>
-            </part>
-            <part id="pl-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pl-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security planning policy <insert param-id="pl-1_prm_2"/>; and</p>
-               </part>
-               <part id="pl-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security planning procedures <insert param-id="pl-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pl-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PL
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pl-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pl-1.a_obj" name="objective">
-               <prop name="label">PL-1(a)</prop>
-               <part id="pl-1.a.1_obj" name="objective">
-                  <prop name="label">PL-1(a)(1)</prop>
-                  <part id="pl-1.a.1_obj.1" name="objective">
-                     <prop name="label">PL-1(a)(1)[1]</prop>
-                     <p>develops and documents a planning policy that addresses:</p>
-                     <part id="pl-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pl-1.a.1_obj.2" name="objective">
-                     <prop name="label">PL-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the planning policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.1_obj.3" name="objective">
-                     <prop name="label">PL-1(a)(1)[3]</prop>
-                     <p>disseminates the planning policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="pl-1.a.2_obj" name="objective">
-                  <prop name="label">PL-1(a)(2)</prop>
-                  <part id="pl-1.a.2_obj.1" name="objective">
-                     <prop name="label">PL-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        planning policy and associated planning controls;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.2" name="objective">
-                     <prop name="label">PL-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.3" name="objective">
-                     <prop name="label">PL-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pl-1.b_obj" name="objective">
-               <prop name="label">PL-1(b)</prop>
-               <part id="pl-1.b.1_obj" name="objective">
-                  <prop name="label">PL-1(b)(1)</prop>
-                  <part id="pl-1.b.1_obj.1" name="objective">
-                     <prop name="label">PL-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current planning policy;</p>
-                  </part>
-                  <part id="pl-1.b.1_obj.2" name="objective">
-                     <prop name="label">PL-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current planning policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pl-1.b.2_obj" name="objective">
-                  <prop name="label">PL-1(b)(2)</prop>
-                  <part id="pl-1.b.2_obj.1" name="objective">
-                     <prop name="label">PL-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current planning procedures;
-                        and</p>
-                  </part>
-                  <part id="pl-1.b.2_obj.2" name="objective">
-                     <prop name="label">PL-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current planning procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-2">
-         <title>System Security Plan</title>
-         <param id="pl-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-2_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="label">PL-2</prop>
-         <prop name="sort-id">pl-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security plan for the information system that:</p>
-               <part id="pl-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring decisions; and</p>
-               </part>
-               <part id="pl-2_smt.a.9" name="item">
-                  <prop name="label">9.</prop>
-                  <p>Is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the security plan and communicates subsequent changes to the
-                  plan to <insert param-id="pl-2_prm_1"/>;</p>
-            </part>
-            <part id="pl-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the security plan for the information system <insert param-id="pl-2_prm_2"/>;</p>
-            </part>
-            <part id="pl-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the plan to address changes to the information system/environment of
-                  operation or problems identified during plan implementation or security control
-                  assessments; and</p>
-            </part>
-            <part id="pl-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Protects the security plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part id="pl-2_gdn" name="guidance">
-            <p>Security plans relate security requirements to a set of security controls and control
-               enhancements. Security plans also describe, at a high level, how the security
-               controls and control enhancements meet those security requirements, but do not
-               provide detailed, technical descriptions of the specific design or implementation of
-               the controls/enhancements. Security plans contain sufficient information (including
-               the specification of parameter values for assignment and selection statements either
-               explicitly or by reference) to enable a design and implementation that is
-               unambiguously compliant with the intent of the plans and subsequent determinations of
-               risk to organizational operations and assets, individuals, other organizations, and
-               the Nation if the plan is implemented as intended. Organizations can also apply
-               tailoring guidance to the security control baselines in Appendix D and CNSS
-               Instruction 1253 to develop overlays for community-wide use or to address specialized
-               requirements, technologies, or missions/environments of operation (e.g.,
-               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-               Access Management, space operations). Appendix I provides guidance on developing
-               overlays. Security plans need not be single documents; the plans can be a collection
-               of various documents including documents that already exist. Effective security plans
-               make extensive use of references to policies, procedures, and additional documents
-               (e.g., design and implementation specifications) where more detailed information can
-               be obtained. This reduces the documentation requirements associated with security
-               programs and maintains security-related information in other established
-               management/operational areas related to enterprise architecture, system development
-               life cycle, systems engineering, and acquisition. For example, security plans do not
-               contain detailed contingency plan or incident response plan information but instead
-               provide explicitly or by reference, sufficient information to define what needs to be
-               accomplished by those plans.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-7">PL-7</link>
-            <link rel="related" href="#pm-1">PM-1</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-         </part>
-         <part id="pl-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-2.a_obj" name="objective">
-               <prop name="label">PL-2(a)</prop>
-               <p>develops a security plan for the information system that:</p>
-               <part id="pl-2.a.1_obj" name="objective">
-                  <prop name="label">PL-2(a)(1)</prop>
-                  <p>is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2.a.2_obj" name="objective">
-                  <prop name="label">PL-2(a)(2)</prop>
-                  <p>explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2.a.3_obj" name="objective">
-                  <prop name="label">PL-2(a)(3)</prop>
-                  <p>describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2.a.4_obj" name="objective">
-                  <prop name="label">PL-2(a)(4)</prop>
-                  <p>provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2.a.5_obj" name="objective">
-                  <prop name="label">PL-2(a)(5)</prop>
-                  <p>describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2.a.6_obj" name="objective">
-                  <prop name="label">PL-2(a)(6)</prop>
-                  <p>provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2.a.7_obj" name="objective">
-                  <prop name="label">PL-2(a)(7)</prop>
-                  <p>identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2.a.8_obj" name="objective">
-                  <prop name="label">PL-2(a)(8)</prop>
-                  <p>describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring and supplemental
-                     decisions;</p>
-               </part>
-               <part id="pl-2.a.9_obj" name="objective">
-                  <prop name="label">PL-2(a)(9)</prop>
-                  <p>is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2.b_obj" name="objective">
-               <prop name="label">PL-2(b)</prop>
-               <part id="pl-2.b_obj.1" name="objective">
-                  <prop name="label">PL-2(b)[1]</prop>
-                  <p>defines personnel or roles to whom copies of the security plan are to be
-                     distributed and subsequent changes to the plan are to be communicated;</p>
-               </part>
-               <part id="pl-2.b_obj.2" name="objective">
-                  <prop name="label">PL-2(b)[2]</prop>
-                  <p>distributes copies of the security plan and communicates subsequent changes to
-                     the plan to organization-defined personnel or roles;</p>
-               </part>
-            </part>
-            <part id="pl-2.c_obj" name="objective">
-               <prop name="label">PL-2(c)</prop>
-               <part id="pl-2.c_obj.1" name="objective">
-                  <prop name="label">PL-2(c)[1]</prop>
-                  <p>defines the frequency to review the security plan for the information
-                     system;</p>
-               </part>
-               <part id="pl-2.c_obj.2" name="objective">
-                  <prop name="label">PL-2(c)[2]</prop>
-                  <p>reviews the security plan for the information system with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pl-2.d_obj" name="objective">
-               <prop name="label">PL-2(d)</prop>
-               <p>updates the plan to address:</p>
-               <part id="pl-2.d_obj.1" name="objective">
-                  <prop name="label">PL-2(d)[1]</prop>
-                  <p>changes to the information system/environment of operation;</p>
-               </part>
-               <part id="pl-2.d_obj.2" name="objective">
-                  <prop name="label">PL-2(d)[2]</prop>
-                  <p>problems identified during plan implementation;</p>
-               </part>
-               <part id="pl-2.d_obj.3" name="objective">
-                  <prop name="label">PL-2(d)[3]</prop>
-                  <p>problems identified during security control assessments;</p>
-               </part>
-            </part>
-            <part id="pl-2.e_obj" name="objective">
-               <prop name="label">PL-2(e)</prop>
-               <p>protects the security plan from unauthorized:</p>
-               <part id="pl-2.e_obj.1" name="objective">
-                  <prop name="label">PL-2(e)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="pl-2.e_obj.2" name="objective">
-                  <prop name="label">PL-2(e)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing security plan development and implementation</p>
-               <p>procedures addressing security plan reviews and updates</p>
-               <p>enterprise architecture documentation</p>
-               <p>security plan for the information system</p>
-               <p>records of security plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security plan development/review/update/approval</p>
-               <p>automated mechanisms supporting the information system security plan</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-4">
-         <title>Rules of Behavior</title>
-         <param id="pl-4_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-4</prop>
-         <prop name="sort-id">pl-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and makes readily available to individuals requiring access to the
-                  information system, the rules that describe their responsibilities and expected
-                  behavior with regard to information and information system usage;</p>
-            </part>
-            <part id="pl-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Receives a signed acknowledgment from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates the rules of behavior <insert param-id="pl-4_prm_1"/>; and</p>
-            </part>
-            <part id="pl-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires individuals who have signed a previous version of the rules of behavior
-                  to read and re-sign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part id="pl-4_gdn" name="guidance">
-            <p>This control enhancement applies to organizational users. Organizations consider
-               rules of behavior based on individual user roles and responsibilities,
-               differentiating, for example, between rules that apply to privileged users and rules
-               that apply to general users. Establishing rules of behavior for some types of
-               non-organizational users including, for example, individuals who simply receive
-               data/information from federal information systems, is often not feasible given the
-               large number of such users and the limited nature of their interactions with the
-               systems. Rules of behavior for both organizational and non-organizational users can
-               also be established in AC-8, System Use Notification. PL-4 b. (the signed
-               acknowledgment portion of this control) may be satisfied by the security awareness
-               training and role-based security training programs conducted by organizations if such
-               training includes rules of behavior. Organizations can use electronic signatures for
-               acknowledging rules of behavior.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-         </part>
-         <part id="pl-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-4.a_obj" name="objective">
-               <prop name="label">PL-4(a)</prop>
-               <part id="pl-4.a_obj.1" name="objective">
-                  <prop name="label">PL-4(a)[1]</prop>
-                  <p>establishes, for individuals requiring access to the information system, the
-                     rules that describe their responsibilities and expected behavior with regard to
-                     information and information system usage;</p>
-               </part>
-               <part id="pl-4.a_obj.2" name="objective">
-                  <prop name="label">PL-4(a)[2]</prop>
-                  <p>makes readily available to individuals requiring access to the information
-                     system, the rules that describe their responsibilities and expected behavior
-                     with regard to information and information system usage;</p>
-               </part>
-            </part>
-            <part id="pl-4.b_obj" name="objective">
-               <prop name="label">PL-4(b)</prop>
-               <p>receives a signed acknowledgement from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4.c_obj" name="objective">
-               <prop name="label">PL-4(c)</prop>
-               <part id="pl-4.c_obj.1" name="objective">
-                  <prop name="label">PL-4(c)[1]</prop>
-                  <p>defines the frequency to review and update the rules of behavior;</p>
-               </part>
-               <part id="pl-4.c_obj.2" name="objective">
-                  <prop name="label">PL-4(c)[2]</prop>
-                  <p>reviews and updates the rules of behavior with the organization-defined
-                     frequency; and</p>
-               </part>
-            </part>
-            <part id="pl-4.d_obj" name="objective">
-               <prop name="label">PL-4(d)</prop>
-               <p>requires individuals who have signed a previous version of the rules of behavior
-                  to read and resign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing rules of behavior for information system users</p>
-               <p>rules of behavior</p>
-               <p>signed acknowledgements</p>
-               <p>records for rules of behavior reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for establishing, reviewing, and
-                  updating rules of behavior</p>
-               <p>organizational personnel who are authorized users of the information system and
-                  have signed and resigned rules of behavior</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for establishing, reviewing, disseminating, and updating
-                  rules of behavior</p>
-               <p>automated mechanisms supporting and/or implementing the establishment, review,
-                  dissemination, and update of rules of behavior</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ps">
-      <title>Personnel Security</title>
-      <control class="SP800-53" id="ps-1">
-         <title>Personnel Security Policy and Procedures</title>
-         <param id="ps-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ps-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-1</prop>
-         <prop name="sort-id">ps-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ps-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ps-1_prm_1"/>:</p>
-               <part id="ps-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A personnel security policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ps-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the personnel security policy
-                     and associated personnel security controls; and</p>
-               </part>
-            </part>
-            <part id="ps-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ps-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Personnel security policy <insert param-id="ps-1_prm_2"/>; and</p>
-               </part>
-               <part id="ps-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Personnel security procedures <insert param-id="ps-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PS
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ps-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-1.a_obj" name="objective">
-               <prop name="label">PS-1(a)</prop>
-               <part id="ps-1.a.1_obj" name="objective">
-                  <prop name="label">PS-1(a)(1)</prop>
-                  <part id="ps-1.a.1_obj.1" name="objective">
-                     <prop name="label">PS-1(a)(1)[1]</prop>
-                     <p>develops and documents an personnel security policy that addresses:</p>
-                     <part id="ps-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ps-1.a.1_obj.2" name="objective">
-                     <prop name="label">PS-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the personnel security policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.1_obj.3" name="objective">
-                     <prop name="label">PS-1(a)(1)[3]</prop>
-                     <p>disseminates the personnel security policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ps-1.a.2_obj" name="objective">
-                  <prop name="label">PS-1(a)(2)</prop>
-                  <part id="ps-1.a.2_obj.1" name="objective">
-                     <prop name="label">PS-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        personnel security policy and associated personnel security controls;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.2" name="objective">
-                     <prop name="label">PS-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.3" name="objective">
-                     <prop name="label">PS-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ps-1.b_obj" name="objective">
-               <prop name="label">PS-1(b)</prop>
-               <part id="ps-1.b.1_obj" name="objective">
-                  <prop name="label">PS-1(b)(1)</prop>
-                  <part id="ps-1.b.1_obj.1" name="objective">
-                     <prop name="label">PS-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        policy;</p>
-                  </part>
-                  <part id="ps-1.b.1_obj.2" name="objective">
-                     <prop name="label">PS-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current personnel security policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ps-1.b.2_obj" name="objective">
-                  <prop name="label">PS-1(b)(2)</prop>
-                  <part id="ps-1.b.2_obj.1" name="objective">
-                     <prop name="label">PS-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        procedures; and</p>
-                  </part>
-                  <part id="ps-1.b.2_obj.2" name="objective">
-                     <prop name="label">PS-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current personnel security procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-2">
-         <title>Position Risk Designation</title>
-         <param id="ps-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-2</prop>
-         <prop name="sort-id">ps-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <part id="ps-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes screening criteria for individuals filling those positions; and</p>
-            </part>
-            <part id="ps-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates position risk designations <insert param-id="ps-2_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-2_gdn" name="guidance">
-            <p>Position risk designations reflect Office of Personnel Management policy and
-               guidance. Risk designations can guide and inform the types of authorizations
-               individuals receive when accessing organizational information and information
-               systems. Position screening criteria include explicit information security role
-               appointment requirements (e.g., training, security clearances).</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="ps-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-2.a_obj" name="objective">
-               <prop name="label">PS-2(a)</prop>
-               <p>assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2.b_obj" name="objective">
-               <prop name="label">PS-2(b)</prop>
-               <p>establishes screening criteria for individuals filling those positions;</p>
-            </part>
-            <part id="ps-2.c_obj" name="objective">
-               <prop name="label">PS-2(c)</prop>
-               <part id="ps-2.c_obj.1" name="objective">
-                  <prop name="label">PS-2(c)[1]</prop>
-                  <p>defines the frequency to review and update position risk designations; and</p>
-               </part>
-               <part id="ps-2.c_obj.2" name="objective">
-                  <prop name="label">PS-2(c)[2]</prop>
-                  <p>reviews and updates position risk designations with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing position categorization</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>list of risk designations for organizational positions</p>
-               <p>security plan</p>
-               <p>records of position risk designation reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for assigning, reviewing, and updating position risk
-                  designations</p>
-               <p>organizational processes for establishing screening criteria</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-3">
-         <title>Personnel Screening</title>
-         <param id="ps-3_prm_1">
-            <label>organization-defined conditions requiring rescreening and, where rescreening is
-               so indicated, the frequency of such rescreening</label>
-            <constraint>For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.</constraint>
-         </param>
-         <prop name="label">PS-3</prop>
-         <prop name="sort-id">ps-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <part id="ps-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Screens individuals prior to authorizing access to the information system; and</p>
-            </part>
-            <part id="ps-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Rescreens individuals according to <insert param-id="ps-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-3_gdn" name="guidance">
-            <p>Personnel screening and rescreening activities reflect applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, guidance, and
-               specific criteria established for the risk designations of assigned positions.
-               Organizations may define different rescreening conditions and frequencies for
-               personnel accessing information systems based on types of information processed,
-               stored, or transmitted by the systems.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-         </part>
-         <part id="ps-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-3.a_obj" name="objective">
-               <prop name="label">PS-3(a)</prop>
-               <p>screens individuals prior to authorizing access to the information system;</p>
-            </part>
-            <part id="ps-3.b_obj" name="objective">
-               <prop name="label">PS-3(b)</prop>
-               <part id="ps-3.b_obj.1" name="objective">
-                  <prop name="label">PS-3(b)[1]</prop>
-                  <p>defines conditions requiring re-screening;</p>
-               </part>
-               <part id="ps-3.b_obj.2" name="objective">
-                  <prop name="label">PS-3(b)[2]</prop>
-                  <p>defines the frequency of re-screening where it is so indicated; and</p>
-               </part>
-               <part id="ps-3.b_obj.3" name="objective">
-                  <prop name="label">PS-3(b)[3]</prop>
-                  <p>re-screens individuals in accordance with organization-defined conditions
-                     requiring re-screening and, where re-screening is so indicated, with the
-                     organization-defined frequency of such re-screening.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel screening</p>
-               <p>records of screened personnel</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel screening</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-4">
-         <title>Personnel Termination</title>
-         <param id="ps-4_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ps-4_prm_2">
-            <label>organization-defined information security topics</label>
-         </param>
-         <param id="ps-4_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-4_prm_4">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-4</prop>
-         <prop name="sort-id">ps-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="ps-4_smt" name="statement">
-            <p>The organization, upon termination of individual employment:</p>
-            <part id="ps-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Disables information system access within <insert param-id="ps-4_prm_1"/>;</p>
-            </part>
-            <part id="ps-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts exit interviews that include a discussion of <insert param-id="ps-4_prm_2"/>;</p>
-            </part>
-            <part id="ps-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Retains access to organizational information and information systems formerly
-                  controlled by terminated individual; and</p>
-            </part>
-            <part id="ps-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Notifies <insert param-id="ps-4_prm_3"/> within <insert param-id="ps-4_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-4_gdn" name="guidance">
-            <p>Information system-related property includes, for example, hardware authentication
-               tokens, system administration technical manuals, keys, identification cards, and
-               building passes. Exit interviews ensure that terminated individuals understand the
-               security constraints imposed by being former employees and that proper accountability
-               is achieved for information system-related property. Security topics of interest at
-               exit interviews can include, for example, reminding terminated individuals of
-               nondisclosure agreements and potential limitations on future employment. Exit
-               interviews may not be possible for some terminated individuals, for example, in cases
-               related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-               interviews are important for individuals with security clearances. Timely execution
-               of termination actions is essential for individuals terminated for cause. In certain
-               situations, organizations consider disabling the information system accounts of
-               individuals that are being terminated prior to the individuals being notified.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-4_obj" name="objective">
-            <p>Determine if the organization, upon termination of individual employment,:</p>
-            <part id="ps-4.a_obj" name="objective">
-               <prop name="label">PS-4(a)</prop>
-               <part id="ps-4.a_obj.1" name="objective">
-                  <prop name="label">PS-4(a)[1]</prop>
-                  <p>defines a time period within which to disable information system access;</p>
-               </part>
-               <part id="ps-4.a_obj.2" name="objective">
-                  <prop name="label">PS-4(a)[2]</prop>
-                  <p>disables information system access within the organization-defined time
-                     period;</p>
-               </part>
-            </part>
-            <part id="ps-4.b_obj" name="objective">
-               <prop name="label">PS-4(b)</prop>
-               <p>terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4.c_obj" name="objective">
-               <prop name="label">PS-4(c)</prop>
-               <part id="ps-4.c_obj.1" name="objective">
-                  <prop name="label">PS-4(c)[1]</prop>
-                  <p>defines information security topics to be discussed when conducting exit
-                     interviews;</p>
-               </part>
-               <part id="ps-4.c_obj.2" name="objective">
-                  <prop name="label">PS-4(c)[2]</prop>
-                  <p>conducts exit interviews that include a discussion of organization-defined
-                     information security topics;</p>
-               </part>
-            </part>
-            <part id="ps-4.d_obj" name="objective">
-               <prop name="label">PS-4(d)</prop>
-               <p>retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4.e_obj" name="objective">
-               <prop name="label">PS-4(e)</prop>
-               <p>retains access to organizational information and information systems formerly
-                  controlled by the terminated individual;</p>
-            </part>
-            <part id="ps-4.f_obj" name="objective">
-               <prop name="label">PS-4(f)</prop>
-               <part id="ps-4.f_obj.1" name="objective">
-                  <prop name="label">PS-4(f)[1]</prop>
-                  <p>defines personnel or roles to be notified of the termination;</p>
-               </part>
-               <part id="ps-4.f_obj.2" name="objective">
-                  <prop name="label">PS-4(f)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles; and</p>
-               </part>
-               <part id="ps-4.f_obj.3" name="objective">
-                  <prop name="label">PS-4(f)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel termination</p>
-               <p>records of personnel termination actions</p>
-               <p>list of information system accounts</p>
-               <p>records of terminated or revoked authenticators/credentials</p>
-               <p>records of exit interviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel termination</p>
-               <p>automated mechanisms supporting and/or implementing personnel termination
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-5">
-         <title>Personnel Transfer</title>
-         <param id="ps-5_prm_1">
-            <label>organization-defined transfer or reassignment actions</label>
-         </param>
-         <param id="ps-5_prm_2">
-            <label>organization-defined time period following the formal transfer action</label>
-         </param>
-         <param id="ps-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-5_prm_4">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-5</prop>
-         <prop name="sort-id">ps-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="ps-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and confirms ongoing operational need for current logical and physical
-                  access authorizations to information systems/facilities when individuals are
-                  reassigned or transferred to other positions within the organization;</p>
-            </part>
-            <part id="ps-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Initiates <insert param-id="ps-5_prm_1"/> within <insert param-id="ps-5_prm_2"/>;</p>
-            </part>
-            <part id="ps-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer; and</p>
-            </part>
-            <part id="ps-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Notifies <insert param-id="ps-5_prm_3"/> within <insert param-id="ps-5_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-5_gdn" name="guidance">
-            <p>This control applies when reassignments or transfers of individuals are permanent or
-               of such extended durations as to make the actions warranted. Organizations define
-               actions appropriate for the types of reassignments or transfers, whether permanent or
-               extended. Actions that may be required for personnel transfers or reassignments to
-               other positions within organizations include, for example: (i) returning old and
-               issuing new keys, identification cards, and building passes; (ii) closing information
-               system accounts and establishing new accounts; (iii) changing information system
-               access authorizations (i.e., privileges); and (iv) providing for access to official
-               records to which individuals had access at previous work locations and in previous
-               information system accounts.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-         </part>
-         <part id="ps-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-5.a_obj" name="objective">
-               <prop name="label">PS-5(a)</prop>
-               <p>when individuals are reassigned or transferred to other positions within the
-                  organization, reviews and confirms ongoing operational need for current:</p>
-               <part id="ps-5.a_obj.1" name="objective">
-                  <prop name="label">PS-5(a)[1]</prop>
-                  <p>logical access authorizations to information systems;</p>
-               </part>
-               <part id="ps-5.a_obj.2" name="objective">
-                  <prop name="label">PS-5(a)[2]</prop>
-                  <p>physical access authorizations to information systems and facilities;</p>
-               </part>
-            </part>
-            <part id="ps-5.b_obj" name="objective">
-               <prop name="label">PS-5(b)</prop>
-               <part id="ps-5.b_obj.1" name="objective">
-                  <prop name="label">PS-5(b)[1]</prop>
-                  <p>defines transfer or reassignment actions to be initiated following transfer or
-                     reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.2" name="objective">
-                  <prop name="label">PS-5(b)[2]</prop>
-                  <p>defines the time period within which transfer or reassignment actions must
-                     occur following transfer or reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.3" name="objective">
-                  <prop name="label">PS-5(b)[3]</prop>
-                  <p>initiates organization-defined transfer or reassignment actions within the
-                     organization-defined time period following transfer or reassignment;</p>
-               </part>
-            </part>
-            <part id="ps-5.c_obj" name="objective">
-               <prop name="label">PS-5(c)</prop>
-               <p>modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer;</p>
-            </part>
-            <part id="ps-5.d_obj" name="objective">
-               <prop name="label">PS-5(d)</prop>
-               <part id="ps-5.d_obj.1" name="objective">
-                  <prop name="label">PS-5(d)[1]</prop>
-                  <p>defines personnel or roles to be notified when individuals are reassigned or
-                     transferred to other positions within the organization;</p>
-               </part>
-               <part id="ps-5.d_obj.2" name="objective">
-                  <prop name="label">PS-5(d)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles when individuals are reassigned or transferred to other positions
-                     within the organization; and</p>
-               </part>
-               <part id="ps-5.d_obj.3" name="objective">
-                  <prop name="label">PS-5(d)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when individuals are reassigned or transferred
-                     to other positions within the organization.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel transfer</p>
-               <p>security plan</p>
-               <p>records of personnel transfer actions</p>
-               <p>list of information system and facility access authorizations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities organizational
-                  personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel transfer</p>
-               <p>automated mechanisms supporting and/or implementing personnel transfer
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-6">
-         <title>Access Agreements</title>
-         <param id="ps-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ps-6_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-6</prop>
-         <prop name="sort-id">ps-06</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="ps-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the access agreements <insert param-id="ps-6_prm_1"/>; and</p>
-            </part>
-            <part id="ps-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that individuals requiring access to organizational information and
-                  information systems:</p>
-               <part id="ps-6_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Sign appropriate access agreements prior to being granted access; and</p>
-               </part>
-               <part id="ps-6_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Re-sign access agreements to maintain access to organizational information
-                     systems when access agreements have been updated or <insert param-id="ps-6_prm_2"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-6_gdn" name="guidance">
-            <p>Access agreements include, for example, nondisclosure agreements, acceptable use
-               agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-               agreements include an acknowledgement that individuals have read, understand, and
-               agree to abide by the constraints associated with organizational information systems
-               to which access is authorized. Organizations can use electronic signatures to
-               acknowledge access agreements unless specifically prohibited by organizational
-               policy.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-         </part>
-         <part id="ps-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-6.a_obj" name="objective">
-               <prop name="label">PS-6(a)</prop>
-               <p>develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6.b_obj" name="objective">
-               <prop name="label">PS-6(b)</prop>
-               <part id="ps-6.b_obj.1" name="objective">
-                  <prop name="label">PS-6(b)[1]</prop>
-                  <p>defines the frequency to review and update the access agreements;</p>
-               </part>
-               <part id="ps-6.b_obj.2" name="objective">
-                  <prop name="label">PS-6(b)[2]</prop>
-                  <p>reviews and updates the access agreements with the organization-defined
-                     frequency;</p>
-               </part>
-            </part>
-            <part id="ps-6.c_obj" name="objective">
-               <prop name="label">PS-6(c)</prop>
-               <part id="ps-6.c.1_obj" name="objective">
-                  <prop name="label">PS-6(c)(1)</prop>
-                  <p>ensures that individuals requiring access to organizational information and
-                     information systems sign appropriate access agreements prior to being granted
-                     access;</p>
-               </part>
-               <part id="ps-6.c.2_obj" name="objective">
-                  <prop name="label">PS-6(c)(2)</prop>
-                  <part id="ps-6.c.2_obj.1" name="objective">
-                     <prop name="label">PS-6(c)(2)[1]</prop>
-                     <p>defines the frequency to re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been
-                        updated;</p>
-                  </part>
-                  <part id="ps-6.c.2_obj.2" name="objective">
-                     <prop name="label">PS-6(c)(2)[2]</prop>
-                     <p>ensures that individuals requiring access to organizational information and
-                        information systems re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been updated
-                        or with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing access agreements for organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>access agreements</p>
-               <p>records of access agreement reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel who have signed/resigned access agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access agreements</p>
-               <p>automated mechanisms supporting access agreements</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-7">
-         <title>Third-party Personnel Security</title>
-         <param id="ps-7_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-7_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-7</prop>
-         <prop name="sort-id">ps-07</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="ps-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes personnel security requirements including security roles and
-                  responsibilities for third-party providers;</p>
-            </part>
-            <part id="ps-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires third-party providers to notify <insert param-id="ps-7_prm_1"/> of any
-                  personnel transfers or terminations of third-party personnel who possess
-                  organizational credentials and/or badges, or who have information system
-                  privileges within <insert param-id="ps-7_prm_2"/>; and</p>
-            </part>
-            <part id="ps-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Monitors provider compliance.</p>
-            </part>
-         </part>
-         <part id="ps-7_gdn" name="guidance">
-            <p>Third-party providers include, for example, service bureaus, contractors, and other
-               organizations providing information system development, information technology
-               services, outsourced applications, and network and security management. Organizations
-               explicitly include personnel security requirements in acquisition-related documents.
-               Third-party providers may have personnel working at organizational facilities with
-               credentials, badges, or information system privileges issued by organizations.
-               Notifications of third-party personnel changes ensure appropriate termination of
-               privileges and credentials. Organizations define the transfers and terminations
-               deemed reportable by security-related characteristics that include, for example,
-               functions, roles, and nature of credentials/privileges associated with individuals
-               transferred or terminated.</p>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sa-21">SA-21</link>
-         </part>
-         <part id="ps-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-7.a_obj" name="objective">
-               <prop name="label">PS-7(a)</prop>
-               <p>establishes personnel security requirements, including security roles and
-                  responsibilities, for third-party providers;</p>
-            </part>
-            <part id="ps-7.b_obj" name="objective">
-               <prop name="label">PS-7(b)</prop>
-               <p>requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7.c_obj" name="objective">
-               <prop name="label">PS-7(c)</prop>
-               <p>documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7.d_obj" name="objective">
-               <prop name="label">PS-7(d)</prop>
-               <part id="ps-7.d_obj.1" name="objective">
-                  <prop name="label">PS-7(d)[1]</prop>
-                  <p>defines personnel or roles to be notified of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.2" name="objective">
-                  <prop name="label">PS-7(d)[2]</prop>
-                  <p>defines the time period within which third-party providers are required to
-                     notify organization-defined personnel or roles of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.3" name="objective">
-                  <prop name="label">PS-7(d)[3]</prop>
-                  <p>requires third-party providers to notify organization-defined personnel or
-                     roles within the organization-defined time period of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges; and</p>
-               </part>
-            </part>
-            <part id="ps-7.e_obj" name="objective">
-               <prop name="label">PS-7(e)</prop>
-               <p>monitors provider compliance.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing third-party personnel security</p>
-               <p>list of personnel security requirements</p>
-               <p>acquisition documents</p>
-               <p>service-level agreements</p>
-               <p>compliance monitoring process</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>third-party providers</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing and monitoring third-party personnel
-                  security</p>
-               <p>automated mechanisms supporting and/or implementing monitoring of provider
-                  compliance</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Attestation - Specifically stating that any third-party security personnel are
-                  treated as CSP employees.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-8">
-         <title>Personnel Sanctions</title>
-         <param id="ps-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-8_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-8</prop>
-         <prop name="sort-id">ps-08</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="ps-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures; and</p>
-            </part>
-            <part id="ps-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Notifies <insert param-id="ps-8_prm_1"/> within <insert param-id="ps-8_prm_2"/>
-                  when a formal employee sanctions process is initiated, identifying the individual
-                  sanctioned and the reason for the sanction.</p>
-            </part>
-         </part>
-         <part id="ps-8_gdn" name="guidance">
-            <p>Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Sanctions processes are
-               described in access agreements and can be included as part of general personnel
-               policies and procedures for organizations. Organizations consult with the Office of
-               the General Counsel regarding matters of employee sanctions.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-8.a_obj" name="objective">
-               <prop name="label">PS-8(a)</prop>
-               <p>employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures;</p>
-            </part>
-            <part id="ps-8.b_obj" name="objective">
-               <prop name="label">PS-8(b)</prop>
-               <part id="ps-8.b_obj.1" name="objective">
-                  <prop name="label">PS-8(b)[1]</prop>
-                  <p>defines personnel or roles to be notified when a formal employee sanctions
-                     process is initiated;</p>
-               </part>
-               <part id="ps-8.b_obj.2" name="objective">
-                  <prop name="label">PS-8(b)[2]</prop>
-                  <p>defines the time period within which organization-defined personnel or roles
-                     must be notified when a formal employee sanctions process is initiated; and</p>
-               </part>
-               <part id="ps-8.b_obj.3" name="objective">
-                  <prop name="label">PS-8(b)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when a formal employee sanctions process is
-                     initiated, identifying the individual sanctioned and the reason for the
-                     sanction.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel sanctions</p>
-               <p>rules of behavior</p>
-               <p>records of formal sanctions</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing personnel sanctions</p>
-               <p>automated mechanisms supporting and/or implementing notifications</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ra">
-      <title>Risk Assessment</title>
-      <control class="SP800-53" id="ra-1">
-         <title>Risk Assessment Policy and Procedures</title>
-         <param id="ra-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ra-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">RA-1</prop>
-         <prop name="sort-id">ra-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ra-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ra-1_prm_1"/>:</p>
-               <part id="ra-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A risk assessment policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ra-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the risk assessment policy and
-                     associated risk assessment controls; and</p>
-               </part>
-            </part>
-            <part id="ra-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ra-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Risk assessment policy <insert param-id="ra-1_prm_2"/>; and</p>
-               </part>
-               <part id="ra-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Risk assessment procedures <insert param-id="ra-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the RA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-1.a_obj" name="objective">
-               <prop name="label">RA-1(a)</prop>
-               <part id="ra-1.a.1_obj" name="objective">
-                  <prop name="label">RA-1(a)(1)</prop>
-                  <part id="ra-1.a.1_obj.1" name="objective">
-                     <prop name="label">RA-1(a)(1)[1]</prop>
-                     <p>develops and documents a risk assessment policy that addresses:</p>
-                     <part id="ra-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ra-1.a.1_obj.2" name="objective">
-                     <prop name="label">RA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the risk assessment policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.1_obj.3" name="objective">
-                     <prop name="label">RA-1(a)(1)[3]</prop>
-                     <p>disseminates the risk assessment policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ra-1.a.2_obj" name="objective">
-                  <prop name="label">RA-1(a)(2)</prop>
-                  <part id="ra-1.a.2_obj.1" name="objective">
-                     <prop name="label">RA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        risk assessment policy and associated risk assessment controls;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.2" name="objective">
-                     <prop name="label">RA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.3" name="objective">
-                     <prop name="label">RA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-1.b_obj" name="objective">
-               <prop name="label">RA-1(b)</prop>
-               <part id="ra-1.b.1_obj" name="objective">
-                  <prop name="label">RA-1(b)(1)</prop>
-                  <part id="ra-1.b.1_obj.1" name="objective">
-                     <prop name="label">RA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        policy;</p>
-                  </part>
-                  <part id="ra-1.b.1_obj.2" name="objective">
-                     <prop name="label">RA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current risk assessment policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ra-1.b.2_obj" name="objective">
-                  <prop name="label">RA-1(b)(2)</prop>
-                  <part id="ra-1.b.2_obj.1" name="objective">
-                     <prop name="label">RA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        procedures; and</p>
-                  </part>
-                  <part id="ra-1.b.2_obj.2" name="objective">
-                     <prop name="label">RA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current risk assessment procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>risk assessment policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-2">
-         <title>Security Categorization</title>
-         <prop name="label">RA-2</prop>
-         <prop name="sort-id">ra-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="ra-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that the authorizing official or authorizing official designated
-                  representative reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part id="ra-2_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective security
-               categorization decisions. Security categories describe the potential adverse impacts
-               to organizational operations, organizational assets, and individuals if
-               organizational information and information systems are comprised through a loss of
-               confidentiality, integrity, or availability. Organizations conduct the security
-               categorization process as an organization-wide activity with the involvement of chief
-               information officers, senior information security officers, information system
-               owners, mission/business owners, and information owners/stewards. Organizations also
-               consider the potential adverse impacts to other organizations and, in accordance with
-               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-               national-level adverse impacts. Security categorization processes carried out by
-               organizations facilitate the development of inventories of information assets, and
-               along with CM-8, mappings to specific information system components where information
-               is processed, stored, or transmitted.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="ra-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-2.a_obj" name="objective">
-               <prop name="label">RA-2(a)</prop>
-               <p>categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2.b_obj" name="objective">
-               <prop name="label">RA-2(b)</prop>
-               <p>documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2.c_obj" name="objective">
-               <prop name="label">RA-2(c)</prop>
-               <p>ensures the authorizing official or authorizing official designated representative
-                  reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing security categorization of organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>security categorization documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security categorization and risk assessment
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security categorization</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-3">
-         <title>Risk Assessment</title>
-         <param id="ra-3_prm_1"/>
-         <param id="ra-3_prm_2" depends-on="ra-3_prm_1">
-            <label>organization-defined document</label>
-            <constraint>security assessment report</constraint>
-         </param>
-         <param id="ra-3_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three (3) years or when a significant change occurs</constraint>
-         </param>
-         <param id="ra-3_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-3_prm_5">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three (3) years or when a significant change occurs</constraint>
-         </param>
-         <prop name="label">RA-3</prop>
-         <prop name="sort-id">ra-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ra-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of the information system and the information it processes, stores, or
-                  transmits;</p>
-            </part>
-            <part id="ra-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents risk assessment results in <insert param-id="ra-3_prm_1"/>;</p>
-            </part>
-            <part id="ra-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews risk assessment results <insert param-id="ra-3_prm_3"/>;</p>
-            </part>
-            <part id="ra-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Disseminates risk assessment results to <insert param-id="ra-3_prm_4"/>; and</p>
-            </part>
-            <part id="ra-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the risk assessment <insert param-id="ra-3_prm_5"/> or whenever there are
-                  significant changes to the information system or environment of operation
-                  (including the identification of new threats and vulnerabilities), or other
-                  conditions that may impact the security state of the system.</p>
-            </part>
-         </part>
-         <part id="ra-3_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective risk
-               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-               and impact to organizational operations and assets, individuals, other organizations,
-               and the Nation based on the operation and use of information systems. Risk
-               assessments also take into account risk from external parties (e.g., service
-               providers, contractors operating information systems on behalf of the organization,
-               individuals accessing organizational information systems, outsourcing entities). In
-               accordance with OMB policy and related E-authentication initiatives, authentication
-               of public users accessing federal information systems may also be required to protect
-               nonpublic or privacy-related information. As such, organizational assessments of risk
-               also address public access to federal information systems. Risk assessments (either
-               formal or informal) can be conducted at all three tiers in the risk management
-               hierarchy (i.e., organization level, mission/business process level, or information
-               system level) and at any phase in the system development life cycle. Risk assessments
-               can also be conducted at various steps in the Risk Management Framework, including
-               categorization, security control selection, security control implementation, security
-               control assessment, information system authorization, and security control
-               monitoring. RA-3 is noteworthy in that the control must be partially implemented
-               prior to the implementation of other controls in order to complete the first two
-               steps in the Risk Management Framework. Risk assessments can play an important role
-               in security control selection processes, particularly during the application of
-               tailoring guidance, which includes security control supplementation.</p>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-3.a_obj" name="objective">
-               <prop name="label">RA-3(a)</prop>
-               <p>conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of:</p>
-               <part id="ra-3.a_obj.1" name="objective">
-                  <prop name="label">RA-3(a)[1]</prop>
-                  <p>the information system;</p>
-               </part>
-               <part id="ra-3.a_obj.2" name="objective">
-                  <prop name="label">RA-3(a)[2]</prop>
-                  <p>the information the system processes, stores, or transmits;</p>
-               </part>
-            </part>
-            <part id="ra-3.b_obj" name="objective">
-               <prop name="label">RA-3(b)</prop>
-               <part id="ra-3.b_obj.1" name="objective">
-                  <prop name="label">RA-3(b)[1]</prop>
-                  <p>defines a document in which risk assessment results are to be documented (if
-                     not documented in the security plan or risk assessment report);</p>
-               </part>
-               <part id="ra-3.b_obj.2" name="objective">
-                  <prop name="label">RA-3(b)[2]</prop>
-                  <p>documents risk assessment results in one of the following:</p>
-                  <part id="ra-3.b_obj.2.a" name="objective">
-                     <prop name="label">RA-3(b)[2][a]</prop>
-                     <p>the security plan;</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.b" name="objective">
-                     <prop name="label">RA-3(b)[2][b]</prop>
-                     <p>the risk assessment report; or</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.c" name="objective">
-                     <prop name="label">RA-3(b)[2][c]</prop>
-                     <p>the organization-defined document;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-3.c_obj" name="objective">
-               <prop name="label">RA-3(c)</prop>
-               <part id="ra-3.c_obj.1" name="objective">
-                  <prop name="label">RA-3(c)[1]</prop>
-                  <p>defines the frequency to review risk assessment results;</p>
-               </part>
-               <part id="ra-3.c_obj.2" name="objective">
-                  <prop name="label">RA-3(c)[2]</prop>
-                  <p>reviews risk assessment results with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ra-3.d_obj" name="objective">
-               <prop name="label">RA-3(d)</prop>
-               <part id="ra-3.d_obj.1" name="objective">
-                  <prop name="label">RA-3(d)[1]</prop>
-                  <p>defines personnel or roles to whom risk assessment results are to be
-                     disseminated;</p>
-               </part>
-               <part id="ra-3.d_obj.2" name="objective">
-                  <prop name="label">RA-3(d)[2]</prop>
-                  <p>disseminates risk assessment results to organization-defined personnel or
-                     roles;</p>
-               </part>
-            </part>
-            <part id="ra-3.e_obj" name="objective">
-               <prop name="label">RA-3(e)</prop>
-               <part id="ra-3.e_obj.1" name="objective">
-                  <prop name="label">RA-3(e)[1]</prop>
-                  <p>defines the frequency to update the risk assessment;</p>
-               </part>
-               <part id="ra-3.e_obj.2" name="objective">
-                  <prop name="label">RA-3(e)[2]</prop>
-                  <p>updates the risk assessment:</p>
-                  <part id="ra-3.e_obj.2.a" name="objective">
-                     <prop name="label">RA-3(e)[2][a]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.b" name="objective">
-                     <prop name="label">RA-3(e)[2][b]</prop>
-                     <p>whenever there are significant changes to the information system or
-                        environment of operation (including the identification of new threats and
-                        vulnerabilities); and</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.c" name="objective">
-                     <prop name="label">RA-3(e)[2][c]</prop>
-                     <p>whenever there are other conditions that may impact the security state of
-                        the system.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing organizational assessments of risk</p>
-               <p>security plan</p>
-               <p>risk assessment</p>
-               <p>risk assessment results</p>
-               <p>risk assessment reviews</p>
-               <p>risk assessment updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for risk assessment</p>
-               <p>automated mechanisms supporting and/or for conducting, documenting, reviewing,
-                  disseminating, and updating the risk assessment</p>
-            </part>
-         </part>
-         <part id="ra-3_fr" name="item">
-            <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-            <part id="ra-3_fr_gdn.1" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                     Appendix F</p>
-            </part>
-            <part id="ra-3_fr_smt.d" name="item">
-               <prop name="label">RA-3 (d) Requirement:</prop>
-               <p>Include all Authorizing Officials; for JAB authorizations to include
-                     FedRAMP.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-5">
-         <title>Vulnerability Scanning</title>
-         <param id="ra-5_prm_1">
-            <label>organization-defined frequency and/or randomly in accordance with
-               organization-defined process</label>
-            <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-         </param>
-         <param id="ra-5_prm_2">
-            <label>organization-defined response times</label>
-            <constraint>[high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.</constraint>
-         </param>
-         <param id="ra-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">RA-5</prop>
-         <prop name="sort-id">ra-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#15522e92-9192-463d-9646-6a01982db8ca" rel="reference">http://cwe.mitre.org</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <part id="ra-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Scans for vulnerabilities in the information system and hosted applications
-                     <insert param-id="ra-5_prm_1"/> and when new vulnerabilities potentially
-                  affecting the system/applications are identified and reported;</p>
-            </part>
-            <part id="ra-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Enumerating platforms, software flaws, and improper configurations;</p>
-               </part>
-               <part id="ra-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Formatting checklists and test procedures; and</p>
-               </part>
-               <part id="ra-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Analyzes vulnerability scan reports and results from security control
-                  assessments;</p>
-            </part>
-            <part id="ra-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Remediates legitimate vulnerabilities <insert param-id="ra-5_prm_2"/> in
-                  accordance with an organizational assessment of risk; and</p>
-            </part>
-            <part id="ra-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Shares information obtained from the vulnerability scanning process and security
-                  control assessments with <insert param-id="ra-5_prm_3"/> to help eliminate similar
-                  vulnerabilities in other information systems (i.e., systemic weaknesses or
-                  deficiencies).</p>
-            </part>
-         </part>
-         <part id="ra-5_gdn" name="guidance">
-            <p>Security categorization of information systems guides the frequency and
-               comprehensiveness of vulnerability scans. Organizations determine the required
-               vulnerability scanning for all information system components, ensuring that potential
-               sources of vulnerabilities such as networked printers, scanners, and copiers are not
-               overlooked. Vulnerability analyses for custom software applications may require
-               additional approaches such as static analysis, dynamic analysis, binary analysis, or
-               a hybrid of the three approaches. Organizations can employ these analysis approaches
-               in a variety of tools (e.g., web-based application scanners, static analysis tools,
-               binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-               example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-               protocols, and services that should not be accessible to users or devices; and (iii)
-               scanning for improperly configured or incorrectly operating information flow control
-               mechanisms. Organizations consider using tools that express vulnerabilities in the
-               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-               Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-               vulnerabilities. Suggested sources for vulnerability information include the Common
-               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-               addition, security control assessments such as red team exercises provide other
-               sources of potential vulnerabilities for which to scan. Organizations also consider
-               using tools that express vulnerability impact by the Common Vulnerability Scoring
-               System (CVSS).</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ra-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-5.a_obj" name="objective">
-               <prop name="label">RA-5(a)</prop>
-               <part id="ra-5.a_obj.1" name="objective">
-                  <prop name="label">RA-5(a)[1]</prop>
-                  <part id="ra-5.a_obj.1.a" name="objective">
-                     <prop name="label">RA-5(a)[1][a]</prop>
-                     <p>defines the frequency for conducting vulnerability scans on the information
-                        system and hosted applications; and/or</p>
-                  </part>
-                  <part id="ra-5.a_obj.1.b" name="objective">
-                     <prop name="label">RA-5(a)[1][b]</prop>
-                     <p>defines the process for conducting random vulnerability scans on the
-                        information system and hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.2" name="objective">
-                  <prop name="label">RA-5(a)[2]</prop>
-                  <p>in accordance with the organization-defined frequency and/or
-                     organization-defined process for conducting random scans, scans for
-                     vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.2.a" name="objective">
-                     <prop name="label">RA-5(a)[2][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.2.b" name="objective">
-                     <prop name="label">RA-5(a)[2][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.3" name="objective">
-                  <prop name="label">RA-5(a)[3]</prop>
-                  <p>when new vulnerabilities potentially affecting the system/applications are
-                     identified and reported, scans for vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.3.a" name="objective">
-                     <prop name="label">RA-5(a)[3][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.3.b" name="objective">
-                     <prop name="label">RA-5(a)[3][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.b_obj" name="objective">
-               <prop name="label">RA-5(b)</prop>
-               <p>employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5.b.1_obj" name="objective">
-                  <prop name="label">RA-5(b)(1)</prop>
-                  <part id="ra-5.b.1_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(1)[1]</prop>
-                     <p>enumerating platforms;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(1)[2]</prop>
-                     <p>enumerating software flaws;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.3" name="objective">
-                     <prop name="label">RA-5(b)(1)[3]</prop>
-                     <p>enumerating improper configurations;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.2_obj" name="objective">
-                  <prop name="label">RA-5(b)(2)</prop>
-                  <part id="ra-5.b.2_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(2)[1]</prop>
-                     <p>formatting checklists;</p>
-                  </part>
-                  <part id="ra-5.b.2_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(2)[2]</prop>
-                     <p>formatting test procedures;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.3_obj" name="objective">
-                  <prop name="label">RA-5(b)(3)</prop>
-                  <p>measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5.c_obj" name="objective">
-               <prop name="label">RA-5(c)</prop>
-               <part id="ra-5.c_obj.1" name="objective">
-                  <prop name="label">RA-5(c)[1]</prop>
-                  <p>analyzes vulnerability scan reports;</p>
-               </part>
-               <part id="ra-5.c_obj.2" name="objective">
-                  <prop name="label">RA-5(c)[2]</prop>
-                  <p>analyzes results from security control assessments;</p>
-               </part>
-            </part>
-            <part id="ra-5.d_obj" name="objective">
-               <prop name="label">RA-5(d)</prop>
-               <part id="ra-5.d_obj.1" name="objective">
-                  <prop name="label">RA-5(d)[1]</prop>
-                  <p>defines response times to remediate legitimate vulnerabilities in accordance
-                     with an organizational assessment of risk;</p>
-               </part>
-               <part id="ra-5.d_obj.2" name="objective">
-                  <prop name="label">RA-5(d)[2]</prop>
-                  <p>remediates legitimate vulnerabilities within the organization-defined response
-                     times in accordance with an organizational assessment of risk;</p>
-               </part>
-            </part>
-            <part id="ra-5.e_obj" name="objective">
-               <prop name="label">RA-5(e)</prop>
-               <part id="ra-5.e_obj.1" name="objective">
-                  <prop name="label">RA-5(e)[1]</prop>
-                  <p>defines personnel or roles with whom information obtained from the
-                     vulnerability scanning process and security control assessments is to be
-                     shared;</p>
-               </part>
-               <part id="ra-5.e_obj.2" name="objective">
-                  <prop name="label">RA-5(e)[2]</prop>
-                  <p>shares information obtained from the vulnerability scanning process with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies); and</p>
-               </part>
-               <part id="ra-5.e_obj.3" name="objective">
-                  <prop name="label">RA-5(e)[3]</prop>
-                  <p>shares information obtained from security control assessments with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>procedures addressing vulnerability scanning</p>
-               <p>risk assessment</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>vulnerability scanning tools and associated configuration documentation</p>
-               <p>vulnerability scanning results</p>
-               <p>patch and vulnerability management records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment, security control assessment and
-                  vulnerability scanning responsibilities</p>
-               <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-               <p>organizational personnel with vulnerability remediation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for vulnerability scanning, analysis, remediation, and
-                  information sharing</p>
-               <p>automated mechanisms supporting and/or implementing vulnerability scanning,
-                  analysis, remediation, and information sharing</p>
-            </part>
-         </part>
-         <part id="ra-5_fr_smt.a" name="item">
-            <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-            <prop name="label">RA-5 (a)Requirement:</prop>
-            <p>An accredited independent assessor scans operating systems/infrastructure, web
-                  applications, and databases once annually.</p>
-         </part>
-         <part id="ra-5_fr_smt.e" name="item">
-            <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-            <prop name="label">RA-5 (e)Requirement:</prop>
-            <p>To include all Authorizing Officials; for JAB authorizations to include
-                  FedRAMP.</p>
-         </part>
-         <part id="ra-5_fr" name="item">
-            <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-            <part id="ra-5_fr_gdn.1" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>
-                  <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                        Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sa">
-      <title>System and Services Acquisition</title>
-      <control class="SP800-53" id="sa-1">
-         <title>System and Services Acquisition Policy and Procedures</title>
-         <param id="sa-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sa-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sa-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SA-1</prop>
-         <prop name="sort-id">sa-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sa-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sa-1_prm_1"/>:</p>
-               <part id="sa-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and services acquisition policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="sa-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and services
-                     acquisition policy and associated system and services acquisition controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sa-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sa-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and services acquisition policy <insert param-id="sa-1_prm_2"/>; and</p>
-               </part>
-               <part id="sa-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and services acquisition procedures <insert param-id="sa-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sa-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-1.a_obj" name="objective">
-               <prop name="label">SA-1(a)</prop>
-               <part id="sa-1.a.1_obj" name="objective">
-                  <prop name="label">SA-1(a)(1)</prop>
-                  <part id="sa-1.a.1_obj.1" name="objective">
-                     <prop name="label">SA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and services acquisition policy that
-                        addresses:</p>
-                     <part id="sa-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sa-1.a.1_obj.2" name="objective">
-                     <prop name="label">SA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and services acquisition
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.1_obj.3" name="objective">
-                     <prop name="label">SA-1(a)(1)[3]</prop>
-                     <p>disseminates the system and services acquisition policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sa-1.a.2_obj" name="objective">
-                  <prop name="label">SA-1(a)(2)</prop>
-                  <part id="sa-1.a.2_obj.1" name="objective">
-                     <prop name="label">SA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and services acquisition policy and associated system and services
-                        acquisition controls;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.2" name="objective">
-                     <prop name="label">SA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.3" name="objective">
-                     <prop name="label">SA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-1.b_obj" name="objective">
-               <prop name="label">SA-1(b)</prop>
-               <part id="sa-1.b.1_obj" name="objective">
-                  <prop name="label">SA-1(b)(1)</prop>
-                  <part id="sa-1.b.1_obj.1" name="objective">
-                     <prop name="label">SA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition policy;</p>
-                  </part>
-                  <part id="sa-1.b.1_obj.2" name="objective">
-                     <prop name="label">SA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sa-1.b.2_obj" name="objective">
-                  <prop name="label">SA-1(b)(2)</prop>
-                  <part id="sa-1.b.2_obj.1" name="objective">
-                     <prop name="label">SA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition procedures; and</p>
-                  </part>
-                  <part id="sa-1.b.2_obj.2" name="objective">
-                     <prop name="label">SA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-2">
-         <title>Allocation of Resources</title>
-         <prop name="label">SA-2</prop>
-         <prop name="sort-id">sa-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#29fcfe59-33cd-494a-8756-5907ae3a8f92" rel="reference">NIST Special Publication 800-65</link>
-         <part id="sa-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Determines, documents, and allocates the resources required to protect the
-                  information system or information system service as part of its capital planning
-                  and investment control process; and</p>
-            </part>
-            <part id="sa-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part id="sa-2_gdn" name="guidance">
-            <p>Resource allocation for information security includes funding for the initial
-               information system or information system service acquisition and funding for the
-               sustainment of the system/service.</p>
-            <link rel="related" href="#pm-3">PM-3</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="sa-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-2.a_obj" name="objective">
-               <prop name="label">SA-2(a)</prop>
-               <p>determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2.b_obj" name="objective">
-               <prop name="label">SA-2(b)</prop>
-               <p>to protect the information system or information system service as part of its
-                  capital planning and investment control process:</p>
-               <part id="sa-2.b_obj.1" name="objective">
-                  <prop name="label">SA-2(b)[1]</prop>
-                  <p>determines the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.2" name="objective">
-                  <prop name="label">SA-2(b)[2]</prop>
-                  <p>documents the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.3" name="objective">
-                  <prop name="label">SA-2(b)[3]</prop>
-                  <p>allocates the resources required; and</p>
-               </part>
-            </part>
-            <part id="sa-2.c_obj" name="objective">
-               <prop name="label">SA-2(c)</prop>
-               <p>establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the allocation of resources to information security
-                  requirements</p>
-               <p>procedures addressing capital planning and investment control</p>
-               <p>organizational programming and budgeting documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with capital planning, investment control, organizational
-                  programming and budgeting responsibilities</p>
-               <p>organizational personnel responsible for determining information security
-                  requirements for information systems/services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information security requirements</p>
-               <p>organizational processes for capital planning, programming, and budgeting</p>
-               <p>automated mechanisms supporting and/or implementing organizational capital
-                  planning, programming, and budgeting</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-3">
-         <title>System Development Life Cycle</title>
-         <param id="sa-3_prm_1">
-            <label>organization-defined system development life cycle</label>
-         </param>
-         <prop name="label">SA-3</prop>
-         <prop name="sort-id">sa-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <part id="sa-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Manages the information system using <insert param-id="sa-3_prm_1"/> that
-                  incorporates information security considerations;</p>
-            </part>
-            <part id="sa-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part id="sa-3_gdn" name="guidance">
-            <p>A well-defined system development life cycle provides the foundation for the
-               successful development, implementation, and operation of organizational information
-               systems. To apply the required security controls within the system development life
-               cycle requires a basic understanding of information security, threats,
-               vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-               The security engineering principles in SA-8 cannot be properly applied if individuals
-               that design, code, and test information systems and system components (including
-               information technology products) do not understand security. Therefore, organizations
-               include qualified personnel, for example, chief information security officers,
-               security architects, security engineers, and information system security officers in
-               system development life cycle activities to ensure that security requirements are
-               incorporated into organizational information systems. It is equally important that
-               developers include individuals on the development team that possess the requisite
-               security expertise and skills to ensure that needed security capabilities are
-               effectively integrated into the information system. Security awareness and training
-               programs can help ensure that individuals having key security roles and
-               responsibilities have the appropriate experience, skills, and expertise to conduct
-               assigned system development life cycle activities. The effective integration of
-               security requirements into enterprise architecture also helps to ensure that
-               important security considerations are addressed early in the system development life
-               cycle and that those considerations are directly related to the organizational
-               mission/business processes. This process also facilitates the integration of the
-               information security architecture into the enterprise architecture, consistent with
-               organizational risk management and information security strategies.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-3.a_obj" name="objective">
-               <prop name="label">SA-3(a)</prop>
-               <part id="sa-3.a_obj.1" name="objective">
-                  <prop name="label">SA-3(a)[1]</prop>
-                  <p>defines a system development life cycle that incorporates information security
-                     considerations to be used to manage the information system;</p>
-               </part>
-               <part id="sa-3.a_obj.2" name="objective">
-                  <prop name="label">SA-3(a)[2]</prop>
-                  <p>manages the information system using the organization-defined system
-                     development life cycle;</p>
-               </part>
-            </part>
-            <part id="sa-3.b_obj" name="objective">
-               <prop name="label">SA-3(b)</prop>
-               <p>defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3.c_obj" name="objective">
-               <prop name="label">SA-3(c)</prop>
-               <p>identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3.d_obj" name="objective">
-               <prop name="label">SA-3(d)</prop>
-               <p>integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security into the system
-                  development life cycle process</p>
-               <p>information system development life cycle documentation</p>
-               <p>information security risk management strategy/program documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security and system life cycle
-                  development responsibilities</p>
-               <p>organizational personnel with information security risk management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining and documenting the SDLC</p>
-               <p>organizational processes for identifying SDLC roles and responsibilities</p>
-               <p>organizational process for integrating information security risk management into
-                  the SDLC</p>
-               <p>automated mechanisms supporting and/or implementing the SDLC</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-4">
-         <title>Acquisition Process</title>
-         <prop name="label">SA-4</prop>
-         <prop name="sort-id">sa-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#1737a687-52fb-4008-b900-cbfa836f7b65" rel="reference">ISO/IEC 15408</link>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#0a5db899-f033-467f-8631-f5a8ba971475" rel="reference">NIST Special Publication 800-23</link>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <link href="#d818efd3-db31-4953-8afa-9e76afe83ce2" rel="reference">NIST Special Publication 800-36</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#56d671da-6b7b-4abf-8296-84b61980390a" rel="reference">Federal Acquisition Regulation</link>
-         <link href="#c95a9986-3cd6-4a98-931b-ccfc56cb11e5" rel="reference">http://www.niap-ccevs.org</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <link href="#bbd50dd1-54ce-4432-959d-63ea564b1bb4" rel="reference">http://www.acquisition.gov/far</link>
-         <part id="sa-4_smt" name="statement">
-            <p>The organization includes the following requirements, descriptions, and criteria,
-               explicitly or by reference, in the acquisition contract for the information system,
-               system component, or information system service in accordance with applicable federal
-               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-               organizational mission/business needs:</p>
-            <part id="sa-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Security functional requirements;</p>
-            </part>
-            <part id="sa-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Security strength requirements;</p>
-            </part>
-            <part id="sa-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Security assurance requirements;</p>
-            </part>
-            <part id="sa-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Description of the information system development environment and environment in
-                  which the system is intended to operate; and</p>
-            </part>
-            <part id="sa-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Acceptance criteria.</p>
-            </part>
-         </part>
-         <part id="sa-4_gdn" name="guidance">
-            <p>Information system components are discrete, identifiable information technology
-               assets (e.g., hardware, software, or firmware) that represent the building blocks of
-               an information system. Information system components include commercial information
-               technology products. Security functional requirements include security capabilities,
-               security functions, and security mechanisms. Security strength requirements
-               associated with such capabilities, functions, and mechanisms include degree of
-               correctness, completeness, resistance to direct attack, and resistance to tampering
-               or bypass. Security assurance requirements include: (i) development processes,
-               procedures, practices, and methodologies; and (ii) evidence from development and
-               assessment activities providing grounds for confidence that the required security
-               functionality has been implemented and the required security strength has been
-               achieved. Security documentation requirements address all phases of the system
-               development life cycle. Security functionality, assurance, and documentation
-               requirements are expressed in terms of security controls and control enhancements
-               that have been selected through the tailoring process. The security control tailoring
-               process includes, for example, the specification of parameter values through the use
-               of assignment and selection statements and the specification of platform dependencies
-               and implementation information. Security documentation provides user and
-               administrator guidance regarding the implementation and operation of security
-               controls. The level of detail required in security documentation is based on the
-               security category or classification level of the information system and the degree to
-               which organizations depend on the stated security capability, functions, or
-               mechanisms to meet overall risk response expectations (as defined in the
-               organizational risk management strategy). Security requirements can also include
-               organizationally mandated configuration settings specifying allowed functions, ports,
-               protocols, and services. Acceptance criteria for information systems, information
-               system components, and information system services are defined in the same manner as
-               such criteria for any organizational acquisition or procurement. The Federal
-               Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-               from FISMA.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="sa-4_obj" name="objective">
-            <p>Determine if the organization includes the following requirements, descriptions, and
-               criteria, explicitly or by reference, in the acquisition contracts for the
-               information system, system component, or information system service in accordance
-               with applicable federal laws, Executive Orders, directives, policies, regulations,
-               standards, guidelines, and organizational mission/business needs:</p>
-            <part id="sa-4.a_obj" name="objective">
-               <prop name="label">SA-4(a)</prop>
-               <p>security functional requirements;</p>
-            </part>
-            <part id="sa-4.b_obj" name="objective">
-               <prop name="label">SA-4(b)</prop>
-               <p>security strength requirements;</p>
-            </part>
-            <part id="sa-4.c_obj" name="objective">
-               <prop name="label">SA-4(c)</prop>
-               <p>security assurance requirements;</p>
-            </part>
-            <part id="sa-4.d_obj" name="objective">
-               <prop name="label">SA-4(d)</prop>
-               <p>security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4.e_obj" name="objective">
-               <prop name="label">SA-4(e)</prop>
-               <p>requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4.f_obj" name="objective">
-               <prop name="label">SA-4(f)</prop>
-               <p>description of:</p>
-               <part id="sa-4.f_obj.1" name="objective">
-                  <prop name="label">SA-4(f)[1]</prop>
-                  <p>the information system development environment;</p>
-               </part>
-               <part id="sa-4.f_obj.2" name="objective">
-                  <prop name="label">SA-4(f)[2]</prop>
-                  <p>the environment in which the system is intended to operate; and</p>
-               </part>
-            </part>
-            <part id="sa-4.g_obj" name="objective">
-               <prop name="label">SA-4(g)</prop>
-               <p>acceptance criteria.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security requirements,
-                  descriptions, and criteria into the acquisition process</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>information system design documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security functional, strength, and assurance requirements</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information system security functional,
-                  strength, and assurance requirements</p>
-               <p>organizational processes for developing acquisition contracts</p>
-               <p>automated mechanisms supporting and/or implementing acquisitions and inclusion of
-                  security requirements in contracts</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-4.10">
-            <title>Use of Approved PIV Products</title>
-            <prop name="label">SA-4(10)</prop>
-            <prop name="sort-id">sa-04.10</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part id="sa-4.10_smt" name="statement">
-               <p>The organization employs only information technology products on the FIPS
-                  201-approved products list for Personal Identity Verification (PIV) capability
-                  implemented within organizational information systems.</p>
-            </part>
-            <part id="sa-4.10_gdn" name="guidance">
-               <link rel="related" href="#ia-2">IA-2</link>
-               <link rel="related" href="#ia-8">IA-8</link>
-            </part>
-            <part id="sa-4.10_obj" name="objective">
-               <p>Determine if the organization employs only information technology products on the
-                  FIPS 201-approved products list for Personal Identity Verification (PIV)
-                  capability implemented within organizational information systems. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>organizational personnel with responsibility for ensuring only FIPS
-                     201-approved products are implemented</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for selecting and employing FIPS 201-approved
-                     products</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-5">
-         <title>Information System Documentation</title>
-         <param id="sa-5_prm_1">
-            <label>organization-defined actions</label>
-         </param>
-         <param id="sa-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SA-5</prop>
-         <prop name="sort-id">sa-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="sa-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Secure configuration, installation, and operation of the system, component, or
-                     service;</p>
-               </part>
-               <part id="sa-5_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Effective use and maintenance of security functions/mechanisms; and</p>
-               </part>
-               <part id="sa-5_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>User-accessible security functions/mechanisms and how to effectively use those
-                     security functions/mechanisms;</p>
-               </part>
-               <part id="sa-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner; and</p>
-               </part>
-               <part id="sa-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>User responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents attempts to obtain information system, system component, or information
-                  system service documentation when such documentation is either unavailable or
-                  nonexistent and takes <insert param-id="sa-5_prm_1"/> in response;</p>
-            </part>
-            <part id="sa-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects documentation as required, in accordance with the risk management
-                  strategy; and</p>
-            </part>
-            <part id="sa-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Distributes documentation to <insert param-id="sa-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="sa-5_gdn" name="guidance">
-            <p>This control helps organizational personnel understand the implementation and
-               operation of security controls associated with information systems, system
-               components, and information system services. Organizations consider establishing
-               specific measures to determine the quality/completeness of the content provided. The
-               inability to obtain needed documentation may occur, for example, due to the age of
-               the information system/component or lack of support from developers and contractors.
-               In those situations, organizations may need to recreate selected documentation if
-               such documentation is essential to the effective implementation or operation of
-               security controls. The level of protection provided for selected information system,
-               component, or service documentation is commensurate with the security category or
-               classification of the system. For example, documentation associated with a key DoD
-               weapons system or command and control system would typically require a higher level
-               of protection than a routine administrative system. Documentation that addresses
-               information system vulnerabilities may also require an increased level of protection.
-               Secure operation of the information system, includes, for example, initially starting
-               the system and resuming secure system operation after any lapse in system
-               operation.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-         </part>
-         <part id="sa-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-5.a_obj" name="objective">
-               <prop name="label">SA-5(a)</prop>
-               <p>obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5.a.1_obj" name="objective">
-                  <prop name="label">SA-5(a)(1)</prop>
-                  <part id="sa-5.a.1_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(1)[1]</prop>
-                     <p>secure configuration of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(1)[2]</prop>
-                     <p>secure installation of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.3" name="objective">
-                     <prop name="label">SA-5(a)(1)[3]</prop>
-                     <p>secure operation of the system, system component, or service;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.2_obj" name="objective">
-                  <prop name="label">SA-5(a)(2)</prop>
-                  <part id="sa-5.a.2_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(2)[1]</prop>
-                     <p>effective use of the security features/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.a.2_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(2)[2]</prop>
-                     <p>effective maintenance of the security features/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.3_obj" name="objective">
-                  <prop name="label">SA-5(a)(3)</prop>
-                  <p>known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5.b_obj" name="objective">
-               <prop name="label">SA-5(b)</prop>
-               <p>obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5.b.1_obj" name="objective">
-                  <prop name="label">SA-5(b)(1)</prop>
-                  <part id="sa-5.b.1_obj.1" name="objective">
-                     <prop name="label">SA-5(b)(1)[1]</prop>
-                     <p>user-accessible security functions/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.b.1_obj.2" name="objective">
-                     <prop name="label">SA-5(b)(1)[2]</prop>
-                     <p>how to effectively use those functions/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.b.2_obj" name="objective">
-                  <prop name="label">SA-5(b)(2)</prop>
-                  <p>methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner;</p>
-               </part>
-               <part id="sa-5.b.3_obj" name="objective">
-                  <prop name="label">SA-5(b)(3)</prop>
-                  <p>user responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5.c_obj" name="objective">
-               <prop name="label">SA-5(c)</prop>
-               <part id="sa-5.c_obj.1" name="objective">
-                  <prop name="label">SA-5(c)[1]</prop>
-                  <p>defines actions to be taken after documented attempts to obtain information
-                     system, system component, or information system service documentation when such
-                     documentation is either unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.2" name="objective">
-                  <prop name="label">SA-5(c)[2]</prop>
-                  <p>documents attempts to obtain information system, system component, or
-                     information system service documentation when such documentation is either
-                     unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.3" name="objective">
-                  <prop name="label">SA-5(c)[3]</prop>
-                  <p>takes organization-defined actions in response;</p>
-               </part>
-            </part>
-            <part id="sa-5.d_obj" name="objective">
-               <prop name="label">SA-5(d)</prop>
-               <p>protects documentation as required, in accordance with the risk management
-                  strategy;</p>
-            </part>
-            <part id="sa-5.e_obj" name="objective">
-               <prop name="label">SA-5(e)</prop>
-               <part id="sa-5.e_obj.1" name="objective">
-                  <prop name="label">SA-5(e)[1]</prop>
-                  <p>defines personnel or roles to whom documentation is to be distributed; and</p>
-               </part>
-               <part id="sa-5.e_obj.2" name="objective">
-                  <prop name="label">SA-5(e)[2]</prop>
-                  <p>distributes documentation to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing information system documentation</p>
-               <p>information system documentation including administrator and user guides</p>
-               <p>records documenting attempts to obtain unavailable or nonexistent information
-                  system documentation</p>
-               <p>list of actions to be taken in response to documented attempts to obtain
-                  information system, system component, or information system service
-                  documentation</p>
-               <p>risk management strategy documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security requirements</p>
-               <p>system administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>information system developers</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for obtaining, protecting, and distributing information
-                  system administrator and user documentation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-9">
-         <title>External Information System Services</title>
-         <param id="sa-9_prm_1">
-            <label>organization-defined security controls</label>
-            <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-         </param>
-         <param id="sa-9_prm_2">
-            <label>organization-defined processes, methods, and techniques</label>
-            <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-         </param>
-         <prop name="label">SA-9</prop>
-         <prop name="sort-id">sa-09</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="sa-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires that providers of external information system services comply with
-                  organizational information security requirements and employ <insert param-id="sa-9_prm_1"/> in accordance with applicable federal laws, Executive
-                  Orders, directives, policies, regulations, standards, and guidance;</p>
-            </part>
-            <part id="sa-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents government oversight and user roles and responsibilities
-                  with regard to external information system services; and</p>
-            </part>
-            <part id="sa-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs <insert param-id="sa-9_prm_2"/> to monitor security control compliance by
-                  external service providers on an ongoing basis.</p>
-            </part>
-         </part>
-         <part id="sa-9_gdn" name="guidance">
-            <p>External information system services are services that are implemented outside of the
-               authorization boundaries of organizational information systems. This includes
-               services that are used by, but not a part of, organizational information systems.
-               FISMA and OMB policy require that organizations using external service providers that
-               are processing, storing, or transmitting federal information or operating information
-               systems on behalf of the federal government ensure that such providers meet the same
-               security requirements that federal agencies are required to meet. Organizations
-               establish relationships with external service providers in a variety of ways
-               including, for example, through joint ventures, business partnerships, contracts,
-               interagency agreements, lines of business arrangements, licensing agreements, and
-               supply chain exchanges. The responsibility for managing risks from the use of
-               external information system services remains with authorizing officials. For services
-               external to organizations, a chain of trust requires that organizations establish and
-               retain a level of confidence that each participating provider in the potentially
-               complex consumer-provider relationship provides adequate protection for the services
-               rendered. The extent and nature of this chain of trust varies based on the
-               relationships between organizations and the external providers. Organizations
-               document the basis for trust relationships so the relationships can be monitored over
-               time. External information system services documentation includes government, service
-               providers, end user security roles and responsibilities, and service-level
-               agreements. Service-level agreements define expectations of performance for security
-               controls, describe measurable outcomes, and identify remedies and response
-               requirements for identified instances of noncompliance.</p>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ir-7">IR-7</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-         </part>
-         <part id="sa-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-9.a_obj" name="objective">
-               <prop name="label">SA-9(a)</prop>
-               <part id="sa-9.a_obj.1" name="objective">
-                  <prop name="label">SA-9(a)[1]</prop>
-                  <p>defines security controls to be employed by providers of external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.a_obj.2" name="objective">
-                  <prop name="label">SA-9(a)[2]</prop>
-                  <p>requires that providers of external information system services comply with
-                     organizational information security requirements;</p>
-               </part>
-               <part id="sa-9.a_obj.3" name="objective">
-                  <prop name="label">SA-9(a)[3]</prop>
-                  <p>requires that providers of external information system services employ
-                     organization-defined security controls in accordance with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance;</p>
-               </part>
-            </part>
-            <part id="sa-9.b_obj" name="objective">
-               <prop name="label">SA-9(b)</prop>
-               <part id="sa-9.b_obj.1" name="objective">
-                  <prop name="label">SA-9(b)[1]</prop>
-                  <p>defines and documents government oversight with regard to external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.b_obj.2" name="objective">
-                  <prop name="label">SA-9(b)[2]</prop>
-                  <p>defines and documents user roles and responsibilities with regard to external
-                     information system services;</p>
-               </part>
-            </part>
-            <part id="sa-9.c_obj" name="objective">
-               <prop name="label">SA-9(c)</prop>
-               <part id="sa-9.c_obj.1" name="objective">
-                  <prop name="label">SA-9(c)[1]</prop>
-                  <p>defines processes, methods, and techniques to be employed to monitor security
-                     control compliance by external service providers; and</p>
-               </part>
-               <part id="sa-9.c_obj.2" name="objective">
-                  <prop name="label">SA-9(c)[2]</prop>
-                  <p>employs organization-defined processes, methods, and techniques to monitor
-                     security control compliance by external service providers on an ongoing
-                     basis.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing external information system services</p>
-               <p>procedures addressing methods and techniques for monitoring security control
-                  compliance by external service providers of information system services</p>
-               <p>acquisition contracts, service-level agreements</p>
-               <p>organizational security requirements and security specifications for external
-                  provider services</p>
-               <p>security control assessment evidence from external providers of information system
-                  services</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>external providers of information system services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-               <p>automated mechanisms for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sc">
-      <title>System and Communications Protection</title>
-      <control class="SP800-53" id="sc-1">
-         <title>System and Communications Protection Policy and Procedures</title>
-         <param id="sc-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sc-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sc-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SC-1</prop>
-         <prop name="sort-id">sc-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sc-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sc-1_prm_1"/>:</p>
-               <part id="sc-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and communications protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="sc-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and communications
-                     protection policy and associated system and communications protection controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sc-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sc-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and communications protection policy <insert param-id="sc-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="sc-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and communications protection procedures <insert param-id="sc-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sc-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-1.a_obj" name="objective">
-               <prop name="label">SC-1(a)</prop>
-               <part id="sc-1.a.1_obj" name="objective">
-                  <prop name="label">SC-1(a)(1)</prop>
-                  <part id="sc-1.a.1_obj.1" name="objective">
-                     <prop name="label">SC-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and communications protection policy that
-                        addresses:</p>
-                     <part id="sc-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sc-1.a.1_obj.2" name="objective">
-                     <prop name="label">SC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and communications protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.1_obj.3" name="objective">
-                     <prop name="label">SC-1(a)(1)[3]</prop>
-                     <p>disseminates the system and communications protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sc-1.a.2_obj" name="objective">
-                  <prop name="label">SC-1(a)(2)</prop>
-                  <part id="sc-1.a.2_obj.1" name="objective">
-                     <prop name="label">SC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and communications protection policy and associated system and
-                        communications protection controls;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.2" name="objective">
-                     <prop name="label">SC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.3" name="objective">
-                     <prop name="label">SC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sc-1.b_obj" name="objective">
-               <prop name="label">SC-1(b)</prop>
-               <part id="sc-1.b.1_obj" name="objective">
-                  <prop name="label">SC-1(b)(1)</prop>
-                  <part id="sc-1.b.1_obj.1" name="objective">
-                     <prop name="label">SC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection policy;</p>
-                  </part>
-                  <part id="sc-1.b.1_obj.2" name="objective">
-                     <prop name="label">SC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and communications protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sc-1.b.2_obj" name="objective">
-                  <prop name="label">SC-1(b)(2)</prop>
-                  <part id="sc-1.b.2_obj.1" name="objective">
-                     <prop name="label">SC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection procedures; and</p>
-                  </part>
-                  <part id="sc-1.b.2_obj.2" name="objective">
-                     <prop name="label">SC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and communications protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and communications protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-5">
-         <title>Denial of Service Protection</title>
-         <param id="sc-5_prm_1">
-            <label>organization-defined types of denial of service attacks or references to sources
-               for such information</label>
-         </param>
-         <param id="sc-5_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SC-5</prop>
-         <prop name="sort-id">sc-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <part id="sc-5_smt" name="statement">
-            <p>The information system protects against or limits the effects of the following types
-               of denial of service attacks: <insert param-id="sc-5_prm_1"/> by employing <insert param-id="sc-5_prm_2"/>.</p>
-         </part>
-         <part id="sc-5_gdn" name="guidance">
-            <p>A variety of technologies exist to limit, or in some cases, eliminate the effects of
-               denial of service attacks. For example, boundary protection devices can filter
-               certain types of packets to protect information system components on internal
-               organizational networks from being directly affected by denial of service attacks.
-               Employing increased capacity and bandwidth combined with service redundancy may also
-               reduce the susceptibility to denial of service attacks.</p>
-            <link rel="related" href="#sc-6">SC-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="sc-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-5_obj.1" name="objective">
-               <prop name="label">SC-5[1]</prop>
-               <p>the organization defines types of denial of service attacks or reference to source
-                  of such information for the information system to protect against or limit the
-                  effects;</p>
-            </part>
-            <part id="sc-5_obj.2" name="objective">
-               <prop name="label">SC-5[2]</prop>
-               <p>the organization defines security safeguards to be employed by the information
-                  system to protect against or limit the effects of organization-defined types of
-                  denial of service attacks; and</p>
-            </part>
-            <part id="sc-5_obj.3" name="objective">
-               <prop name="label">SC-5[3]</prop>
-               <p>the information system protects against or limits the effects of the
-                  organization-defined denial or service attacks (or reference to source for such
-                  information) by employing organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing denial of service protection</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>list of denial of services attacks requiring employment of security safeguards to
-                  protect against or limit effects of such attacks</p>
-               <p>list of security safeguards protecting against or limiting the effects of denial
-                  of service attacks</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms protecting against or limiting the effects of denial of
-                  service attacks</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: If availability is a requirement, define protections in place as per
-                  control requirement.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-7">
-         <title>Boundary Protection</title>
-         <param id="sc-7_prm_1"/>
-         <prop name="label">SC-7</prop>
-         <prop name="sort-id">sc-07</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#756a8e86-57d5-4701-8382-f7a40439665a" rel="reference">NIST Special Publication 800-41</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <part id="sc-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors and controls communications at the external boundary of the system and at
-                  key internal boundaries within the system;</p>
-            </part>
-            <part id="sc-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements subnetworks for publicly accessible system components that are <insert param-id="sc-7_prm_1"/> separated from internal organizational networks;
-                  and</p>
-            </part>
-            <part id="sc-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part id="sc-7_gdn" name="guidance">
-            <p>Managed interfaces include, for example, gateways, routers, firewalls, guards,
-               network-based malicious code analysis and virtualization systems, or encrypted
-               tunnels implemented within a security architecture (e.g., routers protecting
-               firewalls or application gateways residing on protected subnetworks). Subnetworks
-               that are physically or logically separated from internal networks are referred to as
-               demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-               organizational information systems includes, for example, restricting external web
-               traffic to designated web servers within managed interfaces and prohibiting external
-               traffic that appears to be spoofing internal addresses. Organizations consider the
-               shared nature of commercial telecommunications services in the implementation of
-               security controls associated with the use of such services. Commercial
-               telecommunications services are commonly based on network components and consolidated
-               management systems shared by all attached commercial customers, and may also include
-               third party-provided access lines and other service elements. Such transmission
-               services may represent sources of increased risk despite contract security
-               provisions.</p>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="sc-7_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-7.a_obj" name="objective">
-               <prop name="label">SC-7(a)</prop>
-               <part id="sc-7.a_obj.1" name="objective">
-                  <prop name="label">SC-7(a)[1]</prop>
-                  <p>monitors communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.2" name="objective">
-                  <prop name="label">SC-7(a)[2]</prop>
-                  <p>monitors communications at key internal boundaries within the system;</p>
-               </part>
-               <part id="sc-7.a_obj.3" name="objective">
-                  <prop name="label">SC-7(a)[3]</prop>
-                  <p>controls communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.4" name="objective">
-                  <prop name="label">SC-7(a)[4]</prop>
-                  <p>controls communications at key internal boundaries within the system;</p>
-               </part>
-            </part>
-            <part id="sc-7.b_obj" name="objective">
-               <prop name="label">SC-7(b)</prop>
-               <p>implements subnetworks for publicly accessible system components that are
-                  either:</p>
-               <part id="sc-7.b_obj.1" name="objective">
-                  <prop name="label">SC-7(b)[1]</prop>
-                  <p>physically separated from internal organizational networks; and/or</p>
-               </part>
-               <part id="sc-7.b_obj.2" name="objective">
-                  <prop name="label">SC-7(b)[2]</prop>
-                  <p>logically separated from internal organizational networks; and</p>
-               </part>
-            </part>
-            <part id="sc-7.c_obj" name="objective">
-               <prop name="label">SC-7(c)</prop>
-               <p>connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing boundary protection</p>
-               <p>list of key internal boundaries of the information system</p>
-               <p>information system design documentation</p>
-               <p>boundary protection hardware and software</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>enterprise security architecture documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with boundary protection responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing boundary protection capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-12">
-         <title>Cryptographic Key Establishment and Management</title>
-         <param id="sc-12_prm_1">
-            <label>organization-defined requirements for key generation, distribution, storage,
-               access, and destruction</label>
-         </param>
-         <prop name="label">SC-12</prop>
-         <prop name="sort-id">sc-12</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <part id="sc-12_smt" name="statement">
-            <p>The organization establishes and manages cryptographic keys for required cryptography
-               employed within the information system in accordance with <insert param-id="sc-12_prm_1"/>.</p>
-         </part>
-         <part id="sc-12_gdn" name="guidance">
-            <p>Cryptographic key management and establishment can be performed using manual
-               procedures or automated mechanisms with supporting manual procedures. Organizations
-               define key management requirements in accordance with applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, and guidance,
-               specifying appropriate options, levels, and parameters. Organizations manage trust
-               stores to ensure that only approved trust anchors are in such trust stores. This
-               includes certificates with visibility external to organizational information systems
-               and certificates related to the internal operations of systems.</p>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="sc-12_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-12_obj.1" name="objective">
-               <prop name="label">SC-12[1]</prop>
-               <p>defines requirements for cryptographic key:</p>
-               <part id="sc-12_obj.1.a" name="objective">
-                  <prop name="label">SC-12[1][a]</prop>
-                  <p>generation;</p>
-               </part>
-               <part id="sc-12_obj.1.b" name="objective">
-                  <prop name="label">SC-12[1][b]</prop>
-                  <p>distribution;</p>
-               </part>
-               <part id="sc-12_obj.1.c" name="objective">
-                  <prop name="label">SC-12[1][c]</prop>
-                  <p>storage;</p>
-               </part>
-               <part id="sc-12_obj.1.d" name="objective">
-                  <prop name="label">SC-12[1][d]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="sc-12_obj.1.e" name="objective">
-                  <prop name="label">SC-12[1][e]</prop>
-                  <p>destruction; and</p>
-               </part>
-            </part>
-            <part id="sc-12_obj.2" name="objective">
-               <prop name="label">SC-12[2]</prop>
-               <p>establishes and manages cryptographic keys for required cryptography employed
-                  within the information system in accordance with organization-defined requirements
-                  for key generation, distribution, storage, access, and destruction.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic key establishment and management</p>
-               <p>information system design documentation</p>
-               <p>cryptographic mechanisms</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for cryptographic key establishment
-                  and/or management</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic key
-                  establishment and management</p>
-            </part>
-         </part>
-         <part id="sc-12_fr" name="item">
-            <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-            <part id="sc-12_fr_gdn.1" name="guidance">
-               <prop name="label">Guidance:</prop>
-               <p>Federally approved cryptography.</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-13">
-         <title>Cryptographic Protection</title>
-         <param id="sc-13_prm_1">
-            <label>organization-defined cryptographic uses and type of cryptography required for
-               each use</label>
-            <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-         </param>
-         <prop name="label">SC-13</prop>
-         <prop name="sort-id">sc-13</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#6a1041fc-054e-4230-946b-2e6f4f3731bb" rel="reference">http://csrc.nist.gov/cryptval</link>
-         <link href="#9b97ed27-3dd6-4f9a-ade5-1b43e9669794" rel="reference">http://www.cnss.gov</link>
-         <part id="sc-13_smt" name="statement">
-            <p>The information system implements <insert param-id="sc-13_prm_1"/> in accordance with
-               applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards.</p>
-         </part>
-         <part id="sc-13_gdn" name="guidance">
-            <p>Cryptography can be employed to support a variety of security solutions including,
-               for example, the protection of classified and Controlled Unclassified Information,
-               the provision of digital signatures, and the enforcement of information separation
-               when authorized individuals have the necessary clearances for such information but
-               lack the necessary formal access approvals. Cryptography can also be used to support
-               random number generation and hash generation. Generally applicable cryptographic
-               standards include FIPS-validated cryptography and NSA-approved cryptography. This
-               control does not impose any requirements on organizations to use cryptography.
-               However, if cryptography is required based on the selection of other security
-               controls, organizations define each type of cryptographic use and the type of
-               cryptography required (e.g., protection of classified information: NSA-approved
-               cryptography; provision of digital signatures: FIPS-validated cryptography).</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-7">IA-7</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-13_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-13_obj.1" name="objective">
-               <prop name="label">SC-13[1]</prop>
-               <p>the organization defines cryptographic uses; and</p>
-            </part>
-            <part id="sc-13_obj.2" name="objective">
-               <prop name="label">SC-13[2]</prop>
-               <p>the organization defines the type of cryptography required for each use; and</p>
-            </part>
-            <part id="sc-13_obj.3" name="objective">
-               <prop name="label">SC-13[3]</prop>
-               <p>the information system implements the organization-defined cryptographic uses and
-                  type of cryptography required for each use in accordance with applicable federal
-                  laws, Executive Orders, directives, policies, regulations, and standards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic protection</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>cryptographic module validation certificates</p>
-               <p>list of FIPS validated cryptographic modules</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for cryptographic protection</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic protection</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Condition: If implementing need to detail how they meet it or don't meet it.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-15">
-         <title>Collaborative Computing Devices</title>
-         <param id="sc-15_prm_1">
-            <label>organization-defined exceptions where remote activation is to be allowed</label>
-         </param>
-         <prop name="label">SC-15</prop>
-         <prop name="sort-id">sc-15</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-         <part id="sc-15_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-15_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prohibits remote activation of collaborative computing devices with the following
-                  exceptions: <insert param-id="sc-15_prm_1"/>; and</p>
-            </part>
-            <part id="sc-15_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides an explicit indication of use to users physically present at the
-                  devices.</p>
-            </part>
-         </part>
-         <part id="sc-15_gdn" name="guidance">
-            <p>Collaborative computing devices include, for example, networked white boards,
-               cameras, and microphones. Explicit indication of use includes, for example, signals
-               to users when collaborative computing devices are activated.</p>
-            <link rel="related" href="#ac-21">AC-21</link>
-         </part>
-         <part id="sc-15_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-15.a_obj" name="objective">
-               <prop name="label">SC-15(a)</prop>
-               <part id="sc-15.a_obj.1" name="objective">
-                  <prop name="label">SC-15(a)[1]</prop>
-                  <p>the organization defines exceptions where remote activation of collaborative
-                     computing devices is to be allowed;</p>
-               </part>
-               <part id="sc-15.a_obj.2" name="objective">
-                  <prop name="label">SC-15(a)[2]</prop>
-                  <p>the information system prohibits remote activation of collaborative computing
-                     devices, except for organization-defined exceptions where remote activation is
-                     to be allowed; and</p>
-               </part>
-            </part>
-            <part id="sc-15.b_obj" name="objective">
-               <prop name="label">SC-15(b)</prop>
-               <p>the information system provides an explicit indication of use to users physically
-                  present at the devices.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing collaborative computing</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for managing collaborative
-                  computing devices</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing management of remote
-                  activation of collaborative computing devices</p>
-               <p>automated mechanisms providing an indication of use of collaborative computing
-                  devices</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>NSO - Not directly related to the security of the SaaS.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-20">
-         <title>Secure Name / Address Resolution Service (authoritative Source)</title>
-         <prop name="label">SC-20</prop>
-         <prop name="sort-id">sc-20</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#28115a56-da6b-4d44-b1df-51dd7f048a3e" rel="reference">OMB Memorandum 08-23</link>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-20_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides additional data origin authentication and integrity verification
-                  artifacts along with the authoritative name resolution data the system returns in
-                  response to external name/address resolution queries; and</p>
-            </part>
-            <part id="sc-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides the means to indicate the security status of child zones and (if the
-                  child supports secure resolution services) to enable verification of a chain of
-                  trust among parent and child domains, when operating as part of a distributed,
-                  hierarchical namespace.</p>
-            </part>
-         </part>
-         <part id="sc-20_gdn" name="guidance">
-            <p>This control enables external clients including, for example, remote Internet
-               clients, to obtain origin authentication and integrity verification assurances for
-               the host/service name to network address resolution information obtained through the
-               service. Information systems that provide name and address resolution services
-               include, for example, domain name system (DNS) servers. Additional artifacts include,
-               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-               resource records are examples of authoritative data. The means to indicate the
-               security status of child zones includes, for example, the use of delegation signer
-               resource records in the DNS. The DNS security controls reflect (and are referenced
-               from) OMB Memorandum 08-23. Information systems that use technologies other than the
-               DNS to map between host/service names and network addresses provide other means to
-               assure the authenticity and integrity of response data.</p>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-20_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-20.a_obj" name="objective">
-               <prop name="label">SC-20(a)</prop>
-               <p>provides additional data origin and integrity verification artifacts along with
-                  the authoritative name resolution data the system returns in response to external
-                  name/address resolution queries;</p>
-            </part>
-            <part id="sc-20.b_obj" name="objective">
-               <prop name="label">SC-20(b)</prop>
-               <p>provides the means to, when operating as part of a distributed, hierarchical
-                  namespace:</p>
-               <part id="sc-20.b_obj.1" name="objective">
-                  <prop name="label">SC-20(b)[1]</prop>
-                  <p>indicate the security status of child zones; and</p>
-               </part>
-               <part id="sc-20.b_obj.2" name="objective">
-                  <prop name="label">SC-20(b)[2]</prop>
-                  <p>enable verification of a chain of trust among parent and child domains (if the
-                     child supports secure resolution services).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (authoritative
-                  source)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing secure name/address resolution
-                  service</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-21">
-         <title>Secure Name / Address Resolution Service (recursive or Caching Resolver)</title>
-         <prop name="label">SC-21</prop>
-         <prop name="sort-id">sc-21</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-21_smt" name="statement">
-            <p>The information system requests and performs data origin authentication and data
-               integrity verification on the name/address resolution responses the system receives
-               from authoritative sources.</p>
-         </part>
-         <part id="sc-21_gdn" name="guidance">
-            <p>Each client of name resolution services either performs this validation on its own,
-               or has authenticated channels to trusted validation providers. Information systems
-               that provide name and address resolution services for local clients include, for
-               example, recursive resolving or caching domain name system (DNS) servers. DNS client
-               resolvers either perform validation of DNSSEC signatures, or clients use
-               authenticated channels to recursive resolvers that perform such validations.
-               Information systems that use technologies other than the DNS to map between
-               host/service names and network addresses provide other means to enable clients to
-               verify the authenticity and integrity of response data.</p>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-21_obj" name="objective">
-            <p>Determine if the information system: </p>
-            <part id="sc-21_obj.1" name="objective">
-               <prop name="label">SC-21[1]</prop>
-               <p>requests data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.2" name="objective">
-               <prop name="label">SC-21[2]</prop>
-               <p>requests data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.3" name="objective">
-               <prop name="label">SC-21[3]</prop>
-               <p>performs data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources; and</p>
-            </part>
-            <part id="sc-21_obj.4" name="objective">
-               <prop name="label">SC-21[4]</prop>
-               <p>performs data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (recursive or caching
-                  resolver)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing data origin authentication and
-                  data integrity verification for name/address resolution services</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-22">
-         <title>Architecture and Provisioning for Name / Address Resolution Service</title>
-         <prop name="label">SC-22</prop>
-         <prop name="sort-id">sc-22</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-22_smt" name="statement">
-            <p>The information systems that collectively provide name/address resolution service for
-               an organization are fault-tolerant and implement internal/external role
-               separation.</p>
-         </part>
-         <part id="sc-22_gdn" name="guidance">
-            <p>Information systems that provide name and address resolution services include, for
-               example, domain name system (DNS) servers. To eliminate single points of failure and
-               to enhance redundancy, organizations employ at least two authoritative domain name
-               system servers, one configured as the primary server and the other configured as the
-               secondary server. Additionally, organizations typically deploy the servers in two
-               geographically separated network subnetworks (i.e., not located in the same physical
-               facility). For role separation, DNS servers with internal roles only process name and
-               address resolution requests from within organizations (i.e., from internal clients).
-               DNS servers with external roles only process name and address resolution information
-               requests from clients external to organizations (i.e., on external networks including
-               the Internet). Organizations specify clients that can access authoritative DNS
-               servers in particular roles (e.g., by address ranges, explicit lists).</p>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="sc-22_obj" name="objective">
-            <p>Determine if the information systems that collectively provide name/address
-               resolution service for an organization: </p>
-            <part id="sc-22_obj.1" name="objective">
-               <prop name="label">SC-22[1]</prop>
-               <p>are fault tolerant; and</p>
-            </part>
-            <part id="sc-22_obj.2" name="objective">
-               <prop name="label">SC-22[2]</prop>
-               <p>implement internal/external role separation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing architecture and provisioning for name/address resolution
-                  service</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>assessment results from independent, testing organizations</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing name/address resolution
-                  service for fault tolerance and role separation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-39">
-         <title>Process Isolation</title>
-         <prop name="label">SC-39</prop>
-         <prop name="sort-id">sc-39</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="sc-39_smt" name="statement">
-            <p>The information system maintains a separate execution domain for each executing
-               process.</p>
-         </part>
-         <part id="sc-39_gdn" name="guidance">
-            <p>Information systems can maintain separate execution domains for each executing
-               process by assigning each process a separate address space. Each information system
-               process has a distinct address space so that communication between processes is
-               performed in a manner controlled through the security functions, and one process
-               cannot modify the executing code of another process. Maintaining separate execution
-               domains for executing processes can be achieved, for example, by implementing
-               separate address spaces. This capability is available in most commercial operating
-               systems that employ multi-state processor technologies.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sc-39_obj" name="objective">
-            <p>Determine if the information system maintains a separate execution domain for each
-               executing process.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system design documentation</p>
-               <p>information system architecture</p>
-               <p>independent verification and validation documentation</p>
-               <p>testing and evaluation documentation, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Information system developers/integrators</p>
-               <p>information system security architect</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing separate execution domains for
-                  each executing process</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="si">
-      <title>System and Information Integrity</title>
-      <control class="SP800-53" id="si-1">
-         <title>System and Information Integrity Policy and Procedures</title>
-         <param id="si-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="si-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-1</prop>
-         <prop name="sort-id">si-01</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="si-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="si-1_prm_1"/>:</p>
-               <part id="si-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and information integrity policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="si-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and information
-                     integrity policy and associated system and information integrity controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="si-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and information integrity policy <insert param-id="si-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="si-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and information integrity procedures <insert param-id="si-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="si-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SI
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="si-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-1.a_obj" name="objective">
-               <prop name="label">SI-1(a)</prop>
-               <part id="si-1.a.1_obj" name="objective">
-                  <prop name="label">SI-1(a)(1)</prop>
-                  <part id="si-1.a.1_obj.1" name="objective">
-                     <prop name="label">SI-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and information integrity policy that
-                        addresses:</p>
-                     <part id="si-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="si-1.a.1_obj.2" name="objective">
-                     <prop name="label">SI-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and information integrity
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="si-1.a.1_obj.3" name="objective">
-                     <prop name="label">SI-1(a)(1)[3]</prop>
-                     <p>disseminates the system and information integrity policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="si-1.a.2_obj" name="objective">
-                  <prop name="label">SI-1(a)(2)</prop>
-                  <part id="si-1.a.2_obj.1" name="objective">
-                     <prop name="label">SI-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and information integrity policy and associated system and
-                        information integrity controls;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.2" name="objective">
-                     <prop name="label">SI-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.3" name="objective">
-                     <prop name="label">SI-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-1.b_obj" name="objective">
-               <prop name="label">SI-1(b)</prop>
-               <part id="si-1.b.1_obj" name="objective">
-                  <prop name="label">SI-1(b)(1)</prop>
-                  <part id="si-1.b.1_obj.1" name="objective">
-                     <prop name="label">SI-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity policy;</p>
-                  </part>
-                  <part id="si-1.b.1_obj.2" name="objective">
-                     <prop name="label">SI-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and information integrity policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="si-1.b.2_obj" name="objective">
-                  <prop name="label">SI-1(b)(2)</prop>
-                  <part id="si-1.b.2_obj.1" name="objective">
-                     <prop name="label">SI-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity procedures; and</p>
-                  </part>
-                  <part id="si-1.b.2_obj.2" name="objective">
-                     <prop name="label">SI-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and information integrity procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and information integrity
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-2">
-         <title>Flaw Remediation</title>
-         <param id="si-2_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>within 30 days of release of updates</constraint>
-         </param>
-         <prop name="label">SI-2</prop>
-         <prop name="sort-id">si-02</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="si-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies, reports, and corrects information system flaws;</p>
-            </part>
-            <part id="si-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tests software and firmware updates related to flaw remediation for effectiveness
-                  and potential side effects before installation;</p>
-            </part>
-            <part id="si-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Installs security-relevant software and firmware updates within <insert param-id="si-2_prm_1"/> of the release of the updates; and</p>
-            </part>
-            <part id="si-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part id="si-2_gdn" name="guidance">
-            <p>Organizations identify information systems affected by announced software flaws
-               including potential vulnerabilities resulting from those flaws, and report this
-               information to designated organizational personnel with information security
-               responsibilities. Security-relevant software updates include, for example, patches,
-               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-               discovered during security assessments, continuous monitoring, incident response
-               activities, and system error handling. Organizations take advantage of available
-               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-               Exposures (CVE) databases in remediating flaws discovered in organizational
-               information systems. By incorporating flaw remediation into ongoing configuration
-               management processes, required/anticipated remediation actions can be tracked and
-               verified. Flaw remediation actions that can be tracked and verified include, for
-               example, determining whether organizations follow US-CERT guidance and Information
-               Assurance Vulnerability Alerts. Organization-defined time periods for updating
-               security-relevant software and firmware may vary based on a variety of factors
-               including, for example, the security category of the information system or the
-               criticality of the update (i.e., severity of the vulnerability related to the
-               discovered flaw). Some types of flaw remediation may require more testing than other
-               types. Organizations determine the degree and type of testing needed for the specific
-               type of flaw remediation activity under consideration and also the types of changes
-               that are to be configuration-managed. In some situations, organizations may determine
-               that the testing of software and/or firmware updates is not necessary or practical,
-               for example, when implementing simple anti-virus signature updates. Organizations may
-               also consider in testing decisions, whether security-relevant software or firmware
-               updates are obtained from authorized sources with appropriate digital signatures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="si-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-2.a_obj" name="objective">
-               <prop name="label">SI-2(a)</prop>
-               <part id="si-2.a_obj.1" name="objective">
-                  <prop name="label">SI-2(a)[1]</prop>
-                  <p>identifies information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.2" name="objective">
-                  <prop name="label">SI-2(a)[2]</prop>
-                  <p>reports information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.3" name="objective">
-                  <prop name="label">SI-2(a)[3]</prop>
-                  <p>corrects information system flaws;</p>
-               </part>
-            </part>
-            <part id="si-2.b_obj" name="objective">
-               <prop name="label">SI-2(b)</prop>
-               <part id="si-2.b_obj.1" name="objective">
-                  <prop name="label">SI-2(b)[1]</prop>
-                  <p>tests software updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-               <part id="si-2.b_obj.2" name="objective">
-                  <prop name="label">SI-2(b)[2]</prop>
-                  <p>tests firmware updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-            </part>
-            <part id="si-2.c_obj" name="objective">
-               <prop name="label">SI-2(c)</prop>
-               <part id="si-2.c_obj.1" name="objective">
-                  <prop name="label">SI-2(c)[1]</prop>
-                  <p>defines the time period within which to install security-relevant software
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.2" name="objective">
-                  <prop name="label">SI-2(c)[2]</prop>
-                  <p>defines the time period within which to install security-relevant firmware
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.3" name="objective">
-                  <prop name="label">SI-2(c)[3]</prop>
-                  <p>installs software updates within the organization-defined time period of the
-                     release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.4" name="objective">
-                  <prop name="label">SI-2(c)[4]</prop>
-                  <p>installs firmware updates within the organization-defined time period of the
-                     release of the updates; and</p>
-               </part>
-            </part>
-            <part id="si-2.d_obj" name="objective">
-               <prop name="label">SI-2(d)</prop>
-               <p>incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing flaw remediation</p>
-               <p>procedures addressing configuration management</p>
-               <p>list of flaws and vulnerabilities potentially affecting the information system</p>
-               <p>list of recent security flaw remediation actions performed on the information
-                  system (e.g., list of installed patches, service packs, hot fixes, and other
-                  software updates to correct information system flaws)</p>
-               <p>test results from the installation of software and firmware updates to correct
-                  information system flaws</p>
-               <p>installation/change control records for security-relevant software and firmware
-                  updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for flaw remediation</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for identifying, reporting, and correcting information
-                  system flaws</p>
-               <p>organizational process for installing software and firmware updates</p>
-               <p>automated mechanisms supporting and/or implementing reporting, and correcting
-                  information system flaws</p>
-               <p>automated mechanisms supporting and/or implementing testing software and firmware
-                  updates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-3">
-         <title>Malicious Code Protection</title>
-         <param id="si-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least weekly</constraint>
-         </param>
-         <param id="si-3_prm_2">
-            <constraint>to include endpoints</constraint>
-         </param>
-         <param id="si-3_prm_3">
-            <constraint>to include alerting administrator or defined security personnel</constraint>
-         </param>
-         <param id="si-3_prm_4" depends-on="si-3_prm_3">
-            <label>organization-defined action</label>
-         </param>
-         <prop name="label">SI-3</prop>
-         <prop name="sort-id">si-03</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <part id="si-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs malicious code protection mechanisms at information system entry and exit
-                  points to detect and eradicate malicious code;</p>
-            </part>
-            <part id="si-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and
-                  procedures;</p>
-            </part>
-            <part id="si-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Configures malicious code protection mechanisms to:</p>
-               <part id="si-3_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Perform periodic scans of the information system <insert param-id="si-3_prm_1"/> and real-time scans of files from external sources at <insert param-id="si-3_prm_2"/> as the files are downloaded, opened, or executed in
-                     accordance with organizational security policy; and</p>
-               </part>
-               <part id="si-3_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>
-                     <insert param-id="si-3_prm_3"/> in response to malicious code detection;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Addresses the receipt of false positives during malicious code detection and
-                  eradication and the resulting potential impact on the availability of the
-                  information system.</p>
-            </part>
-         </part>
-         <part id="si-3_gdn" name="guidance">
-            <p>Information system entry and exit points include, for example, firewalls, electronic
-               mail servers, web servers, proxy servers, remote-access servers, workstations,
-               notebook computers, and mobile devices. Malicious code includes, for example,
-               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-               files, or hidden in files using steganography. Malicious code can be transported by
-               different means including, for example, web accesses, electronic mail, electronic
-               mail attachments, and portable storage devices. Malicious code insertions occur
-               through the exploitation of information system vulnerabilities. Malicious code
-               protection mechanisms include, for example, anti-virus signature definitions and
-               reputation-based technologies. A variety of technologies and methods exist to limit
-               or eliminate the effects of malicious code. Pervasive configuration management and
-               comprehensive software integrity controls may be effective in preventing execution of
-               unauthorized code. In addition to commercial off-the-shelf software, malicious code
-               may also be present in custom-built software. This could include, for example, logic
-               bombs, back doors, and other types of cyber attacks that could affect organizational
-               missions/business functions. Traditional malicious code protection mechanisms cannot
-               always detect such code. In these situations, organizations rely instead on other
-               safeguards including, for example, secure coding practices, configuration management
-               and control, trusted procurement processes, and monitoring practices to help ensure
-               that software does not perform functions other than the functions intended.
-               Organizations may determine that in response to the detection of malicious code,
-               different actions may be warranted. For example, organizations can define actions in
-               response to malicious code detection during periodic scans, actions in response to
-               detection of malicious downloads, and/or actions in response to detection of
-               maliciousness when attempting to open or execute files.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-13">SA-13</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-3.a_obj" name="objective">
-               <prop name="label">SI-3(a)</prop>
-               <p>employs malicious code protection mechanisms to detect and eradicate malicious
-                  code at information system:</p>
-               <part id="si-3.a_obj.1" name="objective">
-                  <prop name="label">SI-3(a)[1]</prop>
-                  <p>entry points;</p>
-               </part>
-               <part id="si-3.a_obj.2" name="objective">
-                  <prop name="label">SI-3(a)[2]</prop>
-                  <p>exit points;</p>
-               </part>
-            </part>
-            <part id="si-3.b_obj" name="objective">
-               <prop name="label">SI-3(b)</prop>
-               <p>updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and procedures
-                  (as identified in CM-1);</p>
-            </part>
-            <part id="si-3.c_obj" name="objective">
-               <prop name="label">SI-3(c)</prop>
-               <part id="si-3.c_obj.1" name="objective">
-                  <prop name="label">SI-3(c)[1]</prop>
-                  <p>defines a frequency for malicious code protection mechanisms to perform
-                     periodic scans of the information system;</p>
-               </part>
-               <part id="si-3.c_obj.2" name="objective">
-                  <prop name="label">SI-3(c)[2]</prop>
-                  <p>defines action to be initiated by malicious protection mechanisms in response
-                     to malicious code detection;</p>
-               </part>
-               <part id="si-3.c_obj.3" name="objective">
-                  <prop name="label">SI-3(c)[3]</prop>
-                  <part id="si-3.c.1_obj.3" name="objective">
-                     <prop name="label">SI-3(c)[3](1)</prop>
-                     <p>configures malicious code protection mechanisms to:</p>
-                     <part id="si-3.c.1_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[a]</prop>
-                        <p>perform periodic scans of the information system with the
-                           organization-defined frequency;</p>
-                     </part>
-                     <part id="si-3.c.1_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[b]</prop>
-                        <p>perform real-time scans of files from external sources at endpoint and/or
-                           network entry/exit points as the files are downloaded, opened, or
-                           executed in accordance with organizational security policy;</p>
-                     </part>
-                  </part>
-                  <part id="si-3.c.2_obj.3" name="objective">
-                     <prop name="label">SI-3(c)[3](2)</prop>
-                     <p>configures malicious code protection mechanisms to do one or more of the
-                        following:</p>
-                     <part id="si-3.c.2_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[a]</prop>
-                        <p>block malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[b]</prop>
-                        <p>quarantine malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.c" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[c]</prop>
-                        <p>send alert to administrator in response to malicious code detection;
-                           and/or</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.d" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[d]</prop>
-                        <p>initiate organization-defined action in response to malicious code
-                           detection;</p>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="si-3.d_obj" name="objective">
-               <prop name="label">SI-3(d)</prop>
-               <part id="si-3.d_obj.1" name="objective">
-                  <prop name="label">SI-3(d)[1]</prop>
-                  <p>addresses the receipt of false positives during malicious code detection and
-                     eradication; and</p>
-               </part>
-               <part id="si-3.d_obj.2" name="objective">
-                  <prop name="label">SI-3(d)[2]</prop>
-                  <p>addresses the resulting potential impact on the availability of the information
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>configuration management policy and procedures</p>
-               <p>procedures addressing malicious code protection</p>
-               <p>malicious code protection mechanisms</p>
-               <p>records of malicious code protection updates</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>scan results from malicious code protection mechanisms</p>
-               <p>record of actions initiated by malicious code protection mechanisms in response to
-                  malicious code detection</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for malicious code protection</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for employing, updating, and configuring malicious code
-                  protection mechanisms</p>
-               <p>organizational process for addressing false positives and resulting potential
-                  impact</p>
-               <p>automated mechanisms supporting and/or implementing employing, updating, and
-                  configuring malicious code protection mechanisms</p>
-               <p>automated mechanisms supporting and/or implementing malicious code scanning and
-                  subsequent actions</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-4">
-         <title>Information System Monitoring</title>
-         <param id="si-4_prm_1">
-            <label>organization-defined monitoring objectives</label>
-         </param>
-         <param id="si-4_prm_2">
-            <label>organization-defined techniques and methods</label>
-         </param>
-         <param id="si-4_prm_3">
-            <label>organization-defined information system monitoring information</label>
-         </param>
-         <param id="si-4_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-4_prm_5"/>
-         <param id="si-4_prm_6" depends-on="si-4_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-4</prop>
-         <prop name="sort-id">si-04</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="si-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors the information system to detect:</p>
-               <part id="si-4_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Attacks and indicators of potential attacks in accordance with <insert param-id="si-4_prm_1"/>; and</p>
-               </part>
-               <part id="si-4_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Unauthorized local, network, and remote connections;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Identifies unauthorized use of the information system through <insert param-id="si-4_prm_2"/>;</p>
-            </part>
-            <part id="si-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Deploys monitoring devices:</p>
-               <part id="si-4_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Strategically within the information system to collect organization-determined
-                     essential information; and</p>
-               </part>
-               <part id="si-4_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>At ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects information obtained from intrusion-monitoring tools from unauthorized
-                  access, modification, and deletion;</p>
-            </part>
-            <part id="si-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations; and</p>
-            </part>
-            <part id="si-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Provides <insert param-id="si-4_prm_3"/> to <insert param-id="si-4_prm_4"/>
-                  <insert param-id="si-4_prm_5"/>.</p>
-            </part>
-         </part>
-         <part id="si-4_gdn" name="guidance">
-            <p>Information system monitoring includes external and internal monitoring. External
-               monitoring includes the observation of events occurring at the information system
-               boundary (i.e., part of perimeter defense and boundary protection). Internal
-               monitoring includes the observation of events occurring within the information
-               system. Organizations can monitor information systems, for example, by observing
-               audit activities in real time or by observing other system aspects such as access
-               patterns, characteristics of access, and other actions. The monitoring objectives may
-               guide determination of the events. Information system monitoring capability is
-               achieved through a variety of tools and techniques (e.g., intrusion detection
-               systems, intrusion prevention systems, malicious code protection software, scanning
-               tools, audit record monitoring software, network monitoring software). Strategic
-               locations for monitoring devices include, for example, selected perimeter locations
-               and near server farms supporting critical applications, with such devices typically
-               being employed at the managed interfaces associated with controls SC-7 and AC-17.
-               Einstein network monitoring devices from the Department of Homeland Security can also
-               be included as monitoring devices. The granularity of monitoring information
-               collected is based on organizational monitoring objectives and the capability of
-               information systems to support such objectives. Specific types of transactions of
-               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-               bypasses HTTP proxies. Information system monitoring is an integral part of
-               organizational continuous monitoring and incident response programs. Output from
-               system monitoring serves as input to continuous monitoring and incident response
-               programs. A network connection is any connection with a device that communicates
-               through a network (e.g., local area network, Internet). A remote connection is any
-               connection with a device communicating through an external network (e.g., the
-               Internet). Local, network, and remote connections can be either wired or
-               wireless.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-35">SC-35</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-4.a_obj" name="objective">
-               <prop name="label">SI-4(a)</prop>
-               <part id="si-4.a.1_obj" name="objective">
-                  <prop name="label">SI-4(a)(1)</prop>
-                  <part id="si-4.a.1_obj.1" name="objective">
-                     <prop name="label">SI-4(a)(1)[1]</prop>
-                     <p>defines monitoring objectives to detect attacks and indicators of potential
-                        attacks on the information system;</p>
-                  </part>
-                  <part id="si-4.a.1_obj.2" name="objective">
-                     <prop name="label">SI-4(a)(1)[2]</prop>
-                     <p>monitors the information system to detect, in accordance with
-                        organization-defined monitoring objectives,:</p>
-                     <part id="si-4.a.1_obj.2.a" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][a]</prop>
-                        <p>attacks;</p>
-                     </part>
-                     <part id="si-4.a.1_obj.2.b" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][b]</prop>
-                        <p>indicators of potential attacks;</p>
-                     </part>
-                  </part>
-               </part>
-               <part id="si-4.a.2_obj" name="objective">
-                  <prop name="label">SI-4(a)(2)</prop>
-                  <p>monitors the information system to detect unauthorized:</p>
-                  <part id="si-4.a.2_obj.1" name="objective">
-                     <prop name="label">SI-4(a)(2)[1]</prop>
-                     <p>local connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.2" name="objective">
-                     <prop name="label">SI-4(a)(2)[2]</prop>
-                     <p>network connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.3" name="objective">
-                     <prop name="label">SI-4(a)(2)[3]</prop>
-                     <p>remote connections;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-4.b_obj" name="objective">
-               <prop name="label">SI-4(b)</prop>
-               <part id="si-4.b.1_obj" name="objective">
-                  <prop name="label">SI-4(b)(1)</prop>
-                  <p>defines techniques and methods to identify unauthorized use of the information
-                     system;</p>
-               </part>
-               <part id="si-4.b.2_obj" name="objective">
-                  <prop name="label">SI-4(b)(2)</prop>
-                  <p>identifies unauthorized use of the information system through
-                     organization-defined techniques and methods;</p>
-               </part>
-            </part>
-            <part id="si-4.c_obj" name="objective">
-               <prop name="label">SI-4(c)</prop>
-               <p>deploys monitoring devices:</p>
-               <part id="si-4.c_obj.1" name="objective">
-                  <prop name="label">SI-4(c)[1]</prop>
-                  <p>strategically within the information system to collect organization-determined
-                     essential information;</p>
-               </part>
-               <part id="si-4.c_obj.2" name="objective">
-                  <prop name="label">SI-4(c)[2]</prop>
-                  <p>at ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4.d_obj" name="objective">
-               <prop name="label">SI-4(d)</prop>
-               <p>protects information obtained from intrusion-monitoring tools from
-                  unauthorized:</p>
-               <part id="si-4.d_obj.1" name="objective">
-                  <prop name="label">SI-4(d)[1]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="si-4.d_obj.2" name="objective">
-                  <prop name="label">SI-4(d)[2]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="si-4.d_obj.3" name="objective">
-                  <prop name="label">SI-4(d)[3]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="si-4.e_obj" name="objective">
-               <prop name="label">SI-4(e)</prop>
-               <p>heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4.f_obj" name="objective">
-               <prop name="label">SI-4(f)</prop>
-               <p>obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations;</p>
-            </part>
-            <part id="si-4.g_obj" name="objective">
-               <prop name="label">SI-4(g)</prop>
-               <part id="si-4.g_obj.1" name="objective">
-                  <prop name="label">SI-4(g)[1]</prop>
-                  <p>defines personnel or roles to whom information system monitoring information is
-                     to be provided;</p>
-               </part>
-               <part id="si-4.g_obj.2" name="objective">
-                  <prop name="label">SI-4(g)[2]</prop>
-                  <p>defines information system monitoring information to be provided to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.3" name="objective">
-                  <prop name="label">SI-4(g)[3]</prop>
-                  <p>defines a frequency to provide organization-defined information system
-                     monitoring to organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.4" name="objective">
-                  <prop name="label">SI-4(g)[4]</prop>
-                  <p>provides organization-defined information system monitoring information to
-                     organization-defined personnel or roles one or more of the following:</p>
-                  <part id="si-4.g_obj.4.a" name="objective">
-                     <prop name="label">SI-4(g)[4][a]</prop>
-                     <p>as needed; and/or</p>
-                  </part>
-                  <part id="si-4.g_obj.4.b" name="objective">
-                     <prop name="label">SI-4(g)[4][b]</prop>
-                     <p>with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Continuous monitoring strategy</p>
-               <p>system and information integrity policy</p>
-               <p>procedures addressing information system monitoring tools and techniques</p>
-               <p>facility diagram/layout</p>
-               <p>information system design documentation</p>
-               <p>information system monitoring tools and techniques documentation</p>
-               <p>locations within information system where monitoring devices are deployed</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility monitoring the information system</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information system monitoring</p>
-               <p>automated mechanisms supporting and/or implementing information system monitoring
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-5">
-         <title>Security Alerts, Advisories, and Directives</title>
-         <param id="si-5_prm_1">
-            <label>organization-defined external organizations</label>
-         </param>
-         <param id="si-5_prm_2"/>
-         <param id="si-5_prm_3" depends-on="si-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-5_prm_4" depends-on="si-5_prm_2">
-            <label>organization-defined elements within the organization</label>
-         </param>
-         <param id="si-5_prm_5" depends-on="si-5_prm_2">
-            <label>organization-defined external organizations</label>
-         </param>
-         <prop name="label">SI-5</prop>
-         <prop name="sort-id">si-05</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <part id="si-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receives information system security alerts, advisories, and directives from
-                     <insert param-id="si-5_prm_1"/> on an ongoing basis;</p>
-            </part>
-            <part id="si-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Disseminates security alerts, advisories, and directives to: <insert param-id="si-5_prm_2"/>; and</p>
-            </part>
-            <part id="si-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implements security directives in accordance with established time frames, or
-                  notifies the issuing organization of the degree of noncompliance.</p>
-            </part>
-         </part>
-         <part id="si-5_gdn" name="guidance">
-            <p>The United States Computer Emergency Readiness Team (US-CERT) generates security
-               alerts and advisories to maintain situational awareness across the federal
-               government. Security directives are issued by OMB or other designated organizations
-               with the responsibility and authority to issue such directives. Compliance to
-               security directives is essential due to the critical nature of many of these
-               directives and the potential immediate adverse effects on organizational operations
-               and assets, individuals, other organizations, and the Nation should the directives
-               not be implemented in a timely manner. External organizations include, for example,
-               external mission/business partners, supply chain partners, external service
-               providers, and other peer/supporting organizations.</p>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="si-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-5.a_obj" name="objective">
-               <prop name="label">SI-5(a)</prop>
-               <part id="si-5.a_obj.1" name="objective">
-                  <prop name="label">SI-5(a)[1]</prop>
-                  <p>defines external organizations from whom information system security alerts,
-                     advisories and directives are to be received;</p>
-               </part>
-               <part id="si-5.a_obj.2" name="objective">
-                  <prop name="label">SI-5(a)[2]</prop>
-                  <p>receives information system security alerts, advisories, and directives from
-                     organization-defined external organizations on an ongoing basis;</p>
-               </part>
-            </part>
-            <part id="si-5.b_obj" name="objective">
-               <prop name="label">SI-5(b)</prop>
-               <p>generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5.c_obj" name="objective">
-               <prop name="label">SI-5(c)</prop>
-               <part id="si-5.c_obj.1" name="objective">
-                  <prop name="label">SI-5(c)[1]</prop>
-                  <p>defines personnel or roles to whom security alerts, advisories, and directives
-                     are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.2" name="objective">
-                  <prop name="label">SI-5(c)[2]</prop>
-                  <p>defines elements within the organization to whom security alerts, advisories,
-                     and directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.3" name="objective">
-                  <prop name="label">SI-5(c)[3]</prop>
-                  <p>defines external organizations to whom security alerts, advisories, and
-                     directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.4" name="objective">
-                  <prop name="label">SI-5(c)[4]</prop>
-                  <p>disseminates security alerts, advisories, and directives to one or more of the
-                     following:</p>
-                  <part id="si-5.c_obj.4.a" name="objective">
-                     <prop name="label">SI-5(c)[4][a]</prop>
-                     <p>organization-defined personnel or roles;</p>
-                  </part>
-                  <part id="si-5.c_obj.4.b" name="objective">
-                     <prop name="label">SI-5(c)[4][b]</prop>
-                     <p>organization-defined elements within the organization; and/or</p>
-                  </part>
-                  <part id="si-5.c_obj.4.c" name="objective">
-                     <prop name="label">SI-5(c)[4][c]</prop>
-                     <p>organization-defined external organizations; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-5.d_obj" name="objective">
-               <prop name="label">SI-5(d)</prop>
-               <part id="si-5.d_obj.1" name="objective">
-                  <prop name="label">SI-5(d)[1]</prop>
-                  <p>implements security directives in accordance with established time frames;
-                     or</p>
-               </part>
-               <part id="si-5.d_obj.2" name="objective">
-                  <prop name="label">SI-5(d)[2]</prop>
-                  <p>notifies the issuing organization of the degree of noncompliance.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing security alerts, advisories, and directives</p>
-               <p>records of security alerts and advisories</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security alert and advisory responsibilities</p>
-               <p>organizational personnel implementing, operating, maintaining, and using the
-                  information system</p>
-               <p>organizational personnel, organizational elements, and/or external organizations
-                  to whom alerts, advisories, and directives are to be disseminated</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining, receiving, generating, disseminating, and
-                  complying with security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing definition, receipt,
-                  generation, and dissemination of security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing security directives</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-12">
-         <title>Information Handling and Retention</title>
-         <prop name="label">SI-12</prop>
-         <prop name="sort-id">si-12</prop>
-         <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         <part id="si-12_smt" name="statement">
-            <p>The organization handles and retains information within the information system and
-               information output from the system in accordance with applicable federal laws,
-               Executive Orders, directives, policies, regulations, standards, and operational
-               requirements.</p>
-         </part>
-         <part id="si-12_gdn" name="guidance">
-            <p>Information handling and retention requirements cover the full life cycle of
-               information, in some cases extending beyond the disposal of information systems. The
-               National Archives and Records Administration provides guidance on records
-               retention.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-         </part>
-         <part id="si-12_obj" name="objective">
-            <p>Determine if the organization, in accordance with applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and operational
-               requirements:</p>
-            <part id="si-12_obj.1" name="objective">
-               <prop name="label">SI-12[1]</prop>
-               <p>handles information within the information system;</p>
-            </part>
-            <part id="si-12_obj.2" name="objective">
-               <prop name="label">SI-12[2]</prop>
-               <p>handles output from the information system;</p>
-            </part>
-            <part id="si-12_obj.3" name="objective">
-               <prop name="label">SI-12[3]</prop>
-               <p>retains information within the information system; and</p>
-            </part>
-            <part id="si-12_obj.4" name="objective">
-               <prop name="label">SI-12[4]</prop>
-               <p>retains output from the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  operational requirements applicable to information handling and retention</p>
-               <p>media protection policy and procedures</p>
-               <p>procedures addressing information system output handling and retention</p>
-               <p>information retention records, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information handling and
-                  retention</p>
-               <p>organizational personnel with information security responsibilities/network
-                  administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information handling and retention</p>
-               <p>automated mechanisms supporting and/or implementing information handling and
-                  retention</p>
-            </part>
-         </part>
-         <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-            <p>Attestation - Specifically related to US-CERT and FedRAMP communications
-                  procedures.</p>
-         </part>
-      </control>
-   </group>
-   <back-matter>
-      <resource uuid="0c97e60b-325a-4efa-ba2b-90f20ccd5abc">
-         <title>5 C.F.R. 731.106</title>
-         <citation>
-            <text>Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-               731.106).</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"/>
-      </resource>
-      <resource uuid="bb61234b-46c3-4211-8c2b-9869222a720d">
-         <title>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</title>
-         <citation>
-            <text>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"/>
-      </resource>
-      <resource uuid="a4aa9645-9a8a-4b51-90a9-e223250f9a75">
-         <title>CNSS Policy 15</title>
-         <citation>
-            <text>CNSS Policy 15</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/policies.html"/>
-      </resource>
-      <resource uuid="2d8b14e9-c8b5-4d3d-8bdc-155078f3281b">
-         <title>DoD Information Assurance Vulnerability Alerts</title>
-         <citation>
-            <text>DoD Information Assurance Vulnerability Alerts</text>
-         </citation>
-      </resource>
-      <resource uuid="61081e7f-041d-4033-96a7-44a439071683">
-         <title>DoD Instruction 5200.39</title>
-         <citation>
-            <text>DoD Instruction 5200.39</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="e42b2099-3e1c-415b-952c-61c96533c12e">
-         <title>DoD Instruction 8551.01</title>
-         <citation>
-            <text>DoD Instruction 8551.01</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="c5034e0c-eba6-4ecd-a541-79f0678f4ba4">
-         <title>Executive Order 13587</title>
-         <citation>
-            <text>Executive Order 13587</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"/>
-      </resource>
-      <resource uuid="56d671da-6b7b-4abf-8296-84b61980390a">
-         <title>Federal Acquisition Regulation</title>
-         <citation>
-            <text>Federal Acquisition Regulation</text>
-         </citation>
-         <rlink href="https://acquisition.gov/far"/>
-      </resource>
-      <resource uuid="023104bc-6f75-4cd5-b7d0-fc92326f8007">
-         <title>Federal Continuity Directive 1</title>
-         <citation>
-            <text>Federal Continuity Directive 1</text>
-         </citation>
-         <rlink href="http://www.fema.gov/pdf/about/offices/fcd1.pdf"/>
-      </resource>
-      <resource uuid="ba557c91-ba3e-4792-adc6-a4ae479b39ff">
-         <title>FICAM Roadmap and Implementation Guidance</title>
-         <citation>
-            <text>FICAM Roadmap and Implementation Guidance</text>
-         </citation>
-         <rlink href="http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"/>
-      </resource>
-      <resource uuid="39f9087d-7687-46d2-8eda-b6f4b7a4d8a9">
-         <title>FIPS Publication 140</title>
-         <citation>
-            <text>FIPS Publication 140</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html"/>
-      </resource>
-      <resource uuid="d715b234-9b5b-4e07-b1ed-99836727664d">
-         <title>FIPS Publication 140-2</title>
-         <citation>
-            <text>FIPS Publication 140-2</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#140-2"/>
-      </resource>
-      <resource uuid="f2dbd4ec-c413-4714-b85b-6b7184d1c195">
-         <title>FIPS Publication 197</title>
-         <citation>
-            <text>FIPS Publication 197</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#197"/>
-      </resource>
-      <resource uuid="e85cdb3f-7f0a-4083-8639-f13f70d3760b">
-         <title>FIPS Publication 199</title>
-         <citation>
-            <text>FIPS Publication 199</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#199"/>
-      </resource>
-      <resource uuid="c80c10b3-1294-4984-a4cc-d1733ca432b9">
-         <title>FIPS Publication 201</title>
-         <citation>
-            <text>FIPS Publication 201</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#201"/>
-      </resource>
-      <resource uuid="ad733a42-a7ed-4774-b988-4930c28852f3">
-         <title>HSPD-12</title>
-         <citation>
-            <text>HSPD-12</text>
-         </citation>
-         <rlink href="http://www.dhs.gov/homeland-security-presidential-directive-12"/>
-      </resource>
-      <resource uuid="e95dd121-2733-413e-bf1e-f1eb49f20a98">
-         <title>http://checklists.nist.gov</title>
-         <citation>
-            <text>http://checklists.nist.gov</text>
-         </citation>
-         <rlink href="http://checklists.nist.gov"/>
-      </resource>
-      <resource uuid="6a1041fc-054e-4230-946b-2e6f4f3731bb">
-         <title>http://csrc.nist.gov/cryptval</title>
-         <citation>
-            <text>http://csrc.nist.gov/cryptval</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/cryptval"/>
-      </resource>
-      <resource uuid="b09d1a31-d3c9-4138-a4f4-4c63816afd7d">
-         <title>http://csrc.nist.gov/groups/STM/cmvp/index.html</title>
-         <citation>
-            <text>http://csrc.nist.gov/groups/STM/cmvp/index.html</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/groups/STM/cmvp/index.html"/>
-      </resource>
-      <resource uuid="15522e92-9192-463d-9646-6a01982db8ca">
-         <title>http://cwe.mitre.org</title>
-         <citation>
-            <text>http://cwe.mitre.org</text>
-         </citation>
-         <rlink href="http://cwe.mitre.org"/>
-      </resource>
-      <resource uuid="5ed1f4d5-1494-421b-97ed-39d3c88ab51f">
-         <title>http://fips201ep.cio.gov</title>
-         <citation>
-            <text>http://fips201ep.cio.gov</text>
-         </citation>
-         <rlink href="http://fips201ep.cio.gov"/>
-      </resource>
-      <resource uuid="85280698-0417-489d-b214-12bb935fb939">
-         <title>http://idmanagement.gov</title>
-         <citation>
-            <text>http://idmanagement.gov</text>
-         </citation>
-         <rlink href="http://idmanagement.gov"/>
-      </resource>
-      <resource uuid="275cc052-0f7f-423c-bdb6-ed503dc36228">
-         <title>http://nvd.nist.gov</title>
-         <citation>
-            <text>http://nvd.nist.gov</text>
-         </citation>
-         <rlink href="http://nvd.nist.gov"/>
-      </resource>
-      <resource uuid="bbd50dd1-54ce-4432-959d-63ea564b1bb4">
-         <title>http://www.acquisition.gov/far</title>
-         <citation>
-            <text>http://www.acquisition.gov/far</text>
-         </citation>
-         <rlink href="http://www.acquisition.gov/far"/>
-      </resource>
-      <resource uuid="9b97ed27-3dd6-4f9a-ade5-1b43e9669794">
-         <title>http://www.cnss.gov</title>
-         <citation>
-            <text>http://www.cnss.gov</text>
-         </citation>
-         <rlink href="http://www.cnss.gov"/>
-      </resource>
-      <resource uuid="c95a9986-3cd6-4a98-931b-ccfc56cb11e5">
-         <title>http://www.niap-ccevs.org</title>
-         <citation>
-            <text>http://www.niap-ccevs.org</text>
-         </citation>
-         <rlink href="http://www.niap-ccevs.org"/>
-      </resource>
-      <resource uuid="647b6de3-81d0-4d22-bec1-5f1333e34380">
-         <title>http://www.nsa.gov</title>
-         <citation>
-            <text>http://www.nsa.gov</text>
-         </citation>
-         <rlink href="http://www.nsa.gov"/>
-      </resource>
-      <resource uuid="a47466c4-c837-4f06-a39f-e68412a5f73d">
-         <title>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</title>
-         <citation>
-            <text>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</text>
-         </citation>
-         <rlink href="http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"/>
-      </resource>
-      <resource uuid="02631467-668b-4233-989b-3dfded2fd184">
-         <title>http://www.us-cert.gov</title>
-         <citation>
-            <text>http://www.us-cert.gov</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov"/>
-      </resource>
-      <resource uuid="6caa237b-531b-43ac-9711-d8f6b97b0377">
-         <title>ICD 704</title>
-         <citation>
-            <text>ICD 704</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="398e33fd-f404-4e5c-b90e-2d50d3181244">
-         <title>ICD 705</title>
-         <citation>
-            <text>ICD 705</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="1737a687-52fb-4008-b900-cbfa836f7b65">
-         <title>ISO/IEC 15408</title>
-         <citation>
-            <text>ISO/IEC 15408</text>
-         </citation>
-         <rlink href="http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"/>
-      </resource>
-      <resource uuid="654f21e2-f3bc-43b2-abdc-60ab8d09744b">
-         <title>National Strategy for Trusted Identities in Cyberspace</title>
-         <citation>
-            <text>National Strategy for Trusted Identities in Cyberspace</text>
-         </citation>
-         <rlink href="http://www.nist.gov/nstic"/>
-      </resource>
-      <resource uuid="9cb3d8fe-2127-48ba-821e-cdd2d7aee921">
-         <title>NIST Special Publication 800-100</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-100</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-100</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-100"/>
-      </resource>
-      <resource uuid="3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e">
-         <title>NIST Special Publication 800-111</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-111</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-111</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-111"/>
-      </resource>
-      <resource uuid="349fe082-502d-464a-aa0c-1443c6a5cf40">
-         <title>NIST Special Publication 800-113</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-113</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-113</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-113"/>
-      </resource>
-      <resource uuid="1201fcf3-afb1-4675-915a-fb4ae0435717">
-         <title>NIST Special Publication 800-114 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-114r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-114 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-114r1"/>
-      </resource>
-      <resource uuid="c4691b88-57d1-463b-9053-2d0087913f31">
-         <title>NIST Special Publication 800-115</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-115</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-115</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-115"/>
-      </resource>
-      <resource uuid="2157bb7e-192c-4eaa-877f-93ef6b0a3292">
-         <title>NIST Special Publication 800-116 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-116r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-116 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-116r1"/>
-      </resource>
-      <resource uuid="5c201b63-0768-417b-ac22-3f014e3941b2">
-         <title>NIST Special Publication 800-12 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-12r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-12 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-12r1"/>
-      </resource>
-      <resource uuid="d1a4e2a9-e512-4132-8795-5357aba29254">
-         <title>NIST Special Publication 800-121</title>
-         <citation>
-            <text>NIST Special Publication 800-121</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-121"/>
-      </resource>
-      <resource uuid="0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589">
-         <title>NIST Special Publication 800-124</title>
-         <citation>
-            <text>NIST Special Publication 800-124</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-124"/>
-      </resource>
-      <resource uuid="080f8068-5e3e-435e-9790-d22ba4722693">
-         <title>NIST Special Publication 800-128</title>
-         <citation>
-            <text>NIST Special Publication 800-128</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-128"/>
-      </resource>
-      <resource uuid="cee2c6ca-0261-4a6f-b630-e41d8ffdd82b">
-         <title>NIST Special Publication 800-137</title>
-         <citation>
-            <text>NIST Special Publication 800-137</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-137"/>
-      </resource>
-      <resource uuid="825438c3-248d-4e30-a51e-246473ce6ada">
-         <title>NIST Special Publication 800-16</title>
-         <citation>
-            <text>NIST Special Publication 800-16</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-16"/>
-      </resource>
-      <resource uuid="6513e480-fada-4876-abba-1397084dfb26">
-         <title>NIST Special Publication 800-164</title>
-         <citation>
-            <text>NIST Special Publication 800-164</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-164"/>
-      </resource>
-      <resource uuid="9c5c9e8c-dc81-4f55-a11c-d71d7487790f">
-         <title>NIST Special Publication 800-18</title>
-         <citation>
-            <text>NIST Special Publication 800-18</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-18"/>
-      </resource>
-      <resource uuid="0a5db899-f033-467f-8631-f5a8ba971475">
-         <title>NIST Special Publication 800-23</title>
-         <citation>
-            <text>NIST Special Publication 800-23</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-23"/>
-      </resource>
-      <resource uuid="a466121b-f0e2-41f0-a5f9-deb0b5fe6b15">
-         <title>NIST Special Publication 800-30</title>
-         <citation>
-            <text>NIST Special Publication 800-30</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-30"/>
-      </resource>
-      <resource uuid="748a81b9-9cad-463f-abde-8b368167e70d">
-         <title>NIST Special Publication 800-34</title>
-         <citation>
-            <text>NIST Special Publication 800-34</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-34"/>
-      </resource>
-      <resource uuid="0c775bc3-bfc3-42c7-a382-88949f503171">
-         <title>NIST Special Publication 800-35</title>
-         <citation>
-            <text>NIST Special Publication 800-35</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-35"/>
-      </resource>
-      <resource uuid="d818efd3-db31-4953-8afa-9e76afe83ce2">
-         <title>NIST Special Publication 800-36</title>
-         <citation>
-            <text>NIST Special Publication 800-36</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-36"/>
-      </resource>
-      <resource uuid="0a0c26b6-fd44-4274-8b36-93442d49d998">
-         <title>NIST Special Publication 800-37</title>
-         <citation>
-            <text>NIST Special Publication 800-37</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-37"/>
-      </resource>
-      <resource uuid="d480aa6a-7a88-424e-a10c-ad1c7870354b">
-         <title>NIST Special Publication 800-39</title>
-         <citation>
-            <text>NIST Special Publication 800-39</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-39"/>
-      </resource>
-      <resource uuid="bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d">
-         <title>NIST Special Publication 800-40</title>
-         <citation>
-            <text>NIST Special Publication 800-40</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-40"/>
-      </resource>
-      <resource uuid="756a8e86-57d5-4701-8382-f7a40439665a">
-         <title>NIST Special Publication 800-41</title>
-         <citation>
-            <text>NIST Special Publication 800-41</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-41"/>
-      </resource>
-      <resource uuid="5309d4d0-46f8-4213-a749-e7584164e5e8">
-         <title>NIST Special Publication 800-46</title>
-         <citation>
-            <text>NIST Special Publication 800-46</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-46"/>
-      </resource>
-      <resource uuid="2711f068-734e-4afd-94ba-0b22247fbc88">
-         <title>NIST Special Publication 800-47</title>
-         <citation>
-            <text>NIST Special Publication 800-47</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-47"/>
-      </resource>
-      <resource uuid="238ed479-eccb-49f6-82ec-ab74a7a428cf">
-         <title>NIST Special Publication 800-48</title>
-         <citation>
-            <text>NIST Special Publication 800-48</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-48"/>
-      </resource>
-      <resource uuid="e12b5738-de74-4fb3-8317-a3995a8a1898">
-         <title>NIST Special Publication 800-50</title>
-         <citation>
-            <text>NIST Special Publication 800-50</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-50"/>
-      </resource>
-      <resource uuid="cd4cf751-3312-4a55-b1a9-fad2f1db9119">
-         <title>NIST Special Publication 800-53A</title>
-         <citation>
-            <text>NIST Special Publication 800-53A</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-53A"/>
-      </resource>
-      <resource uuid="81f09e01-d0b0-4ae2-aa6a-064ed9950070">
-         <title>NIST Special Publication 800-56</title>
-         <citation>
-            <text>NIST Special Publication 800-56</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-56"/>
-      </resource>
-      <resource uuid="a6c774c0-bf50-4590-9841-2a5c1c91ac6f">
-         <title>NIST Special Publication 800-57</title>
-         <citation>
-            <text>NIST Special Publication 800-57</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-57"/>
-      </resource>
-      <resource uuid="f152844f-b1ef-4836-8729-6277078ebee1">
-         <title>NIST Special Publication 800-60</title>
-         <citation>
-            <text>NIST Special Publication 800-60</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-60"/>
-      </resource>
-      <resource uuid="be95fb85-a53f-4624-bdbb-140075500aa3">
-         <title>NIST Special Publication 800-61</title>
-         <citation>
-            <text>NIST Special Publication 800-61</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-61"/>
-      </resource>
-      <resource uuid="644f44a9-a2de-4494-9c04-cd37fba45471">
-         <title>NIST Special Publication 800-63</title>
-         <citation>
-            <text>NIST Special Publication 800-63</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-63"/>
-      </resource>
-      <resource uuid="abd950ae-092f-4b7a-b374-1c7c67fe9350">
-         <title>NIST Special Publication 800-64</title>
-         <citation>
-            <text>NIST Special Publication 800-64</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-64"/>
-      </resource>
-      <resource uuid="29fcfe59-33cd-494a-8756-5907ae3a8f92">
-         <title>NIST Special Publication 800-65</title>
-         <citation>
-            <text>NIST Special Publication 800-65</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-65"/>
-      </resource>
-      <resource uuid="84a37532-6db6-477b-9ea8-f9085ebca0fc">
-         <title>NIST Special Publication 800-70</title>
-         <citation>
-            <text>NIST Special Publication 800-70</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-70"/>
-      </resource>
-      <resource uuid="ead74ea9-4c9c-446d-9b92-bcbf0ad4b655">
-         <title>NIST Special Publication 800-73</title>
-         <citation>
-            <text>NIST Special Publication 800-73</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-73"/>
-      </resource>
-      <resource uuid="2a71298a-ee90-490e-80ff-48c967173a47">
-         <title>NIST Special Publication 800-76</title>
-         <citation>
-            <text>NIST Special Publication 800-76</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-76"/>
-      </resource>
-      <resource uuid="99f331f2-a9f0-46c2-9856-a3cbb9b89442">
-         <title>NIST Special Publication 800-77</title>
-         <citation>
-            <text>NIST Special Publication 800-77</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-77"/>
-      </resource>
-      <resource uuid="2042d97b-f7f6-4c74-84f8-981867684659">
-         <title>NIST Special Publication 800-78</title>
-         <citation>
-            <text>NIST Special Publication 800-78</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-78"/>
-      </resource>
-      <resource uuid="6af1e841-672c-46c4-b121-96f603d04be3">
-         <title>NIST Special Publication 800-81</title>
-         <citation>
-            <text>NIST Special Publication 800-81</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-81"/>
-      </resource>
-      <resource uuid="6d431fee-658f-4a0e-9f2e-a38b5d398fab">
-         <title>NIST Special Publication 800-83</title>
-         <citation>
-            <text>NIST Special Publication 800-83</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-83"/>
-      </resource>
-      <resource uuid="0243a05a-e8a3-4d51-9364-4a9d20b0dcdf">
-         <title>NIST Special Publication 800-84</title>
-         <citation>
-            <text>NIST Special Publication 800-84</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-84"/>
-      </resource>
-      <resource uuid="263823e0-a971-4b00-959d-315b26278b22">
-         <title>NIST Special Publication 800-88</title>
-         <citation>
-            <text>NIST Special Publication 800-88</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-88"/>
-      </resource>
-      <resource uuid="672fd561-b92b-4713-b9cf-6c9d9456728b">
-         <title>NIST Special Publication 800-92</title>
-         <citation>
-            <text>NIST Special Publication 800-92</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-92"/>
-      </resource>
-      <resource uuid="d1b1d689-0f66-4474-9924-c81119758dc1">
-         <title>NIST Special Publication 800-94</title>
-         <citation>
-            <text>NIST Special Publication 800-94</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-94"/>
-      </resource>
-      <resource uuid="6f336ecd-f2a0-4c84-9699-0491d81b6e0d">
-         <title>NIST Special Publication 800-97</title>
-         <citation>
-            <text>NIST Special Publication 800-97</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-97"/>
-      </resource>
-      <resource uuid="9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab">
-         <title>OMB Circular A-130</title>
-         <citation>
-            <text>OMB Circular A-130</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/circulars_a130_a130trans4"/>
-      </resource>
-      <resource uuid="2c5884cd-7b96-425c-862a-99877e1cf909">
-         <title>OMB Memorandum 02-01</title>
-         <citation>
-            <text>OMB Memorandum 02-01</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/memoranda_m02-01"/>
-      </resource>
-      <resource uuid="ff3bfb02-79b2-411f-8735-98dfe5af2ab0">
-         <title>OMB Memorandum 04-04</title>
-         <citation>
-            <text>OMB Memorandum 04-04</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"/>
-      </resource>
-      <resource uuid="4da24a96-6cf8-435d-9d1f-c73247cad109">
-         <title>OMB Memorandum 06-16</title>
-         <citation>
-            <text>OMB Memorandum 06-16</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"/>
-      </resource>
-      <resource uuid="990268bf-f4a9-4c81-91ae-dc7d3115f4b1">
-         <title>OMB Memorandum 07-11</title>
-         <citation>
-            <text>OMB Memorandum 07-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"/>
-      </resource>
-      <resource uuid="0b3d8ba9-051f-498d-81ea-97f0f018c612">
-         <title>OMB Memorandum 07-18</title>
-         <citation>
-            <text>OMB Memorandum 07-18</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"/>
-      </resource>
-      <resource uuid="0916ef02-3618-411b-a525-565c088849a6">
-         <title>OMB Memorandum 08-22</title>
-         <citation>
-            <text>OMB Memorandum 08-22</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"/>
-      </resource>
-      <resource uuid="28115a56-da6b-4d44-b1df-51dd7f048a3e">
-         <title>OMB Memorandum 08-23</title>
-         <citation>
-            <text>OMB Memorandum 08-23</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"/>
-      </resource>
-      <resource uuid="599fe9ba-4750-4450-9eeb-b95bd19a5e8f">
-         <title>OMB Memorandum 10-06-2011</title>
-         <citation>
-            <text>OMB Memorandum 10-06-2011</text>
-         </citation>
-      </resource>
-      <resource uuid="74e740a4-c45d-49f3-a86e-eb747c549e01">
-         <title>OMB Memorandum 11-11</title>
-         <citation>
-            <text>OMB Memorandum 11-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"/>
-      </resource>
-      <resource uuid="bedb15b7-ec5c-4a68-807f-385125751fcd">
-         <title>OMB Memorandum 11-33</title>
-         <citation>
-            <text>OMB Memorandum 11-33</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"/>
-      </resource>
-      <resource uuid="dd2f5acd-08f1-435a-9837-f8203088dc1a">
-         <title>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-            (E-PACS)</title>
-         <citation>
-            <text>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-               (E-PACS)</text>
-         </citation>
-      </resource>
-      <resource uuid="8ade2fbe-e468-4ca8-9a40-54d7f23c32bb">
-         <title>US-CERT Technical Cyber Security Alerts</title>
-         <citation>
-            <text>US-CERT Technical Cyber Security Alerts</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov/ncas/alerts"/>
-      </resource>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml"
-                href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</catalog>
diff --git a/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml b/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml
deleted file mode 100644
index 74ed89cbf0..0000000000
--- a/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml
+++ /dev/null
@@ -1,1734 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="48d3387b-e554-4232-97bc-a8617cf238d9">
-   
-   <metadata>
-      <title>FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline</title>
-      <published>2020-02-02T00:00:00.000-05:00</published>
-      <last-modified>2020-06-01T10:00:00.000-05:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage" />
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#ad005eae-cc63-4e64-9109-3905a9a825e4">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-3"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-6"/>
-         <call control-id="au-8"/>
-         <call control-id="au-9"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-10"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-8"/>
-         <call control-id="ir-9"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-5"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-7"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-16"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-4"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-9"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-3"/>
-         <call control-id="si-4"/>
-         <call control-id="si-5"/>
-         <call control-id="si-12"/>
-      </include>
-   </import>
-   <merge>
-      <combine method="keep"/>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <!-- - - AC-22 - -  -->
-      <set-parameter param-id="ac-22_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <!-- - - AU-5 - -  -->
-      <set-parameter param-id="au-5_prm_2">
-         <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-      </set-parameter>
-      <!-- - - AU-6 - -  -->
-      <set-parameter param-id="au-6_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <!-- - - CA-2 - -  -->
-      <set-parameter param-id="ca-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_2">
-         <constraint>individuals or roles to include FedRAMP PMO</constraint>
-      </set-parameter>
-      <!-- - - CA-2 (1) - -  -->
-      <!-- - - CA-3 - -  -->
-      <set-parameter param-id="ca-3_prm_1">
-         <constraint>at least annually and on input from FedRAMP</constraint>
-      </set-parameter>
-      <!-- - - CA-5 - -  -->
-      <set-parameter param-id="ca-5_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <!-- - - CA-6 - -  -->
-      <set-parameter param-id="ca-6_prm_1">
-         <constraint>at least every three years or when a significant change occurs</constraint>
-      </set-parameter>
-      <!-- - - CA-7 - -  -->
-      <set-parameter param-id="ca-7_prm_4">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_5">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <!-- - - CM-6 - -  -->
-      <set-parameter param-id="cm-6_prm_1">
-         <constraint>see CM-6(a) Additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <!-- - - CM-8 - -  -->
-      <set-parameter param-id="cm-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <!-- - - CP-9 - -  -->
-      <set-parameter param-id="cp-9_prm_1">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_2">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_3">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <!-- - - IR-6 - -  -->
-      <set-parameter param-id="ir-6_prm_1">
-         <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-      </set-parameter>
-      <!-- - - PE-2 - -  -->
-      <set-parameter param-id="pe-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <!-- - - PE-3 - -  -->
-      <set-parameter param-id="pe-3_prm_2">
-         <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_6">
-         <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_8">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_9">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <!-- - - PE-6 - -  -->
-      <set-parameter param-id="pe-6_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <!-- - - PE-8 - -  -->
-      <set-parameter param-id="pe-8_prm_1">
-         <constraint>for a minimum of one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <!-- - - PE-14 - -  -->
-      <set-parameter param-id="pe-14_prm_1">
-         <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_2">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <!-- - - PE-16 - -  -->
-      <set-parameter param-id="pe-16_prm_1">
-         <constraint>all information system components</constraint>
-      </set-parameter>
-      <!-- - - PL-2 - -  -->
-      <set-parameter param-id="pl-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <!-- - - PS-3 - -  -->
-      <set-parameter param-id="ps-3_prm_1">
-         <constraint>For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.</constraint>
-      </set-parameter>
-      <!-- - - RA-3 - -  -->
-      <set-parameter param-id="ra-3_prm_2">
-         <constraint>security assessment report</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_3">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_5">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <!-- - - RA-5 - -  -->
-      <set-parameter param-id="ra-5_prm_1">
-         <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_2">
-         <constraint>[high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.</constraint>
-      </set-parameter>
-      <!-- - - SA-9 - -  -->
-      <set-parameter param-id="sa-9_prm_1">
-         <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_2">
-         <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <!-- - - SC-13 - -  -->
-      <set-parameter param-id="sc-13_prm_1">
-         <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-      </set-parameter>
-      <!-- - - SI-2 - -  -->
-      <set-parameter param-id="si-2_prm_1">
-         <constraint>within 30 days of release of updates</constraint>
-      </set-parameter>
-      <!-- - - SI-3 - -  -->
-      <set-parameter param-id="si-3_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_2">
-         <constraint>to include endpoints</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_3">
-         <constraint>to include alerting administrator or defined security personnel</constraint>
-      </set-parameter>
-      <!-- - -     CONTROL MODIFICATIONS      - -  -->
-      <!-- - - AC-1 - -  -->
-      <alter control-id="ac-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AC-2 - -  -->
-      <alter control-id="ac-2">
-         <remove id-ref="ac-2_smt.b"/>
-         <remove id-ref="ac-2_smt.c"/>
-         <remove id-ref="ac-2_smt.d"/>
-         <remove id-ref="ac-2_smt.e"/>
-         <remove id-ref="ac-2_smt.i"/>
-         <remove id-ref="ac-2_smt.j"/>
-         <remove id-ref="ac-2_smt.k"/>
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ac-2_fr" name="item">
-               <title>AC-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored
-                     for LI-SaaS.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-3 - -  -->
-      <alter control-id="ac-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AC-7 - -  -->
-      <alter control-id="ac-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO for non-privileged users. Attestation for privileged users related to
-                  multi-factor identification and authentication.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-8 - -  -->
-      <alter control-id="ac-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>FED - This is related to agency data and agency policy solution.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-14 - -  -->
-      <alter control-id="ac-14">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>FED - This is related to agency data and agency policy solution.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-17 - -  -->
-      <alter control-id="ac-17">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AC-18 - -  -->
-      <alter control-id="ac-18">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - All access to Cloud SaaS are via web services and/or API. The device
-                  accessed from or whether via wired or wireless connection is out of scope.
-                  Regardless of device accessed from, must utilize approved remote access methods
-                  (AC-17), secure communication with strong encryption (SC-13), key management
-                  (SC-12), and multi-factor authentication for privileged access (IA-2[1]).</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-19 - -  -->
-      <alter control-id="ac-19">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - All access to Cloud SaaS are via web service and/or API. The device accessed
-                  from is out of the scope. Regardless of device accessed from, must utilize
-                  approved remote access methods (AC-17), secure communication with strong
-                  encryption (SC-13), key management (SC-12), and multi-factor authentication for
-                  privileged access (IA-2 [1]).</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-20 - -  -->
-      <alter control-id="ac-20">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AC-22 - -  -->
-      <alter control-id="ac-22">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AT-1 - -  -->
-      <alter control-id="at-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AT-2 - -  -->
-      <alter control-id="at-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AT-3 - -  -->
-      <alter control-id="at-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AT-4 - -  -->
-      <alter control-id="at-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-1 - -  -->
-      <alter control-id="au-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-2 - -  -->
-      <alter control-id="au-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-3 - -  -->
-      <alter control-id="au-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AU-4 - -  -->
-      <alter control-id="au-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the audit data has been determined to have little or
-                  no impact to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AU-5 - -  -->
-      <alter control-id="au-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AU-6 - -  -->
-      <alter control-id="au-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AU-8 - -  -->
-      <alter control-id="au-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-9 - -  -->
-      <alter control-id="au-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-11 - -  -->
-      <alter control-id="au-11">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the audit data has been determined as little or no
-                  impact to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AU-12 - -  -->
-      <alter control-id="au-12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CA-1 - -  -->
-      <alter control-id="ca-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CA-2 - -  -->
-      <alter control-id="ca-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                     Documents, Annual Assessment Guidance <a
-                        href="https://www.fedramp.gov/documents/"
-                        >https://www.fedramp.gov/documents/</a></p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-2 (1) - -  -->
-      <alter control-id="ca-2.1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CA-3 - -  -->
-      <alter control-id="ca-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: There are connection(s) to external systems. Connections (if any) shall
-                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                  is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                  bi-directional. 4) Identify how the connection is secured.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-5 - -  -->
-      <alter control-id="ca-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring
-                  Requirements.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-6 - -  -->
-      <alter control-id="ca-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                     Appendix F. The service provider describes the types of changes to the
-                     information system or the environment of operations that would impact the risk
-                     posture. The types of changes are approved and accepted by the Authorizing
-                     Official.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-7 - -  -->
-      <alter control-id="ca-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities
-                     within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                     Documents, Continuous Monitoring Strategy Guide <a
-                        href="https://www.fedramp.gov/documents/"
-                        >https://www.fedramp.gov/documents/</a></p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-9 - -  -->
-      <alter control-id="ca-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: There are connection(s) to external systems. Connections (if any) shall
-                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                  is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                  bi-directional. 4) Identify how the connection is secured.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CM-1 - -  -->
-      <alter control-id="cm-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CM-2 - -  -->
-      <alter control-id="cm-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CM-4 - -  -->
-      <alter control-id="cm-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - CM-6 - -  -->
-      <alter control-id="cm-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Required - Specifically include details of least functionality.</p>
-            </part>
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines
-                     (Level 1) to establish configuration settings or establishes its own
-                     configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings
-                     are Security Content Automation Protocol (SCAP) (<a
-                        href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP
-                     compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a
-                        href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline"
-                        >https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CM-7 - -  -->
-      <alter control-id="cm-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CM-8 - -  -->
-      <alter control-id="cm-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CM-10 - -  -->
-      <alter control-id="cm-10">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO- Not directly related to protection of the data.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CM-11 - -  -->
-      <alter control-id="cm-11">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Boundary is specific to SaaS environment; all access is via web services;
-                  users' machine or internal network are not contemplated. External services (SA-9),
-                  internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and
-                  SC-13), and privileged authentication (IA-2[1]) are considerations.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-1 - -  -->
-      <alter control-id="cp-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CP-2 - -  -->
-      <alter control-id="cp-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-3 - -  -->
-      <alter control-id="cp-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-4 - -  -->
-      <alter control-id="cp-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-9 - -  -->
-      <alter control-id="cp-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment
-                     require the Information System Backup control. The service provider shall
-                     determine how Information System Backup is going to be verified and appropriate
-                     periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level
-                     information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level
-                     information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information
-                     system documentation including security information (at least one of which is
-                     available online).</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-10 - -  -->
-      <alter control-id="cp-10">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-1 - -  -->
-      <alter control-id="ia-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-2 - -  -->
-      <alter control-id="ia-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO for non-privileged users. Attestation for privileged users related to
-                  multi-factor identification and authentication - specifically include description
-                  of management of service accounts.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-2 (1) - -  -->
-      <alter control-id="ia-2.1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - IA-2 (12) - -  -->
-      <alter control-id="ia-2.12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of
-                     PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-4 - -  -->
-      <alter control-id="ia-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-5 - -  -->
-      <alter control-id="ia-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-5 (1) - -  -->
-      <alter control-id="ia-5.1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-5 (11) - -  -->
-      <alter control-id="ia-5.11">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>FED - for Federal privileged users. Condition - Must document and assess for
-                  privileged users. May attest to this control for non-privileged users.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-6 - -  -->
-      <alter control-id="ia-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - IA-7 - -  -->
-      <alter control-id="ia-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-8 - -  -->
-      <alter control-id="ia-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-8 (1) - -  -->
-      <alter control-id="ia-8.1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-8 (2) - -  -->
-      <alter control-id="ia-8.2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-8 (3) - -  -->
-      <alter control-id="ia-8.3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-8 (4) - -  -->
-      <alter control-id="ia-8.4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-1 - -  -->
-      <alter control-id="ir-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-2 - -  -->
-      <alter control-id="ir-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-4 - -  -->
-      <alter control-id="ir-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet
-                     personnel security requirements commensurate with the criticality/sensitivity
-                     of the information being processed, stored, and transmitted by the information
-                     system.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IR-5 - -  -->
-      <alter control-id="ir-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-6 - -  -->
-      <alter control-id="ir-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident
-                     Communications Procedure.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IR-7 - -  -->
-      <alter control-id="ir-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-8 - -  -->
-      <alter control-id="ir-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - Specifically attest to US-CERT compliance.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IR-9 - -  -->
-      <alter control-id="ir-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - Specifically describe information spillage response processes.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MA-1 - -  -->
-      <alter control-id="ma-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - MA-2 - -  -->
-      <alter control-id="ma-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MA-4 - -  -->
-      <alter control-id="ma-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - MA-5 - -  -->
-      <alter control-id="ma-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MP-1 - -  -->
-      <alter control-id="mp-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - MP-2 - -  -->
-      <alter control-id="mp-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MP-6 - -  -->
-      <alter control-id="mp-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MP-7 - -  -->
-      <alter control-id="mp-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-1 - -  -->
-      <alter control-id="pe-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PE-2 - -  -->
-      <alter control-id="pe-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-3 - -  -->
-      <alter control-id="pe-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-6 - -  -->
-      <alter control-id="pe-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-8 - -  -->
-      <alter control-id="pe-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-12 - -  -->
-      <alter control-id="pe-12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-13 - -  -->
-      <alter control-id="pe-13">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-14 - -  -->
-      <alter control-id="pe-14">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels
-                     by dew point.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-15 - -  -->
-      <alter control-id="pe-15">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-16 - -  -->
-      <alter control-id="pe-16">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PL-1 - -  -->
-      <alter control-id="pl-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PL-2 - -  -->
-      <alter control-id="pl-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - PL-4 - -  -->
-      <alter control-id="pl-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-1 - -  -->
-      <alter control-id="ps-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-2 - -  -->
-      <alter control-id="ps-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-         </add>
-      </alter>
-      <!-- - - PS-3 - -  -->
-      <alter control-id="ps-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - PS-4 - -  -->
-      <alter control-id="ps-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-5 - -  -->
-      <alter control-id="ps-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-6 - -  -->
-      <alter control-id="ps-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-7 - -  -->
-      <alter control-id="ps-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - Specifically stating that any third-party security personnel are
-                  treated as CSP employees.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PS-8 - -  -->
-      <alter control-id="ps-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - RA-1 - -  -->
-      <alter control-id="ra-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - RA-2 - -  -->
-      <alter control-id="ra-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - RA-3 - -  -->
-      <alter control-id="ra-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                     Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include
-                     FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - RA-5 - -  -->
-      <alter control-id="ra-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web
-                  applications, and databases once annually.</p>
-            </part>
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include
-                  FedRAMP.</p>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p><strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                        Documents> Vulnerability Scanning Requirements</strong> (<a
-                        href="https://www.FedRAMP.gov/documents/"
-                        >https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SA-1 - -  -->
-      <alter control-id="sa-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-2 - -  -->
-      <alter control-id="sa-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-3 - -  -->
-      <alter control-id="sa-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-4 - -  -->
-      <alter control-id="sa-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-4(10) - -  -->
-      <alter control-id="sa-4.10">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-5 - -  -->
-      <alter control-id="sa-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-9 - -  -->
-      <alter control-id="sa-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SC-1 - -  -->
-      <alter control-id="sc-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SC-5 - -  -->
-      <alter control-id="sc-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: If availability is a requirement, define protections in place as per
-                  control requirement.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SC-7 - -  -->
-      <alter control-id="sc-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SC-12 - -  -->
-      <alter control-id="sc-12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved cryptography.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SC-13 - -  -->
-      <alter control-id="sc-13">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: If implementing need to detail how they meet it or don't meet it.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SC-15 - -  -->
-      <alter control-id="sc-15">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Not directly related to the security of the SaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SC-20 - -  -->
-      <alter control-id="sc-20">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SC-21 - -  -->
-      <alter control-id="sc-21">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SC-22 - -  -->
-      <alter control-id="sc-22">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SC-39 - -  -->
-      <alter control-id="sc-39">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SI-1 - -  -->
-      <alter control-id="si-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SI-2 - -  -->
-      <alter control-id="si-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SI-3 - -  -->
-      <alter control-id="si-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SI-4 - -  -->
-      <alter control-id="si-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SI-5 - -  -->
-      <alter control-id="si-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SI-12 - -  -->
-      <alter control-id="si-12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - Specifically related to US-CERT and FedRAMP communications
-                  procedures.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SI-16 - -  -->
-   </modify>
-   <back-matter>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink
-            href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-         />
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink
-            href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-         />
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml" href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml b/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml
deleted file mode 100644
index eda383843b..0000000000
--- a/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml
+++ /dev/null
@@ -1,19131 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="d320d731-1aea-4d48-a4df-05b1c9f48c04">
-   <metadata>
-      <title>FedRAMP Low Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <prop name="resolution-timestamp">2020-08-31T17:38:45.129825Z</prop>
-      <link rel="resolution-source" href="FedRAMP_LOW-baseline_profile.xml">FedRAMP Low Baseline</link>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage"/>
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <group class="family" id="ac">
-      <title>Access Control</title>
-      <control class="SP800-53" id="ac-1">
-         <title>Access Control Policy and Procedures</title>
-         <param id="ac-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ac-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-1</prop>
-         <prop name="sort-id">ac-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ac-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ac-1_prm_1"/>:</p>
-               <part id="ac-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An access control policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ac-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the access control policy and
-                     associated access controls; and</p>
-               </part>
-            </part>
-            <part id="ac-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ac-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Access control policy <insert param-id="ac-1_prm_2"/>; and</p>
-               </part>
-               <part id="ac-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Access control procedures <insert param-id="ac-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ac-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-1.a_obj" name="objective">
-               <prop name="label">AC-1(a)</prop>
-               <part id="ac-1.a.1_obj" name="objective">
-                  <prop name="label">AC-1(a)(1)</prop>
-                  <part id="ac-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(1)[1]</prop>
-                     <p>develops and documents an access control policy that addresses:</p>
-                     <part id="ac-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ac-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the access control policy are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AC-1(a)(1)[3]</prop>
-                     <p>disseminates the access control policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ac-1.a.2_obj" name="objective">
-                  <prop name="label">AC-1(a)(2)</prop>
-                  <part id="ac-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        access control policy and associated access control controls;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-1.b_obj" name="objective">
-               <prop name="label">AC-1(b)</prop>
-               <part id="ac-1.b.1_obj" name="objective">
-                  <prop name="label">AC-1(b)(1)</prop>
-                  <part id="ac-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        policy;</p>
-                  </part>
-                  <part id="ac-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current access control policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ac-1.b.2_obj" name="objective">
-                  <prop name="label">AC-1(b)(2)</prop>
-                  <part id="ac-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        procedures; and</p>
-                  </part>
-                  <part id="ac-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current access control procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-2">
-         <title>Account Management</title>
-         <param id="ac-2_prm_1">
-            <label>organization-defined information system account types</label>
-         </param>
-         <param id="ac-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-2_prm_3">
-            <label>organization-defined procedures or conditions</label>
-         </param>
-         <param id="ac-2_prm_4">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-2</prop>
-         <prop name="sort-id">ac-02</prop>
-         <part id="ac-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies and selects the following types of information system accounts to
-                  support organizational missions/business functions: <insert param-id="ac-2_prm_1"/>;</p>
-            </part>
-            <part id="ac-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Specifies authorized users of the information system, group and role membership,
-                  and access authorizations (i.e., privileges) and other attributes (as required)
-                  for each account;</p>
-            </part>
-            <part id="ac-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requires approvals by <insert param-id="ac-2_prm_2"/> for requests to create
-                  information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Creates, enables, modifies, disables, and removes information system accounts in
-                  accordance with <insert param-id="ac-2_prm_3"/>;</p>
-            </part>
-            <part id="ac-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Notifies account managers:</p>
-               <part id="ac-2_smt.h.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>When accounts are no longer required;</p>
-               </part>
-               <part id="ac-2_smt.h.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>When users are terminated or transferred; and</p>
-               </part>
-               <part id="ac-2_smt.h.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>When individual information system usage or need-to-know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Authorizes access to the information system based on:</p>
-               <part id="ac-2_smt.i.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A valid access authorization;</p>
-               </part>
-               <part id="ac-2_smt.i.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Intended system usage; and</p>
-               </part>
-               <part id="ac-2_smt.i.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Reviews accounts for compliance with account management requirements <insert param-id="ac-2_prm_4"/>; and</p>
-            </part>
-            <part id="ac-2_smt.k" name="item">
-               <prop name="label">k.</prop>
-               <p>Establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part id="ac-2_gdn" name="guidance">
-            <p>Information system account types include, for example, individual, shared, group,
-               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-               service. Some of the account management requirements listed above can be implemented
-               by organizational information systems. The identification of authorized users of the
-               information system and the specification of access privileges reflects the
-               requirements in other security controls in the security plan. Users requiring
-               administrative privileges on information system accounts receive additional scrutiny
-               by appropriate organizational personnel (e.g., system owner, mission/business owner,
-               or chief information security officer) responsible for approving such accounts and
-               privileged access. Organizations may choose to define access privileges or other
-               attributes by account, by type of account, or a combination of both. Other attributes
-               required for authorizing access include, for example, restrictions on time-of-day,
-               day-of-week, and point-of-origin. In defining other account attributes, organizations
-               consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-               and mission/business requirements, (e.g., time zone differences, customer
-               requirements, remote access to support travel requirements). Failure to consider
-               these factors could affect information system availability. Temporary and emergency
-               accounts are accounts intended for short-term use. Organizations establish temporary
-               accounts as a part of normal account activation procedures when there is a need for
-               short-term accounts without the demand for immediacy in account activation.
-               Organizations establish emergency accounts in response to crisis situations and with
-               the need for rapid account activation. Therefore, emergency account activation may
-               bypass normal account authorization processes. Emergency and temporary accounts are
-               not to be confused with infrequently used accounts (e.g., local logon accounts used
-               for special tasks defined by organizations or when network resources are
-               unavailable). Such accounts remain available and are not subject to automatic
-               disabling or removal dates. Conditions for disabling or deactivating accounts
-               include, for example: (i) when shared/group, emergency, or temporary accounts are no
-               longer required; or (ii) when individuals are transferred or terminated. Some types
-               of information system accounts may require specialized training.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-10">AC-10</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ac-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-2.a_obj" name="objective">
-               <prop name="label">AC-2(a)</prop>
-               <part id="ac-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(a)[1]</prop>
-                  <p>defines information system account types to be identified and selected to
-                     support organizational missions/business functions;</p>
-               </part>
-               <part id="ac-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AC-2(a)[2]</prop>
-                  <p>identifies and selects organization-defined information system account types to
-                     support organizational missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AC-2(b)</prop>
-               <p>assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(c)</prop>
-               <p>establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(d)</prop>
-               <p>specifies for each account (as required):</p>
-               <part id="ac-2.d_obj.1" name="objective">
-                  <prop name="label">AC-2(d)[1]</prop>
-                  <p>authorized users of the information system;</p>
-               </part>
-               <part id="ac-2.d_obj.2" name="objective">
-                  <prop name="label">AC-2(d)[2]</prop>
-                  <p>group and role membership;</p>
-               </part>
-               <part id="ac-2.d_obj.3" name="objective">
-                  <prop name="label">AC-2(d)[3]</prop>
-                  <p>access authorizations (i.e., privileges);</p>
-               </part>
-               <part id="ac-2.d_obj.4" name="objective">
-                  <prop name="label">AC-2(d)[4]</prop>
-                  <p>other attributes;</p>
-               </part>
-            </part>
-            <part id="ac-2.e_obj" name="objective">
-               <prop name="label">AC-2(e)</prop>
-               <part id="ac-2.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(e)[1]</prop>
-                  <p>defines personnel or roles required to approve requests to create information
-                     system accounts;</p>
-               </part>
-               <part id="ac-2.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(e)[2]</prop>
-                  <p>requires approvals by organization-defined personnel or roles for requests to
-                     create information system accounts;</p>
-               </part>
-            </part>
-            <part id="ac-2.f_obj" name="objective">
-               <prop name="label">AC-2(f)</prop>
-               <part id="ac-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(f)[1]</prop>
-                  <p>defines procedures or conditions to:</p>
-                  <part id="ac-2.f_obj.1.a" name="objective">
-                     <prop name="label">AC-2(f)[1][a]</prop>
-                     <p>create information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.b" name="objective">
-                     <prop name="label">AC-2(f)[1][b]</prop>
-                     <p>enable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.c" name="objective">
-                     <prop name="label">AC-2(f)[1][c]</prop>
-                     <p>modify information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.d" name="objective">
-                     <prop name="label">AC-2(f)[1][d]</prop>
-                     <p>disable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.e" name="objective">
-                     <prop name="label">AC-2(f)[1][e]</prop>
-                     <p>remove information system accounts;</p>
-                  </part>
-               </part>
-               <part id="ac-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(f)[2]</prop>
-                  <p>in accordance with organization-defined procedures or conditions:</p>
-                  <part id="ac-2.f_obj.2.a" name="objective">
-                     <prop name="label">AC-2(f)[2][a]</prop>
-                     <p>creates information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.b" name="objective">
-                     <prop name="label">AC-2(f)[2][b]</prop>
-                     <p>enables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.c" name="objective">
-                     <prop name="label">AC-2(f)[2][c]</prop>
-                     <p>modifies information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.d" name="objective">
-                     <prop name="label">AC-2(f)[2][d]</prop>
-                     <p>disables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.e" name="objective">
-                     <prop name="label">AC-2(f)[2][e]</prop>
-                     <p>removes information system accounts;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.g_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(g)</prop>
-               <p>monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2.h_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(h)</prop>
-               <p>notifies account managers:</p>
-               <part id="ac-2.h.1_obj" name="objective">
-                  <prop name="label">AC-2(h)(1)</prop>
-                  <p>when accounts are no longer required;</p>
-               </part>
-               <part id="ac-2.h.2_obj" name="objective">
-                  <prop name="label">AC-2(h)(2)</prop>
-                  <p>when users are terminated or transferred;</p>
-               </part>
-               <part id="ac-2.h.3_obj" name="objective">
-                  <prop name="label">AC-2(h)(3)</prop>
-                  <p>when individual information system usage or need to know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2.i_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(i)</prop>
-               <p>authorizes access to the information system based on;</p>
-               <part id="ac-2.i.1_obj" name="objective">
-                  <prop name="label">AC-2(i)(1)</prop>
-                  <p>a valid access authorization;</p>
-               </part>
-               <part id="ac-2.i.2_obj" name="objective">
-                  <prop name="label">AC-2(i)(2)</prop>
-                  <p>intended system usage;</p>
-               </part>
-               <part id="ac-2.i.3_obj" name="objective">
-                  <prop name="label">AC-2(i)(3)</prop>
-                  <p>other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.j_obj" name="objective">
-               <prop name="label">AC-2(j)</prop>
-               <part id="ac-2.j_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(j)[1]</prop>
-                  <p>defines the frequency to review accounts for compliance with account management
-                     requirements;</p>
-               </part>
-               <part id="ac-2.j_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(j)[2]</prop>
-                  <p>reviews accounts for compliance with account management requirements with the
-                     organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="ac-2.k_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(k)</prop>
-               <p>establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of active system accounts along with the name of the individual associated
-                  with each account</p>
-               <p>list of conditions for group and role membership</p>
-               <p>notifications or records of recently transferred, separated, or terminated
-                  employees</p>
-               <p>list of recently disabled information system accounts along with the name of the
-                  individual associated with each account</p>
-               <p>access authorization records</p>
-               <p>account management compliance reviews</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes account management on the information system</p>
-               <p>automated mechanisms for implementing account management</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-3">
-         <title>Access Enforcement</title>
-         <prop name="label">AC-3</prop>
-         <prop name="sort-id">ac-03</prop>
-         <part id="ac-3_smt" name="statement">
-            <p>The information system enforces approved authorizations for logical access to
-               information and system resources in accordance with applicable access control
-               policies.</p>
-         </part>
-         <part id="ac-3_gdn" name="guidance">
-            <p>Access control policies (e.g., identity-based policies, role-based policies, control
-               matrices, cryptography) control access between active entities or subjects (i.e.,
-               users or processes acting on behalf of users) and passive entities or objects (e.g.,
-               devices, files, records, domains) in information systems. In addition to enforcing
-               authorized access at the information system level and recognizing that information
-               systems can host many applications and services in support of organizational missions
-               and business operations, access enforcement mechanisms can also be employed at the
-               application and service level to provide increased information security.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#ac-22">AC-22</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="ac-3_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system enforces approved authorizations for logical
-               access to information and system resources in accordance with applicable access
-               control policies.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of approved authorizations (user privileges)</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access enforcement responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-7">
-         <title>Unsuccessful Logon Attempts</title>
-         <param id="ac-7_prm_1">
-            <label>organization-defined number</label>
-            <constraint>not more than three (3)</constraint>
-         </param>
-         <param id="ac-7_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>fifteen (15) minutes</constraint>
-         </param>
-         <param id="ac-7_prm_3"/>
-         <param id="ac-7_prm_4" depends-on="ac-7_prm_3">
-            <label>organization-defined time period</label>
-            <constraint>thirty (30) minutes</constraint>
-         </param>
-         <param id="ac-7_prm_5" depends-on="ac-7_prm_3">
-            <label>organization-defined delay algorithm</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-7</prop>
-         <prop name="sort-id">ac-07</prop>
-         <part id="ac-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces a limit of <insert param-id="ac-7_prm_1"/> consecutive invalid logon
-                  attempts by a user during a <insert param-id="ac-7_prm_2"/>; and</p>
-            </part>
-            <part id="ac-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Automatically <insert param-id="ac-7_prm_3"/> when the maximum number of
-                  unsuccessful attempts is exceeded.</p>
-            </part>
-         </part>
-         <part id="ac-7_gdn" name="guidance">
-            <p>This control applies regardless of whether the logon occurs via a local or network
-               connection. Due to the potential for denial of service, automatic lockouts initiated
-               by information systems are usually temporary and automatically release after a
-               predetermined time period established by organizations. If a delay algorithm is
-               selected, organizations may choose to employ different algorithms for different
-               information system components based on the capabilities of those components.
-               Responses to unsuccessful logon attempts may be implemented at both the operating
-               system and the application levels.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-         </part>
-         <part id="ac-7_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="ac-7.a_obj" name="objective">
-               <prop name="label">AC-7(a)</prop>
-               <part id="ac-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(a)[1]</prop>
-                  <p>the organization defines the number of consecutive invalid logon attempts
-                     allowed to the information system by a user during an organization-defined time
-                     period;</p>
-               </part>
-               <part id="ac-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(a)[2]</prop>
-                  <p>the organization defines the time period allowed by a user of the information
-                     system for an organization-defined number of consecutive invalid logon
-                     attempts;</p>
-               </part>
-               <part id="ac-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-7(a)[3]</prop>
-                  <p>the information system enforces a limit of organization-defined number of
-                     consecutive invalid logon attempts by a user during an organization-defined
-                     time period;</p>
-               </part>
-            </part>
-            <part id="ac-7.b_obj" name="objective">
-               <prop name="label">AC-7(b)</prop>
-               <part id="ac-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(b)[1]</prop>
-                  <p>the organization defines account/node lockout time period or logon delay
-                     algorithm to be automatically enforced by the information system when the
-                     maximum number of unsuccessful logon attempts is exceeded;</p>
-               </part>
-               <part id="ac-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-7(b)[2]</prop>
-                  <p>the information system, when the maximum number of unsuccessful logon attempts
-                     is exceeded, automatically:</p>
-                  <part id="ac-7.b_obj.2.a" name="objective">
-                     <prop name="label">AC-7(b)[2][a]</prop>
-                     <p>locks the account/node for the organization-defined time period;</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.b" name="objective">
-                     <prop name="label">AC-7(b)[2][b]</prop>
-                     <p>locks the account/node until released by an administrator; or</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.c" name="objective">
-                     <prop name="label">AC-7(b)[2][c]</prop>
-                     <p>delays next logon prompt according to the organization-defined delay
-                        algorithm.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing unsuccessful logon attempts</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for unsuccessful logon
-                  attempts</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-8">
-         <title>System Use Notification</title>
-         <param id="ac-8_prm_1">
-            <label>organization-defined system use notification message or banner</label>
-            <constraint>see additional Requirements and Guidance</constraint>
-         </param>
-         <param id="ac-8_prm_2">
-            <label>organization-defined conditions</label>
-            <constraint>see additional Requirements and Guidance</constraint>
-         </param>
-         <prop name="label">AC-8</prop>
-         <prop name="sort-id">ac-08</prop>
-         <part id="ac-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Displays to users <insert param-id="ac-8_prm_1"/> before granting access to the
-                  system that provides privacy and security notices consistent with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance and states that:</p>
-               <part id="ac-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Users are accessing a U.S. Government information system;</p>
-               </part>
-               <part id="ac-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Information system usage may be monitored, recorded, and subject to audit;</p>
-               </part>
-               <part id="ac-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Unauthorized use of the information system is prohibited and subject to
-                     criminal and civil penalties; and</p>
-               </part>
-               <part id="ac-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Use of the information system indicates consent to monitoring and
-                     recording;</p>
-               </part>
-            </part>
-            <part id="ac-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains the notification message or banner on the screen until users acknowledge
-                  the usage conditions and take explicit actions to log on to or further access the
-                  information system; and</p>
-            </part>
-            <part id="ac-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>For publicly accessible systems:</p>
-               <part id="ac-8_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Displays system use information <insert param-id="ac-8_prm_2"/>, before
-                     granting further access;</p>
-               </part>
-               <part id="ac-8_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Displays references, if any, to monitoring, recording, or auditing that are
-                     consistent with privacy accommodations for such systems that generally prohibit
-                     those activities; and</p>
-               </part>
-               <part id="ac-8_smt.c.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Includes a description of the authorized uses of the system.</p>
-               </part>
-            </part>
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-8_gdn" name="guidance">
-            <p>System use notifications can be implemented using messages or warning banners
-               displayed before individuals log in to information systems. System use notifications
-               are used only for access via logon interfaces with human users and are not required
-               when such human interfaces do not exist. Organizations consider system use
-               notification messages/banners displayed in multiple languages based on specific
-               organizational needs and the demographics of information system users. Organizations
-               also consult with the Office of the General Counsel for legal review and approval of
-               warning banner content.</p>
-         </part>
-         <part id="ac-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-8.a_obj" name="objective">
-               <prop name="label">AC-8(a)</prop>
-               <part id="ac-8.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-8(a)[1]</prop>
-                  <p>the organization defines a system use notification message or banner to be
-                     displayed by the information system to users before granting access to the
-                     system;</p>
-               </part>
-               <part id="ac-8.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-8(a)[2]</prop>
-                  <p>the information system displays to users the organization-defined system use
-                     notification message or banner before granting access to the information system
-                     that provides privacy and security notices consistent with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance, and states that:</p>
-                  <part id="ac-8.a.1_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](1)</prop>
-                     <p>users are accessing a U.S. Government information system;</p>
-                  </part>
-                  <part id="ac-8.a.2_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](2)</prop>
-                     <p>information system usage may be monitored, recorded, and subject to
-                        audit;</p>
-                  </part>
-                  <part id="ac-8.a.3_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](3)</prop>
-                     <p>unauthorized use of the information system is prohibited and subject to
-                        criminal and civil penalties;</p>
-                  </part>
-                  <part id="ac-8.a.4_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](4)</prop>
-                     <p>use of the information system indicates consent to monitoring and
-                        recording;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-8.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-8(b)</prop>
-               <p>the information system retains the notification message or banner on the screen
-                  until users acknowledge the usage conditions and take explicit actions to log on
-                  to or further access the information system;</p>
-            </part>
-            <part id="ac-8.c_obj" name="objective">
-               <prop name="label">AC-8(c)</prop>
-               <p>for publicly accessible systems:</p>
-               <part id="ac-8.c.1_obj" name="objective">
-                  <prop name="label">AC-8(c)(1)</prop>
-                  <part id="ac-8.c.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-8(c)(1)[1]</prop>
-                     <p>the organization defines conditions for system use to be displayed by the
-                        information system before granting further access;</p>
-                  </part>
-                  <part id="ac-8.c.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-8(c)(1)[2]</prop>
-                     <p>the information system displays organization-defined conditions before
-                        granting further access;</p>
-                  </part>
-               </part>
-               <part id="ac-8.c.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-8(c)(2)</prop>
-                  <p>the information system displays references, if any, to monitoring, recording,
-                     or auditing that are consistent with privacy accommodations for such systems
-                     that generally prohibit those activities; and</p>
-               </part>
-               <part id="ac-8.c.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-8(c)(3)</prop>
-                  <p>the information system includes a description of the authorized uses of the
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>privacy and security policies, procedures addressing system use notification</p>
-               <p>documented approval of information system use notification messages or banners</p>
-               <p>information system audit records</p>
-               <p>user acknowledgements of notification message or banner</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system use notification messages</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for providing legal advice</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing system use notification</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-14">
-         <title>Permitted Actions Without Identification or Authentication</title>
-         <param id="ac-14_prm_1">
-            <label>organization-defined user actions</label>
-         </param>
-         <prop name="label">AC-14</prop>
-         <prop name="sort-id">ac-14</prop>
-         <part id="ac-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies <insert param-id="ac-14_prm_1"/> that can be performed on the
-                  information system without identification or authentication consistent with
-                  organizational missions/business functions; and</p>
-            </part>
-            <part id="ac-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part id="ac-14_gdn" name="guidance">
-            <p>This control addresses situations in which organizations determine that no
-               identification or authentication is required in organizational information systems.
-               Organizations may allow a limited number of user actions without identification or
-               authentication including, for example, when individuals access public websites or
-               other publicly accessible federal information systems, when individuals use mobile
-               phones to receive calls, or when facsimiles are received. Organizations also identify
-               actions that normally require identification or authentication but may under certain
-               circumstances (e.g., emergencies), allow identification or authentication mechanisms
-               to be bypassed. Such bypasses may occur, for example, via a software-readable
-               physical switch that commands bypass of the logon functionality and is protected from
-               accidental or unmonitored use. This control does not apply to situations where
-               identification and authentication have already occurred and are not repeated, but
-               rather to situations where identification and authentication have not yet occurred.
-               Organizations may decide that there are no user actions that can be performed on
-               organizational information systems without identification and authentication and
-               thus, the values for assignment statements can be none.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-         </part>
-         <part id="ac-14_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-14.a_obj" name="objective">
-               <prop name="label">AC-14(a)</prop>
-               <part id="ac-14.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-14(a)[1]</prop>
-                  <p>defines user actions that can be performed on the information system without
-                     identification or authentication consistent with organizational
-                     missions/business functions;</p>
-               </part>
-               <part id="ac-14.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AC-14(a)[2]</prop>
-                  <p>identifies organization-defined user actions that can be performed on the
-                     information system without identification or authentication consistent with
-                     organizational missions/business functions; and</p>
-               </part>
-            </part>
-            <part id="ac-14.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-14(b)</prop>
-               <p>documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing permitted actions without identification or
-                  authentication</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>list of user actions that can be performed without identification or
-                  authentication</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-17">
-         <title>Remote Access</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-17</prop>
-         <prop name="sort-id">ac-17</prop>
-         <link href="#5309d4d0-46f8-4213-a749-e7584164e5e8" rel="reference">NIST Special Publication 800-46</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#349fe082-502d-464a-aa0c-1443c6a5cf40" rel="reference">NIST Special Publication 800-113</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#d1a4e2a9-e512-4132-8795-5357aba29254" rel="reference">NIST Special Publication 800-121</link>
-         <part id="ac-17_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents usage restrictions, configuration/connection
-                  requirements, and implementation guidance for each type of remote access allowed;
-                  and</p>
-            </part>
-            <part id="ac-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-17_gdn" name="guidance">
-            <p>Remote access is access to organizational information systems by users (or processes
-               acting on behalf of users) communicating through external networks (e.g., the
-               Internet). Remote access methods include, for example, dial-up, broadband, and
-               wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-               enhance confidentiality and integrity over remote connections. The use of encrypted
-               VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-               provisioned with appropriate security controls (e.g., employing appropriate
-               encryption techniques for confidentiality and integrity protection) may provide
-               sufficient assurance to the organization that it can effectively treat such
-               connections as internal networks. Still, VPN connections traverse external networks,
-               and the encrypted VPN does not enhance the availability of remote connections. Also,
-               VPNs with encrypted tunnels can affect the organizational capability to adequately
-               monitor network communications traffic for malicious code. Remote access controls
-               apply to information systems other than public web servers or systems designed for
-               public access. This control addresses authorization prior to allowing remote access
-               without specifying the formats for such authorization. While organizations may use
-               interconnection security agreements to authorize remote access connections, such
-               agreements are not required by this control. Enforcing access restrictions for remote
-               connections is addressed in AC-3.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#pe-17">PE-17</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-17_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-17.a_obj" name="objective">
-               <prop name="label">AC-17(a)</prop>
-               <part id="ac-17.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[1]</prop>
-                  <p>identifies the types of remote access allowed to the information system;</p>
-               </part>
-               <part id="ac-17.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[2]</prop>
-                  <p>establishes for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.2.a" name="objective">
-                     <prop name="label">AC-17(a)[2][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.b" name="objective">
-                     <prop name="label">AC-17(a)[2][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.c" name="objective">
-                     <prop name="label">AC-17(a)[2][c]</prop>
-                     <p>implementation guidance;</p>
-                  </part>
-               </part>
-               <part id="ac-17.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[3]</prop>
-                  <p>documents for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.3.a" name="objective">
-                     <prop name="label">AC-17(a)[3][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.b" name="objective">
-                     <prop name="label">AC-17(a)[3][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.c" name="objective">
-                     <prop name="label">AC-17(a)[3][c]</prop>
-                     <p>implementation guidance; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-17.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-17(b)</prop>
-               <p>authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing remote access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>remote access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing remote access
-                  connections</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Remote access management capability for the information system</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-18">
-         <title>Wireless Access</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-18</prop>
-         <prop name="sort-id">ac-18</prop>
-         <link href="#238ed479-eccb-49f6-82ec-ab74a7a428cf" rel="reference">NIST Special Publication 800-48</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#6f336ecd-f2a0-4c84-9699-0491d81b6e0d" rel="reference">NIST Special Publication 800-97</link>
-         <part id="ac-18_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-18_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration/connection requirements, and
-                  implementation guidance for wireless access; and</p>
-            </part>
-            <part id="ac-18_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-18_gdn" name="guidance">
-            <p>Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-               EAP/TLS, PEAP), which provide credential protection and mutual authentication.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-18_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-18.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-18(a)</prop>
-               <p>establishes for wireless access:</p>
-               <part id="ac-18.a_obj.1" name="objective">
-                  <prop name="label">AC-18(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-18.a_obj.2" name="objective">
-                  <prop name="label">AC-18(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-18.a_obj.3" name="objective">
-                  <prop name="label">AC-18(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-18.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-18(b)</prop>
-               <p>authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing wireless access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>wireless access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing wireless access
-                  connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Wireless access management capability for the information system</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-19">
-         <title>Access Control for Mobile Devices</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-19</prop>
-         <prop name="sort-id">ac-19</prop>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589" rel="reference">NIST Special Publication 800-124</link>
-         <link href="#6513e480-fada-4876-abba-1397084dfb26" rel="reference">NIST Special Publication 800-164</link>
-         <part id="ac-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration requirements, connection
-                  requirements, and implementation guidance for organization-controlled mobile
-                  devices; and</p>
-            </part>
-            <part id="ac-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part id="ac-19_gdn" name="guidance">
-            <p>A mobile device is a computing device that: (i) has a small form factor such that it
-               can easily be carried by a single individual; (ii) is designed to operate without a
-               physical connection (e.g., wirelessly transmit or receive information); (iii)
-               possesses local, non-removable or removable data storage; and (iv) includes a
-               self-contained power source. Mobile devices may also include voice communication
-               capabilities, on-board sensors that allow the device to capture information, and/or
-               built-in features for synchronizing local data with remote locations. Examples
-               include smart phones, E-readers, and tablets. Mobile devices are typically associated
-               with a single individual and the device is usually in close proximity to the
-               individual; however, the degree of proximity can vary depending upon on the form
-               factor and size of the device. The processing, storage, and transmission capability
-               of the mobile device may be comparable to or merely a subset of desktop systems,
-               depending upon the nature and intended purpose of the device. Due to the large
-               variety of mobile devices with different technical characteristics and capabilities,
-               organizational restrictions may vary for the different classes/types of such devices.
-               Usage restrictions and specific implementation guidance for mobile devices include,
-               for example, configuration management, device identification and authentication,
-               implementation of mandatory protective software (e.g., malicious code detection,
-               firewall), scanning devices for malicious code, updating virus protection software,
-               scanning for critical software updates and patches, conducting primary operating
-               system (and possibly other resident software) integrity checks, and disabling
-               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-               need to provide adequate security for mobile devices goes beyond the requirements in
-               this control. Many safeguards and countermeasures for mobile devices are reflected in
-               other security controls in the catalog allocated in the initial control baselines as
-               starting points for the development of security plans and overlays using the
-               tailoring process. There may also be some degree of overlap in the requirements
-               articulated by the security controls within the different families of controls. AC-20
-               addresses mobile devices that are not organization-controlled.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-9">CA-9</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-19.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-19(a)</prop>
-               <p>establishes for organization-controlled mobile devices:</p>
-               <part id="ac-19.a_obj.1" name="objective">
-                  <prop name="label">AC-19(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-19.a_obj.2" name="objective">
-                  <prop name="label">AC-19(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-19.a_obj.3" name="objective">
-                  <prop name="label">AC-19(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-19.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-19(b)</prop>
-               <p>authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access control for mobile device usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>authorizations for mobile device connections to organizational information
-                  systems</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel using mobile devices to access organizational information
-                  systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Access control capability authorizing mobile device connections to organizational
-                  information systems</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-20">
-         <title>Use of External Information Systems</title>
-         <prop name="label">AC-20</prop>
-         <prop name="sort-id">ac-20</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="ac-20_smt" name="statement">
-            <p>The organization establishes terms and conditions, consistent with any trust
-               relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to:</p>
-            <part id="ac-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Access the information system from external information systems; and</p>
-            </part>
-            <part id="ac-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part id="ac-20_gdn" name="guidance">
-            <p>External information systems are information systems or components of information
-               systems that are outside of the authorization boundary established by organizations
-               and for which organizations typically have no direct supervision and authority over
-               the application of required security controls or the assessment of control
-               effectiveness. External information systems include, for example: (i) personally
-               owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-               personal digital assistants); (ii) privately owned computing and communications
-               devices resident in commercial or public facilities (e.g., hotels, train stations,
-               convention centers, shopping malls, or airports); (iii) information systems owned or
-               controlled by nonfederal governmental organizations; and (iv) federal information
-               systems that are not owned by, operated by, or under the direct supervision and
-               authority of organizations. This control also addresses the use of external
-               information systems for the processing, storage, or transmission of organizational
-               information, including, for example, accessing cloud services (e.g., infrastructure
-               as a service, platform as a service, or software as a service) from organizational
-               information systems. For some external information systems (i.e., information systems
-               operated by other federal agencies, including organizations subordinate to those
-               agencies), the trust relationships that have been established between those
-               organizations and the originating organization may be such, that no explicit terms
-               and conditions are required. Information systems within these organizations would not
-               be considered external. These situations occur when, for example, there are
-               pre-existing sharing/trust agreements (either implicit or explicit) established
-               between federal agencies or organizations subordinate to those agencies, or when such
-               trust agreements are specified by applicable laws, Executive Orders, directives, or
-               policies. Authorized individuals include, for example, organizational personnel,
-               contractors, or other individuals with authorized access to organizational
-               information systems and over which organizations have the authority to impose rules
-               of behavior with regard to system access. Restrictions that organizations impose on
-               authorized individuals need not be uniform, as those restrictions may vary depending
-               upon the trust relationships between organizations. Therefore, organizations may
-               choose to impose different security restrictions on contractors than on state, local,
-               or tribal governments. This control does not apply to the use of external information
-               systems to access public interfaces to organizational information systems (e.g.,
-               individuals accessing federal information through www.usa.gov). Organizations
-               establish terms and conditions for the use of external information systems in
-               accordance with organizational security policies and procedures. Terms and conditions
-               address as a minimum: types of applications that can be accessed on organizational
-               information systems from external information systems; and the highest security
-               category of information that can be processed, stored, or transmitted on external
-               information systems. If terms and conditions with the owners of external information
-               systems cannot be established, organizations may impose restrictions on
-               organizational personnel using those external systems.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ac-20_obj" name="objective">
-            <p>Determine if the organization establishes terms and conditions, consistent with any
-               trust relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to: </p>
-            <part id="ac-20.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-20(a)</prop>
-               <p>access the information system from the external information systems; and</p>
-            </part>
-            <part id="ac-20.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-20(b)</prop>
-               <p>process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing the use of external information systems</p>
-               <p>external information systems terms and conditions</p>
-               <p>list of types of applications accessible from external information systems</p>
-               <p>maximum security categorization for information processed, stored, or transmitted
-                  on external information systems</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining terms and conditions
-                  for use of external information systems to access organizational systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing terms and conditions on use of external
-                  information systems</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-22">
-         <title>Publicly Accessible Content</title>
-         <param id="ac-22_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least quarterly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-22</prop>
-         <prop name="sort-id">ac-22</prop>
-         <part id="ac-22_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-22_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included; and</p>
-            </part>
-            <part id="ac-22_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the content on the publicly accessible information system for nonpublic
-                  information <insert param-id="ac-22_prm_1"/> and removes such information, if
-                  discovered.</p>
-            </part>
-         </part>
-         <part id="ac-22_gdn" name="guidance">
-            <p>In accordance with federal laws, Executive Orders, directives, policies, regulations,
-               standards, and/or guidance, the general public is not authorized access to nonpublic
-               information (e.g., information protected under the Privacy Act and proprietary
-               information). This control addresses information systems that are controlled by the
-               organization and accessible to the general public, typically without identification
-               or authentication. The posting of information on non-organization information systems
-               is covered by organizational policy.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-13">AU-13</link>
-         </part>
-         <part id="ac-22_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-22.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-22(a)</prop>
-               <p>designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-22(b)</prop>
-               <p>trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-22(c)</prop>
-               <p>reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included;</p>
-            </part>
-            <part id="ac-22.d_obj" name="objective">
-               <prop name="label">AC-22(d)</prop>
-               <part id="ac-22.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-22(d)[1]</prop>
-                  <p>defines the frequency to review the content on the publicly accessible
-                     information system for nonpublic information;</p>
-               </part>
-               <part id="ac-22.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-22(d)[2]</prop>
-                  <p>reviews the content on the publicly accessible information system for nonpublic
-                     information with the organization-defined frequency; and</p>
-               </part>
-               <part id="ac-22.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-22(d)[3]</prop>
-                  <p>removes nonpublic information from the publicly accessible information system,
-                     if discovered.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing publicly accessible content</p>
-               <p>list of users authorized to post publicly accessible content on organizational
-                  information systems</p>
-               <p>training materials and/or records</p>
-               <p>records of publicly accessible information reviews</p>
-               <p>records of response to nonpublic information on public websites</p>
-               <p>system audit logs</p>
-               <p>security awareness training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing publicly accessible
-                  information posted on organizational information systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing management of publicly accessible content</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="at">
-      <title>Awareness and Training</title>
-      <control class="SP800-53" id="at-1">
-         <title>Security Awareness and Training Policy and Procedures</title>
-         <param id="at-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="at-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="at-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-1</prop>
-         <prop name="sort-id">at-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="at-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="at-1_prm_1"/>:</p>
-               <part id="at-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security awareness and training policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="at-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security awareness and
-                     training policy and associated security awareness and training controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="at-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="at-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security awareness and training policy <insert param-id="at-1_prm_2"/>; and</p>
-               </part>
-               <part id="at-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security awareness and training procedures <insert param-id="at-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="at-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AT
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="at-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-1.a_obj" name="objective">
-               <prop name="label">AT-1(a)</prop>
-               <part id="at-1.a.1_obj" name="objective">
-                  <prop name="label">AT-1(a)(1)</prop>
-                  <part id="at-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(1)[1]</prop>
-                     <p>develops and documents an security awareness and training policy that
-                        addresses:</p>
-                     <part id="at-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="at-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security awareness and training
-                        policy are to be disseminated;</p>
-                  </part>
-                  <part id="at-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AT-1(a)(1)[3]</prop>
-                     <p>disseminates the security awareness and training policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="at-1.a.2_obj" name="objective">
-                  <prop name="label">AT-1(a)(2)</prop>
-                  <part id="at-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security awareness and training policy and associated awareness and training
-                        controls;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AT-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-1.b_obj" name="objective">
-               <prop name="label">AT-1(b)</prop>
-               <part id="at-1.b.1_obj" name="objective">
-                  <prop name="label">AT-1(b)(1)</prop>
-                  <part id="at-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training policy;</p>
-                  </part>
-                  <part id="at-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security awareness and training policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="at-1.b.2_obj" name="objective">
-                  <prop name="label">AT-1(b)(2)</prop>
-                  <part id="at-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training procedures; and</p>
-                  </part>
-                  <part id="at-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security awareness and training procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security awareness and training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-2">
-         <title>Security Awareness Training</title>
-         <param id="at-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-2</prop>
-         <prop name="sort-id">at-02</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-2_smt" name="statement">
-            <p>The organization provides basic security awareness training to information system
-               users (including managers, senior executives, and contractors):</p>
-            <part id="at-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>As part of initial training for new users;</p>
-            </part>
-            <part id="at-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-2_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-2_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security awareness training and
-               security awareness techniques based on the specific organizational requirements and
-               the information systems to which personnel have authorized access. The content
-               includes a basic understanding of the need for information security and user actions
-               to maintain security and to respond to suspected security incidents. The content also
-               addresses awareness of the need for operations security. Security awareness
-               techniques can include, for example, displaying posters, offering supplies inscribed
-               with security reminders, generating email advisories/notices from senior
-               organizational officials, displaying logon screen messages, and conducting
-               information security awareness events.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="at-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-2(a)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) as part of initial training for new
-                  users;</p>
-            </part>
-            <part id="at-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-2(b)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) when required by information system
-                  changes; and</p>
-            </part>
-            <part id="at-2.c_obj" name="objective">
-               <prop name="label">AT-2(c)</prop>
-               <part id="at-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher security awareness training
-                     thereafter to information system users (including managers, senior executives,
-                     and contractors); and</p>
-               </part>
-               <part id="at-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-2(c)[2]</prop>
-                  <p>provides refresher security awareness training to information users (including
-                     managers, senior executives, and contractors) with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security awareness training implementation</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>security awareness training curriculum</p>
-               <p>security awareness training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for security awareness training</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel comprising the general information system user
-                  community</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing security awareness training</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-3">
-         <title>Role-based Security Training</title>
-         <param id="at-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-3</prop>
-         <prop name="sort-id">at-03</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-3_smt" name="statement">
-            <p>The organization provides role-based security training to personnel with assigned
-               security roles and responsibilities:</p>
-            <part id="at-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Before authorizing access to the information system or performing assigned
-                  duties;</p>
-            </part>
-            <part id="at-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-3_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-3_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security training based on the
-               assigned roles and responsibilities of individuals and the specific security
-               requirements of organizations and the information systems to which personnel have
-               authorized access. In addition, organizations provide enterprise architects,
-               information system developers, software developers, acquisition/procurement
-               officials, information system managers, system/network administrators, personnel
-               conducting configuration management and auditing activities, personnel performing
-               independent verification and validation activities, security control assessors, and
-               other personnel having access to system-level software, adequate security-related
-               technical training specifically tailored for their assigned duties. Comprehensive
-               role-based training addresses management, operational, and technical roles and
-               responsibilities covering physical, personnel, and technical safeguards and
-               countermeasures. Such training can include for example, policies, procedures, tools,
-               and artifacts for the organizational security roles defined. Organizations also
-               provide the training necessary for individuals to carry out their responsibilities
-               related to operations and supply chain security within the context of organizational
-               information security programs. Role-based security training also applies to
-               contractors providing services to federal agencies.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-16">SA-16</link>
-         </part>
-         <part id="at-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-3(a)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities before authorizing access to the information system or
-                  performing assigned duties;</p>
-            </part>
-            <part id="at-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-3(b)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities when required by information system changes; and</p>
-            </part>
-            <part id="at-3.c_obj" name="objective">
-               <prop name="label">AT-3(c)</prop>
-               <part id="at-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-3(c)[1]</prop>
-                  <p>defines the frequency to provide refresher role-based security training
-                     thereafter to personnel with assigned security roles and responsibilities;
-                     and</p>
-               </part>
-               <part id="at-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-3(c)[2]</prop>
-                  <p>provides refresher role-based security training to personnel with assigned
-                     security roles and responsibilities with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training implementation</p>
-               <p>codes of federal regulations</p>
-               <p>security training curriculum</p>
-               <p>security training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for role-based security
-                  training</p>
-               <p>organizational personnel with assigned information system security roles and
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing role-based security training</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-4">
-         <title>Security Training Records</title>
-         <param id="at-4_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>At least one year</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-4</prop>
-         <prop name="sort-id">at-04</prop>
-         <part id="at-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Documents and monitors individual information system security training activities
-                  including basic security awareness training and specific information system
-                  security training; and</p>
-            </part>
-            <part id="at-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains individual training records for <insert param-id="at-4_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="at-4_gdn" name="guidance">
-            <p>Documentation for specialized training may be maintained by individual supervisors at
-               the option of the organization.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-14">PM-14</link>
-         </part>
-         <part id="at-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-4.a_obj" name="objective">
-               <prop name="label">AT-4(a)</prop>
-               <part id="at-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-4(a)[1]</prop>
-                  <p>documents individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.1.a" name="objective">
-                     <prop name="label">AT-4(a)[1][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.1.b" name="objective">
-                     <prop name="label">AT-4(a)[1][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-               <part id="at-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-4(a)[2]</prop>
-                  <p>monitors individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.2.a" name="objective">
-                     <prop name="label">AT-4(a)[2][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.2.b" name="objective">
-                     <prop name="label">AT-4(a)[2][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-4.b_obj" name="objective">
-               <prop name="label">AT-4(b)</prop>
-               <part id="at-4.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-4(b)[1]</prop>
-                  <p>defines a time period to retain individual training records; and</p>
-               </part>
-               <part id="at-4.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-4(b)[2]</prop>
-                  <p>retains individual training records for the organization-defined time
-                     period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training records</p>
-               <p>security awareness and training records</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security training record retention
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting management of security training records</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="au">
-      <title>Audit and Accountability</title>
-      <control class="SP800-53" id="au-1">
-         <title>Audit and Accountability Policy and Procedures</title>
-         <param id="au-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="au-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-1</prop>
-         <prop name="sort-id">au-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="au-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="au-1_prm_1"/>:</p>
-               <part id="au-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An audit and accountability policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="au-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the audit and accountability
-                     policy and associated audit and accountability controls; and</p>
-               </part>
-            </part>
-            <part id="au-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="au-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Audit and accountability policy <insert param-id="au-1_prm_2"/>; and</p>
-               </part>
-               <part id="au-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Audit and accountability procedures <insert param-id="au-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AU
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="au-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-1.a_obj" name="objective">
-               <prop name="label">AU-1(a)</prop>
-               <part id="au-1.a.1_obj" name="objective">
-                  <prop name="label">AU-1(a)(1)</prop>
-                  <part id="au-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(1)[1]</prop>
-                     <p>develops and documents an audit and accountability policy that
-                        addresses:</p>
-                     <part id="au-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="au-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the audit and accountability policy are
-                        to be disseminated;</p>
-                  </part>
-                  <part id="au-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AU-1(a)(1)[3]</prop>
-                     <p>disseminates the audit and accountability policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="au-1.a.2_obj" name="objective">
-                  <prop name="label">AU-1(a)(2)</prop>
-                  <part id="au-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        audit and accountability policy and associated audit and accountability
-                        controls;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AU-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-1.b_obj" name="objective">
-               <prop name="label">AU-1(b)</prop>
-               <part id="au-1.b.1_obj" name="objective">
-                  <prop name="label">AU-1(b)(1)</prop>
-                  <part id="au-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability policy;</p>
-                  </part>
-                  <part id="au-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current audit and accountability policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="au-1.b.2_obj" name="objective">
-                  <prop name="label">AU-1(b)(2)</prop>
-                  <part id="au-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability procedures; and</p>
-                  </part>
-                  <part id="au-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current audit and accountability procedures in
-                        accordance with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-2">
-         <title>Audit Events</title>
-         <param id="au-2_prm_1">
-            <label>organization-defined auditable events</label>
-            <constraint>Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-         </param>
-         <param id="au-2_prm_2">
-            <label>organization-defined audited events (the subset of the auditable events defined
-               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-               identified event</label>
-            <constraint>organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-2</prop>
-         <prop name="sort-id">au-02</prop>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="au-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines that the information system is capable of auditing the following
-                  events: <insert param-id="au-2_prm_1"/>;</p>
-            </part>
-            <part id="au-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents; and</p>
-            </part>
-            <part id="au-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Determines that the following events are to be audited within the information
-                  system: <insert param-id="au-2_prm_2"/>.</p>
-            </part>
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-2_gdn" name="guidance">
-            <p>An event is any observable occurrence in an organizational information system.
-               Organizations identify audit events as those events which are significant and
-               relevant to the security of information systems and the environments in which those
-               systems operate in order to meet specific and ongoing audit needs. Audit events can
-               include, for example, password changes, failed logons, or failed accesses related to
-               information systems, administrative privilege usage, PIV credential usage, or
-               third-party credential usage. In determining the set of auditable events,
-               organizations consider the auditing appropriate for each of the security controls to
-               be implemented. To balance auditing requirements with other information system needs,
-               this control also requires identifying that subset of auditable events that are
-               audited at a given point in time. For example, organizations may determine that
-               information systems must have the capability to log every file access both successful
-               and unsuccessful, but not activate that capability except for specific circumstances
-               due to the potential burden on system performance. Auditing requirements, including
-               the need for auditable events, may be referenced in other security controls and
-               control enhancements. Organizations also include auditable events that are required
-               by applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards. Audit records can be generated at various levels of abstraction, including
-               at the packet level as information traverses the network. Selecting the appropriate
-               level of abstraction is a critical aspect of an audit capability and can facilitate
-               the identification of root causes to problems. Organizations consider in the
-               definition of auditable events, the auditing necessary to cover related events such
-               as the steps in distributed, transaction-based processes (e.g., processes that are
-               distributed across multiple organizations) and actions that occur in service-oriented
-               architectures.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-2.a_obj" name="objective">
-               <prop name="label">AU-2(a)</prop>
-               <part id="au-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-2(a)[1]</prop>
-                  <p>defines the auditable events that the information system must be capable of
-                     auditing;</p>
-               </part>
-               <part id="au-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-2(a)[2]</prop>
-                  <p>determines that the information system is capable of auditing
-                     organization-defined auditable events;</p>
-               </part>
-            </part>
-            <part id="au-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AU-2(b)</prop>
-               <p>coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AU-2(c)</prop>
-               <p>provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents;</p>
-            </part>
-            <part id="au-2.d_obj" name="objective">
-               <prop name="label">AU-2(d)</prop>
-               <part id="au-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-2(d)[1]</prop>
-                  <p>defines the subset of auditable events defined in AU-2a that are to be audited
-                     within the information system;</p>
-               </part>
-               <part id="au-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-2(d)[2]</prop>
-                  <p>determines that the subset of auditable events defined in AU-2a are to be
-                     audited within the information system; and</p>
-               </part>
-               <part id="au-2.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-2(d)[3]</prop>
-                  <p>determines the frequency of (or situation requiring) auditing for each
-                     identified event.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing auditable events</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>information system auditable events</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-3">
-         <title>Content of Audit Records</title>
-         <prop name="label">AU-3</prop>
-         <prop name="sort-id">au-03</prop>
-         <part id="au-3_smt" name="statement">
-            <p>The information system generates audit records containing information that
-               establishes what type of event occurred, when the event occurred, where the event
-               occurred, the source of the event, the outcome of the event, and the identity of any
-               individuals or subjects associated with the event.</p>
-         </part>
-         <part id="au-3_gdn" name="guidance">
-            <p>Audit record content that may be necessary to satisfy the requirement of this
-               control, includes, for example, time stamps, source and destination addresses,
-               user/process identifiers, event descriptions, success/fail indications, filenames
-               involved, and access control or flow control rules invoked. Event outcomes can
-               include indicators of event success or failure and event-specific results (e.g., the
-               security state of the information system after the event occurred).</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-8">AU-8</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="au-3_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system generates audit records containing information
-               that establishes: </p>
-            <part id="au-3_obj.1" name="objective">
-               <prop name="label">AU-3[1]</prop>
-               <p>what type of event occurred;</p>
-            </part>
-            <part id="au-3_obj.2" name="objective">
-               <prop name="label">AU-3[2]</prop>
-               <p>when the event occurred;</p>
-            </part>
-            <part id="au-3_obj.3" name="objective">
-               <prop name="label">AU-3[3]</prop>
-               <p>where the event occurred;</p>
-            </part>
-            <part id="au-3_obj.4" name="objective">
-               <prop name="label">AU-3[4]</prop>
-               <p>the source of the event;</p>
-            </part>
-            <part id="au-3_obj.5" name="objective">
-               <prop name="label">AU-3[5]</prop>
-               <p>the outcome of the event; and</p>
-            </part>
-            <part id="au-3_obj.6" name="objective">
-               <prop name="label">AU-3[6]</prop>
-               <p>the identity of any individuals or subjects associated with the event.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing content of audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of organization-defined auditable events</p>
-               <p>information system audit records</p>
-               <p>information system incident reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing of auditable
-                  events</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-4">
-         <title>Audit Storage Capacity</title>
-         <param id="au-4_prm_1">
-            <label>organization-defined audit record storage requirements</label>
-         </param>
-         <prop name="label">AU-4</prop>
-         <prop name="sort-id">au-04</prop>
-         <part id="au-4_smt" name="statement">
-            <p>The organization allocates audit record storage capacity in accordance with <insert param-id="au-4_prm_1"/>.</p>
-         </part>
-         <part id="au-4_gdn" name="guidance">
-            <p>Organizations consider the types of auditing to be performed and the audit processing
-               requirements when allocating audit storage capacity. Allocating sufficient audit
-               storage capacity reduces the likelihood of such capacity being exceeded and resulting
-               in the potential loss or reduction of auditing capability.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-4_obj.1" name="objective">
-               <prop name="label">AU-4[1]</prop>
-               <p>defines audit record storage requirements; and</p>
-            </part>
-            <part id="au-4_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-4[2]</prop>
-               <p>allocates audit record storage capacity in accordance with the
-                  organization-defined audit record storage requirements.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit storage capacity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit record storage requirements</p>
-               <p>audit record storage capability for information system components</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Audit record storage capacity and related configuration settings</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-5">
-         <title>Response to Audit Processing Failures</title>
-         <param id="au-5_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-5_prm_2">
-            <label>organization-defined actions to be taken (e.g., shut down information system,
-               overwrite oldest audit records, stop generating audit records)</label>
-            <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-         </param>
-         <prop name="label">AU-5</prop>
-         <prop name="sort-id">au-05</prop>
-         <part id="au-5_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Alerts <insert param-id="au-5_prm_1"/> in the event of an audit processing
-                  failure; and</p>
-            </part>
-            <part id="au-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Takes the following additional actions: <insert param-id="au-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="au-5_gdn" name="guidance">
-            <p>Audit processing failures include, for example, software/hardware errors, failures in
-               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-               Organizations may choose to define additional actions for different audit processing
-               failures (e.g., by type, by location, by severity, or a combination of such factors).
-               This control applies to each audit data storage repository (i.e., distinct
-               information system component where audit records are stored), the total audit storage
-               capacity of organizations (i.e., all audit data storage repositories combined), or
-               both.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#si-12">SI-12</link>
-         </part>
-         <part id="au-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-5.a_obj" name="objective">
-               <prop name="label">AU-5(a)</prop>
-               <part id="au-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(a)[1]</prop>
-                  <p>the organization defines the personnel or roles to be alerted in the event of
-                     an audit processing failure;</p>
-               </part>
-               <part id="au-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-5(a)[2]</prop>
-                  <p>the information system alerts the organization-defined personnel or roles in
-                     the event of an audit processing failure;</p>
-               </part>
-            </part>
-            <part id="au-5.b_obj" name="objective">
-               <prop name="label">AU-5(b)</prop>
-               <part id="au-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(b)[1]</prop>
-                  <p>the organization defines additional actions to be taken (e.g., shutdown
-                     information system, overwrite oldest audit records, stop generating audit
-                     records) in the event of an audit processing failure; and</p>
-               </part>
-               <part id="au-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-5(b)[2]</prop>
-                  <p>the information system takes the additional organization-defined actions in the
-                     event of an audit processing failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing response to audit processing failures</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of personnel to be notified in case of an audit processing failure</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system response to audit processing
-                  failures</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-6">
-         <title>Audit Review, Analysis, and Reporting</title>
-         <param id="au-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least weekly</constraint>
-         </param>
-         <param id="au-6_prm_2">
-            <label>organization-defined inappropriate or unusual activity</label>
-         </param>
-         <param id="au-6_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-6</prop>
-         <prop name="sort-id">au-06</prop>
-         <part id="au-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and analyzes information system audit records <insert param-id="au-6_prm_1"/> for indications of <insert param-id="au-6_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="au-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports findings to <insert param-id="au-6_prm_3"/>.</p>
-            </part>
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-6_gdn" name="guidance">
-            <p>Audit review, analysis, and reporting covers information security-related auditing
-               performed by organizations including, for example, auditing that results from
-               monitoring of account usage, remote access, wireless connectivity, mobile device
-               connection, configuration settings, system component inventory, use of maintenance
-               tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-               delivery and removal, communications at the information system boundaries, use of
-               mobile code, and use of VoIP. Findings can be reported to organizational entities
-               that include, for example, incident response team, help desk, information security
-               group/department. If organizations are prohibited from reviewing and analyzing audit
-               information or unable to conduct such activities (e.g., in certain national security
-               applications or systems), the review/analysis may be carried out by other
-               organizations granted such authority.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-10">CM-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#pe-14">PE-14</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-18">SC-18</link>
-            <link rel="related" href="#sc-19">SC-19</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="au-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-6.a_obj" name="objective">
-               <prop name="label">AU-6(a)</prop>
-               <part id="au-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(a)[1]</prop>
-                  <p>defines the types of inappropriate or unusual activity to look for when
-                     information system audit records are reviewed and analyzed;</p>
-               </part>
-               <part id="au-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(a)[2]</prop>
-                  <p>defines the frequency to review and analyze information system audit records
-                     for indications of organization-defined inappropriate or unusual activity;</p>
-               </part>
-               <part id="au-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-6(a)[3]</prop>
-                  <p>reviews and analyzes information system audit records for indications of
-                     organization-defined inappropriate or unusual activity with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="au-6.b_obj" name="objective">
-               <prop name="label">AU-6(b)</prop>
-               <part id="au-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(b)[1]</prop>
-                  <p>defines personnel or roles to whom findings resulting from reviews and analysis
-                     of information system audit records are to be reported; and</p>
-               </part>
-               <part id="au-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-6(b)[2]</prop>
-                  <p>reports findings to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit review, analysis, and reporting</p>
-               <p>reports of audit findings</p>
-               <p>records of actions taken in response to reviews/analyses of audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit review, analysis, and reporting
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-8">
-         <title>Time Stamps</title>
-         <param id="au-8_prm_1">
-            <label>organization-defined granularity of time measurement</label>
-         </param>
-         <prop name="label">AU-8</prop>
-         <prop name="sort-id">au-08</prop>
-         <part id="au-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses internal system clocks to generate time stamps for audit records; and</p>
-            </part>
-            <part id="au-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Records time stamps for audit records that can be mapped to Coordinated Universal
-                  Time (UTC) or Greenwich Mean Time (GMT) and meets <insert param-id="au-8_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="au-8_gdn" name="guidance">
-            <p>Time stamps generated by the information system include date and time. Time is
-               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-               measurements refers to the degree of synchronization between information system
-               clocks and reference clocks, for example, clocks synchronizing within hundreds of
-               milliseconds or within tens of milliseconds. Organizations may define different time
-               granularities for different system components. Time service can also be critical to
-               other security capabilities such as access control and identification and
-               authentication, depending on the nature of the mechanisms used to support those
-               capabilities.</p>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-         </part>
-         <part id="au-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-8(a)</prop>
-               <p>the information system uses internal system clocks to generate time stamps for
-                  audit records;</p>
-            </part>
-            <part id="au-8.b_obj" name="objective">
-               <prop name="label">AU-8(b)</prop>
-               <part id="au-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-8(b)[1]</prop>
-                  <p>the information system records time stamps for audit records that can be mapped
-                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);</p>
-               </part>
-               <part id="au-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-8(b)[2]</prop>
-                  <p>the organization defines the granularity of time measurement to be met when
-                     recording time stamps for audit records; and</p>
-               </part>
-               <part id="au-8.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-8(b)[3]</prop>
-                  <p>the organization records time stamps for audit records that meet the
-                     organization-defined granularity of time measurement.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing time stamp generation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing time stamp generation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-9">
-         <title>Protection of Audit Information</title>
-         <prop name="label">AU-9</prop>
-         <prop name="sort-id">au-09</prop>
-         <part id="au-9_smt" name="statement">
-            <p>The information system protects audit information and audit tools from unauthorized
-               access, modification, and deletion.</p>
-         </part>
-         <part id="au-9_gdn" name="guidance">
-            <p>Audit information includes all information (e.g., audit records, audit settings, and
-               audit reports) needed to successfully audit information system activity. This control
-               focuses on technical protection of audit information. Physical protection of audit
-               information is addressed by media protection controls and physical and environmental
-               protection controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-         </part>
-         <part id="au-9_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="au-9_obj.1" name="objective">
-               <prop name="label">AU-9[1]</prop>
-               <p>the information system protects audit information from unauthorized:</p>
-               <part id="au-9_obj.1.a" name="objective">
-                  <prop name="label">AU-9[1][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.1.b" name="objective">
-                  <prop name="label">AU-9[1][b]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="au-9_obj.1.c" name="objective">
-                  <prop name="label">AU-9[1][c]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="au-9_obj.2" name="objective">
-               <prop name="label">AU-9[2]</prop>
-               <p>the information system protects audit tools from unauthorized:</p>
-               <part id="au-9_obj.2.a" name="objective">
-                  <prop name="label">AU-9[2][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.2.b" name="objective">
-                  <prop name="label">AU-9[2][b]</prop>
-                  <p>modification; and</p>
-               </part>
-               <part id="au-9_obj.2.c" name="objective">
-                  <prop name="label">AU-9[2][c]</prop>
-                  <p>deletion.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>access control policy and procedures</p>
-               <p>procedures addressing protection of audit information</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation,
-                  information system audit records</p>
-               <p>audit tools</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit information protection</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-11">
-         <title>Audit Record Retention</title>
-         <param id="au-11_prm_1">
-            <label>organization-defined time period consistent with records retention policy</label>
-            <constraint>at least ninety days</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-11</prop>
-         <prop name="sort-id">au-11</prop>
-         <part id="au-11_smt" name="statement">
-            <p>The organization retains audit records for <insert param-id="au-11_prm_1"/> to
-               provide support for after-the-fact investigations of security incidents and to meet
-               regulatory and organizational information retention requirements.</p>
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-11_gdn" name="guidance">
-            <p>Organizations retain audit records until it is determined that they are no longer
-               needed for administrative, legal, audit, or other operational purposes. This
-               includes, for example, retention and availability of audit records relative to
-               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-               Organizations develop standard categories of audit records relative to such types of
-               actions and standard response processes for each type of action. The National
-               Archives and Records Administration (NARA) General Records Schedules provide federal
-               policy on record retention.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="au-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-11_obj.1" name="objective">
-               <prop name="label">AU-11[1]</prop>
-               <p>defines a time period to retain audit records that is consistent with records
-                  retention policy;</p>
-            </part>
-            <part id="au-11_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AU-11[2]</prop>
-               <p>retains audit records for the organization-defined time period consistent with
-                  records retention policy to:</p>
-               <part id="au-11_obj.2.a" name="objective">
-                  <prop name="label">AU-11[2][a]</prop>
-                  <p>provide support for after-the-fact investigations of security incidents;
-                     and</p>
-               </part>
-               <part id="au-11_obj.2.b" name="objective">
-                  <prop name="label">AU-11[2][b]</prop>
-                  <p>meet regulatory and organizational information retention requirements.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>audit record retention policy and procedures</p>
-               <p>security plan</p>
-               <p>organization-defined retention period for audit records</p>
-               <p>audit record archives</p>
-               <p>audit logs</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record retention responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-12">
-         <title>Audit Generation</title>
-         <param id="au-12_prm_1">
-            <label>organization-defined information system components</label>
-            <constraint>all information system and network components where audit capability is deployed/available</constraint>
-         </param>
-         <param id="au-12_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-12</prop>
-         <prop name="sort-id">au-12</prop>
-         <part id="au-12_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-12_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides audit record generation capability for the auditable events defined in
-                  AU-2 a. at <insert param-id="au-12_prm_1"/>;</p>
-            </part>
-            <part id="au-12_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows <insert param-id="au-12_prm_2"/> to select which auditable events are to be
-                  audited by specific components of the information system; and</p>
-            </part>
-            <part id="au-12_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Generates audit records for the events defined in AU-2 d. with the content defined
-                  in AU-3.</p>
-            </part>
-         </part>
-         <part id="au-12_gdn" name="guidance">
-            <p>Audit records can be generated from many different information system components. The
-               list of audited events is the set of events for which audits are to be generated.
-               These events are typically a subset of all events for which the information system is
-               capable of generating audit records.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-         </part>
-         <part id="au-12_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-12.a_obj" name="objective">
-               <prop name="label">AU-12(a)</prop>
-               <part id="au-12.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(a)[1]</prop>
-                  <p>the organization defines the information system components which are to provide
-                     audit record generation capability for the auditable events defined in
-                     AU-2a;</p>
-               </part>
-               <part id="au-12.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-12(a)[2]</prop>
-                  <p>the information system provides audit record generation capability, for the
-                     auditable events defined in AU-2a, at organization-defined information system
-                     components;</p>
-               </part>
-            </part>
-            <part id="au-12.b_obj" name="objective">
-               <prop name="label">AU-12(b)</prop>
-               <part id="au-12.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(b)[1]</prop>
-                  <p>the organization defines the personnel or roles allowed to select which
-                     auditable events are to be audited by specific components of the information
-                     system;</p>
-               </part>
-               <part id="au-12.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-12(b)[2]</prop>
-                  <p>the information system allows the organization-defined personnel or roles to
-                     select which auditable events are to be audited by specific components of the
-                     system; and</p>
-               </part>
-            </part>
-            <part id="au-12.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-12(c)</prop>
-               <p>the information system generates audit records for the events defined in AU-2d
-                  with the content in defined in AU-3.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit record generation</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of auditable events</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record generation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit record generation capability</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ca">
-      <title>Security Assessment and Authorization</title>
-      <control class="SP800-53" id="ca-1">
-         <title>Security Assessment and Authorization Policy and Procedures</title>
-         <param id="ca-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ca-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ca-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-1</prop>
-         <prop name="sort-id">ca-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ca-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ca-1_prm_1"/>:</p>
-               <part id="ca-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security assessment and authorization policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ca-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security assessment and
-                     authorization policy and associated security assessment and authorization
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ca-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ca-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security assessment and authorization policy <insert param-id="ca-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ca-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security assessment and authorization procedures <insert param-id="ca-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ca-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-1.a_obj" name="objective">
-               <prop name="label">CA-1(a)</prop>
-               <part id="ca-1.a.1_obj" name="objective">
-                  <prop name="label">CA-1(a)(1)</prop>
-                  <part id="ca-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(1)[1]</prop>
-                     <p>develops and documents a security assessment and authorization policy that
-                        addresses:</p>
-                     <part id="ca-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ca-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security assessment and authorization
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CA-1(a)(1)[3]</prop>
-                     <p>disseminates the security assessment and authorization policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ca-1.a.2_obj" name="objective">
-                  <prop name="label">CA-1(a)(2)</prop>
-                  <part id="ca-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security assessment and authorization policy and associated assessment and
-                        authorization controls;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-1.b_obj" name="objective">
-               <prop name="label">CA-1(b)</prop>
-               <part id="ca-1.b.1_obj" name="objective">
-                  <prop name="label">CA-1(b)(1)</prop>
-                  <part id="ca-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization policy;</p>
-                  </part>
-                  <part id="ca-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ca-1.b.2_obj" name="objective">
-                  <prop name="label">CA-1(b)(2)</prop>
-                  <part id="ca-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization procedures; and</p>
-                  </part>
-                  <part id="ca-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment and authorization
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-2">
-         <title>Security Assessments</title>
-         <param id="ca-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ca-2_prm_2">
-            <label>organization-defined individuals or roles</label>
-            <constraint>individuals or roles to include FedRAMP PMO</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-2</prop>
-         <prop name="sort-id">ca-02</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Assessment procedures to be used to determine security control effectiveness;
-                     and</p>
-               </part>
-               <part id="ca-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Assessment environment, assessment team, and assessment roles and
-                     responsibilities;</p>
-               </part>
-            </part>
-            <part id="ca-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assesses the security controls in the information system and its environment of
-                  operation <insert param-id="ca-2_prm_1"/> to determine the extent to which the
-                  controls are implemented correctly, operating as intended, and producing the
-                  desired outcome with respect to meeting established security requirements;</p>
-            </part>
-            <part id="ca-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Produces a security assessment report that documents the results of the
-                  assessment; and</p>
-            </part>
-            <part id="ca-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Provides the results of the security control assessment to <insert param-id="ca-2_prm_2"/>.</p>
-            </part>
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-2_gdn" name="guidance">
-            <p>Organizations assess security controls in organizational information systems and the
-               environments in which those systems operate as part of: (i) initial and ongoing
-               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-               and (iv) system development life cycle activities. Security assessments: (i) ensure
-               that information security is built into organizational information systems; (ii)
-               identify weaknesses and deficiencies early in the development process; (iii) provide
-               essential information needed to make risk-based decisions as part of security
-               authorization processes; and (iv) ensure compliance to vulnerability mitigation
-               procedures. Assessments are conducted on the implemented security controls from
-               Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-               in System Security Plans and Information Security Program Plans. Organizations can
-               use other types of assessment activities such as vulnerability scanning and system
-               monitoring to maintain the security posture of information systems during the entire
-               life cycle. Security assessment reports document assessment results in sufficient
-               detail as deemed necessary by organizations, to determine the accuracy and
-               completeness of the reports and whether the security controls are implemented
-               correctly, operating as intended, and producing the desired outcome with respect to
-               meeting security requirements. The FISMA requirement for assessing security controls
-               at least annually does not require additional assessment activities to those
-               activities already in place in organizational security authorization processes.
-               Security assessment results are provided to the individuals or roles appropriate for
-               the types of assessments being conducted. For example, assessments conducted in
-               support of security authorization decisions are provided to authorizing officials or
-               authorizing official designated representatives. To satisfy annual assessment
-               requirements, organizations can use assessment results from the following sources:
-               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-               or (iii) system development life cycle activities. Organizations ensure that security
-               assessment results are current, relevant to the determination of security control
-               effectiveness, and obtained with the appropriate level of assessor independence.
-               Existing security control assessment results can be reused to the extent that the
-               results are still valid and can also be supplemented with additional assessments as
-               needed. Subsequent to initial authorizations and in accordance with OMB policy,
-               organizations assess security controls during continuous monitoring. Organizations
-               establish the frequency for ongoing security control assessments in accordance with
-               organizational continuous monitoring strategies. Information Assurance Vulnerability
-               Alerts provide useful examples of vulnerability mitigation procedures. External
-               audits (e.g., audits by external entities such as regulatory agencies) are outside
-               the scope of this control.</p>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-2(a)</prop>
-               <p>develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2.a.1_obj" name="objective">
-                  <prop name="label">CA-2(a)(1)</prop>
-                  <p>security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2.a.2_obj" name="objective">
-                  <prop name="label">CA-2(a)(2)</prop>
-                  <p>assessment procedures to be used to determine security control
-                     effectiveness;</p>
-               </part>
-               <part id="ca-2.a.3_obj" name="objective">
-                  <prop name="label">CA-2(a)(3)</prop>
-                  <part id="ca-2.a.3_obj.1" name="objective">
-                     <prop name="label">CA-2(a)(3)[1]</prop>
-                     <p>assessment environment;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.2" name="objective">
-                     <prop name="label">CA-2(a)(3)[2]</prop>
-                     <p>assessment team;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.3" name="objective">
-                     <prop name="label">CA-2(a)(3)[3]</prop>
-                     <p>assessment roles and responsibilities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.b_obj" name="objective">
-               <prop name="label">CA-2(b)</prop>
-               <part id="ca-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(b)[1]</prop>
-                  <p>defines the frequency to assess the security controls in the information system
-                     and its environment of operation;</p>
-               </part>
-               <part id="ca-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-2(b)[2]</prop>
-                  <p>assesses the security controls in the information system with the
-                     organization-defined frequency to determine the extent to which the controls
-                     are implemented correctly, operating as intended, and producing the desired
-                     outcome with respect to meeting established security requirements;</p>
-               </part>
-            </part>
-            <part id="ca-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CA-2(c)</prop>
-               <p>produces a security assessment report that documents the results of the
-                  assessment;</p>
-            </part>
-            <part id="ca-2.d_obj" name="objective">
-               <prop name="label">CA-2(d)</prop>
-               <part id="ca-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(d)[1]</prop>
-                  <p>defines individuals or roles to whom the results of the security control
-                     assessment are to be provided; and</p>
-               </part>
-               <part id="ca-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-2(d)[2]</prop>
-                  <p>provides the results of the security control assessment to organization-defined
-                     individuals or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security assessment planning</p>
-               <p>procedures addressing security assessments</p>
-               <p>security assessment plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting security assessment, security assessment plan
-                  development, and/or security assessment reporting</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-2.1">
-            <title>Independent Assessors</title>
-            <param id="ca-2.1_prm_1">
-               <label>organization-defined level of independence</label>
-            </param>
-            <prop name="label">CA-2(1)</prop>
-            <prop name="sort-id">ca-02.01</prop>
-            <part id="ca-2.1_smt" name="statement">
-               <p>The organization employs assessors or assessment teams with <insert param-id="ca-2.1_prm_1"/> to conduct security control assessments.</p>
-               <part id="ca-2.1_fr" name="item">
-                  <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-2.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.1_gdn" name="guidance">
-               <p>Independent assessors or assessment teams are individuals or groups who conduct
-                  impartial assessments of organizational information systems. Impartiality implies
-                  that assessors are free from any perceived or actual conflicts of interest with
-                  regard to the development, operation, or management of the organizational
-                  information systems under assessment or to the determination of security control
-                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                  or conflicting interest with the organizations where the assessments are being
-                  conducted; (ii) assess their own work; (iii) act as management or employees of the
-                  organizations they are serving; or (iv) place themselves in positions of advocacy
-                  for the organizations acquiring their services. Independent assessments can be
-                  obtained from elements within organizations or can be contracted to public or
-                  private sector entities outside of organizations. Authorizing officials determine
-                  the required level of independence based on the security categories of information
-                  systems and/or the ultimate risk to organizational operations, organizational
-                  assets, or individuals. Authorizing officials also determine if the level of
-                  assessor independence provides sufficient assurance that the results are sound and
-                  can be used to make credible, risk-based decisions. This includes determining
-                  whether contracted security assessment services have sufficient independence, for
-                  example, when information system owners are not directly involved in contracting
-                  processes or cannot unduly influence the impartiality of assessors conducting
-                  assessments. In special situations, for example, when organizations that own the
-                  information systems are small or organizational structures require that
-                  assessments are conducted by individuals that are in the developmental,
-                  operational, or management chain of system owners, independence in assessment
-                  processes can be achieved by ensuring that assessment results are carefully
-                  reviewed and analyzed by independent teams of experts to validate the
-                  completeness, accuracy, integrity, and reliability of the results. Organizations
-                  recognize that assessments performed for purposes other than direct support to
-                  authorization decisions are, when performed by assessors with sufficient
-                  independence, more likely to be useable for such decisions, thereby reducing the
-                  need to repeat assessments.</p>
-            </part>
-            <part id="ca-2.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(1)[1]</prop>
-                  <p>defines the level of independence to be employed to conduct security control
-                     assessments; and</p>
-               </part>
-               <part id="ca-2.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-2(1)[2]</prop>
-                  <p>employs assessors or assessment teams with the organization-defined level of
-                     independence to conduct security control assessments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security authorization package (including security plan, security assessment
-                     plan, security assessment report, plan of action and milestones, authorization
-                     statement)</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-3">
-         <title>System Interconnections</title>
-         <param id="ca-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually and on input from FedRAMP</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-3</prop>
-         <prop name="sort-id">ca-03</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#2711f068-734e-4afd-94ba-0b22247fbc88" rel="reference">NIST Special Publication 800-47</link>
-         <part id="ca-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each interconnection, the interface characteristics, security
-                  requirements, and the nature of the information communicated; and</p>
-            </part>
-            <part id="ca-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates Interconnection Security Agreements <insert param-id="ca-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ca-3_gdn" name="guidance">
-            <p>This control applies to dedicated connections between information systems (i.e.,
-               system interconnections) and does not apply to transitory, user-controlled
-               connections such as email and website browsing. Organizations carefully consider the
-               risks that may be introduced when information systems are connected to other systems
-               with different security requirements and security controls, both within organizations
-               and external to organizations. Authorizing officials determine the risk associated
-               with information system connections and the appropriate controls employed. If
-               interconnecting systems have the same authorizing official, organizations do not need
-               to develop Interconnection Security Agreements. Instead, organizations can describe
-               the interface characteristics between those interconnecting systems in their
-               respective security plans. If interconnecting systems have different authorizing
-               officials within the same organization, organizations can either develop
-               Interconnection Security Agreements or describe the interface characteristics between
-               systems in the security plans for the respective systems. Organizations may also
-               incorporate Interconnection Security Agreement information into formal contracts,
-               especially for interconnections established between federal agencies and nonfederal
-               (i.e., private sector) organizations. Risk considerations also include information
-               systems sharing the same networks. For certain technologies (e.g., space, unmanned
-               aerial vehicles, and medical devices), there may be specialized connections in place
-               during preoperational testing. Such connections may require Interconnection Security
-               Agreements and be subject to additional security controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CA-3(a)</prop>
-               <p>authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-3(b)</prop>
-               <p>documents, for each interconnection:</p>
-               <part id="ca-3.b_obj.1" name="objective">
-                  <prop name="label">CA-3(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-3.b_obj.2" name="objective">
-                  <prop name="label">CA-3(b)[2]</prop>
-                  <p>the security requirements;</p>
-               </part>
-               <part id="ca-3.b_obj.3" name="objective">
-                  <prop name="label">CA-3(b)[3]</prop>
-                  <p>the nature of the information communicated;</p>
-               </part>
-            </part>
-            <part id="ca-3.c_obj" name="objective">
-               <prop name="label">CA-3(c)</prop>
-               <part id="ca-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-3(c)[1]</prop>
-                  <p>defines the frequency to review and update Interconnection Security Agreements;
-                     and</p>
-               </part>
-               <part id="ca-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-3(c)[2]</prop>
-                  <p>reviews and updates Interconnection Security Agreements with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>information system Interconnection Security Agreements</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  approving information system interconnection agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel managing the system(s) to which the Interconnection Security Agreement
-                  applies</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-5">
-         <title>Plan of Action and Milestones</title>
-         <param id="ca-5_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-5</prop>
-         <prop name="sort-id">ca-05</prop>
-         <link href="#2c5884cd-7b96-425c-862a-99877e1cf909" rel="reference">OMB Memorandum 02-01</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <part id="ca-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a plan of action and milestones for the information system to document
-                  the organization’s planned remedial actions to correct weaknesses or deficiencies
-                  noted during the assessment of the security controls and to reduce or eliminate
-                  known vulnerabilities in the system; and</p>
-            </part>
-            <part id="ca-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates existing plan of action and milestones <insert param-id="ca-5_prm_1"/>
-                  based on the findings from security controls assessments, security impact
-                  analyses, and continuous monitoring activities.</p>
-            </part>
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-5_gdn" name="guidance">
-            <p>Plans of action and milestones are key documents in security authorization packages
-               and are subject to federal reporting requirements established by OMB.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-4">PM-4</link>
-         </part>
-         <part id="ca-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CA-5(a)</prop>
-               <p>develops a plan of action and milestones for the information system to:</p>
-               <part id="ca-5.a_obj.1" name="objective">
-                  <prop name="label">CA-5(a)[1]</prop>
-                  <p>document the organization’s planned remedial actions to correct weaknesses or
-                     deficiencies noted during the assessment of the security controls;</p>
-               </part>
-               <part id="ca-5.a_obj.2" name="objective">
-                  <prop name="label">CA-5(a)[2]</prop>
-                  <p>reduce or eliminate known vulnerabilities in the system;</p>
-               </part>
-            </part>
-            <part id="ca-5.b_obj" name="objective">
-               <prop name="label">CA-5(b)</prop>
-               <part id="ca-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-5(b)[1]</prop>
-                  <p>defines the frequency to update the existing plan of action and milestones;</p>
-               </part>
-               <part id="ca-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-5(b)[2]</prop>
-                  <p>updates the existing plan of action and milestones with the
-                     organization-defined frequency based on the findings from:</p>
-                  <part id="ca-5.b_obj.2.a" name="objective">
-                     <prop name="label">CA-5(b)[2][a]</prop>
-                     <p>security controls assessments;</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.b" name="objective">
-                     <prop name="label">CA-5(b)[2][b]</prop>
-                     <p>security impact analyses; and</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.c" name="objective">
-                     <prop name="label">CA-5(b)[2][c]</prop>
-                     <p>continuous monitoring activities.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing plan of action and milestones</p>
-               <p>security plan</p>
-               <p>security assessment plan</p>
-               <p>security assessment report</p>
-               <p>security assessment evidence</p>
-               <p>plan of action and milestones</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with plan of action and milestones development and
-                  implementation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms for developing, implementing, and maintaining plan of action
-                  and milestones</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-6">
-         <title>Security Authorization</title>
-         <param id="ca-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three years or when a significant change occurs</constraint>
-         </param>
-         <prop name="label">CA-6</prop>
-         <prop name="sort-id">ca-06</prop>
-         <link href="#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab" rel="reference">OMB Circular A-130</link>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations; and</p>
-            </part>
-            <part id="ca-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Updates the security authorization <insert param-id="ca-6_prm_1"/>.</p>
-            </part>
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-6_gdn" name="guidance">
-            <p>Security authorizations are official management decisions, conveyed through
-               authorization decision documents, by senior organizational officials or executives
-               (i.e., authorizing officials) to authorize operation of information systems and to
-               explicitly accept the risk to organizational operations and assets, individuals,
-               other organizations, and the Nation based on the implementation of agreed-upon
-               security controls. Authorizing officials provide budgetary oversight for
-               organizational information systems or assume responsibility for the mission/business
-               operations supported by those systems. The security authorization process is an
-               inherently federal responsibility and therefore, authorizing officials must be
-               federal employees. Through the security authorization process, authorizing officials
-               assume responsibility and are accountable for security risks associated with the
-               operation and use of organizational information systems. Accordingly, authorizing
-               officials are in positions with levels of authority commensurate with understanding
-               and accepting such information security-related risks. OMB policy requires that
-               organizations conduct ongoing authorizations of information systems by implementing
-               continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-               reauthorization requirements, so separate reauthorization processes are not
-               necessary. Through the employment of comprehensive continuous monitoring processes,
-               critical information contained in authorization packages (i.e., security plans,
-               security assessment reports, and plans of action and milestones) is updated on an
-               ongoing basis, providing authorizing officials and information system owners with an
-               up-to-date status of the security state of organizational information systems and
-               environments of operation. To reduce the administrative cost of security
-               reauthorization, authorizing officials use the results of continuous monitoring
-               processes to the maximum extent possible as the basis for rendering reauthorization
-               decisions.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-10">PM-10</link>
-         </part>
-         <part id="ca-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-6(a)</prop>
-               <p>assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CA-6(b)</prop>
-               <p>ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations;</p>
-            </part>
-            <part id="ca-6.c_obj" name="objective">
-               <prop name="label">CA-6(c)</prop>
-               <part id="ca-6.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-6(c)[1]</prop>
-                  <p>defines the frequency to update the security authorization; and</p>
-               </part>
-               <part id="ca-6.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-6(c)[2]</prop>
-                  <p>updates the security authorization with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security authorization</p>
-               <p>security authorization package (including security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>authorization statement)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security authorization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms that facilitate security authorizations and updates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-7">
-         <title>Continuous Monitoring</title>
-         <param id="ca-7_prm_1">
-            <label>organization-defined metrics</label>
-         </param>
-         <param id="ca-7_prm_2">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_3">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_4">
-            <label>organization-defined personnel or roles</label>
-            <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-         </param>
-         <param id="ca-7_prm_5">
-            <label>organization-defined frequency</label>
-            <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-7</prop>
-         <prop name="sort-id">ca-07</prop>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb" rel="reference">US-CERT Technical Cyber Security Alerts</link>
-         <link href="#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b" rel="reference">DoD Information Assurance Vulnerability Alerts</link>
-         <part id="ca-7_smt" name="statement">
-            <p>The organization develops a continuous monitoring strategy and implements a
-               continuous monitoring program that includes:</p>
-            <part id="ca-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_1"/> to be monitored;</p>
-            </part>
-            <part id="ca-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_2"/> for monitoring and <insert param-id="ca-7_prm_3"/> for assessments supporting such monitoring;</p>
-            </part>
-            <part id="ca-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ongoing security control assessments in accordance with the organizational
-                  continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Ongoing security status monitoring of organization-defined metrics in accordance
-                  with the organizational continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Correlation and analysis of security-related information generated by assessments
-                  and monitoring;</p>
-            </part>
-            <part id="ca-7_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Response actions to address results of the analysis of security-related
-                  information; and</p>
-            </part>
-            <part id="ca-7_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Reporting the security status of organization and the information system to
-                     <insert param-id="ca-7_prm_4"/>
-                  <insert param-id="ca-7_prm_5"/>.</p>
-            </part>
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-7_gdn" name="guidance">
-            <p>Continuous monitoring programs facilitate ongoing awareness of threats,
-               vulnerabilities, and information security to support organizational risk management
-               decisions. The terms continuous and ongoing imply that organizations assess/analyze
-               security controls and information security-related risks at a frequency sufficient to
-               support organizational risk-based decisions. The results of continuous monitoring
-               programs generate appropriate risk response actions by organizations. Continuous
-               monitoring programs also allow organizations to maintain the security authorizations
-               of information systems and common controls over time in highly dynamic environments
-               of operation with changing mission/business needs, threats, vulnerabilities, and
-               technologies. Having access to security-related information on a continuing basis
-               through reports/dashboards gives organizational officials the capability to make more
-               effective and timely risk management decisions, including ongoing security
-               authorization decisions. Automation supports more frequent updates to security
-               authorization packages, hardware/software/firmware inventories, and other system
-               information. Effectiveness is further enhanced when continuous monitoring outputs are
-               formatted to provide information that is specific, measurable, actionable, relevant,
-               and timely. Continuous monitoring activities are scaled in accordance with the
-               security categories of information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-6">PM-6</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ca-7.a_obj" name="objective">
-               <prop name="label">CA-7(a)</prop>
-               <part id="ca-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(a)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines metrics to be
-                     monitored;</p>
-               </part>
-               <part id="ca-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(a)[2]</prop>
-                  <p>develops a continuous monitoring strategy that includes monitoring of
-                     organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(a)[3]</prop>
-                  <p>implements a continuous monitoring program that includes monitoring of
-                     organization-defined metrics in accordance with the organizational continuous
-                     monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.b_obj" name="objective">
-               <prop name="label">CA-7(b)</prop>
-               <part id="ca-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines frequencies for
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[2]</prop>
-                  <p>defines frequencies for assessments supporting monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes establishment of the
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(b)[4]</prop>
-                  <p>implements a continuous monitoring program that includes establishment of
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     such monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.c_obj" name="objective">
-               <prop name="label">CA-7(c)</prop>
-               <part id="ca-7.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(c)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security
-                     control assessments;</p>
-               </part>
-               <part id="ca-7.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(c)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     control assessments in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.d_obj" name="objective">
-               <prop name="label">CA-7(d)</prop>
-               <part id="ca-7.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(d)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security status
-                     monitoring of organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(d)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     status monitoring of organization-defined metrics in accordance with the
-                     organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.e_obj" name="objective">
-               <prop name="label">CA-7(e)</prop>
-               <part id="ca-7.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(e)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(e)[2]</prop>
-                  <p>implements a continuous monitoring program that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.f_obj" name="objective">
-               <prop name="label">CA-7(f)</prop>
-               <part id="ca-7.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(f)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes response actions to
-                     address results of the analysis of security-related information;</p>
-               </part>
-               <part id="ca-7.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(f)[2]</prop>
-                  <p>implements a continuous monitoring program that includes response actions to
-                     address results of the analysis of security-related information in accordance
-                     with the organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.g_obj" name="objective">
-               <prop name="label">CA-7(g)</prop>
-               <part id="ca-7.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines the personnel or roles
-                     to whom the security status of the organization and information system are to
-                     be reported;</p>
-               </part>
-               <part id="ca-7.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[2]</prop>
-                  <p>develops a continuous monitoring strategy that defines the frequency to report
-                     the security status of the organization and information system to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="ca-7.g_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes reporting the security
-                     status of the organization or information system to organizational-defined
-                     personnel or roles with the organization-defined frequency; and</p>
-               </part>
-               <part id="ca-7.g_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(g)[4]</prop>
-                  <p>implements a continuous monitoring program that includes reporting the security
-                     status of the organization and information system to organization-defined
-                     personnel or roles with the organization-defined frequency in accordance with
-                     the organizational continuous monitoring strategy.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing continuous monitoring of information system security
-                  controls</p>
-               <p>procedures addressing configuration management</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>information system monitoring records</p>
-               <p>configuration management records, security impact analyses</p>
-               <p>status reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with continuous monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Mechanisms implementing continuous monitoring</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-9">
-         <title>Internal System Connections</title>
-         <param id="ca-9_prm_1">
-            <label>organization-defined information system components or classes of
-               components</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-9</prop>
-         <prop name="sort-id">ca-09</prop>
-         <part id="ca-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes internal connections of <insert param-id="ca-9_prm_1"/> to the
-                  information system; and</p>
-            </part>
-            <part id="ca-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each internal connection, the interface characteristics, security
-                  requirements, and the nature of the information communicated.</p>
-            </part>
-         </part>
-         <part id="ca-9_gdn" name="guidance">
-            <p>This control applies to connections between organizational information systems and
-               (separate) constituent system components (i.e., intra-system connections) including,
-               for example, system connections with mobile devices, notebook/desktop computers,
-               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-               authorizing each individual internal connection, organizations can authorize internal
-               connections for a class of components with common characteristics and/or
-               configurations, for example, all digital printers, scanners, and copiers with a
-               specified processing, storage, and transmission capability or all smart phones with a
-               specific baseline configuration.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-9.a_obj" name="objective">
-               <prop name="label">CA-9(a)</prop>
-               <part id="ca-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-9(a)[1]</prop>
-                  <p>defines information system components or classes of components to be authorized
-                     as internal connections to the information system;</p>
-               </part>
-               <part id="ca-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-9(a)[2]</prop>
-                  <p>authorizes internal connections of organization-defined information system
-                     components or classes of components to the information system;</p>
-               </part>
-            </part>
-            <part id="ca-9.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-9(b)</prop>
-               <p>documents, for each internal connection:</p>
-               <part id="ca-9.b_obj.1" name="objective">
-                  <prop name="label">CA-9(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-9.b_obj.2" name="objective">
-                  <prop name="label">CA-9(b)[2]</prop>
-                  <p>the security requirements; and</p>
-               </part>
-               <part id="ca-9.b_obj.3" name="objective">
-                  <prop name="label">CA-9(b)[3]</prop>
-                  <p>the nature of the information communicated.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of components or classes of components authorized as internal system
-                  connections</p>
-               <p>security assessment report</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  authorizing internal system connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="cm">
-      <title>Configuration Management</title>
-      <control class="SP800-53" id="cm-1">
-         <title>Configuration Management Policy and Procedures</title>
-         <param id="cm-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cm-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="cm-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-1</prop>
-         <prop name="sort-id">cm-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cm-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cm-1_prm_1"/>:</p>
-               <part id="cm-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A configuration management policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cm-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the configuration management
-                     policy and associated configuration management controls; and</p>
-               </part>
-            </part>
-            <part id="cm-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cm-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Configuration management policy <insert param-id="cm-1_prm_2"/>; and</p>
-               </part>
-               <part id="cm-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Configuration management procedures <insert param-id="cm-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CM
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cm-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-1.a_obj" name="objective">
-               <prop name="label">CM-1(a)</prop>
-               <part id="cm-1.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-1(a)(1)</prop>
-                  <part id="cm-1.a.1_obj.1" name="objective">
-                     <prop name="label">CM-1(a)(1)[1]</prop>
-                     <p>develops and documents a configuration management policy that addresses:</p>
-                     <part id="cm-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cm-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the configuration management policy is to
-                        be disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CM-1(a)(1)[3]</prop>
-                     <p>disseminates the configuration management policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cm-1.a.2_obj" name="objective">
-                  <prop name="label">CM-1(a)(2)</prop>
-                  <part id="cm-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        configuration management policy and associated configuration management
-                        controls;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CM-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-1.b_obj" name="objective">
-               <prop name="label">CM-1(b)</prop>
-               <part id="cm-1.b.1_obj" name="objective">
-                  <prop name="label">CM-1(b)(1)</prop>
-                  <part id="cm-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management policy;</p>
-                  </part>
-                  <part id="cm-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current configuration management policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cm-1.b.2_obj" name="objective">
-                  <prop name="label">CM-1(b)(2)</prop>
-                  <part id="cm-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management procedures; and</p>
-                  </part>
-                  <part id="cm-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current configuration management procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-2">
-         <title>Baseline Configuration</title>
-         <prop name="label">CM-2</prop>
-         <prop name="sort-id">cm-02</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-2_smt" name="statement">
-            <p>The organization develops, documents, and maintains under configuration control, a
-               current baseline configuration of the information system.</p>
-         </part>
-         <part id="cm-2_gdn" name="guidance">
-            <p>This control establishes baseline configurations for information systems and system
-               components including communications and connectivity-related aspects of systems.
-               Baseline configurations are documented, formally reviewed and agreed-upon sets of
-               specifications for information systems or configuration items within those systems.
-               Baseline configurations serve as a basis for future builds, releases, and/or changes
-               to information systems. Baseline configurations include information about information
-               system components (e.g., standard software packages installed on workstations,
-               notebook computers, servers, network components, or mobile devices; current version
-               numbers and patch information on operating systems and applications; and
-               configuration settings/parameters), network topology, and the logical placement of
-               those components within the system architecture. Maintaining baseline configurations
-               requires creating new baselines as organizational information systems change over
-               time. Baseline configurations of information systems reflect the current enterprise
-               architecture.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-         </part>
-         <part id="cm-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-2_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CM-2[1]</prop>
-               <p>develops and documents a current baseline configuration of the information system;
-                  and</p>
-            </part>
-            <part id="cm-2_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-2[2]</prop>
-               <p>maintains, under configuration control, a current baseline configuration of the
-                  information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing the baseline configuration of the information system</p>
-               <p>configuration management plan</p>
-               <p>enterprise architecture documentation</p>
-               <p>information system design documentation</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>change control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing baseline configurations</p>
-               <p>automated mechanisms supporting configuration control of the baseline
-                  configuration</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-4">
-         <title>Security Impact Analysis</title>
-         <prop name="label">CM-4</prop>
-         <prop name="sort-id">cm-04</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-4_smt" name="statement">
-            <p>The organization analyzes changes to the information system to determine potential
-               security impacts prior to change implementation.</p>
-         </part>
-         <part id="cm-4_gdn" name="guidance">
-            <p>Organizational personnel with information security responsibilities (e.g.,
-               Information System Administrators, Information System Security Officers, Information
-               System Security Managers, and Information System Security Engineers) conduct security
-               impact analyses. Individuals conducting security impact analyses possess the
-               necessary skills/technical expertise to analyze the changes to information systems
-               and the associated security ramifications. Security impact analysis may include, for
-               example, reviewing security plans to understand security control requirements and
-               reviewing system design documentation to understand control implementation and how
-               specific changes might affect the controls. Security impact analyses may also include
-               assessments of risk to better understand the impact of the changes and to determine
-               if additional security controls are required. Security impact analyses are scaled in
-               accordance with the security categories of the information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="cm-4_obj" name="objective">
-            <p>Determine if the organization analyzes changes to the information system to determine
-               potential security impacts prior to change implementation.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing security impact analysis for changes to the information
-                  system</p>
-               <p>configuration management plan</p>
-               <p>security impact analysis documentation</p>
-               <p>analysis tools and associated outputs</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for conducting security impact
-                  analysis</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security impact analysis</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-6">
-         <title>Configuration Settings</title>
-         <param id="cm-6_prm_1">
-            <label>organization-defined security configuration checklists</label>
-            <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-         </param>
-         <param id="cm-6_prm_2">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="cm-6_prm_3">
-            <label>organization-defined operational requirements</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-6</prop>
-         <prop name="sort-id">cm-06</prop>
-         <link href="#990268bf-f4a9-4c81-91ae-dc7d3115f4b1" rel="reference">OMB Memorandum 07-11</link>
-         <link href="#0b3d8ba9-051f-498d-81ea-97f0f018c612" rel="reference">OMB Memorandum 07-18</link>
-         <link href="#0916ef02-3618-411b-a525-565c088849a6" rel="reference">OMB Memorandum 08-22</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <link href="#e95dd121-2733-413e-bf1e-f1eb49f20a98" rel="reference">http://checklists.nist.gov</link>
-         <link href="#647b6de3-81d0-4d22-bec1-5f1333e34380" rel="reference">http://www.nsa.gov</link>
-         <part id="cm-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents configuration settings for information technology
-                  products employed within the information system using <insert param-id="cm-6_prm_1"/> that reflect the most restrictive mode consistent with
-                  operational requirements;</p>
-            </part>
-            <part id="cm-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements the configuration settings;</p>
-            </part>
-            <part id="cm-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies, documents, and approves any deviations from established configuration
-                  settings for <insert param-id="cm-6_prm_2"/> based on <insert param-id="cm-6_prm_3"/>; and</p>
-            </part>
-            <part id="cm-6_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Monitors and controls changes to the configuration settings in accordance with
-                  organizational policies and procedures.</p>
-            </part>
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-6_gdn" name="guidance">
-            <p>Configuration settings are the set of parameters that can be changed in hardware,
-               software, or firmware components of the information system that affect the security
-               posture and/or functionality of the system. Information technology products for which
-               security-related configuration settings can be defined include, for example,
-               mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-               proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-               and data switches, wireless access points, network appliances, sensors), operating
-               systems, middleware, and applications. Security-related parameters are those
-               parameters impacting the security state of information systems including the
-               parameters required to satisfy other security control requirements. Security-related
-               parameters include, for example: (i) registry settings; (ii) account, file, directory
-               permission settings; and (iii) settings for functions, ports, protocols, services,
-               and remote connections. Organizations establish organization-wide configuration
-               settings and subsequently derive specific settings for information systems. The
-               established settings become part of the systems configuration baseline. Common secure
-               configurations (also referred to as security configuration checklists, lockdown and
-               hardening guides, security reference guides, security technical implementation
-               guides) provide recognized, standardized, and established benchmarks that stipulate
-               secure configuration settings for specific information technology platforms/products
-               and instructions for configuring those information system components to meet
-               operational requirements. Common secure configurations can be developed by a variety
-               of organizations including, for example, information technology product developers,
-               manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-               organizations in the public and private sectors. Common secure configurations include
-               the United States Government Configuration Baseline (USGCB) which affects the
-               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-               Content Automation Protocol (SCAP) and the defined standards within the protocol
-               (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-               identify, track, and control configuration settings. OMB establishes federal policy
-               on configuration requirements for federal information systems.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="cm-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-6.a_obj" name="objective">
-               <prop name="label">CM-6(a)</prop>
-               <part id="cm-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(a)[1]</prop>
-                  <p>defines security configuration checklists to be used to establish and document
-                     configuration settings for the information technology products employed;</p>
-               </part>
-               <part id="cm-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CM-6(a)[2]</prop>
-                  <p>ensures the defined security configuration checklists reflect the most
-                     restrictive mode consistent with operational requirements;</p>
-               </part>
-               <part id="cm-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(a)[3]</prop>
-                  <p>establishes and documents configuration settings for information technology
-                     products employed within the information system using organization-defined
-                     security configuration checklists;</p>
-               </part>
-            </part>
-            <part id="cm-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-6(b)</prop>
-               <p>implements the configuration settings established/documented in CM-6(a);;</p>
-            </part>
-            <part id="cm-6.c_obj" name="objective">
-               <prop name="label">CM-6(c)</prop>
-               <part id="cm-6.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[1]</prop>
-                  <p>defines information system components for which any deviations from established
-                     configuration settings must be:</p>
-                  <part id="cm-6.c_obj.1.a" name="objective">
-                     <prop name="label">CM-6(c)[1][a]</prop>
-                     <p>identified;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.b" name="objective">
-                     <prop name="label">CM-6(c)[1][b]</prop>
-                     <p>documented;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.c" name="objective">
-                     <prop name="label">CM-6(c)[1][c]</prop>
-                     <p>approved;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[2]</prop>
-                  <p>defines operational requirements to support:</p>
-                  <part id="cm-6.c_obj.2.a" name="objective">
-                     <prop name="label">CM-6(c)[2][a]</prop>
-                     <p>the identification of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.b" name="objective">
-                     <prop name="label">CM-6(c)[2][b]</prop>
-                     <p>the documentation of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.c" name="objective">
-                     <prop name="label">CM-6(c)[2][c]</prop>
-                     <p>the approval of any deviations from established configuration settings;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(c)[3]</prop>
-                  <p>identifies any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[4]</prop>
-                  <p>documents any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(c)[5]</prop>
-                  <p>approves any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-            </part>
-            <part id="cm-6.d_obj" name="objective">
-               <prop name="label">CM-6(d)</prop>
-               <part id="cm-6.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(d)[1]</prop>
-                  <p>monitors changes to the configuration settings in accordance with
-                     organizational policies and procedures; and</p>
-               </part>
-               <part id="cm-6.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(d)[2]</prop>
-                  <p>controls changes to the configuration settings in accordance with
-                     organizational policies and procedures.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing configuration settings for the information system</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>evidence supporting approved deviations from established configuration
-                  settings</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing configuration settings</p>
-               <p>automated mechanisms that implement, monitor, and/or control information system
-                  configuration settings</p>
-               <p>automated mechanisms that identify and/or document deviations from established
-                  configuration settings</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-7">
-         <title>Least Functionality</title>
-         <param id="cm-7_prm_1">
-            <label>organization-defined prohibited or restricted functions, ports, protocols, and/or
-               services</label>
-            <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-         </param>
-         <prop name="label">CM-7</prop>
-         <prop name="sort-id">cm-07</prop>
-         <link href="#e42b2099-3e1c-415b-952c-61c96533c12e" rel="reference">DoD Instruction 8551.01</link>
-         <part id="cm-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Configures the information system to provide only essential capabilities; and</p>
-            </part>
-            <part id="cm-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Prohibits or restricts the use of the following functions, ports, protocols,
-                  and/or services: <insert param-id="cm-7_prm_1"/>.</p>
-            </part>
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>
-							Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-7_gdn" name="guidance">
-            <p>Information systems can provide a wide variety of functions and services. Some of the
-               functions and services, provided by default, may not be necessary to support
-               essential organizational operations (e.g., key missions, functions). Additionally, it
-               is sometimes convenient to provide multiple services from single information system
-               components, but doing so increases risk over limiting the services provided by any
-               one component. Where feasible, organizations limit component functionality to a
-               single function per device (e.g., email servers or web servers, but not both).
-               Organizations review functions and services provided by information systems or
-               individual components of information systems, to determine which functions and
-               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-               Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-               prevent unauthorized connection of devices, unauthorized transfer of information, or
-               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-               detection and prevention systems, and end-point protections such as firewalls and
-               host-based intrusion detection systems to identify and prevent the use of prohibited
-               functions, ports, protocols, and services.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-7.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-7(a)</prop>
-               <p>configures the information system to provide only essential capabilities;</p>
-            </part>
-            <part id="cm-7.b_obj" name="objective">
-               <prop name="label">CM-7(b)</prop>
-               <part id="cm-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-7(b)[1]</prop>
-                  <p>defines prohibited or restricted:</p>
-                  <part id="cm-7.b_obj.1.a" name="objective">
-                     <prop name="label">CM-7(b)[1][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.b" name="objective">
-                     <prop name="label">CM-7(b)[1][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.c" name="objective">
-                     <prop name="label">CM-7(b)[1][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.d" name="objective">
-                     <prop name="label">CM-7(b)[1][d]</prop>
-                     <p>services;</p>
-                  </part>
-               </part>
-               <part id="cm-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-7(b)[2]</prop>
-                  <p>prohibits or restricts the use of organization-defined:</p>
-                  <part id="cm-7.b_obj.2.a" name="objective">
-                     <prop name="label">CM-7(b)[2][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.b" name="objective">
-                     <prop name="label">CM-7(b)[2][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.c" name="objective">
-                     <prop name="label">CM-7(b)[2][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.d" name="objective">
-                     <prop name="label">CM-7(b)[2][d]</prop>
-                     <p>services.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>configuration management plan</p>
-               <p>procedures addressing least functionality in the information system</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes prohibiting or restricting functions, ports, protocols,
-                  and/or services</p>
-               <p>automated mechanisms implementing restrictions or prohibition of functions, ports,
-                  protocols, and/or services</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-8">
-         <title>Information System Component Inventory</title>
-         <param id="cm-8_prm_1">
-            <label>organization-defined information deemed necessary to achieve effective
-               information system component accountability</label>
-         </param>
-         <param id="cm-8_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-8</prop>
-         <prop name="sort-id">cm-08</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents an inventory of information system components that:</p>
-               <part id="cm-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Is at the level of granularity deemed necessary for tracking and reporting;
-                     and</p>
-               </part>
-               <part id="cm-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Includes <insert param-id="cm-8_prm_1"/>; and</p>
-               </part>
-            </part>
-            <part id="cm-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the information system component inventory <insert param-id="cm-8_prm_2"/>.</p>
-            </part>
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-8_gdn" name="guidance">
-            <p>Organizations may choose to implement centralized information system component
-               inventories that include components from all organizational information systems. In
-               such situations, organizations ensure that the resulting inventories include
-               system-specific information required for proper component accountability (e.g.,
-               information system association, information system owner). Information deemed
-               necessary for effective accountability of information system components includes, for
-               example, hardware inventory specifications, software license information, software
-               version numbers, component owners, and for networked components or devices, machine
-               names and network addresses. Inventory specifications include, for example,
-               manufacturer, device type, model, serial number, and physical location.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-         </part>
-         <part id="cm-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-8.a_obj" name="objective">
-               <prop name="label">CM-8(a)</prop>
-               <part id="cm-8.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(1)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(2)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(3)</prop>
-                  <p>develops and documents an inventory of information system components that is at
-                     the level of granularity deemed necessary for tracking and reporting;</p>
-               </part>
-               <part id="cm-8.a.4_obj" name="objective">
-                  <prop name="label">CM-8(a)(4)</prop>
-                  <part id="cm-8.a.4_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(a)(4)[1]</prop>
-                     <p>defines the information deemed necessary to achieve effective information
-                        system component accountability;</p>
-                  </part>
-                  <part id="cm-8.a.4_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(a)(4)[2]</prop>
-                     <p>develops and documents an inventory of information system components that
-                        includes organization-defined information deemed necessary to achieve
-                        effective information system component accountability;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-8.b_obj" name="objective">
-               <prop name="label">CM-8(b)</prop>
-               <part id="cm-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(b)[1]</prop>
-                  <p>defines the frequency to review and update the information system component
-                     inventory; and</p>
-               </part>
-               <part id="cm-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-8(b)[2]</prop>
-                  <p>reviews and updates the information system component inventory with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing information system component inventory</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system inventory records</p>
-               <p>inventory reviews and update records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system component
-                  inventory</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing and documenting an inventory of
-                  information system components</p>
-               <p>automated mechanisms supporting and/or implementing the information system
-                  component inventory</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-10">
-         <title>Software Usage Restrictions</title>
-         <prop name="label">CM-10</prop>
-         <prop name="sort-id">cm-10</prop>
-         <part id="cm-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part id="cm-10_gdn" name="guidance">
-            <p>Software license tracking can be accomplished by manual methods (e.g., simple
-               spreadsheets) or automated methods (e.g., specialized tracking applications)
-               depending on organizational needs.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-10_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-10.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-10(a)</prop>
-               <p>uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-10(b)</prop>
-               <p>tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-10(c)</prop>
-               <p>controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing software usage restrictions</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>software contract agreements and copyright laws</p>
-               <p>site license documentation</p>
-               <p>list of software usage restrictions</p>
-               <p>software license tracking reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel with software license management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for tracking the use of software protected by quantity
-                  licenses</p>
-               <p>organization process for controlling/documenting the use of peer-to-peer file
-                  sharing technology</p>
-               <p>automated mechanisms implementing software license tracking</p>
-               <p>automated mechanisms implementing and controlling the use of peer-to-peer files
-                  sharing technology</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-11">
-         <title>User-installed Software</title>
-         <param id="cm-11_prm_1">
-            <label>organization-defined policies</label>
-         </param>
-         <param id="cm-11_prm_2">
-            <label>organization-defined methods</label>
-         </param>
-         <param id="cm-11_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>Continuously (via CM-7 (5))</constraint>
-         </param>
-         <prop name="label">CM-11</prop>
-         <prop name="sort-id">cm-11</prop>
-         <part id="cm-11_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes <insert param-id="cm-11_prm_1"/> governing the installation of
-                  software by users;</p>
-            </part>
-            <part id="cm-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Enforces software installation policies through <insert param-id="cm-11_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="cm-11_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Monitors policy compliance at <insert param-id="cm-11_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="cm-11_gdn" name="guidance">
-            <p>If provided the necessary privileges, users have the ability to install software in
-               organizational information systems. To maintain control over the types of software
-               installed, organizations identify permitted and prohibited actions regarding software
-               installation. Permitted software installations may include, for example, updates and
-               security patches to existing software and downloading applications from
-               organization-approved “app stores” Prohibited software installations may include, for
-               example, software with unknown or suspect pedigrees or software that organizations
-               consider potentially malicious. The policies organizations select governing
-               user-installed software may be organization-developed or provided by some external
-               entity. Policy enforcement methods include procedural methods (e.g., periodic
-               examination of user accounts), automated methods (e.g., configuration settings
-               implemented on organizational information systems), or both.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="cm-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-11.a_obj" name="objective">
-               <prop name="label">CM-11(a)</prop>
-               <part id="cm-11.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(a)[1]</prop>
-                  <p>defines policies to govern the installation of software by users;</p>
-               </part>
-               <part id="cm-11.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(a)[2]</prop>
-                  <p>establishes organization-defined policies governing the installation of
-                     software by users;</p>
-               </part>
-            </part>
-            <part id="cm-11.b_obj" name="objective">
-               <prop name="label">CM-11(b)</prop>
-               <part id="cm-11.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(b)[1]</prop>
-                  <p>defines methods to enforce software installation policies;</p>
-               </part>
-               <part id="cm-11.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-11(b)[2]</prop>
-                  <p>enforces software installation policies through organization-defined
-                     methods;</p>
-               </part>
-            </part>
-            <part id="cm-11.c_obj" name="objective">
-               <prop name="label">CM-11(c)</prop>
-               <part id="cm-11.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(c)[1]</prop>
-                  <p>defines frequency to monitor policy compliance; and</p>
-               </part>
-               <part id="cm-11.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-11(c)[2]</prop>
-                  <p>monitors policy compliance at organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing user installed software</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of rules governing user installed software</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-               <p>continuous monitoring strategy</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for governing user-installed
-                  software</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel monitoring compliance with user-installed software
-                  policy</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes governing user-installed software on the information
-                  system</p>
-               <p>automated mechanisms enforcing rules/methods for governing the installation of
-                  software by users</p>
-               <p>automated mechanisms monitoring policy compliance</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="cp">
-      <title>Contingency Planning</title>
-      <control class="SP800-53" id="cp-1">
-         <title>Contingency Planning Policy and Procedures</title>
-         <param id="cp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="cp-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-1</prop>
-         <prop name="sort-id">cp-01</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cp-1_prm_1"/>:</p>
-               <part id="cp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A contingency planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the contingency planning policy
-                     and associated contingency planning controls; and</p>
-               </part>
-            </part>
-            <part id="cp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Contingency planning policy <insert param-id="cp-1_prm_2"/>; and</p>
-               </part>
-               <part id="cp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Contingency planning procedures <insert param-id="cp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cp-1_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="cp-1.a_obj" name="objective">
-               <prop name="label">CP-1(a)</prop>
-               <part id="cp-1.a.1_obj" name="objective">
-                  <prop name="label">CP-1(a)(1)</prop>
-                  <part id="cp-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(1)[1]</prop>
-                     <p>the organization develops and documents a contingency planning policy that
-                        addresses:</p>
-                     <part id="cp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cp-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(1)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the contingency planning
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-1(a)(1)[3]</prop>
-                     <p>the organization disseminates the contingency planning policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cp-1.a.2_obj" name="objective">
-                  <prop name="label">CP-1(a)(2)</prop>
-                  <part id="cp-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(2)[1]</prop>
-                     <p>the organization develops and documents procedures to facilitate the
-                        implementation of the contingency planning policy and associated contingency
-                        planning controls;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(2)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-1(a)(2)[3]</prop>
-                     <p>the organization disseminates the procedures to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-1.b_obj" name="objective">
-               <prop name="label">CP-1(b)</prop>
-               <part id="cp-1.b.1_obj" name="objective">
-                  <prop name="label">CP-1(b)(1)</prop>
-                  <part id="cp-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(1)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning policy;</p>
-                  </part>
-                  <part id="cp-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(1)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cp-1.b.2_obj" name="objective">
-                  <prop name="label">CP-1(b)(2)</prop>
-                  <part id="cp-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(2)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning procedures; and</p>
-                  </part>
-                  <part id="cp-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(2)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-2">
-         <title>Contingency Plan</title>
-         <param id="cp-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-2_prm_2">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <param id="cp-2_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="cp-2_prm_4">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-2</prop>
-         <prop name="sort-id">cp-02</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a contingency plan for the information system that:</p>
-               <part id="cp-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Provides recovery objectives, restoration priorities, and metrics;</p>
-               </part>
-               <part id="cp-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Addresses contingency roles, responsibilities, assigned individuals with
-                     contact information;</p>
-               </part>
-               <part id="cp-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented; and</p>
-               </part>
-               <part id="cp-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Is reviewed and approved by <insert param-id="cp-2_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="cp-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the contingency plan to <insert param-id="cp-2_prm_2"/>;</p>
-            </part>
-            <part id="cp-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the contingency plan for the information system <insert param-id="cp-2_prm_3"/>;</p>
-            </part>
-            <part id="cp-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the contingency plan to address changes to the organization, information
-                  system, or environment of operation and problems encountered during contingency
-                  plan implementation, execution, or testing;</p>
-            </part>
-            <part id="cp-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Communicates contingency plan changes to <insert param-id="cp-2_prm_4"/>; and</p>
-            </part>
-            <part id="cp-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-2_gdn" name="guidance">
-            <p>Contingency planning for information systems is part of an overall organizational
-               program for achieving continuity of operations for mission/business functions.
-               Contingency planning addresses both information system restoration and implementation
-               of alternative mission/business processes when systems are compromised. The
-               effectiveness of contingency planning is maximized by considering such planning
-               throughout the phases of the system development life cycle. Performing contingency
-               planning on hardware, software, and firmware development can be an effective means of
-               achieving information system resiliency. Contingency plans reflect the degree of
-               restoration required for organizational information systems since not all systems may
-               need to fully recover to achieve the level of continuity of operations desired.
-               Information system recovery objectives reflect applicable laws, Executive Orders,
-               directives, policies, standards, regulations, and guidelines. In addition to
-               information system availability, contingency plans also address other
-               security-related events resulting in a reduction in mission and/or business
-               effectiveness, such as malicious attacks compromising the confidentiality or
-               integrity of information systems. Actions addressed in contingency plans include, for
-               example, orderly/graceful degradation, information system shutdown, fallback to a
-               manual mode, alternate information flows, and operating in modes reserved for when
-               systems are under attack. By closely coordinating contingency planning with incident
-               handling activities, organizations can ensure that the necessary contingency planning
-               activities are in place and activated in the event of a security incident.</p>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="cp-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-2.a_obj" name="objective">
-               <prop name="label">CP-2(a)</prop>
-               <p>develops and documents a contingency plan for the information system that:</p>
-               <part id="cp-2.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(1)</prop>
-                  <p>identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(2)</prop>
-                  <part id="cp-2.a.2_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(2)[1]</prop>
-                     <p>provides recovery objectives;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(2)[2]</prop>
-                     <p>provides restoration priorities;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(2)[3]</prop>
-                     <p>provides metrics;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(3)</prop>
-                  <part id="cp-2.a.3_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(3)[1]</prop>
-                     <p>addresses contingency roles;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(3)[2]</prop>
-                     <p>addresses contingency responsibilities;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(3)[3]</prop>
-                     <p>addresses assigned individuals with contact information;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(4)</prop>
-                  <p>addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(5)</prop>
-                  <p>addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented;</p>
-               </part>
-               <part id="cp-2.a.6_obj" name="objective">
-                  <prop name="label">CP-2(a)(6)</prop>
-                  <part id="cp-2.a.6_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-2(a)(6)[1]</prop>
-                     <p>defines personnel or roles to review and approve the contingency plan for
-                        the information system;</p>
-                  </part>
-                  <part id="cp-2.a.6_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-2(a)(6)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-2.b_obj" name="objective">
-               <prop name="label">CP-2(b)</prop>
-               <part id="cp-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(b)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom copies of the contingency plan are to be
-                     distributed;</p>
-               </part>
-               <part id="cp-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-2(b)[2]</prop>
-                  <p>distributes copies of the contingency plan to organization-defined key
-                     contingency personnel and organizational elements;</p>
-               </part>
-            </part>
-            <part id="cp-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CP-2(c)</prop>
-               <p>coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2.d_obj" name="objective">
-               <prop name="label">CP-2(d)</prop>
-               <part id="cp-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(d)[1]</prop>
-                  <p>defines a frequency to review the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(d)[2]</prop>
-                  <p>reviews the contingency plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-2.e_obj" name="objective">
-               <prop name="label">CP-2(e)</prop>
-               <p>updates the contingency plan to address:</p>
-               <part id="cp-2.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(e)[1]</prop>
-                  <p>changes to the organization, information system, or environment of
-                     operation;</p>
-               </part>
-               <part id="cp-2.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(e)[2]</prop>
-                  <p>problems encountered during plan implementation, execution, and testing;</p>
-               </part>
-            </part>
-            <part id="cp-2.f_obj" name="objective">
-               <prop name="label">CP-2(f)</prop>
-               <part id="cp-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(f)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom contingency plan changes are to be
-                     communicated;</p>
-               </part>
-               <part id="cp-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-2(f)[2]</prop>
-                  <p>communicates contingency plan changes to organization-defined key contingency
-                     personnel and organizational elements; and</p>
-               </part>
-            </part>
-            <part id="cp-2.g_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-2(g)</prop>
-               <p>protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency operations for the information system</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>evidence of contingency plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan development, review, update, and
-                  protection</p>
-               <p>automated mechanisms for developing, reviewing, updating and/or protecting the
-                  contingency plan</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-3">
-         <title>Contingency Training</title>
-         <param id="cp-3_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>ten (10) days</constraint>
-         </param>
-         <param id="cp-3_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-3</prop>
-         <prop name="sort-id">cp-03</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="cp-3_smt" name="statement">
-            <p>The organization provides contingency training to information system users consistent
-               with assigned roles and responsibilities:</p>
-            <part id="cp-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="cp-3_prm_1"/> of assuming a contingency role or
-                  responsibility;</p>
-            </part>
-            <part id="cp-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="cp-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="cp-3_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="cp-3_gdn" name="guidance">
-            <p>Contingency training provided by organizations is linked to the assigned roles and
-               responsibilities of organizational personnel to ensure that the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know when and where to report for duty during contingency operations and if
-               normal duties are affected; system administrators may require additional training on
-               how to set up information systems at alternate processing and storage sites; and
-               managers/senior leaders may receive more specific training on how to conduct
-               mission-essential functions in designated off-site locations and how to establish
-               communications with other governmental entities for purposes of coordination on
-               contingency-related activities. Training for contingency roles/responsibilities
-               reflects the specific continuity requirements in the contingency plan.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-         </part>
-         <part id="cp-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-3.a_obj" name="objective">
-               <prop name="label">CP-3(a)</prop>
-               <part id="cp-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-3(a)[1]</prop>
-                  <p>defines a time period within which contingency training is to be provided to
-                     information system users assuming a contingency role or responsibility;</p>
-               </part>
-               <part id="cp-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-3(a)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming a contingency role or responsibility;</p>
-               </part>
-            </part>
-            <part id="cp-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-3(b)</prop>
-               <p>provides contingency training to information system users consistent with assigned
-                  roles and responsibilities when required by information system changes;</p>
-            </part>
-            <part id="cp-3.c_obj" name="objective">
-               <prop name="label">CP-3(c)</prop>
-               <part id="cp-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-3(c)[1]</prop>
-                  <p>defines the frequency for contingency training thereafter; and</p>
-               </part>
-               <part id="cp-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-3(c)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities with the organization-defined frequency
-                     thereafter.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency training</p>
-               <p>contingency plan</p>
-               <p>contingency training curriculum</p>
-               <p>contingency training material</p>
-               <p>security plan</p>
-               <p>contingency training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, plan implementation, and
-                  training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency training</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-4">
-         <title>Contingency Plan Testing</title>
-         <param id="cp-4_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three years</constraint>
-         </param>
-         <param id="cp-4_prm_2">
-            <label>organization-defined tests</label>
-            <constraint>classroom exercises/table top written tests</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-4</prop>
-         <prop name="sort-id">cp-04</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf" rel="reference">NIST Special Publication 800-84</link>
-         <part id="cp-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Tests the contingency plan for the information system <insert param-id="cp-4_prm_1"/> using <insert param-id="cp-4_prm_2"/> to determine the
-                  effectiveness of the plan and the organizational readiness to execute the
-                  plan;</p>
-            </part>
-            <part id="cp-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Initiates corrective actions, if needed.</p>
-            </part>
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-4_gdn" name="guidance">
-            <p>Methods for testing contingency plans to determine the effectiveness of the plans and
-               to identify potential weaknesses in the plans include, for example, walk-through and
-               tabletop exercises, checklists, simulations (parallel, full interrupt), and
-               comprehensive exercises. Organizations conduct testing based on the continuity
-               requirements in contingency plans and include a determination of the effects on
-               organizational operations, assets, and individuals arising due to contingency
-               operations. Organizations have flexibility and discretion in the breadth, depth, and
-               timelines of corrective actions.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-         </part>
-         <part id="cp-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-4.a_obj" name="objective">
-               <prop name="label">CP-4(a)</prop>
-               <part id="cp-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-4(a)[1]</prop>
-                  <p>defines tests to determine the effectiveness of the contingency plan and the
-                     organizational readiness to execute the plan;</p>
-               </part>
-               <part id="cp-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-4(a)[2]</prop>
-                  <p>defines a frequency to test the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-4.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-4(a)[3]</prop>
-                  <p>tests the contingency plan for the information system with the
-                     organization-defined frequency, using organization-defined tests to determine
-                     the effectiveness of the plan and the organizational readiness to execute the
-                     plan;</p>
-               </part>
-            </part>
-            <part id="cp-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-4(b)</prop>
-               <p>reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-4(c)</prop>
-               <p>initiates corrective actions, if needed.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency plan testing</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>contingency plan test documentation</p>
-               <p>contingency plan test results</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for contingency plan testing,
-                  reviewing or responding to contingency plan tests</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan testing</p>
-               <p>automated mechanisms supporting the contingency plan and/or contingency plan
-                  testing</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-9">
-         <title>Information System Backup</title>
-         <param id="cp-9_prm_1">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <param id="cp-9_prm_2">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <param id="cp-9_prm_3">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-9</prop>
-         <prop name="sort-id">cp-09</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts backups of user-level information contained in the information system
-                     <insert param-id="cp-9_prm_1"/>;</p>
-            </part>
-            <part id="cp-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Conducts backups of system-level information contained in the information system
-                     <insert param-id="cp-9_prm_2"/>;</p>
-            </part>
-            <part id="cp-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts backups of information system documentation including security-related
-                  documentation <insert param-id="cp-9_prm_3"/>; and</p>
-            </part>
-            <part id="cp-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-9_gdn" name="guidance">
-            <p>System-level information includes, for example, system-state information, operating
-               system and application software, and licenses. User-level information includes any
-               information other than system-level information. Mechanisms employed by organizations
-               to protect the integrity of information system backups include, for example, digital
-               signatures and cryptographic hashes. Protection of system backup information while in
-               transit is beyond the scope of this control. Information system backups reflect the
-               requirements in contingency plans as well as other organizational requirements for
-               backing up information.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="cp-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-9.a_obj" name="objective">
-               <prop name="label">CP-9(a)</prop>
-               <part id="cp-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(a)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of user-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(a)[2]</prop>
-                  <p>conducts backups of user-level information contained in the information system
-                     with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.b_obj" name="objective">
-               <prop name="label">CP-9(b)</prop>
-               <part id="cp-9.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(b)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of system-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(b)[2]</prop>
-                  <p>conducts backups of system-level information contained in the information
-                     system with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.c_obj" name="objective">
-               <prop name="label">CP-9(c)</prop>
-               <part id="cp-9.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(c)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of information system documentation including security-related
-                     documentation;</p>
-               </part>
-               <part id="cp-9.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(c)[2]</prop>
-                  <p>conducts backups of information system documentation, including
-                     security-related documentation, with the organization-defined frequency;
-                     and</p>
-               </part>
-            </part>
-            <part id="cp-9.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-9(d)</prop>
-               <p>protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>backup storage location(s)</p>
-               <p>information system backup logs or records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system backup responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for conducting information system backups</p>
-               <p>automated mechanisms supporting and/or implementing information system backups</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-10">
-         <title>Information System Recovery and Reconstitution</title>
-         <prop name="label">CP-10</prop>
-         <prop name="sort-id">cp-10</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-10_smt" name="statement">
-            <p>The organization provides for the recovery and reconstitution of the information
-               system to a known state after a disruption, compromise, or failure.</p>
-         </part>
-         <part id="cp-10_gdn" name="guidance">
-            <p>Recovery is executing information system contingency plan activities to restore
-               organizational missions/business functions. Reconstitution takes place following
-               recovery and includes activities for returning organizational information systems to
-               fully operational states. Recovery and reconstitution operations reflect mission and
-               business priorities, recovery point/time and reconstitution objectives, and
-               established organizational metrics consistent with contingency plan requirements.
-               Reconstitution includes the deactivation of any interim information system
-               capabilities that may have been needed during recovery operations. Reconstitution
-               also includes assessments of fully restored information system capabilities,
-               reestablishment of continuous monitoring activities, potential information system
-               reauthorizations, and activities to prepare the systems against future disruptions,
-               compromises, or failures. Recovery/reconstitution capabilities employed by
-               organizations can include both automated mechanisms and manual procedures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="cp-10_obj" name="objective">
-            <p>Determine if the organization provides for: </p>
-            <part id="cp-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-10[1]</prop>
-               <p>the recovery of the information system to a known state after:</p>
-               <part id="cp-10_obj.1.a" name="objective">
-                  <prop name="label">CP-10[1][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.1.b" name="objective">
-                  <prop name="label">CP-10[1][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.1.c" name="objective">
-                  <prop name="label">CP-10[1][c]</prop>
-                  <p>a failure;</p>
-               </part>
-            </part>
-            <part id="cp-10_obj.2" name="objective">
-               <prop name="label">CP-10[2]</prop>
-               <p>the reconstitution of the information system to a known state after:</p>
-               <part id="cp-10_obj.2.a" name="objective">
-                  <prop name="label">CP-10[2][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.2.b" name="objective">
-                  <prop name="label">CP-10[2][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.2.c" name="objective">
-                  <prop name="label">CP-10[2][c]</prop>
-                  <p>a failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>information system backup test results</p>
-               <p>contingency plan test results</p>
-               <p>contingency plan test documentation</p>
-               <p>redundant secondary system for information system backups</p>
-               <p>location(s) of redundant secondary backup system(s)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, recovery, and/or
-                  reconstitution responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes implementing information system recovery and
-                  reconstitution operations</p>
-               <p>automated mechanisms supporting and/or implementing information system recovery
-                  and reconstitution operations</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ia">
-      <title>Identification and Authentication</title>
-      <control class="SP800-53" id="ia-1">
-         <title>Identification and Authentication Policy and Procedures</title>
-         <param id="ia-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ia-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-1</prop>
-         <prop name="sort-id">ia-01</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ia-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ia-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ia-1_prm_1"/>:</p>
-               <part id="ia-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An identification and authentication policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ia-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the identification and
-                     authentication policy and associated identification and authentication
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ia-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ia-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identification and authentication policy <insert param-id="ia-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ia-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Identification and authentication procedures <insert param-id="ia-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ia-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ia-1.a_obj" name="objective">
-               <prop name="label">IA-1(a)</prop>
-               <part id="ia-1.a.1_obj" name="objective">
-                  <prop name="label">IA-1(a)(1)</prop>
-                  <part id="ia-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(1)[1]</prop>
-                     <p>develops and documents an identification and authentication policy that
-                        addresses:</p>
-                     <part id="ia-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ia-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the identification and authentication
-                        policy is to be disseminated; and</p>
-                  </part>
-                  <part id="ia-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IA-1(a)(1)[3]</prop>
-                     <p>disseminates the identification and authentication policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ia-1.a.2_obj" name="objective">
-                  <prop name="label">IA-1(a)(2)</prop>
-                  <part id="ia-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        identification and authentication policy and associated identification and
-                        authentication controls;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-1.b_obj" name="objective">
-               <prop name="label">IA-1(b)</prop>
-               <part id="ia-1.b.1_obj" name="objective">
-                  <prop name="label">IA-1(b)(1)</prop>
-                  <part id="ia-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication policy;</p>
-                  </part>
-                  <part id="ia-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current identification and authentication policy
-                        with the organization-defined frequency; and</p>
-                  </part>
-               </part>
-               <part id="ia-1.b.2_obj" name="objective">
-                  <prop name="label">IA-1(b)(2)</prop>
-                  <part id="ia-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication procedures; and</p>
-                  </part>
-                  <part id="ia-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current identification and authentication procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identification and authentication
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-2">
-         <title>Identification and Authentication (organizational Users)</title>
-         <prop name="label">IA-2</prop>
-         <prop name="sort-id">ia-02</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-2_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates organizational users (or
-               processes acting on behalf of organizational users).</p>
-         </part>
-         <part id="ia-2_gdn" name="guidance">
-            <p>Organizational users include employees or individuals that organizations deem to have
-               equivalent status of employees (e.g., contractors, guest researchers). This control
-               applies to all accesses other than: (i) accesses that are explicitly identified and
-               documented in AC-14; and (ii) accesses that occur through authorized use of group
-               authenticators without individual authentication. Organizations may require unique
-               identification of individuals in group accounts (e.g., shared privilege accounts) or
-               for detailed accountability of individual activity. Organizations employ passwords,
-               tokens, or biometrics to authenticate user identities, or in the case multifactor
-               authentication, or some combination thereof. Access to organizational information
-               systems is defined as either local access or network access. Local access is any
-               access to organizational information systems by users (or processes acting on behalf
-               of users) where such access is obtained by direct connections without the use of
-               networks. Network access is access to organizational information systems by users (or
-               processes acting on behalf of users) where such access is obtained through network
-               connections (i.e., nonlocal accesses). Remote access is a type of network access that
-               involves communication through external networks (e.g., the Internet). Internal
-               networks include local area networks and wide area networks. In addition, the use of
-               encrypted virtual private networks (VPNs) for network connections between
-               organization-controlled endpoints and non-organization controlled endpoints may be
-               treated as internal networks from the perspective of protecting the confidentiality
-               and integrity of information traversing the network. Organizations can satisfy the
-               identification and authentication requirements in this control by complying with the
-               requirements in Homeland Security Presidential Directive 12 consistent with the
-               specific organizational implementation plans. Multifactor authentication requires the
-               use of two or more different factors to achieve authentication. The factors are
-               defined as: (i) something you know (e.g., password, personal identification number
-               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-               or (iii) something you are (e.g., biometric). Multifactor solutions that require
-               devices separate from information systems gaining access include, for example,
-               hardware tokens providing time-based or challenge-response authenticators and smart
-               cards such as the U.S. Government Personal Identity Verification card and the DoD
-               common access card. In addition to identifying and authenticating users at the
-               information system level (i.e., at logon), organizations also employ identification
-               and authentication mechanisms at the application level, when necessary, to provide
-               increased information security. Identification and authentication requirements for
-               other than organizational users are described in IA-8.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-         </part>
-         <part id="ia-2_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               organizational users (or processes acting on behalf of organizational users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for uniquely identifying and authenticating users</p>
-               <p>automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-2.1">
-            <title>Network Access to Privileged Accounts</title>
-            <prop name="label">IA-2(1)</prop>
-            <prop name="sort-id">ia-02.01</prop>
-            <part id="ia-2.1_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  privileged accounts.</p>
-            </part>
-            <part id="ia-2.1_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements multifactor authentication for
-                  network access to privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.12">
-            <title>Acceptance of PIV Credentials</title>
-            <prop name="label">IA-2(12)</prop>
-            <prop name="sort-id">ia-02.12</prop>
-            <part id="ia-2.12_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials.</p>
-               <part id="ia-2.12_fr" name="item">
-                  <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-2.12_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-2.12_gdn" name="guidance">
-               <p>This control enhancement applies to organizations implementing logical access
-                  control systems (LACS) and physical access control systems (PACS). Personal
-                  Identity Verification (PIV) credentials are those credentials issued by federal
-                  agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                  OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                  requirements specified in HSPD-12 to enable agency-wide use of PIV
-                  credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-2.12_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-2.12_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(12)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials; and</p>
-               </part>
-               <part id="ia-2.12_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(12)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing acceptance and verification
-                     of PIV credentials</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-4">
-         <title>Identifier Management</title>
-         <param id="ia-4_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-4_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>IA-4 (d) [at least two years]</constraint>
-         </param>
-         <param id="ia-4_prm_3">
-            <label>organization-defined time period of inactivity</label>
-            <constraint>ninety days for user identifiers (See additional requirements and guidance)</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-4</prop>
-         <prop name="sort-id">ia-04</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <part id="ia-4_smt" name="statement">
-            <p>The organization manages information system identifiers by:</p>
-            <part id="ia-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receiving authorization from <insert param-id="ia-4_prm_1"/> to assign an
-                  individual, group, role, or device identifier;</p>
-            </part>
-            <part id="ia-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Selecting an identifier that identifies an individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Assigning the identifier to the intended individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Preventing reuse of identifiers for <insert param-id="ia-4_prm_2"/>; and</p>
-            </part>
-            <part id="ia-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Disabling the identifier after <insert param-id="ia-4_prm_3"/>.</p>
-            </part>
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-4_gdn" name="guidance">
-            <p>Common device identifiers include, for example, media access control (MAC), Internet
-               protocol (IP) addresses, or device-unique token identifiers. Management of individual
-               identifiers is not applicable to shared information system accounts (e.g., guest and
-               anonymous accounts). Typically, individual identifiers are the user names of the
-               information system accounts assigned to those individuals. In such instances, the
-               account management activities of AC-2 use account names provided by IA-4. This
-               control also addresses individual identifiers not necessarily associated with
-               information system accounts (e.g., identifiers used in physical security control
-               databases accessed by badge reader systems for access to information systems).
-               Preventing reuse of identifiers implies preventing the assignment of previously used
-               individual, group, role, or device identifiers to different individuals, groups,
-               roles, or devices.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#sc-37">SC-37</link>
-         </part>
-         <part id="ia-4_obj" name="objective">
-            <p>Determine if the organization manages information system identifiers by: </p>
-            <part id="ia-4.a_obj" name="objective">
-               <prop name="label">IA-4(a)</prop>
-               <part id="ia-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(a)[1]</prop>
-                  <p>defining personnel or roles from whom authorization must be received to
-                     assign:</p>
-                  <part id="ia-4.a_obj.1.a" name="objective">
-                     <prop name="label">IA-4(a)[1][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.b" name="objective">
-                     <prop name="label">IA-4(a)[1][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.c" name="objective">
-                     <prop name="label">IA-4(a)[1][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.d" name="objective">
-                     <prop name="label">IA-4(a)[1][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-               <part id="ia-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(a)[2]</prop>
-                  <p>receiving authorization from organization-defined personnel or roles to
-                     assign:</p>
-                  <part id="ia-4.a_obj.2.a" name="objective">
-                     <prop name="label">IA-4(a)[2][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.b" name="objective">
-                     <prop name="label">IA-4(a)[2][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.c" name="objective">
-                     <prop name="label">IA-4(a)[2][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.d" name="objective">
-                     <prop name="label">IA-4(a)[2][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-4(b)</prop>
-               <p>selecting an identifier that identifies:</p>
-               <part id="ia-4.b_obj.1" name="objective">
-                  <prop name="label">IA-4(b)[1]</prop>
-                  <p>an individual;</p>
-               </part>
-               <part id="ia-4.b_obj.2" name="objective">
-                  <prop name="label">IA-4(b)[2]</prop>
-                  <p>a group;</p>
-               </part>
-               <part id="ia-4.b_obj.3" name="objective">
-                  <prop name="label">IA-4(b)[3]</prop>
-                  <p>a role; and/or</p>
-               </part>
-               <part id="ia-4.b_obj.4" name="objective">
-                  <prop name="label">IA-4(b)[4]</prop>
-                  <p>a device;</p>
-               </part>
-            </part>
-            <part id="ia-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-4(c)</prop>
-               <p>assigning the identifier to the intended:</p>
-               <part id="ia-4.c_obj.1" name="objective">
-                  <prop name="label">IA-4(c)[1]</prop>
-                  <p>individual;</p>
-               </part>
-               <part id="ia-4.c_obj.2" name="objective">
-                  <prop name="label">IA-4(c)[2]</prop>
-                  <p>group;</p>
-               </part>
-               <part id="ia-4.c_obj.3" name="objective">
-                  <prop name="label">IA-4(c)[3]</prop>
-                  <p>role; and/or</p>
-               </part>
-               <part id="ia-4.c_obj.4" name="objective">
-                  <prop name="label">IA-4(c)[4]</prop>
-                  <p>device;</p>
-               </part>
-            </part>
-            <part id="ia-4.d_obj" name="objective">
-               <prop name="label">IA-4(d)</prop>
-               <part id="ia-4.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(d)[1]</prop>
-                  <p>defining a time period for preventing reuse of identifiers;</p>
-               </part>
-               <part id="ia-4.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(d)[2]</prop>
-                  <p>preventing reuse of identifiers for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ia-4.e_obj" name="objective">
-               <prop name="label">IA-4(e)</prop>
-               <part id="ia-4.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(e)[1]</prop>
-                  <p>defining a time period of inactivity to disable the identifier; and</p>
-               </part>
-               <part id="ia-4.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(e)[2]</prop>
-                  <p>disabling the identifier after the organization-defined time period of
-                     inactivity.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing identifier management</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system accounts</p>
-               <p>list of identifiers generated from physical access control devices</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identifier management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identifier management</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-5">
-         <title>Authenticator Management</title>
-         <param id="ia-5_prm_1">
-            <label>organization-defined time period by authenticator type</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-5</prop>
-         <prop name="sort-id">ia-05</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-5_smt" name="statement">
-            <p>The organization manages information system authenticators by:</p>
-            <part id="ia-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Verifying, as part of the initial authenticator distribution, the identity of the
-                  individual, group, role, or device receiving the authenticator;</p>
-            </part>
-            <part id="ia-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Establishing and implementing administrative procedures for initial authenticator
-                  distribution, for lost/compromised or damaged authenticators, and for revoking
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changing/refreshing authenticators <insert param-id="ia-5_prm_1"/>;</p>
-            </part>
-            <part id="ia-5_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Protecting authenticator content from unauthorized disclosure and
-                  modification;</p>
-            </part>
-            <part id="ia-5_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Requiring individuals to take, and having devices implement, specific security
-                  safeguards to protect authenticators; and</p>
-            </part>
-            <part id="ia-5_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-5_gdn" name="guidance">
-            <p>Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-               certificates, and key cards. Initial authenticator content is the actual content
-               (e.g., the initial password) as opposed to requirements about authenticator content
-               (e.g., minimum password length). In many cases, developers ship information system
-               components with factory default authentication credentials to allow for initial
-               installation and configuration. Default authentication credentials are often well
-               known, easily discoverable, and present a significant security risk. The requirement
-               to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-               for authenticators stored within organizational information systems (e.g., passwords
-               stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-               accessible with administrator privileges). Information systems support individual
-               authenticator management by organization-defined settings and restrictions for
-               various authenticator characteristics including, for example, minimum password
-               length, password composition, validation time window for time synchronous one-time
-               tokens, and number of allowed rejections during the verification stage of biometric
-               authentication. Specific actions that can be taken to safeguard authenticators
-               include, for example, maintaining possession of individual authenticators, not
-               loaning or sharing individual authenticators with others, and reporting lost, stolen,
-               or compromised authenticators immediately. Authenticator management includes issuing
-               and revoking, when no longer needed, authenticators for temporary access such as that
-               required for remote maintenance. Device authenticators include, for example,
-               certificates and passwords.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-         </part>
-         <part id="ia-5_obj" name="objective">
-            <p>Determine if the organization manages information system authenticators by: </p>
-            <part id="ia-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(a)</prop>
-               <p>verifying, as part of the initial authenticator distribution, the identity of:</p>
-               <part id="ia-5.a_obj.1" name="objective">
-                  <prop name="label">IA-5(a)[1]</prop>
-                  <p>the individual receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.2" name="objective">
-                  <prop name="label">IA-5(a)[2]</prop>
-                  <p>the group receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.3" name="objective">
-                  <prop name="label">IA-5(a)[3]</prop>
-                  <p>the role receiving the authenticator; and/or</p>
-               </part>
-               <part id="ia-5.a_obj.4" name="objective">
-                  <prop name="label">IA-5(a)[4]</prop>
-                  <p>the device receiving the authenticator;</p>
-               </part>
-            </part>
-            <part id="ia-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">IA-5(b)</prop>
-               <p>establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(c)</prop>
-               <p>ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5.d_obj" name="objective">
-               <prop name="label">IA-5(d)</prop>
-               <part id="ia-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[1]</prop>
-                  <p>establishing and implementing administrative procedures for initial
-                     authenticator distribution;</p>
-               </part>
-               <part id="ia-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[2]</prop>
-                  <p>establishing and implementing administrative procedures for lost/compromised or
-                     damaged authenticators;</p>
-               </part>
-               <part id="ia-5.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[3]</prop>
-                  <p>establishing and implementing administrative procedures for revoking
-                     authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(e)</prop>
-               <p>changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5.f_obj" name="objective">
-               <prop name="label">IA-5(f)</prop>
-               <part id="ia-5.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[1]</prop>
-                  <p>establishing minimum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[2]</prop>
-                  <p>establishing maximum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[3]</prop>
-                  <p>establishing reuse conditions for authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.g_obj" name="objective">
-               <prop name="label">IA-5(g)</prop>
-               <part id="ia-5.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(g)[1]</prop>
-                  <p>defining a time period (by authenticator type) for changing/refreshing
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(g)[2]</prop>
-                  <p>changing/refreshing authenticators with the organization-defined time period by
-                     authenticator type;</p>
-               </part>
-            </part>
-            <part id="ia-5.h_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(h)</prop>
-               <p>protecting authenticator content from unauthorized:</p>
-               <part id="ia-5.h_obj.1" name="objective">
-                  <prop name="label">IA-5(h)[1]</prop>
-                  <p>disclosure;</p>
-               </part>
-               <part id="ia-5.h_obj.2" name="objective">
-                  <prop name="label">IA-5(h)[2]</prop>
-                  <p>modification;</p>
-               </part>
-            </part>
-            <part id="ia-5.i_obj" name="objective">
-               <prop name="label">IA-5(i)</prop>
-               <part id="ia-5.i_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IA-5(i)[1]</prop>
-                  <p>requiring individuals to take specific security safeguards to protect
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.i_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(i)[2]</prop>
-                  <p>having devices implement specific security safeguards to protect
-                     authenticators; and</p>
-               </part>
-            </part>
-            <part id="ia-5.j_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(j)</prop>
-               <p>changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator management</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system authenticator types</p>
-               <p>change control records associated with managing information system
-                  authenticators</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with authenticator management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing authenticator management
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-5.1">
-            <title>Password-based Authentication</title>
-            <param id="ia-5.1_prm_1">
-               <label>organization-defined requirements for case sensitivity, number of characters,
-                  mix of upper-case letters, lower-case letters, numbers, and special characters,
-                  including minimum requirements for each type</label>
-            </param>
-            <param id="ia-5.1_prm_2">
-               <label>organization-defined number</label>
-               <constraint>at least one</constraint>
-            </param>
-            <param id="ia-5.1_prm_3">
-               <label>organization-defined numbers for lifetime minimum, lifetime maximum</label>
-            </param>
-            <param id="ia-5.1_prm_4">
-               <label>organization-defined number</label>
-               <constraint>twenty four</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">IA-5(1)</prop>
-            <prop name="sort-id">ia-05.01</prop>
-            <part id="ia-5.1_smt" name="statement">
-               <p>The information system, for password-based authentication:</p>
-               <part id="ia-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Enforces minimum password complexity of <insert param-id="ia-5.1_prm_1"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces at least the following number of changed characters when new passwords
-                     are created: <insert param-id="ia-5.1_prm_2"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Stores and transmits only cryptographically-protected passwords;</p>
-               </part>
-               <part id="ia-5.1_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Enforces password minimum and maximum lifetime restrictions of <insert param-id="ia-5.1_prm_3"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Prohibits password reuse for <insert param-id="ia-5.1_prm_4"/> generations;
-                     and</p>
-               </part>
-               <part id="ia-5.1_smt.f" name="item">
-                  <prop name="label">(f)</prop>
-                  <p>Allows the use of a temporary password for system logons with an immediate
-                     change to a permanent password.</p>
-               </part>
-               <part id="ia-5.1_fr" name="item">
-                  <title>IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-5.1_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance (a) (d):</prop>
-                     <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-5.1_gdn" name="guidance">
-               <p>This control enhancement applies to single-factor authentication of individuals
-                  using passwords as individual or group authenticators, and in a similar manner,
-                  when passwords are part of multifactor authenticators. This control enhancement
-                  does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                  Personal Identity Verification cards). The implementation of such password
-                  mechanisms may not meet all of the requirements in the enhancement.
-                  Cryptographically-protected passwords include, for example, encrypted versions of
-                  passwords and one-way cryptographic hashes of passwords. The number of changed
-                  characters refers to the number of changes required with respect to the total
-                  number of positions in the current password. Password lifetime restrictions do not
-                  apply to temporary passwords. To mitigate certain brute force attacks against
-                  passwords, organizations may also consider salting passwords.</p>
-               <link rel="related" href="#ia-6">IA-6</link>
-            </part>
-            <part id="ia-5.1_obj" name="objective">
-               <p>Determine if, for password-based authentication: </p>
-               <part id="ia-5.1.a_obj" name="objective">
-                  <prop name="label">IA-5(1)(a)</prop>
-                  <part id="ia-5.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[1]</prop>
-                     <p>the organization defines requirements for case sensitivity;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[2]</prop>
-                     <p>the organization defines requirements for number of characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[3]</prop>
-                     <p>the organization defines requirements for the mix of upper-case letters,
-                        lower-case letters, numbers and special characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.4" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[4]</prop>
-                     <p>the organization defines minimum requirements for each type of
-                        character;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.5" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(a)[5]</prop>
-                     <p>the information system enforces minimum password complexity of
-                        organization-defined requirements for case sensitivity, number of
-                        characters, mix of upper-case letters, lower-case letters, numbers, and
-                        special characters, including minimum requirements for each type;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.a">IA-5(1)(a)</link>
-               </part>
-               <part id="ia-5.1.b_obj" name="objective">
-                  <prop name="label">IA-5(1)(b)</prop>
-                  <part id="ia-5.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(b)[1]</prop>
-                     <p>the organization defines a minimum number of changed characters to be
-                        enforced when new passwords are created;</p>
-                  </part>
-                  <part id="ia-5.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(b)[2]</prop>
-                     <p>the information system enforces at least the organization-defined minimum
-                        number of characters that must be changed when new passwords are
-                        created;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.b">IA-5(1)(b)</link>
-               </part>
-               <part id="ia-5.1.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(1)(c)</prop>
-                  <p>the information system stores and transmits only encrypted representations of
-                     passwords;</p>
-                  <link rel="corresp" href="#ia-5.1_smt.c">IA-5(1)(c)</link>
-               </part>
-               <part id="ia-5.1.d_obj" name="objective">
-                  <prop name="label">IA-5(1)(d)</prop>
-                  <part id="ia-5.1.d_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(d)[1]</prop>
-                     <p>the organization defines numbers for password minimum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(d)[2]</prop>
-                     <p>the organization defines numbers for password maximum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(d)[3]</prop>
-                     <p>the information system enforces password minimum lifetime restrictions of
-                        organization-defined numbers for lifetime minimum;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.4" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(d)[4]</prop>
-                     <p>the information system enforces password maximum lifetime restrictions of
-                        organization-defined numbers for lifetime maximum;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.d">IA-5(1)(d)</link>
-               </part>
-               <part id="ia-5.1.e_obj" name="objective">
-                  <prop name="label">IA-5(1)(e)</prop>
-                  <part id="ia-5.1.e_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(e)[1]</prop>
-                     <p>the organization defines the number of password generations to be prohibited
-                        from password reuse;</p>
-                  </part>
-                  <part id="ia-5.1.e_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(e)[2]</prop>
-                     <p>the information system prohibits password reuse for the organization-defined
-                        number of generations; and</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.e">IA-5(1)(e)</link>
-               </part>
-               <part id="ia-5.1.f_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(1)(f)</prop>
-                  <p>the information system allows the use of a temporary password for system logons
-                     with an immediate change to a permanent password.</p>
-                  <link rel="corresp" href="#ia-5.1_smt.f">IA-5(1)(f)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>password policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>password configurations and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing password-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.11">
-            <title>Hardware Token-based Authentication</title>
-            <param id="ia-5.11_prm_1">
-               <label>organization-defined token quality requirements</label>
-            </param>
-            <prop name="label">IA-5(11)</prop>
-            <prop name="sort-id">ia-05.11</prop>
-            <part id="ia-5.11_smt" name="statement">
-               <p>The information system, for hardware token-based authentication, employs
-                  mechanisms that satisfy <insert param-id="ia-5.11_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.11_gdn" name="guidance">
-               <p>Hardware token-based authentication typically refers to the use of PKI-based
-                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                  Organizations define specific requirements for tokens, such as working with a
-                  particular PKI.</p>
-            </part>
-            <part id="ia-5.11_obj" name="objective">
-               <p>Determine if, for hardware token-based authentication: </p>
-               <part id="ia-5.11_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(11)[1]</prop>
-                  <p>the organization defines token quality requirements to be satisfied; and</p>
-               </part>
-               <part id="ia-5.11_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(11)[2]</prop>
-                  <p>the information system employs mechanisms that satisfy organization-defined
-                     token quality requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>automated mechanisms employing hardware token-based authentication for the
-                     information system</p>
-                  <p>list of token quality requirements</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing hardware token-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-6">
-         <title>Authenticator Feedback</title>
-         <prop name="label">IA-6</prop>
-         <prop name="sort-id">ia-06</prop>
-         <part id="ia-6_smt" name="statement">
-            <p>The information system obscures feedback of authentication information during the
-               authentication process to protect the information from possible exploitation/use by
-               unauthorized individuals.</p>
-         </part>
-         <part id="ia-6_gdn" name="guidance">
-            <p>The feedback from information systems does not provide information that would allow
-               unauthorized individuals to compromise authentication mechanisms. For some types of
-               information systems or system components, for example, desktops/notebooks with
-               relatively large monitors, the threat (often referred to as shoulder surfing) may be
-               significant. For other types of systems or components, for example, mobile devices
-               with 2-4 inch screens, this threat may be less significant, and may need to be
-               balanced against the increased likelihood of typographic input errors due to the
-               small keyboards. Therefore, the means for obscuring the authenticator feedback is
-               selected accordingly. Obscuring the feedback of authentication information includes,
-               for example, displaying asterisks when users type passwords into input devices, or
-               displaying feedback for a very limited time before fully obscuring it.</p>
-            <link rel="related" href="#pe-18">PE-18</link>
-         </part>
-         <part id="ia-6_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system obscures feedback of authentication information
-               during the authentication process to protect the information from possible
-               exploitation/use by unauthorized individuals.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator feedback</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                  authentication information during authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-7">
-         <title>Cryptographic Module Authentication</title>
-         <prop name="label">IA-7</prop>
-         <prop name="sort-id">ia-07</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#b09d1a31-d3c9-4138-a4f4-4c63816afd7d" rel="reference">http://csrc.nist.gov/groups/STM/cmvp/index.html</link>
-         <part id="ia-7_smt" name="statement">
-            <p>The information system implements mechanisms for authentication to a cryptographic
-               module that meet the requirements of applicable federal laws, Executive Orders,
-               directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part id="ia-7_gdn" name="guidance">
-            <p>Authentication mechanisms may be required within a cryptographic module to
-               authenticate an operator accessing the module and to verify that the operator is
-               authorized to assume the requested role and perform services within that role.</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ia-7_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system implements mechanisms for authentication to a
-               cryptographic module that meet the requirements of applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing cryptographic module authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for cryptographic module
-                  authentication</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic module
-                  authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-8">
-         <title>Identification and Authentication (non-organizational Users)</title>
-         <prop name="label">IA-8</prop>
-         <prop name="sort-id">ia-08</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#599fe9ba-4750-4450-9eeb-b95bd19a5e8f" rel="reference">OMB Memorandum 10-06-2011</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#654f21e2-f3bc-43b2-abdc-60ab8d09744b" rel="reference">National Strategy for Trusted Identities in
-            Cyberspace</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-8_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates non-organizational users
-               (or processes acting on behalf of non-organizational users).</p>
-         </part>
-         <part id="ia-8_gdn" name="guidance">
-            <p>Non-organizational users include information system users other than organizational
-               users explicitly covered by IA-2. These individuals are uniquely identified and
-               authenticated for accesses other than those accesses explicitly identified and
-               documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-               authentication of non-organizational users accessing federal information systems may
-               be required to protect federal, proprietary, or privacy-related information (with
-               exceptions noted for national security systems). Organizations use risk assessments
-               to determine authentication needs and consider scalability, practicality, and
-               security in balancing the need to ensure ease of use for access to federal
-               information and information systems with the need to protect and adequately mitigate
-               risk. IA-2 addresses identification and authentication requirements for access to
-               information systems by organizational users.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-         </part>
-         <part id="ia-8_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               non-organizational users (or processes acting on behalf of non-organizational
-               users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-8.1">
-            <title>Acceptance of PIV Credentials from Other Agencies</title>
-            <prop name="label">IA-8(1)</prop>
-            <prop name="sort-id">ia-08.01</prop>
-            <part id="ia-8.1_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials from other federal agencies.</p>
-            </part>
-            <part id="ia-8.1_gdn" name="guidance">
-               <p>This control enhancement applies to logical access control systems (LACS) and
-                  physical access control systems (PACS). Personal Identity Verification (PIV)
-                  credentials are those credentials issued by federal agencies that conform to FIPS
-                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                  federal agencies to continue implementing the requirements specified in HSPD-12 to
-                  enable agency-wide use of PIV credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.1_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(1)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials from other agencies;
-                     and</p>
-               </part>
-               <part id="ia-8.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(1)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials from
-                     other agencies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept and verify PIV credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.2">
-            <title>Acceptance of Third-party Credentials</title>
-            <prop name="label">IA-8(2)</prop>
-            <prop name="sort-id">ia-08.02</prop>
-            <part id="ia-8.2_smt" name="statement">
-               <p>The information system accepts only FICAM-approved third-party credentials.</p>
-            </part>
-            <part id="ia-8.2_gdn" name="guidance">
-               <p>This control enhancement typically applies to organizational information systems
-                  that are accessible to the general public, for example, public-facing websites.
-                  Third-party credentials are those credentials issued by nonfederal government
-                  entities approved by the Federal Identity, Credential, and Access Management
-                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                  meet or exceed the set of minimum federal government-wide technical, security,
-                  privacy, and organizational maturity requirements. This allows federal government
-                  relying parties to trust such credentials at their approved assurance levels.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ia-8.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system accepts only FICAM-approved third-party
-                  credentials. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-approved, third-party credentialing products, components, or
-                     services procured and implemented by organization</p>
-                  <p>third-party credential verification records</p>
-                  <p>evidence of FICAM-approved third-party credentials</p>
-                  <p>third-party credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept FICAM-approved credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.3">
-            <title>Use of Ficam-approved Products</title>
-            <param id="ia-8.3_prm_1">
-               <label>organization-defined information systems</label>
-            </param>
-            <prop name="label">IA-8(3)</prop>
-            <prop name="sort-id">ia-08.03</prop>
-            <part id="ia-8.3_smt" name="statement">
-               <p>The organization employs only FICAM-approved information system components in
-                     <insert param-id="ia-8.3_prm_1"/> to accept third-party credentials.</p>
-            </part>
-            <part id="ia-8.3_gdn" name="guidance">
-               <p>This control enhancement typically applies to information systems that are
-                  accessible to the general public, for example, public-facing websites.
-                  FICAM-approved information system components include, for example, information
-                  technology products and software libraries that have been approved by the Federal
-                  Identity, Credential, and Access Management conformance program.</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-8.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-8(3)[1]</prop>
-                  <p>defines information systems in which only FICAM-approved information system
-                     components are to be employed to accept third-party credentials; and</p>
-               </part>
-               <part id="ia-8.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(3)[2]</prop>
-                  <p>employs only FICAM-approved information system components in
-                     organization-defined information systems to accept third-party credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>third-party credential validations</p>
-                  <p>third-party credential authorizations</p>
-                  <p>third-party credential records</p>
-                  <p>list of FICAM-approved information system components procured and implemented
-                     by organization</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information system security, acquisition, and
-                     contracting responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.4">
-            <title>Use of Ficam-issued Profiles</title>
-            <prop name="label">IA-8(4)</prop>
-            <prop name="sort-id">ia-08.04</prop>
-            <part id="ia-8.4_smt" name="statement">
-               <p>The information system conforms to FICAM-issued profiles.</p>
-            </part>
-            <part id="ia-8.4_gdn" name="guidance">
-               <p>This control enhancement addresses open identity management standards. To ensure
-                  that these standards are viable, robust, reliable, sustainable (e.g., available in
-                  commercial information technology products), and interoperable as documented, the
-                  United States Government assesses and scopes identity management standards and
-                  technology implementations against applicable federal legislation, directives,
-                  policies, and requirements. The result is FICAM-issued implementation profiles of
-                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                  Exchange).</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system conforms to FICAM-issued profiles. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-issued profiles and associated, approved protocols</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing conformance with
-                     FICAM-issued profiles</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ir">
-      <title>Incident Response</title>
-      <control class="SP800-53" id="ir-1">
-         <title>Incident Response Policy and Procedures</title>
-         <param id="ir-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ir-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-1</prop>
-         <prop name="sort-id">ir-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ir-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ir-1_prm_1"/>:</p>
-               <part id="ir-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An incident response policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ir-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the incident response policy and
-                     associated incident response controls; and</p>
-               </part>
-            </part>
-            <part id="ir-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ir-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Incident response policy <insert param-id="ir-1_prm_2"/>; and</p>
-               </part>
-               <part id="ir-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Incident response procedures <insert param-id="ir-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IR
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ir-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-1.a_obj" name="objective">
-               <prop name="label">IR-1(a)</prop>
-               <part id="ir-1.a.1_obj" name="objective">
-                  <prop name="label">IR-1(a)(1)</prop>
-                  <part id="ir-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(1)[1]</prop>
-                     <p>develops and documents an incident response policy that addresses:</p>
-                     <part id="ir-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ir-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the incident response policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-1(a)(1)[3]</prop>
-                     <p>disseminates the incident response policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ir-1.a.2_obj" name="objective">
-                  <prop name="label">IR-1(a)(2)</prop>
-                  <part id="ir-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        incident response policy and associated incident response controls;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-1.b_obj" name="objective">
-               <prop name="label">IR-1(b)</prop>
-               <part id="ir-1.b.1_obj" name="objective">
-                  <prop name="label">IR-1(b)(1)</prop>
-                  <part id="ir-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        policy;</p>
-                  </part>
-                  <part id="ir-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current incident response policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ir-1.b.2_obj" name="objective">
-                  <prop name="label">IR-1(b)(2)</prop>
-                  <part id="ir-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        procedures; and</p>
-                  </part>
-                  <part id="ir-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current incident response procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-2">
-         <title>Incident Response Training</title>
-         <param id="ir-2_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ir-2_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-2</prop>
-         <prop name="sort-id">ir-02</prop>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="ir-2_smt" name="statement">
-            <p>The organization provides incident response training to information system users
-               consistent with assigned roles and responsibilities:</p>
-            <part id="ir-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="ir-2_prm_1"/> of assuming an incident response role or
-                  responsibility;</p>
-            </part>
-            <part id="ir-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="ir-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="ir-2_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="ir-2_gdn" name="guidance">
-            <p>Incident response training provided by organizations is linked to the assigned roles
-               and responsibilities of organizational personnel to ensure the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know who to call or how to recognize an incident on the information system;
-               system administrators may require additional training on how to handle/remediate
-               incidents; and incident responders may receive more specific training on forensics,
-               reporting, system recovery, and restoration. Incident response training includes user
-               training in the identification and reporting of suspicious activities, both from
-               external and internal sources.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-2.a_obj" name="objective">
-               <prop name="label">IR-2(a)</prop>
-               <part id="ir-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-2(a)[1]</prop>
-                  <p>defines a time period within which incident response training is to be provided
-                     to information system users assuming an incident response role or
-                     responsibility;</p>
-               </part>
-               <part id="ir-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-2(a)[2]</prop>
-                  <p>provides incident response training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming an incident response role or responsibility;</p>
-               </part>
-            </part>
-            <part id="ir-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">IR-2(b)</prop>
-               <p>provides incident response training to information system users consistent with
-                  assigned roles and responsibilities when required by information system
-                  changes;</p>
-            </part>
-            <part id="ir-2.c_obj" name="objective">
-               <prop name="label">IR-2(c)</prop>
-               <part id="ir-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher incident response training to
-                     information system users consistent with assigned roles or responsibilities;
-                     and</p>
-               </part>
-               <part id="ir-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-2(c)[2]</prop>
-                  <p>after the initial incident response training, provides refresher incident
-                     response training to information system users consistent with assigned roles
-                     and responsibilities in accordance with the organization-defined frequency to
-                     provide refresher training.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response training</p>
-               <p>incident response training curriculum</p>
-               <p>incident response training materials</p>
-               <p>security plan</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>incident response training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response training and operational
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-4">
-         <title>Incident Handling</title>
-         <prop name="label">IR-4</prop>
-         <prop name="sort-id">ir-04</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Implements an incident handling capability for security incidents that includes
-                  preparation, detection and analysis, containment, eradication, and recovery;</p>
-            </part>
-            <part id="ir-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates incident handling activities with contingency planning activities;
-                  and</p>
-            </part>
-            <part id="ir-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Incorporates lessons learned from ongoing incident handling activities into
-                  incident response procedures, training, and testing, and implements the resulting
-                  changes accordingly.</p>
-            </part>
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-4_gdn" name="guidance">
-            <p>Organizations recognize that incident response capability is dependent on the
-               capabilities of organizational information systems and the mission/business processes
-               being supported by those systems. Therefore, organizations consider incident response
-               as part of the definition, design, and development of mission/business processes and
-               information systems. Incident-related information can be obtained from a variety of
-               sources including, for example, audit monitoring, network monitoring, physical access
-               monitoring, user/administrator reports, and reported supply chain events. Effective
-               incident handling capability includes coordination among many organizational entities
-               including, for example, mission/business owners, information system owners,
-               authorizing officials, human resources offices, physical and personnel security
-               offices, legal departments, operations personnel, procurement offices, and the risk
-               executive (function).</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-4.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">IR-4(a)</prop>
-               <p>implements an incident handling capability for security incidents that
-                  includes:</p>
-               <part id="ir-4.a_obj.1" name="objective">
-                  <prop name="label">IR-4(a)[1]</prop>
-                  <p>preparation;</p>
-               </part>
-               <part id="ir-4.a_obj.2" name="objective">
-                  <prop name="label">IR-4(a)[2]</prop>
-                  <p>detection and analysis;</p>
-               </part>
-               <part id="ir-4.a_obj.3" name="objective">
-                  <prop name="label">IR-4(a)[3]</prop>
-                  <p>containment;</p>
-               </part>
-               <part id="ir-4.a_obj.4" name="objective">
-                  <prop name="label">IR-4(a)[4]</prop>
-                  <p>eradication;</p>
-               </part>
-               <part id="ir-4.a_obj.5" name="objective">
-                  <prop name="label">IR-4(a)[5]</prop>
-                  <p>recovery;</p>
-               </part>
-            </part>
-            <part id="ir-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">IR-4(b)</prop>
-               <p>coordinates incident handling activities with contingency planning activities;</p>
-            </part>
-            <part id="ir-4.c_obj" name="objective">
-               <prop name="label">IR-4(c)</prop>
-               <part id="ir-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-4(c)[1]</prop>
-                  <p>incorporates lessons learned from ongoing incident handling activities
-                     into:</p>
-                  <part id="ir-4.c_obj.1.a" name="objective">
-                     <prop name="label">IR-4(c)[1][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.b" name="objective">
-                     <prop name="label">IR-4(c)[1][b]</prop>
-                     <p>training;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.c" name="objective">
-                     <prop name="label">IR-4(c)[1][c]</prop>
-                     <p>testing/exercises;</p>
-                  </part>
-               </part>
-               <part id="ir-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-4(c)[2]</prop>
-                  <p>implements the resulting changes accordingly to:</p>
-                  <part id="ir-4.c_obj.2.a" name="objective">
-                     <prop name="label">IR-4(c)[2][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.b" name="objective">
-                     <prop name="label">IR-4(c)[2][b]</prop>
-                     <p>training; and</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.c" name="objective">
-                     <prop name="label">IR-4(c)[2][c]</prop>
-                     <p>testing/exercises.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>contingency planning policy</p>
-               <p>procedures addressing incident handling</p>
-               <p>incident response plan</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident handling capability for the organization</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-5">
-         <title>Incident Monitoring</title>
-         <prop name="label">IR-5</prop>
-         <prop name="sort-id">ir-05</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-5_smt" name="statement">
-            <p>The organization tracks and documents information system security incidents.</p>
-         </part>
-         <part id="ir-5_gdn" name="guidance">
-            <p>Documenting information system security incidents includes, for example, maintaining
-               records about each incident, the status of the incident, and other pertinent
-               information necessary for forensics, evaluating incident details, trends, and
-               handling. Incident information can be obtained from a variety of sources including,
-               for example, incident reports, incident response teams, audit monitoring, network
-               monitoring, physical access monitoring, and user/administrator reports.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-5_obj.1" name="objective">
-               <prop name="label">IR-5[1]</prop>
-               <p>tracks information system security incidents; and</p>
-            </part>
-            <part id="ir-5_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-5[2]</prop>
-               <p>documents information system security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident monitoring</p>
-               <p>incident response records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident monitoring capability for the organization</p>
-               <p>automated mechanisms supporting and/or implementing tracking and documenting of
-                  system security incidents</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-6">
-         <title>Incident Reporting</title>
-         <param id="ir-6_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-         </param>
-         <param id="ir-6_prm_2">
-            <label>organization-defined authorities</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-6</prop>
-         <prop name="sort-id">ir-06</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#02631467-668b-4233-989b-3dfded2fd184" rel="reference">http://www.us-cert.gov</link>
-         <part id="ir-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires personnel to report suspected security incidents to the organizational
-                  incident response capability within <insert param-id="ir-6_prm_1"/>; and</p>
-            </part>
-            <part id="ir-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports security incident information to <insert param-id="ir-6_prm_2"/>.</p>
-            </part>
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-6_gdn" name="guidance">
-            <p>The intent of this control is to address both specific incident reporting
-               requirements within an organization and the formal incident reporting requirements
-               for federal agencies and their subordinate organizations. Suspected security
-               incidents include, for example, the receipt of suspicious email communications that
-               can potentially contain malicious code. The types of security incidents reported, the
-               content and timeliness of the reports, and the designated reporting authorities
-               reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-               standards, and guidance. Current federal policy requires that all federal agencies
-               (unless specifically exempted from such requirements) report security incidents to
-               the United States Computer Emergency Readiness Team (US-CERT) within specified time
-               frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-               Incident Handling.</p>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-6.a_obj" name="objective">
-               <prop name="label">IR-6(a)</prop>
-               <part id="ir-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-6(a)[1]</prop>
-                  <p>defines the time period within which personnel report suspected security
-                     incidents to the organizational incident response capability;</p>
-               </part>
-               <part id="ir-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-6(a)[2]</prop>
-                  <p>requires personnel to report suspected security incidents to the organizational
-                     incident response capability within the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ir-6.b_obj" name="objective">
-               <prop name="label">IR-6(b)</prop>
-               <part id="ir-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-6(b)[1]</prop>
-                  <p>defines authorities to whom security incident information is to be reported;
-                     and</p>
-               </part>
-               <part id="ir-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-6(b)[2]</prop>
-                  <p>reports security incident information to organization-defined authorities.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident reporting</p>
-               <p>incident reporting records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident reporting responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel who have/should have reported incidents</p>
-               <p>personnel (authorities) to whom incident information is to be reported</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident reporting</p>
-               <p>automated mechanisms supporting and/or implementing incident reporting</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-7">
-         <title>Incident Response Assistance</title>
-         <prop name="label">IR-7</prop>
-         <prop name="sort-id">ir-07</prop>
-         <part id="ir-7_smt" name="statement">
-            <p>The organization provides an incident response support resource, integral to the
-               organizational incident response capability that offers advice and assistance to
-               users of the information system for the handling and reporting of security
-               incidents.</p>
-         </part>
-         <part id="ir-7_gdn" name="guidance">
-            <p>Incident response support resources provided by organizations include, for example,
-               help desks, assistance groups, and access to forensics services, when required.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ir-7_obj" name="objective">
-            <p>Determine if the organization provides an incident response support resource:</p>
-            <part id="ir-7_obj.1" name="objective">
-               <prop name="label">IR-7[1]</prop>
-               <p>that is integral to the organizational incident response capability; and</p>
-            </part>
-            <part id="ir-7_obj.2" name="objective">
-               <prop name="label">IR-7[2]</prop>
-               <p>that offers advice and assistance to users of the information system for the
-                  handling and reporting of security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response assistance</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response assistance and support
-                  responsibilities</p>
-               <p>organizational personnel with access to incident response support and assistance
-                  capability</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident response assistance</p>
-               <p>automated mechanisms supporting and/or implementing incident response
-                  assistance</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-8">
-         <title>Incident Response Plan</title>
-         <param id="ir-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-8_prm_2">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-            <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-         </param>
-         <param id="ir-8_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ir-8_prm_4">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-            <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-8</prop>
-         <prop name="sort-id">ir-08</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops an incident response plan that:</p>
-               <part id="ir-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Meets the unique requirements of the organization, which relate to mission,
-                     size, structure, and functions;</p>
-               </part>
-               <part id="ir-8_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Defines reportable incidents;</p>
-               </part>
-               <part id="ir-8_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability; and</p>
-               </part>
-               <part id="ir-8_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Is reviewed and approved by <insert param-id="ir-8_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="ir-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the incident response plan to <insert param-id="ir-8_prm_2"/>;</p>
-            </part>
-            <part id="ir-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the incident response plan <insert param-id="ir-8_prm_3"/>;</p>
-            </part>
-            <part id="ir-8_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan implementation, execution, or testing;</p>
-            </part>
-            <part id="ir-8_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Communicates incident response plan changes to <insert param-id="ir-8_prm_4"/>;
-                  and</p>
-            </part>
-            <part id="ir-8_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-8_gdn" name="guidance">
-            <p>It is important that organizations develop and implement a coordinated approach to
-               incident response. Organizational missions, business functions, strategies, goals,
-               and objectives for incident response help to determine the structure of incident
-               response capabilities. As part of a comprehensive incident response capability,
-               organizations consider the coordination and sharing of information with external
-               organizations, including, for example, external service providers and organizations
-               involved in the supply chain for organizational information systems.</p>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-         </part>
-         <part id="ir-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-8.a_obj" name="objective">
-               <prop name="label">IR-8(a)</prop>
-               <p>develops an incident response plan that:</p>
-               <part id="ir-8.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(1)</prop>
-                  <p>provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(2)</prop>
-                  <p>describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(3)</prop>
-                  <p>provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(4)</prop>
-                  <p>meets the unique requirements of the organization, which relate to:</p>
-                  <part id="ir-8.a.4_obj.1" name="objective">
-                     <prop name="label">IR-8(a)(4)[1]</prop>
-                     <p>mission;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.2" name="objective">
-                     <prop name="label">IR-8(a)(4)[2]</prop>
-                     <p>size;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.3" name="objective">
-                     <prop name="label">IR-8(a)(4)[3]</prop>
-                     <p>structure;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.4" name="objective">
-                     <prop name="label">IR-8(a)(4)[4]</prop>
-                     <p>functions;</p>
-                  </part>
-               </part>
-               <part id="ir-8.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(5)</prop>
-                  <p>defines reportable incidents;</p>
-               </part>
-               <part id="ir-8.a.6_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(a)(6)</prop>
-                  <p>provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8.a.7_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(7)</prop>
-                  <p>defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability;</p>
-               </part>
-               <part id="ir-8.a.8_obj" name="objective">
-                  <prop name="label">IR-8(a)(8)</prop>
-                  <part id="ir-8.a.8_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(a)(8)[1]</prop>
-                     <p>defines personnel or roles to review and approve the incident response
-                        plan;</p>
-                  </part>
-                  <part id="ir-8.a.8_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-8(a)(8)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-8.b_obj" name="objective">
-               <prop name="label">IR-8(b)</prop>
-               <part id="ir-8.b_obj.1" name="objective">
-                  <prop name="label">IR-8(b)[1]</prop>
-                  <part id="ir-8.b_obj.1.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(b)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom copies of the incident response plan are to be distributed;</p>
-                  </part>
-                  <part id="ir-8.b_obj.1.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(b)[1][b]</prop>
-                     <p>defines organizational elements to whom copies of the incident response plan
-                        are to be distributed;</p>
-                  </part>
-               </part>
-               <part id="ir-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(b)[2]</prop>
-                  <p>distributes copies of the incident response plan to organization-defined
-                     incident response personnel (identified by name and/or by role) and
-                     organizational elements;</p>
-               </part>
-            </part>
-            <part id="ir-8.c_obj" name="objective">
-               <prop name="label">IR-8(c)</prop>
-               <part id="ir-8.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(c)[1]</prop>
-                  <p>defines the frequency to review the incident response plan;</p>
-               </part>
-               <part id="ir-8.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-8(c)[2]</prop>
-                  <p>reviews the incident response plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ir-8.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-8(d)</prop>
-               <p>updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan:</p>
-               <part id="ir-8.d_obj.1" name="objective">
-                  <prop name="label">IR-8(d)[1]</prop>
-                  <p>implementation;</p>
-               </part>
-               <part id="ir-8.d_obj.2" name="objective">
-                  <prop name="label">IR-8(d)[2]</prop>
-                  <p>execution; or</p>
-               </part>
-               <part id="ir-8.d_obj.3" name="objective">
-                  <prop name="label">IR-8(d)[3]</prop>
-                  <p>testing;</p>
-               </part>
-            </part>
-            <part id="ir-8.e_obj" name="objective">
-               <prop name="label">IR-8(e)</prop>
-               <part id="ir-8.e_obj.1" name="objective">
-                  <prop name="label">IR-8(e)[1]</prop>
-                  <part id="ir-8.e_obj.1.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(e)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom incident response plan changes are to be communicated;</p>
-                  </part>
-                  <part id="ir-8.e_obj.1.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IR-8(e)[1][b]</prop>
-                     <p>defines organizational elements to whom incident response plan changes are
-                        to be communicated;</p>
-                  </part>
-               </part>
-               <part id="ir-8.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(e)[2]</prop>
-                  <p>communicates incident response plan changes to organization-defined incident
-                     response personnel (identified by name and/or by role) and organizational
-                     elements; and</p>
-               </part>
-            </part>
-            <part id="ir-8.f_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-8(f)</prop>
-               <p>protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response planning</p>
-               <p>incident response plan</p>
-               <p>records of incident response plan reviews and approvals</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational incident response plan and related organizational processes</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ma">
-      <title>Maintenance</title>
-      <control class="SP800-53" id="ma-1">
-         <title>System Maintenance Policy and Procedures</title>
-         <param id="ma-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ma-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MA-1</prop>
-         <prop name="sort-id">ma-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ma-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ma-1_prm_1"/>:</p>
-               <part id="ma-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system maintenance policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ma-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system maintenance policy
-                     and associated system maintenance controls; and</p>
-               </part>
-            </part>
-            <part id="ma-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ma-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System maintenance policy <insert param-id="ma-1_prm_2"/>; and</p>
-               </part>
-               <part id="ma-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System maintenance procedures <insert param-id="ma-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ma-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ma-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-1.a_obj" name="objective">
-               <prop name="label">MA-1(a)</prop>
-               <part id="ma-1.a.1_obj" name="objective">
-                  <prop name="label">MA-1(a)(1)</prop>
-                  <part id="ma-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system maintenance policy that addresses:</p>
-                     <part id="ma-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ma-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system maintenance policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MA-1(a)(1)[3]</prop>
-                     <p>disseminates the system maintenance policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ma-1.a.2_obj" name="objective">
-                  <prop name="label">MA-1(a)(2)</prop>
-                  <part id="ma-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        maintenance policy and associated system maintenance controls;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-1.b_obj" name="objective">
-               <prop name="label">MA-1(b)</prop>
-               <part id="ma-1.b.1_obj" name="objective">
-                  <prop name="label">MA-1(b)(1)</prop>
-                  <part id="ma-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        policy;</p>
-                  </part>
-                  <part id="ma-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system maintenance policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ma-1.b.2_obj" name="objective">
-                  <prop name="label">MA-1(b)(2)</prop>
-                  <part id="ma-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        procedures; and</p>
-                  </part>
-                  <part id="ma-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system maintenance procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Maintenance policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-2">
-         <title>Controlled Maintenance</title>
-         <param id="ma-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-2_prm_2">
-            <label>organization-defined maintenance-related information</label>
-         </param>
-         <prop name="label">MA-2</prop>
-         <prop name="sort-id">ma-02</prop>
-         <part id="ma-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Schedules, performs, documents, and reviews records of maintenance and repairs on
-                  information system components in accordance with manufacturer or vendor
-                  specifications and/or organizational requirements;</p>
-            </part>
-            <part id="ma-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Approves and monitors all maintenance activities, whether performed on site or
-                  remotely and whether the equipment is serviced on site or removed to another
-                  location;</p>
-            </part>
-            <part id="ma-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Requires that <insert param-id="ma-2_prm_1"/> explicitly approve the removal of
-                  the information system or system components from organizational facilities for
-                  off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions; and</p>
-            </part>
-            <part id="ma-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Includes <insert param-id="ma-2_prm_2"/> in organizational maintenance
-                  records.</p>
-            </part>
-         </part>
-         <part id="ma-2_gdn" name="guidance">
-            <p>This control addresses the information security aspects of the information system
-               maintenance program and applies to all types of maintenance to any system component
-               (including applications) conducted by any local or nonlocal entity (e.g.,
-               in-contract, warranty, in-house, software maintenance agreement). System maintenance
-               also includes those components not directly associated with information processing
-               and/or data/information retention such as scanners, copiers, and printers.
-               Information necessary for creating effective maintenance records includes, for
-               example: (i) date and time of maintenance; (ii) name of individuals or group
-               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-               the maintenance performed; and (v) information system components/equipment removed or
-               replaced (including identification numbers, if applicable). The level of detail
-               included in maintenance records can be informed by the security categories of
-               organizational information systems. Organizations consider supply chain issues
-               associated with replacement components for information systems.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ma-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-2.a_obj" name="objective">
-               <prop name="label">MA-2(a)</prop>
-               <part id="ma-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(a)[1]</prop>
-                  <p>schedules maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.1.a" name="objective">
-                     <prop name="label">MA-2(a)[1][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.1.b" name="objective">
-                     <prop name="label">MA-2(a)[1][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(a)[2]</prop>
-                  <p>performs maintenance and repairs on information system components in accordance
-                     with:</p>
-                  <part id="ma-2.a_obj.2.a" name="objective">
-                     <prop name="label">MA-2(a)[2][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.2.b" name="objective">
-                     <prop name="label">MA-2(a)[2][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(a)[3]</prop>
-                  <p>documents maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.3.a" name="objective">
-                     <prop name="label">MA-2(a)[3][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.3.b" name="objective">
-                     <prop name="label">MA-2(a)[3][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(a)[4]</prop>
-                  <p>reviews records of maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.4.a" name="objective">
-                     <prop name="label">MA-2(a)[4][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.4.b" name="objective">
-                     <prop name="label">MA-2(a)[4][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-2.b_obj" name="objective">
-               <prop name="label">MA-2(b)</prop>
-               <part id="ma-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(b)[1]</prop>
-                  <p>approves all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-               <part id="ma-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-2(b)[2]</prop>
-                  <p>monitors all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-            </part>
-            <part id="ma-2.c_obj" name="objective">
-               <prop name="label">MA-2(c)</prop>
-               <part id="ma-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(c)[1]</prop>
-                  <p>defines personnel or roles required to explicitly approve the removal of the
-                     information system or system components from organizational facilities for
-                     off-site maintenance or repairs;</p>
-               </part>
-               <part id="ma-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(c)[2]</prop>
-                  <p>requires that organization-defined personnel or roles explicitly approve the
-                     removal of the information system or system components from organizational
-                     facilities for off-site maintenance or repairs;</p>
-               </part>
-            </part>
-            <part id="ma-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-2(d)</prop>
-               <p>sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-2(e)</prop>
-               <p>checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions;</p>
-            </part>
-            <part id="ma-2.f_obj" name="objective">
-               <prop name="label">MA-2(f)</prop>
-               <part id="ma-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(f)[1]</prop>
-                  <p>defines maintenance-related information to be included in organizational
-                     maintenance records; and</p>
-               </part>
-               <part id="ma-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(f)[2]</prop>
-                  <p>includes organization-defined maintenance-related information in organizational
-                     maintenance records.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing controlled information system maintenance</p>
-               <p>maintenance records</p>
-               <p>manufacturer/vendor maintenance specifications</p>
-               <p>equipment sanitization records</p>
-               <p>media sanitization records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel responsible for media sanitization</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for scheduling, performing, documenting, reviewing,
-                  approving, and monitoring maintenance and repairs for the information system</p>
-               <p>organizational processes for sanitizing information system components</p>
-               <p>automated mechanisms supporting and/or implementing controlled maintenance</p>
-               <p>automated mechanisms implementing sanitization of information system
-                  components</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-4">
-         <title>Nonlocal Maintenance</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MA-4</prop>
-         <prop name="sort-id">ma-04</prop>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#f2dbd4ec-c413-4714-b85b-6b7184d1c195" rel="reference">FIPS Publication 197</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a4aa9645-9a8a-4b51-90a9-e223250f9a75" rel="reference">CNSS Policy 15</link>
-         <part id="ma-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Approves and monitors nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                  with organizational policy and documented in the security plan for the information
-                  system;</p>
-            </part>
-            <part id="ma-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Maintains records for nonlocal maintenance and diagnostic activities; and</p>
-            </part>
-            <part id="ma-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Terminates session and network connections when nonlocal maintenance is
-                  completed.</p>
-            </part>
-         </part>
-         <part id="ma-4_gdn" name="guidance">
-            <p>Nonlocal maintenance and diagnostic activities are those activities conducted by
-               individuals communicating through a network, either an external network (e.g., the
-               Internet) or an internal network. Local maintenance and diagnostic activities are
-               those activities carried out by individuals physically present at the information
-               system or information system component and not communicating across a network
-               connection. Authentication techniques used in the establishment of nonlocal
-               maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-               Typically, strong authentication requires authenticators that are resistant to replay
-               attacks and employ multifactor authentication. Strong authenticators include, for
-               example, PKI where certificates are stored on a token protected by a password,
-               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-               other controls.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="ma-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-4.a_obj" name="objective">
-               <prop name="label">MA-4(a)</prop>
-               <part id="ma-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-4(a)[1]</prop>
-                  <p>approves nonlocal maintenance and diagnostic activities;</p>
-               </part>
-               <part id="ma-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(a)[2]</prop>
-                  <p>monitors nonlocal maintenance and diagnostic activities;</p>
-               </part>
-            </part>
-            <part id="ma-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-4(b)</prop>
-               <p>allows the use of nonlocal maintenance and diagnostic tools only:</p>
-               <part id="ma-4.b_obj.1" name="objective">
-                  <prop name="label">MA-4(b)[1]</prop>
-                  <p>as consistent with organizational policy;</p>
-               </part>
-               <part id="ma-4.b_obj.2" name="objective">
-                  <prop name="label">MA-4(b)[2]</prop>
-                  <p>as documented in the security plan for the information system;</p>
-               </part>
-            </part>
-            <part id="ma-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-4(c)</prop>
-               <p>employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-4(d)</prop>
-               <p>maintains records for nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4.e_obj" name="objective">
-               <prop name="label">MA-4(e)</prop>
-               <part id="ma-4.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(e)[1]</prop>
-                  <p>terminates sessions when nonlocal maintenance or diagnostics is completed;
-                     and</p>
-               </part>
-               <part id="ma-4.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(e)[2]</prop>
-                  <p>terminates network connections when nonlocal maintenance or diagnostics is
-                     completed.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing nonlocal information system maintenance</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>maintenance records</p>
-               <p>diagnostic records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing nonlocal maintenance</p>
-               <p>automated mechanisms implementing, supporting, and/or managing nonlocal
-                  maintenance</p>
-               <p>automated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                  sessions</p>
-               <p>automated mechanisms for terminating nonlocal maintenance sessions and network
-                  connections</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-5">
-         <title>Maintenance Personnel</title>
-         <prop name="label">MA-5</prop>
-         <prop name="sort-id">ma-05</prop>
-         <part id="ma-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes a process for maintenance personnel authorization and maintains a list
-                  of authorized maintenance organizations or personnel;</p>
-            </part>
-            <part id="ma-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part id="ma-5_gdn" name="guidance">
-            <p>This control applies to individuals performing hardware or software maintenance on
-               organizational information systems, while PE-2 addresses physical access for
-               individuals whose maintenance duties place them within the physical protection
-               perimeter of the systems (e.g., custodial staff, physical plant maintenance
-               personnel). Technical competence of supervising individuals relates to the
-               maintenance performed on the information systems while having required access
-               authorizations refers to maintenance on and near the systems. Individuals not
-               previously identified as authorized maintenance personnel, such as information
-               technology manufacturers, vendors, systems integrators, and consultants, may require
-               privileged access to organizational information systems, for example, when required
-               to conduct maintenance activities with little or no notice. Based on organizational
-               assessments of risk, organizations may issue temporary credentials to these
-               individuals. Temporary credentials may be for one-time use or for very limited time
-               periods.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="ma-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-5.a_obj" name="objective">
-               <prop name="label">MA-5(a)</prop>
-               <part id="ma-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-5(a)[1]</prop>
-                  <p>establishes a process for maintenance personnel authorization;</p>
-               </part>
-               <part id="ma-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-5(a)[2]</prop>
-                  <p>maintains a list of authorized maintenance organizations or personnel;</p>
-               </part>
-            </part>
-            <part id="ma-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-5(b)</prop>
-               <p>ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-5(c)</prop>
-               <p>designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing maintenance personnel</p>
-               <p>service provider contracts</p>
-               <p>service-level agreements</p>
-               <p>list of authorized personnel</p>
-               <p>maintenance records</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for authorizing and managing maintenance personnel</p>
-               <p>automated mechanisms supporting and/or implementing authorization of maintenance
-                  personnel</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="mp">
-      <title>Media Protection</title>
-      <control class="SP800-53" id="mp-1">
-         <title>Media Protection Policy and Procedures</title>
-         <param id="mp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="mp-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="mp-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MP-1</prop>
-         <prop name="sort-id">mp-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="mp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="mp-1_prm_1"/>:</p>
-               <part id="mp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A media protection policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="mp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the media protection policy and
-                     associated media protection controls; and</p>
-               </part>
-            </part>
-            <part id="mp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="mp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Media protection policy <insert param-id="mp-1_prm_2"/>; and</p>
-               </part>
-               <part id="mp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Media protection procedures <insert param-id="mp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="mp-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="mp-1.a_obj" name="objective">
-               <prop name="label">MP-1(a)</prop>
-               <part id="mp-1.a.1_obj" name="objective">
-                  <prop name="label">MP-1(a)(1)</prop>
-                  <part id="mp-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(1)[1]</prop>
-                     <p>develops and documents a media protection policy that addresses:</p>
-                     <part id="mp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="mp-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the media protection policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MP-1(a)(1)[3]</prop>
-                     <p>disseminates the media protection policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="mp-1.a.2_obj" name="objective">
-                  <prop name="label">MP-1(a)(2)</prop>
-                  <part id="mp-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        media protection policy and associated media protection controls;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MP-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="mp-1.b_obj" name="objective">
-               <prop name="label">MP-1(b)</prop>
-               <part id="mp-1.b.1_obj" name="objective">
-                  <prop name="label">MP-1(b)(1)</prop>
-                  <part id="mp-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        policy;</p>
-                  </part>
-                  <part id="mp-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current media protection policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="mp-1.b.2_obj" name="objective">
-                  <prop name="label">MP-1(b)(2)</prop>
-                  <part id="mp-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        procedures; and</p>
-                  </part>
-                  <part id="mp-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current media protection procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Media protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media protection responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-2">
-         <title>Media Access</title>
-         <param id="mp-2_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-         </param>
-         <param id="mp-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">MP-2</prop>
-         <prop name="sort-id">mp-02</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-2_smt" name="statement">
-            <p>The organization restricts access to <insert param-id="mp-2_prm_1"/> to <insert param-id="mp-2_prm_2"/>.</p>
-         </part>
-         <part id="mp-2_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Restricting non-digital media access
-               includes, for example, denying access to patient medical records in a community
-               hospital unless the individuals seeking access to such records are authorized
-               healthcare providers. Restricting access to digital media includes, for example,
-               limiting access to design specifications stored on compact disks in the media library
-               to the project leader and the individuals on the development team.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="mp-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-2_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-2[1]</prop>
-               <p>defines types of digital and/or non-digital media requiring restricted access;</p>
-            </part>
-            <part id="mp-2_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-2[2]</prop>
-               <p>defines personnel or roles authorized to access organization-defined types of
-                  digital and/or non-digital media; and</p>
-            </part>
-            <part id="mp-2_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-2[3]</prop>
-               <p>restricts access to organization-defined types of digital and/or non-digital media
-                  to organization-defined personnel or roles.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media access restrictions</p>
-               <p>access control policy and procedures</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>media storage facilities</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for restricting information media</p>
-               <p>automated mechanisms supporting and/or implementing media access restrictions</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-6">
-         <title>Media Sanitization</title>
-         <param id="mp-6_prm_1">
-            <label>organization-defined information system media</label>
-         </param>
-         <param id="mp-6_prm_2">
-            <label>organization-defined sanitization techniques and procedures</label>
-         </param>
-         <prop name="label">MP-6</prop>
-         <prop name="sort-id">mp-06</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a47466c4-c837-4f06-a39f-e68412a5f73d" rel="reference">http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</link>
-         <part id="mp-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Sanitizes <insert param-id="mp-6_prm_1"/> prior to disposal, release out of
-                  organizational control, or release for reuse using <insert param-id="mp-6_prm_2"/>
-                  in accordance with applicable federal and organizational standards and policies;
-                  and</p>
-            </part>
-            <part id="mp-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs sanitization mechanisms with the strength and integrity commensurate with
-                  the security category or classification of the information.</p>
-            </part>
-         </part>
-         <part id="mp-6_gdn" name="guidance">
-            <p>This control applies to all information system media, both digital and non-digital,
-               subject to disposal or reuse, whether or not the media is considered removable.
-               Examples include media found in scanners, copiers, printers, notebook computers,
-               workstations, network components, and mobile devices. The sanitization process
-               removes information from the media such that the information cannot be retrieved or
-               reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-               erase, and destruction, prevent the disclosure of information to unauthorized
-               individuals when such media is reused or released for disposal. Organizations
-               determine the appropriate sanitization methods recognizing that destruction is
-               sometimes necessary when other methods cannot be applied to media requiring
-               sanitization. Organizations use discretion on the employment of approved sanitization
-               techniques and procedures for media containing information deemed to be in the public
-               domain or publicly releasable, or deemed to have no adverse impact on organizations
-               or individuals if released for reuse or disposal. Sanitization of non-digital media
-               includes, for example, removing a classified appendix from an otherwise unclassified
-               document, or redacting selected sections or words from a document by obscuring the
-               redacted sections/words in a manner equivalent in effectiveness to removing them from
-               the document. NSA standards and policies control the sanitization process for media
-               containing classified information.</p>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-4">SC-4</link>
-         </part>
-         <part id="mp-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-6.a_obj" name="objective">
-               <prop name="label">MP-6(a)</prop>
-               <part id="mp-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(a)[1]</prop>
-                  <p>defines information system media to be sanitized prior to:</p>
-                  <part id="mp-6.a_obj.1.a" name="objective">
-                     <prop name="label">MP-6(a)[1][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.b" name="objective">
-                     <prop name="label">MP-6(a)[1][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.c" name="objective">
-                     <prop name="label">MP-6(a)[1][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(a)[2]</prop>
-                  <p>defines sanitization techniques or procedures to be used for sanitizing
-                     organization-defined information system media prior to:</p>
-                  <part id="mp-6.a_obj.2.a" name="objective">
-                     <prop name="label">MP-6(a)[2][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.b" name="objective">
-                     <prop name="label">MP-6(a)[2][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.c" name="objective">
-                     <prop name="label">MP-6(a)[2][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-6(a)[3]</prop>
-                  <p>sanitizes organization-defined information system media prior to disposal,
-                     release out of organizational control, or release for reuse using
-                     organization-defined sanitization techniques or procedures in accordance with
-                     applicable federal and organizational standards and policies; and</p>
-               </part>
-            </part>
-            <part id="mp-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-6(b)</prop>
-               <p>employs sanitization mechanisms with strength and integrity commensurate with the
-                  security category or classification of the information.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media sanitization and disposal</p>
-               <p>applicable federal standards and policies addressing media sanitization</p>
-               <p>media sanitization records</p>
-               <p>audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media sanitization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media sanitization</p>
-               <p>automated mechanisms supporting and/or implementing media sanitization</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-7">
-         <title>Media Use</title>
-         <param id="mp-7_prm_1"/>
-         <param id="mp-7_prm_2">
-            <label>organization-defined types of information system media</label>
-         </param>
-         <param id="mp-7_prm_3">
-            <label>organization-defined information systems or system components</label>
-         </param>
-         <param id="mp-7_prm_4">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">MP-7</prop>
-         <prop name="sort-id">mp-07</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-7_smt" name="statement">
-            <p>The organization <insert param-id="mp-7_prm_1"/> the use of <insert param-id="mp-7_prm_2"/> on <insert param-id="mp-7_prm_3"/> using <insert param-id="mp-7_prm_4"/>.</p>
-         </part>
-         <part id="mp-7_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. This control also applies to mobile
-               devices with information storage capability (e.g., smart phones, tablets, E-readers).
-               In contrast to MP-2, which restricts user access to media, this control restricts the
-               use of certain types of media on information systems, for example,
-               restricting/prohibiting the use of flash drives or external hard disk drives.
-               Organizations can employ technical and nontechnical safeguards (e.g., policies,
-               procedures, rules of behavior) to restrict the use of information system media.
-               Organizations may restrict the use of portable storage devices, for example, by using
-               physical cages on workstations to prohibit access to certain external ports, or
-               disabling/removing the ability to insert, read or write to such devices.
-               Organizations may also limit the use of portable storage devices to only approved
-               devices including, for example, devices provided by the organization, devices
-               provided by other approved organizations, and devices that are not personally owned.
-               Finally, organizations may restrict the use of portable storage devices based on the
-               type of device, for example, prohibiting the use of writeable, portable storage
-               devices, and implementing this restriction by disabling or removing the capability to
-               write to such devices.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="mp-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-7_obj.1" name="objective">
-               <prop name="label">MP-7[1]</prop>
-               <p>defines types of information system media to be:</p>
-               <part id="mp-7_obj.1.a" name="objective">
-                  <prop name="label">MP-7[1][a]</prop>
-                  <p>restricted on information systems or system components; or</p>
-               </part>
-               <part id="mp-7_obj.1.b" name="objective">
-                  <prop name="label">MP-7[1][b]</prop>
-                  <p>prohibited from use on information systems or system components;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.2" name="objective">
-               <prop name="label">MP-7[2]</prop>
-               <p>defines information systems or system components on which the use of
-                  organization-defined types of information system media is to be one of the
-                  following:</p>
-               <part id="mp-7_obj.2.a" name="objective">
-                  <prop name="label">MP-7[2][a]</prop>
-                  <p>restricted; or</p>
-               </part>
-               <part id="mp-7_obj.2.b" name="objective">
-                  <prop name="label">MP-7[2][b]</prop>
-                  <p>prohibited;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-7[3]</prop>
-               <p>defines security safeguards to be employed to restrict or prohibit the use of
-                  organization-defined types of information system media on organization-defined
-                  information systems or system components; and</p>
-            </part>
-            <part id="mp-7_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-7[4]</prop>
-               <p>restricts or prohibits the use of organization-defined information system media on
-                  organization-defined information systems or system components using
-                  organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>system use policy</p>
-               <p>procedures addressing media usage restrictions</p>
-               <p>security plan</p>
-               <p>rules of behavior</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media use responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media use</p>
-               <p>automated mechanisms restricting or prohibiting use of information system media on
-                  information systems or system components</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pe">
-      <title>Physical and Environmental Protection</title>
-      <control class="SP800-53" id="pe-1">
-         <title>Physical and Environmental Protection Policy and Procedures</title>
-         <param id="pe-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pe-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="pe-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-1</prop>
-         <prop name="sort-id">pe-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pe-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pe-1_prm_1"/>:</p>
-               <part id="pe-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A physical and environmental protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="pe-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the physical and environmental
-                     protection policy and associated physical and environmental protection
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="pe-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pe-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Physical and environmental protection policy <insert param-id="pe-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="pe-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Physical and environmental protection procedures <insert param-id="pe-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pe-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PE
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pe-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pe-1.a_obj" name="objective">
-               <prop name="label">PE-1(a)</prop>
-               <part id="pe-1.a.1_obj" name="objective">
-                  <prop name="label">PE-1(a)(1)</prop>
-                  <part id="pe-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(1)[1]</prop>
-                     <p>develops and documents a physical and environmental protection policy that
-                        addresses:</p>
-                     <part id="pe-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pe-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the physical and environmental protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PE-1(a)(1)[3]</prop>
-                     <p>disseminates the physical and environmental protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="pe-1.a.2_obj" name="objective">
-                  <prop name="label">PE-1(a)(2)</prop>
-                  <part id="pe-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        physical and environmental protection policy and associated physical and
-                        environmental protection controls;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PE-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-1.b_obj" name="objective">
-               <prop name="label">PE-1(b)</prop>
-               <part id="pe-1.b.1_obj" name="objective">
-                  <prop name="label">PE-1(b)(1)</prop>
-                  <part id="pe-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection policy;</p>
-                  </part>
-                  <part id="pe-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pe-1.b.2_obj" name="objective">
-                  <prop name="label">PE-1(b)(2)</prop>
-                  <part id="pe-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection procedures; and</p>
-                  </part>
-                  <part id="pe-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical and environmental protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-2">
-         <title>Physical Access Authorizations</title>
-         <param id="pe-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-2</prop>
-         <prop name="sort-id">pe-02</prop>
-         <part id="pe-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, approves, and maintains a list of individuals with authorized access to
-                  the facility where the information system resides;</p>
-            </part>
-            <part id="pe-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the access list detailing authorized facility access by individuals
-                     <insert param-id="pe-2_prm_1"/>; and</p>
-            </part>
-            <part id="pe-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part id="pe-2_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Authorization credentials include, for
-               example, badges, identification cards, and smart cards. Organizations determine the
-               strength of authorization credentials needed (including level of forge-proof badges,
-               smart cards, or identification cards) consistent with federal standards, policies,
-               and procedures. This control only applies to areas within facilities that have not
-               been designated as publicly accessible.</p>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="pe-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-2.a_obj" name="objective">
-               <prop name="label">PE-2(a)</prop>
-               <part id="pe-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PE-2(a)[1]</prop>
-                  <p>develops a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-2(a)[2]</prop>
-                  <p>approves a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PE-2(a)[3]</prop>
-                  <p>maintains a list of individuals with authorized access to the facility where
-                     the information system resides;</p>
-               </part>
-            </part>
-            <part id="pe-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-2(b)</prop>
-               <p>issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2.c_obj" name="objective">
-               <prop name="label">PE-2(c)</prop>
-               <part id="pe-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-2(c)[1]</prop>
-                  <p>defines the frequency to review the access list detailing authorized facility
-                     access by individuals;</p>
-               </part>
-               <part id="pe-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-2(c)[2]</prop>
-                  <p>reviews the access list detailing authorized facility access by individuals
-                     with the organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="pe-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-2(d)</prop>
-               <p>removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access authorizations</p>
-               <p>security plan</p>
-               <p>authorized personnel access list</p>
-               <p>authorization credentials</p>
-               <p>physical access list reviews</p>
-               <p>physical access termination records and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access authorization responsibilities</p>
-               <p>organizational personnel with physical access to information system facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access authorizations</p>
-               <p>automated mechanisms supporting and/or implementing physical access
-                  authorizations</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-3">
-         <title>Physical Access Control</title>
-         <param id="pe-3_prm_1">
-            <label>organization-defined entry/exit points to the facility where the information
-               system resides</label>
-         </param>
-         <param id="pe-3_prm_2">
-            <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-         </param>
-         <param id="pe-3_prm_3" depends-on="pe-3_prm_2">
-            <label>organization-defined physical access control systems/devices</label>
-            <constraint>CSP defined physical access control systems/devices</constraint>
-         </param>
-         <param id="pe-3_prm_4">
-            <label>organization-defined entry/exit points</label>
-         </param>
-         <param id="pe-3_prm_5">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <param id="pe-3_prm_6">
-            <label>organization-defined circumstances requiring visitor escorts and
-               monitoring</label>
-            <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-         </param>
-         <param id="pe-3_prm_7">
-            <label>organization-defined physical access devices</label>
-         </param>
-         <param id="pe-3_prm_8">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="pe-3_prm_9">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-3</prop>
-         <prop name="sort-id">pe-03</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <link href="#398e33fd-f404-4e5c-b90e-2d50d3181244" rel="reference">ICD 705</link>
-         <link href="#61081e7f-041d-4033-96a7-44a439071683" rel="reference">DoD Instruction 5200.39</link>
-         <link href="#dd2f5acd-08f1-435a-9837-f8203088dc1a" rel="reference">Personal Identity Verification (PIV) in Enterprise
-            Physical Access Control System (E-PACS)</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <part id="pe-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces physical access authorizations at <insert param-id="pe-3_prm_1"/> by;</p>
-               <part id="pe-3_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Verifying individual access authorizations before granting access to the
-                     facility; and</p>
-               </part>
-               <part id="pe-3_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Controlling ingress/egress to the facility using <insert param-id="pe-3_prm_2"/>;</p>
-               </part>
-            </part>
-            <part id="pe-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Maintains physical access audit logs for <insert param-id="pe-3_prm_4"/>;</p>
-            </part>
-            <part id="pe-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides <insert param-id="pe-3_prm_5"/> to control access to areas within the
-                  facility officially designated as publicly accessible;</p>
-            </part>
-            <part id="pe-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Escorts visitors and monitors visitor activity <insert param-id="pe-3_prm_6"/>;</p>
-            </part>
-            <part id="pe-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Secures keys, combinations, and other physical access devices;</p>
-            </part>
-            <part id="pe-3_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Inventories <insert param-id="pe-3_prm_7"/> every <insert param-id="pe-3_prm_8"/>;
-                  and</p>
-            </part>
-            <part id="pe-3_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changes combinations and keys <insert param-id="pe-3_prm_9"/> and/or when keys are
-                  lost, combinations are compromised, or individuals are transferred or
-                  terminated.</p>
-            </part>
-         </part>
-         <part id="pe-3_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Organizations determine the types of
-               facility guards needed including, for example, professional physical security staff
-               or other personnel such as administrative staff or information system users. Physical
-               access devices include, for example, keys, locks, combinations, and card readers.
-               Safeguards for publicly accessible areas within organizational facilities include,
-               for example, cameras, monitoring by guards, and isolating selected information
-               systems and/or system components in secured areas. Physical access control systems
-               comply with applicable federal laws, Executive Orders, directives, policies,
-               regulations, standards, and guidance. The Federal Identity, Credential, and Access
-               Management Program provides implementation guidance for identity, credential, and
-               access management capabilities for physical access control systems. Organizations
-               have flexibility in the types of audit logs employed. Audit logs can be procedural
-               (e.g., a written log of individuals accessing the facility and when such access
-               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-               thereof. Physical access points can include facility access points, interior access
-               points to information systems and/or components requiring supplemental access
-               controls, or both. Components of organizational information systems (e.g.,
-               workstations, terminals) may be located in areas designated as publicly accessible
-               with organizations safeguarding access to such devices.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-5">PE-5</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pe-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-3.a_obj" name="objective">
-               <prop name="label">PE-3(a)</prop>
-               <part id="pe-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(a)[1]</prop>
-                  <p>defines entry/exit points to the facility where the information system
-                     resides;</p>
-               </part>
-               <part id="pe-3.a_obj.2" name="objective">
-                  <prop name="label">PE-3(a)[2]</prop>
-                  <p>enforces physical access authorizations at organization-defined entry/exit
-                     points to the facility where the information system resides by:</p>
-                  <part id="pe-3.a.1_obj.2" name="objective">
-                     <prop name="label">PE-3(a)[2](1)</prop>
-                     <p>verifying individual access authorizations before granting access to the
-                        facility;</p>
-                  </part>
-                  <part id="pe-3.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-3(a)[2](2)</prop>
-                     <part id="pe-3.a.2_obj.2.a" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[a]</prop>
-                        <p>defining physical access control systems/devices to be employed to
-                           control ingress/egress to the facility where the information system
-                           resides;</p>
-                     </part>
-                     <part id="pe-3.a.2_obj.2.b" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[b]</prop>
-                        <p>using one or more of the following ways to control ingress/egress to the
-                           facility:</p>
-                        <part id="pe-3.a.2_obj.2.b.1" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][1]</prop>
-                           <p>organization-defined physical access control systems/devices;
-                              and/or</p>
-                        </part>
-                        <part id="pe-3.a.2_obj.2.b.2" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][2]</prop>
-                           <p>guards;</p>
-                        </part>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.b_obj" name="objective">
-               <prop name="label">PE-3(b)</prop>
-               <part id="pe-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(b)[1]</prop>
-                  <p>defines entry/exit points for which physical access audit logs are to be
-                     maintained;</p>
-               </part>
-               <part id="pe-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(b)[2]</prop>
-                  <p>maintains physical access audit logs for organization-defined entry/exit
-                     points;</p>
-               </part>
-            </part>
-            <part id="pe-3.c_obj" name="objective">
-               <prop name="label">PE-3(c)</prop>
-               <part id="pe-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(c)[1]</prop>
-                  <p>defines security safeguards to be employed to control access to areas within
-                     the facility officially designated as publicly accessible;</p>
-               </part>
-               <part id="pe-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(c)[2]</prop>
-                  <p>provides organization-defined security safeguards to control access to areas
-                     within the facility officially designated as publicly accessible;</p>
-               </part>
-            </part>
-            <part id="pe-3.d_obj" name="objective">
-               <prop name="label">PE-3(d)</prop>
-               <part id="pe-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(d)[1]</prop>
-                  <p>defines circumstances requiring visitor:</p>
-                  <part id="pe-3.d_obj.1.a" name="objective">
-                     <prop name="label">PE-3(d)[1][a]</prop>
-                     <p>escorts;</p>
-                  </part>
-                  <part id="pe-3.d_obj.1.b" name="objective">
-                     <prop name="label">PE-3(d)[1][b]</prop>
-                     <p>monitoring;</p>
-                  </part>
-               </part>
-               <part id="pe-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(d)[2]</prop>
-                  <p>in accordance with organization-defined circumstances requiring visitor escorts
-                     and monitoring:</p>
-                  <part id="pe-3.d_obj.2.a" name="objective">
-                     <prop name="label">PE-3(d)[2][a]</prop>
-                     <p>escorts visitors;</p>
-                  </part>
-                  <part id="pe-3.d_obj.2.b" name="objective">
-                     <prop name="label">PE-3(d)[2][b]</prop>
-                     <p>monitors visitor activities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.e_obj" name="objective">
-               <prop name="label">PE-3(e)</prop>
-               <part id="pe-3.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[1]</prop>
-                  <p>secures keys;</p>
-               </part>
-               <part id="pe-3.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[2]</prop>
-                  <p>secures combinations;</p>
-               </part>
-               <part id="pe-3.e_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[3]</prop>
-                  <p>secures other physical access devices;</p>
-               </part>
-            </part>
-            <part id="pe-3.f_obj" name="objective">
-               <prop name="label">PE-3(f)</prop>
-               <part id="pe-3.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(f)[1]</prop>
-                  <p>defines physical access devices to be inventoried;</p>
-               </part>
-               <part id="pe-3.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(f)[2]</prop>
-                  <p>defines the frequency to inventory organization-defined physical access
-                     devices;</p>
-               </part>
-               <part id="pe-3.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(f)[3]</prop>
-                  <p>inventories the organization-defined physical access devices with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pe-3.g_obj" name="objective">
-               <prop name="label">PE-3(g)</prop>
-               <part id="pe-3.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(g)[1]</prop>
-                  <p>defines the frequency to change combinations and keys; and</p>
-               </part>
-               <part id="pe-3.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(g)[2]</prop>
-                  <p>changes combinations and keys with the organization-defined frequency and/or
-                     when:</p>
-                  <part id="pe-3.g_obj.2.a" name="objective">
-                     <prop name="label">PE-3(g)[2][a]</prop>
-                     <p>keys are lost;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.b" name="objective">
-                     <prop name="label">PE-3(g)[2][b]</prop>
-                     <p>combinations are compromised;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.c" name="objective">
-                     <prop name="label">PE-3(g)[2][c]</prop>
-                     <p>individuals are transferred or terminated.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access control</p>
-               <p>security plan</p>
-               <p>physical access control logs or records</p>
-               <p>inventory records of physical access control devices</p>
-               <p>information system entry and exit points</p>
-               <p>records of key and lock combination changes</p>
-               <p>storage locations for physical access control devices</p>
-               <p>physical access control devices</p>
-               <p>list of security safeguards controlling access to designated publicly accessible
-                  areas within facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access control</p>
-               <p>automated mechanisms supporting and/or implementing physical access control</p>
-               <p>physical access control devices</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-6">
-         <title>Monitoring Physical Access</title>
-         <param id="pe-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <param id="pe-6_prm_2">
-            <label>organization-defined events or potential indications of events</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-6</prop>
-         <prop name="sort-id">pe-06</prop>
-         <part id="pe-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews physical access logs <insert param-id="pe-6_prm_1"/> and upon occurrence
-                  of <insert param-id="pe-6_prm_2"/>; and</p>
-            </part>
-            <part id="pe-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part id="pe-6_gdn" name="guidance">
-            <p>Organizational incident response capabilities include investigations of and responses
-               to detected physical security incidents. Security incidents include, for example,
-               apparent security violations or suspicious physical access activities. Suspicious
-               physical access activities include, for example: (i) accesses outside of normal work
-               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-               unusual lengths of time; and (iv) out-of-sequence accesses.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="pe-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-6(a)</prop>
-               <p>monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6.b_obj" name="objective">
-               <prop name="label">PE-6(b)</prop>
-               <part id="pe-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-6(b)[1]</prop>
-                  <p>defines the frequency to review physical access logs;</p>
-               </part>
-               <part id="pe-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-6(b)[2]</prop>
-                  <p>defines events or potential indication of events requiring physical access logs
-                     to be reviewed;</p>
-               </part>
-               <part id="pe-6.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-6(b)[3]</prop>
-                  <p>reviews physical access logs with the organization-defined frequency and upon
-                     occurrence of organization-defined events or potential indications of events;
-                     and</p>
-               </part>
-            </part>
-            <part id="pe-6.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-6(c)</prop>
-               <p>coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access monitoring</p>
-               <p>security plan</p>
-               <p>physical access logs or records</p>
-               <p>physical access monitoring records</p>
-               <p>physical access log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access monitoring responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring physical access</p>
-               <p>automated mechanisms supporting and/or implementing physical access monitoring</p>
-               <p>automated mechanisms supporting and/or implementing reviewing of physical access
-                  logs</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-8">
-         <title>Visitor Access Records</title>
-         <param id="pe-8_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>for a minimum of one (1) year</constraint>
-         </param>
-         <param id="pe-8_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-8</prop>
-         <prop name="sort-id">pe-08</prop>
-         <part id="pe-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains visitor access records to the facility where the information system
-                  resides for <insert param-id="pe-8_prm_1"/>; and</p>
-            </part>
-            <part id="pe-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews visitor access records <insert param-id="pe-8_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="pe-8_gdn" name="guidance">
-            <p>Visitor access records include, for example, names and organizations of persons
-               visiting, visitor signatures, forms of identification, dates of access, entry and
-               departure times, purposes of visits, and names and organizations of persons visited.
-               Visitor access records are not required for publicly accessible areas.</p>
-         </part>
-         <part id="pe-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-8.a_obj" name="objective">
-               <prop name="label">PE-8(a)</prop>
-               <part id="pe-8.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-8(a)[1]</prop>
-                  <p>defines the time period to maintain visitor access records to the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-8.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-8(a)[2]</prop>
-                  <p>maintains visitor access records to the facility where the information system
-                     resides for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="pe-8.b_obj" name="objective">
-               <prop name="label">PE-8(b)</prop>
-               <part id="pe-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-8(b)[1]</prop>
-                  <p>defines the frequency to review visitor access records; and</p>
-               </part>
-               <part id="pe-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-8(b)[2]</prop>
-                  <p>reviews visitor access records with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing visitor access records</p>
-               <p>security plan</p>
-               <p>visitor access control logs or records</p>
-               <p>visitor access record or log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with visitor access records responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for maintaining and reviewing visitor access records</p>
-               <p>automated mechanisms supporting and/or implementing maintenance and review of
-                  visitor access records</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-12">
-         <title>Emergency Lighting</title>
-         <prop name="label">PE-12</prop>
-         <prop name="sort-id">pe-12</prop>
-         <part id="pe-12_smt" name="statement">
-            <p>The organization employs and maintains automatic emergency lighting for the
-               information system that activates in the event of a power outage or disruption and
-               that covers emergency exits and evacuation routes within the facility.</p>
-         </part>
-         <part id="pe-12_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-12_obj" name="objective">
-            <p>Determine if the organization employs and maintains automatic emergency lighting for
-               the information system that: </p>
-            <part id="pe-12_obj.1" name="objective">
-               <prop name="label">PE-12[1]</prop>
-               <p>activates in the event of a power outage or disruption; and</p>
-            </part>
-            <part id="pe-12_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-12[2]</prop>
-               <p>covers emergency exits and evacuation routes within the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing emergency lighting</p>
-               <p>emergency lighting documentation</p>
-               <p>emergency lighting test records</p>
-               <p>emergency exits and evacuation routes</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency lighting and/or
-                  planning</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing emergency lighting
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-13">
-         <title>Fire Protection</title>
-         <prop name="label">PE-13</prop>
-         <prop name="sort-id">pe-13</prop>
-         <part id="pe-13_smt" name="statement">
-            <p>The organization employs and maintains fire suppression and detection devices/systems
-               for the information system that are supported by an independent energy source.</p>
-         </part>
-         <part id="pe-13_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Fire suppression and detection devices/systems include, for example,
-               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-               detectors.</p>
-         </part>
-         <part id="pe-13_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-13_obj.1" name="objective">
-               <prop name="label">PE-13[1]</prop>
-               <p>employs fire suppression and detection devices/systems for the information system
-                  that are supported by an independent energy source; and</p>
-            </part>
-            <part id="pe-13_obj.2" name="objective">
-               <prop name="label">PE-13[2]</prop>
-               <p>maintains fire suppression and detection devices/systems for the information
-                  system that are supported by an independent energy source.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing fire protection</p>
-               <p>fire suppression and detection devices/systems</p>
-               <p>fire suppression and detection devices/systems documentation</p>
-               <p>test records of fire suppression and detection devices/systems</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for fire detection and suppression
-                  devices/systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing fire suppression/detection
-                  devices/systems</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-14">
-         <title>Temperature and Humidity Controls</title>
-         <param id="pe-14_prm_1">
-            <label>organization-defined acceptable levels</label>
-            <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-         </param>
-         <param id="pe-14_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>continuously</constraint>
-         </param>
-         <prop name="label">PE-14</prop>
-         <prop name="sort-id">pe-14</prop>
-         <part id="pe-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains temperature and humidity levels within the facility where the
-                  information system resides at <insert param-id="pe-14_prm_1"/>; and</p>
-            </part>
-            <part id="pe-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Monitors temperature and humidity levels <insert param-id="pe-14_prm_2"/>.</p>
-            </part>
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pe-14_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources, for example, data centers, server rooms, and mainframe computer
-               rooms.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-14_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-14.a_obj" name="objective">
-               <prop name="label">PE-14(a)</prop>
-               <part id="pe-14.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(a)[1]</prop>
-                  <p>defines acceptable temperature levels to be maintained within the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(a)[2]</prop>
-                  <p>defines acceptable humidity levels to be maintained within the facility where
-                     the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(a)[3]</prop>
-                  <p>maintains temperature levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-               <part id="pe-14.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(a)[4]</prop>
-                  <p>maintains humidity levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-            </part>
-            <part id="pe-14.b_obj" name="objective">
-               <prop name="label">PE-14(b)</prop>
-               <part id="pe-14.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(b)[1]</prop>
-                  <p>defines the frequency to monitor temperature levels;</p>
-               </part>
-               <part id="pe-14.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(b)[2]</prop>
-                  <p>defines the frequency to monitor humidity levels;</p>
-               </part>
-               <part id="pe-14.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(b)[3]</prop>
-                  <p>monitors temperature levels with the organization-defined frequency; and</p>
-               </part>
-               <part id="pe-14.b_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(b)[4]</prop>
-                  <p>monitors humidity levels with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing temperature and humidity control</p>
-               <p>security plan</p>
-               <p>temperature and humidity controls</p>
-               <p>facility housing the information system</p>
-               <p>temperature and humidity controls documentation</p>
-               <p>temperature and humidity records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                  temperature and humidity levels</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-15">
-         <title>Water Damage Protection</title>
-         <prop name="label">PE-15</prop>
-         <prop name="sort-id">pe-15</prop>
-         <part id="pe-15_smt" name="statement">
-            <p>The organization protects the information system from damage resulting from water
-               leakage by providing master shutoff or isolation valves that are accessible, working
-               properly, and known to key personnel.</p>
-         </part>
-         <part id="pe-15_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Isolation valves can be employed in addition to or in lieu of master
-               shutoff valves to shut off water supplies in specific areas of concern, without
-               affecting entire organizations.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-15_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization protects the information system from damage resulting
-               from water leakage by providing master shutoff or isolation valves that are: </p>
-            <part id="pe-15_obj.1" name="objective">
-               <prop name="label">PE-15[1]</prop>
-               <p>accessible;</p>
-            </part>
-            <part id="pe-15_obj.2" name="objective">
-               <prop name="label">PE-15[2]</prop>
-               <p>working properly; and</p>
-            </part>
-            <part id="pe-15_obj.3" name="objective">
-               <prop name="label">PE-15[3]</prop>
-               <p>known to key personnel.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing water damage protection</p>
-               <p>facility housing the information system</p>
-               <p>master shutoff valves</p>
-               <p>list of key personnel with knowledge of location and activation procedures for
-                  master shutoff valves for the plumbing system</p>
-               <p>master shutoff valve documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Master water-shutoff valves</p>
-               <p>organizational process for activating master water-shutoff</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-16">
-         <title>Delivery and Removal</title>
-         <param id="pe-16_prm_1">
-            <label>organization-defined types of information system components</label>
-            <constraint>all information system components</constraint>
-         </param>
-         <prop name="label">PE-16</prop>
-         <prop name="sort-id">pe-16</prop>
-         <part id="pe-16_smt" name="statement">
-            <p>The organization authorizes, monitors, and controls <insert param-id="pe-16_prm_1"/>
-               entering and exiting the facility and maintains records of those items.</p>
-         </part>
-         <part id="pe-16_gdn" name="guidance">
-            <p>Effectively enforcing authorizations for entry and exit of information system
-               components may require restricting access to delivery areas and possibly isolating
-               the areas from the information system and media libraries.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="pe-16_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-16_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PE-16[1]</prop>
-               <p>defines types of information system components to be authorized, monitored, and
-                  controlled as such components are entering and exiting the facility;</p>
-            </part>
-            <part id="pe-16_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[2]</prop>
-               <p>authorizes organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[3]</prop>
-               <p>monitors organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[4]</prop>
-               <p>controls organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.5" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[5]</prop>
-               <p>authorizes organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.6" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[6]</prop>
-               <p>monitors organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.7" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[7]</prop>
-               <p>controls organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.8" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-16[8]</prop>
-               <p>maintains records of information system components entering the facility; and</p>
-            </part>
-            <part id="pe-16_obj.9" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-16[9]</prop>
-               <p>maintains records of information system components exiting the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing delivery and removal of information system components from
-                  the facility</p>
-               <p>security plan</p>
-               <p>facility housing the information system</p>
-               <p>records of items entering and exiting the facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for controlling information system
-                  components entering and exiting the facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for authorizing, monitoring, and controlling information
-                  system-related items entering and exiting the facility</p>
-               <p>automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling information system-related items entering and exiting the facility</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pl">
-      <title>Planning</title>
-      <control class="SP800-53" id="pl-1">
-         <title>Security Planning Policy and Procedures</title>
-         <param id="pl-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="pl-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PL-1</prop>
-         <prop name="sort-id">pl-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pl-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pl-1_prm_1"/>:</p>
-               <part id="pl-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="pl-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security planning policy and
-                     associated security planning controls; and</p>
-               </part>
-            </part>
-            <part id="pl-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pl-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security planning policy <insert param-id="pl-1_prm_2"/>; and</p>
-               </part>
-               <part id="pl-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security planning procedures <insert param-id="pl-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pl-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PL
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pl-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pl-1.a_obj" name="objective">
-               <prop name="label">PL-1(a)</prop>
-               <part id="pl-1.a.1_obj" name="objective">
-                  <prop name="label">PL-1(a)(1)</prop>
-                  <part id="pl-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(1)[1]</prop>
-                     <p>develops and documents a planning policy that addresses:</p>
-                     <part id="pl-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pl-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the planning policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PL-1(a)(1)[3]</prop>
-                     <p>disseminates the planning policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="pl-1.a.2_obj" name="objective">
-                  <prop name="label">PL-1(a)(2)</prop>
-                  <part id="pl-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        planning policy and associated planning controls;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PL-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pl-1.b_obj" name="objective">
-               <prop name="label">PL-1(b)</prop>
-               <part id="pl-1.b.1_obj" name="objective">
-                  <prop name="label">PL-1(b)(1)</prop>
-                  <part id="pl-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current planning policy;</p>
-                  </part>
-                  <part id="pl-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current planning policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pl-1.b.2_obj" name="objective">
-                  <prop name="label">PL-1(b)(2)</prop>
-                  <part id="pl-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current planning procedures;
-                        and</p>
-                  </part>
-                  <part id="pl-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current planning procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-2">
-         <title>System Security Plan</title>
-         <param id="pl-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-2_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PL-2</prop>
-         <prop name="sort-id">pl-02</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security plan for the information system that:</p>
-               <part id="pl-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring decisions; and</p>
-               </part>
-               <part id="pl-2_smt.a.9" name="item">
-                  <prop name="label">9.</prop>
-                  <p>Is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the security plan and communicates subsequent changes to the
-                  plan to <insert param-id="pl-2_prm_1"/>;</p>
-            </part>
-            <part id="pl-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the security plan for the information system <insert param-id="pl-2_prm_2"/>;</p>
-            </part>
-            <part id="pl-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the plan to address changes to the information system/environment of
-                  operation or problems identified during plan implementation or security control
-                  assessments; and</p>
-            </part>
-            <part id="pl-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Protects the security plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part id="pl-2_gdn" name="guidance">
-            <p>Security plans relate security requirements to a set of security controls and control
-               enhancements. Security plans also describe, at a high level, how the security
-               controls and control enhancements meet those security requirements, but do not
-               provide detailed, technical descriptions of the specific design or implementation of
-               the controls/enhancements. Security plans contain sufficient information (including
-               the specification of parameter values for assignment and selection statements either
-               explicitly or by reference) to enable a design and implementation that is
-               unambiguously compliant with the intent of the plans and subsequent determinations of
-               risk to organizational operations and assets, individuals, other organizations, and
-               the Nation if the plan is implemented as intended. Organizations can also apply
-               tailoring guidance to the security control baselines in Appendix D and CNSS
-               Instruction 1253 to develop overlays for community-wide use or to address specialized
-               requirements, technologies, or missions/environments of operation (e.g.,
-               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-               Access Management, space operations). Appendix I provides guidance on developing
-               overlays. Security plans need not be single documents; the plans can be a collection
-               of various documents including documents that already exist. Effective security plans
-               make extensive use of references to policies, procedures, and additional documents
-               (e.g., design and implementation specifications) where more detailed information can
-               be obtained. This reduces the documentation requirements associated with security
-               programs and maintains security-related information in other established
-               management/operational areas related to enterprise architecture, system development
-               life cycle, systems engineering, and acquisition. For example, security plans do not
-               contain detailed contingency plan or incident response plan information but instead
-               provide explicitly or by reference, sufficient information to define what needs to be
-               accomplished by those plans.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-7">PL-7</link>
-            <link rel="related" href="#pm-1">PM-1</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-         </part>
-         <part id="pl-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-2.a_obj" name="objective">
-               <prop name="label">PL-2(a)</prop>
-               <p>develops a security plan for the information system that:</p>
-               <part id="pl-2.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(1)</prop>
-                  <p>is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(2)</prop>
-                  <p>explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(3)</prop>
-                  <p>describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(4)</prop>
-                  <p>provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(5)</prop>
-                  <p>describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2.a.6_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(6)</prop>
-                  <p>provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2.a.7_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(7)</prop>
-                  <p>identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2.a.8_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(8)</prop>
-                  <p>describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring and supplemental
-                     decisions;</p>
-               </part>
-               <part id="pl-2.a.9_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-2(a)(9)</prop>
-                  <p>is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2.b_obj" name="objective">
-               <prop name="label">PL-2(b)</prop>
-               <part id="pl-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(b)[1]</prop>
-                  <p>defines personnel or roles to whom copies of the security plan are to be
-                     distributed and subsequent changes to the plan are to be communicated;</p>
-               </part>
-               <part id="pl-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-2(b)[2]</prop>
-                  <p>distributes copies of the security plan and communicates subsequent changes to
-                     the plan to organization-defined personnel or roles;</p>
-               </part>
-            </part>
-            <part id="pl-2.c_obj" name="objective">
-               <prop name="label">PL-2(c)</prop>
-               <part id="pl-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(c)[1]</prop>
-                  <p>defines the frequency to review the security plan for the information
-                     system;</p>
-               </part>
-               <part id="pl-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(c)[2]</prop>
-                  <p>reviews the security plan for the information system with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pl-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-2(d)</prop>
-               <p>updates the plan to address:</p>
-               <part id="pl-2.d_obj.1" name="objective">
-                  <prop name="label">PL-2(d)[1]</prop>
-                  <p>changes to the information system/environment of operation;</p>
-               </part>
-               <part id="pl-2.d_obj.2" name="objective">
-                  <prop name="label">PL-2(d)[2]</prop>
-                  <p>problems identified during plan implementation;</p>
-               </part>
-               <part id="pl-2.d_obj.3" name="objective">
-                  <prop name="label">PL-2(d)[3]</prop>
-                  <p>problems identified during security control assessments;</p>
-               </part>
-            </part>
-            <part id="pl-2.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-2(e)</prop>
-               <p>protects the security plan from unauthorized:</p>
-               <part id="pl-2.e_obj.1" name="objective">
-                  <prop name="label">PL-2(e)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="pl-2.e_obj.2" name="objective">
-                  <prop name="label">PL-2(e)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing security plan development and implementation</p>
-               <p>procedures addressing security plan reviews and updates</p>
-               <p>enterprise architecture documentation</p>
-               <p>security plan for the information system</p>
-               <p>records of security plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security plan development/review/update/approval</p>
-               <p>automated mechanisms supporting the information system security plan</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-4">
-         <title>Rules of Behavior</title>
-         <param id="pl-4_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>At least every 3 years</constraint>
-         </param>
-         <prop name="label">PL-4</prop>
-         <prop name="sort-id">pl-04</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and makes readily available to individuals requiring access to the
-                  information system, the rules that describe their responsibilities and expected
-                  behavior with regard to information and information system usage;</p>
-            </part>
-            <part id="pl-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Receives a signed acknowledgment from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates the rules of behavior <insert param-id="pl-4_prm_1"/>; and</p>
-            </part>
-            <part id="pl-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires individuals who have signed a previous version of the rules of behavior
-                  to read and re-sign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part id="pl-4_gdn" name="guidance">
-            <p>This control enhancement applies to organizational users. Organizations consider
-               rules of behavior based on individual user roles and responsibilities,
-               differentiating, for example, between rules that apply to privileged users and rules
-               that apply to general users. Establishing rules of behavior for some types of
-               non-organizational users including, for example, individuals who simply receive
-               data/information from federal information systems, is often not feasible given the
-               large number of such users and the limited nature of their interactions with the
-               systems. Rules of behavior for both organizational and non-organizational users can
-               also be established in AC-8, System Use Notification. PL-4 b. (the signed
-               acknowledgment portion of this control) may be satisfied by the security awareness
-               training and role-based security training programs conducted by organizations if such
-               training includes rules of behavior. Organizations can use electronic signatures for
-               acknowledging rules of behavior.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-         </part>
-         <part id="pl-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-4.a_obj" name="objective">
-               <prop name="label">PL-4(a)</prop>
-               <part id="pl-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-4(a)[1]</prop>
-                  <p>establishes, for individuals requiring access to the information system, the
-                     rules that describe their responsibilities and expected behavior with regard to
-                     information and information system usage;</p>
-               </part>
-               <part id="pl-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(a)[2]</prop>
-                  <p>makes readily available to individuals requiring access to the information
-                     system, the rules that describe their responsibilities and expected behavior
-                     with regard to information and information system usage;</p>
-               </part>
-            </part>
-            <part id="pl-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-4(b)</prop>
-               <p>receives a signed acknowledgement from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4.c_obj" name="objective">
-               <prop name="label">PL-4(c)</prop>
-               <part id="pl-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-4(c)[1]</prop>
-                  <p>defines the frequency to review and update the rules of behavior;</p>
-               </part>
-               <part id="pl-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(c)[2]</prop>
-                  <p>reviews and updates the rules of behavior with the organization-defined
-                     frequency; and</p>
-               </part>
-            </part>
-            <part id="pl-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-4(d)</prop>
-               <p>requires individuals who have signed a previous version of the rules of behavior
-                  to read and resign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing rules of behavior for information system users</p>
-               <p>rules of behavior</p>
-               <p>signed acknowledgements</p>
-               <p>records for rules of behavior reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for establishing, reviewing, and
-                  updating rules of behavior</p>
-               <p>organizational personnel who are authorized users of the information system and
-                  have signed and resigned rules of behavior</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for establishing, reviewing, disseminating, and updating
-                  rules of behavior</p>
-               <p>automated mechanisms supporting and/or implementing the establishment, review,
-                  dissemination, and update of rules of behavior</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ps">
-      <title>Personnel Security</title>
-      <control class="SP800-53" id="ps-1">
-         <title>Personnel Security Policy and Procedures</title>
-         <param id="ps-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ps-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-1</prop>
-         <prop name="sort-id">ps-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ps-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ps-1_prm_1"/>:</p>
-               <part id="ps-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A personnel security policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ps-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the personnel security policy
-                     and associated personnel security controls; and</p>
-               </part>
-            </part>
-            <part id="ps-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ps-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Personnel security policy <insert param-id="ps-1_prm_2"/>; and</p>
-               </part>
-               <part id="ps-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Personnel security procedures <insert param-id="ps-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PS
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ps-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-1.a_obj" name="objective">
-               <prop name="label">PS-1(a)</prop>
-               <part id="ps-1.a.1_obj" name="objective">
-                  <prop name="label">PS-1(a)(1)</prop>
-                  <part id="ps-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(1)[1]</prop>
-                     <p>develops and documents an personnel security policy that addresses:</p>
-                     <part id="ps-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ps-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the personnel security policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PS-1(a)(1)[3]</prop>
-                     <p>disseminates the personnel security policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ps-1.a.2_obj" name="objective">
-                  <prop name="label">PS-1(a)(2)</prop>
-                  <part id="ps-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        personnel security policy and associated personnel security controls;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PS-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ps-1.b_obj" name="objective">
-               <prop name="label">PS-1(b)</prop>
-               <part id="ps-1.b.1_obj" name="objective">
-                  <prop name="label">PS-1(b)(1)</prop>
-                  <part id="ps-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        policy;</p>
-                  </part>
-                  <part id="ps-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current personnel security policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ps-1.b.2_obj" name="objective">
-                  <prop name="label">PS-1(b)(2)</prop>
-                  <part id="ps-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        procedures; and</p>
-                  </part>
-                  <part id="ps-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current personnel security procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-2">
-         <title>Position Risk Designation</title>
-         <param id="ps-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three years</constraint>
-         </param>
-         <prop name="label">PS-2</prop>
-         <prop name="sort-id">ps-02</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <part id="ps-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes screening criteria for individuals filling those positions; and</p>
-            </part>
-            <part id="ps-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates position risk designations <insert param-id="ps-2_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-2_gdn" name="guidance">
-            <p>Position risk designations reflect Office of Personnel Management policy and
-               guidance. Risk designations can guide and inform the types of authorizations
-               individuals receive when accessing organizational information and information
-               systems. Position screening criteria include explicit information security role
-               appointment requirements (e.g., training, security clearances).</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="ps-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-2(a)</prop>
-               <p>assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-2(b)</prop>
-               <p>establishes screening criteria for individuals filling those positions;</p>
-            </part>
-            <part id="ps-2.c_obj" name="objective">
-               <prop name="label">PS-2(c)</prop>
-               <part id="ps-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-2(c)[1]</prop>
-                  <p>defines the frequency to review and update position risk designations; and</p>
-               </part>
-               <part id="ps-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-2(c)[2]</prop>
-                  <p>reviews and updates position risk designations with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing position categorization</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>list of risk designations for organizational positions</p>
-               <p>security plan</p>
-               <p>records of position risk designation reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for assigning, reviewing, and updating position risk
-                  designations</p>
-               <p>organizational processes for establishing screening criteria</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-3">
-         <title>Personnel Screening</title>
-         <param id="ps-3_prm_1">
-            <label>organization-defined conditions requiring rescreening and, where rescreening is
-               so indicated, the frequency of such rescreening</label>
-            <constraint>For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-3</prop>
-         <prop name="sort-id">ps-03</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <part id="ps-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Screens individuals prior to authorizing access to the information system; and</p>
-            </part>
-            <part id="ps-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Rescreens individuals according to <insert param-id="ps-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-3_gdn" name="guidance">
-            <p>Personnel screening and rescreening activities reflect applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, guidance, and
-               specific criteria established for the risk designations of assigned positions.
-               Organizations may define different rescreening conditions and frequencies for
-               personnel accessing information systems based on types of information processed,
-               stored, or transmitted by the systems.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-         </part>
-         <part id="ps-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-3(a)</prop>
-               <p>screens individuals prior to authorizing access to the information system;</p>
-            </part>
-            <part id="ps-3.b_obj" name="objective">
-               <prop name="label">PS-3(b)</prop>
-               <part id="ps-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-3(b)[1]</prop>
-                  <p>defines conditions requiring re-screening;</p>
-               </part>
-               <part id="ps-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-3(b)[2]</prop>
-                  <p>defines the frequency of re-screening where it is so indicated; and</p>
-               </part>
-               <part id="ps-3.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-3(b)[3]</prop>
-                  <p>re-screens individuals in accordance with organization-defined conditions
-                     requiring re-screening and, where re-screening is so indicated, with the
-                     organization-defined frequency of such re-screening.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel screening</p>
-               <p>records of screened personnel</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel screening</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-4">
-         <title>Personnel Termination</title>
-         <param id="ps-4_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>same day</constraint>
-         </param>
-         <param id="ps-4_prm_2">
-            <label>organization-defined information security topics</label>
-         </param>
-         <param id="ps-4_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-4_prm_4">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-4</prop>
-         <prop name="sort-id">ps-04</prop>
-         <part id="ps-4_smt" name="statement">
-            <p>The organization, upon termination of individual employment:</p>
-            <part id="ps-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Disables information system access within <insert param-id="ps-4_prm_1"/>;</p>
-            </part>
-            <part id="ps-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts exit interviews that include a discussion of <insert param-id="ps-4_prm_2"/>;</p>
-            </part>
-            <part id="ps-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Retains access to organizational information and information systems formerly
-                  controlled by terminated individual; and</p>
-            </part>
-            <part id="ps-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Notifies <insert param-id="ps-4_prm_3"/> within <insert param-id="ps-4_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-4_gdn" name="guidance">
-            <p>Information system-related property includes, for example, hardware authentication
-               tokens, system administration technical manuals, keys, identification cards, and
-               building passes. Exit interviews ensure that terminated individuals understand the
-               security constraints imposed by being former employees and that proper accountability
-               is achieved for information system-related property. Security topics of interest at
-               exit interviews can include, for example, reminding terminated individuals of
-               nondisclosure agreements and potential limitations on future employment. Exit
-               interviews may not be possible for some terminated individuals, for example, in cases
-               related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-               interviews are important for individuals with security clearances. Timely execution
-               of termination actions is essential for individuals terminated for cause. In certain
-               situations, organizations consider disabling the information system accounts of
-               individuals that are being terminated prior to the individuals being notified.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-4_obj" name="objective">
-            <p>Determine if the organization, upon termination of individual employment,:</p>
-            <part id="ps-4.a_obj" name="objective">
-               <prop name="label">PS-4(a)</prop>
-               <part id="ps-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(a)[1]</prop>
-                  <p>defines a time period within which to disable information system access;</p>
-               </part>
-               <part id="ps-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-4(a)[2]</prop>
-                  <p>disables information system access within the organization-defined time
-                     period;</p>
-               </part>
-            </part>
-            <part id="ps-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-4(b)</prop>
-               <p>terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4.c_obj" name="objective">
-               <prop name="label">PS-4(c)</prop>
-               <part id="ps-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(c)[1]</prop>
-                  <p>defines information security topics to be discussed when conducting exit
-                     interviews;</p>
-               </part>
-               <part id="ps-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-4(c)[2]</prop>
-                  <p>conducts exit interviews that include a discussion of organization-defined
-                     information security topics;</p>
-               </part>
-            </part>
-            <part id="ps-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-4(d)</prop>
-               <p>retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-4(e)</prop>
-               <p>retains access to organizational information and information systems formerly
-                  controlled by the terminated individual;</p>
-            </part>
-            <part id="ps-4.f_obj" name="objective">
-               <prop name="label">PS-4(f)</prop>
-               <part id="ps-4.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(f)[1]</prop>
-                  <p>defines personnel or roles to be notified of the termination;</p>
-               </part>
-               <part id="ps-4.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(f)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles; and</p>
-               </part>
-               <part id="ps-4.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-4(f)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel termination</p>
-               <p>records of personnel termination actions</p>
-               <p>list of information system accounts</p>
-               <p>records of terminated or revoked authenticators/credentials</p>
-               <p>records of exit interviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel termination</p>
-               <p>automated mechanisms supporting and/or implementing personnel termination
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-5">
-         <title>Personnel Transfer</title>
-         <param id="ps-5_prm_1">
-            <label>organization-defined transfer or reassignment actions</label>
-         </param>
-         <param id="ps-5_prm_2">
-            <label>organization-defined time period following the formal transfer action</label>
-         </param>
-         <param id="ps-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-5_prm_4">
-            <label>organization-defined time period</label>
-            <constraint>five days of the time period following the formal transfer action (DoD 24 hours)</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-5</prop>
-         <prop name="sort-id">ps-05</prop>
-         <part id="ps-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and confirms ongoing operational need for current logical and physical
-                  access authorizations to information systems/facilities when individuals are
-                  reassigned or transferred to other positions within the organization;</p>
-            </part>
-            <part id="ps-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Initiates <insert param-id="ps-5_prm_1"/> within <insert param-id="ps-5_prm_2"/>;</p>
-            </part>
-            <part id="ps-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer; and</p>
-            </part>
-            <part id="ps-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Notifies <insert param-id="ps-5_prm_3"/> within <insert param-id="ps-5_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-5_gdn" name="guidance">
-            <p>This control applies when reassignments or transfers of individuals are permanent or
-               of such extended durations as to make the actions warranted. Organizations define
-               actions appropriate for the types of reassignments or transfers, whether permanent or
-               extended. Actions that may be required for personnel transfers or reassignments to
-               other positions within organizations include, for example: (i) returning old and
-               issuing new keys, identification cards, and building passes; (ii) closing information
-               system accounts and establishing new accounts; (iii) changing information system
-               access authorizations (i.e., privileges); and (iv) providing for access to official
-               records to which individuals had access at previous work locations and in previous
-               information system accounts.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-         </part>
-         <part id="ps-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-5.a_obj" name="objective">
-               <prop name="label">PS-5(a)</prop>
-               <p>when individuals are reassigned or transferred to other positions within the
-                  organization, reviews and confirms ongoing operational need for current:</p>
-               <part id="ps-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-5(a)[1]</prop>
-                  <p>logical access authorizations to information systems;</p>
-               </part>
-               <part id="ps-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-5(a)[2]</prop>
-                  <p>physical access authorizations to information systems and facilities;</p>
-               </part>
-            </part>
-            <part id="ps-5.b_obj" name="objective">
-               <prop name="label">PS-5(b)</prop>
-               <part id="ps-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(b)[1]</prop>
-                  <p>defines transfer or reassignment actions to be initiated following transfer or
-                     reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(b)[2]</prop>
-                  <p>defines the time period within which transfer or reassignment actions must
-                     occur following transfer or reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-5(b)[3]</prop>
-                  <p>initiates organization-defined transfer or reassignment actions within the
-                     organization-defined time period following transfer or reassignment;</p>
-               </part>
-            </part>
-            <part id="ps-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-5(c)</prop>
-               <p>modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer;</p>
-            </part>
-            <part id="ps-5.d_obj" name="objective">
-               <prop name="label">PS-5(d)</prop>
-               <part id="ps-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(d)[1]</prop>
-                  <p>defines personnel or roles to be notified when individuals are reassigned or
-                     transferred to other positions within the organization;</p>
-               </part>
-               <part id="ps-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(d)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles when individuals are reassigned or transferred to other positions
-                     within the organization; and</p>
-               </part>
-               <part id="ps-5.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-5(d)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when individuals are reassigned or transferred
-                     to other positions within the organization.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel transfer</p>
-               <p>security plan</p>
-               <p>records of personnel transfer actions</p>
-               <p>list of information system and facility access authorizations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities organizational
-                  personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel transfer</p>
-               <p>automated mechanisms supporting and/or implementing personnel transfer
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-6">
-         <title>Access Agreements</title>
-         <param id="ps-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ps-6_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-6</prop>
-         <prop name="sort-id">ps-06</prop>
-         <part id="ps-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the access agreements <insert param-id="ps-6_prm_1"/>; and</p>
-            </part>
-            <part id="ps-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that individuals requiring access to organizational information and
-                  information systems:</p>
-               <part id="ps-6_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Sign appropriate access agreements prior to being granted access; and</p>
-               </part>
-               <part id="ps-6_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Re-sign access agreements to maintain access to organizational information
-                     systems when access agreements have been updated or <insert param-id="ps-6_prm_2"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-6_gdn" name="guidance">
-            <p>Access agreements include, for example, nondisclosure agreements, acceptable use
-               agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-               agreements include an acknowledgement that individuals have read, understand, and
-               agree to abide by the constraints associated with organizational information systems
-               to which access is authorized. Organizations can use electronic signatures to
-               acknowledge access agreements unless specifically prohibited by organizational
-               policy.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-         </part>
-         <part id="ps-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-6(a)</prop>
-               <p>develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6.b_obj" name="objective">
-               <prop name="label">PS-6(b)</prop>
-               <part id="ps-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-6(b)[1]</prop>
-                  <p>defines the frequency to review and update the access agreements;</p>
-               </part>
-               <part id="ps-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-6(b)[2]</prop>
-                  <p>reviews and updates the access agreements with the organization-defined
-                     frequency;</p>
-               </part>
-            </part>
-            <part id="ps-6.c_obj" name="objective">
-               <prop name="label">PS-6(c)</prop>
-               <part id="ps-6.c.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-6(c)(1)</prop>
-                  <p>ensures that individuals requiring access to organizational information and
-                     information systems sign appropriate access agreements prior to being granted
-                     access;</p>
-               </part>
-               <part id="ps-6.c.2_obj" name="objective">
-                  <prop name="label">PS-6(c)(2)</prop>
-                  <part id="ps-6.c.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-6(c)(2)[1]</prop>
-                     <p>defines the frequency to re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been
-                        updated;</p>
-                  </part>
-                  <part id="ps-6.c.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">PS-6(c)(2)[2]</prop>
-                     <p>ensures that individuals requiring access to organizational information and
-                        information systems re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been updated
-                        or with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing access agreements for organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>access agreements</p>
-               <p>records of access agreement reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel who have signed/resigned access agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access agreements</p>
-               <p>automated mechanisms supporting access agreements</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-7">
-         <title>Third-party Personnel Security</title>
-         <param id="ps-7_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-7_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>organization-defined time period - same day</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-7</prop>
-         <prop name="sort-id">ps-07</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="ps-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes personnel security requirements including security roles and
-                  responsibilities for third-party providers;</p>
-            </part>
-            <part id="ps-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires third-party providers to notify <insert param-id="ps-7_prm_1"/> of any
-                  personnel transfers or terminations of third-party personnel who possess
-                  organizational credentials and/or badges, or who have information system
-                  privileges within <insert param-id="ps-7_prm_2"/>; and</p>
-            </part>
-            <part id="ps-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Monitors provider compliance.</p>
-            </part>
-         </part>
-         <part id="ps-7_gdn" name="guidance">
-            <p>Third-party providers include, for example, service bureaus, contractors, and other
-               organizations providing information system development, information technology
-               services, outsourced applications, and network and security management. Organizations
-               explicitly include personnel security requirements in acquisition-related documents.
-               Third-party providers may have personnel working at organizational facilities with
-               credentials, badges, or information system privileges issued by organizations.
-               Notifications of third-party personnel changes ensure appropriate termination of
-               privileges and credentials. Organizations define the transfers and terminations
-               deemed reportable by security-related characteristics that include, for example,
-               functions, roles, and nature of credentials/privileges associated with individuals
-               transferred or terminated.</p>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sa-21">SA-21</link>
-         </part>
-         <part id="ps-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-7.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-7(a)</prop>
-               <p>establishes personnel security requirements, including security roles and
-                  responsibilities, for third-party providers;</p>
-            </part>
-            <part id="ps-7.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-7(b)</prop>
-               <p>requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-7(c)</prop>
-               <p>documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7.d_obj" name="objective">
-               <prop name="label">PS-7(d)</prop>
-               <part id="ps-7.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[1]</prop>
-                  <p>defines personnel or roles to be notified of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[2]</prop>
-                  <p>defines the time period within which third-party providers are required to
-                     notify organization-defined personnel or roles of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[3]</prop>
-                  <p>requires third-party providers to notify organization-defined personnel or
-                     roles within the organization-defined time period of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges; and</p>
-               </part>
-            </part>
-            <part id="ps-7.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-7(e)</prop>
-               <p>monitors provider compliance.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing third-party personnel security</p>
-               <p>list of personnel security requirements</p>
-               <p>acquisition documents</p>
-               <p>service-level agreements</p>
-               <p>compliance monitoring process</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>third-party providers</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing and monitoring third-party personnel
-                  security</p>
-               <p>automated mechanisms supporting and/or implementing monitoring of provider
-                  compliance</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-8">
-         <title>Personnel Sanctions</title>
-         <param id="ps-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-8_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-8</prop>
-         <prop name="sort-id">ps-08</prop>
-         <part id="ps-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures; and</p>
-            </part>
-            <part id="ps-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Notifies <insert param-id="ps-8_prm_1"/> within <insert param-id="ps-8_prm_2"/>
-                  when a formal employee sanctions process is initiated, identifying the individual
-                  sanctioned and the reason for the sanction.</p>
-            </part>
-         </part>
-         <part id="ps-8_gdn" name="guidance">
-            <p>Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Sanctions processes are
-               described in access agreements and can be included as part of general personnel
-               policies and procedures for organizations. Organizations consult with the Office of
-               the General Counsel regarding matters of employee sanctions.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-8(a)</prop>
-               <p>employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures;</p>
-            </part>
-            <part id="ps-8.b_obj" name="objective">
-               <prop name="label">PS-8(b)</prop>
-               <part id="ps-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-8(b)[1]</prop>
-                  <p>defines personnel or roles to be notified when a formal employee sanctions
-                     process is initiated;</p>
-               </part>
-               <part id="ps-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-8(b)[2]</prop>
-                  <p>defines the time period within which organization-defined personnel or roles
-                     must be notified when a formal employee sanctions process is initiated; and</p>
-               </part>
-               <part id="ps-8.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-8(b)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when a formal employee sanctions process is
-                     initiated, identifying the individual sanctioned and the reason for the
-                     sanction.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel sanctions</p>
-               <p>rules of behavior</p>
-               <p>records of formal sanctions</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing personnel sanctions</p>
-               <p>automated mechanisms supporting and/or implementing notifications</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ra">
-      <title>Risk Assessment</title>
-      <control class="SP800-53" id="ra-1">
-         <title>Risk Assessment Policy and Procedures</title>
-         <param id="ra-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ra-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">RA-1</prop>
-         <prop name="sort-id">ra-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ra-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ra-1_prm_1"/>:</p>
-               <part id="ra-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A risk assessment policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ra-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the risk assessment policy and
-                     associated risk assessment controls; and</p>
-               </part>
-            </part>
-            <part id="ra-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ra-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Risk assessment policy <insert param-id="ra-1_prm_2"/>; and</p>
-               </part>
-               <part id="ra-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Risk assessment procedures <insert param-id="ra-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the RA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-1.a_obj" name="objective">
-               <prop name="label">RA-1(a)</prop>
-               <part id="ra-1.a.1_obj" name="objective">
-                  <prop name="label">RA-1(a)(1)</prop>
-                  <part id="ra-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(1)[1]</prop>
-                     <p>develops and documents a risk assessment policy that addresses:</p>
-                     <part id="ra-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ra-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the risk assessment policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">RA-1(a)(1)[3]</prop>
-                     <p>disseminates the risk assessment policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ra-1.a.2_obj" name="objective">
-                  <prop name="label">RA-1(a)(2)</prop>
-                  <part id="ra-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        risk assessment policy and associated risk assessment controls;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">RA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-1.b_obj" name="objective">
-               <prop name="label">RA-1(b)</prop>
-               <part id="ra-1.b.1_obj" name="objective">
-                  <prop name="label">RA-1(b)(1)</prop>
-                  <part id="ra-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        policy;</p>
-                  </part>
-                  <part id="ra-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current risk assessment policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ra-1.b.2_obj" name="objective">
-                  <prop name="label">RA-1(b)(2)</prop>
-                  <part id="ra-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        procedures; and</p>
-                  </part>
-                  <part id="ra-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current risk assessment procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>risk assessment policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-2">
-         <title>Security Categorization</title>
-         <prop name="label">RA-2</prop>
-         <prop name="sort-id">ra-02</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="ra-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that the authorizing official or authorizing official designated
-                  representative reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part id="ra-2_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective security
-               categorization decisions. Security categories describe the potential adverse impacts
-               to organizational operations, organizational assets, and individuals if
-               organizational information and information systems are comprised through a loss of
-               confidentiality, integrity, or availability. Organizations conduct the security
-               categorization process as an organization-wide activity with the involvement of chief
-               information officers, senior information security officers, information system
-               owners, mission/business owners, and information owners/stewards. Organizations also
-               consider the potential adverse impacts to other organizations and, in accordance with
-               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-               national-level adverse impacts. Security categorization processes carried out by
-               organizations facilitate the development of inventories of information assets, and
-               along with CM-8, mappings to specific information system components where information
-               is processed, stored, or transmitted.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="ra-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">RA-2(a)</prop>
-               <p>categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">RA-2(b)</prop>
-               <p>documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">RA-2(c)</prop>
-               <p>ensures the authorizing official or authorizing official designated representative
-                  reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing security categorization of organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>security categorization documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security categorization and risk assessment
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security categorization</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-3">
-         <title>Risk Assessment</title>
-         <param id="ra-3_prm_1"/>
-         <param id="ra-3_prm_2" depends-on="ra-3_prm_1">
-            <label>organization-defined document</label>
-            <constraint>security assessment report</constraint>
-         </param>
-         <param id="ra-3_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three (3) years or when a significant change occurs</constraint>
-         </param>
-         <param id="ra-3_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-3_prm_5">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three (3) years or when a significant change occurs</constraint>
-         </param>
-         <prop name="label">RA-3</prop>
-         <prop name="sort-id">ra-03</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ra-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of the information system and the information it processes, stores, or
-                  transmits;</p>
-            </part>
-            <part id="ra-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents risk assessment results in <insert param-id="ra-3_prm_1"/>;</p>
-            </part>
-            <part id="ra-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews risk assessment results <insert param-id="ra-3_prm_3"/>;</p>
-            </part>
-            <part id="ra-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Disseminates risk assessment results to <insert param-id="ra-3_prm_4"/>; and</p>
-            </part>
-            <part id="ra-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the risk assessment <insert param-id="ra-3_prm_5"/> or whenever there are
-                  significant changes to the information system or environment of operation
-                  (including the identification of new threats and vulnerabilities), or other
-                  conditions that may impact the security state of the system.</p>
-            </part>
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-3_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective risk
-               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-               and impact to organizational operations and assets, individuals, other organizations,
-               and the Nation based on the operation and use of information systems. Risk
-               assessments also take into account risk from external parties (e.g., service
-               providers, contractors operating information systems on behalf of the organization,
-               individuals accessing organizational information systems, outsourcing entities). In
-               accordance with OMB policy and related E-authentication initiatives, authentication
-               of public users accessing federal information systems may also be required to protect
-               nonpublic or privacy-related information. As such, organizational assessments of risk
-               also address public access to federal information systems. Risk assessments (either
-               formal or informal) can be conducted at all three tiers in the risk management
-               hierarchy (i.e., organization level, mission/business process level, or information
-               system level) and at any phase in the system development life cycle. Risk assessments
-               can also be conducted at various steps in the Risk Management Framework, including
-               categorization, security control selection, security control implementation, security
-               control assessment, information system authorization, and security control
-               monitoring. RA-3 is noteworthy in that the control must be partially implemented
-               prior to the implementation of other controls in order to complete the first two
-               steps in the Risk Management Framework. Risk assessments can play an important role
-               in security control selection processes, particularly during the application of
-               tailoring guidance, which includes security control supplementation.</p>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-3.a_obj" name="objective">
-               <prop name="label">RA-3(a)</prop>
-               <p>conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of:</p>
-               <part id="ra-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(a)[1]</prop>
-                  <p>the information system;</p>
-               </part>
-               <part id="ra-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(a)[2]</prop>
-                  <p>the information the system processes, stores, or transmits;</p>
-               </part>
-            </part>
-            <part id="ra-3.b_obj" name="objective">
-               <prop name="label">RA-3(b)</prop>
-               <part id="ra-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(b)[1]</prop>
-                  <p>defines a document in which risk assessment results are to be documented (if
-                     not documented in the security plan or risk assessment report);</p>
-               </part>
-               <part id="ra-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(b)[2]</prop>
-                  <p>documents risk assessment results in one of the following:</p>
-                  <part id="ra-3.b_obj.2.a" name="objective">
-                     <prop name="label">RA-3(b)[2][a]</prop>
-                     <p>the security plan;</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.b" name="objective">
-                     <prop name="label">RA-3(b)[2][b]</prop>
-                     <p>the risk assessment report; or</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.c" name="objective">
-                     <prop name="label">RA-3(b)[2][c]</prop>
-                     <p>the organization-defined document;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-3.c_obj" name="objective">
-               <prop name="label">RA-3(c)</prop>
-               <part id="ra-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(c)[1]</prop>
-                  <p>defines the frequency to review risk assessment results;</p>
-               </part>
-               <part id="ra-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(c)[2]</prop>
-                  <p>reviews risk assessment results with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ra-3.d_obj" name="objective">
-               <prop name="label">RA-3(d)</prop>
-               <part id="ra-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(d)[1]</prop>
-                  <p>defines personnel or roles to whom risk assessment results are to be
-                     disseminated;</p>
-               </part>
-               <part id="ra-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(d)[2]</prop>
-                  <p>disseminates risk assessment results to organization-defined personnel or
-                     roles;</p>
-               </part>
-            </part>
-            <part id="ra-3.e_obj" name="objective">
-               <prop name="label">RA-3(e)</prop>
-               <part id="ra-3.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(e)[1]</prop>
-                  <p>defines the frequency to update the risk assessment;</p>
-               </part>
-               <part id="ra-3.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(e)[2]</prop>
-                  <p>updates the risk assessment:</p>
-                  <part id="ra-3.e_obj.2.a" name="objective">
-                     <prop name="label">RA-3(e)[2][a]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.b" name="objective">
-                     <prop name="label">RA-3(e)[2][b]</prop>
-                     <p>whenever there are significant changes to the information system or
-                        environment of operation (including the identification of new threats and
-                        vulnerabilities); and</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.c" name="objective">
-                     <prop name="label">RA-3(e)[2][c]</prop>
-                     <p>whenever there are other conditions that may impact the security state of
-                        the system.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing organizational assessments of risk</p>
-               <p>security plan</p>
-               <p>risk assessment</p>
-               <p>risk assessment results</p>
-               <p>risk assessment reviews</p>
-               <p>risk assessment updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for risk assessment</p>
-               <p>automated mechanisms supporting and/or for conducting, documenting, reviewing,
-                  disseminating, and updating the risk assessment</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-5">
-         <title>Vulnerability Scanning</title>
-         <param id="ra-5_prm_1">
-            <label>organization-defined frequency and/or randomly in accordance with
-               organization-defined process</label>
-            <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-         </param>
-         <param id="ra-5_prm_2">
-            <label>organization-defined response times</label>
-            <constraint>[high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.</constraint>
-         </param>
-         <param id="ra-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">RA-5</prop>
-         <prop name="sort-id">ra-05</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#15522e92-9192-463d-9646-6a01982db8ca" rel="reference">http://cwe.mitre.org</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <part id="ra-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Scans for vulnerabilities in the information system and hosted applications
-                     <insert param-id="ra-5_prm_1"/> and when new vulnerabilities potentially
-                  affecting the system/applications are identified and reported;</p>
-            </part>
-            <part id="ra-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Enumerating platforms, software flaws, and improper configurations;</p>
-               </part>
-               <part id="ra-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Formatting checklists and test procedures; and</p>
-               </part>
-               <part id="ra-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Analyzes vulnerability scan reports and results from security control
-                  assessments;</p>
-            </part>
-            <part id="ra-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Remediates legitimate vulnerabilities <insert param-id="ra-5_prm_2"/> in
-                  accordance with an organizational assessment of risk; and</p>
-            </part>
-            <part id="ra-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Shares information obtained from the vulnerability scanning process and security
-                  control assessments with <insert param-id="ra-5_prm_3"/> to help eliminate similar
-                  vulnerabilities in other information systems (i.e., systemic weaknesses or
-                  deficiencies).</p>
-            </part>
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-            </part>
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-5_gdn" name="guidance">
-            <p>Security categorization of information systems guides the frequency and
-               comprehensiveness of vulnerability scans. Organizations determine the required
-               vulnerability scanning for all information system components, ensuring that potential
-               sources of vulnerabilities such as networked printers, scanners, and copiers are not
-               overlooked. Vulnerability analyses for custom software applications may require
-               additional approaches such as static analysis, dynamic analysis, binary analysis, or
-               a hybrid of the three approaches. Organizations can employ these analysis approaches
-               in a variety of tools (e.g., web-based application scanners, static analysis tools,
-               binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-               example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-               protocols, and services that should not be accessible to users or devices; and (iii)
-               scanning for improperly configured or incorrectly operating information flow control
-               mechanisms. Organizations consider using tools that express vulnerabilities in the
-               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-               Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-               vulnerabilities. Suggested sources for vulnerability information include the Common
-               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-               addition, security control assessments such as red team exercises provide other
-               sources of potential vulnerabilities for which to scan. Organizations also consider
-               using tools that express vulnerability impact by the Common Vulnerability Scoring
-               System (CVSS).</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ra-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-5.a_obj" name="objective">
-               <prop name="label">RA-5(a)</prop>
-               <part id="ra-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(a)[1]</prop>
-                  <part id="ra-5.a_obj.1.a" name="objective">
-                     <prop name="label">RA-5(a)[1][a]</prop>
-                     <p>defines the frequency for conducting vulnerability scans on the information
-                        system and hosted applications; and/or</p>
-                  </part>
-                  <part id="ra-5.a_obj.1.b" name="objective">
-                     <prop name="label">RA-5(a)[1][b]</prop>
-                     <p>defines the process for conducting random vulnerability scans on the
-                        information system and hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(a)[2]</prop>
-                  <p>in accordance with the organization-defined frequency and/or
-                     organization-defined process for conducting random scans, scans for
-                     vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.2.a" name="objective">
-                     <prop name="label">RA-5(a)[2][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.2.b" name="objective">
-                     <prop name="label">RA-5(a)[2][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(a)[3]</prop>
-                  <p>when new vulnerabilities potentially affecting the system/applications are
-                     identified and reported, scans for vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.3.a" name="objective">
-                     <prop name="label">RA-5(a)[3][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.3.b" name="objective">
-                     <prop name="label">RA-5(a)[3][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.b_obj" name="objective">
-               <prop name="label">RA-5(b)</prop>
-               <p>employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5.b.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(1)</prop>
-                  <part id="ra-5.b.1_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(1)[1]</prop>
-                     <p>enumerating platforms;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(1)[2]</prop>
-                     <p>enumerating software flaws;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.3" name="objective">
-                     <prop name="label">RA-5(b)(1)[3]</prop>
-                     <p>enumerating improper configurations;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(2)</prop>
-                  <part id="ra-5.b.2_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(2)[1]</prop>
-                     <p>formatting checklists;</p>
-                  </part>
-                  <part id="ra-5.b.2_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(2)[2]</prop>
-                     <p>formatting test procedures;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(3)</prop>
-                  <p>measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5.c_obj" name="objective">
-               <prop name="label">RA-5(c)</prop>
-               <part id="ra-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(c)[1]</prop>
-                  <p>analyzes vulnerability scan reports;</p>
-               </part>
-               <part id="ra-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(c)[2]</prop>
-                  <p>analyzes results from security control assessments;</p>
-               </part>
-            </part>
-            <part id="ra-5.d_obj" name="objective">
-               <prop name="label">RA-5(d)</prop>
-               <part id="ra-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(d)[1]</prop>
-                  <p>defines response times to remediate legitimate vulnerabilities in accordance
-                     with an organizational assessment of risk;</p>
-               </part>
-               <part id="ra-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(d)[2]</prop>
-                  <p>remediates legitimate vulnerabilities within the organization-defined response
-                     times in accordance with an organizational assessment of risk;</p>
-               </part>
-            </part>
-            <part id="ra-5.e_obj" name="objective">
-               <prop name="label">RA-5(e)</prop>
-               <part id="ra-5.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(e)[1]</prop>
-                  <p>defines personnel or roles with whom information obtained from the
-                     vulnerability scanning process and security control assessments is to be
-                     shared;</p>
-               </part>
-               <part id="ra-5.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(e)[2]</prop>
-                  <p>shares information obtained from the vulnerability scanning process with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies); and</p>
-               </part>
-               <part id="ra-5.e_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(e)[3]</prop>
-                  <p>shares information obtained from security control assessments with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>procedures addressing vulnerability scanning</p>
-               <p>risk assessment</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>vulnerability scanning tools and associated configuration documentation</p>
-               <p>vulnerability scanning results</p>
-               <p>patch and vulnerability management records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment, security control assessment and
-                  vulnerability scanning responsibilities</p>
-               <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-               <p>organizational personnel with vulnerability remediation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for vulnerability scanning, analysis, remediation, and
-                  information sharing</p>
-               <p>automated mechanisms supporting and/or implementing vulnerability scanning,
-                  analysis, remediation, and information sharing</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sa">
-      <title>System and Services Acquisition</title>
-      <control class="SP800-53" id="sa-1">
-         <title>System and Services Acquisition Policy and Procedures</title>
-         <param id="sa-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sa-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="sa-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SA-1</prop>
-         <prop name="sort-id">sa-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sa-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sa-1_prm_1"/>:</p>
-               <part id="sa-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and services acquisition policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="sa-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and services
-                     acquisition policy and associated system and services acquisition controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sa-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sa-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and services acquisition policy <insert param-id="sa-1_prm_2"/>; and</p>
-               </part>
-               <part id="sa-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and services acquisition procedures <insert param-id="sa-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sa-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-1.a_obj" name="objective">
-               <prop name="label">SA-1(a)</prop>
-               <part id="sa-1.a.1_obj" name="objective">
-                  <prop name="label">SA-1(a)(1)</prop>
-                  <part id="sa-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and services acquisition policy that
-                        addresses:</p>
-                     <part id="sa-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sa-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and services acquisition
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-1(a)(1)[3]</prop>
-                     <p>disseminates the system and services acquisition policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sa-1.a.2_obj" name="objective">
-                  <prop name="label">SA-1(a)(2)</prop>
-                  <part id="sa-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and services acquisition policy and associated system and services
-                        acquisition controls;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-1.b_obj" name="objective">
-               <prop name="label">SA-1(b)</prop>
-               <part id="sa-1.b.1_obj" name="objective">
-                  <prop name="label">SA-1(b)(1)</prop>
-                  <part id="sa-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition policy;</p>
-                  </part>
-                  <part id="sa-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sa-1.b.2_obj" name="objective">
-                  <prop name="label">SA-1(b)(2)</prop>
-                  <part id="sa-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition procedures; and</p>
-                  </part>
-                  <part id="sa-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-2">
-         <title>Allocation of Resources</title>
-         <prop name="label">SA-2</prop>
-         <prop name="sort-id">sa-02</prop>
-         <link href="#29fcfe59-33cd-494a-8756-5907ae3a8f92" rel="reference">NIST Special Publication 800-65</link>
-         <part id="sa-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Determines, documents, and allocates the resources required to protect the
-                  information system or information system service as part of its capital planning
-                  and investment control process; and</p>
-            </part>
-            <part id="sa-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part id="sa-2_gdn" name="guidance">
-            <p>Resource allocation for information security includes funding for the initial
-               information system or information system service acquisition and funding for the
-               sustainment of the system/service.</p>
-            <link rel="related" href="#pm-3">PM-3</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="sa-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-2(a)</prop>
-               <p>determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-2(b)</prop>
-               <p>to protect the information system or information system service as part of its
-                  capital planning and investment control process:</p>
-               <part id="sa-2.b_obj.1" name="objective">
-                  <prop name="label">SA-2(b)[1]</prop>
-                  <p>determines the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.2" name="objective">
-                  <prop name="label">SA-2(b)[2]</prop>
-                  <p>documents the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.3" name="objective">
-                  <prop name="label">SA-2(b)[3]</prop>
-                  <p>allocates the resources required; and</p>
-               </part>
-            </part>
-            <part id="sa-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-2(c)</prop>
-               <p>establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the allocation of resources to information security
-                  requirements</p>
-               <p>procedures addressing capital planning and investment control</p>
-               <p>organizational programming and budgeting documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with capital planning, investment control, organizational
-                  programming and budgeting responsibilities</p>
-               <p>organizational personnel responsible for determining information security
-                  requirements for information systems/services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information security requirements</p>
-               <p>organizational processes for capital planning, programming, and budgeting</p>
-               <p>automated mechanisms supporting and/or implementing organizational capital
-                  planning, programming, and budgeting</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-3">
-         <title>System Development Life Cycle</title>
-         <param id="sa-3_prm_1">
-            <label>organization-defined system development life cycle</label>
-         </param>
-         <prop name="label">SA-3</prop>
-         <prop name="sort-id">sa-03</prop>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <part id="sa-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Manages the information system using <insert param-id="sa-3_prm_1"/> that
-                  incorporates information security considerations;</p>
-            </part>
-            <part id="sa-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part id="sa-3_gdn" name="guidance">
-            <p>A well-defined system development life cycle provides the foundation for the
-               successful development, implementation, and operation of organizational information
-               systems. To apply the required security controls within the system development life
-               cycle requires a basic understanding of information security, threats,
-               vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-               The security engineering principles in SA-8 cannot be properly applied if individuals
-               that design, code, and test information systems and system components (including
-               information technology products) do not understand security. Therefore, organizations
-               include qualified personnel, for example, chief information security officers,
-               security architects, security engineers, and information system security officers in
-               system development life cycle activities to ensure that security requirements are
-               incorporated into organizational information systems. It is equally important that
-               developers include individuals on the development team that possess the requisite
-               security expertise and skills to ensure that needed security capabilities are
-               effectively integrated into the information system. Security awareness and training
-               programs can help ensure that individuals having key security roles and
-               responsibilities have the appropriate experience, skills, and expertise to conduct
-               assigned system development life cycle activities. The effective integration of
-               security requirements into enterprise architecture also helps to ensure that
-               important security considerations are addressed early in the system development life
-               cycle and that those considerations are directly related to the organizational
-               mission/business processes. This process also facilitates the integration of the
-               information security architecture into the enterprise architecture, consistent with
-               organizational risk management and information security strategies.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-3.a_obj" name="objective">
-               <prop name="label">SA-3(a)</prop>
-               <part id="sa-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-3(a)[1]</prop>
-                  <p>defines a system development life cycle that incorporates information security
-                     considerations to be used to manage the information system;</p>
-               </part>
-               <part id="sa-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-3(a)[2]</prop>
-                  <p>manages the information system using the organization-defined system
-                     development life cycle;</p>
-               </part>
-            </part>
-            <part id="sa-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-3(b)</prop>
-               <p>defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-3(c)</prop>
-               <p>identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-3(d)</prop>
-               <p>integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security into the system
-                  development life cycle process</p>
-               <p>information system development life cycle documentation</p>
-               <p>information security risk management strategy/program documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security and system life cycle
-                  development responsibilities</p>
-               <p>organizational personnel with information security risk management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining and documenting the SDLC</p>
-               <p>organizational processes for identifying SDLC roles and responsibilities</p>
-               <p>organizational process for integrating information security risk management into
-                  the SDLC</p>
-               <p>automated mechanisms supporting and/or implementing the SDLC</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-4">
-         <title>Acquisition Process</title>
-         <prop name="label">SA-4</prop>
-         <prop name="sort-id">sa-04</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#1737a687-52fb-4008-b900-cbfa836f7b65" rel="reference">ISO/IEC 15408</link>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#0a5db899-f033-467f-8631-f5a8ba971475" rel="reference">NIST Special Publication 800-23</link>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <link href="#d818efd3-db31-4953-8afa-9e76afe83ce2" rel="reference">NIST Special Publication 800-36</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#56d671da-6b7b-4abf-8296-84b61980390a" rel="reference">Federal Acquisition Regulation</link>
-         <link href="#c95a9986-3cd6-4a98-931b-ccfc56cb11e5" rel="reference">http://www.niap-ccevs.org</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <link href="#bbd50dd1-54ce-4432-959d-63ea564b1bb4" rel="reference">http://www.acquisition.gov/far</link>
-         <part id="sa-4_smt" name="statement">
-            <p>The organization includes the following requirements, descriptions, and criteria,
-               explicitly or by reference, in the acquisition contract for the information system,
-               system component, or information system service in accordance with applicable federal
-               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-               organizational mission/business needs:</p>
-            <part id="sa-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Security functional requirements;</p>
-            </part>
-            <part id="sa-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Security strength requirements;</p>
-            </part>
-            <part id="sa-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Security assurance requirements;</p>
-            </part>
-            <part id="sa-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Description of the information system development environment and environment in
-                  which the system is intended to operate; and</p>
-            </part>
-            <part id="sa-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Acceptance criteria.</p>
-            </part>
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-4_gdn" name="guidance">
-            <p>Information system components are discrete, identifiable information technology
-               assets (e.g., hardware, software, or firmware) that represent the building blocks of
-               an information system. Information system components include commercial information
-               technology products. Security functional requirements include security capabilities,
-               security functions, and security mechanisms. Security strength requirements
-               associated with such capabilities, functions, and mechanisms include degree of
-               correctness, completeness, resistance to direct attack, and resistance to tampering
-               or bypass. Security assurance requirements include: (i) development processes,
-               procedures, practices, and methodologies; and (ii) evidence from development and
-               assessment activities providing grounds for confidence that the required security
-               functionality has been implemented and the required security strength has been
-               achieved. Security documentation requirements address all phases of the system
-               development life cycle. Security functionality, assurance, and documentation
-               requirements are expressed in terms of security controls and control enhancements
-               that have been selected through the tailoring process. The security control tailoring
-               process includes, for example, the specification of parameter values through the use
-               of assignment and selection statements and the specification of platform dependencies
-               and implementation information. Security documentation provides user and
-               administrator guidance regarding the implementation and operation of security
-               controls. The level of detail required in security documentation is based on the
-               security category or classification level of the information system and the degree to
-               which organizations depend on the stated security capability, functions, or
-               mechanisms to meet overall risk response expectations (as defined in the
-               organizational risk management strategy). Security requirements can also include
-               organizationally mandated configuration settings specifying allowed functions, ports,
-               protocols, and services. Acceptance criteria for information systems, information
-               system components, and information system services are defined in the same manner as
-               such criteria for any organizational acquisition or procurement. The Federal
-               Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-               from FISMA.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="sa-4_obj" name="objective">
-            <p>Determine if the organization includes the following requirements, descriptions, and
-               criteria, explicitly or by reference, in the acquisition contracts for the
-               information system, system component, or information system service in accordance
-               with applicable federal laws, Executive Orders, directives, policies, regulations,
-               standards, guidelines, and organizational mission/business needs:</p>
-            <part id="sa-4.a_obj" name="objective">
-               <prop name="label">SA-4(a)</prop>
-               <p>security functional requirements;</p>
-            </part>
-            <part id="sa-4.b_obj" name="objective">
-               <prop name="label">SA-4(b)</prop>
-               <p>security strength requirements;</p>
-            </part>
-            <part id="sa-4.c_obj" name="objective">
-               <prop name="label">SA-4(c)</prop>
-               <p>security assurance requirements;</p>
-            </part>
-            <part id="sa-4.d_obj" name="objective">
-               <prop name="label">SA-4(d)</prop>
-               <p>security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4.e_obj" name="objective">
-               <prop name="label">SA-4(e)</prop>
-               <p>requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4.f_obj" name="objective">
-               <prop name="label">SA-4(f)</prop>
-               <p>description of:</p>
-               <part id="sa-4.f_obj.1" name="objective">
-                  <prop name="label">SA-4(f)[1]</prop>
-                  <p>the information system development environment;</p>
-               </part>
-               <part id="sa-4.f_obj.2" name="objective">
-                  <prop name="label">SA-4(f)[2]</prop>
-                  <p>the environment in which the system is intended to operate; and</p>
-               </part>
-            </part>
-            <part id="sa-4.g_obj" name="objective">
-               <prop name="label">SA-4(g)</prop>
-               <p>acceptance criteria.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security requirements,
-                  descriptions, and criteria into the acquisition process</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>information system design documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security functional, strength, and assurance requirements</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information system security functional,
-                  strength, and assurance requirements</p>
-               <p>organizational processes for developing acquisition contracts</p>
-               <p>automated mechanisms supporting and/or implementing acquisitions and inclusion of
-                  security requirements in contracts</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-5">
-         <title>Information System Documentation</title>
-         <param id="sa-5_prm_1">
-            <label>organization-defined actions</label>
-         </param>
-         <param id="sa-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SA-5</prop>
-         <prop name="sort-id">sa-05</prop>
-         <part id="sa-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Secure configuration, installation, and operation of the system, component, or
-                     service;</p>
-               </part>
-               <part id="sa-5_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Effective use and maintenance of security functions/mechanisms; and</p>
-               </part>
-               <part id="sa-5_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>User-accessible security functions/mechanisms and how to effectively use those
-                     security functions/mechanisms;</p>
-               </part>
-               <part id="sa-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner; and</p>
-               </part>
-               <part id="sa-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>User responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents attempts to obtain information system, system component, or information
-                  system service documentation when such documentation is either unavailable or
-                  nonexistent and takes <insert param-id="sa-5_prm_1"/> in response;</p>
-            </part>
-            <part id="sa-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects documentation as required, in accordance with the risk management
-                  strategy; and</p>
-            </part>
-            <part id="sa-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Distributes documentation to <insert param-id="sa-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="sa-5_gdn" name="guidance">
-            <p>This control helps organizational personnel understand the implementation and
-               operation of security controls associated with information systems, system
-               components, and information system services. Organizations consider establishing
-               specific measures to determine the quality/completeness of the content provided. The
-               inability to obtain needed documentation may occur, for example, due to the age of
-               the information system/component or lack of support from developers and contractors.
-               In those situations, organizations may need to recreate selected documentation if
-               such documentation is essential to the effective implementation or operation of
-               security controls. The level of protection provided for selected information system,
-               component, or service documentation is commensurate with the security category or
-               classification of the system. For example, documentation associated with a key DoD
-               weapons system or command and control system would typically require a higher level
-               of protection than a routine administrative system. Documentation that addresses
-               information system vulnerabilities may also require an increased level of protection.
-               Secure operation of the information system, includes, for example, initially starting
-               the system and resuming secure system operation after any lapse in system
-               operation.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-         </part>
-         <part id="sa-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-5(a)</prop>
-               <p>obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5.a.1_obj" name="objective">
-                  <prop name="label">SA-5(a)(1)</prop>
-                  <part id="sa-5.a.1_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(1)[1]</prop>
-                     <p>secure configuration of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(1)[2]</prop>
-                     <p>secure installation of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.3" name="objective">
-                     <prop name="label">SA-5(a)(1)[3]</prop>
-                     <p>secure operation of the system, system component, or service;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.2_obj" name="objective">
-                  <prop name="label">SA-5(a)(2)</prop>
-                  <part id="sa-5.a.2_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(2)[1]</prop>
-                     <p>effective use of the security features/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.a.2_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(2)[2]</prop>
-                     <p>effective maintenance of the security features/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.3_obj" name="objective">
-                  <prop name="label">SA-5(a)(3)</prop>
-                  <p>known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-5(b)</prop>
-               <p>obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5.b.1_obj" name="objective">
-                  <prop name="label">SA-5(b)(1)</prop>
-                  <part id="sa-5.b.1_obj.1" name="objective">
-                     <prop name="label">SA-5(b)(1)[1]</prop>
-                     <p>user-accessible security functions/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.b.1_obj.2" name="objective">
-                     <prop name="label">SA-5(b)(1)[2]</prop>
-                     <p>how to effectively use those functions/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.b.2_obj" name="objective">
-                  <prop name="label">SA-5(b)(2)</prop>
-                  <p>methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner;</p>
-               </part>
-               <part id="sa-5.b.3_obj" name="objective">
-                  <prop name="label">SA-5(b)(3)</prop>
-                  <p>user responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5.c_obj" name="objective">
-               <prop name="label">SA-5(c)</prop>
-               <part id="sa-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-5(c)[1]</prop>
-                  <p>defines actions to be taken after documented attempts to obtain information
-                     system, system component, or information system service documentation when such
-                     documentation is either unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(c)[2]</prop>
-                  <p>documents attempts to obtain information system, system component, or
-                     information system service documentation when such documentation is either
-                     unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(c)[3]</prop>
-                  <p>takes organization-defined actions in response;</p>
-               </part>
-            </part>
-            <part id="sa-5.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-5(d)</prop>
-               <p>protects documentation as required, in accordance with the risk management
-                  strategy;</p>
-            </part>
-            <part id="sa-5.e_obj" name="objective">
-               <prop name="label">SA-5(e)</prop>
-               <part id="sa-5.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-5(e)[1]</prop>
-                  <p>defines personnel or roles to whom documentation is to be distributed; and</p>
-               </part>
-               <part id="sa-5.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(e)[2]</prop>
-                  <p>distributes documentation to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing information system documentation</p>
-               <p>information system documentation including administrator and user guides</p>
-               <p>records documenting attempts to obtain unavailable or nonexistent information
-                  system documentation</p>
-               <p>list of actions to be taken in response to documented attempts to obtain
-                  information system, system component, or information system service
-                  documentation</p>
-               <p>risk management strategy documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security requirements</p>
-               <p>system administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>information system developers</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for obtaining, protecting, and distributing information
-                  system administrator and user documentation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-9">
-         <title>External Information System Services</title>
-         <param id="sa-9_prm_1">
-            <label>organization-defined security controls</label>
-            <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-         </param>
-         <param id="sa-9_prm_2">
-            <label>organization-defined processes, methods, and techniques</label>
-            <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-         </param>
-         <prop name="label">SA-9</prop>
-         <prop name="sort-id">sa-09</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="sa-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires that providers of external information system services comply with
-                  organizational information security requirements and employ <insert param-id="sa-9_prm_1"/> in accordance with applicable federal laws, Executive
-                  Orders, directives, policies, regulations, standards, and guidance;</p>
-            </part>
-            <part id="sa-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents government oversight and user roles and responsibilities
-                  with regard to external information system services; and</p>
-            </part>
-            <part id="sa-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs <insert param-id="sa-9_prm_2"/> to monitor security control compliance by
-                  external service providers on an ongoing basis.</p>
-            </part>
-            <part id="sa-9_fr" name="item">
-               <title>SA-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-9_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Continuous Monitoring Strategy Guide <a href="https://www.FedRAMP.gov/documents">https://www.FedRAMP.gov/documents</a>
-                  </p>
-               </part>
-               <part id="sa-9_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents&gt;FedRAMP Authorization Boundary Guidance</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-9_gdn" name="guidance">
-            <p>External information system services are services that are implemented outside of the
-               authorization boundaries of organizational information systems. This includes
-               services that are used by, but not a part of, organizational information systems.
-               FISMA and OMB policy require that organizations using external service providers that
-               are processing, storing, or transmitting federal information or operating information
-               systems on behalf of the federal government ensure that such providers meet the same
-               security requirements that federal agencies are required to meet. Organizations
-               establish relationships with external service providers in a variety of ways
-               including, for example, through joint ventures, business partnerships, contracts,
-               interagency agreements, lines of business arrangements, licensing agreements, and
-               supply chain exchanges. The responsibility for managing risks from the use of
-               external information system services remains with authorizing officials. For services
-               external to organizations, a chain of trust requires that organizations establish and
-               retain a level of confidence that each participating provider in the potentially
-               complex consumer-provider relationship provides adequate protection for the services
-               rendered. The extent and nature of this chain of trust varies based on the
-               relationships between organizations and the external providers. Organizations
-               document the basis for trust relationships so the relationships can be monitored over
-               time. External information system services documentation includes government, service
-               providers, end user security roles and responsibilities, and service-level
-               agreements. Service-level agreements define expectations of performance for security
-               controls, describe measurable outcomes, and identify remedies and response
-               requirements for identified instances of noncompliance.</p>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ir-7">IR-7</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-         </part>
-         <part id="sa-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-9.a_obj" name="objective">
-               <prop name="label">SA-9(a)</prop>
-               <part id="sa-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[1]</prop>
-                  <p>defines security controls to be employed by providers of external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[2]</prop>
-                  <p>requires that providers of external information system services comply with
-                     organizational information security requirements;</p>
-               </part>
-               <part id="sa-9.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[3]</prop>
-                  <p>requires that providers of external information system services employ
-                     organization-defined security controls in accordance with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance;</p>
-               </part>
-            </part>
-            <part id="sa-9.b_obj" name="objective">
-               <prop name="label">SA-9(b)</prop>
-               <part id="sa-9.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(b)[1]</prop>
-                  <p>defines and documents government oversight with regard to external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(b)[2]</prop>
-                  <p>defines and documents user roles and responsibilities with regard to external
-                     information system services;</p>
-               </part>
-            </part>
-            <part id="sa-9.c_obj" name="objective">
-               <prop name="label">SA-9(c)</prop>
-               <part id="sa-9.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(c)[1]</prop>
-                  <p>defines processes, methods, and techniques to be employed to monitor security
-                     control compliance by external service providers; and</p>
-               </part>
-               <part id="sa-9.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(c)[2]</prop>
-                  <p>employs organization-defined processes, methods, and techniques to monitor
-                     security control compliance by external service providers on an ongoing
-                     basis.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing external information system services</p>
-               <p>procedures addressing methods and techniques for monitoring security control
-                  compliance by external service providers of information system services</p>
-               <p>acquisition contracts, service-level agreements</p>
-               <p>organizational security requirements and security specifications for external
-                  provider services</p>
-               <p>security control assessment evidence from external providers of information system
-                  services</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>external providers of information system services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-               <p>automated mechanisms for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sc">
-      <title>System and Communications Protection</title>
-      <control class="SP800-53" id="sc-1">
-         <title>System and Communications Protection Policy and Procedures</title>
-         <param id="sc-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sc-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="sc-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SC-1</prop>
-         <prop name="sort-id">sc-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sc-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sc-1_prm_1"/>:</p>
-               <part id="sc-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and communications protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="sc-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and communications
-                     protection policy and associated system and communications protection controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sc-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sc-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and communications protection policy <insert param-id="sc-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="sc-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and communications protection procedures <insert param-id="sc-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sc-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-1.a_obj" name="objective">
-               <prop name="label">SC-1(a)</prop>
-               <part id="sc-1.a.1_obj" name="objective">
-                  <prop name="label">SC-1(a)(1)</prop>
-                  <part id="sc-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and communications protection policy that
-                        addresses:</p>
-                     <part id="sc-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sc-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and communications protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SC-1(a)(1)[3]</prop>
-                     <p>disseminates the system and communications protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sc-1.a.2_obj" name="objective">
-                  <prop name="label">SC-1(a)(2)</prop>
-                  <part id="sc-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and communications protection policy and associated system and
-                        communications protection controls;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sc-1.b_obj" name="objective">
-               <prop name="label">SC-1(b)</prop>
-               <part id="sc-1.b.1_obj" name="objective">
-                  <prop name="label">SC-1(b)(1)</prop>
-                  <part id="sc-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection policy;</p>
-                  </part>
-                  <part id="sc-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and communications protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sc-1.b.2_obj" name="objective">
-                  <prop name="label">SC-1(b)(2)</prop>
-                  <part id="sc-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection procedures; and</p>
-                  </part>
-                  <part id="sc-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and communications protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and communications protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-5">
-         <title>Denial of Service Protection</title>
-         <param id="sc-5_prm_1">
-            <label>organization-defined types of denial of service attacks or references to sources
-               for such information</label>
-         </param>
-         <param id="sc-5_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SC-5</prop>
-         <prop name="sort-id">sc-05</prop>
-         <part id="sc-5_smt" name="statement">
-            <p>The information system protects against or limits the effects of the following types
-               of denial of service attacks: <insert param-id="sc-5_prm_1"/> by employing <insert param-id="sc-5_prm_2"/>.</p>
-         </part>
-         <part id="sc-5_gdn" name="guidance">
-            <p>A variety of technologies exist to limit, or in some cases, eliminate the effects of
-               denial of service attacks. For example, boundary protection devices can filter
-               certain types of packets to protect information system components on internal
-               organizational networks from being directly affected by denial of service attacks.
-               Employing increased capacity and bandwidth combined with service redundancy may also
-               reduce the susceptibility to denial of service attacks.</p>
-            <link rel="related" href="#sc-6">SC-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="sc-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-5_obj.1" name="objective">
-               <prop name="label">SC-5[1]</prop>
-               <p>the organization defines types of denial of service attacks or reference to source
-                  of such information for the information system to protect against or limit the
-                  effects;</p>
-            </part>
-            <part id="sc-5_obj.2" name="objective">
-               <prop name="label">SC-5[2]</prop>
-               <p>the organization defines security safeguards to be employed by the information
-                  system to protect against or limit the effects of organization-defined types of
-                  denial of service attacks; and</p>
-            </part>
-            <part id="sc-5_obj.3" name="objective">
-               <prop name="label">SC-5[3]</prop>
-               <p>the information system protects against or limits the effects of the
-                  organization-defined denial or service attacks (or reference to source for such
-                  information) by employing organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing denial of service protection</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>list of denial of services attacks requiring employment of security safeguards to
-                  protect against or limit effects of such attacks</p>
-               <p>list of security safeguards protecting against or limiting the effects of denial
-                  of service attacks</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms protecting against or limiting the effects of denial of
-                  service attacks</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-7">
-         <title>Boundary Protection</title>
-         <param id="sc-7_prm_1"/>
-         <prop name="label">SC-7</prop>
-         <prop name="sort-id">sc-07</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#756a8e86-57d5-4701-8382-f7a40439665a" rel="reference">NIST Special Publication 800-41</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <part id="sc-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors and controls communications at the external boundary of the system and at
-                  key internal boundaries within the system;</p>
-            </part>
-            <part id="sc-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements subnetworks for publicly accessible system components that are <insert param-id="sc-7_prm_1"/> separated from internal organizational networks;
-                  and</p>
-            </part>
-            <part id="sc-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part id="sc-7_gdn" name="guidance">
-            <p>Managed interfaces include, for example, gateways, routers, firewalls, guards,
-               network-based malicious code analysis and virtualization systems, or encrypted
-               tunnels implemented within a security architecture (e.g., routers protecting
-               firewalls or application gateways residing on protected subnetworks). Subnetworks
-               that are physically or logically separated from internal networks are referred to as
-               demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-               organizational information systems includes, for example, restricting external web
-               traffic to designated web servers within managed interfaces and prohibiting external
-               traffic that appears to be spoofing internal addresses. Organizations consider the
-               shared nature of commercial telecommunications services in the implementation of
-               security controls associated with the use of such services. Commercial
-               telecommunications services are commonly based on network components and consolidated
-               management systems shared by all attached commercial customers, and may also include
-               third party-provided access lines and other service elements. Such transmission
-               services may represent sources of increased risk despite contract security
-               provisions.</p>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="sc-7_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-7.a_obj" name="objective">
-               <prop name="label">SC-7(a)</prop>
-               <part id="sc-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[1]</prop>
-                  <p>monitors communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[2]</prop>
-                  <p>monitors communications at key internal boundaries within the system;</p>
-               </part>
-               <part id="sc-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[3]</prop>
-                  <p>controls communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[4]</prop>
-                  <p>controls communications at key internal boundaries within the system;</p>
-               </part>
-            </part>
-            <part id="sc-7.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-7(b)</prop>
-               <p>implements subnetworks for publicly accessible system components that are
-                  either:</p>
-               <part id="sc-7.b_obj.1" name="objective">
-                  <prop name="label">SC-7(b)[1]</prop>
-                  <p>physically separated from internal organizational networks; and/or</p>
-               </part>
-               <part id="sc-7.b_obj.2" name="objective">
-                  <prop name="label">SC-7(b)[2]</prop>
-                  <p>logically separated from internal organizational networks; and</p>
-               </part>
-            </part>
-            <part id="sc-7.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-7(c)</prop>
-               <p>connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing boundary protection</p>
-               <p>list of key internal boundaries of the information system</p>
-               <p>information system design documentation</p>
-               <p>boundary protection hardware and software</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>enterprise security architecture documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with boundary protection responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing boundary protection capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-12">
-         <title>Cryptographic Key Establishment and Management</title>
-         <param id="sc-12_prm_1">
-            <label>organization-defined requirements for key generation, distribution, storage,
-               access, and destruction</label>
-         </param>
-         <prop name="label">SC-12</prop>
-         <prop name="sort-id">sc-12</prop>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <part id="sc-12_smt" name="statement">
-            <p>The organization establishes and manages cryptographic keys for required cryptography
-               employed within the information system in accordance with <insert param-id="sc-12_prm_1"/>.</p>
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-12_gdn" name="guidance">
-            <p>Cryptographic key management and establishment can be performed using manual
-               procedures or automated mechanisms with supporting manual procedures. Organizations
-               define key management requirements in accordance with applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, and guidance,
-               specifying appropriate options, levels, and parameters. Organizations manage trust
-               stores to ensure that only approved trust anchors are in such trust stores. This
-               includes certificates with visibility external to organizational information systems
-               and certificates related to the internal operations of systems.</p>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="sc-12_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-12_obj.1" name="objective">
-               <prop name="label">SC-12[1]</prop>
-               <p>defines requirements for cryptographic key:</p>
-               <part id="sc-12_obj.1.a" name="objective">
-                  <prop name="label">SC-12[1][a]</prop>
-                  <p>generation;</p>
-               </part>
-               <part id="sc-12_obj.1.b" name="objective">
-                  <prop name="label">SC-12[1][b]</prop>
-                  <p>distribution;</p>
-               </part>
-               <part id="sc-12_obj.1.c" name="objective">
-                  <prop name="label">SC-12[1][c]</prop>
-                  <p>storage;</p>
-               </part>
-               <part id="sc-12_obj.1.d" name="objective">
-                  <prop name="label">SC-12[1][d]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="sc-12_obj.1.e" name="objective">
-                  <prop name="label">SC-12[1][e]</prop>
-                  <p>destruction; and</p>
-               </part>
-            </part>
-            <part id="sc-12_obj.2" name="objective">
-               <prop name="label">SC-12[2]</prop>
-               <p>establishes and manages cryptographic keys for required cryptography employed
-                  within the information system in accordance with organization-defined requirements
-                  for key generation, distribution, storage, access, and destruction.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic key establishment and management</p>
-               <p>information system design documentation</p>
-               <p>cryptographic mechanisms</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for cryptographic key establishment
-                  and/or management</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic key
-                  establishment and management</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-13">
-         <title>Cryptographic Protection</title>
-         <param id="sc-13_prm_1">
-            <label>organization-defined cryptographic uses and type of cryptography required for
-               each use</label>
-            <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SC-13</prop>
-         <prop name="sort-id">sc-13</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#6a1041fc-054e-4230-946b-2e6f4f3731bb" rel="reference">http://csrc.nist.gov/cryptval</link>
-         <link href="#9b97ed27-3dd6-4f9a-ade5-1b43e9669794" rel="reference">http://www.cnss.gov</link>
-         <part id="sc-13_smt" name="statement">
-            <p>The information system implements <insert param-id="sc-13_prm_1"/> in accordance with
-               applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards.</p>
-         </part>
-         <part id="sc-13_gdn" name="guidance">
-            <p>Cryptography can be employed to support a variety of security solutions including,
-               for example, the protection of classified and Controlled Unclassified Information,
-               the provision of digital signatures, and the enforcement of information separation
-               when authorized individuals have the necessary clearances for such information but
-               lack the necessary formal access approvals. Cryptography can also be used to support
-               random number generation and hash generation. Generally applicable cryptographic
-               standards include FIPS-validated cryptography and NSA-approved cryptography. This
-               control does not impose any requirements on organizations to use cryptography.
-               However, if cryptography is required based on the selection of other security
-               controls, organizations define each type of cryptographic use and the type of
-               cryptography required (e.g., protection of classified information: NSA-approved
-               cryptography; provision of digital signatures: FIPS-validated cryptography).</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-7">IA-7</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-13_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-13_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-13[1]</prop>
-               <p>the organization defines cryptographic uses; and</p>
-            </part>
-            <part id="sc-13_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-13[2]</prop>
-               <p>the organization defines the type of cryptography required for each use; and</p>
-            </part>
-            <part id="sc-13_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-13[3]</prop>
-               <p>the information system implements the organization-defined cryptographic uses and
-                  type of cryptography required for each use in accordance with applicable federal
-                  laws, Executive Orders, directives, policies, regulations, and standards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic protection</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>cryptographic module validation certificates</p>
-               <p>list of FIPS validated cryptographic modules</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for cryptographic protection</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic protection</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-15">
-         <title>Collaborative Computing Devices</title>
-         <param id="sc-15_prm_1">
-            <label>organization-defined exceptions where remote activation is to be allowed</label>
-            <constraint>no exceptions</constraint>
-         </param>
-         <prop name="label">SC-15</prop>
-         <prop name="sort-id">sc-15</prop>
-         <part id="sc-15_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-15_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prohibits remote activation of collaborative computing devices with the following
-                  exceptions: <insert param-id="sc-15_prm_1"/>; and</p>
-            </part>
-            <part id="sc-15_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides an explicit indication of use to users physically present at the
-                  devices.</p>
-            </part>
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-15_gdn" name="guidance">
-            <p>Collaborative computing devices include, for example, networked white boards,
-               cameras, and microphones. Explicit indication of use includes, for example, signals
-               to users when collaborative computing devices are activated.</p>
-            <link rel="related" href="#ac-21">AC-21</link>
-         </part>
-         <part id="sc-15_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-15.a_obj" name="objective">
-               <prop name="label">SC-15(a)</prop>
-               <part id="sc-15.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-15(a)[1]</prop>
-                  <p>the organization defines exceptions where remote activation of collaborative
-                     computing devices is to be allowed;</p>
-               </part>
-               <part id="sc-15.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-15(a)[2]</prop>
-                  <p>the information system prohibits remote activation of collaborative computing
-                     devices, except for organization-defined exceptions where remote activation is
-                     to be allowed; and</p>
-               </part>
-            </part>
-            <part id="sc-15.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-15(b)</prop>
-               <p>the information system provides an explicit indication of use to users physically
-                  present at the devices.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing collaborative computing</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for managing collaborative
-                  computing devices</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing management of remote
-                  activation of collaborative computing devices</p>
-               <p>automated mechanisms providing an indication of use of collaborative computing
-                  devices</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-20">
-         <title>Secure Name / Address Resolution Service (authoritative Source)</title>
-         <prop name="label">SC-20</prop>
-         <prop name="sort-id">sc-20</prop>
-         <link href="#28115a56-da6b-4d44-b1df-51dd7f048a3e" rel="reference">OMB Memorandum 08-23</link>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-20_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides additional data origin authentication and integrity verification
-                  artifacts along with the authoritative name resolution data the system returns in
-                  response to external name/address resolution queries; and</p>
-            </part>
-            <part id="sc-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides the means to indicate the security status of child zones and (if the
-                  child supports secure resolution services) to enable verification of a chain of
-                  trust among parent and child domains, when operating as part of a distributed,
-                  hierarchical namespace.</p>
-            </part>
-         </part>
-         <part id="sc-20_gdn" name="guidance">
-            <p>This control enables external clients including, for example, remote Internet
-               clients, to obtain origin authentication and integrity verification assurances for
-               the host/service name to network address resolution information obtained through the
-               service. Information systems that provide name and address resolution services
-               include, for example, domain name system (DNS) servers. Additional artifacts include,
-               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-               resource records are examples of authoritative data. The means to indicate the
-               security status of child zones includes, for example, the use of delegation signer
-               resource records in the DNS. The DNS security controls reflect (and are referenced
-               from) OMB Memorandum 08-23. Information systems that use technologies other than the
-               DNS to map between host/service names and network addresses provide other means to
-               assure the authenticity and integrity of response data.</p>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-20_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-20.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-20(a)</prop>
-               <p>provides additional data origin and integrity verification artifacts along with
-                  the authoritative name resolution data the system returns in response to external
-                  name/address resolution queries;</p>
-            </part>
-            <part id="sc-20.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-20(b)</prop>
-               <p>provides the means to, when operating as part of a distributed, hierarchical
-                  namespace:</p>
-               <part id="sc-20.b_obj.1" name="objective">
-                  <prop name="label">SC-20(b)[1]</prop>
-                  <p>indicate the security status of child zones; and</p>
-               </part>
-               <part id="sc-20.b_obj.2" name="objective">
-                  <prop name="label">SC-20(b)[2]</prop>
-                  <p>enable verification of a chain of trust among parent and child domains (if the
-                     child supports secure resolution services).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (authoritative
-                  source)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing secure name/address resolution
-                  service</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-21">
-         <title>Secure Name / Address Resolution Service (recursive or Caching Resolver)</title>
-         <prop name="label">SC-21</prop>
-         <prop name="sort-id">sc-21</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-21_smt" name="statement">
-            <p>The information system requests and performs data origin authentication and data
-               integrity verification on the name/address resolution responses the system receives
-               from authoritative sources.</p>
-         </part>
-         <part id="sc-21_gdn" name="guidance">
-            <p>Each client of name resolution services either performs this validation on its own,
-               or has authenticated channels to trusted validation providers. Information systems
-               that provide name and address resolution services for local clients include, for
-               example, recursive resolving or caching domain name system (DNS) servers. DNS client
-               resolvers either perform validation of DNSSEC signatures, or clients use
-               authenticated channels to recursive resolvers that perform such validations.
-               Information systems that use technologies other than the DNS to map between
-               host/service names and network addresses provide other means to enable clients to
-               verify the authenticity and integrity of response data.</p>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-21_obj" name="objective">
-            <p>Determine if the information system: </p>
-            <part id="sc-21_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-21[1]</prop>
-               <p>requests data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-21[2]</prop>
-               <p>requests data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-21[3]</prop>
-               <p>performs data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources; and</p>
-            </part>
-            <part id="sc-21_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-21[4]</prop>
-               <p>performs data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (recursive or caching
-                  resolver)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing data origin authentication and
-                  data integrity verification for name/address resolution services</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-22">
-         <title>Architecture and Provisioning for Name / Address Resolution Service</title>
-         <prop name="label">SC-22</prop>
-         <prop name="sort-id">sc-22</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-22_smt" name="statement">
-            <p>The information systems that collectively provide name/address resolution service for
-               an organization are fault-tolerant and implement internal/external role
-               separation.</p>
-         </part>
-         <part id="sc-22_gdn" name="guidance">
-            <p>Information systems that provide name and address resolution services include, for
-               example, domain name system (DNS) servers. To eliminate single points of failure and
-               to enhance redundancy, organizations employ at least two authoritative domain name
-               system servers, one configured as the primary server and the other configured as the
-               secondary server. Additionally, organizations typically deploy the servers in two
-               geographically separated network subnetworks (i.e., not located in the same physical
-               facility). For role separation, DNS servers with internal roles only process name and
-               address resolution requests from within organizations (i.e., from internal clients).
-               DNS servers with external roles only process name and address resolution information
-               requests from clients external to organizations (i.e., on external networks including
-               the Internet). Organizations specify clients that can access authoritative DNS
-               servers in particular roles (e.g., by address ranges, explicit lists).</p>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="sc-22_obj" name="objective">
-            <p>Determine if the information systems that collectively provide name/address
-               resolution service for an organization: </p>
-            <part id="sc-22_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-22[1]</prop>
-               <p>are fault tolerant; and</p>
-            </part>
-            <part id="sc-22_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-22[2]</prop>
-               <p>implement internal/external role separation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing architecture and provisioning for name/address resolution
-                  service</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>assessment results from independent, testing organizations</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing name/address resolution
-                  service for fault tolerance and role separation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-39">
-         <title>Process Isolation</title>
-         <prop name="label">SC-39</prop>
-         <prop name="sort-id">sc-39</prop>
-         <part id="sc-39_smt" name="statement">
-            <p>The information system maintains a separate execution domain for each executing
-               process.</p>
-         </part>
-         <part id="sc-39_gdn" name="guidance">
-            <p>Information systems can maintain separate execution domains for each executing
-               process by assigning each process a separate address space. Each information system
-               process has a distinct address space so that communication between processes is
-               performed in a manner controlled through the security functions, and one process
-               cannot modify the executing code of another process. Maintaining separate execution
-               domains for executing processes can be achieved, for example, by implementing
-               separate address spaces. This capability is available in most commercial operating
-               systems that employ multi-state processor technologies.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sc-39_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system maintains a separate execution domain for each
-               executing process.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system design documentation</p>
-               <p>information system architecture</p>
-               <p>independent verification and validation documentation</p>
-               <p>testing and evaluation documentation, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Information system developers/integrators</p>
-               <p>information system security architect</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing separate execution domains for
-                  each executing process</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="si">
-      <title>System and Information Integrity</title>
-      <control class="SP800-53" id="si-1">
-         <title>System and Information Integrity Policy and Procedures</title>
-         <param id="si-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="si-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-1</prop>
-         <prop name="sort-id">si-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="si-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="si-1_prm_1"/>:</p>
-               <part id="si-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and information integrity policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="si-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and information
-                     integrity policy and associated system and information integrity controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="si-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and information integrity policy <insert param-id="si-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="si-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and information integrity procedures <insert param-id="si-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="si-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SI
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="si-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-1.a_obj" name="objective">
-               <prop name="label">SI-1(a)</prop>
-               <part id="si-1.a.1_obj" name="objective">
-                  <prop name="label">SI-1(a)(1)</prop>
-                  <part id="si-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and information integrity policy that
-                        addresses:</p>
-                     <part id="si-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="si-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and information integrity
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="si-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SI-1(a)(1)[3]</prop>
-                     <p>disseminates the system and information integrity policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="si-1.a.2_obj" name="objective">
-                  <prop name="label">SI-1(a)(2)</prop>
-                  <part id="si-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and information integrity policy and associated system and
-                        information integrity controls;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SI-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-1.b_obj" name="objective">
-               <prop name="label">SI-1(b)</prop>
-               <part id="si-1.b.1_obj" name="objective">
-                  <prop name="label">SI-1(b)(1)</prop>
-                  <part id="si-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity policy;</p>
-                  </part>
-                  <part id="si-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and information integrity policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="si-1.b.2_obj" name="objective">
-                  <prop name="label">SI-1(b)(2)</prop>
-                  <part id="si-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity procedures; and</p>
-                  </part>
-                  <part id="si-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and information integrity procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and information integrity
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-2">
-         <title>Flaw Remediation</title>
-         <param id="si-2_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>within 30 days of release of updates</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-2</prop>
-         <prop name="sort-id">si-02</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="si-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies, reports, and corrects information system flaws;</p>
-            </part>
-            <part id="si-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tests software and firmware updates related to flaw remediation for effectiveness
-                  and potential side effects before installation;</p>
-            </part>
-            <part id="si-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Installs security-relevant software and firmware updates within <insert param-id="si-2_prm_1"/> of the release of the updates; and</p>
-            </part>
-            <part id="si-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part id="si-2_gdn" name="guidance">
-            <p>Organizations identify information systems affected by announced software flaws
-               including potential vulnerabilities resulting from those flaws, and report this
-               information to designated organizational personnel with information security
-               responsibilities. Security-relevant software updates include, for example, patches,
-               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-               discovered during security assessments, continuous monitoring, incident response
-               activities, and system error handling. Organizations take advantage of available
-               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-               Exposures (CVE) databases in remediating flaws discovered in organizational
-               information systems. By incorporating flaw remediation into ongoing configuration
-               management processes, required/anticipated remediation actions can be tracked and
-               verified. Flaw remediation actions that can be tracked and verified include, for
-               example, determining whether organizations follow US-CERT guidance and Information
-               Assurance Vulnerability Alerts. Organization-defined time periods for updating
-               security-relevant software and firmware may vary based on a variety of factors
-               including, for example, the security category of the information system or the
-               criticality of the update (i.e., severity of the vulnerability related to the
-               discovered flaw). Some types of flaw remediation may require more testing than other
-               types. Organizations determine the degree and type of testing needed for the specific
-               type of flaw remediation activity under consideration and also the types of changes
-               that are to be configuration-managed. In some situations, organizations may determine
-               that the testing of software and/or firmware updates is not necessary or practical,
-               for example, when implementing simple anti-virus signature updates. Organizations may
-               also consider in testing decisions, whether security-relevant software or firmware
-               updates are obtained from authorized sources with appropriate digital signatures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="si-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-2.a_obj" name="objective">
-               <prop name="label">SI-2(a)</prop>
-               <part id="si-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[1]</prop>
-                  <p>identifies information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[2]</prop>
-                  <p>reports information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[3]</prop>
-                  <p>corrects information system flaws;</p>
-               </part>
-            </part>
-            <part id="si-2.b_obj" name="objective">
-               <prop name="label">SI-2(b)</prop>
-               <part id="si-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(b)[1]</prop>
-                  <p>tests software updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-               <part id="si-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(b)[2]</prop>
-                  <p>tests firmware updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-            </part>
-            <part id="si-2.c_obj" name="objective">
-               <prop name="label">SI-2(c)</prop>
-               <part id="si-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-2(c)[1]</prop>
-                  <p>defines the time period within which to install security-relevant software
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-2(c)[2]</prop>
-                  <p>defines the time period within which to install security-relevant firmware
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(c)[3]</prop>
-                  <p>installs software updates within the organization-defined time period of the
-                     release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(c)[4]</prop>
-                  <p>installs firmware updates within the organization-defined time period of the
-                     release of the updates; and</p>
-               </part>
-            </part>
-            <part id="si-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-2(d)</prop>
-               <p>incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing flaw remediation</p>
-               <p>procedures addressing configuration management</p>
-               <p>list of flaws and vulnerabilities potentially affecting the information system</p>
-               <p>list of recent security flaw remediation actions performed on the information
-                  system (e.g., list of installed patches, service packs, hot fixes, and other
-                  software updates to correct information system flaws)</p>
-               <p>test results from the installation of software and firmware updates to correct
-                  information system flaws</p>
-               <p>installation/change control records for security-relevant software and firmware
-                  updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for flaw remediation</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for identifying, reporting, and correcting information
-                  system flaws</p>
-               <p>organizational process for installing software and firmware updates</p>
-               <p>automated mechanisms supporting and/or implementing reporting, and correcting
-                  information system flaws</p>
-               <p>automated mechanisms supporting and/or implementing testing software and firmware
-                  updates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-3">
-         <title>Malicious Code Protection</title>
-         <param id="si-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least weekly</constraint>
-         </param>
-         <param id="si-3_prm_2">
-            <constraint>to include endpoints</constraint>
-         </param>
-         <param id="si-3_prm_3">
-            <constraint>to include alerting administrator or defined security personnel</constraint>
-         </param>
-         <param id="si-3_prm_4" depends-on="si-3_prm_3">
-            <label>organization-defined action</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-3</prop>
-         <prop name="sort-id">si-03</prop>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <part id="si-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs malicious code protection mechanisms at information system entry and exit
-                  points to detect and eradicate malicious code;</p>
-            </part>
-            <part id="si-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and
-                  procedures;</p>
-            </part>
-            <part id="si-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Configures malicious code protection mechanisms to:</p>
-               <part id="si-3_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Perform periodic scans of the information system <insert param-id="si-3_prm_1"/> and real-time scans of files from external sources at <insert param-id="si-3_prm_2"/> as the files are downloaded, opened, or executed in
-                     accordance with organizational security policy; and</p>
-               </part>
-               <part id="si-3_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>
-                     <insert param-id="si-3_prm_3"/> in response to malicious code detection;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Addresses the receipt of false positives during malicious code detection and
-                  eradication and the resulting potential impact on the availability of the
-                  information system.</p>
-            </part>
-         </part>
-         <part id="si-3_gdn" name="guidance">
-            <p>Information system entry and exit points include, for example, firewalls, electronic
-               mail servers, web servers, proxy servers, remote-access servers, workstations,
-               notebook computers, and mobile devices. Malicious code includes, for example,
-               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-               files, or hidden in files using steganography. Malicious code can be transported by
-               different means including, for example, web accesses, electronic mail, electronic
-               mail attachments, and portable storage devices. Malicious code insertions occur
-               through the exploitation of information system vulnerabilities. Malicious code
-               protection mechanisms include, for example, anti-virus signature definitions and
-               reputation-based technologies. A variety of technologies and methods exist to limit
-               or eliminate the effects of malicious code. Pervasive configuration management and
-               comprehensive software integrity controls may be effective in preventing execution of
-               unauthorized code. In addition to commercial off-the-shelf software, malicious code
-               may also be present in custom-built software. This could include, for example, logic
-               bombs, back doors, and other types of cyber attacks that could affect organizational
-               missions/business functions. Traditional malicious code protection mechanisms cannot
-               always detect such code. In these situations, organizations rely instead on other
-               safeguards including, for example, secure coding practices, configuration management
-               and control, trusted procurement processes, and monitoring practices to help ensure
-               that software does not perform functions other than the functions intended.
-               Organizations may determine that in response to the detection of malicious code,
-               different actions may be warranted. For example, organizations can define actions in
-               response to malicious code detection during periodic scans, actions in response to
-               detection of malicious downloads, and/or actions in response to detection of
-               maliciousness when attempting to open or execute files.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-13">SA-13</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-3(a)</prop>
-               <p>employs malicious code protection mechanisms to detect and eradicate malicious
-                  code at information system:</p>
-               <part id="si-3.a_obj.1" name="objective">
-                  <prop name="label">SI-3(a)[1]</prop>
-                  <p>entry points;</p>
-               </part>
-               <part id="si-3.a_obj.2" name="objective">
-                  <prop name="label">SI-3(a)[2]</prop>
-                  <p>exit points;</p>
-               </part>
-            </part>
-            <part id="si-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-3(b)</prop>
-               <p>updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and procedures
-                  (as identified in CM-1);</p>
-            </part>
-            <part id="si-3.c_obj" name="objective">
-               <prop name="label">SI-3(c)</prop>
-               <part id="si-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-3(c)[1]</prop>
-                  <p>defines a frequency for malicious code protection mechanisms to perform
-                     periodic scans of the information system;</p>
-               </part>
-               <part id="si-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-3(c)[2]</prop>
-                  <p>defines action to be initiated by malicious protection mechanisms in response
-                     to malicious code detection;</p>
-               </part>
-               <part id="si-3.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-3(c)[3]</prop>
-                  <part id="si-3.c.1_obj.3" name="objective">
-                     <prop name="label">SI-3(c)[3](1)</prop>
-                     <p>configures malicious code protection mechanisms to:</p>
-                     <part id="si-3.c.1_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[a]</prop>
-                        <p>perform periodic scans of the information system with the
-                           organization-defined frequency;</p>
-                     </part>
-                     <part id="si-3.c.1_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[b]</prop>
-                        <p>perform real-time scans of files from external sources at endpoint and/or
-                           network entry/exit points as the files are downloaded, opened, or
-                           executed in accordance with organizational security policy;</p>
-                     </part>
-                  </part>
-                  <part id="si-3.c.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-3(c)[3](2)</prop>
-                     <p>configures malicious code protection mechanisms to do one or more of the
-                        following:</p>
-                     <part id="si-3.c.2_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[a]</prop>
-                        <p>block malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[b]</prop>
-                        <p>quarantine malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.c" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[c]</prop>
-                        <p>send alert to administrator in response to malicious code detection;
-                           and/or</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.d" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[d]</prop>
-                        <p>initiate organization-defined action in response to malicious code
-                           detection;</p>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="si-3.d_obj" name="objective">
-               <prop name="label">SI-3(d)</prop>
-               <part id="si-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-3(d)[1]</prop>
-                  <p>addresses the receipt of false positives during malicious code detection and
-                     eradication; and</p>
-               </part>
-               <part id="si-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-3(d)[2]</prop>
-                  <p>addresses the resulting potential impact on the availability of the information
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>configuration management policy and procedures</p>
-               <p>procedures addressing malicious code protection</p>
-               <p>malicious code protection mechanisms</p>
-               <p>records of malicious code protection updates</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>scan results from malicious code protection mechanisms</p>
-               <p>record of actions initiated by malicious code protection mechanisms in response to
-                  malicious code detection</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for malicious code protection</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for employing, updating, and configuring malicious code
-                  protection mechanisms</p>
-               <p>organizational process for addressing false positives and resulting potential
-                  impact</p>
-               <p>automated mechanisms supporting and/or implementing employing, updating, and
-                  configuring malicious code protection mechanisms</p>
-               <p>automated mechanisms supporting and/or implementing malicious code scanning and
-                  subsequent actions</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-4">
-         <title>Information System Monitoring</title>
-         <param id="si-4_prm_1">
-            <label>organization-defined monitoring objectives</label>
-         </param>
-         <param id="si-4_prm_2">
-            <label>organization-defined techniques and methods</label>
-         </param>
-         <param id="si-4_prm_3">
-            <label>organization-defined information system monitoring information</label>
-         </param>
-         <param id="si-4_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-4_prm_5"/>
-         <param id="si-4_prm_6" depends-on="si-4_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-4</prop>
-         <prop name="sort-id">si-04</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="si-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors the information system to detect:</p>
-               <part id="si-4_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Attacks and indicators of potential attacks in accordance with <insert param-id="si-4_prm_1"/>; and</p>
-               </part>
-               <part id="si-4_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Unauthorized local, network, and remote connections;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Identifies unauthorized use of the information system through <insert param-id="si-4_prm_2"/>;</p>
-            </part>
-            <part id="si-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Deploys monitoring devices:</p>
-               <part id="si-4_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Strategically within the information system to collect organization-determined
-                     essential information; and</p>
-               </part>
-               <part id="si-4_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>At ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects information obtained from intrusion-monitoring tools from unauthorized
-                  access, modification, and deletion;</p>
-            </part>
-            <part id="si-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations; and</p>
-            </part>
-            <part id="si-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Provides <insert param-id="si-4_prm_3"/> to <insert param-id="si-4_prm_4"/>
-                  <insert param-id="si-4_prm_5"/>.</p>
-            </part>
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </part>
-         <part id="si-4_gdn" name="guidance">
-            <p>Information system monitoring includes external and internal monitoring. External
-               monitoring includes the observation of events occurring at the information system
-               boundary (i.e., part of perimeter defense and boundary protection). Internal
-               monitoring includes the observation of events occurring within the information
-               system. Organizations can monitor information systems, for example, by observing
-               audit activities in real time or by observing other system aspects such as access
-               patterns, characteristics of access, and other actions. The monitoring objectives may
-               guide determination of the events. Information system monitoring capability is
-               achieved through a variety of tools and techniques (e.g., intrusion detection
-               systems, intrusion prevention systems, malicious code protection software, scanning
-               tools, audit record monitoring software, network monitoring software). Strategic
-               locations for monitoring devices include, for example, selected perimeter locations
-               and near server farms supporting critical applications, with such devices typically
-               being employed at the managed interfaces associated with controls SC-7 and AC-17.
-               Einstein network monitoring devices from the Department of Homeland Security can also
-               be included as monitoring devices. The granularity of monitoring information
-               collected is based on organizational monitoring objectives and the capability of
-               information systems to support such objectives. Specific types of transactions of
-               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-               bypasses HTTP proxies. Information system monitoring is an integral part of
-               organizational continuous monitoring and incident response programs. Output from
-               system monitoring serves as input to continuous monitoring and incident response
-               programs. A network connection is any connection with a device that communicates
-               through a network (e.g., local area network, Internet). A remote connection is any
-               connection with a device communicating through an external network (e.g., the
-               Internet). Local, network, and remote connections can be either wired or
-               wireless.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-35">SC-35</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-4.a_obj" name="objective">
-               <prop name="label">SI-4(a)</prop>
-               <part id="si-4.a.1_obj" name="objective">
-                  <prop name="label">SI-4(a)(1)</prop>
-                  <part id="si-4.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-4(a)(1)[1]</prop>
-                     <p>defines monitoring objectives to detect attacks and indicators of potential
-                        attacks on the information system;</p>
-                  </part>
-                  <part id="si-4.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-4(a)(1)[2]</prop>
-                     <p>monitors the information system to detect, in accordance with
-                        organization-defined monitoring objectives,:</p>
-                     <part id="si-4.a.1_obj.2.a" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][a]</prop>
-                        <p>attacks;</p>
-                     </part>
-                     <part id="si-4.a.1_obj.2.b" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][b]</prop>
-                        <p>indicators of potential attacks;</p>
-                     </part>
-                  </part>
-               </part>
-               <part id="si-4.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(a)(2)</prop>
-                  <p>monitors the information system to detect unauthorized:</p>
-                  <part id="si-4.a.2_obj.1" name="objective">
-                     <prop name="label">SI-4(a)(2)[1]</prop>
-                     <p>local connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.2" name="objective">
-                     <prop name="label">SI-4(a)(2)[2]</prop>
-                     <p>network connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.3" name="objective">
-                     <prop name="label">SI-4(a)(2)[3]</prop>
-                     <p>remote connections;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-4.b_obj" name="objective">
-               <prop name="label">SI-4(b)</prop>
-               <part id="si-4.b.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(b)(1)</prop>
-                  <p>defines techniques and methods to identify unauthorized use of the information
-                     system;</p>
-               </part>
-               <part id="si-4.b.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(b)(2)</prop>
-                  <p>identifies unauthorized use of the information system through
-                     organization-defined techniques and methods;</p>
-               </part>
-            </part>
-            <part id="si-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(c)</prop>
-               <p>deploys monitoring devices:</p>
-               <part id="si-4.c_obj.1" name="objective">
-                  <prop name="label">SI-4(c)[1]</prop>
-                  <p>strategically within the information system to collect organization-determined
-                     essential information;</p>
-               </part>
-               <part id="si-4.c_obj.2" name="objective">
-                  <prop name="label">SI-4(c)[2]</prop>
-                  <p>at ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(d)</prop>
-               <p>protects information obtained from intrusion-monitoring tools from
-                  unauthorized:</p>
-               <part id="si-4.d_obj.1" name="objective">
-                  <prop name="label">SI-4(d)[1]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="si-4.d_obj.2" name="objective">
-                  <prop name="label">SI-4(d)[2]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="si-4.d_obj.3" name="objective">
-                  <prop name="label">SI-4(d)[3]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="si-4.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(e)</prop>
-               <p>heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4.f_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">SI-4(f)</prop>
-               <p>obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations;</p>
-            </part>
-            <part id="si-4.g_obj" name="objective">
-               <prop name="label">SI-4(g)</prop>
-               <part id="si-4.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[1]</prop>
-                  <p>defines personnel or roles to whom information system monitoring information is
-                     to be provided;</p>
-               </part>
-               <part id="si-4.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[2]</prop>
-                  <p>defines information system monitoring information to be provided to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[3]</prop>
-                  <p>defines a frequency to provide organization-defined information system
-                     monitoring to organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(g)[4]</prop>
-                  <p>provides organization-defined information system monitoring information to
-                     organization-defined personnel or roles one or more of the following:</p>
-                  <part id="si-4.g_obj.4.a" name="objective">
-                     <prop name="label">SI-4(g)[4][a]</prop>
-                     <p>as needed; and/or</p>
-                  </part>
-                  <part id="si-4.g_obj.4.b" name="objective">
-                     <prop name="label">SI-4(g)[4][b]</prop>
-                     <p>with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Continuous monitoring strategy</p>
-               <p>system and information integrity policy</p>
-               <p>procedures addressing information system monitoring tools and techniques</p>
-               <p>facility diagram/layout</p>
-               <p>information system design documentation</p>
-               <p>information system monitoring tools and techniques documentation</p>
-               <p>locations within information system where monitoring devices are deployed</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility monitoring the information system</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information system monitoring</p>
-               <p>automated mechanisms supporting and/or implementing information system monitoring
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-5">
-         <title>Security Alerts, Advisories, and Directives</title>
-         <param id="si-5_prm_1">
-            <label>organization-defined external organizations</label>
-            <constraint>to include US-CERT</constraint>
-         </param>
-         <param id="si-5_prm_2">
-            <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-         </param>
-         <param id="si-5_prm_3" depends-on="si-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-5_prm_4" depends-on="si-5_prm_2">
-            <label>organization-defined elements within the organization</label>
-         </param>
-         <param id="si-5_prm_5" depends-on="si-5_prm_2">
-            <label>organization-defined external organizations</label>
-         </param>
-         <prop name="label">SI-5</prop>
-         <prop name="sort-id">si-05</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <part id="si-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receives information system security alerts, advisories, and directives from
-                     <insert param-id="si-5_prm_1"/> on an ongoing basis;</p>
-            </part>
-            <part id="si-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Disseminates security alerts, advisories, and directives to: <insert param-id="si-5_prm_2"/>; and</p>
-            </part>
-            <part id="si-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implements security directives in accordance with established time frames, or
-                  notifies the issuing organization of the degree of noncompliance.</p>
-            </part>
-         </part>
-         <part id="si-5_gdn" name="guidance">
-            <p>The United States Computer Emergency Readiness Team (US-CERT) generates security
-               alerts and advisories to maintain situational awareness across the federal
-               government. Security directives are issued by OMB or other designated organizations
-               with the responsibility and authority to issue such directives. Compliance to
-               security directives is essential due to the critical nature of many of these
-               directives and the potential immediate adverse effects on organizational operations
-               and assets, individuals, other organizations, and the Nation should the directives
-               not be implemented in a timely manner. External organizations include, for example,
-               external mission/business partners, supply chain partners, external service
-               providers, and other peer/supporting organizations.</p>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="si-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-5.a_obj" name="objective">
-               <prop name="label">SI-5(a)</prop>
-               <part id="si-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(a)[1]</prop>
-                  <p>defines external organizations from whom information system security alerts,
-                     advisories and directives are to be received;</p>
-               </part>
-               <part id="si-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(a)[2]</prop>
-                  <p>receives information system security alerts, advisories, and directives from
-                     organization-defined external organizations on an ongoing basis;</p>
-               </part>
-            </part>
-            <part id="si-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-5(b)</prop>
-               <p>generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5.c_obj" name="objective">
-               <prop name="label">SI-5(c)</prop>
-               <part id="si-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[1]</prop>
-                  <p>defines personnel or roles to whom security alerts, advisories, and directives
-                     are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[2]</prop>
-                  <p>defines elements within the organization to whom security alerts, advisories,
-                     and directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[3]</prop>
-                  <p>defines external organizations to whom security alerts, advisories, and
-                     directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(c)[4]</prop>
-                  <p>disseminates security alerts, advisories, and directives to one or more of the
-                     following:</p>
-                  <part id="si-5.c_obj.4.a" name="objective">
-                     <prop name="label">SI-5(c)[4][a]</prop>
-                     <p>organization-defined personnel or roles;</p>
-                  </part>
-                  <part id="si-5.c_obj.4.b" name="objective">
-                     <prop name="label">SI-5(c)[4][b]</prop>
-                     <p>organization-defined elements within the organization; and/or</p>
-                  </part>
-                  <part id="si-5.c_obj.4.c" name="objective">
-                     <prop name="label">SI-5(c)[4][c]</prop>
-                     <p>organization-defined external organizations; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-5.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-5(d)</prop>
-               <part id="si-5.d_obj.1" name="objective">
-                  <prop name="label">SI-5(d)[1]</prop>
-                  <p>implements security directives in accordance with established time frames;
-                     or</p>
-               </part>
-               <part id="si-5.d_obj.2" name="objective">
-                  <prop name="label">SI-5(d)[2]</prop>
-                  <p>notifies the issuing organization of the degree of noncompliance.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing security alerts, advisories, and directives</p>
-               <p>records of security alerts and advisories</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security alert and advisory responsibilities</p>
-               <p>organizational personnel implementing, operating, maintaining, and using the
-                  information system</p>
-               <p>organizational personnel, organizational elements, and/or external organizations
-                  to whom alerts, advisories, and directives are to be disseminated</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining, receiving, generating, disseminating, and
-                  complying with security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing definition, receipt,
-                  generation, and dissemination of security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing security directives</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-12">
-         <title>Information Handling and Retention</title>
-         <prop name="label">SI-12</prop>
-         <prop name="sort-id">si-12</prop>
-         <part id="si-12_smt" name="statement">
-            <p>The organization handles and retains information within the information system and
-               information output from the system in accordance with applicable federal laws,
-               Executive Orders, directives, policies, regulations, standards, and operational
-               requirements.</p>
-         </part>
-         <part id="si-12_gdn" name="guidance">
-            <p>Information handling and retention requirements cover the full life cycle of
-               information, in some cases extending beyond the disposal of information systems. The
-               National Archives and Records Administration provides guidance on records
-               retention.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-         </part>
-         <part id="si-12_obj" name="objective">
-            <p>Determine if the organization, in accordance with applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and operational
-               requirements:</p>
-            <part id="si-12_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-12[1]</prop>
-               <p>handles information within the information system;</p>
-            </part>
-            <part id="si-12_obj.2" name="objective">
-               <prop name="label">SI-12[2]</prop>
-               <p>handles output from the information system;</p>
-            </part>
-            <part id="si-12_obj.3" name="objective">
-               <prop name="label">SI-12[3]</prop>
-               <p>retains information within the information system; and</p>
-            </part>
-            <part id="si-12_obj.4" name="objective">
-               <prop name="label">SI-12[4]</prop>
-               <p>retains output from the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  operational requirements applicable to information handling and retention</p>
-               <p>media protection policy and procedures</p>
-               <p>procedures addressing information system output handling and retention</p>
-               <p>information retention records, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information handling and
-                  retention</p>
-               <p>organizational personnel with information security responsibilities/network
-                  administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information handling and retention</p>
-               <p>automated mechanisms supporting and/or implementing information handling and
-                  retention</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-16">
-         <title>Memory Protection</title>
-         <param id="si-16_prm_1">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SI-16</prop>
-         <prop name="sort-id">si-16</prop>
-         <part id="si-16_smt" name="statement">
-            <p>The information system implements <insert param-id="si-16_prm_1"/> to protect its
-               memory from unauthorized code execution.</p>
-         </part>
-         <part id="si-16_gdn" name="guidance">
-            <p>Some adversaries launch attacks with the intent of executing code in non-executable
-               regions of memory or in memory locations that are prohibited. Security safeguards
-               employed to protect memory include, for example, data execution prevention and
-               address space layout randomization. Data execution prevention safeguards can either
-               be hardware-enforced or software-enforced with hardware providing the greater
-               strength of mechanism.</p>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="si-16_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-16_obj.1" name="objective">
-               <prop name="label">SI-16[1]</prop>
-               <p>the organization defines security safeguards to be implemented to protect
-                  information system memory from unauthorized code execution; and</p>
-            </part>
-            <part id="si-16_obj.2" name="objective">
-               <prop name="label">SI-16[2]</prop>
-               <p>the information system implements organization-defined security safeguards to
-                  protect its memory from unauthorized code execution.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing memory protection for the information system</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of security safeguards protecting information system memory from unauthorized
-                  code execution</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for memory protection</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing safeguards to protect
-                  information system memory from unauthorized code execution</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <back-matter>
-      <resource uuid="0c97e60b-325a-4efa-ba2b-90f20ccd5abc">
-         <title>5 C.F.R. 731.106</title>
-         <citation>
-            <text>Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-               731.106).</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"/>
-      </resource>
-      <resource uuid="bb61234b-46c3-4211-8c2b-9869222a720d">
-         <title>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</title>
-         <citation>
-            <text>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"/>
-      </resource>
-      <resource uuid="a4aa9645-9a8a-4b51-90a9-e223250f9a75">
-         <title>CNSS Policy 15</title>
-         <citation>
-            <text>CNSS Policy 15</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/policies.html"/>
-      </resource>
-      <resource uuid="2d8b14e9-c8b5-4d3d-8bdc-155078f3281b">
-         <title>DoD Information Assurance Vulnerability Alerts</title>
-         <citation>
-            <text>DoD Information Assurance Vulnerability Alerts</text>
-         </citation>
-      </resource>
-      <resource uuid="61081e7f-041d-4033-96a7-44a439071683">
-         <title>DoD Instruction 5200.39</title>
-         <citation>
-            <text>DoD Instruction 5200.39</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="e42b2099-3e1c-415b-952c-61c96533c12e">
-         <title>DoD Instruction 8551.01</title>
-         <citation>
-            <text>DoD Instruction 8551.01</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="c5034e0c-eba6-4ecd-a541-79f0678f4ba4">
-         <title>Executive Order 13587</title>
-         <citation>
-            <text>Executive Order 13587</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"/>
-      </resource>
-      <resource uuid="56d671da-6b7b-4abf-8296-84b61980390a">
-         <title>Federal Acquisition Regulation</title>
-         <citation>
-            <text>Federal Acquisition Regulation</text>
-         </citation>
-         <rlink href="https://acquisition.gov/far"/>
-      </resource>
-      <resource uuid="023104bc-6f75-4cd5-b7d0-fc92326f8007">
-         <title>Federal Continuity Directive 1</title>
-         <citation>
-            <text>Federal Continuity Directive 1</text>
-         </citation>
-         <rlink href="http://www.fema.gov/pdf/about/offices/fcd1.pdf"/>
-      </resource>
-      <resource uuid="ba557c91-ba3e-4792-adc6-a4ae479b39ff">
-         <title>FICAM Roadmap and Implementation Guidance</title>
-         <citation>
-            <text>FICAM Roadmap and Implementation Guidance</text>
-         </citation>
-         <rlink href="http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"/>
-      </resource>
-      <resource uuid="39f9087d-7687-46d2-8eda-b6f4b7a4d8a9">
-         <title>FIPS Publication 140</title>
-         <citation>
-            <text>FIPS Publication 140</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html"/>
-      </resource>
-      <resource uuid="d715b234-9b5b-4e07-b1ed-99836727664d">
-         <title>FIPS Publication 140-2</title>
-         <citation>
-            <text>FIPS Publication 140-2</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#140-2"/>
-      </resource>
-      <resource uuid="f2dbd4ec-c413-4714-b85b-6b7184d1c195">
-         <title>FIPS Publication 197</title>
-         <citation>
-            <text>FIPS Publication 197</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#197"/>
-      </resource>
-      <resource uuid="e85cdb3f-7f0a-4083-8639-f13f70d3760b">
-         <title>FIPS Publication 199</title>
-         <citation>
-            <text>FIPS Publication 199</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#199"/>
-      </resource>
-      <resource uuid="c80c10b3-1294-4984-a4cc-d1733ca432b9">
-         <title>FIPS Publication 201</title>
-         <citation>
-            <text>FIPS Publication 201</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#201"/>
-      </resource>
-      <resource uuid="ad733a42-a7ed-4774-b988-4930c28852f3">
-         <title>HSPD-12</title>
-         <citation>
-            <text>HSPD-12</text>
-         </citation>
-         <rlink href="http://www.dhs.gov/homeland-security-presidential-directive-12"/>
-      </resource>
-      <resource uuid="e95dd121-2733-413e-bf1e-f1eb49f20a98">
-         <title>http://checklists.nist.gov</title>
-         <citation>
-            <text>http://checklists.nist.gov</text>
-         </citation>
-         <rlink href="http://checklists.nist.gov"/>
-      </resource>
-      <resource uuid="6a1041fc-054e-4230-946b-2e6f4f3731bb">
-         <title>http://csrc.nist.gov/cryptval</title>
-         <citation>
-            <text>http://csrc.nist.gov/cryptval</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/cryptval"/>
-      </resource>
-      <resource uuid="b09d1a31-d3c9-4138-a4f4-4c63816afd7d">
-         <title>http://csrc.nist.gov/groups/STM/cmvp/index.html</title>
-         <citation>
-            <text>http://csrc.nist.gov/groups/STM/cmvp/index.html</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/groups/STM/cmvp/index.html"/>
-      </resource>
-      <resource uuid="15522e92-9192-463d-9646-6a01982db8ca">
-         <title>http://cwe.mitre.org</title>
-         <citation>
-            <text>http://cwe.mitre.org</text>
-         </citation>
-         <rlink href="http://cwe.mitre.org"/>
-      </resource>
-      <resource uuid="5ed1f4d5-1494-421b-97ed-39d3c88ab51f">
-         <title>http://fips201ep.cio.gov</title>
-         <citation>
-            <text>http://fips201ep.cio.gov</text>
-         </citation>
-         <rlink href="http://fips201ep.cio.gov"/>
-      </resource>
-      <resource uuid="85280698-0417-489d-b214-12bb935fb939">
-         <title>http://idmanagement.gov</title>
-         <citation>
-            <text>http://idmanagement.gov</text>
-         </citation>
-         <rlink href="http://idmanagement.gov"/>
-      </resource>
-      <resource uuid="275cc052-0f7f-423c-bdb6-ed503dc36228">
-         <title>http://nvd.nist.gov</title>
-         <citation>
-            <text>http://nvd.nist.gov</text>
-         </citation>
-         <rlink href="http://nvd.nist.gov"/>
-      </resource>
-      <resource uuid="bbd50dd1-54ce-4432-959d-63ea564b1bb4">
-         <title>http://www.acquisition.gov/far</title>
-         <citation>
-            <text>http://www.acquisition.gov/far</text>
-         </citation>
-         <rlink href="http://www.acquisition.gov/far"/>
-      </resource>
-      <resource uuid="9b97ed27-3dd6-4f9a-ade5-1b43e9669794">
-         <title>http://www.cnss.gov</title>
-         <citation>
-            <text>http://www.cnss.gov</text>
-         </citation>
-         <rlink href="http://www.cnss.gov"/>
-      </resource>
-      <resource uuid="c95a9986-3cd6-4a98-931b-ccfc56cb11e5">
-         <title>http://www.niap-ccevs.org</title>
-         <citation>
-            <text>http://www.niap-ccevs.org</text>
-         </citation>
-         <rlink href="http://www.niap-ccevs.org"/>
-      </resource>
-      <resource uuid="647b6de3-81d0-4d22-bec1-5f1333e34380">
-         <title>http://www.nsa.gov</title>
-         <citation>
-            <text>http://www.nsa.gov</text>
-         </citation>
-         <rlink href="http://www.nsa.gov"/>
-      </resource>
-      <resource uuid="a47466c4-c837-4f06-a39f-e68412a5f73d">
-         <title>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</title>
-         <citation>
-            <text>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</text>
-         </citation>
-         <rlink href="http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"/>
-      </resource>
-      <resource uuid="02631467-668b-4233-989b-3dfded2fd184">
-         <title>http://www.us-cert.gov</title>
-         <citation>
-            <text>http://www.us-cert.gov</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov"/>
-      </resource>
-      <resource uuid="6caa237b-531b-43ac-9711-d8f6b97b0377">
-         <title>ICD 704</title>
-         <citation>
-            <text>ICD 704</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="398e33fd-f404-4e5c-b90e-2d50d3181244">
-         <title>ICD 705</title>
-         <citation>
-            <text>ICD 705</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="1737a687-52fb-4008-b900-cbfa836f7b65">
-         <title>ISO/IEC 15408</title>
-         <citation>
-            <text>ISO/IEC 15408</text>
-         </citation>
-         <rlink href="http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"/>
-      </resource>
-      <resource uuid="654f21e2-f3bc-43b2-abdc-60ab8d09744b">
-         <title>National Strategy for Trusted Identities in Cyberspace</title>
-         <citation>
-            <text>National Strategy for Trusted Identities in Cyberspace</text>
-         </citation>
-         <rlink href="http://www.nist.gov/nstic"/>
-      </resource>
-      <resource uuid="9cb3d8fe-2127-48ba-821e-cdd2d7aee921">
-         <title>NIST Special Publication 800-100</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-100</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-100</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-100"/>
-      </resource>
-      <resource uuid="3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e">
-         <title>NIST Special Publication 800-111</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-111</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-111</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-111"/>
-      </resource>
-      <resource uuid="349fe082-502d-464a-aa0c-1443c6a5cf40">
-         <title>NIST Special Publication 800-113</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-113</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-113</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-113"/>
-      </resource>
-      <resource uuid="1201fcf3-afb1-4675-915a-fb4ae0435717">
-         <title>NIST Special Publication 800-114 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-114r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-114 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-114r1"/>
-      </resource>
-      <resource uuid="c4691b88-57d1-463b-9053-2d0087913f31">
-         <title>NIST Special Publication 800-115</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-115</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-115</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-115"/>
-      </resource>
-      <resource uuid="2157bb7e-192c-4eaa-877f-93ef6b0a3292">
-         <title>NIST Special Publication 800-116 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-116r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-116 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-116r1"/>
-      </resource>
-      <resource uuid="5c201b63-0768-417b-ac22-3f014e3941b2">
-         <title>NIST Special Publication 800-12 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-12r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-12 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-12r1"/>
-      </resource>
-      <resource uuid="d1a4e2a9-e512-4132-8795-5357aba29254">
-         <title>NIST Special Publication 800-121</title>
-         <citation>
-            <text>NIST Special Publication 800-121</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-121"/>
-      </resource>
-      <resource uuid="0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589">
-         <title>NIST Special Publication 800-124</title>
-         <citation>
-            <text>NIST Special Publication 800-124</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-124"/>
-      </resource>
-      <resource uuid="080f8068-5e3e-435e-9790-d22ba4722693">
-         <title>NIST Special Publication 800-128</title>
-         <citation>
-            <text>NIST Special Publication 800-128</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-128"/>
-      </resource>
-      <resource uuid="cee2c6ca-0261-4a6f-b630-e41d8ffdd82b">
-         <title>NIST Special Publication 800-137</title>
-         <citation>
-            <text>NIST Special Publication 800-137</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-137"/>
-      </resource>
-      <resource uuid="825438c3-248d-4e30-a51e-246473ce6ada">
-         <title>NIST Special Publication 800-16</title>
-         <citation>
-            <text>NIST Special Publication 800-16</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-16"/>
-      </resource>
-      <resource uuid="6513e480-fada-4876-abba-1397084dfb26">
-         <title>NIST Special Publication 800-164</title>
-         <citation>
-            <text>NIST Special Publication 800-164</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-164"/>
-      </resource>
-      <resource uuid="9c5c9e8c-dc81-4f55-a11c-d71d7487790f">
-         <title>NIST Special Publication 800-18</title>
-         <citation>
-            <text>NIST Special Publication 800-18</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-18"/>
-      </resource>
-      <resource uuid="0a5db899-f033-467f-8631-f5a8ba971475">
-         <title>NIST Special Publication 800-23</title>
-         <citation>
-            <text>NIST Special Publication 800-23</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-23"/>
-      </resource>
-      <resource uuid="a466121b-f0e2-41f0-a5f9-deb0b5fe6b15">
-         <title>NIST Special Publication 800-30</title>
-         <citation>
-            <text>NIST Special Publication 800-30</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-30"/>
-      </resource>
-      <resource uuid="748a81b9-9cad-463f-abde-8b368167e70d">
-         <title>NIST Special Publication 800-34</title>
-         <citation>
-            <text>NIST Special Publication 800-34</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-34"/>
-      </resource>
-      <resource uuid="0c775bc3-bfc3-42c7-a382-88949f503171">
-         <title>NIST Special Publication 800-35</title>
-         <citation>
-            <text>NIST Special Publication 800-35</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-35"/>
-      </resource>
-      <resource uuid="d818efd3-db31-4953-8afa-9e76afe83ce2">
-         <title>NIST Special Publication 800-36</title>
-         <citation>
-            <text>NIST Special Publication 800-36</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-36"/>
-      </resource>
-      <resource uuid="0a0c26b6-fd44-4274-8b36-93442d49d998">
-         <title>NIST Special Publication 800-37</title>
-         <citation>
-            <text>NIST Special Publication 800-37</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-37"/>
-      </resource>
-      <resource uuid="d480aa6a-7a88-424e-a10c-ad1c7870354b">
-         <title>NIST Special Publication 800-39</title>
-         <citation>
-            <text>NIST Special Publication 800-39</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-39"/>
-      </resource>
-      <resource uuid="bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d">
-         <title>NIST Special Publication 800-40</title>
-         <citation>
-            <text>NIST Special Publication 800-40</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-40"/>
-      </resource>
-      <resource uuid="756a8e86-57d5-4701-8382-f7a40439665a">
-         <title>NIST Special Publication 800-41</title>
-         <citation>
-            <text>NIST Special Publication 800-41</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-41"/>
-      </resource>
-      <resource uuid="5309d4d0-46f8-4213-a749-e7584164e5e8">
-         <title>NIST Special Publication 800-46</title>
-         <citation>
-            <text>NIST Special Publication 800-46</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-46"/>
-      </resource>
-      <resource uuid="2711f068-734e-4afd-94ba-0b22247fbc88">
-         <title>NIST Special Publication 800-47</title>
-         <citation>
-            <text>NIST Special Publication 800-47</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-47"/>
-      </resource>
-      <resource uuid="238ed479-eccb-49f6-82ec-ab74a7a428cf">
-         <title>NIST Special Publication 800-48</title>
-         <citation>
-            <text>NIST Special Publication 800-48</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-48"/>
-      </resource>
-      <resource uuid="e12b5738-de74-4fb3-8317-a3995a8a1898">
-         <title>NIST Special Publication 800-50</title>
-         <citation>
-            <text>NIST Special Publication 800-50</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-50"/>
-      </resource>
-      <resource uuid="cd4cf751-3312-4a55-b1a9-fad2f1db9119">
-         <title>NIST Special Publication 800-53A</title>
-         <citation>
-            <text>NIST Special Publication 800-53A</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-53A"/>
-      </resource>
-      <resource uuid="81f09e01-d0b0-4ae2-aa6a-064ed9950070">
-         <title>NIST Special Publication 800-56</title>
-         <citation>
-            <text>NIST Special Publication 800-56</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-56"/>
-      </resource>
-      <resource uuid="a6c774c0-bf50-4590-9841-2a5c1c91ac6f">
-         <title>NIST Special Publication 800-57</title>
-         <citation>
-            <text>NIST Special Publication 800-57</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-57"/>
-      </resource>
-      <resource uuid="f152844f-b1ef-4836-8729-6277078ebee1">
-         <title>NIST Special Publication 800-60</title>
-         <citation>
-            <text>NIST Special Publication 800-60</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-60"/>
-      </resource>
-      <resource uuid="be95fb85-a53f-4624-bdbb-140075500aa3">
-         <title>NIST Special Publication 800-61</title>
-         <citation>
-            <text>NIST Special Publication 800-61</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-61"/>
-      </resource>
-      <resource uuid="644f44a9-a2de-4494-9c04-cd37fba45471">
-         <title>NIST Special Publication 800-63</title>
-         <citation>
-            <text>NIST Special Publication 800-63</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-63"/>
-      </resource>
-      <resource uuid="abd950ae-092f-4b7a-b374-1c7c67fe9350">
-         <title>NIST Special Publication 800-64</title>
-         <citation>
-            <text>NIST Special Publication 800-64</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-64"/>
-      </resource>
-      <resource uuid="29fcfe59-33cd-494a-8756-5907ae3a8f92">
-         <title>NIST Special Publication 800-65</title>
-         <citation>
-            <text>NIST Special Publication 800-65</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-65"/>
-      </resource>
-      <resource uuid="84a37532-6db6-477b-9ea8-f9085ebca0fc">
-         <title>NIST Special Publication 800-70</title>
-         <citation>
-            <text>NIST Special Publication 800-70</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-70"/>
-      </resource>
-      <resource uuid="ead74ea9-4c9c-446d-9b92-bcbf0ad4b655">
-         <title>NIST Special Publication 800-73</title>
-         <citation>
-            <text>NIST Special Publication 800-73</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-73"/>
-      </resource>
-      <resource uuid="2a71298a-ee90-490e-80ff-48c967173a47">
-         <title>NIST Special Publication 800-76</title>
-         <citation>
-            <text>NIST Special Publication 800-76</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-76"/>
-      </resource>
-      <resource uuid="99f331f2-a9f0-46c2-9856-a3cbb9b89442">
-         <title>NIST Special Publication 800-77</title>
-         <citation>
-            <text>NIST Special Publication 800-77</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-77"/>
-      </resource>
-      <resource uuid="2042d97b-f7f6-4c74-84f8-981867684659">
-         <title>NIST Special Publication 800-78</title>
-         <citation>
-            <text>NIST Special Publication 800-78</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-78"/>
-      </resource>
-      <resource uuid="6af1e841-672c-46c4-b121-96f603d04be3">
-         <title>NIST Special Publication 800-81</title>
-         <citation>
-            <text>NIST Special Publication 800-81</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-81"/>
-      </resource>
-      <resource uuid="6d431fee-658f-4a0e-9f2e-a38b5d398fab">
-         <title>NIST Special Publication 800-83</title>
-         <citation>
-            <text>NIST Special Publication 800-83</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-83"/>
-      </resource>
-      <resource uuid="0243a05a-e8a3-4d51-9364-4a9d20b0dcdf">
-         <title>NIST Special Publication 800-84</title>
-         <citation>
-            <text>NIST Special Publication 800-84</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-84"/>
-      </resource>
-      <resource uuid="263823e0-a971-4b00-959d-315b26278b22">
-         <title>NIST Special Publication 800-88</title>
-         <citation>
-            <text>NIST Special Publication 800-88</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-88"/>
-      </resource>
-      <resource uuid="672fd561-b92b-4713-b9cf-6c9d9456728b">
-         <title>NIST Special Publication 800-92</title>
-         <citation>
-            <text>NIST Special Publication 800-92</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-92"/>
-      </resource>
-      <resource uuid="d1b1d689-0f66-4474-9924-c81119758dc1">
-         <title>NIST Special Publication 800-94</title>
-         <citation>
-            <text>NIST Special Publication 800-94</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-94"/>
-      </resource>
-      <resource uuid="6f336ecd-f2a0-4c84-9699-0491d81b6e0d">
-         <title>NIST Special Publication 800-97</title>
-         <citation>
-            <text>NIST Special Publication 800-97</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-97"/>
-      </resource>
-      <resource uuid="9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab">
-         <title>OMB Circular A-130</title>
-         <citation>
-            <text>OMB Circular A-130</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/circulars_a130_a130trans4"/>
-      </resource>
-      <resource uuid="2c5884cd-7b96-425c-862a-99877e1cf909">
-         <title>OMB Memorandum 02-01</title>
-         <citation>
-            <text>OMB Memorandum 02-01</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/memoranda_m02-01"/>
-      </resource>
-      <resource uuid="ff3bfb02-79b2-411f-8735-98dfe5af2ab0">
-         <title>OMB Memorandum 04-04</title>
-         <citation>
-            <text>OMB Memorandum 04-04</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"/>
-      </resource>
-      <resource uuid="4da24a96-6cf8-435d-9d1f-c73247cad109">
-         <title>OMB Memorandum 06-16</title>
-         <citation>
-            <text>OMB Memorandum 06-16</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"/>
-      </resource>
-      <resource uuid="990268bf-f4a9-4c81-91ae-dc7d3115f4b1">
-         <title>OMB Memorandum 07-11</title>
-         <citation>
-            <text>OMB Memorandum 07-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"/>
-      </resource>
-      <resource uuid="0b3d8ba9-051f-498d-81ea-97f0f018c612">
-         <title>OMB Memorandum 07-18</title>
-         <citation>
-            <text>OMB Memorandum 07-18</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"/>
-      </resource>
-      <resource uuid="0916ef02-3618-411b-a525-565c088849a6">
-         <title>OMB Memorandum 08-22</title>
-         <citation>
-            <text>OMB Memorandum 08-22</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"/>
-      </resource>
-      <resource uuid="28115a56-da6b-4d44-b1df-51dd7f048a3e">
-         <title>OMB Memorandum 08-23</title>
-         <citation>
-            <text>OMB Memorandum 08-23</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"/>
-      </resource>
-      <resource uuid="599fe9ba-4750-4450-9eeb-b95bd19a5e8f">
-         <title>OMB Memorandum 10-06-2011</title>
-         <citation>
-            <text>OMB Memorandum 10-06-2011</text>
-         </citation>
-      </resource>
-      <resource uuid="74e740a4-c45d-49f3-a86e-eb747c549e01">
-         <title>OMB Memorandum 11-11</title>
-         <citation>
-            <text>OMB Memorandum 11-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"/>
-      </resource>
-      <resource uuid="bedb15b7-ec5c-4a68-807f-385125751fcd">
-         <title>OMB Memorandum 11-33</title>
-         <citation>
-            <text>OMB Memorandum 11-33</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"/>
-      </resource>
-      <resource uuid="dd2f5acd-08f1-435a-9837-f8203088dc1a">
-         <title>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-            (E-PACS)</title>
-         <citation>
-            <text>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-               (E-PACS)</text>
-         </citation>
-      </resource>
-      <resource uuid="8ade2fbe-e468-4ca8-9a40-54d7f23c32bb">
-         <title>US-CERT Technical Cyber Security Alerts</title>
-         <citation>
-            <text>US-CERT Technical Cyber Security Alerts</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov/ncas/alerts"/>
-      </resource>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml"
-                href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</catalog>
diff --git a/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml b/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
deleted file mode 100644
index 8e29d4ae72..0000000000
--- a/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
+++ /dev/null
@@ -1,4623 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="4678df89-bdc1-4804-bdfd-0bb1fc5bba1a">
-   
-   <metadata>
-      <title>FedRAMP Low Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-      
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage" />
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#ad005eae-cc63-4e64-9109-3905a9a825e4">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-3"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-6"/>
-         <call control-id="au-8"/>
-         <call control-id="au-9"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-10"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-8"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-5"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-7"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-16"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-4"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-9"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-3"/>
-         <call control-id="si-4"/>
-         <call control-id="si-5"/>
-         <call control-id="si-12"/>
-         <call control-id="si-16"/>
-      </include>
-   </import>
-   <merge>
-      <combine method="keep"/>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <set-parameter param-id="ac-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2_prm_4">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_1">
-         <constraint>not more than three (3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_2">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_4">
-         <constraint>thirty (30) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_1">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_2">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-22_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-3_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-4_prm_1">
-         <constraint>At least one year</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_1">
-         <constraint>Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_2">
-         <constraint>organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5_prm_2">
-         <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-11_prm_1">
-         <constraint>at least ninety days</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12_prm_1">
-         <constraint>all information system and network components where audit capability is deployed/available</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_2">
-         <constraint>individuals or roles to include FedRAMP PMO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3_prm_1">
-         <constraint>at least annually and on input from FedRAMP</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-5_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-6_prm_1">
-         <constraint>at least every three years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_4">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_5">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-6_prm_1">
-         <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7_prm_1">
-         <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-11_prm_3">
-         <constraint>Continuously (via CM-7 (5))</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-2_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_1">
-         <constraint>ten (10) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_1">
-         <constraint>at least every three years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_2">
-         <constraint>classroom exercises/table top written tests</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_1">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_2">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_3">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_2">
-         <constraint>IA-4 (d) [at least two years]</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_3">
-         <constraint>ninety days for user identifiers (See additional requirements and guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_2">
-         <constraint>at least one</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_4">
-         <constraint>twenty four</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-6_prm_1">
-         <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_2">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_4">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_2">
-         <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_3">
-         <constraint>CSP defined physical access control systems/devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_6">
-         <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_8">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_9">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-6_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_1">
-         <constraint>for a minimum of one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_1">
-         <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_2">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-16_prm_1">
-         <constraint>all information system components</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-4_prm_1">
-         <constraint>At least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-2_prm_1">
-         <constraint>at least every three years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3_prm_1">
-         <constraint>For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-4_prm_1">
-         <constraint>same day</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-5_prm_4">
-         <constraint>five days of the time period following the formal transfer action (DoD 24 hours)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-7_prm_2">
-         <constraint>organization-defined time period - same day</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_2">
-         <constraint>security assessment report</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_3">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_5">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_1">
-         <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_2">
-         <constraint>[high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_1">
-         <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_2">
-         <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-13_prm_1">
-         <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-15_prm_1">
-         <constraint>no exceptions</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2_prm_1">
-         <constraint>within 30 days of release of updates</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_2">
-         <constraint>to include endpoints</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_3">
-         <constraint>to include alerting administrator or defined security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_1">
-         <constraint>to include US-CERT</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_2">
-         <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-      </set-parameter>
-      <alter control-id="ac-1">
-         <add position="starting" id-ref="ac-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting" id-ref="ac-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting" id-ref="ac-17">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting" id-ref="ac-18">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting" id-ref="ac-19">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting" id-ref="ac-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.i_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.k_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting" id-ref="ac-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting" id-ref="ac-22">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-22.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting" id-ref="ac-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting" id-ref="ac-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="ending" id-ref="ac-8_smt">
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting" id-ref="at-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting" id-ref="at-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting" id-ref="at-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting" id-ref="at-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting" id-ref="au-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="ending" id-ref="au-11_smt">
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting" id-ref="au-12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="ending" id-ref="au-2_smt">
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting" id-ref="au-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting" id-ref="au-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting" id-ref="au-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="ending" id-ref="au-6_smt">
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting" id-ref="au-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting" id-ref="au-9.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting" id-ref="ca-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="ending" id-ref="ca-2_smt">
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.1">
-         <add position="ending" id-ref="ca-2.1_smt">
-            <part id="ca-2.1_fr" name="item">
-               <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting" id-ref="ca-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="ending" id-ref="ca-5_smt">
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="ending" id-ref="ca-6_smt">
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="ending" id-ref="ca-7_smt">
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting" id-ref="ca-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting" id-ref="cm-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting" id-ref="cm-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting" id-ref="cm-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting" id-ref="cm-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting" id-ref="cm-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="ending" id-ref="cm-6_smt">
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="ending" id-ref="cm-7_smt">
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>
-							Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="ending" id-ref="cm-8_smt">
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting" id-ref="cp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting" id-ref="cp-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="ending" id-ref="cp-2_smt">
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting" id-ref="cp-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="ending" id-ref="cp-4_smt">
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="ending" id-ref="cp-9_smt">
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting" id-ref="ia-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.1">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.12">
-         <add position="ending" id-ref="ia-2.12_smt">
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="ending" id-ref="ia-4_smt">
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="ending" id-ref="ia-5_smt">
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.j_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.1">
-         <add position="ending" id-ref="ia-5.1_smt">
-            <part id="ia-5.1_fr" name="item">
-               <title>IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance (a) (d):</prop>
-                  <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.11">
-         <add position="starting" id-ref="ia-5.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting" id-ref="ia-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting" id-ref="ia-7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting" id-ref="ia-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.1">
-         <add position="starting" id-ref="ia-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.2">
-         <add position="starting" id-ref="ia-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.3">
-         <add position="starting" id-ref="ia-8.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.4">
-         <add position="starting" id-ref="ia-8.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting" id-ref="ir-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting" id-ref="ir-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="ending" id-ref="ir-4_smt">
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting" id-ref="ir-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="ending" id-ref="ir-6_smt">
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="ending" id-ref="ir-8_smt">
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting" id-ref="ma-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting" id-ref="ma-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting" id-ref="ma-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting" id-ref="ma-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting" id-ref="mp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting" id-ref="mp-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting" id-ref="mp-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting" id-ref="pe-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting" id-ref="pe-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting" id-ref="pe-13.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="ending" id-ref="pe-14_smt">
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting" id-ref="pe-15_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting" id-ref="pe-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.9">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting" id-ref="pe-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting" id-ref="pe-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting" id-ref="pe-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting" id-ref="pe-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting" id-ref="pl-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting" id-ref="pl-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting" id-ref="pl-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting" id-ref="ps-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting" id-ref="ps-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting" id-ref="ps-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting" id-ref="ps-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting" id-ref="ps-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting" id-ref="ps-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting" id-ref="ps-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting" id-ref="ps-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting" id-ref="ra-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting" id-ref="ra-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="ending" id-ref="ra-3_smt">
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add id-ref="ra-5_smt">
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-            </part>
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting" id-ref="sa-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting" id-ref="sa-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting" id-ref="sa-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="ending" id-ref="sa-4_smt">
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.10">
-         <add position="starting" id-ref="sa-4.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting" id-ref="sa-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="ending" id-ref="sa-9_smt">
-            <part id="sa-9_fr" name="item">
-               <title>SA-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-9_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Continuous Monitoring Strategy Guide <a href="https://www.FedRAMP.gov/documents">https://www.FedRAMP.gov/documents</a>
-                  </p>
-               </part>
-               <part id="sa-9_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents&gt;FedRAMP Authorization Boundary Guidance</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting" id-ref="sc-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="ending" id-ref="sc-12_smt">
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting" id-ref="sc-13">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="ending" id-ref="sc-15_smt">
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting" id-ref="sc-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting" id-ref="sc-21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting" id-ref="sc-22_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-22_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting" id-ref="sc-39_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting" id-ref="sc-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting" id-ref="sc-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting" id-ref="si-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting" id-ref="si-12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting" id-ref="si-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting" id-ref="si-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="ending" id-ref="si-4_smt">
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting" id-ref="si-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml" href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml b/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml
deleted file mode 100644
index dbd6a0854b..0000000000
--- a/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml
+++ /dev/null
@@ -1,35446 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="c9301b61-9f2b-431e-9c7f-c8ffcd110388">
-   <metadata>
-      <title>FedRAMP Moderate Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <prop name="resolution-timestamp">2020-08-31T17:38:53.967424Z</prop>
-      <link rel="resolution-source" href="FedRAMP_MODERATE-baseline_profile.xml">FedRAMP Moderate Baseline</link>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage"/>
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <group class="family" id="ac">
-      <title>Access Control</title>
-      <control class="SP800-53" id="ac-1">
-         <title>Access Control Policy and Procedures</title>
-         <param id="ac-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ac-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-1</prop>
-         <prop name="sort-id">ac-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ac-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ac-1_prm_1"/>:</p>
-               <part id="ac-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An access control policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ac-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the access control policy and
-                     associated access controls; and</p>
-               </part>
-            </part>
-            <part id="ac-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ac-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Access control policy <insert param-id="ac-1_prm_2"/>; and</p>
-               </part>
-               <part id="ac-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Access control procedures <insert param-id="ac-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ac-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-1.a_obj" name="objective">
-               <prop name="label">AC-1(a)</prop>
-               <part id="ac-1.a.1_obj" name="objective">
-                  <prop name="label">AC-1(a)(1)</prop>
-                  <part id="ac-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(1)[1]</prop>
-                     <p>develops and documents an access control policy that addresses:</p>
-                     <part id="ac-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ac-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the access control policy are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AC-1(a)(1)[3]</prop>
-                     <p>disseminates the access control policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ac-1.a.2_obj" name="objective">
-                  <prop name="label">AC-1(a)(2)</prop>
-                  <part id="ac-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        access control policy and associated access control controls;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-1.b_obj" name="objective">
-               <prop name="label">AC-1(b)</prop>
-               <part id="ac-1.b.1_obj" name="objective">
-                  <prop name="label">AC-1(b)(1)</prop>
-                  <part id="ac-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        policy;</p>
-                  </part>
-                  <part id="ac-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current access control policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ac-1.b.2_obj" name="objective">
-                  <prop name="label">AC-1(b)(2)</prop>
-                  <part id="ac-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        procedures; and</p>
-                  </part>
-                  <part id="ac-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current access control procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-2">
-         <title>Account Management</title>
-         <param id="ac-2_prm_1">
-            <label>organization-defined information system account types</label>
-         </param>
-         <param id="ac-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-2_prm_3">
-            <label>organization-defined procedures or conditions</label>
-         </param>
-         <param id="ac-2_prm_4">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-2</prop>
-         <prop name="sort-id">ac-02</prop>
-         <part id="ac-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies and selects the following types of information system accounts to
-                  support organizational missions/business functions: <insert param-id="ac-2_prm_1"/>;</p>
-            </part>
-            <part id="ac-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Specifies authorized users of the information system, group and role membership,
-                  and access authorizations (i.e., privileges) and other attributes (as required)
-                  for each account;</p>
-            </part>
-            <part id="ac-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requires approvals by <insert param-id="ac-2_prm_2"/> for requests to create
-                  information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Creates, enables, modifies, disables, and removes information system accounts in
-                  accordance with <insert param-id="ac-2_prm_3"/>;</p>
-            </part>
-            <part id="ac-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Notifies account managers:</p>
-               <part id="ac-2_smt.h.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>When accounts are no longer required;</p>
-               </part>
-               <part id="ac-2_smt.h.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>When users are terminated or transferred; and</p>
-               </part>
-               <part id="ac-2_smt.h.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>When individual information system usage or need-to-know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Authorizes access to the information system based on:</p>
-               <part id="ac-2_smt.i.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A valid access authorization;</p>
-               </part>
-               <part id="ac-2_smt.i.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Intended system usage; and</p>
-               </part>
-               <part id="ac-2_smt.i.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Reviews accounts for compliance with account management requirements <insert param-id="ac-2_prm_4"/>; and</p>
-            </part>
-            <part id="ac-2_smt.k" name="item">
-               <prop name="label">k.</prop>
-               <p>Establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part id="ac-2_gdn" name="guidance">
-            <p>Information system account types include, for example, individual, shared, group,
-               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-               service. Some of the account management requirements listed above can be implemented
-               by organizational information systems. The identification of authorized users of the
-               information system and the specification of access privileges reflects the
-               requirements in other security controls in the security plan. Users requiring
-               administrative privileges on information system accounts receive additional scrutiny
-               by appropriate organizational personnel (e.g., system owner, mission/business owner,
-               or chief information security officer) responsible for approving such accounts and
-               privileged access. Organizations may choose to define access privileges or other
-               attributes by account, by type of account, or a combination of both. Other attributes
-               required for authorizing access include, for example, restrictions on time-of-day,
-               day-of-week, and point-of-origin. In defining other account attributes, organizations
-               consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-               and mission/business requirements, (e.g., time zone differences, customer
-               requirements, remote access to support travel requirements). Failure to consider
-               these factors could affect information system availability. Temporary and emergency
-               accounts are accounts intended for short-term use. Organizations establish temporary
-               accounts as a part of normal account activation procedures when there is a need for
-               short-term accounts without the demand for immediacy in account activation.
-               Organizations establish emergency accounts in response to crisis situations and with
-               the need for rapid account activation. Therefore, emergency account activation may
-               bypass normal account authorization processes. Emergency and temporary accounts are
-               not to be confused with infrequently used accounts (e.g., local logon accounts used
-               for special tasks defined by organizations or when network resources are
-               unavailable). Such accounts remain available and are not subject to automatic
-               disabling or removal dates. Conditions for disabling or deactivating accounts
-               include, for example: (i) when shared/group, emergency, or temporary accounts are no
-               longer required; or (ii) when individuals are transferred or terminated. Some types
-               of information system accounts may require specialized training.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-10">AC-10</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ac-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-2.a_obj" name="objective">
-               <prop name="label">AC-2(a)</prop>
-               <part id="ac-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(a)[1]</prop>
-                  <p>defines information system account types to be identified and selected to
-                     support organizational missions/business functions;</p>
-               </part>
-               <part id="ac-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AC-2(a)[2]</prop>
-                  <p>identifies and selects organization-defined information system account types to
-                     support organizational missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AC-2(b)</prop>
-               <p>assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(c)</prop>
-               <p>establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(d)</prop>
-               <p>specifies for each account (as required):</p>
-               <part id="ac-2.d_obj.1" name="objective">
-                  <prop name="label">AC-2(d)[1]</prop>
-                  <p>authorized users of the information system;</p>
-               </part>
-               <part id="ac-2.d_obj.2" name="objective">
-                  <prop name="label">AC-2(d)[2]</prop>
-                  <p>group and role membership;</p>
-               </part>
-               <part id="ac-2.d_obj.3" name="objective">
-                  <prop name="label">AC-2(d)[3]</prop>
-                  <p>access authorizations (i.e., privileges);</p>
-               </part>
-               <part id="ac-2.d_obj.4" name="objective">
-                  <prop name="label">AC-2(d)[4]</prop>
-                  <p>other attributes;</p>
-               </part>
-            </part>
-            <part id="ac-2.e_obj" name="objective">
-               <prop name="label">AC-2(e)</prop>
-               <part id="ac-2.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(e)[1]</prop>
-                  <p>defines personnel or roles required to approve requests to create information
-                     system accounts;</p>
-               </part>
-               <part id="ac-2.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(e)[2]</prop>
-                  <p>requires approvals by organization-defined personnel or roles for requests to
-                     create information system accounts;</p>
-               </part>
-            </part>
-            <part id="ac-2.f_obj" name="objective">
-               <prop name="label">AC-2(f)</prop>
-               <part id="ac-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(f)[1]</prop>
-                  <p>defines procedures or conditions to:</p>
-                  <part id="ac-2.f_obj.1.a" name="objective">
-                     <prop name="label">AC-2(f)[1][a]</prop>
-                     <p>create information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.b" name="objective">
-                     <prop name="label">AC-2(f)[1][b]</prop>
-                     <p>enable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.c" name="objective">
-                     <prop name="label">AC-2(f)[1][c]</prop>
-                     <p>modify information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.d" name="objective">
-                     <prop name="label">AC-2(f)[1][d]</prop>
-                     <p>disable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.e" name="objective">
-                     <prop name="label">AC-2(f)[1][e]</prop>
-                     <p>remove information system accounts;</p>
-                  </part>
-               </part>
-               <part id="ac-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(f)[2]</prop>
-                  <p>in accordance with organization-defined procedures or conditions:</p>
-                  <part id="ac-2.f_obj.2.a" name="objective">
-                     <prop name="label">AC-2(f)[2][a]</prop>
-                     <p>creates information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.b" name="objective">
-                     <prop name="label">AC-2(f)[2][b]</prop>
-                     <p>enables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.c" name="objective">
-                     <prop name="label">AC-2(f)[2][c]</prop>
-                     <p>modifies information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.d" name="objective">
-                     <prop name="label">AC-2(f)[2][d]</prop>
-                     <p>disables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.e" name="objective">
-                     <prop name="label">AC-2(f)[2][e]</prop>
-                     <p>removes information system accounts;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.g_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(g)</prop>
-               <p>monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2.h_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(h)</prop>
-               <p>notifies account managers:</p>
-               <part id="ac-2.h.1_obj" name="objective">
-                  <prop name="label">AC-2(h)(1)</prop>
-                  <p>when accounts are no longer required;</p>
-               </part>
-               <part id="ac-2.h.2_obj" name="objective">
-                  <prop name="label">AC-2(h)(2)</prop>
-                  <p>when users are terminated or transferred;</p>
-               </part>
-               <part id="ac-2.h.3_obj" name="objective">
-                  <prop name="label">AC-2(h)(3)</prop>
-                  <p>when individual information system usage or need to know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2.i_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-2(i)</prop>
-               <p>authorizes access to the information system based on;</p>
-               <part id="ac-2.i.1_obj" name="objective">
-                  <prop name="label">AC-2(i)(1)</prop>
-                  <p>a valid access authorization;</p>
-               </part>
-               <part id="ac-2.i.2_obj" name="objective">
-                  <prop name="label">AC-2(i)(2)</prop>
-                  <p>intended system usage;</p>
-               </part>
-               <part id="ac-2.i.3_obj" name="objective">
-                  <prop name="label">AC-2(i)(3)</prop>
-                  <p>other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.j_obj" name="objective">
-               <prop name="label">AC-2(j)</prop>
-               <part id="ac-2.j_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(j)[1]</prop>
-                  <p>defines the frequency to review accounts for compliance with account management
-                     requirements;</p>
-               </part>
-               <part id="ac-2.j_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(j)[2]</prop>
-                  <p>reviews accounts for compliance with account management requirements with the
-                     organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="ac-2.k_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-2(k)</prop>
-               <p>establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of active system accounts along with the name of the individual associated
-                  with each account</p>
-               <p>list of conditions for group and role membership</p>
-               <p>notifications or records of recently transferred, separated, or terminated
-                  employees</p>
-               <p>list of recently disabled information system accounts along with the name of the
-                  individual associated with each account</p>
-               <p>access authorization records</p>
-               <p>account management compliance reviews</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes account management on the information system</p>
-               <p>automated mechanisms for implementing account management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-2.1">
-            <title>Automated System Account Management</title>
-            <prop name="label">AC-2(1)</prop>
-            <prop name="sort-id">ac-02.01</prop>
-            <part id="ac-2.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to support the management of
-                  information system accounts.</p>
-            </part>
-            <part id="ac-2.1_gdn" name="guidance">
-               <p>The use of automated mechanisms can include, for example: using email or text
-                  messaging to automatically notify account managers when users are terminated or
-                  transferred; using the information system to monitor account usage; and using
-                  telephonic notification to report atypical system account usage.</p>
-            </part>
-            <part id="ac-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to support the
-                  management of information system accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.2">
-            <title>Removal of Temporary / Emergency Accounts</title>
-            <param id="ac-2.2_prm_1"/>
-            <param id="ac-2.2_prm_2">
-               <label>organization-defined time period for each type of account</label>
-               <constraint>no more than 30 days for temporary and emergency account types</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-2(2)</prop>
-            <prop name="sort-id">ac-02.02</prop>
-            <part id="ac-2.2_smt" name="statement">
-               <p>The information system automatically <insert param-id="ac-2.2_prm_1"/> temporary
-                  and emergency accounts after <insert param-id="ac-2.2_prm_2"/>.</p>
-            </part>
-            <part id="ac-2.2_gdn" name="guidance">
-               <p>This control enhancement requires the removal of both temporary and emergency
-                  accounts automatically after a predefined period of time has elapsed, rather than
-                  at the convenience of the systems administrator.</p>
-            </part>
-            <part id="ac-2.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(2)[1]</prop>
-                  <p>the organization defines the time period after which the information system
-                     automatically removes or disables temporary and emergency accounts; and</p>
-               </part>
-               <part id="ac-2.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(2)[2]</prop>
-                  <p>the information system automatically removes or disables temporary and
-                     emergency accounts after the organization-defined time period for each type of
-                     account.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of temporary accounts removed and/or
-                     disabled</p>
-                  <p>information system-generated list of emergency accounts removed and/or
-                     disabled</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.3">
-            <title>Disable Inactive Accounts</title>
-            <param id="ac-2.3_prm_1">
-               <label>organization-defined time period</label>
-               <constraint>90 days for user accounts</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-2(3)</prop>
-            <prop name="sort-id">ac-02.03</prop>
-            <part id="ac-2.3_smt" name="statement">
-               <p>The information system automatically disables inactive accounts after <insert param-id="ac-2.3_prm_1"/>.</p>
-            </part>
-            <part id="ac-2.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(3)[1]</prop>
-                  <p>the organization defines the time period after which the information system
-                     automatically disables inactive accounts; and</p>
-               </part>
-               <part id="ac-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(3)[2]</prop>
-                  <p>the information system automatically disables inactive accounts after the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of temporary accounts removed and/or
-                     disabled</p>
-                  <p>information system-generated list of emergency accounts removed and/or
-                     disabled</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.4">
-            <title>Automated Audit Actions</title>
-            <param id="ac-2.4_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">AC-2(4)</prop>
-            <prop name="sort-id">ac-02.04</prop>
-            <part id="ac-2.4_smt" name="statement">
-               <p>The information system automatically audits account creation, modification,
-                  enabling, disabling, and removal actions, and notifies <insert param-id="ac-2.4_prm_1"/>.</p>
-            </part>
-            <part id="ac-2.4_gdn" name="guidance">
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="ac-2.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(4)[1]</prop>
-                  <p>the information system automatically audits the following account actions:</p>
-                  <part id="ac-2.4_obj.1.a" name="objective">
-                     <prop name="label">AC-2(4)[1][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.b" name="objective">
-                     <prop name="label">AC-2(4)[1][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.c" name="objective">
-                     <prop name="label">AC-2(4)[1][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.d" name="objective">
-                     <prop name="label">AC-2(4)[1][d]</prop>
-                     <p>disabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.e" name="objective">
-                     <prop name="label">AC-2(4)[1][e]</prop>
-                     <p>removal;</p>
-                  </part>
-               </part>
-               <part id="ac-2.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(4)[2]</prop>
-                  <p>the organization defines personnel or roles to be notified of the following
-                     account actions:</p>
-                  <part id="ac-2.4_obj.2.a" name="objective">
-                     <prop name="label">AC-2(4)[2][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.b" name="objective">
-                     <prop name="label">AC-2(4)[2][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.c" name="objective">
-                     <prop name="label">AC-2(4)[2][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.d" name="objective">
-                     <prop name="label">AC-2(4)[2][d]</prop>
-                     <p>disabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.e" name="objective">
-                     <prop name="label">AC-2(4)[2][e]</prop>
-                     <p>removal;</p>
-                  </part>
-               </part>
-               <part id="ac-2.4_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(4)[3]</prop>
-                  <p>the information system notifies organization-defined personnel or roles of the
-                     following account actions:</p>
-                  <part id="ac-2.4_obj.3.a" name="objective">
-                     <prop name="label">AC-2(4)[3][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.b" name="objective">
-                     <prop name="label">AC-2(4)[3][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.c" name="objective">
-                     <prop name="label">AC-2(4)[3][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.d" name="objective">
-                     <prop name="label">AC-2(4)[3][d]</prop>
-                     <p>disabling; and</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.e" name="objective">
-                     <prop name="label">AC-2(4)[3][e]</prop>
-                     <p>removal.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>notifications/alerts of account creation, modification, enabling, disabling,
-                     and removal actions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.5">
-            <title>Inactivity Logout</title>
-            <param id="ac-2.5_prm_1">
-               <label>organization-defined time-period of expected inactivity or description of when
-                  to log out</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-2(5)</prop>
-            <prop name="sort-id">ac-02.05</prop>
-            <part id="ac-2.5_smt" name="statement">
-               <p>The organization requires that users log out when <insert param-id="ac-2.5_prm_1"/>.</p>
-               <part id="ac-2.5_fr" name="item">
-                  <title>AC-2 (5) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.5_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Should use a shorter timeframe than AC-12.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.5_gdn" name="guidance">
-               <link rel="related" href="#sc-23">SC-23</link>
-            </part>
-            <part id="ac-2.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(5)[1]</prop>
-                  <p>defines either the time period of expected inactivity that requires users to
-                     log out or the description of when users are required to log out; and</p>
-               </part>
-               <part id="ac-2.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(5)[2]</prop>
-                  <p>requires that users log out when the organization-defined time period of
-                     inactivity is reached or in accordance with organization-defined description of
-                     when to log out.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security violation reports</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>users that must comply with inactivity logout policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.7">
-            <title>Role-based Schemes</title>
-            <param id="ac-2.7_prm_1">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">AC-2(7)</prop>
-            <prop name="sort-id">ac-02.07</prop>
-            <part id="ac-2.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-2.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Establishes and administers privileged user accounts in accordance with a
-                     role-based access scheme that organizes allowed information system access and
-                     privileges into roles;</p>
-               </part>
-               <part id="ac-2.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Monitors privileged role assignments; and</p>
-               </part>
-               <part id="ac-2.7_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Takes <insert param-id="ac-2.7_prm_1"/> when privileged role assignments are no
-                     longer appropriate.</p>
-               </part>
-            </part>
-            <part id="ac-2.7_gdn" name="guidance">
-               <p>Privileged roles are organization-defined roles assigned to individuals that allow
-                  those individuals to perform certain security-relevant functions that ordinary
-                  users are not authorized to perform. These privileged roles include, for example,
-                  key management, account management, network and system administration, database
-                  administration, and web administration.</p>
-            </part>
-            <part id="ac-2.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.7.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(7)(a)</prop>
-                  <p>establishes and administers privileged user accounts in accordance with a
-                     role-based access scheme that organizes allowed information system access and
-                     privileges into roles;</p>
-                  <link rel="corresp" href="#ac-2.7_smt.a">AC-2(7)(a)</link>
-               </part>
-               <part id="ac-2.7.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(7)(b)</prop>
-                  <p>monitors privileged role assignments;</p>
-                  <link rel="corresp" href="#ac-2.7_smt.b">AC-2(7)(b)</link>
-               </part>
-               <part id="ac-2.7.c_obj" name="objective">
-                  <prop name="label">AC-2(7)(c)</prop>
-                  <part id="ac-2.7.c_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-2(7)(c)[1]</prop>
-                     <p>defines actions to be taken when privileged role assignments are no longer
-                        appropriate; and</p>
-                  </part>
-                  <part id="ac-2.7.c_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-2(7)(c)[2]</prop>
-                     <p>takes organization-defined actions when privileged role assignments are no
-                        longer appropriate.</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.7_smt.c">AC-2(7)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of privileged user accounts and associated
-                     role</p>
-                  <p>records of actions taken when privileged role assignments are no longer
-                     appropriate</p>
-                  <p>information system audit records</p>
-                  <p>audit tracking and monitoring reports</p>
-                  <p>information system monitoring records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-                  <p>automated mechanisms monitoring privileged role assignments</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.9">
-            <title>Restrictions On Use of Shared / Group Accounts</title>
-            <param id="ac-2.9_prm_1">
-               <label>organization-defined conditions for establishing shared/group accounts</label>
-            </param>
-            <prop name="label">AC-2(9)</prop>
-            <prop name="sort-id">ac-02.09</prop>
-            <part id="ac-2.9_smt" name="statement">
-               <p>The organization only permits the use of shared/group accounts that meet <insert param-id="ac-2.9_prm_1"/>.</p>
-               <part id="ac-2.9_fr" name="item">
-                  <title>AC-2 (9) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.9_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>Required if shared/group accounts are deployed</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.9_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-2(9)[1]</prop>
-                  <p>defines conditions for establishing shared/group accounts; and</p>
-               </part>
-               <part id="ac-2.9_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-2(9)[2]</prop>
-                  <p>only permits the use of shared/group accounts that meet organization-defined
-                     conditions for establishing shared/group accounts.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of shared/group accounts and associated role</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing management of shared/group accounts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.10">
-            <title>Shared / Group Account Credential Termination</title>
-            <prop name="label">AC-2(10)</prop>
-            <prop name="sort-id">ac-02.10</prop>
-            <part id="ac-2.10_smt" name="statement">
-               <p>The information system terminates shared/group account credentials when members
-                  leave the group.</p>
-               <part id="ac-2.10_fr" name="item">
-                  <title>AC-2 (10) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.10_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>Required if shared/group accounts are deployed</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system terminates shared/group account credentials
-                  when members leave the group.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>account access termination records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.12">
-            <title>Account Monitoring / Atypical Usage</title>
-            <param id="ac-2.12_prm_1">
-               <label>organization-defined atypical usage</label>
-            </param>
-            <param id="ac-2.12_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-2(12)</prop>
-            <prop name="sort-id">ac-02.12</prop>
-            <part id="ac-2.12_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-2.12_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Monitors information system accounts for <insert param-id="ac-2.12_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="ac-2.12_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reports atypical usage of information system accounts to <insert param-id="ac-2.12_prm_2"/>.</p>
-               </part>
-               <part id="ac-2.12_fr" name="item">
-                  <title>AC-2 (12) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-2.12_fr_gdn.1" name="guidance">
-                     <prop name="label">(a) Guidance:</prop>
-                     <p>Required for privileged accounts.</p>
-                  </part>
-                  <part id="ac-2.12_fr_gdn.2" name="guidance">
-                     <prop name="label">(b) Guidance:</prop>
-                     <p>Required for privileged accounts.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.12_gdn" name="guidance">
-               <p>Atypical usage includes, for example, accessing information systems at certain
-                  times of the day and from locations that are not consistent with the normal usage
-                  patterns of individuals working in organizations.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="ac-2.12_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.12.a_obj" name="objective">
-                  <prop name="label">AC-2(12)(a)</prop>
-                  <part id="ac-2.12.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-2(12)(a)[1]</prop>
-                     <p>defines atypical usage to be monitored for information system accounts;</p>
-                  </part>
-                  <part id="ac-2.12.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-2(12)(a)[2]</prop>
-                     <p>monitors information system accounts for organization-defined atypical
-                        usage;</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.12_smt.a">AC-2(12)(a)</link>
-               </part>
-               <part id="ac-2.12.b_obj" name="objective">
-                  <prop name="label">AC-2(12)(b)</prop>
-                  <part id="ac-2.12.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-2(12)(b)[1]</prop>
-                     <p>defines personnel or roles to whom atypical usage of information system
-                        accounts are to be reported; and</p>
-                  </part>
-                  <part id="ac-2.12.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-2(12)(b)[2]</prop>
-                     <p>reports atypical usage of information system accounts to
-                        organization-defined personnel or roles.</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.12_smt.b">AC-2(12)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring records</p>
-                  <p>information system audit records</p>
-                  <p>audit tracking and monitoring reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-3">
-         <title>Access Enforcement</title>
-         <prop name="label">AC-3</prop>
-         <prop name="sort-id">ac-03</prop>
-         <part id="ac-3_smt" name="statement">
-            <p>The information system enforces approved authorizations for logical access to
-               information and system resources in accordance with applicable access control
-               policies.</p>
-         </part>
-         <part id="ac-3_gdn" name="guidance">
-            <p>Access control policies (e.g., identity-based policies, role-based policies, control
-               matrices, cryptography) control access between active entities or subjects (i.e.,
-               users or processes acting on behalf of users) and passive entities or objects (e.g.,
-               devices, files, records, domains) in information systems. In addition to enforcing
-               authorized access at the information system level and recognizing that information
-               systems can host many applications and services in support of organizational missions
-               and business operations, access enforcement mechanisms can also be employed at the
-               application and service level to provide increased information security.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#ac-22">AC-22</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="ac-3_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system enforces approved authorizations for logical
-               access to information and system resources in accordance with applicable access
-               control policies.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of approved authorizations (user privileges)</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access enforcement responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-4">
-         <title>Information Flow Enforcement</title>
-         <param id="ac-4_prm_1">
-            <label>organization-defined information flow control policies</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-4</prop>
-         <prop name="sort-id">ac-04</prop>
-         <part id="ac-4_smt" name="statement">
-            <p>The information system enforces approved authorizations for controlling the flow of
-               information within the system and between interconnected systems based on <insert param-id="ac-4_prm_1"/>.</p>
-         </part>
-         <part id="ac-4_gdn" name="guidance">
-            <p>Information flow control regulates where information is allowed to travel within an
-               information system and between information systems (as opposed to who is allowed to
-               access the information) and without explicit regard to subsequent accesses to that
-               information. Flow control restrictions include, for example, keeping
-               export-controlled information from being transmitted in the clear to the Internet,
-               blocking outside traffic that claims to be from within the organization, restricting
-               web requests to the Internet that are not from the internal web proxy server, and
-               limiting information transfers between organizations based on data structures and
-               content. Transferring information between information systems representing different
-               security domains with different security policies introduces risk that such transfers
-               violate one or more domain security policies. In such situations, information
-               owners/stewards provide guidance at designated policy enforcement points between
-               interconnected systems. Organizations consider mandating specific architectural
-               solutions when required to enforce specific security policies. Enforcement includes,
-               for example: (i) prohibiting information transfers between interconnected systems
-               (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way
-               information flows; and (iii) implementing trustworthy regrading mechanisms to
-               reassign security attributes and security labels. Organizations commonly employ
-               information flow control policies and enforcement mechanisms to control the flow of
-               information between designated sources and destinations (e.g., networks, individuals,
-               and devices) within information systems and between interconnected systems. Flow
-               control is based on the characteristics of the information and/or the information
-               path. Enforcement occurs, for example, in boundary protection devices (e.g.,
-               gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or
-               establish configuration settings that restrict information system services, provide a
-               packet-filtering capability based on header information, or message-filtering
-               capability based on message content (e.g., implementing key word searches or using
-               document characteristics). Organizations also consider the trustworthiness of
-               filtering/inspection mechanisms (i.e., hardware, firmware, and software components)
-               that are critical to information flow enforcement. Control enhancements 3 through 22
-               primarily address cross-domain solution needs which focus on more advanced filtering
-               techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented
-               in cross-domain products, for example, high-assurance guards. Such capabilities are
-               generally not available in commercial off-the-shelf information technology
-               products.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-18">SC-18</link>
-         </part>
-         <part id="ac-4_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-4_obj.1" name="objective">
-               <prop name="label">AC-4[1]</prop>
-               <p>the organization defines information flow control policies to control the flow of
-                  information within the system and between interconnected systems; and</p>
-            </part>
-            <part id="ac-4_obj.2" name="objective">
-               <prop name="label">AC-4[2]</prop>
-               <p>the information system enforces approved authorizations for controlling the flow
-                  of information within the system and between interconnected systems based on
-                  organization-defined information flow control policies.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>information flow control policies</p>
-               <p>procedures addressing information flow enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system baseline configuration</p>
-               <p>list of information flow authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information flow enforcement policy</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-4.21">
-            <title>Physical / Logical Separation of Information Flows</title>
-            <param id="ac-4.21_prm_1">
-               <label>organization-defined mechanisms and/or techniques</label>
-            </param>
-            <param id="ac-4.21_prm_2">
-               <label>organization-defined required separations by types of information</label>
-            </param>
-            <prop name="label">AC-4(21)</prop>
-            <prop name="sort-id">ac-04.21</prop>
-            <part id="ac-4.21_smt" name="statement">
-               <p>The information system separates information flows logically or physically using
-                     <insert param-id="ac-4.21_prm_1"/> to accomplish <insert param-id="ac-4.21_prm_2"/>.</p>
-            </part>
-            <part id="ac-4.21_gdn" name="guidance">
-               <p>Enforcing the separation of information flows by type can enhance protection by
-                  ensuring that information is not commingled while in transit and by enabling flow
-                  control by transmission paths perhaps not otherwise achievable. Types of separable
-                  information include, for example, inbound and outbound communications traffic,
-                  service requests and responses, and information of differing security
-                  categories.</p>
-            </part>
-            <part id="ac-4.21_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-4.21_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-4(21)[1]</prop>
-                  <p>the organization defines the required separations of information flows by types
-                     of information;</p>
-               </part>
-               <part id="ac-4.21_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-4(21)[2]</prop>
-                  <p>the organization defines the mechanisms and/or techniques to be used to
-                     separate information flows logically or physically; and</p>
-               </part>
-               <part id="ac-4.21_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-4(21)[3]</prop>
-                  <p>the information system separates information flows logically or physically
-                     using organization-defined mechanisms and/or techniques to accomplish
-                     organization-defined required separations by types of information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information flow enforcement policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of required separation of information flows by information types</p>
-                  <p>list of mechanisms and/or techniques used to logically or physically separate
-                     information flows</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information flow enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-5">
-         <title>Separation of Duties</title>
-         <param id="ac-5_prm_1">
-            <label>organization-defined duties of individuals</label>
-         </param>
-         <prop name="label">AC-5</prop>
-         <prop name="sort-id">ac-05</prop>
-         <part id="ac-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Separates <insert param-id="ac-5_prm_1"/>;</p>
-            </part>
-            <part id="ac-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents separation of duties of individuals; and</p>
-            </part>
-            <part id="ac-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Defines information system access authorizations to support separation of
-                  duties.</p>
-            </part>
-            <part id="ac-5_fr" name="item">
-               <title>AC-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-5_gdn" name="guidance">
-            <p>Separation of duties addresses the potential for abuse of authorized privileges and
-               helps to reduce the risk of malevolent activity without collusion. Separation of
-               duties includes, for example: (i) dividing mission functions and information system
-               support functions among different individuals and/or roles; (ii) conducting
-               information system support functions with different individuals (e.g., system
-               management, programming, configuration management, quality assurance and testing, and
-               network security); and (iii) ensuring security personnel administering access control
-               functions do not also administer audit functions.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-         </part>
-         <part id="ac-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-5.a_obj" name="objective">
-               <prop name="label">AC-5(a)</prop>
-               <part id="ac-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-5(a)[1]</prop>
-                  <p>defines duties of individuals to be separated;</p>
-               </part>
-               <part id="ac-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-5(a)[2]</prop>
-                  <p>separates organization-defined duties of individuals;</p>
-               </part>
-            </part>
-            <part id="ac-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-5(b)</prop>
-               <p>documents separation of duties; and</p>
-            </part>
-            <part id="ac-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-5(c)</prop>
-               <p>defines information system access authorizations to support separation of
-                  duties.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing divisions of responsibility and separation of duties</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of divisions of responsibility and separation of duties</p>
-               <p>information system access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining appropriate divisions
-                  of responsibility and separation of duties</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing separation of duties policy</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-6">
-         <title>Least Privilege</title>
-         <prop name="label">AC-6</prop>
-         <prop name="sort-id">ac-06</prop>
-         <part id="ac-6_smt" name="statement">
-            <p>The organization employs the principle of least privilege, allowing only authorized
-               accesses for users (or processes acting on behalf of users) which are necessary to
-               accomplish assigned tasks in accordance with organizational missions and business
-               functions.</p>
-         </part>
-         <part id="ac-6_gdn" name="guidance">
-            <p>Organizations employ least privilege for specific duties and information systems. The
-               principle of least privilege is also applied to information system processes,
-               ensuring that the processes operate at privilege levels no higher than necessary to
-               accomplish required organizational missions/business functions. Organizations
-               consider the creation of additional processes, roles, and information system accounts
-               as necessary, to achieve least privilege. Organizations also apply least privilege to
-               the development, implementation, and operation of organizational information
-               systems.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="ac-6_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization employs the principle of least privilege, allowing only
-               authorized access for users (and processes acting on behalf of users) which are
-               necessary to accomplish assigned tasks in accordance with organizational missions and
-               business functions. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing least privilege</p>
-               <p>list of assigned access authorizations (user privileges)</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining least privileges
-                  necessary to accomplish specified tasks</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing least privilege functions</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-6.1">
-            <title>Authorize Access to Security Functions</title>
-            <param id="ac-6.1_prm_1">
-               <label>organization-defined security functions (deployed in hardware, software, and
-                  firmware) and security-relevant information</label>
-            </param>
-            <prop name="label">AC-6(1)</prop>
-            <prop name="sort-id">ac-06.01</prop>
-            <part id="ac-6.1_smt" name="statement">
-               <p>The organization explicitly authorizes access to <insert param-id="ac-6.1_prm_1"/>.</p>
-            </part>
-            <part id="ac-6.1_gdn" name="guidance">
-               <p>Security functions include, for example, establishing system accounts, configuring
-                  access authorizations (i.e., permissions, privileges), setting events to be
-                  audited, and setting intrusion detection parameters. Security-relevant information
-                  includes, for example, filtering rules for routers/firewalls, cryptographic key
-                  management information, configuration parameters for security services, and access
-                  control lists. Explicitly authorized personnel include, for example, security
-                  administrators, system and network administrators, system security officers,
-                  system maintenance personnel, system programmers, and other privileged users.</p>
-               <link rel="related" href="#ac-17">AC-17</link>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ac-19">AC-19</link>
-            </part>
-            <part id="ac-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-6.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(1)[1]</prop>
-                  <p>defines security-relevant information for which access must be explicitly
-                     authorized;</p>
-               </part>
-               <part id="ac-6.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(1)[2]</prop>
-                  <p>defines security functions deployed in:</p>
-                  <part id="ac-6.1_obj.2.a" name="objective">
-                     <prop name="label">AC-6(1)[2][a]</prop>
-                     <p>hardware;</p>
-                  </part>
-                  <part id="ac-6.1_obj.2.b" name="objective">
-                     <prop name="label">AC-6(1)[2][b]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="ac-6.1_obj.2.c" name="objective">
-                     <prop name="label">AC-6(1)[2][c]</prop>
-                     <p>firmware;</p>
-                  </part>
-               </part>
-               <part id="ac-6.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(1)[3]</prop>
-                  <p>explicitly authorizes access to:</p>
-                  <part id="ac-6.1_obj.3.a" name="objective">
-                     <prop name="label">AC-6(1)[3][a]</prop>
-                     <p>organization-defined security functions; and</p>
-                  </part>
-                  <part id="ac-6.1_obj.3.b" name="objective">
-                     <prop name="label">AC-6(1)[3][b]</prop>
-                     <p>security-relevant information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of security functions (deployed in hardware, software, and firmware) and
-                     security-relevant information for which access must be explicitly
-                     authorized</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.2">
-            <title>Non-privileged Access for Nonsecurity Functions</title>
-            <param id="ac-6.2_prm_1">
-               <label>organization-defined security functions or security-relevant
-                  information</label>
-               <constraint>all security functions</constraint>
-            </param>
-            <prop name="label">AC-6(2)</prop>
-            <prop name="sort-id">ac-06.02</prop>
-            <part id="ac-6.2_smt" name="statement">
-               <p>The organization requires that users of information system accounts, or roles,
-                  with access to <insert param-id="ac-6.2_prm_1"/>, use non-privileged accounts or
-                  roles, when accessing nonsecurity functions.</p>
-               <part id="ac-6.2_fr" name="item">
-                  <title>AC-6 (2) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ac-6.2_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-6.2_gdn" name="guidance">
-               <p>This control enhancement limits exposure when operating from within privileged
-                  accounts or roles. The inclusion of roles addresses situations where organizations
-                  implement access control policies such as role-based access control and where a
-                  change of role provides the same degree of assurance in the change of access
-                  authorizations for both the user and all processes acting on behalf of the user as
-                  would be provided by a change between a privileged and non-privileged account.</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-            </part>
-            <part id="ac-6.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-6.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(2)[1]</prop>
-                  <p>defines security functions or security-relevant information to which users of
-                     information system accounts, or roles, have access; and</p>
-               </part>
-               <part id="ac-6.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(2)[2]</prop>
-                  <p>requires that users of information system accounts, or roles, with access to
-                     organization-defined security functions or security-relevant information, use
-                     non-privileged accounts, or roles, when accessing nonsecurity functions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated security functions or security-relevant information
-                     assigned to information system accounts or roles</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.5">
-            <title>Privileged Accounts</title>
-            <param id="ac-6.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">AC-6(5)</prop>
-            <prop name="sort-id">ac-06.05</prop>
-            <part id="ac-6.5_smt" name="statement">
-               <p>The organization restricts privileged accounts on the information system to
-                     <insert param-id="ac-6.5_prm_1"/>.</p>
-            </part>
-            <part id="ac-6.5_gdn" name="guidance">
-               <p>Privileged accounts, including super user accounts, are typically described as
-                  system administrator for various types of commercial off-the-shelf operating
-                  systems. Restricting privileged accounts to specific personnel or roles prevents
-                  day-to-day users from having access to privileged information/functions.
-                  Organizations may differentiate in the application of this control enhancement
-                  between allowed privileges for local accounts and for domain accounts provided
-                  organizations retain the ability to control information system configurations for
-                  key security parameters and as otherwise necessary to sufficiently mitigate
-                  risk.</p>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="ac-6.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-6.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-6(5)[1]</prop>
-                  <p>defines personnel or roles for which privileged accounts on the information
-                     system are to be restricted; and</p>
-               </part>
-               <part id="ac-6.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-6(5)[2]</prop>
-                  <p>restricts privileged accounts on the information system to organization-defined
-                     personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated privileged accounts</p>
-                  <p>list of system administration personnel</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.9">
-            <title>Auditing Use of Privileged Functions</title>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-6(9)</prop>
-            <prop name="sort-id">ac-06.09</prop>
-            <part id="ac-6.9_smt" name="statement">
-               <p>The information system audits the execution of privileged functions.</p>
-            </part>
-            <part id="ac-6.9_gdn" name="guidance">
-               <p>Misuse of privileged functions, either intentionally or unintentionally by
-                  authorized users, or by unauthorized external entities that have compromised
-                  information system accounts, is a serious and ongoing concern and can have
-                  significant adverse impacts on organizations. Auditing the use of privileged
-                  functions is one way to detect such misuse, and in doing so, help mitigate the
-                  risk from insider threats and the advanced persistent threat (APT).</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ac-6.9_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system audits the execution of privileged functions.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of privileged functions to be audited</p>
-                  <p>list of audited events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reviewing least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms auditing the execution of least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.10">
-            <title>Prohibit Non-privileged Users from Executing Privileged Functions</title>
-            <prop name="label">AC-6(10)</prop>
-            <prop name="sort-id">ac-06.10</prop>
-            <part id="ac-6.10_smt" name="statement">
-               <p>The information system prevents non-privileged users from executing privileged
-                  functions to include disabling, circumventing, or altering implemented security
-                  safeguards/countermeasures.</p>
-            </part>
-            <part id="ac-6.10_gdn" name="guidance">
-               <p>Privileged functions include, for example, establishing information system
-                  accounts, performing system integrity checks, or administering cryptographic key
-                  management activities. Non-privileged users are individuals that do not possess
-                  appropriate authorizations. Circumventing intrusion detection and prevention
-                  mechanisms or malicious code protection mechanisms are examples of privileged
-                  functions that require protection from non-privileged users.</p>
-            </part>
-            <part id="ac-6.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system prevents non-privileged users from executing
-                  privileged functions to include:</p>
-               <part id="ac-6.10_obj.1" name="objective">
-                  <prop name="label">AC-6(10)[1]</prop>
-                  <p>disabling implemented security safeguards/countermeasures;</p>
-               </part>
-               <part id="ac-6.10_obj.2" name="objective">
-                  <prop name="label">AC-6(10)[2]</prop>
-                  <p>circumventing security safeguards/countermeasures; or</p>
-               </part>
-               <part id="ac-6.10_obj.3" name="objective">
-                  <prop name="label">AC-6(10)[3]</prop>
-                  <p>altering implemented security safeguards/countermeasures.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of privileged functions and associated user account assignments</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions for non-privileged
-                     users</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-7">
-         <title>Unsuccessful Logon Attempts</title>
-         <param id="ac-7_prm_1">
-            <label>organization-defined number</label>
-            <constraint>not more than three (3)</constraint>
-         </param>
-         <param id="ac-7_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>fifteen (15) minutes</constraint>
-         </param>
-         <param id="ac-7_prm_3"/>
-         <param id="ac-7_prm_4" depends-on="ac-7_prm_3">
-            <label>organization-defined time period</label>
-            <constraint>locks the account/node for thirty minutes</constraint>
-         </param>
-         <param id="ac-7_prm_5" depends-on="ac-7_prm_3">
-            <label>organization-defined delay algorithm</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-7</prop>
-         <prop name="sort-id">ac-07</prop>
-         <part id="ac-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces a limit of <insert param-id="ac-7_prm_1"/> consecutive invalid logon
-                  attempts by a user during a <insert param-id="ac-7_prm_2"/>; and</p>
-            </part>
-            <part id="ac-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Automatically <insert param-id="ac-7_prm_3"/> when the maximum number of
-                  unsuccessful attempts is exceeded.</p>
-            </part>
-         </part>
-         <part id="ac-7_gdn" name="guidance">
-            <p>This control applies regardless of whether the logon occurs via a local or network
-               connection. Due to the potential for denial of service, automatic lockouts initiated
-               by information systems are usually temporary and automatically release after a
-               predetermined time period established by organizations. If a delay algorithm is
-               selected, organizations may choose to employ different algorithms for different
-               information system components based on the capabilities of those components.
-               Responses to unsuccessful logon attempts may be implemented at both the operating
-               system and the application levels.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-         </part>
-         <part id="ac-7_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="ac-7.a_obj" name="objective">
-               <prop name="label">AC-7(a)</prop>
-               <part id="ac-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(a)[1]</prop>
-                  <p>the organization defines the number of consecutive invalid logon attempts
-                     allowed to the information system by a user during an organization-defined time
-                     period;</p>
-               </part>
-               <part id="ac-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(a)[2]</prop>
-                  <p>the organization defines the time period allowed by a user of the information
-                     system for an organization-defined number of consecutive invalid logon
-                     attempts;</p>
-               </part>
-               <part id="ac-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-7(a)[3]</prop>
-                  <p>the information system enforces a limit of organization-defined number of
-                     consecutive invalid logon attempts by a user during an organization-defined
-                     time period;</p>
-               </part>
-            </part>
-            <part id="ac-7.b_obj" name="objective">
-               <prop name="label">AC-7(b)</prop>
-               <part id="ac-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-7(b)[1]</prop>
-                  <p>the organization defines account/node lockout time period or logon delay
-                     algorithm to be automatically enforced by the information system when the
-                     maximum number of unsuccessful logon attempts is exceeded;</p>
-               </part>
-               <part id="ac-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-7(b)[2]</prop>
-                  <p>the information system, when the maximum number of unsuccessful logon attempts
-                     is exceeded, automatically:</p>
-                  <part id="ac-7.b_obj.2.a" name="objective">
-                     <prop name="label">AC-7(b)[2][a]</prop>
-                     <p>locks the account/node for the organization-defined time period;</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.b" name="objective">
-                     <prop name="label">AC-7(b)[2][b]</prop>
-                     <p>locks the account/node until released by an administrator; or</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.c" name="objective">
-                     <prop name="label">AC-7(b)[2][c]</prop>
-                     <p>delays next logon prompt according to the organization-defined delay
-                        algorithm.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing unsuccessful logon attempts</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for unsuccessful logon
-                  attempts</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-8">
-         <title>System Use Notification</title>
-         <param id="ac-8_prm_1">
-            <label>organization-defined system use notification message or banner</label>
-            <constraint>see additional Requirements and Guidance</constraint>
-         </param>
-         <param id="ac-8_prm_2">
-            <label>organization-defined conditions</label>
-            <constraint>see additional Requirements and Guidance]</constraint>
-         </param>
-         <prop name="label">AC-8</prop>
-         <prop name="sort-id">ac-08</prop>
-         <part id="ac-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Displays to users <insert param-id="ac-8_prm_1"/> before granting access to the
-                  system that provides privacy and security notices consistent with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance and states that:</p>
-               <part id="ac-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Users are accessing a U.S. Government information system;</p>
-               </part>
-               <part id="ac-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Information system usage may be monitored, recorded, and subject to audit;</p>
-               </part>
-               <part id="ac-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Unauthorized use of the information system is prohibited and subject to
-                     criminal and civil penalties; and</p>
-               </part>
-               <part id="ac-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Use of the information system indicates consent to monitoring and
-                     recording;</p>
-               </part>
-            </part>
-            <part id="ac-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains the notification message or banner on the screen until users acknowledge
-                  the usage conditions and take explicit actions to log on to or further access the
-                  information system; and</p>
-            </part>
-            <part id="ac-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>For publicly accessible systems:</p>
-               <part id="ac-8_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Displays system use information <insert param-id="ac-8_prm_2"/>, before
-                     granting further access;</p>
-               </part>
-               <part id="ac-8_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Displays references, if any, to monitoring, recording, or auditing that are
-                     consistent with privacy accommodations for such systems that generally prohibit
-                     those activities; and</p>
-               </part>
-               <part id="ac-8_smt.c.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Includes a description of the authorized uses of the system.</p>
-               </part>
-            </part>
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-8_gdn" name="guidance">
-            <p>System use notifications can be implemented using messages or warning banners
-               displayed before individuals log in to information systems. System use notifications
-               are used only for access via logon interfaces with human users and are not required
-               when such human interfaces do not exist. Organizations consider system use
-               notification messages/banners displayed in multiple languages based on specific
-               organizational needs and the demographics of information system users. Organizations
-               also consult with the Office of the General Counsel for legal review and approval of
-               warning banner content.</p>
-         </part>
-         <part id="ac-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-8.a_obj" name="objective">
-               <prop name="label">AC-8(a)</prop>
-               <part id="ac-8.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-8(a)[1]</prop>
-                  <p>the organization defines a system use notification message or banner to be
-                     displayed by the information system to users before granting access to the
-                     system;</p>
-               </part>
-               <part id="ac-8.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-8(a)[2]</prop>
-                  <p>the information system displays to users the organization-defined system use
-                     notification message or banner before granting access to the information system
-                     that provides privacy and security notices consistent with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance, and states that:</p>
-                  <part id="ac-8.a.1_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](1)</prop>
-                     <p>users are accessing a U.S. Government information system;</p>
-                  </part>
-                  <part id="ac-8.a.2_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](2)</prop>
-                     <p>information system usage may be monitored, recorded, and subject to
-                        audit;</p>
-                  </part>
-                  <part id="ac-8.a.3_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](3)</prop>
-                     <p>unauthorized use of the information system is prohibited and subject to
-                        criminal and civil penalties;</p>
-                  </part>
-                  <part id="ac-8.a.4_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](4)</prop>
-                     <p>use of the information system indicates consent to monitoring and
-                        recording;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-8.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-8(b)</prop>
-               <p>the information system retains the notification message or banner on the screen
-                  until users acknowledge the usage conditions and take explicit actions to log on
-                  to or further access the information system;</p>
-            </part>
-            <part id="ac-8.c_obj" name="objective">
-               <prop name="label">AC-8(c)</prop>
-               <p>for publicly accessible systems:</p>
-               <part id="ac-8.c.1_obj" name="objective">
-                  <prop name="label">AC-8(c)(1)</prop>
-                  <part id="ac-8.c.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-8(c)(1)[1]</prop>
-                     <p>the organization defines conditions for system use to be displayed by the
-                        information system before granting further access;</p>
-                  </part>
-                  <part id="ac-8.c.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-8(c)(1)[2]</prop>
-                     <p>the information system displays organization-defined conditions before
-                        granting further access;</p>
-                  </part>
-               </part>
-               <part id="ac-8.c.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-8(c)(2)</prop>
-                  <p>the information system displays references, if any, to monitoring, recording,
-                     or auditing that are consistent with privacy accommodations for such systems
-                     that generally prohibit those activities; and</p>
-               </part>
-               <part id="ac-8.c.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-8(c)(3)</prop>
-                  <p>the information system includes a description of the authorized uses of the
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>privacy and security policies, procedures addressing system use notification</p>
-               <p>documented approval of information system use notification messages or banners</p>
-               <p>information system audit records</p>
-               <p>user acknowledgements of notification message or banner</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system use notification messages</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for providing legal advice</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing system use notification</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-10">
-         <title>Concurrent Session Control</title>
-         <param id="ac-10_prm_1">
-            <label>organization-defined account and/or account type</label>
-         </param>
-         <param id="ac-10_prm_2">
-            <label>organization-defined number</label>
-            <constraint>three (3) sessions for privileged access and two (2) sessions for non-privileged access</constraint>
-         </param>
-         <prop name="label">AC-10</prop>
-         <prop name="sort-id">ac-10</prop>
-         <part id="ac-10_smt" name="statement">
-            <p>The information system limits the number of concurrent sessions for each <insert param-id="ac-10_prm_1"/> to <insert param-id="ac-10_prm_2"/>.</p>
-         </part>
-         <part id="ac-10_gdn" name="guidance">
-            <p>Organizations may define the maximum number of concurrent sessions for information
-               system accounts globally, by account type (e.g., privileged user, non-privileged
-               user, domain, specific application), by account, or a combination. For example,
-               organizations may limit the number of concurrent sessions for system administrators
-               or individuals working in particularly sensitive domains or mission-critical
-               applications. This control addresses concurrent sessions for information system
-               accounts and does not address concurrent sessions by single users via multiple system
-               accounts.</p>
-         </part>
-         <part id="ac-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-10[1]</prop>
-               <p>the organization defines account and/or account types for the information
-                  system;</p>
-            </part>
-            <part id="ac-10_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-10[2]</prop>
-               <p>the organization defines the number of concurrent sessions to be allowed for each
-                  organization-defined account and/or account type; and</p>
-            </part>
-            <part id="ac-10_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-10[3]</prop>
-               <p>the information system limits the number of concurrent sessions for each
-                  organization-defined account and/or account type to the organization-defined
-                  number of concurrent sessions allowed.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing concurrent session control</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for concurrent session
-                  control</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-11">
-         <title>Session Lock</title>
-         <param id="ac-11_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>fifteen (15) minutes</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-11</prop>
-         <prop name="sort-id">ac-11</prop>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <part id="ac-11_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prevents further access to the system by initiating a session lock after <insert param-id="ac-11_prm_1"/> of inactivity or upon receiving a request from a user;
-                  and</p>
-            </part>
-            <part id="ac-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains the session lock until the user reestablishes access using established
-                  identification and authentication procedures.</p>
-            </part>
-         </part>
-         <part id="ac-11_gdn" name="guidance">
-            <p>Session locks are temporary actions taken when users stop work and move away from the
-               immediate vicinity of information systems but do not want to log out because of the
-               temporary nature of their absences. Session locks are implemented where session
-               activities can be determined. This is typically at the operating system level, but
-               can also be at the application level. Session locks are not an acceptable substitute
-               for logging out of information systems, for example, if organizations require users
-               to log out at the end of workdays.</p>
-            <link rel="related" href="#ac-7">AC-7</link>
-         </part>
-         <part id="ac-11_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-11.a_obj" name="objective">
-               <prop name="label">AC-11(a)</prop>
-               <part id="ac-11.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-11(a)[1]</prop>
-                  <p>the organization defines the time period of user inactivity after which the
-                     information system initiates a session lock;</p>
-               </part>
-               <part id="ac-11.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-11(a)[2]</prop>
-                  <p>the information system prevents further access to the system by initiating a
-                     session lock after organization-defined time period of user inactivity or upon
-                     receiving a request from a user; and</p>
-               </part>
-            </part>
-            <part id="ac-11.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-11(b)</prop>
-               <p>the information system retains the session lock until the user reestablishes
-                  access using established identification and authentication procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing session lock</p>
-               <p>procedures addressing identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for session lock</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-11.1">
-            <title>Pattern-hiding Displays</title>
-            <prop name="label">AC-11(1)</prop>
-            <prop name="sort-id">ac-11.01</prop>
-            <part id="ac-11.1_smt" name="statement">
-               <p>The information system conceals, via the session lock, information previously
-                  visible on the display with a publicly viewable image.</p>
-            </part>
-            <part id="ac-11.1_gdn" name="guidance">
-               <p>Publicly viewable images can include static or dynamic images, for example,
-                  patterns used with screen savers, photographic images, solid colors, clock,
-                  battery life indicator, or a blank screen, with the additional caveat that none of
-                  the images convey sensitive information.</p>
-            </part>
-            <part id="ac-11.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system conceals, via the session lock, information
-                  previously visible on the display with a publicly viewable image.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing session lock</p>
-                  <p>display screen with session lock activated</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system session lock mechanisms</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-12">
-         <title>Session Termination</title>
-         <param id="ac-12_prm_1">
-            <label>organization-defined conditions or trigger events requiring session
-               disconnect</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-12</prop>
-         <prop name="sort-id">ac-12</prop>
-         <part id="ac-12_smt" name="statement">
-            <p>The information system automatically terminates a user session after <insert param-id="ac-12_prm_1"/>.</p>
-         </part>
-         <part id="ac-12_gdn" name="guidance">
-            <p>This control addresses the termination of user-initiated logical sessions in contrast
-               to SC-10 which addresses the termination of network connections that are associated
-               with communications sessions (i.e., network disconnect). A logical session (for
-               local, network, and remote access) is initiated whenever a user (or process acting on
-               behalf of a user) accesses an organizational information system. Such user sessions
-               can be terminated (and thus terminate user access) without terminating network
-               sessions. Session termination terminates all processes associated with a user’s
-               logical session except those processes that are specifically created by the user
-               (i.e., session owner) to continue after the session is terminated. Conditions or
-               trigger events requiring automatic session termination can include, for example,
-               organization-defined periods of user inactivity, targeted responses to certain types
-               of incidents, time-of-day restrictions on information system use.</p>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-23">SC-23</link>
-         </part>
-         <part id="ac-12_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-12_obj.1" name="objective">
-               <prop name="label">AC-12[1]</prop>
-               <p>the organization defines conditions or trigger events requiring session
-                  disconnect; and</p>
-            </part>
-            <part id="ac-12_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-12[2]</prop>
-               <p>the information system automatically terminates a user session after
-                  organization-defined conditions or trigger events requiring session disconnect
-                  occurs.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing session termination</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of conditions or trigger events requiring session disconnect</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing user session termination</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-14">
-         <title>Permitted Actions Without Identification or Authentication</title>
-         <param id="ac-14_prm_1">
-            <label>organization-defined user actions</label>
-         </param>
-         <prop name="label">AC-14</prop>
-         <prop name="sort-id">ac-14</prop>
-         <part id="ac-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies <insert param-id="ac-14_prm_1"/> that can be performed on the
-                  information system without identification or authentication consistent with
-                  organizational missions/business functions; and</p>
-            </part>
-            <part id="ac-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part id="ac-14_gdn" name="guidance">
-            <p>This control addresses situations in which organizations determine that no
-               identification or authentication is required in organizational information systems.
-               Organizations may allow a limited number of user actions without identification or
-               authentication including, for example, when individuals access public websites or
-               other publicly accessible federal information systems, when individuals use mobile
-               phones to receive calls, or when facsimiles are received. Organizations also identify
-               actions that normally require identification or authentication but may under certain
-               circumstances (e.g., emergencies), allow identification or authentication mechanisms
-               to be bypassed. Such bypasses may occur, for example, via a software-readable
-               physical switch that commands bypass of the logon functionality and is protected from
-               accidental or unmonitored use. This control does not apply to situations where
-               identification and authentication have already occurred and are not repeated, but
-               rather to situations where identification and authentication have not yet occurred.
-               Organizations may decide that there are no user actions that can be performed on
-               organizational information systems without identification and authentication and
-               thus, the values for assignment statements can be none.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-         </part>
-         <part id="ac-14_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-14.a_obj" name="objective">
-               <prop name="label">AC-14(a)</prop>
-               <part id="ac-14.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-14(a)[1]</prop>
-                  <p>defines user actions that can be performed on the information system without
-                     identification or authentication consistent with organizational
-                     missions/business functions;</p>
-               </part>
-               <part id="ac-14.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AC-14(a)[2]</prop>
-                  <p>identifies organization-defined user actions that can be performed on the
-                     information system without identification or authentication consistent with
-                     organizational missions/business functions; and</p>
-               </part>
-            </part>
-            <part id="ac-14.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-14(b)</prop>
-               <p>documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing permitted actions without identification or
-                  authentication</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>list of user actions that can be performed without identification or
-                  authentication</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-17">
-         <title>Remote Access</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-17</prop>
-         <prop name="sort-id">ac-17</prop>
-         <link href="#5309d4d0-46f8-4213-a749-e7584164e5e8" rel="reference">NIST Special Publication 800-46</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#349fe082-502d-464a-aa0c-1443c6a5cf40" rel="reference">NIST Special Publication 800-113</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#d1a4e2a9-e512-4132-8795-5357aba29254" rel="reference">NIST Special Publication 800-121</link>
-         <part id="ac-17_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents usage restrictions, configuration/connection
-                  requirements, and implementation guidance for each type of remote access allowed;
-                  and</p>
-            </part>
-            <part id="ac-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-17_gdn" name="guidance">
-            <p>Remote access is access to organizational information systems by users (or processes
-               acting on behalf of users) communicating through external networks (e.g., the
-               Internet). Remote access methods include, for example, dial-up, broadband, and
-               wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-               enhance confidentiality and integrity over remote connections. The use of encrypted
-               VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-               provisioned with appropriate security controls (e.g., employing appropriate
-               encryption techniques for confidentiality and integrity protection) may provide
-               sufficient assurance to the organization that it can effectively treat such
-               connections as internal networks. Still, VPN connections traverse external networks,
-               and the encrypted VPN does not enhance the availability of remote connections. Also,
-               VPNs with encrypted tunnels can affect the organizational capability to adequately
-               monitor network communications traffic for malicious code. Remote access controls
-               apply to information systems other than public web servers or systems designed for
-               public access. This control addresses authorization prior to allowing remote access
-               without specifying the formats for such authorization. While organizations may use
-               interconnection security agreements to authorize remote access connections, such
-               agreements are not required by this control. Enforcing access restrictions for remote
-               connections is addressed in AC-3.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#pe-17">PE-17</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-17_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-17.a_obj" name="objective">
-               <prop name="label">AC-17(a)</prop>
-               <part id="ac-17.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[1]</prop>
-                  <p>identifies the types of remote access allowed to the information system;</p>
-               </part>
-               <part id="ac-17.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[2]</prop>
-                  <p>establishes for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.2.a" name="objective">
-                     <prop name="label">AC-17(a)[2][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.b" name="objective">
-                     <prop name="label">AC-17(a)[2][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.c" name="objective">
-                     <prop name="label">AC-17(a)[2][c]</prop>
-                     <p>implementation guidance;</p>
-                  </part>
-               </part>
-               <part id="ac-17.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(a)[3]</prop>
-                  <p>documents for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.3.a" name="objective">
-                     <prop name="label">AC-17(a)[3][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.b" name="objective">
-                     <prop name="label">AC-17(a)[3][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.c" name="objective">
-                     <prop name="label">AC-17(a)[3][c]</prop>
-                     <p>implementation guidance; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-17.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-17(b)</prop>
-               <p>authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing remote access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>remote access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing remote access
-                  connections</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Remote access management capability for the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-17.1">
-            <title>Automated Monitoring / Control</title>
-            <prop name="label">AC-17(1)</prop>
-            <prop name="sort-id">ac-17.01</prop>
-            <part id="ac-17.1_smt" name="statement">
-               <p>The information system monitors and controls remote access methods.</p>
-            </part>
-            <part id="ac-17.1_gdn" name="guidance">
-               <p>Automated monitoring and control of remote access sessions allows organizations to
-                  detect cyber attacks and also ensure ongoing compliance with remote access
-                  policies by auditing connection activities of remote users on a variety of
-                  information system components (e.g., servers, workstations, notebook computers,
-                  smart phones, and tablets).</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="ac-17.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system monitors and controls remote access methods.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>information system monitoring records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms monitoring and controlling remote access methods</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.2">
-            <title>Protection of Confidentiality / Integrity Using Encryption</title>
-            <prop name="label">AC-17(2)</prop>
-            <prop name="sort-id">ac-17.02</prop>
-            <part id="ac-17.2_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  confidentiality and integrity of remote access sessions.</p>
-            </part>
-            <part id="ac-17.2_gdn" name="guidance">
-               <p>The encryption strength of mechanism is selected based on the security
-                  categorization of the information.</p>
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ac-17.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements cryptographic mechanisms to protect
-                  the confidentiality and integrity of remote access sessions. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting confidentiality and integrity of remote
-                     access sessions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.3">
-            <title>Managed Access Control Points</title>
-            <param id="ac-17.3_prm_1">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">AC-17(3)</prop>
-            <prop name="sort-id">ac-17.03</prop>
-            <part id="ac-17.3_smt" name="statement">
-               <p>The information system routes all remote accesses through <insert param-id="ac-17.3_prm_1"/> managed network access control points.</p>
-            </part>
-            <part id="ac-17.3_gdn" name="guidance">
-               <p>Limiting the number of access control points for remote accesses reduces the
-                  attack surface for organizations. Organizations consider the Trusted Internet
-                  Connections (TIC) initiative requirements for external network connections.</p>
-               <link rel="related" href="#sc-7">SC-7</link>
-            </part>
-            <part id="ac-17.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-17.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(3)[1]</prop>
-                  <p>the organization defines the number of managed network access control points
-                     through which all remote accesses are to be routed; and</p>
-               </part>
-               <part id="ac-17.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-17(3)[2]</prop>
-                  <p>the information system routes all remote accesses through the
-                     organization-defined number of managed network access control points.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>list of all managed network access control points</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms routing all remote accesses through managed network access
-                     control points</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.4">
-            <title>Privileged Commands / Access</title>
-            <param id="ac-17.4_prm_1">
-               <label>organization-defined needs</label>
-            </param>
-            <prop name="label">AC-17(4)</prop>
-            <prop name="sort-id">ac-17.04</prop>
-            <part id="ac-17.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-17.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Authorizes the execution of privileged commands and access to security-relevant
-                     information via remote access only for <insert param-id="ac-17.4_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="ac-17.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Documents the rationale for such access in the security plan for the
-                     information system.</p>
-               </part>
-            </part>
-            <part id="ac-17.4_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ac-17.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-17.4.a_obj" name="objective">
-                  <prop name="label">AC-17(4)(a)</prop>
-                  <part id="ac-17.4.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AC-17(4)(a)[1]</prop>
-                     <p>defines needs to authorize the execution of privileged commands and access
-                        to security-relevant information via remote access;</p>
-                  </part>
-                  <part id="ac-17.4.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AC-17(4)(a)[2]</prop>
-                     <p>authorizes the execution of privileged commands and access to
-                        security-relevant information via remote access only for
-                        organization-defined needs; and</p>
-                  </part>
-                  <link rel="corresp" href="#ac-17.4_smt.a">AC-17(4)(a)</link>
-               </part>
-               <part id="ac-17.4.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(4)(b)</prop>
-                  <p>documents the rationale for such access in the information system security
-                     plan.</p>
-                  <link rel="corresp" href="#ac-17.4_smt.b">AC-17(4)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security plan</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing remote access management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.9">
-            <title>Disconnect / Disable Access</title>
-            <param id="ac-17.9_prm_1">
-               <label>organization-defined time period</label>
-               <constraint>fifteen 15 minutes</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-17(9)</prop>
-            <prop name="sort-id">ac-17.09</prop>
-            <part id="ac-17.9_smt" name="statement">
-               <p>The organization provides the capability to expeditiously disconnect or disable
-                  remote access to the information system within <insert param-id="ac-17.9_prm_1"/>.</p>
-            </part>
-            <part id="ac-17.9_gdn" name="guidance">
-               <p>This control enhancement requires organizations to have the capability to rapidly
-                  disconnect current users remotely accessing the information system and/or disable
-                  further remote access. The speed of disconnect or disablement varies based on the
-                  criticality of missions/business functions and the need to eliminate immediate or
-                  future remote access to organizational information systems.</p>
-            </part>
-            <part id="ac-17.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-17.9_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-17(9)[1]</prop>
-                  <p>defines the time period within which to expeditiously disconnect or disable
-                     remote access to the information system; and</p>
-               </part>
-               <part id="ac-17.9_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-17(9)[2]</prop>
-                  <p>provides the capability to expeditiously disconnect or disable remote access to
-                     the information system within the organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing disconnecting or disabling remote access to the
-                     information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security plan, information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to disconnect or disable remote
-                     access to information system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-18">
-         <title>Wireless Access</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-18</prop>
-         <prop name="sort-id">ac-18</prop>
-         <link href="#238ed479-eccb-49f6-82ec-ab74a7a428cf" rel="reference">NIST Special Publication 800-48</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#6f336ecd-f2a0-4c84-9699-0491d81b6e0d" rel="reference">NIST Special Publication 800-97</link>
-         <part id="ac-18_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-18_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration/connection requirements, and
-                  implementation guidance for wireless access; and</p>
-            </part>
-            <part id="ac-18_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-18_gdn" name="guidance">
-            <p>Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-               EAP/TLS, PEAP), which provide credential protection and mutual authentication.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-18_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-18.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-18(a)</prop>
-               <p>establishes for wireless access:</p>
-               <part id="ac-18.a_obj.1" name="objective">
-                  <prop name="label">AC-18(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-18.a_obj.2" name="objective">
-                  <prop name="label">AC-18(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-18.a_obj.3" name="objective">
-                  <prop name="label">AC-18(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-18.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-18(b)</prop>
-               <p>authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing wireless access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>wireless access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing wireless access
-                  connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Wireless access management capability for the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-18.1">
-            <title>Authentication and Encryption</title>
-            <param id="ac-18.1_prm_1"/>
-            <prop name="label">AC-18(1)</prop>
-            <prop name="sort-id">ac-18.01</prop>
-            <part id="ac-18.1_smt" name="statement">
-               <p>The information system protects wireless access to the system using authentication
-                  of <insert param-id="ac-18.1_prm_1"/> and encryption.</p>
-            </part>
-            <part id="ac-18.1_gdn" name="guidance">
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ac-18.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system protects wireless access to the system using
-                  encryption and one or more of the following:</p>
-               <part id="ac-18.1_obj.1" name="objective">
-                  <prop name="label">AC-18(1)[1]</prop>
-                  <p>authentication of users; and/or</p>
-               </part>
-               <part id="ac-18.1_obj.2" name="objective">
-                  <prop name="label">AC-18(1)[2]</prop>
-                  <p>authentication of devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing wireless access protections to the
-                     information system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-19">
-         <title>Access Control for Mobile Devices</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-19</prop>
-         <prop name="sort-id">ac-19</prop>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589" rel="reference">NIST Special Publication 800-124</link>
-         <link href="#6513e480-fada-4876-abba-1397084dfb26" rel="reference">NIST Special Publication 800-164</link>
-         <part id="ac-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration requirements, connection
-                  requirements, and implementation guidance for organization-controlled mobile
-                  devices; and</p>
-            </part>
-            <part id="ac-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part id="ac-19_gdn" name="guidance">
-            <p>A mobile device is a computing device that: (i) has a small form factor such that it
-               can easily be carried by a single individual; (ii) is designed to operate without a
-               physical connection (e.g., wirelessly transmit or receive information); (iii)
-               possesses local, non-removable or removable data storage; and (iv) includes a
-               self-contained power source. Mobile devices may also include voice communication
-               capabilities, on-board sensors that allow the device to capture information, and/or
-               built-in features for synchronizing local data with remote locations. Examples
-               include smart phones, E-readers, and tablets. Mobile devices are typically associated
-               with a single individual and the device is usually in close proximity to the
-               individual; however, the degree of proximity can vary depending upon on the form
-               factor and size of the device. The processing, storage, and transmission capability
-               of the mobile device may be comparable to or merely a subset of desktop systems,
-               depending upon the nature and intended purpose of the device. Due to the large
-               variety of mobile devices with different technical characteristics and capabilities,
-               organizational restrictions may vary for the different classes/types of such devices.
-               Usage restrictions and specific implementation guidance for mobile devices include,
-               for example, configuration management, device identification and authentication,
-               implementation of mandatory protective software (e.g., malicious code detection,
-               firewall), scanning devices for malicious code, updating virus protection software,
-               scanning for critical software updates and patches, conducting primary operating
-               system (and possibly other resident software) integrity checks, and disabling
-               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-               need to provide adequate security for mobile devices goes beyond the requirements in
-               this control. Many safeguards and countermeasures for mobile devices are reflected in
-               other security controls in the catalog allocated in the initial control baselines as
-               starting points for the development of security plans and overlays using the
-               tailoring process. There may also be some degree of overlap in the requirements
-               articulated by the security controls within the different families of controls. AC-20
-               addresses mobile devices that are not organization-controlled.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-9">CA-9</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-19.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-19(a)</prop>
-               <p>establishes for organization-controlled mobile devices:</p>
-               <part id="ac-19.a_obj.1" name="objective">
-                  <prop name="label">AC-19(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-19.a_obj.2" name="objective">
-                  <prop name="label">AC-19(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-19.a_obj.3" name="objective">
-                  <prop name="label">AC-19(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-19.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-19(b)</prop>
-               <p>authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access control for mobile device usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>authorizations for mobile device connections to organizational information
-                  systems</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel using mobile devices to access organizational information
-                  systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Access control capability authorizing mobile device connections to organizational
-                  information systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-19.5">
-            <title>Full Device / Container-based Encryption</title>
-            <param id="ac-19.5_prm_1"/>
-            <param id="ac-19.5_prm_2">
-               <label>organization-defined mobile devices</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AC-19(5)</prop>
-            <prop name="sort-id">ac-19.05</prop>
-            <part id="ac-19.5_smt" name="statement">
-               <p>The organization employs <insert param-id="ac-19.5_prm_1"/> to protect the
-                  confidentiality and integrity of information on <insert param-id="ac-19.5_prm_2"/>.</p>
-            </part>
-            <part id="ac-19.5_gdn" name="guidance">
-               <p>Container-based encryption provides a more fine-grained approach to the encryption
-                  of data/information on mobile devices, including for example, encrypting selected
-                  data structures such as files, records, or fields.</p>
-               <link rel="related" href="#mp-5">MP-5</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-               <link rel="related" href="#sc-28">SC-28</link>
-            </part>
-            <part id="ac-19.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-19.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-19(5)[1]</prop>
-                  <p>defines mobile devices for which full-device encryption or container encryption
-                     is required to protect the confidentiality and integrity of information on such
-                     devices; and</p>
-               </part>
-               <part id="ac-19.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-19(5)[2]</prop>
-                  <p>employs full-device encryption or container encryption to protect the
-                     confidentiality and integrity of information on organization-defined mobile
-                     devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access control for mobile devices</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>encryption mechanism s and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access control responsibilities for mobile
-                     devices</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Encryption mechanisms protecting confidentiality and integrity of information
-                     on mobile devices</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-20">
-         <title>Use of External Information Systems</title>
-         <prop name="label">AC-20</prop>
-         <prop name="sort-id">ac-20</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="ac-20_smt" name="statement">
-            <p>The organization establishes terms and conditions, consistent with any trust
-               relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to:</p>
-            <part id="ac-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Access the information system from external information systems; and</p>
-            </part>
-            <part id="ac-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part id="ac-20_gdn" name="guidance">
-            <p>External information systems are information systems or components of information
-               systems that are outside of the authorization boundary established by organizations
-               and for which organizations typically have no direct supervision and authority over
-               the application of required security controls or the assessment of control
-               effectiveness. External information systems include, for example: (i) personally
-               owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-               personal digital assistants); (ii) privately owned computing and communications
-               devices resident in commercial or public facilities (e.g., hotels, train stations,
-               convention centers, shopping malls, or airports); (iii) information systems owned or
-               controlled by nonfederal governmental organizations; and (iv) federal information
-               systems that are not owned by, operated by, or under the direct supervision and
-               authority of organizations. This control also addresses the use of external
-               information systems for the processing, storage, or transmission of organizational
-               information, including, for example, accessing cloud services (e.g., infrastructure
-               as a service, platform as a service, or software as a service) from organizational
-               information systems. For some external information systems (i.e., information systems
-               operated by other federal agencies, including organizations subordinate to those
-               agencies), the trust relationships that have been established between those
-               organizations and the originating organization may be such, that no explicit terms
-               and conditions are required. Information systems within these organizations would not
-               be considered external. These situations occur when, for example, there are
-               pre-existing sharing/trust agreements (either implicit or explicit) established
-               between federal agencies or organizations subordinate to those agencies, or when such
-               trust agreements are specified by applicable laws, Executive Orders, directives, or
-               policies. Authorized individuals include, for example, organizational personnel,
-               contractors, or other individuals with authorized access to organizational
-               information systems and over which organizations have the authority to impose rules
-               of behavior with regard to system access. Restrictions that organizations impose on
-               authorized individuals need not be uniform, as those restrictions may vary depending
-               upon the trust relationships between organizations. Therefore, organizations may
-               choose to impose different security restrictions on contractors than on state, local,
-               or tribal governments. This control does not apply to the use of external information
-               systems to access public interfaces to organizational information systems (e.g.,
-               individuals accessing federal information through www.usa.gov). Organizations
-               establish terms and conditions for the use of external information systems in
-               accordance with organizational security policies and procedures. Terms and conditions
-               address as a minimum: types of applications that can be accessed on organizational
-               information systems from external information systems; and the highest security
-               category of information that can be processed, stored, or transmitted on external
-               information systems. If terms and conditions with the owners of external information
-               systems cannot be established, organizations may impose restrictions on
-               organizational personnel using those external systems.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ac-20_obj" name="objective">
-            <p>Determine if the organization establishes terms and conditions, consistent with any
-               trust relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to: </p>
-            <part id="ac-20.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-20(a)</prop>
-               <p>access the information system from the external information systems; and</p>
-            </part>
-            <part id="ac-20.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-20(b)</prop>
-               <p>process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing the use of external information systems</p>
-               <p>external information systems terms and conditions</p>
-               <p>list of types of applications accessible from external information systems</p>
-               <p>maximum security categorization for information processed, stored, or transmitted
-                  on external information systems</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining terms and conditions
-                  for use of external information systems to access organizational systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing terms and conditions on use of external
-                  information systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-20.1">
-            <title>Limits On Authorized Use</title>
-            <prop name="label">AC-20(1)</prop>
-            <prop name="sort-id">ac-20.01</prop>
-            <part id="ac-20.1_smt" name="statement">
-               <p>The organization permits authorized individuals to use an external information
-                  system to access the information system or to process, store, or transmit
-                  organization-controlled information only when the organization:</p>
-               <part id="ac-20.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Verifies the implementation of required security controls on the external
-                     system as specified in the organization’s information security policy and
-                     security plan; or</p>
-               </part>
-               <part id="ac-20.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Retains approved information system connection or processing agreements with
-                     the organizational entity hosting the external information system.</p>
-               </part>
-            </part>
-            <part id="ac-20.1_gdn" name="guidance">
-               <p>This control enhancement recognizes that there are circumstances where individuals
-                  using external information systems (e.g., contractors, coalition partners) need to
-                  access organizational information systems. In those situations, organizations need
-                  confidence that the external information systems contain the necessary security
-                  safeguards (i.e., security controls), so as not to compromise, damage, or
-                  otherwise harm organizational information systems. Verification that the required
-                  security controls have been implemented can be achieved, for example, by
-                  third-party, independent assessments, attestations, or other means, depending on
-                  the confidence level required by organizations.</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-            </part>
-            <part id="ac-20.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization permits authorized individuals to use an external
-                  information system to access the information system or to process, store, or
-                  transmit organization-controlled information only when the organization: </p>
-               <part id="ac-20.1.a_obj" name="objective">
-                  <prop name="label">AC-20(1)(a)</prop>
-                  <p>verifies the implementation of required security controls on the external
-                     system as specified in the organization’s information security policy and
-                     security plan; or</p>
-                  <link rel="corresp" href="#ac-20.1_smt.a">AC-20(1)(a)</link>
-               </part>
-               <part id="ac-20.1.b_obj" name="objective">
-                  <prop name="label">AC-20(1)(b)</prop>
-                  <p>retains approved information system connection or processing agreements with
-                     the organizational entity hosting the external information system.</p>
-                  <link rel="corresp" href="#ac-20.1_smt.b">AC-20(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the use of external information systems</p>
-                  <p>security plan</p>
-                  <p>information system connection or processing agreements</p>
-                  <p>account management documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing limits on use of external information
-                     systems</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.2">
-            <title>Portable Storage Devices</title>
-            <param id="ac-20.2_prm_1"/>
-            <prop name="label">AC-20(2)</prop>
-            <prop name="sort-id">ac-20.02</prop>
-            <part id="ac-20.2_smt" name="statement">
-               <p>The organization <insert param-id="ac-20.2_prm_1"/> the use of
-                  organization-controlled portable storage devices by authorized individuals on
-                  external information systems.</p>
-            </part>
-            <part id="ac-20.2_gdn" name="guidance">
-               <p>Limits on the use of organization-controlled portable storage devices in external
-                  information systems include, for example, complete prohibition of the use of such
-                  devices or restrictions on how the devices may be used and under what conditions
-                  the devices may be used.</p>
-            </part>
-            <part id="ac-20.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization restricts or prohibits the use of
-                  organization-controlled portable storage devices by authorized individuals on
-                  external information systems. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the use of external information systems</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system connection or processing agreements</p>
-                  <p>account management documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for restricting or prohibiting
-                     use of organization-controlled storage devices on external information
-                     systems</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing restrictions on use of portable storage
-                     devices</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-21">
-         <title>Information Sharing</title>
-         <param id="ac-21_prm_1">
-            <label>organization-defined information sharing circumstances where user discretion is
-               required</label>
-         </param>
-         <param id="ac-21_prm_2">
-            <label>organization-defined automated mechanisms or manual processes</label>
-         </param>
-         <prop name="label">AC-21</prop>
-         <prop name="sort-id">ac-21</prop>
-         <part id="ac-21_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-21_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Facilitates information sharing by enabling authorized users to determine whether
-                  access authorizations assigned to the sharing partner match the access
-                  restrictions on the information for <insert param-id="ac-21_prm_1"/>; and</p>
-            </part>
-            <part id="ac-21_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs <insert param-id="ac-21_prm_2"/> to assist users in making information
-                  sharing/collaboration decisions.</p>
-            </part>
-         </part>
-         <part id="ac-21_gdn" name="guidance">
-            <p>This control applies to information that may be restricted in some manner (e.g.,
-               privileged medical information, contract-sensitive information, proprietary
-               information, personally identifiable information, classified information related to
-               special access programs or compartments) based on some formal or administrative
-               determination. Depending on the particular information-sharing circumstances, sharing
-               partners may be defined at the individual, group, or organizational level.
-               Information may be defined by content, type, security category, or special access
-               program/compartment.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-         </part>
-         <part id="ac-21_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-21.a_obj" name="objective">
-               <prop name="label">AC-21(a)</prop>
-               <part id="ac-21.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-21(a)[1]</prop>
-                  <p>defines information sharing circumstances where user discretion is
-                     required;</p>
-               </part>
-               <part id="ac-21.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-21(a)[2]</prop>
-                  <p>facilitates information sharing by enabling authorized users to determine
-                     whether access authorizations assigned to the sharing partner match the access
-                     restrictions on the information for organization-defined information sharing
-                     circumstances;</p>
-               </part>
-            </part>
-            <part id="ac-21.b_obj" name="objective">
-               <prop name="label">AC-21(b)</prop>
-               <part id="ac-21.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-21(b)[1]</prop>
-                  <p>defines automated mechanisms or manual processes to be employed to assist users
-                     in making information sharing/collaboration decisions; and</p>
-               </part>
-               <part id="ac-21.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-21(b)[2]</prop>
-                  <p>employs organization-defined automated mechanisms or manual processes to assist
-                     users in making information sharing/collaboration decisions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing user-based collaboration and information sharing (including
-                  restrictions)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of users authorized to make information sharing/collaboration decisions</p>
-               <p>list of information sharing circumstances requiring user discretion</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel responsible for making information sharing/collaboration
-                  decisions</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms or manual process implementing access authorizations
-                  supporting information sharing/user collaboration decisions</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-22">
-         <title>Publicly Accessible Content</title>
-         <param id="ac-22_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least quarterly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AC-22</prop>
-         <prop name="sort-id">ac-22</prop>
-         <part id="ac-22_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-22_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included; and</p>
-            </part>
-            <part id="ac-22_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the content on the publicly accessible information system for nonpublic
-                  information <insert param-id="ac-22_prm_1"/> and removes such information, if
-                  discovered.</p>
-            </part>
-         </part>
-         <part id="ac-22_gdn" name="guidance">
-            <p>In accordance with federal laws, Executive Orders, directives, policies, regulations,
-               standards, and/or guidance, the general public is not authorized access to nonpublic
-               information (e.g., information protected under the Privacy Act and proprietary
-               information). This control addresses information systems that are controlled by the
-               organization and accessible to the general public, typically without identification
-               or authentication. The posting of information on non-organization information systems
-               is covered by organizational policy.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-13">AU-13</link>
-         </part>
-         <part id="ac-22_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-22.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AC-22(a)</prop>
-               <p>designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-22(b)</prop>
-               <p>trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AC-22(c)</prop>
-               <p>reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included;</p>
-            </part>
-            <part id="ac-22.d_obj" name="objective">
-               <prop name="label">AC-22(d)</prop>
-               <part id="ac-22.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AC-22(d)[1]</prop>
-                  <p>defines the frequency to review the content on the publicly accessible
-                     information system for nonpublic information;</p>
-               </part>
-               <part id="ac-22.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-22(d)[2]</prop>
-                  <p>reviews the content on the publicly accessible information system for nonpublic
-                     information with the organization-defined frequency; and</p>
-               </part>
-               <part id="ac-22.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AC-22(d)[3]</prop>
-                  <p>removes nonpublic information from the publicly accessible information system,
-                     if discovered.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing publicly accessible content</p>
-               <p>list of users authorized to post publicly accessible content on organizational
-                  information systems</p>
-               <p>training materials and/or records</p>
-               <p>records of publicly accessible information reviews</p>
-               <p>records of response to nonpublic information on public websites</p>
-               <p>system audit logs</p>
-               <p>security awareness training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing publicly accessible
-                  information posted on organizational information systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing management of publicly accessible content</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="at">
-      <title>Awareness and Training</title>
-      <control class="SP800-53" id="at-1">
-         <title>Security Awareness and Training Policy and Procedures</title>
-         <param id="at-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="at-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="at-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-1</prop>
-         <prop name="sort-id">at-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="at-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="at-1_prm_1"/>:</p>
-               <part id="at-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security awareness and training policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="at-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security awareness and
-                     training policy and associated security awareness and training controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="at-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="at-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security awareness and training policy <insert param-id="at-1_prm_2"/>; and</p>
-               </part>
-               <part id="at-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security awareness and training procedures <insert param-id="at-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="at-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AT
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="at-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-1.a_obj" name="objective">
-               <prop name="label">AT-1(a)</prop>
-               <part id="at-1.a.1_obj" name="objective">
-                  <prop name="label">AT-1(a)(1)</prop>
-                  <part id="at-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(1)[1]</prop>
-                     <p>develops and documents an security awareness and training policy that
-                        addresses:</p>
-                     <part id="at-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="at-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security awareness and training
-                        policy are to be disseminated;</p>
-                  </part>
-                  <part id="at-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AT-1(a)(1)[3]</prop>
-                     <p>disseminates the security awareness and training policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="at-1.a.2_obj" name="objective">
-                  <prop name="label">AT-1(a)(2)</prop>
-                  <part id="at-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security awareness and training policy and associated awareness and training
-                        controls;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AT-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-1.b_obj" name="objective">
-               <prop name="label">AT-1(b)</prop>
-               <part id="at-1.b.1_obj" name="objective">
-                  <prop name="label">AT-1(b)(1)</prop>
-                  <part id="at-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training policy;</p>
-                  </part>
-                  <part id="at-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security awareness and training policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="at-1.b.2_obj" name="objective">
-                  <prop name="label">AT-1(b)(2)</prop>
-                  <part id="at-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training procedures; and</p>
-                  </part>
-                  <part id="at-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AT-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security awareness and training procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security awareness and training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-2">
-         <title>Security Awareness Training</title>
-         <param id="at-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-2</prop>
-         <prop name="sort-id">at-02</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-2_smt" name="statement">
-            <p>The organization provides basic security awareness training to information system
-               users (including managers, senior executives, and contractors):</p>
-            <part id="at-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>As part of initial training for new users;</p>
-            </part>
-            <part id="at-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-2_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-2_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security awareness training and
-               security awareness techniques based on the specific organizational requirements and
-               the information systems to which personnel have authorized access. The content
-               includes a basic understanding of the need for information security and user actions
-               to maintain security and to respond to suspected security incidents. The content also
-               addresses awareness of the need for operations security. Security awareness
-               techniques can include, for example, displaying posters, offering supplies inscribed
-               with security reminders, generating email advisories/notices from senior
-               organizational officials, displaying logon screen messages, and conducting
-               information security awareness events.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="at-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-2(a)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) as part of initial training for new
-                  users;</p>
-            </part>
-            <part id="at-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-2(b)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) when required by information system
-                  changes; and</p>
-            </part>
-            <part id="at-2.c_obj" name="objective">
-               <prop name="label">AT-2(c)</prop>
-               <part id="at-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher security awareness training
-                     thereafter to information system users (including managers, senior executives,
-                     and contractors); and</p>
-               </part>
-               <part id="at-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-2(c)[2]</prop>
-                  <p>provides refresher security awareness training to information users (including
-                     managers, senior executives, and contractors) with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security awareness training implementation</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>security awareness training curriculum</p>
-               <p>security awareness training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for security awareness training</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel comprising the general information system user
-                  community</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing security awareness training</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="at-2.2">
-            <title>Insider Threat</title>
-            <prop name="label">AT-2(2)</prop>
-            <prop name="sort-id">at-02.02</prop>
-            <part id="at-2.2_smt" name="statement">
-               <p>The organization includes security awareness training on recognizing and reporting
-                  potential indicators of insider threat.</p>
-            </part>
-            <part id="at-2.2_gdn" name="guidance">
-               <p>Potential indicators and possible precursors of insider threat can include
-                  behaviors such as inordinate, long-term job dissatisfaction, attempts to gain
-                  access to information not required for job performance, unexplained access to
-                  financial resources, bullying or sexual harassment of fellow employees, workplace
-                  violence, and other serious violations of organizational policies, procedures,
-                  directives, rules, or practices. Security awareness training includes how to
-                  communicate employee and management concerns regarding potential indicators of
-                  insider threat through appropriate organizational channels in accordance with
-                  established organizational policies and procedures.</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-               <link rel="related" href="#pm-12">PM-12</link>
-               <link rel="related" href="#ps-3">PS-3</link>
-               <link rel="related" href="#ps-6">PS-6</link>
-            </part>
-            <part id="at-2.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization includes security awareness training on recognizing
-                  and reporting potential indicators of insider threat. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security awareness training implementation</p>
-                  <p>security awareness training curriculum</p>
-                  <p>security awareness training materials</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel that participate in security awareness training</p>
-                  <p>organizational personnel with responsibilities for basic security awareness
-                     training</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="at-3">
-         <title>Role-based Security Training</title>
-         <param id="at-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-3</prop>
-         <prop name="sort-id">at-03</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-3_smt" name="statement">
-            <p>The organization provides role-based security training to personnel with assigned
-               security roles and responsibilities:</p>
-            <part id="at-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Before authorizing access to the information system or performing assigned
-                  duties;</p>
-            </part>
-            <part id="at-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-3_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-3_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security training based on the
-               assigned roles and responsibilities of individuals and the specific security
-               requirements of organizations and the information systems to which personnel have
-               authorized access. In addition, organizations provide enterprise architects,
-               information system developers, software developers, acquisition/procurement
-               officials, information system managers, system/network administrators, personnel
-               conducting configuration management and auditing activities, personnel performing
-               independent verification and validation activities, security control assessors, and
-               other personnel having access to system-level software, adequate security-related
-               technical training specifically tailored for their assigned duties. Comprehensive
-               role-based training addresses management, operational, and technical roles and
-               responsibilities covering physical, personnel, and technical safeguards and
-               countermeasures. Such training can include for example, policies, procedures, tools,
-               and artifacts for the organizational security roles defined. Organizations also
-               provide the training necessary for individuals to carry out their responsibilities
-               related to operations and supply chain security within the context of organizational
-               information security programs. Role-based security training also applies to
-               contractors providing services to federal agencies.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-16">SA-16</link>
-         </part>
-         <part id="at-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-3(a)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities before authorizing access to the information system or
-                  performing assigned duties;</p>
-            </part>
-            <part id="at-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AT-3(b)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities when required by information system changes; and</p>
-            </part>
-            <part id="at-3.c_obj" name="objective">
-               <prop name="label">AT-3(c)</prop>
-               <part id="at-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-3(c)[1]</prop>
-                  <p>defines the frequency to provide refresher role-based security training
-                     thereafter to personnel with assigned security roles and responsibilities;
-                     and</p>
-               </part>
-               <part id="at-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-3(c)[2]</prop>
-                  <p>provides refresher role-based security training to personnel with assigned
-                     security roles and responsibilities with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training implementation</p>
-               <p>codes of federal regulations</p>
-               <p>security training curriculum</p>
-               <p>security training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for role-based security
-                  training</p>
-               <p>organizational personnel with assigned information system security roles and
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing role-based security training</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-4">
-         <title>Security Training Records</title>
-         <param id="at-4_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>At least one year</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AT-4</prop>
-         <prop name="sort-id">at-04</prop>
-         <part id="at-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Documents and monitors individual information system security training activities
-                  including basic security awareness training and specific information system
-                  security training; and</p>
-            </part>
-            <part id="at-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains individual training records for <insert param-id="at-4_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="at-4_gdn" name="guidance">
-            <p>Documentation for specialized training may be maintained by individual supervisors at
-               the option of the organization.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-14">PM-14</link>
-         </part>
-         <part id="at-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-4.a_obj" name="objective">
-               <prop name="label">AT-4(a)</prop>
-               <part id="at-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-4(a)[1]</prop>
-                  <p>documents individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.1.a" name="objective">
-                     <prop name="label">AT-4(a)[1][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.1.b" name="objective">
-                     <prop name="label">AT-4(a)[1][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-               <part id="at-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-4(a)[2]</prop>
-                  <p>monitors individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.2.a" name="objective">
-                     <prop name="label">AT-4(a)[2][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.2.b" name="objective">
-                     <prop name="label">AT-4(a)[2][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-4.b_obj" name="objective">
-               <prop name="label">AT-4(b)</prop>
-               <part id="at-4.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AT-4(b)[1]</prop>
-                  <p>defines a time period to retain individual training records; and</p>
-               </part>
-               <part id="at-4.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AT-4(b)[2]</prop>
-                  <p>retains individual training records for the organization-defined time
-                     period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training records</p>
-               <p>security awareness and training records</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security training record retention
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting management of security training records</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="au">
-      <title>Audit and Accountability</title>
-      <control class="SP800-53" id="au-1">
-         <title>Audit and Accountability Policy and Procedures</title>
-         <param id="au-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="au-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-1</prop>
-         <prop name="sort-id">au-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="au-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="au-1_prm_1"/>:</p>
-               <part id="au-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An audit and accountability policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="au-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the audit and accountability
-                     policy and associated audit and accountability controls; and</p>
-               </part>
-            </part>
-            <part id="au-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="au-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Audit and accountability policy <insert param-id="au-1_prm_2"/>; and</p>
-               </part>
-               <part id="au-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Audit and accountability procedures <insert param-id="au-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AU
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="au-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-1.a_obj" name="objective">
-               <prop name="label">AU-1(a)</prop>
-               <part id="au-1.a.1_obj" name="objective">
-                  <prop name="label">AU-1(a)(1)</prop>
-                  <part id="au-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(1)[1]</prop>
-                     <p>develops and documents an audit and accountability policy that
-                        addresses:</p>
-                     <part id="au-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="au-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the audit and accountability policy are
-                        to be disseminated;</p>
-                  </part>
-                  <part id="au-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AU-1(a)(1)[3]</prop>
-                     <p>disseminates the audit and accountability policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="au-1.a.2_obj" name="objective">
-                  <prop name="label">AU-1(a)(2)</prop>
-                  <part id="au-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        audit and accountability policy and associated audit and accountability
-                        controls;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">AU-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-1.b_obj" name="objective">
-               <prop name="label">AU-1(b)</prop>
-               <part id="au-1.b.1_obj" name="objective">
-                  <prop name="label">AU-1(b)(1)</prop>
-                  <part id="au-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability policy;</p>
-                  </part>
-                  <part id="au-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current audit and accountability policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="au-1.b.2_obj" name="objective">
-                  <prop name="label">AU-1(b)(2)</prop>
-                  <part id="au-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability procedures; and</p>
-                  </part>
-                  <part id="au-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current audit and accountability procedures in
-                        accordance with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-2">
-         <title>Audit Events</title>
-         <param id="au-2_prm_1">
-            <label>organization-defined auditable events</label>
-            <constraint>successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-         </param>
-         <param id="au-2_prm_2">
-            <label>organization-defined audited events (the subset of the auditable events defined
-               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-               identified event</label>
-            <constraint>organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-2</prop>
-         <prop name="sort-id">au-02</prop>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="au-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines that the information system is capable of auditing the following
-                  events: <insert param-id="au-2_prm_1"/>;</p>
-            </part>
-            <part id="au-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents; and</p>
-            </part>
-            <part id="au-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Determines that the following events are to be audited within the information
-                  system: <insert param-id="au-2_prm_2"/>.</p>
-            </part>
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-2_gdn" name="guidance">
-            <p>An event is any observable occurrence in an organizational information system.
-               Organizations identify audit events as those events which are significant and
-               relevant to the security of information systems and the environments in which those
-               systems operate in order to meet specific and ongoing audit needs. Audit events can
-               include, for example, password changes, failed logons, or failed accesses related to
-               information systems, administrative privilege usage, PIV credential usage, or
-               third-party credential usage. In determining the set of auditable events,
-               organizations consider the auditing appropriate for each of the security controls to
-               be implemented. To balance auditing requirements with other information system needs,
-               this control also requires identifying that subset of auditable events that are
-               audited at a given point in time. For example, organizations may determine that
-               information systems must have the capability to log every file access both successful
-               and unsuccessful, but not activate that capability except for specific circumstances
-               due to the potential burden on system performance. Auditing requirements, including
-               the need for auditable events, may be referenced in other security controls and
-               control enhancements. Organizations also include auditable events that are required
-               by applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards. Audit records can be generated at various levels of abstraction, including
-               at the packet level as information traverses the network. Selecting the appropriate
-               level of abstraction is a critical aspect of an audit capability and can facilitate
-               the identification of root causes to problems. Organizations consider in the
-               definition of auditable events, the auditing necessary to cover related events such
-               as the steps in distributed, transaction-based processes (e.g., processes that are
-               distributed across multiple organizations) and actions that occur in service-oriented
-               architectures.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-2.a_obj" name="objective">
-               <prop name="label">AU-2(a)</prop>
-               <part id="au-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-2(a)[1]</prop>
-                  <p>defines the auditable events that the information system must be capable of
-                     auditing;</p>
-               </part>
-               <part id="au-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-2(a)[2]</prop>
-                  <p>determines that the information system is capable of auditing
-                     organization-defined auditable events;</p>
-               </part>
-            </part>
-            <part id="au-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AU-2(b)</prop>
-               <p>coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">AU-2(c)</prop>
-               <p>provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents;</p>
-            </part>
-            <part id="au-2.d_obj" name="objective">
-               <prop name="label">AU-2(d)</prop>
-               <part id="au-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-2(d)[1]</prop>
-                  <p>defines the subset of auditable events defined in AU-2a that are to be audited
-                     within the information system;</p>
-               </part>
-               <part id="au-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-2(d)[2]</prop>
-                  <p>determines that the subset of auditable events defined in AU-2a are to be
-                     audited within the information system; and</p>
-               </part>
-               <part id="au-2.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-2(d)[3]</prop>
-                  <p>determines the frequency of (or situation requiring) auditing for each
-                     identified event.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing auditable events</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>information system auditable events</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-2.3">
-            <title>Reviews and Updates</title>
-            <param id="au-2.3_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>annually or whenever there is a change in the threat environment</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AU-2(3)</prop>
-            <prop name="sort-id">au-02.03</prop>
-            <part id="au-2.3_smt" name="statement">
-               <p>The organization reviews and updates the audited events <insert param-id="au-2.3_prm_1"/>.</p>
-               <part id="au-2.3_fr" name="item">
-                  <title>AU-2 (3) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="au-2.3_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-2.3_gdn" name="guidance">
-               <p>Over time, the events that organizations believe should be audited may change.
-                  Reviewing and updating the set of audited events periodically is necessary to
-                  ensure that the current set is still necessary and sufficient.</p>
-            </part>
-            <part id="au-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="au-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-2(3)[1]</prop>
-                  <p>defines the frequency to review and update the audited events; and</p>
-               </part>
-               <part id="au-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-2(3)[2]</prop>
-                  <p>reviews and updates the auditable events with organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing auditable events</p>
-                  <p>security plan</p>
-                  <p>list of organization-defined auditable events</p>
-                  <p>auditable events review and update records</p>
-                  <p>information system audit records</p>
-                  <p>information system incident reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting review and update of auditable events</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-3">
-         <title>Content of Audit Records</title>
-         <prop name="label">AU-3</prop>
-         <prop name="sort-id">au-03</prop>
-         <part id="au-3_smt" name="statement">
-            <p>The information system generates audit records containing information that
-               establishes what type of event occurred, when the event occurred, where the event
-               occurred, the source of the event, the outcome of the event, and the identity of any
-               individuals or subjects associated with the event.</p>
-         </part>
-         <part id="au-3_gdn" name="guidance">
-            <p>Audit record content that may be necessary to satisfy the requirement of this
-               control, includes, for example, time stamps, source and destination addresses,
-               user/process identifiers, event descriptions, success/fail indications, filenames
-               involved, and access control or flow control rules invoked. Event outcomes can
-               include indicators of event success or failure and event-specific results (e.g., the
-               security state of the information system after the event occurred).</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-8">AU-8</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="au-3_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system generates audit records containing information
-               that establishes: </p>
-            <part id="au-3_obj.1" name="objective">
-               <prop name="label">AU-3[1]</prop>
-               <p>what type of event occurred;</p>
-            </part>
-            <part id="au-3_obj.2" name="objective">
-               <prop name="label">AU-3[2]</prop>
-               <p>when the event occurred;</p>
-            </part>
-            <part id="au-3_obj.3" name="objective">
-               <prop name="label">AU-3[3]</prop>
-               <p>where the event occurred;</p>
-            </part>
-            <part id="au-3_obj.4" name="objective">
-               <prop name="label">AU-3[4]</prop>
-               <p>the source of the event;</p>
-            </part>
-            <part id="au-3_obj.5" name="objective">
-               <prop name="label">AU-3[5]</prop>
-               <p>the outcome of the event; and</p>
-            </part>
-            <part id="au-3_obj.6" name="objective">
-               <prop name="label">AU-3[6]</prop>
-               <p>the identity of any individuals or subjects associated with the event.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing content of audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of organization-defined auditable events</p>
-               <p>information system audit records</p>
-               <p>information system incident reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing of auditable
-                  events</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-3.1">
-            <title>Additional Audit Information</title>
-            <param id="au-3.1_prm_1">
-               <label>organization-defined additional, more detailed information</label>
-               <constraint>session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon</constraint>
-            </param>
-            <prop name="label">AU-3(1)</prop>
-            <prop name="sort-id">au-03.01</prop>
-            <part id="au-3.1_smt" name="statement">
-               <p>The information system generates audit records containing the following additional
-                  information: <insert param-id="au-3.1_prm_1"/>.</p>
-               <part id="au-3.1_fr" name="item">
-                  <title>AU-3 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="au-3.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider defines audit record types <em>[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]</em>.  The audit record types are approved and accepted by the JAB/AO.</p>
-                  </part>
-                  <part id="au-3.1_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-3.1_gdn" name="guidance">
-               <p>Detailed information that organizations may consider in audit records includes,
-                  for example, full text recording of privileged commands or the individual
-                  identities of group account users. Organizations consider limiting the additional
-                  audit information to only that information explicitly needed for specific audit
-                  requirements. This facilitates the use of audit trails and audit logs by not
-                  including information that could potentially be misleading or could make it more
-                  difficult to locate information of interest.</p>
-            </part>
-            <part id="au-3.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-3.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-3(1)[1]</prop>
-                  <p>the organization defines additional, more detailed information to be contained
-                     in audit records that the information system generates; and</p>
-               </part>
-               <part id="au-3.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-3(1)[2]</prop>
-                  <p>the information system generates audit records containing the
-                     organization-defined additional, more detailed information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing content of audit records</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of organization-defined auditable events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system audit capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-4">
-         <title>Audit Storage Capacity</title>
-         <param id="au-4_prm_1">
-            <label>organization-defined audit record storage requirements</label>
-         </param>
-         <prop name="label">AU-4</prop>
-         <prop name="sort-id">au-04</prop>
-         <part id="au-4_smt" name="statement">
-            <p>The organization allocates audit record storage capacity in accordance with <insert param-id="au-4_prm_1"/>.</p>
-         </part>
-         <part id="au-4_gdn" name="guidance">
-            <p>Organizations consider the types of auditing to be performed and the audit processing
-               requirements when allocating audit storage capacity. Allocating sufficient audit
-               storage capacity reduces the likelihood of such capacity being exceeded and resulting
-               in the potential loss or reduction of auditing capability.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-4_obj.1" name="objective">
-               <prop name="label">AU-4[1]</prop>
-               <p>defines audit record storage requirements; and</p>
-            </part>
-            <part id="au-4_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-4[2]</prop>
-               <p>allocates audit record storage capacity in accordance with the
-                  organization-defined audit record storage requirements.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit storage capacity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit record storage requirements</p>
-               <p>audit record storage capability for information system components</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Audit record storage capacity and related configuration settings</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-5">
-         <title>Response to Audit Processing Failures</title>
-         <param id="au-5_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-5_prm_2">
-            <label>organization-defined actions to be taken (e.g., shut down information system,
-               overwrite oldest audit records, stop generating audit records)</label>
-            <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-         </param>
-         <prop name="label">AU-5</prop>
-         <prop name="sort-id">au-05</prop>
-         <part id="au-5_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Alerts <insert param-id="au-5_prm_1"/> in the event of an audit processing
-                  failure; and</p>
-            </part>
-            <part id="au-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Takes the following additional actions: <insert param-id="au-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="au-5_gdn" name="guidance">
-            <p>Audit processing failures include, for example, software/hardware errors, failures in
-               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-               Organizations may choose to define additional actions for different audit processing
-               failures (e.g., by type, by location, by severity, or a combination of such factors).
-               This control applies to each audit data storage repository (i.e., distinct
-               information system component where audit records are stored), the total audit storage
-               capacity of organizations (i.e., all audit data storage repositories combined), or
-               both.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#si-12">SI-12</link>
-         </part>
-         <part id="au-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-5.a_obj" name="objective">
-               <prop name="label">AU-5(a)</prop>
-               <part id="au-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(a)[1]</prop>
-                  <p>the organization defines the personnel or roles to be alerted in the event of
-                     an audit processing failure;</p>
-               </part>
-               <part id="au-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-5(a)[2]</prop>
-                  <p>the information system alerts the organization-defined personnel or roles in
-                     the event of an audit processing failure;</p>
-               </part>
-            </part>
-            <part id="au-5.b_obj" name="objective">
-               <prop name="label">AU-5(b)</prop>
-               <part id="au-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-5(b)[1]</prop>
-                  <p>the organization defines additional actions to be taken (e.g., shutdown
-                     information system, overwrite oldest audit records, stop generating audit
-                     records) in the event of an audit processing failure; and</p>
-               </part>
-               <part id="au-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-5(b)[2]</prop>
-                  <p>the information system takes the additional organization-defined actions in the
-                     event of an audit processing failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing response to audit processing failures</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of personnel to be notified in case of an audit processing failure</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system response to audit processing
-                  failures</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-6">
-         <title>Audit Review, Analysis, and Reporting</title>
-         <param id="au-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least weekly</constraint>
-         </param>
-         <param id="au-6_prm_2">
-            <label>organization-defined inappropriate or unusual activity</label>
-         </param>
-         <param id="au-6_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-6</prop>
-         <prop name="sort-id">au-06</prop>
-         <part id="au-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and analyzes information system audit records <insert param-id="au-6_prm_1"/> for indications of <insert param-id="au-6_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="au-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports findings to <insert param-id="au-6_prm_3"/>.</p>
-            </part>
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-6_gdn" name="guidance">
-            <p>Audit review, analysis, and reporting covers information security-related auditing
-               performed by organizations including, for example, auditing that results from
-               monitoring of account usage, remote access, wireless connectivity, mobile device
-               connection, configuration settings, system component inventory, use of maintenance
-               tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-               delivery and removal, communications at the information system boundaries, use of
-               mobile code, and use of VoIP. Findings can be reported to organizational entities
-               that include, for example, incident response team, help desk, information security
-               group/department. If organizations are prohibited from reviewing and analyzing audit
-               information or unable to conduct such activities (e.g., in certain national security
-               applications or systems), the review/analysis may be carried out by other
-               organizations granted such authority.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-10">CM-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#pe-14">PE-14</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-18">SC-18</link>
-            <link rel="related" href="#sc-19">SC-19</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="au-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-6.a_obj" name="objective">
-               <prop name="label">AU-6(a)</prop>
-               <part id="au-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(a)[1]</prop>
-                  <p>defines the types of inappropriate or unusual activity to look for when
-                     information system audit records are reviewed and analyzed;</p>
-               </part>
-               <part id="au-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(a)[2]</prop>
-                  <p>defines the frequency to review and analyze information system audit records
-                     for indications of organization-defined inappropriate or unusual activity;</p>
-               </part>
-               <part id="au-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-6(a)[3]</prop>
-                  <p>reviews and analyzes information system audit records for indications of
-                     organization-defined inappropriate or unusual activity with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="au-6.b_obj" name="objective">
-               <prop name="label">AU-6(b)</prop>
-               <part id="au-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-6(b)[1]</prop>
-                  <p>defines personnel or roles to whom findings resulting from reviews and analysis
-                     of information system audit records are to be reported; and</p>
-               </part>
-               <part id="au-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-6(b)[2]</prop>
-                  <p>reports findings to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit review, analysis, and reporting</p>
-               <p>reports of audit findings</p>
-               <p>records of actions taken in response to reviews/analyses of audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit review, analysis, and reporting
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-6.1">
-            <title>Process Integration</title>
-            <prop name="label">AU-6(1)</prop>
-            <prop name="sort-id">au-06.01</prop>
-            <part id="au-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to integrate audit review, analysis,
-                  and reporting processes to support organizational processes for investigation and
-                  response to suspicious activities.</p>
-            </part>
-            <part id="au-6.1_gdn" name="guidance">
-               <p>Organizational processes benefiting from integrated audit review, analysis, and
-                  reporting include, for example, incident response, continuous monitoring,
-                  contingency planning, and Inspector General audits.</p>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#pm-7">PM-7</link>
-            </part>
-            <part id="au-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="au-6.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-6(1)[1]</prop>
-                  <p>employs automated mechanisms to integrate:</p>
-                  <part id="au-6.1_obj.1.a" name="objective">
-                     <prop name="label">AU-6(1)[1][a]</prop>
-                     <p>audit review;</p>
-                  </part>
-                  <part id="au-6.1_obj.1.b" name="objective">
-                     <prop name="label">AU-6(1)[1][b]</prop>
-                     <p>analysis;</p>
-                  </part>
-                  <part id="au-6.1_obj.1.c" name="objective">
-                     <prop name="label">AU-6(1)[1][c]</prop>
-                     <p>reporting processes;</p>
-                  </part>
-               </part>
-               <part id="au-6.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">AU-6(1)[2]</prop>
-                  <p>uses integrated audit review, analysis and reporting processes to support
-                     organizational processes for:</p>
-                  <part id="au-6.1_obj.2.a" name="objective">
-                     <prop name="label">AU-6(1)[2][a]</prop>
-                     <p>investigation of suspicious activities; and</p>
-                  </part>
-                  <part id="au-6.1_obj.2.b" name="objective">
-                     <prop name="label">AU-6(1)[2][b]</prop>
-                     <p>response to suspicious activities.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>procedures addressing investigation and response to suspicious activities</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms integrating audit review, analysis, and reporting
-                     processes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.3">
-            <title>Correlate Audit Repositories</title>
-            <prop name="label">AU-6(3)</prop>
-            <prop name="sort-id">au-06.03</prop>
-            <part id="au-6.3_smt" name="statement">
-               <p>The organization analyzes and correlates audit records across different
-                  repositories to gain organization-wide situational awareness.</p>
-            </part>
-            <part id="au-6.3_gdn" name="guidance">
-               <p>Organization-wide situational awareness includes awareness across all three tiers
-                  of risk management (i.e., organizational, mission/business process, and
-                  information system) and supports cross-organization awareness.</p>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="au-6.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization analyzes and correlates audit records across
-                  different repositories to gain organization-wide situational awareness. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records across different repositories</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting analysis and correlation of audit records</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-7">
-         <title>Audit Reduction and Report Generation</title>
-         <prop name="label">AU-7</prop>
-         <prop name="sort-id">au-07</prop>
-         <part id="au-7_smt" name="statement">
-            <p>The information system provides an audit reduction and report generation capability
-               that:</p>
-            <part id="au-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Supports on-demand audit review, analysis, and reporting requirements and
-                  after-the-fact investigations of security incidents; and</p>
-            </part>
-            <part id="au-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Does not alter the original content or time ordering of audit records.</p>
-            </part>
-         </part>
-         <part id="au-7_gdn" name="guidance">
-            <p>Audit reduction is a process that manipulates collected audit information and
-               organizes such information in a summary format that is more meaningful to analysts.
-               Audit reduction and report generation capabilities do not always emanate from the
-               same information system or from the same organizational entities conducting auditing
-               activities. Audit reduction capability can include, for example, modern data mining
-               techniques with advanced data filters to identify anomalous behavior in audit
-               records. The report generation capability provided by the information system can
-               generate customizable reports. Time ordering of audit records can be a significant
-               issue if the granularity of the timestamp in the record is insufficient.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-         </part>
-         <part id="au-7_obj" name="objective">
-            <p>Determine if the information system provides an audit reduction and report generation
-               capability that supports:</p>
-            <part id="au-7.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AU-7(a)</prop>
-               <part id="au-7.a_obj.1" name="objective">
-                  <prop name="label">AU-7(a)[1]</prop>
-                  <p>on-demand audit review;</p>
-               </part>
-               <part id="au-7.a_obj.2" name="objective">
-                  <prop name="label">AU-7(a)[2]</prop>
-                  <p>analysis;</p>
-               </part>
-               <part id="au-7.a_obj.3" name="objective">
-                  <prop name="label">AU-7(a)[3]</prop>
-                  <p>reporting requirements;</p>
-               </part>
-               <part id="au-7.a_obj.4" name="objective">
-                  <prop name="label">AU-7(a)[4]</prop>
-                  <p>after-the-fact investigations of security incidents; and</p>
-               </part>
-            </part>
-            <part id="au-7.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-7(b)</prop>
-               <p>does not alter the original content or time ordering of audit records.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit reduction and report generation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit reduction, review, analysis, and reporting tools</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit reduction and report generation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Audit reduction and report generation capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-7.1">
-            <title>Automatic Processing</title>
-            <param id="au-7.1_prm_1">
-               <label>organization-defined audit fields within audit records</label>
-            </param>
-            <prop name="label">AU-7(1)</prop>
-            <prop name="sort-id">au-07.01</prop>
-            <part id="au-7.1_smt" name="statement">
-               <p>The information system provides the capability to process audit records for events
-                  of interest based on <insert param-id="au-7.1_prm_1"/>.</p>
-            </part>
-            <part id="au-7.1_gdn" name="guidance">
-               <p>Events of interest can be identified by the content of specific audit record
-                  fields including, for example, identities of individuals, event types, event
-                  locations, event times, event dates, system resources involved, IP addresses
-                  involved, or information objects accessed. Organizations may define audit event
-                  criteria to any degree of granularity required, for example, locations selectable
-                  by general networking location (e.g., by network or subnetwork) or selectable by
-                  specific information system component.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="au-7.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-7.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-7(1)[1]</prop>
-                  <p>the organization defines audit fields within audit records in order to process
-                     audit records for events of interest; and</p>
-               </part>
-               <part id="au-7.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-7(1)[2]</prop>
-                  <p>the information system provides the capability to process audit records for
-                     events of interest based on the organization-defined audit fields within audit
-                     records.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit reduction and report generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit reduction, review, analysis, and reporting tools</p>
-                  <p>audit record criteria (fields) establishing events of interest</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit reduction and report generation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Audit reduction and report generation capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-8">
-         <title>Time Stamps</title>
-         <param id="au-8_prm_1">
-            <label>organization-defined granularity of time measurement</label>
-         </param>
-         <prop name="label">AU-8</prop>
-         <prop name="sort-id">au-08</prop>
-         <part id="au-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses internal system clocks to generate time stamps for audit records; and</p>
-            </part>
-            <part id="au-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Records time stamps for audit records that can be mapped to Coordinated Universal
-                  Time (UTC) or Greenwich Mean Time (GMT) and meets <insert param-id="au-8_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="au-8_gdn" name="guidance">
-            <p>Time stamps generated by the information system include date and time. Time is
-               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-               measurements refers to the degree of synchronization between information system
-               clocks and reference clocks, for example, clocks synchronizing within hundreds of
-               milliseconds or within tens of milliseconds. Organizations may define different time
-               granularities for different system components. Time service can also be critical to
-               other security capabilities such as access control and identification and
-               authentication, depending on the nature of the mechanisms used to support those
-               capabilities.</p>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-         </part>
-         <part id="au-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-8(a)</prop>
-               <p>the information system uses internal system clocks to generate time stamps for
-                  audit records;</p>
-            </part>
-            <part id="au-8.b_obj" name="objective">
-               <prop name="label">AU-8(b)</prop>
-               <part id="au-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-8(b)[1]</prop>
-                  <p>the information system records time stamps for audit records that can be mapped
-                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);</p>
-               </part>
-               <part id="au-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-8(b)[2]</prop>
-                  <p>the organization defines the granularity of time measurement to be met when
-                     recording time stamps for audit records; and</p>
-               </part>
-               <part id="au-8.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-8(b)[3]</prop>
-                  <p>the organization records time stamps for audit records that meet the
-                     organization-defined granularity of time measurement.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing time stamp generation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing time stamp generation</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-8.1">
-            <title>Synchronization with Authoritative Time Source</title>
-            <param id="au-8.1_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>At least hourly</constraint>
-            </param>
-            <param id="au-8.1_prm_2">
-               <label>organization-defined authoritative time source</label>
-               <constraint>http://tf.nist.gov/tf-cgi/servers.cgi</constraint>
-            </param>
-            <param id="au-8.1_prm_3">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AU-8(1)</prop>
-            <prop name="sort-id">au-08.01</prop>
-            <part id="au-8.1_smt" name="statement">
-               <p>The information system:</p>
-               <part id="au-8.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Compares the internal information system clocks <insert param-id="au-8.1_prm_1"/> with <insert param-id="au-8.1_prm_2"/>; and</p>
-               </part>
-               <part id="au-8.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Synchronizes the internal system clocks to the authoritative time source when
-                     the time difference is greater than <insert param-id="au-8.1_prm_3"/>.</p>
-               </part>
-               <part id="au-8.1_fr" name="item">
-                  <title>AU-8 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="au-8.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
-                  </part>
-                  <part id="au-8.1_fr_smt.2" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
-                  </part>
-                  <part id="au-8.1_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Synchronization of system clocks improves the accuracy of log analysis.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-8.1_gdn" name="guidance">
-               <p>This control enhancement provides uniformity of time stamps for information
-                  systems with multiple system clocks and systems connected over a network.</p>
-            </part>
-            <part id="au-8.1_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="au-8.1.a_obj" name="objective">
-                  <prop name="label">AU-8(1)(a)</prop>
-                  <part id="au-8.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-8(1)(a)[1]</prop>
-                     <p>the organization defines the authoritative time source to which internal
-                        information system clocks are to be compared;</p>
-                  </part>
-                  <part id="au-8.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-8(1)(a)[2]</prop>
-                     <p>the organization defines the frequency to compare the internal information
-                        system clocks with the organization-defined authoritative time source;
-                        and</p>
-                  </part>
-                  <part id="au-8.1.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AU-8(1)(a)[3]</prop>
-                     <p>the information system compares the internal information system clocks with
-                        the organization-defined authoritative time source with organization-defined
-                        frequency; and</p>
-                  </part>
-                  <link rel="corresp" href="#au-8.1_smt.a">AU-8(1)(a)</link>
-               </part>
-               <part id="au-8.1.b_obj" name="objective">
-                  <prop name="label">AU-8(1)(b)</prop>
-                  <part id="au-8.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">AU-8(1)(b)[1]</prop>
-                     <p>the organization defines the time period that, if exceeded by the time
-                        difference between the internal system clocks and the authoritative time
-                        source, will result in the internal system clocks being synchronized to the
-                        authoritative time source; and</p>
-                  </part>
-                  <part id="au-8.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">AU-8(1)(b)[2]</prop>
-                     <p>the information system synchronizes the internal information system clocks
-                        to the authoritative time source when the time difference is greater than
-                        the organization-defined time period.</p>
-                  </part>
-                  <link rel="corresp" href="#au-8.1_smt.b">AU-8(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing time stamp generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing internal information system clock
-                     synchronization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-9">
-         <title>Protection of Audit Information</title>
-         <prop name="label">AU-9</prop>
-         <prop name="sort-id">au-09</prop>
-         <part id="au-9_smt" name="statement">
-            <p>The information system protects audit information and audit tools from unauthorized
-               access, modification, and deletion.</p>
-         </part>
-         <part id="au-9_gdn" name="guidance">
-            <p>Audit information includes all information (e.g., audit records, audit settings, and
-               audit reports) needed to successfully audit information system activity. This control
-               focuses on technical protection of audit information. Physical protection of audit
-               information is addressed by media protection controls and physical and environmental
-               protection controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-         </part>
-         <part id="au-9_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="au-9_obj.1" name="objective">
-               <prop name="label">AU-9[1]</prop>
-               <p>the information system protects audit information from unauthorized:</p>
-               <part id="au-9_obj.1.a" name="objective">
-                  <prop name="label">AU-9[1][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.1.b" name="objective">
-                  <prop name="label">AU-9[1][b]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="au-9_obj.1.c" name="objective">
-                  <prop name="label">AU-9[1][c]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="au-9_obj.2" name="objective">
-               <prop name="label">AU-9[2]</prop>
-               <p>the information system protects audit tools from unauthorized:</p>
-               <part id="au-9_obj.2.a" name="objective">
-                  <prop name="label">AU-9[2][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.2.b" name="objective">
-                  <prop name="label">AU-9[2][b]</prop>
-                  <p>modification; and</p>
-               </part>
-               <part id="au-9_obj.2.c" name="objective">
-                  <prop name="label">AU-9[2][c]</prop>
-                  <p>deletion.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>access control policy and procedures</p>
-               <p>procedures addressing protection of audit information</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation,
-                  information system audit records</p>
-               <p>audit tools</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit information protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-9.2">
-            <title>Audit Backup On Separate Physical Systems / Components</title>
-            <param id="au-9.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least weekly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">AU-9(2)</prop>
-            <prop name="sort-id">au-09.02</prop>
-            <part id="au-9.2_smt" name="statement">
-               <p>The information system backs up audit records <insert param-id="au-9.2_prm_1"/>
-                  onto a physically different system or system component than the system or
-                  component being audited.</p>
-            </part>
-            <part id="au-9.2_gdn" name="guidance">
-               <p>This control enhancement helps to ensure that a compromise of the information
-                  system being audited does not also result in a compromise of the audit
-                  records.</p>
-               <link rel="related" href="#au-4">AU-4</link>
-               <link rel="related" href="#au-5">AU-5</link>
-               <link rel="related" href="#au-11">AU-11</link>
-            </part>
-            <part id="au-9.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-9.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-9(2)[1]</prop>
-                  <p>the organization defines the frequency to back up audit records onto a
-                     physically different system or system component than the system or component
-                     being audited; and</p>
-               </part>
-               <part id="au-9.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-9(2)[2]</prop>
-                  <p>the information system backs up audit records with the organization-defined
-                     frequency, onto a physically different system or system component than the
-                     system or component being audited.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation, system
-                     or media storing backups of information system audit records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing the backing up of audit records</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.4">
-            <title>Access by Subset of Privileged Users</title>
-            <param id="au-9.4_prm_1">
-               <label>organization-defined subset of privileged users</label>
-            </param>
-            <prop name="label">AU-9(4)</prop>
-            <prop name="sort-id">au-09.04</prop>
-            <part id="au-9.4_smt" name="statement">
-               <p>The organization authorizes access to management of audit functionality to only
-                     <insert param-id="au-9.4_prm_1"/>.</p>
-            </part>
-            <part id="au-9.4_gdn" name="guidance">
-               <p>Individuals with privileged access to an information system and who are also the
-                  subject of an audit by that system, may affect the reliability of audit
-                  information by inhibiting audit activities or modifying audit records. This
-                  control enhancement requires that privileged access be further defined between
-                  audit-related privileges and other privileges, thus limiting the users with
-                  audit-related privileges.</p>
-               <link rel="related" href="#ac-5">AC-5</link>
-            </part>
-            <part id="au-9.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="au-9.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-9(4)[1]</prop>
-                  <p>defines a subset of privileged users to be authorized access to management of
-                     audit functionality; and</p>
-               </part>
-               <part id="au-9.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-9(4)[2]</prop>
-                  <p>authorizes access to management of audit functionality to only the
-                     organization-defined subset of privileged users.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation,
-                     system-generated list of privileged users with access to management of audit
-                     functionality</p>
-                  <p>access authorizations</p>
-                  <p>access control list</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms managing access to audit functionality</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-11">
-         <title>Audit Record Retention</title>
-         <param id="au-11_prm_1">
-            <label>organization-defined time period consistent with records retention policy</label>
-            <constraint>at least ninety days</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">AU-11</prop>
-         <prop name="sort-id">au-11</prop>
-         <part id="au-11_smt" name="statement">
-            <p>The organization retains audit records for <insert param-id="au-11_prm_1"/> to
-               provide support for after-the-fact investigations of security incidents and to meet
-               regulatory and organizational information retention requirements.</p>
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-11_gdn" name="guidance">
-            <p>Organizations retain audit records until it is determined that they are no longer
-               needed for administrative, legal, audit, or other operational purposes. This
-               includes, for example, retention and availability of audit records relative to
-               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-               Organizations develop standard categories of audit records relative to such types of
-               actions and standard response processes for each type of action. The National
-               Archives and Records Administration (NARA) General Records Schedules provide federal
-               policy on record retention.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="au-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-11_obj.1" name="objective">
-               <prop name="label">AU-11[1]</prop>
-               <p>defines a time period to retain audit records that is consistent with records
-                  retention policy;</p>
-            </part>
-            <part id="au-11_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">AU-11[2]</prop>
-               <p>retains audit records for the organization-defined time period consistent with
-                  records retention policy to:</p>
-               <part id="au-11_obj.2.a" name="objective">
-                  <prop name="label">AU-11[2][a]</prop>
-                  <p>provide support for after-the-fact investigations of security incidents;
-                     and</p>
-               </part>
-               <part id="au-11_obj.2.b" name="objective">
-                  <prop name="label">AU-11[2][b]</prop>
-                  <p>meet regulatory and organizational information retention requirements.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>audit record retention policy and procedures</p>
-               <p>security plan</p>
-               <p>organization-defined retention period for audit records</p>
-               <p>audit record archives</p>
-               <p>audit logs</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record retention responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-12">
-         <title>Audit Generation</title>
-         <param id="au-12_prm_1">
-            <label>organization-defined information system components</label>
-            <constraint>all information system and network components where audit capability is deployed/available</constraint>
-         </param>
-         <param id="au-12_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-12</prop>
-         <prop name="sort-id">au-12</prop>
-         <part id="au-12_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-12_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides audit record generation capability for the auditable events defined in
-                  AU-2 a. at <insert param-id="au-12_prm_1"/>;</p>
-            </part>
-            <part id="au-12_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows <insert param-id="au-12_prm_2"/> to select which auditable events are to be
-                  audited by specific components of the information system; and</p>
-            </part>
-            <part id="au-12_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Generates audit records for the events defined in AU-2 d. with the content defined
-                  in AU-3.</p>
-            </part>
-         </part>
-         <part id="au-12_gdn" name="guidance">
-            <p>Audit records can be generated from many different information system components. The
-               list of audited events is the set of events for which audits are to be generated.
-               These events are typically a subset of all events for which the information system is
-               capable of generating audit records.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-         </part>
-         <part id="au-12_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-12.a_obj" name="objective">
-               <prop name="label">AU-12(a)</prop>
-               <part id="au-12.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(a)[1]</prop>
-                  <p>the organization defines the information system components which are to provide
-                     audit record generation capability for the auditable events defined in
-                     AU-2a;</p>
-               </part>
-               <part id="au-12.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-12(a)[2]</prop>
-                  <p>the information system provides audit record generation capability, for the
-                     auditable events defined in AU-2a, at organization-defined information system
-                     components;</p>
-               </part>
-            </part>
-            <part id="au-12.b_obj" name="objective">
-               <prop name="label">AU-12(b)</prop>
-               <part id="au-12.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">AU-12(b)[1]</prop>
-                  <p>the organization defines the personnel or roles allowed to select which
-                     auditable events are to be audited by specific components of the information
-                     system;</p>
-               </part>
-               <part id="au-12.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">AU-12(b)[2]</prop>
-                  <p>the information system allows the organization-defined personnel or roles to
-                     select which auditable events are to be audited by specific components of the
-                     system; and</p>
-               </part>
-            </part>
-            <part id="au-12.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">AU-12(c)</prop>
-               <p>the information system generates audit records for the events defined in AU-2d
-                  with the content in defined in AU-3.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit record generation</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of auditable events</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record generation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit record generation capability</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ca">
-      <title>Security Assessment and Authorization</title>
-      <control class="SP800-53" id="ca-1">
-         <title>Security Assessment and Authorization Policy and Procedures</title>
-         <param id="ca-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ca-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ca-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-1</prop>
-         <prop name="sort-id">ca-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ca-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ca-1_prm_1"/>:</p>
-               <part id="ca-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security assessment and authorization policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ca-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security assessment and
-                     authorization policy and associated security assessment and authorization
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ca-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ca-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security assessment and authorization policy <insert param-id="ca-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ca-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security assessment and authorization procedures <insert param-id="ca-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ca-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-1.a_obj" name="objective">
-               <prop name="label">CA-1(a)</prop>
-               <part id="ca-1.a.1_obj" name="objective">
-                  <prop name="label">CA-1(a)(1)</prop>
-                  <part id="ca-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(1)[1]</prop>
-                     <p>develops and documents a security assessment and authorization policy that
-                        addresses:</p>
-                     <part id="ca-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ca-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security assessment and authorization
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CA-1(a)(1)[3]</prop>
-                     <p>disseminates the security assessment and authorization policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ca-1.a.2_obj" name="objective">
-                  <prop name="label">CA-1(a)(2)</prop>
-                  <part id="ca-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security assessment and authorization policy and associated assessment and
-                        authorization controls;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-1.b_obj" name="objective">
-               <prop name="label">CA-1(b)</prop>
-               <part id="ca-1.b.1_obj" name="objective">
-                  <prop name="label">CA-1(b)(1)</prop>
-                  <part id="ca-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization policy;</p>
-                  </part>
-                  <part id="ca-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ca-1.b.2_obj" name="objective">
-                  <prop name="label">CA-1(b)(2)</prop>
-                  <part id="ca-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization procedures; and</p>
-                  </part>
-                  <part id="ca-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment and authorization
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-2">
-         <title>Security Assessments</title>
-         <param id="ca-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ca-2_prm_2">
-            <label>organization-defined individuals or roles</label>
-            <constraint>individuals or roles to include FedRAMP PMO</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-2</prop>
-         <prop name="sort-id">ca-02</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Assessment procedures to be used to determine security control effectiveness;
-                     and</p>
-               </part>
-               <part id="ca-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Assessment environment, assessment team, and assessment roles and
-                     responsibilities;</p>
-               </part>
-            </part>
-            <part id="ca-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assesses the security controls in the information system and its environment of
-                  operation <insert param-id="ca-2_prm_1"/> to determine the extent to which the
-                  controls are implemented correctly, operating as intended, and producing the
-                  desired outcome with respect to meeting established security requirements;</p>
-            </part>
-            <part id="ca-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Produces a security assessment report that documents the results of the
-                  assessment; and</p>
-            </part>
-            <part id="ca-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Provides the results of the security control assessment to <insert param-id="ca-2_prm_2"/>.</p>
-            </part>
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-2_gdn" name="guidance">
-            <p>Organizations assess security controls in organizational information systems and the
-               environments in which those systems operate as part of: (i) initial and ongoing
-               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-               and (iv) system development life cycle activities. Security assessments: (i) ensure
-               that information security is built into organizational information systems; (ii)
-               identify weaknesses and deficiencies early in the development process; (iii) provide
-               essential information needed to make risk-based decisions as part of security
-               authorization processes; and (iv) ensure compliance to vulnerability mitigation
-               procedures. Assessments are conducted on the implemented security controls from
-               Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-               in System Security Plans and Information Security Program Plans. Organizations can
-               use other types of assessment activities such as vulnerability scanning and system
-               monitoring to maintain the security posture of information systems during the entire
-               life cycle. Security assessment reports document assessment results in sufficient
-               detail as deemed necessary by organizations, to determine the accuracy and
-               completeness of the reports and whether the security controls are implemented
-               correctly, operating as intended, and producing the desired outcome with respect to
-               meeting security requirements. The FISMA requirement for assessing security controls
-               at least annually does not require additional assessment activities to those
-               activities already in place in organizational security authorization processes.
-               Security assessment results are provided to the individuals or roles appropriate for
-               the types of assessments being conducted. For example, assessments conducted in
-               support of security authorization decisions are provided to authorizing officials or
-               authorizing official designated representatives. To satisfy annual assessment
-               requirements, organizations can use assessment results from the following sources:
-               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-               or (iii) system development life cycle activities. Organizations ensure that security
-               assessment results are current, relevant to the determination of security control
-               effectiveness, and obtained with the appropriate level of assessor independence.
-               Existing security control assessment results can be reused to the extent that the
-               results are still valid and can also be supplemented with additional assessments as
-               needed. Subsequent to initial authorizations and in accordance with OMB policy,
-               organizations assess security controls during continuous monitoring. Organizations
-               establish the frequency for ongoing security control assessments in accordance with
-               organizational continuous monitoring strategies. Information Assurance Vulnerability
-               Alerts provide useful examples of vulnerability mitigation procedures. External
-               audits (e.g., audits by external entities such as regulatory agencies) are outside
-               the scope of this control.</p>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-2(a)</prop>
-               <p>develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2.a.1_obj" name="objective">
-                  <prop name="label">CA-2(a)(1)</prop>
-                  <p>security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2.a.2_obj" name="objective">
-                  <prop name="label">CA-2(a)(2)</prop>
-                  <p>assessment procedures to be used to determine security control
-                     effectiveness;</p>
-               </part>
-               <part id="ca-2.a.3_obj" name="objective">
-                  <prop name="label">CA-2(a)(3)</prop>
-                  <part id="ca-2.a.3_obj.1" name="objective">
-                     <prop name="label">CA-2(a)(3)[1]</prop>
-                     <p>assessment environment;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.2" name="objective">
-                     <prop name="label">CA-2(a)(3)[2]</prop>
-                     <p>assessment team;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.3" name="objective">
-                     <prop name="label">CA-2(a)(3)[3]</prop>
-                     <p>assessment roles and responsibilities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.b_obj" name="objective">
-               <prop name="label">CA-2(b)</prop>
-               <part id="ca-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(b)[1]</prop>
-                  <p>defines the frequency to assess the security controls in the information system
-                     and its environment of operation;</p>
-               </part>
-               <part id="ca-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-2(b)[2]</prop>
-                  <p>assesses the security controls in the information system with the
-                     organization-defined frequency to determine the extent to which the controls
-                     are implemented correctly, operating as intended, and producing the desired
-                     outcome with respect to meeting established security requirements;</p>
-               </part>
-            </part>
-            <part id="ca-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CA-2(c)</prop>
-               <p>produces a security assessment report that documents the results of the
-                  assessment;</p>
-            </part>
-            <part id="ca-2.d_obj" name="objective">
-               <prop name="label">CA-2(d)</prop>
-               <part id="ca-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(d)[1]</prop>
-                  <p>defines individuals or roles to whom the results of the security control
-                     assessment are to be provided; and</p>
-               </part>
-               <part id="ca-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-2(d)[2]</prop>
-                  <p>provides the results of the security control assessment to organization-defined
-                     individuals or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security assessment planning</p>
-               <p>procedures addressing security assessments</p>
-               <p>security assessment plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting security assessment, security assessment plan
-                  development, and/or security assessment reporting</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-2.1">
-            <title>Independent Assessors</title>
-            <param id="ca-2.1_prm_1">
-               <label>organization-defined level of independence</label>
-            </param>
-            <prop name="label">CA-2(1)</prop>
-            <prop name="sort-id">ca-02.01</prop>
-            <part id="ca-2.1_smt" name="statement">
-               <p>The organization employs assessors or assessment teams with <insert param-id="ca-2.1_prm_1"/> to conduct security control assessments.</p>
-               <part id="ca-2.1_fr" name="item">
-                  <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-2.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.1_gdn" name="guidance">
-               <p>Independent assessors or assessment teams are individuals or groups who conduct
-                  impartial assessments of organizational information systems. Impartiality implies
-                  that assessors are free from any perceived or actual conflicts of interest with
-                  regard to the development, operation, or management of the organizational
-                  information systems under assessment or to the determination of security control
-                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                  or conflicting interest with the organizations where the assessments are being
-                  conducted; (ii) assess their own work; (iii) act as management or employees of the
-                  organizations they are serving; or (iv) place themselves in positions of advocacy
-                  for the organizations acquiring their services. Independent assessments can be
-                  obtained from elements within organizations or can be contracted to public or
-                  private sector entities outside of organizations. Authorizing officials determine
-                  the required level of independence based on the security categories of information
-                  systems and/or the ultimate risk to organizational operations, organizational
-                  assets, or individuals. Authorizing officials also determine if the level of
-                  assessor independence provides sufficient assurance that the results are sound and
-                  can be used to make credible, risk-based decisions. This includes determining
-                  whether contracted security assessment services have sufficient independence, for
-                  example, when information system owners are not directly involved in contracting
-                  processes or cannot unduly influence the impartiality of assessors conducting
-                  assessments. In special situations, for example, when organizations that own the
-                  information systems are small or organizational structures require that
-                  assessments are conducted by individuals that are in the developmental,
-                  operational, or management chain of system owners, independence in assessment
-                  processes can be achieved by ensuring that assessment results are carefully
-                  reviewed and analyzed by independent teams of experts to validate the
-                  completeness, accuracy, integrity, and reliability of the results. Organizations
-                  recognize that assessments performed for purposes other than direct support to
-                  authorization decisions are, when performed by assessors with sufficient
-                  independence, more likely to be useable for such decisions, thereby reducing the
-                  need to repeat assessments.</p>
-            </part>
-            <part id="ca-2.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(1)[1]</prop>
-                  <p>defines the level of independence to be employed to conduct security control
-                     assessments; and</p>
-               </part>
-               <part id="ca-2.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-2(1)[2]</prop>
-                  <p>employs assessors or assessment teams with the organization-defined level of
-                     independence to conduct security control assessments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security authorization package (including security plan, security assessment
-                     plan, security assessment report, plan of action and milestones, authorization
-                     statement)</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-2.2">
-            <title>Specialized Assessments</title>
-            <param id="ca-2.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least annually</constraint>
-            </param>
-            <param id="ca-2.2_prm_2"/>
-            <param id="ca-2.2_prm_3"/>
-            <param id="ca-2.2_prm_4" depends-on="ca-2.2_prm_3">
-               <label>organization-defined other forms of security assessment</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CA-2(2)</prop>
-            <prop name="sort-id">ca-02.02</prop>
-            <part id="ca-2.2_smt" name="statement">
-               <p>The organization includes as part of security control assessments, <insert param-id="ca-2.2_prm_1"/>, <insert param-id="ca-2.2_prm_2"/>, <insert param-id="ca-2.2_prm_3"/>.</p>
-               <part id="ca-2.2_fr" name="item">
-                  <title>CA-2 (2) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-2.2_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>To include 'announced', 'vulnerability scanning'</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.2_gdn" name="guidance">
-               <p>Organizations can employ information system monitoring, insider threat
-                  assessments, malicious user testing, and other forms of testing (e.g.,
-                  verification and validation) to improve readiness by exercising organizational
-                  capabilities and indicating current performance levels as a means of focusing
-                  actions to improve security. Organizations conduct assessment activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  regulations, and standards. Authorizing officials approve the assessment methods
-                  in coordination with the organizational risk executive function. Organizations can
-                  incorporate vulnerabilities uncovered during assessments into vulnerability
-                  remediation processes.</p>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#si-2">SI-2</link>
-            </part>
-            <part id="ca-2.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(2)[1]</prop>
-                  <p>selects one or more of the following forms of specialized security assessment
-                     to be included as part of security control assessments:</p>
-                  <part id="ca-2.2_obj.1.a" name="objective">
-                     <prop name="label">CA-2(2)[1][a]</prop>
-                     <p>in-depth monitoring;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.b" name="objective">
-                     <prop name="label">CA-2(2)[1][b]</prop>
-                     <p>vulnerability scanning;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.c" name="objective">
-                     <prop name="label">CA-2(2)[1][c]</prop>
-                     <p>malicious user testing;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.d" name="objective">
-                     <prop name="label">CA-2(2)[1][d]</prop>
-                     <p>insider threat assessment;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.e" name="objective">
-                     <prop name="label">CA-2(2)[1][e]</prop>
-                     <p>performance/load testing; and/or</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.f" name="objective">
-                     <prop name="label">CA-2(2)[1][f]</prop>
-                     <p>other forms of organization-defined specialized security assessment;</p>
-                  </part>
-               </part>
-               <part id="ca-2.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(2)[2]</prop>
-                  <p>defines the frequency for conducting the selected form(s) of specialized
-                     security assessment;</p>
-               </part>
-               <part id="ca-2.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(2)[3]</prop>
-                  <p>defines whether the specialized security assessment will be announced or
-                     unannounced; and</p>
-               </part>
-               <part id="ca-2.2_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-2(2)[4]</prop>
-                  <p>conducts announced or unannounced organization-defined forms of specialized
-                     security assessments with the organization-defined frequency as part of
-                     security control assessments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security plan</p>
-                  <p>security assessment plan</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting security control assessment</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-2.3">
-            <title>External Organizations</title>
-            <param id="ca-2.3_prm_1">
-               <label>organization-defined information system</label>
-               <constraint>any FedRAMP Accredited 3PAO</constraint>
-            </param>
-            <param id="ca-2.3_prm_2">
-               <label>organization-defined external organization</label>
-               <constraint>any FedRAMP Accredited 3PAO</constraint>
-            </param>
-            <param id="ca-2.3_prm_3">
-               <label>organization-defined requirements</label>
-               <constraint>the conditions of the JAB/AO in the FedRAMP Repository</constraint>
-            </param>
-            <prop name="label">CA-2(3)</prop>
-            <prop name="sort-id">ca-02.03</prop>
-            <part id="ca-2.3_smt" name="statement">
-               <p>The organization accepts the results of an assessment of <insert param-id="ca-2.3_prm_1"/> performed by <insert param-id="ca-2.3_prm_2"/> when
-                  the assessment meets <insert param-id="ca-2.3_prm_3"/>.</p>
-            </part>
-            <part id="ca-2.3_gdn" name="guidance">
-               <p>Organizations may often rely on assessments of specific information systems by
-                  other (external) organizations. Utilizing such existing assessments (i.e., reusing
-                  existing assessment evidence) can significantly decrease the time and resources
-                  required for organizational assessments by limiting the amount of independent
-                  assessment activities that organizations need to perform. The factors that
-                  organizations may consider in determining whether to accept assessment results
-                  from external organizations can vary. Determinations for accepting assessment
-                  results can be based on, for example, past assessment experiences one organization
-                  has had with another organization, the reputation that organizations have with
-                  regard to assessments, the level of detail of supporting assessment documentation
-                  provided, or mandates imposed upon organizations by federal legislation, policies,
-                  or directives.</p>
-            </part>
-            <part id="ca-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(3)[1]</prop>
-                  <p>defines an information system for which the results of a security assessment
-                     performed by an external organization are to be accepted;</p>
-               </part>
-               <part id="ca-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(3)[2]</prop>
-                  <p>defines an external organization from which to accept a security assessment
-                     performed on an organization-defined information system;</p>
-               </part>
-               <part id="ca-2.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-2(3)[3]</prop>
-                  <p>defines the requirements to be met by a security assessment performed by
-                     organization-defined external organization on organization-defined information
-                     system; and</p>
-               </part>
-               <part id="ca-2.3_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-2(3)[4]</prop>
-                  <p>accepts the results of an assessment of an organization-defined information
-                     system performed by an organization-defined external organization when the
-                     assessment meets organization-defined requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security plan</p>
-                  <p>security assessment requirements</p>
-                  <p>security assessment plan</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>plan of action and milestones</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel performing security assessments for the specified external
-                     organization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-3">
-         <title>System Interconnections</title>
-         <param id="ca-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually and on input from FedRAMP</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-3</prop>
-         <prop name="sort-id">ca-03</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#2711f068-734e-4afd-94ba-0b22247fbc88" rel="reference">NIST Special Publication 800-47</link>
-         <part id="ca-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each interconnection, the interface characteristics, security
-                  requirements, and the nature of the information communicated; and</p>
-            </part>
-            <part id="ca-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates Interconnection Security Agreements <insert param-id="ca-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ca-3_gdn" name="guidance">
-            <p>This control applies to dedicated connections between information systems (i.e.,
-               system interconnections) and does not apply to transitory, user-controlled
-               connections such as email and website browsing. Organizations carefully consider the
-               risks that may be introduced when information systems are connected to other systems
-               with different security requirements and security controls, both within organizations
-               and external to organizations. Authorizing officials determine the risk associated
-               with information system connections and the appropriate controls employed. If
-               interconnecting systems have the same authorizing official, organizations do not need
-               to develop Interconnection Security Agreements. Instead, organizations can describe
-               the interface characteristics between those interconnecting systems in their
-               respective security plans. If interconnecting systems have different authorizing
-               officials within the same organization, organizations can either develop
-               Interconnection Security Agreements or describe the interface characteristics between
-               systems in the security plans for the respective systems. Organizations may also
-               incorporate Interconnection Security Agreement information into formal contracts,
-               especially for interconnections established between federal agencies and nonfederal
-               (i.e., private sector) organizations. Risk considerations also include information
-               systems sharing the same networks. For certain technologies (e.g., space, unmanned
-               aerial vehicles, and medical devices), there may be specialized connections in place
-               during preoperational testing. Such connections may require Interconnection Security
-               Agreements and be subject to additional security controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CA-3(a)</prop>
-               <p>authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-3(b)</prop>
-               <p>documents, for each interconnection:</p>
-               <part id="ca-3.b_obj.1" name="objective">
-                  <prop name="label">CA-3(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-3.b_obj.2" name="objective">
-                  <prop name="label">CA-3(b)[2]</prop>
-                  <p>the security requirements;</p>
-               </part>
-               <part id="ca-3.b_obj.3" name="objective">
-                  <prop name="label">CA-3(b)[3]</prop>
-                  <p>the nature of the information communicated;</p>
-               </part>
-            </part>
-            <part id="ca-3.c_obj" name="objective">
-               <prop name="label">CA-3(c)</prop>
-               <part id="ca-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-3(c)[1]</prop>
-                  <p>defines the frequency to review and update Interconnection Security Agreements;
-                     and</p>
-               </part>
-               <part id="ca-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-3(c)[2]</prop>
-                  <p>reviews and updates Interconnection Security Agreements with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>information system Interconnection Security Agreements</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  approving information system interconnection agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel managing the system(s) to which the Interconnection Security Agreement
-                  applies</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-3.3">
-            <title>Unclassified Non-national Security System Connections</title>
-            <param id="ca-3.3_prm_1">
-               <label>organization-defined unclassified, non-national security system</label>
-            </param>
-            <param id="ca-3.3_prm_2">
-               <label>Assignment; organization-defined boundary protection device</label>
-               <constraint>Boundary Protections which meet the Trusted Internet Connection (TIC) requirements</constraint>
-            </param>
-            <prop name="label">CA-3(3)</prop>
-            <prop name="sort-id">ca-03.03</prop>
-            <part id="ca-3.3_smt" name="statement">
-               <p>The organization prohibits the direct connection of an <insert param-id="ca-3.3_prm_1"/> to an external network without the use of <insert param-id="ca-3.3_prm_2"/>.</p>
-               <part id="ca-3.3_fr" name="item">
-                  <title>CA-3 (3) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-3.3_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-3.3_gdn" name="guidance">
-               <p>Organizations typically do not have control over external networks (e.g., the
-                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate
-                  communications (i.e., information flows) between unclassified non-national
-                  security systems and external networks. This control enhancement is required for
-                  organizations processing, storing, or transmitting Controlled Unclassified
-                  Information (CUI).</p>
-            </part>
-            <part id="ca-3.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-3.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-3(3)[1]</prop>
-                  <p>defines an unclassified, non-national security system whose direct connection
-                     to an external network is to be prohibited without the use of approved boundary
-                     protection device;</p>
-               </part>
-               <part id="ca-3.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-3(3)[2]</prop>
-                  <p>defines a boundary protection device to be used to establish the direct
-                     connection of an organization-defined unclassified, non-national security
-                     system to an external network; and</p>
-               </part>
-               <part id="ca-3.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-3(3)[3]</prop>
-                  <p>prohibits the direct connection of an organization-defined unclassified,
-                     non-national security system to an external network without the use of an
-                     organization-defined boundary protection device.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection security agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for managing direct connections to
-                     external networks</p>
-                  <p>network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel managing directly connected external networks</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting the management of external network
-                     connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.5">
-            <title>Restrictions On External System Connections</title>
-            <param id="ca-3.5_prm_1"/>
-            <param id="ca-3.5_prm_2">
-               <label>organization-defined information systems</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CA-3(5)</prop>
-            <prop name="sort-id">ca-03.05</prop>
-            <part id="ca-3.5_smt" name="statement">
-               <p>The organization employs <insert param-id="ca-3.5_prm_1"/> policy for allowing
-                     <insert param-id="ca-3.5_prm_2"/> to connect to external information
-                  systems.</p>
-               <part id="ca-3.5_fr" name="item">
-                  <title>CA-3 (5) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ca-3.5_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-3.5_gdn" name="guidance">
-               <p>Organizations can constrain information system connectivity to external domains
-                  (e.g., websites) by employing one of two policies with regard to such
-                  connectivity: (i) allow-all, deny by exception, also known as blacklisting (the
-                  weaker of the two policies); or (ii) deny-all, allow by exception, also known as
-                  whitelisting (the stronger of the two policies). For either policy, organizations
-                  determine what exceptions, if any, are acceptable.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-            </part>
-            <part id="ca-3.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ca-3.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-3(5)[1]</prop>
-                  <p>defines information systems to be allowed to connect to external information
-                     systems;</p>
-               </part>
-               <part id="ca-3.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-3(5)[2]</prop>
-                  <p>employs one of the following policies for allowing organization-defined
-                     information systems to connect to external information systems:</p>
-                  <part id="ca-3.5_obj.2.a" name="objective">
-                     <prop name="label">CA-3(5)[2][a]</prop>
-                     <p>allow-all policy;</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.b" name="objective">
-                     <prop name="label">CA-3(5)[2][b]</prop>
-                     <p>deny-by-exception policy;</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.c" name="objective">
-                     <prop name="label">CA-3(5)[2][c]</prop>
-                     <p>deny-all policy; or</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.d" name="objective">
-                     <prop name="label">CA-3(5)[2][d]</prop>
-                     <p>permit-by-exception policy.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for managing connections to
-                     external information systems</p>
-                  <p>network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing restrictions on external system
-                     connections</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-5">
-         <title>Plan of Action and Milestones</title>
-         <param id="ca-5_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-5</prop>
-         <prop name="sort-id">ca-05</prop>
-         <link href="#2c5884cd-7b96-425c-862a-99877e1cf909" rel="reference">OMB Memorandum 02-01</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <part id="ca-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a plan of action and milestones for the information system to document
-                  the organization’s planned remedial actions to correct weaknesses or deficiencies
-                  noted during the assessment of the security controls and to reduce or eliminate
-                  known vulnerabilities in the system; and</p>
-            </part>
-            <part id="ca-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates existing plan of action and milestones <insert param-id="ca-5_prm_1"/>
-                  based on the findings from security controls assessments, security impact
-                  analyses, and continuous monitoring activities.</p>
-            </part>
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-5_gdn" name="guidance">
-            <p>Plans of action and milestones are key documents in security authorization packages
-               and are subject to federal reporting requirements established by OMB.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-4">PM-4</link>
-         </part>
-         <part id="ca-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CA-5(a)</prop>
-               <p>develops a plan of action and milestones for the information system to:</p>
-               <part id="ca-5.a_obj.1" name="objective">
-                  <prop name="label">CA-5(a)[1]</prop>
-                  <p>document the organization’s planned remedial actions to correct weaknesses or
-                     deficiencies noted during the assessment of the security controls;</p>
-               </part>
-               <part id="ca-5.a_obj.2" name="objective">
-                  <prop name="label">CA-5(a)[2]</prop>
-                  <p>reduce or eliminate known vulnerabilities in the system;</p>
-               </part>
-            </part>
-            <part id="ca-5.b_obj" name="objective">
-               <prop name="label">CA-5(b)</prop>
-               <part id="ca-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-5(b)[1]</prop>
-                  <p>defines the frequency to update the existing plan of action and milestones;</p>
-               </part>
-               <part id="ca-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-5(b)[2]</prop>
-                  <p>updates the existing plan of action and milestones with the
-                     organization-defined frequency based on the findings from:</p>
-                  <part id="ca-5.b_obj.2.a" name="objective">
-                     <prop name="label">CA-5(b)[2][a]</prop>
-                     <p>security controls assessments;</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.b" name="objective">
-                     <prop name="label">CA-5(b)[2][b]</prop>
-                     <p>security impact analyses; and</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.c" name="objective">
-                     <prop name="label">CA-5(b)[2][c]</prop>
-                     <p>continuous monitoring activities.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing plan of action and milestones</p>
-               <p>security plan</p>
-               <p>security assessment plan</p>
-               <p>security assessment report</p>
-               <p>security assessment evidence</p>
-               <p>plan of action and milestones</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with plan of action and milestones development and
-                  implementation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms for developing, implementing, and maintaining plan of action
-                  and milestones</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-6">
-         <title>Security Authorization</title>
-         <param id="ca-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three (3) years or when a significant change occurs</constraint>
-         </param>
-         <prop name="label">CA-6</prop>
-         <prop name="sort-id">ca-06</prop>
-         <link href="#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab" rel="reference">OMB Circular A-130</link>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations; and</p>
-            </part>
-            <part id="ca-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Updates the security authorization <insert param-id="ca-6_prm_1"/>.</p>
-            </part>
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-6_gdn" name="guidance">
-            <p>Security authorizations are official management decisions, conveyed through
-               authorization decision documents, by senior organizational officials or executives
-               (i.e., authorizing officials) to authorize operation of information systems and to
-               explicitly accept the risk to organizational operations and assets, individuals,
-               other organizations, and the Nation based on the implementation of agreed-upon
-               security controls. Authorizing officials provide budgetary oversight for
-               organizational information systems or assume responsibility for the mission/business
-               operations supported by those systems. The security authorization process is an
-               inherently federal responsibility and therefore, authorizing officials must be
-               federal employees. Through the security authorization process, authorizing officials
-               assume responsibility and are accountable for security risks associated with the
-               operation and use of organizational information systems. Accordingly, authorizing
-               officials are in positions with levels of authority commensurate with understanding
-               and accepting such information security-related risks. OMB policy requires that
-               organizations conduct ongoing authorizations of information systems by implementing
-               continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-               reauthorization requirements, so separate reauthorization processes are not
-               necessary. Through the employment of comprehensive continuous monitoring processes,
-               critical information contained in authorization packages (i.e., security plans,
-               security assessment reports, and plans of action and milestones) is updated on an
-               ongoing basis, providing authorizing officials and information system owners with an
-               up-to-date status of the security state of organizational information systems and
-               environments of operation. To reduce the administrative cost of security
-               reauthorization, authorizing officials use the results of continuous monitoring
-               processes to the maximum extent possible as the basis for rendering reauthorization
-               decisions.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-10">PM-10</link>
-         </part>
-         <part id="ca-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-6(a)</prop>
-               <p>assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CA-6(b)</prop>
-               <p>ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations;</p>
-            </part>
-            <part id="ca-6.c_obj" name="objective">
-               <prop name="label">CA-6(c)</prop>
-               <part id="ca-6.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-6(c)[1]</prop>
-                  <p>defines the frequency to update the security authorization; and</p>
-               </part>
-               <part id="ca-6.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-6(c)[2]</prop>
-                  <p>updates the security authorization with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security authorization</p>
-               <p>security authorization package (including security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>authorization statement)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security authorization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms that facilitate security authorizations and updates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-7">
-         <title>Continuous Monitoring</title>
-         <param id="ca-7_prm_1">
-            <label>organization-defined metrics</label>
-         </param>
-         <param id="ca-7_prm_2">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_3">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_4">
-            <label>organization-defined personnel or roles</label>
-            <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-         </param>
-         <param id="ca-7_prm_5">
-            <label>organization-defined frequency</label>
-            <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-7</prop>
-         <prop name="sort-id">ca-07</prop>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb" rel="reference">US-CERT Technical Cyber Security Alerts</link>
-         <link href="#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b" rel="reference">DoD Information Assurance Vulnerability Alerts</link>
-         <part id="ca-7_smt" name="statement">
-            <p>The organization develops a continuous monitoring strategy and implements a
-               continuous monitoring program that includes:</p>
-            <part id="ca-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_1"/> to be monitored;</p>
-            </part>
-            <part id="ca-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_2"/> for monitoring and <insert param-id="ca-7_prm_3"/> for assessments supporting such monitoring;</p>
-            </part>
-            <part id="ca-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ongoing security control assessments in accordance with the organizational
-                  continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Ongoing security status monitoring of organization-defined metrics in accordance
-                  with the organizational continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Correlation and analysis of security-related information generated by assessments
-                  and monitoring;</p>
-            </part>
-            <part id="ca-7_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Response actions to address results of the analysis of security-related
-                  information; and</p>
-            </part>
-            <part id="ca-7_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Reporting the security status of organization and the information system to
-                     <insert param-id="ca-7_prm_4"/>
-                  <insert param-id="ca-7_prm_5"/>.</p>
-            </part>
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-7_gdn" name="guidance">
-            <p>Continuous monitoring programs facilitate ongoing awareness of threats,
-               vulnerabilities, and information security to support organizational risk management
-               decisions. The terms continuous and ongoing imply that organizations assess/analyze
-               security controls and information security-related risks at a frequency sufficient to
-               support organizational risk-based decisions. The results of continuous monitoring
-               programs generate appropriate risk response actions by organizations. Continuous
-               monitoring programs also allow organizations to maintain the security authorizations
-               of information systems and common controls over time in highly dynamic environments
-               of operation with changing mission/business needs, threats, vulnerabilities, and
-               technologies. Having access to security-related information on a continuing basis
-               through reports/dashboards gives organizational officials the capability to make more
-               effective and timely risk management decisions, including ongoing security
-               authorization decisions. Automation supports more frequent updates to security
-               authorization packages, hardware/software/firmware inventories, and other system
-               information. Effectiveness is further enhanced when continuous monitoring outputs are
-               formatted to provide information that is specific, measurable, actionable, relevant,
-               and timely. Continuous monitoring activities are scaled in accordance with the
-               security categories of information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-6">PM-6</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ca-7.a_obj" name="objective">
-               <prop name="label">CA-7(a)</prop>
-               <part id="ca-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(a)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines metrics to be
-                     monitored;</p>
-               </part>
-               <part id="ca-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(a)[2]</prop>
-                  <p>develops a continuous monitoring strategy that includes monitoring of
-                     organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(a)[3]</prop>
-                  <p>implements a continuous monitoring program that includes monitoring of
-                     organization-defined metrics in accordance with the organizational continuous
-                     monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.b_obj" name="objective">
-               <prop name="label">CA-7(b)</prop>
-               <part id="ca-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines frequencies for
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[2]</prop>
-                  <p>defines frequencies for assessments supporting monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(b)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes establishment of the
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(b)[4]</prop>
-                  <p>implements a continuous monitoring program that includes establishment of
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     such monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.c_obj" name="objective">
-               <prop name="label">CA-7(c)</prop>
-               <part id="ca-7.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(c)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security
-                     control assessments;</p>
-               </part>
-               <part id="ca-7.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(c)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     control assessments in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.d_obj" name="objective">
-               <prop name="label">CA-7(d)</prop>
-               <part id="ca-7.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(d)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security status
-                     monitoring of organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(d)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     status monitoring of organization-defined metrics in accordance with the
-                     organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.e_obj" name="objective">
-               <prop name="label">CA-7(e)</prop>
-               <part id="ca-7.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(e)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(e)[2]</prop>
-                  <p>implements a continuous monitoring program that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.f_obj" name="objective">
-               <prop name="label">CA-7(f)</prop>
-               <part id="ca-7.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(f)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes response actions to
-                     address results of the analysis of security-related information;</p>
-               </part>
-               <part id="ca-7.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(f)[2]</prop>
-                  <p>implements a continuous monitoring program that includes response actions to
-                     address results of the analysis of security-related information in accordance
-                     with the organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.g_obj" name="objective">
-               <prop name="label">CA-7(g)</prop>
-               <part id="ca-7.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines the personnel or roles
-                     to whom the security status of the organization and information system are to
-                     be reported;</p>
-               </part>
-               <part id="ca-7.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[2]</prop>
-                  <p>develops a continuous monitoring strategy that defines the frequency to report
-                     the security status of the organization and information system to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="ca-7.g_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(g)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes reporting the security
-                     status of the organization or information system to organizational-defined
-                     personnel or roles with the organization-defined frequency; and</p>
-               </part>
-               <part id="ca-7.g_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CA-7(g)[4]</prop>
-                  <p>implements a continuous monitoring program that includes reporting the security
-                     status of the organization and information system to organization-defined
-                     personnel or roles with the organization-defined frequency in accordance with
-                     the organizational continuous monitoring strategy.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing continuous monitoring of information system security
-                  controls</p>
-               <p>procedures addressing configuration management</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>information system monitoring records</p>
-               <p>configuration management records, security impact analyses</p>
-               <p>status reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with continuous monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Mechanisms implementing continuous monitoring</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-7.1">
-            <title>Independent Assessment</title>
-            <param id="ca-7.1_prm_1">
-               <label>organization-defined level of independence</label>
-            </param>
-            <prop name="label">CA-7(1)</prop>
-            <prop name="sort-id">ca-07.01</prop>
-            <part id="ca-7.1_smt" name="statement">
-               <p>The organization employs assessors or assessment teams with <insert param-id="ca-7.1_prm_1"/> to monitor the security controls in the information
-                  system on an ongoing basis.</p>
-            </part>
-            <part id="ca-7.1_gdn" name="guidance">
-               <p>Organizations can maximize the value of assessments of security controls during
-                  the continuous monitoring process by requiring that such assessments be conducted
-                  by assessors or assessment teams with appropriate levels of independence based on
-                  continuous monitoring strategies. Assessor independence provides a degree of
-                  impartiality to the monitoring process. To achieve such impartiality, assessors
-                  should not: (i) create a mutual or conflicting interest with the organizations
-                  where the assessments are being conducted; (ii) assess their own work; (iii) act
-                  as management or employees of the organizations they are serving; or (iv) place
-                  themselves in advocacy positions for the organizations acquiring their
-                  services.</p>
-            </part>
-            <part id="ca-7.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-7.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-7(1)[1]</prop>
-                  <p>defines a level of independence to be employed to monitor the security controls
-                     in the information system on an ongoing basis; and</p>
-               </part>
-               <part id="ca-7.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-7(1)[2]</prop>
-                  <p>employs assessors or assessment teams with the organization-defined level of
-                     independence to monitor the security controls in the information system on an
-                     ongoing basis.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing continuous monitoring of information system security
-                     controls</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>plan of action and milestones</p>
-                  <p>information system monitoring records</p>
-                  <p>security impact analyses</p>
-                  <p>status reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with continuous monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-8">
-         <title>Penetration Testing</title>
-         <param id="ca-8_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ca-8_prm_2">
-            <label>organization-defined information systems or system components</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-8</prop>
-         <prop name="sort-id">ca-08</prop>
-         <part id="ca-8_smt" name="statement">
-            <p>The organization conducts penetration testing <insert param-id="ca-8_prm_1"/> on
-                  <insert param-id="ca-8_prm_2"/>.</p>
-            <part id="ca-8_fr" name="item">
-               <title>CA-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance <a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-8_gdn" name="guidance">
-            <p>Penetration testing is a specialized type of assessment conducted on information
-               systems or individual system components to identify vulnerabilities that could be
-               exploited by adversaries. Such testing can be used to either validate vulnerabilities
-               or determine the degree of resistance organizational information systems have to
-               adversaries within a set of specified constraints (e.g., time, resources, and/or
-               skills). Penetration testing attempts to duplicate the actions of adversaries in
-               carrying out hostile cyber attacks against organizations and provides a more in-depth
-               analysis of security-related weaknesses/deficiencies. Organizations can also use the
-               results of vulnerability analyses to support penetration testing activities.
-               Penetration testing can be conducted on the hardware, software, or firmware
-               components of an information system and can exercise both physical and technical
-               security controls. A standard method for penetration testing includes, for example:
-               (i) pretest analysis based on full knowledge of the target system; (ii) pretest
-               identification of potential vulnerabilities based on pretest analysis; and (iii)
-               testing designed to determine exploitability of identified vulnerabilities. All
-               parties agree to the rules of engagement before the commencement of penetration
-               testing scenarios. Organizations correlate the penetration testing rules of
-               engagement with the tools, techniques, and procedures that are anticipated to be
-               employed by adversaries carrying out attacks. Organizational risk assessments guide
-               decisions on the level of independence required for personnel conducting penetration
-               testing.</p>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="ca-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-8_obj.1" name="objective">
-               <prop name="label">CA-8[1]</prop>
-               <p>defines information systems or system components on which penetration testing is
-                  to be conducted;</p>
-            </part>
-            <part id="ca-8_obj.2" name="objective">
-               <prop name="label">CA-8[2]</prop>
-               <p>defines the frequency to conduct penetration testing on organization-defined
-                  information systems or system components; and</p>
-            </part>
-            <part id="ca-8_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CA-8[3]</prop>
-               <p>conducts penetration testing on organization-defined information systems or system
-                  components with the organization-defined frequency.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing penetration testing</p>
-               <p>security plan</p>
-               <p>security assessment plan</p>
-               <p>penetration test report</p>
-               <p>security assessment report</p>
-               <p>security assessment evidence</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities,
-                  system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting penetration testing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-8.1">
-            <title>Independent Penetration Agent or Team</title>
-            <prop name="label">CA-8(1)</prop>
-            <prop name="sort-id">ca-08.01</prop>
-            <part id="ca-8.1_smt" name="statement">
-               <p>The organization employs an independent penetration agent or penetration team to
-                  perform penetration testing on the information system or system components.</p>
-            </part>
-            <part id="ca-8.1_gdn" name="guidance">
-               <p>Independent penetration agents or teams are individuals or groups who conduct
-                  impartial penetration testing of organizational information systems. Impartiality
-                  implies that penetration agents or teams are free from any perceived or actual
-                  conflicts of interest with regard to the development, operation, or management of
-                  the information systems that are the targets of the penetration testing.
-                  Supplemental guidance for CA-2 (1) provides additional information regarding
-                  independent assessments that can be applied to penetration testing.</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-            </part>
-            <part id="ca-8.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization employs an independent penetration agent or
-                  penetration team to perform penetration testing on the information system or
-                  system components. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing penetration testing</p>
-                  <p>security plan</p>
-                  <p>security assessment plan</p>
-                  <p>penetration test report</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-9">
-         <title>Internal System Connections</title>
-         <param id="ca-9_prm_1">
-            <label>organization-defined information system components or classes of
-               components</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CA-9</prop>
-         <prop name="sort-id">ca-09</prop>
-         <part id="ca-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes internal connections of <insert param-id="ca-9_prm_1"/> to the
-                  information system; and</p>
-            </part>
-            <part id="ca-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each internal connection, the interface characteristics, security
-                  requirements, and the nature of the information communicated.</p>
-            </part>
-         </part>
-         <part id="ca-9_gdn" name="guidance">
-            <p>This control applies to connections between organizational information systems and
-               (separate) constituent system components (i.e., intra-system connections) including,
-               for example, system connections with mobile devices, notebook/desktop computers,
-               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-               authorizing each individual internal connection, organizations can authorize internal
-               connections for a class of components with common characteristics and/or
-               configurations, for example, all digital printers, scanners, and copiers with a
-               specified processing, storage, and transmission capability or all smart phones with a
-               specific baseline configuration.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-9.a_obj" name="objective">
-               <prop name="label">CA-9(a)</prop>
-               <part id="ca-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CA-9(a)[1]</prop>
-                  <p>defines information system components or classes of components to be authorized
-                     as internal connections to the information system;</p>
-               </part>
-               <part id="ca-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CA-9(a)[2]</prop>
-                  <p>authorizes internal connections of organization-defined information system
-                     components or classes of components to the information system;</p>
-               </part>
-            </part>
-            <part id="ca-9.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CA-9(b)</prop>
-               <p>documents, for each internal connection:</p>
-               <part id="ca-9.b_obj.1" name="objective">
-                  <prop name="label">CA-9(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-9.b_obj.2" name="objective">
-                  <prop name="label">CA-9(b)[2]</prop>
-                  <p>the security requirements; and</p>
-               </part>
-               <part id="ca-9.b_obj.3" name="objective">
-                  <prop name="label">CA-9(b)[3]</prop>
-                  <p>the nature of the information communicated.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of components or classes of components authorized as internal system
-                  connections</p>
-               <p>security assessment report</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  authorizing internal system connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="cm">
-      <title>Configuration Management</title>
-      <control class="SP800-53" id="cm-1">
-         <title>Configuration Management Policy and Procedures</title>
-         <param id="cm-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cm-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="cm-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-1</prop>
-         <prop name="sort-id">cm-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cm-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cm-1_prm_1"/>:</p>
-               <part id="cm-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A configuration management policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cm-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the configuration management
-                     policy and associated configuration management controls; and</p>
-               </part>
-            </part>
-            <part id="cm-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cm-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Configuration management policy <insert param-id="cm-1_prm_2"/>; and</p>
-               </part>
-               <part id="cm-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Configuration management procedures <insert param-id="cm-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CM
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cm-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-1.a_obj" name="objective">
-               <prop name="label">CM-1(a)</prop>
-               <part id="cm-1.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-1(a)(1)</prop>
-                  <part id="cm-1.a.1_obj.1" name="objective">
-                     <prop name="label">CM-1(a)(1)[1]</prop>
-                     <p>develops and documents a configuration management policy that addresses:</p>
-                     <part id="cm-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cm-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the configuration management policy is to
-                        be disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CM-1(a)(1)[3]</prop>
-                     <p>disseminates the configuration management policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cm-1.a.2_obj" name="objective">
-                  <prop name="label">CM-1(a)(2)</prop>
-                  <part id="cm-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        configuration management policy and associated configuration management
-                        controls;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CM-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-1.b_obj" name="objective">
-               <prop name="label">CM-1(b)</prop>
-               <part id="cm-1.b.1_obj" name="objective">
-                  <prop name="label">CM-1(b)(1)</prop>
-                  <part id="cm-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management policy;</p>
-                  </part>
-                  <part id="cm-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current configuration management policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cm-1.b.2_obj" name="objective">
-                  <prop name="label">CM-1(b)(2)</prop>
-                  <part id="cm-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management procedures; and</p>
-                  </part>
-                  <part id="cm-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current configuration management procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-2">
-         <title>Baseline Configuration</title>
-         <prop name="label">CM-2</prop>
-         <prop name="sort-id">cm-02</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-2_smt" name="statement">
-            <p>The organization develops, documents, and maintains under configuration control, a
-               current baseline configuration of the information system.</p>
-         </part>
-         <part id="cm-2_gdn" name="guidance">
-            <p>This control establishes baseline configurations for information systems and system
-               components including communications and connectivity-related aspects of systems.
-               Baseline configurations are documented, formally reviewed and agreed-upon sets of
-               specifications for information systems or configuration items within those systems.
-               Baseline configurations serve as a basis for future builds, releases, and/or changes
-               to information systems. Baseline configurations include information about information
-               system components (e.g., standard software packages installed on workstations,
-               notebook computers, servers, network components, or mobile devices; current version
-               numbers and patch information on operating systems and applications; and
-               configuration settings/parameters), network topology, and the logical placement of
-               those components within the system architecture. Maintaining baseline configurations
-               requires creating new baselines as organizational information systems change over
-               time. Baseline configurations of information systems reflect the current enterprise
-               architecture.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-         </part>
-         <part id="cm-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-2_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CM-2[1]</prop>
-               <p>develops and documents a current baseline configuration of the information system;
-                  and</p>
-            </part>
-            <part id="cm-2_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-2[2]</prop>
-               <p>maintains, under configuration control, a current baseline configuration of the
-                  information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing the baseline configuration of the information system</p>
-               <p>configuration management plan</p>
-               <p>enterprise architecture documentation</p>
-               <p>information system design documentation</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>change control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing baseline configurations</p>
-               <p>automated mechanisms supporting configuration control of the baseline
-                  configuration</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-2.1">
-            <title>Reviews and Updates</title>
-            <param id="cm-2.1_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least annually or when a significant change occurs</constraint>
-            </param>
-            <param id="cm-2.1_prm_2">
-               <label>Assignment organization-defined circumstances</label>
-               <constraint>to include when directed by the JAB</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-2(1)</prop>
-            <prop name="sort-id">cm-02.01</prop>
-            <part id="cm-2.1_smt" name="statement">
-               <p>The organization reviews and updates the baseline configuration of the information
-                  system:</p>
-               <part id="cm-2.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>
-                     <insert param-id="cm-2.1_prm_1"/>;</p>
-               </part>
-               <part id="cm-2.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>When required due to <insert param-id="cm-2.1_prm_2"/>; and</p>
-               </part>
-               <part id="cm-2.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>As an integral part of information system component installations and
-                     upgrades.</p>
-               </part>
-            </part>
-            <part id="cm-2.1_gdn" name="guidance">
-               <link rel="related" href="#cm-5">CM-5</link>
-            </part>
-            <part id="cm-2.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.1.a_obj" name="objective">
-                  <prop name="label">CM-2(1)(a)</prop>
-                  <part id="cm-2.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(1)(a)[1]</prop>
-                     <p>defines the frequency to review and update the baseline configuration of the
-                        information system;</p>
-                  </part>
-                  <part id="cm-2.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-2(1)(a)[2]</prop>
-                     <p>reviews and updates the baseline configuration of the information system
-                        with the organization-defined frequency;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.1_smt.a">CM-2(1)(a)</link>
-               </part>
-               <part id="cm-2.1.b_obj" name="objective">
-                  <prop name="label">CM-2(1)(b)</prop>
-                  <part id="cm-2.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(1)(b)[1]</prop>
-                     <p>defines circumstances that require the baseline configuration of the
-                        information system to be reviewed and updated;</p>
-                  </part>
-                  <part id="cm-2.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-2(1)(b)[2]</prop>
-                     <p>reviews and updates the baseline configuration of the information system
-                        when required due to organization-defined circumstances; and</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.1_smt.b">CM-2(1)(b)</link>
-               </part>
-               <part id="cm-2.1.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(1)(c)</prop>
-                  <p>reviews and updates the baseline configuration of the information system as an
-                     integral part of information system component installations and upgrades.</p>
-                  <link rel="corresp" href="#cm-2.1_smt.c">CM-2(1)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>procedures addressing information system component installations and
-                     upgrades</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of information system baseline configuration reviews and updates</p>
-                  <p>information system component installations/upgrades and associated records</p>
-                  <p>change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-                  <p>automated mechanisms supporting review and update of the baseline
-                     configuration</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.2">
-            <title>Automation Support for Accuracy / Currency</title>
-            <prop name="label">CM-2(2)</prop>
-            <prop name="sort-id">cm-02.02</prop>
-            <part id="cm-2.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to maintain an up-to-date, complete,
-                  accurate, and readily available baseline configuration of the information
-                  system.</p>
-            </part>
-            <part id="cm-2.2_gdn" name="guidance">
-               <p>Automated mechanisms that help organizations maintain consistent baseline
-                  configurations for information systems include, for example, hardware and software
-                  inventory tools, configuration management tools, and network management tools.
-                  Such tools can be deployed and/or allocated as common controls, at the information
-                  system level, or at the operating system or component level (e.g., on
-                  workstations, servers, notebook computers, network components, or mobile devices).
-                  Tools can be used, for example, to track version numbers on operating system
-                  applications, types of software installed, and current patch levels. This control
-                  enhancement can be satisfied by the implementation of CM-8 (2) for organizations
-                  that choose to combine information system component inventory and baseline
-                  configuration activities.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="cm-2.2_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to maintain: </p>
-               <part id="cm-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(2)[1]</prop>
-                  <p>an up-to-date baseline configuration of the information system;</p>
-               </part>
-               <part id="cm-2.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(2)[2]</prop>
-                  <p>a complete baseline configuration of the information system;</p>
-               </part>
-               <part id="cm-2.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(2)[3]</prop>
-                  <p>an accurate baseline configuration of the information system; and</p>
-               </part>
-               <part id="cm-2.2_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(2)[4]</prop>
-                  <p>a readily available baseline configuration of the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>configuration change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-                  <p>automated mechanisms implementing baseline configuration maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.3">
-            <title>Retention of Previous Configurations</title>
-            <param id="cm-2.3_prm_1">
-               <label>organization-defined previous versions of baseline configurations of the
-                  information system</label>
-            </param>
-            <prop name="label">CM-2(3)</prop>
-            <prop name="sort-id">cm-02.03</prop>
-            <part id="cm-2.3_smt" name="statement">
-               <p>The organization retains <insert param-id="cm-2.3_prm_1"/> to support
-                  rollback.</p>
-            </part>
-            <part id="cm-2.3_gdn" name="guidance">
-               <p>Retaining previous versions of baseline configurations to support rollback may
-                  include, for example, hardware, software, firmware, configuration files, and
-                  configuration records.</p>
-            </part>
-            <part id="cm-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-2(3)[1]</prop>
-                  <p>defines previous versions of baseline configurations of the information system
-                     to be retained to support rollback; and</p>
-               </part>
-               <part id="cm-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-2(3)[2]</prop>
-                  <p>retains organization-defined previous versions of baseline configurations of
-                     the information system to support rollback.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>copies of previous baseline configuration versions</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.7">
-            <title>Configure Systems, Components, or Devices for High-risk Areas</title>
-            <param id="cm-2.7_prm_1">
-               <label>organization-defined information systems, system components, or
-                  devices</label>
-            </param>
-            <param id="cm-2.7_prm_2">
-               <label>organization-defined configurations</label>
-            </param>
-            <param id="cm-2.7_prm_3">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">CM-2(7)</prop>
-            <prop name="sort-id">cm-02.07</prop>
-            <part id="cm-2.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-2.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Issues <insert param-id="cm-2.7_prm_1"/> with <insert param-id="cm-2.7_prm_2"/>
-                     to individuals traveling to locations that the organization deems to be of
-                     significant risk; and</p>
-               </part>
-               <part id="cm-2.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Applies <insert param-id="cm-2.7_prm_3"/> to the devices when the individuals
-                     return.</p>
-               </part>
-            </part>
-            <part id="cm-2.7_gdn" name="guidance">
-               <p>When it is known that information systems, system components, or devices (e.g.,
-                  notebook computers, mobile devices) will be located in high-risk areas, additional
-                  security controls may be implemented to counter the greater threat in such areas
-                  coupled with the lack of physical security relative to organizational-controlled
-                  areas. For example, organizational policies and procedures for notebook computers
-                  used by individuals departing on and returning from travel include, for example,
-                  determining which locations are of concern, defining required configurations for
-                  the devices, ensuring that the devices are configured as intended before travel is
-                  initiated, and applying specific safeguards to the device after travel is
-                  completed. Specially configured notebook computers include, for example, computers
-                  with sanitized hard drives, limited applications, and additional hardening (e.g.,
-                  more stringent configuration settings). Specified safeguards applied to mobile
-                  devices upon return from travel include, for example, examining the device for
-                  signs of physical tampering and purging/reimaging the hard disk drive. Protecting
-                  information residing on mobile devices is covered in the media protection
-                  family.</p>
-            </part>
-            <part id="cm-2.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.7.a_obj" name="objective">
-                  <prop name="label">CM-2(7)(a)</prop>
-                  <part id="cm-2.7.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(7)(a)[1]</prop>
-                     <p>defines information systems, system components, or devices to be issued to
-                        individuals traveling to locations that the organization deems to be of
-                        significant risk;</p>
-                  </part>
-                  <part id="cm-2.7.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(7)(a)[2]</prop>
-                     <p>defines configurations to be employed on organization-defined information
-                        systems, system components, or devices issued to individuals traveling to
-                        such locations;</p>
-                  </part>
-                  <part id="cm-2.7.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-2(7)(a)[3]</prop>
-                     <p>issues organization-defined information systems, system components, or
-                        devices with organization-defined configurations to individuals traveling to
-                        locations that the organization deems to be of significant risk;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.7_smt.a">CM-2(7)(a)</link>
-               </part>
-               <part id="cm-2.7.b_obj" name="objective">
-                  <prop name="label">CM-2(7)(b)</prop>
-                  <part id="cm-2.7.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-2(7)(b)[1]</prop>
-                     <p>defines security safeguards to be applied to the devices when the
-                        individuals return; and</p>
-                  </part>
-                  <part id="cm-2.7.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-2(7)(b)[2]</prop>
-                     <p>applies organization-defined safeguards to the devices when the individuals
-                        return.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.7_smt.b">CM-2(7)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>procedures addressing information system component installations and
-                     upgrades</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of information system baseline configuration reviews and updates</p>
-                  <p>information system component installations/upgrades and associated records</p>
-                  <p>change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-3">
-         <title>Configuration Change Control</title>
-         <param id="cm-3_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="cm-3_prm_2">
-            <label>organization-defined configuration change control element (e.g., committee,
-               board)</label>
-         </param>
-         <param id="cm-3_prm_3"/>
-         <param id="cm-3_prm_4" depends-on="cm-3_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cm-3_prm_5" depends-on="cm-3_prm_3">
-            <label>organization-defined configuration change conditions</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-3</prop>
-         <prop name="sort-id">cm-03</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines the types of changes to the information system that are
-                  configuration-controlled;</p>
-            </part>
-            <part id="cm-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews proposed configuration-controlled changes to the information system and
-                  approves or disapproves such changes with explicit consideration for security
-                  impact analyses;</p>
-            </part>
-            <part id="cm-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents configuration change decisions associated with the information
-                  system;</p>
-            </part>
-            <part id="cm-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implements approved configuration-controlled changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Retains records of configuration-controlled changes to the information system for
-                     <insert param-id="cm-3_prm_1"/>;</p>
-            </part>
-            <part id="cm-3_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Audits and reviews activities associated with configuration-controlled changes to
-                  the information system; and</p>
-            </part>
-            <part id="cm-3_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Coordinates and provides oversight for configuration change control activities
-                  through <insert param-id="cm-3_prm_2"/> that convenes <insert param-id="cm-3_prm_3"/>.</p>
-            </part>
-            <part id="cm-3_fr" name="item">
-               <title>CM-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-3_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="cm-3_fr_gdn.1" name="guidance">
-                  <prop name="label">(e) Guidance:</prop>
-                  <p>In accordance with record retention policies and procedures.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-3_gdn" name="guidance">
-            <p>Configuration change controls for organizational information systems involve the
-               systematic proposal, justification, implementation, testing, review, and disposition
-               of changes to the systems, including system upgrades and modifications. Configuration
-               change control includes changes to baseline configurations for components and
-               configuration items of information systems, changes to configuration settings for
-               information technology products (e.g., operating systems, applications, firewalls,
-               routers, and mobile devices), unscheduled/unauthorized changes, and changes to
-               remediate vulnerabilities. Typical processes for managing configuration changes to
-               information systems include, for example, Configuration Control Boards that approve
-               proposed changes to systems. For new development information systems or systems
-               undergoing major upgrades, organizations consider including representatives from
-               development organizations on the Configuration Control Boards. Auditing of changes
-               includes activities before and after changes are made to organizational information
-               systems and the auditing activities required to implement such changes.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-12">SI-12</link>
-         </part>
-         <part id="cm-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-3(a)</prop>
-               <p>determines the type of changes to the information system that must be
-                  configuration-controlled;</p>
-            </part>
-            <part id="cm-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CM-3(b)</prop>
-               <p>reviews proposed configuration-controlled changes to the information system and
-                  approves or disapproves such changes with explicit consideration for security
-                  impact analyses;</p>
-            </part>
-            <part id="cm-3.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CM-3(c)</prop>
-               <p>documents configuration change decisions associated with the information
-                  system;</p>
-            </part>
-            <part id="cm-3.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-3(d)</prop>
-               <p>implements approved configuration-controlled changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-3.e_obj" name="objective">
-               <prop name="label">CM-3(e)</prop>
-               <part id="cm-3.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(e)[1]</prop>
-                  <p>defines a time period to retain records of configuration-controlled changes to
-                     the information system;</p>
-               </part>
-               <part id="cm-3.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(e)[2]</prop>
-                  <p>retains records of configuration-controlled changes to the information system
-                     for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="cm-3.f_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-3(f)</prop>
-               <p>audits and reviews activities associated with configuration-controlled changes to
-                  the information system;</p>
-            </part>
-            <part id="cm-3.g_obj" name="objective">
-               <prop name="label">CM-3(g)</prop>
-               <part id="cm-3.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(g)[1]</prop>
-                  <p>defines a configuration change control element (e.g., committee, board)
-                     responsible for coordinating and providing oversight for configuration change
-                     control activities;</p>
-               </part>
-               <part id="cm-3.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(g)[2]</prop>
-                  <p>defines the frequency with which the configuration change control element must
-                     convene; and/or</p>
-               </part>
-               <part id="cm-3.g_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-3(g)[3]</prop>
-                  <p>defines configuration change conditions that prompt the configuration change
-                     control element to convene; and</p>
-               </part>
-               <part id="cm-3.g_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-3(g)[4]</prop>
-                  <p>coordinates and provides oversight for configuration change control activities
-                     through organization-defined configuration change control element that convenes
-                     at organization-defined frequency and/or for any organization-defined
-                     configuration change conditions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing information system configuration change control</p>
-               <p>configuration management plan</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>security plan</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>change control audit and review reports</p>
-               <p>agenda /minutes from configuration change control oversight meetings</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration change control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>members of change control board or similar</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for configuration change control</p>
-               <p>automated mechanisms that implement configuration change control</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-4">
-         <title>Security Impact Analysis</title>
-         <prop name="label">CM-4</prop>
-         <prop name="sort-id">cm-04</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-4_smt" name="statement">
-            <p>The organization analyzes changes to the information system to determine potential
-               security impacts prior to change implementation.</p>
-         </part>
-         <part id="cm-4_gdn" name="guidance">
-            <p>Organizational personnel with information security responsibilities (e.g.,
-               Information System Administrators, Information System Security Officers, Information
-               System Security Managers, and Information System Security Engineers) conduct security
-               impact analyses. Individuals conducting security impact analyses possess the
-               necessary skills/technical expertise to analyze the changes to information systems
-               and the associated security ramifications. Security impact analysis may include, for
-               example, reviewing security plans to understand security control requirements and
-               reviewing system design documentation to understand control implementation and how
-               specific changes might affect the controls. Security impact analyses may also include
-               assessments of risk to better understand the impact of the changes and to determine
-               if additional security controls are required. Security impact analyses are scaled in
-               accordance with the security categories of the information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="cm-4_obj" name="objective">
-            <p>Determine if the organization analyzes changes to the information system to determine
-               potential security impacts prior to change implementation.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing security impact analysis for changes to the information
-                  system</p>
-               <p>configuration management plan</p>
-               <p>security impact analysis documentation</p>
-               <p>analysis tools and associated outputs</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for conducting security impact
-                  analysis</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security impact analysis</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-5">
-         <title>Access Restrictions for Change</title>
-         <prop name="label">CM-5</prop>
-         <prop name="sort-id">cm-05</prop>
-         <part id="cm-5_smt" name="statement">
-            <p>The organization defines, documents, approves, and enforces physical and logical
-               access restrictions associated with changes to the information system.</p>
-         </part>
-         <part id="cm-5_gdn" name="guidance">
-            <p>Any changes to the hardware, software, and/or firmware components of information
-               systems can potentially have significant effects on the overall security of the
-               systems. Therefore, organizations permit only qualified and authorized individuals to
-               access information systems for purposes of initiating changes, including upgrades and
-               modifications. Organizations maintain records of access to ensure that configuration
-               change control is implemented and to support after-the-fact actions should
-               organizations discover any unauthorized changes. Access restrictions for change also
-               include software libraries. Access restrictions include, for example, physical and
-               logical access controls (see AC-3 and PE-3), workflow automation, media libraries,
-               abstract layers (e.g., changes implemented into third-party interfaces rather than
-               directly into information systems), and change windows (e.g., changes occur only
-               during specified times, making unauthorized changes easy to discover).</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="cm-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-5_obj.1" name="objective">
-               <prop name="label">CM-5[1]</prop>
-               <p>defines physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.2" name="objective">
-               <prop name="label">CM-5[2]</prop>
-               <p>documents physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.3" name="objective">
-               <prop name="label">CM-5[3]</prop>
-               <p>approves physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.4" name="objective">
-               <prop name="label">CM-5[4]</prop>
-               <p>enforces physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.5" name="objective">
-               <prop name="label">CM-5[5]</prop>
-               <p>defines logical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.6" name="objective">
-               <prop name="label">CM-5[6]</prop>
-               <p>documents logical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.7" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-5[7]</prop>
-               <p>approves logical access restrictions associated with changes to the information
-                  system; and</p>
-            </part>
-            <part id="cm-5_obj.8" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-5[8]</prop>
-               <p>enforces logical access restrictions associated with changes to the information
-                  system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing access restrictions for changes to the information
-                  system</p>
-               <p>configuration management plan</p>
-               <p>information system design documentation</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>logical access approvals</p>
-               <p>physical access approvals</p>
-               <p>access credentials</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with logical access control responsibilities</p>
-               <p>organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing access restrictions to change</p>
-               <p>automated mechanisms supporting/implementing/enforcing access restrictions
-                  associated with changes to the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-5.1">
-            <title>Automated Access Enforcement / Auditing</title>
-            <prop name="label">CM-5(1)</prop>
-            <prop name="sort-id">cm-05.01</prop>
-            <part id="cm-5.1_smt" name="statement">
-               <p>The information system enforces access restrictions and supports auditing of the
-                  enforcement actions.</p>
-            </part>
-            <part id="cm-5.1_gdn" name="guidance">
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="cm-5.1_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="cm-5.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(1)[1]</prop>
-                  <p>enforces access restrictions for change; and</p>
-               </part>
-               <part id="cm-5.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(1)[2]</prop>
-                  <p>supports auditing of the enforcement actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms implementing enforcement of access restrictions for
-                     changes to the information system</p>
-                  <p>automated mechanisms supporting auditing of enforcement actions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.3">
-            <title>Signed Components</title>
-            <param id="cm-5.3_prm_1">
-               <label>organization-defined software and firmware components</label>
-            </param>
-            <prop name="label">CM-5(3)</prop>
-            <prop name="sort-id">cm-05.03</prop>
-            <part id="cm-5.3_smt" name="statement">
-               <p>The information system prevents the installation of <insert param-id="cm-5.3_prm_1"/> without verification that the component has been
-                  digitally signed using a certificate that is recognized and approved by the
-                  organization.</p>
-               <part id="cm-5.3_fr" name="item">
-                  <title>CM-5 (3) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="cm-5.3_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-5.3_gdn" name="guidance">
-               <p>Software and firmware components prevented from installation unless signed with
-                  recognized and approved certificates include, for example, software and firmware
-                  version updates, patches, service packs, device drivers, and basic input output
-                  system (BIOS) updates. Organizations can identify applicable software and firmware
-                  components by type, by specific items, or a combination of both. Digital
-                  signatures and organizational verification of such signatures, is a method of code
-                  authentication.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-5.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-5.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-5(3)[1]</prop>
-                  <p>the organization defines software and firmware components that the information
-                     system will prevent from being installed without verification that such
-                     components have been digitally signed using a certificate that is recognized
-                     and approved by the organization; and</p>
-               </part>
-               <part id="cm-5.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(3)[2]</prop>
-                  <p>the information system prevents the installation of organization-defined
-                     software and firmware components without verification that such components have
-                     been digitally signed using a certificate that is recognized and approved by
-                     the organization.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>list of software and firmware components to be prohibited from installation
-                     without a recognized and approved certificate</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms preventing installation of software and firmware
-                     components not signed with an organization-recognized and approved
-                     certificate</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.5">
-            <title>Limit Production / Operational Privileges</title>
-            <param id="cm-5.5_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least quarterly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-5(5)</prop>
-            <prop name="sort-id">cm-05.05</prop>
-            <part id="cm-5.5_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-5.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Limits privileges to change information system components and system-related
-                     information within a production or operational environment; and</p>
-               </part>
-               <part id="cm-5.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reviews and reevaluates privileges <insert param-id="cm-5.5_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="cm-5.5_gdn" name="guidance">
-               <p>In many organizations, information systems support multiple core missions/business
-                  functions. Limiting privileges to change information system components with
-                  respect to operational systems is necessary because changes to a particular
-                  information system component may have far-reaching effects on mission/business
-                  processes supported by the system where the component resides. The complex,
-                  many-to-many relationships between systems and mission/business processes are in
-                  some cases, unknown to developers.</p>
-               <link rel="related" href="#ac-2">AC-2</link>
-            </part>
-            <part id="cm-5.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-5.5.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-5(5)(a)</prop>
-                  <p>limits privileges to change information system components and system-related
-                     information within a production or operational environment;</p>
-                  <link rel="corresp" href="#cm-5.5_smt.a">CM-5(5)(a)</link>
-               </part>
-               <part id="cm-5.5.b_obj" name="objective">
-                  <prop name="label">CM-5(5)(b)</prop>
-                  <part id="cm-5.5.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-5(5)(b)[1]</prop>
-                     <p>defines the frequency to review and reevaluate privileges; and</p>
-                  </part>
-                  <part id="cm-5.5.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-5(5)(b)[2]</prop>
-                     <p>reviews and reevaluates privileges with the organization-defined
-                        frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-5.5_smt.b">CM-5(5)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>user privilege reviews</p>
-                  <p>user privilege recertifications</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms supporting and/or implementing access restrictions for
-                     change</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-6">
-         <title>Configuration Settings</title>
-         <param id="cm-6_prm_1">
-            <label>organization-defined security configuration checklists</label>
-            <guideline>
-               <p>See CM-6(a) Additional FedRAMP Requirements and Guidance</p>
-            </guideline>
-         </param>
-         <param id="cm-6_prm_2">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="cm-6_prm_3">
-            <label>organization-defined operational requirements</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-6</prop>
-         <prop name="sort-id">cm-06</prop>
-         <link href="#990268bf-f4a9-4c81-91ae-dc7d3115f4b1" rel="reference">OMB Memorandum 07-11</link>
-         <link href="#0b3d8ba9-051f-498d-81ea-97f0f018c612" rel="reference">OMB Memorandum 07-18</link>
-         <link href="#0916ef02-3618-411b-a525-565c088849a6" rel="reference">OMB Memorandum 08-22</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <link href="#e95dd121-2733-413e-bf1e-f1eb49f20a98" rel="reference">http://checklists.nist.gov</link>
-         <link href="#647b6de3-81d0-4d22-bec1-5f1333e34380" rel="reference">http://www.nsa.gov</link>
-         <part id="cm-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents configuration settings for information technology
-                  products employed within the information system using <insert param-id="cm-6_prm_1"/> that reflect the most restrictive mode consistent with
-                  operational requirements;</p>
-            </part>
-            <part id="cm-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements the configuration settings;</p>
-            </part>
-            <part id="cm-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies, documents, and approves any deviations from established configuration
-                  settings for <insert param-id="cm-6_prm_2"/> based on <insert param-id="cm-6_prm_3"/>; and</p>
-            </part>
-            <part id="cm-6_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Monitors and controls changes to the configuration settings in accordance with
-                  organizational policies and procedures.</p>
-            </part>
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-6_gdn" name="guidance">
-            <p>Configuration settings are the set of parameters that can be changed in hardware,
-               software, or firmware components of the information system that affect the security
-               posture and/or functionality of the system. Information technology products for which
-               security-related configuration settings can be defined include, for example,
-               mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-               proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-               and data switches, wireless access points, network appliances, sensors), operating
-               systems, middleware, and applications. Security-related parameters are those
-               parameters impacting the security state of information systems including the
-               parameters required to satisfy other security control requirements. Security-related
-               parameters include, for example: (i) registry settings; (ii) account, file, directory
-               permission settings; and (iii) settings for functions, ports, protocols, services,
-               and remote connections. Organizations establish organization-wide configuration
-               settings and subsequently derive specific settings for information systems. The
-               established settings become part of the systems configuration baseline. Common secure
-               configurations (also referred to as security configuration checklists, lockdown and
-               hardening guides, security reference guides, security technical implementation
-               guides) provide recognized, standardized, and established benchmarks that stipulate
-               secure configuration settings for specific information technology platforms/products
-               and instructions for configuring those information system components to meet
-               operational requirements. Common secure configurations can be developed by a variety
-               of organizations including, for example, information technology product developers,
-               manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-               organizations in the public and private sectors. Common secure configurations include
-               the United States Government Configuration Baseline (USGCB) which affects the
-               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-               Content Automation Protocol (SCAP) and the defined standards within the protocol
-               (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-               identify, track, and control configuration settings. OMB establishes federal policy
-               on configuration requirements for federal information systems.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="cm-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-6.a_obj" name="objective">
-               <prop name="label">CM-6(a)</prop>
-               <part id="cm-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(a)[1]</prop>
-                  <p>defines security configuration checklists to be used to establish and document
-                     configuration settings for the information technology products employed;</p>
-               </part>
-               <part id="cm-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CM-6(a)[2]</prop>
-                  <p>ensures the defined security configuration checklists reflect the most
-                     restrictive mode consistent with operational requirements;</p>
-               </part>
-               <part id="cm-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(a)[3]</prop>
-                  <p>establishes and documents configuration settings for information technology
-                     products employed within the information system using organization-defined
-                     security configuration checklists;</p>
-               </part>
-            </part>
-            <part id="cm-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-6(b)</prop>
-               <p>implements the configuration settings established/documented in CM-6(a);;</p>
-            </part>
-            <part id="cm-6.c_obj" name="objective">
-               <prop name="label">CM-6(c)</prop>
-               <part id="cm-6.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[1]</prop>
-                  <p>defines information system components for which any deviations from established
-                     configuration settings must be:</p>
-                  <part id="cm-6.c_obj.1.a" name="objective">
-                     <prop name="label">CM-6(c)[1][a]</prop>
-                     <p>identified;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.b" name="objective">
-                     <prop name="label">CM-6(c)[1][b]</prop>
-                     <p>documented;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.c" name="objective">
-                     <prop name="label">CM-6(c)[1][c]</prop>
-                     <p>approved;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[2]</prop>
-                  <p>defines operational requirements to support:</p>
-                  <part id="cm-6.c_obj.2.a" name="objective">
-                     <prop name="label">CM-6(c)[2][a]</prop>
-                     <p>the identification of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.b" name="objective">
-                     <prop name="label">CM-6(c)[2][b]</prop>
-                     <p>the documentation of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.c" name="objective">
-                     <prop name="label">CM-6(c)[2][c]</prop>
-                     <p>the approval of any deviations from established configuration settings;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(c)[3]</prop>
-                  <p>identifies any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(c)[4]</prop>
-                  <p>documents any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(c)[5]</prop>
-                  <p>approves any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-            </part>
-            <part id="cm-6.d_obj" name="objective">
-               <prop name="label">CM-6(d)</prop>
-               <part id="cm-6.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(d)[1]</prop>
-                  <p>monitors changes to the configuration settings in accordance with
-                     organizational policies and procedures; and</p>
-               </part>
-               <part id="cm-6.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(d)[2]</prop>
-                  <p>controls changes to the configuration settings in accordance with
-                     organizational policies and procedures.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing configuration settings for the information system</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>evidence supporting approved deviations from established configuration
-                  settings</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing configuration settings</p>
-               <p>automated mechanisms that implement, monitor, and/or control information system
-                  configuration settings</p>
-               <p>automated mechanisms that identify and/or document deviations from established
-                  configuration settings</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-6.1">
-            <title>Automated Central Management / Application / Verification</title>
-            <param id="cm-6.1_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">CM-6(1)</prop>
-            <prop name="sort-id">cm-06.01</prop>
-            <part id="cm-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to centrally manage, apply, and
-                  verify configuration settings for <insert param-id="cm-6.1_prm_1"/>.</p>
-            </part>
-            <part id="cm-6.1_gdn" name="guidance">
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#cm-4">CM-4</link>
-            </part>
-            <part id="cm-6.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-6.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-6(1)[1]</prop>
-                  <p>defines information system components for which automated mechanisms are to be
-                     employed to:</p>
-                  <part id="cm-6.1_obj.1.a" name="objective">
-                     <prop name="label">CM-6(1)[1][a]</prop>
-                     <p>centrally manage configuration settings of such components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.1.b" name="objective">
-                     <prop name="label">CM-6(1)[1][b]</prop>
-                     <p>apply configuration settings of such components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.1.c" name="objective">
-                     <prop name="label">CM-6(1)[1][c]</prop>
-                     <p>verify configuration settings of such components;</p>
-                  </part>
-               </part>
-               <part id="cm-6.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-6(1)[2]</prop>
-                  <p>employs automated mechanisms to:</p>
-                  <part id="cm-6.1_obj.2.a" name="objective">
-                     <prop name="label">CM-6(1)[2][a]</prop>
-                     <p>centrally manage configuration settings for organization-defined information
-                        system components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.2.b" name="objective">
-                     <prop name="label">CM-6(1)[2][b]</prop>
-                     <p>apply configuration settings for organization-defined information system
-                        components; and</p>
-                  </part>
-                  <part id="cm-6.1_obj.2.c" name="objective">
-                     <prop name="label">CM-6(1)[2][c]</prop>
-                     <p>verify configuration settings for organization-defined information system
-                        components.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing configuration settings for the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security configuration checklists</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security configuration management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing configuration settings</p>
-                  <p>automated mechanisms implemented to centrally manage, apply, and verify
-                     information system configuration settings</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-7">
-         <title>Least Functionality</title>
-         <param id="cm-7_prm_1">
-            <label>organization-defined prohibited or restricted functions, ports, protocols, and/or
-               services</label>
-            <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-         </param>
-         <prop name="label">CM-7</prop>
-         <prop name="sort-id">cm-07</prop>
-         <link href="#e42b2099-3e1c-415b-952c-61c96533c12e" rel="reference">DoD Instruction 8551.01</link>
-         <part id="cm-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Configures the information system to provide only essential capabilities; and</p>
-            </part>
-            <part id="cm-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Prohibits or restricts the use of the following functions, ports, protocols,
-                  and/or services: <insert param-id="cm-7_prm_1"/>.</p>
-            </part>
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>. Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-7_gdn" name="guidance">
-            <p>Information systems can provide a wide variety of functions and services. Some of the
-               functions and services, provided by default, may not be necessary to support
-               essential organizational operations (e.g., key missions, functions). Additionally, it
-               is sometimes convenient to provide multiple services from single information system
-               components, but doing so increases risk over limiting the services provided by any
-               one component. Where feasible, organizations limit component functionality to a
-               single function per device (e.g., email servers or web servers, but not both).
-               Organizations review functions and services provided by information systems or
-               individual components of information systems, to determine which functions and
-               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-               Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-               prevent unauthorized connection of devices, unauthorized transfer of information, or
-               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-               detection and prevention systems, and end-point protections such as firewalls and
-               host-based intrusion detection systems to identify and prevent the use of prohibited
-               functions, ports, protocols, and services.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-7.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-7(a)</prop>
-               <p>configures the information system to provide only essential capabilities;</p>
-            </part>
-            <part id="cm-7.b_obj" name="objective">
-               <prop name="label">CM-7(b)</prop>
-               <part id="cm-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-7(b)[1]</prop>
-                  <p>defines prohibited or restricted:</p>
-                  <part id="cm-7.b_obj.1.a" name="objective">
-                     <prop name="label">CM-7(b)[1][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.b" name="objective">
-                     <prop name="label">CM-7(b)[1][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.c" name="objective">
-                     <prop name="label">CM-7(b)[1][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.d" name="objective">
-                     <prop name="label">CM-7(b)[1][d]</prop>
-                     <p>services;</p>
-                  </part>
-               </part>
-               <part id="cm-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-7(b)[2]</prop>
-                  <p>prohibits or restricts the use of organization-defined:</p>
-                  <part id="cm-7.b_obj.2.a" name="objective">
-                     <prop name="label">CM-7(b)[2][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.b" name="objective">
-                     <prop name="label">CM-7(b)[2][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.c" name="objective">
-                     <prop name="label">CM-7(b)[2][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.d" name="objective">
-                     <prop name="label">CM-7(b)[2][d]</prop>
-                     <p>services.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>configuration management plan</p>
-               <p>procedures addressing least functionality in the information system</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes prohibiting or restricting functions, ports, protocols,
-                  and/or services</p>
-               <p>automated mechanisms implementing restrictions or prohibition of functions, ports,
-                  protocols, and/or services</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-7.1">
-            <title>Periodic Review</title>
-            <param id="cm-7.1_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least monthly</constraint>
-            </param>
-            <param id="cm-7.1_prm_2">
-               <label>organization-defined functions, ports, protocols, and services within the
-                  information system deemed to be unnecessary and/or nonsecure</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-7(1)</prop>
-            <prop name="sort-id">cm-07.01</prop>
-            <part id="cm-7.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-7.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Reviews the information system <insert param-id="cm-7.1_prm_1"/> to identify
-                     unnecessary and/or nonsecure functions, ports, protocols, and services; and</p>
-               </part>
-               <part id="cm-7.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Disables <insert param-id="cm-7.1_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-7.1_gdn" name="guidance">
-               <p>The organization can either make a determination of the relative security of the
-                  function, port, protocol, and/or service or base the security decision on the
-                  assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are
-                  examples of less than secure protocols.</p>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#ia-2">IA-2</link>
-            </part>
-            <part id="cm-7.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-7.1.a_obj" name="objective">
-                  <prop name="label">CM-7(1)(a)</prop>
-                  <part id="cm-7.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-7(1)(a)[1]</prop>
-                     <p>defines the frequency to review the information system to identify
-                        unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.a_obj.1.a" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.b" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.c" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.d" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <part id="cm-7.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-7(1)(a)[2]</prop>
-                     <p>reviews the information system with the organization-defined frequency to
-                        identify unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.a_obj.2.a" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.b" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.c" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.d" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-7.1_smt.a">CM-7(1)(a)</link>
-               </part>
-               <part id="cm-7.1.b_obj" name="objective">
-                  <prop name="label">CM-7(1)(b)</prop>
-                  <part id="cm-7.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-7(1)(b)[1]</prop>
-                     <p>defines, within the information system, unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.b_obj.1.a" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.b" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.c" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.d" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <part id="cm-7.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-7(1)(b)[2]</prop>
-                     <p>disables organization-defined unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.b_obj.2.a" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.b" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.c" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.d" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][d]</prop>
-                        <p>services.</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-7.1_smt.b">CM-7(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security configuration checklists</p>
-                  <p>documented reviews of functions, ports, protocols, and/or services</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reviewing functions, ports,
-                     protocols, and services on the information system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for reviewing/disabling nonsecure functions, ports,
-                     protocols, and/or services</p>
-                  <p>automated mechanisms implementing review and disabling of nonsecure functions,
-                     ports, protocols, and/or services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.2">
-            <title>Prevent Program Execution</title>
-            <param id="cm-7.2_prm_1"/>
-            <param id="cm-7.2_prm_2" depends-on="cm-7.2_prm_1">
-               <label>organization-defined policies regarding software program usage and
-                  restrictions</label>
-            </param>
-            <prop name="label">CM-7(2)</prop>
-            <prop name="sort-id">cm-07.02</prop>
-            <part id="cm-7.2_smt" name="statement">
-               <p>The information system prevents program execution in accordance with <insert param-id="cm-7.2_prm_1"/>.</p>
-               <part id="cm-7.2_fr" name="item">
-                  <title>CM-7 (2) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="cm-7.2_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-7.2_gdn" name="guidance">
-               <link rel="related" href="#cm-8">CM-8</link>
-               <link rel="related" href="#pm-5">PM-5</link>
-            </part>
-            <part id="cm-7.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-7.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-7(2)[1]</prop>
-                  <p>the organization defines policies regarding software program usage and
-                     restrictions;</p>
-               </part>
-               <part id="cm-7.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-7(2)[2]</prop>
-                  <p>the information system prevents program execution in accordance with one or
-                     more of the following:</p>
-                  <part id="cm-7.2_obj.2.a" name="objective">
-                     <prop name="label">CM-7(2)[2][a]</prop>
-                     <p>organization-defined policies regarding program usage and restrictions;
-                        and/or</p>
-                  </part>
-                  <part id="cm-7.2_obj.2.b" name="objective">
-                     <prop name="label">CM-7(2)[2][b]</prop>
-                     <p>rules authorizing the terms and conditions of software program usage.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>specifications for preventing software program execution</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes preventing program execution on the information
-                     system</p>
-                  <p>organizational processes for software program usage and restrictions</p>
-                  <p>automated mechanisms preventing program execution on the information system</p>
-                  <p>automated mechanisms supporting and/or implementing software program usage and
-                     restrictions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.5">
-            <title>Authorized Software / Whitelisting</title>
-            <param id="cm-7.5_prm_1">
-               <label>organization-defined software programs authorized to execute on the
-                  information system</label>
-            </param>
-            <param id="cm-7.5_prm_2">
-               <label>organization-defined frequency</label>
-               <constraint>at least Annually or when there is a change</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-7(5)</prop>
-            <prop name="sort-id">cm-07.05</prop>
-            <part id="cm-7.5_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-7.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Identifies <insert param-id="cm-7.5_prm_1"/>;</p>
-               </part>
-               <part id="cm-7.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Employs a deny-all, permit-by-exception policy to allow the execution of
-                     authorized software programs on the information system; and</p>
-               </part>
-               <part id="cm-7.5_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Reviews and updates the list of authorized software programs <insert param-id="cm-7.5_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-7.5_gdn" name="guidance">
-               <p>The process used to identify software programs that are authorized to execute on
-                  organizational information systems is commonly referred to as whitelisting. In
-                  addition to whitelisting, organizations consider verifying the integrity of
-                  white-listed software programs using, for example, cryptographic checksums,
-                  digital signatures, or hash functions. Verification of white-listed software can
-                  occur either prior to execution or at system startup.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-               <link rel="related" href="#cm-8">CM-8</link>
-               <link rel="related" href="#pm-5">PM-5</link>
-               <link rel="related" href="#sa-10">SA-10</link>
-               <link rel="related" href="#sc-34">SC-34</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-7.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-7.5.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-7(5)(a)</prop>
-                  <p>Identifies/defines software programs authorized to execute on the information
-                     system;</p>
-                  <link rel="corresp" href="#cm-7.5_smt.a">CM-7(5)(a)</link>
-               </part>
-               <part id="cm-7.5.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-7(5)(b)</prop>
-                  <p>employs a deny-all, permit-by-exception policy to allow the execution of
-                     authorized software programs on the information system;</p>
-                  <link rel="corresp" href="#cm-7.5_smt.b">CM-7(5)(b)</link>
-               </part>
-               <part id="cm-7.5.c_obj" name="objective">
-                  <prop name="label">CM-7(5)(c)</prop>
-                  <part id="cm-7.5.c_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-7(5)(c)[1]</prop>
-                     <p>defines the frequency to review and update the list of authorized software
-                        programs on the information system; and</p>
-                  </part>
-                  <part id="cm-7.5.c_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-7(5)(c)[2]</prop>
-                     <p>reviews and updates the list of authorized software programs with the
-                        organization-defined frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-7.5_smt.c">CM-7(5)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of software programs authorized to execute on the information system</p>
-                  <p>security configuration checklists</p>
-                  <p>review and update records associated with list of authorized software
-                     programs</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for identifying software
-                     authorized to execute on the information system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for identifying, reviewing, and updating programs
-                     authorized to execute on the information system</p>
-                  <p>organizational process for implementing whitelisting</p>
-                  <p>automated mechanisms implementing whitelisting</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-8">
-         <title>Information System Component Inventory</title>
-         <param id="cm-8_prm_1">
-            <label>organization-defined information deemed necessary to achieve effective
-               information system component accountability</label>
-         </param>
-         <param id="cm-8_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-8</prop>
-         <prop name="sort-id">cm-08</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents an inventory of information system components that:</p>
-               <part id="cm-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Is at the level of granularity deemed necessary for tracking and reporting;
-                     and</p>
-               </part>
-               <part id="cm-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Includes <insert param-id="cm-8_prm_1"/>; and</p>
-               </part>
-            </part>
-            <part id="cm-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the information system component inventory <insert param-id="cm-8_prm_2"/>.</p>
-            </part>
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-8_gdn" name="guidance">
-            <p>Organizations may choose to implement centralized information system component
-               inventories that include components from all organizational information systems. In
-               such situations, organizations ensure that the resulting inventories include
-               system-specific information required for proper component accountability (e.g.,
-               information system association, information system owner). Information deemed
-               necessary for effective accountability of information system components includes, for
-               example, hardware inventory specifications, software license information, software
-               version numbers, component owners, and for networked components or devices, machine
-               names and network addresses. Inventory specifications include, for example,
-               manufacturer, device type, model, serial number, and physical location.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-         </part>
-         <part id="cm-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-8.a_obj" name="objective">
-               <prop name="label">CM-8(a)</prop>
-               <part id="cm-8.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(1)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(2)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(a)(3)</prop>
-                  <p>develops and documents an inventory of information system components that is at
-                     the level of granularity deemed necessary for tracking and reporting;</p>
-               </part>
-               <part id="cm-8.a.4_obj" name="objective">
-                  <prop name="label">CM-8(a)(4)</prop>
-                  <part id="cm-8.a.4_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(a)(4)[1]</prop>
-                     <p>defines the information deemed necessary to achieve effective information
-                        system component accountability;</p>
-                  </part>
-                  <part id="cm-8.a.4_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(a)(4)[2]</prop>
-                     <p>develops and documents an inventory of information system components that
-                        includes organization-defined information deemed necessary to achieve
-                        effective information system component accountability;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-8.b_obj" name="objective">
-               <prop name="label">CM-8(b)</prop>
-               <part id="cm-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-8(b)[1]</prop>
-                  <p>defines the frequency to review and update the information system component
-                     inventory; and</p>
-               </part>
-               <part id="cm-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-8(b)[2]</prop>
-                  <p>reviews and updates the information system component inventory with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing information system component inventory</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system inventory records</p>
-               <p>inventory reviews and update records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system component
-                  inventory</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing and documenting an inventory of
-                  information system components</p>
-               <p>automated mechanisms supporting and/or implementing the information system
-                  component inventory</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-8.1">
-            <title>Updates During Installations / Removals</title>
-            <prop name="label">CM-8(1)</prop>
-            <prop name="sort-id">cm-08.01</prop>
-            <part id="cm-8.1_smt" name="statement">
-               <p>The organization updates the inventory of information system components as an
-                  integral part of component installations, removals, and information system
-                  updates.</p>
-            </part>
-            <part id="cm-8.1_obj" name="objective">
-               <p>Determine if the organization updates the inventory of information system
-                  components as an integral part of:</p>
-               <part id="cm-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-8(1)[1]</prop>
-                  <p>component installations;</p>
-               </part>
-               <part id="cm-8.1_obj.2" name="objective">
-                  <prop name="label">CM-8(1)[2]</prop>
-                  <p>component removals; and</p>
-               </part>
-               <part id="cm-8.1_obj.3" name="objective">
-                  <prop name="label">CM-8(1)[3]</prop>
-                  <p>information system updates.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system inventory records</p>
-                  <p>inventory reviews and update records</p>
-                  <p>component installation records</p>
-                  <p>component removal records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for updating the information
-                     system component inventory</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for updating inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing updating of the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.3">
-            <title>Automated Unauthorized Component Detection</title>
-            <param id="cm-8.3_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>Continuously, using automated mechanisms with a maximum five-minute delay in detection</constraint>
-            </param>
-            <param id="cm-8.3_prm_2"/>
-            <param id="cm-8.3_prm_3" depends-on="cm-8.3_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CM-8(3)</prop>
-            <prop name="sort-id">cm-08.03</prop>
-            <part id="cm-8.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-8.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs automated mechanisms <insert param-id="cm-8.3_prm_1"/> to detect the
-                     presence of unauthorized hardware, software, and firmware components within the
-                     information system; and</p>
-               </part>
-               <part id="cm-8.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Takes the following actions when unauthorized components are detected: <insert param-id="cm-8.3_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-8.3_gdn" name="guidance">
-               <p>This control enhancement is applied in addition to the monitoring for unauthorized
-                  remote connections and mobile devices. Monitoring for unauthorized system
-                  components may be accomplished on an ongoing basis or by the periodic scanning of
-                  systems for that purpose. Automated mechanisms can be implemented within
-                  information systems or in other separate devices. Isolation can be achieved, for
-                  example, by placing unauthorized information system components in separate domains
-                  or subnets or otherwise quarantining such components. This type of component
-                  isolation is commonly referred to as sandboxing.</p>
-               <link rel="related" href="#ac-17">AC-17</link>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-4">SI-4</link>
-               <link rel="related" href="#si-7">SI-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="cm-8.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-8.3.a_obj" name="objective">
-                  <prop name="label">CM-8(3)(a)</prop>
-                  <part id="cm-8.3.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(3)(a)[1]</prop>
-                     <p>defines the frequency to employ automated mechanisms to detect the presence
-                        of unauthorized:</p>
-                     <part id="cm-8.3.a_obj.1.a" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][a]</prop>
-                        <p>hardware components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.1.b" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][b]</prop>
-                        <p>software components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.1.c" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][c]</prop>
-                        <p>firmware components within the information system;</p>
-                     </part>
-                  </part>
-                  <part id="cm-8.3.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-8(3)(a)[2]</prop>
-                     <p>employs automated mechanisms with the organization-defined frequency to
-                        detect the presence of unauthorized:</p>
-                     <part id="cm-8.3.a_obj.2.a" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][a]</prop>
-                        <p>hardware components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.2.b" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][b]</prop>
-                        <p>software components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.2.c" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][c]</prop>
-                        <p>firmware components within the information system;</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-8.3_smt.a">CM-8(3)(a)</link>
-               </part>
-               <part id="cm-8.3.b_obj" name="objective">
-                  <prop name="label">CM-8(3)(b)</prop>
-                  <part id="cm-8.3.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CM-8(3)(b)[1]</prop>
-                     <p>defines personnel or roles to be notified when unauthorized components are
-                        detected;</p>
-                  </part>
-                  <part id="cm-8.3.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">CM-8(3)(b)[2]</prop>
-                     <p>takes one or more of the following actions when unauthorized components are
-                        detected:</p>
-                     <part id="cm-8.3.b_obj.2.a" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][a]</prop>
-                        <p>disables network access by such components;</p>
-                     </part>
-                     <part id="cm-8.3.b_obj.2.b" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][b]</prop>
-                        <p>isolates the components; and/or</p>
-                     </part>
-                     <part id="cm-8.3.b_obj.2.c" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][c]</prop>
-                        <p>notifies organization-defined personnel or roles.</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-8.3_smt.b">CM-8(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system inventory records</p>
-                  <p>alerts/notifications of unauthorized components within the information
-                     system</p>
-                  <p>information system monitoring records</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for managing the automated
-                     mechanisms implementing unauthorized information system component detection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for detection of unauthorized information system
-                     components</p>
-                  <p>automated mechanisms implementing the detection of unauthorized information
-                     system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.5">
-            <title>No Duplicate Accounting of Components</title>
-            <prop name="label">CM-8(5)</prop>
-            <prop name="sort-id">cm-08.05</prop>
-            <part id="cm-8.5_smt" name="statement">
-               <p>The organization verifies that all components within the authorization boundary of
-                  the information system are not duplicated in other information system component
-                  inventories.</p>
-            </part>
-            <part id="cm-8.5_gdn" name="guidance">
-               <p>This control enhancement addresses the potential problem of duplicate accounting
-                  of information system components in large or complex interconnected systems.</p>
-            </part>
-            <part id="cm-8.5_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization verifies that all components within the
-                  authorization boundary of the information system are not duplicated in other
-                  information system inventories. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system inventory records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system inventory responsibilities</p>
-                  <p>organizational personnel with responsibilities for defining information system
-                     components within the authorization boundary of the system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining the inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-9">
-         <title>Configuration Management Plan</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CM-9</prop>
-         <prop name="sort-id">cm-09</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-9_smt" name="statement">
-            <p>The organization develops, documents, and implements a configuration management plan
-               for the information system that:</p>
-            <part id="cm-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Addresses roles, responsibilities, and configuration management processes and
-                  procedures;</p>
-            </part>
-            <part id="cm-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes a process for identifying configuration items throughout the system
-                  development life cycle and for managing the configuration of the configuration
-                  items;</p>
-            </part>
-            <part id="cm-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Defines the configuration items for the information system and places the
-                  configuration items under configuration management; and</p>
-            </part>
-            <part id="cm-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the configuration management plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part id="cm-9_gdn" name="guidance">
-            <p>Configuration management plans satisfy the requirements in configuration management
-               policies while being tailored to individual information systems. Such plans define
-               detailed processes and procedures for how configuration management is used to support
-               system development life cycle activities at the information system level.
-               Configuration management plans are typically developed during the
-               development/acquisition phase of the system development life cycle. The plans
-               describe how to move changes through change management processes, how to update
-               configuration settings and baselines, how to maintain information system component
-               inventories, how to control development, test, and operational environments, and how
-               to develop, release, and update key documents. Organizations can employ templates to
-               help ensure consistent and timely development and implementation of configuration
-               management plans. Such templates can represent a master configuration management plan
-               for the organization at large with subsets of the plan implemented on a system by
-               system basis. Configuration management approval processes include designation of key
-               management stakeholders responsible for reviewing and approving proposed changes to
-               information systems, and personnel that conduct security impact analyses prior to the
-               implementation of changes to the systems. Configuration items are the information
-               system items (hardware, software, firmware, and documentation) to be
-               configuration-managed. As information systems continue through the system development
-               life cycle, new configuration items may be identified and some existing configuration
-               items may no longer need to be under configuration control.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-         </part>
-         <part id="cm-9_obj" name="objective">
-            <p>Determine if the organization develops, documents, and implements a configuration
-               management plan for the information system that:</p>
-            <part id="cm-9.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-9(a)</prop>
-               <part id="cm-9.a_obj.1" name="objective">
-                  <prop name="label">CM-9(a)[1]</prop>
-                  <p>addresses roles;</p>
-               </part>
-               <part id="cm-9.a_obj.2" name="objective">
-                  <prop name="label">CM-9(a)[2]</prop>
-                  <p>addresses responsibilities;</p>
-               </part>
-               <part id="cm-9.a_obj.3" name="objective">
-                  <prop name="label">CM-9(a)[3]</prop>
-                  <p>addresses configuration management processes and procedures;</p>
-               </part>
-            </part>
-            <part id="cm-9.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-9(b)</prop>
-               <p>establishes a process for:</p>
-               <part id="cm-9.b_obj.1" name="objective">
-                  <prop name="label">CM-9(b)[1]</prop>
-                  <p>identifying configuration items throughout the SDLC;</p>
-               </part>
-               <part id="cm-9.b_obj.2" name="objective">
-                  <prop name="label">CM-9(b)[2]</prop>
-                  <p>managing the configuration of the configuration items;</p>
-               </part>
-            </part>
-            <part id="cm-9.c_obj" name="objective">
-               <prop name="label">CM-9(c)</prop>
-               <part id="cm-9.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-9(c)[1]</prop>
-                  <p>defines the configuration items for the information system;</p>
-               </part>
-               <part id="cm-9.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-9(c)[2]</prop>
-                  <p>places the configuration items under configuration management;</p>
-               </part>
-            </part>
-            <part id="cm-9.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-9(d)</prop>
-               <p>protects the configuration management plan from unauthorized:</p>
-               <part id="cm-9.d_obj.1" name="objective">
-                  <prop name="label">CM-9(d)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="cm-9.d_obj.2" name="objective">
-                  <prop name="label">CM-9(d)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing configuration management planning</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for developing the configuration
-                  management plan</p>
-               <p>organizational personnel with responsibilities for implementing and managing
-                  processes defined in the configuration management plan</p>
-               <p>organizational personnel with responsibilities for protecting the configuration
-                  management plan</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing and documenting the configuration
-                  management plan</p>
-               <p>organizational processes for identifying and managing configuration items</p>
-               <p>organizational processes for protecting the configuration management plan</p>
-               <p>automated mechanisms implementing the configuration management plan</p>
-               <p>automated mechanisms for managing configuration items</p>
-               <p>automated mechanisms for protecting the configuration management plan</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-10">
-         <title>Software Usage Restrictions</title>
-         <prop name="label">CM-10</prop>
-         <prop name="sort-id">cm-10</prop>
-         <part id="cm-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part id="cm-10_gdn" name="guidance">
-            <p>Software license tracking can be accomplished by manual methods (e.g., simple
-               spreadsheets) or automated methods (e.g., specialized tracking applications)
-               depending on organizational needs.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-10_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-10.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-10(a)</prop>
-               <p>uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">CM-10(b)</prop>
-               <p>tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CM-10(c)</prop>
-               <p>controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing software usage restrictions</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>software contract agreements and copyright laws</p>
-               <p>site license documentation</p>
-               <p>list of software usage restrictions</p>
-               <p>software license tracking reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel with software license management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for tracking the use of software protected by quantity
-                  licenses</p>
-               <p>organization process for controlling/documenting the use of peer-to-peer file
-                  sharing technology</p>
-               <p>automated mechanisms implementing software license tracking</p>
-               <p>automated mechanisms implementing and controlling the use of peer-to-peer files
-                  sharing technology</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-10.1">
-            <title>Open Source Software</title>
-            <param id="cm-10.1_prm_1">
-               <label>organization-defined restrictions</label>
-            </param>
-            <prop name="label">CM-10(1)</prop>
-            <prop name="sort-id">cm-10.01</prop>
-            <part id="cm-10.1_smt" name="statement">
-               <p>The organization establishes the following restrictions on the use of open source
-                  software: <insert param-id="cm-10.1_prm_1"/>.</p>
-            </part>
-            <part id="cm-10.1_gdn" name="guidance">
-               <p>Open source software refers to software that is available in source code form.
-                  Certain software rights normally reserved for copyright holders are routinely
-                  provided under software license agreements that permit individuals to study,
-                  change, and improve the software. From a security perspective, the major advantage
-                  of open source software is that it provides organizations with the ability to
-                  examine the source code. However, there are also various licensing issues
-                  associated with open source software including, for example, the constraints on
-                  derivative use of such software.</p>
-            </part>
-            <part id="cm-10.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-10.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-10(1)[1]</prop>
-                  <p>defines restrictions on the use of open source software; and</p>
-               </part>
-               <part id="cm-10.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-10(1)[2]</prop>
-                  <p>establishes organization-defined restrictions on the use of open source
-                     software.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing restrictions on use of open source software</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for establishing and enforcing
-                     restrictions on use of open source software</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for restricting the use of open source software</p>
-                  <p>automated mechanisms implementing restrictions on the use of open source
-                     software</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-11">
-         <title>User-installed Software</title>
-         <param id="cm-11_prm_1">
-            <label>organization-defined policies</label>
-         </param>
-         <param id="cm-11_prm_2">
-            <label>organization-defined methods</label>
-         </param>
-         <param id="cm-11_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>Continuously (via CM-7 (5))</constraint>
-         </param>
-         <prop name="label">CM-11</prop>
-         <prop name="sort-id">cm-11</prop>
-         <part id="cm-11_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes <insert param-id="cm-11_prm_1"/> governing the installation of
-                  software by users;</p>
-            </part>
-            <part id="cm-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Enforces software installation policies through <insert param-id="cm-11_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="cm-11_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Monitors policy compliance at <insert param-id="cm-11_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="cm-11_gdn" name="guidance">
-            <p>If provided the necessary privileges, users have the ability to install software in
-               organizational information systems. To maintain control over the types of software
-               installed, organizations identify permitted and prohibited actions regarding software
-               installation. Permitted software installations may include, for example, updates and
-               security patches to existing software and downloading applications from
-               organization-approved “app stores” Prohibited software installations may include, for
-               example, software with unknown or suspect pedigrees or software that organizations
-               consider potentially malicious. The policies organizations select governing
-               user-installed software may be organization-developed or provided by some external
-               entity. Policy enforcement methods include procedural methods (e.g., periodic
-               examination of user accounts), automated methods (e.g., configuration settings
-               implemented on organizational information systems), or both.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="cm-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-11.a_obj" name="objective">
-               <prop name="label">CM-11(a)</prop>
-               <part id="cm-11.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(a)[1]</prop>
-                  <p>defines policies to govern the installation of software by users;</p>
-               </part>
-               <part id="cm-11.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(a)[2]</prop>
-                  <p>establishes organization-defined policies governing the installation of
-                     software by users;</p>
-               </part>
-            </part>
-            <part id="cm-11.b_obj" name="objective">
-               <prop name="label">CM-11(b)</prop>
-               <part id="cm-11.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(b)[1]</prop>
-                  <p>defines methods to enforce software installation policies;</p>
-               </part>
-               <part id="cm-11.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-11(b)[2]</prop>
-                  <p>enforces software installation policies through organization-defined
-                     methods;</p>
-               </part>
-            </part>
-            <part id="cm-11.c_obj" name="objective">
-               <prop name="label">CM-11(c)</prop>
-               <part id="cm-11.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CM-11(c)[1]</prop>
-                  <p>defines frequency to monitor policy compliance; and</p>
-               </part>
-               <part id="cm-11.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CM-11(c)[2]</prop>
-                  <p>monitors policy compliance at organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing user installed software</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of rules governing user installed software</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-               <p>continuous monitoring strategy</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for governing user-installed
-                  software</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel monitoring compliance with user-installed software
-                  policy</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes governing user-installed software on the information
-                  system</p>
-               <p>automated mechanisms enforcing rules/methods for governing the installation of
-                  software by users</p>
-               <p>automated mechanisms monitoring policy compliance</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="cp">
-      <title>Contingency Planning</title>
-      <control class="SP800-53" id="cp-1">
-         <title>Contingency Planning Policy and Procedures</title>
-         <param id="cp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="cp-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-1</prop>
-         <prop name="sort-id">cp-01</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cp-1_prm_1"/>:</p>
-               <part id="cp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A contingency planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the contingency planning policy
-                     and associated contingency planning controls; and</p>
-               </part>
-            </part>
-            <part id="cp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Contingency planning policy <insert param-id="cp-1_prm_2"/>; and</p>
-               </part>
-               <part id="cp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Contingency planning procedures <insert param-id="cp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cp-1_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="cp-1.a_obj" name="objective">
-               <prop name="label">CP-1(a)</prop>
-               <part id="cp-1.a.1_obj" name="objective">
-                  <prop name="label">CP-1(a)(1)</prop>
-                  <part id="cp-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(1)[1]</prop>
-                     <p>the organization develops and documents a contingency planning policy that
-                        addresses:</p>
-                     <part id="cp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cp-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(1)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the contingency planning
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-1(a)(1)[3]</prop>
-                     <p>the organization disseminates the contingency planning policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cp-1.a.2_obj" name="objective">
-                  <prop name="label">CP-1(a)(2)</prop>
-                  <part id="cp-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(2)[1]</prop>
-                     <p>the organization develops and documents procedures to facilitate the
-                        implementation of the contingency planning policy and associated contingency
-                        planning controls;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(a)(2)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">CP-1(a)(2)[3]</prop>
-                     <p>the organization disseminates the procedures to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-1.b_obj" name="objective">
-               <prop name="label">CP-1(b)</prop>
-               <part id="cp-1.b.1_obj" name="objective">
-                  <prop name="label">CP-1(b)(1)</prop>
-                  <part id="cp-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(1)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning policy;</p>
-                  </part>
-                  <part id="cp-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(1)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cp-1.b.2_obj" name="objective">
-                  <prop name="label">CP-1(b)(2)</prop>
-                  <part id="cp-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(2)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning procedures; and</p>
-                  </part>
-                  <part id="cp-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-1(b)(2)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-2">
-         <title>Contingency Plan</title>
-         <param id="cp-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-2_prm_2">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <param id="cp-2_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="cp-2_prm_4">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-2</prop>
-         <prop name="sort-id">cp-02</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a contingency plan for the information system that:</p>
-               <part id="cp-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Provides recovery objectives, restoration priorities, and metrics;</p>
-               </part>
-               <part id="cp-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Addresses contingency roles, responsibilities, assigned individuals with
-                     contact information;</p>
-               </part>
-               <part id="cp-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented; and</p>
-               </part>
-               <part id="cp-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Is reviewed and approved by <insert param-id="cp-2_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="cp-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the contingency plan to <insert param-id="cp-2_prm_2"/>;</p>
-            </part>
-            <part id="cp-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the contingency plan for the information system <insert param-id="cp-2_prm_3"/>;</p>
-            </part>
-            <part id="cp-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the contingency plan to address changes to the organization, information
-                  system, or environment of operation and problems encountered during contingency
-                  plan implementation, execution, or testing;</p>
-            </part>
-            <part id="cp-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Communicates contingency plan changes to <insert param-id="cp-2_prm_4"/>; and</p>
-            </part>
-            <part id="cp-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-2_gdn" name="guidance">
-            <p>Contingency planning for information systems is part of an overall organizational
-               program for achieving continuity of operations for mission/business functions.
-               Contingency planning addresses both information system restoration and implementation
-               of alternative mission/business processes when systems are compromised. The
-               effectiveness of contingency planning is maximized by considering such planning
-               throughout the phases of the system development life cycle. Performing contingency
-               planning on hardware, software, and firmware development can be an effective means of
-               achieving information system resiliency. Contingency plans reflect the degree of
-               restoration required for organizational information systems since not all systems may
-               need to fully recover to achieve the level of continuity of operations desired.
-               Information system recovery objectives reflect applicable laws, Executive Orders,
-               directives, policies, standards, regulations, and guidelines. In addition to
-               information system availability, contingency plans also address other
-               security-related events resulting in a reduction in mission and/or business
-               effectiveness, such as malicious attacks compromising the confidentiality or
-               integrity of information systems. Actions addressed in contingency plans include, for
-               example, orderly/graceful degradation, information system shutdown, fallback to a
-               manual mode, alternate information flows, and operating in modes reserved for when
-               systems are under attack. By closely coordinating contingency planning with incident
-               handling activities, organizations can ensure that the necessary contingency planning
-               activities are in place and activated in the event of a security incident.</p>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="cp-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-2.a_obj" name="objective">
-               <prop name="label">CP-2(a)</prop>
-               <p>develops and documents a contingency plan for the information system that:</p>
-               <part id="cp-2.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(1)</prop>
-                  <p>identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(2)</prop>
-                  <part id="cp-2.a.2_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(2)[1]</prop>
-                     <p>provides recovery objectives;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(2)[2]</prop>
-                     <p>provides restoration priorities;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(2)[3]</prop>
-                     <p>provides metrics;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(3)</prop>
-                  <part id="cp-2.a.3_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(3)[1]</prop>
-                     <p>addresses contingency roles;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(3)[2]</prop>
-                     <p>addresses contingency responsibilities;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(3)[3]</prop>
-                     <p>addresses assigned individuals with contact information;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(4)</prop>
-                  <p>addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(a)(5)</prop>
-                  <p>addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented;</p>
-               </part>
-               <part id="cp-2.a.6_obj" name="objective">
-                  <prop name="label">CP-2(a)(6)</prop>
-                  <part id="cp-2.a.6_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-2(a)(6)[1]</prop>
-                     <p>defines personnel or roles to review and approve the contingency plan for
-                        the information system;</p>
-                  </part>
-                  <part id="cp-2.a.6_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-2(a)(6)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-2.b_obj" name="objective">
-               <prop name="label">CP-2(b)</prop>
-               <part id="cp-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(b)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom copies of the contingency plan are to be
-                     distributed;</p>
-               </part>
-               <part id="cp-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-2(b)[2]</prop>
-                  <p>distributes copies of the contingency plan to organization-defined key
-                     contingency personnel and organizational elements;</p>
-               </part>
-            </part>
-            <part id="cp-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">CP-2(c)</prop>
-               <p>coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2.d_obj" name="objective">
-               <prop name="label">CP-2(d)</prop>
-               <part id="cp-2.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(d)[1]</prop>
-                  <p>defines a frequency to review the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-2.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(d)[2]</prop>
-                  <p>reviews the contingency plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-2.e_obj" name="objective">
-               <prop name="label">CP-2(e)</prop>
-               <p>updates the contingency plan to address:</p>
-               <part id="cp-2.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(e)[1]</prop>
-                  <p>changes to the organization, information system, or environment of
-                     operation;</p>
-               </part>
-               <part id="cp-2.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(e)[2]</prop>
-                  <p>problems encountered during plan implementation, execution, and testing;</p>
-               </part>
-            </part>
-            <part id="cp-2.f_obj" name="objective">
-               <prop name="label">CP-2(f)</prop>
-               <part id="cp-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(f)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom contingency plan changes are to be
-                     communicated;</p>
-               </part>
-               <part id="cp-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-2(f)[2]</prop>
-                  <p>communicates contingency plan changes to organization-defined key contingency
-                     personnel and organizational elements; and</p>
-               </part>
-            </part>
-            <part id="cp-2.g_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-2(g)</prop>
-               <p>protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency operations for the information system</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>evidence of contingency plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan development, review, update, and
-                  protection</p>
-               <p>automated mechanisms for developing, reviewing, updating and/or protecting the
-                  contingency plan</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-2.1">
-            <title>Coordinate with Related Plans</title>
-            <prop name="label">CP-2(1)</prop>
-            <prop name="sort-id">cp-02.01</prop>
-            <part id="cp-2.1_smt" name="statement">
-               <p>The organization coordinates contingency plan development with organizational
-                  elements responsible for related plans.</p>
-            </part>
-            <part id="cp-2.1_gdn" name="guidance">
-               <p>Plans related to contingency plans for organizational information systems include,
-                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant
-                  Emergency Plans.</p>
-            </part>
-            <part id="cp-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization coordinates contingency plan development with
-                  organizational elements responsible for related plans.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business contingency plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>cyber incident response plan</p>
-                  <p>insider threat implementation plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel with responsibility for related plans</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.2">
-            <title>Capacity Planning</title>
-            <prop name="label">CP-2(2)</prop>
-            <prop name="sort-id">cp-02.02</prop>
-            <part id="cp-2.2_smt" name="statement">
-               <p>The organization conducts capacity planning so that necessary capacity for
-                  information processing, telecommunications, and environmental support exists
-                  during contingency operations.</p>
-            </part>
-            <part id="cp-2.2_gdn" name="guidance">
-               <p>Capacity planning is needed because different types of threats (e.g., natural
-                  disasters, targeted cyber attacks) can result in a reduction of the available
-                  processing, telecommunications, and support services originally intended to
-                  support the organizational missions/business functions. Organizations may need to
-                  anticipate degraded operations during contingency operations and factor such
-                  degradation into capacity planning.</p>
-            </part>
-            <part id="cp-2.2_obj" name="objective">
-               <p>Determine if the organization conducts capacity planning so that necessary
-                  capacity exists during contingency operations for: </p>
-               <part id="cp-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-2(2)[1]</prop>
-                  <p>information processing;</p>
-               </part>
-               <part id="cp-2.2_obj.2" name="objective">
-                  <prop name="label">CP-2(2)[2]</prop>
-                  <p>telecommunications; and</p>
-               </part>
-               <part id="cp-2.2_obj.3" name="objective">
-                  <prop name="label">CP-2(2)[3]</prop>
-                  <p>environmental support.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>capacity planning documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.3">
-            <title>Resume Essential Missions / Business Functions</title>
-            <param id="cp-2.3_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">CP-2(3)</prop>
-            <prop name="sort-id">cp-02.03</prop>
-            <part id="cp-2.3_smt" name="statement">
-               <p>The organization plans for the resumption of essential missions and business
-                  functions within <insert param-id="cp-2.3_prm_1"/> of contingency plan
-                  activation.</p>
-            </part>
-            <part id="cp-2.3_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. The time period for
-                  resumption of essential missions/business functions may be dependent on the
-                  severity/extent of disruptions to the information system and its supporting
-                  infrastructure.</p>
-               <link rel="related" href="#pe-12">PE-12</link>
-            </part>
-            <part id="cp-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-2(3)[1]</prop>
-                  <p>defines the time period to plan for the resumption of essential missions and
-                     business functions as a result of contingency plan activation; and</p>
-               </part>
-               <part id="cp-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-2(3)[2]</prop>
-                  <p>plans for the resumption of essential missions and business functions within
-                     organization-defined time period of contingency plan activation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>security plan</p>
-                  <p>business impact assessment</p>
-                  <p>other related plans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for resumption of missions and business functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.8">
-            <title>Identify Critical Assets</title>
-            <prop name="label">CP-2(8)</prop>
-            <prop name="sort-id">cp-02.08</prop>
-            <part id="cp-2.8_smt" name="statement">
-               <p>The organization identifies critical information system assets supporting
-                  essential missions and business functions.</p>
-            </part>
-            <part id="cp-2.8_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. Organizations
-                  identify critical information system assets so that additional safeguards and
-                  countermeasures can be employed (above and beyond those safeguards and
-                  countermeasures routinely implemented) to help ensure that organizational
-                  missions/business functions can continue to be conducted during contingency
-                  operations. In addition, the identification of critical information assets
-                  facilitates the prioritization of organizational resources. Critical information
-                  system assets include technical and operational aspects. Technical aspects
-                  include, for example, information technology services, information system
-                  components, information technology products, and mechanisms. Operational aspects
-                  include, for example, procedures (manually executed operations) and personnel
-                  (individuals operating technical safeguards and/or executing manual procedures).
-                  Organizational program protection plans can provide assistance in identifying
-                  critical assets.</p>
-               <link rel="related" href="#sa-14">SA-14</link>
-               <link rel="related" href="#sa-15">SA-15</link>
-            </part>
-            <part id="cp-2.8_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization identifies critical information system assets
-                  supporting essential missions and business functions.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business impact assessment</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-3">
-         <title>Contingency Training</title>
-         <param id="cp-3_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>ten (10) days</constraint>
-         </param>
-         <param id="cp-3_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-3</prop>
-         <prop name="sort-id">cp-03</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="cp-3_smt" name="statement">
-            <p>The organization provides contingency training to information system users consistent
-               with assigned roles and responsibilities:</p>
-            <part id="cp-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="cp-3_prm_1"/> of assuming a contingency role or
-                  responsibility;</p>
-            </part>
-            <part id="cp-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="cp-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="cp-3_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="cp-3_gdn" name="guidance">
-            <p>Contingency training provided by organizations is linked to the assigned roles and
-               responsibilities of organizational personnel to ensure that the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know when and where to report for duty during contingency operations and if
-               normal duties are affected; system administrators may require additional training on
-               how to set up information systems at alternate processing and storage sites; and
-               managers/senior leaders may receive more specific training on how to conduct
-               mission-essential functions in designated off-site locations and how to establish
-               communications with other governmental entities for purposes of coordination on
-               contingency-related activities. Training for contingency roles/responsibilities
-               reflects the specific continuity requirements in the contingency plan.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-         </part>
-         <part id="cp-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-3.a_obj" name="objective">
-               <prop name="label">CP-3(a)</prop>
-               <part id="cp-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-3(a)[1]</prop>
-                  <p>defines a time period within which contingency training is to be provided to
-                     information system users assuming a contingency role or responsibility;</p>
-               </part>
-               <part id="cp-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-3(a)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming a contingency role or responsibility;</p>
-               </part>
-            </part>
-            <part id="cp-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-3(b)</prop>
-               <p>provides contingency training to information system users consistent with assigned
-                  roles and responsibilities when required by information system changes;</p>
-            </part>
-            <part id="cp-3.c_obj" name="objective">
-               <prop name="label">CP-3(c)</prop>
-               <part id="cp-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-3(c)[1]</prop>
-                  <p>defines the frequency for contingency training thereafter; and</p>
-               </part>
-               <part id="cp-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-3(c)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities with the organization-defined frequency
-                     thereafter.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency training</p>
-               <p>contingency plan</p>
-               <p>contingency training curriculum</p>
-               <p>contingency training material</p>
-               <p>security plan</p>
-               <p>contingency training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, plan implementation, and
-                  training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency training</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-4">
-         <title>Contingency Plan Testing</title>
-         <param id="cp-4_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="cp-4_prm_2">
-            <label>organization-defined tests</label>
-            <constraint>functional exercises</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-4</prop>
-         <prop name="sort-id">cp-04</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf" rel="reference">NIST Special Publication 800-84</link>
-         <part id="cp-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Tests the contingency plan for the information system <insert param-id="cp-4_prm_1"/> using <insert param-id="cp-4_prm_2"/> to determine the
-                  effectiveness of the plan and the organizational readiness to execute the
-                  plan;</p>
-            </part>
-            <part id="cp-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Initiates corrective actions, if needed.</p>
-            </part>
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-4_gdn" name="guidance">
-            <p>Methods for testing contingency plans to determine the effectiveness of the plans and
-               to identify potential weaknesses in the plans include, for example, walk-through and
-               tabletop exercises, checklists, simulations (parallel, full interrupt), and
-               comprehensive exercises. Organizations conduct testing based on the continuity
-               requirements in contingency plans and include a determination of the effects on
-               organizational operations, assets, and individuals arising due to contingency
-               operations. Organizations have flexibility and discretion in the breadth, depth, and
-               timelines of corrective actions.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-         </part>
-         <part id="cp-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-4.a_obj" name="objective">
-               <prop name="label">CP-4(a)</prop>
-               <part id="cp-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-4(a)[1]</prop>
-                  <p>defines tests to determine the effectiveness of the contingency plan and the
-                     organizational readiness to execute the plan;</p>
-               </part>
-               <part id="cp-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-4(a)[2]</prop>
-                  <p>defines a frequency to test the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-4.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-4(a)[3]</prop>
-                  <p>tests the contingency plan for the information system with the
-                     organization-defined frequency, using organization-defined tests to determine
-                     the effectiveness of the plan and the organizational readiness to execute the
-                     plan;</p>
-               </part>
-            </part>
-            <part id="cp-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-4(b)</prop>
-               <p>reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-4(c)</prop>
-               <p>initiates corrective actions, if needed.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency plan testing</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>contingency plan test documentation</p>
-               <p>contingency plan test results</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for contingency plan testing,
-                  reviewing or responding to contingency plan tests</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan testing</p>
-               <p>automated mechanisms supporting the contingency plan and/or contingency plan
-                  testing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-4.1">
-            <title>Coordinate with Related Plans</title>
-            <prop name="label">CP-4(1)</prop>
-            <prop name="sort-id">cp-04.01</prop>
-            <part id="cp-4.1_smt" name="statement">
-               <p>The organization coordinates contingency plan testing with organizational elements
-                  responsible for related plans.</p>
-            </part>
-            <part id="cp-4.1_gdn" name="guidance">
-               <p>Plans related to contingency plans for organizational information systems include,
-                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  Cyber Incident Response Plans, and Occupant Emergency Plans. This control
-                  enhancement does not require organizations to create organizational elements to
-                  handle related plans or to align such elements with specific plans. It does
-                  require, however, that if such organizational elements are responsible for related
-                  plans, organizations should coordinate with those elements.</p>
-               <link rel="related" href="#ir-8">IR-8</link>
-               <link rel="related" href="#pm-8">PM-8</link>
-            </part>
-            <part id="cp-4.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization coordinates contingency plan testing with
-                  organizational elements responsible for related plans. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>incident response policy</p>
-                  <p>procedures addressing contingency plan testing</p>
-                  <p>contingency plan testing documentation</p>
-                  <p>contingency plan</p>
-                  <p>business continuity plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>cyber incident response plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan testing responsibilities</p>
-                  <p>organizational personnel</p>
-                  <p>personnel with responsibilities for related plans</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-6">
-         <title>Alternate Storage Site</title>
-         <prop name="label">CP-6</prop>
-         <prop name="sort-id">cp-06</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes an alternate storage site including necessary agreements to permit the
-                  storage and retrieval of information system backup information; and</p>
-            </part>
-            <part id="cp-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the alternate storage site provides information security safeguards
-                  equivalent to that of the primary site.</p>
-            </part>
-         </part>
-         <part id="cp-6_gdn" name="guidance">
-            <p>Alternate storage sites are sites that are geographically distinct from primary
-               storage sites. An alternate storage site maintains duplicate copies of information
-               and data in the event that the primary storage site is not available. Items covered
-               by alternate storage site agreements include, for example, environmental conditions
-               at alternate sites, access rules, physical and environmental protection requirements,
-               and coordination of delivery/retrieval of backup media. Alternate storage sites
-               reflect the requirements in contingency plans so that organizations can maintain
-               essential missions/business functions despite disruption, compromise, or failure in
-               organizational information systems.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-         </part>
-         <part id="cp-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-6_obj.1" name="objective">
-               <prop name="label">CP-6[1]</prop>
-               <p>establishes an alternate storage site including necessary agreements to permit the
-                  storage and retrieval of information system backup information; and</p>
-            </part>
-            <part id="cp-6_obj.2" name="objective">
-               <prop name="label">CP-6[2]</prop>
-               <p>ensures that the alternate storage site provides information security safeguards
-                  equivalent to that of the primary site.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate storage sites</p>
-               <p>contingency plan</p>
-               <p>alternate storage site agreements</p>
-               <p>primary storage site agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency plan alternate storage site
-                  responsibilities</p>
-               <p>organizational personnel with information system recovery responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing and retrieving information system backup
-                  information at the alternate storage site</p>
-               <p>automated mechanisms supporting and/or implementing storage and retrieval of
-                  information system backup information at the alternate storage site</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-6.1">
-            <title>Separation from Primary Site</title>
-            <prop name="label">CP-6(1)</prop>
-            <prop name="sort-id">cp-06.01</prop>
-            <part id="cp-6.1_smt" name="statement">
-               <p>The organization identifies an alternate storage site that is separated from the
-                  primary storage site to reduce susceptibility to the same threats.</p>
-            </part>
-            <part id="cp-6.1_gdn" name="guidance">
-               <p>Threats that affect alternate storage sites are typically defined in
-                  organizational assessments of risk and include, for example, natural disasters,
-                  structural failures, hostile cyber attacks, and errors of omission/commission.
-                  Organizations determine what is considered a sufficient degree of separation
-                  between primary and alternate storage sites based on the types of threats that are
-                  of concern. For one particular type of threat (i.e., hostile cyber attack), the
-                  degree of separation between sites is less relevant.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-6.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization identifies an alternate storage site that is
-                  separated from the primary storage site to reduce susceptibility to the same
-                  threats. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate storage sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate storage site</p>
-                  <p>alternate storage site agreements</p>
-                  <p>primary storage site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate storage site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-6.3">
-            <title>Accessibility</title>
-            <prop name="label">CP-6(3)</prop>
-            <prop name="sort-id">cp-06.03</prop>
-            <part id="cp-6.3_smt" name="statement">
-               <p>The organization identifies potential accessibility problems to the alternate
-                  storage site in the event of an area-wide disruption or disaster and outlines
-                  explicit mitigation actions.</p>
-            </part>
-            <part id="cp-6.3_gdn" name="guidance">
-               <p>Area-wide disruptions refer to those types of disruptions that are broad in
-                  geographic scope (e.g., hurricane, regional power outage) with such determinations
-                  made by organizations based on organizational assessments of risk. Explicit
-                  mitigation actions include, for example: (i) duplicating backup information at
-                  other alternate storage sites if access problems occur at originally designated
-                  alternate sites; or (ii) planning for physical access to retrieve backup
-                  information if electronic accessibility to the alternate site is disrupted.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-6.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-6.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-6(3)[1]</prop>
-                  <p>identifies potential accessibility problems to the alternate storage site in
-                     the event of an area-wide disruption or disaster; and</p>
-               </part>
-               <part id="cp-6.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-6(3)[2]</prop>
-                  <p>outlines explicit mitigation actions for such potential accessibility problems
-                     to the alternate storage site in the event of an area-wide disruption or
-                     disaster.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate storage sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate storage site</p>
-                  <p>list of potential accessibility problems to alternate storage site</p>
-                  <p>mitigation actions for accessibility problems to alternate storage site</p>
-                  <p>organizational risk assessments</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate storage site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-7">
-         <title>Alternate Processing Site</title>
-         <param id="cp-7_prm_1">
-            <label>organization-defined information system operations</label>
-         </param>
-         <param id="cp-7_prm_2">
-            <label>organization-defined time period consistent with recovery time and recovery point
-               objectives</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-7</prop>
-         <prop name="sort-id">cp-07</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes an alternate processing site including necessary agreements to permit
-                  the transfer and resumption of <insert param-id="cp-7_prm_1"/> for essential
-                  missions/business functions within <insert param-id="cp-7_prm_2"/> when the
-                  primary processing capabilities are unavailable;</p>
-            </part>
-            <part id="cp-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that equipment and supplies required to transfer and resume operations are
-                  available at the alternate processing site or contracts are in place to support
-                  delivery to the site within the organization-defined time period for
-                  transfer/resumption; and</p>
-            </part>
-            <part id="cp-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that the alternate processing site provides information security
-                  safeguards equivalent to those of the primary site.</p>
-            </part>
-            <part id="cp-7_fr" name="item">
-               <title>CP-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-7_gdn" name="guidance">
-            <p>Alternate processing sites are sites that are geographically distinct from primary
-               processing sites. An alternate processing site provides processing capability in the
-               event that the primary processing site is not available. Items covered by alternate
-               processing site agreements include, for example, environmental conditions at
-               alternate sites, access rules, physical and environmental protection requirements,
-               and coordination for the transfer/assignment of personnel. Requirements are
-               specifically allocated to alternate processing sites that reflect the requirements in
-               contingency plans to maintain essential missions/business functions despite
-               disruption, compromise, or failure in organizational information systems.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ma-6">MA-6</link>
-         </part>
-         <part id="cp-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-7.a_obj" name="objective">
-               <prop name="label">CP-7(a)</prop>
-               <part id="cp-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-7(a)[1]</prop>
-                  <p>defines information system operations requiring an alternate processing site to
-                     be established to permit the transfer and resumption of such operations;</p>
-               </part>
-               <part id="cp-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-7(a)[2]</prop>
-                  <p>defines the time period consistent with recovery time objectives and recovery
-                     point objectives (as specified in the information system contingency plan) for
-                     transfer/resumption of organization-defined information system operations for
-                     essential missions/business functions;</p>
-               </part>
-               <part id="cp-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-7(a)[3]</prop>
-                  <p>establishes an alternate processing site including necessary agreements to
-                     permit the transfer and resumption of organization-defined information system
-                     operations for essential missions/business functions, within the
-                     organization-defined time period, when the primary processing capabilities are
-                     unavailable;</p>
-               </part>
-            </part>
-            <part id="cp-7.b_obj" name="objective">
-               <prop name="label">CP-7(b)</prop>
-               <part id="cp-7.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-7(b)[1]</prop>
-                  <p>ensures that equipment and supplies required to transfer and resume operations
-                     are available at the alternate processing site; or</p>
-               </part>
-               <part id="cp-7.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-7(b)[2]</prop>
-                  <p>ensures that contracts are in place to support delivery to the site within the
-                     organization-defined time period for transfer/resumption; and</p>
-               </part>
-            </part>
-            <part id="cp-7.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-7(c)</prop>
-               <p>ensures that the alternate processing site provides information security
-                  safeguards equivalent to those of the primary site.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate processing sites</p>
-               <p>contingency plan</p>
-               <p>alternate processing site agreements</p>
-               <p>primary processing site agreements</p>
-               <p>spare equipment and supplies inventory at alternate processing site</p>
-               <p>equipment and supply contracts</p>
-               <p>service-level agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for contingency planning and/or
-                  alternate site arrangements</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for recovery at the alternate site</p>
-               <p>automated mechanisms supporting and/or implementing recovery at the alternate
-                  processing site</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-7.1">
-            <title>Separation from Primary Site</title>
-            <prop name="label">CP-7(1)</prop>
-            <prop name="sort-id">cp-07.01</prop>
-            <part id="cp-7.1_smt" name="statement">
-               <p>The organization identifies an alternate processing site that is separated from
-                  the primary processing site to reduce susceptibility to the same threats.</p>
-               <part id="cp-7.1_fr" name="item">
-                  <title>CP-7 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="cp-7.1_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-7.1_gdn" name="guidance">
-               <p>Threats that affect alternate processing sites are typically defined in
-                  organizational assessments of risk and include, for example, natural disasters,
-                  structural failures, hostile cyber attacks, and errors of omission/commission.
-                  Organizations determine what is considered a sufficient degree of separation
-                  between primary and alternate processing sites based on the types of threats that
-                  are of concern. For one particular type of threat (i.e., hostile cyber attack),
-                  the degree of separation between sites is less relevant.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-7.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization identifies an alternate processing site that is
-                  separated from the primary storage site to reduce susceptibility to the same
-                  threats. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>primary processing site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.2">
-            <title>Accessibility</title>
-            <prop name="label">CP-7(2)</prop>
-            <prop name="sort-id">cp-07.02</prop>
-            <part id="cp-7.2_smt" name="statement">
-               <p>The organization identifies potential accessibility problems to the alternate
-                  processing site in the event of an area-wide disruption or disaster and outlines
-                  explicit mitigation actions.</p>
-            </part>
-            <part id="cp-7.2_gdn" name="guidance">
-               <p>Area-wide disruptions refer to those types of disruptions that are broad in
-                  geographic scope (e.g., hurricane, regional power outage) with such determinations
-                  made by organizations based on organizational assessments of risk.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-7.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-7.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-7(2)[1]</prop>
-                  <p>identifies potential accessibility problems to the alternate processing site in
-                     the event of an area-wide disruption or disaster; and</p>
-               </part>
-               <part id="cp-7.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-7(2)[2]</prop>
-                  <p>outlines explicit mitigation actions for such potential accessibility problems
-                     to the alternate processing site in the event of an area-wide disruption or
-                     disaster.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>primary processing site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.3">
-            <title>Priority of Service</title>
-            <prop name="label">CP-7(3)</prop>
-            <prop name="sort-id">cp-07.03</prop>
-            <part id="cp-7.3_smt" name="statement">
-               <p>The organization develops alternate processing site agreements that contain
-                  priority-of-service provisions in accordance with organizational availability
-                  requirements (including recovery time objectives).</p>
-            </part>
-            <part id="cp-7.3_gdn" name="guidance">
-               <p>Priority-of-service agreements refer to negotiated agreements with service
-                  providers that ensure that organizations receive priority treatment consistent
-                  with their availability requirements and the availability of information resources
-                  at the alternate processing site.</p>
-            </part>
-            <part id="cp-7.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization develops alternate processing site agreements that
-                  contain priority-of-service provisions in accordance with organizational
-                  availability requirements (including recovery time objectives as specified in the
-                  information system contingency plan).</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site agreements</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for acquisitions/contractual
-                     agreements</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-8">
-         <title>Telecommunications Services</title>
-         <param id="cp-8_prm_1">
-            <label>organization-defined information system operations</label>
-         </param>
-         <param id="cp-8_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">CP-8</prop>
-         <prop name="sort-id">cp-08</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#fb5844de-ff96-47c0-b258-4f52bcc2f30d" rel="reference">National Communications Systems Directive 3-10</link>
-         <link href="#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604" rel="reference">http://www.dhs.gov/telecommunications-service-priority-tsp</link>
-         <part id="cp-8_smt" name="statement">
-            <p>The organization establishes alternate telecommunications services including
-               necessary agreements to permit the resumption of <insert param-id="cp-8_prm_1"/> for
-               essential missions and business functions within <insert param-id="cp-8_prm_2"/> when
-               the primary telecommunications capabilities are unavailable at either the primary or
-               alternate processing or storage sites.</p>
-            <part id="cp-8_fr" name="item">
-               <title>CP-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-8_gdn" name="guidance">
-            <p>This control applies to telecommunications services (data and voice) for primary and
-               alternate processing and storage sites. Alternate telecommunications services reflect
-               the continuity requirements in contingency plans to maintain essential
-               missions/business functions despite the loss of primary telecommunications services.
-               Organizations may specify different time periods for primary/alternate sites.
-               Alternate telecommunications services include, for example, additional organizational
-               or commercial ground-based circuits/lines or satellites in lieu of ground-based
-               communications. Organizations consider factors such as availability, quality of
-               service, and access when entering into alternate telecommunications agreements.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="cp-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-8_obj.1" name="objective">
-               <prop name="label">CP-8[1]</prop>
-               <p>defines information system operations requiring alternate telecommunications
-                  services to be established to permit the resumption of such operations;</p>
-            </part>
-            <part id="cp-8_obj.2" name="objective">
-               <prop name="label">CP-8[2]</prop>
-               <p>defines the time period to permit resumption of organization-defined information
-                  system operations for essential missions and business functions; and</p>
-            </part>
-            <part id="cp-8_obj.3" name="objective">
-               <prop name="label">CP-8[3]</prop>
-               <p>establishes alternate telecommunications services including necessary agreements
-                  to permit the resumption of organization-defined information system operations for
-                  essential missions and business functions, within the organization-defined time
-                  period, when the primary telecommunications capabilities are unavailable at either
-                  the primary or alternate processing or storage sites.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate telecommunications services</p>
-               <p>contingency plan</p>
-               <p>primary and alternate telecommunications service agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency plan telecommunications
-                  responsibilities</p>
-               <p>organizational personnel with information system recovery responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for acquisitions/contractual
-                  agreements</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting telecommunications</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-8.1">
-            <title>Priority of Service Provisions</title>
-            <prop name="label">CP-8(1)</prop>
-            <prop name="sort-id">cp-08.01</prop>
-            <part id="cp-8.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cp-8.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Develops primary and alternate telecommunications service agreements that
-                     contain priority-of-service provisions in accordance with organizational
-                     availability requirements (including recovery time objectives); and</p>
-               </part>
-               <part id="cp-8.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Requests Telecommunications Service Priority for all telecommunications
-                     services used for national security emergency preparedness in the event that
-                     the primary and/or alternate telecommunications services are provided by a
-                     common carrier.</p>
-               </part>
-            </part>
-            <part id="cp-8.1_gdn" name="guidance">
-               <p>Organizations consider the potential mission/business impact in situations where
-                  telecommunications service providers are servicing other organizations with
-                  similar priority-of-service provisions.</p>
-            </part>
-            <part id="cp-8.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-8(1)[1]</prop>
-                  <p>develops primary and alternate telecommunications service agreements that
-                     contain priority-of-service provisions in accordance with organizational
-                     availability requirements (including recovery time objectives as specified in
-                     the information system contingency plan); and</p>
-               </part>
-               <part id="cp-8.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-8(1)[2]</prop>
-                  <p>requests Telecommunications Service Priority for all telecommunications
-                     services used for national security emergency preparedness in the event that
-                     the primary and/or alternate telecommunications services are provided by a
-                     common carrier.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>Telecommunications Service Priority documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan telecommunications
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for acquisitions/contractual
-                     agreements</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting telecommunications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.2">
-            <title>Single Points of Failure</title>
-            <prop name="label">CP-8(2)</prop>
-            <prop name="sort-id">cp-08.02</prop>
-            <part id="cp-8.2_smt" name="statement">
-               <p>The organization obtains alternate telecommunications services to reduce the
-                  likelihood of sharing a single point of failure with primary telecommunications
-                  services.</p>
-            </part>
-            <part id="cp-8.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization obtains alternate telecommunications services to
-                  reduce the likelihood of sharing a single point of failure with primary
-                  telecommunications services. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan telecommunications
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>primary and alternate telecommunications service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-9">
-         <title>Information System Backup</title>
-         <param id="cp-9_prm_1">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <param id="cp-9_prm_2">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <param id="cp-9_prm_3">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-            <constraint>daily incremental; weekly full</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">CP-9</prop>
-         <prop name="sort-id">cp-09</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts backups of user-level information contained in the information system
-                     <insert param-id="cp-9_prm_1"/>;</p>
-            </part>
-            <part id="cp-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Conducts backups of system-level information contained in the information system
-                     <insert param-id="cp-9_prm_2"/>;</p>
-            </part>
-            <part id="cp-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts backups of information system documentation including security-related
-                  documentation <insert param-id="cp-9_prm_3"/>; and</p>
-            </part>
-            <part id="cp-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-9_gdn" name="guidance">
-            <p>System-level information includes, for example, system-state information, operating
-               system and application software, and licenses. User-level information includes any
-               information other than system-level information. Mechanisms employed by organizations
-               to protect the integrity of information system backups include, for example, digital
-               signatures and cryptographic hashes. Protection of system backup information while in
-               transit is beyond the scope of this control. Information system backups reflect the
-               requirements in contingency plans as well as other organizational requirements for
-               backing up information.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="cp-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-9.a_obj" name="objective">
-               <prop name="label">CP-9(a)</prop>
-               <part id="cp-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(a)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of user-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(a)[2]</prop>
-                  <p>conducts backups of user-level information contained in the information system
-                     with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.b_obj" name="objective">
-               <prop name="label">CP-9(b)</prop>
-               <part id="cp-9.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(b)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of system-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(b)[2]</prop>
-                  <p>conducts backups of system-level information contained in the information
-                     system with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.c_obj" name="objective">
-               <prop name="label">CP-9(c)</prop>
-               <part id="cp-9.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(c)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of information system documentation including security-related
-                     documentation;</p>
-               </part>
-               <part id="cp-9.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(c)[2]</prop>
-                  <p>conducts backups of information system documentation, including
-                     security-related documentation, with the organization-defined frequency;
-                     and</p>
-               </part>
-            </part>
-            <part id="cp-9.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-9(d)</prop>
-               <p>protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>backup storage location(s)</p>
-               <p>information system backup logs or records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system backup responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for conducting information system backups</p>
-               <p>automated mechanisms supporting and/or implementing information system backups</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-9.1">
-            <title>Testing for Reliability / Integrity</title>
-            <param id="cp-9.1_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least annually</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">CP-9(1)</prop>
-            <prop name="sort-id">cp-09.01</prop>
-            <part id="cp-9.1_smt" name="statement">
-               <p>The organization tests backup information <insert param-id="cp-9.1_prm_1"/> to
-                  verify media reliability and information integrity.</p>
-            </part>
-            <part id="cp-9.1_gdn" name="guidance">
-               <link rel="related" href="#cp-4">CP-4</link>
-            </part>
-            <part id="cp-9.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-9.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">CP-9(1)[1]</prop>
-                  <p>defines the frequency to test backup information to verify media reliability
-                     and information integrity; and</p>
-               </part>
-               <part id="cp-9.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">CP-9(1)[2]</prop>
-                  <p>tests backup information with the organization-defined frequency to verify
-                     media reliability and information integrity.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system backup test results</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting information system backups</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     backups</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.3">
-            <title>Separate Storage for Critical Information</title>
-            <param id="cp-9.3_prm_1">
-               <label>organization-defined critical information system software and other
-                  security-related information</label>
-            </param>
-            <prop name="label">CP-9(3)</prop>
-            <prop name="sort-id">cp-09.03</prop>
-            <part id="cp-9.3_smt" name="statement">
-               <p>The organization stores backup copies of <insert param-id="cp-9.3_prm_1"/> in a
-                  separate facility or in a fire-rated container that is not collocated with the
-                  operational system.</p>
-            </part>
-            <part id="cp-9.3_gdn" name="guidance">
-               <p>Critical information system software includes, for example, operating systems,
-                  cryptographic key management systems, and intrusion detection/prevention systems.
-                  Security-related information includes, for example, organizational inventories of
-                  hardware, software, and firmware components. Alternate storage sites typically
-                  serve as separate storage facilities for organizations.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-8">CM-8</link>
-            </part>
-            <part id="cp-9.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-9.3_obj.1" name="objective">
-                  <prop name="label">CP-9(3)[1]</prop>
-                  <part id="cp-9.3_obj.1.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-9(3)[1][a]</prop>
-                     <p>defines critical information system software and other security-related
-                        information requiring backup copies to be stored in a separate facility;
-                        or</p>
-                  </part>
-                  <part id="cp-9.3_obj.1.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">CP-9(3)[1][b]</prop>
-                     <p>defines critical information system software and other security-related
-                        information requiring backup copies to be stored in a fire-rated container
-                        that is not collocated with the operational system; and</p>
-                  </part>
-               </part>
-               <part id="cp-9.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">CP-9(3)[2]</prop>
-                  <p>stores backup copies of organization-defined critical information system
-                     software and other security-related information in a separate facility or in a
-                     fire-rated container that is not collocated with the operational system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>backup storage location(s)</p>
-                  <p>information system backup configurations and associated documentation</p>
-                  <p>information system backup logs or records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-10">
-         <title>Information System Recovery and Reconstitution</title>
-         <prop name="label">CP-10</prop>
-         <prop name="sort-id">cp-10</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-10_smt" name="statement">
-            <p>The organization provides for the recovery and reconstitution of the information
-               system to a known state after a disruption, compromise, or failure.</p>
-         </part>
-         <part id="cp-10_gdn" name="guidance">
-            <p>Recovery is executing information system contingency plan activities to restore
-               organizational missions/business functions. Reconstitution takes place following
-               recovery and includes activities for returning organizational information systems to
-               fully operational states. Recovery and reconstitution operations reflect mission and
-               business priorities, recovery point/time and reconstitution objectives, and
-               established organizational metrics consistent with contingency plan requirements.
-               Reconstitution includes the deactivation of any interim information system
-               capabilities that may have been needed during recovery operations. Reconstitution
-               also includes assessments of fully restored information system capabilities,
-               reestablishment of continuous monitoring activities, potential information system
-               reauthorizations, and activities to prepare the systems against future disruptions,
-               compromises, or failures. Recovery/reconstitution capabilities employed by
-               organizations can include both automated mechanisms and manual procedures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="cp-10_obj" name="objective">
-            <p>Determine if the organization provides for: </p>
-            <part id="cp-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">CP-10[1]</prop>
-               <p>the recovery of the information system to a known state after:</p>
-               <part id="cp-10_obj.1.a" name="objective">
-                  <prop name="label">CP-10[1][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.1.b" name="objective">
-                  <prop name="label">CP-10[1][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.1.c" name="objective">
-                  <prop name="label">CP-10[1][c]</prop>
-                  <p>a failure;</p>
-               </part>
-            </part>
-            <part id="cp-10_obj.2" name="objective">
-               <prop name="label">CP-10[2]</prop>
-               <p>the reconstitution of the information system to a known state after:</p>
-               <part id="cp-10_obj.2.a" name="objective">
-                  <prop name="label">CP-10[2][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.2.b" name="objective">
-                  <prop name="label">CP-10[2][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.2.c" name="objective">
-                  <prop name="label">CP-10[2][c]</prop>
-                  <p>a failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>information system backup test results</p>
-               <p>contingency plan test results</p>
-               <p>contingency plan test documentation</p>
-               <p>redundant secondary system for information system backups</p>
-               <p>location(s) of redundant secondary backup system(s)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, recovery, and/or
-                  reconstitution responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes implementing information system recovery and
-                  reconstitution operations</p>
-               <p>automated mechanisms supporting and/or implementing information system recovery
-                  and reconstitution operations</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-10.2">
-            <title>Transaction Recovery</title>
-            <prop name="label">CP-10(2)</prop>
-            <prop name="sort-id">cp-10.02</prop>
-            <part id="cp-10.2_smt" name="statement">
-               <p>The information system implements transaction recovery for systems that are
-                  transaction-based.</p>
-            </part>
-            <part id="cp-10.2_gdn" name="guidance">
-               <p>Transaction-based information systems include, for example, database management
-                  systems and transaction processing systems. Mechanisms supporting transaction
-                  recovery include, for example, transaction rollback and transaction
-                  journaling.</p>
-            </part>
-            <part id="cp-10.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements transaction recovery for systems
-                  that are transaction-based. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system recovery and reconstitution</p>
-                  <p>contingency plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>information system transaction recovery records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for transaction recovery</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing transaction recovery
-                     capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ia">
-      <title>Identification and Authentication</title>
-      <control class="SP800-53" id="ia-1">
-         <title>Identification and Authentication Policy and Procedures</title>
-         <param id="ia-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ia-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-1</prop>
-         <prop name="sort-id">ia-01</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ia-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ia-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ia-1_prm_1"/>:</p>
-               <part id="ia-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An identification and authentication policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ia-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the identification and
-                     authentication policy and associated identification and authentication
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ia-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ia-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identification and authentication policy <insert param-id="ia-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ia-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Identification and authentication procedures <insert param-id="ia-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ia-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ia-1.a_obj" name="objective">
-               <prop name="label">IA-1(a)</prop>
-               <part id="ia-1.a.1_obj" name="objective">
-                  <prop name="label">IA-1(a)(1)</prop>
-                  <part id="ia-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(1)[1]</prop>
-                     <p>develops and documents an identification and authentication policy that
-                        addresses:</p>
-                     <part id="ia-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ia-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the identification and authentication
-                        policy is to be disseminated; and</p>
-                  </part>
-                  <part id="ia-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IA-1(a)(1)[3]</prop>
-                     <p>disseminates the identification and authentication policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ia-1.a.2_obj" name="objective">
-                  <prop name="label">IA-1(a)(2)</prop>
-                  <part id="ia-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        identification and authentication policy and associated identification and
-                        authentication controls;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-1.b_obj" name="objective">
-               <prop name="label">IA-1(b)</prop>
-               <part id="ia-1.b.1_obj" name="objective">
-                  <prop name="label">IA-1(b)(1)</prop>
-                  <part id="ia-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication policy;</p>
-                  </part>
-                  <part id="ia-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current identification and authentication policy
-                        with the organization-defined frequency; and</p>
-                  </part>
-               </part>
-               <part id="ia-1.b.2_obj" name="objective">
-                  <prop name="label">IA-1(b)(2)</prop>
-                  <part id="ia-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication procedures; and</p>
-                  </part>
-                  <part id="ia-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current identification and authentication procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identification and authentication
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-2">
-         <title>Identification and Authentication (organizational Users)</title>
-         <prop name="label">IA-2</prop>
-         <prop name="sort-id">ia-02</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-2_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates organizational users (or
-               processes acting on behalf of organizational users).</p>
-         </part>
-         <part id="ia-2_gdn" name="guidance">
-            <p>Organizational users include employees or individuals that organizations deem to have
-               equivalent status of employees (e.g., contractors, guest researchers). This control
-               applies to all accesses other than: (i) accesses that are explicitly identified and
-               documented in AC-14; and (ii) accesses that occur through authorized use of group
-               authenticators without individual authentication. Organizations may require unique
-               identification of individuals in group accounts (e.g., shared privilege accounts) or
-               for detailed accountability of individual activity. Organizations employ passwords,
-               tokens, or biometrics to authenticate user identities, or in the case multifactor
-               authentication, or some combination thereof. Access to organizational information
-               systems is defined as either local access or network access. Local access is any
-               access to organizational information systems by users (or processes acting on behalf
-               of users) where such access is obtained by direct connections without the use of
-               networks. Network access is access to organizational information systems by users (or
-               processes acting on behalf of users) where such access is obtained through network
-               connections (i.e., nonlocal accesses). Remote access is a type of network access that
-               involves communication through external networks (e.g., the Internet). Internal
-               networks include local area networks and wide area networks. In addition, the use of
-               encrypted virtual private networks (VPNs) for network connections between
-               organization-controlled endpoints and non-organization controlled endpoints may be
-               treated as internal networks from the perspective of protecting the confidentiality
-               and integrity of information traversing the network. Organizations can satisfy the
-               identification and authentication requirements in this control by complying with the
-               requirements in Homeland Security Presidential Directive 12 consistent with the
-               specific organizational implementation plans. Multifactor authentication requires the
-               use of two or more different factors to achieve authentication. The factors are
-               defined as: (i) something you know (e.g., password, personal identification number
-               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-               or (iii) something you are (e.g., biometric). Multifactor solutions that require
-               devices separate from information systems gaining access include, for example,
-               hardware tokens providing time-based or challenge-response authenticators and smart
-               cards such as the U.S. Government Personal Identity Verification card and the DoD
-               common access card. In addition to identifying and authenticating users at the
-               information system level (i.e., at logon), organizations also employ identification
-               and authentication mechanisms at the application level, when necessary, to provide
-               increased information security. Identification and authentication requirements for
-               other than organizational users are described in IA-8.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-         </part>
-         <part id="ia-2_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               organizational users (or processes acting on behalf of organizational users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for uniquely identifying and authenticating users</p>
-               <p>automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-2.1">
-            <title>Network Access to Privileged Accounts</title>
-            <prop name="label">IA-2(1)</prop>
-            <prop name="sort-id">ia-02.01</prop>
-            <part id="ia-2.1_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  privileged accounts.</p>
-            </part>
-            <part id="ia-2.1_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements multifactor authentication for
-                  network access to privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.2">
-            <title>Network Access to Non-privileged Accounts</title>
-            <prop name="label">IA-2(2)</prop>
-            <prop name="sort-id">ia-02.02</prop>
-            <part id="ia-2.2_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  non-privileged accounts.</p>
-            </part>
-            <part id="ia-2.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements multifactor authentication for
-                  network access to non-privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.3">
-            <title>Local Access to Privileged Accounts</title>
-            <prop name="label">IA-2(3)</prop>
-            <prop name="sort-id">ia-02.03</prop>
-            <part id="ia-2.3_smt" name="statement">
-               <p>The information system implements multifactor authentication for local access to
-                  privileged accounts.</p>
-            </part>
-            <part id="ia-2.3_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements multifactor authentication for
-                  local access to privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.5">
-            <title>Group Authentication</title>
-            <prop name="label">IA-2(5)</prop>
-            <prop name="sort-id">ia-02.05</prop>
-            <part id="ia-2.5_smt" name="statement">
-               <p>The organization requires individuals to be authenticated with an individual
-                  authenticator when a group authenticator is employed.</p>
-            </part>
-            <part id="ia-2.5_gdn" name="guidance">
-               <p>Requiring individuals to use individual authenticators as a second level of
-                  authentication helps organizations to mitigate the risk of using group
-                  authenticators.</p>
-            </part>
-            <part id="ia-2.5_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires individuals to be authenticated with an
-                  individual authenticator when a group authenticator is employed.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authentication capability
-                     for group accounts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.8">
-            <title>Network Access to Privileged Accounts - Replay Resistant</title>
-            <prop name="label">IA-2(8)</prop>
-            <prop name="sort-id">ia-02.08</prop>
-            <part id="ia-2.8_smt" name="statement">
-               <p>The information system implements replay-resistant authentication mechanisms for
-                  network access to privileged accounts.</p>
-            </part>
-            <part id="ia-2.8_gdn" name="guidance">
-               <p>Authentication processes resist replay attacks if it is impractical to achieve
-                  successful authentications by replaying previous authentication messages.
-                  Replay-resistant techniques include, for example, protocols that use nonces or
-                  challenges such as Transport Layer Security (TLS) and time synchronous or
-                  challenge-response one-time authenticators.</p>
-            </part>
-            <part id="ia-2.8_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements replay-resistant authentication
-                  mechanisms for network access to privileged accounts. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of privileged information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing replay resistant
-                     authentication mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.11">
-            <title>Remote Access - Separate Device</title>
-            <param id="ia-2.11_prm_1">
-               <label>organization-defined strength of mechanism requirements</label>
-               <constraint>FIPS 140-2, NIAP Certification, or NSA approval</constraint>
-            </param>
-            <prop name="label">IA-2(11)</prop>
-            <prop name="sort-id">ia-02.11</prop>
-            <part id="ia-2.11_smt" name="statement">
-               <p>The information system implements multifactor authentication for remote access to
-                  privileged and non-privileged accounts such that one of the factors is provided by
-                  a device separate from the system gaining access and the device meets <insert param-id="ia-2.11_prm_1"/>.</p>
-               <part id="ia-2.11_fr" name="item">
-                  <title>IA-2 (11) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-2.11_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-2.11_gdn" name="guidance">
-               <p>For remote access to privileged/non-privileged accounts, the purpose of requiring
-                  a device that is separate from the information system gaining access for one of
-                  the factors during multifactor authentication is to reduce the likelihood of
-                  compromising authentication credentials stored on the system. For example,
-                  adversaries deploying malicious code on organizational information systems can
-                  potentially compromise such credentials resident on the system and subsequently
-                  impersonate authorized users.</p>
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.11_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-2.11_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(11)[1]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to privileged accounts such that one of the factors is provided by a device
-                     separate from the system gaining access;</p>
-               </part>
-               <part id="ia-2.11_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(11)[2]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to non-privileged accounts such that one of the factors is provided by a device
-                     separate from the system gaining access;</p>
-               </part>
-               <part id="ia-2.11_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-2(11)[3]</prop>
-                  <p>the organization defines strength of mechanism requirements to be enforced by a
-                     device separate from the system gaining remote access to privileged
-                     accounts;</p>
-               </part>
-               <part id="ia-2.11_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-2(11)[4]</prop>
-                  <p>the organization defines strength of mechanism requirements to be enforced by a
-                     device separate from the system gaining remote access to non-privileged
-                     accounts;</p>
-               </part>
-               <part id="ia-2.11_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(11)[5]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to privileged accounts such that a device, separate from the system gaining
-                     access, meets organization-defined strength of mechanism requirements; and</p>
-               </part>
-               <part id="ia-2.11_obj.6" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(11)[6]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to non-privileged accounts such that a device, separate from the system gaining
-                     access, meets organization-defined strength of mechanism requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of privileged and non-privileged information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.12">
-            <title>Acceptance of PIV Credentials</title>
-            <prop name="label">IA-2(12)</prop>
-            <prop name="sort-id">ia-02.12</prop>
-            <part id="ia-2.12_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials.</p>
-               <part id="ia-2.12_fr" name="item">
-                  <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-2.12_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-2.12_gdn" name="guidance">
-               <p>This control enhancement applies to organizations implementing logical access
-                  control systems (LACS) and physical access control systems (PACS). Personal
-                  Identity Verification (PIV) credentials are those credentials issued by federal
-                  agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                  OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                  requirements specified in HSPD-12 to enable agency-wide use of PIV
-                  credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-2.12_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-2.12_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(12)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials; and</p>
-               </part>
-               <part id="ia-2.12_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-2(12)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing acceptance and verification
-                     of PIV credentials</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-3">
-         <title>Device Identification and Authentication</title>
-         <param id="ia-3_prm_1">
-            <label>organization-defined specific and/or types of devices</label>
-         </param>
-         <param id="ia-3_prm_2"/>
-         <prop name="label">IA-3</prop>
-         <prop name="sort-id">ia-03</prop>
-         <part id="ia-3_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates <insert param-id="ia-3_prm_1"/> before establishing a <insert param-id="ia-3_prm_2"/>
-               connection.</p>
-         </part>
-         <part id="ia-3_gdn" name="guidance">
-            <p>Organizational devices requiring unique device-to-device identification and
-               authentication may be defined by type, by device, or by a combination of type/device.
-               Information systems typically use either shared known information (e.g., Media Access
-               Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)
-               for device identification or organizational authentication solutions (e.g., IEEE
-               802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport
-               Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on
-               local and/or wide area networks. Organizations determine the required strength of
-               authentication mechanisms by the security categories of information systems. Because
-               of the challenges of applying this control on large scale, organizations are
-               encouraged to only apply the control to those limited number (and type) of devices
-               that truly need to support this capability.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-         </part>
-         <part id="ia-3_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="ia-3_obj.1" name="objective">
-               <prop name="label">IA-3[1]</prop>
-               <p>the organization defines specific and/or types of devices that the information
-                  system uniquely identifies and authenticates before establishing one or more of
-                  the following:</p>
-               <part id="ia-3_obj.1.a" name="objective">
-                  <prop name="label">IA-3[1][a]</prop>
-                  <p>a local connection;</p>
-               </part>
-               <part id="ia-3_obj.1.b" name="objective">
-                  <prop name="label">IA-3[1][b]</prop>
-                  <p>a remote connection; and/or</p>
-               </part>
-               <part id="ia-3_obj.1.c" name="objective">
-                  <prop name="label">IA-3[1][c]</prop>
-                  <p>a network connection; and</p>
-               </part>
-            </part>
-            <part id="ia-3_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-3[2]</prop>
-               <p>the information system uniquely identifies and authenticates organization-defined
-                  devices before establishing one or more of the following:</p>
-               <part id="ia-3_obj.2.a" name="objective">
-                  <prop name="label">IA-3[2][a]</prop>
-                  <p>a local connection;</p>
-               </part>
-               <part id="ia-3_obj.2.b" name="objective">
-                  <prop name="label">IA-3[2][b]</prop>
-                  <p>a remote connection; and/or</p>
-               </part>
-               <part id="ia-3_obj.2.c" name="objective">
-                  <prop name="label">IA-3[2][c]</prop>
-                  <p>a network connection.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing device identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>list of devices requiring unique identification and authentication</p>
-               <p>device connection reports</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with operational responsibilities for device
-                  identification and authentication</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing device identification and
-                  authentication capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-4">
-         <title>Identifier Management</title>
-         <param id="ia-4_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-4_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>IA-4 (d) [at least two years]</constraint>
-         </param>
-         <param id="ia-4_prm_3">
-            <label>organization-defined time period of inactivity</label>
-            <constraint>ninety days for user identifiers (See additional requirements and guidance)</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-4</prop>
-         <prop name="sort-id">ia-04</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <part id="ia-4_smt" name="statement">
-            <p>The organization manages information system identifiers by:</p>
-            <part id="ia-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receiving authorization from <insert param-id="ia-4_prm_1"/> to assign an
-                  individual, group, role, or device identifier;</p>
-            </part>
-            <part id="ia-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Selecting an identifier that identifies an individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Assigning the identifier to the intended individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Preventing reuse of identifiers for <insert param-id="ia-4_prm_2"/>; and</p>
-            </part>
-            <part id="ia-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Disabling the identifier after <insert param-id="ia-4_prm_3"/>.</p>
-            </part>
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-4_gdn" name="guidance">
-            <p>Common device identifiers include, for example, media access control (MAC), Internet
-               protocol (IP) addresses, or device-unique token identifiers. Management of individual
-               identifiers is not applicable to shared information system accounts (e.g., guest and
-               anonymous accounts). Typically, individual identifiers are the user names of the
-               information system accounts assigned to those individuals. In such instances, the
-               account management activities of AC-2 use account names provided by IA-4. This
-               control also addresses individual identifiers not necessarily associated with
-               information system accounts (e.g., identifiers used in physical security control
-               databases accessed by badge reader systems for access to information systems).
-               Preventing reuse of identifiers implies preventing the assignment of previously used
-               individual, group, role, or device identifiers to different individuals, groups,
-               roles, or devices.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#sc-37">SC-37</link>
-         </part>
-         <part id="ia-4_obj" name="objective">
-            <p>Determine if the organization manages information system identifiers by: </p>
-            <part id="ia-4.a_obj" name="objective">
-               <prop name="label">IA-4(a)</prop>
-               <part id="ia-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(a)[1]</prop>
-                  <p>defining personnel or roles from whom authorization must be received to
-                     assign:</p>
-                  <part id="ia-4.a_obj.1.a" name="objective">
-                     <prop name="label">IA-4(a)[1][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.b" name="objective">
-                     <prop name="label">IA-4(a)[1][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.c" name="objective">
-                     <prop name="label">IA-4(a)[1][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.d" name="objective">
-                     <prop name="label">IA-4(a)[1][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-               <part id="ia-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(a)[2]</prop>
-                  <p>receiving authorization from organization-defined personnel or roles to
-                     assign:</p>
-                  <part id="ia-4.a_obj.2.a" name="objective">
-                     <prop name="label">IA-4(a)[2][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.b" name="objective">
-                     <prop name="label">IA-4(a)[2][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.c" name="objective">
-                     <prop name="label">IA-4(a)[2][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.d" name="objective">
-                     <prop name="label">IA-4(a)[2][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-4(b)</prop>
-               <p>selecting an identifier that identifies:</p>
-               <part id="ia-4.b_obj.1" name="objective">
-                  <prop name="label">IA-4(b)[1]</prop>
-                  <p>an individual;</p>
-               </part>
-               <part id="ia-4.b_obj.2" name="objective">
-                  <prop name="label">IA-4(b)[2]</prop>
-                  <p>a group;</p>
-               </part>
-               <part id="ia-4.b_obj.3" name="objective">
-                  <prop name="label">IA-4(b)[3]</prop>
-                  <p>a role; and/or</p>
-               </part>
-               <part id="ia-4.b_obj.4" name="objective">
-                  <prop name="label">IA-4(b)[4]</prop>
-                  <p>a device;</p>
-               </part>
-            </part>
-            <part id="ia-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-4(c)</prop>
-               <p>assigning the identifier to the intended:</p>
-               <part id="ia-4.c_obj.1" name="objective">
-                  <prop name="label">IA-4(c)[1]</prop>
-                  <p>individual;</p>
-               </part>
-               <part id="ia-4.c_obj.2" name="objective">
-                  <prop name="label">IA-4(c)[2]</prop>
-                  <p>group;</p>
-               </part>
-               <part id="ia-4.c_obj.3" name="objective">
-                  <prop name="label">IA-4(c)[3]</prop>
-                  <p>role; and/or</p>
-               </part>
-               <part id="ia-4.c_obj.4" name="objective">
-                  <prop name="label">IA-4(c)[4]</prop>
-                  <p>device;</p>
-               </part>
-            </part>
-            <part id="ia-4.d_obj" name="objective">
-               <prop name="label">IA-4(d)</prop>
-               <part id="ia-4.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(d)[1]</prop>
-                  <p>defining a time period for preventing reuse of identifiers;</p>
-               </part>
-               <part id="ia-4.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(d)[2]</prop>
-                  <p>preventing reuse of identifiers for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ia-4.e_obj" name="objective">
-               <prop name="label">IA-4(e)</prop>
-               <part id="ia-4.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(e)[1]</prop>
-                  <p>defining a time period of inactivity to disable the identifier; and</p>
-               </part>
-               <part id="ia-4.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(e)[2]</prop>
-                  <p>disabling the identifier after the organization-defined time period of
-                     inactivity.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing identifier management</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system accounts</p>
-               <p>list of identifiers generated from physical access control devices</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identifier management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identifier management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-4.4">
-            <title>Identify User Status</title>
-            <param id="ia-4.4_prm_1">
-               <label>organization-defined characteristic identifying individual status</label>
-               <constraint>contractors; foreign nationals</constraint>
-            </param>
-            <prop name="label">IA-4(4)</prop>
-            <prop name="sort-id">ia-04.04</prop>
-            <part id="ia-4.4_smt" name="statement">
-               <p>The organization manages individual identifiers by uniquely identifying each
-                  individual as <insert param-id="ia-4.4_prm_1"/>.</p>
-            </part>
-            <part id="ia-4.4_gdn" name="guidance">
-               <p>Characteristics identifying the status of individuals include, for example,
-                  contractors and foreign nationals. Identifying the status of individuals by
-                  specific characteristics provides additional information about the people with
-                  whom organizational personnel are communicating. For example, it might be useful
-                  for a government employee to know that one of the individuals on an email message
-                  is a contractor.</p>
-               <link rel="related" href="#at-2">AT-2</link>
-            </part>
-            <part id="ia-4.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-4.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-4(4)[1]</prop>
-                  <p>defines a characteristic to be used to identify individual status; and</p>
-               </part>
-               <part id="ia-4.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-4(4)[2]</prop>
-                  <p>manages individual identifiers by uniquely identifying each individual as the
-                     organization-defined characteristic identifying individual status.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>list of characteristics identifying individual status</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identifier management</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-5">
-         <title>Authenticator Management</title>
-         <param id="ia-5_prm_1">
-            <label>organization-defined time period by authenticator type</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IA-5</prop>
-         <prop name="sort-id">ia-05</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-5_smt" name="statement">
-            <p>The organization manages information system authenticators by:</p>
-            <part id="ia-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Verifying, as part of the initial authenticator distribution, the identity of the
-                  individual, group, role, or device receiving the authenticator;</p>
-            </part>
-            <part id="ia-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Establishing and implementing administrative procedures for initial authenticator
-                  distribution, for lost/compromised or damaged authenticators, and for revoking
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changing/refreshing authenticators <insert param-id="ia-5_prm_1"/>;</p>
-            </part>
-            <part id="ia-5_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Protecting authenticator content from unauthorized disclosure and
-                  modification;</p>
-            </part>
-            <part id="ia-5_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Requiring individuals to take, and having devices implement, specific security
-                  safeguards to protect authenticators; and</p>
-            </part>
-            <part id="ia-5_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-5_gdn" name="guidance">
-            <p>Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-               certificates, and key cards. Initial authenticator content is the actual content
-               (e.g., the initial password) as opposed to requirements about authenticator content
-               (e.g., minimum password length). In many cases, developers ship information system
-               components with factory default authentication credentials to allow for initial
-               installation and configuration. Default authentication credentials are often well
-               known, easily discoverable, and present a significant security risk. The requirement
-               to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-               for authenticators stored within organizational information systems (e.g., passwords
-               stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-               accessible with administrator privileges). Information systems support individual
-               authenticator management by organization-defined settings and restrictions for
-               various authenticator characteristics including, for example, minimum password
-               length, password composition, validation time window for time synchronous one-time
-               tokens, and number of allowed rejections during the verification stage of biometric
-               authentication. Specific actions that can be taken to safeguard authenticators
-               include, for example, maintaining possession of individual authenticators, not
-               loaning or sharing individual authenticators with others, and reporting lost, stolen,
-               or compromised authenticators immediately. Authenticator management includes issuing
-               and revoking, when no longer needed, authenticators for temporary access such as that
-               required for remote maintenance. Device authenticators include, for example,
-               certificates and passwords.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-         </part>
-         <part id="ia-5_obj" name="objective">
-            <p>Determine if the organization manages information system authenticators by: </p>
-            <part id="ia-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(a)</prop>
-               <p>verifying, as part of the initial authenticator distribution, the identity of:</p>
-               <part id="ia-5.a_obj.1" name="objective">
-                  <prop name="label">IA-5(a)[1]</prop>
-                  <p>the individual receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.2" name="objective">
-                  <prop name="label">IA-5(a)[2]</prop>
-                  <p>the group receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.3" name="objective">
-                  <prop name="label">IA-5(a)[3]</prop>
-                  <p>the role receiving the authenticator; and/or</p>
-               </part>
-               <part id="ia-5.a_obj.4" name="objective">
-                  <prop name="label">IA-5(a)[4]</prop>
-                  <p>the device receiving the authenticator;</p>
-               </part>
-            </part>
-            <part id="ia-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">IA-5(b)</prop>
-               <p>establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(c)</prop>
-               <p>ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5.d_obj" name="objective">
-               <prop name="label">IA-5(d)</prop>
-               <part id="ia-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[1]</prop>
-                  <p>establishing and implementing administrative procedures for initial
-                     authenticator distribution;</p>
-               </part>
-               <part id="ia-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[2]</prop>
-                  <p>establishing and implementing administrative procedures for lost/compromised or
-                     damaged authenticators;</p>
-               </part>
-               <part id="ia-5.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(d)[3]</prop>
-                  <p>establishing and implementing administrative procedures for revoking
-                     authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(e)</prop>
-               <p>changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5.f_obj" name="objective">
-               <prop name="label">IA-5(f)</prop>
-               <part id="ia-5.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[1]</prop>
-                  <p>establishing minimum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[2]</prop>
-                  <p>establishing maximum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(f)[3]</prop>
-                  <p>establishing reuse conditions for authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.g_obj" name="objective">
-               <prop name="label">IA-5(g)</prop>
-               <part id="ia-5.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(g)[1]</prop>
-                  <p>defining a time period (by authenticator type) for changing/refreshing
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(g)[2]</prop>
-                  <p>changing/refreshing authenticators with the organization-defined time period by
-                     authenticator type;</p>
-               </part>
-            </part>
-            <part id="ia-5.h_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(h)</prop>
-               <p>protecting authenticator content from unauthorized:</p>
-               <part id="ia-5.h_obj.1" name="objective">
-                  <prop name="label">IA-5(h)[1]</prop>
-                  <p>disclosure;</p>
-               </part>
-               <part id="ia-5.h_obj.2" name="objective">
-                  <prop name="label">IA-5(h)[2]</prop>
-                  <p>modification;</p>
-               </part>
-            </part>
-            <part id="ia-5.i_obj" name="objective">
-               <prop name="label">IA-5(i)</prop>
-               <part id="ia-5.i_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IA-5(i)[1]</prop>
-                  <p>requiring individuals to take specific security safeguards to protect
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.i_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(i)[2]</prop>
-                  <p>having devices implement specific security safeguards to protect
-                     authenticators; and</p>
-               </part>
-            </part>
-            <part id="ia-5.j_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IA-5(j)</prop>
-               <p>changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator management</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system authenticator types</p>
-               <p>change control records associated with managing information system
-                  authenticators</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with authenticator management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing authenticator management
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-5.1">
-            <title>Password-based Authentication</title>
-            <param id="ia-5.1_prm_1">
-               <label>organization-defined requirements for case sensitivity, number of characters,
-                  mix of upper-case letters, lower-case letters, numbers, and special characters,
-                  including minimum requirements for each type</label>
-            </param>
-            <param id="ia-5.1_prm_2">
-               <label>organization-defined number</label>
-               <constraint>at least one</constraint>
-            </param>
-            <param id="ia-5.1_prm_3">
-               <label>organization-defined numbers for lifetime minimum, lifetime maximum</label>
-            </param>
-            <param id="ia-5.1_prm_4">
-               <label>organization-defined number</label>
-               <constraint>twenty four (24)</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">IA-5(1)</prop>
-            <prop name="sort-id">ia-05.01</prop>
-            <part id="ia-5.1_smt" name="statement">
-               <p>The information system, for password-based authentication:</p>
-               <part id="ia-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Enforces minimum password complexity of <insert param-id="ia-5.1_prm_1"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces at least the following number of changed characters when new passwords
-                     are created: <insert param-id="ia-5.1_prm_2"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Stores and transmits only cryptographically-protected passwords;</p>
-               </part>
-               <part id="ia-5.1_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Enforces password minimum and maximum lifetime restrictions of <insert param-id="ia-5.1_prm_3"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Prohibits password reuse for <insert param-id="ia-5.1_prm_4"/> generations;
-                     and</p>
-               </part>
-               <part id="ia-5.1_smt.f" name="item">
-                  <prop name="label">(f)</prop>
-                  <p>Allows the use of a temporary password for system logons with an immediate
-                     change to a permanent password.</p>
-               </part>
-               <part id="ia-5.1_fr" name="item">
-                  <title>IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-5.1_fr_gdn.1" name="guidance">
-                     <prop name="label">(a) (d) Guidance:</prop>
-                     <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-5.1_gdn" name="guidance">
-               <p>This control enhancement applies to single-factor authentication of individuals
-                  using passwords as individual or group authenticators, and in a similar manner,
-                  when passwords are part of multifactor authenticators. This control enhancement
-                  does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                  Personal Identity Verification cards). The implementation of such password
-                  mechanisms may not meet all of the requirements in the enhancement.
-                  Cryptographically-protected passwords include, for example, encrypted versions of
-                  passwords and one-way cryptographic hashes of passwords. The number of changed
-                  characters refers to the number of changes required with respect to the total
-                  number of positions in the current password. Password lifetime restrictions do not
-                  apply to temporary passwords. To mitigate certain brute force attacks against
-                  passwords, organizations may also consider salting passwords.</p>
-               <link rel="related" href="#ia-6">IA-6</link>
-            </part>
-            <part id="ia-5.1_obj" name="objective">
-               <p>Determine if, for password-based authentication: </p>
-               <part id="ia-5.1.a_obj" name="objective">
-                  <prop name="label">IA-5(1)(a)</prop>
-                  <part id="ia-5.1.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[1]</prop>
-                     <p>the organization defines requirements for case sensitivity;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[2]</prop>
-                     <p>the organization defines requirements for number of characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[3]</prop>
-                     <p>the organization defines requirements for the mix of upper-case letters,
-                        lower-case letters, numbers and special characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.4" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(a)[4]</prop>
-                     <p>the organization defines minimum requirements for each type of
-                        character;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.5" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(a)[5]</prop>
-                     <p>the information system enforces minimum password complexity of
-                        organization-defined requirements for case sensitivity, number of
-                        characters, mix of upper-case letters, lower-case letters, numbers, and
-                        special characters, including minimum requirements for each type;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.a">IA-5(1)(a)</link>
-               </part>
-               <part id="ia-5.1.b_obj" name="objective">
-                  <prop name="label">IA-5(1)(b)</prop>
-                  <part id="ia-5.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(b)[1]</prop>
-                     <p>the organization defines a minimum number of changed characters to be
-                        enforced when new passwords are created;</p>
-                  </part>
-                  <part id="ia-5.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(b)[2]</prop>
-                     <p>the information system enforces at least the organization-defined minimum
-                        number of characters that must be changed when new passwords are
-                        created;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.b">IA-5(1)(b)</link>
-               </part>
-               <part id="ia-5.1.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(1)(c)</prop>
-                  <p>the information system stores and transmits only encrypted representations of
-                     passwords;</p>
-                  <link rel="corresp" href="#ia-5.1_smt.c">IA-5(1)(c)</link>
-               </part>
-               <part id="ia-5.1.d_obj" name="objective">
-                  <prop name="label">IA-5(1)(d)</prop>
-                  <part id="ia-5.1.d_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(d)[1]</prop>
-                     <p>the organization defines numbers for password minimum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(d)[2]</prop>
-                     <p>the organization defines numbers for password maximum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(d)[3]</prop>
-                     <p>the information system enforces password minimum lifetime restrictions of
-                        organization-defined numbers for lifetime minimum;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.4" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(d)[4]</prop>
-                     <p>the information system enforces password maximum lifetime restrictions of
-                        organization-defined numbers for lifetime maximum;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.d">IA-5(1)(d)</link>
-               </part>
-               <part id="ia-5.1.e_obj" name="objective">
-                  <prop name="label">IA-5(1)(e)</prop>
-                  <part id="ia-5.1.e_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IA-5(1)(e)[1]</prop>
-                     <p>the organization defines the number of password generations to be prohibited
-                        from password reuse;</p>
-                  </part>
-                  <part id="ia-5.1.e_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(1)(e)[2]</prop>
-                     <p>the information system prohibits password reuse for the organization-defined
-                        number of generations; and</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.e">IA-5(1)(e)</link>
-               </part>
-               <part id="ia-5.1.f_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(1)(f)</prop>
-                  <p>the information system allows the use of a temporary password for system logons
-                     with an immediate change to a permanent password.</p>
-                  <link rel="corresp" href="#ia-5.1_smt.f">IA-5(1)(f)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>password policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>password configurations and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing password-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.2">
-            <title>Pki-based Authentication</title>
-            <prop name="label">IA-5(2)</prop>
-            <prop name="sort-id">ia-05.02</prop>
-            <part id="ia-5.2_smt" name="statement">
-               <p>The information system, for PKI-based authentication:</p>
-               <part id="ia-5.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Validates certifications by constructing and verifying a certification path to
-                     an accepted trust anchor including checking certificate status information;</p>
-               </part>
-               <part id="ia-5.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces authorized access to the corresponding private key;</p>
-               </part>
-               <part id="ia-5.2_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Maps the authenticated identity to the account of the individual or group;
-                     and</p>
-               </part>
-               <part id="ia-5.2_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Implements a local cache of revocation data to support path discovery and
-                     validation in case of inability to access revocation information via the
-                     network.</p>
-               </part>
-            </part>
-            <part id="ia-5.2_gdn" name="guidance">
-               <p>Status information for certification paths includes, for example, certificate
-                  revocation lists or certificate status protocol responses. For PIV cards,
-                  validation of certifications involves the construction and verification of a
-                  certification path to the Common Policy Root trust anchor including certificate
-                  policy processing.</p>
-               <link rel="related" href="#ia-6">IA-6</link>
-            </part>
-            <part id="ia-5.2_obj" name="objective">
-               <p>Determine if the information system, for PKI-based authentication: </p>
-               <part id="ia-5.2.a_obj" name="objective">
-                  <prop name="label">IA-5(2)(a)</prop>
-                  <part id="ia-5.2.a_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(2)(a)[1]</prop>
-                     <p>validates certifications by constructing a certification path to an accepted
-                        trust anchor;</p>
-                  </part>
-                  <part id="ia-5.2.a_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(2)(a)[2]</prop>
-                     <p>validates certifications by verifying a certification path to an accepted
-                        trust anchor;</p>
-                  </part>
-                  <part id="ia-5.2.a_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IA-5(2)(a)[3]</prop>
-                     <p>includes checking certificate status information when constructing and
-                        verifying the certification path;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.2_smt.a">IA-5(2)(a)</link>
-               </part>
-               <part id="ia-5.2.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(2)(b)</prop>
-                  <p>enforces authorized access to the corresponding private key;</p>
-                  <link rel="corresp" href="#ia-5.2_smt.b">IA-5(2)(b)</link>
-               </part>
-               <part id="ia-5.2.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(2)(c)</prop>
-                  <p>maps the authenticated identity to the account of the individual or group;
-                     and</p>
-                  <link rel="corresp" href="#ia-5.2_smt.c">IA-5(2)(c)</link>
-               </part>
-               <part id="ia-5.2.d_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(2)(d)</prop>
-                  <p>implements a local cache of revocation data to support path discovery and
-                     validation in case of inability to access revocation information via the
-                     network.</p>
-                  <link rel="corresp" href="#ia-5.2_smt.d">IA-5(2)(d)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>PKI certification validation records</p>
-                  <p>PKI certification revocation lists</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with PKI-based, authenticator management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing PKI-based, authenticator
-                     management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.3">
-            <title>In-person or Trusted Third-party Registration</title>
-            <param id="ia-5.3_prm_1">
-               <label>organization-defined types of and/or specific authenticators</label>
-               <constraint>All hardware/biometric (multifactor authenticators)</constraint>
-            </param>
-            <param id="ia-5.3_prm_2">
-               <constraint>in person</constraint>
-            </param>
-            <param id="ia-5.3_prm_3">
-               <label>organization-defined registration authority</label>
-            </param>
-            <param id="ia-5.3_prm_4">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IA-5(3)</prop>
-            <prop name="sort-id">ia-05.03</prop>
-            <part id="ia-5.3_smt" name="statement">
-               <p>The organization requires that the registration process to receive <insert param-id="ia-5.3_prm_1"/> be conducted <insert param-id="ia-5.3_prm_2"/> before
-                     <insert param-id="ia-5.3_prm_3"/> with authorization by <insert param-id="ia-5.3_prm_4"/>.</p>
-            </part>
-            <part id="ia-5.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(3)[1]</prop>
-                  <p>defines types of and/or specific authenticators to be received in person or by
-                     a trusted third party;</p>
-               </part>
-               <part id="ia-5.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(3)[2]</prop>
-                  <p>defines the registration authority with oversight of the registration process
-                     for receipt of organization-defined types of and/or specific
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.3_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(3)[3]</prop>
-                  <p>defines personnel or roles responsible for authorizing organization-defined
-                     registration authority;</p>
-               </part>
-               <part id="ia-5.3_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(3)[4]</prop>
-                  <p>defines if the registration process is to be conducted:</p>
-                  <part id="ia-5.3_obj.4.a" name="objective">
-                     <prop name="label">IA-5(3)[4][a]</prop>
-                     <p>in person; or</p>
-                  </part>
-                  <part id="ia-5.3_obj.4.b" name="objective">
-                     <prop name="label">IA-5(3)[4][b]</prop>
-                     <p>by a trusted third party; and</p>
-                  </part>
-               </part>
-               <part id="ia-5.3_obj.5" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IA-5(3)[5]</prop>
-                  <p>requires that the registration process to receive organization-defined types of
-                     and/or specific authenticators be conducted in person or by a trusted third
-                     party before organization-defined registration authority with authorization by
-                     organization-defined personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>registration process for receiving information system authenticators</p>
-                  <p>list of authenticators requiring in-person registration</p>
-                  <p>list of authenticators requiring trusted third party registration</p>
-                  <p>authenticator registration documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>registration authority</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.4">
-            <title>Automated Support for Password Strength Determination</title>
-            <param id="ia-5.4_prm_1">
-               <label>organization-defined requirements</label>
-            </param>
-            <prop name="label">IA-5(4)</prop>
-            <prop name="sort-id">ia-05.04</prop>
-            <part id="ia-5.4_smt" name="statement">
-               <p>The organization employs automated tools to determine if password authenticators
-                  are sufficiently strong to satisfy <insert param-id="ia-5.4_prm_1"/>.</p>
-               <part id="ia-5.4_fr" name="item">
-                  <title>IA-5 (4) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ia-5.4_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-5.4_gdn" name="guidance">
-               <p>This control enhancement focuses on the creation of strong passwords and the
-                  characteristics of such passwords (e.g., complexity) prior to use, the enforcement
-                  of which is carried out by organizational information systems in IA-5 (1).</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="ia-5.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(4)[1]</prop>
-                  <p>defines requirements to be satisfied by password authenticators; and</p>
-               </part>
-               <part id="ia-5.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(4)[2]</prop>
-                  <p>employs automated tools to determine if password authenticators are
-                     sufficiently strong to satisfy organization-defined requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>automated tools for evaluating password authenticators</p>
-                  <p>password strength assessment results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing password-based
-                     authenticator management capability</p>
-                  <p>automated tools for determining password strength</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.6">
-            <title>Protection of Authenticators</title>
-            <prop name="label">IA-5(6)</prop>
-            <prop name="sort-id">ia-05.06</prop>
-            <part id="ia-5.6_smt" name="statement">
-               <p>The organization protects authenticators commensurate with the security category
-                  of the information to which use of the authenticator permits access.</p>
-            </part>
-            <part id="ia-5.6_gdn" name="guidance">
-               <p>For information systems containing multiple security categories of information
-                  without reliable physical or logical separation between categories, authenticators
-                  used to grant access to the systems are protected commensurate with the highest
-                  security category of information on the systems.</p>
-            </part>
-            <part id="ia-5.6_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization protects authenticators commensurate with the
-                  security category of the information to which use of the authenticator permits
-                  access.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security categorization documentation for the information system</p>
-                  <p>security assessments of authenticator protections</p>
-                  <p>risk assessment results</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel implementing and/or maintaining authenticator
-                     protections</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-                  <p>automated mechanisms protecting authenticators</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.7">
-            <title>No Embedded Unencrypted Static Authenticators</title>
-            <prop name="label">IA-5(7)</prop>
-            <prop name="sort-id">ia-05.07</prop>
-            <part id="ia-5.7_smt" name="statement">
-               <p>The organization ensures that unencrypted static authenticators are not embedded
-                  in applications or access scripts or stored on function keys.</p>
-            </part>
-            <part id="ia-5.7_gdn" name="guidance">
-               <p>Organizations exercise caution in determining whether embedded or stored
-                  authenticators are in encrypted or unencrypted form. If authenticators are used in
-                  the manner stored, then those representations are considered unencrypted
-                  authenticators. This is irrespective of whether that representation is perhaps an
-                  encrypted version of something else (e.g., a password).</p>
-            </part>
-            <part id="ia-5.7_obj" name="objective">
-               <p>Determine if the organization ensures that unencrypted static authenticators are
-                  not: </p>
-               <part id="ia-5.7_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(7)[1]</prop>
-                  <p>embedded in applications;</p>
-               </part>
-               <part id="ia-5.7_obj.2" name="objective">
-                  <prop name="label">IA-5(7)[2]</prop>
-                  <p>embedded in access scripts; or</p>
-               </part>
-               <part id="ia-5.7_obj.3" name="objective">
-                  <prop name="label">IA-5(7)[3]</prop>
-                  <p>stored on function keys.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>logical access scripts</p>
-                  <p>application code reviews for detecting unencrypted static authenticators</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-                  <p>automated mechanisms implementing authentication in applications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.11">
-            <title>Hardware Token-based Authentication</title>
-            <param id="ia-5.11_prm_1">
-               <label>organization-defined token quality requirements</label>
-            </param>
-            <prop name="label">IA-5(11)</prop>
-            <prop name="sort-id">ia-05.11</prop>
-            <part id="ia-5.11_smt" name="statement">
-               <p>The information system, for hardware token-based authentication, employs
-                  mechanisms that satisfy <insert param-id="ia-5.11_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.11_gdn" name="guidance">
-               <p>Hardware token-based authentication typically refers to the use of PKI-based
-                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                  Organizations define specific requirements for tokens, such as working with a
-                  particular PKI.</p>
-            </part>
-            <part id="ia-5.11_obj" name="objective">
-               <p>Determine if, for hardware token-based authentication: </p>
-               <part id="ia-5.11_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-5(11)[1]</prop>
-                  <p>the organization defines token quality requirements to be satisfied; and</p>
-               </part>
-               <part id="ia-5.11_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-5(11)[2]</prop>
-                  <p>the information system employs mechanisms that satisfy organization-defined
-                     token quality requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>automated mechanisms employing hardware token-based authentication for the
-                     information system</p>
-                  <p>list of token quality requirements</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing hardware token-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-6">
-         <title>Authenticator Feedback</title>
-         <prop name="label">IA-6</prop>
-         <prop name="sort-id">ia-06</prop>
-         <part id="ia-6_smt" name="statement">
-            <p>The information system obscures feedback of authentication information during the
-               authentication process to protect the information from possible exploitation/use by
-               unauthorized individuals.</p>
-         </part>
-         <part id="ia-6_gdn" name="guidance">
-            <p>The feedback from information systems does not provide information that would allow
-               unauthorized individuals to compromise authentication mechanisms. For some types of
-               information systems or system components, for example, desktops/notebooks with
-               relatively large monitors, the threat (often referred to as shoulder surfing) may be
-               significant. For other types of systems or components, for example, mobile devices
-               with 2-4 inch screens, this threat may be less significant, and may need to be
-               balanced against the increased likelihood of typographic input errors due to the
-               small keyboards. Therefore, the means for obscuring the authenticator feedback is
-               selected accordingly. Obscuring the feedback of authentication information includes,
-               for example, displaying asterisks when users type passwords into input devices, or
-               displaying feedback for a very limited time before fully obscuring it.</p>
-            <link rel="related" href="#pe-18">PE-18</link>
-         </part>
-         <part id="ia-6_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system obscures feedback of authentication information
-               during the authentication process to protect the information from possible
-               exploitation/use by unauthorized individuals.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator feedback</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                  authentication information during authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-7">
-         <title>Cryptographic Module Authentication</title>
-         <prop name="label">IA-7</prop>
-         <prop name="sort-id">ia-07</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#b09d1a31-d3c9-4138-a4f4-4c63816afd7d" rel="reference">http://csrc.nist.gov/groups/STM/cmvp/index.html</link>
-         <part id="ia-7_smt" name="statement">
-            <p>The information system implements mechanisms for authentication to a cryptographic
-               module that meet the requirements of applicable federal laws, Executive Orders,
-               directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part id="ia-7_gdn" name="guidance">
-            <p>Authentication mechanisms may be required within a cryptographic module to
-               authenticate an operator accessing the module and to verify that the operator is
-               authorized to assume the requested role and perform services within that role.</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ia-7_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system implements mechanisms for authentication to a
-               cryptographic module that meet the requirements of applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing cryptographic module authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for cryptographic module
-                  authentication</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic module
-                  authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-8">
-         <title>Identification and Authentication (non-organizational Users)</title>
-         <prop name="label">IA-8</prop>
-         <prop name="sort-id">ia-08</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#599fe9ba-4750-4450-9eeb-b95bd19a5e8f" rel="reference">OMB Memorandum 10-06-2011</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#654f21e2-f3bc-43b2-abdc-60ab8d09744b" rel="reference">National Strategy for Trusted Identities in
-            Cyberspace</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-8_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates non-organizational users
-               (or processes acting on behalf of non-organizational users).</p>
-         </part>
-         <part id="ia-8_gdn" name="guidance">
-            <p>Non-organizational users include information system users other than organizational
-               users explicitly covered by IA-2. These individuals are uniquely identified and
-               authenticated for accesses other than those accesses explicitly identified and
-               documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-               authentication of non-organizational users accessing federal information systems may
-               be required to protect federal, proprietary, or privacy-related information (with
-               exceptions noted for national security systems). Organizations use risk assessments
-               to determine authentication needs and consider scalability, practicality, and
-               security in balancing the need to ensure ease of use for access to federal
-               information and information systems with the need to protect and adequately mitigate
-               risk. IA-2 addresses identification and authentication requirements for access to
-               information systems by organizational users.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-         </part>
-         <part id="ia-8_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               non-organizational users (or processes acting on behalf of non-organizational
-               users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-8.1">
-            <title>Acceptance of PIV Credentials from Other Agencies</title>
-            <prop name="label">IA-8(1)</prop>
-            <prop name="sort-id">ia-08.01</prop>
-            <part id="ia-8.1_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials from other federal agencies.</p>
-            </part>
-            <part id="ia-8.1_gdn" name="guidance">
-               <p>This control enhancement applies to logical access control systems (LACS) and
-                  physical access control systems (PACS). Personal Identity Verification (PIV)
-                  credentials are those credentials issued by federal agencies that conform to FIPS
-                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                  federal agencies to continue implementing the requirements specified in HSPD-12 to
-                  enable agency-wide use of PIV credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.1_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(1)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials from other agencies;
-                     and</p>
-               </part>
-               <part id="ia-8.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(1)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials from
-                     other agencies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept and verify PIV credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.2">
-            <title>Acceptance of Third-party Credentials</title>
-            <prop name="label">IA-8(2)</prop>
-            <prop name="sort-id">ia-08.02</prop>
-            <part id="ia-8.2_smt" name="statement">
-               <p>The information system accepts only FICAM-approved third-party credentials.</p>
-            </part>
-            <part id="ia-8.2_gdn" name="guidance">
-               <p>This control enhancement typically applies to organizational information systems
-                  that are accessible to the general public, for example, public-facing websites.
-                  Third-party credentials are those credentials issued by nonfederal government
-                  entities approved by the Federal Identity, Credential, and Access Management
-                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                  meet or exceed the set of minimum federal government-wide technical, security,
-                  privacy, and organizational maturity requirements. This allows federal government
-                  relying parties to trust such credentials at their approved assurance levels.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ia-8.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system accepts only FICAM-approved third-party
-                  credentials. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-approved, third-party credentialing products, components, or
-                     services procured and implemented by organization</p>
-                  <p>third-party credential verification records</p>
-                  <p>evidence of FICAM-approved third-party credentials</p>
-                  <p>third-party credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept FICAM-approved credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.3">
-            <title>Use of Ficam-approved Products</title>
-            <param id="ia-8.3_prm_1">
-               <label>organization-defined information systems</label>
-            </param>
-            <prop name="label">IA-8(3)</prop>
-            <prop name="sort-id">ia-08.03</prop>
-            <part id="ia-8.3_smt" name="statement">
-               <p>The organization employs only FICAM-approved information system components in
-                     <insert param-id="ia-8.3_prm_1"/> to accept third-party credentials.</p>
-            </part>
-            <part id="ia-8.3_gdn" name="guidance">
-               <p>This control enhancement typically applies to information systems that are
-                  accessible to the general public, for example, public-facing websites.
-                  FICAM-approved information system components include, for example, information
-                  technology products and software libraries that have been approved by the Federal
-                  Identity, Credential, and Access Management conformance program.</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-8.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IA-8(3)[1]</prop>
-                  <p>defines information systems in which only FICAM-approved information system
-                     components are to be employed to accept third-party credentials; and</p>
-               </part>
-               <part id="ia-8.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IA-8(3)[2]</prop>
-                  <p>employs only FICAM-approved information system components in
-                     organization-defined information systems to accept third-party credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>third-party credential validations</p>
-                  <p>third-party credential authorizations</p>
-                  <p>third-party credential records</p>
-                  <p>list of FICAM-approved information system components procured and implemented
-                     by organization</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information system security, acquisition, and
-                     contracting responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.4">
-            <title>Use of Ficam-issued Profiles</title>
-            <prop name="label">IA-8(4)</prop>
-            <prop name="sort-id">ia-08.04</prop>
-            <part id="ia-8.4_smt" name="statement">
-               <p>The information system conforms to FICAM-issued profiles.</p>
-            </part>
-            <part id="ia-8.4_gdn" name="guidance">
-               <p>This control enhancement addresses open identity management standards. To ensure
-                  that these standards are viable, robust, reliable, sustainable (e.g., available in
-                  commercial information technology products), and interoperable as documented, the
-                  United States Government assesses and scopes identity management standards and
-                  technology implementations against applicable federal legislation, directives,
-                  policies, and requirements. The result is FICAM-issued implementation profiles of
-                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                  Exchange).</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system conforms to FICAM-issued profiles. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-issued profiles and associated, approved protocols</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing conformance with
-                     FICAM-issued profiles</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ir">
-      <title>Incident Response</title>
-      <control class="SP800-53" id="ir-1">
-         <title>Incident Response Policy and Procedures</title>
-         <param id="ir-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ir-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-1</prop>
-         <prop name="sort-id">ir-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ir-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ir-1_prm_1"/>:</p>
-               <part id="ir-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An incident response policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ir-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the incident response policy and
-                     associated incident response controls; and</p>
-               </part>
-            </part>
-            <part id="ir-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ir-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Incident response policy <insert param-id="ir-1_prm_2"/>; and</p>
-               </part>
-               <part id="ir-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Incident response procedures <insert param-id="ir-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IR
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ir-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-1.a_obj" name="objective">
-               <prop name="label">IR-1(a)</prop>
-               <part id="ir-1.a.1_obj" name="objective">
-                  <prop name="label">IR-1(a)(1)</prop>
-                  <part id="ir-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(1)[1]</prop>
-                     <p>develops and documents an incident response policy that addresses:</p>
-                     <part id="ir-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ir-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the incident response policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-1(a)(1)[3]</prop>
-                     <p>disseminates the incident response policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ir-1.a.2_obj" name="objective">
-                  <prop name="label">IR-1(a)(2)</prop>
-                  <part id="ir-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        incident response policy and associated incident response controls;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-1.b_obj" name="objective">
-               <prop name="label">IR-1(b)</prop>
-               <part id="ir-1.b.1_obj" name="objective">
-                  <prop name="label">IR-1(b)(1)</prop>
-                  <part id="ir-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        policy;</p>
-                  </part>
-                  <part id="ir-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current incident response policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ir-1.b.2_obj" name="objective">
-                  <prop name="label">IR-1(b)(2)</prop>
-                  <part id="ir-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        procedures; and</p>
-                  </part>
-                  <part id="ir-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current incident response procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-2">
-         <title>Incident Response Training</title>
-         <param id="ir-2_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ir-2_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-2</prop>
-         <prop name="sort-id">ir-02</prop>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="ir-2_smt" name="statement">
-            <p>The organization provides incident response training to information system users
-               consistent with assigned roles and responsibilities:</p>
-            <part id="ir-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="ir-2_prm_1"/> of assuming an incident response role or
-                  responsibility;</p>
-            </part>
-            <part id="ir-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="ir-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="ir-2_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="ir-2_gdn" name="guidance">
-            <p>Incident response training provided by organizations is linked to the assigned roles
-               and responsibilities of organizational personnel to ensure the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know who to call or how to recognize an incident on the information system;
-               system administrators may require additional training on how to handle/remediate
-               incidents; and incident responders may receive more specific training on forensics,
-               reporting, system recovery, and restoration. Incident response training includes user
-               training in the identification and reporting of suspicious activities, both from
-               external and internal sources.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-2.a_obj" name="objective">
-               <prop name="label">IR-2(a)</prop>
-               <part id="ir-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-2(a)[1]</prop>
-                  <p>defines a time period within which incident response training is to be provided
-                     to information system users assuming an incident response role or
-                     responsibility;</p>
-               </part>
-               <part id="ir-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-2(a)[2]</prop>
-                  <p>provides incident response training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming an incident response role or responsibility;</p>
-               </part>
-            </part>
-            <part id="ir-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">IR-2(b)</prop>
-               <p>provides incident response training to information system users consistent with
-                  assigned roles and responsibilities when required by information system
-                  changes;</p>
-            </part>
-            <part id="ir-2.c_obj" name="objective">
-               <prop name="label">IR-2(c)</prop>
-               <part id="ir-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher incident response training to
-                     information system users consistent with assigned roles or responsibilities;
-                     and</p>
-               </part>
-               <part id="ir-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-2(c)[2]</prop>
-                  <p>after the initial incident response training, provides refresher incident
-                     response training to information system users consistent with assigned roles
-                     and responsibilities in accordance with the organization-defined frequency to
-                     provide refresher training.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response training</p>
-               <p>incident response training curriculum</p>
-               <p>incident response training materials</p>
-               <p>security plan</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>incident response training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response training and operational
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-3">
-         <title>Incident Response Testing</title>
-         <param id="ir-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ir-3_prm_2">
-            <label>organization-defined tests</label>
-            <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-3</prop>
-         <prop name="sort-id">ir-03</prop>
-         <link href="#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf" rel="reference">NIST Special Publication 800-84</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <part id="ir-3_smt" name="statement">
-            <p>The organization tests the incident response capability for the information system
-                  <insert param-id="ir-3_prm_1"/> using <insert param-id="ir-3_prm_2"/> to determine
-               the incident response effectiveness and documents the results.</p>
-            <part id="ir-3_fr" name="item">
-               <title>IR-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-3_fr_smt.1" name="item">
-                  <prop name="label">IR-3 -2 Requirement:</prop>
-                  <p>The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-3_gdn" name="guidance">
-            <p>Organizations test incident response capabilities to determine the overall
-               effectiveness of the capabilities and to identify potential weaknesses or
-               deficiencies. Incident response testing includes, for example, the use of checklists,
-               walk-through or tabletop exercises, simulations (parallel/full interrupt), and
-               comprehensive exercises. Incident response testing can also include a determination
-               of the effects on organizational operations (e.g., reduction in mission
-               capabilities), organizational assets, and individuals due to incident response.</p>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-3_obj.1" name="objective">
-               <prop name="label">IR-3[1]</prop>
-               <p>defines incident response tests to test the incident response capability for the
-                  information system;</p>
-            </part>
-            <part id="ir-3_obj.2" name="objective">
-               <prop name="label">IR-3[2]</prop>
-               <p>defines the frequency to test the incident response capability for the information
-                  system; and</p>
-            </part>
-            <part id="ir-3_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">IR-3[3]</prop>
-               <p>tests the incident response capability for the information system with the
-                  organization-defined frequency, using organization-defined tests to determine the
-                  incident response effectiveness and documents the results.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>contingency planning policy</p>
-               <p>procedures addressing incident response testing</p>
-               <p>procedures addressing contingency plan testing</p>
-               <p>incident response testing material</p>
-               <p>incident response test results</p>
-               <p>incident response test plan</p>
-               <p>incident response plan</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response testing responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-3.2">
-            <title>Coordination with Related Plans</title>
-            <prop name="label">IR-3(2)</prop>
-            <prop name="sort-id">ir-03.02</prop>
-            <part id="ir-3.2_smt" name="statement">
-               <p>The organization coordinates incident response testing with organizational
-                  elements responsible for related plans.</p>
-            </part>
-            <part id="ir-3.2_gdn" name="guidance">
-               <p>Organizational plans related to incident response testing include, for example,
-                  Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity
-                  of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  and Occupant Emergency Plans.</p>
-            </part>
-            <part id="ir-3.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <p>Determine if the organization coordinates incident response testing with
-                  organizational elements responsible for related plans. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>contingency planning policy</p>
-                  <p>procedures addressing incident response testing</p>
-                  <p>incident response testing documentation</p>
-                  <p>incident response plan</p>
-                  <p>business continuity plans</p>
-                  <p>contingency plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response testing responsibilities</p>
-                  <p>organizational personnel with responsibilities for testing organizational plans
-                     related to incident response testing</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-4">
-         <title>Incident Handling</title>
-         <prop name="label">IR-4</prop>
-         <prop name="sort-id">ir-04</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Implements an incident handling capability for security incidents that includes
-                  preparation, detection and analysis, containment, eradication, and recovery;</p>
-            </part>
-            <part id="ir-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates incident handling activities with contingency planning activities;
-                  and</p>
-            </part>
-            <part id="ir-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Incorporates lessons learned from ongoing incident handling activities into
-                  incident response procedures, training, and testing, and implements the resulting
-                  changes accordingly.</p>
-            </part>
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-4_gdn" name="guidance">
-            <p>Organizations recognize that incident response capability is dependent on the
-               capabilities of organizational information systems and the mission/business processes
-               being supported by those systems. Therefore, organizations consider incident response
-               as part of the definition, design, and development of mission/business processes and
-               information systems. Incident-related information can be obtained from a variety of
-               sources including, for example, audit monitoring, network monitoring, physical access
-               monitoring, user/administrator reports, and reported supply chain events. Effective
-               incident handling capability includes coordination among many organizational entities
-               including, for example, mission/business owners, information system owners,
-               authorizing officials, human resources offices, physical and personnel security
-               offices, legal departments, operations personnel, procurement offices, and the risk
-               executive (function).</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-4.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">IR-4(a)</prop>
-               <p>implements an incident handling capability for security incidents that
-                  includes:</p>
-               <part id="ir-4.a_obj.1" name="objective">
-                  <prop name="label">IR-4(a)[1]</prop>
-                  <p>preparation;</p>
-               </part>
-               <part id="ir-4.a_obj.2" name="objective">
-                  <prop name="label">IR-4(a)[2]</prop>
-                  <p>detection and analysis;</p>
-               </part>
-               <part id="ir-4.a_obj.3" name="objective">
-                  <prop name="label">IR-4(a)[3]</prop>
-                  <p>containment;</p>
-               </part>
-               <part id="ir-4.a_obj.4" name="objective">
-                  <prop name="label">IR-4(a)[4]</prop>
-                  <p>eradication;</p>
-               </part>
-               <part id="ir-4.a_obj.5" name="objective">
-                  <prop name="label">IR-4(a)[5]</prop>
-                  <p>recovery;</p>
-               </part>
-            </part>
-            <part id="ir-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">IR-4(b)</prop>
-               <p>coordinates incident handling activities with contingency planning activities;</p>
-            </part>
-            <part id="ir-4.c_obj" name="objective">
-               <prop name="label">IR-4(c)</prop>
-               <part id="ir-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-4(c)[1]</prop>
-                  <p>incorporates lessons learned from ongoing incident handling activities
-                     into:</p>
-                  <part id="ir-4.c_obj.1.a" name="objective">
-                     <prop name="label">IR-4(c)[1][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.b" name="objective">
-                     <prop name="label">IR-4(c)[1][b]</prop>
-                     <p>training;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.c" name="objective">
-                     <prop name="label">IR-4(c)[1][c]</prop>
-                     <p>testing/exercises;</p>
-                  </part>
-               </part>
-               <part id="ir-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-4(c)[2]</prop>
-                  <p>implements the resulting changes accordingly to:</p>
-                  <part id="ir-4.c_obj.2.a" name="objective">
-                     <prop name="label">IR-4(c)[2][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.b" name="objective">
-                     <prop name="label">IR-4(c)[2][b]</prop>
-                     <p>training; and</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.c" name="objective">
-                     <prop name="label">IR-4(c)[2][c]</prop>
-                     <p>testing/exercises.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>contingency planning policy</p>
-               <p>procedures addressing incident handling</p>
-               <p>incident response plan</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident handling capability for the organization</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-4.1">
-            <title>Automated Incident Handling Processes</title>
-            <prop name="label">IR-4(1)</prop>
-            <prop name="sort-id">ir-04.01</prop>
-            <part id="ir-4.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to support the incident handling
-                  process.</p>
-            </part>
-            <part id="ir-4.1_gdn" name="guidance">
-               <p>Automated mechanisms supporting incident handling processes include, for example,
-                  online incident management systems.</p>
-            </part>
-            <part id="ir-4.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to support the incident
-                  handling process. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting incident handling</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement the incident handling
-                     process</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-5">
-         <title>Incident Monitoring</title>
-         <prop name="label">IR-5</prop>
-         <prop name="sort-id">ir-05</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-5_smt" name="statement">
-            <p>The organization tracks and documents information system security incidents.</p>
-         </part>
-         <part id="ir-5_gdn" name="guidance">
-            <p>Documenting information system security incidents includes, for example, maintaining
-               records about each incident, the status of the incident, and other pertinent
-               information necessary for forensics, evaluating incident details, trends, and
-               handling. Incident information can be obtained from a variety of sources including,
-               for example, incident reports, incident response teams, audit monitoring, network
-               monitoring, physical access monitoring, and user/administrator reports.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-5_obj.1" name="objective">
-               <prop name="label">IR-5[1]</prop>
-               <p>tracks information system security incidents; and</p>
-            </part>
-            <part id="ir-5_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-5[2]</prop>
-               <p>documents information system security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident monitoring</p>
-               <p>incident response records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident monitoring capability for the organization</p>
-               <p>automated mechanisms supporting and/or implementing tracking and documenting of
-                  system security incidents</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-6">
-         <title>Incident Reporting</title>
-         <param id="ir-6_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-         </param>
-         <param id="ir-6_prm_2">
-            <label>organization-defined authorities</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-6</prop>
-         <prop name="sort-id">ir-06</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#02631467-668b-4233-989b-3dfded2fd184" rel="reference">http://www.us-cert.gov</link>
-         <part id="ir-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires personnel to report suspected security incidents to the organizational
-                  incident response capability within <insert param-id="ir-6_prm_1"/>; and</p>
-            </part>
-            <part id="ir-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports security incident information to <insert param-id="ir-6_prm_2"/>.</p>
-            </part>
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-6_gdn" name="guidance">
-            <p>The intent of this control is to address both specific incident reporting
-               requirements within an organization and the formal incident reporting requirements
-               for federal agencies and their subordinate organizations. Suspected security
-               incidents include, for example, the receipt of suspicious email communications that
-               can potentially contain malicious code. The types of security incidents reported, the
-               content and timeliness of the reports, and the designated reporting authorities
-               reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-               standards, and guidance. Current federal policy requires that all federal agencies
-               (unless specifically exempted from such requirements) report security incidents to
-               the United States Computer Emergency Readiness Team (US-CERT) within specified time
-               frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-               Incident Handling.</p>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-6.a_obj" name="objective">
-               <prop name="label">IR-6(a)</prop>
-               <part id="ir-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-6(a)[1]</prop>
-                  <p>defines the time period within which personnel report suspected security
-                     incidents to the organizational incident response capability;</p>
-               </part>
-               <part id="ir-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-6(a)[2]</prop>
-                  <p>requires personnel to report suspected security incidents to the organizational
-                     incident response capability within the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ir-6.b_obj" name="objective">
-               <prop name="label">IR-6(b)</prop>
-               <part id="ir-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-6(b)[1]</prop>
-                  <p>defines authorities to whom security incident information is to be reported;
-                     and</p>
-               </part>
-               <part id="ir-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-6(b)[2]</prop>
-                  <p>reports security incident information to organization-defined authorities.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident reporting</p>
-               <p>incident reporting records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident reporting responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel who have/should have reported incidents</p>
-               <p>personnel (authorities) to whom incident information is to be reported</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident reporting</p>
-               <p>automated mechanisms supporting and/or implementing incident reporting</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-6.1">
-            <title>Automated Reporting</title>
-            <prop name="label">IR-6(1)</prop>
-            <prop name="sort-id">ir-06.01</prop>
-            <part id="ir-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to assist in the reporting of
-                  security incidents.</p>
-            </part>
-            <part id="ir-6.1_gdn" name="guidance">
-               <link rel="related" href="#ir-7">IR-7</link>
-            </part>
-            <part id="ir-6.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to assist in the
-                  reporting of security incidents.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident reporting</p>
-                  <p>automated mechanisms supporting incident reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident reporting responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incident reporting</p>
-                  <p>automated mechanisms supporting and/or implementing reporting of security
-                     incidents</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-7">
-         <title>Incident Response Assistance</title>
-         <prop name="label">IR-7</prop>
-         <prop name="sort-id">ir-07</prop>
-         <part id="ir-7_smt" name="statement">
-            <p>The organization provides an incident response support resource, integral to the
-               organizational incident response capability that offers advice and assistance to
-               users of the information system for the handling and reporting of security
-               incidents.</p>
-         </part>
-         <part id="ir-7_gdn" name="guidance">
-            <p>Incident response support resources provided by organizations include, for example,
-               help desks, assistance groups, and access to forensics services, when required.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ir-7_obj" name="objective">
-            <p>Determine if the organization provides an incident response support resource:</p>
-            <part id="ir-7_obj.1" name="objective">
-               <prop name="label">IR-7[1]</prop>
-               <p>that is integral to the organizational incident response capability; and</p>
-            </part>
-            <part id="ir-7_obj.2" name="objective">
-               <prop name="label">IR-7[2]</prop>
-               <p>that offers advice and assistance to users of the information system for the
-                  handling and reporting of security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response assistance</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response assistance and support
-                  responsibilities</p>
-               <p>organizational personnel with access to incident response support and assistance
-                  capability</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident response assistance</p>
-               <p>automated mechanisms supporting and/or implementing incident response
-                  assistance</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-7.1">
-            <title>Automation Support for Availability of Information / Support</title>
-            <prop name="label">IR-7(1)</prop>
-            <prop name="sort-id">ir-07.01</prop>
-            <part id="ir-7.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to increase the availability of
-                  incident response-related information and support.</p>
-            </part>
-            <part id="ir-7.1_gdn" name="guidance">
-               <p>Automated mechanisms can provide a push and/or pull capability for users to obtain
-                  incident response assistance. For example, individuals might have access to a
-                  website to query the assistance capability, or conversely, the assistance
-                  capability may have the ability to proactively send information to users (general
-                  distribution or targeted) as part of increasing understanding of current response
-                  capabilities and support.</p>
-            </part>
-            <part id="ir-7.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to increase the
-                  availability of incident response-related information and support.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response assistance</p>
-                  <p>automated mechanisms supporting incident response support and assistance</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response support and assistance
-                     responsibilities</p>
-                  <p>organizational personnel with access to incident response support and
-                     assistance capability</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incident response assistance</p>
-                  <p>automated mechanisms supporting and/or implementing an increase in the
-                     availability of incident response information and support</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-7.2">
-            <title>Coordination with External Providers</title>
-            <prop name="label">IR-7(2)</prop>
-            <prop name="sort-id">ir-07.02</prop>
-            <part id="ir-7.2_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ir-7.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Establishes a direct, cooperative relationship between its incident response
-                     capability and external providers of information system protection capability;
-                     and</p>
-               </part>
-               <part id="ir-7.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Identifies organizational incident response team members to the external
-                     providers.</p>
-               </part>
-            </part>
-            <part id="ir-7.2_gdn" name="guidance">
-               <p>External providers of information system protection capability include, for
-                  example, the Computer Network Defense program within the U.S. Department of
-                  Defense. External providers help to protect, monitor, analyze, detect, and respond
-                  to unauthorized activity within organizational information systems and
-                  networks.</p>
-            </part>
-            <part id="ir-7.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-7.2.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-7(2)(a)</prop>
-                  <p>establishes a direct, cooperative relationship between its incident response
-                     capability and external providers of information system protection capability;
-                     and</p>
-                  <link rel="corresp" href="#ir-7.2_smt.a">IR-7(2)(a)</link>
-               </part>
-               <part id="ir-7.2.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-7(2)(b)</prop>
-                  <p>identifies organizational incident response team members to the external
-                     providers.</p>
-                  <link rel="corresp" href="#ir-7.2_smt.b">IR-7(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response assistance</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response support and assistance
-                     responsibilities</p>
-                  <p>external providers of information system protection capability</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-8">
-         <title>Incident Response Plan</title>
-         <param id="ir-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-8_prm_2">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-            <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-         </param>
-         <param id="ir-8_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ir-8_prm_4">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-            <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">IR-8</prop>
-         <prop name="sort-id">ir-08</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops an incident response plan that:</p>
-               <part id="ir-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Meets the unique requirements of the organization, which relate to mission,
-                     size, structure, and functions;</p>
-               </part>
-               <part id="ir-8_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Defines reportable incidents;</p>
-               </part>
-               <part id="ir-8_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability; and</p>
-               </part>
-               <part id="ir-8_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Is reviewed and approved by <insert param-id="ir-8_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="ir-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the incident response plan to <insert param-id="ir-8_prm_2"/>;</p>
-            </part>
-            <part id="ir-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the incident response plan <insert param-id="ir-8_prm_3"/>;</p>
-            </part>
-            <part id="ir-8_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan implementation, execution, or testing;</p>
-            </part>
-            <part id="ir-8_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Communicates incident response plan changes to <insert param-id="ir-8_prm_4"/>;
-                  and</p>
-            </part>
-            <part id="ir-8_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-8_gdn" name="guidance">
-            <p>It is important that organizations develop and implement a coordinated approach to
-               incident response. Organizational missions, business functions, strategies, goals,
-               and objectives for incident response help to determine the structure of incident
-               response capabilities. As part of a comprehensive incident response capability,
-               organizations consider the coordination and sharing of information with external
-               organizations, including, for example, external service providers and organizations
-               involved in the supply chain for organizational information systems.</p>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-         </part>
-         <part id="ir-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-8.a_obj" name="objective">
-               <prop name="label">IR-8(a)</prop>
-               <p>develops an incident response plan that:</p>
-               <part id="ir-8.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(1)</prop>
-                  <p>provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(2)</prop>
-                  <p>describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(3)</prop>
-                  <p>provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(4)</prop>
-                  <p>meets the unique requirements of the organization, which relate to:</p>
-                  <part id="ir-8.a.4_obj.1" name="objective">
-                     <prop name="label">IR-8(a)(4)[1]</prop>
-                     <p>mission;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.2" name="objective">
-                     <prop name="label">IR-8(a)(4)[2]</prop>
-                     <p>size;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.3" name="objective">
-                     <prop name="label">IR-8(a)(4)[3]</prop>
-                     <p>structure;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.4" name="objective">
-                     <prop name="label">IR-8(a)(4)[4]</prop>
-                     <p>functions;</p>
-                  </part>
-               </part>
-               <part id="ir-8.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(5)</prop>
-                  <p>defines reportable incidents;</p>
-               </part>
-               <part id="ir-8.a.6_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(a)(6)</prop>
-                  <p>provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8.a.7_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(a)(7)</prop>
-                  <p>defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability;</p>
-               </part>
-               <part id="ir-8.a.8_obj" name="objective">
-                  <prop name="label">IR-8(a)(8)</prop>
-                  <part id="ir-8.a.8_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(a)(8)[1]</prop>
-                     <p>defines personnel or roles to review and approve the incident response
-                        plan;</p>
-                  </part>
-                  <part id="ir-8.a.8_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">IR-8(a)(8)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-8.b_obj" name="objective">
-               <prop name="label">IR-8(b)</prop>
-               <part id="ir-8.b_obj.1" name="objective">
-                  <prop name="label">IR-8(b)[1]</prop>
-                  <part id="ir-8.b_obj.1.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(b)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom copies of the incident response plan are to be distributed;</p>
-                  </part>
-                  <part id="ir-8.b_obj.1.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(b)[1][b]</prop>
-                     <p>defines organizational elements to whom copies of the incident response plan
-                        are to be distributed;</p>
-                  </part>
-               </part>
-               <part id="ir-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(b)[2]</prop>
-                  <p>distributes copies of the incident response plan to organization-defined
-                     incident response personnel (identified by name and/or by role) and
-                     organizational elements;</p>
-               </part>
-            </part>
-            <part id="ir-8.c_obj" name="objective">
-               <prop name="label">IR-8(c)</prop>
-               <part id="ir-8.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-8(c)[1]</prop>
-                  <p>defines the frequency to review the incident response plan;</p>
-               </part>
-               <part id="ir-8.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-8(c)[2]</prop>
-                  <p>reviews the incident response plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ir-8.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-8(d)</prop>
-               <p>updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan:</p>
-               <part id="ir-8.d_obj.1" name="objective">
-                  <prop name="label">IR-8(d)[1]</prop>
-                  <p>implementation;</p>
-               </part>
-               <part id="ir-8.d_obj.2" name="objective">
-                  <prop name="label">IR-8(d)[2]</prop>
-                  <p>execution; or</p>
-               </part>
-               <part id="ir-8.d_obj.3" name="objective">
-                  <prop name="label">IR-8(d)[3]</prop>
-                  <p>testing;</p>
-               </part>
-            </part>
-            <part id="ir-8.e_obj" name="objective">
-               <prop name="label">IR-8(e)</prop>
-               <part id="ir-8.e_obj.1" name="objective">
-                  <prop name="label">IR-8(e)[1]</prop>
-                  <part id="ir-8.e_obj.1.a" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">IR-8(e)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom incident response plan changes are to be communicated;</p>
-                  </part>
-                  <part id="ir-8.e_obj.1.b" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">IR-8(e)[1][b]</prop>
-                     <p>defines organizational elements to whom incident response plan changes are
-                        to be communicated;</p>
-                  </part>
-               </part>
-               <part id="ir-8.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-8(e)[2]</prop>
-                  <p>communicates incident response plan changes to organization-defined incident
-                     response personnel (identified by name and/or by role) and organizational
-                     elements; and</p>
-               </part>
-            </part>
-            <part id="ir-8.f_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-8(f)</prop>
-               <p>protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response planning</p>
-               <p>incident response plan</p>
-               <p>records of incident response plan reviews and approvals</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational incident response plan and related organizational processes</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-9">
-         <title>Information Spillage Response</title>
-         <param id="ir-9_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-9_prm_2">
-            <label>organization-defined actions</label>
-         </param>
-         <prop name="label">IR-9</prop>
-         <prop name="sort-id">ir-09</prop>
-         <part id="ir-9_smt" name="statement">
-            <p>The organization responds to information spills by:</p>
-            <part id="ir-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifying the specific information involved in the information system
-                  contamination;</p>
-            </part>
-            <part id="ir-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Alerting <insert param-id="ir-9_prm_1"/> of the information spill using a method
-                  of communication not associated with the spill;</p>
-            </part>
-            <part id="ir-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Isolating the contaminated information system or system component;</p>
-            </part>
-            <part id="ir-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Eradicating the information from the contaminated information system or
-                  component;</p>
-            </part>
-            <part id="ir-9_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Identifying other information systems or system components that may have been
-                  subsequently contaminated; and</p>
-            </part>
-            <part id="ir-9_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Performing other <insert param-id="ir-9_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="ir-9_gdn" name="guidance">
-            <p>Information spillage refers to instances where either classified or sensitive
-               information is inadvertently placed on information systems that are not authorized to
-               process such information. Such information spills often occur when information that
-               is initially thought to be of lower sensitivity is transmitted to an information
-               system and then is subsequently determined to be of higher sensitivity. At that
-               point, corrective action is required. The nature of the organizational response is
-               generally based upon the degree of sensitivity of the spilled information (e.g.,
-               security category or classification level), the security capabilities of the
-               information system, the specific nature of contaminated storage media, and the access
-               authorizations (e.g., security clearances) of individuals with authorized access to
-               the contaminated system. The methods used to communicate information about the spill
-               after the fact do not involve methods directly associated with the actual spill to
-               minimize the risk of further spreading the contamination before such contamination is
-               isolated and eradicated.</p>
-         </part>
-         <part id="ir-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-9.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-9(a)</prop>
-               <p>responds to information spills by identifying the specific information causing the
-                  information system contamination;</p>
-            </part>
-            <part id="ir-9.b_obj" name="objective">
-               <prop name="label">IR-9(b)</prop>
-               <part id="ir-9.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(b)[1]</prop>
-                  <p>defines personnel to be alerted of the information spillage;</p>
-               </part>
-               <part id="ir-9.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-9(b)[2]</prop>
-                  <p>identifies a method of communication not associated with the information spill
-                     to use to alert organization-defined personnel of the spill;</p>
-               </part>
-               <part id="ir-9.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-9(b)[3]</prop>
-                  <p>responds to information spills by alerting organization-defined personnel of
-                     the information spill using a method of communication not associated with the
-                     spill;</p>
-               </part>
-            </part>
-            <part id="ir-9.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-9(c)</prop>
-               <p>responds to information spills by isolating the contaminated information
-                  system;</p>
-            </part>
-            <part id="ir-9.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-9(d)</prop>
-               <p>responds to information spills by eradicating the information from the
-                  contaminated information system;</p>
-            </part>
-            <part id="ir-9.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">IR-9(e)</prop>
-               <p>responds to information spills by identifying other information systems that may
-                  have been subsequently contaminated;</p>
-            </part>
-            <part id="ir-9.f_obj" name="objective">
-               <prop name="label">IR-9(f)</prop>
-               <part id="ir-9.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(f)[1]</prop>
-                  <p>defines other actions to be performed in response to information spills;
-                     and</p>
-               </part>
-               <part id="ir-9.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-9(f)[2]</prop>
-                  <p>responds to information spills by performing other organization-defined
-                     actions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing information spillage</p>
-               <p>incident response plan</p>
-               <p>records of information spillage alerts/notifications, list of personnel who should
-                  receive alerts of information spillage</p>
-               <p>list of actions to be performed regarding information spillage</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information spillage response</p>
-               <p>automated mechanisms supporting and/or implementing information spillage response
-                  actions and related communications</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-9.1">
-            <title>Responsible Personnel</title>
-            <param id="ir-9.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IR-9(1)</prop>
-            <prop name="sort-id">ir-09.01</prop>
-            <part id="ir-9.1_smt" name="statement">
-               <p>The organization assigns <insert param-id="ir-9.1_prm_1"/> with responsibility for
-                  responding to information spills.</p>
-            </part>
-            <part id="ir-9.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-9.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(1)[1]</prop>
-                  <p>defines personnel with responsibility for responding to information spills;
-                     and</p>
-               </part>
-               <part id="ir-9.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-9(1)[2]</prop>
-                  <p>assigns organization-defined personnel with responsibility for responding to
-                     information spills.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>list of personnel responsible for responding to information spillage</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.2">
-            <title>Training</title>
-            <param id="ir-9.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">IR-9(2)</prop>
-            <prop name="sort-id">ir-09.02</prop>
-            <part id="ir-9.2_smt" name="statement">
-               <p>The organization provides information spillage response training <insert param-id="ir-9.2_prm_1"/>.</p>
-            </part>
-            <part id="ir-9.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(2)[1]</prop>
-                  <p>defines the frequency to provide information spillage response training;
-                     and</p>
-               </part>
-               <part id="ir-9.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">IR-9(2)[2]</prop>
-                  <p>provides information spillage response training with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing information spillage response training</p>
-                  <p>information spillage response training curriculum</p>
-                  <p>information spillage response training materials</p>
-                  <p>incident response plan</p>
-                  <p>information spillage response training records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response training responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.3">
-            <title>Post-spill Operations</title>
-            <param id="ir-9.3_prm_1">
-               <label>organization-defined procedures</label>
-            </param>
-            <prop name="label">IR-9(3)</prop>
-            <prop name="sort-id">ir-09.03</prop>
-            <part id="ir-9.3_smt" name="statement">
-               <p>The organization implements <insert param-id="ir-9.3_prm_1"/> to ensure that
-                  organizational personnel impacted by information spills can continue to carry out
-                  assigned tasks while contaminated systems are undergoing corrective actions.</p>
-            </part>
-            <part id="ir-9.3_gdn" name="guidance">
-               <p>Correction actions for information systems contaminated due to information
-                  spillages may be very time-consuming. During those periods, personnel may not have
-                  access to the contaminated systems, which may potentially affect their ability to
-                  conduct organizational business.</p>
-            </part>
-            <part id="ir-9.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(3)[1]</prop>
-                  <p>defines procedures that ensure organizational personnel impacted by information
-                     spills can continue to carry out assigned tasks while contaminated systems are
-                     undergoing corrective actions; and</p>
-               </part>
-               <part id="ir-9.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-9(3)[2]</prop>
-                  <p>implements organization-defined procedures to ensure that organizational
-                     personnel impacted by information spills can continue to carry out assigned
-                     tasks while contaminated systems are undergoing corrective actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for post-spill operations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.4">
-            <title>Exposure to Unauthorized Personnel</title>
-            <param id="ir-9.4_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">IR-9(4)</prop>
-            <prop name="sort-id">ir-09.04</prop>
-            <part id="ir-9.4_smt" name="statement">
-               <p>The organization employs <insert param-id="ir-9.4_prm_1"/> for personnel exposed
-                  to information not within assigned access authorizations.</p>
-            </part>
-            <part id="ir-9.4_gdn" name="guidance">
-               <p>Security safeguards include, for example, making personnel exposed to spilled
-                  information aware of the federal laws, directives, policies, and/or regulations
-                  regarding the information and the restrictions imposed based on exposure to such
-                  information.</p>
-            </part>
-            <part id="ir-9.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">IR-9(4)[1]</prop>
-                  <p>defines security safeguards to be employed for personnel exposed to information
-                     not within assigned access authorizations; and</p>
-               </part>
-               <part id="ir-9.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">IR-9(4)[2]</prop>
-                  <p>employs organization-defined security safeguards for personnel exposed to
-                     information not within assigned access authorizations.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>security safeguards regarding information spillage/exposure to unauthorized
-                     personnel</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for dealing with information exposed to unauthorized
-                     personnel</p>
-                  <p>automated mechanisms supporting and/or implementing safeguards for personnel
-                     exposed to information not within assigned access authorizations</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ma">
-      <title>Maintenance</title>
-      <control class="SP800-53" id="ma-1">
-         <title>System Maintenance Policy and Procedures</title>
-         <param id="ma-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ma-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MA-1</prop>
-         <prop name="sort-id">ma-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ma-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ma-1_prm_1"/>:</p>
-               <part id="ma-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system maintenance policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ma-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system maintenance policy
-                     and associated system maintenance controls; and</p>
-               </part>
-            </part>
-            <part id="ma-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ma-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System maintenance policy <insert param-id="ma-1_prm_2"/>; and</p>
-               </part>
-               <part id="ma-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System maintenance procedures <insert param-id="ma-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ma-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ma-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-1.a_obj" name="objective">
-               <prop name="label">MA-1(a)</prop>
-               <part id="ma-1.a.1_obj" name="objective">
-                  <prop name="label">MA-1(a)(1)</prop>
-                  <part id="ma-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system maintenance policy that addresses:</p>
-                     <part id="ma-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ma-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system maintenance policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MA-1(a)(1)[3]</prop>
-                     <p>disseminates the system maintenance policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ma-1.a.2_obj" name="objective">
-                  <prop name="label">MA-1(a)(2)</prop>
-                  <part id="ma-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        maintenance policy and associated system maintenance controls;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-1.b_obj" name="objective">
-               <prop name="label">MA-1(b)</prop>
-               <part id="ma-1.b.1_obj" name="objective">
-                  <prop name="label">MA-1(b)(1)</prop>
-                  <part id="ma-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        policy;</p>
-                  </part>
-                  <part id="ma-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system maintenance policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ma-1.b.2_obj" name="objective">
-                  <prop name="label">MA-1(b)(2)</prop>
-                  <part id="ma-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        procedures; and</p>
-                  </part>
-                  <part id="ma-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system maintenance procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Maintenance policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-2">
-         <title>Controlled Maintenance</title>
-         <param id="ma-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-2_prm_2">
-            <label>organization-defined maintenance-related information</label>
-         </param>
-         <prop name="label">MA-2</prop>
-         <prop name="sort-id">ma-02</prop>
-         <part id="ma-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Schedules, performs, documents, and reviews records of maintenance and repairs on
-                  information system components in accordance with manufacturer or vendor
-                  specifications and/or organizational requirements;</p>
-            </part>
-            <part id="ma-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Approves and monitors all maintenance activities, whether performed on site or
-                  remotely and whether the equipment is serviced on site or removed to another
-                  location;</p>
-            </part>
-            <part id="ma-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Requires that <insert param-id="ma-2_prm_1"/> explicitly approve the removal of
-                  the information system or system components from organizational facilities for
-                  off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions; and</p>
-            </part>
-            <part id="ma-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Includes <insert param-id="ma-2_prm_2"/> in organizational maintenance
-                  records.</p>
-            </part>
-         </part>
-         <part id="ma-2_gdn" name="guidance">
-            <p>This control addresses the information security aspects of the information system
-               maintenance program and applies to all types of maintenance to any system component
-               (including applications) conducted by any local or nonlocal entity (e.g.,
-               in-contract, warranty, in-house, software maintenance agreement). System maintenance
-               also includes those components not directly associated with information processing
-               and/or data/information retention such as scanners, copiers, and printers.
-               Information necessary for creating effective maintenance records includes, for
-               example: (i) date and time of maintenance; (ii) name of individuals or group
-               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-               the maintenance performed; and (v) information system components/equipment removed or
-               replaced (including identification numbers, if applicable). The level of detail
-               included in maintenance records can be informed by the security categories of
-               organizational information systems. Organizations consider supply chain issues
-               associated with replacement components for information systems.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ma-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-2.a_obj" name="objective">
-               <prop name="label">MA-2(a)</prop>
-               <part id="ma-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(a)[1]</prop>
-                  <p>schedules maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.1.a" name="objective">
-                     <prop name="label">MA-2(a)[1][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.1.b" name="objective">
-                     <prop name="label">MA-2(a)[1][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(a)[2]</prop>
-                  <p>performs maintenance and repairs on information system components in accordance
-                     with:</p>
-                  <part id="ma-2.a_obj.2.a" name="objective">
-                     <prop name="label">MA-2(a)[2][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.2.b" name="objective">
-                     <prop name="label">MA-2(a)[2][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(a)[3]</prop>
-                  <p>documents maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.3.a" name="objective">
-                     <prop name="label">MA-2(a)[3][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.3.b" name="objective">
-                     <prop name="label">MA-2(a)[3][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(a)[4]</prop>
-                  <p>reviews records of maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.4.a" name="objective">
-                     <prop name="label">MA-2(a)[4][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.4.b" name="objective">
-                     <prop name="label">MA-2(a)[4][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-2.b_obj" name="objective">
-               <prop name="label">MA-2(b)</prop>
-               <part id="ma-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-2(b)[1]</prop>
-                  <p>approves all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-               <part id="ma-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-2(b)[2]</prop>
-                  <p>monitors all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-            </part>
-            <part id="ma-2.c_obj" name="objective">
-               <prop name="label">MA-2(c)</prop>
-               <part id="ma-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(c)[1]</prop>
-                  <p>defines personnel or roles required to explicitly approve the removal of the
-                     information system or system components from organizational facilities for
-                     off-site maintenance or repairs;</p>
-               </part>
-               <part id="ma-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(c)[2]</prop>
-                  <p>requires that organization-defined personnel or roles explicitly approve the
-                     removal of the information system or system components from organizational
-                     facilities for off-site maintenance or repairs;</p>
-               </part>
-            </part>
-            <part id="ma-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-2(d)</prop>
-               <p>sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-2(e)</prop>
-               <p>checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions;</p>
-            </part>
-            <part id="ma-2.f_obj" name="objective">
-               <prop name="label">MA-2(f)</prop>
-               <part id="ma-2.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(f)[1]</prop>
-                  <p>defines maintenance-related information to be included in organizational
-                     maintenance records; and</p>
-               </part>
-               <part id="ma-2.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-2(f)[2]</prop>
-                  <p>includes organization-defined maintenance-related information in organizational
-                     maintenance records.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing controlled information system maintenance</p>
-               <p>maintenance records</p>
-               <p>manufacturer/vendor maintenance specifications</p>
-               <p>equipment sanitization records</p>
-               <p>media sanitization records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel responsible for media sanitization</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for scheduling, performing, documenting, reviewing,
-                  approving, and monitoring maintenance and repairs for the information system</p>
-               <p>organizational processes for sanitizing information system components</p>
-               <p>automated mechanisms supporting and/or implementing controlled maintenance</p>
-               <p>automated mechanisms implementing sanitization of information system
-                  components</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-3">
-         <title>Maintenance Tools</title>
-         <prop name="label">MA-3</prop>
-         <prop name="sort-id">ma-03</prop>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <part id="ma-3_smt" name="statement">
-            <p>The organization approves, controls, and monitors information system maintenance
-               tools.</p>
-         </part>
-         <part id="ma-3_gdn" name="guidance">
-            <p>This control addresses security-related issues associated with maintenance tools used
-               specifically for diagnostic and repair actions on organizational information systems.
-               Maintenance tools can include hardware, software, and firmware items. Maintenance
-               tools are potential vehicles for transporting malicious code, either intentionally or
-               unintentionally, into a facility and subsequently into organizational information
-               systems. Maintenance tools can include, for example, hardware/software diagnostic
-               test equipment and hardware/software packet sniffers. This control does not cover
-               hardware/software components that may support information system maintenance, yet are
-               a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,
-               or the hardware and software implementing the monitoring port of an Ethernet
-               switch.</p>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="ma-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-3_obj.1" name="objective">
-               <prop name="label">MA-3[1]</prop>
-               <p>approves information system maintenance tools;</p>
-            </part>
-            <part id="ma-3_obj.2" name="objective">
-               <prop name="label">MA-3[2]</prop>
-               <p>controls information system maintenance tools; and</p>
-            </part>
-            <part id="ma-3_obj.3" name="objective">
-               <prop name="label">MA-3[3]</prop>
-               <p>monitors information system maintenance tools.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing information system maintenance tools</p>
-               <p>information system maintenance tools and associated documentation</p>
-               <p>maintenance records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for approving, controlling, and monitoring maintenance
-                  tools</p>
-               <p>automated mechanisms supporting and/or implementing approval, control, and/or
-                  monitoring of maintenance tools</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-3.1">
-            <title>Inspect Tools</title>
-            <prop name="label">MA-3(1)</prop>
-            <prop name="sort-id">ma-03.01</prop>
-            <part id="ma-3.1_smt" name="statement">
-               <p>The organization inspects the maintenance tools carried into a facility by
-                  maintenance personnel for improper or unauthorized modifications.</p>
-            </part>
-            <part id="ma-3.1_gdn" name="guidance">
-               <p>If, upon inspection of maintenance tools, organizations determine that the tools
-                  have been modified in an improper/unauthorized manner or contain malicious code,
-                  the incident is handled consistent with organizational policies and procedures for
-                  incident handling.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ma-3.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization inspects the maintenance tools carried into a
-                  facility by maintenance personnel for improper or unauthorized modifications. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance tool inspection records</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for inspecting maintenance tools</p>
-                  <p>automated mechanisms supporting and/or implementing inspection of maintenance
-                     tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.2">
-            <title>Inspect Media</title>
-            <prop name="label">MA-3(2)</prop>
-            <prop name="sort-id">ma-03.02</prop>
-            <part id="ma-3.2_smt" name="statement">
-               <p>The organization checks media containing diagnostic and test programs for
-                  malicious code before the media are used in the information system.</p>
-            </part>
-            <part id="ma-3.2_gdn" name="guidance">
-               <p>If, upon inspection of media containing maintenance diagnostic and test programs,
-                  organizations determine that the media contain malicious code, the incident is
-                  handled consistent with organizational incident handling policies and
-                  procedures.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="ma-3.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization checks media containing diagnostic and test programs
-                  for malicious code before the media are used in the information system. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for inspecting media for malicious code</p>
-                  <p>automated mechanisms supporting and/or implementing inspection of media used
-                     for maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.3">
-            <title>Prevent Unauthorized Removal</title>
-            <param id="ma-3.3_prm_1">
-               <label>organization-defined personnel or roles</label>
-               <constraint>the information owner explicitly authorizing removal of the equipment from the facility</constraint>
-            </param>
-            <prop name="label">MA-3(3)</prop>
-            <prop name="sort-id">ma-03.03</prop>
-            <part id="ma-3.3_smt" name="statement">
-               <p>The organization prevents the unauthorized removal of maintenance equipment
-                  containing organizational information by:</p>
-               <part id="ma-3.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Verifying that there is no organizational information contained on the
-                     equipment;</p>
-               </part>
-               <part id="ma-3.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Sanitizing or destroying the equipment;</p>
-               </part>
-               <part id="ma-3.3_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Retaining the equipment within the facility; or</p>
-               </part>
-               <part id="ma-3.3_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Obtaining an exemption from <insert param-id="ma-3.3_prm_1"/> explicitly
-                     authorizing removal of the equipment from the facility.</p>
-               </part>
-            </part>
-            <part id="ma-3.3_gdn" name="guidance">
-               <p>Organizational information includes all information specifically owned by
-                  organizations and information provided to organizations in which organizations
-                  serve as information stewards.</p>
-            </part>
-            <part id="ma-3.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization prevents the unauthorized removal of maintenance
-                  equipment containing organizational information by: </p>
-               <part id="ma-3.3.a_obj" name="objective">
-                  <prop name="label">MA-3(3)(a)</prop>
-                  <p>verifying that there is no organizational information contained on the
-                     equipment;</p>
-                  <link rel="corresp" href="#ma-3.3_smt.a">MA-3(3)(a)</link>
-               </part>
-               <part id="ma-3.3.b_obj" name="objective">
-                  <prop name="label">MA-3(3)(b)</prop>
-                  <p>sanitizing or destroying the equipment;</p>
-                  <link rel="corresp" href="#ma-3.3_smt.b">MA-3(3)(b)</link>
-               </part>
-               <part id="ma-3.3.c_obj" name="objective">
-                  <prop name="label">MA-3(3)(c)</prop>
-                  <p>retaining the equipment within the facility; or</p>
-                  <link rel="corresp" href="#ma-3.3_smt.c">MA-3(3)(c)</link>
-               </part>
-               <part id="ma-3.3.d_obj" name="objective">
-                  <prop name="label">MA-3(3)(d)</prop>
-                  <part id="ma-3.3.d_obj.1" name="objective">
-                     <prop name="label">MA-3(3)(d)[1]</prop>
-                     <p>defining personnel or roles that can grant an exemption from explicitly
-                        authorizing removal of the equipment from the facility; and</p>
-                  </part>
-                  <part id="ma-3.3.d_obj.2" name="objective">
-                     <prop name="label">MA-3(3)(d)[2]</prop>
-                     <p>obtaining an exemption from organization-defined personnel or roles
-                        explicitly authorizing removal of the equipment from the facility.</p>
-                  </part>
-                  <link rel="corresp" href="#ma-3.3_smt.d">MA-3(3)(d)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>equipment sanitization records</p>
-                  <p>media sanitization records</p>
-                  <p>exemptions for equipment removal</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsible for media sanitization</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for preventing unauthorized removal of information</p>
-                  <p>automated mechanisms supporting media sanitization or destruction of
-                     equipment</p>
-                  <p>automated mechanisms supporting verification of media sanitization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-4">
-         <title>Nonlocal Maintenance</title>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MA-4</prop>
-         <prop name="sort-id">ma-04</prop>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#f2dbd4ec-c413-4714-b85b-6b7184d1c195" rel="reference">FIPS Publication 197</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a4aa9645-9a8a-4b51-90a9-e223250f9a75" rel="reference">CNSS Policy 15</link>
-         <part id="ma-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Approves and monitors nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                  with organizational policy and documented in the security plan for the information
-                  system;</p>
-            </part>
-            <part id="ma-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Maintains records for nonlocal maintenance and diagnostic activities; and</p>
-            </part>
-            <part id="ma-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Terminates session and network connections when nonlocal maintenance is
-                  completed.</p>
-            </part>
-         </part>
-         <part id="ma-4_gdn" name="guidance">
-            <p>Nonlocal maintenance and diagnostic activities are those activities conducted by
-               individuals communicating through a network, either an external network (e.g., the
-               Internet) or an internal network. Local maintenance and diagnostic activities are
-               those activities carried out by individuals physically present at the information
-               system or information system component and not communicating across a network
-               connection. Authentication techniques used in the establishment of nonlocal
-               maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-               Typically, strong authentication requires authenticators that are resistant to replay
-               attacks and employ multifactor authentication. Strong authenticators include, for
-               example, PKI where certificates are stored on a token protected by a password,
-               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-               other controls.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="ma-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-4.a_obj" name="objective">
-               <prop name="label">MA-4(a)</prop>
-               <part id="ma-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-4(a)[1]</prop>
-                  <p>approves nonlocal maintenance and diagnostic activities;</p>
-               </part>
-               <part id="ma-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(a)[2]</prop>
-                  <p>monitors nonlocal maintenance and diagnostic activities;</p>
-               </part>
-            </part>
-            <part id="ma-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-4(b)</prop>
-               <p>allows the use of nonlocal maintenance and diagnostic tools only:</p>
-               <part id="ma-4.b_obj.1" name="objective">
-                  <prop name="label">MA-4(b)[1]</prop>
-                  <p>as consistent with organizational policy;</p>
-               </part>
-               <part id="ma-4.b_obj.2" name="objective">
-                  <prop name="label">MA-4(b)[2]</prop>
-                  <p>as documented in the security plan for the information system;</p>
-               </part>
-            </part>
-            <part id="ma-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-4(c)</prop>
-               <p>employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-4(d)</prop>
-               <p>maintains records for nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4.e_obj" name="objective">
-               <prop name="label">MA-4(e)</prop>
-               <part id="ma-4.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(e)[1]</prop>
-                  <p>terminates sessions when nonlocal maintenance or diagnostics is completed;
-                     and</p>
-               </part>
-               <part id="ma-4.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-4(e)[2]</prop>
-                  <p>terminates network connections when nonlocal maintenance or diagnostics is
-                     completed.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing nonlocal information system maintenance</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>maintenance records</p>
-               <p>diagnostic records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing nonlocal maintenance</p>
-               <p>automated mechanisms implementing, supporting, and/or managing nonlocal
-                  maintenance</p>
-               <p>automated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                  sessions</p>
-               <p>automated mechanisms for terminating nonlocal maintenance sessions and network
-                  connections</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-4.2">
-            <title>Document Nonlocal Maintenance</title>
-            <prop name="label">MA-4(2)</prop>
-            <prop name="sort-id">ma-04.02</prop>
-            <part id="ma-4.2_smt" name="statement">
-               <p>The organization documents in the security plan for the information system, the
-                  policies and procedures for the establishment and use of nonlocal maintenance and
-                  diagnostic connections.</p>
-            </part>
-            <part id="ma-4.2_obj" name="objective">
-               <p>Determine if the organization documents in the security plan for the information
-                  system: </p>
-               <part id="ma-4.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-4(2)[1]</prop>
-                  <p>the policies for the establishment and use of nonlocal maintenance and
-                     diagnostic connections; and</p>
-               </part>
-               <part id="ma-4.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">MA-4(2)[2]</prop>
-                  <p>the procedures for the establishment and use of nonlocal maintenance and
-                     diagnostic connections.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing non-local information system maintenance</p>
-                  <p>security plan</p>
-                  <p>maintenance records</p>
-                  <p>diagnostic records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-5">
-         <title>Maintenance Personnel</title>
-         <prop name="label">MA-5</prop>
-         <prop name="sort-id">ma-05</prop>
-         <part id="ma-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes a process for maintenance personnel authorization and maintains a list
-                  of authorized maintenance organizations or personnel;</p>
-            </part>
-            <part id="ma-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part id="ma-5_gdn" name="guidance">
-            <p>This control applies to individuals performing hardware or software maintenance on
-               organizational information systems, while PE-2 addresses physical access for
-               individuals whose maintenance duties place them within the physical protection
-               perimeter of the systems (e.g., custodial staff, physical plant maintenance
-               personnel). Technical competence of supervising individuals relates to the
-               maintenance performed on the information systems while having required access
-               authorizations refers to maintenance on and near the systems. Individuals not
-               previously identified as authorized maintenance personnel, such as information
-               technology manufacturers, vendors, systems integrators, and consultants, may require
-               privileged access to organizational information systems, for example, when required
-               to conduct maintenance activities with little or no notice. Based on organizational
-               assessments of risk, organizations may issue temporary credentials to these
-               individuals. Temporary credentials may be for one-time use or for very limited time
-               periods.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="ma-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-5.a_obj" name="objective">
-               <prop name="label">MA-5(a)</prop>
-               <part id="ma-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-5(a)[1]</prop>
-                  <p>establishes a process for maintenance personnel authorization;</p>
-               </part>
-               <part id="ma-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MA-5(a)[2]</prop>
-                  <p>maintains a list of authorized maintenance organizations or personnel;</p>
-               </part>
-            </part>
-            <part id="ma-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MA-5(b)</prop>
-               <p>ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MA-5(c)</prop>
-               <p>designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing maintenance personnel</p>
-               <p>service provider contracts</p>
-               <p>service-level agreements</p>
-               <p>list of authorized personnel</p>
-               <p>maintenance records</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for authorizing and managing maintenance personnel</p>
-               <p>automated mechanisms supporting and/or implementing authorization of maintenance
-                  personnel</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-5.1">
-            <title>Individuals Without Appropriate Access</title>
-            <prop name="label">MA-5(1)</prop>
-            <prop name="sort-id">ma-05.01</prop>
-            <part id="ma-5.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Implements procedures for the use of maintenance personnel that lack
-                     appropriate security clearances or are not U.S. citizens, that include the
-                     following requirements:</p>
-                  <part id="ma-5.1_smt.a.1" name="item">
-                     <prop name="label">(1)</prop>
-                     <p>Maintenance personnel who do not have needed access authorizations,
-                        clearances, or formal access approvals are escorted and supervised during
-                        the performance of maintenance and diagnostic activities on the information
-                        system by approved organizational personnel who are fully cleared, have
-                        appropriate access authorizations, and are technically qualified;</p>
-                  </part>
-                  <part id="ma-5.1_smt.a.2" name="item">
-                     <prop name="label">(2)</prop>
-                     <p>Prior to initiating maintenance or diagnostic activities by personnel who do
-                        not have needed access authorizations, clearances or formal access
-                        approvals, all volatile information storage components within the
-                        information system are sanitized and all nonvolatile storage media are
-                        removed or physically disconnected from the system and secured; and</p>
-                  </part>
-               </part>
-               <part id="ma-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Develops and implements alternate security safeguards in the event an
-                     information system component cannot be sanitized, removed, or disconnected from
-                     the system.</p>
-               </part>
-               <part id="ma-5.1_fr" name="item">
-                  <title>MA-5 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ma-5.1_fr_smt.b" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-5.1_gdn" name="guidance">
-               <p>This control enhancement denies individuals who lack appropriate security
-                  clearances (i.e., individuals who do not possess security clearances or possess
-                  security clearances at a lower level than required) or who are not U.S. citizens,
-                  visual and electronic access to any classified information, Controlled
-                  Unclassified Information (CUI), or any other sensitive information contained on
-                  organizational information systems. Procedures for the use of maintenance
-                  personnel can be documented in security plans for the information systems.</p>
-               <link rel="related" href="#mp-6">MP-6</link>
-               <link rel="related" href="#pl-2">PL-2</link>
-            </part>
-            <part id="ma-5.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-5.1.a_obj" name="objective">
-                  <prop name="label">MA-5(1)(a)</prop>
-                  <p>implements procedures for the use of maintenance personnel that lack
-                     appropriate security clearances or are not U.S. citizens, that include the
-                     following requirements:</p>
-                  <part id="ma-5.1.a.1_obj" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">MA-5(1)(a)(1)</prop>
-                     <p>maintenance personnel who do not have needed access authorizations,
-                        clearances, or formal access approvals are escorted and supervised during
-                        the performance of maintenance and diagnostic activities on the information
-                        system by approved organizational personnel who:</p>
-                     <part id="ma-5.1.a.1_obj.1" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[1]</prop>
-                        <p>are fully cleared;</p>
-                     </part>
-                     <part id="ma-5.1.a.1_obj.2" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[2]</prop>
-                        <p>have appropriate access authorizations;</p>
-                     </part>
-                     <part id="ma-5.1.a.1_obj.3" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[3]</prop>
-                        <p>are technically qualified;</p>
-                     </part>
-                     <link rel="corresp" href="#ma-5.1_smt.a.1">MA-5(1)(a)(1)</link>
-                  </part>
-                  <part id="ma-5.1.a.2_obj" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">MA-5(1)(a)(2)</prop>
-                     <p>prior to initiating maintenance or diagnostic activities by personnel who do
-                        not have needed access authorizations, clearances, or formal access
-                        approvals:</p>
-                     <part id="ma-5.1.a.2_obj.1" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[1]</prop>
-                        <p>all volatile information storage components within the information system
-                           are sanitized; and</p>
-                     </part>
-                     <part id="ma-5.1.a.2_obj.2" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[2]</prop>
-                        <p>all nonvolatile storage media are removed; or</p>
-                     </part>
-                     <part id="ma-5.1.a.2_obj.3" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[3]</prop>
-                        <p>all nonvolatile storage media are physically disconnected from the system
-                           and secured; and</p>
-                     </part>
-                     <link rel="corresp" href="#ma-5.1_smt.a.2">MA-5(1)(a)(2)</link>
-                  </part>
-                  <link rel="corresp" href="#ma-5.1_smt.a">MA-5(1)(a)</link>
-               </part>
-               <part id="ma-5.1.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MA-5(1)(b)</prop>
-                  <p>develops and implements alternative security safeguards in the event an
-                     information system component cannot be sanitized, removed, or disconnected from
-                     the system.</p>
-                  <link rel="corresp" href="#ma-5.1_smt.b">MA-5(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing maintenance personnel</p>
-                  <p>information system media protection policy</p>
-                  <p>physical and environmental protection policy</p>
-                  <p>security plan</p>
-                  <p>list of maintenance personnel requiring escort/supervision</p>
-                  <p>maintenance records</p>
-                  <p>access control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsible for media sanitization</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing maintenance personnel without appropriate
-                     access</p>
-                  <p>automated mechanisms supporting and/or implementing alternative security
-                     safeguards</p>
-                  <p>automated mechanisms supporting and/or implementing information storage
-                     component sanitization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-6">
-         <title>Timely Maintenance</title>
-         <param id="ma-6_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="ma-6_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">MA-6</prop>
-         <prop name="sort-id">ma-06</prop>
-         <part id="ma-6_smt" name="statement">
-            <p>The organization obtains maintenance support and/or spare parts for <insert param-id="ma-6_prm_1"/> within <insert param-id="ma-6_prm_2"/> of failure.</p>
-         </part>
-         <part id="ma-6_gdn" name="guidance">
-            <p>Organizations specify the information system components that result in increased risk
-               to organizational operations and assets, individuals, other organizations, or the
-               Nation when the functionality provided by those components is not operational.
-               Organizational actions to obtain maintenance support typically include having
-               appropriate contracts in place.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#sa-14">SA-14</link>
-            <link rel="related" href="#sa-15">SA-15</link>
-         </part>
-         <part id="ma-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-6_obj.1" name="objective">
-               <prop name="label">MA-6[1]</prop>
-               <p>defines information system components for which maintenance support and/or spare
-                  parts are to be obtained;</p>
-            </part>
-            <part id="ma-6_obj.2" name="objective">
-               <prop name="label">MA-6[2]</prop>
-               <p>defines the time period within which maintenance support and/or spare parts are to
-                  be obtained after a failure;</p>
-            </part>
-            <part id="ma-6_obj.3" name="objective">
-               <prop name="label">MA-6[3]</prop>
-               <part id="ma-6_obj.3.a" name="objective">
-                  <prop name="label">MA-6[3][a]</prop>
-                  <p>obtains maintenance support for organization-defined information system
-                     components within the organization-defined time period of failure; and/or</p>
-               </part>
-               <part id="ma-6_obj.3.b" name="objective">
-                  <prop name="label">MA-6[3][b]</prop>
-                  <p>obtains spare parts for organization-defined information system components
-                     within the organization-defined time period of failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing information system maintenance</p>
-               <p>service provider contracts</p>
-               <p>service-level agreements</p>
-               <p>inventory and availability of spare parts</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for ensuring timely maintenance</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="mp">
-      <title>Media Protection</title>
-      <control class="SP800-53" id="mp-1">
-         <title>Media Protection Policy and Procedures</title>
-         <param id="mp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="mp-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="mp-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">MP-1</prop>
-         <prop name="sort-id">mp-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="mp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="mp-1_prm_1"/>:</p>
-               <part id="mp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A media protection policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="mp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the media protection policy and
-                     associated media protection controls; and</p>
-               </part>
-            </part>
-            <part id="mp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="mp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Media protection policy <insert param-id="mp-1_prm_2"/>; and</p>
-               </part>
-               <part id="mp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Media protection procedures <insert param-id="mp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="mp-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="mp-1.a_obj" name="objective">
-               <prop name="label">MP-1(a)</prop>
-               <part id="mp-1.a.1_obj" name="objective">
-                  <prop name="label">MP-1(a)(1)</prop>
-                  <part id="mp-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(1)[1]</prop>
-                     <p>develops and documents a media protection policy that addresses:</p>
-                     <part id="mp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="mp-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the media protection policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MP-1(a)(1)[3]</prop>
-                     <p>disseminates the media protection policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="mp-1.a.2_obj" name="objective">
-                  <prop name="label">MP-1(a)(2)</prop>
-                  <part id="mp-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        media protection policy and associated media protection controls;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">MP-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="mp-1.b_obj" name="objective">
-               <prop name="label">MP-1(b)</prop>
-               <part id="mp-1.b.1_obj" name="objective">
-                  <prop name="label">MP-1(b)(1)</prop>
-                  <part id="mp-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        policy;</p>
-                  </part>
-                  <part id="mp-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current media protection policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="mp-1.b.2_obj" name="objective">
-                  <prop name="label">MP-1(b)(2)</prop>
-                  <part id="mp-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        procedures; and</p>
-                  </part>
-                  <part id="mp-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">MP-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current media protection procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Media protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media protection responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-2">
-         <title>Media Access</title>
-         <param id="mp-2_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-         </param>
-         <param id="mp-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">MP-2</prop>
-         <prop name="sort-id">mp-02</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-2_smt" name="statement">
-            <p>The organization restricts access to <insert param-id="mp-2_prm_1"/> to <insert param-id="mp-2_prm_2"/>.</p>
-         </part>
-         <part id="mp-2_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Restricting non-digital media access
-               includes, for example, denying access to patient medical records in a community
-               hospital unless the individuals seeking access to such records are authorized
-               healthcare providers. Restricting access to digital media includes, for example,
-               limiting access to design specifications stored on compact disks in the media library
-               to the project leader and the individuals on the development team.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="mp-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-2_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-2[1]</prop>
-               <p>defines types of digital and/or non-digital media requiring restricted access;</p>
-            </part>
-            <part id="mp-2_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-2[2]</prop>
-               <p>defines personnel or roles authorized to access organization-defined types of
-                  digital and/or non-digital media; and</p>
-            </part>
-            <part id="mp-2_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-2[3]</prop>
-               <p>restricts access to organization-defined types of digital and/or non-digital media
-                  to organization-defined personnel or roles.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media access restrictions</p>
-               <p>access control policy and procedures</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>media storage facilities</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for restricting information media</p>
-               <p>automated mechanisms supporting and/or implementing media access restrictions</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-3">
-         <title>Media Marking</title>
-         <param id="mp-3_prm_1">
-            <label>organization-defined types of information system media</label>
-            <constraint>no removable media types</constraint>
-         </param>
-         <param id="mp-3_prm_2">
-            <label>organization-defined controlled areas</label>
-         </param>
-         <prop name="label">MP-3</prop>
-         <prop name="sort-id">mp-03</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="mp-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Marks information system media indicating the distribution limitations, handling
-                  caveats, and applicable security markings (if any) of the information; and</p>
-            </part>
-            <part id="mp-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Exempts <insert param-id="mp-3_prm_1"/> from marking as long as the media remain
-                  within <insert param-id="mp-3_prm_2"/>.</p>
-            </part>
-            <part id="mp-3_fr" name="item">
-               <title>MP-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-3_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Second parameter not-applicable</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-3_gdn" name="guidance">
-            <p>The term security marking refers to the application/use of human-readable security
-               attributes. The term security labeling refers to the application/use of security
-               attributes with regard to internal data structures within information systems (see
-               AC-16). Information system media includes both digital and non-digital media. Digital
-               media includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Security marking is generally not
-               required for media containing information determined by organizations to be in the
-               public domain or to be publicly releasable. However, some organizations may require
-               markings for public information indicating that the information is publicly
-               releasable. Marking of information system media reflects applicable federal laws,
-               Executive Orders, directives, policies, regulations, standards, and guidance.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="mp-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-3(a)</prop>
-               <p>marks information system media indicating the:</p>
-               <part id="mp-3.a_obj.1" name="objective">
-                  <prop name="label">MP-3(a)[1]</prop>
-                  <p>distribution limitations of the information;</p>
-               </part>
-               <part id="mp-3.a_obj.2" name="objective">
-                  <prop name="label">MP-3(a)[2]</prop>
-                  <p>handling caveats of the information;</p>
-               </part>
-               <part id="mp-3.a_obj.3" name="objective">
-                  <prop name="label">MP-3(a)[3]</prop>
-                  <p>applicable security markings (if any) of the information;</p>
-               </part>
-            </part>
-            <part id="mp-3.b_obj" name="objective">
-               <prop name="label">MP-3(b)</prop>
-               <part id="mp-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-3(b)[1]</prop>
-                  <p>defines types of information system media to be exempted from marking as long
-                     as the media remain in designated controlled areas;</p>
-               </part>
-               <part id="mp-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-3(b)[2]</prop>
-                  <p>defines controlled areas where organization-defined types of information system
-                     media exempt from marking are to be retained; and</p>
-               </part>
-               <part id="mp-3.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-3(b)[3]</prop>
-                  <p>exempts organization-defined types of information system media from marking as
-                     long as the media remain within organization-defined controlled areas.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media marking</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>security plan</p>
-               <p>list of information system media marking security attributes</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and marking
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for marking information media</p>
-               <p>automated mechanisms supporting and/or implementing media marking</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-4">
-         <title>Media Storage</title>
-         <param id="mp-4_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-            <constraint>all types of digital and non-digital media with sensitive information</constraint>
-         </param>
-         <param id="mp-4_prm_2">
-            <label>organization-defined controlled areas</label>
-            <constraint>see additional FedRAMP requirements and guidance</constraint>
-         </param>
-         <prop name="label">MP-4</prop>
-         <prop name="sort-id">mp-04</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Physically controls and securely stores <insert param-id="mp-4_prm_1"/> within
-                     <insert param-id="mp-4_prm_2"/>; and</p>
-            </part>
-            <part id="mp-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Protects information system media until the media are destroyed or sanitized using
-                  approved equipment, techniques, and procedures.</p>
-            </part>
-            <part id="mp-4_fr" name="item">
-               <title>MP-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-4_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines controlled areas within facilities where the information and information system reside.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-4_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Physically controlling information system
-               media includes, for example, conducting inventories, ensuring procedures are in place
-               to allow individuals to check out and return media to the media library, and
-               maintaining accountability for all stored media. Secure storage includes, for
-               example, a locked drawer, desk, or cabinet, or a controlled media library. The type
-               of media storage is commensurate with the security category and/or classification of
-               the information residing on the media. Controlled areas are areas for which
-               organizations provide sufficient physical and procedural safeguards to meet the
-               requirements established for protecting information and/or information systems. For
-               media containing information determined by organizations to be in the public domain,
-               to be publicly releasable, or to have limited or no adverse impact on organizations
-               or individuals if accessed by other than authorized personnel, fewer safeguards may
-               be needed. In these situations, physical access controls provide adequate
-               protection.</p>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="mp-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-4.a_obj" name="objective">
-               <prop name="label">MP-4(a)</prop>
-               <part id="mp-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-4(a)[1]</prop>
-                  <p>defines types of digital and/or non-digital media to be physically controlled
-                     and securely stored within designated controlled areas;</p>
-               </part>
-               <part id="mp-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-4(a)[2]</prop>
-                  <p>defines controlled areas designated to physically control and securely store
-                     organization-defined types of digital and/or non-digital media;</p>
-               </part>
-               <part id="mp-4.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-4(a)[3]</prop>
-                  <p>physically controls organization-defined types of digital and/or non-digital
-                     media within organization-defined controlled areas;</p>
-               </part>
-               <part id="mp-4.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-4(a)[4]</prop>
-                  <p>securely stores organization-defined types of digital and/or non-digital media
-                     within organization-defined controlled areas; and</p>
-               </part>
-            </part>
-            <part id="mp-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-4(b)</prop>
-               <p>protects information system media until the media are destroyed or sanitized using
-                  approved equipment, techniques, and procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media storage</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>access control policy and procedures</p>
-               <p>security plan</p>
-               <p>information system media</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and storage
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing information media</p>
-               <p>automated mechanisms supporting and/or implementing secure media storage/media
-                  protection</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-5">
-         <title>Media Transport</title>
-         <param id="mp-5_prm_1">
-            <label>organization-defined types of information system media</label>
-            <constraint>all media with sensitive information</constraint>
-         </param>
-         <param id="mp-5_prm_2">
-            <label>organization-defined security safeguards</label>
-            <constraint>prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container</constraint>
-         </param>
-         <prop name="label">MP-5</prop>
-         <prop name="sort-id">mp-05</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="mp-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Protects and controls <insert param-id="mp-5_prm_1"/> during transport outside of
-                  controlled areas using <insert param-id="mp-5_prm_2"/>;</p>
-            </part>
-            <part id="mp-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Maintains accountability for information system media during transport outside of
-                  controlled areas;</p>
-            </part>
-            <part id="mp-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents activities associated with the transport of information system media;
-                  and</p>
-            </part>
-            <part id="mp-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Restricts the activities associated with the transport of information system media
-                  to authorized personnel.</p>
-            </part>
-            <part id="mp-5_fr" name="item">
-               <title>MP-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-5_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-5_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. This control also applies to mobile
-               devices with information storage capability (e.g., smart phones, tablets, E-readers),
-               that are transported outside of controlled areas. Controlled areas are areas or
-               spaces for which organizations provide sufficient physical and/or procedural
-               safeguards to meet the requirements established for protecting information and/or
-               information systems. Physical and technical safeguards for media are commensurate
-               with the security category or classification of the information residing on the
-               media. Safeguards to protect media during transport include, for example, locked
-               containers and cryptography. Cryptographic mechanisms can provide confidentiality and
-               integrity protections depending upon the mechanisms used. Activities associated with
-               transport include the actual transport as well as those activities such as releasing
-               media for transport and ensuring that media enters the appropriate transport
-               processes. For the actual transport, authorized transport and courier personnel may
-               include individuals from outside the organization (e.g., U.S. Postal Service or a
-               commercial transport or delivery service). Maintaining accountability of media during
-               transport includes, for example, restricting transport activities to authorized
-               personnel, and tracking and/or obtaining explicit records of transport activities as
-               the media moves through the transportation system to prevent and detect loss,
-               destruction, or tampering. Organizations establish documentation requirements for
-               activities associated with the transport of information system media in accordance
-               with organizational assessments of risk to include the flexibility to define
-               different record-keeping methods for the different types of media transport as part
-               of an overall system of transport-related records.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#mp-3">MP-3</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-         </part>
-         <part id="mp-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-5.a_obj" name="objective">
-               <prop name="label">MP-5(a)</prop>
-               <part id="mp-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-5(a)[1]</prop>
-                  <p>defines types of information system media to be protected and controlled during
-                     transport outside of controlled areas;</p>
-               </part>
-               <part id="mp-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-5(a)[2]</prop>
-                  <p>defines security safeguards to protect and control organization-defined
-                     information system media during transport outside of controlled areas;</p>
-               </part>
-               <part id="mp-5.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-5(a)[3]</prop>
-                  <p>protects and controls organization-defined information system media during
-                     transport outside of controlled areas using organization-defined security
-                     safeguards;</p>
-               </part>
-            </part>
-            <part id="mp-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-5(b)</prop>
-               <p>maintains accountability for information system media during transport outside of
-                  controlled areas;</p>
-            </part>
-            <part id="mp-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-5(c)</prop>
-               <p>documents activities associated with the transport of information system media;
-                  and</p>
-            </part>
-            <part id="mp-5.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-5(d)</prop>
-               <p>restricts the activities associated with transport of information system media to
-                  authorized personnel.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media storage</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>access control policy and procedures</p>
-               <p>security plan</p>
-               <p>information system media</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and storage
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing information media</p>
-               <p>automated mechanisms supporting and/or implementing media storage/media
-                  protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-5.4">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MP-5(4)</prop>
-            <prop name="sort-id">mp-05.04</prop>
-            <part id="mp-5.4_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  confidentiality and integrity of information stored on digital media during
-                  transport outside of controlled areas.</p>
-            </part>
-            <part id="mp-5.4_gdn" name="guidance">
-               <p>This control enhancement applies to both portable storage devices (e.g., USB
-                  memory sticks, compact disks, digital video disks, external/removable hard disk
-                  drives) and mobile devices with storage capability (e.g., smart phones, tablets,
-                  E-readers).</p>
-               <link rel="related" href="#mp-2">MP-2</link>
-            </part>
-            <part id="mp-5.4_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs cryptographic mechanisms to protect the
-                  confidentiality and integrity of information stored on digital media during
-                  transport outside of controlled areas. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media transport</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system media transport records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media transport
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting information on digital media during
-                     transportation outside controlled areas</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-6">
-         <title>Media Sanitization</title>
-         <param id="mp-6_prm_1">
-            <label>organization-defined information system media</label>
-         </param>
-         <param id="mp-6_prm_2">
-            <label>organization-defined sanitization techniques and procedures</label>
-         </param>
-         <prop name="label">MP-6</prop>
-         <prop name="sort-id">mp-06</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a47466c4-c837-4f06-a39f-e68412a5f73d" rel="reference">http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</link>
-         <part id="mp-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Sanitizes <insert param-id="mp-6_prm_1"/> prior to disposal, release out of
-                  organizational control, or release for reuse using <insert param-id="mp-6_prm_2"/>
-                  in accordance with applicable federal and organizational standards and policies;
-                  and</p>
-            </part>
-            <part id="mp-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs sanitization mechanisms with the strength and integrity commensurate with
-                  the security category or classification of the information.</p>
-            </part>
-         </part>
-         <part id="mp-6_gdn" name="guidance">
-            <p>This control applies to all information system media, both digital and non-digital,
-               subject to disposal or reuse, whether or not the media is considered removable.
-               Examples include media found in scanners, copiers, printers, notebook computers,
-               workstations, network components, and mobile devices. The sanitization process
-               removes information from the media such that the information cannot be retrieved or
-               reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-               erase, and destruction, prevent the disclosure of information to unauthorized
-               individuals when such media is reused or released for disposal. Organizations
-               determine the appropriate sanitization methods recognizing that destruction is
-               sometimes necessary when other methods cannot be applied to media requiring
-               sanitization. Organizations use discretion on the employment of approved sanitization
-               techniques and procedures for media containing information deemed to be in the public
-               domain or publicly releasable, or deemed to have no adverse impact on organizations
-               or individuals if released for reuse or disposal. Sanitization of non-digital media
-               includes, for example, removing a classified appendix from an otherwise unclassified
-               document, or redacting selected sections or words from a document by obscuring the
-               redacted sections/words in a manner equivalent in effectiveness to removing them from
-               the document. NSA standards and policies control the sanitization process for media
-               containing classified information.</p>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-4">SC-4</link>
-         </part>
-         <part id="mp-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-6.a_obj" name="objective">
-               <prop name="label">MP-6(a)</prop>
-               <part id="mp-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(a)[1]</prop>
-                  <p>defines information system media to be sanitized prior to:</p>
-                  <part id="mp-6.a_obj.1.a" name="objective">
-                     <prop name="label">MP-6(a)[1][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.b" name="objective">
-                     <prop name="label">MP-6(a)[1][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.c" name="objective">
-                     <prop name="label">MP-6(a)[1][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(a)[2]</prop>
-                  <p>defines sanitization techniques or procedures to be used for sanitizing
-                     organization-defined information system media prior to:</p>
-                  <part id="mp-6.a_obj.2.a" name="objective">
-                     <prop name="label">MP-6(a)[2][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.b" name="objective">
-                     <prop name="label">MP-6(a)[2][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.c" name="objective">
-                     <prop name="label">MP-6(a)[2][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-6(a)[3]</prop>
-                  <p>sanitizes organization-defined information system media prior to disposal,
-                     release out of organizational control, or release for reuse using
-                     organization-defined sanitization techniques or procedures in accordance with
-                     applicable federal and organizational standards and policies; and</p>
-               </part>
-            </part>
-            <part id="mp-6.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-6(b)</prop>
-               <p>employs sanitization mechanisms with strength and integrity commensurate with the
-                  security category or classification of the information.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media sanitization and disposal</p>
-               <p>applicable federal standards and policies addressing media sanitization</p>
-               <p>media sanitization records</p>
-               <p>audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media sanitization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media sanitization</p>
-               <p>automated mechanisms supporting and/or implementing media sanitization</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-6.2">
-            <title>Equipment Testing</title>
-            <param id="mp-6.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least annually</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">MP-6(2)</prop>
-            <prop name="sort-id">mp-06.02</prop>
-            <part id="mp-6.2_smt" name="statement">
-               <p>The organization tests sanitization equipment and procedures <insert param-id="mp-6.2_prm_1"/> to verify that the intended sanitization is being
-                  achieved.</p>
-               <part id="mp-6.2_fr" name="item">
-                  <title>MP-6 (2) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="mp-6.2_fr_gdn.a" name="guidance">
-                     <prop name="label">(a) Requirement:</prop>
-                     <p>Equipment and procedures may be tested or validated for effectiveness</p>
-                  </part>
-               </part>
-            </part>
-            <part id="mp-6.2_gdn" name="guidance">
-               <p>Testing of sanitization equipment and procedures may be conducted by qualified and
-                  authorized external entities (e.g., other federal agencies or external service
-                  providers).</p>
-            </part>
-            <part id="mp-6.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">MP-6(2)[1]</prop>
-                  <p>defines the frequency for testing sanitization equipment and procedures to
-                     verify that the intended sanitization is being achieved; and</p>
-               </part>
-               <part id="mp-6.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">MP-6(2)[2]</prop>
-                  <p>tests sanitization equipment and procedures with the organization-defined
-                     frequency to verify that the intended sanitization is being achieved.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>procedures addressing testing of media sanitization equipment</p>
-                  <p>results of media sanitization equipment and procedures testing</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media sanitization</p>
-                  <p>automated mechanisms supporting and/or implementing media sanitization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-7">
-         <title>Media Use</title>
-         <param id="mp-7_prm_1"/>
-         <param id="mp-7_prm_2">
-            <label>organization-defined types of information system media</label>
-         </param>
-         <param id="mp-7_prm_3">
-            <label>organization-defined information systems or system components</label>
-         </param>
-         <param id="mp-7_prm_4">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">MP-7</prop>
-         <prop name="sort-id">mp-07</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-7_smt" name="statement">
-            <p>The organization <insert param-id="mp-7_prm_1"/> the use of <insert param-id="mp-7_prm_2"/> on <insert param-id="mp-7_prm_3"/> using <insert param-id="mp-7_prm_4"/>.</p>
-         </part>
-         <part id="mp-7_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. This control also applies to mobile
-               devices with information storage capability (e.g., smart phones, tablets, E-readers).
-               In contrast to MP-2, which restricts user access to media, this control restricts the
-               use of certain types of media on information systems, for example,
-               restricting/prohibiting the use of flash drives or external hard disk drives.
-               Organizations can employ technical and nontechnical safeguards (e.g., policies,
-               procedures, rules of behavior) to restrict the use of information system media.
-               Organizations may restrict the use of portable storage devices, for example, by using
-               physical cages on workstations to prohibit access to certain external ports, or
-               disabling/removing the ability to insert, read or write to such devices.
-               Organizations may also limit the use of portable storage devices to only approved
-               devices including, for example, devices provided by the organization, devices
-               provided by other approved organizations, and devices that are not personally owned.
-               Finally, organizations may restrict the use of portable storage devices based on the
-               type of device, for example, prohibiting the use of writeable, portable storage
-               devices, and implementing this restriction by disabling or removing the capability to
-               write to such devices.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="mp-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-7_obj.1" name="objective">
-               <prop name="label">MP-7[1]</prop>
-               <p>defines types of information system media to be:</p>
-               <part id="mp-7_obj.1.a" name="objective">
-                  <prop name="label">MP-7[1][a]</prop>
-                  <p>restricted on information systems or system components; or</p>
-               </part>
-               <part id="mp-7_obj.1.b" name="objective">
-                  <prop name="label">MP-7[1][b]</prop>
-                  <p>prohibited from use on information systems or system components;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.2" name="objective">
-               <prop name="label">MP-7[2]</prop>
-               <p>defines information systems or system components on which the use of
-                  organization-defined types of information system media is to be one of the
-                  following:</p>
-               <part id="mp-7_obj.2.a" name="objective">
-                  <prop name="label">MP-7[2][a]</prop>
-                  <p>restricted; or</p>
-               </part>
-               <part id="mp-7_obj.2.b" name="objective">
-                  <prop name="label">MP-7[2][b]</prop>
-                  <p>prohibited;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">MP-7[3]</prop>
-               <p>defines security safeguards to be employed to restrict or prohibit the use of
-                  organization-defined types of information system media on organization-defined
-                  information systems or system components; and</p>
-            </part>
-            <part id="mp-7_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">MP-7[4]</prop>
-               <p>restricts or prohibits the use of organization-defined information system media on
-                  organization-defined information systems or system components using
-                  organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>system use policy</p>
-               <p>procedures addressing media usage restrictions</p>
-               <p>security plan</p>
-               <p>rules of behavior</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media use responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media use</p>
-               <p>automated mechanisms restricting or prohibiting use of information system media on
-                  information systems or system components</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-7.1">
-            <title>Prohibit Use Without Owner</title>
-            <prop name="label">MP-7(1)</prop>
-            <prop name="sort-id">mp-07.01</prop>
-            <part id="mp-7.1_smt" name="statement">
-               <p>The organization prohibits the use of portable storage devices in organizational
-                  information systems when such devices have no identifiable owner.</p>
-            </part>
-            <part id="mp-7.1_gdn" name="guidance">
-               <p>Requiring identifiable owners (e.g., individuals, organizations, or projects) for
-                  portable storage devices reduces the risk of using such technologies by allowing
-                  organizations to assign responsibility and accountability for addressing known
-                  vulnerabilities in the devices (e.g., malicious code insertion).</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-            </part>
-            <part id="mp-7.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization prohibits the use of portable storage devices in
-                  organizational information systems when such devices have no identifiable owner.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>system use policy</p>
-                  <p>procedures addressing media usage restrictions</p>
-                  <p>security plan</p>
-                  <p>rules of behavior</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media use responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media use</p>
-                  <p>automated mechanisms prohibiting use of media on information systems or system
-                     components</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="pe">
-      <title>Physical and Environmental Protection</title>
-      <control class="SP800-53" id="pe-1">
-         <title>Physical and Environmental Protection Policy and Procedures</title>
-         <param id="pe-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pe-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="pe-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-1</prop>
-         <prop name="sort-id">pe-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pe-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pe-1_prm_1"/>:</p>
-               <part id="pe-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A physical and environmental protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="pe-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the physical and environmental
-                     protection policy and associated physical and environmental protection
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="pe-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pe-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Physical and environmental protection policy <insert param-id="pe-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="pe-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Physical and environmental protection procedures <insert param-id="pe-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pe-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PE
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pe-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pe-1.a_obj" name="objective">
-               <prop name="label">PE-1(a)</prop>
-               <part id="pe-1.a.1_obj" name="objective">
-                  <prop name="label">PE-1(a)(1)</prop>
-                  <part id="pe-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(1)[1]</prop>
-                     <p>develops and documents a physical and environmental protection policy that
-                        addresses:</p>
-                     <part id="pe-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pe-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the physical and environmental protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PE-1(a)(1)[3]</prop>
-                     <p>disseminates the physical and environmental protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="pe-1.a.2_obj" name="objective">
-                  <prop name="label">PE-1(a)(2)</prop>
-                  <part id="pe-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        physical and environmental protection policy and associated physical and
-                        environmental protection controls;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PE-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-1.b_obj" name="objective">
-               <prop name="label">PE-1(b)</prop>
-               <part id="pe-1.b.1_obj" name="objective">
-                  <prop name="label">PE-1(b)(1)</prop>
-                  <part id="pe-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection policy;</p>
-                  </part>
-                  <part id="pe-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pe-1.b.2_obj" name="objective">
-                  <prop name="label">PE-1(b)(2)</prop>
-                  <part id="pe-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection procedures; and</p>
-                  </part>
-                  <part id="pe-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical and environmental protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-2">
-         <title>Physical Access Authorizations</title>
-         <param id="pe-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-2</prop>
-         <prop name="sort-id">pe-02</prop>
-         <part id="pe-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, approves, and maintains a list of individuals with authorized access to
-                  the facility where the information system resides;</p>
-            </part>
-            <part id="pe-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the access list detailing authorized facility access by individuals
-                     <insert param-id="pe-2_prm_1"/>; and</p>
-            </part>
-            <part id="pe-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part id="pe-2_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Authorization credentials include, for
-               example, badges, identification cards, and smart cards. Organizations determine the
-               strength of authorization credentials needed (including level of forge-proof badges,
-               smart cards, or identification cards) consistent with federal standards, policies,
-               and procedures. This control only applies to areas within facilities that have not
-               been designated as publicly accessible.</p>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="pe-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-2.a_obj" name="objective">
-               <prop name="label">PE-2(a)</prop>
-               <part id="pe-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PE-2(a)[1]</prop>
-                  <p>develops a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-2(a)[2]</prop>
-                  <p>approves a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PE-2(a)[3]</prop>
-                  <p>maintains a list of individuals with authorized access to the facility where
-                     the information system resides;</p>
-               </part>
-            </part>
-            <part id="pe-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-2(b)</prop>
-               <p>issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2.c_obj" name="objective">
-               <prop name="label">PE-2(c)</prop>
-               <part id="pe-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-2(c)[1]</prop>
-                  <p>defines the frequency to review the access list detailing authorized facility
-                     access by individuals;</p>
-               </part>
-               <part id="pe-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-2(c)[2]</prop>
-                  <p>reviews the access list detailing authorized facility access by individuals
-                     with the organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="pe-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-2(d)</prop>
-               <p>removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access authorizations</p>
-               <p>security plan</p>
-               <p>authorized personnel access list</p>
-               <p>authorization credentials</p>
-               <p>physical access list reviews</p>
-               <p>physical access termination records and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access authorization responsibilities</p>
-               <p>organizational personnel with physical access to information system facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access authorizations</p>
-               <p>automated mechanisms supporting and/or implementing physical access
-                  authorizations</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-3">
-         <title>Physical Access Control</title>
-         <param id="pe-3_prm_1">
-            <label>organization-defined entry/exit points to the facility where the information
-               system resides</label>
-         </param>
-         <param id="pe-3_prm_2">
-            <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-         </param>
-         <param id="pe-3_prm_3" depends-on="pe-3_prm_2">
-            <label>organization-defined physical access control systems/devices</label>
-            <constraint>CSP defined physical access control systems/devices</constraint>
-         </param>
-         <param id="pe-3_prm_4">
-            <label>organization-defined entry/exit points</label>
-         </param>
-         <param id="pe-3_prm_5">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <param id="pe-3_prm_6">
-            <label>organization-defined circumstances requiring visitor escorts and
-               monitoring</label>
-            <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-         </param>
-         <param id="pe-3_prm_7">
-            <label>organization-defined physical access devices</label>
-         </param>
-         <param id="pe-3_prm_8">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="pe-3_prm_9">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-3</prop>
-         <prop name="sort-id">pe-03</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <link href="#398e33fd-f404-4e5c-b90e-2d50d3181244" rel="reference">ICD 705</link>
-         <link href="#61081e7f-041d-4033-96a7-44a439071683" rel="reference">DoD Instruction 5200.39</link>
-         <link href="#dd2f5acd-08f1-435a-9837-f8203088dc1a" rel="reference">Personal Identity Verification (PIV) in Enterprise
-            Physical Access Control System (E-PACS)</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <part id="pe-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces physical access authorizations at <insert param-id="pe-3_prm_1"/> by;</p>
-               <part id="pe-3_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Verifying individual access authorizations before granting access to the
-                     facility; and</p>
-               </part>
-               <part id="pe-3_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Controlling ingress/egress to the facility using <insert param-id="pe-3_prm_2"/>;</p>
-               </part>
-            </part>
-            <part id="pe-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Maintains physical access audit logs for <insert param-id="pe-3_prm_4"/>;</p>
-            </part>
-            <part id="pe-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides <insert param-id="pe-3_prm_5"/> to control access to areas within the
-                  facility officially designated as publicly accessible;</p>
-            </part>
-            <part id="pe-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Escorts visitors and monitors visitor activity <insert param-id="pe-3_prm_6"/>;</p>
-            </part>
-            <part id="pe-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Secures keys, combinations, and other physical access devices;</p>
-            </part>
-            <part id="pe-3_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Inventories <insert param-id="pe-3_prm_7"/> every <insert param-id="pe-3_prm_8"/>;
-                  and</p>
-            </part>
-            <part id="pe-3_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changes combinations and keys <insert param-id="pe-3_prm_9"/> and/or when keys are
-                  lost, combinations are compromised, or individuals are transferred or
-                  terminated.</p>
-            </part>
-         </part>
-         <part id="pe-3_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Organizations determine the types of
-               facility guards needed including, for example, professional physical security staff
-               or other personnel such as administrative staff or information system users. Physical
-               access devices include, for example, keys, locks, combinations, and card readers.
-               Safeguards for publicly accessible areas within organizational facilities include,
-               for example, cameras, monitoring by guards, and isolating selected information
-               systems and/or system components in secured areas. Physical access control systems
-               comply with applicable federal laws, Executive Orders, directives, policies,
-               regulations, standards, and guidance. The Federal Identity, Credential, and Access
-               Management Program provides implementation guidance for identity, credential, and
-               access management capabilities for physical access control systems. Organizations
-               have flexibility in the types of audit logs employed. Audit logs can be procedural
-               (e.g., a written log of individuals accessing the facility and when such access
-               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-               thereof. Physical access points can include facility access points, interior access
-               points to information systems and/or components requiring supplemental access
-               controls, or both. Components of organizational information systems (e.g.,
-               workstations, terminals) may be located in areas designated as publicly accessible
-               with organizations safeguarding access to such devices.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-5">PE-5</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pe-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-3.a_obj" name="objective">
-               <prop name="label">PE-3(a)</prop>
-               <part id="pe-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(a)[1]</prop>
-                  <p>defines entry/exit points to the facility where the information system
-                     resides;</p>
-               </part>
-               <part id="pe-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(a)[2]</prop>
-                  <p>enforces physical access authorizations at organization-defined entry/exit
-                     points to the facility where the information system resides by:</p>
-                  <part id="pe-3.a.1_obj.2" name="objective">
-                     <prop name="label">PE-3(a)[2](1)</prop>
-                     <p>verifying individual access authorizations before granting access to the
-                        facility;</p>
-                  </part>
-                  <part id="pe-3.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PE-3(a)[2](2)</prop>
-                     <part id="pe-3.a.2_obj.2.a" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[a]</prop>
-                        <p>defining physical access control systems/devices to be employed to
-                           control ingress/egress to the facility where the information system
-                           resides;</p>
-                     </part>
-                     <part id="pe-3.a.2_obj.2.b" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[b]</prop>
-                        <p>using one or more of the following ways to control ingress/egress to the
-                           facility:</p>
-                        <part id="pe-3.a.2_obj.2.b.1" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][1]</prop>
-                           <p>organization-defined physical access control systems/devices;
-                              and/or</p>
-                        </part>
-                        <part id="pe-3.a.2_obj.2.b.2" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][2]</prop>
-                           <p>guards;</p>
-                        </part>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.b_obj" name="objective">
-               <prop name="label">PE-3(b)</prop>
-               <part id="pe-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(b)[1]</prop>
-                  <p>defines entry/exit points for which physical access audit logs are to be
-                     maintained;</p>
-               </part>
-               <part id="pe-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(b)[2]</prop>
-                  <p>maintains physical access audit logs for organization-defined entry/exit
-                     points;</p>
-               </part>
-            </part>
-            <part id="pe-3.c_obj" name="objective">
-               <prop name="label">PE-3(c)</prop>
-               <part id="pe-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(c)[1]</prop>
-                  <p>defines security safeguards to be employed to control access to areas within
-                     the facility officially designated as publicly accessible;</p>
-               </part>
-               <part id="pe-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(c)[2]</prop>
-                  <p>provides organization-defined security safeguards to control access to areas
-                     within the facility officially designated as publicly accessible;</p>
-               </part>
-            </part>
-            <part id="pe-3.d_obj" name="objective">
-               <prop name="label">PE-3(d)</prop>
-               <part id="pe-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(d)[1]</prop>
-                  <p>defines circumstances requiring visitor:</p>
-                  <part id="pe-3.d_obj.1.a" name="objective">
-                     <prop name="label">PE-3(d)[1][a]</prop>
-                     <p>escorts;</p>
-                  </part>
-                  <part id="pe-3.d_obj.1.b" name="objective">
-                     <prop name="label">PE-3(d)[1][b]</prop>
-                     <p>monitoring;</p>
-                  </part>
-               </part>
-               <part id="pe-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(d)[2]</prop>
-                  <p>in accordance with organization-defined circumstances requiring visitor escorts
-                     and monitoring:</p>
-                  <part id="pe-3.d_obj.2.a" name="objective">
-                     <prop name="label">PE-3(d)[2][a]</prop>
-                     <p>escorts visitors;</p>
-                  </part>
-                  <part id="pe-3.d_obj.2.b" name="objective">
-                     <prop name="label">PE-3(d)[2][b]</prop>
-                     <p>monitors visitor activities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.e_obj" name="objective">
-               <prop name="label">PE-3(e)</prop>
-               <part id="pe-3.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[1]</prop>
-                  <p>secures keys;</p>
-               </part>
-               <part id="pe-3.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[2]</prop>
-                  <p>secures combinations;</p>
-               </part>
-               <part id="pe-3.e_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(e)[3]</prop>
-                  <p>secures other physical access devices;</p>
-               </part>
-            </part>
-            <part id="pe-3.f_obj" name="objective">
-               <prop name="label">PE-3(f)</prop>
-               <part id="pe-3.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(f)[1]</prop>
-                  <p>defines physical access devices to be inventoried;</p>
-               </part>
-               <part id="pe-3.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(f)[2]</prop>
-                  <p>defines the frequency to inventory organization-defined physical access
-                     devices;</p>
-               </part>
-               <part id="pe-3.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(f)[3]</prop>
-                  <p>inventories the organization-defined physical access devices with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pe-3.g_obj" name="objective">
-               <prop name="label">PE-3(g)</prop>
-               <part id="pe-3.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-3(g)[1]</prop>
-                  <p>defines the frequency to change combinations and keys; and</p>
-               </part>
-               <part id="pe-3.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-3(g)[2]</prop>
-                  <p>changes combinations and keys with the organization-defined frequency and/or
-                     when:</p>
-                  <part id="pe-3.g_obj.2.a" name="objective">
-                     <prop name="label">PE-3(g)[2][a]</prop>
-                     <p>keys are lost;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.b" name="objective">
-                     <prop name="label">PE-3(g)[2][b]</prop>
-                     <p>combinations are compromised;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.c" name="objective">
-                     <prop name="label">PE-3(g)[2][c]</prop>
-                     <p>individuals are transferred or terminated.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access control</p>
-               <p>security plan</p>
-               <p>physical access control logs or records</p>
-               <p>inventory records of physical access control devices</p>
-               <p>information system entry and exit points</p>
-               <p>records of key and lock combination changes</p>
-               <p>storage locations for physical access control devices</p>
-               <p>physical access control devices</p>
-               <p>list of security safeguards controlling access to designated publicly accessible
-                  areas within facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access control</p>
-               <p>automated mechanisms supporting and/or implementing physical access control</p>
-               <p>physical access control devices</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-4">
-         <title>Access Control for Transmission Medium</title>
-         <param id="pe-4_prm_1">
-            <label>organization-defined information system distribution and transmission
-               lines</label>
-         </param>
-         <param id="pe-4_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">PE-4</prop>
-         <prop name="sort-id">pe-04</prop>
-         <link href="#06dff0ea-3848-4945-8d91-e955ee69f05d" rel="reference">NSTISSI No. 7003</link>
-         <part id="pe-4_smt" name="statement">
-            <p>The organization controls physical access to <insert param-id="pe-4_prm_1"/> within
-               organizational facilities using <insert param-id="pe-4_prm_2"/>.</p>
-         </part>
-         <part id="pe-4_gdn" name="guidance">
-            <p>Physical security safeguards applied to information system distribution and
-               transmission lines help to prevent accidental damage, disruption, and physical
-               tampering. In addition, physical safeguards may be necessary to help prevent
-               eavesdropping or in transit modification of unencrypted transmissions. Security
-               safeguards to control physical access to system distribution and transmission lines
-               include, for example: (i) locked wiring closets; (ii) disconnected or locked spare
-               jacks; and/or (iii) protection of cabling by conduit or cable trays.</p>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-5">PE-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-         </part>
-         <part id="pe-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-4_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PE-4[1]</prop>
-               <p>defines information system distribution and transmission lines requiring physical
-                  access controls;</p>
-            </part>
-            <part id="pe-4_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PE-4[2]</prop>
-               <p>defines security safeguards to be employed to control physical access to
-                  organization-defined information system distribution and transmission lines within
-                  organizational facilities; and</p>
-            </part>
-            <part id="pe-4_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-4[3]</prop>
-               <p>controls physical access to organization-defined information system distribution
-                  and transmission lines within organizational facilities using organization-defined
-                  security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing access control for transmission medium</p>
-               <p>information system design documentation</p>
-               <p>facility communications and wiring diagrams</p>
-               <p>list of physical security safeguards applied to information system distribution
-                  and transmission lines</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access control to distribution and transmission
-                  lines</p>
-               <p>automated mechanisms/security safeguards supporting and/or implementing access
-                  control to distribution and transmission lines</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-5">
-         <title>Access Control for Output Devices</title>
-         <prop name="label">PE-5</prop>
-         <prop name="sort-id">pe-05</prop>
-         <part id="pe-5_smt" name="statement">
-            <p>The organization controls physical access to information system output devices to
-               prevent unauthorized individuals from obtaining the output.</p>
-         </part>
-         <part id="pe-5_gdn" name="guidance">
-            <p>Controlling physical access to output devices includes, for example, placing output
-               devices in locked rooms or other secured areas and allowing access to authorized
-               individuals only, and placing output devices in locations that can be monitored by
-               organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,
-               and audio devices are examples of information system output devices.</p>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-18">PE-18</link>
-         </part>
-         <part id="pe-5_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization controls physical access to information system output
-               devices to prevent unauthorized individuals from obtaining the output. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing access control for display medium</p>
-               <p>facility layout of information system components</p>
-               <p>actual displays from information system components</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access control to output devices</p>
-               <p>automated mechanisms supporting and/or implementing access control to output
-                  devices</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-6">
-         <title>Monitoring Physical Access</title>
-         <param id="pe-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <param id="pe-6_prm_2">
-            <label>organization-defined events or potential indications of events</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-6</prop>
-         <prop name="sort-id">pe-06</prop>
-         <part id="pe-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews physical access logs <insert param-id="pe-6_prm_1"/> and upon occurrence
-                  of <insert param-id="pe-6_prm_2"/>; and</p>
-            </part>
-            <part id="pe-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part id="pe-6_gdn" name="guidance">
-            <p>Organizational incident response capabilities include investigations of and responses
-               to detected physical security incidents. Security incidents include, for example,
-               apparent security violations or suspicious physical access activities. Suspicious
-               physical access activities include, for example: (i) accesses outside of normal work
-               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-               unusual lengths of time; and (iv) out-of-sequence accesses.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="pe-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-6(a)</prop>
-               <p>monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6.b_obj" name="objective">
-               <prop name="label">PE-6(b)</prop>
-               <part id="pe-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-6(b)[1]</prop>
-                  <p>defines the frequency to review physical access logs;</p>
-               </part>
-               <part id="pe-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-6(b)[2]</prop>
-                  <p>defines events or potential indication of events requiring physical access logs
-                     to be reviewed;</p>
-               </part>
-               <part id="pe-6.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-6(b)[3]</prop>
-                  <p>reviews physical access logs with the organization-defined frequency and upon
-                     occurrence of organization-defined events or potential indications of events;
-                     and</p>
-               </part>
-            </part>
-            <part id="pe-6.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-6(c)</prop>
-               <p>coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access monitoring</p>
-               <p>security plan</p>
-               <p>physical access logs or records</p>
-               <p>physical access monitoring records</p>
-               <p>physical access log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access monitoring responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring physical access</p>
-               <p>automated mechanisms supporting and/or implementing physical access monitoring</p>
-               <p>automated mechanisms supporting and/or implementing reviewing of physical access
-                  logs</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-6.1">
-            <title>Intrusion Alarms / Surveillance Equipment</title>
-            <prop name="label">PE-6(1)</prop>
-            <prop name="sort-id">pe-06.01</prop>
-            <part id="pe-6.1_smt" name="statement">
-               <p>The organization monitors physical intrusion alarms and surveillance
-                  equipment.</p>
-            </part>
-            <part id="pe-6.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization monitors physical intrusion alarms and surveillance
-                  equipment. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>security plan</p>
-                  <p>physical access logs or records</p>
-                  <p>physical access monitoring records</p>
-                  <p>physical access log reviews</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring physical intrusion alarms and
-                     surveillance equipment</p>
-                  <p>automated mechanisms supporting and/or implementing physical access
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing physical intrusion alarms
-                     and surveillance equipment</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-8">
-         <title>Visitor Access Records</title>
-         <param id="pe-8_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>for a minimum of one (1) year</constraint>
-         </param>
-         <param id="pe-8_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PE-8</prop>
-         <prop name="sort-id">pe-08</prop>
-         <part id="pe-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains visitor access records to the facility where the information system
-                  resides for <insert param-id="pe-8_prm_1"/>; and</p>
-            </part>
-            <part id="pe-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews visitor access records <insert param-id="pe-8_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="pe-8_gdn" name="guidance">
-            <p>Visitor access records include, for example, names and organizations of persons
-               visiting, visitor signatures, forms of identification, dates of access, entry and
-               departure times, purposes of visits, and names and organizations of persons visited.
-               Visitor access records are not required for publicly accessible areas.</p>
-         </part>
-         <part id="pe-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-8.a_obj" name="objective">
-               <prop name="label">PE-8(a)</prop>
-               <part id="pe-8.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-8(a)[1]</prop>
-                  <p>defines the time period to maintain visitor access records to the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-8.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-8(a)[2]</prop>
-                  <p>maintains visitor access records to the facility where the information system
-                     resides for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="pe-8.b_obj" name="objective">
-               <prop name="label">PE-8(b)</prop>
-               <part id="pe-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-8(b)[1]</prop>
-                  <p>defines the frequency to review visitor access records; and</p>
-               </part>
-               <part id="pe-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-8(b)[2]</prop>
-                  <p>reviews visitor access records with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing visitor access records</p>
-               <p>security plan</p>
-               <p>visitor access control logs or records</p>
-               <p>visitor access record or log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with visitor access records responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for maintaining and reviewing visitor access records</p>
-               <p>automated mechanisms supporting and/or implementing maintenance and review of
-                  visitor access records</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-9">
-         <title>Power Equipment and Cabling</title>
-         <prop name="label">PE-9</prop>
-         <prop name="sort-id">pe-09</prop>
-         <part id="pe-9_smt" name="statement">
-            <p>The organization protects power equipment and power cabling for the information
-               system from damage and destruction.</p>
-         </part>
-         <part id="pe-9_gdn" name="guidance">
-            <p>Organizations determine the types of protection necessary for power equipment and
-               cabling employed at different locations both internal and external to organizational
-               facilities and environments of operation. This includes, for example, generators and
-               power cabling outside of buildings, internal cabling and uninterruptable power
-               sources within an office or data center, and power sources for self-contained
-               entities such as vehicles and satellites.</p>
-            <link rel="related" href="#pe-4">PE-4</link>
-         </part>
-         <part id="pe-9_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization protects power equipment and power cabling for the
-               information system from damage and destruction. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing power equipment/cabling protection</p>
-               <p>facilities housing power equipment/cabling</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for protecting power
-                  equipment/cabling</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing protection of power
-                  equipment/cabling</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-10">
-         <title>Emergency Shutoff</title>
-         <param id="pe-10_prm_1">
-            <label>organization-defined location by information system or system component</label>
-         </param>
-         <prop name="label">PE-10</prop>
-         <prop name="sort-id">pe-10</prop>
-         <part id="pe-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides the capability of shutting off power to the information system or
-                  individual system components in emergency situations;</p>
-            </part>
-            <part id="pe-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Places emergency shutoff switches or devices in <insert param-id="pe-10_prm_1"/>
-                  to facilitate safe and easy access for personnel; and</p>
-            </part>
-            <part id="pe-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Protects emergency power shutoff capability from unauthorized activation.</p>
-            </part>
-         </part>
-         <part id="pe-10_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms.</p>
-            <link rel="related" href="#pe-15">PE-15</link>
-         </part>
-         <part id="pe-10_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-10.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-10(a)</prop>
-               <p>provides the capability of shutting off power to the information system or
-                  individual system components in emergency situations;</p>
-            </part>
-            <part id="pe-10.b_obj" name="objective">
-               <prop name="label">PE-10(b)</prop>
-               <part id="pe-10.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-10(b)[1]</prop>
-                  <p>defines the location of emergency shutoff switches or devices by information
-                     system or system component;</p>
-               </part>
-               <part id="pe-10.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-10(b)[2]</prop>
-                  <p>places emergency shutoff switches or devices in the organization-defined
-                     location by information system or system component to facilitate safe and easy
-                     access for personnel; and</p>
-               </part>
-            </part>
-            <part id="pe-10.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-10(c)</prop>
-               <p>protects emergency power shutoff capability from unauthorized activation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing power source emergency shutoff</p>
-               <p>security plan</p>
-               <p>emergency shutoff controls or switches</p>
-               <p>locations housing emergency shutoff switches and devices</p>
-               <p>security safeguards protecting emergency power shutoff capability from
-                  unauthorized activation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency power shutoff
-                  capability (both implementing and using the capability)</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing emergency power shutoff</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-11">
-         <title>Emergency Power</title>
-         <param id="pe-11_prm_1"/>
-         <prop name="label">PE-11</prop>
-         <prop name="sort-id">pe-11</prop>
-         <part id="pe-11_smt" name="statement">
-            <p>The organization provides a short-term uninterruptible power supply to facilitate
-                  <insert param-id="pe-11_prm_1"/> in the event of a primary power source loss.</p>
-         </part>
-         <part id="pe-11_gdn" name="guidance">
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-11_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization provides a short-term uninterruptible power supply to
-               facilitate one or more of the following in the event of a primary power source loss: </p>
-            <part id="pe-11_obj.1" name="objective">
-               <prop name="label">PE-11[1]</prop>
-               <p>an orderly shutdown of the information system; and/or</p>
-            </part>
-            <part id="pe-11_obj.2" name="objective">
-               <prop name="label">PE-11[2]</prop>
-               <p>transition of the information system to long-term alternate power.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing emergency power</p>
-               <p>uninterruptible power supply</p>
-               <p>uninterruptible power supply documentation</p>
-               <p>uninterruptible power supply test records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency power and/or
-                  planning</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing uninterruptible power
-                  supply</p>
-               <p>the uninterruptable power supply</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-12">
-         <title>Emergency Lighting</title>
-         <prop name="label">PE-12</prop>
-         <prop name="sort-id">pe-12</prop>
-         <part id="pe-12_smt" name="statement">
-            <p>The organization employs and maintains automatic emergency lighting for the
-               information system that activates in the event of a power outage or disruption and
-               that covers emergency exits and evacuation routes within the facility.</p>
-         </part>
-         <part id="pe-12_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-12_obj" name="objective">
-            <p>Determine if the organization employs and maintains automatic emergency lighting for
-               the information system that: </p>
-            <part id="pe-12_obj.1" name="objective">
-               <prop name="label">PE-12[1]</prop>
-               <p>activates in the event of a power outage or disruption; and</p>
-            </part>
-            <part id="pe-12_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-12[2]</prop>
-               <p>covers emergency exits and evacuation routes within the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing emergency lighting</p>
-               <p>emergency lighting documentation</p>
-               <p>emergency lighting test records</p>
-               <p>emergency exits and evacuation routes</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency lighting and/or
-                  planning</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing emergency lighting
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-13">
-         <title>Fire Protection</title>
-         <prop name="label">PE-13</prop>
-         <prop name="sort-id">pe-13</prop>
-         <part id="pe-13_smt" name="statement">
-            <p>The organization employs and maintains fire suppression and detection devices/systems
-               for the information system that are supported by an independent energy source.</p>
-         </part>
-         <part id="pe-13_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Fire suppression and detection devices/systems include, for example,
-               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-               detectors.</p>
-         </part>
-         <part id="pe-13_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-13_obj.1" name="objective">
-               <prop name="label">PE-13[1]</prop>
-               <p>employs fire suppression and detection devices/systems for the information system
-                  that are supported by an independent energy source; and</p>
-            </part>
-            <part id="pe-13_obj.2" name="objective">
-               <prop name="label">PE-13[2]</prop>
-               <p>maintains fire suppression and detection devices/systems for the information
-                  system that are supported by an independent energy source.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing fire protection</p>
-               <p>fire suppression and detection devices/systems</p>
-               <p>fire suppression and detection devices/systems documentation</p>
-               <p>test records of fire suppression and detection devices/systems</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for fire detection and suppression
-                  devices/systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing fire suppression/detection
-                  devices/systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-13.2">
-            <title>Suppression Devices / Systems</title>
-            <param id="pe-13.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="pe-13.2_prm_2">
-               <label>organization-defined emergency responders</label>
-            </param>
-            <prop name="label">PE-13(2)</prop>
-            <prop name="sort-id">pe-13.02</prop>
-            <part id="pe-13.2_smt" name="statement">
-               <p>The organization employs fire suppression devices/systems for the information
-                  system that provide automatic notification of any activation to <insert param-id="pe-13.2_prm_1"/> and <insert param-id="pe-13.2_prm_2"/>.</p>
-            </part>
-            <part id="pe-13.2_gdn" name="guidance">
-               <p>Organizations can identify specific personnel, roles, and emergency responders in
-                  the event that individuals on the notification list must have appropriate access
-                  authorizations and/or clearances, for example, to obtain access to facilities
-                  where classified operations are taking place or where there are information
-                  systems containing classified information.</p>
-            </part>
-            <part id="pe-13.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-13.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-13(2)[1]</prop>
-                  <p>defines personnel or roles to be provided automatic notification of any
-                     activation of fire suppression devices/systems for the information system;</p>
-               </part>
-               <part id="pe-13.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-13(2)[2]</prop>
-                  <p>defines emergency responders to be provided automatic notification of any
-                     activation of fire suppression devices/systems for the information system;</p>
-               </part>
-               <part id="pe-13.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-13(2)[3]</prop>
-                  <p>employs fire suppression devices/systems for the information system that
-                     provide automatic notification of any activation to:</p>
-                  <part id="pe-13.2_obj.3.a" name="objective">
-                     <prop name="label">PE-13(2)[3][a]</prop>
-                     <p>organization-defined personnel or roles; and</p>
-                  </part>
-                  <part id="pe-13.2_obj.3.b" name="objective">
-                     <prop name="label">PE-13(2)[3][b]</prop>
-                     <p>organization-defined emergency responders.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>fire suppression and detection devices/systems documentation</p>
-                  <p>facility housing the information system</p>
-                  <p>alarm service-level agreements</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for fire detection and
-                     suppression devices/systems</p>
-                  <p>organizational personnel with responsibilities for providing automatic
-                     notifications of any activation of fire suppression devices/systems to
-                     appropriate personnel, roles, and emergency responders</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing fire suppression
-                     devices/systems</p>
-                  <p>activation of fire suppression devices/systems (simulated)</p>
-                  <p>automated notifications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.3">
-            <title>Automatic Fire Suppression</title>
-            <prop name="label">PE-13(3)</prop>
-            <prop name="sort-id">pe-13.03</prop>
-            <part id="pe-13.3_smt" name="statement">
-               <p>The organization employs an automatic fire suppression capability for the
-                  information system when the facility is not staffed on a continuous basis.</p>
-            </part>
-            <part id="pe-13.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs an automatic fire suppression capability for
-                  the information system when the facility is not staffed on a continuous basis.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>fire suppression and detection devices/systems documentation</p>
-                  <p>facility housing the information system</p>
-                  <p>alarm service-level agreements</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for fire detection and
-                     suppression devices/systems</p>
-                  <p>organizational personnel with responsibilities for providing automatic
-                     notifications of any activation of fire suppression devices/systems to
-                     appropriate personnel, roles, and emergency responders</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing fire suppression
-                     devices/systems</p>
-                  <p>activation of fire suppression devices/systems (simulated)</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-14">
-         <title>Temperature and Humidity Controls</title>
-         <param id="pe-14_prm_1">
-            <label>organization-defined acceptable levels</label>
-            <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-         </param>
-         <param id="pe-14_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>continuously</constraint>
-         </param>
-         <prop name="label">PE-14</prop>
-         <prop name="sort-id">pe-14</prop>
-         <part id="pe-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains temperature and humidity levels within the facility where the
-                  information system resides at <insert param-id="pe-14_prm_1"/>; and</p>
-            </part>
-            <part id="pe-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Monitors temperature and humidity levels <insert param-id="pe-14_prm_2"/>.</p>
-            </part>
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pe-14_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources, for example, data centers, server rooms, and mainframe computer
-               rooms.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-14_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-14.a_obj" name="objective">
-               <prop name="label">PE-14(a)</prop>
-               <part id="pe-14.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(a)[1]</prop>
-                  <p>defines acceptable temperature levels to be maintained within the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(a)[2]</prop>
-                  <p>defines acceptable humidity levels to be maintained within the facility where
-                     the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(a)[3]</prop>
-                  <p>maintains temperature levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-               <part id="pe-14.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(a)[4]</prop>
-                  <p>maintains humidity levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-            </part>
-            <part id="pe-14.b_obj" name="objective">
-               <prop name="label">PE-14(b)</prop>
-               <part id="pe-14.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(b)[1]</prop>
-                  <p>defines the frequency to monitor temperature levels;</p>
-               </part>
-               <part id="pe-14.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-14(b)[2]</prop>
-                  <p>defines the frequency to monitor humidity levels;</p>
-               </part>
-               <part id="pe-14.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(b)[3]</prop>
-                  <p>monitors temperature levels with the organization-defined frequency; and</p>
-               </part>
-               <part id="pe-14.b_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(b)[4]</prop>
-                  <p>monitors humidity levels with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing temperature and humidity control</p>
-               <p>security plan</p>
-               <p>temperature and humidity controls</p>
-               <p>facility housing the information system</p>
-               <p>temperature and humidity controls documentation</p>
-               <p>temperature and humidity records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                  temperature and humidity levels</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-14.2">
-            <title>Monitoring with Alarms / Notifications</title>
-            <prop name="label">PE-14(2)</prop>
-            <prop name="sort-id">pe-14.02</prop>
-            <part id="pe-14.2_smt" name="statement">
-               <p>The organization employs temperature and humidity monitoring that provides an
-                  alarm or notification of changes potentially harmful to personnel or
-                  equipment.</p>
-            </part>
-            <part id="pe-14.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-14.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(2)[1]</prop>
-                  <p>employs temperature monitoring that provides an alarm of changes potentially
-                     harmful to personnel or equipment; and/or</p>
-               </part>
-               <part id="pe-14.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PE-14(2)[2]</prop>
-                  <p>employs temperature monitoring that provides notification of changes
-                     potentially harmful to personnel or equipment;</p>
-               </part>
-               <part id="pe-14.2_obj.3" name="objective">
-                  <prop name="label">PE-14(2)[3]</prop>
-                  <p>employs humidity monitoring that provides an alarm of changes potentially
-                     harmful to personnel or equipment; and/or</p>
-               </part>
-               <part id="pe-14.2_obj.4" name="objective">
-                  <prop name="label">PE-14(2)[4]</prop>
-                  <p>employs humidity monitoring that provides notification of changes potentially
-                     harmful to personnel or equipment.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing temperature and humidity monitoring</p>
-                  <p>facility housing the information system</p>
-                  <p>logs or records of temperature and humidity monitoring</p>
-                  <p>records of changes to temperature and humidity levels that generate alarms or
-                     notifications</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for information system
-                     environmental controls</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing temperature and humidity
-                     monitoring</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-15">
-         <title>Water Damage Protection</title>
-         <prop name="label">PE-15</prop>
-         <prop name="sort-id">pe-15</prop>
-         <part id="pe-15_smt" name="statement">
-            <p>The organization protects the information system from damage resulting from water
-               leakage by providing master shutoff or isolation valves that are accessible, working
-               properly, and known to key personnel.</p>
-         </part>
-         <part id="pe-15_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Isolation valves can be employed in addition to or in lieu of master
-               shutoff valves to shut off water supplies in specific areas of concern, without
-               affecting entire organizations.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-15_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the organization protects the information system from damage resulting
-               from water leakage by providing master shutoff or isolation valves that are: </p>
-            <part id="pe-15_obj.1" name="objective">
-               <prop name="label">PE-15[1]</prop>
-               <p>accessible;</p>
-            </part>
-            <part id="pe-15_obj.2" name="objective">
-               <prop name="label">PE-15[2]</prop>
-               <p>working properly; and</p>
-            </part>
-            <part id="pe-15_obj.3" name="objective">
-               <prop name="label">PE-15[3]</prop>
-               <p>known to key personnel.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing water damage protection</p>
-               <p>facility housing the information system</p>
-               <p>master shutoff valves</p>
-               <p>list of key personnel with knowledge of location and activation procedures for
-                  master shutoff valves for the plumbing system</p>
-               <p>master shutoff valve documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Master water-shutoff valves</p>
-               <p>organizational process for activating master water-shutoff</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-16">
-         <title>Delivery and Removal</title>
-         <param id="pe-16_prm_1">
-            <label>organization-defined types of information system components</label>
-            <constraint>all information system components</constraint>
-         </param>
-         <prop name="label">PE-16</prop>
-         <prop name="sort-id">pe-16</prop>
-         <part id="pe-16_smt" name="statement">
-            <p>The organization authorizes, monitors, and controls <insert param-id="pe-16_prm_1"/>
-               entering and exiting the facility and maintains records of those items.</p>
-         </part>
-         <part id="pe-16_gdn" name="guidance">
-            <p>Effectively enforcing authorizations for entry and exit of information system
-               components may require restricting access to delivery areas and possibly isolating
-               the areas from the information system and media libraries.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="pe-16_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-16_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PE-16[1]</prop>
-               <p>defines types of information system components to be authorized, monitored, and
-                  controlled as such components are entering and exiting the facility;</p>
-            </part>
-            <part id="pe-16_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[2]</prop>
-               <p>authorizes organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[3]</prop>
-               <p>monitors organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[4]</prop>
-               <p>controls organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.5" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[5]</prop>
-               <p>authorizes organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.6" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[6]</prop>
-               <p>monitors organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.7" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-16[7]</prop>
-               <p>controls organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.8" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-16[8]</prop>
-               <p>maintains records of information system components entering the facility; and</p>
-            </part>
-            <part id="pe-16_obj.9" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-16[9]</prop>
-               <p>maintains records of information system components exiting the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing delivery and removal of information system components from
-                  the facility</p>
-               <p>security plan</p>
-               <p>facility housing the information system</p>
-               <p>records of items entering and exiting the facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for controlling information system
-                  components entering and exiting the facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for authorizing, monitoring, and controlling information
-                  system-related items entering and exiting the facility</p>
-               <p>automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling information system-related items entering and exiting the facility</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-17">
-         <title>Alternate Work Site</title>
-         <param id="pe-17_prm_1">
-            <label>organization-defined security controls</label>
-         </param>
-         <prop name="label">PE-17</prop>
-         <prop name="sort-id">pe-17</prop>
-         <link href="#5309d4d0-46f8-4213-a749-e7584164e5e8" rel="reference">NIST Special Publication 800-46</link>
-         <part id="pe-17_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs <insert param-id="pe-17_prm_1"/> at alternate work sites;</p>
-            </part>
-            <part id="pe-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assesses as feasible, the effectiveness of security controls at alternate work
-                  sites; and</p>
-            </part>
-            <part id="pe-17_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides a means for employees to communicate with information security personnel
-                  in case of security incidents or problems.</p>
-            </part>
-         </part>
-         <part id="pe-17_gdn" name="guidance">
-            <p>Alternate work sites may include, for example, government facilities or private
-               residences of employees. While commonly distinct from alternative processing sites,
-               alternate work sites may provide readily available alternate locations as part of
-               contingency operations. Organizations may define different sets of security controls
-               for specific alternate work sites or types of sites depending on the work-related
-               activities conducted at those sites. This control supports the contingency planning
-               activities of organizations and the federal telework initiative.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-17_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-17.a_obj" name="objective">
-               <prop name="label">PE-17(a)</prop>
-               <part id="pe-17.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PE-17(a)[1]</prop>
-                  <p>defines security controls to be employed at alternate work sites;</p>
-               </part>
-               <part id="pe-17.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PE-17(a)[2]</prop>
-                  <p>employs organization-defined security controls at alternate work sites;</p>
-               </part>
-            </part>
-            <part id="pe-17.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PE-17(b)</prop>
-               <p>assesses, as feasible, the effectiveness of security controls at alternate work
-                  sites; and</p>
-            </part>
-            <part id="pe-17.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PE-17(c)</prop>
-               <p>provides a means for employees to communicate with information security personnel
-                  in case of security incidents or problems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing alternate work sites for organizational personnel</p>
-               <p>security plan</p>
-               <p>list of security controls required for alternate work sites</p>
-               <p>assessments of security controls at alternate work sites</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel approving use of alternate work sites</p>
-               <p>organizational personnel using alternate work sites</p>
-               <p>organizational personnel assessing controls at alternate work sites</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security at alternate work sites</p>
-               <p>automated mechanisms supporting alternate work sites</p>
-               <p>security controls employed at alternate work sites</p>
-               <p>means of communications between personnel at alternate work sites and security
-                  personnel</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pl">
-      <title>Planning</title>
-      <control class="SP800-53" id="pl-1">
-         <title>Security Planning Policy and Procedures</title>
-         <param id="pl-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="pl-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PL-1</prop>
-         <prop name="sort-id">pl-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pl-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pl-1_prm_1"/>:</p>
-               <part id="pl-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="pl-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security planning policy and
-                     associated security planning controls; and</p>
-               </part>
-            </part>
-            <part id="pl-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pl-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security planning policy <insert param-id="pl-1_prm_2"/>; and</p>
-               </part>
-               <part id="pl-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security planning procedures <insert param-id="pl-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pl-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PL
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pl-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pl-1.a_obj" name="objective">
-               <prop name="label">PL-1(a)</prop>
-               <part id="pl-1.a.1_obj" name="objective">
-                  <prop name="label">PL-1(a)(1)</prop>
-                  <part id="pl-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(1)[1]</prop>
-                     <p>develops and documents a planning policy that addresses:</p>
-                     <part id="pl-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pl-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the planning policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PL-1(a)(1)[3]</prop>
-                     <p>disseminates the planning policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="pl-1.a.2_obj" name="objective">
-                  <prop name="label">PL-1(a)(2)</prop>
-                  <part id="pl-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        planning policy and associated planning controls;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PL-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pl-1.b_obj" name="objective">
-               <prop name="label">PL-1(b)</prop>
-               <part id="pl-1.b.1_obj" name="objective">
-                  <prop name="label">PL-1(b)(1)</prop>
-                  <part id="pl-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current planning policy;</p>
-                  </part>
-                  <part id="pl-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current planning policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pl-1.b.2_obj" name="objective">
-                  <prop name="label">PL-1(b)(2)</prop>
-                  <part id="pl-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current planning procedures;
-                        and</p>
-                  </part>
-                  <part id="pl-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PL-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current planning procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-2">
-         <title>System Security Plan</title>
-         <param id="pl-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-2_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PL-2</prop>
-         <prop name="sort-id">pl-02</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security plan for the information system that:</p>
-               <part id="pl-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring decisions; and</p>
-               </part>
-               <part id="pl-2_smt.a.9" name="item">
-                  <prop name="label">9.</prop>
-                  <p>Is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the security plan and communicates subsequent changes to the
-                  plan to <insert param-id="pl-2_prm_1"/>;</p>
-            </part>
-            <part id="pl-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the security plan for the information system <insert param-id="pl-2_prm_2"/>;</p>
-            </part>
-            <part id="pl-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the plan to address changes to the information system/environment of
-                  operation or problems identified during plan implementation or security control
-                  assessments; and</p>
-            </part>
-            <part id="pl-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Protects the security plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part id="pl-2_gdn" name="guidance">
-            <p>Security plans relate security requirements to a set of security controls and control
-               enhancements. Security plans also describe, at a high level, how the security
-               controls and control enhancements meet those security requirements, but do not
-               provide detailed, technical descriptions of the specific design or implementation of
-               the controls/enhancements. Security plans contain sufficient information (including
-               the specification of parameter values for assignment and selection statements either
-               explicitly or by reference) to enable a design and implementation that is
-               unambiguously compliant with the intent of the plans and subsequent determinations of
-               risk to organizational operations and assets, individuals, other organizations, and
-               the Nation if the plan is implemented as intended. Organizations can also apply
-               tailoring guidance to the security control baselines in Appendix D and CNSS
-               Instruction 1253 to develop overlays for community-wide use or to address specialized
-               requirements, technologies, or missions/environments of operation (e.g.,
-               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-               Access Management, space operations). Appendix I provides guidance on developing
-               overlays. Security plans need not be single documents; the plans can be a collection
-               of various documents including documents that already exist. Effective security plans
-               make extensive use of references to policies, procedures, and additional documents
-               (e.g., design and implementation specifications) where more detailed information can
-               be obtained. This reduces the documentation requirements associated with security
-               programs and maintains security-related information in other established
-               management/operational areas related to enterprise architecture, system development
-               life cycle, systems engineering, and acquisition. For example, security plans do not
-               contain detailed contingency plan or incident response plan information but instead
-               provide explicitly or by reference, sufficient information to define what needs to be
-               accomplished by those plans.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-7">PL-7</link>
-            <link rel="related" href="#pm-1">PM-1</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-         </part>
-         <part id="pl-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-2.a_obj" name="objective">
-               <prop name="label">PL-2(a)</prop>
-               <p>develops a security plan for the information system that:</p>
-               <part id="pl-2.a.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(1)</prop>
-                  <p>is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(2)</prop>
-                  <p>explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2.a.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(3)</prop>
-                  <p>describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2.a.4_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(4)</prop>
-                  <p>provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2.a.5_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(5)</prop>
-                  <p>describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2.a.6_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(6)</prop>
-                  <p>provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2.a.7_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(7)</prop>
-                  <p>identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2.a.8_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(a)(8)</prop>
-                  <p>describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring and supplemental
-                     decisions;</p>
-               </part>
-               <part id="pl-2.a.9_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-2(a)(9)</prop>
-                  <p>is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2.b_obj" name="objective">
-               <prop name="label">PL-2(b)</prop>
-               <part id="pl-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(b)[1]</prop>
-                  <p>defines personnel or roles to whom copies of the security plan are to be
-                     distributed and subsequent changes to the plan are to be communicated;</p>
-               </part>
-               <part id="pl-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-2(b)[2]</prop>
-                  <p>distributes copies of the security plan and communicates subsequent changes to
-                     the plan to organization-defined personnel or roles;</p>
-               </part>
-            </part>
-            <part id="pl-2.c_obj" name="objective">
-               <prop name="label">PL-2(c)</prop>
-               <part id="pl-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(c)[1]</prop>
-                  <p>defines the frequency to review the security plan for the information
-                     system;</p>
-               </part>
-               <part id="pl-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(c)[2]</prop>
-                  <p>reviews the security plan for the information system with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pl-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-2(d)</prop>
-               <p>updates the plan to address:</p>
-               <part id="pl-2.d_obj.1" name="objective">
-                  <prop name="label">PL-2(d)[1]</prop>
-                  <p>changes to the information system/environment of operation;</p>
-               </part>
-               <part id="pl-2.d_obj.2" name="objective">
-                  <prop name="label">PL-2(d)[2]</prop>
-                  <p>problems identified during plan implementation;</p>
-               </part>
-               <part id="pl-2.d_obj.3" name="objective">
-                  <prop name="label">PL-2(d)[3]</prop>
-                  <p>problems identified during security control assessments;</p>
-               </part>
-            </part>
-            <part id="pl-2.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-2(e)</prop>
-               <p>protects the security plan from unauthorized:</p>
-               <part id="pl-2.e_obj.1" name="objective">
-                  <prop name="label">PL-2(e)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="pl-2.e_obj.2" name="objective">
-                  <prop name="label">PL-2(e)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing security plan development and implementation</p>
-               <p>procedures addressing security plan reviews and updates</p>
-               <p>enterprise architecture documentation</p>
-               <p>security plan for the information system</p>
-               <p>records of security plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security plan development/review/update/approval</p>
-               <p>automated mechanisms supporting the information system security plan</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-2.3">
-            <title>Plan / Coordinate with Other Organizational Entities</title>
-            <param id="pl-2.3_prm_1">
-               <label>organization-defined individuals or groups</label>
-            </param>
-            <prop name="label">PL-2(3)</prop>
-            <prop name="sort-id">pl-02.03</prop>
-            <part id="pl-2.3_smt" name="statement">
-               <p>The organization plans and coordinates security-related activities affecting the
-                  information system with <insert param-id="pl-2.3_prm_1"/> before conducting such
-                  activities in order to reduce the impact on other organizational entities.</p>
-            </part>
-            <part id="pl-2.3_gdn" name="guidance">
-               <p>Security-related activities include, for example, security assessments, audits,
-                  hardware and software maintenance, patch management, and contingency plan testing.
-                  Advance planning and coordination includes emergency and nonemergency (i.e.,
-                  planned or nonurgent unplanned) situations. The process defined by organizations
-                  to plan and coordinate security-related activities can be included in security
-                  plans for information systems or other documents, as appropriate.</p>
-               <link rel="related" href="#cp-4">CP-4</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="pl-2.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pl-2.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-2(3)[1]</prop>
-                  <p>defines individuals or groups with whom security-related activities affecting
-                     the information system are to be planned and coordinated before conducting such
-                     activities in order to reduce the impact on other organizational entities;
-                     and</p>
-               </part>
-               <part id="pl-2.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PL-2(3)[2]</prop>
-                  <p>plans and coordinates security-related activities affecting the information
-                     system with organization-defined individuals or groups before conducting such
-                     activities in order to reduce the impact on other organizational entities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security planning policy</p>
-                  <p>access control policy</p>
-                  <p>contingency planning policy</p>
-                  <p>procedures addressing security-related activity planning for the information
-                     system</p>
-                  <p>security plan for the information system</p>
-                  <p>contingency plan for the information system</p>
-                  <p>information system design documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational individuals or groups with whom security-related activities are
-                     to be planned and coordinated</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-4">
-         <title>Rules of Behavior</title>
-         <param id="pl-4_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>At least every 3 years</constraint>
-         </param>
-         <prop name="label">PL-4</prop>
-         <prop name="sort-id">pl-04</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and makes readily available to individuals requiring access to the
-                  information system, the rules that describe their responsibilities and expected
-                  behavior with regard to information and information system usage;</p>
-            </part>
-            <part id="pl-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Receives a signed acknowledgment from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates the rules of behavior <insert param-id="pl-4_prm_1"/>; and</p>
-            </part>
-            <part id="pl-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires individuals who have signed a previous version of the rules of behavior
-                  to read and re-sign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part id="pl-4_gdn" name="guidance">
-            <p>This control enhancement applies to organizational users. Organizations consider
-               rules of behavior based on individual user roles and responsibilities,
-               differentiating, for example, between rules that apply to privileged users and rules
-               that apply to general users. Establishing rules of behavior for some types of
-               non-organizational users including, for example, individuals who simply receive
-               data/information from federal information systems, is often not feasible given the
-               large number of such users and the limited nature of their interactions with the
-               systems. Rules of behavior for both organizational and non-organizational users can
-               also be established in AC-8, System Use Notification. PL-4 b. (the signed
-               acknowledgment portion of this control) may be satisfied by the security awareness
-               training and role-based security training programs conducted by organizations if such
-               training includes rules of behavior. Organizations can use electronic signatures for
-               acknowledging rules of behavior.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-         </part>
-         <part id="pl-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-4.a_obj" name="objective">
-               <prop name="label">PL-4(a)</prop>
-               <part id="pl-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-4(a)[1]</prop>
-                  <p>establishes, for individuals requiring access to the information system, the
-                     rules that describe their responsibilities and expected behavior with regard to
-                     information and information system usage;</p>
-               </part>
-               <part id="pl-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(a)[2]</prop>
-                  <p>makes readily available to individuals requiring access to the information
-                     system, the rules that describe their responsibilities and expected behavior
-                     with regard to information and information system usage;</p>
-               </part>
-            </part>
-            <part id="pl-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-4(b)</prop>
-               <p>receives a signed acknowledgement from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4.c_obj" name="objective">
-               <prop name="label">PL-4(c)</prop>
-               <part id="pl-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-4(c)[1]</prop>
-                  <p>defines the frequency to review and update the rules of behavior;</p>
-               </part>
-               <part id="pl-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(c)[2]</prop>
-                  <p>reviews and updates the rules of behavior with the organization-defined
-                     frequency; and</p>
-               </part>
-            </part>
-            <part id="pl-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-4(d)</prop>
-               <p>requires individuals who have signed a previous version of the rules of behavior
-                  to read and resign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing rules of behavior for information system users</p>
-               <p>rules of behavior</p>
-               <p>signed acknowledgements</p>
-               <p>records for rules of behavior reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for establishing, reviewing, and
-                  updating rules of behavior</p>
-               <p>organizational personnel who are authorized users of the information system and
-                  have signed and resigned rules of behavior</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for establishing, reviewing, disseminating, and updating
-                  rules of behavior</p>
-               <p>automated mechanisms supporting and/or implementing the establishment, review,
-                  dissemination, and update of rules of behavior</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-4.1">
-            <title>Social Media and Networking Restrictions</title>
-            <prop name="label">PL-4(1)</prop>
-            <prop name="sort-id">pl-04.01</prop>
-            <part id="pl-4.1_smt" name="statement">
-               <p>The organization includes in the rules of behavior, explicit restrictions on the
-                  use of social media/networking sites and posting organizational information on
-                  public websites.</p>
-            </part>
-            <part id="pl-4.1_gdn" name="guidance">
-               <p>This control enhancement addresses rules of behavior related to the use of social
-                  media/networking sites: (i) when organizational personnel are using such sites for
-                  official duties or in the conduct of official business; (ii) when organizational
-                  information is involved in social media/networking transactions; and (iii) when
-                  personnel are accessing social media/networking sites from organizational
-                  information systems. Organizations also address specific rules that prevent
-                  unauthorized entities from obtaining and/or inferring non-public organizational
-                  information (e.g., system account information, personally identifiable
-                  information) from social media/networking sites.</p>
-            </part>
-            <part id="pl-4.1_obj" name="objective">
-               <p>Determine if the organization includes the following in the rules of behavior: </p>
-               <part id="pl-4.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(1)[1]</prop>
-                  <p>explicit restrictions on the use of social media/networking sites; and</p>
-               </part>
-               <part id="pl-4.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-4(1)[2]</prop>
-                  <p>posting organizational information on public websites.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security planning policy</p>
-                  <p>procedures addressing rules of behavior for information system users</p>
-                  <p>rules of behavior</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for establishing, reviewing, and
-                     updating rules of behavior</p>
-                  <p>organizational personnel who are authorized users of the information system and
-                     have signed rules of behavior</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for establishing rules of behavior</p>
-                  <p>automated mechanisms supporting and/or implementing the establishment of rules
-                     of behavior</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-8">
-         <title>Information Security Architecture</title>
-         <param id="pl-8_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>At least annually or when a significant change occurs</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PL-8</prop>
-         <prop name="sort-id">pl-08</prop>
-         <part id="pl-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops an information security architecture for the information system that:</p>
-               <part id="pl-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Describes the overall philosophy, requirements, and approach to be taken with
-                     regard to protecting the confidentiality, integrity, and availability of
-                     organizational information;</p>
-               </part>
-               <part id="pl-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Describes how the information security architecture is integrated into and
-                     supports the enterprise architecture; and</p>
-               </part>
-               <part id="pl-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Describes any information security assumptions about, and dependencies on,
-                     external services;</p>
-               </part>
-            </part>
-            <part id="pl-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the information security architecture <insert param-id="pl-8_prm_1"/> to reflect updates in the enterprise architecture;
-                  and</p>
-            </part>
-            <part id="pl-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that planned information security architecture changes are reflected in
-                  the security plan, the security Concept of Operations (CONOPS), and organizational
-                  procurements/acquisitions.</p>
-            </part>
-            <part id="pl-8_fr" name="item">
-               <title>PL-8(b) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pl-8_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pl-8_gdn" name="guidance">
-            <p>This control addresses actions taken by organizations in the design and development
-               of information systems. The information security architecture at the individual
-               information system level is consistent with and complements the more global,
-               organization-wide information security architecture described in PM-7 that is
-               integral to and developed as part of the enterprise architecture. The information
-               security architecture includes an architectural description, the placement/allocation
-               of security functionality (including security controls), security-related information
-               for external interfaces, information being exchanged across the interfaces, and the
-               protection mechanisms associated with each interface. In addition, the security
-               architecture can include other important security-related information, for example,
-               user roles and access privileges assigned to each role, unique security requirements,
-               the types of information processed, stored, and transmitted by the information
-               system, restoration priorities of information and information system services, and
-               any other specific protection needs. In today’s modern architecture, it is becoming
-               less common for organizations to control all information resources. There are going
-               to be key dependencies on external information services and service providers.
-               Describing such dependencies in the information security architecture is important to
-               developing a comprehensive mission/business protection strategy. Establishing,
-               developing, documenting, and maintaining under configuration control, a baseline
-               configuration for organizational information systems is critical to implementing and
-               maintaining an effective information security architecture. The development of the
-               information security architecture is coordinated with the Senior Agency Official for
-               Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to
-               support privacy requirements are identified and effectively implemented. PL-8 is
-               primarily directed at organizations (i.e., internally focused) to help ensure that
-               organizations develop an information security architecture for the information
-               system, and that the security architecture is integrated with or tightly coupled to
-               the enterprise architecture through the organization-wide information security
-               architecture. In contrast, SA-17 is primarily directed at external information
-               technology product/system developers and integrators (although SA-17 could be used
-               internally within organizations for in-house system development). SA-17, which is
-               complementary to PL-8, is selected when organizations outsource the development of
-               information systems or information system components to external entities, and there
-               is a need to demonstrate/show consistency with the organization’s enterprise
-               architecture and information security architecture.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-            <link rel="related" href="https://doi.org/10.6028/NIST.SP.800-53r4">Appendix J</link>
-         </part>
-         <part id="pl-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PL-8(a)</prop>
-               <p>develops an information security architecture for the information system that
-                  describes:</p>
-               <part id="pl-8.a.1_obj" name="objective">
-                  <prop name="label">PL-8(a)(1)</prop>
-                  <p>the overall philosophy, requirements, and approach to be taken with regard to
-                     protecting the confidentiality, integrity, and availability of organizational
-                     information;</p>
-               </part>
-               <part id="pl-8.a.2_obj" name="objective">
-                  <prop name="label">PL-8(a)(2)</prop>
-                  <p>how the information security architecture is integrated into and supports the
-                     enterprise architecture;</p>
-               </part>
-               <part id="pl-8.a.3_obj" name="objective">
-                  <prop name="label">PL-8(a)(3)</prop>
-                  <p>any information security assumptions about, and dependencies on, external
-                     services;</p>
-               </part>
-            </part>
-            <part id="pl-8.b_obj" name="objective">
-               <prop name="label">PL-8(b)</prop>
-               <part id="pl-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PL-8(b)[1]</prop>
-                  <p>defines the frequency to review and update the information security
-                     architecture;</p>
-               </part>
-               <part id="pl-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PL-8(b)[2]</prop>
-                  <p>reviews and updates the information security architecture with the
-                     organization-defined frequency to reflect updates in the enterprise
-                     architecture;</p>
-               </part>
-            </part>
-            <part id="pl-8.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PL-8(c)</prop>
-               <p>ensures that planned information security architecture changes are reflected
-                  in:</p>
-               <part id="pl-8.c_obj.1" name="objective">
-                  <prop name="label">PL-8(c)[1]</prop>
-                  <p>the security plan;</p>
-               </part>
-               <part id="pl-8.c_obj.2" name="objective">
-                  <prop name="label">PL-8(c)[2]</prop>
-                  <p>the security Concept of Operations (CONOPS); and</p>
-               </part>
-               <part id="pl-8.c_obj.3" name="objective">
-                  <prop name="label">PL-8(c)[3]</prop>
-                  <p>the organizational procurements/acquisitions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing information security architecture development</p>
-               <p>procedures addressing information security architecture reviews and updates</p>
-               <p>enterprise architecture documentation</p>
-               <p>information security architecture documentation</p>
-               <p>security plan for the information system</p>
-               <p>security CONOPS for the information system</p>
-               <p>records of information security architecture reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security architecture development
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing, reviewing, and updating the information
-                  security architecture</p>
-               <p>automated mechanisms supporting and/or implementing the development, review, and
-                  update of the information security architecture</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ps">
-      <title>Personnel Security</title>
-      <control class="SP800-53" id="ps-1">
-         <title>Personnel Security Policy and Procedures</title>
-         <param id="ps-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ps-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-1</prop>
-         <prop name="sort-id">ps-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ps-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ps-1_prm_1"/>:</p>
-               <part id="ps-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A personnel security policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ps-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the personnel security policy
-                     and associated personnel security controls; and</p>
-               </part>
-            </part>
-            <part id="ps-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ps-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Personnel security policy <insert param-id="ps-1_prm_2"/>; and</p>
-               </part>
-               <part id="ps-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Personnel security procedures <insert param-id="ps-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PS
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ps-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-1.a_obj" name="objective">
-               <prop name="label">PS-1(a)</prop>
-               <part id="ps-1.a.1_obj" name="objective">
-                  <prop name="label">PS-1(a)(1)</prop>
-                  <part id="ps-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(1)[1]</prop>
-                     <p>develops and documents an personnel security policy that addresses:</p>
-                     <part id="ps-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ps-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the personnel security policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PS-1(a)(1)[3]</prop>
-                     <p>disseminates the personnel security policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ps-1.a.2_obj" name="objective">
-                  <prop name="label">PS-1(a)(2)</prop>
-                  <part id="ps-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        personnel security policy and associated personnel security controls;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">PS-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ps-1.b_obj" name="objective">
-               <prop name="label">PS-1(b)</prop>
-               <part id="ps-1.b.1_obj" name="objective">
-                  <prop name="label">PS-1(b)(1)</prop>
-                  <part id="ps-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        policy;</p>
-                  </part>
-                  <part id="ps-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current personnel security policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ps-1.b.2_obj" name="objective">
-                  <prop name="label">PS-1(b)(2)</prop>
-                  <part id="ps-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        procedures; and</p>
-                  </part>
-                  <part id="ps-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current personnel security procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-2">
-         <title>Position Risk Designation</title>
-         <param id="ps-2_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three years</constraint>
-         </param>
-         <prop name="label">PS-2</prop>
-         <prop name="sort-id">ps-02</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <part id="ps-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes screening criteria for individuals filling those positions; and</p>
-            </part>
-            <part id="ps-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates position risk designations <insert param-id="ps-2_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-2_gdn" name="guidance">
-            <p>Position risk designations reflect Office of Personnel Management policy and
-               guidance. Risk designations can guide and inform the types of authorizations
-               individuals receive when accessing organizational information and information
-               systems. Position screening criteria include explicit information security role
-               appointment requirements (e.g., training, security clearances).</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="ps-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-2(a)</prop>
-               <p>assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-2(b)</prop>
-               <p>establishes screening criteria for individuals filling those positions;</p>
-            </part>
-            <part id="ps-2.c_obj" name="objective">
-               <prop name="label">PS-2(c)</prop>
-               <part id="ps-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-2(c)[1]</prop>
-                  <p>defines the frequency to review and update position risk designations; and</p>
-               </part>
-               <part id="ps-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-2(c)[2]</prop>
-                  <p>reviews and updates position risk designations with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing position categorization</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>list of risk designations for organizational positions</p>
-               <p>security plan</p>
-               <p>records of position risk designation reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for assigning, reviewing, and updating position risk
-                  designations</p>
-               <p>organizational processes for establishing screening criteria</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-3">
-         <title>Personnel Screening</title>
-         <param id="ps-3_prm_1">
-            <label>organization-defined conditions requiring rescreening and, where rescreening is
-               so indicated, the frequency of such rescreening</label>
-            <constraint>for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-3</prop>
-         <prop name="sort-id">ps-03</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <part id="ps-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Screens individuals prior to authorizing access to the information system; and</p>
-            </part>
-            <part id="ps-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Rescreens individuals according to <insert param-id="ps-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-3_gdn" name="guidance">
-            <p>Personnel screening and rescreening activities reflect applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, guidance, and
-               specific criteria established for the risk designations of assigned positions.
-               Organizations may define different rescreening conditions and frequencies for
-               personnel accessing information systems based on types of information processed,
-               stored, or transmitted by the systems.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-         </part>
-         <part id="ps-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-3(a)</prop>
-               <p>screens individuals prior to authorizing access to the information system;</p>
-            </part>
-            <part id="ps-3.b_obj" name="objective">
-               <prop name="label">PS-3(b)</prop>
-               <part id="ps-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-3(b)[1]</prop>
-                  <p>defines conditions requiring re-screening;</p>
-               </part>
-               <part id="ps-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-3(b)[2]</prop>
-                  <p>defines the frequency of re-screening where it is so indicated; and</p>
-               </part>
-               <part id="ps-3.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-3(b)[3]</prop>
-                  <p>re-screens individuals in accordance with organization-defined conditions
-                     requiring re-screening and, where re-screening is so indicated, with the
-                     organization-defined frequency of such re-screening.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel screening</p>
-               <p>records of screened personnel</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel screening</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-3.3">
-            <title>Information with Special Protection Measures</title>
-            <param id="ps-3.3_prm_1">
-               <label>organization-defined additional personnel screening criteria</label>
-               <constraint>personnel screening criteria - as required by specific information</constraint>
-            </param>
-            <prop name="label">PS-3(3)</prop>
-            <prop name="sort-id">ps-03.03</prop>
-            <part id="ps-3.3_smt" name="statement">
-               <p>The organization ensures that individuals accessing an information system
-                  processing, storing, or transmitting information requiring special protection:</p>
-               <part id="ps-3.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Have valid access authorizations that are demonstrated by assigned official
-                     government duties; and</p>
-               </part>
-               <part id="ps-3.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Satisfy <insert param-id="ps-3.3_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="ps-3.3_gdn" name="guidance">
-               <p>Organizational information requiring special protection includes, for example,
-                  Controlled Unclassified Information (CUI) and Sources and Methods Information
-                  (SAMI). Personnel security criteria include, for example, position sensitivity
-                  background screening requirements.</p>
-            </part>
-            <part id="ps-3.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ps-3.3.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-3(3)(a)</prop>
-                  <p>ensures that individuals accessing an information system processing, storing,
-                     or transmitting information requiring special protection have valid access
-                     authorizations that are demonstrated by assigned official government
-                     duties;</p>
-                  <link rel="corresp" href="#ps-3.3_smt.a">PS-3(3)(a)</link>
-               </part>
-               <part id="ps-3.3.b_obj" name="objective">
-                  <prop name="label">PS-3(3)(b)</prop>
-                  <part id="ps-3.3.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-3(3)(b)[1]</prop>
-                     <p>defines additional personnel screening criteria to be satisfied for
-                        individuals accessing an information system processing, storing, or
-                        transmitting information requiring special protection; and</p>
-                  </part>
-                  <part id="ps-3.3.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">PS-3(3)(b)[2]</prop>
-                     <p>ensures that individuals accessing an information system processing,
-                        storing, or transmitting information requiring special protection satisfy
-                        organization-defined additional personnel screening criteria.</p>
-                  </part>
-                  <link rel="corresp" href="#ps-3.3_smt.b">PS-3(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>access control policy, procedures addressing personnel screening</p>
-                  <p>records of screened personnel</p>
-                  <p>screening criteria</p>
-                  <p>records of access authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for ensuring valid access authorizations for
-                     information requiring special protection</p>
-                  <p>organizational process for additional personnel screening for information
-                     requiring special protection</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-4">
-         <title>Personnel Termination</title>
-         <param id="ps-4_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>same day</constraint>
-         </param>
-         <param id="ps-4_prm_2">
-            <label>organization-defined information security topics</label>
-         </param>
-         <param id="ps-4_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-4_prm_4">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-4</prop>
-         <prop name="sort-id">ps-04</prop>
-         <part id="ps-4_smt" name="statement">
-            <p>The organization, upon termination of individual employment:</p>
-            <part id="ps-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Disables information system access within <insert param-id="ps-4_prm_1"/>;</p>
-            </part>
-            <part id="ps-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts exit interviews that include a discussion of <insert param-id="ps-4_prm_2"/>;</p>
-            </part>
-            <part id="ps-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Retains access to organizational information and information systems formerly
-                  controlled by terminated individual; and</p>
-            </part>
-            <part id="ps-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Notifies <insert param-id="ps-4_prm_3"/> within <insert param-id="ps-4_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-4_gdn" name="guidance">
-            <p>Information system-related property includes, for example, hardware authentication
-               tokens, system administration technical manuals, keys, identification cards, and
-               building passes. Exit interviews ensure that terminated individuals understand the
-               security constraints imposed by being former employees and that proper accountability
-               is achieved for information system-related property. Security topics of interest at
-               exit interviews can include, for example, reminding terminated individuals of
-               nondisclosure agreements and potential limitations on future employment. Exit
-               interviews may not be possible for some terminated individuals, for example, in cases
-               related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-               interviews are important for individuals with security clearances. Timely execution
-               of termination actions is essential for individuals terminated for cause. In certain
-               situations, organizations consider disabling the information system accounts of
-               individuals that are being terminated prior to the individuals being notified.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-4_obj" name="objective">
-            <p>Determine if the organization, upon termination of individual employment,:</p>
-            <part id="ps-4.a_obj" name="objective">
-               <prop name="label">PS-4(a)</prop>
-               <part id="ps-4.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(a)[1]</prop>
-                  <p>defines a time period within which to disable information system access;</p>
-               </part>
-               <part id="ps-4.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-4(a)[2]</prop>
-                  <p>disables information system access within the organization-defined time
-                     period;</p>
-               </part>
-            </part>
-            <part id="ps-4.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-4(b)</prop>
-               <p>terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4.c_obj" name="objective">
-               <prop name="label">PS-4(c)</prop>
-               <part id="ps-4.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(c)[1]</prop>
-                  <p>defines information security topics to be discussed when conducting exit
-                     interviews;</p>
-               </part>
-               <part id="ps-4.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-4(c)[2]</prop>
-                  <p>conducts exit interviews that include a discussion of organization-defined
-                     information security topics;</p>
-               </part>
-            </part>
-            <part id="ps-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-4(d)</prop>
-               <p>retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-4(e)</prop>
-               <p>retains access to organizational information and information systems formerly
-                  controlled by the terminated individual;</p>
-            </part>
-            <part id="ps-4.f_obj" name="objective">
-               <prop name="label">PS-4(f)</prop>
-               <part id="ps-4.f_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(f)[1]</prop>
-                  <p>defines personnel or roles to be notified of the termination;</p>
-               </part>
-               <part id="ps-4.f_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-4(f)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles; and</p>
-               </part>
-               <part id="ps-4.f_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-4(f)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel termination</p>
-               <p>records of personnel termination actions</p>
-               <p>list of information system accounts</p>
-               <p>records of terminated or revoked authenticators/credentials</p>
-               <p>records of exit interviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel termination</p>
-               <p>automated mechanisms supporting and/or implementing personnel termination
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-5">
-         <title>Personnel Transfer</title>
-         <param id="ps-5_prm_1">
-            <label>organization-defined transfer or reassignment actions</label>
-         </param>
-         <param id="ps-5_prm_2">
-            <label>organization-defined time period following the formal transfer action</label>
-         </param>
-         <param id="ps-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-5_prm_4">
-            <label>organization-defined time period</label>
-            <constraint>five days of the time period following the formal transfer action (DoD 24 hours)</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-5</prop>
-         <prop name="sort-id">ps-05</prop>
-         <part id="ps-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and confirms ongoing operational need for current logical and physical
-                  access authorizations to information systems/facilities when individuals are
-                  reassigned or transferred to other positions within the organization;</p>
-            </part>
-            <part id="ps-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Initiates <insert param-id="ps-5_prm_1"/> within <insert param-id="ps-5_prm_2"/>;</p>
-            </part>
-            <part id="ps-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer; and</p>
-            </part>
-            <part id="ps-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Notifies <insert param-id="ps-5_prm_3"/> within <insert param-id="ps-5_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-5_gdn" name="guidance">
-            <p>This control applies when reassignments or transfers of individuals are permanent or
-               of such extended durations as to make the actions warranted. Organizations define
-               actions appropriate for the types of reassignments or transfers, whether permanent or
-               extended. Actions that may be required for personnel transfers or reassignments to
-               other positions within organizations include, for example: (i) returning old and
-               issuing new keys, identification cards, and building passes; (ii) closing information
-               system accounts and establishing new accounts; (iii) changing information system
-               access authorizations (i.e., privileges); and (iv) providing for access to official
-               records to which individuals had access at previous work locations and in previous
-               information system accounts.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-         </part>
-         <part id="ps-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-5.a_obj" name="objective">
-               <prop name="label">PS-5(a)</prop>
-               <p>when individuals are reassigned or transferred to other positions within the
-                  organization, reviews and confirms ongoing operational need for current:</p>
-               <part id="ps-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-5(a)[1]</prop>
-                  <p>logical access authorizations to information systems;</p>
-               </part>
-               <part id="ps-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">PS-5(a)[2]</prop>
-                  <p>physical access authorizations to information systems and facilities;</p>
-               </part>
-            </part>
-            <part id="ps-5.b_obj" name="objective">
-               <prop name="label">PS-5(b)</prop>
-               <part id="ps-5.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(b)[1]</prop>
-                  <p>defines transfer or reassignment actions to be initiated following transfer or
-                     reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(b)[2]</prop>
-                  <p>defines the time period within which transfer or reassignment actions must
-                     occur following transfer or reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-5(b)[3]</prop>
-                  <p>initiates organization-defined transfer or reassignment actions within the
-                     organization-defined time period following transfer or reassignment;</p>
-               </part>
-            </part>
-            <part id="ps-5.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-5(c)</prop>
-               <p>modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer;</p>
-            </part>
-            <part id="ps-5.d_obj" name="objective">
-               <prop name="label">PS-5(d)</prop>
-               <part id="ps-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(d)[1]</prop>
-                  <p>defines personnel or roles to be notified when individuals are reassigned or
-                     transferred to other positions within the organization;</p>
-               </part>
-               <part id="ps-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-5(d)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles when individuals are reassigned or transferred to other positions
-                     within the organization; and</p>
-               </part>
-               <part id="ps-5.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-5(d)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when individuals are reassigned or transferred
-                     to other positions within the organization.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel transfer</p>
-               <p>security plan</p>
-               <p>records of personnel transfer actions</p>
-               <p>list of information system and facility access authorizations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities organizational
-                  personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel transfer</p>
-               <p>automated mechanisms supporting and/or implementing personnel transfer
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-6">
-         <title>Access Agreements</title>
-         <param id="ps-6_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <param id="ps-6_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-6</prop>
-         <prop name="sort-id">ps-06</prop>
-         <part id="ps-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the access agreements <insert param-id="ps-6_prm_1"/>; and</p>
-            </part>
-            <part id="ps-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that individuals requiring access to organizational information and
-                  information systems:</p>
-               <part id="ps-6_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Sign appropriate access agreements prior to being granted access; and</p>
-               </part>
-               <part id="ps-6_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Re-sign access agreements to maintain access to organizational information
-                     systems when access agreements have been updated or <insert param-id="ps-6_prm_2"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-6_gdn" name="guidance">
-            <p>Access agreements include, for example, nondisclosure agreements, acceptable use
-               agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-               agreements include an acknowledgement that individuals have read, understand, and
-               agree to abide by the constraints associated with organizational information systems
-               to which access is authorized. Organizations can use electronic signatures to
-               acknowledge access agreements unless specifically prohibited by organizational
-               policy.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-         </part>
-         <part id="ps-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-6.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-6(a)</prop>
-               <p>develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6.b_obj" name="objective">
-               <prop name="label">PS-6(b)</prop>
-               <part id="ps-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-6(b)[1]</prop>
-                  <p>defines the frequency to review and update the access agreements;</p>
-               </part>
-               <part id="ps-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-6(b)[2]</prop>
-                  <p>reviews and updates the access agreements with the organization-defined
-                     frequency;</p>
-               </part>
-            </part>
-            <part id="ps-6.c_obj" name="objective">
-               <prop name="label">PS-6(c)</prop>
-               <part id="ps-6.c.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-6(c)(1)</prop>
-                  <p>ensures that individuals requiring access to organizational information and
-                     information systems sign appropriate access agreements prior to being granted
-                     access;</p>
-               </part>
-               <part id="ps-6.c.2_obj" name="objective">
-                  <prop name="label">PS-6(c)(2)</prop>
-                  <part id="ps-6.c.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">PS-6(c)(2)[1]</prop>
-                     <p>defines the frequency to re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been
-                        updated;</p>
-                  </part>
-                  <part id="ps-6.c.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">PS-6(c)(2)[2]</prop>
-                     <p>ensures that individuals requiring access to organizational information and
-                        information systems re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been updated
-                        or with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing access agreements for organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>access agreements</p>
-               <p>records of access agreement reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel who have signed/resigned access agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access agreements</p>
-               <p>automated mechanisms supporting access agreements</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-7">
-         <title>Third-party Personnel Security</title>
-         <param id="ps-7_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-7_prm_2">
-            <label>organization-defined time period</label>
-            <constraint>organization-defined time period - same day</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">PS-7</prop>
-         <prop name="sort-id">ps-07</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="ps-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes personnel security requirements including security roles and
-                  responsibilities for third-party providers;</p>
-            </part>
-            <part id="ps-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires third-party providers to notify <insert param-id="ps-7_prm_1"/> of any
-                  personnel transfers or terminations of third-party personnel who possess
-                  organizational credentials and/or badges, or who have information system
-                  privileges within <insert param-id="ps-7_prm_2"/>; and</p>
-            </part>
-            <part id="ps-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Monitors provider compliance.</p>
-            </part>
-         </part>
-         <part id="ps-7_gdn" name="guidance">
-            <p>Third-party providers include, for example, service bureaus, contractors, and other
-               organizations providing information system development, information technology
-               services, outsourced applications, and network and security management. Organizations
-               explicitly include personnel security requirements in acquisition-related documents.
-               Third-party providers may have personnel working at organizational facilities with
-               credentials, badges, or information system privileges issued by organizations.
-               Notifications of third-party personnel changes ensure appropriate termination of
-               privileges and credentials. Organizations define the transfers and terminations
-               deemed reportable by security-related characteristics that include, for example,
-               functions, roles, and nature of credentials/privileges associated with individuals
-               transferred or terminated.</p>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sa-21">SA-21</link>
-         </part>
-         <part id="ps-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-7.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-7(a)</prop>
-               <p>establishes personnel security requirements, including security roles and
-                  responsibilities, for third-party providers;</p>
-            </part>
-            <part id="ps-7.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">PS-7(b)</prop>
-               <p>requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-7(c)</prop>
-               <p>documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7.d_obj" name="objective">
-               <prop name="label">PS-7(d)</prop>
-               <part id="ps-7.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[1]</prop>
-                  <p>defines personnel or roles to be notified of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[2]</prop>
-                  <p>defines the time period within which third-party providers are required to
-                     notify organization-defined personnel or roles of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-7(d)[3]</prop>
-                  <p>requires third-party providers to notify organization-defined personnel or
-                     roles within the organization-defined time period of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges; and</p>
-               </part>
-            </part>
-            <part id="ps-7.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">PS-7(e)</prop>
-               <p>monitors provider compliance.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing third-party personnel security</p>
-               <p>list of personnel security requirements</p>
-               <p>acquisition documents</p>
-               <p>service-level agreements</p>
-               <p>compliance monitoring process</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>third-party providers</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing and monitoring third-party personnel
-                  security</p>
-               <p>automated mechanisms supporting and/or implementing monitoring of provider
-                  compliance</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-8">
-         <title>Personnel Sanctions</title>
-         <param id="ps-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-8_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-8</prop>
-         <prop name="sort-id">ps-08</prop>
-         <part id="ps-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures; and</p>
-            </part>
-            <part id="ps-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Notifies <insert param-id="ps-8_prm_1"/> within <insert param-id="ps-8_prm_2"/>
-                  when a formal employee sanctions process is initiated, identifying the individual
-                  sanctioned and the reason for the sanction.</p>
-            </part>
-         </part>
-         <part id="ps-8_gdn" name="guidance">
-            <p>Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Sanctions processes are
-               described in access agreements and can be included as part of general personnel
-               policies and procedures for organizations. Organizations consult with the Office of
-               the General Counsel regarding matters of employee sanctions.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">PS-8(a)</prop>
-               <p>employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures;</p>
-            </part>
-            <part id="ps-8.b_obj" name="objective">
-               <prop name="label">PS-8(b)</prop>
-               <part id="ps-8.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-8(b)[1]</prop>
-                  <p>defines personnel or roles to be notified when a formal employee sanctions
-                     process is initiated;</p>
-               </part>
-               <part id="ps-8.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">PS-8(b)[2]</prop>
-                  <p>defines the time period within which organization-defined personnel or roles
-                     must be notified when a formal employee sanctions process is initiated; and</p>
-               </part>
-               <part id="ps-8.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">PS-8(b)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when a formal employee sanctions process is
-                     initiated, identifying the individual sanctioned and the reason for the
-                     sanction.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel sanctions</p>
-               <p>rules of behavior</p>
-               <p>records of formal sanctions</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing personnel sanctions</p>
-               <p>automated mechanisms supporting and/or implementing notifications</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ra">
-      <title>Risk Assessment</title>
-      <control class="SP800-53" id="ra-1">
-         <title>Risk Assessment Policy and Procedures</title>
-         <param id="ra-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="ra-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">RA-1</prop>
-         <prop name="sort-id">ra-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ra-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ra-1_prm_1"/>:</p>
-               <part id="ra-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A risk assessment policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ra-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the risk assessment policy and
-                     associated risk assessment controls; and</p>
-               </part>
-            </part>
-            <part id="ra-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ra-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Risk assessment policy <insert param-id="ra-1_prm_2"/>; and</p>
-               </part>
-               <part id="ra-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Risk assessment procedures <insert param-id="ra-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the RA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-1.a_obj" name="objective">
-               <prop name="label">RA-1(a)</prop>
-               <part id="ra-1.a.1_obj" name="objective">
-                  <prop name="label">RA-1(a)(1)</prop>
-                  <part id="ra-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(1)[1]</prop>
-                     <p>develops and documents a risk assessment policy that addresses:</p>
-                     <part id="ra-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ra-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the risk assessment policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">RA-1(a)(1)[3]</prop>
-                     <p>disseminates the risk assessment policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ra-1.a.2_obj" name="objective">
-                  <prop name="label">RA-1(a)(2)</prop>
-                  <part id="ra-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        risk assessment policy and associated risk assessment controls;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">RA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-1.b_obj" name="objective">
-               <prop name="label">RA-1(b)</prop>
-               <part id="ra-1.b.1_obj" name="objective">
-                  <prop name="label">RA-1(b)(1)</prop>
-                  <part id="ra-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        policy;</p>
-                  </part>
-                  <part id="ra-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current risk assessment policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ra-1.b.2_obj" name="objective">
-                  <prop name="label">RA-1(b)(2)</prop>
-                  <part id="ra-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        procedures; and</p>
-                  </part>
-                  <part id="ra-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">RA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current risk assessment procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>risk assessment policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-2">
-         <title>Security Categorization</title>
-         <prop name="label">RA-2</prop>
-         <prop name="sort-id">ra-02</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="ra-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that the authorizing official or authorizing official designated
-                  representative reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part id="ra-2_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective security
-               categorization decisions. Security categories describe the potential adverse impacts
-               to organizational operations, organizational assets, and individuals if
-               organizational information and information systems are comprised through a loss of
-               confidentiality, integrity, or availability. Organizations conduct the security
-               categorization process as an organization-wide activity with the involvement of chief
-               information officers, senior information security officers, information system
-               owners, mission/business owners, and information owners/stewards. Organizations also
-               consider the potential adverse impacts to other organizations and, in accordance with
-               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-               national-level adverse impacts. Security categorization processes carried out by
-               organizations facilitate the development of inventories of information assets, and
-               along with CM-8, mappings to specific information system components where information
-               is processed, stored, or transmitted.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="ra-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">RA-2(a)</prop>
-               <p>categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">RA-2(b)</prop>
-               <p>documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">RA-2(c)</prop>
-               <p>ensures the authorizing official or authorizing official designated representative
-                  reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing security categorization of organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>security categorization documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security categorization and risk assessment
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security categorization</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-3">
-         <title>Risk Assessment</title>
-         <param id="ra-3_prm_1"/>
-         <param id="ra-3_prm_2" depends-on="ra-3_prm_1">
-            <label>organization-defined document</label>
-            <constraint>security assessment report</constraint>
-         </param>
-         <param id="ra-3_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three (3) years or when a significant change occurs</constraint>
-         </param>
-         <param id="ra-3_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-3_prm_5">
-            <label>organization-defined frequency</label>
-            <constraint>at least every three (3) years or when a significant change occurs</constraint>
-         </param>
-         <prop name="label">RA-3</prop>
-         <prop name="sort-id">ra-03</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ra-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of the information system and the information it processes, stores, or
-                  transmits;</p>
-            </part>
-            <part id="ra-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents risk assessment results in <insert param-id="ra-3_prm_1"/>;</p>
-            </part>
-            <part id="ra-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews risk assessment results <insert param-id="ra-3_prm_3"/>;</p>
-            </part>
-            <part id="ra-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Disseminates risk assessment results to <insert param-id="ra-3_prm_4"/>; and</p>
-            </part>
-            <part id="ra-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the risk assessment <insert param-id="ra-3_prm_5"/> or whenever there are
-                  significant changes to the information system or environment of operation
-                  (including the identification of new threats and vulnerabilities), or other
-                  conditions that may impact the security state of the system.</p>
-            </part>
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-3_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective risk
-               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-               and impact to organizational operations and assets, individuals, other organizations,
-               and the Nation based on the operation and use of information systems. Risk
-               assessments also take into account risk from external parties (e.g., service
-               providers, contractors operating information systems on behalf of the organization,
-               individuals accessing organizational information systems, outsourcing entities). In
-               accordance with OMB policy and related E-authentication initiatives, authentication
-               of public users accessing federal information systems may also be required to protect
-               nonpublic or privacy-related information. As such, organizational assessments of risk
-               also address public access to federal information systems. Risk assessments (either
-               formal or informal) can be conducted at all three tiers in the risk management
-               hierarchy (i.e., organization level, mission/business process level, or information
-               system level) and at any phase in the system development life cycle. Risk assessments
-               can also be conducted at various steps in the Risk Management Framework, including
-               categorization, security control selection, security control implementation, security
-               control assessment, information system authorization, and security control
-               monitoring. RA-3 is noteworthy in that the control must be partially implemented
-               prior to the implementation of other controls in order to complete the first two
-               steps in the Risk Management Framework. Risk assessments can play an important role
-               in security control selection processes, particularly during the application of
-               tailoring guidance, which includes security control supplementation.</p>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-3.a_obj" name="objective">
-               <prop name="label">RA-3(a)</prop>
-               <p>conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of:</p>
-               <part id="ra-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(a)[1]</prop>
-                  <p>the information system;</p>
-               </part>
-               <part id="ra-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(a)[2]</prop>
-                  <p>the information the system processes, stores, or transmits;</p>
-               </part>
-            </part>
-            <part id="ra-3.b_obj" name="objective">
-               <prop name="label">RA-3(b)</prop>
-               <part id="ra-3.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(b)[1]</prop>
-                  <p>defines a document in which risk assessment results are to be documented (if
-                     not documented in the security plan or risk assessment report);</p>
-               </part>
-               <part id="ra-3.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(b)[2]</prop>
-                  <p>documents risk assessment results in one of the following:</p>
-                  <part id="ra-3.b_obj.2.a" name="objective">
-                     <prop name="label">RA-3(b)[2][a]</prop>
-                     <p>the security plan;</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.b" name="objective">
-                     <prop name="label">RA-3(b)[2][b]</prop>
-                     <p>the risk assessment report; or</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.c" name="objective">
-                     <prop name="label">RA-3(b)[2][c]</prop>
-                     <p>the organization-defined document;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-3.c_obj" name="objective">
-               <prop name="label">RA-3(c)</prop>
-               <part id="ra-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(c)[1]</prop>
-                  <p>defines the frequency to review risk assessment results;</p>
-               </part>
-               <part id="ra-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(c)[2]</prop>
-                  <p>reviews risk assessment results with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ra-3.d_obj" name="objective">
-               <prop name="label">RA-3(d)</prop>
-               <part id="ra-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(d)[1]</prop>
-                  <p>defines personnel or roles to whom risk assessment results are to be
-                     disseminated;</p>
-               </part>
-               <part id="ra-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(d)[2]</prop>
-                  <p>disseminates risk assessment results to organization-defined personnel or
-                     roles;</p>
-               </part>
-            </part>
-            <part id="ra-3.e_obj" name="objective">
-               <prop name="label">RA-3(e)</prop>
-               <part id="ra-3.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-3(e)[1]</prop>
-                  <p>defines the frequency to update the risk assessment;</p>
-               </part>
-               <part id="ra-3.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-3(e)[2]</prop>
-                  <p>updates the risk assessment:</p>
-                  <part id="ra-3.e_obj.2.a" name="objective">
-                     <prop name="label">RA-3(e)[2][a]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.b" name="objective">
-                     <prop name="label">RA-3(e)[2][b]</prop>
-                     <p>whenever there are significant changes to the information system or
-                        environment of operation (including the identification of new threats and
-                        vulnerabilities); and</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.c" name="objective">
-                     <prop name="label">RA-3(e)[2][c]</prop>
-                     <p>whenever there are other conditions that may impact the security state of
-                        the system.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing organizational assessments of risk</p>
-               <p>security plan</p>
-               <p>risk assessment</p>
-               <p>risk assessment results</p>
-               <p>risk assessment reviews</p>
-               <p>risk assessment updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for risk assessment</p>
-               <p>automated mechanisms supporting and/or for conducting, documenting, reviewing,
-                  disseminating, and updating the risk assessment</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-5">
-         <title>Vulnerability Scanning</title>
-         <param id="ra-5_prm_1">
-            <label>organization-defined frequency and/or randomly in accordance with
-               organization-defined process</label>
-            <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-         </param>
-         <param id="ra-5_prm_2">
-            <label>organization-defined response times</label>
-            <constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</constraint>
-         </param>
-         <param id="ra-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">RA-5</prop>
-         <prop name="sort-id">ra-05</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#15522e92-9192-463d-9646-6a01982db8ca" rel="reference">http://cwe.mitre.org</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <part id="ra-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Scans for vulnerabilities in the information system and hosted applications
-                     <insert param-id="ra-5_prm_1"/> and when new vulnerabilities potentially
-                  affecting the system/applications are identified and reported;</p>
-               <part id="ra-5_fr_smt.a" name="item">
-                  <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-                  <prop name="label">RA-5 (a)Requirement:</prop>
-                  <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-               </part>
-            </part>
-            <part id="ra-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Enumerating platforms, software flaws, and improper configurations;</p>
-               </part>
-               <part id="ra-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Formatting checklists and test procedures; and</p>
-               </part>
-               <part id="ra-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Analyzes vulnerability scan reports and results from security control
-                  assessments;</p>
-            </part>
-            <part id="ra-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Remediates legitimate vulnerabilities <insert param-id="ra-5_prm_2"/> in
-                  accordance with an organizational assessment of risk; and</p>
-            </part>
-            <part id="ra-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Shares information obtained from the vulnerability scanning process and security
-                  control assessments with <insert param-id="ra-5_prm_3"/> to help eliminate similar
-                  vulnerabilities in other information systems (i.e., systemic weaknesses or
-                  deficiencies).</p>
-               <part id="ra-5_fr_smt.e" name="item">
-                  <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-                  <prop name="label">RA-5 (e)Requirement:</prop>
-                  <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-5_gdn" name="guidance">
-            <p>Security categorization of information systems guides the frequency and
-               comprehensiveness of vulnerability scans. Organizations determine the required
-               vulnerability scanning for all information system components, ensuring that potential
-               sources of vulnerabilities such as networked printers, scanners, and copiers are not
-               overlooked. Vulnerability analyses for custom software applications may require
-               additional approaches such as static analysis, dynamic analysis, binary analysis, or
-               a hybrid of the three approaches. Organizations can employ these analysis approaches
-               in a variety of tools (e.g., web-based application scanners, static analysis tools,
-               binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-               example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-               protocols, and services that should not be accessible to users or devices; and (iii)
-               scanning for improperly configured or incorrectly operating information flow control
-               mechanisms. Organizations consider using tools that express vulnerabilities in the
-               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-               Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-               vulnerabilities. Suggested sources for vulnerability information include the Common
-               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-               addition, security control assessments such as red team exercises provide other
-               sources of potential vulnerabilities for which to scan. Organizations also consider
-               using tools that express vulnerability impact by the Common Vulnerability Scoring
-               System (CVSS).</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ra-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-5.a_obj" name="objective">
-               <prop name="label">RA-5(a)</prop>
-               <part id="ra-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(a)[1]</prop>
-                  <part id="ra-5.a_obj.1.a" name="objective">
-                     <prop name="label">RA-5(a)[1][a]</prop>
-                     <p>defines the frequency for conducting vulnerability scans on the information
-                        system and hosted applications; and/or</p>
-                  </part>
-                  <part id="ra-5.a_obj.1.b" name="objective">
-                     <prop name="label">RA-5(a)[1][b]</prop>
-                     <p>defines the process for conducting random vulnerability scans on the
-                        information system and hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(a)[2]</prop>
-                  <p>in accordance with the organization-defined frequency and/or
-                     organization-defined process for conducting random scans, scans for
-                     vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.2.a" name="objective">
-                     <prop name="label">RA-5(a)[2][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.2.b" name="objective">
-                     <prop name="label">RA-5(a)[2][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(a)[3]</prop>
-                  <p>when new vulnerabilities potentially affecting the system/applications are
-                     identified and reported, scans for vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.3.a" name="objective">
-                     <prop name="label">RA-5(a)[3][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.3.b" name="objective">
-                     <prop name="label">RA-5(a)[3][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.b_obj" name="objective">
-               <prop name="label">RA-5(b)</prop>
-               <p>employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5.b.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(1)</prop>
-                  <part id="ra-5.b.1_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(1)[1]</prop>
-                     <p>enumerating platforms;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(1)[2]</prop>
-                     <p>enumerating software flaws;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.3" name="objective">
-                     <prop name="label">RA-5(b)(1)[3]</prop>
-                     <p>enumerating improper configurations;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(2)</prop>
-                  <part id="ra-5.b.2_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(2)[1]</prop>
-                     <p>formatting checklists;</p>
-                  </part>
-                  <part id="ra-5.b.2_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(2)[2]</prop>
-                     <p>formatting test procedures;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.3_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(b)(3)</prop>
-                  <p>measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5.c_obj" name="objective">
-               <prop name="label">RA-5(c)</prop>
-               <part id="ra-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(c)[1]</prop>
-                  <p>analyzes vulnerability scan reports;</p>
-               </part>
-               <part id="ra-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(c)[2]</prop>
-                  <p>analyzes results from security control assessments;</p>
-               </part>
-            </part>
-            <part id="ra-5.d_obj" name="objective">
-               <prop name="label">RA-5(d)</prop>
-               <part id="ra-5.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(d)[1]</prop>
-                  <p>defines response times to remediate legitimate vulnerabilities in accordance
-                     with an organizational assessment of risk;</p>
-               </part>
-               <part id="ra-5.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(d)[2]</prop>
-                  <p>remediates legitimate vulnerabilities within the organization-defined response
-                     times in accordance with an organizational assessment of risk;</p>
-               </part>
-            </part>
-            <part id="ra-5.e_obj" name="objective">
-               <prop name="label">RA-5(e)</prop>
-               <part id="ra-5.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(e)[1]</prop>
-                  <p>defines personnel or roles with whom information obtained from the
-                     vulnerability scanning process and security control assessments is to be
-                     shared;</p>
-               </part>
-               <part id="ra-5.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(e)[2]</prop>
-                  <p>shares information obtained from the vulnerability scanning process with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies); and</p>
-               </part>
-               <part id="ra-5.e_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(e)[3]</prop>
-                  <p>shares information obtained from security control assessments with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>procedures addressing vulnerability scanning</p>
-               <p>risk assessment</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>vulnerability scanning tools and associated configuration documentation</p>
-               <p>vulnerability scanning results</p>
-               <p>patch and vulnerability management records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment, security control assessment and
-                  vulnerability scanning responsibilities</p>
-               <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-               <p>organizational personnel with vulnerability remediation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for vulnerability scanning, analysis, remediation, and
-                  information sharing</p>
-               <p>automated mechanisms supporting and/or implementing vulnerability scanning,
-                  analysis, remediation, and information sharing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ra-5.1">
-            <title>Update Tool Capability</title>
-            <prop name="label">RA-5(1)</prop>
-            <prop name="sort-id">ra-05.01</prop>
-            <part id="ra-5.1_smt" name="statement">
-               <p>The organization employs vulnerability scanning tools that include the capability
-                  to readily update the information system vulnerabilities to be scanned.</p>
-            </part>
-            <part id="ra-5.1_gdn" name="guidance">
-               <p>The vulnerabilities to be scanned need to be readily updated as new
-                  vulnerabilities are discovered, announced, and scanning methods developed. This
-                  updating process helps to ensure that potential vulnerabilities in the information
-                  system are identified and addressed as quickly as possible.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ra-5.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs vulnerability scanning tools that include
-                  the capability to readily update the information system vulnerabilities to be
-                  scanned.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.2">
-            <title>Update by Frequency / Prior to New Scan / When Identified</title>
-            <param id="ra-5.2_prm_1">
-               <constraint>prior to a new scan</constraint>
-            </param>
-            <param id="ra-5.2_prm_2" depends-on="ra-5.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">RA-5(2)</prop>
-            <prop name="sort-id">ra-05.02</prop>
-            <part id="ra-5.2_smt" name="statement">
-               <p>The organization updates the information system vulnerabilities scanned <insert param-id="ra-5.2_prm_1"/>.</p>
-            </part>
-            <part id="ra-5.2_gdn" name="guidance">
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-5">SI-5</link>
-            </part>
-            <part id="ra-5.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ra-5.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(2)[1]</prop>
-                  <p>defines the frequency to update the information system vulnerabilities
-                     scanned;</p>
-               </part>
-               <part id="ra-5.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(2)[2]</prop>
-                  <p>updates the information system vulnerabilities scanned one or more of the
-                     following:</p>
-                  <part id="ra-5.2_obj.2.a" name="objective">
-                     <prop name="label">RA-5(2)[2][a]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-                  <part id="ra-5.2_obj.2.b" name="objective">
-                     <prop name="label">RA-5(2)[2][b]</prop>
-                     <p>prior to a new scan; and/or</p>
-                  </part>
-                  <part id="ra-5.2_obj.2.c" name="objective">
-                     <prop name="label">RA-5(2)[2][c]</prop>
-                     <p>when new vulnerabilities are identified and reported.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.3">
-            <title>Breadth / Depth of Coverage</title>
-            <prop name="label">RA-5(3)</prop>
-            <prop name="sort-id">ra-05.03</prop>
-            <part id="ra-5.3_smt" name="statement">
-               <p>The organization employs vulnerability scanning procedures that can identify the
-                  breadth and depth of coverage (i.e., information system components scanned and
-                  vulnerabilities checked).</p>
-            </part>
-            <part id="ra-5.3_obj" name="objective">
-               <p>Determine if the organization employs vulnerability scanning procedures that can
-                  identify:</p>
-               <part id="ra-5.3_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(3)[1]</prop>
-                  <p>the breadth of coverage (i.e., information system components scanned); and</p>
-               </part>
-               <part id="ra-5.3_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(3)[2]</prop>
-                  <p>the depth of coverage (i.e., vulnerabilities checked).</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.5">
-            <title>Privileged Access</title>
-            <param id="ra-5.5_prm_1">
-               <label>organization-identified information system components</label>
-               <constraint>operating systems / web applications / databases</constraint>
-            </param>
-            <param id="ra-5.5_prm_2">
-               <label>organization-defined vulnerability scanning activities</label>
-               <constraint>all scans</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">RA-5(5)</prop>
-            <prop name="sort-id">ra-05.05</prop>
-            <part id="ra-5.5_smt" name="statement">
-               <p>The information system implements privileged access authorization to <insert param-id="ra-5.5_prm_1"/> for selected <insert param-id="ra-5.5_prm_2"/>.</p>
-            </part>
-            <part id="ra-5.5_gdn" name="guidance">
-               <p>In certain situations, the nature of the vulnerability scanning may be more
-                  intrusive or the information system component that is the subject of the scanning
-                  may contain highly sensitive information. Privileged access authorization to
-                  selected system components facilitates more thorough vulnerability scanning and
-                  also protects the sensitive nature of such scanning.</p>
-            </part>
-            <part id="ra-5.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ra-5.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(5)[1]</prop>
-                  <p>the organization defines information system components to which privileged
-                     access is authorized for selected vulnerability scanning activities;</p>
-               </part>
-               <part id="ra-5.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">RA-5(5)[2]</prop>
-                  <p>the organization defines vulnerability scanning activities selected for
-                     privileged access authorization to organization-defined information system
-                     components; and</p>
-               </part>
-               <part id="ra-5.5_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">RA-5(5)[3]</prop>
-                  <p>the information system implements privileged access authorization to
-                     organization-defined information system components for selected
-                     organization-defined vulnerability scanning activities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of information system components for vulnerability scanning</p>
-                  <p>personnel access authorization list</p>
-                  <p>authorization credentials</p>
-                  <p>access authorization records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel responsible for access control to the information
-                     system</p>
-                  <p>organizational personnel responsible for configuration management of the
-                     information system</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>organizational processes for access control</p>
-                  <p>automated mechanisms supporting and/or implementing access control</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.6">
-            <title>Automated Trend Analyses</title>
-            <prop name="label">RA-5(6)</prop>
-            <prop name="sort-id">ra-05.06</prop>
-            <part id="ra-5.6_smt" name="statement">
-               <p>The organization employs automated mechanisms to compare the results of
-                  vulnerability scans over time to determine trends in information system
-                  vulnerabilities.</p>
-               <part id="ra-5.6_fr" name="item">
-                  <title>RA-5 (6) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ra-5.6_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>Include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.6_gdn" name="guidance">
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#ir-5">IR-5</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="ra-5.6_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated mechanisms to compare the results
-                  of vulnerability scans over time to determine trends in information system
-                  vulnerabilities.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>information system design documentation</p>
-                  <p>vulnerability scanning tools and techniques documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms supporting and/or implementing trend analysis of
-                     vulnerability scan results</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.8">
-            <title>Review Historic Audit Logs</title>
-            <prop name="label">RA-5(8)</prop>
-            <prop name="sort-id">ra-05.08</prop>
-            <part id="ra-5.8_smt" name="statement">
-               <p>The organization reviews historic audit logs to determine if a vulnerability
-                  identified in the information system has been previously exploited.</p>
-               <part id="ra-5.8_fr" name="item">
-                  <title>RA-5 (8) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="ra-5.8_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>This enhancement is required for all high vulnerability scan findings.</p>
-                  </part>
-                  <part id="ra-5.8_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.8_gdn" name="guidance">
-               <link rel="related" href="#au-6">AU-6</link>
-            </part>
-            <part id="ra-5.8_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization reviews historic audit logs to determine if a
-                  vulnerability identified in the information system has been previously exploited.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>audit logs</p>
-                  <p>records of audit log reviews</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with audit record review responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>organizational process for audit record review and response</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms supporting and/or implementing audit record review</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="sa">
-      <title>System and Services Acquisition</title>
-      <control class="SP800-53" id="sa-1">
-         <title>System and Services Acquisition Policy and Procedures</title>
-         <param id="sa-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sa-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="sa-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SA-1</prop>
-         <prop name="sort-id">sa-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sa-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sa-1_prm_1"/>:</p>
-               <part id="sa-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and services acquisition policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="sa-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and services
-                     acquisition policy and associated system and services acquisition controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sa-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sa-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and services acquisition policy <insert param-id="sa-1_prm_2"/>; and</p>
-               </part>
-               <part id="sa-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and services acquisition procedures <insert param-id="sa-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sa-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-1.a_obj" name="objective">
-               <prop name="label">SA-1(a)</prop>
-               <part id="sa-1.a.1_obj" name="objective">
-                  <prop name="label">SA-1(a)(1)</prop>
-                  <part id="sa-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and services acquisition policy that
-                        addresses:</p>
-                     <part id="sa-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sa-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and services acquisition
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-1(a)(1)[3]</prop>
-                     <p>disseminates the system and services acquisition policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sa-1.a.2_obj" name="objective">
-                  <prop name="label">SA-1(a)(2)</prop>
-                  <part id="sa-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and services acquisition policy and associated system and services
-                        acquisition controls;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-1.b_obj" name="objective">
-               <prop name="label">SA-1(b)</prop>
-               <part id="sa-1.b.1_obj" name="objective">
-                  <prop name="label">SA-1(b)(1)</prop>
-                  <part id="sa-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition policy;</p>
-                  </part>
-                  <part id="sa-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sa-1.b.2_obj" name="objective">
-                  <prop name="label">SA-1(b)(2)</prop>
-                  <part id="sa-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition procedures; and</p>
-                  </part>
-                  <part id="sa-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-2">
-         <title>Allocation of Resources</title>
-         <prop name="label">SA-2</prop>
-         <prop name="sort-id">sa-02</prop>
-         <link href="#29fcfe59-33cd-494a-8756-5907ae3a8f92" rel="reference">NIST Special Publication 800-65</link>
-         <part id="sa-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Determines, documents, and allocates the resources required to protect the
-                  information system or information system service as part of its capital planning
-                  and investment control process; and</p>
-            </part>
-            <part id="sa-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part id="sa-2_gdn" name="guidance">
-            <p>Resource allocation for information security includes funding for the initial
-               information system or information system service acquisition and funding for the
-               sustainment of the system/service.</p>
-            <link rel="related" href="#pm-3">PM-3</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="sa-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-2.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-2(a)</prop>
-               <p>determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-2(b)</prop>
-               <p>to protect the information system or information system service as part of its
-                  capital planning and investment control process:</p>
-               <part id="sa-2.b_obj.1" name="objective">
-                  <prop name="label">SA-2(b)[1]</prop>
-                  <p>determines the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.2" name="objective">
-                  <prop name="label">SA-2(b)[2]</prop>
-                  <p>documents the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.3" name="objective">
-                  <prop name="label">SA-2(b)[3]</prop>
-                  <p>allocates the resources required; and</p>
-               </part>
-            </part>
-            <part id="sa-2.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-2(c)</prop>
-               <p>establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the allocation of resources to information security
-                  requirements</p>
-               <p>procedures addressing capital planning and investment control</p>
-               <p>organizational programming and budgeting documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with capital planning, investment control, organizational
-                  programming and budgeting responsibilities</p>
-               <p>organizational personnel responsible for determining information security
-                  requirements for information systems/services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information security requirements</p>
-               <p>organizational processes for capital planning, programming, and budgeting</p>
-               <p>automated mechanisms supporting and/or implementing organizational capital
-                  planning, programming, and budgeting</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-3">
-         <title>System Development Life Cycle</title>
-         <param id="sa-3_prm_1">
-            <label>organization-defined system development life cycle</label>
-         </param>
-         <prop name="label">SA-3</prop>
-         <prop name="sort-id">sa-03</prop>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <part id="sa-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Manages the information system using <insert param-id="sa-3_prm_1"/> that
-                  incorporates information security considerations;</p>
-            </part>
-            <part id="sa-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part id="sa-3_gdn" name="guidance">
-            <p>A well-defined system development life cycle provides the foundation for the
-               successful development, implementation, and operation of organizational information
-               systems. To apply the required security controls within the system development life
-               cycle requires a basic understanding of information security, threats,
-               vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-               The security engineering principles in SA-8 cannot be properly applied if individuals
-               that design, code, and test information systems and system components (including
-               information technology products) do not understand security. Therefore, organizations
-               include qualified personnel, for example, chief information security officers,
-               security architects, security engineers, and information system security officers in
-               system development life cycle activities to ensure that security requirements are
-               incorporated into organizational information systems. It is equally important that
-               developers include individuals on the development team that possess the requisite
-               security expertise and skills to ensure that needed security capabilities are
-               effectively integrated into the information system. Security awareness and training
-               programs can help ensure that individuals having key security roles and
-               responsibilities have the appropriate experience, skills, and expertise to conduct
-               assigned system development life cycle activities. The effective integration of
-               security requirements into enterprise architecture also helps to ensure that
-               important security considerations are addressed early in the system development life
-               cycle and that those considerations are directly related to the organizational
-               mission/business processes. This process also facilitates the integration of the
-               information security architecture into the enterprise architecture, consistent with
-               organizational risk management and information security strategies.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-3.a_obj" name="objective">
-               <prop name="label">SA-3(a)</prop>
-               <part id="sa-3.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-3(a)[1]</prop>
-                  <p>defines a system development life cycle that incorporates information security
-                     considerations to be used to manage the information system;</p>
-               </part>
-               <part id="sa-3.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-3(a)[2]</prop>
-                  <p>manages the information system using the organization-defined system
-                     development life cycle;</p>
-               </part>
-            </part>
-            <part id="sa-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-3(b)</prop>
-               <p>defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-3(c)</prop>
-               <p>identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-3(d)</prop>
-               <p>integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security into the system
-                  development life cycle process</p>
-               <p>information system development life cycle documentation</p>
-               <p>information security risk management strategy/program documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security and system life cycle
-                  development responsibilities</p>
-               <p>organizational personnel with information security risk management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining and documenting the SDLC</p>
-               <p>organizational processes for identifying SDLC roles and responsibilities</p>
-               <p>organizational process for integrating information security risk management into
-                  the SDLC</p>
-               <p>automated mechanisms supporting and/or implementing the SDLC</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-4">
-         <title>Acquisition Process</title>
-         <prop name="label">SA-4</prop>
-         <prop name="sort-id">sa-04</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#1737a687-52fb-4008-b900-cbfa836f7b65" rel="reference">ISO/IEC 15408</link>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#0a5db899-f033-467f-8631-f5a8ba971475" rel="reference">NIST Special Publication 800-23</link>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <link href="#d818efd3-db31-4953-8afa-9e76afe83ce2" rel="reference">NIST Special Publication 800-36</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#56d671da-6b7b-4abf-8296-84b61980390a" rel="reference">Federal Acquisition Regulation</link>
-         <link href="#c95a9986-3cd6-4a98-931b-ccfc56cb11e5" rel="reference">http://www.niap-ccevs.org</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <link href="#bbd50dd1-54ce-4432-959d-63ea564b1bb4" rel="reference">http://www.acquisition.gov/far</link>
-         <part id="sa-4_smt" name="statement">
-            <p>The organization includes the following requirements, descriptions, and criteria,
-               explicitly or by reference, in the acquisition contract for the information system,
-               system component, or information system service in accordance with applicable federal
-               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-               organizational mission/business needs:</p>
-            <part id="sa-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Security functional requirements;</p>
-            </part>
-            <part id="sa-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Security strength requirements;</p>
-            </part>
-            <part id="sa-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Security assurance requirements;</p>
-            </part>
-            <part id="sa-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Description of the information system development environment and environment in
-                  which the system is intended to operate; and</p>
-            </part>
-            <part id="sa-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Acceptance criteria.</p>
-            </part>
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-4_gdn" name="guidance">
-            <p>Information system components are discrete, identifiable information technology
-               assets (e.g., hardware, software, or firmware) that represent the building blocks of
-               an information system. Information system components include commercial information
-               technology products. Security functional requirements include security capabilities,
-               security functions, and security mechanisms. Security strength requirements
-               associated with such capabilities, functions, and mechanisms include degree of
-               correctness, completeness, resistance to direct attack, and resistance to tampering
-               or bypass. Security assurance requirements include: (i) development processes,
-               procedures, practices, and methodologies; and (ii) evidence from development and
-               assessment activities providing grounds for confidence that the required security
-               functionality has been implemented and the required security strength has been
-               achieved. Security documentation requirements address all phases of the system
-               development life cycle. Security functionality, assurance, and documentation
-               requirements are expressed in terms of security controls and control enhancements
-               that have been selected through the tailoring process. The security control tailoring
-               process includes, for example, the specification of parameter values through the use
-               of assignment and selection statements and the specification of platform dependencies
-               and implementation information. Security documentation provides user and
-               administrator guidance regarding the implementation and operation of security
-               controls. The level of detail required in security documentation is based on the
-               security category or classification level of the information system and the degree to
-               which organizations depend on the stated security capability, functions, or
-               mechanisms to meet overall risk response expectations (as defined in the
-               organizational risk management strategy). Security requirements can also include
-               organizationally mandated configuration settings specifying allowed functions, ports,
-               protocols, and services. Acceptance criteria for information systems, information
-               system components, and information system services are defined in the same manner as
-               such criteria for any organizational acquisition or procurement. The Federal
-               Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-               from FISMA.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="sa-4_obj" name="objective">
-            <p>Determine if the organization includes the following requirements, descriptions, and
-               criteria, explicitly or by reference, in the acquisition contracts for the
-               information system, system component, or information system service in accordance
-               with applicable federal laws, Executive Orders, directives, policies, regulations,
-               standards, guidelines, and organizational mission/business needs:</p>
-            <part id="sa-4.a_obj" name="objective">
-               <prop name="label">SA-4(a)</prop>
-               <p>security functional requirements;</p>
-            </part>
-            <part id="sa-4.b_obj" name="objective">
-               <prop name="label">SA-4(b)</prop>
-               <p>security strength requirements;</p>
-            </part>
-            <part id="sa-4.c_obj" name="objective">
-               <prop name="label">SA-4(c)</prop>
-               <p>security assurance requirements;</p>
-            </part>
-            <part id="sa-4.d_obj" name="objective">
-               <prop name="label">SA-4(d)</prop>
-               <p>security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4.e_obj" name="objective">
-               <prop name="label">SA-4(e)</prop>
-               <p>requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4.f_obj" name="objective">
-               <prop name="label">SA-4(f)</prop>
-               <p>description of:</p>
-               <part id="sa-4.f_obj.1" name="objective">
-                  <prop name="label">SA-4(f)[1]</prop>
-                  <p>the information system development environment;</p>
-               </part>
-               <part id="sa-4.f_obj.2" name="objective">
-                  <prop name="label">SA-4(f)[2]</prop>
-                  <p>the environment in which the system is intended to operate; and</p>
-               </part>
-            </part>
-            <part id="sa-4.g_obj" name="objective">
-               <prop name="label">SA-4(g)</prop>
-               <p>acceptance criteria.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security requirements,
-                  descriptions, and criteria into the acquisition process</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>information system design documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security functional, strength, and assurance requirements</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information system security functional,
-                  strength, and assurance requirements</p>
-               <p>organizational processes for developing acquisition contracts</p>
-               <p>automated mechanisms supporting and/or implementing acquisitions and inclusion of
-                  security requirements in contracts</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-4.1">
-            <title>Functional Properties of Security Controls</title>
-            <prop name="label">SA-4(1)</prop>
-            <prop name="sort-id">sa-04.01</prop>
-            <part id="sa-4.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to provide a description of the
-                  functional properties of the security controls to be employed.</p>
-            </part>
-            <part id="sa-4.1_gdn" name="guidance">
-               <p>Functional properties of security controls describe the functionality (i.e.,
-                  security capability, functions, or mechanisms) visible at the interfaces of the
-                  controls and specifically exclude functionality and data structures internal to
-                  the operation of the controls.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-4.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to provide a description of the
-                  functional properties of the security controls to be employed.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security functional requirements</p>
-                  <p>information system developer or service provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for determining information system security
-                     functional, requirements</p>
-                  <p>organizational processes for developing acquisition contracts</p>
-                  <p>automated mechanisms supporting and/or implementing acquisitions and inclusion
-                     of security requirements in contracts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.2">
-            <title>Design / Implementation Information for Security Controls</title>
-            <param id="sa-4.2_prm_1">
-               <constraint>to include security-relevant external system interfaces and high-level design</constraint>
-            </param>
-            <param id="sa-4.2_prm_2" depends-on="sa-4.2_prm_1">
-               <label>organization-defined design/implementation information</label>
-            </param>
-            <param id="sa-4.2_prm_3">
-               <label>organization-defined level of detail</label>
-            </param>
-            <prop name="label">SA-4(2)</prop>
-            <prop name="sort-id">sa-04.02</prop>
-            <part id="sa-4.2_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to provide design and implementation
-                  information for the security controls to be employed that includes: <insert param-id="sa-4.2_prm_1"/> at <insert param-id="sa-4.2_prm_3"/>.</p>
-            </part>
-            <part id="sa-4.2_gdn" name="guidance">
-               <p>Organizations may require different levels of detail in design and implementation
-                  documentation for security controls employed in organizational information
-                  systems, system components, or information system services based on
-                  mission/business requirements, requirements for trustworthiness/resiliency, and
-                  requirements for analysis and testing. Information systems can be partitioned into
-                  multiple subsystems. Each subsystem within the system can contain one or more
-                  modules. The high-level design for the system is expressed in terms of multiple
-                  subsystems and the interfaces between subsystems providing security-relevant
-                  functionality. The low-level design for the system is expressed in terms of
-                  modules with particular emphasis on software and firmware (but not excluding
-                  hardware) and the interfaces between modules providing security-relevant
-                  functionality. Source code and hardware schematics are typically referred to as
-                  the implementation representation of the information system.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-4.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-4(2)[1]</prop>
-                  <p>defines level of detail that the developer is required to provide in design and
-                     implementation information for the security controls to be employed in the
-                     information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-4.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-4(2)[2]</prop>
-                  <p>defines design/implementation information that the developer is to provide for
-                     the security controls to be employed (if selected);</p>
-               </part>
-               <part id="sa-4.2_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-4(2)[3]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to provide design and implementation information for
-                     the security controls to be employed that includes, at the organization-defined
-                     level of detail, one or more of the following:</p>
-                  <part id="sa-4.2_obj.3.a" name="objective">
-                     <prop name="label">SA-4(2)[3][a]</prop>
-                     <p>security-relevant external system interfaces;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.b" name="objective">
-                     <prop name="label">SA-4(2)[3][b]</prop>
-                     <p>high-level design;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.c" name="objective">
-                     <prop name="label">SA-4(2)[3][c]</prop>
-                     <p>low-level design;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.d" name="objective">
-                     <prop name="label">SA-4(2)[3][d]</prop>
-                     <p>source code;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.e" name="objective">
-                     <prop name="label">SA-4(2)[3][e]</prop>
-                     <p>hardware schematics; and/or</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.f" name="objective">
-                     <prop name="label">SA-4(2)[3][f]</prop>
-                     <p>organization-defined design/implementation information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system components, or
-                     information system services</p>
-                  <p>design and implementation information for security controls employed in the
-                     information system, system component, or information system service</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>information system developer or service provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for determining level of detail for system design and
-                     security controls</p>
-                  <p>organizational processes for developing acquisition contracts</p>
-                  <p>automated mechanisms supporting and/or implementing development of system
-                     design details</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.8">
-            <title>Continuous Monitoring Plan</title>
-            <param id="sa-4.8_prm_1">
-               <label>organization-defined level of detail</label>
-               <constraint>at least the minimum requirement as defined in control CA-7</constraint>
-            </param>
-            <prop name="label">SA-4(8)</prop>
-            <prop name="sort-id">sa-04.08</prop>
-            <part id="sa-4.8_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to produce a plan for the continuous
-                  monitoring of security control effectiveness that contains <insert param-id="sa-4.8_prm_1"/>.</p>
-               <part id="sa-4.8_fr" name="item">
-                  <title>SA-4 (8) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="sa-4.8_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-4.8_gdn" name="guidance">
-               <p>The objective of continuous monitoring plans is to determine if the complete set
-                  of planned, required, and deployed security controls within the information
-                  system, system component, or information system service continue to be effective
-                  over time based on the inevitable changes that occur. Developer continuous
-                  monitoring plans include a sufficient level of detail such that the information
-                  can be incorporated into the continuous monitoring strategies and programs
-                  implemented by organizations.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="sa-4.8_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.8_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-4(8)[1]</prop>
-                  <p>defines the level of detail the developer of the information system, system
-                     component, or information system service is required to provide when producing
-                     a plan for the continuous monitoring of security control effectiveness; and</p>
-               </part>
-               <part id="sa-4.8_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-4(8)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to produce a plan for the continuous monitoring of
-                     security control effectiveness that contains the organization-defined level of
-                     detail.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing developer continuous monitoring plans</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>developer continuous monitoring plans</p>
-                  <p>security assessment plans</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>information system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Vendor processes for continuous monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing developer continuous
-                     monitoring</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.9">
-            <title>Functions / Ports / Protocols / Services in Use</title>
-            <prop name="label">SA-4(9)</prop>
-            <prop name="sort-id">sa-04.09</prop>
-            <part id="sa-4.9_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to identify early in the system
-                  development life cycle, the functions, ports, protocols, and services intended for
-                  organizational use.</p>
-            </part>
-            <part id="sa-4.9_gdn" name="guidance">
-               <p>The identification of functions, ports, protocols, and services early in the
-                  system development life cycle (e.g., during the initial requirements definition
-                  and design phases) allows organizations to influence the design of the information
-                  system, information system component, or information system service. This early
-                  involvement in the life cycle helps organizations to avoid or minimize the use of
-                  functions, ports, protocols, or services that pose unnecessarily high risks and
-                  understand the trade-offs involved in blocking specific ports, protocols, or
-                  services (or when requiring information system service providers to do so). Early
-                  identification of functions, ports, protocols, and services avoids costly
-                  retrofitting of security controls after the information system, system component,
-                  or information system service has been implemented. SA-9 describes requirements
-                  for external information system services with organizations identifying which
-                  functions, ports, protocols, and services are provided from external sources.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#sa-9">SA-9</link>
-            </part>
-            <part id="sa-4.9_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to identify early in the system
-                  development life cycle:</p>
-               <part id="sa-4.9_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">SA-4(9)[1]</prop>
-                  <p>the functions intended for organizational use;</p>
-               </part>
-               <part id="sa-4.9_obj.2" name="objective">
-                  <prop name="label">SA-4(9)[2]</prop>
-                  <p>the ports intended for organizational use;</p>
-               </part>
-               <part id="sa-4.9_obj.3" name="objective">
-                  <prop name="label">SA-4(9)[3]</prop>
-                  <p>the protocols intended for organizational use; and</p>
-               </part>
-               <part id="sa-4.9_obj.4" name="objective">
-                  <prop name="label">SA-4(9)[4]</prop>
-                  <p>the services intended for organizational use.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system documentation including functions, ports, protocols, and
-                     services intended for organizational use</p>
-                  <p>acquisition contracts for information systems or services</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>organizational security requirements, descriptions, and criteria for developers
-                     of information systems, system components, and information system services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel operating, using, and/or maintaining the information
-                     system</p>
-                  <p>information system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.10">
-            <title>Use of Approved PIV Products</title>
-            <prop name="label">SA-4(10)</prop>
-            <prop name="sort-id">sa-04.10</prop>
-            <part id="sa-4.10_smt" name="statement">
-               <p>The organization employs only information technology products on the FIPS
-                  201-approved products list for Personal Identity Verification (PIV) capability
-                  implemented within organizational information systems.</p>
-            </part>
-            <part id="sa-4.10_gdn" name="guidance">
-               <link rel="related" href="#ia-2">IA-2</link>
-               <link rel="related" href="#ia-8">IA-8</link>
-            </part>
-            <part id="sa-4.10_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs only information technology products on the
-                  FIPS 201-approved products list for Personal Identity Verification (PIV)
-                  capability implemented within organizational information systems. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>organizational personnel with responsibility for ensuring only FIPS
-                     201-approved products are implemented</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for selecting and employing FIPS 201-approved
-                     products</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-5">
-         <title>Information System Documentation</title>
-         <param id="sa-5_prm_1">
-            <label>organization-defined actions</label>
-         </param>
-         <param id="sa-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SA-5</prop>
-         <prop name="sort-id">sa-05</prop>
-         <part id="sa-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Secure configuration, installation, and operation of the system, component, or
-                     service;</p>
-               </part>
-               <part id="sa-5_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Effective use and maintenance of security functions/mechanisms; and</p>
-               </part>
-               <part id="sa-5_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>User-accessible security functions/mechanisms and how to effectively use those
-                     security functions/mechanisms;</p>
-               </part>
-               <part id="sa-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner; and</p>
-               </part>
-               <part id="sa-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>User responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents attempts to obtain information system, system component, or information
-                  system service documentation when such documentation is either unavailable or
-                  nonexistent and takes <insert param-id="sa-5_prm_1"/> in response;</p>
-            </part>
-            <part id="sa-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects documentation as required, in accordance with the risk management
-                  strategy; and</p>
-            </part>
-            <part id="sa-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Distributes documentation to <insert param-id="sa-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="sa-5_gdn" name="guidance">
-            <p>This control helps organizational personnel understand the implementation and
-               operation of security controls associated with information systems, system
-               components, and information system services. Organizations consider establishing
-               specific measures to determine the quality/completeness of the content provided. The
-               inability to obtain needed documentation may occur, for example, due to the age of
-               the information system/component or lack of support from developers and contractors.
-               In those situations, organizations may need to recreate selected documentation if
-               such documentation is essential to the effective implementation or operation of
-               security controls. The level of protection provided for selected information system,
-               component, or service documentation is commensurate with the security category or
-               classification of the system. For example, documentation associated with a key DoD
-               weapons system or command and control system would typically require a higher level
-               of protection than a routine administrative system. Documentation that addresses
-               information system vulnerabilities may also require an increased level of protection.
-               Secure operation of the information system, includes, for example, initially starting
-               the system and resuming secure system operation after any lapse in system
-               operation.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-         </part>
-         <part id="sa-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-5.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-5(a)</prop>
-               <p>obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5.a.1_obj" name="objective">
-                  <prop name="label">SA-5(a)(1)</prop>
-                  <part id="sa-5.a.1_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(1)[1]</prop>
-                     <p>secure configuration of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(1)[2]</prop>
-                     <p>secure installation of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.3" name="objective">
-                     <prop name="label">SA-5(a)(1)[3]</prop>
-                     <p>secure operation of the system, system component, or service;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.2_obj" name="objective">
-                  <prop name="label">SA-5(a)(2)</prop>
-                  <part id="sa-5.a.2_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(2)[1]</prop>
-                     <p>effective use of the security features/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.a.2_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(2)[2]</prop>
-                     <p>effective maintenance of the security features/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.3_obj" name="objective">
-                  <prop name="label">SA-5(a)(3)</prop>
-                  <p>known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SA-5(b)</prop>
-               <p>obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5.b.1_obj" name="objective">
-                  <prop name="label">SA-5(b)(1)</prop>
-                  <part id="sa-5.b.1_obj.1" name="objective">
-                     <prop name="label">SA-5(b)(1)[1]</prop>
-                     <p>user-accessible security functions/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.b.1_obj.2" name="objective">
-                     <prop name="label">SA-5(b)(1)[2]</prop>
-                     <p>how to effectively use those functions/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.b.2_obj" name="objective">
-                  <prop name="label">SA-5(b)(2)</prop>
-                  <p>methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner;</p>
-               </part>
-               <part id="sa-5.b.3_obj" name="objective">
-                  <prop name="label">SA-5(b)(3)</prop>
-                  <p>user responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5.c_obj" name="objective">
-               <prop name="label">SA-5(c)</prop>
-               <part id="sa-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-5(c)[1]</prop>
-                  <p>defines actions to be taken after documented attempts to obtain information
-                     system, system component, or information system service documentation when such
-                     documentation is either unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(c)[2]</prop>
-                  <p>documents attempts to obtain information system, system component, or
-                     information system service documentation when such documentation is either
-                     unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(c)[3]</prop>
-                  <p>takes organization-defined actions in response;</p>
-               </part>
-            </part>
-            <part id="sa-5.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-5(d)</prop>
-               <p>protects documentation as required, in accordance with the risk management
-                  strategy;</p>
-            </part>
-            <part id="sa-5.e_obj" name="objective">
-               <prop name="label">SA-5(e)</prop>
-               <part id="sa-5.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-5(e)[1]</prop>
-                  <p>defines personnel or roles to whom documentation is to be distributed; and</p>
-               </part>
-               <part id="sa-5.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-5(e)[2]</prop>
-                  <p>distributes documentation to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing information system documentation</p>
-               <p>information system documentation including administrator and user guides</p>
-               <p>records documenting attempts to obtain unavailable or nonexistent information
-                  system documentation</p>
-               <p>list of actions to be taken in response to documented attempts to obtain
-                  information system, system component, or information system service
-                  documentation</p>
-               <p>risk management strategy documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security requirements</p>
-               <p>system administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>information system developers</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for obtaining, protecting, and distributing information
-                  system administrator and user documentation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-8">
-         <title>Security Engineering Principles</title>
-         <prop name="label">SA-8</prop>
-         <prop name="sort-id">sa-08</prop>
-         <link href="#21b1ed35-56d2-40a8-bdfe-b461fffe322f" rel="reference">NIST Special Publication 800-27</link>
-         <part id="sa-8_smt" name="statement">
-            <p>The organization applies information system security engineering principles in the
-               specification, design, development, implementation, and modification of the
-               information system.</p>
-         </part>
-         <part id="sa-8_gdn" name="guidance">
-            <p>Organizations apply security engineering principles primarily to new development
-               information systems or systems undergoing major upgrades. For legacy systems,
-               organizations apply security engineering principles to system upgrades and
-               modifications to the extent feasible, given the current state of hardware, software,
-               and firmware within those systems. Security engineering principles include, for
-               example: (i) developing layered protections; (ii) establishing sound security policy,
-               architecture, and controls as the foundation for design; (iii) incorporating security
-               requirements into the system development life cycle; (iv) delineating physical and
-               logical security boundaries; (v) ensuring that system developers are trained on how
-               to build secure software; (vi) tailoring security controls to meet organizational and
-               operational needs; (vii) performing threat modeling to identify use cases, threat
-               agents, attack vectors, and attack patterns as well as compensating controls and
-               design patterns needed to mitigate risk; and (viii) reducing risk to acceptable
-               levels, thus enabling informed risk management decisions.</p>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sa-8_obj" name="objective">
-            <p>Determine if the organization applies information system security engineering
-               principles in: </p>
-            <part id="sa-8_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-8[1]</prop>
-               <p>the specification of the information system;</p>
-            </part>
-            <part id="sa-8_obj.2" name="objective">
-               <prop name="label">SA-8[2]</prop>
-               <p>the design of the information system;</p>
-            </part>
-            <part id="sa-8_obj.3" name="objective">
-               <prop name="label">SA-8[3]</prop>
-               <p>the development of the information system;</p>
-            </part>
-            <part id="sa-8_obj.4" name="objective">
-               <prop name="label">SA-8[4]</prop>
-               <p>the implementation of the information system; and</p>
-            </part>
-            <part id="sa-8_obj.5" name="objective">
-               <prop name="label">SA-8[5]</prop>
-               <p>the modification of the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing security engineering principles used in the specification,
-                  design, development, implementation, and modification of the information
-                  system</p>
-               <p>information system design documentation</p>
-               <p>information security requirements and specifications for the information
-                  system</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security requirements</p>
-               <p>organizational personnel with information system specification, design,
-                  development, implementation, and modification responsibilities</p>
-               <p>information system developers</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for applying security engineering principles in
-                  information system specification, design, development, implementation, and
-                  modification</p>
-               <p>automated mechanisms supporting the application of security engineering principles
-                  in information system specification, design, development, implementation, and
-                  modification</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-9">
-         <title>External Information System Services</title>
-         <param id="sa-9_prm_1">
-            <label>organization-defined security controls</label>
-            <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-         </param>
-         <param id="sa-9_prm_2">
-            <label>organization-defined processes, methods, and techniques</label>
-            <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-         </param>
-         <prop name="label">SA-9</prop>
-         <prop name="sort-id">sa-09</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="sa-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires that providers of external information system services comply with
-                  organizational information security requirements and employ <insert param-id="sa-9_prm_1"/> in accordance with applicable federal laws, Executive
-                  Orders, directives, policies, regulations, standards, and guidance;</p>
-            </part>
-            <part id="sa-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents government oversight and user roles and responsibilities
-                  with regard to external information system services; and</p>
-            </part>
-            <part id="sa-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs <insert param-id="sa-9_prm_2"/> to monitor security control compliance by
-                  external service providers on an ongoing basis.</p>
-            </part>
-         </part>
-         <part id="sa-9_gdn" name="guidance">
-            <p>External information system services are services that are implemented outside of the
-               authorization boundaries of organizational information systems. This includes
-               services that are used by, but not a part of, organizational information systems.
-               FISMA and OMB policy require that organizations using external service providers that
-               are processing, storing, or transmitting federal information or operating information
-               systems on behalf of the federal government ensure that such providers meet the same
-               security requirements that federal agencies are required to meet. Organizations
-               establish relationships with external service providers in a variety of ways
-               including, for example, through joint ventures, business partnerships, contracts,
-               interagency agreements, lines of business arrangements, licensing agreements, and
-               supply chain exchanges. The responsibility for managing risks from the use of
-               external information system services remains with authorizing officials. For services
-               external to organizations, a chain of trust requires that organizations establish and
-               retain a level of confidence that each participating provider in the potentially
-               complex consumer-provider relationship provides adequate protection for the services
-               rendered. The extent and nature of this chain of trust varies based on the
-               relationships between organizations and the external providers. Organizations
-               document the basis for trust relationships so the relationships can be monitored over
-               time. External information system services documentation includes government, service
-               providers, end user security roles and responsibilities, and service-level
-               agreements. Service-level agreements define expectations of performance for security
-               controls, describe measurable outcomes, and identify remedies and response
-               requirements for identified instances of noncompliance.</p>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ir-7">IR-7</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-         </part>
-         <part id="sa-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-9.a_obj" name="objective">
-               <prop name="label">SA-9(a)</prop>
-               <part id="sa-9.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[1]</prop>
-                  <p>defines security controls to be employed by providers of external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[2]</prop>
-                  <p>requires that providers of external information system services comply with
-                     organizational information security requirements;</p>
-               </part>
-               <part id="sa-9.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(a)[3]</prop>
-                  <p>requires that providers of external information system services employ
-                     organization-defined security controls in accordance with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance;</p>
-               </part>
-            </part>
-            <part id="sa-9.b_obj" name="objective">
-               <prop name="label">SA-9(b)</prop>
-               <part id="sa-9.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(b)[1]</prop>
-                  <p>defines and documents government oversight with regard to external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(b)[2]</prop>
-                  <p>defines and documents user roles and responsibilities with regard to external
-                     information system services;</p>
-               </part>
-            </part>
-            <part id="sa-9.c_obj" name="objective">
-               <prop name="label">SA-9(c)</prop>
-               <part id="sa-9.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(c)[1]</prop>
-                  <p>defines processes, methods, and techniques to be employed to monitor security
-                     control compliance by external service providers; and</p>
-               </part>
-               <part id="sa-9.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(c)[2]</prop>
-                  <p>employs organization-defined processes, methods, and techniques to monitor
-                     security control compliance by external service providers on an ongoing
-                     basis.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing external information system services</p>
-               <p>procedures addressing methods and techniques for monitoring security control
-                  compliance by external service providers of information system services</p>
-               <p>acquisition contracts, service-level agreements</p>
-               <p>organizational security requirements and security specifications for external
-                  provider services</p>
-               <p>security control assessment evidence from external providers of information system
-                  services</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>external providers of information system services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-               <p>automated mechanisms for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-9.1">
-            <title>Risk Assessments / Organizational Approvals</title>
-            <param id="sa-9.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SA-9(1)</prop>
-            <prop name="sort-id">sa-09.01</prop>
-            <part id="sa-9.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sa-9.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Conducts an organizational assessment of risk prior to the acquisition or
-                     outsourcing of dedicated information security services; and</p>
-               </part>
-               <part id="sa-9.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Ensures that the acquisition or outsourcing of dedicated information security
-                     services is approved by <insert param-id="sa-9.1_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="sa-9.1_gdn" name="guidance">
-               <p>Dedicated information security services include, for example, incident monitoring,
-                  analysis and response, operation of information security-related devices such as
-                  firewalls, or key management services.</p>
-               <link rel="related" href="#ca-6">CA-6</link>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="sa-9.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.1.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(1)(a)</prop>
-                  <p>conducts an organizational assessment of risk prior to the acquisition or
-                     outsourcing of dedicated information security services;</p>
-                  <link rel="corresp" href="#sa-9.1_smt.a">SA-9(1)(a)</link>
-               </part>
-               <part id="sa-9.1.b_obj" name="objective">
-                  <prop name="label">SA-9(1)(b)</prop>
-                  <part id="sa-9.1.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SA-9(1)(b)[1]</prop>
-                     <p>defines personnel or roles designated to approve the acquisition or
-                        outsourcing of dedicated information security services; and</p>
-                  </part>
-                  <part id="sa-9.1.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SA-9(1)(b)[2]</prop>
-                     <p>ensures that the acquisition or outsourcing of dedicated information
-                        security services is approved by organization-defined personnel or
-                        roles.</p>
-                  </part>
-                  <link rel="corresp" href="#sa-9.1_smt.b">SA-9(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>risk assessment reports</p>
-                  <p>approval records for acquisition or outsourcing of dedicated information
-                     security services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information system security responsibilities</p>
-                  <p>external providers of information system services</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting a risk assessment prior to acquiring or
-                     outsourcing dedicated information security services</p>
-                  <p>organizational processes for approving the outsourcing of dedicated information
-                     security services</p>
-                  <p>automated mechanisms supporting and/or implementing risk assessment</p>
-                  <p>automated mechanisms supporting and/or implementing approval processes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.2">
-            <title>Identification of Functions / Ports / Protocols / Services</title>
-            <param id="sa-9.2_prm_1">
-               <label>organization-defined external information system services</label>
-               <constraint>all external systems where Federal information is processed or stored</constraint>
-            </param>
-            <prop name="label">SA-9(2)</prop>
-            <prop name="sort-id">sa-09.02</prop>
-            <part id="sa-9.2_smt" name="statement">
-               <p>The organization requires providers of <insert param-id="sa-9.2_prm_1"/> to
-                  identify the functions, ports, protocols, and other services required for the use
-                  of such services.</p>
-            </part>
-            <part id="sa-9.2_gdn" name="guidance">
-               <p>Information from external service providers regarding the specific functions,
-                  ports, protocols, and services used in the provision of such services can be
-                  particularly useful when the need arises to understand the trade-offs involved in
-                  restricting certain functions/services or blocking certain ports/protocols.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-            </part>
-            <part id="sa-9.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(2)[1]</prop>
-                  <p>defines external information system services for which providers of such
-                     services are to identify the functions, ports, protocols, and other services
-                     required for the use of such services;</p>
-               </part>
-               <part id="sa-9.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="label">SA-9(2)[2]</prop>
-                  <p>requires providers of organization-defined external information system services
-                     to identify:</p>
-                  <part id="sa-9.2_obj.2.a" name="objective">
-                     <prop name="label">SA-9(2)[2][a]</prop>
-                     <p>the functions required for the use of such services;</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.b" name="objective">
-                     <prop name="label">SA-9(2)[2][b]</prop>
-                     <p>the ports required for the use of such services;</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.c" name="objective">
-                     <prop name="label">SA-9(2)[2][c]</prop>
-                     <p>the protocols required for the use of such services; and</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.d" name="objective">
-                     <prop name="label">SA-9(2)[2][d]</prop>
-                     <p>the other services required for the use of such services.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation, service-level agreements</p>
-                  <p>organizational security requirements and security specifications for external
-                     service providers</p>
-                  <p>list of required functions, ports, protocols, and other services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.4">
-            <title>Consistent Interests of Consumers and Providers</title>
-            <param id="sa-9.4_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="sa-9.4_prm_2">
-               <label>organization-defined external service providers</label>
-               <constraint>all external systems where Federal information is processed or stored</constraint>
-            </param>
-            <prop name="label">SA-9(4)</prop>
-            <prop name="sort-id">sa-09.04</prop>
-            <part id="sa-9.4_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-9.4_prm_1"/> to ensure that the
-                  interests of <insert param-id="sa-9.4_prm_2"/> are consistent with and reflect
-                  organizational interests.</p>
-            </part>
-            <part id="sa-9.4_gdn" name="guidance">
-               <p>As organizations increasingly use external service providers, the possibility
-                  exists that the interests of the service providers may diverge from organizational
-                  interests. In such situations, simply having the correct technical, procedural, or
-                  operational safeguards in place may not be sufficient if the service providers
-                  that implement and control those safeguards are not operating in a manner
-                  consistent with the interests of the consuming organizations. Possible actions
-                  that organizations might take to address such concerns include, for example,
-                  requiring background checks for selected service provider personnel, examining
-                  ownership records, employing only trustworthy service providers (i.e., providers
-                  with which organizations have had positive experiences), and conducting
-                  periodic/unscheduled visits to service provider facilities.</p>
-            </part>
-            <part id="sa-9.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(4)[1]</prop>
-                  <p>defines external service providers whose interests are to be consistent with
-                     and reflect organizational interests;</p>
-               </part>
-               <part id="sa-9.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(4)[2]</prop>
-                  <p>defines security safeguards to be employed to ensure that the interests of
-                     organization-defined external service providers are consistent with and reflect
-                     organizational interests; and</p>
-               </part>
-               <part id="sa-9.4_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(4)[3]</prop>
-                  <p>employs organization-defined security safeguards to ensure that the interests
-                     of organization-defined external service providers are consistent with and
-                     reflect organizational interests.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>organizational security requirements/safeguards for external service
-                     providers</p>
-                  <p>personnel security policies for external service providers</p>
-                  <p>assessments performed on external service providers</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing safeguards to ensure
-                     consistent interests with external service providers</p>
-                  <p>automated mechanisms supporting and/or implementing safeguards to ensure
-                     consistent interests with external service providers</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.5">
-            <title>Processing, Storage, and Service Location</title>
-            <param id="sa-9.5_prm_1">
-               <constraint>information processing, information data, AND information services</constraint>
-            </param>
-            <param id="sa-9.5_prm_2">
-               <label>organization-defined locations</label>
-            </param>
-            <param id="sa-9.5_prm_3">
-               <label>organization-defined requirements or conditions</label>
-            </param>
-            <prop name="label">SA-9(5)</prop>
-            <prop name="sort-id">sa-09.05</prop>
-            <part id="sa-9.5_smt" name="statement">
-               <p>The organization restricts the location of <insert param-id="sa-9.5_prm_1"/> to
-                     <insert param-id="sa-9.5_prm_2"/> based on <insert param-id="sa-9.5_prm_3"/>.</p>
-            </part>
-            <part id="sa-9.5_gdn" name="guidance">
-               <p>The location of information processing, information/data storage, or information
-                  system services that are critical to organizations can have a direct impact on the
-                  ability of those organizations to successfully execute their missions/business
-                  functions. This situation exists when external providers control the location of
-                  processing, storage or services. The criteria external providers use for the
-                  selection of processing, storage, or service locations may be different from
-                  organizational criteria. For example, organizations may want to ensure that
-                  data/information storage locations are restricted to certain locations to
-                  facilitate incident response activities (e.g., forensic analyses, after-the-fact
-                  investigations) in case of information security breaches/compromises. Such
-                  incident response activities may be adversely affected by the governing laws or
-                  protocols in the locations where processing and storage occur and/or the locations
-                  from which information system services emanate.</p>
-            </part>
-            <part id="sa-9.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(5)[1]</prop>
-                  <p>defines locations where organization-defined information processing,
-                     information/data, and/or information system services are to be restricted;</p>
-               </part>
-               <part id="sa-9.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-9(5)[2]</prop>
-                  <p>defines requirements or conditions to restrict the location of information
-                     processing, information/data, and/or information system services;</p>
-               </part>
-               <part id="sa-9.5_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-9(5)[3]</prop>
-                  <p>restricts the location of one or more of the following to organization-defined
-                     locations based on organization-defined requirements or conditions:</p>
-                  <part id="sa-9.5_obj.3.a" name="objective">
-                     <prop name="label">SA-9(5)[3][a]</prop>
-                     <p>information processing;</p>
-                  </part>
-                  <part id="sa-9.5_obj.3.b" name="objective">
-                     <prop name="label">SA-9(5)[3][b]</prop>
-                     <p>information/data; and/or</p>
-                  </part>
-                  <part id="sa-9.5_obj.3.c" name="objective">
-                     <prop name="label">SA-9(5)[3][c]</prop>
-                     <p>information services.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>restricted locations for information processing</p>
-                  <p>information/data and/or information system services</p>
-                  <p>information processing, information/data, and/or information system services to
-                     be maintained in restricted locations</p>
-                  <p>organizational security requirements or conditions for external providers</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining requirements to restrict locations of
-                     information processing, information/data, or information services</p>
-                  <p>organizational processes for ensuring the location is restricted in accordance
-                     with requirements or conditions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-10">
-         <title>Developer Configuration Management</title>
-         <param id="sa-10_prm_1">
-            <constraint>development, implementation, AND operation</constraint>
-         </param>
-         <param id="sa-10_prm_2">
-            <label>organization-defined configuration items under configuration management</label>
-         </param>
-         <param id="sa-10_prm_3">
-            <label>organization-defined personnel</label>
-         </param>
-         <prop name="label">SA-10</prop>
-         <prop name="sort-id">sa-10</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="sa-10_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to:</p>
-            <part id="sa-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Perform configuration management during system, component, or service <insert param-id="sa-10_prm_1"/>;</p>
-            </part>
-            <part id="sa-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Document, manage, and control the integrity of changes to <insert param-id="sa-10_prm_2"/>;</p>
-            </part>
-            <part id="sa-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Implement only organization-approved changes to the system, component, or
-                  service;</p>
-            </part>
-            <part id="sa-10_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Document approved changes to the system, component, or service and the potential
-                  security impacts of such changes; and</p>
-            </part>
-            <part id="sa-10_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Track security flaws and flaw resolution within the system, component, or service
-                  and report findings to <insert param-id="sa-10_prm_3"/>.</p>
-            </part>
-            <part id="sa-10_fr" name="item">
-               <title>SA-10 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-10_fr_smt.1" name="item">
-                  <prop name="label">(e)  Requirement:</prop>
-                  <p>For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-10_gdn" name="guidance">
-            <p>This control also applies to organizations conducting internal information systems
-               development and integration. Organizations consider the quality and completeness of
-               the configuration management activities conducted by developers as evidence of
-               applying effective security safeguards. Safeguards include, for example, protecting
-               from unauthorized modification or destruction, the master copies of all material used
-               to generate security-relevant portions of the system hardware, software, and
-               firmware. Maintaining the integrity of changes to the information system, information
-               system component, or information system service requires configuration control
-               throughout the system development life cycle to track authorized changes and prevent
-               unauthorized changes. Configuration items that are placed under configuration
-               management (if existence/use is required by other security controls) include: the
-               formal model; the functional, high-level, and low-level design specifications; other
-               design data; implementation documentation; source code and hardware schematics; the
-               running version of the object code; tools for comparing new versions of
-               security-relevant hardware descriptions and software/firmware source code with
-               previous versions; and test fixtures and documentation. Depending on the
-               mission/business needs of organizations and the nature of the contractual
-               relationships in place, developers may provide configuration management support
-               during the operations and maintenance phases of the life cycle.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="sa-10_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-10.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-10(a)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to perform configuration management during one or more of the
-                  following:</p>
-               <part id="sa-10.a_obj.1" name="objective">
-                  <prop name="label">SA-10(a)[1]</prop>
-                  <p>system, component, or service design;</p>
-               </part>
-               <part id="sa-10.a_obj.2" name="objective">
-                  <prop name="label">SA-10(a)[2]</prop>
-                  <p>system, component, or service development;</p>
-               </part>
-               <part id="sa-10.a_obj.3" name="objective">
-                  <prop name="label">SA-10(a)[3]</prop>
-                  <p>system, component, or service implementation; and/or</p>
-               </part>
-               <part id="sa-10.a_obj.4" name="objective">
-                  <prop name="label">SA-10(a)[4]</prop>
-                  <p>system, component, or service operation;</p>
-               </part>
-            </part>
-            <part id="sa-10.b_obj" name="objective">
-               <prop name="label">SA-10(b)</prop>
-               <part id="sa-10.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-10(b)[1]</prop>
-                  <p>defines configuration items to be placed under configuration management;</p>
-               </part>
-               <part id="sa-10.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-10(b)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to:</p>
-                  <part id="sa-10.b_obj.2.a" name="objective">
-                     <prop name="label">SA-10(b)[2][a]</prop>
-                     <p>document the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-                  <part id="sa-10.b_obj.2.b" name="objective">
-                     <prop name="label">SA-10(b)[2][b]</prop>
-                     <p>manage the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-                  <part id="sa-10.b_obj.2.c" name="objective">
-                     <prop name="label">SA-10(b)[2][c]</prop>
-                     <p>control the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-10.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-10(c)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to implement only organization-approved changes to the system,
-                  component, or service;</p>
-            </part>
-            <part id="sa-10.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-10(d)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to document:</p>
-               <part id="sa-10.d_obj.1" name="objective">
-                  <prop name="label">SA-10(d)[1]</prop>
-                  <p>approved changes to the system, component, or service;</p>
-               </part>
-               <part id="sa-10.d_obj.2" name="objective">
-                  <prop name="label">SA-10(d)[2]</prop>
-                  <p>the potential security impacts of such changes;</p>
-               </part>
-            </part>
-            <part id="sa-10.e_obj" name="objective">
-               <prop name="label">SA-10(e)</prop>
-               <part id="sa-10.e_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-10(e)[1]</prop>
-                  <p>defines personnel to whom findings, resulting from security flaws and flaw
-                     resolution tracked within the system, component, or service, are to be
-                     reported;</p>
-               </part>
-               <part id="sa-10.e_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-10(e)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to:</p>
-                  <part id="sa-10.e_obj.2.a" name="objective">
-                     <prop name="label">SA-10(e)[2][a]</prop>
-                     <p>track security flaws within the system, component, or service;</p>
-                  </part>
-                  <part id="sa-10.e_obj.2.b" name="objective">
-                     <prop name="label">SA-10(e)[2][b]</prop>
-                     <p>track security flaw resolution within the system, component, or service;
-                        and</p>
-                  </part>
-                  <part id="sa-10.e_obj.2.c" name="objective">
-                     <prop name="label">SA-10(e)[2][c]</prop>
-                     <p>report findings to organization-defined personnel.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing system developer configuration management</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>system developer configuration management plan</p>
-               <p>security flaw and flaw resolution tracking records</p>
-               <p>system change authorization records</p>
-               <p>change control records</p>
-               <p>configuration management records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with configuration management responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring developer configuration management</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                  configuration management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-10.1">
-            <title>Software / Firmware Integrity Verification</title>
-            <prop name="label">SA-10(1)</prop>
-            <prop name="sort-id">sa-10.01</prop>
-            <part id="sa-10.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to enable integrity verification of
-                  software and firmware components.</p>
-            </part>
-            <part id="sa-10.1_gdn" name="guidance">
-               <p>This control enhancement allows organizations to detect unauthorized changes to
-                  software and firmware components through the use of tools, techniques, and/or
-                  mechanisms provided by developers. Integrity checking mechanisms can also address
-                  counterfeiting of software and firmware components. Organizations verify the
-                  integrity of software and firmware components, for example, through secure one-way
-                  hashes provided by developers. Delivered software and firmware components also
-                  include any updates to such components.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="sa-10.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to enable integrity verification
-                  of software and firmware components.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer configuration management</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system</p>
-                  <p>system component, or information system service</p>
-                  <p>system developer configuration management plan</p>
-                  <p>software and firmware integrity verification records</p>
-                  <p>system change authorization records</p>
-                  <p>change control records</p>
-                  <p>configuration management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     configuration management</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-11">
-         <title>Developer Security Testing and Evaluation</title>
-         <param id="sa-11_prm_1"/>
-         <param id="sa-11_prm_2">
-            <label>organization-defined depth and coverage</label>
-         </param>
-         <prop name="label">SA-11</prop>
-         <prop name="sort-id">sa-11</prop>
-         <link href="#1737a687-52fb-4008-b900-cbfa836f7b65" rel="reference">ISO/IEC 15408</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <link href="#15522e92-9192-463d-9646-6a01982db8ca" rel="reference">http://cwe.mitre.org</link>
-         <link href="#0931209f-00ae-4132-b92c-bc645847e8f9" rel="reference">http://cve.mitre.org</link>
-         <link href="#4ef539ba-b767-4666-b0d3-168c53005fa3" rel="reference">http://capec.mitre.org</link>
-         <part id="sa-11_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to:</p>
-            <part id="sa-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Create and implement a security assessment plan;</p>
-            </part>
-            <part id="sa-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Perform <insert param-id="sa-11_prm_1"/> testing/evaluation at <insert param-id="sa-11_prm_2"/>;</p>
-            </part>
-            <part id="sa-11_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Produce evidence of the execution of the security assessment plan and the results
-                  of the security testing/evaluation;</p>
-            </part>
-            <part id="sa-11_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implement a verifiable flaw remediation process; and</p>
-            </part>
-            <part id="sa-11_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Correct flaws identified during security testing/evaluation.</p>
-            </part>
-         </part>
-         <part id="sa-11_gdn" name="guidance">
-            <p>Developmental security testing/evaluation occurs at all post-design phases of the
-               system development life cycle. Such testing/evaluation confirms that the required
-               security controls are implemented correctly, operating as intended, enforcing the
-               desired security policy, and meeting established security requirements. Security
-               properties of information systems may be affected by the interconnection of system
-               components or changes to those components. These interconnections or changes (e.g.,
-               upgrading or replacing applications and operating systems) may adversely affect
-               previously implemented security controls. This control provides additional types of
-               security testing/evaluation that developers can conduct to reduce or eliminate
-               potential flaws. Testing custom software applications may require approaches such as
-               static analysis, dynamic analysis, binary analysis, or a hybrid of the three
-               approaches. Developers can employ these analysis approaches in a variety of tools
-               (e.g., web-based application scanners, static analysis tools, binary analyzers) and
-               in source code reviews. Security assessment plans provide the specific activities
-               that developers plan to carry out including the types of analyses, testing,
-               evaluation, and reviews of software and firmware components, the degree of rigor to
-               be applied, and the types of artifacts produced during those processes. The depth of
-               security testing/evaluation refers to the rigor and level of detail associated with
-               the assessment process (e.g., black box, gray box, or white box testing). The
-               coverage of security testing/evaluation refers to the scope (i.e., number and type)
-               of the artifacts included in the assessment process. Contracts specify the acceptance
-               criteria for security assessment plans, flaw remediation processes, and the evidence
-               that the plans/processes have been diligently applied. Methods for reviewing and
-               protecting assessment plans, evidence, and documentation are commensurate with the
-               security category or classification level of the information system. Contracts may
-               specify documentation protection requirements.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="sa-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-11.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-11(a)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to create and implement a security plan;</p>
-            </part>
-            <part id="sa-11.b_obj" name="objective">
-               <prop name="label">SA-11(b)</prop>
-               <part id="sa-11.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-11(b)[1]</prop>
-                  <p>defines the depth of testing/evaluation to be performed by the developer of the
-                     information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-11.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SA-11(b)[2]</prop>
-                  <p>defines the coverage of testing/evaluation to be performed by the developer of
-                     the information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-11.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-11(b)[3]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to perform one or more of the following
-                     testing/evaluation at the organization-defined depth and coverage:</p>
-                  <part id="sa-11.b_obj.3.a" name="objective">
-                     <prop name="label">SA-11(b)[3][a]</prop>
-                     <p>unit testing/evaluation;</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.b" name="objective">
-                     <prop name="label">SA-11(b)[3][b]</prop>
-                     <p>integration testing/evaluation;</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.c" name="objective">
-                     <prop name="label">SA-11(b)[3][c]</prop>
-                     <p>system testing/evaluation; and/or</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.d" name="objective">
-                     <prop name="label">SA-11(b)[3][d]</prop>
-                     <p>regression testing/evaluation;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-11.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-11(c)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to produce evidence of:</p>
-               <part id="sa-11.c_obj.1" name="objective">
-                  <prop name="label">SA-11(c)[1]</prop>
-                  <p>the execution of the security assessment plan;</p>
-               </part>
-               <part id="sa-11.c_obj.2" name="objective">
-                  <prop name="label">SA-11(c)[2]</prop>
-                  <p>the results of the security testing/evaluation;</p>
-               </part>
-            </part>
-            <part id="sa-11.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-11(d)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to implement a verifiable flaw remediation process; and</p>
-            </part>
-            <part id="sa-11.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SA-11(e)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to correct flaws identified during security testing/evaluation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing system developer security testing</p>
-               <p>procedures addressing flaw remediation</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>system developer security test plans</p>
-               <p>records of developer security testing results for the information system, system
-                  component, or information system service</p>
-               <p>security flaw and remediation tracking records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with developer security testing responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring developer security testing and
-                  evaluation</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                  security testing and evaluation</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-11.1">
-            <title>Static Code Analysis</title>
-            <prop name="label">SA-11(1)</prop>
-            <prop name="sort-id">sa-11.01</prop>
-            <part id="sa-11.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to employ static code analysis tools to
-                  identify common flaws and document the results of the analysis.</p>
-               <part id="sa-11.1_fr" name="item">
-                  <title>SA-11 (1) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="sa-11.1_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-11.1_gdn" name="guidance">
-               <p>Static code analysis provides a technology and methodology for security reviews.
-                  Such analysis can be used to identify security vulnerabilities and enforce
-                  security coding practices. Static code analysis is most effective when used early
-                  in the development process, when each code change can be automatically scanned for
-                  potential weaknesses. Static analysis can provide clear remediation guidance along
-                  with defects to enable developers to fix such defects. Evidence of correct
-                  implementation of static analysis can include, for example, aggregate defect
-                  density for critical defect types, evidence that defects were inspected by
-                  developers or security professionals, and evidence that defects were fixed. An
-                  excessively high density of ignored findings (commonly referred to as ignored or
-                  false positives) indicates a potential problem with the analysis process or tool.
-                  In such cases, organizations weigh the validity of the evidence against evidence
-                  from other sources.</p>
-            </part>
-            <part id="sa-11.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to employ static code analysis
-                  tools to identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test plans</p>
-                  <p>system developer security testing results</p>
-                  <p>security flaw and remediation tracking records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-                  <p>static code analysis tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.2">
-            <title>Threat and Vulnerability Analyses</title>
-            <prop name="label">SA-11(2)</prop>
-            <prop name="sort-id">sa-11.02</prop>
-            <part id="sa-11.2_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to perform threat and vulnerability
-                  analyses and subsequent testing/evaluation of the as-built system, component, or
-                  service.</p>
-            </part>
-            <part id="sa-11.2_gdn" name="guidance">
-               <p>Applications may deviate significantly from the functional and design
-                  specifications created during the requirements and design phases of the system
-                  development life cycle. Therefore, threat and vulnerability analyses of
-                  information systems, system components, and information system services prior to
-                  delivery are critical to the effective operation of those systems, components, and
-                  services. Threat and vulnerability analyses at this phase of the life cycle help
-                  to ensure that design or implementation changes have been accounted for, and that
-                  any new vulnerabilities created as a result of those changes have been reviewed
-                  and mitigated.</p>
-               <link rel="related" href="#pm-15">PM-15</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="sa-11.2_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to perform:</p>
-               <part id="sa-11.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SA-11(2)[1]</prop>
-                  <p>threat analyses of the as-built, system component, or service;</p>
-               </part>
-               <part id="sa-11.2_obj.2" name="objective">
-                  <prop name="label">SA-11(2)[2]</prop>
-                  <p>vulnerability analyses of the as-built, system component, or service; and</p>
-               </part>
-               <part id="sa-11.2_obj.3" name="objective">
-                  <prop name="label">SA-11(2)[3]</prop>
-                  <p>subsequent testing/evaluation of the as-built, system component, or
-                     service.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test plans</p>
-                  <p>records of developer security testing results for the information system,
-                     system component, or information system service</p>
-                  <p>vulnerability scanning results</p>
-                  <p>information system risk assessment reports</p>
-                  <p>threat and vulnerability analysis reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.8">
-            <title>Dynamic Code Analysis</title>
-            <prop name="label">SA-11(8)</prop>
-            <prop name="sort-id">sa-11.08</prop>
-            <part id="sa-11.8_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to employ dynamic code analysis tools to
-                  identify common flaws and document the results of the analysis.</p>
-               <part id="sa-11.8_fr" name="item">
-                  <title>SA-11 (8) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="sa-11.8_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-11.8_gdn" name="guidance">
-               <p>Dynamic code analysis provides run-time verification of software programs, using
-                  tools capable of monitoring programs for memory corruption, user privilege issues,
-                  and other potential security problems. Dynamic code analysis employs run-time
-                  tools to help to ensure that security functionality performs in the manner in
-                  which it was designed. A specialized type of dynamic analysis, known as fuzz
-                  testing, induces program failures by deliberately introducing malformed or random
-                  data into software programs. Fuzz testing strategies derive from the intended use
-                  of applications and the functional and design specifications for the applications.
-                  To understand the scope of dynamic code analysis and hence the assurance provided,
-                  organizations may also consider conducting code coverage analysis (checking the
-                  degree to which the code has been tested using metrics such as percent of
-                  subroutines tested or percent of program statements called during execution of the
-                  test suite) and/or concordance analysis (checking for words that are out of place
-                  in software code such as non-English language words or derogatory terms).</p>
-            </part>
-            <part id="sa-11.8_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to employ dynamic code analysis
-                  tools to identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test and evaluation plans</p>
-                  <p>security test and evaluation results</p>
-                  <p>security flaw and remediation tracking reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="sc">
-      <title>System and Communications Protection</title>
-      <control class="SP800-53" id="sc-1">
-         <title>System and Communications Protection Policy and Procedures</title>
-         <param id="sc-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sc-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="sc-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SC-1</prop>
-         <prop name="sort-id">sc-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sc-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sc-1_prm_1"/>:</p>
-               <part id="sc-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and communications protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="sc-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and communications
-                     protection policy and associated system and communications protection controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sc-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sc-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and communications protection policy <insert param-id="sc-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="sc-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and communications protection procedures <insert param-id="sc-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sc-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-1.a_obj" name="objective">
-               <prop name="label">SC-1(a)</prop>
-               <part id="sc-1.a.1_obj" name="objective">
-                  <prop name="label">SC-1(a)(1)</prop>
-                  <part id="sc-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and communications protection policy that
-                        addresses:</p>
-                     <part id="sc-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sc-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and communications protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SC-1(a)(1)[3]</prop>
-                     <p>disseminates the system and communications protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sc-1.a.2_obj" name="objective">
-                  <prop name="label">SC-1(a)(2)</prop>
-                  <part id="sc-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and communications protection policy and associated system and
-                        communications protection controls;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sc-1.b_obj" name="objective">
-               <prop name="label">SC-1(b)</prop>
-               <part id="sc-1.b.1_obj" name="objective">
-                  <prop name="label">SC-1(b)(1)</prop>
-                  <part id="sc-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection policy;</p>
-                  </part>
-                  <part id="sc-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and communications protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sc-1.b.2_obj" name="objective">
-                  <prop name="label">SC-1(b)(2)</prop>
-                  <part id="sc-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection procedures; and</p>
-                  </part>
-                  <part id="sc-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and communications protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and communications protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-2">
-         <title>Application Partitioning</title>
-         <prop name="label">SC-2</prop>
-         <prop name="sort-id">sc-02</prop>
-         <part id="sc-2_smt" name="statement">
-            <p>The information system separates user functionality (including user interface
-               services) from information system management functionality.</p>
-         </part>
-         <part id="sc-2_gdn" name="guidance">
-            <p>Information system management functionality includes, for example, functions
-               necessary to administer databases, network components, workstations, or servers, and
-               typically requires privileged user access. The separation of user functionality from
-               information system management functionality is either physical or logical.
-               Organizations implement separation of system management-related functionality from
-               user functionality by using different computers, different central processing units,
-               different instances of operating systems, different network addresses, virtualization
-               techniques, or combinations of these or other methods, as appropriate. This type of
-               separation includes, for example, web administrative interfaces that use separate
-               authentication methods for users of any other information system resources.
-               Separation of system and user functionality may include isolating administrative
-               interfaces on different domains and with additional access controls.</p>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sc-2_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system separates user functionality (including user
-               interface services) from information system management functionality.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing application partitioning</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Separation of user functionality from information system management
-                  functionality</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-4">
-         <title>Information in Shared Resources</title>
-         <prop name="label">SC-4</prop>
-         <prop name="sort-id">sc-04</prop>
-         <part id="sc-4_smt" name="statement">
-            <p>The information system prevents unauthorized and unintended information transfer via
-               shared system resources.</p>
-         </part>
-         <part id="sc-4_gdn" name="guidance">
-            <p>This control prevents information, including encrypted representations of
-               information, produced by the actions of prior users/roles (or the actions of
-               processes acting on behalf of prior users/roles) from being available to any current
-               users/roles (or current processes) that obtain access to shared system resources
-               (e.g., registers, main memory, hard disks) after those resources have been released
-               back to information systems. The control of information in shared resources is also
-               commonly referred to as object reuse and residual information protection. This
-               control does not address: (i) information remanence which refers to residual
-               representation of data that has been nominally erased or removed; (ii) covert
-               channels (including storage and/or timing channels) where shared resources are
-               manipulated to violate information flow restrictions; or (iii) components within
-               information systems for which there are only single users/roles.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="sc-4_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system prevents unauthorized and unintended information
-               transfer via shared system resources.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing information protection in shared system resources</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms preventing unauthorized and unintended transfer of
-                  information via shared system resources</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-5">
-         <title>Denial of Service Protection</title>
-         <param id="sc-5_prm_1">
-            <label>organization-defined types of denial of service attacks or references to sources
-               for such information</label>
-         </param>
-         <param id="sc-5_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SC-5</prop>
-         <prop name="sort-id">sc-05</prop>
-         <part id="sc-5_smt" name="statement">
-            <p>The information system protects against or limits the effects of the following types
-               of denial of service attacks: <insert param-id="sc-5_prm_1"/> by employing <insert param-id="sc-5_prm_2"/>.</p>
-         </part>
-         <part id="sc-5_gdn" name="guidance">
-            <p>A variety of technologies exist to limit, or in some cases, eliminate the effects of
-               denial of service attacks. For example, boundary protection devices can filter
-               certain types of packets to protect information system components on internal
-               organizational networks from being directly affected by denial of service attacks.
-               Employing increased capacity and bandwidth combined with service redundancy may also
-               reduce the susceptibility to denial of service attacks.</p>
-            <link rel="related" href="#sc-6">SC-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="sc-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-5_obj.1" name="objective">
-               <prop name="label">SC-5[1]</prop>
-               <p>the organization defines types of denial of service attacks or reference to source
-                  of such information for the information system to protect against or limit the
-                  effects;</p>
-            </part>
-            <part id="sc-5_obj.2" name="objective">
-               <prop name="label">SC-5[2]</prop>
-               <p>the organization defines security safeguards to be employed by the information
-                  system to protect against or limit the effects of organization-defined types of
-                  denial of service attacks; and</p>
-            </part>
-            <part id="sc-5_obj.3" name="objective">
-               <prop name="label">SC-5[3]</prop>
-               <p>the information system protects against or limits the effects of the
-                  organization-defined denial or service attacks (or reference to source for such
-                  information) by employing organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing denial of service protection</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>list of denial of services attacks requiring employment of security safeguards to
-                  protect against or limit effects of such attacks</p>
-               <p>list of security safeguards protecting against or limiting the effects of denial
-                  of service attacks</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms protecting against or limiting the effects of denial of
-                  service attacks</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-6">
-         <title>Resource Availability</title>
-         <param id="sc-6_prm_1">
-            <label>organization-defined resources</label>
-         </param>
-         <param id="sc-6_prm_2"/>
-         <param id="sc-6_prm_3" depends-on="sc-6_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SC-6</prop>
-         <prop name="sort-id">sc-06</prop>
-         <part id="sc-6_smt" name="statement">
-            <p>The information system protects the availability of resources by allocating <insert param-id="sc-6_prm_1"/> by <insert param-id="sc-6_prm_2"/>.</p>
-         </part>
-         <part id="sc-6_gdn" name="guidance">
-            <p>Priority protection helps prevent lower-priority processes from delaying or
-               interfering with the information system servicing any higher-priority processes.
-               Quotas prevent users or processes from obtaining more than predetermined amounts of
-               resources. This control does not apply to information system components for which
-               there are only single users/roles.</p>
-         </part>
-         <part id="sc-6_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-6_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-6[1]</prop>
-               <p>the organization defines resources to be allocated to protect the availability of
-                  resources;</p>
-            </part>
-            <part id="sc-6_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-6[2]</prop>
-               <p>the organization defines security safeguards to be employed to protect the
-                  availability of resources;</p>
-            </part>
-            <part id="sc-6_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-6[3]</prop>
-               <p>the information system protects the availability of resources by allocating
-                  organization-defined resources by one or more of the following:</p>
-               <part id="sc-6_obj.3.a" name="objective">
-                  <prop name="label">SC-6[3][a]</prop>
-                  <p>priority;</p>
-               </part>
-               <part id="sc-6_obj.3.b" name="objective">
-                  <prop name="label">SC-6[3][b]</prop>
-                  <p>quota; and/or</p>
-               </part>
-               <part id="sc-6_obj.3.c" name="objective">
-                  <prop name="label">SC-6[3][c]</prop>
-                  <p>organization-defined safeguards.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing prioritization of information system resources</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing resource allocation
-                  capability</p>
-               <p>safeguards employed to protect availability of resources</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-7">
-         <title>Boundary Protection</title>
-         <param id="sc-7_prm_1"/>
-         <prop name="label">SC-7</prop>
-         <prop name="sort-id">sc-07</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#756a8e86-57d5-4701-8382-f7a40439665a" rel="reference">NIST Special Publication 800-41</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <part id="sc-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors and controls communications at the external boundary of the system and at
-                  key internal boundaries within the system;</p>
-            </part>
-            <part id="sc-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements subnetworks for publicly accessible system components that are <insert param-id="sc-7_prm_1"/> separated from internal organizational networks;
-                  and</p>
-            </part>
-            <part id="sc-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part id="sc-7_gdn" name="guidance">
-            <p>Managed interfaces include, for example, gateways, routers, firewalls, guards,
-               network-based malicious code analysis and virtualization systems, or encrypted
-               tunnels implemented within a security architecture (e.g., routers protecting
-               firewalls or application gateways residing on protected subnetworks). Subnetworks
-               that are physically or logically separated from internal networks are referred to as
-               demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-               organizational information systems includes, for example, restricting external web
-               traffic to designated web servers within managed interfaces and prohibiting external
-               traffic that appears to be spoofing internal addresses. Organizations consider the
-               shared nature of commercial telecommunications services in the implementation of
-               security controls associated with the use of such services. Commercial
-               telecommunications services are commonly based on network components and consolidated
-               management systems shared by all attached commercial customers, and may also include
-               third party-provided access lines and other service elements. Such transmission
-               services may represent sources of increased risk despite contract security
-               provisions.</p>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="sc-7_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-7.a_obj" name="objective">
-               <prop name="label">SC-7(a)</prop>
-               <part id="sc-7.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[1]</prop>
-                  <p>monitors communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[2]</prop>
-                  <p>monitors communications at key internal boundaries within the system;</p>
-               </part>
-               <part id="sc-7.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[3]</prop>
-                  <p>controls communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(a)[4]</prop>
-                  <p>controls communications at key internal boundaries within the system;</p>
-               </part>
-            </part>
-            <part id="sc-7.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-7(b)</prop>
-               <p>implements subnetworks for publicly accessible system components that are
-                  either:</p>
-               <part id="sc-7.b_obj.1" name="objective">
-                  <prop name="label">SC-7(b)[1]</prop>
-                  <p>physically separated from internal organizational networks; and/or</p>
-               </part>
-               <part id="sc-7.b_obj.2" name="objective">
-                  <prop name="label">SC-7(b)[2]</prop>
-                  <p>logically separated from internal organizational networks; and</p>
-               </part>
-            </part>
-            <part id="sc-7.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-7(c)</prop>
-               <p>connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing boundary protection</p>
-               <p>list of key internal boundaries of the information system</p>
-               <p>information system design documentation</p>
-               <p>boundary protection hardware and software</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>enterprise security architecture documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with boundary protection responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing boundary protection capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-7.3">
-            <title>Access Points</title>
-            <prop name="label">SC-7(3)</prop>
-            <prop name="sort-id">sc-07.03</prop>
-            <part id="sc-7.3_smt" name="statement">
-               <p>The organization limits the number of external network connections to the
-                  information system.</p>
-            </part>
-            <part id="sc-7.3_gdn" name="guidance">
-               <p>Limiting the number of external network connections facilitates more comprehensive
-                  monitoring of inbound and outbound communications traffic. The Trusted Internet
-                  Connection (TIC) initiative is an example of limiting the number of external
-                  network connections.</p>
-            </part>
-            <part id="sc-7.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization limits the number of external network connections to
-                  the information system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>communications and network traffic monitoring logs</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>automated mechanisms limiting the number of external network connections to the
-                     information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.4">
-            <title>External Telecommunications Services</title>
-            <param id="sc-7.4_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least annually</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SC-7(4)</prop>
-            <prop name="sort-id">sc-07.04</prop>
-            <part id="sc-7.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sc-7.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Implements a managed interface for each external telecommunication service;</p>
-               </part>
-               <part id="sc-7.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Establishes a traffic flow policy for each managed interface;</p>
-               </part>
-               <part id="sc-7.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Protects the confidentiality and integrity of the information being transmitted
-                     across each interface;</p>
-               </part>
-               <part id="sc-7.4_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Documents each exception to the traffic flow policy with a supporting
-                     mission/business need and duration of that need; and</p>
-               </part>
-               <part id="sc-7.4_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Reviews exceptions to the traffic flow policy <insert param-id="sc-7.4_prm_1"/>
-                     and removes exceptions that are no longer supported by an explicit
-                     mission/business need.</p>
-               </part>
-            </part>
-            <part id="sc-7.4_gdn" name="guidance">
-               <link rel="related" href="#sc-8">SC-8</link>
-            </part>
-            <part id="sc-7.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.4.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(4)(a)</prop>
-                  <p>implements a managed interface for each external telecommunication service;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.a">SC-7(4)(a)</link>
-               </part>
-               <part id="sc-7.4.b_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(4)(b)</prop>
-                  <p>establishes a traffic flow policy for each managed interface;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.b">SC-7(4)(b)</link>
-               </part>
-               <part id="sc-7.4.c_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(4)(c)</prop>
-                  <p>protects the confidentiality and integrity of the information being transmitted
-                     across each interface;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.c">SC-7(4)(c)</link>
-               </part>
-               <part id="sc-7.4.d_obj" name="objective">
-                  <prop name="label">SC-7(4)(d)</prop>
-                  <p>documents each exception to the traffic flow policy with:</p>
-                  <part id="sc-7.4.d_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-7(4)(d)[1]</prop>
-                     <p>a supporting mission/business need;</p>
-                  </part>
-                  <part id="sc-7.4.d_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-7(4)(d)[2]</prop>
-                     <p>duration of that need;</p>
-                  </part>
-                  <link rel="corresp" href="#sc-7.4_smt.d">SC-7(4)(d)</link>
-               </part>
-               <part id="sc-7.4.e_obj" name="objective">
-                  <prop name="label">SC-7(4)(e)</prop>
-                  <part id="sc-7.4.e_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SC-7(4)(e)[1]</prop>
-                     <p>defines a frequency to review exceptions to traffic flow policy;</p>
-                  </part>
-                  <part id="sc-7.4.e_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SC-7(4)(e)[2]</prop>
-                     <p>reviews exceptions to the traffic flow policy with the organization-defined
-                        frequency; and</p>
-                  </part>
-                  <part id="sc-7.4.e_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SC-7(4)(e)[3]</prop>
-                     <p>removes traffic flow policy exceptions that are no longer supported by an
-                        explicit mission/business need</p>
-                  </part>
-                  <link rel="corresp" href="#sc-7.4_smt.e">SC-7(4)(e)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>traffic flow policy</p>
-                  <p>information flow control policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system security architecture</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of traffic flow policy exceptions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for documenting and reviewing exceptions to the
-                     traffic flow policy</p>
-                  <p>organizational processes for removing exceptions to the traffic flow policy</p>
-                  <p>automated mechanisms implementing boundary protection capability</p>
-                  <p>managed interfaces implementing traffic flow policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.5">
-            <title>Deny by Default / Allow by Exception</title>
-            <prop name="label">SC-7(5)</prop>
-            <prop name="sort-id">sc-07.05</prop>
-            <part id="sc-7.5_smt" name="statement">
-               <p>The information system at managed interfaces denies network communications traffic
-                  by default and allows network communications traffic by exception (i.e., deny all,
-                  permit by exception).</p>
-            </part>
-            <part id="sc-7.5_gdn" name="guidance">
-               <p>This control enhancement applies to both inbound and outbound network
-                  communications traffic. A deny-all, permit-by-exception network communications
-                  traffic policy ensures that only those connections which are essential and
-                  approved are allowed.</p>
-            </part>
-            <part id="sc-7.5_obj" name="objective">
-               <p>Determine if the information system, at managed interfaces:</p>
-               <part id="sc-7.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(5)[1]</prop>
-                  <p>denies network traffic by default; and</p>
-               </part>
-               <part id="sc-7.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(5)[2]</prop>
-                  <p>allows network traffic by exception.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing traffic management at managed interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.7">
-            <title>Prevent Split Tunneling for Remote Devices</title>
-            <prop name="label">SC-7(7)</prop>
-            <prop name="sort-id">sc-07.07</prop>
-            <part id="sc-7.7_smt" name="statement">
-               <p>The information system, in conjunction with a remote device, prevents the device
-                  from simultaneously establishing non-remote connections with the system and
-                  communicating via some other connection to resources in external networks.</p>
-            </part>
-            <part id="sc-7.7_gdn" name="guidance">
-               <p>This control enhancement is implemented within remote devices (e.g., notebook
-                  computers) through configuration settings to disable split tunneling in those
-                  devices, and by preventing those configuration settings from being readily
-                  configurable by users. This control enhancement is implemented within the
-                  information system by the detection of split tunneling (or of configuration
-                  settings that allow split tunneling) in the remote device, and by prohibiting the
-                  connection if the remote device is using split tunneling. Split tunneling might be
-                  desirable by remote users to communicate with local information system resources
-                  such as printers/file servers. However, split tunneling would in effect allow
-                  unauthorized external connections, making the system more vulnerable to attack and
-                  to exfiltration of organizational information. The use of VPNs for remote
-                  connections, when adequately provisioned with appropriate security controls, may
-                  provide the organization with sufficient assurance that it can effectively treat
-                  such connections as non-remote connections from the confidentiality and integrity
-                  perspective. VPNs thus provide a means for allowing non-remote communications
-                  paths from remote devices. The use of an adequately provisioned VPN does not
-                  eliminate the need for preventing split tunneling.</p>
-            </part>
-            <part id="sc-7.7_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system, in conjunction with a remote device, prevents
-                  the device from simultaneously establishing non-remote connections with the system
-                  and communicating via some other connection to resources in external networks.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>automated mechanisms supporting/restricting non-remote connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.8">
-            <title>Route Traffic to Authenticated Proxy Servers</title>
-            <param id="sc-7.8_prm_1">
-               <label>organization-defined internal communications traffic</label>
-            </param>
-            <param id="sc-7.8_prm_2">
-               <label>organization-defined external networks</label>
-            </param>
-            <prop name="label">SC-7(8)</prop>
-            <prop name="sort-id">sc-07.08</prop>
-            <part id="sc-7.8_smt" name="statement">
-               <p>The information system routes <insert param-id="sc-7.8_prm_1"/> to <insert param-id="sc-7.8_prm_2"/> through authenticated proxy servers at managed
-                  interfaces.</p>
-            </part>
-            <part id="sc-7.8_gdn" name="guidance">
-               <p>External networks are networks outside of organizational control. A proxy server
-                  is a server (i.e., information system or application) that acts as an intermediary
-                  for clients requesting information system resources (e.g., files, connections, web
-                  pages, or services) from other organizational servers. Client requests established
-                  through an initial connection to the proxy server are evaluated to manage
-                  complexity and to provide additional protection by limiting direct connectivity.
-                  Web content filtering devices are one of the most common proxy servers providing
-                  access to the Internet. Proxy servers support logging individual Transmission
-                  Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators
-                  (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be
-                  configured with organization-defined lists of authorized and unauthorized
-                  websites.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="sc-7.8_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-7.8_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(8)[1]</prop>
-                  <p>the organization defines internal communications traffic to be routed to
-                     external networks;</p>
-               </part>
-               <part id="sc-7.8_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(8)[2]</prop>
-                  <p>the organization defines external networks to which organization-defined
-                     internal communications traffic is to be routed; and</p>
-               </part>
-               <part id="sc-7.8_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(8)[3]</prop>
-                  <p>the information system routes organization-defined internal communications
-                     traffic to organization-defined external networks through authenticated proxy
-                     servers at managed interfaces.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing traffic management through authenticated
-                     proxy servers at managed interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.12">
-            <title>Host-based Protection</title>
-            <param id="sc-7.12_prm_1">
-               <label>organization-defined host-based boundary protection mechanisms</label>
-            </param>
-            <param id="sc-7.12_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-7(12)</prop>
-            <prop name="sort-id">sc-07.12</prop>
-            <part id="sc-7.12_smt" name="statement">
-               <p>The organization implements <insert param-id="sc-7.12_prm_1"/> at <insert param-id="sc-7.12_prm_2"/>.</p>
-            </part>
-            <part id="sc-7.12_gdn" name="guidance">
-               <p>Host-based boundary protection mechanisms include, for example, host-based
-                  firewalls. Information system components employing host-based boundary protection
-                  mechanisms include, for example, servers, workstations, and mobile devices.</p>
-            </part>
-            <part id="sc-7.12_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.12_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(12)[1]</prop>
-                  <p>defines host-based boundary protection mechanisms;</p>
-               </part>
-               <part id="sc-7.12_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(12)[2]</prop>
-                  <p>defines information system components where organization-defined host-based
-                     boundary protection mechanisms are to be implemented; and</p>
-               </part>
-               <part id="sc-7.12_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(12)[3]</prop>
-                  <p>implements organization-defined host-based boundary protection mechanisms at
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-                  <p>information system users</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing host-based boundary protection
-                     capabilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.13">
-            <title>Isolation of Security Tools / Mechanisms / Support Components</title>
-            <param id="sc-7.13_prm_1">
-               <label>organization-defined information security tools, mechanisms, and support
-                  components</label>
-            </param>
-            <prop name="label">SC-7(13)</prop>
-            <prop name="sort-id">sc-07.13</prop>
-            <part id="sc-7.13_smt" name="statement">
-               <p>The organization isolates <insert param-id="sc-7.13_prm_1"/> from other internal
-                  information system components by implementing physically separate subnetworks with
-                  managed interfaces to other components of the system.</p>
-               <part id="sc-7.13_fr" name="item">
-                  <title>SC-7 (13) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="sc-7.13_fr_smt.1" name="item">
-                     <prop name="label">Requirement:</prop>
-                     <p>The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sc-7.13_gdn" name="guidance">
-               <p>Physically separate subnetworks with managed interfaces are useful, for example,
-                  in isolating computer network defenses from critical operational processing
-                  networks to prevent adversaries from discovering the analysis and forensics
-                  techniques of organizations.</p>
-               <link rel="related" href="#sa-8">SA-8</link>
-               <link rel="related" href="#sc-2">SC-2</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-            </part>
-            <part id="sc-7.13_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.13_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-7(13)[1]</prop>
-                  <p>defines information security tools, mechanisms, and support components to be
-                     isolated from other internal information system components; and</p>
-               </part>
-               <part id="sc-7.13_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-7(13)[2]</prop>
-                  <p>isolates organization-defined information security tools, mechanisms, and
-                     support components from other internal information system components by
-                     implementing physically separate subnetworks with managed interfaces to other
-                     components of the system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security tools and support components to be isolated from other
-                     internal information system components</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing isolation of information
-                     security tools, mechanisms, and support components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.18">
-            <title>Fail Secure</title>
-            <prop name="label">SC-7(18)</prop>
-            <prop name="sort-id">sc-07.18</prop>
-            <part id="sc-7.18_smt" name="statement">
-               <p>The information system fails securely in the event of an operational failure of a
-                  boundary protection device.</p>
-            </part>
-            <part id="sc-7.18_gdn" name="guidance">
-               <p>Fail secure is a condition achieved by employing information system mechanisms to
-                  ensure that in the event of operational failures of boundary protection devices at
-                  managed interfaces (e.g., routers, firewalls, guards, and application gateways
-                  residing on protected subnetworks commonly referred to as demilitarized zones),
-                  information systems do not enter into unsecure states where intended security
-                  properties no longer hold. Failures of boundary protection devices cannot lead to,
-                  or cause information external to the devices to enter the devices, nor can
-                  failures permit unauthorized information releases.</p>
-               <link rel="related" href="#cp-2">CP-2</link>
-               <link rel="related" href="#sc-24">SC-24</link>
-            </part>
-            <part id="sc-7.18_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system fails securely in the event of an operational
-                  failure of a boundary protection device.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing secure failure</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-8">
-         <title>Transmission Confidentiality and Integrity</title>
-         <param id="sc-8_prm_1">
-            <constraint>confidentiality AND integrity</constraint>
-         </param>
-         <prop name="label">SC-8</prop>
-         <prop name="sort-id">sc-08</prop>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#f2dbd4ec-c413-4714-b85b-6b7184d1c195" rel="reference">FIPS Publication 197</link>
-         <link href="#90c5bc98-f9c4-44c9-98b7-787422f0999c" rel="reference">NIST Special Publication 800-52</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <link href="#349fe082-502d-464a-aa0c-1443c6a5cf40" rel="reference">NIST Special Publication 800-113</link>
-         <link href="#a4aa9645-9a8a-4b51-90a9-e223250f9a75" rel="reference">CNSS Policy 15</link>
-         <link href="#06dff0ea-3848-4945-8d91-e955ee69f05d" rel="reference">NSTISSI No. 7003</link>
-         <part id="sc-8_smt" name="statement">
-            <p>The information system protects the <insert param-id="sc-8_prm_1"/> of transmitted
-               information.</p>
-         </part>
-         <part id="sc-8_gdn" name="guidance">
-            <p>This control applies to both internal and external networks and all types of
-               information system components from which information can be transmitted (e.g.,
-               servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile
-               machines). Communication paths outside the physical protection of a controlled
-               boundary are exposed to the possibility of interception and modification. Protecting
-               the confidentiality and/or integrity of organizational information can be
-               accomplished by physical means (e.g., by employing protected distribution systems) or
-               by logical means (e.g., employing encryption techniques). Organizations relying on
-               commercial providers offering transmission services as commodity services rather than
-               as fully dedicated services (i.e., services which can be highly specialized to
-               individual customer needs), may find it difficult to obtain the necessary assurances
-               regarding the implementation of needed security controls for transmission
-               confidentiality/integrity. In such situations, organizations determine what types of
-               confidentiality/integrity services are available in standard, commercial
-               telecommunication service packages. If it is infeasible or impractical to obtain the
-               necessary security controls and assurances of control effectiveness through
-               appropriate contracting vehicles, organizations implement appropriate compensating
-               security controls or explicitly accept the additional risk.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-         </part>
-         <part id="sc-8_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system protects one or more of the following:</p>
-            <part id="sc-8_obj.1" name="objective">
-               <prop name="label">SC-8[1]</prop>
-               <p>confidentiality of transmitted information; and/or</p>
-            </part>
-            <part id="sc-8_obj.2" name="objective">
-               <prop name="label">SC-8[2]</prop>
-               <p>integrity of transmitted information.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing transmission confidentiality and integrity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing transmission confidentiality
-                  and/or integrity</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-8.1">
-            <title>Cryptographic or Alternate Physical Protection</title>
-            <param id="sc-8.1_prm_1">
-               <constraint>prevent unauthorized disclosure of information AND detect changes to information</constraint>
-            </param>
-            <param id="sc-8.1_prm_2">
-               <label>organization-defined alternative physical safeguards</label>
-               <constraint>a hardened or alarmed carrier Protective Distribution System (PDS)</constraint>
-            </param>
-            <prop name="label">SC-8(1)</prop>
-            <prop name="sort-id">sc-08.01</prop>
-            <part id="sc-8.1_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to <insert param-id="sc-8.1_prm_1"/> during transmission unless otherwise protected by
-                     <insert param-id="sc-8.1_prm_2"/>.</p>
-            </part>
-            <part id="sc-8.1_gdn" name="guidance">
-               <p>Encrypting information for transmission protects information from unauthorized
-                  disclosure and modification. Cryptographic mechanisms implemented to protect
-                  information integrity include, for example, cryptographic hash functions which
-                  have common application in digital signatures, checksums, and message
-                  authentication codes. Alternative physical security safeguards include, for
-                  example, protected distribution systems.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-8.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-8.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-8(1)[1]</prop>
-                  <p>the organization defines physical safeguards to be implemented to protect
-                     information during transmission when cryptographic mechanisms are not
-                     implemented; and</p>
-               </part>
-               <part id="sc-8.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-8(1)[2]</prop>
-                  <p>the information system implements cryptographic mechanisms to do one or more of
-                     the following during transmission unless otherwise protected by
-                     organization-defined alternative physical safeguards:</p>
-                  <part id="sc-8.1_obj.2.a" name="objective">
-                     <prop name="label">SC-8(1)[2][a]</prop>
-                     <p>prevent unauthorized disclosure of information; and/or</p>
-                  </part>
-                  <part id="sc-8.1_obj.2.b" name="objective">
-                     <prop name="label">SC-8(1)[2][b]</prop>
-                     <p>detect changes to information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing transmission confidentiality and integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms supporting and/or implementing transmission
-                     confidentiality and/or integrity</p>
-                  <p>automated mechanisms supporting and/or implementing alternative physical
-                     safeguards</p>
-                  <p>organizational processes for defining and implementing alternative physical
-                     safeguards</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-10">
-         <title>Network Disconnect</title>
-         <param id="sc-10_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions</constraint>
-         </param>
-         <prop name="label">SC-10</prop>
-         <prop name="sort-id">sc-10</prop>
-         <part id="sc-10_smt" name="statement">
-            <p>The information system terminates the network connection associated with a
-               communications session at the end of the session or after <insert param-id="sc-10_prm_1"/> of inactivity.</p>
-         </part>
-         <part id="sc-10_gdn" name="guidance">
-            <p>This control applies to both internal and external networks. Terminating network
-               connections associated with communications sessions include, for example,
-               de-allocating associated TCP/IP address/port pairs at the operating system level, or
-               de-allocating networking assignments at the application level if multiple application
-               sessions are using a single, operating system-level network connection. Time periods
-               of inactivity may be established by organizations and include, for example, time
-               periods by type of network access or for specific network accesses.</p>
-         </part>
-         <part id="sc-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-10[1]</prop>
-               <p>the organization defines a time period of inactivity after which the information
-                  system terminates a network connection associated with a communications session;
-                  and</p>
-            </part>
-            <part id="sc-10_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-10[2]</prop>
-               <p>the information system terminates the network connection associated with a
-                  communication session at the end of the session or after the organization-defined
-                  time period of inactivity.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing network disconnect</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing network disconnect
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-12">
-         <title>Cryptographic Key Establishment and Management</title>
-         <param id="sc-12_prm_1">
-            <label>organization-defined requirements for key generation, distribution, storage,
-               access, and destruction</label>
-         </param>
-         <prop name="label">SC-12</prop>
-         <prop name="sort-id">sc-12</prop>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <part id="sc-12_smt" name="statement">
-            <p>The organization establishes and manages cryptographic keys for required cryptography
-               employed within the information system in accordance with <insert param-id="sc-12_prm_1"/>.</p>
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-12_gdn" name="guidance">
-            <p>Cryptographic key management and establishment can be performed using manual
-               procedures or automated mechanisms with supporting manual procedures. Organizations
-               define key management requirements in accordance with applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, and guidance,
-               specifying appropriate options, levels, and parameters. Organizations manage trust
-               stores to ensure that only approved trust anchors are in such trust stores. This
-               includes certificates with visibility external to organizational information systems
-               and certificates related to the internal operations of systems.</p>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="sc-12_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-12_obj.1" name="objective">
-               <prop name="label">SC-12[1]</prop>
-               <p>defines requirements for cryptographic key:</p>
-               <part id="sc-12_obj.1.a" name="objective">
-                  <prop name="label">SC-12[1][a]</prop>
-                  <p>generation;</p>
-               </part>
-               <part id="sc-12_obj.1.b" name="objective">
-                  <prop name="label">SC-12[1][b]</prop>
-                  <p>distribution;</p>
-               </part>
-               <part id="sc-12_obj.1.c" name="objective">
-                  <prop name="label">SC-12[1][c]</prop>
-                  <p>storage;</p>
-               </part>
-               <part id="sc-12_obj.1.d" name="objective">
-                  <prop name="label">SC-12[1][d]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="sc-12_obj.1.e" name="objective">
-                  <prop name="label">SC-12[1][e]</prop>
-                  <p>destruction; and</p>
-               </part>
-            </part>
-            <part id="sc-12_obj.2" name="objective">
-               <prop name="label">SC-12[2]</prop>
-               <p>establishes and manages cryptographic keys for required cryptography employed
-                  within the information system in accordance with organization-defined requirements
-                  for key generation, distribution, storage, access, and destruction.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic key establishment and management</p>
-               <p>information system design documentation</p>
-               <p>cryptographic mechanisms</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for cryptographic key establishment
-                  and/or management</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic key
-                  establishment and management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-12.2">
-            <title>Symmetric Keys</title>
-            <param id="sc-12.2_prm_1">
-               <constraint>NIST FIPS-compliant</constraint>
-            </param>
-            <prop name="label">SC-12(2)</prop>
-            <prop name="sort-id">sc-12.02</prop>
-            <part id="sc-12.2_smt" name="statement">
-               <p>The organization produces, controls, and distributes symmetric cryptographic keys
-                  using <insert param-id="sc-12.2_prm_1"/> key management technology and
-                  processes.</p>
-            </part>
-            <part id="sc-12.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization produces, controls, and distributes symmetric
-                  cryptographic keys using one of the following: </p>
-               <part id="sc-12.2_obj.1" name="objective">
-                  <prop name="label">SC-12(2)[1]</prop>
-                  <p>NIST FIPS-compliant key management technology and processes; or</p>
-               </part>
-               <part id="sc-12.2_obj.2" name="objective">
-                  <prop name="label">SC-12(2)[2]</prop>
-                  <p>NSA-approved key management technology and processes.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing cryptographic key establishment and management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FIPS validated cryptographic products</p>
-                  <p>list of NSA-approved cryptographic products</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for cryptographic key
-                     establishment or management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing symmetric cryptographic key
-                     establishment and management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.3">
-            <title>Asymmetric Keys</title>
-            <param id="sc-12.3_prm_1"/>
-            <prop name="label">SC-12(3)</prop>
-            <prop name="sort-id">sc-12.03</prop>
-            <part id="sc-12.3_smt" name="statement">
-               <p>The organization produces, controls, and distributes asymmetric cryptographic keys
-                  using <insert param-id="sc-12.3_prm_1"/>.</p>
-            </part>
-            <part id="sc-12.3_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization produces, controls, and distributes asymmetric
-                  cryptographic keys using one of the following: </p>
-               <part id="sc-12.3_obj.1" name="objective">
-                  <prop name="label">SC-12(3)[1]</prop>
-                  <p>NSA-approved key management technology and processes;</p>
-               </part>
-               <part id="sc-12.3_obj.2" name="objective">
-                  <prop name="label">SC-12(3)[2]</prop>
-                  <p>approved PKI Class 3 certificates or prepositioned keying material; or</p>
-               </part>
-               <part id="sc-12.3_obj.3" name="objective">
-                  <prop name="label">SC-12(3)[3]</prop>
-                  <p>approved PKI Class 3 or Class 4 certificates and hardware security tokens that
-                     protect the user’s private key.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing cryptographic key establishment and management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of NSA-approved cryptographic products</p>
-                  <p>list of approved PKI Class 3 and Class 4 certificates</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for cryptographic key
-                     establishment or management</p>
-                  <p>organizational personnel with responsibilities for PKI certificates</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing asymmetric cryptographic
-                     key establishment and management</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-13">
-         <title>Cryptographic Protection</title>
-         <param id="sc-13_prm_1">
-            <label>organization-defined cryptographic uses and type of cryptography required for
-               each use</label>
-            <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SC-13</prop>
-         <prop name="sort-id">sc-13</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#6a1041fc-054e-4230-946b-2e6f4f3731bb" rel="reference">http://csrc.nist.gov/cryptval</link>
-         <link href="#9b97ed27-3dd6-4f9a-ade5-1b43e9669794" rel="reference">http://www.cnss.gov</link>
-         <part id="sc-13_smt" name="statement">
-            <p>The information system implements <insert param-id="sc-13_prm_1"/> in accordance with
-               applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards.</p>
-         </part>
-         <part id="sc-13_gdn" name="guidance">
-            <p>Cryptography can be employed to support a variety of security solutions including,
-               for example, the protection of classified and Controlled Unclassified Information,
-               the provision of digital signatures, and the enforcement of information separation
-               when authorized individuals have the necessary clearances for such information but
-               lack the necessary formal access approvals. Cryptography can also be used to support
-               random number generation and hash generation. Generally applicable cryptographic
-               standards include FIPS-validated cryptography and NSA-approved cryptography. This
-               control does not impose any requirements on organizations to use cryptography.
-               However, if cryptography is required based on the selection of other security
-               controls, organizations define each type of cryptographic use and the type of
-               cryptography required (e.g., protection of classified information: NSA-approved
-               cryptography; provision of digital signatures: FIPS-validated cryptography).</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-7">IA-7</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-13_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-13_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-13[1]</prop>
-               <p>the organization defines cryptographic uses; and</p>
-            </part>
-            <part id="sc-13_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-13[2]</prop>
-               <p>the organization defines the type of cryptography required for each use; and</p>
-            </part>
-            <part id="sc-13_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-13[3]</prop>
-               <p>the information system implements the organization-defined cryptographic uses and
-                  type of cryptography required for each use in accordance with applicable federal
-                  laws, Executive Orders, directives, policies, regulations, and standards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic protection</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>cryptographic module validation certificates</p>
-               <p>list of FIPS validated cryptographic modules</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for cryptographic protection</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic protection</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-15">
-         <title>Collaborative Computing Devices</title>
-         <param id="sc-15_prm_1">
-            <label>organization-defined exceptions where remote activation is to be allowed</label>
-            <constraint>no exceptions</constraint>
-         </param>
-         <prop name="label">SC-15</prop>
-         <prop name="sort-id">sc-15</prop>
-         <part id="sc-15_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-15_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prohibits remote activation of collaborative computing devices with the following
-                  exceptions: <insert param-id="sc-15_prm_1"/>; and</p>
-            </part>
-            <part id="sc-15_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides an explicit indication of use to users physically present at the
-                  devices.</p>
-            </part>
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-15_gdn" name="guidance">
-            <p>Collaborative computing devices include, for example, networked white boards,
-               cameras, and microphones. Explicit indication of use includes, for example, signals
-               to users when collaborative computing devices are activated.</p>
-            <link rel="related" href="#ac-21">AC-21</link>
-         </part>
-         <part id="sc-15_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-15.a_obj" name="objective">
-               <prop name="label">SC-15(a)</prop>
-               <part id="sc-15.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-15(a)[1]</prop>
-                  <p>the organization defines exceptions where remote activation of collaborative
-                     computing devices is to be allowed;</p>
-               </part>
-               <part id="sc-15.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-15(a)[2]</prop>
-                  <p>the information system prohibits remote activation of collaborative computing
-                     devices, except for organization-defined exceptions where remote activation is
-                     to be allowed; and</p>
-               </part>
-            </part>
-            <part id="sc-15.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-15(b)</prop>
-               <p>the information system provides an explicit indication of use to users physically
-                  present at the devices.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing collaborative computing</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for managing collaborative
-                  computing devices</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing management of remote
-                  activation of collaborative computing devices</p>
-               <p>automated mechanisms providing an indication of use of collaborative computing
-                  devices</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-17">
-         <title>Public Key Infrastructure Certificates</title>
-         <param id="sc-17_prm_1">
-            <label>organization-defined certificate policy</label>
-         </param>
-         <prop name="label">SC-17</prop>
-         <prop name="sort-id">sc-17</prop>
-         <link href="#58ad6f27-af99-429f-86a8-8bb767b014b9" rel="reference">OMB Memorandum 05-24</link>
-         <link href="#8f174e91-844e-4cf1-a72a-45c119a3a8dd" rel="reference">NIST Special Publication 800-32</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <part id="sc-17_smt" name="statement">
-            <p>The organization issues public key certificates under an <insert param-id="sc-17_prm_1"/> or obtains public key certificates from an approved
-               service provider.</p>
-         </part>
-         <part id="sc-17_gdn" name="guidance">
-            <p>For all certificates, organizations manage information system trust stores to ensure
-               only approved trust anchors are in the trust stores. This control addresses both
-               certificates with visibility external to organizational information systems and
-               certificates related to the internal operations of systems, for example,
-               application-specific time services.</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-         </part>
-         <part id="sc-17_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-17_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-17[1]</prop>
-               <p>defines a certificate policy for issuing public key certificates;</p>
-            </part>
-            <part id="sc-17_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-17[2]</prop>
-               <p>issues public key certificates:</p>
-               <part id="sc-17_obj.2.a" name="objective">
-                  <prop name="label">SC-17[2][a]</prop>
-                  <p>under an organization-defined certificate policy: or</p>
-               </part>
-               <part id="sc-17_obj.2.b" name="objective">
-                  <prop name="label">SC-17[2][b]</prop>
-                  <p>obtains public key certificates from an approved service provider.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing public key infrastructure certificates</p>
-               <p>public key certificate policy or policies</p>
-               <p>public key issuing process</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for issuing public key
-                  certificates</p>
-               <p>service providers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing the management of public key
-                  infrastructure certificates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-18">
-         <title>Mobile Code</title>
-         <prop name="label">SC-18</prop>
-         <prop name="sort-id">sc-18</prop>
-         <link href="#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1" rel="reference">NIST Special Publication 800-28</link>
-         <link href="#e6522953-6714-435d-a0d3-140df554c186" rel="reference">DoD Instruction 8552.01</link>
-         <part id="sc-18_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-18_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Defines acceptable and unacceptable mobile code and mobile code technologies;</p>
-            </part>
-            <part id="sc-18_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes usage restrictions and implementation guidance for acceptable mobile
-                  code and mobile code technologies; and</p>
-            </part>
-            <part id="sc-18_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Authorizes, monitors, and controls the use of mobile code within the information
-                  system.</p>
-            </part>
-         </part>
-         <part id="sc-18_gdn" name="guidance">
-            <p>Decisions regarding the employment of mobile code within organizational information
-               systems are based on the potential for the code to cause damage to the systems if
-               used maliciously. Mobile code technologies include, for example, Java, JavaScript,
-               ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage
-               restrictions and implementation guidance apply to both the selection and use of
-               mobile code installed on servers and mobile code downloaded and executed on
-               individual workstations and devices (e.g., smart phones). Mobile code policy and
-               procedures address preventing the development, acquisition, or introduction of
-               unacceptable mobile code within organizational information systems.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="sc-18_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-18.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-18(a)</prop>
-               <p>defines acceptable and unacceptable mobile code and mobile code technologies;</p>
-            </part>
-            <part id="sc-18.b_obj" name="objective">
-               <prop name="label">SC-18(b)</prop>
-               <part id="sc-18.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-18(b)[1]</prop>
-                  <p>establishes usage restrictions for acceptable mobile code and mobile code
-                     technologies;</p>
-               </part>
-               <part id="sc-18.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-18(b)[2]</prop>
-                  <p>establishes implementation guidance for acceptable mobile code and mobile code
-                     technologies;</p>
-               </part>
-            </part>
-            <part id="sc-18.c_obj" name="objective">
-               <prop name="label">SC-18(c)</prop>
-               <part id="sc-18.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-18(c)[1]</prop>
-                  <p>authorizes the use of mobile code within the information system;</p>
-               </part>
-               <part id="sc-18.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-18(c)[2]</prop>
-                  <p>monitors the use of mobile code within the information system; and</p>
-               </part>
-               <part id="sc-18.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-18(c)[3]</prop>
-                  <p>controls the use of mobile code within the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing mobile code</p>
-               <p>mobile code usage restrictions, mobile code implementation policy and
-                  procedures</p>
-               <p>list of acceptable mobile code and mobile code technologies</p>
-               <p>list of unacceptable mobile code and mobile technologies</p>
-               <p>authorization records</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing mobile code</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for controlling, authorizing, monitoring, and restricting
-                  mobile code</p>
-               <p>automated mechanisms supporting and/or implementing the management of mobile
-                  code</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of mobile
-                  code</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-19">
-         <title>Voice Over Internet Protocol</title>
-         <prop name="label">SC-19</prop>
-         <prop name="sort-id">sc-19</prop>
-         <link href="#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90" rel="reference">NIST Special Publication 800-58</link>
-         <part id="sc-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions and implementation guidance for Voice over Internet
-                  Protocol (VoIP) technologies based on the potential to cause damage to the
-                  information system if used maliciously; and</p>
-            </part>
-            <part id="sc-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes, monitors, and controls the use of VoIP within the information
-                  system.</p>
-            </part>
-         </part>
-         <part id="sc-19_gdn" name="guidance">
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-15">SC-15</link>
-         </part>
-         <part id="sc-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-19.a_obj" name="objective">
-               <prop name="label">SC-19(a)</prop>
-               <part id="sc-19.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-19(a)[1]</prop>
-                  <p>establishes usage restrictions for Voice over Internet Protocol (VoIP)
-                     technologies based on the potential to cause damage to the information system
-                     if used maliciously;</p>
-               </part>
-               <part id="sc-19.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-19(a)[2]</prop>
-                  <p>establishes implementation guidance for Voice over Internet Protocol (VoIP)
-                     technologies based on the potential to cause damage to the information system
-                     if used maliciously;</p>
-               </part>
-            </part>
-            <part id="sc-19.b_obj" name="objective">
-               <prop name="label">SC-19(b)</prop>
-               <part id="sc-19.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-19(b)[1]</prop>
-                  <p>authorizes the use of VoIP within the information system;</p>
-               </part>
-               <part id="sc-19.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-19(b)[2]</prop>
-                  <p>monitors the use of VoIP within the information system; and</p>
-               </part>
-               <part id="sc-19.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-19(b)[3]</prop>
-                  <p>controls the use of VoIP within the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing VoIP</p>
-               <p>VoIP usage restrictions</p>
-               <p>VoIP implementation guidance</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing VoIP</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for authorizing, monitoring, and controlling VoIP</p>
-               <p>automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling VoIP</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-20">
-         <title>Secure Name / Address Resolution Service (authoritative Source)</title>
-         <prop name="label">SC-20</prop>
-         <prop name="sort-id">sc-20</prop>
-         <link href="#28115a56-da6b-4d44-b1df-51dd7f048a3e" rel="reference">OMB Memorandum 08-23</link>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-20_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides additional data origin authentication and integrity verification
-                  artifacts along with the authoritative name resolution data the system returns in
-                  response to external name/address resolution queries; and</p>
-            </part>
-            <part id="sc-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides the means to indicate the security status of child zones and (if the
-                  child supports secure resolution services) to enable verification of a chain of
-                  trust among parent and child domains, when operating as part of a distributed,
-                  hierarchical namespace.</p>
-            </part>
-         </part>
-         <part id="sc-20_gdn" name="guidance">
-            <p>This control enables external clients including, for example, remote Internet
-               clients, to obtain origin authentication and integrity verification assurances for
-               the host/service name to network address resolution information obtained through the
-               service. Information systems that provide name and address resolution services
-               include, for example, domain name system (DNS) servers. Additional artifacts include,
-               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-               resource records are examples of authoritative data. The means to indicate the
-               security status of child zones includes, for example, the use of delegation signer
-               resource records in the DNS. The DNS security controls reflect (and are referenced
-               from) OMB Memorandum 08-23. Information systems that use technologies other than the
-               DNS to map between host/service names and network addresses provide other means to
-               assure the authenticity and integrity of response data.</p>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-20_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-20.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-20(a)</prop>
-               <p>provides additional data origin and integrity verification artifacts along with
-                  the authoritative name resolution data the system returns in response to external
-                  name/address resolution queries;</p>
-            </part>
-            <part id="sc-20.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-20(b)</prop>
-               <p>provides the means to, when operating as part of a distributed, hierarchical
-                  namespace:</p>
-               <part id="sc-20.b_obj.1" name="objective">
-                  <prop name="label">SC-20(b)[1]</prop>
-                  <p>indicate the security status of child zones; and</p>
-               </part>
-               <part id="sc-20.b_obj.2" name="objective">
-                  <prop name="label">SC-20(b)[2]</prop>
-                  <p>enable verification of a chain of trust among parent and child domains (if the
-                     child supports secure resolution services).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (authoritative
-                  source)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing secure name/address resolution
-                  service</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-21">
-         <title>Secure Name / Address Resolution Service (recursive or Caching Resolver)</title>
-         <prop name="label">SC-21</prop>
-         <prop name="sort-id">sc-21</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-21_smt" name="statement">
-            <p>The information system requests and performs data origin authentication and data
-               integrity verification on the name/address resolution responses the system receives
-               from authoritative sources.</p>
-         </part>
-         <part id="sc-21_gdn" name="guidance">
-            <p>Each client of name resolution services either performs this validation on its own,
-               or has authenticated channels to trusted validation providers. Information systems
-               that provide name and address resolution services for local clients include, for
-               example, recursive resolving or caching domain name system (DNS) servers. DNS client
-               resolvers either perform validation of DNSSEC signatures, or clients use
-               authenticated channels to recursive resolvers that perform such validations.
-               Information systems that use technologies other than the DNS to map between
-               host/service names and network addresses provide other means to enable clients to
-               verify the authenticity and integrity of response data.</p>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-21_obj" name="objective">
-            <p>Determine if the information system: </p>
-            <part id="sc-21_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-21[1]</prop>
-               <p>requests data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SC-21[2]</prop>
-               <p>requests data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.3" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-21[3]</prop>
-               <p>performs data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources; and</p>
-            </part>
-            <part id="sc-21_obj.4" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-21[4]</prop>
-               <p>performs data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (recursive or caching
-                  resolver)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing data origin authentication and
-                  data integrity verification for name/address resolution services</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-22">
-         <title>Architecture and Provisioning for Name / Address Resolution Service</title>
-         <prop name="label">SC-22</prop>
-         <prop name="sort-id">sc-22</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-22_smt" name="statement">
-            <p>The information systems that collectively provide name/address resolution service for
-               an organization are fault-tolerant and implement internal/external role
-               separation.</p>
-         </part>
-         <part id="sc-22_gdn" name="guidance">
-            <p>Information systems that provide name and address resolution services include, for
-               example, domain name system (DNS) servers. To eliminate single points of failure and
-               to enhance redundancy, organizations employ at least two authoritative domain name
-               system servers, one configured as the primary server and the other configured as the
-               secondary server. Additionally, organizations typically deploy the servers in two
-               geographically separated network subnetworks (i.e., not located in the same physical
-               facility). For role separation, DNS servers with internal roles only process name and
-               address resolution requests from within organizations (i.e., from internal clients).
-               DNS servers with external roles only process name and address resolution information
-               requests from clients external to organizations (i.e., on external networks including
-               the Internet). Organizations specify clients that can access authoritative DNS
-               servers in particular roles (e.g., by address ranges, explicit lists).</p>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="sc-22_obj" name="objective">
-            <p>Determine if the information systems that collectively provide name/address
-               resolution service for an organization: </p>
-            <part id="sc-22_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-22[1]</prop>
-               <p>are fault tolerant; and</p>
-            </part>
-            <part id="sc-22_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SC-22[2]</prop>
-               <p>implement internal/external role separation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing architecture and provisioning for name/address resolution
-                  service</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>assessment results from independent, testing organizations</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing name/address resolution
-                  service for fault tolerance and role separation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-23">
-         <title>Session Authenticity</title>
-         <prop name="label">SC-23</prop>
-         <prop name="sort-id">sc-23</prop>
-         <link href="#90c5bc98-f9c4-44c9-98b7-787422f0999c" rel="reference">NIST Special Publication 800-52</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#1ebdf782-d95d-4a7b-8ec7-ee860951eced" rel="reference">NIST Special Publication 800-95</link>
-         <part id="sc-23_smt" name="statement">
-            <p>The information system protects the authenticity of communications sessions.</p>
-         </part>
-         <part id="sc-23_gdn" name="guidance">
-            <p>This control addresses communications protection at the session, versus packet level
-               (e.g., sessions in service-oriented architectures providing web-based services) and
-               establishes grounds for confidence at both ends of communications sessions in ongoing
-               identities of other parties and in the validity of information transmitted.
-               Authenticity protection includes, for example, protecting against man-in-the-middle
-               attacks/session hijacking and the insertion of false information into sessions.</p>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-11">SC-11</link>
-         </part>
-         <part id="sc-23_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system protects the authenticity of communications
-               sessions.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing session authenticity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing session authenticity</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-28">
-         <title>Protection of Information at Rest</title>
-         <param id="sc-28_prm_1">
-            <constraint>confidentiality AND integrity</constraint>
-         </param>
-         <param id="sc-28_prm_2">
-            <label>organization-defined information at rest</label>
-         </param>
-         <prop name="label">SC-28</prop>
-         <prop name="sort-id">sc-28</prop>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="sc-28_smt" name="statement">
-            <p>The information system protects the <insert param-id="sc-28_prm_1"/> of <insert param-id="sc-28_prm_2"/>.</p>
-            <part id="sc-28_fr" name="item">
-               <title>SC-28 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-28_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-28_gdn" name="guidance">
-            <p>This control addresses the confidentiality and integrity of information at rest and
-               covers user information and system information. Information at rest refers to the
-               state of information when it is located on storage devices as specific components of
-               information systems. System-related information requiring protection includes, for
-               example, configurations or rule sets for firewalls, gateways, intrusion
-               detection/prevention systems, filtering routers, and authenticator content.
-               Organizations may employ different mechanisms to achieve confidentiality and
-               integrity protections, including the use of cryptographic mechanisms and file share
-               scanning. Integrity protection can be achieved, for example, by implementing
-               Write-Once-Read-Many (WORM) technologies. Organizations may also employ other
-               security controls including, for example, secure off-line storage in lieu of online
-               storage when adequate protection of information at rest cannot otherwise be achieved
-               and/or continuous monitoring to identify malicious code at rest.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-28_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-28_obj.1" name="objective">
-               <prop name="label">SC-28[1]</prop>
-               <p>the organization defines information at rest requiring one or more of the
-                  following:</p>
-               <part id="sc-28_obj.1.a" name="objective">
-                  <prop name="label">SC-28[1][a]</prop>
-                  <p>confidentiality protection; and/or</p>
-               </part>
-               <part id="sc-28_obj.1.b" name="objective">
-                  <prop name="label">SC-28[1][b]</prop>
-                  <p>integrity protection;</p>
-               </part>
-            </part>
-            <part id="sc-28_obj.2" name="objective">
-               <prop name="label">SC-28[2]</prop>
-               <p>the information system protects:</p>
-               <part id="sc-28_obj.2.a" name="objective">
-                  <prop name="label">SC-28[2][a]</prop>
-                  <p>the confidentiality of organization-defined information at rest; and/or</p>
-               </part>
-               <part id="sc-28_obj.2.b" name="objective">
-                  <prop name="label">SC-28[2][b]</prop>
-                  <p>the integrity of organization-defined information at rest.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing protection of information at rest</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>cryptographic mechanisms and associated configuration documentation</p>
-               <p>list of information at rest requiring confidentiality and integrity
-                  protections</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing confidentiality and integrity
-                  protections for information at rest</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-28.1">
-            <title>Cryptographic Protection</title>
-            <param id="sc-28.1_prm_1">
-               <label>organization-defined information</label>
-            </param>
-            <param id="sc-28.1_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-28(1)</prop>
-            <prop name="sort-id">sc-28.01</prop>
-            <part id="sc-28.1_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to prevent unauthorized
-                  disclosure and modification of <insert param-id="sc-28.1_prm_1"/> on <insert param-id="sc-28.1_prm_2"/>.</p>
-            </part>
-            <part id="sc-28.1_gdn" name="guidance">
-               <p>Selection of cryptographic mechanisms is based on the need to protect the
-                  confidentiality and integrity of organizational information. The strength of
-                  mechanism is commensurate with the security category and/or classification of the
-                  information. This control enhancement applies to significant concentrations of
-                  digital media in organizational areas designated for media storage and also to
-                  limited quantities of media generally associated with information system
-                  components in operational environments (e.g., portable storage devices, mobile
-                  devices). Organizations have the flexibility to either encrypt all information on
-                  storage devices (i.e., full disk encryption) or encrypt specific data structures
-                  (e.g., files, records, or fields). Organizations employing cryptographic
-                  mechanisms to protect information at rest also consider cryptographic key
-                  management solutions.</p>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-            </part>
-            <part id="sc-28.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-28.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-28(1)[1]</prop>
-                  <p>the organization defines information requiring cryptographic protection;</p>
-               </part>
-               <part id="sc-28.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SC-28(1)[2]</prop>
-                  <p>the organization defines information system components with
-                     organization-defined information requiring cryptographic protection; and</p>
-               </part>
-               <part id="sc-28.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SC-28(1)[3]</prop>
-                  <p>the information system employs cryptographic mechanisms to prevent unauthorized
-                     disclosure and modification of organization-defined information on
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing protection of information at rest</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms implementing confidentiality and integrity protections
-                     for information at rest</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-39">
-         <title>Process Isolation</title>
-         <prop name="label">SC-39</prop>
-         <prop name="sort-id">sc-39</prop>
-         <part id="sc-39_smt" name="statement">
-            <p>The information system maintains a separate execution domain for each executing
-               process.</p>
-         </part>
-         <part id="sc-39_gdn" name="guidance">
-            <p>Information systems can maintain separate execution domains for each executing
-               process by assigning each process a separate address space. Each information system
-               process has a distinct address space so that communication between processes is
-               performed in a manner controlled through the security functions, and one process
-               cannot modify the executing code of another process. Maintaining separate execution
-               domains for executing processes can be achieved, for example, by implementing
-               separate address spaces. This capability is available in most commercial operating
-               systems that employ multi-state processor technologies.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sc-39_obj" name="objective">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-            <p>Determine if the information system maintains a separate execution domain for each
-               executing process.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system design documentation</p>
-               <p>information system architecture</p>
-               <p>independent verification and validation documentation</p>
-               <p>testing and evaluation documentation, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Information system developers/integrators</p>
-               <p>information system security architect</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing separate execution domains for
-                  each executing process</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="si">
-      <title>System and Information Integrity</title>
-      <control class="SP800-53" id="si-1">
-         <title>System and Information Integrity Policy and Procedures</title>
-         <param id="si-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-1_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least every 3 years</constraint>
-         </param>
-         <param id="si-1_prm_3">
-            <label>organization-defined frequency</label>
-            <constraint>at least annually</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-1</prop>
-         <prop name="sort-id">si-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="si-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="si-1_prm_1"/>:</p>
-               <part id="si-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and information integrity policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="si-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and information
-                     integrity policy and associated system and information integrity controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="si-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and information integrity policy <insert param-id="si-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="si-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and information integrity procedures <insert param-id="si-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="si-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SI
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="si-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-1.a_obj" name="objective">
-               <prop name="label">SI-1(a)</prop>
-               <part id="si-1.a.1_obj" name="objective">
-                  <prop name="label">SI-1(a)(1)</prop>
-                  <part id="si-1.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and information integrity policy that
-                        addresses:</p>
-                     <part id="si-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="si-1.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and information integrity
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="si-1.a.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SI-1(a)(1)[3]</prop>
-                     <p>disseminates the system and information integrity policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="si-1.a.2_obj" name="objective">
-                  <prop name="label">SI-1(a)(2)</prop>
-                  <part id="si-1.a.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and information integrity policy and associated system and
-                        information integrity controls;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="label">SI-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-1.b_obj" name="objective">
-               <prop name="label">SI-1(b)</prop>
-               <part id="si-1.b.1_obj" name="objective">
-                  <prop name="label">SI-1(b)(1)</prop>
-                  <part id="si-1.b.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity policy;</p>
-                  </part>
-                  <part id="si-1.b.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and information integrity policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="si-1.b.2_obj" name="objective">
-                  <prop name="label">SI-1(b)(2)</prop>
-                  <part id="si-1.b.2_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity procedures; and</p>
-                  </part>
-                  <part id="si-1.b.2_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and information integrity procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and information integrity
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-2">
-         <title>Flaw Remediation</title>
-         <param id="si-2_prm_1">
-            <label>organization-defined time period</label>
-            <constraint>within 30 days of release of updates</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-2</prop>
-         <prop name="sort-id">si-02</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="si-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies, reports, and corrects information system flaws;</p>
-            </part>
-            <part id="si-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tests software and firmware updates related to flaw remediation for effectiveness
-                  and potential side effects before installation;</p>
-            </part>
-            <part id="si-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Installs security-relevant software and firmware updates within <insert param-id="si-2_prm_1"/> of the release of the updates; and</p>
-            </part>
-            <part id="si-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part id="si-2_gdn" name="guidance">
-            <p>Organizations identify information systems affected by announced software flaws
-               including potential vulnerabilities resulting from those flaws, and report this
-               information to designated organizational personnel with information security
-               responsibilities. Security-relevant software updates include, for example, patches,
-               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-               discovered during security assessments, continuous monitoring, incident response
-               activities, and system error handling. Organizations take advantage of available
-               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-               Exposures (CVE) databases in remediating flaws discovered in organizational
-               information systems. By incorporating flaw remediation into ongoing configuration
-               management processes, required/anticipated remediation actions can be tracked and
-               verified. Flaw remediation actions that can be tracked and verified include, for
-               example, determining whether organizations follow US-CERT guidance and Information
-               Assurance Vulnerability Alerts. Organization-defined time periods for updating
-               security-relevant software and firmware may vary based on a variety of factors
-               including, for example, the security category of the information system or the
-               criticality of the update (i.e., severity of the vulnerability related to the
-               discovered flaw). Some types of flaw remediation may require more testing than other
-               types. Organizations determine the degree and type of testing needed for the specific
-               type of flaw remediation activity under consideration and also the types of changes
-               that are to be configuration-managed. In some situations, organizations may determine
-               that the testing of software and/or firmware updates is not necessary or practical,
-               for example, when implementing simple anti-virus signature updates. Organizations may
-               also consider in testing decisions, whether security-relevant software or firmware
-               updates are obtained from authorized sources with appropriate digital signatures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="si-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-2.a_obj" name="objective">
-               <prop name="label">SI-2(a)</prop>
-               <part id="si-2.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[1]</prop>
-                  <p>identifies information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[2]</prop>
-                  <p>reports information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(a)[3]</prop>
-                  <p>corrects information system flaws;</p>
-               </part>
-            </part>
-            <part id="si-2.b_obj" name="objective">
-               <prop name="label">SI-2(b)</prop>
-               <part id="si-2.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(b)[1]</prop>
-                  <p>tests software updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-               <part id="si-2.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(b)[2]</prop>
-                  <p>tests firmware updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-            </part>
-            <part id="si-2.c_obj" name="objective">
-               <prop name="label">SI-2(c)</prop>
-               <part id="si-2.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-2(c)[1]</prop>
-                  <p>defines the time period within which to install security-relevant software
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-2(c)[2]</prop>
-                  <p>defines the time period within which to install security-relevant firmware
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(c)[3]</prop>
-                  <p>installs software updates within the organization-defined time period of the
-                     release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(c)[4]</prop>
-                  <p>installs firmware updates within the organization-defined time period of the
-                     release of the updates; and</p>
-               </part>
-            </part>
-            <part id="si-2.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-2(d)</prop>
-               <p>incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing flaw remediation</p>
-               <p>procedures addressing configuration management</p>
-               <p>list of flaws and vulnerabilities potentially affecting the information system</p>
-               <p>list of recent security flaw remediation actions performed on the information
-                  system (e.g., list of installed patches, service packs, hot fixes, and other
-                  software updates to correct information system flaws)</p>
-               <p>test results from the installation of software and firmware updates to correct
-                  information system flaws</p>
-               <p>installation/change control records for security-relevant software and firmware
-                  updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for flaw remediation</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for identifying, reporting, and correcting information
-                  system flaws</p>
-               <p>organizational process for installing software and firmware updates</p>
-               <p>automated mechanisms supporting and/or implementing reporting, and correcting
-                  information system flaws</p>
-               <p>automated mechanisms supporting and/or implementing testing software and firmware
-                  updates</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-2.2">
-            <title>Automated Flaw Remediation Status</title>
-            <param id="si-2.2_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>at least monthly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-2(2)</prop>
-            <prop name="sort-id">si-02.02</prop>
-            <part id="si-2.2_smt" name="statement">
-               <p>The organization employs automated mechanisms <insert param-id="si-2.2_prm_1"/> to
-                  determine the state of information system components with regard to flaw
-                  remediation.</p>
-            </part>
-            <part id="si-2.2_gdn" name="guidance">
-               <link rel="related" href="#cm-6">CM-6</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="si-2.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-2.2_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-2(2)[1]</prop>
-                  <p>defines a frequency to employ automated mechanisms to determine the state of
-                     information system components with regard to flaw remediation; and</p>
-               </part>
-               <part id="si-2.2_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(2)[2]</prop>
-                  <p>employs automated mechanisms with the organization-defined frequency to
-                     determine the state of information system components with regard to flaw
-                     remediation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>automated mechanisms supporting centralized management of flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms used to determine the state of information system
-                     components with regard to flaw remediation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.3">
-            <title>Time to Remediate Flaws / Benchmarks for Corrective Actions</title>
-            <param id="si-2.3_prm_1">
-               <label>organization-defined benchmarks</label>
-            </param>
-            <prop name="label">SI-2(3)</prop>
-            <prop name="sort-id">si-02.03</prop>
-            <part id="si-2.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="si-2.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Measures the time between flaw identification and flaw remediation; and</p>
-               </part>
-               <part id="si-2.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Establishes <insert param-id="si-2.3_prm_1"/> for taking corrective
-                     actions.</p>
-               </part>
-            </part>
-            <part id="si-2.3_gdn" name="guidance">
-               <p>This control enhancement requires organizations to determine the current time it
-                  takes on the average to correct information system flaws after such flaws have
-                  been identified, and subsequently establish organizational benchmarks (i.e., time
-                  frames) for taking corrective actions. Benchmarks can be established by type of
-                  flaw and/or severity of the potential vulnerability if the flaw can be
-                  exploited.</p>
-            </part>
-            <part id="si-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-2.3.a_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-2(3)(a)</prop>
-                  <p>measures the time between flaw identification and flaw remediation;</p>
-                  <link rel="corresp" href="#si-2.3_smt.a">SI-2(3)(a)</link>
-               </part>
-               <part id="si-2.3.b_obj" name="objective">
-                  <prop name="label">SI-2(3)(b)</prop>
-                  <part id="si-2.3.b_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-2(3)(b)[1]</prop>
-                     <p>defines benchmarks for taking corrective actions; and</p>
-                  </part>
-                  <part id="si-2.3.b_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-2(3)(b)[2]</prop>
-                     <p>establishes organization-defined benchmarks for taking corrective
-                        actions.</p>
-                  </part>
-                  <link rel="corresp" href="#si-2.3_smt.b">SI-2(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of benchmarks for taking corrective action on flaws identified</p>
-                  <p>records providing time stamps of flaw identification and subsequent flaw
-                     remediation activities</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for identifying, reporting, and correcting information
-                     system flaws</p>
-                  <p>automated mechanisms used to measure the time between flaw identification and
-                     flaw remediation</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-3">
-         <title>Malicious Code Protection</title>
-         <param id="si-3_prm_1">
-            <label>organization-defined frequency</label>
-            <constraint>at least weekly</constraint>
-         </param>
-         <param id="si-3_prm_2">
-            <constraint>to include endpoints</constraint>
-         </param>
-         <param id="si-3_prm_3">
-            <constraint>to include alerting administrator or defined security personnel</constraint>
-         </param>
-         <param id="si-3_prm_4" depends-on="si-3_prm_3">
-            <label>organization-defined action</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-3</prop>
-         <prop name="sort-id">si-03</prop>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <part id="si-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs malicious code protection mechanisms at information system entry and exit
-                  points to detect and eradicate malicious code;</p>
-            </part>
-            <part id="si-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and
-                  procedures;</p>
-            </part>
-            <part id="si-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Configures malicious code protection mechanisms to:</p>
-               <part id="si-3_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Perform periodic scans of the information system <insert param-id="si-3_prm_1"/> and real-time scans of files from external sources at <insert param-id="si-3_prm_2"/> as the files are downloaded, opened, or executed in
-                     accordance with organizational security policy; and</p>
-               </part>
-               <part id="si-3_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>
-                     <insert param-id="si-3_prm_3"/> in response to malicious code detection;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Addresses the receipt of false positives during malicious code detection and
-                  eradication and the resulting potential impact on the availability of the
-                  information system.</p>
-            </part>
-         </part>
-         <part id="si-3_gdn" name="guidance">
-            <p>Information system entry and exit points include, for example, firewalls, electronic
-               mail servers, web servers, proxy servers, remote-access servers, workstations,
-               notebook computers, and mobile devices. Malicious code includes, for example,
-               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-               files, or hidden in files using steganography. Malicious code can be transported by
-               different means including, for example, web accesses, electronic mail, electronic
-               mail attachments, and portable storage devices. Malicious code insertions occur
-               through the exploitation of information system vulnerabilities. Malicious code
-               protection mechanisms include, for example, anti-virus signature definitions and
-               reputation-based technologies. A variety of technologies and methods exist to limit
-               or eliminate the effects of malicious code. Pervasive configuration management and
-               comprehensive software integrity controls may be effective in preventing execution of
-               unauthorized code. In addition to commercial off-the-shelf software, malicious code
-               may also be present in custom-built software. This could include, for example, logic
-               bombs, back doors, and other types of cyber attacks that could affect organizational
-               missions/business functions. Traditional malicious code protection mechanisms cannot
-               always detect such code. In these situations, organizations rely instead on other
-               safeguards including, for example, secure coding practices, configuration management
-               and control, trusted procurement processes, and monitoring practices to help ensure
-               that software does not perform functions other than the functions intended.
-               Organizations may determine that in response to the detection of malicious code,
-               different actions may be warranted. For example, organizations can define actions in
-               response to malicious code detection during periodic scans, actions in response to
-               detection of malicious downloads, and/or actions in response to detection of
-               maliciousness when attempting to open or execute files.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-13">SA-13</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-3.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-3(a)</prop>
-               <p>employs malicious code protection mechanisms to detect and eradicate malicious
-                  code at information system:</p>
-               <part id="si-3.a_obj.1" name="objective">
-                  <prop name="label">SI-3(a)[1]</prop>
-                  <p>entry points;</p>
-               </part>
-               <part id="si-3.a_obj.2" name="objective">
-                  <prop name="label">SI-3(a)[2]</prop>
-                  <p>exit points;</p>
-               </part>
-            </part>
-            <part id="si-3.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-3(b)</prop>
-               <p>updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and procedures
-                  (as identified in CM-1);</p>
-            </part>
-            <part id="si-3.c_obj" name="objective">
-               <prop name="label">SI-3(c)</prop>
-               <part id="si-3.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-3(c)[1]</prop>
-                  <p>defines a frequency for malicious code protection mechanisms to perform
-                     periodic scans of the information system;</p>
-               </part>
-               <part id="si-3.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-3(c)[2]</prop>
-                  <p>defines action to be initiated by malicious protection mechanisms in response
-                     to malicious code detection;</p>
-               </part>
-               <part id="si-3.c_obj.3" name="objective">
-                  <prop name="label">SI-3(c)[3]</prop>
-                  <part id="si-3.c.1_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-3(c)[3](1)</prop>
-                     <p>configures malicious code protection mechanisms to:</p>
-                     <part id="si-3.c.1_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[a]</prop>
-                        <p>perform periodic scans of the information system with the
-                           organization-defined frequency;</p>
-                     </part>
-                     <part id="si-3.c.1_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[b]</prop>
-                        <p>perform real-time scans of files from external sources at endpoint and/or
-                           network entry/exit points as the files are downloaded, opened, or
-                           executed in accordance with organizational security policy;</p>
-                     </part>
-                  </part>
-                  <part id="si-3.c.2_obj.3" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-3(c)[3](2)</prop>
-                     <p>configures malicious code protection mechanisms to do one or more of the
-                        following:</p>
-                     <part id="si-3.c.2_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[a]</prop>
-                        <p>block malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[b]</prop>
-                        <p>quarantine malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.c" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[c]</prop>
-                        <p>send alert to administrator in response to malicious code detection;
-                           and/or</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.d" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[d]</prop>
-                        <p>initiate organization-defined action in response to malicious code
-                           detection;</p>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="si-3.d_obj" name="objective">
-               <prop name="label">SI-3(d)</prop>
-               <part id="si-3.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-3(d)[1]</prop>
-                  <p>addresses the receipt of false positives during malicious code detection and
-                     eradication; and</p>
-               </part>
-               <part id="si-3.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-3(d)[2]</prop>
-                  <p>addresses the resulting potential impact on the availability of the information
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>configuration management policy and procedures</p>
-               <p>procedures addressing malicious code protection</p>
-               <p>malicious code protection mechanisms</p>
-               <p>records of malicious code protection updates</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>scan results from malicious code protection mechanisms</p>
-               <p>record of actions initiated by malicious code protection mechanisms in response to
-                  malicious code detection</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for malicious code protection</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for employing, updating, and configuring malicious code
-                  protection mechanisms</p>
-               <p>organizational process for addressing false positives and resulting potential
-                  impact</p>
-               <p>automated mechanisms supporting and/or implementing employing, updating, and
-                  configuring malicious code protection mechanisms</p>
-               <p>automated mechanisms supporting and/or implementing malicious code scanning and
-                  subsequent actions</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-3.1">
-            <title>Central Management</title>
-            <prop name="label">SI-3(1)</prop>
-            <prop name="sort-id">si-03.01</prop>
-            <part id="si-3.1_smt" name="statement">
-               <p>The organization centrally manages malicious code protection mechanisms.</p>
-            </part>
-            <part id="si-3.1_gdn" name="guidance">
-               <p>Central management is the organization-wide management and implementation of
-                  malicious code protection mechanisms. Central management includes planning,
-                  implementing, assessing, authorizing, and monitoring the organization-defined,
-                  centrally managed flaw malicious code protection security controls.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#si-8">SI-8</link>
-            </part>
-            <part id="si-3.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization centrally manages malicious code protection
-                  mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>automated mechanisms supporting centralized management of malicious code
-                     protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for central management of malicious code protection
-                     mechanisms</p>
-                  <p>automated mechanisms supporting and/or implementing central management of
-                     malicious code protection mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.2">
-            <title>Automatic Updates</title>
-            <prop name="label">SI-3(2)</prop>
-            <prop name="sort-id">si-03.02</prop>
-            <part id="si-3.2_smt" name="statement">
-               <p>The information system automatically updates malicious code protection
-                  mechanisms.</p>
-            </part>
-            <part id="si-3.2_gdn" name="guidance">
-               <p>Malicious code protection mechanisms include, for example, signature definitions.
-                  Due to information system integrity and availability concerns, organizations give
-                  careful consideration to the methodology used to carry out automatic updates.</p>
-               <link rel="related" href="#si-8">SI-8</link>
-            </part>
-            <part id="si-3.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system automatically updates malicious code
-                  protection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>automated mechanisms supporting centralized management of malicious code
-                     protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing automatic updates to
-                     malicious code protection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.7">
-            <title>Nonsignature-based Detection</title>
-            <prop name="label">SI-3(7)</prop>
-            <prop name="sort-id">si-03.07</prop>
-            <part id="si-3.7_smt" name="statement">
-               <p>The information system implements nonsignature-based malicious code detection
-                  mechanisms.</p>
-            </part>
-            <part id="si-3.7_gdn" name="guidance">
-               <p>Nonsignature-based detection mechanisms include, for example, the use of
-                  heuristics to detect, analyze, and describe the characteristics or behavior of
-                  malicious code and to provide safeguards against malicious code for which
-                  signatures do not yet exist or for which existing signatures may not be effective.
-                  This includes polymorphic malicious code (i.e., code that changes signatures when
-                  it replicates). This control enhancement does not preclude the use of
-                  signature-based detection mechanisms.</p>
-            </part>
-            <part id="si-3.7_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system implements non signature-based malicious code
-                  detection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>information system design documentation</p>
-                  <p>malicious code protection mechanisms</p>
-                  <p>records of malicious code protection updates</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing nonsignature-based
-                     malicious code protection capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-4">
-         <title>Information System Monitoring</title>
-         <param id="si-4_prm_1">
-            <label>organization-defined monitoring objectives</label>
-         </param>
-         <param id="si-4_prm_2">
-            <label>organization-defined techniques and methods</label>
-         </param>
-         <param id="si-4_prm_3">
-            <label>organization-defined information system monitoring information</label>
-         </param>
-         <param id="si-4_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-4_prm_5"/>
-         <param id="si-4_prm_6" depends-on="si-4_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-4</prop>
-         <prop name="sort-id">si-04</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="si-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors the information system to detect:</p>
-               <part id="si-4_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Attacks and indicators of potential attacks in accordance with <insert param-id="si-4_prm_1"/>; and</p>
-               </part>
-               <part id="si-4_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Unauthorized local, network, and remote connections;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Identifies unauthorized use of the information system through <insert param-id="si-4_prm_2"/>;</p>
-            </part>
-            <part id="si-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Deploys monitoring devices:</p>
-               <part id="si-4_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Strategically within the information system to collect organization-determined
-                     essential information; and</p>
-               </part>
-               <part id="si-4_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>At ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects information obtained from intrusion-monitoring tools from unauthorized
-                  access, modification, and deletion;</p>
-            </part>
-            <part id="si-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations; and</p>
-            </part>
-            <part id="si-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Provides <insert param-id="si-4_prm_3"/> to <insert param-id="si-4_prm_4"/>
-                  <insert param-id="si-4_prm_5"/>.</p>
-            </part>
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </part>
-         <part id="si-4_gdn" name="guidance">
-            <p>Information system monitoring includes external and internal monitoring. External
-               monitoring includes the observation of events occurring at the information system
-               boundary (i.e., part of perimeter defense and boundary protection). Internal
-               monitoring includes the observation of events occurring within the information
-               system. Organizations can monitor information systems, for example, by observing
-               audit activities in real time or by observing other system aspects such as access
-               patterns, characteristics of access, and other actions. The monitoring objectives may
-               guide determination of the events. Information system monitoring capability is
-               achieved through a variety of tools and techniques (e.g., intrusion detection
-               systems, intrusion prevention systems, malicious code protection software, scanning
-               tools, audit record monitoring software, network monitoring software). Strategic
-               locations for monitoring devices include, for example, selected perimeter locations
-               and near server farms supporting critical applications, with such devices typically
-               being employed at the managed interfaces associated with controls SC-7 and AC-17.
-               Einstein network monitoring devices from the Department of Homeland Security can also
-               be included as monitoring devices. The granularity of monitoring information
-               collected is based on organizational monitoring objectives and the capability of
-               information systems to support such objectives. Specific types of transactions of
-               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-               bypasses HTTP proxies. Information system monitoring is an integral part of
-               organizational continuous monitoring and incident response programs. Output from
-               system monitoring serves as input to continuous monitoring and incident response
-               programs. A network connection is any connection with a device that communicates
-               through a network (e.g., local area network, Internet). A remote connection is any
-               connection with a device communicating through an external network (e.g., the
-               Internet). Local, network, and remote connections can be either wired or
-               wireless.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-35">SC-35</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-4.a_obj" name="objective">
-               <prop name="label">SI-4(a)</prop>
-               <part id="si-4.a.1_obj" name="objective">
-                  <prop name="label">SI-4(a)(1)</prop>
-                  <part id="si-4.a.1_obj.1" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">EXAMINE</prop>
-                     <prop name="label">SI-4(a)(1)[1]</prop>
-                     <p>defines monitoring objectives to detect attacks and indicators of potential
-                        attacks on the information system;</p>
-                  </part>
-                  <part id="si-4.a.1_obj.2" name="objective">
-                     <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                     <prop name="method" class="fedramp">INTERVIEW</prop>
-                     <prop name="method" class="fedramp">TEST</prop>
-                     <prop name="label">SI-4(a)(1)[2]</prop>
-                     <p>monitors the information system to detect, in accordance with
-                        organization-defined monitoring objectives,:</p>
-                     <part id="si-4.a.1_obj.2.a" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][a]</prop>
-                        <p>attacks;</p>
-                     </part>
-                     <part id="si-4.a.1_obj.2.b" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][b]</prop>
-                        <p>indicators of potential attacks;</p>
-                     </part>
-                  </part>
-               </part>
-               <part id="si-4.a.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(a)(2)</prop>
-                  <p>monitors the information system to detect unauthorized:</p>
-                  <part id="si-4.a.2_obj.1" name="objective">
-                     <prop name="label">SI-4(a)(2)[1]</prop>
-                     <p>local connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.2" name="objective">
-                     <prop name="label">SI-4(a)(2)[2]</prop>
-                     <p>network connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.3" name="objective">
-                     <prop name="label">SI-4(a)(2)[3]</prop>
-                     <p>remote connections;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-4.b_obj" name="objective">
-               <prop name="label">SI-4(b)</prop>
-               <part id="si-4.b.1_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(b)(1)</prop>
-                  <p>defines techniques and methods to identify unauthorized use of the information
-                     system;</p>
-               </part>
-               <part id="si-4.b.2_obj" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(b)(2)</prop>
-                  <p>identifies unauthorized use of the information system through
-                     organization-defined techniques and methods;</p>
-               </part>
-            </part>
-            <part id="si-4.c_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(c)</prop>
-               <p>deploys monitoring devices:</p>
-               <part id="si-4.c_obj.1" name="objective">
-                  <prop name="label">SI-4(c)[1]</prop>
-                  <p>strategically within the information system to collect organization-determined
-                     essential information;</p>
-               </part>
-               <part id="si-4.c_obj.2" name="objective">
-                  <prop name="label">SI-4(c)[2]</prop>
-                  <p>at ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(d)</prop>
-               <p>protects information obtained from intrusion-monitoring tools from
-                  unauthorized:</p>
-               <part id="si-4.d_obj.1" name="objective">
-                  <prop name="label">SI-4(d)[1]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="si-4.d_obj.2" name="objective">
-                  <prop name="label">SI-4(d)[2]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="si-4.d_obj.3" name="objective">
-                  <prop name="label">SI-4(d)[3]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="si-4.e_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-4(e)</prop>
-               <p>heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4.f_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="label">SI-4(f)</prop>
-               <p>obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations;</p>
-            </part>
-            <part id="si-4.g_obj" name="objective">
-               <prop name="label">SI-4(g)</prop>
-               <part id="si-4.g_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[1]</prop>
-                  <p>defines personnel or roles to whom information system monitoring information is
-                     to be provided;</p>
-               </part>
-               <part id="si-4.g_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[2]</prop>
-                  <p>defines information system monitoring information to be provided to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(g)[3]</prop>
-                  <p>defines a frequency to provide organization-defined information system
-                     monitoring to organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(g)[4]</prop>
-                  <p>provides organization-defined information system monitoring information to
-                     organization-defined personnel or roles one or more of the following:</p>
-                  <part id="si-4.g_obj.4.a" name="objective">
-                     <prop name="label">SI-4(g)[4][a]</prop>
-                     <p>as needed; and/or</p>
-                  </part>
-                  <part id="si-4.g_obj.4.b" name="objective">
-                     <prop name="label">SI-4(g)[4][b]</prop>
-                     <p>with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Continuous monitoring strategy</p>
-               <p>system and information integrity policy</p>
-               <p>procedures addressing information system monitoring tools and techniques</p>
-               <p>facility diagram/layout</p>
-               <p>information system design documentation</p>
-               <p>information system monitoring tools and techniques documentation</p>
-               <p>locations within information system where monitoring devices are deployed</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility monitoring the information system</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information system monitoring</p>
-               <p>automated mechanisms supporting and/or implementing information system monitoring
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-4.1">
-            <title>System-wide Intrusion Detection System</title>
-            <prop name="label">SI-4(1)</prop>
-            <prop name="sort-id">si-04.01</prop>
-            <part id="si-4.1_smt" name="statement">
-               <p>The organization connects and configures individual intrusion detection tools into
-                  an information system-wide intrusion detection system.</p>
-            </part>
-            <part id="si-4.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(1)[1]</prop>
-                  <p>connects individual intrusion detection tools into an information system-wide
-                     intrusion detection system; and</p>
-               </part>
-               <part id="si-4.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(1)[2]</prop>
-                  <p>configures individual intrusion detection tools into an information system-wide
-                     intrusion detection system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.2">
-            <title>Automated Tools for Real-time Analysis</title>
-            <prop name="label">SI-4(2)</prop>
-            <prop name="sort-id">si-04.02</prop>
-            <part id="si-4.2_smt" name="statement">
-               <p>The organization employs automated tools to support near real-time analysis of
-                  events.</p>
-            </part>
-            <part id="si-4.2_gdn" name="guidance">
-               <p>Automated tools include, for example, host-based, network-based, transport-based,
-                  or storage-based event monitoring tools or Security Information and Event
-                  Management (SIEM) technologies that provide real time analysis of alerts and/or
-                  notifications generated by organizational information systems.</p>
-            </part>
-            <part id="si-4.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization employs automated tools to support near real-time
-                  analysis of events.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for incident
-                     response/management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for near real-time analysis of events</p>
-                  <p>organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     monitoring</p>
-                  <p>automated mechanisms/tools supporting and/or implementing analysis of
-                     events</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.4">
-            <title>Inbound and Outbound Communications Traffic</title>
-            <param id="si-4.4_prm_1">
-               <label>organization-defined frequency</label>
-               <constraint>continuously</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-4(4)</prop>
-            <prop name="sort-id">si-04.04</prop>
-            <part id="si-4.4_smt" name="statement">
-               <p>The information system monitors inbound and outbound communications traffic
-                     <insert param-id="si-4.4_prm_1"/> for unusual or unauthorized activities or
-                  conditions.</p>
-            </part>
-            <part id="si-4.4_gdn" name="guidance">
-               <p>Unusual/unauthorized activities or conditions related to information system
-                  inbound and outbound communications traffic include, for example, internal traffic
-                  that indicates the presence of malicious code within organizational information
-                  systems or propagating among system components, the unauthorized exporting of
-                  information, or signaling to external information systems. Evidence of malicious
-                  code is used to identify potentially compromised information systems or
-                  information system components.</p>
-            </part>
-            <part id="si-4.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.4_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(4)[1]</prop>
-                  <p>defines a frequency to monitor:</p>
-                  <part id="si-4.4_obj.1.a" name="objective">
-                     <prop name="label">SI-4(4)[1][a]</prop>
-                     <p>inbound communications traffic for unusual or unauthorized activities or
-                        conditions;</p>
-                  </part>
-                  <part id="si-4.4_obj.1.b" name="objective">
-                     <prop name="label">SI-4(4)[1][b]</prop>
-                     <p>outbound communications traffic for unusual or unauthorized activities or
-                        conditions;</p>
-                  </part>
-               </part>
-               <part id="si-4.4_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(4)[2]</prop>
-                  <p>monitors, with the organization-defined frequency:</p>
-                  <part id="si-4.4_obj.2.a" name="objective">
-                     <prop name="label">SI-4(4)[2][a]</prop>
-                     <p>inbound communications traffic for unusual or unauthorized activities or
-                        conditions; and</p>
-                  </part>
-                  <part id="si-4.4_obj.2.b" name="objective">
-                     <prop name="label">SI-4(4)[2][b]</prop>
-                     <p>outbound communications traffic for unusual or unauthorized activities or
-                        conditions.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system protocols</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection
-                     capability/information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing monitoring of
-                     inbound/outbound communications traffic</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.5">
-            <title>System-generated Alerts</title>
-            <param id="si-4.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="si-4.5_prm_2">
-               <label>organization-defined compromise indicators</label>
-            </param>
-            <prop name="label">SI-4(5)</prop>
-            <prop name="sort-id">si-04.05</prop>
-            <part id="si-4.5_smt" name="statement">
-               <p>The information system alerts <insert param-id="si-4.5_prm_1"/> when the following
-                  indications of compromise or potential compromise occur: <insert param-id="si-4.5_prm_2"/>.</p>
-               <part id="si-4.5_fr" name="item">
-                  <title>SI-4 (5) Additional FedRAMP Requirements and Guidance</title>
-                  <part id="si-4.5_fr_gdn.1" name="guidance">
-                     <prop name="label">Guidance:</prop>
-                     <p>In accordance with the incident response plan.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-4.5_gdn" name="guidance">
-               <p>Alerts may be generated from a variety of sources, including, for example, audit
-                  records or inputs from malicious code protection mechanisms, intrusion detection
-                  or prevention mechanisms, or boundary protection devices such as firewalls,
-                  gateways, and routers. Alerts can be transmitted, for example, telephonically, by
-                  electronic mail messages, or by text messaging. Organizational personnel on the
-                  notification list can include, for example, system administrators,
-                  mission/business owners, system owners, or information system security
-                  officers.</p>
-               <link rel="related" href="#au-5">AU-5</link>
-               <link rel="related" href="#pe-6">PE-6</link>
-            </part>
-            <part id="si-4.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-4.5_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(5)[1]</prop>
-                  <p>the organization defines compromise indicators for the information system;</p>
-               </part>
-               <part id="si-4.5_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(5)[2]</prop>
-                  <p>the organization defines personnel or roles to be alerted when indications of
-                     compromise or potential compromise occur; and</p>
-               </part>
-               <part id="si-4.5_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(5)[3]</prop>
-                  <p>the information system alerts organization-defined personnel or roles when
-                     organization-defined compromise indicators occur.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>alerts/notifications generated based on compromise indicators</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing alerts for compromise
-                     indicators</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.14">
-            <title>Wireless Intrusion Detection</title>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-4(14)</prop>
-            <prop name="sort-id">si-04.14</prop>
-            <part id="si-4.14_smt" name="statement">
-               <p>The organization employs a wireless intrusion detection system to identify rogue
-                  wireless devices and to detect attack attempts and potential compromises/breaches
-                  to the information system.</p>
-            </part>
-            <part id="si-4.14_gdn" name="guidance">
-               <p>Wireless signals may radiate beyond the confines of organization-controlled
-                  facilities. Organizations proactively search for unauthorized wireless connections
-                  including the conduct of thorough scans for unauthorized wireless access points.
-                  Scans are not limited to those areas within facilities containing information
-                  systems, but also include areas outside of facilities as needed, to verify that
-                  unauthorized wireless access points are not connected to the systems.</p>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ia-3">IA-3</link>
-            </part>
-            <part id="si-4.14_obj" name="objective">
-               <p>Determine if the organization employs a wireless intrusion detection system
-                  to:</p>
-               <part id="si-4.14_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(14)[1]</prop>
-                  <p>identify rogue wireless devices;</p>
-               </part>
-               <part id="si-4.14_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(14)[2]</prop>
-                  <p>detect attack attempts to the information system; and</p>
-               </part>
-               <part id="si-4.14_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(14)[3]</prop>
-                  <p>detect potential compromises/breaches to the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system protocols</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection</p>
-                  <p>automated mechanisms supporting and/or implementing wireless intrusion
-                     detection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.16">
-            <title>Correlate Monitoring Information</title>
-            <prop name="label">SI-4(16)</prop>
-            <prop name="sort-id">si-04.16</prop>
-            <part id="si-4.16_smt" name="statement">
-               <p>The organization correlates information from monitoring tools employed throughout
-                  the information system.</p>
-            </part>
-            <part id="si-4.16_gdn" name="guidance">
-               <p>Correlating information from different monitoring tools can provide a more
-                  comprehensive view of information system activity. The correlation of monitoring
-                  tools that usually work in isolation (e.g., host monitoring, network monitoring,
-                  anti-virus software) can provide an organization-wide view and in so doing, may
-                  reveal otherwise unseen attack patterns. Understanding the
-                  capabilities/limitations of diverse monitoring tools and how to maximize the
-                  utility of information generated by those tools can help organizations to build,
-                  operate, and maintain effective monitoring programs.</p>
-               <link rel="related" href="#au-6">AU-6</link>
-            </part>
-            <part id="si-4.16_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization correlates information from monitoring tools
-                  employed throughout the information system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>event correlation logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing correlation of information
-                     from monitoring tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.23">
-            <title>Host-based Devices</title>
-            <param id="si-4.23_prm_1">
-               <label>organization-defined host-based monitoring mechanisms</label>
-            </param>
-            <param id="si-4.23_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SI-4(23)</prop>
-            <prop name="sort-id">si-04.23</prop>
-            <part id="si-4.23_smt" name="statement">
-               <p>The organization implements <insert param-id="si-4.23_prm_1"/> at <insert param-id="si-4.23_prm_2"/>.</p>
-            </part>
-            <part id="si-4.23_gdn" name="guidance">
-               <p>Information system components where host-based monitoring can be implemented
-                  include, for example, servers, workstations, and mobile devices. Organizations
-                  consider employing host-based monitoring mechanisms from multiple information
-                  technology product developers.</p>
-            </part>
-            <part id="si-4.23_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.23_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(23)[1]</prop>
-                  <p>defines host-based monitoring mechanisms to be implemented;</p>
-               </part>
-               <part id="si-4.23_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-4(23)[2]</prop>
-                  <p>defines information system components where organization-defined host-based
-                     monitoring is to be implemented; and</p>
-               </part>
-               <part id="si-4.23_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-4(23)[3]</prop>
-                  <p>implements organization-defined host-based monitoring mechanisms at
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>host-based monitoring mechanisms</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of information system components requiring host-based monitoring</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring information system
-                     hosts</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing host-based monitoring
-                     capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-5">
-         <title>Security Alerts, Advisories, and Directives</title>
-         <param id="si-5_prm_1">
-            <label>organization-defined external organizations</label>
-            <constraint>to include US-CERT</constraint>
-         </param>
-         <param id="si-5_prm_2">
-            <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-         </param>
-         <param id="si-5_prm_3" depends-on="si-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-5_prm_4" depends-on="si-5_prm_2">
-            <label>organization-defined elements within the organization</label>
-         </param>
-         <param id="si-5_prm_5" depends-on="si-5_prm_2">
-            <label>organization-defined external organizations</label>
-         </param>
-         <prop name="label">SI-5</prop>
-         <prop name="sort-id">si-05</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <part id="si-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receives information system security alerts, advisories, and directives from
-                     <insert param-id="si-5_prm_1"/> on an ongoing basis;</p>
-            </part>
-            <part id="si-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Disseminates security alerts, advisories, and directives to: <insert param-id="si-5_prm_2"/>; and</p>
-            </part>
-            <part id="si-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implements security directives in accordance with established time frames, or
-                  notifies the issuing organization of the degree of noncompliance.</p>
-            </part>
-         </part>
-         <part id="si-5_gdn" name="guidance">
-            <p>The United States Computer Emergency Readiness Team (US-CERT) generates security
-               alerts and advisories to maintain situational awareness across the federal
-               government. Security directives are issued by OMB or other designated organizations
-               with the responsibility and authority to issue such directives. Compliance to
-               security directives is essential due to the critical nature of many of these
-               directives and the potential immediate adverse effects on organizational operations
-               and assets, individuals, other organizations, and the Nation should the directives
-               not be implemented in a timely manner. External organizations include, for example,
-               external mission/business partners, supply chain partners, external service
-               providers, and other peer/supporting organizations.</p>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="si-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-5.a_obj" name="objective">
-               <prop name="label">SI-5(a)</prop>
-               <part id="si-5.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(a)[1]</prop>
-                  <p>defines external organizations from whom information system security alerts,
-                     advisories and directives are to be received;</p>
-               </part>
-               <part id="si-5.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(a)[2]</prop>
-                  <p>receives information system security alerts, advisories, and directives from
-                     organization-defined external organizations on an ongoing basis;</p>
-               </part>
-            </part>
-            <part id="si-5.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-5(b)</prop>
-               <p>generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5.c_obj" name="objective">
-               <prop name="label">SI-5(c)</prop>
-               <part id="si-5.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[1]</prop>
-                  <p>defines personnel or roles to whom security alerts, advisories, and directives
-                     are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[2]</prop>
-                  <p>defines elements within the organization to whom security alerts, advisories,
-                     and directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-5(c)[3]</prop>
-                  <p>defines external organizations to whom security alerts, advisories, and
-                     directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-5(c)[4]</prop>
-                  <p>disseminates security alerts, advisories, and directives to one or more of the
-                     following:</p>
-                  <part id="si-5.c_obj.4.a" name="objective">
-                     <prop name="label">SI-5(c)[4][a]</prop>
-                     <p>organization-defined personnel or roles;</p>
-                  </part>
-                  <part id="si-5.c_obj.4.b" name="objective">
-                     <prop name="label">SI-5(c)[4][b]</prop>
-                     <p>organization-defined elements within the organization; and/or</p>
-                  </part>
-                  <part id="si-5.c_obj.4.c" name="objective">
-                     <prop name="label">SI-5(c)[4][c]</prop>
-                     <p>organization-defined external organizations; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-5.d_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-5(d)</prop>
-               <part id="si-5.d_obj.1" name="objective">
-                  <prop name="label">SI-5(d)[1]</prop>
-                  <p>implements security directives in accordance with established time frames;
-                     or</p>
-               </part>
-               <part id="si-5.d_obj.2" name="objective">
-                  <prop name="label">SI-5(d)[2]</prop>
-                  <p>notifies the issuing organization of the degree of noncompliance.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing security alerts, advisories, and directives</p>
-               <p>records of security alerts and advisories</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security alert and advisory responsibilities</p>
-               <p>organizational personnel implementing, operating, maintaining, and using the
-                  information system</p>
-               <p>organizational personnel, organizational elements, and/or external organizations
-                  to whom alerts, advisories, and directives are to be disseminated</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining, receiving, generating, disseminating, and
-                  complying with security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing definition, receipt,
-                  generation, and dissemination of security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing security directives</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-6">
-         <title>Security Function Verification</title>
-         <param id="si-6_prm_1">
-            <label>organization-defined security functions</label>
-         </param>
-         <param id="si-6_prm_2"/>
-         <param id="si-6_prm_3" depends-on="si-6_prm_2">
-            <label>organization-defined system transitional states</label>
-            <constraint>to include upon system startup and/or restart</constraint>
-         </param>
-         <param id="si-6_prm_4" depends-on="si-6_prm_2">
-            <label>organization-defined frequency</label>
-            <constraint>at least monthly</constraint>
-         </param>
-         <param id="si-6_prm_5">
-            <label>organization-defined personnel or roles</label>
-            <constraint>to include system administrators and security personnel</constraint>
-         </param>
-         <param id="si-6_prm_6"/>
-         <param id="si-6_prm_7" depends-on="si-6_prm_6">
-            <label>organization-defined alternative action(s)</label>
-            <constraint>to include notification of system administrators and security personnel</constraint>
-         </param>
-         <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         <prop name="label">SI-6</prop>
-         <prop name="sort-id">si-06</prop>
-         <part id="si-6_smt" name="statement">
-            <p>The information system:</p>
-            <part id="si-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Verifies the correct operation of <insert param-id="si-6_prm_1"/>;</p>
-            </part>
-            <part id="si-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Performs this verification <insert param-id="si-6_prm_2"/>;</p>
-            </part>
-            <part id="si-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Notifies <insert param-id="si-6_prm_5"/> of failed security verification tests;
-                  and</p>
-            </part>
-            <part id="si-6_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>
-                  <insert param-id="si-6_prm_6"/> when anomalies are discovered.</p>
-            </part>
-         </part>
-         <part id="si-6_gdn" name="guidance">
-            <p>Transitional states for information systems include, for example, system startup,
-               restart, shutdown, and abort. Notifications provided by information systems include,
-               for example, electronic alerts to system administrators, messages to local computer
-               consoles, and/or hardware indications such as lights.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-         </part>
-         <part id="si-6_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-6.a_obj" name="objective">
-               <prop name="label">SI-6(a)</prop>
-               <part id="si-6.a_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(a)[1]</prop>
-                  <p>the organization defines security functions to be verified for correct
-                     operation;</p>
-               </part>
-               <part id="si-6.a_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-6(a)[2]</prop>
-                  <p>the information system verifies the correct operation of organization-defined
-                     security functions;</p>
-               </part>
-            </part>
-            <part id="si-6.b_obj" name="objective">
-               <prop name="label">SI-6(b)</prop>
-               <part id="si-6.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(b)[1]</prop>
-                  <p>the organization defines system transitional states requiring verification of
-                     organization-defined security functions;</p>
-               </part>
-               <part id="si-6.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(b)[2]</prop>
-                  <p>the organization defines a frequency to verify the correct operation of
-                     organization-defined security functions;</p>
-               </part>
-               <part id="si-6.b_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-6(b)[3]</prop>
-                  <p>the information system performs this verification one or more of the
-                     following:</p>
-                  <part id="si-6.b_obj.3.a" name="objective">
-                     <prop name="label">SI-6(b)[3][a]</prop>
-                     <p>at organization-defined system transitional states;</p>
-                  </part>
-                  <part id="si-6.b_obj.3.b" name="objective">
-                     <prop name="label">SI-6(b)[3][b]</prop>
-                     <p>upon command by user with appropriate privilege; and/or</p>
-                  </part>
-                  <part id="si-6.b_obj.3.c" name="objective">
-                     <prop name="label">SI-6(b)[3][c]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-6.c_obj" name="objective">
-               <prop name="label">SI-6(c)</prop>
-               <part id="si-6.c_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(c)[1]</prop>
-                  <p>the organization defines personnel or roles to be notified of failed security
-                     verification tests;</p>
-               </part>
-               <part id="si-6.c_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-6(c)[2]</prop>
-                  <p>the information system notifies organization-defined personnel or roles of
-                     failed security verification tests;</p>
-               </part>
-            </part>
-            <part id="si-6.d_obj" name="objective">
-               <prop name="label">SI-6(d)</prop>
-               <part id="si-6.d_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-6(d)[1]</prop>
-                  <p>the organization defines alternative action(s) to be performed when anomalies
-                     are discovered;</p>
-               </part>
-               <part id="si-6.d_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-6(d)[2]</prop>
-                  <p>the information system performs one or more of the following actions when
-                     anomalies are discovered:</p>
-                  <part id="si-6.d_obj.2.a" name="objective">
-                     <prop name="label">SI-6(d)[2][a]</prop>
-                     <p>shuts the information system down;</p>
-                  </part>
-                  <part id="si-6.d_obj.2.b" name="objective">
-                     <prop name="label">SI-6(d)[2][b]</prop>
-                     <p>restarts the information system; and/or</p>
-                  </part>
-                  <part id="si-6.d_obj.2.c" name="objective">
-                     <prop name="label">SI-6(d)[2][c]</prop>
-                     <p>performs organization-defined alternative action(s).</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing security function verification</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>alerts/notifications of failed security verification tests</p>
-               <p>list of system transition states requiring security functionality verification</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security function verification responsibilities</p>
-               <p>organizational personnel implementing, operating, and maintaining the information
-                  system</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security function verification</p>
-               <p>automated mechanisms supporting and/or implementing security function verification
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-7">
-         <title>Software, Firmware, and Information Integrity</title>
-         <param id="si-7_prm_1">
-            <label>organization-defined software, firmware, and information</label>
-         </param>
-         <prop name="label">SI-7</prop>
-         <prop name="sort-id">si-07</prop>
-         <link href="#6bf8d24a-78dc-4727-a2ac-0e64d71c495c" rel="reference">NIST Special Publication 800-147</link>
-         <link href="#3878cc04-144a-483e-af62-8fe6f4ad6c7a" rel="reference">NIST Special Publication 800-155</link>
-         <part id="si-7_smt" name="statement">
-            <p>The organization employs integrity verification tools to detect unauthorized changes
-               to <insert param-id="si-7_prm_1"/>.</p>
-         </part>
-         <part id="si-7_gdn" name="guidance">
-            <p>Unauthorized changes to software, firmware, and information can occur due to errors
-               or malicious activity (e.g., tampering). Software includes, for example, operating
-               systems (with key internal components such as kernels, drivers), middleware, and
-               applications. Firmware includes, for example, the Basic Input Output System (BIOS).
-               Information includes metadata such as security attributes associated with
-               information. State-of-the-practice integrity-checking mechanisms (e.g., parity
-               checks, cyclical redundancy checks, cryptographic hashes) and associated tools can
-               automatically monitor the integrity of information systems and hosted
-               applications.</p>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="si-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-7_obj.1" name="objective">
-               <prop name="label">SI-7[1]</prop>
-               <part id="si-7_obj.1.a" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7[1][a]</prop>
-                  <p>defines software requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-               <part id="si-7_obj.1.b" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7[1][b]</prop>
-                  <p>defines firmware requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-               <part id="si-7_obj.1.c" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7[1][c]</prop>
-                  <p>defines information requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-            </part>
-            <part id="si-7_obj.2" name="objective">
-               <prop name="label">SI-7[2]</prop>
-               <p>employs integrity verification tools to detect unauthorized changes to
-                  organization-defined:</p>
-               <part id="si-7_obj.2.a" name="objective">
-                  <prop name="label">SI-7[2][a]</prop>
-                  <p>software;</p>
-               </part>
-               <part id="si-7_obj.2.b" name="objective">
-                  <prop name="label">SI-7[2][b]</prop>
-                  <p>firmware; and</p>
-               </part>
-               <part id="si-7_obj.2.c" name="objective">
-                  <prop name="label">SI-7[2][c]</prop>
-                  <p>information.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing software, firmware, and information integrity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>integrity verification tools and associated documentation</p>
-               <p>records generated/triggered from integrity verification tools regarding
-                  unauthorized software, firmware, and information changes</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for software, firmware, and/or
-                  information integrity</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Software, firmware, and information integrity verification tools</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-7.1">
-            <title>Integrity Checks</title>
-            <param id="si-7.1_prm_1">
-               <label>organization-defined software, firmware, and information</label>
-            </param>
-            <param id="si-7.1_prm_2"/>
-            <param id="si-7.1_prm_3" depends-on="si-7.1_prm_2">
-               <label>organization-defined transitional states or security-relevant events</label>
-               <constraint>Selection to include security relevant events</constraint>
-            </param>
-            <param id="si-7.1_prm_4" depends-on="si-7.1_prm_2">
-               <label>organization-defined frequency</label>
-               <constraint>at least monthly</constraint>
-            </param>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-7(1)</prop>
-            <prop name="sort-id">si-07.01</prop>
-            <part id="si-7.1_smt" name="statement">
-               <p>The information system performs an integrity check of <insert param-id="si-7.1_prm_1"/>
-                  <insert param-id="si-7.1_prm_2"/>.</p>
-            </part>
-            <part id="si-7.1_gdn" name="guidance">
-               <p>Security-relevant events include, for example, the identification of a new threat
-                  to which organizational information systems are susceptible, and the installation
-                  of new hardware, software, or firmware. Transitional states include, for example,
-                  system startup, restart, shutdown, and abort.</p>
-            </part>
-            <part id="si-7.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.1_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(1)[1]</prop>
-                  <p>the organization defines:</p>
-                  <part id="si-7.1_obj.1.a" name="objective">
-                     <prop name="label">SI-7(1)[1][a]</prop>
-                     <p>software requiring integrity checks to be performed;</p>
-                  </part>
-                  <part id="si-7.1_obj.1.b" name="objective">
-                     <prop name="label">SI-7(1)[1][b]</prop>
-                     <p>firmware requiring integrity checks to be performed;</p>
-                  </part>
-                  <part id="si-7.1_obj.1.c" name="objective">
-                     <prop name="label">SI-7(1)[1][c]</prop>
-                     <p>information requiring integrity checks to be performed;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(1)[2]</prop>
-                  <p>the organization defines transitional states or security-relevant events
-                     requiring integrity checks of organization-defined:</p>
-                  <part id="si-7.1_obj.2.a" name="objective">
-                     <prop name="label">SI-7(1)[2][a]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="si-7.1_obj.2.b" name="objective">
-                     <prop name="label">SI-7(1)[2][b]</prop>
-                     <p>firmware;</p>
-                  </part>
-                  <part id="si-7.1_obj.2.c" name="objective">
-                     <prop name="label">SI-7(1)[2][c]</prop>
-                     <p>information;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.3" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(1)[3]</prop>
-                  <p>the organization defines a frequency with which to perform an integrity check
-                     of organization-defined:</p>
-                  <part id="si-7.1_obj.3.a" name="objective">
-                     <prop name="label">SI-7(1)[3][a]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="si-7.1_obj.3.b" name="objective">
-                     <prop name="label">SI-7(1)[3][b]</prop>
-                     <p>firmware;</p>
-                  </part>
-                  <part id="si-7.1_obj.3.c" name="objective">
-                     <prop name="label">SI-7(1)[3][c]</prop>
-                     <p>information;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.4" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-7(1)[4]</prop>
-                  <p>the information system performs an integrity check of organization-defined
-                     software, firmware, and information one or more of the following:</p>
-                  <part id="si-7.1_obj.4.a" name="objective">
-                     <prop name="label">SI-7(1)[4][a]</prop>
-                     <p>at startup;</p>
-                  </part>
-                  <part id="si-7.1_obj.4.b" name="objective">
-                     <prop name="label">SI-7(1)[4][b]</prop>
-                     <p>at organization-defined transitional states or security-relevant events;
-                        and/or</p>
-                  </part>
-                  <part id="si-7.1_obj.4.c" name="objective">
-                     <prop name="label">SI-7(1)[4][c]</prop>
-                     <p>with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.7">
-            <title>Integration of Detection and Response</title>
-            <param id="si-7.7_prm_1">
-               <label>organization-defined security-relevant changes to the information
-                  system</label>
-            </param>
-            <prop name="label">SI-7(7)</prop>
-            <prop name="sort-id">si-07.07</prop>
-            <part id="si-7.7_smt" name="statement">
-               <p>The organization incorporates the detection of unauthorized <insert param-id="si-7.7_prm_1"/> into the organizational incident response
-                  capability.</p>
-            </part>
-            <part id="si-7.7_gdn" name="guidance">
-               <p>This control enhancement helps to ensure that detected events are tracked,
-                  monitored, corrected, and available for historical purposes. Maintaining
-                  historical records is important both for being able to identify and discern
-                  adversary actions over an extended period of time and for possible legal actions.
-                  Security-relevant changes include, for example, unauthorized changes to
-                  established configuration settings or unauthorized elevation of information system
-                  privileges.</p>
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#ir-5">IR-5</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="si-7.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.7_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-7(7)[1]</prop>
-                  <p>defines unauthorized security-relevant changes to the information system;
-                     and</p>
-               </part>
-               <part id="si-7.7_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-7(7)[2]</prop>
-                  <p>incorporates the detection of unauthorized organization-defined
-                     security-relevant changes to the information system into the organizational
-                     incident response capability.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>procedures addressing incident response</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response records</p>
-                  <p>information audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incorporating detection of unauthorized
-                     security-relevant changes into the incident response capability</p>
-                  <p>software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing incorporation of detection
-                     of unauthorized security-relevant changes into the incident response
-                     capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-8">
-         <title>Spam Protection</title>
-         <prop name="label">SI-8</prop>
-         <prop name="sort-id">si-08</prop>
-         <link href="#c6e95ca0-5828-420e-b095-00895b72b5e8" rel="reference">NIST Special Publication 800-45</link>
-         <part id="si-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs spam protection mechanisms at information system entry and exit points to
-                  detect and take action on unsolicited messages; and</p>
-            </part>
-            <part id="si-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates spam protection mechanisms when new releases are available in accordance
-                  with organizational configuration management policy and procedures.</p>
-            </part>
-         </part>
-         <part id="si-8_gdn" name="guidance">
-            <p>Information system entry and exit points include, for example, firewalls, electronic
-               mail servers, web servers, proxy servers, remote-access servers, workstations, mobile
-               devices, and notebook/laptop computers. Spam can be transported by different means
-               including, for example, electronic mail, electronic mail attachments, and web
-               accesses. Spam protection mechanisms include, for example, signature definitions.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="si-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-8.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SI-8(a)</prop>
-               <p>employs spam protection mechanisms:</p>
-               <part id="si-8.a_obj.1" name="objective">
-                  <prop name="label">SI-8(a)[1]</prop>
-                  <p>at information system entry points to detect unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.2" name="objective">
-                  <prop name="label">SI-8(a)[2]</prop>
-                  <p>at information system entry points to take action on unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.3" name="objective">
-                  <prop name="label">SI-8(a)[3]</prop>
-                  <p>at information system exit points to detect unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.4" name="objective">
-                  <prop name="label">SI-8(a)[4]</prop>
-                  <p>at information system exit points to take action on unsolicited messages;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-8.b_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-8(b)</prop>
-               <p>updates spam protection mechanisms when new releases are available in accordance
-                  with organizational configuration management policy and procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>configuration management policy and procedures (CM-1)</p>
-               <p>procedures addressing spam protection</p>
-               <p>spam protection mechanisms</p>
-               <p>records of spam protection updates</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for spam protection</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for implementing spam protection</p>
-               <p>automated mechanisms supporting and/or implementing spam protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-8.1">
-            <title>Central Management</title>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-8(1)</prop>
-            <prop name="sort-id">si-08.01</prop>
-            <part id="si-8.1_smt" name="statement">
-               <p>The organization centrally manages spam protection mechanisms.</p>
-            </part>
-            <part id="si-8.1_gdn" name="guidance">
-               <p>Central management is the organization-wide management and implementation of spam
-                  protection mechanisms. Central management includes planning, implementing,
-                  assessing, authorizing, and monitoring the organization-defined, centrally managed
-                  spam protection security controls.</p>
-               <link rel="related" href="#au-3">AU-3</link>
-               <link rel="related" href="#si-2">SI-2</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="si-8.1_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the organization centrally manages spam protection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing spam protection</p>
-                  <p>spam protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for spam protection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for central management of spam protection</p>
-                  <p>automated mechanisms supporting and/or implementing central management of spam
-                     protection</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-8.2">
-            <title>Automatic Updates</title>
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-            <prop name="label">SI-8(2)</prop>
-            <prop name="sort-id">si-08.02</prop>
-            <part id="si-8.2_smt" name="statement">
-               <p>The information system automatically updates spam protection mechanisms.</p>
-            </part>
-            <part id="si-8.2_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <p>Determine if the information system automatically updates spam protection
-                  mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing spam protection</p>
-                  <p>spam protection mechanisms</p>
-                  <p>records of spam protection updates</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for spam protection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for spam protection</p>
-                  <p>automated mechanisms supporting and/or implementing automatic updates to spam
-                     protection mechanisms</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-10">
-         <title>Information Input Validation</title>
-         <param id="si-10_prm_1">
-            <label>organization-defined information inputs</label>
-         </param>
-         <prop name="label">SI-10</prop>
-         <prop name="sort-id">si-10</prop>
-         <part id="si-10_smt" name="statement">
-            <p>The information system checks the validity of <insert param-id="si-10_prm_1"/>.</p>
-         </part>
-         <part id="si-10_gdn" name="guidance">
-            <p>Checking the valid syntax and semantics of information system inputs (e.g., character
-               set, length, numerical range, and acceptable values) verifies that inputs match
-               specified definitions for format and content. Software applications typically follow
-               well-defined protocols that use structured messages (i.e., commands or queries) to
-               communicate between software modules or system components. Structured messages can
-               contain raw or unstructured data interspersed with metadata or control information.
-               If software applications use attacker-supplied inputs to construct structured
-               messages without properly encoding such messages, then the attacker could insert
-               malicious commands or special characters that can cause the data to be interpreted as
-               control information or metadata. Consequently, the module or component that receives
-               the tainted output will perform the wrong operations or otherwise interpret the data
-               incorrectly. Prescreening inputs prior to passing to interpreters prevents the
-               content from being unintentionally interpreted as commands. Input validation helps to
-               ensure accurate and correct inputs and prevent attacks such as cross-site scripting
-               and a variety of injection attacks.</p>
-         </part>
-         <part id="si-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-10_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SI-10[1]</prop>
-               <p>the organization defines information inputs requiring validity checks; and</p>
-            </part>
-            <part id="si-10_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-10[2]</prop>
-               <p>the information system checks the validity of organization-defined information
-                  inputs.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>access control policy and procedures</p>
-               <p>separation of duties policy and procedures</p>
-               <p>procedures addressing information input validation</p>
-               <p>documentation for automated tools and applications to verify validity of
-                  information</p>
-               <p>list of information inputs requiring validity checks</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information input validation</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing validity checks on information
-                  inputs</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-11">
-         <title>Error Handling</title>
-         <param id="si-11_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SI-11</prop>
-         <prop name="sort-id">si-11</prop>
-         <part id="si-11_smt" name="statement">
-            <p>The information system:</p>
-            <part id="si-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Generates error messages that provide information necessary for corrective actions
-                  without revealing information that could be exploited by adversaries; and</p>
-            </part>
-            <part id="si-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reveals error messages only to <insert param-id="si-11_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="si-11_gdn" name="guidance">
-            <p>Organizations carefully consider the structure/content of error messages. The extent
-               to which information systems are able to identify and handle error conditions is
-               guided by organizational policy and operational requirements. Information that could
-               be exploited by adversaries includes, for example, erroneous logon attempts with
-               passwords entered by mistake as the username, mission/business information that can
-               be derived from (if not stated explicitly by) information recorded, and personal
-               information such as account numbers, social security numbers, and credit card
-               numbers. In addition, error messages may provide a covert channel for transmitting
-               information.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#sc-31">SC-31</link>
-         </part>
-         <part id="si-11_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-11.a_obj" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-11(a)</prop>
-               <p>the information system generates error messages that provide information necessary
-                  for corrective actions without revealing information that could be exploited by
-                  adversaries;</p>
-            </part>
-            <part id="si-11.b_obj" name="objective">
-               <prop name="label">SI-11(b)</prop>
-               <part id="si-11.b_obj.1" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">EXAMINE</prop>
-                  <prop name="label">SI-11(b)[1]</prop>
-                  <p>the organization defines personnel or roles to whom error messages are to be
-                     revealed; and</p>
-               </part>
-               <part id="si-11.b_obj.2" name="objective">
-                  <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-                  <prop name="method" class="fedramp">INTERVIEW</prop>
-                  <prop name="method" class="fedramp">TEST</prop>
-                  <prop name="label">SI-11(b)[2]</prop>
-                  <p>the information system reveals error messages only to organization-defined
-                     personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing information system error handling</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>documentation providing structure/content of error messages</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information input validation</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for error handling</p>
-               <p>automated mechanisms supporting and/or implementing error handling</p>
-               <p>automated mechanisms supporting and/or implementing management of error
-                  messages</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-12">
-         <title>Information Handling and Retention</title>
-         <prop name="label">SI-12</prop>
-         <prop name="sort-id">si-12</prop>
-         <part id="si-12_smt" name="statement">
-            <p>The organization handles and retains information within the information system and
-               information output from the system in accordance with applicable federal laws,
-               Executive Orders, directives, policies, regulations, standards, and operational
-               requirements.</p>
-         </part>
-         <part id="si-12_gdn" name="guidance">
-            <p>Information handling and retention requirements cover the full life cycle of
-               information, in some cases extending beyond the disposal of information systems. The
-               National Archives and Records Administration provides guidance on records
-               retention.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-         </part>
-         <part id="si-12_obj" name="objective">
-            <p>Determine if the organization, in accordance with applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and operational
-               requirements:</p>
-            <part id="si-12_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-12[1]</prop>
-               <p>handles information within the information system;</p>
-            </part>
-            <part id="si-12_obj.2" name="objective">
-               <prop name="label">SI-12[2]</prop>
-               <p>handles output from the information system;</p>
-            </part>
-            <part id="si-12_obj.3" name="objective">
-               <prop name="label">SI-12[3]</prop>
-               <p>retains information within the information system; and</p>
-            </part>
-            <part id="si-12_obj.4" name="objective">
-               <prop name="label">SI-12[4]</prop>
-               <p>retains output from the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  operational requirements applicable to information handling and retention</p>
-               <p>media protection policy and procedures</p>
-               <p>procedures addressing information system output handling and retention</p>
-               <p>information retention records, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information handling and
-                  retention</p>
-               <p>organizational personnel with information security responsibilities/network
-                  administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information handling and retention</p>
-               <p>automated mechanisms supporting and/or implementing information handling and
-                  retention</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-16">
-         <title>Memory Protection</title>
-         <param id="si-16_prm_1">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SI-16</prop>
-         <prop name="sort-id">si-16</prop>
-         <part id="si-16_smt" name="statement">
-            <p>The information system implements <insert param-id="si-16_prm_1"/> to protect its
-               memory from unauthorized code execution.</p>
-         </part>
-         <part id="si-16_gdn" name="guidance">
-            <p>Some adversaries launch attacks with the intent of executing code in non-executable
-               regions of memory or in memory locations that are prohibited. Security safeguards
-               employed to protect memory include, for example, data execution prevention and
-               address space layout randomization. Data execution prevention safeguards can either
-               be hardware-enforced or software-enforced with hardware providing the greater
-               strength of mechanism.</p>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="si-16_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-16_obj.1" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">EXAMINE</prop>
-               <prop name="label">SI-16[1]</prop>
-               <p>the organization defines security safeguards to be implemented to protect
-                  information system memory from unauthorized code execution; and</p>
-            </part>
-            <part id="si-16_obj.2" name="objective">
-               <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-               <prop name="method" class="fedramp">INTERVIEW</prop>
-               <prop name="method" class="fedramp">TEST</prop>
-               <prop name="label">SI-16[2]</prop>
-               <p>the information system implements organization-defined security safeguards to
-                  protect its memory from unauthorized code execution.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing memory protection for the information system</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of security safeguards protecting information system memory from unauthorized
-                  code execution</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for memory protection</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing safeguards to protect
-                  information system memory from unauthorized code execution</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <back-matter>
-      <resource uuid="0c97e60b-325a-4efa-ba2b-90f20ccd5abc">
-         <title>5 C.F.R. 731.106</title>
-         <citation>
-            <text>Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-               731.106).</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"/>
-      </resource>
-      <resource uuid="bb61234b-46c3-4211-8c2b-9869222a720d">
-         <title>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</title>
-         <citation>
-            <text>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"/>
-      </resource>
-      <resource uuid="a4aa9645-9a8a-4b51-90a9-e223250f9a75">
-         <title>CNSS Policy 15</title>
-         <citation>
-            <text>CNSS Policy 15</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/policies.html"/>
-      </resource>
-      <resource uuid="2d8b14e9-c8b5-4d3d-8bdc-155078f3281b">
-         <title>DoD Information Assurance Vulnerability Alerts</title>
-         <citation>
-            <text>DoD Information Assurance Vulnerability Alerts</text>
-         </citation>
-      </resource>
-      <resource uuid="61081e7f-041d-4033-96a7-44a439071683">
-         <title>DoD Instruction 5200.39</title>
-         <citation>
-            <text>DoD Instruction 5200.39</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="e42b2099-3e1c-415b-952c-61c96533c12e">
-         <title>DoD Instruction 8551.01</title>
-         <citation>
-            <text>DoD Instruction 8551.01</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="e6522953-6714-435d-a0d3-140df554c186">
-         <title>DoD Instruction 8552.01</title>
-         <citation>
-            <text>DoD Instruction 8552.01</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="c5034e0c-eba6-4ecd-a541-79f0678f4ba4">
-         <title>Executive Order 13587</title>
-         <citation>
-            <text>Executive Order 13587</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"/>
-      </resource>
-      <resource uuid="56d671da-6b7b-4abf-8296-84b61980390a">
-         <title>Federal Acquisition Regulation</title>
-         <citation>
-            <text>Federal Acquisition Regulation</text>
-         </citation>
-         <rlink href="https://acquisition.gov/far"/>
-      </resource>
-      <resource uuid="023104bc-6f75-4cd5-b7d0-fc92326f8007">
-         <title>Federal Continuity Directive 1</title>
-         <citation>
-            <text>Federal Continuity Directive 1</text>
-         </citation>
-         <rlink href="http://www.fema.gov/pdf/about/offices/fcd1.pdf"/>
-      </resource>
-      <resource uuid="ba557c91-ba3e-4792-adc6-a4ae479b39ff">
-         <title>FICAM Roadmap and Implementation Guidance</title>
-         <citation>
-            <text>FICAM Roadmap and Implementation Guidance</text>
-         </citation>
-         <rlink href="http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"/>
-      </resource>
-      <resource uuid="39f9087d-7687-46d2-8eda-b6f4b7a4d8a9">
-         <title>FIPS Publication 140</title>
-         <citation>
-            <text>FIPS Publication 140</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html"/>
-      </resource>
-      <resource uuid="d715b234-9b5b-4e07-b1ed-99836727664d">
-         <title>FIPS Publication 140-2</title>
-         <citation>
-            <text>FIPS Publication 140-2</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#140-2"/>
-      </resource>
-      <resource uuid="f2dbd4ec-c413-4714-b85b-6b7184d1c195">
-         <title>FIPS Publication 197</title>
-         <citation>
-            <text>FIPS Publication 197</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#197"/>
-      </resource>
-      <resource uuid="e85cdb3f-7f0a-4083-8639-f13f70d3760b">
-         <title>FIPS Publication 199</title>
-         <citation>
-            <text>FIPS Publication 199</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#199"/>
-      </resource>
-      <resource uuid="c80c10b3-1294-4984-a4cc-d1733ca432b9">
-         <title>FIPS Publication 201</title>
-         <citation>
-            <text>FIPS Publication 201</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#201"/>
-      </resource>
-      <resource uuid="ad733a42-a7ed-4774-b988-4930c28852f3">
-         <title>HSPD-12</title>
-         <citation>
-            <text>HSPD-12</text>
-         </citation>
-         <rlink href="http://www.dhs.gov/homeland-security-presidential-directive-12"/>
-      </resource>
-      <resource uuid="4ef539ba-b767-4666-b0d3-168c53005fa3">
-         <title>http://capec.mitre.org</title>
-         <citation>
-            <text>http://capec.mitre.org</text>
-         </citation>
-         <rlink href="http://capec.mitre.org"/>
-      </resource>
-      <resource uuid="e95dd121-2733-413e-bf1e-f1eb49f20a98">
-         <title>http://checklists.nist.gov</title>
-         <citation>
-            <text>http://checklists.nist.gov</text>
-         </citation>
-         <rlink href="http://checklists.nist.gov"/>
-      </resource>
-      <resource uuid="6a1041fc-054e-4230-946b-2e6f4f3731bb">
-         <title>http://csrc.nist.gov/cryptval</title>
-         <citation>
-            <text>http://csrc.nist.gov/cryptval</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/cryptval"/>
-      </resource>
-      <resource uuid="b09d1a31-d3c9-4138-a4f4-4c63816afd7d">
-         <title>http://csrc.nist.gov/groups/STM/cmvp/index.html</title>
-         <citation>
-            <text>http://csrc.nist.gov/groups/STM/cmvp/index.html</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/groups/STM/cmvp/index.html"/>
-      </resource>
-      <resource uuid="0931209f-00ae-4132-b92c-bc645847e8f9">
-         <title>http://cve.mitre.org</title>
-         <citation>
-            <text>http://cve.mitre.org</text>
-         </citation>
-         <rlink href="http://cve.mitre.org"/>
-      </resource>
-      <resource uuid="15522e92-9192-463d-9646-6a01982db8ca">
-         <title>http://cwe.mitre.org</title>
-         <citation>
-            <text>http://cwe.mitre.org</text>
-         </citation>
-         <rlink href="http://cwe.mitre.org"/>
-      </resource>
-      <resource uuid="5ed1f4d5-1494-421b-97ed-39d3c88ab51f">
-         <title>http://fips201ep.cio.gov</title>
-         <citation>
-            <text>http://fips201ep.cio.gov</text>
-         </citation>
-         <rlink href="http://fips201ep.cio.gov"/>
-      </resource>
-      <resource uuid="85280698-0417-489d-b214-12bb935fb939">
-         <title>http://idmanagement.gov</title>
-         <citation>
-            <text>http://idmanagement.gov</text>
-         </citation>
-         <rlink href="http://idmanagement.gov"/>
-      </resource>
-      <resource uuid="275cc052-0f7f-423c-bdb6-ed503dc36228">
-         <title>http://nvd.nist.gov</title>
-         <citation>
-            <text>http://nvd.nist.gov</text>
-         </citation>
-         <rlink href="http://nvd.nist.gov"/>
-      </resource>
-      <resource uuid="bbd50dd1-54ce-4432-959d-63ea564b1bb4">
-         <title>http://www.acquisition.gov/far</title>
-         <citation>
-            <text>http://www.acquisition.gov/far</text>
-         </citation>
-         <rlink href="http://www.acquisition.gov/far"/>
-      </resource>
-      <resource uuid="9b97ed27-3dd6-4f9a-ade5-1b43e9669794">
-         <title>http://www.cnss.gov</title>
-         <citation>
-            <text>http://www.cnss.gov</text>
-         </citation>
-         <rlink href="http://www.cnss.gov"/>
-      </resource>
-      <resource uuid="3ac12e79-f54f-4a63-9f4b-ee4bcd4df604">
-         <title>http://www.dhs.gov/telecommunications-service-priority-tsp</title>
-         <citation>
-            <text>http://www.dhs.gov/telecommunications-service-priority-tsp</text>
-         </citation>
-         <rlink href="http://www.dhs.gov/telecommunications-service-priority-tsp"/>
-      </resource>
-      <resource uuid="c95a9986-3cd6-4a98-931b-ccfc56cb11e5">
-         <title>http://www.niap-ccevs.org</title>
-         <citation>
-            <text>http://www.niap-ccevs.org</text>
-         </citation>
-         <rlink href="http://www.niap-ccevs.org"/>
-      </resource>
-      <resource uuid="647b6de3-81d0-4d22-bec1-5f1333e34380">
-         <title>http://www.nsa.gov</title>
-         <citation>
-            <text>http://www.nsa.gov</text>
-         </citation>
-         <rlink href="http://www.nsa.gov"/>
-      </resource>
-      <resource uuid="a47466c4-c837-4f06-a39f-e68412a5f73d">
-         <title>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</title>
-         <citation>
-            <text>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</text>
-         </citation>
-         <rlink href="http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"/>
-      </resource>
-      <resource uuid="02631467-668b-4233-989b-3dfded2fd184">
-         <title>http://www.us-cert.gov</title>
-         <citation>
-            <text>http://www.us-cert.gov</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov"/>
-      </resource>
-      <resource uuid="6caa237b-531b-43ac-9711-d8f6b97b0377">
-         <title>ICD 704</title>
-         <citation>
-            <text>ICD 704</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="398e33fd-f404-4e5c-b90e-2d50d3181244">
-         <title>ICD 705</title>
-         <citation>
-            <text>ICD 705</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="1737a687-52fb-4008-b900-cbfa836f7b65">
-         <title>ISO/IEC 15408</title>
-         <citation>
-            <text>ISO/IEC 15408</text>
-         </citation>
-         <rlink href="http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"/>
-      </resource>
-      <resource uuid="fb5844de-ff96-47c0-b258-4f52bcc2f30d">
-         <title>National Communications Systems Directive 3-10</title>
-         <citation>
-            <text>National Communications Systems Directive 3-10</text>
-         </citation>
-      </resource>
-      <resource uuid="654f21e2-f3bc-43b2-abdc-60ab8d09744b">
-         <title>National Strategy for Trusted Identities in Cyberspace</title>
-         <citation>
-            <text>National Strategy for Trusted Identities in Cyberspace</text>
-         </citation>
-         <rlink href="http://www.nist.gov/nstic"/>
-      </resource>
-      <resource uuid="9cb3d8fe-2127-48ba-821e-cdd2d7aee921">
-         <title>NIST Special Publication 800-100</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-100</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-100</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-100"/>
-      </resource>
-      <resource uuid="3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e">
-         <title>NIST Special Publication 800-111</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-111</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-111</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-111"/>
-      </resource>
-      <resource uuid="349fe082-502d-464a-aa0c-1443c6a5cf40">
-         <title>NIST Special Publication 800-113</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-113</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-113</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-113"/>
-      </resource>
-      <resource uuid="1201fcf3-afb1-4675-915a-fb4ae0435717">
-         <title>NIST Special Publication 800-114 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-114r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-114 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-114r1"/>
-      </resource>
-      <resource uuid="c4691b88-57d1-463b-9053-2d0087913f31">
-         <title>NIST Special Publication 800-115</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-115</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-115</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-115"/>
-      </resource>
-      <resource uuid="2157bb7e-192c-4eaa-877f-93ef6b0a3292">
-         <title>NIST Special Publication 800-116 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-116r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-116 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-116r1"/>
-      </resource>
-      <resource uuid="5c201b63-0768-417b-ac22-3f014e3941b2">
-         <title>NIST Special Publication 800-12 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-12r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-12 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-12r1"/>
-      </resource>
-      <resource uuid="d1a4e2a9-e512-4132-8795-5357aba29254">
-         <title>NIST Special Publication 800-121</title>
-         <citation>
-            <text>NIST Special Publication 800-121</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-121"/>
-      </resource>
-      <resource uuid="0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589">
-         <title>NIST Special Publication 800-124</title>
-         <citation>
-            <text>NIST Special Publication 800-124</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-124"/>
-      </resource>
-      <resource uuid="080f8068-5e3e-435e-9790-d22ba4722693">
-         <title>NIST Special Publication 800-128</title>
-         <citation>
-            <text>NIST Special Publication 800-128</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-128"/>
-      </resource>
-      <resource uuid="cee2c6ca-0261-4a6f-b630-e41d8ffdd82b">
-         <title>NIST Special Publication 800-137</title>
-         <citation>
-            <text>NIST Special Publication 800-137</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-137"/>
-      </resource>
-      <resource uuid="6bf8d24a-78dc-4727-a2ac-0e64d71c495c">
-         <title>NIST Special Publication 800-147</title>
-         <citation>
-            <text>NIST Special Publication 800-147</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-147"/>
-      </resource>
-      <resource uuid="3878cc04-144a-483e-af62-8fe6f4ad6c7a">
-         <title>NIST Special Publication 800-155</title>
-         <citation>
-            <text>NIST Special Publication 800-155</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-155"/>
-      </resource>
-      <resource uuid="825438c3-248d-4e30-a51e-246473ce6ada">
-         <title>NIST Special Publication 800-16</title>
-         <citation>
-            <text>NIST Special Publication 800-16</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-16"/>
-      </resource>
-      <resource uuid="6513e480-fada-4876-abba-1397084dfb26">
-         <title>NIST Special Publication 800-164</title>
-         <citation>
-            <text>NIST Special Publication 800-164</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-164"/>
-      </resource>
-      <resource uuid="9c5c9e8c-dc81-4f55-a11c-d71d7487790f">
-         <title>NIST Special Publication 800-18</title>
-         <citation>
-            <text>NIST Special Publication 800-18</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-18"/>
-      </resource>
-      <resource uuid="0a5db899-f033-467f-8631-f5a8ba971475">
-         <title>NIST Special Publication 800-23</title>
-         <citation>
-            <text>NIST Special Publication 800-23</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-23"/>
-      </resource>
-      <resource uuid="21b1ed35-56d2-40a8-bdfe-b461fffe322f">
-         <title>NIST Special Publication 800-27</title>
-         <citation>
-            <text>NIST Special Publication 800-27</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-27"/>
-      </resource>
-      <resource uuid="e716cd51-d1d5-4c6a-967a-22e9fbbc42f1">
-         <title>NIST Special Publication 800-28</title>
-         <citation>
-            <text>NIST Special Publication 800-28</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-28"/>
-      </resource>
-      <resource uuid="a466121b-f0e2-41f0-a5f9-deb0b5fe6b15">
-         <title>NIST Special Publication 800-30</title>
-         <citation>
-            <text>NIST Special Publication 800-30</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-30"/>
-      </resource>
-      <resource uuid="8f174e91-844e-4cf1-a72a-45c119a3a8dd">
-         <title>NIST Special Publication 800-32</title>
-         <citation>
-            <text>NIST Special Publication 800-32</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-32"/>
-      </resource>
-      <resource uuid="748a81b9-9cad-463f-abde-8b368167e70d">
-         <title>NIST Special Publication 800-34</title>
-         <citation>
-            <text>NIST Special Publication 800-34</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-34"/>
-      </resource>
-      <resource uuid="0c775bc3-bfc3-42c7-a382-88949f503171">
-         <title>NIST Special Publication 800-35</title>
-         <citation>
-            <text>NIST Special Publication 800-35</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-35"/>
-      </resource>
-      <resource uuid="d818efd3-db31-4953-8afa-9e76afe83ce2">
-         <title>NIST Special Publication 800-36</title>
-         <citation>
-            <text>NIST Special Publication 800-36</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-36"/>
-      </resource>
-      <resource uuid="0a0c26b6-fd44-4274-8b36-93442d49d998">
-         <title>NIST Special Publication 800-37</title>
-         <citation>
-            <text>NIST Special Publication 800-37</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-37"/>
-      </resource>
-      <resource uuid="d480aa6a-7a88-424e-a10c-ad1c7870354b">
-         <title>NIST Special Publication 800-39</title>
-         <citation>
-            <text>NIST Special Publication 800-39</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-39"/>
-      </resource>
-      <resource uuid="bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d">
-         <title>NIST Special Publication 800-40</title>
-         <citation>
-            <text>NIST Special Publication 800-40</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-40"/>
-      </resource>
-      <resource uuid="756a8e86-57d5-4701-8382-f7a40439665a">
-         <title>NIST Special Publication 800-41</title>
-         <citation>
-            <text>NIST Special Publication 800-41</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-41"/>
-      </resource>
-      <resource uuid="c6e95ca0-5828-420e-b095-00895b72b5e8">
-         <title>NIST Special Publication 800-45</title>
-         <citation>
-            <text>NIST Special Publication 800-45</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-45"/>
-      </resource>
-      <resource uuid="5309d4d0-46f8-4213-a749-e7584164e5e8">
-         <title>NIST Special Publication 800-46</title>
-         <citation>
-            <text>NIST Special Publication 800-46</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-46"/>
-      </resource>
-      <resource uuid="2711f068-734e-4afd-94ba-0b22247fbc88">
-         <title>NIST Special Publication 800-47</title>
-         <citation>
-            <text>NIST Special Publication 800-47</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-47"/>
-      </resource>
-      <resource uuid="238ed479-eccb-49f6-82ec-ab74a7a428cf">
-         <title>NIST Special Publication 800-48</title>
-         <citation>
-            <text>NIST Special Publication 800-48</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-48"/>
-      </resource>
-      <resource uuid="e12b5738-de74-4fb3-8317-a3995a8a1898">
-         <title>NIST Special Publication 800-50</title>
-         <citation>
-            <text>NIST Special Publication 800-50</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-50"/>
-      </resource>
-      <resource uuid="90c5bc98-f9c4-44c9-98b7-787422f0999c">
-         <title>NIST Special Publication 800-52</title>
-         <citation>
-            <text>NIST Special Publication 800-52</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-52"/>
-      </resource>
-      <resource uuid="cd4cf751-3312-4a55-b1a9-fad2f1db9119">
-         <title>NIST Special Publication 800-53A</title>
-         <citation>
-            <text>NIST Special Publication 800-53A</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-53A"/>
-      </resource>
-      <resource uuid="81f09e01-d0b0-4ae2-aa6a-064ed9950070">
-         <title>NIST Special Publication 800-56</title>
-         <citation>
-            <text>NIST Special Publication 800-56</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-56"/>
-      </resource>
-      <resource uuid="a6c774c0-bf50-4590-9841-2a5c1c91ac6f">
-         <title>NIST Special Publication 800-57</title>
-         <citation>
-            <text>NIST Special Publication 800-57</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-57"/>
-      </resource>
-      <resource uuid="7783f3e7-09b3-478b-9aa2-4a76dfd0ea90">
-         <title>NIST Special Publication 800-58</title>
-         <citation>
-            <text>NIST Special Publication 800-58</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-58"/>
-      </resource>
-      <resource uuid="f152844f-b1ef-4836-8729-6277078ebee1">
-         <title>NIST Special Publication 800-60</title>
-         <citation>
-            <text>NIST Special Publication 800-60</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-60"/>
-      </resource>
-      <resource uuid="be95fb85-a53f-4624-bdbb-140075500aa3">
-         <title>NIST Special Publication 800-61</title>
-         <citation>
-            <text>NIST Special Publication 800-61</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-61"/>
-      </resource>
-      <resource uuid="644f44a9-a2de-4494-9c04-cd37fba45471">
-         <title>NIST Special Publication 800-63</title>
-         <citation>
-            <text>NIST Special Publication 800-63</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-63"/>
-      </resource>
-      <resource uuid="abd950ae-092f-4b7a-b374-1c7c67fe9350">
-         <title>NIST Special Publication 800-64</title>
-         <citation>
-            <text>NIST Special Publication 800-64</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-64"/>
-      </resource>
-      <resource uuid="29fcfe59-33cd-494a-8756-5907ae3a8f92">
-         <title>NIST Special Publication 800-65</title>
-         <citation>
-            <text>NIST Special Publication 800-65</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-65"/>
-      </resource>
-      <resource uuid="84a37532-6db6-477b-9ea8-f9085ebca0fc">
-         <title>NIST Special Publication 800-70</title>
-         <citation>
-            <text>NIST Special Publication 800-70</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-70"/>
-      </resource>
-      <resource uuid="ead74ea9-4c9c-446d-9b92-bcbf0ad4b655">
-         <title>NIST Special Publication 800-73</title>
-         <citation>
-            <text>NIST Special Publication 800-73</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-73"/>
-      </resource>
-      <resource uuid="2a71298a-ee90-490e-80ff-48c967173a47">
-         <title>NIST Special Publication 800-76</title>
-         <citation>
-            <text>NIST Special Publication 800-76</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-76"/>
-      </resource>
-      <resource uuid="99f331f2-a9f0-46c2-9856-a3cbb9b89442">
-         <title>NIST Special Publication 800-77</title>
-         <citation>
-            <text>NIST Special Publication 800-77</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-77"/>
-      </resource>
-      <resource uuid="2042d97b-f7f6-4c74-84f8-981867684659">
-         <title>NIST Special Publication 800-78</title>
-         <citation>
-            <text>NIST Special Publication 800-78</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-78"/>
-      </resource>
-      <resource uuid="6af1e841-672c-46c4-b121-96f603d04be3">
-         <title>NIST Special Publication 800-81</title>
-         <citation>
-            <text>NIST Special Publication 800-81</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-81"/>
-      </resource>
-      <resource uuid="6d431fee-658f-4a0e-9f2e-a38b5d398fab">
-         <title>NIST Special Publication 800-83</title>
-         <citation>
-            <text>NIST Special Publication 800-83</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-83"/>
-      </resource>
-      <resource uuid="0243a05a-e8a3-4d51-9364-4a9d20b0dcdf">
-         <title>NIST Special Publication 800-84</title>
-         <citation>
-            <text>NIST Special Publication 800-84</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-84"/>
-      </resource>
-      <resource uuid="263823e0-a971-4b00-959d-315b26278b22">
-         <title>NIST Special Publication 800-88</title>
-         <citation>
-            <text>NIST Special Publication 800-88</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-88"/>
-      </resource>
-      <resource uuid="672fd561-b92b-4713-b9cf-6c9d9456728b">
-         <title>NIST Special Publication 800-92</title>
-         <citation>
-            <text>NIST Special Publication 800-92</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-92"/>
-      </resource>
-      <resource uuid="d1b1d689-0f66-4474-9924-c81119758dc1">
-         <title>NIST Special Publication 800-94</title>
-         <citation>
-            <text>NIST Special Publication 800-94</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-94"/>
-      </resource>
-      <resource uuid="1ebdf782-d95d-4a7b-8ec7-ee860951eced">
-         <title>NIST Special Publication 800-95</title>
-         <citation>
-            <text>NIST Special Publication 800-95</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-95"/>
-      </resource>
-      <resource uuid="6f336ecd-f2a0-4c84-9699-0491d81b6e0d">
-         <title>NIST Special Publication 800-97</title>
-         <citation>
-            <text>NIST Special Publication 800-97</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-97"/>
-      </resource>
-      <resource uuid="06dff0ea-3848-4945-8d91-e955ee69f05d">
-         <title>NSTISSI No. 7003</title>
-         <citation>
-            <text>NSTISSI No. 7003</text>
-         </citation>
-         <rlink href="http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf"/>
-      </resource>
-      <resource uuid="9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab">
-         <title>OMB Circular A-130</title>
-         <citation>
-            <text>OMB Circular A-130</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/circulars_a130_a130trans4"/>
-      </resource>
-      <resource uuid="2c5884cd-7b96-425c-862a-99877e1cf909">
-         <title>OMB Memorandum 02-01</title>
-         <citation>
-            <text>OMB Memorandum 02-01</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/memoranda_m02-01"/>
-      </resource>
-      <resource uuid="ff3bfb02-79b2-411f-8735-98dfe5af2ab0">
-         <title>OMB Memorandum 04-04</title>
-         <citation>
-            <text>OMB Memorandum 04-04</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"/>
-      </resource>
-      <resource uuid="58ad6f27-af99-429f-86a8-8bb767b014b9">
-         <title>OMB Memorandum 05-24</title>
-         <citation>
-            <text>OMB Memorandum 05-24</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf"/>
-      </resource>
-      <resource uuid="4da24a96-6cf8-435d-9d1f-c73247cad109">
-         <title>OMB Memorandum 06-16</title>
-         <citation>
-            <text>OMB Memorandum 06-16</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"/>
-      </resource>
-      <resource uuid="990268bf-f4a9-4c81-91ae-dc7d3115f4b1">
-         <title>OMB Memorandum 07-11</title>
-         <citation>
-            <text>OMB Memorandum 07-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"/>
-      </resource>
-      <resource uuid="0b3d8ba9-051f-498d-81ea-97f0f018c612">
-         <title>OMB Memorandum 07-18</title>
-         <citation>
-            <text>OMB Memorandum 07-18</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"/>
-      </resource>
-      <resource uuid="0916ef02-3618-411b-a525-565c088849a6">
-         <title>OMB Memorandum 08-22</title>
-         <citation>
-            <text>OMB Memorandum 08-22</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"/>
-      </resource>
-      <resource uuid="28115a56-da6b-4d44-b1df-51dd7f048a3e">
-         <title>OMB Memorandum 08-23</title>
-         <citation>
-            <text>OMB Memorandum 08-23</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"/>
-      </resource>
-      <resource uuid="599fe9ba-4750-4450-9eeb-b95bd19a5e8f">
-         <title>OMB Memorandum 10-06-2011</title>
-         <citation>
-            <text>OMB Memorandum 10-06-2011</text>
-         </citation>
-      </resource>
-      <resource uuid="74e740a4-c45d-49f3-a86e-eb747c549e01">
-         <title>OMB Memorandum 11-11</title>
-         <citation>
-            <text>OMB Memorandum 11-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"/>
-      </resource>
-      <resource uuid="bedb15b7-ec5c-4a68-807f-385125751fcd">
-         <title>OMB Memorandum 11-33</title>
-         <citation>
-            <text>OMB Memorandum 11-33</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"/>
-      </resource>
-      <resource uuid="dd2f5acd-08f1-435a-9837-f8203088dc1a">
-         <title>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-            (E-PACS)</title>
-         <citation>
-            <text>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-               (E-PACS)</text>
-         </citation>
-      </resource>
-      <resource uuid="8ade2fbe-e468-4ca8-9a40-54d7f23c32bb">
-         <title>US-CERT Technical Cyber Security Alerts</title>
-         <citation>
-            <text>US-CERT Technical Cyber Security Alerts</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov/ncas/alerts"/>
-      </resource>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml"
-                href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</catalog>
diff --git a/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml b/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
deleted file mode 100644
index 774b5bb6c8..0000000000
--- a/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
+++ /dev/null
@@ -1,8143 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"  uuid="8383f859-be40-453d-9588-c645af5bef6f">
-   
-   <metadata>
-      <title>FedRAMP Moderate Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage" />
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-
-   <import href="#ad005eae-cc63-4e64-9109-3905a9a825e4">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-2.1"/>
-         <call control-id="ac-2.2"/>
-         <call control-id="ac-2.3"/>
-         <call control-id="ac-2.4"/>
-         <call control-id="ac-2.5"/>
-         <call control-id="ac-2.7"/>
-         <call control-id="ac-2.9"/>
-         <call control-id="ac-2.10"/>
-         <call control-id="ac-2.12"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-4"/>
-         <call control-id="ac-4.21"/>
-         <call control-id="ac-5"/>
-         <call control-id="ac-6"/>
-         <call control-id="ac-6.1"/>
-         <call control-id="ac-6.2"/>
-         <call control-id="ac-6.5"/>
-         <call control-id="ac-6.9"/>
-         <call control-id="ac-6.10"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-10"/>
-         <call control-id="ac-11"/>
-         <call control-id="ac-11.1"/>
-         <call control-id="ac-12"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-17.1"/>
-         <call control-id="ac-17.2"/>
-         <call control-id="ac-17.3"/>
-         <call control-id="ac-17.4"/>
-         <call control-id="ac-17.9"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-18.1"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-19.5"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-20.1"/>
-         <call control-id="ac-20.2"/>
-         <call control-id="ac-21"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-2.2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-2.3"/>
-         <call control-id="au-3"/>
-         <call control-id="au-3.1"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-6"/>
-         <call control-id="au-6.1"/>
-         <call control-id="au-6.3"/>
-         <call control-id="au-7"/>
-         <call control-id="au-7.1"/>
-         <call control-id="au-8"/>
-         <call control-id="au-8.1"/>
-         <call control-id="au-9"/>
-         <call control-id="au-9.2"/>
-         <call control-id="au-9.4"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-2.2"/>
-         <call control-id="ca-2.3"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-3.3"/>
-         <call control-id="ca-3.5"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-7.1"/>
-         <call control-id="ca-8"/>
-         <call control-id="ca-8.1"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-2.1"/>
-         <call control-id="cm-2.2"/>
-         <call control-id="cm-2.3"/>
-         <call control-id="cm-2.7"/>
-         <call control-id="cm-3"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-5"/>
-         <call control-id="cm-5.1"/>
-         <call control-id="cm-5.3"/>
-         <call control-id="cm-5.5"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-6.1"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-7.1"/>
-         <call control-id="cm-7.2"/>
-         <call control-id="cm-7.5"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-8.1"/>
-         <call control-id="cm-8.3"/>
-         <call control-id="cm-8.5"/>
-         <call control-id="cm-9"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-10.1"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-2.1"/>
-         <call control-id="cp-2.2"/>
-         <call control-id="cp-2.3"/>
-         <call control-id="cp-2.8"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-4.1"/>
-         <call control-id="cp-6"/>
-         <call control-id="cp-6.1"/>
-         <call control-id="cp-6.3"/>
-         <call control-id="cp-7"/>
-         <call control-id="cp-7.1"/>
-         <call control-id="cp-7.2"/>
-         <call control-id="cp-7.3"/>
-         <call control-id="cp-8"/>
-         <call control-id="cp-8.1"/>
-         <call control-id="cp-8.2"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-9.1"/>
-         <call control-id="cp-9.3"/>
-         <call control-id="cp-10"/>
-         <call control-id="cp-10.2"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.2"/>
-         <call control-id="ia-2.3"/>
-         <call control-id="ia-2.5"/>
-         <call control-id="ia-2.8"/>
-         <call control-id="ia-2.11"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-3"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-4.4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.2"/>
-         <call control-id="ia-5.3"/>
-         <call control-id="ia-5.4"/>
-         <call control-id="ia-5.6"/>
-         <call control-id="ia-5.7"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-3"/>
-         <call control-id="ir-3.2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-4.1"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-6.1"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-7.1"/>
-         <call control-id="ir-7.2"/>
-         <call control-id="ir-8"/>
-         <call control-id="ir-9"/>
-         <call control-id="ir-9.1"/>
-         <call control-id="ir-9.2"/>
-         <call control-id="ir-9.3"/>
-         <call control-id="ir-9.4"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-3"/>
-         <call control-id="ma-3.1"/>
-         <call control-id="ma-3.2"/>
-         <call control-id="ma-3.3"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-4.2"/>
-         <call control-id="ma-5"/>
-         <call control-id="ma-5.1"/>
-         <call control-id="ma-6"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-3"/>
-         <call control-id="mp-4"/>
-         <call control-id="mp-5"/>
-         <call control-id="mp-5.4"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-6.2"/>
-         <call control-id="mp-7"/>
-         <call control-id="mp-7.1"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-4"/>
-         <call control-id="pe-5"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-6.1"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-9"/>
-         <call control-id="pe-10"/>
-         <call control-id="pe-11"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-13.2"/>
-         <call control-id="pe-13.3"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-14.2"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-16"/>
-         <call control-id="pe-17"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-2.3"/>
-         <call control-id="pl-4"/>
-         <call control-id="pl-4.1"/>
-         <call control-id="pl-8"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-3.3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="ra-5.1"/>
-         <call control-id="ra-5.2"/>
-         <call control-id="ra-5.3"/>
-         <call control-id="ra-5.5"/>
-         <call control-id="ra-5.6"/>
-         <call control-id="ra-5.8"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.1"/>
-         <call control-id="sa-4.2"/>
-         <call control-id="sa-4.8"/>
-         <call control-id="sa-4.9"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-8"/>
-         <call control-id="sa-9"/>
-         <call control-id="sa-9.1"/>
-         <call control-id="sa-9.2"/>
-         <call control-id="sa-9.4"/>
-         <call control-id="sa-9.5"/>
-         <call control-id="sa-10"/>
-         <call control-id="sa-10.1"/>
-         <call control-id="sa-11"/>
-         <call control-id="sa-11.1"/>
-         <call control-id="sa-11.2"/>
-         <call control-id="sa-11.8"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-2"/>
-         <call control-id="sc-4"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-6"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-7.3"/>
-         <call control-id="sc-7.4"/>
-         <call control-id="sc-7.5"/>
-         <call control-id="sc-7.7"/>
-         <call control-id="sc-7.8"/>
-         <call control-id="sc-7.12"/>
-         <call control-id="sc-7.13"/>
-         <call control-id="sc-7.18"/>
-         <call control-id="sc-8"/>
-         <call control-id="sc-8.1"/>
-         <call control-id="sc-10"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-12.2"/>
-         <call control-id="sc-12.3"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-17"/>
-         <call control-id="sc-18"/>
-         <call control-id="sc-19"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-23"/>
-         <call control-id="sc-28"/>
-         <call control-id="sc-28.1"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-2.2"/>
-         <call control-id="si-2.3"/>
-         <call control-id="si-3"/>
-         <call control-id="si-3.1"/>
-         <call control-id="si-3.2"/>
-         <call control-id="si-3.7"/>
-         <call control-id="si-4"/>
-         <call control-id="si-4.1"/>
-         <call control-id="si-4.2"/>
-         <call control-id="si-4.4"/>
-         <call control-id="si-4.5"/>
-         <call control-id="si-4.14"/>
-         <call control-id="si-4.16"/>
-         <call control-id="si-4.23"/>
-         <call control-id="si-5"/>
-         <call control-id="si-6"/>
-         <call control-id="si-7"/>
-         <call control-id="si-7.1"/>
-         <call control-id="si-7.7"/>
-         <call control-id="si-8"/>
-         <call control-id="si-8.1"/>
-         <call control-id="si-8.2"/>
-         <call control-id="si-10"/>
-         <call control-id="si-11"/>
-         <call control-id="si-12"/>
-         <call control-id="si-16"/>
-      </include>
-   </import>
-   <merge>
-      <combine method="keep"/>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <set-parameter param-id="ac-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2_prm_4">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.2_prm_2">
-         <constraint>no more than 30 days for temporary and emergency account types</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.3_prm_1">
-         <constraint>90 days for user accounts</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.2_prm_1">
-         <constraint>all security functions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_1">
-         <constraint>not more than three (3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_2">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_4">
-         <constraint>locks the account/node for thirty minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_1">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_2">
-         <constraint>see additional Requirements and Guidance]</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-10_prm_2">
-         <constraint>three (3) sessions for privileged access and two (2) sessions for non-privileged access</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-11_prm_1">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-17.9_prm_1">
-         <constraint>fifteen 15 minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-22_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-3_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-4_prm_1">
-         <constraint>At least one year</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_1">
-         <constraint>successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_2">
-         <constraint>organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2.3_prm_1">
-         <constraint>annually or whenever there is a change in the threat environment</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-3.1_prm_1">
-         <constraint>session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5_prm_2">
-         <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8.1_prm_1">
-         <constraint>At least hourly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8.1_prm_2">
-         <constraint>http://tf.nist.gov/tf-cgi/servers.cgi</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-9.2_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-11_prm_1">
-         <constraint>at least ninety days</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12_prm_1">
-         <constraint>all information system and network components where audit capability is deployed/available</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_2">
-         <constraint>individuals or roles to include FedRAMP PMO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_1">
-         <constraint>any FedRAMP Accredited 3PAO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_2">
-         <constraint>any FedRAMP Accredited 3PAO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_3">
-         <constraint>the conditions of the JAB/AO in the FedRAMP Repository</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3_prm_1">
-         <constraint>at least annually and on input from FedRAMP</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3.3_prm_2">
-         <constraint>Boundary Protections which meet the Trusted Internet Connection (TIC) requirements</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-5_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-6_prm_1">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_4">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_5">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-8_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.1_prm_1">
-         <constraint>at least annually or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.1_prm_2">
-         <constraint>to include when directed by the JAB</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-5.5_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-6_prm_1">
-         <guideline>
-            <p>See CM-6(a) Additional FedRAMP Requirements and Guidance</p>
-         </guideline>
-      </set-parameter>
-      <set-parameter param-id="cm-7_prm_1">
-         <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7.1_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7.5_prm_2">
-         <constraint>at least Annually or when there is a change</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8.3_prm_1">
-         <constraint>Continuously, using automated mechanisms with a maximum five-minute delay in detection</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-11_prm_3">
-         <constraint>Continuously (via CM-7 (5))</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-2_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_1">
-         <constraint>ten (10) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_2">
-         <constraint>functional exercises</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_1">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_2">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_3">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9.1_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-2.11_prm_1">
-         <constraint>FIPS 140-2, NIAP Certification, or NSA approval</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_2">
-         <constraint>IA-4 (d) [at least two years]</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_3">
-         <constraint>ninety days for user identifiers (See additional requirements and guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4.4_prm_1">
-         <constraint>contractors; foreign nationals</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_2">
-         <constraint>at least one</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_4">
-         <constraint>twenty four (24)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.3_prm_1">
-         <constraint>All hardware/biometric (multifactor authenticators)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.3_prm_2">
-         <constraint>in person</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-3_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-3_prm_2">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-6_prm_1">
-         <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_2">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_4">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-3.3_prm_1">
-         <constraint>the information owner explicitly authorizing removal of the equipment from the facility</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-3_prm_1">
-         <constraint>no removable media types</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-4_prm_1">
-         <constraint>all types of digital and non-digital media with sensitive information</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-4_prm_2">
-         <constraint>see additional FedRAMP requirements and guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-5_prm_1">
-         <constraint>all media with sensitive information</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-5_prm_2">
-         <constraint>prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-6.2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_2">
-         <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_3">
-         <constraint>CSP defined physical access control systems/devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_6">
-         <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_8">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_9">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-6_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_1">
-         <constraint>for a minimum of one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_1">
-         <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_2">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-16_prm_1">
-         <constraint>all information system components</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-4_prm_1">
-         <constraint>At least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-8_prm_1">
-         <constraint>At least annually or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-2_prm_1">
-         <constraint>at least every three years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3_prm_1">
-         <constraint>for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3.3_prm_1">
-         <constraint>personnel screening criteria - as required by specific information</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-4_prm_1">
-         <constraint>same day</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-5_prm_4">
-         <constraint>five days of the time period following the formal transfer action (DoD 24 hours)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-7_prm_2">
-         <constraint>organization-defined time period - same day</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_2">
-         <constraint>security assessment report</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_3">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_5">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_1">
-         <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_2">
-         <constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.2_prm_1">
-         <constraint>prior to a new scan</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.5_prm_1">
-         <constraint>operating systems / web applications / databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.5_prm_2">
-         <constraint>all scans</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-4.2_prm_1">
-         <constraint>to include security-relevant external system interfaces and high-level design</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-4.8_prm_1">
-         <constraint>at least the minimum requirement as defined in control CA-7</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_1">
-         <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_2">
-         <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.2_prm_1">
-         <constraint>all external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.4_prm_2">
-         <constraint>all external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.5_prm_1">
-         <constraint>information processing, information data, AND information services</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-10_prm_1">
-         <constraint>development, implementation, AND operation</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-7.4_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8_prm_1">
-         <constraint>confidentiality AND integrity</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8.1_prm_1">
-         <constraint>prevent unauthorized disclosure of information AND detect changes to information</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8.1_prm_2">
-         <constraint>a hardened or alarmed carrier Protective Distribution System (PDS)</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-10_prm_1">
-         <constraint>no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-12.2_prm_1">
-         <constraint>NIST FIPS-compliant</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-13_prm_1">
-         <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-15_prm_1">
-         <constraint>no exceptions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-28_prm_1">
-         <constraint>confidentiality AND integrity</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2_prm_1">
-         <constraint>within 30 days of release of updates</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2.2_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_2">
-         <constraint>to include endpoints</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_3">
-         <constraint>to include alerting administrator or defined security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-4.4_prm_1">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_1">
-         <constraint>to include US-CERT</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_2">
-         <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_3">
-         <constraint>to include upon system startup and/or restart</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_4">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_5">
-         <constraint>to include system administrators and security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_7">
-         <constraint>to include notification of system administrators and security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-7.1_prm_3">
-         <constraint>Selection to include security relevant events</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-7.1_prm_4">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <alter control-id="ac-1">
-         <add position="starting" id-ref="ac-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-10">
-         <add position="starting" id-ref="ac-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-10_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11">
-         <add position="starting" id-ref="ac-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-11.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11.1">
-         <add position="starting" id-ref="ac-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-12">
-         <add position="starting" id-ref="ac-12">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting" id-ref="ac-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting" id-ref="ac-17">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.1">
-         <add position="starting" id-ref="ac-17.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.2">
-         <add position="starting" id-ref="ac-17.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.3">
-         <add position="starting" id-ref="ac-17.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.4">
-         <add position="starting" id-ref="ac-17.4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.9">
-         <add position="starting" id-ref="ac-17.9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.9_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting" id-ref="ac-18">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.1">
-         <add position="starting" id-ref="ac-18.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting" id-ref="ac-19">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19.5">
-         <add position="starting" id-ref="ac-19.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting" id-ref="ac-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.i_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.k_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.1">
-         <add position="starting" id-ref="ac-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.10">
-         <add position="ending" id-ref="ac-2.10_smt">
-            <part id="ac-2.10_fr" name="item">
-               <title>AC-2 (10) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.10_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Required if shared/group accounts are deployed</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.12">
-         <add position="ending" id-ref="ac-2.12_smt">
-            <part id="ac-2.12_fr" name="item">
-               <title>AC-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) Guidance:</prop>
-                  <p>Required for privileged accounts.</p>
-               </part>
-               <part id="ac-2.12_fr_gdn.2" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Required for privileged accounts.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.12">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.2">
-         <add position="starting" id-ref="ac-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.3">
-         <add position="starting" id-ref="ac-2.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.4">
-         <add position="starting" id-ref="ac-2.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.5">
-         <add position="ending" id-ref="ac-2.5_smt">
-            <part id="ac-2.5_fr" name="item">
-               <title>AC-2 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Should use a shorter timeframe than AC-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.7">
-         <add position="starting" id-ref="ac-2.7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.9">
-         <add position="ending" id-ref="ac-2.9_smt">
-            <part id="ac-2.9_fr" name="item">
-               <title>AC-2 (9) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Required if shared/group accounts are deployed</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.9_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting" id-ref="ac-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20.1">
-         <add position="starting" id-ref="ac-20.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20.2">
-         <add position="starting" id-ref="ac-20.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-21">
-         <add position="starting" id-ref="ac-21.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting" id-ref="ac-22">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-22.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting" id-ref="ac-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4">
-         <add position="starting" id-ref="ac-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4.21">
-         <add position="starting" id-ref="ac-4.21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-5">
-         <add position="ending" id-ref="ac-5_smt">
-            <part id="ac-5_fr" name="item">
-               <title>AC-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6">
-         <add position="starting" id-ref="ac-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.1">
-         <add position="starting" id-ref="ac-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.10">
-         <add position="starting" id-ref="ac-6.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.2">
-         <add position="ending" id-ref="ac-6.2_smt">
-            <part id="ac-6.2_fr" name="item">
-               <title>AC-6 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-6.2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.5">
-         <add position="starting" id-ref="ac-6.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.9">
-         <add position="starting" id-ref="ac-6.9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-6.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting" id-ref="ac-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="ending" id-ref="ac-8_smt">
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting" id-ref="at-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting" id-ref="at-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2.2">
-         <add position="starting" id-ref="at-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting" id-ref="at-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting" id-ref="at-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting" id-ref="au-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="ending" id-ref="au-11_smt">
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting" id-ref="au-12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="ending" id-ref="au-2_smt">
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2.3">
-         <add position="ending" id-ref="au-2.3_smt">
-            <part id="au-2.3_fr" name="item">
-               <title>AU-2 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting" id-ref="au-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3.1">
-         <add position="ending" id-ref="au-3.1_smt">
-            <part id="au-3.1_fr" name="item">
-               <title>AU-3 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-3.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines audit record types <em>[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]</em>.  The audit record types are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="au-3.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-3.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-3.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting" id-ref="au-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting" id-ref="au-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="ending" id-ref="au-6_smt">
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.1">
-         <add position="starting" id-ref="au-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.3">
-         <add position="starting" id-ref="au-6.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7">
-         <add position="starting" id-ref="au-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7.1">
-         <add position="starting" id-ref="au-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting" id-ref="au-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8.1">
-         <add position="ending" id-ref="au-8.1_smt">
-            <part id="au-8.1_fr" name="item">
-               <title>AU-8 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-8.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
-               </part>
-               <part id="au-8.1_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
-               </part>
-               <part id="au-8.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Synchronization of system clocks improves the accuracy of log analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-8.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting" id-ref="au-9.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.2">
-         <add position="starting" id-ref="au-9.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.4">
-         <add position="starting" id-ref="au-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting" id-ref="ca-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="ending" id-ref="ca-2_smt">
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.1">
-         <add position="ending" id-ref="ca-2.1_smt">
-            <part id="ca-2.1_fr" name="item">
-               <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.2">
-         <add position="ending" id-ref="ca-2.2_smt">
-            <part id="ca-2.2_fr" name="item">
-               <title>CA-2 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>To include 'announced', 'vulnerability scanning'</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.3">
-         <add position="starting" id-ref="ca-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting" id-ref="ca-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3.3">
-         <add position="ending" id-ref="ca-3.3_smt">
-            <part id="ca-3.3_fr" name="item">
-               <title>CA-3 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-3.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3.5">
-         <add position="ending" id-ref="ca-3.5_smt">
-            <part id="ca-3.5_fr" name="item">
-               <title>CA-3 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-3.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-3.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="ending" id-ref="ca-5_smt">
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="ending" id-ref="ca-6_smt">
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="ending" id-ref="ca-7_smt">
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7.1">
-         <add position="starting" id-ref="ca-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8">
-         <add position="ending" id-ref="ca-8_smt">
-            <part id="ca-8_fr" name="item">
-               <title>CA-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance <a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8.1">
-         <add position="starting" id-ref="ca-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting" id-ref="ca-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting" id-ref="cm-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting" id-ref="cm-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10.1">
-         <add position="starting" id-ref="cm-10.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting" id-ref="cm-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting" id-ref="cm-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.1">
-         <add position="starting" id-ref="cm-2.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-2.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.2">
-         <add position="starting" id-ref="cm-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.3">
-         <add position="starting" id-ref="cm-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.7">
-         <add position="starting" id-ref="cm-2.7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3">
-         <add position="ending" id-ref="cm-3_smt">
-            <part id="cm-3_fr" name="item">
-               <title>CM-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-3_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="cm-3_fr_gdn.1" name="guidance">
-                  <prop name="label">(e) Guidance:</prop>
-                  <p>In accordance with record retention policies and procedures.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting" id-ref="cm-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5">
-         <add position="starting" id-ref="cm-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.1">
-         <add position="starting" id-ref="cm-5.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.3">
-         <add position="ending" id-ref="cm-5.3_smt">
-            <part id="cm-5.3_fr" name="item">
-               <title>CM-5 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-5.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.5">
-         <add position="starting" id-ref="cm-5.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-5.5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="ending" id-ref="cm-6_smt">
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6.1">
-         <add position="starting" id-ref="cm-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="ending" id-ref="cm-7_smt">
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>. Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.1">
-         <add position="starting" id-ref="cm-7.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-7.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.2">
-         <add position="ending" id-ref="cm-7.2_smt">
-            <part id="cm-7.2_fr" name="item">
-               <title>CM-7 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7.2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.5">
-         <add position="starting" id-ref="cm-7.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-7.5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="ending" id-ref="cm-8_smt">
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.1">
-         <add position="starting" id-ref="cm-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.3">
-         <add position="starting" id-ref="cm-8.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.5">
-         <add position="starting" id-ref="cm-8.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-9">
-         <add position="starting" id-ref="cm-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-9.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting" id-ref="cp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting" id-ref="cp-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10.2">
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="ending" id-ref="cp-2_smt">
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.1">
-         <add position="starting" id-ref="cp-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.2">
-         <add position="starting" id-ref="cp-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.3">
-         <add position="starting" id-ref="cp-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.8">
-         <add position="starting" id-ref="cp-2.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting" id-ref="cp-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="ending" id-ref="cp-4_smt">
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4.1">
-         <add position="starting" id-ref="cp-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6">
-         <add position="starting" id-ref="cp-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.1">
-         <add position="starting" id-ref="cp-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.3">
-         <add position="starting" id-ref="cp-6.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-6.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7">
-         <add position="ending" id-ref="cp-7_smt">
-            <part id="cp-7_fr" name="item">
-               <title>CP-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.1">
-         <add position="ending" id-ref="cp-7.1_smt">
-            <part id="cp-7.1_fr" name="item">
-               <title>CP-7 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.2">
-         <add position="starting" id-ref="cp-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.3">
-         <add position="starting" id-ref="cp-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8">
-         <add position="ending" id-ref="cp-8_smt">
-            <part id="cp-8_fr" name="item">
-               <title>CP-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.1">
-         <add position="starting" id-ref="cp-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.2">
-         <add position="starting" id-ref="cp-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="ending" id-ref="cp-9_smt">
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.1">
-         <add position="starting" id-ref="cp-9.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.3">
-         <add position="starting" id-ref="cp-9.3_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.3_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting" id-ref="ia-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.1">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.11">
-         <add position="ending" id-ref="ia-2.11_smt">
-            <part id="ia-2.11_fr" name="item">
-               <title>IA-2 (11) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.11_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.12">
-         <add position="ending" id-ref="ia-2.12_smt">
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.2">
-         <add position="starting" id-ref="ia-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.3">
-         <add position="starting" id-ref="ia-2.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.5">
-         <add position="starting" id-ref="ia-2.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.8">
-         <add position="starting" id-ref="ia-2.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-3">
-         <add position="starting" id-ref="ia-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="ending" id-ref="ia-4_smt">
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4.4">
-         <add position="starting" id-ref="ia-4.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="ending" id-ref="ia-5_smt">
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.j_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.1">
-         <add position="ending" id-ref="ia-5.1_smt">
-            <part id="ia-5.1_fr" name="item">
-               <title>IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.1_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) (d) Guidance:</prop>
-                  <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.11">
-         <add position="starting" id-ref="ia-5.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.2">
-         <add position="starting" id-ref="ia-5.2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.3">
-         <add position="starting" id-ref="ia-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.4">
-         <add position="ending" id-ref="ia-5.4_smt">
-            <part id="ia-5.4_fr" name="item">
-               <title>IA-5 (4) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.6">
-         <add position="starting" id-ref="ia-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.7">
-         <add position="starting" id-ref="ia-5.7_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting" id-ref="ia-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting" id-ref="ia-7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting" id-ref="ia-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.1">
-         <add position="starting" id-ref="ia-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.2">
-         <add position="starting" id-ref="ia-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.3">
-         <add position="starting" id-ref="ia-8.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.4">
-         <add position="starting" id-ref="ia-8.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting" id-ref="ir-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting" id-ref="ir-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3">
-         <add position="ending" id-ref="ir-3_smt">
-            <part id="ir-3_fr" name="item">
-               <title>IR-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-3_fr_smt.1" name="item">
-                  <prop name="label">IR-3 -2 Requirement:</prop>
-                  <p>The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3.2">
-         <add position="starting" id-ref="ir-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="ending" id-ref="ir-4_smt">
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.1">
-         <add position="starting" id-ref="ir-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting" id-ref="ir-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="ending" id-ref="ir-6_smt">
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6.1">
-         <add position="starting" id-ref="ir-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7.1">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7.2">
-         <add position="starting" id-ref="ir-7.2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="ending" id-ref="ir-8_smt">
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9">
-         <add position="starting" id-ref="ir-9.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.1">
-         <add position="starting" id-ref="ir-9.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.2">
-         <add position="starting" id-ref="ir-9.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.3">
-         <add position="starting" id-ref="ir-9.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.4">
-         <add position="starting" id-ref="ir-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting" id-ref="ma-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting" id-ref="ma-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3">
-         <add position="starting" id-ref="ma-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.1">
-         <add position="starting" id-ref="ma-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.2">
-         <add position="starting" id-ref="ma-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.3">
-         <add position="starting" id-ref="ma-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting" id-ref="ma-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4.2">
-         <add position="starting" id-ref="ma-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting" id-ref="ma-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5.1">
-         <add position="ending" id-ref="ma-5.1_smt">
-            <part id="ma-5.1_fr" name="item">
-               <title>MA-5 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ma-5.1_fr_smt.b" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ma-5.1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.1.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.1.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-6">
-         <add position="starting" id-ref="ma-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-6.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting" id-ref="mp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting" id-ref="mp-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-3">
-         <add position="ending" id-ref="mp-3_smt">
-            <part id="mp-3_fr" name="item">
-               <title>MP-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-3_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Second parameter not-applicable</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-4">
-         <add position="ending" id-ref="mp-4_smt">
-            <part id="mp-4_fr" name="item">
-               <title>MP-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-4_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines controlled areas within facilities where the information and information system reside.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5">
-         <add position="ending" id-ref="mp-5_smt">
-            <part id="mp-5_fr" name="item">
-               <title>MP-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-5_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5.4">
-         <add position="starting" id-ref="mp-5.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting" id-ref="mp-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6.2">
-         <add position="ending" id-ref="mp-6.2_smt">
-            <part id="mp-6.2_fr" name="item">
-               <title>MP-6 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-6.2_fr_gdn.a" name="guidance">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>Equipment and procedures may be tested or validated for effectiveness</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-6.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7.1">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting" id-ref="pe-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-10">
-         <add position="starting" id-ref="pe-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-11">
-         <add position="starting" id-ref="pe-11_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting" id-ref="pe-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting" id-ref="pe-13.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.2">
-         <add position="starting" id-ref="pe-13.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.3">
-         <add position="starting" id-ref="pe-13.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="ending" id-ref="pe-14_smt">
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14.2">
-         <add position="starting" id-ref="pe-14.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting" id-ref="pe-15_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting" id-ref="pe-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.9">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-17">
-         <add position="starting" id-ref="pe-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting" id-ref="pe-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting" id-ref="pe-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-4">
-         <add position="starting" id-ref="pe-4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-5">
-         <add position="starting" id-ref="pe-5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting" id-ref="pe-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6.1">
-         <add position="starting" id-ref="pe-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting" id-ref="pe-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-9">
-         <add position="starting" id-ref="pe-9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting" id-ref="pl-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting" id-ref="pl-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2.3">
-         <add position="starting" id-ref="pl-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting" id-ref="pl-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4.1">
-         <add position="starting" id-ref="pl-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-8">
-         <add position="ending" id-ref="pl-8_smt">
-            <part id="pl-8_fr" name="item">
-               <title>PL-8(b) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pl-8_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pl-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting" id-ref="ps-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting" id-ref="ps-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting" id-ref="ps-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3.3">
-         <add position="starting" id-ref="ps-3.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting" id-ref="ps-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting" id-ref="ps-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting" id-ref="ps-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting" id-ref="ps-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting" id-ref="ps-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting" id-ref="ra-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting" id-ref="ra-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="ending" id-ref="ra-3_smt">
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add position="ending" id-ref="ra-5_smt.a">
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-            </part>
-         </add>
-         <add position="ending" id-ref="ra-5_smt.e">
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-            </part>
-         </add>
-         <add position="ending" id-ref="ra-5_smt">
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.1">
-         <add position="starting" id-ref="ra-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.2">
-         <add position="starting" id-ref="ra-5.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.3">
-         <add position="starting" id-ref="ra-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.5">
-         <add position="starting" id-ref="ra-5.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.6">
-         <add position="ending" id-ref="ra-5.6_smt">
-            <part id="ra-5.6_fr" name="item">
-               <title>RA-5 (6) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.8">
-         <add position="ending" id-ref="ra-5.8_smt">
-            <part id="ra-5.8_fr" name="item">
-               <title>RA-5 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>This enhancement is required for all high vulnerability scan findings.</p>
-               </part>
-               <part id="ra-5.8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting" id-ref="sa-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10">
-         <add position="ending" id-ref="sa-10_smt">
-            <part id="sa-10_fr" name="item">
-               <title>SA-10 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-10_fr_smt.1" name="item">
-                  <prop name="label">(e)  Requirement:</prop>
-                  <p>For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10.1">
-         <add position="starting" id-ref="sa-10.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11">
-         <add position="starting" id-ref="sa-11.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.1">
-         <add position="ending" id-ref="sa-11.1_smt">
-            <part id="sa-11.1_fr" name="item">
-               <title>SA-11 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-11.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.2">
-         <add position="starting" id-ref="sa-11.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.8">
-         <add position="ending" id-ref="sa-11.8_smt">
-            <part id="sa-11.8_fr" name="item">
-               <title>SA-11 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-11.8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-11.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting" id-ref="sa-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting" id-ref="sa-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="ending" id-ref="sa-4_smt">
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.1">
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.10">
-         <add position="starting" id-ref="sa-4.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.2">
-         <add position="starting" id-ref="sa-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.8">
-         <add position="ending" id-ref="sa-4.8_smt">
-            <part id="sa-4.8_fr" name="item">
-               <title>SA-4 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4.8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.9">
-         <add position="starting" id-ref="sa-4.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting" id-ref="sa-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-8">
-         <add position="starting" id-ref="sa-8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="starting" id-ref="sa-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.1">
-         <add position="starting" id-ref="sa-9.1.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.2">
-         <add position="starting" id-ref="sa-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.4">
-         <add position="starting" id-ref="sa-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.5">
-         <add position="starting" id-ref="sa-9.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting" id-ref="sc-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-10">
-         <add position="starting" id-ref="sc-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="ending" id-ref="sc-12_smt">
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.2">
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.3">
-         <add position="starting" id-ref="sc-12.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting" id-ref="sc-13">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="ending" id-ref="sc-15_smt">
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-17">
-         <add position="starting" id-ref="sc-17_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-17_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-18">
-         <add position="starting" id-ref="sc-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-19">
-         <add position="starting" id-ref="sc-19.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-2">
-         <add position="starting" id-ref="sc-2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting" id-ref="sc-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting" id-ref="sc-21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting" id-ref="sc-22_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-22_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-23">
-         <add position="starting" id-ref="sc-23_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28">
-         <add position="ending" id-ref="sc-28_smt">
-            <part id="sc-28_fr" name="item">
-               <title>SC-28 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-28_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28.1">
-         <add position="starting" id-ref="sc-28.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting" id-ref="sc-39_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-4">
-         <add position="starting" id-ref="sc-4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting" id-ref="sc-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-6">
-         <add position="starting" id-ref="sc-6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-6_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting" id-ref="sc-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.12">
-         <add position="starting" id-ref="sc-7.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.12_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.13">
-         <add position="ending" id-ref="sc-7.13_smt">
-            <part id="sc-7.13_fr" name="item">
-               <title>SC-7 (13) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-7.13_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-7.13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.18">
-         <add position="starting" id-ref="sc-7.18_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.3">
-         <add position="starting" id-ref="sc-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.4">
-         <add position="starting" id-ref="sc-7.4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-7.4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.5">
-         <add position="starting" id-ref="sc-7.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.7">
-         <add position="starting" id-ref="sc-7.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.8">
-         <add position="starting" id-ref="sc-7.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8">
-         <add position="starting" id-ref="sc-8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8.1">
-         <add position="starting" id-ref="sc-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting" id-ref="si-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-10">
-         <add position="starting" id-ref="si-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-11">
-         <add position="starting" id-ref="si-11.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting" id-ref="si-12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-16">
-         <add position="starting" id-ref="si-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting" id-ref="si-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.2">
-         <add position="starting" id-ref="si-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.3">
-         <add position="starting" id-ref="si-2.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting" id-ref="si-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.1">
-         <add position="starting" id-ref="si-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.2">
-         <add position="starting" id-ref="si-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.7">
-         <add position="starting" id-ref="si-3.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="ending" id-ref="si-4_smt">
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.1">
-         <add position="starting" id-ref="si-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.14">
-         <add position="starting" id-ref="si-4.14">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.16">
-         <add position="starting" id-ref="si-4.16_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.2">
-         <add position="starting" id-ref="si-4.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.23">
-         <add position="starting" id-ref="si-4.23_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.23_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.23_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.4">
-         <add position="starting" id-ref="si-4.4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.5">
-         <add position="ending" id-ref="si-4.5_smt">
-            <part id="si-4.5_fr" name="item">
-               <title>SI-4 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>In accordance with the incident response plan.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting" id-ref="si-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-6">
-         <add position="starting" id-ref="si-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7">
-         <add position="starting" id-ref="si-7_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7_obj.1.c">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.1">
-         <add position="starting" id-ref="si-7.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.7">
-         <add position="starting" id-ref="si-7.7_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.7_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8">
-         <add position="starting" id-ref="si-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8.1">
-         <add position="starting" id-ref="si-8.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8.2">
-         <add position="starting" id-ref="si-8.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml" href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/content/fedramp.gov/yaml/FedRAMP_HIGH-baseline-resolved-profile_catalog.yaml b/content/fedramp.gov/yaml/FedRAMP_HIGH-baseline-resolved-profile_catalog.yaml
deleted file mode 100644
index 1ff54b3118..0000000000
--- a/content/fedramp.gov/yaml/FedRAMP_HIGH-baseline-resolved-profile_catalog.yaml
+++ /dev/null
@@ -1,86776 +0,0 @@
-catalog: 
-  uuid:        a8ace2a3-4082-40eb-be07-0b0cd7bb4c15
-  metadata: 
-    title:               FedRAMP High Baseline
-    published:           2020-06-01T00:00:00.000-04:00
-    last-modified:       2020-06-01T10:00:00.000-04:00
-    version:             1.2
-    oscal-version:       1.0.0-milestone3
-    properties: 
-      - 
-        name:  resolution-timestamp
-        value: 2020-08-31T17:38:24.694738Z
-    links: 
-      - 
-        href: FedRAMP_HIGH-baseline_profile.xml
-        rel:  resolution-source
-        text: FedRAMP High Baseline
-    roles: 
-      - 
-        id:    parpared-by
-        title: Document creator
-      - 
-        id:         fedramp-pmo
-        title:      The FedRAMP Program Management Office (PMO)
-        short-name: CSP
-      - 
-        id:         fedramp-jab
-        title:      The FedRAMP Joint Authorization Board (JAB)
-        short-name: CSP
-    parties: 
-      - 
-        uuid:            8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
-        type:            organization
-        party-name:      Federal Risk and Authorization Management Program: Program Management Office
-        short-name:      FedRAMP PMO
-        links: 
-          - 
-            href: https://fedramp.gov
-            rel:  homepage
-            text: 
-        addresses: 
-          - 
-            type:           work
-            postal-address: 1800 F St. NW,
-            city:           Washington
-            state:          DC
-            postal-code:    
-            country:        US
-        email-addresses: info@fedramp.gov
-      - 
-        uuid:       ca9ba80e-1342-4bfd-b32a-abac468c24b4
-        type:       organization
-        party-name: Federal Risk and Authorization Management Program: Joint Authorization Board
-        short-name: FedRAMP JAB
-    responsible-parties: 
-      prepared-by: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-pmo: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-jab: 
-        party-uuids: ca9ba80e-1342-4bfd-b32a-abac468c24b4
-  groups: 
-    - 
-      id:       ac
-      class:    family
-      title:    Access Control
-      controls: 
-        - 
-          id:         ac-1
-          class:      SP800-53
-          title:      Access Control Policy and Procedures
-          parameters: 
-            - 
-              id:    ac-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ac-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ac-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-1
-            - 
-              name:  sort-id
-              value: ac-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ac-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ac-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ac-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An access control policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ac-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the access control policy and
-                                               associated access controls; and
-                        """
-                - 
-                  id:         ac-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ac-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Access control policy {{ ac-1_prm_2 }}; and
-                    - 
-                      id:         ac-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Access control procedures {{ ac-1_prm_3 }}.
-            - 
-              id:    ac-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AC
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ac-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-1(a)
-                  parts: 
-                    - 
-                      id:         ac-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ac-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[1]
-                          prose:      develops and documents an access control policy that addresses:
-                          parts: 
-                            - 
-                              id:         ac-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ac-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ac-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ac-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ac-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ac-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ac-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ac-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the access control policy are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ac-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the access control policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         ac-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ac-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      access control policy and associated access control controls;
-                            """
-                        - 
-                          id:         ac-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ac-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ac-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-1(b)
-                  parts: 
-                    - 
-                      id:         ac-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ac-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current access control
-                                                      policy;
-                            """
-                        - 
-                          id:         ac-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current access control policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ac-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ac-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current access control
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ac-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current access control procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ac-2
-          class:      SP800-53
-          title:      Account Management
-          parameters: 
-            - 
-              id:    ac-2_prm_1
-              label: organization-defined information system account types
-            - 
-              id:    ac-2_prm_2
-              label: organization-defined personnel or roles
-            - 
-              id:    ac-2_prm_3
-              label: organization-defined procedures or conditions
-            - 
-              id:          ac-2_prm_4
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: monthly for privileged accessed, every six (6) months for non-privileged access
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-2
-            - 
-              name:  sort-id
-              value: ac-02
-          parts: 
-            - 
-              id:    ac-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifies and selects the following types of information system accounts to
-                                        support organizational missions/business functions: {{ ac-2_prm_1 }};
-                    """
-                - 
-                  id:         ac-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Assigns account managers for information system accounts;
-                - 
-                  id:         ac-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Establishes conditions for group and role membership;
-                - 
-                  id:         ac-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Specifies authorized users of the information system, group and role membership,
-                                        and access authorizations (i.e., privileges) and other attributes (as required)
-                                        for each account;
-                    """
-                - 
-                  id:         ac-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Requires approvals by {{ ac-2_prm_2 }} for requests to create
-                                        information system accounts;
-                    """
-                - 
-                  id:         ac-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Creates, enables, modifies, disables, and removes information system accounts in
-                                        accordance with {{ ac-2_prm_3 }};
-                    """
-                - 
-                  id:         ac-2_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Monitors the use of information system accounts;
-                - 
-                  id:         ac-2_smt.h
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: h.
-                  prose:      Notifies account managers:
-                  parts: 
-                    - 
-                      id:         ac-2_smt.h.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      When accounts are no longer required;
-                    - 
-                      id:         ac-2_smt.h.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      When users are terminated or transferred; and
-                    - 
-                      id:         ac-2_smt.h.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      When individual information system usage or need-to-know changes;
-                - 
-                  id:         ac-2_smt.i
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: i.
-                  prose:      Authorizes access to the information system based on:
-                  parts: 
-                    - 
-                      id:         ac-2_smt.i.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      A valid access authorization;
-                    - 
-                      id:         ac-2_smt.i.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Intended system usage; and
-                    - 
-                      id:         ac-2_smt.i.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Other attributes as required by the organization or associated
-                                               missions/business functions;
-                        """
-                - 
-                  id:         ac-2_smt.j
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: j.
-                  prose:      Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and
-                - 
-                  id:         ac-2_smt.k
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: k.
-                  prose: 
-                    """
-                      Establishes a process for reissuing shared/group account credentials (if deployed)
-                                        when individuals are removed from the group.
-                    """
-            - 
-              id:    ac-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system account types include, for example, individual, shared, group,
-                                 system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-                                 service. Some of the account management requirements listed above can be implemented
-                                 by organizational information systems. The identification of authorized users of the
-                                 information system and the specification of access privileges reflects the
-                                 requirements in other security controls in the security plan. Users requiring
-                                 administrative privileges on information system accounts receive additional scrutiny
-                                 by appropriate organizational personnel (e.g., system owner, mission/business owner,
-                                 or chief information security officer) responsible for approving such accounts and
-                                 privileged access. Organizations may choose to define access privileges or other
-                                 attributes by account, by type of account, or a combination of both. Other attributes
-                                 required for authorizing access include, for example, restrictions on time-of-day,
-                                 day-of-week, and point-of-origin. In defining other account attributes, organizations
-                                 consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-                                 and mission/business requirements, (e.g., time zone differences, customer
-                                 requirements, remote access to support travel requirements). Failure to consider
-                                 these factors could affect information system availability. Temporary and emergency
-                                 accounts are accounts intended for short-term use. Organizations establish temporary
-                                 accounts as a part of normal account activation procedures when there is a need for
-                                 short-term accounts without the demand for immediacy in account activation.
-                                 Organizations establish emergency accounts in response to crisis situations and with
-                                 the need for rapid account activation. Therefore, emergency account activation may
-                                 bypass normal account authorization processes. Emergency and temporary accounts are
-                                 not to be confused with infrequently used accounts (e.g., local logon accounts used
-                                 for special tasks defined by organizations or when network resources are
-                                 unavailable). Such accounts remain available and are not subject to automatic
-                                 disabling or removal dates. Conditions for disabling or deactivating accounts
-                                 include, for example: (i) when shared/group, emergency, or temporary accounts are no
-                                 longer required; or (ii) when individuals are transferred or terminated. Some types
-                                 of information system accounts may require specialized training.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-10
-                  rel:  related
-                  text: AC-10
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    ac-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(a)
-                  parts: 
-                    - 
-                      id:         ac-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(a)[1]
-                      prose: 
-                        """
-                          defines information system account types to be identified and selected to
-                                               support organizational missions/business functions;
-                        """
-                    - 
-                      id:         ac-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AC-2(a)[2]
-                      prose: 
-                        """
-                          identifies and selects organization-defined information system account types to
-                                               support organizational missions/business functions;
-                        """
-                - 
-                  id:         ac-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AC-2(b)
-                  prose:      assigns account managers for information system accounts;
-                - 
-                  id:         ac-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(c)
-                  prose:      establishes conditions for group and role membership;
-                - 
-                  id:         ac-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(d)
-                  prose:      specifies for each account (as required):
-                  parts: 
-                    - 
-                      id:         ac-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[1]
-                      prose:      authorized users of the information system;
-                    - 
-                      id:         ac-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[2]
-                      prose:      group and role membership;
-                    - 
-                      id:         ac-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[3]
-                      prose:      access authorizations (i.e., privileges);
-                    - 
-                      id:         ac-2.d_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[4]
-                      prose:      other attributes;
-                - 
-                  id:         ac-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(e)
-                  parts: 
-                    - 
-                      id:         ac-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(e)[1]
-                      prose: 
-                        """
-                          defines personnel or roles required to approve requests to create information
-                                               system accounts;
-                        """
-                    - 
-                      id:         ac-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(e)[2]
-                      prose: 
-                        """
-                          requires approvals by organization-defined personnel or roles for requests to
-                                               create information system accounts;
-                        """
-                - 
-                  id:         ac-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(f)
-                  parts: 
-                    - 
-                      id:         ac-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(f)[1]
-                      prose:      defines procedures or conditions to:
-                      parts: 
-                        - 
-                          id:         ac-2.f_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][a]
-                          prose:      create information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][b]
-                          prose:      enable information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][c]
-                          prose:      modify information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][d]
-                          prose:      disable information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][e]
-                          prose:      remove information system accounts;
-                    - 
-                      id:         ac-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(f)[2]
-                      prose:      in accordance with organization-defined procedures or conditions:
-                      parts: 
-                        - 
-                          id:         ac-2.f_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][a]
-                          prose:      creates information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][b]
-                          prose:      enables information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][c]
-                          prose:      modifies information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][d]
-                          prose:      disables information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][e]
-                          prose:      removes information system accounts;
-                - 
-                  id:         ac-2.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(g)
-                  prose:      monitors the use of information system accounts;
-                - 
-                  id:         ac-2.h_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(h)
-                  prose:      notifies account managers:
-                  parts: 
-                    - 
-                      id:         ac-2.h.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(1)
-                      prose:      when accounts are no longer required;
-                    - 
-                      id:         ac-2.h.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(2)
-                      prose:      when users are terminated or transferred;
-                    - 
-                      id:         ac-2.h.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(3)
-                      prose:      when individual information system usage or need to know changes;
-                - 
-                  id:         ac-2.i_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(i)
-                  prose:      authorizes access to the information system based on;
-                  parts: 
-                    - 
-                      id:         ac-2.i.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(1)
-                      prose:      a valid access authorization;
-                    - 
-                      id:         ac-2.i.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(2)
-                      prose:      intended system usage;
-                    - 
-                      id:         ac-2.i.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(3)
-                      prose: 
-                        """
-                          other attributes as required by the organization or associated
-                                               missions/business functions;
-                        """
-                - 
-                  id:         ac-2.j_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(j)
-                  parts: 
-                    - 
-                      id:         ac-2.j_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(j)[1]
-                      prose: 
-                        """
-                          defines the frequency to review accounts for compliance with account management
-                                               requirements;
-                        """
-                    - 
-                      id:         ac-2.j_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(j)[2]
-                      prose: 
-                        """
-                          reviews accounts for compliance with account management requirements with the
-                                               organization-defined frequency; and
-                        """
-                - 
-                  id:         ac-2.k_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(k)
-                  prose: 
-                    """
-                      establishes a process for reissuing shared/group account credentials (if deployed)
-                                        when individuals are removed from the group.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated
-                                        with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated
-                                        employees\n\nlist of recently disabled information system accounts along with the name of the
-                                        individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management
-          controls: 
-            - 
-              id:         ac-2.1
-              class:      SP800-53-enhancement
-              title:      Automated System Account Management
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(1)
-                - 
-                  name:  sort-id
-                  value: ac-02.01
-              parts: 
-                - 
-                  id:    ac-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to support the management of
-                                        information system accounts.
-                    """
-                - 
-                  id:    ac-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The use of automated mechanisms can include, for example: using email or text
-                                        messaging to automatically notify account managers when users are terminated or
-                                        transferred; using the information system to monitor account usage; and using
-                                        telephonic notification to report atypical system account usage.
-                    """
-                - 
-                  id:         ac-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to support the
-                                        management of information system accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.2
-              class:      SP800-53-enhancement
-              title:      Removal of Temporary / Emergency Accounts
-              parameters: 
-                - 
-                  id:          ac-2.2_prm_1
-                  constraints: 
-                    - 
-                      detail: Selection: disables
-                - 
-                  id:          ac-2.2_prm_2
-                  label:       organization-defined time period for each type of account
-                  constraints: 
-                    - 
-                      detail: 24 hours from last use
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-2(2)
-                - 
-                  name:  sort-id
-                  value: ac-02.02
-              parts: 
-                - 
-                  id:    ac-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system automatically {{ ac-2.2_prm_1 }} temporary
-                                        and emergency accounts after {{ ac-2.2_prm_2 }}.
-                    """
-                - 
-                  id:    ac-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement requires the removal of both temporary and emergency
-                                        accounts automatically after a predefined period of time has elapsed, rather than
-                                        at the convenience of the systems administrator.
-                    """
-                - 
-                  id:    ac-2.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(2)[1]
-                      prose: 
-                        """
-                          the organization defines the time period after which the information system
-                                               automatically removes or disables temporary and emergency accounts; and
-                        """
-                    - 
-                      id:         ac-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(2)[2]
-                      prose: 
-                        """
-                          the information system automatically removes or disables temporary and
-                                               emergency accounts after the organization-defined time period for each type of
-                                               account.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and/or
-                                               disabled\n\ninformation system-generated list of emergency accounts removed and/or
-                                               disabled\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.3
-              class:      SP800-53-enhancement
-              title:      Disable Inactive Accounts
-              parameters: 
-                - 
-                  id:          ac-2.3_prm_1
-                  label:       organization-defined time period
-                  constraints: 
-                    - 
-                      detail: 35 days for user accounts
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-2(3)
-                - 
-                  name:  sort-id
-                  value: ac-02.03
-              parts: 
-                - 
-                  id:    ac-2.3_smt
-                  name:  statement
-                  prose: The information system automatically disables inactive accounts after {{ ac-2.3_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    ac-2.3_fr
-                      name:  item
-                      title: AC-2 (3) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.3_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.
-                - 
-                  id:    ac-2.3_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(3)[1]
-                      prose: 
-                        """
-                          the organization defines the time period after which the information system
-                                               automatically disables inactive accounts; and
-                        """
-                    - 
-                      id:         ac-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(3)[2]
-                      prose: 
-                        """
-                          the information system automatically disables inactive accounts after the
-                                               organization-defined time period.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and/or
-                                               disabled\n\ninformation system-generated list of emergency accounts removed and/or
-                                               disabled\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.4
-              class:      SP800-53-enhancement
-              title:      Automated Audit Actions
-              parameters: 
-                - 
-                  id:          ac-2.4_prm_1
-                  label:       organization-defined personnel or roles
-                  constraints: 
-                    - 
-                      detail: organization and/or service provider system owner
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(4)
-                - 
-                  name:  sort-id
-                  value: ac-02.04
-              parts: 
-                - 
-                  id:    ac-2.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system automatically audits account creation, modification,
-                                        enabling, disabling, and removal actions, and notifies {{ ac-2.4_prm_1 }}.
-                    """
-                - 
-                  id:    ac-2.4_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                - 
-                  id:    ac-2.4_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-2.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(4)[1]
-                      prose:      the information system automatically audits the following account actions:
-                      parts: 
-                        - 
-                          id:         ac-2.4_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][a]
-                          prose:      creation;
-                        - 
-                          id:         ac-2.4_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][b]
-                          prose:      modification;
-                        - 
-                          id:         ac-2.4_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][c]
-                          prose:      enabling;
-                        - 
-                          id:         ac-2.4_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][d]
-                          prose:      disabling;
-                        - 
-                          id:         ac-2.4_obj.1.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][e]
-                          prose:      removal;
-                    - 
-                      id:         ac-2.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(4)[2]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to be notified of the following
-                                               account actions:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-2.4_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][a]
-                          prose:      creation;
-                        - 
-                          id:         ac-2.4_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][b]
-                          prose:      modification;
-                        - 
-                          id:         ac-2.4_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][c]
-                          prose:      enabling;
-                        - 
-                          id:         ac-2.4_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][d]
-                          prose:      disabling;
-                        - 
-                          id:         ac-2.4_obj.2.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][e]
-                          prose:      removal;
-                    - 
-                      id:         ac-2.4_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(4)[3]
-                      prose: 
-                        """
-                          the information system notifies organization-defined personnel or roles of the
-                                               following account actions:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-2.4_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][a]
-                          prose:      creation;
-                        - 
-                          id:         ac-2.4_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][b]
-                          prose:      modification;
-                        - 
-                          id:         ac-2.4_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][c]
-                          prose:      enabling;
-                        - 
-                          id:         ac-2.4_obj.3.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][d]
-                          prose:      disabling; and
-                        - 
-                          id:         ac-2.4_obj.3.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][e]
-                          prose:      removal.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nnotifications/alerts of account creation, modification, enabling, disabling,
-                                               and removal actions\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.5
-              class:      SP800-53-enhancement
-              title:      Inactivity Logout
-              parameters: 
-                - 
-                  id:          ac-2.5_prm_1
-                  label: 
-                    """
-                      organization-defined time-period of expected inactivity or description of when
-                                        to log out
-                    """
-                  constraints: 
-                    - 
-                      detail: inactivity is anticipated to exceed Fifteen (15) minutes
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-2(5)
-                - 
-                  name:  sort-id
-                  value: ac-02.05
-              parts: 
-                - 
-                  id:    ac-2.5_smt
-                  name:  statement
-                  prose: The organization requires that users log out when {{ ac-2.5_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    ac-2.5_fr
-                      name:  item
-                      title: AC-2 (5) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.5_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Should use a shorter timeframe than AC-12.
-                - 
-                  id:    ac-2.5_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #sc-23
-                      rel:  related
-                      text: SC-23
-                - 
-                  id:    ac-2.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-2.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(5)[1]
-                      prose: 
-                        """
-                          defines either the time period of expected inactivity that requires users to
-                                               log out or the description of when users are required to log out; and
-                        """
-                    - 
-                      id:         ac-2.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(5)[2]
-                      prose: 
-                        """
-                          requires that users log out when the organization-defined time period of
-                                               inactivity is reached or in accordance with organization-defined description of
-                                               when to log out.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity violation reports\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy
-            - 
-              id:         ac-2.7
-              class:      SP800-53-enhancement
-              title:      Role-based Schemes
-              parameters: 
-                - 
-                  id:          ac-2.7_prm_1
-                  label:       organization-defined actions
-                  constraints: 
-                    - 
-                      detail: disables/revokes access within a organization-specified timeframe
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(7)
-                - 
-                  name:  sort-id
-                  value: ac-02.07
-              parts: 
-                - 
-                  id:    ac-2.7_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ac-2.7_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Establishes and administers privileged user accounts in accordance with a
-                                               role-based access scheme that organizes allowed information system access and
-                                               privileges into roles;
-                        """
-                    - 
-                      id:         ac-2.7_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Monitors privileged role assignments; and
-                    - 
-                      id:         ac-2.7_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          Takes {{ ac-2.7_prm_1 }} when privileged role assignments are no
-                                               longer appropriate.
-                        """
-                - 
-                  id:    ac-2.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Privileged roles are organization-defined roles assigned to individuals that allow
-                                        those individuals to perform certain security-relevant functions that ordinary
-                                        users are not authorized to perform. These privileged roles include, for example,
-                                        key management, account management, network and system administration, database
-                                        administration, and web administration.
-                    """
-                - 
-                  id:    ac-2.7_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-2.7.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(7)(a)
-                      prose: 
-                        """
-                          establishes and administers privileged user accounts in accordance with a
-                                               role-based access scheme that organizes allowed information system access and
-                                               privileges into roles;
-                        """
-                      links: 
-                        - 
-                          href: #ac-2.7_smt.a
-                          rel:  corresp
-                          text: AC-2(7)(a)
-                    - 
-                      id:         ac-2.7.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(7)(b)
-                      prose:      monitors privileged role assignments;
-                      links: 
-                        - 
-                          href: #ac-2.7_smt.b
-                          rel:  corresp
-                          text: AC-2(7)(b)
-                    - 
-                      id:         ac-2.7.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(7)(c)
-                      parts: 
-                        - 
-                          id:         ac-2.7.c_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-2(7)(c)[1]
-                          prose: 
-                            """
-                              defines actions to be taken when privileged role assignments are no longer
-                                                      appropriate; and
-                            """
-                        - 
-                          id:         ac-2.7.c_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-2(7)(c)[2]
-                          prose: 
-                            """
-                              takes organization-defined actions when privileged role assignments are no
-                                                      longer appropriate.
-                            """
-                      links: 
-                        - 
-                          href: #ac-2.7_smt.c
-                          rel:  corresp
-                          text: AC-2(7)(c)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of privileged user accounts and associated
-                                               role\n\nrecords of actions taken when privileged role assignments are no longer
-                                               appropriate\n\ninformation system audit records\n\naudit tracking and monitoring reports\n\ninformation system monitoring records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions\n\nautomated mechanisms monitoring privileged role assignments
-            - 
-              id:         ac-2.9
-              class:      SP800-53-enhancement
-              title:      Restrictions On Use of Shared / Group Accounts
-              parameters: 
-                - 
-                  id:          ac-2.9_prm_1
-                  label:       organization-defined conditions for establishing shared/group accounts
-                  constraints: 
-                    - 
-                      detail: organization-defined need with justification statement that explains why such accounts are necessary
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(9)
-                - 
-                  name:  sort-id
-                  value: ac-02.09
-              parts: 
-                - 
-                  id:    ac-2.9_smt
-                  name:  statement
-                  prose: The organization only permits the use of shared/group accounts that meet {{ ac-2.9_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    ac-2.9_fr
-                      name:  item
-                      title: AC-2 (9) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.9_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Required if shared/group accounts are deployed
-                - 
-                  id:    ac-2.9_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-2.9_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(9)[1]
-                      prose:      defines conditions for establishing shared/group accounts; and
-                    - 
-                      id:         ac-2.9_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(9)[2]
-                      prose: 
-                        """
-                          only permits the use of shared/group accounts that meet organization-defined
-                                               conditions for establishing shared/group accounts.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of shared/group accounts and associated role\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing management of shared/group accounts
-            - 
-              id:         ac-2.10
-              class:      SP800-53-enhancement
-              title:      Shared / Group Account Credential Termination
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(10)
-                - 
-                  name:  sort-id
-                  value: ac-02.10
-              parts: 
-                - 
-                  id:    ac-2.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system terminates shared/group account credentials when members
-                                        leave the group.
-                    """
-                  parts: 
-                    - 
-                      id:    ac-2.10_fr
-                      name:  item
-                      title: AC-2 (10) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.10_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Required if shared/group accounts are deployed
-                - 
-                  id:         ac-2.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system terminates shared/group account credentials
-                                        when members leave the group.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naccount access termination records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.11
-              class:      SP800-53-enhancement
-              title:      Usage Conditions
-              parameters: 
-                - 
-                  id:    ac-2.11_prm_1
-                  label: organization-defined circumstances and/or usage conditions
-                - 
-                  id:    ac-2.11_prm_2
-                  label: organization-defined information system accounts
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(11)
-                - 
-                  name:  sort-id
-                  value: ac-02.11
-              parts: 
-                - 
-                  id:    ac-2.11_smt
-                  name:  statement
-                  prose: The information system enforces {{ ac-2.11_prm_1 }} for {{ ac-2.11_prm_2 }}.
-                - 
-                  id:    ac-2.11_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can describe the specific conditions or circumstances under which
-                                        information system accounts can be used, for example, by restricting usage to
-                                        certain days of the week, time of day, or specific durations of time.
-                    """
-                - 
-                  id:    ac-2.11_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-2.11_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(11)[1]
-                      prose: 
-                        """
-                          the organization defines circumstances and/or usage conditions to be enforced
-                                               for information system accounts;
-                        """
-                    - 
-                      id:         ac-2.11_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(11)[2]
-                      prose: 
-                        """
-                          the organization defines information system accounts for which
-                                               organization-defined circumstances and/or usage conditions are to be enforced;
-                                               and
-                        """
-                    - 
-                      id:         ac-2.11_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(11)[3]
-                      prose: 
-                        """
-                          the information system enforces organization-defined circumstances and/or usage
-                                               conditions for organization-defined information system accounts.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of information system accounts and associated assignments
-                                               of usage circumstances and/or usage conditions\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.12
-              class:      SP800-53-enhancement
-              title:      Account Monitoring / Atypical Usage
-              parameters: 
-                - 
-                  id:    ac-2.12_prm_1
-                  label: organization-defined atypical usage
-                - 
-                  id:          ac-2.12_prm_2
-                  label:       organization-defined personnel or roles
-                  constraints: 
-                    - 
-                      detail: at a minimum, the ISSO and/or similar role within the organization
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-2(12)
-                - 
-                  name:  sort-id
-                  value: ac-02.12
-              parts: 
-                - 
-                  id:    ac-2.12_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ac-2.12_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Monitors information system accounts for {{ ac-2.12_prm_1 }};
-                                               and
-                        """
-                    - 
-                      id:         ac-2.12_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Reports atypical usage of information system accounts to {{ ac-2.12_prm_2 }}.
-                    - 
-                      id:    ac-2.12_fr
-                      name:  item
-                      title: AC-2 (12) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.12_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (a) Guidance:
-                          prose:      Required for privileged accounts.
-                        - 
-                          id:         ac-2.12_fr_gdn.2
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (b) Guidance:
-                          prose:      Required for privileged accounts.
-                - 
-                  id:    ac-2.12_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Atypical usage includes, for example, accessing information systems at certain
-                                        times of the day and from locations that are not consistent with the normal usage
-                                        patterns of individuals working in organizations.
-                    """
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                - 
-                  id:    ac-2.12_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-2.12.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(12)(a)
-                      parts: 
-                        - 
-                          id:         ac-2.12.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-2(12)(a)[1]
-                          prose:      defines atypical usage to be monitored for information system accounts;
-                        - 
-                          id:         ac-2.12.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-2(12)(a)[2]
-                          prose: 
-                            """
-                              monitors information system accounts for organization-defined atypical
-                                                      usage;
-                            """
-                      links: 
-                        - 
-                          href: #ac-2.12_smt.a
-                          rel:  corresp
-                          text: AC-2(12)(a)
-                    - 
-                      id:         ac-2.12.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(12)(b)
-                      parts: 
-                        - 
-                          id:         ac-2.12.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-2(12)(b)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to whom atypical usage of information system
-                                                      accounts are to be reported; and
-                            """
-                        - 
-                          id:         ac-2.12.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-2(12)(b)[2]
-                          prose: 
-                            """
-                              reports atypical usage of information system accounts to
-                                                      organization-defined personnel or roles.
-                            """
-                      links: 
-                        - 
-                          href: #ac-2.12_smt.b
-                          rel:  corresp
-                          text: AC-2(12)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\naudit tracking and monitoring reports\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.13
-              class:      SP800-53-enhancement
-              title:      Disable Accounts for High-risk Individuals
-              parameters: 
-                - 
-                  id:          ac-2.13_prm_1
-                  label:       organization-defined time period
-                  constraints: 
-                    - 
-                      detail: one (1) hour
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(13)
-                - 
-                  name:  sort-id
-                  value: ac-02.13
-              parts: 
-                - 
-                  id:    ac-2.13_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization disables accounts of users posing a significant risk within
-                                           {{ ac-2.13_prm_1 }} of discovery of the risk.
-                    """
-                - 
-                  id:    ac-2.13_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Users posing a significant risk to organizations include individuals for whom
-                                        reliable evidence or intelligence indicates either the intention to use authorized
-                                        access to information systems to cause harm or through whom adversaries will cause
-                                        harm. Harm includes potential adverse impacts to organizational operations and
-                                        assets, individuals, other organizations, or the Nation. Close coordination
-                                        between authorizing officials, information system administrators, and human
-                                        resource managers is essential in order for timely execution of this control
-                                        enhancement.
-                    """
-                  links: 
-                    - 
-                      href: #ps-4
-                      rel:  related
-                      text: PS-4
-                - 
-                  id:    ac-2.13_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ac-2.13_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(13)[1]
-                      prose: 
-                        """
-                          defines the time period within which accounts are disabled upon discovery of a
-                                               significant risk posed by users of such accounts; and
-                        """
-                    - 
-                      id:         ac-2.13_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(13)[2]
-                      prose: 
-                        """
-                          disables accounts of users posing a significant risk within the
-                                               organization-defined time period of discovery of the risk.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-        - 
-          id:         ac-3
-          class:      SP800-53
-          title:      Access Enforcement
-          properties: 
-            - 
-              name:  label
-              value: AC-3
-            - 
-              name:  sort-id
-              value: ac-03
-          parts: 
-            - 
-              id:    ac-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system enforces approved authorizations for logical access to
-                                 information and system resources in accordance with applicable access control
-                                 policies.
-                """
-            - 
-              id:    ac-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Access control policies (e.g., identity-based policies, role-based policies, control
-                                 matrices, cryptography) control access between active entities or subjects (i.e.,
-                                 users or processes acting on behalf of users) and passive entities or objects (e.g.,
-                                 devices, files, records, domains) in information systems. In addition to enforcing
-                                 authorized access at the information system level and recognizing that information
-                                 systems can host many applications and services in support of organizational missions
-                                 and business operations, access enforcement mechanisms can also be employed at the
-                                 application and service level to provide increased information security.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-                - 
-                  href: #ac-22
-                  rel:  related
-                  text: AC-22
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-            - 
-              id:         ac-3_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system enforces approved authorizations for logical
-                                 access to information and system resources in accordance with applicable access
-                                 control policies.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing access control policy
-        - 
-          id:         ac-4
-          class:      SP800-53
-          title:      Information Flow Enforcement
-          parameters: 
-            - 
-              id:    ac-4_prm_1
-              label: organization-defined information flow control policies
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-4
-            - 
-              name:  sort-id
-              value: ac-04
-          parts: 
-            - 
-              id:    ac-4_smt
-              name:  statement
-              prose: 
-                """
-                  The information system enforces approved authorizations for controlling the flow of
-                                 information within the system and between interconnected systems based on {{ ac-4_prm_1 }}.
-                """
-            - 
-              id:    ac-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information flow control regulates where information is allowed to travel within an
-                                 information system and between information systems (as opposed to who is allowed to
-                                 access the information) and without explicit regard to subsequent accesses to that
-                                 information. Flow control restrictions include, for example, keeping
-                                 export-controlled information from being transmitted in the clear to the Internet,
-                                 blocking outside traffic that claims to be from within the organization, restricting
-                                 web requests to the Internet that are not from the internal web proxy server, and
-                                 limiting information transfers between organizations based on data structures and
-                                 content. Transferring information between information systems representing different
-                                 security domains with different security policies introduces risk that such transfers
-                                 violate one or more domain security policies. In such situations, information
-                                 owners/stewards provide guidance at designated policy enforcement points between
-                                 interconnected systems. Organizations consider mandating specific architectural
-                                 solutions when required to enforce specific security policies. Enforcement includes,
-                                 for example: (i) prohibiting information transfers between interconnected systems
-                                 (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way
-                                 information flows; and (iii) implementing trustworthy regrading mechanisms to
-                                 reassign security attributes and security labels. Organizations commonly employ
-                                 information flow control policies and enforcement mechanisms to control the flow of
-                                 information between designated sources and destinations (e.g., networks, individuals,
-                                 and devices) within information systems and between interconnected systems. Flow
-                                 control is based on the characteristics of the information and/or the information
-                                 path. Enforcement occurs, for example, in boundary protection devices (e.g.,
-                                 gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or
-                                 establish configuration settings that restrict information system services, provide a
-                                 packet-filtering capability based on header information, or message-filtering
-                                 capability based on message content (e.g., implementing key word searches or using
-                                 document characteristics). Organizations also consider the trustworthiness of
-                                 filtering/inspection mechanisms (i.e., hardware, firmware, and software components)
-                                 that are critical to information flow enforcement. Control enhancements 3 through 22
-                                 primarily address cross-domain solution needs which focus on more advanced filtering
-                                 techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented
-                                 in cross-domain products, for example, high-assurance guards. Such capabilities are
-                                 generally not available in commercial off-the-shelf information technology
-                                 products.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-18
-                  rel:  related
-                  text: SC-18
-            - 
-              id:    ac-4_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-4_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-4[1]
-                  prose: 
-                    """
-                      the organization defines information flow control policies to control the flow of
-                                        information within the system and between interconnected systems; and
-                    """
-                - 
-                  id:         ac-4_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-4[2]
-                  prose: 
-                    """
-                      the information system enforces approved authorizations for controlling the flow
-                                        of information within the system and between interconnected systems based on
-                                        organization-defined information flow control policies.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system baseline configuration\n\nlist of information flow authorizations\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing information flow enforcement policy
-          controls: 
-            - 
-              id:         ac-4.8
-              class:      SP800-53-enhancement
-              title:      Security Policy Filters
-              parameters: 
-                - 
-                  id:    ac-4.8_prm_1
-                  label: organization-defined security policy filters
-                - 
-                  id:    ac-4.8_prm_2
-                  label: organization-defined information flows
-              properties: 
-                - 
-                  name:  label
-                  value: AC-4(8)
-                - 
-                  name:  sort-id
-                  value: ac-04.08
-              parts: 
-                - 
-                  id:    ac-4.8_smt
-                  name:  statement
-                  prose: The information system enforces information flow control using {{ ac-4.8_prm_1 }} as a basis for flow control decisions for {{ ac-4.8_prm_2 }}.
-                - 
-                  id:    ac-4.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organization-defined security policy filters can address data structures and
-                                        content. For example, security policy filters for data structures can check for
-                                        maximum file lengths, maximum field sizes, and data/file types (for structured and
-                                        unstructured data). Security policy filters for data content can check for
-                                        specific words (e.g., dirty/clean word filters), enumerated values or data value
-                                        ranges, and hidden content. Structured data permits the interpretation of data
-                                        content by applications. Unstructured data typically refers to digital information
-                                        without a particular data structure or with a data structure that does not
-                                        facilitate the development of rule sets to address the particular sensitivity of
-                                        the information conveyed by the data or the associated flow enforcement decisions.
-                                        Unstructured data consists of: (i) bitmap objects that are inherently non
-                                        language-based (i.e., image, video, or audio files); and (ii) textual objects that
-                                        are based on written or printed languages (e.g., commercial off-the-shelf word
-                                        processing documents, spreadsheets, or emails). Organizations can implement more
-                                        than one security policy filter to meet information flow control objectives (e.g.,
-                                        employing clean word lists in conjunction with dirty word lists may help to reduce
-                                        false positives).
-                    """
-                - 
-                  id:    ac-4.8_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-4.8_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-4(8)[1]
-                      prose: 
-                        """
-                          the organization defines security policy filters to be used as a basis for
-                                               enforcing flow control decisions;
-                        """
-                    - 
-                      id:         ac-4.8_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-4(8)[2]
-                      prose: 
-                        """
-                          the organization defines information flows for which flow control decisions are
-                                               to be applied and enforced; and
-                        """
-                    - 
-                      id:         ac-4.8_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-4(8)[3]
-                      prose: 
-                        """
-                          the information system enforces information flow control using
-                                               organization-defined security policy filters as a basis for flow control
-                                               decisions for organization-defined information flows.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of security policy filters regulating flow control decisions\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing information flow enforcement policy
-            - 
-              id:         ac-4.21
-              class:      SP800-53-enhancement
-              title:      Physical / Logical Separation of Information Flows
-              parameters: 
-                - 
-                  id:    ac-4.21_prm_1
-                  label: organization-defined mechanisms and/or techniques
-                - 
-                  id:    ac-4.21_prm_2
-                  label: organization-defined required separations by types of information
-              properties: 
-                - 
-                  name:  label
-                  value: AC-4(21)
-                - 
-                  name:  sort-id
-                  value: ac-04.21
-              parts: 
-                - 
-                  id:    ac-4.21_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system separates information flows logically or physically using
-                                           {{ ac-4.21_prm_1 }} to accomplish {{ ac-4.21_prm_2 }}.
-                    """
-                - 
-                  id:    ac-4.21_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Enforcing the separation of information flows by type can enhance protection by
-                                        ensuring that information is not commingled while in transit and by enabling flow
-                                        control by transmission paths perhaps not otherwise achievable. Types of separable
-                                        information include, for example, inbound and outbound communications traffic,
-                                        service requests and responses, and information of differing security
-                                        categories.
-                    """
-                - 
-                  id:    ac-4.21_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         ac-4.21_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-4(21)[1]
-                      prose: 
-                        """
-                          the organization defines the required separations of information flows by types
-                                               of information;
-                        """
-                    - 
-                      id:         ac-4.21_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-4(21)[2]
-                      prose: 
-                        """
-                          the organization defines the mechanisms and/or techniques to be used to
-                                               separate information flows logically or physically; and
-                        """
-                    - 
-                      id:         ac-4.21_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-4(21)[3]
-                      prose: 
-                        """
-                          the information system separates information flows logically or physically
-                                               using organization-defined mechanisms and/or techniques to accomplish
-                                               organization-defined required separations by types of information.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and/or techniques used to logically or physically separate
-                                               information flows\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing information flow enforcement functions
-        - 
-          id:         ac-5
-          class:      SP800-53
-          title:      Separation of Duties
-          parameters: 
-            - 
-              id:    ac-5_prm_1
-              label: organization-defined duties of individuals
-          properties: 
-            - 
-              name:  label
-              value: AC-5
-            - 
-              name:  sort-id
-              value: ac-05
-          parts: 
-            - 
-              id:    ac-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Separates {{ ac-5_prm_1 }};
-                - 
-                  id:         ac-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Documents separation of duties of individuals; and
-                - 
-                  id:         ac-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Defines information system access authorizations to support separation of
-                                        duties.
-                    """
-                - 
-                  id:    ac-5_fr
-                  name:  item
-                  title: AC-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ac-5_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.
-            - 
-              id:    ac-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Separation of duties addresses the potential for abuse of authorized privileges and
-                                 helps to reduce the risk of malevolent activity without collusion. Separation of
-                                 duties includes, for example: (i) dividing mission functions and information system
-                                 support functions among different individuals and/or roles; (ii) conducting
-                                 information system support functions with different individuals (e.g., system
-                                 management, programming, configuration management, quality assurance and testing, and
-                                 network security); and (iii) ensuring security personnel administering access control
-                                 functions do not also administer audit functions.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-            - 
-              id:    ac-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-5(a)
-                  parts: 
-                    - 
-                      id:         ac-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-5(a)[1]
-                      prose:      defines duties of individuals to be separated;
-                    - 
-                      id:         ac-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-5(a)[2]
-                      prose:      separates organization-defined duties of individuals;
-                - 
-                  id:         ac-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-5(b)
-                  prose:      documents separation of duties; and
-                - 
-                  id:         ac-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-5(c)
-                  prose: 
-                    """
-                      defines information system access authorizations to support separation of
-                                        duties.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\ninformation system configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\ninformation system access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for defining appropriate divisions
-                                        of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing separation of duties policy
-        - 
-          id:         ac-6
-          class:      SP800-53
-          title:      Least Privilege
-          properties: 
-            - 
-              name:  label
-              value: AC-6
-            - 
-              name:  sort-id
-              value: ac-06
-          parts: 
-            - 
-              id:    ac-6_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs the principle of least privilege, allowing only authorized
-                                 accesses for users (or processes acting on behalf of users) which are necessary to
-                                 accomplish assigned tasks in accordance with organizational missions and business
-                                 functions.
-                """
-            - 
-              id:    ac-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations employ least privilege for specific duties and information systems. The
-                                 principle of least privilege is also applied to information system processes,
-                                 ensuring that the processes operate at privilege levels no higher than necessary to
-                                 accomplish required organizational missions/business functions. Organizations
-                                 consider the creation of additional processes, roles, and information system accounts
-                                 as necessary, to achieve least privilege. Organizations also apply least privilege to
-                                 the development, implementation, and operation of organizational information
-                                 systems.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-            - 
-              id:         ac-6_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization employs the principle of least privilege, allowing only
-                                 authorized access for users (and processes acting on behalf of users) which are
-                                 necessary to accomplish assigned tasks in accordance with organizational missions and
-                                 business functions. 
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for defining least privileges
-                                        necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing least privilege functions
-          controls: 
-            - 
-              id:         ac-6.1
-              class:      SP800-53-enhancement
-              title:      Authorize Access to Security Functions
-              parameters: 
-                - 
-                  id:          ac-6.1_prm_1
-                  label: 
-                    """
-                      organization-defined security functions (deployed in hardware, software, and
-                                        firmware) and security-relevant information
-                    """
-                  constraints: 
-                    - 
-                      detail: all functions not publicly accessible and all security-relevant information not publicly available
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(1)
-                - 
-                  name:  sort-id
-                  value: ac-06.01
-              parts: 
-                - 
-                  id:    ac-6.1_smt
-                  name:  statement
-                  prose: The organization explicitly authorizes access to {{ ac-6.1_prm_1 }}.
-                - 
-                  id:    ac-6.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Security functions include, for example, establishing system accounts, configuring
-                                        access authorizations (i.e., permissions, privileges), setting events to be
-                                        audited, and setting intrusion detection parameters. Security-relevant information
-                                        includes, for example, filtering rules for routers/firewalls, cryptographic key
-                                        management information, configuration parameters for security services, and access
-                                        control lists. Explicitly authorized personnel include, for example, security
-                                        administrators, system and network administrators, system security officers,
-                                        system maintenance personnel, system programmers, and other privileged users.
-                    """
-                  links: 
-                    - 
-                      href: #ac-17
-                      rel:  related
-                      text: AC-17
-                    - 
-                      href: #ac-18
-                      rel:  related
-                      text: AC-18
-                    - 
-                      href: #ac-19
-                      rel:  related
-                      text: AC-19
-                - 
-                  id:    ac-6.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ac-6.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(1)[1]
-                      prose: 
-                        """
-                          defines security-relevant information for which access must be explicitly
-                                               authorized;
-                        """
-                    - 
-                      id:         ac-6.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(1)[2]
-                      prose:      defines security functions deployed in:
-                      parts: 
-                        - 
-                          id:         ac-6.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[2][a]
-                          prose:      hardware;
-                        - 
-                          id:         ac-6.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[2][b]
-                          prose:      software;
-                        - 
-                          id:         ac-6.1_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[2][c]
-                          prose:      firmware;
-                    - 
-                      id:         ac-6.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(1)[3]
-                      prose:      explicitly authorizes access to:
-                      parts: 
-                        - 
-                          id:         ac-6.1_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[3][a]
-                          prose:      organization-defined security functions; and
-                        - 
-                          id:         ac-6.1_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[3][b]
-                          prose:      security-relevant information.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and
-                                               security-relevant information for which access must be explicitly
-                                               authorized\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing least privilege functions
-            - 
-              id:         ac-6.2
-              class:      SP800-53-enhancement
-              title:      Non-privileged Access for Nonsecurity Functions
-              parameters: 
-                - 
-                  id:          ac-6.2_prm_1
-                  label: 
-                    """
-                      organization-defined security functions or security-relevant
-                                        information
-                    """
-                  constraints: 
-                    - 
-                      detail: all security functions
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(2)
-                - 
-                  name:  sort-id
-                  value: ac-06.02
-              parts: 
-                - 
-                  id:    ac-6.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires that users of information system accounts, or roles,
-                                        with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or
-                                        roles, when accessing nonsecurity functions.
-                    """
-                  parts: 
-                    - 
-                      id:    ac-6.2_fr
-                      name:  item
-                      title: AC-6 (2) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-6.2_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
-                - 
-                  id:    ac-6.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement limits exposure when operating from within privileged
-                                        accounts or roles. The inclusion of roles addresses situations where organizations
-                                        implement access control policies such as role-based access control and where a
-                                        change of role provides the same degree of assurance in the change of access
-                                        authorizations for both the user and all processes acting on behalf of the user as
-                                        would be provided by a change between a privileged and non-privileged account.
-                    """
-                  links: 
-                    - 
-                      href: #pl-4
-                      rel:  related
-                      text: PL-4
-                - 
-                  id:    ac-6.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-6.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(2)[1]
-                      prose: 
-                        """
-                          defines security functions or security-relevant information to which users of
-                                               information system accounts, or roles, have access; and
-                        """
-                    - 
-                      id:         ac-6.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(2)[2]
-                      prose: 
-                        """
-                          requires that users of information system accounts, or roles, with access to
-                                               organization-defined security functions or security-relevant information, use
-                                               non-privileged accounts, or roles, when accessing nonsecurity functions.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information
-                                               assigned to information system accounts or roles\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing least privilege functions
-            - 
-              id:         ac-6.3
-              class:      SP800-53-enhancement
-              title:      Network Access to Privileged Commands
-              parameters: 
-                - 
-                  id:          ac-6.3_prm_1
-                  label:       organization-defined privileged commands
-                  constraints: 
-                    - 
-                      detail: all privileged commands
-                - 
-                  id:    ac-6.3_prm_2
-                  label: organization-defined compelling operational needs
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(3)
-                - 
-                  name:  sort-id
-                  value: ac-06.03
-              parts: 
-                - 
-                  id:    ac-6.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization authorizes network access to {{ ac-6.3_prm_1 }}
-                                        only for {{ ac-6.3_prm_2 }} and documents the rationale for such
-                                        access in the security plan for the information system.
-                    """
-                - 
-                  id:    ac-6.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Network access is any access across a network connection in lieu of local access
-                                        (i.e., user being physically present at the device).
-                    """
-                  links: 
-                    - 
-                      href: #ac-17
-                      rel:  related
-                      text: AC-17
-                - 
-                  id:    ac-6.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-6.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(3)[1]
-                      prose: 
-                        """
-                          defines privileged commands to which network access is to be authorized only
-                                               for compelling operational needs;
-                        """
-                    - 
-                      id:         ac-6.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(3)[2]
-                      prose: 
-                        """
-                          defines compelling operational needs for which network access to
-                                               organization-defined privileged commands are to be solely authorized;
-                        """
-                    - 
-                      id:         ac-6.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(3)[3]
-                      prose: 
-                        """
-                          authorizes network access to organization-defined privileged commands only for
-                                               organization-defined compelling operational needs; and
-                        """
-                    - 
-                      id:         ac-6.3_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AC-6(3)[4]
-                      prose: 
-                        """
-                          documents the rationale for authorized network access to organization-defined
-                                               privileged commands in the security plan for the information system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing least privilege\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of operational needs for authorizing network access to privileged
-                                               commands\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing least privilege functions
-            - 
-              id:         ac-6.5
-              class:      SP800-53-enhancement
-              title:      Privileged Accounts
-              parameters: 
-                - 
-                  id:    ac-6.5_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(5)
-                - 
-                  name:  sort-id
-                  value: ac-06.05
-              parts: 
-                - 
-                  id:    ac-6.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization restricts privileged accounts on the information system to
-                                           {{ ac-6.5_prm_1 }}.
-                    """
-                - 
-                  id:    ac-6.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Privileged accounts, including super user accounts, are typically described as
-                                        system administrator for various types of commercial off-the-shelf operating
-                                        systems. Restricting privileged accounts to specific personnel or roles prevents
-                                        day-to-day users from having access to privileged information/functions.
-                                        Organizations may differentiate in the application of this control enhancement
-                                        between allowed privileges for local accounts and for domain accounts provided
-                                        organizations retain the ability to control information system configurations for
-                                        key security parameters and as otherwise necessary to sufficiently mitigate
-                                        risk.
-                    """
-                  links: 
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                - 
-                  id:    ac-6.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-6.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(5)[1]
-                      prose: 
-                        """
-                          defines personnel or roles for which privileged accounts on the information
-                                               system are to be restricted; and
-                        """
-                    - 
-                      id:         ac-6.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(5)[2]
-                      prose: 
-                        """
-                          restricts privileged accounts on the information system to organization-defined
-                                               personnel or roles.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing least privilege functions
-            - 
-              id:         ac-6.7
-              class:      SP800-53-enhancement
-              title:      Review of User Privileges
-              parameters: 
-                - 
-                  id:          ac-6.7_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at a minimum, annually
-                - 
-                  id:          ac-6.7_prm_2
-                  label:       organization-defined roles or classes of users
-                  constraints: 
-                    - 
-                      detail: all users with privileges
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(7)
-                - 
-                  name:  sort-id
-                  value: ac-06.07
-              parts: 
-                - 
-                  id:    ac-6.7_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ac-6.7_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Reviews {{ ac-6.7_prm_1 }} the privileges assigned to {{ ac-6.7_prm_2 }} to validate the need for such privileges; and
-                    - 
-                      id:         ac-6.7_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Reassigns or removes privileges, if necessary, to correctly reflect
-                                               organizational mission/business needs.
-                        """
-                - 
-                  id:    ac-6.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The need for certain assigned user privileges may change over time reflecting
-                                        changes in organizational missions/business function, environments of operation,
-                                        technologies, or threat. Periodic review of assigned user privileges is necessary
-                                        to determine if the rationale for assigning such privileges remains valid. If the
-                                        need cannot be revalidated, organizations take appropriate corrective actions.
-                    """
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                - 
-                  id:    ac-6.7_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ac-6.7.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-6(7)(a)
-                      parts: 
-                        - 
-                          id:         ac-6.7.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-6(7)(a)[1]
-                          prose:      defines roles or classes of users to which privileges are assigned;
-                        - 
-                          id:         ac-6.7.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-6(7)(a)[2]
-                          prose: 
-                            """
-                              defines the frequency to review the privileges assigned to
-                                                      organization-defined roles or classes of users to validate the need for such
-                                                      privileges;
-                            """
-                        - 
-                          id:         ac-6.7.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AC-6(7)(a)[3]
-                          prose: 
-                            """
-                              reviews the privileges assigned to organization-defined roles or classes of
-                                                      users with the organization-defined frequency to validate the need for such
-                                                      privileges; and
-                            """
-                      links: 
-                        - 
-                          href: #ac-6.7_smt.a
-                          rel:  corresp
-                          text: AC-6(7)(a)
-                    - 
-                      id:         ac-6.7.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(7)(b)
-                      prose: 
-                        """
-                          reassigns or removes privileges, if necessary, to correctly reflect
-                                               organizational missions/business needs.
-                        """
-                      links: 
-                        - 
-                          href: #ac-6.7_smt.b
-                          rel:  corresp
-                          text: AC-6(7)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of
-                                               users\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for reviewing least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing review of user privileges
-            - 
-              id:         ac-6.8
-              class:      SP800-53-enhancement
-              title:      Privilege Levels for Code Execution
-              parameters: 
-                - 
-                  id:          ac-6.8_prm_1
-                  label:       organization-defined software
-                  constraints: 
-                    - 
-                      detail: any software except software explicitly documented
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(8)
-                - 
-                  name:  sort-id
-                  value: ac-06.08
-              parts: 
-                - 
-                  id:    ac-6.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system prevents {{ ac-6.8_prm_1 }} from executing
-                                        at higher privilege levels than users executing the software.
-                    """
-                - 
-                  id:    ac-6.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      In certain situations, software applications/programs need to execute with
-                                        elevated privileges to perform required functions. However, if the privileges
-                                        required for execution are at a higher level than the privileges assigned to
-                                        organizational users invoking such applications/programs, those users are
-                                        indirectly provided with greater privileges than assigned by organizations.
-                    """
-                - 
-                  id:    ac-6.8_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         ac-6.8_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(8)[1]
-                      prose: 
-                        """
-                          the organization defines software that should not execute at higher privilege
-                                               levels than users executing the software; and
-                        """
-                    - 
-                      id:         ac-6.8_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(8)[2]
-                      prose: 
-                        """
-                          the information system prevents organization-defined software from executing at
-                                               higher privilege levels than users executing the software.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing least privilege\n\nlist of software that should not execute at higher privilege levels than users
-                                               executing software\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing least privilege functions for software
-                                               execution
-                        """
-            - 
-              id:         ac-6.9
-              class:      SP800-53-enhancement
-              title:      Auditing Use of Privileged Functions
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-6(9)
-                - 
-                  name:  sort-id
-                  value: ac-06.09
-              parts: 
-                - 
-                  id:    ac-6.9_smt
-                  name:  statement
-                  prose: The information system audits the execution of privileged functions.
-                - 
-                  id:    ac-6.9_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Misuse of privileged functions, either intentionally or unintentionally by
-                                        authorized users, or by unauthorized external entities that have compromised
-                                        information system accounts, is a serious and ongoing concern and can have
-                                        significant adverse impacts on organizations. Auditing the use of privileged
-                                        functions is one way to detect such misuse, and in doing so, help mitigate the
-                                        risk from insider threats and the advanced persistent threat (APT).
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                - 
-                  id:         ac-6.9_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system audits the execution of privileged functions.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for reviewing least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms auditing the execution of least privilege functions
-            - 
-              id:         ac-6.10
-              class:      SP800-53-enhancement
-              title:      Prohibit Non-privileged Users from Executing Privileged Functions
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(10)
-                - 
-                  name:  sort-id
-                  value: ac-06.10
-              parts: 
-                - 
-                  id:    ac-6.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system prevents non-privileged users from executing privileged
-                                        functions to include disabling, circumventing, or altering implemented security
-                                        safeguards/countermeasures.
-                    """
-                - 
-                  id:    ac-6.10_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Privileged functions include, for example, establishing information system
-                                        accounts, performing system integrity checks, or administering cryptographic key
-                                        management activities. Non-privileged users are individuals that do not possess
-                                        appropriate authorizations. Circumventing intrusion detection and prevention
-                                        mechanisms or malicious code protection mechanisms are examples of privileged
-                                        functions that require protection from non-privileged users.
-                    """
-                - 
-                  id:         ac-6.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system prevents non-privileged users from executing
-                                        privileged functions to include:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-6.10_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-6(10)[1]
-                      prose:      disabling implemented security safeguards/countermeasures;
-                    - 
-                      id:         ac-6.10_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-6(10)[2]
-                      prose:      circumventing security safeguards/countermeasures; or
-                    - 
-                      id:         ac-6.10_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-6(10)[3]
-                      prose:      altering implemented security safeguards/countermeasures.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing least privilege functions for non-privileged
-                                               users
-                        """
-        - 
-          id:         ac-7
-          class:      SP800-53
-          title:      Unsuccessful Logon Attempts
-          parameters: 
-            - 
-              id:          ac-7_prm_1
-              label:       organization-defined number
-              constraints: 
-                - 
-                  detail: not more than three (3)
-            - 
-              id:          ac-7_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: fifteen (15) minutes
-            - 
-              id: ac-7_prm_3
-            - 
-              id:          ac-7_prm_4
-              depends-on:  ac-7_prm_3
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: locks the account/node for a minimum of three (3) hours or until unlocked by an administrator
-            - 
-              id:         ac-7_prm_5
-              depends-on: ac-7_prm_3
-              label:      organization-defined delay algorithm
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-7
-            - 
-              name:  sort-id
-              value: ac-07
-          parts: 
-            - 
-              id:    ac-7_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon
-                                        attempts by a user during a {{ ac-7_prm_2 }}; and
-                    """
-                - 
-                  id:         ac-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Automatically {{ ac-7_prm_3 }} when the maximum number of
-                                        unsuccessful attempts is exceeded.
-                    """
-            - 
-              id:    ac-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies regardless of whether the logon occurs via a local or network
-                                 connection. Due to the potential for denial of service, automatic lockouts initiated
-                                 by information systems are usually temporary and automatically release after a
-                                 predetermined time period established by organizations. If a delay algorithm is
-                                 selected, organizations may choose to employ different algorithms for different
-                                 information system components based on the capabilities of those components.
-                                 Responses to unsuccessful logon attempts may be implemented at both the operating
-                                 system and the application levels.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-9
-                  rel:  related
-                  text: AC-9
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-            - 
-              id:    ac-7_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         ac-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-7(a)
-                  parts: 
-                    - 
-                      id:         ac-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(a)[1]
-                      prose: 
-                        """
-                          the organization defines the number of consecutive invalid logon attempts
-                                               allowed to the information system by a user during an organization-defined time
-                                               period;
-                        """
-                    - 
-                      id:         ac-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(a)[2]
-                      prose: 
-                        """
-                          the organization defines the time period allowed by a user of the information
-                                               system for an organization-defined number of consecutive invalid logon
-                                               attempts;
-                        """
-                    - 
-                      id:         ac-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-7(a)[3]
-                      prose: 
-                        """
-                          the information system enforces a limit of organization-defined number of
-                                               consecutive invalid logon attempts by a user during an organization-defined
-                                               time period;
-                        """
-                - 
-                  id:         ac-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-7(b)
-                  parts: 
-                    - 
-                      id:         ac-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(b)[1]
-                      prose: 
-                        """
-                          the organization defines account/node lockout time period or logon delay
-                                               algorithm to be automatically enforced by the information system when the
-                                               maximum number of unsuccessful logon attempts is exceeded;
-                        """
-                    - 
-                      id:         ac-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-7(b)[2]
-                      prose: 
-                        """
-                          the information system, when the maximum number of unsuccessful logon attempts
-                                               is exceeded, automatically:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-7.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][a]
-                          prose:      locks the account/node for the organization-defined time period;
-                        - 
-                          id:         ac-7.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][b]
-                          prose:      locks the account/node until released by an administrator; or
-                        - 
-                          id:         ac-7.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][c]
-                          prose: 
-                            """
-                              delays next logon prompt according to the organization-defined delay
-                                                      algorithm.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing access control policy for unsuccessful logon
-                                        attempts
-                    """
-          controls: 
-            - 
-              id:         ac-7.2
-              class:      SP800-53-enhancement
-              title:      Purge / Wipe Mobile Device
-              parameters: 
-                - 
-                  id:          ac-7.2_prm_1
-                  label:       organization-defined mobile devices
-                  constraints: 
-                    - 
-                      detail: mobile devices as defined by organization policy
-                - 
-                  id:    ac-7.2_prm_2
-                  label: organization-defined purging/wiping requirements/techniques
-                - 
-                  id:          ac-7.2_prm_3
-                  label:       organization-defined number
-                  constraints: 
-                    - 
-                      detail: three (3)
-              properties: 
-                - 
-                  name:  label
-                  value: AC-7(2)
-                - 
-                  name:  sort-id
-                  value: ac-07.02
-              parts: 
-                - 
-                  id:    ac-7.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system purges/wipes information from {{ ac-7.2_prm_1 }} based on {{ ac-7.2_prm_2 }} after
-                                           {{ ac-7.2_prm_3 }} consecutive, unsuccessful device logon
-                                        attempts.
-                    """
-                - 
-                  id:    ac-7.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies only to mobile devices for which a logon occurs
-                                        (e.g., personal digital assistants, smart phones, tablets). The logon is to the
-                                        mobile device, not to any one account on the device. Therefore, successful logons
-                                        to any accounts on mobile devices reset the unsuccessful logon count to zero.
-                                        Organizations define information to be purged/wiped carefully in order to avoid
-                                        over purging/wiping which may result in devices becoming unusable. Purging/wiping
-                                        may be unnecessary if the information on the device is protected with sufficiently
-                                        strong encryption mechanisms.
-                    """
-                  links: 
-                    - 
-                      href: #ac-19
-                      rel:  related
-                      text: AC-19
-                    - 
-                      href: #mp-5
-                      rel:  related
-                      text: MP-5
-                    - 
-                      href: #mp-6
-                      rel:  related
-                      text: MP-6
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:    ac-7.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-7.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(2)[1]
-                      prose: 
-                        """
-                          the organization defines mobile devices to be purged/wiped after
-                                               organization-defined number of consecutive, unsuccessful device logon
-                                               attempts;
-                        """
-                    - 
-                      id:         ac-7.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(2)[2]
-                      prose: 
-                        """
-                          the organization defines purging/wiping requirements/techniques to be used when
-                                               organization-defined mobile devices are purged/wiped after organization-defined
-                                               number of consecutive, unsuccessful device logon attempts;
-                        """
-                    - 
-                      id:         ac-7.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(2)[3]
-                      prose: 
-                        """
-                          the organization defines the number of consecutive, unsuccessful logon attempts
-                                               allowed for accessing mobile devices before the information system purges/wipes
-                                               information from such devices; and
-                        """
-                    - 
-                      id:         ac-7.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-7(2)[4]
-                      prose: 
-                        """
-                          the information system purges/wipes information from organization-defined
-                                               mobile devices based on organization-defined purging/wiping
-                                               requirements/techniques after organization-defined number of consecutive,
-                                               unsuccessful logon attempts.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing unsuccessful login attempts on mobile devices\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of mobile devices to be purged/wiped after organization-defined
-                                               consecutive, unsuccessful device logon attempts\n\nlist of purging/wiping requirements or techniques for mobile devices\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing access control policy for unsuccessful device
-                                               logon attempts
-                        """
-        - 
-          id:         ac-8
-          class:      SP800-53
-          title:      System Use Notification
-          parameters: 
-            - 
-              id:          ac-8_prm_1
-              label:       organization-defined system use notification message or banner
-              constraints: 
-                - 
-                  detail: see additional Requirements and Guidance
-            - 
-              id:          ac-8_prm_2
-              label:       organization-defined conditions
-              constraints: 
-                - 
-                  detail: see additional Requirements and Guidance
-          properties: 
-            - 
-              name:  label
-              value: AC-8
-            - 
-              name:  sort-id
-              value: ac-08
-          parts: 
-            - 
-              id:    ac-8_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Displays to users {{ ac-8_prm_1 }} before granting access to the
-                                        system that provides privacy and security notices consistent with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance and states that:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Users are accessing a U.S. Government information system;
-                    - 
-                      id:         ac-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Information system usage may be monitored, recorded, and subject to audit;
-                    - 
-                      id:         ac-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Unauthorized use of the information system is prohibited and subject to
-                                               criminal and civil penalties; and
-                        """
-                    - 
-                      id:         ac-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Use of the information system indicates consent to monitoring and
-                                               recording;
-                        """
-                - 
-                  id:         ac-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Retains the notification message or banner on the screen until users acknowledge
-                                        the usage conditions and take explicit actions to log on to or further access the
-                                        information system; and
-                    """
-                - 
-                  id:         ac-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      For publicly accessible systems:
-                  parts: 
-                    - 
-                      id:         ac-8_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Displays system use information {{ ac-8_prm_2 }}, before
-                                               granting further access;
-                        """
-                    - 
-                      id:         ac-8_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Displays references, if any, to monitoring, recording, or auditing that are
-                                               consistent with privacy accommodations for such systems that generally prohibit
-                                               those activities; and
-                        """
-                    - 
-                      id:         ac-8_smt.c.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      Includes a description of the authorized uses of the system.
-                - 
-                  id:    ac-8_fr
-                  name:  item
-                  title: AC-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ac-8_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-                    - 
-                      id:         ac-8_fr_smt.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-                    - 
-                      id:         ac-8_fr_smt.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
-            - 
-              id:    ac-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  System use notifications can be implemented using messages or warning banners
-                                 displayed before individuals log in to information systems. System use notifications
-                                 are used only for access via logon interfaces with human users and are not required
-                                 when such human interfaces do not exist. Organizations consider system use
-                                 notification messages/banners displayed in multiple languages based on specific
-                                 organizational needs and the demographics of information system users. Organizations
-                                 also consult with the Office of the General Counsel for legal review and approval of
-                                 warning banner content.
-                """
-            - 
-              id:    ac-8_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(a)
-                  parts: 
-                    - 
-                      id:         ac-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-8(a)[1]
-                      prose: 
-                        """
-                          the organization defines a system use notification message or banner to be
-                                               displayed by the information system to users before granting access to the
-                                               system;
-                        """
-                    - 
-                      id:         ac-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-8(a)[2]
-                      prose: 
-                        """
-                          the information system displays to users the organization-defined system use
-                                               notification message or banner before granting access to the information system
-                                               that provides privacy and security notices consistent with applicable federal
-                                               laws, Executive Orders, directives, policies, regulations, standards, and
-                                               guidance, and states that:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-8.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](1)
-                          prose:      users are accessing a U.S. Government information system;
-                        - 
-                          id:         ac-8.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](2)
-                          prose: 
-                            """
-                              information system usage may be monitored, recorded, and subject to
-                                                      audit;
-                            """
-                        - 
-                          id:         ac-8.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](3)
-                          prose: 
-                            """
-                              unauthorized use of the information system is prohibited and subject to
-                                                      criminal and civil penalties;
-                            """
-                        - 
-                          id:         ac-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](4)
-                          prose: 
-                            """
-                              use of the information system indicates consent to monitoring and
-                                                      recording;
-                            """
-                - 
-                  id:         ac-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-8(b)
-                  prose: 
-                    """
-                      the information system retains the notification message or banner on the screen
-                                        until users acknowledge the usage conditions and take explicit actions to log on
-                                        to or further access the information system;
-                    """
-                - 
-                  id:         ac-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(c)
-                  prose:      for publicly accessible systems:
-                  parts: 
-                    - 
-                      id:         ac-8.c.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-8(c)(1)
-                      parts: 
-                        - 
-                          id:         ac-8.c.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-8(c)(1)[1]
-                          prose: 
-                            """
-                              the organization defines conditions for system use to be displayed by the
-                                                      information system before granting further access;
-                            """
-                        - 
-                          id:         ac-8.c.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-8(c)(1)[2]
-                          prose: 
-                            """
-                              the information system displays organization-defined conditions before
-                                                      granting further access;
-                            """
-                    - 
-                      id:         ac-8.c.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-8(c)(2)
-                      prose: 
-                        """
-                          the information system displays references, if any, to monitoring, recording,
-                                               or auditing that are consistent with privacy accommodations for such systems
-                                               that generally prohibit those activities; and
-                        """
-                    - 
-                      id:         ac-8.c.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-8(c)(3)
-                      prose: 
-                        """
-                          the information system includes a description of the authorized uses of the
-                                               system.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing system use notification
-        - 
-          id:         ac-10
-          class:      SP800-53
-          title:      Concurrent Session Control
-          parameters: 
-            - 
-              id:    ac-10_prm_1
-              label: organization-defined account and/or account type
-            - 
-              id:          ac-10_prm_2
-              label:       organization-defined number
-              constraints: 
-                - 
-                  detail: three (3) sessions for privileged access and two (2) sessions for non-privileged access
-          properties: 
-            - 
-              name:  label
-              value: AC-10
-            - 
-              name:  sort-id
-              value: ac-10
-          parts: 
-            - 
-              id:    ac-10_smt
-              name:  statement
-              prose: The information system limits the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}.
-            - 
-              id:    ac-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations may define the maximum number of concurrent sessions for information
-                                 system accounts globally, by account type (e.g., privileged user, non-privileged
-                                 user, domain, specific application), by account, or a combination. For example,
-                                 organizations may limit the number of concurrent sessions for system administrators
-                                 or individuals working in particularly sensitive domains or mission-critical
-                                 applications. This control addresses concurrent sessions for information system
-                                 accounts and does not address concurrent sessions by single users via multiple system
-                                 accounts.
-                """
-            - 
-              id:    ac-10_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-10[1]
-                  prose: 
-                    """
-                      the organization defines account and/or account types for the information
-                                        system;
-                    """
-                - 
-                  id:         ac-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-10[2]
-                  prose: 
-                    """
-                      the organization defines the number of concurrent sessions to be allowed for each
-                                        organization-defined account and/or account type; and
-                    """
-                - 
-                  id:         ac-10_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-10[3]
-                  prose: 
-                    """
-                      the information system limits the number of concurrent sessions for each
-                                        organization-defined account and/or account type to the organization-defined
-                                        number of concurrent sessions allowed.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing concurrent session control\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing access control policy for concurrent session
-                                        control
-                    """
-        - 
-          id:         ac-11
-          class:      SP800-53
-          title:      Session Lock
-          parameters: 
-            - 
-              id:          ac-11_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: fifteen (15) minutes
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-11
-            - 
-              name:  sort-id
-              value: ac-11
-          links: 
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-          parts: 
-            - 
-              id:    ac-11_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Prevents further access to the system by initiating a session lock after {{ ac-11_prm_1 }} of inactivity or upon receiving a request from a user;
-                                        and
-                    """
-                - 
-                  id:         ac-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Retains the session lock until the user reestablishes access using established
-                                        identification and authentication procedures.
-                    """
-            - 
-              id:    ac-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Session locks are temporary actions taken when users stop work and move away from the
-                                 immediate vicinity of information systems but do not want to log out because of the
-                                 temporary nature of their absences. Session locks are implemented where session
-                                 activities can be determined. This is typically at the operating system level, but
-                                 can also be at the application level. Session locks are not an acceptable substitute
-                                 for logging out of information systems, for example, if organizations require users
-                                 to log out at the end of workdays.
-                """
-              links: 
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-            - 
-              id:    ac-11_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-11(a)
-                  parts: 
-                    - 
-                      id:         ac-11.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-11(a)[1]
-                      prose: 
-                        """
-                          the organization defines the time period of user inactivity after which the
-                                               information system initiates a session lock;
-                        """
-                    - 
-                      id:         ac-11.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-11(a)[2]
-                      prose: 
-                        """
-                          the information system prevents further access to the system by initiating a
-                                               session lock after organization-defined time period of user inactivity or upon
-                                               receiving a request from a user; and
-                        """
-                - 
-                  id:         ac-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-11(b)
-                  prose: 
-                    """
-                      the information system retains the session lock until the user reestablishes
-                                        access using established identification and authentication procedures.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing access control policy for session lock
-          controls: 
-            - 
-              id:         ac-11.1
-              class:      SP800-53-enhancement
-              title:      Pattern-hiding Displays
-              properties: 
-                - 
-                  name:  label
-                  value: AC-11(1)
-                - 
-                  name:  sort-id
-                  value: ac-11.01
-              parts: 
-                - 
-                  id:    ac-11.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system conceals, via the session lock, information previously
-                                        visible on the display with a publicly viewable image.
-                    """
-                - 
-                  id:    ac-11.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Publicly viewable images can include static or dynamic images, for example,
-                                        patterns used with screen savers, photographic images, solid colors, clock,
-                                        battery life indicator, or a blank screen, with the additional caveat that none of
-                                        the images convey sensitive information.
-                    """
-                - 
-                  id:         ac-11.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system conceals, via the session lock, information
-                                        previously visible on the display with a publicly viewable image.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system session lock mechanisms
-        - 
-          id:         ac-12
-          class:      SP800-53
-          title:      Session Termination
-          parameters: 
-            - 
-              id:    ac-12_prm_1
-              label: 
-                """
-                  organization-defined conditions or trigger events requiring session
-                                 disconnect
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-12
-            - 
-              name:  sort-id
-              value: ac-12
-          parts: 
-            - 
-              id:    ac-12_smt
-              name:  statement
-              prose: The information system automatically terminates a user session after {{ ac-12_prm_1 }}.
-            - 
-              id:    ac-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the termination of user-initiated logical sessions in contrast
-                                 to SC-10 which addresses the termination of network connections that are associated
-                                 with communications sessions (i.e., network disconnect). A logical session (for
-                                 local, network, and remote access) is initiated whenever a user (or process acting on
-                                 behalf of a user) accesses an organizational information system. Such user sessions
-                                 can be terminated (and thus terminate user access) without terminating network
-                                 sessions. Session termination terminates all processes associated with a user’s
-                                 logical session except those processes that are specifically created by the user
-                                 (i.e., session owner) to continue after the session is terminated. Conditions or
-                                 trigger events requiring automatic session termination can include, for example,
-                                 organization-defined periods of user inactivity, targeted responses to certain types
-                                 of incidents, time-of-day restrictions on information system use.
-                """
-              links: 
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #sc-23
-                  rel:  related
-                  text: SC-23
-            - 
-              id:    ac-12_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-12[1]
-                  prose: 
-                    """
-                      the organization defines conditions or trigger events requiring session
-                                        disconnect; and
-                    """
-                - 
-                  id:         ac-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-12[2]
-                  prose: 
-                    """
-                      the information system automatically terminates a user session after
-                                        organization-defined conditions or trigger events requiring session disconnect
-                                        occurs.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing session termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing user session termination
-          controls: 
-            - 
-              id:         ac-12.1
-              class:      SP800-53-enhancement
-              title:      User-initiated Logouts / Message Displays
-              parameters: 
-                - 
-                  id:    ac-12.1_prm_1
-                  label: organization-defined information resources
-              properties: 
-                - 
-                  name:  label
-                  value: AC-12(1)
-                - 
-                  name:  sort-id
-                  value: ac-12.01
-              parts: 
-                - 
-                  id:    ac-12.1_smt
-                  name:  statement
-                  prose: The information system:
-                  parts: 
-                    - 
-                      id:         ac-12.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Provides a logout capability for user-initiated communications sessions
-                                               whenever authentication is used to gain access to {{ ac-12.1_prm_1 }}; and
-                        """
-                    - 
-                      id:         ac-12.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Displays an explicit logout message to users indicating the reliable
-                                               termination of authenticated communications sessions.
-                        """
-                    - 
-                      id:    ac-12.1_fr
-                      name:  item
-                      title: AC-12 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-12.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29
-                - 
-                  id:    ac-12.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Information resources to which users gain access via authentication include, for
-                                        example, local workstations, databases, and password-protected websites/web-based
-                                        services. Logout messages for web page access, for example, can be displayed after
-                                        authenticated sessions have been terminated. However, for some types of
-                                        interactive sessions including, for example, file transfer protocol (FTP)
-                                        sessions, information systems typically send logout messages as final messages
-                                        prior to terminating sessions.
-                    """
-                - 
-                  id:    ac-12.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-12.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-12(1)(a)
-                      parts: 
-                        - 
-                          id:         ac-12.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-12(1)(a)[1]
-                          prose: 
-                            """
-                              the organization defines information resources for which user authentication
-                                                      is required to gain access to such resources;
-                            """
-                        - 
-                          id:         ac-12.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-12(1)(a)[2]
-                          prose: 
-                            """
-                              the information system provides a logout capability for user-initiated
-                                                      communications sessions whenever authentication is used to gain access to
-                                                      organization-defined information resources; and
-                            """
-                      links: 
-                        - 
-                          href: #ac-12.1_smt.a
-                          rel:  corresp
-                          text: AC-12(1)(a)
-                    - 
-                      id:         ac-12.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-12(1)(b)
-                      prose: 
-                        """
-                          the information system displays an explicit logout message to users indicating
-                                               the reliable termination of authenticated communications sessions.
-                        """
-                      links: 
-                        - 
-                          href: #ac-12.1_smt.b
-                          rel:  corresp
-                          text: AC-12(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing session termination\n\nuser logout messages\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system session lock mechanisms
-        - 
-          id:         ac-14
-          class:      SP800-53
-          title:      Permitted Actions Without Identification or Authentication
-          parameters: 
-            - 
-              id:    ac-14_prm_1
-              label: organization-defined user actions
-          properties: 
-            - 
-              name:  label
-              value: AC-14
-            - 
-              name:  sort-id
-              value: ac-14
-          parts: 
-            - 
-              id:    ac-14_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-14_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifies {{ ac-14_prm_1 }} that can be performed on the
-                                        information system without identification or authentication consistent with
-                                        organizational missions/business functions; and
-                    """
-                - 
-                  id:         ac-14_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents and provides supporting rationale in the security plan for the
-                                        information system, user actions not requiring identification or
-                                        authentication.
-                    """
-            - 
-              id:    ac-14_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses situations in which organizations determine that no
-                                 identification or authentication is required in organizational information systems.
-                                 Organizations may allow a limited number of user actions without identification or
-                                 authentication including, for example, when individuals access public websites or
-                                 other publicly accessible federal information systems, when individuals use mobile
-                                 phones to receive calls, or when facsimiles are received. Organizations also identify
-                                 actions that normally require identification or authentication but may under certain
-                                 circumstances (e.g., emergencies), allow identification or authentication mechanisms
-                                 to be bypassed. Such bypasses may occur, for example, via a software-readable
-                                 physical switch that commands bypass of the logon functionality and is protected from
-                                 accidental or unmonitored use. This control does not apply to situations where
-                                 identification and authentication have already occurred and are not repeated, but
-                                 rather to situations where identification and authentication have not yet occurred.
-                                 Organizations may decide that there are no user actions that can be performed on
-                                 organizational information systems without identification and authentication and
-                                 thus, the values for assignment statements can be none.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-            - 
-              id:    ac-14_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-14.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-14(a)
-                  parts: 
-                    - 
-                      id:         ac-14.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-14(a)[1]
-                      prose: 
-                        """
-                          defines user actions that can be performed on the information system without
-                                               identification or authentication consistent with organizational
-                                               missions/business functions;
-                        """
-                    - 
-                      id:         ac-14.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AC-14(a)[2]
-                      prose: 
-                        """
-                          identifies organization-defined user actions that can be performed on the
-                                               information system without identification or authentication consistent with
-                                               organizational missions/business functions; and
-                        """
-                - 
-                  id:         ac-14.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-14(b)
-                  prose: 
-                    """
-                      documents and provides supporting rationale in the security plan for the
-                                        information system, user actions not requiring identification or
-                                        authentication.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing permitted actions without identification or
-                                        authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or
-                                        authentication\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ac-17
-          class:      SP800-53
-          title:      Remote Access
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-17
-            - 
-              name:  sort-id
-              value: ac-17
-          links: 
-            - 
-              href: #5309d4d0-46f8-4213-a749-e7584164e5e8
-              rel:  reference
-              text: NIST Special Publication 800-46
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-            - 
-              href: #349fe082-502d-464a-aa0c-1443c6a5cf40
-              rel:  reference
-              text: NIST Special Publication 800-113
-            - 
-              href: #1201fcf3-afb1-4675-915a-fb4ae0435717
-              rel:  reference
-              text: NIST Special Publication 800-114
-            - 
-              href: #d1a4e2a9-e512-4132-8795-5357aba29254
-              rel:  reference
-              text: NIST Special Publication 800-121
-          parts: 
-            - 
-              id:    ac-17_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-17_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and documents usage restrictions, configuration/connection
-                                        requirements, and implementation guidance for each type of remote access allowed;
-                                        and
-                    """
-                - 
-                  id:         ac-17_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes remote access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              id:    ac-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  Remote access is access to organizational information systems by users (or processes
-                                 acting on behalf of users) communicating through external networks (e.g., the
-                                 Internet). Remote access methods include, for example, dial-up, broadband, and
-                                 wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-                                 enhance confidentiality and integrity over remote connections. The use of encrypted
-                                 VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-                                 provisioned with appropriate security controls (e.g., employing appropriate
-                                 encryption techniques for confidentiality and integrity protection) may provide
-                                 sufficient assurance to the organization that it can effectively treat such
-                                 connections as internal networks. Still, VPN connections traverse external networks,
-                                 and the encrypted VPN does not enhance the availability of remote connections. Also,
-                                 VPNs with encrypted tunnels can affect the organizational capability to adequately
-                                 monitor network communications traffic for malicious code. Remote access controls
-                                 apply to information systems other than public web servers or systems designed for
-                                 public access. This control addresses authorization prior to allowing remote access
-                                 without specifying the formats for such authorization. While organizations may use
-                                 interconnection security agreements to authorize remote access connections, such
-                                 agreements are not required by this control. Enforcing access restrictions for remote
-                                 connections is addressed in AC-3.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #pe-17
-                  rel:  related
-                  text: PE-17
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-17_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-17.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-17(a)
-                  parts: 
-                    - 
-                      id:         ac-17.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[1]
-                      prose:      identifies the types of remote access allowed to the information system;
-                    - 
-                      id:         ac-17.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[2]
-                      prose:      establishes for each type of remote access allowed:
-                      parts: 
-                        - 
-                          id:         ac-17.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][a]
-                          prose:      usage restrictions;
-                        - 
-                          id:         ac-17.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][b]
-                          prose:      configuration/connection requirements;
-                        - 
-                          id:         ac-17.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][c]
-                          prose:      implementation guidance;
-                    - 
-                      id:         ac-17.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[3]
-                      prose:      documents for each type of remote access allowed:
-                      parts: 
-                        - 
-                          id:         ac-17.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][a]
-                          prose:      usage restrictions;
-                        - 
-                          id:         ac-17.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][b]
-                          prose:      configuration/connection requirements;
-                        - 
-                          id:         ac-17.a_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][c]
-                          prose:      implementation guidance; and
-                - 
-                  id:         ac-17.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-17(b)
-                  prose: 
-                    """
-                      authorizes remote access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing remote access implementation and usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing remote access
-                                        connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Remote access management capability for the information system
-          controls: 
-            - 
-              id:         ac-17.1
-              class:      SP800-53-enhancement
-              title:      Automated Monitoring / Control
-              properties: 
-                - 
-                  name:  label
-                  value: AC-17(1)
-                - 
-                  name:  sort-id
-                  value: ac-17.01
-              parts: 
-                - 
-                  id:    ac-17.1_smt
-                  name:  statement
-                  prose: The information system monitors and controls remote access methods.
-                - 
-                  id:    ac-17.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated monitoring and control of remote access sessions allows organizations to
-                                        detect cyber attacks and also ensure ongoing compliance with remote access
-                                        policies by auditing connection activities of remote users on a variety of
-                                        information system components (e.g., servers, workstations, notebook computers,
-                                        smart phones, and tablets).
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                - 
-                  id:         ac-17.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system monitors and controls remote access methods.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system monitoring records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms monitoring and controlling remote access methods
-            - 
-              id:         ac-17.2
-              class:      SP800-53-enhancement
-              title:      Protection of Confidentiality / Integrity Using Encryption
-              properties: 
-                - 
-                  name:  label
-                  value: AC-17(2)
-                - 
-                  name:  sort-id
-                  value: ac-17.02
-              parts: 
-                - 
-                  id:    ac-17.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to protect the
-                                        confidentiality and integrity of remote access sessions.
-                    """
-                - 
-                  id:    ac-17.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The encryption strength of mechanism is selected based on the security
-                                        categorization of the information.
-                    """
-                  links: 
-                    - 
-                      href: #sc-8
-                      rel:  related
-                      text: SC-8
-                    - 
-                      href: #sc-12
-                      rel:  related
-                      text: SC-12
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:         ac-17.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements cryptographic mechanisms to protect
-                                        the confidentiality and integrity of remote access sessions. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms protecting confidentiality and integrity of remote
-                                               access sessions
-                        """
-            - 
-              id:         ac-17.3
-              class:      SP800-53-enhancement
-              title:      Managed Access Control Points
-              parameters: 
-                - 
-                  id:    ac-17.3_prm_1
-                  label: organization-defined number
-              properties: 
-                - 
-                  name:  label
-                  value: AC-17(3)
-                - 
-                  name:  sort-id
-                  value: ac-17.03
-              parts: 
-                - 
-                  id:    ac-17.3_smt
-                  name:  statement
-                  prose: The information system routes all remote accesses through {{ ac-17.3_prm_1 }} managed network access control points.
-                - 
-                  id:    ac-17.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Limiting the number of access control points for remote accesses reduces the
-                                        attack surface for organizations. Organizations consider the Trusted Internet
-                                        Connections (TIC) initiative requirements for external network connections.
-                    """
-                  links: 
-                    - 
-                      href: #sc-7
-                      rel:  related
-                      text: SC-7
-                - 
-                  id:    ac-17.3_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-17.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(3)[1]
-                      prose: 
-                        """
-                          the organization defines the number of managed network access control points
-                                               through which all remote accesses are to be routed; and
-                        """
-                    - 
-                      id:         ac-17.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-17(3)[2]
-                      prose: 
-                        """
-                          the information system routes all remote accesses through the
-                                               organization-defined number of managed network access control points.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\nlist of all managed network access control points\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms routing all remote accesses through managed network access
-                                               control points
-                        """
-            - 
-              id:         ac-17.4
-              class:      SP800-53-enhancement
-              title:      Privileged Commands / Access
-              parameters: 
-                - 
-                  id:    ac-17.4_prm_1
-                  label: organization-defined needs
-              properties: 
-                - 
-                  name:  label
-                  value: AC-17(4)
-                - 
-                  name:  sort-id
-                  value: ac-17.04
-              parts: 
-                - 
-                  id:    ac-17.4_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ac-17.4_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Authorizes the execution of privileged commands and access to security-relevant
-                                               information via remote access only for {{ ac-17.4_prm_1 }};
-                                               and
-                        """
-                    - 
-                      id:         ac-17.4_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Documents the rationale for such access in the security plan for the
-                                               information system.
-                        """
-                - 
-                  id:    ac-17.4_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:    ac-17.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-17.4.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-17(4)(a)
-                      parts: 
-                        - 
-                          id:         ac-17.4.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-17(4)(a)[1]
-                          prose: 
-                            """
-                              defines needs to authorize the execution of privileged commands and access
-                                                      to security-relevant information via remote access;
-                            """
-                        - 
-                          id:         ac-17.4.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-17(4)(a)[2]
-                          prose: 
-                            """
-                              authorizes the execution of privileged commands and access to
-                                                      security-relevant information via remote access only for
-                                                      organization-defined needs; and
-                            """
-                      links: 
-                        - 
-                          href: #ac-17.4_smt.a
-                          rel:  corresp
-                          text: AC-17(4)(a)
-                    - 
-                      id:         ac-17.4.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(4)(b)
-                      prose: 
-                        """
-                          documents the rationale for such access in the information system security
-                                               plan.
-                        """
-                      links: 
-                        - 
-                          href: #ac-17.4_smt.b
-                          rel:  corresp
-                          text: AC-17(4)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing remote access management
-            - 
-              id:         ac-17.9
-              class:      SP800-53-enhancement
-              title:      Disconnect / Disable Access
-              parameters: 
-                - 
-                  id:          ac-17.9_prm_1
-                  label:       organization-defined time period
-                  constraints: 
-                    - 
-                      detail: fifteen (15) minutes
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-17(9)
-                - 
-                  name:  sort-id
-                  value: ac-17.09
-              parts: 
-                - 
-                  id:    ac-17.9_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization provides the capability to expeditiously disconnect or disable
-                                        remote access to the information system within {{ ac-17.9_prm_1 }}.
-                    """
-                - 
-                  id:    ac-17.9_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement requires organizations to have the capability to rapidly
-                                        disconnect current users remotely accessing the information system and/or disable
-                                        further remote access. The speed of disconnect or disablement varies based on the
-                                        criticality of missions/business functions and the need to eliminate immediate or
-                                        future remote access to organizational information systems.
-                    """
-                - 
-                  id:    ac-17.9_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-17.9_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(9)[1]
-                      prose: 
-                        """
-                          defines the time period within which to expeditiously disconnect or disable
-                                               remote access to the information system; and
-                        """
-                    - 
-                      id:         ac-17.9_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-17(9)[2]
-                      prose: 
-                        """
-                          provides the capability to expeditiously disconnect or disable remote access to
-                                               the information system within the organization-defined time period.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing disconnecting or disabling remote access to the
-                                               information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan, information system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing capability to disconnect or disable remote
-                                               access to information system
-                        """
-        - 
-          id:         ac-18
-          class:      SP800-53
-          title:      Wireless Access
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-18
-            - 
-              name:  sort-id
-              value: ac-18
-          links: 
-            - 
-              href: #238ed479-eccb-49f6-82ec-ab74a7a428cf
-              rel:  reference
-              text: NIST Special Publication 800-48
-            - 
-              href: #d1b1d689-0f66-4474-9924-c81119758dc1
-              rel:  reference
-              text: NIST Special Publication 800-94
-            - 
-              href: #6f336ecd-f2a0-4c84-9699-0491d81b6e0d
-              rel:  reference
-              text: NIST Special Publication 800-97
-          parts: 
-            - 
-              id:    ac-18_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-18_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions, configuration/connection requirements, and
-                                        implementation guidance for wireless access; and
-                    """
-                - 
-                  id:         ac-18_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes wireless access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              id:    ac-18_gdn
-              name:  guidance
-              prose: 
-                """
-                  Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-                                 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-                                 EAP/TLS, PEAP), which provide credential protection and mutual authentication.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-18_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-18.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-18(a)
-                  prose:      establishes for wireless access:
-                  parts: 
-                    - 
-                      id:         ac-18.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[1]
-                      prose:      usage restrictions;
-                    - 
-                      id:         ac-18.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[2]
-                      prose:      configuration/connection requirement;
-                    - 
-                      id:         ac-18.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[3]
-                      prose:      implementation guidance; and
-                - 
-                  id:         ac-18.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-18(b)
-                  prose: 
-                    """
-                      authorizes wireless access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing wireless access implementation and usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing wireless access
-                                        connections\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Wireless access management capability for the information system
-          controls: 
-            - 
-              id:         ac-18.1
-              class:      SP800-53-enhancement
-              title:      Authentication and Encryption
-              parameters: 
-                - 
-                  id: ac-18.1_prm_1
-              properties: 
-                - 
-                  name:  label
-                  value: AC-18(1)
-                - 
-                  name:  sort-id
-                  value: ac-18.01
-              parts: 
-                - 
-                  id:    ac-18.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system protects wireless access to the system using authentication
-                                        of {{ ac-18.1_prm_1 }} and encryption.
-                    """
-                - 
-                  id:    ac-18.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #sc-8
-                      rel:  related
-                      text: SC-8
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:         ac-18.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system protects wireless access to the system using
-                                        encryption and one or more of the following:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-18.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(1)[1]
-                      prose:      authentication of users; and/or
-                    - 
-                      id:         ac-18.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(1)[2]
-                      prose:      authentication of devices.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing wireless implementation and usage (including
-                                               restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing wireless access protections to the
-                                               information system
-                        """
-            - 
-              id:         ac-18.3
-              class:      SP800-53-enhancement
-              title:      Disable Wireless Networking
-              properties: 
-                - 
-                  name:  label
-                  value: AC-18(3)
-                - 
-                  name:  sort-id
-                  value: ac-18.03
-              parts: 
-                - 
-                  id:    ac-18.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization disables, when not intended for use, wireless networking
-                                        capabilities internally embedded within information system components prior to
-                                        issuance and deployment.
-                    """
-                - 
-                  id:    ac-18.3_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-19
-                      rel:  related
-                      text: AC-19
-                - 
-                  id:         ac-18.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization disables, when not intended for use, wireless
-                                        networking capabilities internally embedded within information system components
-                                        prior to issuance and deployment.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing wireless implementation and usage (including
-                                               restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms managing the disabling of wireless networking capabilities
-                                               internally embedded within information system components
-                        """
-            - 
-              id:         ac-18.4
-              class:      SP800-53-enhancement
-              title:      Restrict Configurations by Users
-              properties: 
-                - 
-                  name:  label
-                  value: AC-18(4)
-                - 
-                  name:  sort-id
-                  value: ac-18.04
-              parts: 
-                - 
-                  id:    ac-18.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies and explicitly authorizes users allowed to
-                                        independently configure wireless networking capabilities.
-                    """
-                - 
-                  id:    ac-18.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational authorizations to allow selected users to configure wireless
-                                        networking capability are enforced in part, by the access enforcement mechanisms
-                                        employed within organizational information systems.
-                    """
-                  links: 
-                    - 
-                      href: #ac-3
-                      rel:  related
-                      text: AC-3
-                    - 
-                      href: #sc-15
-                      rel:  related
-                      text: SC-15
-                - 
-                  id:    ac-18.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-18.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-18(4)[1]
-                      prose: 
-                        """
-                          identifies users allowed to independently configure wireless networking
-                                               capabilities; and
-                        """
-                    - 
-                      id:         ac-18.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-18(4)[2]
-                      prose: 
-                        """
-                          explicitly authorizes the identified users allowed to independently configure
-                                               wireless networking capabilities.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing wireless implementation and usage (including
-                                               restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms authorizing independent user configuration of wireless
-                                               networking capabilities
-                        """
-            - 
-              id:         ac-18.5
-              class:      SP800-53-enhancement
-              title:      Antennas / Transmission Power Levels
-              properties: 
-                - 
-                  name:  label
-                  value: AC-18(5)
-                - 
-                  name:  sort-id
-                  value: ac-18.05
-              parts: 
-                - 
-                  id:    ac-18.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization selects radio antennas and calibrates transmission power levels
-                                        to reduce the probability that usable signals can be received outside of
-                                        organization-controlled boundaries.
-                    """
-                - 
-                  id:    ac-18.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Actions that may be taken by organizations to limit unauthorized use of wireless
-                                        communications outside of organization-controlled boundaries include, for example:
-                                        (i) reducing the power of wireless transmissions so that the transmissions are
-                                        less likely to emit a signal that can be used by adversaries outside of the
-                                        physical perimeters of organizations; (ii) employing measures such as TEMPEST to
-                                        control wireless emanations; and (iii) using directional/beam forming antennas
-                                        that reduce the likelihood that unintended receivers will be able to intercept
-                                        signals. Prior to taking such actions, organizations can conduct periodic wireless
-                                        surveys to understand the radio frequency profile of organizational information
-                                        systems as well as other systems that may be operating in the area.
-                    """
-                  links: 
-                    - 
-                      href: #pe-19
-                      rel:  related
-                      text: PE-19
-                - 
-                  id:    ac-18.5_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ac-18.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-18(5)[1]
-                      prose: 
-                        """
-                          selects radio antennas to reduce the probability that usable signals can be
-                                               received outside of organization-controlled boundaries; and
-                        """
-                    - 
-                      id:         ac-18.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-18(5)[2]
-                      prose: 
-                        """
-                          calibrates transmission power levels to reduce the probability that usable
-                                               signals can be received outside of organization-controlled boundaries.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing wireless implementation and usage (including
-                                               restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Wireless access capability protecting usable signals from unauthorized access
-                                               outside organization-controlled boundaries
-                        """
-        - 
-          id:         ac-19
-          class:      SP800-53
-          title:      Access Control for Mobile Devices
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-19
-            - 
-              name:  sort-id
-              value: ac-19
-          links: 
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-            - 
-              href: #1201fcf3-afb1-4675-915a-fb4ae0435717
-              rel:  reference
-              text: NIST Special Publication 800-114
-            - 
-              href: #0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589
-              rel:  reference
-              text: NIST Special Publication 800-124
-            - 
-              href: #6513e480-fada-4876-abba-1397084dfb26
-              rel:  reference
-              text: NIST Special Publication 800-164
-          parts: 
-            - 
-              id:    ac-19_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-19_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions, configuration requirements, connection
-                                        requirements, and implementation guidance for organization-controlled mobile
-                                        devices; and
-                    """
-                - 
-                  id:         ac-19_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes the connection of mobile devices to organizational information
-                                        systems.
-                    """
-            - 
-              id:    ac-19_gdn
-              name:  guidance
-              prose: 
-                """
-                  A mobile device is a computing device that: (i) has a small form factor such that it
-                                 can easily be carried by a single individual; (ii) is designed to operate without a
-                                 physical connection (e.g., wirelessly transmit or receive information); (iii)
-                                 possesses local, non-removable or removable data storage; and (iv) includes a
-                                 self-contained power source. Mobile devices may also include voice communication
-                                 capabilities, on-board sensors that allow the device to capture information, and/or
-                                 built-in features for synchronizing local data with remote locations. Examples
-                                 include smart phones, E-readers, and tablets. Mobile devices are typically associated
-                                 with a single individual and the device is usually in close proximity to the
-                                 individual; however, the degree of proximity can vary depending upon on the form
-                                 factor and size of the device. The processing, storage, and transmission capability
-                                 of the mobile device may be comparable to or merely a subset of desktop systems,
-                                 depending upon the nature and intended purpose of the device. Due to the large
-                                 variety of mobile devices with different technical characteristics and capabilities,
-                                 organizational restrictions may vary for the different classes/types of such devices.
-                                 Usage restrictions and specific implementation guidance for mobile devices include,
-                                 for example, configuration management, device identification and authentication,
-                                 implementation of mandatory protective software (e.g., malicious code detection,
-                                 firewall), scanning devices for malicious code, updating virus protection software,
-                                 scanning for critical software updates and patches, conducting primary operating
-                                 system (and possibly other resident software) integrity checks, and disabling
-                                 unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-                                 need to provide adequate security for mobile devices goes beyond the requirements in
-                                 this control. Many safeguards and countermeasures for mobile devices are reflected in
-                                 other security controls in the catalog allocated in the initial control baselines as
-                                 starting points for the development of security plans and overlays using the
-                                 tailoring process. There may also be some degree of overlap in the requirements
-                                 articulated by the security controls within the different families of controls. AC-20
-                                 addresses mobile devices that are not organization-controlled.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-9
-                  rel:  related
-                  text: CA-9
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-43
-                  rel:  related
-                  text: SC-43
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-19_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-19.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-19(a)
-                  prose:      establishes for organization-controlled mobile devices:
-                  parts: 
-                    - 
-                      id:         ac-19.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[1]
-                      prose:      usage restrictions;
-                    - 
-                      id:         ac-19.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[2]
-                      prose:      configuration/connection requirement;
-                    - 
-                      id:         ac-19.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[3]
-                      prose:      implementation guidance; and
-                - 
-                  id:         ac-19.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-19(b)
-                  prose: 
-                    """
-                      authorizes the connection of mobile devices to organizational information
-                                        systems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing access control for mobile device usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information
-                                        systems\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel using mobile devices to access organizational information
-                                        systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control capability authorizing mobile device connections to organizational
-                                        information systems
-                    """
-          controls: 
-            - 
-              id:         ac-19.5
-              class:      SP800-53-enhancement
-              title:      Full Device / Container-based Encryption
-              parameters: 
-                - 
-                  id: ac-19.5_prm_1
-                - 
-                  id:    ac-19.5_prm_2
-                  label: organization-defined mobile devices
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-19(5)
-                - 
-                  name:  sort-id
-                  value: ac-19.05
-              parts: 
-                - 
-                  id:    ac-19.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ ac-19.5_prm_1 }} to protect the
-                                        confidentiality and integrity of information on {{ ac-19.5_prm_2 }}.
-                    """
-                - 
-                  id:    ac-19.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Container-based encryption provides a more fine-grained approach to the encryption
-                                        of data/information on mobile devices, including for example, encrypting selected
-                                        data structures such as files, records, or fields.
-                    """
-                  links: 
-                    - 
-                      href: #mp-5
-                      rel:  related
-                      text: MP-5
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                    - 
-                      href: #sc-28
-                      rel:  related
-                      text: SC-28
-                - 
-                  id:    ac-19.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-19.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-19(5)[1]
-                      prose: 
-                        """
-                          defines mobile devices for which full-device encryption or container encryption
-                                               is required to protect the confidentiality and integrity of information on such
-                                               devices; and
-                        """
-                    - 
-                      id:         ac-19.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-19(5)[2]
-                      prose: 
-                        """
-                          employs full-device encryption or container encryption to protect the
-                                               confidentiality and integrity of information on organization-defined mobile
-                                               devices.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing access control for mobile devices\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nencryption mechanism s and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with access control responsibilities for mobile
-                                               devices\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Encryption mechanisms protecting confidentiality and integrity of information
-                                               on mobile devices
-                        """
-        - 
-          id:         ac-20
-          class:      SP800-53
-          title:      Use of External Information Systems
-          properties: 
-            - 
-              name:  label
-              value: AC-20
-            - 
-              name:  sort-id
-              value: ac-20
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-          parts: 
-            - 
-              id:    ac-20_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes terms and conditions, consistent with any trust
-                                 relationships established with other organizations owning, operating, and/or
-                                 maintaining external information systems, allowing authorized individuals to:
-                """
-              parts: 
-                - 
-                  id:         ac-20_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Access the information system from external information systems; and
-                - 
-                  id:         ac-20_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Process, store, or transmit organization-controlled information using external
-                                        information systems.
-                    """
-            - 
-              id:    ac-20_gdn
-              name:  guidance
-              prose: 
-                """
-                  External information systems are information systems or components of information
-                                 systems that are outside of the authorization boundary established by organizations
-                                 and for which organizations typically have no direct supervision and authority over
-                                 the application of required security controls or the assessment of control
-                                 effectiveness. External information systems include, for example: (i) personally
-                                 owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-                                 personal digital assistants); (ii) privately owned computing and communications
-                                 devices resident in commercial or public facilities (e.g., hotels, train stations,
-                                 convention centers, shopping malls, or airports); (iii) information systems owned or
-                                 controlled by nonfederal governmental organizations; and (iv) federal information
-                                 systems that are not owned by, operated by, or under the direct supervision and
-                                 authority of organizations. This control also addresses the use of external
-                                 information systems for the processing, storage, or transmission of organizational
-                                 information, including, for example, accessing cloud services (e.g., infrastructure
-                                 as a service, platform as a service, or software as a service) from organizational
-                                 information systems. For some external information systems (i.e., information systems
-                                 operated by other federal agencies, including organizations subordinate to those
-                                 agencies), the trust relationships that have been established between those
-                                 organizations and the originating organization may be such, that no explicit terms
-                                 and conditions are required. Information systems within these organizations would not
-                                 be considered external. These situations occur when, for example, there are
-                                 pre-existing sharing/trust agreements (either implicit or explicit) established
-                                 between federal agencies or organizations subordinate to those agencies, or when such
-                                 trust agreements are specified by applicable laws, Executive Orders, directives, or
-                                 policies. Authorized individuals include, for example, organizational personnel,
-                                 contractors, or other individuals with authorized access to organizational
-                                 information systems and over which organizations have the authority to impose rules
-                                 of behavior with regard to system access. Restrictions that organizations impose on
-                                 authorized individuals need not be uniform, as those restrictions may vary depending
-                                 upon the trust relationships between organizations. Therefore, organizations may
-                                 choose to impose different security restrictions on contractors than on state, local,
-                                 or tribal governments. This control does not apply to the use of external information
-                                 systems to access public interfaces to organizational information systems (e.g.,
-                                 individuals accessing federal information through www.usa.gov). Organizations
-                                 establish terms and conditions for the use of external information systems in
-                                 accordance with organizational security policies and procedures. Terms and conditions
-                                 address as a minimum: types of applications that can be accessed on organizational
-                                 information systems from external information systems; and the highest security
-                                 category of information that can be processed, stored, or transmitted on external
-                                 information systems. If terms and conditions with the owners of external information
-                                 systems cannot be established, organizations may impose restrictions on
-                                 organizational personnel using those external systems.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-            - 
-              id:    ac-20_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization establishes terms and conditions, consistent with any
-                                 trust relationships established with other organizations owning, operating, and/or
-                                 maintaining external information systems, allowing authorized individuals to: 
-                """
-              parts: 
-                - 
-                  id:         ac-20.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-20(a)
-                  prose:      access the information system from the external information systems; and
-                - 
-                  id:         ac-20.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-20(b)
-                  prose: 
-                    """
-                      process, store, or transmit organization-controlled information using external
-                                        information systems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted
-                                        on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for defining terms and conditions
-                                        for use of external information systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing terms and conditions on use of external
-                                        information systems
-                    """
-          controls: 
-            - 
-              id:         ac-20.1
-              class:      SP800-53-enhancement
-              title:      Limits On Authorized Use
-              properties: 
-                - 
-                  name:  label
-                  value: AC-20(1)
-                - 
-                  name:  sort-id
-                  value: ac-20.01
-              parts: 
-                - 
-                  id:    ac-20.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization permits authorized individuals to use an external information
-                                        system to access the information system or to process, store, or transmit
-                                        organization-controlled information only when the organization:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-20.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Verifies the implementation of required security controls on the external
-                                               system as specified in the organization’s information security policy and
-                                               security plan; or
-                        """
-                    - 
-                      id:         ac-20.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Retains approved information system connection or processing agreements with
-                                               the organizational entity hosting the external information system.
-                        """
-                - 
-                  id:    ac-20.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement recognizes that there are circumstances where individuals
-                                        using external information systems (e.g., contractors, coalition partners) need to
-                                        access organizational information systems. In those situations, organizations need
-                                        confidence that the external information systems contain the necessary security
-                                        safeguards (i.e., security controls), so as not to compromise, damage, or
-                                        otherwise harm organizational information systems. Verification that the required
-                                        security controls have been implemented can be achieved, for example, by
-                                        third-party, independent assessments, attestations, or other means, depending on
-                                        the confidence level required by organizations.
-                    """
-                  links: 
-                    - 
-                      href: #ca-2
-                      rel:  related
-                      text: CA-2
-                - 
-                  id:         ac-20.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization permits authorized individuals to use an external
-                                        information system to access the information system or to process, store, or
-                                        transmit organization-controlled information only when the organization: 
-                    """
-                  parts: 
-                    - 
-                      id:         ac-20.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-20(1)(a)
-                      prose: 
-                        """
-                          verifies the implementation of required security controls on the external
-                                               system as specified in the organization’s information security policy and
-                                               security plan; or
-                        """
-                      links: 
-                        - 
-                          href: #ac-20.1_smt.a
-                          rel:  corresp
-                          text: AC-20(1)(a)
-                    - 
-                      id:         ac-20.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-20(1)(b)
-                      prose: 
-                        """
-                          retains approved information system connection or processing agreements with
-                                               the organizational entity hosting the external information system.
-                        """
-                      links: 
-                        - 
-                          href: #ac-20.1_smt.b
-                          rel:  corresp
-                          text: AC-20(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing limits on use of external information
-                                               systems
-                        """
-            - 
-              id:         ac-20.2
-              class:      SP800-53-enhancement
-              title:      Portable Storage Devices
-              parameters: 
-                - 
-                  id: ac-20.2_prm_1
-              properties: 
-                - 
-                  name:  label
-                  value: AC-20(2)
-                - 
-                  name:  sort-id
-                  value: ac-20.02
-              parts: 
-                - 
-                  id:    ac-20.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization {{ ac-20.2_prm_1 }} the use of
-                                        organization-controlled portable storage devices by authorized individuals on
-                                        external information systems.
-                    """
-                - 
-                  id:    ac-20.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Limits on the use of organization-controlled portable storage devices in external
-                                        information systems include, for example, complete prohibition of the use of such
-                                        devices or restrictions on how the devices may be used and under what conditions
-                                        the devices may be used.
-                    """
-                - 
-                  id:         ac-20.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization restricts or prohibits the use of
-                                        organization-controlled portable storage devices by authorized individuals on
-                                        external information systems. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for restricting or prohibiting
-                                               use of organization-controlled storage devices on external information
-                                               systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing restrictions on use of portable storage
-                                               devices
-                        """
-        - 
-          id:         ac-21
-          class:      SP800-53
-          title:      Information Sharing
-          parameters: 
-            - 
-              id:    ac-21_prm_1
-              label: 
-                """
-                  organization-defined information sharing circumstances where user discretion is
-                                 required
-                """
-            - 
-              id:    ac-21_prm_2
-              label: organization-defined automated mechanisms or manual processes
-          properties: 
-            - 
-              name:  label
-              value: AC-21
-            - 
-              name:  sort-id
-              value: ac-21
-          parts: 
-            - 
-              id:    ac-21_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-21_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Facilitates information sharing by enabling authorized users to determine whether
-                                        access authorizations assigned to the sharing partner match the access
-                                        restrictions on the information for {{ ac-21_prm_1 }}; and
-                    """
-                - 
-                  id:         ac-21_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs {{ ac-21_prm_2 }} to assist users in making information
-                                        sharing/collaboration decisions.
-                    """
-            - 
-              id:    ac-21_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to information that may be restricted in some manner (e.g.,
-                                 privileged medical information, contract-sensitive information, proprietary
-                                 information, personally identifiable information, classified information related to
-                                 special access programs or compartments) based on some formal or administrative
-                                 determination. Depending on the particular information-sharing circumstances, sharing
-                                 partners may be defined at the individual, group, or organizational level.
-                                 Information may be defined by content, type, security category, or special access
-                                 program/compartment.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-            - 
-              id:    ac-21_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ac-21.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-21(a)
-                  parts: 
-                    - 
-                      id:         ac-21.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-21(a)[1]
-                      prose: 
-                        """
-                          defines information sharing circumstances where user discretion is
-                                               required;
-                        """
-                    - 
-                      id:         ac-21.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-21(a)[2]
-                      prose: 
-                        """
-                          facilitates information sharing by enabling authorized users to determine
-                                               whether access authorizations assigned to the sharing partner match the access
-                                               restrictions on the information for organization-defined information sharing
-                                               circumstances;
-                        """
-                - 
-                  id:         ac-21.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-21(b)
-                  parts: 
-                    - 
-                      id:         ac-21.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-21(b)[1]
-                      prose: 
-                        """
-                          defines automated mechanisms or manual processes to be employed to assist users
-                                               in making information sharing/collaboration decisions; and
-                        """
-                    - 
-                      id:         ac-21.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-21(b)[2]
-                      prose: 
-                        """
-                          employs organization-defined automated mechanisms or manual processes to assist
-                                               users in making information sharing/collaboration decisions.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including
-                                        restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of users authorized to make information sharing/collaboration decisions\n\nlist of information sharing circumstances requiring user discretion\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel responsible for making information sharing/collaboration
-                                        decisions\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms or manual process implementing access authorizations
-                                        supporting information sharing/user collaboration decisions
-                    """
-        - 
-          id:         ac-22
-          class:      SP800-53
-          title:      Publicly Accessible Content
-          parameters: 
-            - 
-              id:          ac-22_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least quarterly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-22
-            - 
-              name:  sort-id
-              value: ac-22
-          parts: 
-            - 
-              id:    ac-22_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-22_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Designates individuals authorized to post information onto a publicly accessible
-                                        information system;
-                    """
-                - 
-                  id:         ac-22_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Trains authorized individuals to ensure that publicly accessible information does
-                                        not contain nonpublic information;
-                    """
-                - 
-                  id:         ac-22_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Reviews the proposed content of information prior to posting onto the publicly
-                                        accessible information system to ensure that nonpublic information is not
-                                        included; and
-                    """
-                - 
-                  id:         ac-22_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Reviews the content on the publicly accessible information system for nonpublic
-                                        information {{ ac-22_prm_1 }} and removes such information, if
-                                        discovered.
-                    """
-            - 
-              id:    ac-22_gdn
-              name:  guidance
-              prose: 
-                """
-                  In accordance with federal laws, Executive Orders, directives, policies, regulations,
-                                 standards, and/or guidance, the general public is not authorized access to nonpublic
-                                 information (e.g., information protected under the Privacy Act and proprietary
-                                 information). This control addresses information systems that are controlled by the
-                                 organization and accessible to the general public, typically without identification
-                                 or authentication. The posting of information on non-organization information systems
-                                 is covered by organizational policy.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #au-13
-                  rel:  related
-                  text: AU-13
-            - 
-              id:    ac-22_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ac-22.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-22(a)
-                  prose: 
-                    """
-                      designates individuals authorized to post information onto a publicly accessible
-                                        information system;
-                    """
-                - 
-                  id:         ac-22.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-22(b)
-                  prose: 
-                    """
-                      trains authorized individuals to ensure that publicly accessible information does
-                                        not contain nonpublic information;
-                    """
-                - 
-                  id:         ac-22.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-22(c)
-                  prose: 
-                    """
-                      reviews the proposed content of information prior to posting onto the publicly
-                                        accessible information system to ensure that nonpublic information is not
-                                        included;
-                    """
-                - 
-                  id:         ac-22.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-22(d)
-                  parts: 
-                    - 
-                      id:         ac-22.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-22(d)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the content on the publicly accessible
-                                               information system for nonpublic information;
-                        """
-                    - 
-                      id:         ac-22.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-22(d)[2]
-                      prose: 
-                        """
-                          reviews the content on the publicly accessible information system for nonpublic
-                                               information with the organization-defined frequency; and
-                        """
-                    - 
-                      id:         ac-22.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-22(d)[3]
-                      prose: 
-                        """
-                          removes nonpublic information from the publicly accessible information system,
-                                               if discovered.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational
-                                        information systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing publicly accessible
-                                        information posted on organizational information systems\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing management of publicly accessible content
-    - 
-      id:       at
-      class:    family
-      title:    Awareness and Training
-      controls: 
-        - 
-          id:         at-1
-          class:      SP800-53
-          title:      Security Awareness and Training Policy and Procedures
-          parameters: 
-            - 
-              id:    at-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          at-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-            - 
-              id:          at-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-1
-            - 
-              name:  sort-id
-              value: at-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    at-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         at-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ at-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         at-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security awareness and training policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         at-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security awareness and
-                                               training policy and associated security awareness and training controls;
-                                               and
-                        """
-                - 
-                  id:         at-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         at-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security awareness and training policy {{ at-1_prm_2 }}; and
-                    - 
-                      id:         at-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security awareness and training procedures {{ at-1_prm_3 }}.
-            - 
-              id:    at-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AT
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    at-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-1(a)
-                  parts: 
-                    - 
-                      id:         at-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(a)(1)
-                      parts: 
-                        - 
-                          id:         at-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an security awareness and training policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         at-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         at-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         at-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         at-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         at-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         at-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         at-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         at-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the security awareness and training
-                                                      policy are to be disseminated;
-                            """
-                        - 
-                          id:         at-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the security awareness and training policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         at-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(a)(2)
-                      parts: 
-                        - 
-                          id:         at-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      security awareness and training policy and associated awareness and training
-                                                      controls;
-                            """
-                        - 
-                          id:         at-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         at-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         at-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-1(b)
-                  parts: 
-                    - 
-                      id:         at-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(b)(1)
-                      parts: 
-                        - 
-                          id:         at-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security awareness
-                                                      and training policy;
-                            """
-                        - 
-                          id:         at-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security awareness and training policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         at-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(b)(2)
-                      parts: 
-                        - 
-                          id:         at-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security awareness
-                                                      and training procedures; and
-                            """
-                        - 
-                          id:         at-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security awareness and training procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         at-2
-          class:      SP800-53
-          title:      Security Awareness Training
-          parameters: 
-            - 
-              id:          at-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-2
-            - 
-              name:  sort-id
-              value: at-02
-          links: 
-            - 
-              href: #bb61234b-46c3-4211-8c2b-9869222a720d
-              rel:  reference
-              text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    at-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides basic security awareness training to information system
-                                 users (including managers, senior executives, and contractors):
-                """
-              parts: 
-                - 
-                  id:         at-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      As part of initial training for new users;
-                - 
-                  id:         at-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         at-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ at-2_prm_1 }} thereafter.
-                    """
-            - 
-              id:    at-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the appropriate content of security awareness training and
-                                 security awareness techniques based on the specific organizational requirements and
-                                 the information systems to which personnel have authorized access. The content
-                                 includes a basic understanding of the need for information security and user actions
-                                 to maintain security and to respond to suspected security incidents. The content also
-                                 addresses awareness of the need for operations security. Security awareness
-                                 techniques can include, for example, displaying posters, offering supplies inscribed
-                                 with security reminders, generating email advisories/notices from senior
-                                 organizational officials, displaying logon screen messages, and conducting
-                                 information security awareness events.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #at-4
-                  rel:  related
-                  text: AT-4
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    at-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-2(a)
-                  prose: 
-                    """
-                      provides basic security awareness training to information system users (including
-                                        managers, senior executives, and contractors) as part of initial training for new
-                                        users;
-                    """
-                - 
-                  id:         at-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-2(b)
-                  prose: 
-                    """
-                      provides basic security awareness training to information system users (including
-                                        managers, senior executives, and contractors) when required by information system
-                                        changes; and
-                    """
-                - 
-                  id:         at-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-2(c)
-                  parts: 
-                    - 
-                      id:         at-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher security awareness training
-                                               thereafter to information system users (including managers, senior executives,
-                                               and contractors); and
-                        """
-                    - 
-                      id:         at-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-2(c)[2]
-                      prose: 
-                        """
-                          provides refresher security awareness training to information users (including
-                                               managers, senior executives, and contractors) with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user
-                                        community
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms managing security awareness training
-          controls: 
-            - 
-              id:         at-2.2
-              class:      SP800-53-enhancement
-              title:      Insider Threat
-              properties: 
-                - 
-                  name:  label
-                  value: AT-2(2)
-                - 
-                  name:  sort-id
-                  value: at-02.02
-              parts: 
-                - 
-                  id:    at-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization includes security awareness training on recognizing and reporting
-                                        potential indicators of insider threat.
-                    """
-                - 
-                  id:    at-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Potential indicators and possible precursors of insider threat can include
-                                        behaviors such as inordinate, long-term job dissatisfaction, attempts to gain
-                                        access to information not required for job performance, unexplained access to
-                                        financial resources, bullying or sexual harassment of fellow employees, workplace
-                                        violence, and other serious violations of organizational policies, procedures,
-                                        directives, rules, or practices. Security awareness training includes how to
-                                        communicate employee and management concerns regarding potential indicators of
-                                        insider threat through appropriate organizational channels in accordance with
-                                        established organizational policies and procedures.
-                    """
-                  links: 
-                    - 
-                      href: #pl-4
-                      rel:  related
-                      text: PL-4
-                    - 
-                      href: #pm-12
-                      rel:  related
-                      text: PM-12
-                    - 
-                      href: #ps-3
-                      rel:  related
-                      text: PS-3
-                    - 
-                      href: #ps-6
-                      rel:  related
-                      text: PS-6
-                - 
-                  id:         at-2.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization includes security awareness training on recognizing
-                                        and reporting potential indicators of insider threat. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel that participate in security awareness training\n\norganizational personnel with responsibilities for basic security awareness
-                                               training\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         at-3
-          class:      SP800-53
-          title:      Role-based Security Training
-          parameters: 
-            - 
-              id:          at-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-3
-            - 
-              name:  sort-id
-              value: at-03
-          links: 
-            - 
-              href: #bb61234b-46c3-4211-8c2b-9869222a720d
-              rel:  reference
-              text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    at-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides role-based security training to personnel with assigned
-                                 security roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         at-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Before authorizing access to the information system or performing assigned
-                                        duties;
-                    """
-                - 
-                  id:         at-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         at-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ at-3_prm_1 }} thereafter.
-                    """
-            - 
-              id:    at-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the appropriate content of security training based on the
-                                 assigned roles and responsibilities of individuals and the specific security
-                                 requirements of organizations and the information systems to which personnel have
-                                 authorized access. In addition, organizations provide enterprise architects,
-                                 information system developers, software developers, acquisition/procurement
-                                 officials, information system managers, system/network administrators, personnel
-                                 conducting configuration management and auditing activities, personnel performing
-                                 independent verification and validation activities, security control assessors, and
-                                 other personnel having access to system-level software, adequate security-related
-                                 technical training specifically tailored for their assigned duties. Comprehensive
-                                 role-based training addresses management, operational, and technical roles and
-                                 responsibilities covering physical, personnel, and technical safeguards and
-                                 countermeasures. Such training can include for example, policies, procedures, tools,
-                                 and artifacts for the organizational security roles defined. Organizations also
-                                 provide the training necessary for individuals to carry out their responsibilities
-                                 related to operations and supply chain security within the context of organizational
-                                 information security programs. Role-based security training also applies to
-                                 contractors providing services to federal agencies.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-4
-                  rel:  related
-                  text: AT-4
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sa-16
-                  rel:  related
-                  text: SA-16
-            - 
-              id:    at-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-3(a)
-                  prose: 
-                    """
-                      provides role-based security training to personnel with assigned security roles
-                                        and responsibilities before authorizing access to the information system or
-                                        performing assigned duties;
-                    """
-                - 
-                  id:         at-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-3(b)
-                  prose: 
-                    """
-                      provides role-based security training to personnel with assigned security roles
-                                        and responsibilities when required by information system changes; and
-                    """
-                - 
-                  id:         at-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-3(c)
-                  parts: 
-                    - 
-                      id:         at-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-3(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher role-based security training
-                                               thereafter to personnel with assigned security roles and responsibilities;
-                                               and
-                        """
-                    - 
-                      id:         at-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-3(c)[2]
-                      prose: 
-                        """
-                          provides refresher role-based security training to personnel with assigned
-                                               security roles and responsibilities with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for role-based security
-                                        training\n\norganizational personnel with assigned information system security roles and
-                                        responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms managing role-based security training
-          controls: 
-            - 
-              id:         at-3.3
-              class:      SP800-53-enhancement
-              title:      Practical Exercises
-              properties: 
-                - 
-                  name:  label
-                  value: AT-3(3)
-                - 
-                  name:  sort-id
-                  value: at-03.03
-              parts: 
-                - 
-                  id:    at-3.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization includes practical exercises in security training that reinforce
-                                        training objectives.
-                    """
-                - 
-                  id:    at-3.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Practical exercises may include, for example, security training for software
-                                        developers that includes simulated cyber attacks exploiting common software
-                                        vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted
-                                        at senior leaders/executives. These types of practical exercises help developers
-                                        better understand the effects of such vulnerabilities and appreciate the need for
-                                        security coding standards and processes.
-                    """
-                - 
-                  id:         at-3.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization includes practical exercises in security training
-                                        that reinforce training objectives. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for role-based security
-                                               training\n\norganizational personnel that participate in security awareness training
-                        """
-            - 
-              id:         at-3.4
-              class:      SP800-53-enhancement
-              title:      Suspicious Communications and Anomalous System Behavior
-              parameters: 
-                - 
-                  id:          at-3.4_prm_1
-                  label:       organization-defined indicators of malicious code
-                  constraints: 
-                    - 
-                      detail: malicious code indicators as defined by organization incident policy/capability.
-              properties: 
-                - 
-                  name:  label
-                  value: AT-3(4)
-                - 
-                  name:  sort-id
-                  value: at-03.04
-              parts: 
-                - 
-                  id:    at-3.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization provides training to its personnel on {{ at-3.4_prm_1 }} to recognize suspicious communications and anomalous
-                                        behavior in organizational information systems.
-                    """
-                - 
-                  id:    at-3.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      A well-trained workforce provides another organizational safeguard that can be
-                                        employed as part of a defense-in-depth strategy to protect organizations against
-                                        malicious code coming in to organizations via email or the web applications.
-                                        Personnel are trained to look for indications of potentially suspicious email
-                                        (e.g., receiving an unexpected email, receiving an email containing strange or
-                                        poor grammar, or receiving an email from an unfamiliar sender but who appears to
-                                        be from a known sponsor or contractor). Personnel are also trained on how to
-                                        respond to such suspicious email or web communications (e.g., not opening
-                                        attachments, not clicking on embedded web links, and checking the source of email
-                                        addresses). For this process to work effectively, all organizational personnel are
-                                        trained and made aware of what constitutes suspicious communications. Training
-                                        personnel on how to recognize anomalous behaviors in organizational information
-                                        systems can potentially provide early warning for the presence of malicious code.
-                                        Recognition of such anomalous behavior by organizational personnel can supplement
-                                        automated malicious code detection and protection tools and systems employed by
-                                        organizations.
-                    """
-                - 
-                  id:    at-3.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         at-3.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-3(4)[1]
-                      prose:      defines indicators of malicious code; and
-                    - 
-                      id:         at-3.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AT-3(4)[2]
-                      prose: 
-                        """
-                          provides training to its personnel on organization-defined indicators of
-                                               malicious code to recognize suspicious communications and anomalous behavior in
-                                               organizational information systems.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security awareness and training policy\n\nprocedures addressing security training implementation\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for role-based security
-                                               training\n\norganizational personnel that participate in security awareness training
-                        """
-        - 
-          id:         at-4
-          class:      SP800-53
-          title:      Security Training Records
-          parameters: 
-            - 
-              id:          at-4_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: five (5) years or 5 years after completion of a specific training program
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-4
-            - 
-              name:  sort-id
-              value: at-04
-          parts: 
-            - 
-              id:    at-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         at-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Documents and monitors individual information system security training activities
-                                        including basic security awareness training and specific information system
-                                        security training; and
-                    """
-                - 
-                  id:         at-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Retains individual training records for {{ at-4_prm_1 }}.
-            - 
-              id:    at-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Documentation for specialized training may be maintained by individual supervisors at
-                                 the option of the organization.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pm-14
-                  rel:  related
-                  text: PM-14
-            - 
-              id:    at-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-4(a)
-                  parts: 
-                    - 
-                      id:         at-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-4(a)[1]
-                      prose: 
-                        """
-                          documents individual information system security training activities
-                                               including:
-                        """
-                      parts: 
-                        - 
-                          id:         at-4.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[1][a]
-                          prose:      basic security awareness training;
-                        - 
-                          id:         at-4.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[1][b]
-                          prose:      specific role-based information system security training;
-                    - 
-                      id:         at-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-4(a)[2]
-                      prose: 
-                        """
-                          monitors individual information system security training activities
-                                               including:
-                        """
-                      parts: 
-                        - 
-                          id:         at-4.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[2][a]
-                          prose:      basic security awareness training;
-                        - 
-                          id:         at-4.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[2][b]
-                          prose:      specific role-based information system security training;
-                - 
-                  id:         at-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-4(b)
-                  parts: 
-                    - 
-                      id:         at-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-4(b)[1]
-                      prose:      defines a time period to retain individual training records; and
-                    - 
-                      id:         at-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-4(b)[2]
-                      prose: 
-                        """
-                          retains individual training records for the organization-defined time
-                                               period.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security training record retention
-                                        responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting management of security training records
-    - 
-      id:       au
-      class:    family
-      title:    Audit and Accountability
-      controls: 
-        - 
-          id:         au-1
-          class:      SP800-53
-          title:      Audit and Accountability Policy and Procedures
-          parameters: 
-            - 
-              id:    au-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          au-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          au-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-1
-            - 
-              name:  sort-id
-              value: au-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    au-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ au-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         au-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An audit and accountability policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         au-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the audit and accountability
-                                               policy and associated audit and accountability controls; and
-                        """
-                - 
-                  id:         au-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         au-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Audit and accountability policy {{ au-1_prm_2 }}; and
-                    - 
-                      id:         au-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Audit and accountability procedures {{ au-1_prm_3 }}.
-            - 
-              id:    au-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AU
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    au-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-1(a)
-                  parts: 
-                    - 
-                      id:         au-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(a)(1)
-                      parts: 
-                        - 
-                          id:         au-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an audit and accountability policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         au-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         au-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         au-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         au-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         au-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         au-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         au-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         au-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the audit and accountability policy are
-                                                      to be disseminated;
-                            """
-                        - 
-                          id:         au-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the audit and accountability policy to organization-defined
-                                                      personnel or roles;
-                            """
-                    - 
-                      id:         au-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(a)(2)
-                      parts: 
-                        - 
-                          id:         au-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      audit and accountability policy and associated audit and accountability
-                                                      controls;
-                            """
-                        - 
-                          id:         au-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         au-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         au-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-1(b)
-                  parts: 
-                    - 
-                      id:         au-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(b)(1)
-                      parts: 
-                        - 
-                          id:         au-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current audit and
-                                                      accountability policy;
-                            """
-                        - 
-                          id:         au-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current audit and accountability policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         au-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(b)(2)
-                      parts: 
-                        - 
-                          id:         au-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current audit and
-                                                      accountability procedures; and
-                            """
-                        - 
-                          id:         au-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current audit and accountability procedures in
-                                                      accordance with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         au-2
-          class:      SP800-53
-          title:      Audit Events
-          parameters: 
-            - 
-              id:          au-2_prm_1
-              label:       organization-defined auditable events
-              constraints: 
-                - 
-                  detail: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-            - 
-              id:          au-2_prm_2
-              label: 
-                """
-                  organization-defined audited events (the subset of the auditable events defined
-                                 in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-                                 identified event
-                """
-              constraints: 
-                - 
-                  detail: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-2
-            - 
-              name:  sort-id
-              value: au-02
-          links: 
-            - 
-              href: #672fd561-b92b-4713-b9cf-6c9d9456728b
-              rel:  reference
-              text: NIST Special Publication 800-92
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    au-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines that the information system is capable of auditing the following
-                                        events: {{ au-2_prm_1 }};
-                    """
-                - 
-                  id:         au-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Coordinates the security audit function with other organizational entities
-                                        requiring audit-related information to enhance mutual support and to help guide
-                                        the selection of auditable events;
-                    """
-                - 
-                  id:         au-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides a rationale for why the auditable events are deemed to be adequate to
-                                        support after-the-fact investigations of security incidents; and
-                    """
-                - 
-                  id:         au-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Determines that the following events are to be audited within the information
-                                        system: {{ au-2_prm_2 }}.
-                    """
-                - 
-                  id:    au-2_fr
-                  name:  item
-                  title: AU-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-2_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-            - 
-              id:    au-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  An event is any observable occurrence in an organizational information system.
-                                 Organizations identify audit events as those events which are significant and
-                                 relevant to the security of information systems and the environments in which those
-                                 systems operate in order to meet specific and ongoing audit needs. Audit events can
-                                 include, for example, password changes, failed logons, or failed accesses related to
-                                 information systems, administrative privilege usage, PIV credential usage, or
-                                 third-party credential usage. In determining the set of auditable events,
-                                 organizations consider the auditing appropriate for each of the security controls to
-                                 be implemented. To balance auditing requirements with other information system needs,
-                                 this control also requires identifying that subset of auditable events that are
-                                 audited at a given point in time. For example, organizations may determine that
-                                 information systems must have the capability to log every file access both successful
-                                 and unsuccessful, but not activate that capability except for specific circumstances
-                                 due to the potential burden on system performance. Auditing requirements, including
-                                 the need for auditable events, may be referenced in other security controls and
-                                 control enhancements. Organizations also include auditable events that are required
-                                 by applicable federal laws, Executive Orders, directives, policies, regulations, and
-                                 standards. Audit records can be generated at various levels of abstraction, including
-                                 at the packet level as information traverses the network. Selecting the appropriate
-                                 level of abstraction is a critical aspect of an audit capability and can facilitate
-                                 the identification of root causes to problems. Organizations consider in the
-                                 definition of auditable events, the auditing necessary to cover related events such
-                                 as the steps in distributed, transaction-based processes (e.g., processes that are
-                                 distributed across multiple organizations) and actions that occur in service-oriented
-                                 architectures.
-                """
-              links: 
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    au-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(a)
-                  parts: 
-                    - 
-                      id:         au-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-2(a)[1]
-                      prose: 
-                        """
-                          defines the auditable events that the information system must be capable of
-                                               auditing;
-                        """
-                    - 
-                      id:         au-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-2(a)[2]
-                      prose: 
-                        """
-                          determines that the information system is capable of auditing
-                                               organization-defined auditable events;
-                        """
-                - 
-                  id:         au-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AU-2(b)
-                  prose: 
-                    """
-                      coordinates the security audit function with other organizational entities
-                                        requiring audit-related information to enhance mutual support and to help guide
-                                        the selection of auditable events;
-                    """
-                - 
-                  id:         au-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AU-2(c)
-                  prose: 
-                    """
-                      provides a rationale for why the auditable events are deemed to be adequate to
-                                        support after-the-fact investigations of security incidents;
-                    """
-                - 
-                  id:         au-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(d)
-                  parts: 
-                    - 
-                      id:         au-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-2(d)[1]
-                      prose: 
-                        """
-                          defines the subset of auditable events defined in AU-2a that are to be audited
-                                               within the information system;
-                        """
-                    - 
-                      id:         au-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-2(d)[2]
-                      prose: 
-                        """
-                          determines that the subset of auditable events defined in AU-2a are to be
-                                               audited within the information system; and
-                        """
-                    - 
-                      id:         au-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-2(d)[3]
-                      prose: 
-                        """
-                          determines the frequency of (or situation requiring) auditing for each
-                                               identified event.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing information system auditing
-          controls: 
-            - 
-              id:         au-2.3
-              class:      SP800-53-enhancement
-              title:      Reviews and Updates
-              parameters: 
-                - 
-                  id:          au-2.3_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: annually or whenever there is a change in the threat environment
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AU-2(3)
-                - 
-                  name:  sort-id
-                  value: au-02.03
-              parts: 
-                - 
-                  id:    au-2.3_smt
-                  name:  statement
-                  prose: The organization reviews and updates the audited events {{ au-2.3_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    au-2.3_fr
-                      name:  item
-                      title: AU-2 (3) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         au-2.3_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.
-                - 
-                  id:    au-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Over time, the events that organizations believe should be audited may change.
-                                        Reviewing and updating the set of audited events periodically is necessary to
-                                        ensure that the current set is still necessary and sufficient.
-                    """
-                - 
-                  id:    au-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         au-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-2(3)[1]
-                      prose:      defines the frequency to review and update the audited events; and
-                    - 
-                      id:         au-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-2(3)[2]
-                      prose: 
-                        """
-                          reviews and updates the auditable events with organization-defined
-                                               frequency.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\nlist of organization-defined auditable events\n\nauditable events review and update records\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting review and update of auditable events
-        - 
-          id:         au-3
-          class:      SP800-53
-          title:      Content of Audit Records
-          properties: 
-            - 
-              name:  label
-              value: AU-3
-            - 
-              name:  sort-id
-              value: au-03
-          parts: 
-            - 
-              id:    au-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system generates audit records containing information that
-                                 establishes what type of event occurred, when the event occurred, where the event
-                                 occurred, the source of the event, the outcome of the event, and the identity of any
-                                 individuals or subjects associated with the event.
-                """
-            - 
-              id:    au-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit record content that may be necessary to satisfy the requirement of this
-                                 control, includes, for example, time stamps, source and destination addresses,
-                                 user/process identifiers, event descriptions, success/fail indications, filenames
-                                 involved, and access control or flow control rules invoked. Event outcomes can
-                                 include indicators of event success or failure and event-specific results (e.g., the
-                                 security state of the information system after the event occurred).
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-8
-                  rel:  related
-                  text: AU-8
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #si-11
-                  rel:  related
-                  text: SI-11
-            - 
-              id:         au-3_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system generates audit records containing information
-                                 that establishes: 
-                """
-              parts: 
-                - 
-                  id:         au-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[1]
-                  prose:      what type of event occurred;
-                - 
-                  id:         au-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[2]
-                  prose:      when the event occurred;
-                - 
-                  id:         au-3_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[3]
-                  prose:      where the event occurred;
-                - 
-                  id:         au-3_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[4]
-                  prose:      the source of the event;
-                - 
-                  id:         au-3_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[5]
-                  prose:      the outcome of the event; and
-                - 
-                  id:         au-3_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[6]
-                  prose:      the identity of any individuals or subjects associated with the event.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing information system auditing of auditable
-                                        events
-                    """
-          controls: 
-            - 
-              id:         au-3.1
-              class:      SP800-53-enhancement
-              title:      Additional Audit Information
-              parameters: 
-                - 
-                  id:          au-3.1_prm_1
-                  label:       organization-defined additional, more detailed information
-                  constraints: 
-                    - 
-                      detail: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands
-              properties: 
-                - 
-                  name:  label
-                  value: AU-3(1)
-                - 
-                  name:  sort-id
-                  value: au-03.01
-              parts: 
-                - 
-                  id:    au-3.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system generates audit records containing the following additional
-                                        information: {{ au-3.1_prm_1 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    au-3.1_fr
-                      name:  item
-                      title: AU-3 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         au-3.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO.
-                        - 
-                          id:         au-3.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
-                - 
-                  id:    au-3.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Detailed information that organizations may consider in audit records includes,
-                                        for example, full text recording of privileged commands or the individual
-                                        identities of group account users. Organizations consider limiting the additional
-                                        audit information to only that information explicitly needed for specific audit
-                                        requirements. This facilitates the use of audit trails and audit logs by not
-                                        including information that could potentially be misleading or could make it more
-                                        difficult to locate information of interest.
-                    """
-                - 
-                  id:    au-3.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-3.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-3(1)[1]
-                      prose: 
-                        """
-                          the organization defines additional, more detailed information to be contained
-                                               in audit records that the information system generates; and
-                        """
-                    - 
-                      id:         au-3.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-3(1)[2]
-                      prose: 
-                        """
-                          the information system generates audit records containing the
-                                               organization-defined additional, more detailed information.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system audit capability
-            - 
-              id:         au-3.2
-              class:      SP800-53-enhancement
-              title:      Centralized Management of Planned Audit Record Content
-              parameters: 
-                - 
-                  id:          au-3.2_prm_1
-                  label:       organization-defined information system components
-                  constraints: 
-                    - 
-                      detail: all network, data storage, and computing devices
-              properties: 
-                - 
-                  name:  label
-                  value: AU-3(2)
-                - 
-                  name:  sort-id
-                  value: au-03.02
-              parts: 
-                - 
-                  id:    au-3.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system provides centralized management and configuration of the
-                                        content to be captured in audit records generated by {{ au-3.2_prm_1 }}.
-                    """
-                - 
-                  id:    au-3.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement requires that the content to be captured in audit records
-                                        be configured from a central location (necessitating automation). Organizations
-                                        coordinate the selection of required audit content to support the centralized
-                                        management and configuration capability provided by the information system.
-                    """
-                  links: 
-                    - 
-                      href: #au-6
-                      rel:  related
-                      text: AU-6
-                    - 
-                      href: #au-7
-                      rel:  related
-                      text: AU-7
-                - 
-                  id:    au-3.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-3.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-3(2)[1]
-                      prose: 
-                        """
-                          the organization defines information system components that generate audit
-                                               records whose content is to be centrally managed and configured by the
-                                               information system; and
-                        """
-                    - 
-                      id:         au-3.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-3(2)[2]
-                      prose: 
-                        """
-                          the information system provides centralized management and configuration of the
-                                               content to be captured in audit records generated by the organization-defined
-                                               information system components.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Information system capability implementing centralized management and
-                                               configuration of audit record content
-                        """
-        - 
-          id:         au-4
-          class:      SP800-53
-          title:      Audit Storage Capacity
-          parameters: 
-            - 
-              id:    au-4_prm_1
-              label: organization-defined audit record storage requirements
-          properties: 
-            - 
-              name:  label
-              value: AU-4
-            - 
-              name:  sort-id
-              value: au-04
-          parts: 
-            - 
-              id:    au-4_smt
-              name:  statement
-              prose: The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}.
-            - 
-              id:    au-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations consider the types of auditing to be performed and the audit processing
-                                 requirements when allocating audit storage capacity. Allocating sufficient audit
-                                 storage capacity reduces the likelihood of such capacity being exceeded and resulting
-                                 in the potential loss or reduction of auditing capability.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-11
-                  rel:  related
-                  text: AU-11
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    au-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-4_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-4[1]
-                  prose:      defines audit record storage requirements; and
-                - 
-                  id:         au-4_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-4[2]
-                  prose: 
-                    """
-                      allocates audit record storage capacity in accordance with the
-                                        organization-defined audit record storage requirements.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit record storage capacity and related configuration settings
-        - 
-          id:         au-5
-          class:      SP800-53
-          title:      Response to Audit Processing Failures
-          parameters: 
-            - 
-              id:    au-5_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          au-5_prm_2
-              label: 
-                """
-                  organization-defined actions to be taken (e.g., shut down information system,
-                                 overwrite oldest audit records, stop generating audit records)
-                """
-              constraints: 
-                - 
-                  detail: organization-defined actions to be taken (overwrite oldest record)
-          properties: 
-            - 
-              name:  label
-              value: AU-5
-            - 
-              name:  sort-id
-              value: au-05
-          parts: 
-            - 
-              id:    au-5_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Alerts {{ au-5_prm_1 }} in the event of an audit processing
-                                        failure; and
-                    """
-                - 
-                  id:         au-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Takes the following additional actions: {{ au-5_prm_2 }}.
-            - 
-              id:    au-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit processing failures include, for example, software/hardware errors, failures in
-                                 the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-                                 Organizations may choose to define additional actions for different audit processing
-                                 failures (e.g., by type, by location, by severity, or a combination of such factors).
-                                 This control applies to each audit data storage repository (i.e., distinct
-                                 information system component where audit records are stored), the total audit storage
-                                 capacity of organizations (i.e., all audit data storage repositories combined), or
-                                 both.
-                """
-              links: 
-                - 
-                  href: #au-4
-                  rel:  related
-                  text: AU-4
-                - 
-                  href: #si-12
-                  rel:  related
-                  text: SI-12
-            - 
-              id:    au-5_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-5(a)
-                  parts: 
-                    - 
-                      id:         au-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(a)[1]
-                      prose: 
-                        """
-                          the organization defines the personnel or roles to be alerted in the event of
-                                               an audit processing failure;
-                        """
-                    - 
-                      id:         au-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-5(a)[2]
-                      prose: 
-                        """
-                          the information system alerts the organization-defined personnel or roles in
-                                               the event of an audit processing failure;
-                        """
-                - 
-                  id:         au-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-5(b)
-                  parts: 
-                    - 
-                      id:         au-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(b)[1]
-                      prose: 
-                        """
-                          the organization defines additional actions to be taken (e.g., shutdown
-                                               information system, overwrite oldest audit records, stop generating audit
-                                               records) in the event of an audit processing failure; and
-                        """
-                    - 
-                      id:         au-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-5(b)[2]
-                      prose: 
-                        """
-                          the information system takes the additional organization-defined actions in the
-                                               event of an audit processing failure.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing information system response to audit processing
-                                        failures
-                    """
-          controls: 
-            - 
-              id:         au-5.1
-              class:      SP800-53-enhancement
-              title:      Audit Storage Capacity
-              parameters: 
-                - 
-                  id:    au-5.1_prm_1
-                  label: organization-defined personnel, roles, and/or locations
-                - 
-                  id:    au-5.1_prm_2
-                  label: organization-defined time period
-                - 
-                  id:    au-5.1_prm_3
-                  label: organization-defined percentage
-              properties: 
-                - 
-                  name:  label
-                  value: AU-5(1)
-                - 
-                  name:  sort-id
-                  value: au-05.01
-              parts: 
-                - 
-                  id:    au-5.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system provides a warning to {{ au-5.1_prm_1 }}
-                                        within {{ au-5.1_prm_2 }} when allocated audit record storage
-                                        volume reaches {{ au-5.1_prm_3 }} of repository maximum audit
-                                        record storage capacity.
-                    """
-                - 
-                  id:    au-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may have multiple audit data storage repositories distributed across
-                                        multiple information system components, with each repository having different
-                                        storage volume capacities.
-                    """
-                - 
-                  id:    au-5.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-5.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(1)[1]
-                      prose:      the organization defines:
-                      parts: 
-                        - 
-                          id:         au-5.1_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-5(1)[1][a]
-                          prose: 
-                            """
-                              personnel to be warned when allocated audit record storage volume reaches
-                                                      organization-defined percentage of repository maximum audit record storage
-                                                      capacity;
-                            """
-                        - 
-                          id:         au-5.1_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-5(1)[1][b]
-                          prose: 
-                            """
-                              roles to be warned when allocated audit record storage volume reaches
-                                                      organization-defined percentage of repository maximum audit record storage
-                                                      capacity; and/or
-                            """
-                        - 
-                          id:         au-5.1_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-5(1)[1][c]
-                          prose: 
-                            """
-                              locations to be warned when allocated audit record storage volume reaches
-                                                      organization-defined percentage of repository maximum audit record storage
-                                                      capacity;
-                            """
-                    - 
-                      id:         au-5.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(1)[2]
-                      prose: 
-                        """
-                          the organization defines the time period within which the information system is
-                                               to provide a warning to the organization-defined personnel, roles, and/or
-                                               locations when allocated audit record storage volume reaches the
-                                               organization-defined percentage of repository maximum audit record storage
-                                               capacity;
-                        """
-                    - 
-                      id:         au-5.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(1)[3]
-                      prose: 
-                        """
-                          the organization defines the percentage of repository maximum audit record
-                                               storage capacity that, if reached, requires a warning to be provided; and
-                        """
-                    - 
-                      id:         au-5.1_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-5(1)[4]
-                      prose: 
-                        """
-                          the information system provides a warning to the organization-defined
-                                               personnel, roles, and/or locations within the organization-defined time period
-                                               when allocated audit record storage volume reaches the organization-defined
-                                               percentage of repository maximum audit record storage capacity.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing audit storage limit warnings
-            - 
-              id:         au-5.2
-              class:      SP800-53-enhancement
-              title:      Real-time Alerts
-              parameters: 
-                - 
-                  id:          au-5.2_prm_1
-                  label:       organization-defined real-time period
-                  constraints: 
-                    - 
-                      detail: real-time
-                - 
-                  id:          au-5.2_prm_2
-                  label:       organization-defined personnel, roles, and/or locations
-                  constraints: 
-                    - 
-                      detail: service provider personnel with authority to address failed audit events
-                - 
-                  id:          au-5.2_prm_3
-                  label:       organization-defined audit failure events requiring real-time alerts
-                  constraints: 
-                    - 
-                      detail: audit failure events requiring real-time alerts, as defined by organization audit policy
-              properties: 
-                - 
-                  name:  label
-                  value: AU-5(2)
-                - 
-                  name:  sort-id
-                  value: au-05.02
-              parts: 
-                - 
-                  id:    au-5.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system provides an alert in {{ au-5.2_prm_1 }} to
-                                           {{ au-5.2_prm_2 }} when the following audit failure events
-                                        occur: {{ au-5.2_prm_3 }}.
-                    """
-                - 
-                  id:    au-5.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Alerts provide organizations with urgent messages. Real-time alerts provide these
-                                        messages at information technology speed (i.e., the time from event detection to
-                                        alert occurs in seconds or less).
-                    """
-                - 
-                  id:    au-5.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-5.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(2)[1]
-                      prose:      the organization defines audit failure events requiring real-time alerts;
-                    - 
-                      id:         au-5.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(2)[2]
-                      prose:      the organization defines:
-                      parts: 
-                        - 
-                          id:         au-5.2_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-5(2)[2][a]
-                          prose: 
-                            """
-                              personnel to be alerted when organization-defined audit failure events
-                                                      requiring real-time alerts occur;
-                            """
-                        - 
-                          id:         au-5.2_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-5(2)[2][b]
-                          prose: 
-                            """
-                              roles to be alerted when organization-defined audit failure events requiring
-                                                      real-time alerts occur; and/or
-                            """
-                        - 
-                          id:         au-5.2_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-5(2)[2][c]
-                          prose: 
-                            """
-                              locations to be alerted when organization-defined audit failure events
-                                                      requiring real-time alerts occur;
-                            """
-                    - 
-                      id:         au-5.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(2)[3]
-                      prose: 
-                        """
-                          the organization defines the real-time period within which the information
-                                               system is to provide an alert to the organization-defined personnel, roles,
-                                               and/or locations when the organization-defined audit failure events requiring
-                                               real-time alerts occur; and
-                        """
-                    - 
-                      id:         au-5.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-5(2)[4]
-                      prose: 
-                        """
-                          the information system provides an alert within the organization-defined
-                                               real-time period to the organization-defined personnel, roles, and/or locations
-                                               when organization-defined audit failure events requiring real-time alerts
-                                               occur.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nrecords of notifications or real-time alerts when audit processing failures
-                                               occur\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing real-time audit alerts when
-                                               organization-defined audit failure events occur
-                        """
-        - 
-          id:         au-6
-          class:      SP800-53
-          title:      Audit Review, Analysis, and Reporting
-          parameters: 
-            - 
-              id:          au-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least weekly
-            - 
-              id:    au-6_prm_2
-              label: organization-defined inappropriate or unusual activity
-            - 
-              id:    au-6_prm_3
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-6
-            - 
-              name:  sort-id
-              value: au-06
-          parts: 
-            - 
-              id:    au-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};
-                                        and
-                    """
-                - 
-                  id:         au-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reports findings to {{ au-6_prm_3 }}.
-                - 
-                  id:    au-6_fr
-                  name:  item
-                  title: AU-6 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-            - 
-              id:    au-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit review, analysis, and reporting covers information security-related auditing
-                                 performed by organizations including, for example, auditing that results from
-                                 monitoring of account usage, remote access, wireless connectivity, mobile device
-                                 connection, configuration settings, system component inventory, use of maintenance
-                                 tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-                                 delivery and removal, communications at the information system boundaries, use of
-                                 mobile code, and use of VoIP. Findings can be reported to organizational entities
-                                 that include, for example, incident response team, help desk, information security
-                                 group/department. If organizations are prohibited from reviewing and analyzing audit
-                                 information or unable to conduct such activities (e.g., in certain national security
-                                 applications or systems), the review/analysis may be carried out by other
-                                 organizations granted such authority.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-16
-                  rel:  related
-                  text: AU-16
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-10
-                  rel:  related
-                  text: CM-10
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ir-5
-                  rel:  related
-                  text: IR-5
-                - 
-                  href: #ir-6
-                  rel:  related
-                  text: IR-6
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #pe-14
-                  rel:  related
-                  text: PE-14
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-18
-                  rel:  related
-                  text: SC-18
-                - 
-                  href: #sc-19
-                  rel:  related
-                  text: SC-19
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    au-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-6(a)
-                  parts: 
-                    - 
-                      id:         au-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(a)[1]
-                      prose: 
-                        """
-                          defines the types of inappropriate or unusual activity to look for when
-                                               information system audit records are reviewed and analyzed;
-                        """
-                    - 
-                      id:         au-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(a)[2]
-                      prose: 
-                        """
-                          defines the frequency to review and analyze information system audit records
-                                               for indications of organization-defined inappropriate or unusual activity;
-                        """
-                    - 
-                      id:         au-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-6(a)[3]
-                      prose: 
-                        """
-                          reviews and analyzes information system audit records for indications of
-                                               organization-defined inappropriate or unusual activity with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         au-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-6(b)
-                  parts: 
-                    - 
-                      id:         au-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom findings resulting from reviews and analysis
-                                               of information system audit records are to be reported; and
-                        """
-                    - 
-                      id:         au-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-6(b)[2]
-                      prose:      reports findings to organization-defined personnel or roles.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with audit review, analysis, and reporting
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-          controls: 
-            - 
-              id:         au-6.1
-              class:      SP800-53-enhancement
-              title:      Process Integration
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(1)
-                - 
-                  name:  sort-id
-                  value: au-06.01
-              parts: 
-                - 
-                  id:    au-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to integrate audit review, analysis,
-                                        and reporting processes to support organizational processes for investigation and
-                                        response to suspicious activities.
-                    """
-                - 
-                  id:    au-6.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational processes benefiting from integrated audit review, analysis, and
-                                        reporting include, for example, incident response, continuous monitoring,
-                                        contingency planning, and Inspector General audits.
-                    """
-                  links: 
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                    - 
-                      href: #pm-7
-                      rel:  related
-                      text: PM-7
-                - 
-                  id:    au-6.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         au-6.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-6(1)[1]
-                      prose:      employs automated mechanisms to integrate:
-                      parts: 
-                        - 
-                          id:         au-6.1_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[1][a]
-                          prose:      audit review;
-                        - 
-                          id:         au-6.1_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[1][b]
-                          prose:      analysis;
-                        - 
-                          id:         au-6.1_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[1][c]
-                          prose:      reporting processes;
-                    - 
-                      id:         au-6.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-6(1)[2]
-                      prose: 
-                        """
-                          uses integrated audit review, analysis and reporting processes to support
-                                               organizational processes for:
-                        """
-                      parts: 
-                        - 
-                          id:         au-6.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[2][a]
-                          prose:      investigation of suspicious activities; and
-                        - 
-                          id:         au-6.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[2][b]
-                          prose:      response to suspicious activities.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms integrating audit review, analysis, and reporting
-                                               processes
-                        """
-            - 
-              id:         au-6.3
-              class:      SP800-53-enhancement
-              title:      Correlate Audit Repositories
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(3)
-                - 
-                  name:  sort-id
-                  value: au-06.03
-              parts: 
-                - 
-                  id:    au-6.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization analyzes and correlates audit records across different
-                                        repositories to gain organization-wide situational awareness.
-                    """
-                - 
-                  id:    au-6.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organization-wide situational awareness includes awareness across all three tiers
-                                        of risk management (i.e., organizational, mission/business process, and
-                                        information system) and supports cross-organization awareness.
-                    """
-                  links: 
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                - 
-                  id:         au-6.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization analyzes and correlates audit records across
-                                        different repositories to gain organization-wide situational awareness. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records across different repositories\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting analysis and correlation of audit records
-            - 
-              id:         au-6.4
-              class:      SP800-53-enhancement
-              title:      Central Review and Analysis
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(4)
-                - 
-                  name:  sort-id
-                  value: au-06.04
-              parts: 
-                - 
-                  id:    au-6.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system provides the capability to centrally review and analyze
-                                        audit records from multiple components within the system.
-                    """
-                - 
-                  id:    au-6.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms for centralized reviews and analyses include, for example,
-                                        Security Information Management products.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                - 
-                  id:         au-6.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system provides the capability to centrally review
-                                        and analyze audit records from multiple components within the system.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Information system capability to centralize review and analysis of audit
-                                               records
-                        """
-            - 
-              id:         au-6.5
-              class:      SP800-53-enhancement
-              title:      Integration / Scanning and Monitoring Capabilities
-              parameters: 
-                - 
-                  id: au-6.5_prm_1
-                - 
-                  id:          au-6.5_prm_2
-                  depends-on:  au-6.5_prm_1
-                  label:       organization-defined data/information collected from other sources
-                  constraints: 
-                    - 
-                      detail: Possibly to include penetration test data.
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(5)
-                - 
-                  name:  sort-id
-                  value: au-06.05
-              parts: 
-                - 
-                  id:    au-6.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization integrates analysis of audit records with analysis of {{ au-6.5_prm_1 }} to further enhance the ability to identify
-                                        inappropriate or unusual activity.
-                    """
-                - 
-                  id:    au-6.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement does not require vulnerability scanning, the generation
-                                        of performance data, or information system monitoring. Rather, the enhancement
-                                        requires that the analysis of information being otherwise produced in these areas
-                                        is integrated with the analysis of audit information. Security Event and
-                                        Information Management System tools can facilitate audit record
-                                        aggregation/consolidation from multiple information system components as well as
-                                        audit record correlation and analysis. The use of standardized audit record
-                                        analysis scripts developed by organizations (with localized script adjustments, as
-                                        necessary) provides more cost-effective approaches for analyzing audit record
-                                        information collected. The correlation of audit record information with
-                                        vulnerability scanning information is important in determining the veracity of
-                                        vulnerability scans and correlating attack detection events with scanning results.
-                                        Correlation with performance data can help uncover denial of service attacks or
-                                        cyber attacks resulting in unauthorized use of resources. Correlation with system
-                                        monitoring information can assist in uncovering attacks and in better relating
-                                        audit information to operational situations.
-                    """
-                  links: 
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    au-6.5_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         au-6.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(5)[1]
-                      prose:      defines data/information to be collected from other sources;
-                    - 
-                      id:         au-6.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-6(5)[2]
-                      prose: 
-                        """
-                          selects sources of data/information to be analyzed and integrated with the
-                                               analysis of audit records from one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         au-6.5_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(5)[2][a]
-                          prose:      vulnerability scanning information;
-                        - 
-                          id:         au-6.5_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(5)[2][b]
-                          prose:      performance data;
-                        - 
-                          id:         au-6.5_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(5)[2][c]
-                          prose:      information system monitoring information; and/or
-                        - 
-                          id:         au-6.5_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(5)[2][d]
-                          prose:      organization-defined data/information collected from other sources; and
-                    - 
-                      id:         au-6.5_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-6(5)[3]
-                      prose: 
-                        """
-                          integrates the analysis of audit records with the analysis of selected
-                                               data/information to further enhance the ability to identify inappropriate or
-                                               unusual activity.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information,
-                                               performance data, network monitoring information and associated
-                                               documentation\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing capability to integrate analysis of audit
-                                               records with analysis of data/information sources
-                        """
-            - 
-              id:         au-6.6
-              class:      SP800-53-enhancement
-              title:      Correlation with Physical Monitoring
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(6)
-                - 
-                  name:  sort-id
-                  value: au-06.06
-              parts: 
-                - 
-                  id:    au-6.6_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization correlates information from audit records with information
-                                        obtained from monitoring physical access to further enhance the ability to
-                                        identify suspicious, inappropriate, unusual, or malevolent activity.
-                    """
-                  parts: 
-                    - 
-                      id:    au-6.6_fr
-                      name:  item
-                      title: AU-6 (6) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         au-6.6_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-                - 
-                  id:    au-6.6_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The correlation of physical audit information and audit logs from information
-                                        systems may assist organizations in identifying examples of suspicious behavior or
-                                        supporting evidence of such behavior. For example, the correlation of an
-                                        individual’s identity for logical access to certain information systems with the
-                                        additional physical security information that the individual was actually present
-                                        at the facility when the logical access occurred, may prove to be useful in
-                                        investigations.
-                    """
-                - 
-                  id:         au-6.6_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization correlates information from audit records with
-                                        information obtained from monitoring physical access to enhance the ability to
-                                        identify suspicious, inappropriate, unusual, or malevolent activity.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit
-                                               records and physical access monitoring records\n\nsecurity plan\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing capability to correlate information from
-                                               audit records with information from monitoring physical access
-                        """
-            - 
-              id:         au-6.7
-              class:      SP800-53-enhancement
-              title:      Permitted Actions
-              parameters: 
-                - 
-                  id:          au-6.7_prm_1
-                  constraints: 
-                    - 
-                      detail: information system process; role; user
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(7)
-                - 
-                  name:  sort-id
-                  value: au-06.07
-              parts: 
-                - 
-                  id:    au-6.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization specifies the permitted actions for each {{ au-6.7_prm_1 }} associated with the review, analysis, and reporting
-                                        of audit information.
-                    """
-                - 
-                  id:    au-6.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations specify permitted actions for information system processes, roles,
-                                        and/or users associated with the review, analysis, and reporting of audit records
-                                        through account management techniques. Specifying permitted actions on audit
-                                        information is a way to enforce the principle of least privilege. Permitted
-                                        actions are enforced by the information system and include, for example, read,
-                                        write, execute, append, and delete.
-                    """
-                - 
-                  id:         au-6.7_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization specifies the permitted actions for each one or more
-                                        of the following associated with the review, analysis and reporting of audit
-                                        information:
-                    """
-                  parts: 
-                    - 
-                      id:         au-6.7_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(7)[1]
-                      prose:      information system process;
-                    - 
-                      id:         au-6.7_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(7)[2]
-                      prose:      role; and/or
-                    - 
-                      id:         au-6.7_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(7)[3]
-                      prose:      user.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\nprocedures addressing process, role and/or user permitted actions from audit
-                                               review, analysis, and reporting\n\nsecurity plan\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting permitted actions for review, analysis, and
-                                               reporting of audit information
-                        """
-            - 
-              id:         au-6.10
-              class:      SP800-53-enhancement
-              title:      Audit Level Adjustment
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(10)
-                - 
-                  name:  sort-id
-                  value: au-06.10
-              parts: 
-                - 
-                  id:    au-6.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization adjusts the level of audit review, analysis, and reporting within
-                                        the information system when there is a change in risk based on law enforcement
-                                        information, intelligence information, or other credible sources of
-                                        information.
-                    """
-                - 
-                  id:    au-6.10_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The frequency, scope, and/or depth of the audit review, analysis, and reporting
-                                        may be adjusted to meet organizational needs based on new information
-                                        received.
-                    """
-                - 
-                  id:         au-6.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization adjusts the level of audit review, analysis, and
-                                        reporting within the information system when there is a change in risk based
-                                        on:
-                    """
-                  parts: 
-                    - 
-                      id:         au-6.10_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(10)[1]
-                      prose:      law enforcement information;
-                    - 
-                      id:         au-6.10_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(10)[2]
-                      prose:      intelligence information; and/or
-                    - 
-                      id:         au-6.10_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(10)[3]
-                      prose:      other credible sources of information.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\norganizational risk assessment\n\nsecurity control assessment\n\nvulnerability assessment\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting review, analysis, and reporting of audit
-                                               information
-                        """
-        - 
-          id:         au-7
-          class:      SP800-53
-          title:      Audit Reduction and Report Generation
-          properties: 
-            - 
-              name:  label
-              value: AU-7
-            - 
-              name:  sort-id
-              value: au-07
-          parts: 
-            - 
-              id:    au-7_smt
-              name:  statement
-              prose: 
-                """
-                  The information system provides an audit reduction and report generation capability
-                                 that:
-                """
-              parts: 
-                - 
-                  id:         au-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Supports on-demand audit review, analysis, and reporting requirements and
-                                        after-the-fact investigations of security incidents; and
-                    """
-                - 
-                  id:         au-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Does not alter the original content or time ordering of audit records.
-            - 
-              id:    au-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit reduction is a process that manipulates collected audit information and
-                                 organizes such information in a summary format that is more meaningful to analysts.
-                                 Audit reduction and report generation capabilities do not always emanate from the
-                                 same information system or from the same organizational entities conducting auditing
-                                 activities. Audit reduction capability can include, for example, modern data mining
-                                 techniques with advanced data filters to identify anomalous behavior in audit
-                                 records. The report generation capability provided by the information system can
-                                 generate customizable reports. Time ordering of audit records can be a significant
-                                 issue if the granularity of the timestamp in the record is insufficient.
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-            - 
-              id:    au-7_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system provides an audit reduction and report generation
-                                 capability that supports:
-                """
-              parts: 
-                - 
-                  id:         au-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AU-7(a)
-                  parts: 
-                    - 
-                      id:         au-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-7(a)[1]
-                      prose:      on-demand audit review;
-                    - 
-                      id:         au-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-7(a)[2]
-                      prose:      analysis;
-                    - 
-                      id:         au-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-7(a)[3]
-                      prose:      reporting requirements;
-                    - 
-                      id:         au-7.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-7(a)[4]
-                      prose:      after-the-fact investigations of security incidents; and
-                - 
-                  id:         au-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-7(b)
-                  prose:      does not alter the original content or time ordering of audit records.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with audit reduction and report generation
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit reduction and report generation capability
-          controls: 
-            - 
-              id:         au-7.1
-              class:      SP800-53-enhancement
-              title:      Automatic Processing
-              parameters: 
-                - 
-                  id:    au-7.1_prm_1
-                  label: organization-defined audit fields within audit records
-              properties: 
-                - 
-                  name:  label
-                  value: AU-7(1)
-                - 
-                  name:  sort-id
-                  value: au-07.01
-              parts: 
-                - 
-                  id:    au-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system provides the capability to process audit records for events
-                                        of interest based on {{ au-7.1_prm_1 }}.
-                    """
-                - 
-                  id:    au-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Events of interest can be identified by the content of specific audit record
-                                        fields including, for example, identities of individuals, event types, event
-                                        locations, event times, event dates, system resources involved, IP addresses
-                                        involved, or information objects accessed. Organizations may define audit event
-                                        criteria to any degree of granularity required, for example, locations selectable
-                                        by general networking location (e.g., by network or subnetwork) or selectable by
-                                        specific information system component.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                - 
-                  id:    au-7.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-7.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-7(1)[1]
-                      prose: 
-                        """
-                          the organization defines audit fields within audit records in order to process
-                                               audit records for events of interest; and
-                        """
-                    - 
-                      id:         au-7.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-7(1)[2]
-                      prose: 
-                        """
-                          the information system provides the capability to process audit records for
-                                               events of interest based on the organization-defined audit fields within audit
-                                               records.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit reduction and report generation
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit reduction and report generation capability
-        - 
-          id:         au-8
-          class:      SP800-53
-          title:      Time Stamps
-          parameters: 
-            - 
-              id:          au-8_prm_1
-              label:       organization-defined granularity of time measurement
-              constraints: 
-                - 
-                  detail: one second granularity of time measurement
-          properties: 
-            - 
-              name:  label
-              value: AU-8
-            - 
-              name:  sort-id
-              value: au-08
-          parts: 
-            - 
-              id:    au-8_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Uses internal system clocks to generate time stamps for audit records; and
-                - 
-                  id:         au-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Records time stamps for audit records that can be mapped to Coordinated Universal
-                                        Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}.
-                    """
-            - 
-              id:    au-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Time stamps generated by the information system include date and time. Time is
-                                 commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-                                 Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-                                 measurements refers to the degree of synchronization between information system
-                                 clocks and reference clocks, for example, clocks synchronizing within hundreds of
-                                 milliseconds or within tens of milliseconds. Organizations may define different time
-                                 granularities for different system components. Time service can also be critical to
-                                 other security capabilities such as access control and identification and
-                                 authentication, depending on the nature of the mechanisms used to support those
-                                 capabilities.
-                """
-              links: 
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-            - 
-              id:    au-8_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-8(a)
-                  prose: 
-                    """
-                      the information system uses internal system clocks to generate time stamps for
-                                        audit records;
-                    """
-                - 
-                  id:         au-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-8(b)
-                  parts: 
-                    - 
-                      id:         au-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-8(b)[1]
-                      prose: 
-                        """
-                          the information system records time stamps for audit records that can be mapped
-                                               to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);
-                        """
-                    - 
-                      id:         au-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-8(b)[2]
-                      prose: 
-                        """
-                          the organization defines the granularity of time measurement to be met when
-                                               recording time stamps for audit records; and
-                        """
-                    - 
-                      id:         au-8.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-8(b)[3]
-                      prose: 
-                        """
-                          the organization records time stamps for audit records that meet the
-                                               organization-defined granularity of time measurement.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing time stamp generation
-          controls: 
-            - 
-              id:         au-8.1
-              class:      SP800-53-enhancement
-              title:      Synchronization with Authoritative Time Source
-              parameters: 
-                - 
-                  id:          au-8.1_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: At least hourly
-                - 
-                  id:          au-8.1_prm_2
-                  label:       organization-defined authoritative time source
-                  constraints: 
-                    - 
-                      detail: http://tf.nist.gov/tf-cgi/servers.cgi
-                - 
-                  id:    au-8.1_prm_3
-                  label: organization-defined time period
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AU-8(1)
-                - 
-                  name:  sort-id
-                  value: au-08.01
-              parts: 
-                - 
-                  id:    au-8.1_smt
-                  name:  statement
-                  prose: The information system:
-                  parts: 
-                    - 
-                      id:         au-8.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Compares the internal information system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and
-                    - 
-                      id:         au-8.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Synchronizes the internal system clocks to the authoritative time source when
-                                               the time difference is greater than {{ au-8.1_prm_3 }}.
-                        """
-                    - 
-                      id:    au-8.1_fr
-                      name:  item
-                      title: AU-8 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         au-8.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
-                        - 
-                          id:         au-8.1_fr_smt.2
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
-                        - 
-                          id:         au-8.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Synchronization of system clocks improves the accuracy of log analysis.
-                - 
-                  id:    au-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement provides uniformity of time stamps for information
-                                        systems with multiple system clocks and systems connected over a network.
-                    """
-                - 
-                  id:    au-8.1_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         au-8.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-8(1)(a)
-                      parts: 
-                        - 
-                          id:         au-8.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-8(1)(a)[1]
-                          prose: 
-                            """
-                              the organization defines the authoritative time source to which internal
-                                                      information system clocks are to be compared;
-                            """
-                        - 
-                          id:         au-8.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-8(1)(a)[2]
-                          prose: 
-                            """
-                              the organization defines the frequency to compare the internal information
-                                                      system clocks with the organization-defined authoritative time source;
-                                                      and
-                            """
-                        - 
-                          id:         au-8.1.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AU-8(1)(a)[3]
-                          prose: 
-                            """
-                              the information system compares the internal information system clocks with
-                                                      the organization-defined authoritative time source with organization-defined
-                                                      frequency; and
-                            """
-                      links: 
-                        - 
-                          href: #au-8.1_smt.a
-                          rel:  corresp
-                          text: AU-8(1)(a)
-                    - 
-                      id:         au-8.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-8(1)(b)
-                      parts: 
-                        - 
-                          id:         au-8.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-8(1)(b)[1]
-                          prose: 
-                            """
-                              the organization defines the time period that, if exceeded by the time
-                                                      difference between the internal system clocks and the authoritative time
-                                                      source, will result in the internal system clocks being synchronized to the
-                                                      authoritative time source; and
-                            """
-                        - 
-                          id:         au-8.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AU-8(1)(b)[2]
-                          prose: 
-                            """
-                              the information system synchronizes the internal information system clocks
-                                                      to the authoritative time source when the time difference is greater than
-                                                      the organization-defined time period.
-                            """
-                      links: 
-                        - 
-                          href: #au-8.1_smt.b
-                          rel:  corresp
-                          text: AU-8(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing internal information system clock
-                                               synchronization
-                        """
-        - 
-          id:         au-9
-          class:      SP800-53
-          title:      Protection of Audit Information
-          properties: 
-            - 
-              name:  label
-              value: AU-9
-            - 
-              name:  sort-id
-              value: au-09
-          parts: 
-            - 
-              id:    au-9_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects audit information and audit tools from unauthorized
-                                 access, modification, and deletion.
-                """
-            - 
-              id:    au-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit information includes all information (e.g., audit records, audit settings, and
-                                 audit reports) needed to successfully audit information system activity. This control
-                                 focuses on technical protection of audit information. Physical protection of audit
-                                 information is addressed by media protection controls and physical and environmental
-                                 protection controls.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-            - 
-              id:    au-9_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         au-9_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-9[1]
-                  prose:      the information system protects audit information from unauthorized:
-                  parts: 
-                    - 
-                      id:         au-9_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][a]
-                      prose:      access;
-                    - 
-                      id:         au-9_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][b]
-                      prose:      modification;
-                    - 
-                      id:         au-9_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][c]
-                      prose:      deletion;
-                - 
-                  id:         au-9_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-9[2]
-                  prose:      the information system protects audit tools from unauthorized:
-                  parts: 
-                    - 
-                      id:         au-9_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][a]
-                      prose:      access;
-                    - 
-                      id:         au-9_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][b]
-                      prose:      modification; and
-                    - 
-                      id:         au-9_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][c]
-                      prose:      deletion.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation,
-                                        information system audit records\n\naudit tools\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing audit information protection
-          controls: 
-            - 
-              id:         au-9.2
-              class:      SP800-53-enhancement
-              title:      Audit Backup On Separate Physical Systems / Components
-              parameters: 
-                - 
-                  id:          au-9.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least weekly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AU-9(2)
-                - 
-                  name:  sort-id
-                  value: au-09.02
-              parts: 
-                - 
-                  id:    au-9.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system backs up audit records {{ au-9.2_prm_1 }}
-                                        onto a physically different system or system component than the system or
-                                        component being audited.
-                    """
-                - 
-                  id:    au-9.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement helps to ensure that a compromise of the information
-                                        system being audited does not also result in a compromise of the audit
-                                        records.
-                    """
-                  links: 
-                    - 
-                      href: #au-4
-                      rel:  related
-                      text: AU-4
-                    - 
-                      href: #au-5
-                      rel:  related
-                      text: AU-5
-                    - 
-                      href: #au-11
-                      rel:  related
-                      text: AU-11
-                - 
-                  id:    au-9.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-9.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-9(2)[1]
-                      prose: 
-                        """
-                          the organization defines the frequency to back up audit records onto a
-                                               physically different system or system component than the system or component
-                                               being audited; and
-                        """
-                    - 
-                      id:         au-9.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-9(2)[2]
-                      prose: 
-                        """
-                          the information system backs up audit records with the organization-defined
-                                               frequency, onto a physically different system or system component than the
-                                               system or component being audited.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, system
-                                               or media storing backups of information system audit records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing the backing up of audit records
-            - 
-              id:         au-9.3
-              class:      SP800-53-enhancement
-              title:      Cryptographic Protection
-              properties: 
-                - 
-                  name:  label
-                  value: AU-9(3)
-                - 
-                  name:  sort-id
-                  value: au-09.03
-              parts: 
-                - 
-                  id:    au-9.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to protect the
-                                        integrity of audit information and audit tools.
-                    """
-                - 
-                  id:    au-9.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Cryptographic mechanisms used for protecting the integrity of audit information
-                                        include, for example, signed hash functions using asymmetric cryptography enabling
-                                        distribution of the public key to verify the hash information while maintaining
-                                        the confidentiality of the secret key used to generate the hash.
-                    """
-                  links: 
-                    - 
-                      href: #au-10
-                      rel:  related
-                      text: AU-10
-                    - 
-                      href: #sc-12
-                      rel:  related
-                      text: SC-12
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:    au-9.3_obj
-                  name:  objective
-                  prose: Determine if the information system:
-                  parts: 
-                    - 
-                      id:         au-9.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-9(3)[1]
-                      prose: 
-                        """
-                          uses cryptographic mechanisms to protect the integrity of audit information;
-                                               and
-                        """
-                    - 
-                      id:         au-9.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-9(3)[2]
-                      prose:      uses cryptographic mechanisms to protect the integrity of audit tools.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system hardware settings\n\ninformation system configuration settings and associated documentation,
-                                               information system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms protecting integrity of audit information and
-                                               tools
-                        """
-            - 
-              id:         au-9.4
-              class:      SP800-53-enhancement
-              title:      Access by Subset of Privileged Users
-              parameters: 
-                - 
-                  id:    au-9.4_prm_1
-                  label: organization-defined subset of privileged users
-              properties: 
-                - 
-                  name:  label
-                  value: AU-9(4)
-                - 
-                  name:  sort-id
-                  value: au-09.04
-              parts: 
-                - 
-                  id:    au-9.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization authorizes access to management of audit functionality to only
-                                           {{ au-9.4_prm_1 }}.
-                    """
-                - 
-                  id:    au-9.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Individuals with privileged access to an information system and who are also the
-                                        subject of an audit by that system, may affect the reliability of audit
-                                        information by inhibiting audit activities or modifying audit records. This
-                                        control enhancement requires that privileged access be further defined between
-                                        audit-related privileges and other privileges, thus limiting the users with
-                                        audit-related privileges.
-                    """
-                  links: 
-                    - 
-                      href: #ac-5
-                      rel:  related
-                      text: AC-5
-                - 
-                  id:    au-9.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         au-9.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-9(4)[1]
-                      prose: 
-                        """
-                          defines a subset of privileged users to be authorized access to management of
-                                               audit functionality; and
-                        """
-                    - 
-                      id:         au-9.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-9(4)[2]
-                      prose: 
-                        """
-                          authorizes access to management of audit functionality to only the
-                                               organization-defined subset of privileged users.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation,
-                                               system-generated list of privileged users with access to management of audit
-                                               functionality\n\naccess authorizations\n\naccess control list\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms managing access to audit functionality
-        - 
-          id:         au-10
-          class:      SP800-53
-          title:      Non-repudiation
-          parameters: 
-            - 
-              id:          au-10_prm_1
-              label:       organization-defined actions to be covered by non-repudiation
-              constraints: 
-                - 
-                  detail: minimum actions including the addition, modification, deletion, approval, sending, or receiving of data
-          properties: 
-            - 
-              name:  label
-              value: AU-10
-            - 
-              name:  sort-id
-              value: au-10
-          parts: 
-            - 
-              id:    au-10_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects against an individual (or process acting on behalf of
-                                 an individual) falsely denying having performed {{ au-10_prm_1 }}.
-                """
-            - 
-              id:    au-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Types of individual actions covered by non-repudiation include, for example, creating
-                                 information, sending and receiving messages, approving information (e.g., indicating
-                                 concurrence or signing a contract). Non-repudiation protects individuals against
-                                 later claims by: (i) authors of not having authored particular documents; (ii)
-                                 senders of not having transmitted messages; (iii) receivers of not having received
-                                 messages; or (iv) signatories of not having signed documents. Non-repudiation
-                                 services can be used to determine if information originated from a particular
-                                 individual, or if an individual took specific actions (e.g., sending an email,
-                                 signing a contract, approving a procurement request) or received specific
-                                 information. Organizations obtain non-repudiation services by employing various
-                                 techniques or mechanisms (e.g., digital signatures, digital message receipts).
-                """
-              links: 
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-16
-                  rel:  related
-                  text: SC-16
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-                - 
-                  href: #sc-23
-                  rel:  related
-                  text: SC-23
-            - 
-              id:    au-10_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         au-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-10[1]
-                  prose:      the organization defines actions to be covered by non-repudiation; and
-                - 
-                  id:         au-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-10[2]
-                  prose: 
-                    """
-                      the information system protects against an individual (or process acting on behalf
-                                        of an individual) falsely denying having performed organization-defined actions to
-                                        be covered by non-repudiation.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing non-repudiation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing non-repudiation capability
-        - 
-          id:         au-11
-          class:      SP800-53
-          title:      Audit Record Retention
-          parameters: 
-            - 
-              id:          au-11_prm_1
-              label:       organization-defined time period consistent with records retention policy
-              constraints: 
-                - 
-                  detail: at least one (1) year
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-11
-            - 
-              name:  sort-id
-              value: au-11
-          parts: 
-            - 
-              id:    au-11_smt
-              name:  statement
-              prose: 
-                """
-                  The organization retains audit records for {{ au-11_prm_1 }} to
-                                 provide support for after-the-fact investigations of security incidents and to meet
-                                 regulatory and organizational information retention requirements.
-                """
-              parts: 
-                - 
-                  id:    au-11_fr
-                  name:  item
-                  title: AU-11 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-11_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-            - 
-              id:    au-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations retain audit records until it is determined that they are no longer
-                                 needed for administrative, legal, audit, or other operational purposes. This
-                                 includes, for example, retention and availability of audit records relative to
-                                 Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-                                 Organizations develop standard categories of audit records relative to such types of
-                                 actions and standard response processes for each type of action. The National
-                                 Archives and Records Administration (NARA) General Records Schedules provide federal
-                                 policy on record retention.
-                """
-              links: 
-                - 
-                  href: #au-4
-                  rel:  related
-                  text: AU-4
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-            - 
-              id:    au-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-11_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-11[1]
-                  prose: 
-                    """
-                      defines a time period to retain audit records that is consistent with records
-                                        retention policy;
-                    """
-                - 
-                  id:         au-11_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AU-11[2]
-                  prose: 
-                    """
-                      retains audit records for the organization-defined time period consistent with
-                                        records retention policy to:
-                    """
-                  parts: 
-                    - 
-                      id:         au-11_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-11[2][a]
-                      prose: 
-                        """
-                          provide support for after-the-fact investigations of security incidents;
-                                               and
-                        """
-                    - 
-                      id:         au-11_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-11[2][b]
-                      prose:      meet regulatory and organizational information retention requirements.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-        - 
-          id:         au-12
-          class:      SP800-53
-          title:      Audit Generation
-          parameters: 
-            - 
-              id:          au-12_prm_1
-              label:       organization-defined information system components
-              constraints: 
-                - 
-                  detail: all information system and network components where audit capability is deployed/available
-            - 
-              id:    au-12_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: AU-12
-            - 
-              name:  sort-id
-              value: au-12
-          parts: 
-            - 
-              id:    au-12_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-12_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides audit record generation capability for the auditable events defined in
-                                        AU-2 a. at {{ au-12_prm_1 }};
-                    """
-                - 
-                  id:         au-12_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Allows {{ au-12_prm_2 }} to select which auditable events are to be
-                                        audited by specific components of the information system; and
-                    """
-                - 
-                  id:         au-12_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Generates audit records for the events defined in AU-2 d. with the content defined
-                                        in AU-3.
-                    """
-            - 
-              id:    au-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit records can be generated from many different information system components. The
-                                 list of audited events is the set of events for which audits are to be generated.
-                                 These events are typically a subset of all events for which the information system is
-                                 capable of generating audit records.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-            - 
-              id:    au-12_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-12.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(a)
-                  parts: 
-                    - 
-                      id:         au-12.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(a)[1]
-                      prose: 
-                        """
-                          the organization defines the information system components which are to provide
-                                               audit record generation capability for the auditable events defined in
-                                               AU-2a;
-                        """
-                    - 
-                      id:         au-12.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-12(a)[2]
-                      prose: 
-                        """
-                          the information system provides audit record generation capability, for the
-                                               auditable events defined in AU-2a, at organization-defined information system
-                                               components;
-                        """
-                - 
-                  id:         au-12.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(b)
-                  parts: 
-                    - 
-                      id:         au-12.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(b)[1]
-                      prose: 
-                        """
-                          the organization defines the personnel or roles allowed to select which
-                                               auditable events are to be audited by specific components of the information
-                                               system;
-                        """
-                    - 
-                      id:         au-12.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-12(b)[2]
-                      prose: 
-                        """
-                          the information system allows the organization-defined personnel or roles to
-                                               select which auditable events are to be audited by specific components of the
-                                               system; and
-                        """
-                - 
-                  id:         au-12.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-12(c)
-                  prose: 
-                    """
-                      the information system generates audit records for the events defined in AU-2d
-                                        with the content in defined in AU-3.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing audit record generation capability
-          controls: 
-            - 
-              id:         au-12.1
-              class:      SP800-53-enhancement
-              title:      System-wide / Time-correlated Audit Trail
-              parameters: 
-                - 
-                  id:          au-12.1_prm_1
-                  label:       organization-defined information system components
-                  constraints: 
-                    - 
-                      detail: all network, data storage, and computing devices
-                - 
-                  id:    au-12.1_prm_2
-                  label: 
-                    """
-                      organization-defined level of tolerance for the relationship between time
-                                        stamps of individual records in the audit trail
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: AU-12(1)
-                - 
-                  name:  sort-id
-                  value: au-12.01
-              parts: 
-                - 
-                  id:    au-12.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system compiles audit records from {{ au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail
-                                        that is time-correlated to within {{ au-12.1_prm_2 }}.
-                    """
-                - 
-                  id:    au-12.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Audit trails are time-correlated if the time stamps in the individual audit
-                                        records can be reliably related to the time stamps in other audit records to
-                                        achieve a time ordering of the records within organizational tolerances.
-                    """
-                  links: 
-                    - 
-                      href: #au-8
-                      rel:  related
-                      text: AU-8
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                - 
-                  id:    au-12.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-12.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(1)[1]
-                      prose: 
-                        """
-                          the organization defines the information system components from which audit
-                                               records are to be compiled into a system-wide (logical or physical) audit
-                                               trail;
-                        """
-                    - 
-                      id:         au-12.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(1)[2]
-                      prose: 
-                        """
-                          the organization defines the level of tolerance for the relationship between
-                                               time stamps of individual records in the audit trail; and
-                        """
-                    - 
-                      id:         au-12.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-12(1)[3]
-                      prose: 
-                        """
-                          the information system compiles audit records from organization-defined
-                                               information system components into a system-wide (logical or physical) audit
-                                               trail that is time-correlated to within the organization-defined level of
-                                               tolerance for the relationship between time stamps of individual records in the
-                                               audit trail.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit record generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing audit record generation capability
-            - 
-              id:         au-12.3
-              class:      SP800-53-enhancement
-              title:      Changes by Authorized Individuals
-              parameters: 
-                - 
-                  id:          au-12.3_prm_1
-                  label:       organization-defined individuals or roles
-                  constraints: 
-                    - 
-                      detail: service provider-defined individuals or roles with audit configuration responsibilities
-                - 
-                  id:          au-12.3_prm_2
-                  label:       organization-defined information system components
-                  constraints: 
-                    - 
-                      detail: all network, data storage, and computing devices
-                - 
-                  id:    au-12.3_prm_3
-                  label: organization-defined selectable event criteria
-                - 
-                  id:    au-12.3_prm_4
-                  label: organization-defined time thresholds
-              properties: 
-                - 
-                  name:  label
-                  value: AU-12(3)
-                - 
-                  name:  sort-id
-                  value: au-12.03
-              parts: 
-                - 
-                  id:    au-12.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system provides the capability for {{ au-12.3_prm_1 }} to change the auditing to be performed on {{ au-12.3_prm_2 }} based on {{ au-12.3_prm_3 }} within
-                                           {{ au-12.3_prm_4 }}.
-                    """
-                - 
-                  id:    au-12.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement enables organizations to extend or limit auditing as
-                                        necessary to meet organizational requirements. Auditing that is limited to
-                                        conserve information system resources may be extended to address certain threat
-                                        situations. In addition, auditing may be limited to a specific set of events to
-                                        facilitate audit reduction, analysis, and reporting. Organizations can establish
-                                        time thresholds in which audit actions are changed, for example, near real-time,
-                                        within minutes, or within hours.
-                    """
-                  links: 
-                    - 
-                      href: #au-7
-                      rel:  related
-                      text: AU-7
-                - 
-                  id:    au-12.3_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         au-12.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(3)[1]
-                      prose: 
-                        """
-                          the organization defines information system components on which auditing is to
-                                               be performed;
-                        """
-                    - 
-                      id:         au-12.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(3)[2]
-                      prose: 
-                        """
-                          the organization defines individuals or roles authorized to change the auditing
-                                               to be performed on organization-defined information system components;
-                        """
-                    - 
-                      id:         au-12.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(3)[3]
-                      prose: 
-                        """
-                          the organization defines time thresholds within which organization-defined
-                                               individuals or roles can change the auditing to be performed on
-                                               organization-defined information system components;
-                        """
-                    - 
-                      id:         au-12.3_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(3)[4]
-                      prose: 
-                        """
-                          the organization defines selectable event criteria that support the capability
-                                               for organization-defined individuals or roles to change the auditing to be
-                                               performed on organization-defined information system components; and
-                        """
-                    - 
-                      id:         au-12.3_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-12(3)[5]
-                      prose: 
-                        """
-                          the information system provides the capability for organization-defined
-                                               individuals or roles to change the auditing to be performed on
-                                               organization-defined information system components based on
-                                               organization-defined selectable event criteria within organization-defined time
-                                               thresholds.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\nprocedures addressing audit record generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to
-                                               be performed\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing audit record generation capability
-    - 
-      id:       ca
-      class:    family
-      title:    Security Assessment and Authorization
-      controls: 
-        - 
-          id:         ca-1
-          class:      SP800-53
-          title:      Security Assessment and Authorization Policy and Procedures
-          parameters: 
-            - 
-              id:    ca-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ca-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ca-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-1
-            - 
-              name:  sort-id
-              value: ca-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ca-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ca-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ca-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security assessment and authorization policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         ca-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security assessment and
-                                               authorization policy and associated security assessment and authorization
-                                               controls; and
-                        """
-                - 
-                  id:         ca-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ca-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Security assessment and authorization policy {{ ca-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         ca-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security assessment and authorization procedures {{ ca-1_prm_3 }}.
-            - 
-              id:    ca-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ca-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-1(a)
-                  parts: 
-                    - 
-                      id:         ca-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ca-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a security assessment and authorization policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         ca-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ca-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ca-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ca-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ca-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ca-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ca-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ca-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the security assessment and authorization
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         ca-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the security assessment and authorization policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         ca-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ca-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      security assessment and authorization policy and associated assessment and
-                                                      authorization controls;
-                            """
-                        - 
-                          id:         ca-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ca-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ca-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-1(b)
-                  parts: 
-                    - 
-                      id:         ca-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ca-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security assessment
-                                                      and authorization policy;
-                            """
-                        - 
-                          id:         ca-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security assessment and authorization policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         ca-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ca-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security assessment
-                                                      and authorization procedures; and
-                            """
-                        - 
-                          id:         ca-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security assessment and authorization
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security assessment and authorization
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ca-2
-          class:      SP800-53
-          title:      Security Assessments
-          parameters: 
-            - 
-              id:          ca-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ca-2_prm_2
-              label:       organization-defined individuals or roles
-              constraints: 
-                - 
-                  detail: individuals or roles to include FedRAMP PMO
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-2
-            - 
-              name:  sort-id
-              value: ca-02
-          links: 
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    ca-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops a security assessment plan that describes the scope of the assessment
-                                        including:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security controls and control enhancements under assessment;
-                    - 
-                      id:         ca-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Assessment procedures to be used to determine security control effectiveness;
-                                               and
-                        """
-                    - 
-                      id:         ca-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Assessment environment, assessment team, and assessment roles and
-                                               responsibilities;
-                        """
-                - 
-                  id:         ca-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Assesses the security controls in the information system and its environment of
-                                        operation {{ ca-2_prm_1 }} to determine the extent to which the
-                                        controls are implemented correctly, operating as intended, and producing the
-                                        desired outcome with respect to meeting established security requirements;
-                    """
-                - 
-                  id:         ca-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Produces a security assessment report that documents the results of the
-                                        assessment; and
-                    """
-                - 
-                  id:         ca-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Provides the results of the security control assessment to {{ ca-2_prm_2 }}.
-                - 
-                  id:    ca-2_fr
-                  name:  item
-                  title: CA-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-2_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations assess security controls in organizational information systems and the
-                                 environments in which those systems operate as part of: (i) initial and ongoing
-                                 security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-                                 and (iv) system development life cycle activities. Security assessments: (i) ensure
-                                 that information security is built into organizational information systems; (ii)
-                                 identify weaknesses and deficiencies early in the development process; (iii) provide
-                                 essential information needed to make risk-based decisions as part of security
-                                 authorization processes; and (iv) ensure compliance to vulnerability mitigation
-                                 procedures. Assessments are conducted on the implemented security controls from
-                                 Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-                                 in System Security Plans and Information Security Program Plans. Organizations can
-                                 use other types of assessment activities such as vulnerability scanning and system
-                                 monitoring to maintain the security posture of information systems during the entire
-                                 life cycle. Security assessment reports document assessment results in sufficient
-                                 detail as deemed necessary by organizations, to determine the accuracy and
-                                 completeness of the reports and whether the security controls are implemented
-                                 correctly, operating as intended, and producing the desired outcome with respect to
-                                 meeting security requirements. The FISMA requirement for assessing security controls
-                                 at least annually does not require additional assessment activities to those
-                                 activities already in place in organizational security authorization processes.
-                                 Security assessment results are provided to the individuals or roles appropriate for
-                                 the types of assessments being conducted. For example, assessments conducted in
-                                 support of security authorization decisions are provided to authorizing officials or
-                                 authorizing official designated representatives. To satisfy annual assessment
-                                 requirements, organizations can use assessment results from the following sources:
-                                 (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-                                 or (iii) system development life cycle activities. Organizations ensure that security
-                                 assessment results are current, relevant to the determination of security control
-                                 effectiveness, and obtained with the appropriate level of assessor independence.
-                                 Existing security control assessment results can be reused to the extent that the
-                                 results are still valid and can also be supplemented with additional assessments as
-                                 needed. Subsequent to initial authorizations and in accordance with OMB policy,
-                                 organizations assess security controls during continuous monitoring. Organizations
-                                 establish the frequency for ongoing security control assessments in accordance with
-                                 organizational continuous monitoring strategies. Information Assurance Vulnerability
-                                 Alerts provide useful examples of vulnerability mitigation procedures. External
-                                 audits (e.g., audits by external entities such as regulatory agencies) are outside
-                                 the scope of this control.
-                """
-              links: 
-                - 
-                  href: #ca-5
-                  rel:  related
-                  text: CA-5
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-2(a)
-                  prose: 
-                    """
-                      develops a security assessment plan that describes the scope of the assessment
-                                        including:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(1)
-                      prose:      security controls and control enhancements under assessment;
-                    - 
-                      id:         ca-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(2)
-                      prose: 
-                        """
-                          assessment procedures to be used to determine security control
-                                               effectiveness;
-                        """
-                    - 
-                      id:         ca-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(3)
-                      parts: 
-                        - 
-                          id:         ca-2.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[1]
-                          prose:      assessment environment;
-                        - 
-                          id:         ca-2.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[2]
-                          prose:      assessment team;
-                        - 
-                          id:         ca-2.a.3_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[3]
-                          prose:      assessment roles and responsibilities;
-                - 
-                  id:         ca-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(b)
-                  parts: 
-                    - 
-                      id:         ca-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to assess the security controls in the information system
-                                               and its environment of operation;
-                        """
-                    - 
-                      id:         ca-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-2(b)[2]
-                      prose: 
-                        """
-                          assesses the security controls in the information system with the
-                                               organization-defined frequency to determine the extent to which the controls
-                                               are implemented correctly, operating as intended, and producing the desired
-                                               outcome with respect to meeting established security requirements;
-                        """
-                - 
-                  id:         ca-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CA-2(c)
-                  prose: 
-                    """
-                      produces a security assessment report that documents the results of the
-                                        assessment;
-                    """
-                - 
-                  id:         ca-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(d)
-                  parts: 
-                    - 
-                      id:         ca-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(d)[1]
-                      prose: 
-                        """
-                          defines individuals or roles to whom the results of the security control
-                                               assessment are to be provided; and
-                        """
-                    - 
-                      id:         ca-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-2(d)[2]
-                      prose: 
-                        """
-                          provides the results of the security control assessment to organization-defined
-                                               individuals or roles.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting security assessment, security assessment plan
-                                        development, and/or security assessment reporting
-                    """
-          controls: 
-            - 
-              id:         ca-2.1
-              class:      SP800-53-enhancement
-              title:      Independent Assessors
-              parameters: 
-                - 
-                  id:    ca-2.1_prm_1
-                  label: organization-defined level of independence
-              properties: 
-                - 
-                  name:  label
-                  value: CA-2(1)
-                - 
-                  name:  sort-id
-                  value: ca-02.01
-              parts: 
-                - 
-                  id:    ca-2.1_smt
-                  name:  statement
-                  prose: The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.
-                  parts: 
-                    - 
-                      id:    ca-2.1_fr
-                      name:  item
-                      title: CA-2 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-2.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-                - 
-                  id:    ca-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Independent assessors or assessment teams are individuals or groups who conduct
-                                        impartial assessments of organizational information systems. Impartiality implies
-                                        that assessors are free from any perceived or actual conflicts of interest with
-                                        regard to the development, operation, or management of the organizational
-                                        information systems under assessment or to the determination of security control
-                                        effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                                        or conflicting interest with the organizations where the assessments are being
-                                        conducted; (ii) assess their own work; (iii) act as management or employees of the
-                                        organizations they are serving; or (iv) place themselves in positions of advocacy
-                                        for the organizations acquiring their services. Independent assessments can be
-                                        obtained from elements within organizations or can be contracted to public or
-                                        private sector entities outside of organizations. Authorizing officials determine
-                                        the required level of independence based on the security categories of information
-                                        systems and/or the ultimate risk to organizational operations, organizational
-                                        assets, or individuals. Authorizing officials also determine if the level of
-                                        assessor independence provides sufficient assurance that the results are sound and
-                                        can be used to make credible, risk-based decisions. This includes determining
-                                        whether contracted security assessment services have sufficient independence, for
-                                        example, when information system owners are not directly involved in contracting
-                                        processes or cannot unduly influence the impartiality of assessors conducting
-                                        assessments. In special situations, for example, when organizations that own the
-                                        information systems are small or organizational structures require that
-                                        assessments are conducted by individuals that are in the developmental,
-                                        operational, or management chain of system owners, independence in assessment
-                                        processes can be achieved by ensuring that assessment results are carefully
-                                        reviewed and analyzed by independent teams of experts to validate the
-                                        completeness, accuracy, integrity, and reliability of the results. Organizations
-                                        recognize that assessments performed for purposes other than direct support to
-                                        authorization decisions are, when performed by assessors with sufficient
-                                        independence, more likely to be useable for such decisions, thereby reducing the
-                                        need to repeat assessments.
-                    """
-                - 
-                  id:    ca-2.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-2.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(1)[1]
-                      prose: 
-                        """
-                          defines the level of independence to be employed to conduct security control
-                                               assessments; and
-                        """
-                    - 
-                      id:         ca-2.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-2(1)[2]
-                      prose: 
-                        """
-                          employs assessors or assessment teams with the organization-defined level of
-                                               independence to conduct security control assessments.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity authorization package (including security plan, security assessment
-                                               plan, security assessment report, plan of action and milestones, authorization
-                                               statement)\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ca-2.2
-              class:      SP800-53-enhancement
-              title:      Specialized Assessments
-              parameters: 
-                - 
-                  id:          ca-2.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least annually
-                - 
-                  id: ca-2.2_prm_2
-                - 
-                  id: ca-2.2_prm_3
-                - 
-                  id:         ca-2.2_prm_4
-                  depends-on: ca-2.2_prm_3
-                  label:      organization-defined other forms of security assessment
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CA-2(2)
-                - 
-                  name:  sort-id
-                  value: ca-02.02
-              parts: 
-                - 
-                  id:    ca-2.2_smt
-                  name:  statement
-                  prose: The organization includes as part of security control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}.
-                  parts: 
-                    - 
-                      id:    ca-2.2_fr
-                      name:  item
-                      title: CA-2 (2) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-2.2_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      To include 'announced', 'vulnerability scanning'
-                - 
-                  id:    ca-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can employ information system monitoring, insider threat
-                                        assessments, malicious user testing, and other forms of testing (e.g.,
-                                        verification and validation) to improve readiness by exercising organizational
-                                        capabilities and indicating current performance levels as a means of focusing
-                                        actions to improve security. Organizations conduct assessment activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        regulations, and standards. Authorizing officials approve the assessment methods
-                                        in coordination with the organizational risk executive function. Organizations can
-                                        incorporate vulnerabilities uncovered during assessments into vulnerability
-                                        remediation processes.
-                    """
-                  links: 
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #si-2
-                      rel:  related
-                      text: SI-2
-                - 
-                  id:    ca-2.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(2)[1]
-                      prose: 
-                        """
-                          selects one or more of the following forms of specialized security assessment
-                                               to be included as part of security control assessments:
-                        """
-                      parts: 
-                        - 
-                          id:         ca-2.2_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][a]
-                          prose:      in-depth monitoring;
-                        - 
-                          id:         ca-2.2_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][b]
-                          prose:      vulnerability scanning;
-                        - 
-                          id:         ca-2.2_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][c]
-                          prose:      malicious user testing;
-                        - 
-                          id:         ca-2.2_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][d]
-                          prose:      insider threat assessment;
-                        - 
-                          id:         ca-2.2_obj.1.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][e]
-                          prose:      performance/load testing; and/or
-                        - 
-                          id:         ca-2.2_obj.1.f
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][f]
-                          prose:      other forms of organization-defined specialized security assessment;
-                    - 
-                      id:         ca-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(2)[2]
-                      prose: 
-                        """
-                          defines the frequency for conducting the selected form(s) of specialized
-                                               security assessment;
-                        """
-                    - 
-                      id:         ca-2.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(2)[3]
-                      prose: 
-                        """
-                          defines whether the specialized security assessment will be announced or
-                                               unannounced; and
-                        """
-                    - 
-                      id:         ca-2.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-2(2)[4]
-                      prose: 
-                        """
-                          conducts announced or unannounced organization-defined forms of specialized
-                                               security assessments with the organization-defined frequency as part of
-                                               security control assessments.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting security control assessment
-            - 
-              id:         ca-2.3
-              class:      SP800-53-enhancement
-              title:      External Organizations
-              parameters: 
-                - 
-                  id:          ca-2.3_prm_1
-                  label:       organization-defined information system
-                  constraints: 
-                    - 
-                      detail: any FedRAMP Accredited 3PAO
-                - 
-                  id:          ca-2.3_prm_2
-                  label:       organization-defined external organization
-                  constraints: 
-                    - 
-                      detail: any FedRAMP Accredited 3PAO
-                - 
-                  id:          ca-2.3_prm_3
-                  label:       organization-defined requirements
-                  constraints: 
-                    - 
-                      detail: the conditions of the JAB/AO in the FedRAMP Repository
-              properties: 
-                - 
-                  name:  label
-                  value: CA-2(3)
-                - 
-                  name:  sort-id
-                  value: ca-02.03
-              parts: 
-                - 
-                  id:    ca-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization accepts the results of an assessment of {{ ca-2.3_prm_1 }} performed by {{ ca-2.3_prm_2 }} when
-                                        the assessment meets {{ ca-2.3_prm_3 }}.
-                    """
-                - 
-                  id:    ca-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may often rely on assessments of specific information systems by
-                                        other (external) organizations. Utilizing such existing assessments (i.e., reusing
-                                        existing assessment evidence) can significantly decrease the time and resources
-                                        required for organizational assessments by limiting the amount of independent
-                                        assessment activities that organizations need to perform. The factors that
-                                        organizations may consider in determining whether to accept assessment results
-                                        from external organizations can vary. Determinations for accepting assessment
-                                        results can be based on, for example, past assessment experiences one organization
-                                        has had with another organization, the reputation that organizations have with
-                                        regard to assessments, the level of detail of supporting assessment documentation
-                                        provided, or mandates imposed upon organizations by federal legislation, policies,
-                                        or directives.
-                    """
-                - 
-                  id:    ca-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(3)[1]
-                      prose: 
-                        """
-                          defines an information system for which the results of a security assessment
-                                               performed by an external organization are to be accepted;
-                        """
-                    - 
-                      id:         ca-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(3)[2]
-                      prose: 
-                        """
-                          defines an external organization from which to accept a security assessment
-                                               performed on an organization-defined information system;
-                        """
-                    - 
-                      id:         ca-2.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(3)[3]
-                      prose: 
-                        """
-                          defines the requirements to be met by a security assessment performed by
-                                               organization-defined external organization on organization-defined information
-                                               system; and
-                        """
-                    - 
-                      id:         ca-2.3_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-2(3)[4]
-                      prose: 
-                        """
-                          accepts the results of an assessment of an organization-defined information
-                                               system performed by an organization-defined external organization when the
-                                               assessment meets organization-defined requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity plan\n\nsecurity assessment requirements\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel performing security assessments for the specified external
-                                               organization
-                        """
-        - 
-          id:         ca-3
-          class:      SP800-53
-          title:      System Interconnections
-          parameters: 
-            - 
-              id:          ca-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: At least annually and on input from FedRAMP
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-3
-            - 
-              name:  sort-id
-              value: ca-03
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #2711f068-734e-4afd-94ba-0b22247fbc88
-              rel:  reference
-              text: NIST Special Publication 800-47
-          parts: 
-            - 
-              id:    ca-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Authorizes connections from the information system to other information systems
-                                        through the use of Interconnection Security Agreements;
-                    """
-                - 
-                  id:         ca-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents, for each interconnection, the interface characteristics, security
-                                        requirements, and the nature of the information communicated; and
-                    """
-                - 
-                  id:         ca-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}.
-            - 
-              id:    ca-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to dedicated connections between information systems (i.e.,
-                                 system interconnections) and does not apply to transitory, user-controlled
-                                 connections such as email and website browsing. Organizations carefully consider the
-                                 risks that may be introduced when information systems are connected to other systems
-                                 with different security requirements and security controls, both within organizations
-                                 and external to organizations. Authorizing officials determine the risk associated
-                                 with information system connections and the appropriate controls employed. If
-                                 interconnecting systems have the same authorizing official, organizations do not need
-                                 to develop Interconnection Security Agreements. Instead, organizations can describe
-                                 the interface characteristics between those interconnecting systems in their
-                                 respective security plans. If interconnecting systems have different authorizing
-                                 officials within the same organization, organizations can either develop
-                                 Interconnection Security Agreements or describe the interface characteristics between
-                                 systems in the security plans for the respective systems. Organizations may also
-                                 incorporate Interconnection Security Agreement information into formal contracts,
-                                 especially for interconnections established between federal agencies and nonfederal
-                                 (i.e., private sector) organizations. Risk considerations also include information
-                                 systems sharing the same networks. For certain technologies (e.g., space, unmanned
-                                 aerial vehicles, and medical devices), there may be specialized connections in place
-                                 during preoperational testing. Such connections may require Interconnection Security
-                                 Agreements and be subject to additional security controls.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #au-16
-                  rel:  related
-                  text: AU-16
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CA-3(a)
-                  prose: 
-                    """
-                      authorizes connections from the information system to other information systems
-                                        through the use of Interconnection Security Agreements;
-                    """
-                - 
-                  id:         ca-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-3(b)
-                  prose:      documents, for each interconnection:
-                  parts: 
-                    - 
-                      id:         ca-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[1]
-                      prose:      the interface characteristics;
-                    - 
-                      id:         ca-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[2]
-                      prose:      the security requirements;
-                    - 
-                      id:         ca-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[3]
-                      prose:      the nature of the information communicated;
-                - 
-                  id:         ca-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-3(c)
-                  parts: 
-                    - 
-                      id:         ca-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-3(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update Interconnection Security Agreements;
-                                               and
-                        """
-                    - 
-                      id:         ca-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-3(c)[2]
-                      prose: 
-                        """
-                          reviews and updates Interconnection Security Agreements with the
-                                               organization-defined frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for developing, implementing, or
-                                        approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement
-                                        applies
-                    """
-          controls: 
-            - 
-              id:         ca-3.3
-              class:      SP800-53-enhancement
-              title:      Unclassified Non-national Security System Connections
-              parameters: 
-                - 
-                  id:    ca-3.3_prm_1
-                  label: organization-defined unclassified, non-national security system
-                - 
-                  id:          ca-3.3_prm_2
-                  label:       Assignment; organization-defined boundary protection device
-                  constraints: 
-                    - 
-                      detail: boundary protections which meet the Trusted Internet Connection (TIC) requirements
-              properties: 
-                - 
-                  name:  label
-                  value: CA-3(3)
-                - 
-                  name:  sort-id
-                  value: ca-03.03
-              parts: 
-                - 
-                  id:    ca-3.3_smt
-                  name:  statement
-                  prose: The organization prohibits the direct connection of an {{ ca-3.3_prm_1 }} to an external network without the use of {{ ca-3.3_prm_2 }}.
-                  parts: 
-                    - 
-                      id:    ca-3.3_fr
-                      name:  item
-                      title: CA-3 (3) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-3.3_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.
-                - 
-                  id:    ca-3.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations typically do not have control over external networks (e.g., the
-                                        Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate
-                                        communications (i.e., information flows) between unclassified non-national
-                                        security systems and external networks. This control enhancement is required for
-                                        organizations processing, storing, or transmitting Controlled Unclassified
-                                        Information (CUI).
-                    """
-                - 
-                  id:    ca-3.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-3.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-3(3)[1]
-                      prose: 
-                        """
-                          defines an unclassified, non-national security system whose direct connection
-                                               to an external network is to be prohibited without the use of approved boundary
-                                               protection device;
-                        """
-                    - 
-                      id:         ca-3.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-3(3)[2]
-                      prose: 
-                        """
-                          defines a boundary protection device to be used to establish the direct
-                                               connection of an organization-defined unclassified, non-national security
-                                               system to an external network; and
-                        """
-                    - 
-                      id:         ca-3.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-3(3)[3]
-                      prose: 
-                        """
-                          prohibits the direct connection of an organization-defined unclassified,
-                                               non-national security system to an external network without the use of an
-                                               organization-defined boundary protection device.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system interconnection security agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for managing direct connections to
-                                               external networks\n\nnetwork administrators\n\norganizational personnel with information security responsibilities\n\npersonnel managing directly connected external networks
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting the management of external network
-                                               connections
-                        """
-            - 
-              id:         ca-3.5
-              class:      SP800-53-enhancement
-              title:      Restrictions On External System Connections
-              parameters: 
-                - 
-                  id:          ca-3.5_prm_1
-                  constraints: 
-                    - 
-                      detail: deny-all, permit by exception
-                - 
-                  id:          ca-3.5_prm_2
-                  label:       organization-defined information systems
-                  constraints: 
-                    - 
-                      detail: any systems
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CA-3(5)
-                - 
-                  name:  sort-id
-                  value: ca-03.05
-              parts: 
-                - 
-                  id:    ca-3.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ ca-3.5_prm_1 }} policy for allowing
-                                           {{ ca-3.5_prm_2 }} to connect to external information
-                                        systems.
-                    """
-                  parts: 
-                    - 
-                      id:    ca-3.5_fr
-                      name:  item
-                      title: CA-3 (5) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-3.5_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing
-                - 
-                  id:    ca-3.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can constrain information system connectivity to external domains
-                                        (e.g., websites) by employing one of two policies with regard to such
-                                        connectivity: (i) allow-all, deny by exception, also known as blacklisting (the
-                                        weaker of the two policies); or (ii) deny-all, allow by exception, also known as
-                                        whitelisting (the stronger of the two policies). For either policy, organizations
-                                        determine what exceptions, if any, are acceptable.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                - 
-                  id:    ca-3.5_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ca-3.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-3(5)[1]
-                      prose: 
-                        """
-                          defines information systems to be allowed to connect to external information
-                                               systems;
-                        """
-                    - 
-                      id:         ca-3.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-3(5)[2]
-                      prose: 
-                        """
-                          employs one of the following policies for allowing organization-defined
-                                               information systems to connect to external information systems:
-                        """
-                      parts: 
-                        - 
-                          id:         ca-3.5_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-3(5)[2][a]
-                          prose:      allow-all policy;
-                        - 
-                          id:         ca-3.5_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-3(5)[2][b]
-                          prose:      deny-by-exception policy;
-                        - 
-                          id:         ca-3.5_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-3(5)[2][c]
-                          prose:      deny-all policy; or
-                        - 
-                          id:         ca-3.5_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-3(5)[2][d]
-                          prose:      permit-by-exception policy.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system interconnection agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for managing connections to
-                                               external information systems\n\nnetwork administrators\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing restrictions on external system
-                                               connections
-                        """
-        - 
-          id:         ca-5
-          class:      SP800-53
-          title:      Plan of Action and Milestones
-          parameters: 
-            - 
-              id:          ca-5_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-5
-            - 
-              name:  sort-id
-              value: ca-05
-          links: 
-            - 
-              href: #2c5884cd-7b96-425c-862a-99877e1cf909
-              rel:  reference
-              text: OMB Memorandum 02-01
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-          parts: 
-            - 
-              id:    ca-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops a plan of action and milestones for the information system to document
-                                        the organization’s planned remedial actions to correct weaknesses or deficiencies
-                                        noted during the assessment of the security controls and to reduce or eliminate
-                                        known vulnerabilities in the system; and
-                    """
-                - 
-                  id:         ca-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates existing plan of action and milestones {{ ca-5_prm_1 }}
-                                        based on the findings from security controls assessments, security impact
-                                        analyses, and continuous monitoring activities.
-                    """
-                - 
-                  id:    ca-5_fr
-                  name:  item
-                  title: CA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-5_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Plan of Action & Milestones (POA&M) must be provided at least monthly.
-                    - 
-                      id:         ca-5_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Plans of action and milestones are key documents in security authorization packages
-                                 and are subject to federal reporting requirements established by OMB.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #pm-4
-                  rel:  related
-                  text: PM-4
-            - 
-              id:    ca-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CA-5(a)
-                  prose:      develops a plan of action and milestones for the information system to:
-                  parts: 
-                    - 
-                      id:         ca-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(a)[1]
-                      prose: 
-                        """
-                          document the organization’s planned remedial actions to correct weaknesses or
-                                               deficiencies noted during the assessment of the security controls;
-                        """
-                    - 
-                      id:         ca-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(a)[2]
-                      prose:      reduce or eliminate known vulnerabilities in the system;
-                - 
-                  id:         ca-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-5(b)
-                  parts: 
-                    - 
-                      id:         ca-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-5(b)[1]
-                      prose:      defines the frequency to update the existing plan of action and milestones;
-                    - 
-                      id:         ca-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-5(b)[2]
-                      prose: 
-                        """
-                          updates the existing plan of action and milestones with the
-                                               organization-defined frequency based on the findings from:
-                        """
-                      parts: 
-                        - 
-                          id:         ca-5.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][a]
-                          prose:      security controls assessments;
-                        - 
-                          id:         ca-5.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][b]
-                          prose:      security impact analyses; and
-                        - 
-                          id:         ca-5.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][c]
-                          prose:      continuous monitoring activities.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with plan of action and milestones development and
-                                        implementation responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms for developing, implementing, and maintaining plan of action
-                                        and milestones
-                    """
-        - 
-          id:         ca-6
-          class:      SP800-53
-          title:      Security Authorization
-          parameters: 
-            - 
-              id:          ca-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three (3) years or when a significant change occurs
-          properties: 
-            - 
-              name:  label
-              value: CA-6
-            - 
-              name:  sort-id
-              value: ca-06
-          links: 
-            - 
-              href: #9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab
-              rel:  reference
-              text: OMB Circular A-130
-            - 
-              href: #bedb15b7-ec5c-4a68-807f-385125751fcd
-              rel:  reference
-              text: OMB Memorandum 11-33
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    ca-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Assigns a senior-level executive or manager as the authorizing official for the
-                                        information system;
-                    """
-                - 
-                  id:         ca-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that the authorizing official authorizes the information system for
-                                        processing before commencing operations; and
-                    """
-                - 
-                  id:         ca-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Updates the security authorization {{ ca-6_prm_1 }}.
-                - 
-                  id:    ca-6_fr
-                  name:  item
-                  title: CA-6(c) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-6_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-            - 
-              id:    ca-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security authorizations are official management decisions, conveyed through
-                                 authorization decision documents, by senior organizational officials or executives
-                                 (i.e., authorizing officials) to authorize operation of information systems and to
-                                 explicitly accept the risk to organizational operations and assets, individuals,
-                                 other organizations, and the Nation based on the implementation of agreed-upon
-                                 security controls. Authorizing officials provide budgetary oversight for
-                                 organizational information systems or assume responsibility for the mission/business
-                                 operations supported by those systems. The security authorization process is an
-                                 inherently federal responsibility and therefore, authorizing officials must be
-                                 federal employees. Through the security authorization process, authorizing officials
-                                 assume responsibility and are accountable for security risks associated with the
-                                 operation and use of organizational information systems. Accordingly, authorizing
-                                 officials are in positions with levels of authority commensurate with understanding
-                                 and accepting such information security-related risks. OMB policy requires that
-                                 organizations conduct ongoing authorizations of information systems by implementing
-                                 continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-                                 reauthorization requirements, so separate reauthorization processes are not
-                                 necessary. Through the employment of comprehensive continuous monitoring processes,
-                                 critical information contained in authorization packages (i.e., security plans,
-                                 security assessment reports, and plans of action and milestones) is updated on an
-                                 ongoing basis, providing authorizing officials and information system owners with an
-                                 up-to-date status of the security state of organizational information systems and
-                                 environments of operation. To reduce the administrative cost of security
-                                 reauthorization, authorizing officials use the results of continuous monitoring
-                                 processes to the maximum extent possible as the basis for rendering reauthorization
-                                 decisions.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #pm-10
-                  rel:  related
-                  text: PM-10
-            - 
-              id:    ca-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-6(a)
-                  prose: 
-                    """
-                      assigns a senior-level executive or manager as the authorizing official for the
-                                        information system;
-                    """
-                - 
-                  id:         ca-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CA-6(b)
-                  prose: 
-                    """
-                      ensures that the authorizing official authorizes the information system for
-                                        processing before commencing operations;
-                    """
-                - 
-                  id:         ca-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-6(c)
-                  parts: 
-                    - 
-                      id:         ca-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-6(c)[1]
-                      prose:      defines the frequency to update the security authorization; and
-                    - 
-                      id:         ca-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-6(c)[2]
-                      prose:      updates the security authorization with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms that facilitate security authorizations and updates
-        - 
-          id:         ca-7
-          class:      SP800-53
-          title:      Continuous Monitoring
-          parameters: 
-            - 
-              id:    ca-7_prm_1
-              label: organization-defined metrics
-            - 
-              id:    ca-7_prm_2
-              label: organization-defined frequencies
-            - 
-              id:    ca-7_prm_3
-              label: organization-defined frequencies
-            - 
-              id:          ca-7_prm_4
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: to meet Federal and FedRAMP requirements (See additional guidance)
-            - 
-              id:          ca-7_prm_5
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: to meet Federal and FedRAMP requirements (See additional guidance)
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-7
-            - 
-              name:  sort-id
-              value: ca-07
-          links: 
-            - 
-              href: #bedb15b7-ec5c-4a68-807f-385125751fcd
-              rel:  reference
-              text: OMB Memorandum 11-33
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-            - 
-              href: #8ade2fbe-e468-4ca8-9a40-54d7f23c32bb
-              rel:  reference
-              text: US-CERT Technical Cyber Security Alerts
-            - 
-              href: #2d8b14e9-c8b5-4d3d-8bdc-155078f3281b
-              rel:  reference
-              text: DoD Information Assurance Vulnerability Alerts
-          parts: 
-            - 
-              id:    ca-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops a continuous monitoring strategy and implements a
-                                 continuous monitoring program that includes:
-                """
-              parts: 
-                - 
-                  id:         ca-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Establishment of {{ ca-7_prm_1 }} to be monitored;
-                - 
-                  id:         ca-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;
-                - 
-                  id:         ca-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ongoing security control assessments in accordance with the organizational
-                                        continuous monitoring strategy;
-                    """
-                - 
-                  id:         ca-7_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Ongoing security status monitoring of organization-defined metrics in accordance
-                                        with the organizational continuous monitoring strategy;
-                    """
-                - 
-                  id:         ca-7_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Correlation and analysis of security-related information generated by assessments
-                                        and monitoring;
-                    """
-                - 
-                  id:         ca-7_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Response actions to address results of the analysis of security-related
-                                        information; and
-                    """
-                - 
-                  id:         ca-7_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Reporting the security status of organization and the information system to
-                                           {{ ca-7_prm_4 }}
-                                        {{ ca-7_prm_5 }}.
-                    """
-                - 
-                  id:    ca-7_fr
-                  name:  item
-                  title: CA-7 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-7_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-                    - 
-                      id:         ca-7_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-                    - 
-                      id:         ca-7_fr_gdn.2
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Continuous monitoring programs facilitate ongoing awareness of threats,
-                                 vulnerabilities, and information security to support organizational risk management
-                                 decisions. The terms continuous and ongoing imply that organizations assess/analyze
-                                 security controls and information security-related risks at a frequency sufficient to
-                                 support organizational risk-based decisions. The results of continuous monitoring
-                                 programs generate appropriate risk response actions by organizations. Continuous
-                                 monitoring programs also allow organizations to maintain the security authorizations
-                                 of information systems and common controls over time in highly dynamic environments
-                                 of operation with changing mission/business needs, threats, vulnerabilities, and
-                                 technologies. Having access to security-related information on a continuing basis
-                                 through reports/dashboards gives organizational officials the capability to make more
-                                 effective and timely risk management decisions, including ongoing security
-                                 authorization decisions. Automation supports more frequent updates to security
-                                 authorization packages, hardware/software/firmware inventories, and other system
-                                 information. Effectiveness is further enhanced when continuous monitoring outputs are
-                                 formatted to provide information that is specific, measurable, actionable, relevant,
-                                 and timely. Continuous monitoring activities are scaled in accordance with the
-                                 security categories of information systems.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-5
-                  rel:  related
-                  text: CA-5
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #pm-6
-                  rel:  related
-                  text: PM-6
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ca-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(a)
-                  parts: 
-                    - 
-                      id:         ca-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(a)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines metrics to be
-                                               monitored;
-                        """
-                    - 
-                      id:         ca-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(a)[2]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes monitoring of
-                                               organization-defined metrics;
-                        """
-                    - 
-                      id:         ca-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(a)[3]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes monitoring of
-                                               organization-defined metrics in accordance with the organizational continuous
-                                               monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(b)
-                  parts: 
-                    - 
-                      id:         ca-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines frequencies for
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[2]
-                      prose:      defines frequencies for assessments supporting monitoring;
-                    - 
-                      id:         ca-7.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[3]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes establishment of the
-                                               organization-defined frequencies for monitoring and for assessments supporting
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(b)[4]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes establishment of
-                                               organization-defined frequencies for monitoring and for assessments supporting
-                                               such monitoring in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(c)
-                  parts: 
-                    - 
-                      id:         ca-7.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(c)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes ongoing security
-                                               control assessments;
-                        """
-                    - 
-                      id:         ca-7.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(c)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes ongoing security
-                                               control assessments in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(d)
-                  parts: 
-                    - 
-                      id:         ca-7.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(d)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes ongoing security status
-                                               monitoring of organization-defined metrics;
-                        """
-                    - 
-                      id:         ca-7.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(d)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes ongoing security
-                                               status monitoring of organization-defined metrics in accordance with the
-                                               organizational continuous monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(e)
-                  parts: 
-                    - 
-                      id:         ca-7.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(e)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes correlation and
-                                               analysis of security-related information generated by assessments and
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(e)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes correlation and
-                                               analysis of security-related information generated by assessments and
-                                               monitoring in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(f)
-                  parts: 
-                    - 
-                      id:         ca-7.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(f)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes response actions to
-                                               address results of the analysis of security-related information;
-                        """
-                    - 
-                      id:         ca-7.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(f)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes response actions to
-                                               address results of the analysis of security-related information in accordance
-                                               with the organizational continuous monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(g)
-                  parts: 
-                    - 
-                      id:         ca-7.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines the personnel or roles
-                                               to whom the security status of the organization and information system are to
-                                               be reported;
-                        """
-                    - 
-                      id:         ca-7.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[2]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines the frequency to report
-                                               the security status of the organization and information system to
-                                               organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         ca-7.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[3]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes reporting the security
-                                               status of the organization or information system to organizational-defined
-                                               personnel or roles with the organization-defined frequency; and
-                        """
-                    - 
-                      id:         ca-7.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(g)[4]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes reporting the security
-                                               status of the organization and information system to organization-defined
-                                               personnel or roles with the organization-defined frequency in accordance with
-                                               the organizational continuous monitoring strategy.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security
-                                        controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Mechanisms implementing continuous monitoring
-          controls: 
-            - 
-              id:         ca-7.1
-              class:      SP800-53-enhancement
-              title:      Independent Assessment
-              parameters: 
-                - 
-                  id:    ca-7.1_prm_1
-                  label: organization-defined level of independence
-              properties: 
-                - 
-                  name:  label
-                  value: CA-7(1)
-                - 
-                  name:  sort-id
-                  value: ca-07.01
-              parts: 
-                - 
-                  id:    ca-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs assessors or assessment teams with {{ ca-7.1_prm_1 }} to monitor the security controls in the information
-                                        system on an ongoing basis.
-                    """
-                - 
-                  id:    ca-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can maximize the value of assessments of security controls during
-                                        the continuous monitoring process by requiring that such assessments be conducted
-                                        by assessors or assessment teams with appropriate levels of independence based on
-                                        continuous monitoring strategies. Assessor independence provides a degree of
-                                        impartiality to the monitoring process. To achieve such impartiality, assessors
-                                        should not: (i) create a mutual or conflicting interest with the organizations
-                                        where the assessments are being conducted; (ii) assess their own work; (iii) act
-                                        as management or employees of the organizations they are serving; or (iv) place
-                                        themselves in advocacy positions for the organizations acquiring their
-                                        services.
-                    """
-                - 
-                  id:    ca-7.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-7.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(1)[1]
-                      prose: 
-                        """
-                          defines a level of independence to be employed to monitor the security controls
-                                               in the information system on an ongoing basis; and
-                        """
-                    - 
-                      id:         ca-7.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-7(1)[2]
-                      prose: 
-                        """
-                          employs assessors or assessment teams with the organization-defined level of
-                                               independence to monitor the security controls in the information system on an
-                                               ongoing basis.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security
-                                               controls\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ca-7.3
-              class:      SP800-53-enhancement
-              title:      Trend Analyses
-              properties: 
-                - 
-                  name:  label
-                  value: CA-7(3)
-                - 
-                  name:  sort-id
-                  value: ca-07.03
-              parts: 
-                - 
-                  id:    ca-7.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs trend analyses to determine if security control
-                                        implementations, the frequency of continuous monitoring activities, and/or the
-                                        types of activities used in the continuous monitoring process need to be modified
-                                        based on empirical data.
-                    """
-                - 
-                  id:    ca-7.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Trend analyses can include, for example, examining recent threat information
-                                        regarding the types of threat events that have occurred within the organization or
-                                        across the federal government, success rates of certain types of cyber attacks,
-                                        emerging vulnerabilities in information technologies, evolving social engineering
-                                        techniques, results from multiple security control assessments, the effectiveness
-                                        of configuration settings, and findings from Inspectors General or auditors.
-                    """
-                - 
-                  id:         ca-7.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization employs trend analyses to determine if the following
-                                        items need to be modified based on empirical data:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-7.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(3)[1]
-                      prose:      security control implementations;
-                    - 
-                      id:         ca-7.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(3)[2]
-                      prose:      the frequency of continuous monitoring activities; and/or
-                    - 
-                      id:         ca-7.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(3)[3]
-                      prose:      the types of activities used in the continuous monitoring process.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Continuous monitoring strategy\n\nSecurity assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security
-                                               controls\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ca-8
-          class:      SP800-53
-          title:      Penetration Testing
-          parameters: 
-            - 
-              id:          ca-8_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:    ca-8_prm_2
-              label: organization-defined information systems or system components
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-8
-            - 
-              name:  sort-id
-              value: ca-08
-          parts: 
-            - 
-              id:    ca-8_smt
-              name:  statement
-              prose: 
-                """
-                  The organization conducts penetration testing {{ ca-8_prm_1 }} on
-                                    {{ ca-8_prm_2 }}.
-                """
-              parts: 
-                - 
-                  id:    ca-8_fr
-                  name:  item
-                  title: CA-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-8_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Penetration testing is a specialized type of assessment conducted on information
-                                 systems or individual system components to identify vulnerabilities that could be
-                                 exploited by adversaries. Such testing can be used to either validate vulnerabilities
-                                 or determine the degree of resistance organizational information systems have to
-                                 adversaries within a set of specified constraints (e.g., time, resources, and/or
-                                 skills). Penetration testing attempts to duplicate the actions of adversaries in
-                                 carrying out hostile cyber attacks against organizations and provides a more in-depth
-                                 analysis of security-related weaknesses/deficiencies. Organizations can also use the
-                                 results of vulnerability analyses to support penetration testing activities.
-                                 Penetration testing can be conducted on the hardware, software, or firmware
-                                 components of an information system and can exercise both physical and technical
-                                 security controls. A standard method for penetration testing includes, for example:
-                                 (i) pretest analysis based on full knowledge of the target system; (ii) pretest
-                                 identification of potential vulnerabilities based on pretest analysis; and (iii)
-                                 testing designed to determine exploitability of identified vulnerabilities. All
-                                 parties agree to the rules of engagement before the commencement of penetration
-                                 testing scenarios. Organizations correlate the penetration testing rules of
-                                 engagement with the tools, techniques, and procedures that are anticipated to be
-                                 employed by adversaries carrying out attacks. Organizational risk assessments guide
-                                 decisions on the level of independence required for personnel conducting penetration
-                                 testing.
-                """
-              links: 
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    ca-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-8_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-8[1]
-                  prose: 
-                    """
-                      defines information systems or system components on which penetration testing is
-                                        to be conducted;
-                    """
-                - 
-                  id:         ca-8_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-8[2]
-                  prose: 
-                    """
-                      defines the frequency to conduct penetration testing on organization-defined
-                                        information systems or system components; and
-                    """
-                - 
-                  id:         ca-8_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CA-8[3]
-                  prose: 
-                    """
-                      conducts penetration testing on organization-defined information systems or system
-                                        components with the organization-defined frequency.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing penetration testing\n\nsecurity plan\n\nsecurity assessment plan\n\npenetration test report\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities,
-                                        system/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting penetration testing
-          controls: 
-            - 
-              id:         ca-8.1
-              class:      SP800-53-enhancement
-              title:      Independent Penetration Agent or Team
-              properties: 
-                - 
-                  name:  label
-                  value: CA-8(1)
-                - 
-                  name:  sort-id
-                  value: ca-08.01
-              parts: 
-                - 
-                  id:    ca-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs an independent penetration agent or penetration team to
-                                        perform penetration testing on the information system or system components.
-                    """
-                - 
-                  id:    ca-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Independent penetration agents or teams are individuals or groups who conduct
-                                        impartial penetration testing of organizational information systems. Impartiality
-                                        implies that penetration agents or teams are free from any perceived or actual
-                                        conflicts of interest with regard to the development, operation, or management of
-                                        the information systems that are the targets of the penetration testing.
-                                        Supplemental guidance for CA-2 (1) provides additional information regarding
-                                        independent assessments that can be applied to penetration testing.
-                    """
-                  links: 
-                    - 
-                      href: #ca-2
-                      rel:  related
-                      text: CA-2
-                - 
-                  id:         ca-8.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization employs an independent penetration agent or
-                                        penetration team to perform penetration testing on the information system or
-                                        system components. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security assessment and authorization policy\n\nprocedures addressing penetration testing\n\nsecurity plan\n\nsecurity assessment plan\n\npenetration test report\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ca-9
-          class:      SP800-53
-          title:      Internal System Connections
-          parameters: 
-            - 
-              id:    ca-9_prm_1
-              label: 
-                """
-                  organization-defined information system components or classes of
-                                 components
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-9
-            - 
-              name:  sort-id
-              value: ca-09
-          parts: 
-            - 
-              id:    ca-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Authorizes internal connections of {{ ca-9_prm_1 }} to the
-                                        information system; and
-                    """
-                - 
-                  id:         ca-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents, for each internal connection, the interface characteristics, security
-                                        requirements, and the nature of the information communicated.
-                    """
-            - 
-              id:    ca-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to connections between organizational information systems and
-                                 (separate) constituent system components (i.e., intra-system connections) including,
-                                 for example, system connections with mobile devices, notebook/desktop computers,
-                                 printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-                                 authorizing each individual internal connection, organizations can authorize internal
-                                 connections for a class of components with common characteristics and/or
-                                 configurations, for example, all digital printers, scanners, and copiers with a
-                                 specified processing, storage, and transmission capability or all smart phones with a
-                                 specific baseline configuration.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-9_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-9(a)
-                  parts: 
-                    - 
-                      id:         ca-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-9(a)[1]
-                      prose: 
-                        """
-                          defines information system components or classes of components to be authorized
-                                               as internal connections to the information system;
-                        """
-                    - 
-                      id:         ca-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-9(a)[2]
-                      prose: 
-                        """
-                          authorizes internal connections of organization-defined information system
-                                               components or classes of components to the information system;
-                        """
-                - 
-                  id:         ca-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-9(b)
-                  prose:      documents, for each internal connection:
-                  parts: 
-                    - 
-                      id:         ca-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[1]
-                      prose:      the interface characteristics;
-                    - 
-                      id:         ca-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[2]
-                      prose:      the security requirements; and
-                    - 
-                      id:         ca-9.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[3]
-                      prose:      the nature of the information communicated.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system
-                                        connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for developing, implementing, or
-                                        authorizing internal system connections\n\norganizational personnel with information security responsibilities
-                    """
-    - 
-      id:       cm
-      class:    family
-      title:    Configuration Management
-      controls: 
-        - 
-          id:         cm-1
-          class:      SP800-53
-          title:      Configuration Management Policy and Procedures
-          parameters: 
-            - 
-              id:    cm-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          cm-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          cm-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-1
-            - 
-              name:  sort-id
-              value: cm-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    cm-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ cm-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         cm-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A configuration management policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         cm-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the configuration management
-                                               policy and associated configuration management controls; and
-                        """
-                - 
-                  id:         cm-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         cm-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Configuration management policy {{ cm-1_prm_2 }}; and
-                    - 
-                      id:         cm-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Configuration management procedures {{ cm-1_prm_3 }}.
-            - 
-              id:    cm-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CM
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    cm-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-1(a)
-                  parts: 
-                    - 
-                      id:         cm-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-1(a)(1)
-                      parts: 
-                        - 
-                          id:         cm-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[1]
-                          prose:      develops and documents a configuration management policy that addresses:
-                          parts: 
-                            - 
-                              id:         cm-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         cm-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         cm-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         cm-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         cm-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         cm-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         cm-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         cm-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the configuration management policy is to
-                                                      be disseminated;
-                            """
-                        - 
-                          id:         cm-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the configuration management policy to organization-defined
-                                                      personnel or roles;
-                            """
-                    - 
-                      id:         cm-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(a)(2)
-                      parts: 
-                        - 
-                          id:         cm-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      configuration management policy and associated configuration management
-                                                      controls;
-                            """
-                        - 
-                          id:         cm-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         cm-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         cm-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-1(b)
-                  parts: 
-                    - 
-                      id:         cm-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(b)(1)
-                      parts: 
-                        - 
-                          id:         cm-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current configuration
-                                                      management policy;
-                            """
-                        - 
-                          id:         cm-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current configuration management policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         cm-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(b)(2)
-                      parts: 
-                        - 
-                          id:         cm-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current configuration
-                                                      management procedures; and
-                            """
-                        - 
-                          id:         cm-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current configuration management procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-        - 
-          id:         cm-2
-          class:      SP800-53
-          title:      Baseline Configuration
-          properties: 
-            - 
-              name:  label
-              value: CM-2
-            - 
-              name:  sort-id
-              value: cm-02
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops, documents, and maintains under configuration control, a
-                                 current baseline configuration of the information system.
-                """
-            - 
-              id:    cm-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control establishes baseline configurations for information systems and system
-                                 components including communications and connectivity-related aspects of systems.
-                                 Baseline configurations are documented, formally reviewed and agreed-upon sets of
-                                 specifications for information systems or configuration items within those systems.
-                                 Baseline configurations serve as a basis for future builds, releases, and/or changes
-                                 to information systems. Baseline configurations include information about information
-                                 system components (e.g., standard software packages installed on workstations,
-                                 notebook computers, servers, network components, or mobile devices; current version
-                                 numbers and patch information on operating systems and applications; and
-                                 configuration settings/parameters), network topology, and the logical placement of
-                                 those components within the system architecture. Maintaining baseline configurations
-                                 requires creating new baselines as organizational information systems change over
-                                 time. Baseline configurations of information systems reflect the current enterprise
-                                 architecture.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #pm-5
-                  rel:  related
-                  text: PM-5
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-            - 
-              id:    cm-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-2_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CM-2[1]
-                  prose: 
-                    """
-                      develops and documents a current baseline configuration of the information system;
-                                        and
-                    """
-                - 
-                  id:         cm-2_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-2[2]
-                  prose: 
-                    """
-                      maintains, under configuration control, a current baseline configuration of the
-                                        information system.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline
-                                        configuration
-                    """
-          controls: 
-            - 
-              id:         cm-2.1
-              class:      SP800-53-enhancement
-              title:      Reviews and Updates
-              parameters: 
-                - 
-                  id:          cm-2.1_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least annually or when a significant change occurs
-                - 
-                  id:          cm-2.1_prm_2
-                  label:       Assignment organization-defined circumstances
-                  constraints: 
-                    - 
-                      detail: to include when directed by the JAB
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-2(1)
-                - 
-                  name:  sort-id
-                  value: cm-02.01
-              parts: 
-                - 
-                  id:    cm-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization reviews and updates the baseline configuration of the information
-                                        system:
-                    """
-                  parts: 
-                    - 
-                      id:         cm-2.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          
-                                               {{ cm-2.1_prm_1 }};
-                        """
-                    - 
-                      id:         cm-2.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      When required due to {{ cm-2.1_prm_2 }}; and
-                    - 
-                      id:         cm-2.1_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          As an integral part of information system component installations and
-                                               upgrades.
-                        """
-                    - 
-                      id:    cm-2.1_fr
-                      name:  item
-                      title: CM-8 Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         cm-2.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (a) Guidance:
-                          prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-                - 
-                  id:    cm-2.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cm-5
-                      rel:  related
-                      text: CM-5
-                - 
-                  id:    cm-2.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-2.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-2(1)(a)
-                      parts: 
-                        - 
-                          id:         cm-2.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(1)(a)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the baseline configuration of the
-                                                      information system;
-                            """
-                        - 
-                          id:         cm-2.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-2(1)(a)[2]
-                          prose: 
-                            """
-                              reviews and updates the baseline configuration of the information system
-                                                      with the organization-defined frequency;
-                            """
-                      links: 
-                        - 
-                          href: #cm-2.1_smt.a
-                          rel:  corresp
-                          text: CM-2(1)(a)
-                    - 
-                      id:         cm-2.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-2(1)(b)
-                      parts: 
-                        - 
-                          id:         cm-2.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(1)(b)[1]
-                          prose: 
-                            """
-                              defines circumstances that require the baseline configuration of the
-                                                      information system to be reviewed and updated;
-                            """
-                        - 
-                          id:         cm-2.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-2(1)(b)[2]
-                          prose: 
-                            """
-                              reviews and updates the baseline configuration of the information system
-                                                      when required due to organization-defined circumstances; and
-                            """
-                      links: 
-                        - 
-                          href: #cm-2.1_smt.b
-                          rel:  corresp
-                          text: CM-2(1)(b)
-                    - 
-                      id:         cm-2.1.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(1)(c)
-                      prose: 
-                        """
-                          reviews and updates the baseline configuration of the information system as an
-                                               integral part of information system component installations and upgrades.
-                        """
-                      links: 
-                        - 
-                          href: #cm-2.1_smt.c
-                          rel:  corresp
-                          text: CM-2(1)(c)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and
-                                               upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations/upgrades and associated records\n\nchange control records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting review and update of the baseline
-                                               configuration
-                        """
-            - 
-              id:         cm-2.2
-              class:      SP800-53-enhancement
-              title:      Automation Support for Accuracy / Currency
-              properties: 
-                - 
-                  name:  label
-                  value: CM-2(2)
-                - 
-                  name:  sort-id
-                  value: cm-02.02
-              parts: 
-                - 
-                  id:    cm-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to maintain an up-to-date, complete,
-                                        accurate, and readily available baseline configuration of the information
-                                        system.
-                    """
-                - 
-                  id:    cm-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms that help organizations maintain consistent baseline
-                                        configurations for information systems include, for example, hardware and software
-                                        inventory tools, configuration management tools, and network management tools.
-                                        Such tools can be deployed and/or allocated as common controls, at the information
-                                        system level, or at the operating system or component level (e.g., on
-                                        workstations, servers, notebook computers, network components, or mobile devices).
-                                        Tools can be used, for example, to track version numbers on operating system
-                                        applications, types of software installed, and current patch levels. This control
-                                        enhancement can be satisfied by the implementation of CM-8 (2) for organizations
-                                        that choose to combine information system component inventory and baseline
-                                        configuration activities.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    cm-2.2_obj
-                  name:  objective
-                  prose: Determine if the organization employs automated mechanisms to maintain: 
-                  parts: 
-                    - 
-                      id:         cm-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(2)[1]
-                      prose:      an up-to-date baseline configuration of the information system;
-                    - 
-                      id:         cm-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(2)[2]
-                      prose:      a complete baseline configuration of the information system;
-                    - 
-                      id:         cm-2.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(2)[3]
-                      prose:      an accurate baseline configuration of the information system; and
-                    - 
-                      id:         cm-2.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(2)[4]
-                      prose:      a readily available baseline configuration of the information system.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nconfiguration change control records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance
-            - 
-              id:         cm-2.3
-              class:      SP800-53-enhancement
-              title:      Retention of Previous Configurations
-              parameters: 
-                - 
-                  id:          cm-2.3_prm_1
-                  label: 
-                    """
-                      organization-defined previous versions of baseline configurations of the
-                                        information system
-                    """
-                  constraints: 
-                    - 
-                      detail: organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components
-              properties: 
-                - 
-                  name:  label
-                  value: CM-2(3)
-                - 
-                  name:  sort-id
-                  value: cm-02.03
-              parts: 
-                - 
-                  id:    cm-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization retains {{ cm-2.3_prm_1 }} to support
-                                        rollback.
-                    """
-                - 
-                  id:    cm-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Retaining previous versions of baseline configurations to support rollback may
-                                        include, for example, hardware, software, firmware, configuration files, and
-                                        configuration records.
-                    """
-                - 
-                  id:    cm-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-2(3)[1]
-                      prose: 
-                        """
-                          defines previous versions of baseline configurations of the information system
-                                               to be retained to support rollback; and
-                        """
-                    - 
-                      id:         cm-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(3)[2]
-                      prose: 
-                        """
-                          retains organization-defined previous versions of baseline configurations of
-                                               the information system to support rollback.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for managing baseline configurations
-            - 
-              id:         cm-2.7
-              class:      SP800-53-enhancement
-              title:      Configure Systems, Components, or Devices for High-risk Areas
-              parameters: 
-                - 
-                  id:    cm-2.7_prm_1
-                  label: 
-                    """
-                      organization-defined information systems, system components, or
-                                        devices
-                    """
-                - 
-                  id:    cm-2.7_prm_2
-                  label: organization-defined configurations
-                - 
-                  id:    cm-2.7_prm_3
-                  label: organization-defined security safeguards
-              properties: 
-                - 
-                  name:  label
-                  value: CM-2(7)
-                - 
-                  name:  sort-id
-                  value: cm-02.07
-              parts: 
-                - 
-                  id:    cm-2.7_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-2.7_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Issues {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }}
-                                               to individuals traveling to locations that the organization deems to be of
-                                               significant risk; and
-                        """
-                    - 
-                      id:         cm-2.7_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Applies {{ cm-2.7_prm_3 }} to the devices when the individuals
-                                               return.
-                        """
-                - 
-                  id:    cm-2.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      When it is known that information systems, system components, or devices (e.g.,
-                                        notebook computers, mobile devices) will be located in high-risk areas, additional
-                                        security controls may be implemented to counter the greater threat in such areas
-                                        coupled with the lack of physical security relative to organizational-controlled
-                                        areas. For example, organizational policies and procedures for notebook computers
-                                        used by individuals departing on and returning from travel include, for example,
-                                        determining which locations are of concern, defining required configurations for
-                                        the devices, ensuring that the devices are configured as intended before travel is
-                                        initiated, and applying specific safeguards to the device after travel is
-                                        completed. Specially configured notebook computers include, for example, computers
-                                        with sanitized hard drives, limited applications, and additional hardening (e.g.,
-                                        more stringent configuration settings). Specified safeguards applied to mobile
-                                        devices upon return from travel include, for example, examining the device for
-                                        signs of physical tampering and purging/reimaging the hard disk drive. Protecting
-                                        information residing on mobile devices is covered in the media protection
-                                        family.
-                    """
-                - 
-                  id:    cm-2.7_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-2.7.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-2(7)(a)
-                      parts: 
-                        - 
-                          id:         cm-2.7.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(7)(a)[1]
-                          prose: 
-                            """
-                              defines information systems, system components, or devices to be issued to
-                                                      individuals traveling to locations that the organization deems to be of
-                                                      significant risk;
-                            """
-                        - 
-                          id:         cm-2.7.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(7)(a)[2]
-                          prose: 
-                            """
-                              defines configurations to be employed on organization-defined information
-                                                      systems, system components, or devices issued to individuals traveling to
-                                                      such locations;
-                            """
-                        - 
-                          id:         cm-2.7.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-2(7)(a)[3]
-                          prose: 
-                            """
-                              issues organization-defined information systems, system components, or
-                                                      devices with organization-defined configurations to individuals traveling to
-                                                      locations that the organization deems to be of significant risk;
-                            """
-                      links: 
-                        - 
-                          href: #cm-2.7_smt.a
-                          rel:  corresp
-                          text: CM-2(7)(a)
-                    - 
-                      id:         cm-2.7.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-2(7)(b)
-                      parts: 
-                        - 
-                          id:         cm-2.7.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(7)(b)[1]
-                          prose: 
-                            """
-                              defines security safeguards to be applied to the devices when the
-                                                      individuals return; and
-                            """
-                        - 
-                          id:         cm-2.7.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-2(7)(b)[2]
-                          prose: 
-                            """
-                              applies organization-defined safeguards to the devices when the individuals
-                                                      return.
-                            """
-                      links: 
-                        - 
-                          href: #cm-2.7_smt.b
-                          rel:  corresp
-                          text: CM-2(7)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and
-                                               upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations/upgrades and associated records\n\nchange control records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for managing baseline configurations
-        - 
-          id:         cm-3
-          class:      SP800-53
-          title:      Configuration Change Control
-          parameters: 
-            - 
-              id:    cm-3_prm_1
-              label: organization-defined time period
-            - 
-              id:    cm-3_prm_2
-              label: 
-                """
-                  organization-defined configuration change control element (e.g., committee,
-                                 board)
-                """
-            - 
-              id: cm-3_prm_3
-            - 
-              id:         cm-3_prm_4
-              depends-on: cm-3_prm_3
-              label:      organization-defined frequency
-            - 
-              id:         cm-3_prm_5
-              depends-on: cm-3_prm_3
-              label:      organization-defined configuration change conditions
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-3
-            - 
-              name:  sort-id
-              value: cm-03
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines the types of changes to the information system that are
-                                        configuration-controlled;
-                    """
-                - 
-                  id:         cm-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews proposed configuration-controlled changes to the information system and
-                                        approves or disapproves such changes with explicit consideration for security
-                                        impact analyses;
-                    """
-                - 
-                  id:         cm-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Documents configuration change decisions associated with the information
-                                        system;
-                    """
-                - 
-                  id:         cm-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Implements approved configuration-controlled changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Retains records of configuration-controlled changes to the information system for
-                                           {{ cm-3_prm_1 }};
-                    """
-                - 
-                  id:         cm-3_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Audits and reviews activities associated with configuration-controlled changes to
-                                        the information system; and
-                    """
-                - 
-                  id:         cm-3_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Coordinates and provides oversight for configuration change control activities
-                                        through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}.
-                    """
-                - 
-                  id:    cm-3_fr
-                  name:  item
-                  title: CM-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-3_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.
-                    - 
-                      id:         cm-3_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e) Guidance:
-                      prose:      In accordance with record retention policies and procedures.
-            - 
-              id:    cm-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Configuration change controls for organizational information systems involve the
-                                 systematic proposal, justification, implementation, testing, review, and disposition
-                                 of changes to the systems, including system upgrades and modifications. Configuration
-                                 change control includes changes to baseline configurations for components and
-                                 configuration items of information systems, changes to configuration settings for
-                                 information technology products (e.g., operating systems, applications, firewalls,
-                                 routers, and mobile devices), unscheduled/unauthorized changes, and changes to
-                                 remediate vulnerabilities. Typical processes for managing configuration changes to
-                                 information systems include, for example, Configuration Control Boards that approve
-                                 proposed changes to systems. For new development information systems or systems
-                                 undergoing major upgrades, organizations consider including representatives from
-                                 development organizations on the Configuration Control Boards. Auditing of changes
-                                 includes activities before and after changes are made to organizational information
-                                 systems and the auditing activities required to implement such changes.
-                """
-              links: 
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-12
-                  rel:  related
-                  text: SI-12
-            - 
-              id:    cm-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-3(a)
-                  prose: 
-                    """
-                      determines the type of changes to the information system that must be
-                                        configuration-controlled;
-                    """
-                - 
-                  id:         cm-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CM-3(b)
-                  prose: 
-                    """
-                      reviews proposed configuration-controlled changes to the information system and
-                                        approves or disapproves such changes with explicit consideration for security
-                                        impact analyses;
-                    """
-                - 
-                  id:         cm-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CM-3(c)
-                  prose: 
-                    """
-                      documents configuration change decisions associated with the information
-                                        system;
-                    """
-                - 
-                  id:         cm-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-3(d)
-                  prose: 
-                    """
-                      implements approved configuration-controlled changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-3(e)
-                  parts: 
-                    - 
-                      id:         cm-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(e)[1]
-                      prose: 
-                        """
-                          defines a time period to retain records of configuration-controlled changes to
-                                               the information system;
-                        """
-                    - 
-                      id:         cm-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(e)[2]
-                      prose: 
-                        """
-                          retains records of configuration-controlled changes to the information system
-                                               for the organization-defined time period;
-                        """
-                - 
-                  id:         cm-3.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-3(f)
-                  prose: 
-                    """
-                      audits and reviews activities associated with configuration-controlled changes to
-                                        the information system;
-                    """
-                - 
-                  id:         cm-3.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-3(g)
-                  parts: 
-                    - 
-                      id:         cm-3.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(g)[1]
-                      prose: 
-                        """
-                          defines a configuration change control element (e.g., committee, board)
-                                               responsible for coordinating and providing oversight for configuration change
-                                               control activities;
-                        """
-                    - 
-                      id:         cm-3.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(g)[2]
-                      prose: 
-                        """
-                          defines the frequency with which the configuration change control element must
-                                               convene; and/or
-                        """
-                    - 
-                      id:         cm-3.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(g)[3]
-                      prose: 
-                        """
-                          defines configuration change conditions that prompt the configuration change
-                                               control element to convene; and
-                        """
-                    - 
-                      id:         cm-3.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(g)[4]
-                      prose: 
-                        """
-                          coordinates and provides oversight for configuration change control activities
-                                               through organization-defined configuration change control element that convenes
-                                               at organization-defined frequency and/or for any organization-defined
-                                               configuration change conditions.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\nsecurity plan\n\nchange control records\n\ninformation system audit records\n\nchange control audit and review reports\n\nagenda /minutes from configuration change control oversight meetings\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for configuration change control\n\nautomated mechanisms that implement configuration change control
-          controls: 
-            - 
-              id:         cm-3.1
-              class:      SP800-53-enhancement
-              title:      Automated Document / Notification / Prohibition of Changes
-              parameters: 
-                - 
-                  id:    cm-3.1_prm_1
-                  label: organized-defined approval authorities
-                - 
-                  id:          cm-3.1_prm_2
-                  label:       organization-defined time period
-                  constraints: 
-                    - 
-                      detail: organization agreed upon time period
-                - 
-                  id:          cm-3.1_prm_3
-                  label:       organization-defined personnel
-                  constraints: 
-                    - 
-                      detail: organization defined configuration management approval authorities
-              properties: 
-                - 
-                  name:  label
-                  value: CM-3(1)
-                - 
-                  name:  sort-id
-                  value: cm-03.01
-              parts: 
-                - 
-                  id:    cm-3.1_smt
-                  name:  statement
-                  prose: The organization employs automated mechanisms to:
-                  parts: 
-                    - 
-                      id:         cm-3.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Document proposed changes to the information system;
-                    - 
-                      id:         cm-3.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Notify {{ cm-3.1_prm_1 }} of proposed changes to the information
-                                               system and request change approval;
-                        """
-                    - 
-                      id:         cm-3.1_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          Highlight proposed changes to the information system that have not been
-                                               approved or disapproved by {{ cm-3.1_prm_2 }};
-                        """
-                    - 
-                      id:         cm-3.1_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose: 
-                        """
-                          Prohibit changes to the information system until designated approvals are
-                                               received;
-                        """
-                    - 
-                      id:         cm-3.1_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)
-                      prose:      Document all changes to the information system; and
-                    - 
-                      id:         cm-3.1_smt.f
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (f)
-                      prose: 
-                        """
-                          Notify {{ cm-3.1_prm_3 }} when approved changes to the
-                                               information system are completed.
-                        """
-                - 
-                  id:    cm-3.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-3.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(1)(a)
-                      prose: 
-                        """
-                          employs automated mechanisms to document proposed changes to the information
-                                               system;
-                        """
-                      links: 
-                        - 
-                          href: #cm-3.1_smt.a
-                          rel:  corresp
-                          text: CM-3(1)(a)
-                    - 
-                      id:         cm-3.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-3(1)(b)
-                      parts: 
-                        - 
-                          id:         cm-3.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-3(1)(b)[1]
-                          prose: 
-                            """
-                              defines approval authorities to be notified of proposed changes to the
-                                                      information system and request change approval;
-                            """
-                        - 
-                          id:         cm-3.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-3(1)(b)[2]
-                          prose: 
-                            """
-                              employs automated mechanisms to notify organization-defined approval
-                                                      authorities of proposed changes to the information system and request change
-                                                      approval;
-                            """
-                      links: 
-                        - 
-                          href: #cm-3.1_smt.b
-                          rel:  corresp
-                          text: CM-3(1)(b)
-                    - 
-                      id:         cm-3.1.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-3(1)(c)
-                      parts: 
-                        - 
-                          id:         cm-3.1.c_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-3(1)(c)[1]
-                          prose: 
-                            """
-                              defines the time period within which proposed changes to the information
-                                                      system that have not been approved or disapproved must be highlighted;
-                            """
-                        - 
-                          id:         cm-3.1.c_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-3(1)(c)[2]
-                          prose: 
-                            """
-                              employs automated mechanisms to highlight proposed changes to the
-                                                      information system that have not been approved or disapproved by
-                                                      organization-defined time period;
-                            """
-                      links: 
-                        - 
-                          href: #cm-3.1_smt.c
-                          rel:  corresp
-                          text: CM-3(1)(c)
-                    - 
-                      id:         cm-3.1.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(1)(d)
-                      prose: 
-                        """
-                          employs automated mechanisms to prohibit changes to the information system
-                                               until designated approvals are received;
-                        """
-                      links: 
-                        - 
-                          href: #cm-3.1_smt.d
-                          rel:  corresp
-                          text: CM-3(1)(d)
-                    - 
-                      id:         cm-3.1.e_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(1)(e)
-                      prose: 
-                        """
-                          employs automated mechanisms to document all changes to the information
-                                               system;
-                        """
-                      links: 
-                        - 
-                          href: #cm-3.1_smt.e
-                          rel:  corresp
-                          text: CM-3(1)(e)
-                    - 
-                      id:         cm-3.1.f_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-3(1)(f)
-                      parts: 
-                        - 
-                          id:         cm-3.1.f_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-3(1)(f)[1]
-                          prose: 
-                            """
-                              defines personnel to be notified when approved changes to the information
-                                                      system are completed; and
-                            """
-                        - 
-                          id:         cm-3.1.f_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-3(1)(f)[2]
-                          prose: 
-                            """
-                              employs automated mechanisms to notify organization-defined personnel when
-                                                      approved changes to the information system are completed.
-                            """
-                      links: 
-                        - 
-                          href: #cm-3.1_smt.f
-                          rel:  corresp
-                          text: CM-3(1)(f)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\nautomated configuration control mechanisms\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nchange approval requests\n\nchange approvals\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities
-            - 
-              id:         cm-3.2
-              class:      SP800-53-enhancement
-              title:      Test / Validate / Document Changes
-              properties: 
-                - 
-                  name:  label
-                  value: CM-3(2)
-                - 
-                  name:  sort-id
-                  value: cm-03.02
-              parts: 
-                - 
-                  id:    cm-3.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization tests, validates, and documents changes to the information system
-                                        before implementing the changes on the operational system.
-                    """
-                - 
-                  id:    cm-3.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Changes to information systems include modifications to hardware, software, or
-                                        firmware components and configuration settings defined in CM-6. Organizations
-                                        ensure that testing does not interfere with information system operations.
-                                        Individuals/groups conducting tests understand organizational security policies
-                                        and procedures, information system security policies and procedures, and the
-                                        specific health, safety, and environmental risks associated with particular
-                                        facilities/processes. Operational systems may need to be taken off-line, or
-                                        replicated to the extent feasible, before testing can be conducted. If information
-                                        systems must be taken off-line for testing, the tests are scheduled to occur
-                                        during planned system outages whenever possible. If testing cannot be conducted on
-                                        operational systems, organizations employ compensating controls (e.g., testing on
-                                        replicated systems).
-                    """
-                - 
-                  id:    cm-3.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization, before implementing changes on the operational
-                                        system:
-                    """
-                  parts: 
-                    - 
-                      id:         cm-3.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(2)[1]
-                      prose:      tests changes to the information system;
-                    - 
-                      id:         cm-3.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(2)[2]
-                      prose:      validates changes to the information system; and
-                    - 
-                      id:         cm-3.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(2)[3]
-                      prose:      documents changes to the information system.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing information system configuration change control\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for configuration change control\n\nautomated mechanisms supporting and/or implementing testing, validating, and
-                                               documenting information system changes
-                        """
-            - 
-              id:         cm-3.4
-              class:      SP800-53-enhancement
-              title:      Security Representative
-              parameters: 
-                - 
-                  id:          cm-3.4_prm_1
-                  label:       organization-defined configuration change control element
-                  constraints: 
-                    - 
-                      detail: Configuration control board (CCB) or similar (as defined in CM-3)
-              properties: 
-                - 
-                  name:  label
-                  value: CM-3(4)
-                - 
-                  name:  sort-id
-                  value: cm-03.04
-              parts: 
-                - 
-                  id:    cm-3.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires an information security representative to be a member of
-                                        the {{ cm-3.4_prm_1 }}.
-                    """
-                - 
-                  id:    cm-3.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Information security representatives can include, for example, senior agency
-                                        information security officers, information system security officers, or
-                                        information system security managers. Representation by personnel with information
-                                        security expertise is important because changes to information system
-                                        configurations can have unintended side effects, some of which may be
-                                        security-relevant. Detecting such changes early in the process can help avoid
-                                        unintended, negative consequences that could ultimately affect the security state
-                                        of organizational information systems. The configuration change control element in
-                                        this control enhancement reflects the change control elements defined by
-                                        organizations in CM-3.
-                    """
-                - 
-                  id:    cm-3.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-3.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CM-3(4)[1]
-                      prose: 
-                        """
-                          specifies the configuration change control elements (as defined in CM-3g) of
-                                               which an information security representative is to be a member; and
-                        """
-                    - 
-                      id:         cm-3.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(4)[2]
-                      prose: 
-                        """
-                          requires an information security representative to be a member of the specified
-                                               configuration control element.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for configuration change control
-            - 
-              id:         cm-3.6
-              class:      SP800-53-enhancement
-              title:      Cryptography Management
-              parameters: 
-                - 
-                  id:          cm-3.6_prm_1
-                  label:       organization-defined security safeguards
-                  constraints: 
-                    - 
-                      detail: All security safeguards that rely on cryptography
-              properties: 
-                - 
-                  name:  label
-                  value: CM-3(6)
-                - 
-                  name:  sort-id
-                  value: cm-03.06
-              parts: 
-                - 
-                  id:    cm-3.6_smt
-                  name:  statement
-                  prose: The organization ensures that cryptographic mechanisms used to provide {{ cm-3.6_prm_1 }} are under configuration management.
-                - 
-                  id:    cm-3.6_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Regardless of the cryptographic means employed (e.g., public key, private key,
-                                        shared secrets), organizations ensure that there are processes and procedures in
-                                        place to effectively manage those means. For example, if devices use certificates
-                                        as a basis for identification and authentication, there needs to be a process in
-                                        place to address the expiration of those certificates.
-                    """
-                  links: 
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:    cm-3.6_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-3.6_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(6)[1]
-                      prose: 
-                        """
-                          defines security safeguards provided by cryptographic mechanisms that are to be
-                                               under configuration management; and
-                        """
-                    - 
-                      id:         cm-3.6_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(6)[2]
-                      prose: 
-                        """
-                          ensures that cryptographic mechanisms used to provide organization-defined
-                                               security safeguards are under configuration management.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for configuration change control\n\ncryptographic mechanisms implementing organizational security safeguards
-        - 
-          id:         cm-4
-          class:      SP800-53
-          title:      Security Impact Analysis
-          properties: 
-            - 
-              name:  label
-              value: CM-4
-            - 
-              name:  sort-id
-              value: cm-04
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization analyzes changes to the information system to determine potential
-                                 security impacts prior to change implementation.
-                """
-            - 
-              id:    cm-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational personnel with information security responsibilities (e.g.,
-                                 Information System Administrators, Information System Security Officers, Information
-                                 System Security Managers, and Information System Security Engineers) conduct security
-                                 impact analyses. Individuals conducting security impact analyses possess the
-                                 necessary skills/technical expertise to analyze the changes to information systems
-                                 and the associated security ramifications. Security impact analysis may include, for
-                                 example, reviewing security plans to understand security control requirements and
-                                 reviewing system design documentation to understand control implementation and how
-                                 specific changes might affect the controls. Security impact analyses may also include
-                                 assessments of risk to better understand the impact of the changes and to determine
-                                 if additional security controls are required. Security impact analyses are scaled in
-                                 accordance with the security categories of the information systems.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    cm-4_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization analyzes changes to the information system to determine
-                                 potential security impacts prior to change implementation.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information
-                                        system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for conducting security impact
-                                        analysis\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security impact analysis
-          controls: 
-            - 
-              id:         cm-4.1
-              class:      SP800-53-enhancement
-              title:      Separate Test Environments
-              properties: 
-                - 
-                  name:  label
-                  value: CM-4(1)
-                - 
-                  name:  sort-id
-                  value: cm-04.01
-              parts: 
-                - 
-                  id:    cm-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization analyzes changes to the information system in a separate test
-                                        environment before implementation in an operational environment, looking for
-                                        security impacts due to flaws, weaknesses, incompatibility, or intentional
-                                        malice.
-                    """
-                - 
-                  id:    cm-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Separate test environment in this context means an environment that is physically
-                                        or logically isolated and distinct from the operational environment. The
-                                        separation is sufficient to ensure that activities in the test environment do not
-                                        impact activities in the operational environment, and information in the
-                                        operational environment is not inadvertently transmitted to the test environment.
-                                        Separate environments can be achieved by physical or logical means. If physically
-                                        separate test environments are not used, organizations determine the strength of
-                                        mechanism required when implementing logical separation (e.g., separation achieved
-                                        through virtual machines).
-                    """
-                  links: 
-                    - 
-                      href: #sa-11
-                      rel:  related
-                      text: SA-11
-                    - 
-                      href: #sc-3
-                      rel:  related
-                      text: SC-3
-                    - 
-                      href: #sc-7
-                      rel:  related
-                      text: SC-7
-                - 
-                  id:    cm-4.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-4.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-4(1)[1]
-                      prose: 
-                        """
-                          analyzes changes to the information system in a separate test environment
-                                               before implementation in an operational environment;
-                        """
-                    - 
-                      id:         cm-4.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-4(1)[2]
-                      prose: 
-                        """
-                          when analyzing changes to the information system in a separate test
-                                               environment, looks for security impacts due to:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-4.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-4(1)[2][a]
-                          prose:      flaws;
-                        - 
-                          id:         cm-4.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-4(1)[2][b]
-                          prose:      weaknesses;
-                        - 
-                          id:         cm-4.1_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-4(1)[2][c]
-                          prose:      incompatibility; and
-                        - 
-                          id:         cm-4.1_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-4(1)[2][d]
-                          prose:      intentional malice.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information
-                                               system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs information system design
-                                               documentation\n\ninformation system architecture and configuration documentation\n\nchange control records\n\ninformation system audit records\n\ndocumentation evidence of separate test and operational environments\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for conducting security impact
-                                               analysis\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for security impact analysis\n\nautomated mechanisms supporting and/or implementing security impact analysis of
-                                               changes
-                        """
-        - 
-          id:         cm-5
-          class:      SP800-53
-          title:      Access Restrictions for Change
-          properties: 
-            - 
-              name:  label
-              value: CM-5
-            - 
-              name:  sort-id
-              value: cm-05
-          parts: 
-            - 
-              id:    cm-5_smt
-              name:  statement
-              prose: 
-                """
-                  The organization defines, documents, approves, and enforces physical and logical
-                                 access restrictions associated with changes to the information system.
-                """
-            - 
-              id:    cm-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Any changes to the hardware, software, and/or firmware components of information
-                                 systems can potentially have significant effects on the overall security of the
-                                 systems. Therefore, organizations permit only qualified and authorized individuals to
-                                 access information systems for purposes of initiating changes, including upgrades and
-                                 modifications. Organizations maintain records of access to ensure that configuration
-                                 change control is implemented and to support after-the-fact actions should
-                                 organizations discover any unauthorized changes. Access restrictions for change also
-                                 include software libraries. Access restrictions include, for example, physical and
-                                 logical access controls (see AC-3 and PE-3), workflow automation, media libraries,
-                                 abstract layers (e.g., changes implemented into third-party interfaces rather than
-                                 directly into information systems), and change windows (e.g., changes occur only
-                                 during specified times, making unauthorized changes easy to discover).
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-            - 
-              id:    cm-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[1]
-                  prose: 
-                    """
-                      defines physical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[2]
-                  prose: 
-                    """
-                      documents physical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[3]
-                  prose: 
-                    """
-                      approves physical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[4]
-                  prose: 
-                    """
-                      enforces physical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[5]
-                  prose: 
-                    """
-                      defines logical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[6]
-                  prose: 
-                    """
-                      documents logical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.7
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-5[7]
-                  prose: 
-                    """
-                      approves logical access restrictions associated with changes to the information
-                                        system; and
-                    """
-                - 
-                  id:         cm-5_obj.8
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-5[8]
-                  prose: 
-                    """
-                      enforces logical access restrictions associated with changes to the information
-                                        system.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                        system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting/implementing/enforcing access restrictions
-                                        associated with changes to the information system
-                    """
-          controls: 
-            - 
-              id:         cm-5.1
-              class:      SP800-53-enhancement
-              title:      Automated Access Enforcement / Auditing
-              properties: 
-                - 
-                  name:  label
-                  value: CM-5(1)
-                - 
-                  name:  sort-id
-                  value: cm-05.01
-              parts: 
-                - 
-                  id:    cm-5.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system enforces access restrictions and supports auditing of the
-                                        enforcement actions.
-                    """
-                - 
-                  id:    cm-5.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                    - 
-                      href: #au-6
-                      rel:  related
-                      text: AU-6
-                    - 
-                      href: #cm-3
-                      rel:  related
-                      text: CM-3
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                - 
-                  id:    cm-5.1_obj
-                  name:  objective
-                  prose: Determine if the information system:
-                  parts: 
-                    - 
-                      id:         cm-5.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(1)[1]
-                      prose:      enforces access restrictions for change; and
-                    - 
-                      id:         cm-5.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(1)[2]
-                      prose:      supports auditing of the enforcement actions.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                               system\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing enforcement of access restrictions for
-                                               changes to the information system\n\nautomated mechanisms supporting auditing of enforcement actions
-                        """
-            - 
-              id:         cm-5.2
-              class:      SP800-53-enhancement
-              title:      Review System Changes
-              parameters: 
-                - 
-                  id:          cm-5.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least every thirty (30) days
-                - 
-                  id:    cm-5.2_prm_2
-                  label: organization-defined circumstances
-              properties: 
-                - 
-                  name:  label
-                  value: CM-5(2)
-                - 
-                  name:  sort-id
-                  value: cm-05.02
-              parts: 
-                - 
-                  id:    cm-5.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization reviews information system changes {{ cm-5.2_prm_1 }} and {{ cm-5.2_prm_2 }} to determine
-                                        whether unauthorized changes have occurred.
-                    """
-                - 
-                  id:    cm-5.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Indications that warrant review of information system changes and the specific
-                                        circumstances justifying such reviews may be obtained from activities carried out
-                                        by organizations during the configuration change process.
-                    """
-                  links: 
-                    - 
-                      href: #au-6
-                      rel:  related
-                      text: AU-6
-                    - 
-                      href: #au-7
-                      rel:  related
-                      text: AU-7
-                    - 
-                      href: #cm-3
-                      rel:  related
-                      text: CM-3
-                    - 
-                      href: #cm-5
-                      rel:  related
-                      text: CM-5
-                    - 
-                      href: #pe-6
-                      rel:  related
-                      text: PE-6
-                    - 
-                      href: #pe-8
-                      rel:  related
-                      text: PE-8
-                - 
-                  id:    cm-5.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization, in an effort to ascertain whether unauthorized
-                                        changes have occurred:
-                    """
-                  parts: 
-                    - 
-                      id:         cm-5.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-5(2)[1]
-                      prose:      defines the frequency to review information system changes;
-                    - 
-                      id:         cm-5.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-5(2)[2]
-                      prose:      defines circumstances that warrant review of information system changes;
-                    - 
-                      id:         cm-5.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(2)[3]
-                      prose: 
-                        """
-                          reviews information system changes with the organization-defined frequency;
-                                               and
-                        """
-                    - 
-                      id:         cm-5.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(2)[4]
-                      prose: 
-                        """
-                          reviews information system changes with the organization-defined
-                                               circumstances.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                               system\n\nconfiguration management plan\n\nsecurity plan\n\nreviews of information system changes\n\naudit and review reports\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting/implementing information system reviews to
-                                               determine whether unauthorized changes have occurred
-                        """
-            - 
-              id:         cm-5.3
-              class:      SP800-53-enhancement
-              title:      Signed Components
-              parameters: 
-                - 
-                  id:    cm-5.3_prm_1
-                  label: organization-defined software and firmware components
-              properties: 
-                - 
-                  name:  label
-                  value: CM-5(3)
-                - 
-                  name:  sort-id
-                  value: cm-05.03
-              parts: 
-                - 
-                  id:    cm-5.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system prevents the installation of {{ cm-5.3_prm_1 }} without verification that the component has been
-                                        digitally signed using a certificate that is recognized and approved by the
-                                        organization.
-                    """
-                  parts: 
-                    - 
-                      id:    cm-5.3_fr
-                      name:  item
-                      title: CM-5 (3) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         cm-5.3_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
-                - 
-                  id:    cm-5.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Software and firmware components prevented from installation unless signed with
-                                        recognized and approved certificates include, for example, software and firmware
-                                        version updates, patches, service packs, device drivers, and basic input output
-                                        system (BIOS) updates. Organizations can identify applicable software and firmware
-                                        components by type, by specific items, or a combination of both. Digital
-                                        signatures and organizational verification of such signatures, is a method of code
-                                        authentication.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:    cm-5.3_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         cm-5.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-5(3)[1]
-                      prose: 
-                        """
-                          the organization defines software and firmware components that the information
-                                               system will prevent from being installed without verification that such
-                                               components have been digitally signed using a certificate that is recognized
-                                               and approved by the organization; and
-                        """
-                    - 
-                      id:         cm-5.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(3)[2]
-                      prose: 
-                        """
-                          the information system prevents the installation of organization-defined
-                                               software and firmware components without verification that such components have
-                                               been digitally signed using a certificate that is recognized and approved by
-                                               the organization.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                               system\n\nconfiguration management plan\n\nsecurity plan\n\nlist of software and firmware components to be prohibited from installation
-                                               without a recognized and approved certificate\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing access restrictions to change\n\nautomated mechanisms preventing installation of software and firmware
-                                               components not signed with an organization-recognized and approved
-                                               certificate
-                        """
-            - 
-              id:         cm-5.5
-              class:      SP800-53-enhancement
-              title:      Limit Production / Operational Privileges
-              parameters: 
-                - 
-                  id:          cm-5.5_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least quarterly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-5(5)
-                - 
-                  name:  sort-id
-                  value: cm-05.05
-              parts: 
-                - 
-                  id:    cm-5.5_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-5.5_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Limits privileges to change information system components and system-related
-                                               information within a production or operational environment; and
-                        """
-                    - 
-                      id:         cm-5.5_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Reviews and reevaluates privileges {{ cm-5.5_prm_1 }}.
-                - 
-                  id:    cm-5.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      In many organizations, information systems support multiple core missions/business
-                                        functions. Limiting privileges to change information system components with
-                                        respect to operational systems is necessary because changes to a particular
-                                        information system component may have far-reaching effects on mission/business
-                                        processes supported by the system where the component resides. The complex,
-                                        many-to-many relationships between systems and mission/business processes are in
-                                        some cases, unknown to developers.
-                    """
-                  links: 
-                    - 
-                      href: #ac-2
-                      rel:  related
-                      text: AC-2
-                - 
-                  id:    cm-5.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-5.5.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(5)(a)
-                      prose: 
-                        """
-                          limits privileges to change information system components and system-related
-                                               information within a production or operational environment;
-                        """
-                      links: 
-                        - 
-                          href: #cm-5.5_smt.a
-                          rel:  corresp
-                          text: CM-5(5)(a)
-                    - 
-                      id:         cm-5.5.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-5(5)(b)
-                      parts: 
-                        - 
-                          id:         cm-5.5.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-5(5)(b)[1]
-                          prose:      defines the frequency to review and reevaluate privileges; and
-                        - 
-                          id:         cm-5.5.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-5(5)(b)[2]
-                          prose: 
-                            """
-                              reviews and reevaluates privileges with the organization-defined
-                                                      frequency.
-                            """
-                      links: 
-                        - 
-                          href: #cm-5.5_smt.b
-                          rel:  corresp
-                          text: CM-5(5)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                               system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting and/or implementing access restrictions for
-                                               change
-                        """
-        - 
-          id:         cm-6
-          class:      SP800-53
-          title:      Configuration Settings
-          parameters: 
-            - 
-              id:       cm-6_prm_1
-              label:    organization-defined security configuration checklists
-              guidance: 
-                - 
-                  prose: See CM-6(a) Additional FedRAMP Requirements and Guidance
-            - 
-              id:    cm-6_prm_2
-              label: organization-defined information system components
-            - 
-              id:    cm-6_prm_3
-              label: organization-defined operational requirements
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-6
-            - 
-              name:  sort-id
-              value: cm-06
-          links: 
-            - 
-              href: #990268bf-f4a9-4c81-91ae-dc7d3115f4b1
-              rel:  reference
-              text: OMB Memorandum 07-11
-            - 
-              href: #0b3d8ba9-051f-498d-81ea-97f0f018c612
-              rel:  reference
-              text: OMB Memorandum 07-18
-            - 
-              href: #0916ef02-3618-411b-a525-565c088849a6
-              rel:  reference
-              text: OMB Memorandum 08-22
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-            - 
-              href: #e95dd121-2733-413e-bf1e-f1eb49f20a98
-              rel:  reference
-              text: http://checklists.nist.gov
-            - 
-              href: #647b6de3-81d0-4d22-bec1-5f1333e34380
-              rel:  reference
-              text: http://www.nsa.gov
-          parts: 
-            - 
-              id:    cm-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and documents configuration settings for information technology
-                                        products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with
-                                        operational requirements;
-                    """
-                - 
-                  id:         cm-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Implements the configuration settings;
-                - 
-                  id:         cm-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Identifies, documents, and approves any deviations from established configuration
-                                        settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and
-                    """
-                - 
-                  id:         cm-6_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Monitors and controls changes to the configuration settings in accordance with
-                                        organizational policies and procedures.
-                    """
-                - 
-                  id:    cm-6_fr
-                  name:  item
-                  title: CM-6(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement 1:
-                      prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. 
-                    - 
-                      id:         cm-6_fr_smt.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement 2:
-                      prose:      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available).
-                    - 
-                      id:         cm-6_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline).
-            - 
-              id:    cm-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Configuration settings are the set of parameters that can be changed in hardware,
-                                 software, or firmware components of the information system that affect the security
-                                 posture and/or functionality of the system. Information technology products for which
-                                 security-related configuration settings can be defined include, for example,
-                                 mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-                                 proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-                                 copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-                                 and data switches, wireless access points, network appliances, sensors), operating
-                                 systems, middleware, and applications. Security-related parameters are those
-                                 parameters impacting the security state of information systems including the
-                                 parameters required to satisfy other security control requirements. Security-related
-                                 parameters include, for example: (i) registry settings; (ii) account, file, directory
-                                 permission settings; and (iii) settings for functions, ports, protocols, services,
-                                 and remote connections. Organizations establish organization-wide configuration
-                                 settings and subsequently derive specific settings for information systems. The
-                                 established settings become part of the systems configuration baseline. Common secure
-                                 configurations (also referred to as security configuration checklists, lockdown and
-                                 hardening guides, security reference guides, security technical implementation
-                                 guides) provide recognized, standardized, and established benchmarks that stipulate
-                                 secure configuration settings for specific information technology platforms/products
-                                 and instructions for configuring those information system components to meet
-                                 operational requirements. Common secure configurations can be developed by a variety
-                                 of organizations including, for example, information technology product developers,
-                                 manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-                                 organizations in the public and private sectors. Common secure configurations include
-                                 the United States Government Configuration Baseline (USGCB) which affects the
-                                 implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-                                 Content Automation Protocol (SCAP) and the defined standards within the protocol
-                                 (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-                                 identify, track, and control configuration settings. OMB establishes federal policy
-                                 on configuration requirements for federal information systems.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    cm-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(a)
-                  parts: 
-                    - 
-                      id:         cm-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(a)[1]
-                      prose: 
-                        """
-                          defines security configuration checklists to be used to establish and document
-                                               configuration settings for the information technology products employed;
-                        """
-                    - 
-                      id:         cm-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CM-6(a)[2]
-                      prose: 
-                        """
-                          ensures the defined security configuration checklists reflect the most
-                                               restrictive mode consistent with operational requirements;
-                        """
-                    - 
-                      id:         cm-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(a)[3]
-                      prose: 
-                        """
-                          establishes and documents configuration settings for information technology
-                                               products employed within the information system using organization-defined
-                                               security configuration checklists;
-                        """
-                - 
-                  id:         cm-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-6(b)
-                  prose:      implements the configuration settings established/documented in CM-6(a);;
-                - 
-                  id:         cm-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(c)
-                  parts: 
-                    - 
-                      id:         cm-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[1]
-                      prose: 
-                        """
-                          defines information system components for which any deviations from established
-                                               configuration settings must be:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-6.c_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][a]
-                          prose:      identified;
-                        - 
-                          id:         cm-6.c_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][b]
-                          prose:      documented;
-                        - 
-                          id:         cm-6.c_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][c]
-                          prose:      approved;
-                    - 
-                      id:         cm-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[2]
-                      prose:      defines operational requirements to support:
-                      parts: 
-                        - 
-                          id:         cm-6.c_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][a]
-                          prose: 
-                            """
-                              the identification of any deviations from established configuration
-                                                      settings;
-                            """
-                        - 
-                          id:         cm-6.c_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][b]
-                          prose: 
-                            """
-                              the documentation of any deviations from established configuration
-                                                      settings;
-                            """
-                        - 
-                          id:         cm-6.c_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][c]
-                          prose:      the approval of any deviations from established configuration settings;
-                    - 
-                      id:         cm-6.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(c)[3]
-                      prose: 
-                        """
-                          identifies any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                    - 
-                      id:         cm-6.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[4]
-                      prose: 
-                        """
-                          documents any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                    - 
-                      id:         cm-6.c_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(c)[5]
-                      prose: 
-                        """
-                          approves any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                - 
-                  id:         cm-6.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(d)
-                  parts: 
-                    - 
-                      id:         cm-6.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(d)[1]
-                      prose: 
-                        """
-                          monitors changes to the configuration settings in accordance with
-                                               organizational policies and procedures; and
-                        """
-                    - 
-                      id:         cm-6.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(d)[2]
-                      prose: 
-                        """
-                          controls changes to the configuration settings in accordance with
-                                               organizational policies and procedures.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration
-                                        settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security configuration management
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and/or control information system
-                                        configuration settings\n\nautomated mechanisms that identify and/or document deviations from established
-                                        configuration settings
-                    """
-          controls: 
-            - 
-              id:         cm-6.1
-              class:      SP800-53-enhancement
-              title:      Automated Central Management / Application / Verification
-              parameters: 
-                - 
-                  id:    cm-6.1_prm_1
-                  label: organization-defined information system components
-              properties: 
-                - 
-                  name:  label
-                  value: CM-6(1)
-                - 
-                  name:  sort-id
-                  value: cm-06.01
-              parts: 
-                - 
-                  id:    cm-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to centrally manage, apply, and
-                                        verify configuration settings for {{ cm-6.1_prm_1 }}.
-                    """
-                - 
-                  id:    cm-6.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                    - 
-                      href: #cm-4
-                      rel:  related
-                      text: CM-4
-                - 
-                  id:    cm-6.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-6.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(1)[1]
-                      prose: 
-                        """
-                          defines information system components for which automated mechanisms are to be
-                                               employed to:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-6.1_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[1][a]
-                          prose:      centrally manage configuration settings of such components;
-                        - 
-                          id:         cm-6.1_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[1][b]
-                          prose:      apply configuration settings of such components;
-                        - 
-                          id:         cm-6.1_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[1][c]
-                          prose:      verify configuration settings of such components;
-                    - 
-                      id:         cm-6.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(1)[2]
-                      prose:      employs automated mechanisms to:
-                      parts: 
-                        - 
-                          id:         cm-6.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[2][a]
-                          prose: 
-                            """
-                              centrally manage configuration settings for organization-defined information
-                                                      system components;
-                            """
-                        - 
-                          id:         cm-6.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[2][b]
-                          prose: 
-                            """
-                              apply configuration settings for organization-defined information system
-                                                      components; and
-                            """
-                        - 
-                          id:         cm-6.1_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[2][c]
-                          prose: 
-                            """
-                              verify configuration settings for organization-defined information system
-                                                      components.
-                            """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with security configuration management
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to centrally manage, apply, and verify
-                                               information system configuration settings
-                        """
-            - 
-              id:         cm-6.2
-              class:      SP800-53-enhancement
-              title:      Respond to Unauthorized Changes
-              parameters: 
-                - 
-                  id:    cm-6.2_prm_1
-                  label: organization-defined security safeguards
-                - 
-                  id:    cm-6.2_prm_2
-                  label: organization-defined configuration settings
-              properties: 
-                - 
-                  name:  label
-                  value: CM-6(2)
-                - 
-                  name:  sort-id
-                  value: cm-06.02
-              parts: 
-                - 
-                  id:    cm-6.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ cm-6.2_prm_1 }} to respond to
-                                        unauthorized changes to {{ cm-6.2_prm_2 }}.
-                    """
-                - 
-                  id:    cm-6.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Responses to unauthorized changes to configuration settings can include, for
-                                        example, alerting designated organizational personnel, restoring established
-                                        configuration settings, or in extreme cases, halting affected information system
-                                        processing.
-                    """
-                  links: 
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:    cm-6.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-6.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(2)[1]
-                      prose: 
-                        """
-                          defines configuration settings that, if modified by unauthorized changes,
-                                               result in organizational security safeguards being employed to respond to such
-                                               changes;
-                        """
-                    - 
-                      id:         cm-6.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(2)[2]
-                      prose: 
-                        """
-                          defines security safeguards to be employed to respond to unauthorized changes
-                                               to organization-defined configuration settings; and
-                        """
-                    - 
-                      id:         cm-6.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(2)[3]
-                      prose: 
-                        """
-                          employs organization-defined security safeguards to respond to unauthorized
-                                               changes to organization-defined configuration settings.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nalerts/notifications of unauthorized changes to information system
-                                               configuration settings\n\ndocumented responses to unauthorized changes to information system
-                                               configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with security configuration management
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for responding to unauthorized changes to information
-                                               system configuration settings\n\nautomated mechanisms supporting and/or implementing security safeguards for
-                                               response to unauthorized changes
-                        """
-        - 
-          id:         cm-7
-          class:      SP800-53
-          title:      Least Functionality
-          parameters: 
-            - 
-              id:          cm-7_prm_1
-              label: 
-                """
-                  organization-defined prohibited or restricted functions, ports, protocols, and/or
-                                 services
-                """
-              constraints: 
-                - 
-                  detail: United States Government Configuration Baseline (USGCB)
-          properties: 
-            - 
-              name:  label
-              value: CM-7
-            - 
-              name:  sort-id
-              value: cm-07
-          links: 
-            - 
-              href: #e42b2099-3e1c-415b-952c-61c96533c12e
-              rel:  reference
-              text: DoD Instruction 8551.01
-          parts: 
-            - 
-              id:    cm-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Configures the information system to provide only essential capabilities; and
-                - 
-                  id:         cm-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Prohibits or restricts the use of the following functions, ports, protocols,
-                                        and/or services: {{ cm-7_prm_1 }}.
-                    """
-                - 
-                  id:    cm-7_fr
-                  name:  item
-                  title: CM-7 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-7_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-                    - 
-                      id:         cm-7_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8).
-            - 
-              id:    cm-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems can provide a wide variety of functions and services. Some of the
-                                 functions and services, provided by default, may not be necessary to support
-                                 essential organizational operations (e.g., key missions, functions). Additionally, it
-                                 is sometimes convenient to provide multiple services from single information system
-                                 components, but doing so increases risk over limiting the services provided by any
-                                 one component. Where feasible, organizations limit component functionality to a
-                                 single function per device (e.g., email servers or web servers, but not both).
-                                 Organizations review functions and services provided by information systems or
-                                 individual components of information systems, to determine which functions and
-                                 services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-                                 Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-                                 or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-                                 Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-                                 prevent unauthorized connection of devices, unauthorized transfer of information, or
-                                 unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-                                 detection and prevention systems, and end-point protections such as firewalls and
-                                 host-based intrusion detection systems to identify and prevent the use of prohibited
-                                 functions, ports, protocols, and services.
-                """
-              links: 
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    cm-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-7(a)
-                  prose:      configures the information system to provide only essential capabilities;
-                - 
-                  id:         cm-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-7(b)
-                  parts: 
-                    - 
-                      id:         cm-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-7(b)[1]
-                      prose:      defines prohibited or restricted:
-                      parts: 
-                        - 
-                          id:         cm-7.b_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][a]
-                          prose:      functions;
-                        - 
-                          id:         cm-7.b_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][b]
-                          prose:      ports;
-                        - 
-                          id:         cm-7.b_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][c]
-                          prose:      protocols; and/or
-                        - 
-                          id:         cm-7.b_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][d]
-                          prose:      services;
-                    - 
-                      id:         cm-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-7(b)[2]
-                      prose:      prohibits or restricts the use of organization-defined:
-                      parts: 
-                        - 
-                          id:         cm-7.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][a]
-                          prose:      functions;
-                        - 
-                          id:         cm-7.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][b]
-                          prose:      ports;
-                        - 
-                          id:         cm-7.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][c]
-                          prose:      protocols; and/or
-                        - 
-                          id:         cm-7.b_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][d]
-                          prose:      services.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security configuration management
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes prohibiting or restricting functions, ports, protocols,
-                                        and/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports,
-                                        protocols, and/or services
-                    """
-          controls: 
-            - 
-              id:         cm-7.1
-              class:      SP800-53-enhancement
-              title:      Periodic Review
-              parameters: 
-                - 
-                  id:          cm-7.1_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least monthly
-                - 
-                  id:    cm-7.1_prm_2
-                  label: 
-                    """
-                      organization-defined functions, ports, protocols, and services within the
-                                        information system deemed to be unnecessary and/or nonsecure
-                    """
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-7(1)
-                - 
-                  name:  sort-id
-                  value: cm-07.01
-              parts: 
-                - 
-                  id:    cm-7.1_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-7.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Reviews the information system {{ cm-7.1_prm_1 }} to identify
-                                               unnecessary and/or nonsecure functions, ports, protocols, and services; and
-                        """
-                    - 
-                      id:         cm-7.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Disables {{ cm-7.1_prm_2 }}.
-                - 
-                  id:    cm-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The organization can either make a determination of the relative security of the
-                                        function, port, protocol, and/or service or base the security decision on the
-                                        assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are
-                                        examples of less than secure protocols.
-                    """
-                  links: 
-                    - 
-                      href: #ac-18
-                      rel:  related
-                      text: AC-18
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #ia-2
-                      rel:  related
-                      text: IA-2
-                - 
-                  id:    cm-7.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-7.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-7(1)(a)
-                      parts: 
-                        - 
-                          id:         cm-7.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-7(1)(a)[1]
-                          prose: 
-                            """
-                              defines the frequency to review the information system to identify
-                                                      unnecessary and/or nonsecure:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-7.1.a_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[1][a]
-                              prose:      functions;
-                            - 
-                              id:         cm-7.1.a_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[1][b]
-                              prose:      ports;
-                            - 
-                              id:         cm-7.1.a_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[1][c]
-                              prose:      protocols; and/or
-                            - 
-                              id:         cm-7.1.a_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[1][d]
-                              prose:      services;
-                        - 
-                          id:         cm-7.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-7(1)(a)[2]
-                          prose: 
-                            """
-                              reviews the information system with the organization-defined frequency to
-                                                      identify unnecessary and/or nonsecure:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-7.1.a_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[2][a]
-                              prose:      functions;
-                            - 
-                              id:         cm-7.1.a_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[2][b]
-                              prose:      ports;
-                            - 
-                              id:         cm-7.1.a_obj.2.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[2][c]
-                              prose:      protocols; and/or
-                            - 
-                              id:         cm-7.1.a_obj.2.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[2][d]
-                              prose:      services;
-                      links: 
-                        - 
-                          href: #cm-7.1_smt.a
-                          rel:  corresp
-                          text: CM-7(1)(a)
-                    - 
-                      id:         cm-7.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-7(1)(b)
-                      parts: 
-                        - 
-                          id:         cm-7.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-7(1)(b)[1]
-                          prose:      defines, within the information system, unnecessary and/or nonsecure:
-                          parts: 
-                            - 
-                              id:         cm-7.1.b_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[1][a]
-                              prose:      functions;
-                            - 
-                              id:         cm-7.1.b_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[1][b]
-                              prose:      ports;
-                            - 
-                              id:         cm-7.1.b_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[1][c]
-                              prose:      protocols; and/or
-                            - 
-                              id:         cm-7.1.b_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[1][d]
-                              prose:      services;
-                        - 
-                          id:         cm-7.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-7(1)(b)[2]
-                          prose:      disables organization-defined unnecessary and/or nonsecure:
-                          parts: 
-                            - 
-                              id:         cm-7.1.b_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[2][a]
-                              prose:      functions;
-                            - 
-                              id:         cm-7.1.b_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[2][b]
-                              prose:      ports;
-                            - 
-                              id:         cm-7.1.b_obj.2.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[2][c]
-                              prose:      protocols; and/or
-                            - 
-                              id:         cm-7.1.b_obj.2.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[2][d]
-                              prose:      services.
-                      links: 
-                        - 
-                          href: #cm-7.1_smt.b
-                          rel:  corresp
-                          text: CM-7(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\ndocumented reviews of functions, ports, protocols, and/or services\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for reviewing functions, ports,
-                                               protocols, and services on the information system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for reviewing/disabling nonsecure functions, ports,
-                                               protocols, and/or services\n\nautomated mechanisms implementing review and disabling of nonsecure functions,
-                                               ports, protocols, and/or services
-                        """
-            - 
-              id:         cm-7.2
-              class:      SP800-53-enhancement
-              title:      Prevent Program Execution
-              parameters: 
-                - 
-                  id: cm-7.2_prm_1
-                - 
-                  id:         cm-7.2_prm_2
-                  depends-on: cm-7.2_prm_1
-                  label: 
-                    """
-                      organization-defined policies regarding software program usage and
-                                        restrictions
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: CM-7(2)
-                - 
-                  name:  sort-id
-                  value: cm-07.02
-              parts: 
-                - 
-                  id:    cm-7.2_smt
-                  name:  statement
-                  prose: The information system prevents program execution in accordance with {{ cm-7.2_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    cm-7.2_fr
-                      name:  item
-                      title: CM-7 (2) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         cm-7.2_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.
-                - 
-                  id:    cm-7.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cm-8
-                      rel:  related
-                      text: CM-8
-                    - 
-                      href: #pm-5
-                      rel:  related
-                      text: PM-5
-                - 
-                  id:    cm-7.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         cm-7.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-7(2)[1]
-                      prose: 
-                        """
-                          the organization defines policies regarding software program usage and
-                                               restrictions;
-                        """
-                    - 
-                      id:         cm-7.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-7(2)[2]
-                      prose: 
-                        """
-                          the information system prevents program execution in accordance with one or
-                                               more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-7.2_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(2)[2][a]
-                          prose: 
-                            """
-                              organization-defined policies regarding program usage and restrictions;
-                                                      and/or
-                            """
-                        - 
-                          id:         cm-7.2_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(2)[2][b]
-                          prose:      rules authorizing the terms and conditions of software program usage.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\nspecifications for preventing software program execution\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes preventing program execution on the information
-                                               system\n\norganizational processes for software program usage and restrictions\n\nautomated mechanisms preventing program execution on the information system\n\nautomated mechanisms supporting and/or implementing software program usage and
-                                               restrictions
-                        """
-            - 
-              id:         cm-7.5
-              class:      SP800-53-enhancement
-              title:      Authorized Software / Whitelisting
-              parameters: 
-                - 
-                  id:    cm-7.5_prm_1
-                  label: 
-                    """
-                      organization-defined software programs authorized to execute on the
-                                        information system
-                    """
-                - 
-                  id:          cm-7.5_prm_2
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least quarterly or when there is a change
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-7(5)
-                - 
-                  name:  sort-id
-                  value: cm-07.05
-              parts: 
-                - 
-                  id:    cm-7.5_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-7.5_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Identifies {{ cm-7.5_prm_1 }};
-                    - 
-                      id:         cm-7.5_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Employs a deny-all, permit-by-exception policy to allow the execution of
-                                               authorized software programs on the information system; and
-                        """
-                    - 
-                      id:         cm-7.5_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Reviews and updates the list of authorized software programs {{ cm-7.5_prm_2 }}.
-                - 
-                  id:    cm-7.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The process used to identify software programs that are authorized to execute on
-                                        organizational information systems is commonly referred to as whitelisting. In
-                                        addition to whitelisting, organizations consider verifying the integrity of
-                                        white-listed software programs using, for example, cryptographic checksums,
-                                        digital signatures, or hash functions. Verification of white-listed software can
-                                        occur either prior to execution or at system startup.
-                    """
-                  links: 
-                    - 
-                      href: #cm-2
-                      rel:  related
-                      text: CM-2
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                    - 
-                      href: #cm-8
-                      rel:  related
-                      text: CM-8
-                    - 
-                      href: #pm-5
-                      rel:  related
-                      text: PM-5
-                    - 
-                      href: #sa-10
-                      rel:  related
-                      text: SA-10
-                    - 
-                      href: #sc-34
-                      rel:  related
-                      text: SC-34
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:    cm-7.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-7.5.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-7(5)(a)
-                      prose: 
-                        """
-                          Identifies/defines software programs authorized to execute on the information
-                                               system;
-                        """
-                      links: 
-                        - 
-                          href: #cm-7.5_smt.a
-                          rel:  corresp
-                          text: CM-7(5)(a)
-                    - 
-                      id:         cm-7.5.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-7(5)(b)
-                      prose: 
-                        """
-                          employs a deny-all, permit-by-exception policy to allow the execution of
-                                               authorized software programs on the information system;
-                        """
-                      links: 
-                        - 
-                          href: #cm-7.5_smt.b
-                          rel:  corresp
-                          text: CM-7(5)(b)
-                    - 
-                      id:         cm-7.5.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-7(5)(c)
-                      parts: 
-                        - 
-                          id:         cm-7.5.c_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-7(5)(c)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the list of authorized software
-                                                      programs on the information system; and
-                            """
-                        - 
-                          id:         cm-7.5.c_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-7(5)(c)[2]
-                          prose: 
-                            """
-                              reviews and updates the list of authorized software programs with the
-                                                      organization-defined frequency.
-                            """
-                      links: 
-                        - 
-                          href: #cm-7.5_smt.c
-                          rel:  corresp
-                          text: CM-7(5)(c)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of software programs authorized to execute on the information system\n\nsecurity configuration checklists\n\nreview and update records associated with list of authorized software
-                                               programs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for identifying software
-                                               authorized to execute on the information system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for identifying, reviewing, and updating programs
-                                               authorized to execute on the information system\n\norganizational process for implementing whitelisting\n\nautomated mechanisms implementing whitelisting
-                        """
-        - 
-          id:         cm-8
-          class:      SP800-53
-          title:      Information System Component Inventory
-          parameters: 
-            - 
-              id:    cm-8_prm_1
-              label: 
-                """
-                  organization-defined information deemed necessary to achieve effective
-                                 information system component accountability
-                """
-            - 
-              id:          cm-8_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-8
-            - 
-              name:  sort-id
-              value: cm-08
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops and documents an inventory of information system components that:
-                  parts: 
-                    - 
-                      id:         cm-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Accurately reflects the current information system;
-                    - 
-                      id:         cm-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Includes all components within the authorization boundary of the information
-                                               system;
-                        """
-                    - 
-                      id:         cm-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Is at the level of granularity deemed necessary for tracking and reporting;
-                                               and
-                        """
-                    - 
-                      id:         cm-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose:      Includes {{ cm-8_prm_1 }}; and
-                - 
-                  id:         cm-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the information system component inventory {{ cm-8_prm_2 }}.
-                - 
-                  id:    cm-8_fr
-                  name:  item
-                  title: CM-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-8_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Must be provided at least monthly or when there is a change.
-            - 
-              id:    cm-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations may choose to implement centralized information system component
-                                 inventories that include components from all organizational information systems. In
-                                 such situations, organizations ensure that the resulting inventories include
-                                 system-specific information required for proper component accountability (e.g.,
-                                 information system association, information system owner). Information deemed
-                                 necessary for effective accountability of information system components includes, for
-                                 example, hardware inventory specifications, software license information, software
-                                 version numbers, component owners, and for networked components or devices, machine
-                                 names and network addresses. Inventory specifications include, for example,
-                                 manufacturer, device type, model, serial number, and physical location.
-                """
-              links: 
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pm-5
-                  rel:  related
-                  text: PM-5
-            - 
-              id:    cm-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-8(a)
-                  parts: 
-                    - 
-                      id:         cm-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(1)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that
-                                               accurately reflects the current information system;
-                        """
-                    - 
-                      id:         cm-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(2)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that
-                                               includes all components within the authorization boundary of the information
-                                               system;
-                        """
-                    - 
-                      id:         cm-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(3)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that is at
-                                               the level of granularity deemed necessary for tracking and reporting;
-                        """
-                    - 
-                      id:         cm-8.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(a)(4)
-                      parts: 
-                        - 
-                          id:         cm-8.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(a)(4)[1]
-                          prose: 
-                            """
-                              defines the information deemed necessary to achieve effective information
-                                                      system component accountability;
-                            """
-                        - 
-                          id:         cm-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(a)(4)[2]
-                          prose: 
-                            """
-                              develops and documents an inventory of information system components that
-                                                      includes organization-defined information deemed necessary to achieve
-                                                      effective information system component accountability;
-                            """
-                - 
-                  id:         cm-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-8(b)
-                  parts: 
-                    - 
-                      id:         cm-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update the information system component
-                                               inventory; and
-                        """
-                    - 
-                      id:         cm-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-8(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the information system component inventory with the
-                                               organization-defined frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system component
-                                        inventory\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for developing and documenting an inventory of
-                                        information system components\n\nautomated mechanisms supporting and/or implementing the information system
-                                        component inventory
-                    """
-          controls: 
-            - 
-              id:         cm-8.1
-              class:      SP800-53-enhancement
-              title:      Updates During Installations / Removals
-              properties: 
-                - 
-                  name:  label
-                  value: CM-8(1)
-                - 
-                  name:  sort-id
-                  value: cm-08.01
-              parts: 
-                - 
-                  id:    cm-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization updates the inventory of information system components as an
-                                        integral part of component installations, removals, and information system
-                                        updates.
-                    """
-                - 
-                  id:    cm-8.1_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization updates the inventory of information system
-                                        components as an integral part of:
-                    """
-                  parts: 
-                    - 
-                      id:         cm-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-8(1)[1]
-                      prose:      component installations;
-                    - 
-                      id:         cm-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(1)[2]
-                      prose:      component removals; and
-                    - 
-                      id:         cm-8.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(1)[3]
-                      prose:      information system updates.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\ncomponent installation records\n\ncomponent removal records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for updating the information
-                                               system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for updating inventory of information system
-                                               components\n\nautomated mechanisms implementing updating of the information system component
-                                               inventory
-                        """
-            - 
-              id:         cm-8.2
-              class:      SP800-53-enhancement
-              title:      Automated Maintenance
-              properties: 
-                - 
-                  name:  label
-                  value: CM-8(2)
-                - 
-                  name:  sort-id
-                  value: cm-08.02
-              parts: 
-                - 
-                  id:    cm-8.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to help maintain an up-to-date,
-                                        complete, accurate, and readily available inventory of information system
-                                        components.
-                    """
-                - 
-                  id:    cm-8.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations maintain information system inventories to the extent feasible.
-                                        Virtual machines, for example, can be difficult to monitor because such machines
-                                        are not visible to the network when not in use. In such cases, organizations
-                                        maintain as up-to-date, complete, and accurate an inventory as is deemed
-                                        reasonable. This control enhancement can be satisfied by the implementation of
-                                        CM-2 (2) for organizations that choose to combine information system component
-                                        inventory and baseline configuration activities.
-                    """
-                  links: 
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:    cm-8.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to maintain an
-                                        inventory of information system components that is:
-                    """
-                  parts: 
-                    - 
-                      id:         cm-8.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-8(2)[1]
-                      prose:      up-to-date;
-                    - 
-                      id:         cm-8.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(2)[2]
-                      prose:      complete;
-                    - 
-                      id:         cm-8.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(2)[3]
-                      prose:      accurate; and
-                    - 
-                      id:         cm-8.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(2)[4]
-                      prose:      readily available.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing information system component inventory\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nchange control records\n\ninformation system maintenance records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for managing the automated
-                                               mechanisms implementing the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for maintaining the inventory of information system
-                                               components\n\nautomated mechanisms implementing the information system component
-                                               inventory
-                        """
-            - 
-              id:         cm-8.3
-              class:      SP800-53-enhancement
-              title:      Automated Unauthorized Component Detection
-              parameters: 
-                - 
-                  id:          cm-8.3_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: Continuously, using automated mechanisms with a maximum five-minute delay in detection.
-                - 
-                  id: cm-8.3_prm_2
-                - 
-                  id:         cm-8.3_prm_3
-                  depends-on: cm-8.3_prm_2
-                  label:      organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-8(3)
-                - 
-                  name:  sort-id
-                  value: cm-08.03
-              parts: 
-                - 
-                  id:    cm-8.3_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-8.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Employs automated mechanisms {{ cm-8.3_prm_1 }} to detect the
-                                               presence of unauthorized hardware, software, and firmware components within the
-                                               information system; and
-                        """
-                    - 
-                      id:         cm-8.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Takes the following actions when unauthorized components are detected: {{ cm-8.3_prm_2 }}.
-                - 
-                  id:    cm-8.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement is applied in addition to the monitoring for unauthorized
-                                        remote connections and mobile devices. Monitoring for unauthorized system
-                                        components may be accomplished on an ongoing basis or by the periodic scanning of
-                                        systems for that purpose. Automated mechanisms can be implemented within
-                                        information systems or in other separate devices. Isolation can be achieved, for
-                                        example, by placing unauthorized information system components in separate domains
-                                        or subnets or otherwise quarantining such components. This type of component
-                                        isolation is commonly referred to as sandboxing.
-                    """
-                  links: 
-                    - 
-                      href: #ac-17
-                      rel:  related
-                      text: AC-17
-                    - 
-                      href: #ac-18
-                      rel:  related
-                      text: AC-18
-                    - 
-                      href: #ac-19
-                      rel:  related
-                      text: AC-19
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    cm-8.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-8.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(3)(a)
-                      parts: 
-                        - 
-                          id:         cm-8.3.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(3)(a)[1]
-                          prose: 
-                            """
-                              defines the frequency to employ automated mechanisms to detect the presence
-                                                      of unauthorized:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-8.3.a_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[1][a]
-                              prose:      hardware components within the information system;
-                            - 
-                              id:         cm-8.3.a_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[1][b]
-                              prose:      software components within the information system;
-                            - 
-                              id:         cm-8.3.a_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[1][c]
-                              prose:      firmware components within the information system;
-                        - 
-                          id:         cm-8.3.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-8(3)(a)[2]
-                          prose: 
-                            """
-                              employs automated mechanisms with the organization-defined frequency to
-                                                      detect the presence of unauthorized:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-8.3.a_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[2][a]
-                              prose:      hardware components within the information system;
-                            - 
-                              id:         cm-8.3.a_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[2][b]
-                              prose:      software components within the information system;
-                            - 
-                              id:         cm-8.3.a_obj.2.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[2][c]
-                              prose:      firmware components within the information system;
-                      links: 
-                        - 
-                          href: #cm-8.3_smt.a
-                          rel:  corresp
-                          text: CM-8(3)(a)
-                    - 
-                      id:         cm-8.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(3)(b)
-                      parts: 
-                        - 
-                          id:         cm-8.3.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(3)(b)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to be notified when unauthorized components are
-                                                      detected;
-                            """
-                        - 
-                          id:         cm-8.3.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-8(3)(b)[2]
-                          prose: 
-                            """
-                              takes one or more of the following actions when unauthorized components are
-                                                      detected:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-8.3.b_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(b)[2][a]
-                              prose:      disables network access by such components;
-                            - 
-                              id:         cm-8.3.b_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(b)[2][b]
-                              prose:      isolates the components; and/or
-                            - 
-                              id:         cm-8.3.b_obj.2.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(b)[2][c]
-                              prose:      notifies organization-defined personnel or roles.
-                      links: 
-                        - 
-                          href: #cm-8.3_smt.b
-                          rel:  corresp
-                          text: CM-8(3)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nalerts/notifications of unauthorized components within the information
-                                               system\n\ninformation system monitoring records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for managing the automated
-                                               mechanisms implementing unauthorized information system component detection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for detection of unauthorized information system
-                                               components\n\nautomated mechanisms implementing the detection of unauthorized information
-                                               system components
-                        """
-            - 
-              id:         cm-8.4
-              class:      SP800-53-enhancement
-              title:      Accountability Information
-              parameters: 
-                - 
-                  id:          cm-8.4_prm_1
-                  constraints: 
-                    - 
-                      detail: position and role
-              properties: 
-                - 
-                  name:  label
-                  value: CM-8(4)
-                - 
-                  name:  sort-id
-                  value: cm-08.04
-              parts: 
-                - 
-                  id:    cm-8.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization includes in the information system component inventory
-                                        information, a means for identifying by {{ cm-8.4_prm_1 }},
-                                        individuals responsible/accountable for administering those components.
-                    """
-                - 
-                  id:    cm-8.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Identifying individuals who are both responsible and accountable for administering
-                                        information system components helps to ensure that the assigned components are
-                                        properly administered and organizations can contact those individuals if some
-                                        action is required (e.g., component is determined to be the source of a
-                                        breach/compromise, component needs to be recalled/replaced, or component needs to
-                                        be relocated).
-                    """
-                - 
-                  id:    cm-8.4_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization includes in the information system component
-                                        inventory for information system components, a means for identifying the
-                                        individuals responsible and accountable for administering those components by one
-                                        or more of the following: 
-                    """
-                  parts: 
-                    - 
-                      id:         cm-8.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-8(4)[1]
-                      prose:      name;
-                    - 
-                      id:         cm-8.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(4)[2]
-                      prose:      position; and/or
-                    - 
-                      id:         cm-8.4_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(4)[3]
-                      prose:      role.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for managing the information
-                                               system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for maintaining the inventory of information system
-                                               components\n\nautomated mechanisms implementing the information system component
-                                               inventory
-                        """
-            - 
-              id:         cm-8.5
-              class:      SP800-53-enhancement
-              title:      No Duplicate Accounting of Components
-              properties: 
-                - 
-                  name:  label
-                  value: CM-8(5)
-                - 
-                  name:  sort-id
-                  value: cm-08.05
-              parts: 
-                - 
-                  id:    cm-8.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization verifies that all components within the authorization boundary of
-                                        the information system are not duplicated in other information system component
-                                        inventories.
-                    """
-                - 
-                  id:    cm-8.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement addresses the potential problem of duplicate accounting
-                                        of information system components in large or complex interconnected systems.
-                    """
-                - 
-                  id:         cm-8.5_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization verifies that all components within the
-                                        authorization boundary of the information system are not duplicated in other
-                                        information system inventories. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system inventory responsibilities\n\norganizational personnel with responsibilities for defining information system
-                                               components within the authorization boundary of the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for maintaining the inventory of information system
-                                               components\n\nautomated mechanisms implementing the information system component
-                                               inventory
-                        """
-        - 
-          id:         cm-9
-          class:      SP800-53
-          title:      Configuration Management Plan
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-9
-            - 
-              name:  sort-id
-              value: cm-09
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-9_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops, documents, and implements a configuration management plan
-                                 for the information system that:
-                """
-              parts: 
-                - 
-                  id:         cm-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Addresses roles, responsibilities, and configuration management processes and
-                                        procedures;
-                    """
-                - 
-                  id:         cm-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Establishes a process for identifying configuration items throughout the system
-                                        development life cycle and for managing the configuration of the configuration
-                                        items;
-                    """
-                - 
-                  id:         cm-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Defines the configuration items for the information system and places the
-                                        configuration items under configuration management; and
-                    """
-                - 
-                  id:         cm-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects the configuration management plan from unauthorized disclosure and
-                                        modification.
-                    """
-            - 
-              id:    cm-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Configuration management plans satisfy the requirements in configuration management
-                                 policies while being tailored to individual information systems. Such plans define
-                                 detailed processes and procedures for how configuration management is used to support
-                                 system development life cycle activities at the information system level.
-                                 Configuration management plans are typically developed during the
-                                 development/acquisition phase of the system development life cycle. The plans
-                                 describe how to move changes through change management processes, how to update
-                                 configuration settings and baselines, how to maintain information system component
-                                 inventories, how to control development, test, and operational environments, and how
-                                 to develop, release, and update key documents. Organizations can employ templates to
-                                 help ensure consistent and timely development and implementation of configuration
-                                 management plans. Such templates can represent a master configuration management plan
-                                 for the organization at large with subsets of the plan implemented on a system by
-                                 system basis. Configuration management approval processes include designation of key
-                                 management stakeholders responsible for reviewing and approving proposed changes to
-                                 information systems, and personnel that conduct security impact analyses prior to the
-                                 implementation of changes to the systems. Configuration items are the information
-                                 system items (hardware, software, firmware, and documentation) to be
-                                 configuration-managed. As information systems continue through the system development
-                                 life cycle, new configuration items may be identified and some existing configuration
-                                 items may no longer need to be under configuration control.
-                """
-              links: 
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-            - 
-              id:    cm-9_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization develops, documents, and implements a configuration
-                                 management plan for the information system that:
-                """
-              parts: 
-                - 
-                  id:         cm-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-9(a)
-                  parts: 
-                    - 
-                      id:         cm-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(a)[1]
-                      prose:      addresses roles;
-                    - 
-                      id:         cm-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(a)[2]
-                      prose:      addresses responsibilities;
-                    - 
-                      id:         cm-9.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(a)[3]
-                      prose:      addresses configuration management processes and procedures;
-                - 
-                  id:         cm-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-9(b)
-                  prose:      establishes a process for:
-                  parts: 
-                    - 
-                      id:         cm-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(b)[1]
-                      prose:      identifying configuration items throughout the SDLC;
-                    - 
-                      id:         cm-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(b)[2]
-                      prose:      managing the configuration of the configuration items;
-                - 
-                  id:         cm-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-9(c)
-                  parts: 
-                    - 
-                      id:         cm-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-9(c)[1]
-                      prose:      defines the configuration items for the information system;
-                    - 
-                      id:         cm-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-9(c)[2]
-                      prose:      places the configuration items under configuration management;
-                - 
-                  id:         cm-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-9(d)
-                  prose:      protects the configuration management plan from unauthorized:
-                  parts: 
-                    - 
-                      id:         cm-9.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(d)[1]
-                      prose:      disclosure; and
-                    - 
-                      id:         cm-9.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(d)[2]
-                      prose:      modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for developing the configuration
-                                        management plan\n\norganizational personnel with responsibilities for implementing and managing
-                                        processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration
-                                        management plan\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for developing and documenting the configuration
-                                        management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nautomated mechanisms implementing the configuration management plan\n\nautomated mechanisms for managing configuration items\n\nautomated mechanisms for protecting the configuration management plan
-                    """
-        - 
-          id:         cm-10
-          class:      SP800-53
-          title:      Software Usage Restrictions
-          properties: 
-            - 
-              name:  label
-              value: CM-10
-            - 
-              name:  sort-id
-              value: cm-10
-          parts: 
-            - 
-              id:    cm-10_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-10_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Uses software and associated documentation in accordance with contract agreements
-                                        and copyright laws;
-                    """
-                - 
-                  id:         cm-10_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Tracks the use of software and associated documentation protected by quantity
-                                        licenses to control copying and distribution; and
-                    """
-                - 
-                  id:         cm-10_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Controls and documents the use of peer-to-peer file sharing technology to ensure
-                                        that this capability is not used for the unauthorized distribution, display,
-                                        performance, or reproduction of copyrighted work.
-                    """
-            - 
-              id:    cm-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Software license tracking can be accomplished by manual methods (e.g., simple
-                                 spreadsheets) or automated methods (e.g., specialized tracking applications)
-                                 depending on organizational needs.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    cm-10_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-10.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-10(a)
-                  prose: 
-                    """
-                      uses software and associated documentation in accordance with contract agreements
-                                        and copyright laws;
-                    """
-                - 
-                  id:         cm-10.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-10(b)
-                  prose: 
-                    """
-                      tracks the use of software and associated documentation protected by quantity
-                                        licenses to control copying and distribution; and
-                    """
-                - 
-                  id:         cm-10.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-10(c)
-                  prose: 
-                    """
-                      controls and documents the use of peer-to-peer file sharing technology to ensure
-                                        that this capability is not used for the unauthorized distribution, display,
-                                        performance, or reproduction of copyrighted work.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\norganizational personnel with software license management responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for tracking the use of software protected by quantity
-                                        licenses\n\norganization process for controlling/documenting the use of peer-to-peer file
-                                        sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files
-                                        sharing technology
-                    """
-          controls: 
-            - 
-              id:         cm-10.1
-              class:      SP800-53-enhancement
-              title:      Open Source Software
-              parameters: 
-                - 
-                  id:    cm-10.1_prm_1
-                  label: organization-defined restrictions
-              properties: 
-                - 
-                  name:  label
-                  value: CM-10(1)
-                - 
-                  name:  sort-id
-                  value: cm-10.01
-              parts: 
-                - 
-                  id:    cm-10.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization establishes the following restrictions on the use of open source
-                                        software: {{ cm-10.1_prm_1 }}.
-                    """
-                - 
-                  id:    cm-10.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Open source software refers to software that is available in source code form.
-                                        Certain software rights normally reserved for copyright holders are routinely
-                                        provided under software license agreements that permit individuals to study,
-                                        change, and improve the software. From a security perspective, the major advantage
-                                        of open source software is that it provides organizations with the ability to
-                                        examine the source code. However, there are also various licensing issues
-                                        associated with open source software including, for example, the constraints on
-                                        derivative use of such software.
-                    """
-                - 
-                  id:    cm-10.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-10.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-10(1)[1]
-                      prose:      defines restrictions on the use of open source software; and
-                    - 
-                      id:         cm-10.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-10(1)[2]
-                      prose: 
-                        """
-                          establishes organization-defined restrictions on the use of open source
-                                               software.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing restrictions on use of open source software\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for establishing and enforcing
-                                               restrictions on use of open source software\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for restricting the use of open source software\n\nautomated mechanisms implementing restrictions on the use of open source
-                                               software
-                        """
-        - 
-          id:         cm-11
-          class:      SP800-53
-          title:      User-installed Software
-          parameters: 
-            - 
-              id:    cm-11_prm_1
-              label: organization-defined policies
-            - 
-              id:    cm-11_prm_2
-              label: organization-defined methods
-            - 
-              id:          cm-11_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: Continuously (via CM-7 (5))
-          properties: 
-            - 
-              name:  label
-              value: CM-11
-            - 
-              name:  sort-id
-              value: cm-11
-          parts: 
-            - 
-              id:    cm-11_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes {{ cm-11_prm_1 }} governing the installation of
-                                        software by users;
-                    """
-                - 
-                  id:         cm-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Enforces software installation policies through {{ cm-11_prm_2 }};
-                                        and
-                    """
-                - 
-                  id:         cm-11_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Monitors policy compliance at {{ cm-11_prm_3 }}.
-            - 
-              id:    cm-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  If provided the necessary privileges, users have the ability to install software in
-                                 organizational information systems. To maintain control over the types of software
-                                 installed, organizations identify permitted and prohibited actions regarding software
-                                 installation. Permitted software installations may include, for example, updates and
-                                 security patches to existing software and downloading applications from
-                                 organization-approved “app stores” Prohibited software installations may include, for
-                                 example, software with unknown or suspect pedigrees or software that organizations
-                                 consider potentially malicious. The policies organizations select governing
-                                 user-installed software may be organization-developed or provided by some external
-                                 entity. Policy enforcement methods include procedural methods (e.g., periodic
-                                 examination of user accounts), automated methods (e.g., configuration settings
-                                 implemented on organizational information systems), or both.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    cm-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(a)
-                  parts: 
-                    - 
-                      id:         cm-11.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(a)[1]
-                      prose:      defines policies to govern the installation of software by users;
-                    - 
-                      id:         cm-11.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(a)[2]
-                      prose: 
-                        """
-                          establishes organization-defined policies governing the installation of
-                                               software by users;
-                        """
-                - 
-                  id:         cm-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(b)
-                  parts: 
-                    - 
-                      id:         cm-11.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(b)[1]
-                      prose:      defines methods to enforce software installation policies;
-                    - 
-                      id:         cm-11.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-11(b)[2]
-                      prose: 
-                        """
-                          enforces software installation policies through organization-defined
-                                               methods;
-                        """
-                - 
-                  id:         cm-11.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(c)
-                  parts: 
-                    - 
-                      id:         cm-11.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(c)[1]
-                      prose:      defines frequency to monitor policy compliance; and
-                    - 
-                      id:         cm-11.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-11(c)[2]
-                      prose:      monitors policy compliance at organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for governing user-installed
-                                        software\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\norganizational personnel monitoring compliance with user-installed software
-                                        policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes governing user-installed software on the information
-                                        system\n\nautomated mechanisms enforcing rules/methods for governing the installation of
-                                        software by users\n\nautomated mechanisms monitoring policy compliance
-                    """
-          controls: 
-            - 
-              id:         cm-11.1
-              class:      SP800-53-enhancement
-              title:      Alerts for Unauthorized Installations
-              parameters: 
-                - 
-                  id:    cm-11.1_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: CM-11(1)
-                - 
-                  name:  sort-id
-                  value: cm-11.01
-              parts: 
-                - 
-                  id:    cm-11.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system alerts {{ cm-11.1_prm_1 }} when the
-                                        unauthorized installation of software is detected.
-                    """
-                - 
-                  id:    cm-11.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                - 
-                  id:    cm-11.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         cm-11.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(1)[1]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to be alerted when the unauthorized
-                                               installation of software is detected; and
-                        """
-                    - 
-                      id:         cm-11.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-11(1)[2]
-                      prose: 
-                        """
-                          the information system alerts organization-defined personnel or roles when the
-                                               unauthorized installation of software is detected.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for governing user-installed
-                                               software\n\norganizational personnel operating, using, and/or maintaining the information
-                                               system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes governing user-installed software on the information
-                                               system\n\nautomated mechanisms for alerting personnel/roles when unauthorized
-                                               installation of software is detected
-                        """
-    - 
-      id:       cp
-      class:    family
-      title:    Contingency Planning
-      controls: 
-        - 
-          id:         cp-1
-          class:      SP800-53
-          title:      Contingency Planning Policy and Procedures
-          parameters: 
-            - 
-              id:    cp-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          cp-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          cp-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-1
-            - 
-              name:  sort-id
-              value: cp-01
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    cp-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ cp-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         cp-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A contingency planning policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         cp-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the contingency planning policy
-                                               and associated contingency planning controls; and
-                        """
-                - 
-                  id:         cp-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         cp-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Contingency planning policy {{ cp-1_prm_2 }}; and
-                    - 
-                      id:         cp-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Contingency planning procedures {{ cp-1_prm_3 }}.
-            - 
-              id:    cp-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CP
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    cp-1_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         cp-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-1(a)
-                  parts: 
-                    - 
-                      id:         cp-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(a)(1)
-                      parts: 
-                        - 
-                          id:         cp-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[1]
-                          prose: 
-                            """
-                              the organization develops and documents a contingency planning policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         cp-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         cp-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         cp-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         cp-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         cp-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         cp-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         cp-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         cp-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[2]
-                          prose: 
-                            """
-                              the organization defines personnel or roles to whom the contingency planning
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         cp-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[3]
-                          prose: 
-                            """
-                              the organization disseminates the contingency planning policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         cp-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(a)(2)
-                      parts: 
-                        - 
-                          id:         cp-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[1]
-                          prose: 
-                            """
-                              the organization develops and documents procedures to facilitate the
-                                                      implementation of the contingency planning policy and associated contingency
-                                                      planning controls;
-                            """
-                        - 
-                          id:         cp-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[2]
-                          prose: 
-                            """
-                              the organization defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         cp-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[3]
-                          prose: 
-                            """
-                              the organization disseminates the procedures to organization-defined
-                                                      personnel or roles;
-                            """
-                - 
-                  id:         cp-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-1(b)
-                  parts: 
-                    - 
-                      id:         cp-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(b)(1)
-                      parts: 
-                        - 
-                          id:         cp-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(1)[1]
-                          prose: 
-                            """
-                              the organization defines the frequency to review and update the current
-                                                      contingency planning policy;
-                            """
-                        - 
-                          id:         cp-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(1)[2]
-                          prose: 
-                            """
-                              the organization reviews and updates the current contingency planning with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         cp-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(b)(2)
-                      parts: 
-                        - 
-                          id:         cp-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(2)[1]
-                          prose: 
-                            """
-                              the organization defines the frequency to review and update the current
-                                                      contingency planning procedures; and
-                            """
-                        - 
-                          id:         cp-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(2)[2]
-                          prose: 
-                            """
-                              the organization reviews and updates the current contingency planning
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         cp-2
-          class:      SP800-53
-          title:      Contingency Plan
-          parameters: 
-            - 
-              id:    cp-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    cp-2_prm_2
-              label: 
-                """
-                  organization-defined key contingency personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-            - 
-              id:          cp-2_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:    cp-2_prm_4
-              label: 
-                """
-                  organization-defined key contingency personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-2
-            - 
-              name:  sort-id
-              value: cp-02
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops a contingency plan for the information system that:
-                  parts: 
-                    - 
-                      id:         cp-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Identifies essential missions and business functions and associated contingency
-                                               requirements;
-                        """
-                    - 
-                      id:         cp-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Provides recovery objectives, restoration priorities, and metrics;
-                    - 
-                      id:         cp-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Addresses contingency roles, responsibilities, assigned individuals with
-                                               contact information;
-                        """
-                    - 
-                      id:         cp-2_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Addresses maintaining essential missions and business functions despite an
-                                               information system disruption, compromise, or failure;
-                        """
-                    - 
-                      id:         cp-2_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose: 
-                        """
-                          Addresses eventual, full information system restoration without deterioration
-                                               of the security safeguards originally planned and implemented; and
-                        """
-                    - 
-                      id:         cp-2_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose:      Is reviewed and approved by {{ cp-2_prm_1 }};
-                - 
-                  id:         cp-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Distributes copies of the contingency plan to {{ cp-2_prm_2 }};
-                - 
-                  id:         cp-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Coordinates contingency planning activities with incident handling activities;
-                - 
-                  id:         cp-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Reviews the contingency plan for the information system {{ cp-2_prm_3 }};
-                - 
-                  id:         cp-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Updates the contingency plan to address changes to the organization, information
-                                        system, or environment of operation and problems encountered during contingency
-                                        plan implementation, execution, or testing;
-                    """
-                - 
-                  id:         cp-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Communicates contingency plan changes to {{ cp-2_prm_4 }}; and
-                - 
-                  id:         cp-2_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Protects the contingency plan from unauthorized disclosure and modification.
-                - 
-                  id:    cp-2_fr
-                  name:  item
-                  title: CP-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-2_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2 Requirement:
-                      prose:      For JAB authorizations the contingency lists include designated FedRAMP personnel.
-            - 
-              id:    cp-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Contingency planning for information systems is part of an overall organizational
-                                 program for achieving continuity of operations for mission/business functions.
-                                 Contingency planning addresses both information system restoration and implementation
-                                 of alternative mission/business processes when systems are compromised. The
-                                 effectiveness of contingency planning is maximized by considering such planning
-                                 throughout the phases of the system development life cycle. Performing contingency
-                                 planning on hardware, software, and firmware development can be an effective means of
-                                 achieving information system resiliency. Contingency plans reflect the degree of
-                                 restoration required for organizational information systems since not all systems may
-                                 need to fully recover to achieve the level of continuity of operations desired.
-                                 Information system recovery objectives reflect applicable laws, Executive Orders,
-                                 directives, policies, standards, regulations, and guidelines. In addition to
-                                 information system availability, contingency plans also address other
-                                 security-related events resulting in a reduction in mission and/or business
-                                 effectiveness, such as malicious attacks compromising the confidentiality or
-                                 integrity of information systems. Actions addressed in contingency plans include, for
-                                 example, orderly/graceful degradation, information system shutdown, fallback to a
-                                 manual mode, alternate information flows, and operating in modes reserved for when
-                                 systems are under attack. By closely coordinating contingency planning with incident
-                                 handling activities, organizations can ensure that the necessary contingency planning
-                                 activities are in place and activated in the event of a security incident.
-                """
-              links: 
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pm-8
-                  rel:  related
-                  text: PM-8
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-            - 
-              id:    cp-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cp-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(a)
-                  prose:      develops and documents a contingency plan for the information system that:
-                  parts: 
-                    - 
-                      id:         cp-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(1)
-                      prose: 
-                        """
-                          identifies essential missions and business functions and associated contingency
-                                               requirements;
-                        """
-                    - 
-                      id:         cp-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(2)
-                      parts: 
-                        - 
-                          id:         cp-2.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[1]
-                          prose:      provides recovery objectives;
-                        - 
-                          id:         cp-2.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[2]
-                          prose:      provides restoration priorities;
-                        - 
-                          id:         cp-2.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[3]
-                          prose:      provides metrics;
-                    - 
-                      id:         cp-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(3)
-                      parts: 
-                        - 
-                          id:         cp-2.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[1]
-                          prose:      addresses contingency roles;
-                        - 
-                          id:         cp-2.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[2]
-                          prose:      addresses contingency responsibilities;
-                        - 
-                          id:         cp-2.a.3_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[3]
-                          prose:      addresses assigned individuals with contact information;
-                    - 
-                      id:         cp-2.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(4)
-                      prose: 
-                        """
-                          addresses maintaining essential missions and business functions despite an
-                                               information system disruption, compromise, or failure;
-                        """
-                    - 
-                      id:         cp-2.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(5)
-                      prose: 
-                        """
-                          addresses eventual, full information system restoration without deterioration
-                                               of the security safeguards originally planned and implemented;
-                        """
-                    - 
-                      id:         cp-2.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(6)
-                      parts: 
-                        - 
-                          id:         cp-2.a.6_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-2(a)(6)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to review and approve the contingency plan for
-                                                      the information system;
-                            """
-                        - 
-                          id:         cp-2.a.6_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-2(a)(6)[2]
-                          prose:      is reviewed and approved by organization-defined personnel or roles;
-                - 
-                  id:         cp-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(b)
-                  parts: 
-                    - 
-                      id:         cp-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(b)[1]
-                      prose: 
-                        """
-                          defines key contingency personnel (identified by name and/or by role) and
-                                               organizational elements to whom copies of the contingency plan are to be
-                                               distributed;
-                        """
-                    - 
-                      id:         cp-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-2(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the contingency plan to organization-defined key
-                                               contingency personnel and organizational elements;
-                        """
-                - 
-                  id:         cp-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CP-2(c)
-                  prose:      coordinates contingency planning activities with incident handling activities;
-                - 
-                  id:         cp-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(d)
-                  parts: 
-                    - 
-                      id:         cp-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(d)[1]
-                      prose: 
-                        """
-                          defines a frequency to review the contingency plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(d)[2]
-                      prose:      reviews the contingency plan with the organization-defined frequency;
-                - 
-                  id:         cp-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(e)
-                  prose:      updates the contingency plan to address:
-                  parts: 
-                    - 
-                      id:         cp-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(e)[1]
-                      prose: 
-                        """
-                          changes to the organization, information system, or environment of
-                                               operation;
-                        """
-                    - 
-                      id:         cp-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(e)[2]
-                      prose:      problems encountered during plan implementation, execution, and testing;
-                - 
-                  id:         cp-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(f)
-                  parts: 
-                    - 
-                      id:         cp-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(f)[1]
-                      prose: 
-                        """
-                          defines key contingency personnel (identified by name and/or by role) and
-                                               organizational elements to whom contingency plan changes are to be
-                                               communicated;
-                        """
-                    - 
-                      id:         cp-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-2(f)[2]
-                      prose: 
-                        """
-                          communicates contingency plan changes to organization-defined key contingency
-                                               personnel and organizational elements; and
-                        """
-                - 
-                  id:         cp-2.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-2(g)
-                  prose:      protects the contingency plan from unauthorized disclosure and modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning and plan implementation
-                                        responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for contingency plan development, review, update, and
-                                        protection\n\nautomated mechanisms for developing, reviewing, updating and/or protecting the
-                                        contingency plan
-                    """
-          controls: 
-            - 
-              id:         cp-2.1
-              class:      SP800-53-enhancement
-              title:      Coordinate with Related Plans
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(1)
-                - 
-                  name:  sort-id
-                  value: cp-02.01
-              parts: 
-                - 
-                  id:    cp-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization coordinates contingency plan development with organizational
-                                        elements responsible for related plans.
-                    """
-                - 
-                  id:    cp-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Plans related to contingency plans for organizational information systems include,
-                                        for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                                        Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                                        Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant
-                                        Emergency Plans.
-                    """
-                - 
-                  id:         cp-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization coordinates contingency plan development with
-                                        organizational elements responsible for related plans.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans
-                        """
-            - 
-              id:         cp-2.2
-              class:      SP800-53-enhancement
-              title:      Capacity Planning
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(2)
-                - 
-                  name:  sort-id
-                  value: cp-02.02
-              parts: 
-                - 
-                  id:    cp-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization conducts capacity planning so that necessary capacity for
-                                        information processing, telecommunications, and environmental support exists
-                                        during contingency operations.
-                    """
-                - 
-                  id:    cp-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Capacity planning is needed because different types of threats (e.g., natural
-                                        disasters, targeted cyber attacks) can result in a reduction of the available
-                                        processing, telecommunications, and support services originally intended to
-                                        support the organizational missions/business functions. Organizations may need to
-                                        anticipate degraded operations during contingency operations and factor such
-                                        degradation into capacity planning.
-                    """
-                - 
-                  id:    cp-2.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization conducts capacity planning so that necessary
-                                        capacity exists during contingency operations for: 
-                    """
-                  parts: 
-                    - 
-                      id:         cp-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-2(2)[1]
-                      prose:      information processing;
-                    - 
-                      id:         cp-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(2)[2]
-                      prose:      telecommunications; and
-                    - 
-                      id:         cp-2.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(2)[3]
-                      prose:      environmental support.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\ncapacity planning documents\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-2.3
-              class:      SP800-53-enhancement
-              title:      Resume Essential Missions / Business Functions
-              parameters: 
-                - 
-                  id:    cp-2.3_prm_1
-                  label: organization-defined time period
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(3)
-                - 
-                  name:  sort-id
-                  value: cp-02.03
-              parts: 
-                - 
-                  id:    cp-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization plans for the resumption of essential missions and business
-                                        functions within {{ cp-2.3_prm_1 }} of contingency plan
-                                        activation.
-                    """
-                - 
-                  id:    cp-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may choose to carry out the contingency planning activities in this
-                                        control enhancement as part of organizational business continuity planning
-                                        including, for example, as part of business impact analyses. The time period for
-                                        resumption of essential missions/business functions may be dependent on the
-                                        severity/extent of disruptions to the information system and its supporting
-                                        infrastructure.
-                    """
-                  links: 
-                    - 
-                      href: #pe-12
-                      rel:  related
-                      text: PE-12
-                - 
-                  id:    cp-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cp-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(3)[1]
-                      prose: 
-                        """
-                          defines the time period to plan for the resumption of essential missions and
-                                               business functions as a result of contingency plan activation; and
-                        """
-                    - 
-                      id:         cp-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(3)[2]
-                      prose: 
-                        """
-                          plans for the resumption of essential missions and business functions within
-                                               organization-defined time period of contingency plan activation.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for resumption of missions and business functions
-            - 
-              id:         cp-2.4
-              class:      SP800-53-enhancement
-              title:      Resume All Missions / Business Functions
-              parameters: 
-                - 
-                  id:          cp-2.4_prm_1
-                  label:       organization-defined time period
-                  constraints: 
-                    - 
-                      detail: time period defined in service provider and organization SLA
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(4)
-                - 
-                  name:  sort-id
-                  value: cp-02.04
-              parts: 
-                - 
-                  id:    cp-2.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization plans for the resumption of all missions and business functions
-                                        within {{ cp-2.4_prm_1 }} of contingency plan activation.
-                    """
-                - 
-                  id:    cp-2.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may choose to carry out the contingency planning activities in this
-                                        control enhancement as part of organizational business continuity planning
-                                        including, for example, as part of business impact analyses. The time period for
-                                        resumption of all missions/business functions may be dependent on the
-                                        severity/extent of disruptions to the information system and its supporting
-                                        infrastructure.
-                    """
-                  links: 
-                    - 
-                      href: #pe-12
-                      rel:  related
-                      text: PE-12
-                - 
-                  id:    cp-2.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cp-2.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(4)[1]
-                      prose: 
-                        """
-                          defines the time period to plan for the resumption of all missions and business
-                                               functions as a result of contingency plan activation; and
-                        """
-                    - 
-                      id:         cp-2.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(4)[2]
-                      prose: 
-                        """
-                          plans for the resumption of all missions and business functions within
-                                               organization-defined time period of contingency plan activation.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for resumption of missions and business functions
-            - 
-              id:         cp-2.5
-              class:      SP800-53-enhancement
-              title:      Continue Essential Missions / Business Functions
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(5)
-                - 
-                  name:  sort-id
-                  value: cp-02.05
-              parts: 
-                - 
-                  id:    cp-2.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization plans for the continuance of essential missions and business
-                                        functions with little or no loss of operational continuity and sustains that
-                                        continuity until full information system restoration at primary processing and/or
-                                        storage sites.
-                    """
-                - 
-                  id:    cp-2.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may choose to carry out the contingency planning activities in this
-                                        control enhancement as part of organizational business continuity planning
-                                        including, for example, as part of business impact analyses. Primary processing
-                                        and/or storage sites defined by organizations as part of contingency planning may
-                                        change depending on the circumstances associated with the contingency (e.g.,
-                                        backup sites may become primary sites).
-                    """
-                  links: 
-                    - 
-                      href: #pe-12
-                      rel:  related
-                      text: PE-12
-                - 
-                  id:    cp-2.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cp-2.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(5)[1]
-                      prose: 
-                        """
-                          plans for the continuance of essential missions and business functions with
-                                               little or no loss of operational continuity; and
-                        """
-                    - 
-                      id:         cp-2.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(5)[2]
-                      prose: 
-                        """
-                          sustains that operational continuity until full information system restoration
-                                               at primary processing and/or storage sites.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for continuing missions and business functions
-            - 
-              id:         cp-2.8
-              class:      SP800-53-enhancement
-              title:      Identify Critical Assets
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(8)
-                - 
-                  name:  sort-id
-                  value: cp-02.08
-              parts: 
-                - 
-                  id:    cp-2.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies critical information system assets supporting
-                                        essential missions and business functions.
-                    """
-                - 
-                  id:    cp-2.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may choose to carry out the contingency planning activities in this
-                                        control enhancement as part of organizational business continuity planning
-                                        including, for example, as part of business impact analyses. Organizations
-                                        identify critical information system assets so that additional safeguards and
-                                        countermeasures can be employed (above and beyond those safeguards and
-                                        countermeasures routinely implemented) to help ensure that organizational
-                                        missions/business functions can continue to be conducted during contingency
-                                        operations. In addition, the identification of critical information assets
-                                        facilitates the prioritization of organizational resources. Critical information
-                                        system assets include technical and operational aspects. Technical aspects
-                                        include, for example, information technology services, information system
-                                        components, information technology products, and mechanisms. Operational aspects
-                                        include, for example, procedures (manually executed operations) and personnel
-                                        (individuals operating technical safeguards and/or executing manual procedures).
-                                        Organizational program protection plans can provide assistance in identifying
-                                        critical assets.
-                    """
-                  links: 
-                    - 
-                      href: #sa-14
-                      rel:  related
-                      text: SA-14
-                    - 
-                      href: #sa-15
-                      rel:  related
-                      text: SA-15
-                - 
-                  id:         cp-2.8_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization identifies critical information system assets
-                                        supporting essential missions and business functions.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         cp-3
-          class:      SP800-53
-          title:      Contingency Training
-          parameters: 
-            - 
-              id:          cp-3_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: ten (10) days
-            - 
-              id:          cp-3_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-3
-            - 
-              name:  sort-id
-              value: cp-03
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    cp-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides contingency training to information system users consistent
-                                 with assigned roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         cp-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Within {{ cp-3_prm_1 }} of assuming a contingency role or
-                                        responsibility;
-                    """
-                - 
-                  id:         cp-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         cp-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ cp-3_prm_2 }} thereafter.
-                    """
-            - 
-              id:    cp-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Contingency training provided by organizations is linked to the assigned roles and
-                                 responsibilities of organizational personnel to ensure that the appropriate content
-                                 and level of detail is included in such training. For example, regular users may only
-                                 need to know when and where to report for duty during contingency operations and if
-                                 normal duties are affected; system administrators may require additional training on
-                                 how to set up information systems at alternate processing and storage sites; and
-                                 managers/senior leaders may receive more specific training on how to conduct
-                                 mission-essential functions in designated off-site locations and how to establish
-                                 communications with other governmental entities for purposes of coordination on
-                                 contingency-related activities. Training for contingency roles/responsibilities
-                                 reflects the specific continuity requirements in the contingency plan.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ir-2
-                  rel:  related
-                  text: IR-2
-            - 
-              id:    cp-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cp-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(a)
-                  parts: 
-                    - 
-                      id:         cp-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-3(a)[1]
-                      prose: 
-                        """
-                          defines a time period within which contingency training is to be provided to
-                                               information system users assuming a contingency role or responsibility;
-                        """
-                    - 
-                      id:         cp-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-3(a)[2]
-                      prose: 
-                        """
-                          provides contingency training to information system users consistent with
-                                               assigned roles and responsibilities within the organization-defined time period
-                                               of assuming a contingency role or responsibility;
-                        """
-                - 
-                  id:         cp-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-3(b)
-                  prose: 
-                    """
-                      provides contingency training to information system users consistent with assigned
-                                        roles and responsibilities when required by information system changes;
-                    """
-                - 
-                  id:         cp-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(c)
-                  parts: 
-                    - 
-                      id:         cp-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-3(c)[1]
-                      prose:      defines the frequency for contingency training thereafter; and
-                    - 
-                      id:         cp-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-3(c)[2]
-                      prose: 
-                        """
-                          provides contingency training to information system users consistent with
-                                               assigned roles and responsibilities with the organization-defined frequency
-                                               thereafter.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning, plan implementation, and
-                                        training responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for contingency training
-          controls: 
-            - 
-              id:         cp-3.1
-              class:      SP800-53-enhancement
-              title:      Simulated Events
-              properties: 
-                - 
-                  name:  label
-                  value: CP-3(1)
-                - 
-                  name:  sort-id
-                  value: cp-03.01
-              parts: 
-                - 
-                  id:    cp-3.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization incorporates simulated events into contingency training to
-                                        facilitate effective response by personnel in crisis situations.
-                    """
-                - 
-                  id:         cp-3.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization incorporates simulated events into contingency
-                                        training to facilitate effective response by personnel in crisis situations.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning, plan implementation, and
-                                               training responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for contingency training\n\nautomated mechanisms for simulating contingency events
-        - 
-          id:         cp-4
-          class:      SP800-53
-          title:      Contingency Plan Testing
-          parameters: 
-            - 
-              id:          cp-4_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          cp-4_prm_2
-              label:       organization-defined tests
-              constraints: 
-                - 
-                  detail: functional exercises
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-4
-            - 
-              name:  sort-id
-              value: cp-04
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-              rel:  reference
-              text: NIST Special Publication 800-84
-          parts: 
-            - 
-              id:    cp-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the
-                                        effectiveness of the plan and the organizational readiness to execute the
-                                        plan;
-                    """
-                - 
-                  id:         cp-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews the contingency plan test results; and
-                - 
-                  id:         cp-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Initiates corrective actions, if needed.
-                - 
-                  id:    cp-4_fr
-                  name:  item
-                  title: CP-4(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-4_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-4(a) Requirement:
-                      prose:      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-            - 
-              id:    cp-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Methods for testing contingency plans to determine the effectiveness of the plans and
-                                 to identify potential weaknesses in the plans include, for example, walk-through and
-                                 tabletop exercises, checklists, simulations (parallel, full interrupt), and
-                                 comprehensive exercises. Organizations conduct testing based on the continuity
-                                 requirements in contingency plans and include a determination of the effects on
-                                 organizational operations, assets, and individuals arising due to contingency
-                                 operations. Organizations have flexibility and discretion in the breadth, depth, and
-                                 timelines of corrective actions.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-3
-                  rel:  related
-                  text: CP-3
-                - 
-                  href: #ir-3
-                  rel:  related
-                  text: IR-3
-            - 
-              id:    cp-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-4(a)
-                  parts: 
-                    - 
-                      id:         cp-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-4(a)[1]
-                      prose: 
-                        """
-                          defines tests to determine the effectiveness of the contingency plan and the
-                                               organizational readiness to execute the plan;
-                        """
-                    - 
-                      id:         cp-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-4(a)[2]
-                      prose: 
-                        """
-                          defines a frequency to test the contingency plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-4(a)[3]
-                      prose: 
-                        """
-                          tests the contingency plan for the information system with the
-                                               organization-defined frequency, using organization-defined tests to determine
-                                               the effectiveness of the plan and the organizational readiness to execute the
-                                               plan;
-                        """
-                - 
-                  id:         cp-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-4(b)
-                  prose:      reviews the contingency plan test results; and
-                - 
-                  id:         cp-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-4(c)
-                  prose:      initiates corrective actions, if needed.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for contingency plan testing,
-                                        reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and/or contingency plan
-                                        testing
-                    """
-          controls: 
-            - 
-              id:         cp-4.1
-              class:      SP800-53-enhancement
-              title:      Coordinate with Related Plans
-              properties: 
-                - 
-                  name:  label
-                  value: CP-4(1)
-                - 
-                  name:  sort-id
-                  value: cp-04.01
-              parts: 
-                - 
-                  id:    cp-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization coordinates contingency plan testing with organizational elements
-                                        responsible for related plans.
-                    """
-                - 
-                  id:    cp-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Plans related to contingency plans for organizational information systems include,
-                                        for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                                        Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                                        Cyber Incident Response Plans, and Occupant Emergency Plans. This control
-                                        enhancement does not require organizations to create organizational elements to
-                                        handle related plans or to align such elements with specific plans. It does
-                                        require, however, that if such organizational elements are responsible for related
-                                        plans, organizations should coordinate with those elements.
-                    """
-                  links: 
-                    - 
-                      href: #ir-8
-                      rel:  related
-                      text: IR-8
-                    - 
-                      href: #pm-8
-                      rel:  related
-                      text: PM-8
-                - 
-                  id:         cp-4.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization coordinates contingency plan testing with
-                                        organizational elements responsible for related plans. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities
-            - 
-              id:         cp-4.2
-              class:      SP800-53-enhancement
-              title:      Alternate Processing Site
-              properties: 
-                - 
-                  name:  label
-                  value: CP-4(2)
-                - 
-                  name:  sort-id
-                  value: cp-04.02
-              parts: 
-                - 
-                  id:    cp-4.2_smt
-                  name:  statement
-                  prose: The organization tests the contingency plan at the alternate processing site:
-                  parts: 
-                    - 
-                      id:         cp-4.2_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          To familiarize contingency personnel with the facility and available resources;
-                                               and
-                        """
-                    - 
-                      id:         cp-4.2_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          To evaluate the capabilities of the alternate processing site to support
-                                               contingency operations.
-                        """
-                - 
-                  id:    cp-4.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cp-7
-                      rel:  related
-                      text: CP-7
-                - 
-                  id:    cp-4.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization tests the contingency plan at the alternate
-                                        processing site to:
-                    """
-                  parts: 
-                    - 
-                      id:         cp-4.2.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-4(2)(a)
-                      prose: 
-                        """
-                          familiarize contingency personnel with the facility and available resources;
-                                               and
-                        """
-                      links: 
-                        - 
-                          href: #cp-4.2_smt.a
-                          rel:  corresp
-                          text: CP-4(2)(a)
-                    - 
-                      id:         cp-4.2.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-4(2)(b)
-                      prose: 
-                        """
-                          evaluate the capabilities of the alternate processing site to support
-                                               contingency operations.
-                        """
-                      links: 
-                        - 
-                          href: #cp-4.2_smt.b
-                          rel:  corresp
-                          text: CP-4(2)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and/or contingency plan
-                                               testing
-                        """
-        - 
-          id:         cp-6
-          class:      SP800-53
-          title:      Alternate Storage Site
-          properties: 
-            - 
-              name:  label
-              value: CP-6
-            - 
-              name:  sort-id
-              value: cp-06
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes an alternate storage site including necessary agreements to permit the
-                                        storage and retrieval of information system backup information; and
-                    """
-                - 
-                  id:         cp-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that the alternate storage site provides information security safeguards
-                                        equivalent to that of the primary site.
-                    """
-            - 
-              id:    cp-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Alternate storage sites are sites that are geographically distinct from primary
-                                 storage sites. An alternate storage site maintains duplicate copies of information
-                                 and data in the event that the primary storage site is not available. Items covered
-                                 by alternate storage site agreements include, for example, environmental conditions
-                                 at alternate sites, access rules, physical and environmental protection requirements,
-                                 and coordination of delivery/retrieval of backup media. Alternate storage sites
-                                 reflect the requirements in contingency plans so that organizations can maintain
-                                 essential missions/business functions despite disruption, compromise, or failure in
-                                 organizational information systems.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-            - 
-              id:    cp-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-6_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-6[1]
-                  prose: 
-                    """
-                      establishes an alternate storage site including necessary agreements to permit the
-                                        storage and retrieval of information system backup information; and
-                    """
-                - 
-                  id:         cp-6_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-6[2]
-                  prose: 
-                    """
-                      ensures that the alternate storage site provides information security safeguards
-                                        equivalent to that of the primary site.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency plan alternate storage site
-                                        responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for storing and retrieving information system backup
-                                        information at the alternate storage site\n\nautomated mechanisms supporting and/or implementing storage and retrieval of
-                                        information system backup information at the alternate storage site
-                    """
-          controls: 
-            - 
-              id:         cp-6.1
-              class:      SP800-53-enhancement
-              title:      Separation from Primary Site
-              properties: 
-                - 
-                  name:  label
-                  value: CP-6(1)
-                - 
-                  name:  sort-id
-                  value: cp-06.01
-              parts: 
-                - 
-                  id:    cp-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies an alternate storage site that is separated from the
-                                        primary storage site to reduce susceptibility to the same threats.
-                    """
-                - 
-                  id:    cp-6.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Threats that affect alternate storage sites are typically defined in
-                                        organizational assessments of risk and include, for example, natural disasters,
-                                        structural failures, hostile cyber attacks, and errors of omission/commission.
-                                        Organizations determine what is considered a sufficient degree of separation
-                                        between primary and alternate storage sites based on the types of threats that are
-                                        of concern. For one particular type of threat (i.e., hostile cyber attack), the
-                                        degree of separation between sites is less relevant.
-                    """
-                  links: 
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:         cp-6.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization identifies an alternate storage site that is
-                                        separated from the primary storage site to reduce susceptibility to the same
-                                        threats. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate storage site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-6.2
-              class:      SP800-53-enhancement
-              title:      Recovery Time / Point Objectives
-              properties: 
-                - 
-                  name:  label
-                  value: CP-6(2)
-                - 
-                  name:  sort-id
-                  value: cp-06.02
-              parts: 
-                - 
-                  id:    cp-6.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization configures the alternate storage site to facilitate recovery
-                                        operations in accordance with recovery time and recovery point objectives.
-                    """
-                - 
-                  id:         cp-6.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization configures the alternate storage site to facilitate
-                                        recovery operations in accordance with recovery time objectives and recovery point
-                                        objectives (as specified in the information system contingency plan).
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for contingency plan testing\n\nautomated mechanisms supporting recovery time/point objectives
-            - 
-              id:         cp-6.3
-              class:      SP800-53-enhancement
-              title:      Accessibility
-              properties: 
-                - 
-                  name:  label
-                  value: CP-6(3)
-                - 
-                  name:  sort-id
-                  value: cp-06.03
-              parts: 
-                - 
-                  id:    cp-6.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies potential accessibility problems to the alternate
-                                        storage site in the event of an area-wide disruption or disaster and outlines
-                                        explicit mitigation actions.
-                    """
-                - 
-                  id:    cp-6.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Area-wide disruptions refer to those types of disruptions that are broad in
-                                        geographic scope (e.g., hurricane, regional power outage) with such determinations
-                                        made by organizations based on organizational assessments of risk. Explicit
-                                        mitigation actions include, for example: (i) duplicating backup information at
-                                        other alternate storage sites if access problems occur at originally designated
-                                        alternate sites; or (ii) planning for physical access to retrieve backup
-                                        information if electronic accessibility to the alternate site is disrupted.
-                    """
-                  links: 
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:    cp-6.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-6.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-6(3)[1]
-                      prose: 
-                        """
-                          identifies potential accessibility problems to the alternate storage site in
-                                               the event of an area-wide disruption or disaster; and
-                        """
-                    - 
-                      id:         cp-6.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-6(3)[2]
-                      prose: 
-                        """
-                          outlines explicit mitigation actions for such potential accessibility problems
-                                               to the alternate storage site in the event of an area-wide disruption or
-                                               disaster.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate storage site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         cp-7
-          class:      SP800-53
-          title:      Alternate Processing Site
-          parameters: 
-            - 
-              id:    cp-7_prm_1
-              label: organization-defined information system operations
-            - 
-              id:    cp-7_prm_2
-              label: 
-                """
-                  organization-defined time period consistent with recovery time and recovery point
-                                 objectives
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-7
-            - 
-              name:  sort-id
-              value: cp-07
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes an alternate processing site including necessary agreements to permit
-                                        the transfer and resumption of {{ cp-7_prm_1 }} for essential
-                                        missions/business functions within {{ cp-7_prm_2 }} when the
-                                        primary processing capabilities are unavailable;
-                    """
-                - 
-                  id:         cp-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that equipment and supplies required to transfer and resume operations are
-                                        available at the alternate processing site or contracts are in place to support
-                                        delivery to the site within the organization-defined time period for
-                                        transfer/resumption; and
-                    """
-                - 
-                  id:         cp-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that the alternate processing site provides information security
-                                        safeguards equivalent to those of the primary site.
-                    """
-                - 
-                  id:    cp-7_fr
-                  name:  item
-                  title: CP-7 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-7_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-            - 
-              id:    cp-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Alternate processing sites are sites that are geographically distinct from primary
-                                 processing sites. An alternate processing site provides processing capability in the
-                                 event that the primary processing site is not available. Items covered by alternate
-                                 processing site agreements include, for example, environmental conditions at
-                                 alternate sites, access rules, physical and environmental protection requirements,
-                                 and coordination for the transfer/assignment of personnel. Requirements are
-                                 specifically allocated to alternate processing sites that reflect the requirements in
-                                 contingency plans to maintain essential missions/business functions despite
-                                 disruption, compromise, or failure in organizational information systems.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #ma-6
-                  rel:  related
-                  text: MA-6
-            - 
-              id:    cp-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-7(a)
-                  parts: 
-                    - 
-                      id:         cp-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-7(a)[1]
-                      prose: 
-                        """
-                          defines information system operations requiring an alternate processing site to
-                                               be established to permit the transfer and resumption of such operations;
-                        """
-                    - 
-                      id:         cp-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-7(a)[2]
-                      prose: 
-                        """
-                          defines the time period consistent with recovery time objectives and recovery
-                                               point objectives (as specified in the information system contingency plan) for
-                                               transfer/resumption of organization-defined information system operations for
-                                               essential missions/business functions;
-                        """
-                    - 
-                      id:         cp-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-7(a)[3]
-                      prose: 
-                        """
-                          establishes an alternate processing site including necessary agreements to
-                                               permit the transfer and resumption of organization-defined information system
-                                               operations for essential missions/business functions, within the
-                                               organization-defined time period, when the primary processing capabilities are
-                                               unavailable;
-                        """
-                - 
-                  id:         cp-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-7(b)
-                  parts: 
-                    - 
-                      id:         cp-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-7(b)[1]
-                      prose: 
-                        """
-                          ensures that equipment and supplies required to transfer and resume operations
-                                               are available at the alternate processing site; or
-                        """
-                    - 
-                      id:         cp-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-7(b)[2]
-                      prose: 
-                        """
-                          ensures that contracts are in place to support delivery to the site within the
-                                               organization-defined time period for transfer/resumption; and
-                        """
-                - 
-                  id:         cp-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-7(c)
-                  prose: 
-                    """
-                      ensures that the alternate processing site provides information security
-                                        safeguards equivalent to those of the primary site.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for contingency planning and/or
-                                        alternate site arrangements\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for recovery at the alternate site\n\nautomated mechanisms supporting and/or implementing recovery at the alternate
-                                        processing site
-                    """
-          controls: 
-            - 
-              id:         cp-7.1
-              class:      SP800-53-enhancement
-              title:      Separation from Primary Site
-              properties: 
-                - 
-                  name:  label
-                  value: CP-7(1)
-                - 
-                  name:  sort-id
-                  value: cp-07.01
-              parts: 
-                - 
-                  id:    cp-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies an alternate processing site that is separated from
-                                        the primary processing site to reduce susceptibility to the same threats.
-                    """
-                  parts: 
-                    - 
-                      id:    cp-7.1_fr
-                      name:  item
-                      title: CP-7 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         cp-7.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.
-                - 
-                  id:    cp-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Threats that affect alternate processing sites are typically defined in
-                                        organizational assessments of risk and include, for example, natural disasters,
-                                        structural failures, hostile cyber attacks, and errors of omission/commission.
-                                        Organizations determine what is considered a sufficient degree of separation
-                                        between primary and alternate processing sites based on the types of threats that
-                                        are of concern. For one particular type of threat (i.e., hostile cyber attack),
-                                        the degree of separation between sites is less relevant.
-                    """
-                  links: 
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:         cp-7.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization identifies an alternate processing site that is
-                                        separated from the primary storage site to reduce susceptibility to the same
-                                        threats. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate processing site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-7.2
-              class:      SP800-53-enhancement
-              title:      Accessibility
-              properties: 
-                - 
-                  name:  label
-                  value: CP-7(2)
-                - 
-                  name:  sort-id
-                  value: cp-07.02
-              parts: 
-                - 
-                  id:    cp-7.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies potential accessibility problems to the alternate
-                                        processing site in the event of an area-wide disruption or disaster and outlines
-                                        explicit mitigation actions.
-                    """
-                - 
-                  id:    cp-7.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Area-wide disruptions refer to those types of disruptions that are broad in
-                                        geographic scope (e.g., hurricane, regional power outage) with such determinations
-                                        made by organizations based on organizational assessments of risk.
-                    """
-                  links: 
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:    cp-7.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-7.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-7(2)[1]
-                      prose: 
-                        """
-                          identifies potential accessibility problems to the alternate processing site in
-                                               the event of an area-wide disruption or disaster; and
-                        """
-                    - 
-                      id:         cp-7.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-7(2)[2]
-                      prose: 
-                        """
-                          outlines explicit mitigation actions for such potential accessibility problems
-                                               to the alternate processing site in the event of an area-wide disruption or
-                                               disaster.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate processing site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-7.3
-              class:      SP800-53-enhancement
-              title:      Priority of Service
-              properties: 
-                - 
-                  name:  label
-                  value: CP-7(3)
-                - 
-                  name:  sort-id
-                  value: cp-07.03
-              parts: 
-                - 
-                  id:    cp-7.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization develops alternate processing site agreements that contain
-                                        priority-of-service provisions in accordance with organizational availability
-                                        requirements (including recovery time objectives).
-                    """
-                - 
-                  id:    cp-7.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Priority-of-service agreements refer to negotiated agreements with service
-                                        providers that ensure that organizations receive priority treatment consistent
-                                        with their availability requirements and the availability of information resources
-                                        at the alternate processing site.
-                    """
-                - 
-                  id:         cp-7.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization develops alternate processing site agreements that
-                                        contain priority-of-service provisions in accordance with organizational
-                                        availability requirements (including recovery time objectives as specified in the
-                                        information system contingency plan).
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate processing site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual
-                                               agreements
-                        """
-            - 
-              id:         cp-7.4
-              class:      SP800-53-enhancement
-              title:      Preparation for Use
-              properties: 
-                - 
-                  name:  label
-                  value: CP-7(4)
-                - 
-                  name:  sort-id
-                  value: cp-07.04
-              parts: 
-                - 
-                  id:    cp-7.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization prepares the alternate processing site so that the site is ready
-                                        to be used as the operational site supporting essential missions and business
-                                        functions.
-                    """
-                - 
-                  id:    cp-7.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Site preparation includes, for example, establishing configuration settings for
-                                        information system components at the alternate processing site consistent with the
-                                        requirements for such settings at the primary site and ensuring that essential
-                                        supplies and other logistical considerations are in place.
-                    """
-                  links: 
-                    - 
-                      href: #cm-2
-                      rel:  related
-                      text: CM-2
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                - 
-                  id:         cp-7.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization prepares the alternate processing site so that the
-                                        site is ready to be used as the operational site supporting essential missions and
-                                        business functions.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate processing site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing recovery at the alternate
-                                               processing site
-                        """
-        - 
-          id:         cp-8
-          class:      SP800-53
-          title:      Telecommunications Services
-          parameters: 
-            - 
-              id:    cp-8_prm_1
-              label: organization-defined information system operations
-            - 
-              id:    cp-8_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: CP-8
-            - 
-              name:  sort-id
-              value: cp-08
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #fb5844de-ff96-47c0-b258-4f52bcc2f30d
-              rel:  reference
-              text: National Communications Systems Directive 3-10
-            - 
-              href: #3ac12e79-f54f-4a63-9f4b-ee4bcd4df604
-              rel:  reference
-              text: http://www.dhs.gov/telecommunications-service-priority-tsp
-          parts: 
-            - 
-              id:    cp-8_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes alternate telecommunications services including
-                                 necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for
-                                 essential missions and business functions within {{ cp-8_prm_2 }} when
-                                 the primary telecommunications capabilities are unavailable at either the primary or
-                                 alternate processing or storage sites.
-                """
-              parts: 
-                - 
-                  id:    cp-8_fr
-                  name:  item
-                  title: CP-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-8_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-            - 
-              id:    cp-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to telecommunications services (data and voice) for primary and
-                                 alternate processing and storage sites. Alternate telecommunications services reflect
-                                 the continuity requirements in contingency plans to maintain essential
-                                 missions/business functions despite the loss of primary telecommunications services.
-                                 Organizations may specify different time periods for primary/alternate sites.
-                                 Alternate telecommunications services include, for example, additional organizational
-                                 or commercial ground-based circuits/lines or satellites in lieu of ground-based
-                                 communications. Organizations consider factors such as availability, quality of
-                                 service, and access when entering into alternate telecommunications agreements.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:    cp-8_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-8_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-8[1]
-                  prose: 
-                    """
-                      defines information system operations requiring alternate telecommunications
-                                        services to be established to permit the resumption of such operations;
-                    """
-                - 
-                  id:         cp-8_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-8[2]
-                  prose: 
-                    """
-                      defines the time period to permit resumption of organization-defined information
-                                        system operations for essential missions and business functions; and
-                    """
-                - 
-                  id:         cp-8_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-8[3]
-                  prose: 
-                    """
-                      establishes alternate telecommunications services including necessary agreements
-                                        to permit the resumption of organization-defined information system operations for
-                                        essential missions and business functions, within the organization-defined time
-                                        period, when the primary telecommunications capabilities are unavailable at either
-                                        the primary or alternate processing or storage sites.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency plan telecommunications
-                                        responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual
-                                        agreements
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting telecommunications
-          controls: 
-            - 
-              id:         cp-8.1
-              class:      SP800-53-enhancement
-              title:      Priority of Service Provisions
-              properties: 
-                - 
-                  name:  label
-                  value: CP-8(1)
-                - 
-                  name:  sort-id
-                  value: cp-08.01
-              parts: 
-                - 
-                  id:    cp-8.1_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cp-8.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Develops primary and alternate telecommunications service agreements that
-                                               contain priority-of-service provisions in accordance with organizational
-                                               availability requirements (including recovery time objectives); and
-                        """
-                    - 
-                      id:         cp-8.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Requests Telecommunications Service Priority for all telecommunications
-                                               services used for national security emergency preparedness in the event that
-                                               the primary and/or alternate telecommunications services are provided by a
-                                               common carrier.
-                        """
-                - 
-                  id:    cp-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations consider the potential mission/business impact in situations where
-                                        telecommunications service providers are servicing other organizations with
-                                        similar priority-of-service provisions.
-                    """
-                - 
-                  id:    cp-8.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-8(1)[1]
-                      prose: 
-                        """
-                          develops primary and alternate telecommunications service agreements that
-                                               contain priority-of-service provisions in accordance with organizational
-                                               availability requirements (including recovery time objectives as specified in
-                                               the information system contingency plan); and
-                        """
-                    - 
-                      id:         cp-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-8(1)[2]
-                      prose: 
-                        """
-                          requests Telecommunications Service Priority for all telecommunications
-                                               services used for national security emergency preparedness in the event that
-                                               the primary and/or alternate telecommunications services are provided by a
-                                               common carrier.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan telecommunications
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual
-                                               agreements
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting telecommunications
-            - 
-              id:         cp-8.2
-              class:      SP800-53-enhancement
-              title:      Single Points of Failure
-              properties: 
-                - 
-                  name:  label
-                  value: CP-8(2)
-                - 
-                  name:  sort-id
-                  value: cp-08.02
-              parts: 
-                - 
-                  id:    cp-8.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization obtains alternate telecommunications services to reduce the
-                                        likelihood of sharing a single point of failure with primary telecommunications
-                                        services.
-                    """
-                - 
-                  id:         cp-8.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization obtains alternate telecommunications services to
-                                        reduce the likelihood of sharing a single point of failure with primary
-                                        telecommunications services. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan telecommunications
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-8.3
-              class:      SP800-53-enhancement
-              title:      Separation of Primary / Alternate Providers
-              properties: 
-                - 
-                  name:  label
-                  value: CP-8(3)
-                - 
-                  name:  sort-id
-                  value: cp-08.03
-              parts: 
-                - 
-                  id:    cp-8.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization obtains alternate telecommunications services from providers that
-                                        are separated from primary service providers to reduce susceptibility to the same
-                                        threats.
-                    """
-                - 
-                  id:    cp-8.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Threats that affect telecommunications services are typically defined in
-                                        organizational assessments of risk and include, for example, natural disasters,
-                                        structural failures, hostile cyber/physical attacks, and errors of
-                                        omission/commission. Organizations seek to reduce common susceptibilities by, for
-                                        example, minimizing shared infrastructure among telecommunications service
-                                        providers and achieving sufficient geographic separation between services.
-                                        Organizations may consider using a single service provider in situations where the
-                                        service provider can provide alternate telecommunications services meeting the
-                                        separation needs addressed in the risk assessment.
-                    """
-                - 
-                  id:         cp-8.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization obtains alternate telecommunications services from
-                                        providers that are separated from primary service providers to reduce
-                                        susceptibility to the same threats. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan telecommunications
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-8.4
-              class:      SP800-53-enhancement
-              title:      Provider Contingency Plan
-              parameters: 
-                - 
-                  id:          cp-8.4_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: annually
-              properties: 
-                - 
-                  name:  label
-                  value: CP-8(4)
-                - 
-                  name:  sort-id
-                  value: cp-08.04
-              parts: 
-                - 
-                  id:    cp-8.4_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cp-8.4_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Requires primary and alternate telecommunications service providers to have
-                                               contingency plans;
-                        """
-                    - 
-                      id:         cp-8.4_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Reviews provider contingency plans to ensure that the plans meet organizational
-                                               contingency requirements; and
-                        """
-                    - 
-                      id:         cp-8.4_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Obtains evidence of contingency testing/training by providers {{ cp-8.4_prm_1 }}.
-                - 
-                  id:    cp-8.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Reviews of provider contingency plans consider the proprietary nature of such
-                                        plans. In some situations, a summary of provider contingency plans may be
-                                        sufficient evidence for organizations to satisfy the review requirement.
-                                        Telecommunications service providers may also participate in ongoing disaster
-                                        recovery exercises in coordination with the Department of Homeland Security,
-                                        state, and local governments. Organizations may use these types of activities to
-                                        satisfy evidentiary requirements related to service provider contingency plan
-                                        reviews, testing, and training.
-                    """
-                - 
-                  id:    cp-8.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-8.4.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-8(4)(a)
-                      parts: 
-                        - 
-                          id:         cp-8.4.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-8(4)(a)[1]
-                          prose: 
-                            """
-                              requires primary telecommunications service provider to have contingency
-                                                      plans;
-                            """
-                        - 
-                          id:         cp-8.4.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-8(4)(a)[2]
-                          prose: 
-                            """
-                              requires alternate telecommunications service provider(s) to have
-                                                      contingency plans;
-                            """
-                      links: 
-                        - 
-                          href: #cp-8.4_smt.a
-                          rel:  corresp
-                          text: CP-8(4)(a)
-                    - 
-                      id:         cp-8.4.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-8(4)(b)
-                      prose: 
-                        """
-                          reviews provider contingency plans to ensure that the plans meet organizational
-                                               contingency requirements;
-                        """
-                      links: 
-                        - 
-                          href: #cp-8.4_smt.b
-                          rel:  corresp
-                          text: CP-8(4)(b)
-                    - 
-                      id:         cp-8.4.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-8(4)(c)
-                      parts: 
-                        - 
-                          id:         cp-8.4.c_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-8(4)(c)[1]
-                          prose: 
-                            """
-                              defines the frequency to obtain evidence of contingency testing/training by
-                                                      providers; and
-                            """
-                        - 
-                          id:         cp-8.4.c_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-8(4)(c)[2]
-                          prose: 
-                            """
-                              obtains evidence of contingency testing/training by providers with the
-                                                      organization-defined frequency.
-                            """
-                      links: 
-                        - 
-                          href: #cp-8.4_smt.c
-                          rel:  corresp
-                          text: CP-8(4)(c)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing/training by providers\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning, plan implementation, and
-                                               testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual
-                                               agreements
-                        """
-        - 
-          id:         cp-9
-          class:      SP800-53
-          title:      Information System Backup
-          parameters: 
-            - 
-              id:          cp-9_prm_1
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-            - 
-              id:          cp-9_prm_2
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-            - 
-              id:          cp-9_prm_3
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-9
-            - 
-              name:  sort-id
-              value: cp-09
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Conducts backups of user-level information contained in the information system
-                                           {{ cp-9_prm_1 }};
-                    """
-                - 
-                  id:         cp-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Conducts backups of system-level information contained in the information system
-                                           {{ cp-9_prm_2 }};
-                    """
-                - 
-                  id:         cp-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Conducts backups of information system documentation including security-related
-                                        documentation {{ cp-9_prm_3 }}; and
-                    """
-                - 
-                  id:         cp-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects the confidentiality, integrity, and availability of backup information at
-                                        storage locations.
-                    """
-                - 
-                  id:    cp-9_fr
-                  name:  item
-                  title: CP-9 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-9_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-                    - 
-                      id:         cp-9_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(a) Requirement:
-                      prose:      The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-                    - 
-                      id:         cp-9_fr_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(b)Requirement:
-                      prose:      The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-                    - 
-                      id:         cp-9_fr_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(c)Requirement:
-                      prose:      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-            - 
-              id:    cp-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  System-level information includes, for example, system-state information, operating
-                                 system and application software, and licenses. User-level information includes any
-                                 information other than system-level information. Mechanisms employed by organizations
-                                 to protect the integrity of information system backups include, for example, digital
-                                 signatures and cryptographic hashes. Protection of system backup information while in
-                                 transit is beyond the scope of this control. Information system backups reflect the
-                                 requirements in contingency plans as well as other organizational requirements for
-                                 backing up information.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    cp-9_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(a)
-                  parts: 
-                    - 
-                      id:         cp-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(a)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of user-level information contained in the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(a)[2]
-                      prose: 
-                        """
-                          conducts backups of user-level information contained in the information system
-                                               with the organization-defined frequency;
-                        """
-                - 
-                  id:         cp-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(b)
-                  parts: 
-                    - 
-                      id:         cp-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(b)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of system-level information contained in the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(b)[2]
-                      prose: 
-                        """
-                          conducts backups of system-level information contained in the information
-                                               system with the organization-defined frequency;
-                        """
-                - 
-                  id:         cp-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(c)
-                  parts: 
-                    - 
-                      id:         cp-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(c)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of information system documentation including security-related
-                                               documentation;
-                        """
-                    - 
-                      id:         cp-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(c)[2]
-                      prose: 
-                        """
-                          conducts backups of information system documentation, including
-                                               security-related documentation, with the organization-defined frequency;
-                                               and
-                        """
-                - 
-                  id:         cp-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-9(d)
-                  prose: 
-                    """
-                      protects the confidentiality, integrity, and availability of backup information at
-                                        storage locations.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and/or implementing information system backups
-          controls: 
-            - 
-              id:         cp-9.1
-              class:      SP800-53-enhancement
-              title:      Testing for Reliability / Integrity
-              parameters: 
-                - 
-                  id:          cp-9.1_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least monthly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CP-9(1)
-                - 
-                  name:  sort-id
-                  value: cp-09.01
-              parts: 
-                - 
-                  id:    cp-9.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization tests backup information {{ cp-9.1_prm_1 }} to
-                                        verify media reliability and information integrity.
-                    """
-                - 
-                  id:    cp-9.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cp-4
-                      rel:  related
-                      text: CP-4
-                - 
-                  id:    cp-9.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-9.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(1)[1]
-                      prose: 
-                        """
-                          defines the frequency to test backup information to verify media reliability
-                                               and information integrity; and
-                        """
-                    - 
-                      id:         cp-9.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(1)[2]
-                      prose: 
-                        """
-                          tests backup information with the organization-defined frequency to verify
-                                               media reliability and information integrity.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and/or implementing information system
-                                               backups
-                        """
-            - 
-              id:         cp-9.2
-              class:      SP800-53-enhancement
-              title:      Test Restoration Using Sampling
-              properties: 
-                - 
-                  name:  label
-                  value: CP-9(2)
-                - 
-                  name:  sort-id
-                  value: cp-09.02
-              parts: 
-                - 
-                  id:    cp-9.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization uses a sample of backup information in the restoration of
-                                        selected information system functions as part of contingency plan testing.
-                    """
-                - 
-                  id:    cp-9.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cp-4
-                      rel:  related
-                      text: CP-4
-                - 
-                  id:         cp-9.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization uses a sample of backup information in the
-                                        restoration of selected information system functions as part of contingency plan
-                                        testing. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system backup responsibilities\n\norganizational personnel with contingency planning/contingency plan testing
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and/or implementing information system
-                                               backups
-                        """
-            - 
-              id:         cp-9.3
-              class:      SP800-53-enhancement
-              title:      Separate Storage for Critical Information
-              parameters: 
-                - 
-                  id:    cp-9.3_prm_1
-                  label: 
-                    """
-                      organization-defined critical information system software and other
-                                        security-related information
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: CP-9(3)
-                - 
-                  name:  sort-id
-                  value: cp-09.03
-              parts: 
-                - 
-                  id:    cp-9.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization stores backup copies of {{ cp-9.3_prm_1 }} in a
-                                        separate facility or in a fire-rated container that is not collocated with the
-                                        operational system.
-                    """
-                - 
-                  id:    cp-9.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Critical information system software includes, for example, operating systems,
-                                        cryptographic key management systems, and intrusion detection/prevention systems.
-                                        Security-related information includes, for example, organizational inventories of
-                                        hardware, software, and firmware components. Alternate storage sites typically
-                                        serve as separate storage facilities for organizations.
-                    """
-                  links: 
-                    - 
-                      href: #cm-2
-                      rel:  related
-                      text: CM-2
-                    - 
-                      href: #cm-8
-                      rel:  related
-                      text: CM-8
-                - 
-                  id:    cp-9.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-9.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(3)[1]
-                      parts: 
-                        - 
-                          id:         cp-9.3_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-9(3)[1][a]
-                          prose: 
-                            """
-                              defines critical information system software and other security-related
-                                                      information requiring backup copies to be stored in a separate facility;
-                                                      or
-                            """
-                        - 
-                          id:         cp-9.3_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-9(3)[1][b]
-                          prose: 
-                            """
-                              defines critical information system software and other security-related
-                                                      information requiring backup copies to be stored in a fire-rated container
-                                                      that is not collocated with the operational system; and
-                            """
-                    - 
-                      id:         cp-9.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-9(3)[2]
-                      prose: 
-                        """
-                          stores backup copies of organization-defined critical information system
-                                               software and other security-related information in a separate facility or in a
-                                               fire-rated container that is not collocated with the operational system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup configurations and associated documentation\n\ninformation system backup logs or records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-9.5
-              class:      SP800-53-enhancement
-              title:      Transfer to Alternate Storage Site
-              parameters: 
-                - 
-                  id:          cp-9.5_prm_1
-                  label: 
-                    """
-                      organization-defined time period and transfer rate consistent with the
-                                        recovery time and recovery point objectives
-                    """
-                  constraints: 
-                    - 
-                      detail: time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA
-              properties: 
-                - 
-                  name:  label
-                  value: CP-9(5)
-                - 
-                  name:  sort-id
-                  value: cp-09.05
-              parts: 
-                - 
-                  id:    cp-9.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization transfers information system backup information to the alternate
-                                        storage site {{ cp-9.5_prm_1 }}.
-                    """
-                - 
-                  id:    cp-9.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Information system backup information can be transferred to alternate storage
-                                        sites either electronically or by physical shipment of storage media.
-                    """
-                - 
-                  id:    cp-9.5_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-9.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(5)[1]
-                      prose: 
-                        """
-                          defines a time period, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               transfer information system backup information to the alternate storage
-                                               site;
-                        """
-                    - 
-                      id:         cp-9.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(5)[2]
-                      prose: 
-                        """
-                          defines a transfer rate, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               transfer information system backup information to the alternate storage site;
-                                               and
-                        """
-                    - 
-                      id:         cp-9.5_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(5)[3]
-                      prose: 
-                        """
-                          transfers information system backup information to the alternate storage site
-                                               with the organization-defined time period and transfer rate.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for transferring information system backups to the
-                                               alternate storage site\n\nautomated mechanisms supporting and/or implementing information system
-                                               backups\n\nautomated mechanisms supporting and/or implementing information transfer to the
-                                               alternate storage site
-                        """
-        - 
-          id:         cp-10
-          class:      SP800-53
-          title:      Information System Recovery and Reconstitution
-          properties: 
-            - 
-              name:  label
-              value: CP-10
-            - 
-              name:  sort-id
-              value: cp-10
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-10_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides for the recovery and reconstitution of the information
-                                 system to a known state after a disruption, compromise, or failure.
-                """
-            - 
-              id:    cp-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Recovery is executing information system contingency plan activities to restore
-                                 organizational missions/business functions. Reconstitution takes place following
-                                 recovery and includes activities for returning organizational information systems to
-                                 fully operational states. Recovery and reconstitution operations reflect mission and
-                                 business priorities, recovery point/time and reconstitution objectives, and
-                                 established organizational metrics consistent with contingency plan requirements.
-                                 Reconstitution includes the deactivation of any interim information system
-                                 capabilities that may have been needed during recovery operations. Reconstitution
-                                 also includes assessments of fully restored information system capabilities,
-                                 reestablishment of continuous monitoring activities, potential information system
-                                 reauthorizations, and activities to prepare the systems against future disruptions,
-                                 compromises, or failures. Recovery/reconstitution capabilities employed by
-                                 organizations can include both automated mechanisms and manual procedures.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #sc-24
-                  rel:  related
-                  text: SC-24
-            - 
-              id:    cp-10_obj
-              name:  objective
-              prose: Determine if the organization provides for: 
-              parts: 
-                - 
-                  id:         cp-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-10[1]
-                  prose:      the recovery of the information system to a known state after:
-                  parts: 
-                    - 
-                      id:         cp-10_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][a]
-                      prose:      a disruption;
-                    - 
-                      id:         cp-10_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][b]
-                      prose:      a compromise; or
-                    - 
-                      id:         cp-10_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][c]
-                      prose:      a failure;
-                - 
-                  id:         cp-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-10[2]
-                  prose:      the reconstitution of the information system to a known state after:
-                  parts: 
-                    - 
-                      id:         cp-10_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][a]
-                      prose:      a disruption;
-                    - 
-                      id:         cp-10_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][b]
-                      prose:      a compromise; or
-                    - 
-                      id:         cp-10_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][c]
-                      prose:      a failure.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning, recovery, and/or
-                                        reconstitution responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes implementing information system recovery and
-                                        reconstitution operations\n\nautomated mechanisms supporting and/or implementing information system recovery
-                                        and reconstitution operations
-                    """
-          controls: 
-            - 
-              id:         cp-10.2
-              class:      SP800-53-enhancement
-              title:      Transaction Recovery
-              properties: 
-                - 
-                  name:  label
-                  value: CP-10(2)
-                - 
-                  name:  sort-id
-                  value: cp-10.02
-              parts: 
-                - 
-                  id:    cp-10.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements transaction recovery for systems that are
-                                        transaction-based.
-                    """
-                - 
-                  id:    cp-10.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Transaction-based information systems include, for example, database management
-                                        systems and transaction processing systems. Mechanisms supporting transaction
-                                        recovery include, for example, transaction rollback and transaction
-                                        journaling.
-                    """
-                - 
-                  id:         cp-10.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements transaction recovery for systems
-                                        that are transaction-based. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\ninformation system transaction recovery records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing transaction recovery
-                                               capability
-                        """
-            - 
-              id:         cp-10.4
-              class:      SP800-53-enhancement
-              title:      Restore Within Time Period
-              parameters: 
-                - 
-                  id:          cp-10.4_prm_1
-                  label:       organization-defined restoration time-periods
-                  constraints: 
-                    - 
-                      detail: time period consistent with the restoration time-periods defined in the service provider and organization SLA
-              properties: 
-                - 
-                  name:  label
-                  value: CP-10(4)
-                - 
-                  name:  sort-id
-                  value: cp-10.04
-              parts: 
-                - 
-                  id:    cp-10.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization provides the capability to restore information system components
-                                        within {{ cp-10.4_prm_1 }} from configuration-controlled and
-                                        integrity-protected information representing a known, operational state for the
-                                        components.
-                    """
-                - 
-                  id:    cp-10.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Restoration of information system components includes, for example, reimaging
-                                        which restores components to known, operational states.
-                    """
-                  links: 
-                    - 
-                      href: #cm-2
-                      rel:  related
-                      text: CM-2
-                - 
-                  id:    cp-10.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-10.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-10(4)[1]
-                      prose: 
-                        """
-                          defines a time period to restore information system components from
-                                               configuration-controlled and integrity-protected information representing a
-                                               known, operational state for the components; and
-                        """
-                    - 
-                      id:         cp-10.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-10(4)[2]
-                      prose: 
-                        """
-                          provides the capability to restore information system components within the
-                                               organization-defined time period from configuration-controlled and
-                                               integrity-protected information representing a known, operational state for the
-                                               components.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of information system recovery and reconstitution operations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system recovery and reconstitution
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing recovery/reconstitution of
-                                               information system information
-                        """
-    - 
-      id:       ia
-      class:    family
-      title:    Identification and Authentication
-      controls: 
-        - 
-          id:         ia-1
-          class:      SP800-53
-          title:      Identification and Authentication Policy and Procedures
-          parameters: 
-            - 
-              id:    ia-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ia-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ia-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-1
-            - 
-              name:  sort-id
-              value: ia-01
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ia-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ia-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ia-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ia-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An identification and authentication policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         ia-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the identification and
-                                               authentication policy and associated identification and authentication
-                                               controls; and
-                        """
-                - 
-                  id:         ia-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ia-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Identification and authentication policy {{ ia-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         ia-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Identification and authentication procedures {{ ia-1_prm_3 }}.
-            - 
-              id:    ia-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the IA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ia-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ia-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-1(a)
-                  parts: 
-                    - 
-                      id:         ia-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ia-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an identification and authentication policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         ia-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ia-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ia-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ia-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ia-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ia-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ia-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ia-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the identification and authentication
-                                                      policy is to be disseminated; and
-                            """
-                        - 
-                          id:         ia-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the identification and authentication policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         ia-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ia-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      identification and authentication policy and associated identification and
-                                                      authentication controls;
-                            """
-                        - 
-                          id:         ia-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ia-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ia-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-1(b)
-                  parts: 
-                    - 
-                      id:         ia-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ia-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current identification and
-                                                      authentication policy;
-                            """
-                        - 
-                          id:         ia-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current identification and authentication policy
-                                                      with the organization-defined frequency; and
-                            """
-                    - 
-                      id:         ia-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ia-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current identification and
-                                                      authentication procedures; and
-                            """
-                        - 
-                          id:         ia-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current identification and authentication procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with identification and authentication
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ia-2
-          class:      SP800-53
-          title:      Identification and Authentication (organizational Users)
-          properties: 
-            - 
-              name:  label
-              value: IA-2
-            - 
-              name:  sort-id
-              value: ia-02
-          links: 
-            - 
-              href: #ad733a42-a7ed-4774-b988-4930c28852f3
-              rel:  reference
-              text: HSPD-12
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-2_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates organizational users (or
-                                 processes acting on behalf of organizational users).
-                """
-            - 
-              id:    ia-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational users include employees or individuals that organizations deem to have
-                                 equivalent status of employees (e.g., contractors, guest researchers). This control
-                                 applies to all accesses other than: (i) accesses that are explicitly identified and
-                                 documented in AC-14; and (ii) accesses that occur through authorized use of group
-                                 authenticators without individual authentication. Organizations may require unique
-                                 identification of individuals in group accounts (e.g., shared privilege accounts) or
-                                 for detailed accountability of individual activity. Organizations employ passwords,
-                                 tokens, or biometrics to authenticate user identities, or in the case multifactor
-                                 authentication, or some combination thereof. Access to organizational information
-                                 systems is defined as either local access or network access. Local access is any
-                                 access to organizational information systems by users (or processes acting on behalf
-                                 of users) where such access is obtained by direct connections without the use of
-                                 networks. Network access is access to organizational information systems by users (or
-                                 processes acting on behalf of users) where such access is obtained through network
-                                 connections (i.e., nonlocal accesses). Remote access is a type of network access that
-                                 involves communication through external networks (e.g., the Internet). Internal
-                                 networks include local area networks and wide area networks. In addition, the use of
-                                 encrypted virtual private networks (VPNs) for network connections between
-                                 organization-controlled endpoints and non-organization controlled endpoints may be
-                                 treated as internal networks from the perspective of protecting the confidentiality
-                                 and integrity of information traversing the network. Organizations can satisfy the
-                                 identification and authentication requirements in this control by complying with the
-                                 requirements in Homeland Security Presidential Directive 12 consistent with the
-                                 specific organizational implementation plans. Multifactor authentication requires the
-                                 use of two or more different factors to achieve authentication. The factors are
-                                 defined as: (i) something you know (e.g., password, personal identification number
-                                 [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-                                 or (iii) something you are (e.g., biometric). Multifactor solutions that require
-                                 devices separate from information systems gaining access include, for example,
-                                 hardware tokens providing time-based or challenge-response authenticators and smart
-                                 cards such as the U.S. Government Personal Identity Verification card and the DoD
-                                 common access card. In addition to identifying and authenticating users at the
-                                 information system level (i.e., at logon), organizations also employ identification
-                                 and authentication mechanisms at the application level, when necessary, to provide
-                                 increased information security. Identification and authentication requirements for
-                                 other than organizational users are described in IA-8.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-            - 
-              id:    ia-2_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system uniquely identifies and authenticates
-                                 organizational users (or processes acting on behalf of organizational users).
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and/or implementing identification and
-                                        authentication capability
-                    """
-          controls: 
-            - 
-              id:         ia-2.1
-              class:      SP800-53-enhancement
-              title:      Network Access to Privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(1)
-                - 
-                  name:  sort-id
-                  value: ia-02.01
-              parts: 
-                - 
-                  id:    ia-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for network access to
-                                        privileged accounts.
-                    """
-                - 
-                  id:    ia-2.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:         ia-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        network access to privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.2
-              class:      SP800-53-enhancement
-              title:      Network Access to Non-privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(2)
-                - 
-                  name:  sort-id
-                  value: ia-02.02
-              parts: 
-                - 
-                  id:    ia-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for network access to
-                                        non-privileged accounts.
-                    """
-                - 
-                  id:         ia-2.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        network access to non-privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.3
-              class:      SP800-53-enhancement
-              title:      Local Access to Privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(3)
-                - 
-                  name:  sort-id
-                  value: ia-02.03
-              parts: 
-                - 
-                  id:    ia-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for local access to
-                                        privileged accounts.
-                    """
-                - 
-                  id:    ia-2.3_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:         ia-2.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        local access to privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.4
-              class:      SP800-53-enhancement
-              title:      Local Access to Non-privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(4)
-                - 
-                  name:  sort-id
-                  value: ia-02.04
-              parts: 
-                - 
-                  id:    ia-2.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for local access to
-                                        non-privileged accounts.
-                    """
-                - 
-                  id:         ia-2.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        local access to non-privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.5
-              class:      SP800-53-enhancement
-              title:      Group Authentication
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(5)
-                - 
-                  name:  sort-id
-                  value: ia-02.05
-              parts: 
-                - 
-                  id:    ia-2.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires individuals to be authenticated with an individual
-                                        authenticator when a group authenticator is employed.
-                    """
-                - 
-                  id:    ia-2.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Requiring individuals to use individual authenticators as a second level of
-                                        authentication helps organizations to mitigate the risk of using group
-                                        authenticators.
-                    """
-                - 
-                  id:         ia-2.5_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires individuals to be authenticated with an
-                                        individual authenticator when a group authenticator is employed.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing authentication capability
-                                               for group accounts
-                        """
-            - 
-              id:         ia-2.8
-              class:      SP800-53-enhancement
-              title:      Network Access to Privileged Accounts - Replay Resistant
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(8)
-                - 
-                  name:  sort-id
-                  value: ia-02.08
-              parts: 
-                - 
-                  id:    ia-2.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements replay-resistant authentication mechanisms for
-                                        network access to privileged accounts.
-                    """
-                - 
-                  id:    ia-2.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Authentication processes resist replay attacks if it is impractical to achieve
-                                        successful authentications by replaying previous authentication messages.
-                                        Replay-resistant techniques include, for example, protocols that use nonces or
-                                        challenges such as Transport Layer Security (TLS) and time synchronous or
-                                        challenge-response one-time authenticators.
-                    """
-                - 
-                  id:         ia-2.8_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements replay-resistant authentication
-                                        mechanisms for network access to privileged accounts. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms supporting and/or implementing replay resistant
-                                               authentication mechanisms
-                        """
-            - 
-              id:         ia-2.9
-              class:      SP800-53-enhancement
-              title:      Network Access to Non-privileged Accounts - Replay Resistant
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(9)
-                - 
-                  name:  sort-id
-                  value: ia-02.09
-              parts: 
-                - 
-                  id:    ia-2.9_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements replay-resistant authentication mechanisms for
-                                        network access to non-privileged accounts.
-                    """
-                - 
-                  id:    ia-2.9_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Authentication processes resist replay attacks if it is impractical to achieve
-                                        successful authentications by recording/replaying previous authentication
-                                        messages. Replay-resistant techniques include, for example, protocols that use
-                                        nonces or challenges such as Transport Layer Security (TLS) and time synchronous
-                                        or challenge-response one-time authenticators.
-                    """
-                - 
-                  id:         ia-2.9_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements replay-resistant authentication
-                                        mechanisms for network access to non-privileged accounts. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of non-privileged information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms supporting and/or implementing replay resistant
-                                               authentication mechanisms
-                        """
-            - 
-              id:         ia-2.11
-              class:      SP800-53-enhancement
-              title:      Remote Access - Separate Device
-              parameters: 
-                - 
-                  id:          ia-2.11_prm_1
-                  label:       organization-defined strength of mechanism requirements
-                  constraints: 
-                    - 
-                      detail: FIPS 140-2, NIAP Certification, or NSA approval
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(11)
-                - 
-                  name:  sort-id
-                  value: ia-02.11
-              parts: 
-                - 
-                  id:    ia-2.11_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for remote access to
-                                        privileged and non-privileged accounts such that one of the factors is provided by
-                                        a device separate from the system gaining access and the device meets {{ ia-2.11_prm_1 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    ia-2.11_fr
-                      name:  item
-                      title: IA-2 (11) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-2.11_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.
-                - 
-                  id:    ia-2.11_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      For remote access to privileged/non-privileged accounts, the purpose of requiring
-                                        a device that is separate from the information system gaining access for one of
-                                        the factors during multifactor authentication is to reduce the likelihood of
-                                        compromising authentication credentials stored on the system. For example,
-                                        adversaries deploying malicious code on organizational information systems can
-                                        potentially compromise such credentials resident on the system and subsequently
-                                        impersonate authorized users.
-                    """
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:    ia-2.11_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         ia-2.11_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(11)[1]
-                      prose: 
-                        """
-                          the information system implements multifactor authentication for remote access
-                                               to privileged accounts such that one of the factors is provided by a device
-                                               separate from the system gaining access;
-                        """
-                    - 
-                      id:         ia-2.11_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(11)[2]
-                      prose: 
-                        """
-                          the information system implements multifactor authentication for remote access
-                                               to non-privileged accounts such that one of the factors is provided by a device
-                                               separate from the system gaining access;
-                        """
-                    - 
-                      id:         ia-2.11_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-2(11)[3]
-                      prose: 
-                        """
-                          the organization defines strength of mechanism requirements to be enforced by a
-                                               device separate from the system gaining remote access to privileged
-                                               accounts;
-                        """
-                    - 
-                      id:         ia-2.11_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-2(11)[4]
-                      prose: 
-                        """
-                          the organization defines strength of mechanism requirements to be enforced by a
-                                               device separate from the system gaining remote access to non-privileged
-                                               accounts;
-                        """
-                    - 
-                      id:         ia-2.11_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(11)[5]
-                      prose: 
-                        """
-                          the information system implements multifactor authentication for remote access
-                                               to privileged accounts such that a device, separate from the system gaining
-                                               access, meets organization-defined strength of mechanism requirements; and
-                        """
-                    - 
-                      id:         ia-2.11_obj.6
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(11)[6]
-                      prose: 
-                        """
-                          the information system implements multifactor authentication for remote access
-                                               to non-privileged accounts such that a device, separate from the system gaining
-                                               access, meets organization-defined strength of mechanism requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged and non-privileged information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability
-                        """
-            - 
-              id:         ia-2.12
-              class:      SP800-53-enhancement
-              title:      Acceptance of PIV Credentials
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(12)
-                - 
-                  name:  sort-id
-                  value: ia-02.12
-              parts: 
-                - 
-                  id:    ia-2.12_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system accepts and electronically verifies Personal Identity
-                                        Verification (PIV) credentials.
-                    """
-                  parts: 
-                    - 
-                      id:    ia-2.12_fr
-                      name:  item
-                      title: IA-2 (12) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-2.12_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-                - 
-                  id:    ia-2.12_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to organizations implementing logical access
-                                        control systems (LACS) and physical access control systems (PACS). Personal
-                                        Identity Verification (PIV) credentials are those credentials issued by federal
-                                        agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                                        OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                                        requirements specified in HSPD-12 to enable agency-wide use of PIV
-                                        credentials.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-2.12_obj
-                  name:  objective
-                  prose: Determine if the information system: 
-                  parts: 
-                    - 
-                      id:         ia-2.12_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(12)[1]
-                      prose:      accepts Personal Identity Verification (PIV) credentials; and
-                    - 
-                      id:         ia-2.12_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(12)[2]
-                      prose:      electronically verifies Personal Identity Verification (PIV) credentials.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing acceptance and verification
-                                               of PIV credentials
-                        """
-        - 
-          id:         ia-3
-          class:      SP800-53
-          title:      Device Identification and Authentication
-          parameters: 
-            - 
-              id:    ia-3_prm_1
-              label: organization-defined specific and/or types of devices
-            - 
-              id: ia-3_prm_2
-          properties: 
-            - 
-              name:  label
-              value: IA-3
-            - 
-              name:  sort-id
-              value: ia-03
-          parts: 
-            - 
-              id:    ia-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }}
-                                 connection.
-                """
-            - 
-              id:    ia-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational devices requiring unique device-to-device identification and
-                                 authentication may be defined by type, by device, or by a combination of type/device.
-                                 Information systems typically use either shared known information (e.g., Media Access
-                                 Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)
-                                 for device identification or organizational authentication solutions (e.g., IEEE
-                                 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport
-                                 Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on
-                                 local and/or wide area networks. Organizations determine the required strength of
-                                 authentication mechanisms by the security categories of information systems. Because
-                                 of the challenges of applying this control on large scale, organizations are
-                                 encouraged to only apply the control to those limited number (and type) of devices
-                                 that truly need to support this capability.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-            - 
-              id:    ia-3_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         ia-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-3[1]
-                  prose: 
-                    """
-                      the organization defines specific and/or types of devices that the information
-                                        system uniquely identifies and authenticates before establishing one or more of
-                                        the following:
-                    """
-                  parts: 
-                    - 
-                      id:         ia-3_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[1][a]
-                      prose:      a local connection;
-                    - 
-                      id:         ia-3_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[1][b]
-                      prose:      a remote connection; and/or
-                    - 
-                      id:         ia-3_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[1][c]
-                      prose:      a network connection; and
-                - 
-                  id:         ia-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-3[2]
-                  prose: 
-                    """
-                      the information system uniquely identifies and authenticates organization-defined
-                                        devices before establishing one or more of the following:
-                    """
-                  parts: 
-                    - 
-                      id:         ia-3_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[2][a]
-                      prose:      a local connection;
-                    - 
-                      id:         ia-3_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[2][b]
-                      prose:      a remote connection; and/or
-                    - 
-                      id:         ia-3_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[2][c]
-                      prose:      a network connection.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing device identification and authentication\n\ninformation system design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with operational responsibilities for device
-                                        identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing device identification and
-                                        authentication capability
-                    """
-        - 
-          id:         ia-4
-          class:      SP800-53
-          title:      Identifier Management
-          parameters: 
-            - 
-              id:          ia-4_prm_1
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: at a minimum, the ISSO (or similar role within the organization)
-            - 
-              id:          ia-4_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: at least two (2) years
-            - 
-              id:          ia-4_prm_3
-              label:       organization-defined time period of inactivity
-              constraints: 
-                - 
-                  detail: thirty-five (35) days (See additional requirements and guidance.)
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-4
-            - 
-              name:  sort-id
-              value: ia-04
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-          parts: 
-            - 
-              id:    ia-4_smt
-              name:  statement
-              prose: The organization manages information system identifiers by:
-              parts: 
-                - 
-                  id:         ia-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Receiving authorization from {{ ia-4_prm_1 }} to assign an
-                                        individual, group, role, or device identifier;
-                    """
-                - 
-                  id:         ia-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Selecting an identifier that identifies an individual, group, role, or device;
-                - 
-                  id:         ia-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Assigning the identifier to the intended individual, group, role, or device;
-                - 
-                  id:         ia-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and
-                - 
-                  id:         ia-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Disabling the identifier after {{ ia-4_prm_3 }}.
-                - 
-                  id:    ia-4_fr
-                  name:  item
-                  title: IA-4(e) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ia-4_fr_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider defines the time period of inactivity for device identifiers.
-                    - 
-                      id:         ia-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx).
-            - 
-              id:    ia-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Common device identifiers include, for example, media access control (MAC), Internet
-                                 protocol (IP) addresses, or device-unique token identifiers. Management of individual
-                                 identifiers is not applicable to shared information system accounts (e.g., guest and
-                                 anonymous accounts). Typically, individual identifiers are the user names of the
-                                 information system accounts assigned to those individuals. In such instances, the
-                                 account management activities of AC-2 use account names provided by IA-4. This
-                                 control also addresses individual identifiers not necessarily associated with
-                                 information system accounts (e.g., identifiers used in physical security control
-                                 databases accessed by badge reader systems for access to information systems).
-                                 Preventing reuse of identifiers implies preventing the assignment of previously used
-                                 individual, group, role, or device identifiers to different individuals, groups,
-                                 roles, or devices.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #sc-37
-                  rel:  related
-                  text: SC-37
-            - 
-              id:    ia-4_obj
-              name:  objective
-              prose: Determine if the organization manages information system identifiers by: 
-              parts: 
-                - 
-                  id:         ia-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(a)
-                  parts: 
-                    - 
-                      id:         ia-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(a)[1]
-                      prose: 
-                        """
-                          defining personnel or roles from whom authorization must be received to
-                                               assign:
-                        """
-                      parts: 
-                        - 
-                          id:         ia-4.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][a]
-                          prose:      an individual identifier;
-                        - 
-                          id:         ia-4.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][b]
-                          prose:      a group identifier;
-                        - 
-                          id:         ia-4.a_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][c]
-                          prose:      a role identifier; and/or
-                        - 
-                          id:         ia-4.a_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][d]
-                          prose:      a device identifier;
-                    - 
-                      id:         ia-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(a)[2]
-                      prose: 
-                        """
-                          receiving authorization from organization-defined personnel or roles to
-                                               assign:
-                        """
-                      parts: 
-                        - 
-                          id:         ia-4.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][a]
-                          prose:      an individual identifier;
-                        - 
-                          id:         ia-4.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][b]
-                          prose:      a group identifier;
-                        - 
-                          id:         ia-4.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][c]
-                          prose:      a role identifier; and/or
-                        - 
-                          id:         ia-4.a_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][d]
-                          prose:      a device identifier;
-                - 
-                  id:         ia-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-4(b)
-                  prose:      selecting an identifier that identifies:
-                  parts: 
-                    - 
-                      id:         ia-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[1]
-                      prose:      an individual;
-                    - 
-                      id:         ia-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[2]
-                      prose:      a group;
-                    - 
-                      id:         ia-4.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[3]
-                      prose:      a role; and/or
-                    - 
-                      id:         ia-4.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[4]
-                      prose:      a device;
-                - 
-                  id:         ia-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-4(c)
-                  prose:      assigning the identifier to the intended:
-                  parts: 
-                    - 
-                      id:         ia-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[1]
-                      prose:      individual;
-                    - 
-                      id:         ia-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[2]
-                      prose:      group;
-                    - 
-                      id:         ia-4.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[3]
-                      prose:      role; and/or
-                    - 
-                      id:         ia-4.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[4]
-                      prose:      device;
-                - 
-                  id:         ia-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(d)
-                  parts: 
-                    - 
-                      id:         ia-4.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(d)[1]
-                      prose:      defining a time period for preventing reuse of identifiers;
-                    - 
-                      id:         ia-4.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(d)[2]
-                      prose:      preventing reuse of identifiers for the organization-defined time period;
-                - 
-                  id:         ia-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(e)
-                  parts: 
-                    - 
-                      id:         ia-4.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(e)[1]
-                      prose:      defining a time period of inactivity to disable the identifier; and
-                    - 
-                      id:         ia-4.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(e)[2]
-                      prose: 
-                        """
-                          disabling the identifier after the organization-defined time period of
-                                               inactivity.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing identifier management
-          controls: 
-            - 
-              id:         ia-4.4
-              class:      SP800-53-enhancement
-              title:      Identify User Status
-              parameters: 
-                - 
-                  id:          ia-4.4_prm_1
-                  label:       organization-defined characteristic identifying individual status
-                  constraints: 
-                    - 
-                      detail: contractors; foreign nationals]
-              properties: 
-                - 
-                  name:  label
-                  value: IA-4(4)
-                - 
-                  name:  sort-id
-                  value: ia-04.04
-              parts: 
-                - 
-                  id:    ia-4.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization manages individual identifiers by uniquely identifying each
-                                        individual as {{ ia-4.4_prm_1 }}.
-                    """
-                - 
-                  id:    ia-4.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Characteristics identifying the status of individuals include, for example,
-                                        contractors and foreign nationals. Identifying the status of individuals by
-                                        specific characteristics provides additional information about the people with
-                                        whom organizational personnel are communicating. For example, it might be useful
-                                        for a government employee to know that one of the individuals on an email message
-                                        is a contractor.
-                    """
-                  links: 
-                    - 
-                      href: #at-2
-                      rel:  related
-                      text: AT-2
-                - 
-                  id:    ia-4.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-4.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(4)[1]
-                      prose:      defines a characteristic to be used to identify individual status; and
-                    - 
-                      id:         ia-4.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(4)[2]
-                      prose: 
-                        """
-                          manages individual identifiers by uniquely identifying each individual as the
-                                               organization-defined characteristic identifying individual status.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting and/or implementing identifier management
-        - 
-          id:         ia-5
-          class:      SP800-53
-          title:      Authenticator Management
-          parameters: 
-            - 
-              id:    ia-5_prm_1
-              label: organization-defined time period by authenticator type
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-5
-            - 
-              name:  sort-id
-              value: ia-05
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-5_smt
-              name:  statement
-              prose: The organization manages information system authenticators by:
-              parts: 
-                - 
-                  id:         ia-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Verifying, as part of the initial authenticator distribution, the identity of the
-                                        individual, group, role, or device receiving the authenticator;
-                    """
-                - 
-                  id:         ia-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Establishing initial authenticator content for authenticators defined by the
-                                        organization;
-                    """
-                - 
-                  id:         ia-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensuring that authenticators have sufficient strength of mechanism for their
-                                        intended use;
-                    """
-                - 
-                  id:         ia-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Establishing and implementing administrative procedures for initial authenticator
-                                        distribution, for lost/compromised or damaged authenticators, and for revoking
-                                        authenticators;
-                    """
-                - 
-                  id:         ia-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Changing default content of authenticators prior to information system
-                                        installation;
-                    """
-                - 
-                  id:         ia-5_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                                        authenticators;
-                    """
-                - 
-                  id:         ia-5_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Changing/refreshing authenticators {{ ia-5_prm_1 }};
-                - 
-                  id:         ia-5_smt.h
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: h.
-                  prose: 
-                    """
-                      Protecting authenticator content from unauthorized disclosure and
-                                        modification;
-                    """
-                - 
-                  id:         ia-5_smt.i
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: i.
-                  prose: 
-                    """
-                      Requiring individuals to take, and having devices implement, specific security
-                                        safeguards to protect authenticators; and
-                    """
-                - 
-                  id:         ia-5_smt.j
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: j.
-                  prose: 
-                    """
-                      Changing authenticators for group/role accounts when membership to those accounts
-                                        changes.
-                    """
-                - 
-                  id:    ia-5_fr
-                  name:  item
-                  title: IA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ia-5_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3).
-            - 
-              id:    ia-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-                                 certificates, and key cards. Initial authenticator content is the actual content
-                                 (e.g., the initial password) as opposed to requirements about authenticator content
-                                 (e.g., minimum password length). In many cases, developers ship information system
-                                 components with factory default authentication credentials to allow for initial
-                                 installation and configuration. Default authentication credentials are often well
-                                 known, easily discoverable, and present a significant security risk. The requirement
-                                 to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-                                 authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-                                 for authenticators stored within organizational information systems (e.g., passwords
-                                 stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-                                 accessible with administrator privileges). Information systems support individual
-                                 authenticator management by organization-defined settings and restrictions for
-                                 various authenticator characteristics including, for example, minimum password
-                                 length, password composition, validation time window for time synchronous one-time
-                                 tokens, and number of allowed rejections during the verification stage of biometric
-                                 authentication. Specific actions that can be taken to safeguard authenticators
-                                 include, for example, maintaining possession of individual authenticators, not
-                                 loaning or sharing individual authenticators with others, and reporting lost, stolen,
-                                 or compromised authenticators immediately. Authenticator management includes issuing
-                                 and revoking, when no longer needed, authenticators for temporary access such as that
-                                 required for remote maintenance. Device authenticators include, for example,
-                                 certificates and passwords.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-            - 
-              id:    ia-5_obj
-              name:  objective
-              prose: Determine if the organization manages information system authenticators by: 
-              parts: 
-                - 
-                  id:         ia-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(a)
-                  prose:      verifying, as part of the initial authenticator distribution, the identity of:
-                  parts: 
-                    - 
-                      id:         ia-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[1]
-                      prose:      the individual receiving the authenticator;
-                    - 
-                      id:         ia-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[2]
-                      prose:      the group receiving the authenticator;
-                    - 
-                      id:         ia-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[3]
-                      prose:      the role receiving the authenticator; and/or
-                    - 
-                      id:         ia-5.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[4]
-                      prose:      the device receiving the authenticator;
-                - 
-                  id:         ia-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: IA-5(b)
-                  prose: 
-                    """
-                      establishing initial authenticator content for authenticators defined by the
-                                        organization;
-                    """
-                - 
-                  id:         ia-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(c)
-                  prose: 
-                    """
-                      ensuring that authenticators have sufficient strength of mechanism for their
-                                        intended use;
-                    """
-                - 
-                  id:         ia-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(d)
-                  parts: 
-                    - 
-                      id:         ia-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[1]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for initial
-                                               authenticator distribution;
-                        """
-                    - 
-                      id:         ia-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[2]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for lost/compromised or
-                                               damaged authenticators;
-                        """
-                    - 
-                      id:         ia-5.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[3]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for revoking
-                                               authenticators;
-                        """
-                - 
-                  id:         ia-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(e)
-                  prose: 
-                    """
-                      changing default content of authenticators prior to information system
-                                        installation;
-                    """
-                - 
-                  id:         ia-5.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(f)
-                  parts: 
-                    - 
-                      id:         ia-5.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[1]
-                      prose:      establishing minimum lifetime restrictions for authenticators;
-                    - 
-                      id:         ia-5.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[2]
-                      prose:      establishing maximum lifetime restrictions for authenticators;
-                    - 
-                      id:         ia-5.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[3]
-                      prose:      establishing reuse conditions for authenticators;
-                - 
-                  id:         ia-5.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(g)
-                  parts: 
-                    - 
-                      id:         ia-5.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(g)[1]
-                      prose: 
-                        """
-                          defining a time period (by authenticator type) for changing/refreshing
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(g)[2]
-                      prose: 
-                        """
-                          changing/refreshing authenticators with the organization-defined time period by
-                                               authenticator type;
-                        """
-                - 
-                  id:         ia-5.h_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(h)
-                  prose:      protecting authenticator content from unauthorized:
-                  parts: 
-                    - 
-                      id:         ia-5.h_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(h)[1]
-                      prose:      disclosure;
-                    - 
-                      id:         ia-5.h_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(h)[2]
-                      prose:      modification;
-                - 
-                  id:         ia-5.i_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(i)
-                  parts: 
-                    - 
-                      id:         ia-5.i_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IA-5(i)[1]
-                      prose: 
-                        """
-                          requiring individuals to take specific security safeguards to protect
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.i_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(i)[2]
-                      prose: 
-                        """
-                          having devices implement specific security safeguards to protect
-                                               authenticators; and
-                        """
-                - 
-                  id:         ia-5.j_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(j)
-                  prose: 
-                    """
-                      changing authenticators for group/role accounts when membership to those accounts
-                                        changes.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system
-                                        authenticators\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing authenticator management
-                                        capability
-                    """
-          controls: 
-            - 
-              id:         ia-5.1
-              class:      SP800-53-enhancement
-              title:      Password-based Authentication
-              parameters: 
-                - 
-                  id:    ia-5.1_prm_1
-                  label: 
-                    """
-                      organization-defined requirements for case sensitivity, number of characters,
-                                        mix of upper-case letters, lower-case letters, numbers, and special characters,
-                                        including minimum requirements for each type
-                    """
-                - 
-                  id:          ia-5.1_prm_2
-                  label:       organization-defined number
-                  constraints: 
-                    - 
-                      detail: at least fifty percent (50%)
-                - 
-                  id:    ia-5.1_prm_3
-                  label: organization-defined numbers for lifetime minimum, lifetime maximum
-                - 
-                  id:          ia-5.1_prm_4
-                  label:       organization-defined number
-                  constraints: 
-                    - 
-                      detail: twenty four (24)
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: IA-5(1)
-                - 
-                  name:  sort-id
-                  value: ia-05.01
-              parts: 
-                - 
-                  id:    ia-5.1_smt
-                  name:  statement
-                  prose: The information system, for password-based authentication:
-                  parts: 
-                    - 
-                      id:         ia-5.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Enforces minimum password complexity of {{ ia-5.1_prm_1 }};
-                    - 
-                      id:         ia-5.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Enforces at least the following number of changed characters when new passwords
-                                               are created: {{ ia-5.1_prm_2 }};
-                        """
-                    - 
-                      id:         ia-5.1_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Stores and transmits only cryptographically-protected passwords;
-                    - 
-                      id:         ia-5.1_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose:      Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};
-                    - 
-                      id:         ia-5.1_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)
-                      prose: 
-                        """
-                          Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;
-                                               and
-                        """
-                    - 
-                      id:         ia-5.1_smt.f
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (f)
-                      prose: 
-                        """
-                          Allows the use of a temporary password for system logons with an immediate
-                                               change to a permanent password.
-                        """
-                    - 
-                      id:    ia-5.1_fr
-                      name:  item
-                      title: IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-5.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (a) (d) Guidance:
-                          prose:      If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-                - 
-                  id:    ia-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to single-factor authentication of individuals
-                                        using passwords as individual or group authenticators, and in a similar manner,
-                                        when passwords are part of multifactor authenticators. This control enhancement
-                                        does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                                        Personal Identity Verification cards). The implementation of such password
-                                        mechanisms may not meet all of the requirements in the enhancement.
-                                        Cryptographically-protected passwords include, for example, encrypted versions of
-                                        passwords and one-way cryptographic hashes of passwords. The number of changed
-                                        characters refers to the number of changes required with respect to the total
-                                        number of positions in the current password. Password lifetime restrictions do not
-                                        apply to temporary passwords. To mitigate certain brute force attacks against
-                                        passwords, organizations may also consider salting passwords.
-                    """
-                  links: 
-                    - 
-                      href: #ia-6
-                      rel:  related
-                      text: IA-6
-                - 
-                  id:    ia-5.1_obj
-                  name:  objective
-                  prose: Determine if, for password-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(a)
-                      parts: 
-                        - 
-                          id:         ia-5.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[1]
-                          prose:      the organization defines requirements for case sensitivity;
-                        - 
-                          id:         ia-5.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[2]
-                          prose:      the organization defines requirements for number of characters;
-                        - 
-                          id:         ia-5.1.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[3]
-                          prose: 
-                            """
-                              the organization defines requirements for the mix of upper-case letters,
-                                                      lower-case letters, numbers and special characters;
-                            """
-                        - 
-                          id:         ia-5.1.a_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[4]
-                          prose: 
-                            """
-                              the organization defines minimum requirements for each type of
-                                                      character;
-                            """
-                        - 
-                          id:         ia-5.1.a_obj.5
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[5]
-                          prose: 
-                            """
-                              the information system enforces minimum password complexity of
-                                                      organization-defined requirements for case sensitivity, number of
-                                                      characters, mix of upper-case letters, lower-case letters, numbers, and
-                                                      special characters, including minimum requirements for each type;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.a
-                          rel:  corresp
-                          text: IA-5(1)(a)
-                    - 
-                      id:         ia-5.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(b)
-                      parts: 
-                        - 
-                          id:         ia-5.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(b)[1]
-                          prose: 
-                            """
-                              the organization defines a minimum number of changed characters to be
-                                                      enforced when new passwords are created;
-                            """
-                        - 
-                          id:         ia-5.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(b)[2]
-                          prose: 
-                            """
-                              the information system enforces at least the organization-defined minimum
-                                                      number of characters that must be changed when new passwords are
-                                                      created;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.b
-                          rel:  corresp
-                          text: IA-5(1)(b)
-                    - 
-                      id:         ia-5.1.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(1)(c)
-                      prose: 
-                        """
-                          the information system stores and transmits only encrypted representations of
-                                               passwords;
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.c
-                          rel:  corresp
-                          text: IA-5(1)(c)
-                    - 
-                      id:         ia-5.1.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(d)
-                      parts: 
-                        - 
-                          id:         ia-5.1.d_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[1]
-                          prose: 
-                            """
-                              the organization defines numbers for password minimum lifetime restrictions
-                                                      to be enforced for passwords;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[2]
-                          prose: 
-                            """
-                              the organization defines numbers for password maximum lifetime restrictions
-                                                      to be enforced for passwords;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[3]
-                          prose: 
-                            """
-                              the information system enforces password minimum lifetime restrictions of
-                                                      organization-defined numbers for lifetime minimum;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[4]
-                          prose: 
-                            """
-                              the information system enforces password maximum lifetime restrictions of
-                                                      organization-defined numbers for lifetime maximum;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.d
-                          rel:  corresp
-                          text: IA-5(1)(d)
-                    - 
-                      id:         ia-5.1.e_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(e)
-                      parts: 
-                        - 
-                          id:         ia-5.1.e_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(e)[1]
-                          prose: 
-                            """
-                              the organization defines the number of password generations to be prohibited
-                                                      from password reuse;
-                            """
-                        - 
-                          id:         ia-5.1.e_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(e)[2]
-                          prose: 
-                            """
-                              the information system prohibits password reuse for the organization-defined
-                                                      number of generations; and
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.e
-                          rel:  corresp
-                          text: IA-5(1)(e)
-                    - 
-                      id:         ia-5.1.f_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(1)(f)
-                      prose: 
-                        """
-                          the information system allows the use of a temporary password for system logons
-                                               with an immediate change to a permanent password.
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.f
-                          rel:  corresp
-                          text: IA-5(1)(f)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing password-based
-                                               authenticator management capability
-                        """
-            - 
-              id:         ia-5.2
-              class:      SP800-53-enhancement
-              title:      Pki-based Authentication
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(2)
-                - 
-                  name:  sort-id
-                  value: ia-05.02
-              parts: 
-                - 
-                  id:    ia-5.2_smt
-                  name:  statement
-                  prose: The information system, for PKI-based authentication:
-                  parts: 
-                    - 
-                      id:         ia-5.2_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Validates certifications by constructing and verifying a certification path to
-                                               an accepted trust anchor including checking certificate status information;
-                        """
-                    - 
-                      id:         ia-5.2_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Enforces authorized access to the corresponding private key;
-                    - 
-                      id:         ia-5.2_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          Maps the authenticated identity to the account of the individual or group;
-                                               and
-                        """
-                    - 
-                      id:         ia-5.2_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose: 
-                        """
-                          Implements a local cache of revocation data to support path discovery and
-                                               validation in case of inability to access revocation information via the
-                                               network.
-                        """
-                - 
-                  id:    ia-5.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Status information for certification paths includes, for example, certificate
-                                        revocation lists or certificate status protocol responses. For PIV cards,
-                                        validation of certifications involves the construction and verification of a
-                                        certification path to the Common Policy Root trust anchor including certificate
-                                        policy processing.
-                    """
-                  links: 
-                    - 
-                      href: #ia-6
-                      rel:  related
-                      text: IA-6
-                - 
-                  id:    ia-5.2_obj
-                  name:  objective
-                  prose: Determine if the information system, for PKI-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.2.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(2)(a)
-                      parts: 
-                        - 
-                          id:         ia-5.2.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(2)(a)[1]
-                          prose: 
-                            """
-                              validates certifications by constructing a certification path to an accepted
-                                                      trust anchor;
-                            """
-                        - 
-                          id:         ia-5.2.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(2)(a)[2]
-                          prose: 
-                            """
-                              validates certifications by verifying a certification path to an accepted
-                                                      trust anchor;
-                            """
-                        - 
-                          id:         ia-5.2.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(2)(a)[3]
-                          prose: 
-                            """
-                              includes checking certificate status information when constructing and
-                                                      verifying the certification path;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.2_smt.a
-                          rel:  corresp
-                          text: IA-5(2)(a)
-                    - 
-                      id:         ia-5.2.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(2)(b)
-                      prose:      enforces authorized access to the corresponding private key;
-                      links: 
-                        - 
-                          href: #ia-5.2_smt.b
-                          rel:  corresp
-                          text: IA-5(2)(b)
-                    - 
-                      id:         ia-5.2.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(2)(c)
-                      prose: 
-                        """
-                          maps the authenticated identity to the account of the individual or group;
-                                               and
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.2_smt.c
-                          rel:  corresp
-                          text: IA-5(2)(c)
-                    - 
-                      id:         ia-5.2.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(2)(d)
-                      prose: 
-                        """
-                          implements a local cache of revocation data to support path discovery and
-                                               validation in case of inability to access revocation information via the
-                                               network.
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.2_smt.d
-                          rel:  corresp
-                          text: IA-5(2)(d)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with PKI-based, authenticator management
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing PKI-based, authenticator
-                                               management capability
-                        """
-            - 
-              id:         ia-5.3
-              class:      SP800-53-enhancement
-              title:      In-person or Trusted Third-party Registration
-              parameters: 
-                - 
-                  id:          ia-5.3_prm_1
-                  label:       organization-defined types of and/or specific authenticators
-                  constraints: 
-                    - 
-                      detail: All hardware/biometric (multifactor authenticators)
-                - 
-                  id:          ia-5.3_prm_2
-                  constraints: 
-                    - 
-                      detail: in person
-                - 
-                  id:    ia-5.3_prm_3
-                  label: organization-defined registration authority
-                - 
-                  id:    ia-5.3_prm_4
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(3)
-                - 
-                  name:  sort-id
-                  value: ia-05.03
-              parts: 
-                - 
-                  id:    ia-5.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires that the registration process to receive {{ ia-5.3_prm_1 }} be conducted {{ ia-5.3_prm_2 }} before
-                                           {{ ia-5.3_prm_3 }} with authorization by {{ ia-5.3_prm_4 }}.
-                    """
-                - 
-                  id:    ia-5.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-5.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(3)[1]
-                      prose: 
-                        """
-                          defines types of and/or specific authenticators to be received in person or by
-                                               a trusted third party;
-                        """
-                    - 
-                      id:         ia-5.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(3)[2]
-                      prose: 
-                        """
-                          defines the registration authority with oversight of the registration process
-                                               for receipt of organization-defined types of and/or specific
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(3)[3]
-                      prose: 
-                        """
-                          defines personnel or roles responsible for authorizing organization-defined
-                                               registration authority;
-                        """
-                    - 
-                      id:         ia-5.3_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(3)[4]
-                      prose:      defines if the registration process is to be conducted:
-                      parts: 
-                        - 
-                          id:         ia-5.3_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(3)[4][a]
-                          prose:      in person; or
-                        - 
-                          id:         ia-5.3_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(3)[4][b]
-                          prose:      by a trusted third party; and
-                    - 
-                      id:         ia-5.3_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IA-5(3)[5]
-                      prose: 
-                        """
-                          requires that the registration process to receive organization-defined types of
-                                               and/or specific authenticators be conducted in person or by a trusted third
-                                               party before organization-defined registration authority with authorization by
-                                               organization-defined personnel or roles.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\nregistration process for receiving information system authenticators\n\nlist of authenticators requiring in-person registration\n\nlist of authenticators requiring trusted third party registration\n\nauthenticator registration documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\nregistration authority\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ia-5.4
-              class:      SP800-53-enhancement
-              title:      Automated Support for Password Strength Determination
-              parameters: 
-                - 
-                  id:          ia-5.4_prm_1
-                  label:       organization-defined requirements
-                  constraints: 
-                    - 
-                      detail: complexity as identified in IA-5 (1) Control Enhancement Part (a)
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(4)
-                - 
-                  name:  sort-id
-                  value: ia-05.04
-              parts: 
-                - 
-                  id:    ia-5.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated tools to determine if password authenticators
-                                        are sufficiently strong to satisfy {{ ia-5.4_prm_1 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    ia-5.4_fr
-                      name:  item
-                      title: IA-5 (4) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-5.4_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.
-                - 
-                  id:    ia-5.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement focuses on the creation of strong passwords and the
-                                        characteristics of such passwords (e.g., complexity) prior to use, the enforcement
-                                        of which is carried out by organizational information systems in IA-5 (1).
-                    """
-                  links: 
-                    - 
-                      href: #ca-2
-                      rel:  related
-                      text: CA-2
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    ia-5.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-5.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(4)[1]
-                      prose:      defines requirements to be satisfied by password authenticators; and
-                    - 
-                      id:         ia-5.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(4)[2]
-                      prose: 
-                        """
-                          employs automated tools to determine if password authenticators are
-                                               sufficiently strong to satisfy organization-defined requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nautomated tools for evaluating password authenticators\n\npassword strength assessment results\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing password-based
-                                               authenticator management capability\n\nautomated tools for determining password strength
-                        """
-            - 
-              id:         ia-5.6
-              class:      SP800-53-enhancement
-              title:      Protection of Authenticators
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(6)
-                - 
-                  name:  sort-id
-                  value: ia-05.06
-              parts: 
-                - 
-                  id:    ia-5.6_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization protects authenticators commensurate with the security category
-                                        of the information to which use of the authenticator permits access.
-                    """
-                - 
-                  id:    ia-5.6_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      For information systems containing multiple security categories of information
-                                        without reliable physical or logical separation between categories, authenticators
-                                        used to grant access to the systems are protected commensurate with the highest
-                                        security category of information on the systems.
-                    """
-                - 
-                  id:         ia-5.6_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization protects authenticators commensurate with the
-                                        security category of the information to which use of the authenticator permits
-                                        access.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the information system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and/or maintaining authenticator
-                                               protections\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing authenticator management
-                                               capability\n\nautomated mechanisms protecting authenticators
-                        """
-            - 
-              id:         ia-5.7
-              class:      SP800-53-enhancement
-              title:      No Embedded Unencrypted Static Authenticators
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(7)
-                - 
-                  name:  sort-id
-                  value: ia-05.07
-              parts: 
-                - 
-                  id:    ia-5.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization ensures that unencrypted static authenticators are not embedded
-                                        in applications or access scripts or stored on function keys.
-                    """
-                - 
-                  id:    ia-5.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations exercise caution in determining whether embedded or stored
-                                        authenticators are in encrypted or unencrypted form. If authenticators are used in
-                                        the manner stored, then those representations are considered unencrypted
-                                        authenticators. This is irrespective of whether that representation is perhaps an
-                                        encrypted version of something else (e.g., a password).
-                    """
-                - 
-                  id:    ia-5.7_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization ensures that unencrypted static authenticators are
-                                        not: 
-                    """
-                  parts: 
-                    - 
-                      id:         ia-5.7_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(7)[1]
-                      prose:      embedded in applications;
-                    - 
-                      id:         ia-5.7_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(7)[2]
-                      prose:      embedded in access scripts; or
-                    - 
-                      id:         ia-5.7_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(7)[3]
-                      prose:      stored on function keys.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing authenticator management
-                                               capability\n\nautomated mechanisms implementing authentication in applications
-                        """
-            - 
-              id:         ia-5.8
-              class:      SP800-53-enhancement
-              title:      Multiple Information System Accounts
-              parameters: 
-                - 
-                  id:          ia-5.8_prm_1
-                  label:       organization-defined security safeguards
-                  constraints: 
-                    - 
-                      detail: different authenticators on different systems
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(8)
-                - 
-                  name:  sort-id
-                  value: ia-05.08
-              parts: 
-                - 
-                  id:    ia-5.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization implements {{ ia-5.8_prm_1 }} to manage the risk
-                                        of compromise due to individuals having accounts on multiple information
-                                        systems.
-                    """
-                - 
-                  id:    ia-5.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      When individuals have accounts on multiple information systems, there is the risk
-                                        that the compromise of one account may lead to the compromise of other accounts if
-                                        individuals use the same authenticators. Possible alternatives include, for
-                                        example: (i) having different authenticators on all systems; (ii) employing some
-                                        form of single sign-on mechanism; or (iii) including some form of one-time
-                                        passwords on all systems.
-                    """
-                - 
-                  id:    ia-5.8_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-5.8_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(8)[1]
-                      prose: 
-                        """
-                          defines security safeguards to manage the risk of compromise due to individuals
-                                               having accounts on multiple information systems; and
-                        """
-                    - 
-                      id:         ia-5.8_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(8)[2]
-                      prose: 
-                        """
-                          implements organization-defined security safeguards to manage the risk of
-                                               compromise due to individuals having accounts on multiple information
-                                               systems.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\nlist of individuals having accounts on multiple information systems\n\nlist of security safeguards intended to manage risk of compromise due to
-                                               individuals having accounts on multiple information systems\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing safeguards for
-                                               authenticator management
-                        """
-            - 
-              id:         ia-5.11
-              class:      SP800-53-enhancement
-              title:      Hardware Token-based Authentication
-              parameters: 
-                - 
-                  id:    ia-5.11_prm_1
-                  label: organization-defined token quality requirements
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(11)
-                - 
-                  name:  sort-id
-                  value: ia-05.11
-              parts: 
-                - 
-                  id:    ia-5.11_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system, for hardware token-based authentication, employs
-                                        mechanisms that satisfy {{ ia-5.11_prm_1 }}.
-                    """
-                - 
-                  id:    ia-5.11_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Hardware token-based authentication typically refers to the use of PKI-based
-                                        tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                                        Organizations define specific requirements for tokens, such as working with a
-                                        particular PKI.
-                    """
-                - 
-                  id:    ia-5.11_obj
-                  name:  objective
-                  prose: Determine if, for hardware token-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.11_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(11)[1]
-                      prose:      the organization defines token quality requirements to be satisfied; and
-                    - 
-                      id:         ia-5.11_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(11)[2]
-                      prose: 
-                        """
-                          the information system employs mechanisms that satisfy organization-defined
-                                               token quality requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the
-                                               information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing hardware token-based
-                                               authenticator management capability
-                        """
-            - 
-              id:         ia-5.13
-              class:      SP800-53-enhancement
-              title:      Expiration of Cached Authenticators
-              parameters: 
-                - 
-                  id:    ia-5.13_prm_1
-                  label: organization-defined time period
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(13)
-                - 
-                  name:  sort-id
-                  value: ia-05.13
-              parts: 
-                - 
-                  id:    ia-5.13_smt
-                  name:  statement
-                  prose: The information system prohibits the use of cached authenticators after {{ ia-5.13_prm_1 }}.
-                - 
-                  id:    ia-5.13_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         ia-5.13_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(13)[1]
-                      prose: 
-                        """
-                          the organization defines the time period after which the information system is
-                                               to prohibit the use of cached authenticators; and
-                        """
-                    - 
-                      id:         ia-5.13_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(13)[2]
-                      prose: 
-                        """
-                          the information system prohibits the use of cached authenticators after the
-                                               organization-defined time period.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing authenticator management
-                                               capability
-                        """
-        - 
-          id:         ia-6
-          class:      SP800-53
-          title:      Authenticator Feedback
-          properties: 
-            - 
-              name:  label
-              value: IA-6
-            - 
-              name:  sort-id
-              value: ia-06
-          parts: 
-            - 
-              id:    ia-6_smt
-              name:  statement
-              prose: 
-                """
-                  The information system obscures feedback of authentication information during the
-                                 authentication process to protect the information from possible exploitation/use by
-                                 unauthorized individuals.
-                """
-            - 
-              id:    ia-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  The feedback from information systems does not provide information that would allow
-                                 unauthorized individuals to compromise authentication mechanisms. For some types of
-                                 information systems or system components, for example, desktops/notebooks with
-                                 relatively large monitors, the threat (often referred to as shoulder surfing) may be
-                                 significant. For other types of systems or components, for example, mobile devices
-                                 with 2-4 inch screens, this threat may be less significant, and may need to be
-                                 balanced against the increased likelihood of typographic input errors due to the
-                                 small keyboards. Therefore, the means for obscuring the authenticator feedback is
-                                 selected accordingly. Obscuring the feedback of authentication information includes,
-                                 for example, displaying asterisks when users type passwords into input devices, or
-                                 displaying feedback for a very limited time before fully obscuring it.
-                """
-              links: 
-                - 
-                  href: #pe-18
-                  rel:  related
-                  text: PE-18
-            - 
-              id:         ia-6_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system obscures feedback of authentication information
-                                 during the authentication process to protect the information from possible
-                                 exploitation/use by unauthorized individuals.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                                        authentication information during authentication
-                    """
-        - 
-          id:         ia-7
-          class:      SP800-53
-          title:      Cryptographic Module Authentication
-          properties: 
-            - 
-              name:  label
-              value: IA-7
-            - 
-              name:  sort-id
-              value: ia-07
-          links: 
-            - 
-              href: #39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-              rel:  reference
-              text: FIPS Publication 140
-            - 
-              href: #b09d1a31-d3c9-4138-a4f4-4c63816afd7d
-              rel:  reference
-              text: http://csrc.nist.gov/groups/STM/cmvp/index.html
-          parts: 
-            - 
-              id:    ia-7_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements mechanisms for authentication to a cryptographic
-                                 module that meet the requirements of applicable federal laws, Executive Orders,
-                                 directives, policies, regulations, standards, and guidance for such
-                                 authentication.
-                """
-            - 
-              id:    ia-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Authentication mechanisms may be required within a cryptographic module to
-                                 authenticate an operator accessing the module and to verify that the operator is
-                                 authorized to assume the requested role and perform services within that role.
-                """
-              links: 
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:         ia-7_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system implements mechanisms for authentication to a
-                                 cryptographic module that meet the requirements of applicable federal laws, Executive
-                                 Orders, directives, policies, regulations, standards, and guidance for such
-                                 authentication.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for cryptographic module
-                                        authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing cryptographic module
-                                        authentication
-                    """
-        - 
-          id:         ia-8
-          class:      SP800-53
-          title:      Identification and Authentication (non-organizational Users)
-          properties: 
-            - 
-              name:  label
-              value: IA-8
-            - 
-              name:  sort-id
-              value: ia-08
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #599fe9ba-4750-4450-9eeb-b95bd19a5e8f
-              rel:  reference
-              text: OMB Memorandum 10-06-2011
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #2157bb7e-192c-4eaa-877f-93ef6b0a3292
-              rel:  reference
-              text: NIST Special Publication 800-116
-            - 
-              href: #654f21e2-f3bc-43b2-abdc-60ab8d09744b
-              rel:  reference
-              text: 
-                """
-                  National Strategy for Trusted Identities in
-                              Cyberspace
-                """
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-8_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates non-organizational users
-                                 (or processes acting on behalf of non-organizational users).
-                """
-            - 
-              id:    ia-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Non-organizational users include information system users other than organizational
-                                 users explicitly covered by IA-2. These individuals are uniquely identified and
-                                 authenticated for accesses other than those accesses explicitly identified and
-                                 documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-                                 authentication of non-organizational users accessing federal information systems may
-                                 be required to protect federal, proprietary, or privacy-related information (with
-                                 exceptions noted for national security systems). Organizations use risk assessments
-                                 to determine authentication needs and consider scalability, practicality, and
-                                 security in balancing the need to ensure ease of use for access to federal
-                                 information and information systems with the need to protect and adequately mitigate
-                                 risk. IA-2 addresses identification and authentication requirements for access to
-                                 information systems by organizational users.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-            - 
-              id:    ia-8_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system uniquely identifies and authenticates
-                                 non-organizational users (or processes acting on behalf of non-organizational
-                                 users).
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing identification and
-                                        authentication capability
-                    """
-          controls: 
-            - 
-              id:         ia-8.1
-              class:      SP800-53-enhancement
-              title:      Acceptance of PIV Credentials from Other Agencies
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(1)
-                - 
-                  name:  sort-id
-                  value: ia-08.01
-              parts: 
-                - 
-                  id:    ia-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system accepts and electronically verifies Personal Identity
-                                        Verification (PIV) credentials from other federal agencies.
-                    """
-                - 
-                  id:    ia-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to logical access control systems (LACS) and
-                                        physical access control systems (PACS). Personal Identity Verification (PIV)
-                                        credentials are those credentials issued by federal agencies that conform to FIPS
-                                        Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                                        federal agencies to continue implementing the requirements specified in HSPD-12 to
-                                        enable agency-wide use of PIV credentials.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.1_obj
-                  name:  objective
-                  prose: Determine if the information system: 
-                  parts: 
-                    - 
-                      id:         ia-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(1)[1]
-                      prose: 
-                        """
-                          accepts Personal Identity Verification (PIV) credentials from other agencies;
-                                               and
-                        """
-                    - 
-                      id:         ia-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(1)[2]
-                      prose: 
-                        """
-                          electronically verifies Personal Identity Verification (PIV) credentials from
-                                               other agencies.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms that accept and verify PIV credentials
-                        """
-            - 
-              id:         ia-8.2
-              class:      SP800-53-enhancement
-              title:      Acceptance of Third-party Credentials
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(2)
-                - 
-                  name:  sort-id
-                  value: ia-08.02
-              parts: 
-                - 
-                  id:    ia-8.2_smt
-                  name:  statement
-                  prose: The information system accepts only FICAM-approved third-party credentials.
-                - 
-                  id:    ia-8.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement typically applies to organizational information systems
-                                        that are accessible to the general public, for example, public-facing websites.
-                                        Third-party credentials are those credentials issued by nonfederal government
-                                        entities approved by the Federal Identity, Credential, and Access Management
-                                        (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                                        meet or exceed the set of minimum federal government-wide technical, security,
-                                        privacy, and organizational maturity requirements. This allows federal government
-                                        relying parties to trust such credentials at their approved assurance levels.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                - 
-                  id:         ia-8.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system accepts only FICAM-approved third-party
-                                        credentials. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or
-                                               services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials
-                        """
-            - 
-              id:         ia-8.3
-              class:      SP800-53-enhancement
-              title:      Use of Ficam-approved Products
-              parameters: 
-                - 
-                  id:    ia-8.3_prm_1
-                  label: organization-defined information systems
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(3)
-                - 
-                  name:  sort-id
-                  value: ia-08.03
-              parts: 
-                - 
-                  id:    ia-8.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs only FICAM-approved information system components in
-                                           {{ ia-8.3_prm_1 }} to accept third-party credentials.
-                    """
-                - 
-                  id:    ia-8.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement typically applies to information systems that are
-                                        accessible to the general public, for example, public-facing websites.
-                                        FICAM-approved information system components include, for example, information
-                                        technology products and software libraries that have been approved by the Federal
-                                        Identity, Credential, and Access Management conformance program.
-                    """
-                  links: 
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-8.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-8(3)[1]
-                      prose: 
-                        """
-                          defines information systems in which only FICAM-approved information system
-                                               components are to be employed to accept third-party credentials; and
-                        """
-                    - 
-                      id:         ia-8.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(3)[2]
-                      prose: 
-                        """
-                          employs only FICAM-approved information system components in
-                                               organization-defined information systems to accept third-party credentials.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the
-                                               acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented
-                                               by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and
-                                               contracting responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability
-                        """
-            - 
-              id:         ia-8.4
-              class:      SP800-53-enhancement
-              title:      Use of Ficam-issued Profiles
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(4)
-                - 
-                  name:  sort-id
-                  value: ia-08.04
-              parts: 
-                - 
-                  id:    ia-8.4_smt
-                  name:  statement
-                  prose: The information system conforms to FICAM-issued profiles.
-                - 
-                  id:    ia-8.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement addresses open identity management standards. To ensure
-                                        that these standards are viable, robust, reliable, sustainable (e.g., available in
-                                        commercial information technology products), and interoperable as documented, the
-                                        United States Government assesses and scopes identity management standards and
-                                        technology implementations against applicable federal legislation, directives,
-                                        policies, and requirements. The result is FICAM-issued implementation profiles of
-                                        approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                                        OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                                        Exchange).
-                    """
-                  links: 
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:         ia-8.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose:      Determine if the information system conforms to FICAM-issued profiles. 
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the
-                                               acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms supporting and/or implementing conformance with
-                                               FICAM-issued profiles
-                        """
-    - 
-      id:       ir
-      class:    family
-      title:    Incident Response
-      controls: 
-        - 
-          id:         ir-1
-          class:      SP800-53
-          title:      Incident Response Policy and Procedures
-          parameters: 
-            - 
-              id:    ir-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ir-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ir-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-1
-            - 
-              name:  sort-id
-              value: ir-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ir-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ir-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ir-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An incident response policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ir-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the incident response policy and
-                                               associated incident response controls; and
-                        """
-                - 
-                  id:         ir-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ir-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Incident response policy {{ ir-1_prm_2 }}; and
-                    - 
-                      id:         ir-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Incident response procedures {{ ir-1_prm_3 }}.
-            - 
-              id:    ir-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the IR
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ir-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-1(a)
-                  parts: 
-                    - 
-                      id:         ir-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ir-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[1]
-                          prose:      develops and documents an incident response policy that addresses:
-                          parts: 
-                            - 
-                              id:         ir-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ir-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ir-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ir-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ir-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ir-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ir-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ir-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the incident response policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ir-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the incident response policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ir-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ir-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      incident response policy and associated incident response controls;
-                            """
-                        - 
-                          id:         ir-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ir-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ir-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-1(b)
-                  parts: 
-                    - 
-                      id:         ir-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ir-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current incident response
-                                                      policy;
-                            """
-                        - 
-                          id:         ir-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current incident response policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ir-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ir-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current incident response
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ir-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current incident response procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ir-2
-          class:      SP800-53
-          title:      Incident Response Training
-          parameters: 
-            - 
-              id:          ir-2_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: within ten (10) days
-            - 
-              id:          ir-2_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-2
-            - 
-              name:  sort-id
-              value: ir-02
-          links: 
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    ir-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides incident response training to information system users
-                                 consistent with assigned roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         ir-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Within {{ ir-2_prm_1 }} of assuming an incident response role or
-                                        responsibility;
-                    """
-                - 
-                  id:         ir-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         ir-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ ir-2_prm_2 }} thereafter.
-                    """
-            - 
-              id:    ir-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Incident response training provided by organizations is linked to the assigned roles
-                                 and responsibilities of organizational personnel to ensure the appropriate content
-                                 and level of detail is included in such training. For example, regular users may only
-                                 need to know who to call or how to recognize an incident on the information system;
-                                 system administrators may require additional training on how to handle/remediate
-                                 incidents; and incident responders may receive more specific training on forensics,
-                                 reporting, system recovery, and restoration. Incident response training includes user
-                                 training in the identification and reporting of suspicious activities, both from
-                                 external and internal sources.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-3
-                  rel:  related
-                  text: CP-3
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(a)
-                  parts: 
-                    - 
-                      id:         ir-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-2(a)[1]
-                      prose: 
-                        """
-                          defines a time period within which incident response training is to be provided
-                                               to information system users assuming an incident response role or
-                                               responsibility;
-                        """
-                    - 
-                      id:         ir-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-2(a)[2]
-                      prose: 
-                        """
-                          provides incident response training to information system users consistent with
-                                               assigned roles and responsibilities within the organization-defined time period
-                                               of assuming an incident response role or responsibility;
-                        """
-                - 
-                  id:         ir-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: IR-2(b)
-                  prose: 
-                    """
-                      provides incident response training to information system users consistent with
-                                        assigned roles and responsibilities when required by information system
-                                        changes;
-                    """
-                - 
-                  id:         ir-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(c)
-                  parts: 
-                    - 
-                      id:         ir-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher incident response training to
-                                               information system users consistent with assigned roles or responsibilities;
-                                               and
-                        """
-                    - 
-                      id:         ir-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-2(c)[2]
-                      prose: 
-                        """
-                          after the initial incident response training, provides refresher incident
-                                               response training to information system users consistent with assigned roles
-                                               and responsibilities in accordance with the organization-defined frequency to
-                                               provide refresher training.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with incident response training and operational
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-          controls: 
-            - 
-              id:         ir-2.1
-              class:      SP800-53-enhancement
-              title:      Simulated Events
-              properties: 
-                - 
-                  name:  label
-                  value: IR-2(1)
-                - 
-                  name:  sort-id
-                  value: ir-02.01
-              parts: 
-                - 
-                  id:    ir-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization incorporates simulated events into incident response training to
-                                        facilitate effective response by personnel in crisis situations.
-                    """
-                - 
-                  id:         ir-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization incorporates simulated events into incident response
-                                        training to facilitate effective response by personnel in crisis situations. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident response training and operational
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms that support and/or implement simulated events for
-                                               incident response training
-                        """
-            - 
-              id:         ir-2.2
-              class:      SP800-53-enhancement
-              title:      Automated Training Environments
-              properties: 
-                - 
-                  name:  label
-                  value: IR-2(2)
-                - 
-                  name:  sort-id
-                  value: ir-02.02
-              parts: 
-                - 
-                  id:    ir-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to provide a more thorough and
-                                        realistic incident response training environment.
-                    """
-                - 
-                  id:         ir-2.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to provide a more
-                                        thorough and realistic incident response training environment. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident response training and operational
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms that provide a thorough and realistic incident response
-                                               training environment
-                        """
-        - 
-          id:         ir-3
-          class:      SP800-53
-          title:      Incident Response Testing
-          parameters: 
-            - 
-              id:          ir-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every six (6) months
-            - 
-              id:    ir-3_prm_2
-              label: organization-defined tests
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-3
-            - 
-              name:  sort-id
-              value: ir-03
-          links: 
-            - 
-              href: #0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-              rel:  reference
-              text: NIST Special Publication 800-84
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-          parts: 
-            - 
-              id:    ir-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization tests the incident response capability for the information system
-                                    {{ ir-3_prm_1 }} using {{ ir-3_prm_2 }} to determine
-                                 the incident response effectiveness and documents the results.
-                """
-              parts: 
-                - 
-                  id:    ir-3_fr
-                  name:  item
-                  title: IR-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-3_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-3 -2 Requirement:
-                      prose:      The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
-            - 
-              id:    ir-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations test incident response capabilities to determine the overall
-                                 effectiveness of the capabilities and to identify potential weaknesses or
-                                 deficiencies. Incident response testing includes, for example, the use of checklists,
-                                 walk-through or tabletop exercises, simulations (parallel/full interrupt), and
-                                 comprehensive exercises. Incident response testing can also include a determination
-                                 of the effects on organizational operations (e.g., reduction in mission
-                                 capabilities), organizational assets, and individuals due to incident response.
-                """
-              links: 
-                - 
-                  href: #cp-4
-                  rel:  related
-                  text: CP-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-3[1]
-                  prose: 
-                    """
-                      defines incident response tests to test the incident response capability for the
-                                        information system;
-                    """
-                - 
-                  id:         ir-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-3[2]
-                  prose: 
-                    """
-                      defines the frequency to test the incident response capability for the information
-                                        system; and
-                    """
-                - 
-                  id:         ir-3_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: IR-3[3]
-                  prose: 
-                    """
-                      tests the incident response capability for the information system with the
-                                        organization-defined frequency, using organization-defined tests to determine the
-                                        incident response effectiveness and documents the results.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities
-          controls: 
-            - 
-              id:         ir-3.2
-              class:      SP800-53-enhancement
-              title:      Coordination with Related Plans
-              properties: 
-                - 
-                  name:  label
-                  value: IR-3(2)
-                - 
-                  name:  sort-id
-                  value: ir-03.02
-              parts: 
-                - 
-                  id:    ir-3.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization coordinates incident response testing with organizational
-                                        elements responsible for related plans.
-                    """
-                - 
-                  id:    ir-3.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational plans related to incident response testing include, for example,
-                                        Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity
-                                        of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                                        and Occupant Emergency Plans.
-                    """
-                - 
-                  id:         ir-3.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization coordinates incident response testing with
-                                        organizational elements responsible for related plans. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans
-                                               related to incident response testing\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         ir-4
-          class:      SP800-53
-          title:      Incident Handling
-          properties: 
-            - 
-              name:  label
-              value: IR-4
-            - 
-              name:  sort-id
-              value: ir-04
-          links: 
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Implements an incident handling capability for security incidents that includes
-                                        preparation, detection and analysis, containment, eradication, and recovery;
-                    """
-                - 
-                  id:         ir-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Coordinates incident handling activities with contingency planning activities;
-                                        and
-                    """
-                - 
-                  id:         ir-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Incorporates lessons learned from ongoing incident handling activities into
-                                        incident response procedures, training, and testing, and implements the resulting
-                                        changes accordingly.
-                    """
-                - 
-                  id:    ir-4_fr
-                  name:  item
-                  title: IR-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-4_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-            - 
-              id:    ir-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations recognize that incident response capability is dependent on the
-                                 capabilities of organizational information systems and the mission/business processes
-                                 being supported by those systems. Therefore, organizations consider incident response
-                                 as part of the definition, design, and development of mission/business processes and
-                                 information systems. Incident-related information can be obtained from a variety of
-                                 sources including, for example, audit monitoring, network monitoring, physical access
-                                 monitoring, user/administrator reports, and reported supply chain events. Effective
-                                 incident handling capability includes coordination among many organizational entities
-                                 including, for example, mission/business owners, information system owners,
-                                 authorizing officials, human resources offices, physical and personnel security
-                                 offices, legal departments, operations personnel, procurement offices, and the risk
-                                 executive (function).
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-4
-                  rel:  related
-                  text: CP-4
-                - 
-                  href: #ir-2
-                  rel:  related
-                  text: IR-2
-                - 
-                  href: #ir-3
-                  rel:  related
-                  text: IR-3
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    ir-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: IR-4(a)
-                  prose: 
-                    """
-                      implements an incident handling capability for security incidents that
-                                        includes:
-                    """
-                  parts: 
-                    - 
-                      id:         ir-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[1]
-                      prose:      preparation;
-                    - 
-                      id:         ir-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[2]
-                      prose:      detection and analysis;
-                    - 
-                      id:         ir-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[3]
-                      prose:      containment;
-                    - 
-                      id:         ir-4.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[4]
-                      prose:      eradication;
-                    - 
-                      id:         ir-4.a_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[5]
-                      prose:      recovery;
-                - 
-                  id:         ir-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: IR-4(b)
-                  prose:      coordinates incident handling activities with contingency planning activities;
-                - 
-                  id:         ir-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-4(c)
-                  parts: 
-                    - 
-                      id:         ir-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-4(c)[1]
-                      prose: 
-                        """
-                          incorporates lessons learned from ongoing incident handling activities
-                                               into:
-                        """
-                      parts: 
-                        - 
-                          id:         ir-4.c_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][a]
-                          prose:      incident response procedures;
-                        - 
-                          id:         ir-4.c_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][b]
-                          prose:      training;
-                        - 
-                          id:         ir-4.c_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][c]
-                          prose:      testing/exercises;
-                    - 
-                      id:         ir-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-4(c)[2]
-                      prose:      implements the resulting changes accordingly to:
-                      parts: 
-                        - 
-                          id:         ir-4.c_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][a]
-                          prose:      incident response procedures;
-                        - 
-                          id:         ir-4.c_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][b]
-                          prose:      training; and
-                        - 
-                          id:         ir-4.c_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][c]
-                          prose:      testing/exercises.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident handling capability for the organization
-          controls: 
-            - 
-              id:         ir-4.1
-              class:      SP800-53-enhancement
-              title:      Automated Incident Handling Processes
-              properties: 
-                - 
-                  name:  label
-                  value: IR-4(1)
-                - 
-                  name:  sort-id
-                  value: ir-04.01
-              parts: 
-                - 
-                  id:    ir-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to support the incident handling
-                                        process.
-                    """
-                - 
-                  id:    ir-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms supporting incident handling processes include, for example,
-                                        online incident management systems.
-                    """
-                - 
-                  id:         ir-4.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to support the incident
-                                        handling process. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms that support and/or implement the incident handling
-                                               process
-                        """
-            - 
-              id:         ir-4.2
-              class:      SP800-53-enhancement
-              title:      Dynamic Reconfiguration
-              parameters: 
-                - 
-                  id:          ir-4.2_prm_1
-                  label:       organization-defined information system components
-                  constraints: 
-                    - 
-                      detail: all network, data storage, and computing devices
-              properties: 
-                - 
-                  name:  label
-                  value: IR-4(2)
-                - 
-                  name:  sort-id
-                  value: ir-04.02
-              parts: 
-                - 
-                  id:    ir-4.2_smt
-                  name:  statement
-                  prose: The organization includes dynamic reconfiguration of {{ ir-4.2_prm_1 }} as part of the incident response capability.
-                - 
-                  id:    ir-4.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Dynamic reconfiguration includes, for example, changes to router rules, access
-                                        control lists, intrusion detection/prevention system parameters, and filter rules
-                                        for firewalls and gateways. Organizations perform dynamic reconfiguration of
-                                        information systems, for example, to stop attacks, to misdirect attackers, and to
-                                        isolate components of systems, thus limiting the extent of the damage from
-                                        breaches or compromises. Organizations include time frames for achieving the
-                                        reconfiguration of information systems in the definition of the reconfiguration
-                                        capability, considering the potential need for rapid response in order to
-                                        effectively address sophisticated cyber threats.
-                    """
-                  links: 
-                    - 
-                      href: #ac-2
-                      rel:  related
-                      text: AC-2
-                    - 
-                      href: #ac-4
-                      rel:  related
-                      text: AC-4
-                    - 
-                      href: #ac-16
-                      rel:  related
-                      text: AC-16
-                    - 
-                      href: #cm-2
-                      rel:  related
-                      text: CM-2
-                    - 
-                      href: #cm-3
-                      rel:  related
-                      text: CM-3
-                    - 
-                      href: #cm-4
-                      rel:  related
-                      text: CM-4
-                - 
-                  id:    ir-4.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ir-4.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-4(2)[1]
-                      prose: 
-                        """
-                          defines information system components to be dynamically reconfigured as part of
-                                               the incident response capability; and
-                        """
-                    - 
-                      id:         ir-4.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-4(2)[2]
-                      prose: 
-                        """
-                          includes dynamic reconfiguration of organization-defined information system
-                                               components as part of the incident response capability.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nlist of system components to be dynamically reconfigured as part of incident
-                                               response capability\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms that support and/or implement dynamic reconfiguration of
-                                               components as part of incident response
-                        """
-            - 
-              id:         ir-4.3
-              class:      SP800-53-enhancement
-              title:      Continuity of Operations
-              parameters: 
-                - 
-                  id:    ir-4.3_prm_1
-                  label: organization-defined classes of incidents
-                - 
-                  id:    ir-4.3_prm_2
-                  label: 
-                    """
-                      organization-defined actions to take in response to classes of
-                                        incidents
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: IR-4(3)
-                - 
-                  name:  sort-id
-                  value: ir-04.03
-              parts: 
-                - 
-                  id:    ir-4.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies {{ ir-4.3_prm_1 }} and {{ ir-4.3_prm_2 }} to ensure continuation of organizational missions and
-                                        business functions.
-                    """
-                - 
-                  id:    ir-4.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Classes of incidents include, for example, malfunctions due to
-                                        design/implementation errors and omissions, targeted malicious attacks, and
-                                        untargeted malicious attacks. Appropriate incident response actions include, for
-                                        example, graceful degradation, information system shutdown, fall back to manual
-                                        mode/alternative technology whereby the system operates differently, employing
-                                        deceptive measures, alternate information flows, or operating in a mode that is
-                                        reserved solely for when systems are under attack.
-                    """
-                - 
-                  id:    ir-4.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ir-4.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-4(3)[1]
-                      prose: 
-                        """
-                          defines classes of incidents requiring an organization-defined action to be
-                                               taken;
-                        """
-                    - 
-                      id:         ir-4.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-4(3)[2]
-                      prose: 
-                        """
-                          defines actions to be taken in response to organization-defined classes of
-                                               incidents; and
-                        """
-                    - 
-                      id:         ir-4.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-4(3)[3]
-                      prose: 
-                        """
-                          identifies organization-defined classes of incidents and organization-defined
-                                               actions to take in response to classes of incidents to ensure continuation of
-                                               organizational missions and business functions.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nsecurity plan\n\nlist of classes of incidents\n\nlist of appropriate incident response actions\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms that support and/or implement continuity of operations
-            - 
-              id:         ir-4.4
-              class:      SP800-53-enhancement
-              title:      Information Correlation
-              properties: 
-                - 
-                  name:  label
-                  value: IR-4(4)
-                - 
-                  name:  sort-id
-                  value: ir-04.04
-              parts: 
-                - 
-                  id:    ir-4.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization correlates incident information and individual incident responses
-                                        to achieve an organization-wide perspective on incident awareness and
-                                        response.
-                    """
-                - 
-                  id:    ir-4.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Sometimes the nature of a threat event, for example, a hostile cyber attack, is
-                                        such that it can only be observed by bringing together information from different
-                                        sources including various reports and reporting procedures established by
-                                        organizations.
-                    """
-                - 
-                  id:         ir-4.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization correlates incident information and individual
-                                        incident responses to achieve an organization-wide perspective on incident
-                                        awareness and response. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nsecurity plan\n\nautomated mechanisms supporting incident and event correlation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with whom incident information and individual incident
-                                               responses are to be correlated
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for correlating incident information and individual
-                                               incident responses\n\nautomated mechanisms that support and or implement correlation of incident
-                                               response information with individual incident responses
-                        """
-            - 
-              id:         ir-4.6
-              class:      SP800-53-enhancement
-              title:      Insider Threats - Specific Capabilities
-              properties: 
-                - 
-                  name:  label
-                  value: IR-4(6)
-                - 
-                  name:  sort-id
-                  value: ir-04.06
-              parts: 
-                - 
-                  id:    ir-4.6_smt
-                  name:  statement
-                  prose: The organization implements incident handling capability for insider threats.
-                - 
-                  id:    ir-4.6_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      While many organizations address insider threat incidents as an inherent part of
-                                        their organizational incident response capability, this control enhancement
-                                        provides additional emphasis on this type of threat and the need for specific
-                                        incident handling capabilities (as defined within organizations) to provide
-                                        appropriate and timely responses.
-                    """
-                - 
-                  id:         ir-4.6_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization implements incident handling capability for insider
-                                        threats.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident handling capability for the organization
-            - 
-              id:         ir-4.8
-              class:      SP800-53-enhancement
-              title:      Correlation with External Organizations
-              parameters: 
-                - 
-                  id:          ir-4.8_prm_1
-                  label:       organization-defined external organizations
-                  constraints: 
-                    - 
-                      detail: external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)
-                - 
-                  id:    ir-4.8_prm_2
-                  label: organization-defined incident information
-              properties: 
-                - 
-                  name:  label
-                  value: IR-4(8)
-                - 
-                  name:  sort-id
-                  value: ir-04.08
-              parts: 
-                - 
-                  id:    ir-4.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization coordinates with {{ ir-4.8_prm_1 }} to correlate
-                                        and share {{ ir-4.8_prm_2 }} to achieve a cross-organization
-                                        perspective on incident awareness and more effective incident responses.
-                    """
-                - 
-                  id:    ir-4.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The coordination of incident information with external organizations including,
-                                        for example, mission/business partners, military/coalition partners, customers,
-                                        and multitiered developers, can provide significant benefits. Cross-organizational
-                                        coordination with respect to incident handling can serve as an important risk
-                                        management capability. This capability allows organizations to leverage critical
-                                        information from a variety of sources to effectively respond to information
-                                        security-related incidents potentially affecting the organization’s operations,
-                                        assets, and individuals.
-                    """
-                - 
-                  id:    ir-4.8_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ir-4.8_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-4(8)[1]
-                      prose: 
-                        """
-                          defines external organizations with whom organizational incident information is
-                                               to be coordinated;
-                        """
-                    - 
-                      id:         ir-4.8_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-4(8)[2]
-                      prose: 
-                        """
-                          defines incident information to be correlated and shared with
-                                               organization-defined external organizations; and
-                        """
-                    - 
-                      id:         ir-4.8_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-4(8)[3]
-                      prose: 
-                        """
-                          the organization coordinates with organization-defined external organizations
-                                               to correlate and share organization-defined information to achieve a
-                                               cross-organization perspective on incident awareness and more effective
-                                               incident responses.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident handling\n\nlist of external organizations\n\nrecords of incident handling coordination with external organizations\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel from external organizations with whom incident response information
-                                               is to be coordinated/shared/correlated
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for coordinating incident handling information with
-                                               external organizations
-                        """
-        - 
-          id:         ir-5
-          class:      SP800-53
-          title:      Incident Monitoring
-          properties: 
-            - 
-              name:  label
-              value: IR-5
-            - 
-              name:  sort-id
-              value: ir-05
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-5_smt
-              name:  statement
-              prose: The organization tracks and documents information system security incidents.
-            - 
-              id:    ir-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Documenting information system security incidents includes, for example, maintaining
-                                 records about each incident, the status of the incident, and other pertinent
-                                 information necessary for forensics, evaluating incident details, trends, and
-                                 handling. Incident information can be obtained from a variety of sources including,
-                                 for example, incident reports, incident response teams, audit monitoring, network
-                                 monitoring, physical access monitoring, and user/administrator reports.
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    ir-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-5[1]
-                  prose:      tracks information system security incidents; and
-                - 
-                  id:         ir-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-5[2]
-                  prose:      documents information system security incidents.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Incident monitoring capability for the organization\n\nautomated mechanisms supporting and/or implementing tracking and documenting of
-                                        system security incidents
-                    """
-          controls: 
-            - 
-              id:         ir-5.1
-              class:      SP800-53-enhancement
-              title:      Automated Tracking / Data Collection / Analysis
-              properties: 
-                - 
-                  name:  label
-                  value: IR-5(1)
-                - 
-                  name:  sort-id
-                  value: ir-05.01
-              parts: 
-                - 
-                  id:    ir-5.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to assist in the tracking of
-                                        security incidents and in the collection and analysis of incident information.
-                    """
-                - 
-                  id:    ir-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms for tracking security incidents and collecting/analyzing
-                                        incident information include, for example, the Einstein network monitoring device
-                                        and monitoring online Computer Incident Response Centers (CIRCs) or other
-                                        electronic databases of incidents.
-                    """
-                  links: 
-                    - 
-                      href: #au-7
-                      rel:  related
-                      text: AU-7
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                - 
-                  id:    ir-5.1_obj
-                  name:  objective
-                  prose: Determine if the organization employs automated mechanisms to assist in:
-                  parts: 
-                    - 
-                      id:         ir-5.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-5(1)[1]
-                      prose:      the tracking of security incidents;
-                    - 
-                      id:         ir-5.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-5(1)[2]
-                      prose:      the collection of incident information; and
-                    - 
-                      id:         ir-5.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-5(1)[3]
-                      prose:      the analysis of incident information.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident monitoring\n\nautomated mechanisms supporting incident monitoring\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms assisting in tracking of security incidents and in the
-                                               collection and analysis of incident information
-                        """
-        - 
-          id:         ir-6
-          class:      SP800-53
-          title:      Incident Reporting
-          parameters: 
-            - 
-              id:          ir-6_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-            - 
-              id:    ir-6_prm_2
-              label: organization-defined authorities
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-6
-            - 
-              name:  sort-id
-              value: ir-06
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #02631467-668b-4233-989b-3dfded2fd184
-              rel:  reference
-              text: http://www.us-cert.gov
-          parts: 
-            - 
-              id:    ir-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires personnel to report suspected security incidents to the organizational
-                                        incident response capability within {{ ir-6_prm_1 }}; and
-                    """
-                - 
-                  id:         ir-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reports security incident information to {{ ir-6_prm_2 }}.
-                - 
-                  id:    ir-6_fr
-                  name:  item
-                  title: IR-6 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Report security incident information according to FedRAMP Incident Communications Procedure.
-            - 
-              id:    ir-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  The intent of this control is to address both specific incident reporting
-                                 requirements within an organization and the formal incident reporting requirements
-                                 for federal agencies and their subordinate organizations. Suspected security
-                                 incidents include, for example, the receipt of suspicious email communications that
-                                 can potentially contain malicious code. The types of security incidents reported, the
-                                 content and timeliness of the reports, and the designated reporting authorities
-                                 reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-                                 standards, and guidance. Current federal policy requires that all federal agencies
-                                 (unless specifically exempted from such requirements) report security incidents to
-                                 the United States Computer Emergency Readiness Team (US-CERT) within specified time
-                                 frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-                                 Incident Handling.
-                """
-              links: 
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-5
-                  rel:  related
-                  text: IR-5
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-6(a)
-                  parts: 
-                    - 
-                      id:         ir-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-6(a)[1]
-                      prose: 
-                        """
-                          defines the time period within which personnel report suspected security
-                                               incidents to the organizational incident response capability;
-                        """
-                    - 
-                      id:         ir-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-6(a)[2]
-                      prose: 
-                        """
-                          requires personnel to report suspected security incidents to the organizational
-                                               incident response capability within the organization-defined time period;
-                        """
-                - 
-                  id:         ir-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-6(b)
-                  parts: 
-                    - 
-                      id:         ir-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-6(b)[1]
-                      prose: 
-                        """
-                          defines authorities to whom security incident information is to be reported;
-                                               and
-                        """
-                    - 
-                      id:         ir-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-6(b)[2]
-                      prose:      reports security incident information to organization-defined authorities.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing incident reporting
-          controls: 
-            - 
-              id:         ir-6.1
-              class:      SP800-53-enhancement
-              title:      Automated Reporting
-              properties: 
-                - 
-                  name:  label
-                  value: IR-6(1)
-                - 
-                  name:  sort-id
-                  value: ir-06.01
-              parts: 
-                - 
-                  id:    ir-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to assist in the reporting of
-                                        security incidents.
-                    """
-                - 
-                  id:    ir-6.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ir-7
-                      rel:  related
-                      text: IR-7
-                - 
-                  id:         ir-6.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to assist in the
-                                        reporting of security incidents.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing reporting of security
-                                               incidents
-                        """
-        - 
-          id:         ir-7
-          class:      SP800-53
-          title:      Incident Response Assistance
-          properties: 
-            - 
-              name:  label
-              value: IR-7
-            - 
-              name:  sort-id
-              value: ir-07
-          parts: 
-            - 
-              id:    ir-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides an incident response support resource, integral to the
-                                 organizational incident response capability that offers advice and assistance to
-                                 users of the information system for the handling and reporting of security
-                                 incidents.
-                """
-            - 
-              id:    ir-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Incident response support resources provided by organizations include, for example,
-                                 help desks, assistance groups, and access to forensics services, when required.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-6
-                  rel:  related
-                  text: IR-6
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-            - 
-              id:    ir-7_obj
-              name:  objective
-              prose: Determine if the organization provides an incident response support resource:
-              parts: 
-                - 
-                  id:         ir-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-7[1]
-                  prose:      that is integral to the organizational incident response capability; and
-                - 
-                  id:         ir-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-7[2]
-                  prose: 
-                    """
-                      that offers advice and assistance to users of the information system for the
-                                        handling and reporting of security incidents.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with incident response assistance and support
-                                        responsibilities\n\norganizational personnel with access to incident response support and assistance
-                                        capability\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing incident response
-                                        assistance
-                    """
-          controls: 
-            - 
-              id:         ir-7.1
-              class:      SP800-53-enhancement
-              title:      Automation Support for Availability of Information / Support
-              properties: 
-                - 
-                  name:  label
-                  value: IR-7(1)
-                - 
-                  name:  sort-id
-                  value: ir-07.01
-              parts: 
-                - 
-                  id:    ir-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to increase the availability of
-                                        incident response-related information and support.
-                    """
-                - 
-                  id:    ir-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms can provide a push and/or pull capability for users to obtain
-                                        incident response assistance. For example, individuals might have access to a
-                                        website to query the assistance capability, or conversely, the assistance
-                                        capability may have the ability to proactively send information to users (general
-                                        distribution or targeted) as part of increasing understanding of current response
-                                        capabilities and support.
-                    """
-                - 
-                  id:         ir-7.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to increase the
-                                        availability of incident response-related information and support.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident response support and assistance
-                                               responsibilities\n\norganizational personnel with access to incident response support and
-                                               assistance capability\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing an increase in the
-                                               availability of incident response information and support
-                        """
-            - 
-              id:         ir-7.2
-              class:      SP800-53-enhancement
-              title:      Coordination with External Providers
-              properties: 
-                - 
-                  name:  label
-                  value: IR-7(2)
-                - 
-                  name:  sort-id
-                  value: ir-07.02
-              parts: 
-                - 
-                  id:    ir-7.2_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ir-7.2_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Establishes a direct, cooperative relationship between its incident response
-                                               capability and external providers of information system protection capability;
-                                               and
-                        """
-                    - 
-                      id:         ir-7.2_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Identifies organizational incident response team members to the external
-                                               providers.
-                        """
-                - 
-                  id:    ir-7.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      External providers of information system protection capability include, for
-                                        example, the Computer Network Defense program within the U.S. Department of
-                                        Defense. External providers help to protect, monitor, analyze, detect, and respond
-                                        to unauthorized activity within organizational information systems and
-                                        networks.
-                    """
-                - 
-                  id:    ir-7.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ir-7.2.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-7(2)(a)
-                      prose: 
-                        """
-                          establishes a direct, cooperative relationship between its incident response
-                                               capability and external providers of information system protection capability;
-                                               and
-                        """
-                      links: 
-                        - 
-                          href: #ir-7.2_smt.a
-                          rel:  corresp
-                          text: IR-7(2)(a)
-                    - 
-                      id:         ir-7.2.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-7(2)(b)
-                      prose: 
-                        """
-                          identifies organizational incident response team members to the external
-                                               providers.
-                        """
-                      links: 
-                        - 
-                          href: #ir-7.2_smt.b
-                          rel:  corresp
-                          text: IR-7(2)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident response support and assistance
-                                               responsibilities\n\nexternal providers of information system protection capability\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         ir-8
-          class:      SP800-53
-          title:      Incident Response Plan
-          parameters: 
-            - 
-              id:    ir-8_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ir-8_prm_2
-              label: 
-                """
-                  organization-defined incident response personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-              constraints: 
-                - 
-                  detail: see additional FedRAMP Requirements and Guidance
-            - 
-              id:          ir-8_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ir-8_prm_4
-              label: 
-                """
-                  organization-defined incident response personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-              constraints: 
-                - 
-                  detail: see additional FedRAMP Requirements and Guidance
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-8
-            - 
-              name:  sort-id
-              value: ir-08
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops an incident response plan that:
-                  parts: 
-                    - 
-                      id:         ir-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Provides the organization with a roadmap for implementing its incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Describes the structure and organization of the incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Provides a high-level approach for how the incident response capability fits
-                                               into the overall organization;
-                        """
-                    - 
-                      id:         ir-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Meets the unique requirements of the organization, which relate to mission,
-                                               size, structure, and functions;
-                        """
-                    - 
-                      id:         ir-8_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose:      Defines reportable incidents;
-                    - 
-                      id:         ir-8_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose: 
-                        """
-                          Provides metrics for measuring the incident response capability within the
-                                               organization;
-                        """
-                    - 
-                      id:         ir-8_smt.a.7
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 7.
-                      prose: 
-                        """
-                          Defines the resources and management support needed to effectively maintain and
-                                               mature an incident response capability; and
-                        """
-                    - 
-                      id:         ir-8_smt.a.8
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 8.
-                      prose:      Is reviewed and approved by {{ ir-8_prm_1 }};
-                - 
-                  id:         ir-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Distributes copies of the incident response plan to {{ ir-8_prm_2 }};
-                - 
-                  id:         ir-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews the incident response plan {{ ir-8_prm_3 }};
-                - 
-                  id:         ir-8_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Updates the incident response plan to address system/organizational changes or
-                                        problems encountered during plan implementation, execution, or testing;
-                    """
-                - 
-                  id:         ir-8_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Communicates incident response plan changes to {{ ir-8_prm_4 }};
-                                        and
-                    """
-                - 
-                  id:         ir-8_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Protects the incident response plan from unauthorized disclosure and
-                                        modification.
-                    """
-                - 
-                  id:    ir-8_fr
-                  name:  item
-                  title: IR-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-8_fr_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b) Requirement:
-                      prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-                    - 
-                      id:         ir-8_fr_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e) Requirement:
-                      prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-            - 
-              id:    ir-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  It is important that organizations develop and implement a coordinated approach to
-                                 incident response. Organizational missions, business functions, strategies, goals,
-                                 and objectives for incident response help to determine the structure of incident
-                                 response capabilities. As part of a comprehensive incident response capability,
-                                 organizations consider the coordination and sharing of information with external
-                                 organizations, including, for example, external service providers and organizations
-                                 involved in the supply chain for organizational information systems.
-                """
-              links: 
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-            - 
-              id:    ir-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(a)
-                  prose:      develops an incident response plan that:
-                  parts: 
-                    - 
-                      id:         ir-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(1)
-                      prose: 
-                        """
-                          provides the organization with a roadmap for implementing its incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(2)
-                      prose: 
-                        """
-                          describes the structure and organization of the incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(3)
-                      prose: 
-                        """
-                          provides a high-level approach for how the incident response capability fits
-                                               into the overall organization;
-                        """
-                    - 
-                      id:         ir-8.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(4)
-                      prose:      meets the unique requirements of the organization, which relate to:
-                      parts: 
-                        - 
-                          id:         ir-8.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[1]
-                          prose:      mission;
-                        - 
-                          id:         ir-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[2]
-                          prose:      size;
-                        - 
-                          id:         ir-8.a.4_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[3]
-                          prose:      structure;
-                        - 
-                          id:         ir-8.a.4_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[4]
-                          prose:      functions;
-                    - 
-                      id:         ir-8.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(5)
-                      prose:      defines reportable incidents;
-                    - 
-                      id:         ir-8.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(a)(6)
-                      prose: 
-                        """
-                          provides metrics for measuring the incident response capability within the
-                                               organization;
-                        """
-                    - 
-                      id:         ir-8.a.7_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(7)
-                      prose: 
-                        """
-                          defines the resources and management support needed to effectively maintain and
-                                               mature an incident response capability;
-                        """
-                    - 
-                      id:         ir-8.a.8_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(8)
-                      parts: 
-                        - 
-                          id:         ir-8.a.8_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(a)(8)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to review and approve the incident response
-                                                      plan;
-                            """
-                        - 
-                          id:         ir-8.a.8_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-8(a)(8)[2]
-                          prose:      is reviewed and approved by organization-defined personnel or roles;
-                - 
-                  id:         ir-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(b)
-                  parts: 
-                    - 
-                      id:         ir-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(b)[1]
-                      parts: 
-                        - 
-                          id:         ir-8.b_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(b)[1][a]
-                          prose: 
-                            """
-                              defines incident response personnel (identified by name and/or by role) to
-                                                      whom copies of the incident response plan are to be distributed;
-                            """
-                        - 
-                          id:         ir-8.b_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(b)[1][b]
-                          prose: 
-                            """
-                              defines organizational elements to whom copies of the incident response plan
-                                                      are to be distributed;
-                            """
-                    - 
-                      id:         ir-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the incident response plan to organization-defined
-                                               incident response personnel (identified by name and/or by role) and
-                                               organizational elements;
-                        """
-                - 
-                  id:         ir-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(c)
-                  parts: 
-                    - 
-                      id:         ir-8.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(c)[1]
-                      prose:      defines the frequency to review the incident response plan;
-                    - 
-                      id:         ir-8.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-8(c)[2]
-                      prose:      reviews the incident response plan with the organization-defined frequency;
-                - 
-                  id:         ir-8.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-8(d)
-                  prose: 
-                    """
-                      updates the incident response plan to address system/organizational changes or
-                                        problems encountered during plan:
-                    """
-                  parts: 
-                    - 
-                      id:         ir-8.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[1]
-                      prose:      implementation;
-                    - 
-                      id:         ir-8.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[2]
-                      prose:      execution; or
-                    - 
-                      id:         ir-8.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[3]
-                      prose:      testing;
-                - 
-                  id:         ir-8.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(e)
-                  parts: 
-                    - 
-                      id:         ir-8.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(e)[1]
-                      parts: 
-                        - 
-                          id:         ir-8.e_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(e)[1][a]
-                          prose: 
-                            """
-                              defines incident response personnel (identified by name and/or by role) to
-                                                      whom incident response plan changes are to be communicated;
-                            """
-                        - 
-                          id:         ir-8.e_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IR-8(e)[1][b]
-                          prose: 
-                            """
-                              defines organizational elements to whom incident response plan changes are
-                                                      to be communicated;
-                            """
-                    - 
-                      id:         ir-8.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(e)[2]
-                      prose: 
-                        """
-                          communicates incident response plan changes to organization-defined incident
-                                               response personnel (identified by name and/or by role) and organizational
-                                               elements; and
-                        """
-                - 
-                  id:         ir-8.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-8(f)
-                  prose: 
-                    """
-                      protects the incident response plan from unauthorized disclosure and
-                                        modification.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational incident response plan and related organizational processes
-        - 
-          id:         ir-9
-          class:      SP800-53
-          title:      Information Spillage Response
-          parameters: 
-            - 
-              id:    ir-9_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ir-9_prm_2
-              label: organization-defined actions
-          properties: 
-            - 
-              name:  label
-              value: IR-9
-            - 
-              name:  sort-id
-              value: ir-09
-          parts: 
-            - 
-              id:    ir-9_smt
-              name:  statement
-              prose: The organization responds to information spills by:
-              parts: 
-                - 
-                  id:         ir-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifying the specific information involved in the information system
-                                        contamination;
-                    """
-                - 
-                  id:         ir-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Alerting {{ ir-9_prm_1 }} of the information spill using a method
-                                        of communication not associated with the spill;
-                    """
-                - 
-                  id:         ir-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Isolating the contaminated information system or system component;
-                - 
-                  id:         ir-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Eradicating the information from the contaminated information system or
-                                        component;
-                    """
-                - 
-                  id:         ir-9_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Identifying other information systems or system components that may have been
-                                        subsequently contaminated; and
-                    """
-                - 
-                  id:         ir-9_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Performing other {{ ir-9_prm_2 }}.
-            - 
-              id:    ir-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information spillage refers to instances where either classified or sensitive
-                                 information is inadvertently placed on information systems that are not authorized to
-                                 process such information. Such information spills often occur when information that
-                                 is initially thought to be of lower sensitivity is transmitted to an information
-                                 system and then is subsequently determined to be of higher sensitivity. At that
-                                 point, corrective action is required. The nature of the organizational response is
-                                 generally based upon the degree of sensitivity of the spilled information (e.g.,
-                                 security category or classification level), the security capabilities of the
-                                 information system, the specific nature of contaminated storage media, and the access
-                                 authorizations (e.g., security clearances) of individuals with authorized access to
-                                 the contaminated system. The methods used to communicate information about the spill
-                                 after the fact do not involve methods directly associated with the actual spill to
-                                 minimize the risk of further spreading the contamination before such contamination is
-                                 isolated and eradicated.
-                """
-            - 
-              id:    ir-9_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-9(a)
-                  prose: 
-                    """
-                      responds to information spills by identifying the specific information causing the
-                                        information system contamination;
-                    """
-                - 
-                  id:         ir-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(b)
-                  parts: 
-                    - 
-                      id:         ir-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(b)[1]
-                      prose:      defines personnel to be alerted of the information spillage;
-                    - 
-                      id:         ir-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-9(b)[2]
-                      prose: 
-                        """
-                          identifies a method of communication not associated with the information spill
-                                               to use to alert organization-defined personnel of the spill;
-                        """
-                    - 
-                      id:         ir-9.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-9(b)[3]
-                      prose: 
-                        """
-                          responds to information spills by alerting organization-defined personnel of
-                                               the information spill using a method of communication not associated with the
-                                               spill;
-                        """
-                - 
-                  id:         ir-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-9(c)
-                  prose: 
-                    """
-                      responds to information spills by isolating the contaminated information
-                                        system;
-                    """
-                - 
-                  id:         ir-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-9(d)
-                  prose: 
-                    """
-                      responds to information spills by eradicating the information from the
-                                        contaminated information system;
-                    """
-                - 
-                  id:         ir-9.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-9(e)
-                  prose: 
-                    """
-                      responds to information spills by identifying other information systems that may
-                                        have been subsequently contaminated;
-                    """
-                - 
-                  id:         ir-9.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(f)
-                  parts: 
-                    - 
-                      id:         ir-9.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(f)[1]
-                      prose: 
-                        """
-                          defines other actions to be performed in response to information spills;
-                                               and
-                        """
-                    - 
-                      id:         ir-9.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-9(f)[2]
-                      prose: 
-                        """
-                          responds to information spills by performing other organization-defined
-                                               actions.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nrecords of information spillage alerts/notifications, list of personnel who should
-                                        receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information spillage response\n\nautomated mechanisms supporting and/or implementing information spillage response
-                                        actions and related communications
-                    """
-          controls: 
-            - 
-              id:         ir-9.1
-              class:      SP800-53-enhancement
-              title:      Responsible Personnel
-              parameters: 
-                - 
-                  id:    ir-9.1_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: IR-9(1)
-                - 
-                  name:  sort-id
-                  value: ir-09.01
-              parts: 
-                - 
-                  id:    ir-9.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization assigns {{ ir-9.1_prm_1 }} with responsibility for
-                                        responding to information spills.
-                    """
-                - 
-                  id:    ir-9.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ir-9.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(1)[1]
-                      prose: 
-                        """
-                          defines personnel with responsibility for responding to information spills;
-                                               and
-                        """
-                    - 
-                      id:         ir-9.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-9(1)[2]
-                      prose: 
-                        """
-                          assigns organization-defined personnel with responsibility for responding to
-                                               information spills.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nlist of personnel responsible for responding to information spillage\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ir-9.2
-              class:      SP800-53-enhancement
-              title:      Training
-              parameters: 
-                - 
-                  id:          ir-9.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least annually
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: IR-9(2)
-                - 
-                  name:  sort-id
-                  value: ir-09.02
-              parts: 
-                - 
-                  id:    ir-9.2_smt
-                  name:  statement
-                  prose: The organization provides information spillage response training {{ ir-9.2_prm_1 }}.
-                - 
-                  id:    ir-9.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ir-9.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(2)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide information spillage response training;
-                                               and
-                        """
-                    - 
-                      id:         ir-9.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-9(2)[2]
-                      prose: 
-                        """
-                          provides information spillage response training with the organization-defined
-                                               frequency.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\ninformation spillage response training records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ir-9.3
-              class:      SP800-53-enhancement
-              title:      Post-spill Operations
-              parameters: 
-                - 
-                  id:    ir-9.3_prm_1
-                  label: organization-defined procedures
-              properties: 
-                - 
-                  name:  label
-                  value: IR-9(3)
-                - 
-                  name:  sort-id
-                  value: ir-09.03
-              parts: 
-                - 
-                  id:    ir-9.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization implements {{ ir-9.3_prm_1 }} to ensure that
-                                        organizational personnel impacted by information spills can continue to carry out
-                                        assigned tasks while contaminated systems are undergoing corrective actions.
-                    """
-                - 
-                  id:    ir-9.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Correction actions for information systems contaminated due to information
-                                        spillages may be very time-consuming. During those periods, personnel may not have
-                                        access to the contaminated systems, which may potentially affect their ability to
-                                        conduct organizational business.
-                    """
-                - 
-                  id:    ir-9.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ir-9.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(3)[1]
-                      prose: 
-                        """
-                          defines procedures that ensure organizational personnel impacted by information
-                                               spills can continue to carry out assigned tasks while contaminated systems are
-                                               undergoing corrective actions; and
-                        """
-                    - 
-                      id:         ir-9.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-9(3)[2]
-                      prose: 
-                        """
-                          implements organization-defined procedures to ensure that organizational
-                                               personnel impacted by information spills can continue to carry out assigned
-                                               tasks while contaminated systems are undergoing corrective actions.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing information spillage\n\nincident response plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for post-spill operations
-            - 
-              id:         ir-9.4
-              class:      SP800-53-enhancement
-              title:      Exposure to Unauthorized Personnel
-              parameters: 
-                - 
-                  id:    ir-9.4_prm_1
-                  label: organization-defined security safeguards
-              properties: 
-                - 
-                  name:  label
-                  value: IR-9(4)
-                - 
-                  name:  sort-id
-                  value: ir-09.04
-              parts: 
-                - 
-                  id:    ir-9.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ ir-9.4_prm_1 }} for personnel exposed
-                                        to information not within assigned access authorizations.
-                    """
-                - 
-                  id:    ir-9.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Security safeguards include, for example, making personnel exposed to spilled
-                                        information aware of the federal laws, directives, policies, and/or regulations
-                                        regarding the information and the restrictions imposed based on exposure to such
-                                        information.
-                    """
-                - 
-                  id:    ir-9.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ir-9.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(4)[1]
-                      prose: 
-                        """
-                          defines security safeguards to be employed for personnel exposed to information
-                                               not within assigned access authorizations; and
-                        """
-                    - 
-                      id:         ir-9.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-9(4)[2]
-                      prose: 
-                        """
-                          employs organization-defined security safeguards for personnel exposed to
-                                               information not within assigned access authorizations.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing information spillage\n\nincident response plan\n\nsecurity safeguards regarding information spillage/exposure to unauthorized
-                                               personnel\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for dealing with information exposed to unauthorized
-                                               personnel\n\nautomated mechanisms supporting and/or implementing safeguards for personnel
-                                               exposed to information not within assigned access authorizations
-                        """
-    - 
-      id:       ma
-      class:    family
-      title:    Maintenance
-      controls: 
-        - 
-          id:         ma-1
-          class:      SP800-53
-          title:      System Maintenance Policy and Procedures
-          parameters: 
-            - 
-              id:    ma-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ma-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ma-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MA-1
-            - 
-              name:  sort-id
-              value: ma-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ma-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ma-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ma-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system maintenance policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ma-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system maintenance policy
-                                               and associated system maintenance controls; and
-                        """
-                - 
-                  id:         ma-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ma-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      System maintenance policy {{ ma-1_prm_2 }}; and
-                    - 
-                      id:         ma-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System maintenance procedures {{ ma-1_prm_3 }}.
-            - 
-              id:    ma-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the MA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ma-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ma-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-1(a)
-                  parts: 
-                    - 
-                      id:         ma-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ma-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[1]
-                          prose:      develops and documents a system maintenance policy that addresses:
-                          parts: 
-                            - 
-                              id:         ma-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ma-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ma-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ma-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ma-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ma-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ma-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ma-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system maintenance policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ma-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system maintenance policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ma-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ma-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      maintenance policy and associated system maintenance controls;
-                            """
-                        - 
-                          id:         ma-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ma-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ma-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-1(b)
-                  parts: 
-                    - 
-                      id:         ma-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ma-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system maintenance
-                                                      policy;
-                            """
-                        - 
-                          id:         ma-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system maintenance policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ma-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ma-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system maintenance
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ma-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system maintenance procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Maintenance policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ma-2
-          class:      SP800-53
-          title:      Controlled Maintenance
-          parameters: 
-            - 
-              id:    ma-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ma-2_prm_2
-              label: organization-defined maintenance-related information
-          properties: 
-            - 
-              name:  label
-              value: MA-2
-            - 
-              name:  sort-id
-              value: ma-02
-          parts: 
-            - 
-              id:    ma-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Schedules, performs, documents, and reviews records of maintenance and repairs on
-                                        information system components in accordance with manufacturer or vendor
-                                        specifications and/or organizational requirements;
-                    """
-                - 
-                  id:         ma-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Approves and monitors all maintenance activities, whether performed on site or
-                                        remotely and whether the equipment is serviced on site or removed to another
-                                        location;
-                    """
-                - 
-                  id:         ma-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Requires that {{ ma-2_prm_1 }} explicitly approve the removal of
-                                        the information system or system components from organizational facilities for
-                                        off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Sanitizes equipment to remove all information from associated media prior to
-                                        removal from organizational facilities for off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Checks all potentially impacted security controls to verify that the controls are
-                                        still functioning properly following maintenance or repair actions; and
-                    """
-                - 
-                  id:         ma-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Includes {{ ma-2_prm_2 }} in organizational maintenance
-                                        records.
-                    """
-            - 
-              id:    ma-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the information security aspects of the information system
-                                 maintenance program and applies to all types of maintenance to any system component
-                                 (including applications) conducted by any local or nonlocal entity (e.g.,
-                                 in-contract, warranty, in-house, software maintenance agreement). System maintenance
-                                 also includes those components not directly associated with information processing
-                                 and/or data/information retention such as scanners, copiers, and printers.
-                                 Information necessary for creating effective maintenance records includes, for
-                                 example: (i) date and time of maintenance; (ii) name of individuals or group
-                                 performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-                                 the maintenance performed; and (v) information system components/equipment removed or
-                                 replaced (including identification numbers, if applicable). The level of detail
-                                 included in maintenance records can be informed by the security categories of
-                                 organizational information systems. Organizations consider supply chain issues
-                                 associated with replacement components for information systems.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    ma-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ma-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(a)
-                  parts: 
-                    - 
-                      id:         ma-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(a)[1]
-                      prose: 
-                        """
-                          schedules maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[1][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[1][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(a)[2]
-                      prose: 
-                        """
-                          performs maintenance and repairs on information system components in accordance
-                                               with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[2][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[2][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(a)[3]
-                      prose: 
-                        """
-                          documents maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[3][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[3][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(a)[4]
-                      prose: 
-                        """
-                          reviews records of maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[4][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[4][b]
-                          prose:      organizational requirements;
-                - 
-                  id:         ma-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(b)
-                  parts: 
-                    - 
-                      id:         ma-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(b)[1]
-                      prose: 
-                        """
-                          approves all maintenance activities, whether performed on site or remotely and
-                                               whether the equipment is serviced on site or removed to another location;
-                        """
-                    - 
-                      id:         ma-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-2(b)[2]
-                      prose: 
-                        """
-                          monitors all maintenance activities, whether performed on site or remotely and
-                                               whether the equipment is serviced on site or removed to another location;
-                        """
-                - 
-                  id:         ma-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(c)
-                  parts: 
-                    - 
-                      id:         ma-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(c)[1]
-                      prose: 
-                        """
-                          defines personnel or roles required to explicitly approve the removal of the
-                                               information system or system components from organizational facilities for
-                                               off-site maintenance or repairs;
-                        """
-                    - 
-                      id:         ma-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(c)[2]
-                      prose: 
-                        """
-                          requires that organization-defined personnel or roles explicitly approve the
-                                               removal of the information system or system components from organizational
-                                               facilities for off-site maintenance or repairs;
-                        """
-                - 
-                  id:         ma-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-2(d)
-                  prose: 
-                    """
-                      sanitizes equipment to remove all information from associated media prior to
-                                        removal from organizational facilities for off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-2(e)
-                  prose: 
-                    """
-                      checks all potentially impacted security controls to verify that the controls are
-                                        still functioning properly following maintenance or repair actions;
-                    """
-                - 
-                  id:         ma-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(f)
-                  parts: 
-                    - 
-                      id:         ma-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(f)[1]
-                      prose: 
-                        """
-                          defines maintenance-related information to be included in organizational
-                                               maintenance records; and
-                        """
-                    - 
-                      id:         ma-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(f)[2]
-                      prose: 
-                        """
-                          includes organization-defined maintenance-related information in organizational
-                                               maintenance records.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for scheduling, performing, documenting, reviewing,
-                                        approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system
-                                        components
-                    """
-          controls: 
-            - 
-              id:         ma-2.2
-              class:      SP800-53-enhancement
-              title:      Automated Maintenance Activities
-              properties: 
-                - 
-                  name:  label
-                  value: MA-2(2)
-                - 
-                  name:  sort-id
-                  value: ma-02.02
-              parts: 
-                - 
-                  id:    ma-2.2_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ma-2.2_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Employs automated mechanisms to schedule, conduct, and document maintenance and
-                                               repairs; and
-                        """
-                    - 
-                      id:         ma-2.2_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Produces up-to date, accurate, and complete records of all maintenance and
-                                               repair actions requested, scheduled, in process, and completed.
-                        """
-                - 
-                  id:    ma-2.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                    - 
-                      href: #ma-3
-                      rel:  related
-                      text: MA-3
-                - 
-                  id:    ma-2.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ma-2.2.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(2)(a)
-                      prose:      employs automated mechanisms to:
-                      parts: 
-                        - 
-                          id:         ma-2.2.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(2)(a)[1]
-                          prose:      schedule maintenance and repairs;
-                        - 
-                          id:         ma-2.2.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(2)(a)[2]
-                          prose:      conduct maintenance and repairs;
-                        - 
-                          id:         ma-2.2.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(2)(a)[3]
-                          prose:      document maintenance and repairs;
-                      links: 
-                        - 
-                          href: #ma-2.2_smt.a
-                          rel:  corresp
-                          text: MA-2(2)(a)
-                    - 
-                      id:         ma-2.2.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-2(2)(b)
-                      prose: 
-                        """
-                          produces up-to-date, accurate, and complete records of all maintenance and
-                                               repair actions:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.2.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(2)(b)[1]
-                          prose:      requested;
-                        - 
-                          id:         ma-2.2.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(2)(b)[2]
-                          prose:      scheduled;
-                        - 
-                          id:         ma-2.2.b_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(2)(b)[3]
-                          prose:      in process; and
-                        - 
-                          id:         ma-2.2.b_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(2)(b)[4]
-                          prose:      completed.
-                      links: 
-                        - 
-                          href: #ma-2.2_smt.b
-                          rel:  corresp
-                          text: MA-2(2)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nautomated mechanisms supporting information system maintenance activities\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing controlled maintenance\n\nautomated mechanisms supporting and/or implementing production of records of
-                                               maintenance and repair actions
-                        """
-        - 
-          id:         ma-3
-          class:      SP800-53
-          title:      Maintenance Tools
-          properties: 
-            - 
-              name:  label
-              value: MA-3
-            - 
-              name:  sort-id
-              value: ma-03
-          links: 
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-          parts: 
-            - 
-              id:    ma-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization approves, controls, and monitors information system maintenance
-                                 tools.
-                """
-            - 
-              id:    ma-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses security-related issues associated with maintenance tools used
-                                 specifically for diagnostic and repair actions on organizational information systems.
-                                 Maintenance tools can include hardware, software, and firmware items. Maintenance
-                                 tools are potential vehicles for transporting malicious code, either intentionally or
-                                 unintentionally, into a facility and subsequently into organizational information
-                                 systems. Maintenance tools can include, for example, hardware/software diagnostic
-                                 test equipment and hardware/software packet sniffers. This control does not cover
-                                 hardware/software components that may support information system maintenance, yet are
-                                 a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,
-                                 or the hardware and software implementing the monitoring port of an Ethernet
-                                 switch.
-                """
-              links: 
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-            - 
-              id:    ma-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-3[1]
-                  prose:      approves information system maintenance tools;
-                - 
-                  id:         ma-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-3[2]
-                  prose:      controls information system maintenance tools; and
-                - 
-                  id:         ma-3_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-3[3]
-                  prose:      monitors information system maintenance tools.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for approving, controlling, and monitoring maintenance
-                                        tools\n\nautomated mechanisms supporting and/or implementing approval, control, and/or
-                                        monitoring of maintenance tools
-                    """
-          controls: 
-            - 
-              id:         ma-3.1
-              class:      SP800-53-enhancement
-              title:      Inspect Tools
-              properties: 
-                - 
-                  name:  label
-                  value: MA-3(1)
-                - 
-                  name:  sort-id
-                  value: ma-03.01
-              parts: 
-                - 
-                  id:    ma-3.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization inspects the maintenance tools carried into a facility by
-                                        maintenance personnel for improper or unauthorized modifications.
-                    """
-                - 
-                  id:    ma-3.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      If, upon inspection of maintenance tools, organizations determine that the tools
-                                        have been modified in an improper/unauthorized manner or contain malicious code,
-                                        the incident is handled consistent with organizational policies and procedures for
-                                        incident handling.
-                    """
-                  links: 
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:         ma-3.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization inspects the maintenance tools carried into a
-                                        facility by maintenance personnel for improper or unauthorized modifications. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for inspecting maintenance tools\n\nautomated mechanisms supporting and/or implementing inspection of maintenance
-                                               tools
-                        """
-            - 
-              id:         ma-3.2
-              class:      SP800-53-enhancement
-              title:      Inspect Media
-              properties: 
-                - 
-                  name:  label
-                  value: MA-3(2)
-                - 
-                  name:  sort-id
-                  value: ma-03.02
-              parts: 
-                - 
-                  id:    ma-3.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization checks media containing diagnostic and test programs for
-                                        malicious code before the media are used in the information system.
-                    """
-                - 
-                  id:    ma-3.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      If, upon inspection of media containing maintenance diagnostic and test programs,
-                                        organizations determine that the media contain malicious code, the incident is
-                                        handled consistent with organizational incident handling policies and
-                                        procedures.
-                    """
-                  links: 
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                - 
-                  id:         ma-3.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization checks media containing diagnostic and test programs
-                                        for malicious code before the media are used in the information system. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for inspecting media for malicious code\n\nautomated mechanisms supporting and/or implementing inspection of media used
-                                               for maintenance
-                        """
-            - 
-              id:         ma-3.3
-              class:      SP800-53-enhancement
-              title:      Prevent Unauthorized Removal
-              parameters: 
-                - 
-                  id:          ma-3.3_prm_1
-                  label:       organization-defined personnel or roles
-                  constraints: 
-                    - 
-                      detail: the information owner explicitly authorizing removal of the equipment from the facility
-              properties: 
-                - 
-                  name:  label
-                  value: MA-3(3)
-                - 
-                  name:  sort-id
-                  value: ma-03.03
-              parts: 
-                - 
-                  id:    ma-3.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization prevents the unauthorized removal of maintenance equipment
-                                        containing organizational information by:
-                    """
-                  parts: 
-                    - 
-                      id:         ma-3.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Verifying that there is no organizational information contained on the
-                                               equipment;
-                        """
-                    - 
-                      id:         ma-3.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Sanitizing or destroying the equipment;
-                    - 
-                      id:         ma-3.3_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Retaining the equipment within the facility; or
-                    - 
-                      id:         ma-3.3_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose: 
-                        """
-                          Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly
-                                               authorizing removal of the equipment from the facility.
-                        """
-                - 
-                  id:    ma-3.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational information includes all information specifically owned by
-                                        organizations and information provided to organizations in which organizations
-                                        serve as information stewards.
-                    """
-                - 
-                  id:         ma-3.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization prevents the unauthorized removal of maintenance
-                                        equipment containing organizational information by: 
-                    """
-                  parts: 
-                    - 
-                      id:         ma-3.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-3(3)(a)
-                      prose: 
-                        """
-                          verifying that there is no organizational information contained on the
-                                               equipment;
-                        """
-                      links: 
-                        - 
-                          href: #ma-3.3_smt.a
-                          rel:  corresp
-                          text: MA-3(3)(a)
-                    - 
-                      id:         ma-3.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-3(3)(b)
-                      prose:      sanitizing or destroying the equipment;
-                      links: 
-                        - 
-                          href: #ma-3.3_smt.b
-                          rel:  corresp
-                          text: MA-3(3)(b)
-                    - 
-                      id:         ma-3.3.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-3(3)(c)
-                      prose:      retaining the equipment within the facility; or
-                      links: 
-                        - 
-                          href: #ma-3.3_smt.c
-                          rel:  corresp
-                          text: MA-3(3)(c)
-                    - 
-                      id:         ma-3.3.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-3(3)(d)
-                      parts: 
-                        - 
-                          id:         ma-3.3.d_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-3(3)(d)[1]
-                          prose: 
-                            """
-                              defining personnel or roles that can grant an exemption from explicitly
-                                                      authorizing removal of the equipment from the facility; and
-                            """
-                        - 
-                          id:         ma-3.3.d_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-3(3)(d)[2]
-                          prose: 
-                            """
-                              obtaining an exemption from organization-defined personnel or roles
-                                                      explicitly authorizing removal of the equipment from the facility.
-                            """
-                      links: 
-                        - 
-                          href: #ma-3.3_smt.d
-                          rel:  corresp
-                          text: MA-3(3)(d)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for preventing unauthorized removal of information\n\nautomated mechanisms supporting media sanitization or destruction of
-                                               equipment\n\nautomated mechanisms supporting verification of media sanitization
-                        """
-        - 
-          id:         ma-4
-          class:      SP800-53
-          title:      Nonlocal Maintenance
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MA-4
-            - 
-              name:  sort-id
-              value: ma-04
-          links: 
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #f2dbd4ec-c413-4714-b85b-6b7184d1c195
-              rel:  reference
-              text: FIPS Publication 197
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-            - 
-              href: #a4aa9645-9a8a-4b51-90a9-e223250f9a75
-              rel:  reference
-              text: CNSS Policy 15
-          parts: 
-            - 
-              id:    ma-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Approves and monitors nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                                        with organizational policy and documented in the security plan for the information
-                                        system;
-                    """
-                - 
-                  id:         ma-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Employs strong authenticators in the establishment of nonlocal maintenance and
-                                        diagnostic sessions;
-                    """
-                - 
-                  id:         ma-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Maintains records for nonlocal maintenance and diagnostic activities; and
-                - 
-                  id:         ma-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Terminates session and network connections when nonlocal maintenance is
-                                        completed.
-                    """
-            - 
-              id:    ma-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Nonlocal maintenance and diagnostic activities are those activities conducted by
-                                 individuals communicating through a network, either an external network (e.g., the
-                                 Internet) or an internal network. Local maintenance and diagnostic activities are
-                                 those activities carried out by individuals physically present at the information
-                                 system or information system component and not communicating across a network
-                                 connection. Authentication techniques used in the establishment of nonlocal
-                                 maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-                                 Typically, strong authentication requires authenticators that are resistant to replay
-                                 attacks and employ multifactor authentication. Strong authenticators include, for
-                                 example, PKI where certificates are stored on a token protected by a password,
-                                 passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-                                 other controls.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-            - 
-              id:    ma-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(a)
-                  parts: 
-                    - 
-                      id:         ma-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-4(a)[1]
-                      prose:      approves nonlocal maintenance and diagnostic activities;
-                    - 
-                      id:         ma-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(a)[2]
-                      prose:      monitors nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-4(b)
-                  prose:      allows the use of nonlocal maintenance and diagnostic tools only:
-                  parts: 
-                    - 
-                      id:         ma-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(b)[1]
-                      prose:      as consistent with organizational policy;
-                    - 
-                      id:         ma-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(b)[2]
-                      prose:      as documented in the security plan for the information system;
-                - 
-                  id:         ma-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-4(c)
-                  prose: 
-                    """
-                      employs strong authenticators in the establishment of nonlocal maintenance and
-                                        diagnostic sessions;
-                    """
-                - 
-                  id:         ma-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-4(d)
-                  prose:      maintains records for nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(e)
-                  parts: 
-                    - 
-                      id:         ma-4.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(e)[1]
-                      prose: 
-                        """
-                          terminates sessions when nonlocal maintenance or diagnostics is completed;
-                                               and
-                        """
-                    - 
-                      id:         ma-4.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(e)[2]
-                      prose: 
-                        """
-                          terminates network connections when nonlocal maintenance or diagnostics is
-                                               completed.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and/or managing nonlocal
-                                        maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                                        sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network
-                                        connections
-                    """
-          controls: 
-            - 
-              id:         ma-4.2
-              class:      SP800-53-enhancement
-              title:      Document Nonlocal Maintenance
-              properties: 
-                - 
-                  name:  label
-                  value: MA-4(2)
-                - 
-                  name:  sort-id
-                  value: ma-04.02
-              parts: 
-                - 
-                  id:    ma-4.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization documents in the security plan for the information system, the
-                                        policies and procedures for the establishment and use of nonlocal maintenance and
-                                        diagnostic connections.
-                    """
-                - 
-                  id:    ma-4.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization documents in the security plan for the information
-                                        system: 
-                    """
-                  parts: 
-                    - 
-                      id:         ma-4.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-4(2)[1]
-                      prose: 
-                        """
-                          the policies for the establishment and use of nonlocal maintenance and
-                                               diagnostic connections; and
-                        """
-                    - 
-                      id:         ma-4.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-4(2)[2]
-                      prose: 
-                        """
-                          the procedures for the establishment and use of nonlocal maintenance and
-                                               diagnostic connections.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing non-local information system maintenance\n\nsecurity plan\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         ma-4.3
-              class:      SP800-53-enhancement
-              title:      Comparable Security / Sanitization
-              properties: 
-                - 
-                  name:  label
-                  value: MA-4(3)
-                - 
-                  name:  sort-id
-                  value: ma-04.03
-              parts: 
-                - 
-                  id:    ma-4.3_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ma-4.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Requires that nonlocal maintenance and diagnostic services be performed from an
-                                               information system that implements a security capability comparable to the
-                                               capability implemented on the system being serviced; or
-                        """
-                    - 
-                      id:         ma-4.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Removes the component to be serviced from the information system prior to
-                                               nonlocal maintenance or diagnostic services, sanitizes the component (with
-                                               regard to organizational information) before removal from organizational
-                                               facilities, and after the service is performed, inspects and sanitizes the
-                                               component (with regard to potentially malicious software) before reconnecting
-                                               the component to the information system.
-                        """
-                - 
-                  id:    ma-4.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Comparable security capability on information systems, diagnostic tools, and
-                                        equipment providing maintenance services implies that the implemented security
-                                        controls on those systems, tools, and equipment are at least as comprehensive as
-                                        the controls on the information system being serviced.
-                    """
-                  links: 
-                    - 
-                      href: #ma-3
-                      rel:  related
-                      text: MA-3
-                    - 
-                      href: #sa-12
-                      rel:  related
-                      text: SA-12
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:    ma-4.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ma-4.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-4(3)(a)
-                      prose: 
-                        """
-                          requires that nonlocal maintenance and diagnostic services be performed from an
-                                               information system that implements a security capability comparable to the
-                                               capability implemented on the system being serviced; or
-                        """
-                      links: 
-                        - 
-                          href: #ma-4.3_smt.a
-                          rel:  corresp
-                          text: MA-4(3)(a)
-                    - 
-                      id:         ma-4.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(3)(b)
-                      parts: 
-                        - 
-                          id:         ma-4.3.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-4(3)(b)[1]
-                          prose:      removes the component to be serviced from the information system;
-                        - 
-                          id:         ma-4.3.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-4(3)(b)[2]
-                          prose: 
-                            """
-                              sanitizes the component (with regard to organizational information) prior to
-                                                      nonlocal maintenance or diagnostic services and/or before removal from
-                                                      organizational facilities; and
-                            """
-                        - 
-                          id:         ma-4.3.b_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-4(3)(b)[3]
-                          prose: 
-                            """
-                              inspects and sanitizes the component (with regard to potentially malicious
-                                                      software) after service is performed on the component and before
-                                                      reconnecting the component to the information system.
-                            """
-                      links: 
-                        - 
-                          href: #ma-4.3_smt.b
-                          rel:  corresp
-                          text: MA-4(3)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nservice provider contracts and/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\ninformation system maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for comparable security and sanitization for nonlocal
-                                               maintenance\n\norganizational processes for removal, sanitization, and inspection of
-                                               components serviced via nonlocal maintenance\n\nautomated mechanisms supporting and/or implementing component sanitization and
-                                               inspection
-                        """
-            - 
-              id:         ma-4.6
-              class:      SP800-53-enhancement
-              title:      Cryptographic Protection
-              properties: 
-                - 
-                  name:  label
-                  value: MA-4(6)
-                - 
-                  name:  sort-id
-                  value: ma-04.06
-              parts: 
-                - 
-                  id:    ma-4.6_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to protect the
-                                        integrity and confidentiality of nonlocal maintenance and diagnostic
-                                        communications.
-                    """
-                - 
-                  id:    ma-4.6_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #sc-8
-                      rel:  related
-                      text: SC-8
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:         ma-4.6_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements cryptographic mechanisms to protect
-                                        the integrity and confidentiality of nonlocal maintenance and diagnostic
-                                        communications. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing non-local information system maintenance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms protecting nonlocal maintenance activities\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms protecting nonlocal maintenance and diagnostic
-                                               communications
-                        """
-        - 
-          id:         ma-5
-          class:      SP800-53
-          title:      Maintenance Personnel
-          properties: 
-            - 
-              name:  label
-              value: MA-5
-            - 
-              name:  sort-id
-              value: ma-05
-          parts: 
-            - 
-              id:    ma-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes a process for maintenance personnel authorization and maintains a list
-                                        of authorized maintenance organizations or personnel;
-                    """
-                - 
-                  id:         ma-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that non-escorted personnel performing maintenance on the information
-                                        system have required access authorizations; and
-                    """
-                - 
-                  id:         ma-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Designates organizational personnel with required access authorizations and
-                                        technical competence to supervise the maintenance activities of personnel who do
-                                        not possess the required access authorizations.
-                    """
-            - 
-              id:    ma-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to individuals performing hardware or software maintenance on
-                                 organizational information systems, while PE-2 addresses physical access for
-                                 individuals whose maintenance duties place them within the physical protection
-                                 perimeter of the systems (e.g., custodial staff, physical plant maintenance
-                                 personnel). Technical competence of supervising individuals relates to the
-                                 maintenance performed on the information systems while having required access
-                                 authorizations refers to maintenance on and near the systems. Individuals not
-                                 previously identified as authorized maintenance personnel, such as information
-                                 technology manufacturers, vendors, systems integrators, and consultants, may require
-                                 privileged access to organizational information systems, for example, when required
-                                 to conduct maintenance activities with little or no notice. Based on organizational
-                                 assessments of risk, organizations may issue temporary credentials to these
-                                 individuals. Temporary credentials may be for one-time use or for very limited time
-                                 periods.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    ma-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-5(a)
-                  parts: 
-                    - 
-                      id:         ma-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-5(a)[1]
-                      prose:      establishes a process for maintenance personnel authorization;
-                    - 
-                      id:         ma-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-5(a)[2]
-                      prose:      maintains a list of authorized maintenance organizations or personnel;
-                - 
-                  id:         ma-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-5(b)
-                  prose: 
-                    """
-                      ensures that non-escorted personnel performing maintenance on the information
-                                        system have required access authorizations; and
-                    """
-                - 
-                  id:         ma-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-5(c)
-                  prose: 
-                    """
-                      designates organizational personnel with required access authorizations and
-                                        technical competence to supervise the maintenance activities of personnel who do
-                                        not possess the required access authorizations.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and/or implementing authorization of maintenance
-                                        personnel
-                    """
-          controls: 
-            - 
-              id:         ma-5.1
-              class:      SP800-53-enhancement
-              title:      Individuals Without Appropriate Access
-              properties: 
-                - 
-                  name:  label
-                  value: MA-5(1)
-                - 
-                  name:  sort-id
-                  value: ma-05.01
-              parts: 
-                - 
-                  id:    ma-5.1_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ma-5.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Implements procedures for the use of maintenance personnel that lack
-                                               appropriate security clearances or are not U.S. citizens, that include the
-                                               following requirements:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-5.1_smt.a.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: (1)
-                          prose: 
-                            """
-                              Maintenance personnel who do not have needed access authorizations,
-                                                      clearances, or formal access approvals are escorted and supervised during
-                                                      the performance of maintenance and diagnostic activities on the information
-                                                      system by approved organizational personnel who are fully cleared, have
-                                                      appropriate access authorizations, and are technically qualified;
-                            """
-                        - 
-                          id:         ma-5.1_smt.a.2
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: (2)
-                          prose: 
-                            """
-                              Prior to initiating maintenance or diagnostic activities by personnel who do
-                                                      not have needed access authorizations, clearances or formal access
-                                                      approvals, all volatile information storage components within the
-                                                      information system are sanitized and all nonvolatile storage media are
-                                                      removed or physically disconnected from the system and secured; and
-                            """
-                    - 
-                      id:         ma-5.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Develops and implements alternate security safeguards in the event an
-                                               information system component cannot be sanitized, removed, or disconnected from
-                                               the system.
-                        """
-                - 
-                  id:    ma-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement denies individuals who lack appropriate security
-                                        clearances (i.e., individuals who do not possess security clearances or possess
-                                        security clearances at a lower level than required) or who are not U.S. citizens,
-                                        visual and electronic access to any classified information, Controlled
-                                        Unclassified Information (CUI), or any other sensitive information contained on
-                                        organizational information systems. Procedures for the use of maintenance
-                                        personnel can be documented in security plans for the information systems.
-                    """
-                  links: 
-                    - 
-                      href: #mp-6
-                      rel:  related
-                      text: MP-6
-                    - 
-                      href: #pl-2
-                      rel:  related
-                      text: PL-2
-                - 
-                  id:    ma-5.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ma-5.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-5(1)(a)
-                      prose: 
-                        """
-                          implements procedures for the use of maintenance personnel that lack
-                                               appropriate security clearances or are not U.S. citizens, that include the
-                                               following requirements:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-5.1.a.1_obj
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: MA-5(1)(a)(1)
-                          prose: 
-                            """
-                              maintenance personnel who do not have needed access authorizations,
-                                                      clearances, or formal access approvals are escorted and supervised during
-                                                      the performance of maintenance and diagnostic activities on the information
-                                                      system by approved organizational personnel who:
-                            """
-                          parts: 
-                            - 
-                              id:         ma-5.1.a.1_obj.1
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(1)[1]
-                              prose:      are fully cleared;
-                            - 
-                              id:         ma-5.1.a.1_obj.2
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(1)[2]
-                              prose:      have appropriate access authorizations;
-                            - 
-                              id:         ma-5.1.a.1_obj.3
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(1)[3]
-                              prose:      are technically qualified;
-                          links: 
-                            - 
-                              href: #ma-5.1_smt.a.1
-                              rel:  corresp
-                              text: MA-5(1)(a)(1)
-                        - 
-                          id:         ma-5.1.a.2_obj
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: MA-5(1)(a)(2)
-                          prose: 
-                            """
-                              prior to initiating maintenance or diagnostic activities by personnel who do
-                                                      not have needed access authorizations, clearances, or formal access
-                                                      approvals:
-                            """
-                          parts: 
-                            - 
-                              id:         ma-5.1.a.2_obj.1
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(2)[1]
-                              prose: 
-                                """
-                                  all volatile information storage components within the information system
-                                                             are sanitized; and
-                                """
-                            - 
-                              id:         ma-5.1.a.2_obj.2
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(2)[2]
-                              prose:      all nonvolatile storage media are removed; or
-                            - 
-                              id:         ma-5.1.a.2_obj.3
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(2)[3]
-                              prose: 
-                                """
-                                  all nonvolatile storage media are physically disconnected from the system
-                                                             and secured; and
-                                """
-                          links: 
-                            - 
-                              href: #ma-5.1_smt.a.2
-                              rel:  corresp
-                              text: MA-5(1)(a)(2)
-                      links: 
-                        - 
-                          href: #ma-5.1_smt.a
-                          rel:  corresp
-                          text: MA-5(1)(a)
-                    - 
-                      id:         ma-5.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-5(1)(b)
-                      prose: 
-                        """
-                          develops and implements alternative security safeguards in the event an
-                                               information system component cannot be sanitized, removed, or disconnected from
-                                               the system.
-                        """
-                      links: 
-                        - 
-                          href: #ma-5.1_smt.b
-                          rel:  corresp
-                          text: MA-5(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\ninformation system media protection policy\n\nphysical and environmental protection policy\n\nsecurity plan\n\nlist of maintenance personnel requiring escort/supervision\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing maintenance personnel without appropriate
-                                               access\n\nautomated mechanisms supporting and/or implementing alternative security
-                                               safeguards\n\nautomated mechanisms supporting and/or implementing information storage
-                                               component sanitization
-                        """
-        - 
-          id:         ma-6
-          class:      SP800-53
-          title:      Timely Maintenance
-          parameters: 
-            - 
-              id:    ma-6_prm_1
-              label: organization-defined information system components
-            - 
-              id:    ma-6_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: MA-6
-            - 
-              name:  sort-id
-              value: ma-06
-          parts: 
-            - 
-              id:    ma-6_smt
-              name:  statement
-              prose: The organization obtains maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure.
-            - 
-              id:    ma-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations specify the information system components that result in increased risk
-                                 to organizational operations and assets, individuals, other organizations, or the
-                                 Nation when the functionality provided by those components is not operational.
-                                 Organizational actions to obtain maintenance support typically include having
-                                 appropriate contracts in place.
-                """
-              links: 
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #sa-14
-                  rel:  related
-                  text: SA-14
-                - 
-                  href: #sa-15
-                  rel:  related
-                  text: SA-15
-            - 
-              id:    ma-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-6_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-6[1]
-                  prose: 
-                    """
-                      defines information system components for which maintenance support and/or spare
-                                        parts are to be obtained;
-                    """
-                - 
-                  id:         ma-6_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-6[2]
-                  prose: 
-                    """
-                      defines the time period within which maintenance support and/or spare parts are to
-                                        be obtained after a failure;
-                    """
-                - 
-                  id:         ma-6_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-6[3]
-                  parts: 
-                    - 
-                      id:         ma-6_obj.3.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-6[3][a]
-                      prose: 
-                        """
-                          obtains maintenance support for organization-defined information system
-                                               components within the organization-defined time period of failure; and/or
-                        """
-                    - 
-                      id:         ma-6_obj.3.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-6[3][b]
-                      prose: 
-                        """
-                          obtains spare parts for organization-defined information system components
-                                               within the organization-defined time period of failure.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing information system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for ensuring timely maintenance
-    - 
-      id:       mp
-      class:    family
-      title:    Media Protection
-      controls: 
-        - 
-          id:         mp-1
-          class:      SP800-53
-          title:      Media Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    mp-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          mp-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          mp-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MP-1
-            - 
-              name:  sort-id
-              value: mp-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    mp-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ mp-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         mp-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A media protection policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         mp-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the media protection policy and
-                                               associated media protection controls; and
-                        """
-                - 
-                  id:         mp-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         mp-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Media protection policy {{ mp-1_prm_2 }}; and
-                    - 
-                      id:         mp-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Media protection procedures {{ mp-1_prm_3 }}.
-            - 
-              id:    mp-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the MP
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    mp-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         mp-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-1(a)
-                  parts: 
-                    - 
-                      id:         mp-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(a)(1)
-                      parts: 
-                        - 
-                          id:         mp-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[1]
-                          prose:      develops and documents a media protection policy that addresses:
-                          parts: 
-                            - 
-                              id:         mp-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         mp-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         mp-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         mp-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         mp-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         mp-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         mp-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         mp-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the media protection policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         mp-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the media protection policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         mp-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(a)(2)
-                      parts: 
-                        - 
-                          id:         mp-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      media protection policy and associated media protection controls;
-                            """
-                        - 
-                          id:         mp-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         mp-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         mp-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-1(b)
-                  parts: 
-                    - 
-                      id:         mp-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(b)(1)
-                      parts: 
-                        - 
-                          id:         mp-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current media protection
-                                                      policy;
-                            """
-                        - 
-                          id:         mp-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current media protection policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         mp-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(b)(2)
-                      parts: 
-                        - 
-                          id:         mp-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current media protection
-                                                      procedures; and
-                            """
-                        - 
-                          id:         mp-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current media protection procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Media protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         mp-2
-          class:      SP800-53
-          title:      Media Access
-          parameters: 
-            - 
-              id:          mp-2_prm_1
-              label:       organization-defined types of digital and/or non-digital media
-              constraints: 
-                - 
-                  detail: any digital and non-digital media deemed sensitive
-            - 
-              id:    mp-2_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: MP-2
-            - 
-              name:  sort-id
-              value: mp-02
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-2_smt
-              name:  statement
-              prose: The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}.
-            - 
-              id:    mp-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. Restricting non-digital media access
-                                 includes, for example, denying access to patient medical records in a community
-                                 hospital unless the individuals seeking access to such records are authorized
-                                 healthcare providers. Restricting access to digital media includes, for example,
-                                 limiting access to design specifications stored on compact disks in the media library
-                                 to the project leader and the individuals on the development team.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-            - 
-              id:    mp-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-2_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-2[1]
-                  prose:      defines types of digital and/or non-digital media requiring restricted access;
-                - 
-                  id:         mp-2_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-2[2]
-                  prose: 
-                    """
-                      defines personnel or roles authorized to access organization-defined types of
-                                        digital and/or non-digital media; and
-                    """
-                - 
-                  id:         mp-2_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-2[3]
-                  prose: 
-                    """
-                      restricts access to organization-defined types of digital and/or non-digital media
-                                        to organization-defined personnel or roles.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for restricting information media\n\nautomated mechanisms supporting and/or implementing media access restrictions
-        - 
-          id:         mp-3
-          class:      SP800-53
-          title:      Media Marking
-          parameters: 
-            - 
-              id:          mp-3_prm_1
-              label:       organization-defined types of information system media
-              constraints: 
-                - 
-                  detail: no removable media types
-            - 
-              id:          mp-3_prm_2
-              label:       organization-defined controlled areas
-              constraints: 
-                - 
-                  detail: organization-defined security safeguards not applicable
-          properties: 
-            - 
-              name:  label
-              value: MP-3
-            - 
-              name:  sort-id
-              value: mp-03
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-          parts: 
-            - 
-              id:    mp-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Marks information system media indicating the distribution limitations, handling
-                                        caveats, and applicable security markings (if any) of the information; and
-                    """
-                - 
-                  id:         mp-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Exempts {{ mp-3_prm_1 }} from marking as long as the media remain
-                                        within {{ mp-3_prm_2 }}.
-                    """
-                - 
-                  id:    mp-3_fr
-                  name:  item
-                  title: MP-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         mp-3_fr_gdn.b
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b) Guidance:
-                      prose:      Second parameter not-applicable
-            - 
-              id:    mp-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  The term security marking refers to the application/use of human-readable security
-                                 attributes. The term security labeling refers to the application/use of security
-                                 attributes with regard to internal data structures within information systems (see
-                                 AC-16). Information system media includes both digital and non-digital media. Digital
-                                 media includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. Security marking is generally not
-                                 required for media containing information determined by organizations to be in the
-                                 public domain or to be publicly releasable. However, some organizations may require
-                                 markings for public information indicating that the information is publicly
-                                 releasable. Marking of information system media reflects applicable federal laws,
-                                 Executive Orders, directives, policies, regulations, standards, and guidance.
-                """
-              links: 
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    mp-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-3(a)
-                  prose:      marks information system media indicating the:
-                  parts: 
-                    - 
-                      id:         mp-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-3(a)[1]
-                      prose:      distribution limitations of the information;
-                    - 
-                      id:         mp-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-3(a)[2]
-                      prose:      handling caveats of the information;
-                    - 
-                      id:         mp-3.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-3(a)[3]
-                      prose:      applicable security markings (if any) of the information;
-                - 
-                  id:         mp-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-3(b)
-                  parts: 
-                    - 
-                      id:         mp-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-3(b)[1]
-                      prose: 
-                        """
-                          defines types of information system media to be exempted from marking as long
-                                               as the media remain in designated controlled areas;
-                        """
-                    - 
-                      id:         mp-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-3(b)[2]
-                      prose: 
-                        """
-                          defines controlled areas where organization-defined types of information system
-                                               media exempt from marking are to be retained; and
-                        """
-                    - 
-                      id:         mp-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-3(b)[3]
-                      prose: 
-                        """
-                          exempts organization-defined types of information system media from marking as
-                                               long as the media remain within organization-defined controlled areas.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nsecurity plan\n\nlist of information system media marking security attributes\n\ndesignated controlled areas\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection and marking
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for marking information media\n\nautomated mechanisms supporting and/or implementing media marking
-        - 
-          id:         mp-4
-          class:      SP800-53
-          title:      Media Storage
-          parameters: 
-            - 
-              id:          mp-4_prm_1
-              label:       organization-defined types of digital and/or non-digital media
-              constraints: 
-                - 
-                  detail: all types of digital and non-digital media with sensitive information
-            - 
-              id:          mp-4_prm_2
-              label:       organization-defined controlled areas
-              constraints: 
-                - 
-                  detail: see additional FedRAMP requirements and guidance
-          properties: 
-            - 
-              name:  label
-              value: MP-4
-            - 
-              name:  sort-id
-              value: mp-04
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #81f09e01-d0b0-4ae2-aa6a-064ed9950070
-              rel:  reference
-              text: NIST Special Publication 800-56
-            - 
-              href: #a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-              rel:  reference
-              text: NIST Special Publication 800-57
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Physically controls and securely stores {{ mp-4_prm_1 }} within
-                                           {{ mp-4_prm_2 }}; and
-                    """
-                - 
-                  id:         mp-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Protects information system media until the media are destroyed or sanitized using
-                                        approved equipment, techniques, and procedures.
-                    """
-                - 
-                  id:    mp-4_fr
-                  name:  item
-                  title: MP-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         mp-4_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider defines controlled areas within facilities where the information and information system reside.
-            - 
-              id:    mp-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. Physically controlling information system
-                                 media includes, for example, conducting inventories, ensuring procedures are in place
-                                 to allow individuals to check out and return media to the media library, and
-                                 maintaining accountability for all stored media. Secure storage includes, for
-                                 example, a locked drawer, desk, or cabinet, or a controlled media library. The type
-                                 of media storage is commensurate with the security category and/or classification of
-                                 the information residing on the media. Controlled areas are areas for which
-                                 organizations provide sufficient physical and procedural safeguards to meet the
-                                 requirements established for protecting information and/or information systems. For
-                                 media containing information determined by organizations to be in the public domain,
-                                 to be publicly releasable, or to have limited or no adverse impact on organizations
-                                 or individuals if accessed by other than authorized personnel, fewer safeguards may
-                                 be needed. In these situations, physical access controls provide adequate
-                                 protection.
-                """
-              links: 
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-7
-                  rel:  related
-                  text: MP-7
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-            - 
-              id:    mp-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-4(a)
-                  parts: 
-                    - 
-                      id:         mp-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-4(a)[1]
-                      prose: 
-                        """
-                          defines types of digital and/or non-digital media to be physically controlled
-                                               and securely stored within designated controlled areas;
-                        """
-                    - 
-                      id:         mp-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-4(a)[2]
-                      prose: 
-                        """
-                          defines controlled areas designated to physically control and securely store
-                                               organization-defined types of digital and/or non-digital media;
-                        """
-                    - 
-                      id:         mp-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-4(a)[3]
-                      prose: 
-                        """
-                          physically controls organization-defined types of digital and/or non-digital
-                                               media within organization-defined controlled areas;
-                        """
-                    - 
-                      id:         mp-4.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-4(a)[4]
-                      prose: 
-                        """
-                          securely stores organization-defined types of digital and/or non-digital media
-                                               within organization-defined controlled areas; and
-                        """
-                - 
-                  id:         mp-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-4(b)
-                  prose: 
-                    """
-                      protects information system media until the media are destroyed or sanitized using
-                                        approved equipment, techniques, and procedures.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection and storage
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for storing information media\n\nautomated mechanisms supporting and/or implementing secure media storage/media
-                                        protection
-                    """
-        - 
-          id:         mp-5
-          class:      SP800-53
-          title:      Media Transport
-          parameters: 
-            - 
-              id:          mp-5_prm_1
-              label:       organization-defined types of information system media
-              constraints: 
-                - 
-                  detail: all media with sensitive information
-            - 
-              id:          mp-5_prm_2
-              label:       organization-defined security safeguards
-              constraints: 
-                - 
-                  detail: prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container
-          properties: 
-            - 
-              name:  label
-              value: MP-5
-            - 
-              name:  sort-id
-              value: mp-05
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-          parts: 
-            - 
-              id:    mp-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Protects and controls {{ mp-5_prm_1 }} during transport outside of
-                                        controlled areas using {{ mp-5_prm_2 }};
-                    """
-                - 
-                  id:         mp-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Maintains accountability for information system media during transport outside of
-                                        controlled areas;
-                    """
-                - 
-                  id:         mp-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Documents activities associated with the transport of information system media;
-                                        and
-                    """
-                - 
-                  id:         mp-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Restricts the activities associated with the transport of information system media
-                                        to authorized personnel.
-                    """
-                - 
-                  id:    mp-5_fr
-                  name:  item
-                  title: MP-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         mp-5_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB.
-            - 
-              id:    mp-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. This control also applies to mobile
-                                 devices with information storage capability (e.g., smart phones, tablets, E-readers),
-                                 that are transported outside of controlled areas. Controlled areas are areas or
-                                 spaces for which organizations provide sufficient physical and/or procedural
-                                 safeguards to meet the requirements established for protecting information and/or
-                                 information systems. Physical and technical safeguards for media are commensurate
-                                 with the security category or classification of the information residing on the
-                                 media. Safeguards to protect media during transport include, for example, locked
-                                 containers and cryptography. Cryptographic mechanisms can provide confidentiality and
-                                 integrity protections depending upon the mechanisms used. Activities associated with
-                                 transport include the actual transport as well as those activities such as releasing
-                                 media for transport and ensuring that media enters the appropriate transport
-                                 processes. For the actual transport, authorized transport and courier personnel may
-                                 include individuals from outside the organization (e.g., U.S. Postal Service or a
-                                 commercial transport or delivery service). Maintaining accountability of media during
-                                 transport includes, for example, restricting transport activities to authorized
-                                 personnel, and tracking and/or obtaining explicit records of transport activities as
-                                 the media moves through the transportation system to prevent and detect loss,
-                                 destruction, or tampering. Organizations establish documentation requirements for
-                                 activities associated with the transport of information system media in accordance
-                                 with organizational assessments of risk to include the flexibility to define
-                                 different record-keeping methods for the different types of media transport as part
-                                 of an overall system of transport-related records.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #mp-3
-                  rel:  related
-                  text: MP-3
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-            - 
-              id:    mp-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-5(a)
-                  parts: 
-                    - 
-                      id:         mp-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-5(a)[1]
-                      prose: 
-                        """
-                          defines types of information system media to be protected and controlled during
-                                               transport outside of controlled areas;
-                        """
-                    - 
-                      id:         mp-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-5(a)[2]
-                      prose: 
-                        """
-                          defines security safeguards to protect and control organization-defined
-                                               information system media during transport outside of controlled areas;
-                        """
-                    - 
-                      id:         mp-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-5(a)[3]
-                      prose: 
-                        """
-                          protects and controls organization-defined information system media during
-                                               transport outside of controlled areas using organization-defined security
-                                               safeguards;
-                        """
-                - 
-                  id:         mp-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-5(b)
-                  prose: 
-                    """
-                      maintains accountability for information system media during transport outside of
-                                        controlled areas;
-                    """
-                - 
-                  id:         mp-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-5(c)
-                  prose: 
-                    """
-                      documents activities associated with the transport of information system media;
-                                        and
-                    """
-                - 
-                  id:         mp-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-5(d)
-                  prose: 
-                    """
-                      restricts the activities associated with transport of information system media to
-                                        authorized personnel.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection and storage
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for storing information media\n\nautomated mechanisms supporting and/or implementing media storage/media
-                                        protection
-                    """
-          controls: 
-            - 
-              id:         mp-5.4
-              class:      SP800-53-enhancement
-              title:      Cryptographic Protection
-              properties: 
-                - 
-                  name:  label
-                  value: MP-5(4)
-                - 
-                  name:  sort-id
-                  value: mp-05.04
-              parts: 
-                - 
-                  id:    mp-5.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to protect the
-                                        confidentiality and integrity of information stored on digital media during
-                                        transport outside of controlled areas.
-                    """
-                - 
-                  id:    mp-5.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to both portable storage devices (e.g., USB
-                                        memory sticks, compact disks, digital video disks, external/removable hard disk
-                                        drives) and mobile devices with storage capability (e.g., smart phones, tablets,
-                                        E-readers).
-                    """
-                  links: 
-                    - 
-                      href: #mp-2
-                      rel:  related
-                      text: MP-2
-                - 
-                  id:         mp-5.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs cryptographic mechanisms to protect the
-                                        confidentiality and integrity of information stored on digital media during
-                                        transport outside of controlled areas. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system media protection policy\n\nprocedures addressing media transport\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system media transport records\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system media transport
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms protecting information on digital media during
-                                               transportation outside controlled areas
-                        """
-        - 
-          id:         mp-6
-          class:      SP800-53
-          title:      Media Sanitization
-          parameters: 
-            - 
-              id:    mp-6_prm_1
-              label: organization-defined information system media
-            - 
-              id:          mp-6_prm_2
-              label:       organization-defined sanitization techniques and procedures
-              constraints: 
-                - 
-                  detail: techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations
-          properties: 
-            - 
-              name:  label
-              value: MP-6
-            - 
-              name:  sort-id
-              value: mp-06
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-            - 
-              href: #a47466c4-c837-4f06-a39f-e68412a5f73d
-              rel:  reference
-              text: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-          parts: 
-            - 
-              id:    mp-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of
-                                        organizational control, or release for reuse using {{ mp-6_prm_2 }}
-                                        in accordance with applicable federal and organizational standards and policies;
-                                        and
-                    """
-                - 
-                  id:         mp-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs sanitization mechanisms with the strength and integrity commensurate with
-                                        the security category or classification of the information.
-                    """
-            - 
-              id:    mp-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to all information system media, both digital and non-digital,
-                                 subject to disposal or reuse, whether or not the media is considered removable.
-                                 Examples include media found in scanners, copiers, printers, notebook computers,
-                                 workstations, network components, and mobile devices. The sanitization process
-                                 removes information from the media such that the information cannot be retrieved or
-                                 reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-                                 erase, and destruction, prevent the disclosure of information to unauthorized
-                                 individuals when such media is reused or released for disposal. Organizations
-                                 determine the appropriate sanitization methods recognizing that destruction is
-                                 sometimes necessary when other methods cannot be applied to media requiring
-                                 sanitization. Organizations use discretion on the employment of approved sanitization
-                                 techniques and procedures for media containing information deemed to be in the public
-                                 domain or publicly releasable, or deemed to have no adverse impact on organizations
-                                 or individuals if released for reuse or disposal. Sanitization of non-digital media
-                                 includes, for example, removing a classified appendix from an otherwise unclassified
-                                 document, or redacting selected sections or words from a document by obscuring the
-                                 redacted sections/words in a manner equivalent in effectiveness to removing them from
-                                 the document. NSA standards and policies control the sanitization process for media
-                                 containing classified information.
-                """
-              links: 
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-4
-                  rel:  related
-                  text: SC-4
-            - 
-              id:    mp-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-6(a)
-                  parts: 
-                    - 
-                      id:         mp-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(a)[1]
-                      prose:      defines information system media to be sanitized prior to:
-                      parts: 
-                        - 
-                          id:         mp-6.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][a]
-                          prose:      disposal;
-                        - 
-                          id:         mp-6.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][b]
-                          prose:      release out of organizational control; or
-                        - 
-                          id:         mp-6.a_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][c]
-                          prose:      release for reuse;
-                    - 
-                      id:         mp-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(a)[2]
-                      prose: 
-                        """
-                          defines sanitization techniques or procedures to be used for sanitizing
-                                               organization-defined information system media prior to:
-                        """
-                      parts: 
-                        - 
-                          id:         mp-6.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][a]
-                          prose:      disposal;
-                        - 
-                          id:         mp-6.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][b]
-                          prose:      release out of organizational control; or
-                        - 
-                          id:         mp-6.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][c]
-                          prose:      release for reuse;
-                    - 
-                      id:         mp-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-6(a)[3]
-                      prose: 
-                        """
-                          sanitizes organization-defined information system media prior to disposal,
-                                               release out of organizational control, or release for reuse using
-                                               organization-defined sanitization techniques or procedures in accordance with
-                                               applicable federal and organizational standards and policies; and
-                        """
-                - 
-                  id:         mp-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-6(b)
-                  prose: 
-                    """
-                      employs sanitization mechanisms with strength and integrity commensurate with the
-                                        security category or classification of the information.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization
-          controls: 
-            - 
-              id:         mp-6.1
-              class:      SP800-53-enhancement
-              title:      Review / Approve / Track / Document / Verify
-              properties: 
-                - 
-                  name:  label
-                  value: MP-6(1)
-                - 
-                  name:  sort-id
-                  value: mp-06.01
-              parts: 
-                - 
-                  id:    mp-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization reviews, approves, tracks, documents, and verifies media
-                                        sanitization and disposal actions.
-                    """
-                - 
-                  id:    mp-6.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations review and approve media to be sanitized to ensure compliance with
-                                        records-retention policies. Tracking/documenting actions include, for example,
-                                        listing personnel who reviewed and approved sanitization and disposal actions,
-                                        types of media sanitized, specific files stored on the media, sanitization methods
-                                        used, date and time of the sanitization actions, personnel who performed the
-                                        sanitization, verification actions taken, personnel who performed the
-                                        verification, and disposal action taken. Organizations verify that the
-                                        sanitization of the media was effective prior to disposal.
-                    """
-                  links: 
-                    - 
-                      href: #si-12
-                      rel:  related
-                      text: SI-12
-                - 
-                  id:    mp-6.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         mp-6.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(1)[1]
-                      prose:      reviews media sanitization and disposal actions;
-                    - 
-                      id:         mp-6.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(1)[2]
-                      prose:      approves media sanitization and disposal actions;
-                    - 
-                      id:         mp-6.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(1)[3]
-                      prose:      tracks media sanitization and disposal actions;
-                    - 
-                      id:         mp-6.1_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(1)[4]
-                      prose:      documents media sanitization and disposal actions; and
-                    - 
-                      id:         mp-6.1_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-6(1)[5]
-                      prose:      verifies media sanitization and disposal actions.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system media sanitization and
-                                               disposal responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization
-            - 
-              id:         mp-6.2
-              class:      SP800-53-enhancement
-              title:      Equipment Testing
-              parameters: 
-                - 
-                  id:          mp-6.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least every six (6) months
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: MP-6(2)
-                - 
-                  name:  sort-id
-                  value: mp-06.02
-              parts: 
-                - 
-                  id:    mp-6.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization tests sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being
-                                        achieved.
-                    """
-                  parts: 
-                    - 
-                      id:    mp-6.2_fr
-                      name:  item
-                      title: MP-6 (2) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         mp-6.2_fr_gdn.a
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (a) Requirement:
-                          prose:      Equipment and procedures may be tested or validated for effectiveness
-                - 
-                  id:    mp-6.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Testing of sanitization equipment and procedures may be conducted by qualified and
-                                        authorized external entities (e.g., other federal agencies or external service
-                                        providers).
-                    """
-                - 
-                  id:    mp-6.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         mp-6.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(2)[1]
-                      prose: 
-                        """
-                          defines the frequency for testing sanitization equipment and procedures to
-                                               verify that the intended sanitization is being achieved; and
-                        """
-                    - 
-                      id:         mp-6.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-6(2)[2]
-                      prose: 
-                        """
-                          tests sanitization equipment and procedures with the organization-defined
-                                               frequency to verify that the intended sanitization is being achieved.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system media sanitization
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization
-            - 
-              id:         mp-6.3
-              class:      SP800-53-enhancement
-              title:      Nondestructive Techniques
-              parameters: 
-                - 
-                  id:    mp-6.3_prm_1
-                  label: 
-                    """
-                      organization-defined circumstances requiring sanitization of portable storage
-                                        devices
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: MP-6(3)
-                - 
-                  name:  sort-id
-                  value: mp-06.03
-              parts: 
-                - 
-                  id:    mp-6.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization applies nondestructive sanitization techniques to portable
-                                        storage devices prior to connecting such devices to the information system under
-                                        the following circumstances: {{ mp-6.3_prm_1 }}.
-                    """
-                - 
-                  id:    mp-6.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to digital media containing classified
-                                        information and Controlled Unclassified Information (CUI). Portable storage
-                                        devices can be the source of malicious code insertions into organizational
-                                        information systems. Many of these devices are obtained from unknown and
-                                        potentially untrustworthy sources and may contain malicious code that can be
-                                        readily transferred to information systems through USB ports or other entry
-                                        portals. While scanning such storage devices is always recommended, sanitization
-                                        provides additional assurance that the devices are free of malicious code to
-                                        include code capable of initiating zero-day attacks. Organizations consider
-                                        nondestructive sanitization of portable storage devices when such devices are
-                                        first purchased from the manufacturer or vendor prior to initial use or when
-                                        organizations lose a positive chain of custody for the devices.
-                    """
-                  links: 
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                - 
-                  id:    mp-6.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         mp-6.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(3)[1]
-                      prose: 
-                        """
-                          defines circumstances requiring sanitization of portable storage devices;
-                                               and
-                        """
-                    - 
-                      id:         mp-6.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-6(3)[2]
-                      prose: 
-                        """
-                          applies nondestructive sanitization techniques to portable storage devices
-                                               prior to connecting such devices to the information system under
-                                               organization-defined circumstances requiring sanitization of portable storage
-                                               devices.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system media sanitization
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for media sanitization of portable storage devices\n\nautomated mechanisms supporting and/or implementing media sanitization
-        - 
-          id:         mp-7
-          class:      SP800-53
-          title:      Media Use
-          parameters: 
-            - 
-              id: mp-7_prm_1
-            - 
-              id:    mp-7_prm_2
-              label: organization-defined types of information system media
-            - 
-              id:    mp-7_prm_3
-              label: organization-defined information systems or system components
-            - 
-              id:    mp-7_prm_4
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: MP-7
-            - 
-              name:  sort-id
-              value: mp-07
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-7_smt
-              name:  statement
-              prose: The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}.
-            - 
-              id:    mp-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. This control also applies to mobile
-                                 devices with information storage capability (e.g., smart phones, tablets, E-readers).
-                                 In contrast to MP-2, which restricts user access to media, this control restricts the
-                                 use of certain types of media on information systems, for example,
-                                 restricting/prohibiting the use of flash drives or external hard disk drives.
-                                 Organizations can employ technical and nontechnical safeguards (e.g., policies,
-                                 procedures, rules of behavior) to restrict the use of information system media.
-                                 Organizations may restrict the use of portable storage devices, for example, by using
-                                 physical cages on workstations to prohibit access to certain external ports, or
-                                 disabling/removing the ability to insert, read or write to such devices.
-                                 Organizations may also limit the use of portable storage devices to only approved
-                                 devices including, for example, devices provided by the organization, devices
-                                 provided by other approved organizations, and devices that are not personally owned.
-                                 Finally, organizations may restrict the use of portable storage devices based on the
-                                 type of device, for example, prohibiting the use of writeable, portable storage
-                                 devices, and implementing this restriction by disabling or removing the capability to
-                                 write to such devices.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    mp-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[1]
-                  prose:      defines types of information system media to be:
-                  parts: 
-                    - 
-                      id:         mp-7_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[1][a]
-                      prose:      restricted on information systems or system components; or
-                    - 
-                      id:         mp-7_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[1][b]
-                      prose:      prohibited from use on information systems or system components;
-                - 
-                  id:         mp-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[2]
-                  prose: 
-                    """
-                      defines information systems or system components on which the use of
-                                        organization-defined types of information system media is to be one of the
-                                        following:
-                    """
-                  parts: 
-                    - 
-                      id:         mp-7_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[2][a]
-                      prose:      restricted; or
-                    - 
-                      id:         mp-7_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[2][b]
-                      prose:      prohibited;
-                - 
-                  id:         mp-7_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-7[3]
-                  prose: 
-                    """
-                      defines security safeguards to be employed to restrict or prohibit the use of
-                                        organization-defined types of information system media on organization-defined
-                                        information systems or system components; and
-                    """
-                - 
-                  id:         mp-7_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-7[4]
-                  prose: 
-                    """
-                      restricts or prohibits the use of organization-defined information system media on
-                                        organization-defined information systems or system components using
-                                        organization-defined security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on
-                                        information systems or system components
-                    """
-          controls: 
-            - 
-              id:         mp-7.1
-              class:      SP800-53-enhancement
-              title:      Prohibit Use Without Owner
-              properties: 
-                - 
-                  name:  label
-                  value: MP-7(1)
-                - 
-                  name:  sort-id
-                  value: mp-07.01
-              parts: 
-                - 
-                  id:    mp-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization prohibits the use of portable storage devices in organizational
-                                        information systems when such devices have no identifiable owner.
-                    """
-                - 
-                  id:    mp-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Requiring identifiable owners (e.g., individuals, organizations, or projects) for
-                                        portable storage devices reduces the risk of using such technologies by allowing
-                                        organizations to assign responsibility and accountability for addressing known
-                                        vulnerabilities in the devices (e.g., malicious code insertion).
-                    """
-                  links: 
-                    - 
-                      href: #pl-4
-                      rel:  related
-                      text: PL-4
-                - 
-                  id:         mp-7.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization prohibits the use of portable storage devices in
-                                        organizational information systems when such devices have no identifiable owner.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for media use\n\nautomated mechanisms prohibiting use of media on information systems or system
-                                               components
-                        """
-    - 
-      id:       pe
-      class:    family
-      title:    Physical and Environmental Protection
-      controls: 
-        - 
-          id:         pe-1
-          class:      SP800-53
-          title:      Physical and Environmental Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    pe-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pe-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          pe-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-1
-            - 
-              name:  sort-id
-              value: pe-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    pe-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ pe-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         pe-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A physical and environmental protection policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         pe-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the physical and environmental
-                                               protection policy and associated physical and environmental protection
-                                               controls; and
-                        """
-                - 
-                  id:         pe-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         pe-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Physical and environmental protection policy {{ pe-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         pe-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Physical and environmental protection procedures {{ pe-1_prm_3 }}.
-            - 
-              id:    pe-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PE
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    pe-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         pe-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-1(a)
-                  parts: 
-                    - 
-                      id:         pe-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(a)(1)
-                      parts: 
-                        - 
-                          id:         pe-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a physical and environmental protection policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         pe-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         pe-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         pe-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         pe-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         pe-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         pe-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         pe-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         pe-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the physical and environmental protection
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         pe-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the physical and environmental protection policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         pe-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(a)(2)
-                      parts: 
-                        - 
-                          id:         pe-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      physical and environmental protection policy and associated physical and
-                                                      environmental protection controls;
-                            """
-                        - 
-                          id:         pe-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pe-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         pe-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-1(b)
-                  parts: 
-                    - 
-                      id:         pe-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(b)(1)
-                      parts: 
-                        - 
-                          id:         pe-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current physical and
-                                                      environmental protection policy;
-                            """
-                        - 
-                          id:         pe-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current physical and environmental protection policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         pe-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(b)(2)
-                      parts: 
-                        - 
-                          id:         pe-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current physical and
-                                                      environmental protection procedures; and
-                            """
-                        - 
-                          id:         pe-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current physical and environmental protection
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with physical and environmental protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         pe-2
-          class:      SP800-53
-          title:      Physical Access Authorizations
-          parameters: 
-            - 
-              id:          pe-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every ninety (90) days
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-2
-            - 
-              name:  sort-id
-              value: pe-02
-          parts: 
-            - 
-              id:    pe-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops, approves, and maintains a list of individuals with authorized access to
-                                        the facility where the information system resides;
-                    """
-                - 
-                  id:         pe-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Issues authorization credentials for facility access;
-                - 
-                  id:         pe-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Reviews the access list detailing authorized facility access by individuals
-                                           {{ pe-2_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Removes individuals from the facility access list when access is no longer
-                                        required.
-                    """
-            - 
-              id:    pe-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to organizational employees and visitors. Individuals (e.g.,
-                                 employees, contractors, and others) with permanent physical access authorization
-                                 credentials are not considered visitors. Authorization credentials include, for
-                                 example, badges, identification cards, and smart cards. Organizations determine the
-                                 strength of authorization credentials needed (including level of forge-proof badges,
-                                 smart cards, or identification cards) consistent with federal standards, policies,
-                                 and procedures. This control only applies to areas within facilities that have not
-                                 been designated as publicly accessible.
-                """
-              links: 
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-            - 
-              id:    pe-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(a)
-                  parts: 
-                    - 
-                      id:         pe-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PE-2(a)[1]
-                      prose: 
-                        """
-                          develops a list of individuals with authorized access to the facility where the
-                                               information system resides;
-                        """
-                    - 
-                      id:         pe-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-2(a)[2]
-                      prose: 
-                        """
-                          approves a list of individuals with authorized access to the facility where the
-                                               information system resides;
-                        """
-                    - 
-                      id:         pe-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PE-2(a)[3]
-                      prose: 
-                        """
-                          maintains a list of individuals with authorized access to the facility where
-                                               the information system resides;
-                        """
-                - 
-                  id:         pe-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-2(b)
-                  prose:      issues authorization credentials for facility access;
-                - 
-                  id:         pe-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(c)
-                  parts: 
-                    - 
-                      id:         pe-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the access list detailing authorized facility
-                                               access by individuals;
-                        """
-                    - 
-                      id:         pe-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-2(c)[2]
-                      prose: 
-                        """
-                          reviews the access list detailing authorized facility access by individuals
-                                               with the organization-defined frequency; and
-                        """
-                - 
-                  id:         pe-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-2(d)
-                  prose: 
-                    """
-                      removes individuals from the facility access list when access is no longer
-                                        required.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and/or implementing physical access
-                                        authorizations
-                    """
-        - 
-          id:         pe-3
-          class:      SP800-53
-          title:      Physical Access Control
-          parameters: 
-            - 
-              id:    pe-3_prm_1
-              label: 
-                """
-                  organization-defined entry/exit points to the facility where the information
-                                 system resides
-                """
-            - 
-              id:          pe-3_prm_2
-              constraints: 
-                - 
-                  detail: CSP defined physical access control systems/devices AND guards
-            - 
-              id:          pe-3_prm_3
-              depends-on:  pe-3_prm_2
-              label:       organization-defined physical access control systems/devices
-              constraints: 
-                - 
-                  detail: CSP defined physical access control systems/devices
-            - 
-              id:    pe-3_prm_4
-              label: organization-defined entry/exit points
-            - 
-              id:    pe-3_prm_5
-              label: organization-defined security safeguards
-            - 
-              id:          pe-3_prm_6
-              label: 
-                """
-                  organization-defined circumstances requiring visitor escorts and
-                                 monitoring
-                """
-              constraints: 
-                - 
-                  detail: in all circumstances within restricted access area where the information system resides
-            - 
-              id:    pe-3_prm_7
-              label: organization-defined physical access devices
-            - 
-              id:          pe-3_prm_8
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          pe-3_prm_9
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-3
-            - 
-              name:  sort-id
-              value: pe-03
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #2157bb7e-192c-4eaa-877f-93ef6b0a3292
-              rel:  reference
-              text: NIST Special Publication 800-116
-            - 
-              href: #6caa237b-531b-43ac-9711-d8f6b97b0377
-              rel:  reference
-              text: ICD 704
-            - 
-              href: #398e33fd-f404-4e5c-b90e-2d50d3181244
-              rel:  reference
-              text: ICD 705
-            - 
-              href: #61081e7f-041d-4033-96a7-44a439071683
-              rel:  reference
-              text: DoD Instruction 5200.39
-            - 
-              href: #dd2f5acd-08f1-435a-9837-f8203088dc1a
-              rel:  reference
-              text: 
-                """
-                  Personal Identity Verification (PIV) in Enterprise
-                              Physical Access Control System (E-PACS)
-                """
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-            - 
-              href: #5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-              rel:  reference
-              text: http://fips201ep.cio.gov
-          parts: 
-            - 
-              id:    pe-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Enforces physical access authorizations at {{ pe-3_prm_1 }} by;
-                  parts: 
-                    - 
-                      id:         pe-3_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Verifying individual access authorizations before granting access to the
-                                               facility; and
-                        """
-                    - 
-                      id:         pe-3_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};
-                - 
-                  id:         pe-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Maintains physical access audit logs for {{ pe-3_prm_4 }};
-                - 
-                  id:         pe-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides {{ pe-3_prm_5 }} to control access to areas within the
-                                        facility officially designated as publicly accessible;
-                    """
-                - 
-                  id:         pe-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};
-                - 
-                  id:         pe-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Secures keys, combinations, and other physical access devices;
-                - 
-                  id:         pe-3_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};
-                                        and
-                    """
-                - 
-                  id:         pe-3_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are
-                                        lost, combinations are compromised, or individuals are transferred or
-                                        terminated.
-                    """
-            - 
-              id:    pe-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to organizational employees and visitors. Individuals (e.g.,
-                                 employees, contractors, and others) with permanent physical access authorization
-                                 credentials are not considered visitors. Organizations determine the types of
-                                 facility guards needed including, for example, professional physical security staff
-                                 or other personnel such as administrative staff or information system users. Physical
-                                 access devices include, for example, keys, locks, combinations, and card readers.
-                                 Safeguards for publicly accessible areas within organizational facilities include,
-                                 for example, cameras, monitoring by guards, and isolating selected information
-                                 systems and/or system components in secured areas. Physical access control systems
-                                 comply with applicable federal laws, Executive Orders, directives, policies,
-                                 regulations, standards, and guidance. The Federal Identity, Credential, and Access
-                                 Management Program provides implementation guidance for identity, credential, and
-                                 access management capabilities for physical access control systems. Organizations
-                                 have flexibility in the types of audit logs employed. Audit logs can be procedural
-                                 (e.g., a written log of individuals accessing the facility and when such access
-                                 occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-                                 thereof. Physical access points can include facility access points, interior access
-                                 points to information systems and/or components requiring supplemental access
-                                 controls, or both. Components of organizational information systems (e.g.,
-                                 workstations, terminals) may be located in areas designated as publicly accessible
-                                 with organizations safeguarding access to such devices.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #pe-5
-                  rel:  related
-                  text: PE-5
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    pe-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(a)
-                  parts: 
-                    - 
-                      id:         pe-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(a)[1]
-                      prose: 
-                        """
-                          defines entry/exit points to the facility where the information system
-                                               resides;
-                        """
-                    - 
-                      id:         pe-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(a)[2]
-                      prose: 
-                        """
-                          enforces physical access authorizations at organization-defined entry/exit
-                                               points to the facility where the information system resides by:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(a)[2](1)
-                          prose: 
-                            """
-                              verifying individual access authorizations before granting access to the
-                                                      facility;
-                            """
-                        - 
-                          id:         pe-3.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-3(a)[2](2)
-                          parts: 
-                            - 
-                              id:         pe-3.a.2_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-3(a)[2](2)[a]
-                              prose: 
-                                """
-                                  defining physical access control systems/devices to be employed to
-                                                             control ingress/egress to the facility where the information system
-                                                             resides;
-                                """
-                            - 
-                              id:         pe-3.a.2_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-3(a)[2](2)[b]
-                              prose: 
-                                """
-                                  using one or more of the following ways to control ingress/egress to the
-                                                             facility:
-                                """
-                              parts: 
-                                - 
-                                  id:         pe-3.a.2_obj.2.b.1
-                                  name:       objective
-                                  properties: 
-                                    - 
-                                      name:  label
-                                      value: PE-3(a)[2](2)[b][1]
-                                  prose: 
-                                    """
-                                      organization-defined physical access control systems/devices;
-                                                                    and/or
-                                    """
-                                - 
-                                  id:         pe-3.a.2_obj.2.b.2
-                                  name:       objective
-                                  properties: 
-                                    - 
-                                      name:  label
-                                      value: PE-3(a)[2](2)[b][2]
-                                  prose:      guards;
-                - 
-                  id:         pe-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(b)
-                  parts: 
-                    - 
-                      id:         pe-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(b)[1]
-                      prose: 
-                        """
-                          defines entry/exit points for which physical access audit logs are to be
-                                               maintained;
-                        """
-                    - 
-                      id:         pe-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(b)[2]
-                      prose: 
-                        """
-                          maintains physical access audit logs for organization-defined entry/exit
-                                               points;
-                        """
-                - 
-                  id:         pe-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(c)
-                  parts: 
-                    - 
-                      id:         pe-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(c)[1]
-                      prose: 
-                        """
-                          defines security safeguards to be employed to control access to areas within
-                                               the facility officially designated as publicly accessible;
-                        """
-                    - 
-                      id:         pe-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(c)[2]
-                      prose: 
-                        """
-                          provides organization-defined security safeguards to control access to areas
-                                               within the facility officially designated as publicly accessible;
-                        """
-                - 
-                  id:         pe-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(d)
-                  parts: 
-                    - 
-                      id:         pe-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(d)[1]
-                      prose:      defines circumstances requiring visitor:
-                      parts: 
-                        - 
-                          id:         pe-3.d_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[1][a]
-                          prose:      escorts;
-                        - 
-                          id:         pe-3.d_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[1][b]
-                          prose:      monitoring;
-                    - 
-                      id:         pe-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(d)[2]
-                      prose: 
-                        """
-                          in accordance with organization-defined circumstances requiring visitor escorts
-                                               and monitoring:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.d_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[2][a]
-                          prose:      escorts visitors;
-                        - 
-                          id:         pe-3.d_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[2][b]
-                          prose:      monitors visitor activities;
-                - 
-                  id:         pe-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(e)
-                  parts: 
-                    - 
-                      id:         pe-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[1]
-                      prose:      secures keys;
-                    - 
-                      id:         pe-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[2]
-                      prose:      secures combinations;
-                    - 
-                      id:         pe-3.e_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[3]
-                      prose:      secures other physical access devices;
-                - 
-                  id:         pe-3.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(f)
-                  parts: 
-                    - 
-                      id:         pe-3.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(f)[1]
-                      prose:      defines physical access devices to be inventoried;
-                    - 
-                      id:         pe-3.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(f)[2]
-                      prose: 
-                        """
-                          defines the frequency to inventory organization-defined physical access
-                                               devices;
-                        """
-                    - 
-                      id:         pe-3.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(f)[3]
-                      prose: 
-                        """
-                          inventories the organization-defined physical access devices with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         pe-3.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(g)
-                  parts: 
-                    - 
-                      id:         pe-3.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(g)[1]
-                      prose:      defines the frequency to change combinations and keys; and
-                    - 
-                      id:         pe-3.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(g)[2]
-                      prose: 
-                        """
-                          changes combinations and keys with the organization-defined frequency and/or
-                                               when:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.g_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][a]
-                          prose:      keys are lost;
-                        - 
-                          id:         pe-3.g_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][b]
-                          prose:      combinations are compromised;
-                        - 
-                          id:         pe-3.g_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][c]
-                          prose:      individuals are transferred or terminated.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible
-                                        areas within facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for physical access control\n\nautomated mechanisms supporting and/or implementing physical access control\n\nphysical access control devices
-          controls: 
-            - 
-              id:         pe-3.1
-              class:      SP800-53-enhancement
-              title:      Information System Access
-              parameters: 
-                - 
-                  id:    pe-3.1_prm_1
-                  label: 
-                    """
-                      organization-defined physical spaces containing one or more components of the
-                                        information system
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: PE-3(1)
-                - 
-                  name:  sort-id
-                  value: pe-03.01
-              parts: 
-                - 
-                  id:    pe-3.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization enforces physical access authorizations to the information system
-                                        in addition to the physical access controls for the facility at {{ pe-3.1_prm_1 }}.
-                    """
-                - 
-                  id:    pe-3.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement provides additional physical security for those areas
-                                        within facilities where there is a concentration of information system components
-                                        (e.g., server rooms, media storage areas, data and communications centers).
-                    """
-                  links: 
-                    - 
-                      href: #ps-2
-                      rel:  related
-                      text: PS-2
-                - 
-                  id:    pe-3.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pe-3.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(1)[1]
-                      prose: 
-                        """
-                          defines physical spaces containing one or more components of the information
-                                               system; and
-                        """
-                    - 
-                      id:         pe-3.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(1)[2]
-                      prose: 
-                        """
-                          enforces physical access authorizations to the information system in addition
-                                               to the physical access controls for the facility at organization-defined
-                                               physical spaces containing one or more components of the information
-                                               system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\ninformation system entry and exit points\n\nlist of areas within the facility containing concentrations of information
-                                               system components or information system components requiring additional
-                                               physical protection\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with physical access authorization
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for physical access control to the information
-                                               system/components\n\nautomated mechanisms supporting and/or implementing physical access control for
-                                               facility areas containing information system components
-                        """
-        - 
-          id:         pe-4
-          class:      SP800-53
-          title:      Access Control for Transmission Medium
-          parameters: 
-            - 
-              id:    pe-4_prm_1
-              label: 
-                """
-                  organization-defined information system distribution and transmission
-                                 lines
-                """
-            - 
-              id:    pe-4_prm_2
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: PE-4
-            - 
-              name:  sort-id
-              value: pe-04
-          links: 
-            - 
-              href: #06dff0ea-3848-4945-8d91-e955ee69f05d
-              rel:  reference
-              text: NSTISSI No. 7003
-          parts: 
-            - 
-              id:    pe-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization controls physical access to {{ pe-4_prm_1 }} within
-                                 organizational facilities using {{ pe-4_prm_2 }}.
-                """
-            - 
-              id:    pe-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Physical security safeguards applied to information system distribution and
-                                 transmission lines help to prevent accidental damage, disruption, and physical
-                                 tampering. In addition, physical safeguards may be necessary to help prevent
-                                 eavesdropping or in transit modification of unencrypted transmissions. Security
-                                 safeguards to control physical access to system distribution and transmission lines
-                                 include, for example: (i) locked wiring closets; (ii) disconnected or locked spare
-                                 jacks; and/or (iii) protection of cabling by conduit or cable trays.
-                """
-              links: 
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-5
-                  rel:  related
-                  text: PE-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-            - 
-              id:    pe-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-4_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PE-4[1]
-                  prose: 
-                    """
-                      defines information system distribution and transmission lines requiring physical
-                                        access controls;
-                    """
-                - 
-                  id:         pe-4_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PE-4[2]
-                  prose: 
-                    """
-                      defines security safeguards to be employed to control physical access to
-                                        organization-defined information system distribution and transmission lines within
-                                        organizational facilities; and
-                    """
-                - 
-                  id:         pe-4_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-4[3]
-                  prose: 
-                    """
-                      controls physical access to organization-defined information system distribution
-                                        and transmission lines within organizational facilities using organization-defined
-                                        security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing access control for transmission medium\n\ninformation system design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to information system distribution
-                                        and transmission lines\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for access control to distribution and transmission
-                                        lines\n\nautomated mechanisms/security safeguards supporting and/or implementing access
-                                        control to distribution and transmission lines
-                    """
-        - 
-          id:         pe-5
-          class:      SP800-53
-          title:      Access Control for Output Devices
-          properties: 
-            - 
-              name:  label
-              value: PE-5
-            - 
-              name:  sort-id
-              value: pe-05
-          parts: 
-            - 
-              id:    pe-5_smt
-              name:  statement
-              prose: 
-                """
-                  The organization controls physical access to information system output devices to
-                                 prevent unauthorized individuals from obtaining the output.
-                """
-            - 
-              id:    pe-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Controlling physical access to output devices includes, for example, placing output
-                                 devices in locked rooms or other secured areas and allowing access to authorized
-                                 individuals only, and placing output devices in locations that can be monitored by
-                                 organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,
-                                 and audio devices are examples of information system output devices.
-                """
-              links: 
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #pe-18
-                  rel:  related
-                  text: PE-18
-            - 
-              id:         pe-5_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization controls physical access to information system output
-                                 devices to prevent unauthorized individuals from obtaining the output. 
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of information system components\n\nactual displays from information system components\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for access control to output devices\n\nautomated mechanisms supporting and/or implementing access control to output
-                                        devices
-                    """
-        - 
-          id:         pe-6
-          class:      SP800-53
-          title:      Monitoring Physical Access
-          parameters: 
-            - 
-              id:          pe-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-            - 
-              id:    pe-6_prm_2
-              label: organization-defined events or potential indications of events
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-6
-            - 
-              name:  sort-id
-              value: pe-06
-          parts: 
-            - 
-              id:    pe-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Monitors physical access to the facility where the information system resides to
-                                        detect and respond to physical security incidents;
-                    """
-                - 
-                  id:         pe-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence
-                                        of {{ pe-6_prm_2 }}; and
-                    """
-                - 
-                  id:         pe-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Coordinates results of reviews and investigations with the organizational incident
-                                        response capability.
-                    """
-            - 
-              id:    pe-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational incident response capabilities include investigations of and responses
-                                 to detected physical security incidents. Security incidents include, for example,
-                                 apparent security violations or suspicious physical access activities. Suspicious
-                                 physical access activities include, for example: (i) accesses outside of normal work
-                                 hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-                                 unusual lengths of time; and (iv) out-of-sequence accesses.
-                """
-              links: 
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    pe-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-6(a)
-                  prose: 
-                    """
-                      monitors physical access to the facility where the information system resides to
-                                        detect and respond to physical security incidents;
-                    """
-                - 
-                  id:         pe-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-6(b)
-                  parts: 
-                    - 
-                      id:         pe-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-6(b)[1]
-                      prose:      defines the frequency to review physical access logs;
-                    - 
-                      id:         pe-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-6(b)[2]
-                      prose: 
-                        """
-                          defines events or potential indication of events requiring physical access logs
-                                               to be reviewed;
-                        """
-                    - 
-                      id:         pe-6.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-6(b)[3]
-                      prose: 
-                        """
-                          reviews physical access logs with the organization-defined frequency and upon
-                                               occurrence of organization-defined events or potential indications of events;
-                                               and
-                        """
-                - 
-                  id:         pe-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-6(c)
-                  prose: 
-                    """
-                      coordinates results of reviews and investigations with the organizational incident
-                                        response capability.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and/or implementing physical access monitoring\n\nautomated mechanisms supporting and/or implementing reviewing of physical access
-                                        logs
-                    """
-          controls: 
-            - 
-              id:         pe-6.1
-              class:      SP800-53-enhancement
-              title:      Intrusion Alarms / Surveillance Equipment
-              properties: 
-                - 
-                  name:  label
-                  value: PE-6(1)
-                - 
-                  name:  sort-id
-                  value: pe-06.01
-              parts: 
-                - 
-                  id:    pe-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization monitors physical intrusion alarms and surveillance
-                                        equipment.
-                    """
-                - 
-                  id:         pe-6.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization monitors physical intrusion alarms and surveillance
-                                        equipment. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring physical intrusion alarms and
-                                               surveillance equipment\n\nautomated mechanisms supporting and/or implementing physical access
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing physical intrusion alarms
-                                               and surveillance equipment
-                        """
-            - 
-              id:         pe-6.4
-              class:      SP800-53-enhancement
-              title:      Monitoring Physical Access to Information Systems
-              parameters: 
-                - 
-                  id:    pe-6.4_prm_1
-                  label: 
-                    """
-                      organization-defined physical spaces containing one or more components of the
-                                        information system
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: PE-6(4)
-                - 
-                  name:  sort-id
-                  value: pe-06.04
-              parts: 
-                - 
-                  id:    pe-6.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization monitors physical access to the information system in addition to
-                                        the physical access monitoring of the facility as {{ pe-6.4_prm_1 }}.
-                    """
-                - 
-                  id:    pe-6.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement provides additional monitoring for those areas within
-                                        facilities where there is a concentration of information system components (e.g.,
-                                        server rooms, media storage areas, communications centers).
-                    """
-                  links: 
-                    - 
-                      href: #ps-2
-                      rel:  related
-                      text: PS-2
-                    - 
-                      href: #ps-3
-                      rel:  related
-                      text: PS-3
-                - 
-                  id:    pe-6.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pe-6.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-6(4)[1]
-                      prose: 
-                        """
-                          defines physical spaces containing one or more components of the information
-                                               system; and
-                        """
-                    - 
-                      id:         pe-6.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-6(4)[2]
-                      prose: 
-                        """
-                          monitors physical access to the information system in addition to the physical
-                                               access monitoring of the facility at organization-defined physical spaces
-                                               containing one or more components of the information system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of information
-                                               system components or information system components requiring additional
-                                               physical access monitoring\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring physical access to the information
-                                               system\n\nautomated mechanisms supporting and/or implementing physical access monitoring
-                                               for facility areas containing information system components
-                        """
-        - 
-          id:         pe-8
-          class:      SP800-53
-          title:      Visitor Access Records
-          parameters: 
-            - 
-              id:          pe-8_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: for a minimum of one (1) year
-            - 
-              id:          pe-8_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-8
-            - 
-              name:  sort-id
-              value: pe-08
-          parts: 
-            - 
-              id:    pe-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Maintains visitor access records to the facility where the information system
-                                        resides for {{ pe-8_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews visitor access records {{ pe-8_prm_2 }}.
-            - 
-              id:    pe-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Visitor access records include, for example, names and organizations of persons
-                                 visiting, visitor signatures, forms of identification, dates of access, entry and
-                                 departure times, purposes of visits, and names and organizations of persons visited.
-                                 Visitor access records are not required for publicly accessible areas.
-                """
-            - 
-              id:    pe-8_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-8(a)
-                  parts: 
-                    - 
-                      id:         pe-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-8(a)[1]
-                      prose: 
-                        """
-                          defines the time period to maintain visitor access records to the facility
-                                               where the information system resides;
-                        """
-                    - 
-                      id:         pe-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-8(a)[2]
-                      prose: 
-                        """
-                          maintains visitor access records to the facility where the information system
-                                               resides for the organization-defined time period;
-                        """
-                - 
-                  id:         pe-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-8(b)
-                  parts: 
-                    - 
-                      id:         pe-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-8(b)[1]
-                      prose:      defines the frequency to review visitor access records; and
-                    - 
-                      id:         pe-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-8(b)[2]
-                      prose:      reviews visitor access records with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and/or implementing maintenance and review of
-                                        visitor access records
-                    """
-          controls: 
-            - 
-              id:         pe-8.1
-              class:      SP800-53-enhancement
-              title:      Automated Records Maintenance / Review
-              properties: 
-                - 
-                  name:  label
-                  value: PE-8(1)
-                - 
-                  name:  sort-id
-                  value: pe-08.01
-              parts: 
-                - 
-                  id:    pe-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to facilitate the maintenance and
-                                        review of visitor access records.
-                    """
-                - 
-                  id:         pe-8.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to facilitate the
-                                        maintenance and review of visitor access records. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for maintaining and reviewing visitor access
-                                               records\n\nautomated mechanisms supporting and/or implementing maintenance and review of
-                                               visitor access records
-                        """
-        - 
-          id:         pe-9
-          class:      SP800-53
-          title:      Power Equipment and Cabling
-          properties: 
-            - 
-              name:  label
-              value: PE-9
-            - 
-              name:  sort-id
-              value: pe-09
-          parts: 
-            - 
-              id:    pe-9_smt
-              name:  statement
-              prose: 
-                """
-                  The organization protects power equipment and power cabling for the information
-                                 system from damage and destruction.
-                """
-            - 
-              id:    pe-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the types of protection necessary for power equipment and
-                                 cabling employed at different locations both internal and external to organizational
-                                 facilities and environments of operation. This includes, for example, generators and
-                                 power cabling outside of buildings, internal cabling and uninterruptable power
-                                 sources within an office or data center, and power sources for self-contained
-                                 entities such as vehicles and satellites.
-                """
-              links: 
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-            - 
-              id:         pe-9_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization protects power equipment and power cabling for the
-                                 information system from damage and destruction. 
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing power equipment/cabling protection\n\nfacilities housing power equipment/cabling\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for protecting power
-                                        equipment/cabling\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing protection of power
-                                        equipment/cabling
-                    """
-        - 
-          id:         pe-10
-          class:      SP800-53
-          title:      Emergency Shutoff
-          parameters: 
-            - 
-              id:    pe-10_prm_1
-              label: organization-defined location by information system or system component
-          properties: 
-            - 
-              name:  label
-              value: PE-10
-            - 
-              name:  sort-id
-              value: pe-10
-          parts: 
-            - 
-              id:    pe-10_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-10_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides the capability of shutting off power to the information system or
-                                        individual system components in emergency situations;
-                    """
-                - 
-                  id:         pe-10_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Places emergency shutoff switches or devices in {{ pe-10_prm_1 }}
-                                        to facilitate safe and easy access for personnel; and
-                    """
-                - 
-                  id:         pe-10_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Protects emergency power shutoff capability from unauthorized activation.
-            - 
-              id:    pe-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms.
-                """
-              links: 
-                - 
-                  href: #pe-15
-                  rel:  related
-                  text: PE-15
-            - 
-              id:    pe-10_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-10.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-10(a)
-                  prose: 
-                    """
-                      provides the capability of shutting off power to the information system or
-                                        individual system components in emergency situations;
-                    """
-                - 
-                  id:         pe-10.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-10(b)
-                  parts: 
-                    - 
-                      id:         pe-10.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-10(b)[1]
-                      prose: 
-                        """
-                          defines the location of emergency shutoff switches or devices by information
-                                               system or system component;
-                        """
-                    - 
-                      id:         pe-10.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-10(b)[2]
-                      prose: 
-                        """
-                          places emergency shutoff switches or devices in the organization-defined
-                                               location by information system or system component to facilitate safe and easy
-                                               access for personnel; and
-                        """
-                - 
-                  id:         pe-10.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-10(c)
-                  prose:      protects emergency power shutoff capability from unauthorized activation.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nsecurity plan\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting emergency power shutoff capability from
-                                        unauthorized activation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for emergency power shutoff
-                                        capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing emergency power shutoff
-        - 
-          id:         pe-11
-          class:      SP800-53
-          title:      Emergency Power
-          parameters: 
-            - 
-              id: pe-11_prm_1
-          properties: 
-            - 
-              name:  label
-              value: PE-11
-            - 
-              name:  sort-id
-              value: pe-11
-          parts: 
-            - 
-              id:    pe-11_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides a short-term uninterruptible power supply to facilitate
-                                    {{ pe-11_prm_1 }} in the event of a primary power source loss.
-                """
-            - 
-              id:    pe-11_gdn
-              name:  guidance
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:         pe-11_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization provides a short-term uninterruptible power supply to
-                                 facilitate one or more of the following in the event of a primary power source loss: 
-                """
-              parts: 
-                - 
-                  id:         pe-11_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-11[1]
-                  prose:      an orderly shutdown of the information system; and/or
-                - 
-                  id:         pe-11_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-11[2]
-                  prose:      transition of the information system to long-term alternate power.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for emergency power and/or
-                                        planning\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing uninterruptible power
-                                        supply\n\nthe uninterruptable power supply
-                    """
-          controls: 
-            - 
-              id:         pe-11.1
-              class:      SP800-53-enhancement
-              title:      Long-term Alternate Power Supply - Minimal Operational Capability
-              properties: 
-                - 
-                  name:  label
-                  value: PE-11(1)
-                - 
-                  name:  sort-id
-                  value: pe-11.01
-              parts: 
-                - 
-                  id:    pe-11.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization provides a long-term alternate power supply for the information
-                                        system that is capable of maintaining minimally required operational capability in
-                                        the event of an extended loss of the primary power source.
-                    """
-                - 
-                  id:    pe-11.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement can be satisfied, for example, by the use of a secondary
-                                        commercial power supply or other external power supply. Long-term alternate power
-                                        supplies for the information system can be either manually or automatically
-                                        activated.
-                    """
-                - 
-                  id:         pe-11.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization provides a long-term alternate power supply for the
-                                        information system that is capable of maintaining minimally required operational
-                                        capability in the event of an extended loss of the primary power source. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for emergency power and/or
-                                               planning\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting and/or implementing alternate power supply\n\nthe alternate power supply
-        - 
-          id:         pe-12
-          class:      SP800-53
-          title:      Emergency Lighting
-          properties: 
-            - 
-              name:  label
-              value: PE-12
-            - 
-              name:  sort-id
-              value: pe-12
-          parts: 
-            - 
-              id:    pe-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs and maintains automatic emergency lighting for the
-                                 information system that activates in the event of a power outage or disruption and
-                                 that covers emergency exits and evacuation routes within the facility.
-                """
-            - 
-              id:    pe-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:    pe-12_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization employs and maintains automatic emergency lighting for
-                                 the information system that: 
-                """
-              parts: 
-                - 
-                  id:         pe-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-12[1]
-                  prose:      activates in the event of a power outage or disruption; and
-                - 
-                  id:         pe-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-12[2]
-                  prose:      covers emergency exits and evacuation routes within the facility.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for emergency lighting and/or
-                                        planning\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing emergency lighting
-                                        capability
-                    """
-        - 
-          id:         pe-13
-          class:      SP800-53
-          title:      Fire Protection
-          properties: 
-            - 
-              name:  label
-              value: PE-13
-            - 
-              name:  sort-id
-              value: pe-13
-          parts: 
-            - 
-              id:    pe-13_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs and maintains fire suppression and detection devices/systems
-                                 for the information system that are supported by an independent energy source.
-                """
-            - 
-              id:    pe-13_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms. Fire suppression and detection devices/systems include, for example,
-                                 sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-                                 detectors.
-                """
-            - 
-              id:    pe-13_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-13_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-13[1]
-                  prose: 
-                    """
-                      employs fire suppression and detection devices/systems for the information system
-                                        that are supported by an independent energy source; and
-                    """
-                - 
-                  id:         pe-13_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-13[2]
-                  prose: 
-                    """
-                      maintains fire suppression and detection devices/systems for the information
-                                        system that are supported by an independent energy source.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for fire detection and suppression
-                                        devices/systems\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing fire suppression/detection
-                                        devices/systems
-                    """
-          controls: 
-            - 
-              id:         pe-13.1
-              class:      SP800-53-enhancement
-              title:      Detection Devices / Systems
-              parameters: 
-                - 
-                  id:          pe-13.1_prm_1
-                  label:       organization-defined personnel or roles
-                  constraints: 
-                    - 
-                      detail: service provider building maintenance/physical security personnel
-                - 
-                  id:          pe-13.1_prm_2
-                  label:       organization-defined emergency responders
-                  constraints: 
-                    - 
-                      detail: service provider emergency responders with incident response responsibilities
-              properties: 
-                - 
-                  name:  label
-                  value: PE-13(1)
-                - 
-                  name:  sort-id
-                  value: pe-13.01
-              parts: 
-                - 
-                  id:    pe-13.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs fire detection devices/systems for the information system
-                                        that activate automatically and notify {{ pe-13.1_prm_1 }} and
-                                           {{ pe-13.1_prm_2 }} in the event of a fire.
-                    """
-                - 
-                  id:    pe-13.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can identify specific personnel, roles, and emergency responders in
-                                        the event that individuals on the notification list must have appropriate access
-                                        authorizations and/or clearances, for example, to obtain access to facilities
-                                        where classified operations are taking place or where there are information
-                                        systems containing classified information.
-                    """
-                - 
-                  id:    pe-13.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pe-13.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-13(1)[1]
-                      prose:      defines personnel or roles to be notified in the event of a fire;
-                    - 
-                      id:         pe-13.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-13(1)[2]
-                      prose:      defines emergency responders to be notified in the event of a fire;
-                    - 
-                      id:         pe-13.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-13(1)[3]
-                      prose: 
-                        """
-                          employs fire detection devices/systems for the information system that, in the
-                                               event of a fire,:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-13.1_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-13(1)[3][a]
-                          prose:      activate automatically;
-                        - 
-                          id:         pe-13.1_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-13(1)[3][b]
-                          prose:      notify organization-defined personnel or roles; and
-                        - 
-                          id:         pe-13.1_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-13(1)[3][c]
-                          prose:      notify organization-defined emergency responders.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\nalerts/notifications of fire events\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for fire detection and
-                                               suppression devices/systems\n\norganizational personnel with responsibilities for notifying appropriate
-                                               personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing fire detection
-                                               devices/systems\n\nactivation of fire detection devices/systems (simulated)\n\nautomated notifications
-                        """
-            - 
-              id:         pe-13.2
-              class:      SP800-53-enhancement
-              title:      Suppression Devices / Systems
-              parameters: 
-                - 
-                  id:    pe-13.2_prm_1
-                  label: organization-defined personnel or roles
-                - 
-                  id:    pe-13.2_prm_2
-                  label: organization-defined emergency responders
-              properties: 
-                - 
-                  name:  label
-                  value: PE-13(2)
-                - 
-                  name:  sort-id
-                  value: pe-13.02
-              parts: 
-                - 
-                  id:    pe-13.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs fire suppression devices/systems for the information
-                                        system that provide automatic notification of any activation to {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}.
-                    """
-                - 
-                  id:    pe-13.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can identify specific personnel, roles, and emergency responders in
-                                        the event that individuals on the notification list must have appropriate access
-                                        authorizations and/or clearances, for example, to obtain access to facilities
-                                        where classified operations are taking place or where there are information
-                                        systems containing classified information.
-                    """
-                - 
-                  id:    pe-13.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pe-13.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-13(2)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be provided automatic notification of any
-                                               activation of fire suppression devices/systems for the information system;
-                        """
-                    - 
-                      id:         pe-13.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-13(2)[2]
-                      prose: 
-                        """
-                          defines emergency responders to be provided automatic notification of any
-                                               activation of fire suppression devices/systems for the information system;
-                        """
-                    - 
-                      id:         pe-13.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-13(2)[3]
-                      prose: 
-                        """
-                          employs fire suppression devices/systems for the information system that
-                                               provide automatic notification of any activation to:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-13.2_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-13(2)[3][a]
-                          prose:      organization-defined personnel or roles; and
-                        - 
-                          id:         pe-13.2_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-13(2)[3][b]
-                          prose:      organization-defined emergency responders.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for fire detection and
-                                               suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic
-                                               notifications of any activation of fire suppression devices/systems to
-                                               appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing fire suppression
-                                               devices/systems\n\nactivation of fire suppression devices/systems (simulated)\n\nautomated notifications
-                        """
-            - 
-              id:         pe-13.3
-              class:      SP800-53-enhancement
-              title:      Automatic Fire Suppression
-              properties: 
-                - 
-                  name:  label
-                  value: PE-13(3)
-                - 
-                  name:  sort-id
-                  value: pe-13.03
-              parts: 
-                - 
-                  id:    pe-13.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs an automatic fire suppression capability for the
-                                        information system when the facility is not staffed on a continuous basis.
-                    """
-                - 
-                  id:         pe-13.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs an automatic fire suppression capability for
-                                        the information system when the facility is not staffed on a continuous basis.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for fire detection and
-                                               suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic
-                                               notifications of any activation of fire suppression devices/systems to
-                                               appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing fire suppression
-                                               devices/systems\n\nactivation of fire suppression devices/systems (simulated)
-                        """
-        - 
-          id:         pe-14
-          class:      SP800-53
-          title:      Temperature and Humidity Controls
-          parameters: 
-            - 
-              id:          pe-14_prm_1
-              label:       organization-defined acceptable levels
-              constraints: 
-                - 
-                  detail: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-            - 
-              id:          pe-14_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: continuously
-          properties: 
-            - 
-              name:  label
-              value: PE-14
-            - 
-              name:  sort-id
-              value: pe-14
-          parts: 
-            - 
-              id:    pe-14_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-14_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Maintains temperature and humidity levels within the facility where the
-                                        information system resides at {{ pe-14_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-14_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Monitors temperature and humidity levels {{ pe-14_prm_2 }}.
-                - 
-                  id:    pe-14_fr
-                  name:  item
-                  title: PE-14(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         pe-14_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider measures temperature at server inlets and humidity levels by dew point.
-            - 
-              id:    pe-14_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources, for example, data centers, server rooms, and mainframe computer
-                                 rooms.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-            - 
-              id:    pe-14_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-14.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-14(a)
-                  parts: 
-                    - 
-                      id:         pe-14.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(a)[1]
-                      prose: 
-                        """
-                          defines acceptable temperature levels to be maintained within the facility
-                                               where the information system resides;
-                        """
-                    - 
-                      id:         pe-14.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(a)[2]
-                      prose: 
-                        """
-                          defines acceptable humidity levels to be maintained within the facility where
-                                               the information system resides;
-                        """
-                    - 
-                      id:         pe-14.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(a)[3]
-                      prose: 
-                        """
-                          maintains temperature levels within the facility where the information system
-                                               resides at the organization-defined levels;
-                        """
-                    - 
-                      id:         pe-14.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(a)[4]
-                      prose: 
-                        """
-                          maintains humidity levels within the facility where the information system
-                                               resides at the organization-defined levels;
-                        """
-                - 
-                  id:         pe-14.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-14(b)
-                  parts: 
-                    - 
-                      id:         pe-14.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(b)[1]
-                      prose:      defines the frequency to monitor temperature levels;
-                    - 
-                      id:         pe-14.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(b)[2]
-                      prose:      defines the frequency to monitor humidity levels;
-                    - 
-                      id:         pe-14.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(b)[3]
-                      prose:      monitors temperature levels with the organization-defined frequency; and
-                    - 
-                      id:         pe-14.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(b)[4]
-                      prose:      monitors humidity levels with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system
-                                        environmental controls\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                                        temperature and humidity levels
-                    """
-          controls: 
-            - 
-              id:         pe-14.2
-              class:      SP800-53-enhancement
-              title:      Monitoring with Alarms / Notifications
-              properties: 
-                - 
-                  name:  label
-                  value: PE-14(2)
-                - 
-                  name:  sort-id
-                  value: pe-14.02
-              parts: 
-                - 
-                  id:    pe-14.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs temperature and humidity monitoring that provides an
-                                        alarm or notification of changes potentially harmful to personnel or
-                                        equipment.
-                    """
-                - 
-                  id:    pe-14.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pe-14.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(2)[1]
-                      prose: 
-                        """
-                          employs temperature monitoring that provides an alarm of changes potentially
-                                               harmful to personnel or equipment; and/or
-                        """
-                    - 
-                      id:         pe-14.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(2)[2]
-                      prose: 
-                        """
-                          employs temperature monitoring that provides notification of changes
-                                               potentially harmful to personnel or equipment;
-                        """
-                    - 
-                      id:         pe-14.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(2)[3]
-                      prose: 
-                        """
-                          employs humidity monitoring that provides an alarm of changes potentially
-                                               harmful to personnel or equipment; and/or
-                        """
-                    - 
-                      id:         pe-14.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(2)[4]
-                      prose: 
-                        """
-                          employs humidity monitoring that provides notification of changes potentially
-                                               harmful to personnel or equipment.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Physical and environmental protection policy\n\nprocedures addressing temperature and humidity monitoring\n\nfacility housing the information system\n\nlogs or records of temperature and humidity monitoring\n\nrecords of changes to temperature and humidity levels that generate alarms or
-                                               notifications\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for information system
-                                               environmental controls\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing temperature and humidity
-                                               monitoring
-                        """
-        - 
-          id:         pe-15
-          class:      SP800-53
-          title:      Water Damage Protection
-          properties: 
-            - 
-              name:  label
-              value: PE-15
-            - 
-              name:  sort-id
-              value: pe-15
-          parts: 
-            - 
-              id:    pe-15_smt
-              name:  statement
-              prose: 
-                """
-                  The organization protects the information system from damage resulting from water
-                                 leakage by providing master shutoff or isolation valves that are accessible, working
-                                 properly, and known to key personnel.
-                """
-            - 
-              id:    pe-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms. Isolation valves can be employed in addition to or in lieu of master
-                                 shutoff valves to shut off water supplies in specific areas of concern, without
-                                 affecting entire organizations.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-            - 
-              id:         pe-15_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization protects the information system from damage resulting
-                                 from water leakage by providing master shutoff or isolation valves that are: 
-                """
-              parts: 
-                - 
-                  id:         pe-15_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[1]
-                  prose:      accessible;
-                - 
-                  id:         pe-15_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[2]
-                  prose:      working properly; and
-                - 
-                  id:         pe-15_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[3]
-                  prose:      known to key personnel.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for
-                                        master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system
-                                        environmental controls\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Master water-shutoff valves\n\norganizational process for activating master water-shutoff
-          controls: 
-            - 
-              id:         pe-15.1
-              class:      SP800-53-enhancement
-              title:      Automation Support
-              parameters: 
-                - 
-                  id:          pe-15.1_prm_1
-                  label:       organization-defined personnel or roles
-                  constraints: 
-                    - 
-                      detail: service provider building maintenance/physical security personnel
-              properties: 
-                - 
-                  name:  label
-                  value: PE-15(1)
-                - 
-                  name:  sort-id
-                  value: pe-15.01
-              parts: 
-                - 
-                  id:    pe-15.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to detect the presence of water in
-                                        the vicinity of the information system and alerts {{ pe-15.1_prm_1 }}.
-                    """
-                - 
-                  id:    pe-15.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms can include, for example, water detection sensors, alarms,
-                                        and notification systems.
-                    """
-                - 
-                  id:    pe-15.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pe-15.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-15(1)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be alerted when the presence of water is detected
-                                               in the vicinity of the information system;
-                        """
-                    - 
-                      id:         pe-15.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-15(1)[2]
-                      prose: 
-                        """
-                          employs automated mechanisms to detect the presence of water in the vicinity of
-                                               the information system; and
-                        """
-                    - 
-                      id:         pe-15.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-15(1)[3]
-                      prose: 
-                        """
-                          alerts organization-defined personnel or roles when the presence of water is
-                                               detected in the vicinity of the information system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms detecting presence of water in vicinity of information
-                                               system\n\nalerts/notifications of water detection in information system facility\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for information system
-                                               environmental controls\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing water detection capability
-                                               and alerts for the information system
-                        """
-        - 
-          id:         pe-16
-          class:      SP800-53
-          title:      Delivery and Removal
-          parameters: 
-            - 
-              id:          pe-16_prm_1
-              label:       organization-defined types of information system components
-              constraints: 
-                - 
-                  detail: all information system components
-          properties: 
-            - 
-              name:  label
-              value: PE-16
-            - 
-              name:  sort-id
-              value: pe-16
-          parts: 
-            - 
-              id:    pe-16_smt
-              name:  statement
-              prose: 
-                """
-                  The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}
-                                 entering and exiting the facility and maintains records of those items.
-                """
-            - 
-              id:    pe-16_gdn
-              name:  guidance
-              prose: 
-                """
-                  Effectively enforcing authorizations for entry and exit of information system
-                                 components may require restricting access to delivery areas and possibly isolating
-                                 the areas from the information system and media libraries.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    pe-16_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-16_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PE-16[1]
-                  prose: 
-                    """
-                      defines types of information system components to be authorized, monitored, and
-                                        controlled as such components are entering and exiting the facility;
-                    """
-                - 
-                  id:         pe-16_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[2]
-                  prose: 
-                    """
-                      authorizes organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[3]
-                  prose: 
-                    """
-                      monitors organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[4]
-                  prose: 
-                    """
-                      controls organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[5]
-                  prose: 
-                    """
-                      authorizes organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[6]
-                  prose: 
-                    """
-                      monitors organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.7
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[7]
-                  prose: 
-                    """
-                      controls organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.8
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-16[8]
-                  prose:      maintains records of information system components entering the facility; and
-                - 
-                  id:         pe-16_obj.9
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-16[9]
-                  prose:      maintains records of information system components exiting the facility.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from
-                                        the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for controlling information system
-                                        components entering and exiting the facility\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for authorizing, monitoring, and controlling information
-                                        system-related items entering and exiting the facility\n\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and
-                                        controlling information system-related items entering and exiting the facility
-                    """
-        - 
-          id:         pe-17
-          class:      SP800-53
-          title:      Alternate Work Site
-          parameters: 
-            - 
-              id:    pe-17_prm_1
-              label: organization-defined security controls
-          properties: 
-            - 
-              name:  label
-              value: PE-17
-            - 
-              name:  sort-id
-              value: pe-17
-          links: 
-            - 
-              href: #5309d4d0-46f8-4213-a749-e7584164e5e8
-              rel:  reference
-              text: NIST Special Publication 800-46
-          parts: 
-            - 
-              id:    pe-17_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-17_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Employs {{ pe-17_prm_1 }} at alternate work sites;
-                - 
-                  id:         pe-17_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Assesses as feasible, the effectiveness of security controls at alternate work
-                                        sites; and
-                    """
-                - 
-                  id:         pe-17_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides a means for employees to communicate with information security personnel
-                                        in case of security incidents or problems.
-                    """
-            - 
-              id:    pe-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  Alternate work sites may include, for example, government facilities or private
-                                 residences of employees. While commonly distinct from alternative processing sites,
-                                 alternate work sites may provide readily available alternate locations as part of
-                                 contingency operations. Organizations may define different sets of security controls
-                                 for specific alternate work sites or types of sites depending on the work-related
-                                 activities conducted at those sites. This control supports the contingency planning
-                                 activities of organizations and the federal telework initiative.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:    pe-17_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-17.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-17(a)
-                  parts: 
-                    - 
-                      id:         pe-17.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-17(a)[1]
-                      prose:      defines security controls to be employed at alternate work sites;
-                    - 
-                      id:         pe-17.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PE-17(a)[2]
-                      prose:      employs organization-defined security controls at alternate work sites;
-                - 
-                  id:         pe-17.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-17(b)
-                  prose: 
-                    """
-                      assesses, as feasible, the effectiveness of security controls at alternate work
-                                        sites; and
-                    """
-                - 
-                  id:         pe-17.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-17(c)
-                  prose: 
-                    """
-                      provides a means for employees to communicate with information security personnel
-                                        in case of security incidents or problems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nsecurity plan\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel approving use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for security at alternate work sites\n\nautomated mechanisms supporting alternate work sites\n\nsecurity controls employed at alternate work sites\n\nmeans of communications between personnel at alternate work sites and security
-                                        personnel
-                    """
-        - 
-          id:         pe-18
-          class:      SP800-53
-          title:      Location of Information System Components
-          parameters: 
-            - 
-              id:          pe-18_prm_1
-              label:       organization-defined physical and environmental hazards
-              constraints: 
-                - 
-                  detail: physical and environmental hazards identified during threat assessment
-          properties: 
-            - 
-              name:  label
-              value: PE-18
-            - 
-              name:  sort-id
-              value: pe-18
-          parts: 
-            - 
-              id:    pe-18_smt
-              name:  statement
-              prose: 
-                """
-                  The organization positions information system components within the facility to
-                                 minimize potential damage from {{ pe-18_prm_1 }} and to minimize the
-                                 opportunity for unauthorized access.
-                """
-            - 
-              id:    pe-18_gdn
-              name:  guidance
-              prose: 
-                """
-                  Physical and environmental hazards include, for example, flooding, fire, tornados,
-                                 earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse,
-                                 electrical interference, and other forms of incoming electromagnetic radiation. In
-                                 addition, organizations consider the location of physical entry points where
-                                 unauthorized individuals, while not being granted access, might nonetheless be in
-                                 close proximity to information systems and therefore increase the potential for
-                                 unauthorized access to organizational communications (e.g., through the use of
-                                 wireless sniffers or microphones).
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #pe-19
-                  rel:  related
-                  text: PE-19
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    pe-18_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-18_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-18[1]
-                  prose: 
-                    """
-                      defines physical hazards that could result in potential damage to information
-                                        system components within the facility;
-                    """
-                - 
-                  id:         pe-18_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PE-18[2]
-                  prose: 
-                    """
-                      defines environmental hazards that could result in potential damage to information
-                                        system components within the facility;
-                    """
-                - 
-                  id:         pe-18_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-18[3]
-                  prose: 
-                    """
-                      positions information system components within the facility to minimize potential
-                                        damage from organization-defined physical and environmental hazards; and
-                    """
-                - 
-                  id:         pe-18_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-18[4]
-                  prose: 
-                    """
-                      positions information system components within the facility to minimize the
-                                        opportunity for unauthorized access.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing positioning of information system components\n\ndocumentation providing the location and position of information system components
-                                        within the facility\n\nlocations housing information system components within the facility\n\nlist of physical and environmental hazards with potential to damage information
-                                        system components within the facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for positioning information system
-                                        components\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for positioning information system components
-    - 
-      id:       pl
-      class:    family
-      title:    Planning
-      controls: 
-        - 
-          id:         pl-1
-          class:      SP800-53
-          title:      Security Planning Policy and Procedures
-          parameters: 
-            - 
-              id:    pl-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pl-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          pl-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PL-1
-            - 
-              name:  sort-id
-              value: pl-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    pl-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ pl-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         pl-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security planning policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         pl-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security planning policy and
-                                               associated security planning controls; and
-                        """
-                - 
-                  id:         pl-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         pl-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security planning policy {{ pl-1_prm_2 }}; and
-                    - 
-                      id:         pl-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security planning procedures {{ pl-1_prm_3 }}.
-            - 
-              id:    pl-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PL
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    pl-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         pl-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-1(a)
-                  parts: 
-                    - 
-                      id:         pl-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(a)(1)
-                      parts: 
-                        - 
-                          id:         pl-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[1]
-                          prose:      develops and documents a planning policy that addresses:
-                          parts: 
-                            - 
-                              id:         pl-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         pl-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         pl-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         pl-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         pl-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         pl-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         pl-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         pl-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the planning policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pl-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the planning policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         pl-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(a)(2)
-                      parts: 
-                        - 
-                          id:         pl-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      planning policy and associated planning controls;
-                            """
-                        - 
-                          id:         pl-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pl-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         pl-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-1(b)
-                  parts: 
-                    - 
-                      id:         pl-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(b)(1)
-                      parts: 
-                        - 
-                          id:         pl-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(1)[1]
-                          prose:      defines the frequency to review and update the current planning policy;
-                        - 
-                          id:         pl-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current planning policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         pl-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(b)(2)
-                      parts: 
-                        - 
-                          id:         pl-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current planning procedures;
-                                                      and
-                            """
-                        - 
-                          id:         pl-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current planning procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Planning policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         pl-2
-          class:      SP800-53
-          title:      System Security Plan
-          parameters: 
-            - 
-              id:    pl-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pl-2_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PL-2
-            - 
-              name:  sort-id
-              value: pl-02
-          links: 
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-          parts: 
-            - 
-              id:    pl-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops a security plan for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Is consistent with the organization’s enterprise architecture;
-                    - 
-                      id:         pl-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Explicitly defines the authorization boundary for the system;
-                    - 
-                      id:         pl-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Describes the operational context of the information system in terms of
-                                               missions and business processes;
-                        """
-                    - 
-                      id:         pl-2_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Provides the security categorization of the information system including
-                                               supporting rationale;
-                        """
-                    - 
-                      id:         pl-2_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose: 
-                        """
-                          Describes the operational environment for the information system and
-                                               relationships with or connections to other information systems;
-                        """
-                    - 
-                      id:         pl-2_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose:      Provides an overview of the security requirements for the system;
-                    - 
-                      id:         pl-2_smt.a.7
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 7.
-                      prose:      Identifies any relevant overlays, if applicable;
-                    - 
-                      id:         pl-2_smt.a.8
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 8.
-                      prose: 
-                        """
-                          Describes the security controls in place or planned for meeting those
-                                               requirements including a rationale for the tailoring decisions; and
-                        """
-                    - 
-                      id:         pl-2_smt.a.9
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 9.
-                      prose: 
-                        """
-                          Is reviewed and approved by the authorizing official or designated
-                                               representative prior to plan implementation;
-                        """
-                - 
-                  id:         pl-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Distributes copies of the security plan and communicates subsequent changes to the
-                                        plan to {{ pl-2_prm_1 }};
-                    """
-                - 
-                  id:         pl-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews the security plan for the information system {{ pl-2_prm_2 }};
-                - 
-                  id:         pl-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Updates the plan to address changes to the information system/environment of
-                                        operation or problems identified during plan implementation or security control
-                                        assessments; and
-                    """
-                - 
-                  id:         pl-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Protects the security plan from unauthorized disclosure and modification.
-            - 
-              id:    pl-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security plans relate security requirements to a set of security controls and control
-                                 enhancements. Security plans also describe, at a high level, how the security
-                                 controls and control enhancements meet those security requirements, but do not
-                                 provide detailed, technical descriptions of the specific design or implementation of
-                                 the controls/enhancements. Security plans contain sufficient information (including
-                                 the specification of parameter values for assignment and selection statements either
-                                 explicitly or by reference) to enable a design and implementation that is
-                                 unambiguously compliant with the intent of the plans and subsequent determinations of
-                                 risk to organizational operations and assets, individuals, other organizations, and
-                                 the Nation if the plan is implemented as intended. Organizations can also apply
-                                 tailoring guidance to the security control baselines in Appendix D and CNSS
-                                 Instruction 1253 to develop overlays for community-wide use or to address specialized
-                                 requirements, technologies, or missions/environments of operation (e.g.,
-                                 DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-                                 Access Management, space operations). Appendix I provides guidance on developing
-                                 overlays. Security plans need not be single documents; the plans can be a collection
-                                 of various documents including documents that already exist. Effective security plans
-                                 make extensive use of references to policies, procedures, and additional documents
-                                 (e.g., design and implementation specifications) where more detailed information can
-                                 be obtained. This reduces the documentation requirements associated with security
-                                 programs and maintains security-related information in other established
-                                 management/operational areas related to enterprise architecture, system development
-                                 life cycle, systems engineering, and acquisition. For example, security plans do not
-                                 contain detailed contingency plan or incident response plan information but instead
-                                 provide explicitly or by reference, sufficient information to define what needs to be
-                                 accomplished by those plans.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pl-7
-                  rel:  related
-                  text: PL-7
-                - 
-                  href: #pm-1
-                  rel:  related
-                  text: PM-1
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #pm-8
-                  rel:  related
-                  text: PM-8
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-17
-                  rel:  related
-                  text: SA-17
-            - 
-              id:    pl-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(a)
-                  prose:      develops a security plan for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(1)
-                      prose:      is consistent with the organization’s enterprise architecture;
-                    - 
-                      id:         pl-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(2)
-                      prose:      explicitly defines the authorization boundary for the system;
-                    - 
-                      id:         pl-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(3)
-                      prose: 
-                        """
-                          describes the operational context of the information system in terms of
-                                               missions and business processes;
-                        """
-                    - 
-                      id:         pl-2.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(4)
-                      prose: 
-                        """
-                          provides the security categorization of the information system including
-                                               supporting rationale;
-                        """
-                    - 
-                      id:         pl-2.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(5)
-                      prose: 
-                        """
-                          describes the operational environment for the information system and
-                                               relationships with or connections to other information systems;
-                        """
-                    - 
-                      id:         pl-2.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(6)
-                      prose:      provides an overview of the security requirements for the system;
-                    - 
-                      id:         pl-2.a.7_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(7)
-                      prose:      identifies any relevant overlays, if applicable;
-                    - 
-                      id:         pl-2.a.8_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(8)
-                      prose: 
-                        """
-                          describes the security controls in place or planned for meeting those
-                                               requirements including a rationale for the tailoring and supplemental
-                                               decisions;
-                        """
-                    - 
-                      id:         pl-2.a.9_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-2(a)(9)
-                      prose: 
-                        """
-                          is reviewed and approved by the authorizing official or designated
-                                               representative prior to plan implementation;
-                        """
-                - 
-                  id:         pl-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(b)
-                  parts: 
-                    - 
-                      id:         pl-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom copies of the security plan are to be
-                                               distributed and subsequent changes to the plan are to be communicated;
-                        """
-                    - 
-                      id:         pl-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-2(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the security plan and communicates subsequent changes to
-                                               the plan to organization-defined personnel or roles;
-                        """
-                - 
-                  id:         pl-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(c)
-                  parts: 
-                    - 
-                      id:         pl-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the security plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         pl-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(c)[2]
-                      prose: 
-                        """
-                          reviews the security plan for the information system with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         pl-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-2(d)
-                  prose:      updates the plan to address:
-                  parts: 
-                    - 
-                      id:         pl-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[1]
-                      prose:      changes to the information system/environment of operation;
-                    - 
-                      id:         pl-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[2]
-                      prose:      problems identified during plan implementation;
-                    - 
-                      id:         pl-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[3]
-                      prose:      problems identified during security control assessments;
-                - 
-                  id:         pl-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-2(e)
-                  prose:      protects the security plan from unauthorized:
-                  parts: 
-                    - 
-                      id:         pl-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(e)[1]
-                      prose:      disclosure; and
-                    - 
-                      id:         pl-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(e)[2]
-                      prose:      modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security planning and plan implementation
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security plan development/review/update/approval\n\nautomated mechanisms supporting the information system security plan
-          controls: 
-            - 
-              id:         pl-2.3
-              class:      SP800-53-enhancement
-              title:      Plan / Coordinate with Other Organizational Entities
-              parameters: 
-                - 
-                  id:    pl-2.3_prm_1
-                  label: organization-defined individuals or groups
-              properties: 
-                - 
-                  name:  label
-                  value: PL-2(3)
-                - 
-                  name:  sort-id
-                  value: pl-02.03
-              parts: 
-                - 
-                  id:    pl-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization plans and coordinates security-related activities affecting the
-                                        information system with {{ pl-2.3_prm_1 }} before conducting such
-                                        activities in order to reduce the impact on other organizational entities.
-                    """
-                - 
-                  id:    pl-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Security-related activities include, for example, security assessments, audits,
-                                        hardware and software maintenance, patch management, and contingency plan testing.
-                                        Advance planning and coordination includes emergency and nonemergency (i.e.,
-                                        planned or nonurgent unplanned) situations. The process defined by organizations
-                                        to plan and coordinate security-related activities can be included in security
-                                        plans for information systems or other documents, as appropriate.
-                    """
-                  links: 
-                    - 
-                      href: #cp-4
-                      rel:  related
-                      text: CP-4
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                - 
-                  id:    pl-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pl-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(3)[1]
-                      prose: 
-                        """
-                          defines individuals or groups with whom security-related activities affecting
-                                               the information system are to be planned and coordinated before conducting such
-                                               activities in order to reduce the impact on other organizational entities;
-                                               and
-                        """
-                    - 
-                      id:         pl-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PL-2(3)[2]
-                      prose: 
-                        """
-                          plans and coordinates security-related activities affecting the information
-                                               system with organization-defined individuals or groups before conducting such
-                                               activities in order to reduce the impact on other organizational entities.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Security planning policy\n\naccess control policy\n\ncontingency planning policy\n\nprocedures addressing security-related activity planning for the information
-                                               system\n\nsecurity plan for the information system\n\ncontingency plan for the information system\n\ninformation system design documentation\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with security planning and plan implementation
-                                               responsibilities\n\norganizational individuals or groups with whom security-related activities are
-                                               to be planned and coordinated\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         pl-4
-          class:      SP800-53
-          title:      Rules of Behavior
-          parameters: 
-            - 
-              id:          pl-4_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: annually
-          properties: 
-            - 
-              name:  label
-              value: PL-4
-            - 
-              name:  sort-id
-              value: pl-04
-          links: 
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-          parts: 
-            - 
-              id:    pl-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and makes readily available to individuals requiring access to the
-                                        information system, the rules that describe their responsibilities and expected
-                                        behavior with regard to information and information system usage;
-                    """
-                - 
-                  id:         pl-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Receives a signed acknowledgment from such individuals, indicating that they have
-                                        read, understand, and agree to abide by the rules of behavior, before authorizing
-                                        access to information and the information system;
-                    """
-                - 
-                  id:         pl-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and
-                - 
-                  id:         pl-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Requires individuals who have signed a previous version of the rules of behavior
-                                        to read and re-sign when the rules of behavior are revised/updated.
-                    """
-            - 
-              id:    pl-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control enhancement applies to organizational users. Organizations consider
-                                 rules of behavior based on individual user roles and responsibilities,
-                                 differentiating, for example, between rules that apply to privileged users and rules
-                                 that apply to general users. Establishing rules of behavior for some types of
-                                 non-organizational users including, for example, individuals who simply receive
-                                 data/information from federal information systems, is often not feasible given the
-                                 large number of such users and the limited nature of their interactions with the
-                                 systems. Rules of behavior for both organizational and non-organizational users can
-                                 also be established in AC-8, System Use Notification. PL-4 b. (the signed
-                                 acknowledgment portion of this control) may be satisfied by the security awareness
-                                 training and role-based security training programs conducted by organizations if such
-                                 training includes rules of behavior. Organizations can use electronic signatures for
-                                 acknowledging rules of behavior.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-8
-                  rel:  related
-                  text: AC-8
-                - 
-                  href: #ac-9
-                  rel:  related
-                  text: AC-9
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #mp-7
-                  rel:  related
-                  text: MP-7
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #ps-8
-                  rel:  related
-                  text: PS-8
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-            - 
-              id:    pl-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(a)
-                  parts: 
-                    - 
-                      id:         pl-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-4(a)[1]
-                      prose: 
-                        """
-                          establishes, for individuals requiring access to the information system, the
-                                               rules that describe their responsibilities and expected behavior with regard to
-                                               information and information system usage;
-                        """
-                    - 
-                      id:         pl-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(a)[2]
-                      prose: 
-                        """
-                          makes readily available to individuals requiring access to the information
-                                               system, the rules that describe their responsibilities and expected behavior
-                                               with regard to information and information system usage;
-                        """
-                - 
-                  id:         pl-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-4(b)
-                  prose: 
-                    """
-                      receives a signed acknowledgement from such individuals, indicating that they have
-                                        read, understand, and agree to abide by the rules of behavior, before authorizing
-                                        access to information and the information system;
-                    """
-                - 
-                  id:         pl-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(c)
-                  parts: 
-                    - 
-                      id:         pl-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-4(c)[1]
-                      prose:      defines the frequency to review and update the rules of behavior;
-                    - 
-                      id:         pl-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(c)[2]
-                      prose: 
-                        """
-                          reviews and updates the rules of behavior with the organization-defined
-                                               frequency; and
-                        """
-                - 
-                  id:         pl-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-4(d)
-                  prose: 
-                    """
-                      requires individuals who have signed a previous version of the rules of behavior
-                                        to read and resign when the rules of behavior are revised/updated.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for establishing, reviewing, and
-                                        updating rules of behavior\n\norganizational personnel who are authorized users of the information system and
-                                        have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for establishing, reviewing, disseminating, and updating
-                                        rules of behavior\n\nautomated mechanisms supporting and/or implementing the establishment, review,
-                                        dissemination, and update of rules of behavior
-                    """
-          controls: 
-            - 
-              id:         pl-4.1
-              class:      SP800-53-enhancement
-              title:      Social Media and Networking Restrictions
-              properties: 
-                - 
-                  name:  label
-                  value: PL-4(1)
-                - 
-                  name:  sort-id
-                  value: pl-04.01
-              parts: 
-                - 
-                  id:    pl-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization includes in the rules of behavior, explicit restrictions on the
-                                        use of social media/networking sites and posting organizational information on
-                                        public websites.
-                    """
-                - 
-                  id:    pl-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement addresses rules of behavior related to the use of social
-                                        media/networking sites: (i) when organizational personnel are using such sites for
-                                        official duties or in the conduct of official business; (ii) when organizational
-                                        information is involved in social media/networking transactions; and (iii) when
-                                        personnel are accessing social media/networking sites from organizational
-                                        information systems. Organizations also address specific rules that prevent
-                                        unauthorized entities from obtaining and/or inferring non-public organizational
-                                        information (e.g., system account information, personally identifiable
-                                        information) from social media/networking sites.
-                    """
-                - 
-                  id:    pl-4.1_obj
-                  name:  objective
-                  prose: Determine if the organization includes the following in the rules of behavior: 
-                  parts: 
-                    - 
-                      id:         pl-4.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(1)[1]
-                      prose:      explicit restrictions on the use of social media/networking sites; and
-                    - 
-                      id:         pl-4.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(1)[2]
-                      prose:      posting organizational information on public websites.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for establishing, reviewing, and
-                                               updating rules of behavior\n\norganizational personnel who are authorized users of the information system and
-                                               have signed rules of behavior\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for establishing rules of behavior\n\nautomated mechanisms supporting and/or implementing the establishment of rules
-                                               of behavior
-                        """
-        - 
-          id:         pl-8
-          class:      SP800-53
-          title:      Information Security Architecture
-          parameters: 
-            - 
-              id:          pl-8_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or when a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PL-8
-            - 
-              name:  sort-id
-              value: pl-08
-          parts: 
-            - 
-              id:    pl-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops an information security architecture for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Describes the overall philosophy, requirements, and approach to be taken with
-                                               regard to protecting the confidentiality, integrity, and availability of
-                                               organizational information;
-                        """
-                    - 
-                      id:         pl-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Describes how the information security architecture is integrated into and
-                                               supports the enterprise architecture; and
-                        """
-                    - 
-                      id:         pl-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Describes any information security assumptions about, and dependencies on,
-                                               external services;
-                        """
-                - 
-                  id:         pl-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews and updates the information security architecture {{ pl-8_prm_1 }} to reflect updates in the enterprise architecture;
-                                        and
-                    """
-                - 
-                  id:         pl-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that planned information security architecture changes are reflected in
-                                        the security plan, the security Concept of Operations (CONOPS), and organizational
-                                        procurements/acquisitions.
-                    """
-                - 
-                  id:    pl-8_fr
-                  name:  item
-                  title: PL-8(b) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         pl-8_fr_gdn.b
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b) Guidance:
-                      prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-            - 
-              id:    pl-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses actions taken by organizations in the design and development
-                                 of information systems. The information security architecture at the individual
-                                 information system level is consistent with and complements the more global,
-                                 organization-wide information security architecture described in PM-7 that is
-                                 integral to and developed as part of the enterprise architecture. The information
-                                 security architecture includes an architectural description, the placement/allocation
-                                 of security functionality (including security controls), security-related information
-                                 for external interfaces, information being exchanged across the interfaces, and the
-                                 protection mechanisms associated with each interface. In addition, the security
-                                 architecture can include other important security-related information, for example,
-                                 user roles and access privileges assigned to each role, unique security requirements,
-                                 the types of information processed, stored, and transmitted by the information
-                                 system, restoration priorities of information and information system services, and
-                                 any other specific protection needs. In today’s modern architecture, it is becoming
-                                 less common for organizations to control all information resources. There are going
-                                 to be key dependencies on external information services and service providers.
-                                 Describing such dependencies in the information security architecture is important to
-                                 developing a comprehensive mission/business protection strategy. Establishing,
-                                 developing, documenting, and maintaining under configuration control, a baseline
-                                 configuration for organizational information systems is critical to implementing and
-                                 maintaining an effective information security architecture. The development of the
-                                 information security architecture is coordinated with the Senior Agency Official for
-                                 Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to
-                                 support privacy requirements are identified and effectively implemented. PL-8 is
-                                 primarily directed at organizations (i.e., internally focused) to help ensure that
-                                 organizations develop an information security architecture for the information
-                                 system, and that the security architecture is integrated with or tightly coupled to
-                                 the enterprise architecture through the organization-wide information security
-                                 architecture. In contrast, SA-17 is primarily directed at external information
-                                 technology product/system developers and integrators (although SA-17 could be used
-                                 internally within organizations for in-house system development). SA-17, which is
-                                 complementary to PL-8, is selected when organizations outsource the development of
-                                 information systems or information system components to external entities, and there
-                                 is a need to demonstrate/show consistency with the organization’s enterprise
-                                 architecture and information security architecture.
-                """
-              links: 
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-17
-                  rel:  related
-                  text: SA-17
-                - 
-                  href: https://doi.org/10.6028/NIST.SP.800-53r4
-                  rel:  related
-                  text: Appendix J
-            - 
-              id:    pl-8_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PL-8(a)
-                  prose: 
-                    """
-                      develops an information security architecture for the information system that
-                                        describes:
-                    """
-                  parts: 
-                    - 
-                      id:         pl-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(a)(1)
-                      prose: 
-                        """
-                          the overall philosophy, requirements, and approach to be taken with regard to
-                                               protecting the confidentiality, integrity, and availability of organizational
-                                               information;
-                        """
-                    - 
-                      id:         pl-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(a)(2)
-                      prose: 
-                        """
-                          how the information security architecture is integrated into and supports the
-                                               enterprise architecture;
-                        """
-                    - 
-                      id:         pl-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(a)(3)
-                      prose: 
-                        """
-                          any information security assumptions about, and dependencies on, external
-                                               services;
-                        """
-                - 
-                  id:         pl-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-8(b)
-                  parts: 
-                    - 
-                      id:         pl-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-8(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update the information security
-                                               architecture;
-                        """
-                    - 
-                      id:         pl-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-8(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the information security architecture with the
-                                               organization-defined frequency to reflect updates in the enterprise
-                                               architecture;
-                        """
-                - 
-                  id:         pl-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-8(c)
-                  prose: 
-                    """
-                      ensures that planned information security architecture changes are reflected
-                                        in:
-                    """
-                  parts: 
-                    - 
-                      id:         pl-8.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(c)[1]
-                      prose:      the security plan;
-                    - 
-                      id:         pl-8.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(c)[2]
-                      prose:      the security Concept of Operations (CONOPS); and
-                    - 
-                      id:         pl-8.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(c)[3]
-                      prose:      the organizational procurements/acquisitions.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing information security architecture development\n\nprocedures addressing information security architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsecurity plan for the information system\n\nsecurity CONOPS for the information system\n\nrecords of information security architecture reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security planning and plan implementation
-                                        responsibilities\n\norganizational personnel with information security architecture development
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for developing, reviewing, and updating the information
-                                        security architecture\n\nautomated mechanisms supporting and/or implementing the development, review, and
-                                        update of the information security architecture
-                    """
-    - 
-      id:       ps
-      class:    family
-      title:    Personnel Security
-      controls: 
-        - 
-          id:         ps-1
-          class:      SP800-53
-          title:      Personnel Security Policy and Procedures
-          parameters: 
-            - 
-              id:    ps-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ps-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-1
-            - 
-              name:  sort-id
-              value: ps-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ps-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ps-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ps-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A personnel security policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ps-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the personnel security policy
-                                               and associated personnel security controls; and
-                        """
-                - 
-                  id:         ps-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ps-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Personnel security policy {{ ps-1_prm_2 }}; and
-                    - 
-                      id:         ps-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Personnel security procedures {{ ps-1_prm_3 }}.
-            - 
-              id:    ps-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PS
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ps-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-1(a)
-                  parts: 
-                    - 
-                      id:         ps-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ps-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[1]
-                          prose:      develops and documents an personnel security policy that addresses:
-                          parts: 
-                            - 
-                              id:         ps-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ps-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ps-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ps-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ps-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ps-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ps-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ps-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the personnel security policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ps-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the personnel security policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ps-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ps-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      personnel security policy and associated personnel security controls;
-                            """
-                        - 
-                          id:         ps-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ps-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ps-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-1(b)
-                  parts: 
-                    - 
-                      id:         ps-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ps-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current personnel security
-                                                      policy;
-                            """
-                        - 
-                          id:         ps-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current personnel security policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ps-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ps-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current personnel security
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ps-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current personnel security procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ps-2
-          class:      SP800-53
-          title:      Position Risk Designation
-          parameters: 
-            - 
-              id:          ps-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  label
-              value: PS-2
-            - 
-              name:  sort-id
-              value: ps-02
-          links: 
-            - 
-              href: #0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-              rel:  reference
-              text: 5 C.F.R. 731.106
-          parts: 
-            - 
-              id:    ps-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Assigns a risk designation to all organizational positions;
-                - 
-                  id:         ps-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Establishes screening criteria for individuals filling those positions; and
-                - 
-                  id:         ps-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates position risk designations {{ ps-2_prm_1 }}.
-            - 
-              id:    ps-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Position risk designations reflect Office of Personnel Management policy and
-                                 guidance. Risk designations can guide and inform the types of authorizations
-                                 individuals receive when accessing organizational information and information
-                                 systems. Position screening criteria include explicit information security role
-                                 appointment requirements (e.g., training, security clearances).
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-            - 
-              id:    ps-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-2(a)
-                  prose:      assigns a risk designation to all organizational positions;
-                - 
-                  id:         ps-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-2(b)
-                  prose:      establishes screening criteria for individuals filling those positions;
-                - 
-                  id:         ps-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-2(c)
-                  parts: 
-                    - 
-                      id:         ps-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-2(c)[1]
-                      prose:      defines the frequency to review and update position risk designations; and
-                    - 
-                      id:         ps-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-2(c)[2]
-                      prose: 
-                        """
-                          reviews and updates position risk designations with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for assigning, reviewing, and updating position risk
-                                        designations\n\norganizational processes for establishing screening criteria
-                    """
-        - 
-          id:         ps-3
-          class:      SP800-53
-          title:      Personnel Screening
-          parameters: 
-            - 
-              id:          ps-3_prm_1
-              label: 
-                """
-                  organization-defined conditions requiring rescreening and, where rescreening is
-                                 so indicated, the frequency of such rescreening
-                """
-              constraints: 
-                - 
-                  detail: for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-3
-            - 
-              name:  sort-id
-              value: ps-03
-          links: 
-            - 
-              href: #0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-              rel:  reference
-              text: 5 C.F.R. 731.106
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #6caa237b-531b-43ac-9711-d8f6b97b0377
-              rel:  reference
-              text: ICD 704
-          parts: 
-            - 
-              id:    ps-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Screens individuals prior to authorizing access to the information system; and
-                - 
-                  id:         ps-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Rescreens individuals according to {{ ps-3_prm_1 }}.
-            - 
-              id:    ps-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Personnel screening and rescreening activities reflect applicable federal laws,
-                                 Executive Orders, directives, regulations, policies, standards, guidance, and
-                                 specific criteria established for the risk designations of assigned positions.
-                                 Organizations may define different rescreening conditions and frequencies for
-                                 personnel accessing information systems based on types of information processed,
-                                 stored, or transmitted by the systems.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-            - 
-              id:    ps-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-3(a)
-                  prose:      screens individuals prior to authorizing access to the information system;
-                - 
-                  id:         ps-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-3(b)
-                  parts: 
-                    - 
-                      id:         ps-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-3(b)[1]
-                      prose:      defines conditions requiring re-screening;
-                    - 
-                      id:         ps-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-3(b)[2]
-                      prose:      defines the frequency of re-screening where it is so indicated; and
-                    - 
-                      id:         ps-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-3(b)[3]
-                      prose: 
-                        """
-                          re-screens individuals in accordance with organization-defined conditions
-                                               requiring re-screening and, where re-screening is so indicated, with the
-                                               organization-defined frequency of such re-screening.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for personnel screening
-          controls: 
-            - 
-              id:         ps-3.3
-              class:      SP800-53-enhancement
-              title:      Information with Special Protection Measures
-              parameters: 
-                - 
-                  id:          ps-3.3_prm_1
-                  label:       organization-defined additional personnel screening criteria
-                  constraints: 
-                    - 
-                      detail: personnel screening criteria - as required by specific information
-              properties: 
-                - 
-                  name:  label
-                  value: PS-3(3)
-                - 
-                  name:  sort-id
-                  value: ps-03.03
-              parts: 
-                - 
-                  id:    ps-3.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization ensures that individuals accessing an information system
-                                        processing, storing, or transmitting information requiring special protection:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-3.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Have valid access authorizations that are demonstrated by assigned official
-                                               government duties; and
-                        """
-                    - 
-                      id:         ps-3.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Satisfy {{ ps-3.3_prm_1 }}.
-                - 
-                  id:    ps-3.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational information requiring special protection includes, for example,
-                                        Controlled Unclassified Information (CUI) and Sources and Methods Information
-                                        (SAMI). Personnel security criteria include, for example, position sensitivity
-                                        background screening requirements.
-                    """
-                - 
-                  id:    ps-3.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ps-3.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-3(3)(a)
-                      prose: 
-                        """
-                          ensures that individuals accessing an information system processing, storing,
-                                               or transmitting information requiring special protection have valid access
-                                               authorizations that are demonstrated by assigned official government
-                                               duties;
-                        """
-                      links: 
-                        - 
-                          href: #ps-3.3_smt.a
-                          rel:  corresp
-                          text: PS-3(3)(a)
-                    - 
-                      id:         ps-3.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-3(3)(b)
-                      parts: 
-                        - 
-                          id:         ps-3.3.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-3(3)(b)[1]
-                          prose: 
-                            """
-                              defines additional personnel screening criteria to be satisfied for
-                                                      individuals accessing an information system processing, storing, or
-                                                      transmitting information requiring special protection; and
-                            """
-                        - 
-                          id:         ps-3.3.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: PS-3(3)(b)[2]
-                          prose: 
-                            """
-                              ensures that individuals accessing an information system processing,
-                                                      storing, or transmitting information requiring special protection satisfy
-                                                      organization-defined additional personnel screening criteria.
-                            """
-                      links: 
-                        - 
-                          href: #ps-3.3_smt.b
-                          rel:  corresp
-                          text: PS-3(3)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for ensuring valid access authorizations for
-                                               information requiring special protection\n\norganizational process for additional personnel screening for information
-                                               requiring special protection
-                        """
-        - 
-          id:         ps-4
-          class:      SP800-53
-          title:      Personnel Termination
-          parameters: 
-            - 
-              id:          ps-4_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: eight (8) hours
-            - 
-              id:    ps-4_prm_2
-              label: organization-defined information security topics
-            - 
-              id:    ps-4_prm_3
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-4_prm_4
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-4
-            - 
-              name:  sort-id
-              value: ps-04
-          parts: 
-            - 
-              id:    ps-4_smt
-              name:  statement
-              prose: The organization, upon termination of individual employment:
-              parts: 
-                - 
-                  id:         ps-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Disables information system access within {{ ps-4_prm_1 }};
-                - 
-                  id:         ps-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Terminates/revokes any authenticators/credentials associated with the
-                                        individual;
-                    """
-                - 
-                  id:         ps-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};
-                - 
-                  id:         ps-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Retrieves all security-related organizational information system-related
-                                        property;
-                    """
-                - 
-                  id:         ps-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Retains access to organizational information and information systems formerly
-                                        controlled by terminated individual; and
-                    """
-                - 
-                  id:         ps-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}.
-            - 
-              id:    ps-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system-related property includes, for example, hardware authentication
-                                 tokens, system administration technical manuals, keys, identification cards, and
-                                 building passes. Exit interviews ensure that terminated individuals understand the
-                                 security constraints imposed by being former employees and that proper accountability
-                                 is achieved for information system-related property. Security topics of interest at
-                                 exit interviews can include, for example, reminding terminated individuals of
-                                 nondisclosure agreements and potential limitations on future employment. Exit
-                                 interviews may not be possible for some terminated individuals, for example, in cases
-                                 related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-                                 interviews are important for individuals with security clearances. Timely execution
-                                 of termination actions is essential for individuals terminated for cause. In certain
-                                 situations, organizations consider disabling the information system accounts of
-                                 individuals that are being terminated prior to the individuals being notified.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-            - 
-              id:    ps-4_obj
-              name:  objective
-              prose: Determine if the organization, upon termination of individual employment,:
-              parts: 
-                - 
-                  id:         ps-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(a)
-                  parts: 
-                    - 
-                      id:         ps-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(a)[1]
-                      prose:      defines a time period within which to disable information system access;
-                    - 
-                      id:         ps-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-4(a)[2]
-                      prose: 
-                        """
-                          disables information system access within the organization-defined time
-                                               period;
-                        """
-                - 
-                  id:         ps-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-4(b)
-                  prose: 
-                    """
-                      terminates/revokes any authenticators/credentials associated with the
-                                        individual;
-                    """
-                - 
-                  id:         ps-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(c)
-                  parts: 
-                    - 
-                      id:         ps-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(c)[1]
-                      prose: 
-                        """
-                          defines information security topics to be discussed when conducting exit
-                                               interviews;
-                        """
-                    - 
-                      id:         ps-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-4(c)[2]
-                      prose: 
-                        """
-                          conducts exit interviews that include a discussion of organization-defined
-                                               information security topics;
-                        """
-                - 
-                  id:         ps-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-4(d)
-                  prose: 
-                    """
-                      retrieves all security-related organizational information system-related
-                                        property;
-                    """
-                - 
-                  id:         ps-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-4(e)
-                  prose: 
-                    """
-                      retains access to organizational information and information systems formerly
-                                        controlled by the terminated individual;
-                    """
-                - 
-                  id:         ps-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(f)
-                  parts: 
-                    - 
-                      id:         ps-4.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(f)[1]
-                      prose:      defines personnel or roles to be notified of the termination;
-                    - 
-                      id:         ps-4.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(f)[2]
-                      prose: 
-                        """
-                          defines the time period within which to notify organization-defined personnel
-                                               or roles; and
-                        """
-                    - 
-                      id:         ps-4.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-4(f)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for personnel termination\n\nautomated mechanisms supporting and/or implementing personnel termination
-                                        notifications\n\nautomated mechanisms for disabling information system access/revoking
-                                        authenticators
-                    """
-          controls: 
-            - 
-              id:         ps-4.2
-              class:      SP800-53-enhancement
-              title:      Automated Notification
-              parameters: 
-                - 
-                  id:          ps-4.2_prm_1
-                  label:       organization-defined personnel or roles
-                  constraints: 
-                    - 
-                      detail: access control personnel responsible for disabling access to the system
-              properties: 
-                - 
-                  name:  label
-                  value: PS-4(2)
-                - 
-                  name:  sort-id
-                  value: ps-04.02
-              parts: 
-                - 
-                  id:    ps-4.2_smt
-                  name:  statement
-                  prose: The organization employs automated mechanisms to notify {{ ps-4.2_prm_1 }} upon termination of an individual.
-                - 
-                  id:    ps-4.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      In organizations with a large number of employees, not all personnel who need to
-                                        know about termination actions receive the appropriate notifications—or, if such
-                                        notifications are received, they may not occur in a timely manner. Automated
-                                        mechanisms can be used to send automatic alerts or notifications to specific
-                                        organizational personnel or roles (e.g., management personnel, supervisors,
-                                        personnel security officers, information security officers, systems
-                                        administrators, or information technology administrators) when individuals are
-                                        terminated. Such automatic alerts or notifications can be conveyed in a variety of
-                                        ways, including, for example, telephonically, via electronic mail, via text
-                                        message, or via websites.
-                    """
-                - 
-                  id:    ps-4.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ps-4.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(2)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified upon termination of an individual;
-                                               and
-                        """
-                    - 
-                      id:         ps-4.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-4(2)[2]
-                      prose: 
-                        """
-                          employs automated mechanisms to notify organization-defined personnel or roles
-                                               upon termination of an individual.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Personnel security policy\n\nprocedures addressing personnel termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for personnel termination\n\nautomated mechanisms supporting and/or implementing personnel termination
-                                               notifications
-                        """
-        - 
-          id:         ps-5
-          class:      SP800-53
-          title:      Personnel Transfer
-          parameters: 
-            - 
-              id:    ps-5_prm_1
-              label: organization-defined transfer or reassignment actions
-            - 
-              id:          ps-5_prm_2
-              label:       organization-defined time period following the formal transfer action
-              constraints: 
-                - 
-                  detail: twenty-four (24) hours
-            - 
-              id:    ps-5_prm_3
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-5_prm_4
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: twenty-four (24) hours
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-5
-            - 
-              name:  sort-id
-              value: ps-05
-          parts: 
-            - 
-              id:    ps-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Reviews and confirms ongoing operational need for current logical and physical
-                                        access authorizations to information systems/facilities when individuals are
-                                        reassigned or transferred to other positions within the organization;
-                    """
-                - 
-                  id:         ps-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};
-                - 
-                  id:         ps-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Modifies access authorization as needed to correspond with any changes in
-                                        operational need due to reassignment or transfer; and
-                    """
-                - 
-                  id:         ps-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}.
-            - 
-              id:    ps-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies when reassignments or transfers of individuals are permanent or
-                                 of such extended durations as to make the actions warranted. Organizations define
-                                 actions appropriate for the types of reassignments or transfers, whether permanent or
-                                 extended. Actions that may be required for personnel transfers or reassignments to
-                                 other positions within organizations include, for example: (i) returning old and
-                                 issuing new keys, identification cards, and building passes; (ii) closing information
-                                 system accounts and establishing new accounts; (iii) changing information system
-                                 access authorizations (i.e., privileges); and (iv) providing for access to official
-                                 records to which individuals had access at previous work locations and in previous
-                                 information system accounts.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-            - 
-              id:    ps-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(a)
-                  prose: 
-                    """
-                      when individuals are reassigned or transferred to other positions within the
-                                        organization, reviews and confirms ongoing operational need for current:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-5(a)[1]
-                      prose:      logical access authorizations to information systems;
-                    - 
-                      id:         ps-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-5(a)[2]
-                      prose:      physical access authorizations to information systems and facilities;
-                - 
-                  id:         ps-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(b)
-                  parts: 
-                    - 
-                      id:         ps-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(b)[1]
-                      prose: 
-                        """
-                          defines transfer or reassignment actions to be initiated following transfer or
-                                               reassignment;
-                        """
-                    - 
-                      id:         ps-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(b)[2]
-                      prose: 
-                        """
-                          defines the time period within which transfer or reassignment actions must
-                                               occur following transfer or reassignment;
-                        """
-                    - 
-                      id:         ps-5.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-5(b)[3]
-                      prose: 
-                        """
-                          initiates organization-defined transfer or reassignment actions within the
-                                               organization-defined time period following transfer or reassignment;
-                        """
-                - 
-                  id:         ps-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-5(c)
-                  prose: 
-                    """
-                      modifies access authorization as needed to correspond with any changes in
-                                        operational need due to reassignment or transfer;
-                    """
-                - 
-                  id:         ps-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(d)
-                  parts: 
-                    - 
-                      id:         ps-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified when individuals are reassigned or
-                                               transferred to other positions within the organization;
-                        """
-                    - 
-                      id:         ps-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(d)[2]
-                      prose: 
-                        """
-                          defines the time period within which to notify organization-defined personnel
-                                               or roles when individuals are reassigned or transferred to other positions
-                                               within the organization; and
-                        """
-                    - 
-                      id:         ps-5.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-5(d)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period when individuals are reassigned or transferred
-                                               to other positions within the organization.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with personnel security responsibilities organizational
-                                        personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for personnel transfer\n\nautomated mechanisms supporting and/or implementing personnel transfer
-                                        notifications\n\nautomated mechanisms for disabling information system access/revoking
-                                        authenticators
-                    """
-        - 
-          id:         ps-6
-          class:      SP800-53
-          title:      Access Agreements
-          parameters: 
-            - 
-              id:          ps-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ps-6_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually and any time there is a change to the user's level of access
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-6
-            - 
-              name:  sort-id
-              value: ps-06
-          parts: 
-            - 
-              id:    ps-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops and documents access agreements for organizational information
-                                        systems;
-                    """
-                - 
-                  id:         ps-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the access agreements {{ ps-6_prm_1 }}; and
-                - 
-                  id:         ps-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that individuals requiring access to organizational information and
-                                        information systems:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-6_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Sign appropriate access agreements prior to being granted access; and
-                    - 
-                      id:         ps-6_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Re-sign access agreements to maintain access to organizational information
-                                               systems when access agreements have been updated or {{ ps-6_prm_2 }}.
-                        """
-            - 
-              id:    ps-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Access agreements include, for example, nondisclosure agreements, acceptable use
-                                 agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-                                 agreements include an acknowledgement that individuals have read, understand, and
-                                 agree to abide by the constraints associated with organizational information systems
-                                 to which access is authorized. Organizations can use electronic signatures to
-                                 acknowledge access agreements unless specifically prohibited by organizational
-                                 policy.
-                """
-              links: 
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-                - 
-                  href: #ps-8
-                  rel:  related
-                  text: PS-8
-            - 
-              id:    ps-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-6(a)
-                  prose: 
-                    """
-                      develops and documents access agreements for organizational information
-                                        systems;
-                    """
-                - 
-                  id:         ps-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(b)
-                  parts: 
-                    - 
-                      id:         ps-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-6(b)[1]
-                      prose:      defines the frequency to review and update the access agreements;
-                    - 
-                      id:         ps-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-6(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the access agreements with the organization-defined
-                                               frequency;
-                        """
-                - 
-                  id:         ps-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(c)
-                  parts: 
-                    - 
-                      id:         ps-6.c.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-6(c)(1)
-                      prose: 
-                        """
-                          ensures that individuals requiring access to organizational information and
-                                               information systems sign appropriate access agreements prior to being granted
-                                               access;
-                        """
-                    - 
-                      id:         ps-6.c.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-6(c)(2)
-                      parts: 
-                        - 
-                          id:         ps-6.c.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-6(c)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to re-sign access agreements to maintain access to
-                                                      organizational information systems when access agreements have been
-                                                      updated;
-                            """
-                        - 
-                          id:         ps-6.c.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: PS-6(c)(2)[2]
-                          prose: 
-                            """
-                              ensures that individuals requiring access to organizational information and
-                                                      information systems re-sign access agreements to maintain access to
-                                                      organizational information systems when access agreements have been updated
-                                                      or with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Personnel security policy\n\nprocedures addressing access agreements for organizational information and
-                                        information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements
-        - 
-          id:         ps-7
-          class:      SP800-53
-          title:      Third-party Personnel Security
-          parameters: 
-            - 
-              id:    ps-7_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-7_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: terminations: immediately; transfers: within twenty-four (24) hours
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-7
-            - 
-              name:  sort-id
-              value: ps-07
-          links: 
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-          parts: 
-            - 
-              id:    ps-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes personnel security requirements including security roles and
-                                        responsibilities for third-party providers;
-                    """
-                - 
-                  id:         ps-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Requires third-party providers to comply with personnel security policies and
-                                        procedures established by the organization;
-                    """
-                - 
-                  id:         ps-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Documents personnel security requirements;
-                - 
-                  id:         ps-7_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Requires third-party providers to notify {{ ps-7_prm_1 }} of any
-                                        personnel transfers or terminations of third-party personnel who possess
-                                        organizational credentials and/or badges, or who have information system
-                                        privileges within {{ ps-7_prm_2 }}; and
-                    """
-                - 
-                  id:         ps-7_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Monitors provider compliance.
-            - 
-              id:    ps-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Third-party providers include, for example, service bureaus, contractors, and other
-                                 organizations providing information system development, information technology
-                                 services, outsourced applications, and network and security management. Organizations
-                                 explicitly include personnel security requirements in acquisition-related documents.
-                                 Third-party providers may have personnel working at organizational facilities with
-                                 credentials, badges, or information system privileges issued by organizations.
-                                 Notifications of third-party personnel changes ensure appropriate termination of
-                                 privileges and credentials. Organizations define the transfers and terminations
-                                 deemed reportable by security-related characteristics that include, for example,
-                                 functions, roles, and nature of credentials/privileges associated with individuals
-                                 transferred or terminated.
-                """
-              links: 
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-                - 
-                  href: #sa-21
-                  rel:  related
-                  text: SA-21
-            - 
-              id:    ps-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-7(a)
-                  prose: 
-                    """
-                      establishes personnel security requirements, including security roles and
-                                        responsibilities, for third-party providers;
-                    """
-                - 
-                  id:         ps-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-7(b)
-                  prose: 
-                    """
-                      requires third-party providers to comply with personnel security policies and
-                                        procedures established by the organization;
-                    """
-                - 
-                  id:         ps-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-7(c)
-                  prose:      documents personnel security requirements;
-                - 
-                  id:         ps-7.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-7(d)
-                  parts: 
-                    - 
-                      id:         ps-7.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges;
-                        """
-                    - 
-                      id:         ps-7.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[2]
-                      prose: 
-                        """
-                          defines the time period within which third-party providers are required to
-                                               notify organization-defined personnel or roles of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges;
-                        """
-                    - 
-                      id:         ps-7.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[3]
-                      prose: 
-                        """
-                          requires third-party providers to notify organization-defined personnel or
-                                               roles within the organization-defined time period of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges; and
-                        """
-                - 
-                  id:         ps-7.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-7(e)
-                  prose:      monitors provider compliance.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing and monitoring third-party personnel
-                                        security\n\nautomated mechanisms supporting and/or implementing monitoring of provider
-                                        compliance
-                    """
-        - 
-          id:         ps-8
-          class:      SP800-53
-          title:      Personnel Sanctions
-          parameters: 
-            - 
-              id:          ps-8_prm_1
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: at a minimum, the ISSO and/or similar role within the organization
-            - 
-              id:    ps-8_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: PS-8
-            - 
-              name:  sort-id
-              value: ps-08
-          parts: 
-            - 
-              id:    ps-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs a formal sanctions process for individuals failing to comply with
-                                        established information security policies and procedures; and
-                    """
-                - 
-                  id:         ps-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}
-                                        when a formal employee sanctions process is initiated, identifying the individual
-                                        sanctioned and the reason for the sanction.
-                    """
-            - 
-              id:    ps-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Sanctions processes are
-                                 described in access agreements and can be included as part of general personnel
-                                 policies and procedures for organizations. Organizations consult with the Office of
-                                 the General Counsel regarding matters of employee sanctions.
-                """
-              links: 
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-            - 
-              id:    ps-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-8(a)
-                  prose: 
-                    """
-                      employs a formal sanctions process for individuals failing to comply with
-                                        established information security policies and procedures;
-                    """
-                - 
-                  id:         ps-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-8(b)
-                  parts: 
-                    - 
-                      id:         ps-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-8(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified when a formal employee sanctions
-                                               process is initiated;
-                        """
-                    - 
-                      id:         ps-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-8(b)[2]
-                      prose: 
-                        """
-                          defines the time period within which organization-defined personnel or roles
-                                               must be notified when a formal employee sanctions process is initiated; and
-                        """
-                    - 
-                      id:         ps-8.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-8(b)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period when a formal employee sanctions process is
-                                               initiated, identifying the individual sanctioned and the reason for the
-                                               sanction.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and/or implementing notifications
-    - 
-      id:       ra
-      class:    family
-      title:    Risk Assessment
-      controls: 
-        - 
-          id:         ra-1
-          class:      SP800-53
-          title:      Risk Assessment Policy and Procedures
-          parameters: 
-            - 
-              id:    ra-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ra-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ra-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: RA-1
-            - 
-              name:  sort-id
-              value: ra-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ra-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ra-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ra-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A risk assessment policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ra-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the risk assessment policy and
-                                               associated risk assessment controls; and
-                        """
-                - 
-                  id:         ra-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ra-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Risk assessment policy {{ ra-1_prm_2 }}; and
-                    - 
-                      id:         ra-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Risk assessment procedures {{ ra-1_prm_3 }}.
-            - 
-              id:    ra-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the RA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ra-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-1(a)
-                  parts: 
-                    - 
-                      id:         ra-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ra-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[1]
-                          prose:      develops and documents a risk assessment policy that addresses:
-                          parts: 
-                            - 
-                              id:         ra-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ra-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ra-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ra-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ra-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ra-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ra-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ra-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the risk assessment policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ra-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the risk assessment policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         ra-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ra-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      risk assessment policy and associated risk assessment controls;
-                            """
-                        - 
-                          id:         ra-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ra-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ra-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-1(b)
-                  parts: 
-                    - 
-                      id:         ra-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ra-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current risk assessment
-                                                      policy;
-                            """
-                        - 
-                          id:         ra-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current risk assessment policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ra-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ra-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current risk assessment
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ra-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current risk assessment procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: risk assessment policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ra-2
-          class:      SP800-53
-          title:      Security Categorization
-          properties: 
-            - 
-              name:  label
-              value: RA-2
-            - 
-              name:  sort-id
-              value: ra-02
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-          parts: 
-            - 
-              id:    ra-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Categorizes information and the information system in accordance with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance;
-                    """
-                - 
-                  id:         ra-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents the security categorization results (including supporting rationale) in
-                                        the security plan for the information system; and
-                    """
-                - 
-                  id:         ra-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that the authorizing official or authorizing official designated
-                                        representative reviews and approves the security categorization decision.
-                    """
-            - 
-              id:    ra-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Clearly defined authorization boundaries are a prerequisite for effective security
-                                 categorization decisions. Security categories describe the potential adverse impacts
-                                 to organizational operations, organizational assets, and individuals if
-                                 organizational information and information systems are comprised through a loss of
-                                 confidentiality, integrity, or availability. Organizations conduct the security
-                                 categorization process as an organization-wide activity with the involvement of chief
-                                 information officers, senior information security officers, information system
-                                 owners, mission/business owners, and information owners/stewards. Organizations also
-                                 consider the potential adverse impacts to other organizations and, in accordance with
-                                 the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-                                 national-level adverse impacts. Security categorization processes carried out by
-                                 organizations facilitate the development of inventories of information assets, and
-                                 along with CM-8, mappings to specific information system components where information
-                                 is processed, stored, or transmitted.
-                """
-              links: 
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    ra-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: RA-2(a)
-                  prose: 
-                    """
-                      categorizes information and the information system in accordance with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance;
-                    """
-                - 
-                  id:         ra-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: RA-2(b)
-                  prose: 
-                    """
-                      documents the security categorization results (including supporting rationale) in
-                                        the security plan for the information system; and
-                    """
-                - 
-                  id:         ra-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: RA-2(c)
-                  prose: 
-                    """
-                      ensures the authorizing official or authorizing official designated representative
-                                        reviews and approves the security categorization decision.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and
-                                        information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security categorization and risk assessment
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security categorization
-        - 
-          id:         ra-3
-          class:      SP800-53
-          title:      Risk Assessment
-          parameters: 
-            - 
-              id: ra-3_prm_1
-            - 
-              id:          ra-3_prm_2
-              depends-on:  ra-3_prm_1
-              label:       organization-defined document
-              constraints: 
-                - 
-                  detail: security assessment report
-            - 
-              id:          ra-3_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-            - 
-              id:    ra-3_prm_4
-              label: organization-defined personnel or roles
-            - 
-              id:          ra-3_prm_5
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: annually
-          properties: 
-            - 
-              name:  label
-              value: RA-3
-            - 
-              name:  sort-id
-              value: ra-03
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ra-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                                        from the unauthorized access, use, disclosure, disruption, modification, or
-                                        destruction of the information system and the information it processes, stores, or
-                                        transmits;
-                    """
-                - 
-                  id:         ra-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Documents risk assessment results in {{ ra-3_prm_1 }};
-                - 
-                  id:         ra-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews risk assessment results {{ ra-3_prm_3 }};
-                - 
-                  id:         ra-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Disseminates risk assessment results to {{ ra-3_prm_4 }}; and
-                - 
-                  id:         ra-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are
-                                        significant changes to the information system or environment of operation
-                                        (including the identification of new threats and vulnerabilities), or other
-                                        conditions that may impact the security state of the system.
-                    """
-                - 
-                  id:    ra-3_fr
-                  name:  item
-                  title: RA-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ra-3_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
-                    - 
-                      id:         ra-3_fr_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3 (d) Requirement:
-                      prose:      Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-            - 
-              id:    ra-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Clearly defined authorization boundaries are a prerequisite for effective risk
-                                 assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-                                 and impact to organizational operations and assets, individuals, other organizations,
-                                 and the Nation based on the operation and use of information systems. Risk
-                                 assessments also take into account risk from external parties (e.g., service
-                                 providers, contractors operating information systems on behalf of the organization,
-                                 individuals accessing organizational information systems, outsourcing entities). In
-                                 accordance with OMB policy and related E-authentication initiatives, authentication
-                                 of public users accessing federal information systems may also be required to protect
-                                 nonpublic or privacy-related information. As such, organizational assessments of risk
-                                 also address public access to federal information systems. Risk assessments (either
-                                 formal or informal) can be conducted at all three tiers in the risk management
-                                 hierarchy (i.e., organization level, mission/business process level, or information
-                                 system level) and at any phase in the system development life cycle. Risk assessments
-                                 can also be conducted at various steps in the Risk Management Framework, including
-                                 categorization, security control selection, security control implementation, security
-                                 control assessment, information system authorization, and security control
-                                 monitoring. RA-3 is noteworthy in that the control must be partially implemented
-                                 prior to the implementation of other controls in order to complete the first two
-                                 steps in the Risk Management Framework. Risk assessments can play an important role
-                                 in security control selection processes, particularly during the application of
-                                 tailoring guidance, which includes security control supplementation.
-                """
-              links: 
-                - 
-                  href: #ra-2
-                  rel:  related
-                  text: RA-2
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ra-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(a)
-                  prose: 
-                    """
-                      conducts an assessment of risk, including the likelihood and magnitude of harm,
-                                        from the unauthorized access, use, disclosure, disruption, modification, or
-                                        destruction of:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(a)[1]
-                      prose:      the information system;
-                    - 
-                      id:         ra-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(a)[2]
-                      prose:      the information the system processes, stores, or transmits;
-                - 
-                  id:         ra-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(b)
-                  parts: 
-                    - 
-                      id:         ra-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(b)[1]
-                      prose: 
-                        """
-                          defines a document in which risk assessment results are to be documented (if
-                                               not documented in the security plan or risk assessment report);
-                        """
-                    - 
-                      id:         ra-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(b)[2]
-                      prose:      documents risk assessment results in one of the following:
-                      parts: 
-                        - 
-                          id:         ra-3.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][a]
-                          prose:      the security plan;
-                        - 
-                          id:         ra-3.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][b]
-                          prose:      the risk assessment report; or
-                        - 
-                          id:         ra-3.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][c]
-                          prose:      the organization-defined document;
-                - 
-                  id:         ra-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(c)
-                  parts: 
-                    - 
-                      id:         ra-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(c)[1]
-                      prose:      defines the frequency to review risk assessment results;
-                    - 
-                      id:         ra-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(c)[2]
-                      prose:      reviews risk assessment results with the organization-defined frequency;
-                - 
-                  id:         ra-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(d)
-                  parts: 
-                    - 
-                      id:         ra-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom risk assessment results are to be
-                                               disseminated;
-                        """
-                    - 
-                      id:         ra-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(d)[2]
-                      prose: 
-                        """
-                          disseminates risk assessment results to organization-defined personnel or
-                                               roles;
-                        """
-                - 
-                  id:         ra-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(e)
-                  parts: 
-                    - 
-                      id:         ra-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(e)[1]
-                      prose:      defines the frequency to update the risk assessment;
-                    - 
-                      id:         ra-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(e)[2]
-                      prose:      updates the risk assessment:
-                      parts: 
-                        - 
-                          id:         ra-3.e_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][a]
-                          prose:      with the organization-defined frequency;
-                        - 
-                          id:         ra-3.e_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][b]
-                          prose: 
-                            """
-                              whenever there are significant changes to the information system or
-                                                      environment of operation (including the identification of new threats and
-                                                      vulnerabilities); and
-                            """
-                        - 
-                          id:         ra-3.e_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][c]
-                          prose: 
-                            """
-                              whenever there are other conditions that may impact the security state of
-                                                      the system.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for risk assessment\n\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,
-                                        disseminating, and updating the risk assessment
-                    """
-        - 
-          id:         ra-5
-          class:      SP800-53
-          title:      Vulnerability Scanning
-          parameters: 
-            - 
-              id:          ra-5_prm_1
-              label: 
-                """
-                  organization-defined frequency and/or randomly in accordance with
-                                 organization-defined process
-                """
-              constraints: 
-                - 
-                  detail: monthly operating system/infrastructure; monthly web applications and databases
-            - 
-              id:          ra-5_prm_2
-              label:       organization-defined response times
-              constraints: 
-                - 
-                  detail: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery
-            - 
-              id:    ra-5_prm_3
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: RA-5
-            - 
-              name:  sort-id
-              value: ra-05
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #15522e92-9192-463d-9646-6a01982db8ca
-              rel:  reference
-              text: http://cwe.mitre.org
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-          parts: 
-            - 
-              id:    ra-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Scans for vulnerabilities in the information system and hosted applications
-                                           {{ ra-5_prm_1 }} and when new vulnerabilities potentially
-                                        affecting the system/applications are identified and reported;
-                    """
-                - 
-                  id:         ra-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs vulnerability scanning tools and techniques that facilitate
-                                        interoperability among tools and automate parts of the vulnerability management
-                                        process by using standards for:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Enumerating platforms, software flaws, and improper configurations;
-                    - 
-                      id:         ra-5_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Formatting checklists and test procedures; and
-                    - 
-                      id:         ra-5_smt.b.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      Measuring vulnerability impact;
-                - 
-                  id:         ra-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Analyzes vulnerability scan reports and results from security control
-                                        assessments;
-                    """
-                - 
-                  id:         ra-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in
-                                        accordance with an organizational assessment of risk; and
-                    """
-                - 
-                  id:         ra-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Shares information obtained from the vulnerability scanning process and security
-                                        control assessments with {{ ra-5_prm_3 }} to help eliminate similar
-                                        vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                        deficiencies).
-                    """
-                - 
-                  id:         ra-5_fr_smt.a
-                  name:       item
-                  title:      RA-5(a) Additional FedRAMP Requirements and Guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5 (a)Requirement:
-                  prose:      An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-                - 
-                  id:         ra-5_fr_smt.e
-                  name:       item
-                  title:      RA-5(e) Additional FedRAMP Requirements and Guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5 (e)Requirement:
-                  prose:      To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-                - 
-                  id:    ra-5_fr
-                  name:  item
-                  title: RA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ra-5_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          
-                                               **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))
-                        """
-            - 
-              id:    ra-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security categorization of information systems guides the frequency and
-                                 comprehensiveness of vulnerability scans. Organizations determine the required
-                                 vulnerability scanning for all information system components, ensuring that potential
-                                 sources of vulnerabilities such as networked printers, scanners, and copiers are not
-                                 overlooked. Vulnerability analyses for custom software applications may require
-                                 additional approaches such as static analysis, dynamic analysis, binary analysis, or
-                                 a hybrid of the three approaches. Organizations can employ these analysis approaches
-                                 in a variety of tools (e.g., web-based application scanners, static analysis tools,
-                                 binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-                                 example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-                                 protocols, and services that should not be accessible to users or devices; and (iii)
-                                 scanning for improperly configured or incorrectly operating information flow control
-                                 mechanisms. Organizations consider using tools that express vulnerabilities in the
-                                 Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-                                 Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-                                 vulnerabilities. Suggested sources for vulnerability information include the Common
-                                 Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-                                 addition, security control assessments such as red team exercises provide other
-                                 sources of potential vulnerabilities for which to scan. Organizations also consider
-                                 using tools that express vulnerability impact by the Common Vulnerability Scoring
-                                 System (CVSS).
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #ra-2
-                  rel:  related
-                  text: RA-2
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    ra-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(a)
-                  parts: 
-                    - 
-                      id:         ra-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(a)[1]
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[1][a]
-                          prose: 
-                            """
-                              defines the frequency for conducting vulnerability scans on the information
-                                                      system and hosted applications; and/or
-                            """
-                        - 
-                          id:         ra-5.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[1][b]
-                          prose: 
-                            """
-                              defines the process for conducting random vulnerability scans on the
-                                                      information system and hosted applications;
-                            """
-                    - 
-                      id:         ra-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(a)[2]
-                      prose: 
-                        """
-                          in accordance with the organization-defined frequency and/or
-                                               organization-defined process for conducting random scans, scans for
-                                               vulnerabilities in:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[2][a]
-                          prose:      the information system;
-                        - 
-                          id:         ra-5.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[2][b]
-                          prose:      hosted applications;
-                    - 
-                      id:         ra-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(a)[3]
-                      prose: 
-                        """
-                          when new vulnerabilities potentially affecting the system/applications are
-                                               identified and reported, scans for vulnerabilities in:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[3][a]
-                          prose:      the information system;
-                        - 
-                          id:         ra-5.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[3][b]
-                          prose:      hosted applications;
-                - 
-                  id:         ra-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(b)
-                  prose: 
-                    """
-                      employs vulnerability scanning tools and techniques that facilitate
-                                        interoperability among tools and automate parts of the vulnerability management
-                                        process by using standards for:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(1)
-                      parts: 
-                        - 
-                          id:         ra-5.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[1]
-                          prose:      enumerating platforms;
-                        - 
-                          id:         ra-5.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[2]
-                          prose:      enumerating software flaws;
-                        - 
-                          id:         ra-5.b.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[3]
-                          prose:      enumerating improper configurations;
-                    - 
-                      id:         ra-5.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(2)
-                      parts: 
-                        - 
-                          id:         ra-5.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(2)[1]
-                          prose:      formatting checklists;
-                        - 
-                          id:         ra-5.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(2)[2]
-                          prose:      formatting test procedures;
-                    - 
-                      id:         ra-5.b.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(3)
-                      prose:      measuring vulnerability impact;
-                - 
-                  id:         ra-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(c)
-                  parts: 
-                    - 
-                      id:         ra-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(c)[1]
-                      prose:      analyzes vulnerability scan reports;
-                    - 
-                      id:         ra-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(c)[2]
-                      prose:      analyzes results from security control assessments;
-                - 
-                  id:         ra-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(d)
-                  parts: 
-                    - 
-                      id:         ra-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(d)[1]
-                      prose: 
-                        """
-                          defines response times to remediate legitimate vulnerabilities in accordance
-                                               with an organizational assessment of risk;
-                        """
-                    - 
-                      id:         ra-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(d)[2]
-                      prose: 
-                        """
-                          remediates legitimate vulnerabilities within the organization-defined response
-                                               times in accordance with an organizational assessment of risk;
-                        """
-                - 
-                  id:         ra-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(e)
-                  parts: 
-                    - 
-                      id:         ra-5.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(e)[1]
-                      prose: 
-                        """
-                          defines personnel or roles with whom information obtained from the
-                                               vulnerability scanning process and security control assessments is to be
-                                               shared;
-                        """
-                    - 
-                      id:         ra-5.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(e)[2]
-                      prose: 
-                        """
-                          shares information obtained from the vulnerability scanning process with
-                                               organization-defined personnel or roles to help eliminate similar
-                                               vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                               deficiencies); and
-                        """
-                    - 
-                      id:         ra-5.e_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(e)[3]
-                      prose: 
-                        """
-                          shares information obtained from security control assessments with
-                                               organization-defined personnel or roles to help eliminate similar
-                                               vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                               deficiencies).
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with risk assessment, security control assessment and
-                                        vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for vulnerability scanning, analysis, remediation, and
-                                        information sharing\n\nautomated mechanisms supporting and/or implementing vulnerability scanning,
-                                        analysis, remediation, and information sharing
-                    """
-          controls: 
-            - 
-              id:         ra-5.1
-              class:      SP800-53-enhancement
-              title:      Update Tool Capability
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(1)
-                - 
-                  name:  sort-id
-                  value: ra-05.01
-              parts: 
-                - 
-                  id:    ra-5.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs vulnerability scanning tools that include the capability
-                                        to readily update the information system vulnerabilities to be scanned.
-                    """
-                - 
-                  id:    ra-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The vulnerabilities to be scanned need to be readily updated as new
-                                        vulnerabilities are discovered, announced, and scanning methods developed. This
-                                        updating process helps to ensure that potential vulnerabilities in the information
-                                        system are identified and addressed as quickly as possible.
-                    """
-                  links: 
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:         ra-5.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs vulnerability scanning tools that include
-                                        the capability to readily update the information system vulnerabilities to be
-                                        scanned.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning
-                        """
-            - 
-              id:         ra-5.2
-              class:      SP800-53-enhancement
-              title:      Update by Frequency / Prior to New Scan / When Identified
-              parameters: 
-                - 
-                  id:          ra-5.2_prm_1
-                  constraints: 
-                    - 
-                      detail: prior to a new scan
-                - 
-                  id:         ra-5.2_prm_2
-                  depends-on: ra-5.2_prm_1
-                  label:      organization-defined frequency
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: RA-5(2)
-                - 
-                  name:  sort-id
-                  value: ra-05.02
-              parts: 
-                - 
-                  id:    ra-5.2_smt
-                  name:  statement
-                  prose: The organization updates the information system vulnerabilities scanned {{ ra-5.2_prm_1 }}.
-                - 
-                  id:    ra-5.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                    - 
-                      href: #si-5
-                      rel:  related
-                      text: SI-5
-                - 
-                  id:    ra-5.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ra-5.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(2)[1]
-                      prose: 
-                        """
-                          defines the frequency to update the information system vulnerabilities
-                                               scanned;
-                        """
-                    - 
-                      id:         ra-5.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(2)[2]
-                      prose: 
-                        """
-                          updates the information system vulnerabilities scanned one or more of the
-                                               following:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.2_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(2)[2][a]
-                          prose:      with the organization-defined frequency;
-                        - 
-                          id:         ra-5.2_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(2)[2][b]
-                          prose:      prior to a new scan; and/or
-                        - 
-                          id:         ra-5.2_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(2)[2][c]
-                          prose:      when new vulnerabilities are identified and reported.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning
-                        """
-            - 
-              id:         ra-5.3
-              class:      SP800-53-enhancement
-              title:      Breadth / Depth of Coverage
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(3)
-                - 
-                  name:  sort-id
-                  value: ra-05.03
-              parts: 
-                - 
-                  id:    ra-5.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs vulnerability scanning procedures that can identify the
-                                        breadth and depth of coverage (i.e., information system components scanned and
-                                        vulnerabilities checked).
-                    """
-                - 
-                  id:    ra-5.3_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization employs vulnerability scanning procedures that can
-                                        identify:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(3)[1]
-                      prose:      the breadth of coverage (i.e., information system components scanned); and
-                    - 
-                      id:         ra-5.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(3)[2]
-                      prose:      the depth of coverage (i.e., vulnerabilities checked).
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning
-                        """
-            - 
-              id:         ra-5.4
-              class:      SP800-53-enhancement
-              title:      Discoverable Information
-              parameters: 
-                - 
-                  id:          ra-5.4_prm_1
-                  label:       organization-defined corrective actions
-                  constraints: 
-                    - 
-                      detail: notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(4)
-                - 
-                  name:  sort-id
-                  value: ra-05.04
-              parts: 
-                - 
-                  id:    ra-5.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization determines what information about the information system is
-                                        discoverable by adversaries and subsequently takes {{ ra-5.4_prm_1 }}.
-                    """
-                - 
-                  id:    ra-5.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Discoverable information includes information that adversaries could obtain
-                                        without directly compromising or breaching the information system, for example, by
-                                        collecting information the system is exposing or by conducting extensive searches
-                                        of the web. Corrective actions can include, for example, notifying appropriate
-                                        organizational personnel, removing designated information, or changing the
-                                        information system to make designated information less relevant or attractive to
-                                        adversaries.
-                    """
-                  links: 
-                    - 
-                      href: #au-13
-                      rel:  related
-                      text: AU-13
-                - 
-                  id:    ra-5.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ra-5.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(4)[1]
-                      prose: 
-                        """
-                          defines corrective actions to be taken if information about the information
-                                               system is discoverable by adversaries;
-                        """
-                    - 
-                      id:         ra-5.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(4)[2]
-                      prose: 
-                        """
-                          determines what information about the information system is discoverable by
-                                               adversaries; and
-                        """
-                    - 
-                      id:         ra-5.4_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(4)[3]
-                      prose:      subsequently takes organization-defined corrective actions.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Procedures addressing vulnerability scanning\n\nsecurity assessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with vulnerability scanning and/or penetration testing
-                                               responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning\n\nautomated mechanisms supporting and/or implementing risk response\n\nautomated mechanisms supporting and/or implementing incident management and
-                                               response
-                        """
-            - 
-              id:         ra-5.5
-              class:      SP800-53-enhancement
-              title:      Privileged Access
-              parameters: 
-                - 
-                  id:          ra-5.5_prm_1
-                  label:       organization-identified information system components
-                  constraints: 
-                    - 
-                      detail: operating systems / web applications / databases
-                - 
-                  id:          ra-5.5_prm_2
-                  label:       organization-defined vulnerability scanning activities
-                  constraints: 
-                    - 
-                      detail: all scans
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: RA-5(5)
-                - 
-                  name:  sort-id
-                  value: ra-05.05
-              parts: 
-                - 
-                  id:    ra-5.5_smt
-                  name:  statement
-                  prose: The information system implements privileged access authorization to {{ ra-5.5_prm_1 }} for selected {{ ra-5.5_prm_2 }}.
-                - 
-                  id:    ra-5.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      In certain situations, the nature of the vulnerability scanning may be more
-                                        intrusive or the information system component that is the subject of the scanning
-                                        may contain highly sensitive information. Privileged access authorization to
-                                        selected system components facilitates more thorough vulnerability scanning and
-                                        also protects the sensitive nature of such scanning.
-                    """
-                - 
-                  id:    ra-5.5_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ra-5.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(5)[1]
-                      prose: 
-                        """
-                          the organization defines information system components to which privileged
-                                               access is authorized for selected vulnerability scanning activities;
-                        """
-                    - 
-                      id:         ra-5.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(5)[2]
-                      prose: 
-                        """
-                          the organization defines vulnerability scanning activities selected for
-                                               privileged access authorization to organization-defined information system
-                                               components; and
-                        """
-                    - 
-                      id:         ra-5.5_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(5)[3]
-                      prose: 
-                        """
-                          the information system implements privileged access authorization to
-                                               organization-defined information system components for selected
-                                               organization-defined vulnerability scanning activities.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with vulnerability scanning responsibilities\n\nsystem/network administrators\n\norganizational personnel responsible for access control to the information
-                                               system\n\norganizational personnel responsible for configuration management of the
-                                               information system\n\nsystem developers\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nautomated mechanisms supporting and/or implementing access control\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning
-                        """
-            - 
-              id:         ra-5.6
-              class:      SP800-53-enhancement
-              title:      Automated Trend Analyses
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(6)
-                - 
-                  name:  sort-id
-                  value: ra-05.06
-              parts: 
-                - 
-                  id:    ra-5.6_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to compare the results of
-                                        vulnerability scans over time to determine trends in information system
-                                        vulnerabilities.
-                    """
-                  parts: 
-                    - 
-                      id:    ra-5.6_fr
-                      name:  item
-                      title: RA-5 (6) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ra-5.6_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Include in Continuous Monitoring ISSO digest/report to JAB/AO
-                - 
-                  id:    ra-5.6_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                    - 
-                      href: #ir-5
-                      rel:  related
-                      text: IR-5
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                - 
-                  id:         ra-5.6_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to compare the results
-                                        of vulnerability scans over time to determine trends in information system
-                                        vulnerabilities.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\ninformation system design documentation\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning\n\nautomated mechanisms supporting and/or implementing trend analysis of
-                                               vulnerability scan results
-                        """
-            - 
-              id:         ra-5.8
-              class:      SP800-53-enhancement
-              title:      Review Historic Audit Logs
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(8)
-                - 
-                  name:  sort-id
-                  value: ra-05.08
-              parts: 
-                - 
-                  id:    ra-5.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization reviews historic audit logs to determine if a vulnerability
-                                        identified in the information system has been previously exploited.
-                    """
-                  parts: 
-                    - 
-                      id:    ra-5.8_fr
-                      name:  item
-                      title: RA-5 (8) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ra-5.8_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      This enhancement is required for all high vulnerability scan findings.
-                        - 
-                          id:         ra-5.8_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.
-                - 
-                  id:    ra-5.8_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #au-6
-                      rel:  related
-                      text: AU-6
-                - 
-                  id:         ra-5.8_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization reviews historic audit logs to determine if a
-                                        vulnerability identified in the information system has been previously exploited.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\naudit logs\n\nrecords of audit log reviews\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with audit record review responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\norganizational process for audit record review and response\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning\n\nautomated mechanisms supporting and/or implementing audit record review
-                        """
-            - 
-              id:         ra-5.10
-              class:      SP800-53-enhancement
-              title:      Correlate Scanning Information
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(10)
-                - 
-                  name:  sort-id
-                  value: ra-05.10
-              parts: 
-                - 
-                  id:    ra-5.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization correlates the output from vulnerability scanning tools to
-                                        determine the presence of multi-vulnerability/multi-hop attack vectors.
-                    """
-                  parts: 
-                    - 
-                      id:    ra-5.10_fr
-                      name:  item
-                      title: RA-5 (10) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ra-5.10_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      If multiple tools are not used, this control is not applicable.
-                - 
-                  id:         ra-5.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization correlates the output from vulnerability scanning
-                                        tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\nevent/vulnerability correlation logs\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning\n\nautomated mechanisms implementing correlation of vulnerability scan results
-                        """
-    - 
-      id:       sa
-      class:    family
-      title:    System and Services Acquisition
-      controls: 
-        - 
-          id:         sa-1
-          class:      SP800-53
-          title:      System and Services Acquisition Policy and Procedures
-          parameters: 
-            - 
-              id:    sa-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          sa-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          sa-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SA-1
-            - 
-              name:  sort-id
-              value: sa-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    sa-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ sa-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         sa-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and services acquisition policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         sa-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and services
-                                               acquisition policy and associated system and services acquisition controls;
-                                               and
-                        """
-                - 
-                  id:         sa-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         sa-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      System and services acquisition policy {{ sa-1_prm_2 }}; and
-                    - 
-                      id:         sa-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and services acquisition procedures {{ sa-1_prm_3 }}.
-            - 
-              id:    sa-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    sa-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-1(a)
-                  parts: 
-                    - 
-                      id:         sa-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         sa-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and services acquisition policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         sa-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         sa-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         sa-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         sa-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         sa-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         sa-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         sa-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         sa-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and services acquisition
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         sa-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and services acquisition policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         sa-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         sa-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and services acquisition policy and associated system and services
-                                                      acquisition controls;
-                            """
-                        - 
-                          id:         sa-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         sa-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         sa-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-1(b)
-                  parts: 
-                    - 
-                      id:         sa-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         sa-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and services
-                                                      acquisition policy;
-                            """
-                        - 
-                          id:         sa-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and services acquisition policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         sa-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         sa-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and services
-                                                      acquisition procedures; and
-                            """
-                        - 
-                          id:         sa-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and services acquisition procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and services acquisition policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         sa-2
-          class:      SP800-53
-          title:      Allocation of Resources
-          properties: 
-            - 
-              name:  label
-              value: SA-2
-            - 
-              name:  sort-id
-              value: sa-02
-          links: 
-            - 
-              href: #29fcfe59-33cd-494a-8756-5907ae3a8f92
-              rel:  reference
-              text: NIST Special Publication 800-65
-          parts: 
-            - 
-              id:    sa-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines information security requirements for the information system or
-                                        information system service in mission/business process planning;
-                    """
-                - 
-                  id:         sa-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Determines, documents, and allocates the resources required to protect the
-                                        information system or information system service as part of its capital planning
-                                        and investment control process; and
-                    """
-                - 
-                  id:         sa-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Establishes a discrete line item for information security in organizational
-                                        programming and budgeting documentation.
-                    """
-            - 
-              id:    sa-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Resource allocation for information security includes funding for the initial
-                                 information system or information system service acquisition and funding for the
-                                 sustainment of the system/service.
-                """
-              links: 
-                - 
-                  href: #pm-3
-                  rel:  related
-                  text: PM-3
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-            - 
-              id:    sa-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-2(a)
-                  prose: 
-                    """
-                      determines information security requirements for the information system or
-                                        information system service in mission/business process planning;
-                    """
-                - 
-                  id:         sa-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-2(b)
-                  prose: 
-                    """
-                      to protect the information system or information system service as part of its
-                                        capital planning and investment control process:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[1]
-                      prose:      determines the resources required;
-                    - 
-                      id:         sa-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[2]
-                      prose:      documents the resources required;
-                    - 
-                      id:         sa-2.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[3]
-                      prose:      allocates the resources required; and
-                - 
-                  id:         sa-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-2(c)
-                  prose: 
-                    """
-                      establishes a discrete line item for information security in organizational
-                                        programming and budgeting documentation.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security
-                                        requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with capital planning, investment control, organizational
-                                        programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security
-                                        requirements for information systems/services\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and/or implementing organizational capital
-                                        planning, programming, and budgeting
-                    """
-        - 
-          id:         sa-3
-          class:      SP800-53
-          title:      System Development Life Cycle
-          parameters: 
-            - 
-              id:    sa-3_prm_1
-              label: organization-defined system development life cycle
-          properties: 
-            - 
-              name:  label
-              value: SA-3
-            - 
-              name:  sort-id
-              value: sa-03
-          links: 
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #abd950ae-092f-4b7a-b374-1c7c67fe9350
-              rel:  reference
-              text: NIST Special Publication 800-64
-          parts: 
-            - 
-              id:    sa-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Manages the information system using {{ sa-3_prm_1 }} that
-                                        incorporates information security considerations;
-                    """
-                - 
-                  id:         sa-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Defines and documents information security roles and responsibilities throughout
-                                        the system development life cycle;
-                    """
-                - 
-                  id:         sa-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Identifies individuals having information security roles and responsibilities;
-                                        and
-                    """
-                - 
-                  id:         sa-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Integrates the organizational information security risk management process into
-                                        system development life cycle activities.
-                    """
-            - 
-              id:    sa-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  A well-defined system development life cycle provides the foundation for the
-                                 successful development, implementation, and operation of organizational information
-                                 systems. To apply the required security controls within the system development life
-                                 cycle requires a basic understanding of information security, threats,
-                                 vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-                                 The security engineering principles in SA-8 cannot be properly applied if individuals
-                                 that design, code, and test information systems and system components (including
-                                 information technology products) do not understand security. Therefore, organizations
-                                 include qualified personnel, for example, chief information security officers,
-                                 security architects, security engineers, and information system security officers in
-                                 system development life cycle activities to ensure that security requirements are
-                                 incorporated into organizational information systems. It is equally important that
-                                 developers include individuals on the development team that possess the requisite
-                                 security expertise and skills to ensure that needed security capabilities are
-                                 effectively integrated into the information system. Security awareness and training
-                                 programs can help ensure that individuals having key security roles and
-                                 responsibilities have the appropriate experience, skills, and expertise to conduct
-                                 assigned system development life cycle activities. The effective integration of
-                                 security requirements into enterprise architecture also helps to ensure that
-                                 important security considerations are addressed early in the system development life
-                                 cycle and that those considerations are directly related to the organizational
-                                 mission/business processes. This process also facilitates the integration of the
-                                 information security architecture into the enterprise architecture, consistent with
-                                 organizational risk management and information security strategies.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-            - 
-              id:    sa-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-3(a)
-                  parts: 
-                    - 
-                      id:         sa-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-3(a)[1]
-                      prose: 
-                        """
-                          defines a system development life cycle that incorporates information security
-                                               considerations to be used to manage the information system;
-                        """
-                    - 
-                      id:         sa-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-3(a)[2]
-                      prose: 
-                        """
-                          manages the information system using the organization-defined system
-                                               development life cycle;
-                        """
-                - 
-                  id:         sa-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-3(b)
-                  prose: 
-                    """
-                      defines and documents information security roles and responsibilities throughout
-                                        the system development life cycle;
-                    """
-                - 
-                  id:         sa-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-3(c)
-                  prose: 
-                    """
-                      identifies individuals having information security roles and responsibilities;
-                                        and
-                    """
-                - 
-                  id:         sa-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-3(d)
-                  prose: 
-                    """
-                      integrates the organizational information security risk management process into
-                                        system development life cycle activities.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the integration of information security into the system
-                                        development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy/program documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information security and system life cycle
-                                        development responsibilities\n\norganizational personnel with information security risk management
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into
-                                        the SDLC\n\nautomated mechanisms supporting and/or implementing the SDLC
-                    """
-        - 
-          id:         sa-4
-          class:      SP800-53
-          title:      Acquisition Process
-          properties: 
-            - 
-              name:  label
-              value: SA-4
-            - 
-              name:  sort-id
-              value: sa-04
-          links: 
-            - 
-              href: #ad733a42-a7ed-4774-b988-4930c28852f3
-              rel:  reference
-              text: HSPD-12
-            - 
-              href: #1737a687-52fb-4008-b900-cbfa836f7b65
-              rel:  reference
-              text: ISO/IEC 15408
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #0a5db899-f033-467f-8631-f5a8ba971475
-              rel:  reference
-              text: NIST Special Publication 800-23
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-            - 
-              href: #d818efd3-db31-4953-8afa-9e76afe83ce2
-              rel:  reference
-              text: NIST Special Publication 800-36
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #abd950ae-092f-4b7a-b374-1c7c67fe9350
-              rel:  reference
-              text: NIST Special Publication 800-64
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-            - 
-              href: #56d671da-6b7b-4abf-8296-84b61980390a
-              rel:  reference
-              text: Federal Acquisition Regulation
-            - 
-              href: #c95a9986-3cd6-4a98-931b-ccfc56cb11e5
-              rel:  reference
-              text: http://www.niap-ccevs.org
-            - 
-              href: #5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-              rel:  reference
-              text: http://fips201ep.cio.gov
-            - 
-              href: #bbd50dd1-54ce-4432-959d-63ea564b1bb4
-              rel:  reference
-              text: http://www.acquisition.gov/far
-          parts: 
-            - 
-              id:    sa-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization includes the following requirements, descriptions, and criteria,
-                                 explicitly or by reference, in the acquisition contract for the information system,
-                                 system component, or information system service in accordance with applicable federal
-                                 laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-                                 organizational mission/business needs:
-                """
-              parts: 
-                - 
-                  id:         sa-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Security functional requirements;
-                - 
-                  id:         sa-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Security strength requirements;
-                - 
-                  id:         sa-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Security assurance requirements;
-                - 
-                  id:         sa-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Security-related documentation requirements;
-                - 
-                  id:         sa-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Requirements for protecting security-related documentation;
-                - 
-                  id:         sa-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Description of the information system development environment and environment in
-                                        which the system is intended to operate; and
-                    """
-                - 
-                  id:         sa-4_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Acceptance criteria.
-                - 
-                  id:    sa-4_fr
-                  name:  item
-                  title: SA-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sa-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html).
-            - 
-              id:    sa-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system components are discrete, identifiable information technology
-                                 assets (e.g., hardware, software, or firmware) that represent the building blocks of
-                                 an information system. Information system components include commercial information
-                                 technology products. Security functional requirements include security capabilities,
-                                 security functions, and security mechanisms. Security strength requirements
-                                 associated with such capabilities, functions, and mechanisms include degree of
-                                 correctness, completeness, resistance to direct attack, and resistance to tampering
-                                 or bypass. Security assurance requirements include: (i) development processes,
-                                 procedures, practices, and methodologies; and (ii) evidence from development and
-                                 assessment activities providing grounds for confidence that the required security
-                                 functionality has been implemented and the required security strength has been
-                                 achieved. Security documentation requirements address all phases of the system
-                                 development life cycle. Security functionality, assurance, and documentation
-                                 requirements are expressed in terms of security controls and control enhancements
-                                 that have been selected through the tailoring process. The security control tailoring
-                                 process includes, for example, the specification of parameter values through the use
-                                 of assignment and selection statements and the specification of platform dependencies
-                                 and implementation information. Security documentation provides user and
-                                 administrator guidance regarding the implementation and operation of security
-                                 controls. The level of detail required in security documentation is based on the
-                                 security category or classification level of the information system and the degree to
-                                 which organizations depend on the stated security capability, functions, or
-                                 mechanisms to meet overall risk response expectations (as defined in the
-                                 organizational risk management strategy). Security requirements can also include
-                                 organizationally mandated configuration settings specifying allowed functions, ports,
-                                 protocols, and services. Acceptance criteria for information systems, information
-                                 system components, and information system services are defined in the same manner as
-                                 such criteria for any organizational acquisition or procurement. The Federal
-                                 Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-                                 from FISMA.
-                """
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    sa-4_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization includes the following requirements, descriptions, and
-                                 criteria, explicitly or by reference, in the acquisition contracts for the
-                                 information system, system component, or information system service in accordance
-                                 with applicable federal laws, Executive Orders, directives, policies, regulations,
-                                 standards, guidelines, and organizational mission/business needs:
-                """
-              parts: 
-                - 
-                  id:         sa-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(a)
-                  prose:      security functional requirements;
-                - 
-                  id:         sa-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(b)
-                  prose:      security strength requirements;
-                - 
-                  id:         sa-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(c)
-                  prose:      security assurance requirements;
-                - 
-                  id:         sa-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(d)
-                  prose:      security-related documentation requirements;
-                - 
-                  id:         sa-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(e)
-                  prose:      requirements for protecting security-related documentation;
-                - 
-                  id:         sa-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(f)
-                  prose:      description of:
-                  parts: 
-                    - 
-                      id:         sa-4.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(f)[1]
-                      prose:      the information system development environment;
-                    - 
-                      id:         sa-4.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(f)[2]
-                      prose:      the environment in which the system is intended to operate; and
-                - 
-                  id:         sa-4.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(g)
-                  prose:      acceptance criteria.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                        descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\ninformation system design documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security functional, strength, and assurance requirements\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for determining information system security functional,
-                                        strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of
-                                        security requirements in contracts
-                    """
-          controls: 
-            - 
-              id:         sa-4.1
-              class:      SP800-53-enhancement
-              title:      Functional Properties of Security Controls
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(1)
-                - 
-                  name:  sort-id
-                  value: sa-04.01
-              parts: 
-                - 
-                  id:    sa-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to provide a description of the
-                                        functional properties of the security controls to be employed.
-                    """
-                - 
-                  id:    sa-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Functional properties of security controls describe the functionality (i.e.,
-                                        security capability, functions, or mechanisms) visible at the interfaces of the
-                                        controls and specifically exclude functionality and data structures internal to
-                                        the operation of the controls.
-                    """
-                  links: 
-                    - 
-                      href: #sa-5
-                      rel:  related
-                      text: SA-5
-                - 
-                  id:         sa-4.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to provide a description of the
-                                        functional properties of the security controls to be employed.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or
-                                               information system services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security functional requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for determining information system security
-                                               functional, requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and/or implementing acquisitions and inclusion
-                                               of security requirements in contracts
-                        """
-            - 
-              id:         sa-4.2
-              class:      SP800-53-enhancement
-              title:      Design / Implementation Information for Security Controls
-              parameters: 
-                - 
-                  id:          sa-4.2_prm_1
-                  constraints: 
-                    - 
-                      detail: at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]
-                - 
-                  id:         sa-4.2_prm_2
-                  depends-on: sa-4.2_prm_1
-                  label:      organization-defined design/implementation information
-                - 
-                  id:    sa-4.2_prm_3
-                  label: organization-defined level of detail
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(2)
-                - 
-                  name:  sort-id
-                  value: sa-04.02
-              parts: 
-                - 
-                  id:    sa-4.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to provide design and implementation
-                                        information for the security controls to be employed that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}.
-                    """
-                - 
-                  id:    sa-4.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may require different levels of detail in design and implementation
-                                        documentation for security controls employed in organizational information
-                                        systems, system components, or information system services based on
-                                        mission/business requirements, requirements for trustworthiness/resiliency, and
-                                        requirements for analysis and testing. Information systems can be partitioned into
-                                        multiple subsystems. Each subsystem within the system can contain one or more
-                                        modules. The high-level design for the system is expressed in terms of multiple
-                                        subsystems and the interfaces between subsystems providing security-relevant
-                                        functionality. The low-level design for the system is expressed in terms of
-                                        modules with particular emphasis on software and firmware (but not excluding
-                                        hardware) and the interfaces between modules providing security-relevant
-                                        functionality. Source code and hardware schematics are typically referred to as
-                                        the implementation representation of the information system.
-                    """
-                  links: 
-                    - 
-                      href: #sa-5
-                      rel:  related
-                      text: SA-5
-                - 
-                  id:    sa-4.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-4.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-4(2)[1]
-                      prose: 
-                        """
-                          defines level of detail that the developer is required to provide in design and
-                                               implementation information for the security controls to be employed in the
-                                               information system, system component, or information system service;
-                        """
-                    - 
-                      id:         sa-4.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-4(2)[2]
-                      prose: 
-                        """
-                          defines design/implementation information that the developer is to provide for
-                                               the security controls to be employed (if selected);
-                        """
-                    - 
-                      id:         sa-4.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-4(2)[3]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to provide design and implementation information for
-                                               the security controls to be employed that includes, at the organization-defined
-                                               level of detail, one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-4.2_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][a]
-                          prose:      security-relevant external system interfaces;
-                        - 
-                          id:         sa-4.2_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][b]
-                          prose:      high-level design;
-                        - 
-                          id:         sa-4.2_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][c]
-                          prose:      low-level design;
-                        - 
-                          id:         sa-4.2_obj.3.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][d]
-                          prose:      source code;
-                        - 
-                          id:         sa-4.2_obj.3.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][e]
-                          prose:      hardware schematics; and/or
-                        - 
-                          id:         sa-4.2_obj.3.f
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][f]
-                          prose:      organization-defined design/implementation information.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system components, or
-                                               information system services\n\ndesign and implementation information for security controls employed in the
-                                               information system, system component, or information system service\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for determining level of detail for system design and
-                                               security controls\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and/or implementing development of system
-                                               design details
-                        """
-            - 
-              id:         sa-4.8
-              class:      SP800-53-enhancement
-              title:      Continuous Monitoring Plan
-              parameters: 
-                - 
-                  id:          sa-4.8_prm_1
-                  label:       organization-defined level of detail
-                  constraints: 
-                    - 
-                      detail: at least the minimum requirement as defined in control CA-7
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(8)
-                - 
-                  name:  sort-id
-                  value: sa-04.08
-              parts: 
-                - 
-                  id:    sa-4.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to produce a plan for the continuous
-                                        monitoring of security control effectiveness that contains {{ sa-4.8_prm_1 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    sa-4.8_fr
-                      name:  item
-                      title: SA-4 (8) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         sa-4.8_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      CSP must use the same security standards regardless of where the system component or information system service is acquired.
-                - 
-                  id:    sa-4.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The objective of continuous monitoring plans is to determine if the complete set
-                                        of planned, required, and deployed security controls within the information
-                                        system, system component, or information system service continue to be effective
-                                        over time based on the inevitable changes that occur. Developer continuous
-                                        monitoring plans include a sufficient level of detail such that the information
-                                        can be incorporated into the continuous monitoring strategies and programs
-                                        implemented by organizations.
-                    """
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                - 
-                  id:    sa-4.8_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-4.8_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-4(8)[1]
-                      prose: 
-                        """
-                          defines the level of detail the developer of the information system, system
-                                               component, or information system service is required to provide when producing
-                                               a plan for the continuous monitoring of security control effectiveness; and
-                        """
-                    - 
-                      id:         sa-4.8_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-4(8)[2]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to produce a plan for the continuous monitoring of
-                                               security control effectiveness that contains the organization-defined level of
-                                               detail.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing developer continuous monitoring plans\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\ndeveloper continuous monitoring plans\n\nsecurity assessment plans\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice-level agreements\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Vendor processes for continuous monitoring\n\nautomated mechanisms supporting and/or implementing developer continuous
-                                               monitoring
-                        """
-            - 
-              id:         sa-4.9
-              class:      SP800-53-enhancement
-              title:      Functions / Ports / Protocols / Services in Use
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(9)
-                - 
-                  name:  sort-id
-                  value: sa-04.09
-              parts: 
-                - 
-                  id:    sa-4.9_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to identify early in the system
-                                        development life cycle, the functions, ports, protocols, and services intended for
-                                        organizational use.
-                    """
-                - 
-                  id:    sa-4.9_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The identification of functions, ports, protocols, and services early in the
-                                        system development life cycle (e.g., during the initial requirements definition
-                                        and design phases) allows organizations to influence the design of the information
-                                        system, information system component, or information system service. This early
-                                        involvement in the life cycle helps organizations to avoid or minimize the use of
-                                        functions, ports, protocols, or services that pose unnecessarily high risks and
-                                        understand the trade-offs involved in blocking specific ports, protocols, or
-                                        services (or when requiring information system service providers to do so). Early
-                                        identification of functions, ports, protocols, and services avoids costly
-                                        retrofitting of security controls after the information system, system component,
-                                        or information system service has been implemented. SA-9 describes requirements
-                                        for external information system services with organizations identifying which
-                                        functions, ports, protocols, and services are provided from external sources.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #sa-9
-                      rel:  related
-                      text: SA-9
-                - 
-                  id:    sa-4.9_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to identify early in the system
-                                        development life cycle:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-4.9_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: SA-4(9)[1]
-                      prose:      the functions intended for organizational use;
-                    - 
-                      id:         sa-4.9_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(9)[2]
-                      prose:      the ports intended for organizational use;
-                    - 
-                      id:         sa-4.9_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(9)[3]
-                      prose:      the protocols intended for organizational use; and
-                    - 
-                      id:         sa-4.9_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(9)[4]
-                      prose:      the services intended for organizational use.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\ninformation system design documentation\n\ninformation system documentation including functions, ports, protocols, and
-                                               services intended for organizational use\n\nacquisition contracts for information systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice-level agreements\n\norganizational security requirements, descriptions, and criteria for developers
-                                               of information systems, system components, and information system services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                               system\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         sa-4.10
-              class:      SP800-53-enhancement
-              title:      Use of Approved PIV Products
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(10)
-                - 
-                  name:  sort-id
-                  value: sa-04.10
-              parts: 
-                - 
-                  id:    sa-4.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs only information technology products on the FIPS
-                                        201-approved products list for Personal Identity Verification (PIV) capability
-                                        implemented within organizational information systems.
-                    """
-                - 
-                  id:    sa-4.10_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ia-2
-                      rel:  related
-                      text: IA-2
-                    - 
-                      href: #ia-8
-                      rel:  related
-                      text: IA-8
-                - 
-                  id:         sa-4.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs only information technology products on the
-                                        FIPS 201-approved products list for Personal Identity Verification (PIV)
-                                        capability implemented within organizational information systems. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nservice-level agreements\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\norganizational personnel with responsibility for ensuring only FIPS
-                                               201-approved products are implemented\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for selecting and employing FIPS 201-approved
-                                               products
-                        """
-        - 
-          id:         sa-5
-          class:      SP800-53
-          title:      Information System Documentation
-          parameters: 
-            - 
-              id:    sa-5_prm_1
-              label: organization-defined actions
-            - 
-              id:          sa-5_prm_2
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: at a minimum, the ISSO (or similar role within the organization)
-          properties: 
-            - 
-              name:  label
-              value: SA-5
-            - 
-              name:  sort-id
-              value: sa-05
-          parts: 
-            - 
-              id:    sa-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Obtains administrator documentation for the information system, system component,
-                                        or information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Secure configuration, installation, and operation of the system, component, or
-                                               service;
-                        """
-                    - 
-                      id:         sa-5_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Effective use and maintenance of security functions/mechanisms; and
-                    - 
-                      id:         sa-5_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                                               privileged) functions;
-                        """
-                - 
-                  id:         sa-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Obtains user documentation for the information system, system component, or
-                                        information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          User-accessible security functions/mechanisms and how to effectively use those
-                                               security functions/mechanisms;
-                        """
-                    - 
-                      id:         sa-5_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Methods for user interaction, which enables individuals to use the system,
-                                               component, or service in a more secure manner; and
-                        """
-                    - 
-                      id:         sa-5_smt.b.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          User responsibilities in maintaining the security of the system, component, or
-                                               service;
-                        """
-                - 
-                  id:         sa-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Documents attempts to obtain information system, system component, or information
-                                        system service documentation when such documentation is either unavailable or
-                                        nonexistent and takes {{ sa-5_prm_1 }} in response;
-                    """
-                - 
-                  id:         sa-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects documentation as required, in accordance with the risk management
-                                        strategy; and
-                    """
-                - 
-                  id:         sa-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Distributes documentation to {{ sa-5_prm_2 }}.
-            - 
-              id:    sa-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control helps organizational personnel understand the implementation and
-                                 operation of security controls associated with information systems, system
-                                 components, and information system services. Organizations consider establishing
-                                 specific measures to determine the quality/completeness of the content provided. The
-                                 inability to obtain needed documentation may occur, for example, due to the age of
-                                 the information system/component or lack of support from developers and contractors.
-                                 In those situations, organizations may need to recreate selected documentation if
-                                 such documentation is essential to the effective implementation or operation of
-                                 security controls. The level of protection provided for selected information system,
-                                 component, or service documentation is commensurate with the security category or
-                                 classification of the system. For example, documentation associated with a key DoD
-                                 weapons system or command and control system would typically require a higher level
-                                 of protection than a routine administrative system. Documentation that addresses
-                                 information system vulnerabilities may also require an increased level of protection.
-                                 Secure operation of the information system, includes, for example, initially starting
-                                 the system and resuming secure system operation after any lapse in system
-                                 operation.
-                """
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-            - 
-              id:    sa-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-5(a)
-                  prose: 
-                    """
-                      obtains administrator documentation for the information system, system component,
-                                        or information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(1)
-                      parts: 
-                        - 
-                          id:         sa-5.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[1]
-                          prose:      secure configuration of the system, system component, or service;
-                        - 
-                          id:         sa-5.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[2]
-                          prose:      secure installation of the system, system component, or service;
-                        - 
-                          id:         sa-5.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[3]
-                          prose:      secure operation of the system, system component, or service;
-                    - 
-                      id:         sa-5.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(2)
-                      parts: 
-                        - 
-                          id:         sa-5.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(2)[1]
-                          prose:      effective use of the security features/mechanisms;
-                        - 
-                          id:         sa-5.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(2)[2]
-                          prose:      effective maintenance of the security features/mechanisms;
-                    - 
-                      id:         sa-5.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(3)
-                      prose: 
-                        """
-                          known vulnerabilities regarding configuration and use of administrative (i.e.,
-                                               privileged) functions;
-                        """
-                - 
-                  id:         sa-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-5(b)
-                  prose: 
-                    """
-                      obtains user documentation for the information system, system component, or
-                                        information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(1)
-                      parts: 
-                        - 
-                          id:         sa-5.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(b)(1)[1]
-                          prose:      user-accessible security functions/mechanisms;
-                        - 
-                          id:         sa-5.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(b)(1)[2]
-                          prose:      how to effectively use those functions/mechanisms;
-                    - 
-                      id:         sa-5.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(2)
-                      prose: 
-                        """
-                          methods for user interaction, which enables individuals to use the system,
-                                               component, or service in a more secure manner;
-                        """
-                    - 
-                      id:         sa-5.b.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(3)
-                      prose: 
-                        """
-                          user responsibilities in maintaining the security of the system, component, or
-                                               service;
-                        """
-                - 
-                  id:         sa-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(c)
-                  parts: 
-                    - 
-                      id:         sa-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-5(c)[1]
-                      prose: 
-                        """
-                          defines actions to be taken after documented attempts to obtain information
-                                               system, system component, or information system service documentation when such
-                                               documentation is either unavailable or nonexistent;
-                        """
-                    - 
-                      id:         sa-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(c)[2]
-                      prose: 
-                        """
-                          documents attempts to obtain information system, system component, or
-                                               information system service documentation when such documentation is either
-                                               unavailable or nonexistent;
-                        """
-                    - 
-                      id:         sa-5.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(c)[3]
-                      prose:      takes organization-defined actions in response;
-                - 
-                  id:         sa-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-5(d)
-                  prose: 
-                    """
-                      protects documentation as required, in accordance with the risk management
-                                        strategy;
-                    """
-                - 
-                  id:         sa-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(e)
-                  parts: 
-                    - 
-                      id:         sa-5.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-5(e)[1]
-                      prose:      defines personnel or roles to whom documentation is to be distributed; and
-                    - 
-                      id:         sa-5.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(e)[2]
-                      prose:      distributes documentation to organization-defined personnel or roles.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information
-                                        system documentation\n\nlist of actions to be taken in response to documented attempts to obtain
-                                        information system, system component, or information system service
-                                        documentation\n\nrisk management strategy documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for obtaining, protecting, and distributing information
-                                        system administrator and user documentation
-                    """
-        - 
-          id:         sa-8
-          class:      SP800-53
-          title:      Security Engineering Principles
-          properties: 
-            - 
-              name:  label
-              value: SA-8
-            - 
-              name:  sort-id
-              value: sa-08
-          links: 
-            - 
-              href: #21b1ed35-56d2-40a8-bdfe-b461fffe322f
-              rel:  reference
-              text: NIST Special Publication 800-27
-          parts: 
-            - 
-              id:    sa-8_smt
-              name:  statement
-              prose: 
-                """
-                  The organization applies information system security engineering principles in the
-                                 specification, design, development, implementation, and modification of the
-                                 information system.
-                """
-            - 
-              id:    sa-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations apply security engineering principles primarily to new development
-                                 information systems or systems undergoing major upgrades. For legacy systems,
-                                 organizations apply security engineering principles to system upgrades and
-                                 modifications to the extent feasible, given the current state of hardware, software,
-                                 and firmware within those systems. Security engineering principles include, for
-                                 example: (i) developing layered protections; (ii) establishing sound security policy,
-                                 architecture, and controls as the foundation for design; (iii) incorporating security
-                                 requirements into the system development life cycle; (iv) delineating physical and
-                                 logical security boundaries; (v) ensuring that system developers are trained on how
-                                 to build secure software; (vi) tailoring security controls to meet organizational and
-                                 operational needs; (vii) performing threat modeling to identify use cases, threat
-                                 agents, attack vectors, and attack patterns as well as compensating controls and
-                                 design patterns needed to mitigate risk; and (viii) reducing risk to acceptable
-                                 levels, thus enabling informed risk management decisions.
-                """
-              links: 
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-17
-                  rel:  related
-                  text: SA-17
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:    sa-8_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization applies information system security engineering
-                                 principles in: 
-                """
-              parts: 
-                - 
-                  id:         sa-8_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-8[1]
-                  prose:      the specification of the information system;
-                - 
-                  id:         sa-8_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-8[2]
-                  prose:      the design of the information system;
-                - 
-                  id:         sa-8_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-8[3]
-                  prose:      the development of the information system;
-                - 
-                  id:         sa-8_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-8[4]
-                  prose:      the implementation of the information system; and
-                - 
-                  id:         sa-8_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-8[5]
-                  prose:      the modification of the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing security engineering principles used in the specification,
-                                        design, development, implementation, and modification of the information
-                                        system\n\ninformation system design documentation\n\ninformation security requirements and specifications for the information
-                                        system\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security requirements\n\norganizational personnel with information system specification, design,
-                                        development, implementation, and modification responsibilities\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for applying security engineering principles in
-                                        information system specification, design, development, implementation, and
-                                        modification\n\nautomated mechanisms supporting the application of security engineering principles
-                                        in information system specification, design, development, implementation, and
-                                        modification
-                    """
-        - 
-          id:         sa-9
-          class:      SP800-53
-          title:      External Information System Services
-          parameters: 
-            - 
-              id:          sa-9_prm_1
-              label:       organization-defined security controls
-              constraints: 
-                - 
-                  detail: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-            - 
-              id:          sa-9_prm_2
-              label:       organization-defined processes, methods, and techniques
-              constraints: 
-                - 
-                  detail: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-          properties: 
-            - 
-              name:  label
-              value: SA-9
-            - 
-              name:  sort-id
-              value: sa-09
-          links: 
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-          parts: 
-            - 
-              id:    sa-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires that providers of external information system services comply with
-                                        organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive
-                                        Orders, directives, policies, regulations, standards, and guidance;
-                    """
-                - 
-                  id:         sa-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Defines and documents government oversight and user roles and responsibilities
-                                        with regard to external information system services; and
-                    """
-                - 
-                  id:         sa-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Employs {{ sa-9_prm_2 }} to monitor security control compliance by
-                                        external service providers on an ongoing basis.
-                    """
-            - 
-              id:    sa-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  External information system services are services that are implemented outside of the
-                                 authorization boundaries of organizational information systems. This includes
-                                 services that are used by, but not a part of, organizational information systems.
-                                 FISMA and OMB policy require that organizations using external service providers that
-                                 are processing, storing, or transmitting federal information or operating information
-                                 systems on behalf of the federal government ensure that such providers meet the same
-                                 security requirements that federal agencies are required to meet. Organizations
-                                 establish relationships with external service providers in a variety of ways
-                                 including, for example, through joint ventures, business partnerships, contracts,
-                                 interagency agreements, lines of business arrangements, licensing agreements, and
-                                 supply chain exchanges. The responsibility for managing risks from the use of
-                                 external information system services remains with authorizing officials. For services
-                                 external to organizations, a chain of trust requires that organizations establish and
-                                 retain a level of confidence that each participating provider in the potentially
-                                 complex consumer-provider relationship provides adequate protection for the services
-                                 rendered. The extent and nature of this chain of trust varies based on the
-                                 relationships between organizations and the external providers. Organizations
-                                 document the basis for trust relationships so the relationships can be monitored over
-                                 time. External information system services documentation includes government, service
-                                 providers, end user security roles and responsibilities, and service-level
-                                 agreements. Service-level agreements define expectations of performance for security
-                                 controls, describe measurable outcomes, and identify remedies and response
-                                 requirements for identified instances of noncompliance.
-                """
-              links: 
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ir-7
-                  rel:  related
-                  text: IR-7
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-            - 
-              id:    sa-9_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(a)
-                  parts: 
-                    - 
-                      id:         sa-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[1]
-                      prose: 
-                        """
-                          defines security controls to be employed by providers of external information
-                                               system services;
-                        """
-                    - 
-                      id:         sa-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[2]
-                      prose: 
-                        """
-                          requires that providers of external information system services comply with
-                                               organizational information security requirements;
-                        """
-                    - 
-                      id:         sa-9.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[3]
-                      prose: 
-                        """
-                          requires that providers of external information system services employ
-                                               organization-defined security controls in accordance with applicable federal
-                                               laws, Executive Orders, directives, policies, regulations, standards, and
-                                               guidance;
-                        """
-                - 
-                  id:         sa-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(b)
-                  parts: 
-                    - 
-                      id:         sa-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(b)[1]
-                      prose: 
-                        """
-                          defines and documents government oversight with regard to external information
-                                               system services;
-                        """
-                    - 
-                      id:         sa-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(b)[2]
-                      prose: 
-                        """
-                          defines and documents user roles and responsibilities with regard to external
-                                               information system services;
-                        """
-                - 
-                  id:         sa-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(c)
-                  parts: 
-                    - 
-                      id:         sa-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(c)[1]
-                      prose: 
-                        """
-                          defines processes, methods, and techniques to be employed to monitor security
-                                               control compliance by external service providers; and
-                        """
-                    - 
-                      id:         sa-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(c)[2]
-                      prose: 
-                        """
-                          employs organization-defined processes, methods, and techniques to monitor
-                                               security control compliance by external service providers on an ongoing
-                                               basis.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control
-                                        compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external
-                                        provider services\n\nsecurity control assessment evidence from external providers of information system
-                                        services\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring security control compliance by external
-                                        service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external
-                                        service providers on an ongoing basis
-                    """
-          controls: 
-            - 
-              id:         sa-9.1
-              class:      SP800-53-enhancement
-              title:      Risk Assessments / Organizational Approvals
-              parameters: 
-                - 
-                  id:    sa-9.1_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: SA-9(1)
-                - 
-                  name:  sort-id
-                  value: sa-09.01
-              parts: 
-                - 
-                  id:    sa-9.1_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         sa-9.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Conducts an organizational assessment of risk prior to the acquisition or
-                                               outsourcing of dedicated information security services; and
-                        """
-                    - 
-                      id:         sa-9.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Ensures that the acquisition or outsourcing of dedicated information security
-                                               services is approved by {{ sa-9.1_prm_1 }}.
-                        """
-                - 
-                  id:    sa-9.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Dedicated information security services include, for example, incident monitoring,
-                                        analysis and response, operation of information security-related devices such as
-                                        firewalls, or key management services.
-                    """
-                  links: 
-                    - 
-                      href: #ca-6
-                      rel:  related
-                      text: CA-6
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:    sa-9.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-9.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(1)(a)
-                      prose: 
-                        """
-                          conducts an organizational assessment of risk prior to the acquisition or
-                                               outsourcing of dedicated information security services;
-                        """
-                      links: 
-                        - 
-                          href: #sa-9.1_smt.a
-                          rel:  corresp
-                          text: SA-9(1)(a)
-                    - 
-                      id:         sa-9.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(1)(b)
-                      parts: 
-                        - 
-                          id:         sa-9.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-9(1)(b)[1]
-                          prose: 
-                            """
-                              defines personnel or roles designated to approve the acquisition or
-                                                      outsourcing of dedicated information security services; and
-                            """
-                        - 
-                          id:         sa-9.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SA-9(1)(b)[2]
-                          prose: 
-                            """
-                              ensures that the acquisition or outsourcing of dedicated information
-                                                      security services is approved by organization-defined personnel or
-                                                      roles.
-                            """
-                      links: 
-                        - 
-                          href: #sa-9.1_smt.b
-                          rel:  corresp
-                          text: SA-9(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nrisk assessment reports\n\napproval records for acquisition or outsourcing of dedicated information
-                                               security services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information system security responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for conducting a risk assessment prior to acquiring or
-                                               outsourcing dedicated information security services\n\norganizational processes for approving the outsourcing of dedicated information
-                                               security services\n\nautomated mechanisms supporting and/or implementing risk assessment\n\nautomated mechanisms supporting and/or implementing approval processes
-                        """
-            - 
-              id:         sa-9.2
-              class:      SP800-53-enhancement
-              title:      Identification of Functions / Ports / Protocols / Services
-              parameters: 
-                - 
-                  id:          sa-9.2_prm_1
-                  label:       organization-defined external information system services
-                  constraints: 
-                    - 
-                      detail: all external systems where Federal information is processed or stored
-              properties: 
-                - 
-                  name:  label
-                  value: SA-9(2)
-                - 
-                  name:  sort-id
-                  value: sa-09.02
-              parts: 
-                - 
-                  id:    sa-9.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires providers of {{ sa-9.2_prm_1 }} to
-                                        identify the functions, ports, protocols, and other services required for the use
-                                        of such services.
-                    """
-                - 
-                  id:    sa-9.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Information from external service providers regarding the specific functions,
-                                        ports, protocols, and services used in the provision of such services can be
-                                        particularly useful when the need arises to understand the trade-offs involved in
-                                        restricting certain functions/services or blocking certain ports/protocols.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                - 
-                  id:    sa-9.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-9.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(2)[1]
-                      prose: 
-                        """
-                          defines external information system services for which providers of such
-                                               services are to identify the functions, ports, protocols, and other services
-                                               required for the use of such services;
-                        """
-                    - 
-                      id:         sa-9.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: SA-9(2)[2]
-                      prose: 
-                        """
-                          requires providers of organization-defined external information system services
-                                               to identify:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-9.2_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(2)[2][a]
-                          prose:      the functions required for the use of such services;
-                        - 
-                          id:         sa-9.2_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(2)[2][b]
-                          prose:      the ports required for the use of such services;
-                        - 
-                          id:         sa-9.2_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(2)[2][c]
-                          prose:      the protocols required for the use of such services; and
-                        - 
-                          id:         sa-9.2_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(2)[2][d]
-                          prose:      the other services required for the use of such services.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nacquisition documentation\n\nsolicitation documentation, service-level agreements\n\norganizational security requirements and security specifications for external
-                                               service providers\n\nlist of required functions, ports, protocols, and other services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nexternal providers of information system services
-                        """
-            - 
-              id:         sa-9.4
-              class:      SP800-53-enhancement
-              title:      Consistent Interests of Consumers and Providers
-              parameters: 
-                - 
-                  id:    sa-9.4_prm_1
-                  label: organization-defined security safeguards
-                - 
-                  id:          sa-9.4_prm_2
-                  label:       organization-defined external service providers
-                  constraints: 
-                    - 
-                      detail: all external systems where Federal information is processed or stored
-              properties: 
-                - 
-                  name:  label
-                  value: SA-9(4)
-                - 
-                  name:  sort-id
-                  value: sa-09.04
-              parts: 
-                - 
-                  id:    sa-9.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ sa-9.4_prm_1 }} to ensure that the
-                                        interests of {{ sa-9.4_prm_2 }} are consistent with and reflect
-                                        organizational interests.
-                    """
-                - 
-                  id:    sa-9.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      As organizations increasingly use external service providers, the possibility
-                                        exists that the interests of the service providers may diverge from organizational
-                                        interests. In such situations, simply having the correct technical, procedural, or
-                                        operational safeguards in place may not be sufficient if the service providers
-                                        that implement and control those safeguards are not operating in a manner
-                                        consistent with the interests of the consuming organizations. Possible actions
-                                        that organizations might take to address such concerns include, for example,
-                                        requiring background checks for selected service provider personnel, examining
-                                        ownership records, employing only trustworthy service providers (i.e., providers
-                                        with which organizations have had positive experiences), and conducting
-                                        periodic/unscheduled visits to service provider facilities.
-                    """
-                - 
-                  id:    sa-9.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-9.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(4)[1]
-                      prose: 
-                        """
-                          defines external service providers whose interests are to be consistent with
-                                               and reflect organizational interests;
-                        """
-                    - 
-                      id:         sa-9.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(4)[2]
-                      prose: 
-                        """
-                          defines security safeguards to be employed to ensure that the interests of
-                                               organization-defined external service providers are consistent with and reflect
-                                               organizational interests; and
-                        """
-                    - 
-                      id:         sa-9.4_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(4)[3]
-                      prose: 
-                        """
-                          employs organization-defined security safeguards to ensure that the interests
-                                               of organization-defined external service providers are consistent with and
-                                               reflect organizational interests.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\norganizational security requirements/safeguards for external service
-                                               providers\n\npersonnel security policies for external service providers\n\nassessments performed on external service providers\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of information system services
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for defining and employing safeguards to ensure
-                                               consistent interests with external service providers\n\nautomated mechanisms supporting and/or implementing safeguards to ensure
-                                               consistent interests with external service providers
-                        """
-            - 
-              id:         sa-9.5
-              class:      SP800-53-enhancement
-              title:      Processing, Storage, and Service Location
-              parameters: 
-                - 
-                  id:          sa-9.5_prm_1
-                  constraints: 
-                    - 
-                      detail: information processing, information data, AND information services
-                - 
-                  id:          sa-9.5_prm_2
-                  label:       organization-defined locations
-                  constraints: 
-                    - 
-                      detail: U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction
-                - 
-                  id:          sa-9.5_prm_3
-                  label:       organization-defined requirements or conditions
-                  constraints: 
-                    - 
-                      detail: all High Impact Data, Systems, or Services
-              properties: 
-                - 
-                  name:  label
-                  value: SA-9(5)
-                - 
-                  name:  sort-id
-                  value: sa-09.05
-              parts: 
-                - 
-                  id:    sa-9.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization restricts the location of {{ sa-9.5_prm_1 }} to
-                                           {{ sa-9.5_prm_2 }} based on {{ sa-9.5_prm_3 }}.
-                    """
-                - 
-                  id:    sa-9.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The location of information processing, information/data storage, or information
-                                        system services that are critical to organizations can have a direct impact on the
-                                        ability of those organizations to successfully execute their missions/business
-                                        functions. This situation exists when external providers control the location of
-                                        processing, storage or services. The criteria external providers use for the
-                                        selection of processing, storage, or service locations may be different from
-                                        organizational criteria. For example, organizations may want to ensure that
-                                        data/information storage locations are restricted to certain locations to
-                                        facilitate incident response activities (e.g., forensic analyses, after-the-fact
-                                        investigations) in case of information security breaches/compromises. Such
-                                        incident response activities may be adversely affected by the governing laws or
-                                        protocols in the locations where processing and storage occur and/or the locations
-                                        from which information system services emanate.
-                    """
-                - 
-                  id:    sa-9.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-9.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(5)[1]
-                      prose: 
-                        """
-                          defines locations where organization-defined information processing,
-                                               information/data, and/or information system services are to be restricted;
-                        """
-                    - 
-                      id:         sa-9.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(5)[2]
-                      prose: 
-                        """
-                          defines requirements or conditions to restrict the location of information
-                                               processing, information/data, and/or information system services;
-                        """
-                    - 
-                      id:         sa-9.5_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(5)[3]
-                      prose: 
-                        """
-                          restricts the location of one or more of the following to organization-defined
-                                               locations based on organization-defined requirements or conditions:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-9.5_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(5)[3][a]
-                          prose:      information processing;
-                        - 
-                          id:         sa-9.5_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(5)[3][b]
-                          prose:      information/data; and/or
-                        - 
-                          id:         sa-9.5_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(5)[3][c]
-                          prose:      information services.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nrestricted locations for information processing\n\ninformation/data and/or information system services\n\ninformation processing, information/data, and/or information system services to
-                                               be maintained in restricted locations\n\norganizational security requirements or conditions for external providers\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of information system services
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for defining requirements to restrict locations of
-                                               information processing, information/data, or information services\n\norganizational processes for ensuring the location is restricted in accordance
-                                               with requirements or conditions
-                        """
-        - 
-          id:         sa-10
-          class:      SP800-53
-          title:      Developer Configuration Management
-          parameters: 
-            - 
-              id:          sa-10_prm_1
-              constraints: 
-                - 
-                  detail: development, implementation, AND operation
-            - 
-              id:    sa-10_prm_2
-              label: organization-defined configuration items under configuration management
-            - 
-              id:    sa-10_prm_3
-              label: organization-defined personnel
-          properties: 
-            - 
-              name:  label
-              value: SA-10
-            - 
-              name:  sort-id
-              value: sa-10
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    sa-10_smt
-              name:  statement
-              prose: 
-                """
-                  The organization requires the developer of the information system, system component,
-                                 or information system service to:
-                """
-              parts: 
-                - 
-                  id:         sa-10_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Perform configuration management during system, component, or service {{ sa-10_prm_1 }};
-                - 
-                  id:         sa-10_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};
-                - 
-                  id:         sa-10_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Implement only organization-approved changes to the system, component, or
-                                        service;
-                    """
-                - 
-                  id:         sa-10_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Document approved changes to the system, component, or service and the potential
-                                        security impacts of such changes; and
-                    """
-                - 
-                  id:         sa-10_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Track security flaws and flaw resolution within the system, component, or service
-                                        and report findings to {{ sa-10_prm_3 }}.
-                    """
-                - 
-                  id:    sa-10_fr
-                  name:  item
-                  title: SA-10 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sa-10_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)  Requirement:
-                      prose:      For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.
-            - 
-              id:    sa-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control also applies to organizations conducting internal information systems
-                                 development and integration. Organizations consider the quality and completeness of
-                                 the configuration management activities conducted by developers as evidence of
-                                 applying effective security safeguards. Safeguards include, for example, protecting
-                                 from unauthorized modification or destruction, the master copies of all material used
-                                 to generate security-relevant portions of the system hardware, software, and
-                                 firmware. Maintaining the integrity of changes to the information system, information
-                                 system component, or information system service requires configuration control
-                                 throughout the system development life cycle to track authorized changes and prevent
-                                 unauthorized changes. Configuration items that are placed under configuration
-                                 management (if existence/use is required by other security controls) include: the
-                                 formal model; the functional, high-level, and low-level design specifications; other
-                                 design data; implementation documentation; source code and hardware schematics; the
-                                 running version of the object code; tools for comparing new versions of
-                                 security-relevant hardware descriptions and software/firmware source code with
-                                 previous versions; and test fixtures and documentation. Depending on the
-                                 mission/business needs of organizations and the nature of the contractual
-                                 relationships in place, developers may provide configuration management support
-                                 during the operations and maintenance phases of the life cycle.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    sa-10_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-10.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-10(a)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to perform configuration management during one or more of the
-                                        following:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-10.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(a)[1]
-                      prose:      system, component, or service design;
-                    - 
-                      id:         sa-10.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(a)[2]
-                      prose:      system, component, or service development;
-                    - 
-                      id:         sa-10.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(a)[3]
-                      prose:      system, component, or service implementation; and/or
-                    - 
-                      id:         sa-10.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(a)[4]
-                      prose:      system, component, or service operation;
-                - 
-                  id:         sa-10.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-10(b)
-                  parts: 
-                    - 
-                      id:         sa-10.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-10(b)[1]
-                      prose:      defines configuration items to be placed under configuration management;
-                    - 
-                      id:         sa-10.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-10(b)[2]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-10.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(b)[2][a]
-                          prose: 
-                            """
-                              document the integrity of changes to organization-defined items under
-                                                      configuration management;
-                            """
-                        - 
-                          id:         sa-10.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(b)[2][b]
-                          prose: 
-                            """
-                              manage the integrity of changes to organization-defined items under
-                                                      configuration management;
-                            """
-                        - 
-                          id:         sa-10.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(b)[2][c]
-                          prose: 
-                            """
-                              control the integrity of changes to organization-defined items under
-                                                      configuration management;
-                            """
-                - 
-                  id:         sa-10.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-10(c)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to implement only organization-approved changes to the system,
-                                        component, or service;
-                    """
-                - 
-                  id:         sa-10.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-10(d)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to document:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-10.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(d)[1]
-                      prose:      approved changes to the system, component, or service;
-                    - 
-                      id:         sa-10.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(d)[2]
-                      prose:      the potential security impacts of such changes;
-                - 
-                  id:         sa-10.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-10(e)
-                  parts: 
-                    - 
-                      id:         sa-10.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-10(e)[1]
-                      prose: 
-                        """
-                          defines personnel to whom findings, resulting from security flaws and flaw
-                                               resolution tracked within the system, component, or service, are to be
-                                               reported;
-                        """
-                    - 
-                      id:         sa-10.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-10(e)[2]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-10.e_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(e)[2][a]
-                          prose:      track security flaws within the system, component, or service;
-                        - 
-                          id:         sa-10.e_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(e)[2][b]
-                          prose: 
-                            """
-                              track security flaw resolution within the system, component, or service;
-                                                      and
-                            """
-                        - 
-                          id:         sa-10.e_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(e)[2][c]
-                          prose:      report findings to organization-defined personnel.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring developer configuration management\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                        configuration management
-                    """
-          controls: 
-            - 
-              id:         sa-10.1
-              class:      SP800-53-enhancement
-              title:      Software / Firmware Integrity Verification
-              properties: 
-                - 
-                  name:  label
-                  value: SA-10(1)
-                - 
-                  name:  sort-id
-                  value: sa-10.01
-              parts: 
-                - 
-                  id:    sa-10.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to enable integrity verification of
-                                        software and firmware components.
-                    """
-                - 
-                  id:    sa-10.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement allows organizations to detect unauthorized changes to
-                                        software and firmware components through the use of tools, techniques, and/or
-                                        mechanisms provided by developers. Integrity checking mechanisms can also address
-                                        counterfeiting of software and firmware components. Organizations verify the
-                                        integrity of software and firmware components, for example, through secure one-way
-                                        hashes provided by developers. Delivered software and firmware components also
-                                        include any updates to such components.
-                    """
-                  links: 
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:         sa-10.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to enable integrity verification
-                                        of software and firmware components.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system\n\nsystem component, or information system service\n\nsystem developer configuration management plan\n\nsoftware and firmware integrity verification records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring developer configuration management\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                               configuration management
-                        """
-        - 
-          id:         sa-11
-          class:      SP800-53
-          title:      Developer Security Testing and Evaluation
-          parameters: 
-            - 
-              id: sa-11_prm_1
-            - 
-              id:    sa-11_prm_2
-              label: organization-defined depth and coverage
-          properties: 
-            - 
-              name:  label
-              value: SA-11
-            - 
-              name:  sort-id
-              value: sa-11
-          links: 
-            - 
-              href: #1737a687-52fb-4008-b900-cbfa836f7b65
-              rel:  reference
-              text: ISO/IEC 15408
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-            - 
-              href: #15522e92-9192-463d-9646-6a01982db8ca
-              rel:  reference
-              text: http://cwe.mitre.org
-            - 
-              href: #0931209f-00ae-4132-b92c-bc645847e8f9
-              rel:  reference
-              text: http://cve.mitre.org
-            - 
-              href: #4ef539ba-b767-4666-b0d3-168c53005fa3
-              rel:  reference
-              text: http://capec.mitre.org
-          parts: 
-            - 
-              id:    sa-11_smt
-              name:  statement
-              prose: 
-                """
-                  The organization requires the developer of the information system, system component,
-                                 or information system service to:
-                """
-              parts: 
-                - 
-                  id:         sa-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Create and implement a security assessment plan;
-                - 
-                  id:         sa-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Perform {{ sa-11_prm_1 }} testing/evaluation at {{ sa-11_prm_2 }};
-                - 
-                  id:         sa-11_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Produce evidence of the execution of the security assessment plan and the results
-                                        of the security testing/evaluation;
-                    """
-                - 
-                  id:         sa-11_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Implement a verifiable flaw remediation process; and
-                - 
-                  id:         sa-11_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Correct flaws identified during security testing/evaluation.
-            - 
-              id:    sa-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Developmental security testing/evaluation occurs at all post-design phases of the
-                                 system development life cycle. Such testing/evaluation confirms that the required
-                                 security controls are implemented correctly, operating as intended, enforcing the
-                                 desired security policy, and meeting established security requirements. Security
-                                 properties of information systems may be affected by the interconnection of system
-                                 components or changes to those components. These interconnections or changes (e.g.,
-                                 upgrading or replacing applications and operating systems) may adversely affect
-                                 previously implemented security controls. This control provides additional types of
-                                 security testing/evaluation that developers can conduct to reduce or eliminate
-                                 potential flaws. Testing custom software applications may require approaches such as
-                                 static analysis, dynamic analysis, binary analysis, or a hybrid of the three
-                                 approaches. Developers can employ these analysis approaches in a variety of tools
-                                 (e.g., web-based application scanners, static analysis tools, binary analyzers) and
-                                 in source code reviews. Security assessment plans provide the specific activities
-                                 that developers plan to carry out including the types of analyses, testing,
-                                 evaluation, and reviews of software and firmware components, the degree of rigor to
-                                 be applied, and the types of artifacts produced during those processes. The depth of
-                                 security testing/evaluation refers to the rigor and level of detail associated with
-                                 the assessment process (e.g., black box, gray box, or white box testing). The
-                                 coverage of security testing/evaluation refers to the scope (i.e., number and type)
-                                 of the artifacts included in the assessment process. Contracts specify the acceptance
-                                 criteria for security assessment plans, flaw remediation processes, and the evidence
-                                 that the plans/processes have been diligently applied. Methods for reviewing and
-                                 protecting assessment plans, evidence, and documentation are commensurate with the
-                                 security category or classification level of the information system. Contracts may
-                                 specify documentation protection requirements.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    sa-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-11(a)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to create and implement a security plan;
-                    """
-                - 
-                  id:         sa-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-11(b)
-                  parts: 
-                    - 
-                      id:         sa-11.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-11(b)[1]
-                      prose: 
-                        """
-                          defines the depth of testing/evaluation to be performed by the developer of the
-                                               information system, system component, or information system service;
-                        """
-                    - 
-                      id:         sa-11.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-11(b)[2]
-                      prose: 
-                        """
-                          defines the coverage of testing/evaluation to be performed by the developer of
-                                               the information system, system component, or information system service;
-                        """
-                    - 
-                      id:         sa-11.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-11(b)[3]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to perform one or more of the following
-                                               testing/evaluation at the organization-defined depth and coverage:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-11.b_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-11(b)[3][a]
-                          prose:      unit testing/evaluation;
-                        - 
-                          id:         sa-11.b_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-11(b)[3][b]
-                          prose:      integration testing/evaluation;
-                        - 
-                          id:         sa-11.b_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-11(b)[3][c]
-                          prose:      system testing/evaluation; and/or
-                        - 
-                          id:         sa-11.b_obj.3.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-11(b)[3][d]
-                          prose:      regression testing/evaluation;
-                - 
-                  id:         sa-11.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-11(c)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to produce evidence of:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-11.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-11(c)[1]
-                      prose:      the execution of the security assessment plan;
-                    - 
-                      id:         sa-11.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-11(c)[2]
-                      prose:      the results of the security testing/evaluation;
-                - 
-                  id:         sa-11.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-11(d)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to implement a verifiable flaw remediation process; and
-                    """
-                - 
-                  id:         sa-11.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-11(e)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to correct flaws identified during security testing/evaluation.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the information system, system
-                                        component, or information system service\n\nsecurity flaw and remediation tracking records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring developer security testing and
-                                        evaluation\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                        security testing and evaluation
-                    """
-          controls: 
-            - 
-              id:         sa-11.1
-              class:      SP800-53-enhancement
-              title:      Static Code Analysis
-              properties: 
-                - 
-                  name:  label
-                  value: SA-11(1)
-                - 
-                  name:  sort-id
-                  value: sa-11.01
-              parts: 
-                - 
-                  id:    sa-11.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to employ static code analysis tools to
-                                        identify common flaws and document the results of the analysis.
-                    """
-                  parts: 
-                    - 
-                      id:    sa-11.1_fr
-                      name:  item
-                      title: SA-11 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         sa-11.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-                - 
-                  id:    sa-11.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Static code analysis provides a technology and methodology for security reviews.
-                                        Such analysis can be used to identify security vulnerabilities and enforce
-                                        security coding practices. Static code analysis is most effective when used early
-                                        in the development process, when each code change can be automatically scanned for
-                                        potential weaknesses. Static analysis can provide clear remediation guidance along
-                                        with defects to enable developers to fix such defects. Evidence of correct
-                                        implementation of static analysis can include, for example, aggregate defect
-                                        density for critical defect types, evidence that defects were inspected by
-                                        developers or security professionals, and evidence that defects were fixed. An
-                                        excessively high density of ignored findings (commonly referred to as ignored or
-                                        false positives) indicates a potential problem with the analysis process or tool.
-                                        In such cases, organizations weigh the validity of the evidence against evidence
-                                        from other sources.
-                    """
-                - 
-                  id:         sa-11.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to employ static code analysis
-                                        tools to identify common flaws and document the results of the analysis.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsystem developer security test plans\n\nsystem developer security testing results\n\nsecurity flaw and remediation tracking records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring developer security testing and
-                                               evaluation\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                               security testing and evaluation\n\nstatic code analysis tools
-                        """
-            - 
-              id:         sa-11.2
-              class:      SP800-53-enhancement
-              title:      Threat and Vulnerability Analyses
-              properties: 
-                - 
-                  name:  label
-                  value: SA-11(2)
-                - 
-                  name:  sort-id
-                  value: sa-11.02
-              parts: 
-                - 
-                  id:    sa-11.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to perform threat and vulnerability
-                                        analyses and subsequent testing/evaluation of the as-built system, component, or
-                                        service.
-                    """
-                - 
-                  id:    sa-11.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Applications may deviate significantly from the functional and design
-                                        specifications created during the requirements and design phases of the system
-                                        development life cycle. Therefore, threat and vulnerability analyses of
-                                        information systems, system components, and information system services prior to
-                                        delivery are critical to the effective operation of those systems, components, and
-                                        services. Threat and vulnerability analyses at this phase of the life cycle help
-                                        to ensure that design or implementation changes have been accounted for, and that
-                                        any new vulnerabilities created as a result of those changes have been reviewed
-                                        and mitigated.
-                    """
-                  links: 
-                    - 
-                      href: #pm-15
-                      rel:  related
-                      text: PM-15
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    sa-11.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to perform:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-11.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-11(2)[1]
-                      prose:      threat analyses of the as-built, system component, or service;
-                    - 
-                      id:         sa-11.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-11(2)[2]
-                      prose:      vulnerability analyses of the as-built, system component, or service; and
-                    - 
-                      id:         sa-11.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-11(2)[3]
-                      prose: 
-                        """
-                          subsequent testing/evaluation of the as-built, system component, or
-                                               service.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the information system,
-                                               system component, or information system service\n\nvulnerability scanning results\n\ninformation system risk assessment reports\n\nthreat and vulnerability analysis reports\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring developer security testing and
-                                               evaluation\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                               security testing and evaluation
-                        """
-            - 
-              id:         sa-11.8
-              class:      SP800-53-enhancement
-              title:      Dynamic Code Analysis
-              properties: 
-                - 
-                  name:  label
-                  value: SA-11(8)
-                - 
-                  name:  sort-id
-                  value: sa-11.08
-              parts: 
-                - 
-                  id:    sa-11.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to employ dynamic code analysis tools to
-                                        identify common flaws and document the results of the analysis.
-                    """
-                  parts: 
-                    - 
-                      id:    sa-11.8_fr
-                      name:  item
-                      title: SA-11 (8) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         sa-11.8_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-                - 
-                  id:    sa-11.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Dynamic code analysis provides run-time verification of software programs, using
-                                        tools capable of monitoring programs for memory corruption, user privilege issues,
-                                        and other potential security problems. Dynamic code analysis employs run-time
-                                        tools to help to ensure that security functionality performs in the manner in
-                                        which it was designed. A specialized type of dynamic analysis, known as fuzz
-                                        testing, induces program failures by deliberately introducing malformed or random
-                                        data into software programs. Fuzz testing strategies derive from the intended use
-                                        of applications and the functional and design specifications for the applications.
-                                        To understand the scope of dynamic code analysis and hence the assurance provided,
-                                        organizations may also consider conducting code coverage analysis (checking the
-                                        degree to which the code has been tested using metrics such as percent of
-                                        subroutines tested or percent of program statements called during execution of the
-                                        test suite) and/or concordance analysis (checking for words that are out of place
-                                        in software code such as non-English language words or derogatory terms).
-                    """
-                - 
-                  id:         sa-11.8_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to employ dynamic code analysis
-                                        tools to identify common flaws and document the results of the analysis.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsystem developer security test and evaluation plans\n\nsecurity test and evaluation results\n\nsecurity flaw and remediation tracking reports\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring developer security testing and
-                                               evaluation\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                               security testing and evaluation
-                        """
-        - 
-          id:         sa-12
-          class:      SP800-53
-          title:      Supply Chain Protection
-          parameters: 
-            - 
-              id:          sa-12_prm_1
-              label:       organization-defined security safeguards
-              constraints: 
-                - 
-                  detail: organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures
-          properties: 
-            - 
-              name:  label
-              value: SA-12
-            - 
-              name:  sort-id
-              value: sa-12
-          links: 
-            - 
-              href: #8ab6bcdc-339b-4068-b45e-994814a6e187
-              rel:  reference
-              text: NIST Special Publication 800-161
-            - 
-              href: #bdd2f49e-edf7-491f-a178-4487898228f3
-              rel:  reference
-              text: NIST Interagency Report 7622
-          parts: 
-            - 
-              id:    sa-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization protects against supply chain threats to the information system,
-                                 system component, or information system service by employing {{ sa-12_prm_1 }} as part of a comprehensive, defense-in-breadth
-                                 information security strategy.
-                """
-            - 
-              id:    sa-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems (including system components that compose those systems) need to
-                                 be protected throughout the system development life cycle (i.e., during design,
-                                 development, manufacturing, packaging, assembly, distribution, system integration,
-                                 operations, maintenance, and retirement). Protection of organizational information
-                                 systems is accomplished through threat awareness, by the identification, management,
-                                 and reduction of vulnerabilities at each phase of the life cycle and the use of
-                                 complementary, mutually reinforcing strategies to respond to risk. Organizations
-                                 consider implementing a standardized process to address supply chain risk with
-                                 respect to information systems and system components, and to educate the acquisition
-                                 workforce on threats, risk, and required security controls. Organizations use the
-                                 acquisition/procurement processes to require supply chain entities to implement
-                                 necessary security safeguards to: (i) reduce the likelihood of unauthorized
-                                 modifications at each stage in the supply chain; and (ii) protect information systems
-                                 and information system components, prior to taking delivery of such
-                                 systems/components. This control also applies to information system services.
-                                 Security safeguards include, for example: (i) security controls for development
-                                 systems, development facilities, and external connections to development systems;
-                                 (ii) vetting development personnel; and (iii) use of tamper-evident packaging during
-                                 shipping/warehousing. Methods for reviewing and protecting development plans,
-                                 evidence, and documentation are commensurate with the security category or
-                                 classification level of the information system. Contracts may specify documentation
-                                 protection requirements.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #pl-8
-                  rel:  related
-                  text: PL-8
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #sa-14
-                  rel:  related
-                  text: SA-14
-                - 
-                  href: #sa-15
-                  rel:  related
-                  text: SA-15
-                - 
-                  href: #sa-18
-                  rel:  related
-                  text: SA-18
-                - 
-                  href: #sa-19
-                  rel:  related
-                  text: SA-19
-                - 
-                  href: #sc-29
-                  rel:  related
-                  text: SC-29
-                - 
-                  href: #sc-30
-                  rel:  related
-                  text: SC-30
-                - 
-                  href: #sc-38
-                  rel:  related
-                  text: SC-38
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    sa-12_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-12[1]
-                  prose: 
-                    """
-                      defines security safeguards to be employed to protect against supply chain threats
-                                        to the information system, system component, or information system service;
-                                        and
-                    """
-                - 
-                  id:         sa-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-12[2]
-                  prose: 
-                    """
-                      protects against supply chain threats to the information system, system component,
-                                        or information system service by employing organization-defined security
-                                        safeguards as part of a comprehensive, defense-in-breadth information security
-                                        strategy.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into
-                                        the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\nlist of supply chain threats\n\nlist of security safeguards to be taken against supply chain threats\n\nsystem development life cycle documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining safeguards for and protecting against supply
-                                        chain threats\n\nautomated mechanisms supporting and/or implementing safeguards for supply chain
-                                        threats
-                    """
-        - 
-          id:         sa-15
-          class:      SP800-53
-          title:      Development Process, Standards, and Tools
-          parameters: 
-            - 
-              id:          sa-15_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: as needed and as dictated by the current threat posture
-            - 
-              id:          sa-15_prm_2
-              label:       organization-defined security requirements
-              constraints: 
-                - 
-                  detail: organization and service provider- defined security requirements
-          properties: 
-            - 
-              name:  label
-              value: SA-15
-            - 
-              name:  sort-id
-              value: sa-15
-          parts: 
-            - 
-              id:    sa-15_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-15_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires the developer of the information system, system component, or information
-                                        system service to follow a documented development process that:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-15_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Explicitly addresses security requirements;
-                    - 
-                      id:         sa-15_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Identifies the standards and tools used in the development process;
-                    - 
-                      id:         sa-15_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Documents the specific tool options and tool configurations used in the
-                                               development process; and
-                        """
-                    - 
-                      id:         sa-15_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Documents, manages, and ensures the integrity of changes to the process and/or
-                                               tools used in development; and
-                        """
-                - 
-                  id:         sa-15_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews the development process, standards, tools, and tool options/configurations
-                                           {{ sa-15_prm_1 }} to determine if the process, standards, tools,
-                                        and tool options/configurations selected and employed can satisfy {{ sa-15_prm_2 }}.
-                    """
-            - 
-              id:    sa-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  Development tools include, for example, programming languages and computer-aided
-                                 design (CAD) systems. Reviews of development processes can include, for example, the
-                                 use of maturity models to determine the potential effectiveness of such processes.
-                                 Maintaining the integrity of changes to tools and processes enables accurate supply
-                                 chain risk assessment and mitigation, and requires robust configuration control
-                                 throughout the life cycle (including design, development, transport, delivery,
-                                 integration, and maintenance) to track authorized changes and prevent unauthorized
-                                 changes.
-                """
-              links: 
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-            - 
-              id:    sa-15_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-15.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-15(a)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to follow a documented development process that:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-15.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-15(a)(1)
-                      prose:      explicitly addresses security requirements;
-                    - 
-                      id:         sa-15.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-15(a)(2)
-                      prose:      identifies the standards and tools used in the development process;
-                    - 
-                      id:         sa-15.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-15(a)(3)
-                      parts: 
-                        - 
-                          id:         sa-15.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-15(a)(3)[1]
-                          prose:      documents the specific tool options used in the development process;
-                        - 
-                          id:         sa-15.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-15(a)(3)[2]
-                          prose: 
-                            """
-                              documents the specific tool configurations used in the development
-                                                      process;
-                            """
-                    - 
-                      id:         sa-15.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-15(a)(4)
-                      parts: 
-                        - 
-                          id:         sa-15.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-15(a)(4)[1]
-                          prose:      documents changes to the process and/or tools used in the development;
-                        - 
-                          id:         sa-15.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-15(a)(4)[2]
-                          prose:      manages changes to the process and/or tools used in the development;
-                        - 
-                          id:         sa-15.a.4_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-15(a)(4)[3]
-                          prose: 
-                            """
-                              ensures the integrity of changes to the process and/or tools used in the
-                                                      development;
-                            """
-                - 
-                  id:         sa-15.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-15(b)
-                  parts: 
-                    - 
-                      id:         sa-15.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-15(b)[1]
-                      prose: 
-                        """
-                          defines a frequency to review the development process, standards, tools, and
-                                               tool options/configurations;
-                        """
-                    - 
-                      id:         sa-15.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-15(b)[2]
-                      prose: 
-                        """
-                          defines security requirements to be satisfied by the process, standards, tools,
-                                               and tool option/configurations selected and employed; and
-                        """
-                    - 
-                      id:         sa-15.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-15(b)[3]
-                      parts: 
-                        - 
-                          id:         sa-15.b_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-15(b)[3][a]
-                          prose: 
-                            """
-                              reviews the development process with the organization-defined frequency to
-                                                      determine if the process selected and employed can satisfy
-                                                      organization-defined security requirements;
-                            """
-                        - 
-                          id:         sa-15.b_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-15(b)[3][b]
-                          prose: 
-                            """
-                              reviews the development standards with the organization-defined frequency to
-                                                      determine if the standards selected and employed can satisfy
-                                                      organization-defined security requirements;
-                            """
-                        - 
-                          id:         sa-15.b_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-15(b)[3][c]
-                          prose: 
-                            """
-                              reviews the development tools with the organization-defined frequency to
-                                                      determine if the tools selected and employed can satisfy
-                                                      organization-defined security requirements; and
-                            """
-                        - 
-                          id:         sa-15.b_obj.3.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-15(b)[3][d]
-                          prose: 
-                            """
-                              reviews the development tool options/configurations with the
-                                                      organization-defined frequency to determine if the tool
-                                                      options/configurations selected and employed can satisfy
-                                                      organization-defined security requirements.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security requirements during the
-                                        development process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\nsystem developer documentation listing tool options/configuration guides,
-                                        configuration management records\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of development process, standards, tools, and tool
-                                        options/configurations\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer
-        - 
-          id:         sa-16
-          class:      SP800-53
-          title:      Developer-provided Training
-          parameters: 
-            - 
-              id:    sa-16_prm_1
-              label: organization-defined training
-          properties: 
-            - 
-              name:  label
-              value: SA-16
-            - 
-              name:  sort-id
-              value: sa-16
-          parts: 
-            - 
-              id:    sa-16_smt
-              name:  statement
-              prose: 
-                """
-                  The organization requires the developer of the information system, system component,
-                                 or information system service to provide {{ sa-16_prm_1 }} on the
-                                 correct use and operation of the implemented security functions, controls, and/or
-                                 mechanisms.
-                """
-            - 
-              id:    sa-16_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to external and internal (in-house) developers. Training of
-                                 personnel is an essential element to ensure the effectiveness of security controls
-                                 implemented within organizational information systems. Training options include, for
-                                 example, classroom-style training, web-based/computer-based training, and hands-on
-                                 training. Organizations can also request sufficient training materials from
-                                 developers to conduct in-house training or offer self-training to organizational
-                                 personnel. Organizations determine the type of training necessary and may require
-                                 different types of training for different security functions, controls, or
-                                 mechanisms.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-            - 
-              id:    sa-16_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-16_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-16[1]
-                  prose: 
-                    """
-                      defines training to be provided by the developer of the information system, system
-                                        component, or information system service; and
-                    """
-                - 
-                  id:         sa-16_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: SA-16[2]
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to provide organization-defined training on the correct use and
-                                        operation of the implemented security functions, controls, and/or mechanisms.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\ndeveloper-provided training materials\n\ntraining records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information system security responsibilities\n\nsystem developer\n\norganizational or third-party developers with training responsibilities for the
-                                        information system, system component, or information system service
-                    """
-        - 
-          id:         sa-17
-          class:      SP800-53
-          title:      Developer Security Architecture and Design
-          properties: 
-            - 
-              name:  label
-              value: SA-17
-            - 
-              name:  sort-id
-              value: sa-17
-          parts: 
-            - 
-              id:    sa-17_smt
-              name:  statement
-              prose: 
-                """
-                  The organization requires the developer of the information system, system component,
-                                 or information system service to produce a design specification and security
-                                 architecture that:
-                """
-              parts: 
-                - 
-                  id:         sa-17_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Is consistent with and supportive of the organization’s security architecture
-                                        which is established within and is an integrated part of the organization’s
-                                        enterprise architecture;
-                    """
-                - 
-                  id:         sa-17_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Accurately and completely describes the required security functionality, and the
-                                        allocation of security controls among physical and logical components; and
-                    """
-                - 
-                  id:         sa-17_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Expresses how individual security functions, mechanisms, and services work
-                                        together to provide required security capabilities and a unified approach to
-                                        protection.
-                    """
-            - 
-              id:    sa-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control is primarily directed at external developers, although it could also be
-                                 used for internal (in-house) development. In contrast, PL-8 is primarily directed at
-                                 internal developers to help ensure that organizations develop an information security
-                                 architecture and such security architecture is integrated or tightly coupled to the
-                                 enterprise architecture. This distinction is important if/when organizations
-                                 outsource the development of information systems, information system components, or
-                                 information system services to external entities, and there is a requirement to
-                                 demonstrate consistency with the organization’s enterprise architecture and
-                                 information security architecture.
-                """
-              links: 
-                - 
-                  href: #pl-8
-                  rel:  related
-                  text: PL-8
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-            - 
-              id:    sa-17_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization requires the developer of the information system,
-                                 system component, or information system service to produce a design specification and
-                                 security architecture that:
-                """
-              parts: 
-                - 
-                  id:         sa-17.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: SA-17(a)
-                  prose: 
-                    """
-                      is consistent with and supportive of the organization’s security architecture
-                                        which is established within and is an integrated part of the organization’s
-                                        enterprise architecture;
-                    """
-                - 
-                  id:         sa-17.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: SA-17(b)
-                  prose:      accurately and completely describes:
-                  parts: 
-                    - 
-                      id:         sa-17.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-17(b)[1]
-                      prose:      the required security functionality;
-                    - 
-                      id:         sa-17.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-17(b)[2]
-                      prose: 
-                        """
-                          the allocation of security controls among physical and logical components;
-                                               and
-                        """
-                - 
-                  id:         sa-17.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: SA-17(c)
-                  prose: 
-                    """
-                      expresses how individual security functions, mechanisms, and services work
-                                        together to provide required security capabilities and a unified approach to
-                                        protection.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specification for
-                                        the information system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\ndesign specification and security architecture documentation for the system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with security architecture and design
-                                        responsibilities
-                    """
-    - 
-      id:       sc
-      class:    family
-      title:    System and Communications Protection
-      controls: 
-        - 
-          id:         sc-1
-          class:      SP800-53
-          title:      System and Communications Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    sc-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          sc-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          sc-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SC-1
-            - 
-              name:  sort-id
-              value: sc-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    sc-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sc-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ sc-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         sc-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and communications protection policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         sc-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and communications
-                                               protection policy and associated system and communications protection controls;
-                                               and
-                        """
-                - 
-                  id:         sc-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         sc-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          System and communications protection policy {{ sc-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         sc-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and communications protection procedures {{ sc-1_prm_3 }}.
-            - 
-              id:    sc-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SC
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    sc-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-1(a)
-                  parts: 
-                    - 
-                      id:         sc-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(a)(1)
-                      parts: 
-                        - 
-                          id:         sc-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and communications protection policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         sc-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         sc-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         sc-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         sc-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         sc-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         sc-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         sc-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         sc-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and communications protection
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         sc-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and communications protection policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         sc-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(a)(2)
-                      parts: 
-                        - 
-                          id:         sc-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and communications protection policy and associated system and
-                                                      communications protection controls;
-                            """
-                        - 
-                          id:         sc-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         sc-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         sc-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-1(b)
-                  parts: 
-                    - 
-                      id:         sc-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(b)(1)
-                      parts: 
-                        - 
-                          id:         sc-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      communications protection policy;
-                            """
-                        - 
-                          id:         sc-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and communications protection policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         sc-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(b)(2)
-                      parts: 
-                        - 
-                          id:         sc-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      communications protection procedures; and
-                            """
-                        - 
-                          id:         sc-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and communications protection
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and communications protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         sc-2
-          class:      SP800-53
-          title:      Application Partitioning
-          properties: 
-            - 
-              name:  label
-              value: SC-2
-            - 
-              name:  sort-id
-              value: sc-02
-          parts: 
-            - 
-              id:    sc-2_smt
-              name:  statement
-              prose: 
-                """
-                  The information system separates user functionality (including user interface
-                                 services) from information system management functionality.
-                """
-            - 
-              id:    sc-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system management functionality includes, for example, functions
-                                 necessary to administer databases, network components, workstations, or servers, and
-                                 typically requires privileged user access. The separation of user functionality from
-                                 information system management functionality is either physical or logical.
-                                 Organizations implement separation of system management-related functionality from
-                                 user functionality by using different computers, different central processing units,
-                                 different instances of operating systems, different network addresses, virtualization
-                                 techniques, or combinations of these or other methods, as appropriate. This type of
-                                 separation includes, for example, web administrative interfaces that use separate
-                                 authentication methods for users of any other information system resources.
-                                 Separation of system and user functionality may include isolating administrative
-                                 interfaces on different domains and with additional access controls.
-                """
-              links: 
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:         sc-2_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system separates user functionality (including user
-                                 interface services) from information system management functionality.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing application partitioning\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Separation of user functionality from information system management
-                                        functionality
-                    """
-        - 
-          id:         sc-3
-          class:      SP800-53
-          title:      Security Function Isolation
-          properties: 
-            - 
-              name:  label
-              value: SC-3
-            - 
-              name:  sort-id
-              value: sc-03
-          parts: 
-            - 
-              id:    sc-3_smt
-              name:  statement
-              prose: The information system isolates security functions from nonsecurity functions.
-            - 
-              id:    sc-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  The information system isolates security functions from nonsecurity functions by
-                                 means of an isolation boundary (implemented via partitions and domains). Such
-                                 isolation controls access to and protects the integrity of the hardware, software,
-                                 and firmware that perform those security functions. Information systems implement
-                                 code separation (i.e., separation of security functions from nonsecurity functions)
-                                 in a number of ways, including, for example, through the provision of security
-                                 kernels via processor rings or processor modes. For non-kernel code, security
-                                 function isolation is often achieved through file system protections that serve to
-                                 protect the code on disk, and address space protections that protect executing code.
-                                 Information systems restrict access to security functions through the use of access
-                                 control mechanisms and by implementing least privilege capabilities. While the ideal
-                                 is for all of the code within the security function isolation boundary to only
-                                 contain security-relevant code, it is sometimes necessary to include nonsecurity
-                                 functions within the isolation boundary as an exception.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-13
-                  rel:  related
-                  text: SA-13
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-39
-                  rel:  related
-                  text: SC-39
-            - 
-              id:         sc-3_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system isolates security functions from nonsecurity
-                                 functions.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from nonsecurity functions\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Separation of security functions from nonsecurity functions within the information
-                                        system
-                    """
-        - 
-          id:         sc-4
-          class:      SP800-53
-          title:      Information in Shared Resources
-          properties: 
-            - 
-              name:  label
-              value: SC-4
-            - 
-              name:  sort-id
-              value: sc-04
-          parts: 
-            - 
-              id:    sc-4_smt
-              name:  statement
-              prose: 
-                """
-                  The information system prevents unauthorized and unintended information transfer via
-                                 shared system resources.
-                """
-            - 
-              id:    sc-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control prevents information, including encrypted representations of
-                                 information, produced by the actions of prior users/roles (or the actions of
-                                 processes acting on behalf of prior users/roles) from being available to any current
-                                 users/roles (or current processes) that obtain access to shared system resources
-                                 (e.g., registers, main memory, hard disks) after those resources have been released
-                                 back to information systems. The control of information in shared resources is also
-                                 commonly referred to as object reuse and residual information protection. This
-                                 control does not address: (i) information remanence which refers to residual
-                                 representation of data that has been nominally erased or removed; (ii) covert
-                                 channels (including storage and/or timing channels) where shared resources are
-                                 manipulated to violate information flow restrictions; or (iii) components within
-                                 information systems for which there are only single users/roles.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-            - 
-              id:         sc-4_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system prevents unauthorized and unintended information
-                                 transfer via shared system resources.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms preventing unauthorized and unintended transfer of
-                                        information via shared system resources
-                    """
-        - 
-          id:         sc-5
-          class:      SP800-53
-          title:      Denial of Service Protection
-          parameters: 
-            - 
-              id:    sc-5_prm_1
-              label: 
-                """
-                  organization-defined types of denial of service attacks or references to sources
-                                 for such information
-                """
-            - 
-              id:    sc-5_prm_2
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SC-5
-            - 
-              name:  sort-id
-              value: sc-05
-          parts: 
-            - 
-              id:    sc-5_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects against or limits the effects of the following types
-                                 of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}.
-                """
-            - 
-              id:    sc-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  A variety of technologies exist to limit, or in some cases, eliminate the effects of
-                                 denial of service attacks. For example, boundary protection devices can filter
-                                 certain types of packets to protect information system components on internal
-                                 organizational networks from being directly affected by denial of service attacks.
-                                 Employing increased capacity and bandwidth combined with service redundancy may also
-                                 reduce the susceptibility to denial of service attacks.
-                """
-              links: 
-                - 
-                  href: #sc-6
-                  rel:  related
-                  text: SC-6
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    sc-5_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[1]
-                  prose: 
-                    """
-                      the organization defines types of denial of service attacks or reference to source
-                                        of such information for the information system to protect against or limit the
-                                        effects;
-                    """
-                - 
-                  id:         sc-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[2]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be employed by the information
-                                        system to protect against or limit the effects of organization-defined types of
-                                        denial of service attacks; and
-                    """
-                - 
-                  id:         sc-5_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[3]
-                  prose: 
-                    """
-                      the information system protects against or limits the effects of the
-                                        organization-defined denial or service attacks (or reference to source for such
-                                        information) by employing organization-defined security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to
-                                        protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial
-                                        of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms protecting against or limiting the effects of denial of
-                                        service attacks
-                    """
-        - 
-          id:         sc-6
-          class:      SP800-53
-          title:      Resource Availability
-          parameters: 
-            - 
-              id:    sc-6_prm_1
-              label: organization-defined resources
-            - 
-              id: sc-6_prm_2
-            - 
-              id:         sc-6_prm_3
-              depends-on: sc-6_prm_2
-              label:      organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SC-6
-            - 
-              name:  sort-id
-              value: sc-06
-          parts: 
-            - 
-              id:    sc-6_smt
-              name:  statement
-              prose: The information system protects the availability of resources by allocating {{ sc-6_prm_1 }} by {{ sc-6_prm_2 }}.
-            - 
-              id:    sc-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Priority protection helps prevent lower-priority processes from delaying or
-                                 interfering with the information system servicing any higher-priority processes.
-                                 Quotas prevent users or processes from obtaining more than predetermined amounts of
-                                 resources. This control does not apply to information system components for which
-                                 there are only single users/roles.
-                """
-            - 
-              id:    sc-6_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-6_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-6[1]
-                  prose: 
-                    """
-                      the organization defines resources to be allocated to protect the availability of
-                                        resources;
-                    """
-                - 
-                  id:         sc-6_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-6[2]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be employed to protect the
-                                        availability of resources;
-                    """
-                - 
-                  id:         sc-6_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-6[3]
-                  prose: 
-                    """
-                      the information system protects the availability of resources by allocating
-                                        organization-defined resources by one or more of the following:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-6_obj.3.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-6[3][a]
-                      prose:      priority;
-                    - 
-                      id:         sc-6_obj.3.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-6[3][b]
-                      prose:      quota; and/or
-                    - 
-                      id:         sc-6_obj.3.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-6[3][c]
-                      prose:      organization-defined safeguards.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing prioritization of information system resources\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing resource allocation
-                                        capability\n\nsafeguards employed to protect availability of resources
-                    """
-        - 
-          id:         sc-7
-          class:      SP800-53
-          title:      Boundary Protection
-          parameters: 
-            - 
-              id: sc-7_prm_1
-          properties: 
-            - 
-              name:  label
-              value: SC-7
-            - 
-              name:  sort-id
-              value: sc-07
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #756a8e86-57d5-4701-8382-f7a40439665a
-              rel:  reference
-              text: NIST Special Publication 800-41
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-          parts: 
-            - 
-              id:    sc-7_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Monitors and controls communications at the external boundary of the system and at
-                                        key internal boundaries within the system;
-                    """
-                - 
-                  id:         sc-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;
-                                        and
-                    """
-                - 
-                  id:         sc-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Connects to external networks or information systems only through managed
-                                        interfaces consisting of boundary protection devices arranged in accordance with
-                                        an organizational security architecture.
-                    """
-            - 
-              id:    sc-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Managed interfaces include, for example, gateways, routers, firewalls, guards,
-                                 network-based malicious code analysis and virtualization systems, or encrypted
-                                 tunnels implemented within a security architecture (e.g., routers protecting
-                                 firewalls or application gateways residing on protected subnetworks). Subnetworks
-                                 that are physically or logically separated from internal networks are referred to as
-                                 demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-                                 organizational information systems includes, for example, restricting external web
-                                 traffic to designated web servers within managed interfaces and prohibiting external
-                                 traffic that appears to be spoofing internal addresses. Organizations consider the
-                                 shared nature of commercial telecommunications services in the implementation of
-                                 security controls associated with the use of such services. Commercial
-                                 telecommunications services are commonly based on network components and consolidated
-                                 management systems shared by all attached commercial customers, and may also include
-                                 third party-provided access lines and other service elements. Such transmission
-                                 services may represent sources of increased risk despite contract security
-                                 provisions.
-                """
-              links: 
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    sc-7_obj
-              name:  objective
-              prose: Determine if the information system:
-              parts: 
-                - 
-                  id:         sc-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-7(a)
-                  parts: 
-                    - 
-                      id:         sc-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[1]
-                      prose:      monitors communications at the external boundary of the information system;
-                    - 
-                      id:         sc-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[2]
-                      prose:      monitors communications at key internal boundaries within the system;
-                    - 
-                      id:         sc-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[3]
-                      prose:      controls communications at the external boundary of the information system;
-                    - 
-                      id:         sc-7.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[4]
-                      prose:      controls communications at key internal boundaries within the system;
-                - 
-                  id:         sc-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-7(b)
-                  prose: 
-                    """
-                      implements subnetworks for publicly accessible system components that are
-                                        either:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(b)[1]
-                      prose:      physically separated from internal organizational networks; and/or
-                    - 
-                      id:         sc-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(b)[2]
-                      prose:      logically separated from internal organizational networks; and
-                - 
-                  id:         sc-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-7(c)
-                  prose: 
-                    """
-                      connects to external networks or information systems only through managed
-                                        interfaces consisting of boundary protection devices arranged in accordance with
-                                        an organizational security architecture.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing boundary protection capability
-          controls: 
-            - 
-              id:         sc-7.3
-              class:      SP800-53-enhancement
-              title:      Access Points
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(3)
-                - 
-                  name:  sort-id
-                  value: sc-07.03
-              parts: 
-                - 
-                  id:    sc-7.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization limits the number of external network connections to the
-                                        information system.
-                    """
-                - 
-                  id:    sc-7.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Limiting the number of external network connections facilitates more comprehensive
-                                        monitoring of inbound and outbound communications traffic. The Trusted Internet
-                                        Connection (TIC) initiative is an example of limiting the number of external
-                                        network connections.
-                    """
-                - 
-                  id:         sc-7.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization limits the number of external network connections to
-                                        the information system.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms limiting the number of external network connections to the
-                                               information system
-                        """
-            - 
-              id:         sc-7.4
-              class:      SP800-53-enhancement
-              title:      External Telecommunications Services
-              parameters: 
-                - 
-                  id:          sc-7.4_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SC-7(4)
-                - 
-                  name:  sort-id
-                  value: sc-07.04
-              parts: 
-                - 
-                  id:    sc-7.4_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         sc-7.4_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Implements a managed interface for each external telecommunication service;
-                    - 
-                      id:         sc-7.4_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Establishes a traffic flow policy for each managed interface;
-                    - 
-                      id:         sc-7.4_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          Protects the confidentiality and integrity of the information being transmitted
-                                               across each interface;
-                        """
-                    - 
-                      id:         sc-7.4_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose: 
-                        """
-                          Documents each exception to the traffic flow policy with a supporting
-                                               mission/business need and duration of that need; and
-                        """
-                    - 
-                      id:         sc-7.4_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)
-                      prose: 
-                        """
-                          Reviews exceptions to the traffic flow policy {{ sc-7.4_prm_1 }}
-                                               and removes exceptions that are no longer supported by an explicit
-                                               mission/business need.
-                        """
-                - 
-                  id:    sc-7.4_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #sc-8
-                      rel:  related
-                      text: SC-8
-                - 
-                  id:    sc-7.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sc-7.4.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(4)(a)
-                      prose:      implements a managed interface for each external telecommunication service;
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.a
-                          rel:  corresp
-                          text: SC-7(4)(a)
-                    - 
-                      id:         sc-7.4.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(4)(b)
-                      prose:      establishes a traffic flow policy for each managed interface;
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.b
-                          rel:  corresp
-                          text: SC-7(4)(b)
-                    - 
-                      id:         sc-7.4.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(4)(c)
-                      prose: 
-                        """
-                          protects the confidentiality and integrity of the information being transmitted
-                                               across each interface;
-                        """
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.c
-                          rel:  corresp
-                          text: SC-7(4)(c)
-                    - 
-                      id:         sc-7.4.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(4)(d)
-                      prose:      documents each exception to the traffic flow policy with:
-                      parts: 
-                        - 
-                          id:         sc-7.4.d_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-7(4)(d)[1]
-                          prose:      a supporting mission/business need;
-                        - 
-                          id:         sc-7.4.d_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-7(4)(d)[2]
-                          prose:      duration of that need;
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.d
-                          rel:  corresp
-                          text: SC-7(4)(d)
-                    - 
-                      id:         sc-7.4.e_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(4)(e)
-                      parts: 
-                        - 
-                          id:         sc-7.4.e_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-7(4)(e)[1]
-                          prose:      defines a frequency to review exceptions to traffic flow policy;
-                        - 
-                          id:         sc-7.4.e_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SC-7(4)(e)[2]
-                          prose: 
-                            """
-                              reviews exceptions to the traffic flow policy with the organization-defined
-                                                      frequency; and
-                            """
-                        - 
-                          id:         sc-7.4.e_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SC-7(4)(e)[3]
-                          prose: 
-                            """
-                              removes traffic flow policy exceptions that are no longer supported by an
-                                                      explicit mission/business need
-                            """
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.e
-                          rel:  corresp
-                          text: SC-7(4)(e)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\ninformation system security architecture\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for documenting and reviewing exceptions to the
-                                               traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nautomated mechanisms implementing boundary protection capability\n\nmanaged interfaces implementing traffic flow policy
-                        """
-            - 
-              id:         sc-7.5
-              class:      SP800-53-enhancement
-              title:      Deny by Default / Allow by Exception
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(5)
-                - 
-                  name:  sort-id
-                  value: sc-07.05
-              parts: 
-                - 
-                  id:    sc-7.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system at managed interfaces denies network communications traffic
-                                        by default and allows network communications traffic by exception (i.e., deny all,
-                                        permit by exception).
-                    """
-                - 
-                  id:    sc-7.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to both inbound and outbound network
-                                        communications traffic. A deny-all, permit-by-exception network communications
-                                        traffic policy ensures that only those connections which are essential and
-                                        approved are allowed.
-                    """
-                - 
-                  id:    sc-7.5_obj
-                  name:  objective
-                  prose: Determine if the information system, at managed interfaces:
-                  parts: 
-                    - 
-                      id:         sc-7.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(5)[1]
-                      prose:      denies network traffic by default; and
-                    - 
-                      id:         sc-7.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(5)[2]
-                      prose:      allows network traffic by exception.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing traffic management at managed interfaces
-            - 
-              id:         sc-7.7
-              class:      SP800-53-enhancement
-              title:      Prevent Split Tunneling for Remote Devices
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(7)
-                - 
-                  name:  sort-id
-                  value: sc-07.07
-              parts: 
-                - 
-                  id:    sc-7.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system, in conjunction with a remote device, prevents the device
-                                        from simultaneously establishing non-remote connections with the system and
-                                        communicating via some other connection to resources in external networks.
-                    """
-                - 
-                  id:    sc-7.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement is implemented within remote devices (e.g., notebook
-                                        computers) through configuration settings to disable split tunneling in those
-                                        devices, and by preventing those configuration settings from being readily
-                                        configurable by users. This control enhancement is implemented within the
-                                        information system by the detection of split tunneling (or of configuration
-                                        settings that allow split tunneling) in the remote device, and by prohibiting the
-                                        connection if the remote device is using split tunneling. Split tunneling might be
-                                        desirable by remote users to communicate with local information system resources
-                                        such as printers/file servers. However, split tunneling would in effect allow
-                                        unauthorized external connections, making the system more vulnerable to attack and
-                                        to exfiltration of organizational information. The use of VPNs for remote
-                                        connections, when adequately provisioned with appropriate security controls, may
-                                        provide the organization with sufficient assurance that it can effectively treat
-                                        such connections as non-remote connections from the confidentiality and integrity
-                                        perspective. VPNs thus provide a means for allowing non-remote communications
-                                        paths from remote devices. The use of an adequately provisioned VPN does not
-                                        eliminate the need for preventing split tunneling.
-                    """
-                - 
-                  id:         sc-7.7_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system, in conjunction with a remote device, prevents
-                                        the device from simultaneously establishing non-remote connections with the system
-                                        and communicating via some other connection to resources in external networks.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms supporting/restricting non-remote connections
-            - 
-              id:         sc-7.8
-              class:      SP800-53-enhancement
-              title:      Route Traffic to Authenticated Proxy Servers
-              parameters: 
-                - 
-                  id:    sc-7.8_prm_1
-                  label: organization-defined internal communications traffic
-                - 
-                  id:    sc-7.8_prm_2
-                  label: organization-defined external networks
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(8)
-                - 
-                  name:  sort-id
-                  value: sc-07.08
-              parts: 
-                - 
-                  id:    sc-7.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system routes {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed
-                                        interfaces.
-                    """
-                - 
-                  id:    sc-7.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      External networks are networks outside of organizational control. A proxy server
-                                        is a server (i.e., information system or application) that acts as an intermediary
-                                        for clients requesting information system resources (e.g., files, connections, web
-                                        pages, or services) from other organizational servers. Client requests established
-                                        through an initial connection to the proxy server are evaluated to manage
-                                        complexity and to provide additional protection by limiting direct connectivity.
-                                        Web content filtering devices are one of the most common proxy servers providing
-                                        access to the Internet. Proxy servers support logging individual Transmission
-                                        Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators
-                                        (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be
-                                        configured with organization-defined lists of authorized and unauthorized
-                                        websites.
-                    """
-                  links: 
-                    - 
-                      href: #ac-3
-                      rel:  related
-                      text: AC-3
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                - 
-                  id:    sc-7.8_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         sc-7.8_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(8)[1]
-                      prose: 
-                        """
-                          the organization defines internal communications traffic to be routed to
-                                               external networks;
-                        """
-                    - 
-                      id:         sc-7.8_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(8)[2]
-                      prose: 
-                        """
-                          the organization defines external networks to which organization-defined
-                                               internal communications traffic is to be routed; and
-                        """
-                    - 
-                      id:         sc-7.8_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(8)[3]
-                      prose: 
-                        """
-                          the information system routes organization-defined internal communications
-                                               traffic to organization-defined external networks through authenticated proxy
-                                               servers at managed interfaces.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing traffic management through authenticated
-                                               proxy servers at managed interfaces
-                        """
-            - 
-              id:         sc-7.10
-              class:      SP800-53-enhancement
-              title:      Prevent Unauthorized Exfiltration
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(10)
-                - 
-                  name:  sort-id
-                  value: sc-07.10
-              parts: 
-                - 
-                  id:    sc-7.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization prevents the unauthorized exfiltration of information across
-                                        managed interfaces.
-                    """
-                - 
-                  id:    sc-7.10_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Safeguards implemented by organizations to prevent unauthorized exfiltration of
-                                        information from information systems include, for example: (i) strict adherence to
-                                        protocol formats; (ii) monitoring for beaconing from information systems; (iii)
-                                        monitoring for steganography; (iv) disconnecting external network interfaces
-                                        except when explicitly needed; (v) disassembling and reassembling packet headers;
-                                        and (vi) employing traffic profile analysis to detect deviations from the
-                                        volume/types of traffic expected within organizations or call backs to command and
-                                        control centers. Devices enforcing strict adherence to protocol formats include,
-                                        for example, deep packet inspection firewalls and XML gateways. These devices
-                                        verify adherence to protocol formats and specification at the application layer
-                                        and serve to identify vulnerabilities that cannot be detected by devices operating
-                                        at the network or transport layers. This control enhancement is closely associated
-                                        with cross-domain solutions and system guards enforcing information flow
-                                        requirements.
-                    """
-                  links: 
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                - 
-                  id:         sc-7.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization prevents the unauthorized exfiltration of
-                                        information across managed interfaces.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing boundary protection capability\n\npreventing unauthorized exfiltration of information across managed
-                                               interfaces
-                        """
-            - 
-              id:         sc-7.12
-              class:      SP800-53-enhancement
-              title:      Host-based Protection
-              parameters: 
-                - 
-                  id:          sc-7.12_prm_1
-                  label:       organization-defined host-based boundary protection mechanisms
-                  constraints: 
-                    - 
-                      detail: Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall
-                - 
-                  id:    sc-7.12_prm_2
-                  label: organization-defined information system components
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(12)
-                - 
-                  name:  sort-id
-                  value: sc-07.12
-              parts: 
-                - 
-                  id:    sc-7.12_smt
-                  name:  statement
-                  prose: The organization implements {{ sc-7.12_prm_1 }} at {{ sc-7.12_prm_2 }}.
-                - 
-                  id:    sc-7.12_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Host-based boundary protection mechanisms include, for example, host-based
-                                        firewalls. Information system components employing host-based boundary protection
-                                        mechanisms include, for example, servers, workstations, and mobile devices.
-                    """
-                - 
-                  id:    sc-7.12_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sc-7.12_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(12)[1]
-                      prose:      defines host-based boundary protection mechanisms;
-                    - 
-                      id:         sc-7.12_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(12)[2]
-                      prose: 
-                        """
-                          defines information system components where organization-defined host-based
-                                               boundary protection mechanisms are to be implemented; and
-                        """
-                    - 
-                      id:         sc-7.12_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(12)[3]
-                      prose: 
-                        """
-                          implements organization-defined host-based boundary protection mechanisms at
-                                               organization-defined information system components.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities\n\ninformation system users
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing host-based boundary protection
-                                               capabilities
-                        """
-            - 
-              id:         sc-7.13
-              class:      SP800-53-enhancement
-              title:      Isolation of Security Tools / Mechanisms / Support Components
-              parameters: 
-                - 
-                  id:    sc-7.13_prm_1
-                  label: 
-                    """
-                      organization-defined information security tools, mechanisms, and support
-                                        components
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(13)
-                - 
-                  name:  sort-id
-                  value: sc-07.13
-              parts: 
-                - 
-                  id:    sc-7.13_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization isolates {{ sc-7.13_prm_1 }} from other internal
-                                        information system components by implementing physically separate subnetworks with
-                                        managed interfaces to other components of the system.
-                    """
-                  parts: 
-                    - 
-                      id:    sc-7.13_fr
-                      name:  item
-                      title: SC-7 (13) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         sc-7.13_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
-                        - 
-                          id:         sc-7.13_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.
-                - 
-                  id:    sc-7.13_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Physically separate subnetworks with managed interfaces are useful, for example,
-                                        in isolating computer network defenses from critical operational processing
-                                        networks to prevent adversaries from discovering the analysis and forensics
-                                        techniques of organizations.
-                    """
-                  links: 
-                    - 
-                      href: #sa-8
-                      rel:  related
-                      text: SA-8
-                    - 
-                      href: #sc-2
-                      rel:  related
-                      text: SC-2
-                    - 
-                      href: #sc-3
-                      rel:  related
-                      text: SC-3
-                - 
-                  id:    sc-7.13_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sc-7.13_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(13)[1]
-                      prose: 
-                        """
-                          defines information security tools, mechanisms, and support components to be
-                                               isolated from other internal information system components; and
-                        """
-                    - 
-                      id:         sc-7.13_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(13)[2]
-                      prose: 
-                        """
-                          isolates organization-defined information security tools, mechanisms, and
-                                               support components from other internal information system components by
-                                               implementing physically separate subnetworks with managed interfaces to other
-                                               components of the system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\nlist of security tools and support components to be isolated from other
-                                               internal information system components\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing isolation of information
-                                               security tools, mechanisms, and support components
-                        """
-            - 
-              id:         sc-7.18
-              class:      SP800-53-enhancement
-              title:      Fail Secure
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(18)
-                - 
-                  name:  sort-id
-                  value: sc-07.18
-              parts: 
-                - 
-                  id:    sc-7.18_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system fails securely in the event of an operational failure of a
-                                        boundary protection device.
-                    """
-                - 
-                  id:    sc-7.18_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Fail secure is a condition achieved by employing information system mechanisms to
-                                        ensure that in the event of operational failures of boundary protection devices at
-                                        managed interfaces (e.g., routers, firewalls, guards, and application gateways
-                                        residing on protected subnetworks commonly referred to as demilitarized zones),
-                                        information systems do not enter into unsecure states where intended security
-                                        properties no longer hold. Failures of boundary protection devices cannot lead to,
-                                        or cause information external to the devices to enter the devices, nor can
-                                        failures permit unauthorized information releases.
-                    """
-                  links: 
-                    - 
-                      href: #cp-2
-                      rel:  related
-                      text: CP-2
-                    - 
-                      href: #sc-24
-                      rel:  related
-                      text: SC-24
-                - 
-                  id:         sc-7.18_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system fails securely in the event of an operational
-                                        failure of a boundary protection device.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting and/or implementing secure failure
-            - 
-              id:         sc-7.20
-              class:      SP800-53-enhancement
-              title:      Dynamic Isolation / Segregation
-              parameters: 
-                - 
-                  id:    sc-7.20_prm_1
-                  label: organization-defined information system components
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(20)
-                - 
-                  name:  sort-id
-                  value: sc-07.20
-              parts: 
-                - 
-                  id:    sc-7.20_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system provides the capability to dynamically isolate/segregate
-                                           {{ sc-7.20_prm_1 }} from other components of the system.
-                    """
-                - 
-                  id:    sc-7.20_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The capability to dynamically isolate or segregate certain internal components of
-                                        organizational information systems is useful when it is necessary to partition or
-                                        separate certain components of dubious origin from those components possessing
-                                        greater trustworthiness. Component isolation reduces the attack surface of
-                                        organizational information systems. Isolation of selected information system
-                                        components is also a means of limiting the damage from successful cyber attacks
-                                        when those attacks occur.
-                    """
-                - 
-                  id:    sc-7.20_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         sc-7.20_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(20)[1]
-                      prose: 
-                        """
-                          the organization defines information system components to be dynamically
-                                               isolated/segregated from other components of the system; and
-                        """
-                    - 
-                      id:         sc-7.20_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(20)[2]
-                      prose: 
-                        """
-                          the information system provides the capability to dynamically isolate/segregate
-                                               organization-defined information system components from other components of the
-                                               system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\nlist of information system components to be dynamically isolated/segregated
-                                               from other components of the system\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing the capability to
-                                               dynamically isolate/segregate information system components
-                        """
-            - 
-              id:         sc-7.21
-              class:      SP800-53-enhancement
-              title:      Isolation of Information System Components
-              parameters: 
-                - 
-                  id:    sc-7.21_prm_1
-                  label: organization-defined information system components
-                - 
-                  id:    sc-7.21_prm_2
-                  label: organization-defined missions and/or business functions
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(21)
-                - 
-                  name:  sort-id
-                  value: sc-07.21
-              parts: 
-                - 
-                  id:    sc-7.21_smt
-                  name:  statement
-                  prose: The organization employs boundary protection mechanisms to separate {{ sc-7.21_prm_1 }} supporting {{ sc-7.21_prm_2 }}.
-                - 
-                  id:    sc-7.21_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can isolate information system components performing different
-                                        missions and/or business functions. Such isolation limits unauthorized information
-                                        flows among system components and also provides the opportunity to deploy greater
-                                        levels of protection for selected components. Separating system components with
-                                        boundary protection mechanisms provides the capability for increased protection of
-                                        individual components and to more effectively control information flows between
-                                        those components. This type of enhanced protection limits the potential harm from
-                                        cyber attacks and errors. The degree of separation provided varies depending upon
-                                        the mechanisms chosen. Boundary protection mechanisms include, for example,
-                                        routers, gateways, and firewalls separating system components into physically
-                                        separate networks or subnetworks, cross-domain devices separating subnetworks,
-                                        virtualization techniques, and encrypting information flows among system
-                                        components using distinct encryption keys.
-                    """
-                  links: 
-                    - 
-                      href: #ca-9
-                      rel:  related
-                      text: CA-9
-                    - 
-                      href: #sc-3
-                      rel:  related
-                      text: SC-3
-                - 
-                  id:    sc-7.21_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sc-7.21_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(21)[1]
-                      prose: 
-                        """
-                          defines information system components to be separated by boundary protection
-                                               mechanisms;
-                        """
-                    - 
-                      id:         sc-7.21_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(21)[2]
-                      prose: 
-                        """
-                          defines missions and/or business functions to be supported by
-                                               organization-defined information system components separated by boundary
-                                               protection mechanisms; and
-                        """
-                    - 
-                      id:         sc-7.21_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(21)[3]
-                      prose: 
-                        """
-                          employs boundary protection mechanisms to separate organization-defined
-                                               information system components supporting organization-defined missions and/or
-                                               business functions.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\nenterprise architecture documentation\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing the capability to separate
-                                               information system components supporting organizational missions and/or
-                                               business functions
-                        """
-        - 
-          id:         sc-8
-          class:      SP800-53
-          title:      Transmission Confidentiality and Integrity
-          parameters: 
-            - 
-              id:          sc-8_prm_1
-              constraints: 
-                - 
-                  detail: confidentiality AND integrity
-          properties: 
-            - 
-              name:  label
-              value: SC-8
-            - 
-              name:  sort-id
-              value: sc-08
-          links: 
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #f2dbd4ec-c413-4714-b85b-6b7184d1c195
-              rel:  reference
-              text: FIPS Publication 197
-            - 
-              href: #90c5bc98-f9c4-44c9-98b7-787422f0999c
-              rel:  reference
-              text: NIST Special Publication 800-52
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-            - 
-              href: #349fe082-502d-464a-aa0c-1443c6a5cf40
-              rel:  reference
-              text: NIST Special Publication 800-113
-            - 
-              href: #a4aa9645-9a8a-4b51-90a9-e223250f9a75
-              rel:  reference
-              text: CNSS Policy 15
-            - 
-              href: #06dff0ea-3848-4945-8d91-e955ee69f05d
-              rel:  reference
-              text: NSTISSI No. 7003
-          parts: 
-            - 
-              id:    sc-8_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects the {{ sc-8_prm_1 }} of transmitted
-                                 information.
-                """
-            - 
-              id:    sc-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to both internal and external networks and all types of
-                                 information system components from which information can be transmitted (e.g.,
-                                 servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile
-                                 machines). Communication paths outside the physical protection of a controlled
-                                 boundary are exposed to the possibility of interception and modification. Protecting
-                                 the confidentiality and/or integrity of organizational information can be
-                                 accomplished by physical means (e.g., by employing protected distribution systems) or
-                                 by logical means (e.g., employing encryption techniques). Organizations relying on
-                                 commercial providers offering transmission services as commodity services rather than
-                                 as fully dedicated services (i.e., services which can be highly specialized to
-                                 individual customer needs), may find it difficult to obtain the necessary assurances
-                                 regarding the implementation of needed security controls for transmission
-                                 confidentiality/integrity. In such situations, organizations determine what types of
-                                 confidentiality/integrity services are available in standard, commercial
-                                 telecommunication service packages. If it is infeasible or impractical to obtain the
-                                 necessary security controls and assurances of control effectiveness through
-                                 appropriate contracting vehicles, organizations implement appropriate compensating
-                                 security controls or explicitly accept the additional risk.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-            - 
-              id:         sc-8_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose:      Determine if the information system protects one or more of the following:
-              parts: 
-                - 
-                  id:         sc-8_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-8[1]
-                  prose:      confidentiality of transmitted information; and/or
-                - 
-                  id:         sc-8_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-8[2]
-                  prose:      integrity of transmitted information.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing transmission confidentiality
-                                        and/or integrity
-                    """
-          controls: 
-            - 
-              id:         sc-8.1
-              class:      SP800-53-enhancement
-              title:      Cryptographic or Alternate Physical Protection
-              parameters: 
-                - 
-                  id:          sc-8.1_prm_1
-                  constraints: 
-                    - 
-                      detail: prevent unauthorized disclosure of information AND detect changes to information
-                - 
-                  id:          sc-8.1_prm_2
-                  label:       organization-defined alternative physical safeguards
-                  constraints: 
-                    - 
-                      detail: a hardened or alarmed carrier Protective Distribution System (PDS)
-              properties: 
-                - 
-                  name:  label
-                  value: SC-8(1)
-                - 
-                  name:  sort-id
-                  value: sc-08.01
-              parts: 
-                - 
-                  id:    sc-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission unless otherwise protected by
-                                           {{ sc-8.1_prm_2 }}.
-                    """
-                - 
-                  id:    sc-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Encrypting information for transmission protects information from unauthorized
-                                        disclosure and modification. Cryptographic mechanisms implemented to protect
-                                        information integrity include, for example, cryptographic hash functions which
-                                        have common application in digital signatures, checksums, and message
-                                        authentication codes. Alternative physical security safeguards include, for
-                                        example, protected distribution systems.
-                    """
-                  links: 
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:    sc-8.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         sc-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-8(1)[1]
-                      prose: 
-                        """
-                          the organization defines physical safeguards to be implemented to protect
-                                               information during transmission when cryptographic mechanisms are not
-                                               implemented; and
-                        """
-                    - 
-                      id:         sc-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-8(1)[2]
-                      prose: 
-                        """
-                          the information system implements cryptographic mechanisms to do one or more of
-                                               the following during transmission unless otherwise protected by
-                                               organization-defined alternative physical safeguards:
-                        """
-                      parts: 
-                        - 
-                          id:         sc-8.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-8(1)[2][a]
-                          prose:      prevent unauthorized disclosure of information; and/or
-                        - 
-                          id:         sc-8.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-8(1)[2][b]
-                          prose:      detect changes to information.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms supporting and/or implementing transmission
-                                               confidentiality and/or integrity\n\nautomated mechanisms supporting and/or implementing alternative physical
-                                               safeguards\n\norganizational processes for defining and implementing alternative physical
-                                               safeguards
-                        """
-        - 
-          id:         sc-10
-          class:      SP800-53
-          title:      Network Disconnect
-          parameters: 
-            - 
-              id:          sc-10_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions
-          properties: 
-            - 
-              name:  label
-              value: SC-10
-            - 
-              name:  sort-id
-              value: sc-10
-          parts: 
-            - 
-              id:    sc-10_smt
-              name:  statement
-              prose: 
-                """
-                  The information system terminates the network connection associated with a
-                                 communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity.
-                """
-            - 
-              id:    sc-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to both internal and external networks. Terminating network
-                                 connections associated with communications sessions include, for example,
-                                 de-allocating associated TCP/IP address/port pairs at the operating system level, or
-                                 de-allocating networking assignments at the application level if multiple application
-                                 sessions are using a single, operating system-level network connection. Time periods
-                                 of inactivity may be established by organizations and include, for example, time
-                                 periods by type of network access or for specific network accesses.
-                """
-            - 
-              id:    sc-10_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-10[1]
-                  prose: 
-                    """
-                      the organization defines a time period of inactivity after which the information
-                                        system terminates a network connection associated with a communications session;
-                                        and
-                    """
-                - 
-                  id:         sc-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-10[2]
-                  prose: 
-                    """
-                      the information system terminates the network connection associated with a
-                                        communication session at the end of the session or after the organization-defined
-                                        time period of inactivity.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing network disconnect\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing network disconnect
-                                        capability
-                    """
-        - 
-          id:         sc-12
-          class:      SP800-53
-          title:      Cryptographic Key Establishment and Management
-          parameters: 
-            - 
-              id:    sc-12_prm_1
-              label: 
-                """
-                  organization-defined requirements for key generation, distribution, storage,
-                                 access, and destruction
-                """
-          properties: 
-            - 
-              name:  label
-              value: SC-12
-            - 
-              name:  sort-id
-              value: sc-12
-          links: 
-            - 
-              href: #81f09e01-d0b0-4ae2-aa6a-064ed9950070
-              rel:  reference
-              text: NIST Special Publication 800-56
-            - 
-              href: #a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-              rel:  reference
-              text: NIST Special Publication 800-57
-          parts: 
-            - 
-              id:    sc-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes and manages cryptographic keys for required cryptography
-                                 employed within the information system in accordance with {{ sc-12_prm_1 }}.
-                """
-              parts: 
-                - 
-                  id:    sc-12_fr
-                  name:  item
-                  title: SC-12 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sc-12_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Federally approved and validated cryptography.
-            - 
-              id:    sc-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Cryptographic key management and establishment can be performed using manual
-                                 procedures or automated mechanisms with supporting manual procedures. Organizations
-                                 define key management requirements in accordance with applicable federal laws,
-                                 Executive Orders, directives, regulations, policies, standards, and guidance,
-                                 specifying appropriate options, levels, and parameters. Organizations manage trust
-                                 stores to ensure that only approved trust anchors are in such trust stores. This
-                                 includes certificates with visibility external to organizational information systems
-                                 and certificates related to the internal operations of systems.
-                """
-              links: 
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-            - 
-              id:    sc-12_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-12[1]
-                  prose:      defines requirements for cryptographic key:
-                  parts: 
-                    - 
-                      id:         sc-12_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][a]
-                      prose:      generation;
-                    - 
-                      id:         sc-12_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][b]
-                      prose:      distribution;
-                    - 
-                      id:         sc-12_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][c]
-                      prose:      storage;
-                    - 
-                      id:         sc-12_obj.1.d
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][d]
-                      prose:      access;
-                    - 
-                      id:         sc-12_obj.1.e
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][e]
-                      prose:      destruction; and
-                - 
-                  id:         sc-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-12[2]
-                  prose: 
-                    """
-                      establishes and manages cryptographic keys for required cryptography employed
-                                        within the information system in accordance with organization-defined requirements
-                                        for key generation, distribution, storage, access, and destruction.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment
-                                        and/or management
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing cryptographic key
-                                        establishment and management
-                    """
-          controls: 
-            - 
-              id:         sc-12.1
-              class:      SP800-53-enhancement
-              title:      Availability
-              properties: 
-                - 
-                  name:  label
-                  value: SC-12(1)
-                - 
-                  name:  sort-id
-                  value: sc-12.01
-              parts: 
-                - 
-                  id:    sc-12.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization maintains availability of information in the event of the loss of
-                                        cryptographic keys by users.
-                    """
-                - 
-                  id:    sc-12.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Escrowing of encryption keys is a common practice for ensuring availability in the
-                                        event of loss of keys (e.g., due to forgotten passphrase).
-                    """
-                - 
-                  id:         sc-12.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization maintains availability of information in the event
-                                        of the loss of cryptographic keys by users.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and
-                                               recovery\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key
-                                               establishment or management
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing cryptographic key
-                                               establishment and management
-                        """
-            - 
-              id:         sc-12.2
-              class:      SP800-53-enhancement
-              title:      Symmetric Keys
-              parameters: 
-                - 
-                  id:          sc-12.2_prm_1
-                  constraints: 
-                    - 
-                      detail: NIST FIPS-compliant
-              properties: 
-                - 
-                  name:  label
-                  value: SC-12(2)
-                - 
-                  name:  sort-id
-                  value: sc-12.02
-              parts: 
-                - 
-                  id:    sc-12.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization produces, controls, and distributes symmetric cryptographic keys
-                                        using {{ sc-12.2_prm_1 }} key management technology and
-                                        processes.
-                    """
-                - 
-                  id:         sc-12.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization produces, controls, and distributes symmetric
-                                        cryptographic keys using one of the following: 
-                    """
-                  parts: 
-                    - 
-                      id:         sc-12.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(2)[1]
-                      prose:      NIST FIPS-compliant key management technology and processes; or
-                    - 
-                      id:         sc-12.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(2)[2]
-                      prose:      NSA-approved key management technology and processes.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FIPS validated cryptographic products\n\nlist of NSA-approved cryptographic products\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic key
-                                               establishment or management
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing symmetric cryptographic key
-                                               establishment and management
-                        """
-            - 
-              id:         sc-12.3
-              class:      SP800-53-enhancement
-              title:      Asymmetric Keys
-              parameters: 
-                - 
-                  id: sc-12.3_prm_1
-              properties: 
-                - 
-                  name:  label
-                  value: SC-12(3)
-                - 
-                  name:  sort-id
-                  value: sc-12.03
-              parts: 
-                - 
-                  id:    sc-12.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization produces, controls, and distributes asymmetric cryptographic keys
-                                        using {{ sc-12.3_prm_1 }}.
-                    """
-                - 
-                  id:         sc-12.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization produces, controls, and distributes asymmetric
-                                        cryptographic keys using one of the following: 
-                    """
-                  parts: 
-                    - 
-                      id:         sc-12.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(3)[1]
-                      prose:      NSA-approved key management technology and processes;
-                    - 
-                      id:         sc-12.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(3)[2]
-                      prose:      approved PKI Class 3 certificates or prepositioned keying material; or
-                    - 
-                      id:         sc-12.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(3)[3]
-                      prose: 
-                        """
-                          approved PKI Class 3 or Class 4 certificates and hardware security tokens that
-                                               protect the user’s private key.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of NSA-approved cryptographic products\n\nlist of approved PKI Class 3 and Class 4 certificates\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic key
-                                               establishment or management\n\norganizational personnel with responsibilities for PKI certificates
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing asymmetric cryptographic
-                                               key establishment and management
-                        """
-        - 
-          id:         sc-13
-          class:      SP800-53
-          title:      Cryptographic Protection
-          parameters: 
-            - 
-              id:          sc-13_prm_1
-              label: 
-                """
-                  organization-defined cryptographic uses and type of cryptography required for
-                                 each use
-                """
-              constraints: 
-                - 
-                  detail: FIPS-validated or NSA-approved cryptography
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SC-13
-            - 
-              name:  sort-id
-              value: sc-13
-          links: 
-            - 
-              href: #39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-              rel:  reference
-              text: FIPS Publication 140
-            - 
-              href: #6a1041fc-054e-4230-946b-2e6f4f3731bb
-              rel:  reference
-              text: http://csrc.nist.gov/cryptval
-            - 
-              href: #9b97ed27-3dd6-4f9a-ade5-1b43e9669794
-              rel:  reference
-              text: http://www.cnss.gov
-          parts: 
-            - 
-              id:    sc-13_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements {{ sc-13_prm_1 }} in accordance with
-                                 applicable federal laws, Executive Orders, directives, policies, regulations, and
-                                 standards.
-                """
-            - 
-              id:    sc-13_gdn
-              name:  guidance
-              prose: 
-                """
-                  Cryptography can be employed to support a variety of security solutions including,
-                                 for example, the protection of classified and Controlled Unclassified Information,
-                                 the provision of digital signatures, and the enforcement of information separation
-                                 when authorized individuals have the necessary clearances for such information but
-                                 lack the necessary formal access approvals. Cryptography can also be used to support
-                                 random number generation and hash generation. Generally applicable cryptographic
-                                 standards include FIPS-validated cryptography and NSA-approved cryptography. This
-                                 control does not impose any requirements on organizations to use cryptography.
-                                 However, if cryptography is required based on the selection of other security
-                                 controls, organizations define each type of cryptographic use and the type of
-                                 cryptography required (e.g., protection of classified information: NSA-approved
-                                 cryptography; provision of digital signatures: FIPS-validated cryptography).
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #au-10
-                  rel:  related
-                  text: AU-10
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-7
-                  rel:  related
-                  text: IA-7
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    sc-13_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-13_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-13[1]
-                  prose:      the organization defines cryptographic uses; and
-                - 
-                  id:         sc-13_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-13[2]
-                  prose:      the organization defines the type of cryptography required for each use; and
-                - 
-                  id:         sc-13_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-13[3]
-                  prose: 
-                    """
-                      the information system implements the organization-defined cryptographic uses and
-                                        type of cryptography required for each use in accordance with applicable federal
-                                        laws, Executive Orders, directives, policies, regulations, and standards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing cryptographic protection
-        - 
-          id:         sc-15
-          class:      SP800-53
-          title:      Collaborative Computing Devices
-          parameters: 
-            - 
-              id:          sc-15_prm_1
-              label:       organization-defined exceptions where remote activation is to be allowed
-              constraints: 
-                - 
-                  detail: no exceptions
-          properties: 
-            - 
-              name:  label
-              value: SC-15
-            - 
-              name:  sort-id
-              value: sc-15
-          parts: 
-            - 
-              id:    sc-15_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-15_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Prohibits remote activation of collaborative computing devices with the following
-                                        exceptions: {{ sc-15_prm_1 }}; and
-                    """
-                - 
-                  id:         sc-15_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Provides an explicit indication of use to users physically present at the
-                                        devices.
-                    """
-                - 
-                  id:    sc-15_fr
-                  name:  item
-                  title: SC-15 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sc-15_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-            - 
-              id:    sc-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  Collaborative computing devices include, for example, networked white boards,
-                                 cameras, and microphones. Explicit indication of use includes, for example, signals
-                                 to users when collaborative computing devices are activated.
-                """
-              links: 
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-            - 
-              id:    sc-15_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-15.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-15(a)
-                  parts: 
-                    - 
-                      id:         sc-15.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-15(a)[1]
-                      prose: 
-                        """
-                          the organization defines exceptions where remote activation of collaborative
-                                               computing devices is to be allowed;
-                        """
-                    - 
-                      id:         sc-15.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-15(a)[2]
-                      prose: 
-                        """
-                          the information system prohibits remote activation of collaborative computing
-                                               devices, except for organization-defined exceptions where remote activation is
-                                               to be allowed; and
-                        """
-                - 
-                  id:         sc-15.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-15(b)
-                  prose: 
-                    """
-                      the information system provides an explicit indication of use to users physically
-                                        present at the devices.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative
-                                        computing devices
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing management of remote
-                                        activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing
-                                        devices
-                    """
-        - 
-          id:         sc-17
-          class:      SP800-53
-          title:      Public Key Infrastructure Certificates
-          parameters: 
-            - 
-              id:    sc-17_prm_1
-              label: organization-defined certificate policy
-          properties: 
-            - 
-              name:  label
-              value: SC-17
-            - 
-              name:  sort-id
-              value: sc-17
-          links: 
-            - 
-              href: #58ad6f27-af99-429f-86a8-8bb767b014b9
-              rel:  reference
-              text: OMB Memorandum 05-24
-            - 
-              href: #8f174e91-844e-4cf1-a72a-45c119a3a8dd
-              rel:  reference
-              text: NIST Special Publication 800-32
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-          parts: 
-            - 
-              id:    sc-17_smt
-              name:  statement
-              prose: 
-                """
-                  The organization issues public key certificates under an {{ sc-17_prm_1 }} or obtains public key certificates from an approved
-                                 service provider.
-                """
-            - 
-              id:    sc-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  For all certificates, organizations manage information system trust stores to ensure
-                                 only approved trust anchors are in the trust stores. This control addresses both
-                                 certificates with visibility external to organizational information systems and
-                                 certificates related to the internal operations of systems, for example,
-                                 application-specific time services.
-                """
-              links: 
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-            - 
-              id:    sc-17_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-17_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-17[1]
-                  prose:      defines a certificate policy for issuing public key certificates;
-                - 
-                  id:         sc-17_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-17[2]
-                  prose:      issues public key certificates:
-                  parts: 
-                    - 
-                      id:         sc-17_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-17[2][a]
-                      prose:      under an organization-defined certificate policy: or
-                    - 
-                      id:         sc-17_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-17[2][b]
-                      prose:      obtains public key certificates from an approved service provider.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key
-                                        certificates\n\nservice providers
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing the management of public key
-                                        infrastructure certificates
-                    """
-        - 
-          id:         sc-18
-          class:      SP800-53
-          title:      Mobile Code
-          properties: 
-            - 
-              name:  label
-              value: SC-18
-            - 
-              name:  sort-id
-              value: sc-18
-          links: 
-            - 
-              href: #e716cd51-d1d5-4c6a-967a-22e9fbbc42f1
-              rel:  reference
-              text: NIST Special Publication 800-28
-            - 
-              href: #e6522953-6714-435d-a0d3-140df554c186
-              rel:  reference
-              text: DoD Instruction 8552.01
-          parts: 
-            - 
-              id:    sc-18_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sc-18_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Defines acceptable and unacceptable mobile code and mobile code technologies;
-                - 
-                  id:         sc-18_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Establishes usage restrictions and implementation guidance for acceptable mobile
-                                        code and mobile code technologies; and
-                    """
-                - 
-                  id:         sc-18_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Authorizes, monitors, and controls the use of mobile code within the information
-                                        system.
-                    """
-            - 
-              id:    sc-18_gdn
-              name:  guidance
-              prose: 
-                """
-                  Decisions regarding the employment of mobile code within organizational information
-                                 systems are based on the potential for the code to cause damage to the systems if
-                                 used maliciously. Mobile code technologies include, for example, Java, JavaScript,
-                                 ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage
-                                 restrictions and implementation guidance apply to both the selection and use of
-                                 mobile code installed on servers and mobile code downloaded and executed on
-                                 individual workstations and devices (e.g., smart phones). Mobile code policy and
-                                 procedures address preventing the development, acquisition, or introduction of
-                                 unacceptable mobile code within organizational information systems.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-            - 
-              id:    sc-18_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-18.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-18(a)
-                  prose:      defines acceptable and unacceptable mobile code and mobile code technologies;
-                - 
-                  id:         sc-18.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-18(b)
-                  parts: 
-                    - 
-                      id:         sc-18.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-18(b)[1]
-                      prose: 
-                        """
-                          establishes usage restrictions for acceptable mobile code and mobile code
-                                               technologies;
-                        """
-                    - 
-                      id:         sc-18.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-18(b)[2]
-                      prose: 
-                        """
-                          establishes implementation guidance for acceptable mobile code and mobile code
-                                               technologies;
-                        """
-                - 
-                  id:         sc-18.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-18(c)
-                  parts: 
-                    - 
-                      id:         sc-18.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-18(c)[1]
-                      prose:      authorizes the use of mobile code within the information system;
-                    - 
-                      id:         sc-18.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-18(c)[2]
-                      prose:      monitors the use of mobile code within the information system; and
-                    - 
-                      id:         sc-18.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-18(c)[3]
-                      prose:      controls the use of mobile code within the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions, mobile code implementation policy and
-                                        procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for controlling, authorizing, monitoring, and restricting
-                                        mobile code\n\nautomated mechanisms supporting and/or implementing the management of mobile
-                                        code\n\nautomated mechanisms supporting and/or implementing the monitoring of mobile
-                                        code
-                    """
-        - 
-          id:         sc-19
-          class:      SP800-53
-          title:      Voice Over Internet Protocol
-          properties: 
-            - 
-              name:  label
-              value: SC-19
-            - 
-              name:  sort-id
-              value: sc-19
-          links: 
-            - 
-              href: #7783f3e7-09b3-478b-9aa2-4a76dfd0ea90
-              rel:  reference
-              text: NIST Special Publication 800-58
-          parts: 
-            - 
-              id:    sc-19_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sc-19_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions and implementation guidance for Voice over Internet
-                                        Protocol (VoIP) technologies based on the potential to cause damage to the
-                                        information system if used maliciously; and
-                    """
-                - 
-                  id:         sc-19_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes, monitors, and controls the use of VoIP within the information
-                                        system.
-                    """
-            - 
-              id:    sc-19_gdn
-              name:  guidance
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-15
-                  rel:  related
-                  text: SC-15
-            - 
-              id:    sc-19_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-19.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-19(a)
-                  parts: 
-                    - 
-                      id:         sc-19.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-19(a)[1]
-                      prose: 
-                        """
-                          establishes usage restrictions for Voice over Internet Protocol (VoIP)
-                                               technologies based on the potential to cause damage to the information system
-                                               if used maliciously;
-                        """
-                    - 
-                      id:         sc-19.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-19(a)[2]
-                      prose: 
-                        """
-                          establishes implementation guidance for Voice over Internet Protocol (VoIP)
-                                               technologies based on the potential to cause damage to the information system
-                                               if used maliciously;
-                        """
-                - 
-                  id:         sc-19.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-19(b)
-                  parts: 
-                    - 
-                      id:         sc-19.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-19(b)[1]
-                      prose:      authorizes the use of VoIP within the information system;
-                    - 
-                      id:         sc-19.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-19(b)[2]
-                      prose:      monitors the use of VoIP within the information system; and
-                    - 
-                      id:         sc-19.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-19(b)[3]
-                      prose:      controls the use of VoIP within the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing VoIP\n\nVoIP usage restrictions\n\nVoIP implementation guidance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing VoIP
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for authorizing, monitoring, and controlling VoIP\n\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and
-                                        controlling VoIP
-                    """
-        - 
-          id:         sc-20
-          class:      SP800-53
-          title:      Secure Name / Address Resolution Service (authoritative Source)
-          properties: 
-            - 
-              name:  label
-              value: SC-20
-            - 
-              name:  sort-id
-              value: sc-20
-          links: 
-            - 
-              href: #28115a56-da6b-4d44-b1df-51dd7f048a3e
-              rel:  reference
-              text: OMB Memorandum 08-23
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-20_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-20_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides additional data origin authentication and integrity verification
-                                        artifacts along with the authoritative name resolution data the system returns in
-                                        response to external name/address resolution queries; and
-                    """
-                - 
-                  id:         sc-20_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Provides the means to indicate the security status of child zones and (if the
-                                        child supports secure resolution services) to enable verification of a chain of
-                                        trust among parent and child domains, when operating as part of a distributed,
-                                        hierarchical namespace.
-                    """
-            - 
-              id:    sc-20_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control enables external clients including, for example, remote Internet
-                                 clients, to obtain origin authentication and integrity verification assurances for
-                                 the host/service name to network address resolution information obtained through the
-                                 service. Information systems that provide name and address resolution services
-                                 include, for example, domain name system (DNS) servers. Additional artifacts include,
-                                 for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-                                 resource records are examples of authoritative data. The means to indicate the
-                                 security status of child zones includes, for example, the use of delegation signer
-                                 resource records in the DNS. The DNS security controls reflect (and are referenced
-                                 from) OMB Memorandum 08-23. Information systems that use technologies other than the
-                                 DNS to map between host/service names and network addresses provide other means to
-                                 assure the authenticity and integrity of response data.
-                """
-              links: 
-                - 
-                  href: #au-10
-                  rel:  related
-                  text: AU-10
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-21
-                  rel:  related
-                  text: SC-21
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-20_obj
-              name:  objective
-              prose: Determine if the information system:
-              parts: 
-                - 
-                  id:         sc-20.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-20(a)
-                  prose: 
-                    """
-                      provides additional data origin and integrity verification artifacts along with
-                                        the authoritative name resolution data the system returns in response to external
-                                        name/address resolution queries;
-                    """
-                - 
-                  id:         sc-20.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-20(b)
-                  prose: 
-                    """
-                      provides the means to, when operating as part of a distributed, hierarchical
-                                        namespace:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-20.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-20(b)[1]
-                      prose:      indicate the security status of child zones; and
-                    - 
-                      id:         sc-20.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-20(b)[2]
-                      prose: 
-                        """
-                          enable verification of a chain of trust among parent and child domains (if the
-                                               child supports secure resolution services).
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing secure name/address resolution service (authoritative
-                                        source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing secure name/address resolution
-                                        service
-                    """
-        - 
-          id:         sc-21
-          class:      SP800-53
-          title:      Secure Name / Address Resolution Service (recursive or Caching Resolver)
-          properties: 
-            - 
-              name:  label
-              value: SC-21
-            - 
-              name:  sort-id
-              value: sc-21
-          links: 
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-21_smt
-              name:  statement
-              prose: 
-                """
-                  The information system requests and performs data origin authentication and data
-                                 integrity verification on the name/address resolution responses the system receives
-                                 from authoritative sources.
-                """
-            - 
-              id:    sc-21_gdn
-              name:  guidance
-              prose: 
-                """
-                  Each client of name resolution services either performs this validation on its own,
-                                 or has authenticated channels to trusted validation providers. Information systems
-                                 that provide name and address resolution services for local clients include, for
-                                 example, recursive resolving or caching domain name system (DNS) servers. DNS client
-                                 resolvers either perform validation of DNSSEC signatures, or clients use
-                                 authenticated channels to recursive resolvers that perform such validations.
-                                 Information systems that use technologies other than the DNS to map between
-                                 host/service names and network addresses provide other means to enable clients to
-                                 verify the authenticity and integrity of response data.
-                """
-              links: 
-                - 
-                  href: #sc-20
-                  rel:  related
-                  text: SC-20
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-21_obj
-              name:  objective
-              prose: Determine if the information system: 
-              parts: 
-                - 
-                  id:         sc-21_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-21[1]
-                  prose: 
-                    """
-                      requests data origin authentication on the name/address resolution responses the
-                                        system receives from authoritative sources;
-                    """
-                - 
-                  id:         sc-21_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-21[2]
-                  prose: 
-                    """
-                      requests data integrity verification on the name/address resolution responses the
-                                        system receives from authoritative sources;
-                    """
-                - 
-                  id:         sc-21_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-21[3]
-                  prose: 
-                    """
-                      performs data origin authentication on the name/address resolution responses the
-                                        system receives from authoritative sources; and
-                    """
-                - 
-                  id:         sc-21_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-21[4]
-                  prose: 
-                    """
-                      performs data integrity verification on the name/address resolution responses the
-                                        system receives from authoritative sources.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing secure name/address resolution service (recursive or caching
-                                        resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing data origin authentication and
-                                        data integrity verification for name/address resolution services
-                    """
-        - 
-          id:         sc-22
-          class:      SP800-53
-          title:      Architecture and Provisioning for Name / Address Resolution Service
-          properties: 
-            - 
-              name:  label
-              value: SC-22
-            - 
-              name:  sort-id
-              value: sc-22
-          links: 
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-22_smt
-              name:  statement
-              prose: 
-                """
-                  The information systems that collectively provide name/address resolution service for
-                                 an organization are fault-tolerant and implement internal/external role
-                                 separation.
-                """
-            - 
-              id:    sc-22_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems that provide name and address resolution services include, for
-                                 example, domain name system (DNS) servers. To eliminate single points of failure and
-                                 to enhance redundancy, organizations employ at least two authoritative domain name
-                                 system servers, one configured as the primary server and the other configured as the
-                                 secondary server. Additionally, organizations typically deploy the servers in two
-                                 geographically separated network subnetworks (i.e., not located in the same physical
-                                 facility). For role separation, DNS servers with internal roles only process name and
-                                 address resolution requests from within organizations (i.e., from internal clients).
-                                 DNS servers with external roles only process name and address resolution information
-                                 requests from clients external to organizations (i.e., on external networks including
-                                 the Internet). Organizations specify clients that can access authoritative DNS
-                                 servers in particular roles (e.g., by address ranges, explicit lists).
-                """
-              links: 
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-20
-                  rel:  related
-                  text: SC-20
-                - 
-                  href: #sc-21
-                  rel:  related
-                  text: SC-21
-                - 
-                  href: #sc-24
-                  rel:  related
-                  text: SC-24
-            - 
-              id:    sc-22_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information systems that collectively provide name/address
-                                 resolution service for an organization: 
-                """
-              parts: 
-                - 
-                  id:         sc-22_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-22[1]
-                  prose:      are fault tolerant; and
-                - 
-                  id:         sc-22_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-22[2]
-                  prose:      implement internal/external role separation.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution
-                                        service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing name/address resolution
-                                        service for fault tolerance and role separation
-                    """
-        - 
-          id:         sc-23
-          class:      SP800-53
-          title:      Session Authenticity
-          properties: 
-            - 
-              name:  label
-              value: SC-23
-            - 
-              name:  sort-id
-              value: sc-23
-          links: 
-            - 
-              href: #90c5bc98-f9c4-44c9-98b7-787422f0999c
-              rel:  reference
-              text: NIST Special Publication 800-52
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-            - 
-              href: #1ebdf782-d95d-4a7b-8ec7-ee860951eced
-              rel:  reference
-              text: NIST Special Publication 800-95
-          parts: 
-            - 
-              id:    sc-23_smt
-              name:  statement
-              prose: The information system protects the authenticity of communications sessions.
-            - 
-              id:    sc-23_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses communications protection at the session, versus packet level
-                                 (e.g., sessions in service-oriented architectures providing web-based services) and
-                                 establishes grounds for confidence at both ends of communications sessions in ongoing
-                                 identities of other parties and in the validity of information transmitted.
-                                 Authenticity protection includes, for example, protecting against man-in-the-middle
-                                 attacks/session hijacking and the insertion of false information into sessions.
-                """
-              links: 
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #sc-11
-                  rel:  related
-                  text: SC-11
-            - 
-              id:         sc-23_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system protects the authenticity of communications
-                                 sessions.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing session authenticity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing session authenticity
-          controls: 
-            - 
-              id:         sc-23.1
-              class:      SP800-53-enhancement
-              title:      Invalidate Session Identifiers at Logout
-              properties: 
-                - 
-                  name:  label
-                  value: SC-23(1)
-                - 
-                  name:  sort-id
-                  value: sc-23.01
-              parts: 
-                - 
-                  id:    sc-23.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system invalidates session identifiers upon user logout or other
-                                        session termination.
-                    """
-                - 
-                  id:    sc-23.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement curtails the ability of adversaries from capturing and
-                                        continuing to employ previously valid session IDs.
-                    """
-                - 
-                  id:         sc-23.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system invalidates session identifiers upon user
-                                        logout or other session termination.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing session authenticity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing session identifier
-                                               invalidation upon session termination
-                        """
-        - 
-          id:         sc-24
-          class:      SP800-53
-          title:      Fail in Known State
-          parameters: 
-            - 
-              id:    sc-24_prm_1
-              label: organization-defined known-state
-            - 
-              id:    sc-24_prm_2
-              label: organization-defined types of failures
-            - 
-              id:    sc-24_prm_3
-              label: organization-defined system state information
-          properties: 
-            - 
-              name:  label
-              value: SC-24
-            - 
-              name:  sort-id
-              value: sc-24
-          parts: 
-            - 
-              id:    sc-24_smt
-              name:  statement
-              prose: 
-                """
-                  The information system fails to a {{ sc-24_prm_1 }} for {{ sc-24_prm_2 }} preserving {{ sc-24_prm_3 }} in
-                                 failure.
-                """
-            - 
-              id:    sc-24_gdn
-              name:  guidance
-              prose: 
-                """
-                  Failure in a known state addresses security concerns in accordance with the
-                                 mission/business needs of organizations. Failure in a known secure state helps to
-                                 prevent the loss of confidentiality, integrity, or availability of information in the
-                                 event of failures of organizational information systems or system components. Failure
-                                 in a known safe state helps to prevent systems from failing to a state that may cause
-                                 injury to individuals or destruction to property. Preserving information system state
-                                 information facilitates system restart and return to the operational mode of
-                                 organizations with less disruption of mission/business processes.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #cp-12
-                  rel:  related
-                  text: CP-12
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-24_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-24_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-24[1]
-                  prose: 
-                    """
-                      the organization defines a known-state to which the information system is to fail
-                                        in the event of a system failure;
-                    """
-                - 
-                  id:         sc-24_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-24[2]
-                  prose: 
-                    """
-                      the organization defines types of failures for which the information system is to
-                                        fail to an organization-defined known-state;
-                    """
-                - 
-                  id:         sc-24_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-24[3]
-                  prose: 
-                    """
-                      the organization defines system state information to be preserved in the event of
-                                        a system failure;
-                    """
-                - 
-                  id:         sc-24_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-24[4]
-                  prose: 
-                    """
-                      the information system fails to the organization-defined known-state for
-                                        organization-defined types of failures; and
-                    """
-                - 
-                  id:         sc-24_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-24[5]
-                  prose: 
-                    """
-                      the information system preserves the organization-defined system state information
-                                        in the event of a system failure.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing information system failure to known state\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of failures requiring information system to fail in a known state\n\nstate information to be preserved in system failure\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing fail-in-known state
-                                        capability\n\nautomated mechanisms preserving system state information in the event of a system
-                                        failure
-                    """
-        - 
-          id:         sc-28
-          class:      SP800-53
-          title:      Protection of Information at Rest
-          parameters: 
-            - 
-              id:          sc-28_prm_1
-              constraints: 
-                - 
-                  detail: confidentiality AND integrity
-            - 
-              id:    sc-28_prm_2
-              label: organization-defined information at rest
-          properties: 
-            - 
-              name:  label
-              value: SC-28
-            - 
-              name:  sort-id
-              value: sc-28
-          links: 
-            - 
-              href: #81f09e01-d0b0-4ae2-aa6a-064ed9950070
-              rel:  reference
-              text: NIST Special Publication 800-56
-            - 
-              href: #a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-              rel:  reference
-              text: NIST Special Publication 800-57
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    sc-28_smt
-              name:  statement
-              prose: The information system protects the {{ sc-28_prm_1 }} of {{ sc-28_prm_2 }}.
-              parts: 
-                - 
-                  id:    sc-28_fr
-                  name:  item
-                  title: SC-28 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sc-28_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      The organization supports the capability to use cryptographic mechanisms to protect information at rest.
-            - 
-              id:    sc-28_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the confidentiality and integrity of information at rest and
-                                 covers user information and system information. Information at rest refers to the
-                                 state of information when it is located on storage devices as specific components of
-                                 information systems. System-related information requiring protection includes, for
-                                 example, configurations or rule sets for firewalls, gateways, intrusion
-                                 detection/prevention systems, filtering routers, and authenticator content.
-                                 Organizations may employ different mechanisms to achieve confidentiality and
-                                 integrity protections, including the use of cryptographic mechanisms and file share
-                                 scanning. Integrity protection can be achieved, for example, by implementing
-                                 Write-Once-Read-Many (WORM) technologies. Organizations may also employ other
-                                 security controls including, for example, secure off-line storage in lieu of online
-                                 storage when adequate protection of information at rest cannot otherwise be achieved
-                                 and/or continuous monitoring to identify malicious code at rest.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    sc-28_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-28_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-28[1]
-                  prose: 
-                    """
-                      the organization defines information at rest requiring one or more of the
-                                        following:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-28_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-28[1][a]
-                      prose:      confidentiality protection; and/or
-                    - 
-                      id:         sc-28_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-28[1][b]
-                      prose:      integrity protection;
-                - 
-                  id:         sc-28_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-28[2]
-                  prose:      the information system protects:
-                  parts: 
-                    - 
-                      id:         sc-28_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-28[2][a]
-                      prose:      the confidentiality of organization-defined information at rest; and/or
-                    - 
-                      id:         sc-28_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-28[2][b]
-                      prose:      the integrity of organization-defined information at rest.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing protection of information at rest\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity
-                                        protections\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing confidentiality and integrity
-                                        protections for information at rest
-                    """
-          controls: 
-            - 
-              id:         sc-28.1
-              class:      SP800-53-enhancement
-              title:      Cryptographic Protection
-              parameters: 
-                - 
-                  id:    sc-28.1_prm_1
-                  label: organization-defined information
-                - 
-                  id:          sc-28.1_prm_2
-                  label:       organization-defined information system components
-                  constraints: 
-                    - 
-                      detail: all information system components storing customer data deemed sensitive
-              properties: 
-                - 
-                  name:  label
-                  value: SC-28(1)
-                - 
-                  name:  sort-id
-                  value: sc-28.01
-              parts: 
-                - 
-                  id:    sc-28.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to prevent unauthorized
-                                        disclosure and modification of {{ sc-28.1_prm_1 }} on {{ sc-28.1_prm_2 }}.
-                    """
-                - 
-                  id:    sc-28.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Selection of cryptographic mechanisms is based on the need to protect the
-                                        confidentiality and integrity of organizational information. The strength of
-                                        mechanism is commensurate with the security category and/or classification of the
-                                        information. This control enhancement applies to significant concentrations of
-                                        digital media in organizational areas designated for media storage and also to
-                                        limited quantities of media generally associated with information system
-                                        components in operational environments (e.g., portable storage devices, mobile
-                                        devices). Organizations have the flexibility to either encrypt all information on
-                                        storage devices (i.e., full disk encryption) or encrypt specific data structures
-                                        (e.g., files, records, or fields). Organizations employing cryptographic
-                                        mechanisms to protect information at rest also consider cryptographic key
-                                        management solutions.
-                    """
-                  links: 
-                    - 
-                      href: #ac-19
-                      rel:  related
-                      text: AC-19
-                    - 
-                      href: #sc-12
-                      rel:  related
-                      text: SC-12
-                - 
-                  id:    sc-28.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         sc-28.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-28(1)[1]
-                      prose:      the organization defines information requiring cryptographic protection;
-                    - 
-                      id:         sc-28.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-28(1)[2]
-                      prose: 
-                        """
-                          the organization defines information system components with
-                                               organization-defined information requiring cryptographic protection; and
-                        """
-                    - 
-                      id:         sc-28.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-28(1)[3]
-                      prose: 
-                        """
-                          the information system employs cryptographic mechanisms to prevent unauthorized
-                                               disclosure and modification of organization-defined information on
-                                               organization-defined information system components.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing protection of information at rest\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms implementing confidentiality and integrity protections
-                                               for information at rest
-                        """
-        - 
-          id:         sc-39
-          class:      SP800-53
-          title:      Process Isolation
-          properties: 
-            - 
-              name:  label
-              value: SC-39
-            - 
-              name:  sort-id
-              value: sc-39
-          parts: 
-            - 
-              id:    sc-39_smt
-              name:  statement
-              prose: 
-                """
-                  The information system maintains a separate execution domain for each executing
-                                 process.
-                """
-            - 
-              id:    sc-39_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems can maintain separate execution domains for each executing
-                                 process by assigning each process a separate address space. Each information system
-                                 process has a distinct address space so that communication between processes is
-                                 performed in a manner controlled through the security functions, and one process
-                                 cannot modify the executing code of another process. Maintaining separate execution
-                                 domains for executing processes can be achieved, for example, by implementing
-                                 separate address spaces. This capability is available in most commercial operating
-                                 systems that employ multi-state processor technologies.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:         sc-39_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system maintains a separate execution domain for each
-                                 executing process.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system developers/integrators\n\ninformation system security architect
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing separate execution domains for
-                                        each executing process
-                    """
-    - 
-      id:       si
-      class:    family
-      title:    System and Information Integrity
-      controls: 
-        - 
-          id:         si-1
-          class:      SP800-53
-          title:      System and Information Integrity Policy and Procedures
-          parameters: 
-            - 
-              id:    si-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          si-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          si-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually or whenever a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-1
-            - 
-              name:  sort-id
-              value: si-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    si-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ si-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         si-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and information integrity policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         si-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and information
-                                               integrity policy and associated system and information integrity controls;
-                                               and
-                        """
-                - 
-                  id:         si-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         si-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          System and information integrity policy {{ si-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         si-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and information integrity procedures {{ si-1_prm_3 }}.
-            - 
-              id:    si-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SI
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    si-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-1(a)
-                  parts: 
-                    - 
-                      id:         si-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(a)(1)
-                      parts: 
-                        - 
-                          id:         si-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and information integrity policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         si-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         si-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         si-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         si-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         si-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         si-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         si-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         si-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and information integrity
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         si-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and information integrity policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         si-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(a)(2)
-                      parts: 
-                        - 
-                          id:         si-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and information integrity policy and associated system and
-                                                      information integrity controls;
-                            """
-                        - 
-                          id:         si-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         si-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         si-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-1(b)
-                  parts: 
-                    - 
-                      id:         si-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(b)(1)
-                      parts: 
-                        - 
-                          id:         si-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      information integrity policy;
-                            """
-                        - 
-                          id:         si-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and information integrity policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         si-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(b)(2)
-                      parts: 
-                        - 
-                          id:         si-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      information integrity procedures; and
-                            """
-                        - 
-                          id:         si-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and information integrity procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and information integrity
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         si-2
-          class:      SP800-53
-          title:      Flaw Remediation
-          parameters: 
-            - 
-              id:          si-2_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: thirty (30) days of release of updates
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-2
-            - 
-              name:  sort-id
-              value: si-02
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    si-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Identifies, reports, and corrects information system flaws;
-                - 
-                  id:         si-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Tests software and firmware updates related to flaw remediation for effectiveness
-                                        and potential side effects before installation;
-                    """
-                - 
-                  id:         si-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and
-                - 
-                  id:         si-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Incorporates flaw remediation into the organizational configuration management
-                                        process.
-                    """
-            - 
-              id:    si-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations identify information systems affected by announced software flaws
-                                 including potential vulnerabilities resulting from those flaws, and report this
-                                 information to designated organizational personnel with information security
-                                 responsibilities. Security-relevant software updates include, for example, patches,
-                                 service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-                                 discovered during security assessments, continuous monitoring, incident response
-                                 activities, and system error handling. Organizations take advantage of available
-                                 resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-                                 Exposures (CVE) databases in remediating flaws discovered in organizational
-                                 information systems. By incorporating flaw remediation into ongoing configuration
-                                 management processes, required/anticipated remediation actions can be tracked and
-                                 verified. Flaw remediation actions that can be tracked and verified include, for
-                                 example, determining whether organizations follow US-CERT guidance and Information
-                                 Assurance Vulnerability Alerts. Organization-defined time periods for updating
-                                 security-relevant software and firmware may vary based on a variety of factors
-                                 including, for example, the security category of the information system or the
-                                 criticality of the update (i.e., severity of the vulnerability related to the
-                                 discovered flaw). Some types of flaw remediation may require more testing than other
-                                 types. Organizations determine the degree and type of testing needed for the specific
-                                 type of flaw remediation activity under consideration and also the types of changes
-                                 that are to be configuration-managed. In some situations, organizations may determine
-                                 that the testing of software and/or firmware updates is not necessary or practical,
-                                 for example, when implementing simple anti-virus signature updates. Organizations may
-                                 also consider in testing decisions, whether security-relevant software or firmware
-                                 updates are obtained from authorized sources with appropriate digital signatures.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #si-11
-                  rel:  related
-                  text: SI-11
-            - 
-              id:    si-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(a)
-                  parts: 
-                    - 
-                      id:         si-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[1]
-                      prose:      identifies information system flaws;
-                    - 
-                      id:         si-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[2]
-                      prose:      reports information system flaws;
-                    - 
-                      id:         si-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[3]
-                      prose:      corrects information system flaws;
-                - 
-                  id:         si-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(b)
-                  parts: 
-                    - 
-                      id:         si-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(b)[1]
-                      prose: 
-                        """
-                          tests software updates related to flaw remediation for effectiveness and
-                                               potential side effects before installation;
-                        """
-                    - 
-                      id:         si-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(b)[2]
-                      prose: 
-                        """
-                          tests firmware updates related to flaw remediation for effectiveness and
-                                               potential side effects before installation;
-                        """
-                - 
-                  id:         si-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(c)
-                  parts: 
-                    - 
-                      id:         si-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-2(c)[1]
-                      prose: 
-                        """
-                          defines the time period within which to install security-relevant software
-                                               updates after the release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-2(c)[2]
-                      prose: 
-                        """
-                          defines the time period within which to install security-relevant firmware
-                                               updates after the release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(c)[3]
-                      prose: 
-                        """
-                          installs software updates within the organization-defined time period of the
-                                               release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(c)[4]
-                      prose: 
-                        """
-                          installs firmware updates within the organization-defined time period of the
-                                               release of the updates; and
-                        """
-                - 
-                  id:         si-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-2(d)
-                  prose: 
-                    """
-                      incorporates flaw remediation into the organizational configuration management
-                                        process.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information
-                                        system (e.g., list of installed patches, service packs, hot fixes, and other
-                                        software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct
-                                        information system flaws\n\ninstallation/change control records for security-relevant software and firmware
-                                        updates\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for identifying, reporting, and correcting information
-                                        system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and/or implementing reporting, and correcting
-                                        information system flaws\n\nautomated mechanisms supporting and/or implementing testing software and firmware
-                                        updates
-                    """
-          controls: 
-            - 
-              id:         si-2.1
-              class:      SP800-53-enhancement
-              title:      Central Management
-              properties: 
-                - 
-                  name:  label
-                  value: SI-2(1)
-                - 
-                  name:  sort-id
-                  value: si-02.01
-              parts: 
-                - 
-                  id:    si-2.1_smt
-                  name:  statement
-                  prose: The organization centrally manages the flaw remediation process.
-                - 
-                  id:    si-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Central management is the organization-wide management and implementation of flaw
-                                        remediation processes. Central management includes planning, implementing,
-                                        assessing, authorizing, and monitoring the organization-defined, centrally managed
-                                        flaw remediation security controls.
-                    """
-                - 
-                  id:         si-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose:      Determine if the organization centrally manages the flaw remediation process.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for flaw remediation
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for central management of the flaw remediation
-                                               process\n\nautomated mechanisms supporting and/or implementing central management of the
-                                               flaw remediation process
-                        """
-            - 
-              id:         si-2.2
-              class:      SP800-53-enhancement
-              title:      Automated Flaw Remediation Status
-              parameters: 
-                - 
-                  id:          si-2.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least monthly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-2(2)
-                - 
-                  name:  sort-id
-                  value: si-02.02
-              parts: 
-                - 
-                  id:    si-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms {{ si-2.2_prm_1 }} to
-                                        determine the state of information system components with regard to flaw
-                                        remediation.
-                    """
-                - 
-                  id:    si-2.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                - 
-                  id:    si-2.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-2(2)[1]
-                      prose: 
-                        """
-                          defines a frequency to employ automated mechanisms to determine the state of
-                                               information system components with regard to flaw remediation; and
-                        """
-                    - 
-                      id:         si-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(2)[2]
-                      prose: 
-                        """
-                          employs automated mechanisms with the organization-defined frequency to
-                                               determine the state of information system components with regard to flaw
-                                               remediation.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for flaw remediation
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms used to determine the state of information system
-                                               components with regard to flaw remediation
-                        """
-            - 
-              id:         si-2.3
-              class:      SP800-53-enhancement
-              title:      Time to Remediate Flaws / Benchmarks for Corrective Actions
-              parameters: 
-                - 
-                  id:    si-2.3_prm_1
-                  label: organization-defined benchmarks
-              properties: 
-                - 
-                  name:  label
-                  value: SI-2(3)
-                - 
-                  name:  sort-id
-                  value: si-02.03
-              parts: 
-                - 
-                  id:    si-2.3_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         si-2.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Measures the time between flaw identification and flaw remediation; and
-                    - 
-                      id:         si-2.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Establishes {{ si-2.3_prm_1 }} for taking corrective
-                                               actions.
-                        """
-                - 
-                  id:    si-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement requires organizations to determine the current time it
-                                        takes on the average to correct information system flaws after such flaws have
-                                        been identified, and subsequently establish organizational benchmarks (i.e., time
-                                        frames) for taking corrective actions. Benchmarks can be established by type of
-                                        flaw and/or severity of the potential vulnerability if the flaw can be
-                                        exploited.
-                    """
-                - 
-                  id:    si-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-2.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(3)(a)
-                      prose:      measures the time between flaw identification and flaw remediation;
-                      links: 
-                        - 
-                          href: #si-2.3_smt.a
-                          rel:  corresp
-                          text: SI-2(3)(a)
-                    - 
-                      id:         si-2.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(3)(b)
-                      parts: 
-                        - 
-                          id:         si-2.3.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-2(3)(b)[1]
-                          prose:      defines benchmarks for taking corrective actions; and
-                        - 
-                          id:         si-2.3.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-2(3)(b)[2]
-                          prose: 
-                            """
-                              establishes organization-defined benchmarks for taking corrective
-                                                      actions.
-                            """
-                      links: 
-                        - 
-                          href: #si-2.3_smt.b
-                          rel:  corresp
-                          text: SI-2(3)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of benchmarks for taking corrective action on flaws identified\n\nrecords providing time stamps of flaw identification and subsequent flaw
-                                               remediation activities\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for flaw remediation
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for identifying, reporting, and correcting information
-                                               system flaws\n\nautomated mechanisms used to measure the time between flaw identification and
-                                               flaw remediation
-                        """
-        - 
-          id:         si-3
-          class:      SP800-53
-          title:      Malicious Code Protection
-          parameters: 
-            - 
-              id:          si-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least weekly
-            - 
-              id:          si-3_prm_2
-              constraints: 
-                - 
-                  detail: to include endpoints
-            - 
-              id:          si-3_prm_3
-              constraints: 
-                - 
-                  detail: to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime
-            - 
-              id:         si-3_prm_4
-              depends-on: si-3_prm_3
-              label:      organization-defined action
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-3
-            - 
-              name:  sort-id
-              value: si-03
-          links: 
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-          parts: 
-            - 
-              id:    si-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs malicious code protection mechanisms at information system entry and exit
-                                        points to detect and eradicate malicious code;
-                    """
-                - 
-                  id:         si-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates malicious code protection mechanisms whenever new releases are available
-                                        in accordance with organizational configuration management policy and
-                                        procedures;
-                    """
-                - 
-                  id:         si-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Configures malicious code protection mechanisms to:
-                  parts: 
-                    - 
-                      id:         si-3_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in
-                                               accordance with organizational security policy; and
-                        """
-                    - 
-                      id:         si-3_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          
-                                               {{ si-3_prm_3 }} in response to malicious code detection;
-                                               and
-                        """
-                - 
-                  id:         si-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Addresses the receipt of false positives during malicious code detection and
-                                        eradication and the resulting potential impact on the availability of the
-                                        information system.
-                    """
-            - 
-              id:    si-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system entry and exit points include, for example, firewalls, electronic
-                                 mail servers, web servers, proxy servers, remote-access servers, workstations,
-                                 notebook computers, and mobile devices. Malicious code includes, for example,
-                                 viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-                                 various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-                                 files, or hidden in files using steganography. Malicious code can be transported by
-                                 different means including, for example, web accesses, electronic mail, electronic
-                                 mail attachments, and portable storage devices. Malicious code insertions occur
-                                 through the exploitation of information system vulnerabilities. Malicious code
-                                 protection mechanisms include, for example, anti-virus signature definitions and
-                                 reputation-based technologies. A variety of technologies and methods exist to limit
-                                 or eliminate the effects of malicious code. Pervasive configuration management and
-                                 comprehensive software integrity controls may be effective in preventing execution of
-                                 unauthorized code. In addition to commercial off-the-shelf software, malicious code
-                                 may also be present in custom-built software. This could include, for example, logic
-                                 bombs, back doors, and other types of cyber attacks that could affect organizational
-                                 missions/business functions. Traditional malicious code protection mechanisms cannot
-                                 always detect such code. In these situations, organizations rely instead on other
-                                 safeguards including, for example, secure coding practices, configuration management
-                                 and control, trusted procurement processes, and monitoring practices to help ensure
-                                 that software does not perform functions other than the functions intended.
-                                 Organizations may determine that in response to the detection of malicious code,
-                                 different actions may be warranted. For example, organizations can define actions in
-                                 response to malicious code detection during periodic scans, actions in response to
-                                 detection of malicious downloads, and/or actions in response to detection of
-                                 maliciousness when attempting to open or execute files.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sa-13
-                  rel:  related
-                  text: SA-13
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-26
-                  rel:  related
-                  text: SC-26
-                - 
-                  href: #sc-44
-                  rel:  related
-                  text: SC-44
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    si-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-3(a)
-                  prose: 
-                    """
-                      employs malicious code protection mechanisms to detect and eradicate malicious
-                                        code at information system:
-                    """
-                  parts: 
-                    - 
-                      id:         si-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(a)[1]
-                      prose:      entry points;
-                    - 
-                      id:         si-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(a)[2]
-                      prose:      exit points;
-                - 
-                  id:         si-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-3(b)
-                  prose: 
-                    """
-                      updates malicious code protection mechanisms whenever new releases are available
-                                        in accordance with organizational configuration management policy and procedures
-                                        (as identified in CM-1);
-                    """
-                - 
-                  id:         si-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(c)
-                  parts: 
-                    - 
-                      id:         si-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-3(c)[1]
-                      prose: 
-                        """
-                          defines a frequency for malicious code protection mechanisms to perform
-                                               periodic scans of the information system;
-                        """
-                    - 
-                      id:         si-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-3(c)[2]
-                      prose: 
-                        """
-                          defines action to be initiated by malicious protection mechanisms in response
-                                               to malicious code detection;
-                        """
-                    - 
-                      id:         si-3.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(c)[3]
-                      parts: 
-                        - 
-                          id:         si-3.c.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-3(c)[3](1)
-                          prose:      configures malicious code protection mechanisms to:
-                          parts: 
-                            - 
-                              id:         si-3.c.1_obj.3.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](1)[a]
-                              prose: 
-                                """
-                                  perform periodic scans of the information system with the
-                                                             organization-defined frequency;
-                                """
-                            - 
-                              id:         si-3.c.1_obj.3.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](1)[b]
-                              prose: 
-                                """
-                                  perform real-time scans of files from external sources at endpoint and/or
-                                                             network entry/exit points as the files are downloaded, opened, or
-                                                             executed in accordance with organizational security policy;
-                                """
-                        - 
-                          id:         si-3.c.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-3(c)[3](2)
-                          prose: 
-                            """
-                              configures malicious code protection mechanisms to do one or more of the
-                                                      following:
-                            """
-                          parts: 
-                            - 
-                              id:         si-3.c.2_obj.3.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[a]
-                              prose:      block malicious code in response to malicious code detection;
-                            - 
-                              id:         si-3.c.2_obj.3.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[b]
-                              prose:      quarantine malicious code in response to malicious code detection;
-                            - 
-                              id:         si-3.c.2_obj.3.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[c]
-                              prose: 
-                                """
-                                  send alert to administrator in response to malicious code detection;
-                                                             and/or
-                                """
-                            - 
-                              id:         si-3.c.2_obj.3.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[d]
-                              prose: 
-                                """
-                                  initiate organization-defined action in response to malicious code
-                                                             detection;
-                                """
-                - 
-                  id:         si-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(d)
-                  parts: 
-                    - 
-                      id:         si-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-3(d)[1]
-                      prose: 
-                        """
-                          addresses the receipt of false positives during malicious code detection and
-                                               eradication; and
-                        """
-                    - 
-                      id:         si-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-3(d)[2]
-                      prose: 
-                        """
-                          addresses the resulting potential impact on the availability of the information
-                                               system.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to
-                                        malicious code detection\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for employing, updating, and configuring malicious code
-                                        protection mechanisms\n\norganizational process for addressing false positives and resulting potential
-                                        impact\n\nautomated mechanisms supporting and/or implementing employing, updating, and
-                                        configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and/or implementing malicious code scanning and
-                                        subsequent actions
-                    """
-          controls: 
-            - 
-              id:         si-3.1
-              class:      SP800-53-enhancement
-              title:      Central Management
-              properties: 
-                - 
-                  name:  label
-                  value: SI-3(1)
-                - 
-                  name:  sort-id
-                  value: si-03.01
-              parts: 
-                - 
-                  id:    si-3.1_smt
-                  name:  statement
-                  prose: The organization centrally manages malicious code protection mechanisms.
-                - 
-                  id:    si-3.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Central management is the organization-wide management and implementation of
-                                        malicious code protection mechanisms. Central management includes planning,
-                                        implementing, assessing, authorizing, and monitoring the organization-defined,
-                                        centrally managed flaw malicious code protection security controls.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #si-8
-                      rel:  related
-                      text: SI-8
-                - 
-                  id:         si-3.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization centrally manages malicious code protection
-                                        mechanisms.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code
-                                               protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for malicious code protection
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for central management of malicious code protection
-                                               mechanisms\n\nautomated mechanisms supporting and/or implementing central management of
-                                               malicious code protection mechanisms
-                        """
-            - 
-              id:         si-3.2
-              class:      SP800-53-enhancement
-              title:      Automatic Updates
-              properties: 
-                - 
-                  name:  label
-                  value: SI-3(2)
-                - 
-                  name:  sort-id
-                  value: si-03.02
-              parts: 
-                - 
-                  id:    si-3.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system automatically updates malicious code protection
-                                        mechanisms.
-                    """
-                - 
-                  id:    si-3.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Malicious code protection mechanisms include, for example, signature definitions.
-                                        Due to information system integrity and availability concerns, organizations give
-                                        careful consideration to the methodology used to carry out automatic updates.
-                    """
-                  links: 
-                    - 
-                      href: #si-8
-                      rel:  related
-                      text: SI-8
-                - 
-                  id:         si-3.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system automatically updates malicious code
-                                        protection mechanisms.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code
-                                               protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for malicious code protection
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing automatic updates to
-                                               malicious code protection capability
-                        """
-            - 
-              id:         si-3.7
-              class:      SP800-53-enhancement
-              title:      Nonsignature-based Detection
-              properties: 
-                - 
-                  name:  label
-                  value: SI-3(7)
-                - 
-                  name:  sort-id
-                  value: si-03.07
-              parts: 
-                - 
-                  id:    si-3.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements nonsignature-based malicious code detection
-                                        mechanisms.
-                    """
-                - 
-                  id:    si-3.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Nonsignature-based detection mechanisms include, for example, the use of
-                                        heuristics to detect, analyze, and describe the characteristics or behavior of
-                                        malicious code and to provide safeguards against malicious code for which
-                                        signatures do not yet exist or for which existing signatures may not be effective.
-                                        This includes polymorphic malicious code (i.e., code that changes signatures when
-                                        it replicates). This control enhancement does not preclude the use of
-                                        signature-based detection mechanisms.
-                    """
-                - 
-                  id:         si-3.7_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements non signature-based malicious code
-                                        detection mechanisms.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing malicious code protection\n\ninformation system design documentation\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for malicious code protection
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing nonsignature-based
-                                               malicious code protection capability
-                        """
-        - 
-          id:         si-4
-          class:      SP800-53
-          title:      Information System Monitoring
-          parameters: 
-            - 
-              id:    si-4_prm_1
-              label: organization-defined monitoring objectives
-            - 
-              id:    si-4_prm_2
-              label: organization-defined techniques and methods
-            - 
-              id:    si-4_prm_3
-              label: organization-defined information system monitoring information
-            - 
-              id:    si-4_prm_4
-              label: organization-defined personnel or roles
-            - 
-              id: si-4_prm_5
-            - 
-              id:         si-4_prm_6
-              depends-on: si-4_prm_5
-              label:      organization-defined frequency
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-4
-            - 
-              name:  sort-id
-              value: si-04
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-            - 
-              href: #672fd561-b92b-4713-b9cf-6c9d9456728b
-              rel:  reference
-              text: NIST Special Publication 800-92
-            - 
-              href: #d1b1d689-0f66-4474-9924-c81119758dc1
-              rel:  reference
-              text: NIST Special Publication 800-94
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    si-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Monitors the information system to detect:
-                  parts: 
-                    - 
-                      id:         si-4_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and
-                    - 
-                      id:         si-4_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Unauthorized local, network, and remote connections;
-                - 
-                  id:         si-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Identifies unauthorized use of the information system through {{ si-4_prm_2 }};
-                - 
-                  id:         si-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Deploys monitoring devices:
-                  parts: 
-                    - 
-                      id:         si-4_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Strategically within the information system to collect organization-determined
-                                               essential information; and
-                        """
-                    - 
-                      id:         si-4_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          At ad hoc locations within the system to track specific types of transactions
-                                               of interest to the organization;
-                        """
-                - 
-                  id:         si-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects information obtained from intrusion-monitoring tools from unauthorized
-                                        access, modification, and deletion;
-                    """
-                - 
-                  id:         si-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Heightens the level of information system monitoring activity whenever there is an
-                                        indication of increased risk to organizational operations and assets, individuals,
-                                        other organizations, or the Nation based on law enforcement information,
-                                        intelligence information, or other credible sources of information;
-                    """
-                - 
-                  id:         si-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Obtains legal opinion with regard to information system monitoring activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        or regulations; and
-                    """
-                - 
-                  id:         si-4_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}
-                                        {{ si-4_prm_5 }}.
-                    """
-                - 
-                  id:    si-4_fr
-                  name:  item
-                  title: SI-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         si-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      See US-CERT Incident Response Reporting Guidelines.
-            - 
-              id:    si-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system monitoring includes external and internal monitoring. External
-                                 monitoring includes the observation of events occurring at the information system
-                                 boundary (i.e., part of perimeter defense and boundary protection). Internal
-                                 monitoring includes the observation of events occurring within the information
-                                 system. Organizations can monitor information systems, for example, by observing
-                                 audit activities in real time or by observing other system aspects such as access
-                                 patterns, characteristics of access, and other actions. The monitoring objectives may
-                                 guide determination of the events. Information system monitoring capability is
-                                 achieved through a variety of tools and techniques (e.g., intrusion detection
-                                 systems, intrusion prevention systems, malicious code protection software, scanning
-                                 tools, audit record monitoring software, network monitoring software). Strategic
-                                 locations for monitoring devices include, for example, selected perimeter locations
-                                 and near server farms supporting critical applications, with such devices typically
-                                 being employed at the managed interfaces associated with controls SC-7 and AC-17.
-                                 Einstein network monitoring devices from the Department of Homeland Security can also
-                                 be included as monitoring devices. The granularity of monitoring information
-                                 collected is based on organizational monitoring objectives and the capability of
-                                 information systems to support such objectives. Specific types of transactions of
-                                 interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-                                 bypasses HTTP proxies. Information system monitoring is an integral part of
-                                 organizational continuous monitoring and incident response programs. Output from
-                                 system monitoring serves as input to continuous monitoring and incident response
-                                 programs. A network connection is any connection with a device that communicates
-                                 through a network (e.g., local area network, Internet). A remote connection is any
-                                 connection with a device communicating through an external network (e.g., the
-                                 Internet). Local, network, and remote connections can be either wired or
-                                 wireless.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-8
-                  rel:  related
-                  text: AC-8
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-26
-                  rel:  related
-                  text: SC-26
-                - 
-                  href: #sc-35
-                  rel:  related
-                  text: SC-35
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    si-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(a)
-                  parts: 
-                    - 
-                      id:         si-4.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(a)(1)
-                      parts: 
-                        - 
-                          id:         si-4.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-4(a)(1)[1]
-                          prose: 
-                            """
-                              defines monitoring objectives to detect attacks and indicators of potential
-                                                      attacks on the information system;
-                            """
-                        - 
-                          id:         si-4.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-4(a)(1)[2]
-                          prose: 
-                            """
-                              monitors the information system to detect, in accordance with
-                                                      organization-defined monitoring objectives,:
-                            """
-                          parts: 
-                            - 
-                              id:         si-4.a.1_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-4(a)(1)[2][a]
-                              prose:      attacks;
-                            - 
-                              id:         si-4.a.1_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-4(a)(1)[2][b]
-                              prose:      indicators of potential attacks;
-                    - 
-                      id:         si-4.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(a)(2)
-                      prose:      monitors the information system to detect unauthorized:
-                      parts: 
-                        - 
-                          id:         si-4.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[1]
-                          prose:      local connections;
-                        - 
-                          id:         si-4.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[2]
-                          prose:      network connections;
-                        - 
-                          id:         si-4.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[3]
-                          prose:      remote connections;
-                - 
-                  id:         si-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(b)
-                  parts: 
-                    - 
-                      id:         si-4.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(b)(1)
-                      prose: 
-                        """
-                          defines techniques and methods to identify unauthorized use of the information
-                                               system;
-                        """
-                    - 
-                      id:         si-4.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(b)(2)
-                      prose: 
-                        """
-                          identifies unauthorized use of the information system through
-                                               organization-defined techniques and methods;
-                        """
-                - 
-                  id:         si-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(c)
-                  prose:      deploys monitoring devices:
-                  parts: 
-                    - 
-                      id:         si-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(c)[1]
-                      prose: 
-                        """
-                          strategically within the information system to collect organization-determined
-                                               essential information;
-                        """
-                    - 
-                      id:         si-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(c)[2]
-                      prose: 
-                        """
-                          at ad hoc locations within the system to track specific types of transactions
-                                               of interest to the organization;
-                        """
-                - 
-                  id:         si-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(d)
-                  prose: 
-                    """
-                      protects information obtained from intrusion-monitoring tools from
-                                        unauthorized:
-                    """
-                  parts: 
-                    - 
-                      id:         si-4.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[1]
-                      prose:      access;
-                    - 
-                      id:         si-4.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[2]
-                      prose:      modification;
-                    - 
-                      id:         si-4.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[3]
-                      prose:      deletion;
-                - 
-                  id:         si-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(e)
-                  prose: 
-                    """
-                      heightens the level of information system monitoring activity whenever there is an
-                                        indication of increased risk to organizational operations and assets, individuals,
-                                        other organizations, or the Nation based on law enforcement information,
-                                        intelligence information, or other credible sources of information;
-                    """
-                - 
-                  id:         si-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: SI-4(f)
-                  prose: 
-                    """
-                      obtains legal opinion with regard to information system monitoring activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        or regulations;
-                    """
-                - 
-                  id:         si-4.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(g)
-                  parts: 
-                    - 
-                      id:         si-4.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom information system monitoring information is
-                                               to be provided;
-                        """
-                    - 
-                      id:         si-4.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[2]
-                      prose: 
-                        """
-                          defines information system monitoring information to be provided to
-                                               organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         si-4.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[3]
-                      prose: 
-                        """
-                          defines a frequency to provide organization-defined information system
-                                               monitoring to organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         si-4.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(g)[4]
-                      prose: 
-                        """
-                          provides organization-defined information system monitoring information to
-                                               organization-defined personnel or roles one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-4.g_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(g)[4][a]
-                          prose:      as needed; and/or
-                        - 
-                          id:         si-4.g_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(g)[4][b]
-                          prose:      with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility monitoring the information system
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing information system monitoring
-                                        capability
-                    """
-          controls: 
-            - 
-              id:         si-4.1
-              class:      SP800-53-enhancement
-              title:      System-wide Intrusion Detection System
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(1)
-                - 
-                  name:  sort-id
-                  value: si-04.01
-              parts: 
-                - 
-                  id:    si-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization connects and configures individual intrusion detection tools into
-                                        an information system-wide intrusion detection system.
-                    """
-                - 
-                  id:    si-4.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(1)[1]
-                      prose: 
-                        """
-                          connects individual intrusion detection tools into an information system-wide
-                                               intrusion detection system; and
-                        """
-                    - 
-                      id:         si-4.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(1)[2]
-                      prose: 
-                        """
-                          configures individual intrusion detection tools into an information system-wide
-                                               intrusion detection system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion detection
-                                               capability
-                        """
-            - 
-              id:         si-4.2
-              class:      SP800-53-enhancement
-              title:      Automated Tools for Real-time Analysis
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(2)
-                - 
-                  name:  sort-id
-                  value: si-04.02
-              parts: 
-                - 
-                  id:    si-4.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated tools to support near real-time analysis of
-                                        events.
-                    """
-                - 
-                  id:    si-4.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated tools include, for example, host-based, network-based, transport-based,
-                                        or storage-based event monitoring tools or Security Information and Event
-                                        Management (SIEM) technologies that provide real time analysis of alerts and/or
-                                        notifications generated by organizational information systems.
-                    """
-                - 
-                  id:         si-4.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated tools to support near real-time
-                                        analysis of events.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for incident
-                                               response/management
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for near real-time analysis of events\n\norganizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing information system
-                                               monitoring\n\nautomated mechanisms/tools supporting and/or implementing analysis of
-                                               events
-                        """
-            - 
-              id:         si-4.4
-              class:      SP800-53-enhancement
-              title:      Inbound and Outbound Communications Traffic
-              parameters: 
-                - 
-                  id:          si-4.4_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: continuously
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-4(4)
-                - 
-                  name:  sort-id
-                  value: si-04.04
-              parts: 
-                - 
-                  id:    si-4.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system monitors inbound and outbound communications traffic
-                                           {{ si-4.4_prm_1 }} for unusual or unauthorized activities or
-                                        conditions.
-                    """
-                - 
-                  id:    si-4.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Unusual/unauthorized activities or conditions related to information system
-                                        inbound and outbound communications traffic include, for example, internal traffic
-                                        that indicates the presence of malicious code within organizational information
-                                        systems or propagating among system components, the unauthorized exporting of
-                                        information, or signaling to external information systems. Evidence of malicious
-                                        code is used to identify potentially compromised information systems or
-                                        information system components.
-                    """
-                - 
-                  id:    si-4.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(4)[1]
-                      prose:      defines a frequency to monitor:
-                      parts: 
-                        - 
-                          id:         si-4.4_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(4)[1][a]
-                          prose: 
-                            """
-                              inbound communications traffic for unusual or unauthorized activities or
-                                                      conditions;
-                            """
-                        - 
-                          id:         si-4.4_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(4)[1][b]
-                          prose: 
-                            """
-                              outbound communications traffic for unusual or unauthorized activities or
-                                                      conditions;
-                            """
-                    - 
-                      id:         si-4.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(4)[2]
-                      prose:      monitors, with the organization-defined frequency:
-                      parts: 
-                        - 
-                          id:         si-4.4_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(4)[2][a]
-                          prose: 
-                            """
-                              inbound communications traffic for unusual or unauthorized activities or
-                                                      conditions; and
-                            """
-                        - 
-                          id:         si-4.4_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(4)[2][b]
-                          prose: 
-                            """
-                              outbound communications traffic for unusual or unauthorized activities or
-                                                      conditions.
-                            """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system protocols\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion detection
-                                               capability/information system monitoring\n\nautomated mechanisms supporting and/or implementing monitoring of
-                                               inbound/outbound communications traffic
-                        """
-            - 
-              id:         si-4.5
-              class:      SP800-53-enhancement
-              title:      System-generated Alerts
-              parameters: 
-                - 
-                  id:    si-4.5_prm_1
-                  label: organization-defined personnel or roles
-                - 
-                  id:    si-4.5_prm_2
-                  label: organization-defined compromise indicators
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(5)
-                - 
-                  name:  sort-id
-                  value: si-04.05
-              parts: 
-                - 
-                  id:    si-4.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system alerts {{ si-4.5_prm_1 }} when the following
-                                        indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    si-4.5_fr
-                      name:  item
-                      title: SI-4 (5) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         si-4.5_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      In accordance with the incident response plan.
-                - 
-                  id:    si-4.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Alerts may be generated from a variety of sources, including, for example, audit
-                                        records or inputs from malicious code protection mechanisms, intrusion detection
-                                        or prevention mechanisms, or boundary protection devices such as firewalls,
-                                        gateways, and routers. Alerts can be transmitted, for example, telephonically, by
-                                        electronic mail messages, or by text messaging. Organizational personnel on the
-                                        notification list can include, for example, system administrators,
-                                        mission/business owners, system owners, or information system security
-                                        officers.
-                    """
-                  links: 
-                    - 
-                      href: #au-5
-                      rel:  related
-                      text: AU-5
-                    - 
-                      href: #pe-6
-                      rel:  related
-                      text: PE-6
-                - 
-                  id:    si-4.5_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         si-4.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(5)[1]
-                      prose:      the organization defines compromise indicators for the information system;
-                    - 
-                      id:         si-4.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(5)[2]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to be alerted when indications of
-                                               compromise or potential compromise occur; and
-                        """
-                    - 
-                      id:         si-4.5_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(5)[3]
-                      prose: 
-                        """
-                          the information system alerts organization-defined personnel or roles when
-                                               organization-defined compromise indicators occur.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nalerts/notifications generated based on compromise indicators\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion
-                                               detection/information system monitoring capability\n\nautomated mechanisms supporting and/or implementing alerts for compromise
-                                               indicators
-                        """
-            - 
-              id:         si-4.11
-              class:      SP800-53-enhancement
-              title:      Analyze Communications Traffic Anomalies
-              parameters: 
-                - 
-                  id:    si-4.11_prm_1
-                  label: 
-                    """
-                      organization-defined interior points within the system (e.g., subnetworks,
-                                        subsystems)
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(11)
-                - 
-                  name:  sort-id
-                  value: si-04.11
-              parts: 
-                - 
-                  id:    si-4.11_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization analyzes outbound communications traffic at the external boundary
-                                        of the information system and selected {{ si-4.11_prm_1 }} to
-                                        discover anomalies.
-                    """
-                - 
-                  id:    si-4.11_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Anomalies within organizational information systems include, for example, large
-                                        file transfers, long-time persistent connections, unusual protocols and ports in
-                                        use, and attempted communications with suspected malicious external addresses.
-                    """
-                - 
-                  id:    si-4.11_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.11_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(11)[1]
-                      prose: 
-                        """
-                          defines interior points within the system (e.g., subnetworks, subsystems) where
-                                               communications traffic is to be analyzed;
-                        """
-                    - 
-                      id:         si-4.11_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(11)[2]
-                      prose:      analyzes outbound communications traffic to discover anomalies at:
-                      parts: 
-                        - 
-                          id:         si-4.11_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(11)[2][a]
-                          prose:      the external boundary of the information system; and
-                        - 
-                          id:         si-4.11_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(11)[2][b]
-                          prose:      selected organization-defined interior points within the system.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\nnetwork diagram\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion
-                                               detection/information system monitoring capability\n\nautomated mechanisms supporting and/or implementing analysis of communications
-                                               traffic
-                        """
-            - 
-              id:         si-4.14
-              class:      SP800-53-enhancement
-              title:      Wireless Intrusion Detection
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-4(14)
-                - 
-                  name:  sort-id
-                  value: si-04.14
-              parts: 
-                - 
-                  id:    si-4.14_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs a wireless intrusion detection system to identify rogue
-                                        wireless devices and to detect attack attempts and potential compromises/breaches
-                                        to the information system.
-                    """
-                - 
-                  id:    si-4.14_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Wireless signals may radiate beyond the confines of organization-controlled
-                                        facilities. Organizations proactively search for unauthorized wireless connections
-                                        including the conduct of thorough scans for unauthorized wireless access points.
-                                        Scans are not limited to those areas within facilities containing information
-                                        systems, but also include areas outside of facilities as needed, to verify that
-                                        unauthorized wireless access points are not connected to the systems.
-                    """
-                  links: 
-                    - 
-                      href: #ac-18
-                      rel:  related
-                      text: AC-18
-                    - 
-                      href: #ia-3
-                      rel:  related
-                      text: IA-3
-                - 
-                  id:    si-4.14_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization employs a wireless intrusion detection system
-                                        to:
-                    """
-                  parts: 
-                    - 
-                      id:         si-4.14_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(14)[1]
-                      prose:      identify rogue wireless devices;
-                    - 
-                      id:         si-4.14_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(14)[2]
-                      prose:      detect attack attempts to the information system; and
-                    - 
-                      id:         si-4.14_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(14)[3]
-                      prose:      detect potential compromises/breaches to the information system.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system protocols\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection\n\nautomated mechanisms supporting and/or implementing wireless intrusion
-                                               detection capability
-                        """
-            - 
-              id:         si-4.16
-              class:      SP800-53-enhancement
-              title:      Correlate Monitoring Information
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(16)
-                - 
-                  name:  sort-id
-                  value: si-04.16
-              parts: 
-                - 
-                  id:    si-4.16_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization correlates information from monitoring tools employed throughout
-                                        the information system.
-                    """
-                - 
-                  id:    si-4.16_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Correlating information from different monitoring tools can provide a more
-                                        comprehensive view of information system activity. The correlation of monitoring
-                                        tools that usually work in isolation (e.g., host monitoring, network monitoring,
-                                        anti-virus software) can provide an organization-wide view and in so doing, may
-                                        reveal otherwise unseen attack patterns. Understanding the
-                                        capabilities/limitations of diverse monitoring tools and how to maximize the
-                                        utility of information generated by those tools can help organizations to build,
-                                        operate, and maintain effective monitoring programs.
-                    """
-                  links: 
-                    - 
-                      href: #au-6
-                      rel:  related
-                      text: AU-6
-                - 
-                  id:         si-4.16_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization correlates information from monitoring tools
-                                        employed throughout the information system.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nevent correlation logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion
-                                               detection/information system monitoring capability\n\nautomated mechanisms supporting and/or implementing correlation of information
-                                               from monitoring tools
-                        """
-            - 
-              id:         si-4.18
-              class:      SP800-53-enhancement
-              title:      Analyze Traffic / Covert Exfiltration
-              parameters: 
-                - 
-                  id:    si-4.18_prm_1
-                  label: 
-                    """
-                      organization-defined interior points within the system (e.g., subsystems,
-                                        subnetworks)
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(18)
-                - 
-                  name:  sort-id
-                  value: si-04.18
-              parts: 
-                - 
-                  id:    si-4.18_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization analyzes outbound communications traffic at the external boundary
-                                        of the information system (i.e., system perimeter) and at {{ si-4.18_prm_1 }} to detect covert exfiltration of information.
-                    """
-                - 
-                  id:    si-4.18_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Covert means that can be used for the unauthorized exfiltration of organizational
-                                        information include, for example, steganography.
-                    """
-                - 
-                  id:    si-4.18_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.18_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(18)[1]
-                      prose: 
-                        """
-                          defines interior points within the system (e.g., subsystems, subnetworks) where
-                                               communications traffic is to be analyzed;
-                        """
-                    - 
-                      id:         si-4.18_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(18)[2]
-                      prose: 
-                        """
-                          to detect covert exfiltration of information, analyzes outbound communications
-                                               traffic at:
-                        """
-                      parts: 
-                        - 
-                          id:         si-4.18_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(18)[2][a]
-                          prose: 
-                            """
-                              the external boundary of the information system (i.e., system perimeter);
-                                                      and
-                            """
-                        - 
-                          id:         si-4.18_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(18)[2][b]
-                          prose:      organization-defined interior points within the system.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\nnetwork diagram\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion detection/system
-                                               monitoring capability\n\nautomated mechanisms supporting and/or implementing analysis of outbound
-                                               communications traffic
-                        """
-            - 
-              id:         si-4.19
-              class:      SP800-53-enhancement
-              title:      Individuals Posing Greater Risk
-              parameters: 
-                - 
-                  id:    si-4.19_prm_1
-                  label: organization-defined additional monitoring
-                - 
-                  id:    si-4.19_prm_2
-                  label: organization-defined sources
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(19)
-                - 
-                  name:  sort-id
-                  value: si-04.19
-              parts: 
-                - 
-                  id:    si-4.19_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization implements {{ si-4.19_prm_1 }} of individuals who
-                                        have been identified by {{ si-4.19_prm_2 }} as posing an increased
-                                        level of risk.
-                    """
-                - 
-                  id:    si-4.19_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Indications of increased risk from individuals can be obtained from a variety of
-                                        sources including, for example, human resource records, intelligence agencies, law
-                                        enforcement organizations, and/or other credible sources. The monitoring of
-                                        individuals is closely coordinated with management, legal, security, and human
-                                        resources officials within organizations conducting such monitoring and complies
-                                        with federal legislation, Executive Orders, policies, directives, regulations, and
-                                        standards.
-                    """
-                - 
-                  id:    si-4.19_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.19_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(19)[1]
-                      prose: 
-                        """
-                          defines sources that identify individuals who pose an increased level of
-                                               risk;
-                        """
-                    - 
-                      id:         si-4.19_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(19)[2]
-                      prose: 
-                        """
-                          defines additional monitoring to be implemented on individuals who have been
-                                               identified by organization-defined sources as posing an increased level of
-                                               risk; and
-                        """
-                    - 
-                      id:         si-4.19_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(19)[3]
-                      prose: 
-                        """
-                          implements organization-defined additional monitoring of individuals who have
-                                               been identified by organization-defined sources as posing an increased level of
-                                               risk.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing information system monitoring\n\ninformation system design documentation\n\nlist of individuals who have been identified as posing an increased level of
-                                               risk\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing system monitoring
-                                               capability
-                        """
-            - 
-              id:         si-4.20
-              class:      SP800-53-enhancement
-              title:      Privileged Users
-              parameters: 
-                - 
-                  id:    si-4.20_prm_1
-                  label: organization-defined additional monitoring
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(20)
-                - 
-                  name:  sort-id
-                  value: si-04.20
-              parts: 
-                - 
-                  id:    si-4.20_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization implements {{ si-4.20_prm_1 }} of privileged
-                                        users.
-                    """
-                - 
-                  id:    si-4.20_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.20_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(20)[1]
-                      prose:      defines additional monitoring to be implemented on privileged users; and
-                    - 
-                      id:         si-4.20_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(20)[2]
-                      prose:      implements organization-defined additional monitoring of privileged users;
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\nlist of privileged users\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing system monitoring
-                                               capability
-                        """
-            - 
-              id:         si-4.22
-              class:      SP800-53-enhancement
-              title:      Unauthorized Network Services
-              parameters: 
-                - 
-                  id:    si-4.22_prm_1
-                  label: organization-defined authorization or approval processes
-                - 
-                  id: si-4.22_prm_2
-                - 
-                  id:         si-4.22_prm_3
-                  depends-on: si-4.22_prm_2
-                  label:      organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(22)
-                - 
-                  name:  sort-id
-                  value: si-04.22
-              parts: 
-                - 
-                  id:    si-4.22_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system detects network services that have not been authorized or
-                                        approved by {{ si-4.22_prm_1 }} and {{ si-4.22_prm_2 }}.
-                    """
-                - 
-                  id:    si-4.22_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Unauthorized or unapproved network services include, for example, services in
-                                        service-oriented architectures that lack organizational verification or validation
-                                        and therefore may be unreliable or serve as malicious rogues for valid
-                                        services.
-                    """
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #sa-5
-                      rel:  related
-                      text: SA-5
-                    - 
-                      href: #sa-9
-                      rel:  related
-                      text: SA-9
-                - 
-                  id:    si-4.22_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         si-4.22_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(22)[1]
-                      prose: 
-                        """
-                          the organization defines authorization or approval processes for network
-                                               services;
-                        """
-                    - 
-                      id:         si-4.22_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(22)[2]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to be alerted upon detection of
-                                               network services that have not been authorized or approved by
-                                               organization-defined authorization or approval processes;
-                        """
-                    - 
-                      id:         si-4.22_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(22)[3]
-                      prose: 
-                        """
-                          the information system detects network services that have not been authorized
-                                               or approved by organization-defined authorization or approval processes and
-                                               does one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-4.22_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(22)[3][a]
-                          prose:      audits; and/or
-                        - 
-                          id:         si-4.22_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(22)[3][b]
-                          prose:      alerts organization-defined personnel or roles.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ndocumented authorization/approval of network services\n\nnotifications or alerts of unauthorized network services\n\ninformation system monitoring logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing system monitoring
-                                               capability\n\nautomated mechanisms for auditing network services\n\nautomated mechanisms for providing alerts
-                        """
-            - 
-              id:         si-4.23
-              class:      SP800-53-enhancement
-              title:      Host-based Devices
-              parameters: 
-                - 
-                  id:    si-4.23_prm_1
-                  label: organization-defined host-based monitoring mechanisms
-                - 
-                  id:    si-4.23_prm_2
-                  label: organization-defined information system components
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(23)
-                - 
-                  name:  sort-id
-                  value: si-04.23
-              parts: 
-                - 
-                  id:    si-4.23_smt
-                  name:  statement
-                  prose: The organization implements {{ si-4.23_prm_1 }} at {{ si-4.23_prm_2 }}.
-                - 
-                  id:    si-4.23_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Information system components where host-based monitoring can be implemented
-                                        include, for example, servers, workstations, and mobile devices. Organizations
-                                        consider employing host-based monitoring mechanisms from multiple information
-                                        technology product developers.
-                    """
-                - 
-                  id:    si-4.23_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.23_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(23)[1]
-                      prose:      defines host-based monitoring mechanisms to be implemented;
-                    - 
-                      id:         si-4.23_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(23)[2]
-                      prose: 
-                        """
-                          defines information system components where organization-defined host-based
-                                               monitoring is to be implemented; and
-                        """
-                    - 
-                      id:         si-4.23_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(23)[3]
-                      prose: 
-                        """
-                          implements organization-defined host-based monitoring mechanisms at
-                                               organization-defined information system components.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\nhost-based monitoring mechanisms\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system components requiring host-based monitoring\n\ninformation system monitoring logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring information system
-                                               hosts
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing host-based monitoring
-                                               capability
-                        """
-            - 
-              id:         si-4.24
-              class:      SP800-53-enhancement
-              title:      Indicators of Compromise
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(24)
-                - 
-                  name:  sort-id
-                  value: si-04.24
-              parts: 
-                - 
-                  id:    si-4.24_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system discovers, collects, distributes, and uses indicators of
-                                        compromise.
-                    """
-                - 
-                  id:    si-4.24_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Indicators of compromise (IOC) are forensic artifacts from intrusions that are
-                                        identified on organizational information systems (at the host or network level).
-                                        IOCs provide organizations with valuable information on objects or information
-                                        systems that have been compromised. IOCs for the discovery of compromised hosts
-                                        can include for example, the creation of registry key values. IOCs for network
-                                        traffic include, for example, Universal Resource Locator (URL) or protocol
-                                        elements that indicate malware command and control servers. The rapid distribution
-                                        and adoption of IOCs can improve information security by reducing the time that
-                                        information systems and organizations are vulnerable to the same exploit or
-                                        attack.
-                    """
-                - 
-                  id:    si-4.24_obj
-                  name:  objective
-                  prose: Determine if the information system:
-                  parts: 
-                    - 
-                      id:         si-4.24_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(24)[1]
-                      prose:      discovers indicators of compromise;
-                    - 
-                      id:         si-4.24_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(24)[2]
-                      prose:      collects indicators of compromise;
-                    - 
-                      id:         si-4.24_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(24)[3]
-                      prose:      distributes indicators of compromise; and
-                    - 
-                      id:         si-4.24_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(24)[4]
-                      prose:      uses indicators of compromise.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring information system
-                                               hosts
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for information system monitoring\n\norganizational processes for discovery, collection, distribution, and use of
-                                               indicators of compromise\n\nautomated mechanisms supporting and/or implementing system monitoring
-                                               capability\n\nautomated mechanisms supporting and/or implementing the discovery, collection,
-                                               distribution, and use of indicators of compromise
-                        """
-        - 
-          id:         si-5
-          class:      SP800-53
-          title:      Security Alerts, Advisories, and Directives
-          parameters: 
-            - 
-              id:          si-5_prm_1
-              label:       organization-defined external organizations
-              constraints: 
-                - 
-                  detail: to include US-CERT
-            - 
-              id:          si-5_prm_2
-              constraints: 
-                - 
-                  detail: to include system security personnel and administrators with configuration/patch-management responsibilities
-            - 
-              id:         si-5_prm_3
-              depends-on: si-5_prm_2
-              label:      organization-defined personnel or roles
-            - 
-              id:         si-5_prm_4
-              depends-on: si-5_prm_2
-              label:      organization-defined elements within the organization
-            - 
-              id:         si-5_prm_5
-              depends-on: si-5_prm_2
-              label:      organization-defined external organizations
-          properties: 
-            - 
-              name:  label
-              value: SI-5
-            - 
-              name:  sort-id
-              value: si-05
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-          parts: 
-            - 
-              id:    si-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Receives information system security alerts, advisories, and directives from
-                                           {{ si-5_prm_1 }} on an ongoing basis;
-                    """
-                - 
-                  id:         si-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Generates internal security alerts, advisories, and directives as deemed
-                                        necessary;
-                    """
-                - 
-                  id:         si-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and
-                - 
-                  id:         si-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Implements security directives in accordance with established time frames, or
-                                        notifies the issuing organization of the degree of noncompliance.
-                    """
-            - 
-              id:    si-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  The United States Computer Emergency Readiness Team (US-CERT) generates security
-                                 alerts and advisories to maintain situational awareness across the federal
-                                 government. Security directives are issued by OMB or other designated organizations
-                                 with the responsibility and authority to issue such directives. Compliance to
-                                 security directives is essential due to the critical nature of many of these
-                                 directives and the potential immediate adverse effects on organizational operations
-                                 and assets, individuals, other organizations, and the Nation should the directives
-                                 not be implemented in a timely manner. External organizations include, for example,
-                                 external mission/business partners, supply chain partners, external service
-                                 providers, and other peer/supporting organizations.
-                """
-              links: 
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    si-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(a)
-                  parts: 
-                    - 
-                      id:         si-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(a)[1]
-                      prose: 
-                        """
-                          defines external organizations from whom information system security alerts,
-                                               advisories and directives are to be received;
-                        """
-                    - 
-                      id:         si-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(a)[2]
-                      prose: 
-                        """
-                          receives information system security alerts, advisories, and directives from
-                                               organization-defined external organizations on an ongoing basis;
-                        """
-                - 
-                  id:         si-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-5(b)
-                  prose: 
-                    """
-                      generates internal security alerts, advisories, and directives as deemed
-                                        necessary;
-                    """
-                - 
-                  id:         si-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(c)
-                  parts: 
-                    - 
-                      id:         si-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom security alerts, advisories, and directives
-                                               are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[2]
-                      prose: 
-                        """
-                          defines elements within the organization to whom security alerts, advisories,
-                                               and directives are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[3]
-                      prose: 
-                        """
-                          defines external organizations to whom security alerts, advisories, and
-                                               directives are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(c)[4]
-                      prose: 
-                        """
-                          disseminates security alerts, advisories, and directives to one or more of the
-                                               following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-5.c_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][a]
-                          prose:      organization-defined personnel or roles;
-                        - 
-                          id:         si-5.c_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][b]
-                          prose:      organization-defined elements within the organization; and/or
-                        - 
-                          id:         si-5.c_obj.4.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][c]
-                          prose:      organization-defined external organizations; and
-                - 
-                  id:         si-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-5(d)
-                  parts: 
-                    - 
-                      id:         si-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(d)[1]
-                      prose: 
-                        """
-                          implements security directives in accordance with established time frames;
-                                               or
-                        """
-                    - 
-                      id:         si-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(d)[2]
-                      prose:      notifies the issuing organization of the degree of noncompliance.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the
-                                        information system\n\norganizational personnel, organizational elements, and/or external organizations
-                                        to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining, receiving, generating, disseminating, and
-                                        complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and/or implementing definition, receipt,
-                                        generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and/or implementing security directives
-                    """
-          controls: 
-            - 
-              id:         si-5.1
-              class:      SP800-53-enhancement
-              title:      Automated Alerts and Advisories
-              properties: 
-                - 
-                  name:  label
-                  value: SI-5(1)
-                - 
-                  name:  sort-id
-                  value: si-05.01
-              parts: 
-                - 
-                  id:    si-5.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to make security alert and advisory
-                                        information available throughout the organization.
-                    """
-                - 
-                  id:    si-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The significant number of changes to organizational information systems and the
-                                        environments in which those systems operate requires the dissemination of
-                                        security-related information to a variety of organizational entities that have a
-                                        direct interest in the success of organizational missions and business functions.
-                                        Based on the information provided by the security alerts and advisories, changes
-                                        may be required at one or more of the three tiers related to the management of
-                                        information security risk including the governance level, mission/business
-                                        process/enterprise architecture level, and the information system level.
-                    """
-                - 
-                  id:         si-5.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to make security alert
-                                        and advisory information available throughout the organization.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory
-                                               information\n\nrecords of security alerts and advisories\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the
-                                               information system\n\norganizational personnel, organizational elements, and/or external
-                                               organizations to whom alerts and advisories are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for defining, receiving, generating, and disseminating
-                                               security alerts and advisories\n\nautomated mechanisms supporting and/or implementing dissemination of security
-                                               alerts and advisories
-                        """
-        - 
-          id:         si-6
-          class:      SP800-53
-          title:      Security Function Verification
-          parameters: 
-            - 
-              id:    si-6_prm_1
-              label: organization-defined security functions
-            - 
-              id: si-6_prm_2
-            - 
-              id:          si-6_prm_3
-              depends-on:  si-6_prm_2
-              label:       organization-defined system transitional states
-              constraints: 
-                - 
-                  detail: to include upon system startup and/or restart
-            - 
-              id:          si-6_prm_4
-              depends-on:  si-6_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-            - 
-              id:          si-6_prm_5
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: to include system administrators and security personnel
-            - 
-              id: si-6_prm_6
-            - 
-              id:          si-6_prm_7
-              depends-on:  si-6_prm_6
-              label:       organization-defined alternative action(s)
-              constraints: 
-                - 
-                  detail: to include notification of system administrators and security personnel
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-6
-            - 
-              name:  sort-id
-              value: si-06
-          parts: 
-            - 
-              id:    si-6_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         si-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Verifies the correct operation of {{ si-6_prm_1 }};
-                - 
-                  id:         si-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Performs this verification {{ si-6_prm_2 }};
-                - 
-                  id:         si-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Notifies {{ si-6_prm_5 }} of failed security verification tests;
-                                        and
-                    """
-                - 
-                  id:         si-6_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      
-                                        {{ si-6_prm_6 }} when anomalies are discovered.
-                    """
-            - 
-              id:    si-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Transitional states for information systems include, for example, system startup,
-                                 restart, shutdown, and abort. Notifications provided by information systems include,
-                                 for example, electronic alerts to system administrators, messages to local computer
-                                 consoles, and/or hardware indications such as lights.
-                """
-              links: 
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-            - 
-              id:    si-6_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-6(a)
-                  parts: 
-                    - 
-                      id:         si-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(a)[1]
-                      prose: 
-                        """
-                          the organization defines security functions to be verified for correct
-                                               operation;
-                        """
-                    - 
-                      id:         si-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-6(a)[2]
-                      prose: 
-                        """
-                          the information system verifies the correct operation of organization-defined
-                                               security functions;
-                        """
-                - 
-                  id:         si-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-6(b)
-                  parts: 
-                    - 
-                      id:         si-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(b)[1]
-                      prose: 
-                        """
-                          the organization defines system transitional states requiring verification of
-                                               organization-defined security functions;
-                        """
-                    - 
-                      id:         si-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(b)[2]
-                      prose: 
-                        """
-                          the organization defines a frequency to verify the correct operation of
-                                               organization-defined security functions;
-                        """
-                    - 
-                      id:         si-6.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-6(b)[3]
-                      prose: 
-                        """
-                          the information system performs this verification one or more of the
-                                               following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-6.b_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(b)[3][a]
-                          prose:      at organization-defined system transitional states;
-                        - 
-                          id:         si-6.b_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(b)[3][b]
-                          prose:      upon command by user with appropriate privilege; and/or
-                        - 
-                          id:         si-6.b_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(b)[3][c]
-                          prose:      with the organization-defined frequency;
-                - 
-                  id:         si-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-6(c)
-                  parts: 
-                    - 
-                      id:         si-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(c)[1]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to be notified of failed security
-                                               verification tests;
-                        """
-                    - 
-                      id:         si-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-6(c)[2]
-                      prose: 
-                        """
-                          the information system notifies organization-defined personnel or roles of
-                                               failed security verification tests;
-                        """
-                - 
-                  id:         si-6.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-6(d)
-                  parts: 
-                    - 
-                      id:         si-6.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(d)[1]
-                      prose: 
-                        """
-                          the organization defines alternative action(s) to be performed when anomalies
-                                               are discovered;
-                        """
-                    - 
-                      id:         si-6.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-6(d)[2]
-                      prose: 
-                        """
-                          the information system performs one or more of the following actions when
-                                               anomalies are discovered:
-                        """
-                      parts: 
-                        - 
-                          id:         si-6.d_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(d)[2][a]
-                          prose:      shuts the information system down;
-                        - 
-                          id:         si-6.d_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(d)[2][b]
-                          prose:      restarts the information system; and/or
-                        - 
-                          id:         si-6.d_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(d)[2][c]
-                          prose:      performs organization-defined alternative action(s).
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nprocedures addressing security function verification\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nalerts/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the information
-                                        system\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for security function verification\n\nautomated mechanisms supporting and/or implementing security function verification
-                                        capability
-                    """
-        - 
-          id:         si-7
-          class:      SP800-53
-          title:      Software, Firmware, and Information Integrity
-          parameters: 
-            - 
-              id:    si-7_prm_1
-              label: organization-defined software, firmware, and information
-          properties: 
-            - 
-              name:  label
-              value: SI-7
-            - 
-              name:  sort-id
-              value: si-07
-          links: 
-            - 
-              href: #6bf8d24a-78dc-4727-a2ac-0e64d71c495c
-              rel:  reference
-              text: NIST Special Publication 800-147
-            - 
-              href: #3878cc04-144a-483e-af62-8fe6f4ad6c7a
-              rel:  reference
-              text: NIST Special Publication 800-155
-          parts: 
-            - 
-              id:    si-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs integrity verification tools to detect unauthorized changes
-                                 to {{ si-7_prm_1 }}.
-                """
-            - 
-              id:    si-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Unauthorized changes to software, firmware, and information can occur due to errors
-                                 or malicious activity (e.g., tampering). Software includes, for example, operating
-                                 systems (with key internal components such as kernels, drivers), middleware, and
-                                 applications. Firmware includes, for example, the Basic Input Output System (BIOS).
-                                 Information includes metadata such as security attributes associated with
-                                 information. State-of-the-practice integrity-checking mechanisms (e.g., parity
-                                 checks, cyclical redundancy checks, cryptographic hashes) and associated tools can
-                                 automatically monitor the integrity of information systems and hosted
-                                 applications.
-                """
-              links: 
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-            - 
-              id:    si-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-7[1]
-                  parts: 
-                    - 
-                      id:         si-7_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7[1][a]
-                      prose: 
-                        """
-                          defines software requiring integrity verification tools to be employed to
-                                               detect unauthorized changes;
-                        """
-                    - 
-                      id:         si-7_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7[1][b]
-                      prose: 
-                        """
-                          defines firmware requiring integrity verification tools to be employed to
-                                               detect unauthorized changes;
-                        """
-                    - 
-                      id:         si-7_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7[1][c]
-                      prose: 
-                        """
-                          defines information requiring integrity verification tools to be employed to
-                                               detect unauthorized changes;
-                        """
-                - 
-                  id:         si-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-7[2]
-                  prose: 
-                    """
-                      employs integrity verification tools to detect unauthorized changes to
-                                        organization-defined:
-                    """
-                  parts: 
-                    - 
-                      id:         si-7_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-7[2][a]
-                      prose:      software;
-                    - 
-                      id:         si-7_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-7[2][b]
-                      prose:      firmware; and
-                    - 
-                      id:         si-7_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-7[2][c]
-                      prose:      information.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated/triggered from integrity verification tools regarding
-                                        unauthorized software, firmware, and information changes\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for software, firmware, and/or
-                                        information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Software, firmware, and information integrity verification tools
-          controls: 
-            - 
-              id:         si-7.1
-              class:      SP800-53-enhancement
-              title:      Integrity Checks
-              parameters: 
-                - 
-                  id:    si-7.1_prm_1
-                  label: organization-defined software, firmware, and information
-                - 
-                  id: si-7.1_prm_2
-                - 
-                  id:          si-7.1_prm_3
-                  depends-on:  si-7.1_prm_2
-                  label:       organization-defined transitional states or security-relevant events
-                  constraints: 
-                    - 
-                      detail: selection to include security relevant events
-                - 
-                  id:          si-7.1_prm_4
-                  depends-on:  si-7.1_prm_2
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least monthly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-7(1)
-                - 
-                  name:  sort-id
-                  value: si-07.01
-              parts: 
-                - 
-                  id:    si-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system performs an integrity check of {{ si-7.1_prm_1 }}
-                                        {{ si-7.1_prm_2 }}.
-                    """
-                - 
-                  id:    si-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Security-relevant events include, for example, the identification of a new threat
-                                        to which organizational information systems are susceptible, and the installation
-                                        of new hardware, software, or firmware. Transitional states include, for example,
-                                        system startup, restart, shutdown, and abort.
-                    """
-                - 
-                  id:    si-7.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         si-7.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(1)[1]
-                      prose:      the organization defines:
-                      parts: 
-                        - 
-                          id:         si-7.1_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[1][a]
-                          prose:      software requiring integrity checks to be performed;
-                        - 
-                          id:         si-7.1_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[1][b]
-                          prose:      firmware requiring integrity checks to be performed;
-                        - 
-                          id:         si-7.1_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[1][c]
-                          prose:      information requiring integrity checks to be performed;
-                    - 
-                      id:         si-7.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(1)[2]
-                      prose: 
-                        """
-                          the organization defines transitional states or security-relevant events
-                                               requiring integrity checks of organization-defined:
-                        """
-                      parts: 
-                        - 
-                          id:         si-7.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[2][a]
-                          prose:      software;
-                        - 
-                          id:         si-7.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[2][b]
-                          prose:      firmware;
-                        - 
-                          id:         si-7.1_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[2][c]
-                          prose:      information;
-                    - 
-                      id:         si-7.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(1)[3]
-                      prose: 
-                        """
-                          the organization defines a frequency with which to perform an integrity check
-                                               of organization-defined:
-                        """
-                      parts: 
-                        - 
-                          id:         si-7.1_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[3][a]
-                          prose:      software;
-                        - 
-                          id:         si-7.1_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[3][b]
-                          prose:      firmware;
-                        - 
-                          id:         si-7.1_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[3][c]
-                          prose:      information;
-                    - 
-                      id:         si-7.1_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-7(1)[4]
-                      prose: 
-                        """
-                          the information system performs an integrity check of organization-defined
-                                               software, firmware, and information one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-7.1_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[4][a]
-                          prose:      at startup;
-                        - 
-                          id:         si-7.1_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[4][b]
-                          prose: 
-                            """
-                              at organization-defined transitional states or security-relevant events;
-                                                      and/or
-                            """
-                        - 
-                          id:         si-7.1_obj.4.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[4][c]
-                          prose:      with the organization-defined frequency.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for software, firmware, and/or
-                                               information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Software, firmware, and information integrity verification tools
-            - 
-              id:         si-7.2
-              class:      SP800-53-enhancement
-              title:      Automated Notifications of Integrity Violations
-              parameters: 
-                - 
-                  id:    si-7.2_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: SI-7(2)
-                - 
-                  name:  sort-id
-                  value: si-07.02
-              parts: 
-                - 
-                  id:    si-7.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated tools that provide notification to {{ si-7.2_prm_1 }} upon discovering discrepancies during integrity
-                                        verification.
-                    """
-                - 
-                  id:    si-7.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The use of automated tools to report integrity violations and to notify
-                                        organizational personnel in a timely matter is an essential precursor to effective
-                                        risk response. Personnel having an interest in integrity violations include, for
-                                        example, mission/business owners, information system owners, systems
-                                        administrators, software developers, systems integrators, and information security
-                                        officers.
-                    """
-                - 
-                  id:    si-7.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-7.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(2)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom notification is to be provided upon
-                                               discovering discrepancies during integrity verification; and
-                        """
-                    - 
-                      id:         si-7.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-7(2)[2]
-                      prose: 
-                        """
-                          employs automated tools that provide notification to organization-defined
-                                               personnel or roles upon discovering discrepancies during integrity
-                                               verification.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity
-                                               discrepancies\n\nalerts/notifications provided upon discovering discrepancies during integrity
-                                               verifications\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for software, firmware, and/or
-                                               information integrity\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Software, firmware, and information integrity verification tools\n\nautomated mechanisms providing integrity discrepancy notifications
-            - 
-              id:         si-7.5
-              class:      SP800-53-enhancement
-              title:      Automated Response to Integrity Violations
-              parameters: 
-                - 
-                  id: si-7.5_prm_1
-                - 
-                  id:         si-7.5_prm_2
-                  depends-on: si-7.5_prm_1
-                  label:      organization-defined security safeguards
-              properties: 
-                - 
-                  name:  label
-                  value: SI-7(5)
-                - 
-                  name:  sort-id
-                  value: si-07.05
-              parts: 
-                - 
-                  id:    si-7.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system automatically {{ si-7.5_prm_1 }} when
-                                        integrity violations are discovered.
-                    """
-                - 
-                  id:    si-7.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may define different integrity checking and anomaly responses: (i)
-                                        by type of information (e.g., firmware, software, user data); (ii) by specific
-                                        information (e.g., boot firmware, boot firmware for a specific types of machines);
-                                        or (iii) a combination of both. Automatic implementation of specific safeguards
-                                        within organizational information systems includes, for example, reversing the
-                                        changes, halting the information system, or triggering audit alerts when
-                                        unauthorized modifications to critical security files occur.
-                    """
-                - 
-                  id:    si-7.5_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         si-7.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(5)[1]
-                      prose: 
-                        """
-                          the organization defines security safeguards to be implemented when integrity
-                                               violations are discovered;
-                        """
-                    - 
-                      id:         si-7.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-7(5)[2]
-                      prose: 
-                        """
-                          the information system automatically performs one or more of the following
-                                               actions when integrity violations are discovered:
-                        """
-                      parts: 
-                        - 
-                          id:         si-7.5_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(5)[2][a]
-                          prose:      shuts the information system down;
-                        - 
-                          id:         si-7.5_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(5)[2][b]
-                          prose:      restarts the information system; and/or
-                        - 
-                          id:         si-7.5_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(5)[2][c]
-                          prose:      implements the organization-defined security safeguards.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\ninformation audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for software, firmware, and/or
-                                               information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Software, firmware, and information integrity verification tools\n\nautomated mechanisms providing an automated response to integrity
-                                               violations\n\nautomated mechanisms supporting and/or implementing security safeguards to be
-                                               implemented when integrity violations are discovered
-                        """
-            - 
-              id:         si-7.7
-              class:      SP800-53-enhancement
-              title:      Integration of Detection and Response
-              parameters: 
-                - 
-                  id:    si-7.7_prm_1
-                  label: 
-                    """
-                      organization-defined security-relevant changes to the information
-                                        system
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: SI-7(7)
-                - 
-                  name:  sort-id
-                  value: si-07.07
-              parts: 
-                - 
-                  id:    si-7.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization incorporates the detection of unauthorized {{ si-7.7_prm_1 }} into the organizational incident response
-                                        capability.
-                    """
-                - 
-                  id:    si-7.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement helps to ensure that detected events are tracked,
-                                        monitored, corrected, and available for historical purposes. Maintaining
-                                        historical records is important both for being able to identify and discern
-                                        adversary actions over an extended period of time and for possible legal actions.
-                                        Security-relevant changes include, for example, unauthorized changes to
-                                        established configuration settings or unauthorized elevation of information system
-                                        privileges.
-                    """
-                  links: 
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                    - 
-                      href: #ir-5
-                      rel:  related
-                      text: IR-5
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                - 
-                  id:    si-7.7_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-7.7_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(7)[1]
-                      prose: 
-                        """
-                          defines unauthorized security-relevant changes to the information system;
-                                               and
-                        """
-                    - 
-                      id:         si-7.7_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-7(7)[2]
-                      prose: 
-                        """
-                          incorporates the detection of unauthorized organization-defined
-                                               security-relevant changes to the information system into the organizational
-                                               incident response capability.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response records\n\ninformation audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for software, firmware, and/or
-                                               information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for incorporating detection of unauthorized
-                                               security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nautomated mechanisms supporting and/or implementing incorporation of detection
-                                               of unauthorized security-relevant changes into the incident response
-                                               capability
-                        """
-            - 
-              id:         si-7.14
-              class:      SP800-53-enhancement
-              title:      Binary or Machine Executable Code
-              properties: 
-                - 
-                  name:  label
-                  value: SI-7(14)
-                - 
-                  name:  sort-id
-                  value: si-07.14
-              parts: 
-                - 
-                  id:    si-7.14_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         si-7.14_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Prohibits the use of binary or machine-executable code from sources with
-                                               limited or no warranty and without the provision of source code; and
-                        """
-                    - 
-                      id:         si-7.14_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Provides exceptions to the source code requirement only for compelling
-                                               mission/operational requirements and with the approval of the authorizing
-                                               official.
-                        """
-                - 
-                  id:    si-7.14_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to all sources of binary or machine-executable
-                                        code including, for example, commercial software/firmware and open source
-                                        software. Organizations assess software products without accompanying source code
-                                        from sources with limited or no warranty for potential security impacts. The
-                                        assessments address the fact that these types of software products may be very
-                                        difficult to review, repair, or extend, given that organizations, in most cases,
-                                        do not have access to the original source code, and there may be no owners who
-                                        could make such repairs on behalf of organizations.
-                    """
-                  links: 
-                    - 
-                      href: #sa-5
-                      rel:  related
-                      text: SA-5
-                - 
-                  id:    si-7.14_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-7.14.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-7(14)(a)
-                      parts: 
-                        - 
-                          id:         si-7.14.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-7(14)(a)[1]
-                          prose: 
-                            """
-                              prohibits the use of binary or machine-executable code from sources with
-                                                      limited or no warranty;
-                            """
-                        - 
-                          id:         si-7.14.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-7(14)(a)[2]
-                          prose: 
-                            """
-                              prohibits the use of binary or machine-executable code without the provision
-                                                      of source code;
-                            """
-                      links: 
-                        - 
-                          href: #si-7.14_smt.a
-                          rel:  corresp
-                          text: SI-7(14)(a)
-                    - 
-                      id:         si-7.14.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-7(14)(b)
-                      parts: 
-                        - 
-                          id:         si-7.14.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-7(14)(b)[1]
-                          prose: 
-                            """
-                              provides exceptions to the source code requirement only for compelling
-                                                      mission/operational requirements; and
-                            """
-                        - 
-                          id:         si-7.14.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-7(14)(b)[2]
-                          prose: 
-                            """
-                              provides exceptions to the source code requirement only with the approval of
-                                                      the authorizing official.
-                            """
-                      links: 
-                        - 
-                          href: #si-7.14_smt.b
-                          rel:  corresp
-                          text: SI-7(14)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\napproval records for execution of binary and machine-executable code\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for software, firmware, and/or
-                                               information integrity\n\norganizational personnel with information security responsibilities\n\nauthorizing official\n\nsystem/network administrators\n\nsystem developer
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing prohibition of the
-                                               execution of binary or machine-executable code
-                        """
-        - 
-          id:         si-8
-          class:      SP800-53
-          title:      Spam Protection
-          properties: 
-            - 
-              name:  label
-              value: SI-8
-            - 
-              name:  sort-id
-              value: si-08
-          links: 
-            - 
-              href: #c6e95ca0-5828-420e-b095-00895b72b5e8
-              rel:  reference
-              text: NIST Special Publication 800-45
-          parts: 
-            - 
-              id:    si-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs spam protection mechanisms at information system entry and exit points to
-                                        detect and take action on unsolicited messages; and
-                    """
-                - 
-                  id:         si-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates spam protection mechanisms when new releases are available in accordance
-                                        with organizational configuration management policy and procedures.
-                    """
-            - 
-              id:    si-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system entry and exit points include, for example, firewalls, electronic
-                                 mail servers, web servers, proxy servers, remote-access servers, workstations, mobile
-                                 devices, and notebook/laptop computers. Spam can be transported by different means
-                                 including, for example, electronic mail, electronic mail attachments, and web
-                                 accesses. Spam protection mechanisms include, for example, signature definitions.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-            - 
-              id:    si-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SI-8(a)
-                  prose:      employs spam protection mechanisms:
-                  parts: 
-                    - 
-                      id:         si-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-8(a)[1]
-                      prose:      at information system entry points to detect unsolicited messages;
-                    - 
-                      id:         si-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-8(a)[2]
-                      prose:      at information system entry points to take action on unsolicited messages;
-                    - 
-                      id:         si-8.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-8(a)[3]
-                      prose:      at information system exit points to detect unsolicited messages;
-                    - 
-                      id:         si-8.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-8(a)[4]
-                      prose: 
-                        """
-                          at information system exit points to take action on unsolicited messages;
-                                               and
-                        """
-                - 
-                  id:         si-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-8(b)
-                  prose: 
-                    """
-                      updates spam protection mechanisms when new releases are available in accordance
-                                        with organizational configuration management policy and procedures.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nconfiguration management policy and procedures (CM-1)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for implementing spam protection\n\nautomated mechanisms supporting and/or implementing spam protection
-          controls: 
-            - 
-              id:         si-8.1
-              class:      SP800-53-enhancement
-              title:      Central Management
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-8(1)
-                - 
-                  name:  sort-id
-                  value: si-08.01
-              parts: 
-                - 
-                  id:    si-8.1_smt
-                  name:  statement
-                  prose: The organization centrally manages spam protection mechanisms.
-                - 
-                  id:    si-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Central management is the organization-wide management and implementation of spam
-                                        protection mechanisms. Central management includes planning, implementing,
-                                        assessing, authorizing, and monitoring the organization-defined, centrally managed
-                                        spam protection security controls.
-                    """
-                  links: 
-                    - 
-                      href: #au-3
-                      rel:  related
-                      text: AU-3
-                    - 
-                      href: #si-2
-                      rel:  related
-                      text: SI-2
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:         si-8.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose:      Determine if the organization centrally manages spam protection mechanisms.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for central management of spam protection\n\nautomated mechanisms supporting and/or implementing central management of spam
-                                               protection
-                        """
-            - 
-              id:         si-8.2
-              class:      SP800-53-enhancement
-              title:      Automatic Updates
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-8(2)
-                - 
-                  name:  sort-id
-                  value: si-08.02
-              parts: 
-                - 
-                  id:    si-8.2_smt
-                  name:  statement
-                  prose: The information system automatically updates spam protection mechanisms.
-                - 
-                  id:         si-8.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system automatically updates spam protection
-                                        mechanisms.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for spam protection\n\nautomated mechanisms supporting and/or implementing automatic updates to spam
-                                               protection mechanisms
-                        """
-        - 
-          id:         si-10
-          class:      SP800-53
-          title:      Information Input Validation
-          parameters: 
-            - 
-              id:    si-10_prm_1
-              label: organization-defined information inputs
-          properties: 
-            - 
-              name:  label
-              value: SI-10
-            - 
-              name:  sort-id
-              value: si-10
-          parts: 
-            - 
-              id:    si-10_smt
-              name:  statement
-              prose: The information system checks the validity of {{ si-10_prm_1 }}.
-            - 
-              id:    si-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Checking the valid syntax and semantics of information system inputs (e.g., character
-                                 set, length, numerical range, and acceptable values) verifies that inputs match
-                                 specified definitions for format and content. Software applications typically follow
-                                 well-defined protocols that use structured messages (i.e., commands or queries) to
-                                 communicate between software modules or system components. Structured messages can
-                                 contain raw or unstructured data interspersed with metadata or control information.
-                                 If software applications use attacker-supplied inputs to construct structured
-                                 messages without properly encoding such messages, then the attacker could insert
-                                 malicious commands or special characters that can cause the data to be interpreted as
-                                 control information or metadata. Consequently, the module or component that receives
-                                 the tainted output will perform the wrong operations or otherwise interpret the data
-                                 incorrectly. Prescreening inputs prior to passing to interpreters prevents the
-                                 content from being unintentionally interpreted as commands. Input validation helps to
-                                 ensure accurate and correct inputs and prevent attacks such as cross-site scripting
-                                 and a variety of injection attacks.
-                """
-            - 
-              id:    si-10_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SI-10[1]
-                  prose:      the organization defines information inputs requiring validity checks; and
-                - 
-                  id:         si-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-10[2]
-                  prose: 
-                    """
-                      the information system checks the validity of organization-defined information
-                                        inputs.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify validity of
-                                        information\n\nlist of information inputs requiring validity checks\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing validity checks on information
-                                        inputs
-                    """
-        - 
-          id:         si-11
-          class:      SP800-53
-          title:      Error Handling
-          parameters: 
-            - 
-              id:    si-11_prm_1
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: SI-11
-            - 
-              name:  sort-id
-              value: si-11
-          parts: 
-            - 
-              id:    si-11_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         si-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Generates error messages that provide information necessary for corrective actions
-                                        without revealing information that could be exploited by adversaries; and
-                    """
-                - 
-                  id:         si-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reveals error messages only to {{ si-11_prm_1 }}.
-            - 
-              id:    si-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations carefully consider the structure/content of error messages. The extent
-                                 to which information systems are able to identify and handle error conditions is
-                                 guided by organizational policy and operational requirements. Information that could
-                                 be exploited by adversaries includes, for example, erroneous logon attempts with
-                                 passwords entered by mistake as the username, mission/business information that can
-                                 be derived from (if not stated explicitly by) information recorded, and personal
-                                 information such as account numbers, social security numbers, and credit card
-                                 numbers. In addition, error messages may provide a covert channel for transmitting
-                                 information.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #sc-31
-                  rel:  related
-                  text: SC-31
-            - 
-              id:    si-11_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-11(a)
-                  prose: 
-                    """
-                      the information system generates error messages that provide information necessary
-                                        for corrective actions without revealing information that could be exploited by
-                                        adversaries;
-                    """
-                - 
-                  id:         si-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-11(b)
-                  parts: 
-                    - 
-                      id:         si-11.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-11(b)[1]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to whom error messages are to be
-                                               revealed; and
-                        """
-                    - 
-                      id:         si-11.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-11(b)[2]
-                      prose: 
-                        """
-                          the information system reveals error messages only to organization-defined
-                                               personnel or roles.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nprocedures addressing information system error handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing structure/content of error messages\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for error handling\n\nautomated mechanisms supporting and/or implementing error handling\n\nautomated mechanisms supporting and/or implementing management of error
-                                        messages
-                    """
-        - 
-          id:         si-12
-          class:      SP800-53
-          title:      Information Handling and Retention
-          properties: 
-            - 
-              name:  label
-              value: SI-12
-            - 
-              name:  sort-id
-              value: si-12
-          parts: 
-            - 
-              id:    si-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization handles and retains information within the information system and
-                                 information output from the system in accordance with applicable federal laws,
-                                 Executive Orders, directives, policies, regulations, standards, and operational
-                                 requirements.
-                """
-            - 
-              id:    si-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information handling and retention requirements cover the full life cycle of
-                                 information, in some cases extending beyond the disposal of information systems. The
-                                 National Archives and Records Administration provides guidance on records
-                                 retention.
-                """
-              links: 
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-11
-                  rel:  related
-                  text: AU-11
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-            - 
-              id:    si-12_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization, in accordance with applicable federal laws, Executive
-                                 Orders, directives, policies, regulations, standards, and operational
-                                 requirements:
-                """
-              parts: 
-                - 
-                  id:         si-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-12[1]
-                  prose:      handles information within the information system;
-                - 
-                  id:         si-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[2]
-                  prose:      handles output from the information system;
-                - 
-                  id:         si-12_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[3]
-                  prose:      retains information within the information system; and
-                - 
-                  id:         si-12_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[4]
-                  prose:      retains output from the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for information handling and
-                                        retention\n\norganizational personnel with information security responsibilities/network
-                                        administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information handling and retention\n\nautomated mechanisms supporting and/or implementing information handling and
-                                        retention
-                    """
-        - 
-          id:         si-16
-          class:      SP800-53
-          title:      Memory Protection
-          parameters: 
-            - 
-              id:    si-16_prm_1
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SI-16
-            - 
-              name:  sort-id
-              value: si-16
-          parts: 
-            - 
-              id:    si-16_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements {{ si-16_prm_1 }} to protect its
-                                 memory from unauthorized code execution.
-                """
-            - 
-              id:    si-16_gdn
-              name:  guidance
-              prose: 
-                """
-                  Some adversaries launch attacks with the intent of executing code in non-executable
-                                 regions of memory or in memory locations that are prohibited. Security safeguards
-                                 employed to protect memory include, for example, data execution prevention and
-                                 address space layout randomization. Data execution prevention safeguards can either
-                                 be hardware-enforced or software-enforced with hardware providing the greater
-                                 strength of mechanism.
-                """
-              links: 
-                - 
-                  href: #ac-25
-                  rel:  related
-                  text: AC-25
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:    si-16_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-16_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SI-16[1]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be implemented to protect
-                                        information system memory from unauthorized code execution; and
-                    """
-                - 
-                  id:         si-16_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-16[2]
-                  prose: 
-                    """
-                      the information system implements organization-defined security safeguards to
-                                        protect its memory from unauthorized code execution.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing memory protection for the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of security safeguards protecting information system memory from unauthorized
-                                        code execution\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing safeguards to protect
-                                        information system memory from unauthorized code execution
-                    """
-  back-matter: 
-    resources: 
-      - 
-        uuid:     0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-        title:    5 C.F.R. 731.106
-        citation: 
-          text: 
-            """
-              Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-                             Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-                             731.106).
-            """
-        rlinks: 
-          - 
-            href: http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html
-      - 
-        uuid:     bb61234b-46c3-4211-8c2b-9869222a720d
-        title:    C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-        citation: 
-          text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-        rlinks: 
-          - 
-            href: http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html
-      - 
-        uuid:     a4aa9645-9a8a-4b51-90a9-e223250f9a75
-        title:    CNSS Policy 15
-        citation: 
-          text: CNSS Policy 15
-        rlinks: 
-          - 
-            href: https://www.cnss.gov/policies.html
-      - 
-        uuid:     2d8b14e9-c8b5-4d3d-8bdc-155078f3281b
-        title:    DoD Information Assurance Vulnerability Alerts
-        citation: 
-          text: DoD Information Assurance Vulnerability Alerts
-      - 
-        uuid:     61081e7f-041d-4033-96a7-44a439071683
-        title:    DoD Instruction 5200.39
-        citation: 
-          text: DoD Instruction 5200.39
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     e42b2099-3e1c-415b-952c-61c96533c12e
-        title:    DoD Instruction 8551.01
-        citation: 
-          text: DoD Instruction 8551.01
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     e6522953-6714-435d-a0d3-140df554c186
-        title:    DoD Instruction 8552.01
-        citation: 
-          text: DoD Instruction 8552.01
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-        title:    Executive Order 13587
-        citation: 
-          text: Executive Order 13587
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net
-      - 
-        uuid:     56d671da-6b7b-4abf-8296-84b61980390a
-        title:    Federal Acquisition Regulation
-        citation: 
-          text: Federal Acquisition Regulation
-        rlinks: 
-          - 
-            href: https://acquisition.gov/far
-      - 
-        uuid:     023104bc-6f75-4cd5-b7d0-fc92326f8007
-        title:    Federal Continuity Directive 1
-        citation: 
-          text: Federal Continuity Directive 1
-        rlinks: 
-          - 
-            href: http://www.fema.gov/pdf/about/offices/fcd1.pdf
-      - 
-        uuid:     ba557c91-ba3e-4792-adc6-a4ae479b39ff
-        title:    FICAM Roadmap and Implementation Guidance
-        citation: 
-          text: FICAM Roadmap and Implementation Guidance
-        rlinks: 
-          - 
-            href: http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance
-      - 
-        uuid:     39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-        title:    FIPS Publication 140
-        citation: 
-          text: FIPS Publication 140
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html
-      - 
-        uuid:     d715b234-9b5b-4e07-b1ed-99836727664d
-        title:    FIPS Publication 140-2
-        citation: 
-          text: FIPS Publication 140-2
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#140-2
-      - 
-        uuid:     f2dbd4ec-c413-4714-b85b-6b7184d1c195
-        title:    FIPS Publication 197
-        citation: 
-          text: FIPS Publication 197
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#197
-      - 
-        uuid:     e85cdb3f-7f0a-4083-8639-f13f70d3760b
-        title:    FIPS Publication 199
-        citation: 
-          text: FIPS Publication 199
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#199
-      - 
-        uuid:     c80c10b3-1294-4984-a4cc-d1733ca432b9
-        title:    FIPS Publication 201
-        citation: 
-          text: FIPS Publication 201
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#201
-      - 
-        uuid:     ad733a42-a7ed-4774-b988-4930c28852f3
-        title:    HSPD-12
-        citation: 
-          text: HSPD-12
-        rlinks: 
-          - 
-            href: http://www.dhs.gov/homeland-security-presidential-directive-12
-      - 
-        uuid:     4ef539ba-b767-4666-b0d3-168c53005fa3
-        title:    http://capec.mitre.org
-        citation: 
-          text: http://capec.mitre.org
-        rlinks: 
-          - 
-            href: http://capec.mitre.org
-      - 
-        uuid:     e95dd121-2733-413e-bf1e-f1eb49f20a98
-        title:    http://checklists.nist.gov
-        citation: 
-          text: http://checklists.nist.gov
-        rlinks: 
-          - 
-            href: http://checklists.nist.gov
-      - 
-        uuid:     6a1041fc-054e-4230-946b-2e6f4f3731bb
-        title:    http://csrc.nist.gov/cryptval
-        citation: 
-          text: http://csrc.nist.gov/cryptval
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/cryptval
-      - 
-        uuid:     b09d1a31-d3c9-4138-a4f4-4c63816afd7d
-        title:    http://csrc.nist.gov/groups/STM/cmvp/index.html
-        citation: 
-          text: http://csrc.nist.gov/groups/STM/cmvp/index.html
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/groups/STM/cmvp/index.html
-      - 
-        uuid:     0931209f-00ae-4132-b92c-bc645847e8f9
-        title:    http://cve.mitre.org
-        citation: 
-          text: http://cve.mitre.org
-        rlinks: 
-          - 
-            href: http://cve.mitre.org
-      - 
-        uuid:     15522e92-9192-463d-9646-6a01982db8ca
-        title:    http://cwe.mitre.org
-        citation: 
-          text: http://cwe.mitre.org
-        rlinks: 
-          - 
-            href: http://cwe.mitre.org
-      - 
-        uuid:     5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-        title:    http://fips201ep.cio.gov
-        citation: 
-          text: http://fips201ep.cio.gov
-        rlinks: 
-          - 
-            href: http://fips201ep.cio.gov
-      - 
-        uuid:     85280698-0417-489d-b214-12bb935fb939
-        title:    http://idmanagement.gov
-        citation: 
-          text: http://idmanagement.gov
-        rlinks: 
-          - 
-            href: http://idmanagement.gov
-      - 
-        uuid:     275cc052-0f7f-423c-bdb6-ed503dc36228
-        title:    http://nvd.nist.gov
-        citation: 
-          text: http://nvd.nist.gov
-        rlinks: 
-          - 
-            href: http://nvd.nist.gov
-      - 
-        uuid:     bbd50dd1-54ce-4432-959d-63ea564b1bb4
-        title:    http://www.acquisition.gov/far
-        citation: 
-          text: http://www.acquisition.gov/far
-        rlinks: 
-          - 
-            href: http://www.acquisition.gov/far
-      - 
-        uuid:     9b97ed27-3dd6-4f9a-ade5-1b43e9669794
-        title:    http://www.cnss.gov
-        citation: 
-          text: http://www.cnss.gov
-        rlinks: 
-          - 
-            href: http://www.cnss.gov
-      - 
-        uuid:     3ac12e79-f54f-4a63-9f4b-ee4bcd4df604
-        title:    http://www.dhs.gov/telecommunications-service-priority-tsp
-        citation: 
-          text: http://www.dhs.gov/telecommunications-service-priority-tsp
-        rlinks: 
-          - 
-            href: http://www.dhs.gov/telecommunications-service-priority-tsp
-      - 
-        uuid:     c95a9986-3cd6-4a98-931b-ccfc56cb11e5
-        title:    http://www.niap-ccevs.org
-        citation: 
-          text: http://www.niap-ccevs.org
-        rlinks: 
-          - 
-            href: http://www.niap-ccevs.org
-      - 
-        uuid:     647b6de3-81d0-4d22-bec1-5f1333e34380
-        title:    http://www.nsa.gov
-        citation: 
-          text: http://www.nsa.gov
-        rlinks: 
-          - 
-            href: http://www.nsa.gov
-      - 
-        uuid:     a47466c4-c837-4f06-a39f-e68412a5f73d
-        title:    http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-        citation: 
-          text: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-        rlinks: 
-          - 
-            href: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-      - 
-        uuid:     02631467-668b-4233-989b-3dfded2fd184
-        title:    http://www.us-cert.gov
-        citation: 
-          text: http://www.us-cert.gov
-        rlinks: 
-          - 
-            href: http://www.us-cert.gov
-      - 
-        uuid:     6caa237b-531b-43ac-9711-d8f6b97b0377
-        title:    ICD 704
-        citation: 
-          text: ICD 704
-        rlinks: 
-          - 
-            href: http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
-      - 
-        uuid:     398e33fd-f404-4e5c-b90e-2d50d3181244
-        title:    ICD 705
-        citation: 
-          text: ICD 705
-        rlinks: 
-          - 
-            href: http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
-      - 
-        uuid:     1737a687-52fb-4008-b900-cbfa836f7b65
-        title:    ISO/IEC 15408
-        citation: 
-          text: ISO/IEC 15408
-        rlinks: 
-          - 
-            href: http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341
-      - 
-        uuid:     fb5844de-ff96-47c0-b258-4f52bcc2f30d
-        title:    National Communications Systems Directive 3-10
-        citation: 
-          text: National Communications Systems Directive 3-10
-      - 
-        uuid:     654f21e2-f3bc-43b2-abdc-60ab8d09744b
-        title:    National Strategy for Trusted Identities in Cyberspace
-        citation: 
-          text: National Strategy for Trusted Identities in Cyberspace
-        rlinks: 
-          - 
-            href: http://www.nist.gov/nstic
-      - 
-        uuid:     bdd2f49e-edf7-491f-a178-4487898228f3
-        title:    NIST Interagency Report 7622
-        citation: 
-          text: NIST Interagency Report 7622
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7622
-      - 
-        uuid:         9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-        title:        NIST Special Publication 800-100
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-100
-        citation: 
-          text: NIST Special Publication 800-100
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-100
-      - 
-        uuid:         3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-        title:        NIST Special Publication 800-111
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-111
-        citation: 
-          text: NIST Special Publication 800-111
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-111
-      - 
-        uuid:         349fe082-502d-464a-aa0c-1443c6a5cf40
-        title:        NIST Special Publication 800-113
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-113
-        citation: 
-          text: NIST Special Publication 800-113
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-113
-      - 
-        uuid:         1201fcf3-afb1-4675-915a-fb4ae0435717
-        title:        NIST Special Publication 800-114 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-114r1
-        citation: 
-          text: NIST Special Publication 800-114 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-114r1
-      - 
-        uuid:         c4691b88-57d1-463b-9053-2d0087913f31
-        title:        NIST Special Publication 800-115
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-115
-        citation: 
-          text: NIST Special Publication 800-115
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-115
-      - 
-        uuid:         2157bb7e-192c-4eaa-877f-93ef6b0a3292
-        title:        NIST Special Publication 800-116 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-116r1
-        citation: 
-          text: NIST Special Publication 800-116 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-116r1
-      - 
-        uuid:         5c201b63-0768-417b-ac22-3f014e3941b2
-        title:        NIST Special Publication 800-12 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-12r1
-        citation: 
-          text: NIST Special Publication 800-12 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-12r1
-      - 
-        uuid:     d1a4e2a9-e512-4132-8795-5357aba29254
-        title:    NIST Special Publication 800-121
-        citation: 
-          text: NIST Special Publication 800-121
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-121
-      - 
-        uuid:     0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589
-        title:    NIST Special Publication 800-124
-        citation: 
-          text: NIST Special Publication 800-124
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-124
-      - 
-        uuid:     080f8068-5e3e-435e-9790-d22ba4722693
-        title:    NIST Special Publication 800-128
-        citation: 
-          text: NIST Special Publication 800-128
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-128
-      - 
-        uuid:     cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-        title:    NIST Special Publication 800-137
-        citation: 
-          text: NIST Special Publication 800-137
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-137
-      - 
-        uuid:     6bf8d24a-78dc-4727-a2ac-0e64d71c495c
-        title:    NIST Special Publication 800-147
-        citation: 
-          text: NIST Special Publication 800-147
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-147
-      - 
-        uuid:     3878cc04-144a-483e-af62-8fe6f4ad6c7a
-        title:    NIST Special Publication 800-155
-        citation: 
-          text: NIST Special Publication 800-155
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-155
-      - 
-        uuid:     825438c3-248d-4e30-a51e-246473ce6ada
-        title:    NIST Special Publication 800-16
-        citation: 
-          text: NIST Special Publication 800-16
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-16
-      - 
-        uuid:     8ab6bcdc-339b-4068-b45e-994814a6e187
-        title:    NIST Special Publication 800-161
-        citation: 
-          text: NIST Special Publication 800-161
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-161
-      - 
-        uuid:     6513e480-fada-4876-abba-1397084dfb26
-        title:    NIST Special Publication 800-164
-        citation: 
-          text: NIST Special Publication 800-164
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-164
-      - 
-        uuid:     9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-        title:    NIST Special Publication 800-18
-        citation: 
-          text: NIST Special Publication 800-18
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-18
-      - 
-        uuid:     0a5db899-f033-467f-8631-f5a8ba971475
-        title:    NIST Special Publication 800-23
-        citation: 
-          text: NIST Special Publication 800-23
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-23
-      - 
-        uuid:     21b1ed35-56d2-40a8-bdfe-b461fffe322f
-        title:    NIST Special Publication 800-27
-        citation: 
-          text: NIST Special Publication 800-27
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-27
-      - 
-        uuid:     e716cd51-d1d5-4c6a-967a-22e9fbbc42f1
-        title:    NIST Special Publication 800-28
-        citation: 
-          text: NIST Special Publication 800-28
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-28
-      - 
-        uuid:     a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-        title:    NIST Special Publication 800-30
-        citation: 
-          text: NIST Special Publication 800-30
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-30
-      - 
-        uuid:     8f174e91-844e-4cf1-a72a-45c119a3a8dd
-        title:    NIST Special Publication 800-32
-        citation: 
-          text: NIST Special Publication 800-32
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-32
-      - 
-        uuid:     748a81b9-9cad-463f-abde-8b368167e70d
-        title:    NIST Special Publication 800-34
-        citation: 
-          text: NIST Special Publication 800-34
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-34
-      - 
-        uuid:     0c775bc3-bfc3-42c7-a382-88949f503171
-        title:    NIST Special Publication 800-35
-        citation: 
-          text: NIST Special Publication 800-35
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-35
-      - 
-        uuid:     d818efd3-db31-4953-8afa-9e76afe83ce2
-        title:    NIST Special Publication 800-36
-        citation: 
-          text: NIST Special Publication 800-36
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-36
-      - 
-        uuid:     0a0c26b6-fd44-4274-8b36-93442d49d998
-        title:    NIST Special Publication 800-37
-        citation: 
-          text: NIST Special Publication 800-37
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-37
-      - 
-        uuid:     d480aa6a-7a88-424e-a10c-ad1c7870354b
-        title:    NIST Special Publication 800-39
-        citation: 
-          text: NIST Special Publication 800-39
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-39
-      - 
-        uuid:     bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-        title:    NIST Special Publication 800-40
-        citation: 
-          text: NIST Special Publication 800-40
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-40
-      - 
-        uuid:     756a8e86-57d5-4701-8382-f7a40439665a
-        title:    NIST Special Publication 800-41
-        citation: 
-          text: NIST Special Publication 800-41
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-41
-      - 
-        uuid:     c6e95ca0-5828-420e-b095-00895b72b5e8
-        title:    NIST Special Publication 800-45
-        citation: 
-          text: NIST Special Publication 800-45
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-45
-      - 
-        uuid:     5309d4d0-46f8-4213-a749-e7584164e5e8
-        title:    NIST Special Publication 800-46
-        citation: 
-          text: NIST Special Publication 800-46
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-46
-      - 
-        uuid:     2711f068-734e-4afd-94ba-0b22247fbc88
-        title:    NIST Special Publication 800-47
-        citation: 
-          text: NIST Special Publication 800-47
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-47
-      - 
-        uuid:     238ed479-eccb-49f6-82ec-ab74a7a428cf
-        title:    NIST Special Publication 800-48
-        citation: 
-          text: NIST Special Publication 800-48
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-48
-      - 
-        uuid:     e12b5738-de74-4fb3-8317-a3995a8a1898
-        title:    NIST Special Publication 800-50
-        citation: 
-          text: NIST Special Publication 800-50
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-50
-      - 
-        uuid:     90c5bc98-f9c4-44c9-98b7-787422f0999c
-        title:    NIST Special Publication 800-52
-        citation: 
-          text: NIST Special Publication 800-52
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-52
-      - 
-        uuid:     cd4cf751-3312-4a55-b1a9-fad2f1db9119
-        title:    NIST Special Publication 800-53A
-        citation: 
-          text: NIST Special Publication 800-53A
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-53A
-      - 
-        uuid:     81f09e01-d0b0-4ae2-aa6a-064ed9950070
-        title:    NIST Special Publication 800-56
-        citation: 
-          text: NIST Special Publication 800-56
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-56
-      - 
-        uuid:     a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-        title:    NIST Special Publication 800-57
-        citation: 
-          text: NIST Special Publication 800-57
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-57
-      - 
-        uuid:     7783f3e7-09b3-478b-9aa2-4a76dfd0ea90
-        title:    NIST Special Publication 800-58
-        citation: 
-          text: NIST Special Publication 800-58
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-58
-      - 
-        uuid:     f152844f-b1ef-4836-8729-6277078ebee1
-        title:    NIST Special Publication 800-60
-        citation: 
-          text: NIST Special Publication 800-60
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-60
-      - 
-        uuid:     be95fb85-a53f-4624-bdbb-140075500aa3
-        title:    NIST Special Publication 800-61
-        citation: 
-          text: NIST Special Publication 800-61
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-61
-      - 
-        uuid:     644f44a9-a2de-4494-9c04-cd37fba45471
-        title:    NIST Special Publication 800-63
-        citation: 
-          text: NIST Special Publication 800-63
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-63
-      - 
-        uuid:     abd950ae-092f-4b7a-b374-1c7c67fe9350
-        title:    NIST Special Publication 800-64
-        citation: 
-          text: NIST Special Publication 800-64
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-64
-      - 
-        uuid:     29fcfe59-33cd-494a-8756-5907ae3a8f92
-        title:    NIST Special Publication 800-65
-        citation: 
-          text: NIST Special Publication 800-65
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-65
-      - 
-        uuid:     84a37532-6db6-477b-9ea8-f9085ebca0fc
-        title:    NIST Special Publication 800-70
-        citation: 
-          text: NIST Special Publication 800-70
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-70
-      - 
-        uuid:     ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-        title:    NIST Special Publication 800-73
-        citation: 
-          text: NIST Special Publication 800-73
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-73
-      - 
-        uuid:     2a71298a-ee90-490e-80ff-48c967173a47
-        title:    NIST Special Publication 800-76
-        citation: 
-          text: NIST Special Publication 800-76
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-76
-      - 
-        uuid:     99f331f2-a9f0-46c2-9856-a3cbb9b89442
-        title:    NIST Special Publication 800-77
-        citation: 
-          text: NIST Special Publication 800-77
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-77
-      - 
-        uuid:     2042d97b-f7f6-4c74-84f8-981867684659
-        title:    NIST Special Publication 800-78
-        citation: 
-          text: NIST Special Publication 800-78
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-78
-      - 
-        uuid:     6af1e841-672c-46c4-b121-96f603d04be3
-        title:    NIST Special Publication 800-81
-        citation: 
-          text: NIST Special Publication 800-81
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-81
-      - 
-        uuid:     6d431fee-658f-4a0e-9f2e-a38b5d398fab
-        title:    NIST Special Publication 800-83
-        citation: 
-          text: NIST Special Publication 800-83
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-83
-      - 
-        uuid:     0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-        title:    NIST Special Publication 800-84
-        citation: 
-          text: NIST Special Publication 800-84
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-84
-      - 
-        uuid:     263823e0-a971-4b00-959d-315b26278b22
-        title:    NIST Special Publication 800-88
-        citation: 
-          text: NIST Special Publication 800-88
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-88
-      - 
-        uuid:     672fd561-b92b-4713-b9cf-6c9d9456728b
-        title:    NIST Special Publication 800-92
-        citation: 
-          text: NIST Special Publication 800-92
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-92
-      - 
-        uuid:     d1b1d689-0f66-4474-9924-c81119758dc1
-        title:    NIST Special Publication 800-94
-        citation: 
-          text: NIST Special Publication 800-94
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-94
-      - 
-        uuid:     1ebdf782-d95d-4a7b-8ec7-ee860951eced
-        title:    NIST Special Publication 800-95
-        citation: 
-          text: NIST Special Publication 800-95
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-95
-      - 
-        uuid:     6f336ecd-f2a0-4c84-9699-0491d81b6e0d
-        title:    NIST Special Publication 800-97
-        citation: 
-          text: NIST Special Publication 800-97
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-97
-      - 
-        uuid:     06dff0ea-3848-4945-8d91-e955ee69f05d
-        title:    NSTISSI No. 7003
-        citation: 
-          text: NSTISSI No. 7003
-        rlinks: 
-          - 
-            href: http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf
-      - 
-        uuid:     9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab
-        title:    OMB Circular A-130
-        citation: 
-          text: OMB Circular A-130
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/omb/circulars_a130_a130trans4
-      - 
-        uuid:     2c5884cd-7b96-425c-862a-99877e1cf909
-        title:    OMB Memorandum 02-01
-        citation: 
-          text: OMB Memorandum 02-01
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/omb/memoranda_m02-01
-      - 
-        uuid:     ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-        title:    OMB Memorandum 04-04
-        citation: 
-          text: OMB Memorandum 04-04
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf
-      - 
-        uuid:     58ad6f27-af99-429f-86a8-8bb767b014b9
-        title:    OMB Memorandum 05-24
-        citation: 
-          text: OMB Memorandum 05-24
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf
-      - 
-        uuid:     4da24a96-6cf8-435d-9d1f-c73247cad109
-        title:    OMB Memorandum 06-16
-        citation: 
-          text: OMB Memorandum 06-16
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf
-      - 
-        uuid:     990268bf-f4a9-4c81-91ae-dc7d3115f4b1
-        title:    OMB Memorandum 07-11
-        citation: 
-          text: OMB Memorandum 07-11
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf
-      - 
-        uuid:     0b3d8ba9-051f-498d-81ea-97f0f018c612
-        title:    OMB Memorandum 07-18
-        citation: 
-          text: OMB Memorandum 07-18
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf
-      - 
-        uuid:     0916ef02-3618-411b-a525-565c088849a6
-        title:    OMB Memorandum 08-22
-        citation: 
-          text: OMB Memorandum 08-22
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf
-      - 
-        uuid:     28115a56-da6b-4d44-b1df-51dd7f048a3e
-        title:    OMB Memorandum 08-23
-        citation: 
-          text: OMB Memorandum 08-23
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf
-      - 
-        uuid:     599fe9ba-4750-4450-9eeb-b95bd19a5e8f
-        title:    OMB Memorandum 10-06-2011
-        citation: 
-          text: OMB Memorandum 10-06-2011
-      - 
-        uuid:     74e740a4-c45d-49f3-a86e-eb747c549e01
-        title:    OMB Memorandum 11-11
-        citation: 
-          text: OMB Memorandum 11-11
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf
-      - 
-        uuid:     bedb15b7-ec5c-4a68-807f-385125751fcd
-        title:    OMB Memorandum 11-33
-        citation: 
-          text: OMB Memorandum 11-33
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf
-      - 
-        uuid:     dd2f5acd-08f1-435a-9837-f8203088dc1a
-        title: 
-          """
-            Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-                        (E-PACS)
-          """
-        citation: 
-          text: 
-            """
-              Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-                             (E-PACS)
-            """
-      - 
-        uuid:     8ade2fbe-e468-4ca8-9a40-54d7f23c32bb
-        title:    US-CERT Technical Cyber Security Alerts
-        citation: 
-          text: US-CERT Technical Cyber Security Alerts
-        rlinks: 
-          - 
-            href: http://www.us-cert.gov/ncas/alerts
-      - 
-        uuid:       985475ee-d4d6-4581-8fdf-d84d3d8caa48
-        title:      FedRAMP Applicable Laws and Regulations
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-citations
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx
-      - 
-        uuid:       1a23a771-d481-4594-9a1a-71d584fa4123
-        title:      FedRAMP Master Acronym and Glossary
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-acronyms
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf
-      - 
-        uuid:       a2381e87-3d04-4108-a30b-b4d2f36d001f
-        desc:       FedRAMP Logo
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-logo
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png
-      - 
-        uuid:       ad005eae-cc63-4e64-9109-3905a9a825e4
-        title:      NIST Special Publication (SP) 800-53
-        properties: 
-          - 
-            name:  version
-            ns:    https://fedramp.gov/ns/oscal
-            value: Revision 4
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href:       https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml
-            media-type: application/xml
diff --git a/content/fedramp.gov/yaml/FedRAMP_HIGH-baseline_profile.yaml b/content/fedramp.gov/yaml/FedRAMP_HIGH-baseline_profile.yaml
deleted file mode 100644
index f6044af9a5..0000000000
--- a/content/fedramp.gov/yaml/FedRAMP_HIGH-baseline_profile.yaml
+++ /dev/null
@@ -1,25999 +0,0 @@
-profile: 
-  uuid:        b11dba1c-0c68-4724-9eaf-02de2d5bbb89
-  metadata: 
-    title:               FedRAMP High Baseline
-    published:           2020-06-01T00:00:00.000-04:00
-    last-modified:       2020-06-01T10:00:00.000-04:00
-    version:             1.2
-    oscal-version:       1.0.0-milestone3
-    roles: 
-      - 
-        id:    parpared-by
-        title: Document creator
-      - 
-        id:         fedramp-pmo
-        title:      The FedRAMP Program Management Office (PMO)
-        short-name: CSP
-      - 
-        id:         fedramp-jab
-        title:      The FedRAMP Joint Authorization Board (JAB)
-        short-name: CSP
-    parties: 
-      - 
-        uuid:            8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
-        type:            organization
-        party-name:      Federal Risk and Authorization Management Program: Program Management Office
-        short-name:      FedRAMP PMO
-        links: 
-          - 
-            href: https://fedramp.gov
-            rel:  homepage
-            text: 
-        addresses: 
-          - 
-            type:           work
-            postal-address: 1800 F St. NW,
-            city:           Washington
-            state:          DC
-            postal-code:    
-            country:        US
-        email-addresses: info@fedramp.gov
-      - 
-        uuid:       ca9ba80e-1342-4bfd-b32a-abac468c24b4
-        type:       organization
-        party-name: Federal Risk and Authorization Management Program: Joint Authorization Board
-        short-name: FedRAMP JAB
-    responsible-parties: 
-      prepared-by: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-pmo: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-jab: 
-        party-uuids: ca9ba80e-1342-4bfd-b32a-abac468c24b4
-  imports: 
-    - 
-      href:    #ad005eae-cc63-4e64-9109-3905a9a825e4
-      include: 
-        id-selectors: 
-          - 
-            control-id: ac-1
-          - 
-            control-id: ac-2
-          - 
-            control-id: ac-2.1
-          - 
-            control-id: ac-2.2
-          - 
-            control-id: ac-2.3
-          - 
-            control-id: ac-2.4
-          - 
-            control-id: ac-2.5
-          - 
-            control-id: ac-2.7
-          - 
-            control-id: ac-2.9
-          - 
-            control-id: ac-2.10
-          - 
-            control-id: ac-2.11
-          - 
-            control-id: ac-2.12
-          - 
-            control-id: ac-2.13
-          - 
-            control-id: ac-3
-          - 
-            control-id: ac-4
-          - 
-            control-id: ac-4.8
-          - 
-            control-id: ac-4.21
-          - 
-            control-id: ac-5
-          - 
-            control-id: ac-6
-          - 
-            control-id: ac-6.1
-          - 
-            control-id: ac-6.2
-          - 
-            control-id: ac-6.3
-          - 
-            control-id: ac-6.5
-          - 
-            control-id: ac-6.7
-          - 
-            control-id: ac-6.8
-          - 
-            control-id: ac-6.9
-          - 
-            control-id: ac-6.10
-          - 
-            control-id: ac-7
-          - 
-            control-id: ac-7.2
-          - 
-            control-id: ac-8
-          - 
-            control-id: ac-10
-          - 
-            control-id: ac-11
-          - 
-            control-id: ac-11.1
-          - 
-            control-id: ac-12
-          - 
-            control-id: ac-12.1
-          - 
-            control-id: ac-14
-          - 
-            control-id: ac-17
-          - 
-            control-id: ac-17.1
-          - 
-            control-id: ac-17.2
-          - 
-            control-id: ac-17.3
-          - 
-            control-id: ac-17.4
-          - 
-            control-id: ac-17.9
-          - 
-            control-id: ac-18
-          - 
-            control-id: ac-18.1
-          - 
-            control-id: ac-18.3
-          - 
-            control-id: ac-18.4
-          - 
-            control-id: ac-18.5
-          - 
-            control-id: ac-19
-          - 
-            control-id: ac-19.5
-          - 
-            control-id: ac-20
-          - 
-            control-id: ac-20.1
-          - 
-            control-id: ac-20.2
-          - 
-            control-id: ac-21
-          - 
-            control-id: ac-22
-          - 
-            control-id: at-1
-          - 
-            control-id: at-2
-          - 
-            control-id: at-2.2
-          - 
-            control-id: at-3
-          - 
-            control-id: at-3.3
-          - 
-            control-id: at-3.4
-          - 
-            control-id: at-4
-          - 
-            control-id: au-1
-          - 
-            control-id: au-2
-          - 
-            control-id: au-2.3
-          - 
-            control-id: au-3
-          - 
-            control-id: au-3.1
-          - 
-            control-id: au-3.2
-          - 
-            control-id: au-4
-          - 
-            control-id: au-5
-          - 
-            control-id: au-5.1
-          - 
-            control-id: au-5.2
-          - 
-            control-id: au-6
-          - 
-            control-id: au-6.1
-          - 
-            control-id: au-6.3
-          - 
-            control-id: au-6.4
-          - 
-            control-id: au-6.5
-          - 
-            control-id: au-6.6
-          - 
-            control-id: au-6.7
-          - 
-            control-id: au-6.10
-          - 
-            control-id: au-7
-          - 
-            control-id: au-7.1
-          - 
-            control-id: au-8
-          - 
-            control-id: au-8.1
-          - 
-            control-id: au-9
-          - 
-            control-id: au-9.2
-          - 
-            control-id: au-9.3
-          - 
-            control-id: au-9.4
-          - 
-            control-id: au-10
-          - 
-            control-id: au-11
-          - 
-            control-id: au-12
-          - 
-            control-id: au-12.1
-          - 
-            control-id: au-12.3
-          - 
-            control-id: ca-1
-          - 
-            control-id: ca-2
-          - 
-            control-id: ca-2.1
-          - 
-            control-id: ca-2.2
-          - 
-            control-id: ca-2.3
-          - 
-            control-id: ca-3
-          - 
-            control-id: ca-3.3
-          - 
-            control-id: ca-3.5
-          - 
-            control-id: ca-5
-          - 
-            control-id: ca-6
-          - 
-            control-id: ca-7
-          - 
-            control-id: ca-7.1
-          - 
-            control-id: ca-7.3
-          - 
-            control-id: ca-8
-          - 
-            control-id: ca-8.1
-          - 
-            control-id: ca-9
-          - 
-            control-id: cm-1
-          - 
-            control-id: cm-2
-          - 
-            control-id: cm-2.1
-          - 
-            control-id: cm-2.2
-          - 
-            control-id: cm-2.3
-          - 
-            control-id: cm-2.7
-          - 
-            control-id: cm-3
-          - 
-            control-id: cm-3.1
-          - 
-            control-id: cm-3.2
-          - 
-            control-id: cm-3.4
-          - 
-            control-id: cm-3.6
-          - 
-            control-id: cm-4
-          - 
-            control-id: cm-4.1
-          - 
-            control-id: cm-5
-          - 
-            control-id: cm-5.1
-          - 
-            control-id: cm-5.2
-          - 
-            control-id: cm-5.3
-          - 
-            control-id: cm-5.5
-          - 
-            control-id: cm-6
-          - 
-            control-id: cm-6.1
-          - 
-            control-id: cm-6.2
-          - 
-            control-id: cm-7
-          - 
-            control-id: cm-7.1
-          - 
-            control-id: cm-7.2
-          - 
-            control-id: cm-7.5
-          - 
-            control-id: cm-8
-          - 
-            control-id: cm-8.1
-          - 
-            control-id: cm-8.2
-          - 
-            control-id: cm-8.3
-          - 
-            control-id: cm-8.4
-          - 
-            control-id: cm-8.5
-          - 
-            control-id: cm-9
-          - 
-            control-id: cm-10
-          - 
-            control-id: cm-10.1
-          - 
-            control-id: cm-11
-          - 
-            control-id: cm-11.1
-          - 
-            control-id: cp-1
-          - 
-            control-id: cp-2
-          - 
-            control-id: cp-2.1
-          - 
-            control-id: cp-2.2
-          - 
-            control-id: cp-2.3
-          - 
-            control-id: cp-2.4
-          - 
-            control-id: cp-2.5
-          - 
-            control-id: cp-2.8
-          - 
-            control-id: cp-3
-          - 
-            control-id: cp-3.1
-          - 
-            control-id: cp-4
-          - 
-            control-id: cp-4.1
-          - 
-            control-id: cp-4.2
-          - 
-            control-id: cp-6
-          - 
-            control-id: cp-6.1
-          - 
-            control-id: cp-6.2
-          - 
-            control-id: cp-6.3
-          - 
-            control-id: cp-7
-          - 
-            control-id: cp-7.1
-          - 
-            control-id: cp-7.2
-          - 
-            control-id: cp-7.3
-          - 
-            control-id: cp-7.4
-          - 
-            control-id: cp-8
-          - 
-            control-id: cp-8.1
-          - 
-            control-id: cp-8.2
-          - 
-            control-id: cp-8.3
-          - 
-            control-id: cp-8.4
-          - 
-            control-id: cp-9
-          - 
-            control-id: cp-9.1
-          - 
-            control-id: cp-9.2
-          - 
-            control-id: cp-9.3
-          - 
-            control-id: cp-9.5
-          - 
-            control-id: cp-10
-          - 
-            control-id: cp-10.2
-          - 
-            control-id: cp-10.4
-          - 
-            control-id: ia-1
-          - 
-            control-id: ia-2
-          - 
-            control-id: ia-2.1
-          - 
-            control-id: ia-2.2
-          - 
-            control-id: ia-2.3
-          - 
-            control-id: ia-2.4
-          - 
-            control-id: ia-2.5
-          - 
-            control-id: ia-2.8
-          - 
-            control-id: ia-2.9
-          - 
-            control-id: ia-2.11
-          - 
-            control-id: ia-2.12
-          - 
-            control-id: ia-3
-          - 
-            control-id: ia-4
-          - 
-            control-id: ia-4.4
-          - 
-            control-id: ia-5
-          - 
-            control-id: ia-5.1
-          - 
-            control-id: ia-5.2
-          - 
-            control-id: ia-5.3
-          - 
-            control-id: ia-5.4
-          - 
-            control-id: ia-5.6
-          - 
-            control-id: ia-5.7
-          - 
-            control-id: ia-5.8
-          - 
-            control-id: ia-5.11
-          - 
-            control-id: ia-5.13
-          - 
-            control-id: ia-6
-          - 
-            control-id: ia-7
-          - 
-            control-id: ia-8
-          - 
-            control-id: ia-8.1
-          - 
-            control-id: ia-8.2
-          - 
-            control-id: ia-8.3
-          - 
-            control-id: ia-8.4
-          - 
-            control-id: ir-1
-          - 
-            control-id: ir-2
-          - 
-            control-id: ir-2.1
-          - 
-            control-id: ir-2.2
-          - 
-            control-id: ir-3
-          - 
-            control-id: ir-3.2
-          - 
-            control-id: ir-4
-          - 
-            control-id: ir-4.1
-          - 
-            control-id: ir-4.2
-          - 
-            control-id: ir-4.3
-          - 
-            control-id: ir-4.4
-          - 
-            control-id: ir-4.6
-          - 
-            control-id: ir-4.8
-          - 
-            control-id: ir-5
-          - 
-            control-id: ir-5.1
-          - 
-            control-id: ir-6
-          - 
-            control-id: ir-6.1
-          - 
-            control-id: ir-7
-          - 
-            control-id: ir-7.1
-          - 
-            control-id: ir-7.2
-          - 
-            control-id: ir-8
-          - 
-            control-id: ir-9
-          - 
-            control-id: ir-9.1
-          - 
-            control-id: ir-9.2
-          - 
-            control-id: ir-9.3
-          - 
-            control-id: ir-9.4
-          - 
-            control-id: ma-1
-          - 
-            control-id: ma-2
-          - 
-            control-id: ma-2.2
-          - 
-            control-id: ma-3
-          - 
-            control-id: ma-3.1
-          - 
-            control-id: ma-3.2
-          - 
-            control-id: ma-3.3
-          - 
-            control-id: ma-4
-          - 
-            control-id: ma-4.2
-          - 
-            control-id: ma-4.3
-          - 
-            control-id: ma-4.6
-          - 
-            control-id: ma-5
-          - 
-            control-id: ma-5.1
-          - 
-            control-id: ma-6
-          - 
-            control-id: mp-1
-          - 
-            control-id: mp-2
-          - 
-            control-id: mp-3
-          - 
-            control-id: mp-4
-          - 
-            control-id: mp-5
-          - 
-            control-id: mp-5.4
-          - 
-            control-id: mp-6
-          - 
-            control-id: mp-6.1
-          - 
-            control-id: mp-6.2
-          - 
-            control-id: mp-6.3
-          - 
-            control-id: mp-7
-          - 
-            control-id: mp-7.1
-          - 
-            control-id: pe-1
-          - 
-            control-id: pe-2
-          - 
-            control-id: pe-3
-          - 
-            control-id: pe-3.1
-          - 
-            control-id: pe-4
-          - 
-            control-id: pe-5
-          - 
-            control-id: pe-6
-          - 
-            control-id: pe-6.1
-          - 
-            control-id: pe-6.4
-          - 
-            control-id: pe-8
-          - 
-            control-id: pe-8.1
-          - 
-            control-id: pe-9
-          - 
-            control-id: pe-10
-          - 
-            control-id: pe-11
-          - 
-            control-id: pe-11.1
-          - 
-            control-id: pe-12
-          - 
-            control-id: pe-13
-          - 
-            control-id: pe-13.1
-          - 
-            control-id: pe-13.2
-          - 
-            control-id: pe-13.3
-          - 
-            control-id: pe-14
-          - 
-            control-id: pe-14.2
-          - 
-            control-id: pe-15
-          - 
-            control-id: pe-15.1
-          - 
-            control-id: pe-16
-          - 
-            control-id: pe-17
-          - 
-            control-id: pe-18
-          - 
-            control-id: pl-1
-          - 
-            control-id: pl-2
-          - 
-            control-id: pl-2.3
-          - 
-            control-id: pl-4
-          - 
-            control-id: pl-4.1
-          - 
-            control-id: pl-8
-          - 
-            control-id: ps-1
-          - 
-            control-id: ps-2
-          - 
-            control-id: ps-3
-          - 
-            control-id: ps-3.3
-          - 
-            control-id: ps-4
-          - 
-            control-id: ps-4.2
-          - 
-            control-id: ps-5
-          - 
-            control-id: ps-6
-          - 
-            control-id: ps-7
-          - 
-            control-id: ps-8
-          - 
-            control-id: ra-1
-          - 
-            control-id: ra-2
-          - 
-            control-id: ra-3
-          - 
-            control-id: ra-5
-          - 
-            control-id: ra-5.1
-          - 
-            control-id: ra-5.2
-          - 
-            control-id: ra-5.3
-          - 
-            control-id: ra-5.4
-          - 
-            control-id: ra-5.5
-          - 
-            control-id: ra-5.6
-          - 
-            control-id: ra-5.8
-          - 
-            control-id: ra-5.10
-          - 
-            control-id: sa-1
-          - 
-            control-id: sa-2
-          - 
-            control-id: sa-3
-          - 
-            control-id: sa-4
-          - 
-            control-id: sa-4.1
-          - 
-            control-id: sa-4.2
-          - 
-            control-id: sa-4.8
-          - 
-            control-id: sa-4.9
-          - 
-            control-id: sa-4.10
-          - 
-            control-id: sa-5
-          - 
-            control-id: sa-8
-          - 
-            control-id: sa-9
-          - 
-            control-id: sa-9.1
-          - 
-            control-id: sa-9.2
-          - 
-            control-id: sa-9.4
-          - 
-            control-id: sa-9.5
-          - 
-            control-id: sa-10
-          - 
-            control-id: sa-10.1
-          - 
-            control-id: sa-11
-          - 
-            control-id: sa-11.1
-          - 
-            control-id: sa-11.2
-          - 
-            control-id: sa-11.8
-          - 
-            control-id: sa-12
-          - 
-            control-id: sa-15
-          - 
-            control-id: sa-16
-          - 
-            control-id: sa-17
-          - 
-            control-id: sc-1
-          - 
-            control-id: sc-2
-          - 
-            control-id: sc-3
-          - 
-            control-id: sc-4
-          - 
-            control-id: sc-5
-          - 
-            control-id: sc-6
-          - 
-            control-id: sc-7
-          - 
-            control-id: sc-7.3
-          - 
-            control-id: sc-7.4
-          - 
-            control-id: sc-7.5
-          - 
-            control-id: sc-7.7
-          - 
-            control-id: sc-7.8
-          - 
-            control-id: sc-7.10
-          - 
-            control-id: sc-7.12
-          - 
-            control-id: sc-7.13
-          - 
-            control-id: sc-7.18
-          - 
-            control-id: sc-7.20
-          - 
-            control-id: sc-7.21
-          - 
-            control-id: sc-8
-          - 
-            control-id: sc-8.1
-          - 
-            control-id: sc-10
-          - 
-            control-id: sc-12
-          - 
-            control-id: sc-12.1
-          - 
-            control-id: sc-12.2
-          - 
-            control-id: sc-12.3
-          - 
-            control-id: sc-13
-          - 
-            control-id: sc-15
-          - 
-            control-id: sc-17
-          - 
-            control-id: sc-18
-          - 
-            control-id: sc-19
-          - 
-            control-id: sc-20
-          - 
-            control-id: sc-21
-          - 
-            control-id: sc-22
-          - 
-            control-id: sc-23
-          - 
-            control-id: sc-23.1
-          - 
-            control-id: sc-24
-          - 
-            control-id: sc-28
-          - 
-            control-id: sc-28.1
-          - 
-            control-id: sc-39
-          - 
-            control-id: si-1
-          - 
-            control-id: si-2
-          - 
-            control-id: si-2.1
-          - 
-            control-id: si-2.2
-          - 
-            control-id: si-2.3
-          - 
-            control-id: si-3
-          - 
-            control-id: si-3.1
-          - 
-            control-id: si-3.2
-          - 
-            control-id: si-3.7
-          - 
-            control-id: si-4
-          - 
-            control-id: si-4.1
-          - 
-            control-id: si-4.2
-          - 
-            control-id: si-4.4
-          - 
-            control-id: si-4.5
-          - 
-            control-id: si-4.11
-          - 
-            control-id: si-4.14
-          - 
-            control-id: si-4.16
-          - 
-            control-id: si-4.18
-          - 
-            control-id: si-4.19
-          - 
-            control-id: si-4.20
-          - 
-            control-id: si-4.22
-          - 
-            control-id: si-4.23
-          - 
-            control-id: si-4.24
-          - 
-            control-id: si-5
-          - 
-            control-id: si-5.1
-          - 
-            control-id: si-6
-          - 
-            control-id: si-7
-          - 
-            control-id: si-7.1
-          - 
-            control-id: si-7.2
-          - 
-            control-id: si-7.5
-          - 
-            control-id: si-7.7
-          - 
-            control-id: si-7.14
-          - 
-            control-id: si-8
-          - 
-            control-id: si-8.1
-          - 
-            control-id: si-8.2
-          - 
-            control-id: si-10
-          - 
-            control-id: si-11
-          - 
-            control-id: si-12
-          - 
-            control-id: si-16
-  merge: 
-    combine: 
-      method: keep
-    as-is:   true
-  modify: 
-    parameter-settings: 
-      ac-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ac-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      ac-2_prm_4: 
-        constraints: 
-          - 
-            detail: monthly for privileged accessed, every six (6) months for non-privileged access
-      ac-2.2_prm_1: 
-        constraints: 
-          - 
-            detail: Selection: disables
-      ac-2.2_prm_2: 
-        constraints: 
-          - 
-            detail: 24 hours from last use
-      ac-2.3_prm_1: 
-        constraints: 
-          - 
-            detail: 35 days for user accounts
-      ac-2.4_prm_1: 
-        constraints: 
-          - 
-            detail: organization and/or service provider system owner
-      ac-2.5_prm_1: 
-        constraints: 
-          - 
-            detail: inactivity is anticipated to exceed Fifteen (15) minutes
-      ac-2.7_prm_1: 
-        constraints: 
-          - 
-            detail: disables/revokes access within a organization-specified timeframe
-      ac-2.9_prm_1: 
-        constraints: 
-          - 
-            detail: organization-defined need with justification statement that explains why such accounts are necessary
-      ac-2.12_prm_2: 
-        constraints: 
-          - 
-            detail: at a minimum, the ISSO and/or similar role within the organization
-      ac-2.13_prm_1: 
-        constraints: 
-          - 
-            detail: one (1) hour
-      ac-6.1_prm_1: 
-        constraints: 
-          - 
-            detail: all functions not publicly accessible and all security-relevant information not publicly available
-      ac-6.2_prm_1: 
-        constraints: 
-          - 
-            detail: all security functions
-      ac-6.3_prm_1: 
-        constraints: 
-          - 
-            detail: all privileged commands
-      ac-6.7_prm_1: 
-        constraints: 
-          - 
-            detail: at a minimum, annually
-      ac-6.7_prm_2: 
-        constraints: 
-          - 
-            detail: all users with privileges
-      ac-6.8_prm_1: 
-        constraints: 
-          - 
-            detail: any software except software explicitly documented
-      ac-7_prm_1: 
-        constraints: 
-          - 
-            detail: not more than three (3)
-      ac-7_prm_2: 
-        constraints: 
-          - 
-            detail: fifteen (15) minutes
-      ac-7_prm_4: 
-        constraints: 
-          - 
-            detail: locks the account/node for a minimum of three (3) hours or until unlocked by an administrator
-      ac-7.2_prm_1: 
-        constraints: 
-          - 
-            detail: mobile devices as defined by organization policy
-      ac-7.2_prm_3: 
-        constraints: 
-          - 
-            detail: three (3)
-      ac-8_prm_1: 
-        constraints: 
-          - 
-            detail: see additional Requirements and Guidance
-      ac-8_prm_2: 
-        constraints: 
-          - 
-            detail: see additional Requirements and Guidance
-      ac-10_prm_2: 
-        constraints: 
-          - 
-            detail: three (3) sessions for privileged access and two (2) sessions for non-privileged access
-      ac-11_prm_1: 
-        constraints: 
-          - 
-            detail: fifteen (15) minutes
-      ac-17.9_prm_1: 
-        constraints: 
-          - 
-            detail: fifteen (15) minutes
-      ac-22_prm_1: 
-        constraints: 
-          - 
-            detail: at least quarterly
-      at-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      at-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      at-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      at-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      at-3.4_prm_1: 
-        constraints: 
-          - 
-            detail: malicious code indicators as defined by organization incident policy/capability.
-      at-4_prm_1: 
-        constraints: 
-          - 
-            detail: five (5) years or 5 years after completion of a specific training program
-      au-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      au-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      au-2_prm_1: 
-        constraints: 
-          - 
-            detail: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-      au-2_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event
-      au-2.3_prm_1: 
-        constraints: 
-          - 
-            detail: annually or whenever there is a change in the threat environment
-      au-3.1_prm_1: 
-        constraints: 
-          - 
-            detail: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands
-      au-3.2_prm_1: 
-        constraints: 
-          - 
-            detail: all network, data storage, and computing devices
-      au-5_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined actions to be taken (overwrite oldest record)
-      au-5.2_prm_1: 
-        constraints: 
-          - 
-            detail: real-time
-      au-5.2_prm_2: 
-        constraints: 
-          - 
-            detail: service provider personnel with authority to address failed audit events
-      au-5.2_prm_3: 
-        constraints: 
-          - 
-            detail: audit failure events requiring real-time alerts, as defined by organization audit policy
-      au-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      au-6.5_prm_2: 
-        constraints: 
-          - 
-            detail: Possibly to include penetration test data.
-      au-6.7_prm_1: 
-        constraints: 
-          - 
-            detail: information system process; role; user
-      au-8_prm_1: 
-        constraints: 
-          - 
-            detail: one second granularity of time measurement
-      au-8.1_prm_1: 
-        constraints: 
-          - 
-            detail: At least hourly
-      au-8.1_prm_2: 
-        constraints: 
-          - 
-            detail: http://tf.nist.gov/tf-cgi/servers.cgi
-      au-9.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      au-10_prm_1: 
-        constraints: 
-          - 
-            detail: minimum actions including the addition, modification, deletion, approval, sending, or receiving of data
-      au-11_prm_1: 
-        constraints: 
-          - 
-            detail: at least one (1) year
-      au-12_prm_1: 
-        constraints: 
-          - 
-            detail: all information system and network components where audit capability is deployed/available
-      au-12.1_prm_1: 
-        constraints: 
-          - 
-            detail: all network, data storage, and computing devices
-      au-12.3_prm_1: 
-        constraints: 
-          - 
-            detail: service provider-defined individuals or roles with audit configuration responsibilities
-      au-12.3_prm_2: 
-        constraints: 
-          - 
-            detail: all network, data storage, and computing devices
-      ca-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      ca-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-2_prm_2: 
-        constraints: 
-          - 
-            detail: individuals or roles to include FedRAMP PMO
-      ca-2.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-2.3_prm_1: 
-        constraints: 
-          - 
-            detail: any FedRAMP Accredited 3PAO
-      ca-2.3_prm_2: 
-        constraints: 
-          - 
-            detail: any FedRAMP Accredited 3PAO
-      ca-2.3_prm_3: 
-        constraints: 
-          - 
-            detail: the conditions of the JAB/AO in the FedRAMP Repository
-      ca-3_prm_1: 
-        constraints: 
-          - 
-            detail: At least annually and on input from FedRAMP
-      ca-3.3_prm_2: 
-        constraints: 
-          - 
-            detail: boundary protections which meet the Trusted Internet Connection (TIC) requirements
-      ca-3.5_prm_1: 
-        constraints: 
-          - 
-            detail: deny-all, permit by exception
-      ca-3.5_prm_2: 
-        constraints: 
-          - 
-            detail: any systems
-      ca-5_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      ca-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least every three (3) years or when a significant change occurs
-      ca-7_prm_4: 
-        constraints: 
-          - 
-            detail: to meet Federal and FedRAMP requirements (See additional guidance)
-      ca-7_prm_5: 
-        constraints: 
-          - 
-            detail: to meet Federal and FedRAMP requirements (See additional guidance)
-      ca-8_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      cm-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      cm-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      cm-2.1_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually or when a significant change occurs
-      cm-2.1_prm_2: 
-        constraints: 
-          - 
-            detail: to include when directed by the JAB
-      cm-2.3_prm_1: 
-        constraints: 
-          - 
-            detail: organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components
-      cm-3.1_prm_2: 
-        constraints: 
-          - 
-            detail: organization agreed upon time period
-      cm-3.1_prm_3: 
-        constraints: 
-          - 
-            detail: organization defined configuration management approval authorities
-      cm-3.4_prm_1: 
-        constraints: 
-          - 
-            detail: Configuration control board (CCB) or similar (as defined in CM-3)
-      cm-3.6_prm_1: 
-        constraints: 
-          - 
-            detail: All security safeguards that rely on cryptography
-      cm-5.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least every thirty (30) days
-      cm-5.5_prm_1: 
-        constraints: 
-          - 
-            detail: at least quarterly
-      cm-6_prm_1: 
-        guidance: 
-          - 
-            prose: See CM-6(a) Additional FedRAMP Requirements and Guidance
-      cm-7_prm_1: 
-        constraints: 
-          - 
-            detail: United States Government Configuration Baseline (USGCB)
-      cm-7.1_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      cm-7.5_prm_2: 
-        constraints: 
-          - 
-            detail: at least quarterly or when there is a change
-      cm-8_prm_2: 
-        constraints: 
-          - 
-            detail: at least monthly
-      cm-8.3_prm_1: 
-        constraints: 
-          - 
-            detail: Continuously, using automated mechanisms with a maximum five-minute delay in detection.
-      cm-8.4_prm_1: 
-        constraints: 
-          - 
-            detail: position and role
-      cm-11_prm_3: 
-        constraints: 
-          - 
-            detail: Continuously (via CM-7 (5))
-      cp-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      cp-2_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-2.4_prm_1: 
-        constraints: 
-          - 
-            detail: time period defined in service provider and organization SLA
-      cp-3_prm_1: 
-        constraints: 
-          - 
-            detail: ten (10) days
-      cp-3_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-4_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-4_prm_2: 
-        constraints: 
-          - 
-            detail: functional exercises
-      cp-8.4_prm_1: 
-        constraints: 
-          - 
-            detail: annually
-      cp-9_prm_1: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9_prm_2: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9_prm_3: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9.1_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      cp-9.5_prm_1: 
-        constraints: 
-          - 
-            detail: time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA
-      cp-10.4_prm_1: 
-        constraints: 
-          - 
-            detail: time period consistent with the restoration time-periods defined in the service provider and organization SLA
-      ia-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ia-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      ia-2.11_prm_1: 
-        constraints: 
-          - 
-            detail: FIPS 140-2, NIAP Certification, or NSA approval
-      ia-4_prm_1: 
-        constraints: 
-          - 
-            detail: at a minimum, the ISSO (or similar role within the organization)
-      ia-4_prm_2: 
-        constraints: 
-          - 
-            detail: at least two (2) years
-      ia-4_prm_3: 
-        constraints: 
-          - 
-            detail: thirty-five (35) days (See additional requirements and guidance.)
-      ia-4.4_prm_1: 
-        constraints: 
-          - 
-            detail: contractors; foreign nationals]
-      ia-5.1_prm_2: 
-        constraints: 
-          - 
-            detail: at least fifty percent (50%)
-      ia-5.1_prm_4: 
-        constraints: 
-          - 
-            detail: twenty four (24)
-      ia-5.3_prm_1: 
-        constraints: 
-          - 
-            detail: All hardware/biometric (multifactor authenticators)
-      ia-5.3_prm_2: 
-        constraints: 
-          - 
-            detail: in person
-      ia-5.4_prm_1: 
-        constraints: 
-          - 
-            detail: complexity as identified in IA-5 (1) Control Enhancement Part (a)
-      ia-5.8_prm_1: 
-        constraints: 
-          - 
-            detail: different authenticators on different systems
-      ir-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      ir-2_prm_1: 
-        constraints: 
-          - 
-            detail: within ten (10) days
-      ir-2_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least every six (6) months
-      ir-4.2_prm_1: 
-        constraints: 
-          - 
-            detail: all network, data storage, and computing devices
-      ir-4.8_prm_1: 
-        constraints: 
-          - 
-            detail: external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)
-      ir-6_prm_1: 
-        constraints: 
-          - 
-            detail: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-      ir-8_prm_2: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP Requirements and Guidance
-      ir-8_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-8_prm_4: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP Requirements and Guidance
-      ir-9.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ma-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ma-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      ma-3.3_prm_1: 
-        constraints: 
-          - 
-            detail: the information owner explicitly authorizing removal of the equipment from the facility
-      mp-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      mp-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      mp-2_prm_1: 
-        constraints: 
-          - 
-            detail: any digital and non-digital media deemed sensitive
-      mp-3_prm_1: 
-        constraints: 
-          - 
-            detail: no removable media types
-      mp-3_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined security safeguards not applicable
-      mp-4_prm_1: 
-        constraints: 
-          - 
-            detail: all types of digital and non-digital media with sensitive information
-      mp-4_prm_2: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP requirements and guidance
-      mp-5_prm_1: 
-        constraints: 
-          - 
-            detail: all media with sensitive information
-      mp-5_prm_2: 
-        constraints: 
-          - 
-            detail: prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container
-      mp-6_prm_2: 
-        constraints: 
-          - 
-            detail: techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations
-      mp-6.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least every six (6) months
-      pe-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      pe-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least every ninety (90) days
-      pe-3_prm_2: 
-        constraints: 
-          - 
-            detail: CSP defined physical access control systems/devices AND guards
-      pe-3_prm_3: 
-        constraints: 
-          - 
-            detail: CSP defined physical access control systems/devices
-      pe-3_prm_6: 
-        constraints: 
-          - 
-            detail: in all circumstances within restricted access area where the information system resides
-      pe-3_prm_8: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-3_prm_9: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      pe-8_prm_1: 
-        constraints: 
-          - 
-            detail: for a minimum of one (1) year
-      pe-8_prm_2: 
-        constraints: 
-          - 
-            detail: at least monthly
-      pe-13.1_prm_1: 
-        constraints: 
-          - 
-            detail: service provider building maintenance/physical security personnel
-      pe-13.1_prm_2: 
-        constraints: 
-          - 
-            detail: service provider emergency responders with incident response responsibilities
-      pe-14_prm_1: 
-        constraints: 
-          - 
-            detail: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-      pe-14_prm_2: 
-        constraints: 
-          - 
-            detail: continuously
-      pe-15.1_prm_1: 
-        constraints: 
-          - 
-            detail: service provider building maintenance/physical security personnel
-      pe-16_prm_1: 
-        constraints: 
-          - 
-            detail: all information system components
-      pe-18_prm_1: 
-        constraints: 
-          - 
-            detail: physical and environmental hazards identified during threat assessment
-      pl-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      pl-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      pl-2_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      pl-4_prm_1: 
-        constraints: 
-          - 
-            detail: annually
-      pl-8_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually or when a significant change occurs
-      ps-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      ps-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-3_prm_1: 
-        constraints: 
-          - 
-            detail: for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions
-      ps-3.3_prm_1: 
-        constraints: 
-          - 
-            detail: personnel screening criteria - as required by specific information
-      ps-4_prm_1: 
-        constraints: 
-          - 
-            detail: eight (8) hours
-      ps-4.2_prm_1: 
-        constraints: 
-          - 
-            detail: access control personnel responsible for disabling access to the system
-      ps-5_prm_2: 
-        constraints: 
-          - 
-            detail: twenty-four (24) hours
-      ps-5_prm_4: 
-        constraints: 
-          - 
-            detail: twenty-four (24) hours
-      ps-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-6_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually and any time there is a change to the user's level of access
-      ps-7_prm_2: 
-        constraints: 
-          - 
-            detail: terminations: immediately; transfers: within twenty-four (24) hours
-      ps-8_prm_1: 
-        constraints: 
-          - 
-            detail: at a minimum, the ISSO and/or similar role within the organization
-      ra-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ra-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      ra-3_prm_2: 
-        constraints: 
-          - 
-            detail: security assessment report
-      ra-3_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      ra-3_prm_5: 
-        constraints: 
-          - 
-            detail: annually
-      ra-5_prm_1: 
-        constraints: 
-          - 
-            detail: monthly operating system/infrastructure; monthly web applications and databases
-      ra-5_prm_2: 
-        constraints: 
-          - 
-            detail: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery
-      ra-5.2_prm_1: 
-        constraints: 
-          - 
-            detail: prior to a new scan
-      ra-5.4_prm_1: 
-        constraints: 
-          - 
-            detail: notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions
-      ra-5.5_prm_1: 
-        constraints: 
-          - 
-            detail: operating systems / web applications / databases
-      ra-5.5_prm_2: 
-        constraints: 
-          - 
-            detail: all scans
-      sa-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      sa-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      sa-4.2_prm_1: 
-        constraints: 
-          - 
-            detail: at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]
-      sa-4.8_prm_1: 
-        constraints: 
-          - 
-            detail: at least the minimum requirement as defined in control CA-7
-      sa-5_prm_2: 
-        constraints: 
-          - 
-            detail: at a minimum, the ISSO (or similar role within the organization)
-      sa-9_prm_1: 
-        constraints: 
-          - 
-            detail: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-      sa-9_prm_2: 
-        constraints: 
-          - 
-            detail: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-      sa-9.2_prm_1: 
-        constraints: 
-          - 
-            detail: all external systems where Federal information is processed or stored
-      sa-9.4_prm_2: 
-        constraints: 
-          - 
-            detail: all external systems where Federal information is processed or stored
-      sa-9.5_prm_1: 
-        constraints: 
-          - 
-            detail: information processing, information data, AND information services
-      sa-9.5_prm_2: 
-        constraints: 
-          - 
-            detail: U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction
-      sa-9.5_prm_3: 
-        constraints: 
-          - 
-            detail: all High Impact Data, Systems, or Services
-      sa-10_prm_1: 
-        constraints: 
-          - 
-            detail: development, implementation, AND operation
-      sa-12_prm_1: 
-        constraints: 
-          - 
-            detail: organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures
-      sa-15_prm_1: 
-        constraints: 
-          - 
-            detail: as needed and as dictated by the current threat posture
-      sa-15_prm_2: 
-        constraints: 
-          - 
-            detail: organization and service provider- defined security requirements
-      sc-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      sc-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      sc-7.4_prm_1: 
-        constraints: 
-          - 
-            detail: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions
-      sc-7.12_prm_1: 
-        constraints: 
-          - 
-            detail: Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall
-      sc-8_prm_1: 
-        constraints: 
-          - 
-            detail: confidentiality AND integrity
-      sc-8.1_prm_1: 
-        constraints: 
-          - 
-            detail: prevent unauthorized disclosure of information AND detect changes to information
-      sc-8.1_prm_2: 
-        constraints: 
-          - 
-            detail: a hardened or alarmed carrier Protective Distribution System (PDS)
-      sc-10_prm_1: 
-        constraints: 
-          - 
-            detail: no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions
-      sc-12.2_prm_1: 
-        constraints: 
-          - 
-            detail: NIST FIPS-compliant
-      sc-13_prm_1: 
-        constraints: 
-          - 
-            detail: FIPS-validated or NSA-approved cryptography
-      sc-15_prm_1: 
-        constraints: 
-          - 
-            detail: no exceptions
-      sc-28_prm_1: 
-        constraints: 
-          - 
-            detail: confidentiality AND integrity
-      sc-28.1_prm_2: 
-        constraints: 
-          - 
-            detail: all information system components storing customer data deemed sensitive
-      si-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      si-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually or whenever a significant change occurs
-      si-2_prm_1: 
-        constraints: 
-          - 
-            detail: thirty (30) days of release of updates
-      si-2.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      si-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      si-3_prm_2: 
-        constraints: 
-          - 
-            detail: to include endpoints
-      si-3_prm_3: 
-        constraints: 
-          - 
-            detail: to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime
-      si-4.4_prm_1: 
-        constraints: 
-          - 
-            detail: continuously
-      si-5_prm_1: 
-        constraints: 
-          - 
-            detail: to include US-CERT
-      si-5_prm_2: 
-        constraints: 
-          - 
-            detail: to include system security personnel and administrators with configuration/patch-management responsibilities
-      si-6_prm_3: 
-        constraints: 
-          - 
-            detail: to include upon system startup and/or restart
-      si-6_prm_4: 
-        constraints: 
-          - 
-            detail: at least monthly
-      si-6_prm_5: 
-        constraints: 
-          - 
-            detail: to include system administrators and security personnel
-      si-6_prm_7: 
-        constraints: 
-          - 
-            detail: to include notification of system administrators and security personnel
-      si-7.1_prm_3: 
-        constraints: 
-          - 
-            detail: selection to include security relevant events
-      si-7.1_prm_4: 
-        constraints: 
-          - 
-            detail: at least monthly
-    alterations: 
-      - 
-        control-id: ac-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-10_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-10_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-11
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-11.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-11.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-11.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-11.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-11.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-12
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-12.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-12.1_smt
-            parts: 
-              - 
-                id:    ac-12.1_fr
-                name:  item
-                title: AC-12 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-12.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29
-          - 
-            position:   starting
-            id-ref:     ac-12.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-12.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-12.1.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-14
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-14.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-14.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-14.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-17
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-17.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-17.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-17.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-17.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-17.4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-17.9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-17.9_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.9_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-18
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-18.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-18.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-18.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-18.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-18.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-18.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-18.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-18.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-18.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-18.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-18.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-18.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-19
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-19
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-19.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-19.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-19.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-19.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-19.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-19.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.g_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.h_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.i_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.j_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.j_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.k_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.10
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.10_smt
-            parts: 
-              - 
-                id:    ac-2.10_fr
-                name:  item
-                title: AC-2 (10) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.10_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Required if shared/group accounts are deployed
-          - 
-            position:   starting
-            id-ref:     ac-2.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.11_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.11_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.12
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.12_smt
-            parts: 
-              - 
-                id:    ac-2.12_fr
-                name:  item
-                title: AC-2 (12) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Guidance:
-                    prose:      Required for privileged accounts.
-                  - 
-                    id:         ac-2.12_fr_gdn.2
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Guidance:
-                    prose:      Required for privileged accounts.
-          - 
-            position:   starting
-            id-ref:     ac-2.12
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.12.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.12.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.12.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.12.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.13
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.13_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.13_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.3
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.3_smt
-            parts: 
-              - 
-                id:    ac-2.3_fr
-                name:  item
-                title: AC-2 (3) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.3_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.
-          - 
-            position:   starting
-            id-ref:     ac-2.3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.4_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.5_smt
-            parts: 
-              - 
-                id:    ac-2.5_fr
-                name:  item
-                title: AC-2 (5) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Should use a shorter timeframe than AC-12.
-          - 
-            position:   starting
-            id-ref:     ac-2.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.7.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.7.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.9
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.9_smt
-            parts: 
-              - 
-                id:    ac-2.9_fr
-                name:  item
-                title: AC-2 (9) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.9_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Required if shared/group accounts are deployed
-          - 
-            position:   starting
-            id-ref:     ac-2.9_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.9_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-20
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-20.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-20.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-20.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-20.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-20.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-20.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-21
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-21.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-21.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-21.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-21.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-22
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-22
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-22.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-22.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-4.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-4.21
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-4.21_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-4.21_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-4.21_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-4.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-4.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-4.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-4.8_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-5_smt
-            parts: 
-              - 
-                id:    ac-5_fr
-                name:  item
-                title: AC-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.
-          - 
-            position:   starting
-            id-ref:     ac-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.2
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-6.2_smt
-            parts: 
-              - 
-                id:    ac-6.2_fr
-                name:  item
-                title: AC-6 (2) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-6.2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
-          - 
-            position:   starting
-            id-ref:     ac-6.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-6.3_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ac-6.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-6.7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-6.9_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-7.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-7.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.2_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-8_smt
-            parts: 
-              - 
-                id:    ac-8_fr
-                name:  item
-                title: AC-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-                  - 
-                    id:         ac-8_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-                  - 
-                    id:         ac-8_fr_smt.3
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     ac-8.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-8.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-8.c.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: at-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: at-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: at-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-2.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: at-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: at-3.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-3.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: at-3.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-3.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-3.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: at-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     at-4.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-4.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: au-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-10.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-10.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-11
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-11_smt
-            parts: 
-              - 
-                id:    au-11_fr
-                name:  item
-                title: AU-11 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-11_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-          - 
-            position:   starting
-            id-ref:     au-11
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-11.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-12.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-12.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-12.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-12.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-12.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-12.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-12.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.3_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.3_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-2_smt
-            parts: 
-              - 
-                id:    au-2_fr
-                name:  item
-                title: AU-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-2_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     au-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-2.3
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-2.3_smt
-            parts: 
-              - 
-                id:    au-2.3_fr
-                name:  item
-                title: AU-2 (3) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-2.3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     au-2.3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-3.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-3.1_smt
-            parts: 
-              - 
-                id:    au-3.1_fr
-                name:  item
-                title: AU-3 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-3.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO.
-                  - 
-                    id:         au-3.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
-          - 
-            position:   starting
-            id-ref:     au-3.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-3.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-3.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-3.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-3.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-5.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-5.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.1_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-5.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-5.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.2_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-6_smt
-            parts: 
-              - 
-                id:    au-6_fr
-                name:  item
-                title: AU-6 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-          - 
-            position:   starting
-            id-ref:     au-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-6.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-6.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-6.10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-6.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-6.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-6.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-6.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-6.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-6.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-6.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-6.5_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-6.6
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-6.6_smt
-            parts: 
-              - 
-                id:    au-6.6_fr
-                name:  item
-                title: AU-6 (6) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-6.6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     au-6.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-6.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-6.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-7.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-7.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-8.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-8.1_smt
-            parts: 
-              - 
-                id:    au-8.1_fr
-                name:  item
-                title: AU-8 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-8.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
-                  - 
-                    id:         au-8.1_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
-                  - 
-                    id:         au-8.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Synchronization of system clocks improves the accuracy of log analysis.
-          - 
-            position:   starting
-            id-ref:     au-8.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-8.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.1.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-8.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-9.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-9.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-9.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-9.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-9.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-9.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-9.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-9.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-9.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-9.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-9.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-9.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ca-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-2_smt
-            parts: 
-              - 
-                id:    ca-2_fr
-                name:  item
-                title: CA-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-2.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-2.1_smt
-            parts: 
-              - 
-                id:    ca-2.1_fr
-                name:  item
-                title: CA-2 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-          - 
-            position:   starting
-            id-ref:     ca-2.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-2.2
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-2.2_smt
-            parts: 
-              - 
-                id:    ca-2.2_fr
-                name:  item
-                title: CA-2 (2) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2.2_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      To include 'announced', 'vulnerability scanning'
-          - 
-            position:   starting
-            id-ref:     ca-2.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.2_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.3_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-3.3
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-3.3_smt
-            parts: 
-              - 
-                id:    ca-3.3_fr
-                name:  item
-                title: CA-3 (3) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-3.3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.
-          - 
-            position:   starting
-            id-ref:     ca-3.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-3.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-3.5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-3.5_smt
-            parts: 
-              - 
-                id:    ca-3.5_fr
-                name:  item
-                title: CA-3 (5) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-3.5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing
-          - 
-            position:   starting
-            id-ref:     ca-3.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-3.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-5_smt
-            parts: 
-              - 
-                id:    ca-5_fr
-                name:  item
-                title: CA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-5_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Plan of Action & Milestones (POA&M) must be provided at least monthly.
-                  - 
-                    id:         ca-5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-6_smt
-            parts: 
-              - 
-                id:    ca-6_fr
-                name:  item
-                title: CA-6(c) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     ca-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-6.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-6.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-7
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-7_smt
-            parts: 
-              - 
-                id:    ca-7_fr
-                name:  item
-                title: CA-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-7_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-                  - 
-                    id:         ca-7_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-                  - 
-                    id:         ca-7_fr_gdn.2
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-7.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-7.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-7.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-8_smt
-            parts: 
-              - 
-                id:    ca-8_fr
-                name:  item
-                title: CA-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-8_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-8_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-9.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-10.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-10.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-10.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-10.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-10.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-10.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-11.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-11.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-11.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-11.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-2.1_smt
-            parts: 
-              - 
-                id:    cm-2.1_fr
-                name:  item
-                title: CM-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-2.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-          - 
-            position:   starting
-            id-ref:     cm-2.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-2.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.1.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.2_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2.7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-3_smt
-            parts: 
-              - 
-                id:    cm-3_fr
-                name:  item
-                title: CM-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-3_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.
-                  - 
-                    id:         cm-3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (e) Guidance:
-                    prose:      In accordance with record retention policies and procedures.
-          - 
-            position:   starting
-            id-ref:     cm-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-3.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-3.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.g_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.g_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-3.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-3.1.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.1.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.1.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.1.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.1.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.1.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.1.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-3.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-3.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-3.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-3.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-3.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-3.6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-3.6_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.6_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-4.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-4.1_obj.2.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-4.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-4.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-4.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-5.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5_obj.7
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5_obj.8
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-5.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-5.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5.2_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5.3
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-5.3_smt
-            parts: 
-              - 
-                id:    cm-5.3_fr
-                name:  item
-                title: CM-5 (3) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-5.3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
-          - 
-            position:   starting
-            id-ref:     cm-5.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-5.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-5.5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5.5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-6_smt
-            parts: 
-              - 
-                id:    cm-6_fr
-                name:  item
-                title: CM-6(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement 1:
-                    prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. 
-                  - 
-                    id:         cm-6_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement 2:
-                    prose:      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available).
-                  - 
-                    id:         cm-6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline).
-          - 
-            position:   starting
-            id-ref:     cm-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-6.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-6.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-6.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-7_smt
-            parts: 
-              - 
-                id:    cm-7_fr
-                name:  item
-                title: CM-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-7_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-                  - 
-                    id:         cm-7_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8).
-          - 
-            position:   starting
-            id-ref:     cm-7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-7.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-7.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-7.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7.2
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-7.2_smt
-            parts: 
-              - 
-                id:    cm-7.2_fr
-                name:  item
-                title: CM-7 (2) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-7.2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.
-          - 
-            position:   starting
-            id-ref:     cm-7.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-7.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-7.5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-7.5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-8_smt
-            parts: 
-              - 
-                id:    cm-8_fr
-                name:  item
-                title: CM-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Must be provided at least monthly or when there is a change.
-          - 
-            position:   starting
-            id-ref:     cm-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-8.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-8.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-8.3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-8.3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-8.3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-8.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-8.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-9.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-9.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-9.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-9.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-9.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cp-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-10.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-10.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-10.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-10.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-10.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-10.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-2_smt
-            parts: 
-              - 
-                id:    cp-2_fr
-                name:  item
-                title: CP-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-2_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-2 Requirement:
-                    prose:      For JAB authorizations the contingency lists include designated FedRAMP personnel.
-          - 
-            position:   starting
-            id-ref:     cp-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-2.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.6_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.6_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-2.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.g_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-3.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-4_smt
-            parts: 
-              - 
-                id:    cp-4_fr
-                name:  item
-                title: CP-4(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-4_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-4(a) Requirement:
-                    prose:      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-          - 
-            position:   starting
-            id-ref:     cp-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-4.2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-4.2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-6.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-6.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-6.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-6.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-6.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-6.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-7
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-7_smt
-            parts: 
-              - 
-                id:    cp-7_fr
-                name:  item
-                title: CP-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-7_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-          - 
-            position:   starting
-            id-ref:     cp-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-7.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-7.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-7.1_smt
-            parts: 
-              - 
-                id:    cp-7.1_fr
-                name:  item
-                title: CP-7 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-7.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.
-          - 
-            position:   starting
-            id-ref:     cp-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-7.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-7.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-7.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-7.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-7.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-7.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-7.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-8_smt
-            parts: 
-              - 
-                id:    cp-8_fr
-                name:  item
-                title: CP-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-          - 
-            position:   starting
-            id-ref:     cp-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-8.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-8.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-8.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-8.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-8.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-8.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-8.4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-8.4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-8.4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-8.4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-8.4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-9
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-9_smt
-            parts: 
-              - 
-                id:    cp-9_fr
-                name:  item
-                title: CP-9 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-9_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-                  - 
-                    id:         cp-9_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(a) Requirement:
-                    prose:      The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-                  - 
-                    id:         cp-9_fr_smt.b
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(b)Requirement:
-                    prose:      The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-                  - 
-                    id:         cp-9_fr_smt.c
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(c)Requirement:
-                    prose:      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-          - 
-            position:   starting
-            id-ref:     cp-9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-9.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-9.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-9.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-9.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-9.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-9.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-9.3_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.3_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-9.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-9.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.5_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ia-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.11
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-2.11_smt
-            parts: 
-              - 
-                id:    ia-2.11_fr
-                name:  item
-                title: IA-2 (11) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-2.11_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.6
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.12
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-2.12_smt
-            parts: 
-              - 
-                id:    ia-2.12_fr
-                name:  item
-                title: IA-2 (12) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-2.12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-          - 
-            position:   starting
-            id-ref:     ia-2.12_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.9_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-4_smt
-            parts: 
-              - 
-                id:    ia-4_fr
-                name:  item
-                title: IA-4(e) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-4_fr_smt.e
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines the time period of inactivity for device identifiers.
-                  - 
-                    id:         ia-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx).
-          - 
-            position:   starting
-            id-ref:     ia-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-4.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-4.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-5_smt
-            parts: 
-              - 
-                id:    ia-5_fr
-                name:  item
-                title: IA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-5_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3).
-          - 
-            position:   starting
-            id-ref:     ia-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.h_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.i_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-5.i_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.j_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-5.1_smt
-            parts: 
-              - 
-                id:    ia-5.1_fr
-                name:  item
-                title: IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-5.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) (d) Guidance:
-                    prose:      If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-          - 
-            position:   starting
-            id-ref:     ia-5.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.11_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.13
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.13_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.13_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ia-5.4
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-5.4_smt
-            parts: 
-              - 
-                id:    ia-5.4_fr
-                name:  item
-                title: IA-5 (4) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-5.4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.
-          - 
-            position:   starting
-            id-ref:     ia-5.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.7_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-8.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ir-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-2.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-3_smt
-            parts: 
-              - 
-                id:    ir-3_fr
-                name:  item
-                title: IR-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-3_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: IR-3 -2 Requirement:
-                    prose:      The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
-          - 
-            position:   starting
-            id-ref:     ir-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-3.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-4_smt
-            parts: 
-              - 
-                id:    ir-4_fr
-                name:  item
-                title: IR-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-4_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-          - 
-            position:   starting
-            id-ref:     ir-4.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-4.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-4.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-4.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-4.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-4.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-4.6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-4.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-4.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-4.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.8_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-5.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-5.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-6_smt
-            parts: 
-              - 
-                id:    ir-6_fr
-                name:  item
-                title: IR-6 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Report security incident information according to FedRAMP Incident Communications Procedure.
-          - 
-            position:   starting
-            id-ref:     ir-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-7.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-7.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-7.2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-7.2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-8_smt
-            parts: 
-              - 
-                id:    ir-8_fr
-                name:  item
-                title: IR-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-8_fr_smt.b
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Requirement:
-                    prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-                  - 
-                    id:         ir-8_fr_smt.e
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (e) Requirement:
-                    prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-          - 
-            position:   starting
-            id-ref:     ir-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-8.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.a.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-8.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-9.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-9.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-9.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-9.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-9.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-9.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ma-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ma-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-2.2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-3.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-3.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-3.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-3.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-3.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ma-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-4.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-4.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ma-4.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-4.3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-4.6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-4.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ma-5.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-5.1.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-5.1.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-5.1.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-6.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-6.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     mp-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: mp-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   mp-3_smt
-            parts: 
-              - 
-                id:    mp-3_fr
-                name:  item
-                title: MP-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         mp-3_fr_gdn.b
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Guidance:
-                    prose:      Second parameter not-applicable
-          - 
-            position:   starting
-            id-ref:     mp-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-3.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   mp-4_smt
-            parts: 
-              - 
-                id:    mp-4_fr
-                name:  item
-                title: MP-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         mp-4_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider defines controlled areas within facilities where the information and information system reside.
-          - 
-            position:   starting
-            id-ref:     mp-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-4.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-4.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   mp-5_smt
-            parts: 
-              - 
-                id:    mp-5_fr
-                name:  item
-                title: MP-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         mp-5_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB.
-          - 
-            position:   starting
-            id-ref:     mp-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-5.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-5.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-5.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-5.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-6.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.1_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.1_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-6.2
-        additions: 
-          - 
-            position: ending
-            id-ref:   mp-6.2_smt
-            parts: 
-              - 
-                id:    mp-6.2_fr
-                name:  item
-                title: MP-6 (2) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         mp-6.2_fr_gdn.a
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      Equipment and procedures may be tested or validated for effectiveness
-          - 
-            position:   starting
-            id-ref:     mp-6.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     mp-6.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-6.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-6.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: pe-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-10.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-10.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-10.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-10.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-11_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-11.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-11.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-13
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-13.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-13.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-13.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-13.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-13.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-13.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-13.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-13.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-14
-        additions: 
-          - 
-            position: ending
-            id-ref:   pe-14_smt
-            parts: 
-              - 
-                id:    pe-14_fr
-                name:  item
-                title: PE-14(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         pe-14_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider measures temperature at server inlets and humidity levels by dew point.
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-14.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-14.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-15
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-15_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-15.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-15.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-15.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-15.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-16
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.6
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.7
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.8
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.9
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: pe-17
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-17.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-17.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-17.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-17.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-18.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-18_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-18_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-18_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-3.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-3.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-4_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-6.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: pe-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-6.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-6.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-6.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-8.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-8.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-9_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pl-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: pl-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pl-2.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.9_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: pl-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-4.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   pl-8_smt
-            parts: 
-              - 
-                id:    pl-8_fr
-                name:  item
-                title: PL-8(b) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         pl-8_fr_gdn.b
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-          - 
-            position:   starting
-            id-ref:     pl-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pl-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-8.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ps-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-3.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-3.3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-3.3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-3.3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-4.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.c.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-6.c.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.c.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-7.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ra-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ra-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-3_smt
-            parts: 
-              - 
-                id:    ra-3_fr
-                name:  item
-                title: RA-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
-                  - 
-                    id:         ra-3_fr_smt.d
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: RA-3 (d) Requirement:
-                    prose:      Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-          - 
-            position:   starting
-            id-ref:     ra-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5
-        additions: 
-          - 
-            id-ref: ra-5_smt
-            parts: 
-              - 
-                id:         ra-5_fr_smt.a
-                name:       item
-                title:      RA-5(a) Additional FedRAMP Requirements and Guidance
-                properties: 
-                  - 
-                    name:  label
-                    value: RA-5 (a)Requirement:
-                prose:      An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-              - 
-                id:         ra-5_fr_smt.e
-                name:       item
-                title:      RA-5(e) Additional FedRAMP Requirements and Guidance
-                properties: 
-                  - 
-                    name:  label
-                    value: RA-5 (e)Requirement:
-                prose:      To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-              - 
-                id:    ra-5_fr
-                name:  item
-                title: RA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        
-                                             **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))
-                      """
-          - 
-            position:   starting
-            id-ref:     ra-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.10
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-5.10_smt
-            parts: 
-              - 
-                id:    ra-5.10_fr
-                name:  item
-                title: RA-5 (10) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5.10_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      If multiple tools are not used, this control is not applicable.
-          - 
-            position:   starting
-            id-ref:     ra-5.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-5.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.4_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-5.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.5_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.6
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-5.6_smt
-            parts: 
-              - 
-                id:    ra-5.6_fr
-                name:  item
-                title: RA-5 (6) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5.6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Include in Continuous Monitoring ISSO digest/report to JAB/AO
-          - 
-            position:   starting
-            id-ref:     ra-5.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-5.8_smt
-            parts: 
-              - 
-                id:    ra-5.8_fr
-                name:  item
-                title: RA-5 (8) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5.8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      This enhancement is required for all high vulnerability scan findings.
-                  - 
-                    id:         ra-5.8_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.
-          - 
-            position:   starting
-            id-ref:     ra-5.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: sa-10
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-10_smt
-            parts: 
-              - 
-                id:    sa-10_fr
-                name:  item
-                title: SA-10 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-10_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (e)  Requirement:
-                    prose:      For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.
-          - 
-            position:   starting
-            id-ref:     sa-10.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-10.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-10.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-10.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-10.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-10.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-10.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-10.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-10.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-11.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-11.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-11.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-11.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-11.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-11.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-11.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-11.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-11.1_smt
-            parts: 
-              - 
-                id:    sa-11.1_fr
-                name:  item
-                title: SA-11 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-11.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-          - 
-            position:   starting
-            id-ref:     sa-11.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-11.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-11.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-11.8
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-11.8_smt
-            parts: 
-              - 
-                id:    sa-11.8_fr
-                name:  item
-                title: SA-11 (8) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-11.8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-          - 
-            position:   starting
-            id-ref:     sa-11.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-12.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-15
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-15.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-15.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-15.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-15.b_obj.3.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-15.b_obj.3.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-15.b_obj.3.c
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-15.b_obj.3.d
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: sa-16
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-16_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-16_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: sa-17
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-17.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-17.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-17.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: sa-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-4_smt
-            parts: 
-              - 
-                id:    sa-4_fr
-                name:  item
-                title: SA-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html).
-          - 
-            position:   starting
-            id-ref:     sa-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-4.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-4.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.8
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-4.8_smt
-            parts: 
-              - 
-                id:    sa-4.8_fr
-                name:  item
-                title: SA-4 (8) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-4.8_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      CSP must use the same security standards regardless of where the system component or information system service is acquired.
-          - 
-            position:   starting
-            id-ref:     sa-4.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-4.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.9_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: sa-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.1.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-9.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: sa-9.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.4_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.5_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sc-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: sc-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-10_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-12
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-12_smt
-            parts: 
-              - 
-                id:    sc-12_fr
-                name:  item
-                title: SC-12 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Federally approved and validated cryptography.
-          - 
-            position:   starting
-            id-ref:     sc-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-12.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-12.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-12.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-12.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-12.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-12.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-13
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-13
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-15
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-15_smt
-            parts: 
-              - 
-                id:    sc-15_fr
-                name:  item
-                title: SC-15 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-15_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-          - 
-            position:   starting
-            id-ref:     sc-15.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-15.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-15.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-17
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-17_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-17_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-18.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-18.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-18.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-18.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-18.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-18.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-19
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-19.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-19.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-19.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-19.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-19.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-20
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-20.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-20.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-21
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-22
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-22_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-22_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-23
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-23_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-23.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-23.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-24
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-24_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-24_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-24_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-24_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-24_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-28
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-28_smt
-            parts: 
-              - 
-                id:    sc-28_fr
-                name:  item
-                title: SC-28 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-28_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      The organization supports the capability to use cryptographic mechanisms to protect information at rest.
-          - 
-            position:   starting
-            id-ref:     sc-28.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-28.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-28.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-28.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-28.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-28.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-39
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-39_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-5.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-5.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-6_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-6_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-6_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.12_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.12_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.13
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-7.13_smt
-            parts: 
-              - 
-                id:    sc-7.13_fr
-                name:  item
-                title: SC-7 (13) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-7.13_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
-                  - 
-                    id:         sc-7.13_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.
-          - 
-            position:   starting
-            id-ref:     sc-7.13_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.13_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.18_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.20
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.20_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.20_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.21
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.21_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.21_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.21_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sc-7.4.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.4.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.4.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.4.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.4.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.4.e_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.8_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-8.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: si-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-10_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-11.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-11.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-11.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-12_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-16
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-16_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-16_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-2.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-2.3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: si-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-3.c.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.c.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-3.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-3.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-3.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   si-4_smt
-            parts: 
-              - 
-                id:    si-4_fr
-                name:  item
-                title: SI-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         si-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      See US-CERT Incident Response Reporting Guidelines.
-          - 
-            position:   starting
-            id-ref:     si-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-4.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.b.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.b.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.11_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.14
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.14
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-4.14_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.14_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.14_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.16
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.16_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.18_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.18_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.19
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.19_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.19_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.19_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.20
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.20_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.20_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.22
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.22_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.22_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.22_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.23
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.23_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.23_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.23_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.24
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.24_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-4.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.5
-        additions: 
-          - 
-            position: ending
-            id-ref:   si-4.5_smt
-            parts: 
-              - 
-                id:    si-4.5_fr
-                name:  item
-                title: SI-4 (5) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         si-4.5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      In accordance with the incident response plan.
-          - 
-            position:   starting
-            id-ref:     si-4.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.5_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-5.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-6.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-6.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7_obj.1.c
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-7.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.1_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7.14
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7.14.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.14.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.14.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-7.14.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7.7_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.7_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-8.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-8.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-8.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-8.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-  back-matter: 
-    resources: 
-      - 
-        uuid:       985475ee-d4d6-4581-8fdf-d84d3d8caa48
-        title:      FedRAMP Applicable Laws and Regulations
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-citations
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx
-      - 
-        uuid:       1a23a771-d481-4594-9a1a-71d584fa4123
-        title:      FedRAMP Master Acronym and Glossary
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-acronyms
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf
-      - 
-        uuid:       a2381e87-3d04-4108-a30b-b4d2f36d001f
-        desc:       FedRAMP Logo
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-logo
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png
-      - 
-        uuid:       ad005eae-cc63-4e64-9109-3905a9a825e4
-        title:      NIST Special Publication (SP) 800-53
-        properties: 
-          - 
-            name:  version
-            ns:    https://fedramp.gov/ns/oscal
-            value: Revision 4
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href:       https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml
-            media-type: application/xml
diff --git a/content/fedramp.gov/yaml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.yaml b/content/fedramp.gov/yaml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.yaml
deleted file mode 100644
index 7ed3043660..0000000000
--- a/content/fedramp.gov/yaml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.yaml
+++ /dev/null
@@ -1,34573 +0,0 @@
-catalog: 
-  uuid:        7ec7633b-cbd4-4e1d-9015-e5b3d44c2550
-  metadata: 
-    title:               FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline
-    published:           2020-02-02T00:00:00.000-05:00
-    last-modified:       2020-06-01T10:00:00.000-05:00
-    version:             1.2
-    oscal-version:       1.0.0-milestone3
-    properties: 
-      - 
-        name:  resolution-timestamp
-        value: 2020-08-31T17:38:37.186738Z
-    links: 
-      - 
-        href: FedRAMP_LI-SaaS-baseline_profile.xml
-        rel:  resolution-source
-        text: FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline
-    roles: 
-      - 
-        id:    parpared-by
-        title: Document creator
-      - 
-        id:         fedramp-pmo
-        title:      The FedRAMP Program Management Office (PMO)
-        short-name: CSP
-      - 
-        id:         fedramp-jab
-        title:      The FedRAMP Joint Authorization Board (JAB)
-        short-name: CSP
-    parties: 
-      - 
-        uuid:            8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
-        type:            organization
-        party-name:      Federal Risk and Authorization Management Program: Program Management Office
-        short-name:      FedRAMP PMO
-        links: 
-          - 
-            href: https://fedramp.gov
-            rel:  homepage
-            text: 
-        addresses: 
-          - 
-            type:           work
-            postal-address: 1800 F St. NW,
-            city:           Washington
-            state:          DC
-            postal-code:    
-            country:        US
-        email-addresses: info@fedramp.gov
-      - 
-        uuid:       ca9ba80e-1342-4bfd-b32a-abac468c24b4
-        type:       organization
-        party-name: Federal Risk and Authorization Management Program: Joint Authorization Board
-        short-name: FedRAMP JAB
-    responsible-parties: 
-      prepared-by: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-pmo: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-jab: 
-        party-uuids: ca9ba80e-1342-4bfd-b32a-abac468c24b4
-  groups: 
-    - 
-      id:       ac
-      class:    family
-      title:    Access Control
-      controls: 
-        - 
-          id:         ac-1
-          class:      SP800-53
-          title:      Access Control Policy and Procedures
-          parameters: 
-            - 
-              id:    ac-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ac-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    ac-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: AC-1
-            - 
-              name:  sort-id
-              value: ac-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ac-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ac-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ac-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An access control policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ac-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the access control policy and
-                                               associated access controls; and
-                        """
-                - 
-                  id:         ac-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ac-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Access control policy {{ ac-1_prm_2 }}; and
-                    - 
-                      id:         ac-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Access control procedures {{ ac-1_prm_3 }}.
-            - 
-              id:    ac-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AC
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ac-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-1(a)
-                  parts: 
-                    - 
-                      id:         ac-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ac-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[1]
-                          prose:      develops and documents an access control policy that addresses:
-                          parts: 
-                            - 
-                              id:         ac-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ac-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ac-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ac-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ac-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ac-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ac-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ac-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the access control policy are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ac-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the access control policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         ac-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ac-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      access control policy and associated access control controls;
-                            """
-                        - 
-                          id:         ac-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ac-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ac-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-1(b)
-                  parts: 
-                    - 
-                      id:         ac-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ac-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current access control
-                                                      policy;
-                            """
-                        - 
-                          id:         ac-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current access control policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ac-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ac-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current access control
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ac-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current access control procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ac-2
-          class:      SP800-53
-          title:      Account Management
-          parameters: 
-            - 
-              id:    ac-2_prm_1
-              label: organization-defined information system account types
-            - 
-              id:    ac-2_prm_2
-              label: organization-defined personnel or roles
-            - 
-              id:    ac-2_prm_3
-              label: organization-defined procedures or conditions
-            - 
-              id:    ac-2_prm_4
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: AC-2
-            - 
-              name:  sort-id
-              value: ac-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          parts: 
-            - 
-              id:    ac-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifies and selects the following types of information system accounts to
-                                        support organizational missions/business functions: {{ ac-2_prm_1 }};
-                    """
-                - 
-                  id:         ac-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Creates, enables, modifies, disables, and removes information system accounts in
-                                        accordance with {{ ac-2_prm_3 }};
-                    """
-                - 
-                  id:         ac-2_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Monitors the use of information system accounts;
-                - 
-                  id:         ac-2_smt.h
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: h.
-                  prose:      Notifies account managers:
-                  parts: 
-                    - 
-                      id:         ac-2_smt.h.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      When accounts are no longer required;
-                    - 
-                      id:         ac-2_smt.h.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      When users are terminated or transferred; and
-                    - 
-                      id:         ac-2_smt.h.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      When individual information system usage or need-to-know changes;
-            - 
-              id:    ac-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system account types include, for example, individual, shared, group,
-                                 system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-                                 service. Some of the account management requirements listed above can be implemented
-                                 by organizational information systems. The identification of authorized users of the
-                                 information system and the specification of access privileges reflects the
-                                 requirements in other security controls in the security plan. Users requiring
-                                 administrative privileges on information system accounts receive additional scrutiny
-                                 by appropriate organizational personnel (e.g., system owner, mission/business owner,
-                                 or chief information security officer) responsible for approving such accounts and
-                                 privileged access. Organizations may choose to define access privileges or other
-                                 attributes by account, by type of account, or a combination of both. Other attributes
-                                 required for authorizing access include, for example, restrictions on time-of-day,
-                                 day-of-week, and point-of-origin. In defining other account attributes, organizations
-                                 consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-                                 and mission/business requirements, (e.g., time zone differences, customer
-                                 requirements, remote access to support travel requirements). Failure to consider
-                                 these factors could affect information system availability. Temporary and emergency
-                                 accounts are accounts intended for short-term use. Organizations establish temporary
-                                 accounts as a part of normal account activation procedures when there is a need for
-                                 short-term accounts without the demand for immediacy in account activation.
-                                 Organizations establish emergency accounts in response to crisis situations and with
-                                 the need for rapid account activation. Therefore, emergency account activation may
-                                 bypass normal account authorization processes. Emergency and temporary accounts are
-                                 not to be confused with infrequently used accounts (e.g., local logon accounts used
-                                 for special tasks defined by organizations or when network resources are
-                                 unavailable). Such accounts remain available and are not subject to automatic
-                                 disabling or removal dates. Conditions for disabling or deactivating accounts
-                                 include, for example: (i) when shared/group, emergency, or temporary accounts are no
-                                 longer required; or (ii) when individuals are transferred or terminated. Some types
-                                 of information system accounts may require specialized training.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-10
-                  rel:  related
-                  text: AC-10
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    ac-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(a)
-                  parts: 
-                    - 
-                      id:         ac-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(a)[1]
-                      prose: 
-                        """
-                          defines information system account types to be identified and selected to
-                                               support organizational missions/business functions;
-                        """
-                    - 
-                      id:         ac-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(a)[2]
-                      prose: 
-                        """
-                          identifies and selects organization-defined information system account types to
-                                               support organizational missions/business functions;
-                        """
-                - 
-                  id:         ac-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(b)
-                  prose:      assigns account managers for information system accounts;
-                - 
-                  id:         ac-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(c)
-                  prose:      establishes conditions for group and role membership;
-                - 
-                  id:         ac-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(d)
-                  prose:      specifies for each account (as required):
-                  parts: 
-                    - 
-                      id:         ac-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[1]
-                      prose:      authorized users of the information system;
-                    - 
-                      id:         ac-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[2]
-                      prose:      group and role membership;
-                    - 
-                      id:         ac-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[3]
-                      prose:      access authorizations (i.e., privileges);
-                    - 
-                      id:         ac-2.d_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[4]
-                      prose:      other attributes;
-                - 
-                  id:         ac-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(e)
-                  parts: 
-                    - 
-                      id:         ac-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(e)[1]
-                      prose: 
-                        """
-                          defines personnel or roles required to approve requests to create information
-                                               system accounts;
-                        """
-                    - 
-                      id:         ac-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(e)[2]
-                      prose: 
-                        """
-                          requires approvals by organization-defined personnel or roles for requests to
-                                               create information system accounts;
-                        """
-                - 
-                  id:         ac-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(f)
-                  parts: 
-                    - 
-                      id:         ac-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(f)[1]
-                      prose:      defines procedures or conditions to:
-                      parts: 
-                        - 
-                          id:         ac-2.f_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][a]
-                          prose:      create information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][b]
-                          prose:      enable information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][c]
-                          prose:      modify information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][d]
-                          prose:      disable information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][e]
-                          prose:      remove information system accounts;
-                    - 
-                      id:         ac-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(f)[2]
-                      prose:      in accordance with organization-defined procedures or conditions:
-                      parts: 
-                        - 
-                          id:         ac-2.f_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][a]
-                          prose:      creates information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][b]
-                          prose:      enables information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][c]
-                          prose:      modifies information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][d]
-                          prose:      disables information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][e]
-                          prose:      removes information system accounts;
-                - 
-                  id:         ac-2.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(g)
-                  prose:      monitors the use of information system accounts;
-                - 
-                  id:         ac-2.h_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(h)
-                  prose:      notifies account managers:
-                  parts: 
-                    - 
-                      id:         ac-2.h.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(1)
-                      prose:      when accounts are no longer required;
-                    - 
-                      id:         ac-2.h.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(2)
-                      prose:      when users are terminated or transferred;
-                    - 
-                      id:         ac-2.h.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(3)
-                      prose:      when individual information system usage or need to know changes;
-                - 
-                  id:         ac-2.i_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(i)
-                  prose:      authorizes access to the information system based on;
-                  parts: 
-                    - 
-                      id:         ac-2.i.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(1)
-                      prose:      a valid access authorization;
-                    - 
-                      id:         ac-2.i.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(2)
-                      prose:      intended system usage;
-                    - 
-                      id:         ac-2.i.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(3)
-                      prose: 
-                        """
-                          other attributes as required by the organization or associated
-                                               missions/business functions;
-                        """
-                - 
-                  id:         ac-2.j_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(j)
-                  parts: 
-                    - 
-                      id:         ac-2.j_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(j)[1]
-                      prose: 
-                        """
-                          defines the frequency to review accounts for compliance with account management
-                                               requirements;
-                        """
-                    - 
-                      id:         ac-2.j_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(j)[2]
-                      prose: 
-                        """
-                          reviews accounts for compliance with account management requirements with the
-                                               organization-defined frequency; and
-                        """
-                - 
-                  id:         ac-2.k_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(k)
-                  prose: 
-                    """
-                      establishes a process for reissuing shared/group account credentials (if deployed)
-                                        when individuals are removed from the group.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated
-                                        with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated
-                                        employees\n\nlist of recently disabled information system accounts along with the name of the
-                                        individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management
-            - 
-              id:    ac-2_fr
-              name:  item
-              title: AC-2 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         ac-2_fr_gdn.1
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose: 
-                    """
-                      Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored
-                                           for LI-SaaS.
-                    """
-        - 
-          id:         ac-3
-          class:      SP800-53
-          title:      Access Enforcement
-          properties: 
-            - 
-              name:  label
-              value: AC-3
-            - 
-              name:  sort-id
-              value: ac-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          parts: 
-            - 
-              id:    ac-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system enforces approved authorizations for logical access to
-                                 information and system resources in accordance with applicable access control
-                                 policies.
-                """
-            - 
-              id:    ac-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Access control policies (e.g., identity-based policies, role-based policies, control
-                                 matrices, cryptography) control access between active entities or subjects (i.e.,
-                                 users or processes acting on behalf of users) and passive entities or objects (e.g.,
-                                 devices, files, records, domains) in information systems. In addition to enforcing
-                                 authorized access at the information system level and recognizing that information
-                                 systems can host many applications and services in support of organizational missions
-                                 and business operations, access enforcement mechanisms can also be employed at the
-                                 application and service level to provide increased information security.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-                - 
-                  href: #ac-22
-                  rel:  related
-                  text: AC-22
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-            - 
-              id:    ac-3_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system enforces approved authorizations for logical
-                                 access to information and system resources in accordance with applicable access
-                                 control policies.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing access control policy
-        - 
-          id:         ac-7
-          class:      SP800-53
-          title:      Unsuccessful Logon Attempts
-          parameters: 
-            - 
-              id:    ac-7_prm_1
-              label: organization-defined number
-            - 
-              id:    ac-7_prm_2
-              label: organization-defined time period
-            - 
-              id: ac-7_prm_3
-            - 
-              id:         ac-7_prm_4
-              depends-on: ac-7_prm_3
-              label:      organization-defined time period
-            - 
-              id:         ac-7_prm_5
-              depends-on: ac-7_prm_3
-              label:      organization-defined delay algorithm
-          properties: 
-            - 
-              name:  label
-              value: AC-7
-            - 
-              name:  sort-id
-              value: ac-07
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    ac-7_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon
-                                        attempts by a user during a {{ ac-7_prm_2 }}; and
-                    """
-                - 
-                  id:         ac-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Automatically {{ ac-7_prm_3 }} when the maximum number of
-                                        unsuccessful attempts is exceeded.
-                    """
-            - 
-              id:    ac-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies regardless of whether the logon occurs via a local or network
-                                 connection. Due to the potential for denial of service, automatic lockouts initiated
-                                 by information systems are usually temporary and automatically release after a
-                                 predetermined time period established by organizations. If a delay algorithm is
-                                 selected, organizations may choose to employ different algorithms for different
-                                 information system components based on the capabilities of those components.
-                                 Responses to unsuccessful logon attempts may be implemented at both the operating
-                                 system and the application levels.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-9
-                  rel:  related
-                  text: AC-9
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-            - 
-              id:    ac-7_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         ac-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-7(a)
-                  parts: 
-                    - 
-                      id:         ac-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-7(a)[1]
-                      prose: 
-                        """
-                          the organization defines the number of consecutive invalid logon attempts
-                                               allowed to the information system by a user during an organization-defined time
-                                               period;
-                        """
-                    - 
-                      id:         ac-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-7(a)[2]
-                      prose: 
-                        """
-                          the organization defines the time period allowed by a user of the information
-                                               system for an organization-defined number of consecutive invalid logon
-                                               attempts;
-                        """
-                    - 
-                      id:         ac-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-7(a)[3]
-                      prose: 
-                        """
-                          the information system enforces a limit of organization-defined number of
-                                               consecutive invalid logon attempts by a user during an organization-defined
-                                               time period;
-                        """
-                - 
-                  id:         ac-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-7(b)
-                  parts: 
-                    - 
-                      id:         ac-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-7(b)[1]
-                      prose: 
-                        """
-                          the organization defines account/node lockout time period or logon delay
-                                               algorithm to be automatically enforced by the information system when the
-                                               maximum number of unsuccessful logon attempts is exceeded;
-                        """
-                    - 
-                      id:         ac-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-7(b)[2]
-                      prose: 
-                        """
-                          the information system, when the maximum number of unsuccessful logon attempts
-                                               is exceeded, automatically:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-7.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][a]
-                          prose:      locks the account/node for the organization-defined time period;
-                        - 
-                          id:         ac-7.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][b]
-                          prose:      locks the account/node until released by an administrator; or
-                        - 
-                          id:         ac-7.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][c]
-                          prose: 
-                            """
-                              delays next logon prompt according to the organization-defined delay
-                                                      algorithm.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing access control policy for unsuccessful logon
-                                        attempts
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO for non-privileged users. Attestation for privileged users related to
-                                    multi-factor identification and authentication.
-                """
-        - 
-          id:         ac-8
-          class:      SP800-53
-          title:      System Use Notification
-          parameters: 
-            - 
-              id:    ac-8_prm_1
-              label: organization-defined system use notification message or banner
-            - 
-              id:    ac-8_prm_2
-              label: organization-defined conditions
-          properties: 
-            - 
-              name:  label
-              value: AC-8
-            - 
-              name:  sort-id
-              value: ac-08
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: FED
-          parts: 
-            - 
-              id:    ac-8_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Displays to users {{ ac-8_prm_1 }} before granting access to the
-                                        system that provides privacy and security notices consistent with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance and states that:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Users are accessing a U.S. Government information system;
-                    - 
-                      id:         ac-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Information system usage may be monitored, recorded, and subject to audit;
-                    - 
-                      id:         ac-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Unauthorized use of the information system is prohibited and subject to
-                                               criminal and civil penalties; and
-                        """
-                    - 
-                      id:         ac-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Use of the information system indicates consent to monitoring and
-                                               recording;
-                        """
-                - 
-                  id:         ac-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Retains the notification message or banner on the screen until users acknowledge
-                                        the usage conditions and take explicit actions to log on to or further access the
-                                        information system; and
-                    """
-                - 
-                  id:         ac-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      For publicly accessible systems:
-                  parts: 
-                    - 
-                      id:         ac-8_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Displays system use information {{ ac-8_prm_2 }}, before
-                                               granting further access;
-                        """
-                    - 
-                      id:         ac-8_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Displays references, if any, to monitoring, recording, or auditing that are
-                                               consistent with privacy accommodations for such systems that generally prohibit
-                                               those activities; and
-                        """
-                    - 
-                      id:         ac-8_smt.c.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      Includes a description of the authorized uses of the system.
-            - 
-              id:    ac-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  System use notifications can be implemented using messages or warning banners
-                                 displayed before individuals log in to information systems. System use notifications
-                                 are used only for access via logon interfaces with human users and are not required
-                                 when such human interfaces do not exist. Organizations consider system use
-                                 notification messages/banners displayed in multiple languages based on specific
-                                 organizational needs and the demographics of information system users. Organizations
-                                 also consult with the Office of the General Counsel for legal review and approval of
-                                 warning banner content.
-                """
-            - 
-              id:    ac-8_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(a)
-                  parts: 
-                    - 
-                      id:         ac-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-8(a)[1]
-                      prose: 
-                        """
-                          the organization defines a system use notification message or banner to be
-                                               displayed by the information system to users before granting access to the
-                                               system;
-                        """
-                    - 
-                      id:         ac-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-8(a)[2]
-                      prose: 
-                        """
-                          the information system displays to users the organization-defined system use
-                                               notification message or banner before granting access to the information system
-                                               that provides privacy and security notices consistent with applicable federal
-                                               laws, Executive Orders, directives, policies, regulations, standards, and
-                                               guidance, and states that:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-8.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](1)
-                          prose:      users are accessing a U.S. Government information system;
-                        - 
-                          id:         ac-8.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](2)
-                          prose: 
-                            """
-                              information system usage may be monitored, recorded, and subject to
-                                                      audit;
-                            """
-                        - 
-                          id:         ac-8.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](3)
-                          prose: 
-                            """
-                              unauthorized use of the information system is prohibited and subject to
-                                                      criminal and civil penalties;
-                            """
-                        - 
-                          id:         ac-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](4)
-                          prose: 
-                            """
-                              use of the information system indicates consent to monitoring and
-                                                      recording;
-                            """
-                - 
-                  id:         ac-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(b)
-                  prose: 
-                    """
-                      the information system retains the notification message or banner on the screen
-                                        until users acknowledge the usage conditions and take explicit actions to log on
-                                        to or further access the information system;
-                    """
-                - 
-                  id:         ac-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(c)
-                  prose:      for publicly accessible systems:
-                  parts: 
-                    - 
-                      id:         ac-8.c.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-8(c)(1)
-                      parts: 
-                        - 
-                          id:         ac-8.c.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(c)(1)[1]
-                          prose: 
-                            """
-                              the organization defines conditions for system use to be displayed by the
-                                                      information system before granting further access;
-                            """
-                        - 
-                          id:         ac-8.c.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(c)(1)[2]
-                          prose: 
-                            """
-                              the information system displays organization-defined conditions before
-                                                      granting further access;
-                            """
-                    - 
-                      id:         ac-8.c.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-8(c)(2)
-                      prose: 
-                        """
-                          the information system displays references, if any, to monitoring, recording,
-                                               or auditing that are consistent with privacy accommodations for such systems
-                                               that generally prohibit those activities; and
-                        """
-                    - 
-                      id:         ac-8.c.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-8(c)(3)
-                      prose: 
-                        """
-                          the information system includes a description of the authorized uses of the
-                                               system.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing system use notification
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: FED - This is related to agency data and agency policy solution.
-        - 
-          id:         ac-14
-          class:      SP800-53
-          title:      Permitted Actions Without Identification or Authentication
-          parameters: 
-            - 
-              id:    ac-14_prm_1
-              label: organization-defined user actions
-          properties: 
-            - 
-              name:  label
-              value: AC-14
-            - 
-              name:  sort-id
-              value: ac-14
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: FED
-          parts: 
-            - 
-              id:    ac-14_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-14_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifies {{ ac-14_prm_1 }} that can be performed on the
-                                        information system without identification or authentication consistent with
-                                        organizational missions/business functions; and
-                    """
-                - 
-                  id:         ac-14_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents and provides supporting rationale in the security plan for the
-                                        information system, user actions not requiring identification or
-                                        authentication.
-                    """
-            - 
-              id:    ac-14_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses situations in which organizations determine that no
-                                 identification or authentication is required in organizational information systems.
-                                 Organizations may allow a limited number of user actions without identification or
-                                 authentication including, for example, when individuals access public websites or
-                                 other publicly accessible federal information systems, when individuals use mobile
-                                 phones to receive calls, or when facsimiles are received. Organizations also identify
-                                 actions that normally require identification or authentication but may under certain
-                                 circumstances (e.g., emergencies), allow identification or authentication mechanisms
-                                 to be bypassed. Such bypasses may occur, for example, via a software-readable
-                                 physical switch that commands bypass of the logon functionality and is protected from
-                                 accidental or unmonitored use. This control does not apply to situations where
-                                 identification and authentication have already occurred and are not repeated, but
-                                 rather to situations where identification and authentication have not yet occurred.
-                                 Organizations may decide that there are no user actions that can be performed on
-                                 organizational information systems without identification and authentication and
-                                 thus, the values for assignment statements can be none.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-            - 
-              id:    ac-14_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-14.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-14(a)
-                  parts: 
-                    - 
-                      id:         ac-14.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-14(a)[1]
-                      prose: 
-                        """
-                          defines user actions that can be performed on the information system without
-                                               identification or authentication consistent with organizational
-                                               missions/business functions;
-                        """
-                    - 
-                      id:         ac-14.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-14(a)[2]
-                      prose: 
-                        """
-                          identifies organization-defined user actions that can be performed on the
-                                               information system without identification or authentication consistent with
-                                               organizational missions/business functions; and
-                        """
-                - 
-                  id:         ac-14.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-14(b)
-                  prose: 
-                    """
-                      documents and provides supporting rationale in the security plan for the
-                                        information system, user actions not requiring identification or
-                                        authentication.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing permitted actions without identification or
-                                        authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or
-                                        authentication\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: FED - This is related to agency data and agency policy solution.
-        - 
-          id:         ac-17
-          class:      SP800-53
-          title:      Remote Access
-          properties: 
-            - 
-              name:  label
-              value: AC-17
-            - 
-              name:  sort-id
-              value: ac-17
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #5309d4d0-46f8-4213-a749-e7584164e5e8
-              rel:  reference
-              text: NIST Special Publication 800-46
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-            - 
-              href: #349fe082-502d-464a-aa0c-1443c6a5cf40
-              rel:  reference
-              text: NIST Special Publication 800-113
-            - 
-              href: #1201fcf3-afb1-4675-915a-fb4ae0435717
-              rel:  reference
-              text: NIST Special Publication 800-114
-            - 
-              href: #d1a4e2a9-e512-4132-8795-5357aba29254
-              rel:  reference
-              text: NIST Special Publication 800-121
-          parts: 
-            - 
-              id:    ac-17_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-17_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and documents usage restrictions, configuration/connection
-                                        requirements, and implementation guidance for each type of remote access allowed;
-                                        and
-                    """
-                - 
-                  id:         ac-17_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes remote access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              id:    ac-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  Remote access is access to organizational information systems by users (or processes
-                                 acting on behalf of users) communicating through external networks (e.g., the
-                                 Internet). Remote access methods include, for example, dial-up, broadband, and
-                                 wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-                                 enhance confidentiality and integrity over remote connections. The use of encrypted
-                                 VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-                                 provisioned with appropriate security controls (e.g., employing appropriate
-                                 encryption techniques for confidentiality and integrity protection) may provide
-                                 sufficient assurance to the organization that it can effectively treat such
-                                 connections as internal networks. Still, VPN connections traverse external networks,
-                                 and the encrypted VPN does not enhance the availability of remote connections. Also,
-                                 VPNs with encrypted tunnels can affect the organizational capability to adequately
-                                 monitor network communications traffic for malicious code. Remote access controls
-                                 apply to information systems other than public web servers or systems designed for
-                                 public access. This control addresses authorization prior to allowing remote access
-                                 without specifying the formats for such authorization. While organizations may use
-                                 interconnection security agreements to authorize remote access connections, such
-                                 agreements are not required by this control. Enforcing access restrictions for remote
-                                 connections is addressed in AC-3.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #pe-17
-                  rel:  related
-                  text: PE-17
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-17_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-17.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-17(a)
-                  parts: 
-                    - 
-                      id:         ac-17.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-17(a)[1]
-                      prose:      identifies the types of remote access allowed to the information system;
-                    - 
-                      id:         ac-17.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-17(a)[2]
-                      prose:      establishes for each type of remote access allowed:
-                      parts: 
-                        - 
-                          id:         ac-17.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][a]
-                          prose:      usage restrictions;
-                        - 
-                          id:         ac-17.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][b]
-                          prose:      configuration/connection requirements;
-                        - 
-                          id:         ac-17.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][c]
-                          prose:      implementation guidance;
-                    - 
-                      id:         ac-17.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-17(a)[3]
-                      prose:      documents for each type of remote access allowed:
-                      parts: 
-                        - 
-                          id:         ac-17.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][a]
-                          prose:      usage restrictions;
-                        - 
-                          id:         ac-17.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][b]
-                          prose:      configuration/connection requirements;
-                        - 
-                          id:         ac-17.a_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][c]
-                          prose:      implementation guidance; and
-                - 
-                  id:         ac-17.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-17(b)
-                  prose: 
-                    """
-                      authorizes remote access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing remote access implementation and usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing remote access
-                                        connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Remote access management capability for the information system
-        - 
-          id:         ac-18
-          class:      SP800-53
-          title:      Wireless Access
-          properties: 
-            - 
-              name:  label
-              value: AC-18
-            - 
-              name:  sort-id
-              value: ac-18
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          links: 
-            - 
-              href: #238ed479-eccb-49f6-82ec-ab74a7a428cf
-              rel:  reference
-              text: NIST Special Publication 800-48
-            - 
-              href: #d1b1d689-0f66-4474-9924-c81119758dc1
-              rel:  reference
-              text: NIST Special Publication 800-94
-            - 
-              href: #6f336ecd-f2a0-4c84-9699-0491d81b6e0d
-              rel:  reference
-              text: NIST Special Publication 800-97
-          parts: 
-            - 
-              id:    ac-18_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-18_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions, configuration/connection requirements, and
-                                        implementation guidance for wireless access; and
-                    """
-                - 
-                  id:         ac-18_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes wireless access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              id:    ac-18_gdn
-              name:  guidance
-              prose: 
-                """
-                  Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-                                 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-                                 EAP/TLS, PEAP), which provide credential protection and mutual authentication.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-18_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-18.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-18(a)
-                  prose:      establishes for wireless access:
-                  parts: 
-                    - 
-                      id:         ac-18.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[1]
-                      prose:      usage restrictions;
-                    - 
-                      id:         ac-18.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[2]
-                      prose:      configuration/connection requirement;
-                    - 
-                      id:         ac-18.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[3]
-                      prose:      implementation guidance; and
-                - 
-                  id:         ac-18.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-18(b)
-                  prose: 
-                    """
-                      authorizes wireless access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing wireless access implementation and usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing wireless access
-                                        connections\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Wireless access management capability for the information system
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - All access to Cloud SaaS are via web services and/or API. The device
-                                    accessed from or whether via wired or wireless connection is out of scope.
-                                    Regardless of device accessed from, must utilize approved remote access methods
-                                    (AC-17), secure communication with strong encryption (SC-13), key management
-                                    (SC-12), and multi-factor authentication for privileged access (IA-2[1]).
-                """
-        - 
-          id:         ac-19
-          class:      SP800-53
-          title:      Access Control for Mobile Devices
-          properties: 
-            - 
-              name:  label
-              value: AC-19
-            - 
-              name:  sort-id
-              value: ac-19
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          links: 
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-            - 
-              href: #1201fcf3-afb1-4675-915a-fb4ae0435717
-              rel:  reference
-              text: NIST Special Publication 800-114
-            - 
-              href: #0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589
-              rel:  reference
-              text: NIST Special Publication 800-124
-            - 
-              href: #6513e480-fada-4876-abba-1397084dfb26
-              rel:  reference
-              text: NIST Special Publication 800-164
-          parts: 
-            - 
-              id:    ac-19_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-19_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions, configuration requirements, connection
-                                        requirements, and implementation guidance for organization-controlled mobile
-                                        devices; and
-                    """
-                - 
-                  id:         ac-19_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes the connection of mobile devices to organizational information
-                                        systems.
-                    """
-            - 
-              id:    ac-19_gdn
-              name:  guidance
-              prose: 
-                """
-                  A mobile device is a computing device that: (i) has a small form factor such that it
-                                 can easily be carried by a single individual; (ii) is designed to operate without a
-                                 physical connection (e.g., wirelessly transmit or receive information); (iii)
-                                 possesses local, non-removable or removable data storage; and (iv) includes a
-                                 self-contained power source. Mobile devices may also include voice communication
-                                 capabilities, on-board sensors that allow the device to capture information, and/or
-                                 built-in features for synchronizing local data with remote locations. Examples
-                                 include smart phones, E-readers, and tablets. Mobile devices are typically associated
-                                 with a single individual and the device is usually in close proximity to the
-                                 individual; however, the degree of proximity can vary depending upon on the form
-                                 factor and size of the device. The processing, storage, and transmission capability
-                                 of the mobile device may be comparable to or merely a subset of desktop systems,
-                                 depending upon the nature and intended purpose of the device. Due to the large
-                                 variety of mobile devices with different technical characteristics and capabilities,
-                                 organizational restrictions may vary for the different classes/types of such devices.
-                                 Usage restrictions and specific implementation guidance for mobile devices include,
-                                 for example, configuration management, device identification and authentication,
-                                 implementation of mandatory protective software (e.g., malicious code detection,
-                                 firewall), scanning devices for malicious code, updating virus protection software,
-                                 scanning for critical software updates and patches, conducting primary operating
-                                 system (and possibly other resident software) integrity checks, and disabling
-                                 unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-                                 need to provide adequate security for mobile devices goes beyond the requirements in
-                                 this control. Many safeguards and countermeasures for mobile devices are reflected in
-                                 other security controls in the catalog allocated in the initial control baselines as
-                                 starting points for the development of security plans and overlays using the
-                                 tailoring process. There may also be some degree of overlap in the requirements
-                                 articulated by the security controls within the different families of controls. AC-20
-                                 addresses mobile devices that are not organization-controlled.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-9
-                  rel:  related
-                  text: CA-9
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-43
-                  rel:  related
-                  text: SC-43
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-19_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-19.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-19(a)
-                  prose:      establishes for organization-controlled mobile devices:
-                  parts: 
-                    - 
-                      id:         ac-19.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[1]
-                      prose:      usage restrictions;
-                    - 
-                      id:         ac-19.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[2]
-                      prose:      configuration/connection requirement;
-                    - 
-                      id:         ac-19.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[3]
-                      prose:      implementation guidance; and
-                - 
-                  id:         ac-19.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-19(b)
-                  prose: 
-                    """
-                      authorizes the connection of mobile devices to organizational information
-                                        systems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing access control for mobile device usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information
-                                        systems\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel using mobile devices to access organizational information
-                                        systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control capability authorizing mobile device connections to organizational
-                                        information systems
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - All access to Cloud SaaS are via web service and/or API. The device accessed
-                                    from is out of the scope. Regardless of device accessed from, must utilize
-                                    approved remote access methods (AC-17), secure communication with strong
-                                    encryption (SC-13), key management (SC-12), and multi-factor authentication for
-                                    privileged access (IA-2 [1]).
-                """
-        - 
-          id:         ac-20
-          class:      SP800-53
-          title:      Use of External Information Systems
-          properties: 
-            - 
-              name:  label
-              value: AC-20
-            - 
-              name:  sort-id
-              value: ac-20
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-          parts: 
-            - 
-              id:    ac-20_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes terms and conditions, consistent with any trust
-                                 relationships established with other organizations owning, operating, and/or
-                                 maintaining external information systems, allowing authorized individuals to:
-                """
-              parts: 
-                - 
-                  id:         ac-20_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Access the information system from external information systems; and
-                - 
-                  id:         ac-20_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Process, store, or transmit organization-controlled information using external
-                                        information systems.
-                    """
-            - 
-              id:    ac-20_gdn
-              name:  guidance
-              prose: 
-                """
-                  External information systems are information systems or components of information
-                                 systems that are outside of the authorization boundary established by organizations
-                                 and for which organizations typically have no direct supervision and authority over
-                                 the application of required security controls or the assessment of control
-                                 effectiveness. External information systems include, for example: (i) personally
-                                 owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-                                 personal digital assistants); (ii) privately owned computing and communications
-                                 devices resident in commercial or public facilities (e.g., hotels, train stations,
-                                 convention centers, shopping malls, or airports); (iii) information systems owned or
-                                 controlled by nonfederal governmental organizations; and (iv) federal information
-                                 systems that are not owned by, operated by, or under the direct supervision and
-                                 authority of organizations. This control also addresses the use of external
-                                 information systems for the processing, storage, or transmission of organizational
-                                 information, including, for example, accessing cloud services (e.g., infrastructure
-                                 as a service, platform as a service, or software as a service) from organizational
-                                 information systems. For some external information systems (i.e., information systems
-                                 operated by other federal agencies, including organizations subordinate to those
-                                 agencies), the trust relationships that have been established between those
-                                 organizations and the originating organization may be such, that no explicit terms
-                                 and conditions are required. Information systems within these organizations would not
-                                 be considered external. These situations occur when, for example, there are
-                                 pre-existing sharing/trust agreements (either implicit or explicit) established
-                                 between federal agencies or organizations subordinate to those agencies, or when such
-                                 trust agreements are specified by applicable laws, Executive Orders, directives, or
-                                 policies. Authorized individuals include, for example, organizational personnel,
-                                 contractors, or other individuals with authorized access to organizational
-                                 information systems and over which organizations have the authority to impose rules
-                                 of behavior with regard to system access. Restrictions that organizations impose on
-                                 authorized individuals need not be uniform, as those restrictions may vary depending
-                                 upon the trust relationships between organizations. Therefore, organizations may
-                                 choose to impose different security restrictions on contractors than on state, local,
-                                 or tribal governments. This control does not apply to the use of external information
-                                 systems to access public interfaces to organizational information systems (e.g.,
-                                 individuals accessing federal information through www.usa.gov). Organizations
-                                 establish terms and conditions for the use of external information systems in
-                                 accordance with organizational security policies and procedures. Terms and conditions
-                                 address as a minimum: types of applications that can be accessed on organizational
-                                 information systems from external information systems; and the highest security
-                                 category of information that can be processed, stored, or transmitted on external
-                                 information systems. If terms and conditions with the owners of external information
-                                 systems cannot be established, organizations may impose restrictions on
-                                 organizational personnel using those external systems.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-            - 
-              id:    ac-20_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization establishes terms and conditions, consistent with any
-                                 trust relationships established with other organizations owning, operating, and/or
-                                 maintaining external information systems, allowing authorized individuals to: 
-                """
-              parts: 
-                - 
-                  id:         ac-20.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-20(a)
-                  prose:      access the information system from the external information systems; and
-                - 
-                  id:         ac-20.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-20(b)
-                  prose: 
-                    """
-                      process, store, or transmit organization-controlled information using external
-                                        information systems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted
-                                        on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for defining terms and conditions
-                                        for use of external information systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing terms and conditions on use of external
-                                        information systems
-                    """
-        - 
-          id:         ac-22
-          class:      SP800-53
-          title:      Publicly Accessible Content
-          parameters: 
-            - 
-              id:          ac-22_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least quarterly
-          properties: 
-            - 
-              name:  label
-              value: AC-22
-            - 
-              name:  sort-id
-              value: ac-22
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          parts: 
-            - 
-              id:    ac-22_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-22_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Designates individuals authorized to post information onto a publicly accessible
-                                        information system;
-                    """
-                - 
-                  id:         ac-22_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Trains authorized individuals to ensure that publicly accessible information does
-                                        not contain nonpublic information;
-                    """
-                - 
-                  id:         ac-22_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Reviews the proposed content of information prior to posting onto the publicly
-                                        accessible information system to ensure that nonpublic information is not
-                                        included; and
-                    """
-                - 
-                  id:         ac-22_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Reviews the content on the publicly accessible information system for nonpublic
-                                        information {{ ac-22_prm_1 }} and removes such information, if
-                                        discovered.
-                    """
-            - 
-              id:    ac-22_gdn
-              name:  guidance
-              prose: 
-                """
-                  In accordance with federal laws, Executive Orders, directives, policies, regulations,
-                                 standards, and/or guidance, the general public is not authorized access to nonpublic
-                                 information (e.g., information protected under the Privacy Act and proprietary
-                                 information). This control addresses information systems that are controlled by the
-                                 organization and accessible to the general public, typically without identification
-                                 or authentication. The posting of information on non-organization information systems
-                                 is covered by organizational policy.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #au-13
-                  rel:  related
-                  text: AU-13
-            - 
-              id:    ac-22_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ac-22.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-22(a)
-                  prose: 
-                    """
-                      designates individuals authorized to post information onto a publicly accessible
-                                        information system;
-                    """
-                - 
-                  id:         ac-22.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-22(b)
-                  prose: 
-                    """
-                      trains authorized individuals to ensure that publicly accessible information does
-                                        not contain nonpublic information;
-                    """
-                - 
-                  id:         ac-22.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-22(c)
-                  prose: 
-                    """
-                      reviews the proposed content of information prior to posting onto the publicly
-                                        accessible information system to ensure that nonpublic information is not
-                                        included;
-                    """
-                - 
-                  id:         ac-22.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-22(d)
-                  parts: 
-                    - 
-                      id:         ac-22.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-22(d)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the content on the publicly accessible
-                                               information system for nonpublic information;
-                        """
-                    - 
-                      id:         ac-22.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-22(d)[2]
-                      prose: 
-                        """
-                          reviews the content on the publicly accessible information system for nonpublic
-                                               information with the organization-defined frequency; and
-                        """
-                    - 
-                      id:         ac-22.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-22(d)[3]
-                      prose: 
-                        """
-                          removes nonpublic information from the publicly accessible information system,
-                                               if discovered.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational
-                                        information systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing publicly accessible
-                                        information posted on organizational information systems\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing management of publicly accessible content
-    - 
-      id:       at
-      class:    family
-      title:    Awareness and Training
-      controls: 
-        - 
-          id:         at-1
-          class:      SP800-53
-          title:      Security Awareness and Training Policy and Procedures
-          parameters: 
-            - 
-              id:    at-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    at-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    at-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: AT-1
-            - 
-              name:  sort-id
-              value: at-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    at-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         at-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ at-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         at-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security awareness and training policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         at-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security awareness and
-                                               training policy and associated security awareness and training controls;
-                                               and
-                        """
-                - 
-                  id:         at-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         at-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security awareness and training policy {{ at-1_prm_2 }}; and
-                    - 
-                      id:         at-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security awareness and training procedures {{ at-1_prm_3 }}.
-            - 
-              id:    at-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AT
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    at-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-1(a)
-                  parts: 
-                    - 
-                      id:         at-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(a)(1)
-                      parts: 
-                        - 
-                          id:         at-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an security awareness and training policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         at-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         at-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         at-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         at-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         at-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         at-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         at-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         at-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the security awareness and training
-                                                      policy are to be disseminated;
-                            """
-                        - 
-                          id:         at-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the security awareness and training policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         at-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(a)(2)
-                      parts: 
-                        - 
-                          id:         at-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      security awareness and training policy and associated awareness and training
-                                                      controls;
-                            """
-                        - 
-                          id:         at-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         at-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         at-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-1(b)
-                  parts: 
-                    - 
-                      id:         at-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(b)(1)
-                      parts: 
-                        - 
-                          id:         at-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security awareness
-                                                      and training policy;
-                            """
-                        - 
-                          id:         at-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security awareness and training policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         at-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(b)(2)
-                      parts: 
-                        - 
-                          id:         at-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security awareness
-                                                      and training procedures; and
-                            """
-                        - 
-                          id:         at-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security awareness and training procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         at-2
-          class:      SP800-53
-          title:      Security Awareness Training
-          parameters: 
-            - 
-              id:    at-2_prm_1
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: AT-2
-            - 
-              name:  sort-id
-              value: at-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #bb61234b-46c3-4211-8c2b-9869222a720d
-              rel:  reference
-              text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    at-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides basic security awareness training to information system
-                                 users (including managers, senior executives, and contractors):
-                """
-              parts: 
-                - 
-                  id:         at-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      As part of initial training for new users;
-                - 
-                  id:         at-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         at-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ at-2_prm_1 }} thereafter.
-                    """
-            - 
-              id:    at-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the appropriate content of security awareness training and
-                                 security awareness techniques based on the specific organizational requirements and
-                                 the information systems to which personnel have authorized access. The content
-                                 includes a basic understanding of the need for information security and user actions
-                                 to maintain security and to respond to suspected security incidents. The content also
-                                 addresses awareness of the need for operations security. Security awareness
-                                 techniques can include, for example, displaying posters, offering supplies inscribed
-                                 with security reminders, generating email advisories/notices from senior
-                                 organizational officials, displaying logon screen messages, and conducting
-                                 information security awareness events.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #at-4
-                  rel:  related
-                  text: AT-4
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    at-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-2(a)
-                  prose: 
-                    """
-                      provides basic security awareness training to information system users (including
-                                        managers, senior executives, and contractors) as part of initial training for new
-                                        users;
-                    """
-                - 
-                  id:         at-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-2(b)
-                  prose: 
-                    """
-                      provides basic security awareness training to information system users (including
-                                        managers, senior executives, and contractors) when required by information system
-                                        changes; and
-                    """
-                - 
-                  id:         at-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-2(c)
-                  parts: 
-                    - 
-                      id:         at-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher security awareness training
-                                               thereafter to information system users (including managers, senior executives,
-                                               and contractors); and
-                        """
-                    - 
-                      id:         at-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-2(c)[2]
-                      prose: 
-                        """
-                          provides refresher security awareness training to information users (including
-                                               managers, senior executives, and contractors) with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user
-                                        community
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms managing security awareness training
-        - 
-          id:         at-3
-          class:      SP800-53
-          title:      Role-based Security Training
-          parameters: 
-            - 
-              id:    at-3_prm_1
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: AT-3
-            - 
-              name:  sort-id
-              value: at-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #bb61234b-46c3-4211-8c2b-9869222a720d
-              rel:  reference
-              text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    at-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides role-based security training to personnel with assigned
-                                 security roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         at-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Before authorizing access to the information system or performing assigned
-                                        duties;
-                    """
-                - 
-                  id:         at-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         at-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ at-3_prm_1 }} thereafter.
-                    """
-            - 
-              id:    at-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the appropriate content of security training based on the
-                                 assigned roles and responsibilities of individuals and the specific security
-                                 requirements of organizations and the information systems to which personnel have
-                                 authorized access. In addition, organizations provide enterprise architects,
-                                 information system developers, software developers, acquisition/procurement
-                                 officials, information system managers, system/network administrators, personnel
-                                 conducting configuration management and auditing activities, personnel performing
-                                 independent verification and validation activities, security control assessors, and
-                                 other personnel having access to system-level software, adequate security-related
-                                 technical training specifically tailored for their assigned duties. Comprehensive
-                                 role-based training addresses management, operational, and technical roles and
-                                 responsibilities covering physical, personnel, and technical safeguards and
-                                 countermeasures. Such training can include for example, policies, procedures, tools,
-                                 and artifacts for the organizational security roles defined. Organizations also
-                                 provide the training necessary for individuals to carry out their responsibilities
-                                 related to operations and supply chain security within the context of organizational
-                                 information security programs. Role-based security training also applies to
-                                 contractors providing services to federal agencies.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-4
-                  rel:  related
-                  text: AT-4
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sa-16
-                  rel:  related
-                  text: SA-16
-            - 
-              id:    at-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-3(a)
-                  prose: 
-                    """
-                      provides role-based security training to personnel with assigned security roles
-                                        and responsibilities before authorizing access to the information system or
-                                        performing assigned duties;
-                    """
-                - 
-                  id:         at-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-3(b)
-                  prose: 
-                    """
-                      provides role-based security training to personnel with assigned security roles
-                                        and responsibilities when required by information system changes; and
-                    """
-                - 
-                  id:         at-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-3(c)
-                  parts: 
-                    - 
-                      id:         at-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-3(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher role-based security training
-                                               thereafter to personnel with assigned security roles and responsibilities;
-                                               and
-                        """
-                    - 
-                      id:         at-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-3(c)[2]
-                      prose: 
-                        """
-                          provides refresher role-based security training to personnel with assigned
-                                               security roles and responsibilities with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for role-based security
-                                        training\n\norganizational personnel with assigned information system security roles and
-                                        responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms managing role-based security training
-        - 
-          id:         at-4
-          class:      SP800-53
-          title:      Security Training Records
-          parameters: 
-            - 
-              id:    at-4_prm_1
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: AT-4
-            - 
-              name:  sort-id
-              value: at-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    at-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         at-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Documents and monitors individual information system security training activities
-                                        including basic security awareness training and specific information system
-                                        security training; and
-                    """
-                - 
-                  id:         at-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Retains individual training records for {{ at-4_prm_1 }}.
-            - 
-              id:    at-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Documentation for specialized training may be maintained by individual supervisors at
-                                 the option of the organization.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pm-14
-                  rel:  related
-                  text: PM-14
-            - 
-              id:    at-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-4(a)
-                  parts: 
-                    - 
-                      id:         at-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-4(a)[1]
-                      prose: 
-                        """
-                          documents individual information system security training activities
-                                               including:
-                        """
-                      parts: 
-                        - 
-                          id:         at-4.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[1][a]
-                          prose:      basic security awareness training;
-                        - 
-                          id:         at-4.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[1][b]
-                          prose:      specific role-based information system security training;
-                    - 
-                      id:         at-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-4(a)[2]
-                      prose: 
-                        """
-                          monitors individual information system security training activities
-                                               including:
-                        """
-                      parts: 
-                        - 
-                          id:         at-4.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[2][a]
-                          prose:      basic security awareness training;
-                        - 
-                          id:         at-4.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[2][b]
-                          prose:      specific role-based information system security training;
-                - 
-                  id:         at-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-4(b)
-                  parts: 
-                    - 
-                      id:         at-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-4(b)[1]
-                      prose:      defines a time period to retain individual training records; and
-                    - 
-                      id:         at-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-4(b)[2]
-                      prose: 
-                        """
-                          retains individual training records for the organization-defined time
-                                               period.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security training record retention
-                                        responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting management of security training records
-    - 
-      id:       au
-      class:    family
-      title:    Audit and Accountability
-      controls: 
-        - 
-          id:         au-1
-          class:      SP800-53
-          title:      Audit and Accountability Policy and Procedures
-          parameters: 
-            - 
-              id:    au-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    au-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    au-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: AU-1
-            - 
-              name:  sort-id
-              value: au-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    au-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ au-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         au-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An audit and accountability policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         au-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the audit and accountability
-                                               policy and associated audit and accountability controls; and
-                        """
-                - 
-                  id:         au-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         au-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Audit and accountability policy {{ au-1_prm_2 }}; and
-                    - 
-                      id:         au-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Audit and accountability procedures {{ au-1_prm_3 }}.
-            - 
-              id:    au-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AU
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    au-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-1(a)
-                  parts: 
-                    - 
-                      id:         au-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(a)(1)
-                      parts: 
-                        - 
-                          id:         au-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an audit and accountability policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         au-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         au-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         au-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         au-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         au-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         au-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         au-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         au-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the audit and accountability policy are
-                                                      to be disseminated;
-                            """
-                        - 
-                          id:         au-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the audit and accountability policy to organization-defined
-                                                      personnel or roles;
-                            """
-                    - 
-                      id:         au-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(a)(2)
-                      parts: 
-                        - 
-                          id:         au-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      audit and accountability policy and associated audit and accountability
-                                                      controls;
-                            """
-                        - 
-                          id:         au-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         au-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         au-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-1(b)
-                  parts: 
-                    - 
-                      id:         au-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(b)(1)
-                      parts: 
-                        - 
-                          id:         au-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current audit and
-                                                      accountability policy;
-                            """
-                        - 
-                          id:         au-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current audit and accountability policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         au-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(b)(2)
-                      parts: 
-                        - 
-                          id:         au-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current audit and
-                                                      accountability procedures; and
-                            """
-                        - 
-                          id:         au-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current audit and accountability procedures in
-                                                      accordance with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         au-2
-          class:      SP800-53
-          title:      Audit Events
-          parameters: 
-            - 
-              id:    au-2_prm_1
-              label: organization-defined auditable events
-            - 
-              id:    au-2_prm_2
-              label: 
-                """
-                  organization-defined audited events (the subset of the auditable events defined
-                                 in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-                                 identified event
-                """
-          properties: 
-            - 
-              name:  label
-              value: AU-2
-            - 
-              name:  sort-id
-              value: au-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #672fd561-b92b-4713-b9cf-6c9d9456728b
-              rel:  reference
-              text: NIST Special Publication 800-92
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    au-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines that the information system is capable of auditing the following
-                                        events: {{ au-2_prm_1 }};
-                    """
-                - 
-                  id:         au-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Coordinates the security audit function with other organizational entities
-                                        requiring audit-related information to enhance mutual support and to help guide
-                                        the selection of auditable events;
-                    """
-                - 
-                  id:         au-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides a rationale for why the auditable events are deemed to be adequate to
-                                        support after-the-fact investigations of security incidents; and
-                    """
-                - 
-                  id:         au-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Determines that the following events are to be audited within the information
-                                        system: {{ au-2_prm_2 }}.
-                    """
-            - 
-              id:    au-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  An event is any observable occurrence in an organizational information system.
-                                 Organizations identify audit events as those events which are significant and
-                                 relevant to the security of information systems and the environments in which those
-                                 systems operate in order to meet specific and ongoing audit needs. Audit events can
-                                 include, for example, password changes, failed logons, or failed accesses related to
-                                 information systems, administrative privilege usage, PIV credential usage, or
-                                 third-party credential usage. In determining the set of auditable events,
-                                 organizations consider the auditing appropriate for each of the security controls to
-                                 be implemented. To balance auditing requirements with other information system needs,
-                                 this control also requires identifying that subset of auditable events that are
-                                 audited at a given point in time. For example, organizations may determine that
-                                 information systems must have the capability to log every file access both successful
-                                 and unsuccessful, but not activate that capability except for specific circumstances
-                                 due to the potential burden on system performance. Auditing requirements, including
-                                 the need for auditable events, may be referenced in other security controls and
-                                 control enhancements. Organizations also include auditable events that are required
-                                 by applicable federal laws, Executive Orders, directives, policies, regulations, and
-                                 standards. Audit records can be generated at various levels of abstraction, including
-                                 at the packet level as information traverses the network. Selecting the appropriate
-                                 level of abstraction is a critical aspect of an audit capability and can facilitate
-                                 the identification of root causes to problems. Organizations consider in the
-                                 definition of auditable events, the auditing necessary to cover related events such
-                                 as the steps in distributed, transaction-based processes (e.g., processes that are
-                                 distributed across multiple organizations) and actions that occur in service-oriented
-                                 architectures.
-                """
-              links: 
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    au-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(a)
-                  parts: 
-                    - 
-                      id:         au-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-2(a)[1]
-                      prose: 
-                        """
-                          defines the auditable events that the information system must be capable of
-                                               auditing;
-                        """
-                    - 
-                      id:         au-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-2(a)[2]
-                      prose: 
-                        """
-                          determines that the information system is capable of auditing
-                                               organization-defined auditable events;
-                        """
-                - 
-                  id:         au-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(b)
-                  prose: 
-                    """
-                      coordinates the security audit function with other organizational entities
-                                        requiring audit-related information to enhance mutual support and to help guide
-                                        the selection of auditable events;
-                    """
-                - 
-                  id:         au-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(c)
-                  prose: 
-                    """
-                      provides a rationale for why the auditable events are deemed to be adequate to
-                                        support after-the-fact investigations of security incidents;
-                    """
-                - 
-                  id:         au-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(d)
-                  parts: 
-                    - 
-                      id:         au-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-2(d)[1]
-                      prose: 
-                        """
-                          defines the subset of auditable events defined in AU-2a that are to be audited
-                                               within the information system;
-                        """
-                    - 
-                      id:         au-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-2(d)[2]
-                      prose: 
-                        """
-                          determines that the subset of auditable events defined in AU-2a are to be
-                                               audited within the information system; and
-                        """
-                    - 
-                      id:         au-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-2(d)[3]
-                      prose: 
-                        """
-                          determines the frequency of (or situation requiring) auditing for each
-                                               identified event.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing information system auditing
-        - 
-          id:         au-3
-          class:      SP800-53
-          title:      Content of Audit Records
-          properties: 
-            - 
-              name:  label
-              value: AU-3
-            - 
-              name:  sort-id
-              value: au-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          parts: 
-            - 
-              id:    au-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system generates audit records containing information that
-                                 establishes what type of event occurred, when the event occurred, where the event
-                                 occurred, the source of the event, the outcome of the event, and the identity of any
-                                 individuals or subjects associated with the event.
-                """
-            - 
-              id:    au-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit record content that may be necessary to satisfy the requirement of this
-                                 control, includes, for example, time stamps, source and destination addresses,
-                                 user/process identifiers, event descriptions, success/fail indications, filenames
-                                 involved, and access control or flow control rules invoked. Event outcomes can
-                                 include indicators of event success or failure and event-specific results (e.g., the
-                                 security state of the information system after the event occurred).
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-8
-                  rel:  related
-                  text: AU-8
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #si-11
-                  rel:  related
-                  text: SI-11
-            - 
-              id:    au-3_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system generates audit records containing information
-                                 that establishes: 
-                """
-              parts: 
-                - 
-                  id:         au-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[1]
-                  prose:      what type of event occurred;
-                - 
-                  id:         au-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[2]
-                  prose:      when the event occurred;
-                - 
-                  id:         au-3_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[3]
-                  prose:      where the event occurred;
-                - 
-                  id:         au-3_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[4]
-                  prose:      the source of the event;
-                - 
-                  id:         au-3_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[5]
-                  prose:      the outcome of the event; and
-                - 
-                  id:         au-3_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[6]
-                  prose:      the identity of any individuals or subjects associated with the event.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing information system auditing of auditable
-                                        events
-                    """
-        - 
-          id:         au-4
-          class:      SP800-53
-          title:      Audit Storage Capacity
-          parameters: 
-            - 
-              id:    au-4_prm_1
-              label: organization-defined audit record storage requirements
-          properties: 
-            - 
-              name:  label
-              value: AU-4
-            - 
-              name:  sort-id
-              value: au-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          parts: 
-            - 
-              id:    au-4_smt
-              name:  statement
-              prose: The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}.
-            - 
-              id:    au-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations consider the types of auditing to be performed and the audit processing
-                                 requirements when allocating audit storage capacity. Allocating sufficient audit
-                                 storage capacity reduces the likelihood of such capacity being exceeded and resulting
-                                 in the potential loss or reduction of auditing capability.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-11
-                  rel:  related
-                  text: AU-11
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    au-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-4_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-4[1]
-                  prose:      defines audit record storage requirements; and
-                - 
-                  id:         au-4_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-4[2]
-                  prose: 
-                    """
-                      allocates audit record storage capacity in accordance with the
-                                        organization-defined audit record storage requirements.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit record storage capacity and related configuration settings
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - Loss of availability of the audit data has been determined to have little or
-                                    no impact to government business/mission needs.
-                """
-        - 
-          id:         au-5
-          class:      SP800-53
-          title:      Response to Audit Processing Failures
-          parameters: 
-            - 
-              id:    au-5_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          au-5_prm_2
-              label: 
-                """
-                  organization-defined actions to be taken (e.g., shut down information system,
-                                 overwrite oldest audit records, stop generating audit records)
-                """
-              constraints: 
-                - 
-                  detail: organization-defined actions to be taken (overwrite oldest record)
-          properties: 
-            - 
-              name:  label
-              value: AU-5
-            - 
-              name:  sort-id
-              value: au-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          parts: 
-            - 
-              id:    au-5_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Alerts {{ au-5_prm_1 }} in the event of an audit processing
-                                        failure; and
-                    """
-                - 
-                  id:         au-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Takes the following additional actions: {{ au-5_prm_2 }}.
-            - 
-              id:    au-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit processing failures include, for example, software/hardware errors, failures in
-                                 the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-                                 Organizations may choose to define additional actions for different audit processing
-                                 failures (e.g., by type, by location, by severity, or a combination of such factors).
-                                 This control applies to each audit data storage repository (i.e., distinct
-                                 information system component where audit records are stored), the total audit storage
-                                 capacity of organizations (i.e., all audit data storage repositories combined), or
-                                 both.
-                """
-              links: 
-                - 
-                  href: #au-4
-                  rel:  related
-                  text: AU-4
-                - 
-                  href: #si-12
-                  rel:  related
-                  text: SI-12
-            - 
-              id:    au-5_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-5(a)
-                  parts: 
-                    - 
-                      id:         au-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-5(a)[1]
-                      prose: 
-                        """
-                          the organization defines the personnel or roles to be alerted in the event of
-                                               an audit processing failure;
-                        """
-                    - 
-                      id:         au-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-5(a)[2]
-                      prose: 
-                        """
-                          the information system alerts the organization-defined personnel or roles in
-                                               the event of an audit processing failure;
-                        """
-                - 
-                  id:         au-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-5(b)
-                  parts: 
-                    - 
-                      id:         au-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-5(b)[1]
-                      prose: 
-                        """
-                          the organization defines additional actions to be taken (e.g., shutdown
-                                               information system, overwrite oldest audit records, stop generating audit
-                                               records) in the event of an audit processing failure; and
-                        """
-                    - 
-                      id:         au-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-5(b)[2]
-                      prose: 
-                        """
-                          the information system takes the additional organization-defined actions in the
-                                               event of an audit processing failure.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing information system response to audit processing
-                                        failures
-                    """
-        - 
-          id:         au-6
-          class:      SP800-53
-          title:      Audit Review, Analysis, and Reporting
-          parameters: 
-            - 
-              id:          au-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least weekly
-            - 
-              id:    au-6_prm_2
-              label: organization-defined inappropriate or unusual activity
-            - 
-              id:    au-6_prm_3
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: AU-6
-            - 
-              name:  sort-id
-              value: au-06
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          parts: 
-            - 
-              id:    au-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};
-                                        and
-                    """
-                - 
-                  id:         au-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reports findings to {{ au-6_prm_3 }}.
-            - 
-              id:    au-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit review, analysis, and reporting covers information security-related auditing
-                                 performed by organizations including, for example, auditing that results from
-                                 monitoring of account usage, remote access, wireless connectivity, mobile device
-                                 connection, configuration settings, system component inventory, use of maintenance
-                                 tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-                                 delivery and removal, communications at the information system boundaries, use of
-                                 mobile code, and use of VoIP. Findings can be reported to organizational entities
-                                 that include, for example, incident response team, help desk, information security
-                                 group/department. If organizations are prohibited from reviewing and analyzing audit
-                                 information or unable to conduct such activities (e.g., in certain national security
-                                 applications or systems), the review/analysis may be carried out by other
-                                 organizations granted such authority.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-16
-                  rel:  related
-                  text: AU-16
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-10
-                  rel:  related
-                  text: CM-10
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ir-5
-                  rel:  related
-                  text: IR-5
-                - 
-                  href: #ir-6
-                  rel:  related
-                  text: IR-6
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #pe-14
-                  rel:  related
-                  text: PE-14
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-18
-                  rel:  related
-                  text: SC-18
-                - 
-                  href: #sc-19
-                  rel:  related
-                  text: SC-19
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    au-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-6(a)
-                  parts: 
-                    - 
-                      id:         au-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(a)[1]
-                      prose: 
-                        """
-                          defines the types of inappropriate or unusual activity to look for when
-                                               information system audit records are reviewed and analyzed;
-                        """
-                    - 
-                      id:         au-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(a)[2]
-                      prose: 
-                        """
-                          defines the frequency to review and analyze information system audit records
-                                               for indications of organization-defined inappropriate or unusual activity;
-                        """
-                    - 
-                      id:         au-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(a)[3]
-                      prose: 
-                        """
-                          reviews and analyzes information system audit records for indications of
-                                               organization-defined inappropriate or unusual activity with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         au-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-6(b)
-                  parts: 
-                    - 
-                      id:         au-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom findings resulting from reviews and analysis
-                                               of information system audit records are to be reported; and
-                        """
-                    - 
-                      id:         au-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-6(b)[2]
-                      prose:      reports findings to organization-defined personnel or roles.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with audit review, analysis, and reporting
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         au-8
-          class:      SP800-53
-          title:      Time Stamps
-          parameters: 
-            - 
-              id:    au-8_prm_1
-              label: organization-defined granularity of time measurement
-          properties: 
-            - 
-              name:  label
-              value: AU-8
-            - 
-              name:  sort-id
-              value: au-08
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    au-8_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Uses internal system clocks to generate time stamps for audit records; and
-                - 
-                  id:         au-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Records time stamps for audit records that can be mapped to Coordinated Universal
-                                        Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}.
-                    """
-            - 
-              id:    au-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Time stamps generated by the information system include date and time. Time is
-                                 commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-                                 Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-                                 measurements refers to the degree of synchronization between information system
-                                 clocks and reference clocks, for example, clocks synchronizing within hundreds of
-                                 milliseconds or within tens of milliseconds. Organizations may define different time
-                                 granularities for different system components. Time service can also be critical to
-                                 other security capabilities such as access control and identification and
-                                 authentication, depending on the nature of the mechanisms used to support those
-                                 capabilities.
-                """
-              links: 
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-            - 
-              id:    au-8_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-8(a)
-                  prose: 
-                    """
-                      the information system uses internal system clocks to generate time stamps for
-                                        audit records;
-                    """
-                - 
-                  id:         au-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-8(b)
-                  parts: 
-                    - 
-                      id:         au-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-8(b)[1]
-                      prose: 
-                        """
-                          the information system records time stamps for audit records that can be mapped
-                                               to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);
-                        """
-                    - 
-                      id:         au-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-8(b)[2]
-                      prose: 
-                        """
-                          the organization defines the granularity of time measurement to be met when
-                                               recording time stamps for audit records; and
-                        """
-                    - 
-                      id:         au-8.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-8(b)[3]
-                      prose: 
-                        """
-                          the organization records time stamps for audit records that meet the
-                                               organization-defined granularity of time measurement.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing time stamp generation
-        - 
-          id:         au-9
-          class:      SP800-53
-          title:      Protection of Audit Information
-          properties: 
-            - 
-              name:  label
-              value: AU-9
-            - 
-              name:  sort-id
-              value: au-09
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    au-9_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects audit information and audit tools from unauthorized
-                                 access, modification, and deletion.
-                """
-            - 
-              id:    au-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit information includes all information (e.g., audit records, audit settings, and
-                                 audit reports) needed to successfully audit information system activity. This control
-                                 focuses on technical protection of audit information. Physical protection of audit
-                                 information is addressed by media protection controls and physical and environmental
-                                 protection controls.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-            - 
-              id:    au-9_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         au-9_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-9[1]
-                  prose:      the information system protects audit information from unauthorized:
-                  parts: 
-                    - 
-                      id:         au-9_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][a]
-                      prose:      access;
-                    - 
-                      id:         au-9_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][b]
-                      prose:      modification;
-                    - 
-                      id:         au-9_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][c]
-                      prose:      deletion;
-                - 
-                  id:         au-9_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-9[2]
-                  prose:      the information system protects audit tools from unauthorized:
-                  parts: 
-                    - 
-                      id:         au-9_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][a]
-                      prose:      access;
-                    - 
-                      id:         au-9_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][b]
-                      prose:      modification; and
-                    - 
-                      id:         au-9_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][c]
-                      prose:      deletion.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation,
-                                        information system audit records\n\naudit tools\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing audit information protection
-        - 
-          id:         au-11
-          class:      SP800-53
-          title:      Audit Record Retention
-          parameters: 
-            - 
-              id:    au-11_prm_1
-              label: organization-defined time period consistent with records retention policy
-          properties: 
-            - 
-              name:  label
-              value: AU-11
-            - 
-              name:  sort-id
-              value: au-11
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          parts: 
-            - 
-              id:    au-11_smt
-              name:  statement
-              prose: 
-                """
-                  The organization retains audit records for {{ au-11_prm_1 }} to
-                                 provide support for after-the-fact investigations of security incidents and to meet
-                                 regulatory and organizational information retention requirements.
-                """
-            - 
-              id:    au-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations retain audit records until it is determined that they are no longer
-                                 needed for administrative, legal, audit, or other operational purposes. This
-                                 includes, for example, retention and availability of audit records relative to
-                                 Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-                                 Organizations develop standard categories of audit records relative to such types of
-                                 actions and standard response processes for each type of action. The National
-                                 Archives and Records Administration (NARA) General Records Schedules provide federal
-                                 policy on record retention.
-                """
-              links: 
-                - 
-                  href: #au-4
-                  rel:  related
-                  text: AU-4
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-            - 
-              id:    au-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-11_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-11[1]
-                  prose: 
-                    """
-                      defines a time period to retain audit records that is consistent with records
-                                        retention policy;
-                    """
-                - 
-                  id:         au-11_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-11[2]
-                  prose: 
-                    """
-                      retains audit records for the organization-defined time period consistent with
-                                        records retention policy to:
-                    """
-                  parts: 
-                    - 
-                      id:         au-11_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-11[2][a]
-                      prose: 
-                        """
-                          provide support for after-the-fact investigations of security incidents;
-                                               and
-                        """
-                    - 
-                      id:         au-11_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-11[2][b]
-                      prose:      meet regulatory and organizational information retention requirements.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - Loss of availability of the audit data has been determined as little or no
-                                    impact to government business/mission needs.
-                """
-        - 
-          id:         au-12
-          class:      SP800-53
-          title:      Audit Generation
-          parameters: 
-            - 
-              id:    au-12_prm_1
-              label: organization-defined information system components
-            - 
-              id:    au-12_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: AU-12
-            - 
-              name:  sort-id
-              value: au-12
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    au-12_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-12_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides audit record generation capability for the auditable events defined in
-                                        AU-2 a. at {{ au-12_prm_1 }};
-                    """
-                - 
-                  id:         au-12_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Allows {{ au-12_prm_2 }} to select which auditable events are to be
-                                        audited by specific components of the information system; and
-                    """
-                - 
-                  id:         au-12_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Generates audit records for the events defined in AU-2 d. with the content defined
-                                        in AU-3.
-                    """
-            - 
-              id:    au-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit records can be generated from many different information system components. The
-                                 list of audited events is the set of events for which audits are to be generated.
-                                 These events are typically a subset of all events for which the information system is
-                                 capable of generating audit records.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-            - 
-              id:    au-12_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-12.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(a)
-                  parts: 
-                    - 
-                      id:         au-12.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-12(a)[1]
-                      prose: 
-                        """
-                          the organization defines the information system components which are to provide
-                                               audit record generation capability for the auditable events defined in
-                                               AU-2a;
-                        """
-                    - 
-                      id:         au-12.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-12(a)[2]
-                      prose: 
-                        """
-                          the information system provides audit record generation capability, for the
-                                               auditable events defined in AU-2a, at organization-defined information system
-                                               components;
-                        """
-                - 
-                  id:         au-12.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(b)
-                  parts: 
-                    - 
-                      id:         au-12.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-12(b)[1]
-                      prose: 
-                        """
-                          the organization defines the personnel or roles allowed to select which
-                                               auditable events are to be audited by specific components of the information
-                                               system;
-                        """
-                    - 
-                      id:         au-12.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-12(b)[2]
-                      prose: 
-                        """
-                          the information system allows the organization-defined personnel or roles to
-                                               select which auditable events are to be audited by specific components of the
-                                               system; and
-                        """
-                - 
-                  id:         au-12.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(c)
-                  prose: 
-                    """
-                      the information system generates audit records for the events defined in AU-2d
-                                        with the content in defined in AU-3.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing audit record generation capability
-    - 
-      id:       ca
-      class:    family
-      title:    Security Assessment and Authorization
-      controls: 
-        - 
-          id:         ca-1
-          class:      SP800-53
-          title:      Security Assessment and Authorization Policy and Procedures
-          parameters: 
-            - 
-              id:    ca-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ca-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    ca-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: CA-1
-            - 
-              name:  sort-id
-              value: ca-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ca-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ca-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ca-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security assessment and authorization policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         ca-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security assessment and
-                                               authorization policy and associated security assessment and authorization
-                                               controls; and
-                        """
-                - 
-                  id:         ca-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ca-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Security assessment and authorization policy {{ ca-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         ca-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security assessment and authorization procedures {{ ca-1_prm_3 }}.
-            - 
-              id:    ca-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ca-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-1(a)
-                  parts: 
-                    - 
-                      id:         ca-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ca-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a security assessment and authorization policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         ca-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ca-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ca-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ca-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ca-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ca-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ca-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ca-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the security assessment and authorization
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         ca-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the security assessment and authorization policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         ca-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ca-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      security assessment and authorization policy and associated assessment and
-                                                      authorization controls;
-                            """
-                        - 
-                          id:         ca-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ca-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ca-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-1(b)
-                  parts: 
-                    - 
-                      id:         ca-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ca-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security assessment
-                                                      and authorization policy;
-                            """
-                        - 
-                          id:         ca-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security assessment and authorization policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         ca-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ca-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security assessment
-                                                      and authorization procedures; and
-                            """
-                        - 
-                          id:         ca-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security assessment and authorization
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security assessment and authorization
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ca-2
-          class:      SP800-53
-          title:      Security Assessments
-          parameters: 
-            - 
-              id:          ca-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ca-2_prm_2
-              label:       organization-defined individuals or roles
-              constraints: 
-                - 
-                  detail: individuals or roles to include FedRAMP PMO
-          properties: 
-            - 
-              name:  label
-              value: CA-2
-            - 
-              name:  sort-id
-              value: ca-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    ca-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops a security assessment plan that describes the scope of the assessment
-                                        including:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security controls and control enhancements under assessment;
-                    - 
-                      id:         ca-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Assessment procedures to be used to determine security control effectiveness;
-                                               and
-                        """
-                    - 
-                      id:         ca-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Assessment environment, assessment team, and assessment roles and
-                                               responsibilities;
-                        """
-                - 
-                  id:         ca-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Assesses the security controls in the information system and its environment of
-                                        operation {{ ca-2_prm_1 }} to determine the extent to which the
-                                        controls are implemented correctly, operating as intended, and producing the
-                                        desired outcome with respect to meeting established security requirements;
-                    """
-                - 
-                  id:         ca-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Produces a security assessment report that documents the results of the
-                                        assessment; and
-                    """
-                - 
-                  id:         ca-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Provides the results of the security control assessment to {{ ca-2_prm_2 }}.
-            - 
-              id:    ca-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations assess security controls in organizational information systems and the
-                                 environments in which those systems operate as part of: (i) initial and ongoing
-                                 security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-                                 and (iv) system development life cycle activities. Security assessments: (i) ensure
-                                 that information security is built into organizational information systems; (ii)
-                                 identify weaknesses and deficiencies early in the development process; (iii) provide
-                                 essential information needed to make risk-based decisions as part of security
-                                 authorization processes; and (iv) ensure compliance to vulnerability mitigation
-                                 procedures. Assessments are conducted on the implemented security controls from
-                                 Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-                                 in System Security Plans and Information Security Program Plans. Organizations can
-                                 use other types of assessment activities such as vulnerability scanning and system
-                                 monitoring to maintain the security posture of information systems during the entire
-                                 life cycle. Security assessment reports document assessment results in sufficient
-                                 detail as deemed necessary by organizations, to determine the accuracy and
-                                 completeness of the reports and whether the security controls are implemented
-                                 correctly, operating as intended, and producing the desired outcome with respect to
-                                 meeting security requirements. The FISMA requirement for assessing security controls
-                                 at least annually does not require additional assessment activities to those
-                                 activities already in place in organizational security authorization processes.
-                                 Security assessment results are provided to the individuals or roles appropriate for
-                                 the types of assessments being conducted. For example, assessments conducted in
-                                 support of security authorization decisions are provided to authorizing officials or
-                                 authorizing official designated representatives. To satisfy annual assessment
-                                 requirements, organizations can use assessment results from the following sources:
-                                 (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-                                 or (iii) system development life cycle activities. Organizations ensure that security
-                                 assessment results are current, relevant to the determination of security control
-                                 effectiveness, and obtained with the appropriate level of assessor independence.
-                                 Existing security control assessment results can be reused to the extent that the
-                                 results are still valid and can also be supplemented with additional assessments as
-                                 needed. Subsequent to initial authorizations and in accordance with OMB policy,
-                                 organizations assess security controls during continuous monitoring. Organizations
-                                 establish the frequency for ongoing security control assessments in accordance with
-                                 organizational continuous monitoring strategies. Information Assurance Vulnerability
-                                 Alerts provide useful examples of vulnerability mitigation procedures. External
-                                 audits (e.g., audits by external entities such as regulatory agencies) are outside
-                                 the scope of this control.
-                """
-              links: 
-                - 
-                  href: #ca-5
-                  rel:  related
-                  text: CA-5
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(a)
-                  prose: 
-                    """
-                      develops a security assessment plan that describes the scope of the assessment
-                                        including:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(1)
-                      prose:      security controls and control enhancements under assessment;
-                    - 
-                      id:         ca-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(2)
-                      prose: 
-                        """
-                          assessment procedures to be used to determine security control
-                                               effectiveness;
-                        """
-                    - 
-                      id:         ca-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(3)
-                      parts: 
-                        - 
-                          id:         ca-2.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[1]
-                          prose:      assessment environment;
-                        - 
-                          id:         ca-2.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[2]
-                          prose:      assessment team;
-                        - 
-                          id:         ca-2.a.3_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[3]
-                          prose:      assessment roles and responsibilities;
-                - 
-                  id:         ca-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(b)
-                  parts: 
-                    - 
-                      id:         ca-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to assess the security controls in the information system
-                                               and its environment of operation;
-                        """
-                    - 
-                      id:         ca-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(b)[2]
-                      prose: 
-                        """
-                          assesses the security controls in the information system with the
-                                               organization-defined frequency to determine the extent to which the controls
-                                               are implemented correctly, operating as intended, and producing the desired
-                                               outcome with respect to meeting established security requirements;
-                        """
-                - 
-                  id:         ca-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(c)
-                  prose: 
-                    """
-                      produces a security assessment report that documents the results of the
-                                        assessment;
-                    """
-                - 
-                  id:         ca-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(d)
-                  parts: 
-                    - 
-                      id:         ca-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(d)[1]
-                      prose: 
-                        """
-                          defines individuals or roles to whom the results of the security control
-                                               assessment are to be provided; and
-                        """
-                    - 
-                      id:         ca-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(d)[2]
-                      prose: 
-                        """
-                          provides the results of the security control assessment to organization-defined
-                                               individuals or roles.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting security assessment, security assessment plan
-                                        development, and/or security assessment reporting
-                    """
-            - 
-              id:    ca-2_fr
-              name:  item
-              title: CA-2 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         ca-2_fr_gdn.1
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose: 
-                    """
-                      See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                                           Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                     
-                    """
-          controls: 
-            - 
-              id:         ca-2.1
-              class:      SP800-53-enhancement
-              title:      Independent Assessors
-              parameters: 
-                - 
-                  id:    ca-2.1_prm_1
-                  label: organization-defined level of independence
-              properties: 
-                - 
-                  name:  label
-                  value: CA-2(1)
-                - 
-                  name:  sort-id
-                  value: ca-02.01
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: ATTEST
-              parts: 
-                - 
-                  id:    ca-2.1_smt
-                  name:  statement
-                  prose: The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.
-                - 
-                  id:    ca-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Independent assessors or assessment teams are individuals or groups who conduct
-                                        impartial assessments of organizational information systems. Impartiality implies
-                                        that assessors are free from any perceived or actual conflicts of interest with
-                                        regard to the development, operation, or management of the organizational
-                                        information systems under assessment or to the determination of security control
-                                        effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                                        or conflicting interest with the organizations where the assessments are being
-                                        conducted; (ii) assess their own work; (iii) act as management or employees of the
-                                        organizations they are serving; or (iv) place themselves in positions of advocacy
-                                        for the organizations acquiring their services. Independent assessments can be
-                                        obtained from elements within organizations or can be contracted to public or
-                                        private sector entities outside of organizations. Authorizing officials determine
-                                        the required level of independence based on the security categories of information
-                                        systems and/or the ultimate risk to organizational operations, organizational
-                                        assets, or individuals. Authorizing officials also determine if the level of
-                                        assessor independence provides sufficient assurance that the results are sound and
-                                        can be used to make credible, risk-based decisions. This includes determining
-                                        whether contracted security assessment services have sufficient independence, for
-                                        example, when information system owners are not directly involved in contracting
-                                        processes or cannot unduly influence the impartiality of assessors conducting
-                                        assessments. In special situations, for example, when organizations that own the
-                                        information systems are small or organizational structures require that
-                                        assessments are conducted by individuals that are in the developmental,
-                                        operational, or management chain of system owners, independence in assessment
-                                        processes can be achieved by ensuring that assessment results are carefully
-                                        reviewed and analyzed by independent teams of experts to validate the
-                                        completeness, accuracy, integrity, and reliability of the results. Organizations
-                                        recognize that assessments performed for purposes other than direct support to
-                                        authorization decisions are, when performed by assessors with sufficient
-                                        independence, more likely to be useable for such decisions, thereby reducing the
-                                        need to repeat assessments.
-                    """
-                - 
-                  id:    ca-2.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-2.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(1)[1]
-                      prose: 
-                        """
-                          defines the level of independence to be employed to conduct security control
-                                               assessments; and
-                        """
-                    - 
-                      id:         ca-2.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(1)[2]
-                      prose: 
-                        """
-                          employs assessors or assessment teams with the organization-defined level of
-                                               independence to conduct security control assessments.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity authorization package (including security plan, security assessment
-                                               plan, security assessment report, plan of action and milestones, authorization
-                                               statement)\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ca-3
-          class:      SP800-53
-          title:      System Interconnections
-          parameters: 
-            - 
-              id:          ca-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually and on input from FedRAMP
-          properties: 
-            - 
-              name:  label
-              value: CA-3
-            - 
-              name:  sort-id
-              value: ca-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #2711f068-734e-4afd-94ba-0b22247fbc88
-              rel:  reference
-              text: NIST Special Publication 800-47
-          parts: 
-            - 
-              id:    ca-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Authorizes connections from the information system to other information systems
-                                        through the use of Interconnection Security Agreements;
-                    """
-                - 
-                  id:         ca-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents, for each interconnection, the interface characteristics, security
-                                        requirements, and the nature of the information communicated; and
-                    """
-                - 
-                  id:         ca-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}.
-            - 
-              id:    ca-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to dedicated connections between information systems (i.e.,
-                                 system interconnections) and does not apply to transitory, user-controlled
-                                 connections such as email and website browsing. Organizations carefully consider the
-                                 risks that may be introduced when information systems are connected to other systems
-                                 with different security requirements and security controls, both within organizations
-                                 and external to organizations. Authorizing officials determine the risk associated
-                                 with information system connections and the appropriate controls employed. If
-                                 interconnecting systems have the same authorizing official, organizations do not need
-                                 to develop Interconnection Security Agreements. Instead, organizations can describe
-                                 the interface characteristics between those interconnecting systems in their
-                                 respective security plans. If interconnecting systems have different authorizing
-                                 officials within the same organization, organizations can either develop
-                                 Interconnection Security Agreements or describe the interface characteristics between
-                                 systems in the security plans for the respective systems. Organizations may also
-                                 incorporate Interconnection Security Agreement information into formal contracts,
-                                 especially for interconnections established between federal agencies and nonfederal
-                                 (i.e., private sector) organizations. Risk considerations also include information
-                                 systems sharing the same networks. For certain technologies (e.g., space, unmanned
-                                 aerial vehicles, and medical devices), there may be specialized connections in place
-                                 during preoperational testing. Such connections may require Interconnection Security
-                                 Agreements and be subject to additional security controls.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #au-16
-                  rel:  related
-                  text: AU-16
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-3(a)
-                  prose: 
-                    """
-                      authorizes connections from the information system to other information systems
-                                        through the use of Interconnection Security Agreements;
-                    """
-                - 
-                  id:         ca-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-3(b)
-                  prose:      documents, for each interconnection:
-                  parts: 
-                    - 
-                      id:         ca-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[1]
-                      prose:      the interface characteristics;
-                    - 
-                      id:         ca-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[2]
-                      prose:      the security requirements;
-                    - 
-                      id:         ca-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[3]
-                      prose:      the nature of the information communicated;
-                - 
-                  id:         ca-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-3(c)
-                  parts: 
-                    - 
-                      id:         ca-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update Interconnection Security Agreements;
-                                               and
-                        """
-                    - 
-                      id:         ca-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(c)[2]
-                      prose: 
-                        """
-                          reviews and updates Interconnection Security Agreements with the
-                                               organization-defined frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for developing, implementing, or
-                                        approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement
-                                        applies
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  Condition: There are connection(s) to external systems. Connections (if any) shall
-                                    be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                                    is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                                    bi-directional. 4) Identify how the connection is secured.
-                """
-        - 
-          id:         ca-5
-          class:      SP800-53
-          title:      Plan of Action and Milestones
-          parameters: 
-            - 
-              id:          ca-5_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  label
-              value: CA-5
-            - 
-              name:  sort-id
-              value: ca-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #2c5884cd-7b96-425c-862a-99877e1cf909
-              rel:  reference
-              text: OMB Memorandum 02-01
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-          parts: 
-            - 
-              id:    ca-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops a plan of action and milestones for the information system to document
-                                        the organization’s planned remedial actions to correct weaknesses or deficiencies
-                                        noted during the assessment of the security controls and to reduce or eliminate
-                                        known vulnerabilities in the system; and
-                    """
-                - 
-                  id:         ca-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates existing plan of action and milestones {{ ca-5_prm_1 }}
-                                        based on the findings from security controls assessments, security impact
-                                        analyses, and continuous monitoring activities.
-                    """
-            - 
-              id:    ca-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Plans of action and milestones are key documents in security authorization packages
-                                 and are subject to federal reporting requirements established by OMB.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #pm-4
-                  rel:  related
-                  text: PM-4
-            - 
-              id:    ca-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-5(a)
-                  prose:      develops a plan of action and milestones for the information system to:
-                  parts: 
-                    - 
-                      id:         ca-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(a)[1]
-                      prose: 
-                        """
-                          document the organization’s planned remedial actions to correct weaknesses or
-                                               deficiencies noted during the assessment of the security controls;
-                        """
-                    - 
-                      id:         ca-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(a)[2]
-                      prose:      reduce or eliminate known vulnerabilities in the system;
-                - 
-                  id:         ca-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-5(b)
-                  parts: 
-                    - 
-                      id:         ca-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(b)[1]
-                      prose:      defines the frequency to update the existing plan of action and milestones;
-                    - 
-                      id:         ca-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(b)[2]
-                      prose: 
-                        """
-                          updates the existing plan of action and milestones with the
-                                               organization-defined frequency based on the findings from:
-                        """
-                      parts: 
-                        - 
-                          id:         ca-5.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][a]
-                          prose:      security controls assessments;
-                        - 
-                          id:         ca-5.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][b]
-                          prose:      security impact analyses; and
-                        - 
-                          id:         ca-5.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][c]
-                          prose:      continuous monitoring activities.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with plan of action and milestones development and
-                                        implementation responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms for developing, implementing, and maintaining plan of action
-                                        and milestones
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring
-                                    Requirements.
-                """
-        - 
-          id:         ca-6
-          class:      SP800-53
-          title:      Security Authorization
-          parameters: 
-            - 
-              id:          ca-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three years or when a significant change occurs
-          properties: 
-            - 
-              name:  label
-              value: CA-6
-            - 
-              name:  sort-id
-              value: ca-06
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab
-              rel:  reference
-              text: OMB Circular A-130
-            - 
-              href: #bedb15b7-ec5c-4a68-807f-385125751fcd
-              rel:  reference
-              text: OMB Memorandum 11-33
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    ca-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Assigns a senior-level executive or manager as the authorizing official for the
-                                        information system;
-                    """
-                - 
-                  id:         ca-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that the authorizing official authorizes the information system for
-                                        processing before commencing operations; and
-                    """
-                - 
-                  id:         ca-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Updates the security authorization {{ ca-6_prm_1 }}.
-            - 
-              id:    ca-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security authorizations are official management decisions, conveyed through
-                                 authorization decision documents, by senior organizational officials or executives
-                                 (i.e., authorizing officials) to authorize operation of information systems and to
-                                 explicitly accept the risk to organizational operations and assets, individuals,
-                                 other organizations, and the Nation based on the implementation of agreed-upon
-                                 security controls. Authorizing officials provide budgetary oversight for
-                                 organizational information systems or assume responsibility for the mission/business
-                                 operations supported by those systems. The security authorization process is an
-                                 inherently federal responsibility and therefore, authorizing officials must be
-                                 federal employees. Through the security authorization process, authorizing officials
-                                 assume responsibility and are accountable for security risks associated with the
-                                 operation and use of organizational information systems. Accordingly, authorizing
-                                 officials are in positions with levels of authority commensurate with understanding
-                                 and accepting such information security-related risks. OMB policy requires that
-                                 organizations conduct ongoing authorizations of information systems by implementing
-                                 continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-                                 reauthorization requirements, so separate reauthorization processes are not
-                                 necessary. Through the employment of comprehensive continuous monitoring processes,
-                                 critical information contained in authorization packages (i.e., security plans,
-                                 security assessment reports, and plans of action and milestones) is updated on an
-                                 ongoing basis, providing authorizing officials and information system owners with an
-                                 up-to-date status of the security state of organizational information systems and
-                                 environments of operation. To reduce the administrative cost of security
-                                 reauthorization, authorizing officials use the results of continuous monitoring
-                                 processes to the maximum extent possible as the basis for rendering reauthorization
-                                 decisions.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #pm-10
-                  rel:  related
-                  text: PM-10
-            - 
-              id:    ca-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-6(a)
-                  prose: 
-                    """
-                      assigns a senior-level executive or manager as the authorizing official for the
-                                        information system;
-                    """
-                - 
-                  id:         ca-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-6(b)
-                  prose: 
-                    """
-                      ensures that the authorizing official authorizes the information system for
-                                        processing before commencing operations;
-                    """
-                - 
-                  id:         ca-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-6(c)
-                  parts: 
-                    - 
-                      id:         ca-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-6(c)[1]
-                      prose:      defines the frequency to update the security authorization; and
-                    - 
-                      id:         ca-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-6(c)[2]
-                      prose:      updates the security authorization with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms that facilitate security authorizations and updates
-            - 
-              id:    ca-6_fr
-              name:  item
-              title: CA-6(c) Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         ca-6_fr_gdn.1
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose: 
-                    """
-                      Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                                           Appendix F. The service provider describes the types of changes to the
-                                           information system or the environment of operations that would impact the risk
-                                           posture. The types of changes are approved and accepted by the Authorizing
-                                           Official.
-                    """
-        - 
-          id:         ca-7
-          class:      SP800-53
-          title:      Continuous Monitoring
-          parameters: 
-            - 
-              id:    ca-7_prm_1
-              label: organization-defined metrics
-            - 
-              id:    ca-7_prm_2
-              label: organization-defined frequencies
-            - 
-              id:    ca-7_prm_3
-              label: organization-defined frequencies
-            - 
-              id:          ca-7_prm_4
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: to meet Federal and FedRAMP requirements (See additional guidance)
-            - 
-              id:          ca-7_prm_5
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: to meet Federal and FedRAMP requirements (See additional guidance)
-          properties: 
-            - 
-              name:  label
-              value: CA-7
-            - 
-              name:  sort-id
-              value: ca-07
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #bedb15b7-ec5c-4a68-807f-385125751fcd
-              rel:  reference
-              text: OMB Memorandum 11-33
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-            - 
-              href: #8ade2fbe-e468-4ca8-9a40-54d7f23c32bb
-              rel:  reference
-              text: US-CERT Technical Cyber Security Alerts
-            - 
-              href: #2d8b14e9-c8b5-4d3d-8bdc-155078f3281b
-              rel:  reference
-              text: DoD Information Assurance Vulnerability Alerts
-          parts: 
-            - 
-              id:    ca-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops a continuous monitoring strategy and implements a
-                                 continuous monitoring program that includes:
-                """
-              parts: 
-                - 
-                  id:         ca-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Establishment of {{ ca-7_prm_1 }} to be monitored;
-                - 
-                  id:         ca-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;
-                - 
-                  id:         ca-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ongoing security control assessments in accordance with the organizational
-                                        continuous monitoring strategy;
-                    """
-                - 
-                  id:         ca-7_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Ongoing security status monitoring of organization-defined metrics in accordance
-                                        with the organizational continuous monitoring strategy;
-                    """
-                - 
-                  id:         ca-7_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Correlation and analysis of security-related information generated by assessments
-                                        and monitoring;
-                    """
-                - 
-                  id:         ca-7_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Response actions to address results of the analysis of security-related
-                                        information; and
-                    """
-                - 
-                  id:         ca-7_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Reporting the security status of organization and the information system to
-                                           {{ ca-7_prm_4 }}
-                                        {{ ca-7_prm_5 }}.
-                    """
-            - 
-              id:    ca-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Continuous monitoring programs facilitate ongoing awareness of threats,
-                                 vulnerabilities, and information security to support organizational risk management
-                                 decisions. The terms continuous and ongoing imply that organizations assess/analyze
-                                 security controls and information security-related risks at a frequency sufficient to
-                                 support organizational risk-based decisions. The results of continuous monitoring
-                                 programs generate appropriate risk response actions by organizations. Continuous
-                                 monitoring programs also allow organizations to maintain the security authorizations
-                                 of information systems and common controls over time in highly dynamic environments
-                                 of operation with changing mission/business needs, threats, vulnerabilities, and
-                                 technologies. Having access to security-related information on a continuing basis
-                                 through reports/dashboards gives organizational officials the capability to make more
-                                 effective and timely risk management decisions, including ongoing security
-                                 authorization decisions. Automation supports more frequent updates to security
-                                 authorization packages, hardware/software/firmware inventories, and other system
-                                 information. Effectiveness is further enhanced when continuous monitoring outputs are
-                                 formatted to provide information that is specific, measurable, actionable, relevant,
-                                 and timely. Continuous monitoring activities are scaled in accordance with the
-                                 security categories of information systems.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-5
-                  rel:  related
-                  text: CA-5
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #pm-6
-                  rel:  related
-                  text: PM-6
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ca-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(a)
-                  parts: 
-                    - 
-                      id:         ca-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(a)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines metrics to be
-                                               monitored;
-                        """
-                    - 
-                      id:         ca-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(a)[2]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes monitoring of
-                                               organization-defined metrics;
-                        """
-                    - 
-                      id:         ca-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(a)[3]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes monitoring of
-                                               organization-defined metrics in accordance with the organizational continuous
-                                               monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(b)
-                  parts: 
-                    - 
-                      id:         ca-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(b)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines frequencies for
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(b)[2]
-                      prose:      defines frequencies for assessments supporting monitoring;
-                    - 
-                      id:         ca-7.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(b)[3]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes establishment of the
-                                               organization-defined frequencies for monitoring and for assessments supporting
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(b)[4]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes establishment of
-                                               organization-defined frequencies for monitoring and for assessments supporting
-                                               such monitoring in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(c)
-                  parts: 
-                    - 
-                      id:         ca-7.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(c)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes ongoing security
-                                               control assessments;
-                        """
-                    - 
-                      id:         ca-7.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(c)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes ongoing security
-                                               control assessments in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(d)
-                  parts: 
-                    - 
-                      id:         ca-7.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(d)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes ongoing security status
-                                               monitoring of organization-defined metrics;
-                        """
-                    - 
-                      id:         ca-7.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(d)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes ongoing security
-                                               status monitoring of organization-defined metrics in accordance with the
-                                               organizational continuous monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(e)
-                  parts: 
-                    - 
-                      id:         ca-7.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(e)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes correlation and
-                                               analysis of security-related information generated by assessments and
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(e)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes correlation and
-                                               analysis of security-related information generated by assessments and
-                                               monitoring in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(f)
-                  parts: 
-                    - 
-                      id:         ca-7.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(f)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes response actions to
-                                               address results of the analysis of security-related information;
-                        """
-                    - 
-                      id:         ca-7.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(f)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes response actions to
-                                               address results of the analysis of security-related information in accordance
-                                               with the organizational continuous monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(g)
-                  parts: 
-                    - 
-                      id:         ca-7.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(g)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines the personnel or roles
-                                               to whom the security status of the organization and information system are to
-                                               be reported;
-                        """
-                    - 
-                      id:         ca-7.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(g)[2]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines the frequency to report
-                                               the security status of the organization and information system to
-                                               organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         ca-7.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(g)[3]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes reporting the security
-                                               status of the organization or information system to organizational-defined
-                                               personnel or roles with the organization-defined frequency; and
-                        """
-                    - 
-                      id:         ca-7.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-7(g)[4]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes reporting the security
-                                               status of the organization and information system to organization-defined
-                                               personnel or roles with the organization-defined frequency in accordance with
-                                               the organizational continuous monitoring strategy.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security
-                                        controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Mechanisms implementing continuous monitoring
-            - 
-              id:    ca-7_fr
-              name:  item
-              title: CA-7 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         ca-7_fr_gdn.1
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose: 
-                    """
-                      CSPs must provide evidence of closure and remediation of high vulnerabilities
-                                           within the timeframe for standard POA&M updates.
-                    """
-                - 
-                  id:         ca-7_fr_gdn.2
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose: 
-                    """
-                      See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                                           Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                     
-                    """
-        - 
-          id:         ca-9
-          class:      SP800-53
-          title:      Internal System Connections
-          parameters: 
-            - 
-              id:    ca-9_prm_1
-              label: 
-                """
-                  organization-defined information system components or classes of
-                                 components
-                """
-          properties: 
-            - 
-              name:  label
-              value: CA-9
-            - 
-              name:  sort-id
-              value: ca-09
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    ca-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Authorizes internal connections of {{ ca-9_prm_1 }} to the
-                                        information system; and
-                    """
-                - 
-                  id:         ca-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents, for each internal connection, the interface characteristics, security
-                                        requirements, and the nature of the information communicated.
-                    """
-            - 
-              id:    ca-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to connections between organizational information systems and
-                                 (separate) constituent system components (i.e., intra-system connections) including,
-                                 for example, system connections with mobile devices, notebook/desktop computers,
-                                 printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-                                 authorizing each individual internal connection, organizations can authorize internal
-                                 connections for a class of components with common characteristics and/or
-                                 configurations, for example, all digital printers, scanners, and copiers with a
-                                 specified processing, storage, and transmission capability or all smart phones with a
-                                 specific baseline configuration.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-9_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-9(a)
-                  parts: 
-                    - 
-                      id:         ca-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(a)[1]
-                      prose: 
-                        """
-                          defines information system components or classes of components to be authorized
-                                               as internal connections to the information system;
-                        """
-                    - 
-                      id:         ca-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(a)[2]
-                      prose: 
-                        """
-                          authorizes internal connections of organization-defined information system
-                                               components or classes of components to the information system;
-                        """
-                - 
-                  id:         ca-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-9(b)
-                  prose:      documents, for each internal connection:
-                  parts: 
-                    - 
-                      id:         ca-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[1]
-                      prose:      the interface characteristics;
-                    - 
-                      id:         ca-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[2]
-                      prose:      the security requirements; and
-                    - 
-                      id:         ca-9.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[3]
-                      prose:      the nature of the information communicated.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system
-                                        connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for developing, implementing, or
-                                        authorizing internal system connections\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  Condition: There are connection(s) to external systems. Connections (if any) shall
-                                    be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                                    is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                                    bi-directional. 4) Identify how the connection is secured.
-                """
-    - 
-      id:       cm
-      class:    family
-      title:    Configuration Management
-      controls: 
-        - 
-          id:         cm-1
-          class:      SP800-53
-          title:      Configuration Management Policy and Procedures
-          parameters: 
-            - 
-              id:    cm-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    cm-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    cm-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: CM-1
-            - 
-              name:  sort-id
-              value: cm-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    cm-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ cm-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         cm-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A configuration management policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         cm-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the configuration management
-                                               policy and associated configuration management controls; and
-                        """
-                - 
-                  id:         cm-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         cm-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Configuration management policy {{ cm-1_prm_2 }}; and
-                    - 
-                      id:         cm-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Configuration management procedures {{ cm-1_prm_3 }}.
-            - 
-              id:    cm-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CM
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    cm-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-1(a)
-                  parts: 
-                    - 
-                      id:         cm-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(a)(1)
-                      parts: 
-                        - 
-                          id:         cm-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[1]
-                          prose:      develops and documents a configuration management policy that addresses:
-                          parts: 
-                            - 
-                              id:         cm-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         cm-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         cm-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         cm-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         cm-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         cm-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         cm-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         cm-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the configuration management policy is to
-                                                      be disseminated;
-                            """
-                        - 
-                          id:         cm-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the configuration management policy to organization-defined
-                                                      personnel or roles;
-                            """
-                    - 
-                      id:         cm-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(a)(2)
-                      parts: 
-                        - 
-                          id:         cm-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      configuration management policy and associated configuration management
-                                                      controls;
-                            """
-                        - 
-                          id:         cm-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         cm-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         cm-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-1(b)
-                  parts: 
-                    - 
-                      id:         cm-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(b)(1)
-                      parts: 
-                        - 
-                          id:         cm-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current configuration
-                                                      management policy;
-                            """
-                        - 
-                          id:         cm-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current configuration management policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         cm-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(b)(2)
-                      parts: 
-                        - 
-                          id:         cm-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current configuration
-                                                      management procedures; and
-                            """
-                        - 
-                          id:         cm-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current configuration management procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-        - 
-          id:         cm-2
-          class:      SP800-53
-          title:      Baseline Configuration
-          properties: 
-            - 
-              name:  label
-              value: CM-2
-            - 
-              name:  sort-id
-              value: cm-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops, documents, and maintains under configuration control, a
-                                 current baseline configuration of the information system.
-                """
-            - 
-              id:    cm-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control establishes baseline configurations for information systems and system
-                                 components including communications and connectivity-related aspects of systems.
-                                 Baseline configurations are documented, formally reviewed and agreed-upon sets of
-                                 specifications for information systems or configuration items within those systems.
-                                 Baseline configurations serve as a basis for future builds, releases, and/or changes
-                                 to information systems. Baseline configurations include information about information
-                                 system components (e.g., standard software packages installed on workstations,
-                                 notebook computers, servers, network components, or mobile devices; current version
-                                 numbers and patch information on operating systems and applications; and
-                                 configuration settings/parameters), network topology, and the logical placement of
-                                 those components within the system architecture. Maintaining baseline configurations
-                                 requires creating new baselines as organizational information systems change over
-                                 time. Baseline configurations of information systems reflect the current enterprise
-                                 architecture.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #pm-5
-                  rel:  related
-                  text: PM-5
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-            - 
-              id:    cm-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-2_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-2[1]
-                  prose: 
-                    """
-                      develops and documents a current baseline configuration of the information system;
-                                        and
-                    """
-                - 
-                  id:         cm-2_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-2[2]
-                  prose: 
-                    """
-                      maintains, under configuration control, a current baseline configuration of the
-                                        information system.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline
-                                        configuration
-                    """
-        - 
-          id:         cm-4
-          class:      SP800-53
-          title:      Security Impact Analysis
-          properties: 
-            - 
-              name:  label
-              value: CM-4
-            - 
-              name:  sort-id
-              value: cm-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization analyzes changes to the information system to determine potential
-                                 security impacts prior to change implementation.
-                """
-            - 
-              id:    cm-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational personnel with information security responsibilities (e.g.,
-                                 Information System Administrators, Information System Security Officers, Information
-                                 System Security Managers, and Information System Security Engineers) conduct security
-                                 impact analyses. Individuals conducting security impact analyses possess the
-                                 necessary skills/technical expertise to analyze the changes to information systems
-                                 and the associated security ramifications. Security impact analysis may include, for
-                                 example, reviewing security plans to understand security control requirements and
-                                 reviewing system design documentation to understand control implementation and how
-                                 specific changes might affect the controls. Security impact analyses may also include
-                                 assessments of risk to better understand the impact of the changes and to determine
-                                 if additional security controls are required. Security impact analyses are scaled in
-                                 accordance with the security categories of the information systems.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    cm-4_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization analyzes changes to the information system to determine
-                                 potential security impacts prior to change implementation.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information
-                                        system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for conducting security impact
-                                        analysis\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security impact analysis
-        - 
-          id:         cm-6
-          class:      SP800-53
-          title:      Configuration Settings
-          parameters: 
-            - 
-              id:          cm-6_prm_1
-              label:       organization-defined security configuration checklists
-              constraints: 
-                - 
-                  detail: see CM-6(a) Additional FedRAMP Requirements and Guidance
-            - 
-              id:    cm-6_prm_2
-              label: organization-defined information system components
-            - 
-              id:    cm-6_prm_3
-              label: organization-defined operational requirements
-          properties: 
-            - 
-              name:  label
-              value: CM-6
-            - 
-              name:  sort-id
-              value: cm-06
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #990268bf-f4a9-4c81-91ae-dc7d3115f4b1
-              rel:  reference
-              text: OMB Memorandum 07-11
-            - 
-              href: #0b3d8ba9-051f-498d-81ea-97f0f018c612
-              rel:  reference
-              text: OMB Memorandum 07-18
-            - 
-              href: #0916ef02-3618-411b-a525-565c088849a6
-              rel:  reference
-              text: OMB Memorandum 08-22
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-            - 
-              href: #e95dd121-2733-413e-bf1e-f1eb49f20a98
-              rel:  reference
-              text: http://checklists.nist.gov
-            - 
-              href: #647b6de3-81d0-4d22-bec1-5f1333e34380
-              rel:  reference
-              text: http://www.nsa.gov
-          parts: 
-            - 
-              id:    cm-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and documents configuration settings for information technology
-                                        products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with
-                                        operational requirements;
-                    """
-                - 
-                  id:         cm-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Implements the configuration settings;
-                - 
-                  id:         cm-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Identifies, documents, and approves any deviations from established configuration
-                                        settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and
-                    """
-                - 
-                  id:         cm-6_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Monitors and controls changes to the configuration settings in accordance with
-                                        organizational policies and procedures.
-                    """
-            - 
-              id:    cm-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Configuration settings are the set of parameters that can be changed in hardware,
-                                 software, or firmware components of the information system that affect the security
-                                 posture and/or functionality of the system. Information technology products for which
-                                 security-related configuration settings can be defined include, for example,
-                                 mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-                                 proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-                                 copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-                                 and data switches, wireless access points, network appliances, sensors), operating
-                                 systems, middleware, and applications. Security-related parameters are those
-                                 parameters impacting the security state of information systems including the
-                                 parameters required to satisfy other security control requirements. Security-related
-                                 parameters include, for example: (i) registry settings; (ii) account, file, directory
-                                 permission settings; and (iii) settings for functions, ports, protocols, services,
-                                 and remote connections. Organizations establish organization-wide configuration
-                                 settings and subsequently derive specific settings for information systems. The
-                                 established settings become part of the systems configuration baseline. Common secure
-                                 configurations (also referred to as security configuration checklists, lockdown and
-                                 hardening guides, security reference guides, security technical implementation
-                                 guides) provide recognized, standardized, and established benchmarks that stipulate
-                                 secure configuration settings for specific information technology platforms/products
-                                 and instructions for configuring those information system components to meet
-                                 operational requirements. Common secure configurations can be developed by a variety
-                                 of organizations including, for example, information technology product developers,
-                                 manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-                                 organizations in the public and private sectors. Common secure configurations include
-                                 the United States Government Configuration Baseline (USGCB) which affects the
-                                 implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-                                 Content Automation Protocol (SCAP) and the defined standards within the protocol
-                                 (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-                                 identify, track, and control configuration settings. OMB establishes federal policy
-                                 on configuration requirements for federal information systems.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    cm-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(a)
-                  parts: 
-                    - 
-                      id:         cm-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(a)[1]
-                      prose: 
-                        """
-                          defines security configuration checklists to be used to establish and document
-                                               configuration settings for the information technology products employed;
-                        """
-                    - 
-                      id:         cm-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(a)[2]
-                      prose: 
-                        """
-                          ensures the defined security configuration checklists reflect the most
-                                               restrictive mode consistent with operational requirements;
-                        """
-                    - 
-                      id:         cm-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(a)[3]
-                      prose: 
-                        """
-                          establishes and documents configuration settings for information technology
-                                               products employed within the information system using organization-defined
-                                               security configuration checklists;
-                        """
-                - 
-                  id:         cm-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(b)
-                  prose:      implements the configuration settings established/documented in CM-6(a);;
-                - 
-                  id:         cm-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(c)
-                  parts: 
-                    - 
-                      id:         cm-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(c)[1]
-                      prose: 
-                        """
-                          defines information system components for which any deviations from established
-                                               configuration settings must be:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-6.c_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][a]
-                          prose:      identified;
-                        - 
-                          id:         cm-6.c_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][b]
-                          prose:      documented;
-                        - 
-                          id:         cm-6.c_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][c]
-                          prose:      approved;
-                    - 
-                      id:         cm-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(c)[2]
-                      prose:      defines operational requirements to support:
-                      parts: 
-                        - 
-                          id:         cm-6.c_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][a]
-                          prose: 
-                            """
-                              the identification of any deviations from established configuration
-                                                      settings;
-                            """
-                        - 
-                          id:         cm-6.c_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][b]
-                          prose: 
-                            """
-                              the documentation of any deviations from established configuration
-                                                      settings;
-                            """
-                        - 
-                          id:         cm-6.c_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][c]
-                          prose:      the approval of any deviations from established configuration settings;
-                    - 
-                      id:         cm-6.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(c)[3]
-                      prose: 
-                        """
-                          identifies any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                    - 
-                      id:         cm-6.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(c)[4]
-                      prose: 
-                        """
-                          documents any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                    - 
-                      id:         cm-6.c_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(c)[5]
-                      prose: 
-                        """
-                          approves any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                - 
-                  id:         cm-6.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(d)
-                  parts: 
-                    - 
-                      id:         cm-6.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(d)[1]
-                      prose: 
-                        """
-                          monitors changes to the configuration settings in accordance with
-                                               organizational policies and procedures; and
-                        """
-                    - 
-                      id:         cm-6.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-6(d)[2]
-                      prose: 
-                        """
-                          controls changes to the configuration settings in accordance with
-                                               organizational policies and procedures.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration
-                                        settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security configuration management
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and/or control information system
-                                        configuration settings\n\nautomated mechanisms that identify and/or document deviations from established
-                                        configuration settings
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Required - Specifically include details of least functionality.
-            - 
-              id:    cm-6_fr
-              name:  item
-              title: CM-6(a) Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         cm-6_fr_smt.1
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: Requirement 1:
-                  prose: 
-                    """
-                      The service provider shall use the Center for Internet Security guidelines
-                                           (Level 1) to establish configuration settings or establishes its own
-                                           configuration settings if USGCB is not available. 
-                    """
-                - 
-                  id:         cm-6_fr_smt.2
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: Requirement 2:
-                  prose: 
-                    """
-                      The service provider shall ensure that checklists for configuration settings
-                                           are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP
-                                           compatible (if validated checklists are not available).
-                    """
-                - 
-                  id:         cm-6_fr_gdn.1
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose:      Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline).
-        - 
-          id:         cm-7
-          class:      SP800-53
-          title:      Least Functionality
-          parameters: 
-            - 
-              id:    cm-7_prm_1
-              label: 
-                """
-                  organization-defined prohibited or restricted functions, ports, protocols, and/or
-                                 services
-                """
-          properties: 
-            - 
-              name:  label
-              value: CM-7
-            - 
-              name:  sort-id
-              value: cm-07
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #e42b2099-3e1c-415b-952c-61c96533c12e
-              rel:  reference
-              text: DoD Instruction 8551.01
-          parts: 
-            - 
-              id:    cm-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Configures the information system to provide only essential capabilities; and
-                - 
-                  id:         cm-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Prohibits or restricts the use of the following functions, ports, protocols,
-                                        and/or services: {{ cm-7_prm_1 }}.
-                    """
-            - 
-              id:    cm-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems can provide a wide variety of functions and services. Some of the
-                                 functions and services, provided by default, may not be necessary to support
-                                 essential organizational operations (e.g., key missions, functions). Additionally, it
-                                 is sometimes convenient to provide multiple services from single information system
-                                 components, but doing so increases risk over limiting the services provided by any
-                                 one component. Where feasible, organizations limit component functionality to a
-                                 single function per device (e.g., email servers or web servers, but not both).
-                                 Organizations review functions and services provided by information systems or
-                                 individual components of information systems, to determine which functions and
-                                 services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-                                 Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-                                 or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-                                 Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-                                 prevent unauthorized connection of devices, unauthorized transfer of information, or
-                                 unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-                                 detection and prevention systems, and end-point protections such as firewalls and
-                                 host-based intrusion detection systems to identify and prevent the use of prohibited
-                                 functions, ports, protocols, and services.
-                """
-              links: 
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    cm-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-7(a)
-                  prose:      configures the information system to provide only essential capabilities;
-                - 
-                  id:         cm-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-7(b)
-                  parts: 
-                    - 
-                      id:         cm-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-7(b)[1]
-                      prose:      defines prohibited or restricted:
-                      parts: 
-                        - 
-                          id:         cm-7.b_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][a]
-                          prose:      functions;
-                        - 
-                          id:         cm-7.b_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][b]
-                          prose:      ports;
-                        - 
-                          id:         cm-7.b_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][c]
-                          prose:      protocols; and/or
-                        - 
-                          id:         cm-7.b_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][d]
-                          prose:      services;
-                    - 
-                      id:         cm-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-7(b)[2]
-                      prose:      prohibits or restricts the use of organization-defined:
-                      parts: 
-                        - 
-                          id:         cm-7.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][a]
-                          prose:      functions;
-                        - 
-                          id:         cm-7.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][b]
-                          prose:      ports;
-                        - 
-                          id:         cm-7.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][c]
-                          prose:      protocols; and/or
-                        - 
-                          id:         cm-7.b_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][d]
-                          prose:      services.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security configuration management
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes prohibiting or restricting functions, ports, protocols,
-                                        and/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports,
-                                        protocols, and/or services
-                    """
-        - 
-          id:         cm-8
-          class:      SP800-53
-          title:      Information System Component Inventory
-          parameters: 
-            - 
-              id:    cm-8_prm_1
-              label: 
-                """
-                  organization-defined information deemed necessary to achieve effective
-                                 information system component accountability
-                """
-            - 
-              id:          cm-8_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  label
-              value: CM-8
-            - 
-              name:  sort-id
-              value: cm-08
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops and documents an inventory of information system components that:
-                  parts: 
-                    - 
-                      id:         cm-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Accurately reflects the current information system;
-                    - 
-                      id:         cm-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Includes all components within the authorization boundary of the information
-                                               system;
-                        """
-                    - 
-                      id:         cm-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Is at the level of granularity deemed necessary for tracking and reporting;
-                                               and
-                        """
-                    - 
-                      id:         cm-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose:      Includes {{ cm-8_prm_1 }}; and
-                - 
-                  id:         cm-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the information system component inventory {{ cm-8_prm_2 }}.
-            - 
-              id:    cm-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations may choose to implement centralized information system component
-                                 inventories that include components from all organizational information systems. In
-                                 such situations, organizations ensure that the resulting inventories include
-                                 system-specific information required for proper component accountability (e.g.,
-                                 information system association, information system owner). Information deemed
-                                 necessary for effective accountability of information system components includes, for
-                                 example, hardware inventory specifications, software license information, software
-                                 version numbers, component owners, and for networked components or devices, machine
-                                 names and network addresses. Inventory specifications include, for example,
-                                 manufacturer, device type, model, serial number, and physical location.
-                """
-              links: 
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pm-5
-                  rel:  related
-                  text: PM-5
-            - 
-              id:    cm-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-8(a)
-                  parts: 
-                    - 
-                      id:         cm-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(a)(1)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that
-                                               accurately reflects the current information system;
-                        """
-                    - 
-                      id:         cm-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(a)(2)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that
-                                               includes all components within the authorization boundary of the information
-                                               system;
-                        """
-                    - 
-                      id:         cm-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(a)(3)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that is at
-                                               the level of granularity deemed necessary for tracking and reporting;
-                        """
-                    - 
-                      id:         cm-8.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(a)(4)
-                      parts: 
-                        - 
-                          id:         cm-8.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-8(a)(4)[1]
-                          prose: 
-                            """
-                              defines the information deemed necessary to achieve effective information
-                                                      system component accountability;
-                            """
-                        - 
-                          id:         cm-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-8(a)(4)[2]
-                          prose: 
-                            """
-                              develops and documents an inventory of information system components that
-                                                      includes organization-defined information deemed necessary to achieve
-                                                      effective information system component accountability;
-                            """
-                - 
-                  id:         cm-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-8(b)
-                  parts: 
-                    - 
-                      id:         cm-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update the information system component
-                                               inventory; and
-                        """
-                    - 
-                      id:         cm-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the information system component inventory with the
-                                               organization-defined frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system component
-                                        inventory\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for developing and documenting an inventory of
-                                        information system components\n\nautomated mechanisms supporting and/or implementing the information system
-                                        component inventory
-                    """
-            - 
-              id:    cm-8_fr
-              name:  item
-              title: CM-8 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         cm-8_fr_smt.1
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: Requirement:
-                  prose:      Must be provided at least monthly or when there is a change.
-        - 
-          id:         cm-10
-          class:      SP800-53
-          title:      Software Usage Restrictions
-          properties: 
-            - 
-              name:  label
-              value: CM-10
-            - 
-              name:  sort-id
-              value: cm-10
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          parts: 
-            - 
-              id:    cm-10_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-10_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Uses software and associated documentation in accordance with contract agreements
-                                        and copyright laws;
-                    """
-                - 
-                  id:         cm-10_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Tracks the use of software and associated documentation protected by quantity
-                                        licenses to control copying and distribution; and
-                    """
-                - 
-                  id:         cm-10_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Controls and documents the use of peer-to-peer file sharing technology to ensure
-                                        that this capability is not used for the unauthorized distribution, display,
-                                        performance, or reproduction of copyrighted work.
-                    """
-            - 
-              id:    cm-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Software license tracking can be accomplished by manual methods (e.g., simple
-                                 spreadsheets) or automated methods (e.g., specialized tracking applications)
-                                 depending on organizational needs.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    cm-10_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-10.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-10(a)
-                  prose: 
-                    """
-                      uses software and associated documentation in accordance with contract agreements
-                                        and copyright laws;
-                    """
-                - 
-                  id:         cm-10.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-10(b)
-                  prose: 
-                    """
-                      tracks the use of software and associated documentation protected by quantity
-                                        licenses to control copying and distribution; and
-                    """
-                - 
-                  id:         cm-10.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-10(c)
-                  prose: 
-                    """
-                      controls and documents the use of peer-to-peer file sharing technology to ensure
-                                        that this capability is not used for the unauthorized distribution, display,
-                                        performance, or reproduction of copyrighted work.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\norganizational personnel with software license management responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for tracking the use of software protected by quantity
-                                        licenses\n\norganization process for controlling/documenting the use of peer-to-peer file
-                                        sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files
-                                        sharing technology
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: NSO- Not directly related to protection of the data.
-        - 
-          id:         cm-11
-          class:      SP800-53
-          title:      User-installed Software
-          parameters: 
-            - 
-              id:    cm-11_prm_1
-              label: organization-defined policies
-            - 
-              id:    cm-11_prm_2
-              label: organization-defined methods
-            - 
-              id:    cm-11_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: CM-11
-            - 
-              name:  sort-id
-              value: cm-11
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          parts: 
-            - 
-              id:    cm-11_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes {{ cm-11_prm_1 }} governing the installation of
-                                        software by users;
-                    """
-                - 
-                  id:         cm-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Enforces software installation policies through {{ cm-11_prm_2 }};
-                                        and
-                    """
-                - 
-                  id:         cm-11_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Monitors policy compliance at {{ cm-11_prm_3 }}.
-            - 
-              id:    cm-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  If provided the necessary privileges, users have the ability to install software in
-                                 organizational information systems. To maintain control over the types of software
-                                 installed, organizations identify permitted and prohibited actions regarding software
-                                 installation. Permitted software installations may include, for example, updates and
-                                 security patches to existing software and downloading applications from
-                                 organization-approved “app stores” Prohibited software installations may include, for
-                                 example, software with unknown or suspect pedigrees or software that organizations
-                                 consider potentially malicious. The policies organizations select governing
-                                 user-installed software may be organization-developed or provided by some external
-                                 entity. Policy enforcement methods include procedural methods (e.g., periodic
-                                 examination of user accounts), automated methods (e.g., configuration settings
-                                 implemented on organizational information systems), or both.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    cm-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(a)
-                  parts: 
-                    - 
-                      id:         cm-11.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-11(a)[1]
-                      prose:      defines policies to govern the installation of software by users;
-                    - 
-                      id:         cm-11.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-11(a)[2]
-                      prose: 
-                        """
-                          establishes organization-defined policies governing the installation of
-                                               software by users;
-                        """
-                - 
-                  id:         cm-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(b)
-                  parts: 
-                    - 
-                      id:         cm-11.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-11(b)[1]
-                      prose:      defines methods to enforce software installation policies;
-                    - 
-                      id:         cm-11.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-11(b)[2]
-                      prose: 
-                        """
-                          enforces software installation policies through organization-defined
-                                               methods;
-                        """
-                - 
-                  id:         cm-11.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(c)
-                  parts: 
-                    - 
-                      id:         cm-11.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-11(c)[1]
-                      prose:      defines frequency to monitor policy compliance; and
-                    - 
-                      id:         cm-11.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-11(c)[2]
-                      prose:      monitors policy compliance at organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for governing user-installed
-                                        software\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\norganizational personnel monitoring compliance with user-installed software
-                                        policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes governing user-installed software on the information
-                                        system\n\nautomated mechanisms enforcing rules/methods for governing the installation of
-                                        software by users\n\nautomated mechanisms monitoring policy compliance
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - Boundary is specific to SaaS environment; all access is via web services;
-                                    users' machine or internal network are not contemplated. External services (SA-9),
-                                    internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and
-                                    SC-13), and privileged authentication (IA-2[1]) are considerations.
-                """
-    - 
-      id:       cp
-      class:    family
-      title:    Contingency Planning
-      controls: 
-        - 
-          id:         cp-1
-          class:      SP800-53
-          title:      Contingency Planning Policy and Procedures
-          parameters: 
-            - 
-              id:    cp-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    cp-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    cp-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: CP-1
-            - 
-              name:  sort-id
-              value: cp-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    cp-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ cp-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         cp-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A contingency planning policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         cp-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the contingency planning policy
-                                               and associated contingency planning controls; and
-                        """
-                - 
-                  id:         cp-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         cp-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Contingency planning policy {{ cp-1_prm_2 }}; and
-                    - 
-                      id:         cp-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Contingency planning procedures {{ cp-1_prm_3 }}.
-            - 
-              id:    cp-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CP
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    cp-1_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         cp-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-1(a)
-                  parts: 
-                    - 
-                      id:         cp-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(a)(1)
-                      parts: 
-                        - 
-                          id:         cp-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[1]
-                          prose: 
-                            """
-                              the organization develops and documents a contingency planning policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         cp-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         cp-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         cp-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         cp-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         cp-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         cp-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         cp-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         cp-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[2]
-                          prose: 
-                            """
-                              the organization defines personnel or roles to whom the contingency planning
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         cp-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[3]
-                          prose: 
-                            """
-                              the organization disseminates the contingency planning policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         cp-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(a)(2)
-                      parts: 
-                        - 
-                          id:         cp-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[1]
-                          prose: 
-                            """
-                              the organization develops and documents procedures to facilitate the
-                                                      implementation of the contingency planning policy and associated contingency
-                                                      planning controls;
-                            """
-                        - 
-                          id:         cp-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[2]
-                          prose: 
-                            """
-                              the organization defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         cp-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[3]
-                          prose: 
-                            """
-                              the organization disseminates the procedures to organization-defined
-                                                      personnel or roles;
-                            """
-                - 
-                  id:         cp-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-1(b)
-                  parts: 
-                    - 
-                      id:         cp-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(b)(1)
-                      parts: 
-                        - 
-                          id:         cp-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(b)(1)[1]
-                          prose: 
-                            """
-                              the organization defines the frequency to review and update the current
-                                                      contingency planning policy;
-                            """
-                        - 
-                          id:         cp-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(b)(1)[2]
-                          prose: 
-                            """
-                              the organization reviews and updates the current contingency planning with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         cp-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(b)(2)
-                      parts: 
-                        - 
-                          id:         cp-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(b)(2)[1]
-                          prose: 
-                            """
-                              the organization defines the frequency to review and update the current
-                                                      contingency planning procedures; and
-                            """
-                        - 
-                          id:         cp-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-1(b)(2)[2]
-                          prose: 
-                            """
-                              the organization reviews and updates the current contingency planning
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         cp-2
-          class:      SP800-53
-          title:      Contingency Plan
-          parameters: 
-            - 
-              id:    cp-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    cp-2_prm_2
-              label: 
-                """
-                  organization-defined key contingency personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-            - 
-              id:    cp-2_prm_3
-              label: organization-defined frequency
-            - 
-              id:    cp-2_prm_4
-              label: 
-                """
-                  organization-defined key contingency personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-          properties: 
-            - 
-              name:  label
-              value: CP-2
-            - 
-              name:  sort-id
-              value: cp-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops a contingency plan for the information system that:
-                  parts: 
-                    - 
-                      id:         cp-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Identifies essential missions and business functions and associated contingency
-                                               requirements;
-                        """
-                    - 
-                      id:         cp-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Provides recovery objectives, restoration priorities, and metrics;
-                    - 
-                      id:         cp-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Addresses contingency roles, responsibilities, assigned individuals with
-                                               contact information;
-                        """
-                    - 
-                      id:         cp-2_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Addresses maintaining essential missions and business functions despite an
-                                               information system disruption, compromise, or failure;
-                        """
-                    - 
-                      id:         cp-2_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose: 
-                        """
-                          Addresses eventual, full information system restoration without deterioration
-                                               of the security safeguards originally planned and implemented; and
-                        """
-                    - 
-                      id:         cp-2_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose:      Is reviewed and approved by {{ cp-2_prm_1 }};
-                - 
-                  id:         cp-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Distributes copies of the contingency plan to {{ cp-2_prm_2 }};
-                - 
-                  id:         cp-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Coordinates contingency planning activities with incident handling activities;
-                - 
-                  id:         cp-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Reviews the contingency plan for the information system {{ cp-2_prm_3 }};
-                - 
-                  id:         cp-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Updates the contingency plan to address changes to the organization, information
-                                        system, or environment of operation and problems encountered during contingency
-                                        plan implementation, execution, or testing;
-                    """
-                - 
-                  id:         cp-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Communicates contingency plan changes to {{ cp-2_prm_4 }}; and
-                - 
-                  id:         cp-2_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Protects the contingency plan from unauthorized disclosure and modification.
-            - 
-              id:    cp-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Contingency planning for information systems is part of an overall organizational
-                                 program for achieving continuity of operations for mission/business functions.
-                                 Contingency planning addresses both information system restoration and implementation
-                                 of alternative mission/business processes when systems are compromised. The
-                                 effectiveness of contingency planning is maximized by considering such planning
-                                 throughout the phases of the system development life cycle. Performing contingency
-                                 planning on hardware, software, and firmware development can be an effective means of
-                                 achieving information system resiliency. Contingency plans reflect the degree of
-                                 restoration required for organizational information systems since not all systems may
-                                 need to fully recover to achieve the level of continuity of operations desired.
-                                 Information system recovery objectives reflect applicable laws, Executive Orders,
-                                 directives, policies, standards, regulations, and guidelines. In addition to
-                                 information system availability, contingency plans also address other
-                                 security-related events resulting in a reduction in mission and/or business
-                                 effectiveness, such as malicious attacks compromising the confidentiality or
-                                 integrity of information systems. Actions addressed in contingency plans include, for
-                                 example, orderly/graceful degradation, information system shutdown, fallback to a
-                                 manual mode, alternate information flows, and operating in modes reserved for when
-                                 systems are under attack. By closely coordinating contingency planning with incident
-                                 handling activities, organizations can ensure that the necessary contingency planning
-                                 activities are in place and activated in the event of a security incident.
-                """
-              links: 
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pm-8
-                  rel:  related
-                  text: PM-8
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-            - 
-              id:    cp-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cp-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(a)
-                  prose:      develops and documents a contingency plan for the information system that:
-                  parts: 
-                    - 
-                      id:         cp-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(1)
-                      prose: 
-                        """
-                          identifies essential missions and business functions and associated contingency
-                                               requirements;
-                        """
-                    - 
-                      id:         cp-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(2)
-                      parts: 
-                        - 
-                          id:         cp-2.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[1]
-                          prose:      provides recovery objectives;
-                        - 
-                          id:         cp-2.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[2]
-                          prose:      provides restoration priorities;
-                        - 
-                          id:         cp-2.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[3]
-                          prose:      provides metrics;
-                    - 
-                      id:         cp-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(3)
-                      parts: 
-                        - 
-                          id:         cp-2.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[1]
-                          prose:      addresses contingency roles;
-                        - 
-                          id:         cp-2.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[2]
-                          prose:      addresses contingency responsibilities;
-                        - 
-                          id:         cp-2.a.3_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[3]
-                          prose:      addresses assigned individuals with contact information;
-                    - 
-                      id:         cp-2.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(4)
-                      prose: 
-                        """
-                          addresses maintaining essential missions and business functions despite an
-                                               information system disruption, compromise, or failure;
-                        """
-                    - 
-                      id:         cp-2.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(5)
-                      prose: 
-                        """
-                          addresses eventual, full information system restoration without deterioration
-                                               of the security safeguards originally planned and implemented;
-                        """
-                    - 
-                      id:         cp-2.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(6)
-                      parts: 
-                        - 
-                          id:         cp-2.a.6_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(6)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to review and approve the contingency plan for
-                                                      the information system;
-                            """
-                        - 
-                          id:         cp-2.a.6_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(6)[2]
-                          prose:      is reviewed and approved by organization-defined personnel or roles;
-                - 
-                  id:         cp-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(b)
-                  parts: 
-                    - 
-                      id:         cp-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(b)[1]
-                      prose: 
-                        """
-                          defines key contingency personnel (identified by name and/or by role) and
-                                               organizational elements to whom copies of the contingency plan are to be
-                                               distributed;
-                        """
-                    - 
-                      id:         cp-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the contingency plan to organization-defined key
-                                               contingency personnel and organizational elements;
-                        """
-                - 
-                  id:         cp-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(c)
-                  prose:      coordinates contingency planning activities with incident handling activities;
-                - 
-                  id:         cp-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(d)
-                  parts: 
-                    - 
-                      id:         cp-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(d)[1]
-                      prose: 
-                        """
-                          defines a frequency to review the contingency plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(d)[2]
-                      prose:      reviews the contingency plan with the organization-defined frequency;
-                - 
-                  id:         cp-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(e)
-                  prose:      updates the contingency plan to address:
-                  parts: 
-                    - 
-                      id:         cp-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(e)[1]
-                      prose: 
-                        """
-                          changes to the organization, information system, or environment of
-                                               operation;
-                        """
-                    - 
-                      id:         cp-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(e)[2]
-                      prose:      problems encountered during plan implementation, execution, and testing;
-                - 
-                  id:         cp-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(f)
-                  parts: 
-                    - 
-                      id:         cp-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(f)[1]
-                      prose: 
-                        """
-                          defines key contingency personnel (identified by name and/or by role) and
-                                               organizational elements to whom contingency plan changes are to be
-                                               communicated;
-                        """
-                    - 
-                      id:         cp-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(f)[2]
-                      prose: 
-                        """
-                          communicates contingency plan changes to organization-defined key contingency
-                                               personnel and organizational elements; and
-                        """
-                - 
-                  id:         cp-2.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(g)
-                  prose:      protects the contingency plan from unauthorized disclosure and modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning and plan implementation
-                                        responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for contingency plan development, review, update, and
-                                        protection\n\nautomated mechanisms for developing, reviewing, updating and/or protecting the
-                                        contingency plan
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - Loss of availability of the SaaS has been determined as little or no impact
-                                    to government business/mission needs.
-                """
-        - 
-          id:         cp-3
-          class:      SP800-53
-          title:      Contingency Training
-          parameters: 
-            - 
-              id:    cp-3_prm_1
-              label: organization-defined time period
-            - 
-              id:    cp-3_prm_2
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: CP-3
-            - 
-              name:  sort-id
-              value: cp-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    cp-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides contingency training to information system users consistent
-                                 with assigned roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         cp-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Within {{ cp-3_prm_1 }} of assuming a contingency role or
-                                        responsibility;
-                    """
-                - 
-                  id:         cp-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         cp-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ cp-3_prm_2 }} thereafter.
-                    """
-            - 
-              id:    cp-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Contingency training provided by organizations is linked to the assigned roles and
-                                 responsibilities of organizational personnel to ensure that the appropriate content
-                                 and level of detail is included in such training. For example, regular users may only
-                                 need to know when and where to report for duty during contingency operations and if
-                                 normal duties are affected; system administrators may require additional training on
-                                 how to set up information systems at alternate processing and storage sites; and
-                                 managers/senior leaders may receive more specific training on how to conduct
-                                 mission-essential functions in designated off-site locations and how to establish
-                                 communications with other governmental entities for purposes of coordination on
-                                 contingency-related activities. Training for contingency roles/responsibilities
-                                 reflects the specific continuity requirements in the contingency plan.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ir-2
-                  rel:  related
-                  text: IR-2
-            - 
-              id:    cp-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cp-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(a)
-                  parts: 
-                    - 
-                      id:         cp-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-3(a)[1]
-                      prose: 
-                        """
-                          defines a time period within which contingency training is to be provided to
-                                               information system users assuming a contingency role or responsibility;
-                        """
-                    - 
-                      id:         cp-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-3(a)[2]
-                      prose: 
-                        """
-                          provides contingency training to information system users consistent with
-                                               assigned roles and responsibilities within the organization-defined time period
-                                               of assuming a contingency role or responsibility;
-                        """
-                - 
-                  id:         cp-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(b)
-                  prose: 
-                    """
-                      provides contingency training to information system users consistent with assigned
-                                        roles and responsibilities when required by information system changes;
-                    """
-                - 
-                  id:         cp-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(c)
-                  parts: 
-                    - 
-                      id:         cp-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-3(c)[1]
-                      prose:      defines the frequency for contingency training thereafter; and
-                    - 
-                      id:         cp-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-3(c)[2]
-                      prose: 
-                        """
-                          provides contingency training to information system users consistent with
-                                               assigned roles and responsibilities with the organization-defined frequency
-                                               thereafter.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning, plan implementation, and
-                                        training responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for contingency training
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - Loss of availability of the SaaS has been determined as little or no impact
-                                    to government business/mission needs.
-                """
-        - 
-          id:         cp-4
-          class:      SP800-53
-          title:      Contingency Plan Testing
-          parameters: 
-            - 
-              id:    cp-4_prm_1
-              label: organization-defined frequency
-            - 
-              id:    cp-4_prm_2
-              label: organization-defined tests
-          properties: 
-            - 
-              name:  label
-              value: CP-4
-            - 
-              name:  sort-id
-              value: cp-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-              rel:  reference
-              text: NIST Special Publication 800-84
-          parts: 
-            - 
-              id:    cp-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the
-                                        effectiveness of the plan and the organizational readiness to execute the
-                                        plan;
-                    """
-                - 
-                  id:         cp-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews the contingency plan test results; and
-                - 
-                  id:         cp-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Initiates corrective actions, if needed.
-            - 
-              id:    cp-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Methods for testing contingency plans to determine the effectiveness of the plans and
-                                 to identify potential weaknesses in the plans include, for example, walk-through and
-                                 tabletop exercises, checklists, simulations (parallel, full interrupt), and
-                                 comprehensive exercises. Organizations conduct testing based on the continuity
-                                 requirements in contingency plans and include a determination of the effects on
-                                 organizational operations, assets, and individuals arising due to contingency
-                                 operations. Organizations have flexibility and discretion in the breadth, depth, and
-                                 timelines of corrective actions.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-3
-                  rel:  related
-                  text: CP-3
-                - 
-                  href: #ir-3
-                  rel:  related
-                  text: IR-3
-            - 
-              id:    cp-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-4(a)
-                  parts: 
-                    - 
-                      id:         cp-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-4(a)[1]
-                      prose: 
-                        """
-                          defines tests to determine the effectiveness of the contingency plan and the
-                                               organizational readiness to execute the plan;
-                        """
-                    - 
-                      id:         cp-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-4(a)[2]
-                      prose: 
-                        """
-                          defines a frequency to test the contingency plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-4(a)[3]
-                      prose: 
-                        """
-                          tests the contingency plan for the information system with the
-                                               organization-defined frequency, using organization-defined tests to determine
-                                               the effectiveness of the plan and the organizational readiness to execute the
-                                               plan;
-                        """
-                - 
-                  id:         cp-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-4(b)
-                  prose:      reviews the contingency plan test results; and
-                - 
-                  id:         cp-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-4(c)
-                  prose:      initiates corrective actions, if needed.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for contingency plan testing,
-                                        reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and/or contingency plan
-                                        testing
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - Loss of availability of the SaaS has been determined as little or no impact
-                                    to government business/mission needs.
-                """
-        - 
-          id:         cp-9
-          class:      SP800-53
-          title:      Information System Backup
-          parameters: 
-            - 
-              id:          cp-9_prm_1
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-            - 
-              id:          cp-9_prm_2
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-            - 
-              id:          cp-9_prm_3
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-          properties: 
-            - 
-              name:  label
-              value: CP-9
-            - 
-              name:  sort-id
-              value: cp-09
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Conducts backups of user-level information contained in the information system
-                                           {{ cp-9_prm_1 }};
-                    """
-                - 
-                  id:         cp-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Conducts backups of system-level information contained in the information system
-                                           {{ cp-9_prm_2 }};
-                    """
-                - 
-                  id:         cp-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Conducts backups of information system documentation including security-related
-                                        documentation {{ cp-9_prm_3 }}; and
-                    """
-                - 
-                  id:         cp-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects the confidentiality, integrity, and availability of backup information at
-                                        storage locations.
-                    """
-            - 
-              id:    cp-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  System-level information includes, for example, system-state information, operating
-                                 system and application software, and licenses. User-level information includes any
-                                 information other than system-level information. Mechanisms employed by organizations
-                                 to protect the integrity of information system backups include, for example, digital
-                                 signatures and cryptographic hashes. Protection of system backup information while in
-                                 transit is beyond the scope of this control. Information system backups reflect the
-                                 requirements in contingency plans as well as other organizational requirements for
-                                 backing up information.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    cp-9_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(a)
-                  parts: 
-                    - 
-                      id:         cp-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(a)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of user-level information contained in the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(a)[2]
-                      prose: 
-                        """
-                          conducts backups of user-level information contained in the information system
-                                               with the organization-defined frequency;
-                        """
-                - 
-                  id:         cp-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(b)
-                  parts: 
-                    - 
-                      id:         cp-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(b)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of system-level information contained in the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(b)[2]
-                      prose: 
-                        """
-                          conducts backups of system-level information contained in the information
-                                               system with the organization-defined frequency;
-                        """
-                - 
-                  id:         cp-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(c)
-                  parts: 
-                    - 
-                      id:         cp-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(c)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of information system documentation including security-related
-                                               documentation;
-                        """
-                    - 
-                      id:         cp-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(c)[2]
-                      prose: 
-                        """
-                          conducts backups of information system documentation, including
-                                               security-related documentation, with the organization-defined frequency;
-                                               and
-                        """
-                - 
-                  id:         cp-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(d)
-                  prose: 
-                    """
-                      protects the confidentiality, integrity, and availability of backup information at
-                                        storage locations.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and/or implementing information system backups
-            - 
-              id:    cp-9_fr
-              name:  item
-              title: CP-9 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         cp-9_fr_smt.1
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: Requirement:
-                  prose: 
-                    """
-                      The service provider shall determine what elements of the cloud environment
-                                           require the Information System Backup control. The service provider shall
-                                           determine how Information System Backup is going to be verified and appropriate
-                                           periodicity of the check.
-                    """
-                - 
-                  id:         cp-9_fr_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(a) Requirement:
-                  prose: 
-                    """
-                      The service provider maintains at least three backup copies of user-level
-                                           information (at least one of which is available online).
-                    """
-                - 
-                  id:         cp-9_fr_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(b)Requirement:
-                  prose: 
-                    """
-                      The service provider maintains at least three backup copies of system-level
-                                           information (at least one of which is available online).
-                    """
-                - 
-                  id:         cp-9_fr_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(c)Requirement:
-                  prose: 
-                    """
-                      The service provider maintains at least three backup copies of information
-                                           system documentation including security information (at least one of which is
-                                           available online).
-                    """
-        - 
-          id:         cp-10
-          class:      SP800-53
-          title:      Information System Recovery and Reconstitution
-          properties: 
-            - 
-              name:  label
-              value: CP-10
-            - 
-              name:  sort-id
-              value: cp-10
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-10_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides for the recovery and reconstitution of the information
-                                 system to a known state after a disruption, compromise, or failure.
-                """
-            - 
-              id:    cp-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Recovery is executing information system contingency plan activities to restore
-                                 organizational missions/business functions. Reconstitution takes place following
-                                 recovery and includes activities for returning organizational information systems to
-                                 fully operational states. Recovery and reconstitution operations reflect mission and
-                                 business priorities, recovery point/time and reconstitution objectives, and
-                                 established organizational metrics consistent with contingency plan requirements.
-                                 Reconstitution includes the deactivation of any interim information system
-                                 capabilities that may have been needed during recovery operations. Reconstitution
-                                 also includes assessments of fully restored information system capabilities,
-                                 reestablishment of continuous monitoring activities, potential information system
-                                 reauthorizations, and activities to prepare the systems against future disruptions,
-                                 compromises, or failures. Recovery/reconstitution capabilities employed by
-                                 organizations can include both automated mechanisms and manual procedures.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #sc-24
-                  rel:  related
-                  text: SC-24
-            - 
-              id:    cp-10_obj
-              name:  objective
-              prose: Determine if the organization provides for: 
-              parts: 
-                - 
-                  id:         cp-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-10[1]
-                  prose:      the recovery of the information system to a known state after:
-                  parts: 
-                    - 
-                      id:         cp-10_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][a]
-                      prose:      a disruption;
-                    - 
-                      id:         cp-10_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][b]
-                      prose:      a compromise; or
-                    - 
-                      id:         cp-10_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][c]
-                      prose:      a failure;
-                - 
-                  id:         cp-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-10[2]
-                  prose:      the reconstitution of the information system to a known state after:
-                  parts: 
-                    - 
-                      id:         cp-10_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][a]
-                      prose:      a disruption;
-                    - 
-                      id:         cp-10_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][b]
-                      prose:      a compromise; or
-                    - 
-                      id:         cp-10_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][c]
-                      prose:      a failure.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning, recovery, and/or
-                                        reconstitution responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes implementing information system recovery and
-                                        reconstitution operations\n\nautomated mechanisms supporting and/or implementing information system recovery
-                                        and reconstitution operations
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO - Loss of availability of the SaaS has been determined as little or no impact
-                                    to government business/mission needs.
-                """
-    - 
-      id:       ia
-      class:    family
-      title:    Identification and Authentication
-      controls: 
-        - 
-          id:         ia-1
-          class:      SP800-53
-          title:      Identification and Authentication Policy and Procedures
-          parameters: 
-            - 
-              id:    ia-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ia-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    ia-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: IA-1
-            - 
-              name:  sort-id
-              value: ia-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ia-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ia-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ia-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ia-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An identification and authentication policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         ia-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the identification and
-                                               authentication policy and associated identification and authentication
-                                               controls; and
-                        """
-                - 
-                  id:         ia-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ia-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Identification and authentication policy {{ ia-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         ia-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Identification and authentication procedures {{ ia-1_prm_3 }}.
-            - 
-              id:    ia-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the IA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ia-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ia-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-1(a)
-                  parts: 
-                    - 
-                      id:         ia-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ia-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an identification and authentication policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         ia-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ia-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ia-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ia-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ia-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ia-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ia-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ia-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the identification and authentication
-                                                      policy is to be disseminated; and
-                            """
-                        - 
-                          id:         ia-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the identification and authentication policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         ia-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ia-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      identification and authentication policy and associated identification and
-                                                      authentication controls;
-                            """
-                        - 
-                          id:         ia-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ia-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ia-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-1(b)
-                  parts: 
-                    - 
-                      id:         ia-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ia-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current identification and
-                                                      authentication policy;
-                            """
-                        - 
-                          id:         ia-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current identification and authentication policy
-                                                      with the organization-defined frequency; and
-                            """
-                    - 
-                      id:         ia-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ia-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current identification and
-                                                      authentication procedures; and
-                            """
-                        - 
-                          id:         ia-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current identification and authentication procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with identification and authentication
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ia-2
-          class:      SP800-53
-          title:      Identification and Authentication (organizational Users)
-          properties: 
-            - 
-              name:  label
-              value: IA-2
-            - 
-              name:  sort-id
-              value: ia-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #ad733a42-a7ed-4774-b988-4930c28852f3
-              rel:  reference
-              text: HSPD-12
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-2_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates organizational users (or
-                                 processes acting on behalf of organizational users).
-                """
-            - 
-              id:    ia-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational users include employees or individuals that organizations deem to have
-                                 equivalent status of employees (e.g., contractors, guest researchers). This control
-                                 applies to all accesses other than: (i) accesses that are explicitly identified and
-                                 documented in AC-14; and (ii) accesses that occur through authorized use of group
-                                 authenticators without individual authentication. Organizations may require unique
-                                 identification of individuals in group accounts (e.g., shared privilege accounts) or
-                                 for detailed accountability of individual activity. Organizations employ passwords,
-                                 tokens, or biometrics to authenticate user identities, or in the case multifactor
-                                 authentication, or some combination thereof. Access to organizational information
-                                 systems is defined as either local access or network access. Local access is any
-                                 access to organizational information systems by users (or processes acting on behalf
-                                 of users) where such access is obtained by direct connections without the use of
-                                 networks. Network access is access to organizational information systems by users (or
-                                 processes acting on behalf of users) where such access is obtained through network
-                                 connections (i.e., nonlocal accesses). Remote access is a type of network access that
-                                 involves communication through external networks (e.g., the Internet). Internal
-                                 networks include local area networks and wide area networks. In addition, the use of
-                                 encrypted virtual private networks (VPNs) for network connections between
-                                 organization-controlled endpoints and non-organization controlled endpoints may be
-                                 treated as internal networks from the perspective of protecting the confidentiality
-                                 and integrity of information traversing the network. Organizations can satisfy the
-                                 identification and authentication requirements in this control by complying with the
-                                 requirements in Homeland Security Presidential Directive 12 consistent with the
-                                 specific organizational implementation plans. Multifactor authentication requires the
-                                 use of two or more different factors to achieve authentication. The factors are
-                                 defined as: (i) something you know (e.g., password, personal identification number
-                                 [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-                                 or (iii) something you are (e.g., biometric). Multifactor solutions that require
-                                 devices separate from information systems gaining access include, for example,
-                                 hardware tokens providing time-based or challenge-response authenticators and smart
-                                 cards such as the U.S. Government Personal Identity Verification card and the DoD
-                                 common access card. In addition to identifying and authenticating users at the
-                                 information system level (i.e., at logon), organizations also employ identification
-                                 and authentication mechanisms at the application level, when necessary, to provide
-                                 increased information security. Identification and authentication requirements for
-                                 other than organizational users are described in IA-8.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-            - 
-              id:    ia-2_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system uniquely identifies and authenticates
-                                 organizational users (or processes acting on behalf of organizational users).
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and/or implementing identification and
-                                        authentication capability
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  NSO for non-privileged users. Attestation for privileged users related to
-                                    multi-factor identification and authentication - specifically include description
-                                    of management of service accounts.
-                """
-          controls: 
-            - 
-              id:         ia-2.1
-              class:      SP800-53-enhancement
-              title:      Network Access to Privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(1)
-                - 
-                  name:  sort-id
-                  value: ia-02.01
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: ASSESS
-              parts: 
-                - 
-                  id:    ia-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for network access to
-                                        privileged accounts.
-                    """
-                - 
-                  id:    ia-2.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:    ia-2.1_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        network access to privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.12
-              class:      SP800-53-enhancement
-              title:      Acceptance of PIV Credentials
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(12)
-                - 
-                  name:  sort-id
-                  value: ia-02.12
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: CONDITIONAL
-              parts: 
-                - 
-                  id:    ia-2.12_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system accepts and electronically verifies Personal Identity
-                                        Verification (PIV) credentials.
-                    """
-                - 
-                  id:    ia-2.12_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to organizations implementing logical access
-                                        control systems (LACS) and physical access control systems (PACS). Personal
-                                        Identity Verification (PIV) credentials are those credentials issued by federal
-                                        agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                                        OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                                        requirements specified in HSPD-12 to enable agency-wide use of PIV
-                                        credentials.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-2.12_obj
-                  name:  objective
-                  prose: Determine if the information system: 
-                  parts: 
-                    - 
-                      id:         ia-2.12_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-2(12)[1]
-                      prose:      accepts Personal Identity Verification (PIV) credentials; and
-                    - 
-                      id:         ia-2.12_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-2(12)[2]
-                      prose:      electronically verifies Personal Identity Verification (PIV) credentials.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing acceptance and verification
-                                               of PIV credentials
-                        """
-                - 
-                  name:  guidance
-                  class: FedRAMP-Tailored-LI-SaaS
-                  prose: 
-                    """
-                      Condition: Must document and assess for privileged users. May attest to this
-                                        control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                                        authentication for all Federal privileged users, if acceptance of PIV credentials
-                                        is not supported. The implementation status and details of how this control is
-                                        implemented must be clearly defined by the CSP.
-                    """
-                - 
-                  id:    ia-2.12_fr
-                  name:  item
-                  title: IA-2 (12) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ia-2.12_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          Include Common Access Card (CAC), i.e., the DoD technical implementation of
-                                               PIV/FIPS 201/HSPD-12.
-                        """
-        - 
-          id:         ia-4
-          class:      SP800-53
-          title:      Identifier Management
-          parameters: 
-            - 
-              id:    ia-4_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ia-4_prm_2
-              label: organization-defined time period
-            - 
-              id:    ia-4_prm_3
-              label: organization-defined time period of inactivity
-          properties: 
-            - 
-              name:  label
-              value: IA-4
-            - 
-              name:  sort-id
-              value: ia-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-          parts: 
-            - 
-              id:    ia-4_smt
-              name:  statement
-              prose: The organization manages information system identifiers by:
-              parts: 
-                - 
-                  id:         ia-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Receiving authorization from {{ ia-4_prm_1 }} to assign an
-                                        individual, group, role, or device identifier;
-                    """
-                - 
-                  id:         ia-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Selecting an identifier that identifies an individual, group, role, or device;
-                - 
-                  id:         ia-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Assigning the identifier to the intended individual, group, role, or device;
-                - 
-                  id:         ia-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and
-                - 
-                  id:         ia-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Disabling the identifier after {{ ia-4_prm_3 }}.
-            - 
-              id:    ia-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Common device identifiers include, for example, media access control (MAC), Internet
-                                 protocol (IP) addresses, or device-unique token identifiers. Management of individual
-                                 identifiers is not applicable to shared information system accounts (e.g., guest and
-                                 anonymous accounts). Typically, individual identifiers are the user names of the
-                                 information system accounts assigned to those individuals. In such instances, the
-                                 account management activities of AC-2 use account names provided by IA-4. This
-                                 control also addresses individual identifiers not necessarily associated with
-                                 information system accounts (e.g., identifiers used in physical security control
-                                 databases accessed by badge reader systems for access to information systems).
-                                 Preventing reuse of identifiers implies preventing the assignment of previously used
-                                 individual, group, role, or device identifiers to different individuals, groups,
-                                 roles, or devices.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #sc-37
-                  rel:  related
-                  text: SC-37
-            - 
-              id:    ia-4_obj
-              name:  objective
-              prose: Determine if the organization manages information system identifiers by: 
-              parts: 
-                - 
-                  id:         ia-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(a)
-                  parts: 
-                    - 
-                      id:         ia-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(a)[1]
-                      prose: 
-                        """
-                          defining personnel or roles from whom authorization must be received to
-                                               assign:
-                        """
-                      parts: 
-                        - 
-                          id:         ia-4.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][a]
-                          prose:      an individual identifier;
-                        - 
-                          id:         ia-4.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][b]
-                          prose:      a group identifier;
-                        - 
-                          id:         ia-4.a_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][c]
-                          prose:      a role identifier; and/or
-                        - 
-                          id:         ia-4.a_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][d]
-                          prose:      a device identifier;
-                    - 
-                      id:         ia-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(a)[2]
-                      prose: 
-                        """
-                          receiving authorization from organization-defined personnel or roles to
-                                               assign:
-                        """
-                      parts: 
-                        - 
-                          id:         ia-4.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][a]
-                          prose:      an individual identifier;
-                        - 
-                          id:         ia-4.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][b]
-                          prose:      a group identifier;
-                        - 
-                          id:         ia-4.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][c]
-                          prose:      a role identifier; and/or
-                        - 
-                          id:         ia-4.a_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][d]
-                          prose:      a device identifier;
-                - 
-                  id:         ia-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(b)
-                  prose:      selecting an identifier that identifies:
-                  parts: 
-                    - 
-                      id:         ia-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[1]
-                      prose:      an individual;
-                    - 
-                      id:         ia-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[2]
-                      prose:      a group;
-                    - 
-                      id:         ia-4.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[3]
-                      prose:      a role; and/or
-                    - 
-                      id:         ia-4.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[4]
-                      prose:      a device;
-                - 
-                  id:         ia-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(c)
-                  prose:      assigning the identifier to the intended:
-                  parts: 
-                    - 
-                      id:         ia-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[1]
-                      prose:      individual;
-                    - 
-                      id:         ia-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[2]
-                      prose:      group;
-                    - 
-                      id:         ia-4.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[3]
-                      prose:      role; and/or
-                    - 
-                      id:         ia-4.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[4]
-                      prose:      device;
-                - 
-                  id:         ia-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(d)
-                  parts: 
-                    - 
-                      id:         ia-4.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(d)[1]
-                      prose:      defining a time period for preventing reuse of identifiers;
-                    - 
-                      id:         ia-4.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(d)[2]
-                      prose:      preventing reuse of identifiers for the organization-defined time period;
-                - 
-                  id:         ia-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(e)
-                  parts: 
-                    - 
-                      id:         ia-4.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(e)[1]
-                      prose:      defining a time period of inactivity to disable the identifier; and
-                    - 
-                      id:         ia-4.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(e)[2]
-                      prose: 
-                        """
-                          disabling the identifier after the organization-defined time period of
-                                               inactivity.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing identifier management
-        - 
-          id:         ia-5
-          class:      SP800-53
-          title:      Authenticator Management
-          parameters: 
-            - 
-              id:    ia-5_prm_1
-              label: organization-defined time period by authenticator type
-          properties: 
-            - 
-              name:  label
-              value: IA-5
-            - 
-              name:  sort-id
-              value: ia-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-5_smt
-              name:  statement
-              prose: The organization manages information system authenticators by:
-              parts: 
-                - 
-                  id:         ia-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Verifying, as part of the initial authenticator distribution, the identity of the
-                                        individual, group, role, or device receiving the authenticator;
-                    """
-                - 
-                  id:         ia-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Establishing initial authenticator content for authenticators defined by the
-                                        organization;
-                    """
-                - 
-                  id:         ia-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensuring that authenticators have sufficient strength of mechanism for their
-                                        intended use;
-                    """
-                - 
-                  id:         ia-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Establishing and implementing administrative procedures for initial authenticator
-                                        distribution, for lost/compromised or damaged authenticators, and for revoking
-                                        authenticators;
-                    """
-                - 
-                  id:         ia-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Changing default content of authenticators prior to information system
-                                        installation;
-                    """
-                - 
-                  id:         ia-5_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                                        authenticators;
-                    """
-                - 
-                  id:         ia-5_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Changing/refreshing authenticators {{ ia-5_prm_1 }};
-                - 
-                  id:         ia-5_smt.h
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: h.
-                  prose: 
-                    """
-                      Protecting authenticator content from unauthorized disclosure and
-                                        modification;
-                    """
-                - 
-                  id:         ia-5_smt.i
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: i.
-                  prose: 
-                    """
-                      Requiring individuals to take, and having devices implement, specific security
-                                        safeguards to protect authenticators; and
-                    """
-                - 
-                  id:         ia-5_smt.j
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: j.
-                  prose: 
-                    """
-                      Changing authenticators for group/role accounts when membership to those accounts
-                                        changes.
-                    """
-            - 
-              id:    ia-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-                                 certificates, and key cards. Initial authenticator content is the actual content
-                                 (e.g., the initial password) as opposed to requirements about authenticator content
-                                 (e.g., minimum password length). In many cases, developers ship information system
-                                 components with factory default authentication credentials to allow for initial
-                                 installation and configuration. Default authentication credentials are often well
-                                 known, easily discoverable, and present a significant security risk. The requirement
-                                 to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-                                 authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-                                 for authenticators stored within organizational information systems (e.g., passwords
-                                 stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-                                 accessible with administrator privileges). Information systems support individual
-                                 authenticator management by organization-defined settings and restrictions for
-                                 various authenticator characteristics including, for example, minimum password
-                                 length, password composition, validation time window for time synchronous one-time
-                                 tokens, and number of allowed rejections during the verification stage of biometric
-                                 authentication. Specific actions that can be taken to safeguard authenticators
-                                 include, for example, maintaining possession of individual authenticators, not
-                                 loaning or sharing individual authenticators with others, and reporting lost, stolen,
-                                 or compromised authenticators immediately. Authenticator management includes issuing
-                                 and revoking, when no longer needed, authenticators for temporary access such as that
-                                 required for remote maintenance. Device authenticators include, for example,
-                                 certificates and passwords.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-            - 
-              id:    ia-5_obj
-              name:  objective
-              prose: Determine if the organization manages information system authenticators by: 
-              parts: 
-                - 
-                  id:         ia-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(a)
-                  prose:      verifying, as part of the initial authenticator distribution, the identity of:
-                  parts: 
-                    - 
-                      id:         ia-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[1]
-                      prose:      the individual receiving the authenticator;
-                    - 
-                      id:         ia-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[2]
-                      prose:      the group receiving the authenticator;
-                    - 
-                      id:         ia-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[3]
-                      prose:      the role receiving the authenticator; and/or
-                    - 
-                      id:         ia-5.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[4]
-                      prose:      the device receiving the authenticator;
-                - 
-                  id:         ia-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(b)
-                  prose: 
-                    """
-                      establishing initial authenticator content for authenticators defined by the
-                                        organization;
-                    """
-                - 
-                  id:         ia-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(c)
-                  prose: 
-                    """
-                      ensuring that authenticators have sufficient strength of mechanism for their
-                                        intended use;
-                    """
-                - 
-                  id:         ia-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(d)
-                  parts: 
-                    - 
-                      id:         ia-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(d)[1]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for initial
-                                               authenticator distribution;
-                        """
-                    - 
-                      id:         ia-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(d)[2]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for lost/compromised or
-                                               damaged authenticators;
-                        """
-                    - 
-                      id:         ia-5.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(d)[3]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for revoking
-                                               authenticators;
-                        """
-                - 
-                  id:         ia-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(e)
-                  prose: 
-                    """
-                      changing default content of authenticators prior to information system
-                                        installation;
-                    """
-                - 
-                  id:         ia-5.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(f)
-                  parts: 
-                    - 
-                      id:         ia-5.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(f)[1]
-                      prose:      establishing minimum lifetime restrictions for authenticators;
-                    - 
-                      id:         ia-5.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(f)[2]
-                      prose:      establishing maximum lifetime restrictions for authenticators;
-                    - 
-                      id:         ia-5.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(f)[3]
-                      prose:      establishing reuse conditions for authenticators;
-                - 
-                  id:         ia-5.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(g)
-                  parts: 
-                    - 
-                      id:         ia-5.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(g)[1]
-                      prose: 
-                        """
-                          defining a time period (by authenticator type) for changing/refreshing
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(g)[2]
-                      prose: 
-                        """
-                          changing/refreshing authenticators with the organization-defined time period by
-                                               authenticator type;
-                        """
-                - 
-                  id:         ia-5.h_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(h)
-                  prose:      protecting authenticator content from unauthorized:
-                  parts: 
-                    - 
-                      id:         ia-5.h_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(h)[1]
-                      prose:      disclosure;
-                    - 
-                      id:         ia-5.h_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(h)[2]
-                      prose:      modification;
-                - 
-                  id:         ia-5.i_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(i)
-                  parts: 
-                    - 
-                      id:         ia-5.i_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(i)[1]
-                      prose: 
-                        """
-                          requiring individuals to take specific security safeguards to protect
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.i_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(i)[2]
-                      prose: 
-                        """
-                          having devices implement specific security safeguards to protect
-                                               authenticators; and
-                        """
-                - 
-                  id:         ia-5.j_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(j)
-                  prose: 
-                    """
-                      changing authenticators for group/role accounts when membership to those accounts
-                                        changes.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system
-                                        authenticators\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing authenticator management
-                                        capability
-                    """
-          controls: 
-            - 
-              id:         ia-5.1
-              class:      SP800-53-enhancement
-              title:      Password-based Authentication
-              parameters: 
-                - 
-                  id:    ia-5.1_prm_1
-                  label: 
-                    """
-                      organization-defined requirements for case sensitivity, number of characters,
-                                        mix of upper-case letters, lower-case letters, numbers, and special characters,
-                                        including minimum requirements for each type
-                    """
-                - 
-                  id:    ia-5.1_prm_2
-                  label: organization-defined number
-                - 
-                  id:    ia-5.1_prm_3
-                  label: organization-defined numbers for lifetime minimum, lifetime maximum
-                - 
-                  id:    ia-5.1_prm_4
-                  label: organization-defined number
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(1)
-                - 
-                  name:  sort-id
-                  value: ia-05.01
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: ATTEST
-              parts: 
-                - 
-                  id:    ia-5.1_smt
-                  name:  statement
-                  prose: The information system, for password-based authentication:
-                  parts: 
-                    - 
-                      id:         ia-5.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Enforces minimum password complexity of {{ ia-5.1_prm_1 }};
-                    - 
-                      id:         ia-5.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Enforces at least the following number of changed characters when new passwords
-                                               are created: {{ ia-5.1_prm_2 }};
-                        """
-                    - 
-                      id:         ia-5.1_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Stores and transmits only cryptographically-protected passwords;
-                    - 
-                      id:         ia-5.1_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose:      Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};
-                    - 
-                      id:         ia-5.1_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)
-                      prose: 
-                        """
-                          Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;
-                                               and
-                        """
-                    - 
-                      id:         ia-5.1_smt.f
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (f)
-                      prose: 
-                        """
-                          Allows the use of a temporary password for system logons with an immediate
-                                               change to a permanent password.
-                        """
-                - 
-                  id:    ia-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to single-factor authentication of individuals
-                                        using passwords as individual or group authenticators, and in a similar manner,
-                                        when passwords are part of multifactor authenticators. This control enhancement
-                                        does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                                        Personal Identity Verification cards). The implementation of such password
-                                        mechanisms may not meet all of the requirements in the enhancement.
-                                        Cryptographically-protected passwords include, for example, encrypted versions of
-                                        passwords and one-way cryptographic hashes of passwords. The number of changed
-                                        characters refers to the number of changes required with respect to the total
-                                        number of positions in the current password. Password lifetime restrictions do not
-                                        apply to temporary passwords. To mitigate certain brute force attacks against
-                                        passwords, organizations may also consider salting passwords.
-                    """
-                  links: 
-                    - 
-                      href: #ia-6
-                      rel:  related
-                      text: IA-6
-                - 
-                  id:    ia-5.1_obj
-                  name:  objective
-                  prose: Determine if, for password-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(a)
-                      parts: 
-                        - 
-                          id:         ia-5.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[1]
-                          prose:      the organization defines requirements for case sensitivity;
-                        - 
-                          id:         ia-5.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[2]
-                          prose:      the organization defines requirements for number of characters;
-                        - 
-                          id:         ia-5.1.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[3]
-                          prose: 
-                            """
-                              the organization defines requirements for the mix of upper-case letters,
-                                                      lower-case letters, numbers and special characters;
-                            """
-                        - 
-                          id:         ia-5.1.a_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[4]
-                          prose: 
-                            """
-                              the organization defines minimum requirements for each type of
-                                                      character;
-                            """
-                        - 
-                          id:         ia-5.1.a_obj.5
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[5]
-                          prose: 
-                            """
-                              the information system enforces minimum password complexity of
-                                                      organization-defined requirements for case sensitivity, number of
-                                                      characters, mix of upper-case letters, lower-case letters, numbers, and
-                                                      special characters, including minimum requirements for each type;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.a
-                          rel:  corresp
-                          text: IA-5(1)(a)
-                    - 
-                      id:         ia-5.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(b)
-                      parts: 
-                        - 
-                          id:         ia-5.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(b)[1]
-                          prose: 
-                            """
-                              the organization defines a minimum number of changed characters to be
-                                                      enforced when new passwords are created;
-                            """
-                        - 
-                          id:         ia-5.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(b)[2]
-                          prose: 
-                            """
-                              the information system enforces at least the organization-defined minimum
-                                                      number of characters that must be changed when new passwords are
-                                                      created;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.b
-                          rel:  corresp
-                          text: IA-5(1)(b)
-                    - 
-                      id:         ia-5.1.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(c)
-                      prose: 
-                        """
-                          the information system stores and transmits only encrypted representations of
-                                               passwords;
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.c
-                          rel:  corresp
-                          text: IA-5(1)(c)
-                    - 
-                      id:         ia-5.1.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(d)
-                      parts: 
-                        - 
-                          id:         ia-5.1.d_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[1]
-                          prose: 
-                            """
-                              the organization defines numbers for password minimum lifetime restrictions
-                                                      to be enforced for passwords;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[2]
-                          prose: 
-                            """
-                              the organization defines numbers for password maximum lifetime restrictions
-                                                      to be enforced for passwords;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[3]
-                          prose: 
-                            """
-                              the information system enforces password minimum lifetime restrictions of
-                                                      organization-defined numbers for lifetime minimum;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[4]
-                          prose: 
-                            """
-                              the information system enforces password maximum lifetime restrictions of
-                                                      organization-defined numbers for lifetime maximum;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.d
-                          rel:  corresp
-                          text: IA-5(1)(d)
-                    - 
-                      id:         ia-5.1.e_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(e)
-                      parts: 
-                        - 
-                          id:         ia-5.1.e_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(e)[1]
-                          prose: 
-                            """
-                              the organization defines the number of password generations to be prohibited
-                                                      from password reuse;
-                            """
-                        - 
-                          id:         ia-5.1.e_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(1)(e)[2]
-                          prose: 
-                            """
-                              the information system prohibits password reuse for the organization-defined
-                                                      number of generations; and
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.e
-                          rel:  corresp
-                          text: IA-5(1)(e)
-                    - 
-                      id:         ia-5.1.f_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(f)
-                      prose: 
-                        """
-                          the information system allows the use of a temporary password for system logons
-                                               with an immediate change to a permanent password.
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.f
-                          rel:  corresp
-                          text: IA-5(1)(f)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing password-based
-                                               authenticator management capability
-                        """
-            - 
-              id:         ia-5.11
-              class:      SP800-53-enhancement
-              title:      Hardware Token-based Authentication
-              parameters: 
-                - 
-                  id:    ia-5.11_prm_1
-                  label: organization-defined token quality requirements
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(11)
-                - 
-                  name:  sort-id
-                  value: ia-05.11
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: FED
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: CONDITIONAL
-              parts: 
-                - 
-                  id:    ia-5.11_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system, for hardware token-based authentication, employs
-                                        mechanisms that satisfy {{ ia-5.11_prm_1 }}.
-                    """
-                - 
-                  id:    ia-5.11_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Hardware token-based authentication typically refers to the use of PKI-based
-                                        tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                                        Organizations define specific requirements for tokens, such as working with a
-                                        particular PKI.
-                    """
-                - 
-                  id:    ia-5.11_obj
-                  name:  objective
-                  prose: Determine if, for hardware token-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.11_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(11)[1]
-                      prose:      the organization defines token quality requirements to be satisfied; and
-                    - 
-                      id:         ia-5.11_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(11)[2]
-                      prose: 
-                        """
-                          the information system employs mechanisms that satisfy organization-defined
-                                               token quality requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the
-                                               information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing hardware token-based
-                                               authenticator management capability
-                        """
-                - 
-                  name:  guidance
-                  class: FedRAMP-Tailored-LI-SaaS
-                  prose: 
-                    """
-                      FED - for Federal privileged users. Condition - Must document and assess for
-                                        privileged users. May attest to this control for non-privileged users.
-                    """
-        - 
-          id:         ia-6
-          class:      SP800-53
-          title:      Authenticator Feedback
-          properties: 
-            - 
-              name:  label
-              value: IA-6
-            - 
-              name:  sort-id
-              value: ia-06
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          parts: 
-            - 
-              id:    ia-6_smt
-              name:  statement
-              prose: 
-                """
-                  The information system obscures feedback of authentication information during the
-                                 authentication process to protect the information from possible exploitation/use by
-                                 unauthorized individuals.
-                """
-            - 
-              id:    ia-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  The feedback from information systems does not provide information that would allow
-                                 unauthorized individuals to compromise authentication mechanisms. For some types of
-                                 information systems or system components, for example, desktops/notebooks with
-                                 relatively large monitors, the threat (often referred to as shoulder surfing) may be
-                                 significant. For other types of systems or components, for example, mobile devices
-                                 with 2-4 inch screens, this threat may be less significant, and may need to be
-                                 balanced against the increased likelihood of typographic input errors due to the
-                                 small keyboards. Therefore, the means for obscuring the authenticator feedback is
-                                 selected accordingly. Obscuring the feedback of authentication information includes,
-                                 for example, displaying asterisks when users type passwords into input devices, or
-                                 displaying feedback for a very limited time before fully obscuring it.
-                """
-              links: 
-                - 
-                  href: #pe-18
-                  rel:  related
-                  text: PE-18
-            - 
-              id:    ia-6_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system obscures feedback of authentication information
-                                 during the authentication process to protect the information from possible
-                                 exploitation/use by unauthorized individuals.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                                        authentication information during authentication
-                    """
-        - 
-          id:         ia-7
-          class:      SP800-53
-          title:      Cryptographic Module Authentication
-          properties: 
-            - 
-              name:  label
-              value: IA-7
-            - 
-              name:  sort-id
-              value: ia-07
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-              rel:  reference
-              text: FIPS Publication 140
-            - 
-              href: #b09d1a31-d3c9-4138-a4f4-4c63816afd7d
-              rel:  reference
-              text: http://csrc.nist.gov/groups/STM/cmvp/index.html
-          parts: 
-            - 
-              id:    ia-7_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements mechanisms for authentication to a cryptographic
-                                 module that meet the requirements of applicable federal laws, Executive Orders,
-                                 directives, policies, regulations, standards, and guidance for such
-                                 authentication.
-                """
-            - 
-              id:    ia-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Authentication mechanisms may be required within a cryptographic module to
-                                 authenticate an operator accessing the module and to verify that the operator is
-                                 authorized to assume the requested role and perform services within that role.
-                """
-              links: 
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    ia-7_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system implements mechanisms for authentication to a
-                                 cryptographic module that meet the requirements of applicable federal laws, Executive
-                                 Orders, directives, policies, regulations, standards, and guidance for such
-                                 authentication.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for cryptographic module
-                                        authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing cryptographic module
-                                        authentication
-                    """
-        - 
-          id:         ia-8
-          class:      SP800-53
-          title:      Identification and Authentication (non-organizational Users)
-          properties: 
-            - 
-              name:  label
-              value: IA-8
-            - 
-              name:  sort-id
-              value: ia-08
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #599fe9ba-4750-4450-9eeb-b95bd19a5e8f
-              rel:  reference
-              text: OMB Memorandum 10-06-2011
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #2157bb7e-192c-4eaa-877f-93ef6b0a3292
-              rel:  reference
-              text: NIST Special Publication 800-116
-            - 
-              href: #654f21e2-f3bc-43b2-abdc-60ab8d09744b
-              rel:  reference
-              text: 
-                """
-                  National Strategy for Trusted Identities in
-                              Cyberspace
-                """
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-8_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates non-organizational users
-                                 (or processes acting on behalf of non-organizational users).
-                """
-            - 
-              id:    ia-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Non-organizational users include information system users other than organizational
-                                 users explicitly covered by IA-2. These individuals are uniquely identified and
-                                 authenticated for accesses other than those accesses explicitly identified and
-                                 documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-                                 authentication of non-organizational users accessing federal information systems may
-                                 be required to protect federal, proprietary, or privacy-related information (with
-                                 exceptions noted for national security systems). Organizations use risk assessments
-                                 to determine authentication needs and consider scalability, practicality, and
-                                 security in balancing the need to ensure ease of use for access to federal
-                                 information and information systems with the need to protect and adequately mitigate
-                                 risk. IA-2 addresses identification and authentication requirements for access to
-                                 information systems by organizational users.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-            - 
-              id:    ia-8_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system uniquely identifies and authenticates
-                                 non-organizational users (or processes acting on behalf of non-organizational
-                                 users).
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing identification and
-                                        authentication capability
-                    """
-          controls: 
-            - 
-              id:         ia-8.1
-              class:      SP800-53-enhancement
-              title:      Acceptance of PIV Credentials from Other Agencies
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(1)
-                - 
-                  name:  sort-id
-                  value: ia-08.01
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: CONDITIONAL
-              parts: 
-                - 
-                  id:    ia-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system accepts and electronically verifies Personal Identity
-                                        Verification (PIV) credentials from other federal agencies.
-                    """
-                - 
-                  id:    ia-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to logical access control systems (LACS) and
-                                        physical access control systems (PACS). Personal Identity Verification (PIV)
-                                        credentials are those credentials issued by federal agencies that conform to FIPS
-                                        Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                                        federal agencies to continue implementing the requirements specified in HSPD-12 to
-                                        enable agency-wide use of PIV credentials.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.1_obj
-                  name:  objective
-                  prose: Determine if the information system: 
-                  parts: 
-                    - 
-                      id:         ia-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-8(1)[1]
-                      prose: 
-                        """
-                          accepts Personal Identity Verification (PIV) credentials from other agencies;
-                                               and
-                        """
-                    - 
-                      id:         ia-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-8(1)[2]
-                      prose: 
-                        """
-                          electronically verifies Personal Identity Verification (PIV) credentials from
-                                               other agencies.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms that accept and verify PIV credentials
-                        """
-                - 
-                  name:  guidance
-                  class: FedRAMP-Tailored-LI-SaaS
-                  prose: 
-                    """
-                      Condition: Must document and assess for privileged users. May attest to this
-                                        control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                                        authentication for all Federal privileged users, if acceptance of PIV credentials
-                                        is not supported. The implementation status and details of how this control is
-                                        implemented must be clearly defined by the CSP.
-                    """
-            - 
-              id:         ia-8.2
-              class:      SP800-53-enhancement
-              title:      Acceptance of Third-party Credentials
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(2)
-                - 
-                  name:  sort-id
-                  value: ia-08.02
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: CONDITIONAL
-              parts: 
-                - 
-                  id:    ia-8.2_smt
-                  name:  statement
-                  prose: The information system accepts only FICAM-approved third-party credentials.
-                - 
-                  id:    ia-8.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement typically applies to organizational information systems
-                                        that are accessible to the general public, for example, public-facing websites.
-                                        Third-party credentials are those credentials issued by nonfederal government
-                                        entities approved by the Federal Identity, Credential, and Access Management
-                                        (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                                        meet or exceed the set of minimum federal government-wide technical, security,
-                                        privacy, and organizational maturity requirements. This allows federal government
-                                        relying parties to trust such credentials at their approved assurance levels.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                - 
-                  id:    ia-8.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the information system accepts only FICAM-approved third-party
-                                        credentials. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or
-                                               services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials
-                        """
-                - 
-                  name:  guidance
-                  class: FedRAMP-Tailored-LI-SaaS
-                  prose: 
-                    """
-                      Condition: Must document and assess for privileged users. May attest to this
-                                        control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                                        authentication for all Federal privileged users, if acceptance of PIV credentials
-                                        is not supported. The implementation status and details of how this control is
-                                        implemented must be clearly defined by the CSP.
-                    """
-            - 
-              id:         ia-8.3
-              class:      SP800-53-enhancement
-              title:      Use of Ficam-approved Products
-              parameters: 
-                - 
-                  id:    ia-8.3_prm_1
-                  label: organization-defined information systems
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(3)
-                - 
-                  name:  sort-id
-                  value: ia-08.03
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: ATTEST
-              parts: 
-                - 
-                  id:    ia-8.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs only FICAM-approved information system components in
-                                           {{ ia-8.3_prm_1 }} to accept third-party credentials.
-                    """
-                - 
-                  id:    ia-8.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement typically applies to information systems that are
-                                        accessible to the general public, for example, public-facing websites.
-                                        FICAM-approved information system components include, for example, information
-                                        technology products and software libraries that have been approved by the Federal
-                                        Identity, Credential, and Access Management conformance program.
-                    """
-                  links: 
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-8.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-8(3)[1]
-                      prose: 
-                        """
-                          defines information systems in which only FICAM-approved information system
-                                               components are to be employed to accept third-party credentials; and
-                        """
-                    - 
-                      id:         ia-8.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-8(3)[2]
-                      prose: 
-                        """
-                          employs only FICAM-approved information system components in
-                                               organization-defined information systems to accept third-party credentials.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the
-                                               acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented
-                                               by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and
-                                               contracting responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability
-                        """
-            - 
-              id:         ia-8.4
-              class:      SP800-53-enhancement
-              title:      Use of Ficam-issued Profiles
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(4)
-                - 
-                  name:  sort-id
-                  value: ia-08.04
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: ATTEST
-              parts: 
-                - 
-                  id:    ia-8.4_smt
-                  name:  statement
-                  prose: The information system conforms to FICAM-issued profiles.
-                - 
-                  id:    ia-8.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement addresses open identity management standards. To ensure
-                                        that these standards are viable, robust, reliable, sustainable (e.g., available in
-                                        commercial information technology products), and interoperable as documented, the
-                                        United States Government assesses and scopes identity management standards and
-                                        technology implementations against applicable federal legislation, directives,
-                                        policies, and requirements. The result is FICAM-issued implementation profiles of
-                                        approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                                        OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                                        Exchange).
-                    """
-                  links: 
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.4_obj
-                  name:  objective
-                  prose: Determine if the information system conforms to FICAM-issued profiles. 
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the
-                                               acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms supporting and/or implementing conformance with
-                                               FICAM-issued profiles
-                        """
-    - 
-      id:       ir
-      class:    family
-      title:    Incident Response
-      controls: 
-        - 
-          id:         ir-1
-          class:      SP800-53
-          title:      Incident Response Policy and Procedures
-          parameters: 
-            - 
-              id:    ir-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ir-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    ir-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: IR-1
-            - 
-              name:  sort-id
-              value: ir-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ir-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ir-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ir-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An incident response policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ir-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the incident response policy and
-                                               associated incident response controls; and
-                        """
-                - 
-                  id:         ir-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ir-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Incident response policy {{ ir-1_prm_2 }}; and
-                    - 
-                      id:         ir-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Incident response procedures {{ ir-1_prm_3 }}.
-            - 
-              id:    ir-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the IR
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ir-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-1(a)
-                  parts: 
-                    - 
-                      id:         ir-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ir-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[1]
-                          prose:      develops and documents an incident response policy that addresses:
-                          parts: 
-                            - 
-                              id:         ir-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ir-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ir-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ir-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ir-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ir-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ir-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ir-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the incident response policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ir-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the incident response policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ir-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ir-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      incident response policy and associated incident response controls;
-                            """
-                        - 
-                          id:         ir-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ir-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ir-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-1(b)
-                  parts: 
-                    - 
-                      id:         ir-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ir-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current incident response
-                                                      policy;
-                            """
-                        - 
-                          id:         ir-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current incident response policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ir-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ir-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current incident response
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ir-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current incident response procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ir-2
-          class:      SP800-53
-          title:      Incident Response Training
-          parameters: 
-            - 
-              id:    ir-2_prm_1
-              label: organization-defined time period
-            - 
-              id:    ir-2_prm_2
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: IR-2
-            - 
-              name:  sort-id
-              value: ir-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    ir-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides incident response training to information system users
-                                 consistent with assigned roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         ir-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Within {{ ir-2_prm_1 }} of assuming an incident response role or
-                                        responsibility;
-                    """
-                - 
-                  id:         ir-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         ir-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ ir-2_prm_2 }} thereafter.
-                    """
-            - 
-              id:    ir-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Incident response training provided by organizations is linked to the assigned roles
-                                 and responsibilities of organizational personnel to ensure the appropriate content
-                                 and level of detail is included in such training. For example, regular users may only
-                                 need to know who to call or how to recognize an incident on the information system;
-                                 system administrators may require additional training on how to handle/remediate
-                                 incidents; and incident responders may receive more specific training on forensics,
-                                 reporting, system recovery, and restoration. Incident response training includes user
-                                 training in the identification and reporting of suspicious activities, both from
-                                 external and internal sources.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-3
-                  rel:  related
-                  text: CP-3
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(a)
-                  parts: 
-                    - 
-                      id:         ir-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-2(a)[1]
-                      prose: 
-                        """
-                          defines a time period within which incident response training is to be provided
-                                               to information system users assuming an incident response role or
-                                               responsibility;
-                        """
-                    - 
-                      id:         ir-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-2(a)[2]
-                      prose: 
-                        """
-                          provides incident response training to information system users consistent with
-                                               assigned roles and responsibilities within the organization-defined time period
-                                               of assuming an incident response role or responsibility;
-                        """
-                - 
-                  id:         ir-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(b)
-                  prose: 
-                    """
-                      provides incident response training to information system users consistent with
-                                        assigned roles and responsibilities when required by information system
-                                        changes;
-                    """
-                - 
-                  id:         ir-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(c)
-                  parts: 
-                    - 
-                      id:         ir-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher incident response training to
-                                               information system users consistent with assigned roles or responsibilities;
-                                               and
-                        """
-                    - 
-                      id:         ir-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-2(c)[2]
-                      prose: 
-                        """
-                          after the initial incident response training, provides refresher incident
-                                               response training to information system users consistent with assigned roles
-                                               and responsibilities in accordance with the organization-defined frequency to
-                                               provide refresher training.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with incident response training and operational
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ir-4
-          class:      SP800-53
-          title:      Incident Handling
-          properties: 
-            - 
-              name:  label
-              value: IR-4
-            - 
-              name:  sort-id
-              value: ir-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Implements an incident handling capability for security incidents that includes
-                                        preparation, detection and analysis, containment, eradication, and recovery;
-                    """
-                - 
-                  id:         ir-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Coordinates incident handling activities with contingency planning activities;
-                                        and
-                    """
-                - 
-                  id:         ir-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Incorporates lessons learned from ongoing incident handling activities into
-                                        incident response procedures, training, and testing, and implements the resulting
-                                        changes accordingly.
-                    """
-            - 
-              id:    ir-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations recognize that incident response capability is dependent on the
-                                 capabilities of organizational information systems and the mission/business processes
-                                 being supported by those systems. Therefore, organizations consider incident response
-                                 as part of the definition, design, and development of mission/business processes and
-                                 information systems. Incident-related information can be obtained from a variety of
-                                 sources including, for example, audit monitoring, network monitoring, physical access
-                                 monitoring, user/administrator reports, and reported supply chain events. Effective
-                                 incident handling capability includes coordination among many organizational entities
-                                 including, for example, mission/business owners, information system owners,
-                                 authorizing officials, human resources offices, physical and personnel security
-                                 offices, legal departments, operations personnel, procurement offices, and the risk
-                                 executive (function).
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-4
-                  rel:  related
-                  text: CP-4
-                - 
-                  href: #ir-2
-                  rel:  related
-                  text: IR-2
-                - 
-                  href: #ir-3
-                  rel:  related
-                  text: IR-3
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    ir-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-4(a)
-                  prose: 
-                    """
-                      implements an incident handling capability for security incidents that
-                                        includes:
-                    """
-                  parts: 
-                    - 
-                      id:         ir-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[1]
-                      prose:      preparation;
-                    - 
-                      id:         ir-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[2]
-                      prose:      detection and analysis;
-                    - 
-                      id:         ir-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[3]
-                      prose:      containment;
-                    - 
-                      id:         ir-4.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[4]
-                      prose:      eradication;
-                    - 
-                      id:         ir-4.a_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[5]
-                      prose:      recovery;
-                - 
-                  id:         ir-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-4(b)
-                  prose:      coordinates incident handling activities with contingency planning activities;
-                - 
-                  id:         ir-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-4(c)
-                  parts: 
-                    - 
-                      id:         ir-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(c)[1]
-                      prose: 
-                        """
-                          incorporates lessons learned from ongoing incident handling activities
-                                               into:
-                        """
-                      parts: 
-                        - 
-                          id:         ir-4.c_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][a]
-                          prose:      incident response procedures;
-                        - 
-                          id:         ir-4.c_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][b]
-                          prose:      training;
-                        - 
-                          id:         ir-4.c_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][c]
-                          prose:      testing/exercises;
-                    - 
-                      id:         ir-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(c)[2]
-                      prose:      implements the resulting changes accordingly to:
-                      parts: 
-                        - 
-                          id:         ir-4.c_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][a]
-                          prose:      incident response procedures;
-                        - 
-                          id:         ir-4.c_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][b]
-                          prose:      training; and
-                        - 
-                          id:         ir-4.c_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][c]
-                          prose:      testing/exercises.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident handling capability for the organization
-            - 
-              id:    ir-4_fr
-              name:  item
-              title: IR-4 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         ir-4_fr_smt.1
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: Requirement:
-                  prose: 
-                    """
-                      The service provider ensures that individuals conducting incident handling meet
-                                           personnel security requirements commensurate with the criticality/sensitivity
-                                           of the information being processed, stored, and transmitted by the information
-                                           system.
-                    """
-        - 
-          id:         ir-5
-          class:      SP800-53
-          title:      Incident Monitoring
-          properties: 
-            - 
-              name:  label
-              value: IR-5
-            - 
-              name:  sort-id
-              value: ir-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-5_smt
-              name:  statement
-              prose: The organization tracks and documents information system security incidents.
-            - 
-              id:    ir-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Documenting information system security incidents includes, for example, maintaining
-                                 records about each incident, the status of the incident, and other pertinent
-                                 information necessary for forensics, evaluating incident details, trends, and
-                                 handling. Incident information can be obtained from a variety of sources including,
-                                 for example, incident reports, incident response teams, audit monitoring, network
-                                 monitoring, physical access monitoring, and user/administrator reports.
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    ir-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-5[1]
-                  prose:      tracks information system security incidents; and
-                - 
-                  id:         ir-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-5[2]
-                  prose:      documents information system security incidents.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Incident monitoring capability for the organization\n\nautomated mechanisms supporting and/or implementing tracking and documenting of
-                                        system security incidents
-                    """
-        - 
-          id:         ir-6
-          class:      SP800-53
-          title:      Incident Reporting
-          parameters: 
-            - 
-              id:          ir-6_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-            - 
-              id:    ir-6_prm_2
-              label: organization-defined authorities
-          properties: 
-            - 
-              name:  label
-              value: IR-6
-            - 
-              name:  sort-id
-              value: ir-06
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #02631467-668b-4233-989b-3dfded2fd184
-              rel:  reference
-              text: http://www.us-cert.gov
-          parts: 
-            - 
-              id:    ir-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires personnel to report suspected security incidents to the organizational
-                                        incident response capability within {{ ir-6_prm_1 }}; and
-                    """
-                - 
-                  id:         ir-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reports security incident information to {{ ir-6_prm_2 }}.
-            - 
-              id:    ir-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  The intent of this control is to address both specific incident reporting
-                                 requirements within an organization and the formal incident reporting requirements
-                                 for federal agencies and their subordinate organizations. Suspected security
-                                 incidents include, for example, the receipt of suspicious email communications that
-                                 can potentially contain malicious code. The types of security incidents reported, the
-                                 content and timeliness of the reports, and the designated reporting authorities
-                                 reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-                                 standards, and guidance. Current federal policy requires that all federal agencies
-                                 (unless specifically exempted from such requirements) report security incidents to
-                                 the United States Computer Emergency Readiness Team (US-CERT) within specified time
-                                 frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-                                 Incident Handling.
-                """
-              links: 
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-5
-                  rel:  related
-                  text: IR-5
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-6(a)
-                  parts: 
-                    - 
-                      id:         ir-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-6(a)[1]
-                      prose: 
-                        """
-                          defines the time period within which personnel report suspected security
-                                               incidents to the organizational incident response capability;
-                        """
-                    - 
-                      id:         ir-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-6(a)[2]
-                      prose: 
-                        """
-                          requires personnel to report suspected security incidents to the organizational
-                                               incident response capability within the organization-defined time period;
-                        """
-                - 
-                  id:         ir-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-6(b)
-                  parts: 
-                    - 
-                      id:         ir-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-6(b)[1]
-                      prose: 
-                        """
-                          defines authorities to whom security incident information is to be reported;
-                                               and
-                        """
-                    - 
-                      id:         ir-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-6(b)[2]
-                      prose:      reports security incident information to organization-defined authorities.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing incident reporting
-            - 
-              id:    ir-6_fr
-              name:  item
-              title: IR-6 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         ir-6_fr_smt.1
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: Requirement:
-                  prose: 
-                    """
-                      Report security incident information according to FedRAMP Incident
-                                           Communications Procedure.
-                    """
-        - 
-          id:         ir-7
-          class:      SP800-53
-          title:      Incident Response Assistance
-          properties: 
-            - 
-              name:  label
-              value: IR-7
-            - 
-              name:  sort-id
-              value: ir-07
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    ir-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides an incident response support resource, integral to the
-                                 organizational incident response capability that offers advice and assistance to
-                                 users of the information system for the handling and reporting of security
-                                 incidents.
-                """
-            - 
-              id:    ir-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Incident response support resources provided by organizations include, for example,
-                                 help desks, assistance groups, and access to forensics services, when required.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-6
-                  rel:  related
-                  text: IR-6
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-            - 
-              id:    ir-7_obj
-              name:  objective
-              prose: Determine if the organization provides an incident response support resource:
-              parts: 
-                - 
-                  id:         ir-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-7[1]
-                  prose:      that is integral to the organizational incident response capability; and
-                - 
-                  id:         ir-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-7[2]
-                  prose: 
-                    """
-                      that offers advice and assistance to users of the information system for the
-                                        handling and reporting of security incidents.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with incident response assistance and support
-                                        responsibilities\n\norganizational personnel with access to incident response support and assistance
-                                        capability\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing incident response
-                                        assistance
-                    """
-        - 
-          id:         ir-8
-          class:      SP800-53
-          title:      Incident Response Plan
-          parameters: 
-            - 
-              id:    ir-8_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ir-8_prm_2
-              label: 
-                """
-                  organization-defined incident response personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-            - 
-              id:    ir-8_prm_3
-              label: organization-defined frequency
-            - 
-              id:    ir-8_prm_4
-              label: 
-                """
-                  organization-defined incident response personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-          properties: 
-            - 
-              name:  label
-              value: IR-8
-            - 
-              name:  sort-id
-              value: ir-08
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops an incident response plan that:
-                  parts: 
-                    - 
-                      id:         ir-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Provides the organization with a roadmap for implementing its incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Describes the structure and organization of the incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Provides a high-level approach for how the incident response capability fits
-                                               into the overall organization;
-                        """
-                    - 
-                      id:         ir-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Meets the unique requirements of the organization, which relate to mission,
-                                               size, structure, and functions;
-                        """
-                    - 
-                      id:         ir-8_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose:      Defines reportable incidents;
-                    - 
-                      id:         ir-8_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose: 
-                        """
-                          Provides metrics for measuring the incident response capability within the
-                                               organization;
-                        """
-                    - 
-                      id:         ir-8_smt.a.7
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 7.
-                      prose: 
-                        """
-                          Defines the resources and management support needed to effectively maintain and
-                                               mature an incident response capability; and
-                        """
-                    - 
-                      id:         ir-8_smt.a.8
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 8.
-                      prose:      Is reviewed and approved by {{ ir-8_prm_1 }};
-                - 
-                  id:         ir-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Distributes copies of the incident response plan to {{ ir-8_prm_2 }};
-                - 
-                  id:         ir-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews the incident response plan {{ ir-8_prm_3 }};
-                - 
-                  id:         ir-8_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Updates the incident response plan to address system/organizational changes or
-                                        problems encountered during plan implementation, execution, or testing;
-                    """
-                - 
-                  id:         ir-8_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Communicates incident response plan changes to {{ ir-8_prm_4 }};
-                                        and
-                    """
-                - 
-                  id:         ir-8_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Protects the incident response plan from unauthorized disclosure and
-                                        modification.
-                    """
-            - 
-              id:    ir-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  It is important that organizations develop and implement a coordinated approach to
-                                 incident response. Organizational missions, business functions, strategies, goals,
-                                 and objectives for incident response help to determine the structure of incident
-                                 response capabilities. As part of a comprehensive incident response capability,
-                                 organizations consider the coordination and sharing of information with external
-                                 organizations, including, for example, external service providers and organizations
-                                 involved in the supply chain for organizational information systems.
-                """
-              links: 
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-            - 
-              id:    ir-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(a)
-                  prose:      develops an incident response plan that:
-                  parts: 
-                    - 
-                      id:         ir-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(1)
-                      prose: 
-                        """
-                          provides the organization with a roadmap for implementing its incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(2)
-                      prose: 
-                        """
-                          describes the structure and organization of the incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(3)
-                      prose: 
-                        """
-                          provides a high-level approach for how the incident response capability fits
-                                               into the overall organization;
-                        """
-                    - 
-                      id:         ir-8.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(4)
-                      prose:      meets the unique requirements of the organization, which relate to:
-                      parts: 
-                        - 
-                          id:         ir-8.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[1]
-                          prose:      mission;
-                        - 
-                          id:         ir-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[2]
-                          prose:      size;
-                        - 
-                          id:         ir-8.a.4_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[3]
-                          prose:      structure;
-                        - 
-                          id:         ir-8.a.4_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[4]
-                          prose:      functions;
-                    - 
-                      id:         ir-8.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(5)
-                      prose:      defines reportable incidents;
-                    - 
-                      id:         ir-8.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(6)
-                      prose: 
-                        """
-                          provides metrics for measuring the incident response capability within the
-                                               organization;
-                        """
-                    - 
-                      id:         ir-8.a.7_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(7)
-                      prose: 
-                        """
-                          defines the resources and management support needed to effectively maintain and
-                                               mature an incident response capability;
-                        """
-                    - 
-                      id:         ir-8.a.8_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(8)
-                      parts: 
-                        - 
-                          id:         ir-8.a.8_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(8)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to review and approve the incident response
-                                                      plan;
-                            """
-                        - 
-                          id:         ir-8.a.8_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(8)[2]
-                          prose:      is reviewed and approved by organization-defined personnel or roles;
-                - 
-                  id:         ir-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(b)
-                  parts: 
-                    - 
-                      id:         ir-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(b)[1]
-                      parts: 
-                        - 
-                          id:         ir-8.b_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(b)[1][a]
-                          prose: 
-                            """
-                              defines incident response personnel (identified by name and/or by role) to
-                                                      whom copies of the incident response plan are to be distributed;
-                            """
-                        - 
-                          id:         ir-8.b_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(b)[1][b]
-                          prose: 
-                            """
-                              defines organizational elements to whom copies of the incident response plan
-                                                      are to be distributed;
-                            """
-                    - 
-                      id:         ir-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the incident response plan to organization-defined
-                                               incident response personnel (identified by name and/or by role) and
-                                               organizational elements;
-                        """
-                - 
-                  id:         ir-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(c)
-                  parts: 
-                    - 
-                      id:         ir-8.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(c)[1]
-                      prose:      defines the frequency to review the incident response plan;
-                    - 
-                      id:         ir-8.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(c)[2]
-                      prose:      reviews the incident response plan with the organization-defined frequency;
-                - 
-                  id:         ir-8.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(d)
-                  prose: 
-                    """
-                      updates the incident response plan to address system/organizational changes or
-                                        problems encountered during plan:
-                    """
-                  parts: 
-                    - 
-                      id:         ir-8.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[1]
-                      prose:      implementation;
-                    - 
-                      id:         ir-8.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[2]
-                      prose:      execution; or
-                    - 
-                      id:         ir-8.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[3]
-                      prose:      testing;
-                - 
-                  id:         ir-8.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(e)
-                  parts: 
-                    - 
-                      id:         ir-8.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(e)[1]
-                      parts: 
-                        - 
-                          id:         ir-8.e_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(e)[1][a]
-                          prose: 
-                            """
-                              defines incident response personnel (identified by name and/or by role) to
-                                                      whom incident response plan changes are to be communicated;
-                            """
-                        - 
-                          id:         ir-8.e_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(e)[1][b]
-                          prose: 
-                            """
-                              defines organizational elements to whom incident response plan changes are
-                                                      to be communicated;
-                            """
-                    - 
-                      id:         ir-8.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(e)[2]
-                      prose: 
-                        """
-                          communicates incident response plan changes to organization-defined incident
-                                               response personnel (identified by name and/or by role) and organizational
-                                               elements; and
-                        """
-                - 
-                  id:         ir-8.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(f)
-                  prose: 
-                    """
-                      protects the incident response plan from unauthorized disclosure and
-                                        modification.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational incident response plan and related organizational processes
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Attestation - Specifically attest to US-CERT compliance.
-        - 
-          id:         ir-9
-          class:      SP800-53
-          title:      Information Spillage Response
-          parameters: 
-            - 
-              id:    ir-9_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ir-9_prm_2
-              label: organization-defined actions
-          properties: 
-            - 
-              name:  label
-              value: IR-9
-            - 
-              name:  sort-id
-              value: ir-09
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    ir-9_smt
-              name:  statement
-              prose: The organization responds to information spills by:
-              parts: 
-                - 
-                  id:         ir-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifying the specific information involved in the information system
-                                        contamination;
-                    """
-                - 
-                  id:         ir-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Alerting {{ ir-9_prm_1 }} of the information spill using a method
-                                        of communication not associated with the spill;
-                    """
-                - 
-                  id:         ir-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Isolating the contaminated information system or system component;
-                - 
-                  id:         ir-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Eradicating the information from the contaminated information system or
-                                        component;
-                    """
-                - 
-                  id:         ir-9_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Identifying other information systems or system components that may have been
-                                        subsequently contaminated; and
-                    """
-                - 
-                  id:         ir-9_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Performing other {{ ir-9_prm_2 }}.
-            - 
-              id:    ir-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information spillage refers to instances where either classified or sensitive
-                                 information is inadvertently placed on information systems that are not authorized to
-                                 process such information. Such information spills often occur when information that
-                                 is initially thought to be of lower sensitivity is transmitted to an information
-                                 system and then is subsequently determined to be of higher sensitivity. At that
-                                 point, corrective action is required. The nature of the organizational response is
-                                 generally based upon the degree of sensitivity of the spilled information (e.g.,
-                                 security category or classification level), the security capabilities of the
-                                 information system, the specific nature of contaminated storage media, and the access
-                                 authorizations (e.g., security clearances) of individuals with authorized access to
-                                 the contaminated system. The methods used to communicate information about the spill
-                                 after the fact do not involve methods directly associated with the actual spill to
-                                 minimize the risk of further spreading the contamination before such contamination is
-                                 isolated and eradicated.
-                """
-            - 
-              id:    ir-9_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(a)
-                  prose: 
-                    """
-                      responds to information spills by identifying the specific information causing the
-                                        information system contamination;
-                    """
-                - 
-                  id:         ir-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(b)
-                  parts: 
-                    - 
-                      id:         ir-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-9(b)[1]
-                      prose:      defines personnel to be alerted of the information spillage;
-                    - 
-                      id:         ir-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-9(b)[2]
-                      prose: 
-                        """
-                          identifies a method of communication not associated with the information spill
-                                               to use to alert organization-defined personnel of the spill;
-                        """
-                    - 
-                      id:         ir-9.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-9(b)[3]
-                      prose: 
-                        """
-                          responds to information spills by alerting organization-defined personnel of
-                                               the information spill using a method of communication not associated with the
-                                               spill;
-                        """
-                - 
-                  id:         ir-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(c)
-                  prose: 
-                    """
-                      responds to information spills by isolating the contaminated information
-                                        system;
-                    """
-                - 
-                  id:         ir-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(d)
-                  prose: 
-                    """
-                      responds to information spills by eradicating the information from the
-                                        contaminated information system;
-                    """
-                - 
-                  id:         ir-9.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(e)
-                  prose: 
-                    """
-                      responds to information spills by identifying other information systems that may
-                                        have been subsequently contaminated;
-                    """
-                - 
-                  id:         ir-9.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(f)
-                  parts: 
-                    - 
-                      id:         ir-9.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-9(f)[1]
-                      prose: 
-                        """
-                          defines other actions to be performed in response to information spills;
-                                               and
-                        """
-                    - 
-                      id:         ir-9.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-9(f)[2]
-                      prose: 
-                        """
-                          responds to information spills by performing other organization-defined
-                                               actions.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nrecords of information spillage alerts/notifications, list of personnel who should
-                                        receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information spillage response\n\nautomated mechanisms supporting and/or implementing information spillage response
-                                        actions and related communications
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Attestation - Specifically describe information spillage response processes.
-    - 
-      id:       ma
-      class:    family
-      title:    Maintenance
-      controls: 
-        - 
-          id:         ma-1
-          class:      SP800-53
-          title:      System Maintenance Policy and Procedures
-          parameters: 
-            - 
-              id:    ma-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ma-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    ma-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: MA-1
-            - 
-              name:  sort-id
-              value: ma-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ma-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ma-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ma-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system maintenance policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ma-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system maintenance policy
-                                               and associated system maintenance controls; and
-                        """
-                - 
-                  id:         ma-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ma-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      System maintenance policy {{ ma-1_prm_2 }}; and
-                    - 
-                      id:         ma-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System maintenance procedures {{ ma-1_prm_3 }}.
-            - 
-              id:    ma-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the MA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ma-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ma-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-1(a)
-                  parts: 
-                    - 
-                      id:         ma-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ma-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[1]
-                          prose:      develops and documents a system maintenance policy that addresses:
-                          parts: 
-                            - 
-                              id:         ma-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ma-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ma-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ma-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ma-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ma-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ma-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ma-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system maintenance policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ma-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system maintenance policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ma-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ma-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      maintenance policy and associated system maintenance controls;
-                            """
-                        - 
-                          id:         ma-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ma-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ma-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-1(b)
-                  parts: 
-                    - 
-                      id:         ma-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ma-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system maintenance
-                                                      policy;
-                            """
-                        - 
-                          id:         ma-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system maintenance policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ma-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ma-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system maintenance
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ma-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system maintenance procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Maintenance policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ma-2
-          class:      SP800-53
-          title:      Controlled Maintenance
-          parameters: 
-            - 
-              id:    ma-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ma-2_prm_2
-              label: organization-defined maintenance-related information
-          properties: 
-            - 
-              name:  label
-              value: MA-2
-            - 
-              name:  sort-id
-              value: ma-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    ma-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Schedules, performs, documents, and reviews records of maintenance and repairs on
-                                        information system components in accordance with manufacturer or vendor
-                                        specifications and/or organizational requirements;
-                    """
-                - 
-                  id:         ma-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Approves and monitors all maintenance activities, whether performed on site or
-                                        remotely and whether the equipment is serviced on site or removed to another
-                                        location;
-                    """
-                - 
-                  id:         ma-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Requires that {{ ma-2_prm_1 }} explicitly approve the removal of
-                                        the information system or system components from organizational facilities for
-                                        off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Sanitizes equipment to remove all information from associated media prior to
-                                        removal from organizational facilities for off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Checks all potentially impacted security controls to verify that the controls are
-                                        still functioning properly following maintenance or repair actions; and
-                    """
-                - 
-                  id:         ma-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Includes {{ ma-2_prm_2 }} in organizational maintenance
-                                        records.
-                    """
-            - 
-              id:    ma-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the information security aspects of the information system
-                                 maintenance program and applies to all types of maintenance to any system component
-                                 (including applications) conducted by any local or nonlocal entity (e.g.,
-                                 in-contract, warranty, in-house, software maintenance agreement). System maintenance
-                                 also includes those components not directly associated with information processing
-                                 and/or data/information retention such as scanners, copiers, and printers.
-                                 Information necessary for creating effective maintenance records includes, for
-                                 example: (i) date and time of maintenance; (ii) name of individuals or group
-                                 performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-                                 the maintenance performed; and (v) information system components/equipment removed or
-                                 replaced (including identification numbers, if applicable). The level of detail
-                                 included in maintenance records can be informed by the security categories of
-                                 organizational information systems. Organizations consider supply chain issues
-                                 associated with replacement components for information systems.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    ma-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ma-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(a)
-                  parts: 
-                    - 
-                      id:         ma-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(a)[1]
-                      prose: 
-                        """
-                          schedules maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[1][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[1][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(a)[2]
-                      prose: 
-                        """
-                          performs maintenance and repairs on information system components in accordance
-                                               with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[2][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[2][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(a)[3]
-                      prose: 
-                        """
-                          documents maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[3][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[3][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(a)[4]
-                      prose: 
-                        """
-                          reviews records of maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[4][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[4][b]
-                          prose:      organizational requirements;
-                - 
-                  id:         ma-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(b)
-                  parts: 
-                    - 
-                      id:         ma-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(b)[1]
-                      prose: 
-                        """
-                          approves all maintenance activities, whether performed on site or remotely and
-                                               whether the equipment is serviced on site or removed to another location;
-                        """
-                    - 
-                      id:         ma-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(b)[2]
-                      prose: 
-                        """
-                          monitors all maintenance activities, whether performed on site or remotely and
-                                               whether the equipment is serviced on site or removed to another location;
-                        """
-                - 
-                  id:         ma-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(c)
-                  parts: 
-                    - 
-                      id:         ma-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(c)[1]
-                      prose: 
-                        """
-                          defines personnel or roles required to explicitly approve the removal of the
-                                               information system or system components from organizational facilities for
-                                               off-site maintenance or repairs;
-                        """
-                    - 
-                      id:         ma-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(c)[2]
-                      prose: 
-                        """
-                          requires that organization-defined personnel or roles explicitly approve the
-                                               removal of the information system or system components from organizational
-                                               facilities for off-site maintenance or repairs;
-                        """
-                - 
-                  id:         ma-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(d)
-                  prose: 
-                    """
-                      sanitizes equipment to remove all information from associated media prior to
-                                        removal from organizational facilities for off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(e)
-                  prose: 
-                    """
-                      checks all potentially impacted security controls to verify that the controls are
-                                        still functioning properly following maintenance or repair actions;
-                    """
-                - 
-                  id:         ma-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(f)
-                  parts: 
-                    - 
-                      id:         ma-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(f)[1]
-                      prose: 
-                        """
-                          defines maintenance-related information to be included in organizational
-                                               maintenance records; and
-                        """
-                    - 
-                      id:         ma-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-2(f)[2]
-                      prose: 
-                        """
-                          includes organization-defined maintenance-related information in organizational
-                                               maintenance records.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for scheduling, performing, documenting, reviewing,
-                                        approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system
-                                        components
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         ma-4
-          class:      SP800-53
-          title:      Nonlocal Maintenance
-          properties: 
-            - 
-              name:  label
-              value: MA-4
-            - 
-              name:  sort-id
-              value: ma-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #f2dbd4ec-c413-4714-b85b-6b7184d1c195
-              rel:  reference
-              text: FIPS Publication 197
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-            - 
-              href: #a4aa9645-9a8a-4b51-90a9-e223250f9a75
-              rel:  reference
-              text: CNSS Policy 15
-          parts: 
-            - 
-              id:    ma-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Approves and monitors nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                                        with organizational policy and documented in the security plan for the information
-                                        system;
-                    """
-                - 
-                  id:         ma-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Employs strong authenticators in the establishment of nonlocal maintenance and
-                                        diagnostic sessions;
-                    """
-                - 
-                  id:         ma-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Maintains records for nonlocal maintenance and diagnostic activities; and
-                - 
-                  id:         ma-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Terminates session and network connections when nonlocal maintenance is
-                                        completed.
-                    """
-            - 
-              id:    ma-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Nonlocal maintenance and diagnostic activities are those activities conducted by
-                                 individuals communicating through a network, either an external network (e.g., the
-                                 Internet) or an internal network. Local maintenance and diagnostic activities are
-                                 those activities carried out by individuals physically present at the information
-                                 system or information system component and not communicating across a network
-                                 connection. Authentication techniques used in the establishment of nonlocal
-                                 maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-                                 Typically, strong authentication requires authenticators that are resistant to replay
-                                 attacks and employ multifactor authentication. Strong authenticators include, for
-                                 example, PKI where certificates are stored on a token protected by a password,
-                                 passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-                                 other controls.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-            - 
-              id:    ma-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(a)
-                  parts: 
-                    - 
-                      id:         ma-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(a)[1]
-                      prose:      approves nonlocal maintenance and diagnostic activities;
-                    - 
-                      id:         ma-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(a)[2]
-                      prose:      monitors nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(b)
-                  prose:      allows the use of nonlocal maintenance and diagnostic tools only:
-                  parts: 
-                    - 
-                      id:         ma-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(b)[1]
-                      prose:      as consistent with organizational policy;
-                    - 
-                      id:         ma-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(b)[2]
-                      prose:      as documented in the security plan for the information system;
-                - 
-                  id:         ma-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(c)
-                  prose: 
-                    """
-                      employs strong authenticators in the establishment of nonlocal maintenance and
-                                        diagnostic sessions;
-                    """
-                - 
-                  id:         ma-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(d)
-                  prose:      maintains records for nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(e)
-                  parts: 
-                    - 
-                      id:         ma-4.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(e)[1]
-                      prose: 
-                        """
-                          terminates sessions when nonlocal maintenance or diagnostics is completed;
-                                               and
-                        """
-                    - 
-                      id:         ma-4.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(e)[2]
-                      prose: 
-                        """
-                          terminates network connections when nonlocal maintenance or diagnostics is
-                                               completed.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and/or managing nonlocal
-                                        maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                                        sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network
-                                        connections
-                    """
-        - 
-          id:         ma-5
-          class:      SP800-53
-          title:      Maintenance Personnel
-          properties: 
-            - 
-              name:  label
-              value: MA-5
-            - 
-              name:  sort-id
-              value: ma-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    ma-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes a process for maintenance personnel authorization and maintains a list
-                                        of authorized maintenance organizations or personnel;
-                    """
-                - 
-                  id:         ma-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that non-escorted personnel performing maintenance on the information
-                                        system have required access authorizations; and
-                    """
-                - 
-                  id:         ma-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Designates organizational personnel with required access authorizations and
-                                        technical competence to supervise the maintenance activities of personnel who do
-                                        not possess the required access authorizations.
-                    """
-            - 
-              id:    ma-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to individuals performing hardware or software maintenance on
-                                 organizational information systems, while PE-2 addresses physical access for
-                                 individuals whose maintenance duties place them within the physical protection
-                                 perimeter of the systems (e.g., custodial staff, physical plant maintenance
-                                 personnel). Technical competence of supervising individuals relates to the
-                                 maintenance performed on the information systems while having required access
-                                 authorizations refers to maintenance on and near the systems. Individuals not
-                                 previously identified as authorized maintenance personnel, such as information
-                                 technology manufacturers, vendors, systems integrators, and consultants, may require
-                                 privileged access to organizational information systems, for example, when required
-                                 to conduct maintenance activities with little or no notice. Based on organizational
-                                 assessments of risk, organizations may issue temporary credentials to these
-                                 individuals. Temporary credentials may be for one-time use or for very limited time
-                                 periods.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    ma-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-5(a)
-                  parts: 
-                    - 
-                      id:         ma-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-5(a)[1]
-                      prose:      establishes a process for maintenance personnel authorization;
-                    - 
-                      id:         ma-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-5(a)[2]
-                      prose:      maintains a list of authorized maintenance organizations or personnel;
-                - 
-                  id:         ma-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-5(b)
-                  prose: 
-                    """
-                      ensures that non-escorted personnel performing maintenance on the information
-                                        system have required access authorizations; and
-                    """
-                - 
-                  id:         ma-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-5(c)
-                  prose: 
-                    """
-                      designates organizational personnel with required access authorizations and
-                                        technical competence to supervise the maintenance activities of personnel who do
-                                        not possess the required access authorizations.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and/or implementing authorization of maintenance
-                                        personnel
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-    - 
-      id:       mp
-      class:    family
-      title:    Media Protection
-      controls: 
-        - 
-          id:         mp-1
-          class:      SP800-53
-          title:      Media Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    mp-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    mp-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    mp-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: MP-1
-            - 
-              name:  sort-id
-              value: mp-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    mp-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ mp-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         mp-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A media protection policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         mp-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the media protection policy and
-                                               associated media protection controls; and
-                        """
-                - 
-                  id:         mp-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         mp-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Media protection policy {{ mp-1_prm_2 }}; and
-                    - 
-                      id:         mp-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Media protection procedures {{ mp-1_prm_3 }}.
-            - 
-              id:    mp-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the MP
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    mp-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         mp-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-1(a)
-                  parts: 
-                    - 
-                      id:         mp-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(a)(1)
-                      parts: 
-                        - 
-                          id:         mp-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[1]
-                          prose:      develops and documents a media protection policy that addresses:
-                          parts: 
-                            - 
-                              id:         mp-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         mp-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         mp-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         mp-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         mp-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         mp-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         mp-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         mp-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the media protection policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         mp-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the media protection policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         mp-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(a)(2)
-                      parts: 
-                        - 
-                          id:         mp-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      media protection policy and associated media protection controls;
-                            """
-                        - 
-                          id:         mp-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         mp-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         mp-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-1(b)
-                  parts: 
-                    - 
-                      id:         mp-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(b)(1)
-                      parts: 
-                        - 
-                          id:         mp-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current media protection
-                                                      policy;
-                            """
-                        - 
-                          id:         mp-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current media protection policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         mp-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(b)(2)
-                      parts: 
-                        - 
-                          id:         mp-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current media protection
-                                                      procedures; and
-                            """
-                        - 
-                          id:         mp-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current media protection procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Media protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         mp-2
-          class:      SP800-53
-          title:      Media Access
-          parameters: 
-            - 
-              id:    mp-2_prm_1
-              label: organization-defined types of digital and/or non-digital media
-            - 
-              id:    mp-2_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: MP-2
-            - 
-              name:  sort-id
-              value: mp-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-2_smt
-              name:  statement
-              prose: The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}.
-            - 
-              id:    mp-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. Restricting non-digital media access
-                                 includes, for example, denying access to patient medical records in a community
-                                 hospital unless the individuals seeking access to such records are authorized
-                                 healthcare providers. Restricting access to digital media includes, for example,
-                                 limiting access to design specifications stored on compact disks in the media library
-                                 to the project leader and the individuals on the development team.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-            - 
-              id:    mp-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-2_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-2[1]
-                  prose:      defines types of digital and/or non-digital media requiring restricted access;
-                - 
-                  id:         mp-2_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-2[2]
-                  prose: 
-                    """
-                      defines personnel or roles authorized to access organization-defined types of
-                                        digital and/or non-digital media; and
-                    """
-                - 
-                  id:         mp-2_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-2[3]
-                  prose: 
-                    """
-                      restricts access to organization-defined types of digital and/or non-digital media
-                                        to organization-defined personnel or roles.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for restricting information media\n\nautomated mechanisms supporting and/or implementing media access restrictions
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         mp-6
-          class:      SP800-53
-          title:      Media Sanitization
-          parameters: 
-            - 
-              id:    mp-6_prm_1
-              label: organization-defined information system media
-            - 
-              id:    mp-6_prm_2
-              label: organization-defined sanitization techniques and procedures
-          properties: 
-            - 
-              name:  label
-              value: MP-6
-            - 
-              name:  sort-id
-              value: mp-06
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-            - 
-              href: #a47466c4-c837-4f06-a39f-e68412a5f73d
-              rel:  reference
-              text: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-          parts: 
-            - 
-              id:    mp-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of
-                                        organizational control, or release for reuse using {{ mp-6_prm_2 }}
-                                        in accordance with applicable federal and organizational standards and policies;
-                                        and
-                    """
-                - 
-                  id:         mp-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs sanitization mechanisms with the strength and integrity commensurate with
-                                        the security category or classification of the information.
-                    """
-            - 
-              id:    mp-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to all information system media, both digital and non-digital,
-                                 subject to disposal or reuse, whether or not the media is considered removable.
-                                 Examples include media found in scanners, copiers, printers, notebook computers,
-                                 workstations, network components, and mobile devices. The sanitization process
-                                 removes information from the media such that the information cannot be retrieved or
-                                 reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-                                 erase, and destruction, prevent the disclosure of information to unauthorized
-                                 individuals when such media is reused or released for disposal. Organizations
-                                 determine the appropriate sanitization methods recognizing that destruction is
-                                 sometimes necessary when other methods cannot be applied to media requiring
-                                 sanitization. Organizations use discretion on the employment of approved sanitization
-                                 techniques and procedures for media containing information deemed to be in the public
-                                 domain or publicly releasable, or deemed to have no adverse impact on organizations
-                                 or individuals if released for reuse or disposal. Sanitization of non-digital media
-                                 includes, for example, removing a classified appendix from an otherwise unclassified
-                                 document, or redacting selected sections or words from a document by obscuring the
-                                 redacted sections/words in a manner equivalent in effectiveness to removing them from
-                                 the document. NSA standards and policies control the sanitization process for media
-                                 containing classified information.
-                """
-              links: 
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-4
-                  rel:  related
-                  text: SC-4
-            - 
-              id:    mp-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-6(a)
-                  parts: 
-                    - 
-                      id:         mp-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-6(a)[1]
-                      prose:      defines information system media to be sanitized prior to:
-                      parts: 
-                        - 
-                          id:         mp-6.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][a]
-                          prose:      disposal;
-                        - 
-                          id:         mp-6.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][b]
-                          prose:      release out of organizational control; or
-                        - 
-                          id:         mp-6.a_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][c]
-                          prose:      release for reuse;
-                    - 
-                      id:         mp-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-6(a)[2]
-                      prose: 
-                        """
-                          defines sanitization techniques or procedures to be used for sanitizing
-                                               organization-defined information system media prior to:
-                        """
-                      parts: 
-                        - 
-                          id:         mp-6.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][a]
-                          prose:      disposal;
-                        - 
-                          id:         mp-6.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][b]
-                          prose:      release out of organizational control; or
-                        - 
-                          id:         mp-6.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][c]
-                          prose:      release for reuse;
-                    - 
-                      id:         mp-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-6(a)[3]
-                      prose: 
-                        """
-                          sanitizes organization-defined information system media prior to disposal,
-                                               release out of organizational control, or release for reuse using
-                                               organization-defined sanitization techniques or procedures in accordance with
-                                               applicable federal and organizational standards and policies; and
-                        """
-                - 
-                  id:         mp-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-6(b)
-                  prose: 
-                    """
-                      employs sanitization mechanisms with strength and integrity commensurate with the
-                                        security category or classification of the information.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         mp-7
-          class:      SP800-53
-          title:      Media Use
-          parameters: 
-            - 
-              id: mp-7_prm_1
-            - 
-              id:    mp-7_prm_2
-              label: organization-defined types of information system media
-            - 
-              id:    mp-7_prm_3
-              label: organization-defined information systems or system components
-            - 
-              id:    mp-7_prm_4
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: MP-7
-            - 
-              name:  sort-id
-              value: mp-07
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-7_smt
-              name:  statement
-              prose: The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}.
-            - 
-              id:    mp-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. This control also applies to mobile
-                                 devices with information storage capability (e.g., smart phones, tablets, E-readers).
-                                 In contrast to MP-2, which restricts user access to media, this control restricts the
-                                 use of certain types of media on information systems, for example,
-                                 restricting/prohibiting the use of flash drives or external hard disk drives.
-                                 Organizations can employ technical and nontechnical safeguards (e.g., policies,
-                                 procedures, rules of behavior) to restrict the use of information system media.
-                                 Organizations may restrict the use of portable storage devices, for example, by using
-                                 physical cages on workstations to prohibit access to certain external ports, or
-                                 disabling/removing the ability to insert, read or write to such devices.
-                                 Organizations may also limit the use of portable storage devices to only approved
-                                 devices including, for example, devices provided by the organization, devices
-                                 provided by other approved organizations, and devices that are not personally owned.
-                                 Finally, organizations may restrict the use of portable storage devices based on the
-                                 type of device, for example, prohibiting the use of writeable, portable storage
-                                 devices, and implementing this restriction by disabling or removing the capability to
-                                 write to such devices.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    mp-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[1]
-                  prose:      defines types of information system media to be:
-                  parts: 
-                    - 
-                      id:         mp-7_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[1][a]
-                      prose:      restricted on information systems or system components; or
-                    - 
-                      id:         mp-7_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[1][b]
-                      prose:      prohibited from use on information systems or system components;
-                - 
-                  id:         mp-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[2]
-                  prose: 
-                    """
-                      defines information systems or system components on which the use of
-                                        organization-defined types of information system media is to be one of the
-                                        following:
-                    """
-                  parts: 
-                    - 
-                      id:         mp-7_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[2][a]
-                      prose:      restricted; or
-                    - 
-                      id:         mp-7_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[2][b]
-                      prose:      prohibited;
-                - 
-                  id:         mp-7_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[3]
-                  prose: 
-                    """
-                      defines security safeguards to be employed to restrict or prohibit the use of
-                                        organization-defined types of information system media on organization-defined
-                                        information systems or system components; and
-                    """
-                - 
-                  id:         mp-7_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[4]
-                  prose: 
-                    """
-                      restricts or prohibits the use of organization-defined information system media on
-                                        organization-defined information systems or system components using
-                                        organization-defined security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on
-                                        information systems or system components
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-    - 
-      id:       pe
-      class:    family
-      title:    Physical and Environmental Protection
-      controls: 
-        - 
-          id:         pe-1
-          class:      SP800-53
-          title:      Physical and Environmental Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    pe-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    pe-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    pe-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: PE-1
-            - 
-              name:  sort-id
-              value: pe-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    pe-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ pe-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         pe-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A physical and environmental protection policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         pe-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the physical and environmental
-                                               protection policy and associated physical and environmental protection
-                                               controls; and
-                        """
-                - 
-                  id:         pe-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         pe-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Physical and environmental protection policy {{ pe-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         pe-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Physical and environmental protection procedures {{ pe-1_prm_3 }}.
-            - 
-              id:    pe-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PE
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    pe-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         pe-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-1(a)
-                  parts: 
-                    - 
-                      id:         pe-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(a)(1)
-                      parts: 
-                        - 
-                          id:         pe-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a physical and environmental protection policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         pe-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         pe-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         pe-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         pe-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         pe-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         pe-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         pe-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         pe-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the physical and environmental protection
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         pe-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the physical and environmental protection policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         pe-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(a)(2)
-                      parts: 
-                        - 
-                          id:         pe-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      physical and environmental protection policy and associated physical and
-                                                      environmental protection controls;
-                            """
-                        - 
-                          id:         pe-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pe-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         pe-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-1(b)
-                  parts: 
-                    - 
-                      id:         pe-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(b)(1)
-                      parts: 
-                        - 
-                          id:         pe-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current physical and
-                                                      environmental protection policy;
-                            """
-                        - 
-                          id:         pe-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current physical and environmental protection policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         pe-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(b)(2)
-                      parts: 
-                        - 
-                          id:         pe-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current physical and
-                                                      environmental protection procedures; and
-                            """
-                        - 
-                          id:         pe-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current physical and environmental protection
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with physical and environmental protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         pe-2
-          class:      SP800-53
-          title:      Physical Access Authorizations
-          parameters: 
-            - 
-              id:          pe-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  label
-              value: PE-2
-            - 
-              name:  sort-id
-              value: pe-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    pe-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops, approves, and maintains a list of individuals with authorized access to
-                                        the facility where the information system resides;
-                    """
-                - 
-                  id:         pe-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Issues authorization credentials for facility access;
-                - 
-                  id:         pe-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Reviews the access list detailing authorized facility access by individuals
-                                           {{ pe-2_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Removes individuals from the facility access list when access is no longer
-                                        required.
-                    """
-            - 
-              id:    pe-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to organizational employees and visitors. Individuals (e.g.,
-                                 employees, contractors, and others) with permanent physical access authorization
-                                 credentials are not considered visitors. Authorization credentials include, for
-                                 example, badges, identification cards, and smart cards. Organizations determine the
-                                 strength of authorization credentials needed (including level of forge-proof badges,
-                                 smart cards, or identification cards) consistent with federal standards, policies,
-                                 and procedures. This control only applies to areas within facilities that have not
-                                 been designated as publicly accessible.
-                """
-              links: 
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-            - 
-              id:    pe-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(a)
-                  parts: 
-                    - 
-                      id:         pe-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-2(a)[1]
-                      prose: 
-                        """
-                          develops a list of individuals with authorized access to the facility where the
-                                               information system resides;
-                        """
-                    - 
-                      id:         pe-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-2(a)[2]
-                      prose: 
-                        """
-                          approves a list of individuals with authorized access to the facility where the
-                                               information system resides;
-                        """
-                    - 
-                      id:         pe-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-2(a)[3]
-                      prose: 
-                        """
-                          maintains a list of individuals with authorized access to the facility where
-                                               the information system resides;
-                        """
-                - 
-                  id:         pe-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(b)
-                  prose:      issues authorization credentials for facility access;
-                - 
-                  id:         pe-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(c)
-                  parts: 
-                    - 
-                      id:         pe-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the access list detailing authorized facility
-                                               access by individuals;
-                        """
-                    - 
-                      id:         pe-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-2(c)[2]
-                      prose: 
-                        """
-                          reviews the access list detailing authorized facility access by individuals
-                                               with the organization-defined frequency; and
-                        """
-                - 
-                  id:         pe-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(d)
-                  prose: 
-                    """
-                      removes individuals from the facility access list when access is no longer
-                                        required.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and/or implementing physical access
-                                        authorizations
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         pe-3
-          class:      SP800-53
-          title:      Physical Access Control
-          parameters: 
-            - 
-              id:    pe-3_prm_1
-              label: 
-                """
-                  organization-defined entry/exit points to the facility where the information
-                                 system resides
-                """
-            - 
-              id:          pe-3_prm_2
-              constraints: 
-                - 
-                  detail: CSP defined physical access control systems/devices AND guards
-            - 
-              id:         pe-3_prm_3
-              depends-on: pe-3_prm_2
-              label:      organization-defined physical access control systems/devices
-            - 
-              id:    pe-3_prm_4
-              label: organization-defined entry/exit points
-            - 
-              id:    pe-3_prm_5
-              label: organization-defined security safeguards
-            - 
-              id:          pe-3_prm_6
-              label: 
-                """
-                  organization-defined circumstances requiring visitor escorts and
-                                 monitoring
-                """
-              constraints: 
-                - 
-                  detail: in all circumstances within restricted access area where the information system resides
-            - 
-              id:    pe-3_prm_7
-              label: organization-defined physical access devices
-            - 
-              id:          pe-3_prm_8
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          pe-3_prm_9
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  label
-              value: PE-3
-            - 
-              name:  sort-id
-              value: pe-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #2157bb7e-192c-4eaa-877f-93ef6b0a3292
-              rel:  reference
-              text: NIST Special Publication 800-116
-            - 
-              href: #6caa237b-531b-43ac-9711-d8f6b97b0377
-              rel:  reference
-              text: ICD 704
-            - 
-              href: #398e33fd-f404-4e5c-b90e-2d50d3181244
-              rel:  reference
-              text: ICD 705
-            - 
-              href: #61081e7f-041d-4033-96a7-44a439071683
-              rel:  reference
-              text: DoD Instruction 5200.39
-            - 
-              href: #dd2f5acd-08f1-435a-9837-f8203088dc1a
-              rel:  reference
-              text: 
-                """
-                  Personal Identity Verification (PIV) in Enterprise
-                              Physical Access Control System (E-PACS)
-                """
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-            - 
-              href: #5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-              rel:  reference
-              text: http://fips201ep.cio.gov
-          parts: 
-            - 
-              id:    pe-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Enforces physical access authorizations at {{ pe-3_prm_1 }} by;
-                  parts: 
-                    - 
-                      id:         pe-3_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Verifying individual access authorizations before granting access to the
-                                               facility; and
-                        """
-                    - 
-                      id:         pe-3_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};
-                - 
-                  id:         pe-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Maintains physical access audit logs for {{ pe-3_prm_4 }};
-                - 
-                  id:         pe-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides {{ pe-3_prm_5 }} to control access to areas within the
-                                        facility officially designated as publicly accessible;
-                    """
-                - 
-                  id:         pe-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};
-                - 
-                  id:         pe-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Secures keys, combinations, and other physical access devices;
-                - 
-                  id:         pe-3_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};
-                                        and
-                    """
-                - 
-                  id:         pe-3_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are
-                                        lost, combinations are compromised, or individuals are transferred or
-                                        terminated.
-                    """
-            - 
-              id:    pe-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to organizational employees and visitors. Individuals (e.g.,
-                                 employees, contractors, and others) with permanent physical access authorization
-                                 credentials are not considered visitors. Organizations determine the types of
-                                 facility guards needed including, for example, professional physical security staff
-                                 or other personnel such as administrative staff or information system users. Physical
-                                 access devices include, for example, keys, locks, combinations, and card readers.
-                                 Safeguards for publicly accessible areas within organizational facilities include,
-                                 for example, cameras, monitoring by guards, and isolating selected information
-                                 systems and/or system components in secured areas. Physical access control systems
-                                 comply with applicable federal laws, Executive Orders, directives, policies,
-                                 regulations, standards, and guidance. The Federal Identity, Credential, and Access
-                                 Management Program provides implementation guidance for identity, credential, and
-                                 access management capabilities for physical access control systems. Organizations
-                                 have flexibility in the types of audit logs employed. Audit logs can be procedural
-                                 (e.g., a written log of individuals accessing the facility and when such access
-                                 occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-                                 thereof. Physical access points can include facility access points, interior access
-                                 points to information systems and/or components requiring supplemental access
-                                 controls, or both. Components of organizational information systems (e.g.,
-                                 workstations, terminals) may be located in areas designated as publicly accessible
-                                 with organizations safeguarding access to such devices.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #pe-5
-                  rel:  related
-                  text: PE-5
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    pe-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(a)
-                  parts: 
-                    - 
-                      id:         pe-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(a)[1]
-                      prose: 
-                        """
-                          defines entry/exit points to the facility where the information system
-                                               resides;
-                        """
-                    - 
-                      id:         pe-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(a)[2]
-                      prose: 
-                        """
-                          enforces physical access authorizations at organization-defined entry/exit
-                                               points to the facility where the information system resides by:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(a)[2](1)
-                          prose: 
-                            """
-                              verifying individual access authorizations before granting access to the
-                                                      facility;
-                            """
-                        - 
-                          id:         pe-3.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(a)[2](2)
-                          parts: 
-                            - 
-                              id:         pe-3.a.2_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-3(a)[2](2)[a]
-                              prose: 
-                                """
-                                  defining physical access control systems/devices to be employed to
-                                                             control ingress/egress to the facility where the information system
-                                                             resides;
-                                """
-                            - 
-                              id:         pe-3.a.2_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-3(a)[2](2)[b]
-                              prose: 
-                                """
-                                  using one or more of the following ways to control ingress/egress to the
-                                                             facility:
-                                """
-                              parts: 
-                                - 
-                                  id:         pe-3.a.2_obj.2.b.1
-                                  name:       objective
-                                  properties: 
-                                    - 
-                                      name:  label
-                                      value: PE-3(a)[2](2)[b][1]
-                                  prose: 
-                                    """
-                                      organization-defined physical access control systems/devices;
-                                                                    and/or
-                                    """
-                                - 
-                                  id:         pe-3.a.2_obj.2.b.2
-                                  name:       objective
-                                  properties: 
-                                    - 
-                                      name:  label
-                                      value: PE-3(a)[2](2)[b][2]
-                                  prose:      guards;
-                - 
-                  id:         pe-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(b)
-                  parts: 
-                    - 
-                      id:         pe-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(b)[1]
-                      prose: 
-                        """
-                          defines entry/exit points for which physical access audit logs are to be
-                                               maintained;
-                        """
-                    - 
-                      id:         pe-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(b)[2]
-                      prose: 
-                        """
-                          maintains physical access audit logs for organization-defined entry/exit
-                                               points;
-                        """
-                - 
-                  id:         pe-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(c)
-                  parts: 
-                    - 
-                      id:         pe-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(c)[1]
-                      prose: 
-                        """
-                          defines security safeguards to be employed to control access to areas within
-                                               the facility officially designated as publicly accessible;
-                        """
-                    - 
-                      id:         pe-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(c)[2]
-                      prose: 
-                        """
-                          provides organization-defined security safeguards to control access to areas
-                                               within the facility officially designated as publicly accessible;
-                        """
-                - 
-                  id:         pe-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(d)
-                  parts: 
-                    - 
-                      id:         pe-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(d)[1]
-                      prose:      defines circumstances requiring visitor:
-                      parts: 
-                        - 
-                          id:         pe-3.d_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[1][a]
-                          prose:      escorts;
-                        - 
-                          id:         pe-3.d_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[1][b]
-                          prose:      monitoring;
-                    - 
-                      id:         pe-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(d)[2]
-                      prose: 
-                        """
-                          in accordance with organization-defined circumstances requiring visitor escorts
-                                               and monitoring:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.d_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[2][a]
-                          prose:      escorts visitors;
-                        - 
-                          id:         pe-3.d_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[2][b]
-                          prose:      monitors visitor activities;
-                - 
-                  id:         pe-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(e)
-                  parts: 
-                    - 
-                      id:         pe-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(e)[1]
-                      prose:      secures keys;
-                    - 
-                      id:         pe-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(e)[2]
-                      prose:      secures combinations;
-                    - 
-                      id:         pe-3.e_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(e)[3]
-                      prose:      secures other physical access devices;
-                - 
-                  id:         pe-3.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(f)
-                  parts: 
-                    - 
-                      id:         pe-3.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(f)[1]
-                      prose:      defines physical access devices to be inventoried;
-                    - 
-                      id:         pe-3.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(f)[2]
-                      prose: 
-                        """
-                          defines the frequency to inventory organization-defined physical access
-                                               devices;
-                        """
-                    - 
-                      id:         pe-3.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(f)[3]
-                      prose: 
-                        """
-                          inventories the organization-defined physical access devices with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         pe-3.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(g)
-                  parts: 
-                    - 
-                      id:         pe-3.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(g)[1]
-                      prose:      defines the frequency to change combinations and keys; and
-                    - 
-                      id:         pe-3.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(g)[2]
-                      prose: 
-                        """
-                          changes combinations and keys with the organization-defined frequency and/or
-                                               when:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.g_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][a]
-                          prose:      keys are lost;
-                        - 
-                          id:         pe-3.g_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][b]
-                          prose:      combinations are compromised;
-                        - 
-                          id:         pe-3.g_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][c]
-                          prose:      individuals are transferred or terminated.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible
-                                        areas within facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for physical access control\n\nautomated mechanisms supporting and/or implementing physical access control\n\nphysical access control devices
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         pe-6
-          class:      SP800-53
-          title:      Monitoring Physical Access
-          parameters: 
-            - 
-              id:          pe-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-            - 
-              id:    pe-6_prm_2
-              label: organization-defined events or potential indications of events
-          properties: 
-            - 
-              name:  label
-              value: PE-6
-            - 
-              name:  sort-id
-              value: pe-06
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    pe-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Monitors physical access to the facility where the information system resides to
-                                        detect and respond to physical security incidents;
-                    """
-                - 
-                  id:         pe-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence
-                                        of {{ pe-6_prm_2 }}; and
-                    """
-                - 
-                  id:         pe-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Coordinates results of reviews and investigations with the organizational incident
-                                        response capability.
-                    """
-            - 
-              id:    pe-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational incident response capabilities include investigations of and responses
-                                 to detected physical security incidents. Security incidents include, for example,
-                                 apparent security violations or suspicious physical access activities. Suspicious
-                                 physical access activities include, for example: (i) accesses outside of normal work
-                                 hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-                                 unusual lengths of time; and (iv) out-of-sequence accesses.
-                """
-              links: 
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    pe-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-6(a)
-                  prose: 
-                    """
-                      monitors physical access to the facility where the information system resides to
-                                        detect and respond to physical security incidents;
-                    """
-                - 
-                  id:         pe-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-6(b)
-                  parts: 
-                    - 
-                      id:         pe-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-6(b)[1]
-                      prose:      defines the frequency to review physical access logs;
-                    - 
-                      id:         pe-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-6(b)[2]
-                      prose: 
-                        """
-                          defines events or potential indication of events requiring physical access logs
-                                               to be reviewed;
-                        """
-                    - 
-                      id:         pe-6.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-6(b)[3]
-                      prose: 
-                        """
-                          reviews physical access logs with the organization-defined frequency and upon
-                                               occurrence of organization-defined events or potential indications of events;
-                                               and
-                        """
-                - 
-                  id:         pe-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-6(c)
-                  prose: 
-                    """
-                      coordinates results of reviews and investigations with the organizational incident
-                                        response capability.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and/or implementing physical access monitoring\n\nautomated mechanisms supporting and/or implementing reviewing of physical access
-                                        logs
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         pe-8
-          class:      SP800-53
-          title:      Visitor Access Records
-          parameters: 
-            - 
-              id:          pe-8_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: for a minimum of one (1) year
-            - 
-              id:          pe-8_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  label
-              value: PE-8
-            - 
-              name:  sort-id
-              value: pe-08
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    pe-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Maintains visitor access records to the facility where the information system
-                                        resides for {{ pe-8_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews visitor access records {{ pe-8_prm_2 }}.
-            - 
-              id:    pe-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Visitor access records include, for example, names and organizations of persons
-                                 visiting, visitor signatures, forms of identification, dates of access, entry and
-                                 departure times, purposes of visits, and names and organizations of persons visited.
-                                 Visitor access records are not required for publicly accessible areas.
-                """
-            - 
-              id:    pe-8_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-8(a)
-                  parts: 
-                    - 
-                      id:         pe-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-8(a)[1]
-                      prose: 
-                        """
-                          defines the time period to maintain visitor access records to the facility
-                                               where the information system resides;
-                        """
-                    - 
-                      id:         pe-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-8(a)[2]
-                      prose: 
-                        """
-                          maintains visitor access records to the facility where the information system
-                                               resides for the organization-defined time period;
-                        """
-                - 
-                  id:         pe-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-8(b)
-                  parts: 
-                    - 
-                      id:         pe-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-8(b)[1]
-                      prose:      defines the frequency to review visitor access records; and
-                    - 
-                      id:         pe-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-8(b)[2]
-                      prose:      reviews visitor access records with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and/or implementing maintenance and review of
-                                        visitor access records
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         pe-12
-          class:      SP800-53
-          title:      Emergency Lighting
-          properties: 
-            - 
-              name:  label
-              value: PE-12
-            - 
-              name:  sort-id
-              value: pe-12
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    pe-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs and maintains automatic emergency lighting for the
-                                 information system that activates in the event of a power outage or disruption and
-                                 that covers emergency exits and evacuation routes within the facility.
-                """
-            - 
-              id:    pe-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:    pe-12_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization employs and maintains automatic emergency lighting for
-                                 the information system that: 
-                """
-              parts: 
-                - 
-                  id:         pe-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-12[1]
-                  prose:      activates in the event of a power outage or disruption; and
-                - 
-                  id:         pe-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-12[2]
-                  prose:      covers emergency exits and evacuation routes within the facility.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for emergency lighting and/or
-                                        planning\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing emergency lighting
-                                        capability
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         pe-13
-          class:      SP800-53
-          title:      Fire Protection
-          properties: 
-            - 
-              name:  label
-              value: PE-13
-            - 
-              name:  sort-id
-              value: pe-13
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    pe-13_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs and maintains fire suppression and detection devices/systems
-                                 for the information system that are supported by an independent energy source.
-                """
-            - 
-              id:    pe-13_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms. Fire suppression and detection devices/systems include, for example,
-                                 sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-                                 detectors.
-                """
-            - 
-              id:    pe-13_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-13_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-13[1]
-                  prose: 
-                    """
-                      employs fire suppression and detection devices/systems for the information system
-                                        that are supported by an independent energy source; and
-                    """
-                - 
-                  id:         pe-13_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-13[2]
-                  prose: 
-                    """
-                      maintains fire suppression and detection devices/systems for the information
-                                        system that are supported by an independent energy source.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for fire detection and suppression
-                                        devices/systems\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing fire suppression/detection
-                                        devices/systems
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         pe-14
-          class:      SP800-53
-          title:      Temperature and Humidity Controls
-          parameters: 
-            - 
-              id:          pe-14_prm_1
-              label:       organization-defined acceptable levels
-              constraints: 
-                - 
-                  detail: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-            - 
-              id:          pe-14_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: continuously
-          properties: 
-            - 
-              name:  label
-              value: PE-14
-            - 
-              name:  sort-id
-              value: pe-14
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    pe-14_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-14_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Maintains temperature and humidity levels within the facility where the
-                                        information system resides at {{ pe-14_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-14_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Monitors temperature and humidity levels {{ pe-14_prm_2 }}.
-            - 
-              id:    pe-14_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources, for example, data centers, server rooms, and mainframe computer
-                                 rooms.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-            - 
-              id:    pe-14_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-14.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-14(a)
-                  parts: 
-                    - 
-                      id:         pe-14.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(a)[1]
-                      prose: 
-                        """
-                          defines acceptable temperature levels to be maintained within the facility
-                                               where the information system resides;
-                        """
-                    - 
-                      id:         pe-14.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(a)[2]
-                      prose: 
-                        """
-                          defines acceptable humidity levels to be maintained within the facility where
-                                               the information system resides;
-                        """
-                    - 
-                      id:         pe-14.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(a)[3]
-                      prose: 
-                        """
-                          maintains temperature levels within the facility where the information system
-                                               resides at the organization-defined levels;
-                        """
-                    - 
-                      id:         pe-14.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(a)[4]
-                      prose: 
-                        """
-                          maintains humidity levels within the facility where the information system
-                                               resides at the organization-defined levels;
-                        """
-                - 
-                  id:         pe-14.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-14(b)
-                  parts: 
-                    - 
-                      id:         pe-14.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(b)[1]
-                      prose:      defines the frequency to monitor temperature levels;
-                    - 
-                      id:         pe-14.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(b)[2]
-                      prose:      defines the frequency to monitor humidity levels;
-                    - 
-                      id:         pe-14.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(b)[3]
-                      prose:      monitors temperature levels with the organization-defined frequency; and
-                    - 
-                      id:         pe-14.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(b)[4]
-                      prose:      monitors humidity levels with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system
-                                        environmental controls\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                                        temperature and humidity levels
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-            - 
-              id:    pe-14_fr
-              name:  item
-              title: PE-14(a) Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         pe-14_fr_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: (a) Requirement:
-                  prose: 
-                    """
-                      The service provider measures temperature at server inlets and humidity levels
-                                           by dew point.
-                    """
-        - 
-          id:         pe-15
-          class:      SP800-53
-          title:      Water Damage Protection
-          properties: 
-            - 
-              name:  label
-              value: PE-15
-            - 
-              name:  sort-id
-              value: pe-15
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    pe-15_smt
-              name:  statement
-              prose: 
-                """
-                  The organization protects the information system from damage resulting from water
-                                 leakage by providing master shutoff or isolation valves that are accessible, working
-                                 properly, and known to key personnel.
-                """
-            - 
-              id:    pe-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms. Isolation valves can be employed in addition to or in lieu of master
-                                 shutoff valves to shut off water supplies in specific areas of concern, without
-                                 affecting entire organizations.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-            - 
-              id:    pe-15_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization protects the information system from damage resulting
-                                 from water leakage by providing master shutoff or isolation valves that are: 
-                """
-              parts: 
-                - 
-                  id:         pe-15_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[1]
-                  prose:      accessible;
-                - 
-                  id:         pe-15_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[2]
-                  prose:      working properly; and
-                - 
-                  id:         pe-15_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[3]
-                  prose:      known to key personnel.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for
-                                        master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system
-                                        environmental controls\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Master water-shutoff valves\n\norganizational process for activating master water-shutoff
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-        - 
-          id:         pe-16
-          class:      SP800-53
-          title:      Delivery and Removal
-          parameters: 
-            - 
-              id:          pe-16_prm_1
-              label:       organization-defined types of information system components
-              constraints: 
-                - 
-                  detail: all information system components
-          properties: 
-            - 
-              name:  label
-              value: PE-16
-            - 
-              name:  sort-id
-              value: pe-16
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    pe-16_smt
-              name:  statement
-              prose: 
-                """
-                  The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}
-                                 entering and exiting the facility and maintains records of those items.
-                """
-            - 
-              id:    pe-16_gdn
-              name:  guidance
-              prose: 
-                """
-                  Effectively enforcing authorizations for entry and exit of information system
-                                 components may require restricting access to delivery areas and possibly isolating
-                                 the areas from the information system and media libraries.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    pe-16_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-16_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[1]
-                  prose: 
-                    """
-                      defines types of information system components to be authorized, monitored, and
-                                        controlled as such components are entering and exiting the facility;
-                    """
-                - 
-                  id:         pe-16_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[2]
-                  prose: 
-                    """
-                      authorizes organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[3]
-                  prose: 
-                    """
-                      monitors organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[4]
-                  prose: 
-                    """
-                      controls organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[5]
-                  prose: 
-                    """
-                      authorizes organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[6]
-                  prose: 
-                    """
-                      monitors organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.7
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[7]
-                  prose: 
-                    """
-                      controls organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.8
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[8]
-                  prose:      maintains records of information system components entering the facility; and
-                - 
-                  id:         pe-16_obj.9
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-16[9]
-                  prose:      maintains records of information system components exiting the facility.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from
-                                        the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for controlling information system
-                                        components entering and exiting the facility\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for authorizing, monitoring, and controlling information
-                                        system-related items entering and exiting the facility\n\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and
-                                        controlling information system-related items entering and exiting the facility
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-    - 
-      id:       pl
-      class:    family
-      title:    Planning
-      controls: 
-        - 
-          id:         pl-1
-          class:      SP800-53
-          title:      Security Planning Policy and Procedures
-          parameters: 
-            - 
-              id:    pl-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    pl-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    pl-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: PL-1
-            - 
-              name:  sort-id
-              value: pl-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    pl-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ pl-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         pl-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security planning policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         pl-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security planning policy and
-                                               associated security planning controls; and
-                        """
-                - 
-                  id:         pl-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         pl-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security planning policy {{ pl-1_prm_2 }}; and
-                    - 
-                      id:         pl-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security planning procedures {{ pl-1_prm_3 }}.
-            - 
-              id:    pl-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PL
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    pl-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         pl-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-1(a)
-                  parts: 
-                    - 
-                      id:         pl-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(a)(1)
-                      parts: 
-                        - 
-                          id:         pl-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[1]
-                          prose:      develops and documents a planning policy that addresses:
-                          parts: 
-                            - 
-                              id:         pl-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         pl-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         pl-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         pl-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         pl-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         pl-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         pl-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         pl-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the planning policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pl-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the planning policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         pl-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(a)(2)
-                      parts: 
-                        - 
-                          id:         pl-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      planning policy and associated planning controls;
-                            """
-                        - 
-                          id:         pl-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pl-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         pl-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-1(b)
-                  parts: 
-                    - 
-                      id:         pl-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(b)(1)
-                      parts: 
-                        - 
-                          id:         pl-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(b)(1)[1]
-                          prose:      defines the frequency to review and update the current planning policy;
-                        - 
-                          id:         pl-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current planning policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         pl-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(b)(2)
-                      parts: 
-                        - 
-                          id:         pl-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current planning procedures;
-                                                      and
-                            """
-                        - 
-                          id:         pl-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PL-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current planning procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Planning policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         pl-2
-          class:      SP800-53
-          title:      System Security Plan
-          parameters: 
-            - 
-              id:    pl-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pl-2_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  label
-              value: PL-2
-            - 
-              name:  sort-id
-              value: pl-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-          parts: 
-            - 
-              id:    pl-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops a security plan for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Is consistent with the organization’s enterprise architecture;
-                    - 
-                      id:         pl-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Explicitly defines the authorization boundary for the system;
-                    - 
-                      id:         pl-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Describes the operational context of the information system in terms of
-                                               missions and business processes;
-                        """
-                    - 
-                      id:         pl-2_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Provides the security categorization of the information system including
-                                               supporting rationale;
-                        """
-                    - 
-                      id:         pl-2_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose: 
-                        """
-                          Describes the operational environment for the information system and
-                                               relationships with or connections to other information systems;
-                        """
-                    - 
-                      id:         pl-2_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose:      Provides an overview of the security requirements for the system;
-                    - 
-                      id:         pl-2_smt.a.7
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 7.
-                      prose:      Identifies any relevant overlays, if applicable;
-                    - 
-                      id:         pl-2_smt.a.8
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 8.
-                      prose: 
-                        """
-                          Describes the security controls in place or planned for meeting those
-                                               requirements including a rationale for the tailoring decisions; and
-                        """
-                    - 
-                      id:         pl-2_smt.a.9
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 9.
-                      prose: 
-                        """
-                          Is reviewed and approved by the authorizing official or designated
-                                               representative prior to plan implementation;
-                        """
-                - 
-                  id:         pl-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Distributes copies of the security plan and communicates subsequent changes to the
-                                        plan to {{ pl-2_prm_1 }};
-                    """
-                - 
-                  id:         pl-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews the security plan for the information system {{ pl-2_prm_2 }};
-                - 
-                  id:         pl-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Updates the plan to address changes to the information system/environment of
-                                        operation or problems identified during plan implementation or security control
-                                        assessments; and
-                    """
-                - 
-                  id:         pl-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Protects the security plan from unauthorized disclosure and modification.
-            - 
-              id:    pl-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security plans relate security requirements to a set of security controls and control
-                                 enhancements. Security plans also describe, at a high level, how the security
-                                 controls and control enhancements meet those security requirements, but do not
-                                 provide detailed, technical descriptions of the specific design or implementation of
-                                 the controls/enhancements. Security plans contain sufficient information (including
-                                 the specification of parameter values for assignment and selection statements either
-                                 explicitly or by reference) to enable a design and implementation that is
-                                 unambiguously compliant with the intent of the plans and subsequent determinations of
-                                 risk to organizational operations and assets, individuals, other organizations, and
-                                 the Nation if the plan is implemented as intended. Organizations can also apply
-                                 tailoring guidance to the security control baselines in Appendix D and CNSS
-                                 Instruction 1253 to develop overlays for community-wide use or to address specialized
-                                 requirements, technologies, or missions/environments of operation (e.g.,
-                                 DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-                                 Access Management, space operations). Appendix I provides guidance on developing
-                                 overlays. Security plans need not be single documents; the plans can be a collection
-                                 of various documents including documents that already exist. Effective security plans
-                                 make extensive use of references to policies, procedures, and additional documents
-                                 (e.g., design and implementation specifications) where more detailed information can
-                                 be obtained. This reduces the documentation requirements associated with security
-                                 programs and maintains security-related information in other established
-                                 management/operational areas related to enterprise architecture, system development
-                                 life cycle, systems engineering, and acquisition. For example, security plans do not
-                                 contain detailed contingency plan or incident response plan information but instead
-                                 provide explicitly or by reference, sufficient information to define what needs to be
-                                 accomplished by those plans.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pl-7
-                  rel:  related
-                  text: PL-7
-                - 
-                  href: #pm-1
-                  rel:  related
-                  text: PM-1
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #pm-8
-                  rel:  related
-                  text: PM-8
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-17
-                  rel:  related
-                  text: SA-17
-            - 
-              id:    pl-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(a)
-                  prose:      develops a security plan for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(1)
-                      prose:      is consistent with the organization’s enterprise architecture;
-                    - 
-                      id:         pl-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(2)
-                      prose:      explicitly defines the authorization boundary for the system;
-                    - 
-                      id:         pl-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(3)
-                      prose: 
-                        """
-                          describes the operational context of the information system in terms of
-                                               missions and business processes;
-                        """
-                    - 
-                      id:         pl-2.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(4)
-                      prose: 
-                        """
-                          provides the security categorization of the information system including
-                                               supporting rationale;
-                        """
-                    - 
-                      id:         pl-2.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(5)
-                      prose: 
-                        """
-                          describes the operational environment for the information system and
-                                               relationships with or connections to other information systems;
-                        """
-                    - 
-                      id:         pl-2.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(6)
-                      prose:      provides an overview of the security requirements for the system;
-                    - 
-                      id:         pl-2.a.7_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(7)
-                      prose:      identifies any relevant overlays, if applicable;
-                    - 
-                      id:         pl-2.a.8_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(8)
-                      prose: 
-                        """
-                          describes the security controls in place or planned for meeting those
-                                               requirements including a rationale for the tailoring and supplemental
-                                               decisions;
-                        """
-                    - 
-                      id:         pl-2.a.9_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(a)(9)
-                      prose: 
-                        """
-                          is reviewed and approved by the authorizing official or designated
-                                               representative prior to plan implementation;
-                        """
-                - 
-                  id:         pl-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(b)
-                  parts: 
-                    - 
-                      id:         pl-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom copies of the security plan are to be
-                                               distributed and subsequent changes to the plan are to be communicated;
-                        """
-                    - 
-                      id:         pl-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the security plan and communicates subsequent changes to
-                                               the plan to organization-defined personnel or roles;
-                        """
-                - 
-                  id:         pl-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(c)
-                  parts: 
-                    - 
-                      id:         pl-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the security plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         pl-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(c)[2]
-                      prose: 
-                        """
-                          reviews the security plan for the information system with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         pl-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(d)
-                  prose:      updates the plan to address:
-                  parts: 
-                    - 
-                      id:         pl-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[1]
-                      prose:      changes to the information system/environment of operation;
-                    - 
-                      id:         pl-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[2]
-                      prose:      problems identified during plan implementation;
-                    - 
-                      id:         pl-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[3]
-                      prose:      problems identified during security control assessments;
-                - 
-                  id:         pl-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(e)
-                  prose:      protects the security plan from unauthorized:
-                  parts: 
-                    - 
-                      id:         pl-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(e)[1]
-                      prose:      disclosure; and
-                    - 
-                      id:         pl-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(e)[2]
-                      prose:      modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security planning and plan implementation
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security plan development/review/update/approval\n\nautomated mechanisms supporting the information system security plan
-        - 
-          id:         pl-4
-          class:      SP800-53
-          title:      Rules of Behavior
-          parameters: 
-            - 
-              id:    pl-4_prm_1
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: PL-4
-            - 
-              name:  sort-id
-              value: pl-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-          parts: 
-            - 
-              id:    pl-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and makes readily available to individuals requiring access to the
-                                        information system, the rules that describe their responsibilities and expected
-                                        behavior with regard to information and information system usage;
-                    """
-                - 
-                  id:         pl-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Receives a signed acknowledgment from such individuals, indicating that they have
-                                        read, understand, and agree to abide by the rules of behavior, before authorizing
-                                        access to information and the information system;
-                    """
-                - 
-                  id:         pl-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and
-                - 
-                  id:         pl-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Requires individuals who have signed a previous version of the rules of behavior
-                                        to read and re-sign when the rules of behavior are revised/updated.
-                    """
-            - 
-              id:    pl-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control enhancement applies to organizational users. Organizations consider
-                                 rules of behavior based on individual user roles and responsibilities,
-                                 differentiating, for example, between rules that apply to privileged users and rules
-                                 that apply to general users. Establishing rules of behavior for some types of
-                                 non-organizational users including, for example, individuals who simply receive
-                                 data/information from federal information systems, is often not feasible given the
-                                 large number of such users and the limited nature of their interactions with the
-                                 systems. Rules of behavior for both organizational and non-organizational users can
-                                 also be established in AC-8, System Use Notification. PL-4 b. (the signed
-                                 acknowledgment portion of this control) may be satisfied by the security awareness
-                                 training and role-based security training programs conducted by organizations if such
-                                 training includes rules of behavior. Organizations can use electronic signatures for
-                                 acknowledging rules of behavior.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-8
-                  rel:  related
-                  text: AC-8
-                - 
-                  href: #ac-9
-                  rel:  related
-                  text: AC-9
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #mp-7
-                  rel:  related
-                  text: MP-7
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #ps-8
-                  rel:  related
-                  text: PS-8
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-            - 
-              id:    pl-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(a)
-                  parts: 
-                    - 
-                      id:         pl-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-4(a)[1]
-                      prose: 
-                        """
-                          establishes, for individuals requiring access to the information system, the
-                                               rules that describe their responsibilities and expected behavior with regard to
-                                               information and information system usage;
-                        """
-                    - 
-                      id:         pl-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-4(a)[2]
-                      prose: 
-                        """
-                          makes readily available to individuals requiring access to the information
-                                               system, the rules that describe their responsibilities and expected behavior
-                                               with regard to information and information system usage;
-                        """
-                - 
-                  id:         pl-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(b)
-                  prose: 
-                    """
-                      receives a signed acknowledgement from such individuals, indicating that they have
-                                        read, understand, and agree to abide by the rules of behavior, before authorizing
-                                        access to information and the information system;
-                    """
-                - 
-                  id:         pl-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(c)
-                  parts: 
-                    - 
-                      id:         pl-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-4(c)[1]
-                      prose:      defines the frequency to review and update the rules of behavior;
-                    - 
-                      id:         pl-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-4(c)[2]
-                      prose: 
-                        """
-                          reviews and updates the rules of behavior with the organization-defined
-                                               frequency; and
-                        """
-                - 
-                  id:         pl-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(d)
-                  prose: 
-                    """
-                      requires individuals who have signed a previous version of the rules of behavior
-                                        to read and resign when the rules of behavior are revised/updated.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for establishing, reviewing, and
-                                        updating rules of behavior\n\norganizational personnel who are authorized users of the information system and
-                                        have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for establishing, reviewing, disseminating, and updating
-                                        rules of behavior\n\nautomated mechanisms supporting and/or implementing the establishment, review,
-                                        dissemination, and update of rules of behavior
-                    """
-    - 
-      id:       ps
-      class:    family
-      title:    Personnel Security
-      controls: 
-        - 
-          id:         ps-1
-          class:      SP800-53
-          title:      Personnel Security Policy and Procedures
-          parameters: 
-            - 
-              id:    ps-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    ps-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: PS-1
-            - 
-              name:  sort-id
-              value: ps-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ps-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ps-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ps-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A personnel security policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ps-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the personnel security policy
-                                               and associated personnel security controls; and
-                        """
-                - 
-                  id:         ps-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ps-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Personnel security policy {{ ps-1_prm_2 }}; and
-                    - 
-                      id:         ps-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Personnel security procedures {{ ps-1_prm_3 }}.
-            - 
-              id:    ps-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PS
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ps-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-1(a)
-                  parts: 
-                    - 
-                      id:         ps-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ps-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[1]
-                          prose:      develops and documents an personnel security policy that addresses:
-                          parts: 
-                            - 
-                              id:         ps-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ps-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ps-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ps-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ps-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ps-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ps-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ps-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the personnel security policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ps-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the personnel security policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ps-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ps-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      personnel security policy and associated personnel security controls;
-                            """
-                        - 
-                          id:         ps-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ps-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ps-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-1(b)
-                  parts: 
-                    - 
-                      id:         ps-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ps-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current personnel security
-                                                      policy;
-                            """
-                        - 
-                          id:         ps-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current personnel security policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ps-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ps-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current personnel security
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ps-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current personnel security procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ps-2
-          class:      SP800-53
-          title:      Position Risk Designation
-          parameters: 
-            - 
-              id:    ps-2_prm_1
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: PS-2
-            - 
-              name:  sort-id
-              value: ps-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: FED
-          links: 
-            - 
-              href: #0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-              rel:  reference
-              text: 5 C.F.R. 731.106
-          parts: 
-            - 
-              id:    ps-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Assigns a risk designation to all organizational positions;
-                - 
-                  id:         ps-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Establishes screening criteria for individuals filling those positions; and
-                - 
-                  id:         ps-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates position risk designations {{ ps-2_prm_1 }}.
-            - 
-              id:    ps-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Position risk designations reflect Office of Personnel Management policy and
-                                 guidance. Risk designations can guide and inform the types of authorizations
-                                 individuals receive when accessing organizational information and information
-                                 systems. Position screening criteria include explicit information security role
-                                 appointment requirements (e.g., training, security clearances).
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-            - 
-              id:    ps-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-2(a)
-                  prose:      assigns a risk designation to all organizational positions;
-                - 
-                  id:         ps-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-2(b)
-                  prose:      establishes screening criteria for individuals filling those positions;
-                - 
-                  id:         ps-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-2(c)
-                  parts: 
-                    - 
-                      id:         ps-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-2(c)[1]
-                      prose:      defines the frequency to review and update position risk designations; and
-                    - 
-                      id:         ps-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-2(c)[2]
-                      prose: 
-                        """
-                          reviews and updates position risk designations with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for assigning, reviewing, and updating position risk
-                                        designations\n\norganizational processes for establishing screening criteria
-                    """
-        - 
-          id:         ps-3
-          class:      SP800-53
-          title:      Personnel Screening
-          parameters: 
-            - 
-              id:          ps-3_prm_1
-              label: 
-                """
-                  organization-defined conditions requiring rescreening and, where rescreening is
-                                 so indicated, the frequency of such rescreening
-                """
-              constraints: 
-                - 
-                  detail: For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.
-          properties: 
-            - 
-              name:  label
-              value: PS-3
-            - 
-              name:  sort-id
-              value: ps-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-              rel:  reference
-              text: 5 C.F.R. 731.106
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #6caa237b-531b-43ac-9711-d8f6b97b0377
-              rel:  reference
-              text: ICD 704
-          parts: 
-            - 
-              id:    ps-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Screens individuals prior to authorizing access to the information system; and
-                - 
-                  id:         ps-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Rescreens individuals according to {{ ps-3_prm_1 }}.
-            - 
-              id:    ps-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Personnel screening and rescreening activities reflect applicable federal laws,
-                                 Executive Orders, directives, regulations, policies, standards, guidance, and
-                                 specific criteria established for the risk designations of assigned positions.
-                                 Organizations may define different rescreening conditions and frequencies for
-                                 personnel accessing information systems based on types of information processed,
-                                 stored, or transmitted by the systems.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-            - 
-              id:    ps-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-3(a)
-                  prose:      screens individuals prior to authorizing access to the information system;
-                - 
-                  id:         ps-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-3(b)
-                  parts: 
-                    - 
-                      id:         ps-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-3(b)[1]
-                      prose:      defines conditions requiring re-screening;
-                    - 
-                      id:         ps-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-3(b)[2]
-                      prose:      defines the frequency of re-screening where it is so indicated; and
-                    - 
-                      id:         ps-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-3(b)[3]
-                      prose: 
-                        """
-                          re-screens individuals in accordance with organization-defined conditions
-                                               requiring re-screening and, where re-screening is so indicated, with the
-                                               organization-defined frequency of such re-screening.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for personnel screening
-        - 
-          id:         ps-4
-          class:      SP800-53
-          title:      Personnel Termination
-          parameters: 
-            - 
-              id:    ps-4_prm_1
-              label: organization-defined time period
-            - 
-              id:    ps-4_prm_2
-              label: organization-defined information security topics
-            - 
-              id:    ps-4_prm_3
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-4_prm_4
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: PS-4
-            - 
-              name:  sort-id
-              value: ps-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    ps-4_smt
-              name:  statement
-              prose: The organization, upon termination of individual employment:
-              parts: 
-                - 
-                  id:         ps-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Disables information system access within {{ ps-4_prm_1 }};
-                - 
-                  id:         ps-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Terminates/revokes any authenticators/credentials associated with the
-                                        individual;
-                    """
-                - 
-                  id:         ps-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};
-                - 
-                  id:         ps-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Retrieves all security-related organizational information system-related
-                                        property;
-                    """
-                - 
-                  id:         ps-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Retains access to organizational information and information systems formerly
-                                        controlled by terminated individual; and
-                    """
-                - 
-                  id:         ps-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}.
-            - 
-              id:    ps-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system-related property includes, for example, hardware authentication
-                                 tokens, system administration technical manuals, keys, identification cards, and
-                                 building passes. Exit interviews ensure that terminated individuals understand the
-                                 security constraints imposed by being former employees and that proper accountability
-                                 is achieved for information system-related property. Security topics of interest at
-                                 exit interviews can include, for example, reminding terminated individuals of
-                                 nondisclosure agreements and potential limitations on future employment. Exit
-                                 interviews may not be possible for some terminated individuals, for example, in cases
-                                 related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-                                 interviews are important for individuals with security clearances. Timely execution
-                                 of termination actions is essential for individuals terminated for cause. In certain
-                                 situations, organizations consider disabling the information system accounts of
-                                 individuals that are being terminated prior to the individuals being notified.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-            - 
-              id:    ps-4_obj
-              name:  objective
-              prose: Determine if the organization, upon termination of individual employment,:
-              parts: 
-                - 
-                  id:         ps-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(a)
-                  parts: 
-                    - 
-                      id:         ps-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-4(a)[1]
-                      prose:      defines a time period within which to disable information system access;
-                    - 
-                      id:         ps-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-4(a)[2]
-                      prose: 
-                        """
-                          disables information system access within the organization-defined time
-                                               period;
-                        """
-                - 
-                  id:         ps-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(b)
-                  prose: 
-                    """
-                      terminates/revokes any authenticators/credentials associated with the
-                                        individual;
-                    """
-                - 
-                  id:         ps-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(c)
-                  parts: 
-                    - 
-                      id:         ps-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-4(c)[1]
-                      prose: 
-                        """
-                          defines information security topics to be discussed when conducting exit
-                                               interviews;
-                        """
-                    - 
-                      id:         ps-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-4(c)[2]
-                      prose: 
-                        """
-                          conducts exit interviews that include a discussion of organization-defined
-                                               information security topics;
-                        """
-                - 
-                  id:         ps-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(d)
-                  prose: 
-                    """
-                      retrieves all security-related organizational information system-related
-                                        property;
-                    """
-                - 
-                  id:         ps-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(e)
-                  prose: 
-                    """
-                      retains access to organizational information and information systems formerly
-                                        controlled by the terminated individual;
-                    """
-                - 
-                  id:         ps-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(f)
-                  parts: 
-                    - 
-                      id:         ps-4.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-4(f)[1]
-                      prose:      defines personnel or roles to be notified of the termination;
-                    - 
-                      id:         ps-4.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-4(f)[2]
-                      prose: 
-                        """
-                          defines the time period within which to notify organization-defined personnel
-                                               or roles; and
-                        """
-                    - 
-                      id:         ps-4.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-4(f)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for personnel termination\n\nautomated mechanisms supporting and/or implementing personnel termination
-                                        notifications\n\nautomated mechanisms for disabling information system access/revoking
-                                        authenticators
-                    """
-        - 
-          id:         ps-5
-          class:      SP800-53
-          title:      Personnel Transfer
-          parameters: 
-            - 
-              id:    ps-5_prm_1
-              label: organization-defined transfer or reassignment actions
-            - 
-              id:    ps-5_prm_2
-              label: organization-defined time period following the formal transfer action
-            - 
-              id:    ps-5_prm_3
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-5_prm_4
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: PS-5
-            - 
-              name:  sort-id
-              value: ps-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    ps-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Reviews and confirms ongoing operational need for current logical and physical
-                                        access authorizations to information systems/facilities when individuals are
-                                        reassigned or transferred to other positions within the organization;
-                    """
-                - 
-                  id:         ps-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};
-                - 
-                  id:         ps-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Modifies access authorization as needed to correspond with any changes in
-                                        operational need due to reassignment or transfer; and
-                    """
-                - 
-                  id:         ps-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}.
-            - 
-              id:    ps-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies when reassignments or transfers of individuals are permanent or
-                                 of such extended durations as to make the actions warranted. Organizations define
-                                 actions appropriate for the types of reassignments or transfers, whether permanent or
-                                 extended. Actions that may be required for personnel transfers or reassignments to
-                                 other positions within organizations include, for example: (i) returning old and
-                                 issuing new keys, identification cards, and building passes; (ii) closing information
-                                 system accounts and establishing new accounts; (iii) changing information system
-                                 access authorizations (i.e., privileges); and (iv) providing for access to official
-                                 records to which individuals had access at previous work locations and in previous
-                                 information system accounts.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-            - 
-              id:    ps-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(a)
-                  prose: 
-                    """
-                      when individuals are reassigned or transferred to other positions within the
-                                        organization, reviews and confirms ongoing operational need for current:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-5(a)[1]
-                      prose:      logical access authorizations to information systems;
-                    - 
-                      id:         ps-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-5(a)[2]
-                      prose:      physical access authorizations to information systems and facilities;
-                - 
-                  id:         ps-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(b)
-                  parts: 
-                    - 
-                      id:         ps-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-5(b)[1]
-                      prose: 
-                        """
-                          defines transfer or reassignment actions to be initiated following transfer or
-                                               reassignment;
-                        """
-                    - 
-                      id:         ps-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-5(b)[2]
-                      prose: 
-                        """
-                          defines the time period within which transfer or reassignment actions must
-                                               occur following transfer or reassignment;
-                        """
-                    - 
-                      id:         ps-5.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-5(b)[3]
-                      prose: 
-                        """
-                          initiates organization-defined transfer or reassignment actions within the
-                                               organization-defined time period following transfer or reassignment;
-                        """
-                - 
-                  id:         ps-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(c)
-                  prose: 
-                    """
-                      modifies access authorization as needed to correspond with any changes in
-                                        operational need due to reassignment or transfer;
-                    """
-                - 
-                  id:         ps-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(d)
-                  parts: 
-                    - 
-                      id:         ps-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-5(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified when individuals are reassigned or
-                                               transferred to other positions within the organization;
-                        """
-                    - 
-                      id:         ps-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-5(d)[2]
-                      prose: 
-                        """
-                          defines the time period within which to notify organization-defined personnel
-                                               or roles when individuals are reassigned or transferred to other positions
-                                               within the organization; and
-                        """
-                    - 
-                      id:         ps-5.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-5(d)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period when individuals are reassigned or transferred
-                                               to other positions within the organization.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with personnel security responsibilities organizational
-                                        personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for personnel transfer\n\nautomated mechanisms supporting and/or implementing personnel transfer
-                                        notifications\n\nautomated mechanisms for disabling information system access/revoking
-                                        authenticators
-                    """
-        - 
-          id:         ps-6
-          class:      SP800-53
-          title:      Access Agreements
-          parameters: 
-            - 
-              id:    ps-6_prm_1
-              label: organization-defined frequency
-            - 
-              id:    ps-6_prm_2
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: PS-6
-            - 
-              name:  sort-id
-              value: ps-06
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    ps-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops and documents access agreements for organizational information
-                                        systems;
-                    """
-                - 
-                  id:         ps-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the access agreements {{ ps-6_prm_1 }}; and
-                - 
-                  id:         ps-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that individuals requiring access to organizational information and
-                                        information systems:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-6_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Sign appropriate access agreements prior to being granted access; and
-                    - 
-                      id:         ps-6_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Re-sign access agreements to maintain access to organizational information
-                                               systems when access agreements have been updated or {{ ps-6_prm_2 }}.
-                        """
-            - 
-              id:    ps-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Access agreements include, for example, nondisclosure agreements, acceptable use
-                                 agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-                                 agreements include an acknowledgement that individuals have read, understand, and
-                                 agree to abide by the constraints associated with organizational information systems
-                                 to which access is authorized. Organizations can use electronic signatures to
-                                 acknowledge access agreements unless specifically prohibited by organizational
-                                 policy.
-                """
-              links: 
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-                - 
-                  href: #ps-8
-                  rel:  related
-                  text: PS-8
-            - 
-              id:    ps-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(a)
-                  prose: 
-                    """
-                      develops and documents access agreements for organizational information
-                                        systems;
-                    """
-                - 
-                  id:         ps-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(b)
-                  parts: 
-                    - 
-                      id:         ps-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-6(b)[1]
-                      prose:      defines the frequency to review and update the access agreements;
-                    - 
-                      id:         ps-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-6(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the access agreements with the organization-defined
-                                               frequency;
-                        """
-                - 
-                  id:         ps-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(c)
-                  parts: 
-                    - 
-                      id:         ps-6.c.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-6(c)(1)
-                      prose: 
-                        """
-                          ensures that individuals requiring access to organizational information and
-                                               information systems sign appropriate access agreements prior to being granted
-                                               access;
-                        """
-                    - 
-                      id:         ps-6.c.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-6(c)(2)
-                      parts: 
-                        - 
-                          id:         ps-6.c.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-6(c)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to re-sign access agreements to maintain access to
-                                                      organizational information systems when access agreements have been
-                                                      updated;
-                            """
-                        - 
-                          id:         ps-6.c.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PS-6(c)(2)[2]
-                          prose: 
-                            """
-                              ensures that individuals requiring access to organizational information and
-                                                      information systems re-sign access agreements to maintain access to
-                                                      organizational information systems when access agreements have been updated
-                                                      or with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Personnel security policy\n\nprocedures addressing access agreements for organizational information and
-                                        information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements
-        - 
-          id:         ps-7
-          class:      SP800-53
-          title:      Third-party Personnel Security
-          parameters: 
-            - 
-              id:    ps-7_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-7_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: PS-7
-            - 
-              name:  sort-id
-              value: ps-07
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-          parts: 
-            - 
-              id:    ps-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes personnel security requirements including security roles and
-                                        responsibilities for third-party providers;
-                    """
-                - 
-                  id:         ps-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Requires third-party providers to comply with personnel security policies and
-                                        procedures established by the organization;
-                    """
-                - 
-                  id:         ps-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Documents personnel security requirements;
-                - 
-                  id:         ps-7_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Requires third-party providers to notify {{ ps-7_prm_1 }} of any
-                                        personnel transfers or terminations of third-party personnel who possess
-                                        organizational credentials and/or badges, or who have information system
-                                        privileges within {{ ps-7_prm_2 }}; and
-                    """
-                - 
-                  id:         ps-7_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Monitors provider compliance.
-            - 
-              id:    ps-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Third-party providers include, for example, service bureaus, contractors, and other
-                                 organizations providing information system development, information technology
-                                 services, outsourced applications, and network and security management. Organizations
-                                 explicitly include personnel security requirements in acquisition-related documents.
-                                 Third-party providers may have personnel working at organizational facilities with
-                                 credentials, badges, or information system privileges issued by organizations.
-                                 Notifications of third-party personnel changes ensure appropriate termination of
-                                 privileges and credentials. Organizations define the transfers and terminations
-                                 deemed reportable by security-related characteristics that include, for example,
-                                 functions, roles, and nature of credentials/privileges associated with individuals
-                                 transferred or terminated.
-                """
-              links: 
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-                - 
-                  href: #sa-21
-                  rel:  related
-                  text: SA-21
-            - 
-              id:    ps-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-7(a)
-                  prose: 
-                    """
-                      establishes personnel security requirements, including security roles and
-                                        responsibilities, for third-party providers;
-                    """
-                - 
-                  id:         ps-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-7(b)
-                  prose: 
-                    """
-                      requires third-party providers to comply with personnel security policies and
-                                        procedures established by the organization;
-                    """
-                - 
-                  id:         ps-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-7(c)
-                  prose:      documents personnel security requirements;
-                - 
-                  id:         ps-7.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-7(d)
-                  parts: 
-                    - 
-                      id:         ps-7.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-7(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges;
-                        """
-                    - 
-                      id:         ps-7.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-7(d)[2]
-                      prose: 
-                        """
-                          defines the time period within which third-party providers are required to
-                                               notify organization-defined personnel or roles of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges;
-                        """
-                    - 
-                      id:         ps-7.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-7(d)[3]
-                      prose: 
-                        """
-                          requires third-party providers to notify organization-defined personnel or
-                                               roles within the organization-defined time period of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges; and
-                        """
-                - 
-                  id:         ps-7.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-7(e)
-                  prose:      monitors provider compliance.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing and monitoring third-party personnel
-                                        security\n\nautomated mechanisms supporting and/or implementing monitoring of provider
-                                        compliance
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  Attestation - Specifically stating that any third-party security personnel are
-                                    treated as CSP employees.
-                """
-        - 
-          id:         ps-8
-          class:      SP800-53
-          title:      Personnel Sanctions
-          parameters: 
-            - 
-              id:    ps-8_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-8_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: PS-8
-            - 
-              name:  sort-id
-              value: ps-08
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    ps-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs a formal sanctions process for individuals failing to comply with
-                                        established information security policies and procedures; and
-                    """
-                - 
-                  id:         ps-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}
-                                        when a formal employee sanctions process is initiated, identifying the individual
-                                        sanctioned and the reason for the sanction.
-                    """
-            - 
-              id:    ps-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Sanctions processes are
-                                 described in access agreements and can be included as part of general personnel
-                                 policies and procedures for organizations. Organizations consult with the Office of
-                                 the General Counsel regarding matters of employee sanctions.
-                """
-              links: 
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-            - 
-              id:    ps-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-8(a)
-                  prose: 
-                    """
-                      employs a formal sanctions process for individuals failing to comply with
-                                        established information security policies and procedures;
-                    """
-                - 
-                  id:         ps-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-8(b)
-                  parts: 
-                    - 
-                      id:         ps-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-8(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified when a formal employee sanctions
-                                               process is initiated;
-                        """
-                    - 
-                      id:         ps-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-8(b)[2]
-                      prose: 
-                        """
-                          defines the time period within which organization-defined personnel or roles
-                                               must be notified when a formal employee sanctions process is initiated; and
-                        """
-                    - 
-                      id:         ps-8.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-8(b)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period when a formal employee sanctions process is
-                                               initiated, identifying the individual sanctioned and the reason for the
-                                               sanction.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and/or implementing notifications
-    - 
-      id:       ra
-      class:    family
-      title:    Risk Assessment
-      controls: 
-        - 
-          id:         ra-1
-          class:      SP800-53
-          title:      Risk Assessment Policy and Procedures
-          parameters: 
-            - 
-              id:    ra-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ra-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    ra-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: RA-1
-            - 
-              name:  sort-id
-              value: ra-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ra-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ra-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ra-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A risk assessment policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ra-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the risk assessment policy and
-                                               associated risk assessment controls; and
-                        """
-                - 
-                  id:         ra-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ra-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Risk assessment policy {{ ra-1_prm_2 }}; and
-                    - 
-                      id:         ra-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Risk assessment procedures {{ ra-1_prm_3 }}.
-            - 
-              id:    ra-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the RA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ra-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-1(a)
-                  parts: 
-                    - 
-                      id:         ra-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ra-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[1]
-                          prose:      develops and documents a risk assessment policy that addresses:
-                          parts: 
-                            - 
-                              id:         ra-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ra-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ra-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ra-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ra-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ra-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ra-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ra-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the risk assessment policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ra-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the risk assessment policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         ra-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ra-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      risk assessment policy and associated risk assessment controls;
-                            """
-                        - 
-                          id:         ra-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ra-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ra-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-1(b)
-                  parts: 
-                    - 
-                      id:         ra-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ra-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current risk assessment
-                                                      policy;
-                            """
-                        - 
-                          id:         ra-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current risk assessment policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ra-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ra-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current risk assessment
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ra-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current risk assessment procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: risk assessment policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ra-2
-          class:      SP800-53
-          title:      Security Categorization
-          properties: 
-            - 
-              name:  label
-              value: RA-2
-            - 
-              name:  sort-id
-              value: ra-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-          parts: 
-            - 
-              id:    ra-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Categorizes information and the information system in accordance with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance;
-                    """
-                - 
-                  id:         ra-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents the security categorization results (including supporting rationale) in
-                                        the security plan for the information system; and
-                    """
-                - 
-                  id:         ra-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that the authorizing official or authorizing official designated
-                                        representative reviews and approves the security categorization decision.
-                    """
-            - 
-              id:    ra-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Clearly defined authorization boundaries are a prerequisite for effective security
-                                 categorization decisions. Security categories describe the potential adverse impacts
-                                 to organizational operations, organizational assets, and individuals if
-                                 organizational information and information systems are comprised through a loss of
-                                 confidentiality, integrity, or availability. Organizations conduct the security
-                                 categorization process as an organization-wide activity with the involvement of chief
-                                 information officers, senior information security officers, information system
-                                 owners, mission/business owners, and information owners/stewards. Organizations also
-                                 consider the potential adverse impacts to other organizations and, in accordance with
-                                 the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-                                 national-level adverse impacts. Security categorization processes carried out by
-                                 organizations facilitate the development of inventories of information assets, and
-                                 along with CM-8, mappings to specific information system components where information
-                                 is processed, stored, or transmitted.
-                """
-              links: 
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    ra-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-2(a)
-                  prose: 
-                    """
-                      categorizes information and the information system in accordance with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance;
-                    """
-                - 
-                  id:         ra-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-2(b)
-                  prose: 
-                    """
-                      documents the security categorization results (including supporting rationale) in
-                                        the security plan for the information system; and
-                    """
-                - 
-                  id:         ra-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-2(c)
-                  prose: 
-                    """
-                      ensures the authorizing official or authorizing official designated representative
-                                        reviews and approves the security categorization decision.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and
-                                        information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security categorization and risk assessment
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security categorization
-        - 
-          id:         ra-3
-          class:      SP800-53
-          title:      Risk Assessment
-          parameters: 
-            - 
-              id: ra-3_prm_1
-            - 
-              id:          ra-3_prm_2
-              depends-on:  ra-3_prm_1
-              label:       organization-defined document
-              constraints: 
-                - 
-                  detail: security assessment report
-            - 
-              id:          ra-3_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three (3) years or when a significant change occurs
-            - 
-              id:    ra-3_prm_4
-              label: organization-defined personnel or roles
-            - 
-              id:          ra-3_prm_5
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three (3) years or when a significant change occurs
-          properties: 
-            - 
-              name:  label
-              value: RA-3
-            - 
-              name:  sort-id
-              value: ra-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ra-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                                        from the unauthorized access, use, disclosure, disruption, modification, or
-                                        destruction of the information system and the information it processes, stores, or
-                                        transmits;
-                    """
-                - 
-                  id:         ra-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Documents risk assessment results in {{ ra-3_prm_1 }};
-                - 
-                  id:         ra-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews risk assessment results {{ ra-3_prm_3 }};
-                - 
-                  id:         ra-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Disseminates risk assessment results to {{ ra-3_prm_4 }}; and
-                - 
-                  id:         ra-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are
-                                        significant changes to the information system or environment of operation
-                                        (including the identification of new threats and vulnerabilities), or other
-                                        conditions that may impact the security state of the system.
-                    """
-            - 
-              id:    ra-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Clearly defined authorization boundaries are a prerequisite for effective risk
-                                 assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-                                 and impact to organizational operations and assets, individuals, other organizations,
-                                 and the Nation based on the operation and use of information systems. Risk
-                                 assessments also take into account risk from external parties (e.g., service
-                                 providers, contractors operating information systems on behalf of the organization,
-                                 individuals accessing organizational information systems, outsourcing entities). In
-                                 accordance with OMB policy and related E-authentication initiatives, authentication
-                                 of public users accessing federal information systems may also be required to protect
-                                 nonpublic or privacy-related information. As such, organizational assessments of risk
-                                 also address public access to federal information systems. Risk assessments (either
-                                 formal or informal) can be conducted at all three tiers in the risk management
-                                 hierarchy (i.e., organization level, mission/business process level, or information
-                                 system level) and at any phase in the system development life cycle. Risk assessments
-                                 can also be conducted at various steps in the Risk Management Framework, including
-                                 categorization, security control selection, security control implementation, security
-                                 control assessment, information system authorization, and security control
-                                 monitoring. RA-3 is noteworthy in that the control must be partially implemented
-                                 prior to the implementation of other controls in order to complete the first two
-                                 steps in the Risk Management Framework. Risk assessments can play an important role
-                                 in security control selection processes, particularly during the application of
-                                 tailoring guidance, which includes security control supplementation.
-                """
-              links: 
-                - 
-                  href: #ra-2
-                  rel:  related
-                  text: RA-2
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ra-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(a)
-                  prose: 
-                    """
-                      conducts an assessment of risk, including the likelihood and magnitude of harm,
-                                        from the unauthorized access, use, disclosure, disruption, modification, or
-                                        destruction of:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(a)[1]
-                      prose:      the information system;
-                    - 
-                      id:         ra-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(a)[2]
-                      prose:      the information the system processes, stores, or transmits;
-                - 
-                  id:         ra-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(b)
-                  parts: 
-                    - 
-                      id:         ra-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(b)[1]
-                      prose: 
-                        """
-                          defines a document in which risk assessment results are to be documented (if
-                                               not documented in the security plan or risk assessment report);
-                        """
-                    - 
-                      id:         ra-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(b)[2]
-                      prose:      documents risk assessment results in one of the following:
-                      parts: 
-                        - 
-                          id:         ra-3.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][a]
-                          prose:      the security plan;
-                        - 
-                          id:         ra-3.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][b]
-                          prose:      the risk assessment report; or
-                        - 
-                          id:         ra-3.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][c]
-                          prose:      the organization-defined document;
-                - 
-                  id:         ra-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(c)
-                  parts: 
-                    - 
-                      id:         ra-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(c)[1]
-                      prose:      defines the frequency to review risk assessment results;
-                    - 
-                      id:         ra-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(c)[2]
-                      prose:      reviews risk assessment results with the organization-defined frequency;
-                - 
-                  id:         ra-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(d)
-                  parts: 
-                    - 
-                      id:         ra-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom risk assessment results are to be
-                                               disseminated;
-                        """
-                    - 
-                      id:         ra-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(d)[2]
-                      prose: 
-                        """
-                          disseminates risk assessment results to organization-defined personnel or
-                                               roles;
-                        """
-                - 
-                  id:         ra-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(e)
-                  parts: 
-                    - 
-                      id:         ra-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(e)[1]
-                      prose:      defines the frequency to update the risk assessment;
-                    - 
-                      id:         ra-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3(e)[2]
-                      prose:      updates the risk assessment:
-                      parts: 
-                        - 
-                          id:         ra-3.e_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][a]
-                          prose:      with the organization-defined frequency;
-                        - 
-                          id:         ra-3.e_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][b]
-                          prose: 
-                            """
-                              whenever there are significant changes to the information system or
-                                                      environment of operation (including the identification of new threats and
-                                                      vulnerabilities); and
-                            """
-                        - 
-                          id:         ra-3.e_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][c]
-                          prose: 
-                            """
-                              whenever there are other conditions that may impact the security state of
-                                                      the system.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for risk assessment\n\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,
-                                        disseminating, and updating the risk assessment
-                    """
-            - 
-              id:    ra-3_fr
-              name:  item
-              title: RA-3 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         ra-3_fr_gdn.1
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose: 
-                    """
-                      Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                                           Appendix F
-                    """
-                - 
-                  id:         ra-3_fr_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3 (d) Requirement:
-                  prose: 
-                    """
-                      Include all Authorizing Officials; for JAB authorizations to include
-                                           FedRAMP.
-                    """
-        - 
-          id:         ra-5
-          class:      SP800-53
-          title:      Vulnerability Scanning
-          parameters: 
-            - 
-              id:          ra-5_prm_1
-              label: 
-                """
-                  organization-defined frequency and/or randomly in accordance with
-                                 organization-defined process
-                """
-              constraints: 
-                - 
-                  detail: monthly operating system/infrastructure; monthly web applications and databases
-            - 
-              id:          ra-5_prm_2
-              label:       organization-defined response times
-              constraints: 
-                - 
-                  detail: [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.
-            - 
-              id:    ra-5_prm_3
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: RA-5
-            - 
-              name:  sort-id
-              value: ra-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #15522e92-9192-463d-9646-6a01982db8ca
-              rel:  reference
-              text: http://cwe.mitre.org
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-          parts: 
-            - 
-              id:    ra-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Scans for vulnerabilities in the information system and hosted applications
-                                           {{ ra-5_prm_1 }} and when new vulnerabilities potentially
-                                        affecting the system/applications are identified and reported;
-                    """
-                - 
-                  id:         ra-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs vulnerability scanning tools and techniques that facilitate
-                                        interoperability among tools and automate parts of the vulnerability management
-                                        process by using standards for:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Enumerating platforms, software flaws, and improper configurations;
-                    - 
-                      id:         ra-5_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Formatting checklists and test procedures; and
-                    - 
-                      id:         ra-5_smt.b.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      Measuring vulnerability impact;
-                - 
-                  id:         ra-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Analyzes vulnerability scan reports and results from security control
-                                        assessments;
-                    """
-                - 
-                  id:         ra-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in
-                                        accordance with an organizational assessment of risk; and
-                    """
-                - 
-                  id:         ra-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Shares information obtained from the vulnerability scanning process and security
-                                        control assessments with {{ ra-5_prm_3 }} to help eliminate similar
-                                        vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                        deficiencies).
-                    """
-            - 
-              id:    ra-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security categorization of information systems guides the frequency and
-                                 comprehensiveness of vulnerability scans. Organizations determine the required
-                                 vulnerability scanning for all information system components, ensuring that potential
-                                 sources of vulnerabilities such as networked printers, scanners, and copiers are not
-                                 overlooked. Vulnerability analyses for custom software applications may require
-                                 additional approaches such as static analysis, dynamic analysis, binary analysis, or
-                                 a hybrid of the three approaches. Organizations can employ these analysis approaches
-                                 in a variety of tools (e.g., web-based application scanners, static analysis tools,
-                                 binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-                                 example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-                                 protocols, and services that should not be accessible to users or devices; and (iii)
-                                 scanning for improperly configured or incorrectly operating information flow control
-                                 mechanisms. Organizations consider using tools that express vulnerabilities in the
-                                 Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-                                 Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-                                 vulnerabilities. Suggested sources for vulnerability information include the Common
-                                 Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-                                 addition, security control assessments such as red team exercises provide other
-                                 sources of potential vulnerabilities for which to scan. Organizations also consider
-                                 using tools that express vulnerability impact by the Common Vulnerability Scoring
-                                 System (CVSS).
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #ra-2
-                  rel:  related
-                  text: RA-2
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    ra-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(a)
-                  parts: 
-                    - 
-                      id:         ra-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(a)[1]
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[1][a]
-                          prose: 
-                            """
-                              defines the frequency for conducting vulnerability scans on the information
-                                                      system and hosted applications; and/or
-                            """
-                        - 
-                          id:         ra-5.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[1][b]
-                          prose: 
-                            """
-                              defines the process for conducting random vulnerability scans on the
-                                                      information system and hosted applications;
-                            """
-                    - 
-                      id:         ra-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(a)[2]
-                      prose: 
-                        """
-                          in accordance with the organization-defined frequency and/or
-                                               organization-defined process for conducting random scans, scans for
-                                               vulnerabilities in:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[2][a]
-                          prose:      the information system;
-                        - 
-                          id:         ra-5.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[2][b]
-                          prose:      hosted applications;
-                    - 
-                      id:         ra-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(a)[3]
-                      prose: 
-                        """
-                          when new vulnerabilities potentially affecting the system/applications are
-                                               identified and reported, scans for vulnerabilities in:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[3][a]
-                          prose:      the information system;
-                        - 
-                          id:         ra-5.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[3][b]
-                          prose:      hosted applications;
-                - 
-                  id:         ra-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(b)
-                  prose: 
-                    """
-                      employs vulnerability scanning tools and techniques that facilitate
-                                        interoperability among tools and automate parts of the vulnerability management
-                                        process by using standards for:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(b)(1)
-                      parts: 
-                        - 
-                          id:         ra-5.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[1]
-                          prose:      enumerating platforms;
-                        - 
-                          id:         ra-5.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[2]
-                          prose:      enumerating software flaws;
-                        - 
-                          id:         ra-5.b.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[3]
-                          prose:      enumerating improper configurations;
-                    - 
-                      id:         ra-5.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(b)(2)
-                      parts: 
-                        - 
-                          id:         ra-5.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(2)[1]
-                          prose:      formatting checklists;
-                        - 
-                          id:         ra-5.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(2)[2]
-                          prose:      formatting test procedures;
-                    - 
-                      id:         ra-5.b.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(b)(3)
-                      prose:      measuring vulnerability impact;
-                - 
-                  id:         ra-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(c)
-                  parts: 
-                    - 
-                      id:         ra-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(c)[1]
-                      prose:      analyzes vulnerability scan reports;
-                    - 
-                      id:         ra-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(c)[2]
-                      prose:      analyzes results from security control assessments;
-                - 
-                  id:         ra-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(d)
-                  parts: 
-                    - 
-                      id:         ra-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(d)[1]
-                      prose: 
-                        """
-                          defines response times to remediate legitimate vulnerabilities in accordance
-                                               with an organizational assessment of risk;
-                        """
-                    - 
-                      id:         ra-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(d)[2]
-                      prose: 
-                        """
-                          remediates legitimate vulnerabilities within the organization-defined response
-                                               times in accordance with an organizational assessment of risk;
-                        """
-                - 
-                  id:         ra-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(e)
-                  parts: 
-                    - 
-                      id:         ra-5.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(e)[1]
-                      prose: 
-                        """
-                          defines personnel or roles with whom information obtained from the
-                                               vulnerability scanning process and security control assessments is to be
-                                               shared;
-                        """
-                    - 
-                      id:         ra-5.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(e)[2]
-                      prose: 
-                        """
-                          shares information obtained from the vulnerability scanning process with
-                                               organization-defined personnel or roles to help eliminate similar
-                                               vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                               deficiencies); and
-                        """
-                    - 
-                      id:         ra-5.e_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5(e)[3]
-                      prose: 
-                        """
-                          shares information obtained from security control assessments with
-                                               organization-defined personnel or roles to help eliminate similar
-                                               vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                               deficiencies).
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with risk assessment, security control assessment and
-                                        vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for vulnerability scanning, analysis, remediation, and
-                                        information sharing\n\nautomated mechanisms supporting and/or implementing vulnerability scanning,
-                                        analysis, remediation, and information sharing
-                    """
-            - 
-              id:         ra-5_fr_smt.a
-              name:       item
-              title:      RA-5(a) Additional FedRAMP Requirements and Guidance
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5 (a)Requirement:
-              prose: 
-                """
-                  An accredited independent assessor scans operating systems/infrastructure, web
-                                    applications, and databases once annually.
-                """
-            - 
-              id:         ra-5_fr_smt.e
-              name:       item
-              title:      RA-5(e) Additional FedRAMP Requirements and Guidance
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5 (e)Requirement:
-              prose: 
-                """
-                  To include all Authorizing Officials; for JAB authorizations to include
-                                    FedRAMP.
-                """
-            - 
-              id:    ra-5_fr
-              name:  item
-              title: RA-5 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         ra-5_fr_gdn.1
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose: 
-                    """
-                      
-                                        **See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                                              Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))
-                    """
-    - 
-      id:       sa
-      class:    family
-      title:    System and Services Acquisition
-      controls: 
-        - 
-          id:         sa-1
-          class:      SP800-53
-          title:      System and Services Acquisition Policy and Procedures
-          parameters: 
-            - 
-              id:    sa-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    sa-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    sa-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: SA-1
-            - 
-              name:  sort-id
-              value: sa-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    sa-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ sa-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         sa-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and services acquisition policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         sa-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and services
-                                               acquisition policy and associated system and services acquisition controls;
-                                               and
-                        """
-                - 
-                  id:         sa-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         sa-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      System and services acquisition policy {{ sa-1_prm_2 }}; and
-                    - 
-                      id:         sa-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and services acquisition procedures {{ sa-1_prm_3 }}.
-            - 
-              id:    sa-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    sa-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-1(a)
-                  parts: 
-                    - 
-                      id:         sa-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         sa-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and services acquisition policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         sa-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         sa-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         sa-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         sa-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         sa-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         sa-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         sa-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         sa-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and services acquisition
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         sa-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and services acquisition policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         sa-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         sa-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and services acquisition policy and associated system and services
-                                                      acquisition controls;
-                            """
-                        - 
-                          id:         sa-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         sa-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         sa-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-1(b)
-                  parts: 
-                    - 
-                      id:         sa-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         sa-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and services
-                                                      acquisition policy;
-                            """
-                        - 
-                          id:         sa-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and services acquisition policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         sa-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         sa-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and services
-                                                      acquisition procedures; and
-                            """
-                        - 
-                          id:         sa-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and services acquisition procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and services acquisition policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         sa-2
-          class:      SP800-53
-          title:      Allocation of Resources
-          properties: 
-            - 
-              name:  label
-              value: SA-2
-            - 
-              name:  sort-id
-              value: sa-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #29fcfe59-33cd-494a-8756-5907ae3a8f92
-              rel:  reference
-              text: NIST Special Publication 800-65
-          parts: 
-            - 
-              id:    sa-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines information security requirements for the information system or
-                                        information system service in mission/business process planning;
-                    """
-                - 
-                  id:         sa-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Determines, documents, and allocates the resources required to protect the
-                                        information system or information system service as part of its capital planning
-                                        and investment control process; and
-                    """
-                - 
-                  id:         sa-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Establishes a discrete line item for information security in organizational
-                                        programming and budgeting documentation.
-                    """
-            - 
-              id:    sa-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Resource allocation for information security includes funding for the initial
-                                 information system or information system service acquisition and funding for the
-                                 sustainment of the system/service.
-                """
-              links: 
-                - 
-                  href: #pm-3
-                  rel:  related
-                  text: PM-3
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-            - 
-              id:    sa-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-2(a)
-                  prose: 
-                    """
-                      determines information security requirements for the information system or
-                                        information system service in mission/business process planning;
-                    """
-                - 
-                  id:         sa-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-2(b)
-                  prose: 
-                    """
-                      to protect the information system or information system service as part of its
-                                        capital planning and investment control process:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[1]
-                      prose:      determines the resources required;
-                    - 
-                      id:         sa-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[2]
-                      prose:      documents the resources required;
-                    - 
-                      id:         sa-2.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[3]
-                      prose:      allocates the resources required; and
-                - 
-                  id:         sa-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-2(c)
-                  prose: 
-                    """
-                      establishes a discrete line item for information security in organizational
-                                        programming and budgeting documentation.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security
-                                        requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with capital planning, investment control, organizational
-                                        programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security
-                                        requirements for information systems/services\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and/or implementing organizational capital
-                                        planning, programming, and budgeting
-                    """
-        - 
-          id:         sa-3
-          class:      SP800-53
-          title:      System Development Life Cycle
-          parameters: 
-            - 
-              id:    sa-3_prm_1
-              label: organization-defined system development life cycle
-          properties: 
-            - 
-              name:  label
-              value: SA-3
-            - 
-              name:  sort-id
-              value: sa-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #abd950ae-092f-4b7a-b374-1c7c67fe9350
-              rel:  reference
-              text: NIST Special Publication 800-64
-          parts: 
-            - 
-              id:    sa-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Manages the information system using {{ sa-3_prm_1 }} that
-                                        incorporates information security considerations;
-                    """
-                - 
-                  id:         sa-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Defines and documents information security roles and responsibilities throughout
-                                        the system development life cycle;
-                    """
-                - 
-                  id:         sa-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Identifies individuals having information security roles and responsibilities;
-                                        and
-                    """
-                - 
-                  id:         sa-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Integrates the organizational information security risk management process into
-                                        system development life cycle activities.
-                    """
-            - 
-              id:    sa-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  A well-defined system development life cycle provides the foundation for the
-                                 successful development, implementation, and operation of organizational information
-                                 systems. To apply the required security controls within the system development life
-                                 cycle requires a basic understanding of information security, threats,
-                                 vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-                                 The security engineering principles in SA-8 cannot be properly applied if individuals
-                                 that design, code, and test information systems and system components (including
-                                 information technology products) do not understand security. Therefore, organizations
-                                 include qualified personnel, for example, chief information security officers,
-                                 security architects, security engineers, and information system security officers in
-                                 system development life cycle activities to ensure that security requirements are
-                                 incorporated into organizational information systems. It is equally important that
-                                 developers include individuals on the development team that possess the requisite
-                                 security expertise and skills to ensure that needed security capabilities are
-                                 effectively integrated into the information system. Security awareness and training
-                                 programs can help ensure that individuals having key security roles and
-                                 responsibilities have the appropriate experience, skills, and expertise to conduct
-                                 assigned system development life cycle activities. The effective integration of
-                                 security requirements into enterprise architecture also helps to ensure that
-                                 important security considerations are addressed early in the system development life
-                                 cycle and that those considerations are directly related to the organizational
-                                 mission/business processes. This process also facilitates the integration of the
-                                 information security architecture into the enterprise architecture, consistent with
-                                 organizational risk management and information security strategies.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-            - 
-              id:    sa-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-3(a)
-                  parts: 
-                    - 
-                      id:         sa-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-3(a)[1]
-                      prose: 
-                        """
-                          defines a system development life cycle that incorporates information security
-                                               considerations to be used to manage the information system;
-                        """
-                    - 
-                      id:         sa-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-3(a)[2]
-                      prose: 
-                        """
-                          manages the information system using the organization-defined system
-                                               development life cycle;
-                        """
-                - 
-                  id:         sa-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-3(b)
-                  prose: 
-                    """
-                      defines and documents information security roles and responsibilities throughout
-                                        the system development life cycle;
-                    """
-                - 
-                  id:         sa-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-3(c)
-                  prose: 
-                    """
-                      identifies individuals having information security roles and responsibilities;
-                                        and
-                    """
-                - 
-                  id:         sa-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-3(d)
-                  prose: 
-                    """
-                      integrates the organizational information security risk management process into
-                                        system development life cycle activities.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the integration of information security into the system
-                                        development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy/program documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information security and system life cycle
-                                        development responsibilities\n\norganizational personnel with information security risk management
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into
-                                        the SDLC\n\nautomated mechanisms supporting and/or implementing the SDLC
-                    """
-        - 
-          id:         sa-4
-          class:      SP800-53
-          title:      Acquisition Process
-          properties: 
-            - 
-              name:  label
-              value: SA-4
-            - 
-              name:  sort-id
-              value: sa-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #ad733a42-a7ed-4774-b988-4930c28852f3
-              rel:  reference
-              text: HSPD-12
-            - 
-              href: #1737a687-52fb-4008-b900-cbfa836f7b65
-              rel:  reference
-              text: ISO/IEC 15408
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #0a5db899-f033-467f-8631-f5a8ba971475
-              rel:  reference
-              text: NIST Special Publication 800-23
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-            - 
-              href: #d818efd3-db31-4953-8afa-9e76afe83ce2
-              rel:  reference
-              text: NIST Special Publication 800-36
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #abd950ae-092f-4b7a-b374-1c7c67fe9350
-              rel:  reference
-              text: NIST Special Publication 800-64
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-            - 
-              href: #56d671da-6b7b-4abf-8296-84b61980390a
-              rel:  reference
-              text: Federal Acquisition Regulation
-            - 
-              href: #c95a9986-3cd6-4a98-931b-ccfc56cb11e5
-              rel:  reference
-              text: http://www.niap-ccevs.org
-            - 
-              href: #5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-              rel:  reference
-              text: http://fips201ep.cio.gov
-            - 
-              href: #bbd50dd1-54ce-4432-959d-63ea564b1bb4
-              rel:  reference
-              text: http://www.acquisition.gov/far
-          parts: 
-            - 
-              id:    sa-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization includes the following requirements, descriptions, and criteria,
-                                 explicitly or by reference, in the acquisition contract for the information system,
-                                 system component, or information system service in accordance with applicable federal
-                                 laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-                                 organizational mission/business needs:
-                """
-              parts: 
-                - 
-                  id:         sa-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Security functional requirements;
-                - 
-                  id:         sa-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Security strength requirements;
-                - 
-                  id:         sa-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Security assurance requirements;
-                - 
-                  id:         sa-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Security-related documentation requirements;
-                - 
-                  id:         sa-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Requirements for protecting security-related documentation;
-                - 
-                  id:         sa-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Description of the information system development environment and environment in
-                                        which the system is intended to operate; and
-                    """
-                - 
-                  id:         sa-4_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Acceptance criteria.
-            - 
-              id:    sa-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system components are discrete, identifiable information technology
-                                 assets (e.g., hardware, software, or firmware) that represent the building blocks of
-                                 an information system. Information system components include commercial information
-                                 technology products. Security functional requirements include security capabilities,
-                                 security functions, and security mechanisms. Security strength requirements
-                                 associated with such capabilities, functions, and mechanisms include degree of
-                                 correctness, completeness, resistance to direct attack, and resistance to tampering
-                                 or bypass. Security assurance requirements include: (i) development processes,
-                                 procedures, practices, and methodologies; and (ii) evidence from development and
-                                 assessment activities providing grounds for confidence that the required security
-                                 functionality has been implemented and the required security strength has been
-                                 achieved. Security documentation requirements address all phases of the system
-                                 development life cycle. Security functionality, assurance, and documentation
-                                 requirements are expressed in terms of security controls and control enhancements
-                                 that have been selected through the tailoring process. The security control tailoring
-                                 process includes, for example, the specification of parameter values through the use
-                                 of assignment and selection statements and the specification of platform dependencies
-                                 and implementation information. Security documentation provides user and
-                                 administrator guidance regarding the implementation and operation of security
-                                 controls. The level of detail required in security documentation is based on the
-                                 security category or classification level of the information system and the degree to
-                                 which organizations depend on the stated security capability, functions, or
-                                 mechanisms to meet overall risk response expectations (as defined in the
-                                 organizational risk management strategy). Security requirements can also include
-                                 organizationally mandated configuration settings specifying allowed functions, ports,
-                                 protocols, and services. Acceptance criteria for information systems, information
-                                 system components, and information system services are defined in the same manner as
-                                 such criteria for any organizational acquisition or procurement. The Federal
-                                 Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-                                 from FISMA.
-                """
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    sa-4_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization includes the following requirements, descriptions, and
-                                 criteria, explicitly or by reference, in the acquisition contracts for the
-                                 information system, system component, or information system service in accordance
-                                 with applicable federal laws, Executive Orders, directives, policies, regulations,
-                                 standards, guidelines, and organizational mission/business needs:
-                """
-              parts: 
-                - 
-                  id:         sa-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(a)
-                  prose:      security functional requirements;
-                - 
-                  id:         sa-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(b)
-                  prose:      security strength requirements;
-                - 
-                  id:         sa-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(c)
-                  prose:      security assurance requirements;
-                - 
-                  id:         sa-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(d)
-                  prose:      security-related documentation requirements;
-                - 
-                  id:         sa-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(e)
-                  prose:      requirements for protecting security-related documentation;
-                - 
-                  id:         sa-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(f)
-                  prose:      description of:
-                  parts: 
-                    - 
-                      id:         sa-4.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(f)[1]
-                      prose:      the information system development environment;
-                    - 
-                      id:         sa-4.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(f)[2]
-                      prose:      the environment in which the system is intended to operate; and
-                - 
-                  id:         sa-4.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(g)
-                  prose:      acceptance criteria.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                        descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\ninformation system design documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security functional, strength, and assurance requirements\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for determining information system security functional,
-                                        strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of
-                                        security requirements in contracts
-                    """
-          controls: 
-            - 
-              id:         sa-4.10
-              class:      SP800-53-enhancement
-              title:      Use of Approved PIV Products
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(10)
-                - 
-                  name:  sort-id
-                  value: sa-04.10
-                - 
-                  name:  method
-                  class: FedRAMP-Tailored-LI-SaaS
-                  value: ATTEST
-              parts: 
-                - 
-                  id:    sa-4.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs only information technology products on the FIPS
-                                        201-approved products list for Personal Identity Verification (PIV) capability
-                                        implemented within organizational information systems.
-                    """
-                - 
-                  id:    sa-4.10_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ia-2
-                      rel:  related
-                      text: IA-2
-                    - 
-                      href: #ia-8
-                      rel:  related
-                      text: IA-8
-                - 
-                  id:    sa-4.10_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization employs only information technology products on the
-                                        FIPS 201-approved products list for Personal Identity Verification (PIV)
-                                        capability implemented within organizational information systems. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nservice-level agreements\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\norganizational personnel with responsibility for ensuring only FIPS
-                                               201-approved products are implemented\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for selecting and employing FIPS 201-approved
-                                               products
-                        """
-        - 
-          id:         sa-5
-          class:      SP800-53
-          title:      Information System Documentation
-          parameters: 
-            - 
-              id:    sa-5_prm_1
-              label: organization-defined actions
-            - 
-              id:    sa-5_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: SA-5
-            - 
-              name:  sort-id
-              value: sa-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    sa-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Obtains administrator documentation for the information system, system component,
-                                        or information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Secure configuration, installation, and operation of the system, component, or
-                                               service;
-                        """
-                    - 
-                      id:         sa-5_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Effective use and maintenance of security functions/mechanisms; and
-                    - 
-                      id:         sa-5_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                                               privileged) functions;
-                        """
-                - 
-                  id:         sa-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Obtains user documentation for the information system, system component, or
-                                        information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          User-accessible security functions/mechanisms and how to effectively use those
-                                               security functions/mechanisms;
-                        """
-                    - 
-                      id:         sa-5_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Methods for user interaction, which enables individuals to use the system,
-                                               component, or service in a more secure manner; and
-                        """
-                    - 
-                      id:         sa-5_smt.b.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          User responsibilities in maintaining the security of the system, component, or
-                                               service;
-                        """
-                - 
-                  id:         sa-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Documents attempts to obtain information system, system component, or information
-                                        system service documentation when such documentation is either unavailable or
-                                        nonexistent and takes {{ sa-5_prm_1 }} in response;
-                    """
-                - 
-                  id:         sa-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects documentation as required, in accordance with the risk management
-                                        strategy; and
-                    """
-                - 
-                  id:         sa-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Distributes documentation to {{ sa-5_prm_2 }}.
-            - 
-              id:    sa-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control helps organizational personnel understand the implementation and
-                                 operation of security controls associated with information systems, system
-                                 components, and information system services. Organizations consider establishing
-                                 specific measures to determine the quality/completeness of the content provided. The
-                                 inability to obtain needed documentation may occur, for example, due to the age of
-                                 the information system/component or lack of support from developers and contractors.
-                                 In those situations, organizations may need to recreate selected documentation if
-                                 such documentation is essential to the effective implementation or operation of
-                                 security controls. The level of protection provided for selected information system,
-                                 component, or service documentation is commensurate with the security category or
-                                 classification of the system. For example, documentation associated with a key DoD
-                                 weapons system or command and control system would typically require a higher level
-                                 of protection than a routine administrative system. Documentation that addresses
-                                 information system vulnerabilities may also require an increased level of protection.
-                                 Secure operation of the information system, includes, for example, initially starting
-                                 the system and resuming secure system operation after any lapse in system
-                                 operation.
-                """
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-            - 
-              id:    sa-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(a)
-                  prose: 
-                    """
-                      obtains administrator documentation for the information system, system component,
-                                        or information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(1)
-                      parts: 
-                        - 
-                          id:         sa-5.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[1]
-                          prose:      secure configuration of the system, system component, or service;
-                        - 
-                          id:         sa-5.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[2]
-                          prose:      secure installation of the system, system component, or service;
-                        - 
-                          id:         sa-5.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[3]
-                          prose:      secure operation of the system, system component, or service;
-                    - 
-                      id:         sa-5.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(2)
-                      parts: 
-                        - 
-                          id:         sa-5.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(2)[1]
-                          prose:      effective use of the security features/mechanisms;
-                        - 
-                          id:         sa-5.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(2)[2]
-                          prose:      effective maintenance of the security features/mechanisms;
-                    - 
-                      id:         sa-5.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(3)
-                      prose: 
-                        """
-                          known vulnerabilities regarding configuration and use of administrative (i.e.,
-                                               privileged) functions;
-                        """
-                - 
-                  id:         sa-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(b)
-                  prose: 
-                    """
-                      obtains user documentation for the information system, system component, or
-                                        information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(1)
-                      parts: 
-                        - 
-                          id:         sa-5.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(b)(1)[1]
-                          prose:      user-accessible security functions/mechanisms;
-                        - 
-                          id:         sa-5.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(b)(1)[2]
-                          prose:      how to effectively use those functions/mechanisms;
-                    - 
-                      id:         sa-5.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(2)
-                      prose: 
-                        """
-                          methods for user interaction, which enables individuals to use the system,
-                                               component, or service in a more secure manner;
-                        """
-                    - 
-                      id:         sa-5.b.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(3)
-                      prose: 
-                        """
-                          user responsibilities in maintaining the security of the system, component, or
-                                               service;
-                        """
-                - 
-                  id:         sa-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(c)
-                  parts: 
-                    - 
-                      id:         sa-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(c)[1]
-                      prose: 
-                        """
-                          defines actions to be taken after documented attempts to obtain information
-                                               system, system component, or information system service documentation when such
-                                               documentation is either unavailable or nonexistent;
-                        """
-                    - 
-                      id:         sa-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(c)[2]
-                      prose: 
-                        """
-                          documents attempts to obtain information system, system component, or
-                                               information system service documentation when such documentation is either
-                                               unavailable or nonexistent;
-                        """
-                    - 
-                      id:         sa-5.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(c)[3]
-                      prose:      takes organization-defined actions in response;
-                - 
-                  id:         sa-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(d)
-                  prose: 
-                    """
-                      protects documentation as required, in accordance with the risk management
-                                        strategy;
-                    """
-                - 
-                  id:         sa-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(e)
-                  parts: 
-                    - 
-                      id:         sa-5.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(e)[1]
-                      prose:      defines personnel or roles to whom documentation is to be distributed; and
-                    - 
-                      id:         sa-5.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(e)[2]
-                      prose:      distributes documentation to organization-defined personnel or roles.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information
-                                        system documentation\n\nlist of actions to be taken in response to documented attempts to obtain
-                                        information system, system component, or information system service
-                                        documentation\n\nrisk management strategy documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for obtaining, protecting, and distributing information
-                                        system administrator and user documentation
-                    """
-        - 
-          id:         sa-9
-          class:      SP800-53
-          title:      External Information System Services
-          parameters: 
-            - 
-              id:          sa-9_prm_1
-              label:       organization-defined security controls
-              constraints: 
-                - 
-                  detail: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-            - 
-              id:          sa-9_prm_2
-              label:       organization-defined processes, methods, and techniques
-              constraints: 
-                - 
-                  detail: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-          properties: 
-            - 
-              name:  label
-              value: SA-9
-            - 
-              name:  sort-id
-              value: sa-09
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-          parts: 
-            - 
-              id:    sa-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires that providers of external information system services comply with
-                                        organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive
-                                        Orders, directives, policies, regulations, standards, and guidance;
-                    """
-                - 
-                  id:         sa-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Defines and documents government oversight and user roles and responsibilities
-                                        with regard to external information system services; and
-                    """
-                - 
-                  id:         sa-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Employs {{ sa-9_prm_2 }} to monitor security control compliance by
-                                        external service providers on an ongoing basis.
-                    """
-            - 
-              id:    sa-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  External information system services are services that are implemented outside of the
-                                 authorization boundaries of organizational information systems. This includes
-                                 services that are used by, but not a part of, organizational information systems.
-                                 FISMA and OMB policy require that organizations using external service providers that
-                                 are processing, storing, or transmitting federal information or operating information
-                                 systems on behalf of the federal government ensure that such providers meet the same
-                                 security requirements that federal agencies are required to meet. Organizations
-                                 establish relationships with external service providers in a variety of ways
-                                 including, for example, through joint ventures, business partnerships, contracts,
-                                 interagency agreements, lines of business arrangements, licensing agreements, and
-                                 supply chain exchanges. The responsibility for managing risks from the use of
-                                 external information system services remains with authorizing officials. For services
-                                 external to organizations, a chain of trust requires that organizations establish and
-                                 retain a level of confidence that each participating provider in the potentially
-                                 complex consumer-provider relationship provides adequate protection for the services
-                                 rendered. The extent and nature of this chain of trust varies based on the
-                                 relationships between organizations and the external providers. Organizations
-                                 document the basis for trust relationships so the relationships can be monitored over
-                                 time. External information system services documentation includes government, service
-                                 providers, end user security roles and responsibilities, and service-level
-                                 agreements. Service-level agreements define expectations of performance for security
-                                 controls, describe measurable outcomes, and identify remedies and response
-                                 requirements for identified instances of noncompliance.
-                """
-              links: 
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ir-7
-                  rel:  related
-                  text: IR-7
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-            - 
-              id:    sa-9_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(a)
-                  parts: 
-                    - 
-                      id:         sa-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(a)[1]
-                      prose: 
-                        """
-                          defines security controls to be employed by providers of external information
-                                               system services;
-                        """
-                    - 
-                      id:         sa-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(a)[2]
-                      prose: 
-                        """
-                          requires that providers of external information system services comply with
-                                               organizational information security requirements;
-                        """
-                    - 
-                      id:         sa-9.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(a)[3]
-                      prose: 
-                        """
-                          requires that providers of external information system services employ
-                                               organization-defined security controls in accordance with applicable federal
-                                               laws, Executive Orders, directives, policies, regulations, standards, and
-                                               guidance;
-                        """
-                - 
-                  id:         sa-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(b)
-                  parts: 
-                    - 
-                      id:         sa-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(b)[1]
-                      prose: 
-                        """
-                          defines and documents government oversight with regard to external information
-                                               system services;
-                        """
-                    - 
-                      id:         sa-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(b)[2]
-                      prose: 
-                        """
-                          defines and documents user roles and responsibilities with regard to external
-                                               information system services;
-                        """
-                - 
-                  id:         sa-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(c)
-                  parts: 
-                    - 
-                      id:         sa-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(c)[1]
-                      prose: 
-                        """
-                          defines processes, methods, and techniques to be employed to monitor security
-                                               control compliance by external service providers; and
-                        """
-                    - 
-                      id:         sa-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(c)[2]
-                      prose: 
-                        """
-                          employs organization-defined processes, methods, and techniques to monitor
-                                               security control compliance by external service providers on an ongoing
-                                               basis.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control
-                                        compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external
-                                        provider services\n\nsecurity control assessment evidence from external providers of information system
-                                        services\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring security control compliance by external
-                                        service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external
-                                        service providers on an ongoing basis
-                    """
-    - 
-      id:       sc
-      class:    family
-      title:    System and Communications Protection
-      controls: 
-        - 
-          id:         sc-1
-          class:      SP800-53
-          title:      System and Communications Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    sc-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    sc-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    sc-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: SC-1
-            - 
-              name:  sort-id
-              value: sc-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    sc-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sc-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ sc-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         sc-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and communications protection policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         sc-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and communications
-                                               protection policy and associated system and communications protection controls;
-                                               and
-                        """
-                - 
-                  id:         sc-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         sc-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          System and communications protection policy {{ sc-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         sc-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and communications protection procedures {{ sc-1_prm_3 }}.
-            - 
-              id:    sc-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SC
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    sc-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-1(a)
-                  parts: 
-                    - 
-                      id:         sc-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(a)(1)
-                      parts: 
-                        - 
-                          id:         sc-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and communications protection policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         sc-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         sc-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         sc-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         sc-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         sc-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         sc-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         sc-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         sc-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and communications protection
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         sc-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and communications protection policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         sc-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(a)(2)
-                      parts: 
-                        - 
-                          id:         sc-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and communications protection policy and associated system and
-                                                      communications protection controls;
-                            """
-                        - 
-                          id:         sc-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         sc-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         sc-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-1(b)
-                  parts: 
-                    - 
-                      id:         sc-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(b)(1)
-                      parts: 
-                        - 
-                          id:         sc-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      communications protection policy;
-                            """
-                        - 
-                          id:         sc-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and communications protection policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         sc-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(b)(2)
-                      parts: 
-                        - 
-                          id:         sc-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      communications protection procedures; and
-                            """
-                        - 
-                          id:         sc-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and communications protection
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and communications protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         sc-5
-          class:      SP800-53
-          title:      Denial of Service Protection
-          parameters: 
-            - 
-              id:    sc-5_prm_1
-              label: 
-                """
-                  organization-defined types of denial of service attacks or references to sources
-                                 for such information
-                """
-            - 
-              id:    sc-5_prm_2
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SC-5
-            - 
-              name:  sort-id
-              value: sc-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          parts: 
-            - 
-              id:    sc-5_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects against or limits the effects of the following types
-                                 of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}.
-                """
-            - 
-              id:    sc-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  A variety of technologies exist to limit, or in some cases, eliminate the effects of
-                                 denial of service attacks. For example, boundary protection devices can filter
-                                 certain types of packets to protect information system components on internal
-                                 organizational networks from being directly affected by denial of service attacks.
-                                 Employing increased capacity and bandwidth combined with service redundancy may also
-                                 reduce the susceptibility to denial of service attacks.
-                """
-              links: 
-                - 
-                  href: #sc-6
-                  rel:  related
-                  text: SC-6
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    sc-5_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[1]
-                  prose: 
-                    """
-                      the organization defines types of denial of service attacks or reference to source
-                                        of such information for the information system to protect against or limit the
-                                        effects;
-                    """
-                - 
-                  id:         sc-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[2]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be employed by the information
-                                        system to protect against or limit the effects of organization-defined types of
-                                        denial of service attacks; and
-                    """
-                - 
-                  id:         sc-5_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[3]
-                  prose: 
-                    """
-                      the information system protects against or limits the effects of the
-                                        organization-defined denial or service attacks (or reference to source for such
-                                        information) by employing organization-defined security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to
-                                        protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial
-                                        of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms protecting against or limiting the effects of denial of
-                                        service attacks
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  Condition: If availability is a requirement, define protections in place as per
-                                    control requirement.
-                """
-        - 
-          id:         sc-7
-          class:      SP800-53
-          title:      Boundary Protection
-          parameters: 
-            - 
-              id: sc-7_prm_1
-          properties: 
-            - 
-              name:  label
-              value: SC-7
-            - 
-              name:  sort-id
-              value: sc-07
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #756a8e86-57d5-4701-8382-f7a40439665a
-              rel:  reference
-              text: NIST Special Publication 800-41
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-          parts: 
-            - 
-              id:    sc-7_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Monitors and controls communications at the external boundary of the system and at
-                                        key internal boundaries within the system;
-                    """
-                - 
-                  id:         sc-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;
-                                        and
-                    """
-                - 
-                  id:         sc-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Connects to external networks or information systems only through managed
-                                        interfaces consisting of boundary protection devices arranged in accordance with
-                                        an organizational security architecture.
-                    """
-            - 
-              id:    sc-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Managed interfaces include, for example, gateways, routers, firewalls, guards,
-                                 network-based malicious code analysis and virtualization systems, or encrypted
-                                 tunnels implemented within a security architecture (e.g., routers protecting
-                                 firewalls or application gateways residing on protected subnetworks). Subnetworks
-                                 that are physically or logically separated from internal networks are referred to as
-                                 demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-                                 organizational information systems includes, for example, restricting external web
-                                 traffic to designated web servers within managed interfaces and prohibiting external
-                                 traffic that appears to be spoofing internal addresses. Organizations consider the
-                                 shared nature of commercial telecommunications services in the implementation of
-                                 security controls associated with the use of such services. Commercial
-                                 telecommunications services are commonly based on network components and consolidated
-                                 management systems shared by all attached commercial customers, and may also include
-                                 third party-provided access lines and other service elements. Such transmission
-                                 services may represent sources of increased risk despite contract security
-                                 provisions.
-                """
-              links: 
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    sc-7_obj
-              name:  objective
-              prose: Determine if the information system:
-              parts: 
-                - 
-                  id:         sc-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-7(a)
-                  parts: 
-                    - 
-                      id:         sc-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(a)[1]
-                      prose:      monitors communications at the external boundary of the information system;
-                    - 
-                      id:         sc-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(a)[2]
-                      prose:      monitors communications at key internal boundaries within the system;
-                    - 
-                      id:         sc-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(a)[3]
-                      prose:      controls communications at the external boundary of the information system;
-                    - 
-                      id:         sc-7.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(a)[4]
-                      prose:      controls communications at key internal boundaries within the system;
-                - 
-                  id:         sc-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-7(b)
-                  prose: 
-                    """
-                      implements subnetworks for publicly accessible system components that are
-                                        either:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(b)[1]
-                      prose:      physically separated from internal organizational networks; and/or
-                    - 
-                      id:         sc-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(b)[2]
-                      prose:      logically separated from internal organizational networks; and
-                - 
-                  id:         sc-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-7(c)
-                  prose: 
-                    """
-                      connects to external networks or information systems only through managed
-                                        interfaces consisting of boundary protection devices arranged in accordance with
-                                        an organizational security architecture.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing boundary protection capability
-        - 
-          id:         sc-12
-          class:      SP800-53
-          title:      Cryptographic Key Establishment and Management
-          parameters: 
-            - 
-              id:    sc-12_prm_1
-              label: 
-                """
-                  organization-defined requirements for key generation, distribution, storage,
-                                 access, and destruction
-                """
-          properties: 
-            - 
-              name:  label
-              value: SC-12
-            - 
-              name:  sort-id
-              value: sc-12
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #81f09e01-d0b0-4ae2-aa6a-064ed9950070
-              rel:  reference
-              text: NIST Special Publication 800-56
-            - 
-              href: #a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-              rel:  reference
-              text: NIST Special Publication 800-57
-          parts: 
-            - 
-              id:    sc-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes and manages cryptographic keys for required cryptography
-                                 employed within the information system in accordance with {{ sc-12_prm_1 }}.
-                """
-            - 
-              id:    sc-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Cryptographic key management and establishment can be performed using manual
-                                 procedures or automated mechanisms with supporting manual procedures. Organizations
-                                 define key management requirements in accordance with applicable federal laws,
-                                 Executive Orders, directives, regulations, policies, standards, and guidance,
-                                 specifying appropriate options, levels, and parameters. Organizations manage trust
-                                 stores to ensure that only approved trust anchors are in such trust stores. This
-                                 includes certificates with visibility external to organizational information systems
-                                 and certificates related to the internal operations of systems.
-                """
-              links: 
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-            - 
-              id:    sc-12_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-12[1]
-                  prose:      defines requirements for cryptographic key:
-                  parts: 
-                    - 
-                      id:         sc-12_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][a]
-                      prose:      generation;
-                    - 
-                      id:         sc-12_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][b]
-                      prose:      distribution;
-                    - 
-                      id:         sc-12_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][c]
-                      prose:      storage;
-                    - 
-                      id:         sc-12_obj.1.d
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][d]
-                      prose:      access;
-                    - 
-                      id:         sc-12_obj.1.e
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][e]
-                      prose:      destruction; and
-                - 
-                  id:         sc-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-12[2]
-                  prose: 
-                    """
-                      establishes and manages cryptographic keys for required cryptography employed
-                                        within the information system in accordance with organization-defined requirements
-                                        for key generation, distribution, storage, access, and destruction.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment
-                                        and/or management
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing cryptographic key
-                                        establishment and management
-                    """
-            - 
-              id:    sc-12_fr
-              name:  item
-              title: SC-12 Additional FedRAMP Requirements and Guidance
-              parts: 
-                - 
-                  id:         sc-12_fr_gdn.1
-                  name:       guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: Guidance:
-                  prose:      Federally approved cryptography.
-        - 
-          id:         sc-13
-          class:      SP800-53
-          title:      Cryptographic Protection
-          parameters: 
-            - 
-              id:          sc-13_prm_1
-              label: 
-                """
-                  organization-defined cryptographic uses and type of cryptography required for
-                                 each use
-                """
-              constraints: 
-                - 
-                  detail: FIPS-validated or NSA-approved cryptography
-          properties: 
-            - 
-              name:  label
-              value: SC-13
-            - 
-              name:  sort-id
-              value: sc-13
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: CONDITIONAL
-          links: 
-            - 
-              href: #39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-              rel:  reference
-              text: FIPS Publication 140
-            - 
-              href: #6a1041fc-054e-4230-946b-2e6f4f3731bb
-              rel:  reference
-              text: http://csrc.nist.gov/cryptval
-            - 
-              href: #9b97ed27-3dd6-4f9a-ade5-1b43e9669794
-              rel:  reference
-              text: http://www.cnss.gov
-          parts: 
-            - 
-              id:    sc-13_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements {{ sc-13_prm_1 }} in accordance with
-                                 applicable federal laws, Executive Orders, directives, policies, regulations, and
-                                 standards.
-                """
-            - 
-              id:    sc-13_gdn
-              name:  guidance
-              prose: 
-                """
-                  Cryptography can be employed to support a variety of security solutions including,
-                                 for example, the protection of classified and Controlled Unclassified Information,
-                                 the provision of digital signatures, and the enforcement of information separation
-                                 when authorized individuals have the necessary clearances for such information but
-                                 lack the necessary formal access approvals. Cryptography can also be used to support
-                                 random number generation and hash generation. Generally applicable cryptographic
-                                 standards include FIPS-validated cryptography and NSA-approved cryptography. This
-                                 control does not impose any requirements on organizations to use cryptography.
-                                 However, if cryptography is required based on the selection of other security
-                                 controls, organizations define each type of cryptographic use and the type of
-                                 cryptography required (e.g., protection of classified information: NSA-approved
-                                 cryptography; provision of digital signatures: FIPS-validated cryptography).
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #au-10
-                  rel:  related
-                  text: AU-10
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-7
-                  rel:  related
-                  text: IA-7
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    sc-13_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-13_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-13[1]
-                  prose:      the organization defines cryptographic uses; and
-                - 
-                  id:         sc-13_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-13[2]
-                  prose:      the organization defines the type of cryptography required for each use; and
-                - 
-                  id:         sc-13_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-13[3]
-                  prose: 
-                    """
-                      the information system implements the organization-defined cryptographic uses and
-                                        type of cryptography required for each use in accordance with applicable federal
-                                        laws, Executive Orders, directives, policies, regulations, and standards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing cryptographic protection
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: Condition: If implementing need to detail how they meet it or don't meet it.
-        - 
-          id:         sc-15
-          class:      SP800-53
-          title:      Collaborative Computing Devices
-          parameters: 
-            - 
-              id:    sc-15_prm_1
-              label: organization-defined exceptions where remote activation is to be allowed
-          properties: 
-            - 
-              name:  label
-              value: SC-15
-            - 
-              name:  sort-id
-              value: sc-15
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: NSO
-          parts: 
-            - 
-              id:    sc-15_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-15_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Prohibits remote activation of collaborative computing devices with the following
-                                        exceptions: {{ sc-15_prm_1 }}; and
-                    """
-                - 
-                  id:         sc-15_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Provides an explicit indication of use to users physically present at the
-                                        devices.
-                    """
-            - 
-              id:    sc-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  Collaborative computing devices include, for example, networked white boards,
-                                 cameras, and microphones. Explicit indication of use includes, for example, signals
-                                 to users when collaborative computing devices are activated.
-                """
-              links: 
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-            - 
-              id:    sc-15_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-15.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-15(a)
-                  parts: 
-                    - 
-                      id:         sc-15.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-15(a)[1]
-                      prose: 
-                        """
-                          the organization defines exceptions where remote activation of collaborative
-                                               computing devices is to be allowed;
-                        """
-                    - 
-                      id:         sc-15.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-15(a)[2]
-                      prose: 
-                        """
-                          the information system prohibits remote activation of collaborative computing
-                                               devices, except for organization-defined exceptions where remote activation is
-                                               to be allowed; and
-                        """
-                - 
-                  id:         sc-15.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-15(b)
-                  prose: 
-                    """
-                      the information system provides an explicit indication of use to users physically
-                                        present at the devices.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative
-                                        computing devices
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing management of remote
-                                        activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing
-                                        devices
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: NSO - Not directly related to the security of the SaaS.
-        - 
-          id:         sc-20
-          class:      SP800-53
-          title:      Secure Name / Address Resolution Service (authoritative Source)
-          properties: 
-            - 
-              name:  label
-              value: SC-20
-            - 
-              name:  sort-id
-              value: sc-20
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #28115a56-da6b-4d44-b1df-51dd7f048a3e
-              rel:  reference
-              text: OMB Memorandum 08-23
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-20_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-20_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides additional data origin authentication and integrity verification
-                                        artifacts along with the authoritative name resolution data the system returns in
-                                        response to external name/address resolution queries; and
-                    """
-                - 
-                  id:         sc-20_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Provides the means to indicate the security status of child zones and (if the
-                                        child supports secure resolution services) to enable verification of a chain of
-                                        trust among parent and child domains, when operating as part of a distributed,
-                                        hierarchical namespace.
-                    """
-            - 
-              id:    sc-20_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control enables external clients including, for example, remote Internet
-                                 clients, to obtain origin authentication and integrity verification assurances for
-                                 the host/service name to network address resolution information obtained through the
-                                 service. Information systems that provide name and address resolution services
-                                 include, for example, domain name system (DNS) servers. Additional artifacts include,
-                                 for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-                                 resource records are examples of authoritative data. The means to indicate the
-                                 security status of child zones includes, for example, the use of delegation signer
-                                 resource records in the DNS. The DNS security controls reflect (and are referenced
-                                 from) OMB Memorandum 08-23. Information systems that use technologies other than the
-                                 DNS to map between host/service names and network addresses provide other means to
-                                 assure the authenticity and integrity of response data.
-                """
-              links: 
-                - 
-                  href: #au-10
-                  rel:  related
-                  text: AU-10
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-21
-                  rel:  related
-                  text: SC-21
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-20_obj
-              name:  objective
-              prose: Determine if the information system:
-              parts: 
-                - 
-                  id:         sc-20.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-20(a)
-                  prose: 
-                    """
-                      provides additional data origin and integrity verification artifacts along with
-                                        the authoritative name resolution data the system returns in response to external
-                                        name/address resolution queries;
-                    """
-                - 
-                  id:         sc-20.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-20(b)
-                  prose: 
-                    """
-                      provides the means to, when operating as part of a distributed, hierarchical
-                                        namespace:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-20.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-20(b)[1]
-                      prose:      indicate the security status of child zones; and
-                    - 
-                      id:         sc-20.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-20(b)[2]
-                      prose: 
-                        """
-                          enable verification of a chain of trust among parent and child domains (if the
-                                               child supports secure resolution services).
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing secure name/address resolution service (authoritative
-                                        source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing secure name/address resolution
-                                        service
-                    """
-        - 
-          id:         sc-21
-          class:      SP800-53
-          title:      Secure Name / Address Resolution Service (recursive or Caching Resolver)
-          properties: 
-            - 
-              name:  label
-              value: SC-21
-            - 
-              name:  sort-id
-              value: sc-21
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-21_smt
-              name:  statement
-              prose: 
-                """
-                  The information system requests and performs data origin authentication and data
-                                 integrity verification on the name/address resolution responses the system receives
-                                 from authoritative sources.
-                """
-            - 
-              id:    sc-21_gdn
-              name:  guidance
-              prose: 
-                """
-                  Each client of name resolution services either performs this validation on its own,
-                                 or has authenticated channels to trusted validation providers. Information systems
-                                 that provide name and address resolution services for local clients include, for
-                                 example, recursive resolving or caching domain name system (DNS) servers. DNS client
-                                 resolvers either perform validation of DNSSEC signatures, or clients use
-                                 authenticated channels to recursive resolvers that perform such validations.
-                                 Information systems that use technologies other than the DNS to map between
-                                 host/service names and network addresses provide other means to enable clients to
-                                 verify the authenticity and integrity of response data.
-                """
-              links: 
-                - 
-                  href: #sc-20
-                  rel:  related
-                  text: SC-20
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-21_obj
-              name:  objective
-              prose: Determine if the information system: 
-              parts: 
-                - 
-                  id:         sc-21_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-21[1]
-                  prose: 
-                    """
-                      requests data origin authentication on the name/address resolution responses the
-                                        system receives from authoritative sources;
-                    """
-                - 
-                  id:         sc-21_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-21[2]
-                  prose: 
-                    """
-                      requests data integrity verification on the name/address resolution responses the
-                                        system receives from authoritative sources;
-                    """
-                - 
-                  id:         sc-21_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-21[3]
-                  prose: 
-                    """
-                      performs data origin authentication on the name/address resolution responses the
-                                        system receives from authoritative sources; and
-                    """
-                - 
-                  id:         sc-21_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-21[4]
-                  prose: 
-                    """
-                      performs data integrity verification on the name/address resolution responses the
-                                        system receives from authoritative sources.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing secure name/address resolution service (recursive or caching
-                                        resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing data origin authentication and
-                                        data integrity verification for name/address resolution services
-                    """
-        - 
-          id:         sc-22
-          class:      SP800-53
-          title:      Architecture and Provisioning for Name / Address Resolution Service
-          properties: 
-            - 
-              name:  label
-              value: SC-22
-            - 
-              name:  sort-id
-              value: sc-22
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-22_smt
-              name:  statement
-              prose: 
-                """
-                  The information systems that collectively provide name/address resolution service for
-                                 an organization are fault-tolerant and implement internal/external role
-                                 separation.
-                """
-            - 
-              id:    sc-22_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems that provide name and address resolution services include, for
-                                 example, domain name system (DNS) servers. To eliminate single points of failure and
-                                 to enhance redundancy, organizations employ at least two authoritative domain name
-                                 system servers, one configured as the primary server and the other configured as the
-                                 secondary server. Additionally, organizations typically deploy the servers in two
-                                 geographically separated network subnetworks (i.e., not located in the same physical
-                                 facility). For role separation, DNS servers with internal roles only process name and
-                                 address resolution requests from within organizations (i.e., from internal clients).
-                                 DNS servers with external roles only process name and address resolution information
-                                 requests from clients external to organizations (i.e., on external networks including
-                                 the Internet). Organizations specify clients that can access authoritative DNS
-                                 servers in particular roles (e.g., by address ranges, explicit lists).
-                """
-              links: 
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-20
-                  rel:  related
-                  text: SC-20
-                - 
-                  href: #sc-21
-                  rel:  related
-                  text: SC-21
-                - 
-                  href: #sc-24
-                  rel:  related
-                  text: SC-24
-            - 
-              id:    sc-22_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information systems that collectively provide name/address
-                                 resolution service for an organization: 
-                """
-              parts: 
-                - 
-                  id:         sc-22_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-22[1]
-                  prose:      are fault tolerant; and
-                - 
-                  id:         sc-22_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-22[2]
-                  prose:      implement internal/external role separation.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution
-                                        service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing name/address resolution
-                                        service for fault tolerance and role separation
-                    """
-        - 
-          id:         sc-39
-          class:      SP800-53
-          title:      Process Isolation
-          properties: 
-            - 
-              name:  label
-              value: SC-39
-            - 
-              name:  sort-id
-              value: sc-39
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    sc-39_smt
-              name:  statement
-              prose: 
-                """
-                  The information system maintains a separate execution domain for each executing
-                                 process.
-                """
-            - 
-              id:    sc-39_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems can maintain separate execution domains for each executing
-                                 process by assigning each process a separate address space. Each information system
-                                 process has a distinct address space so that communication between processes is
-                                 performed in a manner controlled through the security functions, and one process
-                                 cannot modify the executing code of another process. Maintaining separate execution
-                                 domains for executing processes can be achieved, for example, by implementing
-                                 separate address spaces. This capability is available in most commercial operating
-                                 systems that employ multi-state processor technologies.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:    sc-39_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system maintains a separate execution domain for each
-                                 executing process.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system developers/integrators\n\ninformation system security architect
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing separate execution domains for
-                                        each executing process
-                    """
-    - 
-      id:       si
-      class:    family
-      title:    System and Information Integrity
-      controls: 
-        - 
-          id:         si-1
-          class:      SP800-53
-          title:      System and Information Integrity Policy and Procedures
-          parameters: 
-            - 
-              id:    si-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    si-1_prm_2
-              label: organization-defined frequency
-            - 
-              id:    si-1_prm_3
-              label: organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: SI-1
-            - 
-              name:  sort-id
-              value: si-01
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    si-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ si-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         si-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and information integrity policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         si-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and information
-                                               integrity policy and associated system and information integrity controls;
-                                               and
-                        """
-                - 
-                  id:         si-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         si-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          System and information integrity policy {{ si-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         si-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and information integrity procedures {{ si-1_prm_3 }}.
-            - 
-              id:    si-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SI
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    si-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-1(a)
-                  parts: 
-                    - 
-                      id:         si-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(a)(1)
-                      parts: 
-                        - 
-                          id:         si-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and information integrity policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         si-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         si-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         si-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         si-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         si-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         si-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         si-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         si-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and information integrity
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         si-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and information integrity policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         si-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(a)(2)
-                      parts: 
-                        - 
-                          id:         si-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and information integrity policy and associated system and
-                                                      information integrity controls;
-                            """
-                        - 
-                          id:         si-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         si-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         si-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-1(b)
-                  parts: 
-                    - 
-                      id:         si-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(b)(1)
-                      parts: 
-                        - 
-                          id:         si-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      information integrity policy;
-                            """
-                        - 
-                          id:         si-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and information integrity policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         si-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(b)(2)
-                      parts: 
-                        - 
-                          id:         si-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      information integrity procedures; and
-                            """
-                        - 
-                          id:         si-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and information integrity procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and information integrity
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         si-2
-          class:      SP800-53
-          title:      Flaw Remediation
-          parameters: 
-            - 
-              id:          si-2_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: within 30 days of release of updates
-          properties: 
-            - 
-              name:  label
-              value: SI-2
-            - 
-              name:  sort-id
-              value: si-02
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    si-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Identifies, reports, and corrects information system flaws;
-                - 
-                  id:         si-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Tests software and firmware updates related to flaw remediation for effectiveness
-                                        and potential side effects before installation;
-                    """
-                - 
-                  id:         si-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and
-                - 
-                  id:         si-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Incorporates flaw remediation into the organizational configuration management
-                                        process.
-                    """
-            - 
-              id:    si-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations identify information systems affected by announced software flaws
-                                 including potential vulnerabilities resulting from those flaws, and report this
-                                 information to designated organizational personnel with information security
-                                 responsibilities. Security-relevant software updates include, for example, patches,
-                                 service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-                                 discovered during security assessments, continuous monitoring, incident response
-                                 activities, and system error handling. Organizations take advantage of available
-                                 resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-                                 Exposures (CVE) databases in remediating flaws discovered in organizational
-                                 information systems. By incorporating flaw remediation into ongoing configuration
-                                 management processes, required/anticipated remediation actions can be tracked and
-                                 verified. Flaw remediation actions that can be tracked and verified include, for
-                                 example, determining whether organizations follow US-CERT guidance and Information
-                                 Assurance Vulnerability Alerts. Organization-defined time periods for updating
-                                 security-relevant software and firmware may vary based on a variety of factors
-                                 including, for example, the security category of the information system or the
-                                 criticality of the update (i.e., severity of the vulnerability related to the
-                                 discovered flaw). Some types of flaw remediation may require more testing than other
-                                 types. Organizations determine the degree and type of testing needed for the specific
-                                 type of flaw remediation activity under consideration and also the types of changes
-                                 that are to be configuration-managed. In some situations, organizations may determine
-                                 that the testing of software and/or firmware updates is not necessary or practical,
-                                 for example, when implementing simple anti-virus signature updates. Organizations may
-                                 also consider in testing decisions, whether security-relevant software or firmware
-                                 updates are obtained from authorized sources with appropriate digital signatures.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #si-11
-                  rel:  related
-                  text: SI-11
-            - 
-              id:    si-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(a)
-                  parts: 
-                    - 
-                      id:         si-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(a)[1]
-                      prose:      identifies information system flaws;
-                    - 
-                      id:         si-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(a)[2]
-                      prose:      reports information system flaws;
-                    - 
-                      id:         si-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(a)[3]
-                      prose:      corrects information system flaws;
-                - 
-                  id:         si-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(b)
-                  parts: 
-                    - 
-                      id:         si-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(b)[1]
-                      prose: 
-                        """
-                          tests software updates related to flaw remediation for effectiveness and
-                                               potential side effects before installation;
-                        """
-                    - 
-                      id:         si-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(b)[2]
-                      prose: 
-                        """
-                          tests firmware updates related to flaw remediation for effectiveness and
-                                               potential side effects before installation;
-                        """
-                - 
-                  id:         si-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(c)
-                  parts: 
-                    - 
-                      id:         si-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(c)[1]
-                      prose: 
-                        """
-                          defines the time period within which to install security-relevant software
-                                               updates after the release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(c)[2]
-                      prose: 
-                        """
-                          defines the time period within which to install security-relevant firmware
-                                               updates after the release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(c)[3]
-                      prose: 
-                        """
-                          installs software updates within the organization-defined time period of the
-                                               release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(c)[4]
-                      prose: 
-                        """
-                          installs firmware updates within the organization-defined time period of the
-                                               release of the updates; and
-                        """
-                - 
-                  id:         si-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(d)
-                  prose: 
-                    """
-                      incorporates flaw remediation into the organizational configuration management
-                                        process.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information
-                                        system (e.g., list of installed patches, service packs, hot fixes, and other
-                                        software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct
-                                        information system flaws\n\ninstallation/change control records for security-relevant software and firmware
-                                        updates\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for identifying, reporting, and correcting information
-                                        system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and/or implementing reporting, and correcting
-                                        information system flaws\n\nautomated mechanisms supporting and/or implementing testing software and firmware
-                                        updates
-                    """
-        - 
-          id:         si-3
-          class:      SP800-53
-          title:      Malicious Code Protection
-          parameters: 
-            - 
-              id:          si-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least weekly
-            - 
-              id:          si-3_prm_2
-              constraints: 
-                - 
-                  detail: to include endpoints
-            - 
-              id:          si-3_prm_3
-              constraints: 
-                - 
-                  detail: to include alerting administrator or defined security personnel
-            - 
-              id:         si-3_prm_4
-              depends-on: si-3_prm_3
-              label:      organization-defined action
-          properties: 
-            - 
-              name:  label
-              value: SI-3
-            - 
-              name:  sort-id
-              value: si-03
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-          parts: 
-            - 
-              id:    si-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs malicious code protection mechanisms at information system entry and exit
-                                        points to detect and eradicate malicious code;
-                    """
-                - 
-                  id:         si-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates malicious code protection mechanisms whenever new releases are available
-                                        in accordance with organizational configuration management policy and
-                                        procedures;
-                    """
-                - 
-                  id:         si-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Configures malicious code protection mechanisms to:
-                  parts: 
-                    - 
-                      id:         si-3_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in
-                                               accordance with organizational security policy; and
-                        """
-                    - 
-                      id:         si-3_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          
-                                               {{ si-3_prm_3 }} in response to malicious code detection;
-                                               and
-                        """
-                - 
-                  id:         si-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Addresses the receipt of false positives during malicious code detection and
-                                        eradication and the resulting potential impact on the availability of the
-                                        information system.
-                    """
-            - 
-              id:    si-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system entry and exit points include, for example, firewalls, electronic
-                                 mail servers, web servers, proxy servers, remote-access servers, workstations,
-                                 notebook computers, and mobile devices. Malicious code includes, for example,
-                                 viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-                                 various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-                                 files, or hidden in files using steganography. Malicious code can be transported by
-                                 different means including, for example, web accesses, electronic mail, electronic
-                                 mail attachments, and portable storage devices. Malicious code insertions occur
-                                 through the exploitation of information system vulnerabilities. Malicious code
-                                 protection mechanisms include, for example, anti-virus signature definitions and
-                                 reputation-based technologies. A variety of technologies and methods exist to limit
-                                 or eliminate the effects of malicious code. Pervasive configuration management and
-                                 comprehensive software integrity controls may be effective in preventing execution of
-                                 unauthorized code. In addition to commercial off-the-shelf software, malicious code
-                                 may also be present in custom-built software. This could include, for example, logic
-                                 bombs, back doors, and other types of cyber attacks that could affect organizational
-                                 missions/business functions. Traditional malicious code protection mechanisms cannot
-                                 always detect such code. In these situations, organizations rely instead on other
-                                 safeguards including, for example, secure coding practices, configuration management
-                                 and control, trusted procurement processes, and monitoring practices to help ensure
-                                 that software does not perform functions other than the functions intended.
-                                 Organizations may determine that in response to the detection of malicious code,
-                                 different actions may be warranted. For example, organizations can define actions in
-                                 response to malicious code detection during periodic scans, actions in response to
-                                 detection of malicious downloads, and/or actions in response to detection of
-                                 maliciousness when attempting to open or execute files.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sa-13
-                  rel:  related
-                  text: SA-13
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-26
-                  rel:  related
-                  text: SC-26
-                - 
-                  href: #sc-44
-                  rel:  related
-                  text: SC-44
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    si-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(a)
-                  prose: 
-                    """
-                      employs malicious code protection mechanisms to detect and eradicate malicious
-                                        code at information system:
-                    """
-                  parts: 
-                    - 
-                      id:         si-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(a)[1]
-                      prose:      entry points;
-                    - 
-                      id:         si-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(a)[2]
-                      prose:      exit points;
-                - 
-                  id:         si-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(b)
-                  prose: 
-                    """
-                      updates malicious code protection mechanisms whenever new releases are available
-                                        in accordance with organizational configuration management policy and procedures
-                                        (as identified in CM-1);
-                    """
-                - 
-                  id:         si-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(c)
-                  parts: 
-                    - 
-                      id:         si-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(c)[1]
-                      prose: 
-                        """
-                          defines a frequency for malicious code protection mechanisms to perform
-                                               periodic scans of the information system;
-                        """
-                    - 
-                      id:         si-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(c)[2]
-                      prose: 
-                        """
-                          defines action to be initiated by malicious protection mechanisms in response
-                                               to malicious code detection;
-                        """
-                    - 
-                      id:         si-3.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(c)[3]
-                      parts: 
-                        - 
-                          id:         si-3.c.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-3(c)[3](1)
-                          prose:      configures malicious code protection mechanisms to:
-                          parts: 
-                            - 
-                              id:         si-3.c.1_obj.3.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](1)[a]
-                              prose: 
-                                """
-                                  perform periodic scans of the information system with the
-                                                             organization-defined frequency;
-                                """
-                            - 
-                              id:         si-3.c.1_obj.3.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](1)[b]
-                              prose: 
-                                """
-                                  perform real-time scans of files from external sources at endpoint and/or
-                                                             network entry/exit points as the files are downloaded, opened, or
-                                                             executed in accordance with organizational security policy;
-                                """
-                        - 
-                          id:         si-3.c.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-3(c)[3](2)
-                          prose: 
-                            """
-                              configures malicious code protection mechanisms to do one or more of the
-                                                      following:
-                            """
-                          parts: 
-                            - 
-                              id:         si-3.c.2_obj.3.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[a]
-                              prose:      block malicious code in response to malicious code detection;
-                            - 
-                              id:         si-3.c.2_obj.3.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[b]
-                              prose:      quarantine malicious code in response to malicious code detection;
-                            - 
-                              id:         si-3.c.2_obj.3.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[c]
-                              prose: 
-                                """
-                                  send alert to administrator in response to malicious code detection;
-                                                             and/or
-                                """
-                            - 
-                              id:         si-3.c.2_obj.3.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[d]
-                              prose: 
-                                """
-                                  initiate organization-defined action in response to malicious code
-                                                             detection;
-                                """
-                - 
-                  id:         si-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(d)
-                  parts: 
-                    - 
-                      id:         si-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(d)[1]
-                      prose: 
-                        """
-                          addresses the receipt of false positives during malicious code detection and
-                                               eradication; and
-                        """
-                    - 
-                      id:         si-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(d)[2]
-                      prose: 
-                        """
-                          addresses the resulting potential impact on the availability of the information
-                                               system.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to
-                                        malicious code detection\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for employing, updating, and configuring malicious code
-                                        protection mechanisms\n\norganizational process for addressing false positives and resulting potential
-                                        impact\n\nautomated mechanisms supporting and/or implementing employing, updating, and
-                                        configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and/or implementing malicious code scanning and
-                                        subsequent actions
-                    """
-        - 
-          id:         si-4
-          class:      SP800-53
-          title:      Information System Monitoring
-          parameters: 
-            - 
-              id:    si-4_prm_1
-              label: organization-defined monitoring objectives
-            - 
-              id:    si-4_prm_2
-              label: organization-defined techniques and methods
-            - 
-              id:    si-4_prm_3
-              label: organization-defined information system monitoring information
-            - 
-              id:    si-4_prm_4
-              label: organization-defined personnel or roles
-            - 
-              id: si-4_prm_5
-            - 
-              id:         si-4_prm_6
-              depends-on: si-4_prm_5
-              label:      organization-defined frequency
-          properties: 
-            - 
-              name:  label
-              value: SI-4
-            - 
-              name:  sort-id
-              value: si-04
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ASSESS
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-            - 
-              href: #672fd561-b92b-4713-b9cf-6c9d9456728b
-              rel:  reference
-              text: NIST Special Publication 800-92
-            - 
-              href: #d1b1d689-0f66-4474-9924-c81119758dc1
-              rel:  reference
-              text: NIST Special Publication 800-94
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    si-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Monitors the information system to detect:
-                  parts: 
-                    - 
-                      id:         si-4_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and
-                    - 
-                      id:         si-4_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Unauthorized local, network, and remote connections;
-                - 
-                  id:         si-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Identifies unauthorized use of the information system through {{ si-4_prm_2 }};
-                - 
-                  id:         si-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Deploys monitoring devices:
-                  parts: 
-                    - 
-                      id:         si-4_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Strategically within the information system to collect organization-determined
-                                               essential information; and
-                        """
-                    - 
-                      id:         si-4_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          At ad hoc locations within the system to track specific types of transactions
-                                               of interest to the organization;
-                        """
-                - 
-                  id:         si-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects information obtained from intrusion-monitoring tools from unauthorized
-                                        access, modification, and deletion;
-                    """
-                - 
-                  id:         si-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Heightens the level of information system monitoring activity whenever there is an
-                                        indication of increased risk to organizational operations and assets, individuals,
-                                        other organizations, or the Nation based on law enforcement information,
-                                        intelligence information, or other credible sources of information;
-                    """
-                - 
-                  id:         si-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Obtains legal opinion with regard to information system monitoring activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        or regulations; and
-                    """
-                - 
-                  id:         si-4_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}
-                                        {{ si-4_prm_5 }}.
-                    """
-            - 
-              id:    si-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system monitoring includes external and internal monitoring. External
-                                 monitoring includes the observation of events occurring at the information system
-                                 boundary (i.e., part of perimeter defense and boundary protection). Internal
-                                 monitoring includes the observation of events occurring within the information
-                                 system. Organizations can monitor information systems, for example, by observing
-                                 audit activities in real time or by observing other system aspects such as access
-                                 patterns, characteristics of access, and other actions. The monitoring objectives may
-                                 guide determination of the events. Information system monitoring capability is
-                                 achieved through a variety of tools and techniques (e.g., intrusion detection
-                                 systems, intrusion prevention systems, malicious code protection software, scanning
-                                 tools, audit record monitoring software, network monitoring software). Strategic
-                                 locations for monitoring devices include, for example, selected perimeter locations
-                                 and near server farms supporting critical applications, with such devices typically
-                                 being employed at the managed interfaces associated with controls SC-7 and AC-17.
-                                 Einstein network monitoring devices from the Department of Homeland Security can also
-                                 be included as monitoring devices. The granularity of monitoring information
-                                 collected is based on organizational monitoring objectives and the capability of
-                                 information systems to support such objectives. Specific types of transactions of
-                                 interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-                                 bypasses HTTP proxies. Information system monitoring is an integral part of
-                                 organizational continuous monitoring and incident response programs. Output from
-                                 system monitoring serves as input to continuous monitoring and incident response
-                                 programs. A network connection is any connection with a device that communicates
-                                 through a network (e.g., local area network, Internet). A remote connection is any
-                                 connection with a device communicating through an external network (e.g., the
-                                 Internet). Local, network, and remote connections can be either wired or
-                                 wireless.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-8
-                  rel:  related
-                  text: AC-8
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-26
-                  rel:  related
-                  text: SC-26
-                - 
-                  href: #sc-35
-                  rel:  related
-                  text: SC-35
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    si-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(a)
-                  parts: 
-                    - 
-                      id:         si-4.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(a)(1)
-                      parts: 
-                        - 
-                          id:         si-4.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(1)[1]
-                          prose: 
-                            """
-                              defines monitoring objectives to detect attacks and indicators of potential
-                                                      attacks on the information system;
-                            """
-                        - 
-                          id:         si-4.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(1)[2]
-                          prose: 
-                            """
-                              monitors the information system to detect, in accordance with
-                                                      organization-defined monitoring objectives,:
-                            """
-                          parts: 
-                            - 
-                              id:         si-4.a.1_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-4(a)(1)[2][a]
-                              prose:      attacks;
-                            - 
-                              id:         si-4.a.1_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-4(a)(1)[2][b]
-                              prose:      indicators of potential attacks;
-                    - 
-                      id:         si-4.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(a)(2)
-                      prose:      monitors the information system to detect unauthorized:
-                      parts: 
-                        - 
-                          id:         si-4.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[1]
-                          prose:      local connections;
-                        - 
-                          id:         si-4.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[2]
-                          prose:      network connections;
-                        - 
-                          id:         si-4.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[3]
-                          prose:      remote connections;
-                - 
-                  id:         si-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(b)
-                  parts: 
-                    - 
-                      id:         si-4.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(b)(1)
-                      prose: 
-                        """
-                          defines techniques and methods to identify unauthorized use of the information
-                                               system;
-                        """
-                    - 
-                      id:         si-4.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(b)(2)
-                      prose: 
-                        """
-                          identifies unauthorized use of the information system through
-                                               organization-defined techniques and methods;
-                        """
-                - 
-                  id:         si-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(c)
-                  prose:      deploys monitoring devices:
-                  parts: 
-                    - 
-                      id:         si-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(c)[1]
-                      prose: 
-                        """
-                          strategically within the information system to collect organization-determined
-                                               essential information;
-                        """
-                    - 
-                      id:         si-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(c)[2]
-                      prose: 
-                        """
-                          at ad hoc locations within the system to track specific types of transactions
-                                               of interest to the organization;
-                        """
-                - 
-                  id:         si-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(d)
-                  prose: 
-                    """
-                      protects information obtained from intrusion-monitoring tools from
-                                        unauthorized:
-                    """
-                  parts: 
-                    - 
-                      id:         si-4.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[1]
-                      prose:      access;
-                    - 
-                      id:         si-4.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[2]
-                      prose:      modification;
-                    - 
-                      id:         si-4.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[3]
-                      prose:      deletion;
-                - 
-                  id:         si-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(e)
-                  prose: 
-                    """
-                      heightens the level of information system monitoring activity whenever there is an
-                                        indication of increased risk to organizational operations and assets, individuals,
-                                        other organizations, or the Nation based on law enforcement information,
-                                        intelligence information, or other credible sources of information;
-                    """
-                - 
-                  id:         si-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(f)
-                  prose: 
-                    """
-                      obtains legal opinion with regard to information system monitoring activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        or regulations;
-                    """
-                - 
-                  id:         si-4.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(g)
-                  parts: 
-                    - 
-                      id:         si-4.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(g)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom information system monitoring information is
-                                               to be provided;
-                        """
-                    - 
-                      id:         si-4.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(g)[2]
-                      prose: 
-                        """
-                          defines information system monitoring information to be provided to
-                                               organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         si-4.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(g)[3]
-                      prose: 
-                        """
-                          defines a frequency to provide organization-defined information system
-                                               monitoring to organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         si-4.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(g)[4]
-                      prose: 
-                        """
-                          provides organization-defined information system monitoring information to
-                                               organization-defined personnel or roles one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-4.g_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(g)[4][a]
-                          prose:      as needed; and/or
-                        - 
-                          id:         si-4.g_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(g)[4][b]
-                          prose:      with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility monitoring the information system
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing information system monitoring
-                                        capability
-                    """
-        - 
-          id:         si-5
-          class:      SP800-53
-          title:      Security Alerts, Advisories, and Directives
-          parameters: 
-            - 
-              id:    si-5_prm_1
-              label: organization-defined external organizations
-            - 
-              id: si-5_prm_2
-            - 
-              id:         si-5_prm_3
-              depends-on: si-5_prm_2
-              label:      organization-defined personnel or roles
-            - 
-              id:         si-5_prm_4
-              depends-on: si-5_prm_2
-              label:      organization-defined elements within the organization
-            - 
-              id:         si-5_prm_5
-              depends-on: si-5_prm_2
-              label:      organization-defined external organizations
-          properties: 
-            - 
-              name:  label
-              value: SI-5
-            - 
-              name:  sort-id
-              value: si-05
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-          parts: 
-            - 
-              id:    si-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Receives information system security alerts, advisories, and directives from
-                                           {{ si-5_prm_1 }} on an ongoing basis;
-                    """
-                - 
-                  id:         si-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Generates internal security alerts, advisories, and directives as deemed
-                                        necessary;
-                    """
-                - 
-                  id:         si-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and
-                - 
-                  id:         si-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Implements security directives in accordance with established time frames, or
-                                        notifies the issuing organization of the degree of noncompliance.
-                    """
-            - 
-              id:    si-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  The United States Computer Emergency Readiness Team (US-CERT) generates security
-                                 alerts and advisories to maintain situational awareness across the federal
-                                 government. Security directives are issued by OMB or other designated organizations
-                                 with the responsibility and authority to issue such directives. Compliance to
-                                 security directives is essential due to the critical nature of many of these
-                                 directives and the potential immediate adverse effects on organizational operations
-                                 and assets, individuals, other organizations, and the Nation should the directives
-                                 not be implemented in a timely manner. External organizations include, for example,
-                                 external mission/business partners, supply chain partners, external service
-                                 providers, and other peer/supporting organizations.
-                """
-              links: 
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    si-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(a)
-                  parts: 
-                    - 
-                      id:         si-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(a)[1]
-                      prose: 
-                        """
-                          defines external organizations from whom information system security alerts,
-                                               advisories and directives are to be received;
-                        """
-                    - 
-                      id:         si-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(a)[2]
-                      prose: 
-                        """
-                          receives information system security alerts, advisories, and directives from
-                                               organization-defined external organizations on an ongoing basis;
-                        """
-                - 
-                  id:         si-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(b)
-                  prose: 
-                    """
-                      generates internal security alerts, advisories, and directives as deemed
-                                        necessary;
-                    """
-                - 
-                  id:         si-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(c)
-                  parts: 
-                    - 
-                      id:         si-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(c)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom security alerts, advisories, and directives
-                                               are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(c)[2]
-                      prose: 
-                        """
-                          defines elements within the organization to whom security alerts, advisories,
-                                               and directives are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(c)[3]
-                      prose: 
-                        """
-                          defines external organizations to whom security alerts, advisories, and
-                                               directives are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(c)[4]
-                      prose: 
-                        """
-                          disseminates security alerts, advisories, and directives to one or more of the
-                                               following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-5.c_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][a]
-                          prose:      organization-defined personnel or roles;
-                        - 
-                          id:         si-5.c_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][b]
-                          prose:      organization-defined elements within the organization; and/or
-                        - 
-                          id:         si-5.c_obj.4.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][c]
-                          prose:      organization-defined external organizations; and
-                - 
-                  id:         si-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(d)
-                  parts: 
-                    - 
-                      id:         si-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(d)[1]
-                      prose: 
-                        """
-                          implements security directives in accordance with established time frames;
-                                               or
-                        """
-                    - 
-                      id:         si-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(d)[2]
-                      prose:      notifies the issuing organization of the degree of noncompliance.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the
-                                        information system\n\norganizational personnel, organizational elements, and/or external organizations
-                                        to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining, receiving, generating, disseminating, and
-                                        complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and/or implementing definition, receipt,
-                                        generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and/or implementing security directives
-                    """
-        - 
-          id:         si-12
-          class:      SP800-53
-          title:      Information Handling and Retention
-          properties: 
-            - 
-              name:  label
-              value: SI-12
-            - 
-              name:  sort-id
-              value: si-12
-            - 
-              name:  method
-              class: FedRAMP-Tailored-LI-SaaS
-              value: ATTEST
-          parts: 
-            - 
-              id:    si-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization handles and retains information within the information system and
-                                 information output from the system in accordance with applicable federal laws,
-                                 Executive Orders, directives, policies, regulations, standards, and operational
-                                 requirements.
-                """
-            - 
-              id:    si-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information handling and retention requirements cover the full life cycle of
-                                 information, in some cases extending beyond the disposal of information systems. The
-                                 National Archives and Records Administration provides guidance on records
-                                 retention.
-                """
-              links: 
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-11
-                  rel:  related
-                  text: AU-11
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-            - 
-              id:    si-12_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization, in accordance with applicable federal laws, Executive
-                                 Orders, directives, policies, regulations, standards, and operational
-                                 requirements:
-                """
-              parts: 
-                - 
-                  id:         si-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[1]
-                  prose:      handles information within the information system;
-                - 
-                  id:         si-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[2]
-                  prose:      handles output from the information system;
-                - 
-                  id:         si-12_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[3]
-                  prose:      retains information within the information system; and
-                - 
-                  id:         si-12_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[4]
-                  prose:      retains output from the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for information handling and
-                                        retention\n\norganizational personnel with information security responsibilities/network
-                                        administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information handling and retention\n\nautomated mechanisms supporting and/or implementing information handling and
-                                        retention
-                    """
-            - 
-              name:  guidance
-              class: FedRAMP-Tailored-LI-SaaS
-              prose: 
-                """
-                  Attestation - Specifically related to US-CERT and FedRAMP communications
-                                    procedures.
-                """
-  back-matter: 
-    resources: 
-      - 
-        uuid:     0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-        title:    5 C.F.R. 731.106
-        citation: 
-          text: 
-            """
-              Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-                             Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-                             731.106).
-            """
-        rlinks: 
-          - 
-            href: http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html
-      - 
-        uuid:     bb61234b-46c3-4211-8c2b-9869222a720d
-        title:    C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-        citation: 
-          text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-        rlinks: 
-          - 
-            href: http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html
-      - 
-        uuid:     a4aa9645-9a8a-4b51-90a9-e223250f9a75
-        title:    CNSS Policy 15
-        citation: 
-          text: CNSS Policy 15
-        rlinks: 
-          - 
-            href: https://www.cnss.gov/policies.html
-      - 
-        uuid:     2d8b14e9-c8b5-4d3d-8bdc-155078f3281b
-        title:    DoD Information Assurance Vulnerability Alerts
-        citation: 
-          text: DoD Information Assurance Vulnerability Alerts
-      - 
-        uuid:     61081e7f-041d-4033-96a7-44a439071683
-        title:    DoD Instruction 5200.39
-        citation: 
-          text: DoD Instruction 5200.39
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     e42b2099-3e1c-415b-952c-61c96533c12e
-        title:    DoD Instruction 8551.01
-        citation: 
-          text: DoD Instruction 8551.01
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-        title:    Executive Order 13587
-        citation: 
-          text: Executive Order 13587
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net
-      - 
-        uuid:     56d671da-6b7b-4abf-8296-84b61980390a
-        title:    Federal Acquisition Regulation
-        citation: 
-          text: Federal Acquisition Regulation
-        rlinks: 
-          - 
-            href: https://acquisition.gov/far
-      - 
-        uuid:     023104bc-6f75-4cd5-b7d0-fc92326f8007
-        title:    Federal Continuity Directive 1
-        citation: 
-          text: Federal Continuity Directive 1
-        rlinks: 
-          - 
-            href: http://www.fema.gov/pdf/about/offices/fcd1.pdf
-      - 
-        uuid:     ba557c91-ba3e-4792-adc6-a4ae479b39ff
-        title:    FICAM Roadmap and Implementation Guidance
-        citation: 
-          text: FICAM Roadmap and Implementation Guidance
-        rlinks: 
-          - 
-            href: http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance
-      - 
-        uuid:     39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-        title:    FIPS Publication 140
-        citation: 
-          text: FIPS Publication 140
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html
-      - 
-        uuid:     d715b234-9b5b-4e07-b1ed-99836727664d
-        title:    FIPS Publication 140-2
-        citation: 
-          text: FIPS Publication 140-2
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#140-2
-      - 
-        uuid:     f2dbd4ec-c413-4714-b85b-6b7184d1c195
-        title:    FIPS Publication 197
-        citation: 
-          text: FIPS Publication 197
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#197
-      - 
-        uuid:     e85cdb3f-7f0a-4083-8639-f13f70d3760b
-        title:    FIPS Publication 199
-        citation: 
-          text: FIPS Publication 199
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#199
-      - 
-        uuid:     c80c10b3-1294-4984-a4cc-d1733ca432b9
-        title:    FIPS Publication 201
-        citation: 
-          text: FIPS Publication 201
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#201
-      - 
-        uuid:     ad733a42-a7ed-4774-b988-4930c28852f3
-        title:    HSPD-12
-        citation: 
-          text: HSPD-12
-        rlinks: 
-          - 
-            href: http://www.dhs.gov/homeland-security-presidential-directive-12
-      - 
-        uuid:     e95dd121-2733-413e-bf1e-f1eb49f20a98
-        title:    http://checklists.nist.gov
-        citation: 
-          text: http://checklists.nist.gov
-        rlinks: 
-          - 
-            href: http://checklists.nist.gov
-      - 
-        uuid:     6a1041fc-054e-4230-946b-2e6f4f3731bb
-        title:    http://csrc.nist.gov/cryptval
-        citation: 
-          text: http://csrc.nist.gov/cryptval
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/cryptval
-      - 
-        uuid:     b09d1a31-d3c9-4138-a4f4-4c63816afd7d
-        title:    http://csrc.nist.gov/groups/STM/cmvp/index.html
-        citation: 
-          text: http://csrc.nist.gov/groups/STM/cmvp/index.html
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/groups/STM/cmvp/index.html
-      - 
-        uuid:     15522e92-9192-463d-9646-6a01982db8ca
-        title:    http://cwe.mitre.org
-        citation: 
-          text: http://cwe.mitre.org
-        rlinks: 
-          - 
-            href: http://cwe.mitre.org
-      - 
-        uuid:     5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-        title:    http://fips201ep.cio.gov
-        citation: 
-          text: http://fips201ep.cio.gov
-        rlinks: 
-          - 
-            href: http://fips201ep.cio.gov
-      - 
-        uuid:     85280698-0417-489d-b214-12bb935fb939
-        title:    http://idmanagement.gov
-        citation: 
-          text: http://idmanagement.gov
-        rlinks: 
-          - 
-            href: http://idmanagement.gov
-      - 
-        uuid:     275cc052-0f7f-423c-bdb6-ed503dc36228
-        title:    http://nvd.nist.gov
-        citation: 
-          text: http://nvd.nist.gov
-        rlinks: 
-          - 
-            href: http://nvd.nist.gov
-      - 
-        uuid:     bbd50dd1-54ce-4432-959d-63ea564b1bb4
-        title:    http://www.acquisition.gov/far
-        citation: 
-          text: http://www.acquisition.gov/far
-        rlinks: 
-          - 
-            href: http://www.acquisition.gov/far
-      - 
-        uuid:     9b97ed27-3dd6-4f9a-ade5-1b43e9669794
-        title:    http://www.cnss.gov
-        citation: 
-          text: http://www.cnss.gov
-        rlinks: 
-          - 
-            href: http://www.cnss.gov
-      - 
-        uuid:     c95a9986-3cd6-4a98-931b-ccfc56cb11e5
-        title:    http://www.niap-ccevs.org
-        citation: 
-          text: http://www.niap-ccevs.org
-        rlinks: 
-          - 
-            href: http://www.niap-ccevs.org
-      - 
-        uuid:     647b6de3-81d0-4d22-bec1-5f1333e34380
-        title:    http://www.nsa.gov
-        citation: 
-          text: http://www.nsa.gov
-        rlinks: 
-          - 
-            href: http://www.nsa.gov
-      - 
-        uuid:     a47466c4-c837-4f06-a39f-e68412a5f73d
-        title:    http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-        citation: 
-          text: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-        rlinks: 
-          - 
-            href: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-      - 
-        uuid:     02631467-668b-4233-989b-3dfded2fd184
-        title:    http://www.us-cert.gov
-        citation: 
-          text: http://www.us-cert.gov
-        rlinks: 
-          - 
-            href: http://www.us-cert.gov
-      - 
-        uuid:     6caa237b-531b-43ac-9711-d8f6b97b0377
-        title:    ICD 704
-        citation: 
-          text: ICD 704
-        rlinks: 
-          - 
-            href: http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
-      - 
-        uuid:     398e33fd-f404-4e5c-b90e-2d50d3181244
-        title:    ICD 705
-        citation: 
-          text: ICD 705
-        rlinks: 
-          - 
-            href: http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
-      - 
-        uuid:     1737a687-52fb-4008-b900-cbfa836f7b65
-        title:    ISO/IEC 15408
-        citation: 
-          text: ISO/IEC 15408
-        rlinks: 
-          - 
-            href: http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341
-      - 
-        uuid:     654f21e2-f3bc-43b2-abdc-60ab8d09744b
-        title:    National Strategy for Trusted Identities in Cyberspace
-        citation: 
-          text: National Strategy for Trusted Identities in Cyberspace
-        rlinks: 
-          - 
-            href: http://www.nist.gov/nstic
-      - 
-        uuid:         9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-        title:        NIST Special Publication 800-100
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-100
-        citation: 
-          text: NIST Special Publication 800-100
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-100
-      - 
-        uuid:         3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-        title:        NIST Special Publication 800-111
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-111
-        citation: 
-          text: NIST Special Publication 800-111
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-111
-      - 
-        uuid:         349fe082-502d-464a-aa0c-1443c6a5cf40
-        title:        NIST Special Publication 800-113
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-113
-        citation: 
-          text: NIST Special Publication 800-113
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-113
-      - 
-        uuid:         1201fcf3-afb1-4675-915a-fb4ae0435717
-        title:        NIST Special Publication 800-114 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-114r1
-        citation: 
-          text: NIST Special Publication 800-114 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-114r1
-      - 
-        uuid:         c4691b88-57d1-463b-9053-2d0087913f31
-        title:        NIST Special Publication 800-115
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-115
-        citation: 
-          text: NIST Special Publication 800-115
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-115
-      - 
-        uuid:         2157bb7e-192c-4eaa-877f-93ef6b0a3292
-        title:        NIST Special Publication 800-116 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-116r1
-        citation: 
-          text: NIST Special Publication 800-116 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-116r1
-      - 
-        uuid:         5c201b63-0768-417b-ac22-3f014e3941b2
-        title:        NIST Special Publication 800-12 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-12r1
-        citation: 
-          text: NIST Special Publication 800-12 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-12r1
-      - 
-        uuid:     d1a4e2a9-e512-4132-8795-5357aba29254
-        title:    NIST Special Publication 800-121
-        citation: 
-          text: NIST Special Publication 800-121
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-121
-      - 
-        uuid:     0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589
-        title:    NIST Special Publication 800-124
-        citation: 
-          text: NIST Special Publication 800-124
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-124
-      - 
-        uuid:     080f8068-5e3e-435e-9790-d22ba4722693
-        title:    NIST Special Publication 800-128
-        citation: 
-          text: NIST Special Publication 800-128
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-128
-      - 
-        uuid:     cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-        title:    NIST Special Publication 800-137
-        citation: 
-          text: NIST Special Publication 800-137
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-137
-      - 
-        uuid:     825438c3-248d-4e30-a51e-246473ce6ada
-        title:    NIST Special Publication 800-16
-        citation: 
-          text: NIST Special Publication 800-16
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-16
-      - 
-        uuid:     6513e480-fada-4876-abba-1397084dfb26
-        title:    NIST Special Publication 800-164
-        citation: 
-          text: NIST Special Publication 800-164
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-164
-      - 
-        uuid:     9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-        title:    NIST Special Publication 800-18
-        citation: 
-          text: NIST Special Publication 800-18
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-18
-      - 
-        uuid:     0a5db899-f033-467f-8631-f5a8ba971475
-        title:    NIST Special Publication 800-23
-        citation: 
-          text: NIST Special Publication 800-23
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-23
-      - 
-        uuid:     a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-        title:    NIST Special Publication 800-30
-        citation: 
-          text: NIST Special Publication 800-30
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-30
-      - 
-        uuid:     748a81b9-9cad-463f-abde-8b368167e70d
-        title:    NIST Special Publication 800-34
-        citation: 
-          text: NIST Special Publication 800-34
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-34
-      - 
-        uuid:     0c775bc3-bfc3-42c7-a382-88949f503171
-        title:    NIST Special Publication 800-35
-        citation: 
-          text: NIST Special Publication 800-35
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-35
-      - 
-        uuid:     d818efd3-db31-4953-8afa-9e76afe83ce2
-        title:    NIST Special Publication 800-36
-        citation: 
-          text: NIST Special Publication 800-36
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-36
-      - 
-        uuid:     0a0c26b6-fd44-4274-8b36-93442d49d998
-        title:    NIST Special Publication 800-37
-        citation: 
-          text: NIST Special Publication 800-37
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-37
-      - 
-        uuid:     d480aa6a-7a88-424e-a10c-ad1c7870354b
-        title:    NIST Special Publication 800-39
-        citation: 
-          text: NIST Special Publication 800-39
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-39
-      - 
-        uuid:     bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-        title:    NIST Special Publication 800-40
-        citation: 
-          text: NIST Special Publication 800-40
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-40
-      - 
-        uuid:     756a8e86-57d5-4701-8382-f7a40439665a
-        title:    NIST Special Publication 800-41
-        citation: 
-          text: NIST Special Publication 800-41
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-41
-      - 
-        uuid:     5309d4d0-46f8-4213-a749-e7584164e5e8
-        title:    NIST Special Publication 800-46
-        citation: 
-          text: NIST Special Publication 800-46
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-46
-      - 
-        uuid:     2711f068-734e-4afd-94ba-0b22247fbc88
-        title:    NIST Special Publication 800-47
-        citation: 
-          text: NIST Special Publication 800-47
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-47
-      - 
-        uuid:     238ed479-eccb-49f6-82ec-ab74a7a428cf
-        title:    NIST Special Publication 800-48
-        citation: 
-          text: NIST Special Publication 800-48
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-48
-      - 
-        uuid:     e12b5738-de74-4fb3-8317-a3995a8a1898
-        title:    NIST Special Publication 800-50
-        citation: 
-          text: NIST Special Publication 800-50
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-50
-      - 
-        uuid:     cd4cf751-3312-4a55-b1a9-fad2f1db9119
-        title:    NIST Special Publication 800-53A
-        citation: 
-          text: NIST Special Publication 800-53A
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-53A
-      - 
-        uuid:     81f09e01-d0b0-4ae2-aa6a-064ed9950070
-        title:    NIST Special Publication 800-56
-        citation: 
-          text: NIST Special Publication 800-56
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-56
-      - 
-        uuid:     a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-        title:    NIST Special Publication 800-57
-        citation: 
-          text: NIST Special Publication 800-57
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-57
-      - 
-        uuid:     f152844f-b1ef-4836-8729-6277078ebee1
-        title:    NIST Special Publication 800-60
-        citation: 
-          text: NIST Special Publication 800-60
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-60
-      - 
-        uuid:     be95fb85-a53f-4624-bdbb-140075500aa3
-        title:    NIST Special Publication 800-61
-        citation: 
-          text: NIST Special Publication 800-61
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-61
-      - 
-        uuid:     644f44a9-a2de-4494-9c04-cd37fba45471
-        title:    NIST Special Publication 800-63
-        citation: 
-          text: NIST Special Publication 800-63
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-63
-      - 
-        uuid:     abd950ae-092f-4b7a-b374-1c7c67fe9350
-        title:    NIST Special Publication 800-64
-        citation: 
-          text: NIST Special Publication 800-64
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-64
-      - 
-        uuid:     29fcfe59-33cd-494a-8756-5907ae3a8f92
-        title:    NIST Special Publication 800-65
-        citation: 
-          text: NIST Special Publication 800-65
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-65
-      - 
-        uuid:     84a37532-6db6-477b-9ea8-f9085ebca0fc
-        title:    NIST Special Publication 800-70
-        citation: 
-          text: NIST Special Publication 800-70
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-70
-      - 
-        uuid:     ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-        title:    NIST Special Publication 800-73
-        citation: 
-          text: NIST Special Publication 800-73
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-73
-      - 
-        uuid:     2a71298a-ee90-490e-80ff-48c967173a47
-        title:    NIST Special Publication 800-76
-        citation: 
-          text: NIST Special Publication 800-76
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-76
-      - 
-        uuid:     99f331f2-a9f0-46c2-9856-a3cbb9b89442
-        title:    NIST Special Publication 800-77
-        citation: 
-          text: NIST Special Publication 800-77
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-77
-      - 
-        uuid:     2042d97b-f7f6-4c74-84f8-981867684659
-        title:    NIST Special Publication 800-78
-        citation: 
-          text: NIST Special Publication 800-78
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-78
-      - 
-        uuid:     6af1e841-672c-46c4-b121-96f603d04be3
-        title:    NIST Special Publication 800-81
-        citation: 
-          text: NIST Special Publication 800-81
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-81
-      - 
-        uuid:     6d431fee-658f-4a0e-9f2e-a38b5d398fab
-        title:    NIST Special Publication 800-83
-        citation: 
-          text: NIST Special Publication 800-83
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-83
-      - 
-        uuid:     0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-        title:    NIST Special Publication 800-84
-        citation: 
-          text: NIST Special Publication 800-84
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-84
-      - 
-        uuid:     263823e0-a971-4b00-959d-315b26278b22
-        title:    NIST Special Publication 800-88
-        citation: 
-          text: NIST Special Publication 800-88
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-88
-      - 
-        uuid:     672fd561-b92b-4713-b9cf-6c9d9456728b
-        title:    NIST Special Publication 800-92
-        citation: 
-          text: NIST Special Publication 800-92
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-92
-      - 
-        uuid:     d1b1d689-0f66-4474-9924-c81119758dc1
-        title:    NIST Special Publication 800-94
-        citation: 
-          text: NIST Special Publication 800-94
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-94
-      - 
-        uuid:     6f336ecd-f2a0-4c84-9699-0491d81b6e0d
-        title:    NIST Special Publication 800-97
-        citation: 
-          text: NIST Special Publication 800-97
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-97
-      - 
-        uuid:     9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab
-        title:    OMB Circular A-130
-        citation: 
-          text: OMB Circular A-130
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/omb/circulars_a130_a130trans4
-      - 
-        uuid:     2c5884cd-7b96-425c-862a-99877e1cf909
-        title:    OMB Memorandum 02-01
-        citation: 
-          text: OMB Memorandum 02-01
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/omb/memoranda_m02-01
-      - 
-        uuid:     ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-        title:    OMB Memorandum 04-04
-        citation: 
-          text: OMB Memorandum 04-04
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf
-      - 
-        uuid:     4da24a96-6cf8-435d-9d1f-c73247cad109
-        title:    OMB Memorandum 06-16
-        citation: 
-          text: OMB Memorandum 06-16
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf
-      - 
-        uuid:     990268bf-f4a9-4c81-91ae-dc7d3115f4b1
-        title:    OMB Memorandum 07-11
-        citation: 
-          text: OMB Memorandum 07-11
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf
-      - 
-        uuid:     0b3d8ba9-051f-498d-81ea-97f0f018c612
-        title:    OMB Memorandum 07-18
-        citation: 
-          text: OMB Memorandum 07-18
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf
-      - 
-        uuid:     0916ef02-3618-411b-a525-565c088849a6
-        title:    OMB Memorandum 08-22
-        citation: 
-          text: OMB Memorandum 08-22
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf
-      - 
-        uuid:     28115a56-da6b-4d44-b1df-51dd7f048a3e
-        title:    OMB Memorandum 08-23
-        citation: 
-          text: OMB Memorandum 08-23
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf
-      - 
-        uuid:     599fe9ba-4750-4450-9eeb-b95bd19a5e8f
-        title:    OMB Memorandum 10-06-2011
-        citation: 
-          text: OMB Memorandum 10-06-2011
-      - 
-        uuid:     74e740a4-c45d-49f3-a86e-eb747c549e01
-        title:    OMB Memorandum 11-11
-        citation: 
-          text: OMB Memorandum 11-11
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf
-      - 
-        uuid:     bedb15b7-ec5c-4a68-807f-385125751fcd
-        title:    OMB Memorandum 11-33
-        citation: 
-          text: OMB Memorandum 11-33
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf
-      - 
-        uuid:     dd2f5acd-08f1-435a-9837-f8203088dc1a
-        title: 
-          """
-            Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-                        (E-PACS)
-          """
-        citation: 
-          text: 
-            """
-              Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-                             (E-PACS)
-            """
-      - 
-        uuid:     8ade2fbe-e468-4ca8-9a40-54d7f23c32bb
-        title:    US-CERT Technical Cyber Security Alerts
-        citation: 
-          text: US-CERT Technical Cyber Security Alerts
-        rlinks: 
-          - 
-            href: http://www.us-cert.gov/ncas/alerts
-      - 
-        uuid:       985475ee-d4d6-4581-8fdf-d84d3d8caa48
-        title:      FedRAMP Applicable Laws and Regulations
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-citations
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx
-      - 
-        uuid:       1a23a771-d481-4594-9a1a-71d584fa4123
-        title:      FedRAMP Master Acronym and Glossary
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-acronyms
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf
-      - 
-        uuid:       a2381e87-3d04-4108-a30b-b4d2f36d001f
-        desc:       FedRAMP Logo
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-logo
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png
-      - 
-        uuid:       ad005eae-cc63-4e64-9109-3905a9a825e4
-        title:      NIST Special Publication (SP) 800-53
-        properties: 
-          - 
-            name:  version
-            ns:    https://fedramp.gov/ns/oscal
-            value: Revision 4
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href:       ../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml
-            media-type: application/xml
diff --git a/content/fedramp.gov/yaml/FedRAMP_LI-SaaS-baseline_profile.yaml b/content/fedramp.gov/yaml/FedRAMP_LI-SaaS-baseline_profile.yaml
deleted file mode 100644
index aedd77bef1..0000000000
--- a/content/fedramp.gov/yaml/FedRAMP_LI-SaaS-baseline_profile.yaml
+++ /dev/null
@@ -1,3132 +0,0 @@
-profile: 
-  uuid:        48d3387b-e554-4232-97bc-a8617cf238d9
-  metadata: 
-    title:               FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline
-    published:           2020-02-02T00:00:00.000-05:00
-    last-modified:       2020-06-01T10:00:00.000-05:00
-    version:             1.2
-    oscal-version:       1.0.0-milestone3
-    roles: 
-      - 
-        id:    parpared-by
-        title: Document creator
-      - 
-        id:         fedramp-pmo
-        title:      The FedRAMP Program Management Office (PMO)
-        short-name: CSP
-      - 
-        id:         fedramp-jab
-        title:      The FedRAMP Joint Authorization Board (JAB)
-        short-name: CSP
-    parties: 
-      - 
-        uuid:            8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
-        type:            organization
-        party-name:      Federal Risk and Authorization Management Program: Program Management Office
-        short-name:      FedRAMP PMO
-        links: 
-          - 
-            href: https://fedramp.gov
-            rel:  homepage
-            text: 
-        addresses: 
-          - 
-            type:           work
-            postal-address: 1800 F St. NW,
-            city:           Washington
-            state:          DC
-            postal-code:    
-            country:        US
-        email-addresses: info@fedramp.gov
-      - 
-        uuid:       ca9ba80e-1342-4bfd-b32a-abac468c24b4
-        type:       organization
-        party-name: Federal Risk and Authorization Management Program: Joint Authorization Board
-        short-name: FedRAMP JAB
-    responsible-parties: 
-      prepared-by: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-pmo: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-jab: 
-        party-uuids: ca9ba80e-1342-4bfd-b32a-abac468c24b4
-  imports: 
-    - 
-      href:    #ad005eae-cc63-4e64-9109-3905a9a825e4
-      include: 
-        id-selectors: 
-          - 
-            control-id: ac-1
-          - 
-            control-id: ac-2
-          - 
-            control-id: ac-3
-          - 
-            control-id: ac-7
-          - 
-            control-id: ac-8
-          - 
-            control-id: ac-14
-          - 
-            control-id: ac-17
-          - 
-            control-id: ac-18
-          - 
-            control-id: ac-19
-          - 
-            control-id: ac-20
-          - 
-            control-id: ac-22
-          - 
-            control-id: at-1
-          - 
-            control-id: at-2
-          - 
-            control-id: at-3
-          - 
-            control-id: at-4
-          - 
-            control-id: au-1
-          - 
-            control-id: au-2
-          - 
-            control-id: au-3
-          - 
-            control-id: au-4
-          - 
-            control-id: au-5
-          - 
-            control-id: au-6
-          - 
-            control-id: au-8
-          - 
-            control-id: au-9
-          - 
-            control-id: au-11
-          - 
-            control-id: au-12
-          - 
-            control-id: ca-1
-          - 
-            control-id: ca-2
-          - 
-            control-id: ca-2.1
-          - 
-            control-id: ca-3
-          - 
-            control-id: ca-5
-          - 
-            control-id: ca-6
-          - 
-            control-id: ca-7
-          - 
-            control-id: ca-9
-          - 
-            control-id: cm-1
-          - 
-            control-id: cm-2
-          - 
-            control-id: cm-4
-          - 
-            control-id: cm-6
-          - 
-            control-id: cm-7
-          - 
-            control-id: cm-8
-          - 
-            control-id: cm-10
-          - 
-            control-id: cm-11
-          - 
-            control-id: cp-1
-          - 
-            control-id: cp-2
-          - 
-            control-id: cp-3
-          - 
-            control-id: cp-4
-          - 
-            control-id: cp-9
-          - 
-            control-id: cp-10
-          - 
-            control-id: ia-1
-          - 
-            control-id: ia-2
-          - 
-            control-id: ia-2.1
-          - 
-            control-id: ia-2.12
-          - 
-            control-id: ia-4
-          - 
-            control-id: ia-5
-          - 
-            control-id: ia-5.1
-          - 
-            control-id: ia-5.11
-          - 
-            control-id: ia-6
-          - 
-            control-id: ia-7
-          - 
-            control-id: ia-8
-          - 
-            control-id: ia-8.1
-          - 
-            control-id: ia-8.2
-          - 
-            control-id: ia-8.3
-          - 
-            control-id: ia-8.4
-          - 
-            control-id: ir-1
-          - 
-            control-id: ir-2
-          - 
-            control-id: ir-4
-          - 
-            control-id: ir-5
-          - 
-            control-id: ir-6
-          - 
-            control-id: ir-7
-          - 
-            control-id: ir-8
-          - 
-            control-id: ir-9
-          - 
-            control-id: ma-1
-          - 
-            control-id: ma-2
-          - 
-            control-id: ma-4
-          - 
-            control-id: ma-5
-          - 
-            control-id: mp-1
-          - 
-            control-id: mp-2
-          - 
-            control-id: mp-6
-          - 
-            control-id: mp-7
-          - 
-            control-id: pe-1
-          - 
-            control-id: pe-2
-          - 
-            control-id: pe-3
-          - 
-            control-id: pe-6
-          - 
-            control-id: pe-8
-          - 
-            control-id: pe-12
-          - 
-            control-id: pe-13
-          - 
-            control-id: pe-14
-          - 
-            control-id: pe-15
-          - 
-            control-id: pe-16
-          - 
-            control-id: pl-1
-          - 
-            control-id: pl-2
-          - 
-            control-id: pl-4
-          - 
-            control-id: ps-1
-          - 
-            control-id: ps-2
-          - 
-            control-id: ps-3
-          - 
-            control-id: ps-4
-          - 
-            control-id: ps-5
-          - 
-            control-id: ps-6
-          - 
-            control-id: ps-7
-          - 
-            control-id: ps-8
-          - 
-            control-id: ra-1
-          - 
-            control-id: ra-2
-          - 
-            control-id: ra-3
-          - 
-            control-id: ra-5
-          - 
-            control-id: sa-1
-          - 
-            control-id: sa-2
-          - 
-            control-id: sa-3
-          - 
-            control-id: sa-4
-          - 
-            control-id: sa-4.10
-          - 
-            control-id: sa-5
-          - 
-            control-id: sa-9
-          - 
-            control-id: sc-1
-          - 
-            control-id: sc-5
-          - 
-            control-id: sc-7
-          - 
-            control-id: sc-12
-          - 
-            control-id: sc-13
-          - 
-            control-id: sc-15
-          - 
-            control-id: sc-20
-          - 
-            control-id: sc-21
-          - 
-            control-id: sc-22
-          - 
-            control-id: sc-39
-          - 
-            control-id: si-1
-          - 
-            control-id: si-2
-          - 
-            control-id: si-3
-          - 
-            control-id: si-4
-          - 
-            control-id: si-5
-          - 
-            control-id: si-12
-  merge: 
-    combine: 
-      method: keep
-    as-is:   true
-  modify: 
-    parameter-settings: 
-      ac-22_prm_1: 
-        constraints: 
-          - 
-            detail: at least quarterly
-      au-5_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined actions to be taken (overwrite oldest record)
-      au-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      ca-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-2_prm_2: 
-        constraints: 
-          - 
-            detail: individuals or roles to include FedRAMP PMO
-      ca-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually and on input from FedRAMP
-      ca-5_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      ca-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least every three years or when a significant change occurs
-      ca-7_prm_4: 
-        constraints: 
-          - 
-            detail: to meet Federal and FedRAMP requirements (See additional guidance)
-      ca-7_prm_5: 
-        constraints: 
-          - 
-            detail: to meet Federal and FedRAMP requirements (See additional guidance)
-      cm-6_prm_1: 
-        constraints: 
-          - 
-            detail: see CM-6(a) Additional FedRAMP Requirements and Guidance
-      cm-8_prm_2: 
-        constraints: 
-          - 
-            detail: at least monthly
-      cp-9_prm_1: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9_prm_2: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9_prm_3: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      ir-6_prm_1: 
-        constraints: 
-          - 
-            detail: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-      pe-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-3_prm_2: 
-        constraints: 
-          - 
-            detail: CSP defined physical access control systems/devices AND guards
-      pe-3_prm_6: 
-        constraints: 
-          - 
-            detail: in all circumstances within restricted access area where the information system resides
-      pe-3_prm_8: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-3_prm_9: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      pe-8_prm_1: 
-        constraints: 
-          - 
-            detail: for a minimum of one (1) year
-      pe-8_prm_2: 
-        constraints: 
-          - 
-            detail: at least monthly
-      pe-14_prm_1: 
-        constraints: 
-          - 
-            detail: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-      pe-14_prm_2: 
-        constraints: 
-          - 
-            detail: continuously
-      pe-16_prm_1: 
-        constraints: 
-          - 
-            detail: all information system components
-      pl-2_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-3_prm_1: 
-        constraints: 
-          - 
-            detail: For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.
-      ra-3_prm_2: 
-        constraints: 
-          - 
-            detail: security assessment report
-      ra-3_prm_3: 
-        constraints: 
-          - 
-            detail: at least every three (3) years or when a significant change occurs
-      ra-3_prm_5: 
-        constraints: 
-          - 
-            detail: at least every three (3) years or when a significant change occurs
-      ra-5_prm_1: 
-        constraints: 
-          - 
-            detail: monthly operating system/infrastructure; monthly web applications and databases
-      ra-5_prm_2: 
-        constraints: 
-          - 
-            detail: [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.
-      sa-9_prm_1: 
-        constraints: 
-          - 
-            detail: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-      sa-9_prm_2: 
-        constraints: 
-          - 
-            detail: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-      sc-13_prm_1: 
-        constraints: 
-          - 
-            detail: FIPS-validated or NSA-approved cryptography
-      si-2_prm_1: 
-        constraints: 
-          - 
-            detail: within 30 days of release of updates
-      si-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      si-3_prm_2: 
-        constraints: 
-          - 
-            detail: to include endpoints
-      si-3_prm_3: 
-        constraints: 
-          - 
-            detail: to include alerting administrator or defined security personnel
-    alterations: 
-      - 
-        control-id: ac-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ac-2
-        removals: 
-          - 
-            id-ref: ac-2_smt.b
-          - 
-            id-ref: ac-2_smt.c
-          - 
-            id-ref: ac-2_smt.d
-          - 
-            id-ref: ac-2_smt.e
-          - 
-            id-ref: ac-2_smt.i
-          - 
-            id-ref: ac-2_smt.j
-          - 
-            id-ref: ac-2_smt.k
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    ac-2_fr
-                name:  item
-                title: AC-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored
-                                             for LI-SaaS.
-                      """
-      - 
-        control-id: ac-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: ac-7
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO for non-privileged users. Attestation for privileged users related to
-                                      multi-factor identification and authentication.
-                  """
-      - 
-        control-id: ac-8
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: FED
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: FED - This is related to agency data and agency policy solution.
-      - 
-        control-id: ac-14
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: FED
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: FED - This is related to agency data and agency policy solution.
-      - 
-        control-id: ac-17
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: ac-18
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - All access to Cloud SaaS are via web services and/or API. The device
-                                      accessed from or whether via wired or wireless connection is out of scope.
-                                      Regardless of device accessed from, must utilize approved remote access methods
-                                      (AC-17), secure communication with strong encryption (SC-13), key management
-                                      (SC-12), and multi-factor authentication for privileged access (IA-2[1]).
-                  """
-      - 
-        control-id: ac-19
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - All access to Cloud SaaS are via web service and/or API. The device accessed
-                                      from is out of the scope. Regardless of device accessed from, must utilize
-                                      approved remote access methods (AC-17), secure communication with strong
-                                      encryption (SC-13), key management (SC-12), and multi-factor authentication for
-                                      privileged access (IA-2 [1]).
-                  """
-      - 
-        control-id: ac-20
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ac-22
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: at-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: at-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: at-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: at-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: au-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: au-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: au-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: au-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - Loss of availability of the audit data has been determined to have little or
-                                      no impact to government business/mission needs.
-                  """
-      - 
-        control-id: au-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: au-6
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: au-8
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: au-9
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: au-11
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - Loss of availability of the audit data has been determined as little or no
-                                      impact to government business/mission needs.
-                  """
-      - 
-        control-id: au-12
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ca-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ca-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    ca-2_fr
-                name:  item
-                title: CA-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                                             Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                      """
-      - 
-        control-id: ca-2.1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ca-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Condition: There are connection(s) to external systems. Connections (if any) shall
-                                      be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                                      is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                                      bi-directional. 4) Identify how the connection is secured.
-                  """
-      - 
-        control-id: ca-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring
-                                      Requirements.
-                  """
-      - 
-        control-id: ca-6
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    ca-6_fr
-                name:  item
-                title: CA-6(c) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                                             Appendix F. The service provider describes the types of changes to the
-                                             information system or the environment of operations that would impact the risk
-                                             posture. The types of changes are approved and accepted by the Authorizing
-                                             Official.
-                      """
-      - 
-        control-id: ca-7
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    ca-7_fr
-                name:  item
-                title: CA-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-7_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        CSPs must provide evidence of closure and remediation of high vulnerabilities
-                                             within the timeframe for standard POA&M updates.
-                      """
-                  - 
-                    id:         ca-7_fr_gdn.2
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                                             Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                      """
-      - 
-        control-id: ca-9
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Condition: There are connection(s) to external systems. Connections (if any) shall
-                                      be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                                      is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                                      bi-directional. 4) Identify how the connection is secured.
-                  """
-      - 
-        control-id: cm-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: cm-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: cm-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: cm-6
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Required - Specifically include details of least functionality.
-              - 
-                id:    cm-6_fr
-                name:  item
-                title: CM-6(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement 1:
-                    prose: 
-                      """
-                        The service provider shall use the Center for Internet Security guidelines
-                                             (Level 1) to establish configuration settings or establishes its own
-                                             configuration settings if USGCB is not available. 
-                      """
-                  - 
-                    id:         cm-6_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement 2:
-                    prose: 
-                      """
-                        The service provider shall ensure that checklists for configuration settings
-                                             are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP
-                                             compatible (if validated checklists are not available).
-                      """
-                  - 
-                    id:         cm-6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline).
-      - 
-        control-id: cm-7
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: cm-8
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    cm-8_fr
-                name:  item
-                title: CM-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Must be provided at least monthly or when there is a change.
-      - 
-        control-id: cm-10
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: NSO- Not directly related to protection of the data.
-      - 
-        control-id: cm-11
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - Boundary is specific to SaaS environment; all access is via web services;
-                                      users' machine or internal network are not contemplated. External services (SA-9),
-                                      internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and
-                                      SC-13), and privileged authentication (IA-2[1]) are considerations.
-                  """
-      - 
-        control-id: cp-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: cp-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - Loss of availability of the SaaS has been determined as little or no impact
-                                      to government business/mission needs.
-                  """
-      - 
-        control-id: cp-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - Loss of availability of the SaaS has been determined as little or no impact
-                                      to government business/mission needs.
-                  """
-      - 
-        control-id: cp-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - Loss of availability of the SaaS has been determined as little or no impact
-                                      to government business/mission needs.
-                  """
-      - 
-        control-id: cp-9
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    cp-9_fr
-                name:  item
-                title: CP-9 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-9_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose: 
-                      """
-                        The service provider shall determine what elements of the cloud environment
-                                             require the Information System Backup control. The service provider shall
-                                             determine how Information System Backup is going to be verified and appropriate
-                                             periodicity of the check.
-                      """
-                  - 
-                    id:         cp-9_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(a) Requirement:
-                    prose: 
-                      """
-                        The service provider maintains at least three backup copies of user-level
-                                             information (at least one of which is available online).
-                      """
-                  - 
-                    id:         cp-9_fr_smt.b
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(b)Requirement:
-                    prose: 
-                      """
-                        The service provider maintains at least three backup copies of system-level
-                                             information (at least one of which is available online).
-                      """
-                  - 
-                    id:         cp-9_fr_smt.c
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(c)Requirement:
-                    prose: 
-                      """
-                        The service provider maintains at least three backup copies of information
-                                             system documentation including security information (at least one of which is
-                                             available online).
-                      """
-      - 
-        control-id: cp-10
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO - Loss of availability of the SaaS has been determined as little or no impact
-                                      to government business/mission needs.
-                  """
-      - 
-        control-id: ia-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ia-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    NSO for non-privileged users. Attestation for privileged users related to
-                                      multi-factor identification and authentication - specifically include description
-                                      of management of service accounts.
-                  """
-      - 
-        control-id: ia-2.1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: ia-2.12
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Condition: Must document and assess for privileged users. May attest to this
-                                      control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                                      authentication for all Federal privileged users, if acceptance of PIV credentials
-                                      is not supported. The implementation status and details of how this control is
-                                      implemented must be clearly defined by the CSP.
-                  """
-              - 
-                id:    ia-2.12_fr
-                name:  item
-                title: IA-2 (12) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-2.12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        Include Common Access Card (CAC), i.e., the DoD technical implementation of
-                                             PIV/FIPS 201/HSPD-12.
-                      """
-      - 
-        control-id: ia-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ia-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ia-5.1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ia-5.11
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: FED
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    FED - for Federal privileged users. Condition - Must document and assess for
-                                      privileged users. May attest to this control for non-privileged users.
-                  """
-      - 
-        control-id: ia-6
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: ia-7
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ia-8
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ia-8.1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Condition: Must document and assess for privileged users. May attest to this
-                                      control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                                      authentication for all Federal privileged users, if acceptance of PIV credentials
-                                      is not supported. The implementation status and details of how this control is
-                                      implemented must be clearly defined by the CSP.
-                  """
-      - 
-        control-id: ia-8.2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Condition: Must document and assess for privileged users. May attest to this
-                                      control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                                      authentication for all Federal privileged users, if acceptance of PIV credentials
-                                      is not supported. The implementation status and details of how this control is
-                                      implemented must be clearly defined by the CSP.
-                  """
-      - 
-        control-id: ia-8.3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ia-8.4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ir-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ir-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ir-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    ir-4_fr
-                name:  item
-                title: IR-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-4_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose: 
-                      """
-                        The service provider ensures that individuals conducting incident handling meet
-                                             personnel security requirements commensurate with the criticality/sensitivity
-                                             of the information being processed, stored, and transmitted by the information
-                                             system.
-                      """
-      - 
-        control-id: ir-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ir-6
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    ir-6_fr
-                name:  item
-                title: IR-6 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose: 
-                      """
-                        Report security incident information according to FedRAMP Incident
-                                             Communications Procedure.
-                      """
-      - 
-        control-id: ir-7
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ir-8
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Attestation - Specifically attest to US-CERT compliance.
-      - 
-        control-id: ir-9
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Attestation - Specifically describe information spillage response processes.
-      - 
-        control-id: ma-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ma-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: ma-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ma-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: mp-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: mp-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: mp-6
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: mp-7
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pe-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: pe-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pe-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pe-6
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pe-8
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pe-12
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pe-13
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pe-14
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-              - 
-                id:    pe-14_fr
-                name:  item
-                title: PE-14(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         pe-14_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose: 
-                      """
-                        The service provider measures temperature at server inlets and humidity levels
-                                             by dew point.
-                      """
-      - 
-        control-id: pe-15
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pe-16
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-      - 
-        control-id: pl-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: pl-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: pl-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ps-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ps-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: FED
-      - 
-        control-id: ps-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: ps-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ps-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ps-6
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ps-7
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Attestation - Specifically stating that any third-party security personnel are
-                                      treated as CSP employees.
-                  """
-      - 
-        control-id: ps-8
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ra-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: ra-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: ra-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    ra-3_fr
-                name:  item
-                title: RA-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                                             Appendix F
-                      """
-                  - 
-                    id:         ra-3_fr_smt.d
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: RA-3 (d) Requirement:
-                    prose: 
-                      """
-                        Include all Authorizing Officials; for JAB authorizations to include
-                                             FedRAMP.
-                      """
-      - 
-        control-id: ra-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:         ra-5_fr_smt.a
-                name:       item
-                title:      RA-5(a) Additional FedRAMP Requirements and Guidance
-                properties: 
-                  - 
-                    name:  label
-                    value: RA-5 (a)Requirement:
-                prose: 
-                  """
-                    An accredited independent assessor scans operating systems/infrastructure, web
-                                      applications, and databases once annually.
-                  """
-              - 
-                id:         ra-5_fr_smt.e
-                name:       item
-                title:      RA-5(e) Additional FedRAMP Requirements and Guidance
-                properties: 
-                  - 
-                    name:  label
-                    value: RA-5 (e)Requirement:
-                prose: 
-                  """
-                    To include all Authorizing Officials; for JAB authorizations to include
-                                      FedRAMP.
-                  """
-              - 
-                id:    ra-5_fr
-                name:  item
-                title: RA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        **See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                                                Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))
-                      """
-      - 
-        control-id: sa-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sa-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sa-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sa-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sa-4.10
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sa-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sa-9
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: sc-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sc-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Condition: If availability is a requirement, define protections in place as per
-                                      control requirement.
-                  """
-      - 
-        control-id: sc-7
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: sc-12
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-            parts: 
-              - 
-                id:    sc-12_fr
-                name:  item
-                title: SC-12 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Federally approved cryptography.
-      - 
-        control-id: sc-13
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: CONDITIONAL
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: Condition: If implementing need to detail how they meet it or don't meet it.
-      - 
-        control-id: sc-15
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: NSO
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: NSO - Not directly related to the security of the SaaS.
-      - 
-        control-id: sc-20
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sc-21
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sc-22
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: sc-39
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: si-1
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: si-2
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: si-3
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: si-4
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ASSESS
-      - 
-        control-id: si-5
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-      - 
-        control-id: si-12
-        removals: 
-          - 
-            name-ref: objective
-          - 
-            name-ref: assessment
-        additions: 
-          - 
-            position:   ending
-            properties: 
-              - 
-                name:  method
-                class: FedRAMP-Tailored-LI-SaaS
-                value: ATTEST
-            parts: 
-              - 
-                name:  guidance
-                class: FedRAMP-Tailored-LI-SaaS
-                prose: 
-                  """
-                    Attestation - Specifically related to US-CERT and FedRAMP communications
-                                      procedures.
-                  """
-  back-matter: 
-    resources: 
-      - 
-        uuid:       985475ee-d4d6-4581-8fdf-d84d3d8caa48
-        title:      FedRAMP Applicable Laws and Regulations
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-citations
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx
-      - 
-        uuid:       1a23a771-d481-4594-9a1a-71d584fa4123
-        title:      FedRAMP Master Acronym and Glossary
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-acronyms
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf
-      - 
-        uuid:       a2381e87-3d04-4108-a30b-b4d2f36d001f
-        desc:       FedRAMP Logo
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-logo
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png
-      - 
-        uuid:       ad005eae-cc63-4e64-9109-3905a9a825e4
-        title:      NIST Special Publication (SP) 800-53
-        properties: 
-          - 
-            name:  version
-            ns:    https://fedramp.gov/ns/oscal
-            value: Revision 4
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href:       ../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml
-            media-type: application/xml
diff --git a/content/fedramp.gov/yaml/FedRAMP_LOW-baseline-resolved-profile_catalog.yaml b/content/fedramp.gov/yaml/FedRAMP_LOW-baseline-resolved-profile_catalog.yaml
deleted file mode 100644
index ce79e3a5fb..0000000000
--- a/content/fedramp.gov/yaml/FedRAMP_LOW-baseline-resolved-profile_catalog.yaml
+++ /dev/null
@@ -1,41309 +0,0 @@
-catalog: 
-  uuid:        d320d731-1aea-4d48-a4df-05b1c9f48c04
-  metadata: 
-    title:               FedRAMP Low Baseline
-    published:           2020-06-01T00:00:00.000-04:00
-    last-modified:       2020-06-01T10:00:00.000-04:00
-    version:             1.2
-    oscal-version:       1.0.0-milestone3
-    properties: 
-      - 
-        name:  resolution-timestamp
-        value: 2020-08-31T17:38:45.129825Z
-    links: 
-      - 
-        href: FedRAMP_LOW-baseline_profile.xml
-        rel:  resolution-source
-        text: FedRAMP Low Baseline
-    roles: 
-      - 
-        id:    parpared-by
-        title: Document creator
-      - 
-        id:         fedramp-pmo
-        title:      The FedRAMP Program Management Office (PMO)
-        short-name: CSP
-      - 
-        id:         fedramp-jab
-        title:      The FedRAMP Joint Authorization Board (JAB)
-        short-name: CSP
-    parties: 
-      - 
-        uuid:            8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
-        type:            organization
-        party-name:      Federal Risk and Authorization Management Program: Program Management Office
-        short-name:      FedRAMP PMO
-        links: 
-          - 
-            href: https://fedramp.gov
-            rel:  homepage
-            text: 
-        addresses: 
-          - 
-            type:           work
-            postal-address: 1800 F St. NW,
-            city:           Washington
-            state:          DC
-            postal-code:    
-            country:        US
-        email-addresses: info@fedramp.gov
-      - 
-        uuid:       ca9ba80e-1342-4bfd-b32a-abac468c24b4
-        type:       organization
-        party-name: Federal Risk and Authorization Management Program: Joint Authorization Board
-        short-name: FedRAMP JAB
-    responsible-parties: 
-      prepared-by: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-pmo: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-jab: 
-        party-uuids: ca9ba80e-1342-4bfd-b32a-abac468c24b4
-  groups: 
-    - 
-      id:       ac
-      class:    family
-      title:    Access Control
-      controls: 
-        - 
-          id:         ac-1
-          class:      SP800-53
-          title:      Access Control Policy and Procedures
-          parameters: 
-            - 
-              id:    ac-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ac-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ac-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-1
-            - 
-              name:  sort-id
-              value: ac-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ac-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ac-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ac-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An access control policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ac-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the access control policy and
-                                               associated access controls; and
-                        """
-                - 
-                  id:         ac-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ac-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Access control policy {{ ac-1_prm_2 }}; and
-                    - 
-                      id:         ac-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Access control procedures {{ ac-1_prm_3 }}.
-            - 
-              id:    ac-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AC
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ac-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-1(a)
-                  parts: 
-                    - 
-                      id:         ac-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ac-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[1]
-                          prose:      develops and documents an access control policy that addresses:
-                          parts: 
-                            - 
-                              id:         ac-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ac-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ac-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ac-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ac-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ac-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ac-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ac-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the access control policy are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ac-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the access control policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         ac-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ac-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      access control policy and associated access control controls;
-                            """
-                        - 
-                          id:         ac-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ac-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ac-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-1(b)
-                  parts: 
-                    - 
-                      id:         ac-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ac-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current access control
-                                                      policy;
-                            """
-                        - 
-                          id:         ac-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current access control policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ac-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ac-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current access control
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ac-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current access control procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ac-2
-          class:      SP800-53
-          title:      Account Management
-          parameters: 
-            - 
-              id:    ac-2_prm_1
-              label: organization-defined information system account types
-            - 
-              id:    ac-2_prm_2
-              label: organization-defined personnel or roles
-            - 
-              id:    ac-2_prm_3
-              label: organization-defined procedures or conditions
-            - 
-              id:          ac-2_prm_4
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-2
-            - 
-              name:  sort-id
-              value: ac-02
-          parts: 
-            - 
-              id:    ac-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifies and selects the following types of information system accounts to
-                                        support organizational missions/business functions: {{ ac-2_prm_1 }};
-                    """
-                - 
-                  id:         ac-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Assigns account managers for information system accounts;
-                - 
-                  id:         ac-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Establishes conditions for group and role membership;
-                - 
-                  id:         ac-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Specifies authorized users of the information system, group and role membership,
-                                        and access authorizations (i.e., privileges) and other attributes (as required)
-                                        for each account;
-                    """
-                - 
-                  id:         ac-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Requires approvals by {{ ac-2_prm_2 }} for requests to create
-                                        information system accounts;
-                    """
-                - 
-                  id:         ac-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Creates, enables, modifies, disables, and removes information system accounts in
-                                        accordance with {{ ac-2_prm_3 }};
-                    """
-                - 
-                  id:         ac-2_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Monitors the use of information system accounts;
-                - 
-                  id:         ac-2_smt.h
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: h.
-                  prose:      Notifies account managers:
-                  parts: 
-                    - 
-                      id:         ac-2_smt.h.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      When accounts are no longer required;
-                    - 
-                      id:         ac-2_smt.h.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      When users are terminated or transferred; and
-                    - 
-                      id:         ac-2_smt.h.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      When individual information system usage or need-to-know changes;
-                - 
-                  id:         ac-2_smt.i
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: i.
-                  prose:      Authorizes access to the information system based on:
-                  parts: 
-                    - 
-                      id:         ac-2_smt.i.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      A valid access authorization;
-                    - 
-                      id:         ac-2_smt.i.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Intended system usage; and
-                    - 
-                      id:         ac-2_smt.i.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Other attributes as required by the organization or associated
-                                               missions/business functions;
-                        """
-                - 
-                  id:         ac-2_smt.j
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: j.
-                  prose:      Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and
-                - 
-                  id:         ac-2_smt.k
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: k.
-                  prose: 
-                    """
-                      Establishes a process for reissuing shared/group account credentials (if deployed)
-                                        when individuals are removed from the group.
-                    """
-            - 
-              id:    ac-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system account types include, for example, individual, shared, group,
-                                 system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-                                 service. Some of the account management requirements listed above can be implemented
-                                 by organizational information systems. The identification of authorized users of the
-                                 information system and the specification of access privileges reflects the
-                                 requirements in other security controls in the security plan. Users requiring
-                                 administrative privileges on information system accounts receive additional scrutiny
-                                 by appropriate organizational personnel (e.g., system owner, mission/business owner,
-                                 or chief information security officer) responsible for approving such accounts and
-                                 privileged access. Organizations may choose to define access privileges or other
-                                 attributes by account, by type of account, or a combination of both. Other attributes
-                                 required for authorizing access include, for example, restrictions on time-of-day,
-                                 day-of-week, and point-of-origin. In defining other account attributes, organizations
-                                 consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-                                 and mission/business requirements, (e.g., time zone differences, customer
-                                 requirements, remote access to support travel requirements). Failure to consider
-                                 these factors could affect information system availability. Temporary and emergency
-                                 accounts are accounts intended for short-term use. Organizations establish temporary
-                                 accounts as a part of normal account activation procedures when there is a need for
-                                 short-term accounts without the demand for immediacy in account activation.
-                                 Organizations establish emergency accounts in response to crisis situations and with
-                                 the need for rapid account activation. Therefore, emergency account activation may
-                                 bypass normal account authorization processes. Emergency and temporary accounts are
-                                 not to be confused with infrequently used accounts (e.g., local logon accounts used
-                                 for special tasks defined by organizations or when network resources are
-                                 unavailable). Such accounts remain available and are not subject to automatic
-                                 disabling or removal dates. Conditions for disabling or deactivating accounts
-                                 include, for example: (i) when shared/group, emergency, or temporary accounts are no
-                                 longer required; or (ii) when individuals are transferred or terminated. Some types
-                                 of information system accounts may require specialized training.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-10
-                  rel:  related
-                  text: AC-10
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    ac-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(a)
-                  parts: 
-                    - 
-                      id:         ac-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(a)[1]
-                      prose: 
-                        """
-                          defines information system account types to be identified and selected to
-                                               support organizational missions/business functions;
-                        """
-                    - 
-                      id:         ac-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AC-2(a)[2]
-                      prose: 
-                        """
-                          identifies and selects organization-defined information system account types to
-                                               support organizational missions/business functions;
-                        """
-                - 
-                  id:         ac-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AC-2(b)
-                  prose:      assigns account managers for information system accounts;
-                - 
-                  id:         ac-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(c)
-                  prose:      establishes conditions for group and role membership;
-                - 
-                  id:         ac-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(d)
-                  prose:      specifies for each account (as required):
-                  parts: 
-                    - 
-                      id:         ac-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[1]
-                      prose:      authorized users of the information system;
-                    - 
-                      id:         ac-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[2]
-                      prose:      group and role membership;
-                    - 
-                      id:         ac-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[3]
-                      prose:      access authorizations (i.e., privileges);
-                    - 
-                      id:         ac-2.d_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[4]
-                      prose:      other attributes;
-                - 
-                  id:         ac-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(e)
-                  parts: 
-                    - 
-                      id:         ac-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(e)[1]
-                      prose: 
-                        """
-                          defines personnel or roles required to approve requests to create information
-                                               system accounts;
-                        """
-                    - 
-                      id:         ac-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(e)[2]
-                      prose: 
-                        """
-                          requires approvals by organization-defined personnel or roles for requests to
-                                               create information system accounts;
-                        """
-                - 
-                  id:         ac-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(f)
-                  parts: 
-                    - 
-                      id:         ac-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(f)[1]
-                      prose:      defines procedures or conditions to:
-                      parts: 
-                        - 
-                          id:         ac-2.f_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][a]
-                          prose:      create information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][b]
-                          prose:      enable information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][c]
-                          prose:      modify information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][d]
-                          prose:      disable information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][e]
-                          prose:      remove information system accounts;
-                    - 
-                      id:         ac-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(f)[2]
-                      prose:      in accordance with organization-defined procedures or conditions:
-                      parts: 
-                        - 
-                          id:         ac-2.f_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][a]
-                          prose:      creates information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][b]
-                          prose:      enables information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][c]
-                          prose:      modifies information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][d]
-                          prose:      disables information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][e]
-                          prose:      removes information system accounts;
-                - 
-                  id:         ac-2.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(g)
-                  prose:      monitors the use of information system accounts;
-                - 
-                  id:         ac-2.h_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(h)
-                  prose:      notifies account managers:
-                  parts: 
-                    - 
-                      id:         ac-2.h.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(1)
-                      prose:      when accounts are no longer required;
-                    - 
-                      id:         ac-2.h.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(2)
-                      prose:      when users are terminated or transferred;
-                    - 
-                      id:         ac-2.h.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(3)
-                      prose:      when individual information system usage or need to know changes;
-                - 
-                  id:         ac-2.i_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(i)
-                  prose:      authorizes access to the information system based on;
-                  parts: 
-                    - 
-                      id:         ac-2.i.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(1)
-                      prose:      a valid access authorization;
-                    - 
-                      id:         ac-2.i.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(2)
-                      prose:      intended system usage;
-                    - 
-                      id:         ac-2.i.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(3)
-                      prose: 
-                        """
-                          other attributes as required by the organization or associated
-                                               missions/business functions;
-                        """
-                - 
-                  id:         ac-2.j_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(j)
-                  parts: 
-                    - 
-                      id:         ac-2.j_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(j)[1]
-                      prose: 
-                        """
-                          defines the frequency to review accounts for compliance with account management
-                                               requirements;
-                        """
-                    - 
-                      id:         ac-2.j_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(j)[2]
-                      prose: 
-                        """
-                          reviews accounts for compliance with account management requirements with the
-                                               organization-defined frequency; and
-                        """
-                - 
-                  id:         ac-2.k_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(k)
-                  prose: 
-                    """
-                      establishes a process for reissuing shared/group account credentials (if deployed)
-                                        when individuals are removed from the group.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated
-                                        with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated
-                                        employees\n\nlist of recently disabled information system accounts along with the name of the
-                                        individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management
-        - 
-          id:         ac-3
-          class:      SP800-53
-          title:      Access Enforcement
-          properties: 
-            - 
-              name:  label
-              value: AC-3
-            - 
-              name:  sort-id
-              value: ac-03
-          parts: 
-            - 
-              id:    ac-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system enforces approved authorizations for logical access to
-                                 information and system resources in accordance with applicable access control
-                                 policies.
-                """
-            - 
-              id:    ac-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Access control policies (e.g., identity-based policies, role-based policies, control
-                                 matrices, cryptography) control access between active entities or subjects (i.e.,
-                                 users or processes acting on behalf of users) and passive entities or objects (e.g.,
-                                 devices, files, records, domains) in information systems. In addition to enforcing
-                                 authorized access at the information system level and recognizing that information
-                                 systems can host many applications and services in support of organizational missions
-                                 and business operations, access enforcement mechanisms can also be employed at the
-                                 application and service level to provide increased information security.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-                - 
-                  href: #ac-22
-                  rel:  related
-                  text: AC-22
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-            - 
-              id:         ac-3_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system enforces approved authorizations for logical
-                                 access to information and system resources in accordance with applicable access
-                                 control policies.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing access control policy
-        - 
-          id:         ac-7
-          class:      SP800-53
-          title:      Unsuccessful Logon Attempts
-          parameters: 
-            - 
-              id:          ac-7_prm_1
-              label:       organization-defined number
-              constraints: 
-                - 
-                  detail: not more than three (3)
-            - 
-              id:          ac-7_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: fifteen (15) minutes
-            - 
-              id: ac-7_prm_3
-            - 
-              id:          ac-7_prm_4
-              depends-on:  ac-7_prm_3
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: thirty (30) minutes
-            - 
-              id:         ac-7_prm_5
-              depends-on: ac-7_prm_3
-              label:      organization-defined delay algorithm
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-7
-            - 
-              name:  sort-id
-              value: ac-07
-          parts: 
-            - 
-              id:    ac-7_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon
-                                        attempts by a user during a {{ ac-7_prm_2 }}; and
-                    """
-                - 
-                  id:         ac-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Automatically {{ ac-7_prm_3 }} when the maximum number of
-                                        unsuccessful attempts is exceeded.
-                    """
-            - 
-              id:    ac-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies regardless of whether the logon occurs via a local or network
-                                 connection. Due to the potential for denial of service, automatic lockouts initiated
-                                 by information systems are usually temporary and automatically release after a
-                                 predetermined time period established by organizations. If a delay algorithm is
-                                 selected, organizations may choose to employ different algorithms for different
-                                 information system components based on the capabilities of those components.
-                                 Responses to unsuccessful logon attempts may be implemented at both the operating
-                                 system and the application levels.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-9
-                  rel:  related
-                  text: AC-9
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-            - 
-              id:    ac-7_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         ac-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-7(a)
-                  parts: 
-                    - 
-                      id:         ac-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(a)[1]
-                      prose: 
-                        """
-                          the organization defines the number of consecutive invalid logon attempts
-                                               allowed to the information system by a user during an organization-defined time
-                                               period;
-                        """
-                    - 
-                      id:         ac-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(a)[2]
-                      prose: 
-                        """
-                          the organization defines the time period allowed by a user of the information
-                                               system for an organization-defined number of consecutive invalid logon
-                                               attempts;
-                        """
-                    - 
-                      id:         ac-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-7(a)[3]
-                      prose: 
-                        """
-                          the information system enforces a limit of organization-defined number of
-                                               consecutive invalid logon attempts by a user during an organization-defined
-                                               time period;
-                        """
-                - 
-                  id:         ac-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-7(b)
-                  parts: 
-                    - 
-                      id:         ac-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(b)[1]
-                      prose: 
-                        """
-                          the organization defines account/node lockout time period or logon delay
-                                               algorithm to be automatically enforced by the information system when the
-                                               maximum number of unsuccessful logon attempts is exceeded;
-                        """
-                    - 
-                      id:         ac-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-7(b)[2]
-                      prose: 
-                        """
-                          the information system, when the maximum number of unsuccessful logon attempts
-                                               is exceeded, automatically:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-7.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][a]
-                          prose:      locks the account/node for the organization-defined time period;
-                        - 
-                          id:         ac-7.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][b]
-                          prose:      locks the account/node until released by an administrator; or
-                        - 
-                          id:         ac-7.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][c]
-                          prose: 
-                            """
-                              delays next logon prompt according to the organization-defined delay
-                                                      algorithm.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing access control policy for unsuccessful logon
-                                        attempts
-                    """
-        - 
-          id:         ac-8
-          class:      SP800-53
-          title:      System Use Notification
-          parameters: 
-            - 
-              id:          ac-8_prm_1
-              label:       organization-defined system use notification message or banner
-              constraints: 
-                - 
-                  detail: see additional Requirements and Guidance
-            - 
-              id:          ac-8_prm_2
-              label:       organization-defined conditions
-              constraints: 
-                - 
-                  detail: see additional Requirements and Guidance
-          properties: 
-            - 
-              name:  label
-              value: AC-8
-            - 
-              name:  sort-id
-              value: ac-08
-          parts: 
-            - 
-              id:    ac-8_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Displays to users {{ ac-8_prm_1 }} before granting access to the
-                                        system that provides privacy and security notices consistent with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance and states that:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Users are accessing a U.S. Government information system;
-                    - 
-                      id:         ac-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Information system usage may be monitored, recorded, and subject to audit;
-                    - 
-                      id:         ac-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Unauthorized use of the information system is prohibited and subject to
-                                               criminal and civil penalties; and
-                        """
-                    - 
-                      id:         ac-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Use of the information system indicates consent to monitoring and
-                                               recording;
-                        """
-                - 
-                  id:         ac-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Retains the notification message or banner on the screen until users acknowledge
-                                        the usage conditions and take explicit actions to log on to or further access the
-                                        information system; and
-                    """
-                - 
-                  id:         ac-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      For publicly accessible systems:
-                  parts: 
-                    - 
-                      id:         ac-8_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Displays system use information {{ ac-8_prm_2 }}, before
-                                               granting further access;
-                        """
-                    - 
-                      id:         ac-8_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Displays references, if any, to monitoring, recording, or auditing that are
-                                               consistent with privacy accommodations for such systems that generally prohibit
-                                               those activities; and
-                        """
-                    - 
-                      id:         ac-8_smt.c.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      Includes a description of the authorized uses of the system.
-                - 
-                  id:    ac-8_fr
-                  name:  item
-                  title: AC-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ac-8_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-                    - 
-                      id:         ac-8_fr_smt.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-                    - 
-                      id:         ac-8_fr_smt.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
-            - 
-              id:    ac-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  System use notifications can be implemented using messages or warning banners
-                                 displayed before individuals log in to information systems. System use notifications
-                                 are used only for access via logon interfaces with human users and are not required
-                                 when such human interfaces do not exist. Organizations consider system use
-                                 notification messages/banners displayed in multiple languages based on specific
-                                 organizational needs and the demographics of information system users. Organizations
-                                 also consult with the Office of the General Counsel for legal review and approval of
-                                 warning banner content.
-                """
-            - 
-              id:    ac-8_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(a)
-                  parts: 
-                    - 
-                      id:         ac-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-8(a)[1]
-                      prose: 
-                        """
-                          the organization defines a system use notification message or banner to be
-                                               displayed by the information system to users before granting access to the
-                                               system;
-                        """
-                    - 
-                      id:         ac-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-8(a)[2]
-                      prose: 
-                        """
-                          the information system displays to users the organization-defined system use
-                                               notification message or banner before granting access to the information system
-                                               that provides privacy and security notices consistent with applicable federal
-                                               laws, Executive Orders, directives, policies, regulations, standards, and
-                                               guidance, and states that:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-8.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](1)
-                          prose:      users are accessing a U.S. Government information system;
-                        - 
-                          id:         ac-8.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](2)
-                          prose: 
-                            """
-                              information system usage may be monitored, recorded, and subject to
-                                                      audit;
-                            """
-                        - 
-                          id:         ac-8.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](3)
-                          prose: 
-                            """
-                              unauthorized use of the information system is prohibited and subject to
-                                                      criminal and civil penalties;
-                            """
-                        - 
-                          id:         ac-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](4)
-                          prose: 
-                            """
-                              use of the information system indicates consent to monitoring and
-                                                      recording;
-                            """
-                - 
-                  id:         ac-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-8(b)
-                  prose: 
-                    """
-                      the information system retains the notification message or banner on the screen
-                                        until users acknowledge the usage conditions and take explicit actions to log on
-                                        to or further access the information system;
-                    """
-                - 
-                  id:         ac-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(c)
-                  prose:      for publicly accessible systems:
-                  parts: 
-                    - 
-                      id:         ac-8.c.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-8(c)(1)
-                      parts: 
-                        - 
-                          id:         ac-8.c.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-8(c)(1)[1]
-                          prose: 
-                            """
-                              the organization defines conditions for system use to be displayed by the
-                                                      information system before granting further access;
-                            """
-                        - 
-                          id:         ac-8.c.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-8(c)(1)[2]
-                          prose: 
-                            """
-                              the information system displays organization-defined conditions before
-                                                      granting further access;
-                            """
-                    - 
-                      id:         ac-8.c.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-8(c)(2)
-                      prose: 
-                        """
-                          the information system displays references, if any, to monitoring, recording,
-                                               or auditing that are consistent with privacy accommodations for such systems
-                                               that generally prohibit those activities; and
-                        """
-                    - 
-                      id:         ac-8.c.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-8(c)(3)
-                      prose: 
-                        """
-                          the information system includes a description of the authorized uses of the
-                                               system.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing system use notification
-        - 
-          id:         ac-14
-          class:      SP800-53
-          title:      Permitted Actions Without Identification or Authentication
-          parameters: 
-            - 
-              id:    ac-14_prm_1
-              label: organization-defined user actions
-          properties: 
-            - 
-              name:  label
-              value: AC-14
-            - 
-              name:  sort-id
-              value: ac-14
-          parts: 
-            - 
-              id:    ac-14_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-14_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifies {{ ac-14_prm_1 }} that can be performed on the
-                                        information system without identification or authentication consistent with
-                                        organizational missions/business functions; and
-                    """
-                - 
-                  id:         ac-14_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents and provides supporting rationale in the security plan for the
-                                        information system, user actions not requiring identification or
-                                        authentication.
-                    """
-            - 
-              id:    ac-14_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses situations in which organizations determine that no
-                                 identification or authentication is required in organizational information systems.
-                                 Organizations may allow a limited number of user actions without identification or
-                                 authentication including, for example, when individuals access public websites or
-                                 other publicly accessible federal information systems, when individuals use mobile
-                                 phones to receive calls, or when facsimiles are received. Organizations also identify
-                                 actions that normally require identification or authentication but may under certain
-                                 circumstances (e.g., emergencies), allow identification or authentication mechanisms
-                                 to be bypassed. Such bypasses may occur, for example, via a software-readable
-                                 physical switch that commands bypass of the logon functionality and is protected from
-                                 accidental or unmonitored use. This control does not apply to situations where
-                                 identification and authentication have already occurred and are not repeated, but
-                                 rather to situations where identification and authentication have not yet occurred.
-                                 Organizations may decide that there are no user actions that can be performed on
-                                 organizational information systems without identification and authentication and
-                                 thus, the values for assignment statements can be none.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-            - 
-              id:    ac-14_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-14.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-14(a)
-                  parts: 
-                    - 
-                      id:         ac-14.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-14(a)[1]
-                      prose: 
-                        """
-                          defines user actions that can be performed on the information system without
-                                               identification or authentication consistent with organizational
-                                               missions/business functions;
-                        """
-                    - 
-                      id:         ac-14.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AC-14(a)[2]
-                      prose: 
-                        """
-                          identifies organization-defined user actions that can be performed on the
-                                               information system without identification or authentication consistent with
-                                               organizational missions/business functions; and
-                        """
-                - 
-                  id:         ac-14.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-14(b)
-                  prose: 
-                    """
-                      documents and provides supporting rationale in the security plan for the
-                                        information system, user actions not requiring identification or
-                                        authentication.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing permitted actions without identification or
-                                        authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or
-                                        authentication\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ac-17
-          class:      SP800-53
-          title:      Remote Access
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-17
-            - 
-              name:  sort-id
-              value: ac-17
-          links: 
-            - 
-              href: #5309d4d0-46f8-4213-a749-e7584164e5e8
-              rel:  reference
-              text: NIST Special Publication 800-46
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-            - 
-              href: #349fe082-502d-464a-aa0c-1443c6a5cf40
-              rel:  reference
-              text: NIST Special Publication 800-113
-            - 
-              href: #1201fcf3-afb1-4675-915a-fb4ae0435717
-              rel:  reference
-              text: NIST Special Publication 800-114
-            - 
-              href: #d1a4e2a9-e512-4132-8795-5357aba29254
-              rel:  reference
-              text: NIST Special Publication 800-121
-          parts: 
-            - 
-              id:    ac-17_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-17_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and documents usage restrictions, configuration/connection
-                                        requirements, and implementation guidance for each type of remote access allowed;
-                                        and
-                    """
-                - 
-                  id:         ac-17_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes remote access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              id:    ac-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  Remote access is access to organizational information systems by users (or processes
-                                 acting on behalf of users) communicating through external networks (e.g., the
-                                 Internet). Remote access methods include, for example, dial-up, broadband, and
-                                 wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-                                 enhance confidentiality and integrity over remote connections. The use of encrypted
-                                 VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-                                 provisioned with appropriate security controls (e.g., employing appropriate
-                                 encryption techniques for confidentiality and integrity protection) may provide
-                                 sufficient assurance to the organization that it can effectively treat such
-                                 connections as internal networks. Still, VPN connections traverse external networks,
-                                 and the encrypted VPN does not enhance the availability of remote connections. Also,
-                                 VPNs with encrypted tunnels can affect the organizational capability to adequately
-                                 monitor network communications traffic for malicious code. Remote access controls
-                                 apply to information systems other than public web servers or systems designed for
-                                 public access. This control addresses authorization prior to allowing remote access
-                                 without specifying the formats for such authorization. While organizations may use
-                                 interconnection security agreements to authorize remote access connections, such
-                                 agreements are not required by this control. Enforcing access restrictions for remote
-                                 connections is addressed in AC-3.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #pe-17
-                  rel:  related
-                  text: PE-17
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-17_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-17.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-17(a)
-                  parts: 
-                    - 
-                      id:         ac-17.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[1]
-                      prose:      identifies the types of remote access allowed to the information system;
-                    - 
-                      id:         ac-17.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[2]
-                      prose:      establishes for each type of remote access allowed:
-                      parts: 
-                        - 
-                          id:         ac-17.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][a]
-                          prose:      usage restrictions;
-                        - 
-                          id:         ac-17.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][b]
-                          prose:      configuration/connection requirements;
-                        - 
-                          id:         ac-17.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][c]
-                          prose:      implementation guidance;
-                    - 
-                      id:         ac-17.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[3]
-                      prose:      documents for each type of remote access allowed:
-                      parts: 
-                        - 
-                          id:         ac-17.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][a]
-                          prose:      usage restrictions;
-                        - 
-                          id:         ac-17.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][b]
-                          prose:      configuration/connection requirements;
-                        - 
-                          id:         ac-17.a_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][c]
-                          prose:      implementation guidance; and
-                - 
-                  id:         ac-17.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-17(b)
-                  prose: 
-                    """
-                      authorizes remote access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing remote access implementation and usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing remote access
-                                        connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Remote access management capability for the information system
-        - 
-          id:         ac-18
-          class:      SP800-53
-          title:      Wireless Access
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-18
-            - 
-              name:  sort-id
-              value: ac-18
-          links: 
-            - 
-              href: #238ed479-eccb-49f6-82ec-ab74a7a428cf
-              rel:  reference
-              text: NIST Special Publication 800-48
-            - 
-              href: #d1b1d689-0f66-4474-9924-c81119758dc1
-              rel:  reference
-              text: NIST Special Publication 800-94
-            - 
-              href: #6f336ecd-f2a0-4c84-9699-0491d81b6e0d
-              rel:  reference
-              text: NIST Special Publication 800-97
-          parts: 
-            - 
-              id:    ac-18_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-18_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions, configuration/connection requirements, and
-                                        implementation guidance for wireless access; and
-                    """
-                - 
-                  id:         ac-18_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes wireless access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              id:    ac-18_gdn
-              name:  guidance
-              prose: 
-                """
-                  Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-                                 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-                                 EAP/TLS, PEAP), which provide credential protection and mutual authentication.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-18_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-18.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-18(a)
-                  prose:      establishes for wireless access:
-                  parts: 
-                    - 
-                      id:         ac-18.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[1]
-                      prose:      usage restrictions;
-                    - 
-                      id:         ac-18.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[2]
-                      prose:      configuration/connection requirement;
-                    - 
-                      id:         ac-18.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[3]
-                      prose:      implementation guidance; and
-                - 
-                  id:         ac-18.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-18(b)
-                  prose: 
-                    """
-                      authorizes wireless access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing wireless access implementation and usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing wireless access
-                                        connections\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Wireless access management capability for the information system
-        - 
-          id:         ac-19
-          class:      SP800-53
-          title:      Access Control for Mobile Devices
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-19
-            - 
-              name:  sort-id
-              value: ac-19
-          links: 
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-            - 
-              href: #1201fcf3-afb1-4675-915a-fb4ae0435717
-              rel:  reference
-              text: NIST Special Publication 800-114
-            - 
-              href: #0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589
-              rel:  reference
-              text: NIST Special Publication 800-124
-            - 
-              href: #6513e480-fada-4876-abba-1397084dfb26
-              rel:  reference
-              text: NIST Special Publication 800-164
-          parts: 
-            - 
-              id:    ac-19_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-19_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions, configuration requirements, connection
-                                        requirements, and implementation guidance for organization-controlled mobile
-                                        devices; and
-                    """
-                - 
-                  id:         ac-19_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes the connection of mobile devices to organizational information
-                                        systems.
-                    """
-            - 
-              id:    ac-19_gdn
-              name:  guidance
-              prose: 
-                """
-                  A mobile device is a computing device that: (i) has a small form factor such that it
-                                 can easily be carried by a single individual; (ii) is designed to operate without a
-                                 physical connection (e.g., wirelessly transmit or receive information); (iii)
-                                 possesses local, non-removable or removable data storage; and (iv) includes a
-                                 self-contained power source. Mobile devices may also include voice communication
-                                 capabilities, on-board sensors that allow the device to capture information, and/or
-                                 built-in features for synchronizing local data with remote locations. Examples
-                                 include smart phones, E-readers, and tablets. Mobile devices are typically associated
-                                 with a single individual and the device is usually in close proximity to the
-                                 individual; however, the degree of proximity can vary depending upon on the form
-                                 factor and size of the device. The processing, storage, and transmission capability
-                                 of the mobile device may be comparable to or merely a subset of desktop systems,
-                                 depending upon the nature and intended purpose of the device. Due to the large
-                                 variety of mobile devices with different technical characteristics and capabilities,
-                                 organizational restrictions may vary for the different classes/types of such devices.
-                                 Usage restrictions and specific implementation guidance for mobile devices include,
-                                 for example, configuration management, device identification and authentication,
-                                 implementation of mandatory protective software (e.g., malicious code detection,
-                                 firewall), scanning devices for malicious code, updating virus protection software,
-                                 scanning for critical software updates and patches, conducting primary operating
-                                 system (and possibly other resident software) integrity checks, and disabling
-                                 unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-                                 need to provide adequate security for mobile devices goes beyond the requirements in
-                                 this control. Many safeguards and countermeasures for mobile devices are reflected in
-                                 other security controls in the catalog allocated in the initial control baselines as
-                                 starting points for the development of security plans and overlays using the
-                                 tailoring process. There may also be some degree of overlap in the requirements
-                                 articulated by the security controls within the different families of controls. AC-20
-                                 addresses mobile devices that are not organization-controlled.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-9
-                  rel:  related
-                  text: CA-9
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-43
-                  rel:  related
-                  text: SC-43
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-19_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-19.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-19(a)
-                  prose:      establishes for organization-controlled mobile devices:
-                  parts: 
-                    - 
-                      id:         ac-19.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[1]
-                      prose:      usage restrictions;
-                    - 
-                      id:         ac-19.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[2]
-                      prose:      configuration/connection requirement;
-                    - 
-                      id:         ac-19.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[3]
-                      prose:      implementation guidance; and
-                - 
-                  id:         ac-19.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-19(b)
-                  prose: 
-                    """
-                      authorizes the connection of mobile devices to organizational information
-                                        systems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing access control for mobile device usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information
-                                        systems\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel using mobile devices to access organizational information
-                                        systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control capability authorizing mobile device connections to organizational
-                                        information systems
-                    """
-        - 
-          id:         ac-20
-          class:      SP800-53
-          title:      Use of External Information Systems
-          properties: 
-            - 
-              name:  label
-              value: AC-20
-            - 
-              name:  sort-id
-              value: ac-20
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-          parts: 
-            - 
-              id:    ac-20_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes terms and conditions, consistent with any trust
-                                 relationships established with other organizations owning, operating, and/or
-                                 maintaining external information systems, allowing authorized individuals to:
-                """
-              parts: 
-                - 
-                  id:         ac-20_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Access the information system from external information systems; and
-                - 
-                  id:         ac-20_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Process, store, or transmit organization-controlled information using external
-                                        information systems.
-                    """
-            - 
-              id:    ac-20_gdn
-              name:  guidance
-              prose: 
-                """
-                  External information systems are information systems or components of information
-                                 systems that are outside of the authorization boundary established by organizations
-                                 and for which organizations typically have no direct supervision and authority over
-                                 the application of required security controls or the assessment of control
-                                 effectiveness. External information systems include, for example: (i) personally
-                                 owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-                                 personal digital assistants); (ii) privately owned computing and communications
-                                 devices resident in commercial or public facilities (e.g., hotels, train stations,
-                                 convention centers, shopping malls, or airports); (iii) information systems owned or
-                                 controlled by nonfederal governmental organizations; and (iv) federal information
-                                 systems that are not owned by, operated by, or under the direct supervision and
-                                 authority of organizations. This control also addresses the use of external
-                                 information systems for the processing, storage, or transmission of organizational
-                                 information, including, for example, accessing cloud services (e.g., infrastructure
-                                 as a service, platform as a service, or software as a service) from organizational
-                                 information systems. For some external information systems (i.e., information systems
-                                 operated by other federal agencies, including organizations subordinate to those
-                                 agencies), the trust relationships that have been established between those
-                                 organizations and the originating organization may be such, that no explicit terms
-                                 and conditions are required. Information systems within these organizations would not
-                                 be considered external. These situations occur when, for example, there are
-                                 pre-existing sharing/trust agreements (either implicit or explicit) established
-                                 between federal agencies or organizations subordinate to those agencies, or when such
-                                 trust agreements are specified by applicable laws, Executive Orders, directives, or
-                                 policies. Authorized individuals include, for example, organizational personnel,
-                                 contractors, or other individuals with authorized access to organizational
-                                 information systems and over which organizations have the authority to impose rules
-                                 of behavior with regard to system access. Restrictions that organizations impose on
-                                 authorized individuals need not be uniform, as those restrictions may vary depending
-                                 upon the trust relationships between organizations. Therefore, organizations may
-                                 choose to impose different security restrictions on contractors than on state, local,
-                                 or tribal governments. This control does not apply to the use of external information
-                                 systems to access public interfaces to organizational information systems (e.g.,
-                                 individuals accessing federal information through www.usa.gov). Organizations
-                                 establish terms and conditions for the use of external information systems in
-                                 accordance with organizational security policies and procedures. Terms and conditions
-                                 address as a minimum: types of applications that can be accessed on organizational
-                                 information systems from external information systems; and the highest security
-                                 category of information that can be processed, stored, or transmitted on external
-                                 information systems. If terms and conditions with the owners of external information
-                                 systems cannot be established, organizations may impose restrictions on
-                                 organizational personnel using those external systems.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-            - 
-              id:    ac-20_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization establishes terms and conditions, consistent with any
-                                 trust relationships established with other organizations owning, operating, and/or
-                                 maintaining external information systems, allowing authorized individuals to: 
-                """
-              parts: 
-                - 
-                  id:         ac-20.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-20(a)
-                  prose:      access the information system from the external information systems; and
-                - 
-                  id:         ac-20.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-20(b)
-                  prose: 
-                    """
-                      process, store, or transmit organization-controlled information using external
-                                        information systems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted
-                                        on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for defining terms and conditions
-                                        for use of external information systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing terms and conditions on use of external
-                                        information systems
-                    """
-        - 
-          id:         ac-22
-          class:      SP800-53
-          title:      Publicly Accessible Content
-          parameters: 
-            - 
-              id:          ac-22_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least quarterly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-22
-            - 
-              name:  sort-id
-              value: ac-22
-          parts: 
-            - 
-              id:    ac-22_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-22_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Designates individuals authorized to post information onto a publicly accessible
-                                        information system;
-                    """
-                - 
-                  id:         ac-22_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Trains authorized individuals to ensure that publicly accessible information does
-                                        not contain nonpublic information;
-                    """
-                - 
-                  id:         ac-22_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Reviews the proposed content of information prior to posting onto the publicly
-                                        accessible information system to ensure that nonpublic information is not
-                                        included; and
-                    """
-                - 
-                  id:         ac-22_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Reviews the content on the publicly accessible information system for nonpublic
-                                        information {{ ac-22_prm_1 }} and removes such information, if
-                                        discovered.
-                    """
-            - 
-              id:    ac-22_gdn
-              name:  guidance
-              prose: 
-                """
-                  In accordance with federal laws, Executive Orders, directives, policies, regulations,
-                                 standards, and/or guidance, the general public is not authorized access to nonpublic
-                                 information (e.g., information protected under the Privacy Act and proprietary
-                                 information). This control addresses information systems that are controlled by the
-                                 organization and accessible to the general public, typically without identification
-                                 or authentication. The posting of information on non-organization information systems
-                                 is covered by organizational policy.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #au-13
-                  rel:  related
-                  text: AU-13
-            - 
-              id:    ac-22_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ac-22.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-22(a)
-                  prose: 
-                    """
-                      designates individuals authorized to post information onto a publicly accessible
-                                        information system;
-                    """
-                - 
-                  id:         ac-22.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-22(b)
-                  prose: 
-                    """
-                      trains authorized individuals to ensure that publicly accessible information does
-                                        not contain nonpublic information;
-                    """
-                - 
-                  id:         ac-22.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-22(c)
-                  prose: 
-                    """
-                      reviews the proposed content of information prior to posting onto the publicly
-                                        accessible information system to ensure that nonpublic information is not
-                                        included;
-                    """
-                - 
-                  id:         ac-22.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-22(d)
-                  parts: 
-                    - 
-                      id:         ac-22.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-22(d)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the content on the publicly accessible
-                                               information system for nonpublic information;
-                        """
-                    - 
-                      id:         ac-22.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-22(d)[2]
-                      prose: 
-                        """
-                          reviews the content on the publicly accessible information system for nonpublic
-                                               information with the organization-defined frequency; and
-                        """
-                    - 
-                      id:         ac-22.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-22(d)[3]
-                      prose: 
-                        """
-                          removes nonpublic information from the publicly accessible information system,
-                                               if discovered.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational
-                                        information systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing publicly accessible
-                                        information posted on organizational information systems\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing management of publicly accessible content
-    - 
-      id:       at
-      class:    family
-      title:    Awareness and Training
-      controls: 
-        - 
-          id:         at-1
-          class:      SP800-53
-          title:      Security Awareness and Training Policy and Procedures
-          parameters: 
-            - 
-              id:    at-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          at-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          at-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-1
-            - 
-              name:  sort-id
-              value: at-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    at-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         at-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ at-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         at-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security awareness and training policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         at-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security awareness and
-                                               training policy and associated security awareness and training controls;
-                                               and
-                        """
-                - 
-                  id:         at-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         at-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security awareness and training policy {{ at-1_prm_2 }}; and
-                    - 
-                      id:         at-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security awareness and training procedures {{ at-1_prm_3 }}.
-            - 
-              id:    at-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AT
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    at-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-1(a)
-                  parts: 
-                    - 
-                      id:         at-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(a)(1)
-                      parts: 
-                        - 
-                          id:         at-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an security awareness and training policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         at-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         at-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         at-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         at-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         at-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         at-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         at-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         at-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the security awareness and training
-                                                      policy are to be disseminated;
-                            """
-                        - 
-                          id:         at-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the security awareness and training policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         at-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(a)(2)
-                      parts: 
-                        - 
-                          id:         at-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      security awareness and training policy and associated awareness and training
-                                                      controls;
-                            """
-                        - 
-                          id:         at-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         at-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         at-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-1(b)
-                  parts: 
-                    - 
-                      id:         at-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(b)(1)
-                      parts: 
-                        - 
-                          id:         at-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security awareness
-                                                      and training policy;
-                            """
-                        - 
-                          id:         at-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security awareness and training policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         at-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(b)(2)
-                      parts: 
-                        - 
-                          id:         at-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security awareness
-                                                      and training procedures; and
-                            """
-                        - 
-                          id:         at-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security awareness and training procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         at-2
-          class:      SP800-53
-          title:      Security Awareness Training
-          parameters: 
-            - 
-              id:          at-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-2
-            - 
-              name:  sort-id
-              value: at-02
-          links: 
-            - 
-              href: #bb61234b-46c3-4211-8c2b-9869222a720d
-              rel:  reference
-              text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    at-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides basic security awareness training to information system
-                                 users (including managers, senior executives, and contractors):
-                """
-              parts: 
-                - 
-                  id:         at-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      As part of initial training for new users;
-                - 
-                  id:         at-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         at-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ at-2_prm_1 }} thereafter.
-                    """
-            - 
-              id:    at-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the appropriate content of security awareness training and
-                                 security awareness techniques based on the specific organizational requirements and
-                                 the information systems to which personnel have authorized access. The content
-                                 includes a basic understanding of the need for information security and user actions
-                                 to maintain security and to respond to suspected security incidents. The content also
-                                 addresses awareness of the need for operations security. Security awareness
-                                 techniques can include, for example, displaying posters, offering supplies inscribed
-                                 with security reminders, generating email advisories/notices from senior
-                                 organizational officials, displaying logon screen messages, and conducting
-                                 information security awareness events.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #at-4
-                  rel:  related
-                  text: AT-4
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    at-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-2(a)
-                  prose: 
-                    """
-                      provides basic security awareness training to information system users (including
-                                        managers, senior executives, and contractors) as part of initial training for new
-                                        users;
-                    """
-                - 
-                  id:         at-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-2(b)
-                  prose: 
-                    """
-                      provides basic security awareness training to information system users (including
-                                        managers, senior executives, and contractors) when required by information system
-                                        changes; and
-                    """
-                - 
-                  id:         at-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-2(c)
-                  parts: 
-                    - 
-                      id:         at-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher security awareness training
-                                               thereafter to information system users (including managers, senior executives,
-                                               and contractors); and
-                        """
-                    - 
-                      id:         at-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-2(c)[2]
-                      prose: 
-                        """
-                          provides refresher security awareness training to information users (including
-                                               managers, senior executives, and contractors) with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user
-                                        community
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms managing security awareness training
-        - 
-          id:         at-3
-          class:      SP800-53
-          title:      Role-based Security Training
-          parameters: 
-            - 
-              id:          at-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-3
-            - 
-              name:  sort-id
-              value: at-03
-          links: 
-            - 
-              href: #bb61234b-46c3-4211-8c2b-9869222a720d
-              rel:  reference
-              text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    at-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides role-based security training to personnel with assigned
-                                 security roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         at-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Before authorizing access to the information system or performing assigned
-                                        duties;
-                    """
-                - 
-                  id:         at-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         at-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ at-3_prm_1 }} thereafter.
-                    """
-            - 
-              id:    at-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the appropriate content of security training based on the
-                                 assigned roles and responsibilities of individuals and the specific security
-                                 requirements of organizations and the information systems to which personnel have
-                                 authorized access. In addition, organizations provide enterprise architects,
-                                 information system developers, software developers, acquisition/procurement
-                                 officials, information system managers, system/network administrators, personnel
-                                 conducting configuration management and auditing activities, personnel performing
-                                 independent verification and validation activities, security control assessors, and
-                                 other personnel having access to system-level software, adequate security-related
-                                 technical training specifically tailored for their assigned duties. Comprehensive
-                                 role-based training addresses management, operational, and technical roles and
-                                 responsibilities covering physical, personnel, and technical safeguards and
-                                 countermeasures. Such training can include for example, policies, procedures, tools,
-                                 and artifacts for the organizational security roles defined. Organizations also
-                                 provide the training necessary for individuals to carry out their responsibilities
-                                 related to operations and supply chain security within the context of organizational
-                                 information security programs. Role-based security training also applies to
-                                 contractors providing services to federal agencies.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-4
-                  rel:  related
-                  text: AT-4
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sa-16
-                  rel:  related
-                  text: SA-16
-            - 
-              id:    at-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-3(a)
-                  prose: 
-                    """
-                      provides role-based security training to personnel with assigned security roles
-                                        and responsibilities before authorizing access to the information system or
-                                        performing assigned duties;
-                    """
-                - 
-                  id:         at-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-3(b)
-                  prose: 
-                    """
-                      provides role-based security training to personnel with assigned security roles
-                                        and responsibilities when required by information system changes; and
-                    """
-                - 
-                  id:         at-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-3(c)
-                  parts: 
-                    - 
-                      id:         at-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-3(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher role-based security training
-                                               thereafter to personnel with assigned security roles and responsibilities;
-                                               and
-                        """
-                    - 
-                      id:         at-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-3(c)[2]
-                      prose: 
-                        """
-                          provides refresher role-based security training to personnel with assigned
-                                               security roles and responsibilities with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for role-based security
-                                        training\n\norganizational personnel with assigned information system security roles and
-                                        responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms managing role-based security training
-        - 
-          id:         at-4
-          class:      SP800-53
-          title:      Security Training Records
-          parameters: 
-            - 
-              id:          at-4_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: At least one year
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-4
-            - 
-              name:  sort-id
-              value: at-04
-          parts: 
-            - 
-              id:    at-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         at-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Documents and monitors individual information system security training activities
-                                        including basic security awareness training and specific information system
-                                        security training; and
-                    """
-                - 
-                  id:         at-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Retains individual training records for {{ at-4_prm_1 }}.
-            - 
-              id:    at-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Documentation for specialized training may be maintained by individual supervisors at
-                                 the option of the organization.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pm-14
-                  rel:  related
-                  text: PM-14
-            - 
-              id:    at-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-4(a)
-                  parts: 
-                    - 
-                      id:         at-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-4(a)[1]
-                      prose: 
-                        """
-                          documents individual information system security training activities
-                                               including:
-                        """
-                      parts: 
-                        - 
-                          id:         at-4.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[1][a]
-                          prose:      basic security awareness training;
-                        - 
-                          id:         at-4.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[1][b]
-                          prose:      specific role-based information system security training;
-                    - 
-                      id:         at-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-4(a)[2]
-                      prose: 
-                        """
-                          monitors individual information system security training activities
-                                               including:
-                        """
-                      parts: 
-                        - 
-                          id:         at-4.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[2][a]
-                          prose:      basic security awareness training;
-                        - 
-                          id:         at-4.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[2][b]
-                          prose:      specific role-based information system security training;
-                - 
-                  id:         at-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-4(b)
-                  parts: 
-                    - 
-                      id:         at-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-4(b)[1]
-                      prose:      defines a time period to retain individual training records; and
-                    - 
-                      id:         at-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-4(b)[2]
-                      prose: 
-                        """
-                          retains individual training records for the organization-defined time
-                                               period.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security training record retention
-                                        responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting management of security training records
-    - 
-      id:       au
-      class:    family
-      title:    Audit and Accountability
-      controls: 
-        - 
-          id:         au-1
-          class:      SP800-53
-          title:      Audit and Accountability Policy and Procedures
-          parameters: 
-            - 
-              id:    au-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          au-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          au-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-1
-            - 
-              name:  sort-id
-              value: au-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    au-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ au-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         au-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An audit and accountability policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         au-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the audit and accountability
-                                               policy and associated audit and accountability controls; and
-                        """
-                - 
-                  id:         au-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         au-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Audit and accountability policy {{ au-1_prm_2 }}; and
-                    - 
-                      id:         au-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Audit and accountability procedures {{ au-1_prm_3 }}.
-            - 
-              id:    au-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AU
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    au-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-1(a)
-                  parts: 
-                    - 
-                      id:         au-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(a)(1)
-                      parts: 
-                        - 
-                          id:         au-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an audit and accountability policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         au-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         au-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         au-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         au-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         au-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         au-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         au-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         au-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the audit and accountability policy are
-                                                      to be disseminated;
-                            """
-                        - 
-                          id:         au-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the audit and accountability policy to organization-defined
-                                                      personnel or roles;
-                            """
-                    - 
-                      id:         au-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(a)(2)
-                      parts: 
-                        - 
-                          id:         au-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      audit and accountability policy and associated audit and accountability
-                                                      controls;
-                            """
-                        - 
-                          id:         au-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         au-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         au-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-1(b)
-                  parts: 
-                    - 
-                      id:         au-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(b)(1)
-                      parts: 
-                        - 
-                          id:         au-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current audit and
-                                                      accountability policy;
-                            """
-                        - 
-                          id:         au-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current audit and accountability policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         au-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(b)(2)
-                      parts: 
-                        - 
-                          id:         au-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current audit and
-                                                      accountability procedures; and
-                            """
-                        - 
-                          id:         au-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current audit and accountability procedures in
-                                                      accordance with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         au-2
-          class:      SP800-53
-          title:      Audit Events
-          parameters: 
-            - 
-              id:          au-2_prm_1
-              label:       organization-defined auditable events
-              constraints: 
-                - 
-                  detail: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-            - 
-              id:          au-2_prm_2
-              label: 
-                """
-                  organization-defined audited events (the subset of the auditable events defined
-                                 in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-                                 identified event
-                """
-              constraints: 
-                - 
-                  detail: organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-2
-            - 
-              name:  sort-id
-              value: au-02
-          links: 
-            - 
-              href: #672fd561-b92b-4713-b9cf-6c9d9456728b
-              rel:  reference
-              text: NIST Special Publication 800-92
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    au-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines that the information system is capable of auditing the following
-                                        events: {{ au-2_prm_1 }};
-                    """
-                - 
-                  id:         au-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Coordinates the security audit function with other organizational entities
-                                        requiring audit-related information to enhance mutual support and to help guide
-                                        the selection of auditable events;
-                    """
-                - 
-                  id:         au-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides a rationale for why the auditable events are deemed to be adequate to
-                                        support after-the-fact investigations of security incidents; and
-                    """
-                - 
-                  id:         au-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Determines that the following events are to be audited within the information
-                                        system: {{ au-2_prm_2 }}.
-                    """
-                - 
-                  id:    au-2_fr
-                  name:  item
-                  title: AU-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-2_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-            - 
-              id:    au-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  An event is any observable occurrence in an organizational information system.
-                                 Organizations identify audit events as those events which are significant and
-                                 relevant to the security of information systems and the environments in which those
-                                 systems operate in order to meet specific and ongoing audit needs. Audit events can
-                                 include, for example, password changes, failed logons, or failed accesses related to
-                                 information systems, administrative privilege usage, PIV credential usage, or
-                                 third-party credential usage. In determining the set of auditable events,
-                                 organizations consider the auditing appropriate for each of the security controls to
-                                 be implemented. To balance auditing requirements with other information system needs,
-                                 this control also requires identifying that subset of auditable events that are
-                                 audited at a given point in time. For example, organizations may determine that
-                                 information systems must have the capability to log every file access both successful
-                                 and unsuccessful, but not activate that capability except for specific circumstances
-                                 due to the potential burden on system performance. Auditing requirements, including
-                                 the need for auditable events, may be referenced in other security controls and
-                                 control enhancements. Organizations also include auditable events that are required
-                                 by applicable federal laws, Executive Orders, directives, policies, regulations, and
-                                 standards. Audit records can be generated at various levels of abstraction, including
-                                 at the packet level as information traverses the network. Selecting the appropriate
-                                 level of abstraction is a critical aspect of an audit capability and can facilitate
-                                 the identification of root causes to problems. Organizations consider in the
-                                 definition of auditable events, the auditing necessary to cover related events such
-                                 as the steps in distributed, transaction-based processes (e.g., processes that are
-                                 distributed across multiple organizations) and actions that occur in service-oriented
-                                 architectures.
-                """
-              links: 
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    au-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(a)
-                  parts: 
-                    - 
-                      id:         au-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-2(a)[1]
-                      prose: 
-                        """
-                          defines the auditable events that the information system must be capable of
-                                               auditing;
-                        """
-                    - 
-                      id:         au-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-2(a)[2]
-                      prose: 
-                        """
-                          determines that the information system is capable of auditing
-                                               organization-defined auditable events;
-                        """
-                - 
-                  id:         au-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AU-2(b)
-                  prose: 
-                    """
-                      coordinates the security audit function with other organizational entities
-                                        requiring audit-related information to enhance mutual support and to help guide
-                                        the selection of auditable events;
-                    """
-                - 
-                  id:         au-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AU-2(c)
-                  prose: 
-                    """
-                      provides a rationale for why the auditable events are deemed to be adequate to
-                                        support after-the-fact investigations of security incidents;
-                    """
-                - 
-                  id:         au-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(d)
-                  parts: 
-                    - 
-                      id:         au-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-2(d)[1]
-                      prose: 
-                        """
-                          defines the subset of auditable events defined in AU-2a that are to be audited
-                                               within the information system;
-                        """
-                    - 
-                      id:         au-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-2(d)[2]
-                      prose: 
-                        """
-                          determines that the subset of auditable events defined in AU-2a are to be
-                                               audited within the information system; and
-                        """
-                    - 
-                      id:         au-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-2(d)[3]
-                      prose: 
-                        """
-                          determines the frequency of (or situation requiring) auditing for each
-                                               identified event.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing information system auditing
-        - 
-          id:         au-3
-          class:      SP800-53
-          title:      Content of Audit Records
-          properties: 
-            - 
-              name:  label
-              value: AU-3
-            - 
-              name:  sort-id
-              value: au-03
-          parts: 
-            - 
-              id:    au-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system generates audit records containing information that
-                                 establishes what type of event occurred, when the event occurred, where the event
-                                 occurred, the source of the event, the outcome of the event, and the identity of any
-                                 individuals or subjects associated with the event.
-                """
-            - 
-              id:    au-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit record content that may be necessary to satisfy the requirement of this
-                                 control, includes, for example, time stamps, source and destination addresses,
-                                 user/process identifiers, event descriptions, success/fail indications, filenames
-                                 involved, and access control or flow control rules invoked. Event outcomes can
-                                 include indicators of event success or failure and event-specific results (e.g., the
-                                 security state of the information system after the event occurred).
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-8
-                  rel:  related
-                  text: AU-8
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #si-11
-                  rel:  related
-                  text: SI-11
-            - 
-              id:         au-3_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system generates audit records containing information
-                                 that establishes: 
-                """
-              parts: 
-                - 
-                  id:         au-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[1]
-                  prose:      what type of event occurred;
-                - 
-                  id:         au-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[2]
-                  prose:      when the event occurred;
-                - 
-                  id:         au-3_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[3]
-                  prose:      where the event occurred;
-                - 
-                  id:         au-3_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[4]
-                  prose:      the source of the event;
-                - 
-                  id:         au-3_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[5]
-                  prose:      the outcome of the event; and
-                - 
-                  id:         au-3_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[6]
-                  prose:      the identity of any individuals or subjects associated with the event.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing information system auditing of auditable
-                                        events
-                    """
-        - 
-          id:         au-4
-          class:      SP800-53
-          title:      Audit Storage Capacity
-          parameters: 
-            - 
-              id:    au-4_prm_1
-              label: organization-defined audit record storage requirements
-          properties: 
-            - 
-              name:  label
-              value: AU-4
-            - 
-              name:  sort-id
-              value: au-04
-          parts: 
-            - 
-              id:    au-4_smt
-              name:  statement
-              prose: The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}.
-            - 
-              id:    au-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations consider the types of auditing to be performed and the audit processing
-                                 requirements when allocating audit storage capacity. Allocating sufficient audit
-                                 storage capacity reduces the likelihood of such capacity being exceeded and resulting
-                                 in the potential loss or reduction of auditing capability.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-11
-                  rel:  related
-                  text: AU-11
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    au-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-4_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-4[1]
-                  prose:      defines audit record storage requirements; and
-                - 
-                  id:         au-4_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-4[2]
-                  prose: 
-                    """
-                      allocates audit record storage capacity in accordance with the
-                                        organization-defined audit record storage requirements.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit record storage capacity and related configuration settings
-        - 
-          id:         au-5
-          class:      SP800-53
-          title:      Response to Audit Processing Failures
-          parameters: 
-            - 
-              id:    au-5_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          au-5_prm_2
-              label: 
-                """
-                  organization-defined actions to be taken (e.g., shut down information system,
-                                 overwrite oldest audit records, stop generating audit records)
-                """
-              constraints: 
-                - 
-                  detail: organization-defined actions to be taken (overwrite oldest record)
-          properties: 
-            - 
-              name:  label
-              value: AU-5
-            - 
-              name:  sort-id
-              value: au-05
-          parts: 
-            - 
-              id:    au-5_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Alerts {{ au-5_prm_1 }} in the event of an audit processing
-                                        failure; and
-                    """
-                - 
-                  id:         au-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Takes the following additional actions: {{ au-5_prm_2 }}.
-            - 
-              id:    au-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit processing failures include, for example, software/hardware errors, failures in
-                                 the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-                                 Organizations may choose to define additional actions for different audit processing
-                                 failures (e.g., by type, by location, by severity, or a combination of such factors).
-                                 This control applies to each audit data storage repository (i.e., distinct
-                                 information system component where audit records are stored), the total audit storage
-                                 capacity of organizations (i.e., all audit data storage repositories combined), or
-                                 both.
-                """
-              links: 
-                - 
-                  href: #au-4
-                  rel:  related
-                  text: AU-4
-                - 
-                  href: #si-12
-                  rel:  related
-                  text: SI-12
-            - 
-              id:    au-5_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-5(a)
-                  parts: 
-                    - 
-                      id:         au-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(a)[1]
-                      prose: 
-                        """
-                          the organization defines the personnel or roles to be alerted in the event of
-                                               an audit processing failure;
-                        """
-                    - 
-                      id:         au-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-5(a)[2]
-                      prose: 
-                        """
-                          the information system alerts the organization-defined personnel or roles in
-                                               the event of an audit processing failure;
-                        """
-                - 
-                  id:         au-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-5(b)
-                  parts: 
-                    - 
-                      id:         au-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(b)[1]
-                      prose: 
-                        """
-                          the organization defines additional actions to be taken (e.g., shutdown
-                                               information system, overwrite oldest audit records, stop generating audit
-                                               records) in the event of an audit processing failure; and
-                        """
-                    - 
-                      id:         au-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-5(b)[2]
-                      prose: 
-                        """
-                          the information system takes the additional organization-defined actions in the
-                                               event of an audit processing failure.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing information system response to audit processing
-                                        failures
-                    """
-        - 
-          id:         au-6
-          class:      SP800-53
-          title:      Audit Review, Analysis, and Reporting
-          parameters: 
-            - 
-              id:          au-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least weekly
-            - 
-              id:    au-6_prm_2
-              label: organization-defined inappropriate or unusual activity
-            - 
-              id:    au-6_prm_3
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-6
-            - 
-              name:  sort-id
-              value: au-06
-          parts: 
-            - 
-              id:    au-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};
-                                        and
-                    """
-                - 
-                  id:         au-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reports findings to {{ au-6_prm_3 }}.
-                - 
-                  id:    au-6_fr
-                  name:  item
-                  title: AU-6 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-            - 
-              id:    au-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit review, analysis, and reporting covers information security-related auditing
-                                 performed by organizations including, for example, auditing that results from
-                                 monitoring of account usage, remote access, wireless connectivity, mobile device
-                                 connection, configuration settings, system component inventory, use of maintenance
-                                 tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-                                 delivery and removal, communications at the information system boundaries, use of
-                                 mobile code, and use of VoIP. Findings can be reported to organizational entities
-                                 that include, for example, incident response team, help desk, information security
-                                 group/department. If organizations are prohibited from reviewing and analyzing audit
-                                 information or unable to conduct such activities (e.g., in certain national security
-                                 applications or systems), the review/analysis may be carried out by other
-                                 organizations granted such authority.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-16
-                  rel:  related
-                  text: AU-16
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-10
-                  rel:  related
-                  text: CM-10
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ir-5
-                  rel:  related
-                  text: IR-5
-                - 
-                  href: #ir-6
-                  rel:  related
-                  text: IR-6
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #pe-14
-                  rel:  related
-                  text: PE-14
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-18
-                  rel:  related
-                  text: SC-18
-                - 
-                  href: #sc-19
-                  rel:  related
-                  text: SC-19
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    au-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-6(a)
-                  parts: 
-                    - 
-                      id:         au-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(a)[1]
-                      prose: 
-                        """
-                          defines the types of inappropriate or unusual activity to look for when
-                                               information system audit records are reviewed and analyzed;
-                        """
-                    - 
-                      id:         au-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(a)[2]
-                      prose: 
-                        """
-                          defines the frequency to review and analyze information system audit records
-                                               for indications of organization-defined inappropriate or unusual activity;
-                        """
-                    - 
-                      id:         au-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-6(a)[3]
-                      prose: 
-                        """
-                          reviews and analyzes information system audit records for indications of
-                                               organization-defined inappropriate or unusual activity with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         au-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-6(b)
-                  parts: 
-                    - 
-                      id:         au-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom findings resulting from reviews and analysis
-                                               of information system audit records are to be reported; and
-                        """
-                    - 
-                      id:         au-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-6(b)[2]
-                      prose:      reports findings to organization-defined personnel or roles.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with audit review, analysis, and reporting
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         au-8
-          class:      SP800-53
-          title:      Time Stamps
-          parameters: 
-            - 
-              id:    au-8_prm_1
-              label: organization-defined granularity of time measurement
-          properties: 
-            - 
-              name:  label
-              value: AU-8
-            - 
-              name:  sort-id
-              value: au-08
-          parts: 
-            - 
-              id:    au-8_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Uses internal system clocks to generate time stamps for audit records; and
-                - 
-                  id:         au-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Records time stamps for audit records that can be mapped to Coordinated Universal
-                                        Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}.
-                    """
-            - 
-              id:    au-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Time stamps generated by the information system include date and time. Time is
-                                 commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-                                 Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-                                 measurements refers to the degree of synchronization between information system
-                                 clocks and reference clocks, for example, clocks synchronizing within hundreds of
-                                 milliseconds or within tens of milliseconds. Organizations may define different time
-                                 granularities for different system components. Time service can also be critical to
-                                 other security capabilities such as access control and identification and
-                                 authentication, depending on the nature of the mechanisms used to support those
-                                 capabilities.
-                """
-              links: 
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-            - 
-              id:    au-8_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-8(a)
-                  prose: 
-                    """
-                      the information system uses internal system clocks to generate time stamps for
-                                        audit records;
-                    """
-                - 
-                  id:         au-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-8(b)
-                  parts: 
-                    - 
-                      id:         au-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-8(b)[1]
-                      prose: 
-                        """
-                          the information system records time stamps for audit records that can be mapped
-                                               to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);
-                        """
-                    - 
-                      id:         au-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-8(b)[2]
-                      prose: 
-                        """
-                          the organization defines the granularity of time measurement to be met when
-                                               recording time stamps for audit records; and
-                        """
-                    - 
-                      id:         au-8.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-8(b)[3]
-                      prose: 
-                        """
-                          the organization records time stamps for audit records that meet the
-                                               organization-defined granularity of time measurement.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing time stamp generation
-        - 
-          id:         au-9
-          class:      SP800-53
-          title:      Protection of Audit Information
-          properties: 
-            - 
-              name:  label
-              value: AU-9
-            - 
-              name:  sort-id
-              value: au-09
-          parts: 
-            - 
-              id:    au-9_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects audit information and audit tools from unauthorized
-                                 access, modification, and deletion.
-                """
-            - 
-              id:    au-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit information includes all information (e.g., audit records, audit settings, and
-                                 audit reports) needed to successfully audit information system activity. This control
-                                 focuses on technical protection of audit information. Physical protection of audit
-                                 information is addressed by media protection controls and physical and environmental
-                                 protection controls.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-            - 
-              id:    au-9_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         au-9_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-9[1]
-                  prose:      the information system protects audit information from unauthorized:
-                  parts: 
-                    - 
-                      id:         au-9_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][a]
-                      prose:      access;
-                    - 
-                      id:         au-9_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][b]
-                      prose:      modification;
-                    - 
-                      id:         au-9_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][c]
-                      prose:      deletion;
-                - 
-                  id:         au-9_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-9[2]
-                  prose:      the information system protects audit tools from unauthorized:
-                  parts: 
-                    - 
-                      id:         au-9_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][a]
-                      prose:      access;
-                    - 
-                      id:         au-9_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][b]
-                      prose:      modification; and
-                    - 
-                      id:         au-9_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][c]
-                      prose:      deletion.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation,
-                                        information system audit records\n\naudit tools\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing audit information protection
-        - 
-          id:         au-11
-          class:      SP800-53
-          title:      Audit Record Retention
-          parameters: 
-            - 
-              id:          au-11_prm_1
-              label:       organization-defined time period consistent with records retention policy
-              constraints: 
-                - 
-                  detail: at least ninety days
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-11
-            - 
-              name:  sort-id
-              value: au-11
-          parts: 
-            - 
-              id:    au-11_smt
-              name:  statement
-              prose: 
-                """
-                  The organization retains audit records for {{ au-11_prm_1 }} to
-                                 provide support for after-the-fact investigations of security incidents and to meet
-                                 regulatory and organizational information retention requirements.
-                """
-              parts: 
-                - 
-                  id:    au-11_fr
-                  name:  item
-                  title: AU-11 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-11_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-            - 
-              id:    au-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations retain audit records until it is determined that they are no longer
-                                 needed for administrative, legal, audit, or other operational purposes. This
-                                 includes, for example, retention and availability of audit records relative to
-                                 Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-                                 Organizations develop standard categories of audit records relative to such types of
-                                 actions and standard response processes for each type of action. The National
-                                 Archives and Records Administration (NARA) General Records Schedules provide federal
-                                 policy on record retention.
-                """
-              links: 
-                - 
-                  href: #au-4
-                  rel:  related
-                  text: AU-4
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-            - 
-              id:    au-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-11_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-11[1]
-                  prose: 
-                    """
-                      defines a time period to retain audit records that is consistent with records
-                                        retention policy;
-                    """
-                - 
-                  id:         au-11_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AU-11[2]
-                  prose: 
-                    """
-                      retains audit records for the organization-defined time period consistent with
-                                        records retention policy to:
-                    """
-                  parts: 
-                    - 
-                      id:         au-11_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-11[2][a]
-                      prose: 
-                        """
-                          provide support for after-the-fact investigations of security incidents;
-                                               and
-                        """
-                    - 
-                      id:         au-11_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-11[2][b]
-                      prose:      meet regulatory and organizational information retention requirements.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-        - 
-          id:         au-12
-          class:      SP800-53
-          title:      Audit Generation
-          parameters: 
-            - 
-              id:          au-12_prm_1
-              label:       organization-defined information system components
-              constraints: 
-                - 
-                  detail: all information system and network components where audit capability is deployed/available
-            - 
-              id:    au-12_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: AU-12
-            - 
-              name:  sort-id
-              value: au-12
-          parts: 
-            - 
-              id:    au-12_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-12_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides audit record generation capability for the auditable events defined in
-                                        AU-2 a. at {{ au-12_prm_1 }};
-                    """
-                - 
-                  id:         au-12_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Allows {{ au-12_prm_2 }} to select which auditable events are to be
-                                        audited by specific components of the information system; and
-                    """
-                - 
-                  id:         au-12_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Generates audit records for the events defined in AU-2 d. with the content defined
-                                        in AU-3.
-                    """
-            - 
-              id:    au-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit records can be generated from many different information system components. The
-                                 list of audited events is the set of events for which audits are to be generated.
-                                 These events are typically a subset of all events for which the information system is
-                                 capable of generating audit records.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-            - 
-              id:    au-12_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-12.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(a)
-                  parts: 
-                    - 
-                      id:         au-12.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(a)[1]
-                      prose: 
-                        """
-                          the organization defines the information system components which are to provide
-                                               audit record generation capability for the auditable events defined in
-                                               AU-2a;
-                        """
-                    - 
-                      id:         au-12.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-12(a)[2]
-                      prose: 
-                        """
-                          the information system provides audit record generation capability, for the
-                                               auditable events defined in AU-2a, at organization-defined information system
-                                               components;
-                        """
-                - 
-                  id:         au-12.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(b)
-                  parts: 
-                    - 
-                      id:         au-12.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(b)[1]
-                      prose: 
-                        """
-                          the organization defines the personnel or roles allowed to select which
-                                               auditable events are to be audited by specific components of the information
-                                               system;
-                        """
-                    - 
-                      id:         au-12.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-12(b)[2]
-                      prose: 
-                        """
-                          the information system allows the organization-defined personnel or roles to
-                                               select which auditable events are to be audited by specific components of the
-                                               system; and
-                        """
-                - 
-                  id:         au-12.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-12(c)
-                  prose: 
-                    """
-                      the information system generates audit records for the events defined in AU-2d
-                                        with the content in defined in AU-3.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing audit record generation capability
-    - 
-      id:       ca
-      class:    family
-      title:    Security Assessment and Authorization
-      controls: 
-        - 
-          id:         ca-1
-          class:      SP800-53
-          title:      Security Assessment and Authorization Policy and Procedures
-          parameters: 
-            - 
-              id:    ca-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ca-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ca-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-1
-            - 
-              name:  sort-id
-              value: ca-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ca-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ca-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ca-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security assessment and authorization policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         ca-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security assessment and
-                                               authorization policy and associated security assessment and authorization
-                                               controls; and
-                        """
-                - 
-                  id:         ca-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ca-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Security assessment and authorization policy {{ ca-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         ca-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security assessment and authorization procedures {{ ca-1_prm_3 }}.
-            - 
-              id:    ca-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ca-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-1(a)
-                  parts: 
-                    - 
-                      id:         ca-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ca-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a security assessment and authorization policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         ca-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ca-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ca-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ca-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ca-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ca-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ca-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ca-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the security assessment and authorization
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         ca-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the security assessment and authorization policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         ca-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ca-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      security assessment and authorization policy and associated assessment and
-                                                      authorization controls;
-                            """
-                        - 
-                          id:         ca-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ca-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ca-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-1(b)
-                  parts: 
-                    - 
-                      id:         ca-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ca-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security assessment
-                                                      and authorization policy;
-                            """
-                        - 
-                          id:         ca-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security assessment and authorization policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         ca-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ca-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security assessment
-                                                      and authorization procedures; and
-                            """
-                        - 
-                          id:         ca-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security assessment and authorization
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security assessment and authorization
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ca-2
-          class:      SP800-53
-          title:      Security Assessments
-          parameters: 
-            - 
-              id:          ca-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ca-2_prm_2
-              label:       organization-defined individuals or roles
-              constraints: 
-                - 
-                  detail: individuals or roles to include FedRAMP PMO
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-2
-            - 
-              name:  sort-id
-              value: ca-02
-          links: 
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    ca-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops a security assessment plan that describes the scope of the assessment
-                                        including:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security controls and control enhancements under assessment;
-                    - 
-                      id:         ca-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Assessment procedures to be used to determine security control effectiveness;
-                                               and
-                        """
-                    - 
-                      id:         ca-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Assessment environment, assessment team, and assessment roles and
-                                               responsibilities;
-                        """
-                - 
-                  id:         ca-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Assesses the security controls in the information system and its environment of
-                                        operation {{ ca-2_prm_1 }} to determine the extent to which the
-                                        controls are implemented correctly, operating as intended, and producing the
-                                        desired outcome with respect to meeting established security requirements;
-                    """
-                - 
-                  id:         ca-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Produces a security assessment report that documents the results of the
-                                        assessment; and
-                    """
-                - 
-                  id:         ca-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Provides the results of the security control assessment to {{ ca-2_prm_2 }}.
-                - 
-                  id:    ca-2_fr
-                  name:  item
-                  title: CA-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-2_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations assess security controls in organizational information systems and the
-                                 environments in which those systems operate as part of: (i) initial and ongoing
-                                 security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-                                 and (iv) system development life cycle activities. Security assessments: (i) ensure
-                                 that information security is built into organizational information systems; (ii)
-                                 identify weaknesses and deficiencies early in the development process; (iii) provide
-                                 essential information needed to make risk-based decisions as part of security
-                                 authorization processes; and (iv) ensure compliance to vulnerability mitigation
-                                 procedures. Assessments are conducted on the implemented security controls from
-                                 Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-                                 in System Security Plans and Information Security Program Plans. Organizations can
-                                 use other types of assessment activities such as vulnerability scanning and system
-                                 monitoring to maintain the security posture of information systems during the entire
-                                 life cycle. Security assessment reports document assessment results in sufficient
-                                 detail as deemed necessary by organizations, to determine the accuracy and
-                                 completeness of the reports and whether the security controls are implemented
-                                 correctly, operating as intended, and producing the desired outcome with respect to
-                                 meeting security requirements. The FISMA requirement for assessing security controls
-                                 at least annually does not require additional assessment activities to those
-                                 activities already in place in organizational security authorization processes.
-                                 Security assessment results are provided to the individuals or roles appropriate for
-                                 the types of assessments being conducted. For example, assessments conducted in
-                                 support of security authorization decisions are provided to authorizing officials or
-                                 authorizing official designated representatives. To satisfy annual assessment
-                                 requirements, organizations can use assessment results from the following sources:
-                                 (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-                                 or (iii) system development life cycle activities. Organizations ensure that security
-                                 assessment results are current, relevant to the determination of security control
-                                 effectiveness, and obtained with the appropriate level of assessor independence.
-                                 Existing security control assessment results can be reused to the extent that the
-                                 results are still valid and can also be supplemented with additional assessments as
-                                 needed. Subsequent to initial authorizations and in accordance with OMB policy,
-                                 organizations assess security controls during continuous monitoring. Organizations
-                                 establish the frequency for ongoing security control assessments in accordance with
-                                 organizational continuous monitoring strategies. Information Assurance Vulnerability
-                                 Alerts provide useful examples of vulnerability mitigation procedures. External
-                                 audits (e.g., audits by external entities such as regulatory agencies) are outside
-                                 the scope of this control.
-                """
-              links: 
-                - 
-                  href: #ca-5
-                  rel:  related
-                  text: CA-5
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-2(a)
-                  prose: 
-                    """
-                      develops a security assessment plan that describes the scope of the assessment
-                                        including:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(1)
-                      prose:      security controls and control enhancements under assessment;
-                    - 
-                      id:         ca-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(2)
-                      prose: 
-                        """
-                          assessment procedures to be used to determine security control
-                                               effectiveness;
-                        """
-                    - 
-                      id:         ca-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(3)
-                      parts: 
-                        - 
-                          id:         ca-2.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[1]
-                          prose:      assessment environment;
-                        - 
-                          id:         ca-2.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[2]
-                          prose:      assessment team;
-                        - 
-                          id:         ca-2.a.3_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[3]
-                          prose:      assessment roles and responsibilities;
-                - 
-                  id:         ca-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(b)
-                  parts: 
-                    - 
-                      id:         ca-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to assess the security controls in the information system
-                                               and its environment of operation;
-                        """
-                    - 
-                      id:         ca-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-2(b)[2]
-                      prose: 
-                        """
-                          assesses the security controls in the information system with the
-                                               organization-defined frequency to determine the extent to which the controls
-                                               are implemented correctly, operating as intended, and producing the desired
-                                               outcome with respect to meeting established security requirements;
-                        """
-                - 
-                  id:         ca-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CA-2(c)
-                  prose: 
-                    """
-                      produces a security assessment report that documents the results of the
-                                        assessment;
-                    """
-                - 
-                  id:         ca-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(d)
-                  parts: 
-                    - 
-                      id:         ca-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(d)[1]
-                      prose: 
-                        """
-                          defines individuals or roles to whom the results of the security control
-                                               assessment are to be provided; and
-                        """
-                    - 
-                      id:         ca-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-2(d)[2]
-                      prose: 
-                        """
-                          provides the results of the security control assessment to organization-defined
-                                               individuals or roles.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting security assessment, security assessment plan
-                                        development, and/or security assessment reporting
-                    """
-          controls: 
-            - 
-              id:         ca-2.1
-              class:      SP800-53-enhancement
-              title:      Independent Assessors
-              parameters: 
-                - 
-                  id:    ca-2.1_prm_1
-                  label: organization-defined level of independence
-              properties: 
-                - 
-                  name:  label
-                  value: CA-2(1)
-                - 
-                  name:  sort-id
-                  value: ca-02.01
-              parts: 
-                - 
-                  id:    ca-2.1_smt
-                  name:  statement
-                  prose: The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.
-                  parts: 
-                    - 
-                      id:    ca-2.1_fr
-                      name:  item
-                      title: CA-2 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-2.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-                - 
-                  id:    ca-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Independent assessors or assessment teams are individuals or groups who conduct
-                                        impartial assessments of organizational information systems. Impartiality implies
-                                        that assessors are free from any perceived or actual conflicts of interest with
-                                        regard to the development, operation, or management of the organizational
-                                        information systems under assessment or to the determination of security control
-                                        effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                                        or conflicting interest with the organizations where the assessments are being
-                                        conducted; (ii) assess their own work; (iii) act as management or employees of the
-                                        organizations they are serving; or (iv) place themselves in positions of advocacy
-                                        for the organizations acquiring their services. Independent assessments can be
-                                        obtained from elements within organizations or can be contracted to public or
-                                        private sector entities outside of organizations. Authorizing officials determine
-                                        the required level of independence based on the security categories of information
-                                        systems and/or the ultimate risk to organizational operations, organizational
-                                        assets, or individuals. Authorizing officials also determine if the level of
-                                        assessor independence provides sufficient assurance that the results are sound and
-                                        can be used to make credible, risk-based decisions. This includes determining
-                                        whether contracted security assessment services have sufficient independence, for
-                                        example, when information system owners are not directly involved in contracting
-                                        processes or cannot unduly influence the impartiality of assessors conducting
-                                        assessments. In special situations, for example, when organizations that own the
-                                        information systems are small or organizational structures require that
-                                        assessments are conducted by individuals that are in the developmental,
-                                        operational, or management chain of system owners, independence in assessment
-                                        processes can be achieved by ensuring that assessment results are carefully
-                                        reviewed and analyzed by independent teams of experts to validate the
-                                        completeness, accuracy, integrity, and reliability of the results. Organizations
-                                        recognize that assessments performed for purposes other than direct support to
-                                        authorization decisions are, when performed by assessors with sufficient
-                                        independence, more likely to be useable for such decisions, thereby reducing the
-                                        need to repeat assessments.
-                    """
-                - 
-                  id:    ca-2.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-2.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(1)[1]
-                      prose: 
-                        """
-                          defines the level of independence to be employed to conduct security control
-                                               assessments; and
-                        """
-                    - 
-                      id:         ca-2.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-2(1)[2]
-                      prose: 
-                        """
-                          employs assessors or assessment teams with the organization-defined level of
-                                               independence to conduct security control assessments.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity authorization package (including security plan, security assessment
-                                               plan, security assessment report, plan of action and milestones, authorization
-                                               statement)\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ca-3
-          class:      SP800-53
-          title:      System Interconnections
-          parameters: 
-            - 
-              id:          ca-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually and on input from FedRAMP
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-3
-            - 
-              name:  sort-id
-              value: ca-03
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #2711f068-734e-4afd-94ba-0b22247fbc88
-              rel:  reference
-              text: NIST Special Publication 800-47
-          parts: 
-            - 
-              id:    ca-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Authorizes connections from the information system to other information systems
-                                        through the use of Interconnection Security Agreements;
-                    """
-                - 
-                  id:         ca-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents, for each interconnection, the interface characteristics, security
-                                        requirements, and the nature of the information communicated; and
-                    """
-                - 
-                  id:         ca-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}.
-            - 
-              id:    ca-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to dedicated connections between information systems (i.e.,
-                                 system interconnections) and does not apply to transitory, user-controlled
-                                 connections such as email and website browsing. Organizations carefully consider the
-                                 risks that may be introduced when information systems are connected to other systems
-                                 with different security requirements and security controls, both within organizations
-                                 and external to organizations. Authorizing officials determine the risk associated
-                                 with information system connections and the appropriate controls employed. If
-                                 interconnecting systems have the same authorizing official, organizations do not need
-                                 to develop Interconnection Security Agreements. Instead, organizations can describe
-                                 the interface characteristics between those interconnecting systems in their
-                                 respective security plans. If interconnecting systems have different authorizing
-                                 officials within the same organization, organizations can either develop
-                                 Interconnection Security Agreements or describe the interface characteristics between
-                                 systems in the security plans for the respective systems. Organizations may also
-                                 incorporate Interconnection Security Agreement information into formal contracts,
-                                 especially for interconnections established between federal agencies and nonfederal
-                                 (i.e., private sector) organizations. Risk considerations also include information
-                                 systems sharing the same networks. For certain technologies (e.g., space, unmanned
-                                 aerial vehicles, and medical devices), there may be specialized connections in place
-                                 during preoperational testing. Such connections may require Interconnection Security
-                                 Agreements and be subject to additional security controls.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #au-16
-                  rel:  related
-                  text: AU-16
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CA-3(a)
-                  prose: 
-                    """
-                      authorizes connections from the information system to other information systems
-                                        through the use of Interconnection Security Agreements;
-                    """
-                - 
-                  id:         ca-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-3(b)
-                  prose:      documents, for each interconnection:
-                  parts: 
-                    - 
-                      id:         ca-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[1]
-                      prose:      the interface characteristics;
-                    - 
-                      id:         ca-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[2]
-                      prose:      the security requirements;
-                    - 
-                      id:         ca-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[3]
-                      prose:      the nature of the information communicated;
-                - 
-                  id:         ca-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-3(c)
-                  parts: 
-                    - 
-                      id:         ca-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-3(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update Interconnection Security Agreements;
-                                               and
-                        """
-                    - 
-                      id:         ca-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-3(c)[2]
-                      prose: 
-                        """
-                          reviews and updates Interconnection Security Agreements with the
-                                               organization-defined frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for developing, implementing, or
-                                        approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement
-                                        applies
-                    """
-        - 
-          id:         ca-5
-          class:      SP800-53
-          title:      Plan of Action and Milestones
-          parameters: 
-            - 
-              id:          ca-5_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-5
-            - 
-              name:  sort-id
-              value: ca-05
-          links: 
-            - 
-              href: #2c5884cd-7b96-425c-862a-99877e1cf909
-              rel:  reference
-              text: OMB Memorandum 02-01
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-          parts: 
-            - 
-              id:    ca-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops a plan of action and milestones for the information system to document
-                                        the organization’s planned remedial actions to correct weaknesses or deficiencies
-                                        noted during the assessment of the security controls and to reduce or eliminate
-                                        known vulnerabilities in the system; and
-                    """
-                - 
-                  id:         ca-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates existing plan of action and milestones {{ ca-5_prm_1 }}
-                                        based on the findings from security controls assessments, security impact
-                                        analyses, and continuous monitoring activities.
-                    """
-                - 
-                  id:    ca-5_fr
-                  name:  item
-                  title: CA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-5_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Plan of Action & Milestones (POA&M) must be provided at least monthly.
-                    - 
-                      id:         ca-5_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Plans of action and milestones are key documents in security authorization packages
-                                 and are subject to federal reporting requirements established by OMB.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #pm-4
-                  rel:  related
-                  text: PM-4
-            - 
-              id:    ca-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CA-5(a)
-                  prose:      develops a plan of action and milestones for the information system to:
-                  parts: 
-                    - 
-                      id:         ca-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(a)[1]
-                      prose: 
-                        """
-                          document the organization’s planned remedial actions to correct weaknesses or
-                                               deficiencies noted during the assessment of the security controls;
-                        """
-                    - 
-                      id:         ca-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(a)[2]
-                      prose:      reduce or eliminate known vulnerabilities in the system;
-                - 
-                  id:         ca-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-5(b)
-                  parts: 
-                    - 
-                      id:         ca-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-5(b)[1]
-                      prose:      defines the frequency to update the existing plan of action and milestones;
-                    - 
-                      id:         ca-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-5(b)[2]
-                      prose: 
-                        """
-                          updates the existing plan of action and milestones with the
-                                               organization-defined frequency based on the findings from:
-                        """
-                      parts: 
-                        - 
-                          id:         ca-5.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][a]
-                          prose:      security controls assessments;
-                        - 
-                          id:         ca-5.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][b]
-                          prose:      security impact analyses; and
-                        - 
-                          id:         ca-5.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][c]
-                          prose:      continuous monitoring activities.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with plan of action and milestones development and
-                                        implementation responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms for developing, implementing, and maintaining plan of action
-                                        and milestones
-                    """
-        - 
-          id:         ca-6
-          class:      SP800-53
-          title:      Security Authorization
-          parameters: 
-            - 
-              id:          ca-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three years or when a significant change occurs
-          properties: 
-            - 
-              name:  label
-              value: CA-6
-            - 
-              name:  sort-id
-              value: ca-06
-          links: 
-            - 
-              href: #9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab
-              rel:  reference
-              text: OMB Circular A-130
-            - 
-              href: #bedb15b7-ec5c-4a68-807f-385125751fcd
-              rel:  reference
-              text: OMB Memorandum 11-33
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    ca-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Assigns a senior-level executive or manager as the authorizing official for the
-                                        information system;
-                    """
-                - 
-                  id:         ca-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that the authorizing official authorizes the information system for
-                                        processing before commencing operations; and
-                    """
-                - 
-                  id:         ca-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Updates the security authorization {{ ca-6_prm_1 }}.
-                - 
-                  id:    ca-6_fr
-                  name:  item
-                  title: CA-6(c) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-6_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-            - 
-              id:    ca-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security authorizations are official management decisions, conveyed through
-                                 authorization decision documents, by senior organizational officials or executives
-                                 (i.e., authorizing officials) to authorize operation of information systems and to
-                                 explicitly accept the risk to organizational operations and assets, individuals,
-                                 other organizations, and the Nation based on the implementation of agreed-upon
-                                 security controls. Authorizing officials provide budgetary oversight for
-                                 organizational information systems or assume responsibility for the mission/business
-                                 operations supported by those systems. The security authorization process is an
-                                 inherently federal responsibility and therefore, authorizing officials must be
-                                 federal employees. Through the security authorization process, authorizing officials
-                                 assume responsibility and are accountable for security risks associated with the
-                                 operation and use of organizational information systems. Accordingly, authorizing
-                                 officials are in positions with levels of authority commensurate with understanding
-                                 and accepting such information security-related risks. OMB policy requires that
-                                 organizations conduct ongoing authorizations of information systems by implementing
-                                 continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-                                 reauthorization requirements, so separate reauthorization processes are not
-                                 necessary. Through the employment of comprehensive continuous monitoring processes,
-                                 critical information contained in authorization packages (i.e., security plans,
-                                 security assessment reports, and plans of action and milestones) is updated on an
-                                 ongoing basis, providing authorizing officials and information system owners with an
-                                 up-to-date status of the security state of organizational information systems and
-                                 environments of operation. To reduce the administrative cost of security
-                                 reauthorization, authorizing officials use the results of continuous monitoring
-                                 processes to the maximum extent possible as the basis for rendering reauthorization
-                                 decisions.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #pm-10
-                  rel:  related
-                  text: PM-10
-            - 
-              id:    ca-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-6(a)
-                  prose: 
-                    """
-                      assigns a senior-level executive or manager as the authorizing official for the
-                                        information system;
-                    """
-                - 
-                  id:         ca-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CA-6(b)
-                  prose: 
-                    """
-                      ensures that the authorizing official authorizes the information system for
-                                        processing before commencing operations;
-                    """
-                - 
-                  id:         ca-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-6(c)
-                  parts: 
-                    - 
-                      id:         ca-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-6(c)[1]
-                      prose:      defines the frequency to update the security authorization; and
-                    - 
-                      id:         ca-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-6(c)[2]
-                      prose:      updates the security authorization with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms that facilitate security authorizations and updates
-        - 
-          id:         ca-7
-          class:      SP800-53
-          title:      Continuous Monitoring
-          parameters: 
-            - 
-              id:    ca-7_prm_1
-              label: organization-defined metrics
-            - 
-              id:    ca-7_prm_2
-              label: organization-defined frequencies
-            - 
-              id:    ca-7_prm_3
-              label: organization-defined frequencies
-            - 
-              id:          ca-7_prm_4
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: to meet Federal and FedRAMP requirements (See additional guidance)
-            - 
-              id:          ca-7_prm_5
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: to meet Federal and FedRAMP requirements (See additional guidance)
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-7
-            - 
-              name:  sort-id
-              value: ca-07
-          links: 
-            - 
-              href: #bedb15b7-ec5c-4a68-807f-385125751fcd
-              rel:  reference
-              text: OMB Memorandum 11-33
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-            - 
-              href: #8ade2fbe-e468-4ca8-9a40-54d7f23c32bb
-              rel:  reference
-              text: US-CERT Technical Cyber Security Alerts
-            - 
-              href: #2d8b14e9-c8b5-4d3d-8bdc-155078f3281b
-              rel:  reference
-              text: DoD Information Assurance Vulnerability Alerts
-          parts: 
-            - 
-              id:    ca-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops a continuous monitoring strategy and implements a
-                                 continuous monitoring program that includes:
-                """
-              parts: 
-                - 
-                  id:         ca-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Establishment of {{ ca-7_prm_1 }} to be monitored;
-                - 
-                  id:         ca-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;
-                - 
-                  id:         ca-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ongoing security control assessments in accordance with the organizational
-                                        continuous monitoring strategy;
-                    """
-                - 
-                  id:         ca-7_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Ongoing security status monitoring of organization-defined metrics in accordance
-                                        with the organizational continuous monitoring strategy;
-                    """
-                - 
-                  id:         ca-7_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Correlation and analysis of security-related information generated by assessments
-                                        and monitoring;
-                    """
-                - 
-                  id:         ca-7_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Response actions to address results of the analysis of security-related
-                                        information; and
-                    """
-                - 
-                  id:         ca-7_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Reporting the security status of organization and the information system to
-                                           {{ ca-7_prm_4 }}
-                                        {{ ca-7_prm_5 }}.
-                    """
-                - 
-                  id:    ca-7_fr
-                  name:  item
-                  title: CA-7 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-7_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-                    - 
-                      id:         ca-7_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-                    - 
-                      id:         ca-7_fr_gdn.2
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Continuous monitoring programs facilitate ongoing awareness of threats,
-                                 vulnerabilities, and information security to support organizational risk management
-                                 decisions. The terms continuous and ongoing imply that organizations assess/analyze
-                                 security controls and information security-related risks at a frequency sufficient to
-                                 support organizational risk-based decisions. The results of continuous monitoring
-                                 programs generate appropriate risk response actions by organizations. Continuous
-                                 monitoring programs also allow organizations to maintain the security authorizations
-                                 of information systems and common controls over time in highly dynamic environments
-                                 of operation with changing mission/business needs, threats, vulnerabilities, and
-                                 technologies. Having access to security-related information on a continuing basis
-                                 through reports/dashboards gives organizational officials the capability to make more
-                                 effective and timely risk management decisions, including ongoing security
-                                 authorization decisions. Automation supports more frequent updates to security
-                                 authorization packages, hardware/software/firmware inventories, and other system
-                                 information. Effectiveness is further enhanced when continuous monitoring outputs are
-                                 formatted to provide information that is specific, measurable, actionable, relevant,
-                                 and timely. Continuous monitoring activities are scaled in accordance with the
-                                 security categories of information systems.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-5
-                  rel:  related
-                  text: CA-5
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #pm-6
-                  rel:  related
-                  text: PM-6
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ca-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(a)
-                  parts: 
-                    - 
-                      id:         ca-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(a)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines metrics to be
-                                               monitored;
-                        """
-                    - 
-                      id:         ca-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(a)[2]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes monitoring of
-                                               organization-defined metrics;
-                        """
-                    - 
-                      id:         ca-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(a)[3]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes monitoring of
-                                               organization-defined metrics in accordance with the organizational continuous
-                                               monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(b)
-                  parts: 
-                    - 
-                      id:         ca-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines frequencies for
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[2]
-                      prose:      defines frequencies for assessments supporting monitoring;
-                    - 
-                      id:         ca-7.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[3]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes establishment of the
-                                               organization-defined frequencies for monitoring and for assessments supporting
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(b)[4]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes establishment of
-                                               organization-defined frequencies for monitoring and for assessments supporting
-                                               such monitoring in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(c)
-                  parts: 
-                    - 
-                      id:         ca-7.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(c)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes ongoing security
-                                               control assessments;
-                        """
-                    - 
-                      id:         ca-7.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(c)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes ongoing security
-                                               control assessments in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(d)
-                  parts: 
-                    - 
-                      id:         ca-7.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(d)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes ongoing security status
-                                               monitoring of organization-defined metrics;
-                        """
-                    - 
-                      id:         ca-7.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(d)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes ongoing security
-                                               status monitoring of organization-defined metrics in accordance with the
-                                               organizational continuous monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(e)
-                  parts: 
-                    - 
-                      id:         ca-7.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(e)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes correlation and
-                                               analysis of security-related information generated by assessments and
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(e)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes correlation and
-                                               analysis of security-related information generated by assessments and
-                                               monitoring in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(f)
-                  parts: 
-                    - 
-                      id:         ca-7.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(f)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes response actions to
-                                               address results of the analysis of security-related information;
-                        """
-                    - 
-                      id:         ca-7.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(f)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes response actions to
-                                               address results of the analysis of security-related information in accordance
-                                               with the organizational continuous monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(g)
-                  parts: 
-                    - 
-                      id:         ca-7.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines the personnel or roles
-                                               to whom the security status of the organization and information system are to
-                                               be reported;
-                        """
-                    - 
-                      id:         ca-7.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[2]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines the frequency to report
-                                               the security status of the organization and information system to
-                                               organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         ca-7.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[3]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes reporting the security
-                                               status of the organization or information system to organizational-defined
-                                               personnel or roles with the organization-defined frequency; and
-                        """
-                    - 
-                      id:         ca-7.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(g)[4]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes reporting the security
-                                               status of the organization and information system to organization-defined
-                                               personnel or roles with the organization-defined frequency in accordance with
-                                               the organizational continuous monitoring strategy.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security
-                                        controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Mechanisms implementing continuous monitoring
-        - 
-          id:         ca-9
-          class:      SP800-53
-          title:      Internal System Connections
-          parameters: 
-            - 
-              id:    ca-9_prm_1
-              label: 
-                """
-                  organization-defined information system components or classes of
-                                 components
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-9
-            - 
-              name:  sort-id
-              value: ca-09
-          parts: 
-            - 
-              id:    ca-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Authorizes internal connections of {{ ca-9_prm_1 }} to the
-                                        information system; and
-                    """
-                - 
-                  id:         ca-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents, for each internal connection, the interface characteristics, security
-                                        requirements, and the nature of the information communicated.
-                    """
-            - 
-              id:    ca-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to connections between organizational information systems and
-                                 (separate) constituent system components (i.e., intra-system connections) including,
-                                 for example, system connections with mobile devices, notebook/desktop computers,
-                                 printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-                                 authorizing each individual internal connection, organizations can authorize internal
-                                 connections for a class of components with common characteristics and/or
-                                 configurations, for example, all digital printers, scanners, and copiers with a
-                                 specified processing, storage, and transmission capability or all smart phones with a
-                                 specific baseline configuration.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-9_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-9(a)
-                  parts: 
-                    - 
-                      id:         ca-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-9(a)[1]
-                      prose: 
-                        """
-                          defines information system components or classes of components to be authorized
-                                               as internal connections to the information system;
-                        """
-                    - 
-                      id:         ca-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-9(a)[2]
-                      prose: 
-                        """
-                          authorizes internal connections of organization-defined information system
-                                               components or classes of components to the information system;
-                        """
-                - 
-                  id:         ca-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-9(b)
-                  prose:      documents, for each internal connection:
-                  parts: 
-                    - 
-                      id:         ca-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[1]
-                      prose:      the interface characteristics;
-                    - 
-                      id:         ca-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[2]
-                      prose:      the security requirements; and
-                    - 
-                      id:         ca-9.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[3]
-                      prose:      the nature of the information communicated.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system
-                                        connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for developing, implementing, or
-                                        authorizing internal system connections\n\norganizational personnel with information security responsibilities
-                    """
-    - 
-      id:       cm
-      class:    family
-      title:    Configuration Management
-      controls: 
-        - 
-          id:         cm-1
-          class:      SP800-53
-          title:      Configuration Management Policy and Procedures
-          parameters: 
-            - 
-              id:    cm-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          cm-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          cm-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-1
-            - 
-              name:  sort-id
-              value: cm-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    cm-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ cm-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         cm-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A configuration management policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         cm-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the configuration management
-                                               policy and associated configuration management controls; and
-                        """
-                - 
-                  id:         cm-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         cm-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Configuration management policy {{ cm-1_prm_2 }}; and
-                    - 
-                      id:         cm-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Configuration management procedures {{ cm-1_prm_3 }}.
-            - 
-              id:    cm-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CM
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    cm-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-1(a)
-                  parts: 
-                    - 
-                      id:         cm-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-1(a)(1)
-                      parts: 
-                        - 
-                          id:         cm-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[1]
-                          prose:      develops and documents a configuration management policy that addresses:
-                          parts: 
-                            - 
-                              id:         cm-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         cm-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         cm-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         cm-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         cm-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         cm-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         cm-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         cm-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the configuration management policy is to
-                                                      be disseminated;
-                            """
-                        - 
-                          id:         cm-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the configuration management policy to organization-defined
-                                                      personnel or roles;
-                            """
-                    - 
-                      id:         cm-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(a)(2)
-                      parts: 
-                        - 
-                          id:         cm-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      configuration management policy and associated configuration management
-                                                      controls;
-                            """
-                        - 
-                          id:         cm-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         cm-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         cm-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-1(b)
-                  parts: 
-                    - 
-                      id:         cm-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(b)(1)
-                      parts: 
-                        - 
-                          id:         cm-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current configuration
-                                                      management policy;
-                            """
-                        - 
-                          id:         cm-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current configuration management policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         cm-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(b)(2)
-                      parts: 
-                        - 
-                          id:         cm-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current configuration
-                                                      management procedures; and
-                            """
-                        - 
-                          id:         cm-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current configuration management procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-        - 
-          id:         cm-2
-          class:      SP800-53
-          title:      Baseline Configuration
-          properties: 
-            - 
-              name:  label
-              value: CM-2
-            - 
-              name:  sort-id
-              value: cm-02
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops, documents, and maintains under configuration control, a
-                                 current baseline configuration of the information system.
-                """
-            - 
-              id:    cm-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control establishes baseline configurations for information systems and system
-                                 components including communications and connectivity-related aspects of systems.
-                                 Baseline configurations are documented, formally reviewed and agreed-upon sets of
-                                 specifications for information systems or configuration items within those systems.
-                                 Baseline configurations serve as a basis for future builds, releases, and/or changes
-                                 to information systems. Baseline configurations include information about information
-                                 system components (e.g., standard software packages installed on workstations,
-                                 notebook computers, servers, network components, or mobile devices; current version
-                                 numbers and patch information on operating systems and applications; and
-                                 configuration settings/parameters), network topology, and the logical placement of
-                                 those components within the system architecture. Maintaining baseline configurations
-                                 requires creating new baselines as organizational information systems change over
-                                 time. Baseline configurations of information systems reflect the current enterprise
-                                 architecture.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #pm-5
-                  rel:  related
-                  text: PM-5
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-            - 
-              id:    cm-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-2_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CM-2[1]
-                  prose: 
-                    """
-                      develops and documents a current baseline configuration of the information system;
-                                        and
-                    """
-                - 
-                  id:         cm-2_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-2[2]
-                  prose: 
-                    """
-                      maintains, under configuration control, a current baseline configuration of the
-                                        information system.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline
-                                        configuration
-                    """
-        - 
-          id:         cm-4
-          class:      SP800-53
-          title:      Security Impact Analysis
-          properties: 
-            - 
-              name:  label
-              value: CM-4
-            - 
-              name:  sort-id
-              value: cm-04
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization analyzes changes to the information system to determine potential
-                                 security impacts prior to change implementation.
-                """
-            - 
-              id:    cm-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational personnel with information security responsibilities (e.g.,
-                                 Information System Administrators, Information System Security Officers, Information
-                                 System Security Managers, and Information System Security Engineers) conduct security
-                                 impact analyses. Individuals conducting security impact analyses possess the
-                                 necessary skills/technical expertise to analyze the changes to information systems
-                                 and the associated security ramifications. Security impact analysis may include, for
-                                 example, reviewing security plans to understand security control requirements and
-                                 reviewing system design documentation to understand control implementation and how
-                                 specific changes might affect the controls. Security impact analyses may also include
-                                 assessments of risk to better understand the impact of the changes and to determine
-                                 if additional security controls are required. Security impact analyses are scaled in
-                                 accordance with the security categories of the information systems.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    cm-4_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization analyzes changes to the information system to determine
-                                 potential security impacts prior to change implementation.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information
-                                        system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for conducting security impact
-                                        analysis\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security impact analysis
-        - 
-          id:         cm-6
-          class:      SP800-53
-          title:      Configuration Settings
-          parameters: 
-            - 
-              id:          cm-6_prm_1
-              label:       organization-defined security configuration checklists
-              constraints: 
-                - 
-                  detail: United States Government Configuration Baseline (USGCB)
-            - 
-              id:    cm-6_prm_2
-              label: organization-defined information system components
-            - 
-              id:    cm-6_prm_3
-              label: organization-defined operational requirements
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-6
-            - 
-              name:  sort-id
-              value: cm-06
-          links: 
-            - 
-              href: #990268bf-f4a9-4c81-91ae-dc7d3115f4b1
-              rel:  reference
-              text: OMB Memorandum 07-11
-            - 
-              href: #0b3d8ba9-051f-498d-81ea-97f0f018c612
-              rel:  reference
-              text: OMB Memorandum 07-18
-            - 
-              href: #0916ef02-3618-411b-a525-565c088849a6
-              rel:  reference
-              text: OMB Memorandum 08-22
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-            - 
-              href: #e95dd121-2733-413e-bf1e-f1eb49f20a98
-              rel:  reference
-              text: http://checklists.nist.gov
-            - 
-              href: #647b6de3-81d0-4d22-bec1-5f1333e34380
-              rel:  reference
-              text: http://www.nsa.gov
-          parts: 
-            - 
-              id:    cm-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and documents configuration settings for information technology
-                                        products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with
-                                        operational requirements;
-                    """
-                - 
-                  id:         cm-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Implements the configuration settings;
-                - 
-                  id:         cm-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Identifies, documents, and approves any deviations from established configuration
-                                        settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and
-                    """
-                - 
-                  id:         cm-6_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Monitors and controls changes to the configuration settings in accordance with
-                                        organizational policies and procedures.
-                    """
-                - 
-                  id:    cm-6_fr
-                  name:  item
-                  title: CM-6(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement 1:
-                      prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. 
-                    - 
-                      id:         cm-6_fr_smt.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement 2:
-                      prose:      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available).
-                    - 
-                      id:         cm-6_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline).
-            - 
-              id:    cm-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Configuration settings are the set of parameters that can be changed in hardware,
-                                 software, or firmware components of the information system that affect the security
-                                 posture and/or functionality of the system. Information technology products for which
-                                 security-related configuration settings can be defined include, for example,
-                                 mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-                                 proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-                                 copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-                                 and data switches, wireless access points, network appliances, sensors), operating
-                                 systems, middleware, and applications. Security-related parameters are those
-                                 parameters impacting the security state of information systems including the
-                                 parameters required to satisfy other security control requirements. Security-related
-                                 parameters include, for example: (i) registry settings; (ii) account, file, directory
-                                 permission settings; and (iii) settings for functions, ports, protocols, services,
-                                 and remote connections. Organizations establish organization-wide configuration
-                                 settings and subsequently derive specific settings for information systems. The
-                                 established settings become part of the systems configuration baseline. Common secure
-                                 configurations (also referred to as security configuration checklists, lockdown and
-                                 hardening guides, security reference guides, security technical implementation
-                                 guides) provide recognized, standardized, and established benchmarks that stipulate
-                                 secure configuration settings for specific information technology platforms/products
-                                 and instructions for configuring those information system components to meet
-                                 operational requirements. Common secure configurations can be developed by a variety
-                                 of organizations including, for example, information technology product developers,
-                                 manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-                                 organizations in the public and private sectors. Common secure configurations include
-                                 the United States Government Configuration Baseline (USGCB) which affects the
-                                 implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-                                 Content Automation Protocol (SCAP) and the defined standards within the protocol
-                                 (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-                                 identify, track, and control configuration settings. OMB establishes federal policy
-                                 on configuration requirements for federal information systems.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    cm-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(a)
-                  parts: 
-                    - 
-                      id:         cm-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(a)[1]
-                      prose: 
-                        """
-                          defines security configuration checklists to be used to establish and document
-                                               configuration settings for the information technology products employed;
-                        """
-                    - 
-                      id:         cm-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CM-6(a)[2]
-                      prose: 
-                        """
-                          ensures the defined security configuration checklists reflect the most
-                                               restrictive mode consistent with operational requirements;
-                        """
-                    - 
-                      id:         cm-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(a)[3]
-                      prose: 
-                        """
-                          establishes and documents configuration settings for information technology
-                                               products employed within the information system using organization-defined
-                                               security configuration checklists;
-                        """
-                - 
-                  id:         cm-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-6(b)
-                  prose:      implements the configuration settings established/documented in CM-6(a);;
-                - 
-                  id:         cm-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(c)
-                  parts: 
-                    - 
-                      id:         cm-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[1]
-                      prose: 
-                        """
-                          defines information system components for which any deviations from established
-                                               configuration settings must be:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-6.c_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][a]
-                          prose:      identified;
-                        - 
-                          id:         cm-6.c_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][b]
-                          prose:      documented;
-                        - 
-                          id:         cm-6.c_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][c]
-                          prose:      approved;
-                    - 
-                      id:         cm-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[2]
-                      prose:      defines operational requirements to support:
-                      parts: 
-                        - 
-                          id:         cm-6.c_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][a]
-                          prose: 
-                            """
-                              the identification of any deviations from established configuration
-                                                      settings;
-                            """
-                        - 
-                          id:         cm-6.c_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][b]
-                          prose: 
-                            """
-                              the documentation of any deviations from established configuration
-                                                      settings;
-                            """
-                        - 
-                          id:         cm-6.c_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][c]
-                          prose:      the approval of any deviations from established configuration settings;
-                    - 
-                      id:         cm-6.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(c)[3]
-                      prose: 
-                        """
-                          identifies any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                    - 
-                      id:         cm-6.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[4]
-                      prose: 
-                        """
-                          documents any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                    - 
-                      id:         cm-6.c_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(c)[5]
-                      prose: 
-                        """
-                          approves any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                - 
-                  id:         cm-6.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(d)
-                  parts: 
-                    - 
-                      id:         cm-6.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(d)[1]
-                      prose: 
-                        """
-                          monitors changes to the configuration settings in accordance with
-                                               organizational policies and procedures; and
-                        """
-                    - 
-                      id:         cm-6.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(d)[2]
-                      prose: 
-                        """
-                          controls changes to the configuration settings in accordance with
-                                               organizational policies and procedures.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration
-                                        settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security configuration management
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and/or control information system
-                                        configuration settings\n\nautomated mechanisms that identify and/or document deviations from established
-                                        configuration settings
-                    """
-        - 
-          id:         cm-7
-          class:      SP800-53
-          title:      Least Functionality
-          parameters: 
-            - 
-              id:          cm-7_prm_1
-              label: 
-                """
-                  organization-defined prohibited or restricted functions, ports, protocols, and/or
-                                 services
-                """
-              constraints: 
-                - 
-                  detail: United States Government Configuration Baseline (USGCB)
-          properties: 
-            - 
-              name:  label
-              value: CM-7
-            - 
-              name:  sort-id
-              value: cm-07
-          links: 
-            - 
-              href: #e42b2099-3e1c-415b-952c-61c96533c12e
-              rel:  reference
-              text: DoD Instruction 8551.01
-          parts: 
-            - 
-              id:    cm-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Configures the information system to provide only essential capabilities; and
-                - 
-                  id:         cm-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Prohibits or restricts the use of the following functions, ports, protocols,
-                                        and/or services: {{ cm-7_prm_1 }}.
-                    """
-                - 
-                  id:    cm-7_fr
-                  name:  item
-                  title: CM-7 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-7_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-                    - 
-                      id:         cm-7_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc)
-                          							Partially derived from AC-17(8).
-                        """
-            - 
-              id:    cm-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems can provide a wide variety of functions and services. Some of the
-                                 functions and services, provided by default, may not be necessary to support
-                                 essential organizational operations (e.g., key missions, functions). Additionally, it
-                                 is sometimes convenient to provide multiple services from single information system
-                                 components, but doing so increases risk over limiting the services provided by any
-                                 one component. Where feasible, organizations limit component functionality to a
-                                 single function per device (e.g., email servers or web servers, but not both).
-                                 Organizations review functions and services provided by information systems or
-                                 individual components of information systems, to determine which functions and
-                                 services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-                                 Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-                                 or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-                                 Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-                                 prevent unauthorized connection of devices, unauthorized transfer of information, or
-                                 unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-                                 detection and prevention systems, and end-point protections such as firewalls and
-                                 host-based intrusion detection systems to identify and prevent the use of prohibited
-                                 functions, ports, protocols, and services.
-                """
-              links: 
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    cm-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-7(a)
-                  prose:      configures the information system to provide only essential capabilities;
-                - 
-                  id:         cm-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-7(b)
-                  parts: 
-                    - 
-                      id:         cm-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-7(b)[1]
-                      prose:      defines prohibited or restricted:
-                      parts: 
-                        - 
-                          id:         cm-7.b_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][a]
-                          prose:      functions;
-                        - 
-                          id:         cm-7.b_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][b]
-                          prose:      ports;
-                        - 
-                          id:         cm-7.b_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][c]
-                          prose:      protocols; and/or
-                        - 
-                          id:         cm-7.b_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][d]
-                          prose:      services;
-                    - 
-                      id:         cm-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-7(b)[2]
-                      prose:      prohibits or restricts the use of organization-defined:
-                      parts: 
-                        - 
-                          id:         cm-7.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][a]
-                          prose:      functions;
-                        - 
-                          id:         cm-7.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][b]
-                          prose:      ports;
-                        - 
-                          id:         cm-7.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][c]
-                          prose:      protocols; and/or
-                        - 
-                          id:         cm-7.b_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][d]
-                          prose:      services.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security configuration management
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes prohibiting or restricting functions, ports, protocols,
-                                        and/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports,
-                                        protocols, and/or services
-                    """
-        - 
-          id:         cm-8
-          class:      SP800-53
-          title:      Information System Component Inventory
-          parameters: 
-            - 
-              id:    cm-8_prm_1
-              label: 
-                """
-                  organization-defined information deemed necessary to achieve effective
-                                 information system component accountability
-                """
-            - 
-              id:          cm-8_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-8
-            - 
-              name:  sort-id
-              value: cm-08
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops and documents an inventory of information system components that:
-                  parts: 
-                    - 
-                      id:         cm-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Accurately reflects the current information system;
-                    - 
-                      id:         cm-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Includes all components within the authorization boundary of the information
-                                               system;
-                        """
-                    - 
-                      id:         cm-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Is at the level of granularity deemed necessary for tracking and reporting;
-                                               and
-                        """
-                    - 
-                      id:         cm-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose:      Includes {{ cm-8_prm_1 }}; and
-                - 
-                  id:         cm-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the information system component inventory {{ cm-8_prm_2 }}.
-                - 
-                  id:    cm-8_fr
-                  name:  item
-                  title: CM-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-8_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Must be provided at least monthly or when there is a change.
-            - 
-              id:    cm-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations may choose to implement centralized information system component
-                                 inventories that include components from all organizational information systems. In
-                                 such situations, organizations ensure that the resulting inventories include
-                                 system-specific information required for proper component accountability (e.g.,
-                                 information system association, information system owner). Information deemed
-                                 necessary for effective accountability of information system components includes, for
-                                 example, hardware inventory specifications, software license information, software
-                                 version numbers, component owners, and for networked components or devices, machine
-                                 names and network addresses. Inventory specifications include, for example,
-                                 manufacturer, device type, model, serial number, and physical location.
-                """
-              links: 
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pm-5
-                  rel:  related
-                  text: PM-5
-            - 
-              id:    cm-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-8(a)
-                  parts: 
-                    - 
-                      id:         cm-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(1)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that
-                                               accurately reflects the current information system;
-                        """
-                    - 
-                      id:         cm-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(2)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that
-                                               includes all components within the authorization boundary of the information
-                                               system;
-                        """
-                    - 
-                      id:         cm-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(3)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that is at
-                                               the level of granularity deemed necessary for tracking and reporting;
-                        """
-                    - 
-                      id:         cm-8.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(a)(4)
-                      parts: 
-                        - 
-                          id:         cm-8.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(a)(4)[1]
-                          prose: 
-                            """
-                              defines the information deemed necessary to achieve effective information
-                                                      system component accountability;
-                            """
-                        - 
-                          id:         cm-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(a)(4)[2]
-                          prose: 
-                            """
-                              develops and documents an inventory of information system components that
-                                                      includes organization-defined information deemed necessary to achieve
-                                                      effective information system component accountability;
-                            """
-                - 
-                  id:         cm-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-8(b)
-                  parts: 
-                    - 
-                      id:         cm-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update the information system component
-                                               inventory; and
-                        """
-                    - 
-                      id:         cm-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-8(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the information system component inventory with the
-                                               organization-defined frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system component
-                                        inventory\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for developing and documenting an inventory of
-                                        information system components\n\nautomated mechanisms supporting and/or implementing the information system
-                                        component inventory
-                    """
-        - 
-          id:         cm-10
-          class:      SP800-53
-          title:      Software Usage Restrictions
-          properties: 
-            - 
-              name:  label
-              value: CM-10
-            - 
-              name:  sort-id
-              value: cm-10
-          parts: 
-            - 
-              id:    cm-10_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-10_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Uses software and associated documentation in accordance with contract agreements
-                                        and copyright laws;
-                    """
-                - 
-                  id:         cm-10_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Tracks the use of software and associated documentation protected by quantity
-                                        licenses to control copying and distribution; and
-                    """
-                - 
-                  id:         cm-10_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Controls and documents the use of peer-to-peer file sharing technology to ensure
-                                        that this capability is not used for the unauthorized distribution, display,
-                                        performance, or reproduction of copyrighted work.
-                    """
-            - 
-              id:    cm-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Software license tracking can be accomplished by manual methods (e.g., simple
-                                 spreadsheets) or automated methods (e.g., specialized tracking applications)
-                                 depending on organizational needs.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    cm-10_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-10.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-10(a)
-                  prose: 
-                    """
-                      uses software and associated documentation in accordance with contract agreements
-                                        and copyright laws;
-                    """
-                - 
-                  id:         cm-10.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-10(b)
-                  prose: 
-                    """
-                      tracks the use of software and associated documentation protected by quantity
-                                        licenses to control copying and distribution; and
-                    """
-                - 
-                  id:         cm-10.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-10(c)
-                  prose: 
-                    """
-                      controls and documents the use of peer-to-peer file sharing technology to ensure
-                                        that this capability is not used for the unauthorized distribution, display,
-                                        performance, or reproduction of copyrighted work.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\norganizational personnel with software license management responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for tracking the use of software protected by quantity
-                                        licenses\n\norganization process for controlling/documenting the use of peer-to-peer file
-                                        sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files
-                                        sharing technology
-                    """
-        - 
-          id:         cm-11
-          class:      SP800-53
-          title:      User-installed Software
-          parameters: 
-            - 
-              id:    cm-11_prm_1
-              label: organization-defined policies
-            - 
-              id:    cm-11_prm_2
-              label: organization-defined methods
-            - 
-              id:          cm-11_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: Continuously (via CM-7 (5))
-          properties: 
-            - 
-              name:  label
-              value: CM-11
-            - 
-              name:  sort-id
-              value: cm-11
-          parts: 
-            - 
-              id:    cm-11_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes {{ cm-11_prm_1 }} governing the installation of
-                                        software by users;
-                    """
-                - 
-                  id:         cm-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Enforces software installation policies through {{ cm-11_prm_2 }};
-                                        and
-                    """
-                - 
-                  id:         cm-11_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Monitors policy compliance at {{ cm-11_prm_3 }}.
-            - 
-              id:    cm-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  If provided the necessary privileges, users have the ability to install software in
-                                 organizational information systems. To maintain control over the types of software
-                                 installed, organizations identify permitted and prohibited actions regarding software
-                                 installation. Permitted software installations may include, for example, updates and
-                                 security patches to existing software and downloading applications from
-                                 organization-approved “app stores” Prohibited software installations may include, for
-                                 example, software with unknown or suspect pedigrees or software that organizations
-                                 consider potentially malicious. The policies organizations select governing
-                                 user-installed software may be organization-developed or provided by some external
-                                 entity. Policy enforcement methods include procedural methods (e.g., periodic
-                                 examination of user accounts), automated methods (e.g., configuration settings
-                                 implemented on organizational information systems), or both.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    cm-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(a)
-                  parts: 
-                    - 
-                      id:         cm-11.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(a)[1]
-                      prose:      defines policies to govern the installation of software by users;
-                    - 
-                      id:         cm-11.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(a)[2]
-                      prose: 
-                        """
-                          establishes organization-defined policies governing the installation of
-                                               software by users;
-                        """
-                - 
-                  id:         cm-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(b)
-                  parts: 
-                    - 
-                      id:         cm-11.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(b)[1]
-                      prose:      defines methods to enforce software installation policies;
-                    - 
-                      id:         cm-11.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-11(b)[2]
-                      prose: 
-                        """
-                          enforces software installation policies through organization-defined
-                                               methods;
-                        """
-                - 
-                  id:         cm-11.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(c)
-                  parts: 
-                    - 
-                      id:         cm-11.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(c)[1]
-                      prose:      defines frequency to monitor policy compliance; and
-                    - 
-                      id:         cm-11.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-11(c)[2]
-                      prose:      monitors policy compliance at organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for governing user-installed
-                                        software\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\norganizational personnel monitoring compliance with user-installed software
-                                        policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes governing user-installed software on the information
-                                        system\n\nautomated mechanisms enforcing rules/methods for governing the installation of
-                                        software by users\n\nautomated mechanisms monitoring policy compliance
-                    """
-    - 
-      id:       cp
-      class:    family
-      title:    Contingency Planning
-      controls: 
-        - 
-          id:         cp-1
-          class:      SP800-53
-          title:      Contingency Planning Policy and Procedures
-          parameters: 
-            - 
-              id:    cp-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          cp-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          cp-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-1
-            - 
-              name:  sort-id
-              value: cp-01
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    cp-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ cp-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         cp-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A contingency planning policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         cp-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the contingency planning policy
-                                               and associated contingency planning controls; and
-                        """
-                - 
-                  id:         cp-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         cp-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Contingency planning policy {{ cp-1_prm_2 }}; and
-                    - 
-                      id:         cp-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Contingency planning procedures {{ cp-1_prm_3 }}.
-            - 
-              id:    cp-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CP
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    cp-1_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         cp-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-1(a)
-                  parts: 
-                    - 
-                      id:         cp-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(a)(1)
-                      parts: 
-                        - 
-                          id:         cp-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[1]
-                          prose: 
-                            """
-                              the organization develops and documents a contingency planning policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         cp-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         cp-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         cp-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         cp-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         cp-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         cp-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         cp-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         cp-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[2]
-                          prose: 
-                            """
-                              the organization defines personnel or roles to whom the contingency planning
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         cp-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[3]
-                          prose: 
-                            """
-                              the organization disseminates the contingency planning policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         cp-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(a)(2)
-                      parts: 
-                        - 
-                          id:         cp-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[1]
-                          prose: 
-                            """
-                              the organization develops and documents procedures to facilitate the
-                                                      implementation of the contingency planning policy and associated contingency
-                                                      planning controls;
-                            """
-                        - 
-                          id:         cp-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[2]
-                          prose: 
-                            """
-                              the organization defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         cp-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[3]
-                          prose: 
-                            """
-                              the organization disseminates the procedures to organization-defined
-                                                      personnel or roles;
-                            """
-                - 
-                  id:         cp-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-1(b)
-                  parts: 
-                    - 
-                      id:         cp-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(b)(1)
-                      parts: 
-                        - 
-                          id:         cp-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(1)[1]
-                          prose: 
-                            """
-                              the organization defines the frequency to review and update the current
-                                                      contingency planning policy;
-                            """
-                        - 
-                          id:         cp-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(1)[2]
-                          prose: 
-                            """
-                              the organization reviews and updates the current contingency planning with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         cp-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(b)(2)
-                      parts: 
-                        - 
-                          id:         cp-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(2)[1]
-                          prose: 
-                            """
-                              the organization defines the frequency to review and update the current
-                                                      contingency planning procedures; and
-                            """
-                        - 
-                          id:         cp-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(2)[2]
-                          prose: 
-                            """
-                              the organization reviews and updates the current contingency planning
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         cp-2
-          class:      SP800-53
-          title:      Contingency Plan
-          parameters: 
-            - 
-              id:    cp-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    cp-2_prm_2
-              label: 
-                """
-                  organization-defined key contingency personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-            - 
-              id:          cp-2_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:    cp-2_prm_4
-              label: 
-                """
-                  organization-defined key contingency personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-2
-            - 
-              name:  sort-id
-              value: cp-02
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops a contingency plan for the information system that:
-                  parts: 
-                    - 
-                      id:         cp-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Identifies essential missions and business functions and associated contingency
-                                               requirements;
-                        """
-                    - 
-                      id:         cp-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Provides recovery objectives, restoration priorities, and metrics;
-                    - 
-                      id:         cp-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Addresses contingency roles, responsibilities, assigned individuals with
-                                               contact information;
-                        """
-                    - 
-                      id:         cp-2_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Addresses maintaining essential missions and business functions despite an
-                                               information system disruption, compromise, or failure;
-                        """
-                    - 
-                      id:         cp-2_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose: 
-                        """
-                          Addresses eventual, full information system restoration without deterioration
-                                               of the security safeguards originally planned and implemented; and
-                        """
-                    - 
-                      id:         cp-2_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose:      Is reviewed and approved by {{ cp-2_prm_1 }};
-                - 
-                  id:         cp-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Distributes copies of the contingency plan to {{ cp-2_prm_2 }};
-                - 
-                  id:         cp-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Coordinates contingency planning activities with incident handling activities;
-                - 
-                  id:         cp-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Reviews the contingency plan for the information system {{ cp-2_prm_3 }};
-                - 
-                  id:         cp-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Updates the contingency plan to address changes to the organization, information
-                                        system, or environment of operation and problems encountered during contingency
-                                        plan implementation, execution, or testing;
-                    """
-                - 
-                  id:         cp-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Communicates contingency plan changes to {{ cp-2_prm_4 }}; and
-                - 
-                  id:         cp-2_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Protects the contingency plan from unauthorized disclosure and modification.
-                - 
-                  id:    cp-2_fr
-                  name:  item
-                  title: CP-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-2_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2 Requirement:
-                      prose:      For JAB authorizations the contingency lists include designated FedRAMP personnel.
-            - 
-              id:    cp-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Contingency planning for information systems is part of an overall organizational
-                                 program for achieving continuity of operations for mission/business functions.
-                                 Contingency planning addresses both information system restoration and implementation
-                                 of alternative mission/business processes when systems are compromised. The
-                                 effectiveness of contingency planning is maximized by considering such planning
-                                 throughout the phases of the system development life cycle. Performing contingency
-                                 planning on hardware, software, and firmware development can be an effective means of
-                                 achieving information system resiliency. Contingency plans reflect the degree of
-                                 restoration required for organizational information systems since not all systems may
-                                 need to fully recover to achieve the level of continuity of operations desired.
-                                 Information system recovery objectives reflect applicable laws, Executive Orders,
-                                 directives, policies, standards, regulations, and guidelines. In addition to
-                                 information system availability, contingency plans also address other
-                                 security-related events resulting in a reduction in mission and/or business
-                                 effectiveness, such as malicious attacks compromising the confidentiality or
-                                 integrity of information systems. Actions addressed in contingency plans include, for
-                                 example, orderly/graceful degradation, information system shutdown, fallback to a
-                                 manual mode, alternate information flows, and operating in modes reserved for when
-                                 systems are under attack. By closely coordinating contingency planning with incident
-                                 handling activities, organizations can ensure that the necessary contingency planning
-                                 activities are in place and activated in the event of a security incident.
-                """
-              links: 
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pm-8
-                  rel:  related
-                  text: PM-8
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-            - 
-              id:    cp-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cp-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(a)
-                  prose:      develops and documents a contingency plan for the information system that:
-                  parts: 
-                    - 
-                      id:         cp-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(1)
-                      prose: 
-                        """
-                          identifies essential missions and business functions and associated contingency
-                                               requirements;
-                        """
-                    - 
-                      id:         cp-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(2)
-                      parts: 
-                        - 
-                          id:         cp-2.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[1]
-                          prose:      provides recovery objectives;
-                        - 
-                          id:         cp-2.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[2]
-                          prose:      provides restoration priorities;
-                        - 
-                          id:         cp-2.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[3]
-                          prose:      provides metrics;
-                    - 
-                      id:         cp-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(3)
-                      parts: 
-                        - 
-                          id:         cp-2.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[1]
-                          prose:      addresses contingency roles;
-                        - 
-                          id:         cp-2.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[2]
-                          prose:      addresses contingency responsibilities;
-                        - 
-                          id:         cp-2.a.3_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[3]
-                          prose:      addresses assigned individuals with contact information;
-                    - 
-                      id:         cp-2.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(4)
-                      prose: 
-                        """
-                          addresses maintaining essential missions and business functions despite an
-                                               information system disruption, compromise, or failure;
-                        """
-                    - 
-                      id:         cp-2.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(5)
-                      prose: 
-                        """
-                          addresses eventual, full information system restoration without deterioration
-                                               of the security safeguards originally planned and implemented;
-                        """
-                    - 
-                      id:         cp-2.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(6)
-                      parts: 
-                        - 
-                          id:         cp-2.a.6_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-2(a)(6)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to review and approve the contingency plan for
-                                                      the information system;
-                            """
-                        - 
-                          id:         cp-2.a.6_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-2(a)(6)[2]
-                          prose:      is reviewed and approved by organization-defined personnel or roles;
-                - 
-                  id:         cp-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(b)
-                  parts: 
-                    - 
-                      id:         cp-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(b)[1]
-                      prose: 
-                        """
-                          defines key contingency personnel (identified by name and/or by role) and
-                                               organizational elements to whom copies of the contingency plan are to be
-                                               distributed;
-                        """
-                    - 
-                      id:         cp-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-2(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the contingency plan to organization-defined key
-                                               contingency personnel and organizational elements;
-                        """
-                - 
-                  id:         cp-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CP-2(c)
-                  prose:      coordinates contingency planning activities with incident handling activities;
-                - 
-                  id:         cp-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(d)
-                  parts: 
-                    - 
-                      id:         cp-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(d)[1]
-                      prose: 
-                        """
-                          defines a frequency to review the contingency plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(d)[2]
-                      prose:      reviews the contingency plan with the organization-defined frequency;
-                - 
-                  id:         cp-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(e)
-                  prose:      updates the contingency plan to address:
-                  parts: 
-                    - 
-                      id:         cp-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(e)[1]
-                      prose: 
-                        """
-                          changes to the organization, information system, or environment of
-                                               operation;
-                        """
-                    - 
-                      id:         cp-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(e)[2]
-                      prose:      problems encountered during plan implementation, execution, and testing;
-                - 
-                  id:         cp-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(f)
-                  parts: 
-                    - 
-                      id:         cp-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(f)[1]
-                      prose: 
-                        """
-                          defines key contingency personnel (identified by name and/or by role) and
-                                               organizational elements to whom contingency plan changes are to be
-                                               communicated;
-                        """
-                    - 
-                      id:         cp-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-2(f)[2]
-                      prose: 
-                        """
-                          communicates contingency plan changes to organization-defined key contingency
-                                               personnel and organizational elements; and
-                        """
-                - 
-                  id:         cp-2.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-2(g)
-                  prose:      protects the contingency plan from unauthorized disclosure and modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning and plan implementation
-                                        responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for contingency plan development, review, update, and
-                                        protection\n\nautomated mechanisms for developing, reviewing, updating and/or protecting the
-                                        contingency plan
-                    """
-        - 
-          id:         cp-3
-          class:      SP800-53
-          title:      Contingency Training
-          parameters: 
-            - 
-              id:          cp-3_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: ten (10) days
-            - 
-              id:          cp-3_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-3
-            - 
-              name:  sort-id
-              value: cp-03
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    cp-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides contingency training to information system users consistent
-                                 with assigned roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         cp-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Within {{ cp-3_prm_1 }} of assuming a contingency role or
-                                        responsibility;
-                    """
-                - 
-                  id:         cp-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         cp-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ cp-3_prm_2 }} thereafter.
-                    """
-            - 
-              id:    cp-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Contingency training provided by organizations is linked to the assigned roles and
-                                 responsibilities of organizational personnel to ensure that the appropriate content
-                                 and level of detail is included in such training. For example, regular users may only
-                                 need to know when and where to report for duty during contingency operations and if
-                                 normal duties are affected; system administrators may require additional training on
-                                 how to set up information systems at alternate processing and storage sites; and
-                                 managers/senior leaders may receive more specific training on how to conduct
-                                 mission-essential functions in designated off-site locations and how to establish
-                                 communications with other governmental entities for purposes of coordination on
-                                 contingency-related activities. Training for contingency roles/responsibilities
-                                 reflects the specific continuity requirements in the contingency plan.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ir-2
-                  rel:  related
-                  text: IR-2
-            - 
-              id:    cp-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cp-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(a)
-                  parts: 
-                    - 
-                      id:         cp-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-3(a)[1]
-                      prose: 
-                        """
-                          defines a time period within which contingency training is to be provided to
-                                               information system users assuming a contingency role or responsibility;
-                        """
-                    - 
-                      id:         cp-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-3(a)[2]
-                      prose: 
-                        """
-                          provides contingency training to information system users consistent with
-                                               assigned roles and responsibilities within the organization-defined time period
-                                               of assuming a contingency role or responsibility;
-                        """
-                - 
-                  id:         cp-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-3(b)
-                  prose: 
-                    """
-                      provides contingency training to information system users consistent with assigned
-                                        roles and responsibilities when required by information system changes;
-                    """
-                - 
-                  id:         cp-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(c)
-                  parts: 
-                    - 
-                      id:         cp-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-3(c)[1]
-                      prose:      defines the frequency for contingency training thereafter; and
-                    - 
-                      id:         cp-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-3(c)[2]
-                      prose: 
-                        """
-                          provides contingency training to information system users consistent with
-                                               assigned roles and responsibilities with the organization-defined frequency
-                                               thereafter.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning, plan implementation, and
-                                        training responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for contingency training
-        - 
-          id:         cp-4
-          class:      SP800-53
-          title:      Contingency Plan Testing
-          parameters: 
-            - 
-              id:          cp-4_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three years
-            - 
-              id:          cp-4_prm_2
-              label:       organization-defined tests
-              constraints: 
-                - 
-                  detail: classroom exercises/table top written tests
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-4
-            - 
-              name:  sort-id
-              value: cp-04
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-              rel:  reference
-              text: NIST Special Publication 800-84
-          parts: 
-            - 
-              id:    cp-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the
-                                        effectiveness of the plan and the organizational readiness to execute the
-                                        plan;
-                    """
-                - 
-                  id:         cp-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews the contingency plan test results; and
-                - 
-                  id:         cp-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Initiates corrective actions, if needed.
-                - 
-                  id:    cp-4_fr
-                  name:  item
-                  title: CP-4(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-4_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-4(a) Requirement:
-                      prose:      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-            - 
-              id:    cp-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Methods for testing contingency plans to determine the effectiveness of the plans and
-                                 to identify potential weaknesses in the plans include, for example, walk-through and
-                                 tabletop exercises, checklists, simulations (parallel, full interrupt), and
-                                 comprehensive exercises. Organizations conduct testing based on the continuity
-                                 requirements in contingency plans and include a determination of the effects on
-                                 organizational operations, assets, and individuals arising due to contingency
-                                 operations. Organizations have flexibility and discretion in the breadth, depth, and
-                                 timelines of corrective actions.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-3
-                  rel:  related
-                  text: CP-3
-                - 
-                  href: #ir-3
-                  rel:  related
-                  text: IR-3
-            - 
-              id:    cp-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-4(a)
-                  parts: 
-                    - 
-                      id:         cp-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-4(a)[1]
-                      prose: 
-                        """
-                          defines tests to determine the effectiveness of the contingency plan and the
-                                               organizational readiness to execute the plan;
-                        """
-                    - 
-                      id:         cp-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-4(a)[2]
-                      prose: 
-                        """
-                          defines a frequency to test the contingency plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-4(a)[3]
-                      prose: 
-                        """
-                          tests the contingency plan for the information system with the
-                                               organization-defined frequency, using organization-defined tests to determine
-                                               the effectiveness of the plan and the organizational readiness to execute the
-                                               plan;
-                        """
-                - 
-                  id:         cp-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-4(b)
-                  prose:      reviews the contingency plan test results; and
-                - 
-                  id:         cp-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-4(c)
-                  prose:      initiates corrective actions, if needed.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for contingency plan testing,
-                                        reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and/or contingency plan
-                                        testing
-                    """
-        - 
-          id:         cp-9
-          class:      SP800-53
-          title:      Information System Backup
-          parameters: 
-            - 
-              id:          cp-9_prm_1
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-            - 
-              id:          cp-9_prm_2
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-            - 
-              id:          cp-9_prm_3
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-9
-            - 
-              name:  sort-id
-              value: cp-09
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Conducts backups of user-level information contained in the information system
-                                           {{ cp-9_prm_1 }};
-                    """
-                - 
-                  id:         cp-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Conducts backups of system-level information contained in the information system
-                                           {{ cp-9_prm_2 }};
-                    """
-                - 
-                  id:         cp-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Conducts backups of information system documentation including security-related
-                                        documentation {{ cp-9_prm_3 }}; and
-                    """
-                - 
-                  id:         cp-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects the confidentiality, integrity, and availability of backup information at
-                                        storage locations.
-                    """
-                - 
-                  id:    cp-9_fr
-                  name:  item
-                  title: CP-9 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-9_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-                    - 
-                      id:         cp-9_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(a) Requirement:
-                      prose:      The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-                    - 
-                      id:         cp-9_fr_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(b)Requirement:
-                      prose:      The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-                    - 
-                      id:         cp-9_fr_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(c)Requirement:
-                      prose:      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-            - 
-              id:    cp-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  System-level information includes, for example, system-state information, operating
-                                 system and application software, and licenses. User-level information includes any
-                                 information other than system-level information. Mechanisms employed by organizations
-                                 to protect the integrity of information system backups include, for example, digital
-                                 signatures and cryptographic hashes. Protection of system backup information while in
-                                 transit is beyond the scope of this control. Information system backups reflect the
-                                 requirements in contingency plans as well as other organizational requirements for
-                                 backing up information.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    cp-9_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(a)
-                  parts: 
-                    - 
-                      id:         cp-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(a)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of user-level information contained in the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(a)[2]
-                      prose: 
-                        """
-                          conducts backups of user-level information contained in the information system
-                                               with the organization-defined frequency;
-                        """
-                - 
-                  id:         cp-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(b)
-                  parts: 
-                    - 
-                      id:         cp-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(b)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of system-level information contained in the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(b)[2]
-                      prose: 
-                        """
-                          conducts backups of system-level information contained in the information
-                                               system with the organization-defined frequency;
-                        """
-                - 
-                  id:         cp-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(c)
-                  parts: 
-                    - 
-                      id:         cp-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(c)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of information system documentation including security-related
-                                               documentation;
-                        """
-                    - 
-                      id:         cp-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(c)[2]
-                      prose: 
-                        """
-                          conducts backups of information system documentation, including
-                                               security-related documentation, with the organization-defined frequency;
-                                               and
-                        """
-                - 
-                  id:         cp-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-9(d)
-                  prose: 
-                    """
-                      protects the confidentiality, integrity, and availability of backup information at
-                                        storage locations.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and/or implementing information system backups
-        - 
-          id:         cp-10
-          class:      SP800-53
-          title:      Information System Recovery and Reconstitution
-          properties: 
-            - 
-              name:  label
-              value: CP-10
-            - 
-              name:  sort-id
-              value: cp-10
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-10_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides for the recovery and reconstitution of the information
-                                 system to a known state after a disruption, compromise, or failure.
-                """
-            - 
-              id:    cp-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Recovery is executing information system contingency plan activities to restore
-                                 organizational missions/business functions. Reconstitution takes place following
-                                 recovery and includes activities for returning organizational information systems to
-                                 fully operational states. Recovery and reconstitution operations reflect mission and
-                                 business priorities, recovery point/time and reconstitution objectives, and
-                                 established organizational metrics consistent with contingency plan requirements.
-                                 Reconstitution includes the deactivation of any interim information system
-                                 capabilities that may have been needed during recovery operations. Reconstitution
-                                 also includes assessments of fully restored information system capabilities,
-                                 reestablishment of continuous monitoring activities, potential information system
-                                 reauthorizations, and activities to prepare the systems against future disruptions,
-                                 compromises, or failures. Recovery/reconstitution capabilities employed by
-                                 organizations can include both automated mechanisms and manual procedures.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #sc-24
-                  rel:  related
-                  text: SC-24
-            - 
-              id:    cp-10_obj
-              name:  objective
-              prose: Determine if the organization provides for: 
-              parts: 
-                - 
-                  id:         cp-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-10[1]
-                  prose:      the recovery of the information system to a known state after:
-                  parts: 
-                    - 
-                      id:         cp-10_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][a]
-                      prose:      a disruption;
-                    - 
-                      id:         cp-10_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][b]
-                      prose:      a compromise; or
-                    - 
-                      id:         cp-10_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][c]
-                      prose:      a failure;
-                - 
-                  id:         cp-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-10[2]
-                  prose:      the reconstitution of the information system to a known state after:
-                  parts: 
-                    - 
-                      id:         cp-10_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][a]
-                      prose:      a disruption;
-                    - 
-                      id:         cp-10_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][b]
-                      prose:      a compromise; or
-                    - 
-                      id:         cp-10_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][c]
-                      prose:      a failure.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning, recovery, and/or
-                                        reconstitution responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes implementing information system recovery and
-                                        reconstitution operations\n\nautomated mechanisms supporting and/or implementing information system recovery
-                                        and reconstitution operations
-                    """
-    - 
-      id:       ia
-      class:    family
-      title:    Identification and Authentication
-      controls: 
-        - 
-          id:         ia-1
-          class:      SP800-53
-          title:      Identification and Authentication Policy and Procedures
-          parameters: 
-            - 
-              id:    ia-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ia-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ia-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-1
-            - 
-              name:  sort-id
-              value: ia-01
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ia-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ia-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ia-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ia-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An identification and authentication policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         ia-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the identification and
-                                               authentication policy and associated identification and authentication
-                                               controls; and
-                        """
-                - 
-                  id:         ia-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ia-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Identification and authentication policy {{ ia-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         ia-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Identification and authentication procedures {{ ia-1_prm_3 }}.
-            - 
-              id:    ia-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the IA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ia-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ia-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-1(a)
-                  parts: 
-                    - 
-                      id:         ia-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ia-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an identification and authentication policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         ia-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ia-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ia-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ia-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ia-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ia-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ia-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ia-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the identification and authentication
-                                                      policy is to be disseminated; and
-                            """
-                        - 
-                          id:         ia-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the identification and authentication policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         ia-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ia-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      identification and authentication policy and associated identification and
-                                                      authentication controls;
-                            """
-                        - 
-                          id:         ia-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ia-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ia-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-1(b)
-                  parts: 
-                    - 
-                      id:         ia-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ia-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current identification and
-                                                      authentication policy;
-                            """
-                        - 
-                          id:         ia-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current identification and authentication policy
-                                                      with the organization-defined frequency; and
-                            """
-                    - 
-                      id:         ia-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ia-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current identification and
-                                                      authentication procedures; and
-                            """
-                        - 
-                          id:         ia-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current identification and authentication procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with identification and authentication
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ia-2
-          class:      SP800-53
-          title:      Identification and Authentication (organizational Users)
-          properties: 
-            - 
-              name:  label
-              value: IA-2
-            - 
-              name:  sort-id
-              value: ia-02
-          links: 
-            - 
-              href: #ad733a42-a7ed-4774-b988-4930c28852f3
-              rel:  reference
-              text: HSPD-12
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-2_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates organizational users (or
-                                 processes acting on behalf of organizational users).
-                """
-            - 
-              id:    ia-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational users include employees or individuals that organizations deem to have
-                                 equivalent status of employees (e.g., contractors, guest researchers). This control
-                                 applies to all accesses other than: (i) accesses that are explicitly identified and
-                                 documented in AC-14; and (ii) accesses that occur through authorized use of group
-                                 authenticators without individual authentication. Organizations may require unique
-                                 identification of individuals in group accounts (e.g., shared privilege accounts) or
-                                 for detailed accountability of individual activity. Organizations employ passwords,
-                                 tokens, or biometrics to authenticate user identities, or in the case multifactor
-                                 authentication, or some combination thereof. Access to organizational information
-                                 systems is defined as either local access or network access. Local access is any
-                                 access to organizational information systems by users (or processes acting on behalf
-                                 of users) where such access is obtained by direct connections without the use of
-                                 networks. Network access is access to organizational information systems by users (or
-                                 processes acting on behalf of users) where such access is obtained through network
-                                 connections (i.e., nonlocal accesses). Remote access is a type of network access that
-                                 involves communication through external networks (e.g., the Internet). Internal
-                                 networks include local area networks and wide area networks. In addition, the use of
-                                 encrypted virtual private networks (VPNs) for network connections between
-                                 organization-controlled endpoints and non-organization controlled endpoints may be
-                                 treated as internal networks from the perspective of protecting the confidentiality
-                                 and integrity of information traversing the network. Organizations can satisfy the
-                                 identification and authentication requirements in this control by complying with the
-                                 requirements in Homeland Security Presidential Directive 12 consistent with the
-                                 specific organizational implementation plans. Multifactor authentication requires the
-                                 use of two or more different factors to achieve authentication. The factors are
-                                 defined as: (i) something you know (e.g., password, personal identification number
-                                 [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-                                 or (iii) something you are (e.g., biometric). Multifactor solutions that require
-                                 devices separate from information systems gaining access include, for example,
-                                 hardware tokens providing time-based or challenge-response authenticators and smart
-                                 cards such as the U.S. Government Personal Identity Verification card and the DoD
-                                 common access card. In addition to identifying and authenticating users at the
-                                 information system level (i.e., at logon), organizations also employ identification
-                                 and authentication mechanisms at the application level, when necessary, to provide
-                                 increased information security. Identification and authentication requirements for
-                                 other than organizational users are described in IA-8.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-            - 
-              id:    ia-2_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system uniquely identifies and authenticates
-                                 organizational users (or processes acting on behalf of organizational users).
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and/or implementing identification and
-                                        authentication capability
-                    """
-          controls: 
-            - 
-              id:         ia-2.1
-              class:      SP800-53-enhancement
-              title:      Network Access to Privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(1)
-                - 
-                  name:  sort-id
-                  value: ia-02.01
-              parts: 
-                - 
-                  id:    ia-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for network access to
-                                        privileged accounts.
-                    """
-                - 
-                  id:    ia-2.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:         ia-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        network access to privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.12
-              class:      SP800-53-enhancement
-              title:      Acceptance of PIV Credentials
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(12)
-                - 
-                  name:  sort-id
-                  value: ia-02.12
-              parts: 
-                - 
-                  id:    ia-2.12_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system accepts and electronically verifies Personal Identity
-                                        Verification (PIV) credentials.
-                    """
-                  parts: 
-                    - 
-                      id:    ia-2.12_fr
-                      name:  item
-                      title: IA-2 (12) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-2.12_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-                - 
-                  id:    ia-2.12_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to organizations implementing logical access
-                                        control systems (LACS) and physical access control systems (PACS). Personal
-                                        Identity Verification (PIV) credentials are those credentials issued by federal
-                                        agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                                        OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                                        requirements specified in HSPD-12 to enable agency-wide use of PIV
-                                        credentials.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-2.12_obj
-                  name:  objective
-                  prose: Determine if the information system: 
-                  parts: 
-                    - 
-                      id:         ia-2.12_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(12)[1]
-                      prose:      accepts Personal Identity Verification (PIV) credentials; and
-                    - 
-                      id:         ia-2.12_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(12)[2]
-                      prose:      electronically verifies Personal Identity Verification (PIV) credentials.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing acceptance and verification
-                                               of PIV credentials
-                        """
-        - 
-          id:         ia-4
-          class:      SP800-53
-          title:      Identifier Management
-          parameters: 
-            - 
-              id:    ia-4_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ia-4_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: IA-4 (d) [at least two years]
-            - 
-              id:          ia-4_prm_3
-              label:       organization-defined time period of inactivity
-              constraints: 
-                - 
-                  detail: ninety days for user identifiers (See additional requirements and guidance)
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-4
-            - 
-              name:  sort-id
-              value: ia-04
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-          parts: 
-            - 
-              id:    ia-4_smt
-              name:  statement
-              prose: The organization manages information system identifiers by:
-              parts: 
-                - 
-                  id:         ia-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Receiving authorization from {{ ia-4_prm_1 }} to assign an
-                                        individual, group, role, or device identifier;
-                    """
-                - 
-                  id:         ia-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Selecting an identifier that identifies an individual, group, role, or device;
-                - 
-                  id:         ia-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Assigning the identifier to the intended individual, group, role, or device;
-                - 
-                  id:         ia-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and
-                - 
-                  id:         ia-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Disabling the identifier after {{ ia-4_prm_3 }}.
-                - 
-                  id:    ia-4_fr
-                  name:  item
-                  title: IA-4(e) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ia-4_fr_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider defines the time period of inactivity for device identifiers.
-                    - 
-                      id:         ia-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx).
-            - 
-              id:    ia-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Common device identifiers include, for example, media access control (MAC), Internet
-                                 protocol (IP) addresses, or device-unique token identifiers. Management of individual
-                                 identifiers is not applicable to shared information system accounts (e.g., guest and
-                                 anonymous accounts). Typically, individual identifiers are the user names of the
-                                 information system accounts assigned to those individuals. In such instances, the
-                                 account management activities of AC-2 use account names provided by IA-4. This
-                                 control also addresses individual identifiers not necessarily associated with
-                                 information system accounts (e.g., identifiers used in physical security control
-                                 databases accessed by badge reader systems for access to information systems).
-                                 Preventing reuse of identifiers implies preventing the assignment of previously used
-                                 individual, group, role, or device identifiers to different individuals, groups,
-                                 roles, or devices.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #sc-37
-                  rel:  related
-                  text: SC-37
-            - 
-              id:    ia-4_obj
-              name:  objective
-              prose: Determine if the organization manages information system identifiers by: 
-              parts: 
-                - 
-                  id:         ia-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(a)
-                  parts: 
-                    - 
-                      id:         ia-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(a)[1]
-                      prose: 
-                        """
-                          defining personnel or roles from whom authorization must be received to
-                                               assign:
-                        """
-                      parts: 
-                        - 
-                          id:         ia-4.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][a]
-                          prose:      an individual identifier;
-                        - 
-                          id:         ia-4.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][b]
-                          prose:      a group identifier;
-                        - 
-                          id:         ia-4.a_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][c]
-                          prose:      a role identifier; and/or
-                        - 
-                          id:         ia-4.a_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][d]
-                          prose:      a device identifier;
-                    - 
-                      id:         ia-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(a)[2]
-                      prose: 
-                        """
-                          receiving authorization from organization-defined personnel or roles to
-                                               assign:
-                        """
-                      parts: 
-                        - 
-                          id:         ia-4.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][a]
-                          prose:      an individual identifier;
-                        - 
-                          id:         ia-4.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][b]
-                          prose:      a group identifier;
-                        - 
-                          id:         ia-4.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][c]
-                          prose:      a role identifier; and/or
-                        - 
-                          id:         ia-4.a_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][d]
-                          prose:      a device identifier;
-                - 
-                  id:         ia-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-4(b)
-                  prose:      selecting an identifier that identifies:
-                  parts: 
-                    - 
-                      id:         ia-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[1]
-                      prose:      an individual;
-                    - 
-                      id:         ia-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[2]
-                      prose:      a group;
-                    - 
-                      id:         ia-4.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[3]
-                      prose:      a role; and/or
-                    - 
-                      id:         ia-4.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[4]
-                      prose:      a device;
-                - 
-                  id:         ia-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-4(c)
-                  prose:      assigning the identifier to the intended:
-                  parts: 
-                    - 
-                      id:         ia-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[1]
-                      prose:      individual;
-                    - 
-                      id:         ia-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[2]
-                      prose:      group;
-                    - 
-                      id:         ia-4.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[3]
-                      prose:      role; and/or
-                    - 
-                      id:         ia-4.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[4]
-                      prose:      device;
-                - 
-                  id:         ia-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(d)
-                  parts: 
-                    - 
-                      id:         ia-4.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(d)[1]
-                      prose:      defining a time period for preventing reuse of identifiers;
-                    - 
-                      id:         ia-4.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(d)[2]
-                      prose:      preventing reuse of identifiers for the organization-defined time period;
-                - 
-                  id:         ia-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(e)
-                  parts: 
-                    - 
-                      id:         ia-4.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(e)[1]
-                      prose:      defining a time period of inactivity to disable the identifier; and
-                    - 
-                      id:         ia-4.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(e)[2]
-                      prose: 
-                        """
-                          disabling the identifier after the organization-defined time period of
-                                               inactivity.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing identifier management
-        - 
-          id:         ia-5
-          class:      SP800-53
-          title:      Authenticator Management
-          parameters: 
-            - 
-              id:    ia-5_prm_1
-              label: organization-defined time period by authenticator type
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-5
-            - 
-              name:  sort-id
-              value: ia-05
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-5_smt
-              name:  statement
-              prose: The organization manages information system authenticators by:
-              parts: 
-                - 
-                  id:         ia-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Verifying, as part of the initial authenticator distribution, the identity of the
-                                        individual, group, role, or device receiving the authenticator;
-                    """
-                - 
-                  id:         ia-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Establishing initial authenticator content for authenticators defined by the
-                                        organization;
-                    """
-                - 
-                  id:         ia-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensuring that authenticators have sufficient strength of mechanism for their
-                                        intended use;
-                    """
-                - 
-                  id:         ia-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Establishing and implementing administrative procedures for initial authenticator
-                                        distribution, for lost/compromised or damaged authenticators, and for revoking
-                                        authenticators;
-                    """
-                - 
-                  id:         ia-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Changing default content of authenticators prior to information system
-                                        installation;
-                    """
-                - 
-                  id:         ia-5_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                                        authenticators;
-                    """
-                - 
-                  id:         ia-5_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Changing/refreshing authenticators {{ ia-5_prm_1 }};
-                - 
-                  id:         ia-5_smt.h
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: h.
-                  prose: 
-                    """
-                      Protecting authenticator content from unauthorized disclosure and
-                                        modification;
-                    """
-                - 
-                  id:         ia-5_smt.i
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: i.
-                  prose: 
-                    """
-                      Requiring individuals to take, and having devices implement, specific security
-                                        safeguards to protect authenticators; and
-                    """
-                - 
-                  id:         ia-5_smt.j
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: j.
-                  prose: 
-                    """
-                      Changing authenticators for group/role accounts when membership to those accounts
-                                        changes.
-                    """
-                - 
-                  id:    ia-5_fr
-                  name:  item
-                  title: IA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ia-5_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3).
-            - 
-              id:    ia-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-                                 certificates, and key cards. Initial authenticator content is the actual content
-                                 (e.g., the initial password) as opposed to requirements about authenticator content
-                                 (e.g., minimum password length). In many cases, developers ship information system
-                                 components with factory default authentication credentials to allow for initial
-                                 installation and configuration. Default authentication credentials are often well
-                                 known, easily discoverable, and present a significant security risk. The requirement
-                                 to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-                                 authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-                                 for authenticators stored within organizational information systems (e.g., passwords
-                                 stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-                                 accessible with administrator privileges). Information systems support individual
-                                 authenticator management by organization-defined settings and restrictions for
-                                 various authenticator characteristics including, for example, minimum password
-                                 length, password composition, validation time window for time synchronous one-time
-                                 tokens, and number of allowed rejections during the verification stage of biometric
-                                 authentication. Specific actions that can be taken to safeguard authenticators
-                                 include, for example, maintaining possession of individual authenticators, not
-                                 loaning or sharing individual authenticators with others, and reporting lost, stolen,
-                                 or compromised authenticators immediately. Authenticator management includes issuing
-                                 and revoking, when no longer needed, authenticators for temporary access such as that
-                                 required for remote maintenance. Device authenticators include, for example,
-                                 certificates and passwords.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-            - 
-              id:    ia-5_obj
-              name:  objective
-              prose: Determine if the organization manages information system authenticators by: 
-              parts: 
-                - 
-                  id:         ia-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(a)
-                  prose:      verifying, as part of the initial authenticator distribution, the identity of:
-                  parts: 
-                    - 
-                      id:         ia-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[1]
-                      prose:      the individual receiving the authenticator;
-                    - 
-                      id:         ia-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[2]
-                      prose:      the group receiving the authenticator;
-                    - 
-                      id:         ia-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[3]
-                      prose:      the role receiving the authenticator; and/or
-                    - 
-                      id:         ia-5.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[4]
-                      prose:      the device receiving the authenticator;
-                - 
-                  id:         ia-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: IA-5(b)
-                  prose: 
-                    """
-                      establishing initial authenticator content for authenticators defined by the
-                                        organization;
-                    """
-                - 
-                  id:         ia-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(c)
-                  prose: 
-                    """
-                      ensuring that authenticators have sufficient strength of mechanism for their
-                                        intended use;
-                    """
-                - 
-                  id:         ia-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(d)
-                  parts: 
-                    - 
-                      id:         ia-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[1]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for initial
-                                               authenticator distribution;
-                        """
-                    - 
-                      id:         ia-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[2]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for lost/compromised or
-                                               damaged authenticators;
-                        """
-                    - 
-                      id:         ia-5.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[3]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for revoking
-                                               authenticators;
-                        """
-                - 
-                  id:         ia-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(e)
-                  prose: 
-                    """
-                      changing default content of authenticators prior to information system
-                                        installation;
-                    """
-                - 
-                  id:         ia-5.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(f)
-                  parts: 
-                    - 
-                      id:         ia-5.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[1]
-                      prose:      establishing minimum lifetime restrictions for authenticators;
-                    - 
-                      id:         ia-5.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[2]
-                      prose:      establishing maximum lifetime restrictions for authenticators;
-                    - 
-                      id:         ia-5.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[3]
-                      prose:      establishing reuse conditions for authenticators;
-                - 
-                  id:         ia-5.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(g)
-                  parts: 
-                    - 
-                      id:         ia-5.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(g)[1]
-                      prose: 
-                        """
-                          defining a time period (by authenticator type) for changing/refreshing
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(g)[2]
-                      prose: 
-                        """
-                          changing/refreshing authenticators with the organization-defined time period by
-                                               authenticator type;
-                        """
-                - 
-                  id:         ia-5.h_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(h)
-                  prose:      protecting authenticator content from unauthorized:
-                  parts: 
-                    - 
-                      id:         ia-5.h_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(h)[1]
-                      prose:      disclosure;
-                    - 
-                      id:         ia-5.h_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(h)[2]
-                      prose:      modification;
-                - 
-                  id:         ia-5.i_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(i)
-                  parts: 
-                    - 
-                      id:         ia-5.i_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IA-5(i)[1]
-                      prose: 
-                        """
-                          requiring individuals to take specific security safeguards to protect
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.i_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(i)[2]
-                      prose: 
-                        """
-                          having devices implement specific security safeguards to protect
-                                               authenticators; and
-                        """
-                - 
-                  id:         ia-5.j_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(j)
-                  prose: 
-                    """
-                      changing authenticators for group/role accounts when membership to those accounts
-                                        changes.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system
-                                        authenticators\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing authenticator management
-                                        capability
-                    """
-          controls: 
-            - 
-              id:         ia-5.1
-              class:      SP800-53-enhancement
-              title:      Password-based Authentication
-              parameters: 
-                - 
-                  id:    ia-5.1_prm_1
-                  label: 
-                    """
-                      organization-defined requirements for case sensitivity, number of characters,
-                                        mix of upper-case letters, lower-case letters, numbers, and special characters,
-                                        including minimum requirements for each type
-                    """
-                - 
-                  id:          ia-5.1_prm_2
-                  label:       organization-defined number
-                  constraints: 
-                    - 
-                      detail: at least one
-                - 
-                  id:    ia-5.1_prm_3
-                  label: organization-defined numbers for lifetime minimum, lifetime maximum
-                - 
-                  id:          ia-5.1_prm_4
-                  label:       organization-defined number
-                  constraints: 
-                    - 
-                      detail: twenty four
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: IA-5(1)
-                - 
-                  name:  sort-id
-                  value: ia-05.01
-              parts: 
-                - 
-                  id:    ia-5.1_smt
-                  name:  statement
-                  prose: The information system, for password-based authentication:
-                  parts: 
-                    - 
-                      id:         ia-5.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Enforces minimum password complexity of {{ ia-5.1_prm_1 }};
-                    - 
-                      id:         ia-5.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Enforces at least the following number of changed characters when new passwords
-                                               are created: {{ ia-5.1_prm_2 }};
-                        """
-                    - 
-                      id:         ia-5.1_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Stores and transmits only cryptographically-protected passwords;
-                    - 
-                      id:         ia-5.1_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose:      Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};
-                    - 
-                      id:         ia-5.1_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)
-                      prose: 
-                        """
-                          Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;
-                                               and
-                        """
-                    - 
-                      id:         ia-5.1_smt.f
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (f)
-                      prose: 
-                        """
-                          Allows the use of a temporary password for system logons with an immediate
-                                               change to a permanent password.
-                        """
-                    - 
-                      id:    ia-5.1_fr
-                      name:  item
-                      title: IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-5.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance (a) (d):
-                          prose:      If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-                - 
-                  id:    ia-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to single-factor authentication of individuals
-                                        using passwords as individual or group authenticators, and in a similar manner,
-                                        when passwords are part of multifactor authenticators. This control enhancement
-                                        does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                                        Personal Identity Verification cards). The implementation of such password
-                                        mechanisms may not meet all of the requirements in the enhancement.
-                                        Cryptographically-protected passwords include, for example, encrypted versions of
-                                        passwords and one-way cryptographic hashes of passwords. The number of changed
-                                        characters refers to the number of changes required with respect to the total
-                                        number of positions in the current password. Password lifetime restrictions do not
-                                        apply to temporary passwords. To mitigate certain brute force attacks against
-                                        passwords, organizations may also consider salting passwords.
-                    """
-                  links: 
-                    - 
-                      href: #ia-6
-                      rel:  related
-                      text: IA-6
-                - 
-                  id:    ia-5.1_obj
-                  name:  objective
-                  prose: Determine if, for password-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(a)
-                      parts: 
-                        - 
-                          id:         ia-5.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[1]
-                          prose:      the organization defines requirements for case sensitivity;
-                        - 
-                          id:         ia-5.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[2]
-                          prose:      the organization defines requirements for number of characters;
-                        - 
-                          id:         ia-5.1.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[3]
-                          prose: 
-                            """
-                              the organization defines requirements for the mix of upper-case letters,
-                                                      lower-case letters, numbers and special characters;
-                            """
-                        - 
-                          id:         ia-5.1.a_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[4]
-                          prose: 
-                            """
-                              the organization defines minimum requirements for each type of
-                                                      character;
-                            """
-                        - 
-                          id:         ia-5.1.a_obj.5
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[5]
-                          prose: 
-                            """
-                              the information system enforces minimum password complexity of
-                                                      organization-defined requirements for case sensitivity, number of
-                                                      characters, mix of upper-case letters, lower-case letters, numbers, and
-                                                      special characters, including minimum requirements for each type;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.a
-                          rel:  corresp
-                          text: IA-5(1)(a)
-                    - 
-                      id:         ia-5.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(b)
-                      parts: 
-                        - 
-                          id:         ia-5.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(b)[1]
-                          prose: 
-                            """
-                              the organization defines a minimum number of changed characters to be
-                                                      enforced when new passwords are created;
-                            """
-                        - 
-                          id:         ia-5.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(b)[2]
-                          prose: 
-                            """
-                              the information system enforces at least the organization-defined minimum
-                                                      number of characters that must be changed when new passwords are
-                                                      created;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.b
-                          rel:  corresp
-                          text: IA-5(1)(b)
-                    - 
-                      id:         ia-5.1.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(1)(c)
-                      prose: 
-                        """
-                          the information system stores and transmits only encrypted representations of
-                                               passwords;
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.c
-                          rel:  corresp
-                          text: IA-5(1)(c)
-                    - 
-                      id:         ia-5.1.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(d)
-                      parts: 
-                        - 
-                          id:         ia-5.1.d_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[1]
-                          prose: 
-                            """
-                              the organization defines numbers for password minimum lifetime restrictions
-                                                      to be enforced for passwords;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[2]
-                          prose: 
-                            """
-                              the organization defines numbers for password maximum lifetime restrictions
-                                                      to be enforced for passwords;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[3]
-                          prose: 
-                            """
-                              the information system enforces password minimum lifetime restrictions of
-                                                      organization-defined numbers for lifetime minimum;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[4]
-                          prose: 
-                            """
-                              the information system enforces password maximum lifetime restrictions of
-                                                      organization-defined numbers for lifetime maximum;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.d
-                          rel:  corresp
-                          text: IA-5(1)(d)
-                    - 
-                      id:         ia-5.1.e_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(e)
-                      parts: 
-                        - 
-                          id:         ia-5.1.e_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(e)[1]
-                          prose: 
-                            """
-                              the organization defines the number of password generations to be prohibited
-                                                      from password reuse;
-                            """
-                        - 
-                          id:         ia-5.1.e_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(e)[2]
-                          prose: 
-                            """
-                              the information system prohibits password reuse for the organization-defined
-                                                      number of generations; and
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.e
-                          rel:  corresp
-                          text: IA-5(1)(e)
-                    - 
-                      id:         ia-5.1.f_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(1)(f)
-                      prose: 
-                        """
-                          the information system allows the use of a temporary password for system logons
-                                               with an immediate change to a permanent password.
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.f
-                          rel:  corresp
-                          text: IA-5(1)(f)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing password-based
-                                               authenticator management capability
-                        """
-            - 
-              id:         ia-5.11
-              class:      SP800-53-enhancement
-              title:      Hardware Token-based Authentication
-              parameters: 
-                - 
-                  id:    ia-5.11_prm_1
-                  label: organization-defined token quality requirements
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(11)
-                - 
-                  name:  sort-id
-                  value: ia-05.11
-              parts: 
-                - 
-                  id:    ia-5.11_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system, for hardware token-based authentication, employs
-                                        mechanisms that satisfy {{ ia-5.11_prm_1 }}.
-                    """
-                - 
-                  id:    ia-5.11_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Hardware token-based authentication typically refers to the use of PKI-based
-                                        tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                                        Organizations define specific requirements for tokens, such as working with a
-                                        particular PKI.
-                    """
-                - 
-                  id:    ia-5.11_obj
-                  name:  objective
-                  prose: Determine if, for hardware token-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.11_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(11)[1]
-                      prose:      the organization defines token quality requirements to be satisfied; and
-                    - 
-                      id:         ia-5.11_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(11)[2]
-                      prose: 
-                        """
-                          the information system employs mechanisms that satisfy organization-defined
-                                               token quality requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the
-                                               information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing hardware token-based
-                                               authenticator management capability
-                        """
-        - 
-          id:         ia-6
-          class:      SP800-53
-          title:      Authenticator Feedback
-          properties: 
-            - 
-              name:  label
-              value: IA-6
-            - 
-              name:  sort-id
-              value: ia-06
-          parts: 
-            - 
-              id:    ia-6_smt
-              name:  statement
-              prose: 
-                """
-                  The information system obscures feedback of authentication information during the
-                                 authentication process to protect the information from possible exploitation/use by
-                                 unauthorized individuals.
-                """
-            - 
-              id:    ia-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  The feedback from information systems does not provide information that would allow
-                                 unauthorized individuals to compromise authentication mechanisms. For some types of
-                                 information systems or system components, for example, desktops/notebooks with
-                                 relatively large monitors, the threat (often referred to as shoulder surfing) may be
-                                 significant. For other types of systems or components, for example, mobile devices
-                                 with 2-4 inch screens, this threat may be less significant, and may need to be
-                                 balanced against the increased likelihood of typographic input errors due to the
-                                 small keyboards. Therefore, the means for obscuring the authenticator feedback is
-                                 selected accordingly. Obscuring the feedback of authentication information includes,
-                                 for example, displaying asterisks when users type passwords into input devices, or
-                                 displaying feedback for a very limited time before fully obscuring it.
-                """
-              links: 
-                - 
-                  href: #pe-18
-                  rel:  related
-                  text: PE-18
-            - 
-              id:         ia-6_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system obscures feedback of authentication information
-                                 during the authentication process to protect the information from possible
-                                 exploitation/use by unauthorized individuals.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                                        authentication information during authentication
-                    """
-        - 
-          id:         ia-7
-          class:      SP800-53
-          title:      Cryptographic Module Authentication
-          properties: 
-            - 
-              name:  label
-              value: IA-7
-            - 
-              name:  sort-id
-              value: ia-07
-          links: 
-            - 
-              href: #39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-              rel:  reference
-              text: FIPS Publication 140
-            - 
-              href: #b09d1a31-d3c9-4138-a4f4-4c63816afd7d
-              rel:  reference
-              text: http://csrc.nist.gov/groups/STM/cmvp/index.html
-          parts: 
-            - 
-              id:    ia-7_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements mechanisms for authentication to a cryptographic
-                                 module that meet the requirements of applicable federal laws, Executive Orders,
-                                 directives, policies, regulations, standards, and guidance for such
-                                 authentication.
-                """
-            - 
-              id:    ia-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Authentication mechanisms may be required within a cryptographic module to
-                                 authenticate an operator accessing the module and to verify that the operator is
-                                 authorized to assume the requested role and perform services within that role.
-                """
-              links: 
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:         ia-7_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system implements mechanisms for authentication to a
-                                 cryptographic module that meet the requirements of applicable federal laws, Executive
-                                 Orders, directives, policies, regulations, standards, and guidance for such
-                                 authentication.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for cryptographic module
-                                        authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing cryptographic module
-                                        authentication
-                    """
-        - 
-          id:         ia-8
-          class:      SP800-53
-          title:      Identification and Authentication (non-organizational Users)
-          properties: 
-            - 
-              name:  label
-              value: IA-8
-            - 
-              name:  sort-id
-              value: ia-08
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #599fe9ba-4750-4450-9eeb-b95bd19a5e8f
-              rel:  reference
-              text: OMB Memorandum 10-06-2011
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #2157bb7e-192c-4eaa-877f-93ef6b0a3292
-              rel:  reference
-              text: NIST Special Publication 800-116
-            - 
-              href: #654f21e2-f3bc-43b2-abdc-60ab8d09744b
-              rel:  reference
-              text: 
-                """
-                  National Strategy for Trusted Identities in
-                              Cyberspace
-                """
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-8_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates non-organizational users
-                                 (or processes acting on behalf of non-organizational users).
-                """
-            - 
-              id:    ia-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Non-organizational users include information system users other than organizational
-                                 users explicitly covered by IA-2. These individuals are uniquely identified and
-                                 authenticated for accesses other than those accesses explicitly identified and
-                                 documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-                                 authentication of non-organizational users accessing federal information systems may
-                                 be required to protect federal, proprietary, or privacy-related information (with
-                                 exceptions noted for national security systems). Organizations use risk assessments
-                                 to determine authentication needs and consider scalability, practicality, and
-                                 security in balancing the need to ensure ease of use for access to federal
-                                 information and information systems with the need to protect and adequately mitigate
-                                 risk. IA-2 addresses identification and authentication requirements for access to
-                                 information systems by organizational users.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-            - 
-              id:    ia-8_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system uniquely identifies and authenticates
-                                 non-organizational users (or processes acting on behalf of non-organizational
-                                 users).
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing identification and
-                                        authentication capability
-                    """
-          controls: 
-            - 
-              id:         ia-8.1
-              class:      SP800-53-enhancement
-              title:      Acceptance of PIV Credentials from Other Agencies
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(1)
-                - 
-                  name:  sort-id
-                  value: ia-08.01
-              parts: 
-                - 
-                  id:    ia-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system accepts and electronically verifies Personal Identity
-                                        Verification (PIV) credentials from other federal agencies.
-                    """
-                - 
-                  id:    ia-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to logical access control systems (LACS) and
-                                        physical access control systems (PACS). Personal Identity Verification (PIV)
-                                        credentials are those credentials issued by federal agencies that conform to FIPS
-                                        Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                                        federal agencies to continue implementing the requirements specified in HSPD-12 to
-                                        enable agency-wide use of PIV credentials.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.1_obj
-                  name:  objective
-                  prose: Determine if the information system: 
-                  parts: 
-                    - 
-                      id:         ia-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(1)[1]
-                      prose: 
-                        """
-                          accepts Personal Identity Verification (PIV) credentials from other agencies;
-                                               and
-                        """
-                    - 
-                      id:         ia-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(1)[2]
-                      prose: 
-                        """
-                          electronically verifies Personal Identity Verification (PIV) credentials from
-                                               other agencies.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms that accept and verify PIV credentials
-                        """
-            - 
-              id:         ia-8.2
-              class:      SP800-53-enhancement
-              title:      Acceptance of Third-party Credentials
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(2)
-                - 
-                  name:  sort-id
-                  value: ia-08.02
-              parts: 
-                - 
-                  id:    ia-8.2_smt
-                  name:  statement
-                  prose: The information system accepts only FICAM-approved third-party credentials.
-                - 
-                  id:    ia-8.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement typically applies to organizational information systems
-                                        that are accessible to the general public, for example, public-facing websites.
-                                        Third-party credentials are those credentials issued by nonfederal government
-                                        entities approved by the Federal Identity, Credential, and Access Management
-                                        (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                                        meet or exceed the set of minimum federal government-wide technical, security,
-                                        privacy, and organizational maturity requirements. This allows federal government
-                                        relying parties to trust such credentials at their approved assurance levels.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                - 
-                  id:         ia-8.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system accepts only FICAM-approved third-party
-                                        credentials. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or
-                                               services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials
-                        """
-            - 
-              id:         ia-8.3
-              class:      SP800-53-enhancement
-              title:      Use of Ficam-approved Products
-              parameters: 
-                - 
-                  id:    ia-8.3_prm_1
-                  label: organization-defined information systems
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(3)
-                - 
-                  name:  sort-id
-                  value: ia-08.03
-              parts: 
-                - 
-                  id:    ia-8.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs only FICAM-approved information system components in
-                                           {{ ia-8.3_prm_1 }} to accept third-party credentials.
-                    """
-                - 
-                  id:    ia-8.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement typically applies to information systems that are
-                                        accessible to the general public, for example, public-facing websites.
-                                        FICAM-approved information system components include, for example, information
-                                        technology products and software libraries that have been approved by the Federal
-                                        Identity, Credential, and Access Management conformance program.
-                    """
-                  links: 
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-8.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-8(3)[1]
-                      prose: 
-                        """
-                          defines information systems in which only FICAM-approved information system
-                                               components are to be employed to accept third-party credentials; and
-                        """
-                    - 
-                      id:         ia-8.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(3)[2]
-                      prose: 
-                        """
-                          employs only FICAM-approved information system components in
-                                               organization-defined information systems to accept third-party credentials.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the
-                                               acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented
-                                               by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and
-                                               contracting responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability
-                        """
-            - 
-              id:         ia-8.4
-              class:      SP800-53-enhancement
-              title:      Use of Ficam-issued Profiles
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(4)
-                - 
-                  name:  sort-id
-                  value: ia-08.04
-              parts: 
-                - 
-                  id:    ia-8.4_smt
-                  name:  statement
-                  prose: The information system conforms to FICAM-issued profiles.
-                - 
-                  id:    ia-8.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement addresses open identity management standards. To ensure
-                                        that these standards are viable, robust, reliable, sustainable (e.g., available in
-                                        commercial information technology products), and interoperable as documented, the
-                                        United States Government assesses and scopes identity management standards and
-                                        technology implementations against applicable federal legislation, directives,
-                                        policies, and requirements. The result is FICAM-issued implementation profiles of
-                                        approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                                        OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                                        Exchange).
-                    """
-                  links: 
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:         ia-8.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose:      Determine if the information system conforms to FICAM-issued profiles. 
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the
-                                               acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms supporting and/or implementing conformance with
-                                               FICAM-issued profiles
-                        """
-    - 
-      id:       ir
-      class:    family
-      title:    Incident Response
-      controls: 
-        - 
-          id:         ir-1
-          class:      SP800-53
-          title:      Incident Response Policy and Procedures
-          parameters: 
-            - 
-              id:    ir-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ir-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ir-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-1
-            - 
-              name:  sort-id
-              value: ir-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ir-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ir-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ir-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An incident response policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ir-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the incident response policy and
-                                               associated incident response controls; and
-                        """
-                - 
-                  id:         ir-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ir-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Incident response policy {{ ir-1_prm_2 }}; and
-                    - 
-                      id:         ir-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Incident response procedures {{ ir-1_prm_3 }}.
-            - 
-              id:    ir-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the IR
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ir-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-1(a)
-                  parts: 
-                    - 
-                      id:         ir-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ir-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[1]
-                          prose:      develops and documents an incident response policy that addresses:
-                          parts: 
-                            - 
-                              id:         ir-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ir-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ir-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ir-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ir-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ir-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ir-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ir-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the incident response policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ir-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the incident response policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ir-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ir-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      incident response policy and associated incident response controls;
-                            """
-                        - 
-                          id:         ir-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ir-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ir-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-1(b)
-                  parts: 
-                    - 
-                      id:         ir-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ir-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current incident response
-                                                      policy;
-                            """
-                        - 
-                          id:         ir-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current incident response policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ir-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ir-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current incident response
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ir-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current incident response procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ir-2
-          class:      SP800-53
-          title:      Incident Response Training
-          parameters: 
-            - 
-              id:    ir-2_prm_1
-              label: organization-defined time period
-            - 
-              id:          ir-2_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-2
-            - 
-              name:  sort-id
-              value: ir-02
-          links: 
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    ir-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides incident response training to information system users
-                                 consistent with assigned roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         ir-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Within {{ ir-2_prm_1 }} of assuming an incident response role or
-                                        responsibility;
-                    """
-                - 
-                  id:         ir-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         ir-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ ir-2_prm_2 }} thereafter.
-                    """
-            - 
-              id:    ir-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Incident response training provided by organizations is linked to the assigned roles
-                                 and responsibilities of organizational personnel to ensure the appropriate content
-                                 and level of detail is included in such training. For example, regular users may only
-                                 need to know who to call or how to recognize an incident on the information system;
-                                 system administrators may require additional training on how to handle/remediate
-                                 incidents; and incident responders may receive more specific training on forensics,
-                                 reporting, system recovery, and restoration. Incident response training includes user
-                                 training in the identification and reporting of suspicious activities, both from
-                                 external and internal sources.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-3
-                  rel:  related
-                  text: CP-3
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(a)
-                  parts: 
-                    - 
-                      id:         ir-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-2(a)[1]
-                      prose: 
-                        """
-                          defines a time period within which incident response training is to be provided
-                                               to information system users assuming an incident response role or
-                                               responsibility;
-                        """
-                    - 
-                      id:         ir-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-2(a)[2]
-                      prose: 
-                        """
-                          provides incident response training to information system users consistent with
-                                               assigned roles and responsibilities within the organization-defined time period
-                                               of assuming an incident response role or responsibility;
-                        """
-                - 
-                  id:         ir-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: IR-2(b)
-                  prose: 
-                    """
-                      provides incident response training to information system users consistent with
-                                        assigned roles and responsibilities when required by information system
-                                        changes;
-                    """
-                - 
-                  id:         ir-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(c)
-                  parts: 
-                    - 
-                      id:         ir-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher incident response training to
-                                               information system users consistent with assigned roles or responsibilities;
-                                               and
-                        """
-                    - 
-                      id:         ir-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-2(c)[2]
-                      prose: 
-                        """
-                          after the initial incident response training, provides refresher incident
-                                               response training to information system users consistent with assigned roles
-                                               and responsibilities in accordance with the organization-defined frequency to
-                                               provide refresher training.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with incident response training and operational
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ir-4
-          class:      SP800-53
-          title:      Incident Handling
-          properties: 
-            - 
-              name:  label
-              value: IR-4
-            - 
-              name:  sort-id
-              value: ir-04
-          links: 
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Implements an incident handling capability for security incidents that includes
-                                        preparation, detection and analysis, containment, eradication, and recovery;
-                    """
-                - 
-                  id:         ir-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Coordinates incident handling activities with contingency planning activities;
-                                        and
-                    """
-                - 
-                  id:         ir-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Incorporates lessons learned from ongoing incident handling activities into
-                                        incident response procedures, training, and testing, and implements the resulting
-                                        changes accordingly.
-                    """
-                - 
-                  id:    ir-4_fr
-                  name:  item
-                  title: IR-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-4_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-            - 
-              id:    ir-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations recognize that incident response capability is dependent on the
-                                 capabilities of organizational information systems and the mission/business processes
-                                 being supported by those systems. Therefore, organizations consider incident response
-                                 as part of the definition, design, and development of mission/business processes and
-                                 information systems. Incident-related information can be obtained from a variety of
-                                 sources including, for example, audit monitoring, network monitoring, physical access
-                                 monitoring, user/administrator reports, and reported supply chain events. Effective
-                                 incident handling capability includes coordination among many organizational entities
-                                 including, for example, mission/business owners, information system owners,
-                                 authorizing officials, human resources offices, physical and personnel security
-                                 offices, legal departments, operations personnel, procurement offices, and the risk
-                                 executive (function).
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-4
-                  rel:  related
-                  text: CP-4
-                - 
-                  href: #ir-2
-                  rel:  related
-                  text: IR-2
-                - 
-                  href: #ir-3
-                  rel:  related
-                  text: IR-3
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    ir-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: IR-4(a)
-                  prose: 
-                    """
-                      implements an incident handling capability for security incidents that
-                                        includes:
-                    """
-                  parts: 
-                    - 
-                      id:         ir-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[1]
-                      prose:      preparation;
-                    - 
-                      id:         ir-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[2]
-                      prose:      detection and analysis;
-                    - 
-                      id:         ir-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[3]
-                      prose:      containment;
-                    - 
-                      id:         ir-4.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[4]
-                      prose:      eradication;
-                    - 
-                      id:         ir-4.a_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[5]
-                      prose:      recovery;
-                - 
-                  id:         ir-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: IR-4(b)
-                  prose:      coordinates incident handling activities with contingency planning activities;
-                - 
-                  id:         ir-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-4(c)
-                  parts: 
-                    - 
-                      id:         ir-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-4(c)[1]
-                      prose: 
-                        """
-                          incorporates lessons learned from ongoing incident handling activities
-                                               into:
-                        """
-                      parts: 
-                        - 
-                          id:         ir-4.c_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][a]
-                          prose:      incident response procedures;
-                        - 
-                          id:         ir-4.c_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][b]
-                          prose:      training;
-                        - 
-                          id:         ir-4.c_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][c]
-                          prose:      testing/exercises;
-                    - 
-                      id:         ir-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-4(c)[2]
-                      prose:      implements the resulting changes accordingly to:
-                      parts: 
-                        - 
-                          id:         ir-4.c_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][a]
-                          prose:      incident response procedures;
-                        - 
-                          id:         ir-4.c_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][b]
-                          prose:      training; and
-                        - 
-                          id:         ir-4.c_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][c]
-                          prose:      testing/exercises.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident handling capability for the organization
-        - 
-          id:         ir-5
-          class:      SP800-53
-          title:      Incident Monitoring
-          properties: 
-            - 
-              name:  label
-              value: IR-5
-            - 
-              name:  sort-id
-              value: ir-05
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-5_smt
-              name:  statement
-              prose: The organization tracks and documents information system security incidents.
-            - 
-              id:    ir-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Documenting information system security incidents includes, for example, maintaining
-                                 records about each incident, the status of the incident, and other pertinent
-                                 information necessary for forensics, evaluating incident details, trends, and
-                                 handling. Incident information can be obtained from a variety of sources including,
-                                 for example, incident reports, incident response teams, audit monitoring, network
-                                 monitoring, physical access monitoring, and user/administrator reports.
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    ir-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-5[1]
-                  prose:      tracks information system security incidents; and
-                - 
-                  id:         ir-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-5[2]
-                  prose:      documents information system security incidents.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Incident monitoring capability for the organization\n\nautomated mechanisms supporting and/or implementing tracking and documenting of
-                                        system security incidents
-                    """
-        - 
-          id:         ir-6
-          class:      SP800-53
-          title:      Incident Reporting
-          parameters: 
-            - 
-              id:          ir-6_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-            - 
-              id:    ir-6_prm_2
-              label: organization-defined authorities
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-6
-            - 
-              name:  sort-id
-              value: ir-06
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #02631467-668b-4233-989b-3dfded2fd184
-              rel:  reference
-              text: http://www.us-cert.gov
-          parts: 
-            - 
-              id:    ir-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires personnel to report suspected security incidents to the organizational
-                                        incident response capability within {{ ir-6_prm_1 }}; and
-                    """
-                - 
-                  id:         ir-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reports security incident information to {{ ir-6_prm_2 }}.
-                - 
-                  id:    ir-6_fr
-                  name:  item
-                  title: IR-6 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Report security incident information according to FedRAMP Incident Communications Procedure.
-            - 
-              id:    ir-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  The intent of this control is to address both specific incident reporting
-                                 requirements within an organization and the formal incident reporting requirements
-                                 for federal agencies and their subordinate organizations. Suspected security
-                                 incidents include, for example, the receipt of suspicious email communications that
-                                 can potentially contain malicious code. The types of security incidents reported, the
-                                 content and timeliness of the reports, and the designated reporting authorities
-                                 reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-                                 standards, and guidance. Current federal policy requires that all federal agencies
-                                 (unless specifically exempted from such requirements) report security incidents to
-                                 the United States Computer Emergency Readiness Team (US-CERT) within specified time
-                                 frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-                                 Incident Handling.
-                """
-              links: 
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-5
-                  rel:  related
-                  text: IR-5
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-6(a)
-                  parts: 
-                    - 
-                      id:         ir-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-6(a)[1]
-                      prose: 
-                        """
-                          defines the time period within which personnel report suspected security
-                                               incidents to the organizational incident response capability;
-                        """
-                    - 
-                      id:         ir-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-6(a)[2]
-                      prose: 
-                        """
-                          requires personnel to report suspected security incidents to the organizational
-                                               incident response capability within the organization-defined time period;
-                        """
-                - 
-                  id:         ir-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-6(b)
-                  parts: 
-                    - 
-                      id:         ir-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-6(b)[1]
-                      prose: 
-                        """
-                          defines authorities to whom security incident information is to be reported;
-                                               and
-                        """
-                    - 
-                      id:         ir-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-6(b)[2]
-                      prose:      reports security incident information to organization-defined authorities.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing incident reporting
-        - 
-          id:         ir-7
-          class:      SP800-53
-          title:      Incident Response Assistance
-          properties: 
-            - 
-              name:  label
-              value: IR-7
-            - 
-              name:  sort-id
-              value: ir-07
-          parts: 
-            - 
-              id:    ir-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides an incident response support resource, integral to the
-                                 organizational incident response capability that offers advice and assistance to
-                                 users of the information system for the handling and reporting of security
-                                 incidents.
-                """
-            - 
-              id:    ir-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Incident response support resources provided by organizations include, for example,
-                                 help desks, assistance groups, and access to forensics services, when required.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-6
-                  rel:  related
-                  text: IR-6
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-            - 
-              id:    ir-7_obj
-              name:  objective
-              prose: Determine if the organization provides an incident response support resource:
-              parts: 
-                - 
-                  id:         ir-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-7[1]
-                  prose:      that is integral to the organizational incident response capability; and
-                - 
-                  id:         ir-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-7[2]
-                  prose: 
-                    """
-                      that offers advice and assistance to users of the information system for the
-                                        handling and reporting of security incidents.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with incident response assistance and support
-                                        responsibilities\n\norganizational personnel with access to incident response support and assistance
-                                        capability\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing incident response
-                                        assistance
-                    """
-        - 
-          id:         ir-8
-          class:      SP800-53
-          title:      Incident Response Plan
-          parameters: 
-            - 
-              id:    ir-8_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ir-8_prm_2
-              label: 
-                """
-                  organization-defined incident response personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-              constraints: 
-                - 
-                  detail: see additional FedRAMP Requirements and Guidance
-            - 
-              id:          ir-8_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ir-8_prm_4
-              label: 
-                """
-                  organization-defined incident response personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-              constraints: 
-                - 
-                  detail: see additional FedRAMP Requirements and Guidance
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-8
-            - 
-              name:  sort-id
-              value: ir-08
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops an incident response plan that:
-                  parts: 
-                    - 
-                      id:         ir-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Provides the organization with a roadmap for implementing its incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Describes the structure and organization of the incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Provides a high-level approach for how the incident response capability fits
-                                               into the overall organization;
-                        """
-                    - 
-                      id:         ir-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Meets the unique requirements of the organization, which relate to mission,
-                                               size, structure, and functions;
-                        """
-                    - 
-                      id:         ir-8_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose:      Defines reportable incidents;
-                    - 
-                      id:         ir-8_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose: 
-                        """
-                          Provides metrics for measuring the incident response capability within the
-                                               organization;
-                        """
-                    - 
-                      id:         ir-8_smt.a.7
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 7.
-                      prose: 
-                        """
-                          Defines the resources and management support needed to effectively maintain and
-                                               mature an incident response capability; and
-                        """
-                    - 
-                      id:         ir-8_smt.a.8
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 8.
-                      prose:      Is reviewed and approved by {{ ir-8_prm_1 }};
-                - 
-                  id:         ir-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Distributes copies of the incident response plan to {{ ir-8_prm_2 }};
-                - 
-                  id:         ir-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews the incident response plan {{ ir-8_prm_3 }};
-                - 
-                  id:         ir-8_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Updates the incident response plan to address system/organizational changes or
-                                        problems encountered during plan implementation, execution, or testing;
-                    """
-                - 
-                  id:         ir-8_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Communicates incident response plan changes to {{ ir-8_prm_4 }};
-                                        and
-                    """
-                - 
-                  id:         ir-8_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Protects the incident response plan from unauthorized disclosure and
-                                        modification.
-                    """
-                - 
-                  id:    ir-8_fr
-                  name:  item
-                  title: IR-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-8_fr_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b) Requirement:
-                      prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-                    - 
-                      id:         ir-8_fr_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e) Requirement:
-                      prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-            - 
-              id:    ir-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  It is important that organizations develop and implement a coordinated approach to
-                                 incident response. Organizational missions, business functions, strategies, goals,
-                                 and objectives for incident response help to determine the structure of incident
-                                 response capabilities. As part of a comprehensive incident response capability,
-                                 organizations consider the coordination and sharing of information with external
-                                 organizations, including, for example, external service providers and organizations
-                                 involved in the supply chain for organizational information systems.
-                """
-              links: 
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-            - 
-              id:    ir-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(a)
-                  prose:      develops an incident response plan that:
-                  parts: 
-                    - 
-                      id:         ir-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(1)
-                      prose: 
-                        """
-                          provides the organization with a roadmap for implementing its incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(2)
-                      prose: 
-                        """
-                          describes the structure and organization of the incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(3)
-                      prose: 
-                        """
-                          provides a high-level approach for how the incident response capability fits
-                                               into the overall organization;
-                        """
-                    - 
-                      id:         ir-8.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(4)
-                      prose:      meets the unique requirements of the organization, which relate to:
-                      parts: 
-                        - 
-                          id:         ir-8.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[1]
-                          prose:      mission;
-                        - 
-                          id:         ir-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[2]
-                          prose:      size;
-                        - 
-                          id:         ir-8.a.4_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[3]
-                          prose:      structure;
-                        - 
-                          id:         ir-8.a.4_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[4]
-                          prose:      functions;
-                    - 
-                      id:         ir-8.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(5)
-                      prose:      defines reportable incidents;
-                    - 
-                      id:         ir-8.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(a)(6)
-                      prose: 
-                        """
-                          provides metrics for measuring the incident response capability within the
-                                               organization;
-                        """
-                    - 
-                      id:         ir-8.a.7_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(7)
-                      prose: 
-                        """
-                          defines the resources and management support needed to effectively maintain and
-                                               mature an incident response capability;
-                        """
-                    - 
-                      id:         ir-8.a.8_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(8)
-                      parts: 
-                        - 
-                          id:         ir-8.a.8_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(a)(8)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to review and approve the incident response
-                                                      plan;
-                            """
-                        - 
-                          id:         ir-8.a.8_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-8(a)(8)[2]
-                          prose:      is reviewed and approved by organization-defined personnel or roles;
-                - 
-                  id:         ir-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(b)
-                  parts: 
-                    - 
-                      id:         ir-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(b)[1]
-                      parts: 
-                        - 
-                          id:         ir-8.b_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(b)[1][a]
-                          prose: 
-                            """
-                              defines incident response personnel (identified by name and/or by role) to
-                                                      whom copies of the incident response plan are to be distributed;
-                            """
-                        - 
-                          id:         ir-8.b_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(b)[1][b]
-                          prose: 
-                            """
-                              defines organizational elements to whom copies of the incident response plan
-                                                      are to be distributed;
-                            """
-                    - 
-                      id:         ir-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the incident response plan to organization-defined
-                                               incident response personnel (identified by name and/or by role) and
-                                               organizational elements;
-                        """
-                - 
-                  id:         ir-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(c)
-                  parts: 
-                    - 
-                      id:         ir-8.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(c)[1]
-                      prose:      defines the frequency to review the incident response plan;
-                    - 
-                      id:         ir-8.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-8(c)[2]
-                      prose:      reviews the incident response plan with the organization-defined frequency;
-                - 
-                  id:         ir-8.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-8(d)
-                  prose: 
-                    """
-                      updates the incident response plan to address system/organizational changes or
-                                        problems encountered during plan:
-                    """
-                  parts: 
-                    - 
-                      id:         ir-8.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[1]
-                      prose:      implementation;
-                    - 
-                      id:         ir-8.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[2]
-                      prose:      execution; or
-                    - 
-                      id:         ir-8.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[3]
-                      prose:      testing;
-                - 
-                  id:         ir-8.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(e)
-                  parts: 
-                    - 
-                      id:         ir-8.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(e)[1]
-                      parts: 
-                        - 
-                          id:         ir-8.e_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(e)[1][a]
-                          prose: 
-                            """
-                              defines incident response personnel (identified by name and/or by role) to
-                                                      whom incident response plan changes are to be communicated;
-                            """
-                        - 
-                          id:         ir-8.e_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IR-8(e)[1][b]
-                          prose: 
-                            """
-                              defines organizational elements to whom incident response plan changes are
-                                                      to be communicated;
-                            """
-                    - 
-                      id:         ir-8.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(e)[2]
-                      prose: 
-                        """
-                          communicates incident response plan changes to organization-defined incident
-                                               response personnel (identified by name and/or by role) and organizational
-                                               elements; and
-                        """
-                - 
-                  id:         ir-8.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-8(f)
-                  prose: 
-                    """
-                      protects the incident response plan from unauthorized disclosure and
-                                        modification.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational incident response plan and related organizational processes
-    - 
-      id:       ma
-      class:    family
-      title:    Maintenance
-      controls: 
-        - 
-          id:         ma-1
-          class:      SP800-53
-          title:      System Maintenance Policy and Procedures
-          parameters: 
-            - 
-              id:    ma-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ma-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ma-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MA-1
-            - 
-              name:  sort-id
-              value: ma-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ma-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ma-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ma-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system maintenance policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ma-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system maintenance policy
-                                               and associated system maintenance controls; and
-                        """
-                - 
-                  id:         ma-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ma-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      System maintenance policy {{ ma-1_prm_2 }}; and
-                    - 
-                      id:         ma-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System maintenance procedures {{ ma-1_prm_3 }}.
-            - 
-              id:    ma-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the MA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ma-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ma-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-1(a)
-                  parts: 
-                    - 
-                      id:         ma-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ma-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[1]
-                          prose:      develops and documents a system maintenance policy that addresses:
-                          parts: 
-                            - 
-                              id:         ma-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ma-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ma-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ma-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ma-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ma-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ma-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ma-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system maintenance policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ma-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system maintenance policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ma-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ma-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      maintenance policy and associated system maintenance controls;
-                            """
-                        - 
-                          id:         ma-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ma-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ma-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-1(b)
-                  parts: 
-                    - 
-                      id:         ma-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ma-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system maintenance
-                                                      policy;
-                            """
-                        - 
-                          id:         ma-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system maintenance policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ma-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ma-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system maintenance
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ma-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system maintenance procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Maintenance policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ma-2
-          class:      SP800-53
-          title:      Controlled Maintenance
-          parameters: 
-            - 
-              id:    ma-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ma-2_prm_2
-              label: organization-defined maintenance-related information
-          properties: 
-            - 
-              name:  label
-              value: MA-2
-            - 
-              name:  sort-id
-              value: ma-02
-          parts: 
-            - 
-              id:    ma-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Schedules, performs, documents, and reviews records of maintenance and repairs on
-                                        information system components in accordance with manufacturer or vendor
-                                        specifications and/or organizational requirements;
-                    """
-                - 
-                  id:         ma-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Approves and monitors all maintenance activities, whether performed on site or
-                                        remotely and whether the equipment is serviced on site or removed to another
-                                        location;
-                    """
-                - 
-                  id:         ma-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Requires that {{ ma-2_prm_1 }} explicitly approve the removal of
-                                        the information system or system components from organizational facilities for
-                                        off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Sanitizes equipment to remove all information from associated media prior to
-                                        removal from organizational facilities for off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Checks all potentially impacted security controls to verify that the controls are
-                                        still functioning properly following maintenance or repair actions; and
-                    """
-                - 
-                  id:         ma-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Includes {{ ma-2_prm_2 }} in organizational maintenance
-                                        records.
-                    """
-            - 
-              id:    ma-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the information security aspects of the information system
-                                 maintenance program and applies to all types of maintenance to any system component
-                                 (including applications) conducted by any local or nonlocal entity (e.g.,
-                                 in-contract, warranty, in-house, software maintenance agreement). System maintenance
-                                 also includes those components not directly associated with information processing
-                                 and/or data/information retention such as scanners, copiers, and printers.
-                                 Information necessary for creating effective maintenance records includes, for
-                                 example: (i) date and time of maintenance; (ii) name of individuals or group
-                                 performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-                                 the maintenance performed; and (v) information system components/equipment removed or
-                                 replaced (including identification numbers, if applicable). The level of detail
-                                 included in maintenance records can be informed by the security categories of
-                                 organizational information systems. Organizations consider supply chain issues
-                                 associated with replacement components for information systems.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    ma-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ma-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(a)
-                  parts: 
-                    - 
-                      id:         ma-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(a)[1]
-                      prose: 
-                        """
-                          schedules maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[1][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[1][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(a)[2]
-                      prose: 
-                        """
-                          performs maintenance and repairs on information system components in accordance
-                                               with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[2][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[2][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(a)[3]
-                      prose: 
-                        """
-                          documents maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[3][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[3][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(a)[4]
-                      prose: 
-                        """
-                          reviews records of maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[4][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[4][b]
-                          prose:      organizational requirements;
-                - 
-                  id:         ma-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(b)
-                  parts: 
-                    - 
-                      id:         ma-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(b)[1]
-                      prose: 
-                        """
-                          approves all maintenance activities, whether performed on site or remotely and
-                                               whether the equipment is serviced on site or removed to another location;
-                        """
-                    - 
-                      id:         ma-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-2(b)[2]
-                      prose: 
-                        """
-                          monitors all maintenance activities, whether performed on site or remotely and
-                                               whether the equipment is serviced on site or removed to another location;
-                        """
-                - 
-                  id:         ma-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(c)
-                  parts: 
-                    - 
-                      id:         ma-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(c)[1]
-                      prose: 
-                        """
-                          defines personnel or roles required to explicitly approve the removal of the
-                                               information system or system components from organizational facilities for
-                                               off-site maintenance or repairs;
-                        """
-                    - 
-                      id:         ma-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(c)[2]
-                      prose: 
-                        """
-                          requires that organization-defined personnel or roles explicitly approve the
-                                               removal of the information system or system components from organizational
-                                               facilities for off-site maintenance or repairs;
-                        """
-                - 
-                  id:         ma-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-2(d)
-                  prose: 
-                    """
-                      sanitizes equipment to remove all information from associated media prior to
-                                        removal from organizational facilities for off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-2(e)
-                  prose: 
-                    """
-                      checks all potentially impacted security controls to verify that the controls are
-                                        still functioning properly following maintenance or repair actions;
-                    """
-                - 
-                  id:         ma-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(f)
-                  parts: 
-                    - 
-                      id:         ma-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(f)[1]
-                      prose: 
-                        """
-                          defines maintenance-related information to be included in organizational
-                                               maintenance records; and
-                        """
-                    - 
-                      id:         ma-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(f)[2]
-                      prose: 
-                        """
-                          includes organization-defined maintenance-related information in organizational
-                                               maintenance records.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for scheduling, performing, documenting, reviewing,
-                                        approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system
-                                        components
-                    """
-        - 
-          id:         ma-4
-          class:      SP800-53
-          title:      Nonlocal Maintenance
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MA-4
-            - 
-              name:  sort-id
-              value: ma-04
-          links: 
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #f2dbd4ec-c413-4714-b85b-6b7184d1c195
-              rel:  reference
-              text: FIPS Publication 197
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-            - 
-              href: #a4aa9645-9a8a-4b51-90a9-e223250f9a75
-              rel:  reference
-              text: CNSS Policy 15
-          parts: 
-            - 
-              id:    ma-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Approves and monitors nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                                        with organizational policy and documented in the security plan for the information
-                                        system;
-                    """
-                - 
-                  id:         ma-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Employs strong authenticators in the establishment of nonlocal maintenance and
-                                        diagnostic sessions;
-                    """
-                - 
-                  id:         ma-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Maintains records for nonlocal maintenance and diagnostic activities; and
-                - 
-                  id:         ma-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Terminates session and network connections when nonlocal maintenance is
-                                        completed.
-                    """
-            - 
-              id:    ma-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Nonlocal maintenance and diagnostic activities are those activities conducted by
-                                 individuals communicating through a network, either an external network (e.g., the
-                                 Internet) or an internal network. Local maintenance and diagnostic activities are
-                                 those activities carried out by individuals physically present at the information
-                                 system or information system component and not communicating across a network
-                                 connection. Authentication techniques used in the establishment of nonlocal
-                                 maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-                                 Typically, strong authentication requires authenticators that are resistant to replay
-                                 attacks and employ multifactor authentication. Strong authenticators include, for
-                                 example, PKI where certificates are stored on a token protected by a password,
-                                 passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-                                 other controls.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-            - 
-              id:    ma-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(a)
-                  parts: 
-                    - 
-                      id:         ma-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-4(a)[1]
-                      prose:      approves nonlocal maintenance and diagnostic activities;
-                    - 
-                      id:         ma-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(a)[2]
-                      prose:      monitors nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-4(b)
-                  prose:      allows the use of nonlocal maintenance and diagnostic tools only:
-                  parts: 
-                    - 
-                      id:         ma-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(b)[1]
-                      prose:      as consistent with organizational policy;
-                    - 
-                      id:         ma-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(b)[2]
-                      prose:      as documented in the security plan for the information system;
-                - 
-                  id:         ma-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-4(c)
-                  prose: 
-                    """
-                      employs strong authenticators in the establishment of nonlocal maintenance and
-                                        diagnostic sessions;
-                    """
-                - 
-                  id:         ma-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-4(d)
-                  prose:      maintains records for nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(e)
-                  parts: 
-                    - 
-                      id:         ma-4.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(e)[1]
-                      prose: 
-                        """
-                          terminates sessions when nonlocal maintenance or diagnostics is completed;
-                                               and
-                        """
-                    - 
-                      id:         ma-4.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(e)[2]
-                      prose: 
-                        """
-                          terminates network connections when nonlocal maintenance or diagnostics is
-                                               completed.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and/or managing nonlocal
-                                        maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                                        sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network
-                                        connections
-                    """
-        - 
-          id:         ma-5
-          class:      SP800-53
-          title:      Maintenance Personnel
-          properties: 
-            - 
-              name:  label
-              value: MA-5
-            - 
-              name:  sort-id
-              value: ma-05
-          parts: 
-            - 
-              id:    ma-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes a process for maintenance personnel authorization and maintains a list
-                                        of authorized maintenance organizations or personnel;
-                    """
-                - 
-                  id:         ma-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that non-escorted personnel performing maintenance on the information
-                                        system have required access authorizations; and
-                    """
-                - 
-                  id:         ma-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Designates organizational personnel with required access authorizations and
-                                        technical competence to supervise the maintenance activities of personnel who do
-                                        not possess the required access authorizations.
-                    """
-            - 
-              id:    ma-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to individuals performing hardware or software maintenance on
-                                 organizational information systems, while PE-2 addresses physical access for
-                                 individuals whose maintenance duties place them within the physical protection
-                                 perimeter of the systems (e.g., custodial staff, physical plant maintenance
-                                 personnel). Technical competence of supervising individuals relates to the
-                                 maintenance performed on the information systems while having required access
-                                 authorizations refers to maintenance on and near the systems. Individuals not
-                                 previously identified as authorized maintenance personnel, such as information
-                                 technology manufacturers, vendors, systems integrators, and consultants, may require
-                                 privileged access to organizational information systems, for example, when required
-                                 to conduct maintenance activities with little or no notice. Based on organizational
-                                 assessments of risk, organizations may issue temporary credentials to these
-                                 individuals. Temporary credentials may be for one-time use or for very limited time
-                                 periods.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    ma-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-5(a)
-                  parts: 
-                    - 
-                      id:         ma-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-5(a)[1]
-                      prose:      establishes a process for maintenance personnel authorization;
-                    - 
-                      id:         ma-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-5(a)[2]
-                      prose:      maintains a list of authorized maintenance organizations or personnel;
-                - 
-                  id:         ma-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-5(b)
-                  prose: 
-                    """
-                      ensures that non-escorted personnel performing maintenance on the information
-                                        system have required access authorizations; and
-                    """
-                - 
-                  id:         ma-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-5(c)
-                  prose: 
-                    """
-                      designates organizational personnel with required access authorizations and
-                                        technical competence to supervise the maintenance activities of personnel who do
-                                        not possess the required access authorizations.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and/or implementing authorization of maintenance
-                                        personnel
-                    """
-    - 
-      id:       mp
-      class:    family
-      title:    Media Protection
-      controls: 
-        - 
-          id:         mp-1
-          class:      SP800-53
-          title:      Media Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    mp-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          mp-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          mp-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MP-1
-            - 
-              name:  sort-id
-              value: mp-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    mp-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ mp-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         mp-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A media protection policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         mp-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the media protection policy and
-                                               associated media protection controls; and
-                        """
-                - 
-                  id:         mp-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         mp-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Media protection policy {{ mp-1_prm_2 }}; and
-                    - 
-                      id:         mp-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Media protection procedures {{ mp-1_prm_3 }}.
-            - 
-              id:    mp-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the MP
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    mp-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         mp-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-1(a)
-                  parts: 
-                    - 
-                      id:         mp-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(a)(1)
-                      parts: 
-                        - 
-                          id:         mp-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[1]
-                          prose:      develops and documents a media protection policy that addresses:
-                          parts: 
-                            - 
-                              id:         mp-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         mp-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         mp-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         mp-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         mp-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         mp-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         mp-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         mp-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the media protection policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         mp-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the media protection policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         mp-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(a)(2)
-                      parts: 
-                        - 
-                          id:         mp-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      media protection policy and associated media protection controls;
-                            """
-                        - 
-                          id:         mp-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         mp-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         mp-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-1(b)
-                  parts: 
-                    - 
-                      id:         mp-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(b)(1)
-                      parts: 
-                        - 
-                          id:         mp-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current media protection
-                                                      policy;
-                            """
-                        - 
-                          id:         mp-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current media protection policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         mp-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(b)(2)
-                      parts: 
-                        - 
-                          id:         mp-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current media protection
-                                                      procedures; and
-                            """
-                        - 
-                          id:         mp-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current media protection procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Media protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         mp-2
-          class:      SP800-53
-          title:      Media Access
-          parameters: 
-            - 
-              id:    mp-2_prm_1
-              label: organization-defined types of digital and/or non-digital media
-            - 
-              id:    mp-2_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: MP-2
-            - 
-              name:  sort-id
-              value: mp-02
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-2_smt
-              name:  statement
-              prose: The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}.
-            - 
-              id:    mp-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. Restricting non-digital media access
-                                 includes, for example, denying access to patient medical records in a community
-                                 hospital unless the individuals seeking access to such records are authorized
-                                 healthcare providers. Restricting access to digital media includes, for example,
-                                 limiting access to design specifications stored on compact disks in the media library
-                                 to the project leader and the individuals on the development team.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-            - 
-              id:    mp-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-2_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-2[1]
-                  prose:      defines types of digital and/or non-digital media requiring restricted access;
-                - 
-                  id:         mp-2_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-2[2]
-                  prose: 
-                    """
-                      defines personnel or roles authorized to access organization-defined types of
-                                        digital and/or non-digital media; and
-                    """
-                - 
-                  id:         mp-2_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-2[3]
-                  prose: 
-                    """
-                      restricts access to organization-defined types of digital and/or non-digital media
-                                        to organization-defined personnel or roles.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for restricting information media\n\nautomated mechanisms supporting and/or implementing media access restrictions
-        - 
-          id:         mp-6
-          class:      SP800-53
-          title:      Media Sanitization
-          parameters: 
-            - 
-              id:    mp-6_prm_1
-              label: organization-defined information system media
-            - 
-              id:    mp-6_prm_2
-              label: organization-defined sanitization techniques and procedures
-          properties: 
-            - 
-              name:  label
-              value: MP-6
-            - 
-              name:  sort-id
-              value: mp-06
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-            - 
-              href: #a47466c4-c837-4f06-a39f-e68412a5f73d
-              rel:  reference
-              text: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-          parts: 
-            - 
-              id:    mp-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of
-                                        organizational control, or release for reuse using {{ mp-6_prm_2 }}
-                                        in accordance with applicable federal and organizational standards and policies;
-                                        and
-                    """
-                - 
-                  id:         mp-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs sanitization mechanisms with the strength and integrity commensurate with
-                                        the security category or classification of the information.
-                    """
-            - 
-              id:    mp-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to all information system media, both digital and non-digital,
-                                 subject to disposal or reuse, whether or not the media is considered removable.
-                                 Examples include media found in scanners, copiers, printers, notebook computers,
-                                 workstations, network components, and mobile devices. The sanitization process
-                                 removes information from the media such that the information cannot be retrieved or
-                                 reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-                                 erase, and destruction, prevent the disclosure of information to unauthorized
-                                 individuals when such media is reused or released for disposal. Organizations
-                                 determine the appropriate sanitization methods recognizing that destruction is
-                                 sometimes necessary when other methods cannot be applied to media requiring
-                                 sanitization. Organizations use discretion on the employment of approved sanitization
-                                 techniques and procedures for media containing information deemed to be in the public
-                                 domain or publicly releasable, or deemed to have no adverse impact on organizations
-                                 or individuals if released for reuse or disposal. Sanitization of non-digital media
-                                 includes, for example, removing a classified appendix from an otherwise unclassified
-                                 document, or redacting selected sections or words from a document by obscuring the
-                                 redacted sections/words in a manner equivalent in effectiveness to removing them from
-                                 the document. NSA standards and policies control the sanitization process for media
-                                 containing classified information.
-                """
-              links: 
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-4
-                  rel:  related
-                  text: SC-4
-            - 
-              id:    mp-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-6(a)
-                  parts: 
-                    - 
-                      id:         mp-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(a)[1]
-                      prose:      defines information system media to be sanitized prior to:
-                      parts: 
-                        - 
-                          id:         mp-6.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][a]
-                          prose:      disposal;
-                        - 
-                          id:         mp-6.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][b]
-                          prose:      release out of organizational control; or
-                        - 
-                          id:         mp-6.a_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][c]
-                          prose:      release for reuse;
-                    - 
-                      id:         mp-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(a)[2]
-                      prose: 
-                        """
-                          defines sanitization techniques or procedures to be used for sanitizing
-                                               organization-defined information system media prior to:
-                        """
-                      parts: 
-                        - 
-                          id:         mp-6.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][a]
-                          prose:      disposal;
-                        - 
-                          id:         mp-6.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][b]
-                          prose:      release out of organizational control; or
-                        - 
-                          id:         mp-6.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][c]
-                          prose:      release for reuse;
-                    - 
-                      id:         mp-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-6(a)[3]
-                      prose: 
-                        """
-                          sanitizes organization-defined information system media prior to disposal,
-                                               release out of organizational control, or release for reuse using
-                                               organization-defined sanitization techniques or procedures in accordance with
-                                               applicable federal and organizational standards and policies; and
-                        """
-                - 
-                  id:         mp-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-6(b)
-                  prose: 
-                    """
-                      employs sanitization mechanisms with strength and integrity commensurate with the
-                                        security category or classification of the information.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization
-        - 
-          id:         mp-7
-          class:      SP800-53
-          title:      Media Use
-          parameters: 
-            - 
-              id: mp-7_prm_1
-            - 
-              id:    mp-7_prm_2
-              label: organization-defined types of information system media
-            - 
-              id:    mp-7_prm_3
-              label: organization-defined information systems or system components
-            - 
-              id:    mp-7_prm_4
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: MP-7
-            - 
-              name:  sort-id
-              value: mp-07
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-7_smt
-              name:  statement
-              prose: The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}.
-            - 
-              id:    mp-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. This control also applies to mobile
-                                 devices with information storage capability (e.g., smart phones, tablets, E-readers).
-                                 In contrast to MP-2, which restricts user access to media, this control restricts the
-                                 use of certain types of media on information systems, for example,
-                                 restricting/prohibiting the use of flash drives or external hard disk drives.
-                                 Organizations can employ technical and nontechnical safeguards (e.g., policies,
-                                 procedures, rules of behavior) to restrict the use of information system media.
-                                 Organizations may restrict the use of portable storage devices, for example, by using
-                                 physical cages on workstations to prohibit access to certain external ports, or
-                                 disabling/removing the ability to insert, read or write to such devices.
-                                 Organizations may also limit the use of portable storage devices to only approved
-                                 devices including, for example, devices provided by the organization, devices
-                                 provided by other approved organizations, and devices that are not personally owned.
-                                 Finally, organizations may restrict the use of portable storage devices based on the
-                                 type of device, for example, prohibiting the use of writeable, portable storage
-                                 devices, and implementing this restriction by disabling or removing the capability to
-                                 write to such devices.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    mp-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[1]
-                  prose:      defines types of information system media to be:
-                  parts: 
-                    - 
-                      id:         mp-7_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[1][a]
-                      prose:      restricted on information systems or system components; or
-                    - 
-                      id:         mp-7_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[1][b]
-                      prose:      prohibited from use on information systems or system components;
-                - 
-                  id:         mp-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[2]
-                  prose: 
-                    """
-                      defines information systems or system components on which the use of
-                                        organization-defined types of information system media is to be one of the
-                                        following:
-                    """
-                  parts: 
-                    - 
-                      id:         mp-7_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[2][a]
-                      prose:      restricted; or
-                    - 
-                      id:         mp-7_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[2][b]
-                      prose:      prohibited;
-                - 
-                  id:         mp-7_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-7[3]
-                  prose: 
-                    """
-                      defines security safeguards to be employed to restrict or prohibit the use of
-                                        organization-defined types of information system media on organization-defined
-                                        information systems or system components; and
-                    """
-                - 
-                  id:         mp-7_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-7[4]
-                  prose: 
-                    """
-                      restricts or prohibits the use of organization-defined information system media on
-                                        organization-defined information systems or system components using
-                                        organization-defined security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on
-                                        information systems or system components
-                    """
-    - 
-      id:       pe
-      class:    family
-      title:    Physical and Environmental Protection
-      controls: 
-        - 
-          id:         pe-1
-          class:      SP800-53
-          title:      Physical and Environmental Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    pe-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pe-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          pe-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-1
-            - 
-              name:  sort-id
-              value: pe-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    pe-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ pe-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         pe-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A physical and environmental protection policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         pe-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the physical and environmental
-                                               protection policy and associated physical and environmental protection
-                                               controls; and
-                        """
-                - 
-                  id:         pe-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         pe-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Physical and environmental protection policy {{ pe-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         pe-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Physical and environmental protection procedures {{ pe-1_prm_3 }}.
-            - 
-              id:    pe-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PE
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    pe-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         pe-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-1(a)
-                  parts: 
-                    - 
-                      id:         pe-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(a)(1)
-                      parts: 
-                        - 
-                          id:         pe-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a physical and environmental protection policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         pe-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         pe-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         pe-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         pe-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         pe-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         pe-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         pe-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         pe-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the physical and environmental protection
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         pe-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the physical and environmental protection policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         pe-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(a)(2)
-                      parts: 
-                        - 
-                          id:         pe-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      physical and environmental protection policy and associated physical and
-                                                      environmental protection controls;
-                            """
-                        - 
-                          id:         pe-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pe-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         pe-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-1(b)
-                  parts: 
-                    - 
-                      id:         pe-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(b)(1)
-                      parts: 
-                        - 
-                          id:         pe-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current physical and
-                                                      environmental protection policy;
-                            """
-                        - 
-                          id:         pe-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current physical and environmental protection policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         pe-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(b)(2)
-                      parts: 
-                        - 
-                          id:         pe-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current physical and
-                                                      environmental protection procedures; and
-                            """
-                        - 
-                          id:         pe-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current physical and environmental protection
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with physical and environmental protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         pe-2
-          class:      SP800-53
-          title:      Physical Access Authorizations
-          parameters: 
-            - 
-              id:          pe-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-2
-            - 
-              name:  sort-id
-              value: pe-02
-          parts: 
-            - 
-              id:    pe-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops, approves, and maintains a list of individuals with authorized access to
-                                        the facility where the information system resides;
-                    """
-                - 
-                  id:         pe-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Issues authorization credentials for facility access;
-                - 
-                  id:         pe-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Reviews the access list detailing authorized facility access by individuals
-                                           {{ pe-2_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Removes individuals from the facility access list when access is no longer
-                                        required.
-                    """
-            - 
-              id:    pe-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to organizational employees and visitors. Individuals (e.g.,
-                                 employees, contractors, and others) with permanent physical access authorization
-                                 credentials are not considered visitors. Authorization credentials include, for
-                                 example, badges, identification cards, and smart cards. Organizations determine the
-                                 strength of authorization credentials needed (including level of forge-proof badges,
-                                 smart cards, or identification cards) consistent with federal standards, policies,
-                                 and procedures. This control only applies to areas within facilities that have not
-                                 been designated as publicly accessible.
-                """
-              links: 
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-            - 
-              id:    pe-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(a)
-                  parts: 
-                    - 
-                      id:         pe-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PE-2(a)[1]
-                      prose: 
-                        """
-                          develops a list of individuals with authorized access to the facility where the
-                                               information system resides;
-                        """
-                    - 
-                      id:         pe-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-2(a)[2]
-                      prose: 
-                        """
-                          approves a list of individuals with authorized access to the facility where the
-                                               information system resides;
-                        """
-                    - 
-                      id:         pe-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PE-2(a)[3]
-                      prose: 
-                        """
-                          maintains a list of individuals with authorized access to the facility where
-                                               the information system resides;
-                        """
-                - 
-                  id:         pe-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-2(b)
-                  prose:      issues authorization credentials for facility access;
-                - 
-                  id:         pe-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(c)
-                  parts: 
-                    - 
-                      id:         pe-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the access list detailing authorized facility
-                                               access by individuals;
-                        """
-                    - 
-                      id:         pe-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-2(c)[2]
-                      prose: 
-                        """
-                          reviews the access list detailing authorized facility access by individuals
-                                               with the organization-defined frequency; and
-                        """
-                - 
-                  id:         pe-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-2(d)
-                  prose: 
-                    """
-                      removes individuals from the facility access list when access is no longer
-                                        required.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and/or implementing physical access
-                                        authorizations
-                    """
-        - 
-          id:         pe-3
-          class:      SP800-53
-          title:      Physical Access Control
-          parameters: 
-            - 
-              id:    pe-3_prm_1
-              label: 
-                """
-                  organization-defined entry/exit points to the facility where the information
-                                 system resides
-                """
-            - 
-              id:          pe-3_prm_2
-              constraints: 
-                - 
-                  detail: CSP defined physical access control systems/devices AND guards
-            - 
-              id:          pe-3_prm_3
-              depends-on:  pe-3_prm_2
-              label:       organization-defined physical access control systems/devices
-              constraints: 
-                - 
-                  detail: CSP defined physical access control systems/devices
-            - 
-              id:    pe-3_prm_4
-              label: organization-defined entry/exit points
-            - 
-              id:    pe-3_prm_5
-              label: organization-defined security safeguards
-            - 
-              id:          pe-3_prm_6
-              label: 
-                """
-                  organization-defined circumstances requiring visitor escorts and
-                                 monitoring
-                """
-              constraints: 
-                - 
-                  detail: in all circumstances within restricted access area where the information system resides
-            - 
-              id:    pe-3_prm_7
-              label: organization-defined physical access devices
-            - 
-              id:          pe-3_prm_8
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          pe-3_prm_9
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-3
-            - 
-              name:  sort-id
-              value: pe-03
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #2157bb7e-192c-4eaa-877f-93ef6b0a3292
-              rel:  reference
-              text: NIST Special Publication 800-116
-            - 
-              href: #6caa237b-531b-43ac-9711-d8f6b97b0377
-              rel:  reference
-              text: ICD 704
-            - 
-              href: #398e33fd-f404-4e5c-b90e-2d50d3181244
-              rel:  reference
-              text: ICD 705
-            - 
-              href: #61081e7f-041d-4033-96a7-44a439071683
-              rel:  reference
-              text: DoD Instruction 5200.39
-            - 
-              href: #dd2f5acd-08f1-435a-9837-f8203088dc1a
-              rel:  reference
-              text: 
-                """
-                  Personal Identity Verification (PIV) in Enterprise
-                              Physical Access Control System (E-PACS)
-                """
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-            - 
-              href: #5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-              rel:  reference
-              text: http://fips201ep.cio.gov
-          parts: 
-            - 
-              id:    pe-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Enforces physical access authorizations at {{ pe-3_prm_1 }} by;
-                  parts: 
-                    - 
-                      id:         pe-3_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Verifying individual access authorizations before granting access to the
-                                               facility; and
-                        """
-                    - 
-                      id:         pe-3_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};
-                - 
-                  id:         pe-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Maintains physical access audit logs for {{ pe-3_prm_4 }};
-                - 
-                  id:         pe-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides {{ pe-3_prm_5 }} to control access to areas within the
-                                        facility officially designated as publicly accessible;
-                    """
-                - 
-                  id:         pe-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};
-                - 
-                  id:         pe-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Secures keys, combinations, and other physical access devices;
-                - 
-                  id:         pe-3_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};
-                                        and
-                    """
-                - 
-                  id:         pe-3_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are
-                                        lost, combinations are compromised, or individuals are transferred or
-                                        terminated.
-                    """
-            - 
-              id:    pe-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to organizational employees and visitors. Individuals (e.g.,
-                                 employees, contractors, and others) with permanent physical access authorization
-                                 credentials are not considered visitors. Organizations determine the types of
-                                 facility guards needed including, for example, professional physical security staff
-                                 or other personnel such as administrative staff or information system users. Physical
-                                 access devices include, for example, keys, locks, combinations, and card readers.
-                                 Safeguards for publicly accessible areas within organizational facilities include,
-                                 for example, cameras, monitoring by guards, and isolating selected information
-                                 systems and/or system components in secured areas. Physical access control systems
-                                 comply with applicable federal laws, Executive Orders, directives, policies,
-                                 regulations, standards, and guidance. The Federal Identity, Credential, and Access
-                                 Management Program provides implementation guidance for identity, credential, and
-                                 access management capabilities for physical access control systems. Organizations
-                                 have flexibility in the types of audit logs employed. Audit logs can be procedural
-                                 (e.g., a written log of individuals accessing the facility and when such access
-                                 occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-                                 thereof. Physical access points can include facility access points, interior access
-                                 points to information systems and/or components requiring supplemental access
-                                 controls, or both. Components of organizational information systems (e.g.,
-                                 workstations, terminals) may be located in areas designated as publicly accessible
-                                 with organizations safeguarding access to such devices.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #pe-5
-                  rel:  related
-                  text: PE-5
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    pe-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(a)
-                  parts: 
-                    - 
-                      id:         pe-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(a)[1]
-                      prose: 
-                        """
-                          defines entry/exit points to the facility where the information system
-                                               resides;
-                        """
-                    - 
-                      id:         pe-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-3(a)[2]
-                      prose: 
-                        """
-                          enforces physical access authorizations at organization-defined entry/exit
-                                               points to the facility where the information system resides by:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(a)[2](1)
-                          prose: 
-                            """
-                              verifying individual access authorizations before granting access to the
-                                                      facility;
-                            """
-                        - 
-                          id:         pe-3.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-3(a)[2](2)
-                          parts: 
-                            - 
-                              id:         pe-3.a.2_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-3(a)[2](2)[a]
-                              prose: 
-                                """
-                                  defining physical access control systems/devices to be employed to
-                                                             control ingress/egress to the facility where the information system
-                                                             resides;
-                                """
-                            - 
-                              id:         pe-3.a.2_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-3(a)[2](2)[b]
-                              prose: 
-                                """
-                                  using one or more of the following ways to control ingress/egress to the
-                                                             facility:
-                                """
-                              parts: 
-                                - 
-                                  id:         pe-3.a.2_obj.2.b.1
-                                  name:       objective
-                                  properties: 
-                                    - 
-                                      name:  label
-                                      value: PE-3(a)[2](2)[b][1]
-                                  prose: 
-                                    """
-                                      organization-defined physical access control systems/devices;
-                                                                    and/or
-                                    """
-                                - 
-                                  id:         pe-3.a.2_obj.2.b.2
-                                  name:       objective
-                                  properties: 
-                                    - 
-                                      name:  label
-                                      value: PE-3(a)[2](2)[b][2]
-                                  prose:      guards;
-                - 
-                  id:         pe-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(b)
-                  parts: 
-                    - 
-                      id:         pe-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(b)[1]
-                      prose: 
-                        """
-                          defines entry/exit points for which physical access audit logs are to be
-                                               maintained;
-                        """
-                    - 
-                      id:         pe-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(b)[2]
-                      prose: 
-                        """
-                          maintains physical access audit logs for organization-defined entry/exit
-                                               points;
-                        """
-                - 
-                  id:         pe-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(c)
-                  parts: 
-                    - 
-                      id:         pe-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(c)[1]
-                      prose: 
-                        """
-                          defines security safeguards to be employed to control access to areas within
-                                               the facility officially designated as publicly accessible;
-                        """
-                    - 
-                      id:         pe-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(c)[2]
-                      prose: 
-                        """
-                          provides organization-defined security safeguards to control access to areas
-                                               within the facility officially designated as publicly accessible;
-                        """
-                - 
-                  id:         pe-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(d)
-                  parts: 
-                    - 
-                      id:         pe-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(d)[1]
-                      prose:      defines circumstances requiring visitor:
-                      parts: 
-                        - 
-                          id:         pe-3.d_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[1][a]
-                          prose:      escorts;
-                        - 
-                          id:         pe-3.d_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[1][b]
-                          prose:      monitoring;
-                    - 
-                      id:         pe-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(d)[2]
-                      prose: 
-                        """
-                          in accordance with organization-defined circumstances requiring visitor escorts
-                                               and monitoring:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.d_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[2][a]
-                          prose:      escorts visitors;
-                        - 
-                          id:         pe-3.d_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[2][b]
-                          prose:      monitors visitor activities;
-                - 
-                  id:         pe-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(e)
-                  parts: 
-                    - 
-                      id:         pe-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[1]
-                      prose:      secures keys;
-                    - 
-                      id:         pe-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[2]
-                      prose:      secures combinations;
-                    - 
-                      id:         pe-3.e_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[3]
-                      prose:      secures other physical access devices;
-                - 
-                  id:         pe-3.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(f)
-                  parts: 
-                    - 
-                      id:         pe-3.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(f)[1]
-                      prose:      defines physical access devices to be inventoried;
-                    - 
-                      id:         pe-3.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(f)[2]
-                      prose: 
-                        """
-                          defines the frequency to inventory organization-defined physical access
-                                               devices;
-                        """
-                    - 
-                      id:         pe-3.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(f)[3]
-                      prose: 
-                        """
-                          inventories the organization-defined physical access devices with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         pe-3.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(g)
-                  parts: 
-                    - 
-                      id:         pe-3.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(g)[1]
-                      prose:      defines the frequency to change combinations and keys; and
-                    - 
-                      id:         pe-3.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(g)[2]
-                      prose: 
-                        """
-                          changes combinations and keys with the organization-defined frequency and/or
-                                               when:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.g_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][a]
-                          prose:      keys are lost;
-                        - 
-                          id:         pe-3.g_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][b]
-                          prose:      combinations are compromised;
-                        - 
-                          id:         pe-3.g_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][c]
-                          prose:      individuals are transferred or terminated.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible
-                                        areas within facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for physical access control\n\nautomated mechanisms supporting and/or implementing physical access control\n\nphysical access control devices
-        - 
-          id:         pe-6
-          class:      SP800-53
-          title:      Monitoring Physical Access
-          parameters: 
-            - 
-              id:          pe-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-            - 
-              id:    pe-6_prm_2
-              label: organization-defined events or potential indications of events
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-6
-            - 
-              name:  sort-id
-              value: pe-06
-          parts: 
-            - 
-              id:    pe-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Monitors physical access to the facility where the information system resides to
-                                        detect and respond to physical security incidents;
-                    """
-                - 
-                  id:         pe-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence
-                                        of {{ pe-6_prm_2 }}; and
-                    """
-                - 
-                  id:         pe-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Coordinates results of reviews and investigations with the organizational incident
-                                        response capability.
-                    """
-            - 
-              id:    pe-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational incident response capabilities include investigations of and responses
-                                 to detected physical security incidents. Security incidents include, for example,
-                                 apparent security violations or suspicious physical access activities. Suspicious
-                                 physical access activities include, for example: (i) accesses outside of normal work
-                                 hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-                                 unusual lengths of time; and (iv) out-of-sequence accesses.
-                """
-              links: 
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    pe-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-6(a)
-                  prose: 
-                    """
-                      monitors physical access to the facility where the information system resides to
-                                        detect and respond to physical security incidents;
-                    """
-                - 
-                  id:         pe-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-6(b)
-                  parts: 
-                    - 
-                      id:         pe-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-6(b)[1]
-                      prose:      defines the frequency to review physical access logs;
-                    - 
-                      id:         pe-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-6(b)[2]
-                      prose: 
-                        """
-                          defines events or potential indication of events requiring physical access logs
-                                               to be reviewed;
-                        """
-                    - 
-                      id:         pe-6.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-6(b)[3]
-                      prose: 
-                        """
-                          reviews physical access logs with the organization-defined frequency and upon
-                                               occurrence of organization-defined events or potential indications of events;
-                                               and
-                        """
-                - 
-                  id:         pe-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-6(c)
-                  prose: 
-                    """
-                      coordinates results of reviews and investigations with the organizational incident
-                                        response capability.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and/or implementing physical access monitoring\n\nautomated mechanisms supporting and/or implementing reviewing of physical access
-                                        logs
-                    """
-        - 
-          id:         pe-8
-          class:      SP800-53
-          title:      Visitor Access Records
-          parameters: 
-            - 
-              id:          pe-8_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: for a minimum of one (1) year
-            - 
-              id:          pe-8_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-8
-            - 
-              name:  sort-id
-              value: pe-08
-          parts: 
-            - 
-              id:    pe-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Maintains visitor access records to the facility where the information system
-                                        resides for {{ pe-8_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews visitor access records {{ pe-8_prm_2 }}.
-            - 
-              id:    pe-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Visitor access records include, for example, names and organizations of persons
-                                 visiting, visitor signatures, forms of identification, dates of access, entry and
-                                 departure times, purposes of visits, and names and organizations of persons visited.
-                                 Visitor access records are not required for publicly accessible areas.
-                """
-            - 
-              id:    pe-8_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-8(a)
-                  parts: 
-                    - 
-                      id:         pe-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-8(a)[1]
-                      prose: 
-                        """
-                          defines the time period to maintain visitor access records to the facility
-                                               where the information system resides;
-                        """
-                    - 
-                      id:         pe-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-8(a)[2]
-                      prose: 
-                        """
-                          maintains visitor access records to the facility where the information system
-                                               resides for the organization-defined time period;
-                        """
-                - 
-                  id:         pe-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-8(b)
-                  parts: 
-                    - 
-                      id:         pe-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-8(b)[1]
-                      prose:      defines the frequency to review visitor access records; and
-                    - 
-                      id:         pe-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-8(b)[2]
-                      prose:      reviews visitor access records with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and/or implementing maintenance and review of
-                                        visitor access records
-                    """
-        - 
-          id:         pe-12
-          class:      SP800-53
-          title:      Emergency Lighting
-          properties: 
-            - 
-              name:  label
-              value: PE-12
-            - 
-              name:  sort-id
-              value: pe-12
-          parts: 
-            - 
-              id:    pe-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs and maintains automatic emergency lighting for the
-                                 information system that activates in the event of a power outage or disruption and
-                                 that covers emergency exits and evacuation routes within the facility.
-                """
-            - 
-              id:    pe-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:    pe-12_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization employs and maintains automatic emergency lighting for
-                                 the information system that: 
-                """
-              parts: 
-                - 
-                  id:         pe-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-12[1]
-                  prose:      activates in the event of a power outage or disruption; and
-                - 
-                  id:         pe-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-12[2]
-                  prose:      covers emergency exits and evacuation routes within the facility.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for emergency lighting and/or
-                                        planning\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing emergency lighting
-                                        capability
-                    """
-        - 
-          id:         pe-13
-          class:      SP800-53
-          title:      Fire Protection
-          properties: 
-            - 
-              name:  label
-              value: PE-13
-            - 
-              name:  sort-id
-              value: pe-13
-          parts: 
-            - 
-              id:    pe-13_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs and maintains fire suppression and detection devices/systems
-                                 for the information system that are supported by an independent energy source.
-                """
-            - 
-              id:    pe-13_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms. Fire suppression and detection devices/systems include, for example,
-                                 sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-                                 detectors.
-                """
-            - 
-              id:    pe-13_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-13_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-13[1]
-                  prose: 
-                    """
-                      employs fire suppression and detection devices/systems for the information system
-                                        that are supported by an independent energy source; and
-                    """
-                - 
-                  id:         pe-13_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-13[2]
-                  prose: 
-                    """
-                      maintains fire suppression and detection devices/systems for the information
-                                        system that are supported by an independent energy source.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for fire detection and suppression
-                                        devices/systems\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing fire suppression/detection
-                                        devices/systems
-                    """
-        - 
-          id:         pe-14
-          class:      SP800-53
-          title:      Temperature and Humidity Controls
-          parameters: 
-            - 
-              id:          pe-14_prm_1
-              label:       organization-defined acceptable levels
-              constraints: 
-                - 
-                  detail: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-            - 
-              id:          pe-14_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: continuously
-          properties: 
-            - 
-              name:  label
-              value: PE-14
-            - 
-              name:  sort-id
-              value: pe-14
-          parts: 
-            - 
-              id:    pe-14_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-14_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Maintains temperature and humidity levels within the facility where the
-                                        information system resides at {{ pe-14_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-14_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Monitors temperature and humidity levels {{ pe-14_prm_2 }}.
-                - 
-                  id:    pe-14_fr
-                  name:  item
-                  title: PE-14(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         pe-14_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider measures temperature at server inlets and humidity levels by dew point.
-            - 
-              id:    pe-14_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources, for example, data centers, server rooms, and mainframe computer
-                                 rooms.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-            - 
-              id:    pe-14_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-14.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-14(a)
-                  parts: 
-                    - 
-                      id:         pe-14.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(a)[1]
-                      prose: 
-                        """
-                          defines acceptable temperature levels to be maintained within the facility
-                                               where the information system resides;
-                        """
-                    - 
-                      id:         pe-14.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(a)[2]
-                      prose: 
-                        """
-                          defines acceptable humidity levels to be maintained within the facility where
-                                               the information system resides;
-                        """
-                    - 
-                      id:         pe-14.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(a)[3]
-                      prose: 
-                        """
-                          maintains temperature levels within the facility where the information system
-                                               resides at the organization-defined levels;
-                        """
-                    - 
-                      id:         pe-14.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(a)[4]
-                      prose: 
-                        """
-                          maintains humidity levels within the facility where the information system
-                                               resides at the organization-defined levels;
-                        """
-                - 
-                  id:         pe-14.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-14(b)
-                  parts: 
-                    - 
-                      id:         pe-14.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(b)[1]
-                      prose:      defines the frequency to monitor temperature levels;
-                    - 
-                      id:         pe-14.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(b)[2]
-                      prose:      defines the frequency to monitor humidity levels;
-                    - 
-                      id:         pe-14.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(b)[3]
-                      prose:      monitors temperature levels with the organization-defined frequency; and
-                    - 
-                      id:         pe-14.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(b)[4]
-                      prose:      monitors humidity levels with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system
-                                        environmental controls\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                                        temperature and humidity levels
-                    """
-        - 
-          id:         pe-15
-          class:      SP800-53
-          title:      Water Damage Protection
-          properties: 
-            - 
-              name:  label
-              value: PE-15
-            - 
-              name:  sort-id
-              value: pe-15
-          parts: 
-            - 
-              id:    pe-15_smt
-              name:  statement
-              prose: 
-                """
-                  The organization protects the information system from damage resulting from water
-                                 leakage by providing master shutoff or isolation valves that are accessible, working
-                                 properly, and known to key personnel.
-                """
-            - 
-              id:    pe-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms. Isolation valves can be employed in addition to or in lieu of master
-                                 shutoff valves to shut off water supplies in specific areas of concern, without
-                                 affecting entire organizations.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-            - 
-              id:         pe-15_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization protects the information system from damage resulting
-                                 from water leakage by providing master shutoff or isolation valves that are: 
-                """
-              parts: 
-                - 
-                  id:         pe-15_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[1]
-                  prose:      accessible;
-                - 
-                  id:         pe-15_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[2]
-                  prose:      working properly; and
-                - 
-                  id:         pe-15_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[3]
-                  prose:      known to key personnel.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for
-                                        master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system
-                                        environmental controls\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Master water-shutoff valves\n\norganizational process for activating master water-shutoff
-        - 
-          id:         pe-16
-          class:      SP800-53
-          title:      Delivery and Removal
-          parameters: 
-            - 
-              id:          pe-16_prm_1
-              label:       organization-defined types of information system components
-              constraints: 
-                - 
-                  detail: all information system components
-          properties: 
-            - 
-              name:  label
-              value: PE-16
-            - 
-              name:  sort-id
-              value: pe-16
-          parts: 
-            - 
-              id:    pe-16_smt
-              name:  statement
-              prose: 
-                """
-                  The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}
-                                 entering and exiting the facility and maintains records of those items.
-                """
-            - 
-              id:    pe-16_gdn
-              name:  guidance
-              prose: 
-                """
-                  Effectively enforcing authorizations for entry and exit of information system
-                                 components may require restricting access to delivery areas and possibly isolating
-                                 the areas from the information system and media libraries.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    pe-16_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-16_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PE-16[1]
-                  prose: 
-                    """
-                      defines types of information system components to be authorized, monitored, and
-                                        controlled as such components are entering and exiting the facility;
-                    """
-                - 
-                  id:         pe-16_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[2]
-                  prose: 
-                    """
-                      authorizes organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[3]
-                  prose: 
-                    """
-                      monitors organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[4]
-                  prose: 
-                    """
-                      controls organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[5]
-                  prose: 
-                    """
-                      authorizes organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[6]
-                  prose: 
-                    """
-                      monitors organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.7
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[7]
-                  prose: 
-                    """
-                      controls organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.8
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-16[8]
-                  prose:      maintains records of information system components entering the facility; and
-                - 
-                  id:         pe-16_obj.9
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-16[9]
-                  prose:      maintains records of information system components exiting the facility.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from
-                                        the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for controlling information system
-                                        components entering and exiting the facility\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for authorizing, monitoring, and controlling information
-                                        system-related items entering and exiting the facility\n\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and
-                                        controlling information system-related items entering and exiting the facility
-                    """
-    - 
-      id:       pl
-      class:    family
-      title:    Planning
-      controls: 
-        - 
-          id:         pl-1
-          class:      SP800-53
-          title:      Security Planning Policy and Procedures
-          parameters: 
-            - 
-              id:    pl-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pl-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          pl-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PL-1
-            - 
-              name:  sort-id
-              value: pl-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    pl-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ pl-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         pl-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security planning policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         pl-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security planning policy and
-                                               associated security planning controls; and
-                        """
-                - 
-                  id:         pl-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         pl-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security planning policy {{ pl-1_prm_2 }}; and
-                    - 
-                      id:         pl-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security planning procedures {{ pl-1_prm_3 }}.
-            - 
-              id:    pl-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PL
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    pl-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         pl-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-1(a)
-                  parts: 
-                    - 
-                      id:         pl-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(a)(1)
-                      parts: 
-                        - 
-                          id:         pl-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[1]
-                          prose:      develops and documents a planning policy that addresses:
-                          parts: 
-                            - 
-                              id:         pl-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         pl-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         pl-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         pl-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         pl-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         pl-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         pl-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         pl-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the planning policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pl-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the planning policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         pl-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(a)(2)
-                      parts: 
-                        - 
-                          id:         pl-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      planning policy and associated planning controls;
-                            """
-                        - 
-                          id:         pl-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pl-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         pl-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-1(b)
-                  parts: 
-                    - 
-                      id:         pl-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(b)(1)
-                      parts: 
-                        - 
-                          id:         pl-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(1)[1]
-                          prose:      defines the frequency to review and update the current planning policy;
-                        - 
-                          id:         pl-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current planning policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         pl-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(b)(2)
-                      parts: 
-                        - 
-                          id:         pl-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current planning procedures;
-                                                      and
-                            """
-                        - 
-                          id:         pl-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current planning procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Planning policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         pl-2
-          class:      SP800-53
-          title:      System Security Plan
-          parameters: 
-            - 
-              id:    pl-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pl-2_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PL-2
-            - 
-              name:  sort-id
-              value: pl-02
-          links: 
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-          parts: 
-            - 
-              id:    pl-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops a security plan for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Is consistent with the organization’s enterprise architecture;
-                    - 
-                      id:         pl-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Explicitly defines the authorization boundary for the system;
-                    - 
-                      id:         pl-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Describes the operational context of the information system in terms of
-                                               missions and business processes;
-                        """
-                    - 
-                      id:         pl-2_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Provides the security categorization of the information system including
-                                               supporting rationale;
-                        """
-                    - 
-                      id:         pl-2_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose: 
-                        """
-                          Describes the operational environment for the information system and
-                                               relationships with or connections to other information systems;
-                        """
-                    - 
-                      id:         pl-2_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose:      Provides an overview of the security requirements for the system;
-                    - 
-                      id:         pl-2_smt.a.7
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 7.
-                      prose:      Identifies any relevant overlays, if applicable;
-                    - 
-                      id:         pl-2_smt.a.8
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 8.
-                      prose: 
-                        """
-                          Describes the security controls in place or planned for meeting those
-                                               requirements including a rationale for the tailoring decisions; and
-                        """
-                    - 
-                      id:         pl-2_smt.a.9
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 9.
-                      prose: 
-                        """
-                          Is reviewed and approved by the authorizing official or designated
-                                               representative prior to plan implementation;
-                        """
-                - 
-                  id:         pl-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Distributes copies of the security plan and communicates subsequent changes to the
-                                        plan to {{ pl-2_prm_1 }};
-                    """
-                - 
-                  id:         pl-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews the security plan for the information system {{ pl-2_prm_2 }};
-                - 
-                  id:         pl-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Updates the plan to address changes to the information system/environment of
-                                        operation or problems identified during plan implementation or security control
-                                        assessments; and
-                    """
-                - 
-                  id:         pl-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Protects the security plan from unauthorized disclosure and modification.
-            - 
-              id:    pl-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security plans relate security requirements to a set of security controls and control
-                                 enhancements. Security plans also describe, at a high level, how the security
-                                 controls and control enhancements meet those security requirements, but do not
-                                 provide detailed, technical descriptions of the specific design or implementation of
-                                 the controls/enhancements. Security plans contain sufficient information (including
-                                 the specification of parameter values for assignment and selection statements either
-                                 explicitly or by reference) to enable a design and implementation that is
-                                 unambiguously compliant with the intent of the plans and subsequent determinations of
-                                 risk to organizational operations and assets, individuals, other organizations, and
-                                 the Nation if the plan is implemented as intended. Organizations can also apply
-                                 tailoring guidance to the security control baselines in Appendix D and CNSS
-                                 Instruction 1253 to develop overlays for community-wide use or to address specialized
-                                 requirements, technologies, or missions/environments of operation (e.g.,
-                                 DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-                                 Access Management, space operations). Appendix I provides guidance on developing
-                                 overlays. Security plans need not be single documents; the plans can be a collection
-                                 of various documents including documents that already exist. Effective security plans
-                                 make extensive use of references to policies, procedures, and additional documents
-                                 (e.g., design and implementation specifications) where more detailed information can
-                                 be obtained. This reduces the documentation requirements associated with security
-                                 programs and maintains security-related information in other established
-                                 management/operational areas related to enterprise architecture, system development
-                                 life cycle, systems engineering, and acquisition. For example, security plans do not
-                                 contain detailed contingency plan or incident response plan information but instead
-                                 provide explicitly or by reference, sufficient information to define what needs to be
-                                 accomplished by those plans.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pl-7
-                  rel:  related
-                  text: PL-7
-                - 
-                  href: #pm-1
-                  rel:  related
-                  text: PM-1
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #pm-8
-                  rel:  related
-                  text: PM-8
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-17
-                  rel:  related
-                  text: SA-17
-            - 
-              id:    pl-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(a)
-                  prose:      develops a security plan for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(1)
-                      prose:      is consistent with the organization’s enterprise architecture;
-                    - 
-                      id:         pl-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(2)
-                      prose:      explicitly defines the authorization boundary for the system;
-                    - 
-                      id:         pl-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(3)
-                      prose: 
-                        """
-                          describes the operational context of the information system in terms of
-                                               missions and business processes;
-                        """
-                    - 
-                      id:         pl-2.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(4)
-                      prose: 
-                        """
-                          provides the security categorization of the information system including
-                                               supporting rationale;
-                        """
-                    - 
-                      id:         pl-2.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(5)
-                      prose: 
-                        """
-                          describes the operational environment for the information system and
-                                               relationships with or connections to other information systems;
-                        """
-                    - 
-                      id:         pl-2.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(6)
-                      prose:      provides an overview of the security requirements for the system;
-                    - 
-                      id:         pl-2.a.7_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(7)
-                      prose:      identifies any relevant overlays, if applicable;
-                    - 
-                      id:         pl-2.a.8_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(8)
-                      prose: 
-                        """
-                          describes the security controls in place or planned for meeting those
-                                               requirements including a rationale for the tailoring and supplemental
-                                               decisions;
-                        """
-                    - 
-                      id:         pl-2.a.9_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-2(a)(9)
-                      prose: 
-                        """
-                          is reviewed and approved by the authorizing official or designated
-                                               representative prior to plan implementation;
-                        """
-                - 
-                  id:         pl-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(b)
-                  parts: 
-                    - 
-                      id:         pl-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom copies of the security plan are to be
-                                               distributed and subsequent changes to the plan are to be communicated;
-                        """
-                    - 
-                      id:         pl-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-2(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the security plan and communicates subsequent changes to
-                                               the plan to organization-defined personnel or roles;
-                        """
-                - 
-                  id:         pl-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(c)
-                  parts: 
-                    - 
-                      id:         pl-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the security plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         pl-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(c)[2]
-                      prose: 
-                        """
-                          reviews the security plan for the information system with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         pl-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-2(d)
-                  prose:      updates the plan to address:
-                  parts: 
-                    - 
-                      id:         pl-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[1]
-                      prose:      changes to the information system/environment of operation;
-                    - 
-                      id:         pl-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[2]
-                      prose:      problems identified during plan implementation;
-                    - 
-                      id:         pl-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[3]
-                      prose:      problems identified during security control assessments;
-                - 
-                  id:         pl-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-2(e)
-                  prose:      protects the security plan from unauthorized:
-                  parts: 
-                    - 
-                      id:         pl-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(e)[1]
-                      prose:      disclosure; and
-                    - 
-                      id:         pl-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(e)[2]
-                      prose:      modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security planning and plan implementation
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security plan development/review/update/approval\n\nautomated mechanisms supporting the information system security plan
-        - 
-          id:         pl-4
-          class:      SP800-53
-          title:      Rules of Behavior
-          parameters: 
-            - 
-              id:          pl-4_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: At least every 3 years
-          properties: 
-            - 
-              name:  label
-              value: PL-4
-            - 
-              name:  sort-id
-              value: pl-04
-          links: 
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-          parts: 
-            - 
-              id:    pl-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and makes readily available to individuals requiring access to the
-                                        information system, the rules that describe their responsibilities and expected
-                                        behavior with regard to information and information system usage;
-                    """
-                - 
-                  id:         pl-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Receives a signed acknowledgment from such individuals, indicating that they have
-                                        read, understand, and agree to abide by the rules of behavior, before authorizing
-                                        access to information and the information system;
-                    """
-                - 
-                  id:         pl-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and
-                - 
-                  id:         pl-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Requires individuals who have signed a previous version of the rules of behavior
-                                        to read and re-sign when the rules of behavior are revised/updated.
-                    """
-            - 
-              id:    pl-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control enhancement applies to organizational users. Organizations consider
-                                 rules of behavior based on individual user roles and responsibilities,
-                                 differentiating, for example, between rules that apply to privileged users and rules
-                                 that apply to general users. Establishing rules of behavior for some types of
-                                 non-organizational users including, for example, individuals who simply receive
-                                 data/information from federal information systems, is often not feasible given the
-                                 large number of such users and the limited nature of their interactions with the
-                                 systems. Rules of behavior for both organizational and non-organizational users can
-                                 also be established in AC-8, System Use Notification. PL-4 b. (the signed
-                                 acknowledgment portion of this control) may be satisfied by the security awareness
-                                 training and role-based security training programs conducted by organizations if such
-                                 training includes rules of behavior. Organizations can use electronic signatures for
-                                 acknowledging rules of behavior.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-8
-                  rel:  related
-                  text: AC-8
-                - 
-                  href: #ac-9
-                  rel:  related
-                  text: AC-9
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #mp-7
-                  rel:  related
-                  text: MP-7
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #ps-8
-                  rel:  related
-                  text: PS-8
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-            - 
-              id:    pl-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(a)
-                  parts: 
-                    - 
-                      id:         pl-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-4(a)[1]
-                      prose: 
-                        """
-                          establishes, for individuals requiring access to the information system, the
-                                               rules that describe their responsibilities and expected behavior with regard to
-                                               information and information system usage;
-                        """
-                    - 
-                      id:         pl-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(a)[2]
-                      prose: 
-                        """
-                          makes readily available to individuals requiring access to the information
-                                               system, the rules that describe their responsibilities and expected behavior
-                                               with regard to information and information system usage;
-                        """
-                - 
-                  id:         pl-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-4(b)
-                  prose: 
-                    """
-                      receives a signed acknowledgement from such individuals, indicating that they have
-                                        read, understand, and agree to abide by the rules of behavior, before authorizing
-                                        access to information and the information system;
-                    """
-                - 
-                  id:         pl-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(c)
-                  parts: 
-                    - 
-                      id:         pl-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-4(c)[1]
-                      prose:      defines the frequency to review and update the rules of behavior;
-                    - 
-                      id:         pl-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(c)[2]
-                      prose: 
-                        """
-                          reviews and updates the rules of behavior with the organization-defined
-                                               frequency; and
-                        """
-                - 
-                  id:         pl-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-4(d)
-                  prose: 
-                    """
-                      requires individuals who have signed a previous version of the rules of behavior
-                                        to read and resign when the rules of behavior are revised/updated.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for establishing, reviewing, and
-                                        updating rules of behavior\n\norganizational personnel who are authorized users of the information system and
-                                        have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for establishing, reviewing, disseminating, and updating
-                                        rules of behavior\n\nautomated mechanisms supporting and/or implementing the establishment, review,
-                                        dissemination, and update of rules of behavior
-                    """
-    - 
-      id:       ps
-      class:    family
-      title:    Personnel Security
-      controls: 
-        - 
-          id:         ps-1
-          class:      SP800-53
-          title:      Personnel Security Policy and Procedures
-          parameters: 
-            - 
-              id:    ps-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ps-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-1
-            - 
-              name:  sort-id
-              value: ps-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ps-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ps-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ps-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A personnel security policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ps-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the personnel security policy
-                                               and associated personnel security controls; and
-                        """
-                - 
-                  id:         ps-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ps-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Personnel security policy {{ ps-1_prm_2 }}; and
-                    - 
-                      id:         ps-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Personnel security procedures {{ ps-1_prm_3 }}.
-            - 
-              id:    ps-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PS
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ps-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-1(a)
-                  parts: 
-                    - 
-                      id:         ps-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ps-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[1]
-                          prose:      develops and documents an personnel security policy that addresses:
-                          parts: 
-                            - 
-                              id:         ps-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ps-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ps-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ps-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ps-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ps-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ps-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ps-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the personnel security policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ps-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the personnel security policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ps-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ps-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      personnel security policy and associated personnel security controls;
-                            """
-                        - 
-                          id:         ps-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ps-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ps-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-1(b)
-                  parts: 
-                    - 
-                      id:         ps-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ps-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current personnel security
-                                                      policy;
-                            """
-                        - 
-                          id:         ps-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current personnel security policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ps-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ps-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current personnel security
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ps-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current personnel security procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ps-2
-          class:      SP800-53
-          title:      Position Risk Designation
-          parameters: 
-            - 
-              id:          ps-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three years
-          properties: 
-            - 
-              name:  label
-              value: PS-2
-            - 
-              name:  sort-id
-              value: ps-02
-          links: 
-            - 
-              href: #0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-              rel:  reference
-              text: 5 C.F.R. 731.106
-          parts: 
-            - 
-              id:    ps-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Assigns a risk designation to all organizational positions;
-                - 
-                  id:         ps-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Establishes screening criteria for individuals filling those positions; and
-                - 
-                  id:         ps-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates position risk designations {{ ps-2_prm_1 }}.
-            - 
-              id:    ps-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Position risk designations reflect Office of Personnel Management policy and
-                                 guidance. Risk designations can guide and inform the types of authorizations
-                                 individuals receive when accessing organizational information and information
-                                 systems. Position screening criteria include explicit information security role
-                                 appointment requirements (e.g., training, security clearances).
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-            - 
-              id:    ps-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-2(a)
-                  prose:      assigns a risk designation to all organizational positions;
-                - 
-                  id:         ps-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-2(b)
-                  prose:      establishes screening criteria for individuals filling those positions;
-                - 
-                  id:         ps-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-2(c)
-                  parts: 
-                    - 
-                      id:         ps-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-2(c)[1]
-                      prose:      defines the frequency to review and update position risk designations; and
-                    - 
-                      id:         ps-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-2(c)[2]
-                      prose: 
-                        """
-                          reviews and updates position risk designations with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for assigning, reviewing, and updating position risk
-                                        designations\n\norganizational processes for establishing screening criteria
-                    """
-        - 
-          id:         ps-3
-          class:      SP800-53
-          title:      Personnel Screening
-          parameters: 
-            - 
-              id:          ps-3_prm_1
-              label: 
-                """
-                  organization-defined conditions requiring rescreening and, where rescreening is
-                                 so indicated, the frequency of such rescreening
-                """
-              constraints: 
-                - 
-                  detail: For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-3
-            - 
-              name:  sort-id
-              value: ps-03
-          links: 
-            - 
-              href: #0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-              rel:  reference
-              text: 5 C.F.R. 731.106
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #6caa237b-531b-43ac-9711-d8f6b97b0377
-              rel:  reference
-              text: ICD 704
-          parts: 
-            - 
-              id:    ps-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Screens individuals prior to authorizing access to the information system; and
-                - 
-                  id:         ps-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Rescreens individuals according to {{ ps-3_prm_1 }}.
-            - 
-              id:    ps-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Personnel screening and rescreening activities reflect applicable federal laws,
-                                 Executive Orders, directives, regulations, policies, standards, guidance, and
-                                 specific criteria established for the risk designations of assigned positions.
-                                 Organizations may define different rescreening conditions and frequencies for
-                                 personnel accessing information systems based on types of information processed,
-                                 stored, or transmitted by the systems.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-            - 
-              id:    ps-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-3(a)
-                  prose:      screens individuals prior to authorizing access to the information system;
-                - 
-                  id:         ps-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-3(b)
-                  parts: 
-                    - 
-                      id:         ps-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-3(b)[1]
-                      prose:      defines conditions requiring re-screening;
-                    - 
-                      id:         ps-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-3(b)[2]
-                      prose:      defines the frequency of re-screening where it is so indicated; and
-                    - 
-                      id:         ps-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-3(b)[3]
-                      prose: 
-                        """
-                          re-screens individuals in accordance with organization-defined conditions
-                                               requiring re-screening and, where re-screening is so indicated, with the
-                                               organization-defined frequency of such re-screening.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for personnel screening
-        - 
-          id:         ps-4
-          class:      SP800-53
-          title:      Personnel Termination
-          parameters: 
-            - 
-              id:          ps-4_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: same day
-            - 
-              id:    ps-4_prm_2
-              label: organization-defined information security topics
-            - 
-              id:    ps-4_prm_3
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-4_prm_4
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-4
-            - 
-              name:  sort-id
-              value: ps-04
-          parts: 
-            - 
-              id:    ps-4_smt
-              name:  statement
-              prose: The organization, upon termination of individual employment:
-              parts: 
-                - 
-                  id:         ps-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Disables information system access within {{ ps-4_prm_1 }};
-                - 
-                  id:         ps-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Terminates/revokes any authenticators/credentials associated with the
-                                        individual;
-                    """
-                - 
-                  id:         ps-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};
-                - 
-                  id:         ps-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Retrieves all security-related organizational information system-related
-                                        property;
-                    """
-                - 
-                  id:         ps-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Retains access to organizational information and information systems formerly
-                                        controlled by terminated individual; and
-                    """
-                - 
-                  id:         ps-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}.
-            - 
-              id:    ps-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system-related property includes, for example, hardware authentication
-                                 tokens, system administration technical manuals, keys, identification cards, and
-                                 building passes. Exit interviews ensure that terminated individuals understand the
-                                 security constraints imposed by being former employees and that proper accountability
-                                 is achieved for information system-related property. Security topics of interest at
-                                 exit interviews can include, for example, reminding terminated individuals of
-                                 nondisclosure agreements and potential limitations on future employment. Exit
-                                 interviews may not be possible for some terminated individuals, for example, in cases
-                                 related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-                                 interviews are important for individuals with security clearances. Timely execution
-                                 of termination actions is essential for individuals terminated for cause. In certain
-                                 situations, organizations consider disabling the information system accounts of
-                                 individuals that are being terminated prior to the individuals being notified.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-            - 
-              id:    ps-4_obj
-              name:  objective
-              prose: Determine if the organization, upon termination of individual employment,:
-              parts: 
-                - 
-                  id:         ps-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(a)
-                  parts: 
-                    - 
-                      id:         ps-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(a)[1]
-                      prose:      defines a time period within which to disable information system access;
-                    - 
-                      id:         ps-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-4(a)[2]
-                      prose: 
-                        """
-                          disables information system access within the organization-defined time
-                                               period;
-                        """
-                - 
-                  id:         ps-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-4(b)
-                  prose: 
-                    """
-                      terminates/revokes any authenticators/credentials associated with the
-                                        individual;
-                    """
-                - 
-                  id:         ps-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(c)
-                  parts: 
-                    - 
-                      id:         ps-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(c)[1]
-                      prose: 
-                        """
-                          defines information security topics to be discussed when conducting exit
-                                               interviews;
-                        """
-                    - 
-                      id:         ps-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-4(c)[2]
-                      prose: 
-                        """
-                          conducts exit interviews that include a discussion of organization-defined
-                                               information security topics;
-                        """
-                - 
-                  id:         ps-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-4(d)
-                  prose: 
-                    """
-                      retrieves all security-related organizational information system-related
-                                        property;
-                    """
-                - 
-                  id:         ps-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-4(e)
-                  prose: 
-                    """
-                      retains access to organizational information and information systems formerly
-                                        controlled by the terminated individual;
-                    """
-                - 
-                  id:         ps-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(f)
-                  parts: 
-                    - 
-                      id:         ps-4.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(f)[1]
-                      prose:      defines personnel or roles to be notified of the termination;
-                    - 
-                      id:         ps-4.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(f)[2]
-                      prose: 
-                        """
-                          defines the time period within which to notify organization-defined personnel
-                                               or roles; and
-                        """
-                    - 
-                      id:         ps-4.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-4(f)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for personnel termination\n\nautomated mechanisms supporting and/or implementing personnel termination
-                                        notifications\n\nautomated mechanisms for disabling information system access/revoking
-                                        authenticators
-                    """
-        - 
-          id:         ps-5
-          class:      SP800-53
-          title:      Personnel Transfer
-          parameters: 
-            - 
-              id:    ps-5_prm_1
-              label: organization-defined transfer or reassignment actions
-            - 
-              id:    ps-5_prm_2
-              label: organization-defined time period following the formal transfer action
-            - 
-              id:    ps-5_prm_3
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-5_prm_4
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: five days of the time period following the formal transfer action (DoD 24 hours)
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-5
-            - 
-              name:  sort-id
-              value: ps-05
-          parts: 
-            - 
-              id:    ps-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Reviews and confirms ongoing operational need for current logical and physical
-                                        access authorizations to information systems/facilities when individuals are
-                                        reassigned or transferred to other positions within the organization;
-                    """
-                - 
-                  id:         ps-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};
-                - 
-                  id:         ps-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Modifies access authorization as needed to correspond with any changes in
-                                        operational need due to reassignment or transfer; and
-                    """
-                - 
-                  id:         ps-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}.
-            - 
-              id:    ps-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies when reassignments or transfers of individuals are permanent or
-                                 of such extended durations as to make the actions warranted. Organizations define
-                                 actions appropriate for the types of reassignments or transfers, whether permanent or
-                                 extended. Actions that may be required for personnel transfers or reassignments to
-                                 other positions within organizations include, for example: (i) returning old and
-                                 issuing new keys, identification cards, and building passes; (ii) closing information
-                                 system accounts and establishing new accounts; (iii) changing information system
-                                 access authorizations (i.e., privileges); and (iv) providing for access to official
-                                 records to which individuals had access at previous work locations and in previous
-                                 information system accounts.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-            - 
-              id:    ps-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(a)
-                  prose: 
-                    """
-                      when individuals are reassigned or transferred to other positions within the
-                                        organization, reviews and confirms ongoing operational need for current:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-5(a)[1]
-                      prose:      logical access authorizations to information systems;
-                    - 
-                      id:         ps-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-5(a)[2]
-                      prose:      physical access authorizations to information systems and facilities;
-                - 
-                  id:         ps-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(b)
-                  parts: 
-                    - 
-                      id:         ps-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(b)[1]
-                      prose: 
-                        """
-                          defines transfer or reassignment actions to be initiated following transfer or
-                                               reassignment;
-                        """
-                    - 
-                      id:         ps-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(b)[2]
-                      prose: 
-                        """
-                          defines the time period within which transfer or reassignment actions must
-                                               occur following transfer or reassignment;
-                        """
-                    - 
-                      id:         ps-5.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-5(b)[3]
-                      prose: 
-                        """
-                          initiates organization-defined transfer or reassignment actions within the
-                                               organization-defined time period following transfer or reassignment;
-                        """
-                - 
-                  id:         ps-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-5(c)
-                  prose: 
-                    """
-                      modifies access authorization as needed to correspond with any changes in
-                                        operational need due to reassignment or transfer;
-                    """
-                - 
-                  id:         ps-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(d)
-                  parts: 
-                    - 
-                      id:         ps-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified when individuals are reassigned or
-                                               transferred to other positions within the organization;
-                        """
-                    - 
-                      id:         ps-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(d)[2]
-                      prose: 
-                        """
-                          defines the time period within which to notify organization-defined personnel
-                                               or roles when individuals are reassigned or transferred to other positions
-                                               within the organization; and
-                        """
-                    - 
-                      id:         ps-5.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-5(d)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period when individuals are reassigned or transferred
-                                               to other positions within the organization.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with personnel security responsibilities organizational
-                                        personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for personnel transfer\n\nautomated mechanisms supporting and/or implementing personnel transfer
-                                        notifications\n\nautomated mechanisms for disabling information system access/revoking
-                                        authenticators
-                    """
-        - 
-          id:         ps-6
-          class:      SP800-53
-          title:      Access Agreements
-          parameters: 
-            - 
-              id:          ps-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ps-6_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-6
-            - 
-              name:  sort-id
-              value: ps-06
-          parts: 
-            - 
-              id:    ps-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops and documents access agreements for organizational information
-                                        systems;
-                    """
-                - 
-                  id:         ps-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the access agreements {{ ps-6_prm_1 }}; and
-                - 
-                  id:         ps-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that individuals requiring access to organizational information and
-                                        information systems:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-6_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Sign appropriate access agreements prior to being granted access; and
-                    - 
-                      id:         ps-6_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Re-sign access agreements to maintain access to organizational information
-                                               systems when access agreements have been updated or {{ ps-6_prm_2 }}.
-                        """
-            - 
-              id:    ps-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Access agreements include, for example, nondisclosure agreements, acceptable use
-                                 agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-                                 agreements include an acknowledgement that individuals have read, understand, and
-                                 agree to abide by the constraints associated with organizational information systems
-                                 to which access is authorized. Organizations can use electronic signatures to
-                                 acknowledge access agreements unless specifically prohibited by organizational
-                                 policy.
-                """
-              links: 
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-                - 
-                  href: #ps-8
-                  rel:  related
-                  text: PS-8
-            - 
-              id:    ps-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-6(a)
-                  prose: 
-                    """
-                      develops and documents access agreements for organizational information
-                                        systems;
-                    """
-                - 
-                  id:         ps-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(b)
-                  parts: 
-                    - 
-                      id:         ps-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-6(b)[1]
-                      prose:      defines the frequency to review and update the access agreements;
-                    - 
-                      id:         ps-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-6(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the access agreements with the organization-defined
-                                               frequency;
-                        """
-                - 
-                  id:         ps-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(c)
-                  parts: 
-                    - 
-                      id:         ps-6.c.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-6(c)(1)
-                      prose: 
-                        """
-                          ensures that individuals requiring access to organizational information and
-                                               information systems sign appropriate access agreements prior to being granted
-                                               access;
-                        """
-                    - 
-                      id:         ps-6.c.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-6(c)(2)
-                      parts: 
-                        - 
-                          id:         ps-6.c.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-6(c)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to re-sign access agreements to maintain access to
-                                                      organizational information systems when access agreements have been
-                                                      updated;
-                            """
-                        - 
-                          id:         ps-6.c.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: PS-6(c)(2)[2]
-                          prose: 
-                            """
-                              ensures that individuals requiring access to organizational information and
-                                                      information systems re-sign access agreements to maintain access to
-                                                      organizational information systems when access agreements have been updated
-                                                      or with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Personnel security policy\n\nprocedures addressing access agreements for organizational information and
-                                        information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements
-        - 
-          id:         ps-7
-          class:      SP800-53
-          title:      Third-party Personnel Security
-          parameters: 
-            - 
-              id:    ps-7_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-7_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: organization-defined time period - same day
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-7
-            - 
-              name:  sort-id
-              value: ps-07
-          links: 
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-          parts: 
-            - 
-              id:    ps-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes personnel security requirements including security roles and
-                                        responsibilities for third-party providers;
-                    """
-                - 
-                  id:         ps-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Requires third-party providers to comply with personnel security policies and
-                                        procedures established by the organization;
-                    """
-                - 
-                  id:         ps-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Documents personnel security requirements;
-                - 
-                  id:         ps-7_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Requires third-party providers to notify {{ ps-7_prm_1 }} of any
-                                        personnel transfers or terminations of third-party personnel who possess
-                                        organizational credentials and/or badges, or who have information system
-                                        privileges within {{ ps-7_prm_2 }}; and
-                    """
-                - 
-                  id:         ps-7_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Monitors provider compliance.
-            - 
-              id:    ps-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Third-party providers include, for example, service bureaus, contractors, and other
-                                 organizations providing information system development, information technology
-                                 services, outsourced applications, and network and security management. Organizations
-                                 explicitly include personnel security requirements in acquisition-related documents.
-                                 Third-party providers may have personnel working at organizational facilities with
-                                 credentials, badges, or information system privileges issued by organizations.
-                                 Notifications of third-party personnel changes ensure appropriate termination of
-                                 privileges and credentials. Organizations define the transfers and terminations
-                                 deemed reportable by security-related characteristics that include, for example,
-                                 functions, roles, and nature of credentials/privileges associated with individuals
-                                 transferred or terminated.
-                """
-              links: 
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-                - 
-                  href: #sa-21
-                  rel:  related
-                  text: SA-21
-            - 
-              id:    ps-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-7(a)
-                  prose: 
-                    """
-                      establishes personnel security requirements, including security roles and
-                                        responsibilities, for third-party providers;
-                    """
-                - 
-                  id:         ps-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-7(b)
-                  prose: 
-                    """
-                      requires third-party providers to comply with personnel security policies and
-                                        procedures established by the organization;
-                    """
-                - 
-                  id:         ps-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-7(c)
-                  prose:      documents personnel security requirements;
-                - 
-                  id:         ps-7.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-7(d)
-                  parts: 
-                    - 
-                      id:         ps-7.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges;
-                        """
-                    - 
-                      id:         ps-7.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[2]
-                      prose: 
-                        """
-                          defines the time period within which third-party providers are required to
-                                               notify organization-defined personnel or roles of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges;
-                        """
-                    - 
-                      id:         ps-7.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[3]
-                      prose: 
-                        """
-                          requires third-party providers to notify organization-defined personnel or
-                                               roles within the organization-defined time period of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges; and
-                        """
-                - 
-                  id:         ps-7.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-7(e)
-                  prose:      monitors provider compliance.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing and monitoring third-party personnel
-                                        security\n\nautomated mechanisms supporting and/or implementing monitoring of provider
-                                        compliance
-                    """
-        - 
-          id:         ps-8
-          class:      SP800-53
-          title:      Personnel Sanctions
-          parameters: 
-            - 
-              id:    ps-8_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-8_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: PS-8
-            - 
-              name:  sort-id
-              value: ps-08
-          parts: 
-            - 
-              id:    ps-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs a formal sanctions process for individuals failing to comply with
-                                        established information security policies and procedures; and
-                    """
-                - 
-                  id:         ps-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}
-                                        when a formal employee sanctions process is initiated, identifying the individual
-                                        sanctioned and the reason for the sanction.
-                    """
-            - 
-              id:    ps-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Sanctions processes are
-                                 described in access agreements and can be included as part of general personnel
-                                 policies and procedures for organizations. Organizations consult with the Office of
-                                 the General Counsel regarding matters of employee sanctions.
-                """
-              links: 
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-            - 
-              id:    ps-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-8(a)
-                  prose: 
-                    """
-                      employs a formal sanctions process for individuals failing to comply with
-                                        established information security policies and procedures;
-                    """
-                - 
-                  id:         ps-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-8(b)
-                  parts: 
-                    - 
-                      id:         ps-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-8(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified when a formal employee sanctions
-                                               process is initiated;
-                        """
-                    - 
-                      id:         ps-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-8(b)[2]
-                      prose: 
-                        """
-                          defines the time period within which organization-defined personnel or roles
-                                               must be notified when a formal employee sanctions process is initiated; and
-                        """
-                    - 
-                      id:         ps-8.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-8(b)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period when a formal employee sanctions process is
-                                               initiated, identifying the individual sanctioned and the reason for the
-                                               sanction.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and/or implementing notifications
-    - 
-      id:       ra
-      class:    family
-      title:    Risk Assessment
-      controls: 
-        - 
-          id:         ra-1
-          class:      SP800-53
-          title:      Risk Assessment Policy and Procedures
-          parameters: 
-            - 
-              id:    ra-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ra-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ra-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: RA-1
-            - 
-              name:  sort-id
-              value: ra-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ra-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ra-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ra-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A risk assessment policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ra-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the risk assessment policy and
-                                               associated risk assessment controls; and
-                        """
-                - 
-                  id:         ra-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ra-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Risk assessment policy {{ ra-1_prm_2 }}; and
-                    - 
-                      id:         ra-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Risk assessment procedures {{ ra-1_prm_3 }}.
-            - 
-              id:    ra-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the RA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ra-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-1(a)
-                  parts: 
-                    - 
-                      id:         ra-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ra-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[1]
-                          prose:      develops and documents a risk assessment policy that addresses:
-                          parts: 
-                            - 
-                              id:         ra-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ra-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ra-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ra-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ra-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ra-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ra-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ra-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the risk assessment policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ra-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the risk assessment policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         ra-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ra-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      risk assessment policy and associated risk assessment controls;
-                            """
-                        - 
-                          id:         ra-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ra-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ra-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-1(b)
-                  parts: 
-                    - 
-                      id:         ra-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ra-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current risk assessment
-                                                      policy;
-                            """
-                        - 
-                          id:         ra-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current risk assessment policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ra-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ra-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current risk assessment
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ra-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current risk assessment procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: risk assessment policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ra-2
-          class:      SP800-53
-          title:      Security Categorization
-          properties: 
-            - 
-              name:  label
-              value: RA-2
-            - 
-              name:  sort-id
-              value: ra-02
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-          parts: 
-            - 
-              id:    ra-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Categorizes information and the information system in accordance with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance;
-                    """
-                - 
-                  id:         ra-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents the security categorization results (including supporting rationale) in
-                                        the security plan for the information system; and
-                    """
-                - 
-                  id:         ra-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that the authorizing official or authorizing official designated
-                                        representative reviews and approves the security categorization decision.
-                    """
-            - 
-              id:    ra-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Clearly defined authorization boundaries are a prerequisite for effective security
-                                 categorization decisions. Security categories describe the potential adverse impacts
-                                 to organizational operations, organizational assets, and individuals if
-                                 organizational information and information systems are comprised through a loss of
-                                 confidentiality, integrity, or availability. Organizations conduct the security
-                                 categorization process as an organization-wide activity with the involvement of chief
-                                 information officers, senior information security officers, information system
-                                 owners, mission/business owners, and information owners/stewards. Organizations also
-                                 consider the potential adverse impacts to other organizations and, in accordance with
-                                 the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-                                 national-level adverse impacts. Security categorization processes carried out by
-                                 organizations facilitate the development of inventories of information assets, and
-                                 along with CM-8, mappings to specific information system components where information
-                                 is processed, stored, or transmitted.
-                """
-              links: 
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    ra-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: RA-2(a)
-                  prose: 
-                    """
-                      categorizes information and the information system in accordance with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance;
-                    """
-                - 
-                  id:         ra-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: RA-2(b)
-                  prose: 
-                    """
-                      documents the security categorization results (including supporting rationale) in
-                                        the security plan for the information system; and
-                    """
-                - 
-                  id:         ra-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: RA-2(c)
-                  prose: 
-                    """
-                      ensures the authorizing official or authorizing official designated representative
-                                        reviews and approves the security categorization decision.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and
-                                        information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security categorization and risk assessment
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security categorization
-        - 
-          id:         ra-3
-          class:      SP800-53
-          title:      Risk Assessment
-          parameters: 
-            - 
-              id: ra-3_prm_1
-            - 
-              id:          ra-3_prm_2
-              depends-on:  ra-3_prm_1
-              label:       organization-defined document
-              constraints: 
-                - 
-                  detail: security assessment report
-            - 
-              id:          ra-3_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three (3) years or when a significant change occurs
-            - 
-              id:    ra-3_prm_4
-              label: organization-defined personnel or roles
-            - 
-              id:          ra-3_prm_5
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three (3) years or when a significant change occurs
-          properties: 
-            - 
-              name:  label
-              value: RA-3
-            - 
-              name:  sort-id
-              value: ra-03
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ra-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                                        from the unauthorized access, use, disclosure, disruption, modification, or
-                                        destruction of the information system and the information it processes, stores, or
-                                        transmits;
-                    """
-                - 
-                  id:         ra-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Documents risk assessment results in {{ ra-3_prm_1 }};
-                - 
-                  id:         ra-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews risk assessment results {{ ra-3_prm_3 }};
-                - 
-                  id:         ra-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Disseminates risk assessment results to {{ ra-3_prm_4 }}; and
-                - 
-                  id:         ra-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are
-                                        significant changes to the information system or environment of operation
-                                        (including the identification of new threats and vulnerabilities), or other
-                                        conditions that may impact the security state of the system.
-                    """
-                - 
-                  id:    ra-3_fr
-                  name:  item
-                  title: RA-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ra-3_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
-                    - 
-                      id:         ra-3_fr_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3 (d) Requirement:
-                      prose:      Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-            - 
-              id:    ra-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Clearly defined authorization boundaries are a prerequisite for effective risk
-                                 assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-                                 and impact to organizational operations and assets, individuals, other organizations,
-                                 and the Nation based on the operation and use of information systems. Risk
-                                 assessments also take into account risk from external parties (e.g., service
-                                 providers, contractors operating information systems on behalf of the organization,
-                                 individuals accessing organizational information systems, outsourcing entities). In
-                                 accordance with OMB policy and related E-authentication initiatives, authentication
-                                 of public users accessing federal information systems may also be required to protect
-                                 nonpublic or privacy-related information. As such, organizational assessments of risk
-                                 also address public access to federal information systems. Risk assessments (either
-                                 formal or informal) can be conducted at all three tiers in the risk management
-                                 hierarchy (i.e., organization level, mission/business process level, or information
-                                 system level) and at any phase in the system development life cycle. Risk assessments
-                                 can also be conducted at various steps in the Risk Management Framework, including
-                                 categorization, security control selection, security control implementation, security
-                                 control assessment, information system authorization, and security control
-                                 monitoring. RA-3 is noteworthy in that the control must be partially implemented
-                                 prior to the implementation of other controls in order to complete the first two
-                                 steps in the Risk Management Framework. Risk assessments can play an important role
-                                 in security control selection processes, particularly during the application of
-                                 tailoring guidance, which includes security control supplementation.
-                """
-              links: 
-                - 
-                  href: #ra-2
-                  rel:  related
-                  text: RA-2
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ra-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(a)
-                  prose: 
-                    """
-                      conducts an assessment of risk, including the likelihood and magnitude of harm,
-                                        from the unauthorized access, use, disclosure, disruption, modification, or
-                                        destruction of:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(a)[1]
-                      prose:      the information system;
-                    - 
-                      id:         ra-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(a)[2]
-                      prose:      the information the system processes, stores, or transmits;
-                - 
-                  id:         ra-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(b)
-                  parts: 
-                    - 
-                      id:         ra-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(b)[1]
-                      prose: 
-                        """
-                          defines a document in which risk assessment results are to be documented (if
-                                               not documented in the security plan or risk assessment report);
-                        """
-                    - 
-                      id:         ra-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(b)[2]
-                      prose:      documents risk assessment results in one of the following:
-                      parts: 
-                        - 
-                          id:         ra-3.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][a]
-                          prose:      the security plan;
-                        - 
-                          id:         ra-3.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][b]
-                          prose:      the risk assessment report; or
-                        - 
-                          id:         ra-3.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][c]
-                          prose:      the organization-defined document;
-                - 
-                  id:         ra-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(c)
-                  parts: 
-                    - 
-                      id:         ra-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(c)[1]
-                      prose:      defines the frequency to review risk assessment results;
-                    - 
-                      id:         ra-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(c)[2]
-                      prose:      reviews risk assessment results with the organization-defined frequency;
-                - 
-                  id:         ra-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(d)
-                  parts: 
-                    - 
-                      id:         ra-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom risk assessment results are to be
-                                               disseminated;
-                        """
-                    - 
-                      id:         ra-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(d)[2]
-                      prose: 
-                        """
-                          disseminates risk assessment results to organization-defined personnel or
-                                               roles;
-                        """
-                - 
-                  id:         ra-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(e)
-                  parts: 
-                    - 
-                      id:         ra-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(e)[1]
-                      prose:      defines the frequency to update the risk assessment;
-                    - 
-                      id:         ra-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(e)[2]
-                      prose:      updates the risk assessment:
-                      parts: 
-                        - 
-                          id:         ra-3.e_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][a]
-                          prose:      with the organization-defined frequency;
-                        - 
-                          id:         ra-3.e_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][b]
-                          prose: 
-                            """
-                              whenever there are significant changes to the information system or
-                                                      environment of operation (including the identification of new threats and
-                                                      vulnerabilities); and
-                            """
-                        - 
-                          id:         ra-3.e_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][c]
-                          prose: 
-                            """
-                              whenever there are other conditions that may impact the security state of
-                                                      the system.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for risk assessment\n\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,
-                                        disseminating, and updating the risk assessment
-                    """
-        - 
-          id:         ra-5
-          class:      SP800-53
-          title:      Vulnerability Scanning
-          parameters: 
-            - 
-              id:          ra-5_prm_1
-              label: 
-                """
-                  organization-defined frequency and/or randomly in accordance with
-                                 organization-defined process
-                """
-              constraints: 
-                - 
-                  detail: monthly operating system/infrastructure; monthly web applications and databases
-            - 
-              id:          ra-5_prm_2
-              label:       organization-defined response times
-              constraints: 
-                - 
-                  detail: [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.
-            - 
-              id:    ra-5_prm_3
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: RA-5
-            - 
-              name:  sort-id
-              value: ra-05
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #15522e92-9192-463d-9646-6a01982db8ca
-              rel:  reference
-              text: http://cwe.mitre.org
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-          parts: 
-            - 
-              id:    ra-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Scans for vulnerabilities in the information system and hosted applications
-                                           {{ ra-5_prm_1 }} and when new vulnerabilities potentially
-                                        affecting the system/applications are identified and reported;
-                    """
-                - 
-                  id:         ra-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs vulnerability scanning tools and techniques that facilitate
-                                        interoperability among tools and automate parts of the vulnerability management
-                                        process by using standards for:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Enumerating platforms, software flaws, and improper configurations;
-                    - 
-                      id:         ra-5_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Formatting checklists and test procedures; and
-                    - 
-                      id:         ra-5_smt.b.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      Measuring vulnerability impact;
-                - 
-                  id:         ra-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Analyzes vulnerability scan reports and results from security control
-                                        assessments;
-                    """
-                - 
-                  id:         ra-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in
-                                        accordance with an organizational assessment of risk; and
-                    """
-                - 
-                  id:         ra-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Shares information obtained from the vulnerability scanning process and security
-                                        control assessments with {{ ra-5_prm_3 }} to help eliminate similar
-                                        vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                        deficiencies).
-                    """
-                - 
-                  id:         ra-5_fr_smt.a
-                  name:       item
-                  title:      RA-5(a) Additional FedRAMP Requirements and Guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5 (a)Requirement:
-                  prose:      An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-                - 
-                  id:         ra-5_fr_smt.e
-                  name:       item
-                  title:      RA-5(e) Additional FedRAMP Requirements and Guidance
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5 (e)Requirement:
-                  prose:      To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-                - 
-                  id:    ra-5_fr
-                  name:  item
-                  title: RA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ra-5_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          
-                                               **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))
-                        """
-            - 
-              id:    ra-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security categorization of information systems guides the frequency and
-                                 comprehensiveness of vulnerability scans. Organizations determine the required
-                                 vulnerability scanning for all information system components, ensuring that potential
-                                 sources of vulnerabilities such as networked printers, scanners, and copiers are not
-                                 overlooked. Vulnerability analyses for custom software applications may require
-                                 additional approaches such as static analysis, dynamic analysis, binary analysis, or
-                                 a hybrid of the three approaches. Organizations can employ these analysis approaches
-                                 in a variety of tools (e.g., web-based application scanners, static analysis tools,
-                                 binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-                                 example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-                                 protocols, and services that should not be accessible to users or devices; and (iii)
-                                 scanning for improperly configured or incorrectly operating information flow control
-                                 mechanisms. Organizations consider using tools that express vulnerabilities in the
-                                 Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-                                 Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-                                 vulnerabilities. Suggested sources for vulnerability information include the Common
-                                 Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-                                 addition, security control assessments such as red team exercises provide other
-                                 sources of potential vulnerabilities for which to scan. Organizations also consider
-                                 using tools that express vulnerability impact by the Common Vulnerability Scoring
-                                 System (CVSS).
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #ra-2
-                  rel:  related
-                  text: RA-2
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    ra-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(a)
-                  parts: 
-                    - 
-                      id:         ra-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(a)[1]
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[1][a]
-                          prose: 
-                            """
-                              defines the frequency for conducting vulnerability scans on the information
-                                                      system and hosted applications; and/or
-                            """
-                        - 
-                          id:         ra-5.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[1][b]
-                          prose: 
-                            """
-                              defines the process for conducting random vulnerability scans on the
-                                                      information system and hosted applications;
-                            """
-                    - 
-                      id:         ra-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(a)[2]
-                      prose: 
-                        """
-                          in accordance with the organization-defined frequency and/or
-                                               organization-defined process for conducting random scans, scans for
-                                               vulnerabilities in:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[2][a]
-                          prose:      the information system;
-                        - 
-                          id:         ra-5.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[2][b]
-                          prose:      hosted applications;
-                    - 
-                      id:         ra-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(a)[3]
-                      prose: 
-                        """
-                          when new vulnerabilities potentially affecting the system/applications are
-                                               identified and reported, scans for vulnerabilities in:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[3][a]
-                          prose:      the information system;
-                        - 
-                          id:         ra-5.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[3][b]
-                          prose:      hosted applications;
-                - 
-                  id:         ra-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(b)
-                  prose: 
-                    """
-                      employs vulnerability scanning tools and techniques that facilitate
-                                        interoperability among tools and automate parts of the vulnerability management
-                                        process by using standards for:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(1)
-                      parts: 
-                        - 
-                          id:         ra-5.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[1]
-                          prose:      enumerating platforms;
-                        - 
-                          id:         ra-5.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[2]
-                          prose:      enumerating software flaws;
-                        - 
-                          id:         ra-5.b.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[3]
-                          prose:      enumerating improper configurations;
-                    - 
-                      id:         ra-5.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(2)
-                      parts: 
-                        - 
-                          id:         ra-5.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(2)[1]
-                          prose:      formatting checklists;
-                        - 
-                          id:         ra-5.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(2)[2]
-                          prose:      formatting test procedures;
-                    - 
-                      id:         ra-5.b.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(3)
-                      prose:      measuring vulnerability impact;
-                - 
-                  id:         ra-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(c)
-                  parts: 
-                    - 
-                      id:         ra-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(c)[1]
-                      prose:      analyzes vulnerability scan reports;
-                    - 
-                      id:         ra-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(c)[2]
-                      prose:      analyzes results from security control assessments;
-                - 
-                  id:         ra-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(d)
-                  parts: 
-                    - 
-                      id:         ra-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(d)[1]
-                      prose: 
-                        """
-                          defines response times to remediate legitimate vulnerabilities in accordance
-                                               with an organizational assessment of risk;
-                        """
-                    - 
-                      id:         ra-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(d)[2]
-                      prose: 
-                        """
-                          remediates legitimate vulnerabilities within the organization-defined response
-                                               times in accordance with an organizational assessment of risk;
-                        """
-                - 
-                  id:         ra-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(e)
-                  parts: 
-                    - 
-                      id:         ra-5.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(e)[1]
-                      prose: 
-                        """
-                          defines personnel or roles with whom information obtained from the
-                                               vulnerability scanning process and security control assessments is to be
-                                               shared;
-                        """
-                    - 
-                      id:         ra-5.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(e)[2]
-                      prose: 
-                        """
-                          shares information obtained from the vulnerability scanning process with
-                                               organization-defined personnel or roles to help eliminate similar
-                                               vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                               deficiencies); and
-                        """
-                    - 
-                      id:         ra-5.e_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(e)[3]
-                      prose: 
-                        """
-                          shares information obtained from security control assessments with
-                                               organization-defined personnel or roles to help eliminate similar
-                                               vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                               deficiencies).
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with risk assessment, security control assessment and
-                                        vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for vulnerability scanning, analysis, remediation, and
-                                        information sharing\n\nautomated mechanisms supporting and/or implementing vulnerability scanning,
-                                        analysis, remediation, and information sharing
-                    """
-    - 
-      id:       sa
-      class:    family
-      title:    System and Services Acquisition
-      controls: 
-        - 
-          id:         sa-1
-          class:      SP800-53
-          title:      System and Services Acquisition Policy and Procedures
-          parameters: 
-            - 
-              id:    sa-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          sa-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          sa-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SA-1
-            - 
-              name:  sort-id
-              value: sa-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    sa-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ sa-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         sa-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and services acquisition policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         sa-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and services
-                                               acquisition policy and associated system and services acquisition controls;
-                                               and
-                        """
-                - 
-                  id:         sa-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         sa-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      System and services acquisition policy {{ sa-1_prm_2 }}; and
-                    - 
-                      id:         sa-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and services acquisition procedures {{ sa-1_prm_3 }}.
-            - 
-              id:    sa-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    sa-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-1(a)
-                  parts: 
-                    - 
-                      id:         sa-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         sa-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and services acquisition policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         sa-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         sa-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         sa-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         sa-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         sa-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         sa-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         sa-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         sa-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and services acquisition
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         sa-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and services acquisition policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         sa-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         sa-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and services acquisition policy and associated system and services
-                                                      acquisition controls;
-                            """
-                        - 
-                          id:         sa-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         sa-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         sa-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-1(b)
-                  parts: 
-                    - 
-                      id:         sa-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         sa-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and services
-                                                      acquisition policy;
-                            """
-                        - 
-                          id:         sa-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and services acquisition policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         sa-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         sa-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and services
-                                                      acquisition procedures; and
-                            """
-                        - 
-                          id:         sa-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and services acquisition procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and services acquisition policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         sa-2
-          class:      SP800-53
-          title:      Allocation of Resources
-          properties: 
-            - 
-              name:  label
-              value: SA-2
-            - 
-              name:  sort-id
-              value: sa-02
-          links: 
-            - 
-              href: #29fcfe59-33cd-494a-8756-5907ae3a8f92
-              rel:  reference
-              text: NIST Special Publication 800-65
-          parts: 
-            - 
-              id:    sa-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines information security requirements for the information system or
-                                        information system service in mission/business process planning;
-                    """
-                - 
-                  id:         sa-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Determines, documents, and allocates the resources required to protect the
-                                        information system or information system service as part of its capital planning
-                                        and investment control process; and
-                    """
-                - 
-                  id:         sa-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Establishes a discrete line item for information security in organizational
-                                        programming and budgeting documentation.
-                    """
-            - 
-              id:    sa-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Resource allocation for information security includes funding for the initial
-                                 information system or information system service acquisition and funding for the
-                                 sustainment of the system/service.
-                """
-              links: 
-                - 
-                  href: #pm-3
-                  rel:  related
-                  text: PM-3
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-            - 
-              id:    sa-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-2(a)
-                  prose: 
-                    """
-                      determines information security requirements for the information system or
-                                        information system service in mission/business process planning;
-                    """
-                - 
-                  id:         sa-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-2(b)
-                  prose: 
-                    """
-                      to protect the information system or information system service as part of its
-                                        capital planning and investment control process:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[1]
-                      prose:      determines the resources required;
-                    - 
-                      id:         sa-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[2]
-                      prose:      documents the resources required;
-                    - 
-                      id:         sa-2.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[3]
-                      prose:      allocates the resources required; and
-                - 
-                  id:         sa-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-2(c)
-                  prose: 
-                    """
-                      establishes a discrete line item for information security in organizational
-                                        programming and budgeting documentation.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security
-                                        requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with capital planning, investment control, organizational
-                                        programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security
-                                        requirements for information systems/services\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and/or implementing organizational capital
-                                        planning, programming, and budgeting
-                    """
-        - 
-          id:         sa-3
-          class:      SP800-53
-          title:      System Development Life Cycle
-          parameters: 
-            - 
-              id:    sa-3_prm_1
-              label: organization-defined system development life cycle
-          properties: 
-            - 
-              name:  label
-              value: SA-3
-            - 
-              name:  sort-id
-              value: sa-03
-          links: 
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #abd950ae-092f-4b7a-b374-1c7c67fe9350
-              rel:  reference
-              text: NIST Special Publication 800-64
-          parts: 
-            - 
-              id:    sa-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Manages the information system using {{ sa-3_prm_1 }} that
-                                        incorporates information security considerations;
-                    """
-                - 
-                  id:         sa-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Defines and documents information security roles and responsibilities throughout
-                                        the system development life cycle;
-                    """
-                - 
-                  id:         sa-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Identifies individuals having information security roles and responsibilities;
-                                        and
-                    """
-                - 
-                  id:         sa-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Integrates the organizational information security risk management process into
-                                        system development life cycle activities.
-                    """
-            - 
-              id:    sa-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  A well-defined system development life cycle provides the foundation for the
-                                 successful development, implementation, and operation of organizational information
-                                 systems. To apply the required security controls within the system development life
-                                 cycle requires a basic understanding of information security, threats,
-                                 vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-                                 The security engineering principles in SA-8 cannot be properly applied if individuals
-                                 that design, code, and test information systems and system components (including
-                                 information technology products) do not understand security. Therefore, organizations
-                                 include qualified personnel, for example, chief information security officers,
-                                 security architects, security engineers, and information system security officers in
-                                 system development life cycle activities to ensure that security requirements are
-                                 incorporated into organizational information systems. It is equally important that
-                                 developers include individuals on the development team that possess the requisite
-                                 security expertise and skills to ensure that needed security capabilities are
-                                 effectively integrated into the information system. Security awareness and training
-                                 programs can help ensure that individuals having key security roles and
-                                 responsibilities have the appropriate experience, skills, and expertise to conduct
-                                 assigned system development life cycle activities. The effective integration of
-                                 security requirements into enterprise architecture also helps to ensure that
-                                 important security considerations are addressed early in the system development life
-                                 cycle and that those considerations are directly related to the organizational
-                                 mission/business processes. This process also facilitates the integration of the
-                                 information security architecture into the enterprise architecture, consistent with
-                                 organizational risk management and information security strategies.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-            - 
-              id:    sa-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-3(a)
-                  parts: 
-                    - 
-                      id:         sa-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-3(a)[1]
-                      prose: 
-                        """
-                          defines a system development life cycle that incorporates information security
-                                               considerations to be used to manage the information system;
-                        """
-                    - 
-                      id:         sa-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-3(a)[2]
-                      prose: 
-                        """
-                          manages the information system using the organization-defined system
-                                               development life cycle;
-                        """
-                - 
-                  id:         sa-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-3(b)
-                  prose: 
-                    """
-                      defines and documents information security roles and responsibilities throughout
-                                        the system development life cycle;
-                    """
-                - 
-                  id:         sa-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-3(c)
-                  prose: 
-                    """
-                      identifies individuals having information security roles and responsibilities;
-                                        and
-                    """
-                - 
-                  id:         sa-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-3(d)
-                  prose: 
-                    """
-                      integrates the organizational information security risk management process into
-                                        system development life cycle activities.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the integration of information security into the system
-                                        development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy/program documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information security and system life cycle
-                                        development responsibilities\n\norganizational personnel with information security risk management
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into
-                                        the SDLC\n\nautomated mechanisms supporting and/or implementing the SDLC
-                    """
-        - 
-          id:         sa-4
-          class:      SP800-53
-          title:      Acquisition Process
-          properties: 
-            - 
-              name:  label
-              value: SA-4
-            - 
-              name:  sort-id
-              value: sa-04
-          links: 
-            - 
-              href: #ad733a42-a7ed-4774-b988-4930c28852f3
-              rel:  reference
-              text: HSPD-12
-            - 
-              href: #1737a687-52fb-4008-b900-cbfa836f7b65
-              rel:  reference
-              text: ISO/IEC 15408
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #0a5db899-f033-467f-8631-f5a8ba971475
-              rel:  reference
-              text: NIST Special Publication 800-23
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-            - 
-              href: #d818efd3-db31-4953-8afa-9e76afe83ce2
-              rel:  reference
-              text: NIST Special Publication 800-36
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #abd950ae-092f-4b7a-b374-1c7c67fe9350
-              rel:  reference
-              text: NIST Special Publication 800-64
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-            - 
-              href: #56d671da-6b7b-4abf-8296-84b61980390a
-              rel:  reference
-              text: Federal Acquisition Regulation
-            - 
-              href: #c95a9986-3cd6-4a98-931b-ccfc56cb11e5
-              rel:  reference
-              text: http://www.niap-ccevs.org
-            - 
-              href: #5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-              rel:  reference
-              text: http://fips201ep.cio.gov
-            - 
-              href: #bbd50dd1-54ce-4432-959d-63ea564b1bb4
-              rel:  reference
-              text: http://www.acquisition.gov/far
-          parts: 
-            - 
-              id:    sa-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization includes the following requirements, descriptions, and criteria,
-                                 explicitly or by reference, in the acquisition contract for the information system,
-                                 system component, or information system service in accordance with applicable federal
-                                 laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-                                 organizational mission/business needs:
-                """
-              parts: 
-                - 
-                  id:         sa-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Security functional requirements;
-                - 
-                  id:         sa-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Security strength requirements;
-                - 
-                  id:         sa-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Security assurance requirements;
-                - 
-                  id:         sa-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Security-related documentation requirements;
-                - 
-                  id:         sa-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Requirements for protecting security-related documentation;
-                - 
-                  id:         sa-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Description of the information system development environment and environment in
-                                        which the system is intended to operate; and
-                    """
-                - 
-                  id:         sa-4_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Acceptance criteria.
-                - 
-                  id:    sa-4_fr
-                  name:  item
-                  title: SA-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sa-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html).
-            - 
-              id:    sa-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system components are discrete, identifiable information technology
-                                 assets (e.g., hardware, software, or firmware) that represent the building blocks of
-                                 an information system. Information system components include commercial information
-                                 technology products. Security functional requirements include security capabilities,
-                                 security functions, and security mechanisms. Security strength requirements
-                                 associated with such capabilities, functions, and mechanisms include degree of
-                                 correctness, completeness, resistance to direct attack, and resistance to tampering
-                                 or bypass. Security assurance requirements include: (i) development processes,
-                                 procedures, practices, and methodologies; and (ii) evidence from development and
-                                 assessment activities providing grounds for confidence that the required security
-                                 functionality has been implemented and the required security strength has been
-                                 achieved. Security documentation requirements address all phases of the system
-                                 development life cycle. Security functionality, assurance, and documentation
-                                 requirements are expressed in terms of security controls and control enhancements
-                                 that have been selected through the tailoring process. The security control tailoring
-                                 process includes, for example, the specification of parameter values through the use
-                                 of assignment and selection statements and the specification of platform dependencies
-                                 and implementation information. Security documentation provides user and
-                                 administrator guidance regarding the implementation and operation of security
-                                 controls. The level of detail required in security documentation is based on the
-                                 security category or classification level of the information system and the degree to
-                                 which organizations depend on the stated security capability, functions, or
-                                 mechanisms to meet overall risk response expectations (as defined in the
-                                 organizational risk management strategy). Security requirements can also include
-                                 organizationally mandated configuration settings specifying allowed functions, ports,
-                                 protocols, and services. Acceptance criteria for information systems, information
-                                 system components, and information system services are defined in the same manner as
-                                 such criteria for any organizational acquisition or procurement. The Federal
-                                 Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-                                 from FISMA.
-                """
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    sa-4_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization includes the following requirements, descriptions, and
-                                 criteria, explicitly or by reference, in the acquisition contracts for the
-                                 information system, system component, or information system service in accordance
-                                 with applicable federal laws, Executive Orders, directives, policies, regulations,
-                                 standards, guidelines, and organizational mission/business needs:
-                """
-              parts: 
-                - 
-                  id:         sa-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(a)
-                  prose:      security functional requirements;
-                - 
-                  id:         sa-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(b)
-                  prose:      security strength requirements;
-                - 
-                  id:         sa-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(c)
-                  prose:      security assurance requirements;
-                - 
-                  id:         sa-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(d)
-                  prose:      security-related documentation requirements;
-                - 
-                  id:         sa-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(e)
-                  prose:      requirements for protecting security-related documentation;
-                - 
-                  id:         sa-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(f)
-                  prose:      description of:
-                  parts: 
-                    - 
-                      id:         sa-4.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(f)[1]
-                      prose:      the information system development environment;
-                    - 
-                      id:         sa-4.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(f)[2]
-                      prose:      the environment in which the system is intended to operate; and
-                - 
-                  id:         sa-4.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(g)
-                  prose:      acceptance criteria.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                        descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\ninformation system design documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security functional, strength, and assurance requirements\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for determining information system security functional,
-                                        strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of
-                                        security requirements in contracts
-                    """
-        - 
-          id:         sa-5
-          class:      SP800-53
-          title:      Information System Documentation
-          parameters: 
-            - 
-              id:    sa-5_prm_1
-              label: organization-defined actions
-            - 
-              id:    sa-5_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: SA-5
-            - 
-              name:  sort-id
-              value: sa-05
-          parts: 
-            - 
-              id:    sa-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Obtains administrator documentation for the information system, system component,
-                                        or information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Secure configuration, installation, and operation of the system, component, or
-                                               service;
-                        """
-                    - 
-                      id:         sa-5_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Effective use and maintenance of security functions/mechanisms; and
-                    - 
-                      id:         sa-5_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                                               privileged) functions;
-                        """
-                - 
-                  id:         sa-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Obtains user documentation for the information system, system component, or
-                                        information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          User-accessible security functions/mechanisms and how to effectively use those
-                                               security functions/mechanisms;
-                        """
-                    - 
-                      id:         sa-5_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Methods for user interaction, which enables individuals to use the system,
-                                               component, or service in a more secure manner; and
-                        """
-                    - 
-                      id:         sa-5_smt.b.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          User responsibilities in maintaining the security of the system, component, or
-                                               service;
-                        """
-                - 
-                  id:         sa-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Documents attempts to obtain information system, system component, or information
-                                        system service documentation when such documentation is either unavailable or
-                                        nonexistent and takes {{ sa-5_prm_1 }} in response;
-                    """
-                - 
-                  id:         sa-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects documentation as required, in accordance with the risk management
-                                        strategy; and
-                    """
-                - 
-                  id:         sa-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Distributes documentation to {{ sa-5_prm_2 }}.
-            - 
-              id:    sa-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control helps organizational personnel understand the implementation and
-                                 operation of security controls associated with information systems, system
-                                 components, and information system services. Organizations consider establishing
-                                 specific measures to determine the quality/completeness of the content provided. The
-                                 inability to obtain needed documentation may occur, for example, due to the age of
-                                 the information system/component or lack of support from developers and contractors.
-                                 In those situations, organizations may need to recreate selected documentation if
-                                 such documentation is essential to the effective implementation or operation of
-                                 security controls. The level of protection provided for selected information system,
-                                 component, or service documentation is commensurate with the security category or
-                                 classification of the system. For example, documentation associated with a key DoD
-                                 weapons system or command and control system would typically require a higher level
-                                 of protection than a routine administrative system. Documentation that addresses
-                                 information system vulnerabilities may also require an increased level of protection.
-                                 Secure operation of the information system, includes, for example, initially starting
-                                 the system and resuming secure system operation after any lapse in system
-                                 operation.
-                """
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-            - 
-              id:    sa-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-5(a)
-                  prose: 
-                    """
-                      obtains administrator documentation for the information system, system component,
-                                        or information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(1)
-                      parts: 
-                        - 
-                          id:         sa-5.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[1]
-                          prose:      secure configuration of the system, system component, or service;
-                        - 
-                          id:         sa-5.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[2]
-                          prose:      secure installation of the system, system component, or service;
-                        - 
-                          id:         sa-5.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[3]
-                          prose:      secure operation of the system, system component, or service;
-                    - 
-                      id:         sa-5.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(2)
-                      parts: 
-                        - 
-                          id:         sa-5.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(2)[1]
-                          prose:      effective use of the security features/mechanisms;
-                        - 
-                          id:         sa-5.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(2)[2]
-                          prose:      effective maintenance of the security features/mechanisms;
-                    - 
-                      id:         sa-5.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(3)
-                      prose: 
-                        """
-                          known vulnerabilities regarding configuration and use of administrative (i.e.,
-                                               privileged) functions;
-                        """
-                - 
-                  id:         sa-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-5(b)
-                  prose: 
-                    """
-                      obtains user documentation for the information system, system component, or
-                                        information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(1)
-                      parts: 
-                        - 
-                          id:         sa-5.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(b)(1)[1]
-                          prose:      user-accessible security functions/mechanisms;
-                        - 
-                          id:         sa-5.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(b)(1)[2]
-                          prose:      how to effectively use those functions/mechanisms;
-                    - 
-                      id:         sa-5.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(2)
-                      prose: 
-                        """
-                          methods for user interaction, which enables individuals to use the system,
-                                               component, or service in a more secure manner;
-                        """
-                    - 
-                      id:         sa-5.b.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(3)
-                      prose: 
-                        """
-                          user responsibilities in maintaining the security of the system, component, or
-                                               service;
-                        """
-                - 
-                  id:         sa-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(c)
-                  parts: 
-                    - 
-                      id:         sa-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-5(c)[1]
-                      prose: 
-                        """
-                          defines actions to be taken after documented attempts to obtain information
-                                               system, system component, or information system service documentation when such
-                                               documentation is either unavailable or nonexistent;
-                        """
-                    - 
-                      id:         sa-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(c)[2]
-                      prose: 
-                        """
-                          documents attempts to obtain information system, system component, or
-                                               information system service documentation when such documentation is either
-                                               unavailable or nonexistent;
-                        """
-                    - 
-                      id:         sa-5.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(c)[3]
-                      prose:      takes organization-defined actions in response;
-                - 
-                  id:         sa-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-5(d)
-                  prose: 
-                    """
-                      protects documentation as required, in accordance with the risk management
-                                        strategy;
-                    """
-                - 
-                  id:         sa-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(e)
-                  parts: 
-                    - 
-                      id:         sa-5.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-5(e)[1]
-                      prose:      defines personnel or roles to whom documentation is to be distributed; and
-                    - 
-                      id:         sa-5.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(e)[2]
-                      prose:      distributes documentation to organization-defined personnel or roles.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information
-                                        system documentation\n\nlist of actions to be taken in response to documented attempts to obtain
-                                        information system, system component, or information system service
-                                        documentation\n\nrisk management strategy documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for obtaining, protecting, and distributing information
-                                        system administrator and user documentation
-                    """
-        - 
-          id:         sa-9
-          class:      SP800-53
-          title:      External Information System Services
-          parameters: 
-            - 
-              id:          sa-9_prm_1
-              label:       organization-defined security controls
-              constraints: 
-                - 
-                  detail: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-            - 
-              id:          sa-9_prm_2
-              label:       organization-defined processes, methods, and techniques
-              constraints: 
-                - 
-                  detail: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-          properties: 
-            - 
-              name:  label
-              value: SA-9
-            - 
-              name:  sort-id
-              value: sa-09
-          links: 
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-          parts: 
-            - 
-              id:    sa-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires that providers of external information system services comply with
-                                        organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive
-                                        Orders, directives, policies, regulations, standards, and guidance;
-                    """
-                - 
-                  id:         sa-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Defines and documents government oversight and user roles and responsibilities
-                                        with regard to external information system services; and
-                    """
-                - 
-                  id:         sa-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Employs {{ sa-9_prm_2 }} to monitor security control compliance by
-                                        external service providers on an ongoing basis.
-                    """
-                - 
-                  id:    sa-9_fr
-                  name:  item
-                  title: SA-9 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sa-9_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide [https://www.FedRAMP.gov/documents](https://www.FedRAMP.gov/documents)
-                                            
-                        """
-                    - 
-                      id:         sa-9_fr_gdn.2
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance
-            - 
-              id:    sa-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  External information system services are services that are implemented outside of the
-                                 authorization boundaries of organizational information systems. This includes
-                                 services that are used by, but not a part of, organizational information systems.
-                                 FISMA and OMB policy require that organizations using external service providers that
-                                 are processing, storing, or transmitting federal information or operating information
-                                 systems on behalf of the federal government ensure that such providers meet the same
-                                 security requirements that federal agencies are required to meet. Organizations
-                                 establish relationships with external service providers in a variety of ways
-                                 including, for example, through joint ventures, business partnerships, contracts,
-                                 interagency agreements, lines of business arrangements, licensing agreements, and
-                                 supply chain exchanges. The responsibility for managing risks from the use of
-                                 external information system services remains with authorizing officials. For services
-                                 external to organizations, a chain of trust requires that organizations establish and
-                                 retain a level of confidence that each participating provider in the potentially
-                                 complex consumer-provider relationship provides adequate protection for the services
-                                 rendered. The extent and nature of this chain of trust varies based on the
-                                 relationships between organizations and the external providers. Organizations
-                                 document the basis for trust relationships so the relationships can be monitored over
-                                 time. External information system services documentation includes government, service
-                                 providers, end user security roles and responsibilities, and service-level
-                                 agreements. Service-level agreements define expectations of performance for security
-                                 controls, describe measurable outcomes, and identify remedies and response
-                                 requirements for identified instances of noncompliance.
-                """
-              links: 
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ir-7
-                  rel:  related
-                  text: IR-7
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-            - 
-              id:    sa-9_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(a)
-                  parts: 
-                    - 
-                      id:         sa-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[1]
-                      prose: 
-                        """
-                          defines security controls to be employed by providers of external information
-                                               system services;
-                        """
-                    - 
-                      id:         sa-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[2]
-                      prose: 
-                        """
-                          requires that providers of external information system services comply with
-                                               organizational information security requirements;
-                        """
-                    - 
-                      id:         sa-9.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[3]
-                      prose: 
-                        """
-                          requires that providers of external information system services employ
-                                               organization-defined security controls in accordance with applicable federal
-                                               laws, Executive Orders, directives, policies, regulations, standards, and
-                                               guidance;
-                        """
-                - 
-                  id:         sa-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(b)
-                  parts: 
-                    - 
-                      id:         sa-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(b)[1]
-                      prose: 
-                        """
-                          defines and documents government oversight with regard to external information
-                                               system services;
-                        """
-                    - 
-                      id:         sa-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(b)[2]
-                      prose: 
-                        """
-                          defines and documents user roles and responsibilities with regard to external
-                                               information system services;
-                        """
-                - 
-                  id:         sa-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(c)
-                  parts: 
-                    - 
-                      id:         sa-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(c)[1]
-                      prose: 
-                        """
-                          defines processes, methods, and techniques to be employed to monitor security
-                                               control compliance by external service providers; and
-                        """
-                    - 
-                      id:         sa-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(c)[2]
-                      prose: 
-                        """
-                          employs organization-defined processes, methods, and techniques to monitor
-                                               security control compliance by external service providers on an ongoing
-                                               basis.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control
-                                        compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external
-                                        provider services\n\nsecurity control assessment evidence from external providers of information system
-                                        services\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring security control compliance by external
-                                        service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external
-                                        service providers on an ongoing basis
-                    """
-    - 
-      id:       sc
-      class:    family
-      title:    System and Communications Protection
-      controls: 
-        - 
-          id:         sc-1
-          class:      SP800-53
-          title:      System and Communications Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    sc-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          sc-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          sc-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SC-1
-            - 
-              name:  sort-id
-              value: sc-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    sc-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sc-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ sc-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         sc-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and communications protection policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         sc-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and communications
-                                               protection policy and associated system and communications protection controls;
-                                               and
-                        """
-                - 
-                  id:         sc-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         sc-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          System and communications protection policy {{ sc-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         sc-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and communications protection procedures {{ sc-1_prm_3 }}.
-            - 
-              id:    sc-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SC
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    sc-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-1(a)
-                  parts: 
-                    - 
-                      id:         sc-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(a)(1)
-                      parts: 
-                        - 
-                          id:         sc-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and communications protection policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         sc-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         sc-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         sc-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         sc-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         sc-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         sc-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         sc-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         sc-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and communications protection
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         sc-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and communications protection policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         sc-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(a)(2)
-                      parts: 
-                        - 
-                          id:         sc-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and communications protection policy and associated system and
-                                                      communications protection controls;
-                            """
-                        - 
-                          id:         sc-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         sc-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         sc-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-1(b)
-                  parts: 
-                    - 
-                      id:         sc-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(b)(1)
-                      parts: 
-                        - 
-                          id:         sc-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      communications protection policy;
-                            """
-                        - 
-                          id:         sc-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and communications protection policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         sc-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(b)(2)
-                      parts: 
-                        - 
-                          id:         sc-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      communications protection procedures; and
-                            """
-                        - 
-                          id:         sc-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and communications protection
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and communications protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         sc-5
-          class:      SP800-53
-          title:      Denial of Service Protection
-          parameters: 
-            - 
-              id:    sc-5_prm_1
-              label: 
-                """
-                  organization-defined types of denial of service attacks or references to sources
-                                 for such information
-                """
-            - 
-              id:    sc-5_prm_2
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SC-5
-            - 
-              name:  sort-id
-              value: sc-05
-          parts: 
-            - 
-              id:    sc-5_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects against or limits the effects of the following types
-                                 of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}.
-                """
-            - 
-              id:    sc-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  A variety of technologies exist to limit, or in some cases, eliminate the effects of
-                                 denial of service attacks. For example, boundary protection devices can filter
-                                 certain types of packets to protect information system components on internal
-                                 organizational networks from being directly affected by denial of service attacks.
-                                 Employing increased capacity and bandwidth combined with service redundancy may also
-                                 reduce the susceptibility to denial of service attacks.
-                """
-              links: 
-                - 
-                  href: #sc-6
-                  rel:  related
-                  text: SC-6
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    sc-5_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[1]
-                  prose: 
-                    """
-                      the organization defines types of denial of service attacks or reference to source
-                                        of such information for the information system to protect against or limit the
-                                        effects;
-                    """
-                - 
-                  id:         sc-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[2]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be employed by the information
-                                        system to protect against or limit the effects of organization-defined types of
-                                        denial of service attacks; and
-                    """
-                - 
-                  id:         sc-5_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[3]
-                  prose: 
-                    """
-                      the information system protects against or limits the effects of the
-                                        organization-defined denial or service attacks (or reference to source for such
-                                        information) by employing organization-defined security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to
-                                        protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial
-                                        of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms protecting against or limiting the effects of denial of
-                                        service attacks
-                    """
-        - 
-          id:         sc-7
-          class:      SP800-53
-          title:      Boundary Protection
-          parameters: 
-            - 
-              id: sc-7_prm_1
-          properties: 
-            - 
-              name:  label
-              value: SC-7
-            - 
-              name:  sort-id
-              value: sc-07
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #756a8e86-57d5-4701-8382-f7a40439665a
-              rel:  reference
-              text: NIST Special Publication 800-41
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-          parts: 
-            - 
-              id:    sc-7_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Monitors and controls communications at the external boundary of the system and at
-                                        key internal boundaries within the system;
-                    """
-                - 
-                  id:         sc-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;
-                                        and
-                    """
-                - 
-                  id:         sc-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Connects to external networks or information systems only through managed
-                                        interfaces consisting of boundary protection devices arranged in accordance with
-                                        an organizational security architecture.
-                    """
-            - 
-              id:    sc-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Managed interfaces include, for example, gateways, routers, firewalls, guards,
-                                 network-based malicious code analysis and virtualization systems, or encrypted
-                                 tunnels implemented within a security architecture (e.g., routers protecting
-                                 firewalls or application gateways residing on protected subnetworks). Subnetworks
-                                 that are physically or logically separated from internal networks are referred to as
-                                 demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-                                 organizational information systems includes, for example, restricting external web
-                                 traffic to designated web servers within managed interfaces and prohibiting external
-                                 traffic that appears to be spoofing internal addresses. Organizations consider the
-                                 shared nature of commercial telecommunications services in the implementation of
-                                 security controls associated with the use of such services. Commercial
-                                 telecommunications services are commonly based on network components and consolidated
-                                 management systems shared by all attached commercial customers, and may also include
-                                 third party-provided access lines and other service elements. Such transmission
-                                 services may represent sources of increased risk despite contract security
-                                 provisions.
-                """
-              links: 
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    sc-7_obj
-              name:  objective
-              prose: Determine if the information system:
-              parts: 
-                - 
-                  id:         sc-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-7(a)
-                  parts: 
-                    - 
-                      id:         sc-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[1]
-                      prose:      monitors communications at the external boundary of the information system;
-                    - 
-                      id:         sc-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[2]
-                      prose:      monitors communications at key internal boundaries within the system;
-                    - 
-                      id:         sc-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[3]
-                      prose:      controls communications at the external boundary of the information system;
-                    - 
-                      id:         sc-7.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[4]
-                      prose:      controls communications at key internal boundaries within the system;
-                - 
-                  id:         sc-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-7(b)
-                  prose: 
-                    """
-                      implements subnetworks for publicly accessible system components that are
-                                        either:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(b)[1]
-                      prose:      physically separated from internal organizational networks; and/or
-                    - 
-                      id:         sc-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(b)[2]
-                      prose:      logically separated from internal organizational networks; and
-                - 
-                  id:         sc-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-7(c)
-                  prose: 
-                    """
-                      connects to external networks or information systems only through managed
-                                        interfaces consisting of boundary protection devices arranged in accordance with
-                                        an organizational security architecture.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing boundary protection capability
-        - 
-          id:         sc-12
-          class:      SP800-53
-          title:      Cryptographic Key Establishment and Management
-          parameters: 
-            - 
-              id:    sc-12_prm_1
-              label: 
-                """
-                  organization-defined requirements for key generation, distribution, storage,
-                                 access, and destruction
-                """
-          properties: 
-            - 
-              name:  label
-              value: SC-12
-            - 
-              name:  sort-id
-              value: sc-12
-          links: 
-            - 
-              href: #81f09e01-d0b0-4ae2-aa6a-064ed9950070
-              rel:  reference
-              text: NIST Special Publication 800-56
-            - 
-              href: #a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-              rel:  reference
-              text: NIST Special Publication 800-57
-          parts: 
-            - 
-              id:    sc-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes and manages cryptographic keys for required cryptography
-                                 employed within the information system in accordance with {{ sc-12_prm_1 }}.
-                """
-              parts: 
-                - 
-                  id:    sc-12_fr
-                  name:  item
-                  title: SC-12 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sc-12_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Federally approved and validated cryptography.
-            - 
-              id:    sc-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Cryptographic key management and establishment can be performed using manual
-                                 procedures or automated mechanisms with supporting manual procedures. Organizations
-                                 define key management requirements in accordance with applicable federal laws,
-                                 Executive Orders, directives, regulations, policies, standards, and guidance,
-                                 specifying appropriate options, levels, and parameters. Organizations manage trust
-                                 stores to ensure that only approved trust anchors are in such trust stores. This
-                                 includes certificates with visibility external to organizational information systems
-                                 and certificates related to the internal operations of systems.
-                """
-              links: 
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-            - 
-              id:    sc-12_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-12[1]
-                  prose:      defines requirements for cryptographic key:
-                  parts: 
-                    - 
-                      id:         sc-12_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][a]
-                      prose:      generation;
-                    - 
-                      id:         sc-12_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][b]
-                      prose:      distribution;
-                    - 
-                      id:         sc-12_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][c]
-                      prose:      storage;
-                    - 
-                      id:         sc-12_obj.1.d
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][d]
-                      prose:      access;
-                    - 
-                      id:         sc-12_obj.1.e
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][e]
-                      prose:      destruction; and
-                - 
-                  id:         sc-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-12[2]
-                  prose: 
-                    """
-                      establishes and manages cryptographic keys for required cryptography employed
-                                        within the information system in accordance with organization-defined requirements
-                                        for key generation, distribution, storage, access, and destruction.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment
-                                        and/or management
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing cryptographic key
-                                        establishment and management
-                    """
-        - 
-          id:         sc-13
-          class:      SP800-53
-          title:      Cryptographic Protection
-          parameters: 
-            - 
-              id:          sc-13_prm_1
-              label: 
-                """
-                  organization-defined cryptographic uses and type of cryptography required for
-                                 each use
-                """
-              constraints: 
-                - 
-                  detail: FIPS-validated or NSA-approved cryptography
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SC-13
-            - 
-              name:  sort-id
-              value: sc-13
-          links: 
-            - 
-              href: #39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-              rel:  reference
-              text: FIPS Publication 140
-            - 
-              href: #6a1041fc-054e-4230-946b-2e6f4f3731bb
-              rel:  reference
-              text: http://csrc.nist.gov/cryptval
-            - 
-              href: #9b97ed27-3dd6-4f9a-ade5-1b43e9669794
-              rel:  reference
-              text: http://www.cnss.gov
-          parts: 
-            - 
-              id:    sc-13_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements {{ sc-13_prm_1 }} in accordance with
-                                 applicable federal laws, Executive Orders, directives, policies, regulations, and
-                                 standards.
-                """
-            - 
-              id:    sc-13_gdn
-              name:  guidance
-              prose: 
-                """
-                  Cryptography can be employed to support a variety of security solutions including,
-                                 for example, the protection of classified and Controlled Unclassified Information,
-                                 the provision of digital signatures, and the enforcement of information separation
-                                 when authorized individuals have the necessary clearances for such information but
-                                 lack the necessary formal access approvals. Cryptography can also be used to support
-                                 random number generation and hash generation. Generally applicable cryptographic
-                                 standards include FIPS-validated cryptography and NSA-approved cryptography. This
-                                 control does not impose any requirements on organizations to use cryptography.
-                                 However, if cryptography is required based on the selection of other security
-                                 controls, organizations define each type of cryptographic use and the type of
-                                 cryptography required (e.g., protection of classified information: NSA-approved
-                                 cryptography; provision of digital signatures: FIPS-validated cryptography).
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #au-10
-                  rel:  related
-                  text: AU-10
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-7
-                  rel:  related
-                  text: IA-7
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    sc-13_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-13_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-13[1]
-                  prose:      the organization defines cryptographic uses; and
-                - 
-                  id:         sc-13_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-13[2]
-                  prose:      the organization defines the type of cryptography required for each use; and
-                - 
-                  id:         sc-13_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-13[3]
-                  prose: 
-                    """
-                      the information system implements the organization-defined cryptographic uses and
-                                        type of cryptography required for each use in accordance with applicable federal
-                                        laws, Executive Orders, directives, policies, regulations, and standards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing cryptographic protection
-        - 
-          id:         sc-15
-          class:      SP800-53
-          title:      Collaborative Computing Devices
-          parameters: 
-            - 
-              id:          sc-15_prm_1
-              label:       organization-defined exceptions where remote activation is to be allowed
-              constraints: 
-                - 
-                  detail: no exceptions
-          properties: 
-            - 
-              name:  label
-              value: SC-15
-            - 
-              name:  sort-id
-              value: sc-15
-          parts: 
-            - 
-              id:    sc-15_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-15_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Prohibits remote activation of collaborative computing devices with the following
-                                        exceptions: {{ sc-15_prm_1 }}; and
-                    """
-                - 
-                  id:         sc-15_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Provides an explicit indication of use to users physically present at the
-                                        devices.
-                    """
-                - 
-                  id:    sc-15_fr
-                  name:  item
-                  title: SC-15 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sc-15_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-            - 
-              id:    sc-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  Collaborative computing devices include, for example, networked white boards,
-                                 cameras, and microphones. Explicit indication of use includes, for example, signals
-                                 to users when collaborative computing devices are activated.
-                """
-              links: 
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-            - 
-              id:    sc-15_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-15.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-15(a)
-                  parts: 
-                    - 
-                      id:         sc-15.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-15(a)[1]
-                      prose: 
-                        """
-                          the organization defines exceptions where remote activation of collaborative
-                                               computing devices is to be allowed;
-                        """
-                    - 
-                      id:         sc-15.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-15(a)[2]
-                      prose: 
-                        """
-                          the information system prohibits remote activation of collaborative computing
-                                               devices, except for organization-defined exceptions where remote activation is
-                                               to be allowed; and
-                        """
-                - 
-                  id:         sc-15.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-15(b)
-                  prose: 
-                    """
-                      the information system provides an explicit indication of use to users physically
-                                        present at the devices.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative
-                                        computing devices
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing management of remote
-                                        activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing
-                                        devices
-                    """
-        - 
-          id:         sc-20
-          class:      SP800-53
-          title:      Secure Name / Address Resolution Service (authoritative Source)
-          properties: 
-            - 
-              name:  label
-              value: SC-20
-            - 
-              name:  sort-id
-              value: sc-20
-          links: 
-            - 
-              href: #28115a56-da6b-4d44-b1df-51dd7f048a3e
-              rel:  reference
-              text: OMB Memorandum 08-23
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-20_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-20_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides additional data origin authentication and integrity verification
-                                        artifacts along with the authoritative name resolution data the system returns in
-                                        response to external name/address resolution queries; and
-                    """
-                - 
-                  id:         sc-20_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Provides the means to indicate the security status of child zones and (if the
-                                        child supports secure resolution services) to enable verification of a chain of
-                                        trust among parent and child domains, when operating as part of a distributed,
-                                        hierarchical namespace.
-                    """
-            - 
-              id:    sc-20_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control enables external clients including, for example, remote Internet
-                                 clients, to obtain origin authentication and integrity verification assurances for
-                                 the host/service name to network address resolution information obtained through the
-                                 service. Information systems that provide name and address resolution services
-                                 include, for example, domain name system (DNS) servers. Additional artifacts include,
-                                 for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-                                 resource records are examples of authoritative data. The means to indicate the
-                                 security status of child zones includes, for example, the use of delegation signer
-                                 resource records in the DNS. The DNS security controls reflect (and are referenced
-                                 from) OMB Memorandum 08-23. Information systems that use technologies other than the
-                                 DNS to map between host/service names and network addresses provide other means to
-                                 assure the authenticity and integrity of response data.
-                """
-              links: 
-                - 
-                  href: #au-10
-                  rel:  related
-                  text: AU-10
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-21
-                  rel:  related
-                  text: SC-21
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-20_obj
-              name:  objective
-              prose: Determine if the information system:
-              parts: 
-                - 
-                  id:         sc-20.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-20(a)
-                  prose: 
-                    """
-                      provides additional data origin and integrity verification artifacts along with
-                                        the authoritative name resolution data the system returns in response to external
-                                        name/address resolution queries;
-                    """
-                - 
-                  id:         sc-20.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-20(b)
-                  prose: 
-                    """
-                      provides the means to, when operating as part of a distributed, hierarchical
-                                        namespace:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-20.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-20(b)[1]
-                      prose:      indicate the security status of child zones; and
-                    - 
-                      id:         sc-20.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-20(b)[2]
-                      prose: 
-                        """
-                          enable verification of a chain of trust among parent and child domains (if the
-                                               child supports secure resolution services).
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing secure name/address resolution service (authoritative
-                                        source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing secure name/address resolution
-                                        service
-                    """
-        - 
-          id:         sc-21
-          class:      SP800-53
-          title:      Secure Name / Address Resolution Service (recursive or Caching Resolver)
-          properties: 
-            - 
-              name:  label
-              value: SC-21
-            - 
-              name:  sort-id
-              value: sc-21
-          links: 
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-21_smt
-              name:  statement
-              prose: 
-                """
-                  The information system requests and performs data origin authentication and data
-                                 integrity verification on the name/address resolution responses the system receives
-                                 from authoritative sources.
-                """
-            - 
-              id:    sc-21_gdn
-              name:  guidance
-              prose: 
-                """
-                  Each client of name resolution services either performs this validation on its own,
-                                 or has authenticated channels to trusted validation providers. Information systems
-                                 that provide name and address resolution services for local clients include, for
-                                 example, recursive resolving or caching domain name system (DNS) servers. DNS client
-                                 resolvers either perform validation of DNSSEC signatures, or clients use
-                                 authenticated channels to recursive resolvers that perform such validations.
-                                 Information systems that use technologies other than the DNS to map between
-                                 host/service names and network addresses provide other means to enable clients to
-                                 verify the authenticity and integrity of response data.
-                """
-              links: 
-                - 
-                  href: #sc-20
-                  rel:  related
-                  text: SC-20
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-21_obj
-              name:  objective
-              prose: Determine if the information system: 
-              parts: 
-                - 
-                  id:         sc-21_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-21[1]
-                  prose: 
-                    """
-                      requests data origin authentication on the name/address resolution responses the
-                                        system receives from authoritative sources;
-                    """
-                - 
-                  id:         sc-21_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-21[2]
-                  prose: 
-                    """
-                      requests data integrity verification on the name/address resolution responses the
-                                        system receives from authoritative sources;
-                    """
-                - 
-                  id:         sc-21_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-21[3]
-                  prose: 
-                    """
-                      performs data origin authentication on the name/address resolution responses the
-                                        system receives from authoritative sources; and
-                    """
-                - 
-                  id:         sc-21_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-21[4]
-                  prose: 
-                    """
-                      performs data integrity verification on the name/address resolution responses the
-                                        system receives from authoritative sources.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing secure name/address resolution service (recursive or caching
-                                        resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing data origin authentication and
-                                        data integrity verification for name/address resolution services
-                    """
-        - 
-          id:         sc-22
-          class:      SP800-53
-          title:      Architecture and Provisioning for Name / Address Resolution Service
-          properties: 
-            - 
-              name:  label
-              value: SC-22
-            - 
-              name:  sort-id
-              value: sc-22
-          links: 
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-22_smt
-              name:  statement
-              prose: 
-                """
-                  The information systems that collectively provide name/address resolution service for
-                                 an organization are fault-tolerant and implement internal/external role
-                                 separation.
-                """
-            - 
-              id:    sc-22_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems that provide name and address resolution services include, for
-                                 example, domain name system (DNS) servers. To eliminate single points of failure and
-                                 to enhance redundancy, organizations employ at least two authoritative domain name
-                                 system servers, one configured as the primary server and the other configured as the
-                                 secondary server. Additionally, organizations typically deploy the servers in two
-                                 geographically separated network subnetworks (i.e., not located in the same physical
-                                 facility). For role separation, DNS servers with internal roles only process name and
-                                 address resolution requests from within organizations (i.e., from internal clients).
-                                 DNS servers with external roles only process name and address resolution information
-                                 requests from clients external to organizations (i.e., on external networks including
-                                 the Internet). Organizations specify clients that can access authoritative DNS
-                                 servers in particular roles (e.g., by address ranges, explicit lists).
-                """
-              links: 
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-20
-                  rel:  related
-                  text: SC-20
-                - 
-                  href: #sc-21
-                  rel:  related
-                  text: SC-21
-                - 
-                  href: #sc-24
-                  rel:  related
-                  text: SC-24
-            - 
-              id:    sc-22_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information systems that collectively provide name/address
-                                 resolution service for an organization: 
-                """
-              parts: 
-                - 
-                  id:         sc-22_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-22[1]
-                  prose:      are fault tolerant; and
-                - 
-                  id:         sc-22_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-22[2]
-                  prose:      implement internal/external role separation.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution
-                                        service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing name/address resolution
-                                        service for fault tolerance and role separation
-                    """
-        - 
-          id:         sc-39
-          class:      SP800-53
-          title:      Process Isolation
-          properties: 
-            - 
-              name:  label
-              value: SC-39
-            - 
-              name:  sort-id
-              value: sc-39
-          parts: 
-            - 
-              id:    sc-39_smt
-              name:  statement
-              prose: 
-                """
-                  The information system maintains a separate execution domain for each executing
-                                 process.
-                """
-            - 
-              id:    sc-39_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems can maintain separate execution domains for each executing
-                                 process by assigning each process a separate address space. Each information system
-                                 process has a distinct address space so that communication between processes is
-                                 performed in a manner controlled through the security functions, and one process
-                                 cannot modify the executing code of another process. Maintaining separate execution
-                                 domains for executing processes can be achieved, for example, by implementing
-                                 separate address spaces. This capability is available in most commercial operating
-                                 systems that employ multi-state processor technologies.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:         sc-39_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system maintains a separate execution domain for each
-                                 executing process.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system developers/integrators\n\ninformation system security architect
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing separate execution domains for
-                                        each executing process
-                    """
-    - 
-      id:       si
-      class:    family
-      title:    System and Information Integrity
-      controls: 
-        - 
-          id:         si-1
-          class:      SP800-53
-          title:      System and Information Integrity Policy and Procedures
-          parameters: 
-            - 
-              id:    si-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          si-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          si-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-1
-            - 
-              name:  sort-id
-              value: si-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    si-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ si-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         si-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and information integrity policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         si-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and information
-                                               integrity policy and associated system and information integrity controls;
-                                               and
-                        """
-                - 
-                  id:         si-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         si-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          System and information integrity policy {{ si-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         si-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and information integrity procedures {{ si-1_prm_3 }}.
-            - 
-              id:    si-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SI
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    si-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-1(a)
-                  parts: 
-                    - 
-                      id:         si-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(a)(1)
-                      parts: 
-                        - 
-                          id:         si-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and information integrity policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         si-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         si-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         si-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         si-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         si-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         si-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         si-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         si-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and information integrity
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         si-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and information integrity policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         si-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(a)(2)
-                      parts: 
-                        - 
-                          id:         si-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and information integrity policy and associated system and
-                                                      information integrity controls;
-                            """
-                        - 
-                          id:         si-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         si-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         si-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-1(b)
-                  parts: 
-                    - 
-                      id:         si-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(b)(1)
-                      parts: 
-                        - 
-                          id:         si-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      information integrity policy;
-                            """
-                        - 
-                          id:         si-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and information integrity policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         si-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(b)(2)
-                      parts: 
-                        - 
-                          id:         si-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      information integrity procedures; and
-                            """
-                        - 
-                          id:         si-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and information integrity procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and information integrity
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         si-2
-          class:      SP800-53
-          title:      Flaw Remediation
-          parameters: 
-            - 
-              id:          si-2_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: within 30 days of release of updates
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-2
-            - 
-              name:  sort-id
-              value: si-02
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    si-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Identifies, reports, and corrects information system flaws;
-                - 
-                  id:         si-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Tests software and firmware updates related to flaw remediation for effectiveness
-                                        and potential side effects before installation;
-                    """
-                - 
-                  id:         si-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and
-                - 
-                  id:         si-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Incorporates flaw remediation into the organizational configuration management
-                                        process.
-                    """
-            - 
-              id:    si-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations identify information systems affected by announced software flaws
-                                 including potential vulnerabilities resulting from those flaws, and report this
-                                 information to designated organizational personnel with information security
-                                 responsibilities. Security-relevant software updates include, for example, patches,
-                                 service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-                                 discovered during security assessments, continuous monitoring, incident response
-                                 activities, and system error handling. Organizations take advantage of available
-                                 resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-                                 Exposures (CVE) databases in remediating flaws discovered in organizational
-                                 information systems. By incorporating flaw remediation into ongoing configuration
-                                 management processes, required/anticipated remediation actions can be tracked and
-                                 verified. Flaw remediation actions that can be tracked and verified include, for
-                                 example, determining whether organizations follow US-CERT guidance and Information
-                                 Assurance Vulnerability Alerts. Organization-defined time periods for updating
-                                 security-relevant software and firmware may vary based on a variety of factors
-                                 including, for example, the security category of the information system or the
-                                 criticality of the update (i.e., severity of the vulnerability related to the
-                                 discovered flaw). Some types of flaw remediation may require more testing than other
-                                 types. Organizations determine the degree and type of testing needed for the specific
-                                 type of flaw remediation activity under consideration and also the types of changes
-                                 that are to be configuration-managed. In some situations, organizations may determine
-                                 that the testing of software and/or firmware updates is not necessary or practical,
-                                 for example, when implementing simple anti-virus signature updates. Organizations may
-                                 also consider in testing decisions, whether security-relevant software or firmware
-                                 updates are obtained from authorized sources with appropriate digital signatures.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #si-11
-                  rel:  related
-                  text: SI-11
-            - 
-              id:    si-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(a)
-                  parts: 
-                    - 
-                      id:         si-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[1]
-                      prose:      identifies information system flaws;
-                    - 
-                      id:         si-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[2]
-                      prose:      reports information system flaws;
-                    - 
-                      id:         si-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[3]
-                      prose:      corrects information system flaws;
-                - 
-                  id:         si-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(b)
-                  parts: 
-                    - 
-                      id:         si-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(b)[1]
-                      prose: 
-                        """
-                          tests software updates related to flaw remediation for effectiveness and
-                                               potential side effects before installation;
-                        """
-                    - 
-                      id:         si-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(b)[2]
-                      prose: 
-                        """
-                          tests firmware updates related to flaw remediation for effectiveness and
-                                               potential side effects before installation;
-                        """
-                - 
-                  id:         si-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(c)
-                  parts: 
-                    - 
-                      id:         si-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-2(c)[1]
-                      prose: 
-                        """
-                          defines the time period within which to install security-relevant software
-                                               updates after the release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-2(c)[2]
-                      prose: 
-                        """
-                          defines the time period within which to install security-relevant firmware
-                                               updates after the release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(c)[3]
-                      prose: 
-                        """
-                          installs software updates within the organization-defined time period of the
-                                               release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(c)[4]
-                      prose: 
-                        """
-                          installs firmware updates within the organization-defined time period of the
-                                               release of the updates; and
-                        """
-                - 
-                  id:         si-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-2(d)
-                  prose: 
-                    """
-                      incorporates flaw remediation into the organizational configuration management
-                                        process.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information
-                                        system (e.g., list of installed patches, service packs, hot fixes, and other
-                                        software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct
-                                        information system flaws\n\ninstallation/change control records for security-relevant software and firmware
-                                        updates\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for identifying, reporting, and correcting information
-                                        system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and/or implementing reporting, and correcting
-                                        information system flaws\n\nautomated mechanisms supporting and/or implementing testing software and firmware
-                                        updates
-                    """
-        - 
-          id:         si-3
-          class:      SP800-53
-          title:      Malicious Code Protection
-          parameters: 
-            - 
-              id:          si-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least weekly
-            - 
-              id:          si-3_prm_2
-              constraints: 
-                - 
-                  detail: to include endpoints
-            - 
-              id:          si-3_prm_3
-              constraints: 
-                - 
-                  detail: to include alerting administrator or defined security personnel
-            - 
-              id:         si-3_prm_4
-              depends-on: si-3_prm_3
-              label:      organization-defined action
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-3
-            - 
-              name:  sort-id
-              value: si-03
-          links: 
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-          parts: 
-            - 
-              id:    si-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs malicious code protection mechanisms at information system entry and exit
-                                        points to detect and eradicate malicious code;
-                    """
-                - 
-                  id:         si-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates malicious code protection mechanisms whenever new releases are available
-                                        in accordance with organizational configuration management policy and
-                                        procedures;
-                    """
-                - 
-                  id:         si-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Configures malicious code protection mechanisms to:
-                  parts: 
-                    - 
-                      id:         si-3_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in
-                                               accordance with organizational security policy; and
-                        """
-                    - 
-                      id:         si-3_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          
-                                               {{ si-3_prm_3 }} in response to malicious code detection;
-                                               and
-                        """
-                - 
-                  id:         si-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Addresses the receipt of false positives during malicious code detection and
-                                        eradication and the resulting potential impact on the availability of the
-                                        information system.
-                    """
-            - 
-              id:    si-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system entry and exit points include, for example, firewalls, electronic
-                                 mail servers, web servers, proxy servers, remote-access servers, workstations,
-                                 notebook computers, and mobile devices. Malicious code includes, for example,
-                                 viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-                                 various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-                                 files, or hidden in files using steganography. Malicious code can be transported by
-                                 different means including, for example, web accesses, electronic mail, electronic
-                                 mail attachments, and portable storage devices. Malicious code insertions occur
-                                 through the exploitation of information system vulnerabilities. Malicious code
-                                 protection mechanisms include, for example, anti-virus signature definitions and
-                                 reputation-based technologies. A variety of technologies and methods exist to limit
-                                 or eliminate the effects of malicious code. Pervasive configuration management and
-                                 comprehensive software integrity controls may be effective in preventing execution of
-                                 unauthorized code. In addition to commercial off-the-shelf software, malicious code
-                                 may also be present in custom-built software. This could include, for example, logic
-                                 bombs, back doors, and other types of cyber attacks that could affect organizational
-                                 missions/business functions. Traditional malicious code protection mechanisms cannot
-                                 always detect such code. In these situations, organizations rely instead on other
-                                 safeguards including, for example, secure coding practices, configuration management
-                                 and control, trusted procurement processes, and monitoring practices to help ensure
-                                 that software does not perform functions other than the functions intended.
-                                 Organizations may determine that in response to the detection of malicious code,
-                                 different actions may be warranted. For example, organizations can define actions in
-                                 response to malicious code detection during periodic scans, actions in response to
-                                 detection of malicious downloads, and/or actions in response to detection of
-                                 maliciousness when attempting to open or execute files.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sa-13
-                  rel:  related
-                  text: SA-13
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-26
-                  rel:  related
-                  text: SC-26
-                - 
-                  href: #sc-44
-                  rel:  related
-                  text: SC-44
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    si-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-3(a)
-                  prose: 
-                    """
-                      employs malicious code protection mechanisms to detect and eradicate malicious
-                                        code at information system:
-                    """
-                  parts: 
-                    - 
-                      id:         si-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(a)[1]
-                      prose:      entry points;
-                    - 
-                      id:         si-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(a)[2]
-                      prose:      exit points;
-                - 
-                  id:         si-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-3(b)
-                  prose: 
-                    """
-                      updates malicious code protection mechanisms whenever new releases are available
-                                        in accordance with organizational configuration management policy and procedures
-                                        (as identified in CM-1);
-                    """
-                - 
-                  id:         si-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(c)
-                  parts: 
-                    - 
-                      id:         si-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-3(c)[1]
-                      prose: 
-                        """
-                          defines a frequency for malicious code protection mechanisms to perform
-                                               periodic scans of the information system;
-                        """
-                    - 
-                      id:         si-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-3(c)[2]
-                      prose: 
-                        """
-                          defines action to be initiated by malicious protection mechanisms in response
-                                               to malicious code detection;
-                        """
-                    - 
-                      id:         si-3.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-3(c)[3]
-                      parts: 
-                        - 
-                          id:         si-3.c.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-3(c)[3](1)
-                          prose:      configures malicious code protection mechanisms to:
-                          parts: 
-                            - 
-                              id:         si-3.c.1_obj.3.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](1)[a]
-                              prose: 
-                                """
-                                  perform periodic scans of the information system with the
-                                                             organization-defined frequency;
-                                """
-                            - 
-                              id:         si-3.c.1_obj.3.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](1)[b]
-                              prose: 
-                                """
-                                  perform real-time scans of files from external sources at endpoint and/or
-                                                             network entry/exit points as the files are downloaded, opened, or
-                                                             executed in accordance with organizational security policy;
-                                """
-                        - 
-                          id:         si-3.c.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-3(c)[3](2)
-                          prose: 
-                            """
-                              configures malicious code protection mechanisms to do one or more of the
-                                                      following:
-                            """
-                          parts: 
-                            - 
-                              id:         si-3.c.2_obj.3.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[a]
-                              prose:      block malicious code in response to malicious code detection;
-                            - 
-                              id:         si-3.c.2_obj.3.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[b]
-                              prose:      quarantine malicious code in response to malicious code detection;
-                            - 
-                              id:         si-3.c.2_obj.3.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[c]
-                              prose: 
-                                """
-                                  send alert to administrator in response to malicious code detection;
-                                                             and/or
-                                """
-                            - 
-                              id:         si-3.c.2_obj.3.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[d]
-                              prose: 
-                                """
-                                  initiate organization-defined action in response to malicious code
-                                                             detection;
-                                """
-                - 
-                  id:         si-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(d)
-                  parts: 
-                    - 
-                      id:         si-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-3(d)[1]
-                      prose: 
-                        """
-                          addresses the receipt of false positives during malicious code detection and
-                                               eradication; and
-                        """
-                    - 
-                      id:         si-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-3(d)[2]
-                      prose: 
-                        """
-                          addresses the resulting potential impact on the availability of the information
-                                               system.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to
-                                        malicious code detection\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for employing, updating, and configuring malicious code
-                                        protection mechanisms\n\norganizational process for addressing false positives and resulting potential
-                                        impact\n\nautomated mechanisms supporting and/or implementing employing, updating, and
-                                        configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and/or implementing malicious code scanning and
-                                        subsequent actions
-                    """
-        - 
-          id:         si-4
-          class:      SP800-53
-          title:      Information System Monitoring
-          parameters: 
-            - 
-              id:    si-4_prm_1
-              label: organization-defined monitoring objectives
-            - 
-              id:    si-4_prm_2
-              label: organization-defined techniques and methods
-            - 
-              id:    si-4_prm_3
-              label: organization-defined information system monitoring information
-            - 
-              id:    si-4_prm_4
-              label: organization-defined personnel or roles
-            - 
-              id: si-4_prm_5
-            - 
-              id:         si-4_prm_6
-              depends-on: si-4_prm_5
-              label:      organization-defined frequency
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-4
-            - 
-              name:  sort-id
-              value: si-04
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-            - 
-              href: #672fd561-b92b-4713-b9cf-6c9d9456728b
-              rel:  reference
-              text: NIST Special Publication 800-92
-            - 
-              href: #d1b1d689-0f66-4474-9924-c81119758dc1
-              rel:  reference
-              text: NIST Special Publication 800-94
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    si-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Monitors the information system to detect:
-                  parts: 
-                    - 
-                      id:         si-4_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and
-                    - 
-                      id:         si-4_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Unauthorized local, network, and remote connections;
-                - 
-                  id:         si-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Identifies unauthorized use of the information system through {{ si-4_prm_2 }};
-                - 
-                  id:         si-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Deploys monitoring devices:
-                  parts: 
-                    - 
-                      id:         si-4_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Strategically within the information system to collect organization-determined
-                                               essential information; and
-                        """
-                    - 
-                      id:         si-4_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          At ad hoc locations within the system to track specific types of transactions
-                                               of interest to the organization;
-                        """
-                - 
-                  id:         si-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects information obtained from intrusion-monitoring tools from unauthorized
-                                        access, modification, and deletion;
-                    """
-                - 
-                  id:         si-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Heightens the level of information system monitoring activity whenever there is an
-                                        indication of increased risk to organizational operations and assets, individuals,
-                                        other organizations, or the Nation based on law enforcement information,
-                                        intelligence information, or other credible sources of information;
-                    """
-                - 
-                  id:         si-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Obtains legal opinion with regard to information system monitoring activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        or regulations; and
-                    """
-                - 
-                  id:         si-4_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}
-                                        {{ si-4_prm_5 }}.
-                    """
-                - 
-                  id:    si-4_fr
-                  name:  item
-                  title: SI-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         si-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      See US-CERT Incident Response Reporting Guidelines.
-            - 
-              id:    si-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system monitoring includes external and internal monitoring. External
-                                 monitoring includes the observation of events occurring at the information system
-                                 boundary (i.e., part of perimeter defense and boundary protection). Internal
-                                 monitoring includes the observation of events occurring within the information
-                                 system. Organizations can monitor information systems, for example, by observing
-                                 audit activities in real time or by observing other system aspects such as access
-                                 patterns, characteristics of access, and other actions. The monitoring objectives may
-                                 guide determination of the events. Information system monitoring capability is
-                                 achieved through a variety of tools and techniques (e.g., intrusion detection
-                                 systems, intrusion prevention systems, malicious code protection software, scanning
-                                 tools, audit record monitoring software, network monitoring software). Strategic
-                                 locations for monitoring devices include, for example, selected perimeter locations
-                                 and near server farms supporting critical applications, with such devices typically
-                                 being employed at the managed interfaces associated with controls SC-7 and AC-17.
-                                 Einstein network monitoring devices from the Department of Homeland Security can also
-                                 be included as monitoring devices. The granularity of monitoring information
-                                 collected is based on organizational monitoring objectives and the capability of
-                                 information systems to support such objectives. Specific types of transactions of
-                                 interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-                                 bypasses HTTP proxies. Information system monitoring is an integral part of
-                                 organizational continuous monitoring and incident response programs. Output from
-                                 system monitoring serves as input to continuous monitoring and incident response
-                                 programs. A network connection is any connection with a device that communicates
-                                 through a network (e.g., local area network, Internet). A remote connection is any
-                                 connection with a device communicating through an external network (e.g., the
-                                 Internet). Local, network, and remote connections can be either wired or
-                                 wireless.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-8
-                  rel:  related
-                  text: AC-8
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-26
-                  rel:  related
-                  text: SC-26
-                - 
-                  href: #sc-35
-                  rel:  related
-                  text: SC-35
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    si-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(a)
-                  parts: 
-                    - 
-                      id:         si-4.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(a)(1)
-                      parts: 
-                        - 
-                          id:         si-4.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-4(a)(1)[1]
-                          prose: 
-                            """
-                              defines monitoring objectives to detect attacks and indicators of potential
-                                                      attacks on the information system;
-                            """
-                        - 
-                          id:         si-4.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-4(a)(1)[2]
-                          prose: 
-                            """
-                              monitors the information system to detect, in accordance with
-                                                      organization-defined monitoring objectives,:
-                            """
-                          parts: 
-                            - 
-                              id:         si-4.a.1_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-4(a)(1)[2][a]
-                              prose:      attacks;
-                            - 
-                              id:         si-4.a.1_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-4(a)(1)[2][b]
-                              prose:      indicators of potential attacks;
-                    - 
-                      id:         si-4.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(a)(2)
-                      prose:      monitors the information system to detect unauthorized:
-                      parts: 
-                        - 
-                          id:         si-4.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[1]
-                          prose:      local connections;
-                        - 
-                          id:         si-4.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[2]
-                          prose:      network connections;
-                        - 
-                          id:         si-4.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[3]
-                          prose:      remote connections;
-                - 
-                  id:         si-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(b)
-                  parts: 
-                    - 
-                      id:         si-4.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(b)(1)
-                      prose: 
-                        """
-                          defines techniques and methods to identify unauthorized use of the information
-                                               system;
-                        """
-                    - 
-                      id:         si-4.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(b)(2)
-                      prose: 
-                        """
-                          identifies unauthorized use of the information system through
-                                               organization-defined techniques and methods;
-                        """
-                - 
-                  id:         si-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(c)
-                  prose:      deploys monitoring devices:
-                  parts: 
-                    - 
-                      id:         si-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(c)[1]
-                      prose: 
-                        """
-                          strategically within the information system to collect organization-determined
-                                               essential information;
-                        """
-                    - 
-                      id:         si-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(c)[2]
-                      prose: 
-                        """
-                          at ad hoc locations within the system to track specific types of transactions
-                                               of interest to the organization;
-                        """
-                - 
-                  id:         si-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(d)
-                  prose: 
-                    """
-                      protects information obtained from intrusion-monitoring tools from
-                                        unauthorized:
-                    """
-                  parts: 
-                    - 
-                      id:         si-4.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[1]
-                      prose:      access;
-                    - 
-                      id:         si-4.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[2]
-                      prose:      modification;
-                    - 
-                      id:         si-4.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[3]
-                      prose:      deletion;
-                - 
-                  id:         si-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(e)
-                  prose: 
-                    """
-                      heightens the level of information system monitoring activity whenever there is an
-                                        indication of increased risk to organizational operations and assets, individuals,
-                                        other organizations, or the Nation based on law enforcement information,
-                                        intelligence information, or other credible sources of information;
-                    """
-                - 
-                  id:         si-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: SI-4(f)
-                  prose: 
-                    """
-                      obtains legal opinion with regard to information system monitoring activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        or regulations;
-                    """
-                - 
-                  id:         si-4.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(g)
-                  parts: 
-                    - 
-                      id:         si-4.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom information system monitoring information is
-                                               to be provided;
-                        """
-                    - 
-                      id:         si-4.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[2]
-                      prose: 
-                        """
-                          defines information system monitoring information to be provided to
-                                               organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         si-4.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[3]
-                      prose: 
-                        """
-                          defines a frequency to provide organization-defined information system
-                                               monitoring to organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         si-4.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(g)[4]
-                      prose: 
-                        """
-                          provides organization-defined information system monitoring information to
-                                               organization-defined personnel or roles one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-4.g_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(g)[4][a]
-                          prose:      as needed; and/or
-                        - 
-                          id:         si-4.g_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(g)[4][b]
-                          prose:      with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility monitoring the information system
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing information system monitoring
-                                        capability
-                    """
-        - 
-          id:         si-5
-          class:      SP800-53
-          title:      Security Alerts, Advisories, and Directives
-          parameters: 
-            - 
-              id:          si-5_prm_1
-              label:       organization-defined external organizations
-              constraints: 
-                - 
-                  detail: to include US-CERT
-            - 
-              id:          si-5_prm_2
-              constraints: 
-                - 
-                  detail: to include system security personnel and administrators with configuration/patch-management responsibilities
-            - 
-              id:         si-5_prm_3
-              depends-on: si-5_prm_2
-              label:      organization-defined personnel or roles
-            - 
-              id:         si-5_prm_4
-              depends-on: si-5_prm_2
-              label:      organization-defined elements within the organization
-            - 
-              id:         si-5_prm_5
-              depends-on: si-5_prm_2
-              label:      organization-defined external organizations
-          properties: 
-            - 
-              name:  label
-              value: SI-5
-            - 
-              name:  sort-id
-              value: si-05
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-          parts: 
-            - 
-              id:    si-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Receives information system security alerts, advisories, and directives from
-                                           {{ si-5_prm_1 }} on an ongoing basis;
-                    """
-                - 
-                  id:         si-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Generates internal security alerts, advisories, and directives as deemed
-                                        necessary;
-                    """
-                - 
-                  id:         si-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and
-                - 
-                  id:         si-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Implements security directives in accordance with established time frames, or
-                                        notifies the issuing organization of the degree of noncompliance.
-                    """
-            - 
-              id:    si-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  The United States Computer Emergency Readiness Team (US-CERT) generates security
-                                 alerts and advisories to maintain situational awareness across the federal
-                                 government. Security directives are issued by OMB or other designated organizations
-                                 with the responsibility and authority to issue such directives. Compliance to
-                                 security directives is essential due to the critical nature of many of these
-                                 directives and the potential immediate adverse effects on organizational operations
-                                 and assets, individuals, other organizations, and the Nation should the directives
-                                 not be implemented in a timely manner. External organizations include, for example,
-                                 external mission/business partners, supply chain partners, external service
-                                 providers, and other peer/supporting organizations.
-                """
-              links: 
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    si-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(a)
-                  parts: 
-                    - 
-                      id:         si-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(a)[1]
-                      prose: 
-                        """
-                          defines external organizations from whom information system security alerts,
-                                               advisories and directives are to be received;
-                        """
-                    - 
-                      id:         si-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(a)[2]
-                      prose: 
-                        """
-                          receives information system security alerts, advisories, and directives from
-                                               organization-defined external organizations on an ongoing basis;
-                        """
-                - 
-                  id:         si-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-5(b)
-                  prose: 
-                    """
-                      generates internal security alerts, advisories, and directives as deemed
-                                        necessary;
-                    """
-                - 
-                  id:         si-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(c)
-                  parts: 
-                    - 
-                      id:         si-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom security alerts, advisories, and directives
-                                               are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[2]
-                      prose: 
-                        """
-                          defines elements within the organization to whom security alerts, advisories,
-                                               and directives are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[3]
-                      prose: 
-                        """
-                          defines external organizations to whom security alerts, advisories, and
-                                               directives are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(c)[4]
-                      prose: 
-                        """
-                          disseminates security alerts, advisories, and directives to one or more of the
-                                               following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-5.c_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][a]
-                          prose:      organization-defined personnel or roles;
-                        - 
-                          id:         si-5.c_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][b]
-                          prose:      organization-defined elements within the organization; and/or
-                        - 
-                          id:         si-5.c_obj.4.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][c]
-                          prose:      organization-defined external organizations; and
-                - 
-                  id:         si-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-5(d)
-                  parts: 
-                    - 
-                      id:         si-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(d)[1]
-                      prose: 
-                        """
-                          implements security directives in accordance with established time frames;
-                                               or
-                        """
-                    - 
-                      id:         si-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(d)[2]
-                      prose:      notifies the issuing organization of the degree of noncompliance.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the
-                                        information system\n\norganizational personnel, organizational elements, and/or external organizations
-                                        to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining, receiving, generating, disseminating, and
-                                        complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and/or implementing definition, receipt,
-                                        generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and/or implementing security directives
-                    """
-        - 
-          id:         si-12
-          class:      SP800-53
-          title:      Information Handling and Retention
-          properties: 
-            - 
-              name:  label
-              value: SI-12
-            - 
-              name:  sort-id
-              value: si-12
-          parts: 
-            - 
-              id:    si-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization handles and retains information within the information system and
-                                 information output from the system in accordance with applicable federal laws,
-                                 Executive Orders, directives, policies, regulations, standards, and operational
-                                 requirements.
-                """
-            - 
-              id:    si-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information handling and retention requirements cover the full life cycle of
-                                 information, in some cases extending beyond the disposal of information systems. The
-                                 National Archives and Records Administration provides guidance on records
-                                 retention.
-                """
-              links: 
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-11
-                  rel:  related
-                  text: AU-11
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-            - 
-              id:    si-12_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization, in accordance with applicable federal laws, Executive
-                                 Orders, directives, policies, regulations, standards, and operational
-                                 requirements:
-                """
-              parts: 
-                - 
-                  id:         si-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-12[1]
-                  prose:      handles information within the information system;
-                - 
-                  id:         si-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[2]
-                  prose:      handles output from the information system;
-                - 
-                  id:         si-12_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[3]
-                  prose:      retains information within the information system; and
-                - 
-                  id:         si-12_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[4]
-                  prose:      retains output from the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for information handling and
-                                        retention\n\norganizational personnel with information security responsibilities/network
-                                        administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information handling and retention\n\nautomated mechanisms supporting and/or implementing information handling and
-                                        retention
-                    """
-        - 
-          id:         si-16
-          class:      SP800-53
-          title:      Memory Protection
-          parameters: 
-            - 
-              id:    si-16_prm_1
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SI-16
-            - 
-              name:  sort-id
-              value: si-16
-          parts: 
-            - 
-              id:    si-16_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements {{ si-16_prm_1 }} to protect its
-                                 memory from unauthorized code execution.
-                """
-            - 
-              id:    si-16_gdn
-              name:  guidance
-              prose: 
-                """
-                  Some adversaries launch attacks with the intent of executing code in non-executable
-                                 regions of memory or in memory locations that are prohibited. Security safeguards
-                                 employed to protect memory include, for example, data execution prevention and
-                                 address space layout randomization. Data execution prevention safeguards can either
-                                 be hardware-enforced or software-enforced with hardware providing the greater
-                                 strength of mechanism.
-                """
-              links: 
-                - 
-                  href: #ac-25
-                  rel:  related
-                  text: AC-25
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:    si-16_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-16_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-16[1]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be implemented to protect
-                                        information system memory from unauthorized code execution; and
-                    """
-                - 
-                  id:         si-16_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-16[2]
-                  prose: 
-                    """
-                      the information system implements organization-defined security safeguards to
-                                        protect its memory from unauthorized code execution.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing memory protection for the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of security safeguards protecting information system memory from unauthorized
-                                        code execution\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing safeguards to protect
-                                        information system memory from unauthorized code execution
-                    """
-  back-matter: 
-    resources: 
-      - 
-        uuid:     0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-        title:    5 C.F.R. 731.106
-        citation: 
-          text: 
-            """
-              Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-                             Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-                             731.106).
-            """
-        rlinks: 
-          - 
-            href: http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html
-      - 
-        uuid:     bb61234b-46c3-4211-8c2b-9869222a720d
-        title:    C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-        citation: 
-          text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-        rlinks: 
-          - 
-            href: http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html
-      - 
-        uuid:     a4aa9645-9a8a-4b51-90a9-e223250f9a75
-        title:    CNSS Policy 15
-        citation: 
-          text: CNSS Policy 15
-        rlinks: 
-          - 
-            href: https://www.cnss.gov/policies.html
-      - 
-        uuid:     2d8b14e9-c8b5-4d3d-8bdc-155078f3281b
-        title:    DoD Information Assurance Vulnerability Alerts
-        citation: 
-          text: DoD Information Assurance Vulnerability Alerts
-      - 
-        uuid:     61081e7f-041d-4033-96a7-44a439071683
-        title:    DoD Instruction 5200.39
-        citation: 
-          text: DoD Instruction 5200.39
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     e42b2099-3e1c-415b-952c-61c96533c12e
-        title:    DoD Instruction 8551.01
-        citation: 
-          text: DoD Instruction 8551.01
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-        title:    Executive Order 13587
-        citation: 
-          text: Executive Order 13587
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net
-      - 
-        uuid:     56d671da-6b7b-4abf-8296-84b61980390a
-        title:    Federal Acquisition Regulation
-        citation: 
-          text: Federal Acquisition Regulation
-        rlinks: 
-          - 
-            href: https://acquisition.gov/far
-      - 
-        uuid:     023104bc-6f75-4cd5-b7d0-fc92326f8007
-        title:    Federal Continuity Directive 1
-        citation: 
-          text: Federal Continuity Directive 1
-        rlinks: 
-          - 
-            href: http://www.fema.gov/pdf/about/offices/fcd1.pdf
-      - 
-        uuid:     ba557c91-ba3e-4792-adc6-a4ae479b39ff
-        title:    FICAM Roadmap and Implementation Guidance
-        citation: 
-          text: FICAM Roadmap and Implementation Guidance
-        rlinks: 
-          - 
-            href: http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance
-      - 
-        uuid:     39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-        title:    FIPS Publication 140
-        citation: 
-          text: FIPS Publication 140
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html
-      - 
-        uuid:     d715b234-9b5b-4e07-b1ed-99836727664d
-        title:    FIPS Publication 140-2
-        citation: 
-          text: FIPS Publication 140-2
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#140-2
-      - 
-        uuid:     f2dbd4ec-c413-4714-b85b-6b7184d1c195
-        title:    FIPS Publication 197
-        citation: 
-          text: FIPS Publication 197
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#197
-      - 
-        uuid:     e85cdb3f-7f0a-4083-8639-f13f70d3760b
-        title:    FIPS Publication 199
-        citation: 
-          text: FIPS Publication 199
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#199
-      - 
-        uuid:     c80c10b3-1294-4984-a4cc-d1733ca432b9
-        title:    FIPS Publication 201
-        citation: 
-          text: FIPS Publication 201
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#201
-      - 
-        uuid:     ad733a42-a7ed-4774-b988-4930c28852f3
-        title:    HSPD-12
-        citation: 
-          text: HSPD-12
-        rlinks: 
-          - 
-            href: http://www.dhs.gov/homeland-security-presidential-directive-12
-      - 
-        uuid:     e95dd121-2733-413e-bf1e-f1eb49f20a98
-        title:    http://checklists.nist.gov
-        citation: 
-          text: http://checklists.nist.gov
-        rlinks: 
-          - 
-            href: http://checklists.nist.gov
-      - 
-        uuid:     6a1041fc-054e-4230-946b-2e6f4f3731bb
-        title:    http://csrc.nist.gov/cryptval
-        citation: 
-          text: http://csrc.nist.gov/cryptval
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/cryptval
-      - 
-        uuid:     b09d1a31-d3c9-4138-a4f4-4c63816afd7d
-        title:    http://csrc.nist.gov/groups/STM/cmvp/index.html
-        citation: 
-          text: http://csrc.nist.gov/groups/STM/cmvp/index.html
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/groups/STM/cmvp/index.html
-      - 
-        uuid:     15522e92-9192-463d-9646-6a01982db8ca
-        title:    http://cwe.mitre.org
-        citation: 
-          text: http://cwe.mitre.org
-        rlinks: 
-          - 
-            href: http://cwe.mitre.org
-      - 
-        uuid:     5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-        title:    http://fips201ep.cio.gov
-        citation: 
-          text: http://fips201ep.cio.gov
-        rlinks: 
-          - 
-            href: http://fips201ep.cio.gov
-      - 
-        uuid:     85280698-0417-489d-b214-12bb935fb939
-        title:    http://idmanagement.gov
-        citation: 
-          text: http://idmanagement.gov
-        rlinks: 
-          - 
-            href: http://idmanagement.gov
-      - 
-        uuid:     275cc052-0f7f-423c-bdb6-ed503dc36228
-        title:    http://nvd.nist.gov
-        citation: 
-          text: http://nvd.nist.gov
-        rlinks: 
-          - 
-            href: http://nvd.nist.gov
-      - 
-        uuid:     bbd50dd1-54ce-4432-959d-63ea564b1bb4
-        title:    http://www.acquisition.gov/far
-        citation: 
-          text: http://www.acquisition.gov/far
-        rlinks: 
-          - 
-            href: http://www.acquisition.gov/far
-      - 
-        uuid:     9b97ed27-3dd6-4f9a-ade5-1b43e9669794
-        title:    http://www.cnss.gov
-        citation: 
-          text: http://www.cnss.gov
-        rlinks: 
-          - 
-            href: http://www.cnss.gov
-      - 
-        uuid:     c95a9986-3cd6-4a98-931b-ccfc56cb11e5
-        title:    http://www.niap-ccevs.org
-        citation: 
-          text: http://www.niap-ccevs.org
-        rlinks: 
-          - 
-            href: http://www.niap-ccevs.org
-      - 
-        uuid:     647b6de3-81d0-4d22-bec1-5f1333e34380
-        title:    http://www.nsa.gov
-        citation: 
-          text: http://www.nsa.gov
-        rlinks: 
-          - 
-            href: http://www.nsa.gov
-      - 
-        uuid:     a47466c4-c837-4f06-a39f-e68412a5f73d
-        title:    http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-        citation: 
-          text: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-        rlinks: 
-          - 
-            href: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-      - 
-        uuid:     02631467-668b-4233-989b-3dfded2fd184
-        title:    http://www.us-cert.gov
-        citation: 
-          text: http://www.us-cert.gov
-        rlinks: 
-          - 
-            href: http://www.us-cert.gov
-      - 
-        uuid:     6caa237b-531b-43ac-9711-d8f6b97b0377
-        title:    ICD 704
-        citation: 
-          text: ICD 704
-        rlinks: 
-          - 
-            href: http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
-      - 
-        uuid:     398e33fd-f404-4e5c-b90e-2d50d3181244
-        title:    ICD 705
-        citation: 
-          text: ICD 705
-        rlinks: 
-          - 
-            href: http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
-      - 
-        uuid:     1737a687-52fb-4008-b900-cbfa836f7b65
-        title:    ISO/IEC 15408
-        citation: 
-          text: ISO/IEC 15408
-        rlinks: 
-          - 
-            href: http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341
-      - 
-        uuid:     654f21e2-f3bc-43b2-abdc-60ab8d09744b
-        title:    National Strategy for Trusted Identities in Cyberspace
-        citation: 
-          text: National Strategy for Trusted Identities in Cyberspace
-        rlinks: 
-          - 
-            href: http://www.nist.gov/nstic
-      - 
-        uuid:         9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-        title:        NIST Special Publication 800-100
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-100
-        citation: 
-          text: NIST Special Publication 800-100
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-100
-      - 
-        uuid:         3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-        title:        NIST Special Publication 800-111
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-111
-        citation: 
-          text: NIST Special Publication 800-111
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-111
-      - 
-        uuid:         349fe082-502d-464a-aa0c-1443c6a5cf40
-        title:        NIST Special Publication 800-113
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-113
-        citation: 
-          text: NIST Special Publication 800-113
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-113
-      - 
-        uuid:         1201fcf3-afb1-4675-915a-fb4ae0435717
-        title:        NIST Special Publication 800-114 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-114r1
-        citation: 
-          text: NIST Special Publication 800-114 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-114r1
-      - 
-        uuid:         c4691b88-57d1-463b-9053-2d0087913f31
-        title:        NIST Special Publication 800-115
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-115
-        citation: 
-          text: NIST Special Publication 800-115
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-115
-      - 
-        uuid:         2157bb7e-192c-4eaa-877f-93ef6b0a3292
-        title:        NIST Special Publication 800-116 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-116r1
-        citation: 
-          text: NIST Special Publication 800-116 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-116r1
-      - 
-        uuid:         5c201b63-0768-417b-ac22-3f014e3941b2
-        title:        NIST Special Publication 800-12 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-12r1
-        citation: 
-          text: NIST Special Publication 800-12 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-12r1
-      - 
-        uuid:     d1a4e2a9-e512-4132-8795-5357aba29254
-        title:    NIST Special Publication 800-121
-        citation: 
-          text: NIST Special Publication 800-121
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-121
-      - 
-        uuid:     0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589
-        title:    NIST Special Publication 800-124
-        citation: 
-          text: NIST Special Publication 800-124
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-124
-      - 
-        uuid:     080f8068-5e3e-435e-9790-d22ba4722693
-        title:    NIST Special Publication 800-128
-        citation: 
-          text: NIST Special Publication 800-128
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-128
-      - 
-        uuid:     cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-        title:    NIST Special Publication 800-137
-        citation: 
-          text: NIST Special Publication 800-137
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-137
-      - 
-        uuid:     825438c3-248d-4e30-a51e-246473ce6ada
-        title:    NIST Special Publication 800-16
-        citation: 
-          text: NIST Special Publication 800-16
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-16
-      - 
-        uuid:     6513e480-fada-4876-abba-1397084dfb26
-        title:    NIST Special Publication 800-164
-        citation: 
-          text: NIST Special Publication 800-164
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-164
-      - 
-        uuid:     9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-        title:    NIST Special Publication 800-18
-        citation: 
-          text: NIST Special Publication 800-18
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-18
-      - 
-        uuid:     0a5db899-f033-467f-8631-f5a8ba971475
-        title:    NIST Special Publication 800-23
-        citation: 
-          text: NIST Special Publication 800-23
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-23
-      - 
-        uuid:     a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-        title:    NIST Special Publication 800-30
-        citation: 
-          text: NIST Special Publication 800-30
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-30
-      - 
-        uuid:     748a81b9-9cad-463f-abde-8b368167e70d
-        title:    NIST Special Publication 800-34
-        citation: 
-          text: NIST Special Publication 800-34
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-34
-      - 
-        uuid:     0c775bc3-bfc3-42c7-a382-88949f503171
-        title:    NIST Special Publication 800-35
-        citation: 
-          text: NIST Special Publication 800-35
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-35
-      - 
-        uuid:     d818efd3-db31-4953-8afa-9e76afe83ce2
-        title:    NIST Special Publication 800-36
-        citation: 
-          text: NIST Special Publication 800-36
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-36
-      - 
-        uuid:     0a0c26b6-fd44-4274-8b36-93442d49d998
-        title:    NIST Special Publication 800-37
-        citation: 
-          text: NIST Special Publication 800-37
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-37
-      - 
-        uuid:     d480aa6a-7a88-424e-a10c-ad1c7870354b
-        title:    NIST Special Publication 800-39
-        citation: 
-          text: NIST Special Publication 800-39
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-39
-      - 
-        uuid:     bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-        title:    NIST Special Publication 800-40
-        citation: 
-          text: NIST Special Publication 800-40
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-40
-      - 
-        uuid:     756a8e86-57d5-4701-8382-f7a40439665a
-        title:    NIST Special Publication 800-41
-        citation: 
-          text: NIST Special Publication 800-41
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-41
-      - 
-        uuid:     5309d4d0-46f8-4213-a749-e7584164e5e8
-        title:    NIST Special Publication 800-46
-        citation: 
-          text: NIST Special Publication 800-46
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-46
-      - 
-        uuid:     2711f068-734e-4afd-94ba-0b22247fbc88
-        title:    NIST Special Publication 800-47
-        citation: 
-          text: NIST Special Publication 800-47
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-47
-      - 
-        uuid:     238ed479-eccb-49f6-82ec-ab74a7a428cf
-        title:    NIST Special Publication 800-48
-        citation: 
-          text: NIST Special Publication 800-48
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-48
-      - 
-        uuid:     e12b5738-de74-4fb3-8317-a3995a8a1898
-        title:    NIST Special Publication 800-50
-        citation: 
-          text: NIST Special Publication 800-50
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-50
-      - 
-        uuid:     cd4cf751-3312-4a55-b1a9-fad2f1db9119
-        title:    NIST Special Publication 800-53A
-        citation: 
-          text: NIST Special Publication 800-53A
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-53A
-      - 
-        uuid:     81f09e01-d0b0-4ae2-aa6a-064ed9950070
-        title:    NIST Special Publication 800-56
-        citation: 
-          text: NIST Special Publication 800-56
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-56
-      - 
-        uuid:     a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-        title:    NIST Special Publication 800-57
-        citation: 
-          text: NIST Special Publication 800-57
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-57
-      - 
-        uuid:     f152844f-b1ef-4836-8729-6277078ebee1
-        title:    NIST Special Publication 800-60
-        citation: 
-          text: NIST Special Publication 800-60
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-60
-      - 
-        uuid:     be95fb85-a53f-4624-bdbb-140075500aa3
-        title:    NIST Special Publication 800-61
-        citation: 
-          text: NIST Special Publication 800-61
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-61
-      - 
-        uuid:     644f44a9-a2de-4494-9c04-cd37fba45471
-        title:    NIST Special Publication 800-63
-        citation: 
-          text: NIST Special Publication 800-63
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-63
-      - 
-        uuid:     abd950ae-092f-4b7a-b374-1c7c67fe9350
-        title:    NIST Special Publication 800-64
-        citation: 
-          text: NIST Special Publication 800-64
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-64
-      - 
-        uuid:     29fcfe59-33cd-494a-8756-5907ae3a8f92
-        title:    NIST Special Publication 800-65
-        citation: 
-          text: NIST Special Publication 800-65
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-65
-      - 
-        uuid:     84a37532-6db6-477b-9ea8-f9085ebca0fc
-        title:    NIST Special Publication 800-70
-        citation: 
-          text: NIST Special Publication 800-70
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-70
-      - 
-        uuid:     ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-        title:    NIST Special Publication 800-73
-        citation: 
-          text: NIST Special Publication 800-73
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-73
-      - 
-        uuid:     2a71298a-ee90-490e-80ff-48c967173a47
-        title:    NIST Special Publication 800-76
-        citation: 
-          text: NIST Special Publication 800-76
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-76
-      - 
-        uuid:     99f331f2-a9f0-46c2-9856-a3cbb9b89442
-        title:    NIST Special Publication 800-77
-        citation: 
-          text: NIST Special Publication 800-77
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-77
-      - 
-        uuid:     2042d97b-f7f6-4c74-84f8-981867684659
-        title:    NIST Special Publication 800-78
-        citation: 
-          text: NIST Special Publication 800-78
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-78
-      - 
-        uuid:     6af1e841-672c-46c4-b121-96f603d04be3
-        title:    NIST Special Publication 800-81
-        citation: 
-          text: NIST Special Publication 800-81
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-81
-      - 
-        uuid:     6d431fee-658f-4a0e-9f2e-a38b5d398fab
-        title:    NIST Special Publication 800-83
-        citation: 
-          text: NIST Special Publication 800-83
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-83
-      - 
-        uuid:     0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-        title:    NIST Special Publication 800-84
-        citation: 
-          text: NIST Special Publication 800-84
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-84
-      - 
-        uuid:     263823e0-a971-4b00-959d-315b26278b22
-        title:    NIST Special Publication 800-88
-        citation: 
-          text: NIST Special Publication 800-88
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-88
-      - 
-        uuid:     672fd561-b92b-4713-b9cf-6c9d9456728b
-        title:    NIST Special Publication 800-92
-        citation: 
-          text: NIST Special Publication 800-92
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-92
-      - 
-        uuid:     d1b1d689-0f66-4474-9924-c81119758dc1
-        title:    NIST Special Publication 800-94
-        citation: 
-          text: NIST Special Publication 800-94
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-94
-      - 
-        uuid:     6f336ecd-f2a0-4c84-9699-0491d81b6e0d
-        title:    NIST Special Publication 800-97
-        citation: 
-          text: NIST Special Publication 800-97
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-97
-      - 
-        uuid:     9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab
-        title:    OMB Circular A-130
-        citation: 
-          text: OMB Circular A-130
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/omb/circulars_a130_a130trans4
-      - 
-        uuid:     2c5884cd-7b96-425c-862a-99877e1cf909
-        title:    OMB Memorandum 02-01
-        citation: 
-          text: OMB Memorandum 02-01
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/omb/memoranda_m02-01
-      - 
-        uuid:     ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-        title:    OMB Memorandum 04-04
-        citation: 
-          text: OMB Memorandum 04-04
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf
-      - 
-        uuid:     4da24a96-6cf8-435d-9d1f-c73247cad109
-        title:    OMB Memorandum 06-16
-        citation: 
-          text: OMB Memorandum 06-16
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf
-      - 
-        uuid:     990268bf-f4a9-4c81-91ae-dc7d3115f4b1
-        title:    OMB Memorandum 07-11
-        citation: 
-          text: OMB Memorandum 07-11
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf
-      - 
-        uuid:     0b3d8ba9-051f-498d-81ea-97f0f018c612
-        title:    OMB Memorandum 07-18
-        citation: 
-          text: OMB Memorandum 07-18
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf
-      - 
-        uuid:     0916ef02-3618-411b-a525-565c088849a6
-        title:    OMB Memorandum 08-22
-        citation: 
-          text: OMB Memorandum 08-22
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf
-      - 
-        uuid:     28115a56-da6b-4d44-b1df-51dd7f048a3e
-        title:    OMB Memorandum 08-23
-        citation: 
-          text: OMB Memorandum 08-23
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf
-      - 
-        uuid:     599fe9ba-4750-4450-9eeb-b95bd19a5e8f
-        title:    OMB Memorandum 10-06-2011
-        citation: 
-          text: OMB Memorandum 10-06-2011
-      - 
-        uuid:     74e740a4-c45d-49f3-a86e-eb747c549e01
-        title:    OMB Memorandum 11-11
-        citation: 
-          text: OMB Memorandum 11-11
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf
-      - 
-        uuid:     bedb15b7-ec5c-4a68-807f-385125751fcd
-        title:    OMB Memorandum 11-33
-        citation: 
-          text: OMB Memorandum 11-33
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf
-      - 
-        uuid:     dd2f5acd-08f1-435a-9837-f8203088dc1a
-        title: 
-          """
-            Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-                        (E-PACS)
-          """
-        citation: 
-          text: 
-            """
-              Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-                             (E-PACS)
-            """
-      - 
-        uuid:     8ade2fbe-e468-4ca8-9a40-54d7f23c32bb
-        title:    US-CERT Technical Cyber Security Alerts
-        citation: 
-          text: US-CERT Technical Cyber Security Alerts
-        rlinks: 
-          - 
-            href: http://www.us-cert.gov/ncas/alerts
-      - 
-        uuid:       985475ee-d4d6-4581-8fdf-d84d3d8caa48
-        title:      FedRAMP Applicable Laws and Regulations
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-citations
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx
-      - 
-        uuid:       1a23a771-d481-4594-9a1a-71d584fa4123
-        title:      FedRAMP Master Acronym and Glossary
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-acronyms
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf
-      - 
-        uuid:       a2381e87-3d04-4108-a30b-b4d2f36d001f
-        desc:       FedRAMP Logo
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-logo
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png
-      - 
-        uuid:       ad005eae-cc63-4e64-9109-3905a9a825e4
-        title:      NIST Special Publication (SP) 800-53
-        properties: 
-          - 
-            name:  version
-            ns:    https://fedramp.gov/ns/oscal
-            value: Revision 4
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href:       ../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml
-            media-type: application/xml
diff --git a/content/fedramp.gov/yaml/FedRAMP_LOW-baseline_profile.yaml b/content/fedramp.gov/yaml/FedRAMP_LOW-baseline_profile.yaml
deleted file mode 100644
index 0dbb71278c..0000000000
--- a/content/fedramp.gov/yaml/FedRAMP_LOW-baseline_profile.yaml
+++ /dev/null
@@ -1,12591 +0,0 @@
-profile: 
-  uuid:        4678df89-bdc1-4804-bdfd-0bb1fc5bba1a
-  metadata: 
-    title:               FedRAMP Low Baseline
-    published:           2020-06-01T00:00:00.000-04:00
-    last-modified:       2020-06-01T10:00:00.000-04:00
-    version:             1.2
-    oscal-version:       1.0.0-milestone3
-    roles: 
-      - 
-        id:    parpared-by
-        title: Document creator
-      - 
-        id:         fedramp-pmo
-        title:      The FedRAMP Program Management Office (PMO)
-        short-name: CSP
-      - 
-        id:         fedramp-jab
-        title:      The FedRAMP Joint Authorization Board (JAB)
-        short-name: CSP
-    parties: 
-      - 
-        uuid:            8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
-        type:            organization
-        party-name:      Federal Risk and Authorization Management Program: Program Management Office
-        short-name:      FedRAMP PMO
-        links: 
-          - 
-            href: https://fedramp.gov
-            rel:  homepage
-            text: 
-        addresses: 
-          - 
-            type:           work
-            postal-address: 1800 F St. NW,
-            city:           Washington
-            state:          DC
-            postal-code:    
-            country:        US
-        email-addresses: info@fedramp.gov
-      - 
-        uuid:       ca9ba80e-1342-4bfd-b32a-abac468c24b4
-        type:       organization
-        party-name: Federal Risk and Authorization Management Program: Joint Authorization Board
-        short-name: FedRAMP JAB
-    responsible-parties: 
-      prepared-by: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-pmo: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-jab: 
-        party-uuids: ca9ba80e-1342-4bfd-b32a-abac468c24b4
-  imports: 
-    - 
-      href:    #ad005eae-cc63-4e64-9109-3905a9a825e4
-      include: 
-        id-selectors: 
-          - 
-            control-id: ac-1
-          - 
-            control-id: ac-2
-          - 
-            control-id: ac-3
-          - 
-            control-id: ac-7
-          - 
-            control-id: ac-8
-          - 
-            control-id: ac-14
-          - 
-            control-id: ac-17
-          - 
-            control-id: ac-18
-          - 
-            control-id: ac-19
-          - 
-            control-id: ac-20
-          - 
-            control-id: ac-22
-          - 
-            control-id: at-1
-          - 
-            control-id: at-2
-          - 
-            control-id: at-3
-          - 
-            control-id: at-4
-          - 
-            control-id: au-1
-          - 
-            control-id: au-2
-          - 
-            control-id: au-3
-          - 
-            control-id: au-4
-          - 
-            control-id: au-5
-          - 
-            control-id: au-6
-          - 
-            control-id: au-8
-          - 
-            control-id: au-9
-          - 
-            control-id: au-11
-          - 
-            control-id: au-12
-          - 
-            control-id: ca-1
-          - 
-            control-id: ca-2
-          - 
-            control-id: ca-2.1
-          - 
-            control-id: ca-3
-          - 
-            control-id: ca-5
-          - 
-            control-id: ca-6
-          - 
-            control-id: ca-7
-          - 
-            control-id: ca-9
-          - 
-            control-id: cm-1
-          - 
-            control-id: cm-2
-          - 
-            control-id: cm-4
-          - 
-            control-id: cm-6
-          - 
-            control-id: cm-7
-          - 
-            control-id: cm-8
-          - 
-            control-id: cm-10
-          - 
-            control-id: cm-11
-          - 
-            control-id: cp-1
-          - 
-            control-id: cp-2
-          - 
-            control-id: cp-3
-          - 
-            control-id: cp-4
-          - 
-            control-id: cp-9
-          - 
-            control-id: cp-10
-          - 
-            control-id: ia-1
-          - 
-            control-id: ia-2
-          - 
-            control-id: ia-2.1
-          - 
-            control-id: ia-2.12
-          - 
-            control-id: ia-4
-          - 
-            control-id: ia-5
-          - 
-            control-id: ia-5.1
-          - 
-            control-id: ia-5.11
-          - 
-            control-id: ia-6
-          - 
-            control-id: ia-7
-          - 
-            control-id: ia-8
-          - 
-            control-id: ia-8.1
-          - 
-            control-id: ia-8.2
-          - 
-            control-id: ia-8.3
-          - 
-            control-id: ia-8.4
-          - 
-            control-id: ir-1
-          - 
-            control-id: ir-2
-          - 
-            control-id: ir-4
-          - 
-            control-id: ir-5
-          - 
-            control-id: ir-6
-          - 
-            control-id: ir-7
-          - 
-            control-id: ir-8
-          - 
-            control-id: ma-1
-          - 
-            control-id: ma-2
-          - 
-            control-id: ma-4
-          - 
-            control-id: ma-5
-          - 
-            control-id: mp-1
-          - 
-            control-id: mp-2
-          - 
-            control-id: mp-6
-          - 
-            control-id: mp-7
-          - 
-            control-id: pe-1
-          - 
-            control-id: pe-2
-          - 
-            control-id: pe-3
-          - 
-            control-id: pe-6
-          - 
-            control-id: pe-8
-          - 
-            control-id: pe-12
-          - 
-            control-id: pe-13
-          - 
-            control-id: pe-14
-          - 
-            control-id: pe-15
-          - 
-            control-id: pe-16
-          - 
-            control-id: pl-1
-          - 
-            control-id: pl-2
-          - 
-            control-id: pl-4
-          - 
-            control-id: ps-1
-          - 
-            control-id: ps-2
-          - 
-            control-id: ps-3
-          - 
-            control-id: ps-4
-          - 
-            control-id: ps-5
-          - 
-            control-id: ps-6
-          - 
-            control-id: ps-7
-          - 
-            control-id: ps-8
-          - 
-            control-id: ra-1
-          - 
-            control-id: ra-2
-          - 
-            control-id: ra-3
-          - 
-            control-id: ra-5
-          - 
-            control-id: sa-1
-          - 
-            control-id: sa-2
-          - 
-            control-id: sa-3
-          - 
-            control-id: sa-4
-          - 
-            control-id: sa-5
-          - 
-            control-id: sa-9
-          - 
-            control-id: sc-1
-          - 
-            control-id: sc-5
-          - 
-            control-id: sc-7
-          - 
-            control-id: sc-12
-          - 
-            control-id: sc-13
-          - 
-            control-id: sc-15
-          - 
-            control-id: sc-20
-          - 
-            control-id: sc-21
-          - 
-            control-id: sc-22
-          - 
-            control-id: sc-39
-          - 
-            control-id: si-1
-          - 
-            control-id: si-2
-          - 
-            control-id: si-3
-          - 
-            control-id: si-4
-          - 
-            control-id: si-5
-          - 
-            control-id: si-12
-          - 
-            control-id: si-16
-  merge: 
-    combine: 
-      method: keep
-    as-is:   true
-  modify: 
-    parameter-settings: 
-      ac-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ac-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ac-2_prm_4: 
-        constraints: 
-          - 
-            detail: at least annually
-      ac-7_prm_1: 
-        constraints: 
-          - 
-            detail: not more than three (3)
-      ac-7_prm_2: 
-        constraints: 
-          - 
-            detail: fifteen (15) minutes
-      ac-7_prm_4: 
-        constraints: 
-          - 
-            detail: thirty (30) minutes
-      ac-8_prm_1: 
-        constraints: 
-          - 
-            detail: see additional Requirements and Guidance
-      ac-8_prm_2: 
-        constraints: 
-          - 
-            detail: see additional Requirements and Guidance
-      ac-22_prm_1: 
-        constraints: 
-          - 
-            detail: at least quarterly
-      at-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      at-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      at-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      at-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      at-4_prm_1: 
-        constraints: 
-          - 
-            detail: At least one year
-      au-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      au-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      au-2_prm_1: 
-        constraints: 
-          - 
-            detail: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-      au-2_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event
-      au-5_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined actions to be taken (overwrite oldest record)
-      au-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      au-11_prm_1: 
-        constraints: 
-          - 
-            detail: at least ninety days
-      au-12_prm_1: 
-        constraints: 
-          - 
-            detail: all information system and network components where audit capability is deployed/available
-      ca-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ca-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-2_prm_2: 
-        constraints: 
-          - 
-            detail: individuals or roles to include FedRAMP PMO
-      ca-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually and on input from FedRAMP
-      ca-5_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      ca-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least every three years or when a significant change occurs
-      ca-7_prm_4: 
-        constraints: 
-          - 
-            detail: to meet Federal and FedRAMP requirements (See additional guidance)
-      ca-7_prm_5: 
-        constraints: 
-          - 
-            detail: to meet Federal and FedRAMP requirements (See additional guidance)
-      cm-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      cm-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      cm-6_prm_1: 
-        constraints: 
-          - 
-            detail: United States Government Configuration Baseline (USGCB)
-      cm-7_prm_1: 
-        constraints: 
-          - 
-            detail: United States Government Configuration Baseline (USGCB)
-      cm-8_prm_2: 
-        constraints: 
-          - 
-            detail: at least monthly
-      cm-11_prm_3: 
-        constraints: 
-          - 
-            detail: Continuously (via CM-7 (5))
-      cp-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      cp-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-2_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-3_prm_1: 
-        constraints: 
-          - 
-            detail: ten (10) days
-      cp-3_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-4_prm_1: 
-        constraints: 
-          - 
-            detail: at least every three years
-      cp-4_prm_2: 
-        constraints: 
-          - 
-            detail: classroom exercises/table top written tests
-      cp-9_prm_1: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9_prm_2: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9_prm_3: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      ia-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ia-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ia-4_prm_2: 
-        constraints: 
-          - 
-            detail: IA-4 (d) [at least two years]
-      ia-4_prm_3: 
-        constraints: 
-          - 
-            detail: ninety days for user identifiers (See additional requirements and guidance)
-      ia-5.1_prm_2: 
-        constraints: 
-          - 
-            detail: at least one
-      ia-5.1_prm_4: 
-        constraints: 
-          - 
-            detail: twenty four
-      ir-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ir-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-2_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-6_prm_1: 
-        constraints: 
-          - 
-            detail: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-      ir-8_prm_2: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP Requirements and Guidance
-      ir-8_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-8_prm_4: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP Requirements and Guidance
-      ma-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ma-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      mp-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      mp-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      pe-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-3_prm_2: 
-        constraints: 
-          - 
-            detail: CSP defined physical access control systems/devices AND guards
-      pe-3_prm_3: 
-        constraints: 
-          - 
-            detail: CSP defined physical access control systems/devices
-      pe-3_prm_6: 
-        constraints: 
-          - 
-            detail: in all circumstances within restricted access area where the information system resides
-      pe-3_prm_8: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-3_prm_9: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      pe-8_prm_1: 
-        constraints: 
-          - 
-            detail: for a minimum of one (1) year
-      pe-8_prm_2: 
-        constraints: 
-          - 
-            detail: at least monthly
-      pe-14_prm_1: 
-        constraints: 
-          - 
-            detail: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-      pe-14_prm_2: 
-        constraints: 
-          - 
-            detail: continuously
-      pe-16_prm_1: 
-        constraints: 
-          - 
-            detail: all information system components
-      pl-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      pl-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      pl-2_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      pl-4_prm_1: 
-        constraints: 
-          - 
-            detail: At least every 3 years
-      ps-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ps-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least every three years
-      ps-3_prm_1: 
-        constraints: 
-          - 
-            detail: For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.
-      ps-4_prm_1: 
-        constraints: 
-          - 
-            detail: same day
-      ps-5_prm_4: 
-        constraints: 
-          - 
-            detail: five days of the time period following the formal transfer action (DoD 24 hours)
-      ps-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-6_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-7_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined time period - same day
-      ra-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ra-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ra-3_prm_2: 
-        constraints: 
-          - 
-            detail: security assessment report
-      ra-3_prm_3: 
-        constraints: 
-          - 
-            detail: at least every three (3) years or when a significant change occurs
-      ra-3_prm_5: 
-        constraints: 
-          - 
-            detail: at least every three (3) years or when a significant change occurs
-      ra-5_prm_1: 
-        constraints: 
-          - 
-            detail: monthly operating system/infrastructure; monthly web applications and databases
-      ra-5_prm_2: 
-        constraints: 
-          - 
-            detail: [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.
-      sa-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      sa-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      sa-9_prm_1: 
-        constraints: 
-          - 
-            detail: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-      sa-9_prm_2: 
-        constraints: 
-          - 
-            detail: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-      sc-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      sc-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      sc-13_prm_1: 
-        constraints: 
-          - 
-            detail: FIPS-validated or NSA-approved cryptography
-      sc-15_prm_1: 
-        constraints: 
-          - 
-            detail: no exceptions
-      si-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      si-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      si-2_prm_1: 
-        constraints: 
-          - 
-            detail: within 30 days of release of updates
-      si-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      si-3_prm_2: 
-        constraints: 
-          - 
-            detail: to include endpoints
-      si-3_prm_3: 
-        constraints: 
-          - 
-            detail: to include alerting administrator or defined security personnel
-      si-5_prm_1: 
-        constraints: 
-          - 
-            detail: to include US-CERT
-      si-5_prm_2: 
-        constraints: 
-          - 
-            detail: to include system security personnel and administrators with configuration/patch-management responsibilities
-    alterations: 
-      - 
-        control-id: ac-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-14
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-14.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-14.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-14.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-17
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-18
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-18.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-18.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-19
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-19
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-19.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-19.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.g_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.h_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.i_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.j_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.j_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.k_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-20
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-20.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-20.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-22
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-22
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-22.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-22.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-8_smt
-            parts: 
-              - 
-                id:    ac-8_fr
-                name:  item
-                title: AC-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-                  - 
-                    id:         ac-8_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-                  - 
-                    id:         ac-8_fr_smt.3
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     ac-8.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-8.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-8.c.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: at-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: at-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: at-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: at-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     at-4.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-4.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: au-11
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-11_smt
-            parts: 
-              - 
-                id:    au-11_fr
-                name:  item
-                title: AU-11 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-11_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-          - 
-            position:   starting
-            id-ref:     au-11
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-11.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-12.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-12.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-12.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-2_smt
-            parts: 
-              - 
-                id:    au-2_fr
-                name:  item
-                title: AU-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-2_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     au-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-6_smt
-            parts: 
-              - 
-                id:    au-6_fr
-                name:  item
-                title: AU-6 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-          - 
-            position:   starting
-            id-ref:     au-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-9.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-9.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ca-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-2_smt
-            parts: 
-              - 
-                id:    ca-2_fr
-                name:  item
-                title: CA-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-2.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-2.1_smt
-            parts: 
-              - 
-                id:    ca-2.1_fr
-                name:  item
-                title: CA-2 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-          - 
-            position:   starting
-            id-ref:     ca-2.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-5_smt
-            parts: 
-              - 
-                id:    ca-5_fr
-                name:  item
-                title: CA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-5_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Plan of Action & Milestones (POA&M) must be provided at least monthly.
-                  - 
-                    id:         ca-5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-6_smt
-            parts: 
-              - 
-                id:    ca-6_fr
-                name:  item
-                title: CA-6(c) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     ca-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-6.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-6.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-7
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-7_smt
-            parts: 
-              - 
-                id:    ca-7_fr
-                name:  item
-                title: CA-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-7_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-                  - 
-                    id:         ca-7_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-                  - 
-                    id:         ca-7_fr_gdn.2
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-9.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-10.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-10.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-10.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-11.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-11.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-6_smt
-            parts: 
-              - 
-                id:    cm-6_fr
-                name:  item
-                title: CM-6(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement 1:
-                    prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. 
-                  - 
-                    id:         cm-6_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement 2:
-                    prose:      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available).
-                  - 
-                    id:         cm-6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline).
-          - 
-            position:   starting
-            id-ref:     cm-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-7_smt
-            parts: 
-              - 
-                id:    cm-7_fr
-                name:  item
-                title: CM-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-7_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-                  - 
-                    id:         cm-7_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc)
-                        							Partially derived from AC-17(8).
-                      """
-          - 
-            position:   starting
-            id-ref:     cm-7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-8_smt
-            parts: 
-              - 
-                id:    cm-8_fr
-                name:  item
-                title: CM-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Must be provided at least monthly or when there is a change.
-          - 
-            position:   starting
-            id-ref:     cm-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-8.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cp-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-10.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-2_smt
-            parts: 
-              - 
-                id:    cp-2_fr
-                name:  item
-                title: CP-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-2_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-2 Requirement:
-                    prose:      For JAB authorizations the contingency lists include designated FedRAMP personnel.
-          - 
-            position:   starting
-            id-ref:     cp-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-2.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.6_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.6_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-2.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.g_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-4_smt
-            parts: 
-              - 
-                id:    cp-4_fr
-                name:  item
-                title: CP-4(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-4_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-4(a) Requirement:
-                    prose:      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-          - 
-            position:   starting
-            id-ref:     cp-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-9
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-9_smt
-            parts: 
-              - 
-                id:    cp-9_fr
-                name:  item
-                title: CP-9 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-9_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-                  - 
-                    id:         cp-9_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(a) Requirement:
-                    prose:      The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-                  - 
-                    id:         cp-9_fr_smt.b
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(b)Requirement:
-                    prose:      The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-                  - 
-                    id:         cp-9_fr_smt.c
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(c)Requirement:
-                    prose:      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-          - 
-            position:   starting
-            id-ref:     cp-9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ia-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.12
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-2.12_smt
-            parts: 
-              - 
-                id:    ia-2.12_fr
-                name:  item
-                title: IA-2 (12) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-2.12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-          - 
-            position:   starting
-            id-ref:     ia-2.12_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-4_smt
-            parts: 
-              - 
-                id:    ia-4_fr
-                name:  item
-                title: IA-4(e) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-4_fr_smt.e
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines the time period of inactivity for device identifiers.
-                  - 
-                    id:         ia-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx).
-          - 
-            position:   starting
-            id-ref:     ia-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-5_smt
-            parts: 
-              - 
-                id:    ia-5_fr
-                name:  item
-                title: IA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-5_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3).
-          - 
-            position:   starting
-            id-ref:     ia-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.h_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.i_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-5.i_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.j_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-5.1_smt
-            parts: 
-              - 
-                id:    ia-5.1_fr
-                name:  item
-                title: IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-5.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance (a) (d):
-                    prose:      If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-          - 
-            position:   starting
-            id-ref:     ia-5.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.11_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-8.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ir-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-4_smt
-            parts: 
-              - 
-                id:    ir-4_fr
-                name:  item
-                title: IR-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-4_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-          - 
-            position:   starting
-            id-ref:     ir-4.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-6_smt
-            parts: 
-              - 
-                id:    ir-6_fr
-                name:  item
-                title: IR-6 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Report security incident information according to FedRAMP Incident Communications Procedure.
-          - 
-            position:   starting
-            id-ref:     ir-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-7.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-8_smt
-            parts: 
-              - 
-                id:    ir-8_fr
-                name:  item
-                title: IR-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-8_fr_smt.b
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Requirement:
-                    prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-                  - 
-                    id:         ir-8_fr_smt.e
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (e) Requirement:
-                    prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-          - 
-            position:   starting
-            id-ref:     ir-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-8.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.a.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-8.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ma-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ma-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ma-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: mp-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     mp-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: mp-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: pe-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-13
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-13.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-14
-        additions: 
-          - 
-            position: ending
-            id-ref:   pe-14_smt
-            parts: 
-              - 
-                id:    pe-14_fr
-                name:  item
-                title: PE-14(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         pe-14_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider measures temperature at server inlets and humidity levels by dew point.
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-15
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-15_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-16
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.6
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.7
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.8
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.9
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: pe-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-6.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: pe-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-8.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-8.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pl-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: pl-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pl-2.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.9_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ps-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.c.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-6.c.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.c.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-7.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ra-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ra-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-3_smt
-            parts: 
-              - 
-                id:    ra-3_fr
-                name:  item
-                title: RA-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
-                  - 
-                    id:         ra-3_fr_smt.d
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: RA-3 (d) Requirement:
-                    prose:      Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-          - 
-            position:   starting
-            id-ref:     ra-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5
-        additions: 
-          - 
-            id-ref: ra-5_smt
-            parts: 
-              - 
-                id:         ra-5_fr_smt.a
-                name:       item
-                title:      RA-5(a) Additional FedRAMP Requirements and Guidance
-                properties: 
-                  - 
-                    name:  label
-                    value: RA-5 (a)Requirement:
-                prose:      An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-              - 
-                id:         ra-5_fr_smt.e
-                name:       item
-                title:      RA-5(e) Additional FedRAMP Requirements and Guidance
-                properties: 
-                  - 
-                    name:  label
-                    value: RA-5 (e)Requirement:
-                prose:      To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-              - 
-                id:    ra-5_fr
-                name:  item
-                title: RA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        
-                                             **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))
-                      """
-          - 
-            position:   starting
-            id-ref:     ra-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: sa-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-4_smt
-            parts: 
-              - 
-                id:    sa-4_fr
-                name:  item
-                title: SA-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html).
-          - 
-            position:   starting
-            id-ref:     sa-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-9_smt
-            parts: 
-              - 
-                id:    sa-9_fr
-                name:  item
-                title: SA-9 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-9_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide [https://www.FedRAMP.gov/documents](https://www.FedRAMP.gov/documents)
-                                          
-                      """
-                  - 
-                    id:         sa-9_fr_gdn.2
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sc-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: sc-12
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-12_smt
-            parts: 
-              - 
-                id:    sc-12_fr
-                name:  item
-                title: SC-12 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Federally approved and validated cryptography.
-          - 
-            position:   starting
-            id-ref:     sc-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-12.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-13
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-13
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-15
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-15_smt
-            parts: 
-              - 
-                id:    sc-15_fr
-                name:  item
-                title: SC-15 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-15_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-          - 
-            position:   starting
-            id-ref:     sc-15.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-15.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-15.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-20
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-20.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-20.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-21
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-22
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-22_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-22_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-39
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-39_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-5.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-5.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: si-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-12_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-3.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.c.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   si-4_smt
-            parts: 
-              - 
-                id:    si-4_fr
-                name:  item
-                title: SI-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         si-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      See US-CERT Incident Response Reporting Guidelines.
-          - 
-            position:   starting
-            id-ref:     si-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-4.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.b.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.b.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-  back-matter: 
-    resources: 
-      - 
-        uuid:       985475ee-d4d6-4581-8fdf-d84d3d8caa48
-        title:      FedRAMP Applicable Laws and Regulations
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-citations
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx
-      - 
-        uuid:       1a23a771-d481-4594-9a1a-71d584fa4123
-        title:      FedRAMP Master Acronym and Glossary
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-acronyms
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf
-      - 
-        uuid:       a2381e87-3d04-4108-a30b-b4d2f36d001f
-        desc:       FedRAMP Logo
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-logo
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png
-      - 
-        uuid:       ad005eae-cc63-4e64-9109-3905a9a825e4
-        title:      NIST Special Publication (SP) 800-53
-        properties: 
-          - 
-            name:  version
-            ns:    https://fedramp.gov/ns/oscal
-            value: Revision 4
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href:       ../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml
-            media-type: application/xml
diff --git a/content/fedramp.gov/yaml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.yaml b/content/fedramp.gov/yaml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.yaml
deleted file mode 100644
index 7f24697171..0000000000
--- a/content/fedramp.gov/yaml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.yaml
+++ /dev/null
@@ -1,72916 +0,0 @@
-catalog: 
-  uuid:        c9301b61-9f2b-431e-9c7f-c8ffcd110388
-  metadata: 
-    title:               FedRAMP Moderate Baseline
-    published:           2020-06-01T00:00:00.000-04:00
-    last-modified:       2020-06-01T10:00:00.000-04:00
-    version:             1.2
-    oscal-version:       1.0.0-milestone3
-    properties: 
-      - 
-        name:  resolution-timestamp
-        value: 2020-08-31T17:38:53.967424Z
-    links: 
-      - 
-        href: FedRAMP_MODERATE-baseline_profile.xml
-        rel:  resolution-source
-        text: FedRAMP Moderate Baseline
-    roles: 
-      - 
-        id:    parpared-by
-        title: Document creator
-      - 
-        id:         fedramp-pmo
-        title:      The FedRAMP Program Management Office (PMO)
-        short-name: CSP
-      - 
-        id:         fedramp-jab
-        title:      The FedRAMP Joint Authorization Board (JAB)
-        short-name: CSP
-    parties: 
-      - 
-        uuid:            8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
-        type:            organization
-        party-name:      Federal Risk and Authorization Management Program: Program Management Office
-        short-name:      FedRAMP PMO
-        links: 
-          - 
-            href: https://fedramp.gov
-            rel:  homepage
-            text: 
-        addresses: 
-          - 
-            type:           work
-            postal-address: 1800 F St. NW,
-            city:           Washington
-            state:          DC
-            postal-code:    
-            country:        US
-        email-addresses: info@fedramp.gov
-      - 
-        uuid:       ca9ba80e-1342-4bfd-b32a-abac468c24b4
-        type:       organization
-        party-name: Federal Risk and Authorization Management Program: Joint Authorization Board
-        short-name: FedRAMP JAB
-    responsible-parties: 
-      prepared-by: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-pmo: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-jab: 
-        party-uuids: ca9ba80e-1342-4bfd-b32a-abac468c24b4
-  groups: 
-    - 
-      id:       ac
-      class:    family
-      title:    Access Control
-      controls: 
-        - 
-          id:         ac-1
-          class:      SP800-53
-          title:      Access Control Policy and Procedures
-          parameters: 
-            - 
-              id:    ac-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ac-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ac-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-1
-            - 
-              name:  sort-id
-              value: ac-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ac-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ac-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ac-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An access control policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ac-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the access control policy and
-                                               associated access controls; and
-                        """
-                - 
-                  id:         ac-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ac-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Access control policy {{ ac-1_prm_2 }}; and
-                    - 
-                      id:         ac-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Access control procedures {{ ac-1_prm_3 }}.
-            - 
-              id:    ac-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AC
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ac-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-1(a)
-                  parts: 
-                    - 
-                      id:         ac-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ac-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[1]
-                          prose:      develops and documents an access control policy that addresses:
-                          parts: 
-                            - 
-                              id:         ac-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ac-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ac-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ac-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ac-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ac-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ac-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AC-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ac-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the access control policy are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ac-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AC-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the access control policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         ac-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ac-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      access control policy and associated access control controls;
-                            """
-                        - 
-                          id:         ac-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ac-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AC-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ac-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-1(b)
-                  parts: 
-                    - 
-                      id:         ac-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ac-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current access control
-                                                      policy;
-                            """
-                        - 
-                          id:         ac-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current access control policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ac-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ac-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current access control
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ac-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current access control procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ac-2
-          class:      SP800-53
-          title:      Account Management
-          parameters: 
-            - 
-              id:    ac-2_prm_1
-              label: organization-defined information system account types
-            - 
-              id:    ac-2_prm_2
-              label: organization-defined personnel or roles
-            - 
-              id:    ac-2_prm_3
-              label: organization-defined procedures or conditions
-            - 
-              id:          ac-2_prm_4
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-2
-            - 
-              name:  sort-id
-              value: ac-02
-          parts: 
-            - 
-              id:    ac-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifies and selects the following types of information system accounts to
-                                        support organizational missions/business functions: {{ ac-2_prm_1 }};
-                    """
-                - 
-                  id:         ac-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Assigns account managers for information system accounts;
-                - 
-                  id:         ac-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Establishes conditions for group and role membership;
-                - 
-                  id:         ac-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Specifies authorized users of the information system, group and role membership,
-                                        and access authorizations (i.e., privileges) and other attributes (as required)
-                                        for each account;
-                    """
-                - 
-                  id:         ac-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Requires approvals by {{ ac-2_prm_2 }} for requests to create
-                                        information system accounts;
-                    """
-                - 
-                  id:         ac-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Creates, enables, modifies, disables, and removes information system accounts in
-                                        accordance with {{ ac-2_prm_3 }};
-                    """
-                - 
-                  id:         ac-2_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Monitors the use of information system accounts;
-                - 
-                  id:         ac-2_smt.h
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: h.
-                  prose:      Notifies account managers:
-                  parts: 
-                    - 
-                      id:         ac-2_smt.h.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      When accounts are no longer required;
-                    - 
-                      id:         ac-2_smt.h.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      When users are terminated or transferred; and
-                    - 
-                      id:         ac-2_smt.h.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      When individual information system usage or need-to-know changes;
-                - 
-                  id:         ac-2_smt.i
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: i.
-                  prose:      Authorizes access to the information system based on:
-                  parts: 
-                    - 
-                      id:         ac-2_smt.i.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      A valid access authorization;
-                    - 
-                      id:         ac-2_smt.i.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Intended system usage; and
-                    - 
-                      id:         ac-2_smt.i.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Other attributes as required by the organization or associated
-                                               missions/business functions;
-                        """
-                - 
-                  id:         ac-2_smt.j
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: j.
-                  prose:      Reviews accounts for compliance with account management requirements {{ ac-2_prm_4 }}; and
-                - 
-                  id:         ac-2_smt.k
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: k.
-                  prose: 
-                    """
-                      Establishes a process for reissuing shared/group account credentials (if deployed)
-                                        when individuals are removed from the group.
-                    """
-            - 
-              id:    ac-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system account types include, for example, individual, shared, group,
-                                 system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-                                 service. Some of the account management requirements listed above can be implemented
-                                 by organizational information systems. The identification of authorized users of the
-                                 information system and the specification of access privileges reflects the
-                                 requirements in other security controls in the security plan. Users requiring
-                                 administrative privileges on information system accounts receive additional scrutiny
-                                 by appropriate organizational personnel (e.g., system owner, mission/business owner,
-                                 or chief information security officer) responsible for approving such accounts and
-                                 privileged access. Organizations may choose to define access privileges or other
-                                 attributes by account, by type of account, or a combination of both. Other attributes
-                                 required for authorizing access include, for example, restrictions on time-of-day,
-                                 day-of-week, and point-of-origin. In defining other account attributes, organizations
-                                 consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-                                 and mission/business requirements, (e.g., time zone differences, customer
-                                 requirements, remote access to support travel requirements). Failure to consider
-                                 these factors could affect information system availability. Temporary and emergency
-                                 accounts are accounts intended for short-term use. Organizations establish temporary
-                                 accounts as a part of normal account activation procedures when there is a need for
-                                 short-term accounts without the demand for immediacy in account activation.
-                                 Organizations establish emergency accounts in response to crisis situations and with
-                                 the need for rapid account activation. Therefore, emergency account activation may
-                                 bypass normal account authorization processes. Emergency and temporary accounts are
-                                 not to be confused with infrequently used accounts (e.g., local logon accounts used
-                                 for special tasks defined by organizations or when network resources are
-                                 unavailable). Such accounts remain available and are not subject to automatic
-                                 disabling or removal dates. Conditions for disabling or deactivating accounts
-                                 include, for example: (i) when shared/group, emergency, or temporary accounts are no
-                                 longer required; or (ii) when individuals are transferred or terminated. Some types
-                                 of information system accounts may require specialized training.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-10
-                  rel:  related
-                  text: AC-10
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    ac-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(a)
-                  parts: 
-                    - 
-                      id:         ac-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(a)[1]
-                      prose: 
-                        """
-                          defines information system account types to be identified and selected to
-                                               support organizational missions/business functions;
-                        """
-                    - 
-                      id:         ac-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AC-2(a)[2]
-                      prose: 
-                        """
-                          identifies and selects organization-defined information system account types to
-                                               support organizational missions/business functions;
-                        """
-                - 
-                  id:         ac-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AC-2(b)
-                  prose:      assigns account managers for information system accounts;
-                - 
-                  id:         ac-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(c)
-                  prose:      establishes conditions for group and role membership;
-                - 
-                  id:         ac-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(d)
-                  prose:      specifies for each account (as required):
-                  parts: 
-                    - 
-                      id:         ac-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[1]
-                      prose:      authorized users of the information system;
-                    - 
-                      id:         ac-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[2]
-                      prose:      group and role membership;
-                    - 
-                      id:         ac-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[3]
-                      prose:      access authorizations (i.e., privileges);
-                    - 
-                      id:         ac-2.d_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(d)[4]
-                      prose:      other attributes;
-                - 
-                  id:         ac-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(e)
-                  parts: 
-                    - 
-                      id:         ac-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(e)[1]
-                      prose: 
-                        """
-                          defines personnel or roles required to approve requests to create information
-                                               system accounts;
-                        """
-                    - 
-                      id:         ac-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(e)[2]
-                      prose: 
-                        """
-                          requires approvals by organization-defined personnel or roles for requests to
-                                               create information system accounts;
-                        """
-                - 
-                  id:         ac-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(f)
-                  parts: 
-                    - 
-                      id:         ac-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(f)[1]
-                      prose:      defines procedures or conditions to:
-                      parts: 
-                        - 
-                          id:         ac-2.f_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][a]
-                          prose:      create information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][b]
-                          prose:      enable information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][c]
-                          prose:      modify information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][d]
-                          prose:      disable information system accounts;
-                        - 
-                          id:         ac-2.f_obj.1.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[1][e]
-                          prose:      remove information system accounts;
-                    - 
-                      id:         ac-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(f)[2]
-                      prose:      in accordance with organization-defined procedures or conditions:
-                      parts: 
-                        - 
-                          id:         ac-2.f_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][a]
-                          prose:      creates information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][b]
-                          prose:      enables information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][c]
-                          prose:      modifies information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][d]
-                          prose:      disables information system accounts;
-                        - 
-                          id:         ac-2.f_obj.2.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(f)[2][e]
-                          prose:      removes information system accounts;
-                - 
-                  id:         ac-2.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(g)
-                  prose:      monitors the use of information system accounts;
-                - 
-                  id:         ac-2.h_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(h)
-                  prose:      notifies account managers:
-                  parts: 
-                    - 
-                      id:         ac-2.h.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(1)
-                      prose:      when accounts are no longer required;
-                    - 
-                      id:         ac-2.h.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(2)
-                      prose:      when users are terminated or transferred;
-                    - 
-                      id:         ac-2.h.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(h)(3)
-                      prose:      when individual information system usage or need to know changes;
-                - 
-                  id:         ac-2.i_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-2(i)
-                  prose:      authorizes access to the information system based on;
-                  parts: 
-                    - 
-                      id:         ac-2.i.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(1)
-                      prose:      a valid access authorization;
-                    - 
-                      id:         ac-2.i.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(2)
-                      prose:      intended system usage;
-                    - 
-                      id:         ac-2.i.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(i)(3)
-                      prose: 
-                        """
-                          other attributes as required by the organization or associated
-                                               missions/business functions;
-                        """
-                - 
-                  id:         ac-2.j_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-2(j)
-                  parts: 
-                    - 
-                      id:         ac-2.j_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(j)[1]
-                      prose: 
-                        """
-                          defines the frequency to review accounts for compliance with account management
-                                               requirements;
-                        """
-                    - 
-                      id:         ac-2.j_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(j)[2]
-                      prose: 
-                        """
-                          reviews accounts for compliance with account management requirements with the
-                                               organization-defined frequency; and
-                        """
-                - 
-                  id:         ac-2.k_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-2(k)
-                  prose: 
-                    """
-                      establishes a process for reissuing shared/group account credentials (if deployed)
-                                        when individuals are removed from the group.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated
-                                        with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated
-                                        employees\n\nlist of recently disabled information system accounts along with the name of the
-                                        individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management
-          controls: 
-            - 
-              id:         ac-2.1
-              class:      SP800-53-enhancement
-              title:      Automated System Account Management
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(1)
-                - 
-                  name:  sort-id
-                  value: ac-02.01
-              parts: 
-                - 
-                  id:    ac-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to support the management of
-                                        information system accounts.
-                    """
-                - 
-                  id:    ac-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The use of automated mechanisms can include, for example: using email or text
-                                        messaging to automatically notify account managers when users are terminated or
-                                        transferred; using the information system to monitor account usage; and using
-                                        telephonic notification to report atypical system account usage.
-                    """
-                - 
-                  id:         ac-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to support the
-                                        management of information system accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.2
-              class:      SP800-53-enhancement
-              title:      Removal of Temporary / Emergency Accounts
-              parameters: 
-                - 
-                  id: ac-2.2_prm_1
-                - 
-                  id:          ac-2.2_prm_2
-                  label:       organization-defined time period for each type of account
-                  constraints: 
-                    - 
-                      detail: no more than 30 days for temporary and emergency account types
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-2(2)
-                - 
-                  name:  sort-id
-                  value: ac-02.02
-              parts: 
-                - 
-                  id:    ac-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system automatically {{ ac-2.2_prm_1 }} temporary
-                                        and emergency accounts after {{ ac-2.2_prm_2 }}.
-                    """
-                - 
-                  id:    ac-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement requires the removal of both temporary and emergency
-                                        accounts automatically after a predefined period of time has elapsed, rather than
-                                        at the convenience of the systems administrator.
-                    """
-                - 
-                  id:    ac-2.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(2)[1]
-                      prose: 
-                        """
-                          the organization defines the time period after which the information system
-                                               automatically removes or disables temporary and emergency accounts; and
-                        """
-                    - 
-                      id:         ac-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(2)[2]
-                      prose: 
-                        """
-                          the information system automatically removes or disables temporary and
-                                               emergency accounts after the organization-defined time period for each type of
-                                               account.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and/or
-                                               disabled\n\ninformation system-generated list of emergency accounts removed and/or
-                                               disabled\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.3
-              class:      SP800-53-enhancement
-              title:      Disable Inactive Accounts
-              parameters: 
-                - 
-                  id:          ac-2.3_prm_1
-                  label:       organization-defined time period
-                  constraints: 
-                    - 
-                      detail: 90 days for user accounts
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-2(3)
-                - 
-                  name:  sort-id
-                  value: ac-02.03
-              parts: 
-                - 
-                  id:    ac-2.3_smt
-                  name:  statement
-                  prose: The information system automatically disables inactive accounts after {{ ac-2.3_prm_1 }}.
-                - 
-                  id:    ac-2.3_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(3)[1]
-                      prose: 
-                        """
-                          the organization defines the time period after which the information system
-                                               automatically disables inactive accounts; and
-                        """
-                    - 
-                      id:         ac-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(3)[2]
-                      prose: 
-                        """
-                          the information system automatically disables inactive accounts after the
-                                               organization-defined time period.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and/or
-                                               disabled\n\ninformation system-generated list of emergency accounts removed and/or
-                                               disabled\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.4
-              class:      SP800-53-enhancement
-              title:      Automated Audit Actions
-              parameters: 
-                - 
-                  id:    ac-2.4_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(4)
-                - 
-                  name:  sort-id
-                  value: ac-02.04
-              parts: 
-                - 
-                  id:    ac-2.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system automatically audits account creation, modification,
-                                        enabling, disabling, and removal actions, and notifies {{ ac-2.4_prm_1 }}.
-                    """
-                - 
-                  id:    ac-2.4_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                - 
-                  id:    ac-2.4_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-2.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(4)[1]
-                      prose:      the information system automatically audits the following account actions:
-                      parts: 
-                        - 
-                          id:         ac-2.4_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][a]
-                          prose:      creation;
-                        - 
-                          id:         ac-2.4_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][b]
-                          prose:      modification;
-                        - 
-                          id:         ac-2.4_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][c]
-                          prose:      enabling;
-                        - 
-                          id:         ac-2.4_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][d]
-                          prose:      disabling;
-                        - 
-                          id:         ac-2.4_obj.1.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[1][e]
-                          prose:      removal;
-                    - 
-                      id:         ac-2.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(4)[2]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to be notified of the following
-                                               account actions:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-2.4_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][a]
-                          prose:      creation;
-                        - 
-                          id:         ac-2.4_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][b]
-                          prose:      modification;
-                        - 
-                          id:         ac-2.4_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][c]
-                          prose:      enabling;
-                        - 
-                          id:         ac-2.4_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][d]
-                          prose:      disabling;
-                        - 
-                          id:         ac-2.4_obj.2.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[2][e]
-                          prose:      removal;
-                    - 
-                      id:         ac-2.4_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(4)[3]
-                      prose: 
-                        """
-                          the information system notifies organization-defined personnel or roles of the
-                                               following account actions:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-2.4_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][a]
-                          prose:      creation;
-                        - 
-                          id:         ac-2.4_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][b]
-                          prose:      modification;
-                        - 
-                          id:         ac-2.4_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][c]
-                          prose:      enabling;
-                        - 
-                          id:         ac-2.4_obj.3.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][d]
-                          prose:      disabling; and
-                        - 
-                          id:         ac-2.4_obj.3.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-2(4)[3][e]
-                          prose:      removal.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nnotifications/alerts of account creation, modification, enabling, disabling,
-                                               and removal actions\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.5
-              class:      SP800-53-enhancement
-              title:      Inactivity Logout
-              parameters: 
-                - 
-                  id:    ac-2.5_prm_1
-                  label: 
-                    """
-                      organization-defined time-period of expected inactivity or description of when
-                                        to log out
-                    """
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-2(5)
-                - 
-                  name:  sort-id
-                  value: ac-02.05
-              parts: 
-                - 
-                  id:    ac-2.5_smt
-                  name:  statement
-                  prose: The organization requires that users log out when {{ ac-2.5_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    ac-2.5_fr
-                      name:  item
-                      title: AC-2 (5) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.5_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Should use a shorter timeframe than AC-12.
-                - 
-                  id:    ac-2.5_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #sc-23
-                      rel:  related
-                      text: SC-23
-                - 
-                  id:    ac-2.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-2.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(5)[1]
-                      prose: 
-                        """
-                          defines either the time period of expected inactivity that requires users to
-                                               log out or the description of when users are required to log out; and
-                        """
-                    - 
-                      id:         ac-2.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(5)[2]
-                      prose: 
-                        """
-                          requires that users log out when the organization-defined time period of
-                                               inactivity is reached or in accordance with organization-defined description of
-                                               when to log out.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity violation reports\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy
-            - 
-              id:         ac-2.7
-              class:      SP800-53-enhancement
-              title:      Role-based Schemes
-              parameters: 
-                - 
-                  id:    ac-2.7_prm_1
-                  label: organization-defined actions
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(7)
-                - 
-                  name:  sort-id
-                  value: ac-02.07
-              parts: 
-                - 
-                  id:    ac-2.7_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ac-2.7_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Establishes and administers privileged user accounts in accordance with a
-                                               role-based access scheme that organizes allowed information system access and
-                                               privileges into roles;
-                        """
-                    - 
-                      id:         ac-2.7_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Monitors privileged role assignments; and
-                    - 
-                      id:         ac-2.7_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          Takes {{ ac-2.7_prm_1 }} when privileged role assignments are no
-                                               longer appropriate.
-                        """
-                - 
-                  id:    ac-2.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Privileged roles are organization-defined roles assigned to individuals that allow
-                                        those individuals to perform certain security-relevant functions that ordinary
-                                        users are not authorized to perform. These privileged roles include, for example,
-                                        key management, account management, network and system administration, database
-                                        administration, and web administration.
-                    """
-                - 
-                  id:    ac-2.7_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-2.7.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(7)(a)
-                      prose: 
-                        """
-                          establishes and administers privileged user accounts in accordance with a
-                                               role-based access scheme that organizes allowed information system access and
-                                               privileges into roles;
-                        """
-                      links: 
-                        - 
-                          href: #ac-2.7_smt.a
-                          rel:  corresp
-                          text: AC-2(7)(a)
-                    - 
-                      id:         ac-2.7.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(7)(b)
-                      prose:      monitors privileged role assignments;
-                      links: 
-                        - 
-                          href: #ac-2.7_smt.b
-                          rel:  corresp
-                          text: AC-2(7)(b)
-                    - 
-                      id:         ac-2.7.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(7)(c)
-                      parts: 
-                        - 
-                          id:         ac-2.7.c_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-2(7)(c)[1]
-                          prose: 
-                            """
-                              defines actions to be taken when privileged role assignments are no longer
-                                                      appropriate; and
-                            """
-                        - 
-                          id:         ac-2.7.c_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-2(7)(c)[2]
-                          prose: 
-                            """
-                              takes organization-defined actions when privileged role assignments are no
-                                                      longer appropriate.
-                            """
-                      links: 
-                        - 
-                          href: #ac-2.7_smt.c
-                          rel:  corresp
-                          text: AC-2(7)(c)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of privileged user accounts and associated
-                                               role\n\nrecords of actions taken when privileged role assignments are no longer
-                                               appropriate\n\ninformation system audit records\n\naudit tracking and monitoring reports\n\ninformation system monitoring records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions\n\nautomated mechanisms monitoring privileged role assignments
-            - 
-              id:         ac-2.9
-              class:      SP800-53-enhancement
-              title:      Restrictions On Use of Shared / Group Accounts
-              parameters: 
-                - 
-                  id:    ac-2.9_prm_1
-                  label: organization-defined conditions for establishing shared/group accounts
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(9)
-                - 
-                  name:  sort-id
-                  value: ac-02.09
-              parts: 
-                - 
-                  id:    ac-2.9_smt
-                  name:  statement
-                  prose: The organization only permits the use of shared/group accounts that meet {{ ac-2.9_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    ac-2.9_fr
-                      name:  item
-                      title: AC-2 (9) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.9_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      Required if shared/group accounts are deployed
-                - 
-                  id:    ac-2.9_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-2.9_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-2(9)[1]
-                      prose:      defines conditions for establishing shared/group accounts; and
-                    - 
-                      id:         ac-2.9_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-2(9)[2]
-                      prose: 
-                        """
-                          only permits the use of shared/group accounts that meet organization-defined
-                                               conditions for establishing shared/group accounts.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of shared/group accounts and associated role\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing management of shared/group accounts
-            - 
-              id:         ac-2.10
-              class:      SP800-53-enhancement
-              title:      Shared / Group Account Credential Termination
-              properties: 
-                - 
-                  name:  label
-                  value: AC-2(10)
-                - 
-                  name:  sort-id
-                  value: ac-02.10
-              parts: 
-                - 
-                  id:    ac-2.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system terminates shared/group account credentials when members
-                                        leave the group.
-                    """
-                  parts: 
-                    - 
-                      id:    ac-2.10_fr
-                      name:  item
-                      title: AC-2 (10) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.10_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      Required if shared/group accounts are deployed
-                - 
-                  id:         ac-2.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system terminates shared/group account credentials
-                                        when members leave the group.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naccount access termination records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-            - 
-              id:         ac-2.12
-              class:      SP800-53-enhancement
-              title:      Account Monitoring / Atypical Usage
-              parameters: 
-                - 
-                  id:    ac-2.12_prm_1
-                  label: organization-defined atypical usage
-                - 
-                  id:    ac-2.12_prm_2
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-2(12)
-                - 
-                  name:  sort-id
-                  value: ac-02.12
-              parts: 
-                - 
-                  id:    ac-2.12_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ac-2.12_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Monitors information system accounts for {{ ac-2.12_prm_1 }};
-                                               and
-                        """
-                    - 
-                      id:         ac-2.12_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Reports atypical usage of information system accounts to {{ ac-2.12_prm_2 }}.
-                    - 
-                      id:    ac-2.12_fr
-                      name:  item
-                      title: AC-2 (12) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-2.12_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (a) Guidance:
-                          prose:      Required for privileged accounts.
-                        - 
-                          id:         ac-2.12_fr_gdn.2
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (b) Guidance:
-                          prose:      Required for privileged accounts.
-                - 
-                  id:    ac-2.12_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Atypical usage includes, for example, accessing information systems at certain
-                                        times of the day and from locations that are not consistent with the normal usage
-                                        patterns of individuals working in organizations.
-                    """
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                - 
-                  id:    ac-2.12_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-2.12.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(12)(a)
-                      parts: 
-                        - 
-                          id:         ac-2.12.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-2(12)(a)[1]
-                          prose:      defines atypical usage to be monitored for information system accounts;
-                        - 
-                          id:         ac-2.12.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-2(12)(a)[2]
-                          prose: 
-                            """
-                              monitors information system accounts for organization-defined atypical
-                                                      usage;
-                            """
-                      links: 
-                        - 
-                          href: #ac-2.12_smt.a
-                          rel:  corresp
-                          text: AC-2(12)(a)
-                    - 
-                      id:         ac-2.12.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-2(12)(b)
-                      parts: 
-                        - 
-                          id:         ac-2.12.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-2(12)(b)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to whom atypical usage of information system
-                                                      accounts are to be reported; and
-                            """
-                        - 
-                          id:         ac-2.12.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-2(12)(b)[2]
-                          prose: 
-                            """
-                              reports atypical usage of information system accounts to
-                                                      organization-defined personnel or roles.
-                            """
-                      links: 
-                        - 
-                          href: #ac-2.12_smt.b
-                          rel:  corresp
-                          text: AC-2(12)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\naudit tracking and monitoring reports\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing account management functions
-        - 
-          id:         ac-3
-          class:      SP800-53
-          title:      Access Enforcement
-          properties: 
-            - 
-              name:  label
-              value: AC-3
-            - 
-              name:  sort-id
-              value: ac-03
-          parts: 
-            - 
-              id:    ac-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system enforces approved authorizations for logical access to
-                                 information and system resources in accordance with applicable access control
-                                 policies.
-                """
-            - 
-              id:    ac-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Access control policies (e.g., identity-based policies, role-based policies, control
-                                 matrices, cryptography) control access between active entities or subjects (i.e.,
-                                 users or processes acting on behalf of users) and passive entities or objects (e.g.,
-                                 devices, files, records, domains) in information systems. In addition to enforcing
-                                 authorized access at the information system level and recognizing that information
-                                 systems can host many applications and services in support of organizational missions
-                                 and business operations, access enforcement mechanisms can also be employed at the
-                                 application and service level to provide increased information security.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-                - 
-                  href: #ac-22
-                  rel:  related
-                  text: AC-22
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-            - 
-              id:         ac-3_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system enforces approved authorizations for logical
-                                 access to information and system resources in accordance with applicable access
-                                 control policies.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing access control policy
-        - 
-          id:         ac-4
-          class:      SP800-53
-          title:      Information Flow Enforcement
-          parameters: 
-            - 
-              id:    ac-4_prm_1
-              label: organization-defined information flow control policies
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-4
-            - 
-              name:  sort-id
-              value: ac-04
-          parts: 
-            - 
-              id:    ac-4_smt
-              name:  statement
-              prose: 
-                """
-                  The information system enforces approved authorizations for controlling the flow of
-                                 information within the system and between interconnected systems based on {{ ac-4_prm_1 }}.
-                """
-            - 
-              id:    ac-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information flow control regulates where information is allowed to travel within an
-                                 information system and between information systems (as opposed to who is allowed to
-                                 access the information) and without explicit regard to subsequent accesses to that
-                                 information. Flow control restrictions include, for example, keeping
-                                 export-controlled information from being transmitted in the clear to the Internet,
-                                 blocking outside traffic that claims to be from within the organization, restricting
-                                 web requests to the Internet that are not from the internal web proxy server, and
-                                 limiting information transfers between organizations based on data structures and
-                                 content. Transferring information between information systems representing different
-                                 security domains with different security policies introduces risk that such transfers
-                                 violate one or more domain security policies. In such situations, information
-                                 owners/stewards provide guidance at designated policy enforcement points between
-                                 interconnected systems. Organizations consider mandating specific architectural
-                                 solutions when required to enforce specific security policies. Enforcement includes,
-                                 for example: (i) prohibiting information transfers between interconnected systems
-                                 (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way
-                                 information flows; and (iii) implementing trustworthy regrading mechanisms to
-                                 reassign security attributes and security labels. Organizations commonly employ
-                                 information flow control policies and enforcement mechanisms to control the flow of
-                                 information between designated sources and destinations (e.g., networks, individuals,
-                                 and devices) within information systems and between interconnected systems. Flow
-                                 control is based on the characteristics of the information and/or the information
-                                 path. Enforcement occurs, for example, in boundary protection devices (e.g.,
-                                 gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or
-                                 establish configuration settings that restrict information system services, provide a
-                                 packet-filtering capability based on header information, or message-filtering
-                                 capability based on message content (e.g., implementing key word searches or using
-                                 document characteristics). Organizations also consider the trustworthiness of
-                                 filtering/inspection mechanisms (i.e., hardware, firmware, and software components)
-                                 that are critical to information flow enforcement. Control enhancements 3 through 22
-                                 primarily address cross-domain solution needs which focus on more advanced filtering
-                                 techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented
-                                 in cross-domain products, for example, high-assurance guards. Such capabilities are
-                                 generally not available in commercial off-the-shelf information technology
-                                 products.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-18
-                  rel:  related
-                  text: SC-18
-            - 
-              id:    ac-4_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-4_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-4[1]
-                  prose: 
-                    """
-                      the organization defines information flow control policies to control the flow of
-                                        information within the system and between interconnected systems; and
-                    """
-                - 
-                  id:         ac-4_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-4[2]
-                  prose: 
-                    """
-                      the information system enforces approved authorizations for controlling the flow
-                                        of information within the system and between interconnected systems based on
-                                        organization-defined information flow control policies.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system baseline configuration\n\nlist of information flow authorizations\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing information flow enforcement policy
-          controls: 
-            - 
-              id:         ac-4.21
-              class:      SP800-53-enhancement
-              title:      Physical / Logical Separation of Information Flows
-              parameters: 
-                - 
-                  id:    ac-4.21_prm_1
-                  label: organization-defined mechanisms and/or techniques
-                - 
-                  id:    ac-4.21_prm_2
-                  label: organization-defined required separations by types of information
-              properties: 
-                - 
-                  name:  label
-                  value: AC-4(21)
-                - 
-                  name:  sort-id
-                  value: ac-04.21
-              parts: 
-                - 
-                  id:    ac-4.21_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system separates information flows logically or physically using
-                                           {{ ac-4.21_prm_1 }} to accomplish {{ ac-4.21_prm_2 }}.
-                    """
-                - 
-                  id:    ac-4.21_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Enforcing the separation of information flows by type can enhance protection by
-                                        ensuring that information is not commingled while in transit and by enabling flow
-                                        control by transmission paths perhaps not otherwise achievable. Types of separable
-                                        information include, for example, inbound and outbound communications traffic,
-                                        service requests and responses, and information of differing security
-                                        categories.
-                    """
-                - 
-                  id:    ac-4.21_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         ac-4.21_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-4(21)[1]
-                      prose: 
-                        """
-                          the organization defines the required separations of information flows by types
-                                               of information;
-                        """
-                    - 
-                      id:         ac-4.21_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-4(21)[2]
-                      prose: 
-                        """
-                          the organization defines the mechanisms and/or techniques to be used to
-                                               separate information flows logically or physically; and
-                        """
-                    - 
-                      id:         ac-4.21_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-4(21)[3]
-                      prose: 
-                        """
-                          the information system separates information flows logically or physically
-                                               using organization-defined mechanisms and/or techniques to accomplish
-                                               organization-defined required separations by types of information.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and/or techniques used to logically or physically separate
-                                               information flows\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing information flow enforcement functions
-        - 
-          id:         ac-5
-          class:      SP800-53
-          title:      Separation of Duties
-          parameters: 
-            - 
-              id:    ac-5_prm_1
-              label: organization-defined duties of individuals
-          properties: 
-            - 
-              name:  label
-              value: AC-5
-            - 
-              name:  sort-id
-              value: ac-05
-          parts: 
-            - 
-              id:    ac-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Separates {{ ac-5_prm_1 }};
-                - 
-                  id:         ac-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Documents separation of duties of individuals; and
-                - 
-                  id:         ac-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Defines information system access authorizations to support separation of
-                                        duties.
-                    """
-                - 
-                  id:    ac-5_fr
-                  name:  item
-                  title: AC-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ac.5_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.
-            - 
-              id:    ac-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Separation of duties addresses the potential for abuse of authorized privileges and
-                                 helps to reduce the risk of malevolent activity without collusion. Separation of
-                                 duties includes, for example: (i) dividing mission functions and information system
-                                 support functions among different individuals and/or roles; (ii) conducting
-                                 information system support functions with different individuals (e.g., system
-                                 management, programming, configuration management, quality assurance and testing, and
-                                 network security); and (iii) ensuring security personnel administering access control
-                                 functions do not also administer audit functions.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-            - 
-              id:    ac-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-5(a)
-                  parts: 
-                    - 
-                      id:         ac-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-5(a)[1]
-                      prose:      defines duties of individuals to be separated;
-                    - 
-                      id:         ac-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-5(a)[2]
-                      prose:      separates organization-defined duties of individuals;
-                - 
-                  id:         ac-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-5(b)
-                  prose:      documents separation of duties; and
-                - 
-                  id:         ac-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-5(c)
-                  prose: 
-                    """
-                      defines information system access authorizations to support separation of
-                                        duties.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\ninformation system configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\ninformation system access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for defining appropriate divisions
-                                        of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing separation of duties policy
-        - 
-          id:         ac-6
-          class:      SP800-53
-          title:      Least Privilege
-          properties: 
-            - 
-              name:  label
-              value: AC-6
-            - 
-              name:  sort-id
-              value: ac-06
-          parts: 
-            - 
-              id:    ac-6_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs the principle of least privilege, allowing only authorized
-                                 accesses for users (or processes acting on behalf of users) which are necessary to
-                                 accomplish assigned tasks in accordance with organizational missions and business
-                                 functions.
-                """
-            - 
-              id:    ac-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations employ least privilege for specific duties and information systems. The
-                                 principle of least privilege is also applied to information system processes,
-                                 ensuring that the processes operate at privilege levels no higher than necessary to
-                                 accomplish required organizational missions/business functions. Organizations
-                                 consider the creation of additional processes, roles, and information system accounts
-                                 as necessary, to achieve least privilege. Organizations also apply least privilege to
-                                 the development, implementation, and operation of organizational information
-                                 systems.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-5
-                  rel:  related
-                  text: AC-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-            - 
-              id:         ac-6_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization employs the principle of least privilege, allowing only
-                                 authorized access for users (and processes acting on behalf of users) which are
-                                 necessary to accomplish assigned tasks in accordance with organizational missions and
-                                 business functions. 
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for defining least privileges
-                                        necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing least privilege functions
-          controls: 
-            - 
-              id:         ac-6.1
-              class:      SP800-53-enhancement
-              title:      Authorize Access to Security Functions
-              parameters: 
-                - 
-                  id:    ac-6.1_prm_1
-                  label: 
-                    """
-                      organization-defined security functions (deployed in hardware, software, and
-                                        firmware) and security-relevant information
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(1)
-                - 
-                  name:  sort-id
-                  value: ac-06.01
-              parts: 
-                - 
-                  id:    ac-6.1_smt
-                  name:  statement
-                  prose: The organization explicitly authorizes access to {{ ac-6.1_prm_1 }}.
-                - 
-                  id:    ac-6.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Security functions include, for example, establishing system accounts, configuring
-                                        access authorizations (i.e., permissions, privileges), setting events to be
-                                        audited, and setting intrusion detection parameters. Security-relevant information
-                                        includes, for example, filtering rules for routers/firewalls, cryptographic key
-                                        management information, configuration parameters for security services, and access
-                                        control lists. Explicitly authorized personnel include, for example, security
-                                        administrators, system and network administrators, system security officers,
-                                        system maintenance personnel, system programmers, and other privileged users.
-                    """
-                  links: 
-                    - 
-                      href: #ac-17
-                      rel:  related
-                      text: AC-17
-                    - 
-                      href: #ac-18
-                      rel:  related
-                      text: AC-18
-                    - 
-                      href: #ac-19
-                      rel:  related
-                      text: AC-19
-                - 
-                  id:    ac-6.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ac-6.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(1)[1]
-                      prose: 
-                        """
-                          defines security-relevant information for which access must be explicitly
-                                               authorized;
-                        """
-                    - 
-                      id:         ac-6.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(1)[2]
-                      prose:      defines security functions deployed in:
-                      parts: 
-                        - 
-                          id:         ac-6.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[2][a]
-                          prose:      hardware;
-                        - 
-                          id:         ac-6.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[2][b]
-                          prose:      software;
-                        - 
-                          id:         ac-6.1_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[2][c]
-                          prose:      firmware;
-                    - 
-                      id:         ac-6.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(1)[3]
-                      prose:      explicitly authorizes access to:
-                      parts: 
-                        - 
-                          id:         ac-6.1_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[3][a]
-                          prose:      organization-defined security functions; and
-                        - 
-                          id:         ac-6.1_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-6(1)[3][b]
-                          prose:      security-relevant information.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and
-                                               security-relevant information for which access must be explicitly
-                                               authorized\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing least privilege functions
-            - 
-              id:         ac-6.2
-              class:      SP800-53-enhancement
-              title:      Non-privileged Access for Nonsecurity Functions
-              parameters: 
-                - 
-                  id:          ac-6.2_prm_1
-                  label: 
-                    """
-                      organization-defined security functions or security-relevant
-                                        information
-                    """
-                  constraints: 
-                    - 
-                      detail: all security functions
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(2)
-                - 
-                  name:  sort-id
-                  value: ac-06.02
-              parts: 
-                - 
-                  id:    ac-6.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires that users of information system accounts, or roles,
-                                        with access to {{ ac-6.2_prm_1 }}, use non-privileged accounts or
-                                        roles, when accessing nonsecurity functions.
-                    """
-                  parts: 
-                    - 
-                      id:    ac-6.2_fr
-                      name:  item
-                      title: AC-6 (2) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ac-6.2_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
-                - 
-                  id:    ac-6.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement limits exposure when operating from within privileged
-                                        accounts or roles. The inclusion of roles addresses situations where organizations
-                                        implement access control policies such as role-based access control and where a
-                                        change of role provides the same degree of assurance in the change of access
-                                        authorizations for both the user and all processes acting on behalf of the user as
-                                        would be provided by a change between a privileged and non-privileged account.
-                    """
-                  links: 
-                    - 
-                      href: #pl-4
-                      rel:  related
-                      text: PL-4
-                - 
-                  id:    ac-6.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-6.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(2)[1]
-                      prose: 
-                        """
-                          defines security functions or security-relevant information to which users of
-                                               information system accounts, or roles, have access; and
-                        """
-                    - 
-                      id:         ac-6.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(2)[2]
-                      prose: 
-                        """
-                          requires that users of information system accounts, or roles, with access to
-                                               organization-defined security functions or security-relevant information, use
-                                               non-privileged accounts, or roles, when accessing nonsecurity functions.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information
-                                               assigned to information system accounts or roles\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing least privilege functions
-            - 
-              id:         ac-6.5
-              class:      SP800-53-enhancement
-              title:      Privileged Accounts
-              parameters: 
-                - 
-                  id:    ac-6.5_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(5)
-                - 
-                  name:  sort-id
-                  value: ac-06.05
-              parts: 
-                - 
-                  id:    ac-6.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization restricts privileged accounts on the information system to
-                                           {{ ac-6.5_prm_1 }}.
-                    """
-                - 
-                  id:    ac-6.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Privileged accounts, including super user accounts, are typically described as
-                                        system administrator for various types of commercial off-the-shelf operating
-                                        systems. Restricting privileged accounts to specific personnel or roles prevents
-                                        day-to-day users from having access to privileged information/functions.
-                                        Organizations may differentiate in the application of this control enhancement
-                                        between allowed privileges for local accounts and for domain accounts provided
-                                        organizations retain the ability to control information system configurations for
-                                        key security parameters and as otherwise necessary to sufficiently mitigate
-                                        risk.
-                    """
-                  links: 
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                - 
-                  id:    ac-6.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-6.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-6(5)[1]
-                      prose: 
-                        """
-                          defines personnel or roles for which privileged accounts on the information
-                                               system are to be restricted; and
-                        """
-                    - 
-                      id:         ac-6.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-6(5)[2]
-                      prose: 
-                        """
-                          restricts privileged accounts on the information system to organization-defined
-                                               personnel or roles.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing least privilege functions
-            - 
-              id:         ac-6.9
-              class:      SP800-53-enhancement
-              title:      Auditing Use of Privileged Functions
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-6(9)
-                - 
-                  name:  sort-id
-                  value: ac-06.09
-              parts: 
-                - 
-                  id:    ac-6.9_smt
-                  name:  statement
-                  prose: The information system audits the execution of privileged functions.
-                - 
-                  id:    ac-6.9_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Misuse of privileged functions, either intentionally or unintentionally by
-                                        authorized users, or by unauthorized external entities that have compromised
-                                        information system accounts, is a serious and ongoing concern and can have
-                                        significant adverse impacts on organizations. Auditing the use of privileged
-                                        functions is one way to detect such misuse, and in doing so, help mitigate the
-                                        risk from insider threats and the advanced persistent threat (APT).
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                - 
-                  id:         ac-6.9_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system audits the execution of privileged functions.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for reviewing least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms auditing the execution of least privilege functions
-            - 
-              id:         ac-6.10
-              class:      SP800-53-enhancement
-              title:      Prohibit Non-privileged Users from Executing Privileged Functions
-              properties: 
-                - 
-                  name:  label
-                  value: AC-6(10)
-                - 
-                  name:  sort-id
-                  value: ac-06.10
-              parts: 
-                - 
-                  id:    ac-6.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system prevents non-privileged users from executing privileged
-                                        functions to include disabling, circumventing, or altering implemented security
-                                        safeguards/countermeasures.
-                    """
-                - 
-                  id:    ac-6.10_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Privileged functions include, for example, establishing information system
-                                        accounts, performing system integrity checks, or administering cryptographic key
-                                        management activities. Non-privileged users are individuals that do not possess
-                                        appropriate authorizations. Circumventing intrusion detection and prevention
-                                        mechanisms or malicious code protection mechanisms are examples of privileged
-                                        functions that require protection from non-privileged users.
-                    """
-                - 
-                  id:         ac-6.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system prevents non-privileged users from executing
-                                        privileged functions to include:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-6.10_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-6(10)[1]
-                      prose:      disabling implemented security safeguards/countermeasures;
-                    - 
-                      id:         ac-6.10_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-6(10)[2]
-                      prose:      circumventing security safeguards/countermeasures; or
-                    - 
-                      id:         ac-6.10_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-6(10)[3]
-                      prose:      altering implemented security safeguards/countermeasures.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for defining least privileges
-                                               necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing least privilege functions for non-privileged
-                                               users
-                        """
-        - 
-          id:         ac-7
-          class:      SP800-53
-          title:      Unsuccessful Logon Attempts
-          parameters: 
-            - 
-              id:          ac-7_prm_1
-              label:       organization-defined number
-              constraints: 
-                - 
-                  detail: not more than three (3)
-            - 
-              id:          ac-7_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: fifteen (15) minutes
-            - 
-              id: ac-7_prm_3
-            - 
-              id:          ac-7_prm_4
-              depends-on:  ac-7_prm_3
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: locks the account/node for thirty minutes
-            - 
-              id:         ac-7_prm_5
-              depends-on: ac-7_prm_3
-              label:      organization-defined delay algorithm
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-7
-            - 
-              name:  sort-id
-              value: ac-07
-          parts: 
-            - 
-              id:    ac-7_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Enforces a limit of {{ ac-7_prm_1 }} consecutive invalid logon
-                                        attempts by a user during a {{ ac-7_prm_2 }}; and
-                    """
-                - 
-                  id:         ac-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Automatically {{ ac-7_prm_3 }} when the maximum number of
-                                        unsuccessful attempts is exceeded.
-                    """
-            - 
-              id:    ac-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies regardless of whether the logon occurs via a local or network
-                                 connection. Due to the potential for denial of service, automatic lockouts initiated
-                                 by information systems are usually temporary and automatically release after a
-                                 predetermined time period established by organizations. If a delay algorithm is
-                                 selected, organizations may choose to employ different algorithms for different
-                                 information system components based on the capabilities of those components.
-                                 Responses to unsuccessful logon attempts may be implemented at both the operating
-                                 system and the application levels.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-9
-                  rel:  related
-                  text: AC-9
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-            - 
-              id:    ac-7_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         ac-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-7(a)
-                  parts: 
-                    - 
-                      id:         ac-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(a)[1]
-                      prose: 
-                        """
-                          the organization defines the number of consecutive invalid logon attempts
-                                               allowed to the information system by a user during an organization-defined time
-                                               period;
-                        """
-                    - 
-                      id:         ac-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(a)[2]
-                      prose: 
-                        """
-                          the organization defines the time period allowed by a user of the information
-                                               system for an organization-defined number of consecutive invalid logon
-                                               attempts;
-                        """
-                    - 
-                      id:         ac-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-7(a)[3]
-                      prose: 
-                        """
-                          the information system enforces a limit of organization-defined number of
-                                               consecutive invalid logon attempts by a user during an organization-defined
-                                               time period;
-                        """
-                - 
-                  id:         ac-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-7(b)
-                  parts: 
-                    - 
-                      id:         ac-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-7(b)[1]
-                      prose: 
-                        """
-                          the organization defines account/node lockout time period or logon delay
-                                               algorithm to be automatically enforced by the information system when the
-                                               maximum number of unsuccessful logon attempts is exceeded;
-                        """
-                    - 
-                      id:         ac-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-7(b)[2]
-                      prose: 
-                        """
-                          the information system, when the maximum number of unsuccessful logon attempts
-                                               is exceeded, automatically:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-7.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][a]
-                          prose:      locks the account/node for the organization-defined time period;
-                        - 
-                          id:         ac-7.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][b]
-                          prose:      locks the account/node until released by an administrator; or
-                        - 
-                          id:         ac-7.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-7(b)[2][c]
-                          prose: 
-                            """
-                              delays next logon prompt according to the organization-defined delay
-                                                      algorithm.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing access control policy for unsuccessful logon
-                                        attempts
-                    """
-        - 
-          id:         ac-8
-          class:      SP800-53
-          title:      System Use Notification
-          parameters: 
-            - 
-              id:          ac-8_prm_1
-              label:       organization-defined system use notification message or banner
-              constraints: 
-                - 
-                  detail: see additional Requirements and Guidance
-            - 
-              id:          ac-8_prm_2
-              label:       organization-defined conditions
-              constraints: 
-                - 
-                  detail: see additional Requirements and Guidance]
-          properties: 
-            - 
-              name:  label
-              value: AC-8
-            - 
-              name:  sort-id
-              value: ac-08
-          parts: 
-            - 
-              id:    ac-8_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Displays to users {{ ac-8_prm_1 }} before granting access to the
-                                        system that provides privacy and security notices consistent with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance and states that:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Users are accessing a U.S. Government information system;
-                    - 
-                      id:         ac-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Information system usage may be monitored, recorded, and subject to audit;
-                    - 
-                      id:         ac-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Unauthorized use of the information system is prohibited and subject to
-                                               criminal and civil penalties; and
-                        """
-                    - 
-                      id:         ac-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Use of the information system indicates consent to monitoring and
-                                               recording;
-                        """
-                - 
-                  id:         ac-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Retains the notification message or banner on the screen until users acknowledge
-                                        the usage conditions and take explicit actions to log on to or further access the
-                                        information system; and
-                    """
-                - 
-                  id:         ac-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      For publicly accessible systems:
-                  parts: 
-                    - 
-                      id:         ac-8_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Displays system use information {{ ac-8_prm_2 }}, before
-                                               granting further access;
-                        """
-                    - 
-                      id:         ac-8_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Displays references, if any, to monitoring, recording, or auditing that are
-                                               consistent with privacy accommodations for such systems that generally prohibit
-                                               those activities; and
-                        """
-                    - 
-                      id:         ac-8_smt.c.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      Includes a description of the authorized uses of the system.
-                - 
-                  id:    ac-8_fr
-                  name:  item
-                  title: AC-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ac-8_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-                    - 
-                      id:         ac-8_fr_smt.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-                    - 
-                      id:         ac-8_fr_smt.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
-            - 
-              id:    ac-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  System use notifications can be implemented using messages or warning banners
-                                 displayed before individuals log in to information systems. System use notifications
-                                 are used only for access via logon interfaces with human users and are not required
-                                 when such human interfaces do not exist. Organizations consider system use
-                                 notification messages/banners displayed in multiple languages based on specific
-                                 organizational needs and the demographics of information system users. Organizations
-                                 also consult with the Office of the General Counsel for legal review and approval of
-                                 warning banner content.
-                """
-            - 
-              id:    ac-8_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(a)
-                  parts: 
-                    - 
-                      id:         ac-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-8(a)[1]
-                      prose: 
-                        """
-                          the organization defines a system use notification message or banner to be
-                                               displayed by the information system to users before granting access to the
-                                               system;
-                        """
-                    - 
-                      id:         ac-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-8(a)[2]
-                      prose: 
-                        """
-                          the information system displays to users the organization-defined system use
-                                               notification message or banner before granting access to the information system
-                                               that provides privacy and security notices consistent with applicable federal
-                                               laws, Executive Orders, directives, policies, regulations, standards, and
-                                               guidance, and states that:
-                        """
-                      parts: 
-                        - 
-                          id:         ac-8.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](1)
-                          prose:      users are accessing a U.S. Government information system;
-                        - 
-                          id:         ac-8.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](2)
-                          prose: 
-                            """
-                              information system usage may be monitored, recorded, and subject to
-                                                      audit;
-                            """
-                        - 
-                          id:         ac-8.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](3)
-                          prose: 
-                            """
-                              unauthorized use of the information system is prohibited and subject to
-                                                      criminal and civil penalties;
-                            """
-                        - 
-                          id:         ac-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-8(a)[2](4)
-                          prose: 
-                            """
-                              use of the information system indicates consent to monitoring and
-                                                      recording;
-                            """
-                - 
-                  id:         ac-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-8(b)
-                  prose: 
-                    """
-                      the information system retains the notification message or banner on the screen
-                                        until users acknowledge the usage conditions and take explicit actions to log on
-                                        to or further access the information system;
-                    """
-                - 
-                  id:         ac-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-8(c)
-                  prose:      for publicly accessible systems:
-                  parts: 
-                    - 
-                      id:         ac-8.c.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-8(c)(1)
-                      parts: 
-                        - 
-                          id:         ac-8.c.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-8(c)(1)[1]
-                          prose: 
-                            """
-                              the organization defines conditions for system use to be displayed by the
-                                                      information system before granting further access;
-                            """
-                        - 
-                          id:         ac-8.c.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-8(c)(1)[2]
-                          prose: 
-                            """
-                              the information system displays organization-defined conditions before
-                                                      granting further access;
-                            """
-                    - 
-                      id:         ac-8.c.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-8(c)(2)
-                      prose: 
-                        """
-                          the information system displays references, if any, to monitoring, recording,
-                                               or auditing that are consistent with privacy accommodations for such systems
-                                               that generally prohibit those activities; and
-                        """
-                    - 
-                      id:         ac-8.c.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-8(c)(3)
-                      prose: 
-                        """
-                          the information system includes a description of the authorized uses of the
-                                               system.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing system use notification
-        - 
-          id:         ac-10
-          class:      SP800-53
-          title:      Concurrent Session Control
-          parameters: 
-            - 
-              id:    ac-10_prm_1
-              label: organization-defined account and/or account type
-            - 
-              id:          ac-10_prm_2
-              label:       organization-defined number
-              constraints: 
-                - 
-                  detail: three (3) sessions for privileged access and two (2) sessions for non-privileged access
-          properties: 
-            - 
-              name:  label
-              value: AC-10
-            - 
-              name:  sort-id
-              value: ac-10
-          parts: 
-            - 
-              id:    ac-10_smt
-              name:  statement
-              prose: The information system limits the number of concurrent sessions for each {{ ac-10_prm_1 }} to {{ ac-10_prm_2 }}.
-            - 
-              id:    ac-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations may define the maximum number of concurrent sessions for information
-                                 system accounts globally, by account type (e.g., privileged user, non-privileged
-                                 user, domain, specific application), by account, or a combination. For example,
-                                 organizations may limit the number of concurrent sessions for system administrators
-                                 or individuals working in particularly sensitive domains or mission-critical
-                                 applications. This control addresses concurrent sessions for information system
-                                 accounts and does not address concurrent sessions by single users via multiple system
-                                 accounts.
-                """
-            - 
-              id:    ac-10_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-10[1]
-                  prose: 
-                    """
-                      the organization defines account and/or account types for the information
-                                        system;
-                    """
-                - 
-                  id:         ac-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-10[2]
-                  prose: 
-                    """
-                      the organization defines the number of concurrent sessions to be allowed for each
-                                        organization-defined account and/or account type; and
-                    """
-                - 
-                  id:         ac-10_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-10[3]
-                  prose: 
-                    """
-                      the information system limits the number of concurrent sessions for each
-                                        organization-defined account and/or account type to the organization-defined
-                                        number of concurrent sessions allowed.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing concurrent session control\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing access control policy for concurrent session
-                                        control
-                    """
-        - 
-          id:         ac-11
-          class:      SP800-53
-          title:      Session Lock
-          parameters: 
-            - 
-              id:          ac-11_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: fifteen (15) minutes
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-11
-            - 
-              name:  sort-id
-              value: ac-11
-          links: 
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-          parts: 
-            - 
-              id:    ac-11_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         ac-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Prevents further access to the system by initiating a session lock after {{ ac-11_prm_1 }} of inactivity or upon receiving a request from a user;
-                                        and
-                    """
-                - 
-                  id:         ac-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Retains the session lock until the user reestablishes access using established
-                                        identification and authentication procedures.
-                    """
-            - 
-              id:    ac-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Session locks are temporary actions taken when users stop work and move away from the
-                                 immediate vicinity of information systems but do not want to log out because of the
-                                 temporary nature of their absences. Session locks are implemented where session
-                                 activities can be determined. This is typically at the operating system level, but
-                                 can also be at the application level. Session locks are not an acceptable substitute
-                                 for logging out of information systems, for example, if organizations require users
-                                 to log out at the end of workdays.
-                """
-              links: 
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-            - 
-              id:    ac-11_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-11(a)
-                  parts: 
-                    - 
-                      id:         ac-11.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-11(a)[1]
-                      prose: 
-                        """
-                          the organization defines the time period of user inactivity after which the
-                                               information system initiates a session lock;
-                        """
-                    - 
-                      id:         ac-11.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-11(a)[2]
-                      prose: 
-                        """
-                          the information system prevents further access to the system by initiating a
-                                               session lock after organization-defined time period of user inactivity or upon
-                                               receiving a request from a user; and
-                        """
-                - 
-                  id:         ac-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-11(b)
-                  prose: 
-                    """
-                      the information system retains the session lock until the user reestablishes
-                                        access using established identification and authentication procedures.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing access control policy for session lock
-          controls: 
-            - 
-              id:         ac-11.1
-              class:      SP800-53-enhancement
-              title:      Pattern-hiding Displays
-              properties: 
-                - 
-                  name:  label
-                  value: AC-11(1)
-                - 
-                  name:  sort-id
-                  value: ac-11.01
-              parts: 
-                - 
-                  id:    ac-11.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system conceals, via the session lock, information previously
-                                        visible on the display with a publicly viewable image.
-                    """
-                - 
-                  id:    ac-11.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Publicly viewable images can include static or dynamic images, for example,
-                                        patterns used with screen savers, photographic images, solid colors, clock,
-                                        battery life indicator, or a blank screen, with the additional caveat that none of
-                                        the images convey sensitive information.
-                    """
-                - 
-                  id:         ac-11.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system conceals, via the session lock, information
-                                        previously visible on the display with a publicly viewable image.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system session lock mechanisms
-        - 
-          id:         ac-12
-          class:      SP800-53
-          title:      Session Termination
-          parameters: 
-            - 
-              id:    ac-12_prm_1
-              label: 
-                """
-                  organization-defined conditions or trigger events requiring session
-                                 disconnect
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-12
-            - 
-              name:  sort-id
-              value: ac-12
-          parts: 
-            - 
-              id:    ac-12_smt
-              name:  statement
-              prose: The information system automatically terminates a user session after {{ ac-12_prm_1 }}.
-            - 
-              id:    ac-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the termination of user-initiated logical sessions in contrast
-                                 to SC-10 which addresses the termination of network connections that are associated
-                                 with communications sessions (i.e., network disconnect). A logical session (for
-                                 local, network, and remote access) is initiated whenever a user (or process acting on
-                                 behalf of a user) accesses an organizational information system. Such user sessions
-                                 can be terminated (and thus terminate user access) without terminating network
-                                 sessions. Session termination terminates all processes associated with a user’s
-                                 logical session except those processes that are specifically created by the user
-                                 (i.e., session owner) to continue after the session is terminated. Conditions or
-                                 trigger events requiring automatic session termination can include, for example,
-                                 organization-defined periods of user inactivity, targeted responses to certain types
-                                 of incidents, time-of-day restrictions on information system use.
-                """
-              links: 
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #sc-23
-                  rel:  related
-                  text: SC-23
-            - 
-              id:    ac-12_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         ac-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-12[1]
-                  prose: 
-                    """
-                      the organization defines conditions or trigger events requiring session
-                                        disconnect; and
-                    """
-                - 
-                  id:         ac-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-12[2]
-                  prose: 
-                    """
-                      the information system automatically terminates a user session after
-                                        organization-defined conditions or trigger events requiring session disconnect
-                                        occurs.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing session termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing user session termination
-        - 
-          id:         ac-14
-          class:      SP800-53
-          title:      Permitted Actions Without Identification or Authentication
-          parameters: 
-            - 
-              id:    ac-14_prm_1
-              label: organization-defined user actions
-          properties: 
-            - 
-              name:  label
-              value: AC-14
-            - 
-              name:  sort-id
-              value: ac-14
-          parts: 
-            - 
-              id:    ac-14_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-14_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifies {{ ac-14_prm_1 }} that can be performed on the
-                                        information system without identification or authentication consistent with
-                                        organizational missions/business functions; and
-                    """
-                - 
-                  id:         ac-14_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents and provides supporting rationale in the security plan for the
-                                        information system, user actions not requiring identification or
-                                        authentication.
-                    """
-            - 
-              id:    ac-14_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses situations in which organizations determine that no
-                                 identification or authentication is required in organizational information systems.
-                                 Organizations may allow a limited number of user actions without identification or
-                                 authentication including, for example, when individuals access public websites or
-                                 other publicly accessible federal information systems, when individuals use mobile
-                                 phones to receive calls, or when facsimiles are received. Organizations also identify
-                                 actions that normally require identification or authentication but may under certain
-                                 circumstances (e.g., emergencies), allow identification or authentication mechanisms
-                                 to be bypassed. Such bypasses may occur, for example, via a software-readable
-                                 physical switch that commands bypass of the logon functionality and is protected from
-                                 accidental or unmonitored use. This control does not apply to situations where
-                                 identification and authentication have already occurred and are not repeated, but
-                                 rather to situations where identification and authentication have not yet occurred.
-                                 Organizations may decide that there are no user actions that can be performed on
-                                 organizational information systems without identification and authentication and
-                                 thus, the values for assignment statements can be none.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-            - 
-              id:    ac-14_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-14.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-14(a)
-                  parts: 
-                    - 
-                      id:         ac-14.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-14(a)[1]
-                      prose: 
-                        """
-                          defines user actions that can be performed on the information system without
-                                               identification or authentication consistent with organizational
-                                               missions/business functions;
-                        """
-                    - 
-                      id:         ac-14.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AC-14(a)[2]
-                      prose: 
-                        """
-                          identifies organization-defined user actions that can be performed on the
-                                               information system without identification or authentication consistent with
-                                               organizational missions/business functions; and
-                        """
-                - 
-                  id:         ac-14.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-14(b)
-                  prose: 
-                    """
-                      documents and provides supporting rationale in the security plan for the
-                                        information system, user actions not requiring identification or
-                                        authentication.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing permitted actions without identification or
-                                        authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or
-                                        authentication\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ac-17
-          class:      SP800-53
-          title:      Remote Access
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-17
-            - 
-              name:  sort-id
-              value: ac-17
-          links: 
-            - 
-              href: #5309d4d0-46f8-4213-a749-e7584164e5e8
-              rel:  reference
-              text: NIST Special Publication 800-46
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-            - 
-              href: #349fe082-502d-464a-aa0c-1443c6a5cf40
-              rel:  reference
-              text: NIST Special Publication 800-113
-            - 
-              href: #1201fcf3-afb1-4675-915a-fb4ae0435717
-              rel:  reference
-              text: NIST Special Publication 800-114
-            - 
-              href: #d1a4e2a9-e512-4132-8795-5357aba29254
-              rel:  reference
-              text: NIST Special Publication 800-121
-          parts: 
-            - 
-              id:    ac-17_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-17_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and documents usage restrictions, configuration/connection
-                                        requirements, and implementation guidance for each type of remote access allowed;
-                                        and
-                    """
-                - 
-                  id:         ac-17_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes remote access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              id:    ac-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  Remote access is access to organizational information systems by users (or processes
-                                 acting on behalf of users) communicating through external networks (e.g., the
-                                 Internet). Remote access methods include, for example, dial-up, broadband, and
-                                 wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-                                 enhance confidentiality and integrity over remote connections. The use of encrypted
-                                 VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-                                 provisioned with appropriate security controls (e.g., employing appropriate
-                                 encryption techniques for confidentiality and integrity protection) may provide
-                                 sufficient assurance to the organization that it can effectively treat such
-                                 connections as internal networks. Still, VPN connections traverse external networks,
-                                 and the encrypted VPN does not enhance the availability of remote connections. Also,
-                                 VPNs with encrypted tunnels can affect the organizational capability to adequately
-                                 monitor network communications traffic for malicious code. Remote access controls
-                                 apply to information systems other than public web servers or systems designed for
-                                 public access. This control addresses authorization prior to allowing remote access
-                                 without specifying the formats for such authorization. While organizations may use
-                                 interconnection security agreements to authorize remote access connections, such
-                                 agreements are not required by this control. Enforcing access restrictions for remote
-                                 connections is addressed in AC-3.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #pe-17
-                  rel:  related
-                  text: PE-17
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-17_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-17.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-17(a)
-                  parts: 
-                    - 
-                      id:         ac-17.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[1]
-                      prose:      identifies the types of remote access allowed to the information system;
-                    - 
-                      id:         ac-17.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[2]
-                      prose:      establishes for each type of remote access allowed:
-                      parts: 
-                        - 
-                          id:         ac-17.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][a]
-                          prose:      usage restrictions;
-                        - 
-                          id:         ac-17.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][b]
-                          prose:      configuration/connection requirements;
-                        - 
-                          id:         ac-17.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[2][c]
-                          prose:      implementation guidance;
-                    - 
-                      id:         ac-17.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(a)[3]
-                      prose:      documents for each type of remote access allowed:
-                      parts: 
-                        - 
-                          id:         ac-17.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][a]
-                          prose:      usage restrictions;
-                        - 
-                          id:         ac-17.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][b]
-                          prose:      configuration/connection requirements;
-                        - 
-                          id:         ac-17.a_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AC-17(a)[3][c]
-                          prose:      implementation guidance; and
-                - 
-                  id:         ac-17.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-17(b)
-                  prose: 
-                    """
-                      authorizes remote access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing remote access implementation and usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing remote access
-                                        connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Remote access management capability for the information system
-          controls: 
-            - 
-              id:         ac-17.1
-              class:      SP800-53-enhancement
-              title:      Automated Monitoring / Control
-              properties: 
-                - 
-                  name:  label
-                  value: AC-17(1)
-                - 
-                  name:  sort-id
-                  value: ac-17.01
-              parts: 
-                - 
-                  id:    ac-17.1_smt
-                  name:  statement
-                  prose: The information system monitors and controls remote access methods.
-                - 
-                  id:    ac-17.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated monitoring and control of remote access sessions allows organizations to
-                                        detect cyber attacks and also ensure ongoing compliance with remote access
-                                        policies by auditing connection activities of remote users on a variety of
-                                        information system components (e.g., servers, workstations, notebook computers,
-                                        smart phones, and tablets).
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                - 
-                  id:         ac-17.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system monitors and controls remote access methods.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system monitoring records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms monitoring and controlling remote access methods
-            - 
-              id:         ac-17.2
-              class:      SP800-53-enhancement
-              title:      Protection of Confidentiality / Integrity Using Encryption
-              properties: 
-                - 
-                  name:  label
-                  value: AC-17(2)
-                - 
-                  name:  sort-id
-                  value: ac-17.02
-              parts: 
-                - 
-                  id:    ac-17.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to protect the
-                                        confidentiality and integrity of remote access sessions.
-                    """
-                - 
-                  id:    ac-17.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The encryption strength of mechanism is selected based on the security
-                                        categorization of the information.
-                    """
-                  links: 
-                    - 
-                      href: #sc-8
-                      rel:  related
-                      text: SC-8
-                    - 
-                      href: #sc-12
-                      rel:  related
-                      text: SC-12
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:         ac-17.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements cryptographic mechanisms to protect
-                                        the confidentiality and integrity of remote access sessions. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms protecting confidentiality and integrity of remote
-                                               access sessions
-                        """
-            - 
-              id:         ac-17.3
-              class:      SP800-53-enhancement
-              title:      Managed Access Control Points
-              parameters: 
-                - 
-                  id:    ac-17.3_prm_1
-                  label: organization-defined number
-              properties: 
-                - 
-                  name:  label
-                  value: AC-17(3)
-                - 
-                  name:  sort-id
-                  value: ac-17.03
-              parts: 
-                - 
-                  id:    ac-17.3_smt
-                  name:  statement
-                  prose: The information system routes all remote accesses through {{ ac-17.3_prm_1 }} managed network access control points.
-                - 
-                  id:    ac-17.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Limiting the number of access control points for remote accesses reduces the
-                                        attack surface for organizations. Organizations consider the Trusted Internet
-                                        Connections (TIC) initiative requirements for external network connections.
-                    """
-                  links: 
-                    - 
-                      href: #sc-7
-                      rel:  related
-                      text: SC-7
-                - 
-                  id:    ac-17.3_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ac-17.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(3)[1]
-                      prose: 
-                        """
-                          the organization defines the number of managed network access control points
-                                               through which all remote accesses are to be routed; and
-                        """
-                    - 
-                      id:         ac-17.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-17(3)[2]
-                      prose: 
-                        """
-                          the information system routes all remote accesses through the
-                                               organization-defined number of managed network access control points.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\nlist of all managed network access control points\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms routing all remote accesses through managed network access
-                                               control points
-                        """
-            - 
-              id:         ac-17.4
-              class:      SP800-53-enhancement
-              title:      Privileged Commands / Access
-              parameters: 
-                - 
-                  id:    ac-17.4_prm_1
-                  label: organization-defined needs
-              properties: 
-                - 
-                  name:  label
-                  value: AC-17(4)
-                - 
-                  name:  sort-id
-                  value: ac-17.04
-              parts: 
-                - 
-                  id:    ac-17.4_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ac-17.4_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Authorizes the execution of privileged commands and access to security-relevant
-                                               information via remote access only for {{ ac-17.4_prm_1 }};
-                                               and
-                        """
-                    - 
-                      id:         ac-17.4_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Documents the rationale for such access in the security plan for the
-                                               information system.
-                        """
-                - 
-                  id:    ac-17.4_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:    ac-17.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-17.4.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-17(4)(a)
-                      parts: 
-                        - 
-                          id:         ac-17.4.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AC-17(4)(a)[1]
-                          prose: 
-                            """
-                              defines needs to authorize the execution of privileged commands and access
-                                                      to security-relevant information via remote access;
-                            """
-                        - 
-                          id:         ac-17.4.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AC-17(4)(a)[2]
-                          prose: 
-                            """
-                              authorizes the execution of privileged commands and access to
-                                                      security-relevant information via remote access only for
-                                                      organization-defined needs; and
-                            """
-                      links: 
-                        - 
-                          href: #ac-17.4_smt.a
-                          rel:  corresp
-                          text: AC-17(4)(a)
-                    - 
-                      id:         ac-17.4.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(4)(b)
-                      prose: 
-                        """
-                          documents the rationale for such access in the information system security
-                                               plan.
-                        """
-                      links: 
-                        - 
-                          href: #ac-17.4_smt.b
-                          rel:  corresp
-                          text: AC-17(4)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing remote access management
-            - 
-              id:         ac-17.9
-              class:      SP800-53-enhancement
-              title:      Disconnect / Disable Access
-              parameters: 
-                - 
-                  id:          ac-17.9_prm_1
-                  label:       organization-defined time period
-                  constraints: 
-                    - 
-                      detail: fifteen 15 minutes
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-17(9)
-                - 
-                  name:  sort-id
-                  value: ac-17.09
-              parts: 
-                - 
-                  id:    ac-17.9_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization provides the capability to expeditiously disconnect or disable
-                                        remote access to the information system within {{ ac-17.9_prm_1 }}.
-                    """
-                - 
-                  id:    ac-17.9_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement requires organizations to have the capability to rapidly
-                                        disconnect current users remotely accessing the information system and/or disable
-                                        further remote access. The speed of disconnect or disablement varies based on the
-                                        criticality of missions/business functions and the need to eliminate immediate or
-                                        future remote access to organizational information systems.
-                    """
-                - 
-                  id:    ac-17.9_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-17.9_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-17(9)[1]
-                      prose: 
-                        """
-                          defines the time period within which to expeditiously disconnect or disable
-                                               remote access to the information system; and
-                        """
-                    - 
-                      id:         ac-17.9_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-17(9)[2]
-                      prose: 
-                        """
-                          provides the capability to expeditiously disconnect or disable remote access to
-                                               the information system within the organization-defined time period.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing disconnecting or disabling remote access to the
-                                               information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan, information system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing capability to disconnect or disable remote
-                                               access to information system
-                        """
-        - 
-          id:         ac-18
-          class:      SP800-53
-          title:      Wireless Access
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-18
-            - 
-              name:  sort-id
-              value: ac-18
-          links: 
-            - 
-              href: #238ed479-eccb-49f6-82ec-ab74a7a428cf
-              rel:  reference
-              text: NIST Special Publication 800-48
-            - 
-              href: #d1b1d689-0f66-4474-9924-c81119758dc1
-              rel:  reference
-              text: NIST Special Publication 800-94
-            - 
-              href: #6f336ecd-f2a0-4c84-9699-0491d81b6e0d
-              rel:  reference
-              text: NIST Special Publication 800-97
-          parts: 
-            - 
-              id:    ac-18_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-18_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions, configuration/connection requirements, and
-                                        implementation guidance for wireless access; and
-                    """
-                - 
-                  id:         ac-18_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes wireless access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              id:    ac-18_gdn
-              name:  guidance
-              prose: 
-                """
-                  Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-                                 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-                                 EAP/TLS, PEAP), which provide credential protection and mutual authentication.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-18_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-18.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-18(a)
-                  prose:      establishes for wireless access:
-                  parts: 
-                    - 
-                      id:         ac-18.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[1]
-                      prose:      usage restrictions;
-                    - 
-                      id:         ac-18.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[2]
-                      prose:      configuration/connection requirement;
-                    - 
-                      id:         ac-18.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(a)[3]
-                      prose:      implementation guidance; and
-                - 
-                  id:         ac-18.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-18(b)
-                  prose: 
-                    """
-                      authorizes wireless access to the information system prior to allowing such
-                                        connections.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing wireless access implementation and usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing wireless access
-                                        connections\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Wireless access management capability for the information system
-          controls: 
-            - 
-              id:         ac-18.1
-              class:      SP800-53-enhancement
-              title:      Authentication and Encryption
-              parameters: 
-                - 
-                  id: ac-18.1_prm_1
-              properties: 
-                - 
-                  name:  label
-                  value: AC-18(1)
-                - 
-                  name:  sort-id
-                  value: ac-18.01
-              parts: 
-                - 
-                  id:    ac-18.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system protects wireless access to the system using authentication
-                                        of {{ ac-18.1_prm_1 }} and encryption.
-                    """
-                - 
-                  id:    ac-18.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #sc-8
-                      rel:  related
-                      text: SC-8
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:         ac-18.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system protects wireless access to the system using
-                                        encryption and one or more of the following:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-18.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(1)[1]
-                      prose:      authentication of users; and/or
-                    - 
-                      id:         ac-18.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-18(1)[2]
-                      prose:      authentication of devices.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Access control policy\n\nprocedures addressing wireless implementation and usage (including
-                                               restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing wireless access protections to the
-                                               information system
-                        """
-        - 
-          id:         ac-19
-          class:      SP800-53
-          title:      Access Control for Mobile Devices
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-19
-            - 
-              name:  sort-id
-              value: ac-19
-          links: 
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-            - 
-              href: #1201fcf3-afb1-4675-915a-fb4ae0435717
-              rel:  reference
-              text: NIST Special Publication 800-114
-            - 
-              href: #0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589
-              rel:  reference
-              text: NIST Special Publication 800-124
-            - 
-              href: #6513e480-fada-4876-abba-1397084dfb26
-              rel:  reference
-              text: NIST Special Publication 800-164
-          parts: 
-            - 
-              id:    ac-19_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-19_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions, configuration requirements, connection
-                                        requirements, and implementation guidance for organization-controlled mobile
-                                        devices; and
-                    """
-                - 
-                  id:         ac-19_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes the connection of mobile devices to organizational information
-                                        systems.
-                    """
-            - 
-              id:    ac-19_gdn
-              name:  guidance
-              prose: 
-                """
-                  A mobile device is a computing device that: (i) has a small form factor such that it
-                                 can easily be carried by a single individual; (ii) is designed to operate without a
-                                 physical connection (e.g., wirelessly transmit or receive information); (iii)
-                                 possesses local, non-removable or removable data storage; and (iv) includes a
-                                 self-contained power source. Mobile devices may also include voice communication
-                                 capabilities, on-board sensors that allow the device to capture information, and/or
-                                 built-in features for synchronizing local data with remote locations. Examples
-                                 include smart phones, E-readers, and tablets. Mobile devices are typically associated
-                                 with a single individual and the device is usually in close proximity to the
-                                 individual; however, the degree of proximity can vary depending upon on the form
-                                 factor and size of the device. The processing, storage, and transmission capability
-                                 of the mobile device may be comparable to or merely a subset of desktop systems,
-                                 depending upon the nature and intended purpose of the device. Due to the large
-                                 variety of mobile devices with different technical characteristics and capabilities,
-                                 organizational restrictions may vary for the different classes/types of such devices.
-                                 Usage restrictions and specific implementation guidance for mobile devices include,
-                                 for example, configuration management, device identification and authentication,
-                                 implementation of mandatory protective software (e.g., malicious code detection,
-                                 firewall), scanning devices for malicious code, updating virus protection software,
-                                 scanning for critical software updates and patches, conducting primary operating
-                                 system (and possibly other resident software) integrity checks, and disabling
-                                 unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-                                 need to provide adequate security for mobile devices goes beyond the requirements in
-                                 this control. Many safeguards and countermeasures for mobile devices are reflected in
-                                 other security controls in the catalog allocated in the initial control baselines as
-                                 starting points for the development of security plans and overlays using the
-                                 tailoring process. There may also be some degree of overlap in the requirements
-                                 articulated by the security controls within the different families of controls. AC-20
-                                 addresses mobile devices that are not organization-controlled.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-9
-                  rel:  related
-                  text: CA-9
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-43
-                  rel:  related
-                  text: SC-43
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ac-19_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ac-19.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-19(a)
-                  prose:      establishes for organization-controlled mobile devices:
-                  parts: 
-                    - 
-                      id:         ac-19.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[1]
-                      prose:      usage restrictions;
-                    - 
-                      id:         ac-19.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[2]
-                      prose:      configuration/connection requirement;
-                    - 
-                      id:         ac-19.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-19(a)[3]
-                      prose:      implementation guidance; and
-                - 
-                  id:         ac-19.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-19(b)
-                  prose: 
-                    """
-                      authorizes the connection of mobile devices to organizational information
-                                        systems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing access control for mobile device usage (including
-                                        restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information
-                                        systems\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel using mobile devices to access organizational information
-                                        systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control capability authorizing mobile device connections to organizational
-                                        information systems
-                    """
-          controls: 
-            - 
-              id:         ac-19.5
-              class:      SP800-53-enhancement
-              title:      Full Device / Container-based Encryption
-              parameters: 
-                - 
-                  id: ac-19.5_prm_1
-                - 
-                  id:    ac-19.5_prm_2
-                  label: organization-defined mobile devices
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AC-19(5)
-                - 
-                  name:  sort-id
-                  value: ac-19.05
-              parts: 
-                - 
-                  id:    ac-19.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ ac-19.5_prm_1 }} to protect the
-                                        confidentiality and integrity of information on {{ ac-19.5_prm_2 }}.
-                    """
-                - 
-                  id:    ac-19.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Container-based encryption provides a more fine-grained approach to the encryption
-                                        of data/information on mobile devices, including for example, encrypting selected
-                                        data structures such as files, records, or fields.
-                    """
-                  links: 
-                    - 
-                      href: #mp-5
-                      rel:  related
-                      text: MP-5
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                    - 
-                      href: #sc-28
-                      rel:  related
-                      text: SC-28
-                - 
-                  id:    ac-19.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ac-19.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-19(5)[1]
-                      prose: 
-                        """
-                          defines mobile devices for which full-device encryption or container encryption
-                                               is required to protect the confidentiality and integrity of information on such
-                                               devices; and
-                        """
-                    - 
-                      id:         ac-19.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-19(5)[2]
-                      prose: 
-                        """
-                          employs full-device encryption or container encryption to protect the
-                                               confidentiality and integrity of information on organization-defined mobile
-                                               devices.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing access control for mobile devices\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nencryption mechanism s and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with access control responsibilities for mobile
-                                               devices\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Encryption mechanisms protecting confidentiality and integrity of information
-                                               on mobile devices
-                        """
-        - 
-          id:         ac-20
-          class:      SP800-53
-          title:      Use of External Information Systems
-          properties: 
-            - 
-              name:  label
-              value: AC-20
-            - 
-              name:  sort-id
-              value: ac-20
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-          parts: 
-            - 
-              id:    ac-20_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes terms and conditions, consistent with any trust
-                                 relationships established with other organizations owning, operating, and/or
-                                 maintaining external information systems, allowing authorized individuals to:
-                """
-              parts: 
-                - 
-                  id:         ac-20_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Access the information system from external information systems; and
-                - 
-                  id:         ac-20_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Process, store, or transmit organization-controlled information using external
-                                        information systems.
-                    """
-            - 
-              id:    ac-20_gdn
-              name:  guidance
-              prose: 
-                """
-                  External information systems are information systems or components of information
-                                 systems that are outside of the authorization boundary established by organizations
-                                 and for which organizations typically have no direct supervision and authority over
-                                 the application of required security controls or the assessment of control
-                                 effectiveness. External information systems include, for example: (i) personally
-                                 owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-                                 personal digital assistants); (ii) privately owned computing and communications
-                                 devices resident in commercial or public facilities (e.g., hotels, train stations,
-                                 convention centers, shopping malls, or airports); (iii) information systems owned or
-                                 controlled by nonfederal governmental organizations; and (iv) federal information
-                                 systems that are not owned by, operated by, or under the direct supervision and
-                                 authority of organizations. This control also addresses the use of external
-                                 information systems for the processing, storage, or transmission of organizational
-                                 information, including, for example, accessing cloud services (e.g., infrastructure
-                                 as a service, platform as a service, or software as a service) from organizational
-                                 information systems. For some external information systems (i.e., information systems
-                                 operated by other federal agencies, including organizations subordinate to those
-                                 agencies), the trust relationships that have been established between those
-                                 organizations and the originating organization may be such, that no explicit terms
-                                 and conditions are required. Information systems within these organizations would not
-                                 be considered external. These situations occur when, for example, there are
-                                 pre-existing sharing/trust agreements (either implicit or explicit) established
-                                 between federal agencies or organizations subordinate to those agencies, or when such
-                                 trust agreements are specified by applicable laws, Executive Orders, directives, or
-                                 policies. Authorized individuals include, for example, organizational personnel,
-                                 contractors, or other individuals with authorized access to organizational
-                                 information systems and over which organizations have the authority to impose rules
-                                 of behavior with regard to system access. Restrictions that organizations impose on
-                                 authorized individuals need not be uniform, as those restrictions may vary depending
-                                 upon the trust relationships between organizations. Therefore, organizations may
-                                 choose to impose different security restrictions on contractors than on state, local,
-                                 or tribal governments. This control does not apply to the use of external information
-                                 systems to access public interfaces to organizational information systems (e.g.,
-                                 individuals accessing federal information through www.usa.gov). Organizations
-                                 establish terms and conditions for the use of external information systems in
-                                 accordance with organizational security policies and procedures. Terms and conditions
-                                 address as a minimum: types of applications that can be accessed on organizational
-                                 information systems from external information systems; and the highest security
-                                 category of information that can be processed, stored, or transmitted on external
-                                 information systems. If terms and conditions with the owners of external information
-                                 systems cannot be established, organizations may impose restrictions on
-                                 organizational personnel using those external systems.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-            - 
-              id:    ac-20_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization establishes terms and conditions, consistent with any
-                                 trust relationships established with other organizations owning, operating, and/or
-                                 maintaining external information systems, allowing authorized individuals to: 
-                """
-              parts: 
-                - 
-                  id:         ac-20.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-20(a)
-                  prose:      access the information system from the external information systems; and
-                - 
-                  id:         ac-20.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-20(b)
-                  prose: 
-                    """
-                      process, store, or transmit organization-controlled information using external
-                                        information systems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted
-                                        on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for defining terms and conditions
-                                        for use of external information systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing terms and conditions on use of external
-                                        information systems
-                    """
-          controls: 
-            - 
-              id:         ac-20.1
-              class:      SP800-53-enhancement
-              title:      Limits On Authorized Use
-              properties: 
-                - 
-                  name:  label
-                  value: AC-20(1)
-                - 
-                  name:  sort-id
-                  value: ac-20.01
-              parts: 
-                - 
-                  id:    ac-20.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization permits authorized individuals to use an external information
-                                        system to access the information system or to process, store, or transmit
-                                        organization-controlled information only when the organization:
-                    """
-                  parts: 
-                    - 
-                      id:         ac-20.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Verifies the implementation of required security controls on the external
-                                               system as specified in the organization’s information security policy and
-                                               security plan; or
-                        """
-                    - 
-                      id:         ac-20.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Retains approved information system connection or processing agreements with
-                                               the organizational entity hosting the external information system.
-                        """
-                - 
-                  id:    ac-20.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement recognizes that there are circumstances where individuals
-                                        using external information systems (e.g., contractors, coalition partners) need to
-                                        access organizational information systems. In those situations, organizations need
-                                        confidence that the external information systems contain the necessary security
-                                        safeguards (i.e., security controls), so as not to compromise, damage, or
-                                        otherwise harm organizational information systems. Verification that the required
-                                        security controls have been implemented can be achieved, for example, by
-                                        third-party, independent assessments, attestations, or other means, depending on
-                                        the confidence level required by organizations.
-                    """
-                  links: 
-                    - 
-                      href: #ca-2
-                      rel:  related
-                      text: CA-2
-                - 
-                  id:         ac-20.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization permits authorized individuals to use an external
-                                        information system to access the information system or to process, store, or
-                                        transmit organization-controlled information only when the organization: 
-                    """
-                  parts: 
-                    - 
-                      id:         ac-20.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-20(1)(a)
-                      prose: 
-                        """
-                          verifies the implementation of required security controls on the external
-                                               system as specified in the organization’s information security policy and
-                                               security plan; or
-                        """
-                      links: 
-                        - 
-                          href: #ac-20.1_smt.a
-                          rel:  corresp
-                          text: AC-20(1)(a)
-                    - 
-                      id:         ac-20.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AC-20(1)(b)
-                      prose: 
-                        """
-                          retains approved information system connection or processing agreements with
-                                               the organizational entity hosting the external information system.
-                        """
-                      links: 
-                        - 
-                          href: #ac-20.1_smt.b
-                          rel:  corresp
-                          text: AC-20(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing limits on use of external information
-                                               systems
-                        """
-            - 
-              id:         ac-20.2
-              class:      SP800-53-enhancement
-              title:      Portable Storage Devices
-              parameters: 
-                - 
-                  id: ac-20.2_prm_1
-              properties: 
-                - 
-                  name:  label
-                  value: AC-20(2)
-                - 
-                  name:  sort-id
-                  value: ac-20.02
-              parts: 
-                - 
-                  id:    ac-20.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization {{ ac-20.2_prm_1 }} the use of
-                                        organization-controlled portable storage devices by authorized individuals on
-                                        external information systems.
-                    """
-                - 
-                  id:    ac-20.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Limits on the use of organization-controlled portable storage devices in external
-                                        information systems include, for example, complete prohibition of the use of such
-                                        devices or restrictions on how the devices may be used and under what conditions
-                                        the devices may be used.
-                    """
-                - 
-                  id:         ac-20.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization restricts or prohibits the use of
-                                        organization-controlled portable storage devices by authorized individuals on
-                                        external information systems. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for restricting or prohibiting
-                                               use of organization-controlled storage devices on external information
-                                               systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing restrictions on use of portable storage
-                                               devices
-                        """
-        - 
-          id:         ac-21
-          class:      SP800-53
-          title:      Information Sharing
-          parameters: 
-            - 
-              id:    ac-21_prm_1
-              label: 
-                """
-                  organization-defined information sharing circumstances where user discretion is
-                                 required
-                """
-            - 
-              id:    ac-21_prm_2
-              label: organization-defined automated mechanisms or manual processes
-          properties: 
-            - 
-              name:  label
-              value: AC-21
-            - 
-              name:  sort-id
-              value: ac-21
-          parts: 
-            - 
-              id:    ac-21_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-21_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Facilitates information sharing by enabling authorized users to determine whether
-                                        access authorizations assigned to the sharing partner match the access
-                                        restrictions on the information for {{ ac-21_prm_1 }}; and
-                    """
-                - 
-                  id:         ac-21_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs {{ ac-21_prm_2 }} to assist users in making information
-                                        sharing/collaboration decisions.
-                    """
-            - 
-              id:    ac-21_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to information that may be restricted in some manner (e.g.,
-                                 privileged medical information, contract-sensitive information, proprietary
-                                 information, personally identifiable information, classified information related to
-                                 special access programs or compartments) based on some formal or administrative
-                                 determination. Depending on the particular information-sharing circumstances, sharing
-                                 partners may be defined at the individual, group, or organizational level.
-                                 Information may be defined by content, type, security category, or special access
-                                 program/compartment.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-            - 
-              id:    ac-21_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ac-21.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-21(a)
-                  parts: 
-                    - 
-                      id:         ac-21.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-21(a)[1]
-                      prose: 
-                        """
-                          defines information sharing circumstances where user discretion is
-                                               required;
-                        """
-                    - 
-                      id:         ac-21.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-21(a)[2]
-                      prose: 
-                        """
-                          facilitates information sharing by enabling authorized users to determine
-                                               whether access authorizations assigned to the sharing partner match the access
-                                               restrictions on the information for organization-defined information sharing
-                                               circumstances;
-                        """
-                - 
-                  id:         ac-21.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-21(b)
-                  parts: 
-                    - 
-                      id:         ac-21.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-21(b)[1]
-                      prose: 
-                        """
-                          defines automated mechanisms or manual processes to be employed to assist users
-                                               in making information sharing/collaboration decisions; and
-                        """
-                    - 
-                      id:         ac-21.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-21(b)[2]
-                      prose: 
-                        """
-                          employs organization-defined automated mechanisms or manual processes to assist
-                                               users in making information sharing/collaboration decisions.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including
-                                        restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of users authorized to make information sharing/collaboration decisions\n\nlist of information sharing circumstances requiring user discretion\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel responsible for making information sharing/collaboration
-                                        decisions\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms or manual process implementing access authorizations
-                                        supporting information sharing/user collaboration decisions
-                    """
-        - 
-          id:         ac-22
-          class:      SP800-53
-          title:      Publicly Accessible Content
-          parameters: 
-            - 
-              id:          ac-22_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least quarterly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AC-22
-            - 
-              name:  sort-id
-              value: ac-22
-          parts: 
-            - 
-              id:    ac-22_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ac-22_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Designates individuals authorized to post information onto a publicly accessible
-                                        information system;
-                    """
-                - 
-                  id:         ac-22_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Trains authorized individuals to ensure that publicly accessible information does
-                                        not contain nonpublic information;
-                    """
-                - 
-                  id:         ac-22_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Reviews the proposed content of information prior to posting onto the publicly
-                                        accessible information system to ensure that nonpublic information is not
-                                        included; and
-                    """
-                - 
-                  id:         ac-22_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Reviews the content on the publicly accessible information system for nonpublic
-                                        information {{ ac-22_prm_1 }} and removes such information, if
-                                        discovered.
-                    """
-            - 
-              id:    ac-22_gdn
-              name:  guidance
-              prose: 
-                """
-                  In accordance with federal laws, Executive Orders, directives, policies, regulations,
-                                 standards, and/or guidance, the general public is not authorized access to nonpublic
-                                 information (e.g., information protected under the Privacy Act and proprietary
-                                 information). This control addresses information systems that are controlled by the
-                                 organization and accessible to the general public, typically without identification
-                                 or authentication. The posting of information on non-organization information systems
-                                 is covered by organizational policy.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #au-13
-                  rel:  related
-                  text: AU-13
-            - 
-              id:    ac-22_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ac-22.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AC-22(a)
-                  prose: 
-                    """
-                      designates individuals authorized to post information onto a publicly accessible
-                                        information system;
-                    """
-                - 
-                  id:         ac-22.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-22(b)
-                  prose: 
-                    """
-                      trains authorized individuals to ensure that publicly accessible information does
-                                        not contain nonpublic information;
-                    """
-                - 
-                  id:         ac-22.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AC-22(c)
-                  prose: 
-                    """
-                      reviews the proposed content of information prior to posting onto the publicly
-                                        accessible information system to ensure that nonpublic information is not
-                                        included;
-                    """
-                - 
-                  id:         ac-22.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AC-22(d)
-                  parts: 
-                    - 
-                      id:         ac-22.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AC-22(d)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the content on the publicly accessible
-                                               information system for nonpublic information;
-                        """
-                    - 
-                      id:         ac-22.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-22(d)[2]
-                      prose: 
-                        """
-                          reviews the content on the publicly accessible information system for nonpublic
-                                               information with the organization-defined frequency; and
-                        """
-                    - 
-                      id:         ac-22.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AC-22(d)[3]
-                      prose: 
-                        """
-                          removes nonpublic information from the publicly accessible information system,
-                                               if discovered.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational
-                                        information systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for managing publicly accessible
-                                        information posted on organizational information systems\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing management of publicly accessible content
-    - 
-      id:       at
-      class:    family
-      title:    Awareness and Training
-      controls: 
-        - 
-          id:         at-1
-          class:      SP800-53
-          title:      Security Awareness and Training Policy and Procedures
-          parameters: 
-            - 
-              id:    at-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          at-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          at-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-1
-            - 
-              name:  sort-id
-              value: at-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    at-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         at-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ at-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         at-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security awareness and training policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         at-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security awareness and
-                                               training policy and associated security awareness and training controls;
-                                               and
-                        """
-                - 
-                  id:         at-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         at-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security awareness and training policy {{ at-1_prm_2 }}; and
-                    - 
-                      id:         at-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security awareness and training procedures {{ at-1_prm_3 }}.
-            - 
-              id:    at-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AT
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    at-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-1(a)
-                  parts: 
-                    - 
-                      id:         at-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(a)(1)
-                      parts: 
-                        - 
-                          id:         at-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an security awareness and training policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         at-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         at-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         at-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         at-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         at-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         at-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         at-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AT-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         at-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the security awareness and training
-                                                      policy are to be disseminated;
-                            """
-                        - 
-                          id:         at-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AT-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the security awareness and training policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         at-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(a)(2)
-                      parts: 
-                        - 
-                          id:         at-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      security awareness and training policy and associated awareness and training
-                                                      controls;
-                            """
-                        - 
-                          id:         at-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         at-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AT-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         at-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-1(b)
-                  parts: 
-                    - 
-                      id:         at-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(b)(1)
-                      parts: 
-                        - 
-                          id:         at-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security awareness
-                                                      and training policy;
-                            """
-                        - 
-                          id:         at-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security awareness and training policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         at-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AT-1(b)(2)
-                      parts: 
-                        - 
-                          id:         at-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security awareness
-                                                      and training procedures; and
-                            """
-                        - 
-                          id:         at-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AT-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security awareness and training procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         at-2
-          class:      SP800-53
-          title:      Security Awareness Training
-          parameters: 
-            - 
-              id:          at-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-2
-            - 
-              name:  sort-id
-              value: at-02
-          links: 
-            - 
-              href: #bb61234b-46c3-4211-8c2b-9869222a720d
-              rel:  reference
-              text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    at-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides basic security awareness training to information system
-                                 users (including managers, senior executives, and contractors):
-                """
-              parts: 
-                - 
-                  id:         at-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      As part of initial training for new users;
-                - 
-                  id:         at-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         at-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ at-2_prm_1 }} thereafter.
-                    """
-            - 
-              id:    at-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the appropriate content of security awareness training and
-                                 security awareness techniques based on the specific organizational requirements and
-                                 the information systems to which personnel have authorized access. The content
-                                 includes a basic understanding of the need for information security and user actions
-                                 to maintain security and to respond to suspected security incidents. The content also
-                                 addresses awareness of the need for operations security. Security awareness
-                                 techniques can include, for example, displaying posters, offering supplies inscribed
-                                 with security reminders, generating email advisories/notices from senior
-                                 organizational officials, displaying logon screen messages, and conducting
-                                 information security awareness events.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #at-4
-                  rel:  related
-                  text: AT-4
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    at-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-2(a)
-                  prose: 
-                    """
-                      provides basic security awareness training to information system users (including
-                                        managers, senior executives, and contractors) as part of initial training for new
-                                        users;
-                    """
-                - 
-                  id:         at-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-2(b)
-                  prose: 
-                    """
-                      provides basic security awareness training to information system users (including
-                                        managers, senior executives, and contractors) when required by information system
-                                        changes; and
-                    """
-                - 
-                  id:         at-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-2(c)
-                  parts: 
-                    - 
-                      id:         at-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher security awareness training
-                                               thereafter to information system users (including managers, senior executives,
-                                               and contractors); and
-                        """
-                    - 
-                      id:         at-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-2(c)[2]
-                      prose: 
-                        """
-                          provides refresher security awareness training to information users (including
-                                               managers, senior executives, and contractors) with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user
-                                        community
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms managing security awareness training
-          controls: 
-            - 
-              id:         at-2.2
-              class:      SP800-53-enhancement
-              title:      Insider Threat
-              properties: 
-                - 
-                  name:  label
-                  value: AT-2(2)
-                - 
-                  name:  sort-id
-                  value: at-02.02
-              parts: 
-                - 
-                  id:    at-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization includes security awareness training on recognizing and reporting
-                                        potential indicators of insider threat.
-                    """
-                - 
-                  id:    at-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Potential indicators and possible precursors of insider threat can include
-                                        behaviors such as inordinate, long-term job dissatisfaction, attempts to gain
-                                        access to information not required for job performance, unexplained access to
-                                        financial resources, bullying or sexual harassment of fellow employees, workplace
-                                        violence, and other serious violations of organizational policies, procedures,
-                                        directives, rules, or practices. Security awareness training includes how to
-                                        communicate employee and management concerns regarding potential indicators of
-                                        insider threat through appropriate organizational channels in accordance with
-                                        established organizational policies and procedures.
-                    """
-                  links: 
-                    - 
-                      href: #pl-4
-                      rel:  related
-                      text: PL-4
-                    - 
-                      href: #pm-12
-                      rel:  related
-                      text: PM-12
-                    - 
-                      href: #ps-3
-                      rel:  related
-                      text: PS-3
-                    - 
-                      href: #ps-6
-                      rel:  related
-                      text: PS-6
-                - 
-                  id:         at-2.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization includes security awareness training on recognizing
-                                        and reporting potential indicators of insider threat. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel that participate in security awareness training\n\norganizational personnel with responsibilities for basic security awareness
-                                               training\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         at-3
-          class:      SP800-53
-          title:      Role-based Security Training
-          parameters: 
-            - 
-              id:          at-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-3
-            - 
-              name:  sort-id
-              value: at-03
-          links: 
-            - 
-              href: #bb61234b-46c3-4211-8c2b-9869222a720d
-              rel:  reference
-              text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    at-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides role-based security training to personnel with assigned
-                                 security roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         at-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Before authorizing access to the information system or performing assigned
-                                        duties;
-                    """
-                - 
-                  id:         at-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         at-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ at-3_prm_1 }} thereafter.
-                    """
-            - 
-              id:    at-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the appropriate content of security training based on the
-                                 assigned roles and responsibilities of individuals and the specific security
-                                 requirements of organizations and the information systems to which personnel have
-                                 authorized access. In addition, organizations provide enterprise architects,
-                                 information system developers, software developers, acquisition/procurement
-                                 officials, information system managers, system/network administrators, personnel
-                                 conducting configuration management and auditing activities, personnel performing
-                                 independent verification and validation activities, security control assessors, and
-                                 other personnel having access to system-level software, adequate security-related
-                                 technical training specifically tailored for their assigned duties. Comprehensive
-                                 role-based training addresses management, operational, and technical roles and
-                                 responsibilities covering physical, personnel, and technical safeguards and
-                                 countermeasures. Such training can include for example, policies, procedures, tools,
-                                 and artifacts for the organizational security roles defined. Organizations also
-                                 provide the training necessary for individuals to carry out their responsibilities
-                                 related to operations and supply chain security within the context of organizational
-                                 information security programs. Role-based security training also applies to
-                                 contractors providing services to federal agencies.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-4
-                  rel:  related
-                  text: AT-4
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sa-16
-                  rel:  related
-                  text: SA-16
-            - 
-              id:    at-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-3(a)
-                  prose: 
-                    """
-                      provides role-based security training to personnel with assigned security roles
-                                        and responsibilities before authorizing access to the information system or
-                                        performing assigned duties;
-                    """
-                - 
-                  id:         at-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AT-3(b)
-                  prose: 
-                    """
-                      provides role-based security training to personnel with assigned security roles
-                                        and responsibilities when required by information system changes; and
-                    """
-                - 
-                  id:         at-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-3(c)
-                  parts: 
-                    - 
-                      id:         at-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-3(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher role-based security training
-                                               thereafter to personnel with assigned security roles and responsibilities;
-                                               and
-                        """
-                    - 
-                      id:         at-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-3(c)[2]
-                      prose: 
-                        """
-                          provides refresher role-based security training to personnel with assigned
-                                               security roles and responsibilities with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for role-based security
-                                        training\n\norganizational personnel with assigned information system security roles and
-                                        responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms managing role-based security training
-        - 
-          id:         at-4
-          class:      SP800-53
-          title:      Security Training Records
-          parameters: 
-            - 
-              id:          at-4_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: At least one year
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AT-4
-            - 
-              name:  sort-id
-              value: at-04
-          parts: 
-            - 
-              id:    at-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         at-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Documents and monitors individual information system security training activities
-                                        including basic security awareness training and specific information system
-                                        security training; and
-                    """
-                - 
-                  id:         at-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Retains individual training records for {{ at-4_prm_1 }}.
-            - 
-              id:    at-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Documentation for specialized training may be maintained by individual supervisors at
-                                 the option of the organization.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pm-14
-                  rel:  related
-                  text: PM-14
-            - 
-              id:    at-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         at-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-4(a)
-                  parts: 
-                    - 
-                      id:         at-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-4(a)[1]
-                      prose: 
-                        """
-                          documents individual information system security training activities
-                                               including:
-                        """
-                      parts: 
-                        - 
-                          id:         at-4.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[1][a]
-                          prose:      basic security awareness training;
-                        - 
-                          id:         at-4.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[1][b]
-                          prose:      specific role-based information system security training;
-                    - 
-                      id:         at-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-4(a)[2]
-                      prose: 
-                        """
-                          monitors individual information system security training activities
-                                               including:
-                        """
-                      parts: 
-                        - 
-                          id:         at-4.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[2][a]
-                          prose:      basic security awareness training;
-                        - 
-                          id:         at-4.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AT-4(a)[2][b]
-                          prose:      specific role-based information system security training;
-                - 
-                  id:         at-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AT-4(b)
-                  parts: 
-                    - 
-                      id:         at-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AT-4(b)[1]
-                      prose:      defines a time period to retain individual training records; and
-                    - 
-                      id:         at-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AT-4(b)[2]
-                      prose: 
-                        """
-                          retains individual training records for the organization-defined time
-                                               period.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security training record retention
-                                        responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting management of security training records
-    - 
-      id:       au
-      class:    family
-      title:    Audit and Accountability
-      controls: 
-        - 
-          id:         au-1
-          class:      SP800-53
-          title:      Audit and Accountability Policy and Procedures
-          parameters: 
-            - 
-              id:    au-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          au-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          au-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-1
-            - 
-              name:  sort-id
-              value: au-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    au-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ au-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         au-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An audit and accountability policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         au-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the audit and accountability
-                                               policy and associated audit and accountability controls; and
-                        """
-                - 
-                  id:         au-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         au-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Audit and accountability policy {{ au-1_prm_2 }}; and
-                    - 
-                      id:         au-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Audit and accountability procedures {{ au-1_prm_3 }}.
-            - 
-              id:    au-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the AU
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    au-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-1(a)
-                  parts: 
-                    - 
-                      id:         au-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(a)(1)
-                      parts: 
-                        - 
-                          id:         au-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an audit and accountability policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         au-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         au-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         au-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         au-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         au-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         au-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         au-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: AU-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         au-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the audit and accountability policy are
-                                                      to be disseminated;
-                            """
-                        - 
-                          id:         au-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AU-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the audit and accountability policy to organization-defined
-                                                      personnel or roles;
-                            """
-                    - 
-                      id:         au-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(a)(2)
-                      parts: 
-                        - 
-                          id:         au-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      audit and accountability policy and associated audit and accountability
-                                                      controls;
-                            """
-                        - 
-                          id:         au-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         au-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: AU-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         au-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-1(b)
-                  parts: 
-                    - 
-                      id:         au-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(b)(1)
-                      parts: 
-                        - 
-                          id:         au-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current audit and
-                                                      accountability policy;
-                            """
-                        - 
-                          id:         au-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current audit and accountability policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         au-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-1(b)(2)
-                      parts: 
-                        - 
-                          id:         au-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current audit and
-                                                      accountability procedures; and
-                            """
-                        - 
-                          id:         au-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current audit and accountability procedures in
-                                                      accordance with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         au-2
-          class:      SP800-53
-          title:      Audit Events
-          parameters: 
-            - 
-              id:          au-2_prm_1
-              label:       organization-defined auditable events
-              constraints: 
-                - 
-                  detail: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-            - 
-              id:          au-2_prm_2
-              label: 
-                """
-                  organization-defined audited events (the subset of the auditable events defined
-                                 in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-                                 identified event
-                """
-              constraints: 
-                - 
-                  detail: organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-2
-            - 
-              name:  sort-id
-              value: au-02
-          links: 
-            - 
-              href: #672fd561-b92b-4713-b9cf-6c9d9456728b
-              rel:  reference
-              text: NIST Special Publication 800-92
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    au-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines that the information system is capable of auditing the following
-                                        events: {{ au-2_prm_1 }};
-                    """
-                - 
-                  id:         au-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Coordinates the security audit function with other organizational entities
-                                        requiring audit-related information to enhance mutual support and to help guide
-                                        the selection of auditable events;
-                    """
-                - 
-                  id:         au-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides a rationale for why the auditable events are deemed to be adequate to
-                                        support after-the-fact investigations of security incidents; and
-                    """
-                - 
-                  id:         au-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Determines that the following events are to be audited within the information
-                                        system: {{ au-2_prm_2 }}.
-                    """
-                - 
-                  id:    au-2_fr
-                  name:  item
-                  title: AU-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-2_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-            - 
-              id:    au-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  An event is any observable occurrence in an organizational information system.
-                                 Organizations identify audit events as those events which are significant and
-                                 relevant to the security of information systems and the environments in which those
-                                 systems operate in order to meet specific and ongoing audit needs. Audit events can
-                                 include, for example, password changes, failed logons, or failed accesses related to
-                                 information systems, administrative privilege usage, PIV credential usage, or
-                                 third-party credential usage. In determining the set of auditable events,
-                                 organizations consider the auditing appropriate for each of the security controls to
-                                 be implemented. To balance auditing requirements with other information system needs,
-                                 this control also requires identifying that subset of auditable events that are
-                                 audited at a given point in time. For example, organizations may determine that
-                                 information systems must have the capability to log every file access both successful
-                                 and unsuccessful, but not activate that capability except for specific circumstances
-                                 due to the potential burden on system performance. Auditing requirements, including
-                                 the need for auditable events, may be referenced in other security controls and
-                                 control enhancements. Organizations also include auditable events that are required
-                                 by applicable federal laws, Executive Orders, directives, policies, regulations, and
-                                 standards. Audit records can be generated at various levels of abstraction, including
-                                 at the packet level as information traverses the network. Selecting the appropriate
-                                 level of abstraction is a critical aspect of an audit capability and can facilitate
-                                 the identification of root causes to problems. Organizations consider in the
-                                 definition of auditable events, the auditing necessary to cover related events such
-                                 as the steps in distributed, transaction-based processes (e.g., processes that are
-                                 distributed across multiple organizations) and actions that occur in service-oriented
-                                 architectures.
-                """
-              links: 
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    au-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(a)
-                  parts: 
-                    - 
-                      id:         au-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-2(a)[1]
-                      prose: 
-                        """
-                          defines the auditable events that the information system must be capable of
-                                               auditing;
-                        """
-                    - 
-                      id:         au-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-2(a)[2]
-                      prose: 
-                        """
-                          determines that the information system is capable of auditing
-                                               organization-defined auditable events;
-                        """
-                - 
-                  id:         au-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AU-2(b)
-                  prose: 
-                    """
-                      coordinates the security audit function with other organizational entities
-                                        requiring audit-related information to enhance mutual support and to help guide
-                                        the selection of auditable events;
-                    """
-                - 
-                  id:         au-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: AU-2(c)
-                  prose: 
-                    """
-                      provides a rationale for why the auditable events are deemed to be adequate to
-                                        support after-the-fact investigations of security incidents;
-                    """
-                - 
-                  id:         au-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-2(d)
-                  parts: 
-                    - 
-                      id:         au-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-2(d)[1]
-                      prose: 
-                        """
-                          defines the subset of auditable events defined in AU-2a that are to be audited
-                                               within the information system;
-                        """
-                    - 
-                      id:         au-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-2(d)[2]
-                      prose: 
-                        """
-                          determines that the subset of auditable events defined in AU-2a are to be
-                                               audited within the information system; and
-                        """
-                    - 
-                      id:         au-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-2(d)[3]
-                      prose: 
-                        """
-                          determines the frequency of (or situation requiring) auditing for each
-                                               identified event.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing information system auditing
-          controls: 
-            - 
-              id:         au-2.3
-              class:      SP800-53-enhancement
-              title:      Reviews and Updates
-              parameters: 
-                - 
-                  id:          au-2.3_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: annually or whenever there is a change in the threat environment
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AU-2(3)
-                - 
-                  name:  sort-id
-                  value: au-02.03
-              parts: 
-                - 
-                  id:    au-2.3_smt
-                  name:  statement
-                  prose: The organization reviews and updates the audited events {{ au-2.3_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    au-2.3_fr
-                      name:  item
-                      title: AU-2 (3) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         au-2.3_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.
-                - 
-                  id:    au-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Over time, the events that organizations believe should be audited may change.
-                                        Reviewing and updating the set of audited events periodically is necessary to
-                                        ensure that the current set is still necessary and sufficient.
-                    """
-                - 
-                  id:    au-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         au-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-2(3)[1]
-                      prose:      defines the frequency to review and update the audited events; and
-                    - 
-                      id:         au-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-2(3)[2]
-                      prose: 
-                        """
-                          reviews and updates the auditable events with organization-defined
-                                               frequency.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\nlist of organization-defined auditable events\n\nauditable events review and update records\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting review and update of auditable events
-        - 
-          id:         au-3
-          class:      SP800-53
-          title:      Content of Audit Records
-          properties: 
-            - 
-              name:  label
-              value: AU-3
-            - 
-              name:  sort-id
-              value: au-03
-          parts: 
-            - 
-              id:    au-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system generates audit records containing information that
-                                 establishes what type of event occurred, when the event occurred, where the event
-                                 occurred, the source of the event, the outcome of the event, and the identity of any
-                                 individuals or subjects associated with the event.
-                """
-            - 
-              id:    au-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit record content that may be necessary to satisfy the requirement of this
-                                 control, includes, for example, time stamps, source and destination addresses,
-                                 user/process identifiers, event descriptions, success/fail indications, filenames
-                                 involved, and access control or flow control rules invoked. Event outcomes can
-                                 include indicators of event success or failure and event-specific results (e.g., the
-                                 security state of the information system after the event occurred).
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-8
-                  rel:  related
-                  text: AU-8
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #si-11
-                  rel:  related
-                  text: SI-11
-            - 
-              id:         au-3_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system generates audit records containing information
-                                 that establishes: 
-                """
-              parts: 
-                - 
-                  id:         au-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[1]
-                  prose:      what type of event occurred;
-                - 
-                  id:         au-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[2]
-                  prose:      when the event occurred;
-                - 
-                  id:         au-3_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[3]
-                  prose:      where the event occurred;
-                - 
-                  id:         au-3_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[4]
-                  prose:      the source of the event;
-                - 
-                  id:         au-3_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[5]
-                  prose:      the outcome of the event; and
-                - 
-                  id:         au-3_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-3[6]
-                  prose:      the identity of any individuals or subjects associated with the event.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing information system auditing of auditable
-                                        events
-                    """
-          controls: 
-            - 
-              id:         au-3.1
-              class:      SP800-53-enhancement
-              title:      Additional Audit Information
-              parameters: 
-                - 
-                  id:          au-3.1_prm_1
-                  label:       organization-defined additional, more detailed information
-                  constraints: 
-                    - 
-                      detail: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon
-              properties: 
-                - 
-                  name:  label
-                  value: AU-3(1)
-                - 
-                  name:  sort-id
-                  value: au-03.01
-              parts: 
-                - 
-                  id:    au-3.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system generates audit records containing the following additional
-                                        information: {{ au-3.1_prm_1 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    au-3.1_fr
-                      name:  item
-                      title: AU-3 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         au-3.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO.
-                        - 
-                          id:         au-3.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
-                - 
-                  id:    au-3.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Detailed information that organizations may consider in audit records includes,
-                                        for example, full text recording of privileged commands or the individual
-                                        identities of group account users. Organizations consider limiting the additional
-                                        audit information to only that information explicitly needed for specific audit
-                                        requirements. This facilitates the use of audit trails and audit logs by not
-                                        including information that could potentially be misleading or could make it more
-                                        difficult to locate information of interest.
-                    """
-                - 
-                  id:    au-3.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-3.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-3(1)[1]
-                      prose: 
-                        """
-                          the organization defines additional, more detailed information to be contained
-                                               in audit records that the information system generates; and
-                        """
-                    - 
-                      id:         au-3.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-3(1)[2]
-                      prose: 
-                        """
-                          the information system generates audit records containing the
-                                               organization-defined additional, more detailed information.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system audit capability
-        - 
-          id:         au-4
-          class:      SP800-53
-          title:      Audit Storage Capacity
-          parameters: 
-            - 
-              id:    au-4_prm_1
-              label: organization-defined audit record storage requirements
-          properties: 
-            - 
-              name:  label
-              value: AU-4
-            - 
-              name:  sort-id
-              value: au-04
-          parts: 
-            - 
-              id:    au-4_smt
-              name:  statement
-              prose: The organization allocates audit record storage capacity in accordance with {{ au-4_prm_1 }}.
-            - 
-              id:    au-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations consider the types of auditing to be performed and the audit processing
-                                 requirements when allocating audit storage capacity. Allocating sufficient audit
-                                 storage capacity reduces the likelihood of such capacity being exceeded and resulting
-                                 in the potential loss or reduction of auditing capability.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-11
-                  rel:  related
-                  text: AU-11
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    au-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-4_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-4[1]
-                  prose:      defines audit record storage requirements; and
-                - 
-                  id:         au-4_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-4[2]
-                  prose: 
-                    """
-                      allocates audit record storage capacity in accordance with the
-                                        organization-defined audit record storage requirements.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit record storage capacity and related configuration settings
-        - 
-          id:         au-5
-          class:      SP800-53
-          title:      Response to Audit Processing Failures
-          parameters: 
-            - 
-              id:    au-5_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          au-5_prm_2
-              label: 
-                """
-                  organization-defined actions to be taken (e.g., shut down information system,
-                                 overwrite oldest audit records, stop generating audit records)
-                """
-              constraints: 
-                - 
-                  detail: organization-defined actions to be taken (overwrite oldest record)
-          properties: 
-            - 
-              name:  label
-              value: AU-5
-            - 
-              name:  sort-id
-              value: au-05
-          parts: 
-            - 
-              id:    au-5_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Alerts {{ au-5_prm_1 }} in the event of an audit processing
-                                        failure; and
-                    """
-                - 
-                  id:         au-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Takes the following additional actions: {{ au-5_prm_2 }}.
-            - 
-              id:    au-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit processing failures include, for example, software/hardware errors, failures in
-                                 the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-                                 Organizations may choose to define additional actions for different audit processing
-                                 failures (e.g., by type, by location, by severity, or a combination of such factors).
-                                 This control applies to each audit data storage repository (i.e., distinct
-                                 information system component where audit records are stored), the total audit storage
-                                 capacity of organizations (i.e., all audit data storage repositories combined), or
-                                 both.
-                """
-              links: 
-                - 
-                  href: #au-4
-                  rel:  related
-                  text: AU-4
-                - 
-                  href: #si-12
-                  rel:  related
-                  text: SI-12
-            - 
-              id:    au-5_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-5(a)
-                  parts: 
-                    - 
-                      id:         au-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(a)[1]
-                      prose: 
-                        """
-                          the organization defines the personnel or roles to be alerted in the event of
-                                               an audit processing failure;
-                        """
-                    - 
-                      id:         au-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-5(a)[2]
-                      prose: 
-                        """
-                          the information system alerts the organization-defined personnel or roles in
-                                               the event of an audit processing failure;
-                        """
-                - 
-                  id:         au-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-5(b)
-                  parts: 
-                    - 
-                      id:         au-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-5(b)[1]
-                      prose: 
-                        """
-                          the organization defines additional actions to be taken (e.g., shutdown
-                                               information system, overwrite oldest audit records, stop generating audit
-                                               records) in the event of an audit processing failure; and
-                        """
-                    - 
-                      id:         au-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-5(b)[2]
-                      prose: 
-                        """
-                          the information system takes the additional organization-defined actions in the
-                                               event of an audit processing failure.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms implementing information system response to audit processing
-                                        failures
-                    """
-        - 
-          id:         au-6
-          class:      SP800-53
-          title:      Audit Review, Analysis, and Reporting
-          parameters: 
-            - 
-              id:          au-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least weekly
-            - 
-              id:    au-6_prm_2
-              label: organization-defined inappropriate or unusual activity
-            - 
-              id:    au-6_prm_3
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-6
-            - 
-              name:  sort-id
-              value: au-06
-          parts: 
-            - 
-              id:    au-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         au-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Reviews and analyzes information system audit records {{ au-6_prm_1 }} for indications of {{ au-6_prm_2 }};
-                                        and
-                    """
-                - 
-                  id:         au-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reports findings to {{ au-6_prm_3 }}.
-                - 
-                  id:    au-6_fr
-                  name:  item
-                  title: AU-6 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-            - 
-              id:    au-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit review, analysis, and reporting covers information security-related auditing
-                                 performed by organizations including, for example, auditing that results from
-                                 monitoring of account usage, remote access, wireless connectivity, mobile device
-                                 connection, configuration settings, system component inventory, use of maintenance
-                                 tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-                                 delivery and removal, communications at the information system boundaries, use of
-                                 mobile code, and use of VoIP. Findings can be reported to organizational entities
-                                 that include, for example, incident response team, help desk, information security
-                                 group/department. If organizations are prohibited from reviewing and analyzing audit
-                                 information or unable to conduct such activities (e.g., in certain national security
-                                 applications or systems), the review/analysis may be carried out by other
-                                 organizations granted such authority.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-16
-                  rel:  related
-                  text: AU-16
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-10
-                  rel:  related
-                  text: CM-10
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ir-5
-                  rel:  related
-                  text: IR-5
-                - 
-                  href: #ir-6
-                  rel:  related
-                  text: IR-6
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #pe-14
-                  rel:  related
-                  text: PE-14
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-18
-                  rel:  related
-                  text: SC-18
-                - 
-                  href: #sc-19
-                  rel:  related
-                  text: SC-19
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    au-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-6(a)
-                  parts: 
-                    - 
-                      id:         au-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(a)[1]
-                      prose: 
-                        """
-                          defines the types of inappropriate or unusual activity to look for when
-                                               information system audit records are reviewed and analyzed;
-                        """
-                    - 
-                      id:         au-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(a)[2]
-                      prose: 
-                        """
-                          defines the frequency to review and analyze information system audit records
-                                               for indications of organization-defined inappropriate or unusual activity;
-                        """
-                    - 
-                      id:         au-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-6(a)[3]
-                      prose: 
-                        """
-                          reviews and analyzes information system audit records for indications of
-                                               organization-defined inappropriate or unusual activity with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         au-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-6(b)
-                  parts: 
-                    - 
-                      id:         au-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-6(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom findings resulting from reviews and analysis
-                                               of information system audit records are to be reported; and
-                        """
-                    - 
-                      id:         au-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-6(b)[2]
-                      prose:      reports findings to organization-defined personnel or roles.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with audit review, analysis, and reporting
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-          controls: 
-            - 
-              id:         au-6.1
-              class:      SP800-53-enhancement
-              title:      Process Integration
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(1)
-                - 
-                  name:  sort-id
-                  value: au-06.01
-              parts: 
-                - 
-                  id:    au-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to integrate audit review, analysis,
-                                        and reporting processes to support organizational processes for investigation and
-                                        response to suspicious activities.
-                    """
-                - 
-                  id:    au-6.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational processes benefiting from integrated audit review, analysis, and
-                                        reporting include, for example, incident response, continuous monitoring,
-                                        contingency planning, and Inspector General audits.
-                    """
-                  links: 
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                    - 
-                      href: #pm-7
-                      rel:  related
-                      text: PM-7
-                - 
-                  id:    au-6.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         au-6.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-6(1)[1]
-                      prose:      employs automated mechanisms to integrate:
-                      parts: 
-                        - 
-                          id:         au-6.1_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[1][a]
-                          prose:      audit review;
-                        - 
-                          id:         au-6.1_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[1][b]
-                          prose:      analysis;
-                        - 
-                          id:         au-6.1_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[1][c]
-                          prose:      reporting processes;
-                    - 
-                      id:         au-6.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: AU-6(1)[2]
-                      prose: 
-                        """
-                          uses integrated audit review, analysis and reporting processes to support
-                                               organizational processes for:
-                        """
-                      parts: 
-                        - 
-                          id:         au-6.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[2][a]
-                          prose:      investigation of suspicious activities; and
-                        - 
-                          id:         au-6.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: AU-6(1)[2][b]
-                          prose:      response to suspicious activities.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms integrating audit review, analysis, and reporting
-                                               processes
-                        """
-            - 
-              id:         au-6.3
-              class:      SP800-53-enhancement
-              title:      Correlate Audit Repositories
-              properties: 
-                - 
-                  name:  label
-                  value: AU-6(3)
-                - 
-                  name:  sort-id
-                  value: au-06.03
-              parts: 
-                - 
-                  id:    au-6.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization analyzes and correlates audit records across different
-                                        repositories to gain organization-wide situational awareness.
-                    """
-                - 
-                  id:    au-6.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organization-wide situational awareness includes awareness across all three tiers
-                                        of risk management (i.e., organizational, mission/business process, and
-                                        information system) and supports cross-organization awareness.
-                    """
-                  links: 
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                - 
-                  id:         au-6.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization analyzes and correlates audit records across
-                                        different repositories to gain organization-wide situational awareness. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records across different repositories\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit review, analysis, and reporting
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting analysis and correlation of audit records
-        - 
-          id:         au-7
-          class:      SP800-53
-          title:      Audit Reduction and Report Generation
-          properties: 
-            - 
-              name:  label
-              value: AU-7
-            - 
-              name:  sort-id
-              value: au-07
-          parts: 
-            - 
-              id:    au-7_smt
-              name:  statement
-              prose: 
-                """
-                  The information system provides an audit reduction and report generation capability
-                                 that:
-                """
-              parts: 
-                - 
-                  id:         au-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Supports on-demand audit review, analysis, and reporting requirements and
-                                        after-the-fact investigations of security incidents; and
-                    """
-                - 
-                  id:         au-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Does not alter the original content or time ordering of audit records.
-            - 
-              id:    au-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit reduction is a process that manipulates collected audit information and
-                                 organizes such information in a summary format that is more meaningful to analysts.
-                                 Audit reduction and report generation capabilities do not always emanate from the
-                                 same information system or from the same organizational entities conducting auditing
-                                 activities. Audit reduction capability can include, for example, modern data mining
-                                 techniques with advanced data filters to identify anomalous behavior in audit
-                                 records. The report generation capability provided by the information system can
-                                 generate customizable reports. Time ordering of audit records can be a significant
-                                 issue if the granularity of the timestamp in the record is insufficient.
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-            - 
-              id:    au-7_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system provides an audit reduction and report generation
-                                 capability that supports:
-                """
-              parts: 
-                - 
-                  id:         au-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AU-7(a)
-                  parts: 
-                    - 
-                      id:         au-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-7(a)[1]
-                      prose:      on-demand audit review;
-                    - 
-                      id:         au-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-7(a)[2]
-                      prose:      analysis;
-                    - 
-                      id:         au-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-7(a)[3]
-                      prose:      reporting requirements;
-                    - 
-                      id:         au-7.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-7(a)[4]
-                      prose:      after-the-fact investigations of security incidents; and
-                - 
-                  id:         au-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-7(b)
-                  prose:      does not alter the original content or time ordering of audit records.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with audit reduction and report generation
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit reduction and report generation capability
-          controls: 
-            - 
-              id:         au-7.1
-              class:      SP800-53-enhancement
-              title:      Automatic Processing
-              parameters: 
-                - 
-                  id:    au-7.1_prm_1
-                  label: organization-defined audit fields within audit records
-              properties: 
-                - 
-                  name:  label
-                  value: AU-7(1)
-                - 
-                  name:  sort-id
-                  value: au-07.01
-              parts: 
-                - 
-                  id:    au-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system provides the capability to process audit records for events
-                                        of interest based on {{ au-7.1_prm_1 }}.
-                    """
-                - 
-                  id:    au-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Events of interest can be identified by the content of specific audit record
-                                        fields including, for example, identities of individuals, event types, event
-                                        locations, event times, event dates, system resources involved, IP addresses
-                                        involved, or information objects accessed. Organizations may define audit event
-                                        criteria to any degree of granularity required, for example, locations selectable
-                                        by general networking location (e.g., by network or subnetwork) or selectable by
-                                        specific information system component.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                - 
-                  id:    au-7.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-7.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-7(1)[1]
-                      prose: 
-                        """
-                          the organization defines audit fields within audit records in order to process
-                                               audit records for events of interest; and
-                        """
-                    - 
-                      id:         au-7.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-7(1)[2]
-                      prose: 
-                        """
-                          the information system provides the capability to process audit records for
-                                               events of interest based on the organization-defined audit fields within audit
-                                               records.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with audit reduction and report generation
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit reduction and report generation capability
-        - 
-          id:         au-8
-          class:      SP800-53
-          title:      Time Stamps
-          parameters: 
-            - 
-              id:    au-8_prm_1
-              label: organization-defined granularity of time measurement
-          properties: 
-            - 
-              name:  label
-              value: AU-8
-            - 
-              name:  sort-id
-              value: au-08
-          parts: 
-            - 
-              id:    au-8_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Uses internal system clocks to generate time stamps for audit records; and
-                - 
-                  id:         au-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Records time stamps for audit records that can be mapped to Coordinated Universal
-                                        Time (UTC) or Greenwich Mean Time (GMT) and meets {{ au-8_prm_1 }}.
-                    """
-            - 
-              id:    au-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Time stamps generated by the information system include date and time. Time is
-                                 commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-                                 Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-                                 measurements refers to the degree of synchronization between information system
-                                 clocks and reference clocks, for example, clocks synchronizing within hundreds of
-                                 milliseconds or within tens of milliseconds. Organizations may define different time
-                                 granularities for different system components. Time service can also be critical to
-                                 other security capabilities such as access control and identification and
-                                 authentication, depending on the nature of the mechanisms used to support those
-                                 capabilities.
-                """
-              links: 
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-            - 
-              id:    au-8_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-8(a)
-                  prose: 
-                    """
-                      the information system uses internal system clocks to generate time stamps for
-                                        audit records;
-                    """
-                - 
-                  id:         au-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-8(b)
-                  parts: 
-                    - 
-                      id:         au-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-8(b)[1]
-                      prose: 
-                        """
-                          the information system records time stamps for audit records that can be mapped
-                                               to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);
-                        """
-                    - 
-                      id:         au-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-8(b)[2]
-                      prose: 
-                        """
-                          the organization defines the granularity of time measurement to be met when
-                                               recording time stamps for audit records; and
-                        """
-                    - 
-                      id:         au-8.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-8(b)[3]
-                      prose: 
-                        """
-                          the organization records time stamps for audit records that meet the
-                                               organization-defined granularity of time measurement.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing time stamp generation
-          controls: 
-            - 
-              id:         au-8.1
-              class:      SP800-53-enhancement
-              title:      Synchronization with Authoritative Time Source
-              parameters: 
-                - 
-                  id:          au-8.1_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: At least hourly
-                - 
-                  id:          au-8.1_prm_2
-                  label:       organization-defined authoritative time source
-                  constraints: 
-                    - 
-                      detail: http://tf.nist.gov/tf-cgi/servers.cgi
-                - 
-                  id:    au-8.1_prm_3
-                  label: organization-defined time period
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AU-8(1)
-                - 
-                  name:  sort-id
-                  value: au-08.01
-              parts: 
-                - 
-                  id:    au-8.1_smt
-                  name:  statement
-                  prose: The information system:
-                  parts: 
-                    - 
-                      id:         au-8.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Compares the internal information system clocks {{ au-8.1_prm_1 }} with {{ au-8.1_prm_2 }}; and
-                    - 
-                      id:         au-8.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Synchronizes the internal system clocks to the authoritative time source when
-                                               the time difference is greater than {{ au-8.1_prm_3 }}.
-                        """
-                    - 
-                      id:    au-8.1_fr
-                      name:  item
-                      title: AU-8 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         au-8.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
-                        - 
-                          id:         au-8.1_fr_smt.2
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
-                        - 
-                          id:         au-8.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Synchronization of system clocks improves the accuracy of log analysis.
-                - 
-                  id:    au-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement provides uniformity of time stamps for information
-                                        systems with multiple system clocks and systems connected over a network.
-                    """
-                - 
-                  id:    au-8.1_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         au-8.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-8(1)(a)
-                      parts: 
-                        - 
-                          id:         au-8.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-8(1)(a)[1]
-                          prose: 
-                            """
-                              the organization defines the authoritative time source to which internal
-                                                      information system clocks are to be compared;
-                            """
-                        - 
-                          id:         au-8.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-8(1)(a)[2]
-                          prose: 
-                            """
-                              the organization defines the frequency to compare the internal information
-                                                      system clocks with the organization-defined authoritative time source;
-                                                      and
-                            """
-                        - 
-                          id:         au-8.1.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AU-8(1)(a)[3]
-                          prose: 
-                            """
-                              the information system compares the internal information system clocks with
-                                                      the organization-defined authoritative time source with organization-defined
-                                                      frequency; and
-                            """
-                      links: 
-                        - 
-                          href: #au-8.1_smt.a
-                          rel:  corresp
-                          text: AU-8(1)(a)
-                    - 
-                      id:         au-8.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-8(1)(b)
-                      parts: 
-                        - 
-                          id:         au-8.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: AU-8(1)(b)[1]
-                          prose: 
-                            """
-                              the organization defines the time period that, if exceeded by the time
-                                                      difference between the internal system clocks and the authoritative time
-                                                      source, will result in the internal system clocks being synchronized to the
-                                                      authoritative time source; and
-                            """
-                        - 
-                          id:         au-8.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: AU-8(1)(b)[2]
-                          prose: 
-                            """
-                              the information system synchronizes the internal information system clocks
-                                                      to the authoritative time source when the time difference is greater than
-                                                      the organization-defined time period.
-                            """
-                      links: 
-                        - 
-                          href: #au-8.1_smt.b
-                          rel:  corresp
-                          text: AU-8(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing internal information system clock
-                                               synchronization
-                        """
-        - 
-          id:         au-9
-          class:      SP800-53
-          title:      Protection of Audit Information
-          properties: 
-            - 
-              name:  label
-              value: AU-9
-            - 
-              name:  sort-id
-              value: au-09
-          parts: 
-            - 
-              id:    au-9_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects audit information and audit tools from unauthorized
-                                 access, modification, and deletion.
-                """
-            - 
-              id:    au-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit information includes all information (e.g., audit records, audit settings, and
-                                 audit reports) needed to successfully audit information system activity. This control
-                                 focuses on technical protection of audit information. Physical protection of audit
-                                 information is addressed by media protection controls and physical and environmental
-                                 protection controls.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-            - 
-              id:    au-9_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         au-9_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-9[1]
-                  prose:      the information system protects audit information from unauthorized:
-                  parts: 
-                    - 
-                      id:         au-9_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][a]
-                      prose:      access;
-                    - 
-                      id:         au-9_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][b]
-                      prose:      modification;
-                    - 
-                      id:         au-9_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[1][c]
-                      prose:      deletion;
-                - 
-                  id:         au-9_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-9[2]
-                  prose:      the information system protects audit tools from unauthorized:
-                  parts: 
-                    - 
-                      id:         au-9_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][a]
-                      prose:      access;
-                    - 
-                      id:         au-9_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][b]
-                      prose:      modification; and
-                    - 
-                      id:         au-9_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-9[2][c]
-                      prose:      deletion.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation,
-                                        information system audit records\n\naudit tools\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing audit information protection
-          controls: 
-            - 
-              id:         au-9.2
-              class:      SP800-53-enhancement
-              title:      Audit Backup On Separate Physical Systems / Components
-              parameters: 
-                - 
-                  id:          au-9.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least weekly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: AU-9(2)
-                - 
-                  name:  sort-id
-                  value: au-09.02
-              parts: 
-                - 
-                  id:    au-9.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system backs up audit records {{ au-9.2_prm_1 }}
-                                        onto a physically different system or system component than the system or
-                                        component being audited.
-                    """
-                - 
-                  id:    au-9.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement helps to ensure that a compromise of the information
-                                        system being audited does not also result in a compromise of the audit
-                                        records.
-                    """
-                  links: 
-                    - 
-                      href: #au-4
-                      rel:  related
-                      text: AU-4
-                    - 
-                      href: #au-5
-                      rel:  related
-                      text: AU-5
-                    - 
-                      href: #au-11
-                      rel:  related
-                      text: AU-11
-                - 
-                  id:    au-9.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         au-9.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-9(2)[1]
-                      prose: 
-                        """
-                          the organization defines the frequency to back up audit records onto a
-                                               physically different system or system component than the system or component
-                                               being audited; and
-                        """
-                    - 
-                      id:         au-9.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-9(2)[2]
-                      prose: 
-                        """
-                          the information system backs up audit records with the organization-defined
-                                               frequency, onto a physically different system or system component than the
-                                               system or component being audited.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, system
-                                               or media storing backups of information system audit records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing the backing up of audit records
-            - 
-              id:         au-9.4
-              class:      SP800-53-enhancement
-              title:      Access by Subset of Privileged Users
-              parameters: 
-                - 
-                  id:    au-9.4_prm_1
-                  label: organization-defined subset of privileged users
-              properties: 
-                - 
-                  name:  label
-                  value: AU-9(4)
-                - 
-                  name:  sort-id
-                  value: au-09.04
-              parts: 
-                - 
-                  id:    au-9.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization authorizes access to management of audit functionality to only
-                                           {{ au-9.4_prm_1 }}.
-                    """
-                - 
-                  id:    au-9.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Individuals with privileged access to an information system and who are also the
-                                        subject of an audit by that system, may affect the reliability of audit
-                                        information by inhibiting audit activities or modifying audit records. This
-                                        control enhancement requires that privileged access be further defined between
-                                        audit-related privileges and other privileges, thus limiting the users with
-                                        audit-related privileges.
-                    """
-                  links: 
-                    - 
-                      href: #ac-5
-                      rel:  related
-                      text: AC-5
-                - 
-                  id:    au-9.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         au-9.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-9(4)[1]
-                      prose: 
-                        """
-                          defines a subset of privileged users to be authorized access to management of
-                                               audit functionality; and
-                        """
-                    - 
-                      id:         au-9.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-9(4)[2]
-                      prose: 
-                        """
-                          authorizes access to management of audit functionality to only the
-                                               organization-defined subset of privileged users.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation,
-                                               system-generated list of privileged users with access to management of audit
-                                               functionality\n\naccess authorizations\n\naccess control list\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms managing access to audit functionality
-        - 
-          id:         au-11
-          class:      SP800-53
-          title:      Audit Record Retention
-          parameters: 
-            - 
-              id:          au-11_prm_1
-              label:       organization-defined time period consistent with records retention policy
-              constraints: 
-                - 
-                  detail: at least ninety days
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: AU-11
-            - 
-              name:  sort-id
-              value: au-11
-          parts: 
-            - 
-              id:    au-11_smt
-              name:  statement
-              prose: 
-                """
-                  The organization retains audit records for {{ au-11_prm_1 }} to
-                                 provide support for after-the-fact investigations of security incidents and to meet
-                                 regulatory and organizational information retention requirements.
-                """
-              parts: 
-                - 
-                  id:    au-11_fr
-                  name:  item
-                  title: AU-11 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         au-11_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-            - 
-              id:    au-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations retain audit records until it is determined that they are no longer
-                                 needed for administrative, legal, audit, or other operational purposes. This
-                                 includes, for example, retention and availability of audit records relative to
-                                 Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-                                 Organizations develop standard categories of audit records relative to such types of
-                                 actions and standard response processes for each type of action. The National
-                                 Archives and Records Administration (NARA) General Records Schedules provide federal
-                                 policy on record retention.
-                """
-              links: 
-                - 
-                  href: #au-4
-                  rel:  related
-                  text: AU-4
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-            - 
-              id:    au-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         au-11_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-11[1]
-                  prose: 
-                    """
-                      defines a time period to retain audit records that is consistent with records
-                                        retention policy;
-                    """
-                - 
-                  id:         au-11_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: AU-11[2]
-                  prose: 
-                    """
-                      retains audit records for the organization-defined time period consistent with
-                                        records retention policy to:
-                    """
-                  parts: 
-                    - 
-                      id:         au-11_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-11[2][a]
-                      prose: 
-                        """
-                          provide support for after-the-fact investigations of security incidents;
-                                               and
-                        """
-                    - 
-                      id:         au-11_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: AU-11[2][b]
-                      prose:      meet regulatory and organizational information retention requirements.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-        - 
-          id:         au-12
-          class:      SP800-53
-          title:      Audit Generation
-          parameters: 
-            - 
-              id:          au-12_prm_1
-              label:       organization-defined information system components
-              constraints: 
-                - 
-                  detail: all information system and network components where audit capability is deployed/available
-            - 
-              id:    au-12_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: AU-12
-            - 
-              name:  sort-id
-              value: au-12
-          parts: 
-            - 
-              id:    au-12_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         au-12_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides audit record generation capability for the auditable events defined in
-                                        AU-2 a. at {{ au-12_prm_1 }};
-                    """
-                - 
-                  id:         au-12_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Allows {{ au-12_prm_2 }} to select which auditable events are to be
-                                        audited by specific components of the information system; and
-                    """
-                - 
-                  id:         au-12_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Generates audit records for the events defined in AU-2 d. with the content defined
-                                        in AU-3.
-                    """
-            - 
-              id:    au-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Audit records can be generated from many different information system components. The
-                                 list of audited events is the set of events for which audits are to be generated.
-                                 These events are typically a subset of all events for which the information system is
-                                 capable of generating audit records.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-            - 
-              id:    au-12_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         au-12.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(a)
-                  parts: 
-                    - 
-                      id:         au-12.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(a)[1]
-                      prose: 
-                        """
-                          the organization defines the information system components which are to provide
-                                               audit record generation capability for the auditable events defined in
-                                               AU-2a;
-                        """
-                    - 
-                      id:         au-12.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-12(a)[2]
-                      prose: 
-                        """
-                          the information system provides audit record generation capability, for the
-                                               auditable events defined in AU-2a, at organization-defined information system
-                                               components;
-                        """
-                - 
-                  id:         au-12.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: AU-12(b)
-                  parts: 
-                    - 
-                      id:         au-12.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: AU-12(b)[1]
-                      prose: 
-                        """
-                          the organization defines the personnel or roles allowed to select which
-                                               auditable events are to be audited by specific components of the information
-                                               system;
-                        """
-                    - 
-                      id:         au-12.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: AU-12(b)[2]
-                      prose: 
-                        """
-                          the information system allows the organization-defined personnel or roles to
-                                               select which auditable events are to be audited by specific components of the
-                                               system; and
-                        """
-                - 
-                  id:         au-12.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: AU-12(c)
-                  prose: 
-                    """
-                      the information system generates audit records for the events defined in AU-2d
-                                        with the content in defined in AU-3.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing audit record generation capability
-    - 
-      id:       ca
-      class:    family
-      title:    Security Assessment and Authorization
-      controls: 
-        - 
-          id:         ca-1
-          class:      SP800-53
-          title:      Security Assessment and Authorization Policy and Procedures
-          parameters: 
-            - 
-              id:    ca-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ca-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ca-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-1
-            - 
-              name:  sort-id
-              value: ca-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ca-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ca-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ca-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security assessment and authorization policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         ca-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security assessment and
-                                               authorization policy and associated security assessment and authorization
-                                               controls; and
-                        """
-                - 
-                  id:         ca-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ca-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Security assessment and authorization policy {{ ca-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         ca-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security assessment and authorization procedures {{ ca-1_prm_3 }}.
-            - 
-              id:    ca-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ca-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-1(a)
-                  parts: 
-                    - 
-                      id:         ca-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ca-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a security assessment and authorization policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         ca-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ca-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ca-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ca-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ca-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ca-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ca-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ca-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the security assessment and authorization
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         ca-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the security assessment and authorization policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         ca-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ca-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      security assessment and authorization policy and associated assessment and
-                                                      authorization controls;
-                            """
-                        - 
-                          id:         ca-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ca-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ca-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-1(b)
-                  parts: 
-                    - 
-                      id:         ca-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ca-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security assessment
-                                                      and authorization policy;
-                            """
-                        - 
-                          id:         ca-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security assessment and authorization policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         ca-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ca-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current security assessment
-                                                      and authorization procedures; and
-                            """
-                        - 
-                          id:         ca-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current security assessment and authorization
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security assessment and authorization
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ca-2
-          class:      SP800-53
-          title:      Security Assessments
-          parameters: 
-            - 
-              id:          ca-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ca-2_prm_2
-              label:       organization-defined individuals or roles
-              constraints: 
-                - 
-                  detail: individuals or roles to include FedRAMP PMO
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-2
-            - 
-              name:  sort-id
-              value: ca-02
-          links: 
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    ca-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops a security assessment plan that describes the scope of the assessment
-                                        including:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security controls and control enhancements under assessment;
-                    - 
-                      id:         ca-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Assessment procedures to be used to determine security control effectiveness;
-                                               and
-                        """
-                    - 
-                      id:         ca-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Assessment environment, assessment team, and assessment roles and
-                                               responsibilities;
-                        """
-                - 
-                  id:         ca-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Assesses the security controls in the information system and its environment of
-                                        operation {{ ca-2_prm_1 }} to determine the extent to which the
-                                        controls are implemented correctly, operating as intended, and producing the
-                                        desired outcome with respect to meeting established security requirements;
-                    """
-                - 
-                  id:         ca-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Produces a security assessment report that documents the results of the
-                                        assessment; and
-                    """
-                - 
-                  id:         ca-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Provides the results of the security control assessment to {{ ca-2_prm_2 }}.
-                - 
-                  id:    ca-2_fr
-                  name:  item
-                  title: CA-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-2_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations assess security controls in organizational information systems and the
-                                 environments in which those systems operate as part of: (i) initial and ongoing
-                                 security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-                                 and (iv) system development life cycle activities. Security assessments: (i) ensure
-                                 that information security is built into organizational information systems; (ii)
-                                 identify weaknesses and deficiencies early in the development process; (iii) provide
-                                 essential information needed to make risk-based decisions as part of security
-                                 authorization processes; and (iv) ensure compliance to vulnerability mitigation
-                                 procedures. Assessments are conducted on the implemented security controls from
-                                 Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-                                 in System Security Plans and Information Security Program Plans. Organizations can
-                                 use other types of assessment activities such as vulnerability scanning and system
-                                 monitoring to maintain the security posture of information systems during the entire
-                                 life cycle. Security assessment reports document assessment results in sufficient
-                                 detail as deemed necessary by organizations, to determine the accuracy and
-                                 completeness of the reports and whether the security controls are implemented
-                                 correctly, operating as intended, and producing the desired outcome with respect to
-                                 meeting security requirements. The FISMA requirement for assessing security controls
-                                 at least annually does not require additional assessment activities to those
-                                 activities already in place in organizational security authorization processes.
-                                 Security assessment results are provided to the individuals or roles appropriate for
-                                 the types of assessments being conducted. For example, assessments conducted in
-                                 support of security authorization decisions are provided to authorizing officials or
-                                 authorizing official designated representatives. To satisfy annual assessment
-                                 requirements, organizations can use assessment results from the following sources:
-                                 (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-                                 or (iii) system development life cycle activities. Organizations ensure that security
-                                 assessment results are current, relevant to the determination of security control
-                                 effectiveness, and obtained with the appropriate level of assessor independence.
-                                 Existing security control assessment results can be reused to the extent that the
-                                 results are still valid and can also be supplemented with additional assessments as
-                                 needed. Subsequent to initial authorizations and in accordance with OMB policy,
-                                 organizations assess security controls during continuous monitoring. Organizations
-                                 establish the frequency for ongoing security control assessments in accordance with
-                                 organizational continuous monitoring strategies. Information Assurance Vulnerability
-                                 Alerts provide useful examples of vulnerability mitigation procedures. External
-                                 audits (e.g., audits by external entities such as regulatory agencies) are outside
-                                 the scope of this control.
-                """
-              links: 
-                - 
-                  href: #ca-5
-                  rel:  related
-                  text: CA-5
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-2(a)
-                  prose: 
-                    """
-                      develops a security assessment plan that describes the scope of the assessment
-                                        including:
-                    """
-                  parts: 
-                    - 
-                      id:         ca-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(1)
-                      prose:      security controls and control enhancements under assessment;
-                    - 
-                      id:         ca-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(2)
-                      prose: 
-                        """
-                          assessment procedures to be used to determine security control
-                                               effectiveness;
-                        """
-                    - 
-                      id:         ca-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-2(a)(3)
-                      parts: 
-                        - 
-                          id:         ca-2.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[1]
-                          prose:      assessment environment;
-                        - 
-                          id:         ca-2.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[2]
-                          prose:      assessment team;
-                        - 
-                          id:         ca-2.a.3_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(a)(3)[3]
-                          prose:      assessment roles and responsibilities;
-                - 
-                  id:         ca-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(b)
-                  parts: 
-                    - 
-                      id:         ca-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to assess the security controls in the information system
-                                               and its environment of operation;
-                        """
-                    - 
-                      id:         ca-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-2(b)[2]
-                      prose: 
-                        """
-                          assesses the security controls in the information system with the
-                                               organization-defined frequency to determine the extent to which the controls
-                                               are implemented correctly, operating as intended, and producing the desired
-                                               outcome with respect to meeting established security requirements;
-                        """
-                - 
-                  id:         ca-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CA-2(c)
-                  prose: 
-                    """
-                      produces a security assessment report that documents the results of the
-                                        assessment;
-                    """
-                - 
-                  id:         ca-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-2(d)
-                  parts: 
-                    - 
-                      id:         ca-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(d)[1]
-                      prose: 
-                        """
-                          defines individuals or roles to whom the results of the security control
-                                               assessment are to be provided; and
-                        """
-                    - 
-                      id:         ca-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-2(d)[2]
-                      prose: 
-                        """
-                          provides the results of the security control assessment to organization-defined
-                                               individuals or roles.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting security assessment, security assessment plan
-                                        development, and/or security assessment reporting
-                    """
-          controls: 
-            - 
-              id:         ca-2.1
-              class:      SP800-53-enhancement
-              title:      Independent Assessors
-              parameters: 
-                - 
-                  id:    ca-2.1_prm_1
-                  label: organization-defined level of independence
-              properties: 
-                - 
-                  name:  label
-                  value: CA-2(1)
-                - 
-                  name:  sort-id
-                  value: ca-02.01
-              parts: 
-                - 
-                  id:    ca-2.1_smt
-                  name:  statement
-                  prose: The organization employs assessors or assessment teams with {{ ca-2.1_prm_1 }} to conduct security control assessments.
-                  parts: 
-                    - 
-                      id:    ca-2.1_fr
-                      name:  item
-                      title: CA-2 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-2.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-                - 
-                  id:    ca-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Independent assessors or assessment teams are individuals or groups who conduct
-                                        impartial assessments of organizational information systems. Impartiality implies
-                                        that assessors are free from any perceived or actual conflicts of interest with
-                                        regard to the development, operation, or management of the organizational
-                                        information systems under assessment or to the determination of security control
-                                        effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                                        or conflicting interest with the organizations where the assessments are being
-                                        conducted; (ii) assess their own work; (iii) act as management or employees of the
-                                        organizations they are serving; or (iv) place themselves in positions of advocacy
-                                        for the organizations acquiring their services. Independent assessments can be
-                                        obtained from elements within organizations or can be contracted to public or
-                                        private sector entities outside of organizations. Authorizing officials determine
-                                        the required level of independence based on the security categories of information
-                                        systems and/or the ultimate risk to organizational operations, organizational
-                                        assets, or individuals. Authorizing officials also determine if the level of
-                                        assessor independence provides sufficient assurance that the results are sound and
-                                        can be used to make credible, risk-based decisions. This includes determining
-                                        whether contracted security assessment services have sufficient independence, for
-                                        example, when information system owners are not directly involved in contracting
-                                        processes or cannot unduly influence the impartiality of assessors conducting
-                                        assessments. In special situations, for example, when organizations that own the
-                                        information systems are small or organizational structures require that
-                                        assessments are conducted by individuals that are in the developmental,
-                                        operational, or management chain of system owners, independence in assessment
-                                        processes can be achieved by ensuring that assessment results are carefully
-                                        reviewed and analyzed by independent teams of experts to validate the
-                                        completeness, accuracy, integrity, and reliability of the results. Organizations
-                                        recognize that assessments performed for purposes other than direct support to
-                                        authorization decisions are, when performed by assessors with sufficient
-                                        independence, more likely to be useable for such decisions, thereby reducing the
-                                        need to repeat assessments.
-                    """
-                - 
-                  id:    ca-2.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-2.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(1)[1]
-                      prose: 
-                        """
-                          defines the level of independence to be employed to conduct security control
-                                               assessments; and
-                        """
-                    - 
-                      id:         ca-2.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-2(1)[2]
-                      prose: 
-                        """
-                          employs assessors or assessment teams with the organization-defined level of
-                                               independence to conduct security control assessments.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity authorization package (including security plan, security assessment
-                                               plan, security assessment report, plan of action and milestones, authorization
-                                               statement)\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ca-2.2
-              class:      SP800-53-enhancement
-              title:      Specialized Assessments
-              parameters: 
-                - 
-                  id:          ca-2.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least annually
-                - 
-                  id: ca-2.2_prm_2
-                - 
-                  id: ca-2.2_prm_3
-                - 
-                  id:         ca-2.2_prm_4
-                  depends-on: ca-2.2_prm_3
-                  label:      organization-defined other forms of security assessment
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CA-2(2)
-                - 
-                  name:  sort-id
-                  value: ca-02.02
-              parts: 
-                - 
-                  id:    ca-2.2_smt
-                  name:  statement
-                  prose: The organization includes as part of security control assessments, {{ ca-2.2_prm_1 }}, {{ ca-2.2_prm_2 }}, {{ ca-2.2_prm_3 }}.
-                  parts: 
-                    - 
-                      id:    ca-2.2_fr
-                      name:  item
-                      title: CA-2 (2) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-2.2_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      To include 'announced', 'vulnerability scanning'
-                - 
-                  id:    ca-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can employ information system monitoring, insider threat
-                                        assessments, malicious user testing, and other forms of testing (e.g.,
-                                        verification and validation) to improve readiness by exercising organizational
-                                        capabilities and indicating current performance levels as a means of focusing
-                                        actions to improve security. Organizations conduct assessment activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        regulations, and standards. Authorizing officials approve the assessment methods
-                                        in coordination with the organizational risk executive function. Organizations can
-                                        incorporate vulnerabilities uncovered during assessments into vulnerability
-                                        remediation processes.
-                    """
-                  links: 
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #si-2
-                      rel:  related
-                      text: SI-2
-                - 
-                  id:    ca-2.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(2)[1]
-                      prose: 
-                        """
-                          selects one or more of the following forms of specialized security assessment
-                                               to be included as part of security control assessments:
-                        """
-                      parts: 
-                        - 
-                          id:         ca-2.2_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][a]
-                          prose:      in-depth monitoring;
-                        - 
-                          id:         ca-2.2_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][b]
-                          prose:      vulnerability scanning;
-                        - 
-                          id:         ca-2.2_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][c]
-                          prose:      malicious user testing;
-                        - 
-                          id:         ca-2.2_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][d]
-                          prose:      insider threat assessment;
-                        - 
-                          id:         ca-2.2_obj.1.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][e]
-                          prose:      performance/load testing; and/or
-                        - 
-                          id:         ca-2.2_obj.1.f
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-2(2)[1][f]
-                          prose:      other forms of organization-defined specialized security assessment;
-                    - 
-                      id:         ca-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(2)[2]
-                      prose: 
-                        """
-                          defines the frequency for conducting the selected form(s) of specialized
-                                               security assessment;
-                        """
-                    - 
-                      id:         ca-2.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(2)[3]
-                      prose: 
-                        """
-                          defines whether the specialized security assessment will be announced or
-                                               unannounced; and
-                        """
-                    - 
-                      id:         ca-2.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-2(2)[4]
-                      prose: 
-                        """
-                          conducts announced or unannounced organization-defined forms of specialized
-                                               security assessments with the organization-defined frequency as part of
-                                               security control assessments.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting security control assessment
-            - 
-              id:         ca-2.3
-              class:      SP800-53-enhancement
-              title:      External Organizations
-              parameters: 
-                - 
-                  id:          ca-2.3_prm_1
-                  label:       organization-defined information system
-                  constraints: 
-                    - 
-                      detail: any FedRAMP Accredited 3PAO
-                - 
-                  id:          ca-2.3_prm_2
-                  label:       organization-defined external organization
-                  constraints: 
-                    - 
-                      detail: any FedRAMP Accredited 3PAO
-                - 
-                  id:          ca-2.3_prm_3
-                  label:       organization-defined requirements
-                  constraints: 
-                    - 
-                      detail: the conditions of the JAB/AO in the FedRAMP Repository
-              properties: 
-                - 
-                  name:  label
-                  value: CA-2(3)
-                - 
-                  name:  sort-id
-                  value: ca-02.03
-              parts: 
-                - 
-                  id:    ca-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization accepts the results of an assessment of {{ ca-2.3_prm_1 }} performed by {{ ca-2.3_prm_2 }} when
-                                        the assessment meets {{ ca-2.3_prm_3 }}.
-                    """
-                - 
-                  id:    ca-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may often rely on assessments of specific information systems by
-                                        other (external) organizations. Utilizing such existing assessments (i.e., reusing
-                                        existing assessment evidence) can significantly decrease the time and resources
-                                        required for organizational assessments by limiting the amount of independent
-                                        assessment activities that organizations need to perform. The factors that
-                                        organizations may consider in determining whether to accept assessment results
-                                        from external organizations can vary. Determinations for accepting assessment
-                                        results can be based on, for example, past assessment experiences one organization
-                                        has had with another organization, the reputation that organizations have with
-                                        regard to assessments, the level of detail of supporting assessment documentation
-                                        provided, or mandates imposed upon organizations by federal legislation, policies,
-                                        or directives.
-                    """
-                - 
-                  id:    ca-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(3)[1]
-                      prose: 
-                        """
-                          defines an information system for which the results of a security assessment
-                                               performed by an external organization are to be accepted;
-                        """
-                    - 
-                      id:         ca-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(3)[2]
-                      prose: 
-                        """
-                          defines an external organization from which to accept a security assessment
-                                               performed on an organization-defined information system;
-                        """
-                    - 
-                      id:         ca-2.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-2(3)[3]
-                      prose: 
-                        """
-                          defines the requirements to be met by a security assessment performed by
-                                               organization-defined external organization on organization-defined information
-                                               system; and
-                        """
-                    - 
-                      id:         ca-2.3_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-2(3)[4]
-                      prose: 
-                        """
-                          accepts the results of an assessment of an organization-defined information
-                                               system performed by an organization-defined external organization when the
-                                               assessment meets organization-defined requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity plan\n\nsecurity assessment requirements\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel performing security assessments for the specified external
-                                               organization
-                        """
-        - 
-          id:         ca-3
-          class:      SP800-53
-          title:      System Interconnections
-          parameters: 
-            - 
-              id:          ca-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually and on input from FedRAMP
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-3
-            - 
-              name:  sort-id
-              value: ca-03
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #2711f068-734e-4afd-94ba-0b22247fbc88
-              rel:  reference
-              text: NIST Special Publication 800-47
-          parts: 
-            - 
-              id:    ca-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Authorizes connections from the information system to other information systems
-                                        through the use of Interconnection Security Agreements;
-                    """
-                - 
-                  id:         ca-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents, for each interconnection, the interface characteristics, security
-                                        requirements, and the nature of the information communicated; and
-                    """
-                - 
-                  id:         ca-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates Interconnection Security Agreements {{ ca-3_prm_1 }}.
-            - 
-              id:    ca-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to dedicated connections between information systems (i.e.,
-                                 system interconnections) and does not apply to transitory, user-controlled
-                                 connections such as email and website browsing. Organizations carefully consider the
-                                 risks that may be introduced when information systems are connected to other systems
-                                 with different security requirements and security controls, both within organizations
-                                 and external to organizations. Authorizing officials determine the risk associated
-                                 with information system connections and the appropriate controls employed. If
-                                 interconnecting systems have the same authorizing official, organizations do not need
-                                 to develop Interconnection Security Agreements. Instead, organizations can describe
-                                 the interface characteristics between those interconnecting systems in their
-                                 respective security plans. If interconnecting systems have different authorizing
-                                 officials within the same organization, organizations can either develop
-                                 Interconnection Security Agreements or describe the interface characteristics between
-                                 systems in the security plans for the respective systems. Organizations may also
-                                 incorporate Interconnection Security Agreement information into formal contracts,
-                                 especially for interconnections established between federal agencies and nonfederal
-                                 (i.e., private sector) organizations. Risk considerations also include information
-                                 systems sharing the same networks. For certain technologies (e.g., space, unmanned
-                                 aerial vehicles, and medical devices), there may be specialized connections in place
-                                 during preoperational testing. Such connections may require Interconnection Security
-                                 Agreements and be subject to additional security controls.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #au-16
-                  rel:  related
-                  text: AU-16
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CA-3(a)
-                  prose: 
-                    """
-                      authorizes connections from the information system to other information systems
-                                        through the use of Interconnection Security Agreements;
-                    """
-                - 
-                  id:         ca-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-3(b)
-                  prose:      documents, for each interconnection:
-                  parts: 
-                    - 
-                      id:         ca-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[1]
-                      prose:      the interface characteristics;
-                    - 
-                      id:         ca-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[2]
-                      prose:      the security requirements;
-                    - 
-                      id:         ca-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-3(b)[3]
-                      prose:      the nature of the information communicated;
-                - 
-                  id:         ca-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-3(c)
-                  parts: 
-                    - 
-                      id:         ca-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-3(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update Interconnection Security Agreements;
-                                               and
-                        """
-                    - 
-                      id:         ca-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-3(c)[2]
-                      prose: 
-                        """
-                          reviews and updates Interconnection Security Agreements with the
-                                               organization-defined frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for developing, implementing, or
-                                        approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement
-                                        applies
-                    """
-          controls: 
-            - 
-              id:         ca-3.3
-              class:      SP800-53-enhancement
-              title:      Unclassified Non-national Security System Connections
-              parameters: 
-                - 
-                  id:    ca-3.3_prm_1
-                  label: organization-defined unclassified, non-national security system
-                - 
-                  id:          ca-3.3_prm_2
-                  label:       Assignment; organization-defined boundary protection device
-                  constraints: 
-                    - 
-                      detail: Boundary Protections which meet the Trusted Internet Connection (TIC) requirements
-              properties: 
-                - 
-                  name:  label
-                  value: CA-3(3)
-                - 
-                  name:  sort-id
-                  value: ca-03.03
-              parts: 
-                - 
-                  id:    ca-3.3_smt
-                  name:  statement
-                  prose: The organization prohibits the direct connection of an {{ ca-3.3_prm_1 }} to an external network without the use of {{ ca-3.3_prm_2 }}.
-                  parts: 
-                    - 
-                      id:    ca-3.3_fr
-                      name:  item
-                      title: CA-3 (3) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-3.3_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.
-                - 
-                  id:    ca-3.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations typically do not have control over external networks (e.g., the
-                                        Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate
-                                        communications (i.e., information flows) between unclassified non-national
-                                        security systems and external networks. This control enhancement is required for
-                                        organizations processing, storing, or transmitting Controlled Unclassified
-                                        Information (CUI).
-                    """
-                - 
-                  id:    ca-3.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-3.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-3(3)[1]
-                      prose: 
-                        """
-                          defines an unclassified, non-national security system whose direct connection
-                                               to an external network is to be prohibited without the use of approved boundary
-                                               protection device;
-                        """
-                    - 
-                      id:         ca-3.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-3(3)[2]
-                      prose: 
-                        """
-                          defines a boundary protection device to be used to establish the direct
-                                               connection of an organization-defined unclassified, non-national security
-                                               system to an external network; and
-                        """
-                    - 
-                      id:         ca-3.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-3(3)[3]
-                      prose: 
-                        """
-                          prohibits the direct connection of an organization-defined unclassified,
-                                               non-national security system to an external network without the use of an
-                                               organization-defined boundary protection device.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system interconnection security agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for managing direct connections to
-                                               external networks\n\nnetwork administrators\n\norganizational personnel with information security responsibilities\n\npersonnel managing directly connected external networks
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting the management of external network
-                                               connections
-                        """
-            - 
-              id:         ca-3.5
-              class:      SP800-53-enhancement
-              title:      Restrictions On External System Connections
-              parameters: 
-                - 
-                  id: ca-3.5_prm_1
-                - 
-                  id:    ca-3.5_prm_2
-                  label: organization-defined information systems
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CA-3(5)
-                - 
-                  name:  sort-id
-                  value: ca-03.05
-              parts: 
-                - 
-                  id:    ca-3.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ ca-3.5_prm_1 }} policy for allowing
-                                           {{ ca-3.5_prm_2 }} to connect to external information
-                                        systems.
-                    """
-                  parts: 
-                    - 
-                      id:    ca-3.5_fr
-                      name:  item
-                      title: CA-3 (5) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ca-3.5_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing
-                - 
-                  id:    ca-3.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can constrain information system connectivity to external domains
-                                        (e.g., websites) by employing one of two policies with regard to such
-                                        connectivity: (i) allow-all, deny by exception, also known as blacklisting (the
-                                        weaker of the two policies); or (ii) deny-all, allow by exception, also known as
-                                        whitelisting (the stronger of the two policies). For either policy, organizations
-                                        determine what exceptions, if any, are acceptable.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                - 
-                  id:    ca-3.5_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ca-3.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-3(5)[1]
-                      prose: 
-                        """
-                          defines information systems to be allowed to connect to external information
-                                               systems;
-                        """
-                    - 
-                      id:         ca-3.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-3(5)[2]
-                      prose: 
-                        """
-                          employs one of the following policies for allowing organization-defined
-                                               information systems to connect to external information systems:
-                        """
-                      parts: 
-                        - 
-                          id:         ca-3.5_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-3(5)[2][a]
-                          prose:      allow-all policy;
-                        - 
-                          id:         ca-3.5_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-3(5)[2][b]
-                          prose:      deny-by-exception policy;
-                        - 
-                          id:         ca-3.5_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-3(5)[2][c]
-                          prose:      deny-all policy; or
-                        - 
-                          id:         ca-3.5_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-3(5)[2][d]
-                          prose:      permit-by-exception policy.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system interconnection agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for managing connections to
-                                               external information systems\n\nnetwork administrators\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing restrictions on external system
-                                               connections
-                        """
-        - 
-          id:         ca-5
-          class:      SP800-53
-          title:      Plan of Action and Milestones
-          parameters: 
-            - 
-              id:          ca-5_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-5
-            - 
-              name:  sort-id
-              value: ca-05
-          links: 
-            - 
-              href: #2c5884cd-7b96-425c-862a-99877e1cf909
-              rel:  reference
-              text: OMB Memorandum 02-01
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-          parts: 
-            - 
-              id:    ca-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops a plan of action and milestones for the information system to document
-                                        the organization’s planned remedial actions to correct weaknesses or deficiencies
-                                        noted during the assessment of the security controls and to reduce or eliminate
-                                        known vulnerabilities in the system; and
-                    """
-                - 
-                  id:         ca-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates existing plan of action and milestones {{ ca-5_prm_1 }}
-                                        based on the findings from security controls assessments, security impact
-                                        analyses, and continuous monitoring activities.
-                    """
-                - 
-                  id:    ca-5_fr
-                  name:  item
-                  title: CA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-5_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Plan of Action & Milestones (POA&M) must be provided at least monthly.
-                    - 
-                      id:         ca-5_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Plans of action and milestones are key documents in security authorization packages
-                                 and are subject to federal reporting requirements established by OMB.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #pm-4
-                  rel:  related
-                  text: PM-4
-            - 
-              id:    ca-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CA-5(a)
-                  prose:      develops a plan of action and milestones for the information system to:
-                  parts: 
-                    - 
-                      id:         ca-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(a)[1]
-                      prose: 
-                        """
-                          document the organization’s planned remedial actions to correct weaknesses or
-                                               deficiencies noted during the assessment of the security controls;
-                        """
-                    - 
-                      id:         ca-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-5(a)[2]
-                      prose:      reduce or eliminate known vulnerabilities in the system;
-                - 
-                  id:         ca-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-5(b)
-                  parts: 
-                    - 
-                      id:         ca-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-5(b)[1]
-                      prose:      defines the frequency to update the existing plan of action and milestones;
-                    - 
-                      id:         ca-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-5(b)[2]
-                      prose: 
-                        """
-                          updates the existing plan of action and milestones with the
-                                               organization-defined frequency based on the findings from:
-                        """
-                      parts: 
-                        - 
-                          id:         ca-5.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][a]
-                          prose:      security controls assessments;
-                        - 
-                          id:         ca-5.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][b]
-                          prose:      security impact analyses; and
-                        - 
-                          id:         ca-5.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CA-5(b)[2][c]
-                          prose:      continuous monitoring activities.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with plan of action and milestones development and
-                                        implementation responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms for developing, implementing, and maintaining plan of action
-                                        and milestones
-                    """
-        - 
-          id:         ca-6
-          class:      SP800-53
-          title:      Security Authorization
-          parameters: 
-            - 
-              id:          ca-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three (3) years or when a significant change occurs
-          properties: 
-            - 
-              name:  label
-              value: CA-6
-            - 
-              name:  sort-id
-              value: ca-06
-          links: 
-            - 
-              href: #9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab
-              rel:  reference
-              text: OMB Circular A-130
-            - 
-              href: #bedb15b7-ec5c-4a68-807f-385125751fcd
-              rel:  reference
-              text: OMB Memorandum 11-33
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    ca-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Assigns a senior-level executive or manager as the authorizing official for the
-                                        information system;
-                    """
-                - 
-                  id:         ca-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that the authorizing official authorizes the information system for
-                                        processing before commencing operations; and
-                    """
-                - 
-                  id:         ca-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Updates the security authorization {{ ca-6_prm_1 }}.
-                - 
-                  id:    ca-6_fr
-                  name:  item
-                  title: CA-6(c) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-6_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-            - 
-              id:    ca-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security authorizations are official management decisions, conveyed through
-                                 authorization decision documents, by senior organizational officials or executives
-                                 (i.e., authorizing officials) to authorize operation of information systems and to
-                                 explicitly accept the risk to organizational operations and assets, individuals,
-                                 other organizations, and the Nation based on the implementation of agreed-upon
-                                 security controls. Authorizing officials provide budgetary oversight for
-                                 organizational information systems or assume responsibility for the mission/business
-                                 operations supported by those systems. The security authorization process is an
-                                 inherently federal responsibility and therefore, authorizing officials must be
-                                 federal employees. Through the security authorization process, authorizing officials
-                                 assume responsibility and are accountable for security risks associated with the
-                                 operation and use of organizational information systems. Accordingly, authorizing
-                                 officials are in positions with levels of authority commensurate with understanding
-                                 and accepting such information security-related risks. OMB policy requires that
-                                 organizations conduct ongoing authorizations of information systems by implementing
-                                 continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-                                 reauthorization requirements, so separate reauthorization processes are not
-                                 necessary. Through the employment of comprehensive continuous monitoring processes,
-                                 critical information contained in authorization packages (i.e., security plans,
-                                 security assessment reports, and plans of action and milestones) is updated on an
-                                 ongoing basis, providing authorizing officials and information system owners with an
-                                 up-to-date status of the security state of organizational information systems and
-                                 environments of operation. To reduce the administrative cost of security
-                                 reauthorization, authorizing officials use the results of continuous monitoring
-                                 processes to the maximum extent possible as the basis for rendering reauthorization
-                                 decisions.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #pm-10
-                  rel:  related
-                  text: PM-10
-            - 
-              id:    ca-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-6(a)
-                  prose: 
-                    """
-                      assigns a senior-level executive or manager as the authorizing official for the
-                                        information system;
-                    """
-                - 
-                  id:         ca-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CA-6(b)
-                  prose: 
-                    """
-                      ensures that the authorizing official authorizes the information system for
-                                        processing before commencing operations;
-                    """
-                - 
-                  id:         ca-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-6(c)
-                  parts: 
-                    - 
-                      id:         ca-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-6(c)[1]
-                      prose:      defines the frequency to update the security authorization; and
-                    - 
-                      id:         ca-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-6(c)[2]
-                      prose:      updates the security authorization with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms that facilitate security authorizations and updates
-        - 
-          id:         ca-7
-          class:      SP800-53
-          title:      Continuous Monitoring
-          parameters: 
-            - 
-              id:    ca-7_prm_1
-              label: organization-defined metrics
-            - 
-              id:    ca-7_prm_2
-              label: organization-defined frequencies
-            - 
-              id:    ca-7_prm_3
-              label: organization-defined frequencies
-            - 
-              id:          ca-7_prm_4
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: to meet Federal and FedRAMP requirements (See additional guidance)
-            - 
-              id:          ca-7_prm_5
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: to meet Federal and FedRAMP requirements (See additional guidance)
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-7
-            - 
-              name:  sort-id
-              value: ca-07
-          links: 
-            - 
-              href: #bedb15b7-ec5c-4a68-807f-385125751fcd
-              rel:  reference
-              text: OMB Memorandum 11-33
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-            - 
-              href: #8ade2fbe-e468-4ca8-9a40-54d7f23c32bb
-              rel:  reference
-              text: US-CERT Technical Cyber Security Alerts
-            - 
-              href: #2d8b14e9-c8b5-4d3d-8bdc-155078f3281b
-              rel:  reference
-              text: DoD Information Assurance Vulnerability Alerts
-          parts: 
-            - 
-              id:    ca-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops a continuous monitoring strategy and implements a
-                                 continuous monitoring program that includes:
-                """
-              parts: 
-                - 
-                  id:         ca-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Establishment of {{ ca-7_prm_1 }} to be monitored;
-                - 
-                  id:         ca-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Establishment of {{ ca-7_prm_2 }} for monitoring and {{ ca-7_prm_3 }} for assessments supporting such monitoring;
-                - 
-                  id:         ca-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ongoing security control assessments in accordance with the organizational
-                                        continuous monitoring strategy;
-                    """
-                - 
-                  id:         ca-7_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Ongoing security status monitoring of organization-defined metrics in accordance
-                                        with the organizational continuous monitoring strategy;
-                    """
-                - 
-                  id:         ca-7_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Correlation and analysis of security-related information generated by assessments
-                                        and monitoring;
-                    """
-                - 
-                  id:         ca-7_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Response actions to address results of the analysis of security-related
-                                        information; and
-                    """
-                - 
-                  id:         ca-7_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Reporting the security status of organization and the information system to
-                                           {{ ca-7_prm_4 }}
-                                        {{ ca-7_prm_5 }}.
-                    """
-                - 
-                  id:    ca-7_fr
-                  name:  item
-                  title: CA-7 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-7_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-                    - 
-                      id:         ca-7_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-                    - 
-                      id:         ca-7_fr_gdn.2
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Continuous monitoring programs facilitate ongoing awareness of threats,
-                                 vulnerabilities, and information security to support organizational risk management
-                                 decisions. The terms continuous and ongoing imply that organizations assess/analyze
-                                 security controls and information security-related risks at a frequency sufficient to
-                                 support organizational risk-based decisions. The results of continuous monitoring
-                                 programs generate appropriate risk response actions by organizations. Continuous
-                                 monitoring programs also allow organizations to maintain the security authorizations
-                                 of information systems and common controls over time in highly dynamic environments
-                                 of operation with changing mission/business needs, threats, vulnerabilities, and
-                                 technologies. Having access to security-related information on a continuing basis
-                                 through reports/dashboards gives organizational officials the capability to make more
-                                 effective and timely risk management decisions, including ongoing security
-                                 authorization decisions. Automation supports more frequent updates to security
-                                 authorization packages, hardware/software/firmware inventories, and other system
-                                 information. Effectiveness is further enhanced when continuous monitoring outputs are
-                                 formatted to provide information that is specific, measurable, actionable, relevant,
-                                 and timely. Continuous monitoring activities are scaled in accordance with the
-                                 security categories of information systems.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-5
-                  rel:  related
-                  text: CA-5
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #pm-6
-                  rel:  related
-                  text: PM-6
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ca-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(a)
-                  parts: 
-                    - 
-                      id:         ca-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(a)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines metrics to be
-                                               monitored;
-                        """
-                    - 
-                      id:         ca-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(a)[2]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes monitoring of
-                                               organization-defined metrics;
-                        """
-                    - 
-                      id:         ca-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(a)[3]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes monitoring of
-                                               organization-defined metrics in accordance with the organizational continuous
-                                               monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(b)
-                  parts: 
-                    - 
-                      id:         ca-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines frequencies for
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[2]
-                      prose:      defines frequencies for assessments supporting monitoring;
-                    - 
-                      id:         ca-7.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(b)[3]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes establishment of the
-                                               organization-defined frequencies for monitoring and for assessments supporting
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(b)[4]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes establishment of
-                                               organization-defined frequencies for monitoring and for assessments supporting
-                                               such monitoring in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(c)
-                  parts: 
-                    - 
-                      id:         ca-7.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(c)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes ongoing security
-                                               control assessments;
-                        """
-                    - 
-                      id:         ca-7.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(c)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes ongoing security
-                                               control assessments in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(d)
-                  parts: 
-                    - 
-                      id:         ca-7.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(d)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes ongoing security status
-                                               monitoring of organization-defined metrics;
-                        """
-                    - 
-                      id:         ca-7.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(d)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes ongoing security
-                                               status monitoring of organization-defined metrics in accordance with the
-                                               organizational continuous monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(e)
-                  parts: 
-                    - 
-                      id:         ca-7.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(e)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes correlation and
-                                               analysis of security-related information generated by assessments and
-                                               monitoring;
-                        """
-                    - 
-                      id:         ca-7.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(e)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes correlation and
-                                               analysis of security-related information generated by assessments and
-                                               monitoring in accordance with the organizational continuous monitoring
-                                               strategy;
-                        """
-                - 
-                  id:         ca-7.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(f)
-                  parts: 
-                    - 
-                      id:         ca-7.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(f)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes response actions to
-                                               address results of the analysis of security-related information;
-                        """
-                    - 
-                      id:         ca-7.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(f)[2]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes response actions to
-                                               address results of the analysis of security-related information in accordance
-                                               with the organizational continuous monitoring strategy;
-                        """
-                - 
-                  id:         ca-7.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-7(g)
-                  parts: 
-                    - 
-                      id:         ca-7.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[1]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines the personnel or roles
-                                               to whom the security status of the organization and information system are to
-                                               be reported;
-                        """
-                    - 
-                      id:         ca-7.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[2]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that defines the frequency to report
-                                               the security status of the organization and information system to
-                                               organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         ca-7.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(g)[3]
-                      prose: 
-                        """
-                          develops a continuous monitoring strategy that includes reporting the security
-                                               status of the organization or information system to organizational-defined
-                                               personnel or roles with the organization-defined frequency; and
-                        """
-                    - 
-                      id:         ca-7.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CA-7(g)[4]
-                      prose: 
-                        """
-                          implements a continuous monitoring program that includes reporting the security
-                                               status of the organization and information system to organization-defined
-                                               personnel or roles with the organization-defined frequency in accordance with
-                                               the organizational continuous monitoring strategy.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security
-                                        controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Mechanisms implementing continuous monitoring
-          controls: 
-            - 
-              id:         ca-7.1
-              class:      SP800-53-enhancement
-              title:      Independent Assessment
-              parameters: 
-                - 
-                  id:    ca-7.1_prm_1
-                  label: organization-defined level of independence
-              properties: 
-                - 
-                  name:  label
-                  value: CA-7(1)
-                - 
-                  name:  sort-id
-                  value: ca-07.01
-              parts: 
-                - 
-                  id:    ca-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs assessors or assessment teams with {{ ca-7.1_prm_1 }} to monitor the security controls in the information
-                                        system on an ongoing basis.
-                    """
-                - 
-                  id:    ca-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can maximize the value of assessments of security controls during
-                                        the continuous monitoring process by requiring that such assessments be conducted
-                                        by assessors or assessment teams with appropriate levels of independence based on
-                                        continuous monitoring strategies. Assessor independence provides a degree of
-                                        impartiality to the monitoring process. To achieve such impartiality, assessors
-                                        should not: (i) create a mutual or conflicting interest with the organizations
-                                        where the assessments are being conducted; (ii) assess their own work; (iii) act
-                                        as management or employees of the organizations they are serving; or (iv) place
-                                        themselves in advocacy positions for the organizations acquiring their
-                                        services.
-                    """
-                - 
-                  id:    ca-7.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ca-7.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-7(1)[1]
-                      prose: 
-                        """
-                          defines a level of independence to be employed to monitor the security controls
-                                               in the information system on an ongoing basis; and
-                        """
-                    - 
-                      id:         ca-7.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-7(1)[2]
-                      prose: 
-                        """
-                          employs assessors or assessment teams with the organization-defined level of
-                                               independence to monitor the security controls in the information system on an
-                                               ongoing basis.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security
-                                               controls\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ca-8
-          class:      SP800-53
-          title:      Penetration Testing
-          parameters: 
-            - 
-              id:          ca-8_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:    ca-8_prm_2
-              label: organization-defined information systems or system components
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-8
-            - 
-              name:  sort-id
-              value: ca-08
-          parts: 
-            - 
-              id:    ca-8_smt
-              name:  statement
-              prose: 
-                """
-                  The organization conducts penetration testing {{ ca-8_prm_1 }} on
-                                    {{ ca-8_prm_2 }}.
-                """
-              parts: 
-                - 
-                  id:    ca-8_fr
-                  name:  item
-                  title: CA-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ca-8_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)
-                                            
-                        """
-            - 
-              id:    ca-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Penetration testing is a specialized type of assessment conducted on information
-                                 systems or individual system components to identify vulnerabilities that could be
-                                 exploited by adversaries. Such testing can be used to either validate vulnerabilities
-                                 or determine the degree of resistance organizational information systems have to
-                                 adversaries within a set of specified constraints (e.g., time, resources, and/or
-                                 skills). Penetration testing attempts to duplicate the actions of adversaries in
-                                 carrying out hostile cyber attacks against organizations and provides a more in-depth
-                                 analysis of security-related weaknesses/deficiencies. Organizations can also use the
-                                 results of vulnerability analyses to support penetration testing activities.
-                                 Penetration testing can be conducted on the hardware, software, or firmware
-                                 components of an information system and can exercise both physical and technical
-                                 security controls. A standard method for penetration testing includes, for example:
-                                 (i) pretest analysis based on full knowledge of the target system; (ii) pretest
-                                 identification of potential vulnerabilities based on pretest analysis; and (iii)
-                                 testing designed to determine exploitability of identified vulnerabilities. All
-                                 parties agree to the rules of engagement before the commencement of penetration
-                                 testing scenarios. Organizations correlate the penetration testing rules of
-                                 engagement with the tools, techniques, and procedures that are anticipated to be
-                                 employed by adversaries carrying out attacks. Organizational risk assessments guide
-                                 decisions on the level of independence required for personnel conducting penetration
-                                 testing.
-                """
-              links: 
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    ca-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-8_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-8[1]
-                  prose: 
-                    """
-                      defines information systems or system components on which penetration testing is
-                                        to be conducted;
-                    """
-                - 
-                  id:         ca-8_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-8[2]
-                  prose: 
-                    """
-                      defines the frequency to conduct penetration testing on organization-defined
-                                        information systems or system components; and
-                    """
-                - 
-                  id:         ca-8_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CA-8[3]
-                  prose: 
-                    """
-                      conducts penetration testing on organization-defined information systems or system
-                                        components with the organization-defined frequency.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security assessment and authorization policy\n\nprocedures addressing penetration testing\n\nsecurity plan\n\nsecurity assessment plan\n\npenetration test report\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities,
-                                        system/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting penetration testing
-          controls: 
-            - 
-              id:         ca-8.1
-              class:      SP800-53-enhancement
-              title:      Independent Penetration Agent or Team
-              properties: 
-                - 
-                  name:  label
-                  value: CA-8(1)
-                - 
-                  name:  sort-id
-                  value: ca-08.01
-              parts: 
-                - 
-                  id:    ca-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs an independent penetration agent or penetration team to
-                                        perform penetration testing on the information system or system components.
-                    """
-                - 
-                  id:    ca-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Independent penetration agents or teams are individuals or groups who conduct
-                                        impartial penetration testing of organizational information systems. Impartiality
-                                        implies that penetration agents or teams are free from any perceived or actual
-                                        conflicts of interest with regard to the development, operation, or management of
-                                        the information systems that are the targets of the penetration testing.
-                                        Supplemental guidance for CA-2 (1) provides additional information regarding
-                                        independent assessments that can be applied to penetration testing.
-                    """
-                  links: 
-                    - 
-                      href: #ca-2
-                      rel:  related
-                      text: CA-2
-                - 
-                  id:         ca-8.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization employs an independent penetration agent or
-                                        penetration team to perform penetration testing on the information system or
-                                        system components. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security assessment and authorization policy\n\nprocedures addressing penetration testing\n\nsecurity plan\n\nsecurity assessment plan\n\npenetration test report\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ca-9
-          class:      SP800-53
-          title:      Internal System Connections
-          parameters: 
-            - 
-              id:    ca-9_prm_1
-              label: 
-                """
-                  organization-defined information system components or classes of
-                                 components
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CA-9
-            - 
-              name:  sort-id
-              value: ca-09
-          parts: 
-            - 
-              id:    ca-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ca-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Authorizes internal connections of {{ ca-9_prm_1 }} to the
-                                        information system; and
-                    """
-                - 
-                  id:         ca-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents, for each internal connection, the interface characteristics, security
-                                        requirements, and the nature of the information communicated.
-                    """
-            - 
-              id:    ca-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to connections between organizational information systems and
-                                 (separate) constituent system components (i.e., intra-system connections) including,
-                                 for example, system connections with mobile devices, notebook/desktop computers,
-                                 printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-                                 authorizing each individual internal connection, organizations can authorize internal
-                                 connections for a class of components with common characteristics and/or
-                                 configurations, for example, all digital printers, scanners, and copiers with a
-                                 specified processing, storage, and transmission capability or all smart phones with a
-                                 specific baseline configuration.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    ca-9_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ca-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CA-9(a)
-                  parts: 
-                    - 
-                      id:         ca-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CA-9(a)[1]
-                      prose: 
-                        """
-                          defines information system components or classes of components to be authorized
-                                               as internal connections to the information system;
-                        """
-                    - 
-                      id:         ca-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CA-9(a)[2]
-                      prose: 
-                        """
-                          authorizes internal connections of organization-defined information system
-                                               components or classes of components to the information system;
-                        """
-                - 
-                  id:         ca-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CA-9(b)
-                  prose:      documents, for each internal connection:
-                  parts: 
-                    - 
-                      id:         ca-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[1]
-                      prose:      the interface characteristics;
-                    - 
-                      id:         ca-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[2]
-                      prose:      the security requirements; and
-                    - 
-                      id:         ca-9.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CA-9(b)[3]
-                      prose:      the nature of the information communicated.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system
-                                        connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for developing, implementing, or
-                                        authorizing internal system connections\n\norganizational personnel with information security responsibilities
-                    """
-    - 
-      id:       cm
-      class:    family
-      title:    Configuration Management
-      controls: 
-        - 
-          id:         cm-1
-          class:      SP800-53
-          title:      Configuration Management Policy and Procedures
-          parameters: 
-            - 
-              id:    cm-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          cm-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          cm-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-1
-            - 
-              name:  sort-id
-              value: cm-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    cm-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ cm-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         cm-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A configuration management policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         cm-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the configuration management
-                                               policy and associated configuration management controls; and
-                        """
-                - 
-                  id:         cm-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         cm-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Configuration management policy {{ cm-1_prm_2 }}; and
-                    - 
-                      id:         cm-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Configuration management procedures {{ cm-1_prm_3 }}.
-            - 
-              id:    cm-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CM
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    cm-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-1(a)
-                  parts: 
-                    - 
-                      id:         cm-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-1(a)(1)
-                      parts: 
-                        - 
-                          id:         cm-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[1]
-                          prose:      develops and documents a configuration management policy that addresses:
-                          parts: 
-                            - 
-                              id:         cm-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         cm-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         cm-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         cm-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         cm-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         cm-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         cm-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         cm-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the configuration management policy is to
-                                                      be disseminated;
-                            """
-                        - 
-                          id:         cm-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CM-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the configuration management policy to organization-defined
-                                                      personnel or roles;
-                            """
-                    - 
-                      id:         cm-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(a)(2)
-                      parts: 
-                        - 
-                          id:         cm-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      configuration management policy and associated configuration management
-                                                      controls;
-                            """
-                        - 
-                          id:         cm-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         cm-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CM-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         cm-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-1(b)
-                  parts: 
-                    - 
-                      id:         cm-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(b)(1)
-                      parts: 
-                        - 
-                          id:         cm-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current configuration
-                                                      management policy;
-                            """
-                        - 
-                          id:         cm-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current configuration management policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         cm-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-1(b)(2)
-                      parts: 
-                        - 
-                          id:         cm-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current configuration
-                                                      management procedures; and
-                            """
-                        - 
-                          id:         cm-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current configuration management procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-        - 
-          id:         cm-2
-          class:      SP800-53
-          title:      Baseline Configuration
-          properties: 
-            - 
-              name:  label
-              value: CM-2
-            - 
-              name:  sort-id
-              value: cm-02
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops, documents, and maintains under configuration control, a
-                                 current baseline configuration of the information system.
-                """
-            - 
-              id:    cm-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control establishes baseline configurations for information systems and system
-                                 components including communications and connectivity-related aspects of systems.
-                                 Baseline configurations are documented, formally reviewed and agreed-upon sets of
-                                 specifications for information systems or configuration items within those systems.
-                                 Baseline configurations serve as a basis for future builds, releases, and/or changes
-                                 to information systems. Baseline configurations include information about information
-                                 system components (e.g., standard software packages installed on workstations,
-                                 notebook computers, servers, network components, or mobile devices; current version
-                                 numbers and patch information on operating systems and applications; and
-                                 configuration settings/parameters), network topology, and the logical placement of
-                                 those components within the system architecture. Maintaining baseline configurations
-                                 requires creating new baselines as organizational information systems change over
-                                 time. Baseline configurations of information systems reflect the current enterprise
-                                 architecture.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #pm-5
-                  rel:  related
-                  text: PM-5
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-            - 
-              id:    cm-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-2_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CM-2[1]
-                  prose: 
-                    """
-                      develops and documents a current baseline configuration of the information system;
-                                        and
-                    """
-                - 
-                  id:         cm-2_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-2[2]
-                  prose: 
-                    """
-                      maintains, under configuration control, a current baseline configuration of the
-                                        information system.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline
-                                        configuration
-                    """
-          controls: 
-            - 
-              id:         cm-2.1
-              class:      SP800-53-enhancement
-              title:      Reviews and Updates
-              parameters: 
-                - 
-                  id:          cm-2.1_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least annually or when a significant change occurs
-                - 
-                  id:          cm-2.1_prm_2
-                  label:       Assignment organization-defined circumstances
-                  constraints: 
-                    - 
-                      detail: to include when directed by the JAB
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-2(1)
-                - 
-                  name:  sort-id
-                  value: cm-02.01
-              parts: 
-                - 
-                  id:    cm-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization reviews and updates the baseline configuration of the information
-                                        system:
-                    """
-                  parts: 
-                    - 
-                      id:         cm-2.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          
-                                               {{ cm-2.1_prm_1 }};
-                        """
-                    - 
-                      id:         cm-2.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      When required due to {{ cm-2.1_prm_2 }}; and
-                    - 
-                      id:         cm-2.1_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          As an integral part of information system component installations and
-                                               upgrades.
-                        """
-                - 
-                  id:    cm-2.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cm-5
-                      rel:  related
-                      text: CM-5
-                - 
-                  id:    cm-2.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-2.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-2(1)(a)
-                      parts: 
-                        - 
-                          id:         cm-2.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(1)(a)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the baseline configuration of the
-                                                      information system;
-                            """
-                        - 
-                          id:         cm-2.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-2(1)(a)[2]
-                          prose: 
-                            """
-                              reviews and updates the baseline configuration of the information system
-                                                      with the organization-defined frequency;
-                            """
-                      links: 
-                        - 
-                          href: #cm-2.1_smt.a
-                          rel:  corresp
-                          text: CM-2(1)(a)
-                    - 
-                      id:         cm-2.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-2(1)(b)
-                      parts: 
-                        - 
-                          id:         cm-2.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(1)(b)[1]
-                          prose: 
-                            """
-                              defines circumstances that require the baseline configuration of the
-                                                      information system to be reviewed and updated;
-                            """
-                        - 
-                          id:         cm-2.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-2(1)(b)[2]
-                          prose: 
-                            """
-                              reviews and updates the baseline configuration of the information system
-                                                      when required due to organization-defined circumstances; and
-                            """
-                      links: 
-                        - 
-                          href: #cm-2.1_smt.b
-                          rel:  corresp
-                          text: CM-2(1)(b)
-                    - 
-                      id:         cm-2.1.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(1)(c)
-                      prose: 
-                        """
-                          reviews and updates the baseline configuration of the information system as an
-                                               integral part of information system component installations and upgrades.
-                        """
-                      links: 
-                        - 
-                          href: #cm-2.1_smt.c
-                          rel:  corresp
-                          text: CM-2(1)(c)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and
-                                               upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations/upgrades and associated records\n\nchange control records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting review and update of the baseline
-                                               configuration
-                        """
-            - 
-              id:         cm-2.2
-              class:      SP800-53-enhancement
-              title:      Automation Support for Accuracy / Currency
-              properties: 
-                - 
-                  name:  label
-                  value: CM-2(2)
-                - 
-                  name:  sort-id
-                  value: cm-02.02
-              parts: 
-                - 
-                  id:    cm-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to maintain an up-to-date, complete,
-                                        accurate, and readily available baseline configuration of the information
-                                        system.
-                    """
-                - 
-                  id:    cm-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms that help organizations maintain consistent baseline
-                                        configurations for information systems include, for example, hardware and software
-                                        inventory tools, configuration management tools, and network management tools.
-                                        Such tools can be deployed and/or allocated as common controls, at the information
-                                        system level, or at the operating system or component level (e.g., on
-                                        workstations, servers, notebook computers, network components, or mobile devices).
-                                        Tools can be used, for example, to track version numbers on operating system
-                                        applications, types of software installed, and current patch levels. This control
-                                        enhancement can be satisfied by the implementation of CM-8 (2) for organizations
-                                        that choose to combine information system component inventory and baseline
-                                        configuration activities.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    cm-2.2_obj
-                  name:  objective
-                  prose: Determine if the organization employs automated mechanisms to maintain: 
-                  parts: 
-                    - 
-                      id:         cm-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(2)[1]
-                      prose:      an up-to-date baseline configuration of the information system;
-                    - 
-                      id:         cm-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(2)[2]
-                      prose:      a complete baseline configuration of the information system;
-                    - 
-                      id:         cm-2.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(2)[3]
-                      prose:      an accurate baseline configuration of the information system; and
-                    - 
-                      id:         cm-2.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(2)[4]
-                      prose:      a readily available baseline configuration of the information system.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nconfiguration change control records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance
-            - 
-              id:         cm-2.3
-              class:      SP800-53-enhancement
-              title:      Retention of Previous Configurations
-              parameters: 
-                - 
-                  id:    cm-2.3_prm_1
-                  label: 
-                    """
-                      organization-defined previous versions of baseline configurations of the
-                                        information system
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: CM-2(3)
-                - 
-                  name:  sort-id
-                  value: cm-02.03
-              parts: 
-                - 
-                  id:    cm-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization retains {{ cm-2.3_prm_1 }} to support
-                                        rollback.
-                    """
-                - 
-                  id:    cm-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Retaining previous versions of baseline configurations to support rollback may
-                                        include, for example, hardware, software, firmware, configuration files, and
-                                        configuration records.
-                    """
-                - 
-                  id:    cm-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-2(3)[1]
-                      prose: 
-                        """
-                          defines previous versions of baseline configurations of the information system
-                                               to be retained to support rollback; and
-                        """
-                    - 
-                      id:         cm-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-2(3)[2]
-                      prose: 
-                        """
-                          retains organization-defined previous versions of baseline configurations of
-                                               the information system to support rollback.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for managing baseline configurations
-            - 
-              id:         cm-2.7
-              class:      SP800-53-enhancement
-              title:      Configure Systems, Components, or Devices for High-risk Areas
-              parameters: 
-                - 
-                  id:    cm-2.7_prm_1
-                  label: 
-                    """
-                      organization-defined information systems, system components, or
-                                        devices
-                    """
-                - 
-                  id:    cm-2.7_prm_2
-                  label: organization-defined configurations
-                - 
-                  id:    cm-2.7_prm_3
-                  label: organization-defined security safeguards
-              properties: 
-                - 
-                  name:  label
-                  value: CM-2(7)
-                - 
-                  name:  sort-id
-                  value: cm-02.07
-              parts: 
-                - 
-                  id:    cm-2.7_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-2.7_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Issues {{ cm-2.7_prm_1 }} with {{ cm-2.7_prm_2 }}
-                                               to individuals traveling to locations that the organization deems to be of
-                                               significant risk; and
-                        """
-                    - 
-                      id:         cm-2.7_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Applies {{ cm-2.7_prm_3 }} to the devices when the individuals
-                                               return.
-                        """
-                - 
-                  id:    cm-2.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      When it is known that information systems, system components, or devices (e.g.,
-                                        notebook computers, mobile devices) will be located in high-risk areas, additional
-                                        security controls may be implemented to counter the greater threat in such areas
-                                        coupled with the lack of physical security relative to organizational-controlled
-                                        areas. For example, organizational policies and procedures for notebook computers
-                                        used by individuals departing on and returning from travel include, for example,
-                                        determining which locations are of concern, defining required configurations for
-                                        the devices, ensuring that the devices are configured as intended before travel is
-                                        initiated, and applying specific safeguards to the device after travel is
-                                        completed. Specially configured notebook computers include, for example, computers
-                                        with sanitized hard drives, limited applications, and additional hardening (e.g.,
-                                        more stringent configuration settings). Specified safeguards applied to mobile
-                                        devices upon return from travel include, for example, examining the device for
-                                        signs of physical tampering and purging/reimaging the hard disk drive. Protecting
-                                        information residing on mobile devices is covered in the media protection
-                                        family.
-                    """
-                - 
-                  id:    cm-2.7_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-2.7.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-2(7)(a)
-                      parts: 
-                        - 
-                          id:         cm-2.7.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(7)(a)[1]
-                          prose: 
-                            """
-                              defines information systems, system components, or devices to be issued to
-                                                      individuals traveling to locations that the organization deems to be of
-                                                      significant risk;
-                            """
-                        - 
-                          id:         cm-2.7.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(7)(a)[2]
-                          prose: 
-                            """
-                              defines configurations to be employed on organization-defined information
-                                                      systems, system components, or devices issued to individuals traveling to
-                                                      such locations;
-                            """
-                        - 
-                          id:         cm-2.7.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-2(7)(a)[3]
-                          prose: 
-                            """
-                              issues organization-defined information systems, system components, or
-                                                      devices with organization-defined configurations to individuals traveling to
-                                                      locations that the organization deems to be of significant risk;
-                            """
-                      links: 
-                        - 
-                          href: #cm-2.7_smt.a
-                          rel:  corresp
-                          text: CM-2(7)(a)
-                    - 
-                      id:         cm-2.7.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-2(7)(b)
-                      parts: 
-                        - 
-                          id:         cm-2.7.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-2(7)(b)[1]
-                          prose: 
-                            """
-                              defines security safeguards to be applied to the devices when the
-                                                      individuals return; and
-                            """
-                        - 
-                          id:         cm-2.7.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-2(7)(b)[2]
-                          prose: 
-                            """
-                              applies organization-defined safeguards to the devices when the individuals
-                                                      return.
-                            """
-                      links: 
-                        - 
-                          href: #cm-2.7_smt.b
-                          rel:  corresp
-                          text: CM-2(7)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and
-                                               upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations/upgrades and associated records\n\nchange control records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for managing baseline configurations
-        - 
-          id:         cm-3
-          class:      SP800-53
-          title:      Configuration Change Control
-          parameters: 
-            - 
-              id:    cm-3_prm_1
-              label: organization-defined time period
-            - 
-              id:    cm-3_prm_2
-              label: 
-                """
-                  organization-defined configuration change control element (e.g., committee,
-                                 board)
-                """
-            - 
-              id: cm-3_prm_3
-            - 
-              id:         cm-3_prm_4
-              depends-on: cm-3_prm_3
-              label:      organization-defined frequency
-            - 
-              id:         cm-3_prm_5
-              depends-on: cm-3_prm_3
-              label:      organization-defined configuration change conditions
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-3
-            - 
-              name:  sort-id
-              value: cm-03
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines the types of changes to the information system that are
-                                        configuration-controlled;
-                    """
-                - 
-                  id:         cm-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews proposed configuration-controlled changes to the information system and
-                                        approves or disapproves such changes with explicit consideration for security
-                                        impact analyses;
-                    """
-                - 
-                  id:         cm-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Documents configuration change decisions associated with the information
-                                        system;
-                    """
-                - 
-                  id:         cm-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Implements approved configuration-controlled changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Retains records of configuration-controlled changes to the information system for
-                                           {{ cm-3_prm_1 }};
-                    """
-                - 
-                  id:         cm-3_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Audits and reviews activities associated with configuration-controlled changes to
-                                        the information system; and
-                    """
-                - 
-                  id:         cm-3_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Coordinates and provides oversight for configuration change control activities
-                                        through {{ cm-3_prm_2 }} that convenes {{ cm-3_prm_3 }}.
-                    """
-                - 
-                  id:    cm-3_fr
-                  name:  item
-                  title: CM-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-3_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.
-                    - 
-                      id:         cm-3_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e) Guidance:
-                      prose:      In accordance with record retention policies and procedures.
-            - 
-              id:    cm-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Configuration change controls for organizational information systems involve the
-                                 systematic proposal, justification, implementation, testing, review, and disposition
-                                 of changes to the systems, including system upgrades and modifications. Configuration
-                                 change control includes changes to baseline configurations for components and
-                                 configuration items of information systems, changes to configuration settings for
-                                 information technology products (e.g., operating systems, applications, firewalls,
-                                 routers, and mobile devices), unscheduled/unauthorized changes, and changes to
-                                 remediate vulnerabilities. Typical processes for managing configuration changes to
-                                 information systems include, for example, Configuration Control Boards that approve
-                                 proposed changes to systems. For new development information systems or systems
-                                 undergoing major upgrades, organizations consider including representatives from
-                                 development organizations on the Configuration Control Boards. Auditing of changes
-                                 includes activities before and after changes are made to organizational information
-                                 systems and the auditing activities required to implement such changes.
-                """
-              links: 
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-12
-                  rel:  related
-                  text: SI-12
-            - 
-              id:    cm-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-3(a)
-                  prose: 
-                    """
-                      determines the type of changes to the information system that must be
-                                        configuration-controlled;
-                    """
-                - 
-                  id:         cm-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CM-3(b)
-                  prose: 
-                    """
-                      reviews proposed configuration-controlled changes to the information system and
-                                        approves or disapproves such changes with explicit consideration for security
-                                        impact analyses;
-                    """
-                - 
-                  id:         cm-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CM-3(c)
-                  prose: 
-                    """
-                      documents configuration change decisions associated with the information
-                                        system;
-                    """
-                - 
-                  id:         cm-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-3(d)
-                  prose: 
-                    """
-                      implements approved configuration-controlled changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-3(e)
-                  parts: 
-                    - 
-                      id:         cm-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(e)[1]
-                      prose: 
-                        """
-                          defines a time period to retain records of configuration-controlled changes to
-                                               the information system;
-                        """
-                    - 
-                      id:         cm-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(e)[2]
-                      prose: 
-                        """
-                          retains records of configuration-controlled changes to the information system
-                                               for the organization-defined time period;
-                        """
-                - 
-                  id:         cm-3.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-3(f)
-                  prose: 
-                    """
-                      audits and reviews activities associated with configuration-controlled changes to
-                                        the information system;
-                    """
-                - 
-                  id:         cm-3.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-3(g)
-                  parts: 
-                    - 
-                      id:         cm-3.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(g)[1]
-                      prose: 
-                        """
-                          defines a configuration change control element (e.g., committee, board)
-                                               responsible for coordinating and providing oversight for configuration change
-                                               control activities;
-                        """
-                    - 
-                      id:         cm-3.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(g)[2]
-                      prose: 
-                        """
-                          defines the frequency with which the configuration change control element must
-                                               convene; and/or
-                        """
-                    - 
-                      id:         cm-3.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-3(g)[3]
-                      prose: 
-                        """
-                          defines configuration change conditions that prompt the configuration change
-                                               control element to convene; and
-                        """
-                    - 
-                      id:         cm-3.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-3(g)[4]
-                      prose: 
-                        """
-                          coordinates and provides oversight for configuration change control activities
-                                               through organization-defined configuration change control element that convenes
-                                               at organization-defined frequency and/or for any organization-defined
-                                               configuration change conditions.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\nsecurity plan\n\nchange control records\n\ninformation system audit records\n\nchange control audit and review reports\n\nagenda /minutes from configuration change control oversight meetings\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for configuration change control\n\nautomated mechanisms that implement configuration change control
-        - 
-          id:         cm-4
-          class:      SP800-53
-          title:      Security Impact Analysis
-          properties: 
-            - 
-              name:  label
-              value: CM-4
-            - 
-              name:  sort-id
-              value: cm-04
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization analyzes changes to the information system to determine potential
-                                 security impacts prior to change implementation.
-                """
-            - 
-              id:    cm-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational personnel with information security responsibilities (e.g.,
-                                 Information System Administrators, Information System Security Officers, Information
-                                 System Security Managers, and Information System Security Engineers) conduct security
-                                 impact analyses. Individuals conducting security impact analyses possess the
-                                 necessary skills/technical expertise to analyze the changes to information systems
-                                 and the associated security ramifications. Security impact analysis may include, for
-                                 example, reviewing security plans to understand security control requirements and
-                                 reviewing system design documentation to understand control implementation and how
-                                 specific changes might affect the controls. Security impact analyses may also include
-                                 assessments of risk to better understand the impact of the changes and to determine
-                                 if additional security controls are required. Security impact analyses are scaled in
-                                 accordance with the security categories of the information systems.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    cm-4_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization analyzes changes to the information system to determine
-                                 potential security impacts prior to change implementation.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information
-                                        system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for conducting security impact
-                                        analysis\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security impact analysis
-        - 
-          id:         cm-5
-          class:      SP800-53
-          title:      Access Restrictions for Change
-          properties: 
-            - 
-              name:  label
-              value: CM-5
-            - 
-              name:  sort-id
-              value: cm-05
-          parts: 
-            - 
-              id:    cm-5_smt
-              name:  statement
-              prose: 
-                """
-                  The organization defines, documents, approves, and enforces physical and logical
-                                 access restrictions associated with changes to the information system.
-                """
-            - 
-              id:    cm-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Any changes to the hardware, software, and/or firmware components of information
-                                 systems can potentially have significant effects on the overall security of the
-                                 systems. Therefore, organizations permit only qualified and authorized individuals to
-                                 access information systems for purposes of initiating changes, including upgrades and
-                                 modifications. Organizations maintain records of access to ensure that configuration
-                                 change control is implemented and to support after-the-fact actions should
-                                 organizations discover any unauthorized changes. Access restrictions for change also
-                                 include software libraries. Access restrictions include, for example, physical and
-                                 logical access controls (see AC-3 and PE-3), workflow automation, media libraries,
-                                 abstract layers (e.g., changes implemented into third-party interfaces rather than
-                                 directly into information systems), and change windows (e.g., changes occur only
-                                 during specified times, making unauthorized changes easy to discover).
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-            - 
-              id:    cm-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[1]
-                  prose: 
-                    """
-                      defines physical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[2]
-                  prose: 
-                    """
-                      documents physical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[3]
-                  prose: 
-                    """
-                      approves physical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[4]
-                  prose: 
-                    """
-                      enforces physical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[5]
-                  prose: 
-                    """
-                      defines logical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-5[6]
-                  prose: 
-                    """
-                      documents logical access restrictions associated with changes to the information
-                                        system;
-                    """
-                - 
-                  id:         cm-5_obj.7
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-5[7]
-                  prose: 
-                    """
-                      approves logical access restrictions associated with changes to the information
-                                        system; and
-                    """
-                - 
-                  id:         cm-5_obj.8
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-5[8]
-                  prose: 
-                    """
-                      enforces logical access restrictions associated with changes to the information
-                                        system.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                        system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting/implementing/enforcing access restrictions
-                                        associated with changes to the information system
-                    """
-          controls: 
-            - 
-              id:         cm-5.1
-              class:      SP800-53-enhancement
-              title:      Automated Access Enforcement / Auditing
-              properties: 
-                - 
-                  name:  label
-                  value: CM-5(1)
-                - 
-                  name:  sort-id
-                  value: cm-05.01
-              parts: 
-                - 
-                  id:    cm-5.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system enforces access restrictions and supports auditing of the
-                                        enforcement actions.
-                    """
-                - 
-                  id:    cm-5.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #au-12
-                      rel:  related
-                      text: AU-12
-                    - 
-                      href: #au-6
-                      rel:  related
-                      text: AU-6
-                    - 
-                      href: #cm-3
-                      rel:  related
-                      text: CM-3
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                - 
-                  id:    cm-5.1_obj
-                  name:  objective
-                  prose: Determine if the information system:
-                  parts: 
-                    - 
-                      id:         cm-5.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(1)[1]
-                      prose:      enforces access restrictions for change; and
-                    - 
-                      id:         cm-5.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(1)[2]
-                      prose:      supports auditing of the enforcement actions.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                               system\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing enforcement of access restrictions for
-                                               changes to the information system\n\nautomated mechanisms supporting auditing of enforcement actions
-                        """
-            - 
-              id:         cm-5.3
-              class:      SP800-53-enhancement
-              title:      Signed Components
-              parameters: 
-                - 
-                  id:    cm-5.3_prm_1
-                  label: organization-defined software and firmware components
-              properties: 
-                - 
-                  name:  label
-                  value: CM-5(3)
-                - 
-                  name:  sort-id
-                  value: cm-05.03
-              parts: 
-                - 
-                  id:    cm-5.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system prevents the installation of {{ cm-5.3_prm_1 }} without verification that the component has been
-                                        digitally signed using a certificate that is recognized and approved by the
-                                        organization.
-                    """
-                  parts: 
-                    - 
-                      id:    cm-5.3_fr
-                      name:  item
-                      title: CM-5 (3) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         cm-5.3_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
-                - 
-                  id:    cm-5.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Software and firmware components prevented from installation unless signed with
-                                        recognized and approved certificates include, for example, software and firmware
-                                        version updates, patches, service packs, device drivers, and basic input output
-                                        system (BIOS) updates. Organizations can identify applicable software and firmware
-                                        components by type, by specific items, or a combination of both. Digital
-                                        signatures and organizational verification of such signatures, is a method of code
-                                        authentication.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:    cm-5.3_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         cm-5.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-5(3)[1]
-                      prose: 
-                        """
-                          the organization defines software and firmware components that the information
-                                               system will prevent from being installed without verification that such
-                                               components have been digitally signed using a certificate that is recognized
-                                               and approved by the organization; and
-                        """
-                    - 
-                      id:         cm-5.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(3)[2]
-                      prose: 
-                        """
-                          the information system prevents the installation of organization-defined
-                                               software and firmware components without verification that such components have
-                                               been digitally signed using a certificate that is recognized and approved by
-                                               the organization.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                               system\n\nconfiguration management plan\n\nsecurity plan\n\nlist of software and firmware components to be prohibited from installation
-                                               without a recognized and approved certificate\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing access restrictions to change\n\nautomated mechanisms preventing installation of software and firmware
-                                               components not signed with an organization-recognized and approved
-                                               certificate
-                        """
-            - 
-              id:         cm-5.5
-              class:      SP800-53-enhancement
-              title:      Limit Production / Operational Privileges
-              parameters: 
-                - 
-                  id:          cm-5.5_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least quarterly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-5(5)
-                - 
-                  name:  sort-id
-                  value: cm-05.05
-              parts: 
-                - 
-                  id:    cm-5.5_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-5.5_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Limits privileges to change information system components and system-related
-                                               information within a production or operational environment; and
-                        """
-                    - 
-                      id:         cm-5.5_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Reviews and reevaluates privileges {{ cm-5.5_prm_1 }}.
-                - 
-                  id:    cm-5.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      In many organizations, information systems support multiple core missions/business
-                                        functions. Limiting privileges to change information system components with
-                                        respect to operational systems is necessary because changes to a particular
-                                        information system component may have far-reaching effects on mission/business
-                                        processes supported by the system where the component resides. The complex,
-                                        many-to-many relationships between systems and mission/business processes are in
-                                        some cases, unknown to developers.
-                    """
-                  links: 
-                    - 
-                      href: #ac-2
-                      rel:  related
-                      text: AC-2
-                - 
-                  id:    cm-5.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-5.5.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-5(5)(a)
-                      prose: 
-                        """
-                          limits privileges to change information system components and system-related
-                                               information within a production or operational environment;
-                        """
-                      links: 
-                        - 
-                          href: #cm-5.5_smt.a
-                          rel:  corresp
-                          text: CM-5(5)(a)
-                    - 
-                      id:         cm-5.5.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-5(5)(b)
-                      parts: 
-                        - 
-                          id:         cm-5.5.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-5(5)(b)[1]
-                          prose:      defines the frequency to review and reevaluate privileges; and
-                        - 
-                          id:         cm-5.5.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-5(5)(b)[2]
-                          prose: 
-                            """
-                              reviews and reevaluates privileges with the organization-defined
-                                                      frequency.
-                            """
-                      links: 
-                        - 
-                          href: #cm-5.5_smt.b
-                          rel:  corresp
-                          text: CM-5(5)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing access restrictions for changes to the information
-                                               system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting and/or implementing access restrictions for
-                                               change
-                        """
-        - 
-          id:         cm-6
-          class:      SP800-53
-          title:      Configuration Settings
-          parameters: 
-            - 
-              id:       cm-6_prm_1
-              label:    organization-defined security configuration checklists
-              guidance: 
-                - 
-                  prose: See CM-6(a) Additional FedRAMP Requirements and Guidance
-            - 
-              id:    cm-6_prm_2
-              label: organization-defined information system components
-            - 
-              id:    cm-6_prm_3
-              label: organization-defined operational requirements
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-6
-            - 
-              name:  sort-id
-              value: cm-06
-          links: 
-            - 
-              href: #990268bf-f4a9-4c81-91ae-dc7d3115f4b1
-              rel:  reference
-              text: OMB Memorandum 07-11
-            - 
-              href: #0b3d8ba9-051f-498d-81ea-97f0f018c612
-              rel:  reference
-              text: OMB Memorandum 07-18
-            - 
-              href: #0916ef02-3618-411b-a525-565c088849a6
-              rel:  reference
-              text: OMB Memorandum 08-22
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-            - 
-              href: #e95dd121-2733-413e-bf1e-f1eb49f20a98
-              rel:  reference
-              text: http://checklists.nist.gov
-            - 
-              href: #647b6de3-81d0-4d22-bec1-5f1333e34380
-              rel:  reference
-              text: http://www.nsa.gov
-          parts: 
-            - 
-              id:    cm-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and documents configuration settings for information technology
-                                        products employed within the information system using {{ cm-6_prm_1 }} that reflect the most restrictive mode consistent with
-                                        operational requirements;
-                    """
-                - 
-                  id:         cm-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Implements the configuration settings;
-                - 
-                  id:         cm-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Identifies, documents, and approves any deviations from established configuration
-                                        settings for {{ cm-6_prm_2 }} based on {{ cm-6_prm_3 }}; and
-                    """
-                - 
-                  id:         cm-6_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Monitors and controls changes to the configuration settings in accordance with
-                                        organizational policies and procedures.
-                    """
-                - 
-                  id:    cm-6_fr
-                  name:  item
-                  title: CM-6(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement 1:
-                      prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. 
-                    - 
-                      id:         cm-6_fr_smt.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement 2:
-                      prose:      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available).
-                    - 
-                      id:         cm-6_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline).
-            - 
-              id:    cm-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Configuration settings are the set of parameters that can be changed in hardware,
-                                 software, or firmware components of the information system that affect the security
-                                 posture and/or functionality of the system. Information technology products for which
-                                 security-related configuration settings can be defined include, for example,
-                                 mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-                                 proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-                                 copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-                                 and data switches, wireless access points, network appliances, sensors), operating
-                                 systems, middleware, and applications. Security-related parameters are those
-                                 parameters impacting the security state of information systems including the
-                                 parameters required to satisfy other security control requirements. Security-related
-                                 parameters include, for example: (i) registry settings; (ii) account, file, directory
-                                 permission settings; and (iii) settings for functions, ports, protocols, services,
-                                 and remote connections. Organizations establish organization-wide configuration
-                                 settings and subsequently derive specific settings for information systems. The
-                                 established settings become part of the systems configuration baseline. Common secure
-                                 configurations (also referred to as security configuration checklists, lockdown and
-                                 hardening guides, security reference guides, security technical implementation
-                                 guides) provide recognized, standardized, and established benchmarks that stipulate
-                                 secure configuration settings for specific information technology platforms/products
-                                 and instructions for configuring those information system components to meet
-                                 operational requirements. Common secure configurations can be developed by a variety
-                                 of organizations including, for example, information technology product developers,
-                                 manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-                                 organizations in the public and private sectors. Common secure configurations include
-                                 the United States Government Configuration Baseline (USGCB) which affects the
-                                 implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-                                 Content Automation Protocol (SCAP) and the defined standards within the protocol
-                                 (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-                                 identify, track, and control configuration settings. OMB establishes federal policy
-                                 on configuration requirements for federal information systems.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-            - 
-              id:    cm-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(a)
-                  parts: 
-                    - 
-                      id:         cm-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(a)[1]
-                      prose: 
-                        """
-                          defines security configuration checklists to be used to establish and document
-                                               configuration settings for the information technology products employed;
-                        """
-                    - 
-                      id:         cm-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CM-6(a)[2]
-                      prose: 
-                        """
-                          ensures the defined security configuration checklists reflect the most
-                                               restrictive mode consistent with operational requirements;
-                        """
-                    - 
-                      id:         cm-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(a)[3]
-                      prose: 
-                        """
-                          establishes and documents configuration settings for information technology
-                                               products employed within the information system using organization-defined
-                                               security configuration checklists;
-                        """
-                - 
-                  id:         cm-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-6(b)
-                  prose:      implements the configuration settings established/documented in CM-6(a);;
-                - 
-                  id:         cm-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(c)
-                  parts: 
-                    - 
-                      id:         cm-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[1]
-                      prose: 
-                        """
-                          defines information system components for which any deviations from established
-                                               configuration settings must be:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-6.c_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][a]
-                          prose:      identified;
-                        - 
-                          id:         cm-6.c_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][b]
-                          prose:      documented;
-                        - 
-                          id:         cm-6.c_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[1][c]
-                          prose:      approved;
-                    - 
-                      id:         cm-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[2]
-                      prose:      defines operational requirements to support:
-                      parts: 
-                        - 
-                          id:         cm-6.c_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][a]
-                          prose: 
-                            """
-                              the identification of any deviations from established configuration
-                                                      settings;
-                            """
-                        - 
-                          id:         cm-6.c_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][b]
-                          prose: 
-                            """
-                              the documentation of any deviations from established configuration
-                                                      settings;
-                            """
-                        - 
-                          id:         cm-6.c_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(c)[2][c]
-                          prose:      the approval of any deviations from established configuration settings;
-                    - 
-                      id:         cm-6.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(c)[3]
-                      prose: 
-                        """
-                          identifies any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                    - 
-                      id:         cm-6.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(c)[4]
-                      prose: 
-                        """
-                          documents any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                    - 
-                      id:         cm-6.c_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(c)[5]
-                      prose: 
-                        """
-                          approves any deviations from established configuration settings for
-                                               organization-defined information system components based on
-                                               organizational-defined operational requirements;
-                        """
-                - 
-                  id:         cm-6.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-6(d)
-                  parts: 
-                    - 
-                      id:         cm-6.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(d)[1]
-                      prose: 
-                        """
-                          monitors changes to the configuration settings in accordance with
-                                               organizational policies and procedures; and
-                        """
-                    - 
-                      id:         cm-6.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(d)[2]
-                      prose: 
-                        """
-                          controls changes to the configuration settings in accordance with
-                                               organizational policies and procedures.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration
-                                        settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security configuration management
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and/or control information system
-                                        configuration settings\n\nautomated mechanisms that identify and/or document deviations from established
-                                        configuration settings
-                    """
-          controls: 
-            - 
-              id:         cm-6.1
-              class:      SP800-53-enhancement
-              title:      Automated Central Management / Application / Verification
-              parameters: 
-                - 
-                  id:    cm-6.1_prm_1
-                  label: organization-defined information system components
-              properties: 
-                - 
-                  name:  label
-                  value: CM-6(1)
-                - 
-                  name:  sort-id
-                  value: cm-06.01
-              parts: 
-                - 
-                  id:    cm-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to centrally manage, apply, and
-                                        verify configuration settings for {{ cm-6.1_prm_1 }}.
-                    """
-                - 
-                  id:    cm-6.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                    - 
-                      href: #cm-4
-                      rel:  related
-                      text: CM-4
-                - 
-                  id:    cm-6.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-6.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-6(1)[1]
-                      prose: 
-                        """
-                          defines information system components for which automated mechanisms are to be
-                                               employed to:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-6.1_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[1][a]
-                          prose:      centrally manage configuration settings of such components;
-                        - 
-                          id:         cm-6.1_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[1][b]
-                          prose:      apply configuration settings of such components;
-                        - 
-                          id:         cm-6.1_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[1][c]
-                          prose:      verify configuration settings of such components;
-                    - 
-                      id:         cm-6.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-6(1)[2]
-                      prose:      employs automated mechanisms to:
-                      parts: 
-                        - 
-                          id:         cm-6.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[2][a]
-                          prose: 
-                            """
-                              centrally manage configuration settings for organization-defined information
-                                                      system components;
-                            """
-                        - 
-                          id:         cm-6.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[2][b]
-                          prose: 
-                            """
-                              apply configuration settings for organization-defined information system
-                                                      components; and
-                            """
-                        - 
-                          id:         cm-6.1_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-6(1)[2][c]
-                          prose: 
-                            """
-                              verify configuration settings for organization-defined information system
-                                                      components.
-                            """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with security configuration management
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to centrally manage, apply, and verify
-                                               information system configuration settings
-                        """
-        - 
-          id:         cm-7
-          class:      SP800-53
-          title:      Least Functionality
-          parameters: 
-            - 
-              id:          cm-7_prm_1
-              label: 
-                """
-                  organization-defined prohibited or restricted functions, ports, protocols, and/or
-                                 services
-                """
-              constraints: 
-                - 
-                  detail: United States Government Configuration Baseline (USGCB)
-          properties: 
-            - 
-              name:  label
-              value: CM-7
-            - 
-              name:  sort-id
-              value: cm-07
-          links: 
-            - 
-              href: #e42b2099-3e1c-415b-952c-61c96533c12e
-              rel:  reference
-              text: DoD Instruction 8551.01
-          parts: 
-            - 
-              id:    cm-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Configures the information system to provide only essential capabilities; and
-                - 
-                  id:         cm-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Prohibits or restricts the use of the following functions, ports, protocols,
-                                        and/or services: {{ cm-7_prm_1 }}.
-                    """
-                - 
-                  id:    cm-7_fr
-                  name:  item
-                  title: CM-7 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-7_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-                    - 
-                      id:         cm-7_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8).
-            - 
-              id:    cm-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems can provide a wide variety of functions and services. Some of the
-                                 functions and services, provided by default, may not be necessary to support
-                                 essential organizational operations (e.g., key missions, functions). Additionally, it
-                                 is sometimes convenient to provide multiple services from single information system
-                                 components, but doing so increases risk over limiting the services provided by any
-                                 one component. Where feasible, organizations limit component functionality to a
-                                 single function per device (e.g., email servers or web servers, but not both).
-                                 Organizations review functions and services provided by information systems or
-                                 individual components of information systems, to determine which functions and
-                                 services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-                                 Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-                                 or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-                                 Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-                                 prevent unauthorized connection of devices, unauthorized transfer of information, or
-                                 unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-                                 detection and prevention systems, and end-point protections such as firewalls and
-                                 host-based intrusion detection systems to identify and prevent the use of prohibited
-                                 functions, ports, protocols, and services.
-                """
-              links: 
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    cm-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-7(a)
-                  prose:      configures the information system to provide only essential capabilities;
-                - 
-                  id:         cm-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-7(b)
-                  parts: 
-                    - 
-                      id:         cm-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-7(b)[1]
-                      prose:      defines prohibited or restricted:
-                      parts: 
-                        - 
-                          id:         cm-7.b_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][a]
-                          prose:      functions;
-                        - 
-                          id:         cm-7.b_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][b]
-                          prose:      ports;
-                        - 
-                          id:         cm-7.b_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][c]
-                          prose:      protocols; and/or
-                        - 
-                          id:         cm-7.b_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[1][d]
-                          prose:      services;
-                    - 
-                      id:         cm-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-7(b)[2]
-                      prose:      prohibits or restricts the use of organization-defined:
-                      parts: 
-                        - 
-                          id:         cm-7.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][a]
-                          prose:      functions;
-                        - 
-                          id:         cm-7.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][b]
-                          prose:      ports;
-                        - 
-                          id:         cm-7.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][c]
-                          prose:      protocols; and/or
-                        - 
-                          id:         cm-7.b_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(b)[2][d]
-                          prose:      services.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security configuration management
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes prohibiting or restricting functions, ports, protocols,
-                                        and/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports,
-                                        protocols, and/or services
-                    """
-          controls: 
-            - 
-              id:         cm-7.1
-              class:      SP800-53-enhancement
-              title:      Periodic Review
-              parameters: 
-                - 
-                  id:          cm-7.1_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least monthly
-                - 
-                  id:    cm-7.1_prm_2
-                  label: 
-                    """
-                      organization-defined functions, ports, protocols, and services within the
-                                        information system deemed to be unnecessary and/or nonsecure
-                    """
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-7(1)
-                - 
-                  name:  sort-id
-                  value: cm-07.01
-              parts: 
-                - 
-                  id:    cm-7.1_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-7.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Reviews the information system {{ cm-7.1_prm_1 }} to identify
-                                               unnecessary and/or nonsecure functions, ports, protocols, and services; and
-                        """
-                    - 
-                      id:         cm-7.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Disables {{ cm-7.1_prm_2 }}.
-                - 
-                  id:    cm-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The organization can either make a determination of the relative security of the
-                                        function, port, protocol, and/or service or base the security decision on the
-                                        assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are
-                                        examples of less than secure protocols.
-                    """
-                  links: 
-                    - 
-                      href: #ac-18
-                      rel:  related
-                      text: AC-18
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #ia-2
-                      rel:  related
-                      text: IA-2
-                - 
-                  id:    cm-7.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-7.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-7(1)(a)
-                      parts: 
-                        - 
-                          id:         cm-7.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-7(1)(a)[1]
-                          prose: 
-                            """
-                              defines the frequency to review the information system to identify
-                                                      unnecessary and/or nonsecure:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-7.1.a_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[1][a]
-                              prose:      functions;
-                            - 
-                              id:         cm-7.1.a_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[1][b]
-                              prose:      ports;
-                            - 
-                              id:         cm-7.1.a_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[1][c]
-                              prose:      protocols; and/or
-                            - 
-                              id:         cm-7.1.a_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[1][d]
-                              prose:      services;
-                        - 
-                          id:         cm-7.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-7(1)(a)[2]
-                          prose: 
-                            """
-                              reviews the information system with the organization-defined frequency to
-                                                      identify unnecessary and/or nonsecure:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-7.1.a_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[2][a]
-                              prose:      functions;
-                            - 
-                              id:         cm-7.1.a_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[2][b]
-                              prose:      ports;
-                            - 
-                              id:         cm-7.1.a_obj.2.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[2][c]
-                              prose:      protocols; and/or
-                            - 
-                              id:         cm-7.1.a_obj.2.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(a)[2][d]
-                              prose:      services;
-                      links: 
-                        - 
-                          href: #cm-7.1_smt.a
-                          rel:  corresp
-                          text: CM-7(1)(a)
-                    - 
-                      id:         cm-7.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-7(1)(b)
-                      parts: 
-                        - 
-                          id:         cm-7.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-7(1)(b)[1]
-                          prose:      defines, within the information system, unnecessary and/or nonsecure:
-                          parts: 
-                            - 
-                              id:         cm-7.1.b_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[1][a]
-                              prose:      functions;
-                            - 
-                              id:         cm-7.1.b_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[1][b]
-                              prose:      ports;
-                            - 
-                              id:         cm-7.1.b_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[1][c]
-                              prose:      protocols; and/or
-                            - 
-                              id:         cm-7.1.b_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[1][d]
-                              prose:      services;
-                        - 
-                          id:         cm-7.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-7(1)(b)[2]
-                          prose:      disables organization-defined unnecessary and/or nonsecure:
-                          parts: 
-                            - 
-                              id:         cm-7.1.b_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[2][a]
-                              prose:      functions;
-                            - 
-                              id:         cm-7.1.b_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[2][b]
-                              prose:      ports;
-                            - 
-                              id:         cm-7.1.b_obj.2.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[2][c]
-                              prose:      protocols; and/or
-                            - 
-                              id:         cm-7.1.b_obj.2.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-7(1)(b)[2][d]
-                              prose:      services.
-                      links: 
-                        - 
-                          href: #cm-7.1_smt.b
-                          rel:  corresp
-                          text: CM-7(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\ndocumented reviews of functions, ports, protocols, and/or services\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for reviewing functions, ports,
-                                               protocols, and services on the information system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for reviewing/disabling nonsecure functions, ports,
-                                               protocols, and/or services\n\nautomated mechanisms implementing review and disabling of nonsecure functions,
-                                               ports, protocols, and/or services
-                        """
-            - 
-              id:         cm-7.2
-              class:      SP800-53-enhancement
-              title:      Prevent Program Execution
-              parameters: 
-                - 
-                  id: cm-7.2_prm_1
-                - 
-                  id:         cm-7.2_prm_2
-                  depends-on: cm-7.2_prm_1
-                  label: 
-                    """
-                      organization-defined policies regarding software program usage and
-                                        restrictions
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: CM-7(2)
-                - 
-                  name:  sort-id
-                  value: cm-07.02
-              parts: 
-                - 
-                  id:    cm-7.2_smt
-                  name:  statement
-                  prose: The information system prevents program execution in accordance with {{ cm-7.2_prm_1 }}.
-                  parts: 
-                    - 
-                      id:    cm-7.2_fr
-                      name:  item
-                      title: CM-7 (2) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         cm-7.2_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.
-                - 
-                  id:    cm-7.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cm-8
-                      rel:  related
-                      text: CM-8
-                    - 
-                      href: #pm-5
-                      rel:  related
-                      text: PM-5
-                - 
-                  id:    cm-7.2_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         cm-7.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-7(2)[1]
-                      prose: 
-                        """
-                          the organization defines policies regarding software program usage and
-                                               restrictions;
-                        """
-                    - 
-                      id:         cm-7.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-7(2)[2]
-                      prose: 
-                        """
-                          the information system prevents program execution in accordance with one or
-                                               more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         cm-7.2_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(2)[2][a]
-                          prose: 
-                            """
-                              organization-defined policies regarding program usage and restrictions;
-                                                      and/or
-                            """
-                        - 
-                          id:         cm-7.2_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CM-7(2)[2][b]
-                          prose:      rules authorizing the terms and conditions of software program usage.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\nspecifications for preventing software program execution\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes preventing program execution on the information
-                                               system\n\norganizational processes for software program usage and restrictions\n\nautomated mechanisms preventing program execution on the information system\n\nautomated mechanisms supporting and/or implementing software program usage and
-                                               restrictions
-                        """
-            - 
-              id:         cm-7.5
-              class:      SP800-53-enhancement
-              title:      Authorized Software / Whitelisting
-              parameters: 
-                - 
-                  id:    cm-7.5_prm_1
-                  label: 
-                    """
-                      organization-defined software programs authorized to execute on the
-                                        information system
-                    """
-                - 
-                  id:          cm-7.5_prm_2
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least Annually or when there is a change
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-7(5)
-                - 
-                  name:  sort-id
-                  value: cm-07.05
-              parts: 
-                - 
-                  id:    cm-7.5_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-7.5_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Identifies {{ cm-7.5_prm_1 }};
-                    - 
-                      id:         cm-7.5_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Employs a deny-all, permit-by-exception policy to allow the execution of
-                                               authorized software programs on the information system; and
-                        """
-                    - 
-                      id:         cm-7.5_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Reviews and updates the list of authorized software programs {{ cm-7.5_prm_2 }}.
-                - 
-                  id:    cm-7.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The process used to identify software programs that are authorized to execute on
-                                        organizational information systems is commonly referred to as whitelisting. In
-                                        addition to whitelisting, organizations consider verifying the integrity of
-                                        white-listed software programs using, for example, cryptographic checksums,
-                                        digital signatures, or hash functions. Verification of white-listed software can
-                                        occur either prior to execution or at system startup.
-                    """
-                  links: 
-                    - 
-                      href: #cm-2
-                      rel:  related
-                      text: CM-2
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                    - 
-                      href: #cm-8
-                      rel:  related
-                      text: CM-8
-                    - 
-                      href: #pm-5
-                      rel:  related
-                      text: PM-5
-                    - 
-                      href: #sa-10
-                      rel:  related
-                      text: SA-10
-                    - 
-                      href: #sc-34
-                      rel:  related
-                      text: SC-34
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:    cm-7.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-7.5.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-7(5)(a)
-                      prose: 
-                        """
-                          Identifies/defines software programs authorized to execute on the information
-                                               system;
-                        """
-                      links: 
-                        - 
-                          href: #cm-7.5_smt.a
-                          rel:  corresp
-                          text: CM-7(5)(a)
-                    - 
-                      id:         cm-7.5.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-7(5)(b)
-                      prose: 
-                        """
-                          employs a deny-all, permit-by-exception policy to allow the execution of
-                                               authorized software programs on the information system;
-                        """
-                      links: 
-                        - 
-                          href: #cm-7.5_smt.b
-                          rel:  corresp
-                          text: CM-7(5)(b)
-                    - 
-                      id:         cm-7.5.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-7(5)(c)
-                      parts: 
-                        - 
-                          id:         cm-7.5.c_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-7(5)(c)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the list of authorized software
-                                                      programs on the information system; and
-                            """
-                        - 
-                          id:         cm-7.5.c_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-7(5)(c)[2]
-                          prose: 
-                            """
-                              reviews and updates the list of authorized software programs with the
-                                                      organization-defined frequency.
-                            """
-                      links: 
-                        - 
-                          href: #cm-7.5_smt.c
-                          rel:  corresp
-                          text: CM-7(5)(c)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of software programs authorized to execute on the information system\n\nsecurity configuration checklists\n\nreview and update records associated with list of authorized software
-                                               programs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for identifying software
-                                               authorized to execute on the information system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for identifying, reviewing, and updating programs
-                                               authorized to execute on the information system\n\norganizational process for implementing whitelisting\n\nautomated mechanisms implementing whitelisting
-                        """
-        - 
-          id:         cm-8
-          class:      SP800-53
-          title:      Information System Component Inventory
-          parameters: 
-            - 
-              id:    cm-8_prm_1
-              label: 
-                """
-                  organization-defined information deemed necessary to achieve effective
-                                 information system component accountability
-                """
-            - 
-              id:          cm-8_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-8
-            - 
-              name:  sort-id
-              value: cm-08
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops and documents an inventory of information system components that:
-                  parts: 
-                    - 
-                      id:         cm-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Accurately reflects the current information system;
-                    - 
-                      id:         cm-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Includes all components within the authorization boundary of the information
-                                               system;
-                        """
-                    - 
-                      id:         cm-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Is at the level of granularity deemed necessary for tracking and reporting;
-                                               and
-                        """
-                    - 
-                      id:         cm-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose:      Includes {{ cm-8_prm_1 }}; and
-                - 
-                  id:         cm-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the information system component inventory {{ cm-8_prm_2 }}.
-                - 
-                  id:    cm-8_fr
-                  name:  item
-                  title: CM-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cm-8_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Must be provided at least monthly or when there is a change.
-            - 
-              id:    cm-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations may choose to implement centralized information system component
-                                 inventories that include components from all organizational information systems. In
-                                 such situations, organizations ensure that the resulting inventories include
-                                 system-specific information required for proper component accountability (e.g.,
-                                 information system association, information system owner). Information deemed
-                                 necessary for effective accountability of information system components includes, for
-                                 example, hardware inventory specifications, software license information, software
-                                 version numbers, component owners, and for networked components or devices, machine
-                                 names and network addresses. Inventory specifications include, for example,
-                                 manufacturer, device type, model, serial number, and physical location.
-                """
-              links: 
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pm-5
-                  rel:  related
-                  text: PM-5
-            - 
-              id:    cm-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-8(a)
-                  parts: 
-                    - 
-                      id:         cm-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(1)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that
-                                               accurately reflects the current information system;
-                        """
-                    - 
-                      id:         cm-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(2)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that
-                                               includes all components within the authorization boundary of the information
-                                               system;
-                        """
-                    - 
-                      id:         cm-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(a)(3)
-                      prose: 
-                        """
-                          develops and documents an inventory of information system components that is at
-                                               the level of granularity deemed necessary for tracking and reporting;
-                        """
-                    - 
-                      id:         cm-8.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(a)(4)
-                      parts: 
-                        - 
-                          id:         cm-8.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(a)(4)[1]
-                          prose: 
-                            """
-                              defines the information deemed necessary to achieve effective information
-                                                      system component accountability;
-                            """
-                        - 
-                          id:         cm-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(a)(4)[2]
-                          prose: 
-                            """
-                              develops and documents an inventory of information system components that
-                                                      includes organization-defined information deemed necessary to achieve
-                                                      effective information system component accountability;
-                            """
-                - 
-                  id:         cm-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-8(b)
-                  parts: 
-                    - 
-                      id:         cm-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-8(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update the information system component
-                                               inventory; and
-                        """
-                    - 
-                      id:         cm-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-8(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the information system component inventory with the
-                                               organization-defined frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system component
-                                        inventory\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for developing and documenting an inventory of
-                                        information system components\n\nautomated mechanisms supporting and/or implementing the information system
-                                        component inventory
-                    """
-          controls: 
-            - 
-              id:         cm-8.1
-              class:      SP800-53-enhancement
-              title:      Updates During Installations / Removals
-              properties: 
-                - 
-                  name:  label
-                  value: CM-8(1)
-                - 
-                  name:  sort-id
-                  value: cm-08.01
-              parts: 
-                - 
-                  id:    cm-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization updates the inventory of information system components as an
-                                        integral part of component installations, removals, and information system
-                                        updates.
-                    """
-                - 
-                  id:    cm-8.1_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization updates the inventory of information system
-                                        components as an integral part of:
-                    """
-                  parts: 
-                    - 
-                      id:         cm-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-8(1)[1]
-                      prose:      component installations;
-                    - 
-                      id:         cm-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(1)[2]
-                      prose:      component removals; and
-                    - 
-                      id:         cm-8.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(1)[3]
-                      prose:      information system updates.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\ncomponent installation records\n\ncomponent removal records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for updating the information
-                                               system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for updating inventory of information system
-                                               components\n\nautomated mechanisms implementing updating of the information system component
-                                               inventory
-                        """
-            - 
-              id:         cm-8.3
-              class:      SP800-53-enhancement
-              title:      Automated Unauthorized Component Detection
-              parameters: 
-                - 
-                  id:          cm-8.3_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: Continuously, using automated mechanisms with a maximum five-minute delay in detection
-                - 
-                  id: cm-8.3_prm_2
-                - 
-                  id:         cm-8.3_prm_3
-                  depends-on: cm-8.3_prm_2
-                  label:      organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CM-8(3)
-                - 
-                  name:  sort-id
-                  value: cm-08.03
-              parts: 
-                - 
-                  id:    cm-8.3_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cm-8.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Employs automated mechanisms {{ cm-8.3_prm_1 }} to detect the
-                                               presence of unauthorized hardware, software, and firmware components within the
-                                               information system; and
-                        """
-                    - 
-                      id:         cm-8.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Takes the following actions when unauthorized components are detected: {{ cm-8.3_prm_2 }}.
-                - 
-                  id:    cm-8.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement is applied in addition to the monitoring for unauthorized
-                                        remote connections and mobile devices. Monitoring for unauthorized system
-                                        components may be accomplished on an ongoing basis or by the periodic scanning of
-                                        systems for that purpose. Automated mechanisms can be implemented within
-                                        information systems or in other separate devices. Isolation can be achieved, for
-                                        example, by placing unauthorized information system components in separate domains
-                                        or subnets or otherwise quarantining such components. This type of component
-                                        isolation is commonly referred to as sandboxing.
-                    """
-                  links: 
-                    - 
-                      href: #ac-17
-                      rel:  related
-                      text: AC-17
-                    - 
-                      href: #ac-18
-                      rel:  related
-                      text: AC-18
-                    - 
-                      href: #ac-19
-                      rel:  related
-                      text: AC-19
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    cm-8.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-8.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(3)(a)
-                      parts: 
-                        - 
-                          id:         cm-8.3.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(3)(a)[1]
-                          prose: 
-                            """
-                              defines the frequency to employ automated mechanisms to detect the presence
-                                                      of unauthorized:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-8.3.a_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[1][a]
-                              prose:      hardware components within the information system;
-                            - 
-                              id:         cm-8.3.a_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[1][b]
-                              prose:      software components within the information system;
-                            - 
-                              id:         cm-8.3.a_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[1][c]
-                              prose:      firmware components within the information system;
-                        - 
-                          id:         cm-8.3.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-8(3)(a)[2]
-                          prose: 
-                            """
-                              employs automated mechanisms with the organization-defined frequency to
-                                                      detect the presence of unauthorized:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-8.3.a_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[2][a]
-                              prose:      hardware components within the information system;
-                            - 
-                              id:         cm-8.3.a_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[2][b]
-                              prose:      software components within the information system;
-                            - 
-                              id:         cm-8.3.a_obj.2.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(a)[2][c]
-                              prose:      firmware components within the information system;
-                      links: 
-                        - 
-                          href: #cm-8.3_smt.a
-                          rel:  corresp
-                          text: CM-8(3)(a)
-                    - 
-                      id:         cm-8.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-8(3)(b)
-                      parts: 
-                        - 
-                          id:         cm-8.3.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CM-8(3)(b)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to be notified when unauthorized components are
-                                                      detected;
-                            """
-                        - 
-                          id:         cm-8.3.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: CM-8(3)(b)[2]
-                          prose: 
-                            """
-                              takes one or more of the following actions when unauthorized components are
-                                                      detected:
-                            """
-                          parts: 
-                            - 
-                              id:         cm-8.3.b_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(b)[2][a]
-                              prose:      disables network access by such components;
-                            - 
-                              id:         cm-8.3.b_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(b)[2][b]
-                              prose:      isolates the components; and/or
-                            - 
-                              id:         cm-8.3.b_obj.2.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CM-8(3)(b)[2][c]
-                              prose:      notifies organization-defined personnel or roles.
-                      links: 
-                        - 
-                          href: #cm-8.3_smt.b
-                          rel:  corresp
-                          text: CM-8(3)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nalerts/notifications of unauthorized components within the information
-                                               system\n\ninformation system monitoring records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for managing the automated
-                                               mechanisms implementing unauthorized information system component detection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for detection of unauthorized information system
-                                               components\n\nautomated mechanisms implementing the detection of unauthorized information
-                                               system components
-                        """
-            - 
-              id:         cm-8.5
-              class:      SP800-53-enhancement
-              title:      No Duplicate Accounting of Components
-              properties: 
-                - 
-                  name:  label
-                  value: CM-8(5)
-                - 
-                  name:  sort-id
-                  value: cm-08.05
-              parts: 
-                - 
-                  id:    cm-8.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization verifies that all components within the authorization boundary of
-                                        the information system are not duplicated in other information system component
-                                        inventories.
-                    """
-                - 
-                  id:    cm-8.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement addresses the potential problem of duplicate accounting
-                                        of information system components in large or complex interconnected systems.
-                    """
-                - 
-                  id:         cm-8.5_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization verifies that all components within the
-                                        authorization boundary of the information system are not duplicated in other
-                                        information system inventories. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system inventory responsibilities\n\norganizational personnel with responsibilities for defining information system
-                                               components within the authorization boundary of the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for maintaining the inventory of information system
-                                               components\n\nautomated mechanisms implementing the information system component
-                                               inventory
-                        """
-        - 
-          id:         cm-9
-          class:      SP800-53
-          title:      Configuration Management Plan
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CM-9
-            - 
-              name:  sort-id
-              value: cm-09
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    cm-9_smt
-              name:  statement
-              prose: 
-                """
-                  The organization develops, documents, and implements a configuration management plan
-                                 for the information system that:
-                """
-              parts: 
-                - 
-                  id:         cm-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Addresses roles, responsibilities, and configuration management processes and
-                                        procedures;
-                    """
-                - 
-                  id:         cm-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Establishes a process for identifying configuration items throughout the system
-                                        development life cycle and for managing the configuration of the configuration
-                                        items;
-                    """
-                - 
-                  id:         cm-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Defines the configuration items for the information system and places the
-                                        configuration items under configuration management; and
-                    """
-                - 
-                  id:         cm-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects the configuration management plan from unauthorized disclosure and
-                                        modification.
-                    """
-            - 
-              id:    cm-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Configuration management plans satisfy the requirements in configuration management
-                                 policies while being tailored to individual information systems. Such plans define
-                                 detailed processes and procedures for how configuration management is used to support
-                                 system development life cycle activities at the information system level.
-                                 Configuration management plans are typically developed during the
-                                 development/acquisition phase of the system development life cycle. The plans
-                                 describe how to move changes through change management processes, how to update
-                                 configuration settings and baselines, how to maintain information system component
-                                 inventories, how to control development, test, and operational environments, and how
-                                 to develop, release, and update key documents. Organizations can employ templates to
-                                 help ensure consistent and timely development and implementation of configuration
-                                 management plans. Such templates can represent a master configuration management plan
-                                 for the organization at large with subsets of the plan implemented on a system by
-                                 system basis. Configuration management approval processes include designation of key
-                                 management stakeholders responsible for reviewing and approving proposed changes to
-                                 information systems, and personnel that conduct security impact analyses prior to the
-                                 implementation of changes to the systems. Configuration items are the information
-                                 system items (hardware, software, firmware, and documentation) to be
-                                 configuration-managed. As information systems continue through the system development
-                                 life cycle, new configuration items may be identified and some existing configuration
-                                 items may no longer need to be under configuration control.
-                """
-              links: 
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-            - 
-              id:    cm-9_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization develops, documents, and implements a configuration
-                                 management plan for the information system that:
-                """
-              parts: 
-                - 
-                  id:         cm-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-9(a)
-                  parts: 
-                    - 
-                      id:         cm-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(a)[1]
-                      prose:      addresses roles;
-                    - 
-                      id:         cm-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(a)[2]
-                      prose:      addresses responsibilities;
-                    - 
-                      id:         cm-9.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(a)[3]
-                      prose:      addresses configuration management processes and procedures;
-                - 
-                  id:         cm-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-9(b)
-                  prose:      establishes a process for:
-                  parts: 
-                    - 
-                      id:         cm-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(b)[1]
-                      prose:      identifying configuration items throughout the SDLC;
-                    - 
-                      id:         cm-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(b)[2]
-                      prose:      managing the configuration of the configuration items;
-                - 
-                  id:         cm-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-9(c)
-                  parts: 
-                    - 
-                      id:         cm-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-9(c)[1]
-                      prose:      defines the configuration items for the information system;
-                    - 
-                      id:         cm-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-9(c)[2]
-                      prose:      places the configuration items under configuration management;
-                - 
-                  id:         cm-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-9(d)
-                  prose:      protects the configuration management plan from unauthorized:
-                  parts: 
-                    - 
-                      id:         cm-9.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(d)[1]
-                      prose:      disclosure; and
-                    - 
-                      id:         cm-9.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CM-9(d)[2]
-                      prose:      modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for developing the configuration
-                                        management plan\n\norganizational personnel with responsibilities for implementing and managing
-                                        processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration
-                                        management plan\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for developing and documenting the configuration
-                                        management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nautomated mechanisms implementing the configuration management plan\n\nautomated mechanisms for managing configuration items\n\nautomated mechanisms for protecting the configuration management plan
-                    """
-        - 
-          id:         cm-10
-          class:      SP800-53
-          title:      Software Usage Restrictions
-          properties: 
-            - 
-              name:  label
-              value: CM-10
-            - 
-              name:  sort-id
-              value: cm-10
-          parts: 
-            - 
-              id:    cm-10_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-10_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Uses software and associated documentation in accordance with contract agreements
-                                        and copyright laws;
-                    """
-                - 
-                  id:         cm-10_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Tracks the use of software and associated documentation protected by quantity
-                                        licenses to control copying and distribution; and
-                    """
-                - 
-                  id:         cm-10_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Controls and documents the use of peer-to-peer file sharing technology to ensure
-                                        that this capability is not used for the unauthorized distribution, display,
-                                        performance, or reproduction of copyrighted work.
-                    """
-            - 
-              id:    cm-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Software license tracking can be accomplished by manual methods (e.g., simple
-                                 spreadsheets) or automated methods (e.g., specialized tracking applications)
-                                 depending on organizational needs.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    cm-10_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-10.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-10(a)
-                  prose: 
-                    """
-                      uses software and associated documentation in accordance with contract agreements
-                                        and copyright laws;
-                    """
-                - 
-                  id:         cm-10.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: CM-10(b)
-                  prose: 
-                    """
-                      tracks the use of software and associated documentation protected by quantity
-                                        licenses to control copying and distribution; and
-                    """
-                - 
-                  id:         cm-10.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CM-10(c)
-                  prose: 
-                    """
-                      controls and documents the use of peer-to-peer file sharing technology to ensure
-                                        that this capability is not used for the unauthorized distribution, display,
-                                        performance, or reproduction of copyrighted work.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\norganizational personnel with software license management responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for tracking the use of software protected by quantity
-                                        licenses\n\norganization process for controlling/documenting the use of peer-to-peer file
-                                        sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files
-                                        sharing technology
-                    """
-          controls: 
-            - 
-              id:         cm-10.1
-              class:      SP800-53-enhancement
-              title:      Open Source Software
-              parameters: 
-                - 
-                  id:    cm-10.1_prm_1
-                  label: organization-defined restrictions
-              properties: 
-                - 
-                  name:  label
-                  value: CM-10(1)
-                - 
-                  name:  sort-id
-                  value: cm-10.01
-              parts: 
-                - 
-                  id:    cm-10.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization establishes the following restrictions on the use of open source
-                                        software: {{ cm-10.1_prm_1 }}.
-                    """
-                - 
-                  id:    cm-10.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Open source software refers to software that is available in source code form.
-                                        Certain software rights normally reserved for copyright holders are routinely
-                                        provided under software license agreements that permit individuals to study,
-                                        change, and improve the software. From a security perspective, the major advantage
-                                        of open source software is that it provides organizations with the ability to
-                                        examine the source code. However, there are also various licensing issues
-                                        associated with open source software including, for example, the constraints on
-                                        derivative use of such software.
-                    """
-                - 
-                  id:    cm-10.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cm-10.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-10(1)[1]
-                      prose:      defines restrictions on the use of open source software; and
-                    - 
-                      id:         cm-10.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-10(1)[2]
-                      prose: 
-                        """
-                          establishes organization-defined restrictions on the use of open source
-                                               software.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Configuration management policy\n\nprocedures addressing restrictions on use of open source software\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for establishing and enforcing
-                                               restrictions on use of open source software\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for restricting the use of open source software\n\nautomated mechanisms implementing restrictions on the use of open source
-                                               software
-                        """
-        - 
-          id:         cm-11
-          class:      SP800-53
-          title:      User-installed Software
-          parameters: 
-            - 
-              id:    cm-11_prm_1
-              label: organization-defined policies
-            - 
-              id:    cm-11_prm_2
-              label: organization-defined methods
-            - 
-              id:          cm-11_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: Continuously (via CM-7 (5))
-          properties: 
-            - 
-              name:  label
-              value: CM-11
-            - 
-              name:  sort-id
-              value: cm-11
-          parts: 
-            - 
-              id:    cm-11_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cm-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes {{ cm-11_prm_1 }} governing the installation of
-                                        software by users;
-                    """
-                - 
-                  id:         cm-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Enforces software installation policies through {{ cm-11_prm_2 }};
-                                        and
-                    """
-                - 
-                  id:         cm-11_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Monitors policy compliance at {{ cm-11_prm_3 }}.
-            - 
-              id:    cm-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  If provided the necessary privileges, users have the ability to install software in
-                                 organizational information systems. To maintain control over the types of software
-                                 installed, organizations identify permitted and prohibited actions regarding software
-                                 installation. Permitted software installations may include, for example, updates and
-                                 security patches to existing software and downloading applications from
-                                 organization-approved “app stores” Prohibited software installations may include, for
-                                 example, software with unknown or suspect pedigrees or software that organizations
-                                 consider potentially malicious. The policies organizations select governing
-                                 user-installed software may be organization-developed or provided by some external
-                                 entity. Policy enforcement methods include procedural methods (e.g., periodic
-                                 examination of user accounts), automated methods (e.g., configuration settings
-                                 implemented on organizational information systems), or both.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    cm-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cm-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(a)
-                  parts: 
-                    - 
-                      id:         cm-11.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(a)[1]
-                      prose:      defines policies to govern the installation of software by users;
-                    - 
-                      id:         cm-11.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(a)[2]
-                      prose: 
-                        """
-                          establishes organization-defined policies governing the installation of
-                                               software by users;
-                        """
-                - 
-                  id:         cm-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(b)
-                  parts: 
-                    - 
-                      id:         cm-11.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(b)[1]
-                      prose:      defines methods to enforce software installation policies;
-                    - 
-                      id:         cm-11.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-11(b)[2]
-                      prose: 
-                        """
-                          enforces software installation policies through organization-defined
-                                               methods;
-                        """
-                - 
-                  id:         cm-11.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CM-11(c)
-                  parts: 
-                    - 
-                      id:         cm-11.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CM-11(c)[1]
-                      prose:      defines frequency to monitor policy compliance; and
-                    - 
-                      id:         cm-11.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CM-11(c)[2]
-                      prose:      monitors policy compliance at organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for governing user-installed
-                                        software\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\norganizational personnel monitoring compliance with user-installed software
-                                        policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes governing user-installed software on the information
-                                        system\n\nautomated mechanisms enforcing rules/methods for governing the installation of
-                                        software by users\n\nautomated mechanisms monitoring policy compliance
-                    """
-    - 
-      id:       cp
-      class:    family
-      title:    Contingency Planning
-      controls: 
-        - 
-          id:         cp-1
-          class:      SP800-53
-          title:      Contingency Planning Policy and Procedures
-          parameters: 
-            - 
-              id:    cp-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          cp-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          cp-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-1
-            - 
-              name:  sort-id
-              value: cp-01
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    cp-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ cp-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         cp-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A contingency planning policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         cp-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the contingency planning policy
-                                               and associated contingency planning controls; and
-                        """
-                - 
-                  id:         cp-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         cp-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Contingency planning policy {{ cp-1_prm_2 }}; and
-                    - 
-                      id:         cp-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Contingency planning procedures {{ cp-1_prm_3 }}.
-            - 
-              id:    cp-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the CP
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    cp-1_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         cp-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-1(a)
-                  parts: 
-                    - 
-                      id:         cp-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(a)(1)
-                      parts: 
-                        - 
-                          id:         cp-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[1]
-                          prose: 
-                            """
-                              the organization develops and documents a contingency planning policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         cp-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         cp-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         cp-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         cp-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         cp-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         cp-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         cp-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: CP-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         cp-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[2]
-                          prose: 
-                            """
-                              the organization defines personnel or roles to whom the contingency planning
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         cp-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-1(a)(1)[3]
-                          prose: 
-                            """
-                              the organization disseminates the contingency planning policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         cp-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(a)(2)
-                      parts: 
-                        - 
-                          id:         cp-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[1]
-                          prose: 
-                            """
-                              the organization develops and documents procedures to facilitate the
-                                                      implementation of the contingency planning policy and associated contingency
-                                                      planning controls;
-                            """
-                        - 
-                          id:         cp-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[2]
-                          prose: 
-                            """
-                              the organization defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         cp-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: CP-1(a)(2)[3]
-                          prose: 
-                            """
-                              the organization disseminates the procedures to organization-defined
-                                                      personnel or roles;
-                            """
-                - 
-                  id:         cp-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-1(b)
-                  parts: 
-                    - 
-                      id:         cp-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(b)(1)
-                      parts: 
-                        - 
-                          id:         cp-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(1)[1]
-                          prose: 
-                            """
-                              the organization defines the frequency to review and update the current
-                                                      contingency planning policy;
-                            """
-                        - 
-                          id:         cp-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(1)[2]
-                          prose: 
-                            """
-                              the organization reviews and updates the current contingency planning with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         cp-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-1(b)(2)
-                      parts: 
-                        - 
-                          id:         cp-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(2)[1]
-                          prose: 
-                            """
-                              the organization defines the frequency to review and update the current
-                                                      contingency planning procedures; and
-                            """
-                        - 
-                          id:         cp-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-1(b)(2)[2]
-                          prose: 
-                            """
-                              the organization reviews and updates the current contingency planning
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         cp-2
-          class:      SP800-53
-          title:      Contingency Plan
-          parameters: 
-            - 
-              id:    cp-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    cp-2_prm_2
-              label: 
-                """
-                  organization-defined key contingency personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-            - 
-              id:          cp-2_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:    cp-2_prm_4
-              label: 
-                """
-                  organization-defined key contingency personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-2
-            - 
-              name:  sort-id
-              value: cp-02
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops a contingency plan for the information system that:
-                  parts: 
-                    - 
-                      id:         cp-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Identifies essential missions and business functions and associated contingency
-                                               requirements;
-                        """
-                    - 
-                      id:         cp-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Provides recovery objectives, restoration priorities, and metrics;
-                    - 
-                      id:         cp-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Addresses contingency roles, responsibilities, assigned individuals with
-                                               contact information;
-                        """
-                    - 
-                      id:         cp-2_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Addresses maintaining essential missions and business functions despite an
-                                               information system disruption, compromise, or failure;
-                        """
-                    - 
-                      id:         cp-2_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose: 
-                        """
-                          Addresses eventual, full information system restoration without deterioration
-                                               of the security safeguards originally planned and implemented; and
-                        """
-                    - 
-                      id:         cp-2_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose:      Is reviewed and approved by {{ cp-2_prm_1 }};
-                - 
-                  id:         cp-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Distributes copies of the contingency plan to {{ cp-2_prm_2 }};
-                - 
-                  id:         cp-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Coordinates contingency planning activities with incident handling activities;
-                - 
-                  id:         cp-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Reviews the contingency plan for the information system {{ cp-2_prm_3 }};
-                - 
-                  id:         cp-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Updates the contingency plan to address changes to the organization, information
-                                        system, or environment of operation and problems encountered during contingency
-                                        plan implementation, execution, or testing;
-                    """
-                - 
-                  id:         cp-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Communicates contingency plan changes to {{ cp-2_prm_4 }}; and
-                - 
-                  id:         cp-2_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Protects the contingency plan from unauthorized disclosure and modification.
-                - 
-                  id:    cp-2_fr
-                  name:  item
-                  title: CP-2 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-2_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2 Requirement:
-                      prose:      For JAB authorizations the contingency lists include designated FedRAMP personnel.
-            - 
-              id:    cp-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Contingency planning for information systems is part of an overall organizational
-                                 program for achieving continuity of operations for mission/business functions.
-                                 Contingency planning addresses both information system restoration and implementation
-                                 of alternative mission/business processes when systems are compromised. The
-                                 effectiveness of contingency planning is maximized by considering such planning
-                                 throughout the phases of the system development life cycle. Performing contingency
-                                 planning on hardware, software, and firmware development can be an effective means of
-                                 achieving information system resiliency. Contingency plans reflect the degree of
-                                 restoration required for organizational information systems since not all systems may
-                                 need to fully recover to achieve the level of continuity of operations desired.
-                                 Information system recovery objectives reflect applicable laws, Executive Orders,
-                                 directives, policies, standards, regulations, and guidelines. In addition to
-                                 information system availability, contingency plans also address other
-                                 security-related events resulting in a reduction in mission and/or business
-                                 effectiveness, such as malicious attacks compromising the confidentiality or
-                                 integrity of information systems. Actions addressed in contingency plans include, for
-                                 example, orderly/graceful degradation, information system shutdown, fallback to a
-                                 manual mode, alternate information flows, and operating in modes reserved for when
-                                 systems are under attack. By closely coordinating contingency planning with incident
-                                 handling activities, organizations can ensure that the necessary contingency planning
-                                 activities are in place and activated in the event of a security incident.
-                """
-              links: 
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pm-8
-                  rel:  related
-                  text: PM-8
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-            - 
-              id:    cp-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cp-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(a)
-                  prose:      develops and documents a contingency plan for the information system that:
-                  parts: 
-                    - 
-                      id:         cp-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(1)
-                      prose: 
-                        """
-                          identifies essential missions and business functions and associated contingency
-                                               requirements;
-                        """
-                    - 
-                      id:         cp-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(2)
-                      parts: 
-                        - 
-                          id:         cp-2.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[1]
-                          prose:      provides recovery objectives;
-                        - 
-                          id:         cp-2.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[2]
-                          prose:      provides restoration priorities;
-                        - 
-                          id:         cp-2.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(2)[3]
-                          prose:      provides metrics;
-                    - 
-                      id:         cp-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(3)
-                      parts: 
-                        - 
-                          id:         cp-2.a.3_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[1]
-                          prose:      addresses contingency roles;
-                        - 
-                          id:         cp-2.a.3_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[2]
-                          prose:      addresses contingency responsibilities;
-                        - 
-                          id:         cp-2.a.3_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: CP-2(a)(3)[3]
-                          prose:      addresses assigned individuals with contact information;
-                    - 
-                      id:         cp-2.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(4)
-                      prose: 
-                        """
-                          addresses maintaining essential missions and business functions despite an
-                                               information system disruption, compromise, or failure;
-                        """
-                    - 
-                      id:         cp-2.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(a)(5)
-                      prose: 
-                        """
-                          addresses eventual, full information system restoration without deterioration
-                                               of the security safeguards originally planned and implemented;
-                        """
-                    - 
-                      id:         cp-2.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(a)(6)
-                      parts: 
-                        - 
-                          id:         cp-2.a.6_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-2(a)(6)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to review and approve the contingency plan for
-                                                      the information system;
-                            """
-                        - 
-                          id:         cp-2.a.6_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-2(a)(6)[2]
-                          prose:      is reviewed and approved by organization-defined personnel or roles;
-                - 
-                  id:         cp-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(b)
-                  parts: 
-                    - 
-                      id:         cp-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(b)[1]
-                      prose: 
-                        """
-                          defines key contingency personnel (identified by name and/or by role) and
-                                               organizational elements to whom copies of the contingency plan are to be
-                                               distributed;
-                        """
-                    - 
-                      id:         cp-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-2(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the contingency plan to organization-defined key
-                                               contingency personnel and organizational elements;
-                        """
-                - 
-                  id:         cp-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: CP-2(c)
-                  prose:      coordinates contingency planning activities with incident handling activities;
-                - 
-                  id:         cp-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(d)
-                  parts: 
-                    - 
-                      id:         cp-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(d)[1]
-                      prose: 
-                        """
-                          defines a frequency to review the contingency plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(d)[2]
-                      prose:      reviews the contingency plan with the organization-defined frequency;
-                - 
-                  id:         cp-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(e)
-                  prose:      updates the contingency plan to address:
-                  parts: 
-                    - 
-                      id:         cp-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(e)[1]
-                      prose: 
-                        """
-                          changes to the organization, information system, or environment of
-                                               operation;
-                        """
-                    - 
-                      id:         cp-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(e)[2]
-                      prose:      problems encountered during plan implementation, execution, and testing;
-                - 
-                  id:         cp-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-2(f)
-                  parts: 
-                    - 
-                      id:         cp-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(f)[1]
-                      prose: 
-                        """
-                          defines key contingency personnel (identified by name and/or by role) and
-                                               organizational elements to whom contingency plan changes are to be
-                                               communicated;
-                        """
-                    - 
-                      id:         cp-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-2(f)[2]
-                      prose: 
-                        """
-                          communicates contingency plan changes to organization-defined key contingency
-                                               personnel and organizational elements; and
-                        """
-                - 
-                  id:         cp-2.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-2(g)
-                  prose:      protects the contingency plan from unauthorized disclosure and modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning and plan implementation
-                                        responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for contingency plan development, review, update, and
-                                        protection\n\nautomated mechanisms for developing, reviewing, updating and/or protecting the
-                                        contingency plan
-                    """
-          controls: 
-            - 
-              id:         cp-2.1
-              class:      SP800-53-enhancement
-              title:      Coordinate with Related Plans
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(1)
-                - 
-                  name:  sort-id
-                  value: cp-02.01
-              parts: 
-                - 
-                  id:    cp-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization coordinates contingency plan development with organizational
-                                        elements responsible for related plans.
-                    """
-                - 
-                  id:    cp-2.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Plans related to contingency plans for organizational information systems include,
-                                        for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                                        Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                                        Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant
-                                        Emergency Plans.
-                    """
-                - 
-                  id:         cp-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization coordinates contingency plan development with
-                                        organizational elements responsible for related plans.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans
-                        """
-            - 
-              id:         cp-2.2
-              class:      SP800-53-enhancement
-              title:      Capacity Planning
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(2)
-                - 
-                  name:  sort-id
-                  value: cp-02.02
-              parts: 
-                - 
-                  id:    cp-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization conducts capacity planning so that necessary capacity for
-                                        information processing, telecommunications, and environmental support exists
-                                        during contingency operations.
-                    """
-                - 
-                  id:    cp-2.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Capacity planning is needed because different types of threats (e.g., natural
-                                        disasters, targeted cyber attacks) can result in a reduction of the available
-                                        processing, telecommunications, and support services originally intended to
-                                        support the organizational missions/business functions. Organizations may need to
-                                        anticipate degraded operations during contingency operations and factor such
-                                        degradation into capacity planning.
-                    """
-                - 
-                  id:    cp-2.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization conducts capacity planning so that necessary
-                                        capacity exists during contingency operations for: 
-                    """
-                  parts: 
-                    - 
-                      id:         cp-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-2(2)[1]
-                      prose:      information processing;
-                    - 
-                      id:         cp-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(2)[2]
-                      prose:      telecommunications; and
-                    - 
-                      id:         cp-2.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-2(2)[3]
-                      prose:      environmental support.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\ncapacity planning documents\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-2.3
-              class:      SP800-53-enhancement
-              title:      Resume Essential Missions / Business Functions
-              parameters: 
-                - 
-                  id:    cp-2.3_prm_1
-                  label: organization-defined time period
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(3)
-                - 
-                  name:  sort-id
-                  value: cp-02.03
-              parts: 
-                - 
-                  id:    cp-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization plans for the resumption of essential missions and business
-                                        functions within {{ cp-2.3_prm_1 }} of contingency plan
-                                        activation.
-                    """
-                - 
-                  id:    cp-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may choose to carry out the contingency planning activities in this
-                                        control enhancement as part of organizational business continuity planning
-                                        including, for example, as part of business impact analyses. The time period for
-                                        resumption of essential missions/business functions may be dependent on the
-                                        severity/extent of disruptions to the information system and its supporting
-                                        infrastructure.
-                    """
-                  links: 
-                    - 
-                      href: #pe-12
-                      rel:  related
-                      text: PE-12
-                - 
-                  id:    cp-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         cp-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-2(3)[1]
-                      prose: 
-                        """
-                          defines the time period to plan for the resumption of essential missions and
-                                               business functions as a result of contingency plan activation; and
-                        """
-                    - 
-                      id:         cp-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-2(3)[2]
-                      prose: 
-                        """
-                          plans for the resumption of essential missions and business functions within
-                                               organization-defined time period of contingency plan activation.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for resumption of missions and business functions
-            - 
-              id:         cp-2.8
-              class:      SP800-53-enhancement
-              title:      Identify Critical Assets
-              properties: 
-                - 
-                  name:  label
-                  value: CP-2(8)
-                - 
-                  name:  sort-id
-                  value: cp-02.08
-              parts: 
-                - 
-                  id:    cp-2.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies critical information system assets supporting
-                                        essential missions and business functions.
-                    """
-                - 
-                  id:    cp-2.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may choose to carry out the contingency planning activities in this
-                                        control enhancement as part of organizational business continuity planning
-                                        including, for example, as part of business impact analyses. Organizations
-                                        identify critical information system assets so that additional safeguards and
-                                        countermeasures can be employed (above and beyond those safeguards and
-                                        countermeasures routinely implemented) to help ensure that organizational
-                                        missions/business functions can continue to be conducted during contingency
-                                        operations. In addition, the identification of critical information assets
-                                        facilitates the prioritization of organizational resources. Critical information
-                                        system assets include technical and operational aspects. Technical aspects
-                                        include, for example, information technology services, information system
-                                        components, information technology products, and mechanisms. Operational aspects
-                                        include, for example, procedures (manually executed operations) and personnel
-                                        (individuals operating technical safeguards and/or executing manual procedures).
-                                        Organizational program protection plans can provide assistance in identifying
-                                        critical assets.
-                    """
-                  links: 
-                    - 
-                      href: #sa-14
-                      rel:  related
-                      text: SA-14
-                    - 
-                      href: #sa-15
-                      rel:  related
-                      text: SA-15
-                - 
-                  id:         cp-2.8_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization identifies critical information system assets
-                                        supporting essential missions and business functions.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         cp-3
-          class:      SP800-53
-          title:      Contingency Training
-          parameters: 
-            - 
-              id:          cp-3_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: ten (10) days
-            - 
-              id:          cp-3_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-3
-            - 
-              name:  sort-id
-              value: cp-03
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    cp-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides contingency training to information system users consistent
-                                 with assigned roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         cp-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Within {{ cp-3_prm_1 }} of assuming a contingency role or
-                                        responsibility;
-                    """
-                - 
-                  id:         cp-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         cp-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ cp-3_prm_2 }} thereafter.
-                    """
-            - 
-              id:    cp-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Contingency training provided by organizations is linked to the assigned roles and
-                                 responsibilities of organizational personnel to ensure that the appropriate content
-                                 and level of detail is included in such training. For example, regular users may only
-                                 need to know when and where to report for duty during contingency operations and if
-                                 normal duties are affected; system administrators may require additional training on
-                                 how to set up information systems at alternate processing and storage sites; and
-                                 managers/senior leaders may receive more specific training on how to conduct
-                                 mission-essential functions in designated off-site locations and how to establish
-                                 communications with other governmental entities for purposes of coordination on
-                                 contingency-related activities. Training for contingency roles/responsibilities
-                                 reflects the specific continuity requirements in the contingency plan.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ir-2
-                  rel:  related
-                  text: IR-2
-            - 
-              id:    cp-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         cp-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(a)
-                  parts: 
-                    - 
-                      id:         cp-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-3(a)[1]
-                      prose: 
-                        """
-                          defines a time period within which contingency training is to be provided to
-                                               information system users assuming a contingency role or responsibility;
-                        """
-                    - 
-                      id:         cp-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-3(a)[2]
-                      prose: 
-                        """
-                          provides contingency training to information system users consistent with
-                                               assigned roles and responsibilities within the organization-defined time period
-                                               of assuming a contingency role or responsibility;
-                        """
-                - 
-                  id:         cp-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-3(b)
-                  prose: 
-                    """
-                      provides contingency training to information system users consistent with assigned
-                                        roles and responsibilities when required by information system changes;
-                    """
-                - 
-                  id:         cp-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-3(c)
-                  parts: 
-                    - 
-                      id:         cp-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-3(c)[1]
-                      prose:      defines the frequency for contingency training thereafter; and
-                    - 
-                      id:         cp-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-3(c)[2]
-                      prose: 
-                        """
-                          provides contingency training to information system users consistent with
-                                               assigned roles and responsibilities with the organization-defined frequency
-                                               thereafter.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning, plan implementation, and
-                                        training responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for contingency training
-        - 
-          id:         cp-4
-          class:      SP800-53
-          title:      Contingency Plan Testing
-          parameters: 
-            - 
-              id:          cp-4_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          cp-4_prm_2
-              label:       organization-defined tests
-              constraints: 
-                - 
-                  detail: functional exercises
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-4
-            - 
-              name:  sort-id
-              value: cp-04
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-              rel:  reference
-              text: NIST Special Publication 800-84
-          parts: 
-            - 
-              id:    cp-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Tests the contingency plan for the information system {{ cp-4_prm_1 }} using {{ cp-4_prm_2 }} to determine the
-                                        effectiveness of the plan and the organizational readiness to execute the
-                                        plan;
-                    """
-                - 
-                  id:         cp-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews the contingency plan test results; and
-                - 
-                  id:         cp-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Initiates corrective actions, if needed.
-                - 
-                  id:    cp-4_fr
-                  name:  item
-                  title: CP-4(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-4_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-4(a) Requirement:
-                      prose:      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-            - 
-              id:    cp-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Methods for testing contingency plans to determine the effectiveness of the plans and
-                                 to identify potential weaknesses in the plans include, for example, walk-through and
-                                 tabletop exercises, checklists, simulations (parallel, full interrupt), and
-                                 comprehensive exercises. Organizations conduct testing based on the continuity
-                                 requirements in contingency plans and include a determination of the effects on
-                                 organizational operations, assets, and individuals arising due to contingency
-                                 operations. Organizations have flexibility and discretion in the breadth, depth, and
-                                 timelines of corrective actions.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-3
-                  rel:  related
-                  text: CP-3
-                - 
-                  href: #ir-3
-                  rel:  related
-                  text: IR-3
-            - 
-              id:    cp-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-4(a)
-                  parts: 
-                    - 
-                      id:         cp-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-4(a)[1]
-                      prose: 
-                        """
-                          defines tests to determine the effectiveness of the contingency plan and the
-                                               organizational readiness to execute the plan;
-                        """
-                    - 
-                      id:         cp-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-4(a)[2]
-                      prose: 
-                        """
-                          defines a frequency to test the contingency plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-4(a)[3]
-                      prose: 
-                        """
-                          tests the contingency plan for the information system with the
-                                               organization-defined frequency, using organization-defined tests to determine
-                                               the effectiveness of the plan and the organizational readiness to execute the
-                                               plan;
-                        """
-                - 
-                  id:         cp-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-4(b)
-                  prose:      reviews the contingency plan test results; and
-                - 
-                  id:         cp-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-4(c)
-                  prose:      initiates corrective actions, if needed.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for contingency plan testing,
-                                        reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and/or contingency plan
-                                        testing
-                    """
-          controls: 
-            - 
-              id:         cp-4.1
-              class:      SP800-53-enhancement
-              title:      Coordinate with Related Plans
-              properties: 
-                - 
-                  name:  label
-                  value: CP-4(1)
-                - 
-                  name:  sort-id
-                  value: cp-04.01
-              parts: 
-                - 
-                  id:    cp-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization coordinates contingency plan testing with organizational elements
-                                        responsible for related plans.
-                    """
-                - 
-                  id:    cp-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Plans related to contingency plans for organizational information systems include,
-                                        for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                                        Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                                        Cyber Incident Response Plans, and Occupant Emergency Plans. This control
-                                        enhancement does not require organizations to create organizational elements to
-                                        handle related plans or to align such elements with specific plans. It does
-                                        require, however, that if such organizational elements are responsible for related
-                                        plans, organizations should coordinate with those elements.
-                    """
-                  links: 
-                    - 
-                      href: #ir-8
-                      rel:  related
-                      text: IR-8
-                    - 
-                      href: #pm-8
-                      rel:  related
-                      text: PM-8
-                - 
-                  id:         cp-4.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization coordinates contingency plan testing with
-                                        organizational elements responsible for related plans. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities
-        - 
-          id:         cp-6
-          class:      SP800-53
-          title:      Alternate Storage Site
-          properties: 
-            - 
-              name:  label
-              value: CP-6
-            - 
-              name:  sort-id
-              value: cp-06
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes an alternate storage site including necessary agreements to permit the
-                                        storage and retrieval of information system backup information; and
-                    """
-                - 
-                  id:         cp-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that the alternate storage site provides information security safeguards
-                                        equivalent to that of the primary site.
-                    """
-            - 
-              id:    cp-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Alternate storage sites are sites that are geographically distinct from primary
-                                 storage sites. An alternate storage site maintains duplicate copies of information
-                                 and data in the event that the primary storage site is not available. Items covered
-                                 by alternate storage site agreements include, for example, environmental conditions
-                                 at alternate sites, access rules, physical and environmental protection requirements,
-                                 and coordination of delivery/retrieval of backup media. Alternate storage sites
-                                 reflect the requirements in contingency plans so that organizations can maintain
-                                 essential missions/business functions despite disruption, compromise, or failure in
-                                 organizational information systems.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-            - 
-              id:    cp-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-6_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-6[1]
-                  prose: 
-                    """
-                      establishes an alternate storage site including necessary agreements to permit the
-                                        storage and retrieval of information system backup information; and
-                    """
-                - 
-                  id:         cp-6_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-6[2]
-                  prose: 
-                    """
-                      ensures that the alternate storage site provides information security safeguards
-                                        equivalent to that of the primary site.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency plan alternate storage site
-                                        responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for storing and retrieving information system backup
-                                        information at the alternate storage site\n\nautomated mechanisms supporting and/or implementing storage and retrieval of
-                                        information system backup information at the alternate storage site
-                    """
-          controls: 
-            - 
-              id:         cp-6.1
-              class:      SP800-53-enhancement
-              title:      Separation from Primary Site
-              properties: 
-                - 
-                  name:  label
-                  value: CP-6(1)
-                - 
-                  name:  sort-id
-                  value: cp-06.01
-              parts: 
-                - 
-                  id:    cp-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies an alternate storage site that is separated from the
-                                        primary storage site to reduce susceptibility to the same threats.
-                    """
-                - 
-                  id:    cp-6.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Threats that affect alternate storage sites are typically defined in
-                                        organizational assessments of risk and include, for example, natural disasters,
-                                        structural failures, hostile cyber attacks, and errors of omission/commission.
-                                        Organizations determine what is considered a sufficient degree of separation
-                                        between primary and alternate storage sites based on the types of threats that are
-                                        of concern. For one particular type of threat (i.e., hostile cyber attack), the
-                                        degree of separation between sites is less relevant.
-                    """
-                  links: 
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:         cp-6.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization identifies an alternate storage site that is
-                                        separated from the primary storage site to reduce susceptibility to the same
-                                        threats. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate storage site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-6.3
-              class:      SP800-53-enhancement
-              title:      Accessibility
-              properties: 
-                - 
-                  name:  label
-                  value: CP-6(3)
-                - 
-                  name:  sort-id
-                  value: cp-06.03
-              parts: 
-                - 
-                  id:    cp-6.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies potential accessibility problems to the alternate
-                                        storage site in the event of an area-wide disruption or disaster and outlines
-                                        explicit mitigation actions.
-                    """
-                - 
-                  id:    cp-6.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Area-wide disruptions refer to those types of disruptions that are broad in
-                                        geographic scope (e.g., hurricane, regional power outage) with such determinations
-                                        made by organizations based on organizational assessments of risk. Explicit
-                                        mitigation actions include, for example: (i) duplicating backup information at
-                                        other alternate storage sites if access problems occur at originally designated
-                                        alternate sites; or (ii) planning for physical access to retrieve backup
-                                        information if electronic accessibility to the alternate site is disrupted.
-                    """
-                  links: 
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:    cp-6.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-6.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-6(3)[1]
-                      prose: 
-                        """
-                          identifies potential accessibility problems to the alternate storage site in
-                                               the event of an area-wide disruption or disaster; and
-                        """
-                    - 
-                      id:         cp-6.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-6(3)[2]
-                      prose: 
-                        """
-                          outlines explicit mitigation actions for such potential accessibility problems
-                                               to the alternate storage site in the event of an area-wide disruption or
-                                               disaster.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate storage site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         cp-7
-          class:      SP800-53
-          title:      Alternate Processing Site
-          parameters: 
-            - 
-              id:    cp-7_prm_1
-              label: organization-defined information system operations
-            - 
-              id:    cp-7_prm_2
-              label: 
-                """
-                  organization-defined time period consistent with recovery time and recovery point
-                                 objectives
-                """
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-7
-            - 
-              name:  sort-id
-              value: cp-07
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes an alternate processing site including necessary agreements to permit
-                                        the transfer and resumption of {{ cp-7_prm_1 }} for essential
-                                        missions/business functions within {{ cp-7_prm_2 }} when the
-                                        primary processing capabilities are unavailable;
-                    """
-                - 
-                  id:         cp-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that equipment and supplies required to transfer and resume operations are
-                                        available at the alternate processing site or contracts are in place to support
-                                        delivery to the site within the organization-defined time period for
-                                        transfer/resumption; and
-                    """
-                - 
-                  id:         cp-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that the alternate processing site provides information security
-                                        safeguards equivalent to those of the primary site.
-                    """
-                - 
-                  id:    cp-7_fr
-                  name:  item
-                  title: CP-7 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-7_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-            - 
-              id:    cp-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Alternate processing sites are sites that are geographically distinct from primary
-                                 processing sites. An alternate processing site provides processing capability in the
-                                 event that the primary processing site is not available. Items covered by alternate
-                                 processing site agreements include, for example, environmental conditions at
-                                 alternate sites, access rules, physical and environmental protection requirements,
-                                 and coordination for the transfer/assignment of personnel. Requirements are
-                                 specifically allocated to alternate processing sites that reflect the requirements in
-                                 contingency plans to maintain essential missions/business functions despite
-                                 disruption, compromise, or failure in organizational information systems.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #cp-10
-                  rel:  related
-                  text: CP-10
-                - 
-                  href: #ma-6
-                  rel:  related
-                  text: MA-6
-            - 
-              id:    cp-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-7(a)
-                  parts: 
-                    - 
-                      id:         cp-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-7(a)[1]
-                      prose: 
-                        """
-                          defines information system operations requiring an alternate processing site to
-                                               be established to permit the transfer and resumption of such operations;
-                        """
-                    - 
-                      id:         cp-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-7(a)[2]
-                      prose: 
-                        """
-                          defines the time period consistent with recovery time objectives and recovery
-                                               point objectives (as specified in the information system contingency plan) for
-                                               transfer/resumption of organization-defined information system operations for
-                                               essential missions/business functions;
-                        """
-                    - 
-                      id:         cp-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-7(a)[3]
-                      prose: 
-                        """
-                          establishes an alternate processing site including necessary agreements to
-                                               permit the transfer and resumption of organization-defined information system
-                                               operations for essential missions/business functions, within the
-                                               organization-defined time period, when the primary processing capabilities are
-                                               unavailable;
-                        """
-                - 
-                  id:         cp-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-7(b)
-                  parts: 
-                    - 
-                      id:         cp-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-7(b)[1]
-                      prose: 
-                        """
-                          ensures that equipment and supplies required to transfer and resume operations
-                                               are available at the alternate processing site; or
-                        """
-                    - 
-                      id:         cp-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-7(b)[2]
-                      prose: 
-                        """
-                          ensures that contracts are in place to support delivery to the site within the
-                                               organization-defined time period for transfer/resumption; and
-                        """
-                - 
-                  id:         cp-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-7(c)
-                  prose: 
-                    """
-                      ensures that the alternate processing site provides information security
-                                        safeguards equivalent to those of the primary site.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for contingency planning and/or
-                                        alternate site arrangements\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for recovery at the alternate site\n\nautomated mechanisms supporting and/or implementing recovery at the alternate
-                                        processing site
-                    """
-          controls: 
-            - 
-              id:         cp-7.1
-              class:      SP800-53-enhancement
-              title:      Separation from Primary Site
-              properties: 
-                - 
-                  name:  label
-                  value: CP-7(1)
-                - 
-                  name:  sort-id
-                  value: cp-07.01
-              parts: 
-                - 
-                  id:    cp-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies an alternate processing site that is separated from
-                                        the primary processing site to reduce susceptibility to the same threats.
-                    """
-                  parts: 
-                    - 
-                      id:    cp-7.1_fr
-                      name:  item
-                      title: CP-7 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         cp-7.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.
-                - 
-                  id:    cp-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Threats that affect alternate processing sites are typically defined in
-                                        organizational assessments of risk and include, for example, natural disasters,
-                                        structural failures, hostile cyber attacks, and errors of omission/commission.
-                                        Organizations determine what is considered a sufficient degree of separation
-                                        between primary and alternate processing sites based on the types of threats that
-                                        are of concern. For one particular type of threat (i.e., hostile cyber attack),
-                                        the degree of separation between sites is less relevant.
-                    """
-                  links: 
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:         cp-7.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization identifies an alternate processing site that is
-                                        separated from the primary storage site to reduce susceptibility to the same
-                                        threats. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate processing site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-7.2
-              class:      SP800-53-enhancement
-              title:      Accessibility
-              properties: 
-                - 
-                  name:  label
-                  value: CP-7(2)
-                - 
-                  name:  sort-id
-                  value: cp-07.02
-              parts: 
-                - 
-                  id:    cp-7.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization identifies potential accessibility problems to the alternate
-                                        processing site in the event of an area-wide disruption or disaster and outlines
-                                        explicit mitigation actions.
-                    """
-                - 
-                  id:    cp-7.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Area-wide disruptions refer to those types of disruptions that are broad in
-                                        geographic scope (e.g., hurricane, regional power outage) with such determinations
-                                        made by organizations based on organizational assessments of risk.
-                    """
-                  links: 
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:    cp-7.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-7.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-7(2)[1]
-                      prose: 
-                        """
-                          identifies potential accessibility problems to the alternate processing site in
-                                               the event of an area-wide disruption or disaster; and
-                        """
-                    - 
-                      id:         cp-7.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-7(2)[2]
-                      prose: 
-                        """
-                          outlines explicit mitigation actions for such potential accessibility problems
-                                               to the alternate processing site in the event of an area-wide disruption or
-                                               disaster.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate processing site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         cp-7.3
-              class:      SP800-53-enhancement
-              title:      Priority of Service
-              properties: 
-                - 
-                  name:  label
-                  value: CP-7(3)
-                - 
-                  name:  sort-id
-                  value: cp-07.03
-              parts: 
-                - 
-                  id:    cp-7.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization develops alternate processing site agreements that contain
-                                        priority-of-service provisions in accordance with organizational availability
-                                        requirements (including recovery time objectives).
-                    """
-                - 
-                  id:    cp-7.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Priority-of-service agreements refer to negotiated agreements with service
-                                        providers that ensure that organizations receive priority treatment consistent
-                                        with their availability requirements and the availability of information resources
-                                        at the alternate processing site.
-                    """
-                - 
-                  id:         cp-7.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization develops alternate processing site agreements that
-                                        contain priority-of-service provisions in accordance with organizational
-                                        availability requirements (including recovery time objectives as specified in the
-                                        information system contingency plan).
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan alternate processing site
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual
-                                               agreements
-                        """
-        - 
-          id:         cp-8
-          class:      SP800-53
-          title:      Telecommunications Services
-          parameters: 
-            - 
-              id:    cp-8_prm_1
-              label: organization-defined information system operations
-            - 
-              id:    cp-8_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: CP-8
-            - 
-              name:  sort-id
-              value: cp-08
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-            - 
-              href: #fb5844de-ff96-47c0-b258-4f52bcc2f30d
-              rel:  reference
-              text: National Communications Systems Directive 3-10
-            - 
-              href: #3ac12e79-f54f-4a63-9f4b-ee4bcd4df604
-              rel:  reference
-              text: http://www.dhs.gov/telecommunications-service-priority-tsp
-          parts: 
-            - 
-              id:    cp-8_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes alternate telecommunications services including
-                                 necessary agreements to permit the resumption of {{ cp-8_prm_1 }} for
-                                 essential missions and business functions within {{ cp-8_prm_2 }} when
-                                 the primary telecommunications capabilities are unavailable at either the primary or
-                                 alternate processing or storage sites.
-                """
-              parts: 
-                - 
-                  id:    cp-8_fr
-                  name:  item
-                  title: CP-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-8_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-            - 
-              id:    cp-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to telecommunications services (data and voice) for primary and
-                                 alternate processing and storage sites. Alternate telecommunications services reflect
-                                 the continuity requirements in contingency plans to maintain essential
-                                 missions/business functions despite the loss of primary telecommunications services.
-                                 Organizations may specify different time periods for primary/alternate sites.
-                                 Alternate telecommunications services include, for example, additional organizational
-                                 or commercial ground-based circuits/lines or satellites in lieu of ground-based
-                                 communications. Organizations consider factors such as availability, quality of
-                                 service, and access when entering into alternate telecommunications agreements.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:    cp-8_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-8_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-8[1]
-                  prose: 
-                    """
-                      defines information system operations requiring alternate telecommunications
-                                        services to be established to permit the resumption of such operations;
-                    """
-                - 
-                  id:         cp-8_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-8[2]
-                  prose: 
-                    """
-                      defines the time period to permit resumption of organization-defined information
-                                        system operations for essential missions and business functions; and
-                    """
-                - 
-                  id:         cp-8_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-8[3]
-                  prose: 
-                    """
-                      establishes alternate telecommunications services including necessary agreements
-                                        to permit the resumption of organization-defined information system operations for
-                                        essential missions and business functions, within the organization-defined time
-                                        period, when the primary telecommunications capabilities are unavailable at either
-                                        the primary or alternate processing or storage sites.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency plan telecommunications
-                                        responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual
-                                        agreements
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting telecommunications
-          controls: 
-            - 
-              id:         cp-8.1
-              class:      SP800-53-enhancement
-              title:      Priority of Service Provisions
-              properties: 
-                - 
-                  name:  label
-                  value: CP-8(1)
-                - 
-                  name:  sort-id
-                  value: cp-08.01
-              parts: 
-                - 
-                  id:    cp-8.1_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         cp-8.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Develops primary and alternate telecommunications service agreements that
-                                               contain priority-of-service provisions in accordance with organizational
-                                               availability requirements (including recovery time objectives); and
-                        """
-                    - 
-                      id:         cp-8.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Requests Telecommunications Service Priority for all telecommunications
-                                               services used for national security emergency preparedness in the event that
-                                               the primary and/or alternate telecommunications services are provided by a
-                                               common carrier.
-                        """
-                - 
-                  id:    cp-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations consider the potential mission/business impact in situations where
-                                        telecommunications service providers are servicing other organizations with
-                                        similar priority-of-service provisions.
-                    """
-                - 
-                  id:    cp-8.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-8(1)[1]
-                      prose: 
-                        """
-                          develops primary and alternate telecommunications service agreements that
-                                               contain priority-of-service provisions in accordance with organizational
-                                               availability requirements (including recovery time objectives as specified in
-                                               the information system contingency plan); and
-                        """
-                    - 
-                      id:         cp-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-8(1)[2]
-                      prose: 
-                        """
-                          requests Telecommunications Service Priority for all telecommunications
-                                               services used for national security emergency preparedness in the event that
-                                               the primary and/or alternate telecommunications services are provided by a
-                                               common carrier.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan telecommunications
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual
-                                               agreements
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting telecommunications
-            - 
-              id:         cp-8.2
-              class:      SP800-53-enhancement
-              title:      Single Points of Failure
-              properties: 
-                - 
-                  name:  label
-                  value: CP-8(2)
-                - 
-                  name:  sort-id
-                  value: cp-08.02
-              parts: 
-                - 
-                  id:    cp-8.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization obtains alternate telecommunications services to reduce the
-                                        likelihood of sharing a single point of failure with primary telecommunications
-                                        services.
-                    """
-                - 
-                  id:         cp-8.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization obtains alternate telecommunications services to
-                                        reduce the likelihood of sharing a single point of failure with primary
-                                        telecommunications services. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency plan telecommunications
-                                               responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         cp-9
-          class:      SP800-53
-          title:      Information System Backup
-          parameters: 
-            - 
-              id:          cp-9_prm_1
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-            - 
-              id:          cp-9_prm_2
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-            - 
-              id:          cp-9_prm_3
-              label: 
-                """
-                  organization-defined frequency consistent with recovery time and recovery point
-                                 objectives
-                """
-              constraints: 
-                - 
-                  detail: daily incremental; weekly full
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: CP-9
-            - 
-              name:  sort-id
-              value: cp-09
-          links: 
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         cp-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Conducts backups of user-level information contained in the information system
-                                           {{ cp-9_prm_1 }};
-                    """
-                - 
-                  id:         cp-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Conducts backups of system-level information contained in the information system
-                                           {{ cp-9_prm_2 }};
-                    """
-                - 
-                  id:         cp-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Conducts backups of information system documentation including security-related
-                                        documentation {{ cp-9_prm_3 }}; and
-                    """
-                - 
-                  id:         cp-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects the confidentiality, integrity, and availability of backup information at
-                                        storage locations.
-                    """
-                - 
-                  id:    cp-9_fr
-                  name:  item
-                  title: CP-9 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         cp-9_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-                    - 
-                      id:         cp-9_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(a) Requirement:
-                      prose:      The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-                    - 
-                      id:         cp-9_fr_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(b)Requirement:
-                      prose:      The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-                    - 
-                      id:         cp-9_fr_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(c)Requirement:
-                      prose:      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-            - 
-              id:    cp-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  System-level information includes, for example, system-state information, operating
-                                 system and application software, and licenses. User-level information includes any
-                                 information other than system-level information. Mechanisms employed by organizations
-                                 to protect the integrity of information system backups include, for example, digital
-                                 signatures and cryptographic hashes. Protection of system backup information while in
-                                 transit is beyond the scope of this control. Information system backups reflect the
-                                 requirements in contingency plans as well as other organizational requirements for
-                                 backing up information.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    cp-9_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         cp-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(a)
-                  parts: 
-                    - 
-                      id:         cp-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(a)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of user-level information contained in the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(a)[2]
-                      prose: 
-                        """
-                          conducts backups of user-level information contained in the information system
-                                               with the organization-defined frequency;
-                        """
-                - 
-                  id:         cp-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(b)
-                  parts: 
-                    - 
-                      id:         cp-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(b)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of system-level information contained in the information
-                                               system;
-                        """
-                    - 
-                      id:         cp-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(b)[2]
-                      prose: 
-                        """
-                          conducts backups of system-level information contained in the information
-                                               system with the organization-defined frequency;
-                        """
-                - 
-                  id:         cp-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-9(c)
-                  parts: 
-                    - 
-                      id:         cp-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(c)[1]
-                      prose: 
-                        """
-                          defines a frequency, consistent with recovery time objectives and recovery
-                                               point objectives as specified in the information system contingency plan, to
-                                               conduct backups of information system documentation including security-related
-                                               documentation;
-                        """
-                    - 
-                      id:         cp-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(c)[2]
-                      prose: 
-                        """
-                          conducts backups of information system documentation, including
-                                               security-related documentation, with the organization-defined frequency;
-                                               and
-                        """
-                - 
-                  id:         cp-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-9(d)
-                  prose: 
-                    """
-                      protects the confidentiality, integrity, and availability of backup information at
-                                        storage locations.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and/or implementing information system backups
-          controls: 
-            - 
-              id:         cp-9.1
-              class:      SP800-53-enhancement
-              title:      Testing for Reliability / Integrity
-              parameters: 
-                - 
-                  id:          cp-9.1_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least annually
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: CP-9(1)
-                - 
-                  name:  sort-id
-                  value: cp-09.01
-              parts: 
-                - 
-                  id:    cp-9.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization tests backup information {{ cp-9.1_prm_1 }} to
-                                        verify media reliability and information integrity.
-                    """
-                - 
-                  id:    cp-9.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cp-4
-                      rel:  related
-                      text: CP-4
-                - 
-                  id:    cp-9.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-9.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: CP-9(1)[1]
-                      prose: 
-                        """
-                          defines the frequency to test backup information to verify media reliability
-                                               and information integrity; and
-                        """
-                    - 
-                      id:         cp-9.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: CP-9(1)[2]
-                      prose: 
-                        """
-                          tests backup information with the organization-defined frequency to verify
-                                               media reliability and information integrity.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and/or implementing information system
-                                               backups
-                        """
-            - 
-              id:         cp-9.3
-              class:      SP800-53-enhancement
-              title:      Separate Storage for Critical Information
-              parameters: 
-                - 
-                  id:    cp-9.3_prm_1
-                  label: 
-                    """
-                      organization-defined critical information system software and other
-                                        security-related information
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: CP-9(3)
-                - 
-                  name:  sort-id
-                  value: cp-09.03
-              parts: 
-                - 
-                  id:    cp-9.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization stores backup copies of {{ cp-9.3_prm_1 }} in a
-                                        separate facility or in a fire-rated container that is not collocated with the
-                                        operational system.
-                    """
-                - 
-                  id:    cp-9.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Critical information system software includes, for example, operating systems,
-                                        cryptographic key management systems, and intrusion detection/prevention systems.
-                                        Security-related information includes, for example, organizational inventories of
-                                        hardware, software, and firmware components. Alternate storage sites typically
-                                        serve as separate storage facilities for organizations.
-                    """
-                  links: 
-                    - 
-                      href: #cm-2
-                      rel:  related
-                      text: CM-2
-                    - 
-                      href: #cm-8
-                      rel:  related
-                      text: CM-8
-                - 
-                  id:    cp-9.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         cp-9.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-9(3)[1]
-                      parts: 
-                        - 
-                          id:         cp-9.3_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-9(3)[1][a]
-                          prose: 
-                            """
-                              defines critical information system software and other security-related
-                                                      information requiring backup copies to be stored in a separate facility;
-                                                      or
-                            """
-                        - 
-                          id:         cp-9.3_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: CP-9(3)[1][b]
-                          prose: 
-                            """
-                              defines critical information system software and other security-related
-                                                      information requiring backup copies to be stored in a fire-rated container
-                                                      that is not collocated with the operational system; and
-                            """
-                    - 
-                      id:         cp-9.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: CP-9(3)[2]
-                      prose: 
-                        """
-                          stores backup copies of organization-defined critical information system
-                                               software and other security-related information in a separate facility or in a
-                                               fire-rated container that is not collocated with the operational system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup configurations and associated documentation\n\ninformation system backup logs or records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with contingency planning and plan implementation
-                                               responsibilities\n\norganizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         cp-10
-          class:      SP800-53
-          title:      Information System Recovery and Reconstitution
-          properties: 
-            - 
-              name:  label
-              value: CP-10
-            - 
-              name:  sort-id
-              value: cp-10
-          links: 
-            - 
-              href: #023104bc-6f75-4cd5-b7d0-fc92326f8007
-              rel:  reference
-              text: Federal Continuity Directive 1
-            - 
-              href: #748a81b9-9cad-463f-abde-8b368167e70d
-              rel:  reference
-              text: NIST Special Publication 800-34
-          parts: 
-            - 
-              id:    cp-10_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides for the recovery and reconstitution of the information
-                                 system to a known state after a disruption, compromise, or failure.
-                """
-            - 
-              id:    cp-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Recovery is executing information system contingency plan activities to restore
-                                 organizational missions/business functions. Reconstitution takes place following
-                                 recovery and includes activities for returning organizational information systems to
-                                 fully operational states. Recovery and reconstitution operations reflect mission and
-                                 business priorities, recovery point/time and reconstitution objectives, and
-                                 established organizational metrics consistent with contingency plan requirements.
-                                 Reconstitution includes the deactivation of any interim information system
-                                 capabilities that may have been needed during recovery operations. Reconstitution
-                                 also includes assessments of fully restored information system capabilities,
-                                 reestablishment of continuous monitoring activities, potential information system
-                                 reauthorizations, and activities to prepare the systems against future disruptions,
-                                 compromises, or failures. Recovery/reconstitution capabilities employed by
-                                 organizations can include both automated mechanisms and manual procedures.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-6
-                  rel:  related
-                  text: CA-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #sc-24
-                  rel:  related
-                  text: SC-24
-            - 
-              id:    cp-10_obj
-              name:  objective
-              prose: Determine if the organization provides for: 
-              parts: 
-                - 
-                  id:         cp-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: CP-10[1]
-                  prose:      the recovery of the information system to a known state after:
-                  parts: 
-                    - 
-                      id:         cp-10_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][a]
-                      prose:      a disruption;
-                    - 
-                      id:         cp-10_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][b]
-                      prose:      a compromise; or
-                    - 
-                      id:         cp-10_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[1][c]
-                      prose:      a failure;
-                - 
-                  id:         cp-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: CP-10[2]
-                  prose:      the reconstitution of the information system to a known state after:
-                  parts: 
-                    - 
-                      id:         cp-10_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][a]
-                      prose:      a disruption;
-                    - 
-                      id:         cp-10_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][b]
-                      prose:      a compromise; or
-                    - 
-                      id:         cp-10_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: CP-10[2][c]
-                      prose:      a failure.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with contingency planning, recovery, and/or
-                                        reconstitution responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes implementing information system recovery and
-                                        reconstitution operations\n\nautomated mechanisms supporting and/or implementing information system recovery
-                                        and reconstitution operations
-                    """
-          controls: 
-            - 
-              id:         cp-10.2
-              class:      SP800-53-enhancement
-              title:      Transaction Recovery
-              properties: 
-                - 
-                  name:  label
-                  value: CP-10(2)
-                - 
-                  name:  sort-id
-                  value: cp-10.02
-              parts: 
-                - 
-                  id:    cp-10.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements transaction recovery for systems that are
-                                        transaction-based.
-                    """
-                - 
-                  id:    cp-10.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Transaction-based information systems include, for example, database management
-                                        systems and transaction processing systems. Mechanisms supporting transaction
-                                        recovery include, for example, transaction rollback and transaction
-                                        journaling.
-                    """
-                - 
-                  id:         cp-10.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements transaction recovery for systems
-                                        that are transaction-based. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\ninformation system transaction recovery records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing transaction recovery
-                                               capability
-                        """
-    - 
-      id:       ia
-      class:    family
-      title:    Identification and Authentication
-      controls: 
-        - 
-          id:         ia-1
-          class:      SP800-53
-          title:      Identification and Authentication Policy and Procedures
-          parameters: 
-            - 
-              id:    ia-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ia-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ia-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-1
-            - 
-              name:  sort-id
-              value: ia-01
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ia-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ia-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ia-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ia-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An identification and authentication policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         ia-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the identification and
-                                               authentication policy and associated identification and authentication
-                                               controls; and
-                        """
-                - 
-                  id:         ia-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ia-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Identification and authentication policy {{ ia-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         ia-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Identification and authentication procedures {{ ia-1_prm_3 }}.
-            - 
-              id:    ia-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the IA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ia-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ia-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-1(a)
-                  parts: 
-                    - 
-                      id:         ia-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ia-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents an identification and authentication policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         ia-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ia-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ia-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ia-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ia-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ia-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ia-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ia-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the identification and authentication
-                                                      policy is to be disseminated; and
-                            """
-                        - 
-                          id:         ia-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the identification and authentication policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         ia-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ia-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      identification and authentication policy and associated identification and
-                                                      authentication controls;
-                            """
-                        - 
-                          id:         ia-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ia-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ia-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-1(b)
-                  parts: 
-                    - 
-                      id:         ia-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ia-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current identification and
-                                                      authentication policy;
-                            """
-                        - 
-                          id:         ia-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current identification and authentication policy
-                                                      with the organization-defined frequency; and
-                            """
-                    - 
-                      id:         ia-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ia-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current identification and
-                                                      authentication procedures; and
-                            """
-                        - 
-                          id:         ia-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current identification and authentication procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with identification and authentication
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ia-2
-          class:      SP800-53
-          title:      Identification and Authentication (organizational Users)
-          properties: 
-            - 
-              name:  label
-              value: IA-2
-            - 
-              name:  sort-id
-              value: ia-02
-          links: 
-            - 
-              href: #ad733a42-a7ed-4774-b988-4930c28852f3
-              rel:  reference
-              text: HSPD-12
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #4da24a96-6cf8-435d-9d1f-c73247cad109
-              rel:  reference
-              text: OMB Memorandum 06-16
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-2_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates organizational users (or
-                                 processes acting on behalf of organizational users).
-                """
-            - 
-              id:    ia-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational users include employees or individuals that organizations deem to have
-                                 equivalent status of employees (e.g., contractors, guest researchers). This control
-                                 applies to all accesses other than: (i) accesses that are explicitly identified and
-                                 documented in AC-14; and (ii) accesses that occur through authorized use of group
-                                 authenticators without individual authentication. Organizations may require unique
-                                 identification of individuals in group accounts (e.g., shared privilege accounts) or
-                                 for detailed accountability of individual activity. Organizations employ passwords,
-                                 tokens, or biometrics to authenticate user identities, or in the case multifactor
-                                 authentication, or some combination thereof. Access to organizational information
-                                 systems is defined as either local access or network access. Local access is any
-                                 access to organizational information systems by users (or processes acting on behalf
-                                 of users) where such access is obtained by direct connections without the use of
-                                 networks. Network access is access to organizational information systems by users (or
-                                 processes acting on behalf of users) where such access is obtained through network
-                                 connections (i.e., nonlocal accesses). Remote access is a type of network access that
-                                 involves communication through external networks (e.g., the Internet). Internal
-                                 networks include local area networks and wide area networks. In addition, the use of
-                                 encrypted virtual private networks (VPNs) for network connections between
-                                 organization-controlled endpoints and non-organization controlled endpoints may be
-                                 treated as internal networks from the perspective of protecting the confidentiality
-                                 and integrity of information traversing the network. Organizations can satisfy the
-                                 identification and authentication requirements in this control by complying with the
-                                 requirements in Homeland Security Presidential Directive 12 consistent with the
-                                 specific organizational implementation plans. Multifactor authentication requires the
-                                 use of two or more different factors to achieve authentication. The factors are
-                                 defined as: (i) something you know (e.g., password, personal identification number
-                                 [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-                                 or (iii) something you are (e.g., biometric). Multifactor solutions that require
-                                 devices separate from information systems gaining access include, for example,
-                                 hardware tokens providing time-based or challenge-response authenticators and smart
-                                 cards such as the U.S. Government Personal Identity Verification card and the DoD
-                                 common access card. In addition to identifying and authenticating users at the
-                                 information system level (i.e., at logon), organizations also employ identification
-                                 and authentication mechanisms at the application level, when necessary, to provide
-                                 increased information security. Identification and authentication requirements for
-                                 other than organizational users are described in IA-8.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-            - 
-              id:    ia-2_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system uniquely identifies and authenticates
-                                 organizational users (or processes acting on behalf of organizational users).
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and/or implementing identification and
-                                        authentication capability
-                    """
-          controls: 
-            - 
-              id:         ia-2.1
-              class:      SP800-53-enhancement
-              title:      Network Access to Privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(1)
-                - 
-                  name:  sort-id
-                  value: ia-02.01
-              parts: 
-                - 
-                  id:    ia-2.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for network access to
-                                        privileged accounts.
-                    """
-                - 
-                  id:    ia-2.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:         ia-2.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        network access to privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.2
-              class:      SP800-53-enhancement
-              title:      Network Access to Non-privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(2)
-                - 
-                  name:  sort-id
-                  value: ia-02.02
-              parts: 
-                - 
-                  id:    ia-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for network access to
-                                        non-privileged accounts.
-                    """
-                - 
-                  id:         ia-2.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        network access to non-privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.3
-              class:      SP800-53-enhancement
-              title:      Local Access to Privileged Accounts
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(3)
-                - 
-                  name:  sort-id
-                  value: ia-02.03
-              parts: 
-                - 
-                  id:    ia-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for local access to
-                                        privileged accounts.
-                    """
-                - 
-                  id:    ia-2.3_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:         ia-2.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements multifactor authentication for
-                                        local access to privileged accounts.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing multifactor authentication
-                                               capability
-                        """
-            - 
-              id:         ia-2.5
-              class:      SP800-53-enhancement
-              title:      Group Authentication
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(5)
-                - 
-                  name:  sort-id
-                  value: ia-02.05
-              parts: 
-                - 
-                  id:    ia-2.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires individuals to be authenticated with an individual
-                                        authenticator when a group authenticator is employed.
-                    """
-                - 
-                  id:    ia-2.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Requiring individuals to use individual authenticators as a second level of
-                                        authentication helps organizations to mitigate the risk of using group
-                                        authenticators.
-                    """
-                - 
-                  id:         ia-2.5_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires individuals to be authenticated with an
-                                        individual authenticator when a group authenticator is employed.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing authentication capability
-                                               for group accounts
-                        """
-            - 
-              id:         ia-2.8
-              class:      SP800-53-enhancement
-              title:      Network Access to Privileged Accounts - Replay Resistant
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(8)
-                - 
-                  name:  sort-id
-                  value: ia-02.08
-              parts: 
-                - 
-                  id:    ia-2.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements replay-resistant authentication mechanisms for
-                                        network access to privileged accounts.
-                    """
-                - 
-                  id:    ia-2.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Authentication processes resist replay attacks if it is impractical to achieve
-                                        successful authentications by replaying previous authentication messages.
-                                        Replay-resistant techniques include, for example, protocols that use nonces or
-                                        challenges such as Transport Layer Security (TLS) and time synchronous or
-                                        challenge-response one-time authenticators.
-                    """
-                - 
-                  id:         ia-2.8_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements replay-resistant authentication
-                                        mechanisms for network access to privileged accounts. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms supporting and/or implementing replay resistant
-                                               authentication mechanisms
-                        """
-            - 
-              id:         ia-2.11
-              class:      SP800-53-enhancement
-              title:      Remote Access - Separate Device
-              parameters: 
-                - 
-                  id:          ia-2.11_prm_1
-                  label:       organization-defined strength of mechanism requirements
-                  constraints: 
-                    - 
-                      detail: FIPS 140-2, NIAP Certification, or NSA approval
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(11)
-                - 
-                  name:  sort-id
-                  value: ia-02.11
-              parts: 
-                - 
-                  id:    ia-2.11_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements multifactor authentication for remote access to
-                                        privileged and non-privileged accounts such that one of the factors is provided by
-                                        a device separate from the system gaining access and the device meets {{ ia-2.11_prm_1 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    ia-2.11_fr
-                      name:  item
-                      title: IA-2 (11) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-2.11_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.
-                - 
-                  id:    ia-2.11_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      For remote access to privileged/non-privileged accounts, the purpose of requiring
-                                        a device that is separate from the information system gaining access for one of
-                                        the factors during multifactor authentication is to reduce the likelihood of
-                                        compromising authentication credentials stored on the system. For example,
-                                        adversaries deploying malicious code on organizational information systems can
-                                        potentially compromise such credentials resident on the system and subsequently
-                                        impersonate authorized users.
-                    """
-                  links: 
-                    - 
-                      href: #ac-6
-                      rel:  related
-                      text: AC-6
-                - 
-                  id:    ia-2.11_obj
-                  name:  objective
-                  prose: Determine if: 
-                  parts: 
-                    - 
-                      id:         ia-2.11_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(11)[1]
-                      prose: 
-                        """
-                          the information system implements multifactor authentication for remote access
-                                               to privileged accounts such that one of the factors is provided by a device
-                                               separate from the system gaining access;
-                        """
-                    - 
-                      id:         ia-2.11_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(11)[2]
-                      prose: 
-                        """
-                          the information system implements multifactor authentication for remote access
-                                               to non-privileged accounts such that one of the factors is provided by a device
-                                               separate from the system gaining access;
-                        """
-                    - 
-                      id:         ia-2.11_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-2(11)[3]
-                      prose: 
-                        """
-                          the organization defines strength of mechanism requirements to be enforced by a
-                                               device separate from the system gaining remote access to privileged
-                                               accounts;
-                        """
-                    - 
-                      id:         ia-2.11_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-2(11)[4]
-                      prose: 
-                        """
-                          the organization defines strength of mechanism requirements to be enforced by a
-                                               device separate from the system gaining remote access to non-privileged
-                                               accounts;
-                        """
-                    - 
-                      id:         ia-2.11_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(11)[5]
-                      prose: 
-                        """
-                          the information system implements multifactor authentication for remote access
-                                               to privileged accounts such that a device, separate from the system gaining
-                                               access, meets organization-defined strength of mechanism requirements; and
-                        """
-                    - 
-                      id:         ia-2.11_obj.6
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(11)[6]
-                      prose: 
-                        """
-                          the information system implements multifactor authentication for remote access
-                                               to non-privileged accounts such that a device, separate from the system gaining
-                                               access, meets organization-defined strength of mechanism requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged and non-privileged information system accounts\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability
-                        """
-            - 
-              id:         ia-2.12
-              class:      SP800-53-enhancement
-              title:      Acceptance of PIV Credentials
-              properties: 
-                - 
-                  name:  label
-                  value: IA-2(12)
-                - 
-                  name:  sort-id
-                  value: ia-02.12
-              parts: 
-                - 
-                  id:    ia-2.12_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system accepts and electronically verifies Personal Identity
-                                        Verification (PIV) credentials.
-                    """
-                  parts: 
-                    - 
-                      id:    ia-2.12_fr
-                      name:  item
-                      title: IA-2 (12) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-2.12_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-                - 
-                  id:    ia-2.12_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to organizations implementing logical access
-                                        control systems (LACS) and physical access control systems (PACS). Personal
-                                        Identity Verification (PIV) credentials are those credentials issued by federal
-                                        agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                                        OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                                        requirements specified in HSPD-12 to enable agency-wide use of PIV
-                                        credentials.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-2.12_obj
-                  name:  objective
-                  prose: Determine if the information system: 
-                  parts: 
-                    - 
-                      id:         ia-2.12_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(12)[1]
-                      prose:      accepts Personal Identity Verification (PIV) credentials; and
-                    - 
-                      id:         ia-2.12_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-2(12)[2]
-                      prose:      electronically verifies Personal Identity Verification (PIV) credentials.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing acceptance and verification
-                                               of PIV credentials
-                        """
-        - 
-          id:         ia-3
-          class:      SP800-53
-          title:      Device Identification and Authentication
-          parameters: 
-            - 
-              id:    ia-3_prm_1
-              label: organization-defined specific and/or types of devices
-            - 
-              id: ia-3_prm_2
-          properties: 
-            - 
-              name:  label
-              value: IA-3
-            - 
-              name:  sort-id
-              value: ia-03
-          parts: 
-            - 
-              id:    ia-3_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates {{ ia-3_prm_1 }} before establishing a {{ ia-3_prm_2 }}
-                                 connection.
-                """
-            - 
-              id:    ia-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational devices requiring unique device-to-device identification and
-                                 authentication may be defined by type, by device, or by a combination of type/device.
-                                 Information systems typically use either shared known information (e.g., Media Access
-                                 Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)
-                                 for device identification or organizational authentication solutions (e.g., IEEE
-                                 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport
-                                 Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on
-                                 local and/or wide area networks. Organizations determine the required strength of
-                                 authentication mechanisms by the security categories of information systems. Because
-                                 of the challenges of applying this control on large scale, organizations are
-                                 encouraged to only apply the control to those limited number (and type) of devices
-                                 that truly need to support this capability.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-            - 
-              id:    ia-3_obj
-              name:  objective
-              prose: Determine if: 
-              parts: 
-                - 
-                  id:         ia-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-3[1]
-                  prose: 
-                    """
-                      the organization defines specific and/or types of devices that the information
-                                        system uniquely identifies and authenticates before establishing one or more of
-                                        the following:
-                    """
-                  parts: 
-                    - 
-                      id:         ia-3_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[1][a]
-                      prose:      a local connection;
-                    - 
-                      id:         ia-3_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[1][b]
-                      prose:      a remote connection; and/or
-                    - 
-                      id:         ia-3_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[1][c]
-                      prose:      a network connection; and
-                - 
-                  id:         ia-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-3[2]
-                  prose: 
-                    """
-                      the information system uniquely identifies and authenticates organization-defined
-                                        devices before establishing one or more of the following:
-                    """
-                  parts: 
-                    - 
-                      id:         ia-3_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[2][a]
-                      prose:      a local connection;
-                    - 
-                      id:         ia-3_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[2][b]
-                      prose:      a remote connection; and/or
-                    - 
-                      id:         ia-3_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-3[2][c]
-                      prose:      a network connection.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing device identification and authentication\n\ninformation system design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with operational responsibilities for device
-                                        identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing device identification and
-                                        authentication capability
-                    """
-        - 
-          id:         ia-4
-          class:      SP800-53
-          title:      Identifier Management
-          parameters: 
-            - 
-              id:    ia-4_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ia-4_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: IA-4 (d) [at least two years]
-            - 
-              id:          ia-4_prm_3
-              label:       organization-defined time period of inactivity
-              constraints: 
-                - 
-                  detail: ninety days for user identifiers (See additional requirements and guidance)
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-4
-            - 
-              name:  sort-id
-              value: ia-04
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-          parts: 
-            - 
-              id:    ia-4_smt
-              name:  statement
-              prose: The organization manages information system identifiers by:
-              parts: 
-                - 
-                  id:         ia-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Receiving authorization from {{ ia-4_prm_1 }} to assign an
-                                        individual, group, role, or device identifier;
-                    """
-                - 
-                  id:         ia-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Selecting an identifier that identifies an individual, group, role, or device;
-                - 
-                  id:         ia-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Assigning the identifier to the intended individual, group, role, or device;
-                - 
-                  id:         ia-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Preventing reuse of identifiers for {{ ia-4_prm_2 }}; and
-                - 
-                  id:         ia-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Disabling the identifier after {{ ia-4_prm_3 }}.
-                - 
-                  id:    ia-4_fr
-                  name:  item
-                  title: IA-4(e) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ia-4_fr_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider defines the time period of inactivity for device identifiers.
-                    - 
-                      id:         ia-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx).
-            - 
-              id:    ia-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Common device identifiers include, for example, media access control (MAC), Internet
-                                 protocol (IP) addresses, or device-unique token identifiers. Management of individual
-                                 identifiers is not applicable to shared information system accounts (e.g., guest and
-                                 anonymous accounts). Typically, individual identifiers are the user names of the
-                                 information system accounts assigned to those individuals. In such instances, the
-                                 account management activities of AC-2 use account names provided by IA-4. This
-                                 control also addresses individual identifiers not necessarily associated with
-                                 information system accounts (e.g., identifiers used in physical security control
-                                 databases accessed by badge reader systems for access to information systems).
-                                 Preventing reuse of identifiers implies preventing the assignment of previously used
-                                 individual, group, role, or device identifiers to different individuals, groups,
-                                 roles, or devices.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #sc-37
-                  rel:  related
-                  text: SC-37
-            - 
-              id:    ia-4_obj
-              name:  objective
-              prose: Determine if the organization manages information system identifiers by: 
-              parts: 
-                - 
-                  id:         ia-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(a)
-                  parts: 
-                    - 
-                      id:         ia-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(a)[1]
-                      prose: 
-                        """
-                          defining personnel or roles from whom authorization must be received to
-                                               assign:
-                        """
-                      parts: 
-                        - 
-                          id:         ia-4.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][a]
-                          prose:      an individual identifier;
-                        - 
-                          id:         ia-4.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][b]
-                          prose:      a group identifier;
-                        - 
-                          id:         ia-4.a_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][c]
-                          prose:      a role identifier; and/or
-                        - 
-                          id:         ia-4.a_obj.1.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[1][d]
-                          prose:      a device identifier;
-                    - 
-                      id:         ia-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(a)[2]
-                      prose: 
-                        """
-                          receiving authorization from organization-defined personnel or roles to
-                                               assign:
-                        """
-                      parts: 
-                        - 
-                          id:         ia-4.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][a]
-                          prose:      an individual identifier;
-                        - 
-                          id:         ia-4.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][b]
-                          prose:      a group identifier;
-                        - 
-                          id:         ia-4.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][c]
-                          prose:      a role identifier; and/or
-                        - 
-                          id:         ia-4.a_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-4(a)[2][d]
-                          prose:      a device identifier;
-                - 
-                  id:         ia-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-4(b)
-                  prose:      selecting an identifier that identifies:
-                  parts: 
-                    - 
-                      id:         ia-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[1]
-                      prose:      an individual;
-                    - 
-                      id:         ia-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[2]
-                      prose:      a group;
-                    - 
-                      id:         ia-4.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[3]
-                      prose:      a role; and/or
-                    - 
-                      id:         ia-4.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(b)[4]
-                      prose:      a device;
-                - 
-                  id:         ia-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-4(c)
-                  prose:      assigning the identifier to the intended:
-                  parts: 
-                    - 
-                      id:         ia-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[1]
-                      prose:      individual;
-                    - 
-                      id:         ia-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[2]
-                      prose:      group;
-                    - 
-                      id:         ia-4.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[3]
-                      prose:      role; and/or
-                    - 
-                      id:         ia-4.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-4(c)[4]
-                      prose:      device;
-                - 
-                  id:         ia-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(d)
-                  parts: 
-                    - 
-                      id:         ia-4.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(d)[1]
-                      prose:      defining a time period for preventing reuse of identifiers;
-                    - 
-                      id:         ia-4.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(d)[2]
-                      prose:      preventing reuse of identifiers for the organization-defined time period;
-                - 
-                  id:         ia-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-4(e)
-                  parts: 
-                    - 
-                      id:         ia-4.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(e)[1]
-                      prose:      defining a time period of inactivity to disable the identifier; and
-                    - 
-                      id:         ia-4.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(e)[2]
-                      prose: 
-                        """
-                          disabling the identifier after the organization-defined time period of
-                                               inactivity.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing identifier management
-          controls: 
-            - 
-              id:         ia-4.4
-              class:      SP800-53-enhancement
-              title:      Identify User Status
-              parameters: 
-                - 
-                  id:          ia-4.4_prm_1
-                  label:       organization-defined characteristic identifying individual status
-                  constraints: 
-                    - 
-                      detail: contractors; foreign nationals
-              properties: 
-                - 
-                  name:  label
-                  value: IA-4(4)
-                - 
-                  name:  sort-id
-                  value: ia-04.04
-              parts: 
-                - 
-                  id:    ia-4.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization manages individual identifiers by uniquely identifying each
-                                        individual as {{ ia-4.4_prm_1 }}.
-                    """
-                - 
-                  id:    ia-4.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Characteristics identifying the status of individuals include, for example,
-                                        contractors and foreign nationals. Identifying the status of individuals by
-                                        specific characteristics provides additional information about the people with
-                                        whom organizational personnel are communicating. For example, it might be useful
-                                        for a government employee to know that one of the individuals on an email message
-                                        is a contractor.
-                    """
-                  links: 
-                    - 
-                      href: #at-2
-                      rel:  related
-                      text: AT-2
-                - 
-                  id:    ia-4.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-4.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-4(4)[1]
-                      prose:      defines a characteristic to be used to identify individual status; and
-                    - 
-                      id:         ia-4.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-4(4)[2]
-                      prose: 
-                        """
-                          manages individual identifiers by uniquely identifying each individual as the
-                                               organization-defined characteristic identifying individual status.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting and/or implementing identifier management
-        - 
-          id:         ia-5
-          class:      SP800-53
-          title:      Authenticator Management
-          parameters: 
-            - 
-              id:    ia-5_prm_1
-              label: organization-defined time period by authenticator type
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IA-5
-            - 
-              name:  sort-id
-              value: ia-05
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-5_smt
-              name:  statement
-              prose: The organization manages information system authenticators by:
-              parts: 
-                - 
-                  id:         ia-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Verifying, as part of the initial authenticator distribution, the identity of the
-                                        individual, group, role, or device receiving the authenticator;
-                    """
-                - 
-                  id:         ia-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Establishing initial authenticator content for authenticators defined by the
-                                        organization;
-                    """
-                - 
-                  id:         ia-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensuring that authenticators have sufficient strength of mechanism for their
-                                        intended use;
-                    """
-                - 
-                  id:         ia-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Establishing and implementing administrative procedures for initial authenticator
-                                        distribution, for lost/compromised or damaged authenticators, and for revoking
-                                        authenticators;
-                    """
-                - 
-                  id:         ia-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Changing default content of authenticators prior to information system
-                                        installation;
-                    """
-                - 
-                  id:         ia-5_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                                        authenticators;
-                    """
-                - 
-                  id:         ia-5_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Changing/refreshing authenticators {{ ia-5_prm_1 }};
-                - 
-                  id:         ia-5_smt.h
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: h.
-                  prose: 
-                    """
-                      Protecting authenticator content from unauthorized disclosure and
-                                        modification;
-                    """
-                - 
-                  id:         ia-5_smt.i
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: i.
-                  prose: 
-                    """
-                      Requiring individuals to take, and having devices implement, specific security
-                                        safeguards to protect authenticators; and
-                    """
-                - 
-                  id:         ia-5_smt.j
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: j.
-                  prose: 
-                    """
-                      Changing authenticators for group/role accounts when membership to those accounts
-                                        changes.
-                    """
-                - 
-                  id:    ia-5_fr
-                  name:  item
-                  title: IA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ia-5_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3).
-            - 
-              id:    ia-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-                                 certificates, and key cards. Initial authenticator content is the actual content
-                                 (e.g., the initial password) as opposed to requirements about authenticator content
-                                 (e.g., minimum password length). In many cases, developers ship information system
-                                 components with factory default authentication credentials to allow for initial
-                                 installation and configuration. Default authentication credentials are often well
-                                 known, easily discoverable, and present a significant security risk. The requirement
-                                 to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-                                 authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-                                 for authenticators stored within organizational information systems (e.g., passwords
-                                 stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-                                 accessible with administrator privileges). Information systems support individual
-                                 authenticator management by organization-defined settings and restrictions for
-                                 various authenticator characteristics including, for example, minimum password
-                                 length, password composition, validation time window for time synchronous one-time
-                                 tokens, and number of allowed rejections during the verification stage of biometric
-                                 authentication. Specific actions that can be taken to safeguard authenticators
-                                 include, for example, maintaining possession of individual authenticators, not
-                                 loaning or sharing individual authenticators with others, and reporting lost, stolen,
-                                 or compromised authenticators immediately. Authenticator management includes issuing
-                                 and revoking, when no longer needed, authenticators for temporary access such as that
-                                 required for remote maintenance. Device authenticators include, for example,
-                                 certificates and passwords.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-            - 
-              id:    ia-5_obj
-              name:  objective
-              prose: Determine if the organization manages information system authenticators by: 
-              parts: 
-                - 
-                  id:         ia-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(a)
-                  prose:      verifying, as part of the initial authenticator distribution, the identity of:
-                  parts: 
-                    - 
-                      id:         ia-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[1]
-                      prose:      the individual receiving the authenticator;
-                    - 
-                      id:         ia-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[2]
-                      prose:      the group receiving the authenticator;
-                    - 
-                      id:         ia-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[3]
-                      prose:      the role receiving the authenticator; and/or
-                    - 
-                      id:         ia-5.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(a)[4]
-                      prose:      the device receiving the authenticator;
-                - 
-                  id:         ia-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: IA-5(b)
-                  prose: 
-                    """
-                      establishing initial authenticator content for authenticators defined by the
-                                        organization;
-                    """
-                - 
-                  id:         ia-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(c)
-                  prose: 
-                    """
-                      ensuring that authenticators have sufficient strength of mechanism for their
-                                        intended use;
-                    """
-                - 
-                  id:         ia-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(d)
-                  parts: 
-                    - 
-                      id:         ia-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[1]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for initial
-                                               authenticator distribution;
-                        """
-                    - 
-                      id:         ia-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[2]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for lost/compromised or
-                                               damaged authenticators;
-                        """
-                    - 
-                      id:         ia-5.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(d)[3]
-                      prose: 
-                        """
-                          establishing and implementing administrative procedures for revoking
-                                               authenticators;
-                        """
-                - 
-                  id:         ia-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(e)
-                  prose: 
-                    """
-                      changing default content of authenticators prior to information system
-                                        installation;
-                    """
-                - 
-                  id:         ia-5.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(f)
-                  parts: 
-                    - 
-                      id:         ia-5.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[1]
-                      prose:      establishing minimum lifetime restrictions for authenticators;
-                    - 
-                      id:         ia-5.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[2]
-                      prose:      establishing maximum lifetime restrictions for authenticators;
-                    - 
-                      id:         ia-5.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(f)[3]
-                      prose:      establishing reuse conditions for authenticators;
-                - 
-                  id:         ia-5.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(g)
-                  parts: 
-                    - 
-                      id:         ia-5.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(g)[1]
-                      prose: 
-                        """
-                          defining a time period (by authenticator type) for changing/refreshing
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(g)[2]
-                      prose: 
-                        """
-                          changing/refreshing authenticators with the organization-defined time period by
-                                               authenticator type;
-                        """
-                - 
-                  id:         ia-5.h_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(h)
-                  prose:      protecting authenticator content from unauthorized:
-                  parts: 
-                    - 
-                      id:         ia-5.h_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(h)[1]
-                      prose:      disclosure;
-                    - 
-                      id:         ia-5.h_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(h)[2]
-                      prose:      modification;
-                - 
-                  id:         ia-5.i_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IA-5(i)
-                  parts: 
-                    - 
-                      id:         ia-5.i_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IA-5(i)[1]
-                      prose: 
-                        """
-                          requiring individuals to take specific security safeguards to protect
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.i_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(i)[2]
-                      prose: 
-                        """
-                          having devices implement specific security safeguards to protect
-                                               authenticators; and
-                        """
-                - 
-                  id:         ia-5.j_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IA-5(j)
-                  prose: 
-                    """
-                      changing authenticators for group/role accounts when membership to those accounts
-                                        changes.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system
-                                        authenticators\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing authenticator management
-                                        capability
-                    """
-          controls: 
-            - 
-              id:         ia-5.1
-              class:      SP800-53-enhancement
-              title:      Password-based Authentication
-              parameters: 
-                - 
-                  id:    ia-5.1_prm_1
-                  label: 
-                    """
-                      organization-defined requirements for case sensitivity, number of characters,
-                                        mix of upper-case letters, lower-case letters, numbers, and special characters,
-                                        including minimum requirements for each type
-                    """
-                - 
-                  id:          ia-5.1_prm_2
-                  label:       organization-defined number
-                  constraints: 
-                    - 
-                      detail: at least one
-                - 
-                  id:    ia-5.1_prm_3
-                  label: organization-defined numbers for lifetime minimum, lifetime maximum
-                - 
-                  id:          ia-5.1_prm_4
-                  label:       organization-defined number
-                  constraints: 
-                    - 
-                      detail: twenty four (24)
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: IA-5(1)
-                - 
-                  name:  sort-id
-                  value: ia-05.01
-              parts: 
-                - 
-                  id:    ia-5.1_smt
-                  name:  statement
-                  prose: The information system, for password-based authentication:
-                  parts: 
-                    - 
-                      id:         ia-5.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Enforces minimum password complexity of {{ ia-5.1_prm_1 }};
-                    - 
-                      id:         ia-5.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Enforces at least the following number of changed characters when new passwords
-                                               are created: {{ ia-5.1_prm_2 }};
-                        """
-                    - 
-                      id:         ia-5.1_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Stores and transmits only cryptographically-protected passwords;
-                    - 
-                      id:         ia-5.1_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose:      Enforces password minimum and maximum lifetime restrictions of {{ ia-5.1_prm_3 }};
-                    - 
-                      id:         ia-5.1_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)
-                      prose: 
-                        """
-                          Prohibits password reuse for {{ ia-5.1_prm_4 }} generations;
-                                               and
-                        """
-                    - 
-                      id:         ia-5.1_smt.f
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (f)
-                      prose: 
-                        """
-                          Allows the use of a temporary password for system logons with an immediate
-                                               change to a permanent password.
-                        """
-                    - 
-                      id:    ia-5.1_fr
-                      name:  item
-                      title: IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-5.1_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (a) (d) Guidance:
-                          prose:      If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-                - 
-                  id:    ia-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to single-factor authentication of individuals
-                                        using passwords as individual or group authenticators, and in a similar manner,
-                                        when passwords are part of multifactor authenticators. This control enhancement
-                                        does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                                        Personal Identity Verification cards). The implementation of such password
-                                        mechanisms may not meet all of the requirements in the enhancement.
-                                        Cryptographically-protected passwords include, for example, encrypted versions of
-                                        passwords and one-way cryptographic hashes of passwords. The number of changed
-                                        characters refers to the number of changes required with respect to the total
-                                        number of positions in the current password. Password lifetime restrictions do not
-                                        apply to temporary passwords. To mitigate certain brute force attacks against
-                                        passwords, organizations may also consider salting passwords.
-                    """
-                  links: 
-                    - 
-                      href: #ia-6
-                      rel:  related
-                      text: IA-6
-                - 
-                  id:    ia-5.1_obj
-                  name:  objective
-                  prose: Determine if, for password-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(a)
-                      parts: 
-                        - 
-                          id:         ia-5.1.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[1]
-                          prose:      the organization defines requirements for case sensitivity;
-                        - 
-                          id:         ia-5.1.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[2]
-                          prose:      the organization defines requirements for number of characters;
-                        - 
-                          id:         ia-5.1.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[3]
-                          prose: 
-                            """
-                              the organization defines requirements for the mix of upper-case letters,
-                                                      lower-case letters, numbers and special characters;
-                            """
-                        - 
-                          id:         ia-5.1.a_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[4]
-                          prose: 
-                            """
-                              the organization defines minimum requirements for each type of
-                                                      character;
-                            """
-                        - 
-                          id:         ia-5.1.a_obj.5
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(a)[5]
-                          prose: 
-                            """
-                              the information system enforces minimum password complexity of
-                                                      organization-defined requirements for case sensitivity, number of
-                                                      characters, mix of upper-case letters, lower-case letters, numbers, and
-                                                      special characters, including minimum requirements for each type;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.a
-                          rel:  corresp
-                          text: IA-5(1)(a)
-                    - 
-                      id:         ia-5.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(b)
-                      parts: 
-                        - 
-                          id:         ia-5.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(b)[1]
-                          prose: 
-                            """
-                              the organization defines a minimum number of changed characters to be
-                                                      enforced when new passwords are created;
-                            """
-                        - 
-                          id:         ia-5.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(b)[2]
-                          prose: 
-                            """
-                              the information system enforces at least the organization-defined minimum
-                                                      number of characters that must be changed when new passwords are
-                                                      created;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.b
-                          rel:  corresp
-                          text: IA-5(1)(b)
-                    - 
-                      id:         ia-5.1.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(1)(c)
-                      prose: 
-                        """
-                          the information system stores and transmits only encrypted representations of
-                                               passwords;
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.c
-                          rel:  corresp
-                          text: IA-5(1)(c)
-                    - 
-                      id:         ia-5.1.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(d)
-                      parts: 
-                        - 
-                          id:         ia-5.1.d_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[1]
-                          prose: 
-                            """
-                              the organization defines numbers for password minimum lifetime restrictions
-                                                      to be enforced for passwords;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[2]
-                          prose: 
-                            """
-                              the organization defines numbers for password maximum lifetime restrictions
-                                                      to be enforced for passwords;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[3]
-                          prose: 
-                            """
-                              the information system enforces password minimum lifetime restrictions of
-                                                      organization-defined numbers for lifetime minimum;
-                            """
-                        - 
-                          id:         ia-5.1.d_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(d)[4]
-                          prose: 
-                            """
-                              the information system enforces password maximum lifetime restrictions of
-                                                      organization-defined numbers for lifetime maximum;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.d
-                          rel:  corresp
-                          text: IA-5(1)(d)
-                    - 
-                      id:         ia-5.1.e_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(1)(e)
-                      parts: 
-                        - 
-                          id:         ia-5.1.e_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IA-5(1)(e)[1]
-                          prose: 
-                            """
-                              the organization defines the number of password generations to be prohibited
-                                                      from password reuse;
-                            """
-                        - 
-                          id:         ia-5.1.e_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(1)(e)[2]
-                          prose: 
-                            """
-                              the information system prohibits password reuse for the organization-defined
-                                                      number of generations; and
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.e
-                          rel:  corresp
-                          text: IA-5(1)(e)
-                    - 
-                      id:         ia-5.1.f_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(1)(f)
-                      prose: 
-                        """
-                          the information system allows the use of a temporary password for system logons
-                                               with an immediate change to a permanent password.
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.1_smt.f
-                          rel:  corresp
-                          text: IA-5(1)(f)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing password-based
-                                               authenticator management capability
-                        """
-            - 
-              id:         ia-5.2
-              class:      SP800-53-enhancement
-              title:      Pki-based Authentication
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(2)
-                - 
-                  name:  sort-id
-                  value: ia-05.02
-              parts: 
-                - 
-                  id:    ia-5.2_smt
-                  name:  statement
-                  prose: The information system, for PKI-based authentication:
-                  parts: 
-                    - 
-                      id:         ia-5.2_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Validates certifications by constructing and verifying a certification path to
-                                               an accepted trust anchor including checking certificate status information;
-                        """
-                    - 
-                      id:         ia-5.2_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Enforces authorized access to the corresponding private key;
-                    - 
-                      id:         ia-5.2_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          Maps the authenticated identity to the account of the individual or group;
-                                               and
-                        """
-                    - 
-                      id:         ia-5.2_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose: 
-                        """
-                          Implements a local cache of revocation data to support path discovery and
-                                               validation in case of inability to access revocation information via the
-                                               network.
-                        """
-                - 
-                  id:    ia-5.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Status information for certification paths includes, for example, certificate
-                                        revocation lists or certificate status protocol responses. For PIV cards,
-                                        validation of certifications involves the construction and verification of a
-                                        certification path to the Common Policy Root trust anchor including certificate
-                                        policy processing.
-                    """
-                  links: 
-                    - 
-                      href: #ia-6
-                      rel:  related
-                      text: IA-6
-                - 
-                  id:    ia-5.2_obj
-                  name:  objective
-                  prose: Determine if the information system, for PKI-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.2.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(2)(a)
-                      parts: 
-                        - 
-                          id:         ia-5.2.a_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(2)(a)[1]
-                          prose: 
-                            """
-                              validates certifications by constructing a certification path to an accepted
-                                                      trust anchor;
-                            """
-                        - 
-                          id:         ia-5.2.a_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(2)(a)[2]
-                          prose: 
-                            """
-                              validates certifications by verifying a certification path to an accepted
-                                                      trust anchor;
-                            """
-                        - 
-                          id:         ia-5.2.a_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IA-5(2)(a)[3]
-                          prose: 
-                            """
-                              includes checking certificate status information when constructing and
-                                                      verifying the certification path;
-                            """
-                      links: 
-                        - 
-                          href: #ia-5.2_smt.a
-                          rel:  corresp
-                          text: IA-5(2)(a)
-                    - 
-                      id:         ia-5.2.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(2)(b)
-                      prose:      enforces authorized access to the corresponding private key;
-                      links: 
-                        - 
-                          href: #ia-5.2_smt.b
-                          rel:  corresp
-                          text: IA-5(2)(b)
-                    - 
-                      id:         ia-5.2.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(2)(c)
-                      prose: 
-                        """
-                          maps the authenticated identity to the account of the individual or group;
-                                               and
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.2_smt.c
-                          rel:  corresp
-                          text: IA-5(2)(c)
-                    - 
-                      id:         ia-5.2.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(2)(d)
-                      prose: 
-                        """
-                          implements a local cache of revocation data to support path discovery and
-                                               validation in case of inability to access revocation information via the
-                                               network.
-                        """
-                      links: 
-                        - 
-                          href: #ia-5.2_smt.d
-                          rel:  corresp
-                          text: IA-5(2)(d)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with PKI-based, authenticator management
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing PKI-based, authenticator
-                                               management capability
-                        """
-            - 
-              id:         ia-5.3
-              class:      SP800-53-enhancement
-              title:      In-person or Trusted Third-party Registration
-              parameters: 
-                - 
-                  id:          ia-5.3_prm_1
-                  label:       organization-defined types of and/or specific authenticators
-                  constraints: 
-                    - 
-                      detail: All hardware/biometric (multifactor authenticators)
-                - 
-                  id:          ia-5.3_prm_2
-                  constraints: 
-                    - 
-                      detail: in person
-                - 
-                  id:    ia-5.3_prm_3
-                  label: organization-defined registration authority
-                - 
-                  id:    ia-5.3_prm_4
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(3)
-                - 
-                  name:  sort-id
-                  value: ia-05.03
-              parts: 
-                - 
-                  id:    ia-5.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires that the registration process to receive {{ ia-5.3_prm_1 }} be conducted {{ ia-5.3_prm_2 }} before
-                                           {{ ia-5.3_prm_3 }} with authorization by {{ ia-5.3_prm_4 }}.
-                    """
-                - 
-                  id:    ia-5.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-5.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(3)[1]
-                      prose: 
-                        """
-                          defines types of and/or specific authenticators to be received in person or by
-                                               a trusted third party;
-                        """
-                    - 
-                      id:         ia-5.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(3)[2]
-                      prose: 
-                        """
-                          defines the registration authority with oversight of the registration process
-                                               for receipt of organization-defined types of and/or specific
-                                               authenticators;
-                        """
-                    - 
-                      id:         ia-5.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(3)[3]
-                      prose: 
-                        """
-                          defines personnel or roles responsible for authorizing organization-defined
-                                               registration authority;
-                        """
-                    - 
-                      id:         ia-5.3_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(3)[4]
-                      prose:      defines if the registration process is to be conducted:
-                      parts: 
-                        - 
-                          id:         ia-5.3_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(3)[4][a]
-                          prose:      in person; or
-                        - 
-                          id:         ia-5.3_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IA-5(3)[4][b]
-                          prose:      by a trusted third party; and
-                    - 
-                      id:         ia-5.3_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IA-5(3)[5]
-                      prose: 
-                        """
-                          requires that the registration process to receive organization-defined types of
-                                               and/or specific authenticators be conducted in person or by a trusted third
-                                               party before organization-defined registration authority with authorization by
-                                               organization-defined personnel or roles.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\nregistration process for receiving information system authenticators\n\nlist of authenticators requiring in-person registration\n\nlist of authenticators requiring trusted third party registration\n\nauthenticator registration documentation\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\nregistration authority\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ia-5.4
-              class:      SP800-53-enhancement
-              title:      Automated Support for Password Strength Determination
-              parameters: 
-                - 
-                  id:    ia-5.4_prm_1
-                  label: organization-defined requirements
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(4)
-                - 
-                  name:  sort-id
-                  value: ia-05.04
-              parts: 
-                - 
-                  id:    ia-5.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated tools to determine if password authenticators
-                                        are sufficiently strong to satisfy {{ ia-5.4_prm_1 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    ia-5.4_fr
-                      name:  item
-                      title: IA-5 (4) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ia-5.4_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.
-                - 
-                  id:    ia-5.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement focuses on the creation of strong passwords and the
-                                        characteristics of such passwords (e.g., complexity) prior to use, the enforcement
-                                        of which is carried out by organizational information systems in IA-5 (1).
-                    """
-                  links: 
-                    - 
-                      href: #ca-2
-                      rel:  related
-                      text: CA-2
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    ia-5.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-5.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(4)[1]
-                      prose:      defines requirements to be satisfied by password authenticators; and
-                    - 
-                      id:         ia-5.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(4)[2]
-                      prose: 
-                        """
-                          employs automated tools to determine if password authenticators are
-                                               sufficiently strong to satisfy organization-defined requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nautomated tools for evaluating password authenticators\n\npassword strength assessment results\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing password-based
-                                               authenticator management capability\n\nautomated tools for determining password strength
-                        """
-            - 
-              id:         ia-5.6
-              class:      SP800-53-enhancement
-              title:      Protection of Authenticators
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(6)
-                - 
-                  name:  sort-id
-                  value: ia-05.06
-              parts: 
-                - 
-                  id:    ia-5.6_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization protects authenticators commensurate with the security category
-                                        of the information to which use of the authenticator permits access.
-                    """
-                - 
-                  id:    ia-5.6_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      For information systems containing multiple security categories of information
-                                        without reliable physical or logical separation between categories, authenticators
-                                        used to grant access to the systems are protected commensurate with the highest
-                                        security category of information on the systems.
-                    """
-                - 
-                  id:         ia-5.6_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization protects authenticators commensurate with the
-                                        security category of the information to which use of the authenticator permits
-                                        access.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the information system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and/or maintaining authenticator
-                                               protections\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing authenticator management
-                                               capability\n\nautomated mechanisms protecting authenticators
-                        """
-            - 
-              id:         ia-5.7
-              class:      SP800-53-enhancement
-              title:      No Embedded Unencrypted Static Authenticators
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(7)
-                - 
-                  name:  sort-id
-                  value: ia-05.07
-              parts: 
-                - 
-                  id:    ia-5.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization ensures that unencrypted static authenticators are not embedded
-                                        in applications or access scripts or stored on function keys.
-                    """
-                - 
-                  id:    ia-5.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations exercise caution in determining whether embedded or stored
-                                        authenticators are in encrypted or unencrypted form. If authenticators are used in
-                                        the manner stored, then those representations are considered unencrypted
-                                        authenticators. This is irrespective of whether that representation is perhaps an
-                                        encrypted version of something else (e.g., a password).
-                    """
-                - 
-                  id:    ia-5.7_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization ensures that unencrypted static authenticators are
-                                        not: 
-                    """
-                  parts: 
-                    - 
-                      id:         ia-5.7_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(7)[1]
-                      prose:      embedded in applications;
-                    - 
-                      id:         ia-5.7_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(7)[2]
-                      prose:      embedded in access scripts; or
-                    - 
-                      id:         ia-5.7_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IA-5(7)[3]
-                      prose:      stored on function keys.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing authenticator management
-                                               capability\n\nautomated mechanisms implementing authentication in applications
-                        """
-            - 
-              id:         ia-5.11
-              class:      SP800-53-enhancement
-              title:      Hardware Token-based Authentication
-              parameters: 
-                - 
-                  id:    ia-5.11_prm_1
-                  label: organization-defined token quality requirements
-              properties: 
-                - 
-                  name:  label
-                  value: IA-5(11)
-                - 
-                  name:  sort-id
-                  value: ia-05.11
-              parts: 
-                - 
-                  id:    ia-5.11_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system, for hardware token-based authentication, employs
-                                        mechanisms that satisfy {{ ia-5.11_prm_1 }}.
-                    """
-                - 
-                  id:    ia-5.11_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Hardware token-based authentication typically refers to the use of PKI-based
-                                        tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                                        Organizations define specific requirements for tokens, such as working with a
-                                        particular PKI.
-                    """
-                - 
-                  id:    ia-5.11_obj
-                  name:  objective
-                  prose: Determine if, for hardware token-based authentication: 
-                  parts: 
-                    - 
-                      id:         ia-5.11_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-5(11)[1]
-                      prose:      the organization defines token quality requirements to be satisfied; and
-                    - 
-                      id:         ia-5.11_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-5(11)[2]
-                      prose: 
-                        """
-                          the information system employs mechanisms that satisfy organization-defined
-                                               token quality requirements.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the
-                                               information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing hardware token-based
-                                               authenticator management capability
-                        """
-        - 
-          id:         ia-6
-          class:      SP800-53
-          title:      Authenticator Feedback
-          properties: 
-            - 
-              name:  label
-              value: IA-6
-            - 
-              name:  sort-id
-              value: ia-06
-          parts: 
-            - 
-              id:    ia-6_smt
-              name:  statement
-              prose: 
-                """
-                  The information system obscures feedback of authentication information during the
-                                 authentication process to protect the information from possible exploitation/use by
-                                 unauthorized individuals.
-                """
-            - 
-              id:    ia-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  The feedback from information systems does not provide information that would allow
-                                 unauthorized individuals to compromise authentication mechanisms. For some types of
-                                 information systems or system components, for example, desktops/notebooks with
-                                 relatively large monitors, the threat (often referred to as shoulder surfing) may be
-                                 significant. For other types of systems or components, for example, mobile devices
-                                 with 2-4 inch screens, this threat may be less significant, and may need to be
-                                 balanced against the increased likelihood of typographic input errors due to the
-                                 small keyboards. Therefore, the means for obscuring the authenticator feedback is
-                                 selected accordingly. Obscuring the feedback of authentication information includes,
-                                 for example, displaying asterisks when users type passwords into input devices, or
-                                 displaying feedback for a very limited time before fully obscuring it.
-                """
-              links: 
-                - 
-                  href: #pe-18
-                  rel:  related
-                  text: PE-18
-            - 
-              id:         ia-6_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system obscures feedback of authentication information
-                                 during the authentication process to protect the information from possible
-                                 exploitation/use by unauthorized individuals.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                                        authentication information during authentication
-                    """
-        - 
-          id:         ia-7
-          class:      SP800-53
-          title:      Cryptographic Module Authentication
-          properties: 
-            - 
-              name:  label
-              value: IA-7
-            - 
-              name:  sort-id
-              value: ia-07
-          links: 
-            - 
-              href: #39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-              rel:  reference
-              text: FIPS Publication 140
-            - 
-              href: #b09d1a31-d3c9-4138-a4f4-4c63816afd7d
-              rel:  reference
-              text: http://csrc.nist.gov/groups/STM/cmvp/index.html
-          parts: 
-            - 
-              id:    ia-7_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements mechanisms for authentication to a cryptographic
-                                 module that meet the requirements of applicable federal laws, Executive Orders,
-                                 directives, policies, regulations, standards, and guidance for such
-                                 authentication.
-                """
-            - 
-              id:    ia-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Authentication mechanisms may be required within a cryptographic module to
-                                 authenticate an operator accessing the module and to verify that the operator is
-                                 authorized to assume the requested role and perform services within that role.
-                """
-              links: 
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:         ia-7_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system implements mechanisms for authentication to a
-                                 cryptographic module that meet the requirements of applicable federal laws, Executive
-                                 Orders, directives, policies, regulations, standards, and guidance for such
-                                 authentication.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for cryptographic module
-                                        authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing cryptographic module
-                                        authentication
-                    """
-        - 
-          id:         ia-8
-          class:      SP800-53
-          title:      Identification and Authentication (non-organizational Users)
-          properties: 
-            - 
-              name:  label
-              value: IA-8
-            - 
-              name:  sort-id
-              value: ia-08
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #74e740a4-c45d-49f3-a86e-eb747c549e01
-              rel:  reference
-              text: OMB Memorandum 11-11
-            - 
-              href: #599fe9ba-4750-4450-9eeb-b95bd19a5e8f
-              rel:  reference
-              text: OMB Memorandum 10-06-2011
-            - 
-              href: #ba557c91-ba3e-4792-adc6-a4ae479b39ff
-              rel:  reference
-              text: FICAM Roadmap and Implementation Guidance
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #2157bb7e-192c-4eaa-877f-93ef6b0a3292
-              rel:  reference
-              text: NIST Special Publication 800-116
-            - 
-              href: #654f21e2-f3bc-43b2-abdc-60ab8d09744b
-              rel:  reference
-              text: 
-                """
-                  National Strategy for Trusted Identities in
-                              Cyberspace
-                """
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ia-8_smt
-              name:  statement
-              prose: 
-                """
-                  The information system uniquely identifies and authenticates non-organizational users
-                                 (or processes acting on behalf of non-organizational users).
-                """
-            - 
-              id:    ia-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Non-organizational users include information system users other than organizational
-                                 users explicitly covered by IA-2. These individuals are uniquely identified and
-                                 authenticated for accesses other than those accesses explicitly identified and
-                                 documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-                                 authentication of non-organizational users accessing federal information systems may
-                                 be required to protect federal, proprietary, or privacy-related information (with
-                                 exceptions noted for national security systems). Organizations use risk assessments
-                                 to determine authentication needs and consider scalability, practicality, and
-                                 security in balancing the need to ensure ease of use for access to federal
-                                 information and information systems with the need to protect and adequately mitigate
-                                 risk. IA-2 addresses identification and authentication requirements for access to
-                                 information systems by organizational users.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-            - 
-              id:    ia-8_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information system uniquely identifies and authenticates
-                                 non-organizational users (or processes acting on behalf of non-organizational
-                                 users).
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing identification and
-                                        authentication capability
-                    """
-          controls: 
-            - 
-              id:         ia-8.1
-              class:      SP800-53-enhancement
-              title:      Acceptance of PIV Credentials from Other Agencies
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(1)
-                - 
-                  name:  sort-id
-                  value: ia-08.01
-              parts: 
-                - 
-                  id:    ia-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system accepts and electronically verifies Personal Identity
-                                        Verification (PIV) credentials from other federal agencies.
-                    """
-                - 
-                  id:    ia-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to logical access control systems (LACS) and
-                                        physical access control systems (PACS). Personal Identity Verification (PIV)
-                                        credentials are those credentials issued by federal agencies that conform to FIPS
-                                        Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                                        federal agencies to continue implementing the requirements specified in HSPD-12 to
-                                        enable agency-wide use of PIV credentials.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #pe-3
-                      rel:  related
-                      text: PE-3
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.1_obj
-                  name:  objective
-                  prose: Determine if the information system: 
-                  parts: 
-                    - 
-                      id:         ia-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(1)[1]
-                      prose: 
-                        """
-                          accepts Personal Identity Verification (PIV) credentials from other agencies;
-                                               and
-                        """
-                    - 
-                      id:         ia-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(1)[2]
-                      prose: 
-                        """
-                          electronically verifies Personal Identity Verification (PIV) credentials from
-                                               other agencies.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms that accept and verify PIV credentials
-                        """
-            - 
-              id:         ia-8.2
-              class:      SP800-53-enhancement
-              title:      Acceptance of Third-party Credentials
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(2)
-                - 
-                  name:  sort-id
-                  value: ia-08.02
-              parts: 
-                - 
-                  id:    ia-8.2_smt
-                  name:  statement
-                  prose: The information system accepts only FICAM-approved third-party credentials.
-                - 
-                  id:    ia-8.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement typically applies to organizational information systems
-                                        that are accessible to the general public, for example, public-facing websites.
-                                        Third-party credentials are those credentials issued by nonfederal government
-                                        entities approved by the Federal Identity, Credential, and Access Management
-                                        (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                                        meet or exceed the set of minimum federal government-wide technical, security,
-                                        privacy, and organizational maturity requirements. This allows federal government
-                                        relying parties to trust such credentials at their approved assurance levels.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                - 
-                  id:         ia-8.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system accepts only FICAM-approved third-party
-                                        credentials. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or
-                                               services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials
-                        """
-            - 
-              id:         ia-8.3
-              class:      SP800-53-enhancement
-              title:      Use of Ficam-approved Products
-              parameters: 
-                - 
-                  id:    ia-8.3_prm_1
-                  label: organization-defined information systems
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(3)
-                - 
-                  name:  sort-id
-                  value: ia-08.03
-              parts: 
-                - 
-                  id:    ia-8.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs only FICAM-approved information system components in
-                                           {{ ia-8.3_prm_1 }} to accept third-party credentials.
-                    """
-                - 
-                  id:    ia-8.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement typically applies to information systems that are
-                                        accessible to the general public, for example, public-facing websites.
-                                        FICAM-approved information system components include, for example, information
-                                        technology products and software libraries that have been approved by the Federal
-                                        Identity, Credential, and Access Management conformance program.
-                    """
-                  links: 
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:    ia-8.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ia-8.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IA-8(3)[1]
-                      prose: 
-                        """
-                          defines information systems in which only FICAM-approved information system
-                                               components are to be employed to accept third-party credentials; and
-                        """
-                    - 
-                      id:         ia-8.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IA-8(3)[2]
-                      prose: 
-                        """
-                          employs only FICAM-approved information system components in
-                                               organization-defined information systems to accept third-party credentials.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the
-                                               acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented
-                                               by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and
-                                               contracting responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability
-                        """
-            - 
-              id:         ia-8.4
-              class:      SP800-53-enhancement
-              title:      Use of Ficam-issued Profiles
-              properties: 
-                - 
-                  name:  label
-                  value: IA-8(4)
-                - 
-                  name:  sort-id
-                  value: ia-08.04
-              parts: 
-                - 
-                  id:    ia-8.4_smt
-                  name:  statement
-                  prose: The information system conforms to FICAM-issued profiles.
-                - 
-                  id:    ia-8.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement addresses open identity management standards. To ensure
-                                        that these standards are viable, robust, reliable, sustainable (e.g., available in
-                                        commercial information technology products), and interoperable as documented, the
-                                        United States Government assesses and scopes identity management standards and
-                                        technology implementations against applicable federal legislation, directives,
-                                        policies, and requirements. The result is FICAM-issued implementation profiles of
-                                        approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                                        OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                                        Exchange).
-                    """
-                  links: 
-                    - 
-                      href: #sa-4
-                      rel:  related
-                      text: SA-4
-                - 
-                  id:         ia-8.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose:      Determine if the information system conforms to FICAM-issued profiles. 
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the
-                                               acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system operations
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing identification and
-                                               authentication capability\n\nautomated mechanisms supporting and/or implementing conformance with
-                                               FICAM-issued profiles
-                        """
-    - 
-      id:       ir
-      class:    family
-      title:    Incident Response
-      controls: 
-        - 
-          id:         ir-1
-          class:      SP800-53
-          title:      Incident Response Policy and Procedures
-          parameters: 
-            - 
-              id:    ir-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ir-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ir-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-1
-            - 
-              name:  sort-id
-              value: ir-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ir-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ir-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ir-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          An incident response policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ir-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the incident response policy and
-                                               associated incident response controls; and
-                        """
-                - 
-                  id:         ir-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ir-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Incident response policy {{ ir-1_prm_2 }}; and
-                    - 
-                      id:         ir-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Incident response procedures {{ ir-1_prm_3 }}.
-            - 
-              id:    ir-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the IR
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ir-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-1(a)
-                  parts: 
-                    - 
-                      id:         ir-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ir-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[1]
-                          prose:      develops and documents an incident response policy that addresses:
-                          parts: 
-                            - 
-                              id:         ir-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ir-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ir-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ir-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ir-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ir-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ir-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: IR-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ir-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the incident response policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ir-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the incident response policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ir-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ir-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      incident response policy and associated incident response controls;
-                            """
-                        - 
-                          id:         ir-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ir-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ir-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-1(b)
-                  parts: 
-                    - 
-                      id:         ir-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ir-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current incident response
-                                                      policy;
-                            """
-                        - 
-                          id:         ir-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current incident response policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ir-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ir-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current incident response
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ir-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current incident response procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ir-2
-          class:      SP800-53
-          title:      Incident Response Training
-          parameters: 
-            - 
-              id:    ir-2_prm_1
-              label: organization-defined time period
-            - 
-              id:          ir-2_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-2
-            - 
-              name:  sort-id
-              value: ir-02
-          links: 
-            - 
-              href: #825438c3-248d-4e30-a51e-246473ce6ada
-              rel:  reference
-              text: NIST Special Publication 800-16
-            - 
-              href: #e12b5738-de74-4fb3-8317-a3995a8a1898
-              rel:  reference
-              text: NIST Special Publication 800-50
-          parts: 
-            - 
-              id:    ir-2_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides incident response training to information system users
-                                 consistent with assigned roles and responsibilities:
-                """
-              parts: 
-                - 
-                  id:         ir-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Within {{ ir-2_prm_1 }} of assuming an incident response role or
-                                        responsibility;
-                    """
-                - 
-                  id:         ir-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      When required by information system changes; and
-                - 
-                  id:         ir-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      
-                                        {{ ir-2_prm_2 }} thereafter.
-                    """
-            - 
-              id:    ir-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Incident response training provided by organizations is linked to the assigned roles
-                                 and responsibilities of organizational personnel to ensure the appropriate content
-                                 and level of detail is included in such training. For example, regular users may only
-                                 need to know who to call or how to recognize an incident on the information system;
-                                 system administrators may require additional training on how to handle/remediate
-                                 incidents; and incident responders may receive more specific training on forensics,
-                                 reporting, system recovery, and restoration. Incident response training includes user
-                                 training in the identification and reporting of suspicious activities, both from
-                                 external and internal sources.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-3
-                  rel:  related
-                  text: CP-3
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(a)
-                  parts: 
-                    - 
-                      id:         ir-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-2(a)[1]
-                      prose: 
-                        """
-                          defines a time period within which incident response training is to be provided
-                                               to information system users assuming an incident response role or
-                                               responsibility;
-                        """
-                    - 
-                      id:         ir-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-2(a)[2]
-                      prose: 
-                        """
-                          provides incident response training to information system users consistent with
-                                               assigned roles and responsibilities within the organization-defined time period
-                                               of assuming an incident response role or responsibility;
-                        """
-                - 
-                  id:         ir-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: IR-2(b)
-                  prose: 
-                    """
-                      provides incident response training to information system users consistent with
-                                        assigned roles and responsibilities when required by information system
-                                        changes;
-                    """
-                - 
-                  id:         ir-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-2(c)
-                  parts: 
-                    - 
-                      id:         ir-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide refresher incident response training to
-                                               information system users consistent with assigned roles or responsibilities;
-                                               and
-                        """
-                    - 
-                      id:         ir-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-2(c)[2]
-                      prose: 
-                        """
-                          after the initial incident response training, provides refresher incident
-                                               response training to information system users consistent with assigned roles
-                                               and responsibilities in accordance with the organization-defined frequency to
-                                               provide refresher training.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with incident response training and operational
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         ir-3
-          class:      SP800-53
-          title:      Incident Response Testing
-          parameters: 
-            - 
-              id:          ir-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ir-3_prm_2
-              label:       organization-defined tests
-              constraints: 
-                - 
-                  detail: see additional FedRAMP Requirements and Guidance
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-3
-            - 
-              name:  sort-id
-              value: ir-03
-          links: 
-            - 
-              href: #0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-              rel:  reference
-              text: NIST Special Publication 800-84
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-          parts: 
-            - 
-              id:    ir-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization tests the incident response capability for the information system
-                                    {{ ir-3_prm_1 }} using {{ ir-3_prm_2 }} to determine
-                                 the incident response effectiveness and documents the results.
-                """
-              parts: 
-                - 
-                  id:    ir-3_fr
-                  name:  item
-                  title: IR-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-3_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-3 -2 Requirement:
-                      prose:      The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
-            - 
-              id:    ir-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations test incident response capabilities to determine the overall
-                                 effectiveness of the capabilities and to identify potential weaknesses or
-                                 deficiencies. Incident response testing includes, for example, the use of checklists,
-                                 walk-through or tabletop exercises, simulations (parallel/full interrupt), and
-                                 comprehensive exercises. Incident response testing can also include a determination
-                                 of the effects on organizational operations (e.g., reduction in mission
-                                 capabilities), organizational assets, and individuals due to incident response.
-                """
-              links: 
-                - 
-                  href: #cp-4
-                  rel:  related
-                  text: CP-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-3[1]
-                  prose: 
-                    """
-                      defines incident response tests to test the incident response capability for the
-                                        information system;
-                    """
-                - 
-                  id:         ir-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-3[2]
-                  prose: 
-                    """
-                      defines the frequency to test the incident response capability for the information
-                                        system; and
-                    """
-                - 
-                  id:         ir-3_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: IR-3[3]
-                  prose: 
-                    """
-                      tests the incident response capability for the information system with the
-                                        organization-defined frequency, using organization-defined tests to determine the
-                                        incident response effectiveness and documents the results.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities
-          controls: 
-            - 
-              id:         ir-3.2
-              class:      SP800-53-enhancement
-              title:      Coordination with Related Plans
-              properties: 
-                - 
-                  name:  label
-                  value: IR-3(2)
-                - 
-                  name:  sort-id
-                  value: ir-03.02
-              parts: 
-                - 
-                  id:    ir-3.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization coordinates incident response testing with organizational
-                                        elements responsible for related plans.
-                    """
-                - 
-                  id:    ir-3.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational plans related to incident response testing include, for example,
-                                        Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity
-                                        of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                                        and Occupant Emergency Plans.
-                    """
-                - 
-                  id:         ir-3.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                  prose: 
-                    """
-                      Determine if the organization coordinates incident response testing with
-                                        organizational elements responsible for related plans. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans
-                                               related to incident response testing\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         ir-4
-          class:      SP800-53
-          title:      Incident Handling
-          properties: 
-            - 
-              name:  label
-              value: IR-4
-            - 
-              name:  sort-id
-              value: ir-04
-          links: 
-            - 
-              href: #c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-              rel:  reference
-              text: Executive Order 13587
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Implements an incident handling capability for security incidents that includes
-                                        preparation, detection and analysis, containment, eradication, and recovery;
-                    """
-                - 
-                  id:         ir-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Coordinates incident handling activities with contingency planning activities;
-                                        and
-                    """
-                - 
-                  id:         ir-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Incorporates lessons learned from ongoing incident handling activities into
-                                        incident response procedures, training, and testing, and implements the resulting
-                                        changes accordingly.
-                    """
-                - 
-                  id:    ir-4_fr
-                  name:  item
-                  title: IR-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-4_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-            - 
-              id:    ir-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations recognize that incident response capability is dependent on the
-                                 capabilities of organizational information systems and the mission/business processes
-                                 being supported by those systems. Therefore, organizations consider incident response
-                                 as part of the definition, design, and development of mission/business processes and
-                                 information systems. Incident-related information can be obtained from a variety of
-                                 sources including, for example, audit monitoring, network monitoring, physical access
-                                 monitoring, user/administrator reports, and reported supply chain events. Effective
-                                 incident handling capability includes coordination among many organizational entities
-                                 including, for example, mission/business owners, information system owners,
-                                 authorizing officials, human resources offices, physical and personnel security
-                                 offices, legal departments, operations personnel, procurement offices, and the risk
-                                 executive (function).
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-4
-                  rel:  related
-                  text: CP-4
-                - 
-                  href: #ir-2
-                  rel:  related
-                  text: IR-2
-                - 
-                  href: #ir-3
-                  rel:  related
-                  text: IR-3
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    ir-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: IR-4(a)
-                  prose: 
-                    """
-                      implements an incident handling capability for security incidents that
-                                        includes:
-                    """
-                  parts: 
-                    - 
-                      id:         ir-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[1]
-                      prose:      preparation;
-                    - 
-                      id:         ir-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[2]
-                      prose:      detection and analysis;
-                    - 
-                      id:         ir-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[3]
-                      prose:      containment;
-                    - 
-                      id:         ir-4.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[4]
-                      prose:      eradication;
-                    - 
-                      id:         ir-4.a_obj.5
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-4(a)[5]
-                      prose:      recovery;
-                - 
-                  id:         ir-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: IR-4(b)
-                  prose:      coordinates incident handling activities with contingency planning activities;
-                - 
-                  id:         ir-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-4(c)
-                  parts: 
-                    - 
-                      id:         ir-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-4(c)[1]
-                      prose: 
-                        """
-                          incorporates lessons learned from ongoing incident handling activities
-                                               into:
-                        """
-                      parts: 
-                        - 
-                          id:         ir-4.c_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][a]
-                          prose:      incident response procedures;
-                        - 
-                          id:         ir-4.c_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][b]
-                          prose:      training;
-                        - 
-                          id:         ir-4.c_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[1][c]
-                          prose:      testing/exercises;
-                    - 
-                      id:         ir-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-4(c)[2]
-                      prose:      implements the resulting changes accordingly to:
-                      parts: 
-                        - 
-                          id:         ir-4.c_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][a]
-                          prose:      incident response procedures;
-                        - 
-                          id:         ir-4.c_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][b]
-                          prose:      training; and
-                        - 
-                          id:         ir-4.c_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-4(c)[2][c]
-                          prose:      testing/exercises.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident handling capability for the organization
-          controls: 
-            - 
-              id:         ir-4.1
-              class:      SP800-53-enhancement
-              title:      Automated Incident Handling Processes
-              properties: 
-                - 
-                  name:  label
-                  value: IR-4(1)
-                - 
-                  name:  sort-id
-                  value: ir-04.01
-              parts: 
-                - 
-                  id:    ir-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to support the incident handling
-                                        process.
-                    """
-                - 
-                  id:    ir-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms supporting incident handling processes include, for example,
-                                        online incident management systems.
-                    """
-                - 
-                  id:         ir-4.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to support the incident
-                                        handling process. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms that support and/or implement the incident handling
-                                               process
-                        """
-        - 
-          id:         ir-5
-          class:      SP800-53
-          title:      Incident Monitoring
-          properties: 
-            - 
-              name:  label
-              value: IR-5
-            - 
-              name:  sort-id
-              value: ir-05
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-5_smt
-              name:  statement
-              prose: The organization tracks and documents information system security incidents.
-            - 
-              id:    ir-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Documenting information system security incidents includes, for example, maintaining
-                                 records about each incident, the status of the incident, and other pertinent
-                                 information necessary for forensics, evaluating incident details, trends, and
-                                 handling. Incident information can be obtained from a variety of sources including,
-                                 for example, incident reports, incident response teams, audit monitoring, network
-                                 monitoring, physical access monitoring, and user/administrator reports.
-                """
-              links: 
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #pe-6
-                  rel:  related
-                  text: PE-6
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    ir-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-5[1]
-                  prose:      tracks information system security incidents; and
-                - 
-                  id:         ir-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-5[2]
-                  prose:      documents information system security incidents.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Incident monitoring capability for the organization\n\nautomated mechanisms supporting and/or implementing tracking and documenting of
-                                        system security incidents
-                    """
-        - 
-          id:         ir-6
-          class:      SP800-53
-          title:      Incident Reporting
-          parameters: 
-            - 
-              id:          ir-6_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-            - 
-              id:    ir-6_prm_2
-              label: organization-defined authorities
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-6
-            - 
-              name:  sort-id
-              value: ir-06
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #02631467-668b-4233-989b-3dfded2fd184
-              rel:  reference
-              text: http://www.us-cert.gov
-          parts: 
-            - 
-              id:    ir-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires personnel to report suspected security incidents to the organizational
-                                        incident response capability within {{ ir-6_prm_1 }}; and
-                    """
-                - 
-                  id:         ir-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reports security incident information to {{ ir-6_prm_2 }}.
-                - 
-                  id:    ir-6_fr
-                  name:  item
-                  title: IR-6 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-6_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      Report security incident information according to FedRAMP Incident Communications Procedure.
-            - 
-              id:    ir-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  The intent of this control is to address both specific incident reporting
-                                 requirements within an organization and the formal incident reporting requirements
-                                 for federal agencies and their subordinate organizations. Suspected security
-                                 incidents include, for example, the receipt of suspicious email communications that
-                                 can potentially contain malicious code. The types of security incidents reported, the
-                                 content and timeliness of the reports, and the designated reporting authorities
-                                 reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-                                 standards, and guidance. Current federal policy requires that all federal agencies
-                                 (unless specifically exempted from such requirements) report security incidents to
-                                 the United States Computer Emergency Readiness Team (US-CERT) within specified time
-                                 frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-                                 Incident Handling.
-                """
-              links: 
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-5
-                  rel:  related
-                  text: IR-5
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    ir-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-6(a)
-                  parts: 
-                    - 
-                      id:         ir-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-6(a)[1]
-                      prose: 
-                        """
-                          defines the time period within which personnel report suspected security
-                                               incidents to the organizational incident response capability;
-                        """
-                    - 
-                      id:         ir-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-6(a)[2]
-                      prose: 
-                        """
-                          requires personnel to report suspected security incidents to the organizational
-                                               incident response capability within the organization-defined time period;
-                        """
-                - 
-                  id:         ir-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-6(b)
-                  parts: 
-                    - 
-                      id:         ir-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-6(b)[1]
-                      prose: 
-                        """
-                          defines authorities to whom security incident information is to be reported;
-                                               and
-                        """
-                    - 
-                      id:         ir-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-6(b)[2]
-                      prose:      reports security incident information to organization-defined authorities.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing incident reporting
-          controls: 
-            - 
-              id:         ir-6.1
-              class:      SP800-53-enhancement
-              title:      Automated Reporting
-              properties: 
-                - 
-                  name:  label
-                  value: IR-6(1)
-                - 
-                  name:  sort-id
-                  value: ir-06.01
-              parts: 
-                - 
-                  id:    ir-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to assist in the reporting of
-                                        security incidents.
-                    """
-                - 
-                  id:    ir-6.1_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ir-7
-                      rel:  related
-                      text: IR-7
-                - 
-                  id:         ir-6.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to assist in the
-                                        reporting of security incidents.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing reporting of security
-                                               incidents
-                        """
-        - 
-          id:         ir-7
-          class:      SP800-53
-          title:      Incident Response Assistance
-          properties: 
-            - 
-              name:  label
-              value: IR-7
-            - 
-              name:  sort-id
-              value: ir-07
-          parts: 
-            - 
-              id:    ir-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides an incident response support resource, integral to the
-                                 organizational incident response capability that offers advice and assistance to
-                                 users of the information system for the handling and reporting of security
-                                 incidents.
-                """
-            - 
-              id:    ir-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Incident response support resources provided by organizations include, for example,
-                                 help desks, assistance groups, and access to forensics services, when required.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-6
-                  rel:  related
-                  text: IR-6
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-            - 
-              id:    ir-7_obj
-              name:  objective
-              prose: Determine if the organization provides an incident response support resource:
-              parts: 
-                - 
-                  id:         ir-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-7[1]
-                  prose:      that is integral to the organizational incident response capability; and
-                - 
-                  id:         ir-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-7[2]
-                  prose: 
-                    """
-                      that offers advice and assistance to users of the information system for the
-                                        handling and reporting of security incidents.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with incident response assistance and support
-                                        responsibilities\n\norganizational personnel with access to incident response support and assistance
-                                        capability\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing incident response
-                                        assistance
-                    """
-          controls: 
-            - 
-              id:         ir-7.1
-              class:      SP800-53-enhancement
-              title:      Automation Support for Availability of Information / Support
-              properties: 
-                - 
-                  name:  label
-                  value: IR-7(1)
-                - 
-                  name:  sort-id
-                  value: ir-07.01
-              parts: 
-                - 
-                  id:    ir-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to increase the availability of
-                                        incident response-related information and support.
-                    """
-                - 
-                  id:    ir-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated mechanisms can provide a push and/or pull capability for users to obtain
-                                        incident response assistance. For example, individuals might have access to a
-                                        website to query the assistance capability, or conversely, the assistance
-                                        capability may have the ability to proactively send information to users (general
-                                        distribution or targeted) as part of increasing understanding of current response
-                                        capabilities and support.
-                    """
-                - 
-                  id:         ir-7.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to increase the
-                                        availability of incident response-related information and support.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident response support and assistance
-                                               responsibilities\n\norganizational personnel with access to incident response support and
-                                               assistance capability\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing an increase in the
-                                               availability of incident response information and support
-                        """
-            - 
-              id:         ir-7.2
-              class:      SP800-53-enhancement
-              title:      Coordination with External Providers
-              properties: 
-                - 
-                  name:  label
-                  value: IR-7(2)
-                - 
-                  name:  sort-id
-                  value: ir-07.02
-              parts: 
-                - 
-                  id:    ir-7.2_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ir-7.2_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Establishes a direct, cooperative relationship between its incident response
-                                               capability and external providers of information system protection capability;
-                                               and
-                        """
-                    - 
-                      id:         ir-7.2_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Identifies organizational incident response team members to the external
-                                               providers.
-                        """
-                - 
-                  id:    ir-7.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      External providers of information system protection capability include, for
-                                        example, the Computer Network Defense program within the U.S. Department of
-                                        Defense. External providers help to protect, monitor, analyze, detect, and respond
-                                        to unauthorized activity within organizational information systems and
-                                        networks.
-                    """
-                - 
-                  id:    ir-7.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ir-7.2.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-7(2)(a)
-                      prose: 
-                        """
-                          establishes a direct, cooperative relationship between its incident response
-                                               capability and external providers of information system protection capability;
-                                               and
-                        """
-                      links: 
-                        - 
-                          href: #ir-7.2_smt.a
-                          rel:  corresp
-                          text: IR-7(2)(a)
-                    - 
-                      id:         ir-7.2.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-7(2)(b)
-                      prose: 
-                        """
-                          identifies organizational incident response team members to the external
-                                               providers.
-                        """
-                      links: 
-                        - 
-                          href: #ir-7.2_smt.b
-                          rel:  corresp
-                          text: IR-7(2)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with incident response support and assistance
-                                               responsibilities\n\nexternal providers of information system protection capability\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         ir-8
-          class:      SP800-53
-          title:      Incident Response Plan
-          parameters: 
-            - 
-              id:    ir-8_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ir-8_prm_2
-              label: 
-                """
-                  organization-defined incident response personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-              constraints: 
-                - 
-                  detail: see additional FedRAMP Requirements and Guidance
-            - 
-              id:          ir-8_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ir-8_prm_4
-              label: 
-                """
-                  organization-defined incident response personnel (identified by name and/or by
-                                 role) and organizational elements
-                """
-              constraints: 
-                - 
-                  detail: see additional FedRAMP Requirements and Guidance
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: IR-8
-            - 
-              name:  sort-id
-              value: ir-08
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-          parts: 
-            - 
-              id:    ir-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ir-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops an incident response plan that:
-                  parts: 
-                    - 
-                      id:         ir-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Provides the organization with a roadmap for implementing its incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Describes the structure and organization of the incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Provides a high-level approach for how the incident response capability fits
-                                               into the overall organization;
-                        """
-                    - 
-                      id:         ir-8_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Meets the unique requirements of the organization, which relate to mission,
-                                               size, structure, and functions;
-                        """
-                    - 
-                      id:         ir-8_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose:      Defines reportable incidents;
-                    - 
-                      id:         ir-8_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose: 
-                        """
-                          Provides metrics for measuring the incident response capability within the
-                                               organization;
-                        """
-                    - 
-                      id:         ir-8_smt.a.7
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 7.
-                      prose: 
-                        """
-                          Defines the resources and management support needed to effectively maintain and
-                                               mature an incident response capability; and
-                        """
-                    - 
-                      id:         ir-8_smt.a.8
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 8.
-                      prose:      Is reviewed and approved by {{ ir-8_prm_1 }};
-                - 
-                  id:         ir-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Distributes copies of the incident response plan to {{ ir-8_prm_2 }};
-                - 
-                  id:         ir-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews the incident response plan {{ ir-8_prm_3 }};
-                - 
-                  id:         ir-8_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Updates the incident response plan to address system/organizational changes or
-                                        problems encountered during plan implementation, execution, or testing;
-                    """
-                - 
-                  id:         ir-8_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Communicates incident response plan changes to {{ ir-8_prm_4 }};
-                                        and
-                    """
-                - 
-                  id:         ir-8_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Protects the incident response plan from unauthorized disclosure and
-                                        modification.
-                    """
-                - 
-                  id:    ir-8_fr
-                  name:  item
-                  title: IR-8 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ir-8_fr_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b) Requirement:
-                      prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-                    - 
-                      id:         ir-8_fr_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e) Requirement:
-                      prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-            - 
-              id:    ir-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  It is important that organizations develop and implement a coordinated approach to
-                                 incident response. Organizational missions, business functions, strategies, goals,
-                                 and objectives for incident response help to determine the structure of incident
-                                 response capabilities. As part of a comprehensive incident response capability,
-                                 organizations consider the coordination and sharing of information with external
-                                 organizations, including, for example, external service providers and organizations
-                                 involved in the supply chain for organizational information systems.
-                """
-              links: 
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-            - 
-              id:    ir-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ir-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(a)
-                  prose:      develops an incident response plan that:
-                  parts: 
-                    - 
-                      id:         ir-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(1)
-                      prose: 
-                        """
-                          provides the organization with a roadmap for implementing its incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(2)
-                      prose: 
-                        """
-                          describes the structure and organization of the incident response
-                                               capability;
-                        """
-                    - 
-                      id:         ir-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(3)
-                      prose: 
-                        """
-                          provides a high-level approach for how the incident response capability fits
-                                               into the overall organization;
-                        """
-                    - 
-                      id:         ir-8.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(4)
-                      prose:      meets the unique requirements of the organization, which relate to:
-                      parts: 
-                        - 
-                          id:         ir-8.a.4_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[1]
-                          prose:      mission;
-                        - 
-                          id:         ir-8.a.4_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[2]
-                          prose:      size;
-                        - 
-                          id:         ir-8.a.4_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[3]
-                          prose:      structure;
-                        - 
-                          id:         ir-8.a.4_obj.4
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: IR-8(a)(4)[4]
-                          prose:      functions;
-                    - 
-                      id:         ir-8.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(5)
-                      prose:      defines reportable incidents;
-                    - 
-                      id:         ir-8.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(a)(6)
-                      prose: 
-                        """
-                          provides metrics for measuring the incident response capability within the
-                                               organization;
-                        """
-                    - 
-                      id:         ir-8.a.7_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(a)(7)
-                      prose: 
-                        """
-                          defines the resources and management support needed to effectively maintain and
-                                               mature an incident response capability;
-                        """
-                    - 
-                      id:         ir-8.a.8_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(a)(8)
-                      parts: 
-                        - 
-                          id:         ir-8.a.8_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(a)(8)[1]
-                          prose: 
-                            """
-                              defines personnel or roles to review and approve the incident response
-                                                      plan;
-                            """
-                        - 
-                          id:         ir-8.a.8_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: IR-8(a)(8)[2]
-                          prose:      is reviewed and approved by organization-defined personnel or roles;
-                - 
-                  id:         ir-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(b)
-                  parts: 
-                    - 
-                      id:         ir-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(b)[1]
-                      parts: 
-                        - 
-                          id:         ir-8.b_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(b)[1][a]
-                          prose: 
-                            """
-                              defines incident response personnel (identified by name and/or by role) to
-                                                      whom copies of the incident response plan are to be distributed;
-                            """
-                        - 
-                          id:         ir-8.b_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(b)[1][b]
-                          prose: 
-                            """
-                              defines organizational elements to whom copies of the incident response plan
-                                                      are to be distributed;
-                            """
-                    - 
-                      id:         ir-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the incident response plan to organization-defined
-                                               incident response personnel (identified by name and/or by role) and
-                                               organizational elements;
-                        """
-                - 
-                  id:         ir-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(c)
-                  parts: 
-                    - 
-                      id:         ir-8.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-8(c)[1]
-                      prose:      defines the frequency to review the incident response plan;
-                    - 
-                      id:         ir-8.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-8(c)[2]
-                      prose:      reviews the incident response plan with the organization-defined frequency;
-                - 
-                  id:         ir-8.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-8(d)
-                  prose: 
-                    """
-                      updates the incident response plan to address system/organizational changes or
-                                        problems encountered during plan:
-                    """
-                  parts: 
-                    - 
-                      id:         ir-8.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[1]
-                      prose:      implementation;
-                    - 
-                      id:         ir-8.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[2]
-                      prose:      execution; or
-                    - 
-                      id:         ir-8.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(d)[3]
-                      prose:      testing;
-                - 
-                  id:         ir-8.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-8(e)
-                  parts: 
-                    - 
-                      id:         ir-8.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: IR-8(e)[1]
-                      parts: 
-                        - 
-                          id:         ir-8.e_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: IR-8(e)[1][a]
-                          prose: 
-                            """
-                              defines incident response personnel (identified by name and/or by role) to
-                                                      whom incident response plan changes are to be communicated;
-                            """
-                        - 
-                          id:         ir-8.e_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: IR-8(e)[1][b]
-                          prose: 
-                            """
-                              defines organizational elements to whom incident response plan changes are
-                                                      to be communicated;
-                            """
-                    - 
-                      id:         ir-8.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-8(e)[2]
-                      prose: 
-                        """
-                          communicates incident response plan changes to organization-defined incident
-                                               response personnel (identified by name and/or by role) and organizational
-                                               elements; and
-                        """
-                - 
-                  id:         ir-8.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-8(f)
-                  prose: 
-                    """
-                      protects the incident response plan from unauthorized disclosure and
-                                        modification.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational incident response plan and related organizational processes
-        - 
-          id:         ir-9
-          class:      SP800-53
-          title:      Information Spillage Response
-          parameters: 
-            - 
-              id:    ir-9_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ir-9_prm_2
-              label: organization-defined actions
-          properties: 
-            - 
-              name:  label
-              value: IR-9
-            - 
-              name:  sort-id
-              value: ir-09
-          parts: 
-            - 
-              id:    ir-9_smt
-              name:  statement
-              prose: The organization responds to information spills by:
-              parts: 
-                - 
-                  id:         ir-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Identifying the specific information involved in the information system
-                                        contamination;
-                    """
-                - 
-                  id:         ir-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Alerting {{ ir-9_prm_1 }} of the information spill using a method
-                                        of communication not associated with the spill;
-                    """
-                - 
-                  id:         ir-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Isolating the contaminated information system or system component;
-                - 
-                  id:         ir-9_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Eradicating the information from the contaminated information system or
-                                        component;
-                    """
-                - 
-                  id:         ir-9_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Identifying other information systems or system components that may have been
-                                        subsequently contaminated; and
-                    """
-                - 
-                  id:         ir-9_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Performing other {{ ir-9_prm_2 }}.
-            - 
-              id:    ir-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information spillage refers to instances where either classified or sensitive
-                                 information is inadvertently placed on information systems that are not authorized to
-                                 process such information. Such information spills often occur when information that
-                                 is initially thought to be of lower sensitivity is transmitted to an information
-                                 system and then is subsequently determined to be of higher sensitivity. At that
-                                 point, corrective action is required. The nature of the organizational response is
-                                 generally based upon the degree of sensitivity of the spilled information (e.g.,
-                                 security category or classification level), the security capabilities of the
-                                 information system, the specific nature of contaminated storage media, and the access
-                                 authorizations (e.g., security clearances) of individuals with authorized access to
-                                 the contaminated system. The methods used to communicate information about the spill
-                                 after the fact do not involve methods directly associated with the actual spill to
-                                 minimize the risk of further spreading the contamination before such contamination is
-                                 isolated and eradicated.
-                """
-            - 
-              id:    ir-9_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ir-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-9(a)
-                  prose: 
-                    """
-                      responds to information spills by identifying the specific information causing the
-                                        information system contamination;
-                    """
-                - 
-                  id:         ir-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(b)
-                  parts: 
-                    - 
-                      id:         ir-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(b)[1]
-                      prose:      defines personnel to be alerted of the information spillage;
-                    - 
-                      id:         ir-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-9(b)[2]
-                      prose: 
-                        """
-                          identifies a method of communication not associated with the information spill
-                                               to use to alert organization-defined personnel of the spill;
-                        """
-                    - 
-                      id:         ir-9.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-9(b)[3]
-                      prose: 
-                        """
-                          responds to information spills by alerting organization-defined personnel of
-                                               the information spill using a method of communication not associated with the
-                                               spill;
-                        """
-                - 
-                  id:         ir-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-9(c)
-                  prose: 
-                    """
-                      responds to information spills by isolating the contaminated information
-                                        system;
-                    """
-                - 
-                  id:         ir-9.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-9(d)
-                  prose: 
-                    """
-                      responds to information spills by eradicating the information from the
-                                        contaminated information system;
-                    """
-                - 
-                  id:         ir-9.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: IR-9(e)
-                  prose: 
-                    """
-                      responds to information spills by identifying other information systems that may
-                                        have been subsequently contaminated;
-                    """
-                - 
-                  id:         ir-9.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: IR-9(f)
-                  parts: 
-                    - 
-                      id:         ir-9.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(f)[1]
-                      prose: 
-                        """
-                          defines other actions to be performed in response to information spills;
-                                               and
-                        """
-                    - 
-                      id:         ir-9.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-9(f)[2]
-                      prose: 
-                        """
-                          responds to information spills by performing other organization-defined
-                                               actions.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nrecords of information spillage alerts/notifications, list of personnel who should
-                                        receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information spillage response\n\nautomated mechanisms supporting and/or implementing information spillage response
-                                        actions and related communications
-                    """
-          controls: 
-            - 
-              id:         ir-9.1
-              class:      SP800-53-enhancement
-              title:      Responsible Personnel
-              parameters: 
-                - 
-                  id:    ir-9.1_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: IR-9(1)
-                - 
-                  name:  sort-id
-                  value: ir-09.01
-              parts: 
-                - 
-                  id:    ir-9.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization assigns {{ ir-9.1_prm_1 }} with responsibility for
-                                        responding to information spills.
-                    """
-                - 
-                  id:    ir-9.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ir-9.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(1)[1]
-                      prose: 
-                        """
-                          defines personnel with responsibility for responding to information spills;
-                                               and
-                        """
-                    - 
-                      id:         ir-9.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-9(1)[2]
-                      prose: 
-                        """
-                          assigns organization-defined personnel with responsibility for responding to
-                                               information spills.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nlist of personnel responsible for responding to information spillage\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ir-9.2
-              class:      SP800-53-enhancement
-              title:      Training
-              parameters: 
-                - 
-                  id:    ir-9.2_prm_1
-                  label: organization-defined frequency
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: IR-9(2)
-                - 
-                  name:  sort-id
-                  value: ir-09.02
-              parts: 
-                - 
-                  id:    ir-9.2_smt
-                  name:  statement
-                  prose: The organization provides information spillage response training {{ ir-9.2_prm_1 }}.
-                - 
-                  id:    ir-9.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ir-9.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(2)[1]
-                      prose: 
-                        """
-                          defines the frequency to provide information spillage response training;
-                                               and
-                        """
-                    - 
-                      id:         ir-9.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: IR-9(2)[2]
-                      prose: 
-                        """
-                          provides information spillage response training with the organization-defined
-                                               frequency.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\ninformation spillage response training records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              id:         ir-9.3
-              class:      SP800-53-enhancement
-              title:      Post-spill Operations
-              parameters: 
-                - 
-                  id:    ir-9.3_prm_1
-                  label: organization-defined procedures
-              properties: 
-                - 
-                  name:  label
-                  value: IR-9(3)
-                - 
-                  name:  sort-id
-                  value: ir-09.03
-              parts: 
-                - 
-                  id:    ir-9.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization implements {{ ir-9.3_prm_1 }} to ensure that
-                                        organizational personnel impacted by information spills can continue to carry out
-                                        assigned tasks while contaminated systems are undergoing corrective actions.
-                    """
-                - 
-                  id:    ir-9.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Correction actions for information systems contaminated due to information
-                                        spillages may be very time-consuming. During those periods, personnel may not have
-                                        access to the contaminated systems, which may potentially affect their ability to
-                                        conduct organizational business.
-                    """
-                - 
-                  id:    ir-9.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ir-9.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(3)[1]
-                      prose: 
-                        """
-                          defines procedures that ensure organizational personnel impacted by information
-                                               spills can continue to carry out assigned tasks while contaminated systems are
-                                               undergoing corrective actions; and
-                        """
-                    - 
-                      id:         ir-9.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-9(3)[2]
-                      prose: 
-                        """
-                          implements organization-defined procedures to ensure that organizational
-                                               personnel impacted by information spills can continue to carry out assigned
-                                               tasks while contaminated systems are undergoing corrective actions.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing information spillage\n\nincident response plan\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for post-spill operations
-            - 
-              id:         ir-9.4
-              class:      SP800-53-enhancement
-              title:      Exposure to Unauthorized Personnel
-              parameters: 
-                - 
-                  id:    ir-9.4_prm_1
-                  label: organization-defined security safeguards
-              properties: 
-                - 
-                  name:  label
-                  value: IR-9(4)
-                - 
-                  name:  sort-id
-                  value: ir-09.04
-              parts: 
-                - 
-                  id:    ir-9.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ ir-9.4_prm_1 }} for personnel exposed
-                                        to information not within assigned access authorizations.
-                    """
-                - 
-                  id:    ir-9.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Security safeguards include, for example, making personnel exposed to spilled
-                                        information aware of the federal laws, directives, policies, and/or regulations
-                                        regarding the information and the restrictions imposed based on exposure to such
-                                        information.
-                    """
-                - 
-                  id:    ir-9.4_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ir-9.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: IR-9(4)[1]
-                      prose: 
-                        """
-                          defines security safeguards to be employed for personnel exposed to information
-                                               not within assigned access authorizations; and
-                        """
-                    - 
-                      id:         ir-9.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: IR-9(4)[2]
-                      prose: 
-                        """
-                          employs organization-defined security safeguards for personnel exposed to
-                                               information not within assigned access authorizations.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing information spillage\n\nincident response plan\n\nsecurity safeguards regarding information spillage/exposure to unauthorized
-                                               personnel\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for dealing with information exposed to unauthorized
-                                               personnel\n\nautomated mechanisms supporting and/or implementing safeguards for personnel
-                                               exposed to information not within assigned access authorizations
-                        """
-    - 
-      id:       ma
-      class:    family
-      title:    Maintenance
-      controls: 
-        - 
-          id:         ma-1
-          class:      SP800-53
-          title:      System Maintenance Policy and Procedures
-          parameters: 
-            - 
-              id:    ma-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ma-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ma-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MA-1
-            - 
-              name:  sort-id
-              value: ma-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ma-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ma-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ma-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system maintenance policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ma-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system maintenance policy
-                                               and associated system maintenance controls; and
-                        """
-                - 
-                  id:         ma-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ma-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      System maintenance policy {{ ma-1_prm_2 }}; and
-                    - 
-                      id:         ma-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System maintenance procedures {{ ma-1_prm_3 }}.
-            - 
-              id:    ma-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the MA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ma-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ma-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-1(a)
-                  parts: 
-                    - 
-                      id:         ma-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ma-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[1]
-                          prose:      develops and documents a system maintenance policy that addresses:
-                          parts: 
-                            - 
-                              id:         ma-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ma-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ma-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ma-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ma-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ma-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ma-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ma-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system maintenance policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ma-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system maintenance policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ma-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ma-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      maintenance policy and associated system maintenance controls;
-                            """
-                        - 
-                          id:         ma-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ma-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ma-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-1(b)
-                  parts: 
-                    - 
-                      id:         ma-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ma-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system maintenance
-                                                      policy;
-                            """
-                        - 
-                          id:         ma-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system maintenance policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ma-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ma-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system maintenance
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ma-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system maintenance procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Maintenance policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ma-2
-          class:      SP800-53
-          title:      Controlled Maintenance
-          parameters: 
-            - 
-              id:    ma-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ma-2_prm_2
-              label: organization-defined maintenance-related information
-          properties: 
-            - 
-              name:  label
-              value: MA-2
-            - 
-              name:  sort-id
-              value: ma-02
-          parts: 
-            - 
-              id:    ma-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Schedules, performs, documents, and reviews records of maintenance and repairs on
-                                        information system components in accordance with manufacturer or vendor
-                                        specifications and/or organizational requirements;
-                    """
-                - 
-                  id:         ma-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Approves and monitors all maintenance activities, whether performed on site or
-                                        remotely and whether the equipment is serviced on site or removed to another
-                                        location;
-                    """
-                - 
-                  id:         ma-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Requires that {{ ma-2_prm_1 }} explicitly approve the removal of
-                                        the information system or system components from organizational facilities for
-                                        off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Sanitizes equipment to remove all information from associated media prior to
-                                        removal from organizational facilities for off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Checks all potentially impacted security controls to verify that the controls are
-                                        still functioning properly following maintenance or repair actions; and
-                    """
-                - 
-                  id:         ma-2_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Includes {{ ma-2_prm_2 }} in organizational maintenance
-                                        records.
-                    """
-            - 
-              id:    ma-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the information security aspects of the information system
-                                 maintenance program and applies to all types of maintenance to any system component
-                                 (including applications) conducted by any local or nonlocal entity (e.g.,
-                                 in-contract, warranty, in-house, software maintenance agreement). System maintenance
-                                 also includes those components not directly associated with information processing
-                                 and/or data/information retention such as scanners, copiers, and printers.
-                                 Information necessary for creating effective maintenance records includes, for
-                                 example: (i) date and time of maintenance; (ii) name of individuals or group
-                                 performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-                                 the maintenance performed; and (v) information system components/equipment removed or
-                                 replaced (including identification numbers, if applicable). The level of detail
-                                 included in maintenance records can be informed by the security categories of
-                                 organizational information systems. Organizations consider supply chain issues
-                                 associated with replacement components for information systems.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-                - 
-                  href: #pe-16
-                  rel:  related
-                  text: PE-16
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    ma-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ma-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(a)
-                  parts: 
-                    - 
-                      id:         ma-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(a)[1]
-                      prose: 
-                        """
-                          schedules maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[1][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[1][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(a)[2]
-                      prose: 
-                        """
-                          performs maintenance and repairs on information system components in accordance
-                                               with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[2][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[2][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(a)[3]
-                      prose: 
-                        """
-                          documents maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[3][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[3][b]
-                          prose:      organizational requirements;
-                    - 
-                      id:         ma-2.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(a)[4]
-                      prose: 
-                        """
-                          reviews records of maintenance and repairs on information system components in
-                                               accordance with:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-2.a_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[4][a]
-                          prose:      manufacturer or vendor specifications; and/or
-                        - 
-                          id:         ma-2.a_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-2(a)[4][b]
-                          prose:      organizational requirements;
-                - 
-                  id:         ma-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(b)
-                  parts: 
-                    - 
-                      id:         ma-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-2(b)[1]
-                      prose: 
-                        """
-                          approves all maintenance activities, whether performed on site or remotely and
-                                               whether the equipment is serviced on site or removed to another location;
-                        """
-                    - 
-                      id:         ma-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-2(b)[2]
-                      prose: 
-                        """
-                          monitors all maintenance activities, whether performed on site or remotely and
-                                               whether the equipment is serviced on site or removed to another location;
-                        """
-                - 
-                  id:         ma-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(c)
-                  parts: 
-                    - 
-                      id:         ma-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(c)[1]
-                      prose: 
-                        """
-                          defines personnel or roles required to explicitly approve the removal of the
-                                               information system or system components from organizational facilities for
-                                               off-site maintenance or repairs;
-                        """
-                    - 
-                      id:         ma-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(c)[2]
-                      prose: 
-                        """
-                          requires that organization-defined personnel or roles explicitly approve the
-                                               removal of the information system or system components from organizational
-                                               facilities for off-site maintenance or repairs;
-                        """
-                - 
-                  id:         ma-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-2(d)
-                  prose: 
-                    """
-                      sanitizes equipment to remove all information from associated media prior to
-                                        removal from organizational facilities for off-site maintenance or repairs;
-                    """
-                - 
-                  id:         ma-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-2(e)
-                  prose: 
-                    """
-                      checks all potentially impacted security controls to verify that the controls are
-                                        still functioning properly following maintenance or repair actions;
-                    """
-                - 
-                  id:         ma-2.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-2(f)
-                  parts: 
-                    - 
-                      id:         ma-2.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(f)[1]
-                      prose: 
-                        """
-                          defines maintenance-related information to be included in organizational
-                                               maintenance records; and
-                        """
-                    - 
-                      id:         ma-2.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-2(f)[2]
-                      prose: 
-                        """
-                          includes organization-defined maintenance-related information in organizational
-                                               maintenance records.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for scheduling, performing, documenting, reviewing,
-                                        approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system
-                                        components
-                    """
-        - 
-          id:         ma-3
-          class:      SP800-53
-          title:      Maintenance Tools
-          properties: 
-            - 
-              name:  label
-              value: MA-3
-            - 
-              name:  sort-id
-              value: ma-03
-          links: 
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-          parts: 
-            - 
-              id:    ma-3_smt
-              name:  statement
-              prose: 
-                """
-                  The organization approves, controls, and monitors information system maintenance
-                                 tools.
-                """
-            - 
-              id:    ma-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses security-related issues associated with maintenance tools used
-                                 specifically for diagnostic and repair actions on organizational information systems.
-                                 Maintenance tools can include hardware, software, and firmware items. Maintenance
-                                 tools are potential vehicles for transporting malicious code, either intentionally or
-                                 unintentionally, into a facility and subsequently into organizational information
-                                 systems. Maintenance tools can include, for example, hardware/software diagnostic
-                                 test equipment and hardware/software packet sniffers. This control does not cover
-                                 hardware/software components that may support information system maintenance, yet are
-                                 a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,
-                                 or the hardware and software implementing the monitoring port of an Ethernet
-                                 switch.
-                """
-              links: 
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-            - 
-              id:    ma-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-3_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-3[1]
-                  prose:      approves information system maintenance tools;
-                - 
-                  id:         ma-3_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-3[2]
-                  prose:      controls information system maintenance tools; and
-                - 
-                  id:         ma-3_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-3[3]
-                  prose:      monitors information system maintenance tools.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for approving, controlling, and monitoring maintenance
-                                        tools\n\nautomated mechanisms supporting and/or implementing approval, control, and/or
-                                        monitoring of maintenance tools
-                    """
-          controls: 
-            - 
-              id:         ma-3.1
-              class:      SP800-53-enhancement
-              title:      Inspect Tools
-              properties: 
-                - 
-                  name:  label
-                  value: MA-3(1)
-                - 
-                  name:  sort-id
-                  value: ma-03.01
-              parts: 
-                - 
-                  id:    ma-3.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization inspects the maintenance tools carried into a facility by
-                                        maintenance personnel for improper or unauthorized modifications.
-                    """
-                - 
-                  id:    ma-3.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      If, upon inspection of maintenance tools, organizations determine that the tools
-                                        have been modified in an improper/unauthorized manner or contain malicious code,
-                                        the incident is handled consistent with organizational policies and procedures for
-                                        incident handling.
-                    """
-                  links: 
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:         ma-3.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization inspects the maintenance tools carried into a
-                                        facility by maintenance personnel for improper or unauthorized modifications. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for inspecting maintenance tools\n\nautomated mechanisms supporting and/or implementing inspection of maintenance
-                                               tools
-                        """
-            - 
-              id:         ma-3.2
-              class:      SP800-53-enhancement
-              title:      Inspect Media
-              properties: 
-                - 
-                  name:  label
-                  value: MA-3(2)
-                - 
-                  name:  sort-id
-                  value: ma-03.02
-              parts: 
-                - 
-                  id:    ma-3.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization checks media containing diagnostic and test programs for
-                                        malicious code before the media are used in the information system.
-                    """
-                - 
-                  id:    ma-3.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      If, upon inspection of media containing maintenance diagnostic and test programs,
-                                        organizations determine that the media contain malicious code, the incident is
-                                        handled consistent with organizational incident handling policies and
-                                        procedures.
-                    """
-                  links: 
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                - 
-                  id:         ma-3.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization checks media containing diagnostic and test programs
-                                        for malicious code before the media are used in the information system. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for inspecting media for malicious code\n\nautomated mechanisms supporting and/or implementing inspection of media used
-                                               for maintenance
-                        """
-            - 
-              id:         ma-3.3
-              class:      SP800-53-enhancement
-              title:      Prevent Unauthorized Removal
-              parameters: 
-                - 
-                  id:          ma-3.3_prm_1
-                  label:       organization-defined personnel or roles
-                  constraints: 
-                    - 
-                      detail: the information owner explicitly authorizing removal of the equipment from the facility
-              properties: 
-                - 
-                  name:  label
-                  value: MA-3(3)
-                - 
-                  name:  sort-id
-                  value: ma-03.03
-              parts: 
-                - 
-                  id:    ma-3.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization prevents the unauthorized removal of maintenance equipment
-                                        containing organizational information by:
-                    """
-                  parts: 
-                    - 
-                      id:         ma-3.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Verifying that there is no organizational information contained on the
-                                               equipment;
-                        """
-                    - 
-                      id:         ma-3.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Sanitizing or destroying the equipment;
-                    - 
-                      id:         ma-3.3_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose:      Retaining the equipment within the facility; or
-                    - 
-                      id:         ma-3.3_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose: 
-                        """
-                          Obtaining an exemption from {{ ma-3.3_prm_1 }} explicitly
-                                               authorizing removal of the equipment from the facility.
-                        """
-                - 
-                  id:    ma-3.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational information includes all information specifically owned by
-                                        organizations and information provided to organizations in which organizations
-                                        serve as information stewards.
-                    """
-                - 
-                  id:         ma-3.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization prevents the unauthorized removal of maintenance
-                                        equipment containing organizational information by: 
-                    """
-                  parts: 
-                    - 
-                      id:         ma-3.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-3(3)(a)
-                      prose: 
-                        """
-                          verifying that there is no organizational information contained on the
-                                               equipment;
-                        """
-                      links: 
-                        - 
-                          href: #ma-3.3_smt.a
-                          rel:  corresp
-                          text: MA-3(3)(a)
-                    - 
-                      id:         ma-3.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-3(3)(b)
-                      prose:      sanitizing or destroying the equipment;
-                      links: 
-                        - 
-                          href: #ma-3.3_smt.b
-                          rel:  corresp
-                          text: MA-3(3)(b)
-                    - 
-                      id:         ma-3.3.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-3(3)(c)
-                      prose:      retaining the equipment within the facility; or
-                      links: 
-                        - 
-                          href: #ma-3.3_smt.c
-                          rel:  corresp
-                          text: MA-3(3)(c)
-                    - 
-                      id:         ma-3.3.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-3(3)(d)
-                      parts: 
-                        - 
-                          id:         ma-3.3.d_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-3(3)(d)[1]
-                          prose: 
-                            """
-                              defining personnel or roles that can grant an exemption from explicitly
-                                                      authorizing removal of the equipment from the facility; and
-                            """
-                        - 
-                          id:         ma-3.3.d_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MA-3(3)(d)[2]
-                          prose: 
-                            """
-                              obtaining an exemption from organization-defined personnel or roles
-                                                      explicitly authorizing removal of the equipment from the facility.
-                            """
-                      links: 
-                        - 
-                          href: #ma-3.3_smt.d
-                          rel:  corresp
-                          text: MA-3(3)(d)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational process for preventing unauthorized removal of information\n\nautomated mechanisms supporting media sanitization or destruction of
-                                               equipment\n\nautomated mechanisms supporting verification of media sanitization
-                        """
-        - 
-          id:         ma-4
-          class:      SP800-53
-          title:      Nonlocal Maintenance
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MA-4
-            - 
-              name:  sort-id
-              value: ma-04
-          links: 
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #f2dbd4ec-c413-4714-b85b-6b7184d1c195
-              rel:  reference
-              text: FIPS Publication 197
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-            - 
-              href: #a4aa9645-9a8a-4b51-90a9-e223250f9a75
-              rel:  reference
-              text: CNSS Policy 15
-          parts: 
-            - 
-              id:    ma-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Approves and monitors nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                                        with organizational policy and documented in the security plan for the information
-                                        system;
-                    """
-                - 
-                  id:         ma-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Employs strong authenticators in the establishment of nonlocal maintenance and
-                                        diagnostic sessions;
-                    """
-                - 
-                  id:         ma-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Maintains records for nonlocal maintenance and diagnostic activities; and
-                - 
-                  id:         ma-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Terminates session and network connections when nonlocal maintenance is
-                                        completed.
-                    """
-            - 
-              id:    ma-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Nonlocal maintenance and diagnostic activities are those activities conducted by
-                                 individuals communicating through a network, either an external network (e.g., the
-                                 Internet) or an internal network. Local maintenance and diagnostic activities are
-                                 those activities carried out by individuals physically present at the information
-                                 system or information system component and not communicating across a network
-                                 connection. Authentication techniques used in the establishment of nonlocal
-                                 maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-                                 Typically, strong authentication requires authenticators that are resistant to replay
-                                 attacks and employ multifactor authentication. Strong authenticators include, for
-                                 example, PKI where certificates are stored on a token protected by a password,
-                                 passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-                                 other controls.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-            - 
-              id:    ma-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(a)
-                  parts: 
-                    - 
-                      id:         ma-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-4(a)[1]
-                      prose:      approves nonlocal maintenance and diagnostic activities;
-                    - 
-                      id:         ma-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(a)[2]
-                      prose:      monitors nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-4(b)
-                  prose:      allows the use of nonlocal maintenance and diagnostic tools only:
-                  parts: 
-                    - 
-                      id:         ma-4.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(b)[1]
-                      prose:      as consistent with organizational policy;
-                    - 
-                      id:         ma-4.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-4(b)[2]
-                      prose:      as documented in the security plan for the information system;
-                - 
-                  id:         ma-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-4(c)
-                  prose: 
-                    """
-                      employs strong authenticators in the establishment of nonlocal maintenance and
-                                        diagnostic sessions;
-                    """
-                - 
-                  id:         ma-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-4(d)
-                  prose:      maintains records for nonlocal maintenance and diagnostic activities;
-                - 
-                  id:         ma-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-4(e)
-                  parts: 
-                    - 
-                      id:         ma-4.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(e)[1]
-                      prose: 
-                        """
-                          terminates sessions when nonlocal maintenance or diagnostics is completed;
-                                               and
-                        """
-                    - 
-                      id:         ma-4.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-4(e)[2]
-                      prose: 
-                        """
-                          terminates network connections when nonlocal maintenance or diagnostics is
-                                               completed.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and/or managing nonlocal
-                                        maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                                        sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network
-                                        connections
-                    """
-          controls: 
-            - 
-              id:         ma-4.2
-              class:      SP800-53-enhancement
-              title:      Document Nonlocal Maintenance
-              properties: 
-                - 
-                  name:  label
-                  value: MA-4(2)
-                - 
-                  name:  sort-id
-                  value: ma-04.02
-              parts: 
-                - 
-                  id:    ma-4.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization documents in the security plan for the information system, the
-                                        policies and procedures for the establishment and use of nonlocal maintenance and
-                                        diagnostic connections.
-                    """
-                - 
-                  id:    ma-4.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization documents in the security plan for the information
-                                        system: 
-                    """
-                  parts: 
-                    - 
-                      id:         ma-4.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-4(2)[1]
-                      prose: 
-                        """
-                          the policies for the establishment and use of nonlocal maintenance and
-                                               diagnostic connections; and
-                        """
-                    - 
-                      id:         ma-4.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: MA-4(2)[2]
-                      prose: 
-                        """
-                          the procedures for the establishment and use of nonlocal maintenance and
-                                               diagnostic connections.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing non-local information system maintenance\n\nsecurity plan\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         ma-5
-          class:      SP800-53
-          title:      Maintenance Personnel
-          properties: 
-            - 
-              name:  label
-              value: MA-5
-            - 
-              name:  sort-id
-              value: ma-05
-          parts: 
-            - 
-              id:    ma-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ma-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes a process for maintenance personnel authorization and maintains a list
-                                        of authorized maintenance organizations or personnel;
-                    """
-                - 
-                  id:         ma-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Ensures that non-escorted personnel performing maintenance on the information
-                                        system have required access authorizations; and
-                    """
-                - 
-                  id:         ma-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Designates organizational personnel with required access authorizations and
-                                        technical competence to supervise the maintenance activities of personnel who do
-                                        not possess the required access authorizations.
-                    """
-            - 
-              id:    ma-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to individuals performing hardware or software maintenance on
-                                 organizational information systems, while PE-2 addresses physical access for
-                                 individuals whose maintenance duties place them within the physical protection
-                                 perimeter of the systems (e.g., custodial staff, physical plant maintenance
-                                 personnel). Technical competence of supervising individuals relates to the
-                                 maintenance performed on the information systems while having required access
-                                 authorizations refers to maintenance on and near the systems. Individuals not
-                                 previously identified as authorized maintenance personnel, such as information
-                                 technology manufacturers, vendors, systems integrators, and consultants, may require
-                                 privileged access to organizational information systems, for example, when required
-                                 to conduct maintenance activities with little or no notice. Based on organizational
-                                 assessments of risk, organizations may issue temporary credentials to these
-                                 individuals. Temporary credentials may be for one-time use or for very limited time
-                                 periods.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-8
-                  rel:  related
-                  text: IA-8
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    ma-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-5(a)
-                  parts: 
-                    - 
-                      id:         ma-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-5(a)[1]
-                      prose:      establishes a process for maintenance personnel authorization;
-                    - 
-                      id:         ma-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MA-5(a)[2]
-                      prose:      maintains a list of authorized maintenance organizations or personnel;
-                - 
-                  id:         ma-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MA-5(b)
-                  prose: 
-                    """
-                      ensures that non-escorted personnel performing maintenance on the information
-                                        system have required access authorizations; and
-                    """
-                - 
-                  id:         ma-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MA-5(c)
-                  prose: 
-                    """
-                      designates organizational personnel with required access authorizations and
-                                        technical competence to supervise the maintenance activities of personnel who do
-                                        not possess the required access authorizations.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and/or implementing authorization of maintenance
-                                        personnel
-                    """
-          controls: 
-            - 
-              id:         ma-5.1
-              class:      SP800-53-enhancement
-              title:      Individuals Without Appropriate Access
-              properties: 
-                - 
-                  name:  label
-                  value: MA-5(1)
-                - 
-                  name:  sort-id
-                  value: ma-05.01
-              parts: 
-                - 
-                  id:    ma-5.1_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         ma-5.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Implements procedures for the use of maintenance personnel that lack
-                                               appropriate security clearances or are not U.S. citizens, that include the
-                                               following requirements:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-5.1_smt.a.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: (1)
-                          prose: 
-                            """
-                              Maintenance personnel who do not have needed access authorizations,
-                                                      clearances, or formal access approvals are escorted and supervised during
-                                                      the performance of maintenance and diagnostic activities on the information
-                                                      system by approved organizational personnel who are fully cleared, have
-                                                      appropriate access authorizations, and are technically qualified;
-                            """
-                        - 
-                          id:         ma-5.1_smt.a.2
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: (2)
-                          prose: 
-                            """
-                              Prior to initiating maintenance or diagnostic activities by personnel who do
-                                                      not have needed access authorizations, clearances or formal access
-                                                      approvals, all volatile information storage components within the
-                                                      information system are sanitized and all nonvolatile storage media are
-                                                      removed or physically disconnected from the system and secured; and
-                            """
-                    - 
-                      id:         ma-5.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Develops and implements alternate security safeguards in the event an
-                                               information system component cannot be sanitized, removed, or disconnected from
-                                               the system.
-                        """
-                    - 
-                      id:    ma-5.1_fr
-                      name:  item
-                      title: MA-5 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ma-5.1_fr_smt.b
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline
-                - 
-                  id:    ma-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement denies individuals who lack appropriate security
-                                        clearances (i.e., individuals who do not possess security clearances or possess
-                                        security clearances at a lower level than required) or who are not U.S. citizens,
-                                        visual and electronic access to any classified information, Controlled
-                                        Unclassified Information (CUI), or any other sensitive information contained on
-                                        organizational information systems. Procedures for the use of maintenance
-                                        personnel can be documented in security plans for the information systems.
-                    """
-                  links: 
-                    - 
-                      href: #mp-6
-                      rel:  related
-                      text: MP-6
-                    - 
-                      href: #pl-2
-                      rel:  related
-                      text: PL-2
-                - 
-                  id:    ma-5.1_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ma-5.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-5(1)(a)
-                      prose: 
-                        """
-                          implements procedures for the use of maintenance personnel that lack
-                                               appropriate security clearances or are not U.S. citizens, that include the
-                                               following requirements:
-                        """
-                      parts: 
-                        - 
-                          id:         ma-5.1.a.1_obj
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: MA-5(1)(a)(1)
-                          prose: 
-                            """
-                              maintenance personnel who do not have needed access authorizations,
-                                                      clearances, or formal access approvals are escorted and supervised during
-                                                      the performance of maintenance and diagnostic activities on the information
-                                                      system by approved organizational personnel who:
-                            """
-                          parts: 
-                            - 
-                              id:         ma-5.1.a.1_obj.1
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(1)[1]
-                              prose:      are fully cleared;
-                            - 
-                              id:         ma-5.1.a.1_obj.2
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(1)[2]
-                              prose:      have appropriate access authorizations;
-                            - 
-                              id:         ma-5.1.a.1_obj.3
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(1)[3]
-                              prose:      are technically qualified;
-                          links: 
-                            - 
-                              href: #ma-5.1_smt.a.1
-                              rel:  corresp
-                              text: MA-5(1)(a)(1)
-                        - 
-                          id:         ma-5.1.a.2_obj
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: MA-5(1)(a)(2)
-                          prose: 
-                            """
-                              prior to initiating maintenance or diagnostic activities by personnel who do
-                                                      not have needed access authorizations, clearances, or formal access
-                                                      approvals:
-                            """
-                          parts: 
-                            - 
-                              id:         ma-5.1.a.2_obj.1
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(2)[1]
-                              prose: 
-                                """
-                                  all volatile information storage components within the information system
-                                                             are sanitized; and
-                                """
-                            - 
-                              id:         ma-5.1.a.2_obj.2
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(2)[2]
-                              prose:      all nonvolatile storage media are removed; or
-                            - 
-                              id:         ma-5.1.a.2_obj.3
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MA-5(1)(a)(2)[3]
-                              prose: 
-                                """
-                                  all nonvolatile storage media are physically disconnected from the system
-                                                             and secured; and
-                                """
-                          links: 
-                            - 
-                              href: #ma-5.1_smt.a.2
-                              rel:  corresp
-                              text: MA-5(1)(a)(2)
-                      links: 
-                        - 
-                          href: #ma-5.1_smt.a
-                          rel:  corresp
-                          text: MA-5(1)(a)
-                    - 
-                      id:         ma-5.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MA-5(1)(b)
-                      prose: 
-                        """
-                          develops and implements alternative security safeguards in the event an
-                                               information system component cannot be sanitized, removed, or disconnected from
-                                               the system.
-                        """
-                      links: 
-                        - 
-                          href: #ma-5.1_smt.b
-                          rel:  corresp
-                          text: MA-5(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\ninformation system media protection policy\n\nphysical and environmental protection policy\n\nsecurity plan\n\nlist of maintenance personnel requiring escort/supervision\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system maintenance
-                                               responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for managing maintenance personnel without appropriate
-                                               access\n\nautomated mechanisms supporting and/or implementing alternative security
-                                               safeguards\n\nautomated mechanisms supporting and/or implementing information storage
-                                               component sanitization
-                        """
-        - 
-          id:         ma-6
-          class:      SP800-53
-          title:      Timely Maintenance
-          parameters: 
-            - 
-              id:    ma-6_prm_1
-              label: organization-defined information system components
-            - 
-              id:    ma-6_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: MA-6
-            - 
-              name:  sort-id
-              value: ma-06
-          parts: 
-            - 
-              id:    ma-6_smt
-              name:  statement
-              prose: The organization obtains maintenance support and/or spare parts for {{ ma-6_prm_1 }} within {{ ma-6_prm_2 }} of failure.
-            - 
-              id:    ma-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations specify the information system components that result in increased risk
-                                 to organizational operations and assets, individuals, other organizations, or the
-                                 Nation when the functionality provided by those components is not operational.
-                                 Organizational actions to obtain maintenance support typically include having
-                                 appropriate contracts in place.
-                """
-              links: 
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-                - 
-                  href: #sa-14
-                  rel:  related
-                  text: SA-14
-                - 
-                  href: #sa-15
-                  rel:  related
-                  text: SA-15
-            - 
-              id:    ma-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         ma-6_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-6[1]
-                  prose: 
-                    """
-                      defines information system components for which maintenance support and/or spare
-                                        parts are to be obtained;
-                    """
-                - 
-                  id:         ma-6_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-6[2]
-                  prose: 
-                    """
-                      defines the time period within which maintenance support and/or spare parts are to
-                                        be obtained after a failure;
-                    """
-                - 
-                  id:         ma-6_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MA-6[3]
-                  parts: 
-                    - 
-                      id:         ma-6_obj.3.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-6[3][a]
-                      prose: 
-                        """
-                          obtains maintenance support for organization-defined information system
-                                               components within the organization-defined time period of failure; and/or
-                        """
-                    - 
-                      id:         ma-6_obj.3.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MA-6[3][b]
-                      prose: 
-                        """
-                          obtains spare parts for organization-defined information system components
-                                               within the organization-defined time period of failure.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system maintenance policy\n\nprocedures addressing information system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for ensuring timely maintenance
-    - 
-      id:       mp
-      class:    family
-      title:    Media Protection
-      controls: 
-        - 
-          id:         mp-1
-          class:      SP800-53
-          title:      Media Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    mp-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          mp-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          mp-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: MP-1
-            - 
-              name:  sort-id
-              value: mp-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    mp-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ mp-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         mp-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A media protection policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         mp-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the media protection policy and
-                                               associated media protection controls; and
-                        """
-                - 
-                  id:         mp-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         mp-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Media protection policy {{ mp-1_prm_2 }}; and
-                    - 
-                      id:         mp-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Media protection procedures {{ mp-1_prm_3 }}.
-            - 
-              id:    mp-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the MP
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    mp-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         mp-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-1(a)
-                  parts: 
-                    - 
-                      id:         mp-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(a)(1)
-                      parts: 
-                        - 
-                          id:         mp-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[1]
-                          prose:      develops and documents a media protection policy that addresses:
-                          parts: 
-                            - 
-                              id:         mp-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         mp-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         mp-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         mp-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         mp-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         mp-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         mp-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: MP-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         mp-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the media protection policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         mp-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MP-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the media protection policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         mp-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(a)(2)
-                      parts: 
-                        - 
-                          id:         mp-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      media protection policy and associated media protection controls;
-                            """
-                        - 
-                          id:         mp-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         mp-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: MP-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         mp-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-1(b)
-                  parts: 
-                    - 
-                      id:         mp-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(b)(1)
-                      parts: 
-                        - 
-                          id:         mp-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current media protection
-                                                      policy;
-                            """
-                        - 
-                          id:         mp-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current media protection policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         mp-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-1(b)(2)
-                      parts: 
-                        - 
-                          id:         mp-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current media protection
-                                                      procedures; and
-                            """
-                        - 
-                          id:         mp-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: MP-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current media protection procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Media protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         mp-2
-          class:      SP800-53
-          title:      Media Access
-          parameters: 
-            - 
-              id:    mp-2_prm_1
-              label: organization-defined types of digital and/or non-digital media
-            - 
-              id:    mp-2_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: MP-2
-            - 
-              name:  sort-id
-              value: mp-02
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-2_smt
-              name:  statement
-              prose: The organization restricts access to {{ mp-2_prm_1 }} to {{ mp-2_prm_2 }}.
-            - 
-              id:    mp-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. Restricting non-digital media access
-                                 includes, for example, denying access to patient medical records in a community
-                                 hospital unless the individuals seeking access to such records are authorized
-                                 healthcare providers. Restricting access to digital media includes, for example,
-                                 limiting access to design specifications stored on compact disks in the media library
-                                 to the project leader and the individuals on the development team.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-            - 
-              id:    mp-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-2_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-2[1]
-                  prose:      defines types of digital and/or non-digital media requiring restricted access;
-                - 
-                  id:         mp-2_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-2[2]
-                  prose: 
-                    """
-                      defines personnel or roles authorized to access organization-defined types of
-                                        digital and/or non-digital media; and
-                    """
-                - 
-                  id:         mp-2_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-2[3]
-                  prose: 
-                    """
-                      restricts access to organization-defined types of digital and/or non-digital media
-                                        to organization-defined personnel or roles.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for restricting information media\n\nautomated mechanisms supporting and/or implementing media access restrictions
-        - 
-          id:         mp-3
-          class:      SP800-53
-          title:      Media Marking
-          parameters: 
-            - 
-              id:          mp-3_prm_1
-              label:       organization-defined types of information system media
-              constraints: 
-                - 
-                  detail: no removable media types
-            - 
-              id:    mp-3_prm_2
-              label: organization-defined controlled areas
-          properties: 
-            - 
-              name:  label
-              value: MP-3
-            - 
-              name:  sort-id
-              value: mp-03
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-          parts: 
-            - 
-              id:    mp-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Marks information system media indicating the distribution limitations, handling
-                                        caveats, and applicable security markings (if any) of the information; and
-                    """
-                - 
-                  id:         mp-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Exempts {{ mp-3_prm_1 }} from marking as long as the media remain
-                                        within {{ mp-3_prm_2 }}.
-                    """
-                - 
-                  id:    mp-3_fr
-                  name:  item
-                  title: MP-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         mp-3_fr_gdn.b
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b) Guidance:
-                      prose:      Second parameter not-applicable
-            - 
-              id:    mp-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  The term security marking refers to the application/use of human-readable security
-                                 attributes. The term security labeling refers to the application/use of security
-                                 attributes with regard to internal data structures within information systems (see
-                                 AC-16). Information system media includes both digital and non-digital media. Digital
-                                 media includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. Security marking is generally not
-                                 required for media containing information determined by organizations to be in the
-                                 public domain or to be publicly releasable. However, some organizations may require
-                                 markings for public information indicating that the information is publicly
-                                 releasable. Marking of information system media reflects applicable federal laws,
-                                 Executive Orders, directives, policies, regulations, standards, and guidance.
-                """
-              links: 
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    mp-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-3(a)
-                  prose:      marks information system media indicating the:
-                  parts: 
-                    - 
-                      id:         mp-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-3(a)[1]
-                      prose:      distribution limitations of the information;
-                    - 
-                      id:         mp-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-3(a)[2]
-                      prose:      handling caveats of the information;
-                    - 
-                      id:         mp-3.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-3(a)[3]
-                      prose:      applicable security markings (if any) of the information;
-                - 
-                  id:         mp-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-3(b)
-                  parts: 
-                    - 
-                      id:         mp-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-3(b)[1]
-                      prose: 
-                        """
-                          defines types of information system media to be exempted from marking as long
-                                               as the media remain in designated controlled areas;
-                        """
-                    - 
-                      id:         mp-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-3(b)[2]
-                      prose: 
-                        """
-                          defines controlled areas where organization-defined types of information system
-                                               media exempt from marking are to be retained; and
-                        """
-                    - 
-                      id:         mp-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-3(b)[3]
-                      prose: 
-                        """
-                          exempts organization-defined types of information system media from marking as
-                                               long as the media remain within organization-defined controlled areas.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nsecurity plan\n\nlist of information system media marking security attributes\n\ndesignated controlled areas\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection and marking
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for marking information media\n\nautomated mechanisms supporting and/or implementing media marking
-        - 
-          id:         mp-4
-          class:      SP800-53
-          title:      Media Storage
-          parameters: 
-            - 
-              id:          mp-4_prm_1
-              label:       organization-defined types of digital and/or non-digital media
-              constraints: 
-                - 
-                  detail: all types of digital and non-digital media with sensitive information
-            - 
-              id:          mp-4_prm_2
-              label:       organization-defined controlled areas
-              constraints: 
-                - 
-                  detail: see additional FedRAMP requirements and guidance
-          properties: 
-            - 
-              name:  label
-              value: MP-4
-            - 
-              name:  sort-id
-              value: mp-04
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #81f09e01-d0b0-4ae2-aa6a-064ed9950070
-              rel:  reference
-              text: NIST Special Publication 800-56
-            - 
-              href: #a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-              rel:  reference
-              text: NIST Special Publication 800-57
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Physically controls and securely stores {{ mp-4_prm_1 }} within
-                                           {{ mp-4_prm_2 }}; and
-                    """
-                - 
-                  id:         mp-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Protects information system media until the media are destroyed or sanitized using
-                                        approved equipment, techniques, and procedures.
-                    """
-                - 
-                  id:    mp-4_fr
-                  name:  item
-                  title: MP-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         mp-4_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider defines controlled areas within facilities where the information and information system reside.
-            - 
-              id:    mp-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. Physically controlling information system
-                                 media includes, for example, conducting inventories, ensuring procedures are in place
-                                 to allow individuals to check out and return media to the media library, and
-                                 maintaining accountability for all stored media. Secure storage includes, for
-                                 example, a locked drawer, desk, or cabinet, or a controlled media library. The type
-                                 of media storage is commensurate with the security category and/or classification of
-                                 the information residing on the media. Controlled areas are areas for which
-                                 organizations provide sufficient physical and procedural safeguards to meet the
-                                 requirements established for protecting information and/or information systems. For
-                                 media containing information determined by organizations to be in the public domain,
-                                 to be publicly releasable, or to have limited or no adverse impact on organizations
-                                 or individuals if accessed by other than authorized personnel, fewer safeguards may
-                                 be needed. In these situations, physical access controls provide adequate
-                                 protection.
-                """
-              links: 
-                - 
-                  href: #cp-6
-                  rel:  related
-                  text: CP-6
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-7
-                  rel:  related
-                  text: MP-7
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-            - 
-              id:    mp-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-4(a)
-                  parts: 
-                    - 
-                      id:         mp-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-4(a)[1]
-                      prose: 
-                        """
-                          defines types of digital and/or non-digital media to be physically controlled
-                                               and securely stored within designated controlled areas;
-                        """
-                    - 
-                      id:         mp-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-4(a)[2]
-                      prose: 
-                        """
-                          defines controlled areas designated to physically control and securely store
-                                               organization-defined types of digital and/or non-digital media;
-                        """
-                    - 
-                      id:         mp-4.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-4(a)[3]
-                      prose: 
-                        """
-                          physically controls organization-defined types of digital and/or non-digital
-                                               media within organization-defined controlled areas;
-                        """
-                    - 
-                      id:         mp-4.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-4(a)[4]
-                      prose: 
-                        """
-                          securely stores organization-defined types of digital and/or non-digital media
-                                               within organization-defined controlled areas; and
-                        """
-                - 
-                  id:         mp-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-4(b)
-                  prose: 
-                    """
-                      protects information system media until the media are destroyed or sanitized using
-                                        approved equipment, techniques, and procedures.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection and storage
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for storing information media\n\nautomated mechanisms supporting and/or implementing secure media storage/media
-                                        protection
-                    """
-        - 
-          id:         mp-5
-          class:      SP800-53
-          title:      Media Transport
-          parameters: 
-            - 
-              id:          mp-5_prm_1
-              label:       organization-defined types of information system media
-              constraints: 
-                - 
-                  detail: all media with sensitive information
-            - 
-              id:          mp-5_prm_2
-              label:       organization-defined security safeguards
-              constraints: 
-                - 
-                  detail: prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container
-          properties: 
-            - 
-              name:  label
-              value: MP-5
-            - 
-              name:  sort-id
-              value: mp-05
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-          parts: 
-            - 
-              id:    mp-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Protects and controls {{ mp-5_prm_1 }} during transport outside of
-                                        controlled areas using {{ mp-5_prm_2 }};
-                    """
-                - 
-                  id:         mp-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Maintains accountability for information system media during transport outside of
-                                        controlled areas;
-                    """
-                - 
-                  id:         mp-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Documents activities associated with the transport of information system media;
-                                        and
-                    """
-                - 
-                  id:         mp-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Restricts the activities associated with the transport of information system media
-                                        to authorized personnel.
-                    """
-                - 
-                  id:    mp-5_fr
-                  name:  item
-                  title: MP-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         mp-5_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.
-            - 
-              id:    mp-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. This control also applies to mobile
-                                 devices with information storage capability (e.g., smart phones, tablets, E-readers),
-                                 that are transported outside of controlled areas. Controlled areas are areas or
-                                 spaces for which organizations provide sufficient physical and/or procedural
-                                 safeguards to meet the requirements established for protecting information and/or
-                                 information systems. Physical and technical safeguards for media are commensurate
-                                 with the security category or classification of the information residing on the
-                                 media. Safeguards to protect media during transport include, for example, locked
-                                 containers and cryptography. Cryptographic mechanisms can provide confidentiality and
-                                 integrity protections depending upon the mechanisms used. Activities associated with
-                                 transport include the actual transport as well as those activities such as releasing
-                                 media for transport and ensuring that media enters the appropriate transport
-                                 processes. For the actual transport, authorized transport and courier personnel may
-                                 include individuals from outside the organization (e.g., U.S. Postal Service or a
-                                 commercial transport or delivery service). Maintaining accountability of media during
-                                 transport includes, for example, restricting transport activities to authorized
-                                 personnel, and tracking and/or obtaining explicit records of transport activities as
-                                 the media moves through the transportation system to prevent and detect loss,
-                                 destruction, or tampering. Organizations establish documentation requirements for
-                                 activities associated with the transport of information system media in accordance
-                                 with organizational assessments of risk to include the flexibility to define
-                                 different record-keeping methods for the different types of media transport as part
-                                 of an overall system of transport-related records.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #mp-3
-                  rel:  related
-                  text: MP-3
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-            - 
-              id:    mp-5_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-5(a)
-                  parts: 
-                    - 
-                      id:         mp-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-5(a)[1]
-                      prose: 
-                        """
-                          defines types of information system media to be protected and controlled during
-                                               transport outside of controlled areas;
-                        """
-                    - 
-                      id:         mp-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-5(a)[2]
-                      prose: 
-                        """
-                          defines security safeguards to protect and control organization-defined
-                                               information system media during transport outside of controlled areas;
-                        """
-                    - 
-                      id:         mp-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-5(a)[3]
-                      prose: 
-                        """
-                          protects and controls organization-defined information system media during
-                                               transport outside of controlled areas using organization-defined security
-                                               safeguards;
-                        """
-                - 
-                  id:         mp-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-5(b)
-                  prose: 
-                    """
-                      maintains accountability for information system media during transport outside of
-                                        controlled areas;
-                    """
-                - 
-                  id:         mp-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-5(c)
-                  prose: 
-                    """
-                      documents activities associated with the transport of information system media;
-                                        and
-                    """
-                - 
-                  id:         mp-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-5(d)
-                  prose: 
-                    """
-                      restricts the activities associated with transport of information system media to
-                                        authorized personnel.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information system media protection and storage
-                                        responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for storing information media\n\nautomated mechanisms supporting and/or implementing media storage/media
-                                        protection
-                    """
-          controls: 
-            - 
-              id:         mp-5.4
-              class:      SP800-53-enhancement
-              title:      Cryptographic Protection
-              properties: 
-                - 
-                  name:  label
-                  value: MP-5(4)
-                - 
-                  name:  sort-id
-                  value: mp-05.04
-              parts: 
-                - 
-                  id:    mp-5.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to protect the
-                                        confidentiality and integrity of information stored on digital media during
-                                        transport outside of controlled areas.
-                    """
-                - 
-                  id:    mp-5.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to both portable storage devices (e.g., USB
-                                        memory sticks, compact disks, digital video disks, external/removable hard disk
-                                        drives) and mobile devices with storage capability (e.g., smart phones, tablets,
-                                        E-readers).
-                    """
-                  links: 
-                    - 
-                      href: #mp-2
-                      rel:  related
-                      text: MP-2
-                - 
-                  id:         mp-5.4_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs cryptographic mechanisms to protect the
-                                        confidentiality and integrity of information stored on digital media during
-                                        transport outside of controlled areas. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system media protection policy\n\nprocedures addressing media transport\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system media transport records\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system media transport
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms protecting information on digital media during
-                                               transportation outside controlled areas
-                        """
-        - 
-          id:         mp-6
-          class:      SP800-53
-          title:      Media Sanitization
-          parameters: 
-            - 
-              id:    mp-6_prm_1
-              label: organization-defined information system media
-            - 
-              id:    mp-6_prm_2
-              label: organization-defined sanitization techniques and procedures
-          properties: 
-            - 
-              name:  label
-              value: MP-6
-            - 
-              name:  sort-id
-              value: mp-06
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-            - 
-              href: #263823e0-a971-4b00-959d-315b26278b22
-              rel:  reference
-              text: NIST Special Publication 800-88
-            - 
-              href: #a47466c4-c837-4f06-a39f-e68412a5f73d
-              rel:  reference
-              text: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-          parts: 
-            - 
-              id:    mp-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         mp-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Sanitizes {{ mp-6_prm_1 }} prior to disposal, release out of
-                                        organizational control, or release for reuse using {{ mp-6_prm_2 }}
-                                        in accordance with applicable federal and organizational standards and policies;
-                                        and
-                    """
-                - 
-                  id:         mp-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs sanitization mechanisms with the strength and integrity commensurate with
-                                        the security category or classification of the information.
-                    """
-            - 
-              id:    mp-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to all information system media, both digital and non-digital,
-                                 subject to disposal or reuse, whether or not the media is considered removable.
-                                 Examples include media found in scanners, copiers, printers, notebook computers,
-                                 workstations, network components, and mobile devices. The sanitization process
-                                 removes information from the media such that the information cannot be retrieved or
-                                 reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-                                 erase, and destruction, prevent the disclosure of information to unauthorized
-                                 individuals when such media is reused or released for disposal. Organizations
-                                 determine the appropriate sanitization methods recognizing that destruction is
-                                 sometimes necessary when other methods cannot be applied to media requiring
-                                 sanitization. Organizations use discretion on the employment of approved sanitization
-                                 techniques and procedures for media containing information deemed to be in the public
-                                 domain or publicly releasable, or deemed to have no adverse impact on organizations
-                                 or individuals if released for reuse or disposal. Sanitization of non-digital media
-                                 includes, for example, removing a classified appendix from an otherwise unclassified
-                                 document, or redacting selected sections or words from a document by obscuring the
-                                 redacted sections/words in a manner equivalent in effectiveness to removing them from
-                                 the document. NSA standards and policies control the sanitization process for media
-                                 containing classified information.
-                """
-              links: 
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-4
-                  rel:  related
-                  text: SC-4
-            - 
-              id:    mp-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-6(a)
-                  parts: 
-                    - 
-                      id:         mp-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(a)[1]
-                      prose:      defines information system media to be sanitized prior to:
-                      parts: 
-                        - 
-                          id:         mp-6.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][a]
-                          prose:      disposal;
-                        - 
-                          id:         mp-6.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][b]
-                          prose:      release out of organizational control; or
-                        - 
-                          id:         mp-6.a_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[1][c]
-                          prose:      release for reuse;
-                    - 
-                      id:         mp-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(a)[2]
-                      prose: 
-                        """
-                          defines sanitization techniques or procedures to be used for sanitizing
-                                               organization-defined information system media prior to:
-                        """
-                      parts: 
-                        - 
-                          id:         mp-6.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][a]
-                          prose:      disposal;
-                        - 
-                          id:         mp-6.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][b]
-                          prose:      release out of organizational control; or
-                        - 
-                          id:         mp-6.a_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: MP-6(a)[2][c]
-                          prose:      release for reuse;
-                    - 
-                      id:         mp-6.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-6(a)[3]
-                      prose: 
-                        """
-                          sanitizes organization-defined information system media prior to disposal,
-                                               release out of organizational control, or release for reuse using
-                                               organization-defined sanitization techniques or procedures in accordance with
-                                               applicable federal and organizational standards and policies; and
-                        """
-                - 
-                  id:         mp-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-6(b)
-                  prose: 
-                    """
-                      employs sanitization mechanisms with strength and integrity commensurate with the
-                                        security category or classification of the information.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization
-          controls: 
-            - 
-              id:         mp-6.2
-              class:      SP800-53-enhancement
-              title:      Equipment Testing
-              parameters: 
-                - 
-                  id:          mp-6.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least annually
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: MP-6(2)
-                - 
-                  name:  sort-id
-                  value: mp-06.02
-              parts: 
-                - 
-                  id:    mp-6.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization tests sanitization equipment and procedures {{ mp-6.2_prm_1 }} to verify that the intended sanitization is being
-                                        achieved.
-                    """
-                  parts: 
-                    - 
-                      id:    mp-6.2_fr
-                      name:  item
-                      title: MP-6 (2) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         mp-6.2_fr_gdn.a
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: (a) Requirement:
-                          prose:      Equipment and procedures may be tested or validated for effectiveness
-                - 
-                  id:    mp-6.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Testing of sanitization equipment and procedures may be conducted by qualified and
-                                        authorized external entities (e.g., other federal agencies or external service
-                                        providers).
-                    """
-                - 
-                  id:    mp-6.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         mp-6.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: MP-6(2)[1]
-                      prose: 
-                        """
-                          defines the frequency for testing sanitization equipment and procedures to
-                                               verify that the intended sanitization is being achieved; and
-                        """
-                    - 
-                      id:         mp-6.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: MP-6(2)[2]
-                      prose: 
-                        """
-                          tests sanitization equipment and procedures with the organization-defined
-                                               frequency to verify that the intended sanitization is being achieved.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with information system media sanitization
-                                               responsibilities\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization
-        - 
-          id:         mp-7
-          class:      SP800-53
-          title:      Media Use
-          parameters: 
-            - 
-              id: mp-7_prm_1
-            - 
-              id:    mp-7_prm_2
-              label: organization-defined types of information system media
-            - 
-              id:    mp-7_prm_3
-              label: organization-defined information systems or system components
-            - 
-              id:    mp-7_prm_4
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: MP-7
-            - 
-              name:  sort-id
-              value: mp-07
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    mp-7_smt
-              name:  statement
-              prose: The organization {{ mp-7_prm_1 }} the use of {{ mp-7_prm_2 }} on {{ mp-7_prm_3 }} using {{ mp-7_prm_4 }}.
-            - 
-              id:    mp-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system media includes both digital and non-digital media. Digital media
-                                 includes, for example, diskettes, magnetic tapes, external/removable hard disk
-                                 drives, flash drives, compact disks, and digital video disks. Non-digital media
-                                 includes, for example, paper and microfilm. This control also applies to mobile
-                                 devices with information storage capability (e.g., smart phones, tablets, E-readers).
-                                 In contrast to MP-2, which restricts user access to media, this control restricts the
-                                 use of certain types of media on information systems, for example,
-                                 restricting/prohibiting the use of flash drives or external hard disk drives.
-                                 Organizations can employ technical and nontechnical safeguards (e.g., policies,
-                                 procedures, rules of behavior) to restrict the use of information system media.
-                                 Organizations may restrict the use of portable storage devices, for example, by using
-                                 physical cages on workstations to prohibit access to certain external ports, or
-                                 disabling/removing the ability to insert, read or write to such devices.
-                                 Organizations may also limit the use of portable storage devices to only approved
-                                 devices including, for example, devices provided by the organization, devices
-                                 provided by other approved organizations, and devices that are not personally owned.
-                                 Finally, organizations may restrict the use of portable storage devices based on the
-                                 type of device, for example, prohibiting the use of writeable, portable storage
-                                 devices, and implementing this restriction by disabling or removing the capability to
-                                 write to such devices.
-                """
-              links: 
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-            - 
-              id:    mp-7_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         mp-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[1]
-                  prose:      defines types of information system media to be:
-                  parts: 
-                    - 
-                      id:         mp-7_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[1][a]
-                      prose:      restricted on information systems or system components; or
-                    - 
-                      id:         mp-7_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[1][b]
-                      prose:      prohibited from use on information systems or system components;
-                - 
-                  id:         mp-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: MP-7[2]
-                  prose: 
-                    """
-                      defines information systems or system components on which the use of
-                                        organization-defined types of information system media is to be one of the
-                                        following:
-                    """
-                  parts: 
-                    - 
-                      id:         mp-7_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[2][a]
-                      prose:      restricted; or
-                    - 
-                      id:         mp-7_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: MP-7[2][b]
-                      prose:      prohibited;
-                - 
-                  id:         mp-7_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: MP-7[3]
-                  prose: 
-                    """
-                      defines security safeguards to be employed to restrict or prohibit the use of
-                                        organization-defined types of information system media on organization-defined
-                                        information systems or system components; and
-                    """
-                - 
-                  id:         mp-7_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: MP-7[4]
-                  prose: 
-                    """
-                      restricts or prohibits the use of organization-defined information system media on
-                                        organization-defined information systems or system components using
-                                        organization-defined security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on
-                                        information systems or system components
-                    """
-          controls: 
-            - 
-              id:         mp-7.1
-              class:      SP800-53-enhancement
-              title:      Prohibit Use Without Owner
-              properties: 
-                - 
-                  name:  label
-                  value: MP-7(1)
-                - 
-                  name:  sort-id
-                  value: mp-07.01
-              parts: 
-                - 
-                  id:    mp-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization prohibits the use of portable storage devices in organizational
-                                        information systems when such devices have no identifiable owner.
-                    """
-                - 
-                  id:    mp-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Requiring identifiable owners (e.g., individuals, organizations, or projects) for
-                                        portable storage devices reduces the risk of using such technologies by allowing
-                                        organizations to assign responsibility and accountability for addressing known
-                                        vulnerabilities in the devices (e.g., malicious code insertion).
-                    """
-                  links: 
-                    - 
-                      href: #pl-4
-                      rel:  related
-                      text: PL-4
-                - 
-                  id:         mp-7.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization prohibits the use of portable storage devices in
-                                        organizational information systems when such devices have no identifiable owner.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for media use\n\nautomated mechanisms prohibiting use of media on information systems or system
-                                               components
-                        """
-    - 
-      id:       pe
-      class:    family
-      title:    Physical and Environmental Protection
-      controls: 
-        - 
-          id:         pe-1
-          class:      SP800-53
-          title:      Physical and Environmental Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    pe-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pe-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          pe-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-1
-            - 
-              name:  sort-id
-              value: pe-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    pe-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ pe-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         pe-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A physical and environmental protection policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         pe-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the physical and environmental
-                                               protection policy and associated physical and environmental protection
-                                               controls; and
-                        """
-                - 
-                  id:         pe-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         pe-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Physical and environmental protection policy {{ pe-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         pe-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Physical and environmental protection procedures {{ pe-1_prm_3 }}.
-            - 
-              id:    pe-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PE
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    pe-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         pe-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-1(a)
-                  parts: 
-                    - 
-                      id:         pe-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(a)(1)
-                      parts: 
-                        - 
-                          id:         pe-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a physical and environmental protection policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         pe-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         pe-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         pe-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         pe-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         pe-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         pe-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         pe-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         pe-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the physical and environmental protection
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         pe-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PE-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the physical and environmental protection policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         pe-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(a)(2)
-                      parts: 
-                        - 
-                          id:         pe-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      physical and environmental protection policy and associated physical and
-                                                      environmental protection controls;
-                            """
-                        - 
-                          id:         pe-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pe-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PE-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         pe-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-1(b)
-                  parts: 
-                    - 
-                      id:         pe-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(b)(1)
-                      parts: 
-                        - 
-                          id:         pe-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current physical and
-                                                      environmental protection policy;
-                            """
-                        - 
-                          id:         pe-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current physical and environmental protection policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         pe-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-1(b)(2)
-                      parts: 
-                        - 
-                          id:         pe-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current physical and
-                                                      environmental protection procedures; and
-                            """
-                        - 
-                          id:         pe-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current physical and environmental protection
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with physical and environmental protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         pe-2
-          class:      SP800-53
-          title:      Physical Access Authorizations
-          parameters: 
-            - 
-              id:          pe-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-2
-            - 
-              name:  sort-id
-              value: pe-02
-          parts: 
-            - 
-              id:    pe-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops, approves, and maintains a list of individuals with authorized access to
-                                        the facility where the information system resides;
-                    """
-                - 
-                  id:         pe-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Issues authorization credentials for facility access;
-                - 
-                  id:         pe-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Reviews the access list detailing authorized facility access by individuals
-                                           {{ pe-2_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Removes individuals from the facility access list when access is no longer
-                                        required.
-                    """
-            - 
-              id:    pe-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to organizational employees and visitors. Individuals (e.g.,
-                                 employees, contractors, and others) with permanent physical access authorization
-                                 credentials are not considered visitors. Authorization credentials include, for
-                                 example, badges, identification cards, and smart cards. Organizations determine the
-                                 strength of authorization credentials needed (including level of forge-proof badges,
-                                 smart cards, or identification cards) consistent with federal standards, policies,
-                                 and procedures. This control only applies to areas within facilities that have not
-                                 been designated as publicly accessible.
-                """
-              links: 
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-            - 
-              id:    pe-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(a)
-                  parts: 
-                    - 
-                      id:         pe-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PE-2(a)[1]
-                      prose: 
-                        """
-                          develops a list of individuals with authorized access to the facility where the
-                                               information system resides;
-                        """
-                    - 
-                      id:         pe-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-2(a)[2]
-                      prose: 
-                        """
-                          approves a list of individuals with authorized access to the facility where the
-                                               information system resides;
-                        """
-                    - 
-                      id:         pe-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PE-2(a)[3]
-                      prose: 
-                        """
-                          maintains a list of individuals with authorized access to the facility where
-                                               the information system resides;
-                        """
-                - 
-                  id:         pe-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-2(b)
-                  prose:      issues authorization credentials for facility access;
-                - 
-                  id:         pe-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-2(c)
-                  parts: 
-                    - 
-                      id:         pe-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the access list detailing authorized facility
-                                               access by individuals;
-                        """
-                    - 
-                      id:         pe-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-2(c)[2]
-                      prose: 
-                        """
-                          reviews the access list detailing authorized facility access by individuals
-                                               with the organization-defined frequency; and
-                        """
-                - 
-                  id:         pe-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-2(d)
-                  prose: 
-                    """
-                      removes individuals from the facility access list when access is no longer
-                                        required.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and/or implementing physical access
-                                        authorizations
-                    """
-        - 
-          id:         pe-3
-          class:      SP800-53
-          title:      Physical Access Control
-          parameters: 
-            - 
-              id:    pe-3_prm_1
-              label: 
-                """
-                  organization-defined entry/exit points to the facility where the information
-                                 system resides
-                """
-            - 
-              id:          pe-3_prm_2
-              constraints: 
-                - 
-                  detail: CSP defined physical access control systems/devices AND guards
-            - 
-              id:          pe-3_prm_3
-              depends-on:  pe-3_prm_2
-              label:       organization-defined physical access control systems/devices
-              constraints: 
-                - 
-                  detail: CSP defined physical access control systems/devices
-            - 
-              id:    pe-3_prm_4
-              label: organization-defined entry/exit points
-            - 
-              id:    pe-3_prm_5
-              label: organization-defined security safeguards
-            - 
-              id:          pe-3_prm_6
-              label: 
-                """
-                  organization-defined circumstances requiring visitor escorts and
-                                 monitoring
-                """
-              constraints: 
-                - 
-                  detail: in all circumstances within restricted access area where the information system resides
-            - 
-              id:    pe-3_prm_7
-              label: organization-defined physical access devices
-            - 
-              id:          pe-3_prm_8
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          pe-3_prm_9
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-3
-            - 
-              name:  sort-id
-              value: pe-03
-          links: 
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #2157bb7e-192c-4eaa-877f-93ef6b0a3292
-              rel:  reference
-              text: NIST Special Publication 800-116
-            - 
-              href: #6caa237b-531b-43ac-9711-d8f6b97b0377
-              rel:  reference
-              text: ICD 704
-            - 
-              href: #398e33fd-f404-4e5c-b90e-2d50d3181244
-              rel:  reference
-              text: ICD 705
-            - 
-              href: #61081e7f-041d-4033-96a7-44a439071683
-              rel:  reference
-              text: DoD Instruction 5200.39
-            - 
-              href: #dd2f5acd-08f1-435a-9837-f8203088dc1a
-              rel:  reference
-              text: 
-                """
-                  Personal Identity Verification (PIV) in Enterprise
-                              Physical Access Control System (E-PACS)
-                """
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-            - 
-              href: #5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-              rel:  reference
-              text: http://fips201ep.cio.gov
-          parts: 
-            - 
-              id:    pe-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Enforces physical access authorizations at {{ pe-3_prm_1 }} by;
-                  parts: 
-                    - 
-                      id:         pe-3_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Verifying individual access authorizations before granting access to the
-                                               facility; and
-                        """
-                    - 
-                      id:         pe-3_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Controlling ingress/egress to the facility using {{ pe-3_prm_2 }};
-                - 
-                  id:         pe-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Maintains physical access audit logs for {{ pe-3_prm_4 }};
-                - 
-                  id:         pe-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides {{ pe-3_prm_5 }} to control access to areas within the
-                                        facility officially designated as publicly accessible;
-                    """
-                - 
-                  id:         pe-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Escorts visitors and monitors visitor activity {{ pe-3_prm_6 }};
-                - 
-                  id:         pe-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Secures keys, combinations, and other physical access devices;
-                - 
-                  id:         pe-3_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Inventories {{ pe-3_prm_7 }} every {{ pe-3_prm_8 }};
-                                        and
-                    """
-                - 
-                  id:         pe-3_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Changes combinations and keys {{ pe-3_prm_9 }} and/or when keys are
-                                        lost, combinations are compromised, or individuals are transferred or
-                                        terminated.
-                    """
-            - 
-              id:    pe-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to organizational employees and visitors. Individuals (e.g.,
-                                 employees, contractors, and others) with permanent physical access authorization
-                                 credentials are not considered visitors. Organizations determine the types of
-                                 facility guards needed including, for example, professional physical security staff
-                                 or other personnel such as administrative staff or information system users. Physical
-                                 access devices include, for example, keys, locks, combinations, and card readers.
-                                 Safeguards for publicly accessible areas within organizational facilities include,
-                                 for example, cameras, monitoring by guards, and isolating selected information
-                                 systems and/or system components in secured areas. Physical access control systems
-                                 comply with applicable federal laws, Executive Orders, directives, policies,
-                                 regulations, standards, and guidance. The Federal Identity, Credential, and Access
-                                 Management Program provides implementation guidance for identity, credential, and
-                                 access management capabilities for physical access control systems. Organizations
-                                 have flexibility in the types of audit logs employed. Audit logs can be procedural
-                                 (e.g., a written log of individuals accessing the facility and when such access
-                                 occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-                                 thereof. Physical access points can include facility access points, interior access
-                                 points to information systems and/or components requiring supplemental access
-                                 controls, or both. Components of organizational information systems (e.g.,
-                                 workstations, terminals) may be located in areas designated as publicly accessible
-                                 with organizations safeguarding access to such devices.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #pe-5
-                  rel:  related
-                  text: PE-5
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-            - 
-              id:    pe-3_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(a)
-                  parts: 
-                    - 
-                      id:         pe-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(a)[1]
-                      prose: 
-                        """
-                          defines entry/exit points to the facility where the information system
-                                               resides;
-                        """
-                    - 
-                      id:         pe-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(a)[2]
-                      prose: 
-                        """
-                          enforces physical access authorizations at organization-defined entry/exit
-                                               points to the facility where the information system resides by:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(a)[2](1)
-                          prose: 
-                            """
-                              verifying individual access authorizations before granting access to the
-                                                      facility;
-                            """
-                        - 
-                          id:         pe-3.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PE-3(a)[2](2)
-                          parts: 
-                            - 
-                              id:         pe-3.a.2_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-3(a)[2](2)[a]
-                              prose: 
-                                """
-                                  defining physical access control systems/devices to be employed to
-                                                             control ingress/egress to the facility where the information system
-                                                             resides;
-                                """
-                            - 
-                              id:         pe-3.a.2_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PE-3(a)[2](2)[b]
-                              prose: 
-                                """
-                                  using one or more of the following ways to control ingress/egress to the
-                                                             facility:
-                                """
-                              parts: 
-                                - 
-                                  id:         pe-3.a.2_obj.2.b.1
-                                  name:       objective
-                                  properties: 
-                                    - 
-                                      name:  label
-                                      value: PE-3(a)[2](2)[b][1]
-                                  prose: 
-                                    """
-                                      organization-defined physical access control systems/devices;
-                                                                    and/or
-                                    """
-                                - 
-                                  id:         pe-3.a.2_obj.2.b.2
-                                  name:       objective
-                                  properties: 
-                                    - 
-                                      name:  label
-                                      value: PE-3(a)[2](2)[b][2]
-                                  prose:      guards;
-                - 
-                  id:         pe-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(b)
-                  parts: 
-                    - 
-                      id:         pe-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(b)[1]
-                      prose: 
-                        """
-                          defines entry/exit points for which physical access audit logs are to be
-                                               maintained;
-                        """
-                    - 
-                      id:         pe-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(b)[2]
-                      prose: 
-                        """
-                          maintains physical access audit logs for organization-defined entry/exit
-                                               points;
-                        """
-                - 
-                  id:         pe-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(c)
-                  parts: 
-                    - 
-                      id:         pe-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(c)[1]
-                      prose: 
-                        """
-                          defines security safeguards to be employed to control access to areas within
-                                               the facility officially designated as publicly accessible;
-                        """
-                    - 
-                      id:         pe-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(c)[2]
-                      prose: 
-                        """
-                          provides organization-defined security safeguards to control access to areas
-                                               within the facility officially designated as publicly accessible;
-                        """
-                - 
-                  id:         pe-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(d)
-                  parts: 
-                    - 
-                      id:         pe-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(d)[1]
-                      prose:      defines circumstances requiring visitor:
-                      parts: 
-                        - 
-                          id:         pe-3.d_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[1][a]
-                          prose:      escorts;
-                        - 
-                          id:         pe-3.d_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[1][b]
-                          prose:      monitoring;
-                    - 
-                      id:         pe-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(d)[2]
-                      prose: 
-                        """
-                          in accordance with organization-defined circumstances requiring visitor escorts
-                                               and monitoring:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.d_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[2][a]
-                          prose:      escorts visitors;
-                        - 
-                          id:         pe-3.d_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(d)[2][b]
-                          prose:      monitors visitor activities;
-                - 
-                  id:         pe-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(e)
-                  parts: 
-                    - 
-                      id:         pe-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[1]
-                      prose:      secures keys;
-                    - 
-                      id:         pe-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[2]
-                      prose:      secures combinations;
-                    - 
-                      id:         pe-3.e_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(e)[3]
-                      prose:      secures other physical access devices;
-                - 
-                  id:         pe-3.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(f)
-                  parts: 
-                    - 
-                      id:         pe-3.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(f)[1]
-                      prose:      defines physical access devices to be inventoried;
-                    - 
-                      id:         pe-3.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(f)[2]
-                      prose: 
-                        """
-                          defines the frequency to inventory organization-defined physical access
-                                               devices;
-                        """
-                    - 
-                      id:         pe-3.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(f)[3]
-                      prose: 
-                        """
-                          inventories the organization-defined physical access devices with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         pe-3.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-3(g)
-                  parts: 
-                    - 
-                      id:         pe-3.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-3(g)[1]
-                      prose:      defines the frequency to change combinations and keys; and
-                    - 
-                      id:         pe-3.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-3(g)[2]
-                      prose: 
-                        """
-                          changes combinations and keys with the organization-defined frequency and/or
-                                               when:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-3.g_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][a]
-                          prose:      keys are lost;
-                        - 
-                          id:         pe-3.g_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][b]
-                          prose:      combinations are compromised;
-                        - 
-                          id:         pe-3.g_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-3(g)[2][c]
-                          prose:      individuals are transferred or terminated.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible
-                                        areas within facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for physical access control\n\nautomated mechanisms supporting and/or implementing physical access control\n\nphysical access control devices
-        - 
-          id:         pe-4
-          class:      SP800-53
-          title:      Access Control for Transmission Medium
-          parameters: 
-            - 
-              id:    pe-4_prm_1
-              label: 
-                """
-                  organization-defined information system distribution and transmission
-                                 lines
-                """
-            - 
-              id:    pe-4_prm_2
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: PE-4
-            - 
-              name:  sort-id
-              value: pe-04
-          links: 
-            - 
-              href: #06dff0ea-3848-4945-8d91-e955ee69f05d
-              rel:  reference
-              text: NSTISSI No. 7003
-          parts: 
-            - 
-              id:    pe-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization controls physical access to {{ pe-4_prm_1 }} within
-                                 organizational facilities using {{ pe-4_prm_2 }}.
-                """
-            - 
-              id:    pe-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Physical security safeguards applied to information system distribution and
-                                 transmission lines help to prevent accidental damage, disruption, and physical
-                                 tampering. In addition, physical safeguards may be necessary to help prevent
-                                 eavesdropping or in transit modification of unencrypted transmissions. Security
-                                 safeguards to control physical access to system distribution and transmission lines
-                                 include, for example: (i) locked wiring closets; (ii) disconnected or locked spare
-                                 jacks; and/or (iii) protection of cabling by conduit or cable trays.
-                """
-              links: 
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-5
-                  rel:  related
-                  text: PE-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-            - 
-              id:    pe-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-4_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PE-4[1]
-                  prose: 
-                    """
-                      defines information system distribution and transmission lines requiring physical
-                                        access controls;
-                    """
-                - 
-                  id:         pe-4_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PE-4[2]
-                  prose: 
-                    """
-                      defines security safeguards to be employed to control physical access to
-                                        organization-defined information system distribution and transmission lines within
-                                        organizational facilities; and
-                    """
-                - 
-                  id:         pe-4_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-4[3]
-                  prose: 
-                    """
-                      controls physical access to organization-defined information system distribution
-                                        and transmission lines within organizational facilities using organization-defined
-                                        security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing access control for transmission medium\n\ninformation system design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to information system distribution
-                                        and transmission lines\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for access control to distribution and transmission
-                                        lines\n\nautomated mechanisms/security safeguards supporting and/or implementing access
-                                        control to distribution and transmission lines
-                    """
-        - 
-          id:         pe-5
-          class:      SP800-53
-          title:      Access Control for Output Devices
-          properties: 
-            - 
-              name:  label
-              value: PE-5
-            - 
-              name:  sort-id
-              value: pe-05
-          parts: 
-            - 
-              id:    pe-5_smt
-              name:  statement
-              prose: 
-                """
-                  The organization controls physical access to information system output devices to
-                                 prevent unauthorized individuals from obtaining the output.
-                """
-            - 
-              id:    pe-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Controlling physical access to output devices includes, for example, placing output
-                                 devices in locked rooms or other secured areas and allowing access to authorized
-                                 individuals only, and placing output devices in locations that can be monitored by
-                                 organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,
-                                 and audio devices are examples of information system output devices.
-                """
-              links: 
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-                - 
-                  href: #pe-18
-                  rel:  related
-                  text: PE-18
-            - 
-              id:         pe-5_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization controls physical access to information system output
-                                 devices to prevent unauthorized individuals from obtaining the output. 
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of information system components\n\nactual displays from information system components\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for access control to output devices\n\nautomated mechanisms supporting and/or implementing access control to output
-                                        devices
-                    """
-        - 
-          id:         pe-6
-          class:      SP800-53
-          title:      Monitoring Physical Access
-          parameters: 
-            - 
-              id:          pe-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-            - 
-              id:    pe-6_prm_2
-              label: organization-defined events or potential indications of events
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-6
-            - 
-              name:  sort-id
-              value: pe-06
-          parts: 
-            - 
-              id:    pe-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Monitors physical access to the facility where the information system resides to
-                                        detect and respond to physical security incidents;
-                    """
-                - 
-                  id:         pe-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews physical access logs {{ pe-6_prm_1 }} and upon occurrence
-                                        of {{ pe-6_prm_2 }}; and
-                    """
-                - 
-                  id:         pe-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Coordinates results of reviews and investigations with the organizational incident
-                                        response capability.
-                    """
-            - 
-              id:    pe-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational incident response capabilities include investigations of and responses
-                                 to detected physical security incidents. Security incidents include, for example,
-                                 apparent security violations or suspicious physical access activities. Suspicious
-                                 physical access activities include, for example: (i) accesses outside of normal work
-                                 hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-                                 unusual lengths of time; and (iv) out-of-sequence accesses.
-                """
-              links: 
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-            - 
-              id:    pe-6_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-6(a)
-                  prose: 
-                    """
-                      monitors physical access to the facility where the information system resides to
-                                        detect and respond to physical security incidents;
-                    """
-                - 
-                  id:         pe-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-6(b)
-                  parts: 
-                    - 
-                      id:         pe-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-6(b)[1]
-                      prose:      defines the frequency to review physical access logs;
-                    - 
-                      id:         pe-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-6(b)[2]
-                      prose: 
-                        """
-                          defines events or potential indication of events requiring physical access logs
-                                               to be reviewed;
-                        """
-                    - 
-                      id:         pe-6.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-6(b)[3]
-                      prose: 
-                        """
-                          reviews physical access logs with the organization-defined frequency and upon
-                                               occurrence of organization-defined events or potential indications of events;
-                                               and
-                        """
-                - 
-                  id:         pe-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-6(c)
-                  prose: 
-                    """
-                      coordinates results of reviews and investigations with the organizational incident
-                                        response capability.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and/or implementing physical access monitoring\n\nautomated mechanisms supporting and/or implementing reviewing of physical access
-                                        logs
-                    """
-          controls: 
-            - 
-              id:         pe-6.1
-              class:      SP800-53-enhancement
-              title:      Intrusion Alarms / Surveillance Equipment
-              properties: 
-                - 
-                  name:  label
-                  value: PE-6(1)
-                - 
-                  name:  sort-id
-                  value: pe-06.01
-              parts: 
-                - 
-                  id:    pe-6.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization monitors physical intrusion alarms and surveillance
-                                        equipment.
-                    """
-                - 
-                  id:         pe-6.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization monitors physical intrusion alarms and surveillance
-                                        equipment. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring physical intrusion alarms and
-                                               surveillance equipment\n\nautomated mechanisms supporting and/or implementing physical access
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing physical intrusion alarms
-                                               and surveillance equipment
-                        """
-        - 
-          id:         pe-8
-          class:      SP800-53
-          title:      Visitor Access Records
-          parameters: 
-            - 
-              id:          pe-8_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: for a minimum of one (1) year
-            - 
-              id:          pe-8_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PE-8
-            - 
-              name:  sort-id
-              value: pe-08
-          parts: 
-            - 
-              id:    pe-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Maintains visitor access records to the facility where the information system
-                                        resides for {{ pe-8_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews visitor access records {{ pe-8_prm_2 }}.
-            - 
-              id:    pe-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Visitor access records include, for example, names and organizations of persons
-                                 visiting, visitor signatures, forms of identification, dates of access, entry and
-                                 departure times, purposes of visits, and names and organizations of persons visited.
-                                 Visitor access records are not required for publicly accessible areas.
-                """
-            - 
-              id:    pe-8_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-8(a)
-                  parts: 
-                    - 
-                      id:         pe-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-8(a)[1]
-                      prose: 
-                        """
-                          defines the time period to maintain visitor access records to the facility
-                                               where the information system resides;
-                        """
-                    - 
-                      id:         pe-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-8(a)[2]
-                      prose: 
-                        """
-                          maintains visitor access records to the facility where the information system
-                                               resides for the organization-defined time period;
-                        """
-                - 
-                  id:         pe-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-8(b)
-                  parts: 
-                    - 
-                      id:         pe-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-8(b)[1]
-                      prose:      defines the frequency to review visitor access records; and
-                    - 
-                      id:         pe-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-8(b)[2]
-                      prose:      reviews visitor access records with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and/or implementing maintenance and review of
-                                        visitor access records
-                    """
-        - 
-          id:         pe-9
-          class:      SP800-53
-          title:      Power Equipment and Cabling
-          properties: 
-            - 
-              name:  label
-              value: PE-9
-            - 
-              name:  sort-id
-              value: pe-09
-          parts: 
-            - 
-              id:    pe-9_smt
-              name:  statement
-              prose: 
-                """
-                  The organization protects power equipment and power cabling for the information
-                                 system from damage and destruction.
-                """
-            - 
-              id:    pe-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations determine the types of protection necessary for power equipment and
-                                 cabling employed at different locations both internal and external to organizational
-                                 facilities and environments of operation. This includes, for example, generators and
-                                 power cabling outside of buildings, internal cabling and uninterruptable power
-                                 sources within an office or data center, and power sources for self-contained
-                                 entities such as vehicles and satellites.
-                """
-              links: 
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-            - 
-              id:         pe-9_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization protects power equipment and power cabling for the
-                                 information system from damage and destruction. 
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing power equipment/cabling protection\n\nfacilities housing power equipment/cabling\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for protecting power
-                                        equipment/cabling\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing protection of power
-                                        equipment/cabling
-                    """
-        - 
-          id:         pe-10
-          class:      SP800-53
-          title:      Emergency Shutoff
-          parameters: 
-            - 
-              id:    pe-10_prm_1
-              label: organization-defined location by information system or system component
-          properties: 
-            - 
-              name:  label
-              value: PE-10
-            - 
-              name:  sort-id
-              value: pe-10
-          parts: 
-            - 
-              id:    pe-10_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-10_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides the capability of shutting off power to the information system or
-                                        individual system components in emergency situations;
-                    """
-                - 
-                  id:         pe-10_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Places emergency shutoff switches or devices in {{ pe-10_prm_1 }}
-                                        to facilitate safe and easy access for personnel; and
-                    """
-                - 
-                  id:         pe-10_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Protects emergency power shutoff capability from unauthorized activation.
-            - 
-              id:    pe-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms.
-                """
-              links: 
-                - 
-                  href: #pe-15
-                  rel:  related
-                  text: PE-15
-            - 
-              id:    pe-10_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-10.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-10(a)
-                  prose: 
-                    """
-                      provides the capability of shutting off power to the information system or
-                                        individual system components in emergency situations;
-                    """
-                - 
-                  id:         pe-10.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-10(b)
-                  parts: 
-                    - 
-                      id:         pe-10.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-10(b)[1]
-                      prose: 
-                        """
-                          defines the location of emergency shutoff switches or devices by information
-                                               system or system component;
-                        """
-                    - 
-                      id:         pe-10.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-10(b)[2]
-                      prose: 
-                        """
-                          places emergency shutoff switches or devices in the organization-defined
-                                               location by information system or system component to facilitate safe and easy
-                                               access for personnel; and
-                        """
-                - 
-                  id:         pe-10.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-10(c)
-                  prose:      protects emergency power shutoff capability from unauthorized activation.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nsecurity plan\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting emergency power shutoff capability from
-                                        unauthorized activation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for emergency power shutoff
-                                        capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing emergency power shutoff
-        - 
-          id:         pe-11
-          class:      SP800-53
-          title:      Emergency Power
-          parameters: 
-            - 
-              id: pe-11_prm_1
-          properties: 
-            - 
-              name:  label
-              value: PE-11
-            - 
-              name:  sort-id
-              value: pe-11
-          parts: 
-            - 
-              id:    pe-11_smt
-              name:  statement
-              prose: 
-                """
-                  The organization provides a short-term uninterruptible power supply to facilitate
-                                    {{ pe-11_prm_1 }} in the event of a primary power source loss.
-                """
-            - 
-              id:    pe-11_gdn
-              name:  guidance
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:         pe-11_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization provides a short-term uninterruptible power supply to
-                                 facilitate one or more of the following in the event of a primary power source loss: 
-                """
-              parts: 
-                - 
-                  id:         pe-11_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-11[1]
-                  prose:      an orderly shutdown of the information system; and/or
-                - 
-                  id:         pe-11_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-11[2]
-                  prose:      transition of the information system to long-term alternate power.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for emergency power and/or
-                                        planning\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing uninterruptible power
-                                        supply\n\nthe uninterruptable power supply
-                    """
-        - 
-          id:         pe-12
-          class:      SP800-53
-          title:      Emergency Lighting
-          properties: 
-            - 
-              name:  label
-              value: PE-12
-            - 
-              name:  sort-id
-              value: pe-12
-          parts: 
-            - 
-              id:    pe-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs and maintains automatic emergency lighting for the
-                                 information system that activates in the event of a power outage or disruption and
-                                 that covers emergency exits and evacuation routes within the facility.
-                """
-            - 
-              id:    pe-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms.
-                """
-              links: 
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:    pe-12_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization employs and maintains automatic emergency lighting for
-                                 the information system that: 
-                """
-              parts: 
-                - 
-                  id:         pe-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-12[1]
-                  prose:      activates in the event of a power outage or disruption; and
-                - 
-                  id:         pe-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-12[2]
-                  prose:      covers emergency exits and evacuation routes within the facility.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for emergency lighting and/or
-                                        planning\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing emergency lighting
-                                        capability
-                    """
-        - 
-          id:         pe-13
-          class:      SP800-53
-          title:      Fire Protection
-          properties: 
-            - 
-              name:  label
-              value: PE-13
-            - 
-              name:  sort-id
-              value: pe-13
-          parts: 
-            - 
-              id:    pe-13_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs and maintains fire suppression and detection devices/systems
-                                 for the information system that are supported by an independent energy source.
-                """
-            - 
-              id:    pe-13_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms. Fire suppression and detection devices/systems include, for example,
-                                 sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-                                 detectors.
-                """
-            - 
-              id:    pe-13_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-13_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-13[1]
-                  prose: 
-                    """
-                      employs fire suppression and detection devices/systems for the information system
-                                        that are supported by an independent energy source; and
-                    """
-                - 
-                  id:         pe-13_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-13[2]
-                  prose: 
-                    """
-                      maintains fire suppression and detection devices/systems for the information
-                                        system that are supported by an independent energy source.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for fire detection and suppression
-                                        devices/systems\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing fire suppression/detection
-                                        devices/systems
-                    """
-          controls: 
-            - 
-              id:         pe-13.2
-              class:      SP800-53-enhancement
-              title:      Suppression Devices / Systems
-              parameters: 
-                - 
-                  id:    pe-13.2_prm_1
-                  label: organization-defined personnel or roles
-                - 
-                  id:    pe-13.2_prm_2
-                  label: organization-defined emergency responders
-              properties: 
-                - 
-                  name:  label
-                  value: PE-13(2)
-                - 
-                  name:  sort-id
-                  value: pe-13.02
-              parts: 
-                - 
-                  id:    pe-13.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs fire suppression devices/systems for the information
-                                        system that provide automatic notification of any activation to {{ pe-13.2_prm_1 }} and {{ pe-13.2_prm_2 }}.
-                    """
-                - 
-                  id:    pe-13.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations can identify specific personnel, roles, and emergency responders in
-                                        the event that individuals on the notification list must have appropriate access
-                                        authorizations and/or clearances, for example, to obtain access to facilities
-                                        where classified operations are taking place or where there are information
-                                        systems containing classified information.
-                    """
-                - 
-                  id:    pe-13.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pe-13.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-13(2)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be provided automatic notification of any
-                                               activation of fire suppression devices/systems for the information system;
-                        """
-                    - 
-                      id:         pe-13.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-13(2)[2]
-                      prose: 
-                        """
-                          defines emergency responders to be provided automatic notification of any
-                                               activation of fire suppression devices/systems for the information system;
-                        """
-                    - 
-                      id:         pe-13.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-13(2)[3]
-                      prose: 
-                        """
-                          employs fire suppression devices/systems for the information system that
-                                               provide automatic notification of any activation to:
-                        """
-                      parts: 
-                        - 
-                          id:         pe-13.2_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-13(2)[3][a]
-                          prose:      organization-defined personnel or roles; and
-                        - 
-                          id:         pe-13.2_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: PE-13(2)[3][b]
-                          prose:      organization-defined emergency responders.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for fire detection and
-                                               suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic
-                                               notifications of any activation of fire suppression devices/systems to
-                                               appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing fire suppression
-                                               devices/systems\n\nactivation of fire suppression devices/systems (simulated)\n\nautomated notifications
-                        """
-            - 
-              id:         pe-13.3
-              class:      SP800-53-enhancement
-              title:      Automatic Fire Suppression
-              properties: 
-                - 
-                  name:  label
-                  value: PE-13(3)
-                - 
-                  name:  sort-id
-                  value: pe-13.03
-              parts: 
-                - 
-                  id:    pe-13.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs an automatic fire suppression capability for the
-                                        information system when the facility is not staffed on a continuous basis.
-                    """
-                - 
-                  id:         pe-13.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs an automatic fire suppression capability for
-                                        the information system when the facility is not staffed on a continuous basis.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for fire detection and
-                                               suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic
-                                               notifications of any activation of fire suppression devices/systems to
-                                               appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing fire suppression
-                                               devices/systems\n\nactivation of fire suppression devices/systems (simulated)
-                        """
-        - 
-          id:         pe-14
-          class:      SP800-53
-          title:      Temperature and Humidity Controls
-          parameters: 
-            - 
-              id:          pe-14_prm_1
-              label:       organization-defined acceptable levels
-              constraints: 
-                - 
-                  detail: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-            - 
-              id:          pe-14_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: continuously
-          properties: 
-            - 
-              name:  label
-              value: PE-14
-            - 
-              name:  sort-id
-              value: pe-14
-          parts: 
-            - 
-              id:    pe-14_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-14_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Maintains temperature and humidity levels within the facility where the
-                                        information system resides at {{ pe-14_prm_1 }}; and
-                    """
-                - 
-                  id:         pe-14_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Monitors temperature and humidity levels {{ pe-14_prm_2 }}.
-                - 
-                  id:    pe-14_fr
-                  name:  item
-                  title: PE-14(a) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         pe-14_fr_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a) Requirement:
-                      prose:      The service provider measures temperature at server inlets and humidity levels by dew point.
-            - 
-              id:    pe-14_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources, for example, data centers, server rooms, and mainframe computer
-                                 rooms.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-            - 
-              id:    pe-14_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-14.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-14(a)
-                  parts: 
-                    - 
-                      id:         pe-14.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(a)[1]
-                      prose: 
-                        """
-                          defines acceptable temperature levels to be maintained within the facility
-                                               where the information system resides;
-                        """
-                    - 
-                      id:         pe-14.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(a)[2]
-                      prose: 
-                        """
-                          defines acceptable humidity levels to be maintained within the facility where
-                                               the information system resides;
-                        """
-                    - 
-                      id:         pe-14.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(a)[3]
-                      prose: 
-                        """
-                          maintains temperature levels within the facility where the information system
-                                               resides at the organization-defined levels;
-                        """
-                    - 
-                      id:         pe-14.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(a)[4]
-                      prose: 
-                        """
-                          maintains humidity levels within the facility where the information system
-                                               resides at the organization-defined levels;
-                        """
-                - 
-                  id:         pe-14.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-14(b)
-                  parts: 
-                    - 
-                      id:         pe-14.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(b)[1]
-                      prose:      defines the frequency to monitor temperature levels;
-                    - 
-                      id:         pe-14.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-14(b)[2]
-                      prose:      defines the frequency to monitor humidity levels;
-                    - 
-                      id:         pe-14.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(b)[3]
-                      prose:      monitors temperature levels with the organization-defined frequency; and
-                    - 
-                      id:         pe-14.b_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(b)[4]
-                      prose:      monitors humidity levels with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system
-                                        environmental controls\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                                        temperature and humidity levels
-                    """
-          controls: 
-            - 
-              id:         pe-14.2
-              class:      SP800-53-enhancement
-              title:      Monitoring with Alarms / Notifications
-              properties: 
-                - 
-                  name:  label
-                  value: PE-14(2)
-                - 
-                  name:  sort-id
-                  value: pe-14.02
-              parts: 
-                - 
-                  id:    pe-14.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs temperature and humidity monitoring that provides an
-                                        alarm or notification of changes potentially harmful to personnel or
-                                        equipment.
-                    """
-                - 
-                  id:    pe-14.2_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pe-14.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(2)[1]
-                      prose: 
-                        """
-                          employs temperature monitoring that provides an alarm of changes potentially
-                                               harmful to personnel or equipment; and/or
-                        """
-                    - 
-                      id:         pe-14.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PE-14(2)[2]
-                      prose: 
-                        """
-                          employs temperature monitoring that provides notification of changes
-                                               potentially harmful to personnel or equipment;
-                        """
-                    - 
-                      id:         pe-14.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(2)[3]
-                      prose: 
-                        """
-                          employs humidity monitoring that provides an alarm of changes potentially
-                                               harmful to personnel or equipment; and/or
-                        """
-                    - 
-                      id:         pe-14.2_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PE-14(2)[4]
-                      prose: 
-                        """
-                          employs humidity monitoring that provides notification of changes potentially
-                                               harmful to personnel or equipment.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Physical and environmental protection policy\n\nprocedures addressing temperature and humidity monitoring\n\nfacility housing the information system\n\nlogs or records of temperature and humidity monitoring\n\nrecords of changes to temperature and humidity levels that generate alarms or
-                                               notifications\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibilities for information system
-                                               environmental controls\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing temperature and humidity
-                                               monitoring
-                        """
-        - 
-          id:         pe-15
-          class:      SP800-53
-          title:      Water Damage Protection
-          properties: 
-            - 
-              name:  label
-              value: PE-15
-            - 
-              name:  sort-id
-              value: pe-15
-          parts: 
-            - 
-              id:    pe-15_smt
-              name:  statement
-              prose: 
-                """
-                  The organization protects the information system from damage resulting from water
-                                 leakage by providing master shutoff or isolation valves that are accessible, working
-                                 properly, and known to key personnel.
-                """
-            - 
-              id:    pe-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies primarily to facilities containing concentrations of information
-                                 system resources including, for example, data centers, server rooms, and mainframe
-                                 computer rooms. Isolation valves can be employed in addition to or in lieu of master
-                                 shutoff valves to shut off water supplies in specific areas of concern, without
-                                 affecting entire organizations.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-            - 
-              id:         pe-15_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the organization protects the information system from damage resulting
-                                 from water leakage by providing master shutoff or isolation valves that are: 
-                """
-              parts: 
-                - 
-                  id:         pe-15_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[1]
-                  prose:      accessible;
-                - 
-                  id:         pe-15_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[2]
-                  prose:      working properly; and
-                - 
-                  id:         pe-15_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-15[3]
-                  prose:      known to key personnel.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for
-                                        master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for information system
-                                        environmental controls\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Master water-shutoff valves\n\norganizational process for activating master water-shutoff
-        - 
-          id:         pe-16
-          class:      SP800-53
-          title:      Delivery and Removal
-          parameters: 
-            - 
-              id:          pe-16_prm_1
-              label:       organization-defined types of information system components
-              constraints: 
-                - 
-                  detail: all information system components
-          properties: 
-            - 
-              name:  label
-              value: PE-16
-            - 
-              name:  sort-id
-              value: pe-16
-          parts: 
-            - 
-              id:    pe-16_smt
-              name:  statement
-              prose: 
-                """
-                  The organization authorizes, monitors, and controls {{ pe-16_prm_1 }}
-                                 entering and exiting the facility and maintains records of those items.
-                """
-            - 
-              id:    pe-16_gdn
-              name:  guidance
-              prose: 
-                """
-                  Effectively enforcing authorizations for entry and exit of information system
-                                 components may require restricting access to delivery areas and possibly isolating
-                                 the areas from the information system and media libraries.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ma-3
-                  rel:  related
-                  text: MA-3
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    pe-16_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-16_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PE-16[1]
-                  prose: 
-                    """
-                      defines types of information system components to be authorized, monitored, and
-                                        controlled as such components are entering and exiting the facility;
-                    """
-                - 
-                  id:         pe-16_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[2]
-                  prose: 
-                    """
-                      authorizes organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[3]
-                  prose: 
-                    """
-                      monitors organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[4]
-                  prose: 
-                    """
-                      controls organization-defined information system components entering the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[5]
-                  prose: 
-                    """
-                      authorizes organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.6
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[6]
-                  prose: 
-                    """
-                      monitors organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.7
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-16[7]
-                  prose: 
-                    """
-                      controls organization-defined information system components exiting the
-                                        facility;
-                    """
-                - 
-                  id:         pe-16_obj.8
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-16[8]
-                  prose:      maintains records of information system components entering the facility; and
-                - 
-                  id:         pe-16_obj.9
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-16[9]
-                  prose:      maintains records of information system components exiting the facility.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from
-                                        the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibilities for controlling information system
-                                        components entering and exiting the facility\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for authorizing, monitoring, and controlling information
-                                        system-related items entering and exiting the facility\n\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and
-                                        controlling information system-related items entering and exiting the facility
-                    """
-        - 
-          id:         pe-17
-          class:      SP800-53
-          title:      Alternate Work Site
-          parameters: 
-            - 
-              id:    pe-17_prm_1
-              label: organization-defined security controls
-          properties: 
-            - 
-              name:  label
-              value: PE-17
-            - 
-              name:  sort-id
-              value: pe-17
-          links: 
-            - 
-              href: #5309d4d0-46f8-4213-a749-e7584164e5e8
-              rel:  reference
-              text: NIST Special Publication 800-46
-          parts: 
-            - 
-              id:    pe-17_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pe-17_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Employs {{ pe-17_prm_1 }} at alternate work sites;
-                - 
-                  id:         pe-17_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Assesses as feasible, the effectiveness of security controls at alternate work
-                                        sites; and
-                    """
-                - 
-                  id:         pe-17_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Provides a means for employees to communicate with information security personnel
-                                        in case of security incidents or problems.
-                    """
-            - 
-              id:    pe-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  Alternate work sites may include, for example, government facilities or private
-                                 residences of employees. While commonly distinct from alternative processing sites,
-                                 alternate work sites may provide readily available alternate locations as part of
-                                 contingency operations. Organizations may define different sets of security controls
-                                 for specific alternate work sites or types of sites depending on the work-related
-                                 activities conducted at those sites. This control supports the contingency planning
-                                 activities of organizations and the federal telework initiative.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #cp-7
-                  rel:  related
-                  text: CP-7
-            - 
-              id:    pe-17_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pe-17.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PE-17(a)
-                  parts: 
-                    - 
-                      id:         pe-17.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PE-17(a)[1]
-                      prose:      defines security controls to be employed at alternate work sites;
-                    - 
-                      id:         pe-17.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PE-17(a)[2]
-                      prose:      employs organization-defined security controls at alternate work sites;
-                - 
-                  id:         pe-17.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PE-17(b)
-                  prose: 
-                    """
-                      assesses, as feasible, the effectiveness of security controls at alternate work
-                                        sites; and
-                    """
-                - 
-                  id:         pe-17.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PE-17(c)
-                  prose: 
-                    """
-                      provides a means for employees to communicate with information security personnel
-                                        in case of security incidents or problems.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nsecurity plan\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel approving use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for security at alternate work sites\n\nautomated mechanisms supporting alternate work sites\n\nsecurity controls employed at alternate work sites\n\nmeans of communications between personnel at alternate work sites and security
-                                        personnel
-                    """
-    - 
-      id:       pl
-      class:    family
-      title:    Planning
-      controls: 
-        - 
-          id:         pl-1
-          class:      SP800-53
-          title:      Security Planning Policy and Procedures
-          parameters: 
-            - 
-              id:    pl-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pl-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          pl-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PL-1
-            - 
-              name:  sort-id
-              value: pl-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    pl-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ pl-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         pl-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A security planning policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         pl-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the security planning policy and
-                                               associated security planning controls; and
-                        """
-                - 
-                  id:         pl-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         pl-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Security planning policy {{ pl-1_prm_2 }}; and
-                    - 
-                      id:         pl-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Security planning procedures {{ pl-1_prm_3 }}.
-            - 
-              id:    pl-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PL
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    pl-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         pl-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-1(a)
-                  parts: 
-                    - 
-                      id:         pl-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(a)(1)
-                      parts: 
-                        - 
-                          id:         pl-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[1]
-                          prose:      develops and documents a planning policy that addresses:
-                          parts: 
-                            - 
-                              id:         pl-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         pl-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         pl-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         pl-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         pl-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         pl-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         pl-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PL-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         pl-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the planning policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pl-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PL-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the planning policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         pl-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(a)(2)
-                      parts: 
-                        - 
-                          id:         pl-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      planning policy and associated planning controls;
-                            """
-                        - 
-                          id:         pl-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         pl-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PL-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         pl-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-1(b)
-                  parts: 
-                    - 
-                      id:         pl-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(b)(1)
-                      parts: 
-                        - 
-                          id:         pl-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(1)[1]
-                          prose:      defines the frequency to review and update the current planning policy;
-                        - 
-                          id:         pl-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current planning policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         pl-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-1(b)(2)
-                      parts: 
-                        - 
-                          id:         pl-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current planning procedures;
-                                                      and
-                            """
-                        - 
-                          id:         pl-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PL-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current planning procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Planning policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         pl-2
-          class:      SP800-53
-          title:      System Security Plan
-          parameters: 
-            - 
-              id:    pl-2_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          pl-2_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PL-2
-            - 
-              name:  sort-id
-              value: pl-02
-          links: 
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-          parts: 
-            - 
-              id:    pl-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops a security plan for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-2_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Is consistent with the organization’s enterprise architecture;
-                    - 
-                      id:         pl-2_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Explicitly defines the authorization boundary for the system;
-                    - 
-                      id:         pl-2_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Describes the operational context of the information system in terms of
-                                               missions and business processes;
-                        """
-                    - 
-                      id:         pl-2_smt.a.4
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 4.
-                      prose: 
-                        """
-                          Provides the security categorization of the information system including
-                                               supporting rationale;
-                        """
-                    - 
-                      id:         pl-2_smt.a.5
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 5.
-                      prose: 
-                        """
-                          Describes the operational environment for the information system and
-                                               relationships with or connections to other information systems;
-                        """
-                    - 
-                      id:         pl-2_smt.a.6
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 6.
-                      prose:      Provides an overview of the security requirements for the system;
-                    - 
-                      id:         pl-2_smt.a.7
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 7.
-                      prose:      Identifies any relevant overlays, if applicable;
-                    - 
-                      id:         pl-2_smt.a.8
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 8.
-                      prose: 
-                        """
-                          Describes the security controls in place or planned for meeting those
-                                               requirements including a rationale for the tailoring decisions; and
-                        """
-                    - 
-                      id:         pl-2_smt.a.9
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 9.
-                      prose: 
-                        """
-                          Is reviewed and approved by the authorizing official or designated
-                                               representative prior to plan implementation;
-                        """
-                - 
-                  id:         pl-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Distributes copies of the security plan and communicates subsequent changes to the
-                                        plan to {{ pl-2_prm_1 }};
-                    """
-                - 
-                  id:         pl-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews the security plan for the information system {{ pl-2_prm_2 }};
-                - 
-                  id:         pl-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Updates the plan to address changes to the information system/environment of
-                                        operation or problems identified during plan implementation or security control
-                                        assessments; and
-                    """
-                - 
-                  id:         pl-2_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Protects the security plan from unauthorized disclosure and modification.
-            - 
-              id:    pl-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security plans relate security requirements to a set of security controls and control
-                                 enhancements. Security plans also describe, at a high level, how the security
-                                 controls and control enhancements meet those security requirements, but do not
-                                 provide detailed, technical descriptions of the specific design or implementation of
-                                 the controls/enhancements. Security plans contain sufficient information (including
-                                 the specification of parameter values for assignment and selection statements either
-                                 explicitly or by reference) to enable a design and implementation that is
-                                 unambiguously compliant with the intent of the plans and subsequent determinations of
-                                 risk to organizational operations and assets, individuals, other organizations, and
-                                 the Nation if the plan is implemented as intended. Organizations can also apply
-                                 tailoring guidance to the security control baselines in Appendix D and CNSS
-                                 Instruction 1253 to develop overlays for community-wide use or to address specialized
-                                 requirements, technologies, or missions/environments of operation (e.g.,
-                                 DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-                                 Access Management, space operations). Appendix I provides guidance on developing
-                                 overlays. Security plans need not be single documents; the plans can be a collection
-                                 of various documents including documents that already exist. Effective security plans
-                                 make extensive use of references to policies, procedures, and additional documents
-                                 (e.g., design and implementation specifications) where more detailed information can
-                                 be obtained. This reduces the documentation requirements associated with security
-                                 programs and maintains security-related information in other established
-                                 management/operational areas related to enterprise architecture, system development
-                                 life cycle, systems engineering, and acquisition. For example, security plans do not
-                                 contain detailed contingency plan or incident response plan information but instead
-                                 provide explicitly or by reference, sufficient information to define what needs to be
-                                 accomplished by those plans.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-14
-                  rel:  related
-                  text: AC-14
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #cp-2
-                  rel:  related
-                  text: CP-2
-                - 
-                  href: #ir-8
-                  rel:  related
-                  text: IR-8
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #ma-5
-                  rel:  related
-                  text: MA-5
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #pl-7
-                  rel:  related
-                  text: PL-7
-                - 
-                  href: #pm-1
-                  rel:  related
-                  text: PM-1
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #pm-8
-                  rel:  related
-                  text: PM-8
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-17
-                  rel:  related
-                  text: SA-17
-            - 
-              id:    pl-2_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(a)
-                  prose:      develops a security plan for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-2.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(1)
-                      prose:      is consistent with the organization’s enterprise architecture;
-                    - 
-                      id:         pl-2.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(2)
-                      prose:      explicitly defines the authorization boundary for the system;
-                    - 
-                      id:         pl-2.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(3)
-                      prose: 
-                        """
-                          describes the operational context of the information system in terms of
-                                               missions and business processes;
-                        """
-                    - 
-                      id:         pl-2.a.4_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(4)
-                      prose: 
-                        """
-                          provides the security categorization of the information system including
-                                               supporting rationale;
-                        """
-                    - 
-                      id:         pl-2.a.5_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(5)
-                      prose: 
-                        """
-                          describes the operational environment for the information system and
-                                               relationships with or connections to other information systems;
-                        """
-                    - 
-                      id:         pl-2.a.6_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(6)
-                      prose:      provides an overview of the security requirements for the system;
-                    - 
-                      id:         pl-2.a.7_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(7)
-                      prose:      identifies any relevant overlays, if applicable;
-                    - 
-                      id:         pl-2.a.8_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(a)(8)
-                      prose: 
-                        """
-                          describes the security controls in place or planned for meeting those
-                                               requirements including a rationale for the tailoring and supplemental
-                                               decisions;
-                        """
-                    - 
-                      id:         pl-2.a.9_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-2(a)(9)
-                      prose: 
-                        """
-                          is reviewed and approved by the authorizing official or designated
-                                               representative prior to plan implementation;
-                        """
-                - 
-                  id:         pl-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(b)
-                  parts: 
-                    - 
-                      id:         pl-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom copies of the security plan are to be
-                                               distributed and subsequent changes to the plan are to be communicated;
-                        """
-                    - 
-                      id:         pl-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-2(b)[2]
-                      prose: 
-                        """
-                          distributes copies of the security plan and communicates subsequent changes to
-                                               the plan to organization-defined personnel or roles;
-                        """
-                - 
-                  id:         pl-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-2(c)
-                  parts: 
-                    - 
-                      id:         pl-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(c)[1]
-                      prose: 
-                        """
-                          defines the frequency to review the security plan for the information
-                                               system;
-                        """
-                    - 
-                      id:         pl-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(c)[2]
-                      prose: 
-                        """
-                          reviews the security plan for the information system with the
-                                               organization-defined frequency;
-                        """
-                - 
-                  id:         pl-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-2(d)
-                  prose:      updates the plan to address:
-                  parts: 
-                    - 
-                      id:         pl-2.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[1]
-                      prose:      changes to the information system/environment of operation;
-                    - 
-                      id:         pl-2.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[2]
-                      prose:      problems identified during plan implementation;
-                    - 
-                      id:         pl-2.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(d)[3]
-                      prose:      problems identified during security control assessments;
-                - 
-                  id:         pl-2.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-2(e)
-                  prose:      protects the security plan from unauthorized:
-                  parts: 
-                    - 
-                      id:         pl-2.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(e)[1]
-                      prose:      disclosure; and
-                    - 
-                      id:         pl-2.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-2(e)[2]
-                      prose:      modification.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security planning and plan implementation
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security plan development/review/update/approval\n\nautomated mechanisms supporting the information system security plan
-          controls: 
-            - 
-              id:         pl-2.3
-              class:      SP800-53-enhancement
-              title:      Plan / Coordinate with Other Organizational Entities
-              parameters: 
-                - 
-                  id:    pl-2.3_prm_1
-                  label: organization-defined individuals or groups
-              properties: 
-                - 
-                  name:  label
-                  value: PL-2(3)
-                - 
-                  name:  sort-id
-                  value: pl-02.03
-              parts: 
-                - 
-                  id:    pl-2.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization plans and coordinates security-related activities affecting the
-                                        information system with {{ pl-2.3_prm_1 }} before conducting such
-                                        activities in order to reduce the impact on other organizational entities.
-                    """
-                - 
-                  id:    pl-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Security-related activities include, for example, security assessments, audits,
-                                        hardware and software maintenance, patch management, and contingency plan testing.
-                                        Advance planning and coordination includes emergency and nonemergency (i.e.,
-                                        planned or nonurgent unplanned) situations. The process defined by organizations
-                                        to plan and coordinate security-related activities can be included in security
-                                        plans for information systems or other documents, as appropriate.
-                    """
-                  links: 
-                    - 
-                      href: #cp-4
-                      rel:  related
-                      text: CP-4
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                - 
-                  id:    pl-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         pl-2.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-2(3)[1]
-                      prose: 
-                        """
-                          defines individuals or groups with whom security-related activities affecting
-                                               the information system are to be planned and coordinated before conducting such
-                                               activities in order to reduce the impact on other organizational entities;
-                                               and
-                        """
-                    - 
-                      id:         pl-2.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PL-2(3)[2]
-                      prose: 
-                        """
-                          plans and coordinates security-related activities affecting the information
-                                               system with organization-defined individuals or groups before conducting such
-                                               activities in order to reduce the impact on other organizational entities.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Security planning policy\n\naccess control policy\n\ncontingency planning policy\n\nprocedures addressing security-related activity planning for the information
-                                               system\n\nsecurity plan for the information system\n\ncontingency plan for the information system\n\ninformation system design documentation\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with security planning and plan implementation
-                                               responsibilities\n\norganizational individuals or groups with whom security-related activities are
-                                               to be planned and coordinated\n\norganizational personnel with information security responsibilities
-                        """
-        - 
-          id:         pl-4
-          class:      SP800-53
-          title:      Rules of Behavior
-          parameters: 
-            - 
-              id:          pl-4_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: At least every 3 years
-          properties: 
-            - 
-              name:  label
-              value: PL-4
-            - 
-              name:  sort-id
-              value: pl-04
-          links: 
-            - 
-              href: #9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-              rel:  reference
-              text: NIST Special Publication 800-18
-          parts: 
-            - 
-              id:    pl-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes and makes readily available to individuals requiring access to the
-                                        information system, the rules that describe their responsibilities and expected
-                                        behavior with regard to information and information system usage;
-                    """
-                - 
-                  id:         pl-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Receives a signed acknowledgment from such individuals, indicating that they have
-                                        read, understand, and agree to abide by the rules of behavior, before authorizing
-                                        access to information and the information system;
-                    """
-                - 
-                  id:         pl-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates the rules of behavior {{ pl-4_prm_1 }}; and
-                - 
-                  id:         pl-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Requires individuals who have signed a previous version of the rules of behavior
-                                        to read and re-sign when the rules of behavior are revised/updated.
-                    """
-            - 
-              id:    pl-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control enhancement applies to organizational users. Organizations consider
-                                 rules of behavior based on individual user roles and responsibilities,
-                                 differentiating, for example, between rules that apply to privileged users and rules
-                                 that apply to general users. Establishing rules of behavior for some types of
-                                 non-organizational users including, for example, individuals who simply receive
-                                 data/information from federal information systems, is often not feasible given the
-                                 large number of such users and the limited nature of their interactions with the
-                                 systems. Rules of behavior for both organizational and non-organizational users can
-                                 also be established in AC-8, System Use Notification. PL-4 b. (the signed
-                                 acknowledgment portion of this control) may be satisfied by the security awareness
-                                 training and role-based security training programs conducted by organizations if such
-                                 training includes rules of behavior. Organizations can use electronic signatures for
-                                 acknowledging rules of behavior.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ac-8
-                  rel:  related
-                  text: AC-8
-                - 
-                  href: #ac-9
-                  rel:  related
-                  text: AC-9
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #ac-19
-                  rel:  related
-                  text: AC-19
-                - 
-                  href: #ac-20
-                  rel:  related
-                  text: AC-20
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #ia-2
-                  rel:  related
-                  text: IA-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #ia-5
-                  rel:  related
-                  text: IA-5
-                - 
-                  href: #mp-7
-                  rel:  related
-                  text: MP-7
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #ps-8
-                  rel:  related
-                  text: PS-8
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-            - 
-              id:    pl-4_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(a)
-                  parts: 
-                    - 
-                      id:         pl-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-4(a)[1]
-                      prose: 
-                        """
-                          establishes, for individuals requiring access to the information system, the
-                                               rules that describe their responsibilities and expected behavior with regard to
-                                               information and information system usage;
-                        """
-                    - 
-                      id:         pl-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(a)[2]
-                      prose: 
-                        """
-                          makes readily available to individuals requiring access to the information
-                                               system, the rules that describe their responsibilities and expected behavior
-                                               with regard to information and information system usage;
-                        """
-                - 
-                  id:         pl-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-4(b)
-                  prose: 
-                    """
-                      receives a signed acknowledgement from such individuals, indicating that they have
-                                        read, understand, and agree to abide by the rules of behavior, before authorizing
-                                        access to information and the information system;
-                    """
-                - 
-                  id:         pl-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-4(c)
-                  parts: 
-                    - 
-                      id:         pl-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-4(c)[1]
-                      prose:      defines the frequency to review and update the rules of behavior;
-                    - 
-                      id:         pl-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(c)[2]
-                      prose: 
-                        """
-                          reviews and updates the rules of behavior with the organization-defined
-                                               frequency; and
-                        """
-                - 
-                  id:         pl-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-4(d)
-                  prose: 
-                    """
-                      requires individuals who have signed a previous version of the rules of behavior
-                                        to read and resign when the rules of behavior are revised/updated.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for establishing, reviewing, and
-                                        updating rules of behavior\n\norganizational personnel who are authorized users of the information system and
-                                        have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for establishing, reviewing, disseminating, and updating
-                                        rules of behavior\n\nautomated mechanisms supporting and/or implementing the establishment, review,
-                                        dissemination, and update of rules of behavior
-                    """
-          controls: 
-            - 
-              id:         pl-4.1
-              class:      SP800-53-enhancement
-              title:      Social Media and Networking Restrictions
-              properties: 
-                - 
-                  name:  label
-                  value: PL-4(1)
-                - 
-                  name:  sort-id
-                  value: pl-04.01
-              parts: 
-                - 
-                  id:    pl-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization includes in the rules of behavior, explicit restrictions on the
-                                        use of social media/networking sites and posting organizational information on
-                                        public websites.
-                    """
-                - 
-                  id:    pl-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement addresses rules of behavior related to the use of social
-                                        media/networking sites: (i) when organizational personnel are using such sites for
-                                        official duties or in the conduct of official business; (ii) when organizational
-                                        information is involved in social media/networking transactions; and (iii) when
-                                        personnel are accessing social media/networking sites from organizational
-                                        information systems. Organizations also address specific rules that prevent
-                                        unauthorized entities from obtaining and/or inferring non-public organizational
-                                        information (e.g., system account information, personally identifiable
-                                        information) from social media/networking sites.
-                    """
-                - 
-                  id:    pl-4.1_obj
-                  name:  objective
-                  prose: Determine if the organization includes the following in the rules of behavior: 
-                  parts: 
-                    - 
-                      id:         pl-4.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(1)[1]
-                      prose:      explicit restrictions on the use of social media/networking sites; and
-                    - 
-                      id:         pl-4.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-4(1)[2]
-                      prose:      posting organizational information on public websites.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for establishing, reviewing, and
-                                               updating rules of behavior\n\norganizational personnel who are authorized users of the information system and
-                                               have signed rules of behavior\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for establishing rules of behavior\n\nautomated mechanisms supporting and/or implementing the establishment of rules
-                                               of behavior
-                        """
-        - 
-          id:         pl-8
-          class:      SP800-53
-          title:      Information Security Architecture
-          parameters: 
-            - 
-              id:          pl-8_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: At least annually or when a significant change occurs
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PL-8
-            - 
-              name:  sort-id
-              value: pl-08
-          parts: 
-            - 
-              id:    pl-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         pl-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops an information security architecture for the information system that:
-                  parts: 
-                    - 
-                      id:         pl-8_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Describes the overall philosophy, requirements, and approach to be taken with
-                                               regard to protecting the confidentiality, integrity, and availability of
-                                               organizational information;
-                        """
-                    - 
-                      id:         pl-8_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Describes how the information security architecture is integrated into and
-                                               supports the enterprise architecture; and
-                        """
-                    - 
-                      id:         pl-8_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Describes any information security assumptions about, and dependencies on,
-                                               external services;
-                        """
-                - 
-                  id:         pl-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Reviews and updates the information security architecture {{ pl-8_prm_1 }} to reflect updates in the enterprise architecture;
-                                        and
-                    """
-                - 
-                  id:         pl-8_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that planned information security architecture changes are reflected in
-                                        the security plan, the security Concept of Operations (CONOPS), and organizational
-                                        procurements/acquisitions.
-                    """
-                - 
-                  id:    pl-8_fr
-                  name:  item
-                  title: PL-8(b) Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         pl-8_fr_gdn.b
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b) Guidance:
-                      prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-            - 
-              id:    pl-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses actions taken by organizations in the design and development
-                                 of information systems. The information security architecture at the individual
-                                 information system level is consistent with and complements the more global,
-                                 organization-wide information security architecture described in PM-7 that is
-                                 integral to and developed as part of the enterprise architecture. The information
-                                 security architecture includes an architectural description, the placement/allocation
-                                 of security functionality (including security controls), security-related information
-                                 for external interfaces, information being exchanged across the interfaces, and the
-                                 protection mechanisms associated with each interface. In addition, the security
-                                 architecture can include other important security-related information, for example,
-                                 user roles and access privileges assigned to each role, unique security requirements,
-                                 the types of information processed, stored, and transmitted by the information
-                                 system, restoration priorities of information and information system services, and
-                                 any other specific protection needs. In today’s modern architecture, it is becoming
-                                 less common for organizations to control all information resources. There are going
-                                 to be key dependencies on external information services and service providers.
-                                 Describing such dependencies in the information security architecture is important to
-                                 developing a comprehensive mission/business protection strategy. Establishing,
-                                 developing, documenting, and maintaining under configuration control, a baseline
-                                 configuration for organizational information systems is critical to implementing and
-                                 maintaining an effective information security architecture. The development of the
-                                 information security architecture is coordinated with the Senior Agency Official for
-                                 Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to
-                                 support privacy requirements are identified and effectively implemented. PL-8 is
-                                 primarily directed at organizations (i.e., internally focused) to help ensure that
-                                 organizations develop an information security architecture for the information
-                                 system, and that the security architecture is integrated with or tightly coupled to
-                                 the enterprise architecture through the organization-wide information security
-                                 architecture. In contrast, SA-17 is primarily directed at external information
-                                 technology product/system developers and integrators (although SA-17 could be used
-                                 internally within organizations for in-house system development). SA-17, which is
-                                 complementary to PL-8, is selected when organizations outsource the development of
-                                 information systems or information system components to external entities, and there
-                                 is a need to demonstrate/show consistency with the organization’s enterprise
-                                 architecture and information security architecture.
-                """
-              links: 
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-17
-                  rel:  related
-                  text: SA-17
-                - 
-                  href: https://doi.org/10.6028/NIST.SP.800-53r4
-                  rel:  related
-                  text: Appendix J
-            - 
-              id:    pl-8_obj
-              name:  objective
-              prose: Determine if the organization: 
-              parts: 
-                - 
-                  id:         pl-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PL-8(a)
-                  prose: 
-                    """
-                      develops an information security architecture for the information system that
-                                        describes:
-                    """
-                  parts: 
-                    - 
-                      id:         pl-8.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(a)(1)
-                      prose: 
-                        """
-                          the overall philosophy, requirements, and approach to be taken with regard to
-                                               protecting the confidentiality, integrity, and availability of organizational
-                                               information;
-                        """
-                    - 
-                      id:         pl-8.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(a)(2)
-                      prose: 
-                        """
-                          how the information security architecture is integrated into and supports the
-                                               enterprise architecture;
-                        """
-                    - 
-                      id:         pl-8.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(a)(3)
-                      prose: 
-                        """
-                          any information security assumptions about, and dependencies on, external
-                                               services;
-                        """
-                - 
-                  id:         pl-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PL-8(b)
-                  parts: 
-                    - 
-                      id:         pl-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PL-8(b)[1]
-                      prose: 
-                        """
-                          defines the frequency to review and update the information security
-                                               architecture;
-                        """
-                    - 
-                      id:         pl-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PL-8(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the information security architecture with the
-                                               organization-defined frequency to reflect updates in the enterprise
-                                               architecture;
-                        """
-                - 
-                  id:         pl-8.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PL-8(c)
-                  prose: 
-                    """
-                      ensures that planned information security architecture changes are reflected
-                                        in:
-                    """
-                  parts: 
-                    - 
-                      id:         pl-8.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(c)[1]
-                      prose:      the security plan;
-                    - 
-                      id:         pl-8.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(c)[2]
-                      prose:      the security Concept of Operations (CONOPS); and
-                    - 
-                      id:         pl-8.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PL-8(c)[3]
-                      prose:      the organizational procurements/acquisitions.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Security planning policy\n\nprocedures addressing information security architecture development\n\nprocedures addressing information security architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsecurity plan for the information system\n\nsecurity CONOPS for the information system\n\nrecords of information security architecture reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security planning and plan implementation
-                                        responsibilities\n\norganizational personnel with information security architecture development
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for developing, reviewing, and updating the information
-                                        security architecture\n\nautomated mechanisms supporting and/or implementing the development, review, and
-                                        update of the information security architecture
-                    """
-    - 
-      id:       ps
-      class:    family
-      title:    Personnel Security
-      controls: 
-        - 
-          id:         ps-1
-          class:      SP800-53
-          title:      Personnel Security Policy and Procedures
-          parameters: 
-            - 
-              id:    ps-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ps-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-1
-            - 
-              name:  sort-id
-              value: ps-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ps-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ps-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ps-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A personnel security policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ps-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the personnel security policy
-                                               and associated personnel security controls; and
-                        """
-                - 
-                  id:         ps-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ps-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Personnel security policy {{ ps-1_prm_2 }}; and
-                    - 
-                      id:         ps-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Personnel security procedures {{ ps-1_prm_3 }}.
-            - 
-              id:    ps-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the PS
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ps-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-1(a)
-                  parts: 
-                    - 
-                      id:         ps-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ps-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[1]
-                          prose:      develops and documents an personnel security policy that addresses:
-                          parts: 
-                            - 
-                              id:         ps-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ps-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ps-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ps-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ps-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ps-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ps-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: PS-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ps-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the personnel security policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ps-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PS-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the personnel security policy to organization-defined personnel
-                                                      or roles;
-                            """
-                    - 
-                      id:         ps-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ps-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      personnel security policy and associated personnel security controls;
-                            """
-                        - 
-                          id:         ps-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ps-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: PS-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ps-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-1(b)
-                  parts: 
-                    - 
-                      id:         ps-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ps-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current personnel security
-                                                      policy;
-                            """
-                        - 
-                          id:         ps-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current personnel security policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ps-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ps-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current personnel security
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ps-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current personnel security procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ps-2
-          class:      SP800-53
-          title:      Position Risk Designation
-          parameters: 
-            - 
-              id:          ps-2_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three years
-          properties: 
-            - 
-              name:  label
-              value: PS-2
-            - 
-              name:  sort-id
-              value: ps-02
-          links: 
-            - 
-              href: #0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-              rel:  reference
-              text: 5 C.F.R. 731.106
-          parts: 
-            - 
-              id:    ps-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Assigns a risk designation to all organizational positions;
-                - 
-                  id:         ps-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Establishes screening criteria for individuals filling those positions; and
-                - 
-                  id:         ps-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews and updates position risk designations {{ ps-2_prm_1 }}.
-            - 
-              id:    ps-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Position risk designations reflect Office of Personnel Management policy and
-                                 guidance. Risk designations can guide and inform the types of authorizations
-                                 individuals receive when accessing organizational information and information
-                                 systems. Position screening criteria include explicit information security role
-                                 appointment requirements (e.g., training, security clearances).
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-            - 
-              id:    ps-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-2(a)
-                  prose:      assigns a risk designation to all organizational positions;
-                - 
-                  id:         ps-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-2(b)
-                  prose:      establishes screening criteria for individuals filling those positions;
-                - 
-                  id:         ps-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-2(c)
-                  parts: 
-                    - 
-                      id:         ps-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-2(c)[1]
-                      prose:      defines the frequency to review and update position risk designations; and
-                    - 
-                      id:         ps-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-2(c)[2]
-                      prose: 
-                        """
-                          reviews and updates position risk designations with the organization-defined
-                                               frequency.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for assigning, reviewing, and updating position risk
-                                        designations\n\norganizational processes for establishing screening criteria
-                    """
-        - 
-          id:         ps-3
-          class:      SP800-53
-          title:      Personnel Screening
-          parameters: 
-            - 
-              id:          ps-3_prm_1
-              label: 
-                """
-                  organization-defined conditions requiring rescreening and, where rescreening is
-                                 so indicated, the frequency of such rescreening
-                """
-              constraints: 
-                - 
-                  detail: for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-3
-            - 
-              name:  sort-id
-              value: ps-03
-          links: 
-            - 
-              href: #0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-              rel:  reference
-              text: 5 C.F.R. 731.106
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-            - 
-              href: #ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-              rel:  reference
-              text: NIST Special Publication 800-73
-            - 
-              href: #2a71298a-ee90-490e-80ff-48c967173a47
-              rel:  reference
-              text: NIST Special Publication 800-76
-            - 
-              href: #2042d97b-f7f6-4c74-84f8-981867684659
-              rel:  reference
-              text: NIST Special Publication 800-78
-            - 
-              href: #6caa237b-531b-43ac-9711-d8f6b97b0377
-              rel:  reference
-              text: ICD 704
-          parts: 
-            - 
-              id:    ps-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Screens individuals prior to authorizing access to the information system; and
-                - 
-                  id:         ps-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Rescreens individuals according to {{ ps-3_prm_1 }}.
-            - 
-              id:    ps-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Personnel screening and rescreening activities reflect applicable federal laws,
-                                 Executive Orders, directives, regulations, policies, standards, guidance, and
-                                 specific criteria established for the risk designations of assigned positions.
-                                 Organizations may define different rescreening conditions and frequencies for
-                                 personnel accessing information systems based on types of information processed,
-                                 stored, or transmitted by the systems.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-            - 
-              id:    ps-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-3(a)
-                  prose:      screens individuals prior to authorizing access to the information system;
-                - 
-                  id:         ps-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-3(b)
-                  parts: 
-                    - 
-                      id:         ps-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-3(b)[1]
-                      prose:      defines conditions requiring re-screening;
-                    - 
-                      id:         ps-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-3(b)[2]
-                      prose:      defines the frequency of re-screening where it is so indicated; and
-                    - 
-                      id:         ps-3.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-3(b)[3]
-                      prose: 
-                        """
-                          re-screens individuals in accordance with organization-defined conditions
-                                               requiring re-screening and, where re-screening is so indicated, with the
-                                               organization-defined frequency of such re-screening.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for personnel screening
-          controls: 
-            - 
-              id:         ps-3.3
-              class:      SP800-53-enhancement
-              title:      Information with Special Protection Measures
-              parameters: 
-                - 
-                  id:          ps-3.3_prm_1
-                  label:       organization-defined additional personnel screening criteria
-                  constraints: 
-                    - 
-                      detail: personnel screening criteria - as required by specific information
-              properties: 
-                - 
-                  name:  label
-                  value: PS-3(3)
-                - 
-                  name:  sort-id
-                  value: ps-03.03
-              parts: 
-                - 
-                  id:    ps-3.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization ensures that individuals accessing an information system
-                                        processing, storing, or transmitting information requiring special protection:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-3.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Have valid access authorizations that are demonstrated by assigned official
-                                               government duties; and
-                        """
-                    - 
-                      id:         ps-3.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Satisfy {{ ps-3.3_prm_1 }}.
-                - 
-                  id:    ps-3.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizational information requiring special protection includes, for example,
-                                        Controlled Unclassified Information (CUI) and Sources and Methods Information
-                                        (SAMI). Personnel security criteria include, for example, position sensitivity
-                                        background screening requirements.
-                    """
-                - 
-                  id:    ps-3.3_obj
-                  name:  objective
-                  prose: Determine if the organization: 
-                  parts: 
-                    - 
-                      id:         ps-3.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-3(3)(a)
-                      prose: 
-                        """
-                          ensures that individuals accessing an information system processing, storing,
-                                               or transmitting information requiring special protection have valid access
-                                               authorizations that are demonstrated by assigned official government
-                                               duties;
-                        """
-                      links: 
-                        - 
-                          href: #ps-3.3_smt.a
-                          rel:  corresp
-                          text: PS-3(3)(a)
-                    - 
-                      id:         ps-3.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-3(3)(b)
-                      parts: 
-                        - 
-                          id:         ps-3.3.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-3(3)(b)[1]
-                          prose: 
-                            """
-                              defines additional personnel screening criteria to be satisfied for
-                                                      individuals accessing an information system processing, storing, or
-                                                      transmitting information requiring special protection; and
-                            """
-                        - 
-                          id:         ps-3.3.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: PS-3(3)(b)[2]
-                          prose: 
-                            """
-                              ensures that individuals accessing an information system processing,
-                                                      storing, or transmitting information requiring special protection satisfy
-                                                      organization-defined additional personnel screening criteria.
-                            """
-                      links: 
-                        - 
-                          href: #ps-3.3_smt.b
-                          rel:  corresp
-                          text: PS-3(3)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for ensuring valid access authorizations for
-                                               information requiring special protection\n\norganizational process for additional personnel screening for information
-                                               requiring special protection
-                        """
-        - 
-          id:         ps-4
-          class:      SP800-53
-          title:      Personnel Termination
-          parameters: 
-            - 
-              id:          ps-4_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: same day
-            - 
-              id:    ps-4_prm_2
-              label: organization-defined information security topics
-            - 
-              id:    ps-4_prm_3
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-4_prm_4
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-4
-            - 
-              name:  sort-id
-              value: ps-04
-          parts: 
-            - 
-              id:    ps-4_smt
-              name:  statement
-              prose: The organization, upon termination of individual employment:
-              parts: 
-                - 
-                  id:         ps-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Disables information system access within {{ ps-4_prm_1 }};
-                - 
-                  id:         ps-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Terminates/revokes any authenticators/credentials associated with the
-                                        individual;
-                    """
-                - 
-                  id:         ps-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Conducts exit interviews that include a discussion of {{ ps-4_prm_2 }};
-                - 
-                  id:         ps-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Retrieves all security-related organizational information system-related
-                                        property;
-                    """
-                - 
-                  id:         ps-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Retains access to organizational information and information systems formerly
-                                        controlled by terminated individual; and
-                    """
-                - 
-                  id:         ps-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose:      Notifies {{ ps-4_prm_3 }} within {{ ps-4_prm_4 }}.
-            - 
-              id:    ps-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system-related property includes, for example, hardware authentication
-                                 tokens, system administration technical manuals, keys, identification cards, and
-                                 building passes. Exit interviews ensure that terminated individuals understand the
-                                 security constraints imposed by being former employees and that proper accountability
-                                 is achieved for information system-related property. Security topics of interest at
-                                 exit interviews can include, for example, reminding terminated individuals of
-                                 nondisclosure agreements and potential limitations on future employment. Exit
-                                 interviews may not be possible for some terminated individuals, for example, in cases
-                                 related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-                                 interviews are important for individuals with security clearances. Timely execution
-                                 of termination actions is essential for individuals terminated for cause. In certain
-                                 situations, organizations consider disabling the information system accounts of
-                                 individuals that are being terminated prior to the individuals being notified.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-            - 
-              id:    ps-4_obj
-              name:  objective
-              prose: Determine if the organization, upon termination of individual employment,:
-              parts: 
-                - 
-                  id:         ps-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(a)
-                  parts: 
-                    - 
-                      id:         ps-4.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(a)[1]
-                      prose:      defines a time period within which to disable information system access;
-                    - 
-                      id:         ps-4.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-4(a)[2]
-                      prose: 
-                        """
-                          disables information system access within the organization-defined time
-                                               period;
-                        """
-                - 
-                  id:         ps-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-4(b)
-                  prose: 
-                    """
-                      terminates/revokes any authenticators/credentials associated with the
-                                        individual;
-                    """
-                - 
-                  id:         ps-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(c)
-                  parts: 
-                    - 
-                      id:         ps-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(c)[1]
-                      prose: 
-                        """
-                          defines information security topics to be discussed when conducting exit
-                                               interviews;
-                        """
-                    - 
-                      id:         ps-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-4(c)[2]
-                      prose: 
-                        """
-                          conducts exit interviews that include a discussion of organization-defined
-                                               information security topics;
-                        """
-                - 
-                  id:         ps-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-4(d)
-                  prose: 
-                    """
-                      retrieves all security-related organizational information system-related
-                                        property;
-                    """
-                - 
-                  id:         ps-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-4(e)
-                  prose: 
-                    """
-                      retains access to organizational information and information systems formerly
-                                        controlled by the terminated individual;
-                    """
-                - 
-                  id:         ps-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-4(f)
-                  parts: 
-                    - 
-                      id:         ps-4.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(f)[1]
-                      prose:      defines personnel or roles to be notified of the termination;
-                    - 
-                      id:         ps-4.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-4(f)[2]
-                      prose: 
-                        """
-                          defines the time period within which to notify organization-defined personnel
-                                               or roles; and
-                        """
-                    - 
-                      id:         ps-4.f_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-4(f)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for personnel termination\n\nautomated mechanisms supporting and/or implementing personnel termination
-                                        notifications\n\nautomated mechanisms for disabling information system access/revoking
-                                        authenticators
-                    """
-        - 
-          id:         ps-5
-          class:      SP800-53
-          title:      Personnel Transfer
-          parameters: 
-            - 
-              id:    ps-5_prm_1
-              label: organization-defined transfer or reassignment actions
-            - 
-              id:    ps-5_prm_2
-              label: organization-defined time period following the formal transfer action
-            - 
-              id:    ps-5_prm_3
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-5_prm_4
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: five days of the time period following the formal transfer action (DoD 24 hours)
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-5
-            - 
-              name:  sort-id
-              value: ps-05
-          parts: 
-            - 
-              id:    ps-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Reviews and confirms ongoing operational need for current logical and physical
-                                        access authorizations to information systems/facilities when individuals are
-                                        reassigned or transferred to other positions within the organization;
-                    """
-                - 
-                  id:         ps-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Initiates {{ ps-5_prm_1 }} within {{ ps-5_prm_2 }};
-                - 
-                  id:         ps-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Modifies access authorization as needed to correspond with any changes in
-                                        operational need due to reassignment or transfer; and
-                    """
-                - 
-                  id:         ps-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Notifies {{ ps-5_prm_3 }} within {{ ps-5_prm_4 }}.
-            - 
-              id:    ps-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies when reassignments or transfers of individuals are permanent or
-                                 of such extended durations as to make the actions warranted. Organizations define
-                                 actions appropriate for the types of reassignments or transfers, whether permanent or
-                                 extended. Actions that may be required for personnel transfers or reassignments to
-                                 other positions within organizations include, for example: (i) returning old and
-                                 issuing new keys, identification cards, and building passes; (ii) closing information
-                                 system accounts and establishing new accounts; (iii) changing information system
-                                 access authorizations (i.e., privileges); and (iv) providing for access to official
-                                 records to which individuals had access at previous work locations and in previous
-                                 information system accounts.
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ia-4
-                  rel:  related
-                  text: IA-4
-                - 
-                  href: #pe-2
-                  rel:  related
-                  text: PE-2
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-            - 
-              id:    ps-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(a)
-                  prose: 
-                    """
-                      when individuals are reassigned or transferred to other positions within the
-                                        organization, reviews and confirms ongoing operational need for current:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-5(a)[1]
-                      prose:      logical access authorizations to information systems;
-                    - 
-                      id:         ps-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: PS-5(a)[2]
-                      prose:      physical access authorizations to information systems and facilities;
-                - 
-                  id:         ps-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(b)
-                  parts: 
-                    - 
-                      id:         ps-5.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(b)[1]
-                      prose: 
-                        """
-                          defines transfer or reassignment actions to be initiated following transfer or
-                                               reassignment;
-                        """
-                    - 
-                      id:         ps-5.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(b)[2]
-                      prose: 
-                        """
-                          defines the time period within which transfer or reassignment actions must
-                                               occur following transfer or reassignment;
-                        """
-                    - 
-                      id:         ps-5.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-5(b)[3]
-                      prose: 
-                        """
-                          initiates organization-defined transfer or reassignment actions within the
-                                               organization-defined time period following transfer or reassignment;
-                        """
-                - 
-                  id:         ps-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-5(c)
-                  prose: 
-                    """
-                      modifies access authorization as needed to correspond with any changes in
-                                        operational need due to reassignment or transfer;
-                    """
-                - 
-                  id:         ps-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-5(d)
-                  parts: 
-                    - 
-                      id:         ps-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified when individuals are reassigned or
-                                               transferred to other positions within the organization;
-                        """
-                    - 
-                      id:         ps-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-5(d)[2]
-                      prose: 
-                        """
-                          defines the time period within which to notify organization-defined personnel
-                                               or roles when individuals are reassigned or transferred to other positions
-                                               within the organization; and
-                        """
-                    - 
-                      id:         ps-5.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-5(d)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period when individuals are reassigned or transferred
-                                               to other positions within the organization.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with personnel security responsibilities organizational
-                                        personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for personnel transfer\n\nautomated mechanisms supporting and/or implementing personnel transfer
-                                        notifications\n\nautomated mechanisms for disabling information system access/revoking
-                                        authenticators
-                    """
-        - 
-          id:         ps-6
-          class:      SP800-53
-          title:      Access Agreements
-          parameters: 
-            - 
-              id:          ps-6_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-            - 
-              id:          ps-6_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-6
-            - 
-              name:  sort-id
-              value: ps-06
-          parts: 
-            - 
-              id:    ps-6_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Develops and documents access agreements for organizational information
-                                        systems;
-                    """
-                - 
-                  id:         ps-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the access agreements {{ ps-6_prm_1 }}; and
-                - 
-                  id:         ps-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that individuals requiring access to organizational information and
-                                        information systems:
-                    """
-                  parts: 
-                    - 
-                      id:         ps-6_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Sign appropriate access agreements prior to being granted access; and
-                    - 
-                      id:         ps-6_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Re-sign access agreements to maintain access to organizational information
-                                               systems when access agreements have been updated or {{ ps-6_prm_2 }}.
-                        """
-            - 
-              id:    ps-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Access agreements include, for example, nondisclosure agreements, acceptable use
-                                 agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-                                 agreements include an acknowledgement that individuals have read, understand, and
-                                 agree to abide by the constraints associated with organizational information systems
-                                 to which access is authorized. Organizations can use electronic signatures to
-                                 acknowledge access agreements unless specifically prohibited by organizational
-                                 policy.
-                """
-              links: 
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-                - 
-                  href: #ps-8
-                  rel:  related
-                  text: PS-8
-            - 
-              id:    ps-6_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-6(a)
-                  prose: 
-                    """
-                      develops and documents access agreements for organizational information
-                                        systems;
-                    """
-                - 
-                  id:         ps-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(b)
-                  parts: 
-                    - 
-                      id:         ps-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-6(b)[1]
-                      prose:      defines the frequency to review and update the access agreements;
-                    - 
-                      id:         ps-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-6(b)[2]
-                      prose: 
-                        """
-                          reviews and updates the access agreements with the organization-defined
-                                               frequency;
-                        """
-                - 
-                  id:         ps-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-6(c)
-                  parts: 
-                    - 
-                      id:         ps-6.c.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-6(c)(1)
-                      prose: 
-                        """
-                          ensures that individuals requiring access to organizational information and
-                                               information systems sign appropriate access agreements prior to being granted
-                                               access;
-                        """
-                    - 
-                      id:         ps-6.c.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: PS-6(c)(2)
-                      parts: 
-                        - 
-                          id:         ps-6.c.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: PS-6(c)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to re-sign access agreements to maintain access to
-                                                      organizational information systems when access agreements have been
-                                                      updated;
-                            """
-                        - 
-                          id:         ps-6.c.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: PS-6(c)(2)[2]
-                          prose: 
-                            """
-                              ensures that individuals requiring access to organizational information and
-                                                      information systems re-sign access agreements to maintain access to
-                                                      organizational information systems when access agreements have been updated
-                                                      or with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Personnel security policy\n\nprocedures addressing access agreements for organizational information and
-                                        information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements
-        - 
-          id:         ps-7
-          class:      SP800-53
-          title:      Third-party Personnel Security
-          parameters: 
-            - 
-              id:    ps-7_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ps-7_prm_2
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: organization-defined time period - same day
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: PS-7
-            - 
-              name:  sort-id
-              value: ps-07
-          links: 
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-          parts: 
-            - 
-              id:    ps-7_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes personnel security requirements including security roles and
-                                        responsibilities for third-party providers;
-                    """
-                - 
-                  id:         ps-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Requires third-party providers to comply with personnel security policies and
-                                        procedures established by the organization;
-                    """
-                - 
-                  id:         ps-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Documents personnel security requirements;
-                - 
-                  id:         ps-7_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Requires third-party providers to notify {{ ps-7_prm_1 }} of any
-                                        personnel transfers or terminations of third-party personnel who possess
-                                        organizational credentials and/or badges, or who have information system
-                                        privileges within {{ ps-7_prm_2 }}; and
-                    """
-                - 
-                  id:         ps-7_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Monitors provider compliance.
-            - 
-              id:    ps-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Third-party providers include, for example, service bureaus, contractors, and other
-                                 organizations providing information system development, information technology
-                                 services, outsourced applications, and network and security management. Organizations
-                                 explicitly include personnel security requirements in acquisition-related documents.
-                                 Third-party providers may have personnel working at organizational facilities with
-                                 credentials, badges, or information system privileges issued by organizations.
-                                 Notifications of third-party personnel changes ensure appropriate termination of
-                                 privileges and credentials. Organizations define the transfers and terminations
-                                 deemed reportable by security-related characteristics that include, for example,
-                                 functions, roles, and nature of credentials/privileges associated with individuals
-                                 transferred or terminated.
-                """
-              links: 
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #ps-3
-                  rel:  related
-                  text: PS-3
-                - 
-                  href: #ps-4
-                  rel:  related
-                  text: PS-4
-                - 
-                  href: #ps-5
-                  rel:  related
-                  text: PS-5
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-                - 
-                  href: #sa-9
-                  rel:  related
-                  text: SA-9
-                - 
-                  href: #sa-21
-                  rel:  related
-                  text: SA-21
-            - 
-              id:    ps-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-7(a)
-                  prose: 
-                    """
-                      establishes personnel security requirements, including security roles and
-                                        responsibilities, for third-party providers;
-                    """
-                - 
-                  id:         ps-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: PS-7(b)
-                  prose: 
-                    """
-                      requires third-party providers to comply with personnel security policies and
-                                        procedures established by the organization;
-                    """
-                - 
-                  id:         ps-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-7(c)
-                  prose:      documents personnel security requirements;
-                - 
-                  id:         ps-7.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-7(d)
-                  parts: 
-                    - 
-                      id:         ps-7.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges;
-                        """
-                    - 
-                      id:         ps-7.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[2]
-                      prose: 
-                        """
-                          defines the time period within which third-party providers are required to
-                                               notify organization-defined personnel or roles of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges;
-                        """
-                    - 
-                      id:         ps-7.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-7(d)[3]
-                      prose: 
-                        """
-                          requires third-party providers to notify organization-defined personnel or
-                                               roles within the organization-defined time period of any personnel transfers or
-                                               terminations of third-party personnel who possess organizational credentials
-                                               and/or badges, or who have information system privileges; and
-                        """
-                - 
-                  id:         ps-7.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: PS-7(e)
-                  prose:      monitors provider compliance.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for managing and monitoring third-party personnel
-                                        security\n\nautomated mechanisms supporting and/or implementing monitoring of provider
-                                        compliance
-                    """
-        - 
-          id:         ps-8
-          class:      SP800-53
-          title:      Personnel Sanctions
-          parameters: 
-            - 
-              id:    ps-8_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:    ps-8_prm_2
-              label: organization-defined time period
-          properties: 
-            - 
-              name:  label
-              value: PS-8
-            - 
-              name:  sort-id
-              value: ps-08
-          parts: 
-            - 
-              id:    ps-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ps-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs a formal sanctions process for individuals failing to comply with
-                                        established information security policies and procedures; and
-                    """
-                - 
-                  id:         ps-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Notifies {{ ps-8_prm_1 }} within {{ ps-8_prm_2 }}
-                                        when a formal employee sanctions process is initiated, identifying the individual
-                                        sanctioned and the reason for the sanction.
-                    """
-            - 
-              id:    ps-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Sanctions processes are
-                                 described in access agreements and can be included as part of general personnel
-                                 policies and procedures for organizations. Organizations consult with the Office of
-                                 the General Counsel regarding matters of employee sanctions.
-                """
-              links: 
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-6
-                  rel:  related
-                  text: PS-6
-            - 
-              id:    ps-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ps-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: PS-8(a)
-                  prose: 
-                    """
-                      employs a formal sanctions process for individuals failing to comply with
-                                        established information security policies and procedures;
-                    """
-                - 
-                  id:         ps-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: PS-8(b)
-                  parts: 
-                    - 
-                      id:         ps-8.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-8(b)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to be notified when a formal employee sanctions
-                                               process is initiated;
-                        """
-                    - 
-                      id:         ps-8.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: PS-8(b)[2]
-                      prose: 
-                        """
-                          defines the time period within which organization-defined personnel or roles
-                                               must be notified when a formal employee sanctions process is initiated; and
-                        """
-                    - 
-                      id:         ps-8.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: PS-8(b)[3]
-                      prose: 
-                        """
-                          notifies organization-defined personnel or roles within the
-                                               organization-defined time period when a formal employee sanctions process is
-                                               initiated, identifying the individual sanctioned and the reason for the
-                                               sanction.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and/or implementing notifications
-    - 
-      id:       ra
-      class:    family
-      title:    Risk Assessment
-      controls: 
-        - 
-          id:         ra-1
-          class:      SP800-53
-          title:      Risk Assessment Policy and Procedures
-          parameters: 
-            - 
-              id:    ra-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          ra-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          ra-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: RA-1
-            - 
-              name:  sort-id
-              value: ra-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    ra-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ ra-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         ra-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A risk assessment policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         ra-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the risk assessment policy and
-                                               associated risk assessment controls; and
-                        """
-                - 
-                  id:         ra-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         ra-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Risk assessment policy {{ ra-1_prm_2 }}; and
-                    - 
-                      id:         ra-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Risk assessment procedures {{ ra-1_prm_3 }}.
-            - 
-              id:    ra-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the RA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ra-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-1(a)
-                  parts: 
-                    - 
-                      id:         ra-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         ra-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[1]
-                          prose:      develops and documents a risk assessment policy that addresses:
-                          parts: 
-                            - 
-                              id:         ra-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         ra-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         ra-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         ra-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         ra-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         ra-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         ra-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: RA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         ra-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the risk assessment policy is to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ra-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: RA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the risk assessment policy to organization-defined personnel or
-                                                      roles;
-                            """
-                    - 
-                      id:         ra-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         ra-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      risk assessment policy and associated risk assessment controls;
-                            """
-                        - 
-                          id:         ra-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         ra-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: RA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         ra-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-1(b)
-                  parts: 
-                    - 
-                      id:         ra-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         ra-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current risk assessment
-                                                      policy;
-                            """
-                        - 
-                          id:         ra-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current risk assessment policy with the
-                                                      organization-defined frequency;
-                            """
-                    - 
-                      id:         ra-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         ra-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current risk assessment
-                                                      procedures; and
-                            """
-                        - 
-                          id:         ra-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: RA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current risk assessment procedures with the
-                                                      organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: risk assessment policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         ra-2
-          class:      SP800-53
-          title:      Security Categorization
-          properties: 
-            - 
-              name:  label
-              value: RA-2
-            - 
-              name:  sort-id
-              value: ra-02
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #f152844f-b1ef-4836-8729-6277078ebee1
-              rel:  reference
-              text: NIST Special Publication 800-60
-          parts: 
-            - 
-              id:    ra-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Categorizes information and the information system in accordance with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance;
-                    """
-                - 
-                  id:         ra-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Documents the security categorization results (including supporting rationale) in
-                                        the security plan for the information system; and
-                    """
-                - 
-                  id:         ra-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Ensures that the authorizing official or authorizing official designated
-                                        representative reviews and approves the security categorization decision.
-                    """
-            - 
-              id:    ra-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Clearly defined authorization boundaries are a prerequisite for effective security
-                                 categorization decisions. Security categories describe the potential adverse impacts
-                                 to organizational operations, organizational assets, and individuals if
-                                 organizational information and information systems are comprised through a loss of
-                                 confidentiality, integrity, or availability. Organizations conduct the security
-                                 categorization process as an organization-wide activity with the involvement of chief
-                                 information officers, senior information security officers, information system
-                                 owners, mission/business owners, and information owners/stewards. Organizations also
-                                 consider the potential adverse impacts to other organizations and, in accordance with
-                                 the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-                                 national-level adverse impacts. Security categorization processes carried out by
-                                 organizations facilitate the development of inventories of information assets, and
-                                 along with CM-8, mappings to specific information system components where information
-                                 is processed, stored, or transmitted.
-                """
-              links: 
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    ra-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: RA-2(a)
-                  prose: 
-                    """
-                      categorizes information and the information system in accordance with applicable
-                                        federal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        guidance;
-                    """
-                - 
-                  id:         ra-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: RA-2(b)
-                  prose: 
-                    """
-                      documents the security categorization results (including supporting rationale) in
-                                        the security plan for the information system; and
-                    """
-                - 
-                  id:         ra-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: RA-2(c)
-                  prose: 
-                    """
-                      ensures the authorizing official or authorizing official designated representative
-                                        reviews and approves the security categorization decision.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and
-                                        information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security categorization and risk assessment
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for security categorization
-        - 
-          id:         ra-3
-          class:      SP800-53
-          title:      Risk Assessment
-          parameters: 
-            - 
-              id: ra-3_prm_1
-            - 
-              id:          ra-3_prm_2
-              depends-on:  ra-3_prm_1
-              label:       organization-defined document
-              constraints: 
-                - 
-                  detail: security assessment report
-            - 
-              id:          ra-3_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three (3) years or when a significant change occurs
-            - 
-              id:    ra-3_prm_4
-              label: organization-defined personnel or roles
-            - 
-              id:          ra-3_prm_5
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every three (3) years or when a significant change occurs
-          properties: 
-            - 
-              name:  label
-              value: RA-3
-            - 
-              name:  sort-id
-              value: ra-03
-          links: 
-            - 
-              href: #ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-              rel:  reference
-              text: OMB Memorandum 04-04
-            - 
-              href: #a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-              rel:  reference
-              text: NIST Special Publication 800-30
-            - 
-              href: #d480aa6a-7a88-424e-a10c-ad1c7870354b
-              rel:  reference
-              text: NIST Special Publication 800-39
-            - 
-              href: #85280698-0417-489d-b214-12bb935fb939
-              rel:  reference
-              text: http://idmanagement.gov
-          parts: 
-            - 
-              id:    ra-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                                        from the unauthorized access, use, disclosure, disruption, modification, or
-                                        destruction of the information system and the information it processes, stores, or
-                                        transmits;
-                    """
-                - 
-                  id:         ra-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Documents risk assessment results in {{ ra-3_prm_1 }};
-                - 
-                  id:         ra-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Reviews risk assessment results {{ ra-3_prm_3 }};
-                - 
-                  id:         ra-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Disseminates risk assessment results to {{ ra-3_prm_4 }}; and
-                - 
-                  id:         ra-3_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Updates the risk assessment {{ ra-3_prm_5 }} or whenever there are
-                                        significant changes to the information system or environment of operation
-                                        (including the identification of new threats and vulnerabilities), or other
-                                        conditions that may impact the security state of the system.
-                    """
-                - 
-                  id:    ra-3_fr
-                  name:  item
-                  title: RA-3 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ra-3_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
-                    - 
-                      id:         ra-3_fr_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-3 (d) Requirement:
-                      prose:      Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-            - 
-              id:    ra-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Clearly defined authorization boundaries are a prerequisite for effective risk
-                                 assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-                                 and impact to organizational operations and assets, individuals, other organizations,
-                                 and the Nation based on the operation and use of information systems. Risk
-                                 assessments also take into account risk from external parties (e.g., service
-                                 providers, contractors operating information systems on behalf of the organization,
-                                 individuals accessing organizational information systems, outsourcing entities). In
-                                 accordance with OMB policy and related E-authentication initiatives, authentication
-                                 of public users accessing federal information systems may also be required to protect
-                                 nonpublic or privacy-related information. As such, organizational assessments of risk
-                                 also address public access to federal information systems. Risk assessments (either
-                                 formal or informal) can be conducted at all three tiers in the risk management
-                                 hierarchy (i.e., organization level, mission/business process level, or information
-                                 system level) and at any phase in the system development life cycle. Risk assessments
-                                 can also be conducted at various steps in the Risk Management Framework, including
-                                 categorization, security control selection, security control implementation, security
-                                 control assessment, information system authorization, and security control
-                                 monitoring. RA-3 is noteworthy in that the control must be partially implemented
-                                 prior to the implementation of other controls in order to complete the first two
-                                 steps in the Risk Management Framework. Risk assessments can play an important role
-                                 in security control selection processes, particularly during the application of
-                                 tailoring guidance, which includes security control supplementation.
-                """
-              links: 
-                - 
-                  href: #ra-2
-                  rel:  related
-                  text: RA-2
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    ra-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(a)
-                  prose: 
-                    """
-                      conducts an assessment of risk, including the likelihood and magnitude of harm,
-                                        from the unauthorized access, use, disclosure, disruption, modification, or
-                                        destruction of:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(a)[1]
-                      prose:      the information system;
-                    - 
-                      id:         ra-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(a)[2]
-                      prose:      the information the system processes, stores, or transmits;
-                - 
-                  id:         ra-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(b)
-                  parts: 
-                    - 
-                      id:         ra-3.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(b)[1]
-                      prose: 
-                        """
-                          defines a document in which risk assessment results are to be documented (if
-                                               not documented in the security plan or risk assessment report);
-                        """
-                    - 
-                      id:         ra-3.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(b)[2]
-                      prose:      documents risk assessment results in one of the following:
-                      parts: 
-                        - 
-                          id:         ra-3.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][a]
-                          prose:      the security plan;
-                        - 
-                          id:         ra-3.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][b]
-                          prose:      the risk assessment report; or
-                        - 
-                          id:         ra-3.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(b)[2][c]
-                          prose:      the organization-defined document;
-                - 
-                  id:         ra-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(c)
-                  parts: 
-                    - 
-                      id:         ra-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(c)[1]
-                      prose:      defines the frequency to review risk assessment results;
-                    - 
-                      id:         ra-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(c)[2]
-                      prose:      reviews risk assessment results with the organization-defined frequency;
-                - 
-                  id:         ra-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(d)
-                  parts: 
-                    - 
-                      id:         ra-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(d)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom risk assessment results are to be
-                                               disseminated;
-                        """
-                    - 
-                      id:         ra-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(d)[2]
-                      prose: 
-                        """
-                          disseminates risk assessment results to organization-defined personnel or
-                                               roles;
-                        """
-                - 
-                  id:         ra-3.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-3(e)
-                  parts: 
-                    - 
-                      id:         ra-3.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-3(e)[1]
-                      prose:      defines the frequency to update the risk assessment;
-                    - 
-                      id:         ra-3.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-3(e)[2]
-                      prose:      updates the risk assessment:
-                      parts: 
-                        - 
-                          id:         ra-3.e_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][a]
-                          prose:      with the organization-defined frequency;
-                        - 
-                          id:         ra-3.e_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][b]
-                          prose: 
-                            """
-                              whenever there are significant changes to the information system or
-                                                      environment of operation (including the identification of new threats and
-                                                      vulnerabilities); and
-                            """
-                        - 
-                          id:         ra-3.e_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-3(e)[2][c]
-                          prose: 
-                            """
-                              whenever there are other conditions that may impact the security state of
-                                                      the system.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for risk assessment\n\nautomated mechanisms supporting and/or for conducting, documenting, reviewing,
-                                        disseminating, and updating the risk assessment
-                    """
-        - 
-          id:         ra-5
-          class:      SP800-53
-          title:      Vulnerability Scanning
-          parameters: 
-            - 
-              id:          ra-5_prm_1
-              label: 
-                """
-                  organization-defined frequency and/or randomly in accordance with
-                                 organization-defined process
-                """
-              constraints: 
-                - 
-                  detail: monthly operating system/infrastructure; monthly web applications and databases
-            - 
-              id:          ra-5_prm_2
-              label:       organization-defined response times
-              constraints: 
-                - 
-                  detail: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery
-            - 
-              id:    ra-5_prm_3
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: RA-5
-            - 
-              name:  sort-id
-              value: ra-05
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #c4691b88-57d1-463b-9053-2d0087913f31
-              rel:  reference
-              text: NIST Special Publication 800-115
-            - 
-              href: #15522e92-9192-463d-9646-6a01982db8ca
-              rel:  reference
-              text: http://cwe.mitre.org
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-          parts: 
-            - 
-              id:    ra-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         ra-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Scans for vulnerabilities in the information system and hosted applications
-                                           {{ ra-5_prm_1 }} and when new vulnerabilities potentially
-                                        affecting the system/applications are identified and reported;
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5_fr_smt.a
-                      name:       item
-                      title:      RA-5(a) Additional FedRAMP Requirements and Guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5 (a)Requirement:
-                      prose:      An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-                - 
-                  id:         ra-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Employs vulnerability scanning tools and techniques that facilitate
-                                        interoperability among tools and automate parts of the vulnerability management
-                                        process by using standards for:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Enumerating platforms, software flaws, and improper configurations;
-                    - 
-                      id:         ra-5_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Formatting checklists and test procedures; and
-                    - 
-                      id:         ra-5_smt.b.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose:      Measuring vulnerability impact;
-                - 
-                  id:         ra-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Analyzes vulnerability scan reports and results from security control
-                                        assessments;
-                    """
-                - 
-                  id:         ra-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Remediates legitimate vulnerabilities {{ ra-5_prm_2 }} in
-                                        accordance with an organizational assessment of risk; and
-                    """
-                - 
-                  id:         ra-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Shares information obtained from the vulnerability scanning process and security
-                                        control assessments with {{ ra-5_prm_3 }} to help eliminate similar
-                                        vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                        deficiencies).
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5_fr_smt.e
-                      name:       item
-                      title:      RA-5(e) Additional FedRAMP Requirements and Guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: RA-5 (e)Requirement:
-                      prose:      To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-                - 
-                  id:    ra-5_fr
-                  name:  item
-                  title: RA-5 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         ra-5_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose: 
-                        """
-                          
-                                               **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))
-                        """
-            - 
-              id:    ra-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  Security categorization of information systems guides the frequency and
-                                 comprehensiveness of vulnerability scans. Organizations determine the required
-                                 vulnerability scanning for all information system components, ensuring that potential
-                                 sources of vulnerabilities such as networked printers, scanners, and copiers are not
-                                 overlooked. Vulnerability analyses for custom software applications may require
-                                 additional approaches such as static analysis, dynamic analysis, binary analysis, or
-                                 a hybrid of the three approaches. Organizations can employ these analysis approaches
-                                 in a variety of tools (e.g., web-based application scanners, static analysis tools,
-                                 binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-                                 example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-                                 protocols, and services that should not be accessible to users or devices; and (iii)
-                                 scanning for improperly configured or incorrectly operating information flow control
-                                 mechanisms. Organizations consider using tools that express vulnerabilities in the
-                                 Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-                                 Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-                                 vulnerabilities. Suggested sources for vulnerability information include the Common
-                                 Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-                                 addition, security control assessments such as red team exercises provide other
-                                 sources of potential vulnerabilities for which to scan. Organizations also consider
-                                 using tools that express vulnerability impact by the Common Vulnerability Scoring
-                                 System (CVSS).
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #ra-2
-                  rel:  related
-                  text: RA-2
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    ra-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         ra-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(a)
-                  parts: 
-                    - 
-                      id:         ra-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(a)[1]
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[1][a]
-                          prose: 
-                            """
-                              defines the frequency for conducting vulnerability scans on the information
-                                                      system and hosted applications; and/or
-                            """
-                        - 
-                          id:         ra-5.a_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[1][b]
-                          prose: 
-                            """
-                              defines the process for conducting random vulnerability scans on the
-                                                      information system and hosted applications;
-                            """
-                    - 
-                      id:         ra-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(a)[2]
-                      prose: 
-                        """
-                          in accordance with the organization-defined frequency and/or
-                                               organization-defined process for conducting random scans, scans for
-                                               vulnerabilities in:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[2][a]
-                          prose:      the information system;
-                        - 
-                          id:         ra-5.a_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[2][b]
-                          prose:      hosted applications;
-                    - 
-                      id:         ra-5.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(a)[3]
-                      prose: 
-                        """
-                          when new vulnerabilities potentially affecting the system/applications are
-                                               identified and reported, scans for vulnerabilities in:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.a_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[3][a]
-                          prose:      the information system;
-                        - 
-                          id:         ra-5.a_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(a)[3][b]
-                          prose:      hosted applications;
-                - 
-                  id:         ra-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(b)
-                  prose: 
-                    """
-                      employs vulnerability scanning tools and techniques that facilitate
-                                        interoperability among tools and automate parts of the vulnerability management
-                                        process by using standards for:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(1)
-                      parts: 
-                        - 
-                          id:         ra-5.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[1]
-                          prose:      enumerating platforms;
-                        - 
-                          id:         ra-5.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[2]
-                          prose:      enumerating software flaws;
-                        - 
-                          id:         ra-5.b.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(1)[3]
-                          prose:      enumerating improper configurations;
-                    - 
-                      id:         ra-5.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(2)
-                      parts: 
-                        - 
-                          id:         ra-5.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(2)[1]
-                          prose:      formatting checklists;
-                        - 
-                          id:         ra-5.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(b)(2)[2]
-                          prose:      formatting test procedures;
-                    - 
-                      id:         ra-5.b.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(b)(3)
-                      prose:      measuring vulnerability impact;
-                - 
-                  id:         ra-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(c)
-                  parts: 
-                    - 
-                      id:         ra-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(c)[1]
-                      prose:      analyzes vulnerability scan reports;
-                    - 
-                      id:         ra-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(c)[2]
-                      prose:      analyzes results from security control assessments;
-                - 
-                  id:         ra-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(d)
-                  parts: 
-                    - 
-                      id:         ra-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(d)[1]
-                      prose: 
-                        """
-                          defines response times to remediate legitimate vulnerabilities in accordance
-                                               with an organizational assessment of risk;
-                        """
-                    - 
-                      id:         ra-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(d)[2]
-                      prose: 
-                        """
-                          remediates legitimate vulnerabilities within the organization-defined response
-                                               times in accordance with an organizational assessment of risk;
-                        """
-                - 
-                  id:         ra-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: RA-5(e)
-                  parts: 
-                    - 
-                      id:         ra-5.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(e)[1]
-                      prose: 
-                        """
-                          defines personnel or roles with whom information obtained from the
-                                               vulnerability scanning process and security control assessments is to be
-                                               shared;
-                        """
-                    - 
-                      id:         ra-5.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(e)[2]
-                      prose: 
-                        """
-                          shares information obtained from the vulnerability scanning process with
-                                               organization-defined personnel or roles to help eliminate similar
-                                               vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                               deficiencies); and
-                        """
-                    - 
-                      id:         ra-5.e_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(e)[3]
-                      prose: 
-                        """
-                          shares information obtained from security control assessments with
-                                               organization-defined personnel or roles to help eliminate similar
-                                               vulnerabilities in other information systems (i.e., systemic weaknesses or
-                                               deficiencies).
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with risk assessment, security control assessment and
-                                        vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for vulnerability scanning, analysis, remediation, and
-                                        information sharing\n\nautomated mechanisms supporting and/or implementing vulnerability scanning,
-                                        analysis, remediation, and information sharing
-                    """
-          controls: 
-            - 
-              id:         ra-5.1
-              class:      SP800-53-enhancement
-              title:      Update Tool Capability
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(1)
-                - 
-                  name:  sort-id
-                  value: ra-05.01
-              parts: 
-                - 
-                  id:    ra-5.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs vulnerability scanning tools that include the capability
-                                        to readily update the information system vulnerabilities to be scanned.
-                    """
-                - 
-                  id:    ra-5.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The vulnerabilities to be scanned need to be readily updated as new
-                                        vulnerabilities are discovered, announced, and scanning methods developed. This
-                                        updating process helps to ensure that potential vulnerabilities in the information
-                                        system are identified and addressed as quickly as possible.
-                    """
-                  links: 
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:         ra-5.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs vulnerability scanning tools that include
-                                        the capability to readily update the information system vulnerabilities to be
-                                        scanned.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning
-                        """
-            - 
-              id:         ra-5.2
-              class:      SP800-53-enhancement
-              title:      Update by Frequency / Prior to New Scan / When Identified
-              parameters: 
-                - 
-                  id:          ra-5.2_prm_1
-                  constraints: 
-                    - 
-                      detail: prior to a new scan
-                - 
-                  id:         ra-5.2_prm_2
-                  depends-on: ra-5.2_prm_1
-                  label:      organization-defined frequency
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: RA-5(2)
-                - 
-                  name:  sort-id
-                  value: ra-05.02
-              parts: 
-                - 
-                  id:    ra-5.2_smt
-                  name:  statement
-                  prose: The organization updates the information system vulnerabilities scanned {{ ra-5.2_prm_1 }}.
-                - 
-                  id:    ra-5.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #si-3
-                      rel:  related
-                      text: SI-3
-                    - 
-                      href: #si-5
-                      rel:  related
-                      text: SI-5
-                - 
-                  id:    ra-5.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         ra-5.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(2)[1]
-                      prose: 
-                        """
-                          defines the frequency to update the information system vulnerabilities
-                                               scanned;
-                        """
-                    - 
-                      id:         ra-5.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(2)[2]
-                      prose: 
-                        """
-                          updates the information system vulnerabilities scanned one or more of the
-                                               following:
-                        """
-                      parts: 
-                        - 
-                          id:         ra-5.2_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(2)[2][a]
-                          prose:      with the organization-defined frequency;
-                        - 
-                          id:         ra-5.2_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(2)[2][b]
-                          prose:      prior to a new scan; and/or
-                        - 
-                          id:         ra-5.2_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: RA-5(2)[2][c]
-                          prose:      when new vulnerabilities are identified and reported.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning
-                        """
-            - 
-              id:         ra-5.3
-              class:      SP800-53-enhancement
-              title:      Breadth / Depth of Coverage
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(3)
-                - 
-                  name:  sort-id
-                  value: ra-05.03
-              parts: 
-                - 
-                  id:    ra-5.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs vulnerability scanning procedures that can identify the
-                                        breadth and depth of coverage (i.e., information system components scanned and
-                                        vulnerabilities checked).
-                    """
-                - 
-                  id:    ra-5.3_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization employs vulnerability scanning procedures that can
-                                        identify:
-                    """
-                  parts: 
-                    - 
-                      id:         ra-5.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(3)[1]
-                      prose:      the breadth of coverage (i.e., information system components scanned); and
-                    - 
-                      id:         ra-5.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(3)[2]
-                      prose:      the depth of coverage (i.e., vulnerabilities checked).
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning
-                        """
-            - 
-              id:         ra-5.5
-              class:      SP800-53-enhancement
-              title:      Privileged Access
-              parameters: 
-                - 
-                  id:          ra-5.5_prm_1
-                  label:       organization-identified information system components
-                  constraints: 
-                    - 
-                      detail: operating systems / web applications / databases
-                - 
-                  id:          ra-5.5_prm_2
-                  label:       organization-defined vulnerability scanning activities
-                  constraints: 
-                    - 
-                      detail: all scans
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: RA-5(5)
-                - 
-                  name:  sort-id
-                  value: ra-05.05
-              parts: 
-                - 
-                  id:    ra-5.5_smt
-                  name:  statement
-                  prose: The information system implements privileged access authorization to {{ ra-5.5_prm_1 }} for selected {{ ra-5.5_prm_2 }}.
-                - 
-                  id:    ra-5.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      In certain situations, the nature of the vulnerability scanning may be more
-                                        intrusive or the information system component that is the subject of the scanning
-                                        may contain highly sensitive information. Privileged access authorization to
-                                        selected system components facilitates more thorough vulnerability scanning and
-                                        also protects the sensitive nature of such scanning.
-                    """
-                - 
-                  id:    ra-5.5_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         ra-5.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(5)[1]
-                      prose: 
-                        """
-                          the organization defines information system components to which privileged
-                                               access is authorized for selected vulnerability scanning activities;
-                        """
-                    - 
-                      id:         ra-5.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: RA-5(5)[2]
-                      prose: 
-                        """
-                          the organization defines vulnerability scanning activities selected for
-                                               privileged access authorization to organization-defined information system
-                                               components; and
-                        """
-                    - 
-                      id:         ra-5.5_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: RA-5(5)[3]
-                      prose: 
-                        """
-                          the information system implements privileged access authorization to
-                                               organization-defined information system components for selected
-                                               organization-defined vulnerability scanning activities.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with vulnerability scanning responsibilities\n\nsystem/network administrators\n\norganizational personnel responsible for access control to the information
-                                               system\n\norganizational personnel responsible for configuration management of the
-                                               information system\n\nsystem developers\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nautomated mechanisms supporting and/or implementing access control\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning
-                        """
-            - 
-              id:         ra-5.6
-              class:      SP800-53-enhancement
-              title:      Automated Trend Analyses
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(6)
-                - 
-                  name:  sort-id
-                  value: ra-05.06
-              parts: 
-                - 
-                  id:    ra-5.6_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms to compare the results of
-                                        vulnerability scans over time to determine trends in information system
-                                        vulnerabilities.
-                    """
-                  parts: 
-                    - 
-                      id:    ra-5.6_fr
-                      name:  item
-                      title: RA-5 (6) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ra-5.6_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      Include in Continuous Monitoring ISSO digest/report to JAB/AO
-                - 
-                  id:    ra-5.6_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                    - 
-                      href: #ir-5
-                      rel:  related
-                      text: IR-5
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                - 
-                  id:         ra-5.6_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated mechanisms to compare the results
-                                        of vulnerability scans over time to determine trends in information system
-                                        vulnerabilities.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\ninformation system design documentation\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning\n\nautomated mechanisms supporting and/or implementing trend analysis of
-                                               vulnerability scan results
-                        """
-            - 
-              id:         ra-5.8
-              class:      SP800-53-enhancement
-              title:      Review Historic Audit Logs
-              properties: 
-                - 
-                  name:  label
-                  value: RA-5(8)
-                - 
-                  name:  sort-id
-                  value: ra-05.08
-              parts: 
-                - 
-                  id:    ra-5.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization reviews historic audit logs to determine if a vulnerability
-                                        identified in the information system has been previously exploited.
-                    """
-                  parts: 
-                    - 
-                      id:    ra-5.8_fr
-                      name:  item
-                      title: RA-5 (8) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         ra-5.8_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      This enhancement is required for all high vulnerability scan findings.
-                        - 
-                          id:         ra-5.8_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.
-                - 
-                  id:    ra-5.8_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #au-6
-                      rel:  related
-                      text: AU-6
-                - 
-                  id:         ra-5.8_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization reviews historic audit logs to determine if a
-                                        vulnerability identified in the information system has been previously exploited.
-                                     
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\naudit logs\n\nrecords of audit log reviews\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with audit record review responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for vulnerability scanning\n\norganizational process for audit record review and response\n\nautomated mechanisms/tools supporting and/or implementing vulnerability
-                                               scanning\n\nautomated mechanisms supporting and/or implementing audit record review
-                        """
-    - 
-      id:       sa
-      class:    family
-      title:    System and Services Acquisition
-      controls: 
-        - 
-          id:         sa-1
-          class:      SP800-53
-          title:      System and Services Acquisition Policy and Procedures
-          parameters: 
-            - 
-              id:    sa-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          sa-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          sa-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SA-1
-            - 
-              name:  sort-id
-              value: sa-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    sa-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ sa-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         sa-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and services acquisition policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         sa-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and services
-                                               acquisition policy and associated system and services acquisition controls;
-                                               and
-                        """
-                - 
-                  id:         sa-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         sa-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      System and services acquisition policy {{ sa-1_prm_2 }}; and
-                    - 
-                      id:         sa-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and services acquisition procedures {{ sa-1_prm_3 }}.
-            - 
-              id:    sa-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SA
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    sa-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-1(a)
-                  parts: 
-                    - 
-                      id:         sa-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(a)(1)
-                      parts: 
-                        - 
-                          id:         sa-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and services acquisition policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         sa-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         sa-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         sa-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         sa-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         sa-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         sa-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         sa-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SA-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         sa-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and services acquisition
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         sa-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and services acquisition policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         sa-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(a)(2)
-                      parts: 
-                        - 
-                          id:         sa-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and services acquisition policy and associated system and services
-                                                      acquisition controls;
-                            """
-                        - 
-                          id:         sa-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         sa-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SA-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         sa-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-1(b)
-                  parts: 
-                    - 
-                      id:         sa-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(b)(1)
-                      parts: 
-                        - 
-                          id:         sa-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and services
-                                                      acquisition policy;
-                            """
-                        - 
-                          id:         sa-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and services acquisition policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         sa-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-1(b)(2)
-                      parts: 
-                        - 
-                          id:         sa-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and services
-                                                      acquisition procedures; and
-                            """
-                        - 
-                          id:         sa-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and services acquisition procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and services acquisition policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities
-        - 
-          id:         sa-2
-          class:      SP800-53
-          title:      Allocation of Resources
-          properties: 
-            - 
-              name:  label
-              value: SA-2
-            - 
-              name:  sort-id
-              value: sa-02
-          links: 
-            - 
-              href: #29fcfe59-33cd-494a-8756-5907ae3a8f92
-              rel:  reference
-              text: NIST Special Publication 800-65
-          parts: 
-            - 
-              id:    sa-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Determines information security requirements for the information system or
-                                        information system service in mission/business process planning;
-                    """
-                - 
-                  id:         sa-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Determines, documents, and allocates the resources required to protect the
-                                        information system or information system service as part of its capital planning
-                                        and investment control process; and
-                    """
-                - 
-                  id:         sa-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Establishes a discrete line item for information security in organizational
-                                        programming and budgeting documentation.
-                    """
-            - 
-              id:    sa-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Resource allocation for information security includes funding for the initial
-                                 information system or information system service acquisition and funding for the
-                                 sustainment of the system/service.
-                """
-              links: 
-                - 
-                  href: #pm-3
-                  rel:  related
-                  text: PM-3
-                - 
-                  href: #pm-11
-                  rel:  related
-                  text: PM-11
-            - 
-              id:    sa-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-2(a)
-                  prose: 
-                    """
-                      determines information security requirements for the information system or
-                                        information system service in mission/business process planning;
-                    """
-                - 
-                  id:         sa-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-2(b)
-                  prose: 
-                    """
-                      to protect the information system or information system service as part of its
-                                        capital planning and investment control process:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[1]
-                      prose:      determines the resources required;
-                    - 
-                      id:         sa-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[2]
-                      prose:      documents the resources required;
-                    - 
-                      id:         sa-2.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-2(b)[3]
-                      prose:      allocates the resources required; and
-                - 
-                  id:         sa-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-2(c)
-                  prose: 
-                    """
-                      establishes a discrete line item for information security in organizational
-                                        programming and budgeting documentation.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security
-                                        requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with capital planning, investment control, organizational
-                                        programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security
-                                        requirements for information systems/services\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and/or implementing organizational capital
-                                        planning, programming, and budgeting
-                    """
-        - 
-          id:         sa-3
-          class:      SP800-53
-          title:      System Development Life Cycle
-          parameters: 
-            - 
-              id:    sa-3_prm_1
-              label: organization-defined system development life cycle
-          properties: 
-            - 
-              name:  label
-              value: SA-3
-            - 
-              name:  sort-id
-              value: sa-03
-          links: 
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #abd950ae-092f-4b7a-b374-1c7c67fe9350
-              rel:  reference
-              text: NIST Special Publication 800-64
-          parts: 
-            - 
-              id:    sa-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Manages the information system using {{ sa-3_prm_1 }} that
-                                        incorporates information security considerations;
-                    """
-                - 
-                  id:         sa-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Defines and documents information security roles and responsibilities throughout
-                                        the system development life cycle;
-                    """
-                - 
-                  id:         sa-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Identifies individuals having information security roles and responsibilities;
-                                        and
-                    """
-                - 
-                  id:         sa-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Integrates the organizational information security risk management process into
-                                        system development life cycle activities.
-                    """
-            - 
-              id:    sa-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  A well-defined system development life cycle provides the foundation for the
-                                 successful development, implementation, and operation of organizational information
-                                 systems. To apply the required security controls within the system development life
-                                 cycle requires a basic understanding of information security, threats,
-                                 vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-                                 The security engineering principles in SA-8 cannot be properly applied if individuals
-                                 that design, code, and test information systems and system components (including
-                                 information technology products) do not understand security. Therefore, organizations
-                                 include qualified personnel, for example, chief information security officers,
-                                 security architects, security engineers, and information system security officers in
-                                 system development life cycle activities to ensure that security requirements are
-                                 incorporated into organizational information systems. It is equally important that
-                                 developers include individuals on the development team that possess the requisite
-                                 security expertise and skills to ensure that needed security capabilities are
-                                 effectively integrated into the information system. Security awareness and training
-                                 programs can help ensure that individuals having key security roles and
-                                 responsibilities have the appropriate experience, skills, and expertise to conduct
-                                 assigned system development life cycle activities. The effective integration of
-                                 security requirements into enterprise architecture also helps to ensure that
-                                 important security considerations are addressed early in the system development life
-                                 cycle and that those considerations are directly related to the organizational
-                                 mission/business processes. This process also facilitates the integration of the
-                                 information security architecture into the enterprise architecture, consistent with
-                                 organizational risk management and information security strategies.
-                """
-              links: 
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-            - 
-              id:    sa-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-3(a)
-                  parts: 
-                    - 
-                      id:         sa-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-3(a)[1]
-                      prose: 
-                        """
-                          defines a system development life cycle that incorporates information security
-                                               considerations to be used to manage the information system;
-                        """
-                    - 
-                      id:         sa-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-3(a)[2]
-                      prose: 
-                        """
-                          manages the information system using the organization-defined system
-                                               development life cycle;
-                        """
-                - 
-                  id:         sa-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-3(b)
-                  prose: 
-                    """
-                      defines and documents information security roles and responsibilities throughout
-                                        the system development life cycle;
-                    """
-                - 
-                  id:         sa-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-3(c)
-                  prose: 
-                    """
-                      identifies individuals having information security roles and responsibilities;
-                                        and
-                    """
-                - 
-                  id:         sa-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-3(d)
-                  prose: 
-                    """
-                      integrates the organizational information security risk management process into
-                                        system development life cycle activities.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the integration of information security into the system
-                                        development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy/program documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with information security and system life cycle
-                                        development responsibilities\n\norganizational personnel with information security risk management
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into
-                                        the SDLC\n\nautomated mechanisms supporting and/or implementing the SDLC
-                    """
-        - 
-          id:         sa-4
-          class:      SP800-53
-          title:      Acquisition Process
-          properties: 
-            - 
-              name:  label
-              value: SA-4
-            - 
-              name:  sort-id
-              value: sa-04
-          links: 
-            - 
-              href: #ad733a42-a7ed-4774-b988-4930c28852f3
-              rel:  reference
-              text: HSPD-12
-            - 
-              href: #1737a687-52fb-4008-b900-cbfa836f7b65
-              rel:  reference
-              text: ISO/IEC 15408
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #c80c10b3-1294-4984-a4cc-d1733ca432b9
-              rel:  reference
-              text: FIPS Publication 201
-            - 
-              href: #0a5db899-f033-467f-8631-f5a8ba971475
-              rel:  reference
-              text: NIST Special Publication 800-23
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-            - 
-              href: #d818efd3-db31-4953-8afa-9e76afe83ce2
-              rel:  reference
-              text: NIST Special Publication 800-36
-            - 
-              href: #0a0c26b6-fd44-4274-8b36-93442d49d998
-              rel:  reference
-              text: NIST Special Publication 800-37
-            - 
-              href: #abd950ae-092f-4b7a-b374-1c7c67fe9350
-              rel:  reference
-              text: NIST Special Publication 800-64
-            - 
-              href: #84a37532-6db6-477b-9ea8-f9085ebca0fc
-              rel:  reference
-              text: NIST Special Publication 800-70
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-            - 
-              href: #56d671da-6b7b-4abf-8296-84b61980390a
-              rel:  reference
-              text: Federal Acquisition Regulation
-            - 
-              href: #c95a9986-3cd6-4a98-931b-ccfc56cb11e5
-              rel:  reference
-              text: http://www.niap-ccevs.org
-            - 
-              href: #5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-              rel:  reference
-              text: http://fips201ep.cio.gov
-            - 
-              href: #bbd50dd1-54ce-4432-959d-63ea564b1bb4
-              rel:  reference
-              text: http://www.acquisition.gov/far
-          parts: 
-            - 
-              id:    sa-4_smt
-              name:  statement
-              prose: 
-                """
-                  The organization includes the following requirements, descriptions, and criteria,
-                                 explicitly or by reference, in the acquisition contract for the information system,
-                                 system component, or information system service in accordance with applicable federal
-                                 laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-                                 organizational mission/business needs:
-                """
-              parts: 
-                - 
-                  id:         sa-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Security functional requirements;
-                - 
-                  id:         sa-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Security strength requirements;
-                - 
-                  id:         sa-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Security assurance requirements;
-                - 
-                  id:         sa-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Security-related documentation requirements;
-                - 
-                  id:         sa-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Requirements for protecting security-related documentation;
-                - 
-                  id:         sa-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Description of the information system development environment and environment in
-                                        which the system is intended to operate; and
-                    """
-                - 
-                  id:         sa-4_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose:      Acceptance criteria.
-                - 
-                  id:    sa-4_fr
-                  name:  item
-                  title: SA-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sa-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html).
-            - 
-              id:    sa-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system components are discrete, identifiable information technology
-                                 assets (e.g., hardware, software, or firmware) that represent the building blocks of
-                                 an information system. Information system components include commercial information
-                                 technology products. Security functional requirements include security capabilities,
-                                 security functions, and security mechanisms. Security strength requirements
-                                 associated with such capabilities, functions, and mechanisms include degree of
-                                 correctness, completeness, resistance to direct attack, and resistance to tampering
-                                 or bypass. Security assurance requirements include: (i) development processes,
-                                 procedures, practices, and methodologies; and (ii) evidence from development and
-                                 assessment activities providing grounds for confidence that the required security
-                                 functionality has been implemented and the required security strength has been
-                                 achieved. Security documentation requirements address all phases of the system
-                                 development life cycle. Security functionality, assurance, and documentation
-                                 requirements are expressed in terms of security controls and control enhancements
-                                 that have been selected through the tailoring process. The security control tailoring
-                                 process includes, for example, the specification of parameter values through the use
-                                 of assignment and selection statements and the specification of platform dependencies
-                                 and implementation information. Security documentation provides user and
-                                 administrator guidance regarding the implementation and operation of security
-                                 controls. The level of detail required in security documentation is based on the
-                                 security category or classification level of the information system and the degree to
-                                 which organizations depend on the stated security capability, functions, or
-                                 mechanisms to meet overall risk response expectations (as defined in the
-                                 organizational risk management strategy). Security requirements can also include
-                                 organizationally mandated configuration settings specifying allowed functions, ports,
-                                 protocols, and services. Acceptance criteria for information systems, information
-                                 system components, and information system services are defined in the same manner as
-                                 such criteria for any organizational acquisition or procurement. The Federal
-                                 Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-                                 from FISMA.
-                """
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-            - 
-              id:    sa-4_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization includes the following requirements, descriptions, and
-                                 criteria, explicitly or by reference, in the acquisition contracts for the
-                                 information system, system component, or information system service in accordance
-                                 with applicable federal laws, Executive Orders, directives, policies, regulations,
-                                 standards, guidelines, and organizational mission/business needs:
-                """
-              parts: 
-                - 
-                  id:         sa-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(a)
-                  prose:      security functional requirements;
-                - 
-                  id:         sa-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(b)
-                  prose:      security strength requirements;
-                - 
-                  id:         sa-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(c)
-                  prose:      security assurance requirements;
-                - 
-                  id:         sa-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(d)
-                  prose:      security-related documentation requirements;
-                - 
-                  id:         sa-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(e)
-                  prose:      requirements for protecting security-related documentation;
-                - 
-                  id:         sa-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(f)
-                  prose:      description of:
-                  parts: 
-                    - 
-                      id:         sa-4.f_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(f)[1]
-                      prose:      the information system development environment;
-                    - 
-                      id:         sa-4.f_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(f)[2]
-                      prose:      the environment in which the system is intended to operate; and
-                - 
-                  id:         sa-4.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-4(g)
-                  prose:      acceptance criteria.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                        descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\ninformation system design documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security functional, strength, and assurance requirements\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for determining information system security functional,
-                                        strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and/or implementing acquisitions and inclusion of
-                                        security requirements in contracts
-                    """
-          controls: 
-            - 
-              id:         sa-4.1
-              class:      SP800-53-enhancement
-              title:      Functional Properties of Security Controls
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(1)
-                - 
-                  name:  sort-id
-                  value: sa-04.01
-              parts: 
-                - 
-                  id:    sa-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to provide a description of the
-                                        functional properties of the security controls to be employed.
-                    """
-                - 
-                  id:    sa-4.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Functional properties of security controls describe the functionality (i.e.,
-                                        security capability, functions, or mechanisms) visible at the interfaces of the
-                                        controls and specifically exclude functionality and data structures internal to
-                                        the operation of the controls.
-                    """
-                  links: 
-                    - 
-                      href: #sa-5
-                      rel:  related
-                      text: SA-5
-                - 
-                  id:         sa-4.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to provide a description of the
-                                        functional properties of the security controls to be employed.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or
-                                               information system services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security functional requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for determining information system security
-                                               functional, requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and/or implementing acquisitions and inclusion
-                                               of security requirements in contracts
-                        """
-            - 
-              id:         sa-4.2
-              class:      SP800-53-enhancement
-              title:      Design / Implementation Information for Security Controls
-              parameters: 
-                - 
-                  id:          sa-4.2_prm_1
-                  constraints: 
-                    - 
-                      detail: to include security-relevant external system interfaces and high-level design
-                - 
-                  id:         sa-4.2_prm_2
-                  depends-on: sa-4.2_prm_1
-                  label:      organization-defined design/implementation information
-                - 
-                  id:    sa-4.2_prm_3
-                  label: organization-defined level of detail
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(2)
-                - 
-                  name:  sort-id
-                  value: sa-04.02
-              parts: 
-                - 
-                  id:    sa-4.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to provide design and implementation
-                                        information for the security controls to be employed that includes: {{ sa-4.2_prm_1 }} at {{ sa-4.2_prm_3 }}.
-                    """
-                - 
-                  id:    sa-4.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Organizations may require different levels of detail in design and implementation
-                                        documentation for security controls employed in organizational information
-                                        systems, system components, or information system services based on
-                                        mission/business requirements, requirements for trustworthiness/resiliency, and
-                                        requirements for analysis and testing. Information systems can be partitioned into
-                                        multiple subsystems. Each subsystem within the system can contain one or more
-                                        modules. The high-level design for the system is expressed in terms of multiple
-                                        subsystems and the interfaces between subsystems providing security-relevant
-                                        functionality. The low-level design for the system is expressed in terms of
-                                        modules with particular emphasis on software and firmware (but not excluding
-                                        hardware) and the interfaces between modules providing security-relevant
-                                        functionality. Source code and hardware schematics are typically referred to as
-                                        the implementation representation of the information system.
-                    """
-                  links: 
-                    - 
-                      href: #sa-5
-                      rel:  related
-                      text: SA-5
-                - 
-                  id:    sa-4.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-4.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-4(2)[1]
-                      prose: 
-                        """
-                          defines level of detail that the developer is required to provide in design and
-                                               implementation information for the security controls to be employed in the
-                                               information system, system component, or information system service;
-                        """
-                    - 
-                      id:         sa-4.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-4(2)[2]
-                      prose: 
-                        """
-                          defines design/implementation information that the developer is to provide for
-                                               the security controls to be employed (if selected);
-                        """
-                    - 
-                      id:         sa-4.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-4(2)[3]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to provide design and implementation information for
-                                               the security controls to be employed that includes, at the organization-defined
-                                               level of detail, one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-4.2_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][a]
-                          prose:      security-relevant external system interfaces;
-                        - 
-                          id:         sa-4.2_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][b]
-                          prose:      high-level design;
-                        - 
-                          id:         sa-4.2_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][c]
-                          prose:      low-level design;
-                        - 
-                          id:         sa-4.2_obj.3.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][d]
-                          prose:      source code;
-                        - 
-                          id:         sa-4.2_obj.3.e
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][e]
-                          prose:      hardware schematics; and/or
-                        - 
-                          id:         sa-4.2_obj.3.f
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-4(2)[3][f]
-                          prose:      organization-defined design/implementation information.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system components, or
-                                               information system services\n\ndesign and implementation information for security controls employed in the
-                                               information system, system component, or information system service\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for determining level of detail for system design and
-                                               security controls\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and/or implementing development of system
-                                               design details
-                        """
-            - 
-              id:         sa-4.8
-              class:      SP800-53-enhancement
-              title:      Continuous Monitoring Plan
-              parameters: 
-                - 
-                  id:          sa-4.8_prm_1
-                  label:       organization-defined level of detail
-                  constraints: 
-                    - 
-                      detail: at least the minimum requirement as defined in control CA-7
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(8)
-                - 
-                  name:  sort-id
-                  value: sa-04.08
-              parts: 
-                - 
-                  id:    sa-4.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to produce a plan for the continuous
-                                        monitoring of security control effectiveness that contains {{ sa-4.8_prm_1 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    sa-4.8_fr
-                      name:  item
-                      title: SA-4 (8) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         sa-4.8_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      CSP must use the same security standards regardless of where the system component or information system service is acquired.
-                - 
-                  id:    sa-4.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The objective of continuous monitoring plans is to determine if the complete set
-                                        of planned, required, and deployed security controls within the information
-                                        system, system component, or information system service continue to be effective
-                                        over time based on the inevitable changes that occur. Developer continuous
-                                        monitoring plans include a sufficient level of detail such that the information
-                                        can be incorporated into the continuous monitoring strategies and programs
-                                        implemented by organizations.
-                    """
-                  links: 
-                    - 
-                      href: #ca-7
-                      rel:  related
-                      text: CA-7
-                - 
-                  id:    sa-4.8_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-4.8_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-4(8)[1]
-                      prose: 
-                        """
-                          defines the level of detail the developer of the information system, system
-                                               component, or information system service is required to provide when producing
-                                               a plan for the continuous monitoring of security control effectiveness; and
-                        """
-                    - 
-                      id:         sa-4.8_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-4(8)[2]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to produce a plan for the continuous monitoring of
-                                               security control effectiveness that contains the organization-defined level of
-                                               detail.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing developer continuous monitoring plans\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\ndeveloper continuous monitoring plans\n\nsecurity assessment plans\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice-level agreements\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Vendor processes for continuous monitoring\n\nautomated mechanisms supporting and/or implementing developer continuous
-                                               monitoring
-                        """
-            - 
-              id:         sa-4.9
-              class:      SP800-53-enhancement
-              title:      Functions / Ports / Protocols / Services in Use
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(9)
-                - 
-                  name:  sort-id
-                  value: sa-04.09
-              parts: 
-                - 
-                  id:    sa-4.9_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to identify early in the system
-                                        development life cycle, the functions, ports, protocols, and services intended for
-                                        organizational use.
-                    """
-                - 
-                  id:    sa-4.9_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The identification of functions, ports, protocols, and services early in the
-                                        system development life cycle (e.g., during the initial requirements definition
-                                        and design phases) allows organizations to influence the design of the information
-                                        system, information system component, or information system service. This early
-                                        involvement in the life cycle helps organizations to avoid or minimize the use of
-                                        functions, ports, protocols, or services that pose unnecessarily high risks and
-                                        understand the trade-offs involved in blocking specific ports, protocols, or
-                                        services (or when requiring information system service providers to do so). Early
-                                        identification of functions, ports, protocols, and services avoids costly
-                                        retrofitting of security controls after the information system, system component,
-                                        or information system service has been implemented. SA-9 describes requirements
-                                        for external information system services with organizations identifying which
-                                        functions, ports, protocols, and services are provided from external sources.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                    - 
-                      href: #sa-9
-                      rel:  related
-                      text: SA-9
-                - 
-                  id:    sa-4.9_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to identify early in the system
-                                        development life cycle:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-4.9_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: SA-4(9)[1]
-                      prose:      the functions intended for organizational use;
-                    - 
-                      id:         sa-4.9_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(9)[2]
-                      prose:      the ports intended for organizational use;
-                    - 
-                      id:         sa-4.9_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(9)[3]
-                      prose:      the protocols intended for organizational use; and
-                    - 
-                      id:         sa-4.9_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-4(9)[4]
-                      prose:      the services intended for organizational use.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\ninformation system design documentation\n\ninformation system documentation including functions, ports, protocols, and
-                                               services intended for organizational use\n\nacquisition contracts for information systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice-level agreements\n\norganizational security requirements, descriptions, and criteria for developers
-                                               of information systems, system components, and information system services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\nsystem/network administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                               system\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                        """
-            - 
-              id:         sa-4.10
-              class:      SP800-53-enhancement
-              title:      Use of Approved PIV Products
-              properties: 
-                - 
-                  name:  label
-                  value: SA-4(10)
-                - 
-                  name:  sort-id
-                  value: sa-04.10
-              parts: 
-                - 
-                  id:    sa-4.10_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs only information technology products on the FIPS
-                                        201-approved products list for Personal Identity Verification (PIV) capability
-                                        implemented within organizational information systems.
-                    """
-                - 
-                  id:    sa-4.10_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #ia-2
-                      rel:  related
-                      text: IA-2
-                    - 
-                      href: #ia-8
-                      rel:  related
-                      text: IA-8
-                - 
-                  id:         sa-4.10_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs only information technology products on the
-                                        FIPS 201-approved products list for Personal Identity Verification (PIV)
-                                        capability implemented within organizational information systems. 
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing the integration of information security requirements,
-                                               descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nservice-level agreements\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                               security requirements\n\norganizational personnel with responsibility for ensuring only FIPS
-                                               201-approved products are implemented\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for selecting and employing FIPS 201-approved
-                                               products
-                        """
-        - 
-          id:         sa-5
-          class:      SP800-53
-          title:      Information System Documentation
-          parameters: 
-            - 
-              id:    sa-5_prm_1
-              label: organization-defined actions
-            - 
-              id:    sa-5_prm_2
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: SA-5
-            - 
-              name:  sort-id
-              value: sa-05
-          parts: 
-            - 
-              id:    sa-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Obtains administrator documentation for the information system, system component,
-                                        or information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Secure configuration, installation, and operation of the system, component, or
-                                               service;
-                        """
-                    - 
-                      id:         sa-5_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Effective use and maintenance of security functions/mechanisms; and
-                    - 
-                      id:         sa-5_smt.a.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                                               privileged) functions;
-                        """
-                - 
-                  id:         sa-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Obtains user documentation for the information system, system component, or
-                                        information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          User-accessible security functions/mechanisms and how to effectively use those
-                                               security functions/mechanisms;
-                        """
-                    - 
-                      id:         sa-5_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Methods for user interaction, which enables individuals to use the system,
-                                               component, or service in a more secure manner; and
-                        """
-                    - 
-                      id:         sa-5_smt.b.3
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 3.
-                      prose: 
-                        """
-                          User responsibilities in maintaining the security of the system, component, or
-                                               service;
-                        """
-                - 
-                  id:         sa-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Documents attempts to obtain information system, system component, or information
-                                        system service documentation when such documentation is either unavailable or
-                                        nonexistent and takes {{ sa-5_prm_1 }} in response;
-                    """
-                - 
-                  id:         sa-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects documentation as required, in accordance with the risk management
-                                        strategy; and
-                    """
-                - 
-                  id:         sa-5_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Distributes documentation to {{ sa-5_prm_2 }}.
-            - 
-              id:    sa-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control helps organizational personnel understand the implementation and
-                                 operation of security controls associated with information systems, system
-                                 components, and information system services. Organizations consider establishing
-                                 specific measures to determine the quality/completeness of the content provided. The
-                                 inability to obtain needed documentation may occur, for example, due to the age of
-                                 the information system/component or lack of support from developers and contractors.
-                                 In those situations, organizations may need to recreate selected documentation if
-                                 such documentation is essential to the effective implementation or operation of
-                                 security controls. The level of protection provided for selected information system,
-                                 component, or service documentation is commensurate with the security category or
-                                 classification of the system. For example, documentation associated with a key DoD
-                                 weapons system or command and control system would typically require a higher level
-                                 of protection than a routine administrative system. Documentation that addresses
-                                 information system vulnerabilities may also require an increased level of protection.
-                                 Secure operation of the information system, includes, for example, initially starting
-                                 the system and resuming secure system operation after any lapse in system
-                                 operation.
-                """
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #pl-2
-                  rel:  related
-                  text: PL-2
-                - 
-                  href: #pl-4
-                  rel:  related
-                  text: PL-4
-                - 
-                  href: #ps-2
-                  rel:  related
-                  text: PS-2
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-            - 
-              id:    sa-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-5(a)
-                  prose: 
-                    """
-                      obtains administrator documentation for the information system, system component,
-                                        or information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(1)
-                      parts: 
-                        - 
-                          id:         sa-5.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[1]
-                          prose:      secure configuration of the system, system component, or service;
-                        - 
-                          id:         sa-5.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[2]
-                          prose:      secure installation of the system, system component, or service;
-                        - 
-                          id:         sa-5.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(1)[3]
-                          prose:      secure operation of the system, system component, or service;
-                    - 
-                      id:         sa-5.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(2)
-                      parts: 
-                        - 
-                          id:         sa-5.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(2)[1]
-                          prose:      effective use of the security features/mechanisms;
-                        - 
-                          id:         sa-5.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(a)(2)[2]
-                          prose:      effective maintenance of the security features/mechanisms;
-                    - 
-                      id:         sa-5.a.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(a)(3)
-                      prose: 
-                        """
-                          known vulnerabilities regarding configuration and use of administrative (i.e.,
-                                               privileged) functions;
-                        """
-                - 
-                  id:         sa-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SA-5(b)
-                  prose: 
-                    """
-                      obtains user documentation for the information system, system component, or
-                                        information system service that describes:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-5.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(1)
-                      parts: 
-                        - 
-                          id:         sa-5.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(b)(1)[1]
-                          prose:      user-accessible security functions/mechanisms;
-                        - 
-                          id:         sa-5.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-5(b)(1)[2]
-                          prose:      how to effectively use those functions/mechanisms;
-                    - 
-                      id:         sa-5.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(2)
-                      prose: 
-                        """
-                          methods for user interaction, which enables individuals to use the system,
-                                               component, or service in a more secure manner;
-                        """
-                    - 
-                      id:         sa-5.b.3_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-5(b)(3)
-                      prose: 
-                        """
-                          user responsibilities in maintaining the security of the system, component, or
-                                               service;
-                        """
-                - 
-                  id:         sa-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(c)
-                  parts: 
-                    - 
-                      id:         sa-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-5(c)[1]
-                      prose: 
-                        """
-                          defines actions to be taken after documented attempts to obtain information
-                                               system, system component, or information system service documentation when such
-                                               documentation is either unavailable or nonexistent;
-                        """
-                    - 
-                      id:         sa-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(c)[2]
-                      prose: 
-                        """
-                          documents attempts to obtain information system, system component, or
-                                               information system service documentation when such documentation is either
-                                               unavailable or nonexistent;
-                        """
-                    - 
-                      id:         sa-5.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(c)[3]
-                      prose:      takes organization-defined actions in response;
-                - 
-                  id:         sa-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-5(d)
-                  prose: 
-                    """
-                      protects documentation as required, in accordance with the risk management
-                                        strategy;
-                    """
-                - 
-                  id:         sa-5.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-5(e)
-                  parts: 
-                    - 
-                      id:         sa-5.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-5(e)[1]
-                      prose:      defines personnel or roles to whom documentation is to be distributed; and
-                    - 
-                      id:         sa-5.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-5(e)[2]
-                      prose:      distributes documentation to organization-defined personnel or roles.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information
-                                        system documentation\n\nlist of actions to be taken in response to documented attempts to obtain
-                                        information system, system component, or information system service
-                                        documentation\n\nrisk management strategy documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and/or maintaining the information
-                                        system\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for obtaining, protecting, and distributing information
-                                        system administrator and user documentation
-                    """
-        - 
-          id:         sa-8
-          class:      SP800-53
-          title:      Security Engineering Principles
-          properties: 
-            - 
-              name:  label
-              value: SA-8
-            - 
-              name:  sort-id
-              value: sa-08
-          links: 
-            - 
-              href: #21b1ed35-56d2-40a8-bdfe-b461fffe322f
-              rel:  reference
-              text: NIST Special Publication 800-27
-          parts: 
-            - 
-              id:    sa-8_smt
-              name:  statement
-              prose: 
-                """
-                  The organization applies information system security engineering principles in the
-                                 specification, design, development, implementation, and modification of the
-                                 information system.
-                """
-            - 
-              id:    sa-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations apply security engineering principles primarily to new development
-                                 information systems or systems undergoing major upgrades. For legacy systems,
-                                 organizations apply security engineering principles to system upgrades and
-                                 modifications to the extent feasible, given the current state of hardware, software,
-                                 and firmware within those systems. Security engineering principles include, for
-                                 example: (i) developing layered protections; (ii) establishing sound security policy,
-                                 architecture, and controls as the foundation for design; (iii) incorporating security
-                                 requirements into the system development life cycle; (iv) delineating physical and
-                                 logical security boundaries; (v) ensuring that system developers are trained on how
-                                 to build secure software; (vi) tailoring security controls to meet organizational and
-                                 operational needs; (vii) performing threat modeling to identify use cases, threat
-                                 agents, attack vectors, and attack patterns as well as compensating controls and
-                                 design patterns needed to mitigate risk; and (viii) reducing risk to acceptable
-                                 levels, thus enabling informed risk management decisions.
-                """
-              links: 
-                - 
-                  href: #pm-7
-                  rel:  related
-                  text: PM-7
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-17
-                  rel:  related
-                  text: SA-17
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:    sa-8_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization applies information system security engineering
-                                 principles in: 
-                """
-              parts: 
-                - 
-                  id:         sa-8_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-8[1]
-                  prose:      the specification of the information system;
-                - 
-                  id:         sa-8_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-8[2]
-                  prose:      the design of the information system;
-                - 
-                  id:         sa-8_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-8[3]
-                  prose:      the development of the information system;
-                - 
-                  id:         sa-8_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-8[4]
-                  prose:      the implementation of the information system; and
-                - 
-                  id:         sa-8_obj.5
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-8[5]
-                  prose:      the modification of the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing security engineering principles used in the specification,
-                                        design, development, implementation, and modification of the information
-                                        system\n\ninformation system design documentation\n\ninformation security requirements and specifications for the information
-                                        system\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with responsibility for determining information system
-                                        security requirements\n\norganizational personnel with information system specification, design,
-                                        development, implementation, and modification responsibilities\n\ninformation system developers\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for applying security engineering principles in
-                                        information system specification, design, development, implementation, and
-                                        modification\n\nautomated mechanisms supporting the application of security engineering principles
-                                        in information system specification, design, development, implementation, and
-                                        modification
-                    """
-        - 
-          id:         sa-9
-          class:      SP800-53
-          title:      External Information System Services
-          parameters: 
-            - 
-              id:          sa-9_prm_1
-              label:       organization-defined security controls
-              constraints: 
-                - 
-                  detail: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-            - 
-              id:          sa-9_prm_2
-              label:       organization-defined processes, methods, and techniques
-              constraints: 
-                - 
-                  detail: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-          properties: 
-            - 
-              name:  label
-              value: SA-9
-            - 
-              name:  sort-id
-              value: sa-09
-          links: 
-            - 
-              href: #0c775bc3-bfc3-42c7-a382-88949f503171
-              rel:  reference
-              text: NIST Special Publication 800-35
-          parts: 
-            - 
-              id:    sa-9_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sa-9_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Requires that providers of external information system services comply with
-                                        organizational information security requirements and employ {{ sa-9_prm_1 }} in accordance with applicable federal laws, Executive
-                                        Orders, directives, policies, regulations, standards, and guidance;
-                    """
-                - 
-                  id:         sa-9_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Defines and documents government oversight and user roles and responsibilities
-                                        with regard to external information system services; and
-                    """
-                - 
-                  id:         sa-9_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Employs {{ sa-9_prm_2 }} to monitor security control compliance by
-                                        external service providers on an ongoing basis.
-                    """
-            - 
-              id:    sa-9_gdn
-              name:  guidance
-              prose: 
-                """
-                  External information system services are services that are implemented outside of the
-                                 authorization boundaries of organizational information systems. This includes
-                                 services that are used by, but not a part of, organizational information systems.
-                                 FISMA and OMB policy require that organizations using external service providers that
-                                 are processing, storing, or transmitting federal information or operating information
-                                 systems on behalf of the federal government ensure that such providers meet the same
-                                 security requirements that federal agencies are required to meet. Organizations
-                                 establish relationships with external service providers in a variety of ways
-                                 including, for example, through joint ventures, business partnerships, contracts,
-                                 interagency agreements, lines of business arrangements, licensing agreements, and
-                                 supply chain exchanges. The responsibility for managing risks from the use of
-                                 external information system services remains with authorizing officials. For services
-                                 external to organizations, a chain of trust requires that organizations establish and
-                                 retain a level of confidence that each participating provider in the potentially
-                                 complex consumer-provider relationship provides adequate protection for the services
-                                 rendered. The extent and nature of this chain of trust varies based on the
-                                 relationships between organizations and the external providers. Organizations
-                                 document the basis for trust relationships so the relationships can be monitored over
-                                 time. External information system services documentation includes government, service
-                                 providers, end user security roles and responsibilities, and service-level
-                                 agreements. Service-level agreements define expectations of performance for security
-                                 controls, describe measurable outcomes, and identify remedies and response
-                                 requirements for identified instances of noncompliance.
-                """
-              links: 
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #ir-7
-                  rel:  related
-                  text: IR-7
-                - 
-                  href: #ps-7
-                  rel:  related
-                  text: PS-7
-            - 
-              id:    sa-9_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-9.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(a)
-                  parts: 
-                    - 
-                      id:         sa-9.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[1]
-                      prose: 
-                        """
-                          defines security controls to be employed by providers of external information
-                                               system services;
-                        """
-                    - 
-                      id:         sa-9.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[2]
-                      prose: 
-                        """
-                          requires that providers of external information system services comply with
-                                               organizational information security requirements;
-                        """
-                    - 
-                      id:         sa-9.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(a)[3]
-                      prose: 
-                        """
-                          requires that providers of external information system services employ
-                                               organization-defined security controls in accordance with applicable federal
-                                               laws, Executive Orders, directives, policies, regulations, standards, and
-                                               guidance;
-                        """
-                - 
-                  id:         sa-9.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(b)
-                  parts: 
-                    - 
-                      id:         sa-9.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(b)[1]
-                      prose: 
-                        """
-                          defines and documents government oversight with regard to external information
-                                               system services;
-                        """
-                    - 
-                      id:         sa-9.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(b)[2]
-                      prose: 
-                        """
-                          defines and documents user roles and responsibilities with regard to external
-                                               information system services;
-                        """
-                - 
-                  id:         sa-9.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-9(c)
-                  parts: 
-                    - 
-                      id:         sa-9.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(c)[1]
-                      prose: 
-                        """
-                          defines processes, methods, and techniques to be employed to monitor security
-                                               control compliance by external service providers; and
-                        """
-                    - 
-                      id:         sa-9.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(c)[2]
-                      prose: 
-                        """
-                          employs organization-defined processes, methods, and techniques to monitor
-                                               security control compliance by external service providers on an ongoing
-                                               basis.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control
-                                        compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external
-                                        provider services\n\nsecurity control assessment evidence from external providers of information system
-                                        services\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring security control compliance by external
-                                        service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external
-                                        service providers on an ongoing basis
-                    """
-          controls: 
-            - 
-              id:         sa-9.1
-              class:      SP800-53-enhancement
-              title:      Risk Assessments / Organizational Approvals
-              parameters: 
-                - 
-                  id:    sa-9.1_prm_1
-                  label: organization-defined personnel or roles
-              properties: 
-                - 
-                  name:  label
-                  value: SA-9(1)
-                - 
-                  name:  sort-id
-                  value: sa-09.01
-              parts: 
-                - 
-                  id:    sa-9.1_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         sa-9.1_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose: 
-                        """
-                          Conducts an organizational assessment of risk prior to the acquisition or
-                                               outsourcing of dedicated information security services; and
-                        """
-                    - 
-                      id:         sa-9.1_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Ensures that the acquisition or outsourcing of dedicated information security
-                                               services is approved by {{ sa-9.1_prm_1 }}.
-                        """
-                - 
-                  id:    sa-9.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Dedicated information security services include, for example, incident monitoring,
-                                        analysis and response, operation of information security-related devices such as
-                                        firewalls, or key management services.
-                    """
-                  links: 
-                    - 
-                      href: #ca-6
-                      rel:  related
-                      text: CA-6
-                    - 
-                      href: #ra-3
-                      rel:  related
-                      text: RA-3
-                - 
-                  id:    sa-9.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-9.1.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(1)(a)
-                      prose: 
-                        """
-                          conducts an organizational assessment of risk prior to the acquisition or
-                                               outsourcing of dedicated information security services;
-                        """
-                      links: 
-                        - 
-                          href: #sa-9.1_smt.a
-                          rel:  corresp
-                          text: SA-9(1)(a)
-                    - 
-                      id:         sa-9.1.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-9(1)(b)
-                      parts: 
-                        - 
-                          id:         sa-9.1.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SA-9(1)(b)[1]
-                          prose: 
-                            """
-                              defines personnel or roles designated to approve the acquisition or
-                                                      outsourcing of dedicated information security services; and
-                            """
-                        - 
-                          id:         sa-9.1.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SA-9(1)(b)[2]
-                          prose: 
-                            """
-                              ensures that the acquisition or outsourcing of dedicated information
-                                                      security services is approved by organization-defined personnel or
-                                                      roles.
-                            """
-                      links: 
-                        - 
-                          href: #sa-9.1_smt.b
-                          rel:  corresp
-                          text: SA-9(1)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nrisk assessment reports\n\napproval records for acquisition or outsourcing of dedicated information
-                                               security services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information system security responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for conducting a risk assessment prior to acquiring or
-                                               outsourcing dedicated information security services\n\norganizational processes for approving the outsourcing of dedicated information
-                                               security services\n\nautomated mechanisms supporting and/or implementing risk assessment\n\nautomated mechanisms supporting and/or implementing approval processes
-                        """
-            - 
-              id:         sa-9.2
-              class:      SP800-53-enhancement
-              title:      Identification of Functions / Ports / Protocols / Services
-              parameters: 
-                - 
-                  id:          sa-9.2_prm_1
-                  label:       organization-defined external information system services
-                  constraints: 
-                    - 
-                      detail: all external systems where Federal information is processed or stored
-              properties: 
-                - 
-                  name:  label
-                  value: SA-9(2)
-                - 
-                  name:  sort-id
-                  value: sa-09.02
-              parts: 
-                - 
-                  id:    sa-9.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires providers of {{ sa-9.2_prm_1 }} to
-                                        identify the functions, ports, protocols, and other services required for the use
-                                        of such services.
-                    """
-                - 
-                  id:    sa-9.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Information from external service providers regarding the specific functions,
-                                        ports, protocols, and services used in the provision of such services can be
-                                        particularly useful when the need arises to understand the trade-offs involved in
-                                        restricting certain functions/services or blocking certain ports/protocols.
-                    """
-                  links: 
-                    - 
-                      href: #cm-7
-                      rel:  related
-                      text: CM-7
-                - 
-                  id:    sa-9.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-9.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(2)[1]
-                      prose: 
-                        """
-                          defines external information system services for which providers of such
-                                               services are to identify the functions, ports, protocols, and other services
-                                               required for the use of such services;
-                        """
-                    - 
-                      id:         sa-9.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  label
-                          value: SA-9(2)[2]
-                      prose: 
-                        """
-                          requires providers of organization-defined external information system services
-                                               to identify:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-9.2_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(2)[2][a]
-                          prose:      the functions required for the use of such services;
-                        - 
-                          id:         sa-9.2_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(2)[2][b]
-                          prose:      the ports required for the use of such services;
-                        - 
-                          id:         sa-9.2_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(2)[2][c]
-                          prose:      the protocols required for the use of such services; and
-                        - 
-                          id:         sa-9.2_obj.2.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(2)[2][d]
-                          prose:      the other services required for the use of such services.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nacquisition documentation\n\nsolicitation documentation, service-level agreements\n\norganizational security requirements and security specifications for external
-                                               service providers\n\nlist of required functions, ports, protocols, and other services\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nexternal providers of information system services
-                        """
-            - 
-              id:         sa-9.4
-              class:      SP800-53-enhancement
-              title:      Consistent Interests of Consumers and Providers
-              parameters: 
-                - 
-                  id:    sa-9.4_prm_1
-                  label: organization-defined security safeguards
-                - 
-                  id:          sa-9.4_prm_2
-                  label:       organization-defined external service providers
-                  constraints: 
-                    - 
-                      detail: all external systems where Federal information is processed or stored
-              properties: 
-                - 
-                  name:  label
-                  value: SA-9(4)
-                - 
-                  name:  sort-id
-                  value: sa-09.04
-              parts: 
-                - 
-                  id:    sa-9.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs {{ sa-9.4_prm_1 }} to ensure that the
-                                        interests of {{ sa-9.4_prm_2 }} are consistent with and reflect
-                                        organizational interests.
-                    """
-                - 
-                  id:    sa-9.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      As organizations increasingly use external service providers, the possibility
-                                        exists that the interests of the service providers may diverge from organizational
-                                        interests. In such situations, simply having the correct technical, procedural, or
-                                        operational safeguards in place may not be sufficient if the service providers
-                                        that implement and control those safeguards are not operating in a manner
-                                        consistent with the interests of the consuming organizations. Possible actions
-                                        that organizations might take to address such concerns include, for example,
-                                        requiring background checks for selected service provider personnel, examining
-                                        ownership records, employing only trustworthy service providers (i.e., providers
-                                        with which organizations have had positive experiences), and conducting
-                                        periodic/unscheduled visits to service provider facilities.
-                    """
-                - 
-                  id:    sa-9.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-9.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(4)[1]
-                      prose: 
-                        """
-                          defines external service providers whose interests are to be consistent with
-                                               and reflect organizational interests;
-                        """
-                    - 
-                      id:         sa-9.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(4)[2]
-                      prose: 
-                        """
-                          defines security safeguards to be employed to ensure that the interests of
-                                               organization-defined external service providers are consistent with and reflect
-                                               organizational interests; and
-                        """
-                    - 
-                      id:         sa-9.4_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(4)[3]
-                      prose: 
-                        """
-                          employs organization-defined security safeguards to ensure that the interests
-                                               of organization-defined external service providers are consistent with and
-                                               reflect organizational interests.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\norganizational security requirements/safeguards for external service
-                                               providers\n\npersonnel security policies for external service providers\n\nassessments performed on external service providers\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of information system services
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for defining and employing safeguards to ensure
-                                               consistent interests with external service providers\n\nautomated mechanisms supporting and/or implementing safeguards to ensure
-                                               consistent interests with external service providers
-                        """
-            - 
-              id:         sa-9.5
-              class:      SP800-53-enhancement
-              title:      Processing, Storage, and Service Location
-              parameters: 
-                - 
-                  id:          sa-9.5_prm_1
-                  constraints: 
-                    - 
-                      detail: information processing, information data, AND information services
-                - 
-                  id:    sa-9.5_prm_2
-                  label: organization-defined locations
-                - 
-                  id:    sa-9.5_prm_3
-                  label: organization-defined requirements or conditions
-              properties: 
-                - 
-                  name:  label
-                  value: SA-9(5)
-                - 
-                  name:  sort-id
-                  value: sa-09.05
-              parts: 
-                - 
-                  id:    sa-9.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization restricts the location of {{ sa-9.5_prm_1 }} to
-                                           {{ sa-9.5_prm_2 }} based on {{ sa-9.5_prm_3 }}.
-                    """
-                - 
-                  id:    sa-9.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      The location of information processing, information/data storage, or information
-                                        system services that are critical to organizations can have a direct impact on the
-                                        ability of those organizations to successfully execute their missions/business
-                                        functions. This situation exists when external providers control the location of
-                                        processing, storage or services. The criteria external providers use for the
-                                        selection of processing, storage, or service locations may be different from
-                                        organizational criteria. For example, organizations may want to ensure that
-                                        data/information storage locations are restricted to certain locations to
-                                        facilitate incident response activities (e.g., forensic analyses, after-the-fact
-                                        investigations) in case of information security breaches/compromises. Such
-                                        incident response activities may be adversely affected by the governing laws or
-                                        protocols in the locations where processing and storage occur and/or the locations
-                                        from which information system services emanate.
-                    """
-                - 
-                  id:    sa-9.5_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sa-9.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(5)[1]
-                      prose: 
-                        """
-                          defines locations where organization-defined information processing,
-                                               information/data, and/or information system services are to be restricted;
-                        """
-                    - 
-                      id:         sa-9.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-9(5)[2]
-                      prose: 
-                        """
-                          defines requirements or conditions to restrict the location of information
-                                               processing, information/data, and/or information system services;
-                        """
-                    - 
-                      id:         sa-9.5_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-9(5)[3]
-                      prose: 
-                        """
-                          restricts the location of one or more of the following to organization-defined
-                                               locations based on organization-defined requirements or conditions:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-9.5_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(5)[3][a]
-                          prose:      information processing;
-                        - 
-                          id:         sa-9.5_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(5)[3][b]
-                          prose:      information/data; and/or
-                        - 
-                          id:         sa-9.5_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-9(5)[3][c]
-                          prose:      information services.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nrestricted locations for information processing\n\ninformation/data and/or information system services\n\ninformation processing, information/data, and/or information system services to
-                                               be maintained in restricted locations\n\norganizational security requirements or conditions for external providers\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of information system services
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for defining requirements to restrict locations of
-                                               information processing, information/data, or information services\n\norganizational processes for ensuring the location is restricted in accordance
-                                               with requirements or conditions
-                        """
-        - 
-          id:         sa-10
-          class:      SP800-53
-          title:      Developer Configuration Management
-          parameters: 
-            - 
-              id:          sa-10_prm_1
-              constraints: 
-                - 
-                  detail: development, implementation, AND operation
-            - 
-              id:    sa-10_prm_2
-              label: organization-defined configuration items under configuration management
-            - 
-              id:    sa-10_prm_3
-              label: organization-defined personnel
-          properties: 
-            - 
-              name:  label
-              value: SA-10
-            - 
-              name:  sort-id
-              value: sa-10
-          links: 
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    sa-10_smt
-              name:  statement
-              prose: 
-                """
-                  The organization requires the developer of the information system, system component,
-                                 or information system service to:
-                """
-              parts: 
-                - 
-                  id:         sa-10_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Perform configuration management during system, component, or service {{ sa-10_prm_1 }};
-                - 
-                  id:         sa-10_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Document, manage, and control the integrity of changes to {{ sa-10_prm_2 }};
-                - 
-                  id:         sa-10_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Implement only organization-approved changes to the system, component, or
-                                        service;
-                    """
-                - 
-                  id:         sa-10_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Document approved changes to the system, component, or service and the potential
-                                        security impacts of such changes; and
-                    """
-                - 
-                  id:         sa-10_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Track security flaws and flaw resolution within the system, component, or service
-                                        and report findings to {{ sa-10_prm_3 }}.
-                    """
-                - 
-                  id:    sa-10_fr
-                  name:  item
-                  title: SA-10 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sa-10_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)  Requirement:
-                      prose:      For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.
-            - 
-              id:    sa-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control also applies to organizations conducting internal information systems
-                                 development and integration. Organizations consider the quality and completeness of
-                                 the configuration management activities conducted by developers as evidence of
-                                 applying effective security safeguards. Safeguards include, for example, protecting
-                                 from unauthorized modification or destruction, the master copies of all material used
-                                 to generate security-relevant portions of the system hardware, software, and
-                                 firmware. Maintaining the integrity of changes to the information system, information
-                                 system component, or information system service requires configuration control
-                                 throughout the system development life cycle to track authorized changes and prevent
-                                 unauthorized changes. Configuration items that are placed under configuration
-                                 management (if existence/use is required by other security controls) include: the
-                                 formal model; the functional, high-level, and low-level design specifications; other
-                                 design data; implementation documentation; source code and hardware schematics; the
-                                 running version of the object code; tools for comparing new versions of
-                                 security-relevant hardware descriptions and software/firmware source code with
-                                 previous versions; and test fixtures and documentation. Depending on the
-                                 mission/business needs of organizations and the nature of the contractual
-                                 relationships in place, developers may provide configuration management support
-                                 during the operations and maintenance phases of the life cycle.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #cm-9
-                  rel:  related
-                  text: CM-9
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    sa-10_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-10.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-10(a)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to perform configuration management during one or more of the
-                                        following:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-10.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(a)[1]
-                      prose:      system, component, or service design;
-                    - 
-                      id:         sa-10.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(a)[2]
-                      prose:      system, component, or service development;
-                    - 
-                      id:         sa-10.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(a)[3]
-                      prose:      system, component, or service implementation; and/or
-                    - 
-                      id:         sa-10.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(a)[4]
-                      prose:      system, component, or service operation;
-                - 
-                  id:         sa-10.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-10(b)
-                  parts: 
-                    - 
-                      id:         sa-10.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-10(b)[1]
-                      prose:      defines configuration items to be placed under configuration management;
-                    - 
-                      id:         sa-10.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-10(b)[2]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-10.b_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(b)[2][a]
-                          prose: 
-                            """
-                              document the integrity of changes to organization-defined items under
-                                                      configuration management;
-                            """
-                        - 
-                          id:         sa-10.b_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(b)[2][b]
-                          prose: 
-                            """
-                              manage the integrity of changes to organization-defined items under
-                                                      configuration management;
-                            """
-                        - 
-                          id:         sa-10.b_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(b)[2][c]
-                          prose: 
-                            """
-                              control the integrity of changes to organization-defined items under
-                                                      configuration management;
-                            """
-                - 
-                  id:         sa-10.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-10(c)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to implement only organization-approved changes to the system,
-                                        component, or service;
-                    """
-                - 
-                  id:         sa-10.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-10(d)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to document:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-10.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(d)[1]
-                      prose:      approved changes to the system, component, or service;
-                    - 
-                      id:         sa-10.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-10(d)[2]
-                      prose:      the potential security impacts of such changes;
-                - 
-                  id:         sa-10.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-10(e)
-                  parts: 
-                    - 
-                      id:         sa-10.e_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-10(e)[1]
-                      prose: 
-                        """
-                          defines personnel to whom findings, resulting from security flaws and flaw
-                                               resolution tracked within the system, component, or service, are to be
-                                               reported;
-                        """
-                    - 
-                      id:         sa-10.e_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-10(e)[2]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-10.e_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(e)[2][a]
-                          prose:      track security flaws within the system, component, or service;
-                        - 
-                          id:         sa-10.e_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(e)[2][b]
-                          prose: 
-                            """
-                              track security flaw resolution within the system, component, or service;
-                                                      and
-                            """
-                        - 
-                          id:         sa-10.e_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-10(e)[2][c]
-                          prose:      report findings to organization-defined personnel.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring developer configuration management\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                        configuration management
-                    """
-          controls: 
-            - 
-              id:         sa-10.1
-              class:      SP800-53-enhancement
-              title:      Software / Firmware Integrity Verification
-              properties: 
-                - 
-                  name:  label
-                  value: SA-10(1)
-                - 
-                  name:  sort-id
-                  value: sa-10.01
-              parts: 
-                - 
-                  id:    sa-10.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to enable integrity verification of
-                                        software and firmware components.
-                    """
-                - 
-                  id:    sa-10.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement allows organizations to detect unauthorized changes to
-                                        software and firmware components through the use of tools, techniques, and/or
-                                        mechanisms provided by developers. Integrity checking mechanisms can also address
-                                        counterfeiting of software and firmware components. Organizations verify the
-                                        integrity of software and firmware components, for example, through secure one-way
-                                        hashes provided by developers. Delivered software and firmware components also
-                                        include any updates to such components.
-                    """
-                  links: 
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:         sa-10.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to enable integrity verification
-                                        of software and firmware components.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system\n\nsystem component, or information system service\n\nsystem developer configuration management plan\n\nsoftware and firmware integrity verification records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring developer configuration management\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                               configuration management
-                        """
-        - 
-          id:         sa-11
-          class:      SP800-53
-          title:      Developer Security Testing and Evaluation
-          parameters: 
-            - 
-              id: sa-11_prm_1
-            - 
-              id:    sa-11_prm_2
-              label: organization-defined depth and coverage
-          properties: 
-            - 
-              name:  label
-              value: SA-11
-            - 
-              name:  sort-id
-              value: sa-11
-          links: 
-            - 
-              href: #1737a687-52fb-4008-b900-cbfa836f7b65
-              rel:  reference
-              text: ISO/IEC 15408
-            - 
-              href: #cd4cf751-3312-4a55-b1a9-fad2f1db9119
-              rel:  reference
-              text: NIST Special Publication 800-53A
-            - 
-              href: #275cc052-0f7f-423c-bdb6-ed503dc36228
-              rel:  reference
-              text: http://nvd.nist.gov
-            - 
-              href: #15522e92-9192-463d-9646-6a01982db8ca
-              rel:  reference
-              text: http://cwe.mitre.org
-            - 
-              href: #0931209f-00ae-4132-b92c-bc645847e8f9
-              rel:  reference
-              text: http://cve.mitre.org
-            - 
-              href: #4ef539ba-b767-4666-b0d3-168c53005fa3
-              rel:  reference
-              text: http://capec.mitre.org
-          parts: 
-            - 
-              id:    sa-11_smt
-              name:  statement
-              prose: 
-                """
-                  The organization requires the developer of the information system, system component,
-                                 or information system service to:
-                """
-              parts: 
-                - 
-                  id:         sa-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Create and implement a security assessment plan;
-                - 
-                  id:         sa-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Perform {{ sa-11_prm_1 }} testing/evaluation at {{ sa-11_prm_2 }};
-                - 
-                  id:         sa-11_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Produce evidence of the execution of the security assessment plan and the results
-                                        of the security testing/evaluation;
-                    """
-                - 
-                  id:         sa-11_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose:      Implement a verifiable flaw remediation process; and
-                - 
-                  id:         sa-11_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose:      Correct flaws identified during security testing/evaluation.
-            - 
-              id:    sa-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Developmental security testing/evaluation occurs at all post-design phases of the
-                                 system development life cycle. Such testing/evaluation confirms that the required
-                                 security controls are implemented correctly, operating as intended, enforcing the
-                                 desired security policy, and meeting established security requirements. Security
-                                 properties of information systems may be affected by the interconnection of system
-                                 components or changes to those components. These interconnections or changes (e.g.,
-                                 upgrading or replacing applications and operating systems) may adversely affect
-                                 previously implemented security controls. This control provides additional types of
-                                 security testing/evaluation that developers can conduct to reduce or eliminate
-                                 potential flaws. Testing custom software applications may require approaches such as
-                                 static analysis, dynamic analysis, binary analysis, or a hybrid of the three
-                                 approaches. Developers can employ these analysis approaches in a variety of tools
-                                 (e.g., web-based application scanners, static analysis tools, binary analyzers) and
-                                 in source code reviews. Security assessment plans provide the specific activities
-                                 that developers plan to carry out including the types of analyses, testing,
-                                 evaluation, and reviews of software and firmware components, the degree of rigor to
-                                 be applied, and the types of artifacts produced during those processes. The depth of
-                                 security testing/evaluation refers to the rigor and level of detail associated with
-                                 the assessment process (e.g., black box, gray box, or white box testing). The
-                                 coverage of security testing/evaluation refers to the scope (i.e., number and type)
-                                 of the artifacts included in the assessment process. Contracts specify the acceptance
-                                 criteria for security assessment plans, flaw remediation processes, and the evidence
-                                 that the plans/processes have been diligently applied. Methods for reviewing and
-                                 protecting assessment plans, evidence, and documentation are commensurate with the
-                                 security category or classification level of the information system. Contracts may
-                                 specify documentation protection requirements.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #cm-4
-                  rel:  related
-                  text: CM-4
-                - 
-                  href: #sa-3
-                  rel:  related
-                  text: SA-3
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    sa-11_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sa-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-11(a)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to create and implement a security plan;
-                    """
-                - 
-                  id:         sa-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SA-11(b)
-                  parts: 
-                    - 
-                      id:         sa-11.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-11(b)[1]
-                      prose: 
-                        """
-                          defines the depth of testing/evaluation to be performed by the developer of the
-                                               information system, system component, or information system service;
-                        """
-                    - 
-                      id:         sa-11.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SA-11(b)[2]
-                      prose: 
-                        """
-                          defines the coverage of testing/evaluation to be performed by the developer of
-                                               the information system, system component, or information system service;
-                        """
-                    - 
-                      id:         sa-11.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-11(b)[3]
-                      prose: 
-                        """
-                          requires the developer of the information system, system component, or
-                                               information system service to perform one or more of the following
-                                               testing/evaluation at the organization-defined depth and coverage:
-                        """
-                      parts: 
-                        - 
-                          id:         sa-11.b_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-11(b)[3][a]
-                          prose:      unit testing/evaluation;
-                        - 
-                          id:         sa-11.b_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-11(b)[3][b]
-                          prose:      integration testing/evaluation;
-                        - 
-                          id:         sa-11.b_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-11(b)[3][c]
-                          prose:      system testing/evaluation; and/or
-                        - 
-                          id:         sa-11.b_obj.3.d
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SA-11(b)[3][d]
-                          prose:      regression testing/evaluation;
-                - 
-                  id:         sa-11.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-11(c)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to produce evidence of:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-11.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-11(c)[1]
-                      prose:      the execution of the security assessment plan;
-                    - 
-                      id:         sa-11.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-11(c)[2]
-                      prose:      the results of the security testing/evaluation;
-                - 
-                  id:         sa-11.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-11(d)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to implement a verifiable flaw remediation process; and
-                    """
-                - 
-                  id:         sa-11.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SA-11(e)
-                  prose: 
-                    """
-                      requires the developer of the information system, system component, or information
-                                        system service to correct flaws identified during security testing/evaluation.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information
-                                        system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the information system, system
-                                        component, or information system service\n\nsecurity flaw and remediation tracking records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for monitoring developer security testing and
-                                        evaluation\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                        security testing and evaluation
-                    """
-          controls: 
-            - 
-              id:         sa-11.1
-              class:      SP800-53-enhancement
-              title:      Static Code Analysis
-              properties: 
-                - 
-                  name:  label
-                  value: SA-11(1)
-                - 
-                  name:  sort-id
-                  value: sa-11.01
-              parts: 
-                - 
-                  id:    sa-11.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to employ static code analysis tools to
-                                        identify common flaws and document the results of the analysis.
-                    """
-                  parts: 
-                    - 
-                      id:    sa-11.1_fr
-                      name:  item
-                      title: SA-11 (1) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         sa-11.1_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-                - 
-                  id:    sa-11.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Static code analysis provides a technology and methodology for security reviews.
-                                        Such analysis can be used to identify security vulnerabilities and enforce
-                                        security coding practices. Static code analysis is most effective when used early
-                                        in the development process, when each code change can be automatically scanned for
-                                        potential weaknesses. Static analysis can provide clear remediation guidance along
-                                        with defects to enable developers to fix such defects. Evidence of correct
-                                        implementation of static analysis can include, for example, aggregate defect
-                                        density for critical defect types, evidence that defects were inspected by
-                                        developers or security professionals, and evidence that defects were fixed. An
-                                        excessively high density of ignored findings (commonly referred to as ignored or
-                                        false positives) indicates a potential problem with the analysis process or tool.
-                                        In such cases, organizations weigh the validity of the evidence against evidence
-                                        from other sources.
-                    """
-                - 
-                  id:         sa-11.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to employ static code analysis
-                                        tools to identify common flaws and document the results of the analysis.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsystem developer security test plans\n\nsystem developer security testing results\n\nsecurity flaw and remediation tracking records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring developer security testing and
-                                               evaluation\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                               security testing and evaluation\n\nstatic code analysis tools
-                        """
-            - 
-              id:         sa-11.2
-              class:      SP800-53-enhancement
-              title:      Threat and Vulnerability Analyses
-              properties: 
-                - 
-                  name:  label
-                  value: SA-11(2)
-                - 
-                  name:  sort-id
-                  value: sa-11.02
-              parts: 
-                - 
-                  id:    sa-11.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to perform threat and vulnerability
-                                        analyses and subsequent testing/evaluation of the as-built system, component, or
-                                        service.
-                    """
-                - 
-                  id:    sa-11.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Applications may deviate significantly from the functional and design
-                                        specifications created during the requirements and design phases of the system
-                                        development life cycle. Therefore, threat and vulnerability analyses of
-                                        information systems, system components, and information system services prior to
-                                        delivery are critical to the effective operation of those systems, components, and
-                                        services. Threat and vulnerability analyses at this phase of the life cycle help
-                                        to ensure that design or implementation changes have been accounted for, and that
-                                        any new vulnerabilities created as a result of those changes have been reviewed
-                                        and mitigated.
-                    """
-                  links: 
-                    - 
-                      href: #pm-15
-                      rel:  related
-                      text: PM-15
-                    - 
-                      href: #ra-5
-                      rel:  related
-                      text: RA-5
-                - 
-                  id:    sa-11.2_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to perform:
-                    """
-                  parts: 
-                    - 
-                      id:         sa-11.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SA-11(2)[1]
-                      prose:      threat analyses of the as-built, system component, or service;
-                    - 
-                      id:         sa-11.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-11(2)[2]
-                      prose:      vulnerability analyses of the as-built, system component, or service; and
-                    - 
-                      id:         sa-11.2_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SA-11(2)[3]
-                      prose: 
-                        """
-                          subsequent testing/evaluation of the as-built, system component, or
-                                               service.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the information system,
-                                               system component, or information system service\n\nvulnerability scanning results\n\ninformation system risk assessment reports\n\nthreat and vulnerability analysis reports\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring developer security testing and
-                                               evaluation\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                               security testing and evaluation
-                        """
-            - 
-              id:         sa-11.8
-              class:      SP800-53-enhancement
-              title:      Dynamic Code Analysis
-              properties: 
-                - 
-                  name:  label
-                  value: SA-11(8)
-                - 
-                  name:  sort-id
-                  value: sa-11.08
-              parts: 
-                - 
-                  id:    sa-11.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization requires the developer of the information system, system
-                                        component, or information system service to employ dynamic code analysis tools to
-                                        identify common flaws and document the results of the analysis.
-                    """
-                  parts: 
-                    - 
-                      id:    sa-11.8_fr
-                      name:  item
-                      title: SA-11 (8) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         sa-11.8_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-                - 
-                  id:    sa-11.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Dynamic code analysis provides run-time verification of software programs, using
-                                        tools capable of monitoring programs for memory corruption, user privilege issues,
-                                        and other potential security problems. Dynamic code analysis employs run-time
-                                        tools to help to ensure that security functionality performs in the manner in
-                                        which it was designed. A specialized type of dynamic analysis, known as fuzz
-                                        testing, induces program failures by deliberately introducing malformed or random
-                                        data into software programs. Fuzz testing strategies derive from the intended use
-                                        of applications and the functional and design specifications for the applications.
-                                        To understand the scope of dynamic code analysis and hence the assurance provided,
-                                        organizations may also consider conducting code coverage analysis (checking the
-                                        degree to which the code has been tested using metrics such as percent of
-                                        subroutines tested or percent of program statements called during execution of the
-                                        test suite) and/or concordance analysis (checking for words that are out of place
-                                        in software code such as non-English language words or derogatory terms).
-                    """
-                - 
-                  id:         sa-11.8_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization requires the developer of the information system,
-                                        system component, or information system service to employ dynamic code analysis
-                                        tools to identify common flaws and document the results of the analysis.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or
-                                               information system service\n\nsystem developer security test and evaluation plans\n\nsecurity test and evaluation results\n\nsecurity flaw and remediation tracking reports\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with system and services acquisition
-                                               responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for monitoring developer security testing and
-                                               evaluation\n\nautomated mechanisms supporting and/or implementing the monitoring of developer
-                                               security testing and evaluation
-                        """
-    - 
-      id:       sc
-      class:    family
-      title:    System and Communications Protection
-      controls: 
-        - 
-          id:         sc-1
-          class:      SP800-53
-          title:      System and Communications Protection Policy and Procedures
-          parameters: 
-            - 
-              id:    sc-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          sc-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          sc-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SC-1
-            - 
-              name:  sort-id
-              value: sc-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    sc-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sc-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ sc-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         sc-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and communications protection policy that addresses purpose, scope,
-                                               roles, responsibilities, management commitment, coordination among
-                                               organizational entities, and compliance; and
-                        """
-                    - 
-                      id:         sc-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and communications
-                                               protection policy and associated system and communications protection controls;
-                                               and
-                        """
-                - 
-                  id:         sc-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         sc-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          System and communications protection policy {{ sc-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         sc-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and communications protection procedures {{ sc-1_prm_3 }}.
-            - 
-              id:    sc-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SC
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    sc-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-1(a)
-                  parts: 
-                    - 
-                      id:         sc-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(a)(1)
-                      parts: 
-                        - 
-                          id:         sc-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and communications protection policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         sc-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         sc-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         sc-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         sc-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         sc-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         sc-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         sc-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SC-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         sc-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and communications protection
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         sc-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SC-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and communications protection policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         sc-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(a)(2)
-                      parts: 
-                        - 
-                          id:         sc-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and communications protection policy and associated system and
-                                                      communications protection controls;
-                            """
-                        - 
-                          id:         sc-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         sc-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SC-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         sc-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-1(b)
-                  parts: 
-                    - 
-                      id:         sc-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(b)(1)
-                      parts: 
-                        - 
-                          id:         sc-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      communications protection policy;
-                            """
-                        - 
-                          id:         sc-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and communications protection policy
-                                                      with the organization-defined frequency;
-                            """
-                    - 
-                      id:         sc-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-1(b)(2)
-                      parts: 
-                        - 
-                          id:         sc-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      communications protection procedures; and
-                            """
-                        - 
-                          id:         sc-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and communications protection
-                                                      procedures with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and communications protection
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         sc-2
-          class:      SP800-53
-          title:      Application Partitioning
-          properties: 
-            - 
-              name:  label
-              value: SC-2
-            - 
-              name:  sort-id
-              value: sc-02
-          parts: 
-            - 
-              id:    sc-2_smt
-              name:  statement
-              prose: 
-                """
-                  The information system separates user functionality (including user interface
-                                 services) from information system management functionality.
-                """
-            - 
-              id:    sc-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system management functionality includes, for example, functions
-                                 necessary to administer databases, network components, workstations, or servers, and
-                                 typically requires privileged user access. The separation of user functionality from
-                                 information system management functionality is either physical or logical.
-                                 Organizations implement separation of system management-related functionality from
-                                 user functionality by using different computers, different central processing units,
-                                 different instances of operating systems, different network addresses, virtualization
-                                 techniques, or combinations of these or other methods, as appropriate. This type of
-                                 separation includes, for example, web administrative interfaces that use separate
-                                 authentication methods for users of any other information system resources.
-                                 Separation of system and user functionality may include isolating administrative
-                                 interfaces on different domains and with additional access controls.
-                """
-              links: 
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:         sc-2_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system separates user functionality (including user
-                                 interface services) from information system management functionality.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing application partitioning\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Separation of user functionality from information system management
-                                        functionality
-                    """
-        - 
-          id:         sc-4
-          class:      SP800-53
-          title:      Information in Shared Resources
-          properties: 
-            - 
-              name:  label
-              value: SC-4
-            - 
-              name:  sort-id
-              value: sc-04
-          parts: 
-            - 
-              id:    sc-4_smt
-              name:  statement
-              prose: 
-                """
-                  The information system prevents unauthorized and unintended information transfer via
-                                 shared system resources.
-                """
-            - 
-              id:    sc-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control prevents information, including encrypted representations of
-                                 information, produced by the actions of prior users/roles (or the actions of
-                                 processes acting on behalf of prior users/roles) from being available to any current
-                                 users/roles (or current processes) that obtain access to shared system resources
-                                 (e.g., registers, main memory, hard disks) after those resources have been released
-                                 back to information systems. The control of information in shared resources is also
-                                 commonly referred to as object reuse and residual information protection. This
-                                 control does not address: (i) information remanence which refers to residual
-                                 representation of data that has been nominally erased or removed; (ii) covert
-                                 channels (including storage and/or timing channels) where shared resources are
-                                 manipulated to violate information flow restrictions; or (iii) components within
-                                 information systems for which there are only single users/roles.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #mp-6
-                  rel:  related
-                  text: MP-6
-            - 
-              id:         sc-4_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system prevents unauthorized and unintended information
-                                 transfer via shared system resources.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms preventing unauthorized and unintended transfer of
-                                        information via shared system resources
-                    """
-        - 
-          id:         sc-5
-          class:      SP800-53
-          title:      Denial of Service Protection
-          parameters: 
-            - 
-              id:    sc-5_prm_1
-              label: 
-                """
-                  organization-defined types of denial of service attacks or references to sources
-                                 for such information
-                """
-            - 
-              id:    sc-5_prm_2
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SC-5
-            - 
-              name:  sort-id
-              value: sc-05
-          parts: 
-            - 
-              id:    sc-5_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects against or limits the effects of the following types
-                                 of denial of service attacks: {{ sc-5_prm_1 }} by employing {{ sc-5_prm_2 }}.
-                """
-            - 
-              id:    sc-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  A variety of technologies exist to limit, or in some cases, eliminate the effects of
-                                 denial of service attacks. For example, boundary protection devices can filter
-                                 certain types of packets to protect information system components on internal
-                                 organizational networks from being directly affected by denial of service attacks.
-                                 Employing increased capacity and bandwidth combined with service redundancy may also
-                                 reduce the susceptibility to denial of service attacks.
-                """
-              links: 
-                - 
-                  href: #sc-6
-                  rel:  related
-                  text: SC-6
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-            - 
-              id:    sc-5_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-5_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[1]
-                  prose: 
-                    """
-                      the organization defines types of denial of service attacks or reference to source
-                                        of such information for the information system to protect against or limit the
-                                        effects;
-                    """
-                - 
-                  id:         sc-5_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[2]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be employed by the information
-                                        system to protect against or limit the effects of organization-defined types of
-                                        denial of service attacks; and
-                    """
-                - 
-                  id:         sc-5_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-5[3]
-                  prose: 
-                    """
-                      the information system protects against or limits the effects of the
-                                        organization-defined denial or service attacks (or reference to source for such
-                                        information) by employing organization-defined security safeguards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to
-                                        protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial
-                                        of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms protecting against or limiting the effects of denial of
-                                        service attacks
-                    """
-        - 
-          id:         sc-6
-          class:      SP800-53
-          title:      Resource Availability
-          parameters: 
-            - 
-              id:    sc-6_prm_1
-              label: organization-defined resources
-            - 
-              id: sc-6_prm_2
-            - 
-              id:         sc-6_prm_3
-              depends-on: sc-6_prm_2
-              label:      organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SC-6
-            - 
-              name:  sort-id
-              value: sc-06
-          parts: 
-            - 
-              id:    sc-6_smt
-              name:  statement
-              prose: The information system protects the availability of resources by allocating {{ sc-6_prm_1 }} by {{ sc-6_prm_2 }}.
-            - 
-              id:    sc-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Priority protection helps prevent lower-priority processes from delaying or
-                                 interfering with the information system servicing any higher-priority processes.
-                                 Quotas prevent users or processes from obtaining more than predetermined amounts of
-                                 resources. This control does not apply to information system components for which
-                                 there are only single users/roles.
-                """
-            - 
-              id:    sc-6_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-6_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-6[1]
-                  prose: 
-                    """
-                      the organization defines resources to be allocated to protect the availability of
-                                        resources;
-                    """
-                - 
-                  id:         sc-6_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-6[2]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be employed to protect the
-                                        availability of resources;
-                    """
-                - 
-                  id:         sc-6_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-6[3]
-                  prose: 
-                    """
-                      the information system protects the availability of resources by allocating
-                                        organization-defined resources by one or more of the following:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-6_obj.3.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-6[3][a]
-                      prose:      priority;
-                    - 
-                      id:         sc-6_obj.3.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-6[3][b]
-                      prose:      quota; and/or
-                    - 
-                      id:         sc-6_obj.3.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-6[3][c]
-                      prose:      organization-defined safeguards.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing prioritization of information system resources\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing resource allocation
-                                        capability\n\nsafeguards employed to protect availability of resources
-                    """
-        - 
-          id:         sc-7
-          class:      SP800-53
-          title:      Boundary Protection
-          parameters: 
-            - 
-              id: sc-7_prm_1
-          properties: 
-            - 
-              name:  label
-              value: SC-7
-            - 
-              name:  sort-id
-              value: sc-07
-          links: 
-            - 
-              href: #e85cdb3f-7f0a-4083-8639-f13f70d3760b
-              rel:  reference
-              text: FIPS Publication 199
-            - 
-              href: #756a8e86-57d5-4701-8382-f7a40439665a
-              rel:  reference
-              text: NIST Special Publication 800-41
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-          parts: 
-            - 
-              id:    sc-7_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-7_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Monitors and controls communications at the external boundary of the system and at
-                                        key internal boundaries within the system;
-                    """
-                - 
-                  id:         sc-7_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Implements subnetworks for publicly accessible system components that are {{ sc-7_prm_1 }} separated from internal organizational networks;
-                                        and
-                    """
-                - 
-                  id:         sc-7_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Connects to external networks or information systems only through managed
-                                        interfaces consisting of boundary protection devices arranged in accordance with
-                                        an organizational security architecture.
-                    """
-            - 
-              id:    sc-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Managed interfaces include, for example, gateways, routers, firewalls, guards,
-                                 network-based malicious code analysis and virtualization systems, or encrypted
-                                 tunnels implemented within a security architecture (e.g., routers protecting
-                                 firewalls or application gateways residing on protected subnetworks). Subnetworks
-                                 that are physically or logically separated from internal networks are referred to as
-                                 demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-                                 organizational information systems includes, for example, restricting external web
-                                 traffic to designated web servers within managed interfaces and prohibiting external
-                                 traffic that appears to be spoofing internal addresses. Organizations consider the
-                                 shared nature of commercial telecommunications services in the implementation of
-                                 security controls associated with the use of such services. Commercial
-                                 telecommunications services are commonly based on network components and consolidated
-                                 management systems shared by all attached commercial customers, and may also include
-                                 third party-provided access lines and other service elements. Such transmission
-                                 services may represent sources of increased risk despite contract security
-                                 provisions.
-                """
-              links: 
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ca-3
-                  rel:  related
-                  text: CA-3
-                - 
-                  href: #cm-7
-                  rel:  related
-                  text: CM-7
-                - 
-                  href: #cp-8
-                  rel:  related
-                  text: CP-8
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ra-3
-                  rel:  related
-                  text: RA-3
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-            - 
-              id:    sc-7_obj
-              name:  objective
-              prose: Determine if the information system:
-              parts: 
-                - 
-                  id:         sc-7.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-7(a)
-                  parts: 
-                    - 
-                      id:         sc-7.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[1]
-                      prose:      monitors communications at the external boundary of the information system;
-                    - 
-                      id:         sc-7.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[2]
-                      prose:      monitors communications at key internal boundaries within the system;
-                    - 
-                      id:         sc-7.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[3]
-                      prose:      controls communications at the external boundary of the information system;
-                    - 
-                      id:         sc-7.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(a)[4]
-                      prose:      controls communications at key internal boundaries within the system;
-                - 
-                  id:         sc-7.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-7(b)
-                  prose: 
-                    """
-                      implements subnetworks for publicly accessible system components that are
-                                        either:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-7.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(b)[1]
-                      prose:      physically separated from internal organizational networks; and/or
-                    - 
-                      id:         sc-7.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(b)[2]
-                      prose:      logically separated from internal organizational networks; and
-                - 
-                  id:         sc-7.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-7(c)
-                  prose: 
-                    """
-                      connects to external networks or information systems only through managed
-                                        interfaces consisting of boundary protection devices arranged in accordance with
-                                        an organizational security architecture.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms implementing boundary protection capability
-          controls: 
-            - 
-              id:         sc-7.3
-              class:      SP800-53-enhancement
-              title:      Access Points
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(3)
-                - 
-                  name:  sort-id
-                  value: sc-07.03
-              parts: 
-                - 
-                  id:    sc-7.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization limits the number of external network connections to the
-                                        information system.
-                    """
-                - 
-                  id:    sc-7.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Limiting the number of external network connections facilitates more comprehensive
-                                        monitoring of inbound and outbound communications traffic. The Trusted Internet
-                                        Connection (TIC) initiative is an example of limiting the number of external
-                                        network connections.
-                    """
-                - 
-                  id:         sc-7.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization limits the number of external network connections to
-                                        the information system.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms limiting the number of external network connections to the
-                                               information system
-                        """
-            - 
-              id:         sc-7.4
-              class:      SP800-53-enhancement
-              title:      External Telecommunications Services
-              parameters: 
-                - 
-                  id:          sc-7.4_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least annually
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SC-7(4)
-                - 
-                  name:  sort-id
-                  value: sc-07.04
-              parts: 
-                - 
-                  id:    sc-7.4_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         sc-7.4_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Implements a managed interface for each external telecommunication service;
-                    - 
-                      id:         sc-7.4_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose:      Establishes a traffic flow policy for each managed interface;
-                    - 
-                      id:         sc-7.4_smt.c
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (c)
-                      prose: 
-                        """
-                          Protects the confidentiality and integrity of the information being transmitted
-                                               across each interface;
-                        """
-                    - 
-                      id:         sc-7.4_smt.d
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (d)
-                      prose: 
-                        """
-                          Documents each exception to the traffic flow policy with a supporting
-                                               mission/business need and duration of that need; and
-                        """
-                    - 
-                      id:         sc-7.4_smt.e
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (e)
-                      prose: 
-                        """
-                          Reviews exceptions to the traffic flow policy {{ sc-7.4_prm_1 }}
-                                               and removes exceptions that are no longer supported by an explicit
-                                               mission/business need.
-                        """
-                - 
-                  id:    sc-7.4_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #sc-8
-                      rel:  related
-                      text: SC-8
-                - 
-                  id:    sc-7.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sc-7.4.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(4)(a)
-                      prose:      implements a managed interface for each external telecommunication service;
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.a
-                          rel:  corresp
-                          text: SC-7(4)(a)
-                    - 
-                      id:         sc-7.4.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(4)(b)
-                      prose:      establishes a traffic flow policy for each managed interface;
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.b
-                          rel:  corresp
-                          text: SC-7(4)(b)
-                    - 
-                      id:         sc-7.4.c_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(4)(c)
-                      prose: 
-                        """
-                          protects the confidentiality and integrity of the information being transmitted
-                                               across each interface;
-                        """
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.c
-                          rel:  corresp
-                          text: SC-7(4)(c)
-                    - 
-                      id:         sc-7.4.d_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(4)(d)
-                      prose:      documents each exception to the traffic flow policy with:
-                      parts: 
-                        - 
-                          id:         sc-7.4.d_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-7(4)(d)[1]
-                          prose:      a supporting mission/business need;
-                        - 
-                          id:         sc-7.4.d_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-7(4)(d)[2]
-                          prose:      duration of that need;
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.d
-                          rel:  corresp
-                          text: SC-7(4)(d)
-                    - 
-                      id:         sc-7.4.e_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-7(4)(e)
-                      parts: 
-                        - 
-                          id:         sc-7.4.e_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SC-7(4)(e)[1]
-                          prose:      defines a frequency to review exceptions to traffic flow policy;
-                        - 
-                          id:         sc-7.4.e_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SC-7(4)(e)[2]
-                          prose: 
-                            """
-                              reviews exceptions to the traffic flow policy with the organization-defined
-                                                      frequency; and
-                            """
-                        - 
-                          id:         sc-7.4.e_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SC-7(4)(e)[3]
-                          prose: 
-                            """
-                              removes traffic flow policy exceptions that are no longer supported by an
-                                                      explicit mission/business need
-                            """
-                      links: 
-                        - 
-                          href: #sc-7.4_smt.e
-                          rel:  corresp
-                          text: SC-7(4)(e)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\ninformation system security architecture\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for documenting and reviewing exceptions to the
-                                               traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nautomated mechanisms implementing boundary protection capability\n\nmanaged interfaces implementing traffic flow policy
-                        """
-            - 
-              id:         sc-7.5
-              class:      SP800-53-enhancement
-              title:      Deny by Default / Allow by Exception
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(5)
-                - 
-                  name:  sort-id
-                  value: sc-07.05
-              parts: 
-                - 
-                  id:    sc-7.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system at managed interfaces denies network communications traffic
-                                        by default and allows network communications traffic by exception (i.e., deny all,
-                                        permit by exception).
-                    """
-                - 
-                  id:    sc-7.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement applies to both inbound and outbound network
-                                        communications traffic. A deny-all, permit-by-exception network communications
-                                        traffic policy ensures that only those connections which are essential and
-                                        approved are allowed.
-                    """
-                - 
-                  id:    sc-7.5_obj
-                  name:  objective
-                  prose: Determine if the information system, at managed interfaces:
-                  parts: 
-                    - 
-                      id:         sc-7.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(5)[1]
-                      prose:      denies network traffic by default; and
-                    - 
-                      id:         sc-7.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(5)[2]
-                      prose:      allows network traffic by exception.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing traffic management at managed interfaces
-            - 
-              id:         sc-7.7
-              class:      SP800-53-enhancement
-              title:      Prevent Split Tunneling for Remote Devices
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(7)
-                - 
-                  name:  sort-id
-                  value: sc-07.07
-              parts: 
-                - 
-                  id:    sc-7.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system, in conjunction with a remote device, prevents the device
-                                        from simultaneously establishing non-remote connections with the system and
-                                        communicating via some other connection to resources in external networks.
-                    """
-                - 
-                  id:    sc-7.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement is implemented within remote devices (e.g., notebook
-                                        computers) through configuration settings to disable split tunneling in those
-                                        devices, and by preventing those configuration settings from being readily
-                                        configurable by users. This control enhancement is implemented within the
-                                        information system by the detection of split tunneling (or of configuration
-                                        settings that allow split tunneling) in the remote device, and by prohibiting the
-                                        connection if the remote device is using split tunneling. Split tunneling might be
-                                        desirable by remote users to communicate with local information system resources
-                                        such as printers/file servers. However, split tunneling would in effect allow
-                                        unauthorized external connections, making the system more vulnerable to attack and
-                                        to exfiltration of organizational information. The use of VPNs for remote
-                                        connections, when adequately provisioned with appropriate security controls, may
-                                        provide the organization with sufficient assurance that it can effectively treat
-                                        such connections as non-remote connections from the confidentiality and integrity
-                                        perspective. VPNs thus provide a means for allowing non-remote communications
-                                        paths from remote devices. The use of an adequately provisioned VPN does not
-                                        eliminate the need for preventing split tunneling.
-                    """
-                - 
-                  id:         sc-7.7_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system, in conjunction with a remote device, prevents
-                                        the device from simultaneously establishing non-remote connections with the system
-                                        and communicating via some other connection to resources in external networks.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms supporting/restricting non-remote connections
-            - 
-              id:         sc-7.8
-              class:      SP800-53-enhancement
-              title:      Route Traffic to Authenticated Proxy Servers
-              parameters: 
-                - 
-                  id:    sc-7.8_prm_1
-                  label: organization-defined internal communications traffic
-                - 
-                  id:    sc-7.8_prm_2
-                  label: organization-defined external networks
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(8)
-                - 
-                  name:  sort-id
-                  value: sc-07.08
-              parts: 
-                - 
-                  id:    sc-7.8_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system routes {{ sc-7.8_prm_1 }} to {{ sc-7.8_prm_2 }} through authenticated proxy servers at managed
-                                        interfaces.
-                    """
-                - 
-                  id:    sc-7.8_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      External networks are networks outside of organizational control. A proxy server
-                                        is a server (i.e., information system or application) that acts as an intermediary
-                                        for clients requesting information system resources (e.g., files, connections, web
-                                        pages, or services) from other organizational servers. Client requests established
-                                        through an initial connection to the proxy server are evaluated to manage
-                                        complexity and to provide additional protection by limiting direct connectivity.
-                                        Web content filtering devices are one of the most common proxy servers providing
-                                        access to the Internet. Proxy servers support logging individual Transmission
-                                        Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators
-                                        (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be
-                                        configured with organization-defined lists of authorized and unauthorized
-                                        websites.
-                    """
-                  links: 
-                    - 
-                      href: #ac-3
-                      rel:  related
-                      text: AC-3
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                - 
-                  id:    sc-7.8_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         sc-7.8_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(8)[1]
-                      prose: 
-                        """
-                          the organization defines internal communications traffic to be routed to
-                                               external networks;
-                        """
-                    - 
-                      id:         sc-7.8_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(8)[2]
-                      prose: 
-                        """
-                          the organization defines external networks to which organization-defined
-                                               internal communications traffic is to be routed; and
-                        """
-                    - 
-                      id:         sc-7.8_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(8)[3]
-                      prose: 
-                        """
-                          the information system routes organization-defined internal communications
-                                               traffic to organization-defined external networks through authenticated proxy
-                                               servers at managed interfaces.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing traffic management through authenticated
-                                               proxy servers at managed interfaces
-                        """
-            - 
-              id:         sc-7.12
-              class:      SP800-53-enhancement
-              title:      Host-based Protection
-              parameters: 
-                - 
-                  id:    sc-7.12_prm_1
-                  label: organization-defined host-based boundary protection mechanisms
-                - 
-                  id:    sc-7.12_prm_2
-                  label: organization-defined information system components
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(12)
-                - 
-                  name:  sort-id
-                  value: sc-07.12
-              parts: 
-                - 
-                  id:    sc-7.12_smt
-                  name:  statement
-                  prose: The organization implements {{ sc-7.12_prm_1 }} at {{ sc-7.12_prm_2 }}.
-                - 
-                  id:    sc-7.12_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Host-based boundary protection mechanisms include, for example, host-based
-                                        firewalls. Information system components employing host-based boundary protection
-                                        mechanisms include, for example, servers, workstations, and mobile devices.
-                    """
-                - 
-                  id:    sc-7.12_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sc-7.12_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(12)[1]
-                      prose:      defines host-based boundary protection mechanisms;
-                    - 
-                      id:         sc-7.12_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(12)[2]
-                      prose: 
-                        """
-                          defines information system components where organization-defined host-based
-                                               boundary protection mechanisms are to be implemented; and
-                        """
-                    - 
-                      id:         sc-7.12_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(12)[3]
-                      prose: 
-                        """
-                          implements organization-defined host-based boundary protection mechanisms at
-                                               organization-defined information system components.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities\n\ninformation system users
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms implementing host-based boundary protection
-                                               capabilities
-                        """
-            - 
-              id:         sc-7.13
-              class:      SP800-53-enhancement
-              title:      Isolation of Security Tools / Mechanisms / Support Components
-              parameters: 
-                - 
-                  id:    sc-7.13_prm_1
-                  label: 
-                    """
-                      organization-defined information security tools, mechanisms, and support
-                                        components
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(13)
-                - 
-                  name:  sort-id
-                  value: sc-07.13
-              parts: 
-                - 
-                  id:    sc-7.13_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization isolates {{ sc-7.13_prm_1 }} from other internal
-                                        information system components by implementing physically separate subnetworks with
-                                        managed interfaces to other components of the system.
-                    """
-                  parts: 
-                    - 
-                      id:    sc-7.13_fr
-                      name:  item
-                      title: SC-7 (13) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         sc-7.13_fr_smt.1
-                          name:       item
-                          properties: 
-                            - 
-                              name:  label
-                              value: Requirement:
-                          prose:      The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
-                - 
-                  id:    sc-7.13_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Physically separate subnetworks with managed interfaces are useful, for example,
-                                        in isolating computer network defenses from critical operational processing
-                                        networks to prevent adversaries from discovering the analysis and forensics
-                                        techniques of organizations.
-                    """
-                  links: 
-                    - 
-                      href: #sa-8
-                      rel:  related
-                      text: SA-8
-                    - 
-                      href: #sc-2
-                      rel:  related
-                      text: SC-2
-                    - 
-                      href: #sc-3
-                      rel:  related
-                      text: SC-3
-                - 
-                  id:    sc-7.13_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         sc-7.13_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-7(13)[1]
-                      prose: 
-                        """
-                          defines information security tools, mechanisms, and support components to be
-                                               isolated from other internal information system components; and
-                        """
-                    - 
-                      id:         sc-7.13_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-7(13)[2]
-                      prose: 
-                        """
-                          isolates organization-defined information security tools, mechanisms, and
-                                               support components from other internal information system components by
-                                               implementing physically separate subnetworks with managed interfaces to other
-                                               components of the system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\nlist of security tools and support components to be isolated from other
-                                               internal information system components\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing isolation of information
-                                               security tools, mechanisms, and support components
-                        """
-            - 
-              id:         sc-7.18
-              class:      SP800-53-enhancement
-              title:      Fail Secure
-              properties: 
-                - 
-                  name:  label
-                  value: SC-7(18)
-                - 
-                  name:  sort-id
-                  value: sc-07.18
-              parts: 
-                - 
-                  id:    sc-7.18_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system fails securely in the event of an operational failure of a
-                                        boundary protection device.
-                    """
-                - 
-                  id:    sc-7.18_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Fail secure is a condition achieved by employing information system mechanisms to
-                                        ensure that in the event of operational failures of boundary protection devices at
-                                        managed interfaces (e.g., routers, firewalls, guards, and application gateways
-                                        residing on protected subnetworks commonly referred to as demilitarized zones),
-                                        information systems do not enter into unsecure states where intended security
-                                        properties no longer hold. Failures of boundary protection devices cannot lead to,
-                                        or cause information external to the devices to enter the devices, nor can
-                                        failures permit unauthorized information releases.
-                    """
-                  links: 
-                    - 
-                      href: #cp-2
-                      rel:  related
-                      text: CP-2
-                    - 
-                      href: #sc-24
-                      rel:  related
-                      text: SC-24
-                - 
-                  id:         sc-7.18_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system fails securely in the event of an operational
-                                        failure of a boundary protection device.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Automated mechanisms supporting and/or implementing secure failure
-        - 
-          id:         sc-8
-          class:      SP800-53
-          title:      Transmission Confidentiality and Integrity
-          parameters: 
-            - 
-              id:          sc-8_prm_1
-              constraints: 
-                - 
-                  detail: confidentiality AND integrity
-          properties: 
-            - 
-              name:  label
-              value: SC-8
-            - 
-              name:  sort-id
-              value: sc-08
-          links: 
-            - 
-              href: #d715b234-9b5b-4e07-b1ed-99836727664d
-              rel:  reference
-              text: FIPS Publication 140-2
-            - 
-              href: #f2dbd4ec-c413-4714-b85b-6b7184d1c195
-              rel:  reference
-              text: FIPS Publication 197
-            - 
-              href: #90c5bc98-f9c4-44c9-98b7-787422f0999c
-              rel:  reference
-              text: NIST Special Publication 800-52
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-            - 
-              href: #349fe082-502d-464a-aa0c-1443c6a5cf40
-              rel:  reference
-              text: NIST Special Publication 800-113
-            - 
-              href: #a4aa9645-9a8a-4b51-90a9-e223250f9a75
-              rel:  reference
-              text: CNSS Policy 15
-            - 
-              href: #06dff0ea-3848-4945-8d91-e955ee69f05d
-              rel:  reference
-              text: NSTISSI No. 7003
-          parts: 
-            - 
-              id:    sc-8_smt
-              name:  statement
-              prose: 
-                """
-                  The information system protects the {{ sc-8_prm_1 }} of transmitted
-                                 information.
-                """
-            - 
-              id:    sc-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to both internal and external networks and all types of
-                                 information system components from which information can be transmitted (e.g.,
-                                 servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile
-                                 machines). Communication paths outside the physical protection of a controlled
-                                 boundary are exposed to the possibility of interception and modification. Protecting
-                                 the confidentiality and/or integrity of organizational information can be
-                                 accomplished by physical means (e.g., by employing protected distribution systems) or
-                                 by logical means (e.g., employing encryption techniques). Organizations relying on
-                                 commercial providers offering transmission services as commodity services rather than
-                                 as fully dedicated services (i.e., services which can be highly specialized to
-                                 individual customer needs), may find it difficult to obtain the necessary assurances
-                                 regarding the implementation of needed security controls for transmission
-                                 confidentiality/integrity. In such situations, organizations determine what types of
-                                 confidentiality/integrity services are available in standard, commercial
-                                 telecommunication service packages. If it is infeasible or impractical to obtain the
-                                 necessary security controls and assurances of control effectiveness through
-                                 appropriate contracting vehicles, organizations implement appropriate compensating
-                                 security controls or explicitly accept the additional risk.
-                """
-              links: 
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #pe-4
-                  rel:  related
-                  text: PE-4
-            - 
-              id:         sc-8_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose:      Determine if the information system protects one or more of the following:
-              parts: 
-                - 
-                  id:         sc-8_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-8[1]
-                  prose:      confidentiality of transmitted information; and/or
-                - 
-                  id:         sc-8_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-8[2]
-                  prose:      integrity of transmitted information.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing transmission confidentiality
-                                        and/or integrity
-                    """
-          controls: 
-            - 
-              id:         sc-8.1
-              class:      SP800-53-enhancement
-              title:      Cryptographic or Alternate Physical Protection
-              parameters: 
-                - 
-                  id:          sc-8.1_prm_1
-                  constraints: 
-                    - 
-                      detail: prevent unauthorized disclosure of information AND detect changes to information
-                - 
-                  id:          sc-8.1_prm_2
-                  label:       organization-defined alternative physical safeguards
-                  constraints: 
-                    - 
-                      detail: a hardened or alarmed carrier Protective Distribution System (PDS)
-              properties: 
-                - 
-                  name:  label
-                  value: SC-8(1)
-                - 
-                  name:  sort-id
-                  value: sc-08.01
-              parts: 
-                - 
-                  id:    sc-8.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to {{ sc-8.1_prm_1 }} during transmission unless otherwise protected by
-                                           {{ sc-8.1_prm_2 }}.
-                    """
-                - 
-                  id:    sc-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Encrypting information for transmission protects information from unauthorized
-                                        disclosure and modification. Cryptographic mechanisms implemented to protect
-                                        information integrity include, for example, cryptographic hash functions which
-                                        have common application in digital signatures, checksums, and message
-                                        authentication codes. Alternative physical security safeguards include, for
-                                        example, protected distribution systems.
-                    """
-                  links: 
-                    - 
-                      href: #sc-13
-                      rel:  related
-                      text: SC-13
-                - 
-                  id:    sc-8.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         sc-8.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-8(1)[1]
-                      prose: 
-                        """
-                          the organization defines physical safeguards to be implemented to protect
-                                               information during transmission when cryptographic mechanisms are not
-                                               implemented; and
-                        """
-                    - 
-                      id:         sc-8.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-8(1)[2]
-                      prose: 
-                        """
-                          the information system implements cryptographic mechanisms to do one or more of
-                                               the following during transmission unless otherwise protected by
-                                               organization-defined alternative physical safeguards:
-                        """
-                      parts: 
-                        - 
-                          id:         sc-8.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-8(1)[2][a]
-                          prose:      prevent unauthorized disclosure of information; and/or
-                        - 
-                          id:         sc-8.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SC-8(1)[2][b]
-                          prose:      detect changes to information.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms supporting and/or implementing transmission
-                                               confidentiality and/or integrity\n\nautomated mechanisms supporting and/or implementing alternative physical
-                                               safeguards\n\norganizational processes for defining and implementing alternative physical
-                                               safeguards
-                        """
-        - 
-          id:         sc-10
-          class:      SP800-53
-          title:      Network Disconnect
-          parameters: 
-            - 
-              id:          sc-10_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions
-          properties: 
-            - 
-              name:  label
-              value: SC-10
-            - 
-              name:  sort-id
-              value: sc-10
-          parts: 
-            - 
-              id:    sc-10_smt
-              name:  statement
-              prose: 
-                """
-                  The information system terminates the network connection associated with a
-                                 communications session at the end of the session or after {{ sc-10_prm_1 }} of inactivity.
-                """
-            - 
-              id:    sc-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control applies to both internal and external networks. Terminating network
-                                 connections associated with communications sessions include, for example,
-                                 de-allocating associated TCP/IP address/port pairs at the operating system level, or
-                                 de-allocating networking assignments at the application level if multiple application
-                                 sessions are using a single, operating system-level network connection. Time periods
-                                 of inactivity may be established by organizations and include, for example, time
-                                 periods by type of network access or for specific network accesses.
-                """
-            - 
-              id:    sc-10_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-10[1]
-                  prose: 
-                    """
-                      the organization defines a time period of inactivity after which the information
-                                        system terminates a network connection associated with a communications session;
-                                        and
-                    """
-                - 
-                  id:         sc-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-10[2]
-                  prose: 
-                    """
-                      the information system terminates the network connection associated with a
-                                        communication session at the end of the session or after the organization-defined
-                                        time period of inactivity.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing network disconnect\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing network disconnect
-                                        capability
-                    """
-        - 
-          id:         sc-12
-          class:      SP800-53
-          title:      Cryptographic Key Establishment and Management
-          parameters: 
-            - 
-              id:    sc-12_prm_1
-              label: 
-                """
-                  organization-defined requirements for key generation, distribution, storage,
-                                 access, and destruction
-                """
-          properties: 
-            - 
-              name:  label
-              value: SC-12
-            - 
-              name:  sort-id
-              value: sc-12
-          links: 
-            - 
-              href: #81f09e01-d0b0-4ae2-aa6a-064ed9950070
-              rel:  reference
-              text: NIST Special Publication 800-56
-            - 
-              href: #a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-              rel:  reference
-              text: NIST Special Publication 800-57
-          parts: 
-            - 
-              id:    sc-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization establishes and manages cryptographic keys for required cryptography
-                                 employed within the information system in accordance with {{ sc-12_prm_1 }}.
-                """
-              parts: 
-                - 
-                  id:    sc-12_fr
-                  name:  item
-                  title: SC-12 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sc-12_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      Federally approved and validated cryptography.
-            - 
-              id:    sc-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Cryptographic key management and establishment can be performed using manual
-                                 procedures or automated mechanisms with supporting manual procedures. Organizations
-                                 define key management requirements in accordance with applicable federal laws,
-                                 Executive Orders, directives, regulations, policies, standards, and guidance,
-                                 specifying appropriate options, levels, and parameters. Organizations manage trust
-                                 stores to ensure that only approved trust anchors are in such trust stores. This
-                                 includes certificates with visibility external to organizational information systems
-                                 and certificates related to the internal operations of systems.
-                """
-              links: 
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-17
-                  rel:  related
-                  text: SC-17
-            - 
-              id:    sc-12_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-12[1]
-                  prose:      defines requirements for cryptographic key:
-                  parts: 
-                    - 
-                      id:         sc-12_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][a]
-                      prose:      generation;
-                    - 
-                      id:         sc-12_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][b]
-                      prose:      distribution;
-                    - 
-                      id:         sc-12_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][c]
-                      prose:      storage;
-                    - 
-                      id:         sc-12_obj.1.d
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][d]
-                      prose:      access;
-                    - 
-                      id:         sc-12_obj.1.e
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12[1][e]
-                      prose:      destruction; and
-                - 
-                  id:         sc-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-12[2]
-                  prose: 
-                    """
-                      establishes and manages cryptographic keys for required cryptography employed
-                                        within the information system in accordance with organization-defined requirements
-                                        for key generation, distribution, storage, access, and destruction.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment
-                                        and/or management
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing cryptographic key
-                                        establishment and management
-                    """
-          controls: 
-            - 
-              id:         sc-12.2
-              class:      SP800-53-enhancement
-              title:      Symmetric Keys
-              parameters: 
-                - 
-                  id:          sc-12.2_prm_1
-                  constraints: 
-                    - 
-                      detail: NIST FIPS-compliant
-              properties: 
-                - 
-                  name:  label
-                  value: SC-12(2)
-                - 
-                  name:  sort-id
-                  value: sc-12.02
-              parts: 
-                - 
-                  id:    sc-12.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization produces, controls, and distributes symmetric cryptographic keys
-                                        using {{ sc-12.2_prm_1 }} key management technology and
-                                        processes.
-                    """
-                - 
-                  id:         sc-12.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization produces, controls, and distributes symmetric
-                                        cryptographic keys using one of the following: 
-                    """
-                  parts: 
-                    - 
-                      id:         sc-12.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(2)[1]
-                      prose:      NIST FIPS-compliant key management technology and processes; or
-                    - 
-                      id:         sc-12.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(2)[2]
-                      prose:      NSA-approved key management technology and processes.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FIPS validated cryptographic products\n\nlist of NSA-approved cryptographic products\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic key
-                                               establishment or management
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing symmetric cryptographic key
-                                               establishment and management
-                        """
-            - 
-              id:         sc-12.3
-              class:      SP800-53-enhancement
-              title:      Asymmetric Keys
-              parameters: 
-                - 
-                  id: sc-12.3_prm_1
-              properties: 
-                - 
-                  name:  label
-                  value: SC-12(3)
-                - 
-                  name:  sort-id
-                  value: sc-12.03
-              parts: 
-                - 
-                  id:    sc-12.3_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization produces, controls, and distributes asymmetric cryptographic keys
-                                        using {{ sc-12.3_prm_1 }}.
-                    """
-                - 
-                  id:         sc-12.3_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization produces, controls, and distributes asymmetric
-                                        cryptographic keys using one of the following: 
-                    """
-                  parts: 
-                    - 
-                      id:         sc-12.3_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(3)[1]
-                      prose:      NSA-approved key management technology and processes;
-                    - 
-                      id:         sc-12.3_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(3)[2]
-                      prose:      approved PKI Class 3 certificates or prepositioned keying material; or
-                    - 
-                      id:         sc-12.3_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-12(3)[3]
-                      prose: 
-                        """
-                          approved PKI Class 3 or Class 4 certificates and hardware security tokens that
-                                               protect the user’s private key.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of NSA-approved cryptographic products\n\nlist of approved PKI Class 3 and Class 4 certificates\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic key
-                                               establishment or management\n\norganizational personnel with responsibilities for PKI certificates
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing asymmetric cryptographic
-                                               key establishment and management
-                        """
-        - 
-          id:         sc-13
-          class:      SP800-53
-          title:      Cryptographic Protection
-          parameters: 
-            - 
-              id:          sc-13_prm_1
-              label: 
-                """
-                  organization-defined cryptographic uses and type of cryptography required for
-                                 each use
-                """
-              constraints: 
-                - 
-                  detail: FIPS-validated or NSA-approved cryptography
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SC-13
-            - 
-              name:  sort-id
-              value: sc-13
-          links: 
-            - 
-              href: #39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-              rel:  reference
-              text: FIPS Publication 140
-            - 
-              href: #6a1041fc-054e-4230-946b-2e6f4f3731bb
-              rel:  reference
-              text: http://csrc.nist.gov/cryptval
-            - 
-              href: #9b97ed27-3dd6-4f9a-ade5-1b43e9669794
-              rel:  reference
-              text: http://www.cnss.gov
-          parts: 
-            - 
-              id:    sc-13_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements {{ sc-13_prm_1 }} in accordance with
-                                 applicable federal laws, Executive Orders, directives, policies, regulations, and
-                                 standards.
-                """
-            - 
-              id:    sc-13_gdn
-              name:  guidance
-              prose: 
-                """
-                  Cryptography can be employed to support a variety of security solutions including,
-                                 for example, the protection of classified and Controlled Unclassified Information,
-                                 the provision of digital signatures, and the enforcement of information separation
-                                 when authorized individuals have the necessary clearances for such information but
-                                 lack the necessary formal access approvals. Cryptography can also be used to support
-                                 random number generation and hash generation. Generally applicable cryptographic
-                                 standards include FIPS-validated cryptography and NSA-approved cryptography. This
-                                 control does not impose any requirements on organizations to use cryptography.
-                                 However, if cryptography is required based on the selection of other security
-                                 controls, organizations define each type of cryptographic use and the type of
-                                 cryptography required (e.g., protection of classified information: NSA-approved
-                                 cryptography; provision of digital signatures: FIPS-validated cryptography).
-                """
-              links: 
-                - 
-                  href: #ac-2
-                  rel:  related
-                  text: AC-2
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-7
-                  rel:  related
-                  text: AC-7
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #ac-18
-                  rel:  related
-                  text: AC-18
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #au-10
-                  rel:  related
-                  text: AU-10
-                - 
-                  href: #cm-11
-                  rel:  related
-                  text: CM-11
-                - 
-                  href: #cp-9
-                  rel:  related
-                  text: CP-9
-                - 
-                  href: #ia-3
-                  rel:  related
-                  text: IA-3
-                - 
-                  href: #ia-7
-                  rel:  related
-                  text: IA-7
-                - 
-                  href: #ma-4
-                  rel:  related
-                  text: MA-4
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-                - 
-                  href: #mp-5
-                  rel:  related
-                  text: MP-5
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-28
-                  rel:  related
-                  text: SC-28
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    sc-13_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-13_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-13[1]
-                  prose:      the organization defines cryptographic uses; and
-                - 
-                  id:         sc-13_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-13[2]
-                  prose:      the organization defines the type of cryptography required for each use; and
-                - 
-                  id:         sc-13_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-13[3]
-                  prose: 
-                    """
-                      the information system implements the organization-defined cryptographic uses and
-                                        type of cryptography required for each use in accordance with applicable federal
-                                        laws, Executive Orders, directives, policies, regulations, and standards.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing cryptographic protection
-        - 
-          id:         sc-15
-          class:      SP800-53
-          title:      Collaborative Computing Devices
-          parameters: 
-            - 
-              id:          sc-15_prm_1
-              label:       organization-defined exceptions where remote activation is to be allowed
-              constraints: 
-                - 
-                  detail: no exceptions
-          properties: 
-            - 
-              name:  label
-              value: SC-15
-            - 
-              name:  sort-id
-              value: sc-15
-          parts: 
-            - 
-              id:    sc-15_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-15_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Prohibits remote activation of collaborative computing devices with the following
-                                        exceptions: {{ sc-15_prm_1 }}; and
-                    """
-                - 
-                  id:         sc-15_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Provides an explicit indication of use to users physically present at the
-                                        devices.
-                    """
-                - 
-                  id:    sc-15_fr
-                  name:  item
-                  title: SC-15 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sc-15_fr_smt.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: Requirement:
-                      prose:      The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-            - 
-              id:    sc-15_gdn
-              name:  guidance
-              prose: 
-                """
-                  Collaborative computing devices include, for example, networked white boards,
-                                 cameras, and microphones. Explicit indication of use includes, for example, signals
-                                 to users when collaborative computing devices are activated.
-                """
-              links: 
-                - 
-                  href: #ac-21
-                  rel:  related
-                  text: AC-21
-            - 
-              id:    sc-15_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-15.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-15(a)
-                  parts: 
-                    - 
-                      id:         sc-15.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-15(a)[1]
-                      prose: 
-                        """
-                          the organization defines exceptions where remote activation of collaborative
-                                               computing devices is to be allowed;
-                        """
-                    - 
-                      id:         sc-15.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-15(a)[2]
-                      prose: 
-                        """
-                          the information system prohibits remote activation of collaborative computing
-                                               devices, except for organization-defined exceptions where remote activation is
-                                               to be allowed; and
-                        """
-                - 
-                  id:         sc-15.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-15(b)
-                  prose: 
-                    """
-                      the information system provides an explicit indication of use to users physically
-                                        present at the devices.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative
-                                        computing devices
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing management of remote
-                                        activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing
-                                        devices
-                    """
-        - 
-          id:         sc-17
-          class:      SP800-53
-          title:      Public Key Infrastructure Certificates
-          parameters: 
-            - 
-              id:    sc-17_prm_1
-              label: organization-defined certificate policy
-          properties: 
-            - 
-              name:  label
-              value: SC-17
-            - 
-              name:  sort-id
-              value: sc-17
-          links: 
-            - 
-              href: #58ad6f27-af99-429f-86a8-8bb767b014b9
-              rel:  reference
-              text: OMB Memorandum 05-24
-            - 
-              href: #8f174e91-844e-4cf1-a72a-45c119a3a8dd
-              rel:  reference
-              text: NIST Special Publication 800-32
-            - 
-              href: #644f44a9-a2de-4494-9c04-cd37fba45471
-              rel:  reference
-              text: NIST Special Publication 800-63
-          parts: 
-            - 
-              id:    sc-17_smt
-              name:  statement
-              prose: 
-                """
-                  The organization issues public key certificates under an {{ sc-17_prm_1 }} or obtains public key certificates from an approved
-                                 service provider.
-                """
-            - 
-              id:    sc-17_gdn
-              name:  guidance
-              prose: 
-                """
-                  For all certificates, organizations manage information system trust stores to ensure
-                                 only approved trust anchors are in the trust stores. This control addresses both
-                                 certificates with visibility external to organizational information systems and
-                                 certificates related to the internal operations of systems, for example,
-                                 application-specific time services.
-                """
-              links: 
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-            - 
-              id:    sc-17_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-17_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-17[1]
-                  prose:      defines a certificate policy for issuing public key certificates;
-                - 
-                  id:         sc-17_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-17[2]
-                  prose:      issues public key certificates:
-                  parts: 
-                    - 
-                      id:         sc-17_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-17[2][a]
-                      prose:      under an organization-defined certificate policy: or
-                    - 
-                      id:         sc-17_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-17[2][b]
-                      prose:      obtains public key certificates from an approved service provider.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key
-                                        certificates\n\nservice providers
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing the management of public key
-                                        infrastructure certificates
-                    """
-        - 
-          id:         sc-18
-          class:      SP800-53
-          title:      Mobile Code
-          properties: 
-            - 
-              name:  label
-              value: SC-18
-            - 
-              name:  sort-id
-              value: sc-18
-          links: 
-            - 
-              href: #e716cd51-d1d5-4c6a-967a-22e9fbbc42f1
-              rel:  reference
-              text: NIST Special Publication 800-28
-            - 
-              href: #e6522953-6714-435d-a0d3-140df554c186
-              rel:  reference
-              text: DoD Instruction 8552.01
-          parts: 
-            - 
-              id:    sc-18_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sc-18_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Defines acceptable and unacceptable mobile code and mobile code technologies;
-                - 
-                  id:         sc-18_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Establishes usage restrictions and implementation guidance for acceptable mobile
-                                        code and mobile code technologies; and
-                    """
-                - 
-                  id:         sc-18_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Authorizes, monitors, and controls the use of mobile code within the information
-                                        system.
-                    """
-            - 
-              id:    sc-18_gdn
-              name:  guidance
-              prose: 
-                """
-                  Decisions regarding the employment of mobile code within organizational information
-                                 systems are based on the potential for the code to cause damage to the systems if
-                                 used maliciously. Mobile code technologies include, for example, Java, JavaScript,
-                                 ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage
-                                 restrictions and implementation guidance apply to both the selection and use of
-                                 mobile code installed on servers and mobile code downloaded and executed on
-                                 individual workstations and devices (e.g., smart phones). Mobile code policy and
-                                 procedures address preventing the development, acquisition, or introduction of
-                                 unacceptable mobile code within organizational information systems.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #cm-2
-                  rel:  related
-                  text: CM-2
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-            - 
-              id:    sc-18_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-18.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-18(a)
-                  prose:      defines acceptable and unacceptable mobile code and mobile code technologies;
-                - 
-                  id:         sc-18.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-18(b)
-                  parts: 
-                    - 
-                      id:         sc-18.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-18(b)[1]
-                      prose: 
-                        """
-                          establishes usage restrictions for acceptable mobile code and mobile code
-                                               technologies;
-                        """
-                    - 
-                      id:         sc-18.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-18(b)[2]
-                      prose: 
-                        """
-                          establishes implementation guidance for acceptable mobile code and mobile code
-                                               technologies;
-                        """
-                - 
-                  id:         sc-18.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-18(c)
-                  parts: 
-                    - 
-                      id:         sc-18.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-18(c)[1]
-                      prose:      authorizes the use of mobile code within the information system;
-                    - 
-                      id:         sc-18.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-18(c)[2]
-                      prose:      monitors the use of mobile code within the information system; and
-                    - 
-                      id:         sc-18.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-18(c)[3]
-                      prose:      controls the use of mobile code within the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions, mobile code implementation policy and
-                                        procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for controlling, authorizing, monitoring, and restricting
-                                        mobile code\n\nautomated mechanisms supporting and/or implementing the management of mobile
-                                        code\n\nautomated mechanisms supporting and/or implementing the monitoring of mobile
-                                        code
-                    """
-        - 
-          id:         sc-19
-          class:      SP800-53
-          title:      Voice Over Internet Protocol
-          properties: 
-            - 
-              name:  label
-              value: SC-19
-            - 
-              name:  sort-id
-              value: sc-19
-          links: 
-            - 
-              href: #7783f3e7-09b3-478b-9aa2-4a76dfd0ea90
-              rel:  reference
-              text: NIST Special Publication 800-58
-          parts: 
-            - 
-              id:    sc-19_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         sc-19_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Establishes usage restrictions and implementation guidance for Voice over Internet
-                                        Protocol (VoIP) technologies based on the potential to cause damage to the
-                                        information system if used maliciously; and
-                    """
-                - 
-                  id:         sc-19_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Authorizes, monitors, and controls the use of VoIP within the information
-                                        system.
-                    """
-            - 
-              id:    sc-19_gdn
-              name:  guidance
-              links: 
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-15
-                  rel:  related
-                  text: SC-15
-            - 
-              id:    sc-19_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         sc-19.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-19(a)
-                  parts: 
-                    - 
-                      id:         sc-19.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-19(a)[1]
-                      prose: 
-                        """
-                          establishes usage restrictions for Voice over Internet Protocol (VoIP)
-                                               technologies based on the potential to cause damage to the information system
-                                               if used maliciously;
-                        """
-                    - 
-                      id:         sc-19.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-19(a)[2]
-                      prose: 
-                        """
-                          establishes implementation guidance for Voice over Internet Protocol (VoIP)
-                                               technologies based on the potential to cause damage to the information system
-                                               if used maliciously;
-                        """
-                - 
-                  id:         sc-19.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-19(b)
-                  parts: 
-                    - 
-                      id:         sc-19.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-19(b)[1]
-                      prose:      authorizes the use of VoIP within the information system;
-                    - 
-                      id:         sc-19.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-19(b)[2]
-                      prose:      monitors the use of VoIP within the information system; and
-                    - 
-                      id:         sc-19.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-19(b)[3]
-                      prose:      controls the use of VoIP within the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing VoIP\n\nVoIP usage restrictions\n\nVoIP implementation guidance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing VoIP
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational process for authorizing, monitoring, and controlling VoIP\n\nautomated mechanisms supporting and/or implementing authorizing, monitoring, and
-                                        controlling VoIP
-                    """
-        - 
-          id:         sc-20
-          class:      SP800-53
-          title:      Secure Name / Address Resolution Service (authoritative Source)
-          properties: 
-            - 
-              name:  label
-              value: SC-20
-            - 
-              name:  sort-id
-              value: sc-20
-          links: 
-            - 
-              href: #28115a56-da6b-4d44-b1df-51dd7f048a3e
-              rel:  reference
-              text: OMB Memorandum 08-23
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-20_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         sc-20_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Provides additional data origin authentication and integrity verification
-                                        artifacts along with the authoritative name resolution data the system returns in
-                                        response to external name/address resolution queries; and
-                    """
-                - 
-                  id:         sc-20_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Provides the means to indicate the security status of child zones and (if the
-                                        child supports secure resolution services) to enable verification of a chain of
-                                        trust among parent and child domains, when operating as part of a distributed,
-                                        hierarchical namespace.
-                    """
-            - 
-              id:    sc-20_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control enables external clients including, for example, remote Internet
-                                 clients, to obtain origin authentication and integrity verification assurances for
-                                 the host/service name to network address resolution information obtained through the
-                                 service. Information systems that provide name and address resolution services
-                                 include, for example, domain name system (DNS) servers. Additional artifacts include,
-                                 for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-                                 resource records are examples of authoritative data. The means to indicate the
-                                 security status of child zones includes, for example, the use of delegation signer
-                                 resource records in the DNS. The DNS security controls reflect (and are referenced
-                                 from) OMB Memorandum 08-23. Information systems that use technologies other than the
-                                 DNS to map between host/service names and network addresses provide other means to
-                                 assure the authenticity and integrity of response data.
-                """
-              links: 
-                - 
-                  href: #au-10
-                  rel:  related
-                  text: AU-10
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-12
-                  rel:  related
-                  text: SC-12
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #sc-21
-                  rel:  related
-                  text: SC-21
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-20_obj
-              name:  objective
-              prose: Determine if the information system:
-              parts: 
-                - 
-                  id:         sc-20.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-20(a)
-                  prose: 
-                    """
-                      provides additional data origin and integrity verification artifacts along with
-                                        the authoritative name resolution data the system returns in response to external
-                                        name/address resolution queries;
-                    """
-                - 
-                  id:         sc-20.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-20(b)
-                  prose: 
-                    """
-                      provides the means to, when operating as part of a distributed, hierarchical
-                                        namespace:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-20.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-20(b)[1]
-                      prose:      indicate the security status of child zones; and
-                    - 
-                      id:         sc-20.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-20(b)[2]
-                      prose: 
-                        """
-                          enable verification of a chain of trust among parent and child domains (if the
-                                               child supports secure resolution services).
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing secure name/address resolution service (authoritative
-                                        source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing secure name/address resolution
-                                        service
-                    """
-        - 
-          id:         sc-21
-          class:      SP800-53
-          title:      Secure Name / Address Resolution Service (recursive or Caching Resolver)
-          properties: 
-            - 
-              name:  label
-              value: SC-21
-            - 
-              name:  sort-id
-              value: sc-21
-          links: 
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-21_smt
-              name:  statement
-              prose: 
-                """
-                  The information system requests and performs data origin authentication and data
-                                 integrity verification on the name/address resolution responses the system receives
-                                 from authoritative sources.
-                """
-            - 
-              id:    sc-21_gdn
-              name:  guidance
-              prose: 
-                """
-                  Each client of name resolution services either performs this validation on its own,
-                                 or has authenticated channels to trusted validation providers. Information systems
-                                 that provide name and address resolution services for local clients include, for
-                                 example, recursive resolving or caching domain name system (DNS) servers. DNS client
-                                 resolvers either perform validation of DNSSEC signatures, or clients use
-                                 authenticated channels to recursive resolvers that perform such validations.
-                                 Information systems that use technologies other than the DNS to map between
-                                 host/service names and network addresses provide other means to enable clients to
-                                 verify the authenticity and integrity of response data.
-                """
-              links: 
-                - 
-                  href: #sc-20
-                  rel:  related
-                  text: SC-20
-                - 
-                  href: #sc-22
-                  rel:  related
-                  text: SC-22
-            - 
-              id:    sc-21_obj
-              name:  objective
-              prose: Determine if the information system: 
-              parts: 
-                - 
-                  id:         sc-21_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-21[1]
-                  prose: 
-                    """
-                      requests data origin authentication on the name/address resolution responses the
-                                        system receives from authoritative sources;
-                    """
-                - 
-                  id:         sc-21_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SC-21[2]
-                  prose: 
-                    """
-                      requests data integrity verification on the name/address resolution responses the
-                                        system receives from authoritative sources;
-                    """
-                - 
-                  id:         sc-21_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-21[3]
-                  prose: 
-                    """
-                      performs data origin authentication on the name/address resolution responses the
-                                        system receives from authoritative sources; and
-                    """
-                - 
-                  id:         sc-21_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-21[4]
-                  prose: 
-                    """
-                      performs data integrity verification on the name/address resolution responses the
-                                        system receives from authoritative sources.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing secure name/address resolution service (recursive or caching
-                                        resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing data origin authentication and
-                                        data integrity verification for name/address resolution services
-                    """
-        - 
-          id:         sc-22
-          class:      SP800-53
-          title:      Architecture and Provisioning for Name / Address Resolution Service
-          properties: 
-            - 
-              name:  label
-              value: SC-22
-            - 
-              name:  sort-id
-              value: sc-22
-          links: 
-            - 
-              href: #6af1e841-672c-46c4-b121-96f603d04be3
-              rel:  reference
-              text: NIST Special Publication 800-81
-          parts: 
-            - 
-              id:    sc-22_smt
-              name:  statement
-              prose: 
-                """
-                  The information systems that collectively provide name/address resolution service for
-                                 an organization are fault-tolerant and implement internal/external role
-                                 separation.
-                """
-            - 
-              id:    sc-22_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems that provide name and address resolution services include, for
-                                 example, domain name system (DNS) servers. To eliminate single points of failure and
-                                 to enhance redundancy, organizations employ at least two authoritative domain name
-                                 system servers, one configured as the primary server and the other configured as the
-                                 secondary server. Additionally, organizations typically deploy the servers in two
-                                 geographically separated network subnetworks (i.e., not located in the same physical
-                                 facility). For role separation, DNS servers with internal roles only process name and
-                                 address resolution requests from within organizations (i.e., from internal clients).
-                                 DNS servers with external roles only process name and address resolution information
-                                 requests from clients external to organizations (i.e., on external networks including
-                                 the Internet). Organizations specify clients that can access authoritative DNS
-                                 servers in particular roles (e.g., by address ranges, explicit lists).
-                """
-              links: 
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-20
-                  rel:  related
-                  text: SC-20
-                - 
-                  href: #sc-21
-                  rel:  related
-                  text: SC-21
-                - 
-                  href: #sc-24
-                  rel:  related
-                  text: SC-24
-            - 
-              id:    sc-22_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the information systems that collectively provide name/address
-                                 resolution service for an organization: 
-                """
-              parts: 
-                - 
-                  id:         sc-22_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-22[1]
-                  prose:      are fault tolerant; and
-                - 
-                  id:         sc-22_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SC-22[2]
-                  prose:      implement internal/external role separation.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution
-                                        service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing name/address resolution
-                                        service for fault tolerance and role separation
-                    """
-        - 
-          id:         sc-23
-          class:      SP800-53
-          title:      Session Authenticity
-          properties: 
-            - 
-              name:  label
-              value: SC-23
-            - 
-              name:  sort-id
-              value: sc-23
-          links: 
-            - 
-              href: #90c5bc98-f9c4-44c9-98b7-787422f0999c
-              rel:  reference
-              text: NIST Special Publication 800-52
-            - 
-              href: #99f331f2-a9f0-46c2-9856-a3cbb9b89442
-              rel:  reference
-              text: NIST Special Publication 800-77
-            - 
-              href: #1ebdf782-d95d-4a7b-8ec7-ee860951eced
-              rel:  reference
-              text: NIST Special Publication 800-95
-          parts: 
-            - 
-              id:    sc-23_smt
-              name:  statement
-              prose: The information system protects the authenticity of communications sessions.
-            - 
-              id:    sc-23_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses communications protection at the session, versus packet level
-                                 (e.g., sessions in service-oriented architectures providing web-based services) and
-                                 establishes grounds for confidence at both ends of communications sessions in ongoing
-                                 identities of other parties and in the validity of information transmitted.
-                                 Authenticity protection includes, for example, protecting against man-in-the-middle
-                                 attacks/session hijacking and the insertion of false information into sessions.
-                """
-              links: 
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-10
-                  rel:  related
-                  text: SC-10
-                - 
-                  href: #sc-11
-                  rel:  related
-                  text: SC-11
-            - 
-              id:         sc-23_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system protects the authenticity of communications
-                                 sessions.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and communications protection policy\n\nprocedures addressing session authenticity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Automated mechanisms supporting and/or implementing session authenticity
-        - 
-          id:         sc-28
-          class:      SP800-53
-          title:      Protection of Information at Rest
-          parameters: 
-            - 
-              id:          sc-28_prm_1
-              constraints: 
-                - 
-                  detail: confidentiality AND integrity
-            - 
-              id:    sc-28_prm_2
-              label: organization-defined information at rest
-          properties: 
-            - 
-              name:  label
-              value: SC-28
-            - 
-              name:  sort-id
-              value: sc-28
-          links: 
-            - 
-              href: #81f09e01-d0b0-4ae2-aa6a-064ed9950070
-              rel:  reference
-              text: NIST Special Publication 800-56
-            - 
-              href: #a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-              rel:  reference
-              text: NIST Special Publication 800-57
-            - 
-              href: #3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-              rel:  reference
-              text: NIST Special Publication 800-111
-          parts: 
-            - 
-              id:    sc-28_smt
-              name:  statement
-              prose: The information system protects the {{ sc-28_prm_1 }} of {{ sc-28_prm_2 }}.
-              parts: 
-                - 
-                  id:    sc-28_fr
-                  name:  item
-                  title: SC-28 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         sc-28_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      The organization supports the capability to use cryptographic mechanisms to protect information at rest.
-            - 
-              id:    sc-28_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the confidentiality and integrity of information at rest and
-                                 covers user information and system information. Information at rest refers to the
-                                 state of information when it is located on storage devices as specific components of
-                                 information systems. System-related information requiring protection includes, for
-                                 example, configurations or rule sets for firewalls, gateways, intrusion
-                                 detection/prevention systems, filtering routers, and authenticator content.
-                                 Organizations may employ different mechanisms to achieve confidentiality and
-                                 integrity protections, including the use of cryptographic mechanisms and file share
-                                 scanning. Integrity protection can be achieved, for example, by implementing
-                                 Write-Once-Read-Many (WORM) technologies. Organizations may also employ other
-                                 security controls including, for example, secure off-line storage in lieu of online
-                                 storage when adequate protection of information at rest cannot otherwise be achieved
-                                 and/or continuous monitoring to identify malicious code at rest.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    sc-28_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         sc-28_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-28[1]
-                  prose: 
-                    """
-                      the organization defines information at rest requiring one or more of the
-                                        following:
-                    """
-                  parts: 
-                    - 
-                      id:         sc-28_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-28[1][a]
-                      prose:      confidentiality protection; and/or
-                    - 
-                      id:         sc-28_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-28[1][b]
-                      prose:      integrity protection;
-                - 
-                  id:         sc-28_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SC-28[2]
-                  prose:      the information system protects:
-                  parts: 
-                    - 
-                      id:         sc-28_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-28[2][a]
-                      prose:      the confidentiality of organization-defined information at rest; and/or
-                    - 
-                      id:         sc-28_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SC-28[2][b]
-                      prose:      the integrity of organization-defined information at rest.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and communications protection policy\n\nprocedures addressing protection of information at rest\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity
-                                        protections\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing confidentiality and integrity
-                                        protections for information at rest
-                    """
-          controls: 
-            - 
-              id:         sc-28.1
-              class:      SP800-53-enhancement
-              title:      Cryptographic Protection
-              parameters: 
-                - 
-                  id:    sc-28.1_prm_1
-                  label: organization-defined information
-                - 
-                  id:    sc-28.1_prm_2
-                  label: organization-defined information system components
-              properties: 
-                - 
-                  name:  label
-                  value: SC-28(1)
-                - 
-                  name:  sort-id
-                  value: sc-28.01
-              parts: 
-                - 
-                  id:    sc-28.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements cryptographic mechanisms to prevent unauthorized
-                                        disclosure and modification of {{ sc-28.1_prm_1 }} on {{ sc-28.1_prm_2 }}.
-                    """
-                - 
-                  id:    sc-28.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Selection of cryptographic mechanisms is based on the need to protect the
-                                        confidentiality and integrity of organizational information. The strength of
-                                        mechanism is commensurate with the security category and/or classification of the
-                                        information. This control enhancement applies to significant concentrations of
-                                        digital media in organizational areas designated for media storage and also to
-                                        limited quantities of media generally associated with information system
-                                        components in operational environments (e.g., portable storage devices, mobile
-                                        devices). Organizations have the flexibility to either encrypt all information on
-                                        storage devices (i.e., full disk encryption) or encrypt specific data structures
-                                        (e.g., files, records, or fields). Organizations employing cryptographic
-                                        mechanisms to protect information at rest also consider cryptographic key
-                                        management solutions.
-                    """
-                  links: 
-                    - 
-                      href: #ac-19
-                      rel:  related
-                      text: AC-19
-                    - 
-                      href: #sc-12
-                      rel:  related
-                      text: SC-12
-                - 
-                  id:    sc-28.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         sc-28.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-28(1)[1]
-                      prose:      the organization defines information requiring cryptographic protection;
-                    - 
-                      id:         sc-28.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SC-28(1)[2]
-                      prose: 
-                        """
-                          the organization defines information system components with
-                                               organization-defined information requiring cryptographic protection; and
-                        """
-                    - 
-                      id:         sc-28.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SC-28(1)[3]
-                      prose: 
-                        """
-                          the information system employs cryptographic mechanisms to prevent unauthorized
-                                               disclosure and modification of organization-defined information on
-                                               organization-defined information system components.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and communications protection policy\n\nprocedures addressing protection of information at rest\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Cryptographic mechanisms implementing confidentiality and integrity protections
-                                               for information at rest
-                        """
-        - 
-          id:         sc-39
-          class:      SP800-53
-          title:      Process Isolation
-          properties: 
-            - 
-              name:  label
-              value: SC-39
-            - 
-              name:  sort-id
-              value: sc-39
-          parts: 
-            - 
-              id:    sc-39_smt
-              name:  statement
-              prose: 
-                """
-                  The information system maintains a separate execution domain for each executing
-                                 process.
-                """
-            - 
-              id:    sc-39_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information systems can maintain separate execution domains for each executing
-                                 process by assigning each process a separate address space. Each information system
-                                 process has a distinct address space so that communication between processes is
-                                 performed in a manner controlled through the security functions, and one process
-                                 cannot modify the executing code of another process. Maintaining separate execution
-                                 domains for executing processes can be achieved, for example, by implementing
-                                 separate address spaces. This capability is available in most commercial operating
-                                 systems that employ multi-state processor technologies.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-6
-                  rel:  related
-                  text: AC-6
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-5
-                  rel:  related
-                  text: SA-5
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sc-2
-                  rel:  related
-                  text: SC-2
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:         sc-39_obj
-              name:       objective
-              properties: 
-                - 
-                  name:  conformity
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: assessment-objective
-                - 
-                  name:  method
-                  class: fedramp
-                  value: EXAMINE
-                - 
-                  name:  method
-                  class: fedramp
-                  value: INTERVIEW
-                - 
-                  name:  method
-                  class: fedramp
-                  value: TEST
-              prose: 
-                """
-                  Determine if the information system maintains a separate execution domain for each
-                                 executing process.
-                """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Information system developers/integrators\n\ninformation system security architect
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing separate execution domains for
-                                        each executing process
-                    """
-    - 
-      id:       si
-      class:    family
-      title:    System and Information Integrity
-      controls: 
-        - 
-          id:         si-1
-          class:      SP800-53
-          title:      System and Information Integrity Policy and Procedures
-          parameters: 
-            - 
-              id:    si-1_prm_1
-              label: organization-defined personnel or roles
-            - 
-              id:          si-1_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least every 3 years
-            - 
-              id:          si-1_prm_3
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least annually
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-1
-            - 
-              name:  sort-id
-              value: si-01
-          links: 
-            - 
-              href: #5c201b63-0768-417b-ac22-3f014e3941b2
-              rel:  reference
-              text: NIST Special Publication 800-12
-            - 
-              href: #9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-              rel:  reference
-              text: NIST Special Publication 800-100
-          parts: 
-            - 
-              id:    si-1_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-1_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Develops, documents, and disseminates to {{ si-1_prm_1 }}:
-                  parts: 
-                    - 
-                      id:         si-1_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          A system and information integrity policy that addresses purpose, scope, roles,
-                                               responsibilities, management commitment, coordination among organizational
-                                               entities, and compliance; and
-                        """
-                    - 
-                      id:         si-1_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          Procedures to facilitate the implementation of the system and information
-                                               integrity policy and associated system and information integrity controls;
-                                               and
-                        """
-                - 
-                  id:         si-1_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reviews and updates the current:
-                  parts: 
-                    - 
-                      id:         si-1_smt.b.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          System and information integrity policy {{ si-1_prm_2 }};
-                                               and
-                        """
-                    - 
-                      id:         si-1_smt.b.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      System and information integrity procedures {{ si-1_prm_3 }}.
-            - 
-              id:    si-1_gdn
-              name:  guidance
-              prose: 
-                """
-                  This control addresses the establishment of policy and procedures for the effective
-                                 implementation of selected security controls and control enhancements in the SI
-                                 family. Policy and procedures reflect applicable federal laws, Executive Orders,
-                                 directives, regulations, policies, standards, and guidance. Security program policies
-                                 and procedures at the organization level may make the need for system-specific
-                                 policies and procedures unnecessary. The policy can be included as part of the
-                                 general information security policy for organizations or conversely, can be
-                                 represented by multiple policies reflecting the complex nature of certain
-                                 organizations. The procedures can be established for the security program in general
-                                 and for particular information systems, if needed. The organizational risk management
-                                 strategy is a key factor in establishing policy and procedures.
-                """
-              links: 
-                - 
-                  href: #pm-9
-                  rel:  related
-                  text: PM-9
-            - 
-              id:    si-1_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-1.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-1(a)
-                  parts: 
-                    - 
-                      id:         si-1.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(a)(1)
-                      parts: 
-                        - 
-                          id:         si-1.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[1]
-                          prose: 
-                            """
-                              develops and documents a system and information integrity policy that
-                                                      addresses:
-                            """
-                          parts: 
-                            - 
-                              id:         si-1.a.1_obj.1.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][a]
-                              prose:      purpose;
-                            - 
-                              id:         si-1.a.1_obj.1.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][b]
-                              prose:      scope;
-                            - 
-                              id:         si-1.a.1_obj.1.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][c]
-                              prose:      roles;
-                            - 
-                              id:         si-1.a.1_obj.1.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][d]
-                              prose:      responsibilities;
-                            - 
-                              id:         si-1.a.1_obj.1.e
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][e]
-                              prose:      management commitment;
-                            - 
-                              id:         si-1.a.1_obj.1.f
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][f]
-                              prose:      coordination among organizational entities;
-                            - 
-                              id:         si-1.a.1_obj.1.g
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-1(a)(1)[1][g]
-                              prose:      compliance;
-                        - 
-                          id:         si-1.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the system and information integrity
-                                                      policy is to be disseminated;
-                            """
-                        - 
-                          id:         si-1.a.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SI-1(a)(1)[3]
-                          prose: 
-                            """
-                              disseminates the system and information integrity policy to
-                                                      organization-defined personnel or roles;
-                            """
-                    - 
-                      id:         si-1.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(a)(2)
-                      parts: 
-                        - 
-                          id:         si-1.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[1]
-                          prose: 
-                            """
-                              develops and documents procedures to facilitate the implementation of the
-                                                      system and information integrity policy and associated system and
-                                                      information integrity controls;
-                            """
-                        - 
-                          id:         si-1.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[2]
-                          prose: 
-                            """
-                              defines personnel or roles to whom the procedures are to be
-                                                      disseminated;
-                            """
-                        - 
-                          id:         si-1.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  label
-                              value: SI-1(a)(2)[3]
-                          prose:      disseminates the procedures to organization-defined personnel or roles;
-                - 
-                  id:         si-1.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-1(b)
-                  parts: 
-                    - 
-                      id:         si-1.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(b)(1)
-                      parts: 
-                        - 
-                          id:         si-1.b.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(1)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      information integrity policy;
-                            """
-                        - 
-                          id:         si-1.b.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(1)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and information integrity policy with
-                                                      the organization-defined frequency;
-                            """
-                    - 
-                      id:         si-1.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-1(b)(2)
-                      parts: 
-                        - 
-                          id:         si-1.b.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(2)[1]
-                          prose: 
-                            """
-                              defines the frequency to review and update the current system and
-                                                      information integrity procedures; and
-                            """
-                        - 
-                          id:         si-1.b.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-1(b)(2)[2]
-                          prose: 
-                            """
-                              reviews and updates the current system and information integrity procedures
-                                                      with the organization-defined frequency.
-                            """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy and procedures\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with system and information integrity
-                                        responsibilities\n\norganizational personnel with information security responsibilities
-                    """
-        - 
-          id:         si-2
-          class:      SP800-53
-          title:      Flaw Remediation
-          parameters: 
-            - 
-              id:          si-2_prm_1
-              label:       organization-defined time period
-              constraints: 
-                - 
-                  detail: within 30 days of release of updates
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-2
-            - 
-              name:  sort-id
-              value: si-02
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-            - 
-              href: #080f8068-5e3e-435e-9790-d22ba4722693
-              rel:  reference
-              text: NIST Special Publication 800-128
-          parts: 
-            - 
-              id:    si-2_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-2_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Identifies, reports, and corrects information system flaws;
-                - 
-                  id:         si-2_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Tests software and firmware updates related to flaw remediation for effectiveness
-                                        and potential side effects before installation;
-                    """
-                - 
-                  id:         si-2_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Installs security-relevant software and firmware updates within {{ si-2_prm_1 }} of the release of the updates; and
-                - 
-                  id:         si-2_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Incorporates flaw remediation into the organizational configuration management
-                                        process.
-                    """
-            - 
-              id:    si-2_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations identify information systems affected by announced software flaws
-                                 including potential vulnerabilities resulting from those flaws, and report this
-                                 information to designated organizational personnel with information security
-                                 responsibilities. Security-relevant software updates include, for example, patches,
-                                 service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-                                 discovered during security assessments, continuous monitoring, incident response
-                                 activities, and system error handling. Organizations take advantage of available
-                                 resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-                                 Exposures (CVE) databases in remediating flaws discovered in organizational
-                                 information systems. By incorporating flaw remediation into ongoing configuration
-                                 management processes, required/anticipated remediation actions can be tracked and
-                                 verified. Flaw remediation actions that can be tracked and verified include, for
-                                 example, determining whether organizations follow US-CERT guidance and Information
-                                 Assurance Vulnerability Alerts. Organization-defined time periods for updating
-                                 security-relevant software and firmware may vary based on a variety of factors
-                                 including, for example, the security category of the information system or the
-                                 criticality of the update (i.e., severity of the vulnerability related to the
-                                 discovered flaw). Some types of flaw remediation may require more testing than other
-                                 types. Organizations determine the degree and type of testing needed for the specific
-                                 type of flaw remediation activity under consideration and also the types of changes
-                                 that are to be configuration-managed. In some situations, organizations may determine
-                                 that the testing of software and/or firmware updates is not necessary or practical,
-                                 for example, when implementing simple anti-virus signature updates. Organizations may
-                                 also consider in testing decisions, whether security-relevant software or firmware
-                                 updates are obtained from authorized sources with appropriate digital signatures.
-                """
-              links: 
-                - 
-                  href: #ca-2
-                  rel:  related
-                  text: CA-2
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #cm-5
-                  rel:  related
-                  text: CM-5
-                - 
-                  href: #cm-8
-                  rel:  related
-                  text: CM-8
-                - 
-                  href: #ma-2
-                  rel:  related
-                  text: MA-2
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sa-10
-                  rel:  related
-                  text: SA-10
-                - 
-                  href: #sa-11
-                  rel:  related
-                  text: SA-11
-                - 
-                  href: #si-11
-                  rel:  related
-                  text: SI-11
-            - 
-              id:    si-2_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-2.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(a)
-                  parts: 
-                    - 
-                      id:         si-2.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[1]
-                      prose:      identifies information system flaws;
-                    - 
-                      id:         si-2.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[2]
-                      prose:      reports information system flaws;
-                    - 
-                      id:         si-2.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(a)[3]
-                      prose:      corrects information system flaws;
-                - 
-                  id:         si-2.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(b)
-                  parts: 
-                    - 
-                      id:         si-2.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(b)[1]
-                      prose: 
-                        """
-                          tests software updates related to flaw remediation for effectiveness and
-                                               potential side effects before installation;
-                        """
-                    - 
-                      id:         si-2.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(b)[2]
-                      prose: 
-                        """
-                          tests firmware updates related to flaw remediation for effectiveness and
-                                               potential side effects before installation;
-                        """
-                - 
-                  id:         si-2.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-2(c)
-                  parts: 
-                    - 
-                      id:         si-2.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-2(c)[1]
-                      prose: 
-                        """
-                          defines the time period within which to install security-relevant software
-                                               updates after the release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-2(c)[2]
-                      prose: 
-                        """
-                          defines the time period within which to install security-relevant firmware
-                                               updates after the release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(c)[3]
-                      prose: 
-                        """
-                          installs software updates within the organization-defined time period of the
-                                               release of the updates;
-                        """
-                    - 
-                      id:         si-2.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(c)[4]
-                      prose: 
-                        """
-                          installs firmware updates within the organization-defined time period of the
-                                               release of the updates; and
-                        """
-                - 
-                  id:         si-2.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-2(d)
-                  prose: 
-                    """
-                      incorporates flaw remediation into the organizational configuration management
-                                        process.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information
-                                        system (e.g., list of installed patches, service packs, hot fixes, and other
-                                        software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct
-                                        information system flaws\n\ninstallation/change control records for security-relevant software and firmware
-                                        updates\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for identifying, reporting, and correcting information
-                                        system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and/or implementing reporting, and correcting
-                                        information system flaws\n\nautomated mechanisms supporting and/or implementing testing software and firmware
-                                        updates
-                    """
-          controls: 
-            - 
-              id:         si-2.2
-              class:      SP800-53-enhancement
-              title:      Automated Flaw Remediation Status
-              parameters: 
-                - 
-                  id:          si-2.2_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least monthly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-2(2)
-                - 
-                  name:  sort-id
-                  value: si-02.02
-              parts: 
-                - 
-                  id:    si-2.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated mechanisms {{ si-2.2_prm_1 }} to
-                                        determine the state of information system components with regard to flaw
-                                        remediation.
-                    """
-                - 
-                  id:    si-2.2_gdn
-                  name:  guidance
-                  links: 
-                    - 
-                      href: #cm-6
-                      rel:  related
-                      text: CM-6
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                - 
-                  id:    si-2.2_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-2.2_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-2(2)[1]
-                      prose: 
-                        """
-                          defines a frequency to employ automated mechanisms to determine the state of
-                                               information system components with regard to flaw remediation; and
-                        """
-                    - 
-                      id:         si-2.2_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(2)[2]
-                      prose: 
-                        """
-                          employs automated mechanisms with the organization-defined frequency to
-                                               determine the state of information system components with regard to flaw
-                                               remediation.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for flaw remediation
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms used to determine the state of information system
-                                               components with regard to flaw remediation
-                        """
-            - 
-              id:         si-2.3
-              class:      SP800-53-enhancement
-              title:      Time to Remediate Flaws / Benchmarks for Corrective Actions
-              parameters: 
-                - 
-                  id:    si-2.3_prm_1
-                  label: organization-defined benchmarks
-              properties: 
-                - 
-                  name:  label
-                  value: SI-2(3)
-                - 
-                  name:  sort-id
-                  value: si-02.03
-              parts: 
-                - 
-                  id:    si-2.3_smt
-                  name:  statement
-                  prose: The organization:
-                  parts: 
-                    - 
-                      id:         si-2.3_smt.a
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (a)
-                      prose:      Measures the time between flaw identification and flaw remediation; and
-                    - 
-                      id:         si-2.3_smt.b
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: (b)
-                      prose: 
-                        """
-                          Establishes {{ si-2.3_prm_1 }} for taking corrective
-                                               actions.
-                        """
-                - 
-                  id:    si-2.3_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement requires organizations to determine the current time it
-                                        takes on the average to correct information system flaws after such flaws have
-                                        been identified, and subsequently establish organizational benchmarks (i.e., time
-                                        frames) for taking corrective actions. Benchmarks can be established by type of
-                                        flaw and/or severity of the potential vulnerability if the flaw can be
-                                        exploited.
-                    """
-                - 
-                  id:    si-2.3_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-2.3.a_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-2(3)(a)
-                      prose:      measures the time between flaw identification and flaw remediation;
-                      links: 
-                        - 
-                          href: #si-2.3_smt.a
-                          rel:  corresp
-                          text: SI-2(3)(a)
-                    - 
-                      id:         si-2.3.b_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-2(3)(b)
-                      parts: 
-                        - 
-                          id:         si-2.3.b_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-2(3)(b)[1]
-                          prose:      defines benchmarks for taking corrective actions; and
-                        - 
-                          id:         si-2.3.b_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-2(3)(b)[2]
-                          prose: 
-                            """
-                              establishes organization-defined benchmarks for taking corrective
-                                                      actions.
-                            """
-                      links: 
-                        - 
-                          href: #si-2.3_smt.b
-                          rel:  corresp
-                          text: SI-2(3)(b)
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of benchmarks for taking corrective action on flaws identified\n\nrecords providing time stamps of flaw identification and subsequent flaw
-                                               remediation activities\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for flaw remediation
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for identifying, reporting, and correcting information
-                                               system flaws\n\nautomated mechanisms used to measure the time between flaw identification and
-                                               flaw remediation
-                        """
-        - 
-          id:         si-3
-          class:      SP800-53
-          title:      Malicious Code Protection
-          parameters: 
-            - 
-              id:          si-3_prm_1
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least weekly
-            - 
-              id:          si-3_prm_2
-              constraints: 
-                - 
-                  detail: to include endpoints
-            - 
-              id:          si-3_prm_3
-              constraints: 
-                - 
-                  detail: to include alerting administrator or defined security personnel
-            - 
-              id:         si-3_prm_4
-              depends-on: si-3_prm_3
-              label:      organization-defined action
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-3
-            - 
-              name:  sort-id
-              value: si-03
-          links: 
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-          parts: 
-            - 
-              id:    si-3_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-3_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs malicious code protection mechanisms at information system entry and exit
-                                        points to detect and eradicate malicious code;
-                    """
-                - 
-                  id:         si-3_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates malicious code protection mechanisms whenever new releases are available
-                                        in accordance with organizational configuration management policy and
-                                        procedures;
-                    """
-                - 
-                  id:         si-3_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Configures malicious code protection mechanisms to:
-                  parts: 
-                    - 
-                      id:         si-3_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Perform periodic scans of the information system {{ si-3_prm_1 }} and real-time scans of files from external sources at {{ si-3_prm_2 }} as the files are downloaded, opened, or executed in
-                                               accordance with organizational security policy; and
-                        """
-                    - 
-                      id:         si-3_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          
-                                               {{ si-3_prm_3 }} in response to malicious code detection;
-                                               and
-                        """
-                - 
-                  id:         si-3_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Addresses the receipt of false positives during malicious code detection and
-                                        eradication and the resulting potential impact on the availability of the
-                                        information system.
-                    """
-            - 
-              id:    si-3_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system entry and exit points include, for example, firewalls, electronic
-                                 mail servers, web servers, proxy servers, remote-access servers, workstations,
-                                 notebook computers, and mobile devices. Malicious code includes, for example,
-                                 viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-                                 various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-                                 files, or hidden in files using steganography. Malicious code can be transported by
-                                 different means including, for example, web accesses, electronic mail, electronic
-                                 mail attachments, and portable storage devices. Malicious code insertions occur
-                                 through the exploitation of information system vulnerabilities. Malicious code
-                                 protection mechanisms include, for example, anti-virus signature definitions and
-                                 reputation-based technologies. A variety of technologies and methods exist to limit
-                                 or eliminate the effects of malicious code. Pervasive configuration management and
-                                 comprehensive software integrity controls may be effective in preventing execution of
-                                 unauthorized code. In addition to commercial off-the-shelf software, malicious code
-                                 may also be present in custom-built software. This could include, for example, logic
-                                 bombs, back doors, and other types of cyber attacks that could affect organizational
-                                 missions/business functions. Traditional malicious code protection mechanisms cannot
-                                 always detect such code. In these situations, organizations rely instead on other
-                                 safeguards including, for example, secure coding practices, configuration management
-                                 and control, trusted procurement processes, and monitoring practices to help ensure
-                                 that software does not perform functions other than the functions intended.
-                                 Organizations may determine that in response to the detection of malicious code,
-                                 different actions may be warranted. For example, organizations can define actions in
-                                 response to malicious code detection during periodic scans, actions in response to
-                                 detection of malicious downloads, and/or actions in response to detection of
-                                 maliciousness when attempting to open or execute files.
-                """
-              links: 
-                - 
-                  href: #cm-3
-                  rel:  related
-                  text: CM-3
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #sa-4
-                  rel:  related
-                  text: SA-4
-                - 
-                  href: #sa-8
-                  rel:  related
-                  text: SA-8
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sa-13
-                  rel:  related
-                  text: SA-13
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-26
-                  rel:  related
-                  text: SC-26
-                - 
-                  href: #sc-44
-                  rel:  related
-                  text: SC-44
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-                - 
-                  href: #si-4
-                  rel:  related
-                  text: SI-4
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    si-3_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-3.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-3(a)
-                  prose: 
-                    """
-                      employs malicious code protection mechanisms to detect and eradicate malicious
-                                        code at information system:
-                    """
-                  parts: 
-                    - 
-                      id:         si-3.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(a)[1]
-                      prose:      entry points;
-                    - 
-                      id:         si-3.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(a)[2]
-                      prose:      exit points;
-                - 
-                  id:         si-3.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-3(b)
-                  prose: 
-                    """
-                      updates malicious code protection mechanisms whenever new releases are available
-                                        in accordance with organizational configuration management policy and procedures
-                                        (as identified in CM-1);
-                    """
-                - 
-                  id:         si-3.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(c)
-                  parts: 
-                    - 
-                      id:         si-3.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-3(c)[1]
-                      prose: 
-                        """
-                          defines a frequency for malicious code protection mechanisms to perform
-                                               periodic scans of the information system;
-                        """
-                    - 
-                      id:         si-3.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-3(c)[2]
-                      prose: 
-                        """
-                          defines action to be initiated by malicious protection mechanisms in response
-                                               to malicious code detection;
-                        """
-                    - 
-                      id:         si-3.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-3(c)[3]
-                      parts: 
-                        - 
-                          id:         si-3.c.1_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-3(c)[3](1)
-                          prose:      configures malicious code protection mechanisms to:
-                          parts: 
-                            - 
-                              id:         si-3.c.1_obj.3.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](1)[a]
-                              prose: 
-                                """
-                                  perform periodic scans of the information system with the
-                                                             organization-defined frequency;
-                                """
-                            - 
-                              id:         si-3.c.1_obj.3.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](1)[b]
-                              prose: 
-                                """
-                                  perform real-time scans of files from external sources at endpoint and/or
-                                                             network entry/exit points as the files are downloaded, opened, or
-                                                             executed in accordance with organizational security policy;
-                                """
-                        - 
-                          id:         si-3.c.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-3(c)[3](2)
-                          prose: 
-                            """
-                              configures malicious code protection mechanisms to do one or more of the
-                                                      following:
-                            """
-                          parts: 
-                            - 
-                              id:         si-3.c.2_obj.3.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[a]
-                              prose:      block malicious code in response to malicious code detection;
-                            - 
-                              id:         si-3.c.2_obj.3.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[b]
-                              prose:      quarantine malicious code in response to malicious code detection;
-                            - 
-                              id:         si-3.c.2_obj.3.c
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[c]
-                              prose: 
-                                """
-                                  send alert to administrator in response to malicious code detection;
-                                                             and/or
-                                """
-                            - 
-                              id:         si-3.c.2_obj.3.d
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-3(c)[3](2)[d]
-                              prose: 
-                                """
-                                  initiate organization-defined action in response to malicious code
-                                                             detection;
-                                """
-                - 
-                  id:         si-3.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-3(d)
-                  parts: 
-                    - 
-                      id:         si-3.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-3(d)[1]
-                      prose: 
-                        """
-                          addresses the receipt of false positives during malicious code detection and
-                                               eradication; and
-                        """
-                    - 
-                      id:         si-3.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-3(d)[2]
-                      prose: 
-                        """
-                          addresses the resulting potential impact on the availability of the information
-                                               system.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to
-                                        malicious code detection\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for employing, updating, and configuring malicious code
-                                        protection mechanisms\n\norganizational process for addressing false positives and resulting potential
-                                        impact\n\nautomated mechanisms supporting and/or implementing employing, updating, and
-                                        configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and/or implementing malicious code scanning and
-                                        subsequent actions
-                    """
-          controls: 
-            - 
-              id:         si-3.1
-              class:      SP800-53-enhancement
-              title:      Central Management
-              properties: 
-                - 
-                  name:  label
-                  value: SI-3(1)
-                - 
-                  name:  sort-id
-                  value: si-03.01
-              parts: 
-                - 
-                  id:    si-3.1_smt
-                  name:  statement
-                  prose: The organization centrally manages malicious code protection mechanisms.
-                - 
-                  id:    si-3.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Central management is the organization-wide management and implementation of
-                                        malicious code protection mechanisms. Central management includes planning,
-                                        implementing, assessing, authorizing, and monitoring the organization-defined,
-                                        centrally managed flaw malicious code protection security controls.
-                    """
-                  links: 
-                    - 
-                      href: #au-2
-                      rel:  related
-                      text: AU-2
-                    - 
-                      href: #si-8
-                      rel:  related
-                      text: SI-8
-                - 
-                  id:         si-3.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization centrally manages malicious code protection
-                                        mechanisms.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code
-                                               protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for malicious code protection
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for central management of malicious code protection
-                                               mechanisms\n\nautomated mechanisms supporting and/or implementing central management of
-                                               malicious code protection mechanisms
-                        """
-            - 
-              id:         si-3.2
-              class:      SP800-53-enhancement
-              title:      Automatic Updates
-              properties: 
-                - 
-                  name:  label
-                  value: SI-3(2)
-                - 
-                  name:  sort-id
-                  value: si-03.02
-              parts: 
-                - 
-                  id:    si-3.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system automatically updates malicious code protection
-                                        mechanisms.
-                    """
-                - 
-                  id:    si-3.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Malicious code protection mechanisms include, for example, signature definitions.
-                                        Due to information system integrity and availability concerns, organizations give
-                                        careful consideration to the methodology used to carry out automatic updates.
-                    """
-                  links: 
-                    - 
-                      href: #si-8
-                      rel:  related
-                      text: SI-8
-                - 
-                  id:         si-3.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system automatically updates malicious code
-                                        protection mechanisms.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code
-                                               protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for malicious code protection
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing automatic updates to
-                                               malicious code protection capability
-                        """
-            - 
-              id:         si-3.7
-              class:      SP800-53-enhancement
-              title:      Nonsignature-based Detection
-              properties: 
-                - 
-                  name:  label
-                  value: SI-3(7)
-                - 
-                  name:  sort-id
-                  value: si-03.07
-              parts: 
-                - 
-                  id:    si-3.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system implements nonsignature-based malicious code detection
-                                        mechanisms.
-                    """
-                - 
-                  id:    si-3.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Nonsignature-based detection mechanisms include, for example, the use of
-                                        heuristics to detect, analyze, and describe the characteristics or behavior of
-                                        malicious code and to provide safeguards against malicious code for which
-                                        signatures do not yet exist or for which existing signatures may not be effective.
-                                        This includes polymorphic malicious code (i.e., code that changes signatures when
-                                        it replicates). This control enhancement does not preclude the use of
-                                        signature-based detection mechanisms.
-                    """
-                - 
-                  id:         si-3.7_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system implements non signature-based malicious code
-                                        detection mechanisms.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing malicious code protection\n\ninformation system design documentation\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for malicious code protection
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Automated mechanisms supporting and/or implementing nonsignature-based
-                                               malicious code protection capability
-                        """
-        - 
-          id:         si-4
-          class:      SP800-53
-          title:      Information System Monitoring
-          parameters: 
-            - 
-              id:    si-4_prm_1
-              label: organization-defined monitoring objectives
-            - 
-              id:    si-4_prm_2
-              label: organization-defined techniques and methods
-            - 
-              id:    si-4_prm_3
-              label: organization-defined information system monitoring information
-            - 
-              id:    si-4_prm_4
-              label: organization-defined personnel or roles
-            - 
-              id: si-4_prm_5
-            - 
-              id:         si-4_prm_6
-              depends-on: si-4_prm_5
-              label:      organization-defined frequency
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-4
-            - 
-              name:  sort-id
-              value: si-04
-          links: 
-            - 
-              href: #be95fb85-a53f-4624-bdbb-140075500aa3
-              rel:  reference
-              text: NIST Special Publication 800-61
-            - 
-              href: #6d431fee-658f-4a0e-9f2e-a38b5d398fab
-              rel:  reference
-              text: NIST Special Publication 800-83
-            - 
-              href: #672fd561-b92b-4713-b9cf-6c9d9456728b
-              rel:  reference
-              text: NIST Special Publication 800-92
-            - 
-              href: #d1b1d689-0f66-4474-9924-c81119758dc1
-              rel:  reference
-              text: NIST Special Publication 800-94
-            - 
-              href: #cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-              rel:  reference
-              text: NIST Special Publication 800-137
-          parts: 
-            - 
-              id:    si-4_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-4_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Monitors the information system to detect:
-                  parts: 
-                    - 
-                      id:         si-4_smt.a.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose:      Attacks and indicators of potential attacks in accordance with {{ si-4_prm_1 }}; and
-                    - 
-                      id:         si-4_smt.a.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose:      Unauthorized local, network, and remote connections;
-                - 
-                  id:         si-4_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Identifies unauthorized use of the information system through {{ si-4_prm_2 }};
-                - 
-                  id:         si-4_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Deploys monitoring devices:
-                  parts: 
-                    - 
-                      id:         si-4_smt.c.1
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 1.
-                      prose: 
-                        """
-                          Strategically within the information system to collect organization-determined
-                                               essential information; and
-                        """
-                    - 
-                      id:         si-4_smt.c.2
-                      name:       item
-                      properties: 
-                        - 
-                          name:  label
-                          value: 2.
-                      prose: 
-                        """
-                          At ad hoc locations within the system to track specific types of transactions
-                                               of interest to the organization;
-                        """
-                - 
-                  id:         si-4_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Protects information obtained from intrusion-monitoring tools from unauthorized
-                                        access, modification, and deletion;
-                    """
-                - 
-                  id:         si-4_smt.e
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: e.
-                  prose: 
-                    """
-                      Heightens the level of information system monitoring activity whenever there is an
-                                        indication of increased risk to organizational operations and assets, individuals,
-                                        other organizations, or the Nation based on law enforcement information,
-                                        intelligence information, or other credible sources of information;
-                    """
-                - 
-                  id:         si-4_smt.f
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: f.
-                  prose: 
-                    """
-                      Obtains legal opinion with regard to information system monitoring activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        or regulations; and
-                    """
-                - 
-                  id:         si-4_smt.g
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: g.
-                  prose: 
-                    """
-                      Provides {{ si-4_prm_3 }} to {{ si-4_prm_4 }}
-                                        {{ si-4_prm_5 }}.
-                    """
-                - 
-                  id:    si-4_fr
-                  name:  item
-                  title: SI-4 Additional FedRAMP Requirements and Guidance
-                  parts: 
-                    - 
-                      id:         si-4_fr_gdn.1
-                      name:       guidance
-                      properties: 
-                        - 
-                          name:  label
-                          value: Guidance:
-                      prose:      See US-CERT Incident Response Reporting Guidelines.
-            - 
-              id:    si-4_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system monitoring includes external and internal monitoring. External
-                                 monitoring includes the observation of events occurring at the information system
-                                 boundary (i.e., part of perimeter defense and boundary protection). Internal
-                                 monitoring includes the observation of events occurring within the information
-                                 system. Organizations can monitor information systems, for example, by observing
-                                 audit activities in real time or by observing other system aspects such as access
-                                 patterns, characteristics of access, and other actions. The monitoring objectives may
-                                 guide determination of the events. Information system monitoring capability is
-                                 achieved through a variety of tools and techniques (e.g., intrusion detection
-                                 systems, intrusion prevention systems, malicious code protection software, scanning
-                                 tools, audit record monitoring software, network monitoring software). Strategic
-                                 locations for monitoring devices include, for example, selected perimeter locations
-                                 and near server farms supporting critical applications, with such devices typically
-                                 being employed at the managed interfaces associated with controls SC-7 and AC-17.
-                                 Einstein network monitoring devices from the Department of Homeland Security can also
-                                 be included as monitoring devices. The granularity of monitoring information
-                                 collected is based on organizational monitoring objectives and the capability of
-                                 information systems to support such objectives. Specific types of transactions of
-                                 interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-                                 bypasses HTTP proxies. Information system monitoring is an integral part of
-                                 organizational continuous monitoring and incident response programs. Output from
-                                 system monitoring serves as input to continuous monitoring and incident response
-                                 programs. A network connection is any connection with a device that communicates
-                                 through a network (e.g., local area network, Internet). A remote connection is any
-                                 connection with a device communicating through an external network (e.g., the
-                                 Internet). Local, network, and remote connections can be either wired or
-                                 wireless.
-                """
-              links: 
-                - 
-                  href: #ac-3
-                  rel:  related
-                  text: AC-3
-                - 
-                  href: #ac-4
-                  rel:  related
-                  text: AC-4
-                - 
-                  href: #ac-8
-                  rel:  related
-                  text: AC-8
-                - 
-                  href: #ac-17
-                  rel:  related
-                  text: AC-17
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-6
-                  rel:  related
-                  text: AU-6
-                - 
-                  href: #au-7
-                  rel:  related
-                  text: AU-7
-                - 
-                  href: #au-9
-                  rel:  related
-                  text: AU-9
-                - 
-                  href: #au-12
-                  rel:  related
-                  text: AU-12
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #ir-4
-                  rel:  related
-                  text: IR-4
-                - 
-                  href: #pe-3
-                  rel:  related
-                  text: PE-3
-                - 
-                  href: #ra-5
-                  rel:  related
-                  text: RA-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #sc-26
-                  rel:  related
-                  text: SC-26
-                - 
-                  href: #sc-35
-                  rel:  related
-                  text: SC-35
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-                - 
-                  href: #si-7
-                  rel:  related
-                  text: SI-7
-            - 
-              id:    si-4_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-4.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(a)
-                  parts: 
-                    - 
-                      id:         si-4.a.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(a)(1)
-                      parts: 
-                        - 
-                          id:         si-4.a.1_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: EXAMINE
-                            - 
-                              name:  label
-                              value: SI-4(a)(1)[1]
-                          prose: 
-                            """
-                              defines monitoring objectives to detect attacks and indicators of potential
-                                                      attacks on the information system;
-                            """
-                        - 
-                          id:         si-4.a.1_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  conformity
-                              ns:    https://fedramp.gov/ns/oscal
-                              value: assessment-objective
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: INTERVIEW
-                            - 
-                              name:  method
-                              class: fedramp
-                              value: TEST
-                            - 
-                              name:  label
-                              value: SI-4(a)(1)[2]
-                          prose: 
-                            """
-                              monitors the information system to detect, in accordance with
-                                                      organization-defined monitoring objectives,:
-                            """
-                          parts: 
-                            - 
-                              id:         si-4.a.1_obj.2.a
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-4(a)(1)[2][a]
-                              prose:      attacks;
-                            - 
-                              id:         si-4.a.1_obj.2.b
-                              name:       objective
-                              properties: 
-                                - 
-                                  name:  label
-                                  value: SI-4(a)(1)[2][b]
-                              prose:      indicators of potential attacks;
-                    - 
-                      id:         si-4.a.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(a)(2)
-                      prose:      monitors the information system to detect unauthorized:
-                      parts: 
-                        - 
-                          id:         si-4.a.2_obj.1
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[1]
-                          prose:      local connections;
-                        - 
-                          id:         si-4.a.2_obj.2
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[2]
-                          prose:      network connections;
-                        - 
-                          id:         si-4.a.2_obj.3
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(a)(2)[3]
-                          prose:      remote connections;
-                - 
-                  id:         si-4.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(b)
-                  parts: 
-                    - 
-                      id:         si-4.b.1_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(b)(1)
-                      prose: 
-                        """
-                          defines techniques and methods to identify unauthorized use of the information
-                                               system;
-                        """
-                    - 
-                      id:         si-4.b.2_obj
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(b)(2)
-                      prose: 
-                        """
-                          identifies unauthorized use of the information system through
-                                               organization-defined techniques and methods;
-                        """
-                - 
-                  id:         si-4.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(c)
-                  prose:      deploys monitoring devices:
-                  parts: 
-                    - 
-                      id:         si-4.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(c)[1]
-                      prose: 
-                        """
-                          strategically within the information system to collect organization-determined
-                                               essential information;
-                        """
-                    - 
-                      id:         si-4.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(c)[2]
-                      prose: 
-                        """
-                          at ad hoc locations within the system to track specific types of transactions
-                                               of interest to the organization;
-                        """
-                - 
-                  id:         si-4.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(d)
-                  prose: 
-                    """
-                      protects information obtained from intrusion-monitoring tools from
-                                        unauthorized:
-                    """
-                  parts: 
-                    - 
-                      id:         si-4.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[1]
-                      prose:      access;
-                    - 
-                      id:         si-4.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[2]
-                      prose:      modification;
-                    - 
-                      id:         si-4.d_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-4(d)[3]
-                      prose:      deletion;
-                - 
-                  id:         si-4.e_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-4(e)
-                  prose: 
-                    """
-                      heightens the level of information system monitoring activity whenever there is an
-                                        indication of increased risk to organizational operations and assets, individuals,
-                                        other organizations, or the Nation based on law enforcement information,
-                                        intelligence information, or other credible sources of information;
-                    """
-                - 
-                  id:         si-4.f_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  label
-                      value: SI-4(f)
-                  prose: 
-                    """
-                      obtains legal opinion with regard to information system monitoring activities in
-                                        accordance with applicable federal laws, Executive Orders, directives, policies,
-                                        or regulations;
-                    """
-                - 
-                  id:         si-4.g_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-4(g)
-                  parts: 
-                    - 
-                      id:         si-4.g_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom information system monitoring information is
-                                               to be provided;
-                        """
-                    - 
-                      id:         si-4.g_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[2]
-                      prose: 
-                        """
-                          defines information system monitoring information to be provided to
-                                               organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         si-4.g_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(g)[3]
-                      prose: 
-                        """
-                          defines a frequency to provide organization-defined information system
-                                               monitoring to organization-defined personnel or roles;
-                        """
-                    - 
-                      id:         si-4.g_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(g)[4]
-                      prose: 
-                        """
-                          provides organization-defined information system monitoring information to
-                                               organization-defined personnel or roles one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-4.g_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(g)[4][a]
-                          prose:      as needed; and/or
-                        - 
-                          id:         si-4.g_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(g)[4][b]
-                          prose:      with the organization-defined frequency.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                        information system\n\norganizational personnel with responsibility monitoring the information system
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing information system monitoring
-                                        capability
-                    """
-          controls: 
-            - 
-              id:         si-4.1
-              class:      SP800-53-enhancement
-              title:      System-wide Intrusion Detection System
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(1)
-                - 
-                  name:  sort-id
-                  value: si-04.01
-              parts: 
-                - 
-                  id:    si-4.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization connects and configures individual intrusion detection tools into
-                                        an information system-wide intrusion detection system.
-                    """
-                - 
-                  id:    si-4.1_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(1)[1]
-                      prose: 
-                        """
-                          connects individual intrusion detection tools into an information system-wide
-                                               intrusion detection system; and
-                        """
-                    - 
-                      id:         si-4.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(1)[2]
-                      prose: 
-                        """
-                          configures individual intrusion detection tools into an information system-wide
-                                               intrusion detection system.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion detection
-                                               capability
-                        """
-            - 
-              id:         si-4.2
-              class:      SP800-53-enhancement
-              title:      Automated Tools for Real-time Analysis
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(2)
-                - 
-                  name:  sort-id
-                  value: si-04.02
-              parts: 
-                - 
-                  id:    si-4.2_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs automated tools to support near real-time analysis of
-                                        events.
-                    """
-                - 
-                  id:    si-4.2_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Automated tools include, for example, host-based, network-based, transport-based,
-                                        or storage-based event monitoring tools or Security Information and Event
-                                        Management (SIEM) technologies that provide real time analysis of alerts and/or
-                                        notifications generated by organizational information systems.
-                    """
-                - 
-                  id:         si-4.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization employs automated tools to support near real-time
-                                        analysis of events.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for incident
-                                               response/management
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for near real-time analysis of events\n\norganizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing information system
-                                               monitoring\n\nautomated mechanisms/tools supporting and/or implementing analysis of
-                                               events
-                        """
-            - 
-              id:         si-4.4
-              class:      SP800-53-enhancement
-              title:      Inbound and Outbound Communications Traffic
-              parameters: 
-                - 
-                  id:          si-4.4_prm_1
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: continuously
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-4(4)
-                - 
-                  name:  sort-id
-                  value: si-04.04
-              parts: 
-                - 
-                  id:    si-4.4_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system monitors inbound and outbound communications traffic
-                                           {{ si-4.4_prm_1 }} for unusual or unauthorized activities or
-                                        conditions.
-                    """
-                - 
-                  id:    si-4.4_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Unusual/unauthorized activities or conditions related to information system
-                                        inbound and outbound communications traffic include, for example, internal traffic
-                                        that indicates the presence of malicious code within organizational information
-                                        systems or propagating among system components, the unauthorized exporting of
-                                        information, or signaling to external information systems. Evidence of malicious
-                                        code is used to identify potentially compromised information systems or
-                                        information system components.
-                    """
-                - 
-                  id:    si-4.4_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.4_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(4)[1]
-                      prose:      defines a frequency to monitor:
-                      parts: 
-                        - 
-                          id:         si-4.4_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(4)[1][a]
-                          prose: 
-                            """
-                              inbound communications traffic for unusual or unauthorized activities or
-                                                      conditions;
-                            """
-                        - 
-                          id:         si-4.4_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(4)[1][b]
-                          prose: 
-                            """
-                              outbound communications traffic for unusual or unauthorized activities or
-                                                      conditions;
-                            """
-                    - 
-                      id:         si-4.4_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(4)[2]
-                      prose:      monitors, with the organization-defined frequency:
-                      parts: 
-                        - 
-                          id:         si-4.4_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(4)[2][a]
-                          prose: 
-                            """
-                              inbound communications traffic for unusual or unauthorized activities or
-                                                      conditions; and
-                            """
-                        - 
-                          id:         si-4.4_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-4(4)[2][b]
-                          prose: 
-                            """
-                              outbound communications traffic for unusual or unauthorized activities or
-                                                      conditions.
-                            """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system protocols\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion detection
-                                               capability/information system monitoring\n\nautomated mechanisms supporting and/or implementing monitoring of
-                                               inbound/outbound communications traffic
-                        """
-            - 
-              id:         si-4.5
-              class:      SP800-53-enhancement
-              title:      System-generated Alerts
-              parameters: 
-                - 
-                  id:    si-4.5_prm_1
-                  label: organization-defined personnel or roles
-                - 
-                  id:    si-4.5_prm_2
-                  label: organization-defined compromise indicators
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(5)
-                - 
-                  name:  sort-id
-                  value: si-04.05
-              parts: 
-                - 
-                  id:    si-4.5_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system alerts {{ si-4.5_prm_1 }} when the following
-                                        indications of compromise or potential compromise occur: {{ si-4.5_prm_2 }}.
-                    """
-                  parts: 
-                    - 
-                      id:    si-4.5_fr
-                      name:  item
-                      title: SI-4 (5) Additional FedRAMP Requirements and Guidance
-                      parts: 
-                        - 
-                          id:         si-4.5_fr_gdn.1
-                          name:       guidance
-                          properties: 
-                            - 
-                              name:  label
-                              value: Guidance:
-                          prose:      In accordance with the incident response plan.
-                - 
-                  id:    si-4.5_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Alerts may be generated from a variety of sources, including, for example, audit
-                                        records or inputs from malicious code protection mechanisms, intrusion detection
-                                        or prevention mechanisms, or boundary protection devices such as firewalls,
-                                        gateways, and routers. Alerts can be transmitted, for example, telephonically, by
-                                        electronic mail messages, or by text messaging. Organizational personnel on the
-                                        notification list can include, for example, system administrators,
-                                        mission/business owners, system owners, or information system security
-                                        officers.
-                    """
-                  links: 
-                    - 
-                      href: #au-5
-                      rel:  related
-                      text: AU-5
-                    - 
-                      href: #pe-6
-                      rel:  related
-                      text: PE-6
-                - 
-                  id:    si-4.5_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         si-4.5_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(5)[1]
-                      prose:      the organization defines compromise indicators for the information system;
-                    - 
-                      id:         si-4.5_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(5)[2]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to be alerted when indications of
-                                               compromise or potential compromise occur; and
-                        """
-                    - 
-                      id:         si-4.5_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(5)[3]
-                      prose: 
-                        """
-                          the information system alerts organization-defined personnel or roles when
-                                               organization-defined compromise indicators occur.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nalerts/notifications generated based on compromise indicators\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion
-                                               detection/information system monitoring capability\n\nautomated mechanisms supporting and/or implementing alerts for compromise
-                                               indicators
-                        """
-            - 
-              id:         si-4.14
-              class:      SP800-53-enhancement
-              title:      Wireless Intrusion Detection
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-4(14)
-                - 
-                  name:  sort-id
-                  value: si-04.14
-              parts: 
-                - 
-                  id:    si-4.14_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization employs a wireless intrusion detection system to identify rogue
-                                        wireless devices and to detect attack attempts and potential compromises/breaches
-                                        to the information system.
-                    """
-                - 
-                  id:    si-4.14_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Wireless signals may radiate beyond the confines of organization-controlled
-                                        facilities. Organizations proactively search for unauthorized wireless connections
-                                        including the conduct of thorough scans for unauthorized wireless access points.
-                                        Scans are not limited to those areas within facilities containing information
-                                        systems, but also include areas outside of facilities as needed, to verify that
-                                        unauthorized wireless access points are not connected to the systems.
-                    """
-                  links: 
-                    - 
-                      href: #ac-18
-                      rel:  related
-                      text: AC-18
-                    - 
-                      href: #ia-3
-                      rel:  related
-                      text: IA-3
-                - 
-                  id:    si-4.14_obj
-                  name:  objective
-                  prose: 
-                    """
-                      Determine if the organization employs a wireless intrusion detection system
-                                        to:
-                    """
-                  parts: 
-                    - 
-                      id:         si-4.14_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(14)[1]
-                      prose:      identify rogue wireless devices;
-                    - 
-                      id:         si-4.14_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(14)[2]
-                      prose:      detect attack attempts to the information system; and
-                    - 
-                      id:         si-4.14_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(14)[3]
-                      prose:      detect potential compromises/breaches to the information system.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system protocols\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection\n\nautomated mechanisms supporting and/or implementing wireless intrusion
-                                               detection capability
-                        """
-            - 
-              id:         si-4.16
-              class:      SP800-53-enhancement
-              title:      Correlate Monitoring Information
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(16)
-                - 
-                  name:  sort-id
-                  value: si-04.16
-              parts: 
-                - 
-                  id:    si-4.16_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization correlates information from monitoring tools employed throughout
-                                        the information system.
-                    """
-                - 
-                  id:    si-4.16_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Correlating information from different monitoring tools can provide a more
-                                        comprehensive view of information system activity. The correlation of monitoring
-                                        tools that usually work in isolation (e.g., host monitoring, network monitoring,
-                                        anti-virus software) can provide an organization-wide view and in so doing, may
-                                        reveal otherwise unseen attack patterns. Understanding the
-                                        capabilities/limitations of diverse monitoring tools and how to maximize the
-                                        utility of information generated by those tools can help organizations to build,
-                                        operate, and maintain effective monitoring programs.
-                    """
-                  links: 
-                    - 
-                      href: #au-6
-                      rel:  related
-                      text: AU-6
-                - 
-                  id:         si-4.16_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the organization correlates information from monitoring tools
-                                        employed throughout the information system.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nevent correlation logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring the information
-                                               system\n\norganizational personnel with responsibility for the intrusion detection
-                                               system
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for intrusion detection/information system
-                                               monitoring\n\nautomated mechanisms supporting and/or implementing intrusion
-                                               detection/information system monitoring capability\n\nautomated mechanisms supporting and/or implementing correlation of information
-                                               from monitoring tools
-                        """
-            - 
-              id:         si-4.23
-              class:      SP800-53-enhancement
-              title:      Host-based Devices
-              parameters: 
-                - 
-                  id:    si-4.23_prm_1
-                  label: organization-defined host-based monitoring mechanisms
-                - 
-                  id:    si-4.23_prm_2
-                  label: organization-defined information system components
-              properties: 
-                - 
-                  name:  label
-                  value: SI-4(23)
-                - 
-                  name:  sort-id
-                  value: si-04.23
-              parts: 
-                - 
-                  id:    si-4.23_smt
-                  name:  statement
-                  prose: The organization implements {{ si-4.23_prm_1 }} at {{ si-4.23_prm_2 }}.
-                - 
-                  id:    si-4.23_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Information system components where host-based monitoring can be implemented
-                                        include, for example, servers, workstations, and mobile devices. Organizations
-                                        consider employing host-based monitoring mechanisms from multiple information
-                                        technology product developers.
-                    """
-                - 
-                  id:    si-4.23_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-4.23_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(23)[1]
-                      prose:      defines host-based monitoring mechanisms to be implemented;
-                    - 
-                      id:         si-4.23_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-4(23)[2]
-                      prose: 
-                        """
-                          defines information system components where organization-defined host-based
-                                               monitoring is to be implemented; and
-                        """
-                    - 
-                      id:         si-4.23_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-4(23)[3]
-                      prose: 
-                        """
-                          implements organization-defined host-based monitoring mechanisms at
-                                               organization-defined information system components.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\nhost-based monitoring mechanisms\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system components requiring host-based monitoring\n\ninformation system monitoring logs or records\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the
-                                               information system\n\norganizational personnel with responsibility for monitoring information system
-                                               hosts
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for information system monitoring\n\nautomated mechanisms supporting and/or implementing host-based monitoring
-                                               capability
-                        """
-        - 
-          id:         si-5
-          class:      SP800-53
-          title:      Security Alerts, Advisories, and Directives
-          parameters: 
-            - 
-              id:          si-5_prm_1
-              label:       organization-defined external organizations
-              constraints: 
-                - 
-                  detail: to include US-CERT
-            - 
-              id:          si-5_prm_2
-              constraints: 
-                - 
-                  detail: to include system security personnel and administrators with configuration/patch-management responsibilities
-            - 
-              id:         si-5_prm_3
-              depends-on: si-5_prm_2
-              label:      organization-defined personnel or roles
-            - 
-              id:         si-5_prm_4
-              depends-on: si-5_prm_2
-              label:      organization-defined elements within the organization
-            - 
-              id:         si-5_prm_5
-              depends-on: si-5_prm_2
-              label:      organization-defined external organizations
-          properties: 
-            - 
-              name:  label
-              value: SI-5
-            - 
-              name:  sort-id
-              value: si-05
-          links: 
-            - 
-              href: #bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-              rel:  reference
-              text: NIST Special Publication 800-40
-          parts: 
-            - 
-              id:    si-5_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-5_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Receives information system security alerts, advisories, and directives from
-                                           {{ si-5_prm_1 }} on an ongoing basis;
-                    """
-                - 
-                  id:         si-5_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Generates internal security alerts, advisories, and directives as deemed
-                                        necessary;
-                    """
-                - 
-                  id:         si-5_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose:      Disseminates security alerts, advisories, and directives to: {{ si-5_prm_2 }}; and
-                - 
-                  id:         si-5_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      Implements security directives in accordance with established time frames, or
-                                        notifies the issuing organization of the degree of noncompliance.
-                    """
-            - 
-              id:    si-5_gdn
-              name:  guidance
-              prose: 
-                """
-                  The United States Computer Emergency Readiness Team (US-CERT) generates security
-                                 alerts and advisories to maintain situational awareness across the federal
-                                 government. Security directives are issued by OMB or other designated organizations
-                                 with the responsibility and authority to issue such directives. Compliance to
-                                 security directives is essential due to the critical nature of many of these
-                                 directives and the potential immediate adverse effects on organizational operations
-                                 and assets, individuals, other organizations, and the Nation should the directives
-                                 not be implemented in a timely manner. External organizations include, for example,
-                                 external mission/business partners, supply chain partners, external service
-                                 providers, and other peer/supporting organizations.
-                """
-              links: 
-                - 
-                  href: #si-2
-                  rel:  related
-                  text: SI-2
-            - 
-              id:    si-5_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-5.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(a)
-                  parts: 
-                    - 
-                      id:         si-5.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(a)[1]
-                      prose: 
-                        """
-                          defines external organizations from whom information system security alerts,
-                                               advisories and directives are to be received;
-                        """
-                    - 
-                      id:         si-5.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(a)[2]
-                      prose: 
-                        """
-                          receives information system security alerts, advisories, and directives from
-                                               organization-defined external organizations on an ongoing basis;
-                        """
-                - 
-                  id:         si-5.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-5(b)
-                  prose: 
-                    """
-                      generates internal security alerts, advisories, and directives as deemed
-                                        necessary;
-                    """
-                - 
-                  id:         si-5.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-5(c)
-                  parts: 
-                    - 
-                      id:         si-5.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[1]
-                      prose: 
-                        """
-                          defines personnel or roles to whom security alerts, advisories, and directives
-                                               are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[2]
-                      prose: 
-                        """
-                          defines elements within the organization to whom security alerts, advisories,
-                                               and directives are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-5(c)[3]
-                      prose: 
-                        """
-                          defines external organizations to whom security alerts, advisories, and
-                                               directives are to be provided;
-                        """
-                    - 
-                      id:         si-5.c_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-5(c)[4]
-                      prose: 
-                        """
-                          disseminates security alerts, advisories, and directives to one or more of the
-                                               following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-5.c_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][a]
-                          prose:      organization-defined personnel or roles;
-                        - 
-                          id:         si-5.c_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][b]
-                          prose:      organization-defined elements within the organization; and/or
-                        - 
-                          id:         si-5.c_obj.4.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-5(c)[4][c]
-                          prose:      organization-defined external organizations; and
-                - 
-                  id:         si-5.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-5(d)
-                  parts: 
-                    - 
-                      id:         si-5.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(d)[1]
-                      prose: 
-                        """
-                          implements security directives in accordance with established time frames;
-                                               or
-                        """
-                    - 
-                      id:         si-5.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-5(d)[2]
-                      prose:      notifies the issuing organization of the degree of noncompliance.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the
-                                        information system\n\norganizational personnel, organizational elements, and/or external organizations
-                                        to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for defining, receiving, generating, disseminating, and
-                                        complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and/or implementing definition, receipt,
-                                        generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and/or implementing security directives
-                    """
-        - 
-          id:         si-6
-          class:      SP800-53
-          title:      Security Function Verification
-          parameters: 
-            - 
-              id:    si-6_prm_1
-              label: organization-defined security functions
-            - 
-              id: si-6_prm_2
-            - 
-              id:          si-6_prm_3
-              depends-on:  si-6_prm_2
-              label:       organization-defined system transitional states
-              constraints: 
-                - 
-                  detail: to include upon system startup and/or restart
-            - 
-              id:          si-6_prm_4
-              depends-on:  si-6_prm_2
-              label:       organization-defined frequency
-              constraints: 
-                - 
-                  detail: at least monthly
-            - 
-              id:          si-6_prm_5
-              label:       organization-defined personnel or roles
-              constraints: 
-                - 
-                  detail: to include system administrators and security personnel
-            - 
-              id: si-6_prm_6
-            - 
-              id:          si-6_prm_7
-              depends-on:  si-6_prm_6
-              label:       organization-defined alternative action(s)
-              constraints: 
-                - 
-                  detail: to include notification of system administrators and security personnel
-          properties: 
-            - 
-              name:  CORE
-              ns:    https://fedramp.gov/ns/oscal
-              value: 
-            - 
-              name:  label
-              value: SI-6
-            - 
-              name:  sort-id
-              value: si-06
-          parts: 
-            - 
-              id:    si-6_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         si-6_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose:      Verifies the correct operation of {{ si-6_prm_1 }};
-                - 
-                  id:         si-6_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Performs this verification {{ si-6_prm_2 }};
-                - 
-                  id:         si-6_smt.c
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: c.
-                  prose: 
-                    """
-                      Notifies {{ si-6_prm_5 }} of failed security verification tests;
-                                        and
-                    """
-                - 
-                  id:         si-6_smt.d
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: d.
-                  prose: 
-                    """
-                      
-                                        {{ si-6_prm_6 }} when anomalies are discovered.
-                    """
-            - 
-              id:    si-6_gdn
-              name:  guidance
-              prose: 
-                """
-                  Transitional states for information systems include, for example, system startup,
-                                 restart, shutdown, and abort. Notifications provided by information systems include,
-                                 for example, electronic alerts to system administrators, messages to local computer
-                                 consoles, and/or hardware indications such as lights.
-                """
-              links: 
-                - 
-                  href: #ca-7
-                  rel:  related
-                  text: CA-7
-                - 
-                  href: #cm-6
-                  rel:  related
-                  text: CM-6
-            - 
-              id:    si-6_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-6.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-6(a)
-                  parts: 
-                    - 
-                      id:         si-6.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(a)[1]
-                      prose: 
-                        """
-                          the organization defines security functions to be verified for correct
-                                               operation;
-                        """
-                    - 
-                      id:         si-6.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-6(a)[2]
-                      prose: 
-                        """
-                          the information system verifies the correct operation of organization-defined
-                                               security functions;
-                        """
-                - 
-                  id:         si-6.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-6(b)
-                  parts: 
-                    - 
-                      id:         si-6.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(b)[1]
-                      prose: 
-                        """
-                          the organization defines system transitional states requiring verification of
-                                               organization-defined security functions;
-                        """
-                    - 
-                      id:         si-6.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(b)[2]
-                      prose: 
-                        """
-                          the organization defines a frequency to verify the correct operation of
-                                               organization-defined security functions;
-                        """
-                    - 
-                      id:         si-6.b_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-6(b)[3]
-                      prose: 
-                        """
-                          the information system performs this verification one or more of the
-                                               following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-6.b_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(b)[3][a]
-                          prose:      at organization-defined system transitional states;
-                        - 
-                          id:         si-6.b_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(b)[3][b]
-                          prose:      upon command by user with appropriate privilege; and/or
-                        - 
-                          id:         si-6.b_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(b)[3][c]
-                          prose:      with the organization-defined frequency;
-                - 
-                  id:         si-6.c_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-6(c)
-                  parts: 
-                    - 
-                      id:         si-6.c_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(c)[1]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to be notified of failed security
-                                               verification tests;
-                        """
-                    - 
-                      id:         si-6.c_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-6(c)[2]
-                      prose: 
-                        """
-                          the information system notifies organization-defined personnel or roles of
-                                               failed security verification tests;
-                        """
-                - 
-                  id:         si-6.d_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-6(d)
-                  parts: 
-                    - 
-                      id:         si-6.d_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-6(d)[1]
-                      prose: 
-                        """
-                          the organization defines alternative action(s) to be performed when anomalies
-                                               are discovered;
-                        """
-                    - 
-                      id:         si-6.d_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-6(d)[2]
-                      prose: 
-                        """
-                          the information system performs one or more of the following actions when
-                                               anomalies are discovered:
-                        """
-                      parts: 
-                        - 
-                          id:         si-6.d_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(d)[2][a]
-                          prose:      shuts the information system down;
-                        - 
-                          id:         si-6.d_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(d)[2][b]
-                          prose:      restarts the information system; and/or
-                        - 
-                          id:         si-6.d_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-6(d)[2][c]
-                          prose:      performs organization-defined alternative action(s).
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nprocedures addressing security function verification\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nalerts/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with security function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the information
-                                        system\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for security function verification\n\nautomated mechanisms supporting and/or implementing security function verification
-                                        capability
-                    """
-        - 
-          id:         si-7
-          class:      SP800-53
-          title:      Software, Firmware, and Information Integrity
-          parameters: 
-            - 
-              id:    si-7_prm_1
-              label: organization-defined software, firmware, and information
-          properties: 
-            - 
-              name:  label
-              value: SI-7
-            - 
-              name:  sort-id
-              value: si-07
-          links: 
-            - 
-              href: #6bf8d24a-78dc-4727-a2ac-0e64d71c495c
-              rel:  reference
-              text: NIST Special Publication 800-147
-            - 
-              href: #3878cc04-144a-483e-af62-8fe6f4ad6c7a
-              rel:  reference
-              text: NIST Special Publication 800-155
-          parts: 
-            - 
-              id:    si-7_smt
-              name:  statement
-              prose: 
-                """
-                  The organization employs integrity verification tools to detect unauthorized changes
-                                 to {{ si-7_prm_1 }}.
-                """
-            - 
-              id:    si-7_gdn
-              name:  guidance
-              prose: 
-                """
-                  Unauthorized changes to software, firmware, and information can occur due to errors
-                                 or malicious activity (e.g., tampering). Software includes, for example, operating
-                                 systems (with key internal components such as kernels, drivers), middleware, and
-                                 applications. Firmware includes, for example, the Basic Input Output System (BIOS).
-                                 Information includes metadata such as security attributes associated with
-                                 information. State-of-the-practice integrity-checking mechanisms (e.g., parity
-                                 checks, cyclical redundancy checks, cryptographic hashes) and associated tools can
-                                 automatically monitor the integrity of information systems and hosted
-                                 applications.
-                """
-              links: 
-                - 
-                  href: #sa-12
-                  rel:  related
-                  text: SA-12
-                - 
-                  href: #sc-8
-                  rel:  related
-                  text: SC-8
-                - 
-                  href: #sc-13
-                  rel:  related
-                  text: SC-13
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-            - 
-              id:    si-7_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-7_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-7[1]
-                  parts: 
-                    - 
-                      id:         si-7_obj.1.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7[1][a]
-                      prose: 
-                        """
-                          defines software requiring integrity verification tools to be employed to
-                                               detect unauthorized changes;
-                        """
-                    - 
-                      id:         si-7_obj.1.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7[1][b]
-                      prose: 
-                        """
-                          defines firmware requiring integrity verification tools to be employed to
-                                               detect unauthorized changes;
-                        """
-                    - 
-                      id:         si-7_obj.1.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7[1][c]
-                      prose: 
-                        """
-                          defines information requiring integrity verification tools to be employed to
-                                               detect unauthorized changes;
-                        """
-                - 
-                  id:         si-7_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-7[2]
-                  prose: 
-                    """
-                      employs integrity verification tools to detect unauthorized changes to
-                                        organization-defined:
-                    """
-                  parts: 
-                    - 
-                      id:         si-7_obj.2.a
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-7[2][a]
-                      prose:      software;
-                    - 
-                      id:         si-7_obj.2.b
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-7[2][b]
-                      prose:      firmware; and
-                    - 
-                      id:         si-7_obj.2.c
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-7[2][c]
-                      prose:      information.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated/triggered from integrity verification tools regarding
-                                        unauthorized software, firmware, and information changes\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for software, firmware, and/or
-                                        information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Software, firmware, and information integrity verification tools
-          controls: 
-            - 
-              id:         si-7.1
-              class:      SP800-53-enhancement
-              title:      Integrity Checks
-              parameters: 
-                - 
-                  id:    si-7.1_prm_1
-                  label: organization-defined software, firmware, and information
-                - 
-                  id: si-7.1_prm_2
-                - 
-                  id:          si-7.1_prm_3
-                  depends-on:  si-7.1_prm_2
-                  label:       organization-defined transitional states or security-relevant events
-                  constraints: 
-                    - 
-                      detail: Selection to include security relevant events
-                - 
-                  id:          si-7.1_prm_4
-                  depends-on:  si-7.1_prm_2
-                  label:       organization-defined frequency
-                  constraints: 
-                    - 
-                      detail: at least monthly
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-7(1)
-                - 
-                  name:  sort-id
-                  value: si-07.01
-              parts: 
-                - 
-                  id:    si-7.1_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The information system performs an integrity check of {{ si-7.1_prm_1 }}
-                                        {{ si-7.1_prm_2 }}.
-                    """
-                - 
-                  id:    si-7.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Security-relevant events include, for example, the identification of a new threat
-                                        to which organizational information systems are susceptible, and the installation
-                                        of new hardware, software, or firmware. Transitional states include, for example,
-                                        system startup, restart, shutdown, and abort.
-                    """
-                - 
-                  id:    si-7.1_obj
-                  name:  objective
-                  prose: Determine if:
-                  parts: 
-                    - 
-                      id:         si-7.1_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(1)[1]
-                      prose:      the organization defines:
-                      parts: 
-                        - 
-                          id:         si-7.1_obj.1.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[1][a]
-                          prose:      software requiring integrity checks to be performed;
-                        - 
-                          id:         si-7.1_obj.1.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[1][b]
-                          prose:      firmware requiring integrity checks to be performed;
-                        - 
-                          id:         si-7.1_obj.1.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[1][c]
-                          prose:      information requiring integrity checks to be performed;
-                    - 
-                      id:         si-7.1_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(1)[2]
-                      prose: 
-                        """
-                          the organization defines transitional states or security-relevant events
-                                               requiring integrity checks of organization-defined:
-                        """
-                      parts: 
-                        - 
-                          id:         si-7.1_obj.2.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[2][a]
-                          prose:      software;
-                        - 
-                          id:         si-7.1_obj.2.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[2][b]
-                          prose:      firmware;
-                        - 
-                          id:         si-7.1_obj.2.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[2][c]
-                          prose:      information;
-                    - 
-                      id:         si-7.1_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(1)[3]
-                      prose: 
-                        """
-                          the organization defines a frequency with which to perform an integrity check
-                                               of organization-defined:
-                        """
-                      parts: 
-                        - 
-                          id:         si-7.1_obj.3.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[3][a]
-                          prose:      software;
-                        - 
-                          id:         si-7.1_obj.3.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[3][b]
-                          prose:      firmware;
-                        - 
-                          id:         si-7.1_obj.3.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[3][c]
-                          prose:      information;
-                    - 
-                      id:         si-7.1_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-7(1)[4]
-                      prose: 
-                        """
-                          the information system performs an integrity check of organization-defined
-                                               software, firmware, and information one or more of the following:
-                        """
-                      parts: 
-                        - 
-                          id:         si-7.1_obj.4.a
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[4][a]
-                          prose:      at startup;
-                        - 
-                          id:         si-7.1_obj.4.b
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[4][b]
-                          prose: 
-                            """
-                              at organization-defined transitional states or security-relevant events;
-                                                      and/or
-                            """
-                        - 
-                          id:         si-7.1_obj.4.c
-                          name:       objective
-                          properties: 
-                            - 
-                              name:  label
-                              value: SI-7(1)[4][c]
-                          prose:      with the organization-defined frequency.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for software, firmware, and/or
-                                               information integrity\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Software, firmware, and information integrity verification tools
-            - 
-              id:         si-7.7
-              class:      SP800-53-enhancement
-              title:      Integration of Detection and Response
-              parameters: 
-                - 
-                  id:    si-7.7_prm_1
-                  label: 
-                    """
-                      organization-defined security-relevant changes to the information
-                                        system
-                    """
-              properties: 
-                - 
-                  name:  label
-                  value: SI-7(7)
-                - 
-                  name:  sort-id
-                  value: si-07.07
-              parts: 
-                - 
-                  id:    si-7.7_smt
-                  name:  statement
-                  prose: 
-                    """
-                      The organization incorporates the detection of unauthorized {{ si-7.7_prm_1 }} into the organizational incident response
-                                        capability.
-                    """
-                - 
-                  id:    si-7.7_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      This control enhancement helps to ensure that detected events are tracked,
-                                        monitored, corrected, and available for historical purposes. Maintaining
-                                        historical records is important both for being able to identify and discern
-                                        adversary actions over an extended period of time and for possible legal actions.
-                                        Security-relevant changes include, for example, unauthorized changes to
-                                        established configuration settings or unauthorized elevation of information system
-                                        privileges.
-                    """
-                  links: 
-                    - 
-                      href: #ir-4
-                      rel:  related
-                      text: IR-4
-                    - 
-                      href: #ir-5
-                      rel:  related
-                      text: IR-5
-                    - 
-                      href: #si-4
-                      rel:  related
-                      text: SI-4
-                - 
-                  id:    si-7.7_obj
-                  name:  objective
-                  prose: Determine if the organization:
-                  parts: 
-                    - 
-                      id:         si-7.7_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-7(7)[1]
-                      prose: 
-                        """
-                          defines unauthorized security-relevant changes to the information system;
-                                               and
-                        """
-                    - 
-                      id:         si-7.7_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-7(7)[2]
-                      prose: 
-                        """
-                          incorporates the detection of unauthorized organization-defined
-                                               security-relevant changes to the information system into the organizational
-                                               incident response capability.
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response records\n\ninformation audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational personnel with responsibility for software, firmware, and/or
-                                               information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities
-                        """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for incorporating detection of unauthorized
-                                               security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nautomated mechanisms supporting and/or implementing incorporation of detection
-                                               of unauthorized security-relevant changes into the incident response
-                                               capability
-                        """
-        - 
-          id:         si-8
-          class:      SP800-53
-          title:      Spam Protection
-          properties: 
-            - 
-              name:  label
-              value: SI-8
-            - 
-              name:  sort-id
-              value: si-08
-          links: 
-            - 
-              href: #c6e95ca0-5828-420e-b095-00895b72b5e8
-              rel:  reference
-              text: NIST Special Publication 800-45
-          parts: 
-            - 
-              id:    si-8_smt
-              name:  statement
-              prose: The organization:
-              parts: 
-                - 
-                  id:         si-8_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Employs spam protection mechanisms at information system entry and exit points to
-                                        detect and take action on unsolicited messages; and
-                    """
-                - 
-                  id:         si-8_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose: 
-                    """
-                      Updates spam protection mechanisms when new releases are available in accordance
-                                        with organizational configuration management policy and procedures.
-                    """
-            - 
-              id:    si-8_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information system entry and exit points include, for example, firewalls, electronic
-                                 mail servers, web servers, proxy servers, remote-access servers, workstations, mobile
-                                 devices, and notebook/laptop computers. Spam can be transported by different means
-                                 including, for example, electronic mail, electronic mail attachments, and web
-                                 accesses. Spam protection mechanisms include, for example, signature definitions.
-                """
-              links: 
-                - 
-                  href: #at-2
-                  rel:  related
-                  text: AT-2
-                - 
-                  href: #at-3
-                  rel:  related
-                  text: AT-3
-                - 
-                  href: #sc-5
-                  rel:  related
-                  text: SC-5
-                - 
-                  href: #sc-7
-                  rel:  related
-                  text: SC-7
-                - 
-                  href: #si-3
-                  rel:  related
-                  text: SI-3
-            - 
-              id:    si-8_obj
-              name:  objective
-              prose: Determine if the organization:
-              parts: 
-                - 
-                  id:         si-8.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SI-8(a)
-                  prose:      employs spam protection mechanisms:
-                  parts: 
-                    - 
-                      id:         si-8.a_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-8(a)[1]
-                      prose:      at information system entry points to detect unsolicited messages;
-                    - 
-                      id:         si-8.a_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-8(a)[2]
-                      prose:      at information system entry points to take action on unsolicited messages;
-                    - 
-                      id:         si-8.a_obj.3
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-8(a)[3]
-                      prose:      at information system exit points to detect unsolicited messages;
-                    - 
-                      id:         si-8.a_obj.4
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  label
-                          value: SI-8(a)[4]
-                      prose: 
-                        """
-                          at information system exit points to take action on unsolicited messages;
-                                               and
-                        """
-                - 
-                  id:         si-8.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-8(b)
-                  prose: 
-                    """
-                      updates spam protection mechanisms when new releases are available in accordance
-                                        with organizational configuration management policy and procedures.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nconfiguration management policy and procedures (CM-1)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational processes for implementing spam protection\n\nautomated mechanisms supporting and/or implementing spam protection
-          controls: 
-            - 
-              id:         si-8.1
-              class:      SP800-53-enhancement
-              title:      Central Management
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-8(1)
-                - 
-                  name:  sort-id
-                  value: si-08.01
-              parts: 
-                - 
-                  id:    si-8.1_smt
-                  name:  statement
-                  prose: The organization centrally manages spam protection mechanisms.
-                - 
-                  id:    si-8.1_gdn
-                  name:  guidance
-                  prose: 
-                    """
-                      Central management is the organization-wide management and implementation of spam
-                                        protection mechanisms. Central management includes planning, implementing,
-                                        assessing, authorizing, and monitoring the organization-defined, centrally managed
-                                        spam protection security controls.
-                    """
-                  links: 
-                    - 
-                      href: #au-3
-                      rel:  related
-                      text: AU-3
-                    - 
-                      href: #si-2
-                      rel:  related
-                      text: SI-2
-                    - 
-                      href: #si-7
-                      rel:  related
-                      text: SI-7
-                - 
-                  id:         si-8.1_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose:      Determine if the organization centrally manages spam protection mechanisms.
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for central management of spam protection\n\nautomated mechanisms supporting and/or implementing central management of spam
-                                               protection
-                        """
-            - 
-              id:         si-8.2
-              class:      SP800-53-enhancement
-              title:      Automatic Updates
-              properties: 
-                - 
-                  name:  CORE
-                  ns:    https://fedramp.gov/ns/oscal
-                  value: 
-                - 
-                  name:  label
-                  value: SI-8(2)
-                - 
-                  name:  sort-id
-                  value: si-08.02
-              parts: 
-                - 
-                  id:    si-8.2_smt
-                  name:  statement
-                  prose: The information system automatically updates spam protection mechanisms.
-                - 
-                  id:         si-8.2_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                  prose: 
-                    """
-                      Determine if the information system automatically updates spam protection
-                                        mechanisms.
-                    """
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: EXAMINE
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: INTERVIEW
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-                - 
-                  name:       assessment
-                  properties: 
-                    - 
-                      name:  method
-                      value: TEST
-                  parts: 
-                    - 
-                      name:  objects
-                      prose: 
-                        """
-                          Organizational processes for spam protection\n\nautomated mechanisms supporting and/or implementing automatic updates to spam
-                                               protection mechanisms
-                        """
-        - 
-          id:         si-10
-          class:      SP800-53
-          title:      Information Input Validation
-          parameters: 
-            - 
-              id:    si-10_prm_1
-              label: organization-defined information inputs
-          properties: 
-            - 
-              name:  label
-              value: SI-10
-            - 
-              name:  sort-id
-              value: si-10
-          parts: 
-            - 
-              id:    si-10_smt
-              name:  statement
-              prose: The information system checks the validity of {{ si-10_prm_1 }}.
-            - 
-              id:    si-10_gdn
-              name:  guidance
-              prose: 
-                """
-                  Checking the valid syntax and semantics of information system inputs (e.g., character
-                                 set, length, numerical range, and acceptable values) verifies that inputs match
-                                 specified definitions for format and content. Software applications typically follow
-                                 well-defined protocols that use structured messages (i.e., commands or queries) to
-                                 communicate between software modules or system components. Structured messages can
-                                 contain raw or unstructured data interspersed with metadata or control information.
-                                 If software applications use attacker-supplied inputs to construct structured
-                                 messages without properly encoding such messages, then the attacker could insert
-                                 malicious commands or special characters that can cause the data to be interpreted as
-                                 control information or metadata. Consequently, the module or component that receives
-                                 the tainted output will perform the wrong operations or otherwise interpret the data
-                                 incorrectly. Prescreening inputs prior to passing to interpreters prevents the
-                                 content from being unintentionally interpreted as commands. Input validation helps to
-                                 ensure accurate and correct inputs and prevent attacks such as cross-site scripting
-                                 and a variety of injection attacks.
-                """
-            - 
-              id:    si-10_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-10_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SI-10[1]
-                  prose:      the organization defines information inputs requiring validity checks; and
-                - 
-                  id:         si-10_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-10[2]
-                  prose: 
-                    """
-                      the information system checks the validity of organization-defined information
-                                        inputs.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify validity of
-                                        information\n\nlist of information inputs requiring validity checks\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing validity checks on information
-                                        inputs
-                    """
-        - 
-          id:         si-11
-          class:      SP800-53
-          title:      Error Handling
-          parameters: 
-            - 
-              id:    si-11_prm_1
-              label: organization-defined personnel or roles
-          properties: 
-            - 
-              name:  label
-              value: SI-11
-            - 
-              name:  sort-id
-              value: si-11
-          parts: 
-            - 
-              id:    si-11_smt
-              name:  statement
-              prose: The information system:
-              parts: 
-                - 
-                  id:         si-11_smt.a
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: a.
-                  prose: 
-                    """
-                      Generates error messages that provide information necessary for corrective actions
-                                        without revealing information that could be exploited by adversaries; and
-                    """
-                - 
-                  id:         si-11_smt.b
-                  name:       item
-                  properties: 
-                    - 
-                      name:  label
-                      value: b.
-                  prose:      Reveals error messages only to {{ si-11_prm_1 }}.
-            - 
-              id:    si-11_gdn
-              name:  guidance
-              prose: 
-                """
-                  Organizations carefully consider the structure/content of error messages. The extent
-                                 to which information systems are able to identify and handle error conditions is
-                                 guided by organizational policy and operational requirements. Information that could
-                                 be exploited by adversaries includes, for example, erroneous logon attempts with
-                                 passwords entered by mistake as the username, mission/business information that can
-                                 be derived from (if not stated explicitly by) information recorded, and personal
-                                 information such as account numbers, social security numbers, and credit card
-                                 numbers. In addition, error messages may provide a covert channel for transmitting
-                                 information.
-                """
-              links: 
-                - 
-                  href: #au-2
-                  rel:  related
-                  text: AU-2
-                - 
-                  href: #au-3
-                  rel:  related
-                  text: AU-3
-                - 
-                  href: #sc-31
-                  rel:  related
-                  text: SC-31
-            - 
-              id:    si-11_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-11.a_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-11(a)
-                  prose: 
-                    """
-                      the information system generates error messages that provide information necessary
-                                        for corrective actions without revealing information that could be exploited by
-                                        adversaries;
-                    """
-                - 
-                  id:         si-11.b_obj
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-11(b)
-                  parts: 
-                    - 
-                      id:         si-11.b_obj.1
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: EXAMINE
-                        - 
-                          name:  label
-                          value: SI-11(b)[1]
-                      prose: 
-                        """
-                          the organization defines personnel or roles to whom error messages are to be
-                                               revealed; and
-                        """
-                    - 
-                      id:         si-11.b_obj.2
-                      name:       objective
-                      properties: 
-                        - 
-                          name:  conformity
-                          ns:    https://fedramp.gov/ns/oscal
-                          value: assessment-objective
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: INTERVIEW
-                        - 
-                          name:  method
-                          class: fedramp
-                          value: TEST
-                        - 
-                          name:  label
-                          value: SI-11(b)[2]
-                      prose: 
-                        """
-                          the information system reveals error messages only to organization-defined
-                                               personnel or roles.
-                        """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: System and information integrity policy\n\nprocedures addressing information system error handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing structure/content of error messages\n\ninformation system audit records\n\nother relevant documents or records
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for error handling\n\nautomated mechanisms supporting and/or implementing error handling\n\nautomated mechanisms supporting and/or implementing management of error
-                                        messages
-                    """
-        - 
-          id:         si-12
-          class:      SP800-53
-          title:      Information Handling and Retention
-          properties: 
-            - 
-              name:  label
-              value: SI-12
-            - 
-              name:  sort-id
-              value: si-12
-          parts: 
-            - 
-              id:    si-12_smt
-              name:  statement
-              prose: 
-                """
-                  The organization handles and retains information within the information system and
-                                 information output from the system in accordance with applicable federal laws,
-                                 Executive Orders, directives, policies, regulations, standards, and operational
-                                 requirements.
-                """
-            - 
-              id:    si-12_gdn
-              name:  guidance
-              prose: 
-                """
-                  Information handling and retention requirements cover the full life cycle of
-                                 information, in some cases extending beyond the disposal of information systems. The
-                                 National Archives and Records Administration provides guidance on records
-                                 retention.
-                """
-              links: 
-                - 
-                  href: #ac-16
-                  rel:  related
-                  text: AC-16
-                - 
-                  href: #au-5
-                  rel:  related
-                  text: AU-5
-                - 
-                  href: #au-11
-                  rel:  related
-                  text: AU-11
-                - 
-                  href: #mp-2
-                  rel:  related
-                  text: MP-2
-                - 
-                  href: #mp-4
-                  rel:  related
-                  text: MP-4
-            - 
-              id:    si-12_obj
-              name:  objective
-              prose: 
-                """
-                  Determine if the organization, in accordance with applicable federal laws, Executive
-                                 Orders, directives, policies, regulations, standards, and operational
-                                 requirements:
-                """
-              parts: 
-                - 
-                  id:         si-12_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-12[1]
-                  prose:      handles information within the information system;
-                - 
-                  id:         si-12_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[2]
-                  prose:      handles output from the information system;
-                - 
-                  id:         si-12_obj.3
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[3]
-                  prose:      retains information within the information system; and
-                - 
-                  id:         si-12_obj.4
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  label
-                      value: SI-12[4]
-                  prose:      retains output from the information system.
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and
-                                        operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational personnel with responsibility for information handling and
-                                        retention\n\norganizational personnel with information security responsibilities/network
-                                        administrators
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Organizational processes for information handling and retention\n\nautomated mechanisms supporting and/or implementing information handling and
-                                        retention
-                    """
-        - 
-          id:         si-16
-          class:      SP800-53
-          title:      Memory Protection
-          parameters: 
-            - 
-              id:    si-16_prm_1
-              label: organization-defined security safeguards
-          properties: 
-            - 
-              name:  label
-              value: SI-16
-            - 
-              name:  sort-id
-              value: si-16
-          parts: 
-            - 
-              id:    si-16_smt
-              name:  statement
-              prose: 
-                """
-                  The information system implements {{ si-16_prm_1 }} to protect its
-                                 memory from unauthorized code execution.
-                """
-            - 
-              id:    si-16_gdn
-              name:  guidance
-              prose: 
-                """
-                  Some adversaries launch attacks with the intent of executing code in non-executable
-                                 regions of memory or in memory locations that are prohibited. Security safeguards
-                                 employed to protect memory include, for example, data execution prevention and
-                                 address space layout randomization. Data execution prevention safeguards can either
-                                 be hardware-enforced or software-enforced with hardware providing the greater
-                                 strength of mechanism.
-                """
-              links: 
-                - 
-                  href: #ac-25
-                  rel:  related
-                  text: AC-25
-                - 
-                  href: #sc-3
-                  rel:  related
-                  text: SC-3
-            - 
-              id:    si-16_obj
-              name:  objective
-              prose: Determine if:
-              parts: 
-                - 
-                  id:         si-16_obj.1
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: EXAMINE
-                    - 
-                      name:  label
-                      value: SI-16[1]
-                  prose: 
-                    """
-                      the organization defines security safeguards to be implemented to protect
-                                        information system memory from unauthorized code execution; and
-                    """
-                - 
-                  id:         si-16_obj.2
-                  name:       objective
-                  properties: 
-                    - 
-                      name:  conformity
-                      ns:    https://fedramp.gov/ns/oscal
-                      value: assessment-objective
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: INTERVIEW
-                    - 
-                      name:  method
-                      class: fedramp
-                      value: TEST
-                    - 
-                      name:  label
-                      value: SI-16[2]
-                  prose: 
-                    """
-                      the information system implements organization-defined security safeguards to
-                                        protect its memory from unauthorized code execution.
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: EXAMINE
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      System and information integrity policy\n\nprocedures addressing memory protection for the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of security safeguards protecting information system memory from unauthorized
-                                        code execution\n\ninformation system audit records\n\nother relevant documents or records
-                    """
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: INTERVIEW
-              parts: 
-                - 
-                  name:  objects
-                  prose: Organizational personnel with responsibility for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer
-            - 
-              name:       assessment
-              properties: 
-                - 
-                  name:  method
-                  value: TEST
-              parts: 
-                - 
-                  name:  objects
-                  prose: 
-                    """
-                      Automated mechanisms supporting and/or implementing safeguards to protect
-                                        information system memory from unauthorized code execution
-                    """
-  back-matter: 
-    resources: 
-      - 
-        uuid:     0c97e60b-325a-4efa-ba2b-90f20ccd5abc
-        title:    5 C.F.R. 731.106
-        citation: 
-          text: 
-            """
-              Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-                             Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-                             731.106).
-            """
-        rlinks: 
-          - 
-            href: http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html
-      - 
-        uuid:     bb61234b-46c3-4211-8c2b-9869222a720d
-        title:    C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-        citation: 
-          text: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
-        rlinks: 
-          - 
-            href: http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html
-      - 
-        uuid:     a4aa9645-9a8a-4b51-90a9-e223250f9a75
-        title:    CNSS Policy 15
-        citation: 
-          text: CNSS Policy 15
-        rlinks: 
-          - 
-            href: https://www.cnss.gov/policies.html
-      - 
-        uuid:     2d8b14e9-c8b5-4d3d-8bdc-155078f3281b
-        title:    DoD Information Assurance Vulnerability Alerts
-        citation: 
-          text: DoD Information Assurance Vulnerability Alerts
-      - 
-        uuid:     61081e7f-041d-4033-96a7-44a439071683
-        title:    DoD Instruction 5200.39
-        citation: 
-          text: DoD Instruction 5200.39
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     e42b2099-3e1c-415b-952c-61c96533c12e
-        title:    DoD Instruction 8551.01
-        citation: 
-          text: DoD Instruction 8551.01
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     e6522953-6714-435d-a0d3-140df554c186
-        title:    DoD Instruction 8552.01
-        citation: 
-          text: DoD Instruction 8552.01
-        rlinks: 
-          - 
-            href: http://www.dtic.mil/whs/directives/corres/ins1.html
-      - 
-        uuid:     c5034e0c-eba6-4ecd-a541-79f0678f4ba4
-        title:    Executive Order 13587
-        citation: 
-          text: Executive Order 13587
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net
-      - 
-        uuid:     56d671da-6b7b-4abf-8296-84b61980390a
-        title:    Federal Acquisition Regulation
-        citation: 
-          text: Federal Acquisition Regulation
-        rlinks: 
-          - 
-            href: https://acquisition.gov/far
-      - 
-        uuid:     023104bc-6f75-4cd5-b7d0-fc92326f8007
-        title:    Federal Continuity Directive 1
-        citation: 
-          text: Federal Continuity Directive 1
-        rlinks: 
-          - 
-            href: http://www.fema.gov/pdf/about/offices/fcd1.pdf
-      - 
-        uuid:     ba557c91-ba3e-4792-adc6-a4ae479b39ff
-        title:    FICAM Roadmap and Implementation Guidance
-        citation: 
-          text: FICAM Roadmap and Implementation Guidance
-        rlinks: 
-          - 
-            href: http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance
-      - 
-        uuid:     39f9087d-7687-46d2-8eda-b6f4b7a4d8a9
-        title:    FIPS Publication 140
-        citation: 
-          text: FIPS Publication 140
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html
-      - 
-        uuid:     d715b234-9b5b-4e07-b1ed-99836727664d
-        title:    FIPS Publication 140-2
-        citation: 
-          text: FIPS Publication 140-2
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#140-2
-      - 
-        uuid:     f2dbd4ec-c413-4714-b85b-6b7184d1c195
-        title:    FIPS Publication 197
-        citation: 
-          text: FIPS Publication 197
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#197
-      - 
-        uuid:     e85cdb3f-7f0a-4083-8639-f13f70d3760b
-        title:    FIPS Publication 199
-        citation: 
-          text: FIPS Publication 199
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#199
-      - 
-        uuid:     c80c10b3-1294-4984-a4cc-d1733ca432b9
-        title:    FIPS Publication 201
-        citation: 
-          text: FIPS Publication 201
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsFIPS.html#201
-      - 
-        uuid:     ad733a42-a7ed-4774-b988-4930c28852f3
-        title:    HSPD-12
-        citation: 
-          text: HSPD-12
-        rlinks: 
-          - 
-            href: http://www.dhs.gov/homeland-security-presidential-directive-12
-      - 
-        uuid:     4ef539ba-b767-4666-b0d3-168c53005fa3
-        title:    http://capec.mitre.org
-        citation: 
-          text: http://capec.mitre.org
-        rlinks: 
-          - 
-            href: http://capec.mitre.org
-      - 
-        uuid:     e95dd121-2733-413e-bf1e-f1eb49f20a98
-        title:    http://checklists.nist.gov
-        citation: 
-          text: http://checklists.nist.gov
-        rlinks: 
-          - 
-            href: http://checklists.nist.gov
-      - 
-        uuid:     6a1041fc-054e-4230-946b-2e6f4f3731bb
-        title:    http://csrc.nist.gov/cryptval
-        citation: 
-          text: http://csrc.nist.gov/cryptval
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/cryptval
-      - 
-        uuid:     b09d1a31-d3c9-4138-a4f4-4c63816afd7d
-        title:    http://csrc.nist.gov/groups/STM/cmvp/index.html
-        citation: 
-          text: http://csrc.nist.gov/groups/STM/cmvp/index.html
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/groups/STM/cmvp/index.html
-      - 
-        uuid:     0931209f-00ae-4132-b92c-bc645847e8f9
-        title:    http://cve.mitre.org
-        citation: 
-          text: http://cve.mitre.org
-        rlinks: 
-          - 
-            href: http://cve.mitre.org
-      - 
-        uuid:     15522e92-9192-463d-9646-6a01982db8ca
-        title:    http://cwe.mitre.org
-        citation: 
-          text: http://cwe.mitre.org
-        rlinks: 
-          - 
-            href: http://cwe.mitre.org
-      - 
-        uuid:     5ed1f4d5-1494-421b-97ed-39d3c88ab51f
-        title:    http://fips201ep.cio.gov
-        citation: 
-          text: http://fips201ep.cio.gov
-        rlinks: 
-          - 
-            href: http://fips201ep.cio.gov
-      - 
-        uuid:     85280698-0417-489d-b214-12bb935fb939
-        title:    http://idmanagement.gov
-        citation: 
-          text: http://idmanagement.gov
-        rlinks: 
-          - 
-            href: http://idmanagement.gov
-      - 
-        uuid:     275cc052-0f7f-423c-bdb6-ed503dc36228
-        title:    http://nvd.nist.gov
-        citation: 
-          text: http://nvd.nist.gov
-        rlinks: 
-          - 
-            href: http://nvd.nist.gov
-      - 
-        uuid:     bbd50dd1-54ce-4432-959d-63ea564b1bb4
-        title:    http://www.acquisition.gov/far
-        citation: 
-          text: http://www.acquisition.gov/far
-        rlinks: 
-          - 
-            href: http://www.acquisition.gov/far
-      - 
-        uuid:     9b97ed27-3dd6-4f9a-ade5-1b43e9669794
-        title:    http://www.cnss.gov
-        citation: 
-          text: http://www.cnss.gov
-        rlinks: 
-          - 
-            href: http://www.cnss.gov
-      - 
-        uuid:     3ac12e79-f54f-4a63-9f4b-ee4bcd4df604
-        title:    http://www.dhs.gov/telecommunications-service-priority-tsp
-        citation: 
-          text: http://www.dhs.gov/telecommunications-service-priority-tsp
-        rlinks: 
-          - 
-            href: http://www.dhs.gov/telecommunications-service-priority-tsp
-      - 
-        uuid:     c95a9986-3cd6-4a98-931b-ccfc56cb11e5
-        title:    http://www.niap-ccevs.org
-        citation: 
-          text: http://www.niap-ccevs.org
-        rlinks: 
-          - 
-            href: http://www.niap-ccevs.org
-      - 
-        uuid:     647b6de3-81d0-4d22-bec1-5f1333e34380
-        title:    http://www.nsa.gov
-        citation: 
-          text: http://www.nsa.gov
-        rlinks: 
-          - 
-            href: http://www.nsa.gov
-      - 
-        uuid:     a47466c4-c837-4f06-a39f-e68412a5f73d
-        title:    http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-        citation: 
-          text: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-        rlinks: 
-          - 
-            href: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml
-      - 
-        uuid:     02631467-668b-4233-989b-3dfded2fd184
-        title:    http://www.us-cert.gov
-        citation: 
-          text: http://www.us-cert.gov
-        rlinks: 
-          - 
-            href: http://www.us-cert.gov
-      - 
-        uuid:     6caa237b-531b-43ac-9711-d8f6b97b0377
-        title:    ICD 704
-        citation: 
-          text: ICD 704
-        rlinks: 
-          - 
-            href: http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
-      - 
-        uuid:     398e33fd-f404-4e5c-b90e-2d50d3181244
-        title:    ICD 705
-        citation: 
-          text: ICD 705
-        rlinks: 
-          - 
-            href: http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
-      - 
-        uuid:     1737a687-52fb-4008-b900-cbfa836f7b65
-        title:    ISO/IEC 15408
-        citation: 
-          text: ISO/IEC 15408
-        rlinks: 
-          - 
-            href: http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341
-      - 
-        uuid:     fb5844de-ff96-47c0-b258-4f52bcc2f30d
-        title:    National Communications Systems Directive 3-10
-        citation: 
-          text: National Communications Systems Directive 3-10
-      - 
-        uuid:     654f21e2-f3bc-43b2-abdc-60ab8d09744b
-        title:    National Strategy for Trusted Identities in Cyberspace
-        citation: 
-          text: National Strategy for Trusted Identities in Cyberspace
-        rlinks: 
-          - 
-            href: http://www.nist.gov/nstic
-      - 
-        uuid:         9cb3d8fe-2127-48ba-821e-cdd2d7aee921
-        title:        NIST Special Publication 800-100
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-100
-        citation: 
-          text: NIST Special Publication 800-100
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-100
-      - 
-        uuid:         3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e
-        title:        NIST Special Publication 800-111
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-111
-        citation: 
-          text: NIST Special Publication 800-111
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-111
-      - 
-        uuid:         349fe082-502d-464a-aa0c-1443c6a5cf40
-        title:        NIST Special Publication 800-113
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-113
-        citation: 
-          text: NIST Special Publication 800-113
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-113
-      - 
-        uuid:         1201fcf3-afb1-4675-915a-fb4ae0435717
-        title:        NIST Special Publication 800-114 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-114r1
-        citation: 
-          text: NIST Special Publication 800-114 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-114r1
-      - 
-        uuid:         c4691b88-57d1-463b-9053-2d0087913f31
-        title:        NIST Special Publication 800-115
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-115
-        citation: 
-          text: NIST Special Publication 800-115
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-115
-      - 
-        uuid:         2157bb7e-192c-4eaa-877f-93ef6b0a3292
-        title:        NIST Special Publication 800-116 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-116r1
-        citation: 
-          text: NIST Special Publication 800-116 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-116r1
-      - 
-        uuid:         5c201b63-0768-417b-ac22-3f014e3941b2
-        title:        NIST Special Publication 800-12 Rev. 1
-        document-ids: 
-          - 
-            type:       doi
-            identifier: 10.6028/NIST.SP.800-12r1
-        citation: 
-          text: NIST Special Publication 800-12 Rev. 1
-        rlinks: 
-          - 
-            href: https://doi.org/10.6028/NIST.SP.800-12r1
-      - 
-        uuid:     d1a4e2a9-e512-4132-8795-5357aba29254
-        title:    NIST Special Publication 800-121
-        citation: 
-          text: NIST Special Publication 800-121
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-121
-      - 
-        uuid:     0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589
-        title:    NIST Special Publication 800-124
-        citation: 
-          text: NIST Special Publication 800-124
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-124
-      - 
-        uuid:     080f8068-5e3e-435e-9790-d22ba4722693
-        title:    NIST Special Publication 800-128
-        citation: 
-          text: NIST Special Publication 800-128
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-128
-      - 
-        uuid:     cee2c6ca-0261-4a6f-b630-e41d8ffdd82b
-        title:    NIST Special Publication 800-137
-        citation: 
-          text: NIST Special Publication 800-137
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-137
-      - 
-        uuid:     6bf8d24a-78dc-4727-a2ac-0e64d71c495c
-        title:    NIST Special Publication 800-147
-        citation: 
-          text: NIST Special Publication 800-147
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-147
-      - 
-        uuid:     3878cc04-144a-483e-af62-8fe6f4ad6c7a
-        title:    NIST Special Publication 800-155
-        citation: 
-          text: NIST Special Publication 800-155
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-155
-      - 
-        uuid:     825438c3-248d-4e30-a51e-246473ce6ada
-        title:    NIST Special Publication 800-16
-        citation: 
-          text: NIST Special Publication 800-16
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-16
-      - 
-        uuid:     6513e480-fada-4876-abba-1397084dfb26
-        title:    NIST Special Publication 800-164
-        citation: 
-          text: NIST Special Publication 800-164
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-164
-      - 
-        uuid:     9c5c9e8c-dc81-4f55-a11c-d71d7487790f
-        title:    NIST Special Publication 800-18
-        citation: 
-          text: NIST Special Publication 800-18
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-18
-      - 
-        uuid:     0a5db899-f033-467f-8631-f5a8ba971475
-        title:    NIST Special Publication 800-23
-        citation: 
-          text: NIST Special Publication 800-23
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-23
-      - 
-        uuid:     21b1ed35-56d2-40a8-bdfe-b461fffe322f
-        title:    NIST Special Publication 800-27
-        citation: 
-          text: NIST Special Publication 800-27
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-27
-      - 
-        uuid:     e716cd51-d1d5-4c6a-967a-22e9fbbc42f1
-        title:    NIST Special Publication 800-28
-        citation: 
-          text: NIST Special Publication 800-28
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-28
-      - 
-        uuid:     a466121b-f0e2-41f0-a5f9-deb0b5fe6b15
-        title:    NIST Special Publication 800-30
-        citation: 
-          text: NIST Special Publication 800-30
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-30
-      - 
-        uuid:     8f174e91-844e-4cf1-a72a-45c119a3a8dd
-        title:    NIST Special Publication 800-32
-        citation: 
-          text: NIST Special Publication 800-32
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-32
-      - 
-        uuid:     748a81b9-9cad-463f-abde-8b368167e70d
-        title:    NIST Special Publication 800-34
-        citation: 
-          text: NIST Special Publication 800-34
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-34
-      - 
-        uuid:     0c775bc3-bfc3-42c7-a382-88949f503171
-        title:    NIST Special Publication 800-35
-        citation: 
-          text: NIST Special Publication 800-35
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-35
-      - 
-        uuid:     d818efd3-db31-4953-8afa-9e76afe83ce2
-        title:    NIST Special Publication 800-36
-        citation: 
-          text: NIST Special Publication 800-36
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-36
-      - 
-        uuid:     0a0c26b6-fd44-4274-8b36-93442d49d998
-        title:    NIST Special Publication 800-37
-        citation: 
-          text: NIST Special Publication 800-37
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-37
-      - 
-        uuid:     d480aa6a-7a88-424e-a10c-ad1c7870354b
-        title:    NIST Special Publication 800-39
-        citation: 
-          text: NIST Special Publication 800-39
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-39
-      - 
-        uuid:     bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d
-        title:    NIST Special Publication 800-40
-        citation: 
-          text: NIST Special Publication 800-40
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-40
-      - 
-        uuid:     756a8e86-57d5-4701-8382-f7a40439665a
-        title:    NIST Special Publication 800-41
-        citation: 
-          text: NIST Special Publication 800-41
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-41
-      - 
-        uuid:     c6e95ca0-5828-420e-b095-00895b72b5e8
-        title:    NIST Special Publication 800-45
-        citation: 
-          text: NIST Special Publication 800-45
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-45
-      - 
-        uuid:     5309d4d0-46f8-4213-a749-e7584164e5e8
-        title:    NIST Special Publication 800-46
-        citation: 
-          text: NIST Special Publication 800-46
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-46
-      - 
-        uuid:     2711f068-734e-4afd-94ba-0b22247fbc88
-        title:    NIST Special Publication 800-47
-        citation: 
-          text: NIST Special Publication 800-47
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-47
-      - 
-        uuid:     238ed479-eccb-49f6-82ec-ab74a7a428cf
-        title:    NIST Special Publication 800-48
-        citation: 
-          text: NIST Special Publication 800-48
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-48
-      - 
-        uuid:     e12b5738-de74-4fb3-8317-a3995a8a1898
-        title:    NIST Special Publication 800-50
-        citation: 
-          text: NIST Special Publication 800-50
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-50
-      - 
-        uuid:     90c5bc98-f9c4-44c9-98b7-787422f0999c
-        title:    NIST Special Publication 800-52
-        citation: 
-          text: NIST Special Publication 800-52
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-52
-      - 
-        uuid:     cd4cf751-3312-4a55-b1a9-fad2f1db9119
-        title:    NIST Special Publication 800-53A
-        citation: 
-          text: NIST Special Publication 800-53A
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-53A
-      - 
-        uuid:     81f09e01-d0b0-4ae2-aa6a-064ed9950070
-        title:    NIST Special Publication 800-56
-        citation: 
-          text: NIST Special Publication 800-56
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-56
-      - 
-        uuid:     a6c774c0-bf50-4590-9841-2a5c1c91ac6f
-        title:    NIST Special Publication 800-57
-        citation: 
-          text: NIST Special Publication 800-57
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-57
-      - 
-        uuid:     7783f3e7-09b3-478b-9aa2-4a76dfd0ea90
-        title:    NIST Special Publication 800-58
-        citation: 
-          text: NIST Special Publication 800-58
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-58
-      - 
-        uuid:     f152844f-b1ef-4836-8729-6277078ebee1
-        title:    NIST Special Publication 800-60
-        citation: 
-          text: NIST Special Publication 800-60
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-60
-      - 
-        uuid:     be95fb85-a53f-4624-bdbb-140075500aa3
-        title:    NIST Special Publication 800-61
-        citation: 
-          text: NIST Special Publication 800-61
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-61
-      - 
-        uuid:     644f44a9-a2de-4494-9c04-cd37fba45471
-        title:    NIST Special Publication 800-63
-        citation: 
-          text: NIST Special Publication 800-63
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-63
-      - 
-        uuid:     abd950ae-092f-4b7a-b374-1c7c67fe9350
-        title:    NIST Special Publication 800-64
-        citation: 
-          text: NIST Special Publication 800-64
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-64
-      - 
-        uuid:     29fcfe59-33cd-494a-8756-5907ae3a8f92
-        title:    NIST Special Publication 800-65
-        citation: 
-          text: NIST Special Publication 800-65
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-65
-      - 
-        uuid:     84a37532-6db6-477b-9ea8-f9085ebca0fc
-        title:    NIST Special Publication 800-70
-        citation: 
-          text: NIST Special Publication 800-70
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-70
-      - 
-        uuid:     ead74ea9-4c9c-446d-9b92-bcbf0ad4b655
-        title:    NIST Special Publication 800-73
-        citation: 
-          text: NIST Special Publication 800-73
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-73
-      - 
-        uuid:     2a71298a-ee90-490e-80ff-48c967173a47
-        title:    NIST Special Publication 800-76
-        citation: 
-          text: NIST Special Publication 800-76
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-76
-      - 
-        uuid:     99f331f2-a9f0-46c2-9856-a3cbb9b89442
-        title:    NIST Special Publication 800-77
-        citation: 
-          text: NIST Special Publication 800-77
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-77
-      - 
-        uuid:     2042d97b-f7f6-4c74-84f8-981867684659
-        title:    NIST Special Publication 800-78
-        citation: 
-          text: NIST Special Publication 800-78
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-78
-      - 
-        uuid:     6af1e841-672c-46c4-b121-96f603d04be3
-        title:    NIST Special Publication 800-81
-        citation: 
-          text: NIST Special Publication 800-81
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-81
-      - 
-        uuid:     6d431fee-658f-4a0e-9f2e-a38b5d398fab
-        title:    NIST Special Publication 800-83
-        citation: 
-          text: NIST Special Publication 800-83
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-83
-      - 
-        uuid:     0243a05a-e8a3-4d51-9364-4a9d20b0dcdf
-        title:    NIST Special Publication 800-84
-        citation: 
-          text: NIST Special Publication 800-84
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-84
-      - 
-        uuid:     263823e0-a971-4b00-959d-315b26278b22
-        title:    NIST Special Publication 800-88
-        citation: 
-          text: NIST Special Publication 800-88
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-88
-      - 
-        uuid:     672fd561-b92b-4713-b9cf-6c9d9456728b
-        title:    NIST Special Publication 800-92
-        citation: 
-          text: NIST Special Publication 800-92
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-92
-      - 
-        uuid:     d1b1d689-0f66-4474-9924-c81119758dc1
-        title:    NIST Special Publication 800-94
-        citation: 
-          text: NIST Special Publication 800-94
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-94
-      - 
-        uuid:     1ebdf782-d95d-4a7b-8ec7-ee860951eced
-        title:    NIST Special Publication 800-95
-        citation: 
-          text: NIST Special Publication 800-95
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-95
-      - 
-        uuid:     6f336ecd-f2a0-4c84-9699-0491d81b6e0d
-        title:    NIST Special Publication 800-97
-        citation: 
-          text: NIST Special Publication 800-97
-        rlinks: 
-          - 
-            href: http://csrc.nist.gov/publications/PubsSPs.html#800-97
-      - 
-        uuid:     06dff0ea-3848-4945-8d91-e955ee69f05d
-        title:    NSTISSI No. 7003
-        citation: 
-          text: NSTISSI No. 7003
-        rlinks: 
-          - 
-            href: http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf
-      - 
-        uuid:     9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab
-        title:    OMB Circular A-130
-        citation: 
-          text: OMB Circular A-130
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/omb/circulars_a130_a130trans4
-      - 
-        uuid:     2c5884cd-7b96-425c-862a-99877e1cf909
-        title:    OMB Memorandum 02-01
-        citation: 
-          text: OMB Memorandum 02-01
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/omb/memoranda_m02-01
-      - 
-        uuid:     ff3bfb02-79b2-411f-8735-98dfe5af2ab0
-        title:    OMB Memorandum 04-04
-        citation: 
-          text: OMB Memorandum 04-04
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf
-      - 
-        uuid:     58ad6f27-af99-429f-86a8-8bb767b014b9
-        title:    OMB Memorandum 05-24
-        citation: 
-          text: OMB Memorandum 05-24
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf
-      - 
-        uuid:     4da24a96-6cf8-435d-9d1f-c73247cad109
-        title:    OMB Memorandum 06-16
-        citation: 
-          text: OMB Memorandum 06-16
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf
-      - 
-        uuid:     990268bf-f4a9-4c81-91ae-dc7d3115f4b1
-        title:    OMB Memorandum 07-11
-        citation: 
-          text: OMB Memorandum 07-11
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf
-      - 
-        uuid:     0b3d8ba9-051f-498d-81ea-97f0f018c612
-        title:    OMB Memorandum 07-18
-        citation: 
-          text: OMB Memorandum 07-18
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf
-      - 
-        uuid:     0916ef02-3618-411b-a525-565c088849a6
-        title:    OMB Memorandum 08-22
-        citation: 
-          text: OMB Memorandum 08-22
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf
-      - 
-        uuid:     28115a56-da6b-4d44-b1df-51dd7f048a3e
-        title:    OMB Memorandum 08-23
-        citation: 
-          text: OMB Memorandum 08-23
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf
-      - 
-        uuid:     599fe9ba-4750-4450-9eeb-b95bd19a5e8f
-        title:    OMB Memorandum 10-06-2011
-        citation: 
-          text: OMB Memorandum 10-06-2011
-      - 
-        uuid:     74e740a4-c45d-49f3-a86e-eb747c549e01
-        title:    OMB Memorandum 11-11
-        citation: 
-          text: OMB Memorandum 11-11
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf
-      - 
-        uuid:     bedb15b7-ec5c-4a68-807f-385125751fcd
-        title:    OMB Memorandum 11-33
-        citation: 
-          text: OMB Memorandum 11-33
-        rlinks: 
-          - 
-            href: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf
-      - 
-        uuid:     dd2f5acd-08f1-435a-9837-f8203088dc1a
-        title: 
-          """
-            Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-                        (E-PACS)
-          """
-        citation: 
-          text: 
-            """
-              Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-                             (E-PACS)
-            """
-      - 
-        uuid:     8ade2fbe-e468-4ca8-9a40-54d7f23c32bb
-        title:    US-CERT Technical Cyber Security Alerts
-        citation: 
-          text: US-CERT Technical Cyber Security Alerts
-        rlinks: 
-          - 
-            href: http://www.us-cert.gov/ncas/alerts
-      - 
-        uuid:       985475ee-d4d6-4581-8fdf-d84d3d8caa48
-        title:      FedRAMP Applicable Laws and Regulations
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-citations
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx
-      - 
-        uuid:       1a23a771-d481-4594-9a1a-71d584fa4123
-        title:      FedRAMP Master Acronym and Glossary
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-acronyms
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf
-      - 
-        uuid:       a2381e87-3d04-4108-a30b-b4d2f36d001f
-        desc:       FedRAMP Logo
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-logo
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png
-      - 
-        uuid:       ad005eae-cc63-4e64-9109-3905a9a825e4
-        title:      NIST Special Publication (SP) 800-53
-        properties: 
-          - 
-            name:  version
-            ns:    https://fedramp.gov/ns/oscal
-            value: Revision 4
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href:       ../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml
-            media-type: application/xml
diff --git a/content/fedramp.gov/yaml/FedRAMP_MODERATE-baseline_profile.yaml b/content/fedramp.gov/yaml/FedRAMP_MODERATE-baseline_profile.yaml
deleted file mode 100644
index c11f02e1f7..0000000000
--- a/content/fedramp.gov/yaml/FedRAMP_MODERATE-baseline_profile.yaml
+++ /dev/null
@@ -1,21952 +0,0 @@
-profile: 
-  uuid:        8383f859-be40-453d-9588-c645af5bef6f
-  metadata: 
-    title:               FedRAMP Moderate Baseline
-    published:           2020-06-01T00:00:00.000-04:00
-    last-modified:       2020-06-01T10:00:00.000-04:00
-    version:             1.2
-    oscal-version:       1.0.0-milestone3
-    roles: 
-      - 
-        id:    parpared-by
-        title: Document creator
-      - 
-        id:         fedramp-pmo
-        title:      The FedRAMP Program Management Office (PMO)
-        short-name: CSP
-      - 
-        id:         fedramp-jab
-        title:      The FedRAMP Joint Authorization Board (JAB)
-        short-name: CSP
-    parties: 
-      - 
-        uuid:            8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
-        type:            organization
-        party-name:      Federal Risk and Authorization Management Program: Program Management Office
-        short-name:      FedRAMP PMO
-        links: 
-          - 
-            href: https://fedramp.gov
-            rel:  homepage
-            text: 
-        addresses: 
-          - 
-            type:           work
-            postal-address: 1800 F St. NW,
-            city:           Washington
-            state:          DC
-            postal-code:    
-            country:        US
-        email-addresses: info@fedramp.gov
-      - 
-        uuid:       ca9ba80e-1342-4bfd-b32a-abac468c24b4
-        type:       organization
-        party-name: Federal Risk and Authorization Management Program: Joint Authorization Board
-        short-name: FedRAMP JAB
-    responsible-parties: 
-      prepared-by: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-pmo: 
-        party-uuids: 4aa7b203-318b-4cde-96cf-feaeffc3a4b7
-      fedramp-jab: 
-        party-uuids: ca9ba80e-1342-4bfd-b32a-abac468c24b4
-  imports: 
-    - 
-      href:    #ad005eae-cc63-4e64-9109-3905a9a825e4
-      include: 
-        id-selectors: 
-          - 
-            control-id: ac-1
-          - 
-            control-id: ac-2
-          - 
-            control-id: ac-2.1
-          - 
-            control-id: ac-2.2
-          - 
-            control-id: ac-2.3
-          - 
-            control-id: ac-2.4
-          - 
-            control-id: ac-2.5
-          - 
-            control-id: ac-2.7
-          - 
-            control-id: ac-2.9
-          - 
-            control-id: ac-2.10
-          - 
-            control-id: ac-2.12
-          - 
-            control-id: ac-3
-          - 
-            control-id: ac-4
-          - 
-            control-id: ac-4.21
-          - 
-            control-id: ac-5
-          - 
-            control-id: ac-6
-          - 
-            control-id: ac-6.1
-          - 
-            control-id: ac-6.2
-          - 
-            control-id: ac-6.5
-          - 
-            control-id: ac-6.9
-          - 
-            control-id: ac-6.10
-          - 
-            control-id: ac-7
-          - 
-            control-id: ac-8
-          - 
-            control-id: ac-10
-          - 
-            control-id: ac-11
-          - 
-            control-id: ac-11.1
-          - 
-            control-id: ac-12
-          - 
-            control-id: ac-14
-          - 
-            control-id: ac-17
-          - 
-            control-id: ac-17.1
-          - 
-            control-id: ac-17.2
-          - 
-            control-id: ac-17.3
-          - 
-            control-id: ac-17.4
-          - 
-            control-id: ac-17.9
-          - 
-            control-id: ac-18
-          - 
-            control-id: ac-18.1
-          - 
-            control-id: ac-19
-          - 
-            control-id: ac-19.5
-          - 
-            control-id: ac-20
-          - 
-            control-id: ac-20.1
-          - 
-            control-id: ac-20.2
-          - 
-            control-id: ac-21
-          - 
-            control-id: ac-22
-          - 
-            control-id: at-1
-          - 
-            control-id: at-2
-          - 
-            control-id: at-2.2
-          - 
-            control-id: at-3
-          - 
-            control-id: at-4
-          - 
-            control-id: au-1
-          - 
-            control-id: au-2
-          - 
-            control-id: au-2.3
-          - 
-            control-id: au-3
-          - 
-            control-id: au-3.1
-          - 
-            control-id: au-4
-          - 
-            control-id: au-5
-          - 
-            control-id: au-6
-          - 
-            control-id: au-6.1
-          - 
-            control-id: au-6.3
-          - 
-            control-id: au-7
-          - 
-            control-id: au-7.1
-          - 
-            control-id: au-8
-          - 
-            control-id: au-8.1
-          - 
-            control-id: au-9
-          - 
-            control-id: au-9.2
-          - 
-            control-id: au-9.4
-          - 
-            control-id: au-11
-          - 
-            control-id: au-12
-          - 
-            control-id: ca-1
-          - 
-            control-id: ca-2
-          - 
-            control-id: ca-2.1
-          - 
-            control-id: ca-2.2
-          - 
-            control-id: ca-2.3
-          - 
-            control-id: ca-3
-          - 
-            control-id: ca-3.3
-          - 
-            control-id: ca-3.5
-          - 
-            control-id: ca-5
-          - 
-            control-id: ca-6
-          - 
-            control-id: ca-7
-          - 
-            control-id: ca-7.1
-          - 
-            control-id: ca-8
-          - 
-            control-id: ca-8.1
-          - 
-            control-id: ca-9
-          - 
-            control-id: cm-1
-          - 
-            control-id: cm-2
-          - 
-            control-id: cm-2.1
-          - 
-            control-id: cm-2.2
-          - 
-            control-id: cm-2.3
-          - 
-            control-id: cm-2.7
-          - 
-            control-id: cm-3
-          - 
-            control-id: cm-4
-          - 
-            control-id: cm-5
-          - 
-            control-id: cm-5.1
-          - 
-            control-id: cm-5.3
-          - 
-            control-id: cm-5.5
-          - 
-            control-id: cm-6
-          - 
-            control-id: cm-6.1
-          - 
-            control-id: cm-7
-          - 
-            control-id: cm-7.1
-          - 
-            control-id: cm-7.2
-          - 
-            control-id: cm-7.5
-          - 
-            control-id: cm-8
-          - 
-            control-id: cm-8.1
-          - 
-            control-id: cm-8.3
-          - 
-            control-id: cm-8.5
-          - 
-            control-id: cm-9
-          - 
-            control-id: cm-10
-          - 
-            control-id: cm-10.1
-          - 
-            control-id: cm-11
-          - 
-            control-id: cp-1
-          - 
-            control-id: cp-2
-          - 
-            control-id: cp-2.1
-          - 
-            control-id: cp-2.2
-          - 
-            control-id: cp-2.3
-          - 
-            control-id: cp-2.8
-          - 
-            control-id: cp-3
-          - 
-            control-id: cp-4
-          - 
-            control-id: cp-4.1
-          - 
-            control-id: cp-6
-          - 
-            control-id: cp-6.1
-          - 
-            control-id: cp-6.3
-          - 
-            control-id: cp-7
-          - 
-            control-id: cp-7.1
-          - 
-            control-id: cp-7.2
-          - 
-            control-id: cp-7.3
-          - 
-            control-id: cp-8
-          - 
-            control-id: cp-8.1
-          - 
-            control-id: cp-8.2
-          - 
-            control-id: cp-9
-          - 
-            control-id: cp-9.1
-          - 
-            control-id: cp-9.3
-          - 
-            control-id: cp-10
-          - 
-            control-id: cp-10.2
-          - 
-            control-id: ia-1
-          - 
-            control-id: ia-2
-          - 
-            control-id: ia-2.1
-          - 
-            control-id: ia-2.2
-          - 
-            control-id: ia-2.3
-          - 
-            control-id: ia-2.5
-          - 
-            control-id: ia-2.8
-          - 
-            control-id: ia-2.11
-          - 
-            control-id: ia-2.12
-          - 
-            control-id: ia-3
-          - 
-            control-id: ia-4
-          - 
-            control-id: ia-4.4
-          - 
-            control-id: ia-5
-          - 
-            control-id: ia-5.1
-          - 
-            control-id: ia-5.2
-          - 
-            control-id: ia-5.3
-          - 
-            control-id: ia-5.4
-          - 
-            control-id: ia-5.6
-          - 
-            control-id: ia-5.7
-          - 
-            control-id: ia-5.11
-          - 
-            control-id: ia-6
-          - 
-            control-id: ia-7
-          - 
-            control-id: ia-8
-          - 
-            control-id: ia-8.1
-          - 
-            control-id: ia-8.2
-          - 
-            control-id: ia-8.3
-          - 
-            control-id: ia-8.4
-          - 
-            control-id: ir-1
-          - 
-            control-id: ir-2
-          - 
-            control-id: ir-3
-          - 
-            control-id: ir-3.2
-          - 
-            control-id: ir-4
-          - 
-            control-id: ir-4.1
-          - 
-            control-id: ir-5
-          - 
-            control-id: ir-6
-          - 
-            control-id: ir-6.1
-          - 
-            control-id: ir-7
-          - 
-            control-id: ir-7.1
-          - 
-            control-id: ir-7.2
-          - 
-            control-id: ir-8
-          - 
-            control-id: ir-9
-          - 
-            control-id: ir-9.1
-          - 
-            control-id: ir-9.2
-          - 
-            control-id: ir-9.3
-          - 
-            control-id: ir-9.4
-          - 
-            control-id: ma-1
-          - 
-            control-id: ma-2
-          - 
-            control-id: ma-3
-          - 
-            control-id: ma-3.1
-          - 
-            control-id: ma-3.2
-          - 
-            control-id: ma-3.3
-          - 
-            control-id: ma-4
-          - 
-            control-id: ma-4.2
-          - 
-            control-id: ma-5
-          - 
-            control-id: ma-5.1
-          - 
-            control-id: ma-6
-          - 
-            control-id: mp-1
-          - 
-            control-id: mp-2
-          - 
-            control-id: mp-3
-          - 
-            control-id: mp-4
-          - 
-            control-id: mp-5
-          - 
-            control-id: mp-5.4
-          - 
-            control-id: mp-6
-          - 
-            control-id: mp-6.2
-          - 
-            control-id: mp-7
-          - 
-            control-id: mp-7.1
-          - 
-            control-id: pe-1
-          - 
-            control-id: pe-2
-          - 
-            control-id: pe-3
-          - 
-            control-id: pe-4
-          - 
-            control-id: pe-5
-          - 
-            control-id: pe-6
-          - 
-            control-id: pe-6.1
-          - 
-            control-id: pe-8
-          - 
-            control-id: pe-9
-          - 
-            control-id: pe-10
-          - 
-            control-id: pe-11
-          - 
-            control-id: pe-12
-          - 
-            control-id: pe-13
-          - 
-            control-id: pe-13.2
-          - 
-            control-id: pe-13.3
-          - 
-            control-id: pe-14
-          - 
-            control-id: pe-14.2
-          - 
-            control-id: pe-15
-          - 
-            control-id: pe-16
-          - 
-            control-id: pe-17
-          - 
-            control-id: pl-1
-          - 
-            control-id: pl-2
-          - 
-            control-id: pl-2.3
-          - 
-            control-id: pl-4
-          - 
-            control-id: pl-4.1
-          - 
-            control-id: pl-8
-          - 
-            control-id: ps-1
-          - 
-            control-id: ps-2
-          - 
-            control-id: ps-3
-          - 
-            control-id: ps-3.3
-          - 
-            control-id: ps-4
-          - 
-            control-id: ps-5
-          - 
-            control-id: ps-6
-          - 
-            control-id: ps-7
-          - 
-            control-id: ps-8
-          - 
-            control-id: ra-1
-          - 
-            control-id: ra-2
-          - 
-            control-id: ra-3
-          - 
-            control-id: ra-5
-          - 
-            control-id: ra-5.1
-          - 
-            control-id: ra-5.2
-          - 
-            control-id: ra-5.3
-          - 
-            control-id: ra-5.5
-          - 
-            control-id: ra-5.6
-          - 
-            control-id: ra-5.8
-          - 
-            control-id: sa-1
-          - 
-            control-id: sa-2
-          - 
-            control-id: sa-3
-          - 
-            control-id: sa-4
-          - 
-            control-id: sa-4.1
-          - 
-            control-id: sa-4.2
-          - 
-            control-id: sa-4.8
-          - 
-            control-id: sa-4.9
-          - 
-            control-id: sa-4.10
-          - 
-            control-id: sa-5
-          - 
-            control-id: sa-8
-          - 
-            control-id: sa-9
-          - 
-            control-id: sa-9.1
-          - 
-            control-id: sa-9.2
-          - 
-            control-id: sa-9.4
-          - 
-            control-id: sa-9.5
-          - 
-            control-id: sa-10
-          - 
-            control-id: sa-10.1
-          - 
-            control-id: sa-11
-          - 
-            control-id: sa-11.1
-          - 
-            control-id: sa-11.2
-          - 
-            control-id: sa-11.8
-          - 
-            control-id: sc-1
-          - 
-            control-id: sc-2
-          - 
-            control-id: sc-4
-          - 
-            control-id: sc-5
-          - 
-            control-id: sc-6
-          - 
-            control-id: sc-7
-          - 
-            control-id: sc-7.3
-          - 
-            control-id: sc-7.4
-          - 
-            control-id: sc-7.5
-          - 
-            control-id: sc-7.7
-          - 
-            control-id: sc-7.8
-          - 
-            control-id: sc-7.12
-          - 
-            control-id: sc-7.13
-          - 
-            control-id: sc-7.18
-          - 
-            control-id: sc-8
-          - 
-            control-id: sc-8.1
-          - 
-            control-id: sc-10
-          - 
-            control-id: sc-12
-          - 
-            control-id: sc-12.2
-          - 
-            control-id: sc-12.3
-          - 
-            control-id: sc-13
-          - 
-            control-id: sc-15
-          - 
-            control-id: sc-17
-          - 
-            control-id: sc-18
-          - 
-            control-id: sc-19
-          - 
-            control-id: sc-20
-          - 
-            control-id: sc-21
-          - 
-            control-id: sc-22
-          - 
-            control-id: sc-23
-          - 
-            control-id: sc-28
-          - 
-            control-id: sc-28.1
-          - 
-            control-id: sc-39
-          - 
-            control-id: si-1
-          - 
-            control-id: si-2
-          - 
-            control-id: si-2.2
-          - 
-            control-id: si-2.3
-          - 
-            control-id: si-3
-          - 
-            control-id: si-3.1
-          - 
-            control-id: si-3.2
-          - 
-            control-id: si-3.7
-          - 
-            control-id: si-4
-          - 
-            control-id: si-4.1
-          - 
-            control-id: si-4.2
-          - 
-            control-id: si-4.4
-          - 
-            control-id: si-4.5
-          - 
-            control-id: si-4.14
-          - 
-            control-id: si-4.16
-          - 
-            control-id: si-4.23
-          - 
-            control-id: si-5
-          - 
-            control-id: si-6
-          - 
-            control-id: si-7
-          - 
-            control-id: si-7.1
-          - 
-            control-id: si-7.7
-          - 
-            control-id: si-8
-          - 
-            control-id: si-8.1
-          - 
-            control-id: si-8.2
-          - 
-            control-id: si-10
-          - 
-            control-id: si-11
-          - 
-            control-id: si-12
-          - 
-            control-id: si-16
-  merge: 
-    combine: 
-      method: keep
-    as-is:   true
-  modify: 
-    parameter-settings: 
-      ac-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ac-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ac-2_prm_4: 
-        constraints: 
-          - 
-            detail: at least annually
-      ac-2.2_prm_2: 
-        constraints: 
-          - 
-            detail: no more than 30 days for temporary and emergency account types
-      ac-2.3_prm_1: 
-        constraints: 
-          - 
-            detail: 90 days for user accounts
-      ac-6.2_prm_1: 
-        constraints: 
-          - 
-            detail: all security functions
-      ac-7_prm_1: 
-        constraints: 
-          - 
-            detail: not more than three (3)
-      ac-7_prm_2: 
-        constraints: 
-          - 
-            detail: fifteen (15) minutes
-      ac-7_prm_4: 
-        constraints: 
-          - 
-            detail: locks the account/node for thirty minutes
-      ac-8_prm_1: 
-        constraints: 
-          - 
-            detail: see additional Requirements and Guidance
-      ac-8_prm_2: 
-        constraints: 
-          - 
-            detail: see additional Requirements and Guidance]
-      ac-10_prm_2: 
-        constraints: 
-          - 
-            detail: three (3) sessions for privileged access and two (2) sessions for non-privileged access
-      ac-11_prm_1: 
-        constraints: 
-          - 
-            detail: fifteen (15) minutes
-      ac-17.9_prm_1: 
-        constraints: 
-          - 
-            detail: fifteen 15 minutes
-      ac-22_prm_1: 
-        constraints: 
-          - 
-            detail: at least quarterly
-      at-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      at-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      at-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      at-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      at-4_prm_1: 
-        constraints: 
-          - 
-            detail: At least one year
-      au-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      au-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      au-2_prm_1: 
-        constraints: 
-          - 
-            detail: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-      au-2_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event
-      au-2.3_prm_1: 
-        constraints: 
-          - 
-            detail: annually or whenever there is a change in the threat environment
-      au-3.1_prm_1: 
-        constraints: 
-          - 
-            detail: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon
-      au-5_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined actions to be taken (overwrite oldest record)
-      au-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      au-8.1_prm_1: 
-        constraints: 
-          - 
-            detail: At least hourly
-      au-8.1_prm_2: 
-        constraints: 
-          - 
-            detail: http://tf.nist.gov/tf-cgi/servers.cgi
-      au-9.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      au-11_prm_1: 
-        constraints: 
-          - 
-            detail: at least ninety days
-      au-12_prm_1: 
-        constraints: 
-          - 
-            detail: all information system and network components where audit capability is deployed/available
-      ca-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ca-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-2_prm_2: 
-        constraints: 
-          - 
-            detail: individuals or roles to include FedRAMP PMO
-      ca-2.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ca-2.3_prm_1: 
-        constraints: 
-          - 
-            detail: any FedRAMP Accredited 3PAO
-      ca-2.3_prm_2: 
-        constraints: 
-          - 
-            detail: any FedRAMP Accredited 3PAO
-      ca-2.3_prm_3: 
-        constraints: 
-          - 
-            detail: the conditions of the JAB/AO in the FedRAMP Repository
-      ca-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually and on input from FedRAMP
-      ca-3.3_prm_2: 
-        constraints: 
-          - 
-            detail: Boundary Protections which meet the Trusted Internet Connection (TIC) requirements
-      ca-5_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      ca-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least every three (3) years or when a significant change occurs
-      ca-7_prm_4: 
-        constraints: 
-          - 
-            detail: to meet Federal and FedRAMP requirements (See additional guidance)
-      ca-7_prm_5: 
-        constraints: 
-          - 
-            detail: to meet Federal and FedRAMP requirements (See additional guidance)
-      ca-8_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      cm-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      cm-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      cm-2.1_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually or when a significant change occurs
-      cm-2.1_prm_2: 
-        constraints: 
-          - 
-            detail: to include when directed by the JAB
-      cm-5.5_prm_1: 
-        constraints: 
-          - 
-            detail: at least quarterly
-      cm-6_prm_1: 
-        guidance: 
-          - 
-            prose: See CM-6(a) Additional FedRAMP Requirements and Guidance
-      cm-7_prm_1: 
-        constraints: 
-          - 
-            detail: United States Government Configuration Baseline (USGCB)
-      cm-7.1_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      cm-7.5_prm_2: 
-        constraints: 
-          - 
-            detail: at least Annually or when there is a change
-      cm-8_prm_2: 
-        constraints: 
-          - 
-            detail: at least monthly
-      cm-8.3_prm_1: 
-        constraints: 
-          - 
-            detail: Continuously, using automated mechanisms with a maximum five-minute delay in detection
-      cm-11_prm_3: 
-        constraints: 
-          - 
-            detail: Continuously (via CM-7 (5))
-      cp-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      cp-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-2_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-3_prm_1: 
-        constraints: 
-          - 
-            detail: ten (10) days
-      cp-3_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-4_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      cp-4_prm_2: 
-        constraints: 
-          - 
-            detail: functional exercises
-      cp-9_prm_1: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9_prm_2: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9_prm_3: 
-        constraints: 
-          - 
-            detail: daily incremental; weekly full
-      cp-9.1_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ia-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ia-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ia-2.11_prm_1: 
-        constraints: 
-          - 
-            detail: FIPS 140-2, NIAP Certification, or NSA approval
-      ia-4_prm_2: 
-        constraints: 
-          - 
-            detail: IA-4 (d) [at least two years]
-      ia-4_prm_3: 
-        constraints: 
-          - 
-            detail: ninety days for user identifiers (See additional requirements and guidance)
-      ia-4.4_prm_1: 
-        constraints: 
-          - 
-            detail: contractors; foreign nationals
-      ia-5.1_prm_2: 
-        constraints: 
-          - 
-            detail: at least one
-      ia-5.1_prm_4: 
-        constraints: 
-          - 
-            detail: twenty four (24)
-      ia-5.3_prm_1: 
-        constraints: 
-          - 
-            detail: All hardware/biometric (multifactor authenticators)
-      ia-5.3_prm_2: 
-        constraints: 
-          - 
-            detail: in person
-      ir-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ir-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-2_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-3_prm_2: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP Requirements and Guidance
-      ir-6_prm_1: 
-        constraints: 
-          - 
-            detail: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-      ir-8_prm_2: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP Requirements and Guidance
-      ir-8_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ir-8_prm_4: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP Requirements and Guidance
-      ma-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ma-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ma-3.3_prm_1: 
-        constraints: 
-          - 
-            detail: the information owner explicitly authorizing removal of the equipment from the facility
-      mp-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      mp-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      mp-3_prm_1: 
-        constraints: 
-          - 
-            detail: no removable media types
-      mp-4_prm_1: 
-        constraints: 
-          - 
-            detail: all types of digital and non-digital media with sensitive information
-      mp-4_prm_2: 
-        constraints: 
-          - 
-            detail: see additional FedRAMP requirements and guidance
-      mp-5_prm_1: 
-        constraints: 
-          - 
-            detail: all media with sensitive information
-      mp-5_prm_2: 
-        constraints: 
-          - 
-            detail: prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container
-      mp-6.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      pe-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-3_prm_2: 
-        constraints: 
-          - 
-            detail: CSP defined physical access control systems/devices AND guards
-      pe-3_prm_3: 
-        constraints: 
-          - 
-            detail: CSP defined physical access control systems/devices
-      pe-3_prm_6: 
-        constraints: 
-          - 
-            detail: in all circumstances within restricted access area where the information system resides
-      pe-3_prm_8: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-3_prm_9: 
-        constraints: 
-          - 
-            detail: at least annually
-      pe-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      pe-8_prm_1: 
-        constraints: 
-          - 
-            detail: for a minimum of one (1) year
-      pe-8_prm_2: 
-        constraints: 
-          - 
-            detail: at least monthly
-      pe-14_prm_1: 
-        constraints: 
-          - 
-            detail: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-      pe-14_prm_2: 
-        constraints: 
-          - 
-            detail: continuously
-      pe-16_prm_1: 
-        constraints: 
-          - 
-            detail: all information system components
-      pl-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      pl-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      pl-2_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      pl-4_prm_1: 
-        constraints: 
-          - 
-            detail: At least every 3 years
-      pl-8_prm_1: 
-        constraints: 
-          - 
-            detail: At least annually or when a significant change occurs
-      ps-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ps-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-2_prm_1: 
-        constraints: 
-          - 
-            detail: at least every three years
-      ps-3_prm_1: 
-        constraints: 
-          - 
-            detail: for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions
-      ps-3.3_prm_1: 
-        constraints: 
-          - 
-            detail: personnel screening criteria - as required by specific information
-      ps-4_prm_1: 
-        constraints: 
-          - 
-            detail: same day
-      ps-5_prm_4: 
-        constraints: 
-          - 
-            detail: five days of the time period following the formal transfer action (DoD 24 hours)
-      ps-6_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-6_prm_2: 
-        constraints: 
-          - 
-            detail: at least annually
-      ps-7_prm_2: 
-        constraints: 
-          - 
-            detail: organization-defined time period - same day
-      ra-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      ra-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      ra-3_prm_2: 
-        constraints: 
-          - 
-            detail: security assessment report
-      ra-3_prm_3: 
-        constraints: 
-          - 
-            detail: at least every three (3) years or when a significant change occurs
-      ra-3_prm_5: 
-        constraints: 
-          - 
-            detail: at least every three (3) years or when a significant change occurs
-      ra-5_prm_1: 
-        constraints: 
-          - 
-            detail: monthly operating system/infrastructure; monthly web applications and databases
-      ra-5_prm_2: 
-        constraints: 
-          - 
-            detail: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery
-      ra-5.2_prm_1: 
-        constraints: 
-          - 
-            detail: prior to a new scan
-      ra-5.5_prm_1: 
-        constraints: 
-          - 
-            detail: operating systems / web applications / databases
-      ra-5.5_prm_2: 
-        constraints: 
-          - 
-            detail: all scans
-      sa-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      sa-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      sa-4.2_prm_1: 
-        constraints: 
-          - 
-            detail: to include security-relevant external system interfaces and high-level design
-      sa-4.8_prm_1: 
-        constraints: 
-          - 
-            detail: at least the minimum requirement as defined in control CA-7
-      sa-9_prm_1: 
-        constraints: 
-          - 
-            detail: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-      sa-9_prm_2: 
-        constraints: 
-          - 
-            detail: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-      sa-9.2_prm_1: 
-        constraints: 
-          - 
-            detail: all external systems where Federal information is processed or stored
-      sa-9.4_prm_2: 
-        constraints: 
-          - 
-            detail: all external systems where Federal information is processed or stored
-      sa-9.5_prm_1: 
-        constraints: 
-          - 
-            detail: information processing, information data, AND information services
-      sa-10_prm_1: 
-        constraints: 
-          - 
-            detail: development, implementation, AND operation
-      sc-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      sc-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      sc-7.4_prm_1: 
-        constraints: 
-          - 
-            detail: at least annually
-      sc-8_prm_1: 
-        constraints: 
-          - 
-            detail: confidentiality AND integrity
-      sc-8.1_prm_1: 
-        constraints: 
-          - 
-            detail: prevent unauthorized disclosure of information AND detect changes to information
-      sc-8.1_prm_2: 
-        constraints: 
-          - 
-            detail: a hardened or alarmed carrier Protective Distribution System (PDS)
-      sc-10_prm_1: 
-        constraints: 
-          - 
-            detail: no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions
-      sc-12.2_prm_1: 
-        constraints: 
-          - 
-            detail: NIST FIPS-compliant
-      sc-13_prm_1: 
-        constraints: 
-          - 
-            detail: FIPS-validated or NSA-approved cryptography
-      sc-15_prm_1: 
-        constraints: 
-          - 
-            detail: no exceptions
-      sc-28_prm_1: 
-        constraints: 
-          - 
-            detail: confidentiality AND integrity
-      si-1_prm_2: 
-        constraints: 
-          - 
-            detail: at least every 3 years
-      si-1_prm_3: 
-        constraints: 
-          - 
-            detail: at least annually
-      si-2_prm_1: 
-        constraints: 
-          - 
-            detail: within 30 days of release of updates
-      si-2.2_prm_1: 
-        constraints: 
-          - 
-            detail: at least monthly
-      si-3_prm_1: 
-        constraints: 
-          - 
-            detail: at least weekly
-      si-3_prm_2: 
-        constraints: 
-          - 
-            detail: to include endpoints
-      si-3_prm_3: 
-        constraints: 
-          - 
-            detail: to include alerting administrator or defined security personnel
-      si-4.4_prm_1: 
-        constraints: 
-          - 
-            detail: continuously
-      si-5_prm_1: 
-        constraints: 
-          - 
-            detail: to include US-CERT
-      si-5_prm_2: 
-        constraints: 
-          - 
-            detail: to include system security personnel and administrators with configuration/patch-management responsibilities
-      si-6_prm_3: 
-        constraints: 
-          - 
-            detail: to include upon system startup and/or restart
-      si-6_prm_4: 
-        constraints: 
-          - 
-            detail: at least monthly
-      si-6_prm_5: 
-        constraints: 
-          - 
-            detail: to include system administrators and security personnel
-      si-6_prm_7: 
-        constraints: 
-          - 
-            detail: to include notification of system administrators and security personnel
-      si-7.1_prm_3: 
-        constraints: 
-          - 
-            detail: Selection to include security relevant events
-      si-7.1_prm_4: 
-        constraints: 
-          - 
-            detail: at least monthly
-    alterations: 
-      - 
-        control-id: ac-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-10_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-10_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-11
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-11.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-11.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-11.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-11.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-11.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-12
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-14
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-14.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-14.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-14.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-17
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-17.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-17.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-17.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-17.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-17.4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-17.9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-17.9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-17.9_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-17.9_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-18
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-18.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-18.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-18.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-18.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-19
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-19
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-19.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-19.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-19.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-19.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-19.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-19.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ac-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.g_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.h_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.i_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.j_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.j_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.k_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.10
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.10_smt
-            parts: 
-              - 
-                id:    ac-2.10_fr
-                name:  item
-                title: AC-2 (10) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.10_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Required if shared/group accounts are deployed
-          - 
-            position:   starting
-            id-ref:     ac-2.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.12
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.12_smt
-            parts: 
-              - 
-                id:    ac-2.12_fr
-                name:  item
-                title: AC-2 (12) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Guidance:
-                    prose:      Required for privileged accounts.
-                  - 
-                    id:         ac-2.12_fr_gdn.2
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Guidance:
-                    prose:      Required for privileged accounts.
-          - 
-            position:   starting
-            id-ref:     ac-2.12
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.12.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.12.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.12.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.12.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.4_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.5_smt
-            parts: 
-              - 
-                id:    ac-2.5_fr
-                name:  item
-                title: AC-2 (5) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Should use a shorter timeframe than AC-12.
-          - 
-            position:   starting
-            id-ref:     ac-2.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-2.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-2.7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-2.7.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.7.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-2.9
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-2.9_smt
-            parts: 
-              - 
-                id:    ac-2.9_fr
-                name:  item
-                title: AC-2 (9) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-2.9_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Required if shared/group accounts are deployed
-          - 
-            position:   starting
-            id-ref:     ac-2.9_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-2.9_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-20
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-20.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-20.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-20.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-20.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-20.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-20.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-21
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-21.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-21.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-21.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-21.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-22
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-22
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-22.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-22.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-22.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-4.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-4.21
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-4.21_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-4.21_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-4.21_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-5_smt
-            parts: 
-              - 
-                id:    ac-5_fr
-                name:  item
-                title: AC-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac.5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.
-          - 
-            position:   starting
-            id-ref:     ac-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ac-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.2
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-6.2_smt
-            parts: 
-              - 
-                id:    ac-6.2_fr
-                name:  item
-                title: AC-6 (2) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-6.2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
-          - 
-            position:   starting
-            id-ref:     ac-6.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-6.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-6.9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-6.9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-6.9_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ac-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ac-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ac-8_smt
-            parts: 
-              - 
-                id:    ac-8_fr
-                name:  item
-                title: AC-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ac-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-                  - 
-                    id:         ac-8_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-                  - 
-                    id:         ac-8_fr_smt.3
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     ac-8.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-8.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ac-8.c.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ac-8.c.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: at-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: at-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: at-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-2.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: at-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     at-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: at-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     at-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     at-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     at-4.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     at-4.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: au-11
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-11_smt
-            parts: 
-              - 
-                id:    au-11_fr
-                name:  item
-                title: AU-11 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-11_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-          - 
-            position:   starting
-            id-ref:     au-11
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-11.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-12.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-12.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-12.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-12.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-2_smt
-            parts: 
-              - 
-                id:    au-2_fr
-                name:  item
-                title: AU-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-2_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     au-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-2.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-2.3
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-2.3_smt
-            parts: 
-              - 
-                id:    au-2.3_fr
-                name:  item
-                title: AU-2 (3) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-2.3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     au-2.3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-3.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-3.1_smt
-            parts: 
-              - 
-                id:    au-3.1_fr
-                name:  item
-                title: AU-3 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-3.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines audit record types *[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]*.  The audit record types are approved and accepted by the JAB/AO.
-                  - 
-                    id:         au-3.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
-          - 
-            position:   starting
-            id-ref:     au-3.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-3.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-6_smt
-            parts: 
-              - 
-                id:    au-6_fr
-                name:  item
-                title: AU-6 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-          - 
-            position:   starting
-            id-ref:     au-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-6.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-6.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: au-6.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-6.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     au-7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-7.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-7.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-8.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   au-8.1_smt
-            parts: 
-              - 
-                id:    au-8.1_fr
-                name:  item
-                title: AU-8 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         au-8.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
-                  - 
-                    id:         au-8.1_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
-                  - 
-                    id:         au-8.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Synchronization of system clocks improves the accuracy of log analysis.
-          - 
-            position:   starting
-            id-ref:     au-8.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-8.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.1.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-8.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-8.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-9.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     au-9.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-9.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-9.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     au-9.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-9.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: au-9.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     au-9.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     au-9.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ca-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-2_smt
-            parts: 
-              - 
-                id:    ca-2_fr
-                name:  item
-                title: CA-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-2.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-2.1_smt
-            parts: 
-              - 
-                id:    ca-2.1_fr
-                name:  item
-                title: CA-2 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-          - 
-            position:   starting
-            id-ref:     ca-2.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-2.2
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-2.2_smt
-            parts: 
-              - 
-                id:    ca-2.2_fr
-                name:  item
-                title: CA-2 (2) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-2.2_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      To include 'announced', 'vulnerability scanning'
-          - 
-            position:   starting
-            id-ref:     ca-2.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.2_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-2.3_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-3.3
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-3.3_smt
-            parts: 
-              - 
-                id:    ca-3.3_fr
-                name:  item
-                title: CA-3 (3) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-3.3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.
-          - 
-            position:   starting
-            id-ref:     ca-3.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-3.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-3.5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-3.5_smt
-            parts: 
-              - 
-                id:    ca-3.5_fr
-                name:  item
-                title: CA-3 (5) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-3.5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing
-          - 
-            position:   starting
-            id-ref:     ca-3.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-3.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-3.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-5_smt
-            parts: 
-              - 
-                id:    ca-5_fr
-                name:  item
-                title: CA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-5_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Plan of Action & Milestones (POA&M) must be provided at least monthly.
-                  - 
-                    id:         ca-5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-6_smt
-            parts: 
-              - 
-                id:    ca-6_fr
-                name:  item
-                title: CA-6(c) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-          - 
-            position:   starting
-            id-ref:     ca-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-6.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-6.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-7
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-7_smt
-            parts: 
-              - 
-                id:    ca-7_fr
-                name:  item
-                title: CA-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-7_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-                  - 
-                    id:         ca-7_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-                  - 
-                    id:         ca-7_fr_gdn.2
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.b_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.g_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-7.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-7.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ca-8_smt
-            parts: 
-              - 
-                id:    ca-8_fr
-                name:  item
-                title: CA-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ca-8_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance [https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/)
-                                          
-                      """
-          - 
-            position:   starting
-            id-ref:     ca-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-8_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ca-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ca-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ca-9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ca-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ca-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ca-9.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-10.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-10.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-10.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-10.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-10.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-10.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-11.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-11.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-11.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-2.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.1.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.2_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-2.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-2.7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-2.7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-2.7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-3_smt
-            parts: 
-              - 
-                id:    cm-3_fr
-                name:  item
-                title: CM-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-3_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.
-                  - 
-                    id:         cm-3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (e) Guidance:
-                    prose:      In accordance with record retention policies and procedures.
-          - 
-            position:   starting
-            id-ref:     cm-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-3.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-3.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-3.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.g_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-3.g_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-5.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5_obj.7
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5_obj.8
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-5.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5.3
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-5.3_smt
-            parts: 
-              - 
-                id:    cm-5.3_fr
-                name:  item
-                title: CM-5 (3) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-5.3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
-          - 
-            position:   starting
-            id-ref:     cm-5.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-5.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-5.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-5.5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-5.5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-5.5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cm-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-6_smt
-            parts: 
-              - 
-                id:    cm-6_fr
-                name:  item
-                title: CM-6(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement 1:
-                    prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. 
-                  - 
-                    id:         cm-6_fr_smt.2
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement 2:
-                    prose:      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available).
-                  - 
-                    id:         cm-6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline).
-          - 
-            position:   starting
-            id-ref:     cm-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cm-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.c_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-6.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-6.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-6.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-7_smt
-            parts: 
-              - 
-                id:    cm-7_fr
-                name:  item
-                title: CM-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-7_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-                  - 
-                    id:         cm-7_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Information on the USGCB checklists can be found at: [http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc](http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc). Partially derived from AC-17(8).
-          - 
-            position:   starting
-            id-ref:     cm-7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-7.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-7.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-7.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7.2
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-7.2_smt
-            parts: 
-              - 
-                id:    cm-7.2_fr
-                name:  item
-                title: CM-7 (2) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-7.2_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.
-          - 
-            position:   starting
-            id-ref:     cm-7.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-7.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-7.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-7.5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-7.5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-7.5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   cm-8_smt
-            parts: 
-              - 
-                id:    cm-8_fr
-                name:  item
-                title: CM-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cm-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Must be provided at least monthly or when there is a change.
-          - 
-            position:   starting
-            id-ref:     cm-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-8.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.a.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-8.3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-8.3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cm-8.3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-8.3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-8.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-8.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cm-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cm-9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cm-9.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-9.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-9.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-9.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cm-9.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: cp-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-10.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-10.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-10.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-2_smt
-            parts: 
-              - 
-                id:    cp-2_fr
-                name:  item
-                title: CP-2 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-2_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-2 Requirement:
-                    prose:      For JAB authorizations the contingency lists include designated FedRAMP personnel.
-          - 
-            position:   starting
-            id-ref:     cp-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-2.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.6_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.a.6_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-2.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-2.g_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-2.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-2.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-4_smt
-            parts: 
-              - 
-                id:    cp-4_fr
-                name:  item
-                title: CP-4(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-4_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-4(a) Requirement:
-                    prose:      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-          - 
-            position:   starting
-            id-ref:     cp-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-4.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     cp-6.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-6.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-6.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-6.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-7
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-7_smt
-            parts: 
-              - 
-                id:    cp-7_fr
-                name:  item
-                title: CP-7 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-7_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-          - 
-            position:   starting
-            id-ref:     cp-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-7.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-7.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-7.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-7.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-7.1_smt
-            parts: 
-              - 
-                id:    cp-7.1_fr
-                name:  item
-                title: CP-7 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-7.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.
-          - 
-            position:   starting
-            id-ref:     cp-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-7.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-7.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-7.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-7.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-7.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-8_smt
-            parts: 
-              - 
-                id:    cp-8_fr
-                name:  item
-                title: CP-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-          - 
-            position:   starting
-            id-ref:     cp-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-8.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-8.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-8.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: cp-9
-        additions: 
-          - 
-            position: ending
-            id-ref:   cp-9_smt
-            parts: 
-              - 
-                id:    cp-9_fr
-                name:  item
-                title: CP-9 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         cp-9_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-                  - 
-                    id:         cp-9_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(a) Requirement:
-                    prose:      The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-                  - 
-                    id:         cp-9_fr_smt.b
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(b)Requirement:
-                    prose:      The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-                  - 
-                    id:         cp-9_fr_smt.c
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: CP-9(c)Requirement:
-                    prose:      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-          - 
-            position:   starting
-            id-ref:     cp-9
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     cp-9.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-9.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-9.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     cp-9.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: cp-9.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     cp-9.3_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.3_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     cp-9.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ia-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ia-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.11
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-2.11_smt
-            parts: 
-              - 
-                id:    ia-2.11_fr
-                name:  item
-                title: IA-2 (11) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-2.11_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.11_obj.6
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.12
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-2.12_smt
-            parts: 
-              - 
-                id:    ia-2.12_fr
-                name:  item
-                title: IA-2 (12) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-2.12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-          - 
-            position:   starting
-            id-ref:     ia-2.12_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-2.12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-2.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-2.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-4_smt
-            parts: 
-              - 
-                id:    ia-4_fr
-                name:  item
-                title: IA-4(e) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-4_fr_smt.e
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines the time period of inactivity for device identifiers.
-                  - 
-                    id:         ia-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP [http://iase.disa.mil/cloud_security/Pages/index.aspx](http://iase.disa.mil/cloud_security/Pages/index.aspx).
-          - 
-            position:   starting
-            id-ref:     ia-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-4.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-4.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-4.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-4.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-5_smt
-            parts: 
-              - 
-                id:    ia-5_fr
-                name:  item
-                title: IA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-5_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link [https://pages.nist.gov/800-63-3](https://pages.nist.gov/800-63-3).
-          - 
-            position:   starting
-            id-ref:     ia-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.h_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.i_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ia-5.i_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.j_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-5.1_smt
-            parts: 
-              - 
-                id:    ia-5.1_fr
-                name:  item
-                title: IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-5.1_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) (d) Guidance:
-                    prose:      If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-          - 
-            position:   starting
-            id-ref:     ia-5.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.a_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.d_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.1.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.1.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.11_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.11_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-5.2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.3_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ia-5.4
-        additions: 
-          - 
-            position: ending
-            id-ref:   ia-5.4_smt
-            parts: 
-              - 
-                id:    ia-5.4_fr
-                name:  item
-                title: IA-5 (4) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ia-5.4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.
-          - 
-            position:   starting
-            id-ref:     ia-5.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-5.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-5.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-5.7_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ia-8.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ia-8.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ia-8.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ia-8.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ir-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-3_smt
-            parts: 
-              - 
-                id:    ir-3_fr
-                name:  item
-                title: IR-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-3_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: IR-3 -2 Requirement:
-                    prose:      The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
-          - 
-            position:   starting
-            id-ref:     ir-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-3_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-3.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-4_smt
-            parts: 
-              - 
-                id:    ir-4_fr
-                name:  item
-                title: IR-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-4_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-          - 
-            position:   starting
-            id-ref:     ir-4.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-6
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-6_smt
-            parts: 
-              - 
-                id:    ir-6_fr
-                name:  item
-                title: IR-6 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-6_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Report security incident information according to FedRAMP Incident Communications Procedure.
-          - 
-            position:   starting
-            id-ref:     ir-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-7.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-7.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-7.2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-7.2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ir-8_smt
-            parts: 
-              - 
-                id:    ir-8_fr
-                name:  item
-                title: IR-8 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ir-8_fr_smt.b
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Requirement:
-                    prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-                  - 
-                    id:         ir-8_fr_smt.e
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (e) Requirement:
-                    prose:      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.
-          - 
-            position:   starting
-            id-ref:     ir-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-8.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.a.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.a.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-8.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-8.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ir-9.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ir-9.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-9.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-9.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ir-9.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ir-9.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ir-9.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ir-9.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ir-9.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ma-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-2.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-2.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ma-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-3.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-3.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-3.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-3.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-3.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ma-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-4.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-4.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-4.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ma-4.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: ma-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ma-5.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   ma-5.1_smt
-            parts: 
-              - 
-                id:    ma-5.1_fr
-                name:  item
-                title: MA-5 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ma-5.1_fr_smt.b
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline
-          - 
-            position:   starting
-            id-ref:     ma-5.1.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-5.1.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ma-5.1.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ma-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ma-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-6.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ma-6.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     mp-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: mp-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   mp-3_smt
-            parts: 
-              - 
-                id:    mp-3_fr
-                name:  item
-                title: MP-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         mp-3_fr_gdn.b
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Guidance:
-                    prose:      Second parameter not-applicable
-          - 
-            position:   starting
-            id-ref:     mp-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-3.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   mp-4_smt
-            parts: 
-              - 
-                id:    mp-4_fr
-                name:  item
-                title: MP-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         mp-4_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider defines controlled areas within facilities where the information and information system reside.
-          - 
-            position:   starting
-            id-ref:     mp-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-4.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-4.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   mp-5_smt
-            parts: 
-              - 
-                id:    mp-5_fr
-                name:  item
-                title: MP-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         mp-5_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.
-          - 
-            position:   starting
-            id-ref:     mp-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-5.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-5.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-5.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-5.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     mp-6.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-6.2
-        additions: 
-          - 
-            position: ending
-            id-ref:   mp-6.2_smt
-            parts: 
-              - 
-                id:    mp-6.2_fr
-                name:  item
-                title: MP-6 (2) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         mp-6.2_fr_gdn.a
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      Equipment and procedures may be tested or validated for effectiveness
-          - 
-            position:   starting
-            id-ref:     mp-6.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     mp-6.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-6.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     mp-7_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: mp-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     mp-7.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: pe-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-10.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-10.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-10.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-10.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-11_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-13
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-13.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-13.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-13.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-13.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-13.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-14
-        additions: 
-          - 
-            position: ending
-            id-ref:   pe-14_smt
-            parts: 
-              - 
-                id:    pe-14_fr
-                name:  item
-                title: PE-14(a) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         pe-14_fr_smt.a
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (a) Requirement:
-                    prose:      The service provider measures temperature at server inlets and humidity levels by dew point.
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.b_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-14.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-14.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-14.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-15
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-15_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-16
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.5
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.6
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.7
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.8
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-16_obj.9
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: pe-17
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-17.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-17.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-17.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-17.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pe-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.e_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-3.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-3.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-4_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-6.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-6.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: pe-6.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-6.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pe-8.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-8.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pe-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pe-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pe-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pe-9_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     pl-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: pl-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pl-2.a.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.5_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.a.9_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-2.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-2.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-2.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: pl-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     pl-4.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-4.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: pl-8
-        additions: 
-          - 
-            position: ending
-            id-ref:   pl-8_smt
-            parts: 
-              - 
-                id:    pl-8_fr
-                name:  item
-                title: PL-8(b) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         pl-8_fr_gdn.b
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: (b) Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-          - 
-            position:   starting
-            id-ref:     pl-8
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     pl-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     pl-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     pl-8.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ps-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-3.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-3.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-3.3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-3.3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-3.3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-4.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-4.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-4.f_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-5.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-5.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-6.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.c.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ps-6.c.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-6.c.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-7
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ps-7.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ps-7.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.d_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-7.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ps-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ps-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ps-8.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     ra-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: ra-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-3
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-3_smt
-            parts: 
-              - 
-                id:    ra-3_fr
-                name:  item
-                title: RA-3 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-3_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
-                  - 
-                    id:         ra-3_fr_smt.d
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: RA-3 (d) Requirement:
-                    prose:      Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-          - 
-            position:   starting
-            id-ref:     ra-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-3.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-3.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-5_smt.a
-            parts: 
-              - 
-                id:         ra-5_fr_smt.a
-                name:       item
-                title:      RA-5(a) Additional FedRAMP Requirements and Guidance
-                properties: 
-                  - 
-                    name:  label
-                    value: RA-5 (a)Requirement:
-                prose:      An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-          - 
-            position: ending
-            id-ref:   ra-5_smt.e
-            parts: 
-              - 
-                id:         ra-5_fr_smt.e
-                name:       item
-                title:      RA-5(e) Additional FedRAMP Requirements and Guidance
-                properties: 
-                  - 
-                    name:  label
-                    value: RA-5 (e)Requirement:
-                prose:      To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-          - 
-            position: ending
-            id-ref:   ra-5_smt
-            parts: 
-              - 
-                id:    ra-5_fr
-                name:  item
-                title: RA-5 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose: 
-                      """
-                        
-                                             **See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))
-                      """
-          - 
-            position:   starting
-            id-ref:     ra-5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.b.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.e_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-5.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.3_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     ra-5.3_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     ra-5.5
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     ra-5.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     ra-5.5_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.6
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-5.6_smt
-            parts: 
-              - 
-                id:    ra-5.6_fr
-                name:  item
-                title: RA-5 (6) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5.6_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Include in Continuous Monitoring ISSO digest/report to JAB/AO
-          - 
-            position:   starting
-            id-ref:     ra-5.6_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: ra-5.8
-        additions: 
-          - 
-            position: ending
-            id-ref:   ra-5.8_smt
-            parts: 
-              - 
-                id:    ra-5.8_fr
-                name:  item
-                title: RA-5 (8) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         ra-5.8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      This enhancement is required for all high vulnerability scan findings.
-                  - 
-                    id:         ra-5.8_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.
-          - 
-            position:   starting
-            id-ref:     ra-5.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sa-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: sa-10
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-10_smt
-            parts: 
-              - 
-                id:    sa-10_fr
-                name:  item
-                title: SA-10 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-10_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: (e)  Requirement:
-                    prose:      For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.
-          - 
-            position:   starting
-            id-ref:     sa-10.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-10.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-10.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-10.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-10.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-10.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-10.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-10.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-10.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-11.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-11.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-11.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-11.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-11.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-11.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-11.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-11.1
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-11.1_smt
-            parts: 
-              - 
-                id:    sa-11.1_fr
-                name:  item
-                title: SA-11 (1) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-11.1_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-          - 
-            position:   starting
-            id-ref:     sa-11.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-11.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-11.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-11.8
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-11.8_smt
-            parts: 
-              - 
-                id:    sa-11.8_fr
-                name:  item
-                title: SA-11 (8) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-11.8_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-          - 
-            position:   starting
-            id-ref:     sa-11.8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-2.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-2.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-2.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-3.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-3.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-4_smt
-            parts: 
-              - 
-                id:    sa-4_fr
-                name:  item
-                title: SA-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See [http://www.niap-ccevs.org/vpl](http://www.niap-ccevs.org/vpl) or [http://www.commoncriteriaportal.org/products.html](http://www.commoncriteriaportal.org/products.html).
-          - 
-            position:   starting
-            id-ref:     sa-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.10_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-4.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-4.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.8
-        additions: 
-          - 
-            position: ending
-            id-ref:   sa-4.8_smt
-            parts: 
-              - 
-                id:    sa-4.8_fr
-                name:  item
-                title: SA-4 (8) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sa-4.8_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      CSP must use the same security standards regardless of where the system component or information system service is acquired.
-          - 
-            position:   starting
-            id-ref:     sa-4.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-4.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-4.9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-4.9_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: sa-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-5.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-5.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-5.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.1.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sa-9.1.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.1.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-      - 
-        control-id: sa-9.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.4_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sa-9.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sa-9.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sa-9.5_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     sc-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: sc-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-10_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-12
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-12_smt
-            parts: 
-              - 
-                id:    sc-12_fr
-                name:  item
-                title: SC-12 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-12_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      Federally approved and validated cryptography.
-          - 
-            position:   starting
-            id-ref:     sc-12.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-12.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-12.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-12.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-12.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-12.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-13
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-13
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-13_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-15
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-15_smt
-            parts: 
-              - 
-                id:    sc-15_fr
-                name:  item
-                title: SC-15 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-15_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-          - 
-            position:   starting
-            id-ref:     sc-15.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-15.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-15.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-17
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-17_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-17_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-18.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-18.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-18.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-18.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-18.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-18.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-19
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-19.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-19.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-19.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-19.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-19.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-20
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-20.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-20.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-21
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-21_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-22
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-22_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-22_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-23
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-23_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-28
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-28_smt
-            parts: 
-              - 
-                id:    sc-28_fr
-                name:  item
-                title: SC-28 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-28_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      The organization supports the capability to use cryptographic mechanisms to protect information at rest.
-          - 
-            position:   starting
-            id-ref:     sc-28.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-28.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-28.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-28.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-28.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-28.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-39
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-39_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-4_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-5.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-5.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-5.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-6_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-6_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-6_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.a_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.12_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.12_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.12_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.13
-        additions: 
-          - 
-            position: ending
-            id-ref:   sc-7.13_smt
-            parts: 
-              - 
-                id:    sc-7.13_fr
-                name:  item
-                title: SC-7 (13) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         sc-7.13_fr_smt.1
-                    name:       item
-                    properties: 
-                      - 
-                        name:  label
-                        value: Requirement:
-                    prose:      The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
-          - 
-            position:   starting
-            id-ref:     sc-7.13_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.13_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.18
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.18_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.3_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     sc-7.4.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.4.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.4.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.4.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.4.e_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.4.e_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.4.e_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     sc-7.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-7.8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-7.8_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.8_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-7.8_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-8_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: sc-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     sc-8.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     sc-8.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.a.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-1.b.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-1.b.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: si-10
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-10_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-10_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-11
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-11.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-11.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-11.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-12
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-12_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-16
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-16_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-16_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.a_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-2.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-2.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-2.2_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.2_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-2.3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-2.3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-2.3.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-2.3.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-      - 
-        control-id: si-3
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-3.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-3.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-3.c.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.c.2_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-3.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-3.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-3.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-3.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-3.7_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4
-        additions: 
-          - 
-            position: ending
-            id-ref:   si-4_smt
-            parts: 
-              - 
-                id:    si-4_fr
-                name:  item
-                title: SI-4 Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         si-4_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      See US-CERT Incident Response Reporting Guidelines.
-          - 
-            position:   starting
-            id-ref:     si-4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-4.a.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.a.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.a.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.b.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.b.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.c_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.e_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.f_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.g_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.14
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.14
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-4.14_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.14_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-4.14_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.16
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.16_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.23
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.23_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.23_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.23_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.4
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-4.4
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-4.4_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.4_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-4.5
-        additions: 
-          - 
-            position: ending
-            id-ref:   si-4.5_smt
-            parts: 
-              - 
-                id:    si-4.5_fr
-                name:  item
-                title: SI-4 (5) Additional FedRAMP Requirements and Guidance
-                parts: 
-                  - 
-                    id:         si-4.5_fr_gdn.1
-                    name:       guidance
-                    properties: 
-                      - 
-                        name:  label
-                        value: Guidance:
-                    prose:      In accordance with the incident response plan.
-          - 
-            position:   starting
-            id-ref:     si-4.5_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.5_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-4.5_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-5
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-5.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-5.c_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-5.d_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-6
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-6
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-6.a_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.a_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-6.b_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.b_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.b_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-6.c_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.c_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-          - 
-            position:   starting
-            id-ref:     si-6.d_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-6.d_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7_obj.1.a
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7_obj.1.b
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7_obj.1.c
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-7.1_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.1_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.1_obj.3
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.1_obj.4
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-7.7
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-7.7_obj.1
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-7.7_obj.2
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-8
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-8.a_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-          - 
-            position:   starting
-            id-ref:     si-8.b_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-8.1
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-8.1
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-8.1_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-      - 
-        control-id: si-8.2
-        additions: 
-          - 
-            position:   starting
-            id-ref:     si-8.2
-            properties: 
-              - 
-                name:  CORE
-                ns:    https://fedramp.gov/ns/oscal
-                value: 
-          - 
-            position:   starting
-            id-ref:     si-8.2_obj
-            properties: 
-              - 
-                name:  conformity
-                ns:    https://fedramp.gov/ns/oscal
-                value: assessment-objective
-              - 
-                name:  method
-                class: fedramp
-                value: EXAMINE
-              - 
-                name:  method
-                class: fedramp
-                value: INTERVIEW
-              - 
-                name:  method
-                class: fedramp
-                value: TEST
-  back-matter: 
-    resources: 
-      - 
-        uuid:       985475ee-d4d6-4581-8fdf-d84d3d8caa48
-        title:      FedRAMP Applicable Laws and Regulations
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-citations
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx
-      - 
-        uuid:       1a23a771-d481-4594-9a1a-71d584fa4123
-        title:      FedRAMP Master Acronym and Glossary
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-acronyms
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf
-      - 
-        uuid:       a2381e87-3d04-4108-a30b-b4d2f36d001f
-        desc:       FedRAMP Logo
-        properties: 
-          - 
-            name:  conformity
-            ns:    https://fedramp.gov/ns/oscal
-            value: fedramp-logo
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png
-      - 
-        uuid:       ad005eae-cc63-4e64-9109-3905a9a825e4
-        title:      NIST Special Publication (SP) 800-53
-        properties: 
-          - 
-            name:  version
-            ns:    https://fedramp.gov/ns/oscal
-            value: Revision 4
-          - 
-            name:  keep
-            value: always
-        rlinks: 
-          - 
-            href:       ../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml
-            media-type: application/xml
diff --git a/content/nist.gov/SP800-53/README.md b/content/nist.gov/SP800-53/README.md
index 0232538dbb..f57b2df529 100644
--- a/content/nist.gov/SP800-53/README.md
+++ b/content/nist.gov/SP800-53/README.md
@@ -1,20 +1,3 @@
-# NIST produced OSCAL content for NIST Special Publication 800-53
+# Content Moved
 
-NIST is maintining OSCAL content for multiple revisions of the NIST Special Publication (SP) 800-53.
-
-OSCAL XML-, JSON-, and YAML-based content is provided for the following revisions:
-
-- NIST [SP 800-53 Revision 4][sp800-53-rev4] OSCAL catalog and baseline profiles [content][sp800-53-rev4-oscal].
-- NIST [SP 800-53 Revision 5][sp800-53-rev5] Final Public Draft (FPD) OSCAL catalog [content][sp800-53-rev5-oscal].
-
-    Note: In the SP 800-53 Revision 5 FPD, the control catalog and control baselines are separated. The control baselines will be published at a future date. When the baselines are published, NIST will provide a corresponding OSCAL profile for each baseline at that time.
-
-    Please refer to the [publication announcement][sp800-53-rev5-announcement] for more information, along with information on providing feedback on the draft.
-
-The OSCAL XML, JSON, and YAML variants are all equivalent in their information content. These variants are provided to support tooling on different format-specific implementation stacks.
-
-[sp800-53-rev4-oscal]: rev4
-[sp800-53-rev4]: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
-[sp800-53-rev5-oscal]: rev5
-[sp800-53-rev5]: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
-[sp800-53-rev5-announcement]: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
\ No newline at end of file
+All NIST Special Publication (SP) 800-53 OSCAL content files have been moved to the [OSCAL content GitHub repository](https://github.com/usnistgov/oscal-content/tree/master/nist.gov/SP800-53).
diff --git a/content/ssp-example/json/ssp-example-min.json b/content/ssp-example/json/ssp-example-min.json
deleted file mode 100644
index f84bc74309..0000000000
--- a/content/ssp-example/json/ssp-example-min.json
+++ /dev/null
@@ -1,376 +0,0 @@
-{
-    "system-security-plan": {
-        "uuid": "66c2a1c8-5830-48bd-8fdd-55a1c3a52888",
-        "metadata": {
-            "title": "Enterprise Logging and Auditing System Security Plan",
-            "last-modified": "2019-09-23T18:14:50.591Z",
-            "version": "1.0",
-            "oscal-version": "1.0.0-milestone3",
-            "roles": [
-                {
-                    "id": "legal-officer",
-                    "title": "Legal Officer"
-                }
-            ],
-            "parties": [
-                {
-                    "uuid": "3b2a5599-cc37-403f-ae36-5708fa804b27",
-                    "type": "organization",
-                    "party-name": "Enterprise Asset Owners"
-                },
-                {
-                    "uuid": "833ac398-5c9a-4e6b-acba-2a9c11399da0",
-                    "type": "organization",
-                    "party-name": "Enterprise Asset Administrators"
-                },
-                {
-                    "uuid": "ec485dcf-2519-43f5-8e7d-014cc315332d",
-                    "type": "organization",
-                    "party-name": "Legal Department"
-                },
-                {
-                    "uuid": "0f0c15ed-565e-4ce9-8670-b54853d0bf03",
-                    "type": "organization",
-                    "party-name": "IT Department"
-                },
-                {
-                    "uuid": "96c362ee-a012-4e07-92f3-486ab303b0e7",
-                    "type": "organization",
-                    "party-name": "Acme Corp"
-                }
-            ]
-        },
-        "import-profile": {"href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json"},
-        "system-characteristics": {
-            "system-name": "Enterprise Logging and Auditing System",
-            "description": "This is an example of a system that provides enterprise logging and log auditing capabilities.",
-            "system-ids": [
-                {
-                    "id": "d7456980-9277-4dcb-83cf-f8ff0442623b",
-                    "identifier-type": "https://ietf.org/rfc/rfc4122"
-                }
-            ],
-            "security-sensitivity-level": "moderate",
-            "system-information": {
-                "information-types": [
-                    {
-                        "uuid": "7d28ac6e-5970-4f4c-a508-5a3715f0f02b",
-                        "title": "System and Network Monitoring",
-                        "information-type-ids": {
-                            "https://doi.org/10.6028/NIST.SP.800-60v2r1": {"id": "C.3.5.8"}
-                        },
-                        "description": "This system maintains historical logging and auditing information for all client devices connected to this system.",
-                        "confidentiality-impact": {"base": "fips-199-moderate"},
-                        "integrity-impact": {"base": "fips-199-moderate"},
-                        "availability-impact": {"base": "fips-199-low"}
-                    }
-                ]
-            },
-            "security-impact-level": {
-                "security-objective-confidentiality": "fips-199-moderate",
-                "security-objective-integrity": "fips-199-moderate",
-                "security-objective-availability": "fips-199-low"
-            },
-            "status": {
-                "state": "other",
-                "remarks": "This is an example, and is not intended to be implemented as a system"
-            },
-            "annotations": [
-                {
-                    "name": "deployment-model",
-                    "value": "private"
-                },
-                {
-                    "name": "service-models",
-                    "value": "iaas"
-                }
-            ],
-            "authorization-boundary": {"description": "The description of the authorization boundary would go here."}
-        },
-        "system-implementation": {
-            "remarks": "This is a partial implementation that addresses the logging server portion of the auditing system.",
-            "users": {
-                "9824089b-322c-456f-86c4-4111c4200f69": {
-                    "title": "System Administrator",
-                    "role-ids": ["asset-administrator"],
-                    "annotations": [
-                        {
-                            "name": "type",
-                            "value": "internal"
-                        }
-                    ]
-                },
-                "ae8de94c-835d-4303-83b1-114b6a117a07": {
-                    "title": "Audit Team",
-                    "role-ids": ["asset-owner"],
-                    "annotations": [
-                        {
-                            "name": "type",
-                            "value": "internal"
-                        }
-                    ]
-                },
-                "372ce7a3-92b0-437e-a98c-24d29f9bfab8": {
-                    "title": "Legal Department",
-                    "role-ids": ["legal-officer"],
-                    "annotations": [
-                        {
-                            "name": "type",
-                            "value": "internal"
-                        }
-                    ]
-                }
-            },
-            "components": {
-                "e00acdcf-911b-437d-a42f-b0b558cc4f03": {
-                    "title": "Logging Server",
-                    "description": "Provides a means for hosts to publish logged events to a central server.",
-                    "status": {"state": "operational"},
-                    "component-type": "software",
-                    "responsible-roles": {
-                        "provider": {
-                            "party-uuids": ["96c362ee-a012-4e07-92f3-486ab303b0e7"]
-                        },
-                        "asset-owner": {
-                            "party-uuids": ["3b2a5599-cc37-403f-ae36-5708fa804b27"]
-                        },
-                        "asset-administrator": {
-                            "party-uuids": ["833ac398-5c9a-4e6b-acba-2a9c11399da0"]
-                        }
-                    }
-                },
-                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                    "title": "Enterprise Logging, Monitoring, and Alerting Policy",
-                    "component-type": "policy",
-                    "description": "Requires all components to send logs to the enterprise logging solution\n\u2014 Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency.\n\u2014 Identifies the events that must be captured\n\u2014 Identifies who is responsible/accountable for performing these functions",
-                    "status": {"state": "operational"},
-                    "properties": [
-                        {
-                            "name": "version",
-                            "value": "2.1"
-                        },
-                        {
-                            "name": "last-modified-date",
-                            "value": "20181015"
-                        }
-                    ],
-                    "responsible-roles": {
-                        "maintainer": {
-                            "party-uuids": ["ec485dcf-2519-43f5-8e7d-014cc315332d"]
-                        }
-                    }
-                },
-                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                    "title": "System Integration Process",
-                    "component-type": "process",
-                    "description": "Ensures proper integration into the enterprise as new systems are brought into production.",
-                    "status": {"state": "operational"},
-                    "properties": [
-                        {
-                            "name": "last-modified-date",
-                            "value": "20181015"
-                        }
-                    ],
-                    "responsible-roles": {
-                        "maintainer": {
-                            "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"]
-                        }
-                    },
-                    "links": [
-                        {
-                            "rel": "implements-policy",
-                            "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-                            "text": "Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized."
-                        }
-                    ]
-                },
-                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                    "title": "Inventory Management Process",
-                    "component-type": "process",
-                    "description": "Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.",
-                    "status": {"state": "operational"},
-                    "properties": [
-                        {
-                            "name": "last-modified-date",
-                            "value": "20181015"
-                        }
-                    ],
-                    "responsible-roles": {
-                        "maintainer": {
-                            "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"]
-                        }
-                    },
-                    "links": [
-                        {
-                            "rel": "implements-policy",
-                            "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-                            "text": "Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server."
-                        }
-                    ]
-                },
-                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                    "title": "Configuration Management Guidance",
-                    "component-type": "guidance",
-                    "description": "Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.",
-                    "status": {"state": "operational"},
-                    "properties": [
-                        {
-                            "name": "last-modified-date",
-                            "value": "20181015"
-                        }
-                    ],
-                    "responsible-roles": {
-                        "maintainer": {
-                            "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"]
-                        }
-                    },
-                    "links": [
-                        {
-                            "rel": "implements-policy",
-                            "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-                            "text": "Ensures that all host are configured to publish log events to the logging server."
-                        }
-                    ]
-                }
-            },
-            "system-inventory": {
-                "inventory-items": {
-                    "c9c32657-a0eb-4cf2-b5c1-20928983063c": {
-                        "description": "The logging server.",
-                        "asset-id": "asset-id-logging-server",
-                        "responsible-parties": {
-                            "asset-administrator": {
-                                "party-uuids": ["833ac398-5c9a-4e6b-acba-2a9c11399da0"]
-                            },
-                            "asset-owner": {
-                                "party-uuids": ["3b2a5599-cc37-403f-ae36-5708fa804b27"]
-                            }
-                        },
-                        "implemented-components": {
-                            "e00acdcf-911b-437d-a42f-b0b558cc4f03": {"use": "runs-software"},
-                            "795533ab-9427-4abe-820f-0b571bacfe6d": {"use": "enforces-policy"}
-                        }
-                    }
-                }
-            }
-        },
-        "control-implementation": {
-            "description": "This is the control implementation for the system.",
-            "implemented-requirements": [
-                {
-                    "uuid": "aaadb3ff-6ae8-4332-92db-211468c52af2",
-                    "control-id": "au-1",
-                    "description": "This should be a description of how au-1 is implemented.",
-                    "statements": {
-                        "au-1smt": {
-                            "uuid": "7ad47329-dc55-4196-a19d-178a8fe7438d",
-                            "description": "N/A"
-                        },
-                        "au-1smt.a": {
-                            "uuid": "f3887a91-9ed3-425c-b305-21e4634a1c34",
-                            "description": "",
-                            "by-components": {
-                                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                                    "uuid": "a74681b2-fbcb-46eb-90fd-0d55aa74ac7b",
-                                    "description": "The legal department develops, documents, and disseminates this policy to all staff and contractors within the organization.",
-                                    "parameter-settings": {
-                                        "au-1_prm_1": {"value": "all staff and contractors within the organization"}
-                                    }
-                                },
-                                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                                    "uuid": "4f873ce6-dd49-4a46-bd4a-5041c22665f1",
-                                    "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                                    "parameter-settings": {
-                                        "au-1_prm_1": {"value": "all IT staff who administer this system when the staff member is assigned and annually through training"}
-                                    }
-                                },
-                                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                                    "uuid": "ea85a624-cd21-4c63-abe0-f66087e97241",
-                                    "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                                    "parameter-settings": {
-                                        "au-1_prm_1": {"value": "all IT staff who administer this system when the staff member is assigned and annually through training"}
-                                    }
-                                },
-                                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                                    "uuid": "b5e5823a-844f-4306-a5ab-7e110679e0d5",
-                                    "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                                    "parameter-settings": {
-                                        "au-1_prm_1": {"value": "all IT staff who administer this system when the staff member is assigned and annually through training"}
-                                    }
-                                }
-                            }
-                        },
-                        "au-1smt.a.1": {
-                            "uuid": "6fe632bd-33aa-4eea-a507-a37f0d212085",
-                            "by-components": {
-                                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                                    "uuid": "2d0a7b08-da7f-4691-b99c-8fd9df02b25c",
-                                    "description": "This policy explicitly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This section also describes responsibilities for organizational coordination. Management commitment and compliance statements are made in the board\u2019s directive memo dated January 1, 2012."
-                                }
-                            }
-                        },
-                        "au-1smt.a.2": {
-                            "uuid": "dbe9af68-1cd9-4ff1-965b-8f887351d411",
-                            "by-components": {
-                                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                                    "uuid": "dd4fd380-7a2a-4fba-9e98-933ba5cfc04d",
-                                    "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                                },
-                                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                                    "uuid": "3b912d0f-2463-497c-8d8a-72416f38e999",
-                                    "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                                },
-                                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                                    "uuid": "226ee2a2-cbdb-498f-8182-94dfa013476c",
-                                    "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                                }
-                            }
-                        },
-                        "au-1_smt.b": {
-                            "uuid": "b1773cd6-afc5-4c87-84a7-f182e6be5af9",
-                            "remarks": "N/A"
-                        },
-                        "au-1_smt.b.1": {
-                            "uuid": "75873308-f37d-4e89-9c27-29f3dee4b314",
-                            "by-components": {
-                                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                                    "uuid": "23903c59-1327-46f0-9c28-09ec7f144214",
-                                    "parameter-settings": {
-                                        "au-1_prm_2": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"}
-                                    },
-                                    "description": "The legal department reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal department updates the policy as needed based on these reviews."
-                                }
-                            }
-                        },
-                        "au-1_smt.b.2": {
-                            "uuid": "74b5b0f2-9915-4f80-b7cd-379566442ab6",
-                            "by-components": {
-                                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                                    "uuid": "0c45b6e2-f85b-4656-a6cc-2a302d184720",
-                                    "parameter-settings": {
-                                        "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"}
-                                    },
-                                    "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews."
-                                },
-                                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                                    "uuid": "094f02ce-4b7a-405c-90a5-ab4d95133f74",
-                                    "parameter-settings": {
-                                        "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"}
-                                    },
-                                    "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews."
-                                },
-                                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                                    "uuid": "7ec8b7ec-d931-4055-ac74-6d288d636787",
-                                    "parameter-settings": {
-                                        "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"}
-                                    },
-                                    "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews"
-                                }
-                            }
-                        }
-                    }
-                }
-            ]
-        }
-    }
-}
\ No newline at end of file
diff --git a/content/ssp-example/json/ssp-example.json b/content/ssp-example/json/ssp-example.json
deleted file mode 100644
index 83453bc2f4..0000000000
--- a/content/ssp-example/json/ssp-example.json
+++ /dev/null
@@ -1,442 +0,0 @@
-{
-  "system-security-plan": {
-    "uuid": "66c2a1c8-5830-48bd-8fdd-55a1c3a52888",
-    "metadata": {
-      "title": "Enterprise Logging and Auditing System Security Plan",
-      "last-modified": "2019-09-23T18:14:50.591Z",
-      "version": "1.0",
-      "oscal-version": "1.0.0-milestone3",
-      "roles": [
-        {
-          "id": "legal-officer",
-          "title": "Legal Officer"
-        }
-      ],
-      "parties": [
-        {
-          "uuid": "3b2a5599-cc37-403f-ae36-5708fa804b27",
-          "type": "organization",
-          "party-name": "Enterprise Asset Owners"
-        },
-        {
-          "uuid": "833ac398-5c9a-4e6b-acba-2a9c11399da0",
-          "type": "organization",
-          "party-name": "Enterprise Asset Administrators"
-        },
-        {
-          "uuid": "ec485dcf-2519-43f5-8e7d-014cc315332d",
-          "type": "organization",
-          "party-name": "Legal Department"
-        },
-        {
-          "uuid": "0f0c15ed-565e-4ce9-8670-b54853d0bf03",
-          "type": "organization",
-          "party-name": "IT Department"
-        },
-        {
-          "uuid": "96c362ee-a012-4e07-92f3-486ab303b0e7",
-          "type": "organization",
-          "party-name": "Acme Corp"
-        }
-      ]
-    },
-    "import-profile": {
-      "href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json"
-    },
-    "system-characteristics": {
-      "system-name": "Enterprise Logging and Auditing System",
-      "description": "This is an example of a system that provides enterprise logging and log auditing capabilities.",
-      "system-ids": [
-        {
-          "id": "d7456980-9277-4dcb-83cf-f8ff0442623b",
-          "identifier-type": "https://ietf.org/rfc/rfc4122"
-        }
-      ],
-      "security-sensitivity-level": "moderate",
-      "system-information": {
-        "information-types": [
-          {
-            "uuid": "7d28ac6e-5970-4f4c-a508-5a3715f0f02b",
-            "title": "System and Network Monitoring",
-            "information-type-ids": {
-              "https://doi.org/10.6028/NIST.SP.800-60v2r1": {
-                "id": "C.3.5.8"
-              }
-            },
-            "description": "This system maintains historical logging and auditing information for all client devices connected to this system.",
-            "confidentiality-impact": {
-              "base": "fips-199-moderate"
-            },
-            "integrity-impact": {
-              "base": "fips-199-moderate"
-            },
-            "availability-impact": {
-              "base": "fips-199-low"
-            }
-          }
-        ]
-      },
-      "security-impact-level": {
-        "security-objective-confidentiality": "fips-199-moderate",
-        "security-objective-integrity": "fips-199-moderate",
-        "security-objective-availability": "fips-199-low"
-      },
-      "status": {
-        "state": "other",
-        "remarks": "This is an example, and is not intended to be implemented as a system"
-      },
-      "annotations": [
-        {
-          "name": "deployment-model",
-          "value": "private"
-        },
-        {
-          "name": "service-models",
-          "value": "iaas"
-        }
-      ],
-      "authorization-boundary": {
-        "description": "The description of the authorization boundary would go here."
-      }
-    },
-    "system-implementation": {
-      "remarks": "This is a partial implementation that addresses the logging server portion of the auditing system.",
-      "users": {
-        "9824089b-322c-456f-86c4-4111c4200f69": {
-          "title": "System Administrator",
-          "role-ids": [
-            "asset-administrator"
-          ],
-          "annotations": [
-            {
-              "name": "type",
-              "value": "internal"
-            }
-          ]
-        },
-        "ae8de94c-835d-4303-83b1-114b6a117a07": {
-          "title": "Audit Team",
-          "role-ids": [
-            "asset-owner"
-          ],
-          "annotations": [
-            {
-              "name": "type",
-              "value": "internal"
-            }
-          ]
-        },
-        "372ce7a3-92b0-437e-a98c-24d29f9bfab8": {
-          "title": "Legal Department",
-          "role-ids": [
-            "legal-officer"
-          ],
-          "annotations": [
-            {
-              "name": "type",
-              "value": "internal"
-            }
-          ]
-        }
-      },
-      "components": {
-        "e00acdcf-911b-437d-a42f-b0b558cc4f03": {
-          "title": "Logging Server",
-          "description": "Provides a means for hosts to publish logged events to a central server.",
-          "status": {
-            "state": "operational"
-          },
-          "component-type": "software",
-          "responsible-roles": {
-            "provider": {
-              "party-uuids": [
-                "96c362ee-a012-4e07-92f3-486ab303b0e7"
-              ]
-            },
-            "asset-owner": {
-              "party-uuids": [
-                "3b2a5599-cc37-403f-ae36-5708fa804b27"
-              ]
-            },
-            "asset-administrator": {
-              "party-uuids": [
-                "833ac398-5c9a-4e6b-acba-2a9c11399da0"
-              ]
-            }
-          }
-        },
-        "795533ab-9427-4abe-820f-0b571bacfe6d": {
-          "title": "Enterprise Logging, Monitoring, and Alerting Policy",
-          "component-type": "policy",
-          "description": "Requires all components to send logs to the enterprise logging solution\n— Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency.\n— Identifies the events that must be captured\n— Identifies who is responsible/accountable for performing these functions",
-          "status": {
-            "state": "operational"
-          },
-          "properties": [
-            {
-              "name": "version",
-              "value": "2.1"
-            },
-            {
-              "name": "last-modified-date",
-              "value": "20181015"
-            }
-          ],
-          "responsible-roles": {
-            "maintainer": {
-              "party-uuids": [
-                "ec485dcf-2519-43f5-8e7d-014cc315332d"
-              ]
-            }
-          }
-        },
-        "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-          "title": "System Integration Process",
-          "component-type": "process",
-          "description": "Ensures proper integration into the enterprise as new systems are brought into production.",
-          "status": {
-            "state": "operational"
-          },
-          "properties": [
-            {
-              "name": "last-modified-date",
-              "value": "20181015"
-            }
-          ],
-          "responsible-roles": {
-            "maintainer": {
-              "party-uuids": [
-                "0f0c15ed-565e-4ce9-8670-b54853d0bf03"
-              ]
-            }
-          },
-          "links": [
-            {
-              "rel": "implements-policy",
-              "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-              "text": "Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized."
-            }
-          ]
-        },
-        "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-          "title": "Inventory Management Process",
-          "component-type": "process",
-          "description": "Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.",
-          "status": {
-            "state": "operational"
-          },
-          "properties": [
-            {
-              "name": "last-modified-date",
-              "value": "20181015"
-            }
-          ],
-          "responsible-roles": {
-            "maintainer": {
-              "party-uuids": [
-                "0f0c15ed-565e-4ce9-8670-b54853d0bf03"
-              ]
-            }
-          },
-          "links": [
-            {
-              "rel": "implements-policy",
-              "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-              "text": "Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server."
-            }
-          ]
-        },
-        "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-          "title": "Configuration Management Guidance",
-          "component-type": "guidance",
-          "description": "Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.",
-          "status": {
-            "state": "operational"
-          },
-          "properties": [
-            {
-              "name": "last-modified-date",
-              "value": "20181015"
-            }
-          ],
-          "responsible-roles": {
-            "maintainer": {
-              "party-uuids": [
-                "0f0c15ed-565e-4ce9-8670-b54853d0bf03"
-              ]
-            }
-          },
-          "links": [
-            {
-              "rel": "implements-policy",
-              "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-              "text": "Ensures that all host are configured to publish log events to the logging server."
-            }
-          ]
-        }
-      },
-      "system-inventory": {
-        "inventory-items": {
-          "c9c32657-a0eb-4cf2-b5c1-20928983063c": {
-            "description": "The logging server.",
-            "asset-id": "asset-id-logging-server",
-            "responsible-parties": {
-              "asset-administrator": {
-                "party-uuids": [
-                  "833ac398-5c9a-4e6b-acba-2a9c11399da0"
-                ]
-              },
-              "asset-owner": {
-                "party-uuids": [
-                  "3b2a5599-cc37-403f-ae36-5708fa804b27"
-                ]
-              }
-            },
-            "implemented-components": {
-              "e00acdcf-911b-437d-a42f-b0b558cc4f03": {
-                "use": "runs-software"
-              },
-              "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                "use": "enforces-policy"
-              }
-            }
-          }
-        }
-      }
-    },
-    "control-implementation": {
-      "description": "This is the control implementation for the system.",
-      "implemented-requirements": [
-        {
-          "uuid": "aaadb3ff-6ae8-4332-92db-211468c52af2",
-          "control-id": "au-1",
-          "description": "This should be a description of how au-1 is implemented.",
-          "statements": {
-            "au-1smt": {
-              "uuid": "7ad47329-dc55-4196-a19d-178a8fe7438d",
-              "description": "N/A"
-            },
-            "au-1smt.a": {
-              "uuid": "f3887a91-9ed3-425c-b305-21e4634a1c34",
-              "description": "",
-              "by-components": {
-                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                  "uuid": "a74681b2-fbcb-46eb-90fd-0d55aa74ac7b",
-                  "description": "The legal department develops, documents, and disseminates this policy to all staff and contractors within the organization.",
-                  "parameter-settings": {
-                    "au-1_prm_1": {
-                      "value": "all staff and contractors within the organization"
-                    }
-                  }
-                },
-                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                  "uuid": "4f873ce6-dd49-4a46-bd4a-5041c22665f1",
-                  "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                  "parameter-settings": {
-                    "au-1_prm_1": {
-                      "value": "all IT staff who administer this system when the staff member is assigned and annually through training"
-                    }
-                  }
-                },
-                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                  "uuid": "ea85a624-cd21-4c63-abe0-f66087e97241",
-                  "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                  "parameter-settings": {
-                    "au-1_prm_1": {
-                      "value": "all IT staff who administer this system when the staff member is assigned and annually through training"
-                    }
-                  }
-                },
-                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                  "uuid": "b5e5823a-844f-4306-a5ab-7e110679e0d5",
-                  "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                  "parameter-settings": {
-                    "au-1_prm_1": {
-                      "value": "all IT staff who administer this system when the staff member is assigned and annually through training"
-                    }
-                  }
-                }
-              }
-            },
-            "au-1smt.a.1": {
-              "uuid": "6fe632bd-33aa-4eea-a507-a37f0d212085",
-              "by-components": {
-                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                  "uuid": "2d0a7b08-da7f-4691-b99c-8fd9df02b25c",
-                  "description": "This policy explicitly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This section also describes responsibilities for organizational coordination. Management commitment and compliance statements are made in the board’s directive memo dated January 1, 2012."
-                }
-              }
-            },
-            "au-1smt.a.2": {
-              "uuid": "dbe9af68-1cd9-4ff1-965b-8f887351d411",
-              "by-components": {
-                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                  "uuid": "dd4fd380-7a2a-4fba-9e98-933ba5cfc04d",
-                  "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                },
-                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                  "uuid": "3b912d0f-2463-497c-8d8a-72416f38e999",
-                  "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                },
-                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                  "uuid": "226ee2a2-cbdb-498f-8182-94dfa013476c",
-                  "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                }
-              }
-            },
-            "au-1_smt.b": {
-              "uuid": "b1773cd6-afc5-4c87-84a7-f182e6be5af9",
-              "remarks": "N/A"
-            },
-            "au-1_smt.b.1": {
-              "uuid": "75873308-f37d-4e89-9c27-29f3dee4b314",
-              "by-components": {
-                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                  "uuid": "23903c59-1327-46f0-9c28-09ec7f144214",
-                  "parameter-settings": {
-                    "au-1_prm_2": {
-                      "value": "annually, and other times as necessary in response to regulatory or organizational changes"
-                    }
-                  },
-                  "description": "The legal department reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal department updates the policy as needed based on these reviews."
-                }
-              }
-            },
-            "au-1_smt.b.2": {
-              "uuid": "74b5b0f2-9915-4f80-b7cd-379566442ab6",
-              "by-components": {
-                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                  "uuid": "0c45b6e2-f85b-4656-a6cc-2a302d184720",
-                  "parameter-settings": {
-                    "au-1_prm_3": {
-                      "value": "annually, and other times as necessary in response to regulatory or organizational changes"
-                    }
-                  },
-                  "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews."
-                },
-                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                  "uuid": "094f02ce-4b7a-405c-90a5-ab4d95133f74",
-                  "parameter-settings": {
-                    "au-1_prm_3": {
-                      "value": "annually, and other times as necessary in response to regulatory or organizational changes"
-                    }
-                  },
-                  "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews."
-                },
-                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                  "uuid": "7ec8b7ec-d931-4055-ac74-6d288d636787",
-                  "parameter-settings": {
-                    "au-1_prm_3": {
-                      "value": "annually, and other times as necessary in response to regulatory or organizational changes"
-                    }
-                  },
-                  "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews"
-                }
-              }
-            }
-          }
-        }
-      ]
-    }
-  }
-}
diff --git a/content/ssp-example/xml/ssp-example.xml b/content/ssp-example/xml/ssp-example.xml
deleted file mode 100644
index 73ba2ae640..0000000000
--- a/content/ssp-example/xml/ssp-example.xml
+++ /dev/null
@@ -1,304 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-                      uuid="66c2a1c8-5830-48bd-8fdd-55a1c3a52888">
-   <metadata>
-      <title>Enterprise Logging and Auditing System Security Plan</title>
-      <last-modified>2019-09-23T18:14:50.591Z</last-modified>
-      <version>1.0</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="legal-officer">
-         <title>Legal Officer</title>
-      </role>
-      <party uuid="3b2a5599-cc37-403f-ae36-5708fa804b27" type="organization">
-         <party-name>Enterprise Asset Owners</party-name>
-      </party>
-      <party uuid="833ac398-5c9a-4e6b-acba-2a9c11399da0" type="organization">
-         <party-name>Enterprise Asset Administrators</party-name>
-      </party>
-      <party uuid="ec485dcf-2519-43f5-8e7d-014cc315332d" type="organization">
-         <party-name>Legal Department</party-name>
-      </party>
-      <party uuid="0f0c15ed-565e-4ce9-8670-b54853d0bf03" type="organization">
-         <party-name>IT Department</party-name>
-      </party>
-      <party uuid="96c362ee-a012-4e07-92f3-486ab303b0e7" type="organization">
-         <party-name>Acme Corp</party-name>
-      </party>
-   </metadata>
-   <import-profile href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml"/>
-   <system-characteristics>
-      <system-id identifier-type="https://ietf.org/rfc/rfc4122">d7456980-9277-4dcb-83cf-f8ff0442623b</system-id>
-      <system-name>Enterprise Logging and Auditing System</system-name>
-      <description>
-         <p>This is an example of a system that provides enterprise logging and log auditing capabilities.</p>
-      </description>
-      <annotation name="deployment-model" value="private"/>
-      <annotation name="service-models" value="iaas"/>
-      <security-sensitivity-level>moderate</security-sensitivity-level>
-      <system-information>
-         <information-type uuid="7d28ac6e-5970-4f4c-a508-5a3715f0f02b">
-            <title>System and Network Monitoring</title>
-            <description>
-               <p>This system maintains historical logging and auditing information for all client devices connected to this system.</p>
-            </description>
-            <information-type-id system="https://doi.org/10.6028/NIST.SP.800-60v2r1">C.3.5.8</information-type-id>
-            <confidentiality-impact>
-               <base>fips-199-moderate</base>
-            </confidentiality-impact>
-            <integrity-impact>
-               <base>fips-199-moderate</base>
-            </integrity-impact>
-            <availability-impact>
-               <base>fips-199-low</base>
-            </availability-impact>
-         </information-type>
-      </system-information>
-      <security-impact-level>
-         <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
-         <security-objective-integrity>fips-199-moderate</security-objective-integrity>
-         <security-objective-availability>fips-199-low</security-objective-availability>
-      </security-impact-level>
-      <status state="other">
-         <remarks>
-            <p>This is an example, and is not intended to be implemented as a system</p>
-         </remarks>
-      </status>
-      <authorization-boundary>
-         <description>
-            <p>The description of the authorization boundary would go here.</p>
-         </description>
-      </authorization-boundary>
-   </system-characteristics>
-   <system-implementation>
-      <user uuid="9824089b-322c-456f-86c4-4111c4200f69">
-         <title>System Administrator</title>
-         <annotation name="type" value="internal"/>
-         <role-id>asset-administrator</role-id>
-      </user>
-      <user uuid="ae8de94c-835d-4303-83b1-114b6a117a07">
-         <title>Audit Team</title>
-         <annotation name="type" value="internal"/>
-         <role-id>asset-owner</role-id>
-      </user>
-      <user uuid="372ce7a3-92b0-437e-a98c-24d29f9bfab8">
-         <title>Legal Department</title>
-         <annotation name="type" value="internal"/>
-         <role-id>legal-officer</role-id>
-      </user>
-      <component uuid="e00acdcf-911b-437d-a42f-b0b558cc4f03" component-type="software">
-         <title>Logging Server</title>
-         <description>
-            <p>Provides a means for hosts to publish logged events to a central server.</p>
-         </description>
-         <status state="operational"/>
-         <responsible-role role-id="provider">
-            <party-uuid>96c362ee-a012-4e07-92f3-486ab303b0e7</party-uuid>
-         </responsible-role>
-         <responsible-role role-id="asset-owner">
-            <party-uuid>3b2a5599-cc37-403f-ae36-5708fa804b27</party-uuid>
-         </responsible-role>
-         <responsible-role role-id="asset-administrator">
-            <party-uuid>833ac398-5c9a-4e6b-acba-2a9c11399da0</party-uuid>
-         </responsible-role>
-      </component>
-      <component uuid="795533ab-9427-4abe-820f-0b571bacfe6d" component-type="policy">
-         <title>Enterprise Logging, Monitoring, and Alerting Policy</title>
-         <description>
-            <p>Requires all components to send logs to the enterprise logging solution
-— Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency.
-— Identifies the events that must be captured
-— Identifies who is responsible/accountable for performing these functions</p>
-         </description>
-         <prop name="version">2.1</prop>
-         <prop name="last-modified-date">20181015</prop>
-         <status state="operational"/>
-         <responsible-role role-id="maintainer">
-            <party-uuid>ec485dcf-2519-43f5-8e7d-014cc315332d</party-uuid>
-         </responsible-role>
-      </component>
-      <component uuid="941e2a87-46f4-4b3e-9e87-bbd187091ca1" component-type="process">
-         <title>System Integration Process</title>
-         <description>
-            <p>Ensures proper integration into the enterprise as new systems are brought into production.</p>
-         </description>
-         <prop name="last-modified-date">20181015</prop>
-         <link rel="implements-policy" href="#795533ab-9427-4abe-820f-0b571bacfe6d">Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized.</link>
-         <status state="operational"/>
-         <responsible-role role-id="maintainer">
-            <party-uuid>0f0c15ed-565e-4ce9-8670-b54853d0bf03</party-uuid>
-         </responsible-role>
-      </component>
-      <component uuid="fa39eb84-3014-46b4-b6bc-7da10527c262" component-type="process">
-         <title>Inventory Management Process</title>
-         <description>
-            <p>Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.</p>
-         </description>
-         <prop name="last-modified-date">20181015</prop>
-         <link rel="implements-policy" href="#795533ab-9427-4abe-820f-0b571bacfe6d">Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server.</link>
-         <status state="operational"/>
-         <responsible-role role-id="maintainer">
-            <party-uuid>0f0c15ed-565e-4ce9-8670-b54853d0bf03</party-uuid>
-         </responsible-role>
-      </component>
-      <component uuid="4938767c-dd8b-4ea4-b74a-fafffd48ac99" component-type="guidance">
-         <title>Configuration Management Guidance</title>
-         <description>
-            <p>Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.</p>
-         </description>
-         <prop name="last-modified-date">20181015</prop>
-         <link rel="implements-policy" href="#795533ab-9427-4abe-820f-0b571bacfe6d">Ensures that all host are configured to publish log events to the logging server.</link>
-         <status state="operational"/>
-         <responsible-role role-id="maintainer">
-            <party-uuid>0f0c15ed-565e-4ce9-8670-b54853d0bf03</party-uuid>
-         </responsible-role>
-      </component>
-      <system-inventory>
-         <inventory-item uuid="c9c32657-a0eb-4cf2-b5c1-20928983063c"
-                         asset-id="asset-id-logging-server">
-            <description>
-               <p>The logging server.</p>
-            </description>
-            <responsible-party role-id="asset-administrator">
-               <party-uuid>833ac398-5c9a-4e6b-acba-2a9c11399da0</party-uuid>
-            </responsible-party>
-            <responsible-party role-id="asset-owner">
-               <party-uuid>3b2a5599-cc37-403f-ae36-5708fa804b27</party-uuid>
-            </responsible-party>
-            <implemented-component component-uuid="e00acdcf-911b-437d-a42f-b0b558cc4f03"
-                                   use="runs-software"/>
-            <implemented-component component-uuid="795533ab-9427-4abe-820f-0b571bacfe6d"
-                                   use="enforces-policy"/>
-         </inventory-item>
-      </system-inventory>
-      <remarks>
-         <p>This is a partial implementation that addresses the logging server portion of the auditing system.</p>
-      </remarks>
-   </system-implementation>
-   <control-implementation>
-      <description>
-         <p>This is the control implementation for the system.</p>
-      </description>
-      <implemented-requirement uuid="aaadb3ff-6ae8-4332-92db-211468c52af2" control-id="au-1">
-         <description>
-            <p>This should be a description of how au-1 is implemented.</p>
-         </description>
-         <statement statement-id="au-1smt" uuid="7ad47329-dc55-4196-a19d-178a8fe7438d">
-            <description>
-               <p>N/A</p>
-            </description>
-         </statement>
-         <statement statement-id="au-1smt.a" uuid="f3887a91-9ed3-425c-b305-21e4634a1c34">
-            <description/>
-            <by-component component-uuid="795533ab-9427-4abe-820f-0b571bacfe6d"
-                          uuid="a74681b2-fbcb-46eb-90fd-0d55aa74ac7b">
-               <description>
-                  <p>The legal department develops, documents, and disseminates this policy to all staff and contractors within the organization.</p>
-               </description>
-               <set-parameter param-id="au-1_prm_1">
-                  <value>all staff and contractors within the organization</value>
-               </set-parameter>
-            </by-component>
-            <by-component component-uuid="941e2a87-46f4-4b3e-9e87-bbd187091ca1"
-                          uuid="4f873ce6-dd49-4a46-bd4a-5041c22665f1">
-               <description>
-                  <p>The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.</p>
-               </description>
-               <set-parameter param-id="au-1_prm_1">
-                  <value>all IT staff who administer this system when the staff member is assigned and annually through training</value>
-               </set-parameter>
-            </by-component>
-            <by-component component-uuid="fa39eb84-3014-46b4-b6bc-7da10527c262"
-                          uuid="ea85a624-cd21-4c63-abe0-f66087e97241">
-               <description>
-                  <p>The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.</p>
-               </description>
-               <set-parameter param-id="au-1_prm_1">
-                  <value>all IT staff who administer this system when the staff member is assigned and annually through training</value>
-               </set-parameter>
-            </by-component>
-            <by-component component-uuid="4938767c-dd8b-4ea4-b74a-fafffd48ac99"
-                          uuid="b5e5823a-844f-4306-a5ab-7e110679e0d5">
-               <description>
-                  <p>The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.</p>
-               </description>
-               <set-parameter param-id="au-1_prm_1">
-                  <value>all IT staff who administer this system when the staff member is assigned and annually through training</value>
-               </set-parameter>
-            </by-component>
-         </statement>
-         <statement statement-id="au-1smt.a.1" uuid="6fe632bd-33aa-4eea-a507-a37f0d212085">
-            <by-component component-uuid="795533ab-9427-4abe-820f-0b571bacfe6d"
-                          uuid="2d0a7b08-da7f-4691-b99c-8fd9df02b25c">
-               <description>
-                  <p>This policy explicitly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This section also describes responsibilities for organizational coordination. Management commitment and compliance statements are made in the board’s directive memo dated January 1, 2012.</p>
-               </description>
-            </by-component>
-         </statement>
-         <statement statement-id="au-1smt.a.2" uuid="dbe9af68-1cd9-4ff1-965b-8f887351d411">
-            <by-component component-uuid="941e2a87-46f4-4b3e-9e87-bbd187091ca1"
-                          uuid="dd4fd380-7a2a-4fba-9e98-933ba5cfc04d">
-               <description>
-                  <p>This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process</p>
-               </description>
-            </by-component>
-            <by-component component-uuid="fa39eb84-3014-46b4-b6bc-7da10527c262"
-                          uuid="3b912d0f-2463-497c-8d8a-72416f38e999">
-               <description>
-                  <p>This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process</p>
-               </description>
-            </by-component>
-            <by-component component-uuid="4938767c-dd8b-4ea4-b74a-fafffd48ac99"
-                          uuid="226ee2a2-cbdb-498f-8182-94dfa013476c">
-               <description>
-                  <p>This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process</p>
-               </description>
-            </by-component>
-         </statement>
-         <statement statement-id="au-1_smt.b" uuid="b1773cd6-afc5-4c87-84a7-f182e6be5af9">
-            <remarks>
-               <p>N/A</p>
-            </remarks>
-         </statement>
-         <statement statement-id="au-1_smt.b.1" uuid="75873308-f37d-4e89-9c27-29f3dee4b314">
-            <by-component component-uuid="795533ab-9427-4abe-820f-0b571bacfe6d"
-                          uuid="23903c59-1327-46f0-9c28-09ec7f144214">
-               <description>
-                  <p>The legal department reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal department updates the policy as needed based on these reviews.</p>
-               </description>
-               <set-parameter param-id="au-1_prm_2">
-                  <value>annually, and other times as necessary in response to regulatory or organizational changes</value>
-               </set-parameter>
-            </by-component>
-         </statement>
-         <statement statement-id="au-1_smt.b.2" uuid="74b5b0f2-9915-4f80-b7cd-379566442ab6">
-            <by-component component-uuid="941e2a87-46f4-4b3e-9e87-bbd187091ca1"
-                          uuid="0c45b6e2-f85b-4656-a6cc-2a302d184720">
-               <description>
-                  <p>The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews.</p>
-               </description>
-               <set-parameter param-id="au-1_prm_3">
-                  <value>annually, and other times as necessary in response to regulatory or organizational changes</value>
-               </set-parameter>
-            </by-component>
-            <by-component component-uuid="fa39eb84-3014-46b4-b6bc-7da10527c262"
-                          uuid="094f02ce-4b7a-405c-90a5-ab4d95133f74">
-               <description>
-                  <p>The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews.</p>
-               </description>
-               <set-parameter param-id="au-1_prm_3">
-                  <value>annually, and other times as necessary in response to regulatory or organizational changes</value>
-               </set-parameter>
-            </by-component>
-            <by-component component-uuid="4938767c-dd8b-4ea4-b74a-fafffd48ac99"
-                          uuid="7ec8b7ec-d931-4055-ac74-6d288d636787">
-               <description>
-                  <p>The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews</p>
-               </description>
-               <set-parameter param-id="au-1_prm_3">
-                  <value>annually, and other times as necessary in response to regulatory or organizational changes</value>
-               </set-parameter>
-            </by-component>
-         </statement>
-      </implemented-requirement>
-   </control-implementation>
-</system-security-plan>
diff --git a/content/ssp-example/yaml/ssp-example.yaml b/content/ssp-example/yaml/ssp-example.yaml
deleted file mode 100644
index 6177f9653a..0000000000
--- a/content/ssp-example/yaml/ssp-example.yaml
+++ /dev/null
@@ -1,292 +0,0 @@
-system-security-plan: 
-  uuid:                   66c2a1c8-5830-48bd-8fdd-55a1c3a52888
-  metadata: 
-    title:         Enterprise Logging and Auditing System Security Plan
-    last-modified: 2019-09-23T18:14:50.591Z
-    version:       1.0
-    oscal-version: 1.0.0-milestone3
-    roles: 
-      - 
-        id:    legal-officer
-        title: Legal Officer
-    parties: 
-      - 
-        uuid:       3b2a5599-cc37-403f-ae36-5708fa804b27
-        type:       organization
-        party-name: Enterprise Asset Owners
-      - 
-        uuid:       833ac398-5c9a-4e6b-acba-2a9c11399da0
-        type:       organization
-        party-name: Enterprise Asset Administrators
-      - 
-        uuid:       ec485dcf-2519-43f5-8e7d-014cc315332d
-        type:       organization
-        party-name: Legal Department
-      - 
-        uuid:       0f0c15ed-565e-4ce9-8670-b54853d0bf03
-        type:       organization
-        party-name: IT Department
-      - 
-        uuid:       96c362ee-a012-4e07-92f3-486ab303b0e7
-        type:       organization
-        party-name: Acme Corp
-  import-profile: 
-    href: ../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.yaml
-  system-characteristics: 
-    system-name:                Enterprise Logging and Auditing System
-    description:                This is an example of a system that provides enterprise logging and log auditing capabilities.
-    system-ids: 
-      - 
-        id:              d7456980-9277-4dcb-83cf-f8ff0442623b
-        identifier-type: https://ietf.org/rfc/rfc4122
-    security-sensitivity-level: moderate
-    system-information: 
-      information-types: 
-        - 
-          uuid:                   7d28ac6e-5970-4f4c-a508-5a3715f0f02b
-          title:                  System and Network Monitoring
-          information-type-ids: 
-            https://doi.org/10.6028/NIST.SP.800-60v2r1: 
-              id: C.3.5.8
-          description:            This system maintains historical logging and auditing information for all client devices connected to this system.
-          confidentiality-impact: 
-            base: fips-199-moderate
-          integrity-impact: 
-            base: fips-199-moderate
-          availability-impact: 
-            base: fips-199-low
-    security-impact-level: 
-      security-objective-confidentiality: fips-199-moderate
-      security-objective-integrity:       fips-199-moderate
-      security-objective-availability:    fips-199-low
-    status: 
-      state:   other
-      remarks: This is an example, and is not intended to be implemented as a system
-    annotations: 
-      - 
-        name:  deployment-model
-        value: private
-      - 
-        name:  service-models
-        value: iaas
-    authorization-boundary: 
-      description: The description of the authorization boundary would go here.
-  system-implementation: 
-    remarks:          This is a partial implementation that addresses the logging server portion of the auditing system.
-    users: 
-      9824089b-322c-456f-86c4-4111c4200f69: 
-        title:       System Administrator
-        role-ids:    asset-administrator
-        annotations: 
-          - 
-            name:  type
-            value: internal
-      ae8de94c-835d-4303-83b1-114b6a117a07: 
-        title:       Audit Team
-        role-ids:    asset-owner
-        annotations: 
-          - 
-            name:  type
-            value: internal
-      372ce7a3-92b0-437e-a98c-24d29f9bfab8: 
-        title:       Legal Department
-        role-ids:    legal-officer
-        annotations: 
-          - 
-            name:  type
-            value: internal
-    components: 
-      e00acdcf-911b-437d-a42f-b0b558cc4f03: 
-        title:             Logging Server
-        description:       Provides a means for hosts to publish logged events to a central server.
-        status: 
-          state: operational
-        component-type:    software
-        responsible-roles: 
-          provider: 
-            party-uuids: 96c362ee-a012-4e07-92f3-486ab303b0e7
-          asset-owner: 
-            party-uuids: 3b2a5599-cc37-403f-ae36-5708fa804b27
-          asset-administrator: 
-            party-uuids: 833ac398-5c9a-4e6b-acba-2a9c11399da0
-      795533ab-9427-4abe-820f-0b571bacfe6d: 
-        title:             Enterprise Logging, Monitoring, and Alerting Policy
-        component-type:    policy
-        description: 
-          """
-            Requires all components to send logs to the enterprise logging solution
-            — Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency.
-            — Identifies the events that must be captured
-            — Identifies who is responsible/accountable for performing these functions
-          """
-        status: 
-          state: operational
-        properties: 
-          - 
-            name:  version
-            value: 2.1
-          - 
-            name:  last-modified-date
-            value: 20181015
-        responsible-roles: 
-          maintainer: 
-            party-uuids: ec485dcf-2519-43f5-8e7d-014cc315332d
-      941e2a87-46f4-4b3e-9e87-bbd187091ca1: 
-        title:             System Integration Process
-        component-type:    process
-        description:       Ensures proper integration into the enterprise as new systems are brought into production.
-        status: 
-          state: operational
-        properties: 
-          - 
-            name:  last-modified-date
-            value: 20181015
-        responsible-roles: 
-          maintainer: 
-            party-uuids: 0f0c15ed-565e-4ce9-8670-b54853d0bf03
-        links: 
-          - 
-            rel:  implements-policy
-            href: #795533ab-9427-4abe-820f-0b571bacfe6d
-            text: Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized.
-      fa39eb84-3014-46b4-b6bc-7da10527c262: 
-        title:             Inventory Management Process
-        component-type:    process
-        description:       Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.
-        status: 
-          state: operational
-        properties: 
-          - 
-            name:  last-modified-date
-            value: 20181015
-        responsible-roles: 
-          maintainer: 
-            party-uuids: 0f0c15ed-565e-4ce9-8670-b54853d0bf03
-        links: 
-          - 
-            rel:  implements-policy
-            href: #795533ab-9427-4abe-820f-0b571bacfe6d
-            text: Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server.
-      4938767c-dd8b-4ea4-b74a-fafffd48ac99: 
-        title:             Configuration Management Guidance
-        component-type:    guidance
-        description:       Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.
-        status: 
-          state: operational
-        properties: 
-          - 
-            name:  last-modified-date
-            value: 20181015
-        responsible-roles: 
-          maintainer: 
-            party-uuids: 0f0c15ed-565e-4ce9-8670-b54853d0bf03
-        links: 
-          - 
-            rel:  implements-policy
-            href: #795533ab-9427-4abe-820f-0b571bacfe6d
-            text: Ensures that all host are configured to publish log events to the logging server.
-    system-inventory: 
-      inventory-items: 
-        c9c32657-a0eb-4cf2-b5c1-20928983063c: 
-          description:            The logging server.
-          asset-id:               asset-id-logging-server
-          responsible-parties: 
-            asset-administrator: 
-              party-uuids: 833ac398-5c9a-4e6b-acba-2a9c11399da0
-            asset-owner: 
-              party-uuids: 3b2a5599-cc37-403f-ae36-5708fa804b27
-          implemented-components: 
-            e00acdcf-911b-437d-a42f-b0b558cc4f03: 
-              use: runs-software
-            795533ab-9427-4abe-820f-0b571bacfe6d: 
-              use: enforces-policy
-  control-implementation: 
-    description:              This is the control implementation for the system.
-    implemented-requirements: 
-      - 
-        uuid:        aaadb3ff-6ae8-4332-92db-211468c52af2
-        control-id:  au-1
-        description: This should be a description of how au-1 is implemented.
-        statements: 
-          au-1smt: 
-            uuid:        7ad47329-dc55-4196-a19d-178a8fe7438d
-            description: N/A
-          au-1smt.a: 
-            uuid:          f3887a91-9ed3-425c-b305-21e4634a1c34
-            description:   
-            by-components: 
-              795533ab-9427-4abe-820f-0b571bacfe6d: 
-                uuid:               a74681b2-fbcb-46eb-90fd-0d55aa74ac7b
-                description:        The legal department develops, documents, and disseminates this policy to all staff and contractors within the organization.
-                parameter-settings: 
-                  au-1_prm_1: 
-                    value: all staff and contractors within the organization
-              941e2a87-46f4-4b3e-9e87-bbd187091ca1: 
-                uuid:               4f873ce6-dd49-4a46-bd4a-5041c22665f1
-                description:        The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.
-                parameter-settings: 
-                  au-1_prm_1: 
-                    value: all IT staff who administer this system when the staff member is assigned and annually through training
-              fa39eb84-3014-46b4-b6bc-7da10527c262: 
-                uuid:               ea85a624-cd21-4c63-abe0-f66087e97241
-                description:        The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.
-                parameter-settings: 
-                  au-1_prm_1: 
-                    value: all IT staff who administer this system when the staff member is assigned and annually through training
-              4938767c-dd8b-4ea4-b74a-fafffd48ac99: 
-                uuid:               b5e5823a-844f-4306-a5ab-7e110679e0d5
-                description:        The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.
-                parameter-settings: 
-                  au-1_prm_1: 
-                    value: all IT staff who administer this system when the staff member is assigned and annually through training
-          au-1smt.a.1: 
-            uuid:          6fe632bd-33aa-4eea-a507-a37f0d212085
-            by-components: 
-              795533ab-9427-4abe-820f-0b571bacfe6d: 
-                uuid:        2d0a7b08-da7f-4691-b99c-8fd9df02b25c
-                description: This policy explicitly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This section also describes responsibilities for organizational coordination. Management commitment and compliance statements are made in the board’s directive memo dated January 1, 2012.
-          au-1smt.a.2: 
-            uuid:          dbe9af68-1cd9-4ff1-965b-8f887351d411
-            by-components: 
-              941e2a87-46f4-4b3e-9e87-bbd187091ca1: 
-                uuid:        dd4fd380-7a2a-4fba-9e98-933ba5cfc04d
-                description: This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process
-              fa39eb84-3014-46b4-b6bc-7da10527c262: 
-                uuid:        3b912d0f-2463-497c-8d8a-72416f38e999
-                description: This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process
-              4938767c-dd8b-4ea4-b74a-fafffd48ac99: 
-                uuid:        226ee2a2-cbdb-498f-8182-94dfa013476c
-                description: This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process
-          au-1_smt.b: 
-            uuid:    b1773cd6-afc5-4c87-84a7-f182e6be5af9
-            remarks: N/A
-          au-1_smt.b.1: 
-            uuid:          75873308-f37d-4e89-9c27-29f3dee4b314
-            by-components: 
-              795533ab-9427-4abe-820f-0b571bacfe6d: 
-                uuid:               23903c59-1327-46f0-9c28-09ec7f144214
-                parameter-settings: 
-                  au-1_prm_2: 
-                    value: annually, and other times as necessary in response to regulatory or organizational changes
-                description:        The legal department reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal department updates the policy as needed based on these reviews.
-          au-1_smt.b.2: 
-            uuid:          74b5b0f2-9915-4f80-b7cd-379566442ab6
-            by-components: 
-              941e2a87-46f4-4b3e-9e87-bbd187091ca1: 
-                uuid:               0c45b6e2-f85b-4656-a6cc-2a302d184720
-                parameter-settings: 
-                  au-1_prm_3: 
-                    value: annually, and other times as necessary in response to regulatory or organizational changes
-                description:        The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews.
-              fa39eb84-3014-46b4-b6bc-7da10527c262: 
-                uuid:               094f02ce-4b7a-405c-90a5-ab4d95133f74
-                parameter-settings: 
-                  au-1_prm_3: 
-                    value: annually, and other times as necessary in response to regulatory or organizational changes
-                description:        The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews.
-              4938767c-dd8b-4ea4-b74a-fafffd48ac99: 
-                uuid:               7ec8b7ec-d931-4055-ac74-6d288d636787
-                parameter-settings: 
-                  au-1_prm_3: 
-                    value: annually, and other times as necessary in response to regulatory or organizational changes
-                description:        The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews
diff --git a/src/content/README.md b/src/content/README.md
index 9822cbda66..38b95b313f 100644
--- a/src/content/README.md
+++ b/src/content/README.md
@@ -1,10 +1,3 @@
-# OSCAL Examples
+# Content Moved
 
-This directory contains numerous OSCAL examples in both XML and JSON formats. Some examples are considered provisional "finished" versions of OSCAL catalogs and profiles; they are not authoritative but are intended as demonstrations of OSCAL. Other examples are works in progress. Each subdirectory within the examples directory clearly indicates the current status of its example files.
-
-The structure and contents of the examples directory are as follows:
-
- * [fedramp.gov](fedramp.gov): This directory contains examples in XML and JSON formats of the low, moderate, and high baselines defined by FedRAMP (the Federal Risk and Authorization Management Program).
- * [nist.gov/SP800-53/rev4](nist.gov/SP800-53/rev4): This directory contains examples in XML and JSON formats of the low, moderate, and high baselines defined by NIST Special Publication (SP) 800-53 Revision 4.
- * [mini-testing](mini-testing): This directory contains sample files that can be used for unit testing in support of regressions of OSCAL.
- 
+All OSCAL content source files have been moved to the [OSCAL content GitHub repository](https://github.com/usnistgov/oscal-content/tree/master/src).
diff --git a/src/content/components/json/example-component-with-config.json b/src/content/components/json/example-component-with-config.json
deleted file mode 100644
index 0485391a6d..0000000000
--- a/src/content/components/json/example-component-with-config.json
+++ /dev/null
@@ -1,82 +0,0 @@
-{
-    "$schema": "../../../json/schema/oscal_component_schema.json",
-    "component-definition": {
-        "metadata": {
-            "title": "Test Component Defintion",
-            "last-modified": "2019-08-21T15:24:24.389Z",
-            "version": "20200723",
-            "oscal-version": "1.0.0-milestone2",
-            "parties": [{
-                "uuid": "ee47836c-877c-4007-bbf3-c9d9bd805a9a",
-                "party-name": "Test Vendor",
-                "type": "organization"
-            }]
-        },
-        "components": {
-            "component-1": {
-                "name": "test component 1",
-                "component-type": "software",
-                "title": "test component 1",
-                "description": "This is a software component that implements basic authentication mechanisms.",
-                "responsible-parties": {
-                    "supplier": {
-                        "party-uuids": [ "ee47836c-877c-4007-bbf3-c9d9bd805a9a" ]
-                    }
-                },
-                "control-implementations": [{
-                    "uuid": "cfcdd674-8595-4f98-a9d1-3ac70825c49f",
-                    "source": "../../../content/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-                        "description": "This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (2).",
-                        "implemented-requirements": [{
-                            "uuid": "d1016df0-9b5c-4839-86cd-f9c1d113077b",
-                            "description": "Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate.",
-                            "control-id": "ac-2.2",
-                            "using": {
-                                "implementations": {
-                                    "configuration-id": "af5b16c7-7a03-4c78-92a3-47dfdbfb3868",
-                                    "with-arguments": {
-                                        "duration": {
-                                            "use-param": "ac-2.2_prm_2"
-                                        }
-                                    }
-                                }
-                            }
-                        }]
-                    },
-                    {
-                        "uuid": "22dbff65-9729-449f-9dfc-4e5fee0906de",
-                        "source": "../../../content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile.json",
-                        "description": "This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (2).",
-                        "implemented-requirements": [
-                            {"uuid": "65e30b37-0640-4844-9f42-b2a7ae944bb1",
-                            "control-id": "ac-2.2"
-                            }
-                            ]
-                    }
-                ],
-                "configurations": {
-                    "af5b16c7-7a03-4c78-92a3-47dfdbfb3868": {
-                        "description": "",
-                        "arguments": {
-                            "duration": {"type": "duration-seconds"}
-                        },
-                        "mechanisms": {
-                            "configuration-method": {
-                                "script": {
-                                    "STRVALUE": "something {{ duration }} ",
-                                    "system": "https://www.perl.org/"
-                                }
-                            },
-                            "verification-method": {
-                                "script": {
-                                    "STRVALUE": "something {{ duration }} ",
-                                    "system": "https://www.perl.org/"
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-        }
-    }
-}
\ No newline at end of file
diff --git a/src/content/components/json/example-component.json b/src/content/components/json/example-component.json
deleted file mode 100644
index e2dbe89a86..0000000000
--- a/src/content/components/json/example-component.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
-    "component-definition": {
-        "metadata": {
-            "title": "Test Component Defintion",
-            "last-modified": "2019-08-21T15:24:24.389Z",
-            "version": "20200723",
-            "oscal-version": "1.0.0-milestone2",
-            "parties": [
-                {
-                    "uuid": "ee47836c-877c-4007-bbf3-c9d9bd805a9a",
-                    "party-name": "Test Vendor",
-                    "type": "organization"
-                }
-            ]
-        },
-        "components": {
-            "b036a6ac-6cff-4066-92bc-74ddfd9ad6fa": {
-                "name": "test component 1",
-                "component-type": "software",
-                "title": "test component 1",
-                "description": "This is a software component that implements basic authentication mechanisms.",
-                "responsible-parties": {
-                    "supplier": {
-                        "party-uuids": ["ee47836c-877c-4007-bbf3-c9d9bd805a9a"]
-                    }
-                },
-                "control-implementations": [
-                    {
-                        "uuid": "cfcdd674-8595-4f98-a9d1-3ac70825c49f",
-                        "source": "../../../content/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json",
-                        "description": "This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (2).",
-                        "implemented-requirements": [
-                            {
-                                "uuid": "d1016df0-9b5c-4839-86cd-f9c1d113077b",
-                                "description": "Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate.",
-                                "control-id": "ac-2.2"
-                            }
-                        ]
-                    },
-                    {
-                        "uuid": "22dbff65-9729-449f-9dfc-4e5fee0906de",
-                        "source": "../../../content/fedramp.gov/json/FedRAMP_HIGH-baseline_profile.json",
-                        "description": "This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (2).",
-                        "implemented-requirements": [
-                            {
-                                "uuid": "65e30b37-0640-4844-9f42-b2a7ae944bb1",
-                                "control-id": "ac-2.2"
-                            }
-                        ]
-                    }
-                ]
-            }
-        }
-    }
-}
\ No newline at end of file
diff --git a/src/content/components/xml/import_component_definition_ut.xml b/src/content/components/xml/import_component_definition_ut.xml
deleted file mode 100644
index c48079dd2e..0000000000
--- a/src/content/components/xml/import_component_definition_ut.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-    <metadata>
-        <title>Test</title>
-        <last-modified>2019-12-06T05:15:11.928Z</last-modified>
-        <version>Draft A</version>
-        <oscal-version>1.0.0-milestone2</oscal-version>
-    </metadata>
-    <import-component-definition href="../other_component.xml"/>
-</component-definition>
\ No newline at end of file
diff --git a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
deleted file mode 100644
index e3e4565bfa..0000000000
--- a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml
+++ /dev/null
@@ -1,9689 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="b11dba1c-0c68-4724-9eaf-02de2d5bbb89">
-   
-   <metadata>
-      <title>FedRAMP High Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-      
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage" />
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#ad005eae-cc63-4e64-9109-3905a9a825e4">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-2.1"/>
-         <call control-id="ac-2.2"/>
-         <call control-id="ac-2.3"/>
-         <call control-id="ac-2.4"/>
-         <call control-id="ac-2.5"/>
-         <call control-id="ac-2.7"/>
-         <call control-id="ac-2.9"/>
-         <call control-id="ac-2.10"/>
-         <call control-id="ac-2.11"/>
-         <call control-id="ac-2.12"/>
-         <call control-id="ac-2.13"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-4"/>
-         <call control-id="ac-4.8"/>
-         <call control-id="ac-4.21"/>
-         <call control-id="ac-5"/>
-         <call control-id="ac-6"/>
-         <call control-id="ac-6.1"/>
-         <call control-id="ac-6.2"/>
-         <call control-id="ac-6.3"/>
-         <call control-id="ac-6.5"/>
-         <call control-id="ac-6.7"/>
-         <call control-id="ac-6.8"/>
-         <call control-id="ac-6.9"/>
-         <call control-id="ac-6.10"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-7.2"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-10"/>
-         <call control-id="ac-11"/>
-         <call control-id="ac-11.1"/>
-         <call control-id="ac-12"/>
-         <call control-id="ac-12.1"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-17.1"/>
-         <call control-id="ac-17.2"/>
-         <call control-id="ac-17.3"/>
-         <call control-id="ac-17.4"/>
-         <call control-id="ac-17.9"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-18.1"/>
-         <call control-id="ac-18.3"/>
-         <call control-id="ac-18.4"/>
-         <call control-id="ac-18.5"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-19.5"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-20.1"/>
-         <call control-id="ac-20.2"/>
-         <call control-id="ac-21"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-2.2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-3.3"/>
-         <call control-id="at-3.4"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-2.3"/>
-         <call control-id="au-3"/>
-         <call control-id="au-3.1"/>
-         <call control-id="au-3.2"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-5.1"/>
-         <call control-id="au-5.2"/>
-         <call control-id="au-6"/>
-         <call control-id="au-6.1"/>
-         <call control-id="au-6.3"/>
-         <call control-id="au-6.4"/>
-         <call control-id="au-6.5"/>
-         <call control-id="au-6.6"/>
-         <call control-id="au-6.7"/>
-         <call control-id="au-6.10"/>
-         <call control-id="au-7"/>
-         <call control-id="au-7.1"/>
-         <call control-id="au-8"/>
-         <call control-id="au-8.1"/>
-         <call control-id="au-9"/>
-         <call control-id="au-9.2"/>
-         <call control-id="au-9.3"/>
-         <call control-id="au-9.4"/>
-         <call control-id="au-10"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="au-12.1"/>
-         <call control-id="au-12.3"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-2.2"/>
-         <call control-id="ca-2.3"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-3.3"/>
-         <call control-id="ca-3.5"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-7.1"/>
-         <call control-id="ca-7.3"/>
-         <call control-id="ca-8"/>
-         <call control-id="ca-8.1"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-2.1"/>
-         <call control-id="cm-2.2"/>
-         <call control-id="cm-2.3"/>
-         <call control-id="cm-2.7"/>
-         <call control-id="cm-3"/>
-         <call control-id="cm-3.1"/>
-         <call control-id="cm-3.2"/>
-         <call control-id="cm-3.4"/>
-         <call control-id="cm-3.6"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-4.1"/>
-         <call control-id="cm-5"/>
-         <call control-id="cm-5.1"/>
-         <call control-id="cm-5.2"/>
-         <call control-id="cm-5.3"/>
-         <call control-id="cm-5.5"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-6.1"/>
-         <call control-id="cm-6.2"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-7.1"/>
-         <call control-id="cm-7.2"/>
-         <call control-id="cm-7.5"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-8.1"/>
-         <call control-id="cm-8.2"/>
-         <call control-id="cm-8.3"/>
-         <call control-id="cm-8.4"/>
-         <call control-id="cm-8.5"/>
-         <call control-id="cm-9"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-10.1"/>
-         <call control-id="cm-11"/>
-         <call control-id="cm-11.1"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-2.1"/>
-         <call control-id="cp-2.2"/>
-         <call control-id="cp-2.3"/>
-         <call control-id="cp-2.4"/>
-         <call control-id="cp-2.5"/>
-         <call control-id="cp-2.8"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-3.1"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-4.1"/>
-         <call control-id="cp-4.2"/>
-         <call control-id="cp-6"/>
-         <call control-id="cp-6.1"/>
-         <call control-id="cp-6.2"/>
-         <call control-id="cp-6.3"/>
-         <call control-id="cp-7"/>
-         <call control-id="cp-7.1"/>
-         <call control-id="cp-7.2"/>
-         <call control-id="cp-7.3"/>
-         <call control-id="cp-7.4"/>
-         <call control-id="cp-8"/>
-         <call control-id="cp-8.1"/>
-         <call control-id="cp-8.2"/>
-         <call control-id="cp-8.3"/>
-         <call control-id="cp-8.4"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-9.1"/>
-         <call control-id="cp-9.2"/>
-         <call control-id="cp-9.3"/>
-         <call control-id="cp-9.5"/>
-         <call control-id="cp-10"/>
-         <call control-id="cp-10.2"/>
-         <call control-id="cp-10.4"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.2"/>
-         <call control-id="ia-2.3"/>
-         <call control-id="ia-2.4"/>
-         <call control-id="ia-2.5"/>
-         <call control-id="ia-2.8"/>
-         <call control-id="ia-2.9"/>
-         <call control-id="ia-2.11"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-3"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-4.4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.2"/>
-         <call control-id="ia-5.3"/>
-         <call control-id="ia-5.4"/>
-         <call control-id="ia-5.6"/>
-         <call control-id="ia-5.7"/>
-         <call control-id="ia-5.8"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-5.13"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-2.1"/>
-         <call control-id="ir-2.2"/>
-         <call control-id="ir-3"/>
-         <call control-id="ir-3.2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-4.1"/>
-         <call control-id="ir-4.2"/>
-         <call control-id="ir-4.3"/>
-         <call control-id="ir-4.4"/>
-         <call control-id="ir-4.6"/>
-         <call control-id="ir-4.8"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-5.1"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-6.1"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-7.1"/>
-         <call control-id="ir-7.2"/>
-         <call control-id="ir-8"/>
-         <call control-id="ir-9"/>
-         <call control-id="ir-9.1"/>
-         <call control-id="ir-9.2"/>
-         <call control-id="ir-9.3"/>
-         <call control-id="ir-9.4"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-2.2"/>
-         <call control-id="ma-3"/>
-         <call control-id="ma-3.1"/>
-         <call control-id="ma-3.2"/>
-         <call control-id="ma-3.3"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-4.2"/>
-         <call control-id="ma-4.3"/>
-         <call control-id="ma-4.6"/>
-         <call control-id="ma-5"/>
-         <call control-id="ma-5.1"/>
-         <call control-id="ma-6"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-3"/>
-         <call control-id="mp-4"/>
-         <call control-id="mp-5"/>
-         <call control-id="mp-5.4"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-6.1"/>
-         <call control-id="mp-6.2"/>
-         <call control-id="mp-6.3"/>
-         <call control-id="mp-7"/>
-         <call control-id="mp-7.1"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-3.1"/>
-         <call control-id="pe-4"/>
-         <call control-id="pe-5"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-6.1"/>
-         <call control-id="pe-6.4"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-8.1"/>
-         <call control-id="pe-9"/>
-         <call control-id="pe-10"/>
-         <call control-id="pe-11"/>
-         <call control-id="pe-11.1"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-13.1"/>
-         <call control-id="pe-13.2"/>
-         <call control-id="pe-13.3"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-14.2"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-15.1"/>
-         <call control-id="pe-16"/>
-         <call control-id="pe-17"/>
-         <call control-id="pe-18"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-2.3"/>
-         <call control-id="pl-4"/>
-         <call control-id="pl-4.1"/>
-         <call control-id="pl-8"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-3.3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-4.2"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="ra-5.1"/>
-         <call control-id="ra-5.2"/>
-         <call control-id="ra-5.3"/>
-         <call control-id="ra-5.4"/>
-         <call control-id="ra-5.5"/>
-         <call control-id="ra-5.6"/>
-         <call control-id="ra-5.8"/>
-         <call control-id="ra-5.10"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.1"/>
-         <call control-id="sa-4.2"/>
-         <call control-id="sa-4.8"/>
-         <call control-id="sa-4.9"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-8"/>
-         <call control-id="sa-9"/>
-         <call control-id="sa-9.1"/>
-         <call control-id="sa-9.2"/>
-         <call control-id="sa-9.4"/>
-         <call control-id="sa-9.5"/>
-         <call control-id="sa-10"/>
-         <call control-id="sa-10.1"/>
-         <call control-id="sa-11"/>
-         <call control-id="sa-11.1"/>
-         <call control-id="sa-11.2"/>
-         <call control-id="sa-11.8"/>
-         <call control-id="sa-12"/>
-         <call control-id="sa-15"/>
-         <call control-id="sa-16"/>
-         <call control-id="sa-17"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-2"/>
-         <call control-id="sc-3"/>
-         <call control-id="sc-4"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-6"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-7.3"/>
-         <call control-id="sc-7.4"/>
-         <call control-id="sc-7.5"/>
-         <call control-id="sc-7.7"/>
-         <call control-id="sc-7.8"/>
-         <call control-id="sc-7.10"/>
-         <call control-id="sc-7.12"/>
-         <call control-id="sc-7.13"/>
-         <call control-id="sc-7.18"/>
-         <call control-id="sc-7.20"/>
-         <call control-id="sc-7.21"/>
-         <call control-id="sc-8"/>
-         <call control-id="sc-8.1"/>
-         <call control-id="sc-10"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-12.1"/>
-         <call control-id="sc-12.2"/>
-         <call control-id="sc-12.3"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-17"/>
-         <call control-id="sc-18"/>
-         <call control-id="sc-19"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-23"/>
-         <call control-id="sc-23.1"/>
-         <call control-id="sc-24"/>
-         <call control-id="sc-28"/>
-         <call control-id="sc-28.1"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-2.1"/>
-         <call control-id="si-2.2"/>
-         <call control-id="si-2.3"/>
-         <call control-id="si-3"/>
-         <call control-id="si-3.1"/>
-         <call control-id="si-3.2"/>
-         <call control-id="si-3.7"/>
-         <call control-id="si-4"/>
-         <call control-id="si-4.1"/>
-         <call control-id="si-4.2"/>
-         <call control-id="si-4.4"/>
-         <call control-id="si-4.5"/>
-         <call control-id="si-4.11"/>
-         <call control-id="si-4.14"/>
-         <call control-id="si-4.16"/>
-         <call control-id="si-4.18"/>
-         <call control-id="si-4.19"/>
-         <call control-id="si-4.20"/>
-         <call control-id="si-4.22"/>
-         <call control-id="si-4.23"/>
-         <call control-id="si-4.24"/>
-         <call control-id="si-5"/>
-         <call control-id="si-5.1"/>
-         <call control-id="si-6"/>
-         <call control-id="si-7"/>
-         <call control-id="si-7.1"/>
-         <call control-id="si-7.2"/>
-         <call control-id="si-7.5"/>
-         <call control-id="si-7.7"/>
-         <call control-id="si-7.14"/>
-         <call control-id="si-8"/>
-         <call control-id="si-8.1"/>
-         <call control-id="si-8.2"/>
-         <call control-id="si-10"/>
-         <call control-id="si-11"/>
-         <call control-id="si-12"/>
-         <call control-id="si-16"/>
-      </include>
-   </import>
-   <merge>
-      <combine method="keep"/>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <set-parameter param-id="ac-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2_prm_4">
-         <constraint>monthly for privileged accessed, every six (6) months for non-privileged access</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.2_prm_1">
-         <constraint>Selection: disables</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.2_prm_2">
-         <constraint>24 hours from last use</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.3_prm_1">
-         <constraint>35 days for user accounts</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.4_prm_1">
-         <constraint>organization and/or service provider system owner</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.5_prm_1">
-         <constraint>inactivity is anticipated to exceed Fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.7_prm_1">
-         <constraint>disables/revokes access within a organization-specified timeframe</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.9_prm_1">
-         <constraint>organization-defined need with justification statement that explains why such accounts are necessary</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.12_prm_2">
-         <constraint>at a minimum, the ISSO and/or similar role within the organization</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.13_prm_1">
-         <constraint>one (1) hour</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.1_prm_1">
-         <constraint>all functions not publicly accessible and all security-relevant information not publicly available</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.2_prm_1">
-         <constraint>all security functions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.3_prm_1">
-         <constraint>all privileged commands</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.7_prm_1">
-         <constraint>at a minimum, annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.7_prm_2">
-         <constraint>all users with privileges</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.8_prm_1">
-         <constraint>any software except software explicitly documented</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_1">
-         <constraint>not more than three (3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_2">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_4">
-         <constraint>locks the account/node for a minimum of three (3) hours or until unlocked by an administrator</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7.2_prm_1">
-         <constraint>mobile devices as defined by organization policy</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7.2_prm_3">
-         <constraint>three (3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_1">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_2">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-10_prm_2">
-         <constraint>three (3) sessions for privileged access and two (2) sessions for non-privileged access</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-11_prm_1">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-17.9_prm_1">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-22_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_2">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-3_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-3.4_prm_1">
-         <constraint>malicious code indicators as defined by organization incident policy/capability.</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-4_prm_1">
-         <constraint>five (5) years or 5 years after completion of a specific training program</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_1">
-         <constraint>successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_2">
-         <constraint>organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2.3_prm_1">
-         <constraint>annually or whenever there is a change in the threat environment</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-3.1_prm_1">
-         <constraint>session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-3.2_prm_1">
-         <constraint>all network, data storage, and computing devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5_prm_2">
-         <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5.2_prm_1">
-         <constraint>real-time</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5.2_prm_2">
-         <constraint>service provider personnel with authority to address failed audit events</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5.2_prm_3">
-         <constraint>audit failure events requiring real-time alerts, as defined by organization audit policy</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6.5_prm_2">
-         <constraint>Possibly to include penetration test data.</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6.7_prm_1">
-         <constraint>information system process; role; user</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8_prm_1">
-         <constraint>one second granularity of time measurement</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8.1_prm_1">
-         <constraint>At least hourly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8.1_prm_2">
-         <constraint>http://tf.nist.gov/tf-cgi/servers.cgi</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-9.2_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-10_prm_1">
-         <constraint>minimum actions including the addition, modification, deletion, approval, sending, or receiving of data</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-11_prm_1">
-         <constraint>at least one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12_prm_1">
-         <constraint>all information system and network components where audit capability is deployed/available</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12.1_prm_1">
-         <constraint>all network, data storage, and computing devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12.3_prm_1">
-         <constraint>service provider-defined individuals or roles with audit configuration responsibilities</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12.3_prm_2">
-         <constraint>all network, data storage, and computing devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_2">
-         <constraint>individuals or roles to include FedRAMP PMO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_1">
-         <constraint>any FedRAMP Accredited 3PAO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_2">
-         <constraint>any FedRAMP Accredited 3PAO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_3">
-         <constraint>the conditions of the JAB/AO in the FedRAMP Repository</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3_prm_1">
-         <constraint>At least annually and on input from FedRAMP</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3.3_prm_2">
-         <constraint>boundary protections which meet the Trusted Internet Connection (TIC) requirements</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3.5_prm_1">
-         <constraint>deny-all, permit by exception</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3.5_prm_2">
-         <constraint>any systems</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-5_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-6_prm_1">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_4">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_5">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-8_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.1_prm_1">
-         <constraint>at least annually or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.1_prm_2">
-         <constraint>to include when directed by the JAB</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.3_prm_1">
-         <constraint>organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-3.1_prm_2">
-         <constraint>organization agreed upon time period</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-3.1_prm_3">
-         <constraint>organization defined configuration management approval authorities</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-3.4_prm_1">
-         <constraint>Configuration control board (CCB) or similar (as defined in CM-3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-3.6_prm_1">
-         <constraint>All security safeguards that rely on cryptography</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-5.2_prm_1">
-         <constraint>at least every thirty (30) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-5.5_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-6_prm_1">
-         <guideline>
-            <p>See CM-6(a) Additional FedRAMP Requirements and Guidance</p>
-         </guideline>
-      </set-parameter>
-      <set-parameter param-id="cm-7_prm_1">
-         <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7.1_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7.5_prm_2">
-         <constraint>at least quarterly or when there is a change</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8.3_prm_1">
-         <constraint>Continuously, using automated mechanisms with a maximum five-minute delay in detection.</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8.4_prm_1">
-         <constraint>position and role</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-11_prm_3">
-         <constraint>Continuously (via CM-7 (5))</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-2_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-2.4_prm_1">
-         <constraint>time period defined in service provider and organization SLA</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_1">
-         <constraint>ten (10) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_2">
-         <constraint>functional exercises</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-8.4_prm_1">
-         <constraint>annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_1">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_2">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_3">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9.1_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9.5_prm_1">
-         <constraint>time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-10.4_prm_1">
-         <constraint>time period consistent with the restoration time-periods defined in the service provider and organization SLA</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-2.11_prm_1">
-         <constraint>FIPS 140-2, NIAP Certification, or NSA approval</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_1">
-         <constraint>at a minimum, the ISSO (or similar role within the organization)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_2">
-         <constraint>at least two (2) years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_3">
-         <constraint>thirty-five (35) days (See additional requirements and guidance.)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4.4_prm_1">
-         <constraint>contractors; foreign nationals]</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_2">
-         <constraint>at least fifty percent (50%)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_4">
-         <constraint>twenty four (24)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.3_prm_1">
-         <constraint>All hardware/biometric (multifactor authenticators)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.3_prm_2">
-         <constraint>in person</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.4_prm_1">
-         <constraint>complexity as identified in IA-5 (1) Control Enhancement Part (a)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.8_prm_1">
-         <constraint>different authenticators on different systems</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-2_prm_1">
-         <constraint>within ten (10) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-3_prm_1">
-         <constraint>at least every six (6) months</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-4.2_prm_1">
-         <constraint>all network, data storage, and computing devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-4.8_prm_1">
-         <constraint>external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-6_prm_1">
-         <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_2">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_4">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-9.2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-3.3_prm_1">
-         <constraint>the information owner explicitly authorizing removal of the equipment from the facility</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-2_prm_1">
-         <constraint>any digital and non-digital media deemed sensitive</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-3_prm_1">
-         <constraint>no removable media types</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-3_prm_2">
-         <constraint>organization-defined security safeguards not applicable</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-4_prm_1">
-         <constraint>all types of digital and non-digital media with sensitive information</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-4_prm_2">
-         <constraint>see additional FedRAMP requirements and guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-5_prm_1">
-         <constraint>all media with sensitive information</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-5_prm_2">
-         <constraint>prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-6_prm_2">
-         <constraint>techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-6.2_prm_1">
-         <constraint>at least every six (6) months</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-2_prm_1">
-         <constraint>at least every ninety (90) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_2">
-         <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_3">
-         <constraint>CSP defined physical access control systems/devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_6">
-         <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_8">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_9">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-6_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_1">
-         <constraint>for a minimum of one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-13.1_prm_1">
-         <constraint>service provider building maintenance/physical security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-13.1_prm_2">
-         <constraint>service provider emergency responders with incident response responsibilities</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_1">
-         <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_2">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-15.1_prm_1">
-         <constraint>service provider building maintenance/physical security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-16_prm_1">
-         <constraint>all information system components</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-18_prm_1">
-         <constraint>physical and environmental hazards identified during threat assessment</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-4_prm_1">
-         <constraint>annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-8_prm_1">
-         <constraint>at least annually or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3_prm_1">
-         <constraint>for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3.3_prm_1">
-         <constraint>personnel screening criteria - as required by specific information</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-4_prm_1">
-         <constraint>eight (8) hours</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-4.2_prm_1">
-         <constraint>access control personnel responsible for disabling access to the system</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-5_prm_2">
-         <constraint>twenty-four (24) hours</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-5_prm_4">
-         <constraint>twenty-four (24) hours</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_2">
-         <constraint>at least annually and any time there is a change to the user's level of access</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-7_prm_2">
-         <constraint>terminations: immediately; transfers: within twenty-four (24) hours</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-8_prm_1">
-         <constraint>at a minimum, the ISSO and/or similar role within the organization</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_2">
-         <constraint>security assessment report</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_5">
-         <constraint>annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_1">
-         <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_2">
-         <constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.2_prm_1">
-         <constraint>prior to a new scan</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.4_prm_1">
-         <constraint>notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.5_prm_1">
-         <constraint>operating systems / web applications / databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.5_prm_2">
-         <constraint>all scans</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-4.2_prm_1">
-         <constraint>at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-4.8_prm_1">
-         <constraint>at least the minimum requirement as defined in control CA-7</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-5_prm_2">
-         <constraint>at a minimum, the ISSO (or similar role within the organization)</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_1">
-         <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_2">
-         <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.2_prm_1">
-         <constraint>all external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.4_prm_2">
-         <constraint>all external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.5_prm_1">
-         <constraint>information processing, information data, AND information services</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.5_prm_2">
-         <constraint>U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.5_prm_3">
-         <constraint>all High Impact Data, Systems, or Services</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-10_prm_1">
-         <constraint>development, implementation, AND operation</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-12_prm_1">
-         <constraint>organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-15_prm_1">
-         <constraint>as needed and as dictated by the current threat posture</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-15_prm_2">
-         <constraint>organization and service provider- defined security requirements</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-7.4_prm_1">
-         <constraint>at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-7.12_prm_1">
-         <constraint>Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8_prm_1">
-         <constraint>confidentiality AND integrity</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8.1_prm_1">
-         <constraint>prevent unauthorized disclosure of information AND detect changes to information</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8.1_prm_2">
-         <constraint>a hardened or alarmed carrier Protective Distribution System (PDS)</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-10_prm_1">
-         <constraint>no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-12.2_prm_1">
-         <constraint>NIST FIPS-compliant</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-13_prm_1">
-         <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-15_prm_1">
-         <constraint>no exceptions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-28_prm_1">
-         <constraint>confidentiality AND integrity</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-28.1_prm_2">
-         <constraint>all information system components storing customer data deemed sensitive</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_3">
-         <constraint>at least annually or whenever a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2_prm_1">
-         <constraint>thirty (30) days of release of updates</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2.2_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_2">
-         <constraint>to include endpoints</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_3">
-         <constraint>to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-4.4_prm_1">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_1">
-         <constraint>to include US-CERT</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_2">
-         <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_3">
-         <constraint>to include upon system startup and/or restart</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_4">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_5">
-         <constraint>to include system administrators and security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_7">
-         <constraint>to include notification of system administrators and security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-7.1_prm_3">
-         <constraint>selection to include security relevant events</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-7.1_prm_4">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <alter control-id="ac-1">
-         <add position="starting" id-ref="ac-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-10">
-         <add position="starting" id-ref="ac-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-10_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11">
-         <add position="starting" id-ref="ac-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-11.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11.1">
-         <add position="starting" id-ref="ac-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-12">
-         <add position="starting" id-ref="ac-12">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-12.1">
-         <add position="ending" id-ref="ac-12.1_smt">
-            <part id="ac-12.1_fr" name="item">
-               <title>AC-12 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-12.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-12.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-12.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-12.1.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting" id-ref="ac-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting" id-ref="ac-17">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.1">
-         <add position="starting" id-ref="ac-17.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.2">
-         <add position="starting" id-ref="ac-17.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.3">
-         <add position="starting" id-ref="ac-17.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.4">
-         <add position="starting" id-ref="ac-17.4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.9">
-         <add position="starting" id-ref="ac-17.9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.9_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting" id-ref="ac-18">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.1">
-         <add position="starting" id-ref="ac-18.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.3">
-         <add position="starting" id-ref="ac-18.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.4">
-         <add position="starting" id-ref="ac-18.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.5">
-         <add position="starting" id-ref="ac-18.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting" id-ref="ac-19">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19.5">
-         <add position="starting" id-ref="ac-19.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting" id-ref="ac-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.i_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.k_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.1">
-         <add position="starting" id-ref="ac-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.10">
-         <add position="ending" id-ref="ac-2.10_smt">
-            <part id="ac-2.10_fr" name="item">
-               <title>AC-2 (10) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.10_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Required if shared/group accounts are deployed</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.11">
-         <add position="starting" id-ref="ac-2.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.11_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.12">
-         <add position="ending" id-ref="ac-2.12_smt">
-            <part id="ac-2.12_fr" name="item">
-               <title>AC-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) Guidance:</prop>
-                  <p>Required for privileged accounts.</p>
-               </part>
-               <part id="ac-2.12_fr_gdn.2" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Required for privileged accounts.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.12">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.13">
-         <add position="starting" id-ref="ac-2.13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.2">
-         <add position="starting" id-ref="ac-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.3">
-         <add position="ending" id-ref="ac-2.3_smt">
-            <part id="ac-2.3_fr" name="item">
-               <title>AC-2 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.3_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.4">
-         <add position="starting" id-ref="ac-2.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.5">
-         <add position="ending" id-ref="ac-2.5_smt">
-            <part id="ac-2.5_fr" name="item">
-               <title>AC-2 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Should use a shorter timeframe than AC-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.7">
-         <add position="starting" id-ref="ac-2.7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.9">
-         <add position="ending" id-ref="ac-2.9_smt">
-            <part id="ac-2.9_fr" name="item">
-               <title>AC-2 (9) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.9_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Required if shared/group accounts are deployed</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.9_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting" id-ref="ac-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20.1">
-         <add position="starting" id-ref="ac-20.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20.2">
-         <add position="starting" id-ref="ac-20.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-21">
-         <add position="starting" id-ref="ac-21.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting" id-ref="ac-22">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-22.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting" id-ref="ac-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4">
-         <add position="starting" id-ref="ac-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4.21">
-         <add position="starting" id-ref="ac-4.21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4.8">
-         <add position="starting" id-ref="ac-4.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-5">
-         <add position="ending" id-ref="ac-5_smt">
-            <part id="ac-5_fr" name="item">
-               <title>AC-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6">
-         <add position="starting" id-ref="ac-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.1">
-         <add position="starting" id-ref="ac-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.10">
-         <add position="starting" id-ref="ac-6.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.2">
-         <add position="ending" id-ref="ac-6.2_smt">
-            <part id="ac-6.2_fr" name="item">
-               <title>AC-6 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-6.2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.3">
-         <add position="starting" id-ref="ac-6.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.5">
-         <add position="starting" id-ref="ac-6.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.7">
-         <add position="starting" id-ref="ac-6.7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.8">
-         <add position="starting" id-ref="ac-6.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.9">
-         <add position="starting" id-ref="ac-6.9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-6.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting" id-ref="ac-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7.2">
-         <add position="starting" id-ref="ac-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="ending" id-ref="ac-8_smt">
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting" id-ref="at-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting" id-ref="at-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2.2">
-         <add position="starting" id-ref="at-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting" id-ref="at-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3.3">
-         <add position="starting" id-ref="at-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3.4">
-         <add position="starting" id-ref="at-3.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-3.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting" id-ref="at-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting" id-ref="au-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="au-10">
-         <add position="starting" id-ref="au-10.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="ending" id-ref="au-11_smt">
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting" id-ref="au-12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12.1">
-         <add position="starting" id-ref="au-12.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12.3">
-         <add position="starting" id-ref="au-12.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.3_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="ending" id-ref="au-2_smt">
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2.3">
-         <add position="ending" id-ref="au-2.3_smt">
-            <part id="au-2.3_fr" name="item">
-               <title>AU-2 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting" id-ref="au-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3.1">
-         <add position="ending" id-ref="au-3.1_smt">
-            <part id="au-3.1_fr" name="item">
-               <title>AU-3 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-3.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines audit record types <em>[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]</em>.  The audit record types are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="au-3.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-3.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-3.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3.2">
-         <add position="starting" id-ref="au-3.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-3.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting" id-ref="au-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting" id-ref="au-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5.1">
-         <add position="starting" id-ref="au-5.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.1_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5.2">
-         <add position="starting" id-ref="au-5.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="ending" id-ref="au-6_smt">
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.1">
-         <add position="starting" id-ref="au-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.10">
-         <add position="starting" id-ref="au-6.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.3">
-         <add position="starting" id-ref="au-6.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.4">
-         <add position="starting" id-ref="au-6.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.5">
-         <add position="starting" id-ref="au-6.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-6.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.6">
-         <add position="ending" id-ref="au-6.6_smt">
-            <part id="au-6.6_fr" name="item">
-               <title>AU-6 (6) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6.6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-6.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.7">
-         <add position="starting" id-ref="au-6.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7">
-         <add position="starting" id-ref="au-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7.1">
-         <add position="starting" id-ref="au-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting" id-ref="au-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8.1">
-         <add position="ending" id-ref="au-8.1_smt">
-            <part id="au-8.1_fr" name="item">
-               <title>AU-8 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-8.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
-               </part>
-               <part id="au-8.1_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
-               </part>
-               <part id="au-8.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Synchronization of system clocks improves the accuracy of log analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-8.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting" id-ref="au-9.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.2">
-         <add position="starting" id-ref="au-9.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.3">
-         <add position="starting" id-ref="au-9.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.4">
-         <add position="starting" id-ref="au-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting" id-ref="ca-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="ending" id-ref="ca-2_smt">
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.1">
-         <add position="ending" id-ref="ca-2.1_smt">
-            <part id="ca-2.1_fr" name="item">
-               <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.2">
-         <add position="ending" id-ref="ca-2.2_smt">
-            <part id="ca-2.2_fr" name="item">
-               <title>CA-2 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>To include 'announced', 'vulnerability scanning'</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.3">
-         <add position="starting" id-ref="ca-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting" id-ref="ca-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3.3">
-         <add position="ending" id-ref="ca-3.3_smt">
-            <part id="ca-3.3_fr" name="item">
-               <title>CA-3 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-3.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3.5">
-         <add position="ending" id-ref="ca-3.5_smt">
-            <part id="ca-3.5_fr" name="item">
-               <title>CA-3 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-3.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-3.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="ending" id-ref="ca-5_smt">
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="ending" id-ref="ca-6_smt">
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="ending" id-ref="ca-7_smt">
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7.1">
-         <add position="starting" id-ref="ca-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7.3">
-         <add position="starting" id-ref="ca-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8">
-         <add position="ending" id-ref="ca-8_smt">
-            <part id="ca-8_fr" name="item">
-               <title>CA-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance <a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8.1">
-         <add position="starting" id-ref="ca-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting" id-ref="ca-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting" id-ref="cm-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting" id-ref="cm-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10.1">
-         <add position="starting" id-ref="cm-10.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting" id-ref="cm-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11.1">
-         <add position="starting" id-ref="cm-11.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting" id-ref="cm-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.1">
-         <add position="ending" id-ref="cm-2.1_smt">
-            <part id="cm-2.1_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-2.1_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-2.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-2.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.2">
-         <add position="starting" id-ref="cm-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.3">
-         <add position="starting" id-ref="cm-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.7">
-         <add position="starting" id-ref="cm-2.7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3">
-         <add position="ending" id-ref="cm-3_smt">
-            <part id="cm-3_fr" name="item">
-               <title>CM-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-3_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="cm-3_fr_gdn.1" name="guidance">
-                  <prop name="label">(e) Guidance:</prop>
-                  <p>In accordance with record retention policies and procedures.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3.1">
-         <add position="starting" id-ref="cm-3.1.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.1.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3.2">
-         <add position="starting" id-ref="cm-3.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3.4">
-         <add position="starting" id-ref="cm-3.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3.6">
-         <add position="starting" id-ref="cm-3.6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting" id-ref="cm-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4.1">
-         <add position="starting" id-ref="cm-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-4.1_obj.2.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5">
-         <add position="starting" id-ref="cm-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.1">
-         <add position="starting" id-ref="cm-5.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.2">
-         <add position="starting" id-ref="cm-5.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.3">
-         <add position="ending" id-ref="cm-5.3_smt">
-            <part id="cm-5.3_fr" name="item">
-               <title>CM-5 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-5.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.5">
-         <add position="starting" id-ref="cm-5.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-5.5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="ending" id-ref="cm-6_smt">
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6.1">
-         <add position="starting" id-ref="cm-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6.2">
-         <add position="starting" id-ref="cm-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="ending" id-ref="cm-7_smt">
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>. Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.1">
-         <add position="starting" id-ref="cm-7.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-7.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.2">
-         <add position="ending" id-ref="cm-7.2_smt">
-            <part id="cm-7.2_fr" name="item">
-               <title>CM-7 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7.2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.5">
-         <add position="starting" id-ref="cm-7.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-7.5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="ending" id-ref="cm-8_smt">
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.1">
-         <add position="starting" id-ref="cm-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.2">
-         <add position="starting" id-ref="cm-8.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.3">
-         <add position="starting" id-ref="cm-8.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.4">
-         <add position="starting" id-ref="cm-8.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.5">
-         <add position="starting" id-ref="cm-8.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-9">
-         <add position="starting" id-ref="cm-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-9.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting" id-ref="cp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting" id-ref="cp-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10.2">
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10.4">
-         <add position="starting" id-ref="cp-10.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-10.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="ending" id-ref="cp-2_smt">
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.1">
-         <add position="starting" id-ref="cp-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.2">
-         <add position="starting" id-ref="cp-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.3">
-         <add position="starting" id-ref="cp-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.4">
-         <add position="starting" id-ref="cp-2.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.5">
-         <add position="starting" id-ref="cp-2.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.8">
-         <add position="starting" id-ref="cp-2.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting" id-ref="cp-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3.1">
-         <add position="starting" id-ref="cp-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="ending" id-ref="cp-4_smt">
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4.1">
-         <add position="starting" id-ref="cp-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4.2">
-         <add position="starting" id-ref="cp-4.2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6">
-         <add position="starting" id-ref="cp-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.1">
-         <add position="starting" id-ref="cp-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.2">
-         <add position="starting" id-ref="cp-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.3">
-         <add position="starting" id-ref="cp-6.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-6.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7">
-         <add position="ending" id-ref="cp-7_smt">
-            <part id="cp-7_fr" name="item">
-               <title>CP-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.1">
-         <add position="ending" id-ref="cp-7.1_smt">
-            <part id="cp-7.1_fr" name="item">
-               <title>CP-7 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.2">
-         <add position="starting" id-ref="cp-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.3">
-         <add position="starting" id-ref="cp-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.4">
-         <add position="starting" id-ref="cp-7.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8">
-         <add position="ending" id-ref="cp-8_smt">
-            <part id="cp-8_fr" name="item">
-               <title>CP-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.1">
-         <add position="starting" id-ref="cp-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.2">
-         <add position="starting" id-ref="cp-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.3">
-         <add position="starting" id-ref="cp-8.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.4">
-         <add position="starting" id-ref="cp-8.4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="ending" id-ref="cp-9_smt">
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.1">
-         <add position="starting" id-ref="cp-9.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.2">
-         <add position="starting" id-ref="cp-9.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.3">
-         <add position="starting" id-ref="cp-9.3_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.3_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.5">
-         <add position="starting" id-ref="cp-9.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting" id-ref="ia-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.1">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.11">
-         <add position="ending" id-ref="ia-2.11_smt">
-            <part id="ia-2.11_fr" name="item">
-               <title>IA-2 (11) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.11_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.12">
-         <add position="ending" id-ref="ia-2.12_smt">
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.2">
-         <add position="starting" id-ref="ia-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.3">
-         <add position="starting" id-ref="ia-2.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.4">
-         <add position="starting" id-ref="ia-2.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.5">
-         <add position="starting" id-ref="ia-2.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.8">
-         <add position="starting" id-ref="ia-2.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.9">
-         <add position="starting" id-ref="ia-2.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-3">
-         <add position="starting" id-ref="ia-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="ending" id-ref="ia-4_smt">
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4.4">
-         <add position="starting" id-ref="ia-4.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="ending" id-ref="ia-5_smt">
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.j_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.1">
-         <add position="ending" id-ref="ia-5.1_smt">
-            <part id="ia-5.1_fr" name="item">
-               <title>IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.1_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) (d) Guidance:</prop>
-                  <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.11">
-         <add position="starting" id-ref="ia-5.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.13">
-         <add position="starting" id-ref="ia-5.13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.2">
-         <add position="starting" id-ref="ia-5.2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.3">
-         <add position="starting" id-ref="ia-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.4">
-         <add position="ending" id-ref="ia-5.4_smt">
-            <part id="ia-5.4_fr" name="item">
-               <title>IA-5 (4) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.6">
-         <add position="starting" id-ref="ia-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.7">
-         <add position="starting" id-ref="ia-5.7_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.8">
-         <add position="starting" id-ref="ia-5.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting" id-ref="ia-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting" id-ref="ia-7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting" id-ref="ia-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.1">
-         <add position="starting" id-ref="ia-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.2">
-         <add position="starting" id-ref="ia-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.3">
-         <add position="starting" id-ref="ia-8.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.4">
-         <add position="starting" id-ref="ia-8.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting" id-ref="ir-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting" id-ref="ir-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2.1">
-         <add position="starting" id-ref="ir-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2.2">
-         <add position="starting" id-ref="ir-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3">
-         <add position="ending" id-ref="ir-3_smt">
-            <part id="ir-3_fr" name="item">
-               <title>IR-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-3_fr_smt.1" name="item">
-                  <prop name="label">IR-3 -2 Requirement:</prop>
-                  <p>The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3.2">
-         <add position="starting" id-ref="ir-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="ending" id-ref="ir-4_smt">
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.1">
-         <add position="starting" id-ref="ir-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.2">
-         <add position="starting" id-ref="ir-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.3">
-         <add position="starting" id-ref="ir-4.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.4">
-         <add position="starting" id-ref="ir-4.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.6">
-         <add position="starting" id-ref="ir-4.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.8">
-         <add position="starting" id-ref="ir-4.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting" id-ref="ir-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5.1">
-         <add position="starting" id-ref="ir-5.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="ending" id-ref="ir-6_smt">
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6.1">
-         <add position="starting" id-ref="ir-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7.1">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7.2">
-         <add position="starting" id-ref="ir-7.2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="ending" id-ref="ir-8_smt">
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9">
-         <add position="starting" id-ref="ir-9.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.1">
-         <add position="starting" id-ref="ir-9.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.2">
-         <add position="starting" id-ref="ir-9.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.3">
-         <add position="starting" id-ref="ir-9.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.4">
-         <add position="starting" id-ref="ir-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting" id-ref="ma-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting" id-ref="ma-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2.2">
-         <add position="starting" id-ref="ma-2.2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3">
-         <add position="starting" id-ref="ma-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.1">
-         <add position="starting" id-ref="ma-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.2">
-         <add position="starting" id-ref="ma-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.3">
-         <add position="starting" id-ref="ma-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting" id-ref="ma-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4.2">
-         <add position="starting" id-ref="ma-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4.3">
-         <add position="starting" id-ref="ma-4.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4.6">
-         <add position="starting" id-ref="ma-4.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting" id-ref="ma-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5.1">
-         <add position="starting" id-ref="ma-5.1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.1.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.1.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-6">
-         <add position="starting" id-ref="ma-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-6.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting" id-ref="mp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting" id-ref="mp-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-3">
-         <add position="ending" id-ref="mp-3_smt">
-            <part id="mp-3_fr" name="item">
-               <title>MP-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-3_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Second parameter not-applicable</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-4">
-         <add position="ending" id-ref="mp-4_smt">
-            <part id="mp-4_fr" name="item">
-               <title>MP-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-4_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines controlled areas within facilities where the information and information system reside.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5">
-         <add position="ending" id-ref="mp-5_smt">
-            <part id="mp-5_fr" name="item">
-               <title>MP-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-5_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines security measures to protect digital and non-digital media in transport.  The security measures are approved and accepted by the JAB.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5.4">
-         <add position="starting" id-ref="mp-5.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting" id-ref="mp-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6.1">
-         <add position="starting" id-ref="mp-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.1_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.1_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6.2">
-         <add position="ending" id-ref="mp-6.2_smt">
-            <part id="mp-6.2_fr" name="item">
-               <title>MP-6 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-6.2_fr_gdn.a" name="guidance">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>Equipment and procedures may be tested or validated for effectiveness</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-6.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6.3">
-         <add position="starting" id-ref="mp-6.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7.1">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting" id-ref="pe-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-10">
-         <add position="starting" id-ref="pe-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-11">
-         <add position="starting" id-ref="pe-11_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-11.1">
-         <add position="starting" id-ref="pe-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting" id-ref="pe-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting" id-ref="pe-13.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.1">
-         <add position="starting" id-ref="pe-13.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.2">
-         <add position="starting" id-ref="pe-13.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.3">
-         <add position="starting" id-ref="pe-13.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="ending" id-ref="pe-14_smt">
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14.2">
-         <add position="starting" id-ref="pe-14.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting" id-ref="pe-15_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15.1">
-         <add position="starting" id-ref="pe-15.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-15.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-15.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting" id-ref="pe-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.9">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-17">
-         <add position="starting" id-ref="pe-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-18">
-         <add position="starting" id-ref="pe-18.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-18_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-18_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-18_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting" id-ref="pe-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting" id-ref="pe-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3.1">
-         <add position="starting" id-ref="pe-3.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-4">
-         <add position="starting" id-ref="pe-4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-5">
-         <add position="starting" id-ref="pe-5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting" id-ref="pe-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6.1">
-         <add position="starting" id-ref="pe-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6.4">
-         <add position="starting" id-ref="pe-6.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting" id-ref="pe-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8.1">
-         <add position="starting" id-ref="pe-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-9">
-         <add position="starting" id-ref="pe-9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting" id-ref="pl-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting" id-ref="pl-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2.3">
-         <add position="starting" id-ref="pl-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting" id-ref="pl-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4.1">
-         <add position="starting" id-ref="pl-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-8">
-         <add position="ending" id-ref="pl-8_smt">
-            <part id="pl-8_fr" name="item">
-               <title>PL-8(b) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pl-8_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pl-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting" id-ref="ps-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting" id-ref="ps-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting" id-ref="ps-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3.3">
-         <add position="starting" id-ref="ps-3.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting" id-ref="ps-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4.2">
-         <add position="starting" id-ref="ps-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting" id-ref="ps-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting" id-ref="ps-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting" id-ref="ps-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting" id-ref="ps-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting" id-ref="ra-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting" id-ref="ra-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="ending" id-ref="ra-3_smt">
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add id-ref="ra-5_smt">
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-            </part>
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.1">
-         <add position="starting" id-ref="ra-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.10">
-         <add position="ending" id-ref="ra-5.10_smt">
-            <part id="ra-5.10_fr" name="item">
-               <title>RA-5 (10) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.10_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If multiple tools are not used, this control is not applicable.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.2">
-         <add position="starting" id-ref="ra-5.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.3">
-         <add position="starting" id-ref="ra-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.4">
-         <add position="starting" id-ref="ra-5.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.5">
-         <add position="starting" id-ref="ra-5.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.6">
-         <add position="ending" id-ref="ra-5.6_smt">
-            <part id="ra-5.6_fr" name="item">
-               <title>RA-5 (6) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.8">
-         <add position="ending" id-ref="ra-5.8_smt">
-            <part id="ra-5.8_fr" name="item">
-               <title>RA-5 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>This enhancement is required for all high vulnerability scan findings.</p>
-               </part>
-               <part id="ra-5.8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting" id-ref="sa-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10">
-         <add position="ending" id-ref="sa-10_smt">
-            <part id="sa-10_fr" name="item">
-               <title>SA-10 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-10_fr_smt.1" name="item">
-                  <prop name="label">(e)  Requirement:</prop>
-                  <p>For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10.1">
-         <add position="starting" id-ref="sa-10.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11">
-         <add position="starting" id-ref="sa-11.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.1">
-         <add position="ending" id-ref="sa-11.1_smt">
-            <part id="sa-11.1_fr" name="item">
-               <title>SA-11 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-11.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.2">
-         <add position="starting" id-ref="sa-11.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.8">
-         <add position="ending" id-ref="sa-11.8_smt">
-            <part id="sa-11.8_fr" name="item">
-               <title>SA-11 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-11.8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-11.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-12">
-         <add position="starting" id-ref="sa-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-15">
-         <add position="starting" id-ref="sa-15.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.3.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.3.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.3.c">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-15.b_obj.3.d">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-16">
-         <add position="starting" id-ref="sa-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-17">
-         <add position="starting" id-ref="sa-17.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-17.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting" id-ref="sa-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting" id-ref="sa-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="ending" id-ref="sa-4_smt">
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.1">
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.10">
-         <add position="starting" id-ref="sa-4.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.2">
-         <add position="starting" id-ref="sa-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.8">
-         <add position="ending" id-ref="sa-4.8_smt">
-            <part id="sa-4.8_fr" name="item">
-               <title>SA-4 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4.8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.9">
-         <add position="starting" id-ref="sa-4.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting" id-ref="sa-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-8">
-         <add position="starting" id-ref="sa-8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="starting" id-ref="sa-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.1">
-         <add position="starting" id-ref="sa-9.1.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.2">
-         <add position="starting" id-ref="sa-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.4">
-         <add position="starting" id-ref="sa-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.5">
-         <add position="starting" id-ref="sa-9.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting" id-ref="sc-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-10">
-         <add position="starting" id-ref="sc-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="ending" id-ref="sc-12_smt">
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.1">
-         <add position="starting" id-ref="sc-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.2">
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.3">
-         <add position="starting" id-ref="sc-12.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting" id-ref="sc-13">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="ending" id-ref="sc-15_smt">
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-17">
-         <add position="starting" id-ref="sc-17_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-17_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-18">
-         <add position="starting" id-ref="sc-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-19">
-         <add position="starting" id-ref="sc-19.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-2">
-         <add position="starting" id-ref="sc-2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting" id-ref="sc-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting" id-ref="sc-21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting" id-ref="sc-22_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-22_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-23">
-         <add position="starting" id-ref="sc-23_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-23.1">
-         <add position="starting" id-ref="sc-23.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-24">
-         <add position="starting" id-ref="sc-24_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-24_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-24_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-24_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-24_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28">
-         <add position="ending" id-ref="sc-28_smt">
-            <part id="sc-28_fr" name="item">
-               <title>SC-28 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-28_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28.1">
-         <add position="starting" id-ref="sc-28.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-3">
-         <add position="starting" id-ref="sc-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting" id-ref="sc-39_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-4">
-         <add position="starting" id-ref="sc-4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting" id-ref="sc-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-6">
-         <add position="starting" id-ref="sc-6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-6_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting" id-ref="sc-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.10">
-         <add position="starting" id-ref="sc-7.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.12">
-         <add position="starting" id-ref="sc-7.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.12_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.13">
-         <add position="ending" id-ref="sc-7.13_smt">
-            <part id="sc-7.13_fr" name="item">
-               <title>SC-7 (13) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-7.13_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
-               </part>
-               <part id="sc-7.13_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-7.13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.18">
-         <add position="starting" id-ref="sc-7.18_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.20">
-         <add position="starting" id-ref="sc-7.20_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.20_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.21">
-         <add position="starting" id-ref="sc-7.21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.3">
-         <add position="starting" id-ref="sc-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.4">
-         <add position="starting" id-ref="sc-7.4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-7.4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.5">
-         <add position="starting" id-ref="sc-7.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.7">
-         <add position="starting" id-ref="sc-7.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.8">
-         <add position="starting" id-ref="sc-7.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8">
-         <add position="starting" id-ref="sc-8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8.1">
-         <add position="starting" id-ref="sc-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting" id-ref="si-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-10">
-         <add position="starting" id-ref="si-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-11">
-         <add position="starting" id-ref="si-11.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting" id-ref="si-12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-16">
-         <add position="starting" id-ref="si-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting" id-ref="si-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.1">
-         <add position="starting" id-ref="si-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.2">
-         <add position="starting" id-ref="si-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.3">
-         <add position="starting" id-ref="si-2.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting" id-ref="si-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.1">
-         <add position="starting" id-ref="si-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.2">
-         <add position="starting" id-ref="si-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.7">
-         <add position="starting" id-ref="si-3.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="ending" id-ref="si-4_smt">
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.1">
-         <add position="starting" id-ref="si-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.11">
-         <add position="starting" id-ref="si-4.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.14">
-         <add position="starting" id-ref="si-4.14">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.16">
-         <add position="starting" id-ref="si-4.16_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.18">
-         <add position="starting" id-ref="si-4.18_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.18_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.19">
-         <add position="starting" id-ref="si-4.19_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.19_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.19_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.2">
-         <add position="starting" id-ref="si-4.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.20">
-         <add position="starting" id-ref="si-4.20_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.20_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.22">
-         <add position="starting" id-ref="si-4.22_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.22_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.22_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.23">
-         <add position="starting" id-ref="si-4.23_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.23_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.23_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.24">
-         <add position="starting" id-ref="si-4.24_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.4">
-         <add position="starting" id-ref="si-4.4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.5">
-         <add position="ending" id-ref="si-4.5_smt">
-            <part id="si-4.5_fr" name="item">
-               <title>SI-4 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>In accordance with the incident response plan.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting" id-ref="si-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5.1">
-         <add position="starting" id-ref="si-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-6">
-         <add position="starting" id-ref="si-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7">
-         <add position="starting" id-ref="si-7_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7_obj.1.c">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.1">
-         <add position="starting" id-ref="si-7.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.14">
-         <add position="starting" id-ref="si-7.14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.14.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-7.14.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.2">
-         <add position="starting" id-ref="si-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.5">
-         <add position="starting" id-ref="si-7.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.7">
-         <add position="starting" id-ref="si-7.7_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.7_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8">
-         <add position="starting" id-ref="si-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8.1">
-         <add position="starting" id-ref="si-8.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8.2">
-         <add position="starting" id-ref="si-8.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml" href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.0-milestone3/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml
deleted file mode 100644
index 74ed89cbf0..0000000000
--- a/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml
+++ /dev/null
@@ -1,1734 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="48d3387b-e554-4232-97bc-a8617cf238d9">
-   
-   <metadata>
-      <title>FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline</title>
-      <published>2020-02-02T00:00:00.000-05:00</published>
-      <last-modified>2020-06-01T10:00:00.000-05:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage" />
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#ad005eae-cc63-4e64-9109-3905a9a825e4">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-3"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-6"/>
-         <call control-id="au-8"/>
-         <call control-id="au-9"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-10"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-8"/>
-         <call control-id="ir-9"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-5"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-7"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-16"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-4"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-9"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-3"/>
-         <call control-id="si-4"/>
-         <call control-id="si-5"/>
-         <call control-id="si-12"/>
-      </include>
-   </import>
-   <merge>
-      <combine method="keep"/>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <!-- - - AC-22 - -  -->
-      <set-parameter param-id="ac-22_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <!-- - - AU-5 - -  -->
-      <set-parameter param-id="au-5_prm_2">
-         <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-      </set-parameter>
-      <!-- - - AU-6 - -  -->
-      <set-parameter param-id="au-6_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <!-- - - CA-2 - -  -->
-      <set-parameter param-id="ca-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_2">
-         <constraint>individuals or roles to include FedRAMP PMO</constraint>
-      </set-parameter>
-      <!-- - - CA-2 (1) - -  -->
-      <!-- - - CA-3 - -  -->
-      <set-parameter param-id="ca-3_prm_1">
-         <constraint>at least annually and on input from FedRAMP</constraint>
-      </set-parameter>
-      <!-- - - CA-5 - -  -->
-      <set-parameter param-id="ca-5_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <!-- - - CA-6 - -  -->
-      <set-parameter param-id="ca-6_prm_1">
-         <constraint>at least every three years or when a significant change occurs</constraint>
-      </set-parameter>
-      <!-- - - CA-7 - -  -->
-      <set-parameter param-id="ca-7_prm_4">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_5">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <!-- - - CM-6 - -  -->
-      <set-parameter param-id="cm-6_prm_1">
-         <constraint>see CM-6(a) Additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <!-- - - CM-8 - -  -->
-      <set-parameter param-id="cm-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <!-- - - CP-9 - -  -->
-      <set-parameter param-id="cp-9_prm_1">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_2">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_3">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <!-- - - IR-6 - -  -->
-      <set-parameter param-id="ir-6_prm_1">
-         <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-      </set-parameter>
-      <!-- - - PE-2 - -  -->
-      <set-parameter param-id="pe-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <!-- - - PE-3 - -  -->
-      <set-parameter param-id="pe-3_prm_2">
-         <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_6">
-         <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_8">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_9">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <!-- - - PE-6 - -  -->
-      <set-parameter param-id="pe-6_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <!-- - - PE-8 - -  -->
-      <set-parameter param-id="pe-8_prm_1">
-         <constraint>for a minimum of one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <!-- - - PE-14 - -  -->
-      <set-parameter param-id="pe-14_prm_1">
-         <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_2">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <!-- - - PE-16 - -  -->
-      <set-parameter param-id="pe-16_prm_1">
-         <constraint>all information system components</constraint>
-      </set-parameter>
-      <!-- - - PL-2 - -  -->
-      <set-parameter param-id="pl-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <!-- - - PS-3 - -  -->
-      <set-parameter param-id="ps-3_prm_1">
-         <constraint>For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.</constraint>
-      </set-parameter>
-      <!-- - - RA-3 - -  -->
-      <set-parameter param-id="ra-3_prm_2">
-         <constraint>security assessment report</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_3">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_5">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <!-- - - RA-5 - -  -->
-      <set-parameter param-id="ra-5_prm_1">
-         <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_2">
-         <constraint>[high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.</constraint>
-      </set-parameter>
-      <!-- - - SA-9 - -  -->
-      <set-parameter param-id="sa-9_prm_1">
-         <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_2">
-         <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <!-- - - SC-13 - -  -->
-      <set-parameter param-id="sc-13_prm_1">
-         <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-      </set-parameter>
-      <!-- - - SI-2 - -  -->
-      <set-parameter param-id="si-2_prm_1">
-         <constraint>within 30 days of release of updates</constraint>
-      </set-parameter>
-      <!-- - - SI-3 - -  -->
-      <set-parameter param-id="si-3_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_2">
-         <constraint>to include endpoints</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_3">
-         <constraint>to include alerting administrator or defined security personnel</constraint>
-      </set-parameter>
-      <!-- - -     CONTROL MODIFICATIONS      - -  -->
-      <!-- - - AC-1 - -  -->
-      <alter control-id="ac-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AC-2 - -  -->
-      <alter control-id="ac-2">
-         <remove id-ref="ac-2_smt.b"/>
-         <remove id-ref="ac-2_smt.c"/>
-         <remove id-ref="ac-2_smt.d"/>
-         <remove id-ref="ac-2_smt.e"/>
-         <remove id-ref="ac-2_smt.i"/>
-         <remove id-ref="ac-2_smt.j"/>
-         <remove id-ref="ac-2_smt.k"/>
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ac-2_fr" name="item">
-               <title>AC-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored
-                     for LI-SaaS.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-3 - -  -->
-      <alter control-id="ac-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AC-7 - -  -->
-      <alter control-id="ac-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO for non-privileged users. Attestation for privileged users related to
-                  multi-factor identification and authentication.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-8 - -  -->
-      <alter control-id="ac-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>FED - This is related to agency data and agency policy solution.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-14 - -  -->
-      <alter control-id="ac-14">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>FED - This is related to agency data and agency policy solution.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-17 - -  -->
-      <alter control-id="ac-17">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AC-18 - -  -->
-      <alter control-id="ac-18">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - All access to Cloud SaaS are via web services and/or API. The device
-                  accessed from or whether via wired or wireless connection is out of scope.
-                  Regardless of device accessed from, must utilize approved remote access methods
-                  (AC-17), secure communication with strong encryption (SC-13), key management
-                  (SC-12), and multi-factor authentication for privileged access (IA-2[1]).</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-19 - -  -->
-      <alter control-id="ac-19">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - All access to Cloud SaaS are via web service and/or API. The device accessed
-                  from is out of the scope. Regardless of device accessed from, must utilize
-                  approved remote access methods (AC-17), secure communication with strong
-                  encryption (SC-13), key management (SC-12), and multi-factor authentication for
-                  privileged access (IA-2 [1]).</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AC-20 - -  -->
-      <alter control-id="ac-20">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AC-22 - -  -->
-      <alter control-id="ac-22">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AT-1 - -  -->
-      <alter control-id="at-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AT-2 - -  -->
-      <alter control-id="at-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AT-3 - -  -->
-      <alter control-id="at-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AT-4 - -  -->
-      <alter control-id="at-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-1 - -  -->
-      <alter control-id="au-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-2 - -  -->
-      <alter control-id="au-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-3 - -  -->
-      <alter control-id="au-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AU-4 - -  -->
-      <alter control-id="au-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the audit data has been determined to have little or
-                  no impact to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AU-5 - -  -->
-      <alter control-id="au-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AU-6 - -  -->
-      <alter control-id="au-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - AU-8 - -  -->
-      <alter control-id="au-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-9 - -  -->
-      <alter control-id="au-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - AU-11 - -  -->
-      <alter control-id="au-11">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the audit data has been determined as little or no
-                  impact to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - AU-12 - -  -->
-      <alter control-id="au-12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CA-1 - -  -->
-      <alter control-id="ca-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CA-2 - -  -->
-      <alter control-id="ca-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                     Documents, Annual Assessment Guidance <a
-                        href="https://www.fedramp.gov/documents/"
-                        >https://www.fedramp.gov/documents/</a></p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-2 (1) - -  -->
-      <alter control-id="ca-2.1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CA-3 - -  -->
-      <alter control-id="ca-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: There are connection(s) to external systems. Connections (if any) shall
-                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                  is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                  bi-directional. 4) Identify how the connection is secured.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-5 - -  -->
-      <alter control-id="ca-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring
-                  Requirements.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-6 - -  -->
-      <alter control-id="ca-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                     Appendix F. The service provider describes the types of changes to the
-                     information system or the environment of operations that would impact the risk
-                     posture. The types of changes are approved and accepted by the Authorizing
-                     Official.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-7 - -  -->
-      <alter control-id="ca-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities
-                     within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                     Documents, Continuous Monitoring Strategy Guide <a
-                        href="https://www.fedramp.gov/documents/"
-                        >https://www.fedramp.gov/documents/</a></p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CA-9 - -  -->
-      <alter control-id="ca-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: There are connection(s) to external systems. Connections (if any) shall
-                  be authorized and must: 1) Identify the interface/connection. 2) Detail what data
-                  is involved and its sensitivity. 3) Determine whether the connection is one-way or
-                  bi-directional. 4) Identify how the connection is secured.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CM-1 - -  -->
-      <alter control-id="cm-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CM-2 - -  -->
-      <alter control-id="cm-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CM-4 - -  -->
-      <alter control-id="cm-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - CM-6 - -  -->
-      <alter control-id="cm-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Required - Specifically include details of least functionality.</p>
-            </part>
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines
-                     (Level 1) to establish configuration settings or establishes its own
-                     configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings
-                     are Security Content Automation Protocol (SCAP) (<a
-                        href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP
-                     compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a
-                        href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline"
-                        >https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CM-7 - -  -->
-      <alter control-id="cm-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CM-8 - -  -->
-      <alter control-id="cm-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CM-10 - -  -->
-      <alter control-id="cm-10">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO- Not directly related to protection of the data.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CM-11 - -  -->
-      <alter control-id="cm-11">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Boundary is specific to SaaS environment; all access is via web services;
-                  users' machine or internal network are not contemplated. External services (SA-9),
-                  internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and
-                  SC-13), and privileged authentication (IA-2[1]) are considerations.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-1 - -  -->
-      <alter control-id="cp-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - CP-2 - -  -->
-      <alter control-id="cp-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-3 - -  -->
-      <alter control-id="cp-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-4 - -  -->
-      <alter control-id="cp-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-9 - -  -->
-      <alter control-id="cp-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment
-                     require the Information System Backup control. The service provider shall
-                     determine how Information System Backup is going to be verified and appropriate
-                     periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level
-                     information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level
-                     information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information
-                     system documentation including security information (at least one of which is
-                     available online).</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - CP-10 - -  -->
-      <alter control-id="cp-10">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Loss of availability of the SaaS has been determined as little or no impact
-                  to government business/mission needs.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-1 - -  -->
-      <alter control-id="ia-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-2 - -  -->
-      <alter control-id="ia-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO for non-privileged users. Attestation for privileged users related to
-                  multi-factor identification and authentication - specifically include description
-                  of management of service accounts.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-2 (1) - -  -->
-      <alter control-id="ia-2.1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - IA-2 (12) - -  -->
-      <alter control-id="ia-2.12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of
-                     PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-4 - -  -->
-      <alter control-id="ia-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-5 - -  -->
-      <alter control-id="ia-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-5 (1) - -  -->
-      <alter control-id="ia-5.1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-5 (11) - -  -->
-      <alter control-id="ia-5.11">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>FED - for Federal privileged users. Condition - Must document and assess for
-                  privileged users. May attest to this control for non-privileged users.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-6 - -  -->
-      <alter control-id="ia-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - IA-7 - -  -->
-      <alter control-id="ia-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-8 - -  -->
-      <alter control-id="ia-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-8 (1) - -  -->
-      <alter control-id="ia-8.1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-8 (2) - -  -->
-      <alter control-id="ia-8.2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Must document and assess for privileged users. May attest to this
-                  control for non-privileged users. FedRAMP requires a minimum of multi-factor
-                  authentication for all Federal privileged users, if acceptance of PIV credentials
-                  is not supported. The implementation status and details of how this control is
-                  implemented must be clearly defined by the CSP.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IA-8 (3) - -  -->
-      <alter control-id="ia-8.3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IA-8 (4) - -  -->
-      <alter control-id="ia-8.4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-1 - -  -->
-      <alter control-id="ir-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-2 - -  -->
-      <alter control-id="ir-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-4 - -  -->
-      <alter control-id="ir-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet
-                     personnel security requirements commensurate with the criticality/sensitivity
-                     of the information being processed, stored, and transmitted by the information
-                     system.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IR-5 - -  -->
-      <alter control-id="ir-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-6 - -  -->
-      <alter control-id="ir-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident
-                     Communications Procedure.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IR-7 - -  -->
-      <alter control-id="ir-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - IR-8 - -  -->
-      <alter control-id="ir-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - Specifically attest to US-CERT compliance.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - IR-9 - -  -->
-      <alter control-id="ir-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - Specifically describe information spillage response processes.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MA-1 - -  -->
-      <alter control-id="ma-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - MA-2 - -  -->
-      <alter control-id="ma-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MA-4 - -  -->
-      <alter control-id="ma-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - MA-5 - -  -->
-      <alter control-id="ma-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MP-1 - -  -->
-      <alter control-id="mp-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - MP-2 - -  -->
-      <alter control-id="mp-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MP-6 - -  -->
-      <alter control-id="mp-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - MP-7 - -  -->
-      <alter control-id="mp-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-1 - -  -->
-      <alter control-id="pe-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PE-2 - -  -->
-      <alter control-id="pe-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-3 - -  -->
-      <alter control-id="pe-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-6 - -  -->
-      <alter control-id="pe-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-8 - -  -->
-      <alter control-id="pe-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-12 - -  -->
-      <alter control-id="pe-12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-13 - -  -->
-      <alter control-id="pe-13">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-14 - -  -->
-      <alter control-id="pe-14">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels
-                     by dew point.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-15 - -  -->
-      <alter control-id="pe-15">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PE-16 - -  -->
-      <alter control-id="pe-16">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PL-1 - -  -->
-      <alter control-id="pl-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PL-2 - -  -->
-      <alter control-id="pl-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - PL-4 - -  -->
-      <alter control-id="pl-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-1 - -  -->
-      <alter control-id="ps-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-2 - -  -->
-      <alter control-id="ps-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">FED</prop>
-         </add>
-      </alter>
-      <!-- - - PS-3 - -  -->
-      <alter control-id="ps-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - PS-4 - -  -->
-      <alter control-id="ps-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-5 - -  -->
-      <alter control-id="ps-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-6 - -  -->
-      <alter control-id="ps-6">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - PS-7 - -  -->
-      <alter control-id="ps-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - Specifically stating that any third-party security personnel are
-                  treated as CSP employees.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - PS-8 - -  -->
-      <alter control-id="ps-8">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - RA-1 - -  -->
-      <alter control-id="ra-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - RA-2 - -  -->
-      <alter control-id="ra-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - RA-3 - -  -->
-      <alter control-id="ra-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1,
-                     Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include
-                     FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - RA-5 - -  -->
-      <alter control-id="ra-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add>
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web
-                  applications, and databases once annually.</p>
-            </part>
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include
-                  FedRAMP.</p>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p><strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP)
-                        Documents> Vulnerability Scanning Requirements</strong> (<a
-                        href="https://www.FedRAMP.gov/documents/"
-                        >https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SA-1 - -  -->
-      <alter control-id="sa-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-2 - -  -->
-      <alter control-id="sa-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-3 - -  -->
-      <alter control-id="sa-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-4 - -  -->
-      <alter control-id="sa-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-4(10) - -  -->
-      <alter control-id="sa-4.10">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-5 - -  -->
-      <alter control-id="sa-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SA-9 - -  -->
-      <alter control-id="sa-9">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SC-1 - -  -->
-      <alter control-id="sc-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SC-5 - -  -->
-      <alter control-id="sc-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: If availability is a requirement, define protections in place as per
-                  control requirement.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SC-7 - -  -->
-      <alter control-id="sc-7">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SC-12 - -  -->
-      <alter control-id="sc-12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved cryptography.</p>
-               </part>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SC-13 - -  -->
-      <alter control-id="sc-13">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">CONDITIONAL</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Condition: If implementing need to detail how they meet it or don't meet it.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SC-15 - -  -->
-      <alter control-id="sc-15">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">NSO</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>NSO - Not directly related to the security of the SaaS.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SC-20 - -  -->
-      <alter control-id="sc-20">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SC-21 - -  -->
-      <alter control-id="sc-21">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SC-22 - -  -->
-      <alter control-id="sc-22">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SC-39 - -  -->
-      <alter control-id="sc-39">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SI-1 - -  -->
-      <alter control-id="si-1">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SI-2 - -  -->
-      <alter control-id="si-2">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SI-3 - -  -->
-      <alter control-id="si-3">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SI-4 - -  -->
-      <alter control-id="si-4">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ASSESS</prop>
-         </add>
-      </alter>
-      <!-- - - SI-5 - -  -->
-      <alter control-id="si-5">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-         </add>
-      </alter>
-      <!-- - - SI-12 - -  -->
-      <alter control-id="si-12">
-         <remove name-ref="objective"/>
-         <remove name-ref="assessment"/>
-         <add position="ending">
-            <prop name="method" class="FedRAMP-Tailored-LI-SaaS">ATTEST</prop>
-            <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
-               <p>Attestation - Specifically related to US-CERT and FedRAMP communications
-                  procedures.</p>
-            </part>
-         </add>
-      </alter>
-      <!-- - - SI-16 - -  -->
-   </modify>
-   <back-matter>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink
-            href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"
-         />
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink
-            href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"
-         />
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml" href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
deleted file mode 100644
index 8e29d4ae72..0000000000
--- a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml
+++ /dev/null
@@ -1,4623 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="4678df89-bdc1-4804-bdfd-0bb1fc5bba1a">
-   
-   <metadata>
-      <title>FedRAMP Low Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-      
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage" />
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-      
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#ad005eae-cc63-4e64-9109-3905a9a825e4">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-3"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-6"/>
-         <call control-id="au-8"/>
-         <call control-id="au-9"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-10"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-8"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-5"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-7"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-16"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-4"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-9"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-3"/>
-         <call control-id="si-4"/>
-         <call control-id="si-5"/>
-         <call control-id="si-12"/>
-         <call control-id="si-16"/>
-      </include>
-   </import>
-   <merge>
-      <combine method="keep"/>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <set-parameter param-id="ac-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2_prm_4">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_1">
-         <constraint>not more than three (3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_2">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_4">
-         <constraint>thirty (30) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_1">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_2">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-22_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-3_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-4_prm_1">
-         <constraint>At least one year</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_1">
-         <constraint>Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_2">
-         <constraint>organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5_prm_2">
-         <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-11_prm_1">
-         <constraint>at least ninety days</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12_prm_1">
-         <constraint>all information system and network components where audit capability is deployed/available</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_2">
-         <constraint>individuals or roles to include FedRAMP PMO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3_prm_1">
-         <constraint>at least annually and on input from FedRAMP</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-5_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-6_prm_1">
-         <constraint>at least every three years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_4">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_5">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-6_prm_1">
-         <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7_prm_1">
-         <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-11_prm_3">
-         <constraint>Continuously (via CM-7 (5))</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-2_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_1">
-         <constraint>ten (10) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_1">
-         <constraint>at least every three years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_2">
-         <constraint>classroom exercises/table top written tests</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_1">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_2">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_3">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_2">
-         <constraint>IA-4 (d) [at least two years]</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_3">
-         <constraint>ninety days for user identifiers (See additional requirements and guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_2">
-         <constraint>at least one</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_4">
-         <constraint>twenty four</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-6_prm_1">
-         <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_2">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_4">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_2">
-         <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_3">
-         <constraint>CSP defined physical access control systems/devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_6">
-         <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_8">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_9">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-6_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_1">
-         <constraint>for a minimum of one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_1">
-         <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_2">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-16_prm_1">
-         <constraint>all information system components</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-4_prm_1">
-         <constraint>At least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-2_prm_1">
-         <constraint>at least every three years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3_prm_1">
-         <constraint>For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-4_prm_1">
-         <constraint>same day</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-5_prm_4">
-         <constraint>five days of the time period following the formal transfer action (DoD 24 hours)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-7_prm_2">
-         <constraint>organization-defined time period - same day</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_2">
-         <constraint>security assessment report</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_3">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_5">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_1">
-         <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_2">
-         <constraint>[high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_1">
-         <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_2">
-         <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-13_prm_1">
-         <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-15_prm_1">
-         <constraint>no exceptions</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2_prm_1">
-         <constraint>within 30 days of release of updates</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_2">
-         <constraint>to include endpoints</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_3">
-         <constraint>to include alerting administrator or defined security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_1">
-         <constraint>to include US-CERT</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_2">
-         <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-      </set-parameter>
-      <alter control-id="ac-1">
-         <add position="starting" id-ref="ac-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting" id-ref="ac-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting" id-ref="ac-17">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting" id-ref="ac-18">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting" id-ref="ac-19">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting" id-ref="ac-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.i_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.k_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting" id-ref="ac-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting" id-ref="ac-22">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-22.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting" id-ref="ac-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting" id-ref="ac-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="ending" id-ref="ac-8_smt">
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting" id-ref="at-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting" id-ref="at-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting" id-ref="at-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting" id-ref="at-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting" id-ref="au-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="ending" id-ref="au-11_smt">
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting" id-ref="au-12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="ending" id-ref="au-2_smt">
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting" id-ref="au-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting" id-ref="au-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting" id-ref="au-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="ending" id-ref="au-6_smt">
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting" id-ref="au-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting" id-ref="au-9.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting" id-ref="ca-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="ending" id-ref="ca-2_smt">
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.1">
-         <add position="ending" id-ref="ca-2.1_smt">
-            <part id="ca-2.1_fr" name="item">
-               <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting" id-ref="ca-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="ending" id-ref="ca-5_smt">
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="ending" id-ref="ca-6_smt">
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="ending" id-ref="ca-7_smt">
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting" id-ref="ca-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting" id-ref="cm-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting" id-ref="cm-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting" id-ref="cm-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting" id-ref="cm-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting" id-ref="cm-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="ending" id-ref="cm-6_smt">
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="ending" id-ref="cm-7_smt">
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>
-							Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="ending" id-ref="cm-8_smt">
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting" id-ref="cp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting" id-ref="cp-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="ending" id-ref="cp-2_smt">
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting" id-ref="cp-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="ending" id-ref="cp-4_smt">
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="ending" id-ref="cp-9_smt">
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting" id-ref="ia-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.1">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.12">
-         <add position="ending" id-ref="ia-2.12_smt">
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="ending" id-ref="ia-4_smt">
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="ending" id-ref="ia-5_smt">
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.j_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.1">
-         <add position="ending" id-ref="ia-5.1_smt">
-            <part id="ia-5.1_fr" name="item">
-               <title>IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance (a) (d):</prop>
-                  <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.11">
-         <add position="starting" id-ref="ia-5.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting" id-ref="ia-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting" id-ref="ia-7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting" id-ref="ia-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.1">
-         <add position="starting" id-ref="ia-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.2">
-         <add position="starting" id-ref="ia-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.3">
-         <add position="starting" id-ref="ia-8.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.4">
-         <add position="starting" id-ref="ia-8.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting" id-ref="ir-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting" id-ref="ir-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="ending" id-ref="ir-4_smt">
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting" id-ref="ir-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="ending" id-ref="ir-6_smt">
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="ending" id-ref="ir-8_smt">
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting" id-ref="ma-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting" id-ref="ma-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting" id-ref="ma-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting" id-ref="ma-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting" id-ref="mp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting" id-ref="mp-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting" id-ref="mp-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting" id-ref="pe-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting" id-ref="pe-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting" id-ref="pe-13.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="ending" id-ref="pe-14_smt">
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting" id-ref="pe-15_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting" id-ref="pe-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.9">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting" id-ref="pe-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting" id-ref="pe-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting" id-ref="pe-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting" id-ref="pe-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting" id-ref="pl-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting" id-ref="pl-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting" id-ref="pl-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting" id-ref="ps-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting" id-ref="ps-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting" id-ref="ps-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting" id-ref="ps-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting" id-ref="ps-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting" id-ref="ps-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting" id-ref="ps-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting" id-ref="ps-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting" id-ref="ra-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting" id-ref="ra-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="ending" id-ref="ra-3_smt">
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add id-ref="ra-5_smt">
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-            </part>
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-            </part>
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting" id-ref="sa-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting" id-ref="sa-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting" id-ref="sa-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="ending" id-ref="sa-4_smt">
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.10">
-         <add position="starting" id-ref="sa-4.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting" id-ref="sa-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="ending" id-ref="sa-9_smt">
-            <part id="sa-9_fr" name="item">
-               <title>SA-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-9_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Continuous Monitoring Strategy Guide <a href="https://www.FedRAMP.gov/documents">https://www.FedRAMP.gov/documents</a>
-                  </p>
-               </part>
-               <part id="sa-9_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents&gt;FedRAMP Authorization Boundary Guidance</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting" id-ref="sc-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="ending" id-ref="sc-12_smt">
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting" id-ref="sc-13">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="ending" id-ref="sc-15_smt">
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting" id-ref="sc-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting" id-ref="sc-21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting" id-ref="sc-22_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-22_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting" id-ref="sc-39_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting" id-ref="sc-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting" id-ref="sc-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting" id-ref="si-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting" id-ref="si-12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting" id-ref="si-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting" id-ref="si-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="ending" id-ref="si-4_smt">
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting" id-ref="si-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml" href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
deleted file mode 100644
index 774b5bb6c8..0000000000
--- a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml
+++ /dev/null
@@ -1,8143 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"  uuid="8383f859-be40-453d-9588-c645af5bef6f">
-   
-   <metadata>
-      <title>FedRAMP Moderate Baseline</title>
-      <published>2020-06-01T00:00:00.000-04:00</published>
-      <last-modified>2020-06-01T10:00:00.000-04:00</last-modified>
-      <version>1.2</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="parpared-by">
-         <title>Document creator</title>
-      </role>
-      <role id="fedramp-pmo">
-         <title>The FedRAMP Program Management Office (PMO)</title>
-         <short-name>CSP</short-name>
-      </role>
-      <role id="fedramp-jab">
-         <title>The FedRAMP Joint Authorization Board (JAB)</title>
-         <short-name>CSP</short-name>
-      </role>
-
-      <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Program Management Office</party-name>
-         <short-name>FedRAMP PMO</short-name>
-         <link href="https://fedramp.gov" rel="homepage" />
-         <address type="work">
-            <addr-line>1800 F St. NW</addr-line>
-            <addr-line/>
-            <city>Washington</city>
-            <state>DC</state>
-            <postal-code/>
-            <country>US</country>
-         </address>
-         <email>info@fedramp.gov</email>
-      </party>
-      <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
-         <party-name>Federal Risk and Authorization Management Program: Joint Authorization Board</party-name>
-         <short-name>FedRAMP JAB</short-name>
-      </party>
-
-      <responsible-party role-id="prepared-by">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-pmo">
-         <party-uuid>4aa7b203-318b-4cde-96cf-feaeffc3a4b7</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="fedramp-jab">
-         <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
-      </responsible-party>
-   </metadata>
-
-   <import href="#ad005eae-cc63-4e64-9109-3905a9a825e4">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-2.1"/>
-         <call control-id="ac-2.2"/>
-         <call control-id="ac-2.3"/>
-         <call control-id="ac-2.4"/>
-         <call control-id="ac-2.5"/>
-         <call control-id="ac-2.7"/>
-         <call control-id="ac-2.9"/>
-         <call control-id="ac-2.10"/>
-         <call control-id="ac-2.12"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-4"/>
-         <call control-id="ac-4.21"/>
-         <call control-id="ac-5"/>
-         <call control-id="ac-6"/>
-         <call control-id="ac-6.1"/>
-         <call control-id="ac-6.2"/>
-         <call control-id="ac-6.5"/>
-         <call control-id="ac-6.9"/>
-         <call control-id="ac-6.10"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-10"/>
-         <call control-id="ac-11"/>
-         <call control-id="ac-11.1"/>
-         <call control-id="ac-12"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-17.1"/>
-         <call control-id="ac-17.2"/>
-         <call control-id="ac-17.3"/>
-         <call control-id="ac-17.4"/>
-         <call control-id="ac-17.9"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-18.1"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-19.5"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-20.1"/>
-         <call control-id="ac-20.2"/>
-         <call control-id="ac-21"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-2.2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-2.3"/>
-         <call control-id="au-3"/>
-         <call control-id="au-3.1"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-6"/>
-         <call control-id="au-6.1"/>
-         <call control-id="au-6.3"/>
-         <call control-id="au-7"/>
-         <call control-id="au-7.1"/>
-         <call control-id="au-8"/>
-         <call control-id="au-8.1"/>
-         <call control-id="au-9"/>
-         <call control-id="au-9.2"/>
-         <call control-id="au-9.4"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-2.2"/>
-         <call control-id="ca-2.3"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-3.3"/>
-         <call control-id="ca-3.5"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-7.1"/>
-         <call control-id="ca-8"/>
-         <call control-id="ca-8.1"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-2.1"/>
-         <call control-id="cm-2.2"/>
-         <call control-id="cm-2.3"/>
-         <call control-id="cm-2.7"/>
-         <call control-id="cm-3"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-5"/>
-         <call control-id="cm-5.1"/>
-         <call control-id="cm-5.3"/>
-         <call control-id="cm-5.5"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-6.1"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-7.1"/>
-         <call control-id="cm-7.2"/>
-         <call control-id="cm-7.5"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-8.1"/>
-         <call control-id="cm-8.3"/>
-         <call control-id="cm-8.5"/>
-         <call control-id="cm-9"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-10.1"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-2.1"/>
-         <call control-id="cp-2.2"/>
-         <call control-id="cp-2.3"/>
-         <call control-id="cp-2.8"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-4.1"/>
-         <call control-id="cp-6"/>
-         <call control-id="cp-6.1"/>
-         <call control-id="cp-6.3"/>
-         <call control-id="cp-7"/>
-         <call control-id="cp-7.1"/>
-         <call control-id="cp-7.2"/>
-         <call control-id="cp-7.3"/>
-         <call control-id="cp-8"/>
-         <call control-id="cp-8.1"/>
-         <call control-id="cp-8.2"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-9.1"/>
-         <call control-id="cp-9.3"/>
-         <call control-id="cp-10"/>
-         <call control-id="cp-10.2"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.2"/>
-         <call control-id="ia-2.3"/>
-         <call control-id="ia-2.5"/>
-         <call control-id="ia-2.8"/>
-         <call control-id="ia-2.11"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-3"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-4.4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.2"/>
-         <call control-id="ia-5.3"/>
-         <call control-id="ia-5.4"/>
-         <call control-id="ia-5.6"/>
-         <call control-id="ia-5.7"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-3"/>
-         <call control-id="ir-3.2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-4.1"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-6.1"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-7.1"/>
-         <call control-id="ir-7.2"/>
-         <call control-id="ir-8"/>
-         <call control-id="ir-9"/>
-         <call control-id="ir-9.1"/>
-         <call control-id="ir-9.2"/>
-         <call control-id="ir-9.3"/>
-         <call control-id="ir-9.4"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-3"/>
-         <call control-id="ma-3.1"/>
-         <call control-id="ma-3.2"/>
-         <call control-id="ma-3.3"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-4.2"/>
-         <call control-id="ma-5"/>
-         <call control-id="ma-5.1"/>
-         <call control-id="ma-6"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-3"/>
-         <call control-id="mp-4"/>
-         <call control-id="mp-5"/>
-         <call control-id="mp-5.4"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-6.2"/>
-         <call control-id="mp-7"/>
-         <call control-id="mp-7.1"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-4"/>
-         <call control-id="pe-5"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-6.1"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-9"/>
-         <call control-id="pe-10"/>
-         <call control-id="pe-11"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-13.2"/>
-         <call control-id="pe-13.3"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-14.2"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-16"/>
-         <call control-id="pe-17"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-2.3"/>
-         <call control-id="pl-4"/>
-         <call control-id="pl-4.1"/>
-         <call control-id="pl-8"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-3.3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="ra-5.1"/>
-         <call control-id="ra-5.2"/>
-         <call control-id="ra-5.3"/>
-         <call control-id="ra-5.5"/>
-         <call control-id="ra-5.6"/>
-         <call control-id="ra-5.8"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.1"/>
-         <call control-id="sa-4.2"/>
-         <call control-id="sa-4.8"/>
-         <call control-id="sa-4.9"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-8"/>
-         <call control-id="sa-9"/>
-         <call control-id="sa-9.1"/>
-         <call control-id="sa-9.2"/>
-         <call control-id="sa-9.4"/>
-         <call control-id="sa-9.5"/>
-         <call control-id="sa-10"/>
-         <call control-id="sa-10.1"/>
-         <call control-id="sa-11"/>
-         <call control-id="sa-11.1"/>
-         <call control-id="sa-11.2"/>
-         <call control-id="sa-11.8"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-2"/>
-         <call control-id="sc-4"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-6"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-7.3"/>
-         <call control-id="sc-7.4"/>
-         <call control-id="sc-7.5"/>
-         <call control-id="sc-7.7"/>
-         <call control-id="sc-7.8"/>
-         <call control-id="sc-7.12"/>
-         <call control-id="sc-7.13"/>
-         <call control-id="sc-7.18"/>
-         <call control-id="sc-8"/>
-         <call control-id="sc-8.1"/>
-         <call control-id="sc-10"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-12.2"/>
-         <call control-id="sc-12.3"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-17"/>
-         <call control-id="sc-18"/>
-         <call control-id="sc-19"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-23"/>
-         <call control-id="sc-28"/>
-         <call control-id="sc-28.1"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-2.2"/>
-         <call control-id="si-2.3"/>
-         <call control-id="si-3"/>
-         <call control-id="si-3.1"/>
-         <call control-id="si-3.2"/>
-         <call control-id="si-3.7"/>
-         <call control-id="si-4"/>
-         <call control-id="si-4.1"/>
-         <call control-id="si-4.2"/>
-         <call control-id="si-4.4"/>
-         <call control-id="si-4.5"/>
-         <call control-id="si-4.14"/>
-         <call control-id="si-4.16"/>
-         <call control-id="si-4.23"/>
-         <call control-id="si-5"/>
-         <call control-id="si-6"/>
-         <call control-id="si-7"/>
-         <call control-id="si-7.1"/>
-         <call control-id="si-7.7"/>
-         <call control-id="si-8"/>
-         <call control-id="si-8.1"/>
-         <call control-id="si-8.2"/>
-         <call control-id="si-10"/>
-         <call control-id="si-11"/>
-         <call control-id="si-12"/>
-         <call control-id="si-16"/>
-      </include>
-   </import>
-   <merge>
-      <combine method="keep"/>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <set-parameter param-id="ac-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2_prm_4">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.2_prm_2">
-         <constraint>no more than 30 days for temporary and emergency account types</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-2.3_prm_1">
-         <constraint>90 days for user accounts</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-6.2_prm_1">
-         <constraint>all security functions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_1">
-         <constraint>not more than three (3)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_2">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-7_prm_4">
-         <constraint>locks the account/node for thirty minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_1">
-         <constraint>see additional Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-8_prm_2">
-         <constraint>see additional Requirements and Guidance]</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-10_prm_2">
-         <constraint>three (3) sessions for privileged access and two (2) sessions for non-privileged access</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-11_prm_1">
-         <constraint>fifteen (15) minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-17.9_prm_1">
-         <constraint>fifteen 15 minutes</constraint>
-      </set-parameter>
-      <set-parameter param-id="ac-22_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-3_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="at-4_prm_1">
-         <constraint>At least one year</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_1">
-         <constraint>successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2_prm_2">
-         <constraint>organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-2.3_prm_1">
-         <constraint>annually or whenever there is a change in the threat environment</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-3.1_prm_1">
-         <constraint>session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-5_prm_2">
-         <constraint>organization-defined actions to be taken (overwrite oldest record)</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-6_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8.1_prm_1">
-         <constraint>At least hourly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-8.1_prm_2">
-         <constraint>http://tf.nist.gov/tf-cgi/servers.cgi</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-9.2_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-11_prm_1">
-         <constraint>at least ninety days</constraint>
-      </set-parameter>
-      <set-parameter param-id="au-12_prm_1">
-         <constraint>all information system and network components where audit capability is deployed/available</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2_prm_2">
-         <constraint>individuals or roles to include FedRAMP PMO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_1">
-         <constraint>any FedRAMP Accredited 3PAO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_2">
-         <constraint>any FedRAMP Accredited 3PAO</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-2.3_prm_3">
-         <constraint>the conditions of the JAB/AO in the FedRAMP Repository</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3_prm_1">
-         <constraint>at least annually and on input from FedRAMP</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-3.3_prm_2">
-         <constraint>Boundary Protections which meet the Trusted Internet Connection (TIC) requirements</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-5_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-6_prm_1">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_4">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-7_prm_5">
-         <constraint>to meet Federal and FedRAMP requirements (See additional guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ca-8_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.1_prm_1">
-         <constraint>at least annually or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-2.1_prm_2">
-         <constraint>to include when directed by the JAB</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-5.5_prm_1">
-         <constraint>at least quarterly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-6_prm_1">
-         <guideline>
-            <p>See CM-6(a) Additional FedRAMP Requirements and Guidance</p>
-         </guideline>
-      </set-parameter>
-      <set-parameter param-id="cm-7_prm_1">
-         <constraint>United States Government Configuration Baseline (USGCB)</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7.1_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-7.5_prm_2">
-         <constraint>at least Annually or when there is a change</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-8.3_prm_1">
-         <constraint>Continuously, using automated mechanisms with a maximum five-minute delay in detection</constraint>
-      </set-parameter>
-      <set-parameter param-id="cm-11_prm_3">
-         <constraint>Continuously (via CM-7 (5))</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-2_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_1">
-         <constraint>ten (10) days</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-3_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-4_prm_2">
-         <constraint>functional exercises</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_1">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_2">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9_prm_3">
-         <constraint>daily incremental; weekly full</constraint>
-      </set-parameter>
-      <set-parameter param-id="cp-9.1_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-2.11_prm_1">
-         <constraint>FIPS 140-2, NIAP Certification, or NSA approval</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_2">
-         <constraint>IA-4 (d) [at least two years]</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4_prm_3">
-         <constraint>ninety days for user identifiers (See additional requirements and guidance)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-4.4_prm_1">
-         <constraint>contractors; foreign nationals</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_2">
-         <constraint>at least one</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.1_prm_4">
-         <constraint>twenty four (24)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.3_prm_1">
-         <constraint>All hardware/biometric (multifactor authenticators)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ia-5.3_prm_2">
-         <constraint>in person</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-3_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-3_prm_2">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-6_prm_1">
-         <constraint>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_2">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ir-8_prm_4">
-         <constraint>see additional FedRAMP Requirements and Guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ma-3.3_prm_1">
-         <constraint>the information owner explicitly authorizing removal of the equipment from the facility</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-3_prm_1">
-         <constraint>no removable media types</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-4_prm_1">
-         <constraint>all types of digital and non-digital media with sensitive information</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-4_prm_2">
-         <constraint>see additional FedRAMP requirements and guidance</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-5_prm_1">
-         <constraint>all media with sensitive information</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-5_prm_2">
-         <constraint>prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container</constraint>
-      </set-parameter>
-      <set-parameter param-id="mp-6.2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-2_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_2">
-         <constraint>CSP defined physical access control systems/devices AND guards</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_3">
-         <constraint>CSP defined physical access control systems/devices</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_6">
-         <constraint>in all circumstances within restricted access area where the information system resides</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_8">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-3_prm_9">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-6_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_1">
-         <constraint>for a minimum of one (1) year</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-8_prm_2">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_1">
-         <constraint>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-14_prm_2">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="pe-16_prm_1">
-         <constraint>all information system components</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-2_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-4_prm_1">
-         <constraint>At least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="pl-8_prm_1">
-         <constraint>At least annually or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-2_prm_1">
-         <constraint>at least every three years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3_prm_1">
-         <constraint>for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-3.3_prm_1">
-         <constraint>personnel screening criteria - as required by specific information</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-4_prm_1">
-         <constraint>same day</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-5_prm_4">
-         <constraint>five days of the time period following the formal transfer action (DoD 24 hours)</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-6_prm_2">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ps-7_prm_2">
-         <constraint>organization-defined time period - same day</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_2">
-         <constraint>security assessment report</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_3">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-3_prm_5">
-         <constraint>at least every three (3) years or when a significant change occurs</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_1">
-         <constraint>monthly operating system/infrastructure; monthly web applications and databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5_prm_2">
-         <constraint>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.2_prm_1">
-         <constraint>prior to a new scan</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.5_prm_1">
-         <constraint>operating systems / web applications / databases</constraint>
-      </set-parameter>
-      <set-parameter param-id="ra-5.5_prm_2">
-         <constraint>all scans</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-4.2_prm_1">
-         <constraint>to include security-relevant external system interfaces and high-level design</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-4.8_prm_1">
-         <constraint>at least the minimum requirement as defined in control CA-7</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_1">
-         <constraint>FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9_prm_2">
-         <constraint>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.2_prm_1">
-         <constraint>all external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.4_prm_2">
-         <constraint>all external systems where Federal information is processed or stored</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-9.5_prm_1">
-         <constraint>information processing, information data, AND information services</constraint>
-      </set-parameter>
-      <set-parameter param-id="sa-10_prm_1">
-         <constraint>development, implementation, AND operation</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-7.4_prm_1">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8_prm_1">
-         <constraint>confidentiality AND integrity</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8.1_prm_1">
-         <constraint>prevent unauthorized disclosure of information AND detect changes to information</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-8.1_prm_2">
-         <constraint>a hardened or alarmed carrier Protective Distribution System (PDS)</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-10_prm_1">
-         <constraint>no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-12.2_prm_1">
-         <constraint>NIST FIPS-compliant</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-13_prm_1">
-         <constraint>FIPS-validated or NSA-approved cryptography</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-15_prm_1">
-         <constraint>no exceptions</constraint>
-      </set-parameter>
-      <set-parameter param-id="sc-28_prm_1">
-         <constraint>confidentiality AND integrity</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_2">
-         <constraint>at least every 3 years</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-1_prm_3">
-         <constraint>at least annually</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2_prm_1">
-         <constraint>within 30 days of release of updates</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-2.2_prm_1">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_1">
-         <constraint>at least weekly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_2">
-         <constraint>to include endpoints</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-3_prm_3">
-         <constraint>to include alerting administrator or defined security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-4.4_prm_1">
-         <constraint>continuously</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_1">
-         <constraint>to include US-CERT</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-5_prm_2">
-         <constraint>to include system security personnel and administrators with configuration/patch-management responsibilities</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_3">
-         <constraint>to include upon system startup and/or restart</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_4">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_5">
-         <constraint>to include system administrators and security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-6_prm_7">
-         <constraint>to include notification of system administrators and security personnel</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-7.1_prm_3">
-         <constraint>Selection to include security relevant events</constraint>
-      </set-parameter>
-      <set-parameter param-id="si-7.1_prm_4">
-         <constraint>at least monthly</constraint>
-      </set-parameter>
-      <alter control-id="ac-1">
-         <add position="starting" id-ref="ac-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-10">
-         <add position="starting" id-ref="ac-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-10_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11">
-         <add position="starting" id-ref="ac-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-11.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11.1">
-         <add position="starting" id-ref="ac-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-12">
-         <add position="starting" id-ref="ac-12">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting" id-ref="ac-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-14.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting" id-ref="ac-17">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.1">
-         <add position="starting" id-ref="ac-17.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.2">
-         <add position="starting" id-ref="ac-17.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.3">
-         <add position="starting" id-ref="ac-17.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.4">
-         <add position="starting" id-ref="ac-17.4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17.9">
-         <add position="starting" id-ref="ac-17.9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-17.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-17.9_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting" id-ref="ac-18">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-18.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18.1">
-         <add position="starting" id-ref="ac-18.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting" id-ref="ac-19">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19.5">
-         <add position="starting" id-ref="ac-19.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-19.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-19.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting" id-ref="ac-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.i_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.j_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.k_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.1">
-         <add position="starting" id-ref="ac-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.10">
-         <add position="ending" id-ref="ac-2.10_smt">
-            <part id="ac-2.10_fr" name="item">
-               <title>AC-2 (10) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.10_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Required if shared/group accounts are deployed</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.12">
-         <add position="ending" id-ref="ac-2.12_smt">
-            <part id="ac-2.12_fr" name="item">
-               <title>AC-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) Guidance:</prop>
-                  <p>Required for privileged accounts.</p>
-               </part>
-               <part id="ac-2.12_fr_gdn.2" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Required for privileged accounts.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.12">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.2">
-         <add position="starting" id-ref="ac-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.3">
-         <add position="starting" id-ref="ac-2.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.4">
-         <add position="starting" id-ref="ac-2.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.5">
-         <add position="ending" id-ref="ac-2.5_smt">
-            <part id="ac-2.5_fr" name="item">
-               <title>AC-2 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Should use a shorter timeframe than AC-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-2.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.7">
-         <add position="starting" id-ref="ac-2.7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2.9">
-         <add position="ending" id-ref="ac-2.9_smt">
-            <part id="ac-2.9_fr" name="item">
-               <title>AC-2 (9) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-2.9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Required if shared/group accounts are deployed</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-2.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-2.9_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting" id-ref="ac-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20.1">
-         <add position="starting" id-ref="ac-20.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20.2">
-         <add position="starting" id-ref="ac-20.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-21">
-         <add position="starting" id-ref="ac-21.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-21.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting" id-ref="ac-22">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-22.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-22.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting" id-ref="ac-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4">
-         <add position="starting" id-ref="ac-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4.21">
-         <add position="starting" id-ref="ac-4.21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-4.21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-5">
-         <add position="ending" id-ref="ac-5_smt">
-            <part id="ac-5_fr" name="item">
-               <title>AC-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6">
-         <add position="starting" id-ref="ac-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.1">
-         <add position="starting" id-ref="ac-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.10">
-         <add position="starting" id-ref="ac-6.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.2">
-         <add position="ending" id-ref="ac-6.2_smt">
-            <part id="ac-6.2_fr" name="item">
-               <title>AC-6 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-6.2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.5">
-         <add position="starting" id-ref="ac-6.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-6.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6.9">
-         <add position="starting" id-ref="ac-6.9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-6.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting" id-ref="ac-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="ending" id-ref="ac-8_smt">
-            <part id="ac-8_fr" name="item">
-               <title>AC-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ac-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="ac-8_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.</p>
-               </part>
-               <part id="ac-8_fr_smt.3" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ac-8.c.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting" id-ref="at-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting" id-ref="at-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2.2">
-         <add position="starting" id-ref="at-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting" id-ref="at-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting" id-ref="at-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="at-4.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting" id-ref="au-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="ending" id-ref="au-11_smt">
-            <part id="au-11_fr" name="item">
-               <title>AU-11 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-11_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-11">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting" id-ref="au-12.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-12.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-12.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="ending" id-ref="au-2_smt">
-            <part id="au-2_fr" name="item">
-               <title>AU-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-2.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2.3">
-         <add position="ending" id-ref="au-2.3_smt">
-            <part id="au-2.3_fr" name="item">
-               <title>AU-2 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-2.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-2.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting" id-ref="au-3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3.1">
-         <add position="ending" id-ref="au-3.1_smt">
-            <part id="au-3.1_fr" name="item">
-               <title>AU-3 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-3.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines audit record types <em>[FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]</em>.  The audit record types are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="au-3.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-3.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-3.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting" id-ref="au-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting" id-ref="au-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="ending" id-ref="au-6_smt">
-            <part id="au-6_fr" name="item">
-               <title>AU-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.1">
-         <add position="starting" id-ref="au-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6.3">
-         <add position="starting" id-ref="au-6.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7">
-         <add position="starting" id-ref="au-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="au-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7.1">
-         <add position="starting" id-ref="au-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting" id-ref="au-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8.1">
-         <add position="ending" id-ref="au-8.1_smt">
-            <part id="au-8.1_fr" name="item">
-               <title>AU-8 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="au-8.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.</p>
-               </part>
-               <part id="au-8.1_fr_smt.2" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.</p>
-               </part>
-               <part id="au-8.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Synchronization of system clocks improves the accuracy of log analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="au-8.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-8.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting" id-ref="au-9.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.2">
-         <add position="starting" id-ref="au-9.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9.4">
-         <add position="starting" id-ref="au-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="au-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting" id-ref="ca-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="ending" id-ref="ca-2_smt">
-            <part id="ca-2_fr" name="item">
-               <title>CA-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.1">
-         <add position="ending" id-ref="ca-2.1_smt">
-            <part id="ca-2.1_fr" name="item">
-               <title>CA-2 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.2">
-         <add position="ending" id-ref="ca-2.2_smt">
-            <part id="ca-2.2_fr" name="item">
-               <title>CA-2 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-2.2_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>To include 'announced', 'vulnerability scanning'</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2.3">
-         <add position="starting" id-ref="ca-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-2.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting" id-ref="ca-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3.3">
-         <add position="ending" id-ref="ca-3.3_smt">
-            <part id="ca-3.3_fr" name="item">
-               <title>CA-3 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-3.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3.5">
-         <add position="ending" id-ref="ca-3.5_smt">
-            <part id="ca-3.5_fr" name="item">
-               <title>CA-3 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-3.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-3.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-3.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-3.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="ending" id-ref="ca-5_smt">
-            <part id="ca-5_fr" name="item">
-               <title>CA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Plan of Action &amp; Milestones (POA&amp;M) must be provided at least monthly.</p>
-               </part>
-               <part id="ca-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action &amp; Milestones (POA&amp;M) Template Completion Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="ending" id-ref="ca-6_smt">
-            <part id="ca-6_fr" name="item">
-               <title>CA-6(c) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="ending" id-ref="ca-7_smt">
-            <part id="ca-7_fr" name="item">
-               <title>CA-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.</p>
-               </part>
-               <part id="ca-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&amp;M updates.</p>
-               </part>
-               <part id="ca-7_fr_gdn.2" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide <a href="https://www.fedramp.gov/documents/">https://www.fedramp.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7.1">
-         <add position="starting" id-ref="ca-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8">
-         <add position="ending" id-ref="ca-8_smt">
-            <part id="ca-8_fr" name="item">
-               <title>CA-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ca-8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance <a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>
-                  </p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ca-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8.1">
-         <add position="starting" id-ref="ca-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting" id-ref="ca-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ca-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting" id-ref="cm-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting" id-ref="cm-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10.1">
-         <add position="starting" id-ref="cm-10.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-10.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting" id-ref="cm-11.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-11.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting" id-ref="cm-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.1">
-         <add position="starting" id-ref="cm-2.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-2.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.2">
-         <add position="starting" id-ref="cm-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.2_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.3">
-         <add position="starting" id-ref="cm-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2.7">
-         <add position="starting" id-ref="cm-2.7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-2.7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3">
-         <add position="ending" id-ref="cm-3_smt">
-            <part id="cm-3_fr" name="item">
-               <title>CM-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-3_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.</p>
-               </part>
-               <part id="cm-3_fr_gdn.1" name="guidance">
-                  <prop name="label">(e) Guidance:</prop>
-                  <p>In accordance with record retention policies and procedures.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-3.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting" id-ref="cm-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5">
-         <add position="starting" id-ref="cm-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.1">
-         <add position="starting" id-ref="cm-5.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.3">
-         <add position="ending" id-ref="cm-5.3_smt">
-            <part id="cm-5.3_fr" name="item">
-               <title>CM-5 (3) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-5.3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5.5">
-         <add position="starting" id-ref="cm-5.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-5.5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-5.5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="ending" id-ref="cm-6_smt">
-            <part id="cm-6_fr" name="item">
-               <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement 1:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. </p>
-               </part>
-               <part id="cm-6_fr_smt.2" name="item">
-                  <prop name="label">Requirement 2:</prop>
-                  <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p>
-               </part>
-               <part id="cm-6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.c_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6.1">
-         <add position="starting" id-ref="cm-6.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-6.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="ending" id-ref="cm-7_smt">
-            <part id="cm-7_fr" name="item">
-               <title>CM-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.</p>
-               </part>
-               <part id="cm-7_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Information on the USGCB checklists can be found at: <a href="http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc">http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc</a>. Partially derived from AC-17(8).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.1">
-         <add position="starting" id-ref="cm-7.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-7.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.2">
-         <add position="ending" id-ref="cm-7.2_smt">
-            <part id="cm-7.2_fr" name="item">
-               <title>CM-7 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-7.2_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7.5">
-         <add position="starting" id-ref="cm-7.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-7.5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-7.5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="ending" id-ref="cm-8_smt">
-            <part id="cm-8_fr" name="item">
-               <title>CM-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cm-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Must be provided at least monthly or when there is a change.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cm-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.a.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.1">
-         <add position="starting" id-ref="cm-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.3">
-         <add position="starting" id-ref="cm-8.3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-8.3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-8.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8.5">
-         <add position="starting" id-ref="cm-8.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-9">
-         <add position="starting" id-ref="cm-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cm-9.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cm-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting" id-ref="cp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting" id-ref="cp-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10.2">
-         <add position="starting" id-ref="cp-10.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="ending" id-ref="cp-2_smt">
-            <part id="cp-2_fr" name="item">
-               <title>CP-2 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-2_fr_smt.1" name="item">
-                  <prop name="label">CP-2 Requirement:</prop>
-                  <p>For JAB authorizations the contingency lists include designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.a.6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.g_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.1">
-         <add position="starting" id-ref="cp-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.2">
-         <add position="starting" id-ref="cp-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.3">
-         <add position="starting" id-ref="cp-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2.8">
-         <add position="starting" id-ref="cp-2.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting" id-ref="cp-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="ending" id-ref="cp-4_smt">
-            <part id="cp-4_fr" name="item">
-               <title>CP-4(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-4_fr_smt.a" name="item">
-                  <prop name="label">CP-4(a) Requirement:</prop>
-                  <p>The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4.1">
-         <add position="starting" id-ref="cp-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6">
-         <add position="starting" id-ref="cp-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="cp-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.1">
-         <add position="starting" id-ref="cp-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6.3">
-         <add position="starting" id-ref="cp-6.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-6.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7">
-         <add position="ending" id-ref="cp-7_smt">
-            <part id="cp-7_fr" name="item">
-               <title>CP-7 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.1">
-         <add position="ending" id-ref="cp-7.1_smt">
-            <part id="cp-7.1_fr" name="item">
-               <title>CP-7 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-7.1_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.2">
-         <add position="starting" id-ref="cp-7.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-7.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7.3">
-         <add position="starting" id-ref="cp-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8">
-         <add position="ending" id-ref="cp-8_smt">
-            <part id="cp-8_fr" name="item">
-               <title>CP-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines a time period consistent with the recovery time objectives and business impact analysis.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.1">
-         <add position="starting" id-ref="cp-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8.2">
-         <add position="starting" id-ref="cp-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="ending" id-ref="cp-9_smt">
-            <part id="cp-9_fr" name="item">
-               <title>CP-9 Additional FedRAMP Requirements and Guidance</title>
-               <part id="cp-9_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.</p>
-               </part>
-               <part id="cp-9_fr_smt.a" name="item">
-                  <prop name="label">CP-9(a) Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of user-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.b" name="item">
-                  <prop name="label">CP-9(b)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of system-level information (at least one of which is available online).</p>
-               </part>
-               <part id="cp-9_fr_smt.c" name="item">
-                  <prop name="label">CP-9(c)Requirement:</prop>
-                  <p>The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="cp-9">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.1">
-         <add position="starting" id-ref="cp-9.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="cp-9.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9.3">
-         <add position="starting" id-ref="cp-9.3_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.3_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="cp-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting" id-ref="ia-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.1">
-         <add position="starting" id-ref="ia-2.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.11">
-         <add position="ending" id-ref="ia-2.11_smt">
-            <part id="ia-2.11_fr" name="item">
-               <title>IA-2 (11) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.11_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.11_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.12">
-         <add position="ending" id-ref="ia-2.12_smt">
-            <part id="ia-2.12_fr" name="item">
-               <title>IA-2 (12) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-2.12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-2.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.2">
-         <add position="starting" id-ref="ia-2.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.3">
-         <add position="starting" id-ref="ia-2.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.5">
-         <add position="starting" id-ref="ia-2.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2.8">
-         <add position="starting" id-ref="ia-2.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-3">
-         <add position="starting" id-ref="ia-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="ending" id-ref="ia-4_smt">
-            <part id="ia-4_fr" name="item">
-               <title>IA-4(e) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-4_fr_smt.e" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines the time period of inactivity for device identifiers.</p>
-               </part>
-               <part id="ia-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP <a href="http://iase.disa.mil/cloud_security/Pages/index.aspx">http://iase.disa.mil/cloud_security/Pages/index.aspx</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4.4">
-         <add position="starting" id-ref="ia-4.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-4.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="ending" id-ref="ia-5_smt">
-            <part id="ia-5_fr" name="item">
-               <title>IA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link <a href="https://pages.nist.gov/800-63-3">https://pages.nist.gov/800-63-3</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.h_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.i_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.j_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.1">
-         <add position="ending" id-ref="ia-5.1_smt">
-            <part id="ia-5.1_fr" name="item">
-               <title>IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.1_fr_gdn.1" name="guidance">
-                  <prop name="label">(a) (d) Guidance:</prop>
-                  <p>If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.a_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.d_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.1.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.11">
-         <add position="starting" id-ref="ia-5.11_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.11_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.2">
-         <add position="starting" id-ref="ia-5.2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.3">
-         <add position="starting" id-ref="ia-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.3_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.4">
-         <add position="ending" id-ref="ia-5.4_smt">
-            <part id="ia-5.4_fr" name="item">
-               <title>IA-5 (4) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ia-5.4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ia-5.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-5.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.6">
-         <add position="starting" id-ref="ia-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5.7">
-         <add position="starting" id-ref="ia-5.7_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting" id-ref="ia-6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting" id-ref="ia-7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting" id-ref="ia-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.1">
-         <add position="starting" id-ref="ia-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.2">
-         <add position="starting" id-ref="ia-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.3">
-         <add position="starting" id-ref="ia-8.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ia-8.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8.4">
-         <add position="starting" id-ref="ia-8.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting" id-ref="ir-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting" id-ref="ir-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3">
-         <add position="ending" id-ref="ir-3_smt">
-            <part id="ir-3_fr" name="item">
-               <title>IR-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-3_fr_smt.1" name="item">
-                  <prop name="label">IR-3 -2 Requirement:</prop>
-                  <p>The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-3_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3.2">
-         <add position="starting" id-ref="ir-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="ending" id-ref="ir-4_smt">
-            <part id="ir-4_fr" name="item">
-               <title>IR-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-4_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4.1">
-         <add position="starting" id-ref="ir-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting" id-ref="ir-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="ending" id-ref="ir-6_smt">
-            <part id="ir-6_fr" name="item">
-               <title>IR-6 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-6_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Report security incident information according to FedRAMP Incident Communications Procedure.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6.1">
-         <add position="starting" id-ref="ir-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7.1">
-         <add position="starting" id-ref="ir-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7.2">
-         <add position="starting" id-ref="ir-7.2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-7.2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="ending" id-ref="ir-8_smt">
-            <part id="ir-8_fr" name="item">
-               <title>IR-8 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ir-8_fr_smt.b" name="item">
-                  <prop name="label">(b) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-               <part id="ir-8_fr_smt.e" name="item">
-                  <prop name="label">(e) Requirement:</prop>
-                  <p>The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements.  The incident response list includes designated FedRAMP personnel.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ir-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-8.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.a.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-8.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9">
-         <add position="starting" id-ref="ir-9.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.1">
-         <add position="starting" id-ref="ir-9.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.2">
-         <add position="starting" id-ref="ir-9.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ir-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.3">
-         <add position="starting" id-ref="ir-9.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-9.4">
-         <add position="starting" id-ref="ir-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ir-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting" id-ref="ma-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting" id-ref="ma-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-2.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3">
-         <add position="starting" id-ref="ma-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.1">
-         <add position="starting" id-ref="ma-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.2">
-         <add position="starting" id-ref="ma-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3.3">
-         <add position="starting" id-ref="ma-3.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting" id-ref="ma-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4.2">
-         <add position="starting" id-ref="ma-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ma-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting" id-ref="ma-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5.1">
-         <add position="ending" id-ref="ma-5.1_smt">
-            <part id="ma-5.1_fr" name="item">
-               <title>MA-5 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ma-5.1_fr_smt.b" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ma-5.1.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.1.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ma-5.1.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-6">
-         <add position="starting" id-ref="ma-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-6.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ma-6.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting" id-ref="mp-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting" id-ref="mp-2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-3">
-         <add position="ending" id-ref="mp-3_smt">
-            <part id="mp-3_fr" name="item">
-               <title>MP-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-3_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Second parameter not-applicable</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-4">
-         <add position="ending" id-ref="mp-4_smt">
-            <part id="mp-4_fr" name="item">
-               <title>MP-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-4_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines controlled areas within facilities where the information and information system reside.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5">
-         <add position="ending" id-ref="mp-5_smt">
-            <part id="mp-5_fr" name="item">
-               <title>MP-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-5_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5.4">
-         <add position="starting" id-ref="mp-5.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting" id-ref="mp-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6.2">
-         <add position="ending" id-ref="mp-6.2_smt">
-            <part id="mp-6.2_fr" name="item">
-               <title>MP-6 (2) Additional FedRAMP Requirements and Guidance</title>
-               <part id="mp-6.2_fr_gdn.a" name="guidance">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>Equipment and procedures may be tested or validated for effectiveness</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="mp-6.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="mp-6.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-6.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="mp-7_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7.1">
-         <add position="starting" id-ref="mp-7.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting" id-ref="pe-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-10">
-         <add position="starting" id-ref="pe-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-11">
-         <add position="starting" id-ref="pe-11_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting" id-ref="pe-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting" id-ref="pe-13.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.2">
-         <add position="starting" id-ref="pe-13.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-13.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13.3">
-         <add position="starting" id-ref="pe-13.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="ending" id-ref="pe-14_smt">
-            <part id="pe-14_fr" name="item">
-               <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pe-14_fr_smt.a" name="item">
-                  <prop name="label">(a) Requirement:</prop>
-                  <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.b_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14.2">
-         <add position="starting" id-ref="pe-14.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-14.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting" id-ref="pe-15_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting" id-ref="pe-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.5">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.6">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.7">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.8">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-16_obj.9">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-17">
-         <add position="starting" id-ref="pe-17.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-17.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting" id-ref="pe-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting" id-ref="pe-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-3.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-4">
-         <add position="starting" id-ref="pe-4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-5">
-         <add position="starting" id-ref="pe-5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting" id-ref="pe-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-6.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6.1">
-         <add position="starting" id-ref="pe-6.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting" id-ref="pe-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pe-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-9">
-         <add position="starting" id-ref="pe-9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting" id-ref="pl-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting" id-ref="pl-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-2.a.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.5_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.a.9_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2.3">
-         <add position="starting" id-ref="pl-2.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-2.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting" id-ref="pl-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4.1">
-         <add position="starting" id-ref="pl-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-4.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-8">
-         <add position="ending" id-ref="pl-8_smt">
-            <part id="pl-8_fr" name="item">
-               <title>PL-8(b) Additional FedRAMP Requirements and Guidance</title>
-               <part id="pl-8_fr_gdn.b" name="guidance">
-                  <prop name="label">(b) Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="pl-8">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="pl-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="pl-8.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting" id-ref="ps-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting" id-ref="ps-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting" id-ref="ps-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3.3">
-         <add position="starting" id-ref="ps-3.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-3.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting" id-ref="ps-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-4.f_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting" id-ref="ps-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-5.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting" id-ref="ps-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-6.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-6.c.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting" id-ref="ps-7">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ps-7.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.d_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-7.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting" id-ref="ps-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ps-8.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting" id-ref="ra-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting" id-ref="ra-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="ending" id-ref="ra-3_smt">
-            <part id="ra-3_fr" name="item">
-               <title>RA-3 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-3_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F</p>
-               </part>
-               <part id="ra-3_fr_smt.d" name="item">
-                  <prop name="label">RA-3 (d) Requirement:</prop>
-                  <p>Include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-3.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add position="ending" id-ref="ra-5_smt.a">
-            <part id="ra-5_fr_smt.a" name="item">
-               <title>RA-5(a) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (a)Requirement:</prop>
-               <p>An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.</p>
-            </part>
-         </add>
-         <add position="ending" id-ref="ra-5_smt.e">
-            <part id="ra-5_fr_smt.e" name="item">
-               <title>RA-5(e) Additional FedRAMP Requirements and Guidance</title>
-               <prop name="label">RA-5 (e)Requirement:</prop>
-               <p>To include all Authorizing Officials; for JAB authorizations to include FedRAMP.</p>
-            </part>
-         </add>
-         <add position="ending" id-ref="ra-5_smt">
-            <part id="ra-5_fr" name="item">
-               <title>RA-5 Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>
-                     <strong>See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents&gt; Vulnerability Scanning Requirements</strong> (<a href="https://www.FedRAMP.gov/documents/">https://www.FedRAMP.gov/documents/</a>)</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.b.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.1">
-         <add position="starting" id-ref="ra-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.2">
-         <add position="starting" id-ref="ra-5.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.3">
-         <add position="starting" id-ref="ra-5.3_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.3_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.5">
-         <add position="starting" id-ref="ra-5.5">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="ra-5.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.6">
-         <add position="ending" id-ref="ra-5.6_smt">
-            <part id="ra-5.6_fr" name="item">
-               <title>RA-5 (6) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.6_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Include in Continuous Monitoring ISSO digest/report to JAB/AO</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.6_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5.8">
-         <add position="ending" id-ref="ra-5.8_smt">
-            <part id="ra-5.8_fr" name="item">
-               <title>RA-5 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="ra-5.8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>This enhancement is required for all high vulnerability scan findings.</p>
-               </part>
-               <part id="ra-5.8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="ra-5.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting" id-ref="sa-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10">
-         <add position="ending" id-ref="sa-10_smt">
-            <part id="sa-10_fr" name="item">
-               <title>SA-10 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-10_fr_smt.1" name="item">
-                  <prop name="label">(e)  Requirement:</prop>
-                  <p>For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-10.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-10.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10.1">
-         <add position="starting" id-ref="sa-10.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11">
-         <add position="starting" id-ref="sa-11.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-11.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.1">
-         <add position="ending" id-ref="sa-11.1_smt">
-            <part id="sa-11.1_fr" name="item">
-               <title>SA-11 (1) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-11.1_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-11.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.2">
-         <add position="starting" id-ref="sa-11.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11.8">
-         <add position="ending" id-ref="sa-11.8_smt">
-            <part id="sa-11.8_fr" name="item">
-               <title>SA-11 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-11.8_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-11.8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting" id-ref="sa-2.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-2.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting" id-ref="sa-3.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-3.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="ending" id-ref="sa-4_smt">
-            <part id="sa-4_fr" name="item">
-               <title>SA-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See <a href="http://www.niap-ccevs.org/vpl">http://www.niap-ccevs.org/vpl</a> or <a href="http://www.commoncriteriaportal.org/products.html">http://www.commoncriteriaportal.org/products.html</a>.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.1">
-         <add position="starting" id-ref="sa-4.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.10">
-         <add position="starting" id-ref="sa-4.10_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.2">
-         <add position="starting" id-ref="sa-4.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.8">
-         <add position="ending" id-ref="sa-4.8_smt">
-            <part id="sa-4.8_fr" name="item">
-               <title>SA-4 (8) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sa-4.8_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>CSP must use the same security standards regardless of where the system component or information system service is acquired.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sa-4.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-4.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4.9">
-         <add position="starting" id-ref="sa-4.9_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting" id-ref="sa-5.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-5.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-8">
-         <add position="starting" id-ref="sa-8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="starting" id-ref="sa-9.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.1">
-         <add position="starting" id-ref="sa-9.1.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.1.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.1.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.2">
-         <add position="starting" id-ref="sa-9.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.4">
-         <add position="starting" id-ref="sa-9.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.4_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9.5">
-         <add position="starting" id-ref="sa-9.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sa-9.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting" id-ref="sc-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-10">
-         <add position="starting" id-ref="sc-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="ending" id-ref="sc-12_smt">
-            <part id="sc-12_fr" name="item">
-               <title>SC-12 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-12_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>Federally approved and validated cryptography.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-12.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.2">
-         <add position="starting" id-ref="sc-12.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12.3">
-         <add position="starting" id-ref="sc-12.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting" id-ref="sc-13">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-13_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="ending" id-ref="sc-15_smt">
-            <part id="sc-15_fr" name="item">
-               <title>SC-15 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-15_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-15.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-17">
-         <add position="starting" id-ref="sc-17_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-17_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-18">
-         <add position="starting" id-ref="sc-18.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-18.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-19">
-         <add position="starting" id-ref="sc-19.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-19.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-2">
-         <add position="starting" id-ref="sc-2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting" id-ref="sc-20.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-20.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting" id-ref="sc-21_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-21_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting" id-ref="sc-22_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-22_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-23">
-         <add position="starting" id-ref="sc-23_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28">
-         <add position="ending" id-ref="sc-28_smt">
-            <part id="sc-28_fr" name="item">
-               <title>SC-28 Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-28_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>The organization supports the capability to use cryptographic mechanisms to protect information at rest.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28.1">
-         <add position="starting" id-ref="sc-28.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-28.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting" id-ref="sc-39_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-4">
-         <add position="starting" id-ref="sc-4_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting" id-ref="sc-5.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-5.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-6">
-         <add position="starting" id-ref="sc-6_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-6_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-6_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting" id-ref="sc-7.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.a_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.12">
-         <add position="starting" id-ref="sc-7.12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.12_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.12_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.13">
-         <add position="ending" id-ref="sc-7.13_smt">
-            <part id="sc-7.13_fr" name="item">
-               <title>SC-7 (13) Additional FedRAMP Requirements and Guidance</title>
-               <part id="sc-7.13_fr_smt.1" name="item">
-                  <prop name="label">Requirement:</prop>
-                  <p>The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="sc-7.13_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.13_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.18">
-         <add position="starting" id-ref="sc-7.18_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.3">
-         <add position="starting" id-ref="sc-7.3_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.4">
-         <add position="starting" id-ref="sc-7.4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="sc-7.4.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.4.e_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.5">
-         <add position="starting" id-ref="sc-7.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.7">
-         <add position="starting" id-ref="sc-7.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7.8">
-         <add position="starting" id-ref="sc-7.8_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.8_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-7.8_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8">
-         <add position="starting" id-ref="sc-8_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8.1">
-         <add position="starting" id-ref="sc-8.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="sc-8.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting" id-ref="si-1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.a.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-1.b.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-10">
-         <add position="starting" id-ref="si-10_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-10_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-11">
-         <add position="starting" id-ref="si-11.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-11.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-11.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting" id-ref="si-12_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-16">
-         <add position="starting" id-ref="si-16_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-16_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting" id-ref="si-2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.a_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.2">
-         <add position="starting" id-ref="si-2.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-2.2_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.2_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2.3">
-         <add position="starting" id-ref="si-2.3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-2.3.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-2.3.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting" id-ref="si-3">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-3.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.c.2_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-3.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.1">
-         <add position="starting" id-ref="si-3.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.2">
-         <add position="starting" id-ref="si-3.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3.7">
-         <add position="starting" id-ref="si-3.7_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="ending" id-ref="si-4_smt">
-            <part id="si-4_fr" name="item">
-               <title>SI-4 Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>See US-CERT Incident Response Reporting Guidelines.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.a.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.b.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.c_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.e_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.f_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.g_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.1">
-         <add position="starting" id-ref="si-4.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.14">
-         <add position="starting" id-ref="si-4.14">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-4.14_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.16">
-         <add position="starting" id-ref="si-4.16_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.2">
-         <add position="starting" id-ref="si-4.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.23">
-         <add position="starting" id-ref="si-4.23_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.23_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.23_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.4">
-         <add position="starting" id-ref="si-4.4">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-4.4_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.4_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4.5">
-         <add position="ending" id-ref="si-4.5_smt">
-            <part id="si-4.5_fr" name="item">
-               <title>SI-4 (5) Additional FedRAMP Requirements and Guidance</title>
-               <part id="si-4.5_fr_gdn.1" name="guidance">
-                  <prop name="label">Guidance:</prop>
-                  <p>In accordance with the incident response plan.</p>
-               </part>
-            </part>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-4.5_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting" id-ref="si-5.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-5.c_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-5.d_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-6">
-         <add position="starting" id-ref="si-6">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-6.a_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.a_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.b_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.c_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.c_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-         <add position="starting" id-ref="si-6.d_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-6.d_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7">
-         <add position="starting" id-ref="si-7_obj.1.a">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7_obj.1.b">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7_obj.1.c">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.1">
-         <add position="starting" id-ref="si-7.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.3">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.1_obj.4">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7.7">
-         <add position="starting" id-ref="si-7.7_obj.1">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-7.7_obj.2">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8">
-         <add position="starting" id-ref="si-8.a_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-         </add>
-         <add position="starting" id-ref="si-8.b_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8.1">
-         <add position="starting" id-ref="si-8.1">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-8.1_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8.2">
-         <add position="starting" id-ref="si-8.2">
-            <prop name="CORE" ns="https://fedramp.gov/ns/oscal"/>
-         </add>
-         <add position="starting" id-ref="si-8.2_obj">
-            <prop name="conformity" ns="https://fedramp.gov/ns/oscal">assessment-objective</prop>
-            <prop name="method" class="fedramp">EXAMINE</prop>
-            <prop name="method" class="fedramp">INTERVIEW</prop>
-            <prop name="method" class="fedramp">TEST</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
-         <title>FedRAMP Applicable Laws and Regulations</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-citations</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
-      </resource>
-      <resource uuid="1a23a771-d481-4594-9a1a-71d584fa4123">
-         <title>FedRAMP Master Acronym and Glossary</title>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-acronyms</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"/>
-      </resource>
-      <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
-         <desc>FedRAMP Logo</desc>
-         <prop name="conformity" ns="https://fedramp.gov/ns/oscal">fedramp-logo</prop>
-         <prop name="keep">always</prop>
-         <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
-      </resource>
-      <resource uuid="ad005eae-cc63-4e64-9109-3905a9a825e4">
-         <title>NIST Special Publication (SP) 800-53</title>
-         <prop name="version" ns="https://fedramp.gov/ns/oscal">Revision 4</prop>
-         <prop name="keep">always</prop>
-         <rlink media-type="application/xml" href="../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/src/content/mini-testing/Unit-Testing-Description.md b/src/content/mini-testing/Unit-Testing-Description.md
deleted file mode 100644
index 1564f718f1..0000000000
--- a/src/content/mini-testing/Unit-Testing-Description.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# Mini Testing sample files
-
-### Unit testing in support of regressions in OSCAL
-
-In scope:
-
-* To test profiling semantics: What happens when profiles are resolved against their source catalogs (or profiles or frameworks); how controls are designated for "surfacing" in profiles that call them; how they are modified by parameter setting or alteration.
-* To show examples of valid and near-valid ('specifically broken') OSCAL examples including example catalog(s) and profiles (and thereby test these validations)
-* To provide a showcase not only for schema validations but also Schematrons, referential integrity, etc.
-
-### Processes we can expect to run on these samples (and therefore validate/confirm):
-
-* Run the production pipeline to resolve any profiles against their authorities (i.e. source catalogs or profiles) and render the results in HTML (for browser) - presently `/lib/XProc/profile-resolve-and-display.xpl` supports this (though its components can also be run independently)
-* We can validate any profile or OSCAL catalog against OSCAL core or profile schemas (XSD) as appropriate
-* We can use the OSCAL profile Schematron (oscal-profile.sch) to detect when profiles elicit ambiguous sourcing (clashing IDs on controls or subcontrols) - a problem for downstream processing
-* We can check the design of our catalog using "OSCAL declarations" for the properties and parts of its controls and subcontrols
-* We can test run tools such as the oXygen Author with its display CSS
-* We can port to JSON or other alternative notations, and back, as a test of capabilities
-
-### Validation map
-
-Find details on the application of schemas and Schematron validations in the /schema subdirectory.
-
-| Process or schema | Constraint set |
-|:-----|:-----|
-| XSD schema (core) | XML element naming and containment constraints and content models in catalogs (also nominal `framework` and `worksheet` documents). |
-XSD schema (profile) | The same, for OSCAL profiles. |
-| Schematron schemas for catalogs | Various extra-schema constraints as documented in the Schematron/readme.md. These include constraints declared per OSCAL catalog or catalog "flavor" (OSCAL declarations). |
-| Schematron schemas for profiles | Two Schematrons are specialized for OSCAL profiles (not catalogs), validating their referential integrity vis-a-vis their source catalogs (or profiles). |
-| Profile resolution XSLT | OSCAL profiling semantics (control selection and configuration) are implemented by an XSLT that expands a profile into the control sets (catalog selections) it references. For these documents, profile resolution *only* happens when they are converted into HTML for display (results in the `pub` directory). |
-| RNC schemas (various) | The same constraints as the XSD. |
-
-#### Why two schema languages?
-
-(Or three, if we include Schematron)
-
-As described in the schema documentation, RNC (RelaxNG Compact ISO/IEC 19757) is the maintenance syntax for the OSCAL schemas (core and profile), from which the XSD is produced. With respect to a document set, validating with both RNC and XSD is redundant, as they express the same constraints over the XML (and hence should report the same problems with analogous messages). However, note that validating the document set against a schema (either RNC or XSD) is possible only when the schema itself is known to be correct; when testing the schemas themselves, each must be tested separately (because then we are testing both the RNC and the means of producing the XSD).
-
-Why two formats? RNC is easier for developers to use and work with, while tooling for XSD is more ubiquitous. Given our needs for coordinating documentation along with the schemas, it is easier for us to produce both versions from RNC (and XML) sources, than it is to work the XSD by hand. Having two versions (which are required to be aligned) also helps with validation of the schema design.
-
-In use, validation of an OSCAL document against the appropriate XSD should serve as warrant for validity against the RNC, and vice versa. End users or developers who do not need to alter schemas are advised to use the XSD (and consider the RNC part of "the sausage").
-
-### Sample docs
-
-See the samples for internal documentation regarding how they should work.
-
-Ordinarily, assume a sample is both valid and functional, except where/as noted in comments.
-
-Samples `41-exceptions-profile.xml` `42-more-exceptions-profile.xml` (and so forth) illustrate a special set of *error conditions*. These "errors" are not by definition non-functional. They may arise whenever controls are invoked multiple times by different pathways -- which raises the question of how to detect differences or disparities (presumably intentional / due to patching), what to do about them, etc. etc. Rather than force users to sort this out by learning a new notation or convention (rule) set, we simply accept the fact in principle that a unifying transformation cannot guarantee against @id clashes (and that indeed it might be the purpose of a certain kind of consumer to help resolve). Accordingly, we declare such resolution out of scope by simply detecting the problem instead of resolving it. (Meanwhile we can always accomplish a merge by patching a patch.)
-
-These files are valid wrt the (XSD) schema; the warning respects only how they resolve against control catalogs or their profiles, and where they do so in ways capable of causing (at worst) ambiguity or (at best) replication.
-
-
diff --git a/src/content/mini-testing/oscal_01-identity_profile.xml b/src/content/mini-testing/oscal_01-identity_profile.xml
deleted file mode 100644
index 07ccc7c1ad..0000000000
--- a/src/content/mini-testing/oscal_01-identity_profile.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<profile
-      xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-      id="uuid-f20ea163-0397-47d5-80fd-1cb9e7be7929">
-   <metadata>
-      <title>Identity profile (an entire catalog, implicitly)</title>
-      <oscal-version>1.0.0-milestone2</oscal-version>
-   </metadata>
-   <!-- Asking for all controls. -->
-   <import href="oscal_testing_mini-testing_catalog.xml"/>
-</profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_01a-param-only_profile.xml b/src/content/mini-testing/oscal_01a-param-only_profile.xml
deleted file mode 100644
index 0303be3497..0000000000
--- a/src/content/mini-testing/oscal_01a-param-only_profile.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-895bf828-d1ac-4211-94aa-33098177b4b1">
-
-   <!-- Asking for all controls -->
-   <title>Parameter This</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <!-- Including everything (this also happens by default) -->
-      <include>
-         <all/>
-      </include></import>
-<modify>
-
-      <!-- Setting a parameter. -->
-      <set-param param-id="ac-5_a">
-         <!-- NB while the description has no effect on value assignment,
-              a new description will be visible to other profiles calling this one. -->
-         <desc>organization-defined duties of individuals</desc>
-         <!-- The assigned value will be propagated to points of insertion of this parameter. -->
-         <value>BUTCHER; BAKER; CANDLESTICK-MAKER</value>
-      </set-param>
-   </modify></profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_02-all_profile.xml b/src/content/mini-testing/oscal_02-all_profile.xml
deleted file mode 100644
index 9db4cd9e43..0000000000
--- a/src/content/mini-testing/oscal_02-all_profile.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-6dc02d06-73e5-4bf6-83ac-f727fcbe15ee">
-
-   <!-- Invocation of catalog results in all controls (include/all is implicit)  -->
-   <title>Calling All Controls</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <include>
-         <!-- Doesn't include subcontrols since @with-child-controls defaults to 'no'. -->
-         <all/>
-      </include></import>
-</profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_03-all-with-enh_profile.xml b/src/content/mini-testing/oscal_03-all-with-enh_profile.xml
deleted file mode 100644
index 3467703ce4..0000000000
--- a/src/content/mini-testing/oscal_03-all-with-enh_profile.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<profile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal_profile_schema.xsd"
- xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-389081eb-3a60-43aa-9de6-4ee47cb243c6">
-
-   <!-- Asking for all controls, with an exclusion -->
-   <title>Once Again, with Feeling</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <!-- This time, subcontrols (enhancements) come with the controls. -->
-      <include>
-         <all with-child-controls="yes"/>
-      </include></import>
-</profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_04-exclude1_profile.xml b/src/content/mini-testing/oscal_04-exclude1_profile.xml
deleted file mode 100644
index b10e57fec6..0000000000
--- a/src/content/mini-testing/oscal_04-exclude1_profile.xml
+++ /dev/null
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-e1a29684-2596-46a4-9804-162ecc9cf7ff">
-
-   <!-- Asking for all controls, with an exclusion -->
-   <title>Being Exclusive</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <include>
-         <all with-child-controls="yes"/>
-      </include>
-      
-      <!-- Excluding two controls -->
-      <exclude>
-         <call control-id="ra.7"/>
-         <call control-id="ra.9"/>
-      </exclude></import>
-</profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_05-exclude2_profile.xml b/src/content/mini-testing/oscal_05-exclude2_profile.xml
deleted file mode 100644
index ccd9269c01..0000000000
--- a/src/content/mini-testing/oscal_05-exclude2_profile.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-b090b246-ff10-4897-a6ee-2cab35a84c1a">
-
-   <!-- Asking for all controls, this time with subcontrols, and three exclusions. -->
-   <title>Being More Exclusive</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <include>
-         <all with-child-controls="yes"/>
-      </include>
-      <exclude>
-         <call control-id="ra.7"/>
-         <call control-id="ra.8"/>
-         <call control-id="ra.9"/>
-      </exclude></import>
-</profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_10-some-params_profile.xml b/src/content/mini-testing/oscal_10-some-params_profile.xml
deleted file mode 100644
index bef4229152..0000000000
--- a/src/content/mini-testing/oscal_10-some-params_profile.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-1482c118-635d-40de-a4b0-83cda0fc96f2">
-
-   <!-- Asking for all controls, this time with a parameter-->
-   <title>Some Parameters</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-         <include>
-            <all/>
-         </include>
-         
-         <!-- From here on, we exclude ra.9 just to show that exclusions work -->
-         <exclude>
-            <match pattern="ra\.9"/>
-            <!--<call control-id="ra.9"/>-->
-         </exclude></import>
-   
-   
-<modify>
-      
-      <set-param param-id="ac-5_a">
-         <desc>organization-defined duties of individuals</desc>
-         <value>butcher; baker; candlestick-maker</value>
-      </set-param>
-      
-   </modify></profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_11-more-params_profile.xml b/src/content/mini-testing/oscal_11-more-params_profile.xml
deleted file mode 100644
index 15f16d4154..0000000000
--- a/src/content/mini-testing/oscal_11-more-params_profile.xml
+++ /dev/null
@@ -1,70 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<?xml-stylesheet type="text/css" href="../../lib/CSS/oscal.css"?>
-<?xml-model href="../../schema/xml/RNC/oscal-profile.rnc" type="application/relax-ng-compact-syntax"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-6f5ad460-f150-4af5-b08a-9a969e2acadd">
-
-   <!-- Subcontrols and parameters therefore -->
-  <title>More Paramters, More</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <include>
-         <all with-child-controls="yes"/>
-      </include>
-
-      <!-- Excluding some subcontrols as well as a control. -->
-      <exclude>
-         <call control-id="ac.6.7"/>
-         <call control-id="ac.6.8"/>
-         <call control-id="ac.6.9"/>
-         <call control-id="ra.9"/>
-      </exclude></import>
-<modify>
-
-      <set-param param-id="ac-5_a">
-         <desc>organization-defined duties of individuals</desc>
-         <value>BUTCHER; BAKER; CANDLESTICK-MAKER</value>
-      </set-param>
-
-      <set-param param-id="ac-6_a">
-         <desc>organization-defined security functions (deployed in hardware, software, and
-            firmware) and security-relevant information</desc>
-         <value>DOORS, WINDOWS, AND ANY POINTS OF INGRESS; FAUCETS; CABINET DOORS</value>
-      </set-param>
-
-      <set-param param-id="ac-6_b">
-         <desc>organization-defined security functions or security-relevant information</desc>
-         <value>EXTRA-SPECIAL, SECRET AND SENSITIVE OPERATIONS SUCH AS PET FEEDING
-            RESPONSIBILITIES</value>
-      </set-param>
-
-      <set-param param-id="ac-6_c">
-         <desc>organization-defined privileged commands</desc>
-         <value>MEDIA REALLOCATION INCLUDING HARD DRIVE REFORMATTING; ANY COMMAND ON ANY
-            VOICE-OPERATED DEVICE</value>
-      </set-param>
-      <set-param param-id="ac-6_d">
-         <desc>organization-defined compelling operational needs</desc>
-         <value>EMERGENCIES, OR EARLY IN THE MORNING TO SAVE TIME</value>
-      </set-param>
-
-      <set-param param-id="ac-6_e">
-         <desc>organization-defined personnel or roles</desc>
-         <value>CREDENTIALED WIZARDS</value>
-      </set-param>
-
-      <!--<param id="ac-6_f">
-            <desc>organization-defined frequency</desc>
-            <value>organization-defined frequency</value>
-         </param>
-         <param id="ac-6_g">
-            <desc>organization-defined roles or classes of users</desc>
-            <value>organization-defined roles or classes of users</value>
-         </param>
-
-         <param id="ac-6_h">
-            <desc>organization-defined software</desc>
-            <value>organization-defined software</value>
-         </param>-->
-
-   </modify></profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_20-compound_profile.xml b/src/content/mini-testing/oscal_20-compound_profile.xml
deleted file mode 100644
index 509bd1e253..0000000000
--- a/src/content/mini-testing/oscal_20-compound_profile.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02, modified since -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-a45d9f52-8607-439f-abac-7aedb3e6a0b0">
-
-   <!-- Asking for a control from a catalog, then also a whole batch of controls as a profile. -->
-   <title>A Compound Profile</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <include>
-         <call control-id="ac.5"/>
-      </include>
-   </import>
-
-   <!-- Note what comes back from invoke/@href is fully resolved, with implicit include/all -->
-   <import href="99includeRAx3-profile.xml"/>
-
-   <merge>
-     <as-is/>
-   </merge>
-   <modify>
-      <set-param param-id="ac-5_a">
-         <desc>organization-defined duties of individuals</desc>
-         <value>butcher; baker; candlestick-maker</value>
-      </set-param>
-   </modify>
-</profile>
diff --git a/src/content/mini-testing/oscal_30-patched_profile.xml b/src/content/mini-testing/oscal_30-patched_profile.xml
deleted file mode 100644
index beb09e25b8..0000000000
--- a/src/content/mini-testing/oscal_30-patched_profile.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-836a9534-9f5d-48ed-8530-0d605167fcdc">
-
-   <!-- Asking for all controls, this time with a parameter-->
-   <title>Patching profile example</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <!-- If we leave 'include' out, we get include/all implicitly
-         <include><all/></include>-->
-
-      <!-- Exclude ra.9 to show that exclusions work -->
-      <exclude>
-         <call control-id="ra.9"/>
-      </exclude></import>
-<modify>
-      
-      <!-- Including a parameter. -->
-      <set-param param-id="ac-5_a">
-         <desc>organization-defined duties of individuals</desc>
-         <value>butcher; baker; candlestick-maker</value>
-      </set-param>
-      
-      <!-- Also patching by adding removing and adding statements and properties -->
-      <alter control-id="ac.6">
-         <remove class-ref="statement guidance"/>
-         <add>
-            <part class="guidance"><p>DON'T GO BACK IN THE WATER!</p></part>
-            <prop class="stamp">SEAL OF APPROVAL (a)</prop>
-            <part class="notes">
-               <p>Local organizations may wish to sponsor special events including bake sales, lemonade stands, house-to-house cookie sales, lawn mowing services or other seasonal services etc.</p>
-            </part>
-         </add>
-      </alter>
-   </modify></profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_31-patched-messy_profile.xml b/src/content/mini-testing/oscal_31-patched-messy_profile.xml
deleted file mode 100644
index c7b11ee2e2..0000000000
--- a/src/content/mini-testing/oscal_31-patched-messy_profile.xml
+++ /dev/null
@@ -1,51 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-12f44f4d-209b-4a40-b2e0-56c2a6a5b137">
-
-   <!-- Example show a simple parameter insertion and patch,
-        but with more complicated ("challenging") contents. -->
-
-   <!-- Asking for all controls, this time with a parameter-->
-   <title>Patching profile example</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <!-- If we leave 'include' out, we get include/all implicitly
-         <include><all/></include>-->
-
-      <!-- Exclude ra.9 to show that exclusions work -->
-      <exclude>
-         <call control-id="ra.9"/>
-      </exclude>
-   </import>
-   <modify>
-   <!-- Including a parameter. -->
-      <set-param param-id="ac-5_a">
-         <desc>organization-defined duties of individuals</desc>
-         <value>butcher; baker; candlestick-maker</value>
-      </set-param>
-
-      <!-- Also patching by adding removing and adding statements and properties -->
-      <alter control-id="ac.6">
-         <remove class-ref="statement guidance"/>
-         <add>
-            <part class="guidance">
-               <p>Do <em>NOT</em> go back in the water.</p>
-            </part>
-            <prop class="stamp">SEAL OF APPROVAL (a)</prop>
-            <part class="notes">
-               <p>Local organizations may wish to sponsor special events including</p>
-               <ul>
-                  <li>bake sales,</li>
-                  <li> lemonade stands,</li>
-                  <li> house-to-house <i>cookie sales</i>,</li>
-                  <li> lawn mowing services</li>
-                  <li> or other seasonal services etc.</li>
-               </ul>
-            </part>
-            <part class="special">
-               <p>Code <code>green</code></p>
-            </part>
-         </add>
-      </alter>
-   </modify>
-</profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_32-invalid_profile.xml b/src/content/mini-testing/oscal_32-invalid_profile.xml
deleted file mode 100644
index 692a2d0002..0000000000
--- a/src/content/mini-testing/oscal_32-invalid_profile.xml
+++ /dev/null
@@ -1,56 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-a6aa7bb3-101a-49ae-bf07-fac5a5c395cc">
-
-   <!-- Example shows several detectable errors.
-   
-   * invoke/include can't have both 'all' and 'call' (schema validation error) though 'all' should be effective
-   * trying to call things that aren't found in the referenced catalog (a validation error in profiling semantics)
-        should produce errors in oscal-profile.sch.
-   
-   -->
-   
-   <title>Patching profile example</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <include>
-         <!-- Must have only one of 'all' and 'call' -->
-         <all/>
-         <call control-id="ac.5"/>
-      </include>
-
-      <!-- Exclude ra.10, which isn't there -->
-      <exclude>
-         <call control-id="ra.10"/>
-      </exclude></import>
-<modify>
-      
-      <!-- Including a parameter that's there -->
-      <set-param param-id="ac-5_a">
-         <desc>organization-defined duties of individuals</desc>
-         <value>butcher; baker; candlestick-maker</value>
-      </set-param>
-      
-      <!-- And one that isn't -->
-      <set-param param-id="BOO">
-         <desc>organization-defined duties of individuals</desc>
-         <value>butcher; baker; candlestick-maker</value>
-      </set-param>
-      
-      <!-- Trying to patch a control that doesn't exist. -->
-      <alter control-id="HOO">
-         <remove class-ref="statement guidance"/>
-         <add>
-            <part class="guidance"><p>Do <em>NOT</em> go back in the water.</p></part>
-            <prop class="stamp">SEAL OF APPROVAL (a)</prop>
-            <part class="notes">
-               <p>Local organizations may wish to sponsor special events including</p>
-               <ul>
-               <li>bake sales,</li><li> lemonade stands,</li><li> house-to-house <i>cookie sales</i>,</li><li> lawn mowing services</li><li> or other seasonal services etc.</li></ul>
-            </part>
-            <part class="special">
-               <p>Code <code>green</code></p>
-            </part>
-         </add>
-      </alter>
-   </modify></profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_41-exceptions_profile.xml b/src/content/mini-testing/oscal_41-exceptions_profile.xml
deleted file mode 100644
index dffaf2dfd9..0000000000
--- a/src/content/mini-testing/oscal_41-exceptions_profile.xml
+++ /dev/null
@@ -1,49 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-cca384cb-1877-4254-ba4b-4554a3295c8d">
-
-   <!-- The profile illustrates a number of errors related to "controls collisions"
-     either errors in specification, or reference
-       -->
-   <title>Exceptions profile example</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <!-- If we leave 'include' out, we get include/all implicitly
-         <include><all/></include>-->
-      <include>
-         <!-- Next element is Schematron-invalid in profile.sch - 'Control is both included and excluded' -->
-         <call control-id="ra.9"/>
-         <!-- Next element throws a warning in profile.sch - 'Repeated call [...] will be ignored' -->
-         <call control-id="ra.9"/>
-         
-         <!-- We should get an error here for empty target (a functional no op) -->
-         <call control-id="controlX"/>
-      </include>
-      
-      <exclude>
-         <call control-id="ra.9"/>
-      </exclude></import>
-   
-   <!-- This should error as a repeated call to the same authority (profile or catalog) - not allowed! -->
-   <import href="oscal_testing_mini-testing_catalog.xml"/>
-   
-<modify>
-      
-      <!-- Including a parameter. -->
-      <set-param param-id="ac-5_a">
-         <desc>organization-defined duties of individuals</desc>
-         <value>butcher; baker; candlestick-maker</value>
-      </set-param>
-      
-      <!-- Also patching by adding removing and adding statements and properties -->
-      <alter control-id="ac.6">
-         <remove class-ref="statement guidance"/>
-         <add>
-            <part class="guidance"><p>DON'T GO BACK IN THE WATER!</p></part>
-            <prop class="stamp">SEAL OF APPROVAL (a)</prop>
-            <part class="notes">
-               <p>Local organizations may wish to sponsor special events including bake sales, lemonade stands, house-to-house cookie sales, lawn mowing services or other seasonal services etc.</p>
-            </part>
-         </add>
-      </alter>
-   </modify></profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_42-invoke-exceptions_profile.xml b/src/content/mini-testing/oscal_42-invoke-exceptions_profile.xml
deleted file mode 100644
index bfe54cc005..0000000000
--- a/src/content/mini-testing/oscal_42-invoke-exceptions_profile.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-ab698a3c-5604-47e0-ae46-530224f4fb78">
-
-   <!-- This one should throw an error because certain controls are declared
-        in (for) both catalog sources. -->
-   <title>More exceptions profile example</title>
-   
-   <!-- This should error with 'CONTESTED CONTROLS' meaning it invokes controls
-        with the same ids as other controls invoked.
-        The IDs should scope universally - perhaps by @id plus an identifier
-          for the ur-source catalog (not a deriving profile)
-        For now only @id is being examined; catalogs are expected to have exclusive (nonoverlapping) @id schemes.
-   -->
-   <!-- The full oscal_testing_mini-testing_catalog.xml includes several 'RA' examples. -->
-   <import href="oscal_testing_mini-testing_catalog.xml"/>
-   
-   <!-- RA.1 through RA.3 appear again in the profile, creating a set of nominal clashing controls.
-   Schematron oscal-profile.sch can successfully report them on both invocations
-   (without presuming the first one wins). -->
-   <import href="99includeRAx3-profile.xml"/>
-   
-</profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_99includeACx2_profile.xml b/src/content/mini-testing/oscal_99includeACx2_profile.xml
deleted file mode 100644
index 7759138406..0000000000
--- a/src/content/mini-testing/oscal_99includeACx2_profile.xml
+++ /dev/null
@@ -1,70 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-d8ec4412-7d73-41ad-8cc5-d98db342c4eb">
-
-   <title>Two controls from AC, with parameters on subcontrols</title>
-   <import href="oscal_testing_mini-testing_catalog.xml">
-      <include>
-         <call control-id="ac.5"/>
-         <call control-id="ac.6"/>
-         <call control-id="ac.6.1"/>
-         <call control-id="ac.6.2"/>
-         <call control-id="ac.6.3"/>
-         <call control-id="ac.6.4"/>
-         <call control-id="ac.6.5"/>
-         <call control-id="ac.6.6"/>
-         <call control-id="ac.6.7"/>
-         <call control-id="ac.6.8"/>
-         <call control-id="ac.6.9"/>
-         <call control-id="ac.6.10"/>
-      </include></import>
-<modify>
-
-      <set-param param-id="ac-5_a">
-         <desc>[whoever is responsible for caring for the cats] - organization-defined duties of
-            individuals</desc>
-         <value>CAT PERSON #1 (primary), CAT PERSON #2 (asst), FURTHER CAT PERSONS</value>
-      </set-param>
-      <set-param param-id="ac-6_a">
-         <desc>[wherever the cat/s need/s to get to on a regular basis ] - organization-defined
-            security functions (deployed in hardware, software, and firmware) and security-relevant
-            information</desc>
-         <value>CAT FOOD STATION; LITTER BOX; REGULAR ACCESS TO OUTDOORS</value>
-      </set-param>
-      <set-param param-id="ac-6_b">
-         <desc>[describe feeding routine] - organization-defined security functions or
-            security-relevant information</desc>
-         <value>REGULAR FEEDINGS AND PROVISION OF TREATS</value>
-      </set-param>
-      <set-param param-id="ac-6_c">
-         <desc>[whatever activities occur over networks] - organization-defined privileged
-            commands</desc>
-         <value>COMMUNICATIVE BEHAVIORS SUCH AS RUBBING LEGS</value>
-      </set-param>
-      <set-param param-id="ac-6_d">
-         <desc>[such occasions as network access may occur] - organization-defined compelling
-            operational needs</desc>
-         <value>MEALTIMES</value>
-      </set-param>
-      <set-param param-id="ac-6_e">
-         <desc>FOREMENTIONED PET CARETAKERS AND STAFF - organization-defined personnel or
-            roles</desc>
-         <value>FOREMENTIONED PET CARETAKERS AND STAFF</value>
-      </set-param>
-      <set-param param-id="ac-6_f">
-         <desc>VERY FREQUENTLY - organization-defined frequency</desc>
-         <value>VERY FREQUENTLY</value>
-      </set-param>
-      <set-param param-id="ac-6_g">
-         <desc>PET CARETAKERS - organization-defined roles or classes of users</desc>
-         <value>PET CARETAKERS</value>
-      </set-param>
-
-      <set-param param-id="ac-6_h">
-         <desc>CAT TOYS - organization-defined software</desc>
-         <value>CAT TOYS</value>
-      </set-param>
-
-
-   </modify></profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_99includeRAx3_profile.xml b/src/content/mini-testing/oscal_99includeRAx3_profile.xml
deleted file mode 100644
index 58f180faf8..0000000000
--- a/src/content/mini-testing/oscal_99includeRAx3_profile.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02   -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-2c20e8e1-6f36-442c-bfca-1e0ed75a3ecb">
-
-   <title>Three RA controls with parameters</title>
-   
-   <import href="oscal_testing_mini-testing_catalog.xml">
-         <include>
-            <call control-id="ra.7"/>
-            
-            <call control-id="ra.8"/>
-            
-            <call control-id="ra.9"/>
-            
-            <!-- Overriding both description and value in source catalog -->
-            
-            
-         </include></import>
-<modify>
-         
-      <set-param param-id="ra-9_a">
-         <desc>PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS - organization-defined systems, system components, or system services</desc>
-         <value>PET FEEDING, PLAY, ENVIRONMENTAL, VETERINARY REQUIREMENTS</value>
-      </set-param>
-      <set-param param-id="ra-9_b">
-         <desc>ON AN ONGOING BASIS (AT LEAST NIGHTLY) - organization-defined decision points in the system development life
-            cycle</desc>
-         <value>ON AN ONGOING BASIS (AT LEAST NIGHTLY)</value>
-      </set-param>
-      
-   </modify></profile>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_dinosaur-testing_profile.xml b/src/content/mini-testing/oscal_dinosaur-testing_profile.xml
deleted file mode 100644
index 8f6531a48b..0000000000
--- a/src/content/mini-testing/oscal_dinosaur-testing_profile.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02, modified since -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-6d20d489-ca9c-4bad-af6a-f30f663c0a50">
-
-   <!-- Asking for a control from a catalog, then also a whole batch of controls as a profile. -->
-   <title>A Compound Profile</title>
-   <import href="dinosaur-profile.xml"/>
-   <import href="oscal_testing_dinosaur_catalog.xml">
-      <include>
-         <!--
-         Q: anchor at front but not at end? AC becomes regex '^AC' only 'AC$' becomes '^AC$'
-         
-         include: tyrannosaur.*"
-         exclude: tyrannosaur
-           do we get child controls without their parent controls?
-           see slide 4
-         
-         -->
-         
-         <match pattern="tyrannosaurus-rex" with-control="no"/>
-         
-         <match pattern="triceratops"/>
-         <!--<call control-id="triceratops"/>
-         <call with-child-controls="yes" control-id="tyrannosaur"/>
-         <call control-id="archeopteryx"/>-->
-      </include>
-   </import>
-   <merge>
-      <build/>
-   </merge>
-</profile>
diff --git a/src/content/mini-testing/oscal_dinosaur_profile.xml b/src/content/mini-testing/oscal_dinosaur_profile.xml
deleted file mode 100644
index d8a7fa3e8d..0000000000
--- a/src/content/mini-testing/oscal_dinosaur_profile.xml
+++ /dev/null
@@ -1,88 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Made by hand 2017-11-02, modified since -->
-<?xml-model href="../../schema/xml/Schematron/oscal-profile.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<?xml-model href="../../schema/xml/RNC/oscal-profile.rnc" type="application/relax-ng-compact-syntax"?>
-<profile
- xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="uuid-945ac268-c826-45b1-a8fe-0c117d39b40b">
-
-   <!-- Asking for a control from a catalog, then also a whole batch of controls as a profile. -->
-   <title>Dinosaur Profile</title>
-  <import href="oscal_testing_dinosaur_catalog.xml">
-    <include>
-      <match pattern=".*saur.*"/>
-      <!--<call with-child-controls="yes" control-id="allosaur"/>
-         <call control-id="triceratops"/>-->
-    </include>
-    
-  </import>
-  <import href="oscal_testing_dinosaur_catalog.xml">
-    <include>
-      <match pattern="triceratops"/>
-      <!--<call with-child-controls="yes" control-id="allosaur"/>
-         <call control-id="triceratops"/>-->
-    </include>
-    
-  </import>
-  <!--<merge combine="merge"/>-->
-  <!--<merge>
-    <combine method="keep"/>
-<!-\- semantics of 'merge' combination should be specified (and tested!)   -\->
-    <!-\-<as-is/>-\->
-    
-    
-  </merge>-->
-  <!--<import href="something-else.xml"/>-->
-   
-   <!--<merge>
-     <!-\-<combine (control-id|subcontrol-id|pattern) method="use-first|merge|keep">
-       <
-     </combine>-\->
-     <!-\-<as-is/>-\->
-     <!-\-<custom>
-       <group>
-         <title>New group</title>
-         <call control-id="allosaur"/>
-         <match pattern="AC*" order-by="ascending|descending|keep"/>
-       </group>
-     -\-><!-\-</custom>-\->
-     
-   </merge>-->
-   <!--<modify>
-      <set-param param-id="scary">
-         <value>claws, tail, huge jackhammer jaws with sharp teeth</value>
-      </set-param>
-      
-<!-\- make examples of all/any remove and add formations
-      showing deep as well as shallow alterations -\->
-      <alter control-id="allosaur">
-        <remove class-ref="trans"/>
-        <remove id-ref="allosaur-desc"/>
-        <remove item-name="title"/>
-        <remove item-name="prop" class-ref="trans"/>
-        
-        <!-\-      add[empty(@id|@class)] will be added at the end   -\->
-<!-\-      add/@position defaults in processing to 'after' -\->
-          <!-\- @position w/o @where means added first (after titles and parameters)
-          or last (after everything) -\->
-<!-\- Empty @target is understood to be the control or subcontrol itself, not a descendant; in these cases position='before' and 'after' are inoperative ... you're not permitted to patch before or after controls, only inside them. -\->
-<!-\-         -\->
-<!-\- Schematron: when empty(@target) then @position=('starting','ending')        -\->
-         
-         
-         <!-\-<add target="@id|@class" position="starting|ending|before|after">-\->
-         <add position="ending">
-            <part  class="new">
-               <title>My new part</title>
-            </part>
-         </add>
-         <!-\-</add>-\->
-      </alter>
-   </modify>
-  -->
-<!-- Errors and warning conditions:
-  Duplicate or clashing controls in final results
-  Orphan subcontrols in final results
-  targets in merge/modify that do not resolve? (come up empty)
-  alter/add[empty(@target)][@position=('before','after')] (Schematron)
-  -->
-</profile>
diff --git a/src/content/mini-testing/oscal_testing_dinosaur_catalog.xml b/src/content/mini-testing/oscal_testing_dinosaur_catalog.xml
deleted file mode 100644
index fb553a21bc..0000000000
--- a/src/content/mini-testing/oscal_testing_dinosaur_catalog.xml
+++ /dev/null
@@ -1,71 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<?xml-stylesheet type="text/css" href="../../lib/CSS/oscal.css"?>
-<catalog xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal-catalog-schema.xsd"
- xmlns="http://csrc.nist.gov/ns/oscal/1.0" id="xyz" model-version="abc">
-    <metadata>
-        <title>Dinosaur Testing Catalog</title>
-    </metadata>
-    <section>
-        <title>This catalog</title>
-        <p>For use in testing, especially structural transformations.</p>
-    </section>
-    <!--<group>
-        <title>Alphabetic</title>
-        <group>
-            <control id="A1">
-                <control id="A1a"/>
-                <control id="A1b"/>
-                <control id="A1c"/>
-            </control>
-            <control id="A2"/>
-            <control id="A3"/>
-        </group>
-        <group class="family">
-            <control id="B1"/>
-            <control id="B2"/>
-            <control id="B3"/>
-        </group>
-    </group>-->
-    <group>
-        <title>Dinosaurs</title>
-        <group><title>Predators</title>
-            <control id="allosaur">
-                <title>Allosaurus</title>
-              <param id="scary">
-                <label>teeth, claws, tail for example</label>
-                  <desc>List anything scary about this dinosaur</desc></param>
-              <prop class="trans">Other Lizard</prop>
-              <part class="desc" id="allosaur-desc"><p>Vicious predator, ancestor of more vicious predators.</p></part>
-            </control>
-            <control id="tyrannosaur">
-                <title>Tyrannosaurus</title>
-                <prop class="trans">Tyrant Lizard</prop>
-                <control id="tyrannosaurus-rex">
-                    <title>Tyrannosaurus Rex</title>
-                    <prop class="trans">King Tyrant Lizard</prop>
-                </control>
-            </control>
-            <control id="velociraptor">
-                <title>Velociraptor</title>
-            </control>
-        </group>
-        <group><title>Herbivores</title>
-            <control id="stegosaur">
-                <title>Stegosaurus</title>
-            </control>
-            <control id="triceratops">
-                <title>Triceratops</title>
-            </control>
-        </group>
-        <group><title>Proto-avians</title>
-            <control id="archeopteryx">
-                <title>Archaeopteryx</title>
-                <part>
-                    <p><img src="unoh" /></p>
-                </part>
-            </control>
-        </group>
-    </group>
-    
-</catalog>
\ No newline at end of file
diff --git a/src/content/mini-testing/oscal_testing_mini-testing_catalog.xml b/src/content/mini-testing/oscal_testing_mini-testing_catalog.xml
deleted file mode 100644
index 26f8a0e7bf..0000000000
--- a/src/content/mini-testing/oscal_testing_mini-testing_catalog.xml
+++ /dev/null
@@ -1,476 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<?xml-stylesheet type="text/css" href="../../lib/CSS/oscal.css"?>
-<?xml-model href="../../schema/xml/Schematron/oscal-links.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
-<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-    <title>MINI TESTING catalog</title>
-    <section>
-        <title>This catalog</title>
-        <p>Mini-testing starts as a reduced and mocked up subset of SP800-53 controls for testing
-            and demonstration of OSCAL features and functionalities.</p>
-    </section>
-    <group class="family">
-        <title>FAKE(S)</title>
-        <control class="SP800-53" id="FAKE">
-            <title>EVERYTHING ALL MIXED TOGETHER</title>
-            <param id="fake_a">
-                <desc>FAKE PARAMETER IN FAKE CONTROL</desc>
-                <value>whatever is mixed or to be mixed</value>
-            </param>
-            <prop class="name">FAKE_0</prop>
-            <part class="statement">
-                <p>Whatever to be mixed is a fake control with some pathological markup.</p>
-                <part class="item" id="FAKE-a">
-                    <prop class="name">FAKEa.</prop>
-                    <p class="description">Insert your fake parameter here: <insert
-                            param-id="fake_a"/>;</p>
-                </part>
-                <part class="item" id="FAKE-b">
-                    <prop class="name">FAKEb.</prop>
-                    <p class="description">This item includes inline markup such as <i>italics</i>,
-                            <b>bold</b>, <em>emphasis</em>, <code>code</code>, <q>quoted text</q>
-                        and even a bit of water (H<sub>2</sub>O).</p>
-                </part>
-                <part class="item" id="FAKE-c">
-                    <prop class="name">FAKEc.</prop>
-                    <p class="description">This item includes some more complex prose:</p>
-                    <ul>
-                        <li>Here's language in a list item</li>
-                        <li>Another list item</li>
-                    </ul>
-                    <p class="description">And a scattering of things including a little physics!
-                            <i>e = mc<sup>2</sup></i> and all that.</p>
-                </part>
-            </part>
-            <part class="guidance">
-                <p>Don't follow any guidance you find in a fake control.</p>
-            </part>
-            <part class="guidance">
-                <p>Notice this control has more than one statement called "guidance". Presumably any
-                    profile could also patch it to add more.</p>
-            </part>
-            <part class="raci_index">
-                <prop class="accountable">Board</prop>
-                <prop class="responsible">Chief Executive Officer</prop>
-                <prop class="consulted">Chief Financial Officer</prop>
-            </part>
-        </control>
-    </group>
-    <group class="family">
-        <title>ACCESS CONTROL</title>
-        <control class="SP800-53" id="ac.5">
-            <title>SEPARATION OF DUTIES</title>
-            <param id="ac-5_a">
-                <desc>organization-defined duties of individuals</desc>
-                <value>organization-defined duties of individuals</value>
-            </param>
-            <prop class="name">AC-5</prop>
-            <part class="statement">
-                <part class="item" id="ac.5a">
-                    <prop class="name">AC-5a.</prop>
-                    <p class="description">Separate <insert param-id="ac-5_a"/>;</p>
-                </part>
-                <part class="item" id="ac.5b">
-                    <prop class="name">AC-5b.</prop>
-                    <p class="description">Document separation of duties of individuals; and</p>
-                </part>
-                <part class="item" id="ac.5c">
-                    <prop class="name">AC-5c.</prop>
-                    <p class="description">Define system access authorizations to support separation
-                        of duties.</p>
-                </part>
-            </part>
-            <part class="guidance">
-                <p>Separation of duties addresses the potential for abuse of authorized privileges
-                    and helps to reduce the risk of malevolent activity without collusion.
-                    Separation of duties includes, for example, dividing mission functions and
-                    system support functions among different individuals and/or roles; conducting
-                    system support functions with different individuals; and ensuring security
-                    personnel administering access control functions do not also administer audit
-                    functions. Because separation of duty violations can span systems and
-                    application domains, organizations consider the entirety of organizational
-                    systems and system components when developing policy on separation of
-                    duties.</p>
-                <!--<link href="#ac.2"/><link href="#ac.3"/><link href="#ac.6"/><link href="#au.9"/><link href="#cm.5"/><link href="#cm.11"/><link href="#cp.9"/><link href="#ia.2"/><link href="#ia.5"/><link href="#ma.3"/><link href="#ma.5"/><link href="#ps.2"/><link href="#sa.17"/>-->
-            </part>
-        </control>
-        <control class="SP800-53" id="ac.6">
-            <title>LEAST PRIVILEGE</title>
-            <prop class="name">AC-6</prop>
-            <part class="statement">
-                <p class="description">Employ the principle of least privilege, allowing only
-                    authorized accesses for users (or processes acting on behalf of users) which are
-                    necessary to accomplish assigned tasks in accordance with organizational
-                    missions and business functions.</p>
-            </part>
-            <part class="guidance">
-                <p>Organizations employ least privilege for specific duties and systems. The
-                    principle of least privilege is also applied to system processes, ensuring that
-                    the processes operate at privilege levels no higher than necessary to accomplish
-                    required organizational missions or business functions. Organizations consider
-                    the creation of additional processes, roles, and system accounts as necessary,
-                    to achieve least privilege. Organizations also apply least privilege to the
-                    development, implementation, and operation of organizational systems.</p>
-                <!--<link href="#ac.2"/><link href="#ac.3"/><link href="#ac.5"/><link href="#ac.16"/><link href="#cm.5"/><link href="#cm.11"/><link href="#pl.2"/><link href="#pm.12"/><link href="#sa.15"/><link href="#sa.17"/><link href="#sc.38"/>-->
-            </part>
-            <control class="SP800-53-enhancement" id="ac.6.1">
-                <title>AUTHORIZE ACCESS TO SECURITY FUNCTIONS</title>
-                <param id="ac-6_a">
-                    <desc>organization-defined security functions (deployed in hardware, software,
-                        and firmware) and security-relevant information</desc>
-                    <value>organization-defined security functions (deployed in hardware, software,
-                        and firmware) and security-relevant information</value>
-                </param>
-                <prop class="name">AC-6 (1)</prop>
-                <part class="statement">
-                    <p class="description">Explicitly authorize access to <insert param-id="ac-6_a"
-                        />.</p>
-                </part>
-                <part class="guidance">
-                    <p>Security functions include, for example, establishing system accounts,
-                        configuring access authorizations (i.e., permissions, privileges), setting
-                        events to be audited, and establishing intrusion detection parameters.
-                        Security-relevant information includes, for example, filtering rules for
-                        routers/firewalls, cryptographic key management information, configuration
-                        parameters for security services, and access control lists. Explicitly
-                        authorized personnel include, for example, security administrators, system
-                        and network administrators, system security officers, system maintenance
-                        personnel, system programmers, and other privileged users.</p>
-                    <!--<link href="#ac.17"/><link href="#ac.18"/><link href="#ac.19"/><link href="#au.9"/><link href="#pe.2"/>-->
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.2">
-                <title>NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS</title>
-                <param id="ac-6_b">
-                    <desc>organization-defined security functions or security-relevant
-                        information</desc>
-                    <value>organization-defined security functions or security-relevant
-                        information</value>
-                </param>
-                <prop class="name">AC-6 (2)</prop>
-                <part class="statement">
-                    <p class="description">Require that users of system accounts, or roles, with
-                        access to <insert param-id="ac-6_b"/>, use non-privileged accounts or roles,
-                        when accessing nonsecurity functions.</p>
-                </part>
-                <part class="guidance">
-                    <p>This control enhancement limits exposure when operating from within
-                        privileged accounts or roles. The inclusion of roles addresses situations
-                        where organizations implement access control policies such as role-based
-                        access control and where a change of role provides the same degree of
-                        assurance in the change of access authorizations for both the user and all
-                        processes acting on behalf of the user as would be provided by a change
-                        between a privileged and non-privileged account.</p>
-                    <!--<link href="#ac.17"/><link href="#ac.18"/><link href="#ac.19"/><link href="#pl.4"/>-->
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.3">
-                <title>NETWORK ACCESS TO PRIVILEGED COMMANDS</title>
-                <param id="ac-6_c">
-                    <desc>organization-defined privileged commands</desc>
-                    <value>organization-defined privileged commands</value>
-                </param>
-                <param id="ac-6_d">
-                    <desc>organization-defined compelling operational needs</desc>
-                    <value>organization-defined compelling operational needs</value>
-                </param>
-                <prop class="name">AC-6 (3)</prop>
-                <part class="statement">
-                    <p class="description">Authorize network access to <insert param-id="ac-6_c"/>
-                        only for <insert param-id="ac-6_d"/> and document the rationale for such
-                        access in the security plan for the system.</p>
-                </part>
-                <part class="guidance">
-                    <p>Network access is any access across a network connection in lieu of local
-                        access (i.e., user being physically present at the device).</p>
-                    <!--<link href="#ac.17"/><link href="#ac.18"/><link href="#ac.19"/>-->
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.4">
-                <title>SEPARATE PROCESSING DOMAINS</title>
-                <prop class="name">AC-6 (4)</prop>
-                <part class="statement">
-                    <p class="description">Provide separate processing domains to enable
-                        finer-grained allocation of user privileges.</p>
-                </part>
-                <part class="guidance">
-                    <p>Providing separate processing domains for finer-grained allocation of user
-                        privileges includes, for example, using virtualization techniques to allow
-                        additional user privileges within a virtual machine while restricting
-                        privileges to other virtual machines or to the underlying actual machine;
-                        employing hardware/software domain separation mechanisms; and implementing
-                        separate physical domains.</p>
-                    <!--<link href="#ac.4"/><link href="#sc.2"/><link href="#sc.3"/><link href="#sc.30"/><link href="#sc.32"/><link href="#sc.39"/>-->
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.5">
-                <title>PRIVILEGED ACCOUNTS</title>
-                <param id="ac-6_e">
-                    <desc>organization-defined personnel or roles</desc>
-                    <value>organization-defined personnel or roles</value>
-                </param>
-                <prop class="name">AC-6 (5)</prop>
-                <part class="statement">
-                    <p class="description">Restrict privileged accounts on the system to <insert
-                            param-id="ac-6_e"/>.</p>
-                </part>
-                <part class="guidance">
-                    <p>Privileged accounts, including super user accounts, are typically described
-                        as system administrator for various types of commercial off-the-shelf
-                        operating systems. Restricting privileged accounts to specific personnel or
-                        roles prevents day-to-day users from having access to privileged
-                        information/functions. Organizations may differentiate in the application of
-                        this control enhancement between allowed privileges for local accounts and
-                        for domain accounts provided they retain the ability to control system
-                        configurations for key security parameters and as otherwise necessary to
-                        sufficiently mitigate risk.</p>
-                    <!--<link href="#ia.2"/><link href="#ma.3"/><link href="#ma.4"/>-->
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.6">
-                <title>PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS</title>
-                <prop class="name">AC-6 (6)</prop>
-                <part class="statement">
-                    <p class="description">Prohibit privileged access to the system by
-                        non-organizational users.</p>
-                </part>
-                <part class="guidance">
-                    <p>None.</p>
-                    <!--<link href="#ac.18"/><link href="#ac.19"/><link href="#ia.2"/><link href="#ia.8"/>-->
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.7">
-                <title>REVIEW OF USER PRIVILEGES</title>
-                <param id="ac-6_f">
-                    <desc>organization-defined frequency</desc>
-                    <value>organization-defined frequency</value>
-                </param>
-                <param id="ac-6_g">
-                    <desc>organization-defined roles or classes of users</desc>
-                    <value>organization-defined roles or classes of users</value>
-                </param>
-                <prop class="name">AC-6 (7)</prop>
-                <part class="statement">
-                    <part class="item" id="ac.6.7.a">
-                        <prop class="name">AC-6 (7)(a)</prop>
-                        <p class="description">Review <insert param-id="ac-6_f"/> the privileges
-                            assigned to <insert param-id="ac-6_g"/> to validate the need for such
-                            privileges; and</p>
-                    </part>
-                    <part class="item" id="ac.6.7.b">
-                        <prop class="name">AC-6 (7)(b)</prop>
-                        <p class="description">Reassign or remove privileges, if necessary, to
-                            correctly reflect organizational mission and business needs.</p>
-                    </part>
-                </part>
-                <part class="guidance">
-                    <p>The need for certain assigned user privileges may change over time reflecting
-                        changes in organizational missions and business functions, environments of
-                        operation, technologies, or threat. Periodic review of assigned user
-                        privileges is necessary to determine if the rationale for assigning such
-                        privileges remains valid. If the need cannot be revalidated, organizations
-                        take appropriate corrective actions.</p>
-                    <!--<link href="#ca.7"/>-->
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.8">
-                <title>PRIVILEGE LEVELS FOR CODE EXECUTION</title>
-                <param id="ac-6_h">
-                    <desc>organization-defined software</desc>
-                    <value>organization-defined software</value>
-                </param>
-                <prop class="name">AC-6 (8)</prop>
-                <part class="statement">
-                    <p class="description">Prevent the following software from executing at higher
-                        privilege levels than users executing the software: <insert
-                            param-id="ac-6_h"/>.</p>
-                </part>
-                <part class="guidance">
-                    <p>In certain situations, software applications/programs need to execute with
-                        elevated privileges to perform required functions. However, if the
-                        privileges required for execution are at a higher level than the privileges
-                        assigned to organizational users invoking such applications/programs, those
-                        users are indirectly provided with greater privileges than assigned by
-                        organizations.</p>
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.9">
-                <title>AUDITING USE OF PRIVILEGED FUNCTIONS</title>
-                <prop class="name">AC-6 (9)</prop>
-                <part class="statement">
-                    <p class="description">Audit the execution of privileged functions.</p>
-                </part>
-                <part class="guidance">
-                    <p>Misuse of privileged functions, either intentionally or unintentionally by
-                        authorized users, or by unauthorized external entities that have compromised
-                        system accounts, is a serious and ongoing concern and can have significant
-                        adverse impacts on organizations. Auditing the use of privileged functions
-                        is one way to detect such misuse, and in doing so, help mitigate the risk
-                        from insider threats and the advanced persistent threat.</p>
-                    <!--<link href="#au.2"/><link href="#au.12"/>-->
-                </part>
-            </control>
-            <control class="SP800-53-enhancement" id="ac.6.10">
-                <title>PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS</title>
-                <prop class="name">AC-6 (10)</prop>
-                <part class="statement">
-                    <p class="description">Prevent non-privileged users from executing privileged
-                        functions.</p>
-                </part>
-                <part class="guidance">
-                    <p>Privileged functions include, for example, disabling, circumventing, or
-                        altering implemented security or privacy controls, establishing system
-                        accounts, performing system integrity checks, or administering cryptographic
-                        key management activities. Non-privileged users are individuals that do not
-                        possess appropriate authorizations. Circumventing intrusion detection and
-                        prevention mechanisms or malicious code protection mechanisms are examples
-                        of privileged functions that require protection from non-privileged
-                        users.</p>
-                </part>
-            </control>
-        </control>
-    </group>
-    <group class="family">
-        <title>RISK ASSESSMENT</title>
-        <control class="SP800-53" id="ra.7">
-            <title>RISK RESPONSE</title>
-            <prop class="name">RA-7</prop>
-            <part class="statement">
-                <p class="description">Respond to findings from security and privacy assessments,
-                    monitoring, and audits.</p>
-            </part>
-            <part class="guidance">
-                <p>Organizations have a variety of options for responding to risk including:
-                    mitigating the risk by implementing new controls or strengthening existing
-                    controls; accepting the risk with appropriate justification or rationale;
-                    sharing or transferring the risk; or rejecting the risk. Organizational risk
-                    tolerance influences risk response decisions and actions. Risk response is also
-                    known as risk treatment. This control addresses the need to determine an
-                    appropriate response to risk before a plan of action and milestones entry is
-                    generated. For example, the response may be to accept risk or reject risk, or it
-                    may be possible to mitigate the risk immediately so a plan of action and
-                    milestones entry is not needed. However, if the risk response is to mitigate the
-                    risk and the mitigation cannot be completed immediately, a plan of action and
-                    milestones entry is generated.</p>
-                <!--<link href="#ca.5"/><link href="#ir.9"/>-->
-                <!--<link href="#pm.4"/><link href="#pm.32"/><link href="#ra.2"/><link href="#ra.3"/>-->
-            </part>
-            <references>
-                <ref>
-                    <citation href="http://csrc.nist.gov/publications/PubsFIPS.html#199">FIPS
-                        Publication 199</citation>
-                </ref>
-                <ref>
-                    <citation href="http://csrc.nist.gov/publications/PubsFIPS.html#200">FIPS
-                        Publication 200</citation>
-                </ref>
-                <ref>
-                    <citation href="http://csrc.nist.gov/publications/PubsSPs.html#800-30">NIST
-                        Special Publication 800-30</citation>
-                </ref>
-                <ref>
-                    <citation href="http://csrc.nist.gov/publications/PubsSPs.html#800-37">NIST
-                        Special Publication 800-37</citation>
-                </ref>
-                <ref>
-                    <citation href="http://csrc.nist.gov/publications/PubsSPs.html#800-39">NIST
-                        Special Publication 800-39</citation>
-                </ref>
-            </references>
-        </control>
-        <control class="SP800-53" id="ra.8">
-            <title>PRIVACY IMPACT ASSESSMENTS</title>
-            <prop class="name">RA-8</prop>
-            <part class="statement">
-                <p class="description">Conduct privacy impact assessments for systems, programs, or
-                    other activities that pose a privacy risk before:</p>
-                <part class="item" id="ra.8a">
-                    <prop class="name">RA-8a.</prop>
-                    <p class="description">Developing or procuring information technology that
-                        collects, maintains, or disseminates information that is in an identifiable
-                        form; and</p>
-                </part>
-                <part class="item" id="ra.8b">
-                    <prop class="name">RA-8b.</prop>
-                    <p class="description">Initiating a new collection of information that:</p>
-                    <part class="item" id="ra.8b.1">
-                        <prop class="name">RA-8b.1.</prop>
-                        <p class="description">Will be collected, maintained, or disseminated using
-                            information technology; and</p>
-                    </part>
-                    <part class="item" id="ra.8b.2">
-                        <prop class="name">RA-8b.2.</prop>
-                        <p class="description">Includes information in an identifiable form
-                            permitting the physical or online contacting of a specific individual,
-                            if identical questions have been posed to, or identical reporting
-                            requirements imposed on, ten or more persons, other than agencies,
-                            instrumentalities, or employees of the Federal Government.</p>
-                    </part>
-                </part>
-            </part>
-            <part class="guidance">
-                <p>Privacy impact assessments are an analysis of how information is managed to
-                    ensure that such management conforms to applicable legal, regulatory, and policy
-                    requirements regarding privacy; to determine the associated privacy risks and
-                    effects of creating, collecting, using, processing, storing, maintaining,
-                    disseminating, disclosing, and disposing of information in identifiable form in
-                    a system; and to examine and evaluate the protections and alternate processes
-                    for managing information to mitigate potential privacy concerns. A privacy
-                    impact assessment is an analysis and a formal document detailing the process and
-                    outcome of the analysis. To conduct the analysis, organizations use risk
-                    assessment processes. Although privacy impact assessments may be required by
-                    law, organizations may develop policies to require privacy impact assessments in
-                    circumstances where a privacy impact assessment would not be required by
-                    law.</p>
-                <!--<link href="#ip.4"/><link href="#pa.2"/><link href="#pa.3"/><link href="#ra.1"/><link href="#ra.3"/><link href="#ra.7"/>-->
-            </part>
-        </control>
-        <control class="SP800-53" id="ra.9">
-            <title>CRITICALITY ANALYSIS</title>
-            <param id="ra-9_a">
-                <desc>organization-defined systems, system components, or system services</desc>
-                <value>organization-defined systems, system components, or system services</value>
-            </param>
-            <param id="ra-9_b">
-                <desc>organization-defined decision points in the system development life
-                    cycle</desc>
-                <value>organization-defined decision points in the system development life cycle</value>
-            </param>
-            <prop class="name">RA-9</prop>
-            <part class="statement">
-                <p class="description">Identify critical system components and functions by
-                    performing a criticality analysis for <insert param-id="ra-9_a"/> at <insert
-                        param-id="ra-9_b"/>.</p>
-            </part>
-            <part class="guidance">
-                <p>Not all system components, functions, or services necessarily require significant
-                    protections. Criticality analysis is a key tenet of, for example, supply chain
-                    risk management, and informs the prioritization of protection activities. The
-                    identification of critical system components and functions considers applicable
-                    regulations, directives, policies, standards, and guidelines, system
-                    functionality requirements, system and component interfaces, and system and
-                    component dependencies. Systems engineers conduct an end-to-end functional
-                    decomposition of a system to identify mission-critical functions and components.
-                    The functional decomposition includes the identification of core organizational
-                    missions supported by the system, decomposition into the specific functions to
-                    perform those missions, and traceability to the hardware, software, and firmware
-                    components that implement those functions, including when the functions are
-                    shared by many components within and beyond the system boundary. The operational
-                    environment of a system or component may impact the criticality including, for
-                    example, the connections to and dependencies on cyber-physical systems, devices,
-                    system-of-systems, and outsourced IT services. System components that allow
-                    unmediated access to critical system components or functions are considered
-                    critical due to the inherent vulnerabilities such components create. Component
-                    and function criticality are assessed in terms of the impact of a component or
-                    function failure on the organizational missions supported by the system
-                    containing those components and functions. A criticality analysis is performed
-                    when an architecture or design is being developed, modified, or upgraded. If
-                    done early in the system life cycle, organizations may consider modifying the
-                    system design to reduce the critical nature of these components and functions
-                    by, for example, adding redundancy or alternate paths into the system
-                    design.</p>
-                <!--<link href="#cp.2"/><link href="#pl.2"/><link href="#pl.8"/><link href="#pl.11"/><link href="#pm.1"/><link href="#sa.8"/><link href="#sa.12"/><link href="#sa.15"/><link href="#sa.20"/>-->
-            </part>
-        </control>
-    </group>
-    
-</catalog>
\ No newline at end of file
diff --git a/src/content/mini-testing/readme.md b/src/content/mini-testing/readme.md
deleted file mode 100644
index 977deb51df..0000000000
--- a/src/content/mini-testing/readme.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# OSCAL Unit Testing Files
-
-This directory contains sample files that can be used for unit testing in support of regressions of OSCAL. The structure and contents of the directory are as follows:
-
-* The various .json and .xml files in the directory are a mix of test files that represent miniature catalogs and profiles. They are here primarily for ad hoc testing purposes.
-* [Unit-Testing-Description.md](Unit-Testing-Description.md): This file contains technical information on the test files, including how they are intended to be used.
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml
deleted file mode 100644
index 259dfedcf3..0000000000
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml
+++ /dev/null
@@ -1,1248 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Modified by conversion XSLT 2020-06-01T15:50:15.681-04:00 - UUIDs refreshed -->
-<!-- Produced by SP800-53-profile-with-filter.xsl 2018-05-14-04:00
-        runtime parameter settings: $baseline='HIGH' -->
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="9d0593f5-c6ed-44b8-9127-ad5c310f8e34">
-   <metadata>
-      <title>NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE</title>
-      <last-modified>2020-05-29T23:29:27.272-04:00</last-modified>
-      <version>2015-01-22</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="creator">
-         <title>Document Creator</title>
-      </role>
-      <role id="contact">
-         <title>Contact</title>
-      </role>
-      <party uuid="71c97c27-4f09-4d06-a6a4-065a54c19a1f" type="organization">
-         <party-name>Joint Task Force, Transformation Initiative</party-name>
-         <address>
-            <addr-line>National Institute of Standards and Technology</addr-line>
-            <addr-line>Attn: Computer Security Division</addr-line>
-            <addr-line>Information Technology Laboratory</addr-line>
-            <addr-line>100 Bureau Drive (Mail Stop 8930)</addr-line>
-            <city>Gaithersburg</city>
-            <state>MD</state>
-            <postal-code>20899-8930</postal-code>
-         </address>
-         <email>sec-cert@nist.gov</email>
-      </party>
-      <responsible-party role-id="creator">
-         <party-uuid>31a5dd8f-978a-4558-8ade-846211607d40</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="contact">
-         <party-uuid>31a5dd8f-978a-4558-8ade-846211607d40</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#f52e1458-7a97-49fd-8189-6af6a4e7051b">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-2.1"/>
-         <call control-id="ac-2.2"/>
-         <call control-id="ac-2.3"/>
-         <call control-id="ac-2.4"/>
-         <call control-id="ac-2.5"/>
-         <call control-id="ac-2.11"/>
-         <call control-id="ac-2.12"/>
-         <call control-id="ac-2.13"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-4"/>
-         <call control-id="ac-5"/>
-         <call control-id="ac-6"/>
-         <call control-id="ac-6.1"/>
-         <call control-id="ac-6.2"/>
-         <call control-id="ac-6.3"/>
-         <call control-id="ac-6.5"/>
-         <call control-id="ac-6.9"/>
-         <call control-id="ac-6.10"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-10"/>
-         <call control-id="ac-11"/>
-         <call control-id="ac-11.1"/>
-         <call control-id="ac-12"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-17.1"/>
-         <call control-id="ac-17.2"/>
-         <call control-id="ac-17.3"/>
-         <call control-id="ac-17.4"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-18.1"/>
-         <call control-id="ac-18.4"/>
-         <call control-id="ac-18.5"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-19.5"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-20.1"/>
-         <call control-id="ac-20.2"/>
-         <call control-id="ac-21"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-2.2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-2.3"/>
-         <call control-id="au-3"/>
-         <call control-id="au-3.1"/>
-         <call control-id="au-3.2"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-5.1"/>
-         <call control-id="au-5.2"/>
-         <call control-id="au-6"/>
-         <call control-id="au-6.1"/>
-         <call control-id="au-6.3"/>
-         <call control-id="au-6.5"/>
-         <call control-id="au-6.6"/>
-         <call control-id="au-7"/>
-         <call control-id="au-7.1"/>
-         <call control-id="au-8"/>
-         <call control-id="au-8.1"/>
-         <call control-id="au-9"/>
-         <call control-id="au-9.2"/>
-         <call control-id="au-9.3"/>
-         <call control-id="au-9.4"/>
-         <call control-id="au-10"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="au-12.1"/>
-         <call control-id="au-12.3"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-2.2"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-3.5"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-7.1"/>
-         <call control-id="ca-8"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-2.1"/>
-         <call control-id="cm-2.2"/>
-         <call control-id="cm-2.3"/>
-         <call control-id="cm-2.7"/>
-         <call control-id="cm-3"/>
-         <call control-id="cm-3.1"/>
-         <call control-id="cm-3.2"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-4.1"/>
-         <call control-id="cm-5"/>
-         <call control-id="cm-5.1"/>
-         <call control-id="cm-5.2"/>
-         <call control-id="cm-5.3"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-6.1"/>
-         <call control-id="cm-6.2"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-7.1"/>
-         <call control-id="cm-7.2"/>
-         <call control-id="cm-7.5"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-8.1"/>
-         <call control-id="cm-8.2"/>
-         <call control-id="cm-8.3"/>
-         <call control-id="cm-8.4"/>
-         <call control-id="cm-8.5"/>
-         <call control-id="cm-9"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-2.1"/>
-         <call control-id="cp-2.2"/>
-         <call control-id="cp-2.3"/>
-         <call control-id="cp-2.4"/>
-         <call control-id="cp-2.5"/>
-         <call control-id="cp-2.8"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-3.1"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-4.1"/>
-         <call control-id="cp-4.2"/>
-         <call control-id="cp-6"/>
-         <call control-id="cp-6.1"/>
-         <call control-id="cp-6.2"/>
-         <call control-id="cp-6.3"/>
-         <call control-id="cp-7"/>
-         <call control-id="cp-7.1"/>
-         <call control-id="cp-7.2"/>
-         <call control-id="cp-7.3"/>
-         <call control-id="cp-7.4"/>
-         <call control-id="cp-8"/>
-         <call control-id="cp-8.1"/>
-         <call control-id="cp-8.2"/>
-         <call control-id="cp-8.3"/>
-         <call control-id="cp-8.4"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-9.1"/>
-         <call control-id="cp-9.2"/>
-         <call control-id="cp-9.3"/>
-         <call control-id="cp-9.5"/>
-         <call control-id="cp-10"/>
-         <call control-id="cp-10.2"/>
-         <call control-id="cp-10.4"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.2"/>
-         <call control-id="ia-2.3"/>
-         <call control-id="ia-2.4"/>
-         <call control-id="ia-2.8"/>
-         <call control-id="ia-2.9"/>
-         <call control-id="ia-2.11"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-3"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.2"/>
-         <call control-id="ia-5.3"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-2.1"/>
-         <call control-id="ir-2.2"/>
-         <call control-id="ir-3"/>
-         <call control-id="ir-3.2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-4.1"/>
-         <call control-id="ir-4.4"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-5.1"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-6.1"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-7.1"/>
-         <call control-id="ir-8"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-2.2"/>
-         <call control-id="ma-3"/>
-         <call control-id="ma-3.1"/>
-         <call control-id="ma-3.2"/>
-         <call control-id="ma-3.3"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-4.2"/>
-         <call control-id="ma-4.3"/>
-         <call control-id="ma-5"/>
-         <call control-id="ma-5.1"/>
-         <call control-id="ma-6"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-3"/>
-         <call control-id="mp-4"/>
-         <call control-id="mp-5"/>
-         <call control-id="mp-5.4"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-6.1"/>
-         <call control-id="mp-6.2"/>
-         <call control-id="mp-6.3"/>
-         <call control-id="mp-7"/>
-         <call control-id="mp-7.1"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-3.1"/>
-         <call control-id="pe-4"/>
-         <call control-id="pe-5"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-6.1"/>
-         <call control-id="pe-6.4"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-8.1"/>
-         <call control-id="pe-9"/>
-         <call control-id="pe-10"/>
-         <call control-id="pe-11"/>
-         <call control-id="pe-11.1"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-13.1"/>
-         <call control-id="pe-13.2"/>
-         <call control-id="pe-13.3"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-15.1"/>
-         <call control-id="pe-16"/>
-         <call control-id="pe-17"/>
-         <call control-id="pe-18"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-2.3"/>
-         <call control-id="pl-4"/>
-         <call control-id="pl-4.1"/>
-         <call control-id="pl-8"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-4.2"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="ra-5.1"/>
-         <call control-id="ra-5.2"/>
-         <call control-id="ra-5.4"/>
-         <call control-id="ra-5.5"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.1"/>
-         <call control-id="sa-4.2"/>
-         <call control-id="sa-4.9"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-8"/>
-         <call control-id="sa-9"/>
-         <call control-id="sa-9.2"/>
-         <call control-id="sa-10"/>
-         <call control-id="sa-11"/>
-         <call control-id="sa-12"/>
-         <call control-id="sa-15"/>
-         <call control-id="sa-16"/>
-         <call control-id="sa-17"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-2"/>
-         <call control-id="sc-3"/>
-         <call control-id="sc-4"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-7.3"/>
-         <call control-id="sc-7.4"/>
-         <call control-id="sc-7.5"/>
-         <call control-id="sc-7.7"/>
-         <call control-id="sc-7.8"/>
-         <call control-id="sc-7.18"/>
-         <call control-id="sc-7.21"/>
-         <call control-id="sc-8"/>
-         <call control-id="sc-8.1"/>
-         <call control-id="sc-10"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-12.1"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-17"/>
-         <call control-id="sc-18"/>
-         <call control-id="sc-19"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-23"/>
-         <call control-id="sc-24"/>
-         <call control-id="sc-28"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-2.1"/>
-         <call control-id="si-2.2"/>
-         <call control-id="si-3"/>
-         <call control-id="si-3.1"/>
-         <call control-id="si-3.2"/>
-         <call control-id="si-4"/>
-         <call control-id="si-4.2"/>
-         <call control-id="si-4.4"/>
-         <call control-id="si-4.5"/>
-         <call control-id="si-5"/>
-         <call control-id="si-5.1"/>
-         <call control-id="si-6"/>
-         <call control-id="si-7"/>
-         <call control-id="si-7.1"/>
-         <call control-id="si-7.2"/>
-         <call control-id="si-7.5"/>
-         <call control-id="si-7.7"/>
-         <call control-id="si-7.14"/>
-         <call control-id="si-8"/>
-         <call control-id="si-8.1"/>
-         <call control-id="si-8.2"/>
-         <call control-id="si-10"/>
-         <call control-id="si-11"/>
-         <call control-id="si-12"/>
-         <call control-id="si-16"/>
-      </include>
-   </import>
-   <merge>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <alter control-id="ac-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-10">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-12">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-21">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-10">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-8">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-6">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-3">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-11">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-17">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-18">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-15">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-16">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-17">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-10">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-17">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-18">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-19">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-23">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-24">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="si-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-11">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="si-16">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="f52e1458-7a97-49fd-8189-6af6a4e7051b">
-         <desc>NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal
-            Information Systems and Organizations</desc>
-         <rlink href="NIST_SP-800-53_rev4_catalog.xml"
-                media-type="application/oscal.catalog+xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml
deleted file mode 100644
index 7cf977f01c..0000000000
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml
+++ /dev/null
@@ -1,754 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Modified by conversion XSLT 2020-06-01T15:51:17.731-04:00 - UUIDs refreshed -->
-<!-- Produced by SP800-53-profile-with-filter.xsl 2018-05-14-04:00
-        runtime parameter settings: $baseline='LOW'-->
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="13172679-d468-4a88-8d7f-3afdeffedff8">
-   <metadata>
-      <title>NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE</title>
-      <last-modified>2020-05-29T23:29:27.272-04:00</last-modified>
-      <version>2015-01-22</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="creator">
-         <title>Document Creator</title>
-      </role>
-      <role id="contact">
-         <title>Contact</title>
-      </role>
-      <party uuid="96310e12-f661-41a7-bed9-842b6a931875" type="organization">
-         <party-name>Joint Task Force, Transformation Initiative</party-name>
-         <address>
-            <addr-line>National Institute of Standards and Technology</addr-line>
-            <addr-line>Attn: Computer Security Division</addr-line>
-            <addr-line>Information Technology Laboratory</addr-line>
-            <addr-line>100 Bureau Drive (Mail Stop 8930)</addr-line>
-            <city>Gaithersburg</city>
-            <state>MD</state>
-            <postal-code>20899-8930</postal-code>
-         </address>
-         <email>sec-cert@nist.gov</email>
-      </party>
-      <responsible-party role-id="creator">
-         <party-uuid>fcde62b1-8cce-4a57-a26b-b07ad2865ae1</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="contact">
-         <party-uuid>fcde62b1-8cce-4a57-a26b-b07ad2865ae1</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#31dbc4f2-c0e6-4e85-9cf4-b5d4843a32e8">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-3"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-6"/>
-         <call control-id="au-8"/>
-         <call control-id="au-9"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-10"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-8"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-5"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-7"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-16"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-4"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-9"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-3"/>
-         <call control-id="si-4"/>
-         <call control-id="si-5"/>
-         <call control-id="si-12"/>
-      </include>
-   </import>
-   <merge>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <alter control-id="ac-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="31dbc4f2-c0e6-4e85-9cf4-b5d4843a32e8">
-         <desc>NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal
-            Information Systems and Organizations</desc>
-         <rlink href="NIST_SP-800-53_rev4_catalog.xml"
-                media-type="application/oscal.catalog+xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml
deleted file mode 100644
index b0f3ec3cb6..0000000000
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml
+++ /dev/null
@@ -1,1111 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Modified by conversion XSLT 2020-06-01T15:50:56.121-04:00 - UUIDs refreshed -->
-<!-- Produced by SP800-53-profile-with-filter.xsl 2018-05-14-04:00
-        runtime parameter settings: $baseline='MODERATE'-->
-<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="f5c7fb3c-b4d8-49ff-9ebf-cd6d484c2d7b">
-   <metadata>
-      <title>NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE</title>
-      <last-modified>2020-05-29T23:29:27.272-04:00</last-modified>
-      <version>2015-01-22</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <role id="creator">
-         <title>Document Creator</title>
-      </role>
-      <role id="contact">
-         <title>Contact</title>
-      </role>
-      <party uuid="29dd471e-7206-4388-857b-47673c04c4c9" type="organization">
-         <party-name>Joint Task Force, Transformation Initiative</party-name>
-         <address>
-            <addr-line>National Institute of Standards and Technology</addr-line>
-            <addr-line>Attn: Computer Security Division</addr-line>
-            <addr-line>Information Technology Laboratory</addr-line>
-            <addr-line>100 Bureau Drive (Mail Stop 8930)</addr-line>
-            <city>Gaithersburg</city>
-            <state>MD</state>
-            <postal-code>20899-8930</postal-code>
-         </address>
-         <email>sec-cert@nist.gov</email>
-      </party>
-      <responsible-party role-id="creator">
-         <party-uuid>316876e2-5c7b-4a60-a488-2ed977238f04</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="contact">
-         <party-uuid>316876e2-5c7b-4a60-a488-2ed977238f04</party-uuid>
-      </responsible-party>
-   </metadata>
-   <import href="#dc380596-027f-423b-83f2-82757554ee27">
-      <include>
-         <call control-id="ac-1"/>
-         <call control-id="ac-2"/>
-         <call control-id="ac-2.1"/>
-         <call control-id="ac-2.2"/>
-         <call control-id="ac-2.3"/>
-         <call control-id="ac-2.4"/>
-         <call control-id="ac-3"/>
-         <call control-id="ac-4"/>
-         <call control-id="ac-5"/>
-         <call control-id="ac-6"/>
-         <call control-id="ac-6.1"/>
-         <call control-id="ac-6.2"/>
-         <call control-id="ac-6.5"/>
-         <call control-id="ac-6.9"/>
-         <call control-id="ac-6.10"/>
-         <call control-id="ac-7"/>
-         <call control-id="ac-8"/>
-         <call control-id="ac-11"/>
-         <call control-id="ac-11.1"/>
-         <call control-id="ac-12"/>
-         <call control-id="ac-14"/>
-         <call control-id="ac-17"/>
-         <call control-id="ac-17.1"/>
-         <call control-id="ac-17.2"/>
-         <call control-id="ac-17.3"/>
-         <call control-id="ac-17.4"/>
-         <call control-id="ac-18"/>
-         <call control-id="ac-18.1"/>
-         <call control-id="ac-19"/>
-         <call control-id="ac-19.5"/>
-         <call control-id="ac-20"/>
-         <call control-id="ac-20.1"/>
-         <call control-id="ac-20.2"/>
-         <call control-id="ac-21"/>
-         <call control-id="ac-22"/>
-         <call control-id="at-1"/>
-         <call control-id="at-2"/>
-         <call control-id="at-2.2"/>
-         <call control-id="at-3"/>
-         <call control-id="at-4"/>
-         <call control-id="au-1"/>
-         <call control-id="au-2"/>
-         <call control-id="au-2.3"/>
-         <call control-id="au-3"/>
-         <call control-id="au-3.1"/>
-         <call control-id="au-4"/>
-         <call control-id="au-5"/>
-         <call control-id="au-6"/>
-         <call control-id="au-6.1"/>
-         <call control-id="au-6.3"/>
-         <call control-id="au-7"/>
-         <call control-id="au-7.1"/>
-         <call control-id="au-8"/>
-         <call control-id="au-8.1"/>
-         <call control-id="au-9"/>
-         <call control-id="au-9.4"/>
-         <call control-id="au-11"/>
-         <call control-id="au-12"/>
-         <call control-id="ca-1"/>
-         <call control-id="ca-2"/>
-         <call control-id="ca-2.1"/>
-         <call control-id="ca-3"/>
-         <call control-id="ca-3.5"/>
-         <call control-id="ca-5"/>
-         <call control-id="ca-6"/>
-         <call control-id="ca-7"/>
-         <call control-id="ca-7.1"/>
-         <call control-id="ca-9"/>
-         <call control-id="cm-1"/>
-         <call control-id="cm-2"/>
-         <call control-id="cm-2.1"/>
-         <call control-id="cm-2.3"/>
-         <call control-id="cm-2.7"/>
-         <call control-id="cm-3"/>
-         <call control-id="cm-3.2"/>
-         <call control-id="cm-4"/>
-         <call control-id="cm-5"/>
-         <call control-id="cm-6"/>
-         <call control-id="cm-7"/>
-         <call control-id="cm-7.1"/>
-         <call control-id="cm-7.2"/>
-         <call control-id="cm-7.4"/>
-         <call control-id="cm-8"/>
-         <call control-id="cm-8.1"/>
-         <call control-id="cm-8.3"/>
-         <call control-id="cm-8.5"/>
-         <call control-id="cm-9"/>
-         <call control-id="cm-10"/>
-         <call control-id="cm-11"/>
-         <call control-id="cp-1"/>
-         <call control-id="cp-2"/>
-         <call control-id="cp-2.1"/>
-         <call control-id="cp-2.3"/>
-         <call control-id="cp-2.8"/>
-         <call control-id="cp-3"/>
-         <call control-id="cp-4"/>
-         <call control-id="cp-4.1"/>
-         <call control-id="cp-6"/>
-         <call control-id="cp-6.1"/>
-         <call control-id="cp-6.3"/>
-         <call control-id="cp-7"/>
-         <call control-id="cp-7.1"/>
-         <call control-id="cp-7.2"/>
-         <call control-id="cp-7.3"/>
-         <call control-id="cp-8"/>
-         <call control-id="cp-8.1"/>
-         <call control-id="cp-8.2"/>
-         <call control-id="cp-9"/>
-         <call control-id="cp-9.1"/>
-         <call control-id="cp-10"/>
-         <call control-id="cp-10.2"/>
-         <call control-id="ia-1"/>
-         <call control-id="ia-2"/>
-         <call control-id="ia-2.1"/>
-         <call control-id="ia-2.2"/>
-         <call control-id="ia-2.3"/>
-         <call control-id="ia-2.8"/>
-         <call control-id="ia-2.11"/>
-         <call control-id="ia-2.12"/>
-         <call control-id="ia-3"/>
-         <call control-id="ia-4"/>
-         <call control-id="ia-5"/>
-         <call control-id="ia-5.1"/>
-         <call control-id="ia-5.2"/>
-         <call control-id="ia-5.3"/>
-         <call control-id="ia-5.11"/>
-         <call control-id="ia-6"/>
-         <call control-id="ia-7"/>
-         <call control-id="ia-8"/>
-         <call control-id="ia-8.1"/>
-         <call control-id="ia-8.2"/>
-         <call control-id="ia-8.3"/>
-         <call control-id="ia-8.4"/>
-         <call control-id="ir-1"/>
-         <call control-id="ir-2"/>
-         <call control-id="ir-3"/>
-         <call control-id="ir-3.2"/>
-         <call control-id="ir-4"/>
-         <call control-id="ir-4.1"/>
-         <call control-id="ir-5"/>
-         <call control-id="ir-6"/>
-         <call control-id="ir-6.1"/>
-         <call control-id="ir-7"/>
-         <call control-id="ir-7.1"/>
-         <call control-id="ir-8"/>
-         <call control-id="ma-1"/>
-         <call control-id="ma-2"/>
-         <call control-id="ma-3"/>
-         <call control-id="ma-3.1"/>
-         <call control-id="ma-3.2"/>
-         <call control-id="ma-4"/>
-         <call control-id="ma-4.2"/>
-         <call control-id="ma-5"/>
-         <call control-id="ma-6"/>
-         <call control-id="mp-1"/>
-         <call control-id="mp-2"/>
-         <call control-id="mp-3"/>
-         <call control-id="mp-4"/>
-         <call control-id="mp-5"/>
-         <call control-id="mp-5.4"/>
-         <call control-id="mp-6"/>
-         <call control-id="mp-7"/>
-         <call control-id="mp-7.1"/>
-         <call control-id="pe-1"/>
-         <call control-id="pe-2"/>
-         <call control-id="pe-3"/>
-         <call control-id="pe-4"/>
-         <call control-id="pe-5"/>
-         <call control-id="pe-6"/>
-         <call control-id="pe-6.1"/>
-         <call control-id="pe-8"/>
-         <call control-id="pe-9"/>
-         <call control-id="pe-10"/>
-         <call control-id="pe-11"/>
-         <call control-id="pe-12"/>
-         <call control-id="pe-13"/>
-         <call control-id="pe-13.3"/>
-         <call control-id="pe-14"/>
-         <call control-id="pe-15"/>
-         <call control-id="pe-16"/>
-         <call control-id="pe-17"/>
-         <call control-id="pl-1"/>
-         <call control-id="pl-2"/>
-         <call control-id="pl-2.3"/>
-         <call control-id="pl-4"/>
-         <call control-id="pl-4.1"/>
-         <call control-id="pl-8"/>
-         <call control-id="ps-1"/>
-         <call control-id="ps-2"/>
-         <call control-id="ps-3"/>
-         <call control-id="ps-4"/>
-         <call control-id="ps-5"/>
-         <call control-id="ps-6"/>
-         <call control-id="ps-7"/>
-         <call control-id="ps-8"/>
-         <call control-id="ra-1"/>
-         <call control-id="ra-2"/>
-         <call control-id="ra-3"/>
-         <call control-id="ra-5"/>
-         <call control-id="ra-5.1"/>
-         <call control-id="ra-5.2"/>
-         <call control-id="ra-5.5"/>
-         <call control-id="sa-1"/>
-         <call control-id="sa-2"/>
-         <call control-id="sa-3"/>
-         <call control-id="sa-4"/>
-         <call control-id="sa-4.1"/>
-         <call control-id="sa-4.2"/>
-         <call control-id="sa-4.9"/>
-         <call control-id="sa-4.10"/>
-         <call control-id="sa-5"/>
-         <call control-id="sa-8"/>
-         <call control-id="sa-9"/>
-         <call control-id="sa-9.2"/>
-         <call control-id="sa-10"/>
-         <call control-id="sa-11"/>
-         <call control-id="sc-1"/>
-         <call control-id="sc-2"/>
-         <call control-id="sc-4"/>
-         <call control-id="sc-5"/>
-         <call control-id="sc-7"/>
-         <call control-id="sc-7.3"/>
-         <call control-id="sc-7.4"/>
-         <call control-id="sc-7.5"/>
-         <call control-id="sc-7.7"/>
-         <call control-id="sc-8"/>
-         <call control-id="sc-8.1"/>
-         <call control-id="sc-10"/>
-         <call control-id="sc-12"/>
-         <call control-id="sc-13"/>
-         <call control-id="sc-15"/>
-         <call control-id="sc-17"/>
-         <call control-id="sc-18"/>
-         <call control-id="sc-19"/>
-         <call control-id="sc-20"/>
-         <call control-id="sc-21"/>
-         <call control-id="sc-22"/>
-         <call control-id="sc-23"/>
-         <call control-id="sc-28"/>
-         <call control-id="sc-39"/>
-         <call control-id="si-1"/>
-         <call control-id="si-2"/>
-         <call control-id="si-2.2"/>
-         <call control-id="si-3"/>
-         <call control-id="si-3.1"/>
-         <call control-id="si-3.2"/>
-         <call control-id="si-4"/>
-         <call control-id="si-4.2"/>
-         <call control-id="si-4.4"/>
-         <call control-id="si-4.5"/>
-         <call control-id="si-5"/>
-         <call control-id="si-7"/>
-         <call control-id="si-7.1"/>
-         <call control-id="si-7.7"/>
-         <call control-id="si-8"/>
-         <call control-id="si-8.1"/>
-         <call control-id="si-8.2"/>
-         <call control-id="si-10"/>
-         <call control-id="si-11"/>
-         <call control-id="si-12"/>
-         <call control-id="si-16"/>
-      </include>
-   </import>
-   <merge>
-      <as-is>true</as-is>
-   </merge>
-   <modify>
-      <alter control-id="ac-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-11">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-12">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-14">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-17">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-18">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-19">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-20">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-21">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ac-22">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="at-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="at-4">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="au-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="au-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="au-11">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="au-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-5">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-6">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ca-9">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-10">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cm-11">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-3">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="cp-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-6">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ia-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-3">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-7">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ir-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-2">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-3">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ma-6">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-3">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="mp-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-6">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-8">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-11">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-13">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-14">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-15">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-16">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pe-17">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-4">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="pl-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-6">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ps-8">
-         <add position="starting">
-            <prop name="priority">P3</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="ra-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-5">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-9">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sa-11">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-8">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-10">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-12">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-13">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-15">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-17">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-18">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-19">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-20">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-21">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-22">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-23">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-28">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="sc-39">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-1">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-2">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-3">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-4">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-5">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-7">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-8">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="si-10">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-      <alter control-id="si-11">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="si-12">
-         <add position="starting">
-            <prop name="priority">P2</prop>
-         </add>
-      </alter>
-      <alter control-id="si-16">
-         <add position="starting">
-            <prop name="priority">P1</prop>
-         </add>
-      </alter>
-   </modify>
-   <back-matter>
-      <resource uuid="dc380596-027f-423b-83f2-82757554ee27">
-         <desc>NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal
-            Information Systems and Organizations</desc>
-         <rlink href="NIST_SP-800-53_rev4_catalog.xml"
-                media-type="application/oscal.catalog+xml"/>
-      </resource>
-   </back-matter>
-</profile>
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml
deleted file mode 100644
index f77274018c..0000000000
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml
+++ /dev/null
@@ -1,67541 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Modified by conversion XSLT 2020-06-01T15:02:07.981-04:00 - UUIDs refreshed -->
-<!-- XML produced by extraction/mapping from NVD XML 2018-11-02T16:55:46.916-04:00 -->
-<!-- Subsequently updated by hand (2018-12-10, 2019-05-16, 2019-05-29, 2019-08-17, 2019-08-23, 2019-09-13, 2019-09-23) -->
-<!-- Valid against the OSCAL catalog schema (project path /xml/schema/oscal-catalog-schema.xsd) -->
-<!-- Modified by conversion XSLT 2020-02-04T14:55:16.051-05:00 - Milestone 2 OSCAL becomes Milestone 3 OSCAL  - -->
-<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="26a2a133-f395-432c-b2ad-77d23a23ca4e">
-   <metadata>
-      <title>NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal
-         Information Systems and Organizations</title>
-      <last-modified>2020-05-29T23:29:27.272-04:00</last-modified>
-      <version>2015-01-22</version>
-      <oscal-version>1.0.0-milestone3</oscal-version>
-      <prop name="keywords">Assurance, computer security, FISMA, Privacy Act, Risk Management Framework, security controls, security requirements</prop>
-      <link rel="alternate" href="#16b3b234-3406-44dc-8645-7da61b6e81f1">NIST publication (PDF)</link>
-      <link rel="canonical" href="#fb81fb1c-165e-43a4-8264-1dfd3182b630">NIST publication via DOI lookup</link>
-      <role id="creator">
-         <title>Document creator</title>
-      </role>
-      <role id="contact">
-         <title>Contact</title>
-      </role>
-      <party type="organization" uuid="93122cb0-95bc-4fdb-8b48-85ff60f9509b">
-         <party-name>Joint Task Force, Transformation Initiative</party-name>
-         <address>
-            <addr-line>National Institute of Standards and Technology</addr-line>
-            <addr-line>Attn: Computer Security Division</addr-line>
-            <addr-line>Information Technology Laboratory</addr-line>
-            <addr-line>100 Bureau Drive (Mail Stop 8930)</addr-line>
-            <city>Gaithersburg</city>
-            <state>MD</state>
-            <postal-code>20899-8930</postal-code>
-         </address>
-         <email>sec-cert@nist.gov</email>
-      </party>
-      <responsible-party role-id="creator">
-         <party-uuid>c6d77a50-e52e-4399-8a57-896d4807952f</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="contact">
-         <party-uuid>c6d77a50-e52e-4399-8a57-896d4807952f</party-uuid>
-      </responsible-party>
-   </metadata>
-   <group class="family" id="ac">
-      <title>Access Control</title>
-      <control class="SP800-53" id="ac-1">
-         <title>Access Control Policy and Procedures</title>
-         <param id="ac-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ac-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-1</prop>
-         <prop name="sort-id">ac-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ac-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ac-1_prm_1"/>:</p>
-               <part id="ac-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An access control policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ac-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the access control policy and
-                     associated access controls; and</p>
-               </part>
-            </part>
-            <part id="ac-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ac-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Access control policy <insert param-id="ac-1_prm_2"/>; and</p>
-               </part>
-               <part id="ac-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Access control procedures <insert param-id="ac-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ac-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-1.a_obj" name="objective">
-               <prop name="label">AC-1(a)</prop>
-               <part id="ac-1.a.1_obj" name="objective">
-                  <prop name="label">AC-1(a)(1)</prop>
-                  <part id="ac-1.a.1_obj.1" name="objective">
-                     <prop name="label">AC-1(a)(1)[1]</prop>
-                     <p>develops and documents an access control policy that addresses:</p>
-                     <part id="ac-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ac-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ac-1.a.1_obj.2" name="objective">
-                     <prop name="label">AC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the access control policy are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.1_obj.3" name="objective">
-                     <prop name="label">AC-1(a)(1)[3]</prop>
-                     <p>disseminates the access control policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ac-1.a.2_obj" name="objective">
-                  <prop name="label">AC-1(a)(2)</prop>
-                  <part id="ac-1.a.2_obj.1" name="objective">
-                     <prop name="label">AC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        access control policy and associated access control controls;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.2" name="objective">
-                     <prop name="label">AC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ac-1.a.2_obj.3" name="objective">
-                     <prop name="label">AC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-1.b_obj" name="objective">
-               <prop name="label">AC-1(b)</prop>
-               <part id="ac-1.b.1_obj" name="objective">
-                  <prop name="label">AC-1(b)(1)</prop>
-                  <part id="ac-1.b.1_obj.1" name="objective">
-                     <prop name="label">AC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        policy;</p>
-                  </part>
-                  <part id="ac-1.b.1_obj.2" name="objective">
-                     <prop name="label">AC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current access control policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ac-1.b.2_obj" name="objective">
-                  <prop name="label">AC-1(b)(2)</prop>
-                  <part id="ac-1.b.2_obj.1" name="objective">
-                     <prop name="label">AC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current access control
-                        procedures; and</p>
-                  </part>
-                  <part id="ac-1.b.2_obj.2" name="objective">
-                     <prop name="label">AC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current access control procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-2">
-         <title>Account Management</title>
-         <param id="ac-2_prm_1">
-            <label>organization-defined information system account types</label>
-         </param>
-         <param id="ac-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-2_prm_3">
-            <label>organization-defined procedures or conditions</label>
-         </param>
-         <param id="ac-2_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-2</prop>
-         <prop name="sort-id">ac-02</prop>
-         <part id="ac-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies and selects the following types of information system accounts to
-                  support organizational missions/business functions: <insert param-id="ac-2_prm_1"/>;</p>
-            </part>
-            <part id="ac-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Specifies authorized users of the information system, group and role membership,
-                  and access authorizations (i.e., privileges) and other attributes (as required)
-                  for each account;</p>
-            </part>
-            <part id="ac-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requires approvals by <insert param-id="ac-2_prm_2"/> for requests to create
-                  information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Creates, enables, modifies, disables, and removes information system accounts in
-                  accordance with <insert param-id="ac-2_prm_3"/>;</p>
-            </part>
-            <part id="ac-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Notifies account managers:</p>
-               <part id="ac-2_smt.h.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>When accounts are no longer required;</p>
-               </part>
-               <part id="ac-2_smt.h.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>When users are terminated or transferred; and</p>
-               </part>
-               <part id="ac-2_smt.h.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>When individual information system usage or need-to-know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Authorizes access to the information system based on:</p>
-               <part id="ac-2_smt.i.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A valid access authorization;</p>
-               </part>
-               <part id="ac-2_smt.i.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Intended system usage; and</p>
-               </part>
-               <part id="ac-2_smt.i.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Reviews accounts for compliance with account management requirements <insert param-id="ac-2_prm_4"/>; and</p>
-            </part>
-            <part id="ac-2_smt.k" name="item">
-               <prop name="label">k.</prop>
-               <p>Establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part id="ac-2_gdn" name="guidance">
-            <p>Information system account types include, for example, individual, shared, group,
-               system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and
-               service. Some of the account management requirements listed above can be implemented
-               by organizational information systems. The identification of authorized users of the
-               information system and the specification of access privileges reflects the
-               requirements in other security controls in the security plan. Users requiring
-               administrative privileges on information system accounts receive additional scrutiny
-               by appropriate organizational personnel (e.g., system owner, mission/business owner,
-               or chief information security officer) responsible for approving such accounts and
-               privileged access. Organizations may choose to define access privileges or other
-               attributes by account, by type of account, or a combination of both. Other attributes
-               required for authorizing access include, for example, restrictions on time-of-day,
-               day-of-week, and point-of-origin. In defining other account attributes, organizations
-               consider system-related requirements (e.g., scheduled maintenance, system upgrades)
-               and mission/business requirements, (e.g., time zone differences, customer
-               requirements, remote access to support travel requirements). Failure to consider
-               these factors could affect information system availability. Temporary and emergency
-               accounts are accounts intended for short-term use. Organizations establish temporary
-               accounts as a part of normal account activation procedures when there is a need for
-               short-term accounts without the demand for immediacy in account activation.
-               Organizations establish emergency accounts in response to crisis situations and with
-               the need for rapid account activation. Therefore, emergency account activation may
-               bypass normal account authorization processes. Emergency and temporary accounts are
-               not to be confused with infrequently used accounts (e.g., local logon accounts used
-               for special tasks defined by organizations or when network resources are
-               unavailable). Such accounts remain available and are not subject to automatic
-               disabling or removal dates. Conditions for disabling or deactivating accounts
-               include, for example: (i) when shared/group, emergency, or temporary accounts are no
-               longer required; or (ii) when individuals are transferred or terminated. Some types
-               of information system accounts may require specialized training.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-10">AC-10</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ac-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-2.a_obj" name="objective">
-               <prop name="label">AC-2(a)</prop>
-               <part id="ac-2.a_obj.1" name="objective">
-                  <prop name="label">AC-2(a)[1]</prop>
-                  <p>defines information system account types to be identified and selected to
-                     support organizational missions/business functions;</p>
-               </part>
-               <part id="ac-2.a_obj.2" name="objective">
-                  <prop name="label">AC-2(a)[2]</prop>
-                  <p>identifies and selects organization-defined information system account types to
-                     support organizational missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.b_obj" name="objective">
-               <prop name="label">AC-2(b)</prop>
-               <p>assigns account managers for information system accounts;</p>
-            </part>
-            <part id="ac-2.c_obj" name="objective">
-               <prop name="label">AC-2(c)</prop>
-               <p>establishes conditions for group and role membership;</p>
-            </part>
-            <part id="ac-2.d_obj" name="objective">
-               <prop name="label">AC-2(d)</prop>
-               <p>specifies for each account (as required):</p>
-               <part id="ac-2.d_obj.1" name="objective">
-                  <prop name="label">AC-2(d)[1]</prop>
-                  <p>authorized users of the information system;</p>
-               </part>
-               <part id="ac-2.d_obj.2" name="objective">
-                  <prop name="label">AC-2(d)[2]</prop>
-                  <p>group and role membership;</p>
-               </part>
-               <part id="ac-2.d_obj.3" name="objective">
-                  <prop name="label">AC-2(d)[3]</prop>
-                  <p>access authorizations (i.e., privileges);</p>
-               </part>
-               <part id="ac-2.d_obj.4" name="objective">
-                  <prop name="label">AC-2(d)[4]</prop>
-                  <p>other attributes;</p>
-               </part>
-            </part>
-            <part id="ac-2.e_obj" name="objective">
-               <prop name="label">AC-2(e)</prop>
-               <part id="ac-2.e_obj.1" name="objective">
-                  <prop name="label">AC-2(e)[1]</prop>
-                  <p>defines personnel or roles required to approve requests to create information
-                     system accounts;</p>
-               </part>
-               <part id="ac-2.e_obj.2" name="objective">
-                  <prop name="label">AC-2(e)[2]</prop>
-                  <p>requires approvals by organization-defined personnel or roles for requests to
-                     create information system accounts;</p>
-               </part>
-            </part>
-            <part id="ac-2.f_obj" name="objective">
-               <prop name="label">AC-2(f)</prop>
-               <part id="ac-2.f_obj.1" name="objective">
-                  <prop name="label">AC-2(f)[1]</prop>
-                  <p>defines procedures or conditions to:</p>
-                  <part id="ac-2.f_obj.1.a" name="objective">
-                     <prop name="label">AC-2(f)[1][a]</prop>
-                     <p>create information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.b" name="objective">
-                     <prop name="label">AC-2(f)[1][b]</prop>
-                     <p>enable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.c" name="objective">
-                     <prop name="label">AC-2(f)[1][c]</prop>
-                     <p>modify information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.d" name="objective">
-                     <prop name="label">AC-2(f)[1][d]</prop>
-                     <p>disable information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.1.e" name="objective">
-                     <prop name="label">AC-2(f)[1][e]</prop>
-                     <p>remove information system accounts;</p>
-                  </part>
-               </part>
-               <part id="ac-2.f_obj.2" name="objective">
-                  <prop name="label">AC-2(f)[2]</prop>
-                  <p>in accordance with organization-defined procedures or conditions:</p>
-                  <part id="ac-2.f_obj.2.a" name="objective">
-                     <prop name="label">AC-2(f)[2][a]</prop>
-                     <p>creates information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.b" name="objective">
-                     <prop name="label">AC-2(f)[2][b]</prop>
-                     <p>enables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.c" name="objective">
-                     <prop name="label">AC-2(f)[2][c]</prop>
-                     <p>modifies information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.d" name="objective">
-                     <prop name="label">AC-2(f)[2][d]</prop>
-                     <p>disables information system accounts;</p>
-                  </part>
-                  <part id="ac-2.f_obj.2.e" name="objective">
-                     <prop name="label">AC-2(f)[2][e]</prop>
-                     <p>removes information system accounts;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-2.g_obj" name="objective">
-               <prop name="label">AC-2(g)</prop>
-               <p>monitors the use of information system accounts;</p>
-            </part>
-            <part id="ac-2.h_obj" name="objective">
-               <prop name="label">AC-2(h)</prop>
-               <p>notifies account managers:</p>
-               <part id="ac-2.h.1_obj" name="objective">
-                  <prop name="label">AC-2(h)(1)</prop>
-                  <p>when accounts are no longer required;</p>
-               </part>
-               <part id="ac-2.h.2_obj" name="objective">
-                  <prop name="label">AC-2(h)(2)</prop>
-                  <p>when users are terminated or transferred;</p>
-               </part>
-               <part id="ac-2.h.3_obj" name="objective">
-                  <prop name="label">AC-2(h)(3)</prop>
-                  <p>when individual information system usage or need to know changes;</p>
-               </part>
-            </part>
-            <part id="ac-2.i_obj" name="objective">
-               <prop name="label">AC-2(i)</prop>
-               <p>authorizes access to the information system based on;</p>
-               <part id="ac-2.i.1_obj" name="objective">
-                  <prop name="label">AC-2(i)(1)</prop>
-                  <p>a valid access authorization;</p>
-               </part>
-               <part id="ac-2.i.2_obj" name="objective">
-                  <prop name="label">AC-2(i)(2)</prop>
-                  <p>intended system usage;</p>
-               </part>
-               <part id="ac-2.i.3_obj" name="objective">
-                  <prop name="label">AC-2(i)(3)</prop>
-                  <p>other attributes as required by the organization or associated
-                     missions/business functions;</p>
-               </part>
-            </part>
-            <part id="ac-2.j_obj" name="objective">
-               <prop name="label">AC-2(j)</prop>
-               <part id="ac-2.j_obj.1" name="objective">
-                  <prop name="label">AC-2(j)[1]</prop>
-                  <p>defines the frequency to review accounts for compliance with account management
-                     requirements;</p>
-               </part>
-               <part id="ac-2.j_obj.2" name="objective">
-                  <prop name="label">AC-2(j)[2]</prop>
-                  <p>reviews accounts for compliance with account management requirements with the
-                     organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="ac-2.k_obj" name="objective">
-               <prop name="label">AC-2(k)</prop>
-               <p>establishes a process for reissuing shared/group account credentials (if deployed)
-                  when individuals are removed from the group.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of active system accounts along with the name of the individual associated
-                  with each account</p>
-               <p>list of conditions for group and role membership</p>
-               <p>notifications or records of recently transferred, separated, or terminated
-                  employees</p>
-               <p>list of recently disabled information system accounts along with the name of the
-                  individual associated with each account</p>
-               <p>access authorization records</p>
-               <p>account management compliance reviews</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes account management on the information system</p>
-               <p>automated mechanisms for implementing account management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-2.1">
-            <title>Automated System Account Management</title>
-            <prop name="label">AC-2(1)</prop>
-            <prop name="sort-id">ac-02.01</prop>
-            <part id="ac-2.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to support the management of
-                  information system accounts.</p>
-            </part>
-            <part id="ac-2.1_gdn" name="guidance">
-               <p>The use of automated mechanisms can include, for example: using email or text
-                  messaging to automatically notify account managers when users are terminated or
-                  transferred; using the information system to monitor account usage; and using
-                  telephonic notification to report atypical system account usage.</p>
-            </part>
-            <part id="ac-2.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to support the
-                  management of information system accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.2">
-            <title>Removal of Temporary / Emergency Accounts</title>
-            <param id="ac-2.2_prm_1">
-               <select>
-                  <choice>removes</choice>
-                  <choice>disables</choice>
-               </select>
-            </param>
-            <param id="ac-2.2_prm_2">
-               <label>organization-defined time period for each type of account</label>
-            </param>
-            <prop name="label">AC-2(2)</prop>
-            <prop name="sort-id">ac-02.02</prop>
-            <part id="ac-2.2_smt" name="statement">
-               <p>The information system automatically <insert param-id="ac-2.2_prm_1"/> temporary
-                  and emergency accounts after <insert param-id="ac-2.2_prm_2"/>.</p>
-            </part>
-            <part id="ac-2.2_gdn" name="guidance">
-               <p>This control enhancement requires the removal of both temporary and emergency
-                  accounts automatically after a predefined period of time has elapsed, rather than
-                  at the convenience of the systems administrator.</p>
-            </part>
-            <part id="ac-2.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.2_obj.1" name="objective">
-                  <prop name="label">AC-2(2)[1]</prop>
-                  <p>the organization defines the time period after which the information system
-                     automatically removes or disables temporary and emergency accounts; and</p>
-               </part>
-               <part id="ac-2.2_obj.2" name="objective">
-                  <prop name="label">AC-2(2)[2]</prop>
-                  <p>the information system automatically removes or disables temporary and
-                     emergency accounts after the organization-defined time period for each type of
-                     account.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of temporary accounts removed and/or
-                     disabled</p>
-                  <p>information system-generated list of emergency accounts removed and/or
-                     disabled</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.3">
-            <title>Disable Inactive Accounts</title>
-            <param id="ac-2.3_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">AC-2(3)</prop>
-            <prop name="sort-id">ac-02.03</prop>
-            <part id="ac-2.3_smt" name="statement">
-               <p>The information system automatically disables inactive accounts after <insert param-id="ac-2.3_prm_1"/>.</p>
-            </part>
-            <part id="ac-2.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.3_obj.1" name="objective">
-                  <prop name="label">AC-2(3)[1]</prop>
-                  <p>the organization defines the time period after which the information system
-                     automatically disables inactive accounts; and</p>
-               </part>
-               <part id="ac-2.3_obj.2" name="objective">
-                  <prop name="label">AC-2(3)[2]</prop>
-                  <p>the information system automatically disables inactive accounts after the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of temporary accounts removed and/or
-                     disabled</p>
-                  <p>information system-generated list of emergency accounts removed and/or
-                     disabled</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.4">
-            <title>Automated Audit Actions</title>
-            <param id="ac-2.4_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">AC-2(4)</prop>
-            <prop name="sort-id">ac-02.04</prop>
-            <part id="ac-2.4_smt" name="statement">
-               <p>The information system automatically audits account creation, modification,
-                  enabling, disabling, and removal actions, and notifies <insert param-id="ac-2.4_prm_1"/>.</p>
-            </part>
-            <part id="ac-2.4_gdn" name="guidance">
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="ac-2.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.4_obj.1" name="objective">
-                  <prop name="label">AC-2(4)[1]</prop>
-                  <p>the information system automatically audits the following account actions:</p>
-                  <part id="ac-2.4_obj.1.a" name="objective">
-                     <prop name="label">AC-2(4)[1][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.b" name="objective">
-                     <prop name="label">AC-2(4)[1][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.c" name="objective">
-                     <prop name="label">AC-2(4)[1][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.d" name="objective">
-                     <prop name="label">AC-2(4)[1][d]</prop>
-                     <p>disabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.1.e" name="objective">
-                     <prop name="label">AC-2(4)[1][e]</prop>
-                     <p>removal;</p>
-                  </part>
-               </part>
-               <part id="ac-2.4_obj.2" name="objective">
-                  <prop name="label">AC-2(4)[2]</prop>
-                  <p>the organization defines personnel or roles to be notified of the following
-                     account actions:</p>
-                  <part id="ac-2.4_obj.2.a" name="objective">
-                     <prop name="label">AC-2(4)[2][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.b" name="objective">
-                     <prop name="label">AC-2(4)[2][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.c" name="objective">
-                     <prop name="label">AC-2(4)[2][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.d" name="objective">
-                     <prop name="label">AC-2(4)[2][d]</prop>
-                     <p>disabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.2.e" name="objective">
-                     <prop name="label">AC-2(4)[2][e]</prop>
-                     <p>removal;</p>
-                  </part>
-               </part>
-               <part id="ac-2.4_obj.3" name="objective">
-                  <prop name="label">AC-2(4)[3]</prop>
-                  <p>the information system notifies organization-defined personnel or roles of the
-                     following account actions:</p>
-                  <part id="ac-2.4_obj.3.a" name="objective">
-                     <prop name="label">AC-2(4)[3][a]</prop>
-                     <p>creation;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.b" name="objective">
-                     <prop name="label">AC-2(4)[3][b]</prop>
-                     <p>modification;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.c" name="objective">
-                     <prop name="label">AC-2(4)[3][c]</prop>
-                     <p>enabling;</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.d" name="objective">
-                     <prop name="label">AC-2(4)[3][d]</prop>
-                     <p>disabling; and</p>
-                  </part>
-                  <part id="ac-2.4_obj.3.e" name="objective">
-                     <prop name="label">AC-2(4)[3][e]</prop>
-                     <p>removal.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>notifications/alerts of account creation, modification, enabling, disabling,
-                     and removal actions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.5">
-            <title>Inactivity Logout</title>
-            <param id="ac-2.5_prm_1">
-               <label>organization-defined time-period of expected inactivity or description of when
-                  to log out</label>
-            </param>
-            <prop name="label">AC-2(5)</prop>
-            <prop name="sort-id">ac-02.05</prop>
-            <part id="ac-2.5_smt" name="statement">
-               <p>The organization requires that users log out when <insert param-id="ac-2.5_prm_1"/>.</p>
-            </part>
-            <part id="ac-2.5_gdn" name="guidance">
-               <link rel="related" href="#sc-23">SC-23</link>
-            </part>
-            <part id="ac-2.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.5_obj.1" name="objective">
-                  <prop name="label">AC-2(5)[1]</prop>
-                  <p>defines either the time period of expected inactivity that requires users to
-                     log out or the description of when users are required to log out; and</p>
-               </part>
-               <part id="ac-2.5_obj.2" name="objective">
-                  <prop name="label">AC-2(5)[2]</prop>
-                  <p>requires that users log out when the organization-defined time period of
-                     inactivity is reached or in accordance with organization-defined description of
-                     when to log out.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security violation reports</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>users that must comply with inactivity logout policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.6">
-            <title>Dynamic Privilege Management</title>
-            <param id="ac-2.6_prm_1">
-               <label>organization-defined list of dynamic privilege management capabilities</label>
-            </param>
-            <prop name="label">AC-2(6)</prop>
-            <prop name="sort-id">ac-02.06</prop>
-            <part id="ac-2.6_smt" name="statement">
-               <p>The information system implements the following dynamic privilege management
-                  capabilities: <insert param-id="ac-2.6_prm_1"/>.</p>
-            </part>
-            <part id="ac-2.6_gdn" name="guidance">
-               <p>In contrast to conventional access control approaches which employ static
-                  information system accounts and predefined sets of user privileges, dynamic access
-                  control approaches (e.g., service-oriented architectures) rely on run time access
-                  control decisions facilitated by dynamic privilege management. While user
-                  identities may remain relatively constant over time, user privileges may change
-                  more frequently based on ongoing mission/business requirements and operational
-                  needs of organizations. Dynamic privilege management can include, for example, the
-                  immediate revocation of privileges from users, as opposed to requiring that users
-                  terminate and restart their sessions to reflect any changes in privileges. Dynamic
-                  privilege management can also refer to mechanisms that change the privileges of
-                  users based on dynamic rules as opposed to editing specific user profiles. This
-                  type of privilege management includes, for example, automatic adjustments of
-                  privileges if users are operating out of their normal work times, or if
-                  information systems are under duress or in emergency maintenance situations. This
-                  control enhancement also includes the ancillary effects of privilege changes, for
-                  example, the potential changes to encryption keys used for communications. Dynamic
-                  privilege management can support requirements for information system
-                  resiliency.</p>
-               <link rel="related" href="#ac-16">AC-16</link>
-            </part>
-            <part id="ac-2.6_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.6_obj.1" name="objective">
-                  <prop name="label">AC-2(6)[1]</prop>
-                  <p>the organization defines a list of dynamic privilege management capabilities to
-                     be implemented by the information system; and</p>
-               </part>
-               <part id="ac-2.6_obj.2" name="objective">
-                  <prop name="label">AC-2(6)[2]</prop>
-                  <p>the information system implements the organization-defined list of dynamic
-                     privilege management capabilities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of dynamic privilege management capabilities</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system implementing dynamic privilege management capabilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.7">
-            <title>Role-based Schemes</title>
-            <param id="ac-2.7_prm_1">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">AC-2(7)</prop>
-            <prop name="sort-id">ac-02.07</prop>
-            <part id="ac-2.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-2.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Establishes and administers privileged user accounts in accordance with a
-                     role-based access scheme that organizes allowed information system access and
-                     privileges into roles;</p>
-               </part>
-               <part id="ac-2.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Monitors privileged role assignments; and</p>
-               </part>
-               <part id="ac-2.7_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Takes <insert param-id="ac-2.7_prm_1"/> when privileged role assignments are no
-                     longer appropriate.</p>
-               </part>
-            </part>
-            <part id="ac-2.7_gdn" name="guidance">
-               <p>Privileged roles are organization-defined roles assigned to individuals that allow
-                  those individuals to perform certain security-relevant functions that ordinary
-                  users are not authorized to perform. These privileged roles include, for example,
-                  key management, account management, network and system administration, database
-                  administration, and web administration.</p>
-            </part>
-            <part id="ac-2.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.7.a_obj" name="objective">
-                  <prop name="label">AC-2(7)(a)</prop>
-                  <p>establishes and administers privileged user accounts in accordance with a
-                     role-based access scheme that organizes allowed information system access and
-                     privileges into roles;</p>
-                  <link rel="corresp" href="#ac-2.7_smt.a">AC-2(7)(a)</link>
-               </part>
-               <part id="ac-2.7.b_obj" name="objective">
-                  <prop name="label">AC-2(7)(b)</prop>
-                  <p>monitors privileged role assignments;</p>
-                  <link rel="corresp" href="#ac-2.7_smt.b">AC-2(7)(b)</link>
-               </part>
-               <part id="ac-2.7.c_obj" name="objective">
-                  <prop name="label">AC-2(7)(c)</prop>
-                  <part id="ac-2.7.c_obj.1" name="objective">
-                     <prop name="label">AC-2(7)(c)[1]</prop>
-                     <p>defines actions to be taken when privileged role assignments are no longer
-                        appropriate; and</p>
-                  </part>
-                  <part id="ac-2.7.c_obj.2" name="objective">
-                     <prop name="label">AC-2(7)(c)[2]</prop>
-                     <p>takes organization-defined actions when privileged role assignments are no
-                        longer appropriate.</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.7_smt.c">AC-2(7)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system-generated list of privileged user accounts and associated
-                     role</p>
-                  <p>records of actions taken when privileged role assignments are no longer
-                     appropriate</p>
-                  <p>information system audit records</p>
-                  <p>audit tracking and monitoring reports</p>
-                  <p>information system monitoring records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-                  <p>automated mechanisms monitoring privileged role assignments</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.8">
-            <title>Dynamic Account Creation</title>
-            <param id="ac-2.8_prm_1">
-               <label>organization-defined information system accounts</label>
-            </param>
-            <prop name="label">AC-2(8)</prop>
-            <prop name="sort-id">ac-02.08</prop>
-            <part id="ac-2.8_smt" name="statement">
-               <p>The information system creates <insert param-id="ac-2.8_prm_1"/> dynamically.</p>
-            </part>
-            <part id="ac-2.8_gdn" name="guidance">
-               <p>Dynamic approaches for creating information system accounts (e.g., as implemented
-                  within service-oriented architectures) rely on establishing accounts (identities)
-                  at run time for entities that were previously unknown. Organizations plan for
-                  dynamic creation of information system accounts by establishing trust
-                  relationships and mechanisms with the appropriate authorities to validate related
-                  authorizations and privileges.</p>
-               <link rel="related" href="#ac-16">AC-16</link>
-            </part>
-            <part id="ac-2.8_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.8_obj.1" name="objective">
-                  <prop name="label">AC-2(8)[1]</prop>
-                  <p>the organization defines information system accounts to be created by the
-                     information system dynamically; and</p>
-               </part>
-               <part id="ac-2.8_obj.2" name="objective">
-                  <prop name="label">AC-2(8)[2]</prop>
-                  <p>the information system creates organization-defined information system accounts
-                     dynamically.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of information system accounts</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.9">
-            <title>Restrictions On Use of Shared / Group Accounts</title>
-            <param id="ac-2.9_prm_1">
-               <label>organization-defined conditions for establishing shared/group accounts</label>
-            </param>
-            <prop name="label">AC-2(9)</prop>
-            <prop name="sort-id">ac-02.09</prop>
-            <part id="ac-2.9_smt" name="statement">
-               <p>The organization only permits the use of shared/group accounts that meet <insert param-id="ac-2.9_prm_1"/>.</p>
-            </part>
-            <part id="ac-2.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.9_obj.1" name="objective">
-                  <prop name="label">AC-2(9)[1]</prop>
-                  <p>defines conditions for establishing shared/group accounts; and</p>
-               </part>
-               <part id="ac-2.9_obj.2" name="objective">
-                  <prop name="label">AC-2(9)[2]</prop>
-                  <p>only permits the use of shared/group accounts that meet organization-defined
-                     conditions for establishing shared/group accounts.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of shared/group accounts and associated role</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing management of shared/group accounts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.10">
-            <title>Shared / Group Account Credential Termination</title>
-            <prop name="label">AC-2(10)</prop>
-            <prop name="sort-id">ac-02.10</prop>
-            <part id="ac-2.10_smt" name="statement">
-               <p>The information system terminates shared/group account credentials when members
-                  leave the group.</p>
-            </part>
-            <part id="ac-2.10_obj" name="objective">
-               <p>Determine if the information system terminates shared/group account credentials
-                  when members leave the group.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>account access termination records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.11">
-            <title>Usage Conditions</title>
-            <param id="ac-2.11_prm_1">
-               <label>organization-defined circumstances and/or usage conditions</label>
-            </param>
-            <param id="ac-2.11_prm_2">
-               <label>organization-defined information system accounts</label>
-            </param>
-            <prop name="label">AC-2(11)</prop>
-            <prop name="sort-id">ac-02.11</prop>
-            <part id="ac-2.11_smt" name="statement">
-               <p>The information system enforces <insert param-id="ac-2.11_prm_1"/> for <insert param-id="ac-2.11_prm_2"/>.</p>
-            </part>
-            <part id="ac-2.11_gdn" name="guidance">
-               <p>Organizations can describe the specific conditions or circumstances under which
-                  information system accounts can be used, for example, by restricting usage to
-                  certain days of the week, time of day, or specific durations of time.</p>
-            </part>
-            <part id="ac-2.11_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-2.11_obj.1" name="objective">
-                  <prop name="label">AC-2(11)[1]</prop>
-                  <p>the organization defines circumstances and/or usage conditions to be enforced
-                     for information system accounts;</p>
-               </part>
-               <part id="ac-2.11_obj.2" name="objective">
-                  <prop name="label">AC-2(11)[2]</prop>
-                  <p>the organization defines information system accounts for which
-                     organization-defined circumstances and/or usage conditions are to be enforced;
-                     and</p>
-               </part>
-               <part id="ac-2.11_obj.3" name="objective">
-                  <prop name="label">AC-2(11)[3]</prop>
-                  <p>the information system enforces organization-defined circumstances and/or usage
-                     conditions for organization-defined information system accounts.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of information system accounts and associated assignments
-                     of usage circumstances and/or usage conditions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.12">
-            <title>Account Monitoring / Atypical Usage</title>
-            <param id="ac-2.12_prm_1">
-               <label>organization-defined atypical usage</label>
-            </param>
-            <param id="ac-2.12_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">AC-2(12)</prop>
-            <prop name="sort-id">ac-02.12</prop>
-            <part id="ac-2.12_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-2.12_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Monitors information system accounts for <insert param-id="ac-2.12_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="ac-2.12_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reports atypical usage of information system accounts to <insert param-id="ac-2.12_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="ac-2.12_gdn" name="guidance">
-               <p>Atypical usage includes, for example, accessing information systems at certain
-                  times of the day and from locations that are not consistent with the normal usage
-                  patterns of individuals working in organizations.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="ac-2.12_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-2.12.a_obj" name="objective">
-                  <prop name="label">AC-2(12)(a)</prop>
-                  <part id="ac-2.12.a_obj.1" name="objective">
-                     <prop name="label">AC-2(12)(a)[1]</prop>
-                     <p>defines atypical usage to be monitored for information system accounts;</p>
-                  </part>
-                  <part id="ac-2.12.a_obj.2" name="objective">
-                     <prop name="label">AC-2(12)(a)[2]</prop>
-                     <p>monitors information system accounts for organization-defined atypical
-                        usage;</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.12_smt.a">AC-2(12)(a)</link>
-               </part>
-               <part id="ac-2.12.b_obj" name="objective">
-                  <prop name="label">AC-2(12)(b)</prop>
-                  <part id="ac-2.12.b_obj.1" name="objective">
-                     <prop name="label">AC-2(12)(b)[1]</prop>
-                     <p>defines personnel or roles to whom atypical usage of information system
-                        accounts are to be reported; and</p>
-                  </part>
-                  <part id="ac-2.12.b_obj.2" name="objective">
-                     <prop name="label">AC-2(12)(b)[2]</prop>
-                     <p>reports atypical usage of information system accounts to
-                        organization-defined personnel or roles.</p>
-                  </part>
-                  <link rel="corresp" href="#ac-2.12_smt.b">AC-2(12)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring records</p>
-                  <p>information system audit records</p>
-                  <p>audit tracking and monitoring reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.13">
-            <title>Disable Accounts for High-risk Individuals</title>
-            <param id="ac-2.13_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">AC-2(13)</prop>
-            <prop name="sort-id">ac-02.13</prop>
-            <part id="ac-2.13_smt" name="statement">
-               <p>The organization disables accounts of users posing a significant risk within
-                     <insert param-id="ac-2.13_prm_1"/> of discovery of the risk.</p>
-            </part>
-            <part id="ac-2.13_gdn" name="guidance">
-               <p>Users posing a significant risk to organizations include individuals for whom
-                  reliable evidence or intelligence indicates either the intention to use authorized
-                  access to information systems to cause harm or through whom adversaries will cause
-                  harm. Harm includes potential adverse impacts to organizational operations and
-                  assets, individuals, other organizations, or the Nation. Close coordination
-                  between authorizing officials, information system administrators, and human
-                  resource managers is essential in order for timely execution of this control
-                  enhancement.</p>
-               <link rel="related" href="#ps-4">PS-4</link>
-            </part>
-            <part id="ac-2.13_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-2.13_obj.1" name="objective">
-                  <prop name="label">AC-2(13)[1]</prop>
-                  <p>defines the time period within which accounts are disabled upon discovery of a
-                     significant risk posed by users of such accounts; and</p>
-               </part>
-               <part id="ac-2.13_obj.2" name="objective">
-                  <prop name="label">AC-2(13)[2]</prop>
-                  <p>disables accounts of users posing a significant risk within the
-                     organization-defined time period of discovery of the risk.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of disabled accounts</p>
-                  <p>list of user activities posing significant organizational risk</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with account management responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing account management functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-3">
-         <title>Access Enforcement</title>
-         <prop name="label">AC-3</prop>
-         <prop name="sort-id">ac-03</prop>
-         <part id="ac-3_smt" name="statement">
-            <p>The information system enforces approved authorizations for logical access to
-               information and system resources in accordance with applicable access control
-               policies.</p>
-         </part>
-         <part id="ac-3_gdn" name="guidance">
-            <p>Access control policies (e.g., identity-based policies, role-based policies, control
-               matrices, cryptography) control access between active entities or subjects (i.e.,
-               users or processes acting on behalf of users) and passive entities or objects (e.g.,
-               devices, files, records, domains) in information systems. In addition to enforcing
-               authorized access at the information system level and recognizing that information
-               systems can host many applications and services in support of organizational missions
-               and business operations, access enforcement mechanisms can also be employed at the
-               application and service level to provide increased information security.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#ac-22">AC-22</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="ac-3_obj" name="objective">
-            <p>Determine if the information system enforces approved authorizations for logical
-               access to information and system resources in accordance with applicable access
-               control policies.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of approved authorizations (user privileges)</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access enforcement responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-3.1">
-            <title>Restricted Access to Privileged Functions</title>
-            <prop name="label">AC-3(1)</prop>
-            <prop name="sort-id">ac-03.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-6">AC-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.2">
-            <title>Dual Authorization</title>
-            <param id="ac-3.2_prm_1">
-               <label>organization-defined privileged commands and/or other organization-defined
-                  actions</label>
-            </param>
-            <prop name="label">AC-3(2)</prop>
-            <prop name="sort-id">ac-03.02</prop>
-            <part id="ac-3.2_smt" name="statement">
-               <p>The information system enforces dual authorization for <insert param-id="ac-3.2_prm_1"/>.</p>
-            </part>
-            <part id="ac-3.2_gdn" name="guidance">
-               <p>Dual authorization mechanisms require the approval of two authorized individuals
-                  in order to execute. Organizations do not require dual authorization mechanisms
-                  when immediate responses are necessary to ensure public and environmental safety.
-                  Dual authorization may also be known as two-person control.</p>
-               <link rel="related" href="#cp-9">CP-9</link>
-               <link rel="related" href="#mp-6">MP-6</link>
-            </part>
-            <part id="ac-3.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-3.2_obj.1" name="objective">
-                  <prop name="label">AC-3(2)[1]</prop>
-                  <p>the organization defines privileged commands and/or other actions for which
-                     dual authorization is to be enforced; and</p>
-               </part>
-               <part id="ac-3.2_obj.2" name="objective">
-                  <prop name="label">AC-3(2)[2]</prop>
-                  <p>the information system enforces dual authorization for organization-defined
-                     privileged commands and/or other organization-defined actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access enforcement and dual authorization</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of privileged commands requiring dual authorization</p>
-                  <p>list of actions requiring dual authorization</p>
-                  <p>list of approved authorizations (user privileges)</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Dual authorization mechanisms implementing access control policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.3">
-            <title>Mandatory Access Control</title>
-            <param id="ac-3.3_prm_1">
-               <label>organization-defined mandatory access control policy</label>
-            </param>
-            <param id="ac-3.3_prm_2">
-               <label>organization-defined subjects</label>
-            </param>
-            <param id="ac-3.3_prm_3">
-               <label>organization-defined privileges (i.e., they are trusted subjects)</label>
-            </param>
-            <prop name="label">AC-3(3)</prop>
-            <prop name="sort-id">ac-03.03</prop>
-            <part id="ac-3.3_smt" name="statement">
-               <p>The information system enforces <insert param-id="ac-3.3_prm_1"/> over all
-                  subjects and objects where the policy:</p>
-               <part id="ac-3.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Is uniformly enforced across all subjects and objects within the boundary of
-                     the information system;</p>
-               </part>
-               <part id="ac-3.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Specifies that a subject that has been granted access to information is
-                     constrained from doing any of the following;</p>
-                  <part id="ac-3.3_smt.b.1" name="item">
-                     <prop name="label">(1)</prop>
-                     <p>Passing the information to unauthorized subjects or objects;</p>
-                  </part>
-                  <part id="ac-3.3_smt.b.2" name="item">
-                     <prop name="label">(2)</prop>
-                     <p>Granting its privileges to other subjects;</p>
-                  </part>
-                  <part id="ac-3.3_smt.b.3" name="item">
-                     <prop name="label">(3)</prop>
-                     <p>Changing one or more security attributes on subjects, objects, the
-                        information system, or information system components;</p>
-                  </part>
-                  <part id="ac-3.3_smt.b.4" name="item">
-                     <prop name="label">(4)</prop>
-                     <p>Choosing the security attributes and attribute values to be associated with
-                        newly created or modified objects; or</p>
-                  </part>
-                  <part id="ac-3.3_smt.b.5" name="item">
-                     <prop name="label">(5)</prop>
-                     <p>Changing the rules governing access control; and</p>
-                  </part>
-               </part>
-               <part id="ac-3.3_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Specifies that <insert param-id="ac-3.3_prm_2"/> may explicitly be granted
-                        <insert param-id="ac-3.3_prm_3"/> such that they are not limited by some or
-                     all of the above constraints.</p>
-               </part>
-            </part>
-            <part id="ac-3.3_gdn" name="guidance">
-               <p>Mandatory access control as defined in this control enhancement is synonymous with
-                  nondiscretionary access control, and is not constrained only to certain historical
-                  uses (e.g., implementations using the Bell-LaPadula Model). The above class of
-                  mandatory access control policies constrains what actions subjects can take with
-                  information obtained from data objects for which they have already been granted
-                  access, thus preventing the subjects from passing the information to unauthorized
-                  subjects and objects. This class of mandatory access control policies also
-                  constrains what actions subjects can take with respect to the propagation of
-                  access control privileges; that is, a subject with a privilege cannot pass that
-                  privilege to other subjects. The policy is uniformly enforced over all subjects
-                  and objects to which the information system has control. Otherwise, the access
-                  control policy can be circumvented. This enforcement typically is provided via an
-                  implementation that meets the reference monitor concept (see AC-25). The policy is
-                  bounded by the information system boundary (i.e., once the information is passed
-                  outside of the control of the system, additional means may be required to ensure
-                  that the constraints on the information remain in effect). The trusted subjects
-                  described above are granted privileges consistent with the concept of least
-                  privilege (see AC-6). Trusted subjects are only given the minimum privileges
-                  relative to the above policy necessary for satisfying organizational
-                  mission/business needs. The control is most applicable when there is some policy
-                  mandate (e.g., law, Executive Order, directive, or regulation) that establishes a
-                  policy regarding access to sensitive/classified information and some users of the
-                  information system are not authorized access to all sensitive/classified
-                  information resident in the information system. This control can operate in
-                  conjunction with AC-3 (4). A subject that is constrained in its operation by
-                  policies governed by this control is still able to operate under the less rigorous
-                  constraints of AC-3 (4), but policies governed by this control take precedence
-                  over the less rigorous constraints of AC-3 (4). For example, while a mandatory
-                  access control policy imposes a constraint preventing a subject from passing
-                  information to another subject operating at a different sensitivity label, AC-3
-                  (4) permits the subject to pass the information to any subject with the same
-                  sensitivity label as the subject.</p>
-               <link rel="related" href="#ac-25">AC-25</link>
-               <link rel="related" href="#sc-11">SC-11</link>
-            </part>
-            <part id="ac-3.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-3.3_obj.1" name="objective">
-                  <prop name="label">AC-3(3)[1]</prop>
-                  <p>the organization defines mandatory access control policies to be enforced over
-                     all subjects and objects;</p>
-               </part>
-               <part id="ac-3.3_obj.2" name="objective">
-                  <prop name="label">AC-3(3)[2]</prop>
-                  <p>the organization defines subjects over which organization-defined mandatory
-                     access control policies are to be enforced;</p>
-               </part>
-               <part id="ac-3.3_obj.3" name="objective">
-                  <prop name="label">AC-3(3)[3]</prop>
-                  <p>the organization defines objects over which organization-defined mandatory
-                     access control policies are to be enforced;</p>
-               </part>
-               <part id="ac-3.3_obj.4" name="objective">
-                  <prop name="label">AC-3(3)[4]</prop>
-                  <p>the organization defines subjects that may explicitly be granted privileges
-                     such that they are not limited by the constraints specified elsewhere within
-                     this control;</p>
-               </part>
-               <part id="ac-3.3_obj.5" name="objective">
-                  <prop name="label">AC-3(3)[5]</prop>
-                  <p>the organization defines privileges that may be granted to organization-defined
-                     subjects;</p>
-               </part>
-               <part id="ac-3.3_obj.6" name="objective">
-                  <prop name="label">AC-3(3)[6]</prop>
-                  <p>the information system enforces organization-defined mandatory access control
-                     policies over all subjects and objects where the policy specifies that:</p>
-                  <part id="ac-3.3.a_obj.6" name="objective">
-                     <prop name="label">AC-3(3)[6](a)</prop>
-                     <p>the policy is uniformly enforced across all subjects and objects within the
-                        boundary of the information system;</p>
-                     <link rel="corresp" href="#ac-3.3_smt.a">AC-3(3)(a)</link>
-                  </part>
-                  <part id="ac-3.3.b_obj.6" name="objective">
-                     <prop name="label">AC-3(3)[6](b)</prop>
-                     <p>a subject that has been granted access to information is constrained from
-                        doing any of the following:</p>
-                     <part id="ac-3.3.b.1_obj.6" name="objective">
-                        <prop name="label">AC-3(3)[6](b)(1)</prop>
-                        <p>passing the information to unauthorized subjects or objects;</p>
-                        <link rel="corresp" href="#ac-3.3_smt.b.1">AC-3(3)(b)(1)</link>
-                     </part>
-                     <part id="ac-3.3.b.2_obj.6" name="objective">
-                        <prop name="label">AC-3(3)[6](b)(2)</prop>
-                        <p>granting its privileges to other subjects;</p>
-                        <link rel="corresp" href="#ac-3.3_smt.b.2">AC-3(3)(b)(2)</link>
-                     </part>
-                     <part id="ac-3.3.b.3_obj.6" name="objective">
-                        <prop name="label">AC-3(3)[6](b)(3)</prop>
-                        <p>changing one or more security attributes on:</p>
-                        <part id="ac-3.3.b.3_obj.6.a" name="objective">
-                           <prop name="label">AC-3(3)[6](b)(3)[a]</prop>
-                           <p>subjects;</p>
-                        </part>
-                        <part id="ac-3.3.b.3_obj.6.b" name="objective">
-                           <prop name="label">AC-3(3)[6](b)(3)[b]</prop>
-                           <p>objects;</p>
-                        </part>
-                        <part id="ac-3.3.b.3_obj.6.c" name="objective">
-                           <prop name="label">AC-3(3)[6](b)(3)[c]</prop>
-                           <p>the information system; or</p>
-                        </part>
-                        <part id="ac-3.3.b.3_obj.6.d" name="objective">
-                           <prop name="label">AC-3(3)[6](b)(3)[d]</prop>
-                           <p>system components;</p>
-                        </part>
-                        <link rel="corresp" href="#ac-3.3_smt.b.3">AC-3(3)(b)(3)</link>
-                     </part>
-                     <part id="ac-3.3.b.4_obj.6" name="objective">
-                        <prop name="label">AC-3(3)[6](b)(4)</prop>
-                        <p>choosing the security attributes and attribute values to be associated
-                           with newly created or modified objects; or</p>
-                        <link rel="corresp" href="#ac-3.3_smt.b.4">AC-3(3)(b)(4)</link>
-                     </part>
-                     <part id="ac-3.3.b.5_obj.6" name="objective">
-                        <prop name="label">AC-3(3)[6](b)(5)</prop>
-                        <p>changing the rules governing access control; and</p>
-                        <link rel="corresp" href="#ac-3.3_smt.b.5">AC-3(3)(b)(5)</link>
-                     </part>
-                     <link rel="corresp" href="#ac-3.3_smt.b">AC-3(3)(b)</link>
-                  </part>
-                  <part id="ac-3.3.c_obj.6" name="objective">
-                     <prop name="label">AC-3(3)[6](c)</prop>
-                     <p>organization-defined subjects may explicitly be granted organization-defined
-                        privileges such that they are not limited by some or all of the above
-                        constraints.</p>
-                     <link rel="corresp" href="#ac-3.3_smt.c">AC-3(3)(c)</link>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>mandatory access control policies</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of subjects and objects (i.e., users and resources) requiring enforcement
-                     of mandatory access control policies</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing mandatory access control</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.4">
-            <title>Discretionary Access Control</title>
-            <param id="ac-3.4_prm_1">
-               <label>organization-defined discretionary access control policy</label>
-            </param>
-            <prop name="label">AC-3(4)</prop>
-            <prop name="sort-id">ac-03.04</prop>
-            <part id="ac-3.4_smt" name="statement">
-               <p>The information system enforces <insert param-id="ac-3.4_prm_1"/> over defined
-                  subjects and objects where the policy specifies that a subject that has been
-                  granted access to information can do one or more of the following:</p>
-               <part id="ac-3.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Pass the information to any other subjects or objects;</p>
-               </part>
-               <part id="ac-3.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Grant its privileges to other subjects;</p>
-               </part>
-               <part id="ac-3.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Change security attributes on subjects, objects, the information system, or the
-                     information system’s components;</p>
-               </part>
-               <part id="ac-3.4_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Choose the security attributes to be associated with newly created or revised
-                     objects; or</p>
-               </part>
-               <part id="ac-3.4_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Change the rules governing access control.</p>
-               </part>
-            </part>
-            <part id="ac-3.4_gdn" name="guidance">
-               <p>When discretionary access control policies are implemented, subjects are not
-                  constrained with regard to what actions they can take with information for which
-                  they have already been granted access. Thus, subjects that have been granted
-                  access to information are not prevented from passing (i.e., the subjects have the
-                  discretion to pass) the information to other subjects or objects. This control
-                  enhancement can operate in conjunction with AC-3 (3). A subject that is
-                  constrained in its operation by policies governed by AC-3 (3) is still able to
-                  operate under the less rigorous constraints of this control enhancement. Thus,
-                  while AC-3 (3) imposes constraints preventing a subject from passing information
-                  to another subject operating at a different sensitivity level, AC-3 (4) permits
-                  the subject to pass the information to any subject at the same sensitivity level.
-                  The policy is bounded by the information system boundary. Once the information is
-                  passed outside of the control of the information system, additional means may be
-                  required to ensure that the constraints remain in effect. While the older, more
-                  traditional definitions of discretionary access control require identity-based
-                  access control, that limitation is not required for this use of discretionary
-                  access control.</p>
-            </part>
-            <part id="ac-3.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-3.4_obj.1" name="objective">
-                  <prop name="label">AC-3(4)[1]</prop>
-                  <p>the organization defines discretionary access control policies to be enforced
-                     over defined subjects and objects;</p>
-               </part>
-               <part id="ac-3.4_obj.2" name="objective">
-                  <prop name="label">AC-3(4)[2]</prop>
-                  <p>the information system enforces organization-defined discretionary access
-                     control policies over defined subjects and objects where the policy specifies
-                     that a subject has been granted access to information and can do one or more of
-                     the following:</p>
-                  <part id="ac-3.4.a_obj.2" name="objective">
-                     <prop name="label">AC-3(4)[2](a)</prop>
-                     <p>pass the information to any other subjects or objects;</p>
-                     <link rel="corresp" href="#ac-3.4_smt.a">AC-3(4)(a)</link>
-                  </part>
-                  <part id="ac-3.4.b_obj.2" name="objective">
-                     <prop name="label">AC-3(4)[2](b)</prop>
-                     <p>grant its privileges to other subjects;</p>
-                     <link rel="corresp" href="#ac-3.4_smt.b">AC-3(4)(b)</link>
-                  </part>
-                  <part id="ac-3.4.c_obj.2" name="objective">
-                     <prop name="label">AC-3(4)[2](c)</prop>
-                     <p>change security attributes on:</p>
-                     <part id="ac-3.4.c_obj.2.a" name="objective">
-                        <prop name="label">AC-3(4)[2](c)[a]</prop>
-                        <p>subjects,</p>
-                     </part>
-                     <part id="ac-3.4.c_obj.2.b" name="objective">
-                        <prop name="label">AC-3(4)[2](c)[b]</prop>
-                        <p>objects,</p>
-                     </part>
-                     <part id="ac-3.4.c_obj.2.c" name="objective">
-                        <prop name="label">AC-3(4)[2](c)[c]</prop>
-                        <p>the information system, or</p>
-                     </part>
-                     <part id="ac-3.4.c_obj.2.d" name="objective">
-                        <prop name="label">AC-3(4)[2](c)[d]</prop>
-                        <p>the information system’s components;</p>
-                     </part>
-                     <link rel="corresp" href="#ac-3.4_smt.c">AC-3(4)(c)</link>
-                  </part>
-                  <part id="ac-3.4.d_obj.2" name="objective">
-                     <prop name="label">AC-3(4)[2](d)</prop>
-                     <p>choose the security attributes to be associated with newly created or
-                        revised objects; or</p>
-                     <link rel="corresp" href="#ac-3.4_smt.d">AC-3(4)(d)</link>
-                  </part>
-                  <part id="ac-3.4.e_obj.2" name="objective">
-                     <prop name="label">AC-3(4)[2](e)</prop>
-                     <p>change the rules governing access control.</p>
-                     <link rel="corresp" href="#ac-3.4_smt.e">AC-3(4)(e)</link>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>discretionary access control policies</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of subjects and objects (i.e., users and resources) requiring enforcement
-                     of discretionary access control policies</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing discretionary access control policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.5">
-            <title>Security-relevant Information</title>
-            <param id="ac-3.5_prm_1">
-               <label>organization-defined security-relevant information</label>
-            </param>
-            <prop name="label">AC-3(5)</prop>
-            <prop name="sort-id">ac-03.05</prop>
-            <part id="ac-3.5_smt" name="statement">
-               <p>The information system prevents access to <insert param-id="ac-3.5_prm_1"/> except
-                  during secure, non-operable system states.</p>
-            </part>
-            <part id="ac-3.5_gdn" name="guidance">
-               <p>Security-relevant information is any information within information systems that
-                  can potentially impact the operation of security functions or the provision of
-                  security services in a manner that could result in failure to enforce system
-                  security policies or maintain the isolation of code and data. Security-relevant
-                  information includes, for example, filtering rules for routers/firewalls,
-                  cryptographic key management information, configuration parameters for security
-                  services, and access control lists. Secure, non-operable system states include the
-                  times in which information systems are not performing mission/business-related
-                  processing (e.g., the system is off-line for maintenance, troubleshooting,
-                  boot-up, shut down).</p>
-               <link rel="related" href="#cm-3">CM-3</link>
-            </part>
-            <part id="ac-3.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-3.5_obj.1" name="objective">
-                  <prop name="label">AC-3(5)[1]</prop>
-                  <p>the organization defines security-relevant information to which the information
-                     system prevents access except during secure, non-operable system states;
-                     and</p>
-               </part>
-               <part id="ac-3.5_obj.2" name="objective">
-                  <prop name="label">AC-3(5)[2]</prop>
-                  <p>the information system prevents access to organization-defined
-                     security-relevant information except during secure, non-operable system
-                     states.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms preventing access to security-relevant information within
-                     the information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.6">
-            <title>Protection of User and System Information</title>
-            <prop name="label">AC-3(6)</prop>
-            <prop name="sort-id">ac-03.06</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-4">MP-4</link>
-            <link rel="incorporated-into" href="#sc-28">SC-28</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.7">
-            <title>Role-based Access Control</title>
-            <param id="ac-3.7_prm_1">
-               <label>organization-defined roles and users authorized to assume such roles</label>
-            </param>
-            <prop name="label">AC-3(7)</prop>
-            <prop name="sort-id">ac-03.07</prop>
-            <part id="ac-3.7_smt" name="statement">
-               <p>The information system enforces a role-based access control policy over defined
-                  subjects and objects and controls access based upon <insert param-id="ac-3.7_prm_1"/>.</p>
-            </part>
-            <part id="ac-3.7_gdn" name="guidance">
-               <p>Role-based access control (RBAC) is an access control policy that restricts
-                  information system access to authorized users. Organizations can create specific
-                  roles based on job functions and the authorizations (i.e., privileges) to perform
-                  needed operations on organizational information systems associated with the
-                  organization-defined roles. When users are assigned to the organizational roles,
-                  they inherit the authorizations or privileges defined for those roles. RBAC
-                  simplifies privilege administration for organizations because privileges are not
-                  assigned directly to every user (which can be a significant number of individuals
-                  for mid- to large-size organizations) but are instead acquired through role
-                  assignments. RBAC can be implemented either as a mandatory or discretionary form
-                  of access control. For organizations implementing RBAC with mandatory access
-                  controls, the requirements in AC-3 (3) define the scope of the subjects and
-                  objects covered by the policy.</p>
-            </part>
-            <part id="ac-3.7_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-3.7_obj.1" name="objective">
-                  <prop name="label">AC-3(7)[1]</prop>
-                  <p>the organization defines roles to control information system access;</p>
-               </part>
-               <part id="ac-3.7_obj.2" name="objective">
-                  <prop name="label">AC-3(7)[2]</prop>
-                  <p>the organization defines users authorized to assume the organization-defined
-                     roles;</p>
-               </part>
-               <part id="ac-3.7_obj.3" name="objective">
-                  <prop name="label">AC-3(7)[3]</prop>
-                  <p>the information system controls access based on organization-defined roles and
-                     users authorized to assume such roles;</p>
-               </part>
-               <part id="ac-3.7_obj.4" name="objective">
-                  <prop name="label">AC-3(7)[4]</prop>
-                  <p>the information system enforces a role-based access control policy over
-                     defined:</p>
-                  <part id="ac-3.7_obj.4.a" name="objective">
-                     <prop name="label">AC-3(7)[4][a]</prop>
-                     <p>subjects, and</p>
-                  </part>
-                  <part id="ac-3.7_obj.4.b" name="objective">
-                     <prop name="label">AC-3(7)[4][b]</prop>
-                     <p>objects.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>role-based access control policies</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>security plan, information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of roles, users, and associated privileges required to control information
-                     system access</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing role-based access control policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.8">
-            <title>Revocation of Access Authorizations</title>
-            <param id="ac-3.8_prm_1">
-               <label>organization-defined rules governing the timing of revocations of access
-                  authorizations</label>
-            </param>
-            <prop name="label">AC-3(8)</prop>
-            <prop name="sort-id">ac-03.08</prop>
-            <part id="ac-3.8_smt" name="statement">
-               <p>The information system enforces the revocation of access authorizations resulting
-                  from changes to the security attributes of subjects and objects based on <insert param-id="ac-3.8_prm_1"/>.</p>
-            </part>
-            <part id="ac-3.8_gdn" name="guidance">
-               <p>Revocation of access rules may differ based on the types of access revoked. For
-                  example, if a subject (i.e., user or process) is removed from a group, access may
-                  not be revoked until the next time the object (e.g., file) is opened or until the
-                  next time the subject attempts a new access to the object. Revocation based on
-                  changes to security labels may take effect immediately. Organizations can provide
-                  alternative approaches on how to make revocations immediate if information systems
-                  cannot provide such capability and immediate revocation is necessary.</p>
-            </part>
-            <part id="ac-3.8_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-3.8_obj.1" name="objective">
-                  <prop name="label">AC-3(8)[1]</prop>
-                  <p>the organization defines rules governing the timing of revocations of access
-                     authorizations; and</p>
-               </part>
-               <part id="ac-3.8_obj.2" name="objective">
-                  <prop name="label">AC-3(8)[2]</prop>
-                  <p>the information system enforces the revocation of access authorizations
-                     resulting from changes to the security attributes of subjects and objects based
-                     on organization-defined rules governing the timing of revocations of access
-                     authorizations.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>rules governing revocation of access authorizations, information system audit
-                     records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access enforcement functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.9">
-            <title>Controlled Release</title>
-            <param id="ac-3.9_prm_1">
-               <label>organization-defined information system or system component</label>
-            </param>
-            <param id="ac-3.9_prm_2">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="ac-3.9_prm_3">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">AC-3(9)</prop>
-            <prop name="sort-id">ac-03.09</prop>
-            <part id="ac-3.9_smt" name="statement">
-               <p>The information system does not release information outside of the established
-                  system boundary unless:</p>
-               <part id="ac-3.9_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>The receiving <insert param-id="ac-3.9_prm_1"/> provides <insert param-id="ac-3.9_prm_2"/>; and</p>
-               </part>
-               <part id="ac-3.9_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="ac-3.9_prm_3"/> are used to validate the appropriateness of
-                     the information designated for release.</p>
-               </part>
-            </part>
-            <part id="ac-3.9_gdn" name="guidance">
-               <p>Information systems can only protect organizational information within the
-                  confines of established system boundaries. Additional security safeguards may be
-                  needed to ensure that such information is adequately protected once it is passed
-                  beyond the established information system boundaries. Examples of information
-                  leaving the system boundary include transmitting information to an external
-                  information system or printing the information on one of its printers. In cases
-                  where the information system is unable to make a determination of the adequacy of
-                  the protections provided by entities outside its boundary, as a mitigating
-                  control, organizations determine procedurally whether the external information
-                  systems are providing adequate security. The means used to determine the adequacy
-                  of the security provided by external information systems include, for example,
-                  conducting inspections or periodic testing, establishing agreements between the
-                  organization and its counterpart organizations, or some other process. The means
-                  used by external entities to protect the information received need not be the same
-                  as those used by the organization, but the means employed are sufficient to
-                  provide consistent adjudication of the security policy to protect the information.
-                  This control enhancement requires information systems to employ technical or
-                  procedural means to validate the information prior to releasing it to external
-                  systems. For example, if the information system passes information to another
-                  system controlled by another organization, technical means are employed to
-                  validate that the security attributes associated with the exported information are
-                  appropriate for the receiving system. Alternatively, if the information system
-                  passes information to a printer in organization-controlled space, procedural means
-                  can be employed to ensure that only appropriately authorized individuals gain
-                  access to the printer. This control enhancement is most applicable when there is
-                  some policy mandate (e.g., law, Executive Order, directive, or regulation) that
-                  establishes policy regarding access to the information, and that policy applies
-                  beyond the realm of a particular information system or organization.</p>
-            </part>
-            <part id="ac-3.9_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-3.9_obj.1" name="objective">
-                  <prop name="label">AC-3(9)[1]</prop>
-                  <p>the organization defines the information system or system component authorized
-                     to receive information released outside of the established system boundary of
-                     the information system releasing such information;</p>
-               </part>
-               <part id="ac-3.9_obj.2" name="objective">
-                  <prop name="label">AC-3(9)[2]</prop>
-                  <p>the organization defines security safeguards to be provided by
-                     organization-defined information system or system component receiving
-                     information released from an information system outside of the established
-                     system boundary;</p>
-               </part>
-               <part id="ac-3.9_obj.3" name="objective">
-                  <prop name="label">AC-3(9)[3]</prop>
-                  <p>the organization defines security safeguards to be used to validate the
-                     appropriateness of the information designated for release;</p>
-               </part>
-               <part id="ac-3.9_obj.4" name="objective">
-                  <prop name="label">AC-3(9)[4]</prop>
-                  <p>the information system does not release information outside of the established
-                     system boundary unless:</p>
-                  <part id="ac-3.9.a_obj.4" name="objective">
-                     <prop name="label">AC-3(9)[4](a)</prop>
-                     <p>the receiving organization-defined information system or system component
-                        provides organization-defined security safeguards; and</p>
-                     <link rel="corresp" href="#ac-3.9_smt.a">AC-3(9)(a)</link>
-                  </part>
-                  <part id="ac-3.9.b_obj.4" name="objective">
-                     <prop name="label">AC-3(9)[4](b)</prop>
-                     <p>the organization-defined security safeguards are used to validate the
-                        appropriateness of the information designated for release.</p>
-                     <link rel="corresp" href="#ac-3.9_smt.b">AC-3(9)(b)</link>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security safeguards provided by receiving information system or system
-                     components</p>
-                  <p>list of security safeguards validating appropriateness of information
-                     designated for release</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access enforcement functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.10">
-            <title>Audited Override of Access Control Mechanisms</title>
-            <param id="ac-3.10_prm_1">
-               <label>organization-defined conditions</label>
-            </param>
-            <prop name="label">AC-3(10)</prop>
-            <prop name="sort-id">ac-03.10</prop>
-            <part id="ac-3.10_smt" name="statement">
-               <p>The organization employs an audited override of automated access control
-                  mechanisms under <insert param-id="ac-3.10_prm_1"/>.</p>
-            </part>
-            <part id="ac-3.10_gdn" name="guidance">
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-6">AU-6</link>
-            </part>
-            <part id="ac-3.10_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-3.10_obj.1" name="objective">
-                  <prop name="label">AC-3(10)[1]</prop>
-                  <p>defines conditions under which to employ an audited override of automated
-                     access control mechanisms; and</p>
-               </part>
-               <part id="ac-3.10_obj.2" name="objective">
-                  <prop name="label">AC-3(10)[2]</prop>
-                  <p>employs an audited override of automated access control mechanisms under
-                     organization-defined conditions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>conditions for employing audited override of automated access control
-                     mechanisms</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access enforcement functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-4">
-         <title>Information Flow Enforcement</title>
-         <param id="ac-4_prm_1">
-            <label>organization-defined information flow control policies</label>
-         </param>
-         <prop name="label">AC-4</prop>
-         <prop name="sort-id">ac-04</prop>
-         <part id="ac-4_smt" name="statement">
-            <p>The information system enforces approved authorizations for controlling the flow of
-               information within the system and between interconnected systems based on <insert param-id="ac-4_prm_1"/>.</p>
-         </part>
-         <part id="ac-4_gdn" name="guidance">
-            <p>Information flow control regulates where information is allowed to travel within an
-               information system and between information systems (as opposed to who is allowed to
-               access the information) and without explicit regard to subsequent accesses to that
-               information. Flow control restrictions include, for example, keeping
-               export-controlled information from being transmitted in the clear to the Internet,
-               blocking outside traffic that claims to be from within the organization, restricting
-               web requests to the Internet that are not from the internal web proxy server, and
-               limiting information transfers between organizations based on data structures and
-               content. Transferring information between information systems representing different
-               security domains with different security policies introduces risk that such transfers
-               violate one or more domain security policies. In such situations, information
-               owners/stewards provide guidance at designated policy enforcement points between
-               interconnected systems. Organizations consider mandating specific architectural
-               solutions when required to enforce specific security policies. Enforcement includes,
-               for example: (i) prohibiting information transfers between interconnected systems
-               (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way
-               information flows; and (iii) implementing trustworthy regrading mechanisms to
-               reassign security attributes and security labels. Organizations commonly employ
-               information flow control policies and enforcement mechanisms to control the flow of
-               information between designated sources and destinations (e.g., networks, individuals,
-               and devices) within information systems and between interconnected systems. Flow
-               control is based on the characteristics of the information and/or the information
-               path. Enforcement occurs, for example, in boundary protection devices (e.g.,
-               gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or
-               establish configuration settings that restrict information system services, provide a
-               packet-filtering capability based on header information, or message-filtering
-               capability based on message content (e.g., implementing key word searches or using
-               document characteristics). Organizations also consider the trustworthiness of
-               filtering/inspection mechanisms (i.e., hardware, firmware, and software components)
-               that are critical to information flow enforcement. Control enhancements 3 through 22
-               primarily address cross-domain solution needs which focus on more advanced filtering
-               techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented
-               in cross-domain products, for example, high-assurance guards. Such capabilities are
-               generally not available in commercial off-the-shelf information technology
-               products.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-18">SC-18</link>
-         </part>
-         <part id="ac-4_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-4_obj.1" name="objective">
-               <prop name="label">AC-4[1]</prop>
-               <p>the organization defines information flow control policies to control the flow of
-                  information within the system and between interconnected systems; and</p>
-            </part>
-            <part id="ac-4_obj.2" name="objective">
-               <prop name="label">AC-4[2]</prop>
-               <p>the information system enforces approved authorizations for controlling the flow
-                  of information within the system and between interconnected systems based on
-                  organization-defined information flow control policies.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>information flow control policies</p>
-               <p>procedures addressing information flow enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system baseline configuration</p>
-               <p>list of information flow authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information flow enforcement policy</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-4.1">
-            <title>Object Security Attributes</title>
-            <param id="ac-4.1_prm_1">
-               <label>organization-defined security attributes</label>
-            </param>
-            <param id="ac-4.1_prm_2">
-               <label>organization-defined information, source, and destination objects</label>
-            </param>
-            <param id="ac-4.1_prm_3">
-               <label>organization-defined information flow control policies</label>
-            </param>
-            <prop name="label">AC-4(1)</prop>
-            <prop name="sort-id">ac-04.01</prop>
-            <part id="ac-4.1_smt" name="statement">
-               <p>The information system uses <insert param-id="ac-4.1_prm_1"/> associated with
-                     <insert param-id="ac-4.1_prm_2"/> to enforce <insert param-id="ac-4.1_prm_3"/>
-                  as a basis for flow control decisions.</p>
-            </part>
-            <part id="ac-4.1_gdn" name="guidance">
-               <p>Information flow enforcement mechanisms compare security attributes associated
-                  with information (data content and data structure) and source/destination objects,
-                  and respond appropriately (e.g., block, quarantine, alert administrator) when the
-                  mechanisms encounter information flows not explicitly allowed by information flow
-                  policies. For example, an information object labeled Secret would be allowed to
-                  flow to a destination object labeled Secret, but an information object labeled Top
-                  Secret would not be allowed to flow to a destination object labeled Secret.
-                  Security attributes can also include, for example, source and destination
-                  addresses employed in traffic filter firewalls. Flow enforcement using explicit
-                  security attributes can be used, for example, to control the release of certain
-                  types of information.</p>
-               <link rel="related" href="#ac-16">AC-16</link>
-            </part>
-            <part id="ac-4.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.1_obj.1" name="objective">
-                  <prop name="label">AC-4(1)[1]</prop>
-                  <p>the organization defines information flow control policies as a basis for flow
-                     control decisions;</p>
-               </part>
-               <part id="ac-4.1_obj.2" name="objective">
-                  <prop name="label">AC-4(1)[2]</prop>
-                  <p>the organization defines security attributes to be associated with information,
-                     source, and destination objects;</p>
-               </part>
-               <part id="ac-4.1_obj.3" name="objective">
-                  <prop name="label">AC-4(1)[3]</prop>
-                  <p>the organization defines the following objects to be associated with
-                     organization-defined security attributes:</p>
-                  <part id="ac-4.1_obj.3.a" name="objective">
-                     <prop name="label">AC-4(1)[3][a]</prop>
-                     <p>information;</p>
-                  </part>
-                  <part id="ac-4.1_obj.3.b" name="objective">
-                     <prop name="label">AC-4(1)[3][b]</prop>
-                     <p>source;</p>
-                  </part>
-                  <part id="ac-4.1_obj.3.c" name="objective">
-                     <prop name="label">AC-4(1)[3][c]</prop>
-                     <p>destination; and</p>
-                  </part>
-               </part>
-               <part id="ac-4.1_obj.4" name="objective">
-                  <prop name="label">AC-4(1)[4]</prop>
-                  <p>the information system uses organization-defined security attributes associated
-                     with organization-defined information, source, and destination objects to
-                     enforce organization-defined information flow control policies as a basis for
-                     flow control decisions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security attributes and associated information, source, and destination
-                     objects enforcing information flow control policies</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.2">
-            <title>Processing Domains</title>
-            <param id="ac-4.2_prm_1">
-               <label>organization-defined information flow control policies</label>
-            </param>
-            <prop name="label">AC-4(2)</prop>
-            <prop name="sort-id">ac-04.02</prop>
-            <part id="ac-4.2_smt" name="statement">
-               <p>The information system uses protected processing domains to enforce <insert param-id="ac-4.2_prm_1"/> as a basis for flow control decisions.</p>
-            </part>
-            <part id="ac-4.2_gdn" name="guidance">
-               <p>Within information systems, protected processing domains are processing spaces
-                  that have controlled interactions with other processing spaces, thus enabling
-                  control of information flows between these spaces and to/from data/information
-                  objects. A protected processing domain can be provided, for example, by
-                  implementing domain and type enforcement. In domain and type enforcement,
-                  information system processes are assigned to domains; information is identified by
-                  types; and information flows are controlled based on allowed information accesses
-                  (determined by domain and type), allowed signaling among domains, and allowed
-                  process transitions to other domains.</p>
-            </part>
-            <part id="ac-4.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.2_obj.1" name="objective">
-                  <prop name="label">AC-4(2)[1]</prop>
-                  <p>the organization defines information flow control policies as a basis for flow
-                     control decisions; and</p>
-               </part>
-               <part id="ac-4.2_obj.2" name="objective">
-                  <prop name="label">AC-4(2)[2]</prop>
-                  <p>the information system uses protected processing domains to enforce
-                     organization-defined information flow control policies as a basis for flow
-                     control decisions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system security architecture and associated documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.3">
-            <title>Dynamic Information Flow Control</title>
-            <param id="ac-4.3_prm_1">
-               <label>organization-defined policies</label>
-            </param>
-            <prop name="label">AC-4(3)</prop>
-            <prop name="sort-id">ac-04.03</prop>
-            <part id="ac-4.3_smt" name="statement">
-               <p>The information system enforces dynamic information flow control based on <insert param-id="ac-4.3_prm_1"/>.</p>
-            </part>
-            <part id="ac-4.3_gdn" name="guidance">
-               <p>Organizational policies regarding dynamic information flow control include, for
-                  example, allowing or disallowing information flows based on changing conditions or
-                  mission/operational considerations. Changing conditions include, for example,
-                  changes in organizational risk tolerance due to changes in the immediacy of
-                  mission/business needs, changes in the threat environment, and detection of
-                  potentially harmful or adverse events.</p>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="ac-4.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.3_obj.1" name="objective">
-                  <prop name="label">AC-4(3)[1]</prop>
-                  <p>the organization defines policies to enforce dynamic information flow control;
-                     and</p>
-               </part>
-               <part id="ac-4.3_obj.2" name="objective">
-                  <prop name="label">AC-4(3)[2]</prop>
-                  <p>the information system enforces dynamic information flow control based on
-                     organization-defined policies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system security architecture and associated documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.4">
-            <title>Content Check Encrypted Information</title>
-            <param id="ac-4.4_prm_1">
-               <select how-many="one or more">
-                  <choice>decrypting the information</choice>
-                  <choice>blocking the flow of the encrypted information</choice>
-                  <choice>terminating communications sessions attempting to pass encrypted
-                     information</choice>
-                  <choice>
-                     <insert param-id="ac-4.4_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="ac-4.4_prm_2" depends-on="ac-4.4_prm_1">
-               <label>organization-defined procedure or method</label>
-            </param>
-            <prop name="label">AC-4(4)</prop>
-            <prop name="sort-id">ac-04.04</prop>
-            <part id="ac-4.4_smt" name="statement">
-               <p>The information system prevents encrypted information from bypassing
-                  content-checking mechanisms by <insert param-id="ac-4.4_prm_1"/>.</p>
-            </part>
-            <part id="ac-4.4_gdn" name="guidance">
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="ac-4.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.4_obj.1" name="objective">
-                  <prop name="label">AC-4(4)[1]</prop>
-                  <p>the organization defines a procedure or method to be employed to prevent
-                     encrypted information from bypassing content-checking mechanisms;</p>
-               </part>
-               <part id="ac-4.4_obj.2" name="objective">
-                  <prop name="label">AC-4(4)[2]</prop>
-                  <p>the information system prevents encrypted information from bypassing
-                     content-checking mechanisms by doing one or more of the following:</p>
-                  <part id="ac-4.4_obj.2.a" name="objective">
-                     <prop name="label">AC-4(4)[2][a]</prop>
-                     <p>decrypting the information;</p>
-                  </part>
-                  <part id="ac-4.4_obj.2.b" name="objective">
-                     <prop name="label">AC-4(4)[2][b]</prop>
-                     <p>blocking the flow of the encrypted information;</p>
-                  </part>
-                  <part id="ac-4.4_obj.2.c" name="objective">
-                     <prop name="label">AC-4(4)[2][c]</prop>
-                     <p>terminating communications sessions attempting to pass encrypted
-                        information; and/or</p>
-                  </part>
-                  <part id="ac-4.4_obj.2.d" name="objective">
-                     <prop name="label">AC-4(4)[2][d]</prop>
-                     <p>employing the organization-defined procedure or method.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.5">
-            <title>Embedded Data Types</title>
-            <param id="ac-4.5_prm_1">
-               <label>organization-defined limitations</label>
-            </param>
-            <prop name="label">AC-4(5)</prop>
-            <prop name="sort-id">ac-04.05</prop>
-            <part id="ac-4.5_smt" name="statement">
-               <p>The information system enforces <insert param-id="ac-4.5_prm_1"/> on embedding
-                  data types within other data types.</p>
-            </part>
-            <part id="ac-4.5_gdn" name="guidance">
-               <p>Embedding data types within other data types may result in reduced flow control
-                  effectiveness. Data type embedding includes, for example, inserting executable
-                  files as objects within word processing files, inserting references or descriptive
-                  information into a media file, and compressed or archived data types that may
-                  include multiple embedded data types. Limitations on data type embedding consider
-                  the levels of embedding and prohibit levels of data type embedding that are beyond
-                  the capability of the inspection tools.</p>
-            </part>
-            <part id="ac-4.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.5_obj.1" name="objective">
-                  <prop name="label">AC-4(5)[1]</prop>
-                  <p>the organization defines limitations to be enforced on embedding data types
-                     within other data types; and</p>
-               </part>
-               <part id="ac-4.5_obj.2" name="objective">
-                  <prop name="label">AC-4(5)[2]</prop>
-                  <p>the information system enforces organization-defined limitations on embedding
-                     data types within other data types.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of limitations to be enforced on embedding data types within other data
-                     types</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.6">
-            <title>Metadata</title>
-            <param id="ac-4.6_prm_1">
-               <label>organization-defined metadata</label>
-            </param>
-            <prop name="label">AC-4(6)</prop>
-            <prop name="sort-id">ac-04.06</prop>
-            <part id="ac-4.6_smt" name="statement">
-               <p>The information system enforces information flow control based on <insert param-id="ac-4.6_prm_1"/>.</p>
-            </part>
-            <part id="ac-4.6_gdn" name="guidance">
-               <p>Metadata is information used to describe the characteristics of data. Metadata can
-                  include structural metadata describing data structures (e.g., data format, syntax,
-                  and semantics) or descriptive metadata describing data contents (e.g., age,
-                  location, telephone number). Enforcing allowed information flows based on metadata
-                  enables simpler and more effective flow control. Organizations consider the
-                  trustworthiness of metadata with regard to data accuracy (i.e., knowledge that the
-                  metadata values are correct with respect to the data), data integrity (i.e.,
-                  protecting against unauthorized changes to metadata tags), and the binding of
-                  metadata to the data payload (i.e., ensuring sufficiently strong binding
-                  techniques with appropriate levels of assurance).</p>
-               <link rel="related" href="#ac-16">AC-16</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ac-4.6_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.6_obj.1" name="objective">
-                  <prop name="label">AC-4(6)[1]</prop>
-                  <p>the organization defines metadata to be used as a means of enforcing
-                     information flow control; and</p>
-               </part>
-               <part id="ac-4.6_obj.2" name="objective">
-                  <prop name="label">AC-4(6)[2]</prop>
-                  <p>the information system enforces information flow control based on
-                     organization-defined metadata.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>types of metadata used to enforce information flow control decisions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.7">
-            <title>One-way Flow Mechanisms</title>
-            <param id="ac-4.7_prm_1">
-               <label>organization-defined one-way information flows</label>
-            </param>
-            <prop name="label">AC-4(7)</prop>
-            <prop name="sort-id">ac-04.07</prop>
-            <part id="ac-4.7_smt" name="statement">
-               <p>The information system enforces <insert param-id="ac-4.7_prm_1"/> using hardware
-                  mechanisms.</p>
-            </part>
-            <part id="ac-4.7_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.7_obj.1" name="objective">
-                  <prop name="label">AC-4(7)[1]</prop>
-                  <p>the organization defines one-way information flows to be enforced by the
-                     information system; and</p>
-               </part>
-               <part id="ac-4.7_obj.2" name="objective">
-                  <prop name="label">AC-4(7)[2]</prop>
-                  <p>the information system enforces organization-defined one-way information flows
-                     using hardware mechanisms.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system hardware mechanisms and associated configurations</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Hardware mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.8">
-            <title>Security Policy Filters</title>
-            <param id="ac-4.8_prm_1">
-               <label>organization-defined security policy filters</label>
-            </param>
-            <param id="ac-4.8_prm_2">
-               <label>organization-defined information flows</label>
-            </param>
-            <prop name="label">AC-4(8)</prop>
-            <prop name="sort-id">ac-04.08</prop>
-            <part id="ac-4.8_smt" name="statement">
-               <p>The information system enforces information flow control using <insert param-id="ac-4.8_prm_1"/> as a basis for flow control decisions for <insert param-id="ac-4.8_prm_2"/>.</p>
-            </part>
-            <part id="ac-4.8_gdn" name="guidance">
-               <p>Organization-defined security policy filters can address data structures and
-                  content. For example, security policy filters for data structures can check for
-                  maximum file lengths, maximum field sizes, and data/file types (for structured and
-                  unstructured data). Security policy filters for data content can check for
-                  specific words (e.g., dirty/clean word filters), enumerated values or data value
-                  ranges, and hidden content. Structured data permits the interpretation of data
-                  content by applications. Unstructured data typically refers to digital information
-                  without a particular data structure or with a data structure that does not
-                  facilitate the development of rule sets to address the particular sensitivity of
-                  the information conveyed by the data or the associated flow enforcement decisions.
-                  Unstructured data consists of: (i) bitmap objects that are inherently non
-                  language-based (i.e., image, video, or audio files); and (ii) textual objects that
-                  are based on written or printed languages (e.g., commercial off-the-shelf word
-                  processing documents, spreadsheets, or emails). Organizations can implement more
-                  than one security policy filter to meet information flow control objectives (e.g.,
-                  employing clean word lists in conjunction with dirty word lists may help to reduce
-                  false positives).</p>
-            </part>
-            <part id="ac-4.8_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.8_obj.1" name="objective">
-                  <prop name="label">AC-4(8)[1]</prop>
-                  <p>the organization defines security policy filters to be used as a basis for
-                     enforcing flow control decisions;</p>
-               </part>
-               <part id="ac-4.8_obj.2" name="objective">
-                  <prop name="label">AC-4(8)[2]</prop>
-                  <p>the organization defines information flows for which flow control decisions are
-                     to be applied and enforced; and</p>
-               </part>
-               <part id="ac-4.8_obj.3" name="objective">
-                  <prop name="label">AC-4(8)[3]</prop>
-                  <p>the information system enforces information flow control using
-                     organization-defined security policy filters as a basis for flow control
-                     decisions for organization-defined information flows.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security policy filters regulating flow control decisions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.9">
-            <title>Human Reviews</title>
-            <param id="ac-4.9_prm_1">
-               <label>organization-defined information flows</label>
-            </param>
-            <param id="ac-4.9_prm_2">
-               <label>organization-defined conditions</label>
-            </param>
-            <prop name="label">AC-4(9)</prop>
-            <prop name="sort-id">ac-04.09</prop>
-            <part id="ac-4.9_smt" name="statement">
-               <p>The information system enforces the use of human reviews for <insert param-id="ac-4.9_prm_1"/> under the following conditions: <insert param-id="ac-4.9_prm_2"/>.</p>
-            </part>
-            <part id="ac-4.9_gdn" name="guidance">
-               <p>Organizations define security policy filters for all situations where automated
-                  flow control decisions are possible. When a fully automated flow control decision
-                  is not possible, then a human review may be employed in lieu of, or as a
-                  complement to, automated security policy filtering. Human reviews may also be
-                  employed as deemed necessary by organizations.</p>
-            </part>
-            <part id="ac-4.9_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.9_obj.1" name="objective">
-                  <prop name="label">AC-4(9)[1]</prop>
-                  <p>the organization defines information flows requiring the use of human
-                     reviews;</p>
-               </part>
-               <part id="ac-4.9_obj.2" name="objective">
-                  <prop name="label">AC-4(9)[2]</prop>
-                  <p>the organization defines conditions under which the use of human reviews for
-                     organization-defined information flows is to be enforced; and</p>
-               </part>
-               <part id="ac-4.9_obj.3" name="objective">
-                  <prop name="label">AC-4(9)[3]</prop>
-                  <p>the information system enforces the use of human reviews for
-                     organization-defined information flows under organization-defined
-                     conditions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of human reviews regarding information flows</p>
-                  <p>list of conditions requiring human reviews for information flows</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with information flow enforcement responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms enforcing the use of human reviews</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.10">
-            <title>Enable / Disable Security Policy Filters</title>
-            <param id="ac-4.10_prm_1">
-               <label>organization-defined security policy filters</label>
-            </param>
-            <param id="ac-4.10_prm_2">
-               <label>organization-defined conditions</label>
-            </param>
-            <prop name="label">AC-4(10)</prop>
-            <prop name="sort-id">ac-04.10</prop>
-            <part id="ac-4.10_smt" name="statement">
-               <p>The information system provides the capability for privileged administrators to
-                  enable/disable <insert param-id="ac-4.10_prm_1"/> under the following conditions:
-                     <insert param-id="ac-4.10_prm_2"/>.</p>
-            </part>
-            <part id="ac-4.10_gdn" name="guidance">
-               <p>For example, as allowed by the information system authorization, administrators
-                  can enable security policy filters to accommodate approved data types.</p>
-            </part>
-            <part id="ac-4.10_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.10_obj.1" name="objective">
-                  <prop name="label">AC-4(10)[1]</prop>
-                  <p>the organization defines security policy filters that privileged administrators
-                     have the capability to enable/disable;</p>
-               </part>
-               <part id="ac-4.10_obj.2" name="objective">
-                  <prop name="label">AC-4(10)[2]</prop>
-                  <p>the organization-defined conditions under which privileged administrators have
-                     the capability to enable/disable organization-defined security policy filters;
-                     and</p>
-               </part>
-               <part id="ac-4.10_obj.3" name="objective">
-                  <prop name="label">AC-4(10)[3]</prop>
-                  <p>the information system provides the capability for privileged administrators to
-                     enable/disable organization-defined security policy filters under
-                     organization-defined conditions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow information policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security policy filters enabled/disabled by privileged
-                     administrators</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for enabling/disabling security
-                     policy filters</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.11">
-            <title>Configuration of Security Policy Filters</title>
-            <param id="ac-4.11_prm_1">
-               <label>organization-defined security policy filters</label>
-            </param>
-            <prop name="label">AC-4(11)</prop>
-            <prop name="sort-id">ac-04.11</prop>
-            <part id="ac-4.11_smt" name="statement">
-               <p>The information system provides the capability for privileged administrators to
-                  configure <insert param-id="ac-4.11_prm_1"/> to support different security
-                  policies.</p>
-            </part>
-            <part id="ac-4.11_gdn" name="guidance">
-               <p>For example, to reflect changes in security policies, administrators can change
-                  the list of “dirty words” that security policy mechanisms check in accordance with
-                  the definitions provided by organizations.</p>
-            </part>
-            <part id="ac-4.11_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.11_obj.1" name="objective">
-                  <prop name="label">AC-4(11)[1]</prop>
-                  <p>the organization defines security policy filters that privileged administrators
-                     have the capability to configure to support different security policies;
-                     and</p>
-               </part>
-               <part id="ac-4.11_obj.2" name="objective">
-                  <prop name="label">AC-4(11)[2]</prop>
-                  <p>the information system provides the capability for privileged administrators to
-                     configure organization-defined security policy filters to support different
-                     security policies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security policy filters</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for configuring security policy
-                     filters</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.12">
-            <title>Data Type Identifiers</title>
-            <param id="ac-4.12_prm_1">
-               <label>organization-defined data type identifiers</label>
-            </param>
-            <prop name="label">AC-4(12)</prop>
-            <prop name="sort-id">ac-04.12</prop>
-            <part id="ac-4.12_smt" name="statement">
-               <p>The information system, when transferring information between different security
-                  domains, uses <insert param-id="ac-4.12_prm_1"/> to validate data essential for
-                  information flow decisions.</p>
-            </part>
-            <part id="ac-4.12_gdn" name="guidance">
-               <p>Data type identifiers include, for example, filenames, file types, file
-                  signatures/tokens, and multiple internal file signatures/tokens. Information
-                  systems may allow transfer of data only if compliant with data type format
-                  specifications.</p>
-            </part>
-            <part id="ac-4.12_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.12_obj.1" name="objective">
-                  <prop name="label">AC-4(12)[1]</prop>
-                  <p>the organization defines data type identifiers to be used, when transferring
-                     information between different security domains, to validate data essential for
-                     information flow decisions; and</p>
-               </part>
-               <part id="ac-4.12_obj.2" name="objective">
-                  <prop name="label">AC-4(12)[2]</prop>
-                  <p>the information system, when transferring information between different
-                     security domains, uses organization-defined data type identifiers to validate
-                     data essential for information flow decisions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of data type identifiers</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.13">
-            <title>Decomposition into Policy-relevant Subcomponents</title>
-            <param id="ac-4.13_prm_1">
-               <label>organization-defined policy-relevant subcomponents</label>
-            </param>
-            <prop name="label">AC-4(13)</prop>
-            <prop name="sort-id">ac-04.13</prop>
-            <part id="ac-4.13_smt" name="statement">
-               <p>The information system, when transferring information between different security
-                  domains, decomposes information into <insert param-id="ac-4.13_prm_1"/> for
-                  submission to policy enforcement mechanisms.</p>
-            </part>
-            <part id="ac-4.13_gdn" name="guidance">
-               <p>Policy enforcement mechanisms apply filtering, inspection, and/or sanitization
-                  rules to the policy-relevant subcomponents of information to facilitate flow
-                  enforcement prior to transferring such information to different security domains.
-                  Parsing transfer files facilitates policy decisions on source, destination,
-                  certificates, classification, attachments, and other security-related component
-                  differentiators.</p>
-            </part>
-            <part id="ac-4.13_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.13_obj.1" name="objective">
-                  <prop name="label">AC-4(13)[1]</prop>
-                  <p>the organization defines policy-relevant subcomponents to decompose information
-                     for submission to policy enforcement mechanisms when transferring such
-                     information between different security domains; and</p>
-               </part>
-               <part id="ac-4.13_obj.2" name="objective">
-                  <prop name="label">AC-4(13)[2]</prop>
-                  <p>the information system, when transferring information between different
-                     security domains, decomposes information into organization-defined
-                     policy-relevant subcomponents for submission to policy enforcement
-                     mechanisms.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.14">
-            <title>Security Policy Filter Constraints</title>
-            <param id="ac-4.14_prm_1">
-               <label>organization-defined security policy filters</label>
-            </param>
-            <prop name="label">AC-4(14)</prop>
-            <prop name="sort-id">ac-04.14</prop>
-            <part id="ac-4.14_smt" name="statement">
-               <p>The information system, when transferring information between different security
-                  domains, implements <insert param-id="ac-4.14_prm_1"/> requiring fully enumerated
-                  formats that restrict data structure and content.</p>
-            </part>
-            <part id="ac-4.14_gdn" name="guidance">
-               <p>Data structure and content restrictions reduce the range of potential malicious
-                  and/or unsanctioned content in cross-domain transactions. Security policy filters
-                  that restrict data structures include, for example, restricting file sizes and
-                  field lengths. Data content policy filters include, for example: (i) encoding
-                  formats for character sets (e.g., Universal Character Set Transformation Formats,
-                  American Standard Code for Information Interchange); (ii) restricting character
-                  data fields to only contain alpha-numeric characters; (iii) prohibiting special
-                  characters; and (iv) validating schema structures.</p>
-            </part>
-            <part id="ac-4.14_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.14_obj.1" name="objective">
-                  <prop name="label">AC-4(14)[1]</prop>
-                  <p>the organization defines security policy filters to be implemented that require
-                     fully enumerated formats restricting data structure and content when
-                     transferring information between different security domains; and</p>
-               </part>
-               <part id="ac-4.14_obj.2" name="objective">
-                  <prop name="label">AC-4(14)[2]</prop>
-                  <p>the information system, when transferring information between different
-                     security domains, implements organization-defined security policy filters
-                     requiring fully enumerated formats that restrict data structure and
-                     content.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security policy filters</p>
-                  <p>list of data content policy filters</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.15">
-            <title>Detection of Unsanctioned Information</title>
-            <param id="ac-4.15_prm_1">
-               <label>organized-defined unsanctioned information</label>
-            </param>
-            <param id="ac-4.15_prm_2">
-               <label>organization-defined security policy</label>
-            </param>
-            <prop name="label">AC-4(15)</prop>
-            <prop name="sort-id">ac-04.15</prop>
-            <part id="ac-4.15_smt" name="statement">
-               <p>The information system, when transferring information between different security
-                  domains, examines the information for the presence of <insert param-id="ac-4.15_prm_1"/> and prohibits the transfer of such information in
-                  accordance with the <insert param-id="ac-4.15_prm_2"/>.</p>
-            </part>
-            <part id="ac-4.15_gdn" name="guidance">
-               <p>Detection of unsanctioned information includes, for example, checking all
-                  information to be transferred for malicious code and dirty words.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="ac-4.15_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-4.15_obj.1" name="objective">
-                  <prop name="label">AC-4(15)[1]</prop>
-                  <p>the organization defines unsanctioned information to be detected when
-                     transferring information between different security domains;</p>
-               </part>
-               <part id="ac-4.15_obj.2" name="objective">
-                  <prop name="label">AC-4(15)[2]</prop>
-                  <p>the organization defines the security policy that requires the transfer of
-                     organization-defined unsanctioned information between different security
-                     domains to be prohibited when the presence of such information is detected;
-                     and</p>
-               </part>
-               <part id="ac-4.15_obj.3" name="objective">
-                  <prop name="label">AC-4(15)[3]</prop>
-                  <p>the information system, when transferring information between different
-                     security domains, examines the information for the presence of
-                     organization-defined unsanctioned information and prohibits the transfer of
-                     such information in accordance with the organization-defined security
-                     policy.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of unsanctioned information types and associated information</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.16">
-            <title>Information Transfers On Interconnected Systems</title>
-            <prop name="label">AC-4(16)</prop>
-            <prop name="sort-id">ac-04.16</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-4">AC-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.17">
-            <title>Domain Authentication</title>
-            <param id="ac-4.17_prm_1">
-               <select how-many="one or more">
-                  <choice>organization, system, application, individual</choice>
-               </select>
-            </param>
-            <prop name="label">AC-4(17)</prop>
-            <prop name="sort-id">ac-04.17</prop>
-            <part id="ac-4.17_smt" name="statement">
-               <p>The information system uniquely identifies and authenticates source and
-                  destination points by <insert param-id="ac-4.17_prm_1"/> for information
-                  transfer.</p>
-            </part>
-            <part id="ac-4.17_gdn" name="guidance">
-               <p>Attribution is a critical component of a security concept of operations. The
-                  ability to identify source and destination points for information flowing in
-                  information systems, allows the forensic reconstruction of events when required,
-                  and encourages policy compliance by attributing policy violations to specific
-                  organizations/individuals. Successful domain authentication requires that
-                  information system labels distinguish among systems, organizations, and
-                  individuals involved in preparing, sending, receiving, or disseminating
-                  information.</p>
-               <link rel="related" href="#ia-2">IA-2</link>
-               <link rel="related" href="#ia-3">IA-3</link>
-               <link rel="related" href="#ia-4">IA-4</link>
-               <link rel="related" href="#ia-5">IA-5</link>
-            </part>
-            <part id="ac-4.17_obj" name="objective">
-               <p>Determine if the information system uniquely identifies and authenticates: </p>
-               <part id="ac-4.17_obj.1" name="objective">
-                  <prop name="label">AC-4(17)[1]</prop>
-                  <part id="ac-4.17_obj.1.a" name="objective">
-                     <prop name="label">AC-4(17)[1][a]</prop>
-                     <p>source points for information transfer;</p>
-                  </part>
-                  <part id="ac-4.17_obj.1.b" name="objective">
-                     <prop name="label">AC-4(17)[1][b]</prop>
-                     <p>destination points for information transfer;</p>
-                  </part>
-               </part>
-               <part id="ac-4.17_obj.2" name="objective">
-                  <prop name="label">AC-4(17)[2]</prop>
-                  <p>by one or more of the following:</p>
-                  <part id="ac-4.17_obj.2.a" name="objective">
-                     <prop name="label">AC-4(17)[2][a]</prop>
-                     <p>organization;</p>
-                  </part>
-                  <part id="ac-4.17_obj.2.b" name="objective">
-                     <prop name="label">AC-4(17)[2][b]</prop>
-                     <p>system;</p>
-                  </part>
-                  <part id="ac-4.17_obj.2.c" name="objective">
-                     <prop name="label">AC-4(17)[2][c]</prop>
-                     <p>application; and/or</p>
-                  </part>
-                  <part id="ac-4.17_obj.2.d" name="objective">
-                     <prop name="label">AC-4(17)[2][d]</prop>
-                     <p>individual.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>procedures addressing source and destination domain identification and
-                     authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.18">
-            <title>Security Attribute Binding</title>
-            <param id="ac-4.18_prm_1">
-               <label>organization-defined binding techniques</label>
-            </param>
-            <prop name="label">AC-4(18)</prop>
-            <prop name="sort-id">ac-04.18</prop>
-            <part id="ac-4.18_smt" name="statement">
-               <p>The information system binds security attributes to information using <insert param-id="ac-4.18_prm_1"/> to facilitate information flow policy
-                  enforcement.</p>
-            </part>
-            <part id="ac-4.18_gdn" name="guidance">
-               <p>Binding techniques implemented by information systems affect the strength of
-                  security attribute binding to information. Binding strength and the assurance
-                  associated with binding techniques play an important part in the trust
-                  organizations have in the information flow enforcement process. The binding
-                  techniques affect the number and degree of additional reviews required by
-                  organizations.</p>
-               <link rel="related" href="#ac-16">AC-16</link>
-               <link rel="related" href="#sc-16">SC-16</link>
-            </part>
-            <part id="ac-4.18_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-4.18_obj.1" name="objective">
-                  <prop name="label">AC-4(18)[1]</prop>
-                  <p>the organization defines binding techniques to be used to facilitate
-                     information flow policy enforcement; and</p>
-               </part>
-               <part id="ac-4.18_obj.2" name="objective">
-                  <prop name="label">AC-4(18)[2]</prop>
-                  <p>the information system binds security attributes to information using
-                     organization-defined binding techniques to facilitate information flow policy
-                     enforcement.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information flow enforcement policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of binding techniques to bind security attributes to information</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information flow enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.19">
-            <title>Validation of Metadata</title>
-            <prop name="label">AC-4(19)</prop>
-            <prop name="sort-id">ac-04.19</prop>
-            <part id="ac-4.19_smt" name="statement">
-               <p>The information system, when transferring information between different security
-                  domains, applies the same security policy filtering to metadata as it applies to
-                  data payloads.</p>
-            </part>
-            <part id="ac-4.19_gdn" name="guidance">
-               <p>This control enhancement requires the validation of metadata and the data to which
-                  the metadata applies. Some organizations distinguish between metadata and data
-                  payloads (i.e., only the data to which the metadata is bound). Other organizations
-                  do not make such distinctions, considering metadata and the data to which the
-                  metadata applies as part of the payload. All information (including metadata and
-                  the data to which the metadata applies) is subject to filtering and
-                  inspection.</p>
-            </part>
-            <part id="ac-4.19_obj" name="objective">
-               <p>Determine if the information system, when transferring information between
-                  different security domains, applies the same security policy filtering to metadata
-                  as it applies to data payloads. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information flow enforcement policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security policy filtering criteria applied to metadata and data
-                     payloads</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information flow enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.20">
-            <title>Approved Solutions</title>
-            <param id="ac-4.20_prm_1">
-               <label>organization-defined solutions in approved configurations</label>
-            </param>
-            <param id="ac-4.20_prm_2">
-               <label>organization-defined information</label>
-            </param>
-            <prop name="label">AC-4(20)</prop>
-            <prop name="sort-id">ac-04.20</prop>
-            <part id="ac-4.20_smt" name="statement">
-               <p>The organization employs <insert param-id="ac-4.20_prm_1"/> to control the flow of
-                     <insert param-id="ac-4.20_prm_2"/> across security domains.</p>
-            </part>
-            <part id="ac-4.20_gdn" name="guidance">
-               <p>Organizations define approved solutions and configurations in cross-domain
-                  policies and guidance in accordance with the types of information flows across
-                  classification boundaries. The Unified Cross Domain Management Office (UCDMO)
-                  provides a baseline listing of approved cross-domain solutions.</p>
-            </part>
-            <part id="ac-4.20_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-4.20_obj.1" name="objective">
-                  <prop name="label">AC-4(20)[1]</prop>
-                  <p>defines solutions in approved configurations to control the flow of information
-                     across security domains;</p>
-               </part>
-               <part id="ac-4.20_obj.2" name="objective">
-                  <prop name="label">AC-4(20)[2]</prop>
-                  <p>defines information for which organization-defined solutions in approved
-                     configurations are to be employed to control the flow of such information
-                     across security domains; and</p>
-               </part>
-               <part id="ac-4.20_obj.3" name="objective">
-                  <prop name="label">AC-4(20)[3]</prop>
-                  <p>employs organization-defined solutions in approved configurations to control
-                     the flow of organization-defined information across security domains.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information flow enforcement policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of solutions in approved configurations</p>
-                  <p>approved configuration baselines</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information flow enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.21">
-            <title>Physical / Logical Separation of Information Flows</title>
-            <param id="ac-4.21_prm_1">
-               <label>organization-defined mechanisms and/or techniques</label>
-            </param>
-            <param id="ac-4.21_prm_2">
-               <label>organization-defined required separations by types of information</label>
-            </param>
-            <prop name="label">AC-4(21)</prop>
-            <prop name="sort-id">ac-04.21</prop>
-            <part id="ac-4.21_smt" name="statement">
-               <p>The information system separates information flows logically or physically using
-                     <insert param-id="ac-4.21_prm_1"/> to accomplish <insert param-id="ac-4.21_prm_2"/>.</p>
-            </part>
-            <part id="ac-4.21_gdn" name="guidance">
-               <p>Enforcing the separation of information flows by type can enhance protection by
-                  ensuring that information is not commingled while in transit and by enabling flow
-                  control by transmission paths perhaps not otherwise achievable. Types of separable
-                  information include, for example, inbound and outbound communications traffic,
-                  service requests and responses, and information of differing security
-                  categories.</p>
-            </part>
-            <part id="ac-4.21_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-4.21_obj.1" name="objective">
-                  <prop name="label">AC-4(21)[1]</prop>
-                  <p>the organization defines the required separations of information flows by types
-                     of information;</p>
-               </part>
-               <part id="ac-4.21_obj.2" name="objective">
-                  <prop name="label">AC-4(21)[2]</prop>
-                  <p>the organization defines the mechanisms and/or techniques to be used to
-                     separate information flows logically or physically; and</p>
-               </part>
-               <part id="ac-4.21_obj.3" name="objective">
-                  <prop name="label">AC-4(21)[3]</prop>
-                  <p>the information system separates information flows logically or physically
-                     using organization-defined mechanisms and/or techniques to accomplish
-                     organization-defined required separations by types of information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information flow enforcement policy</p>
-                  <p>information flow control policies</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of required separation of information flows by information types</p>
-                  <p>list of mechanisms and/or techniques used to logically or physically separate
-                     information flows</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information flow enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.22">
-            <title>Access Only</title>
-            <prop name="label">AC-4(22)</prop>
-            <prop name="sort-id">ac-04.22</prop>
-            <part id="ac-4.22_smt" name="statement">
-               <p>The information system provides access from a single device to computing
-                  platforms, applications, or data residing on multiple different security domains,
-                  while preventing any information flow between the different security domains.</p>
-            </part>
-            <part id="ac-4.22_gdn" name="guidance">
-               <p>The information system, for example, provides a desktop for users to access each
-                  connected security domain without providing any mechanisms to allow transfer of
-                  information between the different security domains.</p>
-            </part>
-            <part id="ac-4.22_obj" name="objective">
-               <p>Determine if the information system provides access from a single device to
-                  computing platforms, applications, or data residing on multiple different security
-                  domains, while preventing any information flow between the different security
-                  domains. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information flow enforcement policy</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information flow enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing information flow enforcement functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-5">
-         <title>Separation of Duties</title>
-         <param id="ac-5_prm_1">
-            <label>organization-defined duties of individuals</label>
-         </param>
-         <prop name="label">AC-5</prop>
-         <prop name="sort-id">ac-05</prop>
-         <part id="ac-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Separates <insert param-id="ac-5_prm_1"/>;</p>
-            </part>
-            <part id="ac-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents separation of duties of individuals; and</p>
-            </part>
-            <part id="ac-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Defines information system access authorizations to support separation of
-                  duties.</p>
-            </part>
-         </part>
-         <part id="ac-5_gdn" name="guidance">
-            <p>Separation of duties addresses the potential for abuse of authorized privileges and
-               helps to reduce the risk of malevolent activity without collusion. Separation of
-               duties includes, for example: (i) dividing mission functions and information system
-               support functions among different individuals and/or roles; (ii) conducting
-               information system support functions with different individuals (e.g., system
-               management, programming, configuration management, quality assurance and testing, and
-               network security); and (iii) ensuring security personnel administering access control
-               functions do not also administer audit functions.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-         </part>
-         <part id="ac-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-5.a_obj" name="objective">
-               <prop name="label">AC-5(a)</prop>
-               <part id="ac-5.a_obj.1" name="objective">
-                  <prop name="label">AC-5(a)[1]</prop>
-                  <p>defines duties of individuals to be separated;</p>
-               </part>
-               <part id="ac-5.a_obj.2" name="objective">
-                  <prop name="label">AC-5(a)[2]</prop>
-                  <p>separates organization-defined duties of individuals;</p>
-               </part>
-            </part>
-            <part id="ac-5.b_obj" name="objective">
-               <prop name="label">AC-5(b)</prop>
-               <p>documents separation of duties; and</p>
-            </part>
-            <part id="ac-5.c_obj" name="objective">
-               <prop name="label">AC-5(c)</prop>
-               <p>defines information system access authorizations to support separation of
-                  duties.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing divisions of responsibility and separation of duties</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of divisions of responsibility and separation of duties</p>
-               <p>information system access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining appropriate divisions
-                  of responsibility and separation of duties</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing separation of duties policy</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-6">
-         <title>Least Privilege</title>
-         <prop name="label">AC-6</prop>
-         <prop name="sort-id">ac-06</prop>
-         <part id="ac-6_smt" name="statement">
-            <p>The organization employs the principle of least privilege, allowing only authorized
-               accesses for users (or processes acting on behalf of users) which are necessary to
-               accomplish assigned tasks in accordance with organizational missions and business
-               functions.</p>
-         </part>
-         <part id="ac-6_gdn" name="guidance">
-            <p>Organizations employ least privilege for specific duties and information systems. The
-               principle of least privilege is also applied to information system processes,
-               ensuring that the processes operate at privilege levels no higher than necessary to
-               accomplish required organizational missions/business functions. Organizations
-               consider the creation of additional processes, roles, and information system accounts
-               as necessary, to achieve least privilege. Organizations also apply least privilege to
-               the development, implementation, and operation of organizational information
-               systems.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="ac-6_obj" name="objective">
-            <p>Determine if the organization employs the principle of least privilege, allowing only
-               authorized access for users (and processes acting on behalf of users) which are
-               necessary to accomplish assigned tasks in accordance with organizational missions and
-               business functions. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing least privilege</p>
-               <p>list of assigned access authorizations (user privileges)</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining least privileges
-                  necessary to accomplish specified tasks</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing least privilege functions</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-6.1">
-            <title>Authorize Access to Security Functions</title>
-            <param id="ac-6.1_prm_1">
-               <label>organization-defined security functions (deployed in hardware, software, and
-                  firmware) and security-relevant information</label>
-            </param>
-            <prop name="label">AC-6(1)</prop>
-            <prop name="sort-id">ac-06.01</prop>
-            <part id="ac-6.1_smt" name="statement">
-               <p>The organization explicitly authorizes access to <insert param-id="ac-6.1_prm_1"/>.</p>
-            </part>
-            <part id="ac-6.1_gdn" name="guidance">
-               <p>Security functions include, for example, establishing system accounts, configuring
-                  access authorizations (i.e., permissions, privileges), setting events to be
-                  audited, and setting intrusion detection parameters. Security-relevant information
-                  includes, for example, filtering rules for routers/firewalls, cryptographic key
-                  management information, configuration parameters for security services, and access
-                  control lists. Explicitly authorized personnel include, for example, security
-                  administrators, system and network administrators, system security officers,
-                  system maintenance personnel, system programmers, and other privileged users.</p>
-               <link rel="related" href="#ac-17">AC-17</link>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ac-19">AC-19</link>
-            </part>
-            <part id="ac-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-6.1_obj.1" name="objective">
-                  <prop name="label">AC-6(1)[1]</prop>
-                  <p>defines security-relevant information for which access must be explicitly
-                     authorized;</p>
-               </part>
-               <part id="ac-6.1_obj.2" name="objective">
-                  <prop name="label">AC-6(1)[2]</prop>
-                  <p>defines security functions deployed in:</p>
-                  <part id="ac-6.1_obj.2.a" name="objective">
-                     <prop name="label">AC-6(1)[2][a]</prop>
-                     <p>hardware;</p>
-                  </part>
-                  <part id="ac-6.1_obj.2.b" name="objective">
-                     <prop name="label">AC-6(1)[2][b]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="ac-6.1_obj.2.c" name="objective">
-                     <prop name="label">AC-6(1)[2][c]</prop>
-                     <p>firmware;</p>
-                  </part>
-               </part>
-               <part id="ac-6.1_obj.3" name="objective">
-                  <prop name="label">AC-6(1)[3]</prop>
-                  <p>explicitly authorizes access to:</p>
-                  <part id="ac-6.1_obj.3.a" name="objective">
-                     <prop name="label">AC-6(1)[3][a]</prop>
-                     <p>organization-defined security functions; and</p>
-                  </part>
-                  <part id="ac-6.1_obj.3.b" name="objective">
-                     <prop name="label">AC-6(1)[3][b]</prop>
-                     <p>security-relevant information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of security functions (deployed in hardware, software, and firmware) and
-                     security-relevant information for which access must be explicitly
-                     authorized</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.2">
-            <title>Non-privileged Access for Nonsecurity Functions</title>
-            <param id="ac-6.2_prm_1">
-               <label>organization-defined security functions or security-relevant
-                  information</label>
-            </param>
-            <prop name="label">AC-6(2)</prop>
-            <prop name="sort-id">ac-06.02</prop>
-            <part id="ac-6.2_smt" name="statement">
-               <p>The organization requires that users of information system accounts, or roles,
-                  with access to <insert param-id="ac-6.2_prm_1"/>, use non-privileged accounts or
-                  roles, when accessing nonsecurity functions.</p>
-            </part>
-            <part id="ac-6.2_gdn" name="guidance">
-               <p>This control enhancement limits exposure when operating from within privileged
-                  accounts or roles. The inclusion of roles addresses situations where organizations
-                  implement access control policies such as role-based access control and where a
-                  change of role provides the same degree of assurance in the change of access
-                  authorizations for both the user and all processes acting on behalf of the user as
-                  would be provided by a change between a privileged and non-privileged account.</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-            </part>
-            <part id="ac-6.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-6.2_obj.1" name="objective">
-                  <prop name="label">AC-6(2)[1]</prop>
-                  <p>defines security functions or security-relevant information to which users of
-                     information system accounts, or roles, have access; and</p>
-               </part>
-               <part id="ac-6.2_obj.2" name="objective">
-                  <prop name="label">AC-6(2)[2]</prop>
-                  <p>requires that users of information system accounts, or roles, with access to
-                     organization-defined security functions or security-relevant information, use
-                     non-privileged accounts, or roles, when accessing nonsecurity functions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated security functions or security-relevant information
-                     assigned to information system accounts or roles</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.3">
-            <title>Network Access to Privileged Commands</title>
-            <param id="ac-6.3_prm_1">
-               <label>organization-defined privileged commands</label>
-            </param>
-            <param id="ac-6.3_prm_2">
-               <label>organization-defined compelling operational needs</label>
-            </param>
-            <prop name="label">AC-6(3)</prop>
-            <prop name="sort-id">ac-06.03</prop>
-            <part id="ac-6.3_smt" name="statement">
-               <p>The organization authorizes network access to <insert param-id="ac-6.3_prm_1"/>
-                  only for <insert param-id="ac-6.3_prm_2"/> and documents the rationale for such
-                  access in the security plan for the information system.</p>
-            </part>
-            <part id="ac-6.3_gdn" name="guidance">
-               <p>Network access is any access across a network connection in lieu of local access
-                  (i.e., user being physically present at the device).</p>
-               <link rel="related" href="#ac-17">AC-17</link>
-            </part>
-            <part id="ac-6.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-6.3_obj.1" name="objective">
-                  <prop name="label">AC-6(3)[1]</prop>
-                  <p>defines privileged commands to which network access is to be authorized only
-                     for compelling operational needs;</p>
-               </part>
-               <part id="ac-6.3_obj.2" name="objective">
-                  <prop name="label">AC-6(3)[2]</prop>
-                  <p>defines compelling operational needs for which network access to
-                     organization-defined privileged commands are to be solely authorized;</p>
-               </part>
-               <part id="ac-6.3_obj.3" name="objective">
-                  <prop name="label">AC-6(3)[3]</prop>
-                  <p>authorizes network access to organization-defined privileged commands only for
-                     organization-defined compelling operational needs; and</p>
-               </part>
-               <part id="ac-6.3_obj.4" name="objective">
-                  <prop name="label">AC-6(3)[4]</prop>
-                  <p>documents the rationale for authorized network access to organization-defined
-                     privileged commands in the security plan for the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of operational needs for authorizing network access to privileged
-                     commands</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.4">
-            <title>Separate Processing Domains</title>
-            <prop name="label">AC-6(4)</prop>
-            <prop name="sort-id">ac-06.04</prop>
-            <part id="ac-6.4_smt" name="statement">
-               <p>The information system provides separate processing domains to enable
-                  finer-grained allocation of user privileges.</p>
-            </part>
-            <part id="ac-6.4_gdn" name="guidance">
-               <p>Providing separate processing domains for finer-grained allocation of user
-                  privileges includes, for example: (i) using virtualization techniques to allow
-                  additional privileges within a virtual machine while restricting privileges to
-                  other virtual machines or to the underlying actual machine; (ii) employing
-                  hardware and/or software domain separation mechanisms; and (iii) implementing
-                  separate physical domains.</p>
-               <link rel="related" href="#ac-4">AC-4</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-               <link rel="related" href="#sc-30">SC-30</link>
-               <link rel="related" href="#sc-32">SC-32</link>
-            </part>
-            <part id="ac-6.4_obj" name="objective">
-               <p>Determine if the information system provides separate processing domains to enable
-                  finer-grained allocation of user privileges.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.5">
-            <title>Privileged Accounts</title>
-            <param id="ac-6.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">AC-6(5)</prop>
-            <prop name="sort-id">ac-06.05</prop>
-            <part id="ac-6.5_smt" name="statement">
-               <p>The organization restricts privileged accounts on the information system to
-                     <insert param-id="ac-6.5_prm_1"/>.</p>
-            </part>
-            <part id="ac-6.5_gdn" name="guidance">
-               <p>Privileged accounts, including super user accounts, are typically described as
-                  system administrator for various types of commercial off-the-shelf operating
-                  systems. Restricting privileged accounts to specific personnel or roles prevents
-                  day-to-day users from having access to privileged information/functions.
-                  Organizations may differentiate in the application of this control enhancement
-                  between allowed privileges for local accounts and for domain accounts provided
-                  organizations retain the ability to control information system configurations for
-                  key security parameters and as otherwise necessary to sufficiently mitigate
-                  risk.</p>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="ac-6.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-6.5_obj.1" name="objective">
-                  <prop name="label">AC-6(5)[1]</prop>
-                  <p>defines personnel or roles for which privileged accounts on the information
-                     system are to be restricted; and</p>
-               </part>
-               <part id="ac-6.5_obj.2" name="objective">
-                  <prop name="label">AC-6(5)[2]</prop>
-                  <p>restricts privileged accounts on the information system to organization-defined
-                     personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated privileged accounts</p>
-                  <p>list of system administration personnel</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.6">
-            <title>Privileged Access by Non-organizational Users</title>
-            <prop name="label">AC-6(6)</prop>
-            <prop name="sort-id">ac-06.06</prop>
-            <part id="ac-6.6_smt" name="statement">
-               <p>The organization prohibits privileged access to the information system by
-                  non-organizational users.</p>
-            </part>
-            <part id="ac-6.6_gdn" name="guidance">
-               <link rel="related" href="#ia-8">IA-8</link>
-            </part>
-            <part id="ac-6.6_obj" name="objective">
-               <p>Determine if the organization prohibits privileged access to the information
-                  system by non-organizational users. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated privileged accounts</p>
-                  <p>list of non-organizational users</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms prohibiting privileged access to the information
-                     system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.7">
-            <title>Review of User Privileges</title>
-            <param id="ac-6.7_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="ac-6.7_prm_2">
-               <label>organization-defined roles or classes of users</label>
-            </param>
-            <prop name="label">AC-6(7)</prop>
-            <prop name="sort-id">ac-06.07</prop>
-            <part id="ac-6.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-6.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Reviews <insert param-id="ac-6.7_prm_1"/> the privileges assigned to <insert param-id="ac-6.7_prm_2"/> to validate the need for such privileges; and</p>
-               </part>
-               <part id="ac-6.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reassigns or removes privileges, if necessary, to correctly reflect
-                     organizational mission/business needs.</p>
-               </part>
-            </part>
-            <part id="ac-6.7_gdn" name="guidance">
-               <p>The need for certain assigned user privileges may change over time reflecting
-                  changes in organizational missions/business function, environments of operation,
-                  technologies, or threat. Periodic review of assigned user privileges is necessary
-                  to determine if the rationale for assigning such privileges remains valid. If the
-                  need cannot be revalidated, organizations take appropriate corrective actions.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="ac-6.7_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-6.7.a_obj" name="objective">
-                  <prop name="label">AC-6(7)(a)</prop>
-                  <part id="ac-6.7.a_obj.1" name="objective">
-                     <prop name="label">AC-6(7)(a)[1]</prop>
-                     <p>defines roles or classes of users to which privileges are assigned;</p>
-                  </part>
-                  <part id="ac-6.7.a_obj.2" name="objective">
-                     <prop name="label">AC-6(7)(a)[2]</prop>
-                     <p>defines the frequency to review the privileges assigned to
-                        organization-defined roles or classes of users to validate the need for such
-                        privileges;</p>
-                  </part>
-                  <part id="ac-6.7.a_obj.3" name="objective">
-                     <prop name="label">AC-6(7)(a)[3]</prop>
-                     <p>reviews the privileges assigned to organization-defined roles or classes of
-                        users with the organization-defined frequency to validate the need for such
-                        privileges; and</p>
-                  </part>
-                  <link rel="corresp" href="#ac-6.7_smt.a">AC-6(7)(a)</link>
-               </part>
-               <part id="ac-6.7.b_obj" name="objective">
-                  <prop name="label">AC-6(7)(b)</prop>
-                  <p>reassigns or removes privileges, if necessary, to correctly reflect
-                     organizational missions/business needs.</p>
-                  <link rel="corresp" href="#ac-6.7_smt.b">AC-6(7)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of system-generated roles or classes of users and assigned privileges</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>validation reviews of privileges assigned to roles or classes or users</p>
-                  <p>records of privilege removals or reassignments for roles or classes of
-                     users</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reviewing least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing review of user privileges</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.8">
-            <title>Privilege Levels for Code Execution</title>
-            <param id="ac-6.8_prm_1">
-               <label>organization-defined software</label>
-            </param>
-            <prop name="label">AC-6(8)</prop>
-            <prop name="sort-id">ac-06.08</prop>
-            <part id="ac-6.8_smt" name="statement">
-               <p>The information system prevents <insert param-id="ac-6.8_prm_1"/> from executing
-                  at higher privilege levels than users executing the software.</p>
-            </part>
-            <part id="ac-6.8_gdn" name="guidance">
-               <p>In certain situations, software applications/programs need to execute with
-                  elevated privileges to perform required functions. However, if the privileges
-                  required for execution are at a higher level than the privileges assigned to
-                  organizational users invoking such applications/programs, those users are
-                  indirectly provided with greater privileges than assigned by organizations.</p>
-            </part>
-            <part id="ac-6.8_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-6.8_obj.1" name="objective">
-                  <prop name="label">AC-6(8)[1]</prop>
-                  <p>the organization defines software that should not execute at higher privilege
-                     levels than users executing the software; and</p>
-               </part>
-               <part id="ac-6.8_obj.2" name="objective">
-                  <prop name="label">AC-6(8)[2]</prop>
-                  <p>the information system prevents organization-defined software from executing at
-                     higher privilege levels than users executing the software.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>list of software that should not execute at higher privilege levels than users
-                     executing software</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions for software
-                     execution</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.9">
-            <title>Auditing Use of Privileged Functions</title>
-            <prop name="label">AC-6(9)</prop>
-            <prop name="sort-id">ac-06.09</prop>
-            <part id="ac-6.9_smt" name="statement">
-               <p>The information system audits the execution of privileged functions.</p>
-            </part>
-            <part id="ac-6.9_gdn" name="guidance">
-               <p>Misuse of privileged functions, either intentionally or unintentionally by
-                  authorized users, or by unauthorized external entities that have compromised
-                  information system accounts, is a serious and ongoing concern and can have
-                  significant adverse impacts on organizations. Auditing the use of privileged
-                  functions is one way to detect such misuse, and in doing so, help mitigate the
-                  risk from insider threats and the advanced persistent threat (APT).</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ac-6.9_obj" name="objective">
-               <p>Determine if the information system audits the execution of privileged functions.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of privileged functions to be audited</p>
-                  <p>list of audited events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reviewing least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms auditing the execution of least privilege functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.10">
-            <title>Prohibit Non-privileged Users from Executing Privileged Functions</title>
-            <prop name="label">AC-6(10)</prop>
-            <prop name="sort-id">ac-06.10</prop>
-            <part id="ac-6.10_smt" name="statement">
-               <p>The information system prevents non-privileged users from executing privileged
-                  functions to include disabling, circumventing, or altering implemented security
-                  safeguards/countermeasures.</p>
-            </part>
-            <part id="ac-6.10_gdn" name="guidance">
-               <p>Privileged functions include, for example, establishing information system
-                  accounts, performing system integrity checks, or administering cryptographic key
-                  management activities. Non-privileged users are individuals that do not possess
-                  appropriate authorizations. Circumventing intrusion detection and prevention
-                  mechanisms or malicious code protection mechanisms are examples of privileged
-                  functions that require protection from non-privileged users.</p>
-            </part>
-            <part id="ac-6.10_obj" name="objective">
-               <p>Determine if the information system prevents non-privileged users from executing
-                  privileged functions to include:</p>
-               <part id="ac-6.10_obj.1" name="objective">
-                  <prop name="label">AC-6(10)[1]</prop>
-                  <p>disabling implemented security safeguards/countermeasures;</p>
-               </part>
-               <part id="ac-6.10_obj.2" name="objective">
-                  <prop name="label">AC-6(10)[2]</prop>
-                  <p>circumventing security safeguards/countermeasures; or</p>
-               </part>
-               <part id="ac-6.10_obj.3" name="objective">
-                  <prop name="label">AC-6(10)[3]</prop>
-                  <p>altering implemented security safeguards/countermeasures.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing least privilege</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of privileged functions and associated user account assignments</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining least privileges
-                     necessary to accomplish specified tasks</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing least privilege functions for non-privileged
-                     users</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-7">
-         <title>Unsuccessful Logon Attempts</title>
-         <param id="ac-7_prm_1">
-            <label>organization-defined number</label>
-         </param>
-         <param id="ac-7_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ac-7_prm_3">
-            <select>
-               <choice>locks the account/node for an <insert param-id="ac-7_prm_4"/>
-               </choice>
-               <choice>locks the account/node until released by an administrator</choice>
-               <choice>delays next logon prompt according to <insert param-id="ac-7_prm_5"/>
-               </choice>
-            </select>
-         </param>
-         <param id="ac-7_prm_4" depends-on="ac-7_prm_3">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ac-7_prm_5" depends-on="ac-7_prm_3">
-            <label>organization-defined delay algorithm</label>
-         </param>
-         <prop name="label">AC-7</prop>
-         <prop name="sort-id">ac-07</prop>
-         <part id="ac-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces a limit of <insert param-id="ac-7_prm_1"/> consecutive invalid logon
-                  attempts by a user during a <insert param-id="ac-7_prm_2"/>; and</p>
-            </part>
-            <part id="ac-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Automatically <insert param-id="ac-7_prm_3"/> when the maximum number of
-                  unsuccessful attempts is exceeded.</p>
-            </part>
-         </part>
-         <part id="ac-7_gdn" name="guidance">
-            <p>This control applies regardless of whether the logon occurs via a local or network
-               connection. Due to the potential for denial of service, automatic lockouts initiated
-               by information systems are usually temporary and automatically release after a
-               predetermined time period established by organizations. If a delay algorithm is
-               selected, organizations may choose to employ different algorithms for different
-               information system components based on the capabilities of those components.
-               Responses to unsuccessful logon attempts may be implemented at both the operating
-               system and the application levels.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-         </part>
-         <part id="ac-7_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="ac-7.a_obj" name="objective">
-               <prop name="label">AC-7(a)</prop>
-               <part id="ac-7.a_obj.1" name="objective">
-                  <prop name="label">AC-7(a)[1]</prop>
-                  <p>the organization defines the number of consecutive invalid logon attempts
-                     allowed to the information system by a user during an organization-defined time
-                     period;</p>
-               </part>
-               <part id="ac-7.a_obj.2" name="objective">
-                  <prop name="label">AC-7(a)[2]</prop>
-                  <p>the organization defines the time period allowed by a user of the information
-                     system for an organization-defined number of consecutive invalid logon
-                     attempts;</p>
-               </part>
-               <part id="ac-7.a_obj.3" name="objective">
-                  <prop name="label">AC-7(a)[3]</prop>
-                  <p>the information system enforces a limit of organization-defined number of
-                     consecutive invalid logon attempts by a user during an organization-defined
-                     time period;</p>
-               </part>
-            </part>
-            <part id="ac-7.b_obj" name="objective">
-               <prop name="label">AC-7(b)</prop>
-               <part id="ac-7.b_obj.1" name="objective">
-                  <prop name="label">AC-7(b)[1]</prop>
-                  <p>the organization defines account/node lockout time period or logon delay
-                     algorithm to be automatically enforced by the information system when the
-                     maximum number of unsuccessful logon attempts is exceeded;</p>
-               </part>
-               <part id="ac-7.b_obj.2" name="objective">
-                  <prop name="label">AC-7(b)[2]</prop>
-                  <p>the information system, when the maximum number of unsuccessful logon attempts
-                     is exceeded, automatically:</p>
-                  <part id="ac-7.b_obj.2.a" name="objective">
-                     <prop name="label">AC-7(b)[2][a]</prop>
-                     <p>locks the account/node for the organization-defined time period;</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.b" name="objective">
-                     <prop name="label">AC-7(b)[2][b]</prop>
-                     <p>locks the account/node until released by an administrator; or</p>
-                  </part>
-                  <part id="ac-7.b_obj.2.c" name="objective">
-                     <prop name="label">AC-7(b)[2][c]</prop>
-                     <p>delays next logon prompt according to the organization-defined delay
-                        algorithm.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing unsuccessful logon attempts</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for unsuccessful logon
-                  attempts</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-7.1">
-            <title>Automatic Account Lock</title>
-            <prop name="label">AC-7(1)</prop>
-            <prop name="sort-id">ac-07.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-7">AC-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-7.2">
-            <title>Purge / Wipe Mobile Device</title>
-            <param id="ac-7.2_prm_1">
-               <label>organization-defined mobile devices</label>
-            </param>
-            <param id="ac-7.2_prm_2">
-               <label>organization-defined purging/wiping requirements/techniques</label>
-            </param>
-            <param id="ac-7.2_prm_3">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">AC-7(2)</prop>
-            <prop name="sort-id">ac-07.02</prop>
-            <part id="ac-7.2_smt" name="statement">
-               <p>The information system purges/wipes information from <insert param-id="ac-7.2_prm_1"/> based on <insert param-id="ac-7.2_prm_2"/> after
-                     <insert param-id="ac-7.2_prm_3"/> consecutive, unsuccessful device logon
-                  attempts.</p>
-            </part>
-            <part id="ac-7.2_gdn" name="guidance">
-               <p>This control enhancement applies only to mobile devices for which a logon occurs
-                  (e.g., personal digital assistants, smart phones, tablets). The logon is to the
-                  mobile device, not to any one account on the device. Therefore, successful logons
-                  to any accounts on mobile devices reset the unsuccessful logon count to zero.
-                  Organizations define information to be purged/wiped carefully in order to avoid
-                  over purging/wiping which may result in devices becoming unusable. Purging/wiping
-                  may be unnecessary if the information on the device is protected with sufficiently
-                  strong encryption mechanisms.</p>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#mp-5">MP-5</link>
-               <link rel="related" href="#mp-6">MP-6</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ac-7.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-7.2_obj.1" name="objective">
-                  <prop name="label">AC-7(2)[1]</prop>
-                  <p>the organization defines mobile devices to be purged/wiped after
-                     organization-defined number of consecutive, unsuccessful device logon
-                     attempts;</p>
-               </part>
-               <part id="ac-7.2_obj.2" name="objective">
-                  <prop name="label">AC-7(2)[2]</prop>
-                  <p>the organization defines purging/wiping requirements/techniques to be used when
-                     organization-defined mobile devices are purged/wiped after organization-defined
-                     number of consecutive, unsuccessful device logon attempts;</p>
-               </part>
-               <part id="ac-7.2_obj.3" name="objective">
-                  <prop name="label">AC-7(2)[3]</prop>
-                  <p>the organization defines the number of consecutive, unsuccessful logon attempts
-                     allowed for accessing mobile devices before the information system purges/wipes
-                     information from such devices; and</p>
-               </part>
-               <part id="ac-7.2_obj.4" name="objective">
-                  <prop name="label">AC-7(2)[4]</prop>
-                  <p>the information system purges/wipes information from organization-defined
-                     mobile devices based on organization-defined purging/wiping
-                     requirements/techniques after organization-defined number of consecutive,
-                     unsuccessful logon attempts.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing unsuccessful login attempts on mobile devices</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of mobile devices to be purged/wiped after organization-defined
-                     consecutive, unsuccessful device logon attempts</p>
-                  <p>list of purging/wiping requirements or techniques for mobile devices</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access control policy for unsuccessful device
-                     logon attempts</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-8">
-         <title>System Use Notification</title>
-         <param id="ac-8_prm_1">
-            <label>organization-defined system use notification message or banner</label>
-         </param>
-         <param id="ac-8_prm_2">
-            <label>organization-defined conditions</label>
-         </param>
-         <prop name="label">AC-8</prop>
-         <prop name="sort-id">ac-08</prop>
-         <part id="ac-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Displays to users <insert param-id="ac-8_prm_1"/> before granting access to the
-                  system that provides privacy and security notices consistent with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance and states that:</p>
-               <part id="ac-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Users are accessing a U.S. Government information system;</p>
-               </part>
-               <part id="ac-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Information system usage may be monitored, recorded, and subject to audit;</p>
-               </part>
-               <part id="ac-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Unauthorized use of the information system is prohibited and subject to
-                     criminal and civil penalties; and</p>
-               </part>
-               <part id="ac-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Use of the information system indicates consent to monitoring and
-                     recording;</p>
-               </part>
-            </part>
-            <part id="ac-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains the notification message or banner on the screen until users acknowledge
-                  the usage conditions and take explicit actions to log on to or further access the
-                  information system; and</p>
-            </part>
-            <part id="ac-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>For publicly accessible systems:</p>
-               <part id="ac-8_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Displays system use information <insert param-id="ac-8_prm_2"/>, before
-                     granting further access;</p>
-               </part>
-               <part id="ac-8_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Displays references, if any, to monitoring, recording, or auditing that are
-                     consistent with privacy accommodations for such systems that generally prohibit
-                     those activities; and</p>
-               </part>
-               <part id="ac-8_smt.c.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Includes a description of the authorized uses of the system.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ac-8_gdn" name="guidance">
-            <p>System use notifications can be implemented using messages or warning banners
-               displayed before individuals log in to information systems. System use notifications
-               are used only for access via logon interfaces with human users and are not required
-               when such human interfaces do not exist. Organizations consider system use
-               notification messages/banners displayed in multiple languages based on specific
-               organizational needs and the demographics of information system users. Organizations
-               also consult with the Office of the General Counsel for legal review and approval of
-               warning banner content.</p>
-         </part>
-         <part id="ac-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-8.a_obj" name="objective">
-               <prop name="label">AC-8(a)</prop>
-               <part id="ac-8.a_obj.1" name="objective">
-                  <prop name="label">AC-8(a)[1]</prop>
-                  <p>the organization defines a system use notification message or banner to be
-                     displayed by the information system to users before granting access to the
-                     system;</p>
-               </part>
-               <part id="ac-8.a_obj.2" name="objective">
-                  <prop name="label">AC-8(a)[2]</prop>
-                  <p>the information system displays to users the organization-defined system use
-                     notification message or banner before granting access to the information system
-                     that provides privacy and security notices consistent with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance, and states that:</p>
-                  <part id="ac-8.a.1_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](1)</prop>
-                     <p>users are accessing a U.S. Government information system;</p>
-                  </part>
-                  <part id="ac-8.a.2_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](2)</prop>
-                     <p>information system usage may be monitored, recorded, and subject to
-                        audit;</p>
-                  </part>
-                  <part id="ac-8.a.3_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](3)</prop>
-                     <p>unauthorized use of the information system is prohibited and subject to
-                        criminal and civil penalties;</p>
-                  </part>
-                  <part id="ac-8.a.4_obj.2" name="objective">
-                     <prop name="label">AC-8(a)[2](4)</prop>
-                     <p>use of the information system indicates consent to monitoring and
-                        recording;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-8.b_obj" name="objective">
-               <prop name="label">AC-8(b)</prop>
-               <p>the information system retains the notification message or banner on the screen
-                  until users acknowledge the usage conditions and take explicit actions to log on
-                  to or further access the information system;</p>
-            </part>
-            <part id="ac-8.c_obj" name="objective">
-               <prop name="label">AC-8(c)</prop>
-               <p>for publicly accessible systems:</p>
-               <part id="ac-8.c.1_obj" name="objective">
-                  <prop name="label">AC-8(c)(1)</prop>
-                  <part id="ac-8.c.1_obj.1" name="objective">
-                     <prop name="label">AC-8(c)(1)[1]</prop>
-                     <p>the organization defines conditions for system use to be displayed by the
-                        information system before granting further access;</p>
-                  </part>
-                  <part id="ac-8.c.1_obj.2" name="objective">
-                     <prop name="label">AC-8(c)(1)[2]</prop>
-                     <p>the information system displays organization-defined conditions before
-                        granting further access;</p>
-                  </part>
-               </part>
-               <part id="ac-8.c.2_obj" name="objective">
-                  <prop name="label">AC-8(c)(2)</prop>
-                  <p>the information system displays references, if any, to monitoring, recording,
-                     or auditing that are consistent with privacy accommodations for such systems
-                     that generally prohibit those activities; and</p>
-               </part>
-               <part id="ac-8.c.3_obj" name="objective">
-                  <prop name="label">AC-8(c)(3)</prop>
-                  <p>the information system includes a description of the authorized uses of the
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>privacy and security policies, procedures addressing system use notification</p>
-               <p>documented approval of information system use notification messages or banners</p>
-               <p>information system audit records</p>
-               <p>user acknowledgements of notification message or banner</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system use notification messages</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for providing legal advice</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing system use notification</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-9">
-         <title>Previous Logon (access) Notification</title>
-         <prop name="label">AC-9</prop>
-         <prop name="sort-id">ac-09</prop>
-         <part id="ac-9_smt" name="statement">
-            <p>The information system notifies the user, upon successful logon (access) to the
-               system, of the date and time of the last logon (access).</p>
-         </part>
-         <part id="ac-9_gdn" name="guidance">
-            <p>This control is applicable to logons to information systems via human user interfaces
-               and logons to systems that occur in other types of architectures (e.g.,
-               service-oriented architectures).</p>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="ac-9_obj" name="objective">
-            <p>Determine if the information system notifies the user, upon successful logon (access)
-               to the system, of the date and time of the last logon (access).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing previous logon notification</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system notification messages</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for previous logon
-                  notification</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-9.1">
-            <title>Unsuccessful Logons</title>
-            <prop name="label">AC-9(1)</prop>
-            <prop name="sort-id">ac-09.01</prop>
-            <part id="ac-9.1_smt" name="statement">
-               <p>The information system notifies the user, upon successful logon/access, of the
-                  number of unsuccessful logon/access attempts since the last successful
-                  logon/access.</p>
-            </part>
-            <part id="ac-9.1_obj" name="objective">
-               <p>Determine if the information system notifies the user, upon successful
-                  logon/access, of the number of unsuccessful logon/access attempts since the last
-                  successful logon/access. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing previous logon notification</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access control policy for previous logon
-                     notification</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-9.2">
-            <title>Successful / Unsuccessful Logons</title>
-            <param id="ac-9.2_prm_1">
-               <select>
-                  <choice>successful logons/accesses</choice>
-                  <choice>unsuccessful logon/access attempts</choice>
-                  <choice>both</choice>
-               </select>
-            </param>
-            <param id="ac-9.2_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">AC-9(2)</prop>
-            <prop name="sort-id">ac-09.02</prop>
-            <part id="ac-9.2_smt" name="statement">
-               <p>The information system notifies the user of the number of <insert param-id="ac-9.2_prm_1"/> during <insert param-id="ac-9.2_prm_2"/>.</p>
-            </part>
-            <part id="ac-9.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-9.2_obj.1" name="objective">
-                  <prop name="label">AC-9(2)[1]</prop>
-                  <p>the organization defines the time period within which the information system
-                     must notify the user of the number of:</p>
-                  <part id="ac-9.2_obj.1.a" name="objective">
-                     <prop name="label">AC-9(2)[1][a]</prop>
-                     <p>successful logons/accesses; and/or</p>
-                  </part>
-                  <part id="ac-9.2_obj.1.b" name="objective">
-                     <prop name="label">AC-9(2)[1][b]</prop>
-                     <p>unsuccessful logon/access attempts;</p>
-                  </part>
-               </part>
-               <part id="ac-9.2_obj.2" name="objective">
-                  <prop name="label">AC-9(2)[2]</prop>
-                  <p>the information system, during the organization-defined time period, notifies
-                     the user of the number of:</p>
-                  <part id="ac-9.2_obj.2.a" name="objective">
-                     <prop name="label">AC-9(2)[2][a]</prop>
-                     <p>successful logons/accesses; and/or</p>
-                  </part>
-                  <part id="ac-9.2_obj.2.b" name="objective">
-                     <prop name="label">AC-9(2)[2][b]</prop>
-                     <p>unsuccessful logon/access attempts.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing previous logon notification</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access control policy for previous logon
-                     notification</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-9.3">
-            <title>Notification of Account Changes</title>
-            <param id="ac-9.3_prm_1">
-               <label>organization-defined security-related characteristics/parameters of the user’s
-                  account</label>
-            </param>
-            <param id="ac-9.3_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">AC-9(3)</prop>
-            <prop name="sort-id">ac-09.03</prop>
-            <part id="ac-9.3_smt" name="statement">
-               <p>The information system notifies the user of changes to <insert param-id="ac-9.3_prm_1"/> during <insert param-id="ac-9.3_prm_2"/>.</p>
-            </part>
-            <part id="ac-9.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-9.3_obj.1" name="objective">
-                  <prop name="label">AC-9(3)[1]</prop>
-                  <p>the organization defines security-related characteristics/parameters of a
-                     user’s account;</p>
-               </part>
-               <part id="ac-9.3_obj.2" name="objective">
-                  <prop name="label">AC-9(3)[2]</prop>
-                  <p>the organization defines the time period within which changes to
-                     organization-defined security-related characteristics/parameters of a user’s
-                     account must occur; and</p>
-               </part>
-               <part id="ac-9.3_obj.3" name="objective">
-                  <prop name="label">AC-9(3)[3]</prop>
-                  <p>the information system notifies the user of changes to organization-defined
-                     security-related characteristics/parameters of the user’s account during the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing previous logon notification</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access control policy for previous logon
-                     notification</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-9.4">
-            <title>Additional Logon Information</title>
-            <param id="ac-9.4_prm_1">
-               <label>organization-defined information to be included in addition to the date and
-                  time of the last logon (access)</label>
-            </param>
-            <prop name="label">AC-9(4)</prop>
-            <prop name="sort-id">ac-09.04</prop>
-            <part id="ac-9.4_smt" name="statement">
-               <p>The information system notifies the user, upon successful logon (access), of the
-                  following additional information: <insert param-id="ac-9.4_prm_1"/>.</p>
-            </part>
-            <part id="ac-9.4_gdn" name="guidance">
-               <p>This control enhancement permits organizations to specify additional information
-                  to be provided to users upon logon including, for example, the location of last
-                  logon. User location is defined as that information which can be determined by
-                  information systems, for example, IP addresses from which network logons occurred,
-                  device identifiers, or notifications of local logons.</p>
-            </part>
-            <part id="ac-9.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-9.4_obj.1" name="objective">
-                  <prop name="label">AC-9(4)[1]</prop>
-                  <p>the organization defines information to be included in addition to the date and
-                     time of the last logon (access); and</p>
-               </part>
-               <part id="ac-9.4_obj.2" name="objective">
-                  <prop name="label">AC-9(4)[2]</prop>
-                  <p>the information system notifies the user, upon successful logon (access), of
-                     the organization-defined information to be included in addition to the date and
-                     time of the last logon (access).</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing previous logon notification</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access control policy for previous logon
-                     notification</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-10">
-         <title>Concurrent Session Control</title>
-         <param id="ac-10_prm_1">
-            <label>organization-defined account and/or account type</label>
-         </param>
-         <param id="ac-10_prm_2">
-            <label>organization-defined number</label>
-         </param>
-         <prop name="label">AC-10</prop>
-         <prop name="sort-id">ac-10</prop>
-         <part id="ac-10_smt" name="statement">
-            <p>The information system limits the number of concurrent sessions for each <insert param-id="ac-10_prm_1"/> to <insert param-id="ac-10_prm_2"/>.</p>
-         </part>
-         <part id="ac-10_gdn" name="guidance">
-            <p>Organizations may define the maximum number of concurrent sessions for information
-               system accounts globally, by account type (e.g., privileged user, non-privileged
-               user, domain, specific application), by account, or a combination. For example,
-               organizations may limit the number of concurrent sessions for system administrators
-               or individuals working in particularly sensitive domains or mission-critical
-               applications. This control addresses concurrent sessions for information system
-               accounts and does not address concurrent sessions by single users via multiple system
-               accounts.</p>
-         </part>
-         <part id="ac-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-10_obj.1" name="objective">
-               <prop name="label">AC-10[1]</prop>
-               <p>the organization defines account and/or account types for the information
-                  system;</p>
-            </part>
-            <part id="ac-10_obj.2" name="objective">
-               <prop name="label">AC-10[2]</prop>
-               <p>the organization defines the number of concurrent sessions to be allowed for each
-                  organization-defined account and/or account type; and</p>
-            </part>
-            <part id="ac-10_obj.3" name="objective">
-               <prop name="label">AC-10[3]</prop>
-               <p>the information system limits the number of concurrent sessions for each
-                  organization-defined account and/or account type to the organization-defined
-                  number of concurrent sessions allowed.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing concurrent session control</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for concurrent session
-                  control</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-11">
-         <title>Session Lock</title>
-         <param id="ac-11_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">AC-11</prop>
-         <prop name="sort-id">ac-11</prop>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <part id="ac-11_smt" name="statement">
-            <p>The information system:</p>
-            <part id="ac-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prevents further access to the system by initiating a session lock after <insert param-id="ac-11_prm_1"/> of inactivity or upon receiving a request from a user;
-                  and</p>
-            </part>
-            <part id="ac-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains the session lock until the user reestablishes access using established
-                  identification and authentication procedures.</p>
-            </part>
-         </part>
-         <part id="ac-11_gdn" name="guidance">
-            <p>Session locks are temporary actions taken when users stop work and move away from the
-               immediate vicinity of information systems but do not want to log out because of the
-               temporary nature of their absences. Session locks are implemented where session
-               activities can be determined. This is typically at the operating system level, but
-               can also be at the application level. Session locks are not an acceptable substitute
-               for logging out of information systems, for example, if organizations require users
-               to log out at the end of workdays.</p>
-            <link rel="related" href="#ac-7">AC-7</link>
-         </part>
-         <part id="ac-11_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-11.a_obj" name="objective">
-               <prop name="label">AC-11(a)</prop>
-               <part id="ac-11.a_obj.1" name="objective">
-                  <prop name="label">AC-11(a)[1]</prop>
-                  <p>the organization defines the time period of user inactivity after which the
-                     information system initiates a session lock;</p>
-               </part>
-               <part id="ac-11.a_obj.2" name="objective">
-                  <prop name="label">AC-11(a)[2]</prop>
-                  <p>the information system prevents further access to the system by initiating a
-                     session lock after organization-defined time period of user inactivity or upon
-                     receiving a request from a user; and</p>
-               </part>
-            </part>
-            <part id="ac-11.b_obj" name="objective">
-               <prop name="label">AC-11(b)</prop>
-               <p>the information system retains the session lock until the user reestablishes
-                  access using established identification and authentication procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing session lock</p>
-               <p>procedures addressing identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access control policy for session lock</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-11.1">
-            <title>Pattern-hiding Displays</title>
-            <prop name="label">AC-11(1)</prop>
-            <prop name="sort-id">ac-11.01</prop>
-            <part id="ac-11.1_smt" name="statement">
-               <p>The information system conceals, via the session lock, information previously
-                  visible on the display with a publicly viewable image.</p>
-            </part>
-            <part id="ac-11.1_gdn" name="guidance">
-               <p>Publicly viewable images can include static or dynamic images, for example,
-                  patterns used with screen savers, photographic images, solid colors, clock,
-                  battery life indicator, or a blank screen, with the additional caveat that none of
-                  the images convey sensitive information.</p>
-            </part>
-            <part id="ac-11.1_obj" name="objective">
-               <p>Determine if the information system conceals, via the session lock, information
-                  previously visible on the display with a publicly viewable image.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing session lock</p>
-                  <p>display screen with session lock activated</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system session lock mechanisms</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-12">
-         <title>Session Termination</title>
-         <param id="ac-12_prm_1">
-            <label>organization-defined conditions or trigger events requiring session
-               disconnect</label>
-         </param>
-         <prop name="label">AC-12</prop>
-         <prop name="sort-id">ac-12</prop>
-         <part id="ac-12_smt" name="statement">
-            <p>The information system automatically terminates a user session after <insert param-id="ac-12_prm_1"/>.</p>
-         </part>
-         <part id="ac-12_gdn" name="guidance">
-            <p>This control addresses the termination of user-initiated logical sessions in contrast
-               to SC-10 which addresses the termination of network connections that are associated
-               with communications sessions (i.e., network disconnect). A logical session (for
-               local, network, and remote access) is initiated whenever a user (or process acting on
-               behalf of a user) accesses an organizational information system. Such user sessions
-               can be terminated (and thus terminate user access) without terminating network
-               sessions. Session termination terminates all processes associated with a user’s
-               logical session except those processes that are specifically created by the user
-               (i.e., session owner) to continue after the session is terminated. Conditions or
-               trigger events requiring automatic session termination can include, for example,
-               organization-defined periods of user inactivity, targeted responses to certain types
-               of incidents, time-of-day restrictions on information system use.</p>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-23">SC-23</link>
-         </part>
-         <part id="ac-12_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-12_obj.1" name="objective">
-               <prop name="label">AC-12[1]</prop>
-               <p>the organization defines conditions or trigger events requiring session
-                  disconnect; and</p>
-            </part>
-            <part id="ac-12_obj.2" name="objective">
-               <prop name="label">AC-12[2]</prop>
-               <p>the information system automatically terminates a user session after
-                  organization-defined conditions or trigger events requiring session disconnect
-                  occurs.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing session termination</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of conditions or trigger events requiring session disconnect</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing user session termination</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-12.1">
-            <title>User-initiated Logouts / Message Displays</title>
-            <param id="ac-12.1_prm_1">
-               <label>organization-defined information resources</label>
-            </param>
-            <prop name="label">AC-12(1)</prop>
-            <prop name="sort-id">ac-12.01</prop>
-            <part id="ac-12.1_smt" name="statement">
-               <p>The information system:</p>
-               <part id="ac-12.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Provides a logout capability for user-initiated communications sessions
-                     whenever authentication is used to gain access to <insert param-id="ac-12.1_prm_1"/>; and</p>
-               </part>
-               <part id="ac-12.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Displays an explicit logout message to users indicating the reliable
-                     termination of authenticated communications sessions.</p>
-               </part>
-            </part>
-            <part id="ac-12.1_gdn" name="guidance">
-               <p>Information resources to which users gain access via authentication include, for
-                  example, local workstations, databases, and password-protected websites/web-based
-                  services. Logout messages for web page access, for example, can be displayed after
-                  authenticated sessions have been terminated. However, for some types of
-                  interactive sessions including, for example, file transfer protocol (FTP)
-                  sessions, information systems typically send logout messages as final messages
-                  prior to terminating sessions.</p>
-            </part>
-            <part id="ac-12.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-12.1.a_obj" name="objective">
-                  <prop name="label">AC-12(1)(a)</prop>
-                  <part id="ac-12.1.a_obj.1" name="objective">
-                     <prop name="label">AC-12(1)(a)[1]</prop>
-                     <p>the organization defines information resources for which user authentication
-                        is required to gain access to such resources;</p>
-                  </part>
-                  <part id="ac-12.1.a_obj.2" name="objective">
-                     <prop name="label">AC-12(1)(a)[2]</prop>
-                     <p>the information system provides a logout capability for user-initiated
-                        communications sessions whenever authentication is used to gain access to
-                        organization-defined information resources; and</p>
-                  </part>
-                  <link rel="corresp" href="#ac-12.1_smt.a">AC-12(1)(a)</link>
-               </part>
-               <part id="ac-12.1.b_obj" name="objective">
-                  <prop name="label">AC-12(1)(b)</prop>
-                  <p>the information system displays an explicit logout message to users indicating
-                     the reliable termination of authenticated communications sessions.</p>
-                  <link rel="corresp" href="#ac-12.1_smt.b">AC-12(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing session termination</p>
-                  <p>user logout messages</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system session lock mechanisms</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-13">
-         <title>Supervision and Review - Access Control</title>
-         <prop name="label">AC-13</prop>
-         <prop name="sort-id">ac-13</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#ac-2">AC-2</link>
-         <link rel="incorporated-into" href="#au-6">AU-6</link>
-      </control>
-      <control class="SP800-53" id="ac-14">
-         <title>Permitted Actions Without Identification or Authentication</title>
-         <param id="ac-14_prm_1">
-            <label>organization-defined user actions</label>
-         </param>
-         <prop name="label">AC-14</prop>
-         <prop name="sort-id">ac-14</prop>
-         <part id="ac-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies <insert param-id="ac-14_prm_1"/> that can be performed on the
-                  information system without identification or authentication consistent with
-                  organizational missions/business functions; and</p>
-            </part>
-            <part id="ac-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part id="ac-14_gdn" name="guidance">
-            <p>This control addresses situations in which organizations determine that no
-               identification or authentication is required in organizational information systems.
-               Organizations may allow a limited number of user actions without identification or
-               authentication including, for example, when individuals access public websites or
-               other publicly accessible federal information systems, when individuals use mobile
-               phones to receive calls, or when facsimiles are received. Organizations also identify
-               actions that normally require identification or authentication but may under certain
-               circumstances (e.g., emergencies), allow identification or authentication mechanisms
-               to be bypassed. Such bypasses may occur, for example, via a software-readable
-               physical switch that commands bypass of the logon functionality and is protected from
-               accidental or unmonitored use. This control does not apply to situations where
-               identification and authentication have already occurred and are not repeated, but
-               rather to situations where identification and authentication have not yet occurred.
-               Organizations may decide that there are no user actions that can be performed on
-               organizational information systems without identification and authentication and
-               thus, the values for assignment statements can be none.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-         </part>
-         <part id="ac-14_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-14.a_obj" name="objective">
-               <prop name="label">AC-14(a)</prop>
-               <part id="ac-14.a_obj.1" name="objective">
-                  <prop name="label">AC-14(a)[1]</prop>
-                  <p>defines user actions that can be performed on the information system without
-                     identification or authentication consistent with organizational
-                     missions/business functions;</p>
-               </part>
-               <part id="ac-14.a_obj.2" name="objective">
-                  <prop name="label">AC-14(a)[2]</prop>
-                  <p>identifies organization-defined user actions that can be performed on the
-                     information system without identification or authentication consistent with
-                     organizational missions/business functions; and</p>
-               </part>
-            </part>
-            <part id="ac-14.b_obj" name="objective">
-               <prop name="label">AC-14(b)</prop>
-               <p>documents and provides supporting rationale in the security plan for the
-                  information system, user actions not requiring identification or
-                  authentication.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing permitted actions without identification or
-                  authentication</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security plan</p>
-               <p>list of user actions that can be performed without identification or
-                  authentication</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-14.1">
-            <title>Necessary Uses</title>
-            <prop name="label">AC-14(1)</prop>
-            <prop name="sort-id">ac-14.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-14">AC-14</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-15">
-         <title>Automated Marking</title>
-         <prop name="label">AC-15</prop>
-         <prop name="sort-id">ac-15</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#mp-3">MP-3</link>
-      </control>
-      <control class="SP800-53" id="ac-16">
-         <title>Security Attributes</title>
-         <param id="ac-16_prm_1">
-            <label>organization-defined types of security attributes</label>
-         </param>
-         <param id="ac-16_prm_2">
-            <label>organization-defined security attribute values</label>
-         </param>
-         <param id="ac-16_prm_3">
-            <label>organization-defined security attributes</label>
-         </param>
-         <param id="ac-16_prm_4">
-            <label>organization-defined information systems</label>
-         </param>
-         <param id="ac-16_prm_5">
-            <label>organization-defined values or ranges</label>
-         </param>
-         <prop name="label">AC-16</prop>
-         <prop name="sort-id">ac-16</prop>
-         <part id="ac-16_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-16_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides the means to associate <insert param-id="ac-16_prm_1"/> having <insert param-id="ac-16_prm_2"/> with information in storage, in process, and/or in
-                  transmission;</p>
-            </part>
-            <part id="ac-16_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the security attribute associations are made and retained with the
-                  information;</p>
-            </part>
-            <part id="ac-16_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes the permitted <insert param-id="ac-16_prm_3"/> for <insert param-id="ac-16_prm_4"/>; and</p>
-            </part>
-            <part id="ac-16_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Determines the permitted <insert param-id="ac-16_prm_5"/> for each of the
-                  established security attributes.</p>
-            </part>
-         </part>
-         <part id="ac-16_gdn" name="guidance">
-            <p>Information is represented internally within information systems using abstractions
-               known as data structures. Internal data structures can represent different types of
-               entities, both active and passive. Active entities, also known as subjects, are
-               typically associated with individuals, devices, or processes acting on behalf of
-               individuals. Passive entities, also known as objects, are typically associated with
-               data structures such as records, buffers, tables, files, inter-process pipes, and
-               communications ports. Security attributes, a form of metadata, are abstractions
-               representing the basic properties or characteristics of active and passive entities
-               with respect to safeguarding information. These attributes may be associated with
-               active entities (i.e., subjects) that have the potential to send or receive
-               information, to cause information to flow among objects, or to change the information
-               system state. These attributes may also be associated with passive entities (i.e.,
-               objects) that contain or receive information. The association of security attributes
-               to subjects and objects is referred to as binding and is typically inclusive of
-               setting the attribute value and the attribute type. Security attributes when bound to
-               data/information, enables the enforcement of information security policies for access
-               control and information flow control, either through organizational processes or
-               information system functions or mechanisms. The content or assigned values of
-               security attributes can directly affect the ability of individuals to access
-               organizational information. Organizations can define the types of attributes needed
-               for selected information systems to support missions/business functions. There is
-               potentially a wide range of values that can be assigned to any given security
-               attribute. Release markings could include, for example, US only, NATO, or NOFORN (not
-               releasable to foreign nationals). By specifying permitted attribute ranges and
-               values, organizations can ensure that the security attribute values are meaningful
-               and relevant. The term security labeling refers to the association of security
-               attributes with subjects and objects represented by internal data structures within
-               organizational information systems, to enable information system-based enforcement of
-               information security policies. Security labels include, for example, access
-               authorizations, data life cycle protection (i.e., encryption and data expiration),
-               nationality, affiliation as contractor, and classification of information in
-               accordance with legal and compliance requirements. The term security marking refers
-               to the association of security attributes with objects in a human-readable form, to
-               enable organizational process-based enforcement of information security policies. The
-               AC-16 base control represents the requirement for user-based attribute association
-               (marking). The enhancements to AC-16 represent additional requirements including
-               information system-based attribute association (labeling). Types of attributes
-               include, for example, classification level for objects and clearance (access
-               authorization) level for subjects. An example of a value for both of these attribute
-               types is Top Secret.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-21">AC-21</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <link rel="related" href="#mp-3">MP-3</link>
-         </part>
-         <part id="ac-16_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-16.a_obj" name="objective">
-               <prop name="label">AC-16(a)</prop>
-               <part id="ac-16.a_obj.1" name="objective">
-                  <prop name="label">AC-16(a)[1]</prop>
-                  <p>defines types of security attributes to be associated with information:</p>
-                  <part id="ac-16.a_obj.1.a" name="objective">
-                     <prop name="label">AC-16(a)[1][a]</prop>
-                     <p>in storage;</p>
-                  </part>
-                  <part id="ac-16.a_obj.1.b" name="objective">
-                     <prop name="label">AC-16(a)[1][b]</prop>
-                     <p>in process; and/or</p>
-                  </part>
-                  <part id="ac-16.a_obj.1.c" name="objective">
-                     <prop name="label">AC-16(a)[1][c]</prop>
-                     <p>in transmission;</p>
-                  </part>
-               </part>
-               <part id="ac-16.a_obj.2" name="objective">
-                  <prop name="label">AC-16(a)[2]</prop>
-                  <p>defines security attribute values for organization-defined types of security
-                     attributes;</p>
-               </part>
-               <part id="ac-16.a_obj.3" name="objective">
-                  <prop name="label">AC-16(a)[3]</prop>
-                  <p>provides the means to associate organization-defined types of security
-                     attributes having organization-defined security attribute values with
-                     information:</p>
-                  <part id="ac-16.a_obj.3.a" name="objective">
-                     <prop name="label">AC-16(a)[3][a]</prop>
-                     <p>in storage;</p>
-                  </part>
-                  <part id="ac-16.a_obj.3.b" name="objective">
-                     <prop name="label">AC-16(a)[3][b]</prop>
-                     <p>in process; and/or</p>
-                  </part>
-                  <part id="ac-16.a_obj.3.c" name="objective">
-                     <prop name="label">AC-16(a)[3][c]</prop>
-                     <p>in transmission;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-16.b_obj" name="objective">
-               <prop name="label">AC-16(b)</prop>
-               <p>ensures that the security attribute associations are made and retained with the
-                  information;</p>
-            </part>
-            <part id="ac-16.c_obj" name="objective">
-               <prop name="label">AC-16(c)</prop>
-               <part id="ac-16.c_obj.1" name="objective">
-                  <prop name="label">AC-16(c)[1]</prop>
-                  <p>defines information systems for which the permitted organization-defined
-                     security attributes are to be established;</p>
-               </part>
-               <part id="ac-16.c_obj.2" name="objective">
-                  <prop name="label">AC-16(c)[2]</prop>
-                  <p>defines security attributes that are permitted for organization-defined
-                     information systems;</p>
-               </part>
-               <part id="ac-16.c_obj.3" name="objective">
-                  <prop name="label">AC-16(c)[3]</prop>
-                  <p>establishes the permitted organization-defined security attributes for
-                     organization-defined information systems;</p>
-               </part>
-            </part>
-            <part id="ac-16.d_obj" name="objective">
-               <prop name="label">AC-16(d)</prop>
-               <part id="ac-16.d_obj.1" name="objective">
-                  <prop name="label">AC-16(d)[1]</prop>
-                  <p>defines values or ranges for each of the established security attributes;
-                     and</p>
-               </part>
-               <part id="ac-16.d_obj.2" name="objective">
-                  <prop name="label">AC-16(d)[2]</prop>
-                  <p>determines the permitted organization-defined values or ranges for each of the
-                     established security attributes.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing the association of security attributes to information in
-                  storage, in process, and in transmission</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational capability supporting and maintaining the association of security
-                  attributes to information in storage, in process, and in transmission</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-16.1">
-            <title>Dynamic Attribute Association</title>
-            <param id="ac-16.1_prm_1">
-               <label>organization-defined subjects and objects</label>
-            </param>
-            <param id="ac-16.1_prm_2">
-               <label>organization-defined security policies</label>
-            </param>
-            <prop name="label">AC-16(1)</prop>
-            <prop name="sort-id">ac-16.01</prop>
-            <part id="ac-16.1_smt" name="statement">
-               <p>The information system dynamically associates security attributes with <insert param-id="ac-16.1_prm_1"/> in accordance with <insert param-id="ac-16.1_prm_2"/> as information is created and combined.</p>
-            </part>
-            <part id="ac-16.1_gdn" name="guidance">
-               <p>Dynamic association of security attributes is appropriate whenever the security
-                  characteristics of information changes over time. Security attributes may change,
-                  for example, due to information aggregation issues (i.e., the security
-                  characteristics of individual information elements are different from the combined
-                  elements), changes in individual access authorizations (i.e., privileges), and
-                  changes in the security category of information.</p>
-               <link rel="related" href="#ac-4">AC-4</link>
-            </part>
-            <part id="ac-16.1_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-16.1_obj.1" name="objective">
-                  <prop name="label">AC-16(1)[1]</prop>
-                  <p>the organization defines subjects and objects to which security attributes are
-                     to be dynamically associated as information is created and combined;</p>
-               </part>
-               <part id="ac-16.1_obj.2" name="objective">
-                  <prop name="label">AC-16(1)[2]</prop>
-                  <p>the organization defines security policies requiring the information system to
-                     dynamically associate security attributes with organization-defined subjects
-                     and objects; and</p>
-               </part>
-               <part id="ac-16.1_obj.3" name="objective">
-                  <prop name="label">AC-16(1)[3]</prop>
-                  <p>the information system dynamically associates security attributes with
-                     organization-defined subjects and objects in accordance with
-                     organization-defined security policies as information is created and
-                     combined.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing dynamic association of security attributes to
-                     information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing dynamic association of security attributes to
-                     information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.2">
-            <title>Attribute Value Changes by Authorized Individuals</title>
-            <prop name="label">AC-16(2)</prop>
-            <prop name="sort-id">ac-16.02</prop>
-            <part id="ac-16.2_smt" name="statement">
-               <p>The information system provides authorized individuals (or processes acting on
-                  behalf of individuals) the capability to define or change the value of associated
-                  security attributes.</p>
-            </part>
-            <part id="ac-16.2_gdn" name="guidance">
-               <p>The content or assigned values of security attributes can directly affect the
-                  ability of individuals to access organizational information. Therefore, it is
-                  important for information systems to be able to limit the ability to create or
-                  modify security attributes to authorized individuals.</p>
-               <link rel="related" href="#ac-6">AC-6</link>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ac-16.2_obj" name="objective">
-               <p>Determine if the information system provides authorized individuals (or processes
-                  acting on behalf on individuals) the capability to define or change the value of
-                  associated security attributes. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the change of security attribute values</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of individuals authorized to change security attributes</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for changing values of security
-                     attributes</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms permitting changes to values of security attributes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.3">
-            <title>Maintenance of Attribute Associations by Information System</title>
-            <param id="ac-16.3_prm_1">
-               <label>organization-defined security attributes</label>
-            </param>
-            <param id="ac-16.3_prm_2">
-               <label>organization-defined subjects and objects</label>
-            </param>
-            <prop name="label">AC-16(3)</prop>
-            <prop name="sort-id">ac-16.03</prop>
-            <part id="ac-16.3_smt" name="statement">
-               <p>The information system maintains the association and integrity of <insert param-id="ac-16.3_prm_1"/> to <insert param-id="ac-16.3_prm_2"/>.</p>
-            </part>
-            <part id="ac-16.3_gdn" name="guidance">
-               <p>Maintaining the association and integrity of security attributes to subjects and
-                  objects with sufficient assurance helps to ensure that the attribute associations
-                  can be used as the basis of automated policy actions. Automated policy actions
-                  include, for example, access control decisions or information flow control
-                  decisions.</p>
-            </part>
-            <part id="ac-16.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-16.3_obj.1" name="objective">
-                  <prop name="label">AC-16(3)[1]</prop>
-                  <p>the organization defines security attributes to be associated with
-                     organization-defined subjects and objects;</p>
-               </part>
-               <part id="ac-16.3_obj.2" name="objective">
-                  <prop name="label">AC-16(3)[2]</prop>
-                  <p>the organization defines subjects and objects requiring the association and
-                     integrity of security attributes to such subjects and objects to be maintained;
-                     and</p>
-               </part>
-               <part id="ac-16.3_obj.3" name="objective">
-                  <prop name="label">AC-16(3)[3]</prop>
-                  <p>the information system maintains the association and integrity of
-                     organization-defined security attributes to organization-defined subjects and
-                     objects.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the association of security attributes to information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms maintaining association and integrity of security
-                     attributes to information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.4">
-            <title>Association of Attributes by Authorized Individuals</title>
-            <param id="ac-16.4_prm_1">
-               <label>organization-defined security attributes</label>
-            </param>
-            <param id="ac-16.4_prm_2">
-               <label>organization-defined subjects and objects</label>
-            </param>
-            <prop name="label">AC-16(4)</prop>
-            <prop name="sort-id">ac-16.04</prop>
-            <part id="ac-16.4_smt" name="statement">
-               <p>The information system supports the association of <insert param-id="ac-16.4_prm_1"/> with <insert param-id="ac-16.4_prm_2"/> by
-                  authorized individuals (or processes acting on behalf of individuals).</p>
-            </part>
-            <part id="ac-16.4_gdn" name="guidance">
-               <p>The support provided by information systems can vary to include: (i) prompting
-                  users to select specific security attributes to be associated with specific
-                  information objects; (ii) employing automated mechanisms for categorizing
-                  information with appropriate attributes based on defined policies; or (iii)
-                  ensuring that the combination of selected security attributes selected is valid.
-                  Organizations consider the creation, deletion, or modification of security
-                  attributes when defining auditable events.</p>
-            </part>
-            <part id="ac-16.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-16.4_obj.1" name="objective">
-                  <prop name="label">AC-16(4)[1]</prop>
-                  <p>the organization defines security attributes to be associated with subjects and
-                     objects by authorized individuals (or processes acting on behalf of
-                     individuals);</p>
-               </part>
-               <part id="ac-16.4_obj.2" name="objective">
-                  <prop name="label">AC-16(4)[2]</prop>
-                  <p>the organization defines subjects and objects requiring the association of
-                     organization-defined security attributes by authorized individuals (or
-                     processes acting on behalf of individuals); and</p>
-               </part>
-               <part id="ac-16.4_obj.3" name="objective">
-                  <prop name="label">AC-16(4)[3]</prop>
-                  <p>the information system supports the association of organization-defined
-                     security attributes with organization-defined subjects and objects by
-                     authorized individuals (or processes acting on behalf of individuals).</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the association of security attributes to information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of users authorized to associate security attributes to information</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for associating security
-                     attributes to information</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting user associations of security attributes to
-                     information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.5">
-            <title>Attribute Displays for Output Devices</title>
-            <param id="ac-16.5_prm_1">
-               <label>organization-identified special dissemination, handling, or distribution
-                  instructions</label>
-            </param>
-            <param id="ac-16.5_prm_2">
-               <label>organization-identified human-readable, standard naming conventions</label>
-            </param>
-            <prop name="label">AC-16(5)</prop>
-            <prop name="sort-id">ac-16.05</prop>
-            <part id="ac-16.5_smt" name="statement">
-               <p>The information system displays security attributes in human-readable form on each
-                  object that the system transmits to output devices to identify <insert param-id="ac-16.5_prm_1"/> using <insert param-id="ac-16.5_prm_2"/>.</p>
-            </part>
-            <part id="ac-16.5_gdn" name="guidance">
-               <p>Information system outputs include, for example, pages, screens, or equivalent.
-                  Information system output devices include, for example, printers and video
-                  displays on computer workstations, notebook computers, and personal digital
-                  assistants.</p>
-            </part>
-            <part id="ac-16.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-16.5_obj.1" name="objective">
-                  <prop name="label">AC-16(5)[1]</prop>
-                  <p>the organization identifies special dissemination, handling, or distribution
-                     instructions to be used for each object that the information system transmits
-                     to output devices;</p>
-               </part>
-               <part id="ac-16.5_obj.2" name="objective">
-                  <prop name="label">AC-16(5)[2]</prop>
-                  <p>the organization identifies human-readable, standard naming conventions for the
-                     security attributes to be displayed in human-readable form on each object that
-                     the information system transmits to output devices; and</p>
-               </part>
-               <part id="ac-16.5_obj.3" name="objective">
-                  <prop name="label">AC-16(5)[3]</prop>
-                  <p>the information system displays security attributes in human-readable form on
-                     each object that the system transmits to output devices to identify
-                     organization-identified special dissemination, handling, or distribution
-                     instructions using organization-identified human readable, standard naming
-                     conventions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing display of security attributes in human-readable form</p>
-                  <p>special dissemination, handling, or distribution instructions</p>
-                  <p>types of human-readable, standard naming conventions</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>System output devices displaying security attributes in human-readable form on
-                     each object</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.6">
-            <title>Maintenance of Attribute Association by Organization</title>
-            <param id="ac-16.6_prm_1">
-               <label>organization-defined security attributes</label>
-            </param>
-            <param id="ac-16.6_prm_2">
-               <label>organization-defined subjects and objects</label>
-            </param>
-            <param id="ac-16.6_prm_3">
-               <label>organization-defined security policies</label>
-            </param>
-            <prop name="label">AC-16(6)</prop>
-            <prop name="sort-id">ac-16.06</prop>
-            <part id="ac-16.6_smt" name="statement">
-               <p>The organization allows personnel to associate, and maintain the association of
-                     <insert param-id="ac-16.6_prm_1"/> with <insert param-id="ac-16.6_prm_2"/> in
-                  accordance with <insert param-id="ac-16.6_prm_3"/>.</p>
-            </part>
-            <part id="ac-16.6_gdn" name="guidance">
-               <p>This control enhancement requires individual users (as opposed to the information
-                  system) to maintain associations of security attributes with subjects and
-                  objects.</p>
-            </part>
-            <part id="ac-16.6_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-16.6_obj.1" name="objective">
-                  <prop name="label">AC-16(6)[1]</prop>
-                  <p>defines security attributes to be associated with subjects and objects;</p>
-               </part>
-               <part id="ac-16.6_obj.2" name="objective">
-                  <prop name="label">AC-16(6)[2]</prop>
-                  <p>defines subjects and objects to be associated with organization-defined
-                     security attributes;</p>
-               </part>
-               <part id="ac-16.6_obj.3" name="objective">
-                  <prop name="label">AC-16(6)[3]</prop>
-                  <p>defines security policies to allow personnel to associate, and maintain the
-                     association of organization-defined security attributes with
-                     organization-defined subjects and objects; and</p>
-               </part>
-               <part id="ac-16.6_obj.4" name="objective">
-                  <prop name="label">AC-16(6)[4]</prop>
-                  <p>allows personnel to associate, and maintain the association of
-                     organization-defined security attributes with organization-defined subjects and
-                     objects in accordance with organization-defined security policies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing association of security attributes with subjects and
-                     objects</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for associating and maintaining
-                     association of security attributes with subjects and objects</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting associations of security attributes to subjects
-                     and objects</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.7">
-            <title>Consistent Attribute Interpretation</title>
-            <prop name="label">AC-16(7)</prop>
-            <prop name="sort-id">ac-16.07</prop>
-            <part id="ac-16.7_smt" name="statement">
-               <p>The organization provides a consistent interpretation of security attributes
-                  transmitted between distributed information system components.</p>
-            </part>
-            <part id="ac-16.7_gdn" name="guidance">
-               <p>In order to enforce security policies across multiple components in distributed
-                  information systems (e.g., distributed database management systems, cloud-based
-                  systems, and service-oriented architectures), organizations provide a consistent
-                  interpretation of security attributes that are used in access enforcement and flow
-                  enforcement decisions. Organizations establish agreements and processes to ensure
-                  that all distributed information system components implement security attributes
-                  with consistent interpretations in automated access/flow enforcement actions.</p>
-            </part>
-            <part id="ac-16.7_obj" name="objective">
-               <p>Determine if the organization provides a consistent interpretation of security
-                  attributes transmitted between distributed information system components. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing consistent interpretation of security attributes
-                     transmitted between distributed information system components</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>procedures addressing information flow enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for providing consistent
-                     interpretation of security attributes used in access enforcement and
-                     information flow enforcement actions</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access enforcement and information flow
-                     enforcement functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.8">
-            <title>Association Techniques / Technologies</title>
-            <param id="ac-16.8_prm_1">
-               <label>organization-defined techniques or technologies</label>
-            </param>
-            <param id="ac-16.8_prm_2">
-               <label>organization-defined level of assurance</label>
-            </param>
-            <prop name="label">AC-16(8)</prop>
-            <prop name="sort-id">ac-16.08</prop>
-            <part id="ac-16.8_smt" name="statement">
-               <p>The information system implements <insert param-id="ac-16.8_prm_1"/> with <insert param-id="ac-16.8_prm_2"/> in associating security attributes to
-                  information.</p>
-            </part>
-            <part id="ac-16.8_gdn" name="guidance">
-               <p>The association (i.e., binding) of security attributes to information within
-                  information systems is of significant importance with regard to conducting
-                  automated access enforcement and flow enforcement actions. The association of such
-                  security attributes can be accomplished with technologies/techniques providing
-                  different levels of assurance. For example, information systems can
-                  cryptographically bind security attributes to information using digital signatures
-                  with the supporting cryptographic keys protected by hardware devices (sometimes
-                  known as hardware roots of trust).</p>
-            </part>
-            <part id="ac-16.8_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-16.8_obj.1" name="objective">
-                  <prop name="label">AC-16(8)[1]</prop>
-                  <p>the organization defines techniques or technologies to be implemented in
-                     associating security attributes to information;</p>
-               </part>
-               <part id="ac-16.8_obj.2" name="objective">
-                  <prop name="label">AC-16(8)[2]</prop>
-                  <p>the organization defines level of assurance to be provided when the information
-                     system implements organization-defined technologies or technologies to
-                     associate security attributes to information; and</p>
-               </part>
-               <part id="ac-16.8_obj.3" name="objective">
-                  <prop name="label">AC-16(8)[3]</prop>
-                  <p>the information system implements organization-defined techniques or
-                     technologies with organization-defined level of assurance in associating
-                     security attributes to information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing association of security attributes to information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for associating security
-                     attributes to information</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing techniques or technologies associating
-                     security attributes to information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.9">
-            <title>Attribute Reassignment</title>
-            <param id="ac-16.9_prm_1">
-               <label>organization-defined techniques or procedures</label>
-            </param>
-            <prop name="label">AC-16(9)</prop>
-            <prop name="sort-id">ac-16.09</prop>
-            <part id="ac-16.9_smt" name="statement">
-               <p>The organization ensures that security attributes associated with information are
-                  reassigned only via re-grading mechanisms validated using <insert param-id="ac-16.9_prm_1"/>.</p>
-            </part>
-            <part id="ac-16.9_gdn" name="guidance">
-               <p>Validated re-grading mechanisms are employed by organizations to provide the
-                  requisite levels of assurance for security attribute reassignment activities. The
-                  validation is facilitated by ensuring that re-grading mechanisms are single
-                  purpose and of limited function. Since security attribute reassignments can affect
-                  security policy enforcement actions (e.g., access/flow enforcement decisions),
-                  using trustworthy re-grading mechanisms is necessary to ensure that such
-                  mechanisms perform in a consistent/correct mode of operation.</p>
-            </part>
-            <part id="ac-16.9_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-16.9_obj.1" name="objective">
-                  <prop name="label">AC-16(9)[1]</prop>
-                  <p>defines techniques or procedures to validate re-grading mechanisms used to
-                     reassign association of security attributes with information; and</p>
-               </part>
-               <part id="ac-16.9_obj.2" name="objective">
-                  <prop name="label">AC-16(9)[2]</prop>
-                  <p>ensures that security attributes associated with information are reassigned
-                     only via re-grading mechanisms validated using organization-defined techniques
-                     or procedures.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing reassignment of security attributes to information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reassigning association of
-                     security attributes to information</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing techniques or procedures for reassigning
-                     association of security attributes to information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.10">
-            <title>Attribute Configuration by Authorized Individuals</title>
-            <prop name="label">AC-16(10)</prop>
-            <prop name="sort-id">ac-16.10</prop>
-            <part id="ac-16.10_smt" name="statement">
-               <p>The information system provides authorized individuals the capability to define or
-                  change the type and value of security attributes available for association with
-                  subjects and objects.</p>
-            </part>
-            <part id="ac-16.10_gdn" name="guidance">
-               <p>The content or assigned values of security attributes can directly affect the
-                  ability of individuals to access organizational information. Therefore, it is
-                  important for information systems to be able to limit the ability to create or
-                  modify security attributes to authorized individuals only.</p>
-            </part>
-            <part id="ac-16.10_obj" name="objective">
-               <p>Determine if the information system provides authorized individuals the capability
-                  to define or change the type and value of security attributes available for
-                  association with subjects and objects. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing configuration of security attributes by authorized
-                     individuals</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for defining or changing
-                     security attributes associated with information</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability for defining or changing security
-                     attributes</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-17">
-         <title>Remote Access</title>
-         <prop name="label">AC-17</prop>
-         <prop name="sort-id">ac-17</prop>
-         <link href="#5309d4d0-46f8-4213-a749-e7584164e5e8" rel="reference">NIST Special Publication 800-46</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#349fe082-502d-464a-aa0c-1443c6a5cf40" rel="reference">NIST Special Publication 800-113</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#d1a4e2a9-e512-4132-8795-5357aba29254" rel="reference">NIST Special Publication 800-121</link>
-         <part id="ac-17_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents usage restrictions, configuration/connection
-                  requirements, and implementation guidance for each type of remote access allowed;
-                  and</p>
-            </part>
-            <part id="ac-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-17_gdn" name="guidance">
-            <p>Remote access is access to organizational information systems by users (or processes
-               acting on behalf of users) communicating through external networks (e.g., the
-               Internet). Remote access methods include, for example, dial-up, broadband, and
-               wireless. Organizations often employ encrypted virtual private networks (VPNs) to
-               enhance confidentiality and integrity over remote connections. The use of encrypted
-               VPNs does not make the access non-remote; however, the use of VPNs, when adequately
-               provisioned with appropriate security controls (e.g., employing appropriate
-               encryption techniques for confidentiality and integrity protection) may provide
-               sufficient assurance to the organization that it can effectively treat such
-               connections as internal networks. Still, VPN connections traverse external networks,
-               and the encrypted VPN does not enhance the availability of remote connections. Also,
-               VPNs with encrypted tunnels can affect the organizational capability to adequately
-               monitor network communications traffic for malicious code. Remote access controls
-               apply to information systems other than public web servers or systems designed for
-               public access. This control addresses authorization prior to allowing remote access
-               without specifying the formats for such authorization. While organizations may use
-               interconnection security agreements to authorize remote access connections, such
-               agreements are not required by this control. Enforcing access restrictions for remote
-               connections is addressed in AC-3.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#pe-17">PE-17</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-17_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-17.a_obj" name="objective">
-               <prop name="label">AC-17(a)</prop>
-               <part id="ac-17.a_obj.1" name="objective">
-                  <prop name="label">AC-17(a)[1]</prop>
-                  <p>identifies the types of remote access allowed to the information system;</p>
-               </part>
-               <part id="ac-17.a_obj.2" name="objective">
-                  <prop name="label">AC-17(a)[2]</prop>
-                  <p>establishes for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.2.a" name="objective">
-                     <prop name="label">AC-17(a)[2][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.b" name="objective">
-                     <prop name="label">AC-17(a)[2][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.2.c" name="objective">
-                     <prop name="label">AC-17(a)[2][c]</prop>
-                     <p>implementation guidance;</p>
-                  </part>
-               </part>
-               <part id="ac-17.a_obj.3" name="objective">
-                  <prop name="label">AC-17(a)[3]</prop>
-                  <p>documents for each type of remote access allowed:</p>
-                  <part id="ac-17.a_obj.3.a" name="objective">
-                     <prop name="label">AC-17(a)[3][a]</prop>
-                     <p>usage restrictions;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.b" name="objective">
-                     <prop name="label">AC-17(a)[3][b]</prop>
-                     <p>configuration/connection requirements;</p>
-                  </part>
-                  <part id="ac-17.a_obj.3.c" name="objective">
-                     <prop name="label">AC-17(a)[3][c]</prop>
-                     <p>implementation guidance; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ac-17.b_obj" name="objective">
-               <prop name="label">AC-17(b)</prop>
-               <p>authorizes remote access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing remote access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>remote access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing remote access
-                  connections</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Remote access management capability for the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-17.1">
-            <title>Automated Monitoring / Control</title>
-            <prop name="label">AC-17(1)</prop>
-            <prop name="sort-id">ac-17.01</prop>
-            <part id="ac-17.1_smt" name="statement">
-               <p>The information system monitors and controls remote access methods.</p>
-            </part>
-            <part id="ac-17.1_gdn" name="guidance">
-               <p>Automated monitoring and control of remote access sessions allows organizations to
-                  detect cyber attacks and also ensure ongoing compliance with remote access
-                  policies by auditing connection activities of remote users on a variety of
-                  information system components (e.g., servers, workstations, notebook computers,
-                  smart phones, and tablets).</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="ac-17.1_obj" name="objective">
-               <p>Determine if the information system monitors and controls remote access methods.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>information system monitoring records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms monitoring and controlling remote access methods</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.2">
-            <title>Protection of Confidentiality / Integrity Using Encryption</title>
-            <prop name="label">AC-17(2)</prop>
-            <prop name="sort-id">ac-17.02</prop>
-            <part id="ac-17.2_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  confidentiality and integrity of remote access sessions.</p>
-            </part>
-            <part id="ac-17.2_gdn" name="guidance">
-               <p>The encryption strength of mechanism is selected based on the security
-                  categorization of the information.</p>
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ac-17.2_obj" name="objective">
-               <p>Determine if the information system implements cryptographic mechanisms to protect
-                  the confidentiality and integrity of remote access sessions. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting confidentiality and integrity of remote
-                     access sessions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.3">
-            <title>Managed Access Control Points</title>
-            <param id="ac-17.3_prm_1">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">AC-17(3)</prop>
-            <prop name="sort-id">ac-17.03</prop>
-            <part id="ac-17.3_smt" name="statement">
-               <p>The information system routes all remote accesses through <insert param-id="ac-17.3_prm_1"/> managed network access control points.</p>
-            </part>
-            <part id="ac-17.3_gdn" name="guidance">
-               <p>Limiting the number of access control points for remote accesses reduces the
-                  attack surface for organizations. Organizations consider the Trusted Internet
-                  Connections (TIC) initiative requirements for external network connections.</p>
-               <link rel="related" href="#sc-7">SC-7</link>
-            </part>
-            <part id="ac-17.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ac-17.3_obj.1" name="objective">
-                  <prop name="label">AC-17(3)[1]</prop>
-                  <p>the organization defines the number of managed network access control points
-                     through which all remote accesses are to be routed; and</p>
-               </part>
-               <part id="ac-17.3_obj.2" name="objective">
-                  <prop name="label">AC-17(3)[2]</prop>
-                  <p>the information system routes all remote accesses through the
-                     organization-defined number of managed network access control points.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system design documentation</p>
-                  <p>list of all managed network access control points</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms routing all remote accesses through managed network access
-                     control points</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.4">
-            <title>Privileged Commands / Access</title>
-            <param id="ac-17.4_prm_1">
-               <label>organization-defined needs</label>
-            </param>
-            <prop name="label">AC-17(4)</prop>
-            <prop name="sort-id">ac-17.04</prop>
-            <part id="ac-17.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-17.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Authorizes the execution of privileged commands and access to security-relevant
-                     information via remote access only for <insert param-id="ac-17.4_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="ac-17.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Documents the rationale for such access in the security plan for the
-                     information system.</p>
-               </part>
-            </part>
-            <part id="ac-17.4_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ac-17.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-17.4.a_obj" name="objective">
-                  <prop name="label">AC-17(4)(a)</prop>
-                  <part id="ac-17.4.a_obj.1" name="objective">
-                     <prop name="label">AC-17(4)(a)[1]</prop>
-                     <p>defines needs to authorize the execution of privileged commands and access
-                        to security-relevant information via remote access;</p>
-                  </part>
-                  <part id="ac-17.4.a_obj.2" name="objective">
-                     <prop name="label">AC-17(4)(a)[2]</prop>
-                     <p>authorizes the execution of privileged commands and access to
-                        security-relevant information via remote access only for
-                        organization-defined needs; and</p>
-                  </part>
-                  <link rel="corresp" href="#ac-17.4_smt.a">AC-17(4)(a)</link>
-               </part>
-               <part id="ac-17.4.b_obj" name="objective">
-                  <prop name="label">AC-17(4)(b)</prop>
-                  <p>documents the rationale for such access in the information system security
-                     plan.</p>
-                  <link rel="corresp" href="#ac-17.4_smt.b">AC-17(4)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security plan</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing remote access management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.5">
-            <title>Monitoring for Unauthorized Connections</title>
-            <prop name="label">AC-17(5)</prop>
-            <prop name="sort-id">ac-17.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.6">
-            <title>Protection of Information</title>
-            <prop name="label">AC-17(6)</prop>
-            <prop name="sort-id">ac-17.06</prop>
-            <part id="ac-17.6_smt" name="statement">
-               <p>The organization ensures that users protect information about remote access
-                  mechanisms from unauthorized use and disclosure.</p>
-            </part>
-            <part id="ac-17.6_gdn" name="guidance">
-               <link rel="related" href="#at-2">AT-2</link>
-               <link rel="related" href="#at-3">AT-3</link>
-               <link rel="related" href="#ps-6">PS-6</link>
-            </part>
-            <part id="ac-17.6_obj" name="objective">
-               <p>Determine if the organization ensures that users protect information about remote
-                  access mechanisms from unauthorized use and disclosure.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing remote access to the information system</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for implementing or monitoring
-                     remote access to the information system</p>
-                  <p>information system users with knowledge of information about remote access
-                     mechanisms</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.7">
-            <title>Additional Protection for Security Function Access</title>
-            <prop name="label">AC-17(7)</prop>
-            <prop name="sort-id">ac-17.07</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-3.10">AC-3 (10)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.8">
-            <title>Disable Nonsecure Network Protocols</title>
-            <prop name="label">AC-17(8)</prop>
-            <prop name="sort-id">ac-17.08</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cm-7">CM-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.9">
-            <title>Disconnect / Disable Access</title>
-            <param id="ac-17.9_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">AC-17(9)</prop>
-            <prop name="sort-id">ac-17.09</prop>
-            <part id="ac-17.9_smt" name="statement">
-               <p>The organization provides the capability to expeditiously disconnect or disable
-                  remote access to the information system within <insert param-id="ac-17.9_prm_1"/>.</p>
-            </part>
-            <part id="ac-17.9_gdn" name="guidance">
-               <p>This control enhancement requires organizations to have the capability to rapidly
-                  disconnect current users remotely accessing the information system and/or disable
-                  further remote access. The speed of disconnect or disablement varies based on the
-                  criticality of missions/business functions and the need to eliminate immediate or
-                  future remote access to organizational information systems.</p>
-            </part>
-            <part id="ac-17.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-17.9_obj.1" name="objective">
-                  <prop name="label">AC-17(9)[1]</prop>
-                  <p>defines the time period within which to expeditiously disconnect or disable
-                     remote access to the information system; and</p>
-               </part>
-               <part id="ac-17.9_obj.2" name="objective">
-                  <prop name="label">AC-17(9)[2]</prop>
-                  <p>provides the capability to expeditiously disconnect or disable remote access to
-                     the information system within the organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing disconnecting or disabling remote access to the
-                     information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security plan, information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to disconnect or disable remote
-                     access to information system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-18">
-         <title>Wireless Access</title>
-         <prop name="label">AC-18</prop>
-         <prop name="sort-id">ac-18</prop>
-         <link href="#238ed479-eccb-49f6-82ec-ab74a7a428cf" rel="reference">NIST Special Publication 800-48</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#6f336ecd-f2a0-4c84-9699-0491d81b6e0d" rel="reference">NIST Special Publication 800-97</link>
-         <part id="ac-18_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-18_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration/connection requirements, and
-                  implementation guidance for wireless access; and</p>
-            </part>
-            <part id="ac-18_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part id="ac-18_gdn" name="guidance">
-            <p>Wireless technologies include, for example, microwave, packet radio (UHF/VHF),
-               802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g.,
-               EAP/TLS, PEAP), which provide credential protection and mutual authentication.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-18_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-18.a_obj" name="objective">
-               <prop name="label">AC-18(a)</prop>
-               <p>establishes for wireless access:</p>
-               <part id="ac-18.a_obj.1" name="objective">
-                  <prop name="label">AC-18(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-18.a_obj.2" name="objective">
-                  <prop name="label">AC-18(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-18.a_obj.3" name="objective">
-                  <prop name="label">AC-18(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-18.b_obj" name="objective">
-               <prop name="label">AC-18(b)</prop>
-               <p>authorizes wireless access to the information system prior to allowing such
-                  connections.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing wireless access implementation and usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>wireless access authorizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing wireless access
-                  connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Wireless access management capability for the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-18.1">
-            <title>Authentication and Encryption</title>
-            <param id="ac-18.1_prm_1">
-               <select how-many="one or more">
-                  <choice>users</choice>
-                  <choice>devices</choice>
-               </select>
-            </param>
-            <prop name="label">AC-18(1)</prop>
-            <prop name="sort-id">ac-18.01</prop>
-            <part id="ac-18.1_smt" name="statement">
-               <p>The information system protects wireless access to the system using authentication
-                  of <insert param-id="ac-18.1_prm_1"/> and encryption.</p>
-            </part>
-            <part id="ac-18.1_gdn" name="guidance">
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ac-18.1_obj" name="objective">
-               <p>Determine if the information system protects wireless access to the system using
-                  encryption and one or more of the following:</p>
-               <part id="ac-18.1_obj.1" name="objective">
-                  <prop name="label">AC-18(1)[1]</prop>
-                  <p>authentication of users; and/or</p>
-               </part>
-               <part id="ac-18.1_obj.2" name="objective">
-                  <prop name="label">AC-18(1)[2]</prop>
-                  <p>authentication of devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing wireless access protections to the
-                     information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.2">
-            <title>Monitoring Unauthorized Connections</title>
-            <prop name="label">AC-18(2)</prop>
-            <prop name="sort-id">ac-18.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.3">
-            <title>Disable Wireless Networking</title>
-            <prop name="label">AC-18(3)</prop>
-            <prop name="sort-id">ac-18.03</prop>
-            <part id="ac-18.3_smt" name="statement">
-               <p>The organization disables, when not intended for use, wireless networking
-                  capabilities internally embedded within information system components prior to
-                  issuance and deployment.</p>
-            </part>
-            <part id="ac-18.3_gdn" name="guidance">
-               <link rel="related" href="#ac-19">AC-19</link>
-            </part>
-            <part id="ac-18.3_obj" name="objective">
-               <p>Determine if the organization disables, when not intended for use, wireless
-                  networking capabilities internally embedded within information system components
-                  prior to issuance and deployment.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms managing the disabling of wireless networking capabilities
-                     internally embedded within information system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.4">
-            <title>Restrict Configurations by Users</title>
-            <prop name="label">AC-18(4)</prop>
-            <prop name="sort-id">ac-18.04</prop>
-            <part id="ac-18.4_smt" name="statement">
-               <p>The organization identifies and explicitly authorizes users allowed to
-                  independently configure wireless networking capabilities.</p>
-            </part>
-            <part id="ac-18.4_gdn" name="guidance">
-               <p>Organizational authorizations to allow selected users to configure wireless
-                  networking capability are enforced in part, by the access enforcement mechanisms
-                  employed within organizational information systems.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#sc-15">SC-15</link>
-            </part>
-            <part id="ac-18.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-18.4_obj.1" name="objective">
-                  <prop name="label">AC-18(4)[1]</prop>
-                  <p>identifies users allowed to independently configure wireless networking
-                     capabilities; and</p>
-               </part>
-               <part id="ac-18.4_obj.2" name="objective">
-                  <prop name="label">AC-18(4)[2]</prop>
-                  <p>explicitly authorizes the identified users allowed to independently configure
-                     wireless networking capabilities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms authorizing independent user configuration of wireless
-                     networking capabilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.5">
-            <title>Antennas / Transmission Power Levels</title>
-            <prop name="label">AC-18(5)</prop>
-            <prop name="sort-id">ac-18.05</prop>
-            <part id="ac-18.5_smt" name="statement">
-               <p>The organization selects radio antennas and calibrates transmission power levels
-                  to reduce the probability that usable signals can be received outside of
-                  organization-controlled boundaries.</p>
-            </part>
-            <part id="ac-18.5_gdn" name="guidance">
-               <p>Actions that may be taken by organizations to limit unauthorized use of wireless
-                  communications outside of organization-controlled boundaries include, for example:
-                  (i) reducing the power of wireless transmissions so that the transmissions are
-                  less likely to emit a signal that can be used by adversaries outside of the
-                  physical perimeters of organizations; (ii) employing measures such as TEMPEST to
-                  control wireless emanations; and (iii) using directional/beam forming antennas
-                  that reduce the likelihood that unintended receivers will be able to intercept
-                  signals. Prior to taking such actions, organizations can conduct periodic wireless
-                  surveys to understand the radio frequency profile of organizational information
-                  systems as well as other systems that may be operating in the area.</p>
-               <link rel="related" href="#pe-19">PE-19</link>
-            </part>
-            <part id="ac-18.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ac-18.5_obj.1" name="objective">
-                  <prop name="label">AC-18(5)[1]</prop>
-                  <p>selects radio antennas to reduce the probability that usable signals can be
-                     received outside of organization-controlled boundaries; and</p>
-               </part>
-               <part id="ac-18.5_obj.2" name="objective">
-                  <prop name="label">AC-18(5)[2]</prop>
-                  <p>calibrates transmission power levels to reduce the probability that usable
-                     signals can be received outside of organization-controlled boundaries.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing wireless implementation and usage (including
-                     restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Wireless access capability protecting usable signals from unauthorized access
-                     outside organization-controlled boundaries</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-19">
-         <title>Access Control for Mobile Devices</title>
-         <prop name="label">AC-19</prop>
-         <prop name="sort-id">ac-19</prop>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#1201fcf3-afb1-4675-915a-fb4ae0435717" rel="reference">NIST Special Publication 800-114</link>
-         <link href="#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589" rel="reference">NIST Special Publication 800-124</link>
-         <link href="#6513e480-fada-4876-abba-1397084dfb26" rel="reference">NIST Special Publication 800-164</link>
-         <part id="ac-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions, configuration requirements, connection
-                  requirements, and implementation guidance for organization-controlled mobile
-                  devices; and</p>
-            </part>
-            <part id="ac-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part id="ac-19_gdn" name="guidance">
-            <p>A mobile device is a computing device that: (i) has a small form factor such that it
-               can easily be carried by a single individual; (ii) is designed to operate without a
-               physical connection (e.g., wirelessly transmit or receive information); (iii)
-               possesses local, non-removable or removable data storage; and (iv) includes a
-               self-contained power source. Mobile devices may also include voice communication
-               capabilities, on-board sensors that allow the device to capture information, and/or
-               built-in features for synchronizing local data with remote locations. Examples
-               include smart phones, E-readers, and tablets. Mobile devices are typically associated
-               with a single individual and the device is usually in close proximity to the
-               individual; however, the degree of proximity can vary depending upon on the form
-               factor and size of the device. The processing, storage, and transmission capability
-               of the mobile device may be comparable to or merely a subset of desktop systems,
-               depending upon the nature and intended purpose of the device. Due to the large
-               variety of mobile devices with different technical characteristics and capabilities,
-               organizational restrictions may vary for the different classes/types of such devices.
-               Usage restrictions and specific implementation guidance for mobile devices include,
-               for example, configuration management, device identification and authentication,
-               implementation of mandatory protective software (e.g., malicious code detection,
-               firewall), scanning devices for malicious code, updating virus protection software,
-               scanning for critical software updates and patches, conducting primary operating
-               system (and possibly other resident software) integrity checks, and disabling
-               unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the
-               need to provide adequate security for mobile devices goes beyond the requirements in
-               this control. Many safeguards and countermeasures for mobile devices are reflected in
-               other security controls in the catalog allocated in the initial control baselines as
-               starting points for the development of security plans and overlays using the
-               tailoring process. There may also be some degree of overlap in the requirements
-               articulated by the security controls within the different families of controls. AC-20
-               addresses mobile devices that are not organization-controlled.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-9">CA-9</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ac-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-19.a_obj" name="objective">
-               <prop name="label">AC-19(a)</prop>
-               <p>establishes for organization-controlled mobile devices:</p>
-               <part id="ac-19.a_obj.1" name="objective">
-                  <prop name="label">AC-19(a)[1]</prop>
-                  <p>usage restrictions;</p>
-               </part>
-               <part id="ac-19.a_obj.2" name="objective">
-                  <prop name="label">AC-19(a)[2]</prop>
-                  <p>configuration/connection requirement;</p>
-               </part>
-               <part id="ac-19.a_obj.3" name="objective">
-                  <prop name="label">AC-19(a)[3]</prop>
-                  <p>implementation guidance; and</p>
-               </part>
-            </part>
-            <part id="ac-19.b_obj" name="objective">
-               <prop name="label">AC-19(b)</prop>
-               <p>authorizes the connection of mobile devices to organizational information
-                  systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access control for mobile device usage (including
-                  restrictions)</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>authorizations for mobile device connections to organizational information
-                  systems</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel using mobile devices to access organizational information
-                  systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Access control capability authorizing mobile device connections to organizational
-                  information systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-19.1">
-            <title>Use of Writable / Portable Storage Devices</title>
-            <prop name="label">AC-19(1)</prop>
-            <prop name="sort-id">ac-19.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-19.2">
-            <title>Use of Personally Owned Portable Storage Devices</title>
-            <prop name="label">AC-19(2)</prop>
-            <prop name="sort-id">ac-19.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-19.3">
-            <title>Use of Portable Storage Devices with No Identifiable Owner</title>
-            <prop name="label">AC-19(3)</prop>
-            <prop name="sort-id">ac-19.03</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-19.4">
-            <title>Restrictions for Classified Information</title>
-            <param id="ac-19.4_prm_1">
-               <label>organization-defined security officials</label>
-            </param>
-            <param id="ac-19.4_prm_2">
-               <label>organization-defined security policies</label>
-            </param>
-            <prop name="label">AC-19(4)</prop>
-            <prop name="sort-id">ac-19.04</prop>
-            <part id="ac-19.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ac-19.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Prohibits the use of unclassified mobile devices in facilities containing
-                     information systems processing, storing, or transmitting classified information
-                     unless specifically permitted by the authorizing official; and</p>
-               </part>
-               <part id="ac-19.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces the following restrictions on individuals permitted by the authorizing
-                     official to use unclassified mobile devices in facilities containing
-                     information systems processing, storing, or transmitting classified
-                     information:</p>
-                  <part id="ac-19.4_smt.b.1" name="item">
-                     <prop name="label">(1)</prop>
-                     <p>Connection of unclassified mobile devices to classified information systems
-                        is prohibited;</p>
-                  </part>
-                  <part id="ac-19.4_smt.b.2" name="item">
-                     <prop name="label">(2)</prop>
-                     <p>Connection of unclassified mobile devices to unclassified information
-                        systems requires approval from the authorizing official;</p>
-                  </part>
-                  <part id="ac-19.4_smt.b.3" name="item">
-                     <prop name="label">(3)</prop>
-                     <p>Use of internal or external modems or wireless interfaces within the
-                        unclassified mobile devices is prohibited; and</p>
-                  </part>
-                  <part id="ac-19.4_smt.b.4" name="item">
-                     <prop name="label">(4)</prop>
-                     <p>Unclassified mobile devices and the information stored on those devices are
-                        subject to random reviews and inspections by <insert param-id="ac-19.4_prm_1"/>, and if classified information is found, the
-                        incident handling policy is followed.</p>
-                  </part>
-               </part>
-               <part id="ac-19.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Restricts the connection of classified mobile devices to classified information
-                     systems in accordance with <insert param-id="ac-19.4_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="ac-19.4_gdn" name="guidance">
-               <link rel="related" href="#ca-6">CA-6</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="ac-19.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-19.4.a_obj" name="objective">
-                  <prop name="label">AC-19(4)(a)</prop>
-                  <p>prohibits the use of unclassified mobile devices in facilities containing
-                     information systems processing, storing, or transmitting classified information
-                     unless specifically permitted by the authorizing official;</p>
-                  <link rel="corresp" href="#ac-19.4_smt.a">AC-19(4)(a)</link>
-               </part>
-               <part id="ac-19.4.b_obj" name="objective">
-                  <prop name="label">AC-19(4)(b)</prop>
-                  <p>enforces the following restrictions on individuals permitted by the authorizing
-                     official to use unclassified mobile devices in facilities containing
-                     information systems processing, storing, or transmitting classified
-                     information:</p>
-                  <part id="ac-19.4.b.1_obj" name="objective">
-                     <prop name="label">AC-19(4)(b)(1)</prop>
-                     <p>connection of unclassified mobile devices to classified information systems
-                        is prohibited;</p>
-                     <link rel="corresp" href="#ac-19.4_smt.b.1">AC-19(4)(b)(1)</link>
-                  </part>
-                  <part id="ac-19.4.b.2_obj" name="objective">
-                     <prop name="label">AC-19(4)(b)(2)</prop>
-                     <p>connection of unclassified mobile devices to unclassified information
-                        systems requires approval from the authorizing official;</p>
-                     <link rel="corresp" href="#ac-19.4_smt.b.2">AC-19(4)(b)(2)</link>
-                  </part>
-                  <part id="ac-19.4.b.3_obj" name="objective">
-                     <prop name="label">AC-19(4)(b)(3)</prop>
-                     <p>use of internal or external modems or wireless interfaces within the
-                        unclassified mobile devices is prohibited;</p>
-                     <link rel="corresp" href="#ac-19.4_smt.b.3">AC-19(4)(b)(3)</link>
-                  </part>
-                  <part id="ac-19.4.b.4_obj" name="objective">
-                     <prop name="label">AC-19(4)(b)(4)</prop>
-                     <part id="ac-19.4.b.4_obj.1" name="objective">
-                        <prop name="label">AC-19(4)(b)(4)[1]</prop>
-                        <p>defines security officials responsible for reviews and inspections of
-                           unclassified mobile devices and the information stored on those
-                           devices;</p>
-                     </part>
-                     <part id="ac-19.4.b.4_obj.2" name="objective">
-                        <prop name="label">AC-19(4)(b)(4)[2]</prop>
-                        <p>unclassified mobile devices and the information stored on those devices
-                           are subject to random reviews/inspections by organization-defined
-                           security officials;</p>
-                     </part>
-                     <part id="ac-19.4.b.4_obj.3" name="objective">
-                        <prop name="label">AC-19(4)(b)(4)[3]</prop>
-                        <p>the incident handling policy is followed if classified information is
-                           found;</p>
-                     </part>
-                     <link rel="corresp" href="#ac-19.4_smt.b.4">AC-19(4)(b)(4)</link>
-                  </part>
-                  <link rel="corresp" href="#ac-19.4_smt.b">AC-19(4)(b)</link>
-               </part>
-               <part id="ac-19.4.c_obj" name="objective">
-                  <prop name="label">AC-19(4)(c)</prop>
-                  <part id="ac-19.4.c_obj.1" name="objective">
-                     <prop name="label">AC-19(4)(c)[1]</prop>
-                     <p>defines security policies to restrict the connection of classified mobile
-                        devices to classified information systems; and</p>
-                  </part>
-                  <part id="ac-19.4.c_obj.2" name="objective">
-                     <prop name="label">AC-19(4)(c)[2]</prop>
-                     <p>restricts the connection of classified mobile devices to classified
-                        information systems in accordance with organization-defined security
-                        policies.</p>
-                  </part>
-                  <link rel="corresp" href="#ac-19.4_smt.c">AC-19(4)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>incident handling policy</p>
-                  <p>procedures addressing access control for mobile devices</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>evidentiary documentation for random inspections and reviews of mobile
-                     devices</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel responsible for random reviews/inspections of mobile
-                     devices</p>
-                  <p>organizational personnel using mobile devices in facilities containing
-                     information systems processing, storing, or transmitting classified
-                     information</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms prohibiting the use of internal or external modems or
-                     wireless interfaces with mobile devices</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-19.5">
-            <title>Full Device / Container-based Encryption</title>
-            <param id="ac-19.5_prm_1">
-               <select>
-                  <choice>full-device encryption</choice>
-                  <choice>container encryption</choice>
-               </select>
-            </param>
-            <param id="ac-19.5_prm_2">
-               <label>organization-defined mobile devices</label>
-            </param>
-            <prop name="label">AC-19(5)</prop>
-            <prop name="sort-id">ac-19.05</prop>
-            <part id="ac-19.5_smt" name="statement">
-               <p>The organization employs <insert param-id="ac-19.5_prm_1"/> to protect the
-                  confidentiality and integrity of information on <insert param-id="ac-19.5_prm_2"/>.</p>
-            </part>
-            <part id="ac-19.5_gdn" name="guidance">
-               <p>Container-based encryption provides a more fine-grained approach to the encryption
-                  of data/information on mobile devices, including for example, encrypting selected
-                  data structures such as files, records, or fields.</p>
-               <link rel="related" href="#mp-5">MP-5</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-               <link rel="related" href="#sc-28">SC-28</link>
-            </part>
-            <part id="ac-19.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-19.5_obj.1" name="objective">
-                  <prop name="label">AC-19(5)[1]</prop>
-                  <p>defines mobile devices for which full-device encryption or container encryption
-                     is required to protect the confidentiality and integrity of information on such
-                     devices; and</p>
-               </part>
-               <part id="ac-19.5_obj.2" name="objective">
-                  <prop name="label">AC-19(5)[2]</prop>
-                  <p>employs full-device encryption or container encryption to protect the
-                     confidentiality and integrity of information on organization-defined mobile
-                     devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access control for mobile devices</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>encryption mechanism s and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access control responsibilities for mobile
-                     devices</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Encryption mechanisms protecting confidentiality and integrity of information
-                     on mobile devices</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-20">
-         <title>Use of External Information Systems</title>
-         <prop name="label">AC-20</prop>
-         <prop name="sort-id">ac-20</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="ac-20_smt" name="statement">
-            <p>The organization establishes terms and conditions, consistent with any trust
-               relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to:</p>
-            <part id="ac-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Access the information system from external information systems; and</p>
-            </part>
-            <part id="ac-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part id="ac-20_gdn" name="guidance">
-            <p>External information systems are information systems or components of information
-               systems that are outside of the authorization boundary established by organizations
-               and for which organizations typically have no direct supervision and authority over
-               the application of required security controls or the assessment of control
-               effectiveness. External information systems include, for example: (i) personally
-               owned information systems/devices (e.g., notebook computers, smart phones, tablets,
-               personal digital assistants); (ii) privately owned computing and communications
-               devices resident in commercial or public facilities (e.g., hotels, train stations,
-               convention centers, shopping malls, or airports); (iii) information systems owned or
-               controlled by nonfederal governmental organizations; and (iv) federal information
-               systems that are not owned by, operated by, or under the direct supervision and
-               authority of organizations. This control also addresses the use of external
-               information systems for the processing, storage, or transmission of organizational
-               information, including, for example, accessing cloud services (e.g., infrastructure
-               as a service, platform as a service, or software as a service) from organizational
-               information systems. For some external information systems (i.e., information systems
-               operated by other federal agencies, including organizations subordinate to those
-               agencies), the trust relationships that have been established between those
-               organizations and the originating organization may be such, that no explicit terms
-               and conditions are required. Information systems within these organizations would not
-               be considered external. These situations occur when, for example, there are
-               pre-existing sharing/trust agreements (either implicit or explicit) established
-               between federal agencies or organizations subordinate to those agencies, or when such
-               trust agreements are specified by applicable laws, Executive Orders, directives, or
-               policies. Authorized individuals include, for example, organizational personnel,
-               contractors, or other individuals with authorized access to organizational
-               information systems and over which organizations have the authority to impose rules
-               of behavior with regard to system access. Restrictions that organizations impose on
-               authorized individuals need not be uniform, as those restrictions may vary depending
-               upon the trust relationships between organizations. Therefore, organizations may
-               choose to impose different security restrictions on contractors than on state, local,
-               or tribal governments. This control does not apply to the use of external information
-               systems to access public interfaces to organizational information systems (e.g.,
-               individuals accessing federal information through www.usa.gov). Organizations
-               establish terms and conditions for the use of external information systems in
-               accordance with organizational security policies and procedures. Terms and conditions
-               address as a minimum: types of applications that can be accessed on organizational
-               information systems from external information systems; and the highest security
-               category of information that can be processed, stored, or transmitted on external
-               information systems. If terms and conditions with the owners of external information
-               systems cannot be established, organizations may impose restrictions on
-               organizational personnel using those external systems.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ac-20_obj" name="objective">
-            <p>Determine if the organization establishes terms and conditions, consistent with any
-               trust relationships established with other organizations owning, operating, and/or
-               maintaining external information systems, allowing authorized individuals to: </p>
-            <part id="ac-20.a_obj" name="objective">
-               <prop name="label">AC-20(a)</prop>
-               <p>access the information system from the external information systems; and</p>
-            </part>
-            <part id="ac-20.b_obj" name="objective">
-               <prop name="label">AC-20(b)</prop>
-               <p>process, store, or transmit organization-controlled information using external
-                  information systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing the use of external information systems</p>
-               <p>external information systems terms and conditions</p>
-               <p>list of types of applications accessible from external information systems</p>
-               <p>maximum security categorization for information processed, stored, or transmitted
-                  on external information systems</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for defining terms and conditions
-                  for use of external information systems to access organizational systems</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing terms and conditions on use of external
-                  information systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-20.1">
-            <title>Limits On Authorized Use</title>
-            <prop name="label">AC-20(1)</prop>
-            <prop name="sort-id">ac-20.01</prop>
-            <part id="ac-20.1_smt" name="statement">
-               <p>The organization permits authorized individuals to use an external information
-                  system to access the information system or to process, store, or transmit
-                  organization-controlled information only when the organization:</p>
-               <part id="ac-20.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Verifies the implementation of required security controls on the external
-                     system as specified in the organization’s information security policy and
-                     security plan; or</p>
-               </part>
-               <part id="ac-20.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Retains approved information system connection or processing agreements with
-                     the organizational entity hosting the external information system.</p>
-               </part>
-            </part>
-            <part id="ac-20.1_gdn" name="guidance">
-               <p>This control enhancement recognizes that there are circumstances where individuals
-                  using external information systems (e.g., contractors, coalition partners) need to
-                  access organizational information systems. In those situations, organizations need
-                  confidence that the external information systems contain the necessary security
-                  safeguards (i.e., security controls), so as not to compromise, damage, or
-                  otherwise harm organizational information systems. Verification that the required
-                  security controls have been implemented can be achieved, for example, by
-                  third-party, independent assessments, attestations, or other means, depending on
-                  the confidence level required by organizations.</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-            </part>
-            <part id="ac-20.1_obj" name="objective">
-               <p>Determine if the organization permits authorized individuals to use an external
-                  information system to access the information system or to process, store, or
-                  transmit organization-controlled information only when the organization: </p>
-               <part id="ac-20.1.a_obj" name="objective">
-                  <prop name="label">AC-20(1)(a)</prop>
-                  <p>verifies the implementation of required security controls on the external
-                     system as specified in the organization’s information security policy and
-                     security plan; or</p>
-                  <link rel="corresp" href="#ac-20.1_smt.a">AC-20(1)(a)</link>
-               </part>
-               <part id="ac-20.1.b_obj" name="objective">
-                  <prop name="label">AC-20(1)(b)</prop>
-                  <p>retains approved information system connection or processing agreements with
-                     the organizational entity hosting the external information system.</p>
-                  <link rel="corresp" href="#ac-20.1_smt.b">AC-20(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the use of external information systems</p>
-                  <p>security plan</p>
-                  <p>information system connection or processing agreements</p>
-                  <p>account management documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing limits on use of external information
-                     systems</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.2">
-            <title>Portable Storage Devices</title>
-            <param id="ac-20.2_prm_1">
-               <select>
-                  <choice>restricts</choice>
-                  <choice>prohibits</choice>
-               </select>
-            </param>
-            <prop name="label">AC-20(2)</prop>
-            <prop name="sort-id">ac-20.02</prop>
-            <part id="ac-20.2_smt" name="statement">
-               <p>The organization <insert param-id="ac-20.2_prm_1"/> the use of
-                  organization-controlled portable storage devices by authorized individuals on
-                  external information systems.</p>
-            </part>
-            <part id="ac-20.2_gdn" name="guidance">
-               <p>Limits on the use of organization-controlled portable storage devices in external
-                  information systems include, for example, complete prohibition of the use of such
-                  devices or restrictions on how the devices may be used and under what conditions
-                  the devices may be used.</p>
-            </part>
-            <part id="ac-20.2_obj" name="objective">
-               <p>Determine if the organization restricts or prohibits the use of
-                  organization-controlled portable storage devices by authorized individuals on
-                  external information systems. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the use of external information systems</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system connection or processing agreements</p>
-                  <p>account management documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for restricting or prohibiting
-                     use of organization-controlled storage devices on external information
-                     systems</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing restrictions on use of portable storage
-                     devices</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.3">
-            <title>Non-organizationally Owned Systems / Components / Devices</title>
-            <param id="ac-20.3_prm_1">
-               <select>
-                  <choice>restricts</choice>
-                  <choice>prohibits</choice>
-               </select>
-            </param>
-            <prop name="label">AC-20(3)</prop>
-            <prop name="sort-id">ac-20.03</prop>
-            <part id="ac-20.3_smt" name="statement">
-               <p>The organization <insert param-id="ac-20.3_prm_1"/> the use of
-                  non-organizationally owned information systems, system components, or devices to
-                  process, store, or transmit organizational information.</p>
-            </part>
-            <part id="ac-20.3_gdn" name="guidance">
-               <p>Non-organizationally owned devices include devices owned by other organizations
-                  (e.g., federal/state agencies, contractors) and personally owned devices. There
-                  are risks to using non-organizationally owned devices. In some cases, the risk is
-                  sufficiently high as to prohibit such use. In other cases, it may be such that the
-                  use of non-organizationally owned devices is allowed but restricted in some way.
-                  Restrictions include, for example: (i) requiring the implementation of
-                  organization-approved security controls prior to authorizing such connections;
-                  (ii) limiting access to certain types of information, services, or applications;
-                  (iii) using virtualization techniques to limit processing and storage activities
-                  to servers or other system components provisioned by the organization; and (iv)
-                  agreeing to terms and conditions for usage. For personally owned devices,
-                  organizations consult with the Office of the General Counsel regarding legal
-                  issues associated with using such devices in operational environments, including,
-                  for example, requirements for conducting forensic analyses during investigations
-                  after an incident.</p>
-            </part>
-            <part id="ac-20.3_obj" name="objective">
-               <p>Determine if the organization restricts or prohibits the use of
-                  non-organizationally owned information systems, system components, or devices to
-                  process, store, or transmit organizational information.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing the use of external information systems</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system connection or processing agreements</p>
-                  <p>account management documents</p>
-                  <p>information system audit records, other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for restricting or prohibiting
-                     use of non-organizationally owned information systems, system components, or
-                     devices</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing restrictions on the use of
-                     non-organizationally owned systems/components/devices</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.4">
-            <title>Network Accessible Storage Devices</title>
-            <param id="ac-20.4_prm_1">
-               <label>organization-defined network accessible storage devices</label>
-            </param>
-            <prop name="label">AC-20(4)</prop>
-            <prop name="sort-id">ac-20.04</prop>
-            <part id="ac-20.4_smt" name="statement">
-               <p>The organization prohibits the use of <insert param-id="ac-20.4_prm_1"/> in
-                  external information systems.</p>
-            </part>
-            <part id="ac-20.4_gdn" name="guidance">
-               <p>Network accessible storage devices in external information systems include, for
-                  example, online storage devices in public, hybrid, or community cloud-based
-                  systems.</p>
-            </part>
-            <part id="ac-20.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ac-20.4_obj.1" name="objective">
-                  <prop name="label">AC-20(4)[1]</prop>
-                  <p>defines network accessible storage devices to be prohibited from use in
-                     external information systems; and</p>
-               </part>
-               <part id="ac-20.4_obj.2" name="objective">
-                  <prop name="label">AC-20(4)[2]</prop>
-                  <p>prohibits the use of organization-defined network accessible storage devices in
-                     external information systems.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing use of network accessible storage devices in external
-                     information systems</p>
-                  <p>security plan, information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system connection or processing agreements</p>
-                  <p>list of network accessible storage devices prohibited from use in external
-                     information systems</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for prohibiting use of network
-                     accessible storage devices in external information systems</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms prohibiting the use of network accessible storage devices
-                     in external information systems</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-21">
-         <title>Information Sharing</title>
-         <param id="ac-21_prm_1">
-            <label>organization-defined information sharing circumstances where user discretion is
-               required</label>
-         </param>
-         <param id="ac-21_prm_2">
-            <label>organization-defined automated mechanisms or manual processes</label>
-         </param>
-         <prop name="label">AC-21</prop>
-         <prop name="sort-id">ac-21</prop>
-         <part id="ac-21_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-21_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Facilitates information sharing by enabling authorized users to determine whether
-                  access authorizations assigned to the sharing partner match the access
-                  restrictions on the information for <insert param-id="ac-21_prm_1"/>; and</p>
-            </part>
-            <part id="ac-21_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs <insert param-id="ac-21_prm_2"/> to assist users in making information
-                  sharing/collaboration decisions.</p>
-            </part>
-         </part>
-         <part id="ac-21_gdn" name="guidance">
-            <p>This control applies to information that may be restricted in some manner (e.g.,
-               privileged medical information, contract-sensitive information, proprietary
-               information, personally identifiable information, classified information related to
-               special access programs or compartments) based on some formal or administrative
-               determination. Depending on the particular information-sharing circumstances, sharing
-               partners may be defined at the individual, group, or organizational level.
-               Information may be defined by content, type, security category, or special access
-               program/compartment.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-         </part>
-         <part id="ac-21_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-21.a_obj" name="objective">
-               <prop name="label">AC-21(a)</prop>
-               <part id="ac-21.a_obj.1" name="objective">
-                  <prop name="label">AC-21(a)[1]</prop>
-                  <p>defines information sharing circumstances where user discretion is
-                     required;</p>
-               </part>
-               <part id="ac-21.a_obj.2" name="objective">
-                  <prop name="label">AC-21(a)[2]</prop>
-                  <p>facilitates information sharing by enabling authorized users to determine
-                     whether access authorizations assigned to the sharing partner match the access
-                     restrictions on the information for organization-defined information sharing
-                     circumstances;</p>
-               </part>
-            </part>
-            <part id="ac-21.b_obj" name="objective">
-               <prop name="label">AC-21(b)</prop>
-               <part id="ac-21.b_obj.1" name="objective">
-                  <prop name="label">AC-21(b)[1]</prop>
-                  <p>defines automated mechanisms or manual processes to be employed to assist users
-                     in making information sharing/collaboration decisions; and</p>
-               </part>
-               <part id="ac-21.b_obj.2" name="objective">
-                  <prop name="label">AC-21(b)[2]</prop>
-                  <p>employs organization-defined automated mechanisms or manual processes to assist
-                     users in making information sharing/collaboration decisions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing user-based collaboration and information sharing (including
-                  restrictions)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of users authorized to make information sharing/collaboration decisions</p>
-               <p>list of information sharing circumstances requiring user discretion</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel responsible for making information sharing/collaboration
-                  decisions</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms or manual process implementing access authorizations
-                  supporting information sharing/user collaboration decisions</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-21.1">
-            <title>Automated Decision Support</title>
-            <prop name="label">AC-21(1)</prop>
-            <prop name="sort-id">ac-21.01</prop>
-            <part id="ac-21.1_smt" name="statement">
-               <p>The information system enforces information-sharing decisions by authorized users
-                  based on access authorizations of sharing partners and access restrictions on
-                  information to be shared.</p>
-            </part>
-            <part id="ac-21.1_obj" name="objective">
-               <p>Determine if the information system enforces information-sharing decisions by
-                  authorized users based on: </p>
-               <part id="ac-21.1_obj.1" name="objective">
-                  <prop name="label">AC-21(1)[1]</prop>
-                  <p>access authorizations of sharing partners; and</p>
-               </part>
-               <part id="ac-21.1_obj.2" name="objective">
-                  <prop name="label">AC-21(1)[2]</prop>
-                  <p>access restrictions on information to be shared.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing user-based collaboration and information sharing
-                     (including restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of users authorized to make information
-                     sharing/collaboration decisions</p>
-                  <p>system-generated list of sharing partners and access authorizations</p>
-                  <p>system-generated list of access restrictions regarding information to be
-                     shared</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access authorizations supporting information
-                     sharing/user collaboration decisions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-21.2">
-            <title>Information Search and Retrieval</title>
-            <param id="ac-21.2_prm_1">
-               <label>organization-defined information sharing restrictions</label>
-            </param>
-            <prop name="label">AC-21(2)</prop>
-            <prop name="sort-id">ac-21.02</prop>
-            <part id="ac-21.2_smt" name="statement">
-               <p>The information system implements information search and retrieval services that
-                  enforce <insert param-id="ac-21.2_prm_1"/>.</p>
-            </part>
-            <part id="ac-21.2_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-21.2_obj.1" name="objective">
-                  <prop name="label">AC-21(2)[1]</prop>
-                  <p>the organization defines information sharing restrictions to be enforced
-                     through information search and retrieval services; and</p>
-               </part>
-               <part id="ac-21.2_obj.2" name="objective">
-                  <prop name="label">AC-21(2)[2]</prop>
-                  <p>the information system implements information search and retrieval services
-                     that enforce organization-defined information sharing restrictions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing user-based collaboration and information sharing
-                     (including restrictions)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of access restrictions regarding information to be
-                     shared</p>
-                  <p>information search and retrieval records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities for
-                     information system search and retrieval services</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system search and retrieval services enforcing information sharing
-                     restrictions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-22">
-         <title>Publicly Accessible Content</title>
-         <param id="ac-22_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-22</prop>
-         <prop name="sort-id">ac-22</prop>
-         <part id="ac-22_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ac-22_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included; and</p>
-            </part>
-            <part id="ac-22_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the content on the publicly accessible information system for nonpublic
-                  information <insert param-id="ac-22_prm_1"/> and removes such information, if
-                  discovered.</p>
-            </part>
-         </part>
-         <part id="ac-22_gdn" name="guidance">
-            <p>In accordance with federal laws, Executive Orders, directives, policies, regulations,
-               standards, and/or guidance, the general public is not authorized access to nonpublic
-               information (e.g., information protected under the Privacy Act and proprietary
-               information). This control addresses information systems that are controlled by the
-               organization and accessible to the general public, typically without identification
-               or authentication. The posting of information on non-organization information systems
-               is covered by organizational policy.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-13">AU-13</link>
-         </part>
-         <part id="ac-22_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-22.a_obj" name="objective">
-               <prop name="label">AC-22(a)</prop>
-               <p>designates individuals authorized to post information onto a publicly accessible
-                  information system;</p>
-            </part>
-            <part id="ac-22.b_obj" name="objective">
-               <prop name="label">AC-22(b)</prop>
-               <p>trains authorized individuals to ensure that publicly accessible information does
-                  not contain nonpublic information;</p>
-            </part>
-            <part id="ac-22.c_obj" name="objective">
-               <prop name="label">AC-22(c)</prop>
-               <p>reviews the proposed content of information prior to posting onto the publicly
-                  accessible information system to ensure that nonpublic information is not
-                  included;</p>
-            </part>
-            <part id="ac-22.d_obj" name="objective">
-               <prop name="label">AC-22(d)</prop>
-               <part id="ac-22.d_obj.1" name="objective">
-                  <prop name="label">AC-22(d)[1]</prop>
-                  <p>defines the frequency to review the content on the publicly accessible
-                     information system for nonpublic information;</p>
-               </part>
-               <part id="ac-22.d_obj.2" name="objective">
-                  <prop name="label">AC-22(d)[2]</prop>
-                  <p>reviews the content on the publicly accessible information system for nonpublic
-                     information with the organization-defined frequency; and</p>
-               </part>
-               <part id="ac-22.d_obj.3" name="objective">
-                  <prop name="label">AC-22(d)[3]</prop>
-                  <p>removes nonpublic information from the publicly accessible information system,
-                     if discovered.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing publicly accessible content</p>
-               <p>list of users authorized to post publicly accessible content on organizational
-                  information systems</p>
-               <p>training materials and/or records</p>
-               <p>records of publicly accessible information reviews</p>
-               <p>records of response to nonpublic information on public websites</p>
-               <p>system audit logs</p>
-               <p>security awareness training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for managing publicly accessible
-                  information posted on organizational information systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing management of publicly accessible content</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-23">
-         <title>Data Mining Protection</title>
-         <param id="ac-23_prm_1">
-            <label>organization-defined data mining prevention and detection techniques</label>
-         </param>
-         <param id="ac-23_prm_2">
-            <label>organization-defined data storage objects</label>
-         </param>
-         <prop name="label">AC-23</prop>
-         <prop name="sort-id">ac-23</prop>
-         <part id="ac-23_smt" name="statement">
-            <p>The organization employs <insert param-id="ac-23_prm_1"/> for <insert param-id="ac-23_prm_2"/> to adequately detect and protect against data mining.</p>
-         </part>
-         <part id="ac-23_gdn" name="guidance">
-            <p>Data storage objects include, for example, databases, database records, and database
-               fields. Data mining prevention and detection techniques include, for example: (i)
-               limiting the types of responses provided to database queries; (ii) limiting the
-               number/frequency of database queries to increase the work factor needed to determine
-               the contents of such databases; and (iii) notifying organizational personnel when
-               atypical database queries or accesses occur. This control focuses on the protection
-               of organizational information from data mining while such information resides in
-               organizational data stores. In contrast, AU-13 focuses on monitoring for
-               organizational information that may have been mined or otherwise obtained from data
-               stores and is now available as open source information residing on external sites,
-               for example, through social networking or social media websites.</p>
-         </part>
-         <part id="ac-23_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ac-23_obj.1" name="objective">
-               <prop name="label">AC-23[1]</prop>
-               <p>defines data mining prevention and detection techniques to be employed for
-                  organization-defined storage objects to adequately detect and protect against data
-                  mining;</p>
-            </part>
-            <part id="ac-23_obj.2" name="objective">
-               <prop name="label">AC-23[2]</prop>
-               <p>defines data storage objects to be protected from data mining; and</p>
-            </part>
-            <part id="ac-23_obj.3" name="objective">
-               <prop name="label">AC-23[3]</prop>
-               <p>employs organization-defined data mining prevention and detection techniques for
-                  organization-defined data storage objects to adequately detect and protect against
-                  data mining.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing data mining techniques</p>
-               <p>procedures addressing protection of data storage objects against data mining</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit logs</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for implementing data mining
-                  detection and prevention techniques for data storage objects</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing data mining prevention and detection</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-24">
-         <title>Access Control Decisions</title>
-         <param id="ac-24_prm_1">
-            <label>organization-defined access control decisions</label>
-         </param>
-         <prop name="label">AC-24</prop>
-         <prop name="sort-id">ac-24</prop>
-         <part id="ac-24_smt" name="statement">
-            <p>The organization establishes procedures to ensure <insert param-id="ac-24_prm_1"/>
-               are applied to each access request prior to access enforcement.</p>
-         </part>
-         <part id="ac-24_gdn" name="guidance">
-            <p>Access control decisions (also known as authorization decisions) occur when
-               authorization information is applied to specific accesses. In contrast, access
-               enforcement occurs when information systems enforce access control decisions. While
-               it is very common to have access control decisions and access enforcement implemented
-               by the same entity, it is not required and it is not always an optimal implementation
-               choice. For some architectures and distributed information systems, different
-               entities may perform access control decisions and access enforcement.</p>
-         </part>
-         <part id="ac-24_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ac-24_obj.1" name="objective">
-               <prop name="label">AC-24[1]</prop>
-               <p>defines access control decisions to be applied to each access request prior to
-                  access control enforcement; and</p>
-            </part>
-            <part id="ac-24_obj.2" name="objective">
-               <prop name="label">AC-24[2]</prop>
-               <p>establishes procedures to ensure organization-defined access control decisions are
-                  applied to each access request prior to access control enforcement.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access control decisions</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for establishing procedures
-                  regarding access control decisions to the information system</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms applying established access control decisions and
-                  procedures</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-24.1">
-            <title>Transmit Access Authorization Information</title>
-            <param id="ac-24.1_prm_1">
-               <label>organization-defined access authorization information</label>
-            </param>
-            <param id="ac-24.1_prm_2">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="ac-24.1_prm_3">
-               <label>organization-defined information systems</label>
-            </param>
-            <prop name="label">AC-24(1)</prop>
-            <prop name="sort-id">ac-24.01</prop>
-            <part id="ac-24.1_smt" name="statement">
-               <p>The information system transmits <insert param-id="ac-24.1_prm_1"/> using <insert param-id="ac-24.1_prm_2"/> to <insert param-id="ac-24.1_prm_3"/> that enforce
-                  access control decisions.</p>
-            </part>
-            <part id="ac-24.1_gdn" name="guidance">
-               <p>In distributed information systems, authorization processes and access control
-                  decisions may occur in separate parts of the systems. In such instances,
-                  authorization information is transmitted securely so timely access control
-                  decisions can be enforced at the appropriate locations. To support the access
-                  control decisions, it may be necessary to transmit as part of the access
-                  authorization information, supporting security attributes. This is due to the fact
-                  that in distributed information systems, there are various access control
-                  decisions that need to be made and different entities (e.g., services) make these
-                  decisions in a serial fashion, each requiring some security attributes to make the
-                  decisions. Protecting access authorization information (i.e., access control
-                  decisions) ensures that such information cannot be altered, spoofed, or otherwise
-                  compromised during transmission.</p>
-            </part>
-            <part id="ac-24.1_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-24.1_obj.1" name="objective">
-                  <prop name="label">AC-24(1)[1]</prop>
-                  <p>the organization defines access authorization information that the information
-                     system transmits to organization-defined information systems that enforce
-                     access control decisions;</p>
-               </part>
-               <part id="ac-24.1_obj.2" name="objective">
-                  <prop name="label">AC-24(1)[2]</prop>
-                  <p>the organization defines security safeguards to be used when the information
-                     system transmits organization-defined authorization information to
-                     organization-defined information systems that enforce access control
-                     decisions;</p>
-               </part>
-               <part id="ac-24.1_obj.3" name="objective">
-                  <prop name="label">AC-24(1)[3]</prop>
-                  <p>the organization defines the information systems that enforce access control
-                     decisions; and</p>
-               </part>
-               <part id="ac-24.1_obj.4" name="objective">
-                  <prop name="label">AC-24(1)[4]</prop>
-                  <p>the information system transmits organization-defined access authorization
-                     information using organization-defined security safeguards to
-                     organization-defined information systems that enforce access control
-                     decisions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access enforcement functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-24.2">
-            <title>No User or Process Identity</title>
-            <param id="ac-24.2_prm_1">
-               <label>organization-defined security attributes</label>
-            </param>
-            <prop name="label">AC-24(2)</prop>
-            <prop name="sort-id">ac-24.02</prop>
-            <part id="ac-24.2_smt" name="statement">
-               <p>The information system enforces access control decisions based on <insert param-id="ac-24.2_prm_1"/> that do not include the identity of the user or
-                  process acting on behalf of the user.</p>
-            </part>
-            <part id="ac-24.2_gdn" name="guidance">
-               <p>In certain situations, it is important that access control decisions can be made
-                  without information regarding the identity of the users issuing the requests.
-                  These are generally instances where preserving individual privacy is of paramount
-                  importance. In other situations, user identification information is simply not
-                  needed for access control decisions and, especially in the case of distributed
-                  information systems, transmitting such information with the needed degree of
-                  assurance may be very expensive or difficult to accomplish.</p>
-            </part>
-            <part id="ac-24.2_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ac-24.2_obj.1" name="objective">
-                  <prop name="label">AC-24(2)[1]</prop>
-                  <p>the organization defines security attributes that support access control
-                     decisions that do not include the identity of the user or processes acting on
-                     behalf of the user; and</p>
-               </part>
-               <part id="ac-24.2_obj.2" name="objective">
-                  <prop name="label">AC-24(2)[2]</prop>
-                  <p>the information system enforces access control decisions based on
-                     organization-defined security attributes that do not include the identity of
-                     the user or process acting on behalf of the user.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing access enforcement</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with access enforcement responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing access enforcement functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-25">
-         <title>Reference Monitor</title>
-         <param id="ac-25_prm_1">
-            <label>organization-defined access control policies</label>
-         </param>
-         <prop name="label">AC-25</prop>
-         <prop name="sort-id">ac-25</prop>
-         <part id="ac-25_smt" name="statement">
-            <p>The information system implements a reference monitor for <insert param-id="ac-25_prm_1"/> that is tamperproof, always invoked, and small enough to
-               be subject to analysis and testing, the completeness of which can be assured.</p>
-         </part>
-         <part id="ac-25_gdn" name="guidance">
-            <p>Information is represented internally within information systems using abstractions
-               known as data structures. Internal data structures can represent different types of
-               entities, both active and passive. Active entities, also known as subjects, are
-               typically associated with individuals, devices, or processes acting on behalf of
-               individuals. Passive entities, also known as objects, are typically associated with
-               data structures such as records, buffers, tables, files, inter-process pipes, and
-               communications ports. Reference monitors typically enforce mandatory access control
-               policies—a type of access control that restricts access to objects based on the
-               identity of subjects or groups to which the subjects belong. The access controls are
-               mandatory because subjects with certain privileges (i.e., access permissions) are
-               restricted from passing those privileges on to any other subjects, either directly or
-               indirectly—that is, the information system strictly enforces the access control
-               policy based on the rule set established by the policy. The tamperproof property of
-               the reference monitor prevents adversaries from compromising the functioning of the
-               mechanism. The always invoked property prevents adversaries from bypassing the
-               mechanism and hence violating the security policy. The smallness property helps to
-               ensure the completeness in the analysis and testing of the mechanism to detect
-               weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of
-               the security policy.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <link rel="related" href="#sc-39">SC-39</link>
-         </part>
-         <part id="ac-25_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="ac-25_obj.1" name="objective">
-               <prop name="label">AC-25[1]</prop>
-               <p>the organization defines access control policies for which the information system
-                  implements a reference monitor to enforce such policies; and</p>
-            </part>
-            <part id="ac-25_obj.2" name="objective">
-               <prop name="label">AC-25[2]</prop>
-               <p>the information system implements a reference monitor for organization-defined
-                  access control policies that is tamperproof, always invoked, and small enough to
-                  be subject to analysis and testing, the completeness of which can be assured.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing access enforcement</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access enforcement responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access enforcement functions</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="at">
-      <title>Awareness and Training</title>
-      <control class="SP800-53" id="at-1">
-         <title>Security Awareness and Training Policy and Procedures</title>
-         <param id="at-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="at-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="at-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-1</prop>
-         <prop name="sort-id">at-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="at-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="at-1_prm_1"/>:</p>
-               <part id="at-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security awareness and training policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="at-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security awareness and
-                     training policy and associated security awareness and training controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="at-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="at-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security awareness and training policy <insert param-id="at-1_prm_2"/>; and</p>
-               </part>
-               <part id="at-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security awareness and training procedures <insert param-id="at-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="at-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AT
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="at-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-1.a_obj" name="objective">
-               <prop name="label">AT-1(a)</prop>
-               <part id="at-1.a.1_obj" name="objective">
-                  <prop name="label">AT-1(a)(1)</prop>
-                  <part id="at-1.a.1_obj.1" name="objective">
-                     <prop name="label">AT-1(a)(1)[1]</prop>
-                     <p>develops and documents an security awareness and training policy that
-                        addresses:</p>
-                     <part id="at-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="at-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AT-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="at-1.a.1_obj.2" name="objective">
-                     <prop name="label">AT-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security awareness and training
-                        policy are to be disseminated;</p>
-                  </part>
-                  <part id="at-1.a.1_obj.3" name="objective">
-                     <prop name="label">AT-1(a)(1)[3]</prop>
-                     <p>disseminates the security awareness and training policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="at-1.a.2_obj" name="objective">
-                  <prop name="label">AT-1(a)(2)</prop>
-                  <part id="at-1.a.2_obj.1" name="objective">
-                     <prop name="label">AT-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security awareness and training policy and associated awareness and training
-                        controls;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.2" name="objective">
-                     <prop name="label">AT-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="at-1.a.2_obj.3" name="objective">
-                     <prop name="label">AT-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-1.b_obj" name="objective">
-               <prop name="label">AT-1(b)</prop>
-               <part id="at-1.b.1_obj" name="objective">
-                  <prop name="label">AT-1(b)(1)</prop>
-                  <part id="at-1.b.1_obj.1" name="objective">
-                     <prop name="label">AT-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training policy;</p>
-                  </part>
-                  <part id="at-1.b.1_obj.2" name="objective">
-                     <prop name="label">AT-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security awareness and training policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="at-1.b.2_obj" name="objective">
-                  <prop name="label">AT-1(b)(2)</prop>
-                  <part id="at-1.b.2_obj.1" name="objective">
-                     <prop name="label">AT-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security awareness
-                        and training procedures; and</p>
-                  </part>
-                  <part id="at-1.b.2_obj.2" name="objective">
-                     <prop name="label">AT-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security awareness and training procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security awareness and training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-2">
-         <title>Security Awareness Training</title>
-         <param id="at-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-2</prop>
-         <prop name="sort-id">at-02</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-2_smt" name="statement">
-            <p>The organization provides basic security awareness training to information system
-               users (including managers, senior executives, and contractors):</p>
-            <part id="at-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>As part of initial training for new users;</p>
-            </part>
-            <part id="at-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-2_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-2_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security awareness training and
-               security awareness techniques based on the specific organizational requirements and
-               the information systems to which personnel have authorized access. The content
-               includes a basic understanding of the need for information security and user actions
-               to maintain security and to respond to suspected security incidents. The content also
-               addresses awareness of the need for operations security. Security awareness
-               techniques can include, for example, displaying posters, offering supplies inscribed
-               with security reminders, generating email advisories/notices from senior
-               organizational officials, displaying logon screen messages, and conducting
-               information security awareness events.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="at-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-2.a_obj" name="objective">
-               <prop name="label">AT-2(a)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) as part of initial training for new
-                  users;</p>
-            </part>
-            <part id="at-2.b_obj" name="objective">
-               <prop name="label">AT-2(b)</prop>
-               <p>provides basic security awareness training to information system users (including
-                  managers, senior executives, and contractors) when required by information system
-                  changes; and</p>
-            </part>
-            <part id="at-2.c_obj" name="objective">
-               <prop name="label">AT-2(c)</prop>
-               <part id="at-2.c_obj.1" name="objective">
-                  <prop name="label">AT-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher security awareness training
-                     thereafter to information system users (including managers, senior executives,
-                     and contractors); and</p>
-               </part>
-               <part id="at-2.c_obj.2" name="objective">
-                  <prop name="label">AT-2(c)[2]</prop>
-                  <p>provides refresher security awareness training to information users (including
-                     managers, senior executives, and contractors) with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security awareness training implementation</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>security awareness training curriculum</p>
-               <p>security awareness training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for security awareness training</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel comprising the general information system user
-                  community</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing security awareness training</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="at-2.1">
-            <title>Practical Exercises</title>
-            <prop name="label">AT-2(1)</prop>
-            <prop name="sort-id">at-02.01</prop>
-            <part id="at-2.1_smt" name="statement">
-               <p>The organization includes practical exercises in security awareness training that
-                  simulate actual cyber attacks.</p>
-            </part>
-            <part id="at-2.1_gdn" name="guidance">
-               <p>Practical exercises may include, for example, no-notice social engineering
-                  attempts to collect information, gain unauthorized access, or simulate the adverse
-                  impact of opening malicious email attachments or invoking, via spear phishing
-                  attacks, malicious web links.</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#cp-4">CP-4</link>
-               <link rel="related" href="#ir-3">IR-3</link>
-            </part>
-            <part id="at-2.1_obj" name="objective">
-               <p>Determine if the organization includes practical exercises in security awareness
-                  training that simulate actual cyber attacks. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security awareness training implementation</p>
-                  <p>security awareness training curriculum</p>
-                  <p>security awareness training materials</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel that participate in security awareness training</p>
-                  <p>organizational personnel with responsibilities for security awareness
-                     training</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing cyber attack simulations in practical
-                     exercises</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-2.2">
-            <title>Insider Threat</title>
-            <prop name="label">AT-2(2)</prop>
-            <prop name="sort-id">at-02.02</prop>
-            <part id="at-2.2_smt" name="statement">
-               <p>The organization includes security awareness training on recognizing and reporting
-                  potential indicators of insider threat.</p>
-            </part>
-            <part id="at-2.2_gdn" name="guidance">
-               <p>Potential indicators and possible precursors of insider threat can include
-                  behaviors such as inordinate, long-term job dissatisfaction, attempts to gain
-                  access to information not required for job performance, unexplained access to
-                  financial resources, bullying or sexual harassment of fellow employees, workplace
-                  violence, and other serious violations of organizational policies, procedures,
-                  directives, rules, or practices. Security awareness training includes how to
-                  communicate employee and management concerns regarding potential indicators of
-                  insider threat through appropriate organizational channels in accordance with
-                  established organizational policies and procedures.</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-               <link rel="related" href="#pm-12">PM-12</link>
-               <link rel="related" href="#ps-3">PS-3</link>
-               <link rel="related" href="#ps-6">PS-6</link>
-            </part>
-            <part id="at-2.2_obj" name="objective">
-               <p>Determine if the organization includes security awareness training on recognizing
-                  and reporting potential indicators of insider threat. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security awareness training implementation</p>
-                  <p>security awareness training curriculum</p>
-                  <p>security awareness training materials</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel that participate in security awareness training</p>
-                  <p>organizational personnel with responsibilities for basic security awareness
-                     training</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="at-3">
-         <title>Role-based Security Training</title>
-         <param id="at-3_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-3</prop>
-         <prop name="sort-id">at-03</prop>
-         <link href="#bb61234b-46c3-4211-8c2b-9869222a720d" rel="reference">C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="at-3_smt" name="statement">
-            <p>The organization provides role-based security training to personnel with assigned
-               security roles and responsibilities:</p>
-            <part id="at-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Before authorizing access to the information system or performing assigned
-                  duties;</p>
-            </part>
-            <part id="at-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="at-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="at-3_prm_1"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="at-3_gdn" name="guidance">
-            <p>Organizations determine the appropriate content of security training based on the
-               assigned roles and responsibilities of individuals and the specific security
-               requirements of organizations and the information systems to which personnel have
-               authorized access. In addition, organizations provide enterprise architects,
-               information system developers, software developers, acquisition/procurement
-               officials, information system managers, system/network administrators, personnel
-               conducting configuration management and auditing activities, personnel performing
-               independent verification and validation activities, security control assessors, and
-               other personnel having access to system-level software, adequate security-related
-               technical training specifically tailored for their assigned duties. Comprehensive
-               role-based training addresses management, operational, and technical roles and
-               responsibilities covering physical, personnel, and technical safeguards and
-               countermeasures. Such training can include for example, policies, procedures, tools,
-               and artifacts for the organizational security roles defined. Organizations also
-               provide the training necessary for individuals to carry out their responsibilities
-               related to operations and supply chain security within the context of organizational
-               information security programs. Role-based security training also applies to
-               contractors providing services to federal agencies.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-4">AT-4</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-16">SA-16</link>
-         </part>
-         <part id="at-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-3.a_obj" name="objective">
-               <prop name="label">AT-3(a)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities before authorizing access to the information system or
-                  performing assigned duties;</p>
-            </part>
-            <part id="at-3.b_obj" name="objective">
-               <prop name="label">AT-3(b)</prop>
-               <p>provides role-based security training to personnel with assigned security roles
-                  and responsibilities when required by information system changes; and</p>
-            </part>
-            <part id="at-3.c_obj" name="objective">
-               <prop name="label">AT-3(c)</prop>
-               <part id="at-3.c_obj.1" name="objective">
-                  <prop name="label">AT-3(c)[1]</prop>
-                  <p>defines the frequency to provide refresher role-based security training
-                     thereafter to personnel with assigned security roles and responsibilities;
-                     and</p>
-               </part>
-               <part id="at-3.c_obj.2" name="objective">
-                  <prop name="label">AT-3(c)[2]</prop>
-                  <p>provides refresher role-based security training to personnel with assigned
-                     security roles and responsibilities with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training implementation</p>
-               <p>codes of federal regulations</p>
-               <p>security training curriculum</p>
-               <p>security training materials</p>
-               <p>security plan</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for role-based security
-                  training</p>
-               <p>organizational personnel with assigned information system security roles and
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms managing role-based security training</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="at-3.1">
-            <title>Environmental Controls</title>
-            <param id="at-3.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="at-3.1_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AT-3(1)</prop>
-            <prop name="sort-id">at-03.01</prop>
-            <part id="at-3.1_smt" name="statement">
-               <p>The organization provides <insert param-id="at-3.1_prm_1"/> with initial and
-                     <insert param-id="at-3.1_prm_2"/> training in the employment and operation of
-                  environmental controls.</p>
-            </part>
-            <part id="at-3.1_gdn" name="guidance">
-               <p>Environmental controls include, for example, fire suppression and detection
-                  devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses,
-                  smoke detectors, temperature/humidity, HVAC, and power within the facility.
-                  Organizations identify personnel with specific roles and responsibilities
-                  associated with environmental controls requiring specialized training.</p>
-               <link rel="related" href="#pe-1">PE-1</link>
-               <link rel="related" href="#pe-13">PE-13</link>
-               <link rel="related" href="#pe-14">PE-14</link>
-               <link rel="related" href="#pe-15">PE-15</link>
-            </part>
-            <part id="at-3.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="at-3.1_obj.1" name="objective">
-                  <prop name="label">AT-3(1)[1]</prop>
-                  <p>defines personnel or roles to be provided with initial and refresher training
-                     in the employment and operation of environmental controls;</p>
-               </part>
-               <part id="at-3.1_obj.2" name="objective">
-                  <prop name="label">AT-3(1)[2]</prop>
-                  <p>provides organization-defined personnel or roles with initial and refresher
-                     training in the employment and operation of environmental controls;</p>
-               </part>
-               <part id="at-3.1_obj.3" name="objective">
-                  <prop name="label">AT-3(1)[3]</prop>
-                  <p>defines the frequency to provide refresher training in the employment and
-                     operation of environmental controls; and</p>
-               </part>
-               <part id="at-3.1_obj.4" name="objective">
-                  <prop name="label">AT-3(1)[4]</prop>
-                  <p>provides refresher training in the employment and operation of environmental
-                     controls with the organization-defined frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security training implementation</p>
-                  <p>security training curriculum</p>
-                  <p>security training materials</p>
-                  <p>security plan</p>
-                  <p>training records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for role-based security
-                     training</p>
-                  <p>organizational personnel with responsibilities for employing and operating
-                     environmental controls</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-3.2">
-            <title>Physical Security Controls</title>
-            <param id="at-3.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="at-3.2_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AT-3(2)</prop>
-            <prop name="sort-id">at-03.02</prop>
-            <part id="at-3.2_smt" name="statement">
-               <p>The organization provides <insert param-id="at-3.2_prm_1"/> with initial and
-                     <insert param-id="at-3.2_prm_2"/> training in the employment and operation of
-                  physical security controls.</p>
-            </part>
-            <part id="at-3.2_gdn" name="guidance">
-               <p>Physical security controls include, for example, physical access control devices,
-                  physical intrusion alarms, monitoring/surveillance equipment, and security guards
-                  (deployment and operating procedures). Organizations identify personnel with
-                  specific roles and responsibilities associated with physical security controls
-                  requiring specialized training.</p>
-               <link rel="related" href="#pe-2">PE-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#pe-4">PE-4</link>
-               <link rel="related" href="#pe-5">PE-5</link>
-            </part>
-            <part id="at-3.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="at-3.2_obj.1" name="objective">
-                  <prop name="label">AT-3(2)[1]</prop>
-                  <p>defines personnel or roles to be provided with initial and refresher training
-                     in the employment and operation of physical security controls;</p>
-               </part>
-               <part id="at-3.2_obj.2" name="objective">
-                  <prop name="label">AT-3(2)[2]</prop>
-                  <p>provides organization-defined personnel or roles with initial and refresher
-                     training in the employment and operation of physical security controls;</p>
-               </part>
-               <part id="at-3.2_obj.3" name="objective">
-                  <prop name="label">AT-3(2)[3]</prop>
-                  <p>defines the frequency to provide refresher training in the employment and
-                     operation of physical security controls; and</p>
-               </part>
-               <part id="at-3.2_obj.4" name="objective">
-                  <prop name="label">AT-3(2)[4]</prop>
-                  <p>provides refresher training in the employment and operation of physical
-                     security controls with the organization-defined frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security training implementation</p>
-                  <p>security training curriculum</p>
-                  <p>security training materials</p>
-                  <p>security plan</p>
-                  <p>training records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for role-based security
-                     training</p>
-                  <p>organizational personnel with responsibilities for employing and operating
-                     physical security controls</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-3.3">
-            <title>Practical Exercises</title>
-            <prop name="label">AT-3(3)</prop>
-            <prop name="sort-id">at-03.03</prop>
-            <part id="at-3.3_smt" name="statement">
-               <p>The organization includes practical exercises in security training that reinforce
-                  training objectives.</p>
-            </part>
-            <part id="at-3.3_gdn" name="guidance">
-               <p>Practical exercises may include, for example, security training for software
-                  developers that includes simulated cyber attacks exploiting common software
-                  vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted
-                  at senior leaders/executives. These types of practical exercises help developers
-                  better understand the effects of such vulnerabilities and appreciate the need for
-                  security coding standards and processes.</p>
-            </part>
-            <part id="at-3.3_obj" name="objective">
-               <p>Determine if the organization includes practical exercises in security training
-                  that reinforce training objectives. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security awareness training implementation</p>
-                  <p>security awareness training curriculum</p>
-                  <p>security awareness training materials</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for role-based security
-                     training</p>
-                  <p>organizational personnel that participate in security awareness training</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-3.4">
-            <title>Suspicious Communications and Anomalous System Behavior</title>
-            <param id="at-3.4_prm_1">
-               <label>organization-defined indicators of malicious code</label>
-            </param>
-            <prop name="label">AT-3(4)</prop>
-            <prop name="sort-id">at-03.04</prop>
-            <part id="at-3.4_smt" name="statement">
-               <p>The organization provides training to its personnel on <insert param-id="at-3.4_prm_1"/> to recognize suspicious communications and anomalous
-                  behavior in organizational information systems.</p>
-            </part>
-            <part id="at-3.4_gdn" name="guidance">
-               <p>A well-trained workforce provides another organizational safeguard that can be
-                  employed as part of a defense-in-depth strategy to protect organizations against
-                  malicious code coming in to organizations via email or the web applications.
-                  Personnel are trained to look for indications of potentially suspicious email
-                  (e.g., receiving an unexpected email, receiving an email containing strange or
-                  poor grammar, or receiving an email from an unfamiliar sender but who appears to
-                  be from a known sponsor or contractor). Personnel are also trained on how to
-                  respond to such suspicious email or web communications (e.g., not opening
-                  attachments, not clicking on embedded web links, and checking the source of email
-                  addresses). For this process to work effectively, all organizational personnel are
-                  trained and made aware of what constitutes suspicious communications. Training
-                  personnel on how to recognize anomalous behaviors in organizational information
-                  systems can potentially provide early warning for the presence of malicious code.
-                  Recognition of such anomalous behavior by organizational personnel can supplement
-                  automated malicious code detection and protection tools and systems employed by
-                  organizations.</p>
-            </part>
-            <part id="at-3.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="at-3.4_obj.1" name="objective">
-                  <prop name="label">AT-3(4)[1]</prop>
-                  <p>defines indicators of malicious code; and</p>
-               </part>
-               <part id="at-3.4_obj.2" name="objective">
-                  <prop name="label">AT-3(4)[2]</prop>
-                  <p>provides training to its personnel on organization-defined indicators of
-                     malicious code to recognize suspicious communications and anomalous behavior in
-                     organizational information systems.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security awareness and training policy</p>
-                  <p>procedures addressing security training implementation</p>
-                  <p>security training curriculum</p>
-                  <p>security training materials</p>
-                  <p>security plan</p>
-                  <p>training records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for role-based security
-                     training</p>
-                  <p>organizational personnel that participate in security awareness training</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="at-4">
-         <title>Security Training Records</title>
-         <param id="at-4_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">AT-4</prop>
-         <prop name="sort-id">at-04</prop>
-         <part id="at-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="at-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Documents and monitors individual information system security training activities
-                  including basic security awareness training and specific information system
-                  security training; and</p>
-            </part>
-            <part id="at-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Retains individual training records for <insert param-id="at-4_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="at-4_gdn" name="guidance">
-            <p>Documentation for specialized training may be maintained by individual supervisors at
-               the option of the organization.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-14">PM-14</link>
-         </part>
-         <part id="at-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="at-4.a_obj" name="objective">
-               <prop name="label">AT-4(a)</prop>
-               <part id="at-4.a_obj.1" name="objective">
-                  <prop name="label">AT-4(a)[1]</prop>
-                  <p>documents individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.1.a" name="objective">
-                     <prop name="label">AT-4(a)[1][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.1.b" name="objective">
-                     <prop name="label">AT-4(a)[1][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-               <part id="at-4.a_obj.2" name="objective">
-                  <prop name="label">AT-4(a)[2]</prop>
-                  <p>monitors individual information system security training activities
-                     including:</p>
-                  <part id="at-4.a_obj.2.a" name="objective">
-                     <prop name="label">AT-4(a)[2][a]</prop>
-                     <p>basic security awareness training;</p>
-                  </part>
-                  <part id="at-4.a_obj.2.b" name="objective">
-                     <prop name="label">AT-4(a)[2][b]</prop>
-                     <p>specific role-based information system security training;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="at-4.b_obj" name="objective">
-               <prop name="label">AT-4(b)</prop>
-               <part id="at-4.b_obj.1" name="objective">
-                  <prop name="label">AT-4(b)[1]</prop>
-                  <p>defines a time period to retain individual training records; and</p>
-               </part>
-               <part id="at-4.b_obj.2" name="objective">
-                  <prop name="label">AT-4(b)[2]</prop>
-                  <p>retains individual training records for the organization-defined time
-                     period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security awareness and training policy</p>
-               <p>procedures addressing security training records</p>
-               <p>security awareness and training records</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security training record retention
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting management of security training records</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-5">
-         <title>Contacts with Security Groups and Associations</title>
-         <prop name="label">AT-5</prop>
-         <prop name="sort-id">at-05</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#pm-15">PM-15</link>
-      </control>
-   </group>
-   <group class="family" id="au">
-      <title>Audit and Accountability</title>
-      <control class="SP800-53" id="au-1">
-         <title>Audit and Accountability Policy and Procedures</title>
-         <param id="au-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="au-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AU-1</prop>
-         <prop name="sort-id">au-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="au-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="au-1_prm_1"/>:</p>
-               <part id="au-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An audit and accountability policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="au-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the audit and accountability
-                     policy and associated audit and accountability controls; and</p>
-               </part>
-            </part>
-            <part id="au-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="au-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Audit and accountability policy <insert param-id="au-1_prm_2"/>; and</p>
-               </part>
-               <part id="au-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Audit and accountability procedures <insert param-id="au-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="au-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the AU
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="au-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-1.a_obj" name="objective">
-               <prop name="label">AU-1(a)</prop>
-               <part id="au-1.a.1_obj" name="objective">
-                  <prop name="label">AU-1(a)(1)</prop>
-                  <part id="au-1.a.1_obj.1" name="objective">
-                     <prop name="label">AU-1(a)(1)[1]</prop>
-                     <p>develops and documents an audit and accountability policy that
-                        addresses:</p>
-                     <part id="au-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="au-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">AU-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="au-1.a.1_obj.2" name="objective">
-                     <prop name="label">AU-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the audit and accountability policy are
-                        to be disseminated;</p>
-                  </part>
-                  <part id="au-1.a.1_obj.3" name="objective">
-                     <prop name="label">AU-1(a)(1)[3]</prop>
-                     <p>disseminates the audit and accountability policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="au-1.a.2_obj" name="objective">
-                  <prop name="label">AU-1(a)(2)</prop>
-                  <part id="au-1.a.2_obj.1" name="objective">
-                     <prop name="label">AU-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        audit and accountability policy and associated audit and accountability
-                        controls;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.2" name="objective">
-                     <prop name="label">AU-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="au-1.a.2_obj.3" name="objective">
-                     <prop name="label">AU-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="au-1.b_obj" name="objective">
-               <prop name="label">AU-1(b)</prop>
-               <part id="au-1.b.1_obj" name="objective">
-                  <prop name="label">AU-1(b)(1)</prop>
-                  <part id="au-1.b.1_obj.1" name="objective">
-                     <prop name="label">AU-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability policy;</p>
-                  </part>
-                  <part id="au-1.b.1_obj.2" name="objective">
-                     <prop name="label">AU-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current audit and accountability policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="au-1.b.2_obj" name="objective">
-                  <prop name="label">AU-1(b)(2)</prop>
-                  <part id="au-1.b.2_obj.1" name="objective">
-                     <prop name="label">AU-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current audit and
-                        accountability procedures; and</p>
-                  </part>
-                  <part id="au-1.b.2_obj.2" name="objective">
-                     <prop name="label">AU-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current audit and accountability procedures in
-                        accordance with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-2">
-         <title>Audit Events</title>
-         <param id="au-2_prm_1">
-            <label>organization-defined auditable events</label>
-         </param>
-         <param id="au-2_prm_2">
-            <label>organization-defined audited events (the subset of the auditable events defined
-               in AU-2 a.) along with the frequency of (or situation requiring) auditing for each
-               identified event</label>
-         </param>
-         <prop name="label">AU-2</prop>
-         <prop name="sort-id">au-02</prop>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="au-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines that the information system is capable of auditing the following
-                  events: <insert param-id="au-2_prm_1"/>;</p>
-            </part>
-            <part id="au-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents; and</p>
-            </part>
-            <part id="au-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Determines that the following events are to be audited within the information
-                  system: <insert param-id="au-2_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="au-2_gdn" name="guidance">
-            <p>An event is any observable occurrence in an organizational information system.
-               Organizations identify audit events as those events which are significant and
-               relevant to the security of information systems and the environments in which those
-               systems operate in order to meet specific and ongoing audit needs. Audit events can
-               include, for example, password changes, failed logons, or failed accesses related to
-               information systems, administrative privilege usage, PIV credential usage, or
-               third-party credential usage. In determining the set of auditable events,
-               organizations consider the auditing appropriate for each of the security controls to
-               be implemented. To balance auditing requirements with other information system needs,
-               this control also requires identifying that subset of auditable events that are
-               audited at a given point in time. For example, organizations may determine that
-               information systems must have the capability to log every file access both successful
-               and unsuccessful, but not activate that capability except for specific circumstances
-               due to the potential burden on system performance. Auditing requirements, including
-               the need for auditable events, may be referenced in other security controls and
-               control enhancements. Organizations also include auditable events that are required
-               by applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards. Audit records can be generated at various levels of abstraction, including
-               at the packet level as information traverses the network. Selecting the appropriate
-               level of abstraction is a critical aspect of an audit capability and can facilitate
-               the identification of root causes to problems. Organizations consider in the
-               definition of auditable events, the auditing necessary to cover related events such
-               as the steps in distributed, transaction-based processes (e.g., processes that are
-               distributed across multiple organizations) and actions that occur in service-oriented
-               architectures.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-2.a_obj" name="objective">
-               <prop name="label">AU-2(a)</prop>
-               <part id="au-2.a_obj.1" name="objective">
-                  <prop name="label">AU-2(a)[1]</prop>
-                  <p>defines the auditable events that the information system must be capable of
-                     auditing;</p>
-               </part>
-               <part id="au-2.a_obj.2" name="objective">
-                  <prop name="label">AU-2(a)[2]</prop>
-                  <p>determines that the information system is capable of auditing
-                     organization-defined auditable events;</p>
-               </part>
-            </part>
-            <part id="au-2.b_obj" name="objective">
-               <prop name="label">AU-2(b)</prop>
-               <p>coordinates the security audit function with other organizational entities
-                  requiring audit-related information to enhance mutual support and to help guide
-                  the selection of auditable events;</p>
-            </part>
-            <part id="au-2.c_obj" name="objective">
-               <prop name="label">AU-2(c)</prop>
-               <p>provides a rationale for why the auditable events are deemed to be adequate to
-                  support after-the-fact investigations of security incidents;</p>
-            </part>
-            <part id="au-2.d_obj" name="objective">
-               <prop name="label">AU-2(d)</prop>
-               <part id="au-2.d_obj.1" name="objective">
-                  <prop name="label">AU-2(d)[1]</prop>
-                  <p>defines the subset of auditable events defined in AU-2a that are to be audited
-                     within the information system;</p>
-               </part>
-               <part id="au-2.d_obj.2" name="objective">
-                  <prop name="label">AU-2(d)[2]</prop>
-                  <p>determines that the subset of auditable events defined in AU-2a are to be
-                     audited within the information system; and</p>
-               </part>
-               <part id="au-2.d_obj.3" name="objective">
-                  <prop name="label">AU-2(d)[3]</prop>
-                  <p>determines the frequency of (or situation requiring) auditing for each
-                     identified event.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing auditable events</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>information system auditable events</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-2.1">
-            <title>Compilation of Audit Records from Multiple Sources</title>
-            <prop name="label">AU-2(1)</prop>
-            <prop name="sort-id">au-02.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#au-12">AU-12</link>
-         </control>
-         <control class="SP800-53-enhancement" id="au-2.2">
-            <title>Selection of Audit Events by Component</title>
-            <prop name="label">AU-2(2)</prop>
-            <prop name="sort-id">au-02.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#au-12">AU-12</link>
-         </control>
-         <control class="SP800-53-enhancement" id="au-2.3">
-            <title>Reviews and Updates</title>
-            <param id="au-2.3_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AU-2(3)</prop>
-            <prop name="sort-id">au-02.03</prop>
-            <part id="au-2.3_smt" name="statement">
-               <p>The organization reviews and updates the audited events <insert param-id="au-2.3_prm_1"/>.</p>
-            </part>
-            <part id="au-2.3_gdn" name="guidance">
-               <p>Over time, the events that organizations believe should be audited may change.
-                  Reviewing and updating the set of audited events periodically is necessary to
-                  ensure that the current set is still necessary and sufficient.</p>
-            </part>
-            <part id="au-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="au-2.3_obj.1" name="objective">
-                  <prop name="label">AU-2(3)[1]</prop>
-                  <p>defines the frequency to review and update the audited events; and</p>
-               </part>
-               <part id="au-2.3_obj.2" name="objective">
-                  <prop name="label">AU-2(3)[2]</prop>
-                  <p>reviews and updates the auditable events with organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing auditable events</p>
-                  <p>security plan</p>
-                  <p>list of organization-defined auditable events</p>
-                  <p>auditable events review and update records</p>
-                  <p>information system audit records</p>
-                  <p>information system incident reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting review and update of auditable events</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-2.4">
-            <title>Privileged Functions</title>
-            <prop name="label">AU-2(4)</prop>
-            <prop name="sort-id">au-02.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-6.9">AC-6 (9)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-3">
-         <title>Content of Audit Records</title>
-         <prop name="label">AU-3</prop>
-         <prop name="sort-id">au-03</prop>
-         <part id="au-3_smt" name="statement">
-            <p>The information system generates audit records containing information that
-               establishes what type of event occurred, when the event occurred, where the event
-               occurred, the source of the event, the outcome of the event, and the identity of any
-               individuals or subjects associated with the event.</p>
-         </part>
-         <part id="au-3_gdn" name="guidance">
-            <p>Audit record content that may be necessary to satisfy the requirement of this
-               control, includes, for example, time stamps, source and destination addresses,
-               user/process identifiers, event descriptions, success/fail indications, filenames
-               involved, and access control or flow control rules invoked. Event outcomes can
-               include indicators of event success or failure and event-specific results (e.g., the
-               security state of the information system after the event occurred).</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-8">AU-8</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="au-3_obj" name="objective">
-            <p>Determine if the information system generates audit records containing information
-               that establishes: </p>
-            <part id="au-3_obj.1" name="objective">
-               <prop name="label">AU-3[1]</prop>
-               <p>what type of event occurred;</p>
-            </part>
-            <part id="au-3_obj.2" name="objective">
-               <prop name="label">AU-3[2]</prop>
-               <p>when the event occurred;</p>
-            </part>
-            <part id="au-3_obj.3" name="objective">
-               <prop name="label">AU-3[3]</prop>
-               <p>where the event occurred;</p>
-            </part>
-            <part id="au-3_obj.4" name="objective">
-               <prop name="label">AU-3[4]</prop>
-               <p>the source of the event;</p>
-            </part>
-            <part id="au-3_obj.5" name="objective">
-               <prop name="label">AU-3[5]</prop>
-               <p>the outcome of the event; and</p>
-            </part>
-            <part id="au-3_obj.6" name="objective">
-               <prop name="label">AU-3[6]</prop>
-               <p>the identity of any individuals or subjects associated with the event.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing content of audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of organization-defined auditable events</p>
-               <p>information system audit records</p>
-               <p>information system incident reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system auditing of auditable
-                  events</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-3.1">
-            <title>Additional Audit Information</title>
-            <param id="au-3.1_prm_1">
-               <label>organization-defined additional, more detailed information</label>
-            </param>
-            <prop name="label">AU-3(1)</prop>
-            <prop name="sort-id">au-03.01</prop>
-            <part id="au-3.1_smt" name="statement">
-               <p>The information system generates audit records containing the following additional
-                  information: <insert param-id="au-3.1_prm_1"/>.</p>
-            </part>
-            <part id="au-3.1_gdn" name="guidance">
-               <p>Detailed information that organizations may consider in audit records includes,
-                  for example, full text recording of privileged commands or the individual
-                  identities of group account users. Organizations consider limiting the additional
-                  audit information to only that information explicitly needed for specific audit
-                  requirements. This facilitates the use of audit trails and audit logs by not
-                  including information that could potentially be misleading or could make it more
-                  difficult to locate information of interest.</p>
-            </part>
-            <part id="au-3.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-3.1_obj.1" name="objective">
-                  <prop name="label">AU-3(1)[1]</prop>
-                  <p>the organization defines additional, more detailed information to be contained
-                     in audit records that the information system generates; and</p>
-               </part>
-               <part id="au-3.1_obj.2" name="objective">
-                  <prop name="label">AU-3(1)[2]</prop>
-                  <p>the information system generates audit records containing the
-                     organization-defined additional, more detailed information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing content of audit records</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of organization-defined auditable events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system audit capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-3.2">
-            <title>Centralized Management of Planned Audit Record Content</title>
-            <param id="au-3.2_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">AU-3(2)</prop>
-            <prop name="sort-id">au-03.02</prop>
-            <part id="au-3.2_smt" name="statement">
-               <p>The information system provides centralized management and configuration of the
-                  content to be captured in audit records generated by <insert param-id="au-3.2_prm_1"/>.</p>
-            </part>
-            <part id="au-3.2_gdn" name="guidance">
-               <p>This control enhancement requires that the content to be captured in audit records
-                  be configured from a central location (necessitating automation). Organizations
-                  coordinate the selection of required audit content to support the centralized
-                  management and configuration capability provided by the information system.</p>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#au-7">AU-7</link>
-            </part>
-            <part id="au-3.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-3.2_obj.1" name="objective">
-                  <prop name="label">AU-3(2)[1]</prop>
-                  <p>the organization defines information system components that generate audit
-                     records whose content is to be centrally managed and configured by the
-                     information system; and</p>
-               </part>
-               <part id="au-3.2_obj.2" name="objective">
-                  <prop name="label">AU-3(2)[2]</prop>
-                  <p>the information system provides centralized management and configuration of the
-                     content to be captured in audit records generated by the organization-defined
-                     information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing content of audit records</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of organization-defined auditable events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system capability implementing centralized management and
-                     configuration of audit record content</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-4">
-         <title>Audit Storage Capacity</title>
-         <param id="au-4_prm_1">
-            <label>organization-defined audit record storage requirements</label>
-         </param>
-         <prop name="label">AU-4</prop>
-         <prop name="sort-id">au-04</prop>
-         <part id="au-4_smt" name="statement">
-            <p>The organization allocates audit record storage capacity in accordance with <insert param-id="au-4_prm_1"/>.</p>
-         </part>
-         <part id="au-4_gdn" name="guidance">
-            <p>Organizations consider the types of auditing to be performed and the audit processing
-               requirements when allocating audit storage capacity. Allocating sufficient audit
-               storage capacity reduces the likelihood of such capacity being exceeded and resulting
-               in the potential loss or reduction of auditing capability.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="au-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-4_obj.1" name="objective">
-               <prop name="label">AU-4[1]</prop>
-               <p>defines audit record storage requirements; and</p>
-            </part>
-            <part id="au-4_obj.2" name="objective">
-               <prop name="label">AU-4[2]</prop>
-               <p>allocates audit record storage capacity in accordance with the
-                  organization-defined audit record storage requirements.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit storage capacity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit record storage requirements</p>
-               <p>audit record storage capability for information system components</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Audit record storage capacity and related configuration settings</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-4.1">
-            <title>Transfer to Alternate Storage</title>
-            <param id="au-4.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AU-4(1)</prop>
-            <prop name="sort-id">au-04.01</prop>
-            <part id="au-4.1_smt" name="statement">
-               <p>The information system off-loads audit records <insert param-id="au-4.1_prm_1"/>
-                  onto a different system or media than the system being audited.</p>
-            </part>
-            <part id="au-4.1_gdn" name="guidance">
-               <p>Off-loading is a process designed to preserve the confidentiality and integrity of
-                  audit records by moving the records from the primary information system to a
-                  secondary or alternate system. It is a common process in information systems with
-                  limited audit storage capacity; the audit storage is used only in a transitory
-                  fashion until the system can communicate with the secondary or alternate system
-                  designated for storing the audit records, at which point the information is
-                  transferred.</p>
-            </part>
-            <part id="au-4.1_obj" name="objective">
-               <p> Determine if:</p>
-               <part id="au-4.1_obj.1" name="objective">
-                  <prop name="label">AU-4(1)[1]</prop>
-                  <p>the organization defines the frequency to off-load audit records onto a
-                     different system or media than the system being audited; and</p>
-               </part>
-               <part id="au-4.1_obj.2" name="objective">
-                  <prop name="label">AU-4(1)[2]</prop>
-                  <p>the information system off-loads audit records onto a different system or media
-                     than the system being audited with the organization-defined frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit storage capacity</p>
-                  <p>procedures addressing transfer of information system audit records to secondary
-                     or alternate systems</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>logs of audit record transfers to secondary or alternate systems</p>
-                  <p>information system audit records transferred to secondary or alternate
-                     systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit storage capacity planning
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting transfer of audit records onto a different
-                     system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-5">
-         <title>Response to Audit Processing Failures</title>
-         <param id="au-5_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-5_prm_2">
-            <label>organization-defined actions to be taken (e.g., shut down information system,
-               overwrite oldest audit records, stop generating audit records)</label>
-         </param>
-         <prop name="label">AU-5</prop>
-         <prop name="sort-id">au-05</prop>
-         <part id="au-5_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Alerts <insert param-id="au-5_prm_1"/> in the event of an audit processing
-                  failure; and</p>
-            </part>
-            <part id="au-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Takes the following additional actions: <insert param-id="au-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="au-5_gdn" name="guidance">
-            <p>Audit processing failures include, for example, software/hardware errors, failures in
-               the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-               Organizations may choose to define additional actions for different audit processing
-               failures (e.g., by type, by location, by severity, or a combination of such factors).
-               This control applies to each audit data storage repository (i.e., distinct
-               information system component where audit records are stored), the total audit storage
-               capacity of organizations (i.e., all audit data storage repositories combined), or
-               both.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#si-12">SI-12</link>
-         </part>
-         <part id="au-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-5.a_obj" name="objective">
-               <prop name="label">AU-5(a)</prop>
-               <part id="au-5.a_obj.1" name="objective">
-                  <prop name="label">AU-5(a)[1]</prop>
-                  <p>the organization defines the personnel or roles to be alerted in the event of
-                     an audit processing failure;</p>
-               </part>
-               <part id="au-5.a_obj.2" name="objective">
-                  <prop name="label">AU-5(a)[2]</prop>
-                  <p>the information system alerts the organization-defined personnel or roles in
-                     the event of an audit processing failure;</p>
-               </part>
-            </part>
-            <part id="au-5.b_obj" name="objective">
-               <prop name="label">AU-5(b)</prop>
-               <part id="au-5.b_obj.1" name="objective">
-                  <prop name="label">AU-5(b)[1]</prop>
-                  <p>the organization defines additional actions to be taken (e.g., shutdown
-                     information system, overwrite oldest audit records, stop generating audit
-                     records) in the event of an audit processing failure; and</p>
-               </part>
-               <part id="au-5.b_obj.2" name="objective">
-                  <prop name="label">AU-5(b)[2]</prop>
-                  <p>the information system takes the additional organization-defined actions in the
-                     event of an audit processing failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing response to audit processing failures</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of personnel to be notified in case of an audit processing failure</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing information system response to audit processing
-                  failures</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-5.1">
-            <title>Audit Storage Capacity</title>
-            <param id="au-5.1_prm_1">
-               <label>organization-defined personnel, roles, and/or locations</label>
-            </param>
-            <param id="au-5.1_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <param id="au-5.1_prm_3">
-               <label>organization-defined percentage</label>
-            </param>
-            <prop name="label">AU-5(1)</prop>
-            <prop name="sort-id">au-05.01</prop>
-            <part id="au-5.1_smt" name="statement">
-               <p>The information system provides a warning to <insert param-id="au-5.1_prm_1"/>
-                  within <insert param-id="au-5.1_prm_2"/> when allocated audit record storage
-                  volume reaches <insert param-id="au-5.1_prm_3"/> of repository maximum audit
-                  record storage capacity.</p>
-            </part>
-            <part id="au-5.1_gdn" name="guidance">
-               <p>Organizations may have multiple audit data storage repositories distributed across
-                  multiple information system components, with each repository having different
-                  storage volume capacities.</p>
-            </part>
-            <part id="au-5.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-5.1_obj.1" name="objective">
-                  <prop name="label">AU-5(1)[1]</prop>
-                  <p>the organization defines:</p>
-                  <part id="au-5.1_obj.1.a" name="objective">
-                     <prop name="label">AU-5(1)[1][a]</prop>
-                     <p>personnel to be warned when allocated audit record storage volume reaches
-                        organization-defined percentage of repository maximum audit record storage
-                        capacity;</p>
-                  </part>
-                  <part id="au-5.1_obj.1.b" name="objective">
-                     <prop name="label">AU-5(1)[1][b]</prop>
-                     <p>roles to be warned when allocated audit record storage volume reaches
-                        organization-defined percentage of repository maximum audit record storage
-                        capacity; and/or</p>
-                  </part>
-                  <part id="au-5.1_obj.1.c" name="objective">
-                     <prop name="label">AU-5(1)[1][c]</prop>
-                     <p>locations to be warned when allocated audit record storage volume reaches
-                        organization-defined percentage of repository maximum audit record storage
-                        capacity;</p>
-                  </part>
-               </part>
-               <part id="au-5.1_obj.2" name="objective">
-                  <prop name="label">AU-5(1)[2]</prop>
-                  <p>the organization defines the time period within which the information system is
-                     to provide a warning to the organization-defined personnel, roles, and/or
-                     locations when allocated audit record storage volume reaches the
-                     organization-defined percentage of repository maximum audit record storage
-                     capacity;</p>
-               </part>
-               <part id="au-5.1_obj.3" name="objective">
-                  <prop name="label">AU-5(1)[3]</prop>
-                  <p>the organization defines the percentage of repository maximum audit record
-                     storage capacity that, if reached, requires a warning to be provided; and</p>
-               </part>
-               <part id="au-5.1_obj.4" name="objective">
-                  <prop name="label">AU-5(1)[4]</prop>
-                  <p>the information system provides a warning to the organization-defined
-                     personnel, roles, and/or locations within the organization-defined time period
-                     when allocated audit record storage volume reaches the organization-defined
-                     percentage of repository maximum audit record storage capacity.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing response to audit processing failures</p>
-                  <p>information system design documentation</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing audit storage limit warnings</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-5.2">
-            <title>Real-time Alerts</title>
-            <param id="au-5.2_prm_1">
-               <label>organization-defined real-time period</label>
-            </param>
-            <param id="au-5.2_prm_2">
-               <label>organization-defined personnel, roles, and/or locations</label>
-            </param>
-            <param id="au-5.2_prm_3">
-               <label>organization-defined audit failure events requiring real-time alerts</label>
-            </param>
-            <prop name="label">AU-5(2)</prop>
-            <prop name="sort-id">au-05.02</prop>
-            <part id="au-5.2_smt" name="statement">
-               <p>The information system provides an alert in <insert param-id="au-5.2_prm_1"/> to
-                     <insert param-id="au-5.2_prm_2"/> when the following audit failure events
-                  occur: <insert param-id="au-5.2_prm_3"/>.</p>
-            </part>
-            <part id="au-5.2_gdn" name="guidance">
-               <p>Alerts provide organizations with urgent messages. Real-time alerts provide these
-                  messages at information technology speed (i.e., the time from event detection to
-                  alert occurs in seconds or less).</p>
-            </part>
-            <part id="au-5.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-5.2_obj.1" name="objective">
-                  <prop name="label">AU-5(2)[1]</prop>
-                  <p>the organization defines audit failure events requiring real-time alerts;</p>
-               </part>
-               <part id="au-5.2_obj.2" name="objective">
-                  <prop name="label">AU-5(2)[2]</prop>
-                  <p>the organization defines:</p>
-                  <part id="au-5.2_obj.2.a" name="objective">
-                     <prop name="label">AU-5(2)[2][a]</prop>
-                     <p>personnel to be alerted when organization-defined audit failure events
-                        requiring real-time alerts occur;</p>
-                  </part>
-                  <part id="au-5.2_obj.2.b" name="objective">
-                     <prop name="label">AU-5(2)[2][b]</prop>
-                     <p>roles to be alerted when organization-defined audit failure events requiring
-                        real-time alerts occur; and/or</p>
-                  </part>
-                  <part id="au-5.2_obj.2.c" name="objective">
-                     <prop name="label">AU-5(2)[2][c]</prop>
-                     <p>locations to be alerted when organization-defined audit failure events
-                        requiring real-time alerts occur;</p>
-                  </part>
-               </part>
-               <part id="au-5.2_obj.3" name="objective">
-                  <prop name="label">AU-5(2)[3]</prop>
-                  <p>the organization defines the real-time period within which the information
-                     system is to provide an alert to the organization-defined personnel, roles,
-                     and/or locations when the organization-defined audit failure events requiring
-                     real-time alerts occur; and</p>
-               </part>
-               <part id="au-5.2_obj.4" name="objective">
-                  <prop name="label">AU-5(2)[4]</prop>
-                  <p>the information system provides an alert within the organization-defined
-                     real-time period to the organization-defined personnel, roles, and/or locations
-                     when organization-defined audit failure events requiring real-time alerts
-                     occur.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing response to audit processing failures</p>
-                  <p>information system design documentation</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of notifications or real-time alerts when audit processing failures
-                     occur</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing real-time audit alerts when
-                     organization-defined audit failure events occur</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-5.3">
-            <title>Configurable Traffic Volume Thresholds</title>
-            <param id="au-5.3_prm_1">
-               <select>
-                  <choice>rejects</choice>
-                  <choice>delays</choice>
-               </select>
-            </param>
-            <prop name="label">AU-5(3)</prop>
-            <prop name="sort-id">au-05.03</prop>
-            <part id="au-5.3_smt" name="statement">
-               <p>The information system enforces configurable network communications traffic volume
-                  thresholds reflecting limits on auditing capacity and <insert param-id="au-5.3_prm_1"/> network traffic above those thresholds.</p>
-            </part>
-            <part id="au-5.3_gdn" name="guidance">
-               <p>Organizations have the capability to reject or delay the processing of network
-                  communications traffic if auditing such traffic is determined to exceed the
-                  storage capacity of the information system audit function. The rejection or delay
-                  response is triggered by the established organizational traffic volume thresholds
-                  which can be adjusted based on changes to audit storage capacity.</p>
-            </part>
-            <part id="au-5.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-5.3_obj.1" name="objective">
-                  <prop name="label">AU-5(3)[1]</prop>
-                  <p>the information system enforces configurable network communications traffic
-                     volume thresholds reflecting limits on auditing capacity;</p>
-               </part>
-               <part id="au-5.3_obj.2" name="objective">
-                  <prop name="label">AU-5(3)[2]</prop>
-                  <p>the organization selects if network traffic above configurable traffic volume
-                     thresholds is to be:</p>
-                  <part id="au-5.3_obj.2.a" name="objective">
-                     <prop name="label">AU-5(3)[2][a]</prop>
-                     <p>rejected; or</p>
-                  </part>
-                  <part id="au-5.3_obj.2.b" name="objective">
-                     <prop name="label">AU-5(3)[2][b]</prop>
-                     <p>delayed; and</p>
-                  </part>
-               </part>
-               <part id="au-5.3_obj.3" name="objective">
-                  <prop name="label">AU-5(3)[3]</prop>
-                  <p>the information system rejects or delays network communications traffic
-                     generated above configurable traffic volume thresholds.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing response to audit processing failures</p>
-                  <p>information system design documentation</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>configuration of network communications traffic volume thresholds</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system capability implementing configurable traffic volume
-                     thresholds</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-5.4">
-            <title>Shutdown On Failure</title>
-            <param id="au-5.4_prm_1">
-               <select>
-                  <choice>full system shutdown</choice>
-                  <choice>partial system shutdown</choice>
-                  <choice>degraded operational mode with limited mission/business functionality
-                     available</choice>
-               </select>
-            </param>
-            <param id="au-5.4_prm_2">
-               <label>organization-defined audit failures</label>
-            </param>
-            <prop name="label">AU-5(4)</prop>
-            <prop name="sort-id">au-05.04</prop>
-            <part id="au-5.4_smt" name="statement">
-               <p>The information system invokes a <insert param-id="au-5.4_prm_1"/> in the event of
-                     <insert param-id="au-5.4_prm_2"/>, unless an alternate audit capability
-                  exists.</p>
-            </part>
-            <part id="au-5.4_gdn" name="guidance">
-               <p>Organizations determine the types of audit failures that can trigger automatic
-                  information system shutdowns or degraded operations. Because of the importance of
-                  ensuring mission/business continuity, organizations may determine that the nature
-                  of the audit failure is not so severe that it warrants a complete shutdown of the
-                  information system supporting the core organizational missions/business
-                  operations. In those instances, partial information system shutdowns or operating
-                  in a degraded mode with reduced capability may be viable alternatives.</p>
-               <link rel="related" href="#au-15">AU-15</link>
-            </part>
-            <part id="au-5.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-5.4_obj.1" name="objective">
-                  <prop name="label">AU-5(4)[1]</prop>
-                  <p>the organization selects one of the following specific actions for the
-                     information system to invoke in the event of organization-defined audit
-                     failures:</p>
-                  <part id="au-5.4_obj.1.a" name="objective">
-                     <prop name="label">AU-5(4)[1][a]</prop>
-                     <p>full system shutdown;</p>
-                  </part>
-                  <part id="au-5.4_obj.1.b" name="objective">
-                     <prop name="label">AU-5(4)[1][b]</prop>
-                     <p>partial system shutdown; or</p>
-                  </part>
-                  <part id="au-5.4_obj.1.c" name="objective">
-                     <prop name="label">AU-5(4)[1][c]</prop>
-                     <p>degraded operational mode with limited mission/business functionality
-                        available;</p>
-                  </part>
-               </part>
-               <part id="au-5.4_obj.2" name="objective">
-                  <prop name="label">AU-5(4)[2]</prop>
-                  <p>the organization defines audit failures that, unless an alternate audit
-                     capability exists, are to trigger the information system to invoke a specific
-                     action; and</p>
-               </part>
-               <part id="au-5.4_obj.3" name="objective">
-                  <prop name="label">AU-5(4)[3]</prop>
-                  <p>the information system invokes the selected specific action in the event of
-                     organization-defined audit failures, unless an alternate audit capability
-                     exists.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing response to audit processing failures</p>
-                  <p>information system design documentation</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system capability invoking system shutdown or degraded operational
-                     mode in the event of an audit processing failure</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-6">
-         <title>Audit Review, Analysis, and Reporting</title>
-         <param id="au-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="au-6_prm_2">
-            <label>organization-defined inappropriate or unusual activity</label>
-         </param>
-         <param id="au-6_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-6</prop>
-         <prop name="sort-id">au-06</prop>
-         <part id="au-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="au-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and analyzes information system audit records <insert param-id="au-6_prm_1"/> for indications of <insert param-id="au-6_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="au-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports findings to <insert param-id="au-6_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="au-6_gdn" name="guidance">
-            <p>Audit review, analysis, and reporting covers information security-related auditing
-               performed by organizations including, for example, auditing that results from
-               monitoring of account usage, remote access, wireless connectivity, mobile device
-               connection, configuration settings, system component inventory, use of maintenance
-               tools and nonlocal maintenance, physical access, temperature and humidity, equipment
-               delivery and removal, communications at the information system boundaries, use of
-               mobile code, and use of VoIP. Findings can be reported to organizational entities
-               that include, for example, incident response team, help desk, information security
-               group/department. If organizations are prohibited from reviewing and analyzing audit
-               information or unable to conduct such activities (e.g., in certain national security
-               applications or systems), the review/analysis may be carried out by other
-               organizations granted such authority.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-10">CM-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#pe-14">PE-14</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-18">SC-18</link>
-            <link rel="related" href="#sc-19">SC-19</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="au-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-6.a_obj" name="objective">
-               <prop name="label">AU-6(a)</prop>
-               <part id="au-6.a_obj.1" name="objective">
-                  <prop name="label">AU-6(a)[1]</prop>
-                  <p>defines the types of inappropriate or unusual activity to look for when
-                     information system audit records are reviewed and analyzed;</p>
-               </part>
-               <part id="au-6.a_obj.2" name="objective">
-                  <prop name="label">AU-6(a)[2]</prop>
-                  <p>defines the frequency to review and analyze information system audit records
-                     for indications of organization-defined inappropriate or unusual activity;</p>
-               </part>
-               <part id="au-6.a_obj.3" name="objective">
-                  <prop name="label">AU-6(a)[3]</prop>
-                  <p>reviews and analyzes information system audit records for indications of
-                     organization-defined inappropriate or unusual activity with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="au-6.b_obj" name="objective">
-               <prop name="label">AU-6(b)</prop>
-               <part id="au-6.b_obj.1" name="objective">
-                  <prop name="label">AU-6(b)[1]</prop>
-                  <p>defines personnel or roles to whom findings resulting from reviews and analysis
-                     of information system audit records are to be reported; and</p>
-               </part>
-               <part id="au-6.b_obj.2" name="objective">
-                  <prop name="label">AU-6(b)[2]</prop>
-                  <p>reports findings to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit review, analysis, and reporting</p>
-               <p>reports of audit findings</p>
-               <p>records of actions taken in response to reviews/analyses of audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit review, analysis, and reporting
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-6.1">
-            <title>Process Integration</title>
-            <prop name="label">AU-6(1)</prop>
-            <prop name="sort-id">au-06.01</prop>
-            <part id="au-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to integrate audit review, analysis,
-                  and reporting processes to support organizational processes for investigation and
-                  response to suspicious activities.</p>
-            </part>
-            <part id="au-6.1_gdn" name="guidance">
-               <p>Organizational processes benefiting from integrated audit review, analysis, and
-                  reporting include, for example, incident response, continuous monitoring,
-                  contingency planning, and Inspector General audits.</p>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#pm-7">PM-7</link>
-            </part>
-            <part id="au-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="au-6.1_obj.1" name="objective">
-                  <prop name="label">AU-6(1)[1]</prop>
-                  <p>employs automated mechanisms to integrate:</p>
-                  <part id="au-6.1_obj.1.a" name="objective">
-                     <prop name="label">AU-6(1)[1][a]</prop>
-                     <p>audit review;</p>
-                  </part>
-                  <part id="au-6.1_obj.1.b" name="objective">
-                     <prop name="label">AU-6(1)[1][b]</prop>
-                     <p>analysis;</p>
-                  </part>
-                  <part id="au-6.1_obj.1.c" name="objective">
-                     <prop name="label">AU-6(1)[1][c]</prop>
-                     <p>reporting processes;</p>
-                  </part>
-               </part>
-               <part id="au-6.1_obj.2" name="objective">
-                  <prop name="label">AU-6(1)[2]</prop>
-                  <p>uses integrated audit review, analysis and reporting processes to support
-                     organizational processes for:</p>
-                  <part id="au-6.1_obj.2.a" name="objective">
-                     <prop name="label">AU-6(1)[2][a]</prop>
-                     <p>investigation of suspicious activities; and</p>
-                  </part>
-                  <part id="au-6.1_obj.2.b" name="objective">
-                     <prop name="label">AU-6(1)[2][b]</prop>
-                     <p>response to suspicious activities.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>procedures addressing investigation and response to suspicious activities</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms integrating audit review, analysis, and reporting
-                     processes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.2">
-            <title>Automated Security Alerts</title>
-            <prop name="label">AU-6(2)</prop>
-            <prop name="sort-id">au-06.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.3">
-            <title>Correlate Audit Repositories</title>
-            <prop name="label">AU-6(3)</prop>
-            <prop name="sort-id">au-06.03</prop>
-            <part id="au-6.3_smt" name="statement">
-               <p>The organization analyzes and correlates audit records across different
-                  repositories to gain organization-wide situational awareness.</p>
-            </part>
-            <part id="au-6.3_gdn" name="guidance">
-               <p>Organization-wide situational awareness includes awareness across all three tiers
-                  of risk management (i.e., organizational, mission/business process, and
-                  information system) and supports cross-organization awareness.</p>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="au-6.3_obj" name="objective">
-               <p>Determine if the organization analyzes and correlates audit records across
-                  different repositories to gain organization-wide situational awareness. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records across different repositories</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting analysis and correlation of audit records</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.4">
-            <title>Central Review and Analysis</title>
-            <prop name="label">AU-6(4)</prop>
-            <prop name="sort-id">au-06.04</prop>
-            <part id="au-6.4_smt" name="statement">
-               <p>The information system provides the capability to centrally review and analyze
-                  audit records from multiple components within the system.</p>
-            </part>
-            <part id="au-6.4_gdn" name="guidance">
-               <p>Automated mechanisms for centralized reviews and analyses include, for example,
-                  Security Information Management products.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="au-6.4_obj" name="objective">
-               <p>Determine if the information system provides the capability to centrally review
-                  and analyze audit records from multiple components within the system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security plan</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system capability to centralize review and analysis of audit
-                     records</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.5">
-            <title>Integration / Scanning and Monitoring Capabilities</title>
-            <param id="au-6.5_prm_1">
-               <select how-many="one or more">
-                  <choice>vulnerability scanning information</choice>
-                  <choice>performance data</choice>
-                  <choice>information system monitoring information</choice>
-                  <choice>
-                     <insert param-id="au-6.5_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="au-6.5_prm_2" depends-on="au-6.5_prm_1">
-               <label>organization-defined data/information collected from other sources</label>
-            </param>
-            <prop name="label">AU-6(5)</prop>
-            <prop name="sort-id">au-06.05</prop>
-            <part id="au-6.5_smt" name="statement">
-               <p>The organization integrates analysis of audit records with analysis of <insert param-id="au-6.5_prm_1"/> to further enhance the ability to identify
-                  inappropriate or unusual activity.</p>
-            </part>
-            <part id="au-6.5_gdn" name="guidance">
-               <p>This control enhancement does not require vulnerability scanning, the generation
-                  of performance data, or information system monitoring. Rather, the enhancement
-                  requires that the analysis of information being otherwise produced in these areas
-                  is integrated with the analysis of audit information. Security Event and
-                  Information Management System tools can facilitate audit record
-                  aggregation/consolidation from multiple information system components as well as
-                  audit record correlation and analysis. The use of standardized audit record
-                  analysis scripts developed by organizations (with localized script adjustments, as
-                  necessary) provides more cost-effective approaches for analyzing audit record
-                  information collected. The correlation of audit record information with
-                  vulnerability scanning information is important in determining the veracity of
-                  vulnerability scans and correlating attack detection events with scanning results.
-                  Correlation with performance data can help uncover denial of service attacks or
-                  cyber attacks resulting in unauthorized use of resources. Correlation with system
-                  monitoring information can assist in uncovering attacks and in better relating
-                  audit information to operational situations.</p>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="au-6.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="au-6.5_obj.1" name="objective">
-                  <prop name="label">AU-6(5)[1]</prop>
-                  <p>defines data/information to be collected from other sources;</p>
-               </part>
-               <part id="au-6.5_obj.2" name="objective">
-                  <prop name="label">AU-6(5)[2]</prop>
-                  <p>selects sources of data/information to be analyzed and integrated with the
-                     analysis of audit records from one or more of the following:</p>
-                  <part id="au-6.5_obj.2.a" name="objective">
-                     <prop name="label">AU-6(5)[2][a]</prop>
-                     <p>vulnerability scanning information;</p>
-                  </part>
-                  <part id="au-6.5_obj.2.b" name="objective">
-                     <prop name="label">AU-6(5)[2][b]</prop>
-                     <p>performance data;</p>
-                  </part>
-                  <part id="au-6.5_obj.2.c" name="objective">
-                     <prop name="label">AU-6(5)[2][c]</prop>
-                     <p>information system monitoring information; and/or</p>
-                  </part>
-                  <part id="au-6.5_obj.2.d" name="objective">
-                     <prop name="label">AU-6(5)[2][d]</prop>
-                     <p>organization-defined data/information collected from other sources; and</p>
-                  </part>
-               </part>
-               <part id="au-6.5_obj.3" name="objective">
-                  <prop name="label">AU-6(5)[3]</prop>
-                  <p>integrates the analysis of audit records with the analysis of selected
-                     data/information to further enhance the ability to identify inappropriate or
-                     unusual activity.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrated analysis of audit records, vulnerability scanning information,
-                     performance data, network monitoring information and associated
-                     documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to integrate analysis of audit
-                     records with analysis of data/information sources</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.6">
-            <title>Correlation with Physical Monitoring</title>
-            <prop name="label">AU-6(6)</prop>
-            <prop name="sort-id">au-06.06</prop>
-            <part id="au-6.6_smt" name="statement">
-               <p>The organization correlates information from audit records with information
-                  obtained from monitoring physical access to further enhance the ability to
-                  identify suspicious, inappropriate, unusual, or malevolent activity.</p>
-            </part>
-            <part id="au-6.6_gdn" name="guidance">
-               <p>The correlation of physical audit information and audit logs from information
-                  systems may assist organizations in identifying examples of suspicious behavior or
-                  supporting evidence of such behavior. For example, the correlation of an
-                  individual’s identity for logical access to certain information systems with the
-                  additional physical security information that the individual was actually present
-                  at the facility when the logical access occurred, may prove to be useful in
-                  investigations.</p>
-            </part>
-            <part id="au-6.6_obj" name="objective">
-               <p>Determine if the organization correlates information from audit records with
-                  information obtained from monitoring physical access to enhance the ability to
-                  identify suspicious, inappropriate, unusual, or malevolent activity.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documentation providing evidence of correlated information obtained from audit
-                     records and physical access monitoring records</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to correlate information from
-                     audit records with information from monitoring physical access</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.7">
-            <title>Permitted Actions</title>
-            <param id="au-6.7_prm_1">
-               <select how-many="one or more">
-                  <choice>information system process</choice>
-                  <choice>role</choice>
-                  <choice>user</choice>
-               </select>
-            </param>
-            <prop name="label">AU-6(7)</prop>
-            <prop name="sort-id">au-06.07</prop>
-            <part id="au-6.7_smt" name="statement">
-               <p>The organization specifies the permitted actions for each <insert param-id="au-6.7_prm_1"/> associated with the review, analysis, and reporting
-                  of audit information.</p>
-            </part>
-            <part id="au-6.7_gdn" name="guidance">
-               <p>Organizations specify permitted actions for information system processes, roles,
-                  and/or users associated with the review, analysis, and reporting of audit records
-                  through account management techniques. Specifying permitted actions on audit
-                  information is a way to enforce the principle of least privilege. Permitted
-                  actions are enforced by the information system and include, for example, read,
-                  write, execute, append, and delete.</p>
-            </part>
-            <part id="au-6.7_obj" name="objective">
-               <p>Determine if the organization specifies the permitted actions for each one or more
-                  of the following associated with the review, analysis and reporting of audit
-                  information:</p>
-               <part id="au-6.7_obj.1" name="objective">
-                  <prop name="label">AU-6(7)[1]</prop>
-                  <p>information system process;</p>
-               </part>
-               <part id="au-6.7_obj.2" name="objective">
-                  <prop name="label">AU-6(7)[2]</prop>
-                  <p>role; and/or</p>
-               </part>
-               <part id="au-6.7_obj.3" name="objective">
-                  <prop name="label">AU-6(7)[3]</prop>
-                  <p>user.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing process, role and/or user permitted actions from audit
-                     review, analysis, and reporting</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting permitted actions for review, analysis, and
-                     reporting of audit information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.8">
-            <title>Full Text Analysis of Privileged Commands</title>
-            <prop name="label">AU-6(8)</prop>
-            <prop name="sort-id">au-06.08</prop>
-            <part id="au-6.8_smt" name="statement">
-               <p>The organization performs a full text analysis of audited privileged commands in a
-                  physically distinct component or subsystem of the information system, or other
-                  information system that is dedicated to that analysis.</p>
-            </part>
-            <part id="au-6.8_gdn" name="guidance">
-               <p>This control enhancement requires a distinct environment for the dedicated
-                  analysis of audit information related to privileged users without compromising
-                  such information on the information system where the users have elevated
-                  privileges including the capability to execute privileged commands. Full text
-                  analysis refers to analysis that considers the full text of privileged commands
-                  (i.e., commands and all parameters) as opposed to analysis that considers only the
-                  name of the command. Full text analysis includes, for example, the use of pattern
-                  matching and heuristics.</p>
-               <link rel="related" href="#au-3">AU-3</link>
-               <link rel="related" href="#au-9">AU-9</link>
-               <link rel="related" href="#au-11">AU-11</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="au-6.8_obj" name="objective">
-               <p>Determine if the organization performs a full text analysis of audited privileged
-                  commands in:</p>
-               <part id="au-6.8_obj.1" name="objective">
-                  <prop name="label">AU-6(8)[1]</prop>
-                  <p>a physically distinct component or subsystem of the information system; or</p>
-               </part>
-               <part id="au-6.8_obj.2" name="objective">
-                  <prop name="label">AU-6(8)[2]</prop>
-                  <p>other information system that is dedicated to that analysis.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>text analysis tools and techniques</p>
-                  <p>text analysis documentation of audited privileged commands</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to perform a full text analysis of
-                     audited privilege commands</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.9">
-            <title>Correlation with Information from Nontechnical Sources</title>
-            <prop name="label">AU-6(9)</prop>
-            <prop name="sort-id">au-06.09</prop>
-            <part id="au-6.9_smt" name="statement">
-               <p>The organization correlates information from nontechnical sources with audit
-                  information to enhance organization-wide situational awareness.</p>
-            </part>
-            <part id="au-6.9_gdn" name="guidance">
-               <p>Nontechnical sources include, for example, human resources records documenting
-                  organizational policy violations (e.g., sexual harassment incidents, improper use
-                  of organizational information assets). Such information can lead organizations to
-                  a more directed analytical effort to detect potential malicious insider activity.
-                  Due to the sensitive nature of the information available from nontechnical
-                  sources, organizations limit access to such information to minimize the potential
-                  for the inadvertent release of privacy-related information to individuals that do
-                  not have a need to know. Thus, correlation of information from nontechnical
-                  sources with audit information generally occurs only when individuals are
-                  suspected of being involved in a security incident. Organizations obtain legal
-                  advice prior to initiating such actions.</p>
-               <link rel="related" href="#at-2">AT-2</link>
-            </part>
-            <part id="au-6.9_obj" name="objective">
-               <p>Determine if the organization correlates information from nontechnical sources
-                  with audit information to enhance organization-wide situational awareness.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documentation providing evidence of correlated information obtained from audit
-                     records and organization-defined nontechnical sources</p>
-                  <p>list of information types from nontechnical sources for correlation with audit
-                     information</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing capability to correlate information from
-                     non-technical sources</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.10">
-            <title>Audit Level Adjustment</title>
-            <prop name="label">AU-6(10)</prop>
-            <prop name="sort-id">au-06.10</prop>
-            <part id="au-6.10_smt" name="statement">
-               <p>The organization adjusts the level of audit review, analysis, and reporting within
-                  the information system when there is a change in risk based on law enforcement
-                  information, intelligence information, or other credible sources of
-                  information.</p>
-            </part>
-            <part id="au-6.10_gdn" name="guidance">
-               <p>The frequency, scope, and/or depth of the audit review, analysis, and reporting
-                  may be adjusted to meet organizational needs based on new information
-                  received.</p>
-            </part>
-            <part id="au-6.10_obj" name="objective">
-               <p>Determine if the organization adjusts the level of audit review, analysis, and
-                  reporting within the information system when there is a change in risk based
-                  on:</p>
-               <part id="au-6.10_obj.1" name="objective">
-                  <prop name="label">AU-6(10)[1]</prop>
-                  <p>law enforcement information;</p>
-               </part>
-               <part id="au-6.10_obj.2" name="objective">
-                  <prop name="label">AU-6(10)[2]</prop>
-                  <p>intelligence information; and/or</p>
-               </part>
-               <part id="au-6.10_obj.3" name="objective">
-                  <prop name="label">AU-6(10)[3]</prop>
-                  <p>other credible sources of information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit review, analysis, and reporting</p>
-                  <p>organizational risk assessment</p>
-                  <p>security control assessment</p>
-                  <p>vulnerability assessment</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit review, analysis, and reporting
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting review, analysis, and reporting of audit
-                     information</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-7">
-         <title>Audit Reduction and Report Generation</title>
-         <prop name="label">AU-7</prop>
-         <prop name="sort-id">au-07</prop>
-         <part id="au-7_smt" name="statement">
-            <p>The information system provides an audit reduction and report generation capability
-               that:</p>
-            <part id="au-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Supports on-demand audit review, analysis, and reporting requirements and
-                  after-the-fact investigations of security incidents; and</p>
-            </part>
-            <part id="au-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Does not alter the original content or time ordering of audit records.</p>
-            </part>
-         </part>
-         <part id="au-7_gdn" name="guidance">
-            <p>Audit reduction is a process that manipulates collected audit information and
-               organizes such information in a summary format that is more meaningful to analysts.
-               Audit reduction and report generation capabilities do not always emanate from the
-               same information system or from the same organizational entities conducting auditing
-               activities. Audit reduction capability can include, for example, modern data mining
-               techniques with advanced data filters to identify anomalous behavior in audit
-               records. The report generation capability provided by the information system can
-               generate customizable reports. Time ordering of audit records can be a significant
-               issue if the granularity of the timestamp in the record is insufficient.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-         </part>
-         <part id="au-7_obj" name="objective">
-            <p>Determine if the information system provides an audit reduction and report generation
-               capability that supports:</p>
-            <part id="au-7.a_obj" name="objective">
-               <prop name="label">AU-7(a)</prop>
-               <part id="au-7.a_obj.1" name="objective">
-                  <prop name="label">AU-7(a)[1]</prop>
-                  <p>on-demand audit review;</p>
-               </part>
-               <part id="au-7.a_obj.2" name="objective">
-                  <prop name="label">AU-7(a)[2]</prop>
-                  <p>analysis;</p>
-               </part>
-               <part id="au-7.a_obj.3" name="objective">
-                  <prop name="label">AU-7(a)[3]</prop>
-                  <p>reporting requirements;</p>
-               </part>
-               <part id="au-7.a_obj.4" name="objective">
-                  <prop name="label">AU-7(a)[4]</prop>
-                  <p>after-the-fact investigations of security incidents; and</p>
-               </part>
-            </part>
-            <part id="au-7.b_obj" name="objective">
-               <prop name="label">AU-7(b)</prop>
-               <p>does not alter the original content or time ordering of audit records.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit reduction and report generation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit reduction, review, analysis, and reporting tools</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit reduction and report generation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Audit reduction and report generation capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-7.1">
-            <title>Automatic Processing</title>
-            <param id="au-7.1_prm_1">
-               <label>organization-defined audit fields within audit records</label>
-            </param>
-            <prop name="label">AU-7(1)</prop>
-            <prop name="sort-id">au-07.01</prop>
-            <part id="au-7.1_smt" name="statement">
-               <p>The information system provides the capability to process audit records for events
-                  of interest based on <insert param-id="au-7.1_prm_1"/>.</p>
-            </part>
-            <part id="au-7.1_gdn" name="guidance">
-               <p>Events of interest can be identified by the content of specific audit record
-                  fields including, for example, identities of individuals, event types, event
-                  locations, event times, event dates, system resources involved, IP addresses
-                  involved, or information objects accessed. Organizations may define audit event
-                  criteria to any degree of granularity required, for example, locations selectable
-                  by general networking location (e.g., by network or subnetwork) or selectable by
-                  specific information system component.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="au-7.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-7.1_obj.1" name="objective">
-                  <prop name="label">AU-7(1)[1]</prop>
-                  <p>the organization defines audit fields within audit records in order to process
-                     audit records for events of interest; and</p>
-               </part>
-               <part id="au-7.1_obj.2" name="objective">
-                  <prop name="label">AU-7(1)[2]</prop>
-                  <p>the information system provides the capability to process audit records for
-                     events of interest based on the organization-defined audit fields within audit
-                     records.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit reduction and report generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit reduction, review, analysis, and reporting tools</p>
-                  <p>audit record criteria (fields) establishing events of interest</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit reduction and report generation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Audit reduction and report generation capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-7.2">
-            <title>Automatic Sort and Search</title>
-            <param id="au-7.2_prm_1">
-               <label>organization-defined audit fields within audit records</label>
-            </param>
-            <prop name="label">AU-7(2)</prop>
-            <prop name="sort-id">au-07.02</prop>
-            <part id="au-7.2_smt" name="statement">
-               <p>The information system provides the capability to sort and search audit records
-                  for events of interest based on the content of <insert param-id="au-7.2_prm_1"/>.</p>
-            </part>
-            <part id="au-7.2_gdn" name="guidance">
-               <p>Sorting and searching of audit records may be based upon the contents of audit
-                  record fields, for example: (i) date/time of events; (ii) user identifiers; (iii)
-                  Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v)
-                  event success/failure.</p>
-            </part>
-            <part id="au-7.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-7.2_obj.1" name="objective">
-                  <prop name="label">AU-7(2)[1]</prop>
-                  <p>the organization defines audit fields within audit records in order to sort and
-                     search audit records for events of interest based on content of such audit
-                     fields; and</p>
-               </part>
-               <part id="au-7.2_obj.2" name="objective">
-                  <prop name="label">AU-7(2)[2]</prop>
-                  <p>the information system provides the capability to sort and search audit records
-                     for events of interest based on the content of organization-defined audit
-                     fields within audit records.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit reduction and report generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit reduction, review, analysis, and reporting tools</p>
-                  <p>audit record criteria (fields) establishing events of interest</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit reduction and report generation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Audit reduction and report generation capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-8">
-         <title>Time Stamps</title>
-         <param id="au-8_prm_1">
-            <label>organization-defined granularity of time measurement</label>
-         </param>
-         <prop name="label">AU-8</prop>
-         <prop name="sort-id">au-08</prop>
-         <part id="au-8_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses internal system clocks to generate time stamps for audit records; and</p>
-            </part>
-            <part id="au-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Records time stamps for audit records that can be mapped to Coordinated Universal
-                  Time (UTC) or Greenwich Mean Time (GMT) and meets <insert param-id="au-8_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="au-8_gdn" name="guidance">
-            <p>Time stamps generated by the information system include date and time. Time is
-               commonly expressed in Coordinated Universal Time (UTC), a modern continuation of
-               Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
-               measurements refers to the degree of synchronization between information system
-               clocks and reference clocks, for example, clocks synchronizing within hundreds of
-               milliseconds or within tens of milliseconds. Organizations may define different time
-               granularities for different system components. Time service can also be critical to
-               other security capabilities such as access control and identification and
-               authentication, depending on the nature of the mechanisms used to support those
-               capabilities.</p>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-         </part>
-         <part id="au-8_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-8.a_obj" name="objective">
-               <prop name="label">AU-8(a)</prop>
-               <p>the information system uses internal system clocks to generate time stamps for
-                  audit records;</p>
-            </part>
-            <part id="au-8.b_obj" name="objective">
-               <prop name="label">AU-8(b)</prop>
-               <part id="au-8.b_obj.1" name="objective">
-                  <prop name="label">AU-8(b)[1]</prop>
-                  <p>the information system records time stamps for audit records that can be mapped
-                     to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);</p>
-               </part>
-               <part id="au-8.b_obj.2" name="objective">
-                  <prop name="label">AU-8(b)[2]</prop>
-                  <p>the organization defines the granularity of time measurement to be met when
-                     recording time stamps for audit records; and</p>
-               </part>
-               <part id="au-8.b_obj.3" name="objective">
-                  <prop name="label">AU-8(b)[3]</prop>
-                  <p>the organization records time stamps for audit records that meet the
-                     organization-defined granularity of time measurement.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing time stamp generation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing time stamp generation</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-8.1">
-            <title>Synchronization with Authoritative Time Source</title>
-            <param id="au-8.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="au-8.1_prm_2">
-               <label>organization-defined authoritative time source</label>
-            </param>
-            <param id="au-8.1_prm_3">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">AU-8(1)</prop>
-            <prop name="sort-id">au-08.01</prop>
-            <part id="au-8.1_smt" name="statement">
-               <p>The information system:</p>
-               <part id="au-8.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Compares the internal information system clocks <insert param-id="au-8.1_prm_1"/> with <insert param-id="au-8.1_prm_2"/>; and</p>
-               </part>
-               <part id="au-8.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Synchronizes the internal system clocks to the authoritative time source when
-                     the time difference is greater than <insert param-id="au-8.1_prm_3"/>.</p>
-               </part>
-            </part>
-            <part id="au-8.1_gdn" name="guidance">
-               <p>This control enhancement provides uniformity of time stamps for information
-                  systems with multiple system clocks and systems connected over a network.</p>
-            </part>
-            <part id="au-8.1_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="au-8.1.a_obj" name="objective">
-                  <prop name="label">AU-8(1)(a)</prop>
-                  <part id="au-8.1.a_obj.1" name="objective">
-                     <prop name="label">AU-8(1)(a)[1]</prop>
-                     <p>the organization defines the authoritative time source to which internal
-                        information system clocks are to be compared;</p>
-                  </part>
-                  <part id="au-8.1.a_obj.2" name="objective">
-                     <prop name="label">AU-8(1)(a)[2]</prop>
-                     <p>the organization defines the frequency to compare the internal information
-                        system clocks with the organization-defined authoritative time source;
-                        and</p>
-                  </part>
-                  <part id="au-8.1.a_obj.3" name="objective">
-                     <prop name="label">AU-8(1)(a)[3]</prop>
-                     <p>the information system compares the internal information system clocks with
-                        the organization-defined authoritative time source with organization-defined
-                        frequency; and</p>
-                  </part>
-                  <link rel="corresp" href="#au-8.1_smt.a">AU-8(1)(a)</link>
-               </part>
-               <part id="au-8.1.b_obj" name="objective">
-                  <prop name="label">AU-8(1)(b)</prop>
-                  <part id="au-8.1.b_obj.1" name="objective">
-                     <prop name="label">AU-8(1)(b)[1]</prop>
-                     <p>the organization defines the time period that, if exceeded by the time
-                        difference between the internal system clocks and the authoritative time
-                        source, will result in the internal system clocks being synchronized to the
-                        authoritative time source; and</p>
-                  </part>
-                  <part id="au-8.1.b_obj.2" name="objective">
-                     <prop name="label">AU-8(1)(b)[2]</prop>
-                     <p>the information system synchronizes the internal information system clocks
-                        to the authoritative time source when the time difference is greater than
-                        the organization-defined time period.</p>
-                  </part>
-                  <link rel="corresp" href="#au-8.1_smt.b">AU-8(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing time stamp generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing internal information system clock
-                     synchronization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-8.2">
-            <title>Secondary Authoritative Time Source</title>
-            <prop name="label">AU-8(2)</prop>
-            <prop name="sort-id">au-08.02</prop>
-            <part id="au-8.2_smt" name="statement">
-               <p>The information system identifies a secondary authoritative time source that is
-                  located in a different geographic region than the primary authoritative time
-                  source.</p>
-            </part>
-            <part id="au-8.2_obj" name="objective">
-               <p>Determine if the information system identifies a secondary authoritative time
-                  source that is located in a different geographic region than the primary
-                  authoritative time source. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing time stamp generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing internal information system clock
-                     authoritative time sources</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-9">
-         <title>Protection of Audit Information</title>
-         <prop name="label">AU-9</prop>
-         <prop name="sort-id">au-09</prop>
-         <part id="au-9_smt" name="statement">
-            <p>The information system protects audit information and audit tools from unauthorized
-               access, modification, and deletion.</p>
-         </part>
-         <part id="au-9_gdn" name="guidance">
-            <p>Audit information includes all information (e.g., audit records, audit settings, and
-               audit reports) needed to successfully audit information system activity. This control
-               focuses on technical protection of audit information. Physical protection of audit
-               information is addressed by media protection controls and physical and environmental
-               protection controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-         </part>
-         <part id="au-9_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="au-9_obj.1" name="objective">
-               <prop name="label">AU-9[1]</prop>
-               <p>the information system protects audit information from unauthorized:</p>
-               <part id="au-9_obj.1.a" name="objective">
-                  <prop name="label">AU-9[1][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.1.b" name="objective">
-                  <prop name="label">AU-9[1][b]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="au-9_obj.1.c" name="objective">
-                  <prop name="label">AU-9[1][c]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="au-9_obj.2" name="objective">
-               <prop name="label">AU-9[2]</prop>
-               <p>the information system protects audit tools from unauthorized:</p>
-               <part id="au-9_obj.2.a" name="objective">
-                  <prop name="label">AU-9[2][a]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="au-9_obj.2.b" name="objective">
-                  <prop name="label">AU-9[2][b]</prop>
-                  <p>modification; and</p>
-               </part>
-               <part id="au-9_obj.2.c" name="objective">
-                  <prop name="label">AU-9[2][c]</prop>
-                  <p>deletion.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>access control policy and procedures</p>
-               <p>procedures addressing protection of audit information</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation,
-                  information system audit records</p>
-               <p>audit tools</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit and accountability responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit information protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-9.1">
-            <title>Hardware Write-once Media</title>
-            <prop name="label">AU-9(1)</prop>
-            <prop name="sort-id">au-09.01</prop>
-            <part id="au-9.1_smt" name="statement">
-               <p>The information system writes audit trails to hardware-enforced, write-once
-                  media.</p>
-            </part>
-            <part id="au-9.1_gdn" name="guidance">
-               <p>This control enhancement applies to the initial generation of audit trails (i.e.,
-                  the collection of audit records that represents the audit information to be used
-                  for detection, analysis, and reporting purposes) and to the backup of those audit
-                  trails. The enhancement does not apply to the initial generation of audit records
-                  prior to being written to an audit trail. Write-once, read-many (WORM) media
-                  includes, for example, Compact Disk-Recordable (CD-R) and Digital Video
-                  Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media
-                  such as on tape cartridges or Universal Serial Bus (USB) drives results in
-                  write-protected, but not write-once, media.</p>
-               <link rel="related" href="#au-4">AU-4</link>
-               <link rel="related" href="#au-5">AU-5</link>
-            </part>
-            <part id="au-9.1_obj" name="objective">
-               <p>Determine if the information system writes audit trails to hardware-enforced,
-                  write-once media.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware settings</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system storage media</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system media storing audit trails</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.2">
-            <title>Audit Backup On Separate Physical Systems / Components</title>
-            <param id="au-9.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AU-9(2)</prop>
-            <prop name="sort-id">au-09.02</prop>
-            <part id="au-9.2_smt" name="statement">
-               <p>The information system backs up audit records <insert param-id="au-9.2_prm_1"/>
-                  onto a physically different system or system component than the system or
-                  component being audited.</p>
-            </part>
-            <part id="au-9.2_gdn" name="guidance">
-               <p>This control enhancement helps to ensure that a compromise of the information
-                  system being audited does not also result in a compromise of the audit
-                  records.</p>
-               <link rel="related" href="#au-4">AU-4</link>
-               <link rel="related" href="#au-5">AU-5</link>
-               <link rel="related" href="#au-11">AU-11</link>
-            </part>
-            <part id="au-9.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-9.2_obj.1" name="objective">
-                  <prop name="label">AU-9(2)[1]</prop>
-                  <p>the organization defines the frequency to back up audit records onto a
-                     physically different system or system component than the system or component
-                     being audited; and</p>
-               </part>
-               <part id="au-9.2_obj.2" name="objective">
-                  <prop name="label">AU-9(2)[2]</prop>
-                  <p>the information system backs up audit records with the organization-defined
-                     frequency, onto a physically different system or system component than the
-                     system or component being audited.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation, system
-                     or media storing backups of information system audit records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing the backing up of audit records</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.3">
-            <title>Cryptographic Protection</title>
-            <prop name="label">AU-9(3)</prop>
-            <prop name="sort-id">au-09.03</prop>
-            <part id="au-9.3_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  integrity of audit information and audit tools.</p>
-            </part>
-            <part id="au-9.3_gdn" name="guidance">
-               <p>Cryptographic mechanisms used for protecting the integrity of audit information
-                  include, for example, signed hash functions using asymmetric cryptography enabling
-                  distribution of the public key to verify the hash information while maintaining
-                  the confidentiality of the secret key used to generate the hash.</p>
-               <link rel="related" href="#au-10">AU-10</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="au-9.3_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="au-9.3_obj.1" name="objective">
-                  <prop name="label">AU-9(3)[1]</prop>
-                  <p>uses cryptographic mechanisms to protect the integrity of audit information;
-                     and</p>
-               </part>
-               <part id="au-9.3_obj.2" name="objective">
-                  <prop name="label">AU-9(3)[2]</prop>
-                  <p>uses cryptographic mechanisms to protect the integrity of audit tools.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware settings</p>
-                  <p>information system configuration settings and associated documentation,
-                     information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting integrity of audit information and
-                     tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.4">
-            <title>Access by Subset of Privileged Users</title>
-            <param id="au-9.4_prm_1">
-               <label>organization-defined subset of privileged users</label>
-            </param>
-            <prop name="label">AU-9(4)</prop>
-            <prop name="sort-id">au-09.04</prop>
-            <part id="au-9.4_smt" name="statement">
-               <p>The organization authorizes access to management of audit functionality to only
-                     <insert param-id="au-9.4_prm_1"/>.</p>
-            </part>
-            <part id="au-9.4_gdn" name="guidance">
-               <p>Individuals with privileged access to an information system and who are also the
-                  subject of an audit by that system, may affect the reliability of audit
-                  information by inhibiting audit activities or modifying audit records. This
-                  control enhancement requires that privileged access be further defined between
-                  audit-related privileges and other privileges, thus limiting the users with
-                  audit-related privileges.</p>
-               <link rel="related" href="#ac-5">AC-5</link>
-            </part>
-            <part id="au-9.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="au-9.4_obj.1" name="objective">
-                  <prop name="label">AU-9(4)[1]</prop>
-                  <p>defines a subset of privileged users to be authorized access to management of
-                     audit functionality; and</p>
-               </part>
-               <part id="au-9.4_obj.2" name="objective">
-                  <prop name="label">AU-9(4)[2]</prop>
-                  <p>authorizes access to management of audit functionality to only the
-                     organization-defined subset of privileged users.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation,
-                     system-generated list of privileged users with access to management of audit
-                     functionality</p>
-                  <p>access authorizations</p>
-                  <p>access control list</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms managing access to audit functionality</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.5">
-            <title>Dual Authorization</title>
-            <param id="au-9.5_prm_1">
-               <select how-many="one or more">
-                  <choice>movement</choice>
-                  <choice>deletion</choice>
-               </select>
-            </param>
-            <param id="au-9.5_prm_2">
-               <label>organization-defined audit information</label>
-            </param>
-            <prop name="label">AU-9(5)</prop>
-            <prop name="sort-id">au-09.05</prop>
-            <part id="au-9.5_smt" name="statement">
-               <p>The organization enforces dual authorization for <insert param-id="au-9.5_prm_1"/>
-                  of <insert param-id="au-9.5_prm_2"/>.</p>
-            </part>
-            <part id="au-9.5_gdn" name="guidance">
-               <p>Organizations may choose different selection options for different types of audit
-                  information. Dual authorization mechanisms require the approval of two authorized
-                  individuals in order to execute. Dual authorization may also be known as
-                  two-person control.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#mp-2">MP-2</link>
-            </part>
-            <part id="au-9.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="au-9.5_obj.1" name="objective">
-                  <prop name="label">AU-9(5)[1]</prop>
-                  <p>defines audit information for which dual authorization is to be enforced;</p>
-               </part>
-               <part id="au-9.5_obj.2" name="objective">
-                  <prop name="label">AU-9(5)[2]</prop>
-                  <p>defines one or more of the following types of operations on audit information
-                     for which dual authorization is to be enforced:</p>
-                  <part id="au-9.5_obj.2.a" name="objective">
-                     <prop name="label">AU-9(5)[2][a]</prop>
-                     <p>movement; and/or</p>
-                  </part>
-                  <part id="au-9.5_obj.2.b" name="objective">
-                     <prop name="label">AU-9(5)[2][b]</prop>
-                     <p>deletion; and</p>
-                  </part>
-               </part>
-               <part id="au-9.5_obj.3" name="objective">
-                  <prop name="label">AU-9(5)[3]</prop>
-                  <p>enforces dual authorization for the movement and/or deletion of
-                     organization-defined audit information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation, access
-                     authorizations</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing enforcement of dual authorization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.6">
-            <title>Read Only Access</title>
-            <param id="au-9.6_prm_1">
-               <label>organization-defined subset of privileged users</label>
-            </param>
-            <prop name="label">AU-9(6)</prop>
-            <prop name="sort-id">au-09.06</prop>
-            <part id="au-9.6_smt" name="statement">
-               <p>The organization authorizes read-only access to audit information to <insert param-id="au-9.6_prm_1"/>.</p>
-            </part>
-            <part id="au-9.6_gdn" name="guidance">
-               <p>Restricting privileged user authorizations to read-only helps to limit the
-                  potential damage to organizations that could be initiated by such users (e.g.,
-                  deleting audit records to cover up malicious activity).</p>
-            </part>
-            <part id="au-9.6_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="au-9.6_obj.1" name="objective">
-                  <prop name="label">AU-9(6)[1]</prop>
-                  <p>defines the subset of privileged users to be authorized read-only access to
-                     audit information; and</p>
-               </part>
-               <part id="au-9.6_obj.2" name="objective">
-                  <prop name="label">AU-9(6)[2]</prop>
-                  <p>authorizes read-only access to audit information to the organization-defined
-                     subset of privileged users.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing protection of audit information</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation,
-                     system-generated list of privileged users with read-only access to audit
-                     information</p>
-                  <p>access authorizations</p>
-                  <p>access control list</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit and accountability responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms managing access to audit information</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-10">
-         <title>Non-repudiation</title>
-         <param id="au-10_prm_1">
-            <label>organization-defined actions to be covered by non-repudiation</label>
-         </param>
-         <prop name="label">AU-10</prop>
-         <prop name="sort-id">au-10</prop>
-         <part id="au-10_smt" name="statement">
-            <p>The information system protects against an individual (or process acting on behalf of
-               an individual) falsely denying having performed <insert param-id="au-10_prm_1"/>.</p>
-         </part>
-         <part id="au-10_gdn" name="guidance">
-            <p>Types of individual actions covered by non-repudiation include, for example, creating
-               information, sending and receiving messages, approving information (e.g., indicating
-               concurrence or signing a contract). Non-repudiation protects individuals against
-               later claims by: (i) authors of not having authored particular documents; (ii)
-               senders of not having transmitted messages; (iii) receivers of not having received
-               messages; or (iv) signatories of not having signed documents. Non-repudiation
-               services can be used to determine if information originated from a particular
-               individual, or if an individual took specific actions (e.g., sending an email,
-               signing a contract, approving a procurement request) or received specific
-               information. Organizations obtain non-repudiation services by employing various
-               techniques or mechanisms (e.g., digital signatures, digital message receipts).</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-            <link rel="related" href="#sc-23">SC-23</link>
-         </part>
-         <part id="au-10_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="au-10_obj.1" name="objective">
-               <prop name="label">AU-10[1]</prop>
-               <p>the organization defines actions to be covered by non-repudiation; and</p>
-            </part>
-            <part id="au-10_obj.2" name="objective">
-               <prop name="label">AU-10[2]</prop>
-               <p>the information system protects against an individual (or process acting on behalf
-                  of an individual) falsely denying having performed organization-defined actions to
-                  be covered by non-repudiation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing non-repudiation</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing non-repudiation capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-10.1">
-            <title>Association of Identities</title>
-            <param id="au-10.1_prm_1">
-               <label>organization-defined strength of binding</label>
-            </param>
-            <prop name="label">AU-10(1)</prop>
-            <prop name="sort-id">au-10.01</prop>
-            <part id="au-10.1_smt" name="statement">
-               <p>The information system:</p>
-               <part id="au-10.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Binds the identity of the information producer with the information to <insert param-id="au-10.1_prm_1"/>; and</p>
-               </part>
-               <part id="au-10.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Provides the means for authorized individuals to determine the identity of the
-                     producer of the information.</p>
-               </part>
-            </part>
-            <part id="au-10.1_gdn" name="guidance">
-               <p>This control enhancement supports audit requirements that provide organizational
-                  personnel with the means to identify who produced specific information in the
-                  event of an information transfer. Organizations determine and approve the strength
-                  of the binding between the information producer and the information based on the
-                  security category of the information and relevant risk factors.</p>
-               <link rel="related" href="#ac-4">AC-4</link>
-               <link rel="related" href="#ac-16">AC-16</link>
-            </part>
-            <part id="au-10.1_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="au-10.1.a_obj" name="objective">
-                  <prop name="label">AU-10(1)(a)</prop>
-                  <part id="au-10.1.a_obj.1" name="objective">
-                     <prop name="label">AU-10(1)(a)[1]</prop>
-                     <p>the organization defines the strength of binding to be employed between the
-                        identity of the information producer and the information;</p>
-                  </part>
-                  <part id="au-10.1.a_obj.2" name="objective">
-                     <prop name="label">AU-10(1)(a)[2]</prop>
-                     <p>the information system binds the identity of the information producer with
-                        the information to the organization-defined strength of binding; and</p>
-                  </part>
-                  <link rel="corresp" href="#au-10.1_smt.a">AU-10(1)(a)</link>
-               </part>
-               <part id="au-10.1.b_obj" name="objective">
-                  <prop name="label">AU-10(1)(b)</prop>
-                  <p>the information system provides the means for authorized individuals to
-                     determine the identity of the producer of the information.</p>
-                  <link rel="corresp" href="#au-10.1_smt.b">AU-10(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing non-repudiation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing non-repudiation capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-10.2">
-            <title>Validate Binding of Information Producer Identity</title>
-            <param id="au-10.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="au-10.2_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">AU-10(2)</prop>
-            <prop name="sort-id">au-10.02</prop>
-            <part id="au-10.2_smt" name="statement">
-               <p>The information system:</p>
-               <part id="au-10.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Validates the binding of the information producer identity to the information
-                     at <insert param-id="au-10.2_prm_1"/>; and</p>
-               </part>
-               <part id="au-10.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Performs <insert param-id="au-10.2_prm_2"/> in the event of a validation
-                     error.</p>
-               </part>
-            </part>
-            <part id="au-10.2_gdn" name="guidance">
-               <p>This control enhancement prevents the modification of information between
-                  production and review. The validation of bindings can be achieved, for example, by
-                  the use of cryptographic checksums. Organizations determine if validations are in
-                  response to user requests or generated automatically.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#ac-4">AC-4</link>
-               <link rel="related" href="#ac-16">AC-16</link>
-            </part>
-            <part id="au-10.2_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="au-10.2.a_obj" name="objective">
-                  <prop name="label">AU-10(2)(a)</prop>
-                  <part id="au-10.2.a_obj.1" name="objective">
-                     <prop name="label">AU-10(2)(a)[1]</prop>
-                     <p>the organization defines the frequency to validate the binding of the
-                        information producer identity to the information;</p>
-                  </part>
-                  <part id="au-10.2.a_obj.2" name="objective">
-                     <prop name="label">AU-10(2)(a)[2]</prop>
-                     <p>the information system validates the binding of the information producer
-                        identity to the information at the organization-defined frequency; and</p>
-                  </part>
-                  <link rel="corresp" href="#au-10.2_smt.a">AU-10(2)(a)</link>
-               </part>
-               <part id="au-10.2.b_obj" name="objective">
-                  <prop name="label">AU-10(2)(b)</prop>
-                  <part id="au-10.2.b_obj.1" name="objective">
-                     <prop name="label">AU-10(2)(b)[1]</prop>
-                     <p>the organization defines actions to be performed in the event of a
-                        validation error; and</p>
-                  </part>
-                  <part id="au-10.2.b_obj.2" name="objective">
-                     <prop name="label">AU-10(2)(b)[2]</prop>
-                     <p>the information system performs organization-defined actions in the event of
-                        a validation error.</p>
-                  </part>
-                  <link rel="corresp" href="#au-10.2_smt.b">AU-10(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing non-repudiation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>validation records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing non-repudiation capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-10.3">
-            <title>Chain of Custody</title>
-            <prop name="label">AU-10(3)</prop>
-            <prop name="sort-id">au-10.03</prop>
-            <part id="au-10.3_smt" name="statement">
-               <p>The information system maintains reviewer/releaser identity and credentials within
-                  the established chain of custody for all information reviewed or released.</p>
-            </part>
-            <part id="au-10.3_gdn" name="guidance">
-               <p>Chain of custody is a process that tracks the movement of evidence through its
-                  collection, safeguarding, and analysis life cycle by documenting each person who
-                  handled the evidence, the date and time it was collected or transferred, and the
-                  purpose for the transfer. If the reviewer is a human or if the review function is
-                  automated but separate from the release/transfer function, the information system
-                  associates the identity of the reviewer of the information to be released with the
-                  information and the information label. In the case of human reviews, this control
-                  enhancement provides organizational officials the means to identify who reviewed
-                  and released the information. In the case of automated reviews, this control
-                  enhancement ensures that only approved review functions are employed.</p>
-               <link rel="related" href="#ac-4">AC-4</link>
-               <link rel="related" href="#ac-16">AC-16</link>
-            </part>
-            <part id="au-10.3_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="au-10.3_obj.1" name="objective">
-                  <prop name="label">AU-10(3)[1]</prop>
-                  <p>maintains reviewer/releaser identity within the established chain of custody
-                     for all information reviewed;</p>
-               </part>
-               <part id="au-10.3_obj.2" name="objective">
-                  <prop name="label">AU-10(3)[2]</prop>
-                  <p>maintains reviewer/releaser identity within the established chain of custody
-                     for all information released;</p>
-               </part>
-               <part id="au-10.3_obj.3" name="objective">
-                  <prop name="label">AU-10(3)[3]</prop>
-                  <p>maintains reviewer/releaser credentials within the established chain of custody
-                     for all information reviewed; and</p>
-               </part>
-               <part id="au-10.3_obj.4" name="objective">
-                  <prop name="label">AU-10(3)[4]</prop>
-                  <p>maintains reviewer/releaser credentials within the established chain of custody
-                     for all information released.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing non-repudiation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of information reviews and releases</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing non-repudiation capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-10.4">
-            <title>Validate Binding of Information Reviewer Identity</title>
-            <param id="au-10.4_prm_1">
-               <label>organization-defined security domains</label>
-            </param>
-            <param id="au-10.4_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">AU-10(4)</prop>
-            <prop name="sort-id">au-10.04</prop>
-            <part id="au-10.4_smt" name="statement">
-               <p>The information system:</p>
-               <part id="au-10.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Validates the binding of the information reviewer identity to the information
-                     at the transfer or release points prior to release/transfer between <insert param-id="au-10.4_prm_1"/>; and</p>
-               </part>
-               <part id="au-10.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Performs <insert param-id="au-10.4_prm_2"/> in the event of a validation
-                     error.</p>
-               </part>
-            </part>
-            <part id="au-10.4_gdn" name="guidance">
-               <p>This control enhancement prevents the modification of information between review
-                  and transfer/release. The validation of bindings can be achieved, for example, by
-                  the use of cryptographic checksums. Organizations determine validations are in
-                  response to user requests or generated automatically.</p>
-               <link rel="related" href="#ac-4">AC-4</link>
-               <link rel="related" href="#ac-16">AC-16</link>
-            </part>
-            <part id="au-10.4_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="au-10.4.a_obj" name="objective">
-                  <prop name="label">AU-10(4)(a)</prop>
-                  <part id="au-10.4.a_obj.1" name="objective">
-                     <prop name="label">AU-10(4)(a)[1]</prop>
-                     <p>the organization defines security domains for which the binding of the
-                        information reviewer identity to the information is to be validated at the
-                        transfer or release points prior to release/transfer between such
-                        domains;</p>
-                  </part>
-                  <part id="au-10.4.a_obj.2" name="objective">
-                     <prop name="label">AU-10(4)(a)[2]</prop>
-                     <p>the information system validates the binding of the information reviewer
-                        identity to the information at the transfer or release points prior to
-                        release/transfer between organization-defined security domains;</p>
-                  </part>
-                  <link rel="corresp" href="#au-10.4_smt.a">AU-10(4)(a)</link>
-               </part>
-               <part id="au-10.4.b_obj" name="objective">
-                  <prop name="label">AU-10(4)(b)</prop>
-                  <part id="au-10.4.b_obj.1" name="objective">
-                     <prop name="label">AU-10(4)(b)[1]</prop>
-                     <p>the organization defines actions to be performed in the event of a
-                        validation error; and</p>
-                  </part>
-                  <part id="au-10.4.b_obj.2" name="objective">
-                     <prop name="label">AU-10(4)(b)[2]</prop>
-                     <p>the information system performs organization-defined actions in the event of
-                        a validation error.</p>
-                  </part>
-                  <link rel="corresp" href="#au-10.4_smt.b">AU-10(4)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing non-repudiation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>validation records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing non-repudiation capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-10.5">
-            <title>Digital Signatures</title>
-            <prop name="label">AU-10(5)</prop>
-            <prop name="sort-id">au-10.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-11">
-         <title>Audit Record Retention</title>
-         <param id="au-11_prm_1">
-            <label>organization-defined time period consistent with records retention policy</label>
-         </param>
-         <prop name="label">AU-11</prop>
-         <prop name="sort-id">au-11</prop>
-         <part id="au-11_smt" name="statement">
-            <p>The organization retains audit records for <insert param-id="au-11_prm_1"/> to
-               provide support for after-the-fact investigations of security incidents and to meet
-               regulatory and organizational information retention requirements.</p>
-         </part>
-         <part id="au-11_gdn" name="guidance">
-            <p>Organizations retain audit records until it is determined that they are no longer
-               needed for administrative, legal, audit, or other operational purposes. This
-               includes, for example, retention and availability of audit records relative to
-               Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions.
-               Organizations develop standard categories of audit records relative to such types of
-               actions and standard response processes for each type of action. The National
-               Archives and Records Administration (NARA) General Records Schedules provide federal
-               policy on record retention.</p>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="au-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-11_obj.1" name="objective">
-               <prop name="label">AU-11[1]</prop>
-               <p>defines a time period to retain audit records that is consistent with records
-                  retention policy;</p>
-            </part>
-            <part id="au-11_obj.2" name="objective">
-               <prop name="label">AU-11[2]</prop>
-               <p>retains audit records for the organization-defined time period consistent with
-                  records retention policy to:</p>
-               <part id="au-11_obj.2.a" name="objective">
-                  <prop name="label">AU-11[2][a]</prop>
-                  <p>provide support for after-the-fact investigations of security incidents;
-                     and</p>
-               </part>
-               <part id="au-11_obj.2.b" name="objective">
-                  <prop name="label">AU-11[2][b]</prop>
-                  <p>meet regulatory and organizational information retention requirements.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>audit record retention policy and procedures</p>
-               <p>security plan</p>
-               <p>organization-defined retention period for audit records</p>
-               <p>audit record archives</p>
-               <p>audit logs</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record retention responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-11.1">
-            <title>Long-term Retrieval Capability</title>
-            <param id="au-11.1_prm_1">
-               <label>organization-defined measures</label>
-            </param>
-            <prop name="label">AU-11(1)</prop>
-            <prop name="sort-id">au-11.01</prop>
-            <part id="au-11.1_smt" name="statement">
-               <p>The organization employs <insert param-id="au-11.1_prm_1"/> to ensure that
-                  long-term audit records generated by the information system can be retrieved.</p>
-            </part>
-            <part id="au-11.1_gdn" name="guidance">
-               <p>Measures employed by organizations to help facilitate the retrieval of audit
-                  records include, for example, converting records to newer formats, retaining
-                  equipment capable of reading the records, and retaining necessary documentation to
-                  help organizational personnel understand how to interpret the records.</p>
-            </part>
-            <part id="au-11.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="au-11.1_obj.1" name="objective">
-                  <prop name="label">AU-11(1)[1]</prop>
-                  <p>defines measures to be employed to ensure that long-term audit records
-                     generated by the information system can be retrieved; and</p>
-               </part>
-               <part id="au-11.1_obj.2" name="objective">
-                  <prop name="label">AU-11(1)[2]</prop>
-                  <p>employs organization-defined measures to ensure that long-term audit records
-                     generated by the information system can be retrieved.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>audit record retention policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit record archives</p>
-                  <p>audit logs</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit record retention responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing audit record retention capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-12">
-         <title>Audit Generation</title>
-         <param id="au-12_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="au-12_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-12</prop>
-         <prop name="sort-id">au-12</prop>
-         <part id="au-12_smt" name="statement">
-            <p>The information system:</p>
-            <part id="au-12_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides audit record generation capability for the auditable events defined in
-                  AU-2 a. at <insert param-id="au-12_prm_1"/>;</p>
-            </part>
-            <part id="au-12_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows <insert param-id="au-12_prm_2"/> to select which auditable events are to be
-                  audited by specific components of the information system; and</p>
-            </part>
-            <part id="au-12_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Generates audit records for the events defined in AU-2 d. with the content defined
-                  in AU-3.</p>
-            </part>
-         </part>
-         <part id="au-12_gdn" name="guidance">
-            <p>Audit records can be generated from many different information system components. The
-               list of audited events is the set of events for which audits are to be generated.
-               These events are typically a subset of all events for which the information system is
-               capable of generating audit records.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-         </part>
-         <part id="au-12_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="au-12.a_obj" name="objective">
-               <prop name="label">AU-12(a)</prop>
-               <part id="au-12.a_obj.1" name="objective">
-                  <prop name="label">AU-12(a)[1]</prop>
-                  <p>the organization defines the information system components which are to provide
-                     audit record generation capability for the auditable events defined in
-                     AU-2a;</p>
-               </part>
-               <part id="au-12.a_obj.2" name="objective">
-                  <prop name="label">AU-12(a)[2]</prop>
-                  <p>the information system provides audit record generation capability, for the
-                     auditable events defined in AU-2a, at organization-defined information system
-                     components;</p>
-               </part>
-            </part>
-            <part id="au-12.b_obj" name="objective">
-               <prop name="label">AU-12(b)</prop>
-               <part id="au-12.b_obj.1" name="objective">
-                  <prop name="label">AU-12(b)[1]</prop>
-                  <p>the organization defines the personnel or roles allowed to select which
-                     auditable events are to be audited by specific components of the information
-                     system;</p>
-               </part>
-               <part id="au-12.b_obj.2" name="objective">
-                  <prop name="label">AU-12(b)[2]</prop>
-                  <p>the information system allows the organization-defined personnel or roles to
-                     select which auditable events are to be audited by specific components of the
-                     system; and</p>
-               </part>
-            </part>
-            <part id="au-12.c_obj" name="objective">
-               <prop name="label">AU-12(c)</prop>
-               <p>the information system generates audit records for the events defined in AU-2d
-                  with the content in defined in AU-3.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing audit record generation</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of auditable events</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with audit record generation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing audit record generation capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-12.1">
-            <title>System-wide / Time-correlated Audit Trail</title>
-            <param id="au-12.1_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <param id="au-12.1_prm_2">
-               <label>organization-defined level of tolerance for the relationship between time
-                  stamps of individual records in the audit trail</label>
-            </param>
-            <prop name="label">AU-12(1)</prop>
-            <prop name="sort-id">au-12.01</prop>
-            <part id="au-12.1_smt" name="statement">
-               <p>The information system compiles audit records from <insert param-id="au-12.1_prm_1"/> into a system-wide (logical or physical) audit trail
-                  that is time-correlated to within <insert param-id="au-12.1_prm_2"/>.</p>
-            </part>
-            <part id="au-12.1_gdn" name="guidance">
-               <p>Audit trails are time-correlated if the time stamps in the individual audit
-                  records can be reliably related to the time stamps in other audit records to
-                  achieve a time ordering of the records within organizational tolerances.</p>
-               <link rel="related" href="#au-8">AU-8</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="au-12.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="au-12.1_obj.1" name="objective">
-                  <prop name="label">AU-12(1)[1]</prop>
-                  <p>the organization defines the information system components from which audit
-                     records are to be compiled into a system-wide (logical or physical) audit
-                     trail;</p>
-               </part>
-               <part id="au-12.1_obj.2" name="objective">
-                  <prop name="label">AU-12(1)[2]</prop>
-                  <p>the organization defines the level of tolerance for the relationship between
-                     time stamps of individual records in the audit trail; and</p>
-               </part>
-               <part id="au-12.1_obj.3" name="objective">
-                  <prop name="label">AU-12(1)[3]</prop>
-                  <p>the information system compiles audit records from organization-defined
-                     information system components into a system-wide (logical or physical) audit
-                     trail that is time-correlated to within the organization-defined level of
-                     tolerance for the relationship between time stamps of individual records in the
-                     audit trail.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit record generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-wide audit trail (logical or physical)</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit record generation responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing audit record generation capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-12.2">
-            <title>Standardized Formats</title>
-            <prop name="label">AU-12(2)</prop>
-            <prop name="sort-id">au-12.02</prop>
-            <part id="au-12.2_smt" name="statement">
-               <p>The information system produces a system-wide (logical or physical) audit trail
-                  composed of audit records in a standardized format.</p>
-            </part>
-            <part id="au-12.2_gdn" name="guidance">
-               <p>Audit information that is normalized to common standards promotes interoperability
-                  and exchange of such information between dissimilar devices and information
-                  systems. This facilitates production of event information that can be more readily
-                  analyzed and correlated. Standard formats for audit records include, for example,
-                  system log records and audit records compliant with Common Event Expressions
-                  (CEE). If logging mechanisms within information systems do not conform to
-                  standardized formats, systems may convert individual audit records into
-                  standardized formats when compiling system-wide audit trails.</p>
-            </part>
-            <part id="au-12.2_obj" name="objective">
-               <p>Determine if the information system produces a system-wide (logical or physical)
-                  audit trail composed of audit records in a standardized format.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit record generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-wide audit trail (logical or physical)</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit record generation responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing audit record generation capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-12.3">
-            <title>Changes by Authorized Individuals</title>
-            <param id="au-12.3_prm_1">
-               <label>organization-defined individuals or roles</label>
-            </param>
-            <param id="au-12.3_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <param id="au-12.3_prm_3">
-               <label>organization-defined selectable event criteria</label>
-            </param>
-            <param id="au-12.3_prm_4">
-               <label>organization-defined time thresholds</label>
-            </param>
-            <prop name="label">AU-12(3)</prop>
-            <prop name="sort-id">au-12.03</prop>
-            <part id="au-12.3_smt" name="statement">
-               <p>The information system provides the capability for <insert param-id="au-12.3_prm_1"/> to change the auditing to be performed on <insert param-id="au-12.3_prm_2"/> based on <insert param-id="au-12.3_prm_3"/> within
-                     <insert param-id="au-12.3_prm_4"/>.</p>
-            </part>
-            <part id="au-12.3_gdn" name="guidance">
-               <p>This control enhancement enables organizations to extend or limit auditing as
-                  necessary to meet organizational requirements. Auditing that is limited to
-                  conserve information system resources may be extended to address certain threat
-                  situations. In addition, auditing may be limited to a specific set of events to
-                  facilitate audit reduction, analysis, and reporting. Organizations can establish
-                  time thresholds in which audit actions are changed, for example, near real-time,
-                  within minutes, or within hours.</p>
-               <link rel="related" href="#au-7">AU-7</link>
-            </part>
-            <part id="au-12.3_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="au-12.3_obj.1" name="objective">
-                  <prop name="label">AU-12(3)[1]</prop>
-                  <p>the organization defines information system components on which auditing is to
-                     be performed;</p>
-               </part>
-               <part id="au-12.3_obj.2" name="objective">
-                  <prop name="label">AU-12(3)[2]</prop>
-                  <p>the organization defines individuals or roles authorized to change the auditing
-                     to be performed on organization-defined information system components;</p>
-               </part>
-               <part id="au-12.3_obj.3" name="objective">
-                  <prop name="label">AU-12(3)[3]</prop>
-                  <p>the organization defines time thresholds within which organization-defined
-                     individuals or roles can change the auditing to be performed on
-                     organization-defined information system components;</p>
-               </part>
-               <part id="au-12.3_obj.4" name="objective">
-                  <prop name="label">AU-12(3)[4]</prop>
-                  <p>the organization defines selectable event criteria that support the capability
-                     for organization-defined individuals or roles to change the auditing to be
-                     performed on organization-defined information system components; and</p>
-               </part>
-               <part id="au-12.3_obj.5" name="objective">
-                  <prop name="label">AU-12(3)[5]</prop>
-                  <p>the information system provides the capability for organization-defined
-                     individuals or roles to change the auditing to be performed on
-                     organization-defined information system components based on
-                     organization-defined selectable event criteria within organization-defined time
-                     thresholds.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing audit record generation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system-generated list of individuals or roles authorized to change auditing to
-                     be performed</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with audit record generation responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing audit record generation capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-13">
-         <title>Monitoring for Information Disclosure</title>
-         <param id="au-13_prm_1">
-            <label>organization-defined open source information and/or information sites</label>
-         </param>
-         <param id="au-13_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AU-13</prop>
-         <prop name="sort-id">au-13</prop>
-         <part id="au-13_smt" name="statement">
-            <p>The organization monitors <insert param-id="au-13_prm_1"/>
-               <insert param-id="au-13_prm_2"/> for evidence of unauthorized disclosure of
-               organizational information.</p>
-         </part>
-         <part id="au-13_gdn" name="guidance">
-            <p>Open source information includes, for example, social networking sites.</p>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="au-13_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-13_obj.1" name="objective">
-               <prop name="label">AU-13[1]</prop>
-               <p>defines open source information and/or information sites to be monitored for
-                  evidence of unauthorized disclosure of organizational information;</p>
-            </part>
-            <part id="au-13_obj.2" name="objective">
-               <prop name="label">AU-13[2]</prop>
-               <p>defines a frequency to monitor organization-defined open source information and/or
-                  information sites for evidence of unauthorized disclosure of organizational
-                  information; and</p>
-            </part>
-            <part id="au-13_obj.3" name="objective">
-               <prop name="label">AU-13[3]</prop>
-               <p>monitors organization-defined open source information and/or information sites for
-                  evidence of unauthorized disclosure of organizational information with the
-                  organization-defined frequency.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing information disclosure monitoring</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for monitoring open source
-                  information and/or information sites</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing monitoring for information disclosure</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-13.1">
-            <title>Use of Automated Tools</title>
-            <prop name="label">AU-13(1)</prop>
-            <prop name="sort-id">au-13.01</prop>
-            <part id="au-13.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to determine if organizational
-                  information has been disclosed in an unauthorized manner.</p>
-            </part>
-            <part id="au-13.1_gdn" name="guidance">
-               <p>Automated mechanisms can include, for example, automated scripts to monitor new
-                  posts on selected websites, and commercial services providing notifications and
-                  alerts to organizations.</p>
-            </part>
-            <part id="au-13.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to determine if
-                  organizational information has been disclosed in an unauthorized manner. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing information disclosure monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>automated monitoring tools</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for monitoring information
-                     disclosures</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing monitoring for information disclosure</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-13.2">
-            <title>Review of Monitored Sites</title>
-            <param id="au-13.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AU-13(2)</prop>
-            <prop name="sort-id">au-13.02</prop>
-            <part id="au-13.2_smt" name="statement">
-               <p>The organization reviews the open source information sites being monitored <insert param-id="au-13.2_prm_1"/>.</p>
-            </part>
-            <part id="au-13.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="au-13.2_obj.1" name="objective">
-                  <prop name="label">AU-13(2)[1]</prop>
-                  <p>defines a frequency to review the open source information sites being
-                     monitored; and</p>
-               </part>
-               <part id="au-13.2_obj.2" name="objective">
-                  <prop name="label">AU-13(2)[2]</prop>
-                  <p>reviews the open source information sites being monitored with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing information disclosure monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>reviews for open source information sites being monitored</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for monitoring open source
-                     information sites</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing monitoring for information disclosure</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-14">
-         <title>Session Audit</title>
-         <prop name="label">AU-14</prop>
-         <prop name="sort-id">au-14</prop>
-         <part id="au-14_smt" name="statement">
-            <p>The information system provides the capability for authorized users to select a user
-               session to capture/record or view/hear.</p>
-         </part>
-         <part id="au-14_gdn" name="guidance">
-            <p>Session audits include, for example, monitoring keystrokes, tracking websites
-               visited, and recording information and/or file transfers. Session auditing activities
-               are developed, integrated, and used in consultation with legal counsel in accordance
-               with applicable federal laws, Executive Orders, directives, policies, regulations, or
-               standards.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-11">AU-11</link>
-         </part>
-         <part id="au-14_obj" name="objective">
-            <p>Determine if the information system provides the capability for authorized users to
-               select a user session to: </p>
-            <part id="au-14_obj.1" name="objective">
-               <prop name="label">AU-14[1]</prop>
-               <p>capture/record; and/or</p>
-            </part>
-            <part id="au-14_obj.2" name="objective">
-               <prop name="label">AU-14[2]</prop>
-               <p>view/hear.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing user session auditing</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing user session auditing capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-14.1">
-            <title>System Start-up</title>
-            <prop name="label">AU-14(1)</prop>
-            <prop name="sort-id">au-14.01</prop>
-            <part id="au-14.1_smt" name="statement">
-               <p>The information system initiates session audits at system start-up.</p>
-            </part>
-            <part id="au-14.1_obj" name="objective">
-               <p>Determine if the information system initiates session audits at system start-up.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing user session auditing</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing user session auditing capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-14.2">
-            <title>Capture/record and Log Content</title>
-            <prop name="label">AU-14(2)</prop>
-            <prop name="sort-id">au-14.02</prop>
-            <part id="au-14.2_smt" name="statement">
-               <p>The information system provides the capability for authorized users to
-                  capture/record and log content related to a user session.</p>
-            </part>
-            <part id="au-14.2_obj" name="objective">
-               <p>Determine if the information system provides the capability for authorized users
-                  to: </p>
-               <part id="au-14.2_obj.1" name="objective">
-                  <prop name="label">AU-14(2)[1]</prop>
-                  <p>capture/record content related to a user session; and</p>
-               </part>
-               <part id="au-14.2_obj.2" name="objective">
-                  <prop name="label">AU-14(2)[2]</prop>
-                  <p>log content related to a user session.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing user session auditing</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing user session auditing capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-14.3">
-            <title>Remote Viewing / Listening</title>
-            <prop name="label">AU-14(3)</prop>
-            <prop name="sort-id">au-14.03</prop>
-            <part id="au-14.3_smt" name="statement">
-               <p>The information system provides the capability for authorized users to remotely
-                  view/hear all content related to an established user session in real time.</p>
-            </part>
-            <part id="au-14.3_obj" name="objective">
-               <p>Determine if the information system provides the capability for authorized users
-                  to remotely view/hear all content related to an established user session in real
-                  time. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing user session auditing</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing user session auditing capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-15">
-         <title>Alternate Audit Capability</title>
-         <param id="au-15_prm_1">
-            <label>organization-defined alternate audit functionality</label>
-         </param>
-         <prop name="label">AU-15</prop>
-         <prop name="sort-id">au-15</prop>
-         <part id="au-15_smt" name="statement">
-            <p>The organization provides an alternate audit capability in the event of a failure in
-               primary audit capability that provides <insert param-id="au-15_prm_1"/>.</p>
-         </part>
-         <part id="au-15_gdn" name="guidance">
-            <p>Since an alternate audit capability may be a short-term protection employed until the
-               failure in the primary auditing capability is corrected, organizations may determine
-               that the alternate audit capability need only provide a subset of the primary audit
-               functionality that is impacted by the failure.</p>
-            <link rel="related" href="#au-5">AU-5</link>
-         </part>
-         <part id="au-15_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-15_obj.1" name="objective">
-               <prop name="label">AU-15[1]</prop>
-               <p>defines alternative audit functionality to be provided in the event of a failure
-                  in primary audit capability; and</p>
-            </part>
-            <part id="au-15_obj.2" name="objective">
-               <prop name="label">AU-15[2]</prop>
-               <p>provides an alternative audit capability in the event of a failure in primary
-                  audit capability that provides organization-defined alternative audit
-                  functionality.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing alternate audit capability</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>test records for alternative audit capability</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel responsible for providing alternate audit capability</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing alternative audit capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-16">
-         <title>Cross-organizational Auditing</title>
-         <param id="au-16_prm_1">
-            <label>organization-defined methods</label>
-         </param>
-         <param id="au-16_prm_2">
-            <label>organization-defined audit information</label>
-         </param>
-         <prop name="label">AU-16</prop>
-         <prop name="sort-id">au-16</prop>
-         <part id="au-16_smt" name="statement">
-            <p>The organization employs <insert param-id="au-16_prm_1"/> for coordinating <insert param-id="au-16_prm_2"/> among external organizations when audit information is
-               transmitted across organizational boundaries.</p>
-         </part>
-         <part id="au-16_gdn" name="guidance">
-            <p>When organizations use information systems and/or services of external organizations,
-               the auditing capability necessitates a coordinated approach across organizations. For
-               example, maintaining the identity of individuals that requested particular services
-               across organizational boundaries may often be very difficult, and doing so may prove
-               to have significant performance ramifications. Therefore, it is often the case that
-               cross-organizational auditing (e.g., the type of auditing capability provided by
-               service-oriented architectures) simply captures the identity of individuals issuing
-               requests at the initial information system, and subsequent systems record that the
-               requests emanated from authorized individuals.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-         </part>
-         <part id="au-16_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="au-16_obj.1" name="objective">
-               <prop name="label">AU-16[1]</prop>
-               <p>defines audit information to be coordinated among external organizations when
-                  audit information is transmitted across organizational boundaries;</p>
-            </part>
-            <part id="au-16_obj.2" name="objective">
-               <prop name="label">AU-16[2]</prop>
-               <p>defines methods for coordinating organization-defined audit information among
-                  external organizations when audit information is transmitted across organizational
-                  boundaries; and</p>
-            </part>
-            <part id="au-16_obj.3" name="objective">
-               <prop name="label">AU-16[3]</prop>
-               <p>employs organization-defined methods for coordinating organization-defined audit
-                  information among external organizations when audit information is transmitted
-                  across organizational boundaries.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Audit and accountability policy</p>
-               <p>procedures addressing methods for coordinating audit information among external
-                  organizations</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>methods for coordinating audit information among external organizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for coordinating audit information
-                  among external organizations</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing cross-organizational auditing (if
-                  applicable)</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="au-16.1">
-            <title>Identity Preservation</title>
-            <prop name="label">AU-16(1)</prop>
-            <prop name="sort-id">au-16.01</prop>
-            <part id="au-16.1_smt" name="statement">
-               <p>The organization requires that the identity of individuals be preserved in
-                  cross-organizational audit trails.</p>
-            </part>
-            <part id="au-16.1_gdn" name="guidance">
-               <p>This control enhancement applies when there is a need to be able to trace actions
-                  that are performed across organizational boundaries to a specific individual.</p>
-            </part>
-            <part id="au-16.1_obj" name="objective">
-               <p>Determine if the organization requires that the identity of individuals be
-                  preserved in cross- organizational audit trails.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing cross-organizational audit trails</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with cross-organizational audit responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing cross-organizational auditing (if
-                     applicable)</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-16.2">
-            <title>Sharing of Audit Information</title>
-            <param id="au-16.2_prm_1">
-               <label>organization-defined organizations</label>
-            </param>
-            <param id="au-16.2_prm_2">
-               <label>organization-defined cross-organizational sharing agreements</label>
-            </param>
-            <prop name="label">AU-16(2)</prop>
-            <prop name="sort-id">au-16.02</prop>
-            <part id="au-16.2_smt" name="statement">
-               <p>The organization provides cross-organizational audit information to <insert param-id="au-16.2_prm_1"/> based on <insert param-id="au-16.2_prm_2"/>.</p>
-            </part>
-            <part id="au-16.2_gdn" name="guidance">
-               <p>Because of the distributed nature of the audit information, cross-organization
-                  sharing of audit information may be essential for effective analysis of the
-                  auditing being performed. For example, the audit records of one organization may
-                  not provide sufficient information to determine the appropriate or inappropriate
-                  use of organizational information resources by individuals in other organizations.
-                  In some instances, only the home organizations of individuals have the appropriate
-                  knowledge to make such determinations, thus requiring the sharing of audit
-                  information among organizations.</p>
-            </part>
-            <part id="au-16.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="au-16.2_obj.1" name="objective">
-                  <prop name="label">AU-16(2)[1]</prop>
-                  <p>defines organizations with whom cross-organizational audit information is to be
-                     shared;</p>
-               </part>
-               <part id="au-16.2_obj.2" name="objective">
-                  <prop name="label">AU-16(2)[2]</prop>
-                  <p>defines cross-organizational sharing agreements to be used when providing
-                     cross-organizational audit information to organization-defined organizations;
-                     and</p>
-               </part>
-               <part id="au-16.2_obj.3" name="objective">
-                  <prop name="label">AU-16(2)[3]</prop>
-                  <p>provides cross-organizational audit information to organization-defined
-                     organizations based on organization-defined cross-organizational sharing
-                     agreements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Audit and accountability policy</p>
-                  <p>procedures addressing cross-organizational sharing of audit information</p>
-                  <p>cross-organizational sharing agreements</p>
-                  <p>data sharing agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for sharing cross-organizational
-                     audit information</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ca">
-      <title>Security Assessment and Authorization</title>
-      <control class="SP800-53" id="ca-1">
-         <title>Security Assessment and Authorization Policy and Procedures</title>
-         <param id="ca-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ca-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ca-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-1</prop>
-         <prop name="sort-id">ca-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ca-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ca-1_prm_1"/>:</p>
-               <part id="ca-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security assessment and authorization policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ca-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security assessment and
-                     authorization policy and associated security assessment and authorization
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ca-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ca-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security assessment and authorization policy <insert param-id="ca-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ca-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security assessment and authorization procedures <insert param-id="ca-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ca-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ca-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-1.a_obj" name="objective">
-               <prop name="label">CA-1(a)</prop>
-               <part id="ca-1.a.1_obj" name="objective">
-                  <prop name="label">CA-1(a)(1)</prop>
-                  <part id="ca-1.a.1_obj.1" name="objective">
-                     <prop name="label">CA-1(a)(1)[1]</prop>
-                     <p>develops and documents a security assessment and authorization policy that
-                        addresses:</p>
-                     <part id="ca-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ca-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ca-1.a.1_obj.2" name="objective">
-                     <prop name="label">CA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the security assessment and authorization
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.1_obj.3" name="objective">
-                     <prop name="label">CA-1(a)(1)[3]</prop>
-                     <p>disseminates the security assessment and authorization policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ca-1.a.2_obj" name="objective">
-                  <prop name="label">CA-1(a)(2)</prop>
-                  <part id="ca-1.a.2_obj.1" name="objective">
-                     <prop name="label">CA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        security assessment and authorization policy and associated assessment and
-                        authorization controls;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.2" name="objective">
-                     <prop name="label">CA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ca-1.a.2_obj.3" name="objective">
-                     <prop name="label">CA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-1.b_obj" name="objective">
-               <prop name="label">CA-1(b)</prop>
-               <part id="ca-1.b.1_obj" name="objective">
-                  <prop name="label">CA-1(b)(1)</prop>
-                  <part id="ca-1.b.1_obj.1" name="objective">
-                     <prop name="label">CA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization policy;</p>
-                  </part>
-                  <part id="ca-1.b.1_obj.2" name="objective">
-                     <prop name="label">CA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ca-1.b.2_obj" name="objective">
-                  <prop name="label">CA-1(b)(2)</prop>
-                  <part id="ca-1.b.2_obj.1" name="objective">
-                     <prop name="label">CA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current security assessment
-                        and authorization procedures; and</p>
-                  </part>
-                  <part id="ca-1.b.2_obj.2" name="objective">
-                     <prop name="label">CA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current security assessment and authorization
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment and authorization
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-2">
-         <title>Security Assessments</title>
-         <param id="ca-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ca-2_prm_2">
-            <label>organization-defined individuals or roles</label>
-         </param>
-         <prop name="label">CA-2</prop>
-         <prop name="sort-id">ca-02</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Assessment procedures to be used to determine security control effectiveness;
-                     and</p>
-               </part>
-               <part id="ca-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Assessment environment, assessment team, and assessment roles and
-                     responsibilities;</p>
-               </part>
-            </part>
-            <part id="ca-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assesses the security controls in the information system and its environment of
-                  operation <insert param-id="ca-2_prm_1"/> to determine the extent to which the
-                  controls are implemented correctly, operating as intended, and producing the
-                  desired outcome with respect to meeting established security requirements;</p>
-            </part>
-            <part id="ca-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Produces a security assessment report that documents the results of the
-                  assessment; and</p>
-            </part>
-            <part id="ca-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Provides the results of the security control assessment to <insert param-id="ca-2_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="ca-2_gdn" name="guidance">
-            <p>Organizations assess security controls in organizational information systems and the
-               environments in which those systems operate as part of: (i) initial and ongoing
-               security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring;
-               and (iv) system development life cycle activities. Security assessments: (i) ensure
-               that information security is built into organizational information systems; (ii)
-               identify weaknesses and deficiencies early in the development process; (iii) provide
-               essential information needed to make risk-based decisions as part of security
-               authorization processes; and (iv) ensure compliance to vulnerability mitigation
-               procedures. Assessments are conducted on the implemented security controls from
-               Appendix F (main catalog) and Appendix G (Program Management controls) as documented
-               in System Security Plans and Information Security Program Plans. Organizations can
-               use other types of assessment activities such as vulnerability scanning and system
-               monitoring to maintain the security posture of information systems during the entire
-               life cycle. Security assessment reports document assessment results in sufficient
-               detail as deemed necessary by organizations, to determine the accuracy and
-               completeness of the reports and whether the security controls are implemented
-               correctly, operating as intended, and producing the desired outcome with respect to
-               meeting security requirements. The FISMA requirement for assessing security controls
-               at least annually does not require additional assessment activities to those
-               activities already in place in organizational security authorization processes.
-               Security assessment results are provided to the individuals or roles appropriate for
-               the types of assessments being conducted. For example, assessments conducted in
-               support of security authorization decisions are provided to authorizing officials or
-               authorizing official designated representatives. To satisfy annual assessment
-               requirements, organizations can use assessment results from the following sources:
-               (i) initial or ongoing information system authorizations; (ii) continuous monitoring;
-               or (iii) system development life cycle activities. Organizations ensure that security
-               assessment results are current, relevant to the determination of security control
-               effectiveness, and obtained with the appropriate level of assessor independence.
-               Existing security control assessment results can be reused to the extent that the
-               results are still valid and can also be supplemented with additional assessments as
-               needed. Subsequent to initial authorizations and in accordance with OMB policy,
-               organizations assess security controls during continuous monitoring. Organizations
-               establish the frequency for ongoing security control assessments in accordance with
-               organizational continuous monitoring strategies. Information Assurance Vulnerability
-               Alerts provide useful examples of vulnerability mitigation procedures. External
-               audits (e.g., audits by external entities such as regulatory agencies) are outside
-               the scope of this control.</p>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-2.a_obj" name="objective">
-               <prop name="label">CA-2(a)</prop>
-               <p>develops a security assessment plan that describes the scope of the assessment
-                  including:</p>
-               <part id="ca-2.a.1_obj" name="objective">
-                  <prop name="label">CA-2(a)(1)</prop>
-                  <p>security controls and control enhancements under assessment;</p>
-               </part>
-               <part id="ca-2.a.2_obj" name="objective">
-                  <prop name="label">CA-2(a)(2)</prop>
-                  <p>assessment procedures to be used to determine security control
-                     effectiveness;</p>
-               </part>
-               <part id="ca-2.a.3_obj" name="objective">
-                  <prop name="label">CA-2(a)(3)</prop>
-                  <part id="ca-2.a.3_obj.1" name="objective">
-                     <prop name="label">CA-2(a)(3)[1]</prop>
-                     <p>assessment environment;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.2" name="objective">
-                     <prop name="label">CA-2(a)(3)[2]</prop>
-                     <p>assessment team;</p>
-                  </part>
-                  <part id="ca-2.a.3_obj.3" name="objective">
-                     <prop name="label">CA-2(a)(3)[3]</prop>
-                     <p>assessment roles and responsibilities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ca-2.b_obj" name="objective">
-               <prop name="label">CA-2(b)</prop>
-               <part id="ca-2.b_obj.1" name="objective">
-                  <prop name="label">CA-2(b)[1]</prop>
-                  <p>defines the frequency to assess the security controls in the information system
-                     and its environment of operation;</p>
-               </part>
-               <part id="ca-2.b_obj.2" name="objective">
-                  <prop name="label">CA-2(b)[2]</prop>
-                  <p>assesses the security controls in the information system with the
-                     organization-defined frequency to determine the extent to which the controls
-                     are implemented correctly, operating as intended, and producing the desired
-                     outcome with respect to meeting established security requirements;</p>
-               </part>
-            </part>
-            <part id="ca-2.c_obj" name="objective">
-               <prop name="label">CA-2(c)</prop>
-               <p>produces a security assessment report that documents the results of the
-                  assessment;</p>
-            </part>
-            <part id="ca-2.d_obj" name="objective">
-               <prop name="label">CA-2(d)</prop>
-               <part id="ca-2.d_obj.1" name="objective">
-                  <prop name="label">CA-2(d)[1]</prop>
-                  <p>defines individuals or roles to whom the results of the security control
-                     assessment are to be provided; and</p>
-               </part>
-               <part id="ca-2.d_obj.2" name="objective">
-                  <prop name="label">CA-2(d)[2]</prop>
-                  <p>provides the results of the security control assessment to organization-defined
-                     individuals or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security assessment planning</p>
-               <p>procedures addressing security assessments</p>
-               <p>security assessment plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting security assessment, security assessment plan
-                  development, and/or security assessment reporting</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-2.1">
-            <title>Independent Assessors</title>
-            <param id="ca-2.1_prm_1">
-               <label>organization-defined level of independence</label>
-            </param>
-            <prop name="label">CA-2(1)</prop>
-            <prop name="sort-id">ca-02.01</prop>
-            <part id="ca-2.1_smt" name="statement">
-               <p>The organization employs assessors or assessment teams with <insert param-id="ca-2.1_prm_1"/> to conduct security control assessments.</p>
-            </part>
-            <part id="ca-2.1_gdn" name="guidance">
-               <p>Independent assessors or assessment teams are individuals or groups who conduct
-                  impartial assessments of organizational information systems. Impartiality implies
-                  that assessors are free from any perceived or actual conflicts of interest with
-                  regard to the development, operation, or management of the organizational
-                  information systems under assessment or to the determination of security control
-                  effectiveness. To achieve impartiality, assessors should not: (i) create a mutual
-                  or conflicting interest with the organizations where the assessments are being
-                  conducted; (ii) assess their own work; (iii) act as management or employees of the
-                  organizations they are serving; or (iv) place themselves in positions of advocacy
-                  for the organizations acquiring their services. Independent assessments can be
-                  obtained from elements within organizations or can be contracted to public or
-                  private sector entities outside of organizations. Authorizing officials determine
-                  the required level of independence based on the security categories of information
-                  systems and/or the ultimate risk to organizational operations, organizational
-                  assets, or individuals. Authorizing officials also determine if the level of
-                  assessor independence provides sufficient assurance that the results are sound and
-                  can be used to make credible, risk-based decisions. This includes determining
-                  whether contracted security assessment services have sufficient independence, for
-                  example, when information system owners are not directly involved in contracting
-                  processes or cannot unduly influence the impartiality of assessors conducting
-                  assessments. In special situations, for example, when organizations that own the
-                  information systems are small or organizational structures require that
-                  assessments are conducted by individuals that are in the developmental,
-                  operational, or management chain of system owners, independence in assessment
-                  processes can be achieved by ensuring that assessment results are carefully
-                  reviewed and analyzed by independent teams of experts to validate the
-                  completeness, accuracy, integrity, and reliability of the results. Organizations
-                  recognize that assessments performed for purposes other than direct support to
-                  authorization decisions are, when performed by assessors with sufficient
-                  independence, more likely to be useable for such decisions, thereby reducing the
-                  need to repeat assessments.</p>
-            </part>
-            <part id="ca-2.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.1_obj.1" name="objective">
-                  <prop name="label">CA-2(1)[1]</prop>
-                  <p>defines the level of independence to be employed to conduct security control
-                     assessments; and</p>
-               </part>
-               <part id="ca-2.1_obj.2" name="objective">
-                  <prop name="label">CA-2(1)[2]</prop>
-                  <p>employs assessors or assessment teams with the organization-defined level of
-                     independence to conduct security control assessments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security authorization package (including security plan, security assessment
-                     plan, security assessment report, plan of action and milestones, authorization
-                     statement)</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-2.2">
-            <title>Specialized Assessments</title>
-            <param id="ca-2.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="ca-2.2_prm_2">
-               <select>
-                  <choice>announced</choice>
-                  <choice>unannounced</choice>
-               </select>
-            </param>
-            <param id="ca-2.2_prm_3">
-               <select how-many="one or more">
-                  <choice>in-depth monitoring</choice>
-                  <choice>vulnerability scanning</choice>
-                  <choice>malicious user testing</choice>
-                  <choice>insider threat assessment</choice>
-                  <choice>performance/load testing</choice>
-                  <choice>
-                     <insert param-id="ca-2.2_prm_4"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="ca-2.2_prm_4" depends-on="ca-2.2_prm_3">
-               <label>organization-defined other forms of security assessment</label>
-            </param>
-            <prop name="label">CA-2(2)</prop>
-            <prop name="sort-id">ca-02.02</prop>
-            <part id="ca-2.2_smt" name="statement">
-               <p>The organization includes as part of security control assessments, <insert param-id="ca-2.2_prm_1"/>, <insert param-id="ca-2.2_prm_2"/>, <insert param-id="ca-2.2_prm_3"/>.</p>
-            </part>
-            <part id="ca-2.2_gdn" name="guidance">
-               <p>Organizations can employ information system monitoring, insider threat
-                  assessments, malicious user testing, and other forms of testing (e.g.,
-                  verification and validation) to improve readiness by exercising organizational
-                  capabilities and indicating current performance levels as a means of focusing
-                  actions to improve security. Organizations conduct assessment activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  regulations, and standards. Authorizing officials approve the assessment methods
-                  in coordination with the organizational risk executive function. Organizations can
-                  incorporate vulnerabilities uncovered during assessments into vulnerability
-                  remediation processes.</p>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#si-2">SI-2</link>
-            </part>
-            <part id="ca-2.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.2_obj.1" name="objective">
-                  <prop name="label">CA-2(2)[1]</prop>
-                  <p>selects one or more of the following forms of specialized security assessment
-                     to be included as part of security control assessments:</p>
-                  <part id="ca-2.2_obj.1.a" name="objective">
-                     <prop name="label">CA-2(2)[1][a]</prop>
-                     <p>in-depth monitoring;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.b" name="objective">
-                     <prop name="label">CA-2(2)[1][b]</prop>
-                     <p>vulnerability scanning;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.c" name="objective">
-                     <prop name="label">CA-2(2)[1][c]</prop>
-                     <p>malicious user testing;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.d" name="objective">
-                     <prop name="label">CA-2(2)[1][d]</prop>
-                     <p>insider threat assessment;</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.e" name="objective">
-                     <prop name="label">CA-2(2)[1][e]</prop>
-                     <p>performance/load testing; and/or</p>
-                  </part>
-                  <part id="ca-2.2_obj.1.f" name="objective">
-                     <prop name="label">CA-2(2)[1][f]</prop>
-                     <p>other forms of organization-defined specialized security assessment;</p>
-                  </part>
-               </part>
-               <part id="ca-2.2_obj.2" name="objective">
-                  <prop name="label">CA-2(2)[2]</prop>
-                  <p>defines the frequency for conducting the selected form(s) of specialized
-                     security assessment;</p>
-               </part>
-               <part id="ca-2.2_obj.3" name="objective">
-                  <prop name="label">CA-2(2)[3]</prop>
-                  <p>defines whether the specialized security assessment will be announced or
-                     unannounced; and</p>
-               </part>
-               <part id="ca-2.2_obj.4" name="objective">
-                  <prop name="label">CA-2(2)[4]</prop>
-                  <p>conducts announced or unannounced organization-defined forms of specialized
-                     security assessments with the organization-defined frequency as part of
-                     security control assessments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security plan</p>
-                  <p>security assessment plan</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting security control assessment</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-2.3">
-            <title>External Organizations</title>
-            <param id="ca-2.3_prm_1">
-               <label>organization-defined information system</label>
-            </param>
-            <param id="ca-2.3_prm_2">
-               <label>organization-defined external organization</label>
-            </param>
-            <param id="ca-2.3_prm_3">
-               <label>organization-defined requirements</label>
-            </param>
-            <prop name="label">CA-2(3)</prop>
-            <prop name="sort-id">ca-02.03</prop>
-            <part id="ca-2.3_smt" name="statement">
-               <p>The organization accepts the results of an assessment of <insert param-id="ca-2.3_prm_1"/> performed by <insert param-id="ca-2.3_prm_2"/> when
-                  the assessment meets <insert param-id="ca-2.3_prm_3"/>.</p>
-            </part>
-            <part id="ca-2.3_gdn" name="guidance">
-               <p>Organizations may often rely on assessments of specific information systems by
-                  other (external) organizations. Utilizing such existing assessments (i.e., reusing
-                  existing assessment evidence) can significantly decrease the time and resources
-                  required for organizational assessments by limiting the amount of independent
-                  assessment activities that organizations need to perform. The factors that
-                  organizations may consider in determining whether to accept assessment results
-                  from external organizations can vary. Determinations for accepting assessment
-                  results can be based on, for example, past assessment experiences one organization
-                  has had with another organization, the reputation that organizations have with
-                  regard to assessments, the level of detail of supporting assessment documentation
-                  provided, or mandates imposed upon organizations by federal legislation, policies,
-                  or directives.</p>
-            </part>
-            <part id="ca-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-2.3_obj.1" name="objective">
-                  <prop name="label">CA-2(3)[1]</prop>
-                  <p>defines an information system for which the results of a security assessment
-                     performed by an external organization are to be accepted;</p>
-               </part>
-               <part id="ca-2.3_obj.2" name="objective">
-                  <prop name="label">CA-2(3)[2]</prop>
-                  <p>defines an external organization from which to accept a security assessment
-                     performed on an organization-defined information system;</p>
-               </part>
-               <part id="ca-2.3_obj.3" name="objective">
-                  <prop name="label">CA-2(3)[3]</prop>
-                  <p>defines the requirements to be met by a security assessment performed by
-                     organization-defined external organization on organization-defined information
-                     system; and</p>
-               </part>
-               <part id="ca-2.3_obj.4" name="objective">
-                  <prop name="label">CA-2(3)[4]</prop>
-                  <p>accepts the results of an assessment of an organization-defined information
-                     system performed by an organization-defined external organization when the
-                     assessment meets organization-defined requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing security assessments</p>
-                  <p>security plan</p>
-                  <p>security assessment requirements</p>
-                  <p>security assessment plan</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>plan of action and milestones</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel performing security assessments for the specified external
-                     organization</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-3">
-         <title>System Interconnections</title>
-         <param id="ca-3_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-3</prop>
-         <prop name="sort-id">ca-03</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#2711f068-734e-4afd-94ba-0b22247fbc88" rel="reference">NIST Special Publication 800-47</link>
-         <part id="ca-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each interconnection, the interface characteristics, security
-                  requirements, and the nature of the information communicated; and</p>
-            </part>
-            <part id="ca-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates Interconnection Security Agreements <insert param-id="ca-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ca-3_gdn" name="guidance">
-            <p>This control applies to dedicated connections between information systems (i.e.,
-               system interconnections) and does not apply to transitory, user-controlled
-               connections such as email and website browsing. Organizations carefully consider the
-               risks that may be introduced when information systems are connected to other systems
-               with different security requirements and security controls, both within organizations
-               and external to organizations. Authorizing officials determine the risk associated
-               with information system connections and the appropriate controls employed. If
-               interconnecting systems have the same authorizing official, organizations do not need
-               to develop Interconnection Security Agreements. Instead, organizations can describe
-               the interface characteristics between those interconnecting systems in their
-               respective security plans. If interconnecting systems have different authorizing
-               officials within the same organization, organizations can either develop
-               Interconnection Security Agreements or describe the interface characteristics between
-               systems in the security plans for the respective systems. Organizations may also
-               incorporate Interconnection Security Agreement information into formal contracts,
-               especially for interconnections established between federal agencies and nonfederal
-               (i.e., private sector) organizations. Risk considerations also include information
-               systems sharing the same networks. For certain technologies (e.g., space, unmanned
-               aerial vehicles, and medical devices), there may be specialized connections in place
-               during preoperational testing. Such connections may require Interconnection Security
-               Agreements and be subject to additional security controls.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-3.a_obj" name="objective">
-               <prop name="label">CA-3(a)</prop>
-               <p>authorizes connections from the information system to other information systems
-                  through the use of Interconnection Security Agreements;</p>
-            </part>
-            <part id="ca-3.b_obj" name="objective">
-               <prop name="label">CA-3(b)</prop>
-               <p>documents, for each interconnection:</p>
-               <part id="ca-3.b_obj.1" name="objective">
-                  <prop name="label">CA-3(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-3.b_obj.2" name="objective">
-                  <prop name="label">CA-3(b)[2]</prop>
-                  <p>the security requirements;</p>
-               </part>
-               <part id="ca-3.b_obj.3" name="objective">
-                  <prop name="label">CA-3(b)[3]</prop>
-                  <p>the nature of the information communicated;</p>
-               </part>
-            </part>
-            <part id="ca-3.c_obj" name="objective">
-               <prop name="label">CA-3(c)</prop>
-               <part id="ca-3.c_obj.1" name="objective">
-                  <prop name="label">CA-3(c)[1]</prop>
-                  <p>defines the frequency to review and update Interconnection Security Agreements;
-                     and</p>
-               </part>
-               <part id="ca-3.c_obj.2" name="objective">
-                  <prop name="label">CA-3(c)[2]</prop>
-                  <p>reviews and updates Interconnection Security Agreements with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>information system Interconnection Security Agreements</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  approving information system interconnection agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel managing the system(s) to which the Interconnection Security Agreement
-                  applies</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-3.1">
-            <title>Unclassified National Security System Connections</title>
-            <param id="ca-3.1_prm_1">
-               <label>organization-defined unclassified, national security system</label>
-            </param>
-            <param id="ca-3.1_prm_2">
-               <label>organization-defined boundary protection device</label>
-            </param>
-            <prop name="label">CA-3(1)</prop>
-            <prop name="sort-id">ca-03.01</prop>
-            <part id="ca-3.1_smt" name="statement">
-               <p>The organization prohibits the direct connection of an <insert param-id="ca-3.1_prm_1"/> to an external network without the use of <insert param-id="ca-3.1_prm_2"/>.</p>
-            </part>
-            <part id="ca-3.1_gdn" name="guidance">
-               <p>Organizations typically do not have control over external networks (e.g., the
-                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate
-                  communications (i.e., information flows) between unclassified national security
-                  systems and external networks. This control enhancement is required for
-                  organizations processing, storing, or transmitting Controlled Unclassified
-                  Information (CUI).</p>
-            </part>
-            <part id="ca-3.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-3.1_obj.1" name="objective">
-                  <prop name="label">CA-3(1)[1]</prop>
-                  <p>defines an unclassified, national security system whose direct connection to an
-                     external network is to be prohibited without the use of approved boundary
-                     protection device;</p>
-               </part>
-               <part id="ca-3.1_obj.2" name="objective">
-                  <prop name="label">CA-3(1)[2]</prop>
-                  <p>defines a boundary protection device to be used to establish the direct
-                     connection of an organization-defined unclassified, national security system to
-                     an external network; and</p>
-               </part>
-               <part id="ca-3.1_obj.3" name="objective">
-                  <prop name="label">CA-3(1)[3]</prop>
-                  <p>prohibits the direct connection of an organization-defined unclassified,
-                     national security system to an external network without the use of an
-                     organization-defined boundary protection device.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection security agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for managing direct connections to
-                     external networks</p>
-                  <p>network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel managing directly connected external networks</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting the management of external network
-                     connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.2">
-            <title>Classified National Security System Connections</title>
-            <param id="ca-3.2_prm_1">
-               <label>organization-defined boundary protection device</label>
-            </param>
-            <prop name="label">CA-3(2)</prop>
-            <prop name="sort-id">ca-03.02</prop>
-            <part id="ca-3.2_smt" name="statement">
-               <p>The organization prohibits the direct connection of a classified, national
-                  security system to an external network without the use of <insert param-id="ca-3.2_prm_1"/>.</p>
-            </part>
-            <part id="ca-3.2_gdn" name="guidance">
-               <p>Organizations typically do not have control over external networks (e.g., the
-                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate
-                  communications (i.e., information flows) between classified national security
-                  systems and external networks. In addition, approved boundary protection devices
-                  (typically managed interface/cross-domain systems) provide information flow
-                  enforcement from information systems to external networks.</p>
-            </part>
-            <part id="ca-3.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-3.2_obj.1" name="objective">
-                  <prop name="label">CA-3(2)[1]</prop>
-                  <p>defines a boundary protection device to be used to establish the direct
-                     connection of a classified, national security system to an external network;
-                     and</p>
-               </part>
-               <part id="ca-3.2_obj.2" name="objective">
-                  <prop name="label">CA-3(2)[2]</prop>
-                  <p>prohibits the direct connection of a classified, national security system to an
-                     external network without the use of an organization-defined boundary protection
-                     device.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection security agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for managing direct connections to
-                     external networks</p>
-                  <p>network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel managing directly connected external networks</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting the management of external network
-                     connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.3">
-            <title>Unclassified Non-national Security System Connections</title>
-            <param id="ca-3.3_prm_1">
-               <label>organization-defined unclassified, non-national security system</label>
-            </param>
-            <param id="ca-3.3_prm_2">
-               <label>Assignment; organization-defined boundary protection device</label>
-            </param>
-            <prop name="label">CA-3(3)</prop>
-            <prop name="sort-id">ca-03.03</prop>
-            <part id="ca-3.3_smt" name="statement">
-               <p>The organization prohibits the direct connection of an <insert param-id="ca-3.3_prm_1"/> to an external network without the use of <insert param-id="ca-3.3_prm_2"/>.</p>
-            </part>
-            <part id="ca-3.3_gdn" name="guidance">
-               <p>Organizations typically do not have control over external networks (e.g., the
-                  Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate
-                  communications (i.e., information flows) between unclassified non-national
-                  security systems and external networks. This control enhancement is required for
-                  organizations processing, storing, or transmitting Controlled Unclassified
-                  Information (CUI).</p>
-            </part>
-            <part id="ca-3.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-3.3_obj.1" name="objective">
-                  <prop name="label">CA-3(3)[1]</prop>
-                  <p>defines an unclassified, non-national security system whose direct connection
-                     to an external network is to be prohibited without the use of approved boundary
-                     protection device;</p>
-               </part>
-               <part id="ca-3.3_obj.2" name="objective">
-                  <prop name="label">CA-3(3)[2]</prop>
-                  <p>defines a boundary protection device to be used to establish the direct
-                     connection of an organization-defined unclassified, non-national security
-                     system to an external network; and</p>
-               </part>
-               <part id="ca-3.3_obj.3" name="objective">
-                  <prop name="label">CA-3(3)[3]</prop>
-                  <p>prohibits the direct connection of an organization-defined unclassified,
-                     non-national security system to an external network without the use of an
-                     organization-defined boundary protection device.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection security agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for managing direct connections to
-                     external networks</p>
-                  <p>network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel managing directly connected external networks</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting the management of external network
-                     connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.4">
-            <title>Connections to Public Networks</title>
-            <param id="ca-3.4_prm_1">
-               <label>organization-defined information system</label>
-            </param>
-            <prop name="label">CA-3(4)</prop>
-            <prop name="sort-id">ca-03.04</prop>
-            <part id="ca-3.4_smt" name="statement">
-               <p>The organization prohibits the direct connection of an <insert param-id="ca-3.4_prm_1"/> to a public network.</p>
-            </part>
-            <part id="ca-3.4_gdn" name="guidance">
-               <p>A public network is any network accessible to the general public including, for
-                  example, the Internet and organizational extranets with public access.</p>
-            </part>
-            <part id="ca-3.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-3.4_obj.1" name="objective">
-                  <prop name="label">CA-3(4)[1]</prop>
-                  <p>defines an information system whose direct connection to a public network is to
-                     be prohibited; and</p>
-               </part>
-               <part id="ca-3.4_obj.2" name="objective">
-                  <prop name="label">CA-3(4)[2]</prop>
-                  <p>prohibits the direct connection of an organization-defined information system
-                     to a public network.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection security agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting the management of public network
-                     connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.5">
-            <title>Restrictions On External System Connections</title>
-            <param id="ca-3.5_prm_1">
-               <select>
-                  <choice>allow-all, deny-by-exception</choice>
-                  <choice>deny-all, permit-by-exception</choice>
-               </select>
-            </param>
-            <param id="ca-3.5_prm_2">
-               <label>organization-defined information systems</label>
-            </param>
-            <prop name="label">CA-3(5)</prop>
-            <prop name="sort-id">ca-03.05</prop>
-            <part id="ca-3.5_smt" name="statement">
-               <p>The organization employs <insert param-id="ca-3.5_prm_1"/> policy for allowing
-                     <insert param-id="ca-3.5_prm_2"/> to connect to external information
-                  systems.</p>
-            </part>
-            <part id="ca-3.5_gdn" name="guidance">
-               <p>Organizations can constrain information system connectivity to external domains
-                  (e.g., websites) by employing one of two policies with regard to such
-                  connectivity: (i) allow-all, deny by exception, also known as blacklisting (the
-                  weaker of the two policies); or (ii) deny-all, allow by exception, also known as
-                  whitelisting (the stronger of the two policies). For either policy, organizations
-                  determine what exceptions, if any, are acceptable.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-            </part>
-            <part id="ca-3.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ca-3.5_obj.1" name="objective">
-                  <prop name="label">CA-3(5)[1]</prop>
-                  <p>defines information systems to be allowed to connect to external information
-                     systems;</p>
-               </part>
-               <part id="ca-3.5_obj.2" name="objective">
-                  <prop name="label">CA-3(5)[2]</prop>
-                  <p>employs one of the following policies for allowing organization-defined
-                     information systems to connect to external information systems:</p>
-                  <part id="ca-3.5_obj.2.a" name="objective">
-                     <prop name="label">CA-3(5)[2][a]</prop>
-                     <p>allow-all policy;</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.b" name="objective">
-                     <prop name="label">CA-3(5)[2][b]</prop>
-                     <p>deny-by-exception policy;</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.c" name="objective">
-                     <prop name="label">CA-3(5)[2][c]</prop>
-                     <p>deny-all policy; or</p>
-                  </part>
-                  <part id="ca-3.5_obj.2.d" name="objective">
-                     <prop name="label">CA-3(5)[2][d]</prop>
-                     <p>permit-by-exception policy.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>information system interconnection agreements</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for managing connections to
-                     external information systems</p>
-                  <p>network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing restrictions on external system
-                     connections</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-4">
-         <title>Security Certification</title>
-         <prop name="label">CA-4</prop>
-         <prop name="sort-id">ca-04</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#ca-2">CA-2</link>
-      </control>
-      <control class="SP800-53" id="ca-5">
-         <title>Plan of Action and Milestones</title>
-         <param id="ca-5_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-5</prop>
-         <prop name="sort-id">ca-05</prop>
-         <link href="#2c5884cd-7b96-425c-862a-99877e1cf909" rel="reference">OMB Memorandum 02-01</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <part id="ca-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a plan of action and milestones for the information system to document
-                  the organization’s planned remedial actions to correct weaknesses or deficiencies
-                  noted during the assessment of the security controls and to reduce or eliminate
-                  known vulnerabilities in the system; and</p>
-            </part>
-            <part id="ca-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates existing plan of action and milestones <insert param-id="ca-5_prm_1"/>
-                  based on the findings from security controls assessments, security impact
-                  analyses, and continuous monitoring activities.</p>
-            </part>
-         </part>
-         <part id="ca-5_gdn" name="guidance">
-            <p>Plans of action and milestones are key documents in security authorization packages
-               and are subject to federal reporting requirements established by OMB.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-4">PM-4</link>
-         </part>
-         <part id="ca-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-5.a_obj" name="objective">
-               <prop name="label">CA-5(a)</prop>
-               <p>develops a plan of action and milestones for the information system to:</p>
-               <part id="ca-5.a_obj.1" name="objective">
-                  <prop name="label">CA-5(a)[1]</prop>
-                  <p>document the organization’s planned remedial actions to correct weaknesses or
-                     deficiencies noted during the assessment of the security controls;</p>
-               </part>
-               <part id="ca-5.a_obj.2" name="objective">
-                  <prop name="label">CA-5(a)[2]</prop>
-                  <p>reduce or eliminate known vulnerabilities in the system;</p>
-               </part>
-            </part>
-            <part id="ca-5.b_obj" name="objective">
-               <prop name="label">CA-5(b)</prop>
-               <part id="ca-5.b_obj.1" name="objective">
-                  <prop name="label">CA-5(b)[1]</prop>
-                  <p>defines the frequency to update the existing plan of action and milestones;</p>
-               </part>
-               <part id="ca-5.b_obj.2" name="objective">
-                  <prop name="label">CA-5(b)[2]</prop>
-                  <p>updates the existing plan of action and milestones with the
-                     organization-defined frequency based on the findings from:</p>
-                  <part id="ca-5.b_obj.2.a" name="objective">
-                     <prop name="label">CA-5(b)[2][a]</prop>
-                     <p>security controls assessments;</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.b" name="objective">
-                     <prop name="label">CA-5(b)[2][b]</prop>
-                     <p>security impact analyses; and</p>
-                  </part>
-                  <part id="ca-5.b_obj.2.c" name="objective">
-                     <prop name="label">CA-5(b)[2][c]</prop>
-                     <p>continuous monitoring activities.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing plan of action and milestones</p>
-               <p>security plan</p>
-               <p>security assessment plan</p>
-               <p>security assessment report</p>
-               <p>security assessment evidence</p>
-               <p>plan of action and milestones</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with plan of action and milestones development and
-                  implementation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms for developing, implementing, and maintaining plan of action
-                  and milestones</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-5.1">
-            <title>Automation Support for Accuracy / Currency</title>
-            <prop name="label">CA-5(1)</prop>
-            <prop name="sort-id">ca-05.01</prop>
-            <part id="ca-5.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to help ensure that the plan of
-                  action and milestones for the information system is accurate, up to date, and
-                  readily available.</p>
-            </part>
-            <part id="ca-5.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to help ensure that the
-                  plan of action and milestones for the information system is: </p>
-               <part id="ca-5.1_obj.1" name="objective">
-                  <prop name="label">CA-5(1)[1]</prop>
-                  <p>accurate;</p>
-               </part>
-               <part id="ca-5.1_obj.2" name="objective">
-                  <prop name="label">CA-5(1)[2]</prop>
-                  <p>up to date; and</p>
-               </part>
-               <part id="ca-5.1_obj.3" name="objective">
-                  <prop name="label">CA-5(1)[3]</prop>
-                  <p>readily available.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing plan of action and milestones</p>
-                  <p>information system design documentation, information system configuration
-                     settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>plan of action and milestones</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with plan of action and milestones development and
-                     implementation responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms for developing, implementing and maintaining plan of
-                     action and milestones</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-6">
-         <title>Security Authorization</title>
-         <param id="ca-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-6</prop>
-         <prop name="sort-id">ca-06</prop>
-         <link href="#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab" rel="reference">OMB Circular A-130</link>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="ca-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations; and</p>
-            </part>
-            <part id="ca-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Updates the security authorization <insert param-id="ca-6_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ca-6_gdn" name="guidance">
-            <p>Security authorizations are official management decisions, conveyed through
-               authorization decision documents, by senior organizational officials or executives
-               (i.e., authorizing officials) to authorize operation of information systems and to
-               explicitly accept the risk to organizational operations and assets, individuals,
-               other organizations, and the Nation based on the implementation of agreed-upon
-               security controls. Authorizing officials provide budgetary oversight for
-               organizational information systems or assume responsibility for the mission/business
-               operations supported by those systems. The security authorization process is an
-               inherently federal responsibility and therefore, authorizing officials must be
-               federal employees. Through the security authorization process, authorizing officials
-               assume responsibility and are accountable for security risks associated with the
-               operation and use of organizational information systems. Accordingly, authorizing
-               officials are in positions with levels of authority commensurate with understanding
-               and accepting such information security-related risks. OMB policy requires that
-               organizations conduct ongoing authorizations of information systems by implementing
-               continuous monitoring programs. Continuous monitoring programs can satisfy three-year
-               reauthorization requirements, so separate reauthorization processes are not
-               necessary. Through the employment of comprehensive continuous monitoring processes,
-               critical information contained in authorization packages (i.e., security plans,
-               security assessment reports, and plans of action and milestones) is updated on an
-               ongoing basis, providing authorizing officials and information system owners with an
-               up-to-date status of the security state of organizational information systems and
-               environments of operation. To reduce the administrative cost of security
-               reauthorization, authorizing officials use the results of continuous monitoring
-               processes to the maximum extent possible as the basis for rendering reauthorization
-               decisions.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-10">PM-10</link>
-         </part>
-         <part id="ca-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-6.a_obj" name="objective">
-               <prop name="label">CA-6(a)</prop>
-               <p>assigns a senior-level executive or manager as the authorizing official for the
-                  information system;</p>
-            </part>
-            <part id="ca-6.b_obj" name="objective">
-               <prop name="label">CA-6(b)</prop>
-               <p>ensures that the authorizing official authorizes the information system for
-                  processing before commencing operations;</p>
-            </part>
-            <part id="ca-6.c_obj" name="objective">
-               <prop name="label">CA-6(c)</prop>
-               <part id="ca-6.c_obj.1" name="objective">
-                  <prop name="label">CA-6(c)[1]</prop>
-                  <p>defines the frequency to update the security authorization; and</p>
-               </part>
-               <part id="ca-6.c_obj.2" name="objective">
-                  <prop name="label">CA-6(c)[2]</prop>
-                  <p>updates the security authorization with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing security authorization</p>
-               <p>security authorization package (including security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>authorization statement)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security authorization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms that facilitate security authorizations and updates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-7">
-         <title>Continuous Monitoring</title>
-         <param id="ca-7_prm_1">
-            <label>organization-defined metrics</label>
-         </param>
-         <param id="ca-7_prm_2">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_3">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ca-7_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-7</prop>
-         <prop name="sort-id">ca-07</prop>
-         <link href="#bedb15b7-ec5c-4a68-807f-385125751fcd" rel="reference">OMB Memorandum 11-33</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb" rel="reference">US-CERT Technical Cyber Security Alerts</link>
-         <link href="#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b" rel="reference">DoD Information Assurance Vulnerability Alerts</link>
-         <part id="ca-7_smt" name="statement">
-            <p>The organization develops a continuous monitoring strategy and implements a
-               continuous monitoring program that includes:</p>
-            <part id="ca-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_1"/> to be monitored;</p>
-            </part>
-            <part id="ca-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishment of <insert param-id="ca-7_prm_2"/> for monitoring and <insert param-id="ca-7_prm_3"/> for assessments supporting such monitoring;</p>
-            </part>
-            <part id="ca-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ongoing security control assessments in accordance with the organizational
-                  continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Ongoing security status monitoring of organization-defined metrics in accordance
-                  with the organizational continuous monitoring strategy;</p>
-            </part>
-            <part id="ca-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Correlation and analysis of security-related information generated by assessments
-                  and monitoring;</p>
-            </part>
-            <part id="ca-7_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Response actions to address results of the analysis of security-related
-                  information; and</p>
-            </part>
-            <part id="ca-7_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Reporting the security status of organization and the information system to
-                     <insert param-id="ca-7_prm_4"/>
-                  <insert param-id="ca-7_prm_5"/>.</p>
-            </part>
-         </part>
-         <part id="ca-7_gdn" name="guidance">
-            <p>Continuous monitoring programs facilitate ongoing awareness of threats,
-               vulnerabilities, and information security to support organizational risk management
-               decisions. The terms continuous and ongoing imply that organizations assess/analyze
-               security controls and information security-related risks at a frequency sufficient to
-               support organizational risk-based decisions. The results of continuous monitoring
-               programs generate appropriate risk response actions by organizations. Continuous
-               monitoring programs also allow organizations to maintain the security authorizations
-               of information systems and common controls over time in highly dynamic environments
-               of operation with changing mission/business needs, threats, vulnerabilities, and
-               technologies. Having access to security-related information on a continuing basis
-               through reports/dashboards gives organizational officials the capability to make more
-               effective and timely risk management decisions, including ongoing security
-               authorization decisions. Automation supports more frequent updates to security
-               authorization packages, hardware/software/firmware inventories, and other system
-               information. Effectiveness is further enhanced when continuous monitoring outputs are
-               formatted to provide information that is specific, measurable, actionable, relevant,
-               and timely. Continuous monitoring activities are scaled in accordance with the
-               security categories of information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-5">CA-5</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#pm-6">PM-6</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ca-7.a_obj" name="objective">
-               <prop name="label">CA-7(a)</prop>
-               <part id="ca-7.a_obj.1" name="objective">
-                  <prop name="label">CA-7(a)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines metrics to be
-                     monitored;</p>
-               </part>
-               <part id="ca-7.a_obj.2" name="objective">
-                  <prop name="label">CA-7(a)[2]</prop>
-                  <p>develops a continuous monitoring strategy that includes monitoring of
-                     organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.a_obj.3" name="objective">
-                  <prop name="label">CA-7(a)[3]</prop>
-                  <p>implements a continuous monitoring program that includes monitoring of
-                     organization-defined metrics in accordance with the organizational continuous
-                     monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.b_obj" name="objective">
-               <prop name="label">CA-7(b)</prop>
-               <part id="ca-7.b_obj.1" name="objective">
-                  <prop name="label">CA-7(b)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines frequencies for
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.2" name="objective">
-                  <prop name="label">CA-7(b)[2]</prop>
-                  <p>defines frequencies for assessments supporting monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.3" name="objective">
-                  <prop name="label">CA-7(b)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes establishment of the
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.b_obj.4" name="objective">
-                  <prop name="label">CA-7(b)[4]</prop>
-                  <p>implements a continuous monitoring program that includes establishment of
-                     organization-defined frequencies for monitoring and for assessments supporting
-                     such monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.c_obj" name="objective">
-               <prop name="label">CA-7(c)</prop>
-               <part id="ca-7.c_obj.1" name="objective">
-                  <prop name="label">CA-7(c)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security
-                     control assessments;</p>
-               </part>
-               <part id="ca-7.c_obj.2" name="objective">
-                  <prop name="label">CA-7(c)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     control assessments in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.d_obj" name="objective">
-               <prop name="label">CA-7(d)</prop>
-               <part id="ca-7.d_obj.1" name="objective">
-                  <prop name="label">CA-7(d)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes ongoing security status
-                     monitoring of organization-defined metrics;</p>
-               </part>
-               <part id="ca-7.d_obj.2" name="objective">
-                  <prop name="label">CA-7(d)[2]</prop>
-                  <p>implements a continuous monitoring program that includes ongoing security
-                     status monitoring of organization-defined metrics in accordance with the
-                     organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.e_obj" name="objective">
-               <prop name="label">CA-7(e)</prop>
-               <part id="ca-7.e_obj.1" name="objective">
-                  <prop name="label">CA-7(e)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring;</p>
-               </part>
-               <part id="ca-7.e_obj.2" name="objective">
-                  <prop name="label">CA-7(e)[2]</prop>
-                  <p>implements a continuous monitoring program that includes correlation and
-                     analysis of security-related information generated by assessments and
-                     monitoring in accordance with the organizational continuous monitoring
-                     strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.f_obj" name="objective">
-               <prop name="label">CA-7(f)</prop>
-               <part id="ca-7.f_obj.1" name="objective">
-                  <prop name="label">CA-7(f)[1]</prop>
-                  <p>develops a continuous monitoring strategy that includes response actions to
-                     address results of the analysis of security-related information;</p>
-               </part>
-               <part id="ca-7.f_obj.2" name="objective">
-                  <prop name="label">CA-7(f)[2]</prop>
-                  <p>implements a continuous monitoring program that includes response actions to
-                     address results of the analysis of security-related information in accordance
-                     with the organizational continuous monitoring strategy;</p>
-               </part>
-            </part>
-            <part id="ca-7.g_obj" name="objective">
-               <prop name="label">CA-7(g)</prop>
-               <part id="ca-7.g_obj.1" name="objective">
-                  <prop name="label">CA-7(g)[1]</prop>
-                  <p>develops a continuous monitoring strategy that defines the personnel or roles
-                     to whom the security status of the organization and information system are to
-                     be reported;</p>
-               </part>
-               <part id="ca-7.g_obj.2" name="objective">
-                  <prop name="label">CA-7(g)[2]</prop>
-                  <p>develops a continuous monitoring strategy that defines the frequency to report
-                     the security status of the organization and information system to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="ca-7.g_obj.3" name="objective">
-                  <prop name="label">CA-7(g)[3]</prop>
-                  <p>develops a continuous monitoring strategy that includes reporting the security
-                     status of the organization or information system to organizational-defined
-                     personnel or roles with the organization-defined frequency; and</p>
-               </part>
-               <part id="ca-7.g_obj.4" name="objective">
-                  <prop name="label">CA-7(g)[4]</prop>
-                  <p>implements a continuous monitoring program that includes reporting the security
-                     status of the organization and information system to organization-defined
-                     personnel or roles with the organization-defined frequency in accordance with
-                     the organizational continuous monitoring strategy.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing continuous monitoring of information system security
-                  controls</p>
-               <p>procedures addressing configuration management</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>plan of action and milestones</p>
-               <p>information system monitoring records</p>
-               <p>configuration management records, security impact analyses</p>
-               <p>status reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with continuous monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Mechanisms implementing continuous monitoring</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-7.1">
-            <title>Independent Assessment</title>
-            <param id="ca-7.1_prm_1">
-               <label>organization-defined level of independence</label>
-            </param>
-            <prop name="label">CA-7(1)</prop>
-            <prop name="sort-id">ca-07.01</prop>
-            <part id="ca-7.1_smt" name="statement">
-               <p>The organization employs assessors or assessment teams with <insert param-id="ca-7.1_prm_1"/> to monitor the security controls in the information
-                  system on an ongoing basis.</p>
-            </part>
-            <part id="ca-7.1_gdn" name="guidance">
-               <p>Organizations can maximize the value of assessments of security controls during
-                  the continuous monitoring process by requiring that such assessments be conducted
-                  by assessors or assessment teams with appropriate levels of independence based on
-                  continuous monitoring strategies. Assessor independence provides a degree of
-                  impartiality to the monitoring process. To achieve such impartiality, assessors
-                  should not: (i) create a mutual or conflicting interest with the organizations
-                  where the assessments are being conducted; (ii) assess their own work; (iii) act
-                  as management or employees of the organizations they are serving; or (iv) place
-                  themselves in advocacy positions for the organizations acquiring their
-                  services.</p>
-            </part>
-            <part id="ca-7.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-7.1_obj.1" name="objective">
-                  <prop name="label">CA-7(1)[1]</prop>
-                  <p>defines a level of independence to be employed to monitor the security controls
-                     in the information system on an ongoing basis; and</p>
-               </part>
-               <part id="ca-7.1_obj.2" name="objective">
-                  <prop name="label">CA-7(1)[2]</prop>
-                  <p>employs assessors or assessment teams with the organization-defined level of
-                     independence to monitor the security controls in the information system on an
-                     ongoing basis.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing continuous monitoring of information system security
-                     controls</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>plan of action and milestones</p>
-                  <p>information system monitoring records</p>
-                  <p>security impact analyses</p>
-                  <p>status reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with continuous monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-7.2">
-            <title>Types of Assessments</title>
-            <prop name="label">CA-7(2)</prop>
-            <prop name="sort-id">ca-07.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ca-2">CA-2</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-7.3">
-            <title>Trend Analyses</title>
-            <prop name="label">CA-7(3)</prop>
-            <prop name="sort-id">ca-07.03</prop>
-            <part id="ca-7.3_smt" name="statement">
-               <p>The organization employs trend analyses to determine if security control
-                  implementations, the frequency of continuous monitoring activities, and/or the
-                  types of activities used in the continuous monitoring process need to be modified
-                  based on empirical data.</p>
-            </part>
-            <part id="ca-7.3_gdn" name="guidance">
-               <p>Trend analyses can include, for example, examining recent threat information
-                  regarding the types of threat events that have occurred within the organization or
-                  across the federal government, success rates of certain types of cyber attacks,
-                  emerging vulnerabilities in information technologies, evolving social engineering
-                  techniques, results from multiple security control assessments, the effectiveness
-                  of configuration settings, and findings from Inspectors General or auditors.</p>
-            </part>
-            <part id="ca-7.3_obj" name="objective">
-               <p>Determine if the organization employs trend analyses to determine if the following
-                  items need to be modified based on empirical data:</p>
-               <part id="ca-7.3_obj.1" name="objective">
-                  <prop name="label">CA-7(3)[1]</prop>
-                  <p>security control implementations;</p>
-               </part>
-               <part id="ca-7.3_obj.2" name="objective">
-                  <prop name="label">CA-7(3)[2]</prop>
-                  <p>the frequency of continuous monitoring activities; and/or</p>
-               </part>
-               <part id="ca-7.3_obj.3" name="objective">
-                  <prop name="label">CA-7(3)[3]</prop>
-                  <p>the types of activities used in the continuous monitoring process.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Continuous monitoring strategy</p>
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing continuous monitoring of information system security
-                     controls</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>plan of action and milestones</p>
-                  <p>information system monitoring records</p>
-                  <p>security impact analyses</p>
-                  <p>status reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with continuous monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-8">
-         <title>Penetration Testing</title>
-         <param id="ca-8_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ca-8_prm_2">
-            <label>organization-defined information systems or system components</label>
-         </param>
-         <prop name="label">CA-8</prop>
-         <prop name="sort-id">ca-08</prop>
-         <part id="ca-8_smt" name="statement">
-            <p>The organization conducts penetration testing <insert param-id="ca-8_prm_1"/> on
-                  <insert param-id="ca-8_prm_2"/>.</p>
-         </part>
-         <part id="ca-8_gdn" name="guidance">
-            <p>Penetration testing is a specialized type of assessment conducted on information
-               systems or individual system components to identify vulnerabilities that could be
-               exploited by adversaries. Such testing can be used to either validate vulnerabilities
-               or determine the degree of resistance organizational information systems have to
-               adversaries within a set of specified constraints (e.g., time, resources, and/or
-               skills). Penetration testing attempts to duplicate the actions of adversaries in
-               carrying out hostile cyber attacks against organizations and provides a more in-depth
-               analysis of security-related weaknesses/deficiencies. Organizations can also use the
-               results of vulnerability analyses to support penetration testing activities.
-               Penetration testing can be conducted on the hardware, software, or firmware
-               components of an information system and can exercise both physical and technical
-               security controls. A standard method for penetration testing includes, for example:
-               (i) pretest analysis based on full knowledge of the target system; (ii) pretest
-               identification of potential vulnerabilities based on pretest analysis; and (iii)
-               testing designed to determine exploitability of identified vulnerabilities. All
-               parties agree to the rules of engagement before the commencement of penetration
-               testing scenarios. Organizations correlate the penetration testing rules of
-               engagement with the tools, techniques, and procedures that are anticipated to be
-               employed by adversaries carrying out attacks. Organizational risk assessments guide
-               decisions on the level of independence required for personnel conducting penetration
-               testing.</p>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="ca-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-8_obj.1" name="objective">
-               <prop name="label">CA-8[1]</prop>
-               <p>defines information systems or system components on which penetration testing is
-                  to be conducted;</p>
-            </part>
-            <part id="ca-8_obj.2" name="objective">
-               <prop name="label">CA-8[2]</prop>
-               <p>defines the frequency to conduct penetration testing on organization-defined
-                  information systems or system components; and</p>
-            </part>
-            <part id="ca-8_obj.3" name="objective">
-               <prop name="label">CA-8[3]</prop>
-               <p>conducts penetration testing on organization-defined information systems or system
-                  components with the organization-defined frequency.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security assessment and authorization policy</p>
-               <p>procedures addressing penetration testing</p>
-               <p>security plan</p>
-               <p>security assessment plan</p>
-               <p>penetration test report</p>
-               <p>security assessment report</p>
-               <p>security assessment evidence</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities,
-                  system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting penetration testing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-8.1">
-            <title>Independent Penetration Agent or Team</title>
-            <prop name="label">CA-8(1)</prop>
-            <prop name="sort-id">ca-08.01</prop>
-            <part id="ca-8.1_smt" name="statement">
-               <p>The organization employs an independent penetration agent or penetration team to
-                  perform penetration testing on the information system or system components.</p>
-            </part>
-            <part id="ca-8.1_gdn" name="guidance">
-               <p>Independent penetration agents or teams are individuals or groups who conduct
-                  impartial penetration testing of organizational information systems. Impartiality
-                  implies that penetration agents or teams are free from any perceived or actual
-                  conflicts of interest with regard to the development, operation, or management of
-                  the information systems that are the targets of the penetration testing.
-                  Supplemental guidance for CA-2 (1) provides additional information regarding
-                  independent assessments that can be applied to penetration testing.</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-            </part>
-            <part id="ca-8.1_obj" name="objective">
-               <p>Determine if the organization employs an independent penetration agent or
-                  penetration team to perform penetration testing on the information system or
-                  system components. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing penetration testing</p>
-                  <p>security plan</p>
-                  <p>security assessment plan</p>
-                  <p>penetration test report</p>
-                  <p>security assessment report</p>
-                  <p>security assessment evidence</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-8.2">
-            <title>Red Team Exercises</title>
-            <param id="ca-8.2_prm_1">
-               <label>organization-defined red team exercises</label>
-            </param>
-            <param id="ca-8.2_prm_2">
-               <label>organization-defined rules of engagement</label>
-            </param>
-            <prop name="label">CA-8(2)</prop>
-            <prop name="sort-id">ca-08.02</prop>
-            <part id="ca-8.2_smt" name="statement">
-               <p>The organization employs <insert param-id="ca-8.2_prm_1"/> to simulate attempts by
-                  adversaries to compromise organizational information systems in accordance with
-                     <insert param-id="ca-8.2_prm_2"/>.</p>
-            </part>
-            <part id="ca-8.2_gdn" name="guidance">
-               <p>Red team exercises extend the objectives of penetration testing by examining the
-                  security posture of organizations and their ability to implement effective cyber
-                  defenses. As such, red team exercises reflect simulated adversarial attempts to
-                  compromise organizational mission/business functions and provide a comprehensive
-                  assessment of the security state of information systems and organizations.
-                  Simulated adversarial attempts to compromise organizational missions/business
-                  functions and the information systems that support those missions/functions may
-                  include technology-focused attacks (e.g., interactions with hardware, software, or
-                  firmware components and/or mission/business processes) and social
-                  engineering-based attacks (e.g., interactions via email, telephone, shoulder
-                  surfing, or personal conversations). While penetration testing may be largely
-                  laboratory-based testing, organizations use red team exercises to provide more
-                  comprehensive assessments that reflect real-world conditions. Red team exercises
-                  can be used to improve security awareness and training and to assess levels of
-                  security control effectiveness.</p>
-            </part>
-            <part id="ca-8.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ca-8.2_obj.1" name="objective">
-                  <prop name="label">CA-8(2)[1]</prop>
-                  <p>defines red team exercises to be employed to simulate attempts by adversaries
-                     to compromise organizational information systems;</p>
-               </part>
-               <part id="ca-8.2_obj.2" name="objective">
-                  <prop name="label">CA-8(2)[2]</prop>
-                  <p>defines rules of engagement for employing organization-defined red team
-                     exercises; and</p>
-               </part>
-               <part id="ca-8.2_obj.3" name="objective">
-                  <prop name="label">CA-8(2)[3]</prop>
-                  <p>employs organization-defined red team exercises to simulate attempts by
-                     adversaries to compromise organizational information systems in accordance with
-                     organization-defined rules of engagement.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security assessment and authorization policy</p>
-                  <p>procedures addressing penetration testing</p>
-                  <p>procedures addressing red team exercises</p>
-                  <p>security plan</p>
-                  <p>security assessment plan</p>
-                  <p>results of red team exercise</p>
-                  <p>penetration test report</p>
-                  <p>security assessment report</p>
-                  <p>rules of engagement</p>
-                  <p>security assessment evidence</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security assessment responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting employment of red team exercises</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-9">
-         <title>Internal System Connections</title>
-         <param id="ca-9_prm_1">
-            <label>organization-defined information system components or classes of
-               components</label>
-         </param>
-         <prop name="label">CA-9</prop>
-         <prop name="sort-id">ca-09</prop>
-         <part id="ca-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ca-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Authorizes internal connections of <insert param-id="ca-9_prm_1"/> to the
-                  information system; and</p>
-            </part>
-            <part id="ca-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents, for each internal connection, the interface characteristics, security
-                  requirements, and the nature of the information communicated.</p>
-            </part>
-         </part>
-         <part id="ca-9_gdn" name="guidance">
-            <p>This control applies to connections between organizational information systems and
-               (separate) constituent system components (i.e., intra-system connections) including,
-               for example, system connections with mobile devices, notebook/desktop computers,
-               printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of
-               authorizing each individual internal connection, organizations can authorize internal
-               connections for a class of components with common characteristics and/or
-               configurations, for example, all digital printers, scanners, and copiers with a
-               specified processing, storage, and transmission capability or all smart phones with a
-               specific baseline configuration.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ca-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ca-9.a_obj" name="objective">
-               <prop name="label">CA-9(a)</prop>
-               <part id="ca-9.a_obj.1" name="objective">
-                  <prop name="label">CA-9(a)[1]</prop>
-                  <p>defines information system components or classes of components to be authorized
-                     as internal connections to the information system;</p>
-               </part>
-               <part id="ca-9.a_obj.2" name="objective">
-                  <prop name="label">CA-9(a)[2]</prop>
-                  <p>authorizes internal connections of organization-defined information system
-                     components or classes of components to the information system;</p>
-               </part>
-            </part>
-            <part id="ca-9.b_obj" name="objective">
-               <prop name="label">CA-9(b)</prop>
-               <p>documents, for each internal connection:</p>
-               <part id="ca-9.b_obj.1" name="objective">
-                  <prop name="label">CA-9(b)[1]</prop>
-                  <p>the interface characteristics;</p>
-               </part>
-               <part id="ca-9.b_obj.2" name="objective">
-                  <prop name="label">CA-9(b)[2]</prop>
-                  <p>the security requirements; and</p>
-               </part>
-               <part id="ca-9.b_obj.3" name="objective">
-                  <prop name="label">CA-9(b)[3]</prop>
-                  <p>the nature of the information communicated.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Access control policy</p>
-               <p>procedures addressing information system connections</p>
-               <p>system and communications protection policy</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of components or classes of components authorized as internal system
-                  connections</p>
-               <p>security assessment report</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, implementing, or
-                  authorizing internal system connections</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-9.1">
-            <title>Security Compliance Checks</title>
-            <prop name="label">CA-9(1)</prop>
-            <prop name="sort-id">ca-09.01</prop>
-            <part id="ca-9.1_smt" name="statement">
-               <p>The information system performs security compliance checks on constituent system
-                  components prior to the establishment of the internal connection.</p>
-            </part>
-            <part id="ca-9.1_gdn" name="guidance">
-               <p>Security compliance checks may include, for example, verification of the relevant
-                  baseline configuration.</p>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="ca-9.1_obj" name="objective">
-               <p>Determine if the information system performs security compliance checks on
-                  constituent system components prior to the establishment of the internal
-                  connection. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Access control policy</p>
-                  <p>procedures addressing information system connections</p>
-                  <p>system and communications protection policy</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of components or classes of components authorized as internal system
-                     connections</p>
-                  <p>security assessment report</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for developing, implementing, or
-                     authorizing internal system connections</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting compliance checks</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="cm">
-      <title>Configuration Management</title>
-      <control class="SP800-53" id="cm-1">
-         <title>Configuration Management Policy and Procedures</title>
-         <param id="cm-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cm-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cm-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CM-1</prop>
-         <prop name="sort-id">cm-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cm-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cm-1_prm_1"/>:</p>
-               <part id="cm-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A configuration management policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cm-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the configuration management
-                     policy and associated configuration management controls; and</p>
-               </part>
-            </part>
-            <part id="cm-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cm-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Configuration management policy <insert param-id="cm-1_prm_2"/>; and</p>
-               </part>
-               <part id="cm-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Configuration management procedures <insert param-id="cm-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cm-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CM
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cm-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-1.a_obj" name="objective">
-               <prop name="label">CM-1(a)</prop>
-               <part id="cm-1.a.1_obj" name="objective">
-                  <prop name="label">CM-1(a)(1)</prop>
-                  <part id="cm-1.a.1_obj.1" name="objective">
-                     <prop name="label">CM-1(a)(1)[1]</prop>
-                     <p>develops and documents a configuration management policy that addresses:</p>
-                     <part id="cm-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cm-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CM-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cm-1.a.1_obj.2" name="objective">
-                     <prop name="label">CM-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the configuration management policy is to
-                        be disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.1_obj.3" name="objective">
-                     <prop name="label">CM-1(a)(1)[3]</prop>
-                     <p>disseminates the configuration management policy to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cm-1.a.2_obj" name="objective">
-                  <prop name="label">CM-1(a)(2)</prop>
-                  <part id="cm-1.a.2_obj.1" name="objective">
-                     <prop name="label">CM-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        configuration management policy and associated configuration management
-                        controls;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.2" name="objective">
-                     <prop name="label">CM-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cm-1.a.2_obj.3" name="objective">
-                     <prop name="label">CM-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-1.b_obj" name="objective">
-               <prop name="label">CM-1(b)</prop>
-               <part id="cm-1.b.1_obj" name="objective">
-                  <prop name="label">CM-1(b)(1)</prop>
-                  <part id="cm-1.b.1_obj.1" name="objective">
-                     <prop name="label">CM-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management policy;</p>
-                  </part>
-                  <part id="cm-1.b.1_obj.2" name="objective">
-                     <prop name="label">CM-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current configuration management policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cm-1.b.2_obj" name="objective">
-                  <prop name="label">CM-1(b)(2)</prop>
-                  <part id="cm-1.b.2_obj.1" name="objective">
-                     <prop name="label">CM-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current configuration
-                        management procedures; and</p>
-                  </part>
-                  <part id="cm-1.b.2_obj.2" name="objective">
-                     <prop name="label">CM-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current configuration management procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-2">
-         <title>Baseline Configuration</title>
-         <prop name="label">CM-2</prop>
-         <prop name="sort-id">cm-02</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-2_smt" name="statement">
-            <p>The organization develops, documents, and maintains under configuration control, a
-               current baseline configuration of the information system.</p>
-         </part>
-         <part id="cm-2_gdn" name="guidance">
-            <p>This control establishes baseline configurations for information systems and system
-               components including communications and connectivity-related aspects of systems.
-               Baseline configurations are documented, formally reviewed and agreed-upon sets of
-               specifications for information systems or configuration items within those systems.
-               Baseline configurations serve as a basis for future builds, releases, and/or changes
-               to information systems. Baseline configurations include information about information
-               system components (e.g., standard software packages installed on workstations,
-               notebook computers, servers, network components, or mobile devices; current version
-               numbers and patch information on operating systems and applications; and
-               configuration settings/parameters), network topology, and the logical placement of
-               those components within the system architecture. Maintaining baseline configurations
-               requires creating new baselines as organizational information systems change over
-               time. Baseline configurations of information systems reflect the current enterprise
-               architecture.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-         </part>
-         <part id="cm-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-2_obj.1" name="objective">
-               <prop name="label">CM-2[1]</prop>
-               <p>develops and documents a current baseline configuration of the information system;
-                  and</p>
-            </part>
-            <part id="cm-2_obj.2" name="objective">
-               <prop name="label">CM-2[2]</prop>
-               <p>maintains, under configuration control, a current baseline configuration of the
-                  information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing the baseline configuration of the information system</p>
-               <p>configuration management plan</p>
-               <p>enterprise architecture documentation</p>
-               <p>information system design documentation</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>change control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing baseline configurations</p>
-               <p>automated mechanisms supporting configuration control of the baseline
-                  configuration</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-2.1">
-            <title>Reviews and Updates</title>
-            <param id="cm-2.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="cm-2.1_prm_2">
-               <label>Assignment organization-defined circumstances</label>
-            </param>
-            <prop name="label">CM-2(1)</prop>
-            <prop name="sort-id">cm-02.01</prop>
-            <part id="cm-2.1_smt" name="statement">
-               <p>The organization reviews and updates the baseline configuration of the information
-                  system:</p>
-               <part id="cm-2.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>
-                     <insert param-id="cm-2.1_prm_1"/>;</p>
-               </part>
-               <part id="cm-2.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>When required due to <insert param-id="cm-2.1_prm_2"/>; and</p>
-               </part>
-               <part id="cm-2.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>As an integral part of information system component installations and
-                     upgrades.</p>
-               </part>
-            </part>
-            <part id="cm-2.1_gdn" name="guidance">
-               <link rel="related" href="#cm-5">CM-5</link>
-            </part>
-            <part id="cm-2.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.1.a_obj" name="objective">
-                  <prop name="label">CM-2(1)(a)</prop>
-                  <part id="cm-2.1.a_obj.1" name="objective">
-                     <prop name="label">CM-2(1)(a)[1]</prop>
-                     <p>defines the frequency to review and update the baseline configuration of the
-                        information system;</p>
-                  </part>
-                  <part id="cm-2.1.a_obj.2" name="objective">
-                     <prop name="label">CM-2(1)(a)[2]</prop>
-                     <p>reviews and updates the baseline configuration of the information system
-                        with the organization-defined frequency;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.1_smt.a">CM-2(1)(a)</link>
-               </part>
-               <part id="cm-2.1.b_obj" name="objective">
-                  <prop name="label">CM-2(1)(b)</prop>
-                  <part id="cm-2.1.b_obj.1" name="objective">
-                     <prop name="label">CM-2(1)(b)[1]</prop>
-                     <p>defines circumstances that require the baseline configuration of the
-                        information system to be reviewed and updated;</p>
-                  </part>
-                  <part id="cm-2.1.b_obj.2" name="objective">
-                     <prop name="label">CM-2(1)(b)[2]</prop>
-                     <p>reviews and updates the baseline configuration of the information system
-                        when required due to organization-defined circumstances; and</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.1_smt.b">CM-2(1)(b)</link>
-               </part>
-               <part id="cm-2.1.c_obj" name="objective">
-                  <prop name="label">CM-2(1)(c)</prop>
-                  <p>reviews and updates the baseline configuration of the information system as an
-                     integral part of information system component installations and upgrades.</p>
-                  <link rel="corresp" href="#cm-2.1_smt.c">CM-2(1)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>procedures addressing information system component installations and
-                     upgrades</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of information system baseline configuration reviews and updates</p>
-                  <p>information system component installations/upgrades and associated records</p>
-                  <p>change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-                  <p>automated mechanisms supporting review and update of the baseline
-                     configuration</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.2">
-            <title>Automation Support for Accuracy / Currency</title>
-            <prop name="label">CM-2(2)</prop>
-            <prop name="sort-id">cm-02.02</prop>
-            <part id="cm-2.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to maintain an up-to-date, complete,
-                  accurate, and readily available baseline configuration of the information
-                  system.</p>
-            </part>
-            <part id="cm-2.2_gdn" name="guidance">
-               <p>Automated mechanisms that help organizations maintain consistent baseline
-                  configurations for information systems include, for example, hardware and software
-                  inventory tools, configuration management tools, and network management tools.
-                  Such tools can be deployed and/or allocated as common controls, at the information
-                  system level, or at the operating system or component level (e.g., on
-                  workstations, servers, notebook computers, network components, or mobile devices).
-                  Tools can be used, for example, to track version numbers on operating system
-                  applications, types of software installed, and current patch levels. This control
-                  enhancement can be satisfied by the implementation of CM-8 (2) for organizations
-                  that choose to combine information system component inventory and baseline
-                  configuration activities.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="cm-2.2_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to maintain: </p>
-               <part id="cm-2.2_obj.1" name="objective">
-                  <prop name="label">CM-2(2)[1]</prop>
-                  <p>an up-to-date baseline configuration of the information system;</p>
-               </part>
-               <part id="cm-2.2_obj.2" name="objective">
-                  <prop name="label">CM-2(2)[2]</prop>
-                  <p>a complete baseline configuration of the information system;</p>
-               </part>
-               <part id="cm-2.2_obj.3" name="objective">
-                  <prop name="label">CM-2(2)[3]</prop>
-                  <p>an accurate baseline configuration of the information system; and</p>
-               </part>
-               <part id="cm-2.2_obj.4" name="objective">
-                  <prop name="label">CM-2(2)[4]</prop>
-                  <p>a readily available baseline configuration of the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>configuration change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-                  <p>automated mechanisms implementing baseline configuration maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.3">
-            <title>Retention of Previous Configurations</title>
-            <param id="cm-2.3_prm_1">
-               <label>organization-defined previous versions of baseline configurations of the
-                  information system</label>
-            </param>
-            <prop name="label">CM-2(3)</prop>
-            <prop name="sort-id">cm-02.03</prop>
-            <part id="cm-2.3_smt" name="statement">
-               <p>The organization retains <insert param-id="cm-2.3_prm_1"/> to support
-                  rollback.</p>
-            </part>
-            <part id="cm-2.3_gdn" name="guidance">
-               <p>Retaining previous versions of baseline configurations to support rollback may
-                  include, for example, hardware, software, firmware, configuration files, and
-                  configuration records.</p>
-            </part>
-            <part id="cm-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.3_obj.1" name="objective">
-                  <prop name="label">CM-2(3)[1]</prop>
-                  <p>defines previous versions of baseline configurations of the information system
-                     to be retained to support rollback; and</p>
-               </part>
-               <part id="cm-2.3_obj.2" name="objective">
-                  <prop name="label">CM-2(3)[2]</prop>
-                  <p>retains organization-defined previous versions of baseline configurations of
-                     the information system to support rollback.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>copies of previous baseline configuration versions</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.4">
-            <title>Unauthorized Software</title>
-            <prop name="label">CM-2(4)</prop>
-            <prop name="sort-id">cm-02.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cm-7">CM-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.5">
-            <title>Authorized Software</title>
-            <prop name="label">CM-2(5)</prop>
-            <prop name="sort-id">cm-02.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cm-7">CM-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.6">
-            <title>Development and Test Environments</title>
-            <prop name="label">CM-2(6)</prop>
-            <prop name="sort-id">cm-02.06</prop>
-            <part id="cm-2.6_smt" name="statement">
-               <p>The organization maintains a baseline configuration for information system
-                  development and test environments that is managed separately from the operational
-                  baseline configuration.</p>
-            </part>
-            <part id="cm-2.6_gdn" name="guidance">
-               <p>Establishing separate baseline configurations for development, testing, and
-                  operational environments helps protect information systems from
-                  unplanned/unexpected events related to development and testing activities.
-                  Separate baseline configurations allow organizations to apply the configuration
-                  management that is most appropriate for each type of configuration. For example,
-                  management of operational configurations typically emphasizes the need for
-                  stability, while management of development/test configurations requires greater
-                  flexibility. Configurations in the test environment mirror the configurations in
-                  the operational environment to the extent practicable so that the results of the
-                  testing are representative of the proposed changes to the operational systems.
-                  This control enhancement requires separate configurations but not necessarily
-                  separate physical environments.</p>
-               <link rel="related" href="#cm-4">CM-4</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-               <link rel="related" href="#sc-7">SC-7</link>
-            </part>
-            <part id="cm-2.6_obj" name="objective">
-               <p>Determine if the organization maintains a baseline configuration for information
-                  system development and test environments that is managed separately from the
-                  operational baseline configuration.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-                  <p>automated mechanisms implementing separate baseline configurations for
-                     development, test, and operational environments</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.7">
-            <title>Configure Systems, Components, or Devices for High-risk Areas</title>
-            <param id="cm-2.7_prm_1">
-               <label>organization-defined information systems, system components, or
-                  devices</label>
-            </param>
-            <param id="cm-2.7_prm_2">
-               <label>organization-defined configurations</label>
-            </param>
-            <param id="cm-2.7_prm_3">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">CM-2(7)</prop>
-            <prop name="sort-id">cm-02.07</prop>
-            <part id="cm-2.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-2.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Issues <insert param-id="cm-2.7_prm_1"/> with <insert param-id="cm-2.7_prm_2"/>
-                     to individuals traveling to locations that the organization deems to be of
-                     significant risk; and</p>
-               </part>
-               <part id="cm-2.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Applies <insert param-id="cm-2.7_prm_3"/> to the devices when the individuals
-                     return.</p>
-               </part>
-            </part>
-            <part id="cm-2.7_gdn" name="guidance">
-               <p>When it is known that information systems, system components, or devices (e.g.,
-                  notebook computers, mobile devices) will be located in high-risk areas, additional
-                  security controls may be implemented to counter the greater threat in such areas
-                  coupled with the lack of physical security relative to organizational-controlled
-                  areas. For example, organizational policies and procedures for notebook computers
-                  used by individuals departing on and returning from travel include, for example,
-                  determining which locations are of concern, defining required configurations for
-                  the devices, ensuring that the devices are configured as intended before travel is
-                  initiated, and applying specific safeguards to the device after travel is
-                  completed. Specially configured notebook computers include, for example, computers
-                  with sanitized hard drives, limited applications, and additional hardening (e.g.,
-                  more stringent configuration settings). Specified safeguards applied to mobile
-                  devices upon return from travel include, for example, examining the device for
-                  signs of physical tampering and purging/reimaging the hard disk drive. Protecting
-                  information residing on mobile devices is covered in the media protection
-                  family.</p>
-            </part>
-            <part id="cm-2.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-2.7.a_obj" name="objective">
-                  <prop name="label">CM-2(7)(a)</prop>
-                  <part id="cm-2.7.a_obj.1" name="objective">
-                     <prop name="label">CM-2(7)(a)[1]</prop>
-                     <p>defines information systems, system components, or devices to be issued to
-                        individuals traveling to locations that the organization deems to be of
-                        significant risk;</p>
-                  </part>
-                  <part id="cm-2.7.a_obj.2" name="objective">
-                     <prop name="label">CM-2(7)(a)[2]</prop>
-                     <p>defines configurations to be employed on organization-defined information
-                        systems, system components, or devices issued to individuals traveling to
-                        such locations;</p>
-                  </part>
-                  <part id="cm-2.7.a_obj.3" name="objective">
-                     <prop name="label">CM-2(7)(a)[3]</prop>
-                     <p>issues organization-defined information systems, system components, or
-                        devices with organization-defined configurations to individuals traveling to
-                        locations that the organization deems to be of significant risk;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.7_smt.a">CM-2(7)(a)</link>
-               </part>
-               <part id="cm-2.7.b_obj" name="objective">
-                  <prop name="label">CM-2(7)(b)</prop>
-                  <part id="cm-2.7.b_obj.1" name="objective">
-                     <prop name="label">CM-2(7)(b)[1]</prop>
-                     <p>defines security safeguards to be applied to the devices when the
-                        individuals return; and</p>
-                  </part>
-                  <part id="cm-2.7.b_obj.2" name="objective">
-                     <prop name="label">CM-2(7)(b)[2]</prop>
-                     <p>applies organization-defined safeguards to the devices when the individuals
-                        return.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-2.7_smt.b">CM-2(7)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>procedures addressing information system component installations and
-                     upgrades</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of information system baseline configuration reviews and updates</p>
-                  <p>information system component installations/upgrades and associated records</p>
-                  <p>change control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing baseline configurations</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-3">
-         <title>Configuration Change Control</title>
-         <param id="cm-3_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="cm-3_prm_2">
-            <label>organization-defined configuration change control element (e.g., committee,
-               board)</label>
-         </param>
-         <param id="cm-3_prm_3">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="cm-3_prm_4"/>
-               </choice>
-               <choice>
-                  <insert param-id="cm-3_prm_5"/>
-               </choice>
-            </select>
-         </param>
-         <param id="cm-3_prm_4" depends-on="cm-3_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cm-3_prm_5" depends-on="cm-3_prm_3">
-            <label>organization-defined configuration change conditions</label>
-         </param>
-         <prop name="label">CM-3</prop>
-         <prop name="sort-id">cm-03</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines the types of changes to the information system that are
-                  configuration-controlled;</p>
-            </part>
-            <part id="cm-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews proposed configuration-controlled changes to the information system and
-                  approves or disapproves such changes with explicit consideration for security
-                  impact analyses;</p>
-            </part>
-            <part id="cm-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents configuration change decisions associated with the information
-                  system;</p>
-            </part>
-            <part id="cm-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implements approved configuration-controlled changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Retains records of configuration-controlled changes to the information system for
-                     <insert param-id="cm-3_prm_1"/>;</p>
-            </part>
-            <part id="cm-3_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Audits and reviews activities associated with configuration-controlled changes to
-                  the information system; and</p>
-            </part>
-            <part id="cm-3_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Coordinates and provides oversight for configuration change control activities
-                  through <insert param-id="cm-3_prm_2"/> that convenes <insert param-id="cm-3_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="cm-3_gdn" name="guidance">
-            <p>Configuration change controls for organizational information systems involve the
-               systematic proposal, justification, implementation, testing, review, and disposition
-               of changes to the systems, including system upgrades and modifications. Configuration
-               change control includes changes to baseline configurations for components and
-               configuration items of information systems, changes to configuration settings for
-               information technology products (e.g., operating systems, applications, firewalls,
-               routers, and mobile devices), unscheduled/unauthorized changes, and changes to
-               remediate vulnerabilities. Typical processes for managing configuration changes to
-               information systems include, for example, Configuration Control Boards that approve
-               proposed changes to systems. For new development information systems or systems
-               undergoing major upgrades, organizations consider including representatives from
-               development organizations on the Configuration Control Boards. Auditing of changes
-               includes activities before and after changes are made to organizational information
-               systems and the auditing activities required to implement such changes.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-12">SI-12</link>
-         </part>
-         <part id="cm-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-3.a_obj" name="objective">
-               <prop name="label">CM-3(a)</prop>
-               <p>determines the type of changes to the information system that must be
-                  configuration-controlled;</p>
-            </part>
-            <part id="cm-3.b_obj" name="objective">
-               <prop name="label">CM-3(b)</prop>
-               <p>reviews proposed configuration-controlled changes to the information system and
-                  approves or disapproves such changes with explicit consideration for security
-                  impact analyses;</p>
-            </part>
-            <part id="cm-3.c_obj" name="objective">
-               <prop name="label">CM-3(c)</prop>
-               <p>documents configuration change decisions associated with the information
-                  system;</p>
-            </part>
-            <part id="cm-3.d_obj" name="objective">
-               <prop name="label">CM-3(d)</prop>
-               <p>implements approved configuration-controlled changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-3.e_obj" name="objective">
-               <prop name="label">CM-3(e)</prop>
-               <part id="cm-3.e_obj.1" name="objective">
-                  <prop name="label">CM-3(e)[1]</prop>
-                  <p>defines a time period to retain records of configuration-controlled changes to
-                     the information system;</p>
-               </part>
-               <part id="cm-3.e_obj.2" name="objective">
-                  <prop name="label">CM-3(e)[2]</prop>
-                  <p>retains records of configuration-controlled changes to the information system
-                     for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="cm-3.f_obj" name="objective">
-               <prop name="label">CM-3(f)</prop>
-               <p>audits and reviews activities associated with configuration-controlled changes to
-                  the information system;</p>
-            </part>
-            <part id="cm-3.g_obj" name="objective">
-               <prop name="label">CM-3(g)</prop>
-               <part id="cm-3.g_obj.1" name="objective">
-                  <prop name="label">CM-3(g)[1]</prop>
-                  <p>defines a configuration change control element (e.g., committee, board)
-                     responsible for coordinating and providing oversight for configuration change
-                     control activities;</p>
-               </part>
-               <part id="cm-3.g_obj.2" name="objective">
-                  <prop name="label">CM-3(g)[2]</prop>
-                  <p>defines the frequency with which the configuration change control element must
-                     convene; and/or</p>
-               </part>
-               <part id="cm-3.g_obj.3" name="objective">
-                  <prop name="label">CM-3(g)[3]</prop>
-                  <p>defines configuration change conditions that prompt the configuration change
-                     control element to convene; and</p>
-               </part>
-               <part id="cm-3.g_obj.4" name="objective">
-                  <prop name="label">CM-3(g)[4]</prop>
-                  <p>coordinates and provides oversight for configuration change control activities
-                     through organization-defined configuration change control element that convenes
-                     at organization-defined frequency and/or for any organization-defined
-                     configuration change conditions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing information system configuration change control</p>
-               <p>configuration management plan</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>security plan</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>change control audit and review reports</p>
-               <p>agenda /minutes from configuration change control oversight meetings</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with configuration change control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>members of change control board or similar</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for configuration change control</p>
-               <p>automated mechanisms that implement configuration change control</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-3.1">
-            <title>Automated Document / Notification / Prohibition of Changes</title>
-            <param id="cm-3.1_prm_1">
-               <label>organized-defined approval authorities</label>
-            </param>
-            <param id="cm-3.1_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <param id="cm-3.1_prm_3">
-               <label>organization-defined personnel</label>
-            </param>
-            <prop name="label">CM-3(1)</prop>
-            <prop name="sort-id">cm-03.01</prop>
-            <part id="cm-3.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to:</p>
-               <part id="cm-3.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Document proposed changes to the information system;</p>
-               </part>
-               <part id="cm-3.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Notify <insert param-id="cm-3.1_prm_1"/> of proposed changes to the information
-                     system and request change approval;</p>
-               </part>
-               <part id="cm-3.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Highlight proposed changes to the information system that have not been
-                     approved or disapproved by <insert param-id="cm-3.1_prm_2"/>;</p>
-               </part>
-               <part id="cm-3.1_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Prohibit changes to the information system until designated approvals are
-                     received;</p>
-               </part>
-               <part id="cm-3.1_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Document all changes to the information system; and</p>
-               </part>
-               <part id="cm-3.1_smt.f" name="item">
-                  <prop name="label">(f)</prop>
-                  <p>Notify <insert param-id="cm-3.1_prm_3"/> when approved changes to the
-                     information system are completed.</p>
-               </part>
-            </part>
-            <part id="cm-3.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-3.1.a_obj" name="objective">
-                  <prop name="label">CM-3(1)(a)</prop>
-                  <p>employs automated mechanisms to document proposed changes to the information
-                     system;</p>
-                  <link rel="corresp" href="#cm-3.1_smt.a">CM-3(1)(a)</link>
-               </part>
-               <part id="cm-3.1.b_obj" name="objective">
-                  <prop name="label">CM-3(1)(b)</prop>
-                  <part id="cm-3.1.b_obj.1" name="objective">
-                     <prop name="label">CM-3(1)(b)[1]</prop>
-                     <p>defines approval authorities to be notified of proposed changes to the
-                        information system and request change approval;</p>
-                  </part>
-                  <part id="cm-3.1.b_obj.2" name="objective">
-                     <prop name="label">CM-3(1)(b)[2]</prop>
-                     <p>employs automated mechanisms to notify organization-defined approval
-                        authorities of proposed changes to the information system and request change
-                        approval;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-3.1_smt.b">CM-3(1)(b)</link>
-               </part>
-               <part id="cm-3.1.c_obj" name="objective">
-                  <prop name="label">CM-3(1)(c)</prop>
-                  <part id="cm-3.1.c_obj.1" name="objective">
-                     <prop name="label">CM-3(1)(c)[1]</prop>
-                     <p>defines the time period within which proposed changes to the information
-                        system that have not been approved or disapproved must be highlighted;</p>
-                  </part>
-                  <part id="cm-3.1.c_obj.2" name="objective">
-                     <prop name="label">CM-3(1)(c)[2]</prop>
-                     <p>employs automated mechanisms to highlight proposed changes to the
-                        information system that have not been approved or disapproved by
-                        organization-defined time period;</p>
-                  </part>
-                  <link rel="corresp" href="#cm-3.1_smt.c">CM-3(1)(c)</link>
-               </part>
-               <part id="cm-3.1.d_obj" name="objective">
-                  <prop name="label">CM-3(1)(d)</prop>
-                  <p>employs automated mechanisms to prohibit changes to the information system
-                     until designated approvals are received;</p>
-                  <link rel="corresp" href="#cm-3.1_smt.d">CM-3(1)(d)</link>
-               </part>
-               <part id="cm-3.1.e_obj" name="objective">
-                  <prop name="label">CM-3(1)(e)</prop>
-                  <p>employs automated mechanisms to document all changes to the information
-                     system;</p>
-                  <link rel="corresp" href="#cm-3.1_smt.e">CM-3(1)(e)</link>
-               </part>
-               <part id="cm-3.1.f_obj" name="objective">
-                  <prop name="label">CM-3(1)(f)</prop>
-                  <part id="cm-3.1.f_obj.1" name="objective">
-                     <prop name="label">CM-3(1)(f)[1]</prop>
-                     <p>defines personnel to be notified when approved changes to the information
-                        system are completed; and</p>
-                  </part>
-                  <part id="cm-3.1.f_obj.2" name="objective">
-                     <prop name="label">CM-3(1)(f)[2]</prop>
-                     <p>employs automated mechanisms to notify organization-defined personnel when
-                        approved changes to the information system are completed.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-3.1_smt.f">CM-3(1)(f)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>automated configuration control mechanisms</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>change approval requests</p>
-                  <p>change approvals</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-                  <p>automated mechanisms implementing configuration change control activities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.2">
-            <title>Test / Validate / Document Changes</title>
-            <prop name="label">CM-3(2)</prop>
-            <prop name="sort-id">cm-03.02</prop>
-            <part id="cm-3.2_smt" name="statement">
-               <p>The organization tests, validates, and documents changes to the information system
-                  before implementing the changes on the operational system.</p>
-            </part>
-            <part id="cm-3.2_gdn" name="guidance">
-               <p>Changes to information systems include modifications to hardware, software, or
-                  firmware components and configuration settings defined in CM-6. Organizations
-                  ensure that testing does not interfere with information system operations.
-                  Individuals/groups conducting tests understand organizational security policies
-                  and procedures, information system security policies and procedures, and the
-                  specific health, safety, and environmental risks associated with particular
-                  facilities/processes. Operational systems may need to be taken off-line, or
-                  replicated to the extent feasible, before testing can be conducted. If information
-                  systems must be taken off-line for testing, the tests are scheduled to occur
-                  during planned system outages whenever possible. If testing cannot be conducted on
-                  operational systems, organizations employ compensating controls (e.g., testing on
-                  replicated systems).</p>
-            </part>
-            <part id="cm-3.2_obj" name="objective">
-               <p>Determine if the organization, before implementing changes on the operational
-                  system:</p>
-               <part id="cm-3.2_obj.1" name="objective">
-                  <prop name="label">CM-3(2)[1]</prop>
-                  <p>tests changes to the information system;</p>
-               </part>
-               <part id="cm-3.2_obj.2" name="objective">
-                  <prop name="label">CM-3(2)[2]</prop>
-                  <p>validates changes to the information system; and</p>
-               </part>
-               <part id="cm-3.2_obj.3" name="objective">
-                  <prop name="label">CM-3(2)[3]</prop>
-                  <p>documents changes to the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>test records</p>
-                  <p>validation records</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-                  <p>automated mechanisms supporting and/or implementing testing, validating, and
-                     documenting information system changes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.3">
-            <title>Automated Change Implementation</title>
-            <prop name="label">CM-3(3)</prop>
-            <prop name="sort-id">cm-03.03</prop>
-            <part id="cm-3.3_smt" name="statement">
-               <p>The organization employs automated mechanisms to implement changes to the current
-                  information system baseline and deploys the updated baseline across the installed
-                  base.</p>
-            </part>
-            <part id="cm-3.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-3.3_obj.1" name="objective">
-                  <prop name="label">CM-3(3)[1]</prop>
-                  <p>employs automated mechanisms to implement changes to the current information
-                     system baseline; and</p>
-               </part>
-               <part id="cm-3.3_obj.2" name="objective">
-                  <prop name="label">CM-3(3)[2]</prop>
-                  <p>deploys the updated baseline across the installed base.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>automated configuration control mechanisms</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-                  <p>automated mechanisms implementing changes to current information system
-                     baseline</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.4">
-            <title>Security Representative</title>
-            <param id="cm-3.4_prm_1">
-               <label>organization-defined configuration change control element</label>
-            </param>
-            <prop name="label">CM-3(4)</prop>
-            <prop name="sort-id">cm-03.04</prop>
-            <part id="cm-3.4_smt" name="statement">
-               <p>The organization requires an information security representative to be a member of
-                  the <insert param-id="cm-3.4_prm_1"/>.</p>
-            </part>
-            <part id="cm-3.4_gdn" name="guidance">
-               <p>Information security representatives can include, for example, senior agency
-                  information security officers, information system security officers, or
-                  information system security managers. Representation by personnel with information
-                  security expertise is important because changes to information system
-                  configurations can have unintended side effects, some of which may be
-                  security-relevant. Detecting such changes early in the process can help avoid
-                  unintended, negative consequences that could ultimately affect the security state
-                  of organizational information systems. The configuration change control element in
-                  this control enhancement reflects the change control elements defined by
-                  organizations in CM-3.</p>
-            </part>
-            <part id="cm-3.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-3.4_obj.1" name="objective">
-                  <prop name="label">CM-3(4)[1]</prop>
-                  <p>specifies the configuration change control elements (as defined in CM-3g) of
-                     which an information security representative is to be a member; and</p>
-               </part>
-               <part id="cm-3.4_obj.2" name="objective">
-                  <prop name="label">CM-3(4)[2]</prop>
-                  <p>requires an information security representative to be a member of the specified
-                     configuration control element.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.5">
-            <title>Automated Security Response</title>
-            <param id="cm-3.5_prm_1">
-               <label>organization-defined security responses</label>
-            </param>
-            <prop name="label">CM-3(5)</prop>
-            <prop name="sort-id">cm-03.05</prop>
-            <part id="cm-3.5_smt" name="statement">
-               <p>The information system implements <insert param-id="cm-3.5_prm_1"/> automatically
-                  if baseline configurations are changed in an unauthorized manner.</p>
-            </part>
-            <part id="cm-3.5_gdn" name="guidance">
-               <p>Security responses include, for example, halting information system processing,
-                  halting selected system functions, or issuing alerts/notifications to
-                  organizational personnel when there is an unauthorized modification of a
-                  configuration item.</p>
-            </part>
-            <part id="cm-3.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-3.5_obj.1" name="objective">
-                  <prop name="label">CM-3(5)[1]</prop>
-                  <p>the organization defines security responses to be implemented automatically if
-                     baseline configurations are changed in an unauthorized manner; and</p>
-               </part>
-               <part id="cm-3.5_obj.2" name="objective">
-                  <prop name="label">CM-3(5)[2]</prop>
-                  <p>the information system implements organization-defined security responses
-                     automatically if baseline configurations are changed in an unauthorized
-                     manner.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>alerts/notifications of unauthorized baseline configuration changes</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-                  <p>automated mechanisms implementing security responses to changes to the baseline
-                     configurations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.6">
-            <title>Cryptography Management</title>
-            <param id="cm-3.6_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">CM-3(6)</prop>
-            <prop name="sort-id">cm-03.06</prop>
-            <part id="cm-3.6_smt" name="statement">
-               <p>The organization ensures that cryptographic mechanisms used to provide <insert param-id="cm-3.6_prm_1"/> are under configuration management.</p>
-            </part>
-            <part id="cm-3.6_gdn" name="guidance">
-               <p>Regardless of the cryptographic means employed (e.g., public key, private key,
-                  shared secrets), organizations ensure that there are processes and procedures in
-                  place to effectively manage those means. For example, if devices use certificates
-                  as a basis for identification and authentication, there needs to be a process in
-                  place to address the expiration of those certificates.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="cm-3.6_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-3.6_obj.1" name="objective">
-                  <prop name="label">CM-3(6)[1]</prop>
-                  <p>defines security safeguards provided by cryptographic mechanisms that are to be
-                     under configuration management; and</p>
-               </part>
-               <part id="cm-3.6_obj.2" name="objective">
-                  <prop name="label">CM-3(6)[2]</prop>
-                  <p>ensures that cryptographic mechanisms used to provide organization-defined
-                     security safeguards are under configuration management.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system configuration change control</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with configuration change control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration change control</p>
-                  <p>cryptographic mechanisms implementing organizational security safeguards</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-4">
-         <title>Security Impact Analysis</title>
-         <prop name="label">CM-4</prop>
-         <prop name="sort-id">cm-04</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-4_smt" name="statement">
-            <p>The organization analyzes changes to the information system to determine potential
-               security impacts prior to change implementation.</p>
-         </part>
-         <part id="cm-4_gdn" name="guidance">
-            <p>Organizational personnel with information security responsibilities (e.g.,
-               Information System Administrators, Information System Security Officers, Information
-               System Security Managers, and Information System Security Engineers) conduct security
-               impact analyses. Individuals conducting security impact analyses possess the
-               necessary skills/technical expertise to analyze the changes to information systems
-               and the associated security ramifications. Security impact analysis may include, for
-               example, reviewing security plans to understand security control requirements and
-               reviewing system design documentation to understand control implementation and how
-               specific changes might affect the controls. Security impact analyses may also include
-               assessments of risk to better understand the impact of the changes and to determine
-               if additional security controls are required. Security impact analyses are scaled in
-               accordance with the security categories of the information systems.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="cm-4_obj" name="objective">
-            <p>Determine if the organization analyzes changes to the information system to determine
-               potential security impacts prior to change implementation.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing security impact analysis for changes to the information
-                  system</p>
-               <p>configuration management plan</p>
-               <p>security impact analysis documentation</p>
-               <p>analysis tools and associated outputs</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for conducting security impact
-                  analysis</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security impact analysis</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-4.1">
-            <title>Separate Test Environments</title>
-            <prop name="label">CM-4(1)</prop>
-            <prop name="sort-id">cm-04.01</prop>
-            <part id="cm-4.1_smt" name="statement">
-               <p>The organization analyzes changes to the information system in a separate test
-                  environment before implementation in an operational environment, looking for
-                  security impacts due to flaws, weaknesses, incompatibility, or intentional
-                  malice.</p>
-            </part>
-            <part id="cm-4.1_gdn" name="guidance">
-               <p>Separate test environment in this context means an environment that is physically
-                  or logically isolated and distinct from the operational environment. The
-                  separation is sufficient to ensure that activities in the test environment do not
-                  impact activities in the operational environment, and information in the
-                  operational environment is not inadvertently transmitted to the test environment.
-                  Separate environments can be achieved by physical or logical means. If physically
-                  separate test environments are not used, organizations determine the strength of
-                  mechanism required when implementing logical separation (e.g., separation achieved
-                  through virtual machines).</p>
-               <link rel="related" href="#sa-11">SA-11</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-               <link rel="related" href="#sc-7">SC-7</link>
-            </part>
-            <part id="cm-4.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-4.1_obj.1" name="objective">
-                  <prop name="label">CM-4(1)[1]</prop>
-                  <p>analyzes changes to the information system in a separate test environment
-                     before implementation in an operational environment;</p>
-               </part>
-               <part id="cm-4.1_obj.2" name="objective">
-                  <prop name="label">CM-4(1)[2]</prop>
-                  <p>when analyzing changes to the information system in a separate test
-                     environment, looks for security impacts due to:</p>
-                  <part id="cm-4.1_obj.2.a" name="objective">
-                     <prop name="label">CM-4(1)[2][a]</prop>
-                     <p>flaws;</p>
-                  </part>
-                  <part id="cm-4.1_obj.2.b" name="objective">
-                     <prop name="label">CM-4(1)[2][b]</prop>
-                     <p>weaknesses;</p>
-                  </part>
-                  <part id="cm-4.1_obj.2.c" name="objective">
-                     <prop name="label">CM-4(1)[2][c]</prop>
-                     <p>incompatibility; and</p>
-                  </part>
-                  <part id="cm-4.1_obj.2.d" name="objective">
-                     <prop name="label">CM-4(1)[2][d]</prop>
-                     <p>intentional malice.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing security impact analysis for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security impact analysis documentation</p>
-                  <p>analysis tools and associated outputs information system design
-                     documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>documentation evidence of separate test and operational environments</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for conducting security impact
-                     analysis</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for security impact analysis</p>
-                  <p>automated mechanisms supporting and/or implementing security impact analysis of
-                     changes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-4.2">
-            <title>Verification of Security Functions</title>
-            <prop name="label">CM-4(2)</prop>
-            <prop name="sort-id">cm-04.02</prop>
-            <part id="cm-4.2_smt" name="statement">
-               <p>The organization, after the information system is changed, checks the security
-                  functions to verify that the functions are implemented correctly, operating as
-                  intended, and producing the desired outcome with regard to meeting the security
-                  requirements for the system.</p>
-            </part>
-            <part id="cm-4.2_gdn" name="guidance">
-               <p>Implementation is this context refers to installing changed code in the
-                  operational information system.</p>
-               <link rel="related" href="#sa-11">SA-11</link>
-            </part>
-            <part id="cm-4.2_obj" name="objective">
-               <p>Determine if the organization, after the information system is changed, checks the
-                  security functions to verify that the functions are:</p>
-               <part id="cm-4.2_obj.1" name="objective">
-                  <prop name="label">CM-4(2)[1]</prop>
-                  <p>implemented correctly;</p>
-               </part>
-               <part id="cm-4.2_obj.2" name="objective">
-                  <prop name="label">CM-4(2)[2]</prop>
-                  <p>operating as intended; and</p>
-               </part>
-               <part id="cm-4.2_obj.3" name="objective">
-                  <prop name="label">CM-4(2)[3]</prop>
-                  <p>producing the desired outcome with regard to meeting the security requirements
-                     for the system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing security impact analysis for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security impact analysis documentation</p>
-                  <p>analysis tools and associated outputs</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for conducting security impact
-                     analysis</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for security impact analysis</p>
-                  <p>automated mechanisms supporting and/or implementing verification of security
-                     functions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-5">
-         <title>Access Restrictions for Change</title>
-         <prop name="label">CM-5</prop>
-         <prop name="sort-id">cm-05</prop>
-         <part id="cm-5_smt" name="statement">
-            <p>The organization defines, documents, approves, and enforces physical and logical
-               access restrictions associated with changes to the information system.</p>
-         </part>
-         <part id="cm-5_gdn" name="guidance">
-            <p>Any changes to the hardware, software, and/or firmware components of information
-               systems can potentially have significant effects on the overall security of the
-               systems. Therefore, organizations permit only qualified and authorized individuals to
-               access information systems for purposes of initiating changes, including upgrades and
-               modifications. Organizations maintain records of access to ensure that configuration
-               change control is implemented and to support after-the-fact actions should
-               organizations discover any unauthorized changes. Access restrictions for change also
-               include software libraries. Access restrictions include, for example, physical and
-               logical access controls (see AC-3 and PE-3), workflow automation, media libraries,
-               abstract layers (e.g., changes implemented into third-party interfaces rather than
-               directly into information systems), and change windows (e.g., changes occur only
-               during specified times, making unauthorized changes easy to discover).</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="cm-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-5_obj.1" name="objective">
-               <prop name="label">CM-5[1]</prop>
-               <p>defines physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.2" name="objective">
-               <prop name="label">CM-5[2]</prop>
-               <p>documents physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.3" name="objective">
-               <prop name="label">CM-5[3]</prop>
-               <p>approves physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.4" name="objective">
-               <prop name="label">CM-5[4]</prop>
-               <p>enforces physical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.5" name="objective">
-               <prop name="label">CM-5[5]</prop>
-               <p>defines logical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.6" name="objective">
-               <prop name="label">CM-5[6]</prop>
-               <p>documents logical access restrictions associated with changes to the information
-                  system;</p>
-            </part>
-            <part id="cm-5_obj.7" name="objective">
-               <prop name="label">CM-5[7]</prop>
-               <p>approves logical access restrictions associated with changes to the information
-                  system; and</p>
-            </part>
-            <part id="cm-5_obj.8" name="objective">
-               <prop name="label">CM-5[8]</prop>
-               <p>enforces logical access restrictions associated with changes to the information
-                  system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing access restrictions for changes to the information
-                  system</p>
-               <p>configuration management plan</p>
-               <p>information system design documentation</p>
-               <p>information system architecture and configuration documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>logical access approvals</p>
-               <p>physical access approvals</p>
-               <p>access credentials</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with logical access control responsibilities</p>
-               <p>organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing access restrictions to change</p>
-               <p>automated mechanisms supporting/implementing/enforcing access restrictions
-                  associated with changes to the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-5.1">
-            <title>Automated Access Enforcement / Auditing</title>
-            <prop name="label">CM-5(1)</prop>
-            <prop name="sort-id">cm-05.01</prop>
-            <part id="cm-5.1_smt" name="statement">
-               <p>The information system enforces access restrictions and supports auditing of the
-                  enforcement actions.</p>
-            </part>
-            <part id="cm-5.1_gdn" name="guidance">
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-12">AU-12</link>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="cm-5.1_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="cm-5.1_obj.1" name="objective">
-                  <prop name="label">CM-5(1)[1]</prop>
-                  <p>enforces access restrictions for change; and</p>
-               </part>
-               <part id="cm-5.1_obj.2" name="objective">
-                  <prop name="label">CM-5(1)[2]</prop>
-                  <p>supports auditing of the enforcement actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms implementing enforcement of access restrictions for
-                     changes to the information system</p>
-                  <p>automated mechanisms supporting auditing of enforcement actions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.2">
-            <title>Review System Changes</title>
-            <param id="cm-5.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="cm-5.2_prm_2">
-               <label>organization-defined circumstances</label>
-            </param>
-            <prop name="label">CM-5(2)</prop>
-            <prop name="sort-id">cm-05.02</prop>
-            <part id="cm-5.2_smt" name="statement">
-               <p>The organization reviews information system changes <insert param-id="cm-5.2_prm_1"/> and <insert param-id="cm-5.2_prm_2"/> to determine
-                  whether unauthorized changes have occurred.</p>
-            </part>
-            <part id="cm-5.2_gdn" name="guidance">
-               <p>Indications that warrant review of information system changes and the specific
-                  circumstances justifying such reviews may be obtained from activities carried out
-                  by organizations during the configuration change process.</p>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#au-7">AU-7</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-5">CM-5</link>
-               <link rel="related" href="#pe-6">PE-6</link>
-               <link rel="related" href="#pe-8">PE-8</link>
-            </part>
-            <part id="cm-5.2_obj" name="objective">
-               <p>Determine if the organization, in an effort to ascertain whether unauthorized
-                  changes have occurred:</p>
-               <part id="cm-5.2_obj.1" name="objective">
-                  <prop name="label">CM-5(2)[1]</prop>
-                  <p>defines the frequency to review information system changes;</p>
-               </part>
-               <part id="cm-5.2_obj.2" name="objective">
-                  <prop name="label">CM-5(2)[2]</prop>
-                  <p>defines circumstances that warrant review of information system changes;</p>
-               </part>
-               <part id="cm-5.2_obj.3" name="objective">
-                  <prop name="label">CM-5(2)[3]</prop>
-                  <p>reviews information system changes with the organization-defined frequency;
-                     and</p>
-               </part>
-               <part id="cm-5.2_obj.4" name="objective">
-                  <prop name="label">CM-5(2)[4]</prop>
-                  <p>reviews information system changes with the organization-defined
-                     circumstances.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>reviews of information system changes</p>
-                  <p>audit and review reports</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms supporting/implementing information system reviews to
-                     determine whether unauthorized changes have occurred</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.3">
-            <title>Signed Components</title>
-            <param id="cm-5.3_prm_1">
-               <label>organization-defined software and firmware components</label>
-            </param>
-            <prop name="label">CM-5(3)</prop>
-            <prop name="sort-id">cm-05.03</prop>
-            <part id="cm-5.3_smt" name="statement">
-               <p>The information system prevents the installation of <insert param-id="cm-5.3_prm_1"/> without verification that the component has been
-                  digitally signed using a certificate that is recognized and approved by the
-                  organization.</p>
-            </part>
-            <part id="cm-5.3_gdn" name="guidance">
-               <p>Software and firmware components prevented from installation unless signed with
-                  recognized and approved certificates include, for example, software and firmware
-                  version updates, patches, service packs, device drivers, and basic input output
-                  system (BIOS) updates. Organizations can identify applicable software and firmware
-                  components by type, by specific items, or a combination of both. Digital
-                  signatures and organizational verification of such signatures, is a method of code
-                  authentication.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-5.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-5.3_obj.1" name="objective">
-                  <prop name="label">CM-5(3)[1]</prop>
-                  <p>the organization defines software and firmware components that the information
-                     system will prevent from being installed without verification that such
-                     components have been digitally signed using a certificate that is recognized
-                     and approved by the organization; and</p>
-               </part>
-               <part id="cm-5.3_obj.2" name="objective">
-                  <prop name="label">CM-5(3)[2]</prop>
-                  <p>the information system prevents the installation of organization-defined
-                     software and firmware components without verification that such components have
-                     been digitally signed using a certificate that is recognized and approved by
-                     the organization.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>list of software and firmware components to be prohibited from installation
-                     without a recognized and approved certificate</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms preventing installation of software and firmware
-                     components not signed with an organization-recognized and approved
-                     certificate</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.4">
-            <title>Dual Authorization</title>
-            <param id="cm-5.4_prm_1">
-               <label>organization-defined information system components and system-level
-                  information</label>
-            </param>
-            <prop name="label">CM-5(4)</prop>
-            <prop name="sort-id">cm-05.04</prop>
-            <part id="cm-5.4_smt" name="statement">
-               <p>The organization enforces dual authorization for implementing changes to <insert param-id="cm-5.4_prm_1"/>.</p>
-            </part>
-            <part id="cm-5.4_gdn" name="guidance">
-               <p>Organizations employ dual authorization to ensure that any changes to selected
-                  information system components and information cannot occur unless two qualified
-                  individuals implement such changes. The two individuals possess sufficient
-                  skills/expertise to determine if the proposed changes are correct implementations
-                  of approved changes. Dual authorization may also be known as two-person
-                  control.</p>
-               <link rel="related" href="#ac-5">AC-5</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-            </part>
-            <part id="cm-5.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-5.4_obj.1" name="objective">
-                  <prop name="label">CM-5(4)[1]</prop>
-                  <p>defines information system components and system-level information requiring
-                     dual authorization to be enforced when implementing changes; and</p>
-               </part>
-               <part id="cm-5.4_obj.2" name="objective">
-                  <prop name="label">CM-5(4)[2]</prop>
-                  <p>enforces dual authorization for implementing changes to organization-defined
-                     information system components and system-level information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with dual authorization enforcement responsibilities
-                     for implementing information system changes</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms implementing dual authorization enforcement</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.5">
-            <title>Limit Production / Operational Privileges</title>
-            <param id="cm-5.5_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CM-5(5)</prop>
-            <prop name="sort-id">cm-05.05</prop>
-            <part id="cm-5.5_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-5.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Limits privileges to change information system components and system-related
-                     information within a production or operational environment; and</p>
-               </part>
-               <part id="cm-5.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reviews and reevaluates privileges <insert param-id="cm-5.5_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="cm-5.5_gdn" name="guidance">
-               <p>In many organizations, information systems support multiple core missions/business
-                  functions. Limiting privileges to change information system components with
-                  respect to operational systems is necessary because changes to a particular
-                  information system component may have far-reaching effects on mission/business
-                  processes supported by the system where the component resides. The complex,
-                  many-to-many relationships between systems and mission/business processes are in
-                  some cases, unknown to developers.</p>
-               <link rel="related" href="#ac-2">AC-2</link>
-            </part>
-            <part id="cm-5.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-5.5.a_obj" name="objective">
-                  <prop name="label">CM-5(5)(a)</prop>
-                  <p>limits privileges to change information system components and system-related
-                     information within a production or operational environment;</p>
-                  <link rel="corresp" href="#cm-5.5_smt.a">CM-5(5)(a)</link>
-               </part>
-               <part id="cm-5.5.b_obj" name="objective">
-                  <prop name="label">CM-5(5)(b)</prop>
-                  <part id="cm-5.5.b_obj.1" name="objective">
-                     <prop name="label">CM-5(5)(b)[1]</prop>
-                     <p>defines the frequency to review and reevaluate privileges; and</p>
-                  </part>
-                  <part id="cm-5.5.b_obj.2" name="objective">
-                     <prop name="label">CM-5(5)(b)[2]</prop>
-                     <p>reviews and reevaluates privileges with the organization-defined
-                        frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-5.5_smt.b">CM-5(5)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>user privilege reviews</p>
-                  <p>user privilege recertifications</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms supporting and/or implementing access restrictions for
-                     change</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.6">
-            <title>Limit Library Privileges</title>
-            <prop name="label">CM-5(6)</prop>
-            <prop name="sort-id">cm-05.06</prop>
-            <part id="cm-5.6_smt" name="statement">
-               <p>The organization limits privileges to change software resident within software
-                  libraries.</p>
-            </part>
-            <part id="cm-5.6_gdn" name="guidance">
-               <p>Software libraries include privileged programs.</p>
-               <link rel="related" href="#ac-2">AC-2</link>
-            </part>
-            <part id="cm-5.6_obj" name="objective">
-               <p>Determine if the organization limits privileges to change software resident within
-                  software libraries.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing access restrictions for changes to the information
-                     system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing access restrictions to change</p>
-                  <p>automated mechanisms supporting and/or implementing access restrictions for
-                     change</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.7">
-            <title>Automatic Implementation of Security Safeguards</title>
-            <prop name="label">CM-5(7)</prop>
-            <prop name="sort-id">cm-05.07</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-6">
-         <title>Configuration Settings</title>
-         <param id="cm-6_prm_1">
-            <label>organization-defined security configuration checklists</label>
-         </param>
-         <param id="cm-6_prm_2">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="cm-6_prm_3">
-            <label>organization-defined operational requirements</label>
-         </param>
-         <prop name="label">CM-6</prop>
-         <prop name="sort-id">cm-06</prop>
-         <link href="#990268bf-f4a9-4c81-91ae-dc7d3115f4b1" rel="reference">OMB Memorandum 07-11</link>
-         <link href="#0b3d8ba9-051f-498d-81ea-97f0f018c612" rel="reference">OMB Memorandum 07-18</link>
-         <link href="#0916ef02-3618-411b-a525-565c088849a6" rel="reference">OMB Memorandum 08-22</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <link href="#e95dd121-2733-413e-bf1e-f1eb49f20a98" rel="reference">http://checklists.nist.gov</link>
-         <link href="#647b6de3-81d0-4d22-bec1-5f1333e34380" rel="reference">http://www.nsa.gov</link>
-         <part id="cm-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and documents configuration settings for information technology
-                  products employed within the information system using <insert param-id="cm-6_prm_1"/> that reflect the most restrictive mode consistent with
-                  operational requirements;</p>
-            </part>
-            <part id="cm-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements the configuration settings;</p>
-            </part>
-            <part id="cm-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies, documents, and approves any deviations from established configuration
-                  settings for <insert param-id="cm-6_prm_2"/> based on <insert param-id="cm-6_prm_3"/>; and</p>
-            </part>
-            <part id="cm-6_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Monitors and controls changes to the configuration settings in accordance with
-                  organizational policies and procedures.</p>
-            </part>
-         </part>
-         <part id="cm-6_gdn" name="guidance">
-            <p>Configuration settings are the set of parameters that can be changed in hardware,
-               software, or firmware components of the information system that affect the security
-               posture and/or functionality of the system. Information technology products for which
-               security-related configuration settings can be defined include, for example,
-               mainframe computers, servers (e.g., database, electronic mail, authentication, web,
-               proxy, file, domain name), workstations, input/output devices (e.g., scanners,
-               copiers, and printers), network components (e.g., firewalls, routers, gateways, voice
-               and data switches, wireless access points, network appliances, sensors), operating
-               systems, middleware, and applications. Security-related parameters are those
-               parameters impacting the security state of information systems including the
-               parameters required to satisfy other security control requirements. Security-related
-               parameters include, for example: (i) registry settings; (ii) account, file, directory
-               permission settings; and (iii) settings for functions, ports, protocols, services,
-               and remote connections. Organizations establish organization-wide configuration
-               settings and subsequently derive specific settings for information systems. The
-               established settings become part of the systems configuration baseline. Common secure
-               configurations (also referred to as security configuration checklists, lockdown and
-               hardening guides, security reference guides, security technical implementation
-               guides) provide recognized, standardized, and established benchmarks that stipulate
-               secure configuration settings for specific information technology platforms/products
-               and instructions for configuring those information system components to meet
-               operational requirements. Common secure configurations can be developed by a variety
-               of organizations including, for example, information technology product developers,
-               manufacturers, vendors, consortia, academia, industry, federal agencies, and other
-               organizations in the public and private sectors. Common secure configurations include
-               the United States Government Configuration Baseline (USGCB) which affects the
-               implementation of CM-6 and other controls such as AC-19 and CM-7. The Security
-               Content Automation Protocol (SCAP) and the defined standards within the protocol
-               (e.g., Common Configuration Enumeration) provide an effective method to uniquely
-               identify, track, and control configuration settings. OMB establishes federal policy
-               on configuration requirements for federal information systems.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="cm-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-6.a_obj" name="objective">
-               <prop name="label">CM-6(a)</prop>
-               <part id="cm-6.a_obj.1" name="objective">
-                  <prop name="label">CM-6(a)[1]</prop>
-                  <p>defines security configuration checklists to be used to establish and document
-                     configuration settings for the information technology products employed;</p>
-               </part>
-               <part id="cm-6.a_obj.2" name="objective">
-                  <prop name="label">CM-6(a)[2]</prop>
-                  <p>ensures the defined security configuration checklists reflect the most
-                     restrictive mode consistent with operational requirements;</p>
-               </part>
-               <part id="cm-6.a_obj.3" name="objective">
-                  <prop name="label">CM-6(a)[3]</prop>
-                  <p>establishes and documents configuration settings for information technology
-                     products employed within the information system using organization-defined
-                     security configuration checklists;</p>
-               </part>
-            </part>
-            <part id="cm-6.b_obj" name="objective">
-               <prop name="label">CM-6(b)</prop>
-               <p>implements the configuration settings established/documented in CM-6(a);;</p>
-            </part>
-            <part id="cm-6.c_obj" name="objective">
-               <prop name="label">CM-6(c)</prop>
-               <part id="cm-6.c_obj.1" name="objective">
-                  <prop name="label">CM-6(c)[1]</prop>
-                  <p>defines information system components for which any deviations from established
-                     configuration settings must be:</p>
-                  <part id="cm-6.c_obj.1.a" name="objective">
-                     <prop name="label">CM-6(c)[1][a]</prop>
-                     <p>identified;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.b" name="objective">
-                     <prop name="label">CM-6(c)[1][b]</prop>
-                     <p>documented;</p>
-                  </part>
-                  <part id="cm-6.c_obj.1.c" name="objective">
-                     <prop name="label">CM-6(c)[1][c]</prop>
-                     <p>approved;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.2" name="objective">
-                  <prop name="label">CM-6(c)[2]</prop>
-                  <p>defines operational requirements to support:</p>
-                  <part id="cm-6.c_obj.2.a" name="objective">
-                     <prop name="label">CM-6(c)[2][a]</prop>
-                     <p>the identification of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.b" name="objective">
-                     <prop name="label">CM-6(c)[2][b]</prop>
-                     <p>the documentation of any deviations from established configuration
-                        settings;</p>
-                  </part>
-                  <part id="cm-6.c_obj.2.c" name="objective">
-                     <prop name="label">CM-6(c)[2][c]</prop>
-                     <p>the approval of any deviations from established configuration settings;</p>
-                  </part>
-               </part>
-               <part id="cm-6.c_obj.3" name="objective">
-                  <prop name="label">CM-6(c)[3]</prop>
-                  <p>identifies any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.4" name="objective">
-                  <prop name="label">CM-6(c)[4]</prop>
-                  <p>documents any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-               <part id="cm-6.c_obj.5" name="objective">
-                  <prop name="label">CM-6(c)[5]</prop>
-                  <p>approves any deviations from established configuration settings for
-                     organization-defined information system components based on
-                     organizational-defined operational requirements;</p>
-               </part>
-            </part>
-            <part id="cm-6.d_obj" name="objective">
-               <prop name="label">CM-6(d)</prop>
-               <part id="cm-6.d_obj.1" name="objective">
-                  <prop name="label">CM-6(d)[1]</prop>
-                  <p>monitors changes to the configuration settings in accordance with
-                     organizational policies and procedures; and</p>
-               </part>
-               <part id="cm-6.d_obj.2" name="objective">
-                  <prop name="label">CM-6(d)[2]</prop>
-                  <p>controls changes to the configuration settings in accordance with
-                     organizational policies and procedures.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing configuration settings for the information system</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>evidence supporting approved deviations from established configuration
-                  settings</p>
-               <p>change control records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing configuration settings</p>
-               <p>automated mechanisms that implement, monitor, and/or control information system
-                  configuration settings</p>
-               <p>automated mechanisms that identify and/or document deviations from established
-                  configuration settings</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-6.1">
-            <title>Automated Central Management / Application / Verification</title>
-            <param id="cm-6.1_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">CM-6(1)</prop>
-            <prop name="sort-id">cm-06.01</prop>
-            <part id="cm-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to centrally manage, apply, and
-                  verify configuration settings for <insert param-id="cm-6.1_prm_1"/>.</p>
-            </part>
-            <part id="cm-6.1_gdn" name="guidance">
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#cm-4">CM-4</link>
-            </part>
-            <part id="cm-6.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-6.1_obj.1" name="objective">
-                  <prop name="label">CM-6(1)[1]</prop>
-                  <p>defines information system components for which automated mechanisms are to be
-                     employed to:</p>
-                  <part id="cm-6.1_obj.1.a" name="objective">
-                     <prop name="label">CM-6(1)[1][a]</prop>
-                     <p>centrally manage configuration settings of such components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.1.b" name="objective">
-                     <prop name="label">CM-6(1)[1][b]</prop>
-                     <p>apply configuration settings of such components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.1.c" name="objective">
-                     <prop name="label">CM-6(1)[1][c]</prop>
-                     <p>verify configuration settings of such components;</p>
-                  </part>
-               </part>
-               <part id="cm-6.1_obj.2" name="objective">
-                  <prop name="label">CM-6(1)[2]</prop>
-                  <p>employs automated mechanisms to:</p>
-                  <part id="cm-6.1_obj.2.a" name="objective">
-                     <prop name="label">CM-6(1)[2][a]</prop>
-                     <p>centrally manage configuration settings for organization-defined information
-                        system components;</p>
-                  </part>
-                  <part id="cm-6.1_obj.2.b" name="objective">
-                     <prop name="label">CM-6(1)[2][b]</prop>
-                     <p>apply configuration settings for organization-defined information system
-                        components; and</p>
-                  </part>
-                  <part id="cm-6.1_obj.2.c" name="objective">
-                     <prop name="label">CM-6(1)[2][c]</prop>
-                     <p>verify configuration settings for organization-defined information system
-                        components.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing configuration settings for the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security configuration checklists</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security configuration management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing configuration settings</p>
-                  <p>automated mechanisms implemented to centrally manage, apply, and verify
-                     information system configuration settings</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-6.2">
-            <title>Respond to Unauthorized Changes</title>
-            <param id="cm-6.2_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="cm-6.2_prm_2">
-               <label>organization-defined configuration settings</label>
-            </param>
-            <prop name="label">CM-6(2)</prop>
-            <prop name="sort-id">cm-06.02</prop>
-            <part id="cm-6.2_smt" name="statement">
-               <p>The organization employs <insert param-id="cm-6.2_prm_1"/> to respond to
-                  unauthorized changes to <insert param-id="cm-6.2_prm_2"/>.</p>
-            </part>
-            <part id="cm-6.2_gdn" name="guidance">
-               <p>Responses to unauthorized changes to configuration settings can include, for
-                  example, alerting designated organizational personnel, restoring established
-                  configuration settings, or in extreme cases, halting affected information system
-                  processing.</p>
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-6.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-6.2_obj.1" name="objective">
-                  <prop name="label">CM-6(2)[1]</prop>
-                  <p>defines configuration settings that, if modified by unauthorized changes,
-                     result in organizational security safeguards being employed to respond to such
-                     changes;</p>
-               </part>
-               <part id="cm-6.2_obj.2" name="objective">
-                  <prop name="label">CM-6(2)[2]</prop>
-                  <p>defines security safeguards to be employed to respond to unauthorized changes
-                     to organization-defined configuration settings; and</p>
-               </part>
-               <part id="cm-6.2_obj.3" name="objective">
-                  <prop name="label">CM-6(2)[3]</prop>
-                  <p>employs organization-defined security safeguards to respond to unauthorized
-                     changes to organization-defined configuration settings.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing configuration settings for the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>alerts/notifications of unauthorized changes to information system
-                     configuration settings</p>
-                  <p>documented responses to unauthorized changes to information system
-                     configuration settings</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security configuration management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for responding to unauthorized changes to information
-                     system configuration settings</p>
-                  <p>automated mechanisms supporting and/or implementing security safeguards for
-                     response to unauthorized changes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-6.3">
-            <title>Unauthorized Change Detection</title>
-            <prop name="label">CM-6(3)</prop>
-            <prop name="sort-id">cm-06.03</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-6.4">
-            <title>Conformance Demonstration</title>
-            <prop name="label">CM-6(4)</prop>
-            <prop name="sort-id">cm-06.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cm-4">CM-4</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-7">
-         <title>Least Functionality</title>
-         <param id="cm-7_prm_1">
-            <label>organization-defined prohibited or restricted functions, ports, protocols, and/or
-               services</label>
-         </param>
-         <prop name="label">CM-7</prop>
-         <prop name="sort-id">cm-07</prop>
-         <link href="#e42b2099-3e1c-415b-952c-61c96533c12e" rel="reference">DoD Instruction 8551.01</link>
-         <part id="cm-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Configures the information system to provide only essential capabilities; and</p>
-            </part>
-            <part id="cm-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Prohibits or restricts the use of the following functions, ports, protocols,
-                  and/or services: <insert param-id="cm-7_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="cm-7_gdn" name="guidance">
-            <p>Information systems can provide a wide variety of functions and services. Some of the
-               functions and services, provided by default, may not be necessary to support
-               essential organizational operations (e.g., key missions, functions). Additionally, it
-               is sometimes convenient to provide multiple services from single information system
-               components, but doing so increases risk over limiting the services provided by any
-               one component. Where feasible, organizations limit component functionality to a
-               single function per device (e.g., email servers or web servers, but not both).
-               Organizations review functions and services provided by information systems or
-               individual components of information systems, to determine which functions and
-               services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant
-               Messaging, auto-execute, and file sharing). Organizations consider disabling unused
-               or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File
-               Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to
-               prevent unauthorized connection of devices, unauthorized transfer of information, or
-               unauthorized tunneling. Organizations can utilize network scanning tools, intrusion
-               detection and prevention systems, and end-point protections such as firewalls and
-               host-based intrusion detection systems to identify and prevent the use of prohibited
-               functions, ports, protocols, and services.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-7.a_obj" name="objective">
-               <prop name="label">CM-7(a)</prop>
-               <p>configures the information system to provide only essential capabilities;</p>
-            </part>
-            <part id="cm-7.b_obj" name="objective">
-               <prop name="label">CM-7(b)</prop>
-               <part id="cm-7.b_obj.1" name="objective">
-                  <prop name="label">CM-7(b)[1]</prop>
-                  <p>defines prohibited or restricted:</p>
-                  <part id="cm-7.b_obj.1.a" name="objective">
-                     <prop name="label">CM-7(b)[1][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.b" name="objective">
-                     <prop name="label">CM-7(b)[1][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.c" name="objective">
-                     <prop name="label">CM-7(b)[1][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.1.d" name="objective">
-                     <prop name="label">CM-7(b)[1][d]</prop>
-                     <p>services;</p>
-                  </part>
-               </part>
-               <part id="cm-7.b_obj.2" name="objective">
-                  <prop name="label">CM-7(b)[2]</prop>
-                  <p>prohibits or restricts the use of organization-defined:</p>
-                  <part id="cm-7.b_obj.2.a" name="objective">
-                     <prop name="label">CM-7(b)[2][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.b" name="objective">
-                     <prop name="label">CM-7(b)[2][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.c" name="objective">
-                     <prop name="label">CM-7(b)[2][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.b_obj.2.d" name="objective">
-                     <prop name="label">CM-7(b)[2][d]</prop>
-                     <p>services.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>configuration management plan</p>
-               <p>procedures addressing least functionality in the information system</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security configuration checklists</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security configuration management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes prohibiting or restricting functions, ports, protocols,
-                  and/or services</p>
-               <p>automated mechanisms implementing restrictions or prohibition of functions, ports,
-                  protocols, and/or services</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-7.1">
-            <title>Periodic Review</title>
-            <param id="cm-7.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="cm-7.1_prm_2">
-               <label>organization-defined functions, ports, protocols, and services within the
-                  information system deemed to be unnecessary and/or nonsecure</label>
-            </param>
-            <prop name="label">CM-7(1)</prop>
-            <prop name="sort-id">cm-07.01</prop>
-            <part id="cm-7.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-7.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Reviews the information system <insert param-id="cm-7.1_prm_1"/> to identify
-                     unnecessary and/or nonsecure functions, ports, protocols, and services; and</p>
-               </part>
-               <part id="cm-7.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Disables <insert param-id="cm-7.1_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-7.1_gdn" name="guidance">
-               <p>The organization can either make a determination of the relative security of the
-                  function, port, protocol, and/or service or base the security decision on the
-                  assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are
-                  examples of less than secure protocols.</p>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#ia-2">IA-2</link>
-            </part>
-            <part id="cm-7.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-7.1.a_obj" name="objective">
-                  <prop name="label">CM-7(1)(a)</prop>
-                  <part id="cm-7.1.a_obj.1" name="objective">
-                     <prop name="label">CM-7(1)(a)[1]</prop>
-                     <p>defines the frequency to review the information system to identify
-                        unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.a_obj.1.a" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.b" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.c" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.1.d" name="objective">
-                        <prop name="label">CM-7(1)(a)[1][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <part id="cm-7.1.a_obj.2" name="objective">
-                     <prop name="label">CM-7(1)(a)[2]</prop>
-                     <p>reviews the information system with the organization-defined frequency to
-                        identify unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.a_obj.2.a" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.b" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.c" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.a_obj.2.d" name="objective">
-                        <prop name="label">CM-7(1)(a)[2][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-7.1_smt.a">CM-7(1)(a)</link>
-               </part>
-               <part id="cm-7.1.b_obj" name="objective">
-                  <prop name="label">CM-7(1)(b)</prop>
-                  <part id="cm-7.1.b_obj.1" name="objective">
-                     <prop name="label">CM-7(1)(b)[1]</prop>
-                     <p>defines, within the information system, unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.b_obj.1.a" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.b" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.c" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.1.d" name="objective">
-                        <prop name="label">CM-7(1)(b)[1][d]</prop>
-                        <p>services;</p>
-                     </part>
-                  </part>
-                  <part id="cm-7.1.b_obj.2" name="objective">
-                     <prop name="label">CM-7(1)(b)[2]</prop>
-                     <p>disables organization-defined unnecessary and/or nonsecure:</p>
-                     <part id="cm-7.1.b_obj.2.a" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][a]</prop>
-                        <p>functions;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.b" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][b]</prop>
-                        <p>ports;</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.c" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][c]</prop>
-                        <p>protocols; and/or</p>
-                     </part>
-                     <part id="cm-7.1.b_obj.2.d" name="objective">
-                        <prop name="label">CM-7(1)(b)[2][d]</prop>
-                        <p>services.</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-7.1_smt.b">CM-7(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>security configuration checklists</p>
-                  <p>documented reviews of functions, ports, protocols, and/or services</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for reviewing functions, ports,
-                     protocols, and services on the information system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for reviewing/disabling nonsecure functions, ports,
-                     protocols, and/or services</p>
-                  <p>automated mechanisms implementing review and disabling of nonsecure functions,
-                     ports, protocols, and/or services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.2">
-            <title>Prevent Program Execution</title>
-            <param id="cm-7.2_prm_1">
-               <select how-many="one or more">
-                  <choice>
-                     <insert param-id="cm-7.2_prm_2"/>
-                  </choice>
-                  <choice>rules authorizing the terms and conditions of software program
-                     usage</choice>
-               </select>
-            </param>
-            <param id="cm-7.2_prm_2" depends-on="cm-7.2_prm_1">
-               <label>organization-defined policies regarding software program usage and
-                  restrictions</label>
-            </param>
-            <prop name="label">CM-7(2)</prop>
-            <prop name="sort-id">cm-07.02</prop>
-            <part id="cm-7.2_smt" name="statement">
-               <p>The information system prevents program execution in accordance with <insert param-id="cm-7.2_prm_1"/>.</p>
-            </part>
-            <part id="cm-7.2_gdn" name="guidance">
-               <link rel="related" href="#cm-8">CM-8</link>
-               <link rel="related" href="#pm-5">PM-5</link>
-            </part>
-            <part id="cm-7.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-7.2_obj.1" name="objective">
-                  <prop name="label">CM-7(2)[1]</prop>
-                  <p>the organization defines policies regarding software program usage and
-                     restrictions;</p>
-               </part>
-               <part id="cm-7.2_obj.2" name="objective">
-                  <prop name="label">CM-7(2)[2]</prop>
-                  <p>the information system prevents program execution in accordance with one or
-                     more of the following:</p>
-                  <part id="cm-7.2_obj.2.a" name="objective">
-                     <prop name="label">CM-7(2)[2][a]</prop>
-                     <p>organization-defined policies regarding program usage and restrictions;
-                        and/or</p>
-                  </part>
-                  <part id="cm-7.2_obj.2.b" name="objective">
-                     <prop name="label">CM-7(2)[2][b]</prop>
-                     <p>rules authorizing the terms and conditions of software program usage.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>specifications for preventing software program execution</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes preventing program execution on the information
-                     system</p>
-                  <p>organizational processes for software program usage and restrictions</p>
-                  <p>automated mechanisms preventing program execution on the information system</p>
-                  <p>automated mechanisms supporting and/or implementing software program usage and
-                     restrictions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.3">
-            <title>Registration Compliance</title>
-            <param id="cm-7.3_prm_1">
-               <label>organization-defined registration requirements for functions, ports,
-                  protocols, and services</label>
-            </param>
-            <prop name="label">CM-7(3)</prop>
-            <prop name="sort-id">cm-07.03</prop>
-            <part id="cm-7.3_smt" name="statement">
-               <p>The organization ensures compliance with <insert param-id="cm-7.3_prm_1"/>.</p>
-            </part>
-            <part id="cm-7.3_gdn" name="guidance">
-               <p>Organizations use the registration process to manage, track, and provide oversight
-                  for information systems and implemented functions, ports, protocols, and
-                  services.</p>
-            </part>
-            <part id="cm-7.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-7.3_obj.1" name="objective">
-                  <prop name="label">CM-7(3)[1]</prop>
-                  <p>defines registration requirements for:</p>
-                  <part id="cm-7.3_obj.1.a" name="objective">
-                     <prop name="label">CM-7(3)[1][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.3_obj.1.b" name="objective">
-                     <prop name="label">CM-7(3)[1][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.3_obj.1.c" name="objective">
-                     <prop name="label">CM-7(3)[1][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.3_obj.1.d" name="objective">
-                     <prop name="label">CM-7(3)[1][d]</prop>
-                     <p>services;</p>
-                  </part>
-               </part>
-               <part id="cm-7.3_obj.2" name="objective">
-                  <prop name="label">CM-7(3)[2]</prop>
-                  <p>ensures compliance with organization-defined registration requirements for:</p>
-                  <part id="cm-7.3_obj.2.a" name="objective">
-                     <prop name="label">CM-7(3)[2][a]</prop>
-                     <p>functions;</p>
-                  </part>
-                  <part id="cm-7.3_obj.2.b" name="objective">
-                     <prop name="label">CM-7(3)[2][b]</prop>
-                     <p>ports;</p>
-                  </part>
-                  <part id="cm-7.3_obj.2.c" name="objective">
-                     <prop name="label">CM-7(3)[2][c]</prop>
-                     <p>protocols; and/or</p>
-                  </part>
-                  <part id="cm-7.3_obj.2.d" name="objective">
-                     <prop name="label">CM-7(3)[2][d]</prop>
-                     <p>services.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit and compliance reviews</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes ensuring compliance with registration requirements for
-                     functions, ports, protocols, and/or services</p>
-                  <p>automated mechanisms implementing compliance with registration requirements for
-                     functions, ports, protocols, and/or services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.4">
-            <title>Unauthorized Software / Blacklisting</title>
-            <param id="cm-7.4_prm_1">
-               <label>organization-defined software programs not authorized to execute on the
-                  information system</label>
-            </param>
-            <param id="cm-7.4_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CM-7(4)</prop>
-            <prop name="sort-id">cm-07.04</prop>
-            <part id="cm-7.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-7.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Identifies <insert param-id="cm-7.4_prm_1"/>;</p>
-               </part>
-               <part id="cm-7.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Employs an allow-all, deny-by-exception policy to prohibit the execution of
-                     unauthorized software programs on the information system; and</p>
-               </part>
-               <part id="cm-7.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Reviews and updates the list of unauthorized software programs <insert param-id="cm-7.4_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-7.4_gdn" name="guidance">
-               <p>The process used to identify software programs that are not authorized to execute
-                  on organizational information systems is commonly referred to as blacklisting.
-                  Organizations can implement CM-7 (5) instead of this control enhancement if
-                  whitelisting (the stronger of the two policies) is the preferred approach for
-                  restricting software program execution.</p>
-               <link rel="related" href="#cm-6">CM-6</link>
-               <link rel="related" href="#cm-8">CM-8</link>
-               <link rel="related" href="#pm-5">PM-5</link>
-            </part>
-            <part id="cm-7.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-7.4.a_obj" name="objective">
-                  <prop name="label">CM-7(4)(a)</prop>
-                  <p>Identifies/defines software programs not authorized to execute on the
-                     information system;</p>
-                  <link rel="corresp" href="#cm-7.4_smt.a">CM-7(4)(a)</link>
-               </part>
-               <part id="cm-7.4.b_obj" name="objective">
-                  <prop name="label">CM-7(4)(b)</prop>
-                  <p>employs an allow-all, deny-by-exception policy to prohibit the execution of
-                     unauthorized software programs on the information system;</p>
-                  <link rel="corresp" href="#cm-7.4_smt.b">CM-7(4)(b)</link>
-               </part>
-               <part id="cm-7.4.c_obj" name="objective">
-                  <prop name="label">CM-7(4)(c)</prop>
-                  <part id="cm-7.4.c_obj.1" name="objective">
-                     <prop name="label">CM-7(4)(c)[1]</prop>
-                     <p>defines the frequency to review and update the list of unauthorized software
-                        programs on the information system; and</p>
-                  </part>
-                  <part id="cm-7.4.c_obj.2" name="objective">
-                     <prop name="label">CM-7(4)(c)[2]</prop>
-                     <p>reviews and updates the list of unauthorized software programs with the
-                        organization-defined frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-7.4_smt.c">CM-7(4)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of software programs not authorized to execute on the information
-                     system</p>
-                  <p>security configuration checklists</p>
-                  <p>review and update records associated with list of unauthorized software
-                     programs</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for identifying software not
-                     authorized to execute on the information system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for identifying, reviewing, and updating programs not
-                     authorized to execute on the information system</p>
-                  <p>organizational process for implementing blacklisting</p>
-                  <p>automated mechanisms supporting and/or implementing blacklisting</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.5">
-            <title>Authorized Software / Whitelisting</title>
-            <param id="cm-7.5_prm_1">
-               <label>organization-defined software programs authorized to execute on the
-                  information system</label>
-            </param>
-            <param id="cm-7.5_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CM-7(5)</prop>
-            <prop name="sort-id">cm-07.05</prop>
-            <part id="cm-7.5_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-7.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Identifies <insert param-id="cm-7.5_prm_1"/>;</p>
-               </part>
-               <part id="cm-7.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Employs a deny-all, permit-by-exception policy to allow the execution of
-                     authorized software programs on the information system; and</p>
-               </part>
-               <part id="cm-7.5_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Reviews and updates the list of authorized software programs <insert param-id="cm-7.5_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-7.5_gdn" name="guidance">
-               <p>The process used to identify software programs that are authorized to execute on
-                  organizational information systems is commonly referred to as whitelisting. In
-                  addition to whitelisting, organizations consider verifying the integrity of
-                  white-listed software programs using, for example, cryptographic checksums,
-                  digital signatures, or hash functions. Verification of white-listed software can
-                  occur either prior to execution or at system startup.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-               <link rel="related" href="#cm-8">CM-8</link>
-               <link rel="related" href="#pm-5">PM-5</link>
-               <link rel="related" href="#sa-10">SA-10</link>
-               <link rel="related" href="#sc-34">SC-34</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-7.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-7.5.a_obj" name="objective">
-                  <prop name="label">CM-7(5)(a)</prop>
-                  <p>Identifies/defines software programs authorized to execute on the information
-                     system;</p>
-                  <link rel="corresp" href="#cm-7.5_smt.a">CM-7(5)(a)</link>
-               </part>
-               <part id="cm-7.5.b_obj" name="objective">
-                  <prop name="label">CM-7(5)(b)</prop>
-                  <p>employs a deny-all, permit-by-exception policy to allow the execution of
-                     authorized software programs on the information system;</p>
-                  <link rel="corresp" href="#cm-7.5_smt.b">CM-7(5)(b)</link>
-               </part>
-               <part id="cm-7.5.c_obj" name="objective">
-                  <prop name="label">CM-7(5)(c)</prop>
-                  <part id="cm-7.5.c_obj.1" name="objective">
-                     <prop name="label">CM-7(5)(c)[1]</prop>
-                     <p>defines the frequency to review and update the list of authorized software
-                        programs on the information system; and</p>
-                  </part>
-                  <part id="cm-7.5.c_obj.2" name="objective">
-                     <prop name="label">CM-7(5)(c)[2]</prop>
-                     <p>reviews and updates the list of authorized software programs with the
-                        organization-defined frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cm-7.5_smt.c">CM-7(5)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing least functionality in the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of software programs authorized to execute on the information system</p>
-                  <p>security configuration checklists</p>
-                  <p>review and update records associated with list of authorized software
-                     programs</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for identifying software
-                     authorized to execute on the information system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for identifying, reviewing, and updating programs
-                     authorized to execute on the information system</p>
-                  <p>organizational process for implementing whitelisting</p>
-                  <p>automated mechanisms implementing whitelisting</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-8">
-         <title>Information System Component Inventory</title>
-         <param id="cm-8_prm_1">
-            <label>organization-defined information deemed necessary to achieve effective
-               information system component accountability</label>
-         </param>
-         <param id="cm-8_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CM-8</prop>
-         <prop name="sort-id">cm-08</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents an inventory of information system components that:</p>
-               <part id="cm-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Is at the level of granularity deemed necessary for tracking and reporting;
-                     and</p>
-               </part>
-               <part id="cm-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Includes <insert param-id="cm-8_prm_1"/>; and</p>
-               </part>
-            </part>
-            <part id="cm-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the information system component inventory <insert param-id="cm-8_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="cm-8_gdn" name="guidance">
-            <p>Organizations may choose to implement centralized information system component
-               inventories that include components from all organizational information systems. In
-               such situations, organizations ensure that the resulting inventories include
-               system-specific information required for proper component accountability (e.g.,
-               information system association, information system owner). Information deemed
-               necessary for effective accountability of information system components includes, for
-               example, hardware inventory specifications, software license information, software
-               version numbers, component owners, and for networked components or devices, machine
-               names and network addresses. Inventory specifications include, for example,
-               manufacturer, device type, model, serial number, and physical location.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-         </part>
-         <part id="cm-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-8.a_obj" name="objective">
-               <prop name="label">CM-8(a)</prop>
-               <part id="cm-8.a.1_obj" name="objective">
-                  <prop name="label">CM-8(a)(1)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     accurately reflects the current information system;</p>
-               </part>
-               <part id="cm-8.a.2_obj" name="objective">
-                  <prop name="label">CM-8(a)(2)</prop>
-                  <p>develops and documents an inventory of information system components that
-                     includes all components within the authorization boundary of the information
-                     system;</p>
-               </part>
-               <part id="cm-8.a.3_obj" name="objective">
-                  <prop name="label">CM-8(a)(3)</prop>
-                  <p>develops and documents an inventory of information system components that is at
-                     the level of granularity deemed necessary for tracking and reporting;</p>
-               </part>
-               <part id="cm-8.a.4_obj" name="objective">
-                  <prop name="label">CM-8(a)(4)</prop>
-                  <part id="cm-8.a.4_obj.1" name="objective">
-                     <prop name="label">CM-8(a)(4)[1]</prop>
-                     <p>defines the information deemed necessary to achieve effective information
-                        system component accountability;</p>
-                  </part>
-                  <part id="cm-8.a.4_obj.2" name="objective">
-                     <prop name="label">CM-8(a)(4)[2]</prop>
-                     <p>develops and documents an inventory of information system components that
-                        includes organization-defined information deemed necessary to achieve
-                        effective information system component accountability;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cm-8.b_obj" name="objective">
-               <prop name="label">CM-8(b)</prop>
-               <part id="cm-8.b_obj.1" name="objective">
-                  <prop name="label">CM-8(b)[1]</prop>
-                  <p>defines the frequency to review and update the information system component
-                     inventory; and</p>
-               </part>
-               <part id="cm-8.b_obj.2" name="objective">
-                  <prop name="label">CM-8(b)[2]</prop>
-                  <p>reviews and updates the information system component inventory with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing information system component inventory</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system inventory records</p>
-               <p>inventory reviews and update records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system component
-                  inventory</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing and documenting an inventory of
-                  information system components</p>
-               <p>automated mechanisms supporting and/or implementing the information system
-                  component inventory</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-8.1">
-            <title>Updates During Installations / Removals</title>
-            <prop name="label">CM-8(1)</prop>
-            <prop name="sort-id">cm-08.01</prop>
-            <part id="cm-8.1_smt" name="statement">
-               <p>The organization updates the inventory of information system components as an
-                  integral part of component installations, removals, and information system
-                  updates.</p>
-            </part>
-            <part id="cm-8.1_obj" name="objective">
-               <p>Determine if the organization updates the inventory of information system
-                  components as an integral part of:</p>
-               <part id="cm-8.1_obj.1" name="objective">
-                  <prop name="label">CM-8(1)[1]</prop>
-                  <p>component installations;</p>
-               </part>
-               <part id="cm-8.1_obj.2" name="objective">
-                  <prop name="label">CM-8(1)[2]</prop>
-                  <p>component removals; and</p>
-               </part>
-               <part id="cm-8.1_obj.3" name="objective">
-                  <prop name="label">CM-8(1)[3]</prop>
-                  <p>information system updates.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system inventory records</p>
-                  <p>inventory reviews and update records</p>
-                  <p>component installation records</p>
-                  <p>component removal records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for updating the information
-                     system component inventory</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for updating inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing updating of the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.2">
-            <title>Automated Maintenance</title>
-            <prop name="label">CM-8(2)</prop>
-            <prop name="sort-id">cm-08.02</prop>
-            <part id="cm-8.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to help maintain an up-to-date,
-                  complete, accurate, and readily available inventory of information system
-                  components.</p>
-            </part>
-            <part id="cm-8.2_gdn" name="guidance">
-               <p>Organizations maintain information system inventories to the extent feasible.
-                  Virtual machines, for example, can be difficult to monitor because such machines
-                  are not visible to the network when not in use. In such cases, organizations
-                  maintain as up-to-date, complete, and accurate an inventory as is deemed
-                  reasonable. This control enhancement can be satisfied by the implementation of
-                  CM-2 (2) for organizations that choose to combine information system component
-                  inventory and baseline configuration activities.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="cm-8.2_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to maintain an
-                  inventory of information system components that is:</p>
-               <part id="cm-8.2_obj.1" name="objective">
-                  <prop name="label">CM-8(2)[1]</prop>
-                  <p>up-to-date;</p>
-               </part>
-               <part id="cm-8.2_obj.2" name="objective">
-                  <prop name="label">CM-8(2)[2]</prop>
-                  <p>complete;</p>
-               </part>
-               <part id="cm-8.2_obj.3" name="objective">
-                  <prop name="label">CM-8(2)[3]</prop>
-                  <p>accurate; and</p>
-               </part>
-               <part id="cm-8.2_obj.4" name="objective">
-                  <prop name="label">CM-8(2)[4]</prop>
-                  <p>readily available.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>configuration management plan</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system inventory records</p>
-                  <p>change control records</p>
-                  <p>information system maintenance records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for managing the automated
-                     mechanisms implementing the information system component inventory</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining the inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.3">
-            <title>Automated Unauthorized Component Detection</title>
-            <param id="cm-8.3_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="cm-8.3_prm_2">
-               <select how-many="one or more">
-                  <choice>disables network access by such components</choice>
-                  <choice>isolates the components</choice>
-                  <choice>notifies <insert param-id="cm-8.3_prm_3"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="cm-8.3_prm_3" depends-on="cm-8.3_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">CM-8(3)</prop>
-            <prop name="sort-id">cm-08.03</prop>
-            <part id="cm-8.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-8.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs automated mechanisms <insert param-id="cm-8.3_prm_1"/> to detect the
-                     presence of unauthorized hardware, software, and firmware components within the
-                     information system; and</p>
-               </part>
-               <part id="cm-8.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Takes the following actions when unauthorized components are detected: <insert param-id="cm-8.3_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="cm-8.3_gdn" name="guidance">
-               <p>This control enhancement is applied in addition to the monitoring for unauthorized
-                  remote connections and mobile devices. Monitoring for unauthorized system
-                  components may be accomplished on an ongoing basis or by the periodic scanning of
-                  systems for that purpose. Automated mechanisms can be implemented within
-                  information systems or in other separate devices. Isolation can be achieved, for
-                  example, by placing unauthorized information system components in separate domains
-                  or subnets or otherwise quarantining such components. This type of component
-                  isolation is commonly referred to as sandboxing.</p>
-               <link rel="related" href="#ac-17">AC-17</link>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-4">SI-4</link>
-               <link rel="related" href="#si-7">SI-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="cm-8.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-8.3.a_obj" name="objective">
-                  <prop name="label">CM-8(3)(a)</prop>
-                  <part id="cm-8.3.a_obj.1" name="objective">
-                     <prop name="label">CM-8(3)(a)[1]</prop>
-                     <p>defines the frequency to employ automated mechanisms to detect the presence
-                        of unauthorized:</p>
-                     <part id="cm-8.3.a_obj.1.a" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][a]</prop>
-                        <p>hardware components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.1.b" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][b]</prop>
-                        <p>software components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.1.c" name="objective">
-                        <prop name="label">CM-8(3)(a)[1][c]</prop>
-                        <p>firmware components within the information system;</p>
-                     </part>
-                  </part>
-                  <part id="cm-8.3.a_obj.2" name="objective">
-                     <prop name="label">CM-8(3)(a)[2]</prop>
-                     <p>employs automated mechanisms with the organization-defined frequency to
-                        detect the presence of unauthorized:</p>
-                     <part id="cm-8.3.a_obj.2.a" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][a]</prop>
-                        <p>hardware components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.2.b" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][b]</prop>
-                        <p>software components within the information system;</p>
-                     </part>
-                     <part id="cm-8.3.a_obj.2.c" name="objective">
-                        <prop name="label">CM-8(3)(a)[2][c]</prop>
-                        <p>firmware components within the information system;</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-8.3_smt.a">CM-8(3)(a)</link>
-               </part>
-               <part id="cm-8.3.b_obj" name="objective">
-                  <prop name="label">CM-8(3)(b)</prop>
-                  <part id="cm-8.3.b_obj.1" name="objective">
-                     <prop name="label">CM-8(3)(b)[1]</prop>
-                     <p>defines personnel or roles to be notified when unauthorized components are
-                        detected;</p>
-                  </part>
-                  <part id="cm-8.3.b_obj.2" name="objective">
-                     <prop name="label">CM-8(3)(b)[2]</prop>
-                     <p>takes one or more of the following actions when unauthorized components are
-                        detected:</p>
-                     <part id="cm-8.3.b_obj.2.a" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][a]</prop>
-                        <p>disables network access by such components;</p>
-                     </part>
-                     <part id="cm-8.3.b_obj.2.b" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][b]</prop>
-                        <p>isolates the components; and/or</p>
-                     </part>
-                     <part id="cm-8.3.b_obj.2.c" name="objective">
-                        <prop name="label">CM-8(3)(b)[2][c]</prop>
-                        <p>notifies organization-defined personnel or roles.</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#cm-8.3_smt.b">CM-8(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system inventory records</p>
-                  <p>alerts/notifications of unauthorized components within the information
-                     system</p>
-                  <p>information system monitoring records</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for managing the automated
-                     mechanisms implementing unauthorized information system component detection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for detection of unauthorized information system
-                     components</p>
-                  <p>automated mechanisms implementing the detection of unauthorized information
-                     system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.4">
-            <title>Accountability Information</title>
-            <param id="cm-8.4_prm_1">
-               <select how-many="one or more">
-                  <choice>name</choice>
-                  <choice>position</choice>
-                  <choice>role</choice>
-               </select>
-            </param>
-            <prop name="label">CM-8(4)</prop>
-            <prop name="sort-id">cm-08.04</prop>
-            <part id="cm-8.4_smt" name="statement">
-               <p>The organization includes in the information system component inventory
-                  information, a means for identifying by <insert param-id="cm-8.4_prm_1"/>,
-                  individuals responsible/accountable for administering those components.</p>
-            </part>
-            <part id="cm-8.4_gdn" name="guidance">
-               <p>Identifying individuals who are both responsible and accountable for administering
-                  information system components helps to ensure that the assigned components are
-                  properly administered and organizations can contact those individuals if some
-                  action is required (e.g., component is determined to be the source of a
-                  breach/compromise, component needs to be recalled/replaced, or component needs to
-                  be relocated).</p>
-            </part>
-            <part id="cm-8.4_obj" name="objective">
-               <p>Determine if the organization includes in the information system component
-                  inventory for information system components, a means for identifying the
-                  individuals responsible and accountable for administering those components by one
-                  or more of the following: </p>
-               <part id="cm-8.4_obj.1" name="objective">
-                  <prop name="label">CM-8(4)[1]</prop>
-                  <p>name;</p>
-               </part>
-               <part id="cm-8.4_obj.2" name="objective">
-                  <prop name="label">CM-8(4)[2]</prop>
-                  <p>position; and/or</p>
-               </part>
-               <part id="cm-8.4_obj.3" name="objective">
-                  <prop name="label">CM-8(4)[3]</prop>
-                  <p>role.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system inventory records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for managing the information
-                     system component inventory</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining the inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.5">
-            <title>No Duplicate Accounting of Components</title>
-            <prop name="label">CM-8(5)</prop>
-            <prop name="sort-id">cm-08.05</prop>
-            <part id="cm-8.5_smt" name="statement">
-               <p>The organization verifies that all components within the authorization boundary of
-                  the information system are not duplicated in other information system component
-                  inventories.</p>
-            </part>
-            <part id="cm-8.5_gdn" name="guidance">
-               <p>This control enhancement addresses the potential problem of duplicate accounting
-                  of information system components in large or complex interconnected systems.</p>
-            </part>
-            <part id="cm-8.5_obj" name="objective">
-               <p>Determine if the organization verifies that all components within the
-                  authorization boundary of the information system are not duplicated in other
-                  information system inventories. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system inventory records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system inventory responsibilities</p>
-                  <p>organizational personnel with responsibilities for defining information system
-                     components within the authorization boundary of the system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining the inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.6">
-            <title>Assessed Configurations / Approved Deviations</title>
-            <prop name="label">CM-8(6)</prop>
-            <prop name="sort-id">cm-08.06</prop>
-            <part id="cm-8.6_smt" name="statement">
-               <p>The organization includes assessed component configurations and any approved
-                  deviations to current deployed configurations in the information system component
-                  inventory.</p>
-            </part>
-            <part id="cm-8.6_gdn" name="guidance">
-               <p>This control enhancement focuses on configuration settings established by
-                  organizations for information system components, the specific components that have
-                  been assessed to determine compliance with the required configuration settings,
-                  and any approved deviations from established configuration settings.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="cm-8.6_obj" name="objective">
-               <p>Determine if the organization includes in the information system component
-                  inventory: </p>
-               <part id="cm-8.6_obj.1" name="objective">
-                  <prop name="label">CM-8(6)[1]</prop>
-                  <p>assessed component configurations; and</p>
-               </part>
-               <part id="cm-8.6_obj.2" name="objective">
-                  <prop name="label">CM-8(6)[2]</prop>
-                  <p>any approved deviations to current deployed configurations.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system inventory records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with inventory management and assessment
-                     responsibilities for information system components</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining the inventory of information system
-                     components</p>
-                  <p>automated mechanisms implementing the information system component
-                     inventory</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.7">
-            <title>Centralized Repository</title>
-            <prop name="label">CM-8(7)</prop>
-            <prop name="sort-id">cm-08.07</prop>
-            <part id="cm-8.7_smt" name="statement">
-               <p>The organization provides a centralized repository for the inventory of
-                  information system components.</p>
-            </part>
-            <part id="cm-8.7_gdn" name="guidance">
-               <p>Organizations may choose to implement centralized information system component
-                  inventories that include components from all organizational information systems.
-                  Centralized repositories of information system component inventories provide
-                  opportunities for efficiencies in accounting for organizational hardware,
-                  software, and firmware assets. Such repositories may also help organizations
-                  rapidly identify the location and responsible individuals of system components
-                  that have been compromised, breached, or are otherwise in need of mitigation
-                  actions. Organizations ensure that the resulting centralized inventories include
-                  system-specific information required for proper component accountability (e.g.,
-                  information system association, information system owner).</p>
-            </part>
-            <part id="cm-8.7_obj" name="objective">
-               <p>Determine if the organization provides a centralized repository for the inventory
-                  of information system components. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system inventory repository</p>
-                  <p>information system inventory records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with inventory management responsibilities for
-                     information system components</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing the information system component inventory in
-                     a centralized repository</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.8">
-            <title>Automated Location Tracking</title>
-            <prop name="label">CM-8(8)</prop>
-            <prop name="sort-id">cm-08.08</prop>
-            <part id="cm-8.8_smt" name="statement">
-               <p>The organization employs automated mechanisms to support tracking of information
-                  system components by geographic location.</p>
-            </part>
-            <part id="cm-8.8_gdn" name="guidance">
-               <p>The use of automated mechanisms to track the location of information system
-                  components can increase the accuracy of component inventories. Such capability may
-                  also help organizations rapidly identify the location and responsible individuals
-                  of system components that have been compromised, breached, or are otherwise in
-                  need of mitigation actions.</p>
-            </part>
-            <part id="cm-8.8_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to support tracking of
-                  information system components by geographic location. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system inventory records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with inventory management responsibilities for
-                     information system components</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing the information system component
-                     inventory</p>
-                  <p>automated mechanisms supporting tracking of information system components by
-                     geographic location</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.9">
-            <title>Assignment of Components to Systems</title>
-            <param id="cm-8.9_prm_1">
-               <label>organization-defined acquired information system components</label>
-            </param>
-            <prop name="label">CM-8(9)</prop>
-            <prop name="sort-id">cm-08.09</prop>
-            <part id="cm-8.9_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cm-8.9_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Assigns <insert param-id="cm-8.9_prm_1"/> to an information system; and</p>
-               </part>
-               <part id="cm-8.9_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Receives an acknowledgement from the information system owner of this
-                     assignment.</p>
-               </part>
-            </part>
-            <part id="cm-8.9_gdn" name="guidance">
-               <p>Organizations determine the criteria for or types of information system components
-                  (e.g., microprocessors, motherboards, software, programmable logic controllers,
-                  and network devices) that are subject to this control enhancement.</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="cm-8.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-8.9.a_obj" name="objective">
-                  <prop name="label">CM-8(9)(a)</prop>
-                  <part id="cm-8.9.a_obj.1" name="objective">
-                     <prop name="label">CM-8(9)(a)[1]</prop>
-                     <p>defines acquired information system components to be assigned to an
-                        information system; and</p>
-                  </part>
-                  <part id="cm-8.9.a_obj.2" name="objective">
-                     <prop name="label">CM-8(9)(a)[2]</prop>
-                     <p>assigns organization-defined acquired information system components to an
-                        information system; and</p>
-                  </part>
-                  <link rel="corresp" href="#cm-8.9_smt.a">CM-8(9)(a)</link>
-               </part>
-               <part id="cm-8.9.b_obj" name="objective">
-                  <prop name="label">CM-8(9)(b)</prop>
-                  <p>receives an acknowledgement from the information system owner of the
-                     assignment.</p>
-                  <link rel="corresp" href="#cm-8.9_smt.b">CM-8(9)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing information system component inventory</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>acknowledgements of information system component assignments</p>
-                  <p>information system inventory records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with inventory management responsibilities for
-                     information system components</p>
-                  <p>information system owner</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for assigning components to systems</p>
-                  <p>organizational processes for acknowledging assignment of components to
-                     systems</p>
-                  <p>automated mechanisms implementing assignment of acquired components to the
-                     information system</p>
-                  <p>automated mechanisms implementing acknowledgment of assignment of acquired
-                     components to the information system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-9">
-         <title>Configuration Management Plan</title>
-         <prop name="label">CM-9</prop>
-         <prop name="sort-id">cm-09</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="cm-9_smt" name="statement">
-            <p>The organization develops, documents, and implements a configuration management plan
-               for the information system that:</p>
-            <part id="cm-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Addresses roles, responsibilities, and configuration management processes and
-                  procedures;</p>
-            </part>
-            <part id="cm-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes a process for identifying configuration items throughout the system
-                  development life cycle and for managing the configuration of the configuration
-                  items;</p>
-            </part>
-            <part id="cm-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Defines the configuration items for the information system and places the
-                  configuration items under configuration management; and</p>
-            </part>
-            <part id="cm-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the configuration management plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part id="cm-9_gdn" name="guidance">
-            <p>Configuration management plans satisfy the requirements in configuration management
-               policies while being tailored to individual information systems. Such plans define
-               detailed processes and procedures for how configuration management is used to support
-               system development life cycle activities at the information system level.
-               Configuration management plans are typically developed during the
-               development/acquisition phase of the system development life cycle. The plans
-               describe how to move changes through change management processes, how to update
-               configuration settings and baselines, how to maintain information system component
-               inventories, how to control development, test, and operational environments, and how
-               to develop, release, and update key documents. Organizations can employ templates to
-               help ensure consistent and timely development and implementation of configuration
-               management plans. Such templates can represent a master configuration management plan
-               for the organization at large with subsets of the plan implemented on a system by
-               system basis. Configuration management approval processes include designation of key
-               management stakeholders responsible for reviewing and approving proposed changes to
-               information systems, and personnel that conduct security impact analyses prior to the
-               implementation of changes to the systems. Configuration items are the information
-               system items (hardware, software, firmware, and documentation) to be
-               configuration-managed. As information systems continue through the system development
-               life cycle, new configuration items may be identified and some existing configuration
-               items may no longer need to be under configuration control.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-         </part>
-         <part id="cm-9_obj" name="objective">
-            <p>Determine if the organization develops, documents, and implements a configuration
-               management plan for the information system that:</p>
-            <part id="cm-9.a_obj" name="objective">
-               <prop name="label">CM-9(a)</prop>
-               <part id="cm-9.a_obj.1" name="objective">
-                  <prop name="label">CM-9(a)[1]</prop>
-                  <p>addresses roles;</p>
-               </part>
-               <part id="cm-9.a_obj.2" name="objective">
-                  <prop name="label">CM-9(a)[2]</prop>
-                  <p>addresses responsibilities;</p>
-               </part>
-               <part id="cm-9.a_obj.3" name="objective">
-                  <prop name="label">CM-9(a)[3]</prop>
-                  <p>addresses configuration management processes and procedures;</p>
-               </part>
-            </part>
-            <part id="cm-9.b_obj" name="objective">
-               <prop name="label">CM-9(b)</prop>
-               <p>establishes a process for:</p>
-               <part id="cm-9.b_obj.1" name="objective">
-                  <prop name="label">CM-9(b)[1]</prop>
-                  <p>identifying configuration items throughout the SDLC;</p>
-               </part>
-               <part id="cm-9.b_obj.2" name="objective">
-                  <prop name="label">CM-9(b)[2]</prop>
-                  <p>managing the configuration of the configuration items;</p>
-               </part>
-            </part>
-            <part id="cm-9.c_obj" name="objective">
-               <prop name="label">CM-9(c)</prop>
-               <part id="cm-9.c_obj.1" name="objective">
-                  <prop name="label">CM-9(c)[1]</prop>
-                  <p>defines the configuration items for the information system;</p>
-               </part>
-               <part id="cm-9.c_obj.2" name="objective">
-                  <prop name="label">CM-9(c)[2]</prop>
-                  <p>places the configuration items under configuration management;</p>
-               </part>
-            </part>
-            <part id="cm-9.d_obj" name="objective">
-               <prop name="label">CM-9(d)</prop>
-               <p>protects the configuration management plan from unauthorized:</p>
-               <part id="cm-9.d_obj.1" name="objective">
-                  <prop name="label">CM-9(d)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="cm-9.d_obj.2" name="objective">
-                  <prop name="label">CM-9(d)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing configuration management planning</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for developing the configuration
-                  management plan</p>
-               <p>organizational personnel with responsibilities for implementing and managing
-                  processes defined in the configuration management plan</p>
-               <p>organizational personnel with responsibilities for protecting the configuration
-                  management plan</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing and documenting the configuration
-                  management plan</p>
-               <p>organizational processes for identifying and managing configuration items</p>
-               <p>organizational processes for protecting the configuration management plan</p>
-               <p>automated mechanisms implementing the configuration management plan</p>
-               <p>automated mechanisms for managing configuration items</p>
-               <p>automated mechanisms for protecting the configuration management plan</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-9.1">
-            <title>Assignment of Responsibility</title>
-            <prop name="label">CM-9(1)</prop>
-            <prop name="sort-id">cm-09.01</prop>
-            <part id="cm-9.1_smt" name="statement">
-               <p>The organization assigns responsibility for developing the configuration
-                  management process to organizational personnel that are not directly involved in
-                  information system development.</p>
-            </part>
-            <part id="cm-9.1_gdn" name="guidance">
-               <p>In the absence of dedicated configuration management teams assigned within
-                  organizations, system developers may be tasked to develop configuration management
-                  processes using personnel who are not directly involved in system development or
-                  integration. This separation of duties ensures that organizations establish and
-                  maintain a sufficient degree of independence between the information system
-                  development and integration processes and configuration management processes to
-                  facilitate quality control and more effective oversight.</p>
-            </part>
-            <part id="cm-9.1_obj" name="objective">
-               <p>Determine if the organization assigns responsibility for developing the
-                  configuration management process to organizational personnel that are not directly
-                  involved in information system development. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing responsibilities for configuration management process
-                     development</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for configuration management
-                     process development</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-10">
-         <title>Software Usage Restrictions</title>
-         <prop name="label">CM-10</prop>
-         <prop name="sort-id">cm-10</prop>
-         <part id="cm-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part id="cm-10_gdn" name="guidance">
-            <p>Software license tracking can be accomplished by manual methods (e.g., simple
-               spreadsheets) or automated methods (e.g., specialized tracking applications)
-               depending on organizational needs.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="cm-10_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-10.a_obj" name="objective">
-               <prop name="label">CM-10(a)</prop>
-               <p>uses software and associated documentation in accordance with contract agreements
-                  and copyright laws;</p>
-            </part>
-            <part id="cm-10.b_obj" name="objective">
-               <prop name="label">CM-10(b)</prop>
-               <p>tracks the use of software and associated documentation protected by quantity
-                  licenses to control copying and distribution; and</p>
-            </part>
-            <part id="cm-10.c_obj" name="objective">
-               <prop name="label">CM-10(c)</prop>
-               <p>controls and documents the use of peer-to-peer file sharing technology to ensure
-                  that this capability is not used for the unauthorized distribution, display,
-                  performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing software usage restrictions</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>software contract agreements and copyright laws</p>
-               <p>site license documentation</p>
-               <p>list of software usage restrictions</p>
-               <p>software license tracking reports</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel with software license management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for tracking the use of software protected by quantity
-                  licenses</p>
-               <p>organization process for controlling/documenting the use of peer-to-peer file
-                  sharing technology</p>
-               <p>automated mechanisms implementing software license tracking</p>
-               <p>automated mechanisms implementing and controlling the use of peer-to-peer files
-                  sharing technology</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-10.1">
-            <title>Open Source Software</title>
-            <param id="cm-10.1_prm_1">
-               <label>organization-defined restrictions</label>
-            </param>
-            <prop name="label">CM-10(1)</prop>
-            <prop name="sort-id">cm-10.01</prop>
-            <part id="cm-10.1_smt" name="statement">
-               <p>The organization establishes the following restrictions on the use of open source
-                  software: <insert param-id="cm-10.1_prm_1"/>.</p>
-            </part>
-            <part id="cm-10.1_gdn" name="guidance">
-               <p>Open source software refers to software that is available in source code form.
-                  Certain software rights normally reserved for copyright holders are routinely
-                  provided under software license agreements that permit individuals to study,
-                  change, and improve the software. From a security perspective, the major advantage
-                  of open source software is that it provides organizations with the ability to
-                  examine the source code. However, there are also various licensing issues
-                  associated with open source software including, for example, the constraints on
-                  derivative use of such software.</p>
-            </part>
-            <part id="cm-10.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cm-10.1_obj.1" name="objective">
-                  <prop name="label">CM-10(1)[1]</prop>
-                  <p>defines restrictions on the use of open source software; and</p>
-               </part>
-               <part id="cm-10.1_obj.2" name="objective">
-                  <prop name="label">CM-10(1)[2]</prop>
-                  <p>establishes organization-defined restrictions on the use of open source
-                     software.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing restrictions on use of open source software</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for establishing and enforcing
-                     restrictions on use of open source software</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for restricting the use of open source software</p>
-                  <p>automated mechanisms implementing restrictions on the use of open source
-                     software</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-11">
-         <title>User-installed Software</title>
-         <param id="cm-11_prm_1">
-            <label>organization-defined policies</label>
-         </param>
-         <param id="cm-11_prm_2">
-            <label>organization-defined methods</label>
-         </param>
-         <param id="cm-11_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CM-11</prop>
-         <prop name="sort-id">cm-11</prop>
-         <part id="cm-11_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cm-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes <insert param-id="cm-11_prm_1"/> governing the installation of
-                  software by users;</p>
-            </part>
-            <part id="cm-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Enforces software installation policies through <insert param-id="cm-11_prm_2"/>;
-                  and</p>
-            </part>
-            <part id="cm-11_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Monitors policy compliance at <insert param-id="cm-11_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="cm-11_gdn" name="guidance">
-            <p>If provided the necessary privileges, users have the ability to install software in
-               organizational information systems. To maintain control over the types of software
-               installed, organizations identify permitted and prohibited actions regarding software
-               installation. Permitted software installations may include, for example, updates and
-               security patches to existing software and downloading applications from
-               organization-approved “app stores” Prohibited software installations may include, for
-               example, software with unknown or suspect pedigrees or software that organizations
-               consider potentially malicious. The policies organizations select governing
-               user-installed software may be organization-developed or provided by some external
-               entity. Policy enforcement methods include procedural methods (e.g., periodic
-               examination of user accounts), automated methods (e.g., configuration settings
-               implemented on organizational information systems), or both.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="cm-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cm-11.a_obj" name="objective">
-               <prop name="label">CM-11(a)</prop>
-               <part id="cm-11.a_obj.1" name="objective">
-                  <prop name="label">CM-11(a)[1]</prop>
-                  <p>defines policies to govern the installation of software by users;</p>
-               </part>
-               <part id="cm-11.a_obj.2" name="objective">
-                  <prop name="label">CM-11(a)[2]</prop>
-                  <p>establishes organization-defined policies governing the installation of
-                     software by users;</p>
-               </part>
-            </part>
-            <part id="cm-11.b_obj" name="objective">
-               <prop name="label">CM-11(b)</prop>
-               <part id="cm-11.b_obj.1" name="objective">
-                  <prop name="label">CM-11(b)[1]</prop>
-                  <p>defines methods to enforce software installation policies;</p>
-               </part>
-               <part id="cm-11.b_obj.2" name="objective">
-                  <prop name="label">CM-11(b)[2]</prop>
-                  <p>enforces software installation policies through organization-defined
-                     methods;</p>
-               </part>
-            </part>
-            <part id="cm-11.c_obj" name="objective">
-               <prop name="label">CM-11(c)</prop>
-               <part id="cm-11.c_obj.1" name="objective">
-                  <prop name="label">CM-11(c)[1]</prop>
-                  <p>defines frequency to monitor policy compliance; and</p>
-               </part>
-               <part id="cm-11.c_obj.2" name="objective">
-                  <prop name="label">CM-11(c)[2]</prop>
-                  <p>monitors policy compliance at organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Configuration management policy</p>
-               <p>procedures addressing user installed software</p>
-               <p>configuration management plan</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of rules governing user installed software</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-               <p>continuous monitoring strategy</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for governing user-installed
-                  software</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>organizational personnel monitoring compliance with user-installed software
-                  policy</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes governing user-installed software on the information
-                  system</p>
-               <p>automated mechanisms enforcing rules/methods for governing the installation of
-                  software by users</p>
-               <p>automated mechanisms monitoring policy compliance</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-11.1">
-            <title>Alerts for Unauthorized Installations</title>
-            <param id="cm-11.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">CM-11(1)</prop>
-            <prop name="sort-id">cm-11.01</prop>
-            <part id="cm-11.1_smt" name="statement">
-               <p>The information system alerts <insert param-id="cm-11.1_prm_1"/> when the
-                  unauthorized installation of software is detected.</p>
-            </part>
-            <part id="cm-11.1_gdn" name="guidance">
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="cm-11.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="cm-11.1_obj.1" name="objective">
-                  <prop name="label">CM-11(1)[1]</prop>
-                  <p>the organization defines personnel or roles to be alerted when the unauthorized
-                     installation of software is detected; and</p>
-               </part>
-               <part id="cm-11.1_obj.2" name="objective">
-                  <prop name="label">CM-11(1)[2]</prop>
-                  <p>the information system alerts organization-defined personnel or roles when the
-                     unauthorized installation of software is detected.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing user installed software</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for governing user-installed
-                     software</p>
-                  <p>organizational personnel operating, using, and/or maintaining the information
-                     system</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes governing user-installed software on the information
-                     system</p>
-                  <p>automated mechanisms for alerting personnel/roles when unauthorized
-                     installation of software is detected</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-11.2">
-            <title>Prohibit Installation Without Privileged Status</title>
-            <prop name="label">CM-11(2)</prop>
-            <prop name="sort-id">cm-11.02</prop>
-            <part id="cm-11.2_smt" name="statement">
-               <p>The information system prohibits user installation of software without explicit
-                  privileged status.</p>
-            </part>
-            <part id="cm-11.2_gdn" name="guidance">
-               <p>Privileged status can be obtained, for example, by serving in the role of system
-                  administrator.</p>
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="cm-11.2_obj" name="objective">
-               <p>Determine if the information system prohibits user installation of software
-                  without explicit privileged status.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Configuration management policy</p>
-                  <p>procedures addressing user installed software</p>
-                  <p>configuration management plan</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>alerts/notifications of unauthorized software installations</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for governing user-installed
-                     software</p>
-                  <p>organizational personnel operating, using, and/or maintaining the information
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes governing user-installed software on the information
-                     system</p>
-                  <p>automated mechanisms for prohibiting installation of software without
-                     privileged status (e.g., access controls)</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="cp">
-      <title>Contingency Planning</title>
-      <control class="SP800-53" id="cp-1">
-         <title>Contingency Planning Policy and Procedures</title>
-         <param id="cp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CP-1</prop>
-         <prop name="sort-id">cp-01</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="cp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="cp-1_prm_1"/>:</p>
-               <part id="cp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A contingency planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="cp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the contingency planning policy
-                     and associated contingency planning controls; and</p>
-               </part>
-            </part>
-            <part id="cp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="cp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Contingency planning policy <insert param-id="cp-1_prm_2"/>; and</p>
-               </part>
-               <part id="cp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Contingency planning procedures <insert param-id="cp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="cp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the CP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="cp-1_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="cp-1.a_obj" name="objective">
-               <prop name="label">CP-1(a)</prop>
-               <part id="cp-1.a.1_obj" name="objective">
-                  <prop name="label">CP-1(a)(1)</prop>
-                  <part id="cp-1.a.1_obj.1" name="objective">
-                     <prop name="label">CP-1(a)(1)[1]</prop>
-                     <p>the organization develops and documents a contingency planning policy that
-                        addresses:</p>
-                     <part id="cp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="cp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">CP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="cp-1.a.1_obj.2" name="objective">
-                     <prop name="label">CP-1(a)(1)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the contingency planning
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.1_obj.3" name="objective">
-                     <prop name="label">CP-1(a)(1)[3]</prop>
-                     <p>the organization disseminates the contingency planning policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="cp-1.a.2_obj" name="objective">
-                  <prop name="label">CP-1(a)(2)</prop>
-                  <part id="cp-1.a.2_obj.1" name="objective">
-                     <prop name="label">CP-1(a)(2)[1]</prop>
-                     <p>the organization develops and documents procedures to facilitate the
-                        implementation of the contingency planning policy and associated contingency
-                        planning controls;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.2" name="objective">
-                     <prop name="label">CP-1(a)(2)[2]</prop>
-                     <p>the organization defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="cp-1.a.2_obj.3" name="objective">
-                     <prop name="label">CP-1(a)(2)[3]</prop>
-                     <p>the organization disseminates the procedures to organization-defined
-                        personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-1.b_obj" name="objective">
-               <prop name="label">CP-1(b)</prop>
-               <part id="cp-1.b.1_obj" name="objective">
-                  <prop name="label">CP-1(b)(1)</prop>
-                  <part id="cp-1.b.1_obj.1" name="objective">
-                     <prop name="label">CP-1(b)(1)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning policy;</p>
-                  </part>
-                  <part id="cp-1.b.1_obj.2" name="objective">
-                     <prop name="label">CP-1(b)(1)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="cp-1.b.2_obj" name="objective">
-                  <prop name="label">CP-1(b)(2)</prop>
-                  <part id="cp-1.b.2_obj.1" name="objective">
-                     <prop name="label">CP-1(b)(2)[1]</prop>
-                     <p>the organization defines the frequency to review and update the current
-                        contingency planning procedures; and</p>
-                  </part>
-                  <part id="cp-1.b.2_obj.2" name="objective">
-                     <prop name="label">CP-1(b)(2)[2]</prop>
-                     <p>the organization reviews and updates the current contingency planning
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-2">
-         <title>Contingency Plan</title>
-         <param id="cp-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-2_prm_2">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <param id="cp-2_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-2_prm_4">
-            <label>organization-defined key contingency personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <prop name="label">CP-2</prop>
-         <prop name="sort-id">cp-02</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a contingency plan for the information system that:</p>
-               <part id="cp-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Provides recovery objectives, restoration priorities, and metrics;</p>
-               </part>
-               <part id="cp-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Addresses contingency roles, responsibilities, assigned individuals with
-                     contact information;</p>
-               </part>
-               <part id="cp-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented; and</p>
-               </part>
-               <part id="cp-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Is reviewed and approved by <insert param-id="cp-2_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="cp-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the contingency plan to <insert param-id="cp-2_prm_2"/>;</p>
-            </part>
-            <part id="cp-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Reviews the contingency plan for the information system <insert param-id="cp-2_prm_3"/>;</p>
-            </part>
-            <part id="cp-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the contingency plan to address changes to the organization, information
-                  system, or environment of operation and problems encountered during contingency
-                  plan implementation, execution, or testing;</p>
-            </part>
-            <part id="cp-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Communicates contingency plan changes to <insert param-id="cp-2_prm_4"/>; and</p>
-            </part>
-            <part id="cp-2_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part id="cp-2_gdn" name="guidance">
-            <p>Contingency planning for information systems is part of an overall organizational
-               program for achieving continuity of operations for mission/business functions.
-               Contingency planning addresses both information system restoration and implementation
-               of alternative mission/business processes when systems are compromised. The
-               effectiveness of contingency planning is maximized by considering such planning
-               throughout the phases of the system development life cycle. Performing contingency
-               planning on hardware, software, and firmware development can be an effective means of
-               achieving information system resiliency. Contingency plans reflect the degree of
-               restoration required for organizational information systems since not all systems may
-               need to fully recover to achieve the level of continuity of operations desired.
-               Information system recovery objectives reflect applicable laws, Executive Orders,
-               directives, policies, standards, regulations, and guidelines. In addition to
-               information system availability, contingency plans also address other
-               security-related events resulting in a reduction in mission and/or business
-               effectiveness, such as malicious attacks compromising the confidentiality or
-               integrity of information systems. Actions addressed in contingency plans include, for
-               example, orderly/graceful degradation, information system shutdown, fallback to a
-               manual mode, alternate information flows, and operating in modes reserved for when
-               systems are under attack. By closely coordinating contingency planning with incident
-               handling activities, organizations can ensure that the necessary contingency planning
-               activities are in place and activated in the event of a security incident.</p>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="cp-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-2.a_obj" name="objective">
-               <prop name="label">CP-2(a)</prop>
-               <p>develops and documents a contingency plan for the information system that:</p>
-               <part id="cp-2.a.1_obj" name="objective">
-                  <prop name="label">CP-2(a)(1)</prop>
-                  <p>identifies essential missions and business functions and associated contingency
-                     requirements;</p>
-               </part>
-               <part id="cp-2.a.2_obj" name="objective">
-                  <prop name="label">CP-2(a)(2)</prop>
-                  <part id="cp-2.a.2_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(2)[1]</prop>
-                     <p>provides recovery objectives;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(2)[2]</prop>
-                     <p>provides restoration priorities;</p>
-                  </part>
-                  <part id="cp-2.a.2_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(2)[3]</prop>
-                     <p>provides metrics;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.3_obj" name="objective">
-                  <prop name="label">CP-2(a)(3)</prop>
-                  <part id="cp-2.a.3_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(3)[1]</prop>
-                     <p>addresses contingency roles;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(3)[2]</prop>
-                     <p>addresses contingency responsibilities;</p>
-                  </part>
-                  <part id="cp-2.a.3_obj.3" name="objective">
-                     <prop name="label">CP-2(a)(3)[3]</prop>
-                     <p>addresses assigned individuals with contact information;</p>
-                  </part>
-               </part>
-               <part id="cp-2.a.4_obj" name="objective">
-                  <prop name="label">CP-2(a)(4)</prop>
-                  <p>addresses maintaining essential missions and business functions despite an
-                     information system disruption, compromise, or failure;</p>
-               </part>
-               <part id="cp-2.a.5_obj" name="objective">
-                  <prop name="label">CP-2(a)(5)</prop>
-                  <p>addresses eventual, full information system restoration without deterioration
-                     of the security safeguards originally planned and implemented;</p>
-               </part>
-               <part id="cp-2.a.6_obj" name="objective">
-                  <prop name="label">CP-2(a)(6)</prop>
-                  <part id="cp-2.a.6_obj.1" name="objective">
-                     <prop name="label">CP-2(a)(6)[1]</prop>
-                     <p>defines personnel or roles to review and approve the contingency plan for
-                        the information system;</p>
-                  </part>
-                  <part id="cp-2.a.6_obj.2" name="objective">
-                     <prop name="label">CP-2(a)(6)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="cp-2.b_obj" name="objective">
-               <prop name="label">CP-2(b)</prop>
-               <part id="cp-2.b_obj.1" name="objective">
-                  <prop name="label">CP-2(b)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom copies of the contingency plan are to be
-                     distributed;</p>
-               </part>
-               <part id="cp-2.b_obj.2" name="objective">
-                  <prop name="label">CP-2(b)[2]</prop>
-                  <p>distributes copies of the contingency plan to organization-defined key
-                     contingency personnel and organizational elements;</p>
-               </part>
-            </part>
-            <part id="cp-2.c_obj" name="objective">
-               <prop name="label">CP-2(c)</prop>
-               <p>coordinates contingency planning activities with incident handling activities;</p>
-            </part>
-            <part id="cp-2.d_obj" name="objective">
-               <prop name="label">CP-2(d)</prop>
-               <part id="cp-2.d_obj.1" name="objective">
-                  <prop name="label">CP-2(d)[1]</prop>
-                  <p>defines a frequency to review the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-2.d_obj.2" name="objective">
-                  <prop name="label">CP-2(d)[2]</prop>
-                  <p>reviews the contingency plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-2.e_obj" name="objective">
-               <prop name="label">CP-2(e)</prop>
-               <p>updates the contingency plan to address:</p>
-               <part id="cp-2.e_obj.1" name="objective">
-                  <prop name="label">CP-2(e)[1]</prop>
-                  <p>changes to the organization, information system, or environment of
-                     operation;</p>
-               </part>
-               <part id="cp-2.e_obj.2" name="objective">
-                  <prop name="label">CP-2(e)[2]</prop>
-                  <p>problems encountered during plan implementation, execution, and testing;</p>
-               </part>
-            </part>
-            <part id="cp-2.f_obj" name="objective">
-               <prop name="label">CP-2(f)</prop>
-               <part id="cp-2.f_obj.1" name="objective">
-                  <prop name="label">CP-2(f)[1]</prop>
-                  <p>defines key contingency personnel (identified by name and/or by role) and
-                     organizational elements to whom contingency plan changes are to be
-                     communicated;</p>
-               </part>
-               <part id="cp-2.f_obj.2" name="objective">
-                  <prop name="label">CP-2(f)[2]</prop>
-                  <p>communicates contingency plan changes to organization-defined key contingency
-                     personnel and organizational elements; and</p>
-               </part>
-            </part>
-            <part id="cp-2.g_obj" name="objective">
-               <prop name="label">CP-2(g)</prop>
-               <p>protects the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency operations for the information system</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>evidence of contingency plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan development, review, update, and
-                  protection</p>
-               <p>automated mechanisms for developing, reviewing, updating and/or protecting the
-                  contingency plan</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-2.1">
-            <title>Coordinate with Related Plans</title>
-            <prop name="label">CP-2(1)</prop>
-            <prop name="sort-id">cp-02.01</prop>
-            <part id="cp-2.1_smt" name="statement">
-               <p>The organization coordinates contingency plan development with organizational
-                  elements responsible for related plans.</p>
-            </part>
-            <part id="cp-2.1_gdn" name="guidance">
-               <p>Plans related to contingency plans for organizational information systems include,
-                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant
-                  Emergency Plans.</p>
-            </part>
-            <part id="cp-2.1_obj" name="objective">
-               <p>Determine if the organization coordinates contingency plan development with
-                  organizational elements responsible for related plans.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business contingency plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>cyber incident response plan</p>
-                  <p>insider threat implementation plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel with responsibility for related plans</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.2">
-            <title>Capacity Planning</title>
-            <prop name="label">CP-2(2)</prop>
-            <prop name="sort-id">cp-02.02</prop>
-            <part id="cp-2.2_smt" name="statement">
-               <p>The organization conducts capacity planning so that necessary capacity for
-                  information processing, telecommunications, and environmental support exists
-                  during contingency operations.</p>
-            </part>
-            <part id="cp-2.2_gdn" name="guidance">
-               <p>Capacity planning is needed because different types of threats (e.g., natural
-                  disasters, targeted cyber attacks) can result in a reduction of the available
-                  processing, telecommunications, and support services originally intended to
-                  support the organizational missions/business functions. Organizations may need to
-                  anticipate degraded operations during contingency operations and factor such
-                  degradation into capacity planning.</p>
-            </part>
-            <part id="cp-2.2_obj" name="objective">
-               <p>Determine if the organization conducts capacity planning so that necessary
-                  capacity exists during contingency operations for: </p>
-               <part id="cp-2.2_obj.1" name="objective">
-                  <prop name="label">CP-2(2)[1]</prop>
-                  <p>information processing;</p>
-               </part>
-               <part id="cp-2.2_obj.2" name="objective">
-                  <prop name="label">CP-2(2)[2]</prop>
-                  <p>telecommunications; and</p>
-               </part>
-               <part id="cp-2.2_obj.3" name="objective">
-                  <prop name="label">CP-2(2)[3]</prop>
-                  <p>environmental support.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>capacity planning documents</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.3">
-            <title>Resume Essential Missions / Business Functions</title>
-            <param id="cp-2.3_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">CP-2(3)</prop>
-            <prop name="sort-id">cp-02.03</prop>
-            <part id="cp-2.3_smt" name="statement">
-               <p>The organization plans for the resumption of essential missions and business
-                  functions within <insert param-id="cp-2.3_prm_1"/> of contingency plan
-                  activation.</p>
-            </part>
-            <part id="cp-2.3_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. The time period for
-                  resumption of essential missions/business functions may be dependent on the
-                  severity/extent of disruptions to the information system and its supporting
-                  infrastructure.</p>
-               <link rel="related" href="#pe-12">PE-12</link>
-            </part>
-            <part id="cp-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-2.3_obj.1" name="objective">
-                  <prop name="label">CP-2(3)[1]</prop>
-                  <p>defines the time period to plan for the resumption of essential missions and
-                     business functions as a result of contingency plan activation; and</p>
-               </part>
-               <part id="cp-2.3_obj.2" name="objective">
-                  <prop name="label">CP-2(3)[2]</prop>
-                  <p>plans for the resumption of essential missions and business functions within
-                     organization-defined time period of contingency plan activation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>security plan</p>
-                  <p>business impact assessment</p>
-                  <p>other related plans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for resumption of missions and business functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.4">
-            <title>Resume All Missions / Business Functions</title>
-            <param id="cp-2.4_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">CP-2(4)</prop>
-            <prop name="sort-id">cp-02.04</prop>
-            <part id="cp-2.4_smt" name="statement">
-               <p>The organization plans for the resumption of all missions and business functions
-                  within <insert param-id="cp-2.4_prm_1"/> of contingency plan activation.</p>
-            </part>
-            <part id="cp-2.4_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. The time period for
-                  resumption of all missions/business functions may be dependent on the
-                  severity/extent of disruptions to the information system and its supporting
-                  infrastructure.</p>
-               <link rel="related" href="#pe-12">PE-12</link>
-            </part>
-            <part id="cp-2.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-2.4_obj.1" name="objective">
-                  <prop name="label">CP-2(4)[1]</prop>
-                  <p>defines the time period to plan for the resumption of all missions and business
-                     functions as a result of contingency plan activation; and</p>
-               </part>
-               <part id="cp-2.4_obj.2" name="objective">
-                  <prop name="label">CP-2(4)[2]</prop>
-                  <p>plans for the resumption of all missions and business functions within
-                     organization-defined time period of contingency plan activation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>security plan</p>
-                  <p>business impact assessment</p>
-                  <p>other related plans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for resumption of missions and business functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.5">
-            <title>Continue Essential Missions / Business Functions</title>
-            <prop name="label">CP-2(5)</prop>
-            <prop name="sort-id">cp-02.05</prop>
-            <part id="cp-2.5_smt" name="statement">
-               <p>The organization plans for the continuance of essential missions and business
-                  functions with little or no loss of operational continuity and sustains that
-                  continuity until full information system restoration at primary processing and/or
-                  storage sites.</p>
-            </part>
-            <part id="cp-2.5_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. Primary processing
-                  and/or storage sites defined by organizations as part of contingency planning may
-                  change depending on the circumstances associated with the contingency (e.g.,
-                  backup sites may become primary sites).</p>
-               <link rel="related" href="#pe-12">PE-12</link>
-            </part>
-            <part id="cp-2.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-2.5_obj.1" name="objective">
-                  <prop name="label">CP-2(5)[1]</prop>
-                  <p>plans for the continuance of essential missions and business functions with
-                     little or no loss of operational continuity; and</p>
-               </part>
-               <part id="cp-2.5_obj.2" name="objective">
-                  <prop name="label">CP-2(5)[2]</prop>
-                  <p>sustains that operational continuity until full information system restoration
-                     at primary processing and/or storage sites.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business impact assessment</p>
-                  <p>primary processing site agreements</p>
-                  <p>primary storage site agreements</p>
-                  <p>alternate processing site agreements</p>
-                  <p>alternate storage site agreements</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for continuing missions and business functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.6">
-            <title>Alternate Processing / Storage Site</title>
-            <prop name="label">CP-2(6)</prop>
-            <prop name="sort-id">cp-02.06</prop>
-            <part id="cp-2.6_smt" name="statement">
-               <p>The organization plans for the transfer of essential missions and business
-                  functions to alternate processing and/or storage sites with little or no loss of
-                  operational continuity and sustains that continuity through information system
-                  restoration to primary processing and/or storage sites.</p>
-            </part>
-            <part id="cp-2.6_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. Primary processing
-                  and/or storage sites defined by organizations as part of contingency planning may
-                  change depending on the circumstances associated with the contingency (e.g.,
-                  backup sites may become primary sites).</p>
-               <link rel="related" href="#pe-12">PE-12</link>
-            </part>
-            <part id="cp-2.6_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-2.6_obj.1" name="objective">
-                  <prop name="label">CP-2(6)[1]</prop>
-                  <p>plans for the transfer of essential missions and business functions to
-                     alternate processing and/or storage sites with little or no loss of operational
-                     continuity; and</p>
-               </part>
-               <part id="cp-2.6_obj.2" name="objective">
-                  <prop name="label">CP-2(6)[2]</prop>
-                  <p>sustains that operational continuity through information system restoration to
-                     primary processing and/or storage sites.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business impact assessment</p>
-                  <p>alternate processing site agreements</p>
-                  <p>alternate storage site agreements</p>
-                  <p>contingency plan testing documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for transfer of essential missions and business
-                     functions to alternate processing/storage sites</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.7">
-            <title>Coordinate with External Service Providers</title>
-            <prop name="label">CP-2(7)</prop>
-            <prop name="sort-id">cp-02.07</prop>
-            <part id="cp-2.7_smt" name="statement">
-               <p>The organization coordinates its contingency plan with the contingency plans of
-                  external service providers to ensure that contingency requirements can be
-                  satisfied.</p>
-            </part>
-            <part id="cp-2.7_gdn" name="guidance">
-               <p>When the capability of an organization to successfully carry out its core
-                  missions/business functions is dependent on external service providers, developing
-                  a timely and comprehensive contingency plan may become more challenging. In this
-                  situation, organizations coordinate contingency planning activities with the
-                  external entities to ensure that the individual plans reflect the overall
-                  contingency needs of the organization.</p>
-               <link rel="related" href="#sa-9">SA-9</link>
-            </part>
-            <part id="cp-2.7_obj" name="objective">
-               <p>Determine if the organization coordinates its contingency plan with the
-                  contingency plans of external service provides to ensure contingency requirements
-                  can be satisfied. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>contingency plans of external</p>
-                  <p>service providers</p>
-                  <p>service level agreements</p>
-                  <p>security plan</p>
-                  <p>contingency plan requirements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>external service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.8">
-            <title>Identify Critical Assets</title>
-            <prop name="label">CP-2(8)</prop>
-            <prop name="sort-id">cp-02.08</prop>
-            <part id="cp-2.8_smt" name="statement">
-               <p>The organization identifies critical information system assets supporting
-                  essential missions and business functions.</p>
-            </part>
-            <part id="cp-2.8_gdn" name="guidance">
-               <p>Organizations may choose to carry out the contingency planning activities in this
-                  control enhancement as part of organizational business continuity planning
-                  including, for example, as part of business impact analyses. Organizations
-                  identify critical information system assets so that additional safeguards and
-                  countermeasures can be employed (above and beyond those safeguards and
-                  countermeasures routinely implemented) to help ensure that organizational
-                  missions/business functions can continue to be conducted during contingency
-                  operations. In addition, the identification of critical information assets
-                  facilitates the prioritization of organizational resources. Critical information
-                  system assets include technical and operational aspects. Technical aspects
-                  include, for example, information technology services, information system
-                  components, information technology products, and mechanisms. Operational aspects
-                  include, for example, procedures (manually executed operations) and personnel
-                  (individuals operating technical safeguards and/or executing manual procedures).
-                  Organizational program protection plans can provide assistance in identifying
-                  critical assets.</p>
-               <link rel="related" href="#sa-14">SA-14</link>
-               <link rel="related" href="#sa-15">SA-15</link>
-            </part>
-            <part id="cp-2.8_obj" name="objective">
-               <p>Determine if the organization identifies critical information system assets
-                  supporting essential missions and business functions.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency operations for the information system</p>
-                  <p>contingency plan</p>
-                  <p>business impact assessment</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-3">
-         <title>Contingency Training</title>
-         <param id="cp-3_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="cp-3_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CP-3</prop>
-         <prop name="sort-id">cp-03</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="cp-3_smt" name="statement">
-            <p>The organization provides contingency training to information system users consistent
-               with assigned roles and responsibilities:</p>
-            <part id="cp-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="cp-3_prm_1"/> of assuming a contingency role or
-                  responsibility;</p>
-            </part>
-            <part id="cp-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="cp-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="cp-3_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="cp-3_gdn" name="guidance">
-            <p>Contingency training provided by organizations is linked to the assigned roles and
-               responsibilities of organizational personnel to ensure that the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know when and where to report for duty during contingency operations and if
-               normal duties are affected; system administrators may require additional training on
-               how to set up information systems at alternate processing and storage sites; and
-               managers/senior leaders may receive more specific training on how to conduct
-               mission-essential functions in designated off-site locations and how to establish
-               communications with other governmental entities for purposes of coordination on
-               contingency-related activities. Training for contingency roles/responsibilities
-               reflects the specific continuity requirements in the contingency plan.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-         </part>
-         <part id="cp-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-3.a_obj" name="objective">
-               <prop name="label">CP-3(a)</prop>
-               <part id="cp-3.a_obj.1" name="objective">
-                  <prop name="label">CP-3(a)[1]</prop>
-                  <p>defines a time period within which contingency training is to be provided to
-                     information system users assuming a contingency role or responsibility;</p>
-               </part>
-               <part id="cp-3.a_obj.2" name="objective">
-                  <prop name="label">CP-3(a)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming a contingency role or responsibility;</p>
-               </part>
-            </part>
-            <part id="cp-3.b_obj" name="objective">
-               <prop name="label">CP-3(b)</prop>
-               <p>provides contingency training to information system users consistent with assigned
-                  roles and responsibilities when required by information system changes;</p>
-            </part>
-            <part id="cp-3.c_obj" name="objective">
-               <prop name="label">CP-3(c)</prop>
-               <part id="cp-3.c_obj.1" name="objective">
-                  <prop name="label">CP-3(c)[1]</prop>
-                  <p>defines the frequency for contingency training thereafter; and</p>
-               </part>
-               <part id="cp-3.c_obj.2" name="objective">
-                  <prop name="label">CP-3(c)[2]</prop>
-                  <p>provides contingency training to information system users consistent with
-                     assigned roles and responsibilities with the organization-defined frequency
-                     thereafter.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency training</p>
-               <p>contingency plan</p>
-               <p>contingency training curriculum</p>
-               <p>contingency training material</p>
-               <p>security plan</p>
-               <p>contingency training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, plan implementation, and
-                  training responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency training</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-3.1">
-            <title>Simulated Events</title>
-            <prop name="label">CP-3(1)</prop>
-            <prop name="sort-id">cp-03.01</prop>
-            <part id="cp-3.1_smt" name="statement">
-               <p>The organization incorporates simulated events into contingency training to
-                  facilitate effective response by personnel in crisis situations.</p>
-            </part>
-            <part id="cp-3.1_obj" name="objective">
-               <p>Determine if the organization incorporates simulated events into contingency
-                  training to facilitate effective response by personnel in crisis situations.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency training</p>
-                  <p>contingency plan</p>
-                  <p>contingency training curriculum</p>
-                  <p>contingency training material</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning, plan implementation, and
-                     training responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency training</p>
-                  <p>automated mechanisms for simulating contingency events</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-3.2">
-            <title>Automated Training Environments</title>
-            <prop name="label">CP-3(2)</prop>
-            <prop name="sort-id">cp-03.02</prop>
-            <part id="cp-3.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to provide a more thorough and
-                  realistic contingency training environment.</p>
-            </part>
-            <part id="cp-3.2_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to provide a more
-                  thorough and realistic contingency training environment.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency training</p>
-                  <p>contingency plan</p>
-                  <p>contingency training curriculum</p>
-                  <p>contingency training material</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning, plan implementation, and
-                     training responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency training</p>
-                  <p>automated mechanisms for providing contingency training environments</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-4">
-         <title>Contingency Plan Testing</title>
-         <param id="cp-4_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-4_prm_2">
-            <label>organization-defined tests</label>
-         </param>
-         <prop name="label">CP-4</prop>
-         <prop name="sort-id">cp-04</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf" rel="reference">NIST Special Publication 800-84</link>
-         <part id="cp-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Tests the contingency plan for the information system <insert param-id="cp-4_prm_1"/> using <insert param-id="cp-4_prm_2"/> to determine the
-                  effectiveness of the plan and the organizational readiness to execute the
-                  plan;</p>
-            </part>
-            <part id="cp-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Initiates corrective actions, if needed.</p>
-            </part>
-         </part>
-         <part id="cp-4_gdn" name="guidance">
-            <p>Methods for testing contingency plans to determine the effectiveness of the plans and
-               to identify potential weaknesses in the plans include, for example, walk-through and
-               tabletop exercises, checklists, simulations (parallel, full interrupt), and
-               comprehensive exercises. Organizations conduct testing based on the continuity
-               requirements in contingency plans and include a determination of the effects on
-               organizational operations, assets, and individuals arising due to contingency
-               operations. Organizations have flexibility and discretion in the breadth, depth, and
-               timelines of corrective actions.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-         </part>
-         <part id="cp-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-4.a_obj" name="objective">
-               <prop name="label">CP-4(a)</prop>
-               <part id="cp-4.a_obj.1" name="objective">
-                  <prop name="label">CP-4(a)[1]</prop>
-                  <p>defines tests to determine the effectiveness of the contingency plan and the
-                     organizational readiness to execute the plan;</p>
-               </part>
-               <part id="cp-4.a_obj.2" name="objective">
-                  <prop name="label">CP-4(a)[2]</prop>
-                  <p>defines a frequency to test the contingency plan for the information
-                     system;</p>
-               </part>
-               <part id="cp-4.a_obj.3" name="objective">
-                  <prop name="label">CP-4(a)[3]</prop>
-                  <p>tests the contingency plan for the information system with the
-                     organization-defined frequency, using organization-defined tests to determine
-                     the effectiveness of the plan and the organizational readiness to execute the
-                     plan;</p>
-               </part>
-            </part>
-            <part id="cp-4.b_obj" name="objective">
-               <prop name="label">CP-4(b)</prop>
-               <p>reviews the contingency plan test results; and</p>
-            </part>
-            <part id="cp-4.c_obj" name="objective">
-               <prop name="label">CP-4(c)</prop>
-               <p>initiates corrective actions, if needed.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing contingency plan testing</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>contingency plan test documentation</p>
-               <p>contingency plan test results</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for contingency plan testing,
-                  reviewing or responding to contingency plan tests</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for contingency plan testing</p>
-               <p>automated mechanisms supporting the contingency plan and/or contingency plan
-                  testing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-4.1">
-            <title>Coordinate with Related Plans</title>
-            <prop name="label">CP-4(1)</prop>
-            <prop name="sort-id">cp-04.01</prop>
-            <part id="cp-4.1_smt" name="statement">
-               <p>The organization coordinates contingency plan testing with organizational elements
-                  responsible for related plans.</p>
-            </part>
-            <part id="cp-4.1_gdn" name="guidance">
-               <p>Plans related to contingency plans for organizational information systems include,
-                  for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of
-                  Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  Cyber Incident Response Plans, and Occupant Emergency Plans. This control
-                  enhancement does not require organizations to create organizational elements to
-                  handle related plans or to align such elements with specific plans. It does
-                  require, however, that if such organizational elements are responsible for related
-                  plans, organizations should coordinate with those elements.</p>
-               <link rel="related" href="#ir-8">IR-8</link>
-               <link rel="related" href="#pm-8">PM-8</link>
-            </part>
-            <part id="cp-4.1_obj" name="objective">
-               <p>Determine if the organization coordinates contingency plan testing with
-                  organizational elements responsible for related plans. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>incident response policy</p>
-                  <p>procedures addressing contingency plan testing</p>
-                  <p>contingency plan testing documentation</p>
-                  <p>contingency plan</p>
-                  <p>business continuity plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>cyber incident response plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan testing responsibilities</p>
-                  <p>organizational personnel</p>
-                  <p>personnel with responsibilities for related plans</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-4.2">
-            <title>Alternate Processing Site</title>
-            <prop name="label">CP-4(2)</prop>
-            <prop name="sort-id">cp-04.02</prop>
-            <part id="cp-4.2_smt" name="statement">
-               <p>The organization tests the contingency plan at the alternate processing site:</p>
-               <part id="cp-4.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>To familiarize contingency personnel with the facility and available resources;
-                     and</p>
-               </part>
-               <part id="cp-4.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>To evaluate the capabilities of the alternate processing site to support
-                     contingency operations.</p>
-               </part>
-            </part>
-            <part id="cp-4.2_gdn" name="guidance">
-               <link rel="related" href="#cp-7">CP-7</link>
-            </part>
-            <part id="cp-4.2_obj" name="objective">
-               <p>Determine if the organization tests the contingency plan at the alternate
-                  processing site to:</p>
-               <part id="cp-4.2.a_obj" name="objective">
-                  <prop name="label">CP-4(2)(a)</prop>
-                  <p>familiarize contingency personnel with the facility and available resources;
-                     and</p>
-                  <link rel="corresp" href="#cp-4.2_smt.a">CP-4(2)(a)</link>
-               </part>
-               <part id="cp-4.2.b_obj" name="objective">
-                  <prop name="label">CP-4(2)(b)</prop>
-                  <p>evaluate the capabilities of the alternate processing site to support
-                     contingency operations.</p>
-                  <link rel="corresp" href="#cp-4.2_smt.b">CP-4(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency plan testing</p>
-                  <p>contingency plan</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>alternate processing site agreements</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency plan testing</p>
-                  <p>automated mechanisms supporting the contingency plan and/or contingency plan
-                     testing</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-4.3">
-            <title>Automated Testing</title>
-            <prop name="label">CP-4(3)</prop>
-            <prop name="sort-id">cp-04.03</prop>
-            <part id="cp-4.3_smt" name="statement">
-               <p>The organization employs automated mechanisms to more thoroughly and effectively
-                  test the contingency plan.</p>
-            </part>
-            <part id="cp-4.3_gdn" name="guidance">
-               <p>Automated mechanisms provide more thorough and effective testing of contingency
-                  plans, for example: (i) by providing more complete coverage of contingency issues;
-                  (ii) by selecting more realistic test scenarios and environments; and (iii) by
-                  effectively stressing the information system and supported missions.</p>
-            </part>
-            <part id="cp-4.3_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to more thoroughly and
-                  effectively test the contingency plan. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing contingency plan testing</p>
-                  <p>contingency plan</p>
-                  <p>automated mechanisms supporting contingency plan testing</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan testing responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency plan testing</p>
-                  <p>automated mechanisms supporting contingency plan testing</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-4.4">
-            <title>Full Recovery / Reconstitution</title>
-            <prop name="label">CP-4(4)</prop>
-            <prop name="sort-id">cp-04.04</prop>
-            <part id="cp-4.4_smt" name="statement">
-               <p>The organization includes a full recovery and reconstitution of the information
-                  system to a known state as part of contingency plan testing.</p>
-            </part>
-            <part id="cp-4.4_gdn" name="guidance">
-               <link rel="related" href="#cp-10">CP-10</link>
-               <link rel="related" href="#sc-24">SC-24</link>
-            </part>
-            <part id="cp-4.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-4.4_obj.1" name="objective">
-                  <prop name="label">CP-4(4)[1]</prop>
-                  <p>includes a full recovery of the information system to a known state as part of
-                     contingency plan testing; and</p>
-               </part>
-               <part id="cp-4.4_obj.2" name="objective">
-                  <prop name="label">CP-4(4)[2]</prop>
-                  <p>includes a full reconstitution of the information system to a known state as
-                     part of contingency plan testing.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system recovery and reconstitution</p>
-                  <p>contingency plan</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan testing responsibilities</p>
-                  <p>organizational personnel with information system recovery and reconstitution
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency plan testing</p>
-                  <p>automated mechanisms supporting contingency plan testing</p>
-                  <p>automated mechanisms supporting recovery and reconstitution of the information
-                     system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-5">
-         <title>Contingency Plan Update</title>
-         <prop name="label">CP-5</prop>
-         <prop name="sort-id">cp-05</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#cp-2">CP-2</link>
-      </control>
-      <control class="SP800-53" id="cp-6">
-         <title>Alternate Storage Site</title>
-         <prop name="label">CP-6</prop>
-         <prop name="sort-id">cp-06</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes an alternate storage site including necessary agreements to permit the
-                  storage and retrieval of information system backup information; and</p>
-            </part>
-            <part id="cp-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the alternate storage site provides information security safeguards
-                  equivalent to that of the primary site.</p>
-            </part>
-         </part>
-         <part id="cp-6_gdn" name="guidance">
-            <p>Alternate storage sites are sites that are geographically distinct from primary
-               storage sites. An alternate storage site maintains duplicate copies of information
-               and data in the event that the primary storage site is not available. Items covered
-               by alternate storage site agreements include, for example, environmental conditions
-               at alternate sites, access rules, physical and environmental protection requirements,
-               and coordination of delivery/retrieval of backup media. Alternate storage sites
-               reflect the requirements in contingency plans so that organizations can maintain
-               essential missions/business functions despite disruption, compromise, or failure in
-               organizational information systems.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-         </part>
-         <part id="cp-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-6_obj.1" name="objective">
-               <prop name="label">CP-6[1]</prop>
-               <p>establishes an alternate storage site including necessary agreements to permit the
-                  storage and retrieval of information system backup information; and</p>
-            </part>
-            <part id="cp-6_obj.2" name="objective">
-               <prop name="label">CP-6[2]</prop>
-               <p>ensures that the alternate storage site provides information security safeguards
-                  equivalent to that of the primary site.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate storage sites</p>
-               <p>contingency plan</p>
-               <p>alternate storage site agreements</p>
-               <p>primary storage site agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency plan alternate storage site
-                  responsibilities</p>
-               <p>organizational personnel with information system recovery responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing and retrieving information system backup
-                  information at the alternate storage site</p>
-               <p>automated mechanisms supporting and/or implementing storage and retrieval of
-                  information system backup information at the alternate storage site</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-6.1">
-            <title>Separation from Primary Site</title>
-            <prop name="label">CP-6(1)</prop>
-            <prop name="sort-id">cp-06.01</prop>
-            <part id="cp-6.1_smt" name="statement">
-               <p>The organization identifies an alternate storage site that is separated from the
-                  primary storage site to reduce susceptibility to the same threats.</p>
-            </part>
-            <part id="cp-6.1_gdn" name="guidance">
-               <p>Threats that affect alternate storage sites are typically defined in
-                  organizational assessments of risk and include, for example, natural disasters,
-                  structural failures, hostile cyber attacks, and errors of omission/commission.
-                  Organizations determine what is considered a sufficient degree of separation
-                  between primary and alternate storage sites based on the types of threats that are
-                  of concern. For one particular type of threat (i.e., hostile cyber attack), the
-                  degree of separation between sites is less relevant.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-6.1_obj" name="objective">
-               <p>Determine if the organization identifies an alternate storage site that is
-                  separated from the primary storage site to reduce susceptibility to the same
-                  threats. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate storage sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate storage site</p>
-                  <p>alternate storage site agreements</p>
-                  <p>primary storage site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate storage site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-6.2">
-            <title>Recovery Time / Point Objectives</title>
-            <prop name="label">CP-6(2)</prop>
-            <prop name="sort-id">cp-06.02</prop>
-            <part id="cp-6.2_smt" name="statement">
-               <p>The organization configures the alternate storage site to facilitate recovery
-                  operations in accordance with recovery time and recovery point objectives.</p>
-            </part>
-            <part id="cp-6.2_obj" name="objective">
-               <p>Determine if the organization configures the alternate storage site to facilitate
-                  recovery operations in accordance with recovery time objectives and recovery point
-                  objectives (as specified in the information system contingency plan).</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate storage sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate storage site</p>
-                  <p>alternate storage site agreements</p>
-                  <p>alternate storage site configurations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan testing responsibilities</p>
-                  <p>organizational personnel with responsibilities for testing related plans</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for contingency plan testing</p>
-                  <p>automated mechanisms supporting recovery time/point objectives</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-6.3">
-            <title>Accessibility</title>
-            <prop name="label">CP-6(3)</prop>
-            <prop name="sort-id">cp-06.03</prop>
-            <part id="cp-6.3_smt" name="statement">
-               <p>The organization identifies potential accessibility problems to the alternate
-                  storage site in the event of an area-wide disruption or disaster and outlines
-                  explicit mitigation actions.</p>
-            </part>
-            <part id="cp-6.3_gdn" name="guidance">
-               <p>Area-wide disruptions refer to those types of disruptions that are broad in
-                  geographic scope (e.g., hurricane, regional power outage) with such determinations
-                  made by organizations based on organizational assessments of risk. Explicit
-                  mitigation actions include, for example: (i) duplicating backup information at
-                  other alternate storage sites if access problems occur at originally designated
-                  alternate sites; or (ii) planning for physical access to retrieve backup
-                  information if electronic accessibility to the alternate site is disrupted.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-6.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-6.3_obj.1" name="objective">
-                  <prop name="label">CP-6(3)[1]</prop>
-                  <p>identifies potential accessibility problems to the alternate storage site in
-                     the event of an area-wide disruption or disaster; and</p>
-               </part>
-               <part id="cp-6.3_obj.2" name="objective">
-                  <prop name="label">CP-6(3)[2]</prop>
-                  <p>outlines explicit mitigation actions for such potential accessibility problems
-                     to the alternate storage site in the event of an area-wide disruption or
-                     disaster.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate storage sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate storage site</p>
-                  <p>list of potential accessibility problems to alternate storage site</p>
-                  <p>mitigation actions for accessibility problems to alternate storage site</p>
-                  <p>organizational risk assessments</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate storage site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-7">
-         <title>Alternate Processing Site</title>
-         <param id="cp-7_prm_1">
-            <label>organization-defined information system operations</label>
-         </param>
-         <param id="cp-7_prm_2">
-            <label>organization-defined time period consistent with recovery time and recovery point
-               objectives</label>
-         </param>
-         <prop name="label">CP-7</prop>
-         <prop name="sort-id">cp-07</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes an alternate processing site including necessary agreements to permit
-                  the transfer and resumption of <insert param-id="cp-7_prm_1"/> for essential
-                  missions/business functions within <insert param-id="cp-7_prm_2"/> when the
-                  primary processing capabilities are unavailable;</p>
-            </part>
-            <part id="cp-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that equipment and supplies required to transfer and resume operations are
-                  available at the alternate processing site or contracts are in place to support
-                  delivery to the site within the organization-defined time period for
-                  transfer/resumption; and</p>
-            </part>
-            <part id="cp-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that the alternate processing site provides information security
-                  safeguards equivalent to those of the primary site.</p>
-            </part>
-         </part>
-         <part id="cp-7_gdn" name="guidance">
-            <p>Alternate processing sites are sites that are geographically distinct from primary
-               processing sites. An alternate processing site provides processing capability in the
-               event that the primary processing site is not available. Items covered by alternate
-               processing site agreements include, for example, environmental conditions at
-               alternate sites, access rules, physical and environmental protection requirements,
-               and coordination for the transfer/assignment of personnel. Requirements are
-               specifically allocated to alternate processing sites that reflect the requirements in
-               contingency plans to maintain essential missions/business functions despite
-               disruption, compromise, or failure in organizational information systems.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ma-6">MA-6</link>
-         </part>
-         <part id="cp-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-7.a_obj" name="objective">
-               <prop name="label">CP-7(a)</prop>
-               <part id="cp-7.a_obj.1" name="objective">
-                  <prop name="label">CP-7(a)[1]</prop>
-                  <p>defines information system operations requiring an alternate processing site to
-                     be established to permit the transfer and resumption of such operations;</p>
-               </part>
-               <part id="cp-7.a_obj.2" name="objective">
-                  <prop name="label">CP-7(a)[2]</prop>
-                  <p>defines the time period consistent with recovery time objectives and recovery
-                     point objectives (as specified in the information system contingency plan) for
-                     transfer/resumption of organization-defined information system operations for
-                     essential missions/business functions;</p>
-               </part>
-               <part id="cp-7.a_obj.3" name="objective">
-                  <prop name="label">CP-7(a)[3]</prop>
-                  <p>establishes an alternate processing site including necessary agreements to
-                     permit the transfer and resumption of organization-defined information system
-                     operations for essential missions/business functions, within the
-                     organization-defined time period, when the primary processing capabilities are
-                     unavailable;</p>
-               </part>
-            </part>
-            <part id="cp-7.b_obj" name="objective">
-               <prop name="label">CP-7(b)</prop>
-               <part id="cp-7.b_obj.1" name="objective">
-                  <prop name="label">CP-7(b)[1]</prop>
-                  <p>ensures that equipment and supplies required to transfer and resume operations
-                     are available at the alternate processing site; or</p>
-               </part>
-               <part id="cp-7.b_obj.2" name="objective">
-                  <prop name="label">CP-7(b)[2]</prop>
-                  <p>ensures that contracts are in place to support delivery to the site within the
-                     organization-defined time period for transfer/resumption; and</p>
-               </part>
-            </part>
-            <part id="cp-7.c_obj" name="objective">
-               <prop name="label">CP-7(c)</prop>
-               <p>ensures that the alternate processing site provides information security
-                  safeguards equivalent to those of the primary site.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate processing sites</p>
-               <p>contingency plan</p>
-               <p>alternate processing site agreements</p>
-               <p>primary processing site agreements</p>
-               <p>spare equipment and supplies inventory at alternate processing site</p>
-               <p>equipment and supply contracts</p>
-               <p>service-level agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for contingency planning and/or
-                  alternate site arrangements</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for recovery at the alternate site</p>
-               <p>automated mechanisms supporting and/or implementing recovery at the alternate
-                  processing site</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-7.1">
-            <title>Separation from Primary Site</title>
-            <prop name="label">CP-7(1)</prop>
-            <prop name="sort-id">cp-07.01</prop>
-            <part id="cp-7.1_smt" name="statement">
-               <p>The organization identifies an alternate processing site that is separated from
-                  the primary processing site to reduce susceptibility to the same threats.</p>
-            </part>
-            <part id="cp-7.1_gdn" name="guidance">
-               <p>Threats that affect alternate processing sites are typically defined in
-                  organizational assessments of risk and include, for example, natural disasters,
-                  structural failures, hostile cyber attacks, and errors of omission/commission.
-                  Organizations determine what is considered a sufficient degree of separation
-                  between primary and alternate processing sites based on the types of threats that
-                  are of concern. For one particular type of threat (i.e., hostile cyber attack),
-                  the degree of separation between sites is less relevant.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-7.1_obj" name="objective">
-               <p>Determine if the organization identifies an alternate processing site that is
-                  separated from the primary storage site to reduce susceptibility to the same
-                  threats. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>primary processing site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.2">
-            <title>Accessibility</title>
-            <prop name="label">CP-7(2)</prop>
-            <prop name="sort-id">cp-07.02</prop>
-            <part id="cp-7.2_smt" name="statement">
-               <p>The organization identifies potential accessibility problems to the alternate
-                  processing site in the event of an area-wide disruption or disaster and outlines
-                  explicit mitigation actions.</p>
-            </part>
-            <part id="cp-7.2_gdn" name="guidance">
-               <p>Area-wide disruptions refer to those types of disruptions that are broad in
-                  geographic scope (e.g., hurricane, regional power outage) with such determinations
-                  made by organizations based on organizational assessments of risk.</p>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="cp-7.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-7.2_obj.1" name="objective">
-                  <prop name="label">CP-7(2)[1]</prop>
-                  <p>identifies potential accessibility problems to the alternate processing site in
-                     the event of an area-wide disruption or disaster; and</p>
-               </part>
-               <part id="cp-7.2_obj.2" name="objective">
-                  <prop name="label">CP-7(2)[2]</prop>
-                  <p>outlines explicit mitigation actions for such potential accessibility problems
-                     to the alternate processing site in the event of an area-wide disruption or
-                     disaster.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>primary processing site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.3">
-            <title>Priority of Service</title>
-            <prop name="label">CP-7(3)</prop>
-            <prop name="sort-id">cp-07.03</prop>
-            <part id="cp-7.3_smt" name="statement">
-               <p>The organization develops alternate processing site agreements that contain
-                  priority-of-service provisions in accordance with organizational availability
-                  requirements (including recovery time objectives).</p>
-            </part>
-            <part id="cp-7.3_gdn" name="guidance">
-               <p>Priority-of-service agreements refer to negotiated agreements with service
-                  providers that ensure that organizations receive priority treatment consistent
-                  with their availability requirements and the availability of information resources
-                  at the alternate processing site.</p>
-            </part>
-            <part id="cp-7.3_obj" name="objective">
-               <p>Determine if the organization develops alternate processing site agreements that
-                  contain priority-of-service provisions in accordance with organizational
-                  availability requirements (including recovery time objectives as specified in the
-                  information system contingency plan).</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site agreements</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for acquisitions/contractual
-                     agreements</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.4">
-            <title>Preparation for Use</title>
-            <prop name="label">CP-7(4)</prop>
-            <prop name="sort-id">cp-07.04</prop>
-            <part id="cp-7.4_smt" name="statement">
-               <p>The organization prepares the alternate processing site so that the site is ready
-                  to be used as the operational site supporting essential missions and business
-                  functions.</p>
-            </part>
-            <part id="cp-7.4_gdn" name="guidance">
-               <p>Site preparation includes, for example, establishing configuration settings for
-                  information system components at the alternate processing site consistent with the
-                  requirements for such settings at the primary site and ensuring that essential
-                  supplies and other logistical considerations are in place.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-6">CM-6</link>
-            </part>
-            <part id="cp-7.4_obj" name="objective">
-               <p>Determine if the organization prepares the alternate processing site so that the
-                  site is ready to be used as the operational site supporting essential missions and
-                  business functions.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>alternate processing site configurations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan alternate processing site
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing recovery at the alternate
-                     processing site</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.5">
-            <title>Equivalent Information Security Safeguards</title>
-            <prop name="label">CP-7(5)</prop>
-            <prop name="sort-id">cp-07.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cp-7">CP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.6">
-            <title>Inability to Return to Primary Site</title>
-            <prop name="label">CP-7(6)</prop>
-            <prop name="sort-id">cp-07.06</prop>
-            <part id="cp-7.6_smt" name="statement">
-               <p>The organization plans and prepares for circumstances that preclude returning to
-                  the primary processing site.</p>
-            </part>
-            <part id="cp-7.6_obj" name="objective">
-               <p>Determine if the organization plans and prepares for circumstances that preclude
-                  returning to the primary processing site.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate processing sites</p>
-                  <p>contingency plan</p>
-                  <p>alternate processing site</p>
-                  <p>alternate processing site agreements</p>
-                  <p>alternate processing site configurations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system reconstitution
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-8">
-         <title>Telecommunications Services</title>
-         <param id="cp-8_prm_1">
-            <label>organization-defined information system operations</label>
-         </param>
-         <param id="cp-8_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">CP-8</prop>
-         <prop name="sort-id">cp-08</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <link href="#fb5844de-ff96-47c0-b258-4f52bcc2f30d" rel="reference">National Communications Systems Directive 3-10</link>
-         <link href="#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604" rel="reference">http://www.dhs.gov/telecommunications-service-priority-tsp</link>
-         <part id="cp-8_smt" name="statement">
-            <p>The organization establishes alternate telecommunications services including
-               necessary agreements to permit the resumption of <insert param-id="cp-8_prm_1"/> for
-               essential missions and business functions within <insert param-id="cp-8_prm_2"/> when
-               the primary telecommunications capabilities are unavailable at either the primary or
-               alternate processing or storage sites.</p>
-         </part>
-         <part id="cp-8_gdn" name="guidance">
-            <p>This control applies to telecommunications services (data and voice) for primary and
-               alternate processing and storage sites. Alternate telecommunications services reflect
-               the continuity requirements in contingency plans to maintain essential
-               missions/business functions despite the loss of primary telecommunications services.
-               Organizations may specify different time periods for primary/alternate sites.
-               Alternate telecommunications services include, for example, additional organizational
-               or commercial ground-based circuits/lines or satellites in lieu of ground-based
-               communications. Organizations consider factors such as availability, quality of
-               service, and access when entering into alternate telecommunications agreements.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="cp-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-8_obj.1" name="objective">
-               <prop name="label">CP-8[1]</prop>
-               <p>defines information system operations requiring alternate telecommunications
-                  services to be established to permit the resumption of such operations;</p>
-            </part>
-            <part id="cp-8_obj.2" name="objective">
-               <prop name="label">CP-8[2]</prop>
-               <p>defines the time period to permit resumption of organization-defined information
-                  system operations for essential missions and business functions; and</p>
-            </part>
-            <part id="cp-8_obj.3" name="objective">
-               <prop name="label">CP-8[3]</prop>
-               <p>establishes alternate telecommunications services including necessary agreements
-                  to permit the resumption of organization-defined information system operations for
-                  essential missions and business functions, within the organization-defined time
-                  period, when the primary telecommunications capabilities are unavailable at either
-                  the primary or alternate processing or storage sites.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate telecommunications services</p>
-               <p>contingency plan</p>
-               <p>primary and alternate telecommunications service agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency plan telecommunications
-                  responsibilities</p>
-               <p>organizational personnel with information system recovery responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for acquisitions/contractual
-                  agreements</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting telecommunications</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-8.1">
-            <title>Priority of Service Provisions</title>
-            <prop name="label">CP-8(1)</prop>
-            <prop name="sort-id">cp-08.01</prop>
-            <part id="cp-8.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cp-8.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Develops primary and alternate telecommunications service agreements that
-                     contain priority-of-service provisions in accordance with organizational
-                     availability requirements (including recovery time objectives); and</p>
-               </part>
-               <part id="cp-8.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Requests Telecommunications Service Priority for all telecommunications
-                     services used for national security emergency preparedness in the event that
-                     the primary and/or alternate telecommunications services are provided by a
-                     common carrier.</p>
-               </part>
-            </part>
-            <part id="cp-8.1_gdn" name="guidance">
-               <p>Organizations consider the potential mission/business impact in situations where
-                  telecommunications service providers are servicing other organizations with
-                  similar priority-of-service provisions.</p>
-            </part>
-            <part id="cp-8.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-8.1_obj.1" name="objective">
-                  <prop name="label">CP-8(1)[1]</prop>
-                  <p>develops primary and alternate telecommunications service agreements that
-                     contain priority-of-service provisions in accordance with organizational
-                     availability requirements (including recovery time objectives as specified in
-                     the information system contingency plan); and</p>
-               </part>
-               <part id="cp-8.1_obj.2" name="objective">
-                  <prop name="label">CP-8(1)[2]</prop>
-                  <p>requests Telecommunications Service Priority for all telecommunications
-                     services used for national security emergency preparedness in the event that
-                     the primary and/or alternate telecommunications services are provided by a
-                     common carrier.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>Telecommunications Service Priority documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan telecommunications
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for acquisitions/contractual
-                     agreements</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting telecommunications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.2">
-            <title>Single Points of Failure</title>
-            <prop name="label">CP-8(2)</prop>
-            <prop name="sort-id">cp-08.02</prop>
-            <part id="cp-8.2_smt" name="statement">
-               <p>The organization obtains alternate telecommunications services to reduce the
-                  likelihood of sharing a single point of failure with primary telecommunications
-                  services.</p>
-            </part>
-            <part id="cp-8.2_obj" name="objective">
-               <p>Determine if the organization obtains alternate telecommunications services to
-                  reduce the likelihood of sharing a single point of failure with primary
-                  telecommunications services. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan telecommunications
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>primary and alternate telecommunications service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.3">
-            <title>Separation of Primary / Alternate Providers</title>
-            <prop name="label">CP-8(3)</prop>
-            <prop name="sort-id">cp-08.03</prop>
-            <part id="cp-8.3_smt" name="statement">
-               <p>The organization obtains alternate telecommunications services from providers that
-                  are separated from primary service providers to reduce susceptibility to the same
-                  threats.</p>
-            </part>
-            <part id="cp-8.3_gdn" name="guidance">
-               <p>Threats that affect telecommunications services are typically defined in
-                  organizational assessments of risk and include, for example, natural disasters,
-                  structural failures, hostile cyber/physical attacks, and errors of
-                  omission/commission. Organizations seek to reduce common susceptibilities by, for
-                  example, minimizing shared infrastructure among telecommunications service
-                  providers and achieving sufficient geographic separation between services.
-                  Organizations may consider using a single service provider in situations where the
-                  service provider can provide alternate telecommunications services meeting the
-                  separation needs addressed in the risk assessment.</p>
-            </part>
-            <part id="cp-8.3_obj" name="objective">
-               <p>Determine if the organization obtains alternate telecommunications services from
-                  providers that are separated from primary service providers to reduce
-                  susceptibility to the same threats. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>alternate telecommunications service provider site</p>
-                  <p>primary telecommunications service provider site</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency plan telecommunications
-                     responsibilities</p>
-                  <p>organizational personnel with information system recovery responsibilities</p>
-                  <p>primary and alternate telecommunications service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.4">
-            <title>Provider Contingency Plan</title>
-            <param id="cp-8.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CP-8(4)</prop>
-            <prop name="sort-id">cp-08.04</prop>
-            <part id="cp-8.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="cp-8.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Requires primary and alternate telecommunications service providers to have
-                     contingency plans;</p>
-               </part>
-               <part id="cp-8.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reviews provider contingency plans to ensure that the plans meet organizational
-                     contingency requirements; and</p>
-               </part>
-               <part id="cp-8.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Obtains evidence of contingency testing/training by providers <insert param-id="cp-8.4_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="cp-8.4_gdn" name="guidance">
-               <p>Reviews of provider contingency plans consider the proprietary nature of such
-                  plans. In some situations, a summary of provider contingency plans may be
-                  sufficient evidence for organizations to satisfy the review requirement.
-                  Telecommunications service providers may also participate in ongoing disaster
-                  recovery exercises in coordination with the Department of Homeland Security,
-                  state, and local governments. Organizations may use these types of activities to
-                  satisfy evidentiary requirements related to service provider contingency plan
-                  reviews, testing, and training.</p>
-            </part>
-            <part id="cp-8.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-8.4.a_obj" name="objective">
-                  <prop name="label">CP-8(4)(a)</prop>
-                  <part id="cp-8.4.a_obj.1" name="objective">
-                     <prop name="label">CP-8(4)(a)[1]</prop>
-                     <p>requires primary telecommunications service provider to have contingency
-                        plans;</p>
-                  </part>
-                  <part id="cp-8.4.a_obj.2" name="objective">
-                     <prop name="label">CP-8(4)(a)[2]</prop>
-                     <p>requires alternate telecommunications service provider(s) to have
-                        contingency plans;</p>
-                  </part>
-                  <link rel="corresp" href="#cp-8.4_smt.a">CP-8(4)(a)</link>
-               </part>
-               <part id="cp-8.4.b_obj" name="objective">
-                  <prop name="label">CP-8(4)(b)</prop>
-                  <p>reviews provider contingency plans to ensure that the plans meet organizational
-                     contingency requirements;</p>
-                  <link rel="corresp" href="#cp-8.4_smt.b">CP-8(4)(b)</link>
-               </part>
-               <part id="cp-8.4.c_obj" name="objective">
-                  <prop name="label">CP-8(4)(c)</prop>
-                  <part id="cp-8.4.c_obj.1" name="objective">
-                     <prop name="label">CP-8(4)(c)[1]</prop>
-                     <p>defines the frequency to obtain evidence of contingency testing/training by
-                        providers; and</p>
-                  </part>
-                  <part id="cp-8.4.c_obj.2" name="objective">
-                     <prop name="label">CP-8(4)(c)[2]</prop>
-                     <p>obtains evidence of contingency testing/training by providers with the
-                        organization-defined frequency.</p>
-                  </part>
-                  <link rel="corresp" href="#cp-8.4_smt.c">CP-8(4)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing primary and alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>provider contingency plans</p>
-                  <p>evidence of contingency testing/training by providers</p>
-                  <p>primary and alternate telecommunications service agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning, plan implementation, and
-                     testing responsibilities</p>
-                  <p>primary and alternate telecommunications service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for acquisitions/contractual
-                     agreements</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.5">
-            <title>Alternate Telecommunication Service Testing</title>
-            <param id="cp-8.5_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CP-8(5)</prop>
-            <prop name="sort-id">cp-08.05</prop>
-            <part id="cp-8.5_smt" name="statement">
-               <p>The organization tests alternate telecommunication services <insert param-id="cp-8.5_prm_1"/>.</p>
-            </part>
-            <part id="cp-8.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-8.5_obj.1" name="objective">
-                  <prop name="label">CP-8(5)[1]</prop>
-                  <p>defines the frequency to test alternate telecommunication services; and</p>
-               </part>
-               <part id="cp-8.5_obj.2" name="objective">
-                  <prop name="label">CP-8(5)[2]</prop>
-                  <p>tests alternate telecommunication services with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing alternate telecommunications services</p>
-                  <p>contingency plan</p>
-                  <p>evidence of testing alternate telecommunications services</p>
-                  <p>alternate telecommunications service agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning, plan implementation, and
-                     testing responsibilities</p>
-                  <p>alternate telecommunications service providers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting testing alternate telecommunications
-                     services</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-9">
-         <title>Information System Backup</title>
-         <param id="cp-9_prm_1">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-         </param>
-         <param id="cp-9_prm_2">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-         </param>
-         <param id="cp-9_prm_3">
-            <label>organization-defined frequency consistent with recovery time and recovery point
-               objectives</label>
-         </param>
-         <prop name="label">CP-9</prop>
-         <prop name="sort-id">cp-09</prop>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="cp-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts backups of user-level information contained in the information system
-                     <insert param-id="cp-9_prm_1"/>;</p>
-            </part>
-            <part id="cp-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Conducts backups of system-level information contained in the information system
-                     <insert param-id="cp-9_prm_2"/>;</p>
-            </part>
-            <part id="cp-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts backups of information system documentation including security-related
-                  documentation <insert param-id="cp-9_prm_3"/>; and</p>
-            </part>
-            <part id="cp-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-         </part>
-         <part id="cp-9_gdn" name="guidance">
-            <p>System-level information includes, for example, system-state information, operating
-               system and application software, and licenses. User-level information includes any
-               information other than system-level information. Mechanisms employed by organizations
-               to protect the integrity of information system backups include, for example, digital
-               signatures and cryptographic hashes. Protection of system backup information while in
-               transit is beyond the scope of this control. Information system backups reflect the
-               requirements in contingency plans as well as other organizational requirements for
-               backing up information.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="cp-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="cp-9.a_obj" name="objective">
-               <prop name="label">CP-9(a)</prop>
-               <part id="cp-9.a_obj.1" name="objective">
-                  <prop name="label">CP-9(a)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of user-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.a_obj.2" name="objective">
-                  <prop name="label">CP-9(a)[2]</prop>
-                  <p>conducts backups of user-level information contained in the information system
-                     with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.b_obj" name="objective">
-               <prop name="label">CP-9(b)</prop>
-               <part id="cp-9.b_obj.1" name="objective">
-                  <prop name="label">CP-9(b)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of system-level information contained in the information
-                     system;</p>
-               </part>
-               <part id="cp-9.b_obj.2" name="objective">
-                  <prop name="label">CP-9(b)[2]</prop>
-                  <p>conducts backups of system-level information contained in the information
-                     system with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="cp-9.c_obj" name="objective">
-               <prop name="label">CP-9(c)</prop>
-               <part id="cp-9.c_obj.1" name="objective">
-                  <prop name="label">CP-9(c)[1]</prop>
-                  <p>defines a frequency, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     conduct backups of information system documentation including security-related
-                     documentation;</p>
-               </part>
-               <part id="cp-9.c_obj.2" name="objective">
-                  <prop name="label">CP-9(c)[2]</prop>
-                  <p>conducts backups of information system documentation, including
-                     security-related documentation, with the organization-defined frequency;
-                     and</p>
-               </part>
-            </part>
-            <part id="cp-9.d_obj" name="objective">
-               <prop name="label">CP-9(d)</prop>
-               <p>protects the confidentiality, integrity, and availability of backup information at
-                  storage locations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>backup storage location(s)</p>
-               <p>information system backup logs or records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system backup responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for conducting information system backups</p>
-               <p>automated mechanisms supporting and/or implementing information system backups</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-9.1">
-            <title>Testing for Reliability / Integrity</title>
-            <param id="cp-9.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CP-9(1)</prop>
-            <prop name="sort-id">cp-09.01</prop>
-            <part id="cp-9.1_smt" name="statement">
-               <p>The organization tests backup information <insert param-id="cp-9.1_prm_1"/> to
-                  verify media reliability and information integrity.</p>
-            </part>
-            <part id="cp-9.1_gdn" name="guidance">
-               <link rel="related" href="#cp-4">CP-4</link>
-            </part>
-            <part id="cp-9.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-9.1_obj.1" name="objective">
-                  <prop name="label">CP-9(1)[1]</prop>
-                  <p>defines the frequency to test backup information to verify media reliability
-                     and information integrity; and</p>
-               </part>
-               <part id="cp-9.1_obj.2" name="objective">
-                  <prop name="label">CP-9(1)[2]</prop>
-                  <p>tests backup information with the organization-defined frequency to verify
-                     media reliability and information integrity.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system backup test results</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting information system backups</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     backups</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.2">
-            <title>Test Restoration Using Sampling</title>
-            <prop name="label">CP-9(2)</prop>
-            <prop name="sort-id">cp-09.02</prop>
-            <part id="cp-9.2_smt" name="statement">
-               <p>The organization uses a sample of backup information in the restoration of
-                  selected information system functions as part of contingency plan testing.</p>
-            </part>
-            <part id="cp-9.2_gdn" name="guidance">
-               <link rel="related" href="#cp-4">CP-4</link>
-            </part>
-            <part id="cp-9.2_obj" name="objective">
-               <p>Determine if the organization uses a sample of backup information in the
-                  restoration of selected information system functions as part of contingency plan
-                  testing. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system backup test results</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with contingency planning/contingency plan testing
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting information system backups</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     backups</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.3">
-            <title>Separate Storage for Critical Information</title>
-            <param id="cp-9.3_prm_1">
-               <label>organization-defined critical information system software and other
-                  security-related information</label>
-            </param>
-            <prop name="label">CP-9(3)</prop>
-            <prop name="sort-id">cp-09.03</prop>
-            <part id="cp-9.3_smt" name="statement">
-               <p>The organization stores backup copies of <insert param-id="cp-9.3_prm_1"/> in a
-                  separate facility or in a fire-rated container that is not collocated with the
-                  operational system.</p>
-            </part>
-            <part id="cp-9.3_gdn" name="guidance">
-               <p>Critical information system software includes, for example, operating systems,
-                  cryptographic key management systems, and intrusion detection/prevention systems.
-                  Security-related information includes, for example, organizational inventories of
-                  hardware, software, and firmware components. Alternate storage sites typically
-                  serve as separate storage facilities for organizations.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-8">CM-8</link>
-            </part>
-            <part id="cp-9.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-9.3_obj.1" name="objective">
-                  <prop name="label">CP-9(3)[1]</prop>
-                  <part id="cp-9.3_obj.1.a" name="objective">
-                     <prop name="label">CP-9(3)[1][a]</prop>
-                     <p>defines critical information system software and other security-related
-                        information requiring backup copies to be stored in a separate facility;
-                        or</p>
-                  </part>
-                  <part id="cp-9.3_obj.1.b" name="objective">
-                     <prop name="label">CP-9(3)[1][b]</prop>
-                     <p>defines critical information system software and other security-related
-                        information requiring backup copies to be stored in a fire-rated container
-                        that is not collocated with the operational system; and</p>
-                  </part>
-               </part>
-               <part id="cp-9.3_obj.2" name="objective">
-                  <prop name="label">CP-9(3)[2]</prop>
-                  <p>stores backup copies of organization-defined critical information system
-                     software and other security-related information in a separate facility or in a
-                     fire-rated container that is not collocated with the operational system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>backup storage location(s)</p>
-                  <p>information system backup configurations and associated documentation</p>
-                  <p>information system backup logs or records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with contingency planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.4">
-            <title>Protection from Unauthorized Modification</title>
-            <prop name="label">CP-9(4)</prop>
-            <prop name="sort-id">cp-09.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cp-9">CP-9</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.5">
-            <title>Transfer to Alternate Storage Site</title>
-            <param id="cp-9.5_prm_1">
-               <label>organization-defined time period and transfer rate consistent with the
-                  recovery time and recovery point objectives</label>
-            </param>
-            <prop name="label">CP-9(5)</prop>
-            <prop name="sort-id">cp-09.05</prop>
-            <part id="cp-9.5_smt" name="statement">
-               <p>The organization transfers information system backup information to the alternate
-                  storage site <insert param-id="cp-9.5_prm_1"/>.</p>
-            </part>
-            <part id="cp-9.5_gdn" name="guidance">
-               <p>Information system backup information can be transferred to alternate storage
-                  sites either electronically or by physical shipment of storage media.</p>
-            </part>
-            <part id="cp-9.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-9.5_obj.1" name="objective">
-                  <prop name="label">CP-9(5)[1]</prop>
-                  <p>defines a time period, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     transfer information system backup information to the alternate storage
-                     site;</p>
-               </part>
-               <part id="cp-9.5_obj.2" name="objective">
-                  <prop name="label">CP-9(5)[2]</prop>
-                  <p>defines a transfer rate, consistent with recovery time objectives and recovery
-                     point objectives as specified in the information system contingency plan, to
-                     transfer information system backup information to the alternate storage site;
-                     and</p>
-               </part>
-               <part id="cp-9.5_obj.3" name="objective">
-                  <prop name="label">CP-9(5)[3]</prop>
-                  <p>transfers information system backup information to the alternate storage site
-                     with the organization-defined time period and transfer rate.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system backup logs or records</p>
-                  <p>evidence of system backup information transferred to alternate storage site</p>
-                  <p>alternate storage site agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for transferring information system backups to the
-                     alternate storage site</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     backups</p>
-                  <p>automated mechanisms supporting and/or implementing information transfer to the
-                     alternate storage site</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.6">
-            <title>Redundant Secondary System</title>
-            <prop name="label">CP-9(6)</prop>
-            <prop name="sort-id">cp-09.06</prop>
-            <part id="cp-9.6_smt" name="statement">
-               <p>The organization accomplishes information system backup by maintaining a redundant
-                  secondary system that is not collocated with the primary system and that can be
-                  activated without loss of information or disruption to operations.</p>
-            </part>
-            <part id="cp-9.6_gdn" name="guidance">
-               <link rel="related" href="#cp-7">CP-7</link>
-               <link rel="related" href="#cp-10">CP-10</link>
-            </part>
-            <part id="cp-9.6_obj" name="objective">
-               <p>Determine if the organization accomplishes information system backup by
-                  maintaining a redundant secondary system that: </p>
-               <part id="cp-9.6_obj.1" name="objective">
-                  <prop name="label">CP-9(6)[1]</prop>
-                  <p>is not collocated with the primary system; and</p>
-               </part>
-               <part id="cp-9.6_obj.2" name="objective">
-                  <prop name="label">CP-9(6)[2]</prop>
-                  <p>can be activated without loss of information or disruption to operations.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system backup test results</p>
-                  <p>contingency plan test results</p>
-                  <p>contingency plan test documentation</p>
-                  <p>redundant secondary system for information system backups</p>
-                  <p>location(s) of redundant secondary backup system(s)</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for the redundant secondary
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining redundant secondary systems</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     backups</p>
-                  <p>automated mechanisms supporting and/or implementing information transfer to a
-                     redundant secondary system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.7">
-            <title>Dual Authorization</title>
-            <param id="cp-9.7_prm_1">
-               <label>organization-defined backup information</label>
-            </param>
-            <prop name="label">CP-9(7)</prop>
-            <prop name="sort-id">cp-09.07</prop>
-            <part id="cp-9.7_smt" name="statement">
-               <p>The organization enforces dual authorization for the deletion or destruction of
-                     <insert param-id="cp-9.7_prm_1"/>.</p>
-            </part>
-            <part id="cp-9.7_gdn" name="guidance">
-               <p>Dual authorization ensures that the deletion or destruction of backup information
-                  cannot occur unless two qualified individuals carry out the task. Individuals
-                  deleting/destroying backup information possess sufficient skills/expertise to
-                  determine if the proposed deletion/destruction of backup information reflects
-                  organizational policies and procedures. Dual authorization may also be known as
-                  two-person control.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#mp-2">MP-2</link>
-            </part>
-            <part id="cp-9.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="cp-9.7_obj.1" name="objective">
-                  <prop name="label">CP-9(7)[1]</prop>
-                  <p>defines backup information that requires dual authorization to be enforced for
-                     the deletion or destruction of such information; and</p>
-               </part>
-               <part id="cp-9.7_obj.2" name="objective">
-                  <prop name="label">CP-9(7)[2]</prop>
-                  <p>enforces dual authorization for the deletion or destruction of
-                     organization-defined backup information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system backup</p>
-                  <p>contingency plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>system generated list of dual authorization credentials or rules</p>
-                  <p>logs or records of deletion or destruction of backup information</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system backup responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing dual authorization</p>
-                  <p>automated mechanisms supporting and/or implementing deletion/destruction of
-                     backup information</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-10">
-         <title>Information System Recovery and Reconstitution</title>
-         <prop name="label">CP-10</prop>
-         <prop name="sort-id">cp-10</prop>
-         <link href="#023104bc-6f75-4cd5-b7d0-fc92326f8007" rel="reference">Federal Continuity Directive 1</link>
-         <link href="#748a81b9-9cad-463f-abde-8b368167e70d" rel="reference">NIST Special Publication 800-34</link>
-         <part id="cp-10_smt" name="statement">
-            <p>The organization provides for the recovery and reconstitution of the information
-               system to a known state after a disruption, compromise, or failure.</p>
-         </part>
-         <part id="cp-10_gdn" name="guidance">
-            <p>Recovery is executing information system contingency plan activities to restore
-               organizational missions/business functions. Reconstitution takes place following
-               recovery and includes activities for returning organizational information systems to
-               fully operational states. Recovery and reconstitution operations reflect mission and
-               business priorities, recovery point/time and reconstitution objectives, and
-               established organizational metrics consistent with contingency plan requirements.
-               Reconstitution includes the deactivation of any interim information system
-               capabilities that may have been needed during recovery operations. Reconstitution
-               also includes assessments of fully restored information system capabilities,
-               reestablishment of continuous monitoring activities, potential information system
-               reauthorizations, and activities to prepare the systems against future disruptions,
-               compromises, or failures. Recovery/reconstitution capabilities employed by
-               organizations can include both automated mechanisms and manual procedures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="cp-10_obj" name="objective">
-            <p>Determine if the organization provides for: </p>
-            <part id="cp-10_obj.1" name="objective">
-               <prop name="label">CP-10[1]</prop>
-               <p>the recovery of the information system to a known state after:</p>
-               <part id="cp-10_obj.1.a" name="objective">
-                  <prop name="label">CP-10[1][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.1.b" name="objective">
-                  <prop name="label">CP-10[1][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.1.c" name="objective">
-                  <prop name="label">CP-10[1][c]</prop>
-                  <p>a failure;</p>
-               </part>
-            </part>
-            <part id="cp-10_obj.2" name="objective">
-               <prop name="label">CP-10[2]</prop>
-               <p>the reconstitution of the information system to a known state after:</p>
-               <part id="cp-10_obj.2.a" name="objective">
-                  <prop name="label">CP-10[2][a]</prop>
-                  <p>a disruption;</p>
-               </part>
-               <part id="cp-10_obj.2.b" name="objective">
-                  <prop name="label">CP-10[2][b]</prop>
-                  <p>a compromise; or</p>
-               </part>
-               <part id="cp-10_obj.2.c" name="objective">
-                  <prop name="label">CP-10[2][c]</prop>
-                  <p>a failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing information system backup</p>
-               <p>contingency plan</p>
-               <p>information system backup test results</p>
-               <p>contingency plan test results</p>
-               <p>contingency plan test documentation</p>
-               <p>redundant secondary system for information system backups</p>
-               <p>location(s) of redundant secondary backup system(s)</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning, recovery, and/or
-                  reconstitution responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes implementing information system recovery and
-                  reconstitution operations</p>
-               <p>automated mechanisms supporting and/or implementing information system recovery
-                  and reconstitution operations</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-10.1">
-            <title>Contingency Plan Testing</title>
-            <prop name="label">CP-10(1)</prop>
-            <prop name="sort-id">cp-10.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cp-4">CP-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.2">
-            <title>Transaction Recovery</title>
-            <prop name="label">CP-10(2)</prop>
-            <prop name="sort-id">cp-10.02</prop>
-            <part id="cp-10.2_smt" name="statement">
-               <p>The information system implements transaction recovery for systems that are
-                  transaction-based.</p>
-            </part>
-            <part id="cp-10.2_gdn" name="guidance">
-               <p>Transaction-based information systems include, for example, database management
-                  systems and transaction processing systems. Mechanisms supporting transaction
-                  recovery include, for example, transaction rollback and transaction
-                  journaling.</p>
-            </part>
-            <part id="cp-10.2_obj" name="objective">
-               <p>Determine if the information system implements transaction recovery for systems
-                  that are transaction-based. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system recovery and reconstitution</p>
-                  <p>contingency plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>information system transaction recovery records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for transaction recovery</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing transaction recovery
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.3">
-            <title>Compensating Security Controls</title>
-            <prop name="label">CP-10(3)</prop>
-            <prop name="sort-id">cp-10.03</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="https://doi.org/10.6028/NIST.SP.800-53r4">Chapter
-               3</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.4">
-            <title>Restore Within Time Period</title>
-            <param id="cp-10.4_prm_1">
-               <label>organization-defined restoration time-periods</label>
-            </param>
-            <prop name="label">CP-10(4)</prop>
-            <prop name="sort-id">cp-10.04</prop>
-            <part id="cp-10.4_smt" name="statement">
-               <p>The organization provides the capability to restore information system components
-                  within <insert param-id="cp-10.4_prm_1"/> from configuration-controlled and
-                  integrity-protected information representing a known, operational state for the
-                  components.</p>
-            </part>
-            <part id="cp-10.4_gdn" name="guidance">
-               <p>Restoration of information system components includes, for example, reimaging
-                  which restores components to known, operational states.</p>
-               <link rel="related" href="#cm-2">CM-2</link>
-            </part>
-            <part id="cp-10.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="cp-10.4_obj.1" name="objective">
-                  <prop name="label">CP-10(4)[1]</prop>
-                  <p>defines a time period to restore information system components from
-                     configuration-controlled and integrity-protected information representing a
-                     known, operational state for the components; and</p>
-               </part>
-               <part id="cp-10.4_obj.2" name="objective">
-                  <prop name="label">CP-10(4)[2]</prop>
-                  <p>provides the capability to restore information system components within the
-                     organization-defined time period from configuration-controlled and
-                     integrity-protected information representing a known, operational state for the
-                     components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system recovery and reconstitution</p>
-                  <p>contingency plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>contingency plan test documentation</p>
-                  <p>contingency plan test results</p>
-                  <p>evidence of information system recovery and reconstitution operations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system recovery and reconstitution
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing recovery/reconstitution of
-                     information system information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.5">
-            <title>Failover Capability</title>
-            <prop name="label">CP-10(5)</prop>
-            <prop name="sort-id">cp-10.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-13">SI-13</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.6">
-            <title>Component Protection</title>
-            <prop name="label">CP-10(6)</prop>
-            <prop name="sort-id">cp-10.06</prop>
-            <part id="cp-10.6_smt" name="statement">
-               <p>The organization protects backup and restoration hardware, firmware, and
-                  software.</p>
-            </part>
-            <part id="cp-10.6_gdn" name="guidance">
-               <p>Protection of backup and restoration hardware, firmware, and software components
-                  includes both physical and technical safeguards. Backup and restoration software
-                  includes, for example, router tables, compilers, and other security-relevant
-                  system software.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#ac-6">AC-6</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-            </part>
-            <part id="cp-10.6_obj" name="objective">
-               <p>Determine if the organization protects backup and restoration: </p>
-               <part id="cp-10.6_obj.1" name="objective">
-                  <prop name="label">CP-10(6)[1]</prop>
-                  <p>hardware;</p>
-               </part>
-               <part id="cp-10.6_obj.2" name="objective">
-                  <prop name="label">CP-10(6)[2]</prop>
-                  <p>firmware; and</p>
-               </part>
-               <part id="cp-10.6_obj.3" name="objective">
-                  <prop name="label">CP-10(6)[3]</prop>
-                  <p>software.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Contingency planning policy</p>
-                  <p>procedures addressing information system recovery and reconstitution</p>
-                  <p>contingency plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>logical access credentials</p>
-                  <p>physical access credentials</p>
-                  <p>logical access authorization records</p>
-                  <p>physical access authorization records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system recovery and reconstitution
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for protecting backup and restoration hardware,
-                     firmware, and software</p>
-                  <p>automated mechanisms supporting and/or implementing protection of backup and
-                     restoration hardware, firmware, and software</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-11">
-         <title>Alternate Communications Protocols</title>
-         <param id="cp-11_prm_1">
-            <label>organization-defined alternative communications protocols</label>
-         </param>
-         <prop name="label">CP-11</prop>
-         <prop name="sort-id">cp-11</prop>
-         <part id="cp-11_smt" name="statement">
-            <p>The information system provides the capability to employ <insert param-id="cp-11_prm_1"/> in support of maintaining continuity of operations.</p>
-         </part>
-         <part id="cp-11_gdn" name="guidance">
-            <p>Contingency plans and the associated training and testing for those plans,
-               incorporate an alternate communications protocol capability as part of increasing the
-               resilience of organizational information systems. Alternate communications protocols
-               include, for example, switching from Transmission Control Protocol/Internet Protocol
-               (TCP/IP) Version 4 to TCP/IP Version 6. Switching communications protocols may affect
-               software applications and therefore, the potential side effects of introducing
-               alternate communications protocols are analyzed prior to implementation.</p>
-         </part>
-         <part id="cp-11_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="cp-11_obj.1" name="objective">
-               <prop name="label">CP-11[1]</prop>
-               <p>the organization defines alternative communications protocols to be employed in
-                  support of maintaining continuity of operations; and</p>
-            </part>
-            <part id="cp-11_obj.2" name="objective">
-               <prop name="label">CP-11[2]</prop>
-               <p>the information system provides the capability to employ organization-defined
-                  alternative communications protocols in support of maintaining continuity of
-                  operations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternative communications protocols</p>
-               <p>contingency plan</p>
-               <p>continuity of operations plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of alternative communications protocols supporting continuity of
-                  operations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with contingency planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with continuity of operations planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms employing alternative communications protocols</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-12">
-         <title>Safe Mode</title>
-         <param id="cp-12_prm_1">
-            <label>organization-defined conditions</label>
-         </param>
-         <param id="cp-12_prm_2">
-            <label>organization-defined restrictions of safe mode of operation</label>
-         </param>
-         <prop name="label">CP-12</prop>
-         <prop name="sort-id">cp-12</prop>
-         <part id="cp-12_smt" name="statement">
-            <p>The information system, when <insert param-id="cp-12_prm_1"/> are detected, enters a
-               safe mode of operation with <insert param-id="cp-12_prm_2"/>.</p>
-         </part>
-         <part id="cp-12_gdn" name="guidance">
-            <p>For information systems supporting critical missions/business functions including,
-               for example, military operations and weapons systems, civilian space operations,
-               nuclear power plant operations, and air traffic control operations (especially
-               real-time operational environments), organizations may choose to identify certain
-               conditions under which those systems revert to a predefined safe mode of operation.
-               The safe mode of operation, which can be activated automatically or manually,
-               restricts the types of activities or operations information systems could execute
-               when those conditions are encountered. Restriction includes, for example, allowing
-               only certain functions that could be carried out under limited power or with reduced
-               communications bandwidth.</p>
-         </part>
-         <part id="cp-12_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="cp-12_obj.1" name="objective">
-               <prop name="label">CP-12[1]</prop>
-               <p>the organization defines conditions that, when detected, requires the information
-                  system to enter a safe mode of operation;</p>
-            </part>
-            <part id="cp-12_obj.2" name="objective">
-               <prop name="label">CP-12[2]</prop>
-               <p>the organization defines restrictions of safe mode of operation; and</p>
-            </part>
-            <part id="cp-12_obj.3" name="objective">
-               <prop name="label">CP-12[3]</prop>
-               <p>the information system, when organization-defined conditions are detected, enters
-                  a safe mode of operation with organization-defined restrictions of safe mode of
-                  operation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing safe mode of operation for the information system</p>
-               <p>contingency plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system administration manuals</p>
-               <p>information system operation manuals</p>
-               <p>information system installation manuals</p>
-               <p>contingency plan test records</p>
-               <p>incident handling records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing safe mode of operation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-13">
-         <title>Alternative Security Mechanisms</title>
-         <param id="cp-13_prm_1">
-            <label>organization-defined alternative or supplemental security mechanisms</label>
-         </param>
-         <param id="cp-13_prm_2">
-            <label>organization-defined security functions</label>
-         </param>
-         <prop name="label">CP-13</prop>
-         <prop name="sort-id">cp-13</prop>
-         <part id="cp-13_smt" name="statement">
-            <p>The organization employs <insert param-id="cp-13_prm_1"/> for satisfying <insert param-id="cp-13_prm_2"/> when the primary means of implementing the security
-               function is unavailable or compromised.</p>
-         </part>
-         <part id="cp-13_gdn" name="guidance">
-            <p>This control supports information system resiliency and contingency
-               planning/continuity of operations. To ensure mission/business continuity,
-               organizations can implement alternative or supplemental security mechanisms. These
-               mechanisms may be less effective than the primary mechanisms (e.g., not as easy to
-               use, not as scalable, or not as secure). However, having the capability to readily
-               employ these alternative/supplemental mechanisms enhances overall mission/business
-               continuity that might otherwise be adversely impacted if organizational operations
-               had to be curtailed until the primary means of implementing the functions was
-               restored. Given the cost and level of effort required to provide such alternative
-               capabilities, this control would typically be applied only to critical security
-               capabilities provided by information systems, system components, or information
-               system services. For example, an organization may issue to senior executives and
-               system administrators one-time pads in case multifactor tokens, the organization’s
-               standard means for secure remote authentication, is compromised.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-         </part>
-         <part id="cp-13_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="cp-13_obj.1" name="objective">
-               <prop name="label">CP-13[1]</prop>
-               <p>defines alternative or supplemental security mechanisms to be employed when the
-                  primary means of implementing the security function is unavailable or
-                  compromised;</p>
-            </part>
-            <part id="cp-13_obj.2" name="objective">
-               <prop name="label">CP-13[2]</prop>
-               <p>defines security functions to be satisfied using organization-defined alternative
-                  or supplemental security mechanisms when the primary means of implementing the
-                  security function is unavailable or compromised; and</p>
-            </part>
-            <part id="cp-13_obj.3" name="objective">
-               <prop name="label">CP-13[3]</prop>
-               <p>employs organization-defined alternative or supplemental security mechanisms
-                  satisfying organization-defined security functions when the primary means of
-                  implementing the security function is unavailable or compromised.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Contingency planning policy</p>
-               <p>procedures addressing alternate security mechanisms</p>
-               <p>contingency plan</p>
-               <p>continuity of operations plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>contingency plan test records</p>
-               <p>contingency plan test results</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Information system capability implementing alternative security mechanisms</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ia">
-      <title>Identification and Authentication</title>
-      <control class="SP800-53" id="ia-1">
-         <title>Identification and Authentication Policy and Procedures</title>
-         <param id="ia-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ia-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IA-1</prop>
-         <prop name="sort-id">ia-01</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ia-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ia-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ia-1_prm_1"/>:</p>
-               <part id="ia-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An identification and authentication policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="ia-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the identification and
-                     authentication policy and associated identification and authentication
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="ia-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ia-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Identification and authentication policy <insert param-id="ia-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="ia-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Identification and authentication procedures <insert param-id="ia-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ia-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ia-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ia-1.a_obj" name="objective">
-               <prop name="label">IA-1(a)</prop>
-               <part id="ia-1.a.1_obj" name="objective">
-                  <prop name="label">IA-1(a)(1)</prop>
-                  <part id="ia-1.a.1_obj.1" name="objective">
-                     <prop name="label">IA-1(a)(1)[1]</prop>
-                     <p>develops and documents an identification and authentication policy that
-                        addresses:</p>
-                     <part id="ia-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ia-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ia-1.a.1_obj.2" name="objective">
-                     <prop name="label">IA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the identification and authentication
-                        policy is to be disseminated; and</p>
-                  </part>
-                  <part id="ia-1.a.1_obj.3" name="objective">
-                     <prop name="label">IA-1(a)(1)[3]</prop>
-                     <p>disseminates the identification and authentication policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="ia-1.a.2_obj" name="objective">
-                  <prop name="label">IA-1(a)(2)</prop>
-                  <part id="ia-1.a.2_obj.1" name="objective">
-                     <prop name="label">IA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        identification and authentication policy and associated identification and
-                        authentication controls;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.2" name="objective">
-                     <prop name="label">IA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ia-1.a.2_obj.3" name="objective">
-                     <prop name="label">IA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-1.b_obj" name="objective">
-               <prop name="label">IA-1(b)</prop>
-               <part id="ia-1.b.1_obj" name="objective">
-                  <prop name="label">IA-1(b)(1)</prop>
-                  <part id="ia-1.b.1_obj.1" name="objective">
-                     <prop name="label">IA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication policy;</p>
-                  </part>
-                  <part id="ia-1.b.1_obj.2" name="objective">
-                     <prop name="label">IA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current identification and authentication policy
-                        with the organization-defined frequency; and</p>
-                  </part>
-               </part>
-               <part id="ia-1.b.2_obj" name="objective">
-                  <prop name="label">IA-1(b)(2)</prop>
-                  <part id="ia-1.b.2_obj.1" name="objective">
-                     <prop name="label">IA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current identification and
-                        authentication procedures; and</p>
-                  </part>
-                  <part id="ia-1.b.2_obj.2" name="objective">
-                     <prop name="label">IA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current identification and authentication procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identification and authentication
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-2">
-         <title>Identification and Authentication (organizational Users)</title>
-         <prop name="label">IA-2</prop>
-         <prop name="sort-id">ia-02</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#4da24a96-6cf8-435d-9d1f-c73247cad109" rel="reference">OMB Memorandum 06-16</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-2_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates organizational users (or
-               processes acting on behalf of organizational users).</p>
-         </part>
-         <part id="ia-2_gdn" name="guidance">
-            <p>Organizational users include employees or individuals that organizations deem to have
-               equivalent status of employees (e.g., contractors, guest researchers). This control
-               applies to all accesses other than: (i) accesses that are explicitly identified and
-               documented in AC-14; and (ii) accesses that occur through authorized use of group
-               authenticators without individual authentication. Organizations may require unique
-               identification of individuals in group accounts (e.g., shared privilege accounts) or
-               for detailed accountability of individual activity. Organizations employ passwords,
-               tokens, or biometrics to authenticate user identities, or in the case multifactor
-               authentication, or some combination thereof. Access to organizational information
-               systems is defined as either local access or network access. Local access is any
-               access to organizational information systems by users (or processes acting on behalf
-               of users) where such access is obtained by direct connections without the use of
-               networks. Network access is access to organizational information systems by users (or
-               processes acting on behalf of users) where such access is obtained through network
-               connections (i.e., nonlocal accesses). Remote access is a type of network access that
-               involves communication through external networks (e.g., the Internet). Internal
-               networks include local area networks and wide area networks. In addition, the use of
-               encrypted virtual private networks (VPNs) for network connections between
-               organization-controlled endpoints and non-organization controlled endpoints may be
-               treated as internal networks from the perspective of protecting the confidentiality
-               and integrity of information traversing the network. Organizations can satisfy the
-               identification and authentication requirements in this control by complying with the
-               requirements in Homeland Security Presidential Directive 12 consistent with the
-               specific organizational implementation plans. Multifactor authentication requires the
-               use of two or more different factors to achieve authentication. The factors are
-               defined as: (i) something you know (e.g., password, personal identification number
-               [PIN]); (ii) something you have (e.g., cryptographic identification device, token);
-               or (iii) something you are (e.g., biometric). Multifactor solutions that require
-               devices separate from information systems gaining access include, for example,
-               hardware tokens providing time-based or challenge-response authenticators and smart
-               cards such as the U.S. Government Personal Identity Verification card and the DoD
-               common access card. In addition to identifying and authenticating users at the
-               information system level (i.e., at logon), organizations also employ identification
-               and authentication mechanisms at the application level, when necessary, to provide
-               increased information security. Identification and authentication requirements for
-               other than organizational users are described in IA-8.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-         </part>
-         <part id="ia-2_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               organizational users (or processes acting on behalf of organizational users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for uniquely identifying and authenticating users</p>
-               <p>automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-2.1">
-            <title>Network Access to Privileged Accounts</title>
-            <prop name="label">IA-2(1)</prop>
-            <prop name="sort-id">ia-02.01</prop>
-            <part id="ia-2.1_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  privileged accounts.</p>
-            </part>
-            <part id="ia-2.1_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.1_obj" name="objective">
-               <p>Determine if the information system implements multifactor authentication for
-                  network access to privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.2">
-            <title>Network Access to Non-privileged Accounts</title>
-            <prop name="label">IA-2(2)</prop>
-            <prop name="sort-id">ia-02.02</prop>
-            <part id="ia-2.2_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  non-privileged accounts.</p>
-            </part>
-            <part id="ia-2.2_obj" name="objective">
-               <p>Determine if the information system implements multifactor authentication for
-                  network access to non-privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.3">
-            <title>Local Access to Privileged Accounts</title>
-            <prop name="label">IA-2(3)</prop>
-            <prop name="sort-id">ia-02.03</prop>
-            <part id="ia-2.3_smt" name="statement">
-               <p>The information system implements multifactor authentication for local access to
-                  privileged accounts.</p>
-            </part>
-            <part id="ia-2.3_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.3_obj" name="objective">
-               <p>Determine if the information system implements multifactor authentication for
-                  local access to privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.4">
-            <title>Local Access to Non-privileged Accounts</title>
-            <prop name="label">IA-2(4)</prop>
-            <prop name="sort-id">ia-02.04</prop>
-            <part id="ia-2.4_smt" name="statement">
-               <p>The information system implements multifactor authentication for local access to
-                  non-privileged accounts.</p>
-            </part>
-            <part id="ia-2.4_obj" name="objective">
-               <p>Determine if the information system implements multifactor authentication for
-                  local access to non-privileged accounts.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.5">
-            <title>Group Authentication</title>
-            <prop name="label">IA-2(5)</prop>
-            <prop name="sort-id">ia-02.05</prop>
-            <part id="ia-2.5_smt" name="statement">
-               <p>The organization requires individuals to be authenticated with an individual
-                  authenticator when a group authenticator is employed.</p>
-            </part>
-            <part id="ia-2.5_gdn" name="guidance">
-               <p>Requiring individuals to use individual authenticators as a second level of
-                  authentication helps organizations to mitigate the risk of using group
-                  authenticators.</p>
-            </part>
-            <part id="ia-2.5_obj" name="objective">
-               <p>Determine if the organization requires individuals to be authenticated with an
-                  individual authenticator when a group authenticator is employed.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authentication capability
-                     for group accounts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.6">
-            <title>Network Access to Privileged Accounts - Separate Device</title>
-            <param id="ia-2.6_prm_1">
-               <label>organization-defined strength of mechanism requirements</label>
-            </param>
-            <prop name="label">IA-2(6)</prop>
-            <prop name="sort-id">ia-02.06</prop>
-            <part id="ia-2.6_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  privileged accounts such that one of the factors is provided by a device separate
-                  from the system gaining access and the device meets <insert param-id="ia-2.6_prm_1"/>.</p>
-            </part>
-            <part id="ia-2.6_gdn" name="guidance">
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.6_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-2.6_obj.1" name="objective">
-                  <prop name="label">IA-2(6)[1]</prop>
-                  <p>the information system implements multifactor authentication for network access
-                     to privileged accounts such that one of the factors is provided by a device
-                     separate from the system gaining access;</p>
-               </part>
-               <part id="ia-2.6_obj.2" name="objective">
-                  <prop name="label">IA-2(6)[2]</prop>
-                  <p>the organization defines strength of mechanism requirements to be enforced by a
-                     device separate from the system gaining network access to privileged accounts;
-                     and</p>
-               </part>
-               <part id="ia-2.6_obj.3" name="objective">
-                  <prop name="label">IA-2(6)[3]</prop>
-                  <p>the information system implements multifactor authentication for network access
-                     to privileged accounts such that a device, separate from the system gaining
-                     access, meets organization-defined strength of mechanism requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.7">
-            <title>Network Access to Non-privileged Accounts - Separate Device</title>
-            <param id="ia-2.7_prm_1">
-               <label>organization-defined strength of mechanism requirements</label>
-            </param>
-            <prop name="label">IA-2(7)</prop>
-            <prop name="sort-id">ia-02.07</prop>
-            <part id="ia-2.7_smt" name="statement">
-               <p>The information system implements multifactor authentication for network access to
-                  non-privileged accounts such that one of the factors is provided by a device
-                  separate from the system gaining access and the device meets <insert param-id="ia-2.7_prm_1"/>.</p>
-            </part>
-            <part id="ia-2.7_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-2.7_obj.1" name="objective">
-                  <prop name="label">IA-2(7)[1]</prop>
-                  <p>the information system implements multifactor authentication for network access
-                     to non-privileged accounts such that one of the factors is provided by a device
-                     separate from the system gaining access;</p>
-               </part>
-               <part id="ia-2.7_obj.2" name="objective">
-                  <prop name="label">IA-2(7)[2]</prop>
-                  <p>the organization defines strength of mechanism requirements to be enforced by a
-                     device separate from the system gaining network access to non-privileged
-                     accounts; and</p>
-               </part>
-               <part id="ia-2.7_obj.3" name="objective">
-                  <prop name="label">IA-2(7)[3]</prop>
-                  <p>the information system implements multifactor authentication for network access
-                     to non-privileged accounts such that a device, separate from the system gaining
-                     access, meets organization-defined strength of mechanism requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing multifactor authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.8">
-            <title>Network Access to Privileged Accounts - Replay Resistant</title>
-            <prop name="label">IA-2(8)</prop>
-            <prop name="sort-id">ia-02.08</prop>
-            <part id="ia-2.8_smt" name="statement">
-               <p>The information system implements replay-resistant authentication mechanisms for
-                  network access to privileged accounts.</p>
-            </part>
-            <part id="ia-2.8_gdn" name="guidance">
-               <p>Authentication processes resist replay attacks if it is impractical to achieve
-                  successful authentications by replaying previous authentication messages.
-                  Replay-resistant techniques include, for example, protocols that use nonces or
-                  challenges such as Transport Layer Security (TLS) and time synchronous or
-                  challenge-response one-time authenticators.</p>
-            </part>
-            <part id="ia-2.8_obj" name="objective">
-               <p>Determine if the information system implements replay-resistant authentication
-                  mechanisms for network access to privileged accounts. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of privileged information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing replay resistant
-                     authentication mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.9">
-            <title>Network Access to Non-privileged Accounts - Replay Resistant</title>
-            <prop name="label">IA-2(9)</prop>
-            <prop name="sort-id">ia-02.09</prop>
-            <part id="ia-2.9_smt" name="statement">
-               <p>The information system implements replay-resistant authentication mechanisms for
-                  network access to non-privileged accounts.</p>
-            </part>
-            <part id="ia-2.9_gdn" name="guidance">
-               <p>Authentication processes resist replay attacks if it is impractical to achieve
-                  successful authentications by recording/replaying previous authentication
-                  messages. Replay-resistant techniques include, for example, protocols that use
-                  nonces or challenges such as Transport Layer Security (TLS) and time synchronous
-                  or challenge-response one-time authenticators.</p>
-            </part>
-            <part id="ia-2.9_obj" name="objective">
-               <p>Determine if the information system implements replay-resistant authentication
-                  mechanisms for network access to non-privileged accounts. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of non-privileged information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing replay resistant
-                     authentication mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.10">
-            <title>Single Sign-on</title>
-            <param id="ia-2.10_prm_1">
-               <label>organization-defined information system accounts and services</label>
-            </param>
-            <prop name="label">IA-2(10)</prop>
-            <prop name="sort-id">ia-02.10</prop>
-            <part id="ia-2.10_smt" name="statement">
-               <p>The information system provides a single sign-on capability for <insert param-id="ia-2.10_prm_1"/>.</p>
-            </part>
-            <part id="ia-2.10_gdn" name="guidance">
-               <p>Single sign-on enables users to log in once and gain access to multiple
-                  information system resources. Organizations consider the operational efficiencies
-                  provided by single sign-on capabilities with the increased risk from disclosures
-                  of single authenticators providing access to multiple system resources.</p>
-            </part>
-            <part id="ia-2.10_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-2.10_obj.1" name="objective">
-                  <prop name="label">IA-2(10)[1]</prop>
-                  <p>the organization defines a list of information system accounts and services for
-                     which a single sign-on capability must be provided; and</p>
-               </part>
-               <part id="ia-2.10_obj.2" name="objective">
-                  <prop name="label">IA-2(10)[2]</prop>
-                  <p>the information system provides a single sign-on capability for
-                     organization-defined information system accounts and services.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing single sign-on capability for information system accounts
-                     and services</p>
-                  <p>procedures addressing identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of information system accounts and services requiring single sign-on
-                     capability</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing single sign-on capability
-                     for information system accounts and services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.11">
-            <title>Remote Access - Separate Device</title>
-            <param id="ia-2.11_prm_1">
-               <label>organization-defined strength of mechanism requirements</label>
-            </param>
-            <prop name="label">IA-2(11)</prop>
-            <prop name="sort-id">ia-02.11</prop>
-            <part id="ia-2.11_smt" name="statement">
-               <p>The information system implements multifactor authentication for remote access to
-                  privileged and non-privileged accounts such that one of the factors is provided by
-                  a device separate from the system gaining access and the device meets <insert param-id="ia-2.11_prm_1"/>.</p>
-            </part>
-            <part id="ia-2.11_gdn" name="guidance">
-               <p>For remote access to privileged/non-privileged accounts, the purpose of requiring
-                  a device that is separate from the information system gaining access for one of
-                  the factors during multifactor authentication is to reduce the likelihood of
-                  compromising authentication credentials stored on the system. For example,
-                  adversaries deploying malicious code on organizational information systems can
-                  potentially compromise such credentials resident on the system and subsequently
-                  impersonate authorized users.</p>
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ia-2.11_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-2.11_obj.1" name="objective">
-                  <prop name="label">IA-2(11)[1]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to privileged accounts such that one of the factors is provided by a device
-                     separate from the system gaining access;</p>
-               </part>
-               <part id="ia-2.11_obj.2" name="objective">
-                  <prop name="label">IA-2(11)[2]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to non-privileged accounts such that one of the factors is provided by a device
-                     separate from the system gaining access;</p>
-               </part>
-               <part id="ia-2.11_obj.3" name="objective">
-                  <prop name="label">IA-2(11)[3]</prop>
-                  <p>the organization defines strength of mechanism requirements to be enforced by a
-                     device separate from the system gaining remote access to privileged
-                     accounts;</p>
-               </part>
-               <part id="ia-2.11_obj.4" name="objective">
-                  <prop name="label">IA-2(11)[4]</prop>
-                  <p>the organization defines strength of mechanism requirements to be enforced by a
-                     device separate from the system gaining remote access to non-privileged
-                     accounts;</p>
-               </part>
-               <part id="ia-2.11_obj.5" name="objective">
-                  <prop name="label">IA-2(11)[5]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to privileged accounts such that a device, separate from the system gaining
-                     access, meets organization-defined strength of mechanism requirements; and</p>
-               </part>
-               <part id="ia-2.11_obj.6" name="objective">
-                  <prop name="label">IA-2(11)[6]</prop>
-                  <p>the information system implements multifactor authentication for remote access
-                     to non-privileged accounts such that a device, separate from the system gaining
-                     access, meets organization-defined strength of mechanism requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of privileged and non-privileged information system accounts</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.12">
-            <title>Acceptance of PIV Credentials</title>
-            <prop name="label">IA-2(12)</prop>
-            <prop name="sort-id">ia-02.12</prop>
-            <part id="ia-2.12_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials.</p>
-            </part>
-            <part id="ia-2.12_gdn" name="guidance">
-               <p>This control enhancement applies to organizations implementing logical access
-                  control systems (LACS) and physical access control systems (PACS). Personal
-                  Identity Verification (PIV) credentials are those credentials issued by federal
-                  agencies that conform to FIPS Publication 201 and supporting guidance documents.
-                  OMB Memorandum 11-11 requires federal agencies to continue implementing the
-                  requirements specified in HSPD-12 to enable agency-wide use of PIV
-                  credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-2.12_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-2.12_obj.1" name="objective">
-                  <prop name="label">IA-2(12)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials; and</p>
-               </part>
-               <part id="ia-2.12_obj.2" name="objective">
-                  <prop name="label">IA-2(12)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing acceptance and verification
-                     of PIV credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.13">
-            <title>Out-of-band Authentication</title>
-            <param id="ia-2.13_prm_1">
-               <label>organization-defined out-of-band authentication</label>
-            </param>
-            <param id="ia-2.13_prm_2">
-               <label>organization-defined conditions</label>
-            </param>
-            <prop name="label">IA-2(13)</prop>
-            <prop name="sort-id">ia-02.13</prop>
-            <part id="ia-2.13_smt" name="statement">
-               <p>The information system implements <insert param-id="ia-2.13_prm_1"/> under <insert param-id="ia-2.13_prm_2"/>.</p>
-            </part>
-            <part id="ia-2.13_gdn" name="guidance">
-               <p>Out-of-band authentication (OOBA) refers to the use of two separate communication
-                  paths to identify and authenticate users or devices to an information system. The
-                  first path (i.e., the in-band path), is used to identify and authenticate users or
-                  devices, and generally is the path through which information flows. The second
-                  path (i.e., the out-of-band path) is used to independently verify the
-                  authentication and/or requested action. For example, a user authenticates via a
-                  notebook computer to a remote server to which the user desires access, and
-                  requests some action of the server via that communication path. Subsequently, the
-                  server contacts the user via the user’s cell phone to verify that the requested
-                  action originated from the user. The user may either confirm the intended action
-                  to an individual on the telephone or provide an authentication code via the
-                  telephone. This type of authentication can be employed by organizations to
-                  mitigate actual or suspected man-in the-middle attacks. The conditions for
-                  activation can include, for example, suspicious activities, new threat indicators
-                  or elevated threat levels, or the impact level or classification level of
-                  information in requested transactions.</p>
-               <link rel="related" href="#ia-10">IA-10</link>
-               <link rel="related" href="#ia-11">IA-11</link>
-               <link rel="related" href="#sc-37">SC-37</link>
-            </part>
-            <part id="ia-2.13_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-2.13_obj.1" name="objective">
-                  <prop name="label">IA-2(13)[1]</prop>
-                  <p>the organization defines out-of-band authentication to be implemented by the
-                     information system;</p>
-               </part>
-               <part id="ia-2.13_obj.2" name="objective">
-                  <prop name="label">IA-2(13)[2]</prop>
-                  <p>the organization defines conditions under which the information system
-                     implements organization-defined out-of-band authentication; and</p>
-               </part>
-               <part id="ia-2.13_obj.3" name="objective">
-                  <prop name="label">IA-2(13)[3]</prop>
-                  <p>the information system implements organization-defined out-of-band
-                     authentication under organization-defined conditions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>system-generated list of out-of-band authentication paths</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing out-of-band authentication
-                     capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-3">
-         <title>Device Identification and Authentication</title>
-         <param id="ia-3_prm_1">
-            <label>organization-defined specific and/or types of devices</label>
-         </param>
-         <param id="ia-3_prm_2">
-            <select how-many="one or more">
-               <choice>local</choice>
-               <choice>remote</choice>
-               <choice>network</choice>
-            </select>
-         </param>
-         <prop name="label">IA-3</prop>
-         <prop name="sort-id">ia-03</prop>
-         <part id="ia-3_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates <insert param-id="ia-3_prm_1"/> before establishing a <insert param-id="ia-3_prm_2"/>
-               connection.</p>
-         </part>
-         <part id="ia-3_gdn" name="guidance">
-            <p>Organizational devices requiring unique device-to-device identification and
-               authentication may be defined by type, by device, or by a combination of type/device.
-               Information systems typically use either shared known information (e.g., Media Access
-               Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses)
-               for device identification or organizational authentication solutions (e.g., IEEE
-               802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport
-               Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on
-               local and/or wide area networks. Organizations determine the required strength of
-               authentication mechanisms by the security categories of information systems. Because
-               of the challenges of applying this control on large scale, organizations are
-               encouraged to only apply the control to those limited number (and type) of devices
-               that truly need to support this capability.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-         </part>
-         <part id="ia-3_obj" name="objective">
-            <p>Determine if: </p>
-            <part id="ia-3_obj.1" name="objective">
-               <prop name="label">IA-3[1]</prop>
-               <p>the organization defines specific and/or types of devices that the information
-                  system uniquely identifies and authenticates before establishing one or more of
-                  the following:</p>
-               <part id="ia-3_obj.1.a" name="objective">
-                  <prop name="label">IA-3[1][a]</prop>
-                  <p>a local connection;</p>
-               </part>
-               <part id="ia-3_obj.1.b" name="objective">
-                  <prop name="label">IA-3[1][b]</prop>
-                  <p>a remote connection; and/or</p>
-               </part>
-               <part id="ia-3_obj.1.c" name="objective">
-                  <prop name="label">IA-3[1][c]</prop>
-                  <p>a network connection; and</p>
-               </part>
-            </part>
-            <part id="ia-3_obj.2" name="objective">
-               <prop name="label">IA-3[2]</prop>
-               <p>the information system uniquely identifies and authenticates organization-defined
-                  devices before establishing one or more of the following:</p>
-               <part id="ia-3_obj.2.a" name="objective">
-                  <prop name="label">IA-3[2][a]</prop>
-                  <p>a local connection;</p>
-               </part>
-               <part id="ia-3_obj.2.b" name="objective">
-                  <prop name="label">IA-3[2][b]</prop>
-                  <p>a remote connection; and/or</p>
-               </part>
-               <part id="ia-3_obj.2.c" name="objective">
-                  <prop name="label">IA-3[2][c]</prop>
-                  <p>a network connection.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing device identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>list of devices requiring unique identification and authentication</p>
-               <p>device connection reports</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with operational responsibilities for device
-                  identification and authentication</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing device identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-3.1">
-            <title>Cryptographic Bidirectional Authentication</title>
-            <param id="ia-3.1_prm_1">
-               <label>organization-defined specific devices and/or types of devices</label>
-            </param>
-            <param id="ia-3.1_prm_2">
-               <select how-many="one or more">
-                  <choice>local</choice>
-                  <choice>remote</choice>
-                  <choice>network</choice>
-               </select>
-            </param>
-            <prop name="label">IA-3(1)</prop>
-            <prop name="sort-id">ia-03.01</prop>
-            <part id="ia-3.1_smt" name="statement">
-               <p>The information system authenticates <insert param-id="ia-3.1_prm_1"/> before
-                  establishing <insert param-id="ia-3.1_prm_2"/> connection using bidirectional
-                  authentication that is cryptographically based.</p>
-            </part>
-            <part id="ia-3.1_gdn" name="guidance">
-               <p>A local connection is any connection with a device communicating without the use
-                  of a network. A network connection is any connection with a device that
-                  communicates through a network (e.g., local area or wide area network, Internet).
-                  A remote connection is any connection with a device communicating through an
-                  external network (e.g., the Internet). Bidirectional authentication provides
-                  stronger safeguards to validate the identity of other devices for connections that
-                  are of greater risk (e.g., remote connections).</p>
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ia-3.1_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-3.1_obj.1" name="objective">
-                  <prop name="label">IA-3(1)[1]</prop>
-                  <p>the organization defines specific and/or types of devices requiring use of
-                     cryptographically based, bidirectional authentication to authenticate before
-                     establishing one or more of the following:</p>
-                  <part id="ia-3.1_obj.1.a" name="objective">
-                     <prop name="label">IA-3(1)[1][a]</prop>
-                     <p>a local connection;</p>
-                  </part>
-                  <part id="ia-3.1_obj.1.b" name="objective">
-                     <prop name="label">IA-3(1)[1][b]</prop>
-                     <p>a remote connection; and/or</p>
-                  </part>
-                  <part id="ia-3.1_obj.1.c" name="objective">
-                     <prop name="label">IA-3(1)[1][c]</prop>
-                     <p>a network connection;</p>
-                  </part>
-               </part>
-               <part id="ia-3.1_obj.2" name="objective">
-                  <prop name="label">IA-3(1)[2]</prop>
-                  <p>the information system uses cryptographically based bidirectional
-                     authentication to authenticate organization-defined devices before establishing
-                     one or more of the following:</p>
-                  <part id="ia-3.1_obj.2.a" name="objective">
-                     <prop name="label">IA-3(1)[2][a]</prop>
-                     <p>a local connection;</p>
-                  </part>
-                  <part id="ia-3.1_obj.2.b" name="objective">
-                     <prop name="label">IA-3(1)[2][b]</prop>
-                     <p>a remote connection; and/or</p>
-                  </part>
-                  <part id="ia-3.1_obj.2.c" name="objective">
-                     <prop name="label">IA-3(1)[2][c]</prop>
-                     <p>a network connection.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing device identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>list of devices requiring unique identification and authentication</p>
-                  <p>device connection reports</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with operational responsibilities for device
-                     identification and authentication</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing device authentication
-                     capability</p>
-                  <p>cryptographically based bidirectional authentication mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-3.2">
-            <title>Cryptographic Bidirectional Network Authentication</title>
-            <prop name="label">IA-3(2)</prop>
-            <prop name="sort-id">ia-03.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ia-3.1">IA-3 (1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-3.3">
-            <title>Dynamic Address Allocation</title>
-            <param id="ia-3.3_prm_1">
-               <label>organization-defined lease information and lease duration</label>
-            </param>
-            <prop name="label">IA-3(3)</prop>
-            <prop name="sort-id">ia-03.03</prop>
-            <part id="ia-3.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ia-3.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Standardizes dynamic address allocation lease information and the lease
-                     duration assigned to devices in accordance with <insert param-id="ia-3.3_prm_1"/>; and</p>
-               </part>
-               <part id="ia-3.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Audits lease information when assigned to a device.</p>
-               </part>
-            </part>
-            <part id="ia-3.3_gdn" name="guidance">
-               <p>DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a
-                  typical example of dynamic address allocation for devices.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-3">AU-3</link>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="ia-3.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-3.3.a_obj" name="objective">
-                  <prop name="label">IA-3(3)(a)</prop>
-                  <part id="ia-3.3.a_obj.1" name="objective">
-                     <prop name="label">IA-3(3)(a)[1]</prop>
-                     <p>defines lease information to be employed to standardize dynamic address
-                        allocation for devices;</p>
-                  </part>
-                  <part id="ia-3.3.a_obj.2" name="objective">
-                     <prop name="label">IA-3(3)(a)[2]</prop>
-                     <p>defines lease duration to be employed to standardize dynamic address
-                        allocation for devices;</p>
-                  </part>
-                  <part id="ia-3.3.a_obj.3" name="objective">
-                     <prop name="label">IA-3(3)(a)[3]</prop>
-                     <p>standardizes dynamic address allocation of lease information assigned to
-                        devices in accordance with organization-defined lease information;</p>
-                  </part>
-                  <part id="ia-3.3.a_obj.4" name="objective">
-                     <prop name="label">IA-3(3)(a)[4]</prop>
-                     <p>standardizes dynamic address allocation of the lease duration assigned to
-                        devices in accordance with organization-defined lease duration; and</p>
-                  </part>
-                  <link rel="corresp" href="#ia-3.3_smt.a">IA-3(3)(a)</link>
-               </part>
-               <part id="ia-3.3.b_obj" name="objective">
-                  <prop name="label">IA-3(3)(b)</prop>
-                  <p>audits lease information when assigned to a device.</p>
-                  <link rel="corresp" href="#ia-3.3_smt.b">IA-3(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing device identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>evidence of lease information and lease duration assigned to devices</p>
-                  <p>device connection reports</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with operational responsibilities for device
-                     identification and authentication</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing device identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing dynamic address
-                     allocation</p>
-                  <p>automated mechanisms supporting and/or implanting auditing of lease
-                     information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-3.4">
-            <title>Device Attestation</title>
-            <param id="ia-3.4_prm_1">
-               <label>organization-defined configuration management process</label>
-            </param>
-            <prop name="label">IA-3(4)</prop>
-            <prop name="sort-id">ia-03.04</prop>
-            <part id="ia-3.4_smt" name="statement">
-               <p>The organization ensures that device identification and authentication based on
-                  attestation is handled by <insert param-id="ia-3.4_prm_1"/>.</p>
-            </part>
-            <part id="ia-3.4_gdn" name="guidance">
-               <p>Device attestation refers to the identification and authentication of a device
-                  based on its configuration and known operating state. This might be determined via
-                  some cryptographic hash of the device. If device attestation is the means of
-                  identification and authentication, then it is important that patches and updates
-                  to the device are handled via a configuration management process such that the
-                  those patches/updates are done securely and at the same time do not disrupt the
-                  identification and authentication to other devices.</p>
-            </part>
-            <part id="ia-3.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-3.4_obj.1" name="objective">
-                  <prop name="label">IA-3(4)[1]</prop>
-                  <p>defines configuration management process to be employed to handle device
-                     identification and authentication based on attestation; and</p>
-               </part>
-               <part id="ia-3.4_obj.2" name="objective">
-                  <prop name="label">IA-3(4)[2]</prop>
-                  <p>ensures that device identification and authentication based on attestation is
-                     handled by organization-defined configuration management process.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing device identification and authentication</p>
-                  <p>procedures addressing device configuration management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>configuration management records</p>
-                  <p>change control records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with operational responsibilities for device
-                     identification and authentication</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing device identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing configuration
-                     management</p>
-                  <p>cryptographic mechanisms supporting device attestation</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-4">
-         <title>Identifier Management</title>
-         <param id="ia-4_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-4_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ia-4_prm_3">
-            <label>organization-defined time period of inactivity</label>
-         </param>
-         <prop name="label">IA-4</prop>
-         <prop name="sort-id">ia-04</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <part id="ia-4_smt" name="statement">
-            <p>The organization manages information system identifiers by:</p>
-            <part id="ia-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receiving authorization from <insert param-id="ia-4_prm_1"/> to assign an
-                  individual, group, role, or device identifier;</p>
-            </part>
-            <part id="ia-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Selecting an identifier that identifies an individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Assigning the identifier to the intended individual, group, role, or device;</p>
-            </part>
-            <part id="ia-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Preventing reuse of identifiers for <insert param-id="ia-4_prm_2"/>; and</p>
-            </part>
-            <part id="ia-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Disabling the identifier after <insert param-id="ia-4_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="ia-4_gdn" name="guidance">
-            <p>Common device identifiers include, for example, media access control (MAC), Internet
-               protocol (IP) addresses, or device-unique token identifiers. Management of individual
-               identifiers is not applicable to shared information system accounts (e.g., guest and
-               anonymous accounts). Typically, individual identifiers are the user names of the
-               information system accounts assigned to those individuals. In such instances, the
-               account management activities of AC-2 use account names provided by IA-4. This
-               control also addresses individual identifiers not necessarily associated with
-               information system accounts (e.g., identifiers used in physical security control
-               databases accessed by badge reader systems for access to information systems).
-               Preventing reuse of identifiers implies preventing the assignment of previously used
-               individual, group, role, or device identifiers to different individuals, groups,
-               roles, or devices.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#sc-37">SC-37</link>
-         </part>
-         <part id="ia-4_obj" name="objective">
-            <p>Determine if the organization manages information system identifiers by: </p>
-            <part id="ia-4.a_obj" name="objective">
-               <prop name="label">IA-4(a)</prop>
-               <part id="ia-4.a_obj.1" name="objective">
-                  <prop name="label">IA-4(a)[1]</prop>
-                  <p>defining personnel or roles from whom authorization must be received to
-                     assign:</p>
-                  <part id="ia-4.a_obj.1.a" name="objective">
-                     <prop name="label">IA-4(a)[1][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.b" name="objective">
-                     <prop name="label">IA-4(a)[1][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.c" name="objective">
-                     <prop name="label">IA-4(a)[1][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.1.d" name="objective">
-                     <prop name="label">IA-4(a)[1][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-               <part id="ia-4.a_obj.2" name="objective">
-                  <prop name="label">IA-4(a)[2]</prop>
-                  <p>receiving authorization from organization-defined personnel or roles to
-                     assign:</p>
-                  <part id="ia-4.a_obj.2.a" name="objective">
-                     <prop name="label">IA-4(a)[2][a]</prop>
-                     <p>an individual identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.b" name="objective">
-                     <prop name="label">IA-4(a)[2][b]</prop>
-                     <p>a group identifier;</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.c" name="objective">
-                     <prop name="label">IA-4(a)[2][c]</prop>
-                     <p>a role identifier; and/or</p>
-                  </part>
-                  <part id="ia-4.a_obj.2.d" name="objective">
-                     <prop name="label">IA-4(a)[2][d]</prop>
-                     <p>a device identifier;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ia-4.b_obj" name="objective">
-               <prop name="label">IA-4(b)</prop>
-               <p>selecting an identifier that identifies:</p>
-               <part id="ia-4.b_obj.1" name="objective">
-                  <prop name="label">IA-4(b)[1]</prop>
-                  <p>an individual;</p>
-               </part>
-               <part id="ia-4.b_obj.2" name="objective">
-                  <prop name="label">IA-4(b)[2]</prop>
-                  <p>a group;</p>
-               </part>
-               <part id="ia-4.b_obj.3" name="objective">
-                  <prop name="label">IA-4(b)[3]</prop>
-                  <p>a role; and/or</p>
-               </part>
-               <part id="ia-4.b_obj.4" name="objective">
-                  <prop name="label">IA-4(b)[4]</prop>
-                  <p>a device;</p>
-               </part>
-            </part>
-            <part id="ia-4.c_obj" name="objective">
-               <prop name="label">IA-4(c)</prop>
-               <p>assigning the identifier to the intended:</p>
-               <part id="ia-4.c_obj.1" name="objective">
-                  <prop name="label">IA-4(c)[1]</prop>
-                  <p>individual;</p>
-               </part>
-               <part id="ia-4.c_obj.2" name="objective">
-                  <prop name="label">IA-4(c)[2]</prop>
-                  <p>group;</p>
-               </part>
-               <part id="ia-4.c_obj.3" name="objective">
-                  <prop name="label">IA-4(c)[3]</prop>
-                  <p>role; and/or</p>
-               </part>
-               <part id="ia-4.c_obj.4" name="objective">
-                  <prop name="label">IA-4(c)[4]</prop>
-                  <p>device;</p>
-               </part>
-            </part>
-            <part id="ia-4.d_obj" name="objective">
-               <prop name="label">IA-4(d)</prop>
-               <part id="ia-4.d_obj.1" name="objective">
-                  <prop name="label">IA-4(d)[1]</prop>
-                  <p>defining a time period for preventing reuse of identifiers;</p>
-               </part>
-               <part id="ia-4.d_obj.2" name="objective">
-                  <prop name="label">IA-4(d)[2]</prop>
-                  <p>preventing reuse of identifiers for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ia-4.e_obj" name="objective">
-               <prop name="label">IA-4(e)</prop>
-               <part id="ia-4.e_obj.1" name="objective">
-                  <prop name="label">IA-4(e)[1]</prop>
-                  <p>defining a time period of inactivity to disable the identifier; and</p>
-               </part>
-               <part id="ia-4.e_obj.2" name="objective">
-                  <prop name="label">IA-4(e)[2]</prop>
-                  <p>disabling the identifier after the organization-defined time period of
-                     inactivity.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing identifier management</p>
-               <p>procedures addressing account management</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system accounts</p>
-               <p>list of identifiers generated from physical access control devices</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with identifier management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identifier management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-4.1">
-            <title>Prohibit Account Identifiers as Public Identifiers</title>
-            <prop name="label">IA-4(1)</prop>
-            <prop name="sort-id">ia-04.01</prop>
-            <part id="ia-4.1_smt" name="statement">
-               <p>The organization prohibits the use of information system account identifiers that
-                  are the same as public identifiers for individual electronic mail accounts.</p>
-            </part>
-            <part id="ia-4.1_gdn" name="guidance">
-               <p>Prohibiting the use of information systems account identifiers that are the same
-                  as some public identifier such as the individual identifier section of an
-                  electronic mail address, makes it more difficult for adversaries to guess user
-                  identifiers on organizational information systems.</p>
-               <link rel="related" href="#at-2">AT-2</link>
-            </part>
-            <part id="ia-4.1_obj" name="objective">
-               <p>Determine if the organization prohibits the use of information system account
-                  identifiers that are the same as public identifiers for individual electronic mail
-                  accounts. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identifier management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.2">
-            <title>Supervisor Authorization</title>
-            <prop name="label">IA-4(2)</prop>
-            <prop name="sort-id">ia-04.02</prop>
-            <part id="ia-4.2_smt" name="statement">
-               <p>The organization requires that the registration process to receive an individual
-                  identifier includes supervisor authorization.</p>
-            </part>
-            <part id="ia-4.2_obj" name="objective">
-               <p>Determine if the organization requires that the registration process to receive an
-                  individual identifier includes supervisor authorization. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>supervisors responsible for authorizing identifier registration</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identifier management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.3">
-            <title>Multiple Forms of Certification</title>
-            <prop name="label">IA-4(3)</prop>
-            <prop name="sort-id">ia-04.03</prop>
-            <part id="ia-4.3_smt" name="statement">
-               <p>The organization requires multiple forms of certification of individual
-                  identification be presented to the registration authority.</p>
-            </part>
-            <part id="ia-4.3_gdn" name="guidance">
-               <p>Requiring multiple forms of identification, such as documentary evidence or a
-                  combination of documents and biometrics, reduces the likelihood of individuals
-                  using fraudulent identification to establish an identity, or at least increases
-                  the work factor of potential adversaries.</p>
-            </part>
-            <part id="ia-4.3_obj" name="objective">
-               <p>Determine if the organization requires multiple forms of certification of
-                  individual identification such as documentary evidence or a combination of
-                  documents and biometrics be presented to the registration authority.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identifier management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.4">
-            <title>Identify User Status</title>
-            <param id="ia-4.4_prm_1">
-               <label>organization-defined characteristic identifying individual status</label>
-            </param>
-            <prop name="label">IA-4(4)</prop>
-            <prop name="sort-id">ia-04.04</prop>
-            <part id="ia-4.4_smt" name="statement">
-               <p>The organization manages individual identifiers by uniquely identifying each
-                  individual as <insert param-id="ia-4.4_prm_1"/>.</p>
-            </part>
-            <part id="ia-4.4_gdn" name="guidance">
-               <p>Characteristics identifying the status of individuals include, for example,
-                  contractors and foreign nationals. Identifying the status of individuals by
-                  specific characteristics provides additional information about the people with
-                  whom organizational personnel are communicating. For example, it might be useful
-                  for a government employee to know that one of the individuals on an email message
-                  is a contractor.</p>
-               <link rel="related" href="#at-2">AT-2</link>
-            </part>
-            <part id="ia-4.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-4.4_obj.1" name="objective">
-                  <prop name="label">IA-4(4)[1]</prop>
-                  <p>defines a characteristic to be used to identify individual status; and</p>
-               </part>
-               <part id="ia-4.4_obj.2" name="objective">
-                  <prop name="label">IA-4(4)[2]</prop>
-                  <p>manages individual identifiers by uniquely identifying each individual as the
-                     organization-defined characteristic identifying individual status.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>list of characteristics identifying individual status</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identifier management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.5">
-            <title>Dynamic Management</title>
-            <prop name="label">IA-4(5)</prop>
-            <prop name="sort-id">ia-04.05</prop>
-            <part id="ia-4.5_smt" name="statement">
-               <p>The information system dynamically manages identifiers.</p>
-            </part>
-            <part id="ia-4.5_gdn" name="guidance">
-               <p>In contrast to conventional approaches to identification which presume static
-                  accounts for preregistered users, many distributed information systems including,
-                  for example, service-oriented architectures, rely on establishing identifiers at
-                  run time for entities that were previously unknown. In these situations,
-                  organizations anticipate and provision for the dynamic establishment of
-                  identifiers. Preestablished trust relationships and mechanisms with appropriate
-                  authorities to validate identities and related credentials are essential.</p>
-               <link rel="related" href="#ac-16">AC-16</link>
-            </part>
-            <part id="ia-4.5_obj" name="objective">
-               <p>Determine if the information system dynamically manages identifiers. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing dynamic identifier
-                     management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.6">
-            <title>Cross-organization Management</title>
-            <param id="ia-4.6_prm_1">
-               <label>organization-defined external organizations</label>
-            </param>
-            <prop name="label">IA-4(6)</prop>
-            <prop name="sort-id">ia-04.06</prop>
-            <part id="ia-4.6_smt" name="statement">
-               <p>The organization coordinates with <insert param-id="ia-4.6_prm_1"/> for
-                  cross-organization management of identifiers.</p>
-            </part>
-            <part id="ia-4.6_gdn" name="guidance">
-               <p>Cross-organization identifier management provides the capability for organizations
-                  to appropriately identify individuals, groups, roles, or devices when conducting
-                  cross-organization activities involving the processing, storage, or transmission
-                  of information.</p>
-            </part>
-            <part id="ia-4.6_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-4.6_obj.1" name="objective">
-                  <prop name="label">IA-4(6)[1]</prop>
-                  <p>defines external organizations with whom to coordinate cross-organization
-                     management of identifiers; and</p>
-               </part>
-               <part id="ia-4.6_obj.2" name="objective">
-                  <prop name="label">IA-4(6)[2]</prop>
-                  <p>coordinates with organization-defined external organizations for
-                     cross-organization management of identifiers.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identifier management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.7">
-            <title>In-person Registration</title>
-            <prop name="label">IA-4(7)</prop>
-            <prop name="sort-id">ia-04.07</prop>
-            <part id="ia-4.7_smt" name="statement">
-               <p>The organization requires that the registration process to receive an individual
-                  identifier be conducted in person before a designated registration authority.</p>
-            </part>
-            <part id="ia-4.7_gdn" name="guidance">
-               <p>In-person registration reduces the likelihood of fraudulent identifiers being
-                  issued because it requires the physical presence of individuals and actual
-                  face-to-face interactions with designated registration authorities.</p>
-            </part>
-            <part id="ia-4.7_obj" name="objective">
-               <p>Determine if the organization requires that the registration process to receive an
-                  individual identifier be conducted in person before a designated registration
-                  authority. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>procedures addressing account management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-5">
-         <title>Authenticator Management</title>
-         <param id="ia-5_prm_1">
-            <label>organization-defined time period by authenticator type</label>
-         </param>
-         <prop name="label">IA-5</prop>
-         <prop name="sort-id">ia-05</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-5_smt" name="statement">
-            <p>The organization manages information system authenticators by:</p>
-            <part id="ia-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Verifying, as part of the initial authenticator distribution, the identity of the
-                  individual, group, role, or device receiving the authenticator;</p>
-            </part>
-            <part id="ia-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Establishing and implementing administrative procedures for initial authenticator
-                  distribution, for lost/compromised or damaged authenticators, and for revoking
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Establishing minimum and maximum lifetime restrictions and reuse conditions for
-                  authenticators;</p>
-            </part>
-            <part id="ia-5_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changing/refreshing authenticators <insert param-id="ia-5_prm_1"/>;</p>
-            </part>
-            <part id="ia-5_smt.h" name="item">
-               <prop name="label">h.</prop>
-               <p>Protecting authenticator content from unauthorized disclosure and
-                  modification;</p>
-            </part>
-            <part id="ia-5_smt.i" name="item">
-               <prop name="label">i.</prop>
-               <p>Requiring individuals to take, and having devices implement, specific security
-                  safeguards to protect authenticators; and</p>
-            </part>
-            <part id="ia-5_smt.j" name="item">
-               <prop name="label">j.</prop>
-               <p>Changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-         </part>
-         <part id="ia-5_gdn" name="guidance">
-            <p>Individual authenticators include, for example, passwords, tokens, biometrics, PKI
-               certificates, and key cards. Initial authenticator content is the actual content
-               (e.g., the initial password) as opposed to requirements about authenticator content
-               (e.g., minimum password length). In many cases, developers ship information system
-               components with factory default authentication credentials to allow for initial
-               installation and configuration. Default authentication credentials are often well
-               known, easily discoverable, and present a significant security risk. The requirement
-               to protect individual authenticators may be implemented via control PL-4 or PS-6 for
-               authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28
-               for authenticators stored within organizational information systems (e.g., passwords
-               stored in hashed or encrypted formats, files containing encrypted or hashed passwords
-               accessible with administrator privileges). Information systems support individual
-               authenticator management by organization-defined settings and restrictions for
-               various authenticator characteristics including, for example, minimum password
-               length, password composition, validation time window for time synchronous one-time
-               tokens, and number of allowed rejections during the verification stage of biometric
-               authentication. Specific actions that can be taken to safeguard authenticators
-               include, for example, maintaining possession of individual authenticators, not
-               loaning or sharing individual authenticators with others, and reporting lost, stolen,
-               or compromised authenticators immediately. Authenticator management includes issuing
-               and revoking, when no longer needed, authenticators for temporary access such as that
-               required for remote maintenance. Device authenticators include, for example,
-               certificates and passwords.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-         </part>
-         <part id="ia-5_obj" name="objective">
-            <p>Determine if the organization manages information system authenticators by: </p>
-            <part id="ia-5.a_obj" name="objective">
-               <prop name="label">IA-5(a)</prop>
-               <p>verifying, as part of the initial authenticator distribution, the identity of:</p>
-               <part id="ia-5.a_obj.1" name="objective">
-                  <prop name="label">IA-5(a)[1]</prop>
-                  <p>the individual receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.2" name="objective">
-                  <prop name="label">IA-5(a)[2]</prop>
-                  <p>the group receiving the authenticator;</p>
-               </part>
-               <part id="ia-5.a_obj.3" name="objective">
-                  <prop name="label">IA-5(a)[3]</prop>
-                  <p>the role receiving the authenticator; and/or</p>
-               </part>
-               <part id="ia-5.a_obj.4" name="objective">
-                  <prop name="label">IA-5(a)[4]</prop>
-                  <p>the device receiving the authenticator;</p>
-               </part>
-            </part>
-            <part id="ia-5.b_obj" name="objective">
-               <prop name="label">IA-5(b)</prop>
-               <p>establishing initial authenticator content for authenticators defined by the
-                  organization;</p>
-            </part>
-            <part id="ia-5.c_obj" name="objective">
-               <prop name="label">IA-5(c)</prop>
-               <p>ensuring that authenticators have sufficient strength of mechanism for their
-                  intended use;</p>
-            </part>
-            <part id="ia-5.d_obj" name="objective">
-               <prop name="label">IA-5(d)</prop>
-               <part id="ia-5.d_obj.1" name="objective">
-                  <prop name="label">IA-5(d)[1]</prop>
-                  <p>establishing and implementing administrative procedures for initial
-                     authenticator distribution;</p>
-               </part>
-               <part id="ia-5.d_obj.2" name="objective">
-                  <prop name="label">IA-5(d)[2]</prop>
-                  <p>establishing and implementing administrative procedures for lost/compromised or
-                     damaged authenticators;</p>
-               </part>
-               <part id="ia-5.d_obj.3" name="objective">
-                  <prop name="label">IA-5(d)[3]</prop>
-                  <p>establishing and implementing administrative procedures for revoking
-                     authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.e_obj" name="objective">
-               <prop name="label">IA-5(e)</prop>
-               <p>changing default content of authenticators prior to information system
-                  installation;</p>
-            </part>
-            <part id="ia-5.f_obj" name="objective">
-               <prop name="label">IA-5(f)</prop>
-               <part id="ia-5.f_obj.1" name="objective">
-                  <prop name="label">IA-5(f)[1]</prop>
-                  <p>establishing minimum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.2" name="objective">
-                  <prop name="label">IA-5(f)[2]</prop>
-                  <p>establishing maximum lifetime restrictions for authenticators;</p>
-               </part>
-               <part id="ia-5.f_obj.3" name="objective">
-                  <prop name="label">IA-5(f)[3]</prop>
-                  <p>establishing reuse conditions for authenticators;</p>
-               </part>
-            </part>
-            <part id="ia-5.g_obj" name="objective">
-               <prop name="label">IA-5(g)</prop>
-               <part id="ia-5.g_obj.1" name="objective">
-                  <prop name="label">IA-5(g)[1]</prop>
-                  <p>defining a time period (by authenticator type) for changing/refreshing
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.g_obj.2" name="objective">
-                  <prop name="label">IA-5(g)[2]</prop>
-                  <p>changing/refreshing authenticators with the organization-defined time period by
-                     authenticator type;</p>
-               </part>
-            </part>
-            <part id="ia-5.h_obj" name="objective">
-               <prop name="label">IA-5(h)</prop>
-               <p>protecting authenticator content from unauthorized:</p>
-               <part id="ia-5.h_obj.1" name="objective">
-                  <prop name="label">IA-5(h)[1]</prop>
-                  <p>disclosure;</p>
-               </part>
-               <part id="ia-5.h_obj.2" name="objective">
-                  <prop name="label">IA-5(h)[2]</prop>
-                  <p>modification;</p>
-               </part>
-            </part>
-            <part id="ia-5.i_obj" name="objective">
-               <prop name="label">IA-5(i)</prop>
-               <part id="ia-5.i_obj.1" name="objective">
-                  <prop name="label">IA-5(i)[1]</prop>
-                  <p>requiring individuals to take specific security safeguards to protect
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.i_obj.2" name="objective">
-                  <prop name="label">IA-5(i)[2]</prop>
-                  <p>having devices implement specific security safeguards to protect
-                     authenticators; and</p>
-               </part>
-            </part>
-            <part id="ia-5.j_obj" name="objective">
-               <prop name="label">IA-5(j)</prop>
-               <p>changing authenticators for group/role accounts when membership to those accounts
-                  changes.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator management</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of information system authenticator types</p>
-               <p>change control records associated with managing information system
-                  authenticators</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with authenticator management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing authenticator management
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-5.1">
-            <title>Password-based Authentication</title>
-            <param id="ia-5.1_prm_1">
-               <label>organization-defined requirements for case sensitivity, number of characters,
-                  mix of upper-case letters, lower-case letters, numbers, and special characters,
-                  including minimum requirements for each type</label>
-            </param>
-            <param id="ia-5.1_prm_2">
-               <label>organization-defined number</label>
-            </param>
-            <param id="ia-5.1_prm_3">
-               <label>organization-defined numbers for lifetime minimum, lifetime maximum</label>
-            </param>
-            <param id="ia-5.1_prm_4">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">IA-5(1)</prop>
-            <prop name="sort-id">ia-05.01</prop>
-            <part id="ia-5.1_smt" name="statement">
-               <p>The information system, for password-based authentication:</p>
-               <part id="ia-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Enforces minimum password complexity of <insert param-id="ia-5.1_prm_1"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces at least the following number of changed characters when new passwords
-                     are created: <insert param-id="ia-5.1_prm_2"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Stores and transmits only cryptographically-protected passwords;</p>
-               </part>
-               <part id="ia-5.1_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Enforces password minimum and maximum lifetime restrictions of <insert param-id="ia-5.1_prm_3"/>;</p>
-               </part>
-               <part id="ia-5.1_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Prohibits password reuse for <insert param-id="ia-5.1_prm_4"/> generations;
-                     and</p>
-               </part>
-               <part id="ia-5.1_smt.f" name="item">
-                  <prop name="label">(f)</prop>
-                  <p>Allows the use of a temporary password for system logons with an immediate
-                     change to a permanent password.</p>
-               </part>
-            </part>
-            <part id="ia-5.1_gdn" name="guidance">
-               <p>This control enhancement applies to single-factor authentication of individuals
-                  using passwords as individual or group authenticators, and in a similar manner,
-                  when passwords are part of multifactor authenticators. This control enhancement
-                  does not apply when passwords are used to unlock hardware authenticators (e.g.,
-                  Personal Identity Verification cards). The implementation of such password
-                  mechanisms may not meet all of the requirements in the enhancement.
-                  Cryptographically-protected passwords include, for example, encrypted versions of
-                  passwords and one-way cryptographic hashes of passwords. The number of changed
-                  characters refers to the number of changes required with respect to the total
-                  number of positions in the current password. Password lifetime restrictions do not
-                  apply to temporary passwords. To mitigate certain brute force attacks against
-                  passwords, organizations may also consider salting passwords.</p>
-               <link rel="related" href="#ia-6">IA-6</link>
-            </part>
-            <part id="ia-5.1_obj" name="objective">
-               <p>Determine if, for password-based authentication: </p>
-               <part id="ia-5.1.a_obj" name="objective">
-                  <prop name="label">IA-5(1)(a)</prop>
-                  <part id="ia-5.1.a_obj.1" name="objective">
-                     <prop name="label">IA-5(1)(a)[1]</prop>
-                     <p>the organization defines requirements for case sensitivity;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.2" name="objective">
-                     <prop name="label">IA-5(1)(a)[2]</prop>
-                     <p>the organization defines requirements for number of characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.3" name="objective">
-                     <prop name="label">IA-5(1)(a)[3]</prop>
-                     <p>the organization defines requirements for the mix of upper-case letters,
-                        lower-case letters, numbers and special characters;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.4" name="objective">
-                     <prop name="label">IA-5(1)(a)[4]</prop>
-                     <p>the organization defines minimum requirements for each type of
-                        character;</p>
-                  </part>
-                  <part id="ia-5.1.a_obj.5" name="objective">
-                     <prop name="label">IA-5(1)(a)[5]</prop>
-                     <p>the information system enforces minimum password complexity of
-                        organization-defined requirements for case sensitivity, number of
-                        characters, mix of upper-case letters, lower-case letters, numbers, and
-                        special characters, including minimum requirements for each type;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.a">IA-5(1)(a)</link>
-               </part>
-               <part id="ia-5.1.b_obj" name="objective">
-                  <prop name="label">IA-5(1)(b)</prop>
-                  <part id="ia-5.1.b_obj.1" name="objective">
-                     <prop name="label">IA-5(1)(b)[1]</prop>
-                     <p>the organization defines a minimum number of changed characters to be
-                        enforced when new passwords are created;</p>
-                  </part>
-                  <part id="ia-5.1.b_obj.2" name="objective">
-                     <prop name="label">IA-5(1)(b)[2]</prop>
-                     <p>the information system enforces at least the organization-defined minimum
-                        number of characters that must be changed when new passwords are
-                        created;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.b">IA-5(1)(b)</link>
-               </part>
-               <part id="ia-5.1.c_obj" name="objective">
-                  <prop name="label">IA-5(1)(c)</prop>
-                  <p>the information system stores and transmits only encrypted representations of
-                     passwords;</p>
-                  <link rel="corresp" href="#ia-5.1_smt.c">IA-5(1)(c)</link>
-               </part>
-               <part id="ia-5.1.d_obj" name="objective">
-                  <prop name="label">IA-5(1)(d)</prop>
-                  <part id="ia-5.1.d_obj.1" name="objective">
-                     <prop name="label">IA-5(1)(d)[1]</prop>
-                     <p>the organization defines numbers for password minimum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.2" name="objective">
-                     <prop name="label">IA-5(1)(d)[2]</prop>
-                     <p>the organization defines numbers for password maximum lifetime restrictions
-                        to be enforced for passwords;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.3" name="objective">
-                     <prop name="label">IA-5(1)(d)[3]</prop>
-                     <p>the information system enforces password minimum lifetime restrictions of
-                        organization-defined numbers for lifetime minimum;</p>
-                  </part>
-                  <part id="ia-5.1.d_obj.4" name="objective">
-                     <prop name="label">IA-5(1)(d)[4]</prop>
-                     <p>the information system enforces password maximum lifetime restrictions of
-                        organization-defined numbers for lifetime maximum;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.d">IA-5(1)(d)</link>
-               </part>
-               <part id="ia-5.1.e_obj" name="objective">
-                  <prop name="label">IA-5(1)(e)</prop>
-                  <part id="ia-5.1.e_obj.1" name="objective">
-                     <prop name="label">IA-5(1)(e)[1]</prop>
-                     <p>the organization defines the number of password generations to be prohibited
-                        from password reuse;</p>
-                  </part>
-                  <part id="ia-5.1.e_obj.2" name="objective">
-                     <prop name="label">IA-5(1)(e)[2]</prop>
-                     <p>the information system prohibits password reuse for the organization-defined
-                        number of generations; and</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.1_smt.e">IA-5(1)(e)</link>
-               </part>
-               <part id="ia-5.1.f_obj" name="objective">
-                  <prop name="label">IA-5(1)(f)</prop>
-                  <p>the information system allows the use of a temporary password for system logons
-                     with an immediate change to a permanent password.</p>
-                  <link rel="corresp" href="#ia-5.1_smt.f">IA-5(1)(f)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>password policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>password configurations and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing password-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.2">
-            <title>Pki-based Authentication</title>
-            <prop name="label">IA-5(2)</prop>
-            <prop name="sort-id">ia-05.02</prop>
-            <part id="ia-5.2_smt" name="statement">
-               <p>The information system, for PKI-based authentication:</p>
-               <part id="ia-5.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Validates certifications by constructing and verifying a certification path to
-                     an accepted trust anchor including checking certificate status information;</p>
-               </part>
-               <part id="ia-5.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Enforces authorized access to the corresponding private key;</p>
-               </part>
-               <part id="ia-5.2_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Maps the authenticated identity to the account of the individual or group;
-                     and</p>
-               </part>
-               <part id="ia-5.2_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Implements a local cache of revocation data to support path discovery and
-                     validation in case of inability to access revocation information via the
-                     network.</p>
-               </part>
-            </part>
-            <part id="ia-5.2_gdn" name="guidance">
-               <p>Status information for certification paths includes, for example, certificate
-                  revocation lists or certificate status protocol responses. For PIV cards,
-                  validation of certifications involves the construction and verification of a
-                  certification path to the Common Policy Root trust anchor including certificate
-                  policy processing.</p>
-               <link rel="related" href="#ia-6">IA-6</link>
-            </part>
-            <part id="ia-5.2_obj" name="objective">
-               <p>Determine if the information system, for PKI-based authentication: </p>
-               <part id="ia-5.2.a_obj" name="objective">
-                  <prop name="label">IA-5(2)(a)</prop>
-                  <part id="ia-5.2.a_obj.1" name="objective">
-                     <prop name="label">IA-5(2)(a)[1]</prop>
-                     <p>validates certifications by constructing a certification path to an accepted
-                        trust anchor;</p>
-                  </part>
-                  <part id="ia-5.2.a_obj.2" name="objective">
-                     <prop name="label">IA-5(2)(a)[2]</prop>
-                     <p>validates certifications by verifying a certification path to an accepted
-                        trust anchor;</p>
-                  </part>
-                  <part id="ia-5.2.a_obj.3" name="objective">
-                     <prop name="label">IA-5(2)(a)[3]</prop>
-                     <p>includes checking certificate status information when constructing and
-                        verifying the certification path;</p>
-                  </part>
-                  <link rel="corresp" href="#ia-5.2_smt.a">IA-5(2)(a)</link>
-               </part>
-               <part id="ia-5.2.b_obj" name="objective">
-                  <prop name="label">IA-5(2)(b)</prop>
-                  <p>enforces authorized access to the corresponding private key;</p>
-                  <link rel="corresp" href="#ia-5.2_smt.b">IA-5(2)(b)</link>
-               </part>
-               <part id="ia-5.2.c_obj" name="objective">
-                  <prop name="label">IA-5(2)(c)</prop>
-                  <p>maps the authenticated identity to the account of the individual or group;
-                     and</p>
-                  <link rel="corresp" href="#ia-5.2_smt.c">IA-5(2)(c)</link>
-               </part>
-               <part id="ia-5.2.d_obj" name="objective">
-                  <prop name="label">IA-5(2)(d)</prop>
-                  <p>implements a local cache of revocation data to support path discovery and
-                     validation in case of inability to access revocation information via the
-                     network.</p>
-                  <link rel="corresp" href="#ia-5.2_smt.d">IA-5(2)(d)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>PKI certification validation records</p>
-                  <p>PKI certification revocation lists</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with PKI-based, authenticator management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing PKI-based, authenticator
-                     management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.3">
-            <title>In-person or Trusted Third-party Registration</title>
-            <param id="ia-5.3_prm_1">
-               <label>organization-defined types of and/or specific authenticators</label>
-            </param>
-            <param id="ia-5.3_prm_2">
-               <select>
-                  <choice>in person</choice>
-                  <choice>by a trusted third party</choice>
-               </select>
-            </param>
-            <param id="ia-5.3_prm_3">
-               <label>organization-defined registration authority</label>
-            </param>
-            <param id="ia-5.3_prm_4">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IA-5(3)</prop>
-            <prop name="sort-id">ia-05.03</prop>
-            <part id="ia-5.3_smt" name="statement">
-               <p>The organization requires that the registration process to receive <insert param-id="ia-5.3_prm_1"/> be conducted <insert param-id="ia-5.3_prm_2"/> before
-                     <insert param-id="ia-5.3_prm_3"/> with authorization by <insert param-id="ia-5.3_prm_4"/>.</p>
-            </part>
-            <part id="ia-5.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.3_obj.1" name="objective">
-                  <prop name="label">IA-5(3)[1]</prop>
-                  <p>defines types of and/or specific authenticators to be received in person or by
-                     a trusted third party;</p>
-               </part>
-               <part id="ia-5.3_obj.2" name="objective">
-                  <prop name="label">IA-5(3)[2]</prop>
-                  <p>defines the registration authority with oversight of the registration process
-                     for receipt of organization-defined types of and/or specific
-                     authenticators;</p>
-               </part>
-               <part id="ia-5.3_obj.3" name="objective">
-                  <prop name="label">IA-5(3)[3]</prop>
-                  <p>defines personnel or roles responsible for authorizing organization-defined
-                     registration authority;</p>
-               </part>
-               <part id="ia-5.3_obj.4" name="objective">
-                  <prop name="label">IA-5(3)[4]</prop>
-                  <p>defines if the registration process is to be conducted:</p>
-                  <part id="ia-5.3_obj.4.a" name="objective">
-                     <prop name="label">IA-5(3)[4][a]</prop>
-                     <p>in person; or</p>
-                  </part>
-                  <part id="ia-5.3_obj.4.b" name="objective">
-                     <prop name="label">IA-5(3)[4][b]</prop>
-                     <p>by a trusted third party; and</p>
-                  </part>
-               </part>
-               <part id="ia-5.3_obj.5" name="objective">
-                  <prop name="label">IA-5(3)[5]</prop>
-                  <p>requires that the registration process to receive organization-defined types of
-                     and/or specific authenticators be conducted in person or by a trusted third
-                     party before organization-defined registration authority with authorization by
-                     organization-defined personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>registration process for receiving information system authenticators</p>
-                  <p>list of authenticators requiring in-person registration</p>
-                  <p>list of authenticators requiring trusted third party registration</p>
-                  <p>authenticator registration documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>registration authority</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.4">
-            <title>Automated Support for Password Strength Determination</title>
-            <param id="ia-5.4_prm_1">
-               <label>organization-defined requirements</label>
-            </param>
-            <prop name="label">IA-5(4)</prop>
-            <prop name="sort-id">ia-05.04</prop>
-            <part id="ia-5.4_smt" name="statement">
-               <p>The organization employs automated tools to determine if password authenticators
-                  are sufficiently strong to satisfy <insert param-id="ia-5.4_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.4_gdn" name="guidance">
-               <p>This control enhancement focuses on the creation of strong passwords and the
-                  characteristics of such passwords (e.g., complexity) prior to use, the enforcement
-                  of which is carried out by organizational information systems in IA-5 (1).</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="ia-5.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.4_obj.1" name="objective">
-                  <prop name="label">IA-5(4)[1]</prop>
-                  <p>defines requirements to be satisfied by password authenticators; and</p>
-               </part>
-               <part id="ia-5.4_obj.2" name="objective">
-                  <prop name="label">IA-5(4)[2]</prop>
-                  <p>employs automated tools to determine if password authenticators are
-                     sufficiently strong to satisfy organization-defined requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>automated tools for evaluating password authenticators</p>
-                  <p>password strength assessment results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing password-based
-                     authenticator management capability</p>
-                  <p>automated tools for determining password strength</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.5">
-            <title>Change Authenticators Prior to Delivery</title>
-            <prop name="label">IA-5(5)</prop>
-            <prop name="sort-id">ia-05.05</prop>
-            <part id="ia-5.5_smt" name="statement">
-               <p>The organization requires developers/installers of information system components
-                  to provide unique authenticators or change default authenticators prior to
-                  delivery/installation.</p>
-            </part>
-            <part id="ia-5.5_gdn" name="guidance">
-               <p>This control enhancement extends the requirement for organizations to change
-                  default authenticators upon information system installation, by requiring
-                  developers and/or installers to provide unique authenticators or change default
-                  authenticators for system components prior to delivery and/or installation.
-                  However, it typically does not apply to the developers of commercial
-                  off-the-shelve information technology products. Requirements for unique
-                  authenticators can be included in acquisition documents prepared by organizations
-                  when procuring information systems or system components.</p>
-            </part>
-            <part id="ia-5.5_obj" name="objective">
-               <p>Determine if the organization requires developers/installers of information system
-                  components to: </p>
-               <part id="ia-5.5_obj.1" name="objective">
-                  <prop name="label">IA-5(5)[1]</prop>
-                  <p>provide unique authenticators prior to delivery/installation; or</p>
-               </part>
-               <part id="ia-5.5_obj.2" name="objective">
-                  <prop name="label">IA-5(5)[2]</prop>
-                  <p>change default authenticators prior to delivery/installation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information system security, acquisition, and
-                     contracting responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.6">
-            <title>Protection of Authenticators</title>
-            <prop name="label">IA-5(6)</prop>
-            <prop name="sort-id">ia-05.06</prop>
-            <part id="ia-5.6_smt" name="statement">
-               <p>The organization protects authenticators commensurate with the security category
-                  of the information to which use of the authenticator permits access.</p>
-            </part>
-            <part id="ia-5.6_gdn" name="guidance">
-               <p>For information systems containing multiple security categories of information
-                  without reliable physical or logical separation between categories, authenticators
-                  used to grant access to the systems are protected commensurate with the highest
-                  security category of information on the systems.</p>
-            </part>
-            <part id="ia-5.6_obj" name="objective">
-               <p>Determine if the organization protects authenticators commensurate with the
-                  security category of the information to which use of the authenticator permits
-                  access.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security categorization documentation for the information system</p>
-                  <p>security assessments of authenticator protections</p>
-                  <p>risk assessment results</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel implementing and/or maintaining authenticator
-                     protections</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-                  <p>automated mechanisms protecting authenticators</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.7">
-            <title>No Embedded Unencrypted Static Authenticators</title>
-            <prop name="label">IA-5(7)</prop>
-            <prop name="sort-id">ia-05.07</prop>
-            <part id="ia-5.7_smt" name="statement">
-               <p>The organization ensures that unencrypted static authenticators are not embedded
-                  in applications or access scripts or stored on function keys.</p>
-            </part>
-            <part id="ia-5.7_gdn" name="guidance">
-               <p>Organizations exercise caution in determining whether embedded or stored
-                  authenticators are in encrypted or unencrypted form. If authenticators are used in
-                  the manner stored, then those representations are considered unencrypted
-                  authenticators. This is irrespective of whether that representation is perhaps an
-                  encrypted version of something else (e.g., a password).</p>
-            </part>
-            <part id="ia-5.7_obj" name="objective">
-               <p>Determine if the organization ensures that unencrypted static authenticators are
-                  not: </p>
-               <part id="ia-5.7_obj.1" name="objective">
-                  <prop name="label">IA-5(7)[1]</prop>
-                  <p>embedded in applications;</p>
-               </part>
-               <part id="ia-5.7_obj.2" name="objective">
-                  <prop name="label">IA-5(7)[2]</prop>
-                  <p>embedded in access scripts; or</p>
-               </part>
-               <part id="ia-5.7_obj.3" name="objective">
-                  <prop name="label">IA-5(7)[3]</prop>
-                  <p>stored on function keys.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>logical access scripts</p>
-                  <p>application code reviews for detecting unencrypted static authenticators</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-                  <p>automated mechanisms implementing authentication in applications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.8">
-            <title>Multiple Information System Accounts</title>
-            <param id="ia-5.8_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">IA-5(8)</prop>
-            <prop name="sort-id">ia-05.08</prop>
-            <part id="ia-5.8_smt" name="statement">
-               <p>The organization implements <insert param-id="ia-5.8_prm_1"/> to manage the risk
-                  of compromise due to individuals having accounts on multiple information
-                  systems.</p>
-            </part>
-            <part id="ia-5.8_gdn" name="guidance">
-               <p>When individuals have accounts on multiple information systems, there is the risk
-                  that the compromise of one account may lead to the compromise of other accounts if
-                  individuals use the same authenticators. Possible alternatives include, for
-                  example: (i) having different authenticators on all systems; (ii) employing some
-                  form of single sign-on mechanism; or (iii) including some form of one-time
-                  passwords on all systems.</p>
-            </part>
-            <part id="ia-5.8_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.8_obj.1" name="objective">
-                  <prop name="label">IA-5(8)[1]</prop>
-                  <p>defines security safeguards to manage the risk of compromise due to individuals
-                     having accounts on multiple information systems; and</p>
-               </part>
-               <part id="ia-5.8_obj.2" name="objective">
-                  <prop name="label">IA-5(8)[2]</prop>
-                  <p>implements organization-defined security safeguards to manage the risk of
-                     compromise due to individuals having accounts on multiple information
-                     systems.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>list of individuals having accounts on multiple information systems</p>
-                  <p>list of security safeguards intended to manage risk of compromise due to
-                     individuals having accounts on multiple information systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing safeguards for
-                     authenticator management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.9">
-            <title>Cross-organization Credential Management</title>
-            <param id="ia-5.9_prm_1">
-               <label>organization-defined external organizations</label>
-            </param>
-            <prop name="label">IA-5(9)</prop>
-            <prop name="sort-id">ia-05.09</prop>
-            <part id="ia-5.9_smt" name="statement">
-               <p>The organization coordinates with <insert param-id="ia-5.9_prm_1"/> for
-                  cross-organization management of credentials.</p>
-            </part>
-            <part id="ia-5.9_gdn" name="guidance">
-               <p>Cross-organization management of credentials provides the capability for
-                  organizations to appropriately authenticate individuals, groups, roles, or devices
-                  when conducting cross-organization activities involving the processing, storage,
-                  or transmission of information.</p>
-            </part>
-            <part id="ia-5.9_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-5.9_obj.1" name="objective">
-                  <prop name="label">IA-5(9)[1]</prop>
-                  <p>defines external organizations with whom to coordinate cross-organizational
-                     management of credentials; and</p>
-               </part>
-               <part id="ia-5.9_obj.2" name="objective">
-                  <prop name="label">IA-5(9)[2]</prop>
-                  <p>coordinates with organization-defined external organizations for
-                     cross-organizational management of credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>procedures addressing account management</p>
-                  <p>security plan</p>
-                  <p>information security agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing safeguards for
-                     authenticator management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.10">
-            <title>Dynamic Credential Association</title>
-            <prop name="label">IA-5(10)</prop>
-            <prop name="sort-id">ia-05.10</prop>
-            <part id="ia-5.10_smt" name="statement">
-               <p>The information system dynamically provisions identities.</p>
-            </part>
-            <part id="ia-5.10_gdn" name="guidance">
-               <p>Authentication requires some form of binding between an identity and the
-                  authenticator used to confirm the identity. In conventional approaches, this
-                  binding is established by pre-provisioning both the identity and the authenticator
-                  to the information system. For example, the binding between a username (i.e.,
-                  identity) and a password (i.e., authenticator) is accomplished by provisioning the
-                  identity and authenticator as a pair in the information system. New authentication
-                  techniques allow the binding between the identity and the authenticator to be
-                  implemented outside an information system. For example, with smartcard
-                  credentials, the identity and the authenticator are bound together on the card.
-                  Using these credentials, information systems can authenticate identities that have
-                  not been pre-provisioned, dynamically provisioning the identity after
-                  authentication. In these situations, organizations can anticipate the dynamic
-                  provisioning of identities. Preestablished trust relationships and mechanisms with
-                  appropriate authorities to validate identities and related credentials are
-                  essential.</p>
-            </part>
-            <part id="ia-5.10_obj" name="objective">
-               <p>Determine if the information system dynamically provisions identifiers.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>automated mechanisms providing dynamic binding of identifiers and
-                     authenticators</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identifier management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing identifier management capability</p>
-                  <p>automated mechanisms implementing dynamic provisioning of identifiers</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.11">
-            <title>Hardware Token-based Authentication</title>
-            <param id="ia-5.11_prm_1">
-               <label>organization-defined token quality requirements</label>
-            </param>
-            <prop name="label">IA-5(11)</prop>
-            <prop name="sort-id">ia-05.11</prop>
-            <part id="ia-5.11_smt" name="statement">
-               <p>The information system, for hardware token-based authentication, employs
-                  mechanisms that satisfy <insert param-id="ia-5.11_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.11_gdn" name="guidance">
-               <p>Hardware token-based authentication typically refers to the use of PKI-based
-                  tokens, such as the U.S. Government Personal Identity Verification (PIV) card.
-                  Organizations define specific requirements for tokens, such as working with a
-                  particular PKI.</p>
-            </part>
-            <part id="ia-5.11_obj" name="objective">
-               <p>Determine if, for hardware token-based authentication: </p>
-               <part id="ia-5.11_obj.1" name="objective">
-                  <prop name="label">IA-5(11)[1]</prop>
-                  <p>the organization defines token quality requirements to be satisfied; and</p>
-               </part>
-               <part id="ia-5.11_obj.2" name="objective">
-                  <prop name="label">IA-5(11)[2]</prop>
-                  <p>the information system employs mechanisms that satisfy organization-defined
-                     token quality requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>automated mechanisms employing hardware token-based authentication for the
-                     information system</p>
-                  <p>list of token quality requirements</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing hardware token-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.12">
-            <title>Biometric-based Authentication</title>
-            <param id="ia-5.12_prm_1">
-               <label>organization-defined biometric quality requirements</label>
-            </param>
-            <prop name="label">IA-5(12)</prop>
-            <prop name="sort-id">ia-05.12</prop>
-            <part id="ia-5.12_smt" name="statement">
-               <p>The information system, for biometric-based authentication, employs mechanisms
-                  that satisfy <insert param-id="ia-5.12_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.12_gdn" name="guidance">
-               <p>Unlike password-based authentication which provides exact matches of user-input
-                  passwords to stored passwords, biometric authentication does not provide such
-                  exact matches. Depending upon the type of biometric and the type of collection
-                  mechanism, there is likely to be some divergence from the presented biometric and
-                  stored biometric which serves as the basis of comparison. There will likely be
-                  both false positives and false negatives when making such comparisons. The rate at
-                  which the false accept and false reject rates are equal is known as the crossover
-                  rate. Biometric quality requirements include, for example, acceptable crossover
-                  rates, as that essentially reflects the accuracy of the biometric.</p>
-            </part>
-            <part id="ia-5.12_obj" name="objective">
-               <p>Determine if, for biometric-based authentication: </p>
-               <part id="ia-5.12_obj.1" name="objective">
-                  <prop name="label">IA-5(12)[1]</prop>
-                  <p>the organization defines biometric quality requirements to be satisfied;
-                     and</p>
-               </part>
-               <part id="ia-5.12_obj.2" name="objective">
-                  <prop name="label">IA-5(12)[2]</prop>
-                  <p>the information system employs mechanisms that satisfy organization-defined
-                     biometric quality requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>automated mechanisms employing biometric-based authentication for the
-                     information system</p>
-                  <p>list of biometric quality requirements</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing biometric-based
-                     authenticator management capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.13">
-            <title>Expiration of Cached Authenticators</title>
-            <param id="ia-5.13_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">IA-5(13)</prop>
-            <prop name="sort-id">ia-05.13</prop>
-            <part id="ia-5.13_smt" name="statement">
-               <p>The information system prohibits the use of cached authenticators after <insert param-id="ia-5.13_prm_1"/>.</p>
-            </part>
-            <part id="ia-5.13_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="ia-5.13_obj.1" name="objective">
-                  <prop name="label">IA-5(13)[1]</prop>
-                  <p>the organization defines the time period after which the information system is
-                     to prohibit the use of cached authenticators; and</p>
-               </part>
-               <part id="ia-5.13_obj.2" name="objective">
-                  <prop name="label">IA-5(13)[2]</prop>
-                  <p>the information system prohibits the use of cached authenticators after the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing authenticator management
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.14">
-            <title>Managing Content of PKI Trust Stores</title>
-            <prop name="label">IA-5(14)</prop>
-            <prop name="sort-id">ia-05.14</prop>
-            <part id="ia-5.14_smt" name="statement">
-               <p>The organization, for PKI-based authentication, employs a deliberate
-                  organization-wide methodology for managing the content of PKI trust stores
-                  installed across all platforms including networks, operating systems, browsers,
-                  and applications.</p>
-            </part>
-            <part id="ia-5.14_obj" name="objective">
-               <p>Determine if the organization, for PKI-based authentication, employs a deliberate
-                  organization-wide methodology for managing the content of PKI trust stores
-                  installed across all platforms including: </p>
-               <part id="ia-5.14_obj.1" name="objective">
-                  <prop name="label">IA-5(14)[1]</prop>
-                  <p>networks;</p>
-               </part>
-               <part id="ia-5.14_obj.2" name="objective">
-                  <prop name="label">IA-5(14)[2]</prop>
-                  <p>operating systems;</p>
-               </part>
-               <part id="ia-5.14_obj.3" name="objective">
-                  <prop name="label">IA-5(14)[3]</prop>
-                  <p>browsers; and</p>
-               </part>
-               <part id="ia-5.14_obj.4" name="objective">
-                  <prop name="label">IA-5(14)[4]</prop>
-                  <p>applications.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing authenticator management</p>
-                  <p>security plan</p>
-                  <p>organizational methodology for managing content of PKI trust stores across
-                     installed all platforms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>enterprise security architecture documentation</p>
-                  <p>enterprise architecture documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with authenticator management responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing PKI-based authenticator
-                     management capability</p>
-                  <p>automated mechanisms supporting and/or implementing the PKI trust store
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.15">
-            <title>Ficam-approved Products and Services</title>
-            <prop name="label">IA-5(15)</prop>
-            <prop name="sort-id">ia-05.15</prop>
-            <part id="ia-5.15_smt" name="statement">
-               <p>The organization uses only FICAM-approved path discovery and validation products
-                  and services.</p>
-            </part>
-            <part id="ia-5.15_gdn" name="guidance">
-               <p>Federal Identity, Credential, and Access Management (FICAM)-approved path
-                  discovery and validation products and services are those products and services
-                  that have been approved through the FICAM conformance program, where
-                  applicable.</p>
-            </part>
-            <part id="ia-5.15_obj" name="objective">
-               <p>Determine if the organization uses only FICAM-approved path discovery and
-                  validation products and services.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing identifier management</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>automated mechanisms providing dynamic binding of identifiers and
-                     authenticators</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identification and authentication management
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing account management
-                     capability</p>
-                  <p>automated mechanisms supporting and/or implementing identification and
-                     authentication management capability for the information system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-6">
-         <title>Authenticator Feedback</title>
-         <prop name="label">IA-6</prop>
-         <prop name="sort-id">ia-06</prop>
-         <part id="ia-6_smt" name="statement">
-            <p>The information system obscures feedback of authentication information during the
-               authentication process to protect the information from possible exploitation/use by
-               unauthorized individuals.</p>
-         </part>
-         <part id="ia-6_gdn" name="guidance">
-            <p>The feedback from information systems does not provide information that would allow
-               unauthorized individuals to compromise authentication mechanisms. For some types of
-               information systems or system components, for example, desktops/notebooks with
-               relatively large monitors, the threat (often referred to as shoulder surfing) may be
-               significant. For other types of systems or components, for example, mobile devices
-               with 2-4 inch screens, this threat may be less significant, and may need to be
-               balanced against the increased likelihood of typographic input errors due to the
-               small keyboards. Therefore, the means for obscuring the authenticator feedback is
-               selected accordingly. Obscuring the feedback of authentication information includes,
-               for example, displaying asterisks when users type passwords into input devices, or
-               displaying feedback for a very limited time before fully obscuring it.</p>
-            <link rel="related" href="#pe-18">PE-18</link>
-         </part>
-         <part id="ia-6_obj" name="objective">
-            <p>Determine if the information system obscures feedback of authentication information
-               during the authentication process to protect the information from possible
-               exploitation/use by unauthorized individuals.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing authenticator feedback</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing the obscuring of feedback of
-                  authentication information during authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-7">
-         <title>Cryptographic Module Authentication</title>
-         <prop name="label">IA-7</prop>
-         <prop name="sort-id">ia-07</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#b09d1a31-d3c9-4138-a4f4-4c63816afd7d" rel="reference">http://csrc.nist.gov/groups/STM/cmvp/index.html</link>
-         <part id="ia-7_smt" name="statement">
-            <p>The information system implements mechanisms for authentication to a cryptographic
-               module that meet the requirements of applicable federal laws, Executive Orders,
-               directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part id="ia-7_gdn" name="guidance">
-            <p>Authentication mechanisms may be required within a cryptographic module to
-               authenticate an operator accessing the module and to verify that the operator is
-               authorized to assume the requested role and perform services within that role.</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="ia-7_obj" name="objective">
-            <p>Determine if the information system implements mechanisms for authentication to a
-               cryptographic module that meet the requirements of applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and guidance for such
-               authentication.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing cryptographic module authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for cryptographic module
-                  authentication</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic module
-                  authentication</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-8">
-         <title>Identification and Authentication (non-organizational Users)</title>
-         <prop name="label">IA-8</prop>
-         <prop name="sort-id">ia-08</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#74e740a4-c45d-49f3-a86e-eb747c549e01" rel="reference">OMB Memorandum 11-11</link>
-         <link href="#599fe9ba-4750-4450-9eeb-b95bd19a5e8f" rel="reference">OMB Memorandum 10-06-2011</link>
-         <link href="#ba557c91-ba3e-4792-adc6-a4ae479b39ff" rel="reference">FICAM Roadmap and Implementation Guidance</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#654f21e2-f3bc-43b2-abdc-60ab8d09744b" rel="reference">National Strategy for Trusted Identities in
-            Cyberspace</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ia-8_smt" name="statement">
-            <p>The information system uniquely identifies and authenticates non-organizational users
-               (or processes acting on behalf of non-organizational users).</p>
-         </part>
-         <part id="ia-8_gdn" name="guidance">
-            <p>Non-organizational users include information system users other than organizational
-               users explicitly covered by IA-2. These individuals are uniquely identified and
-               authenticated for accesses other than those accesses explicitly identified and
-               documented in AC-14. In accordance with the E-Authentication E-Government initiative,
-               authentication of non-organizational users accessing federal information systems may
-               be required to protect federal, proprietary, or privacy-related information (with
-               exceptions noted for national security systems). Organizations use risk assessments
-               to determine authentication needs and consider scalability, practicality, and
-               security in balancing the need to ensure ease of use for access to federal
-               information and information systems with the need to protect and adequately mitigate
-               risk. IA-2 addresses identification and authentication requirements for access to
-               information systems by organizational users.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-         </part>
-         <part id="ia-8_obj" name="objective">
-            <p>Determine if the information system uniquely identifies and authenticates
-               non-organizational users (or processes acting on behalf of non-organizational
-               users).</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user identification and authentication</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>list of information system accounts</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-8.1">
-            <title>Acceptance of PIV Credentials from Other Agencies</title>
-            <prop name="label">IA-8(1)</prop>
-            <prop name="sort-id">ia-08.01</prop>
-            <part id="ia-8.1_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification (PIV) credentials from other federal agencies.</p>
-            </part>
-            <part id="ia-8.1_gdn" name="guidance">
-               <p>This control enhancement applies to logical access control systems (LACS) and
-                  physical access control systems (PACS). Personal Identity Verification (PIV)
-                  credentials are those credentials issued by federal agencies that conform to FIPS
-                  Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires
-                  federal agencies to continue implementing the requirements specified in HSPD-12 to
-                  enable agency-wide use of PIV credentials.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#pe-3">PE-3</link>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.1_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-8.1_obj.1" name="objective">
-                  <prop name="label">IA-8(1)[1]</prop>
-                  <p>accepts Personal Identity Verification (PIV) credentials from other agencies;
-                     and</p>
-               </part>
-               <part id="ia-8.1_obj.2" name="objective">
-                  <prop name="label">IA-8(1)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification (PIV) credentials from
-                     other agencies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV verification records</p>
-                  <p>evidence of PIV credentials</p>
-                  <p>PIV credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept and verify PIV credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.2">
-            <title>Acceptance of Third-party Credentials</title>
-            <prop name="label">IA-8(2)</prop>
-            <prop name="sort-id">ia-08.02</prop>
-            <part id="ia-8.2_smt" name="statement">
-               <p>The information system accepts only FICAM-approved third-party credentials.</p>
-            </part>
-            <part id="ia-8.2_gdn" name="guidance">
-               <p>This control enhancement typically applies to organizational information systems
-                  that are accessible to the general public, for example, public-facing websites.
-                  Third-party credentials are those credentials issued by nonfederal government
-                  entities approved by the Federal Identity, Credential, and Access Management
-                  (FICAM) Trust Framework Solutions initiative. Approved third-party credentials
-                  meet or exceed the set of minimum federal government-wide technical, security,
-                  privacy, and organizational maturity requirements. This allows federal government
-                  relying parties to trust such credentials at their approved assurance levels.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ia-8.2_obj" name="objective">
-               <p>Determine if the information system accepts only FICAM-approved third-party
-                  credentials. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-approved, third-party credentialing products, components, or
-                     services procured and implemented by organization</p>
-                  <p>third-party credential verification records</p>
-                  <p>evidence of FICAM-approved third-party credentials</p>
-                  <p>third-party credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept FICAM-approved credentials</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.3">
-            <title>Use of Ficam-approved Products</title>
-            <param id="ia-8.3_prm_1">
-               <label>organization-defined information systems</label>
-            </param>
-            <prop name="label">IA-8(3)</prop>
-            <prop name="sort-id">ia-08.03</prop>
-            <part id="ia-8.3_smt" name="statement">
-               <p>The organization employs only FICAM-approved information system components in
-                     <insert param-id="ia-8.3_prm_1"/> to accept third-party credentials.</p>
-            </part>
-            <part id="ia-8.3_gdn" name="guidance">
-               <p>This control enhancement typically applies to information systems that are
-                  accessible to the general public, for example, public-facing websites.
-                  FICAM-approved information system components include, for example, information
-                  technology products and software libraries that have been approved by the Federal
-                  Identity, Credential, and Access Management conformance program.</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-8.3_obj.1" name="objective">
-                  <prop name="label">IA-8(3)[1]</prop>
-                  <p>defines information systems in which only FICAM-approved information system
-                     components are to be employed to accept third-party credentials; and</p>
-               </part>
-               <part id="ia-8.3_obj.2" name="objective">
-                  <prop name="label">IA-8(3)[2]</prop>
-                  <p>employs only FICAM-approved information system components in
-                     organization-defined information systems to accept third-party credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>third-party credential validations</p>
-                  <p>third-party credential authorizations</p>
-                  <p>third-party credential records</p>
-                  <p>list of FICAM-approved information system components procured and implemented
-                     by organization</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with account management responsibilities</p>
-                  <p>organizational personnel with information system security, acquisition, and
-                     contracting responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.4">
-            <title>Use of Ficam-issued Profiles</title>
-            <prop name="label">IA-8(4)</prop>
-            <prop name="sort-id">ia-08.04</prop>
-            <part id="ia-8.4_smt" name="statement">
-               <p>The information system conforms to FICAM-issued profiles.</p>
-            </part>
-            <part id="ia-8.4_gdn" name="guidance">
-               <p>This control enhancement addresses open identity management standards. To ensure
-                  that these standards are viable, robust, reliable, sustainable (e.g., available in
-                  commercial information technology products), and interoperable as documented, the
-                  United States Government assesses and scopes identity management standards and
-                  technology implementations against applicable federal legislation, directives,
-                  policies, and requirements. The result is FICAM-issued implementation profiles of
-                  approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and
-                  OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute
-                  Exchange).</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="ia-8.4_obj" name="objective">
-               <p>Determine if the information system conforms to FICAM-issued profiles. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>system and services acquisition policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FICAM-issued profiles and associated, approved protocols</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system procurements or services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms supporting and/or implementing conformance with
-                     FICAM-issued profiles</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.5">
-            <title>Acceptance of PIV-I Credentials</title>
-            <prop name="label">IA-8(5)</prop>
-            <prop name="sort-id">ia-08.05</prop>
-            <part id="ia-8.5_smt" name="statement">
-               <p>The information system accepts and electronically verifies Personal Identity
-                  Verification-I (PIV-I) credentials.</p>
-            </part>
-            <part id="ia-8.5_gdn" name="guidance">
-               <p>This control enhancement: (i) applies to logical and physical access control
-                  systems; and (ii) addresses Non-Federal Issuers (NFIs) of identity cards that
-                  desire to interoperate with United States Government Personal Identity
-                  Verification (PIV) information systems and that can be trusted by federal
-                  government-relying parties. The X.509 certificate policy for the Federal Bridge
-                  Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is
-                  suitable for Assurance Level 4 as defined in OMB Memorandum 04-04 and NIST Special
-                  Publication 800-63, and multifactor authentication as defined in NIST Special
-                  Publication 800-116. PIV-I credentials are those credentials issued by a PIV-I
-                  provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I
-                  Certificate Policy. A PIV-I provider is cross-certified (directly or through
-                  another PKI bridge) with the FBCA with policies that have been mapped and approved
-                  as meeting the requirements of the PIV-I policies defined in the FBCA certificate
-                  policy.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="ia-8.5_obj" name="objective">
-               <p>Determine if the information system: </p>
-               <part id="ia-8.5_obj.1" name="objective">
-                  <prop name="label">IA-8(5)[1]</prop>
-                  <p>accepts Personal Identity Verification-I (PIV-I) credentials; and</p>
-               </part>
-               <part id="ia-8.5_obj.2" name="objective">
-                  <prop name="label">IA-8(5)[2]</prop>
-                  <p>electronically verifies Personal Identity Verification-I (PIV-I)
-                     credentials.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing user identification and authentication</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>PIV-I verification records</p>
-                  <p>evidence of PIV-I credentials</p>
-                  <p>PIV-I credential authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system operations
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with account management responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing identification and
-                     authentication capability</p>
-                  <p>automated mechanisms that accept and verify PIV-I credentials</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-9">
-         <title>Service Identification and Authentication</title>
-         <param id="ia-9_prm_1">
-            <label>organization-defined information system services</label>
-         </param>
-         <param id="ia-9_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">IA-9</prop>
-         <prop name="sort-id">ia-09</prop>
-         <part id="ia-9_smt" name="statement">
-            <p>The organization identifies and authenticates <insert param-id="ia-9_prm_1"/> using
-                  <insert param-id="ia-9_prm_2"/>.</p>
-         </part>
-         <part id="ia-9_gdn" name="guidance">
-            <p>This control supports service-oriented architectures and other distributed
-               architectural approaches requiring the identification and authentication of
-               information system services. In such architectures, external services often appear
-               dynamically. Therefore, information systems should be able to determine in a dynamic
-               manner, if external providers and associated services are authentic. Safeguards
-               implemented by organizational information systems to validate provider and service
-               authenticity include, for example, information or code signing, provenance graphs,
-               and/or electronic signatures indicating or including the sources of services.</p>
-         </part>
-         <part id="ia-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ia-9_obj.1" name="objective">
-               <prop name="label">IA-9[1]</prop>
-               <p>defines information system services to be identified and authenticated using
-                  security safeguards;</p>
-            </part>
-            <part id="ia-9_obj.2" name="objective">
-               <prop name="label">IA-9[2]</prop>
-               <p>defines security safeguards to be used to identify and authenticate
-                  organization-defined information system services; and</p>
-            </part>
-            <part id="ia-9_obj.3" name="objective">
-               <prop name="label">IA-9[3]</prop>
-               <p>identifies and authenticates organization-defined information system services
-                  using organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing service identification and authentication</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>security safeguards used to identify and authenticate information system
-                  services</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-               <p>organizational personnel with identification and authentication
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Security safeguards implementing service identification and authentication
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-9.1">
-            <title>Information Exchange</title>
-            <prop name="label">IA-9(1)</prop>
-            <prop name="sort-id">ia-09.01</prop>
-            <part id="ia-9.1_smt" name="statement">
-               <p>The organization ensures that service providers receive, validate, and transmit
-                  identification and authentication information.</p>
-            </part>
-            <part id="ia-9.1_obj" name="objective">
-               <p>Determine if the organization ensures that service providers: </p>
-               <part id="ia-9.1_obj.1" name="objective">
-                  <prop name="label">IA-9(1)[1]</prop>
-                  <p>receive identification and authentication information;</p>
-               </part>
-               <part id="ia-9.1_obj.2" name="objective">
-                  <prop name="label">IA-9(1)[2]</prop>
-                  <p>validate identification and authentication information; and</p>
-               </part>
-               <part id="ia-9.1_obj.3" name="objective">
-                  <prop name="label">IA-9(1)[3]</prop>
-                  <p>transmit identification and authentication information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing service identification and authentication</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identification and authentication
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>service providers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing service identification and authentication
-                     capabilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-9.2">
-            <title>Transmission of Decisions</title>
-            <param id="ia-9.2_prm_1">
-               <label>organization-defined services</label>
-            </param>
-            <prop name="label">IA-9(2)</prop>
-            <prop name="sort-id">ia-09.02</prop>
-            <part id="ia-9.2_smt" name="statement">
-               <p>The organization ensures that identification and authentication decisions are
-                  transmitted between <insert param-id="ia-9.2_prm_1"/> consistent with
-                  organizational policies.</p>
-            </part>
-            <part id="ia-9.2_gdn" name="guidance">
-               <p>For distributed architectures (e.g., service-oriented architectures), the
-                  decisions regarding the validation of identification and authentication claims may
-                  be made by services separate from the services acting on those decisions. In such
-                  situations, it is necessary to provide the identification and authentication
-                  decisions (as opposed to the actual identifiers and authenticators) to the
-                  services that need to act on those decisions.</p>
-               <link rel="related" href="#sc-8">SC-8</link>
-            </part>
-            <part id="ia-9.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ia-9.2_obj.1" name="objective">
-                  <prop name="label">IA-9(2)[1]</prop>
-                  <p>defines services for which identification and authentication decisions
-                     transmitted between such services are to be consistent with organizational
-                     policies; and</p>
-               </part>
-               <part id="ia-9.2_obj.2" name="objective">
-                  <prop name="label">IA-9(2)[2]</prop>
-                  <p>ensures that identification and authentication decisions are transmitted
-                     between organization-defined services consistent with organizational
-                     policies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Identification and authentication policy</p>
-                  <p>procedures addressing service identification and authentication</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>transmission records</p>
-                  <p>transmission verification records</p>
-                  <p>rules for identification and authentication transmission decisions between
-                     organizational services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with identification and authentication
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing service identification and authentication
-                     capabilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-10">
-         <title>Adaptive Identification and Authentication</title>
-         <param id="ia-10_prm_1">
-            <label>organization-defined supplemental authentication techniques or mechanisms</label>
-         </param>
-         <param id="ia-10_prm_2">
-            <label>organization-defined circumstances or situations</label>
-         </param>
-         <prop name="label">IA-10</prop>
-         <prop name="sort-id">ia-10</prop>
-         <part id="ia-10_smt" name="statement">
-            <p>The organization requires that individuals accessing the information system employ
-                  <insert param-id="ia-10_prm_1"/> under specific <insert param-id="ia-10_prm_2"/>.</p>
-         </part>
-         <part id="ia-10_gdn" name="guidance">
-            <p>Adversaries may compromise individual authentication mechanisms and subsequently
-               attempt to impersonate legitimate users. This situation can potentially occur with
-               any authentication mechanisms employed by organizations. To address this threat,
-               organizations may employ specific techniques/mechanisms and establish protocols to
-               assess suspicious behavior (e.g., individuals accessing information that they do not
-               typically access as part of their normal duties, roles, or responsibilities,
-               accessing greater quantities of information than the individuals would routinely
-               access, or attempting to access information from suspicious network addresses). In
-               these situations when certain preestablished conditions or triggers occur,
-               organizations can require selected individuals to provide additional authentication
-               information. Another potential use for adaptive identification and authentication is
-               to increase the strength of mechanism based on the number and/or types of records
-               being accessed.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="ia-10_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ia-10_obj.1" name="objective">
-               <prop name="label">IA-10[1]</prop>
-               <p>defines specific circumstances or situations that require individuals accessing
-                  the information system to employ supplemental authentication techniques or
-                  mechanisms;</p>
-            </part>
-            <part id="ia-10_obj.2" name="objective">
-               <prop name="label">IA-10[2]</prop>
-               <p>defines supplemental authentication techniques or mechanisms to be employed when
-                  accessing the information system under specific organization-defined circumstances
-                  or situations; and</p>
-            </part>
-            <part id="ia-10_obj.3" name="objective">
-               <prop name="label">IA-10[3]</prop>
-               <p>requires that individuals accessing the information system employ
-                  organization-defined supplemental authentication techniques or mechanisms under
-                  specific organization-defined circumstances or situations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing adaptive/ supplemental identification and authentication
-                  techniques or mechanisms</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>supplemental identification and authentication techniques or mechanisms</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-               <p>organizational personnel with identification and authentication
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-11">
-         <title>Re-authentication</title>
-         <param id="ia-11_prm_1">
-            <label>organization-defined circumstances or situations requiring
-               re-authentication</label>
-         </param>
-         <prop name="label">IA-11</prop>
-         <prop name="sort-id">ia-11</prop>
-         <part id="ia-11_smt" name="statement">
-            <p>The organization requires users and devices to re-authenticate when <insert param-id="ia-11_prm_1"/>.</p>
-         </part>
-         <part id="ia-11_gdn" name="guidance">
-            <p>In addition to the re-authentication requirements associated with session locks,
-               organizations may require re-authentication of individuals and/or devices in other
-               situations including, for example: (i) when authenticators change; (ii), when roles
-               change; (iii) when security categories of information systems change; (iv), when the
-               execution of privileged functions occurs; (v) after a fixed period of time; or (vi)
-               periodically.</p>
-            <link rel="related" href="#ac-11">AC-11</link>
-         </part>
-         <part id="ia-11_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ia-11_obj.1" name="objective">
-               <prop name="label">IA-11[1]</prop>
-               <p>defines circumstances or situations requiring re-authentication;</p>
-            </part>
-            <part id="ia-11_obj.2" name="objective">
-               <prop name="label">IA-11[2]</prop>
-               <p>requires users to re-authenticate when organization-defined circumstances or
-                  situations require re-authentication; and</p>
-            </part>
-            <part id="ia-11_obj.3" name="objective">
-               <prop name="label">IA-11[3]</prop>
-               <p>requires devices to re-authenticate when organization-defined circumstances or
-                  situations require re-authentication.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Identification and authentication policy</p>
-               <p>procedures addressing user and device re-authentication</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of circumstances or situations requiring re-authentication</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system operations responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developers</p>
-               <p>organizational personnel with identification and authentication
-                  responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing identification and
-                  authentication capability</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ir">
-      <title>Incident Response</title>
-      <control class="SP800-53" id="ir-1">
-         <title>Incident Response Policy and Procedures</title>
-         <param id="ir-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ir-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IR-1</prop>
-         <prop name="sort-id">ir-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ir-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ir-1_prm_1"/>:</p>
-               <part id="ir-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>An incident response policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ir-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the incident response policy and
-                     associated incident response controls; and</p>
-               </part>
-            </part>
-            <part id="ir-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ir-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Incident response policy <insert param-id="ir-1_prm_2"/>; and</p>
-               </part>
-               <part id="ir-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Incident response procedures <insert param-id="ir-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ir-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the IR
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ir-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-1.a_obj" name="objective">
-               <prop name="label">IR-1(a)</prop>
-               <part id="ir-1.a.1_obj" name="objective">
-                  <prop name="label">IR-1(a)(1)</prop>
-                  <part id="ir-1.a.1_obj.1" name="objective">
-                     <prop name="label">IR-1(a)(1)[1]</prop>
-                     <p>develops and documents an incident response policy that addresses:</p>
-                     <part id="ir-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ir-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">IR-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ir-1.a.1_obj.2" name="objective">
-                     <prop name="label">IR-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the incident response policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.1_obj.3" name="objective">
-                     <prop name="label">IR-1(a)(1)[3]</prop>
-                     <p>disseminates the incident response policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ir-1.a.2_obj" name="objective">
-                  <prop name="label">IR-1(a)(2)</prop>
-                  <part id="ir-1.a.2_obj.1" name="objective">
-                     <prop name="label">IR-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        incident response policy and associated incident response controls;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.2" name="objective">
-                     <prop name="label">IR-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ir-1.a.2_obj.3" name="objective">
-                     <prop name="label">IR-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-1.b_obj" name="objective">
-               <prop name="label">IR-1(b)</prop>
-               <part id="ir-1.b.1_obj" name="objective">
-                  <prop name="label">IR-1(b)(1)</prop>
-                  <part id="ir-1.b.1_obj.1" name="objective">
-                     <prop name="label">IR-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        policy;</p>
-                  </part>
-                  <part id="ir-1.b.1_obj.2" name="objective">
-                     <prop name="label">IR-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current incident response policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ir-1.b.2_obj" name="objective">
-                  <prop name="label">IR-1(b)(2)</prop>
-                  <part id="ir-1.b.2_obj.1" name="objective">
-                     <prop name="label">IR-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current incident response
-                        procedures; and</p>
-                  </part>
-                  <part id="ir-1.b.2_obj.2" name="objective">
-                     <prop name="label">IR-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current incident response procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-2">
-         <title>Incident Response Training</title>
-         <param id="ir-2_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ir-2_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IR-2</prop>
-         <prop name="sort-id">ir-02</prop>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#e12b5738-de74-4fb3-8317-a3995a8a1898" rel="reference">NIST Special Publication 800-50</link>
-         <part id="ir-2_smt" name="statement">
-            <p>The organization provides incident response training to information system users
-               consistent with assigned roles and responsibilities:</p>
-            <part id="ir-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="ir-2_prm_1"/> of assuming an incident response role or
-                  responsibility;</p>
-            </part>
-            <part id="ir-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>When required by information system changes; and</p>
-            </part>
-            <part id="ir-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="ir-2_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part id="ir-2_gdn" name="guidance">
-            <p>Incident response training provided by organizations is linked to the assigned roles
-               and responsibilities of organizational personnel to ensure the appropriate content
-               and level of detail is included in such training. For example, regular users may only
-               need to know who to call or how to recognize an incident on the information system;
-               system administrators may require additional training on how to handle/remediate
-               incidents; and incident responders may receive more specific training on forensics,
-               reporting, system recovery, and restoration. Incident response training includes user
-               training in the identification and reporting of suspicious activities, both from
-               external and internal sources.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-2.a_obj" name="objective">
-               <prop name="label">IR-2(a)</prop>
-               <part id="ir-2.a_obj.1" name="objective">
-                  <prop name="label">IR-2(a)[1]</prop>
-                  <p>defines a time period within which incident response training is to be provided
-                     to information system users assuming an incident response role or
-                     responsibility;</p>
-               </part>
-               <part id="ir-2.a_obj.2" name="objective">
-                  <prop name="label">IR-2(a)[2]</prop>
-                  <p>provides incident response training to information system users consistent with
-                     assigned roles and responsibilities within the organization-defined time period
-                     of assuming an incident response role or responsibility;</p>
-               </part>
-            </part>
-            <part id="ir-2.b_obj" name="objective">
-               <prop name="label">IR-2(b)</prop>
-               <p>provides incident response training to information system users consistent with
-                  assigned roles and responsibilities when required by information system
-                  changes;</p>
-            </part>
-            <part id="ir-2.c_obj" name="objective">
-               <prop name="label">IR-2(c)</prop>
-               <part id="ir-2.c_obj.1" name="objective">
-                  <prop name="label">IR-2(c)[1]</prop>
-                  <p>defines the frequency to provide refresher incident response training to
-                     information system users consistent with assigned roles or responsibilities;
-                     and</p>
-               </part>
-               <part id="ir-2.c_obj.2" name="objective">
-                  <prop name="label">IR-2(c)[2]</prop>
-                  <p>after the initial incident response training, provides refresher incident
-                     response training to information system users consistent with assigned roles
-                     and responsibilities in accordance with the organization-defined frequency to
-                     provide refresher training.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response training</p>
-               <p>incident response training curriculum</p>
-               <p>incident response training materials</p>
-               <p>security plan</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>incident response training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response training and operational
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-2.1">
-            <title>Simulated Events</title>
-            <prop name="label">IR-2(1)</prop>
-            <prop name="sort-id">ir-02.01</prop>
-            <part id="ir-2.1_smt" name="statement">
-               <p>The organization incorporates simulated events into incident response training to
-                  facilitate effective response by personnel in crisis situations.</p>
-            </part>
-            <part id="ir-2.1_obj" name="objective">
-               <p>Determine if the organization incorporates simulated events into incident response
-                  training to facilitate effective response by personnel in crisis situations. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response training</p>
-                  <p>incident response training curriculum</p>
-                  <p>incident response training materials</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response training and operational
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement simulated events for
-                     incident response training</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-2.2">
-            <title>Automated Training Environments</title>
-            <prop name="label">IR-2(2)</prop>
-            <prop name="sort-id">ir-02.02</prop>
-            <part id="ir-2.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to provide a more thorough and
-                  realistic incident response training environment.</p>
-            </part>
-            <part id="ir-2.2_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to provide a more
-                  thorough and realistic incident response training environment. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response training</p>
-                  <p>incident response training curriculum</p>
-                  <p>incident response training materials</p>
-                  <p>automated mechanisms supporting incident response training</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response training and operational
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that provide a thorough and realistic incident response
-                     training environment</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-3">
-         <title>Incident Response Testing</title>
-         <param id="ir-3_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ir-3_prm_2">
-            <label>organization-defined tests</label>
-         </param>
-         <prop name="label">IR-3</prop>
-         <prop name="sort-id">ir-03</prop>
-         <link href="#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf" rel="reference">NIST Special Publication 800-84</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <part id="ir-3_smt" name="statement">
-            <p>The organization tests the incident response capability for the information system
-                  <insert param-id="ir-3_prm_1"/> using <insert param-id="ir-3_prm_2"/> to determine
-               the incident response effectiveness and documents the results.</p>
-         </part>
-         <part id="ir-3_gdn" name="guidance">
-            <p>Organizations test incident response capabilities to determine the overall
-               effectiveness of the capabilities and to identify potential weaknesses or
-               deficiencies. Incident response testing includes, for example, the use of checklists,
-               walk-through or tabletop exercises, simulations (parallel/full interrupt), and
-               comprehensive exercises. Incident response testing can also include a determination
-               of the effects on organizational operations (e.g., reduction in mission
-               capabilities), organizational assets, and individuals due to incident response.</p>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-3_obj.1" name="objective">
-               <prop name="label">IR-3[1]</prop>
-               <p>defines incident response tests to test the incident response capability for the
-                  information system;</p>
-            </part>
-            <part id="ir-3_obj.2" name="objective">
-               <prop name="label">IR-3[2]</prop>
-               <p>defines the frequency to test the incident response capability for the information
-                  system; and</p>
-            </part>
-            <part id="ir-3_obj.3" name="objective">
-               <prop name="label">IR-3[3]</prop>
-               <p>tests the incident response capability for the information system with the
-                  organization-defined frequency, using organization-defined tests to determine the
-                  incident response effectiveness and documents the results.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>contingency planning policy</p>
-               <p>procedures addressing incident response testing</p>
-               <p>procedures addressing contingency plan testing</p>
-               <p>incident response testing material</p>
-               <p>incident response test results</p>
-               <p>incident response test plan</p>
-               <p>incident response plan</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response testing responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-3.1">
-            <title>Automated Testing</title>
-            <prop name="label">IR-3(1)</prop>
-            <prop name="sort-id">ir-03.01</prop>
-            <part id="ir-3.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to more thoroughly and effectively
-                  test the incident response capability.</p>
-            </part>
-            <part id="ir-3.1_gdn" name="guidance">
-               <p>Organizations use automated mechanisms to more thoroughly and effectively test
-                  incident response capabilities, for example: (i) by providing more complete
-                  coverage of incident response issues; (ii) by selecting more realistic test
-                  scenarios and test environments; and (iii) by stressing the response
-                  capability.</p>
-               <link rel="related" href="#at-2">AT-2</link>
-            </part>
-            <part id="ir-3.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to more thoroughly and
-                  effectively test the incident response capability.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>contingency planning policy</p>
-                  <p>procedures addressing incident response testing</p>
-                  <p>procedures addressing contingency plan testing</p>
-                  <p>incident response testing documentation</p>
-                  <p>incident response test results</p>
-                  <p>incident response test plan</p>
-                  <p>incident response plan</p>
-                  <p>contingency plan</p>
-                  <p>security plan</p>
-                  <p>automated mechanisms supporting incident response tests</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response testing responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that more thoroughly and effectively test the incident
-                     response capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-3.2">
-            <title>Coordination with Related Plans</title>
-            <prop name="label">IR-3(2)</prop>
-            <prop name="sort-id">ir-03.02</prop>
-            <part id="ir-3.2_smt" name="statement">
-               <p>The organization coordinates incident response testing with organizational
-                  elements responsible for related plans.</p>
-            </part>
-            <part id="ir-3.2_gdn" name="guidance">
-               <p>Organizational plans related to incident response testing include, for example,
-                  Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity
-                  of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans,
-                  and Occupant Emergency Plans.</p>
-            </part>
-            <part id="ir-3.2_obj" name="objective">
-               <p>Determine if the organization coordinates incident response testing with
-                  organizational elements responsible for related plans. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>contingency planning policy</p>
-                  <p>procedures addressing incident response testing</p>
-                  <p>incident response testing documentation</p>
-                  <p>incident response plan</p>
-                  <p>business continuity plans</p>
-                  <p>contingency plans</p>
-                  <p>disaster recovery plans</p>
-                  <p>continuity of operations plans</p>
-                  <p>crisis communications plans</p>
-                  <p>critical infrastructure plans</p>
-                  <p>occupant emergency plans</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response testing responsibilities</p>
-                  <p>organizational personnel with responsibilities for testing organizational plans
-                     related to incident response testing</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-4">
-         <title>Incident Handling</title>
-         <prop name="label">IR-4</prop>
-         <prop name="sort-id">ir-04</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Implements an incident handling capability for security incidents that includes
-                  preparation, detection and analysis, containment, eradication, and recovery;</p>
-            </part>
-            <part id="ir-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Coordinates incident handling activities with contingency planning activities;
-                  and</p>
-            </part>
-            <part id="ir-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Incorporates lessons learned from ongoing incident handling activities into
-                  incident response procedures, training, and testing, and implements the resulting
-                  changes accordingly.</p>
-            </part>
-         </part>
-         <part id="ir-4_gdn" name="guidance">
-            <p>Organizations recognize that incident response capability is dependent on the
-               capabilities of organizational information systems and the mission/business processes
-               being supported by those systems. Therefore, organizations consider incident response
-               as part of the definition, design, and development of mission/business processes and
-               information systems. Incident-related information can be obtained from a variety of
-               sources including, for example, audit monitoring, network monitoring, physical access
-               monitoring, user/administrator reports, and reported supply chain events. Effective
-               incident handling capability includes coordination among many organizational entities
-               including, for example, mission/business owners, information system owners,
-               authorizing officials, human resources offices, physical and personnel security
-               offices, legal departments, operations personnel, procurement offices, and the risk
-               executive (function).</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-4.a_obj" name="objective">
-               <prop name="label">IR-4(a)</prop>
-               <p>implements an incident handling capability for security incidents that
-                  includes:</p>
-               <part id="ir-4.a_obj.1" name="objective">
-                  <prop name="label">IR-4(a)[1]</prop>
-                  <p>preparation;</p>
-               </part>
-               <part id="ir-4.a_obj.2" name="objective">
-                  <prop name="label">IR-4(a)[2]</prop>
-                  <p>detection and analysis;</p>
-               </part>
-               <part id="ir-4.a_obj.3" name="objective">
-                  <prop name="label">IR-4(a)[3]</prop>
-                  <p>containment;</p>
-               </part>
-               <part id="ir-4.a_obj.4" name="objective">
-                  <prop name="label">IR-4(a)[4]</prop>
-                  <p>eradication;</p>
-               </part>
-               <part id="ir-4.a_obj.5" name="objective">
-                  <prop name="label">IR-4(a)[5]</prop>
-                  <p>recovery;</p>
-               </part>
-            </part>
-            <part id="ir-4.b_obj" name="objective">
-               <prop name="label">IR-4(b)</prop>
-               <p>coordinates incident handling activities with contingency planning activities;</p>
-            </part>
-            <part id="ir-4.c_obj" name="objective">
-               <prop name="label">IR-4(c)</prop>
-               <part id="ir-4.c_obj.1" name="objective">
-                  <prop name="label">IR-4(c)[1]</prop>
-                  <p>incorporates lessons learned from ongoing incident handling activities
-                     into:</p>
-                  <part id="ir-4.c_obj.1.a" name="objective">
-                     <prop name="label">IR-4(c)[1][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.b" name="objective">
-                     <prop name="label">IR-4(c)[1][b]</prop>
-                     <p>training;</p>
-                  </part>
-                  <part id="ir-4.c_obj.1.c" name="objective">
-                     <prop name="label">IR-4(c)[1][c]</prop>
-                     <p>testing/exercises;</p>
-                  </part>
-               </part>
-               <part id="ir-4.c_obj.2" name="objective">
-                  <prop name="label">IR-4(c)[2]</prop>
-                  <p>implements the resulting changes accordingly to:</p>
-                  <part id="ir-4.c_obj.2.a" name="objective">
-                     <prop name="label">IR-4(c)[2][a]</prop>
-                     <p>incident response procedures;</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.b" name="objective">
-                     <prop name="label">IR-4(c)[2][b]</prop>
-                     <p>training; and</p>
-                  </part>
-                  <part id="ir-4.c_obj.2.c" name="objective">
-                     <prop name="label">IR-4(c)[2][c]</prop>
-                     <p>testing/exercises.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>contingency planning policy</p>
-               <p>procedures addressing incident handling</p>
-               <p>incident response plan</p>
-               <p>contingency plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident handling responsibilities</p>
-               <p>organizational personnel with contingency planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident handling capability for the organization</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-4.1">
-            <title>Automated Incident Handling Processes</title>
-            <prop name="label">IR-4(1)</prop>
-            <prop name="sort-id">ir-04.01</prop>
-            <part id="ir-4.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to support the incident handling
-                  process.</p>
-            </part>
-            <part id="ir-4.1_gdn" name="guidance">
-               <p>Automated mechanisms supporting incident handling processes include, for example,
-                  online incident management systems.</p>
-            </part>
-            <part id="ir-4.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to support the incident
-                  handling process. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting incident handling</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement the incident handling
-                     process</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.2">
-            <title>Dynamic Reconfiguration</title>
-            <param id="ir-4.2_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">IR-4(2)</prop>
-            <prop name="sort-id">ir-04.02</prop>
-            <part id="ir-4.2_smt" name="statement">
-               <p>The organization includes dynamic reconfiguration of <insert param-id="ir-4.2_prm_1"/> as part of the incident response capability.</p>
-            </part>
-            <part id="ir-4.2_gdn" name="guidance">
-               <p>Dynamic reconfiguration includes, for example, changes to router rules, access
-                  control lists, intrusion detection/prevention system parameters, and filter rules
-                  for firewalls and gateways. Organizations perform dynamic reconfiguration of
-                  information systems, for example, to stop attacks, to misdirect attackers, and to
-                  isolate components of systems, thus limiting the extent of the damage from
-                  breaches or compromises. Organizations include time frames for achieving the
-                  reconfiguration of information systems in the definition of the reconfiguration
-                  capability, considering the potential need for rapid response in order to
-                  effectively address sophisticated cyber threats.</p>
-               <link rel="related" href="#ac-2">AC-2</link>
-               <link rel="related" href="#ac-4">AC-4</link>
-               <link rel="related" href="#ac-16">AC-16</link>
-               <link rel="related" href="#cm-2">CM-2</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-4">CM-4</link>
-            </part>
-            <part id="ir-4.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-4.2_obj.1" name="objective">
-                  <prop name="label">IR-4(2)[1]</prop>
-                  <p>defines information system components to be dynamically reconfigured as part of
-                     the incident response capability; and</p>
-               </part>
-               <part id="ir-4.2_obj.2" name="objective">
-                  <prop name="label">IR-4(2)[2]</prop>
-                  <p>includes dynamic reconfiguration of organization-defined information system
-                     components as part of the incident response capability.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting incident handling</p>
-                  <p>list of system components to be dynamically reconfigured as part of incident
-                     response capability</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement dynamic reconfiguration of
-                     components as part of incident response</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.3">
-            <title>Continuity of Operations</title>
-            <param id="ir-4.3_prm_1">
-               <label>organization-defined classes of incidents</label>
-            </param>
-            <param id="ir-4.3_prm_2">
-               <label>organization-defined actions to take in response to classes of
-                  incidents</label>
-            </param>
-            <prop name="label">IR-4(3)</prop>
-            <prop name="sort-id">ir-04.03</prop>
-            <part id="ir-4.3_smt" name="statement">
-               <p>The organization identifies <insert param-id="ir-4.3_prm_1"/> and <insert param-id="ir-4.3_prm_2"/> to ensure continuation of organizational missions and
-                  business functions.</p>
-            </part>
-            <part id="ir-4.3_gdn" name="guidance">
-               <p>Classes of incidents include, for example, malfunctions due to
-                  design/implementation errors and omissions, targeted malicious attacks, and
-                  untargeted malicious attacks. Appropriate incident response actions include, for
-                  example, graceful degradation, information system shutdown, fall back to manual
-                  mode/alternative technology whereby the system operates differently, employing
-                  deceptive measures, alternate information flows, or operating in a mode that is
-                  reserved solely for when systems are under attack.</p>
-            </part>
-            <part id="ir-4.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-4.3_obj.1" name="objective">
-                  <prop name="label">IR-4(3)[1]</prop>
-                  <p>defines classes of incidents requiring an organization-defined action to be
-                     taken;</p>
-               </part>
-               <part id="ir-4.3_obj.2" name="objective">
-                  <prop name="label">IR-4(3)[2]</prop>
-                  <p>defines actions to be taken in response to organization-defined classes of
-                     incidents; and</p>
-               </part>
-               <part id="ir-4.3_obj.3" name="objective">
-                  <prop name="label">IR-4(3)[3]</prop>
-                  <p>identifies organization-defined classes of incidents and organization-defined
-                     actions to take in response to classes of incidents to ensure continuation of
-                     organizational missions and business functions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>list of classes of incidents</p>
-                  <p>list of appropriate incident response actions</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms that support and/or implement continuity of operations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.4">
-            <title>Information Correlation</title>
-            <prop name="label">IR-4(4)</prop>
-            <prop name="sort-id">ir-04.04</prop>
-            <part id="ir-4.4_smt" name="statement">
-               <p>The organization correlates incident information and individual incident responses
-                  to achieve an organization-wide perspective on incident awareness and
-                  response.</p>
-            </part>
-            <part id="ir-4.4_gdn" name="guidance">
-               <p>Sometimes the nature of a threat event, for example, a hostile cyber attack, is
-                  such that it can only be observed by bringing together information from different
-                  sources including various reports and reporting procedures established by
-                  organizations.</p>
-            </part>
-            <part id="ir-4.4_obj" name="objective">
-               <p>Determine if the organization correlates incident information and individual
-                  incident responses to achieve an organization-wide perspective on incident
-                  awareness and response. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>automated mechanisms supporting incident and event correlation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident management correlation logs</p>
-                  <p>event management correlation logs</p>
-                  <p>security information and event management logs</p>
-                  <p>incident management correlation reports</p>
-                  <p>event management correlation reports</p>
-                  <p>security information and event management reports</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with whom incident information and individual incident
-                     responses are to be correlated</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for correlating incident information and individual
-                     incident responses</p>
-                  <p>automated mechanisms that support and or implement correlation of incident
-                     response information with individual incident responses</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.5">
-            <title>Automatic Disabling of Information System</title>
-            <param id="ir-4.5_prm_1">
-               <label>organization-defined security violations</label>
-            </param>
-            <prop name="label">IR-4(5)</prop>
-            <prop name="sort-id">ir-04.05</prop>
-            <part id="ir-4.5_smt" name="statement">
-               <p>The organization implements a configurable capability to automatically disable the
-                  information system if <insert param-id="ir-4.5_prm_1"/> are detected.</p>
-            </part>
-            <part id="ir-4.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-4.5_obj.1" name="objective">
-                  <prop name="label">IR-4(5)[1]</prop>
-                  <p>defines security violations that, if detected, initiate a configurable
-                     capability to automatically disable the information system; and</p>
-               </part>
-               <part id="ir-4.5_obj.2" name="objective">
-                  <prop name="label">IR-4(5)[2]</prop>
-                  <p>implements a configurable capability to automatically disable the information
-                     system if any of the organization-defined security violations are detected.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting incident handling</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Incident handling capability for the organization</p>
-                  <p>automated mechanisms supporting and/or implementing automatic disabling of the
-                     information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.6">
-            <title>Insider Threats - Specific Capabilities</title>
-            <prop name="label">IR-4(6)</prop>
-            <prop name="sort-id">ir-04.06</prop>
-            <part id="ir-4.6_smt" name="statement">
-               <p>The organization implements incident handling capability for insider threats.</p>
-            </part>
-            <part id="ir-4.6_gdn" name="guidance">
-               <p>While many organizations address insider threat incidents as an inherent part of
-                  their organizational incident response capability, this control enhancement
-                  provides additional emphasis on this type of threat and the need for specific
-                  incident handling capabilities (as defined within organizations) to provide
-                  appropriate and timely responses.</p>
-            </part>
-            <part id="ir-4.6_obj" name="objective">
-               <p>Determine if the organization implements incident handling capability for insider
-                  threats.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting incident handling</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Incident handling capability for the organization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.7">
-            <title>Insider Threats - Intra-organization Coordination</title>
-            <param id="ir-4.7_prm_1">
-               <label>organization-defined components or elements of the organization</label>
-            </param>
-            <prop name="label">IR-4(7)</prop>
-            <prop name="sort-id">ir-04.07</prop>
-            <part id="ir-4.7_smt" name="statement">
-               <p>The organization coordinates incident handling capability for insider threats
-                  across <insert param-id="ir-4.7_prm_1"/>.</p>
-            </part>
-            <part id="ir-4.7_gdn" name="guidance">
-               <p>Incident handling for insider threat incidents (including preparation, detection
-                  and analysis, containment, eradication, and recovery) requires close coordination
-                  among a variety of organizational components or elements to be effective. These
-                  components or elements include, for example, mission/business owners, information
-                  system owners, human resources offices, procurement offices, personnel/physical
-                  security offices, operations personnel, and risk executive (function). In
-                  addition, organizations may require external support from federal, state, and
-                  local law enforcement agencies.</p>
-            </part>
-            <part id="ir-4.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-4.7_obj.1" name="objective">
-                  <prop name="label">IR-4(7)[1]</prop>
-                  <p>defines components or elements of the organization with whom the incident
-                     handling capability for insider threats is to be coordinated; and</p>
-               </part>
-               <part id="ir-4.7_obj.2" name="objective">
-                  <prop name="label">IR-4(7)[2]</prop>
-                  <p>coordinates incident handling capability for insider threats across
-                     organization-defined components or elements of the organization.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel/elements with whom incident handling capability is to
-                     be coordinated</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for coordinating incident handling</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.8">
-            <title>Correlation with External Organizations</title>
-            <param id="ir-4.8_prm_1">
-               <label>organization-defined external organizations</label>
-            </param>
-            <param id="ir-4.8_prm_2">
-               <label>organization-defined incident information</label>
-            </param>
-            <prop name="label">IR-4(8)</prop>
-            <prop name="sort-id">ir-04.08</prop>
-            <part id="ir-4.8_smt" name="statement">
-               <p>The organization coordinates with <insert param-id="ir-4.8_prm_1"/> to correlate
-                  and share <insert param-id="ir-4.8_prm_2"/> to achieve a cross-organization
-                  perspective on incident awareness and more effective incident responses.</p>
-            </part>
-            <part id="ir-4.8_gdn" name="guidance">
-               <p>The coordination of incident information with external organizations including,
-                  for example, mission/business partners, military/coalition partners, customers,
-                  and multitiered developers, can provide significant benefits. Cross-organizational
-                  coordination with respect to incident handling can serve as an important risk
-                  management capability. This capability allows organizations to leverage critical
-                  information from a variety of sources to effectively respond to information
-                  security-related incidents potentially affecting the organization’s operations,
-                  assets, and individuals.</p>
-            </part>
-            <part id="ir-4.8_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-4.8_obj.1" name="objective">
-                  <prop name="label">IR-4(8)[1]</prop>
-                  <p>defines external organizations with whom organizational incident information is
-                     to be coordinated;</p>
-               </part>
-               <part id="ir-4.8_obj.2" name="objective">
-                  <prop name="label">IR-4(8)[2]</prop>
-                  <p>defines incident information to be correlated and shared with
-                     organization-defined external organizations; and</p>
-               </part>
-               <part id="ir-4.8_obj.3" name="objective">
-                  <prop name="label">IR-4(8)[3]</prop>
-                  <p>the organization coordinates with organization-defined external organizations
-                     to correlate and share organization-defined information to achieve a
-                     cross-organization perspective on incident awareness and more effective
-                     incident responses.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>list of external organizations</p>
-                  <p>records of incident handling coordination with external organizations</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>personnel from external organizations with whom incident response information
-                     is to be coordinated/shared/correlated</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for coordinating incident handling information with
-                     external organizations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.9">
-            <title>Dynamic Response Capability</title>
-            <param id="ir-4.9_prm_1">
-               <label>organization-defined dynamic response capabilities</label>
-            </param>
-            <prop name="label">IR-4(9)</prop>
-            <prop name="sort-id">ir-04.09</prop>
-            <part id="ir-4.9_smt" name="statement">
-               <p>The organization employs <insert param-id="ir-4.9_prm_1"/> to effectively respond
-                  to security incidents.</p>
-            </part>
-            <part id="ir-4.9_gdn" name="guidance">
-               <p>This control enhancement addresses the deployment of replacement or new
-                  capabilities in a timely manner in response to security incidents (e.g., adversary
-                  actions during hostile cyber attacks). This includes capabilities implemented at
-                  the mission/business process level (e.g., activating alternative mission/business
-                  processes) and at the information system level.</p>
-               <link rel="related" href="#cp-10">CP-10</link>
-            </part>
-            <part id="ir-4.9_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-4.9_obj.1" name="objective">
-                  <prop name="label">IR-4(9)[1]</prop>
-                  <p>defines dynamic response capabilities to be employed to effectively respond to
-                     security incidents; and</p>
-               </part>
-               <part id="ir-4.9_obj.2" name="objective">
-                  <prop name="label">IR-4(9)[2]</prop>
-                  <p>employs organization-defined dynamic response capabilities to effectively
-                     respond to security incidents.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>automated mechanisms supporting dynamic response capabilities</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for dynamic response capability</p>
-                  <p>automated mechanisms supporting and/or implementing the dynamic response
-                     capability for the organization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.10">
-            <title>Supply Chain Coordination</title>
-            <prop name="label">IR-4(10)</prop>
-            <prop name="sort-id">ir-04.10</prop>
-            <part id="ir-4.10_smt" name="statement">
-               <p>The organization coordinates incident handling activities involving supply chain
-                  events with other organizations involved in the supply chain.</p>
-            </part>
-            <part id="ir-4.10_gdn" name="guidance">
-               <p>Organizations involved in supply chain activities include, for example,
-                  system/product developers, integrators, manufacturers, packagers, assemblers,
-                  distributors, vendors, and resellers. Supply chain incidents include, for example,
-                  compromises/breaches involving information system components, information
-                  technology products, development processes or personnel, and distribution
-                  processes or warehousing facilities.</p>
-            </part>
-            <part id="ir-4.10_obj" name="objective">
-               <p>Determine if the organization coordinates incident handling activities involving
-                  supply chain events with other organizations involved in the supply chain.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing supply chain coordination</p>
-                  <p>acquisition contracts</p>
-                  <p>service-level agreements</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>incident response plans of other organization involved in supply chain
-                     activities</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident handling responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-5">
-         <title>Incident Monitoring</title>
-         <prop name="label">IR-5</prop>
-         <prop name="sort-id">ir-05</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-5_smt" name="statement">
-            <p>The organization tracks and documents information system security incidents.</p>
-         </part>
-         <part id="ir-5_gdn" name="guidance">
-            <p>Documenting information system security incidents includes, for example, maintaining
-               records about each incident, the status of the incident, and other pertinent
-               information necessary for forensics, evaluating incident details, trends, and
-               handling. Incident information can be obtained from a variety of sources including,
-               for example, incident reports, incident response teams, audit monitoring, network
-               monitoring, physical access monitoring, and user/administrator reports.</p>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="ir-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-5_obj.1" name="objective">
-               <prop name="label">IR-5[1]</prop>
-               <p>tracks information system security incidents; and</p>
-            </part>
-            <part id="ir-5_obj.2" name="objective">
-               <prop name="label">IR-5[2]</prop>
-               <p>documents information system security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident monitoring</p>
-               <p>incident response records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident monitoring responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Incident monitoring capability for the organization</p>
-               <p>automated mechanisms supporting and/or implementing tracking and documenting of
-                  system security incidents</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-5.1">
-            <title>Automated Tracking / Data Collection / Analysis</title>
-            <prop name="label">IR-5(1)</prop>
-            <prop name="sort-id">ir-05.01</prop>
-            <part id="ir-5.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to assist in the tracking of
-                  security incidents and in the collection and analysis of incident information.</p>
-            </part>
-            <part id="ir-5.1_gdn" name="guidance">
-               <p>Automated mechanisms for tracking security incidents and collecting/analyzing
-                  incident information include, for example, the Einstein network monitoring device
-                  and monitoring online Computer Incident Response Centers (CIRCs) or other
-                  electronic databases of incidents.</p>
-               <link rel="related" href="#au-7">AU-7</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="ir-5.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to assist in:</p>
-               <part id="ir-5.1_obj.1" name="objective">
-                  <prop name="label">IR-5(1)[1]</prop>
-                  <p>the tracking of security incidents;</p>
-               </part>
-               <part id="ir-5.1_obj.2" name="objective">
-                  <prop name="label">IR-5(1)[2]</prop>
-                  <p>the collection of incident information; and</p>
-               </part>
-               <part id="ir-5.1_obj.3" name="objective">
-                  <prop name="label">IR-5(1)[3]</prop>
-                  <p>the analysis of incident information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident monitoring</p>
-                  <p>automated mechanisms supporting incident monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms assisting in tracking of security incidents and in the
-                     collection and analysis of incident information</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-6">
-         <title>Incident Reporting</title>
-         <param id="ir-6_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ir-6_prm_2">
-            <label>organization-defined authorities</label>
-         </param>
-         <prop name="label">IR-6</prop>
-         <prop name="sort-id">ir-06</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#02631467-668b-4233-989b-3dfded2fd184" rel="reference">http://www.us-cert.gov</link>
-         <part id="ir-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires personnel to report suspected security incidents to the organizational
-                  incident response capability within <insert param-id="ir-6_prm_1"/>; and</p>
-            </part>
-            <part id="ir-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports security incident information to <insert param-id="ir-6_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="ir-6_gdn" name="guidance">
-            <p>The intent of this control is to address both specific incident reporting
-               requirements within an organization and the formal incident reporting requirements
-               for federal agencies and their subordinate organizations. Suspected security
-               incidents include, for example, the receipt of suspicious email communications that
-               can potentially contain malicious code. The types of security incidents reported, the
-               content and timeliness of the reports, and the designated reporting authorities
-               reflect applicable federal laws, Executive Orders, directives, regulations, policies,
-               standards, and guidance. Current federal policy requires that all federal agencies
-               (unless specifically exempted from such requirements) report security incidents to
-               the United States Computer Emergency Readiness Team (US-CERT) within specified time
-               frames designated in the US-CERT Concept of Operations for Federal Cyber Security
-               Incident Handling.</p>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="ir-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-6.a_obj" name="objective">
-               <prop name="label">IR-6(a)</prop>
-               <part id="ir-6.a_obj.1" name="objective">
-                  <prop name="label">IR-6(a)[1]</prop>
-                  <p>defines the time period within which personnel report suspected security
-                     incidents to the organizational incident response capability;</p>
-               </part>
-               <part id="ir-6.a_obj.2" name="objective">
-                  <prop name="label">IR-6(a)[2]</prop>
-                  <p>requires personnel to report suspected security incidents to the organizational
-                     incident response capability within the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="ir-6.b_obj" name="objective">
-               <prop name="label">IR-6(b)</prop>
-               <part id="ir-6.b_obj.1" name="objective">
-                  <prop name="label">IR-6(b)[1]</prop>
-                  <p>defines authorities to whom security incident information is to be reported;
-                     and</p>
-               </part>
-               <part id="ir-6.b_obj.2" name="objective">
-                  <prop name="label">IR-6(b)[2]</prop>
-                  <p>reports security incident information to organization-defined authorities.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident reporting</p>
-               <p>incident reporting records and documentation</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident reporting responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel who have/should have reported incidents</p>
-               <p>personnel (authorities) to whom incident information is to be reported</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident reporting</p>
-               <p>automated mechanisms supporting and/or implementing incident reporting</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-6.1">
-            <title>Automated Reporting</title>
-            <prop name="label">IR-6(1)</prop>
-            <prop name="sort-id">ir-06.01</prop>
-            <part id="ir-6.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to assist in the reporting of
-                  security incidents.</p>
-            </part>
-            <part id="ir-6.1_gdn" name="guidance">
-               <link rel="related" href="#ir-7">IR-7</link>
-            </part>
-            <part id="ir-6.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to assist in the
-                  reporting of security incidents.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident reporting</p>
-                  <p>automated mechanisms supporting incident reporting</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident reporting responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incident reporting</p>
-                  <p>automated mechanisms supporting and/or implementing reporting of security
-                     incidents</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-6.2">
-            <title>Vulnerabilities Related to Incidents</title>
-            <param id="ir-6.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IR-6(2)</prop>
-            <prop name="sort-id">ir-06.02</prop>
-            <part id="ir-6.2_smt" name="statement">
-               <p>The organization reports information system vulnerabilities associated with
-                  reported security incidents to <insert param-id="ir-6.2_prm_1"/>.</p>
-            </part>
-            <part id="ir-6.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-6.2_obj.1" name="objective">
-                  <prop name="label">IR-6(2)[1]</prop>
-                  <p>defines personnel or roles to whom information system vulnerabilities
-                     associated with reported security incidents are to be reported; and</p>
-               </part>
-               <part id="ir-6.2_obj.2" name="objective">
-                  <prop name="label">IR-6(2)[2]</prop>
-                  <p>reports information system vulnerabilities associated with reported security
-                     incidents to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident reporting</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>security incident reports and associated information system vulnerabilities</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident reporting responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>personnel to whom vulnerabilities associated with security incidents are to be
-                     reported</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incident reporting</p>
-                  <p>automated mechanisms supporting and/or implementing reporting of
-                     vulnerabilities associated with security incidents</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-6.3">
-            <title>Coordination with Supply Chain</title>
-            <prop name="label">IR-6(3)</prop>
-            <prop name="sort-id">ir-06.03</prop>
-            <part id="ir-6.3_smt" name="statement">
-               <p>The organization provides security incident information to other organizations
-                  involved in the supply chain for information systems or information system
-                  components related to the incident.</p>
-            </part>
-            <part id="ir-6.3_gdn" name="guidance">
-               <p>Organizations involved in supply chain activities include, for example,
-                  system/product developers, integrators, manufacturers, packagers, assemblers,
-                  distributors, vendors, and resellers. Supply chain incidents include, for example,
-                  compromises/breaches involving information system components, information
-                  technology products, development processes or personnel, and distribution
-                  processes or warehousing facilities. Organizations determine the appropriate
-                  information to share considering the value gained from support by external
-                  organizations with the potential for harm due to sensitive information being
-                  released to outside organizations of perhaps questionable trustworthiness.</p>
-            </part>
-            <part id="ir-6.3_obj" name="objective">
-               <p>Determine if the organization provides security incident information to other
-                  organizations involved in the supply chain for information systems or information
-                  system components related to the incident.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing supply chain coordination</p>
-                  <p>acquisition contracts</p>
-                  <p>service-level agreements</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>plans of other organization involved in supply chain activities</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident reporting responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incident reporting</p>
-                  <p>automated mechanisms supporting and/or implementing reporting of incident
-                     information involved in the supply chain</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-7">
-         <title>Incident Response Assistance</title>
-         <prop name="label">IR-7</prop>
-         <prop name="sort-id">ir-07</prop>
-         <part id="ir-7_smt" name="statement">
-            <p>The organization provides an incident response support resource, integral to the
-               organizational incident response capability that offers advice and assistance to
-               users of the information system for the handling and reporting of security
-               incidents.</p>
-         </part>
-         <part id="ir-7_gdn" name="guidance">
-            <p>Incident response support resources provided by organizations include, for example,
-               help desks, assistance groups, and access to forensics services, when required.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-         </part>
-         <part id="ir-7_obj" name="objective">
-            <p>Determine if the organization provides an incident response support resource:</p>
-            <part id="ir-7_obj.1" name="objective">
-               <prop name="label">IR-7[1]</prop>
-               <p>that is integral to the organizational incident response capability; and</p>
-            </part>
-            <part id="ir-7_obj.2" name="objective">
-               <prop name="label">IR-7[2]</prop>
-               <p>that offers advice and assistance to users of the information system for the
-                  handling and reporting of security incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response assistance</p>
-               <p>incident response plan</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response assistance and support
-                  responsibilities</p>
-               <p>organizational personnel with access to incident response support and assistance
-                  capability</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for incident response assistance</p>
-               <p>automated mechanisms supporting and/or implementing incident response
-                  assistance</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-7.1">
-            <title>Automation Support for Availability of Information / Support</title>
-            <prop name="label">IR-7(1)</prop>
-            <prop name="sort-id">ir-07.01</prop>
-            <part id="ir-7.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to increase the availability of
-                  incident response-related information and support.</p>
-            </part>
-            <part id="ir-7.1_gdn" name="guidance">
-               <p>Automated mechanisms can provide a push and/or pull capability for users to obtain
-                  incident response assistance. For example, individuals might have access to a
-                  website to query the assistance capability, or conversely, the assistance
-                  capability may have the ability to proactively send information to users (general
-                  distribution or targeted) as part of increasing understanding of current response
-                  capabilities and support.</p>
-            </part>
-            <part id="ir-7.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to increase the
-                  availability of incident response-related information and support.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response assistance</p>
-                  <p>automated mechanisms supporting incident response support and assistance</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response support and assistance
-                     responsibilities</p>
-                  <p>organizational personnel with access to incident response support and
-                     assistance capability</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incident response assistance</p>
-                  <p>automated mechanisms supporting and/or implementing an increase in the
-                     availability of incident response information and support</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-7.2">
-            <title>Coordination with External Providers</title>
-            <prop name="label">IR-7(2)</prop>
-            <prop name="sort-id">ir-07.02</prop>
-            <part id="ir-7.2_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ir-7.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Establishes a direct, cooperative relationship between its incident response
-                     capability and external providers of information system protection capability;
-                     and</p>
-               </part>
-               <part id="ir-7.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Identifies organizational incident response team members to the external
-                     providers.</p>
-               </part>
-            </part>
-            <part id="ir-7.2_gdn" name="guidance">
-               <p>External providers of information system protection capability include, for
-                  example, the Computer Network Defense program within the U.S. Department of
-                  Defense. External providers help to protect, monitor, analyze, detect, and respond
-                  to unauthorized activity within organizational information systems and
-                  networks.</p>
-            </part>
-            <part id="ir-7.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-7.2.a_obj" name="objective">
-                  <prop name="label">IR-7(2)(a)</prop>
-                  <p>establishes a direct, cooperative relationship between its incident response
-                     capability and external providers of information system protection capability;
-                     and</p>
-                  <link rel="corresp" href="#ir-7.2_smt.a">IR-7(2)(a)</link>
-               </part>
-               <part id="ir-7.2.b_obj" name="objective">
-                  <prop name="label">IR-7(2)(b)</prop>
-                  <p>identifies organizational incident response team members to the external
-                     providers.</p>
-                  <link rel="corresp" href="#ir-7.2_smt.b">IR-7(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident response assistance</p>
-                  <p>incident response plan</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response support and assistance
-                     responsibilities</p>
-                  <p>external providers of information system protection capability</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-8">
-         <title>Incident Response Plan</title>
-         <param id="ir-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-8_prm_2">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <param id="ir-8_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ir-8_prm_4">
-            <label>organization-defined incident response personnel (identified by name and/or by
-               role) and organizational elements</label>
-         </param>
-         <prop name="label">IR-8</prop>
-         <prop name="sort-id">ir-08</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <part id="ir-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ir-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops an incident response plan that:</p>
-               <part id="ir-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Meets the unique requirements of the organization, which relate to mission,
-                     size, structure, and functions;</p>
-               </part>
-               <part id="ir-8_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Defines reportable incidents;</p>
-               </part>
-               <part id="ir-8_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability; and</p>
-               </part>
-               <part id="ir-8_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Is reviewed and approved by <insert param-id="ir-8_prm_1"/>;</p>
-               </part>
-            </part>
-            <part id="ir-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the incident response plan to <insert param-id="ir-8_prm_2"/>;</p>
-            </part>
-            <part id="ir-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the incident response plan <insert param-id="ir-8_prm_3"/>;</p>
-            </part>
-            <part id="ir-8_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan implementation, execution, or testing;</p>
-            </part>
-            <part id="ir-8_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Communicates incident response plan changes to <insert param-id="ir-8_prm_4"/>;
-                  and</p>
-            </part>
-            <part id="ir-8_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part id="ir-8_gdn" name="guidance">
-            <p>It is important that organizations develop and implement a coordinated approach to
-               incident response. Organizational missions, business functions, strategies, goals,
-               and objectives for incident response help to determine the structure of incident
-               response capabilities. As part of a comprehensive incident response capability,
-               organizations consider the coordination and sharing of information with external
-               organizations, including, for example, external service providers and organizations
-               involved in the supply chain for organizational information systems.</p>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-         </part>
-         <part id="ir-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ir-8.a_obj" name="objective">
-               <prop name="label">IR-8(a)</prop>
-               <p>develops an incident response plan that:</p>
-               <part id="ir-8.a.1_obj" name="objective">
-                  <prop name="label">IR-8(a)(1)</prop>
-                  <p>provides the organization with a roadmap for implementing its incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.2_obj" name="objective">
-                  <prop name="label">IR-8(a)(2)</prop>
-                  <p>describes the structure and organization of the incident response
-                     capability;</p>
-               </part>
-               <part id="ir-8.a.3_obj" name="objective">
-                  <prop name="label">IR-8(a)(3)</prop>
-                  <p>provides a high-level approach for how the incident response capability fits
-                     into the overall organization;</p>
-               </part>
-               <part id="ir-8.a.4_obj" name="objective">
-                  <prop name="label">IR-8(a)(4)</prop>
-                  <p>meets the unique requirements of the organization, which relate to:</p>
-                  <part id="ir-8.a.4_obj.1" name="objective">
-                     <prop name="label">IR-8(a)(4)[1]</prop>
-                     <p>mission;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.2" name="objective">
-                     <prop name="label">IR-8(a)(4)[2]</prop>
-                     <p>size;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.3" name="objective">
-                     <prop name="label">IR-8(a)(4)[3]</prop>
-                     <p>structure;</p>
-                  </part>
-                  <part id="ir-8.a.4_obj.4" name="objective">
-                     <prop name="label">IR-8(a)(4)[4]</prop>
-                     <p>functions;</p>
-                  </part>
-               </part>
-               <part id="ir-8.a.5_obj" name="objective">
-                  <prop name="label">IR-8(a)(5)</prop>
-                  <p>defines reportable incidents;</p>
-               </part>
-               <part id="ir-8.a.6_obj" name="objective">
-                  <prop name="label">IR-8(a)(6)</prop>
-                  <p>provides metrics for measuring the incident response capability within the
-                     organization;</p>
-               </part>
-               <part id="ir-8.a.7_obj" name="objective">
-                  <prop name="label">IR-8(a)(7)</prop>
-                  <p>defines the resources and management support needed to effectively maintain and
-                     mature an incident response capability;</p>
-               </part>
-               <part id="ir-8.a.8_obj" name="objective">
-                  <prop name="label">IR-8(a)(8)</prop>
-                  <part id="ir-8.a.8_obj.1" name="objective">
-                     <prop name="label">IR-8(a)(8)[1]</prop>
-                     <p>defines personnel or roles to review and approve the incident response
-                        plan;</p>
-                  </part>
-                  <part id="ir-8.a.8_obj.2" name="objective">
-                     <prop name="label">IR-8(a)(8)[2]</prop>
-                     <p>is reviewed and approved by organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ir-8.b_obj" name="objective">
-               <prop name="label">IR-8(b)</prop>
-               <part id="ir-8.b_obj.1" name="objective">
-                  <prop name="label">IR-8(b)[1]</prop>
-                  <part id="ir-8.b_obj.1.a" name="objective">
-                     <prop name="label">IR-8(b)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom copies of the incident response plan are to be distributed;</p>
-                  </part>
-                  <part id="ir-8.b_obj.1.b" name="objective">
-                     <prop name="label">IR-8(b)[1][b]</prop>
-                     <p>defines organizational elements to whom copies of the incident response plan
-                        are to be distributed;</p>
-                  </part>
-               </part>
-               <part id="ir-8.b_obj.2" name="objective">
-                  <prop name="label">IR-8(b)[2]</prop>
-                  <p>distributes copies of the incident response plan to organization-defined
-                     incident response personnel (identified by name and/or by role) and
-                     organizational elements;</p>
-               </part>
-            </part>
-            <part id="ir-8.c_obj" name="objective">
-               <prop name="label">IR-8(c)</prop>
-               <part id="ir-8.c_obj.1" name="objective">
-                  <prop name="label">IR-8(c)[1]</prop>
-                  <p>defines the frequency to review the incident response plan;</p>
-               </part>
-               <part id="ir-8.c_obj.2" name="objective">
-                  <prop name="label">IR-8(c)[2]</prop>
-                  <p>reviews the incident response plan with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ir-8.d_obj" name="objective">
-               <prop name="label">IR-8(d)</prop>
-               <p>updates the incident response plan to address system/organizational changes or
-                  problems encountered during plan:</p>
-               <part id="ir-8.d_obj.1" name="objective">
-                  <prop name="label">IR-8(d)[1]</prop>
-                  <p>implementation;</p>
-               </part>
-               <part id="ir-8.d_obj.2" name="objective">
-                  <prop name="label">IR-8(d)[2]</prop>
-                  <p>execution; or</p>
-               </part>
-               <part id="ir-8.d_obj.3" name="objective">
-                  <prop name="label">IR-8(d)[3]</prop>
-                  <p>testing;</p>
-               </part>
-            </part>
-            <part id="ir-8.e_obj" name="objective">
-               <prop name="label">IR-8(e)</prop>
-               <part id="ir-8.e_obj.1" name="objective">
-                  <prop name="label">IR-8(e)[1]</prop>
-                  <part id="ir-8.e_obj.1.a" name="objective">
-                     <prop name="label">IR-8(e)[1][a]</prop>
-                     <p>defines incident response personnel (identified by name and/or by role) to
-                        whom incident response plan changes are to be communicated;</p>
-                  </part>
-                  <part id="ir-8.e_obj.1.b" name="objective">
-                     <prop name="label">IR-8(e)[1][b]</prop>
-                     <p>defines organizational elements to whom incident response plan changes are
-                        to be communicated;</p>
-                  </part>
-               </part>
-               <part id="ir-8.e_obj.2" name="objective">
-                  <prop name="label">IR-8(e)[2]</prop>
-                  <p>communicates incident response plan changes to organization-defined incident
-                     response personnel (identified by name and/or by role) and organizational
-                     elements; and</p>
-               </part>
-            </part>
-            <part id="ir-8.f_obj" name="objective">
-               <prop name="label">IR-8(f)</prop>
-               <p>protects the incident response plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response planning</p>
-               <p>incident response plan</p>
-               <p>records of incident response plan reviews and approvals</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational incident response plan and related organizational processes</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-9">
-         <title>Information Spillage Response</title>
-         <param id="ir-9_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-9_prm_2">
-            <label>organization-defined actions</label>
-         </param>
-         <prop name="label">IR-9</prop>
-         <prop name="sort-id">ir-09</prop>
-         <part id="ir-9_smt" name="statement">
-            <p>The organization responds to information spills by:</p>
-            <part id="ir-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifying the specific information involved in the information system
-                  contamination;</p>
-            </part>
-            <part id="ir-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Alerting <insert param-id="ir-9_prm_1"/> of the information spill using a method
-                  of communication not associated with the spill;</p>
-            </part>
-            <part id="ir-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Isolating the contaminated information system or system component;</p>
-            </part>
-            <part id="ir-9_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Eradicating the information from the contaminated information system or
-                  component;</p>
-            </part>
-            <part id="ir-9_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Identifying other information systems or system components that may have been
-                  subsequently contaminated; and</p>
-            </part>
-            <part id="ir-9_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Performing other <insert param-id="ir-9_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="ir-9_gdn" name="guidance">
-            <p>Information spillage refers to instances where either classified or sensitive
-               information is inadvertently placed on information systems that are not authorized to
-               process such information. Such information spills often occur when information that
-               is initially thought to be of lower sensitivity is transmitted to an information
-               system and then is subsequently determined to be of higher sensitivity. At that
-               point, corrective action is required. The nature of the organizational response is
-               generally based upon the degree of sensitivity of the spilled information (e.g.,
-               security category or classification level), the security capabilities of the
-               information system, the specific nature of contaminated storage media, and the access
-               authorizations (e.g., security clearances) of individuals with authorized access to
-               the contaminated system. The methods used to communicate information about the spill
-               after the fact do not involve methods directly associated with the actual spill to
-               minimize the risk of further spreading the contamination before such contamination is
-               isolated and eradicated.</p>
-         </part>
-         <part id="ir-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ir-9.a_obj" name="objective">
-               <prop name="label">IR-9(a)</prop>
-               <p>responds to information spills by identifying the specific information causing the
-                  information system contamination;</p>
-            </part>
-            <part id="ir-9.b_obj" name="objective">
-               <prop name="label">IR-9(b)</prop>
-               <part id="ir-9.b_obj.1" name="objective">
-                  <prop name="label">IR-9(b)[1]</prop>
-                  <p>defines personnel to be alerted of the information spillage;</p>
-               </part>
-               <part id="ir-9.b_obj.2" name="objective">
-                  <prop name="label">IR-9(b)[2]</prop>
-                  <p>identifies a method of communication not associated with the information spill
-                     to use to alert organization-defined personnel of the spill;</p>
-               </part>
-               <part id="ir-9.b_obj.3" name="objective">
-                  <prop name="label">IR-9(b)[3]</prop>
-                  <p>responds to information spills by alerting organization-defined personnel of
-                     the information spill using a method of communication not associated with the
-                     spill;</p>
-               </part>
-            </part>
-            <part id="ir-9.c_obj" name="objective">
-               <prop name="label">IR-9(c)</prop>
-               <p>responds to information spills by isolating the contaminated information
-                  system;</p>
-            </part>
-            <part id="ir-9.d_obj" name="objective">
-               <prop name="label">IR-9(d)</prop>
-               <p>responds to information spills by eradicating the information from the
-                  contaminated information system;</p>
-            </part>
-            <part id="ir-9.e_obj" name="objective">
-               <prop name="label">IR-9(e)</prop>
-               <p>responds to information spills by identifying other information systems that may
-                  have been subsequently contaminated;</p>
-            </part>
-            <part id="ir-9.f_obj" name="objective">
-               <prop name="label">IR-9(f)</prop>
-               <part id="ir-9.f_obj.1" name="objective">
-                  <prop name="label">IR-9(f)[1]</prop>
-                  <p>defines other actions to be performed in response to information spills;
-                     and</p>
-               </part>
-               <part id="ir-9.f_obj.2" name="objective">
-                  <prop name="label">IR-9(f)[2]</prop>
-                  <p>responds to information spills by performing other organization-defined
-                     actions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing information spillage</p>
-               <p>incident response plan</p>
-               <p>records of information spillage alerts/notifications, list of personnel who should
-                  receive alerts of information spillage</p>
-               <p>list of actions to be performed regarding information spillage</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information spillage response</p>
-               <p>automated mechanisms supporting and/or implementing information spillage response
-                  actions and related communications</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-9.1">
-            <title>Responsible Personnel</title>
-            <param id="ir-9.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IR-9(1)</prop>
-            <prop name="sort-id">ir-09.01</prop>
-            <part id="ir-9.1_smt" name="statement">
-               <p>The organization assigns <insert param-id="ir-9.1_prm_1"/> with responsibility for
-                  responding to information spills.</p>
-            </part>
-            <part id="ir-9.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ir-9.1_obj.1" name="objective">
-                  <prop name="label">IR-9(1)[1]</prop>
-                  <p>defines personnel with responsibility for responding to information spills;
-                     and</p>
-               </part>
-               <part id="ir-9.1_obj.2" name="objective">
-                  <prop name="label">IR-9(1)[2]</prop>
-                  <p>assigns organization-defined personnel with responsibility for responding to
-                     information spills.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>list of personnel responsible for responding to information spillage</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.2">
-            <title>Training</title>
-            <param id="ir-9.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">IR-9(2)</prop>
-            <prop name="sort-id">ir-09.02</prop>
-            <part id="ir-9.2_smt" name="statement">
-               <p>The organization provides information spillage response training <insert param-id="ir-9.2_prm_1"/>.</p>
-            </part>
-            <part id="ir-9.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.2_obj.1" name="objective">
-                  <prop name="label">IR-9(2)[1]</prop>
-                  <p>defines the frequency to provide information spillage response training;
-                     and</p>
-               </part>
-               <part id="ir-9.2_obj.2" name="objective">
-                  <prop name="label">IR-9(2)[2]</prop>
-                  <p>provides information spillage response training with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing information spillage response training</p>
-                  <p>information spillage response training curriculum</p>
-                  <p>information spillage response training materials</p>
-                  <p>incident response plan</p>
-                  <p>information spillage response training records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response training responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.3">
-            <title>Post-spill Operations</title>
-            <param id="ir-9.3_prm_1">
-               <label>organization-defined procedures</label>
-            </param>
-            <prop name="label">IR-9(3)</prop>
-            <prop name="sort-id">ir-09.03</prop>
-            <part id="ir-9.3_smt" name="statement">
-               <p>The organization implements <insert param-id="ir-9.3_prm_1"/> to ensure that
-                  organizational personnel impacted by information spills can continue to carry out
-                  assigned tasks while contaminated systems are undergoing corrective actions.</p>
-            </part>
-            <part id="ir-9.3_gdn" name="guidance">
-               <p>Correction actions for information systems contaminated due to information
-                  spillages may be very time-consuming. During those periods, personnel may not have
-                  access to the contaminated systems, which may potentially affect their ability to
-                  conduct organizational business.</p>
-            </part>
-            <part id="ir-9.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.3_obj.1" name="objective">
-                  <prop name="label">IR-9(3)[1]</prop>
-                  <p>defines procedures that ensure organizational personnel impacted by information
-                     spills can continue to carry out assigned tasks while contaminated systems are
-                     undergoing corrective actions; and</p>
-               </part>
-               <part id="ir-9.3_obj.2" name="objective">
-                  <prop name="label">IR-9(3)[2]</prop>
-                  <p>implements organization-defined procedures to ensure that organizational
-                     personnel impacted by information spills can continue to carry out assigned
-                     tasks while contaminated systems are undergoing corrective actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for post-spill operations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.4">
-            <title>Exposure to Unauthorized Personnel</title>
-            <param id="ir-9.4_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">IR-9(4)</prop>
-            <prop name="sort-id">ir-09.04</prop>
-            <part id="ir-9.4_smt" name="statement">
-               <p>The organization employs <insert param-id="ir-9.4_prm_1"/> for personnel exposed
-                  to information not within assigned access authorizations.</p>
-            </part>
-            <part id="ir-9.4_gdn" name="guidance">
-               <p>Security safeguards include, for example, making personnel exposed to spilled
-                  information aware of the federal laws, directives, policies, and/or regulations
-                  regarding the information and the restrictions imposed based on exposure to such
-                  information.</p>
-            </part>
-            <part id="ir-9.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ir-9.4_obj.1" name="objective">
-                  <prop name="label">IR-9(4)[1]</prop>
-                  <p>defines security safeguards to be employed for personnel exposed to information
-                     not within assigned access authorizations; and</p>
-               </part>
-               <part id="ir-9.4_obj.2" name="objective">
-                  <prop name="label">IR-9(4)[2]</prop>
-                  <p>employs organization-defined security safeguards for personnel exposed to
-                     information not within assigned access authorizations.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Incident response policy</p>
-                  <p>procedures addressing incident handling</p>
-                  <p>procedures addressing information spillage</p>
-                  <p>incident response plan</p>
-                  <p>security safeguards regarding information spillage/exposure to unauthorized
-                     personnel</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for dealing with information exposed to unauthorized
-                     personnel</p>
-                  <p>automated mechanisms supporting and/or implementing safeguards for personnel
-                     exposed to information not within assigned access authorizations</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-10">
-         <title>Integrated Information Security Analysis Team</title>
-         <prop name="label">IR-10</prop>
-         <prop name="sort-id">ir-10</prop>
-         <part id="ir-10_smt" name="statement">
-            <p>The organization establishes an integrated team of forensic/malicious code analysts,
-               tool developers, and real-time operations personnel.</p>
-         </part>
-         <part id="ir-10_gdn" name="guidance">
-            <p>Having an integrated team for incident response facilitates information sharing. Such
-               capability allows organizational personnel, including developers, implementers, and
-               operators, to leverage the team knowledge of the threat in order to implement
-               defensive measures that will enable organizations to deter intrusions more
-               effectively. Moreover, it promotes the rapid detection of intrusions, development of
-               appropriate mitigations, and the deployment of effective defensive measures. For
-               example, when an intrusion is detected, the integrated security analysis team can
-               rapidly develop an appropriate response for operators to implement, correlate the new
-               incident with information on past intrusions, and augment ongoing intelligence
-               development. This enables the team to identify adversary TTPs that are linked to the
-               operations tempo or to specific missions/business functions, and to define responsive
-               actions in a way that does not disrupt the mission/business operations. Ideally,
-               information security analysis teams are distributed within organizations to make the
-               capability more resilient.</p>
-         </part>
-         <part id="ir-10_obj" name="objective">
-            <p>Determine if the organization establishes an integrated team of forensic/malicious
-               code analyst, tool developers, and real-time operations personnel.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Incident response policy</p>
-               <p>procedures addressing incident response planning and security analysis team
-                  integration</p>
-               <p>incident response plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with incident response and information security analysis
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel participating on integrated security analysis teams</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ma">
-      <title>Maintenance</title>
-      <control class="SP800-53" id="ma-1">
-         <title>System Maintenance Policy and Procedures</title>
-         <param id="ma-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ma-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">MA-1</prop>
-         <prop name="sort-id">ma-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ma-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ma-1_prm_1"/>:</p>
-               <part id="ma-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system maintenance policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ma-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system maintenance policy
-                     and associated system maintenance controls; and</p>
-               </part>
-            </part>
-            <part id="ma-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ma-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System maintenance policy <insert param-id="ma-1_prm_2"/>; and</p>
-               </part>
-               <part id="ma-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System maintenance procedures <insert param-id="ma-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ma-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ma-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-1.a_obj" name="objective">
-               <prop name="label">MA-1(a)</prop>
-               <part id="ma-1.a.1_obj" name="objective">
-                  <prop name="label">MA-1(a)(1)</prop>
-                  <part id="ma-1.a.1_obj.1" name="objective">
-                     <prop name="label">MA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system maintenance policy that addresses:</p>
-                     <part id="ma-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ma-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ma-1.a.1_obj.2" name="objective">
-                     <prop name="label">MA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system maintenance policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.1_obj.3" name="objective">
-                     <prop name="label">MA-1(a)(1)[3]</prop>
-                     <p>disseminates the system maintenance policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ma-1.a.2_obj" name="objective">
-                  <prop name="label">MA-1(a)(2)</prop>
-                  <part id="ma-1.a.2_obj.1" name="objective">
-                     <prop name="label">MA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        maintenance policy and associated system maintenance controls;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.2" name="objective">
-                     <prop name="label">MA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ma-1.a.2_obj.3" name="objective">
-                     <prop name="label">MA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-1.b_obj" name="objective">
-               <prop name="label">MA-1(b)</prop>
-               <part id="ma-1.b.1_obj" name="objective">
-                  <prop name="label">MA-1(b)(1)</prop>
-                  <part id="ma-1.b.1_obj.1" name="objective">
-                     <prop name="label">MA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        policy;</p>
-                  </part>
-                  <part id="ma-1.b.1_obj.2" name="objective">
-                     <prop name="label">MA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system maintenance policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ma-1.b.2_obj" name="objective">
-                  <prop name="label">MA-1(b)(2)</prop>
-                  <part id="ma-1.b.2_obj.1" name="objective">
-                     <prop name="label">MA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system maintenance
-                        procedures; and</p>
-                  </part>
-                  <part id="ma-1.b.2_obj.2" name="objective">
-                     <prop name="label">MA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system maintenance procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Maintenance policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-2">
-         <title>Controlled Maintenance</title>
-         <param id="ma-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-2_prm_2">
-            <label>organization-defined maintenance-related information</label>
-         </param>
-         <prop name="label">MA-2</prop>
-         <prop name="sort-id">ma-02</prop>
-         <part id="ma-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Schedules, performs, documents, and reviews records of maintenance and repairs on
-                  information system components in accordance with manufacturer or vendor
-                  specifications and/or organizational requirements;</p>
-            </part>
-            <part id="ma-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Approves and monitors all maintenance activities, whether performed on site or
-                  remotely and whether the equipment is serviced on site or removed to another
-                  location;</p>
-            </part>
-            <part id="ma-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Requires that <insert param-id="ma-2_prm_1"/> explicitly approve the removal of
-                  the information system or system components from organizational facilities for
-                  off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions; and</p>
-            </part>
-            <part id="ma-2_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Includes <insert param-id="ma-2_prm_2"/> in organizational maintenance
-                  records.</p>
-            </part>
-         </part>
-         <part id="ma-2_gdn" name="guidance">
-            <p>This control addresses the information security aspects of the information system
-               maintenance program and applies to all types of maintenance to any system component
-               (including applications) conducted by any local or nonlocal entity (e.g.,
-               in-contract, warranty, in-house, software maintenance agreement). System maintenance
-               also includes those components not directly associated with information processing
-               and/or data/information retention such as scanners, copiers, and printers.
-               Information necessary for creating effective maintenance records includes, for
-               example: (i) date and time of maintenance; (ii) name of individuals or group
-               performing the maintenance; (iii) name of escort, if necessary; (iv) a description of
-               the maintenance performed; and (v) information system components/equipment removed or
-               replaced (including identification numbers, if applicable). The level of detail
-               included in maintenance records can be informed by the security categories of
-               organizational information systems. Organizations consider supply chain issues
-               associated with replacement components for information systems.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ma-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ma-2.a_obj" name="objective">
-               <prop name="label">MA-2(a)</prop>
-               <part id="ma-2.a_obj.1" name="objective">
-                  <prop name="label">MA-2(a)[1]</prop>
-                  <p>schedules maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.1.a" name="objective">
-                     <prop name="label">MA-2(a)[1][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.1.b" name="objective">
-                     <prop name="label">MA-2(a)[1][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.2" name="objective">
-                  <prop name="label">MA-2(a)[2]</prop>
-                  <p>performs maintenance and repairs on information system components in accordance
-                     with:</p>
-                  <part id="ma-2.a_obj.2.a" name="objective">
-                     <prop name="label">MA-2(a)[2][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.2.b" name="objective">
-                     <prop name="label">MA-2(a)[2][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.3" name="objective">
-                  <prop name="label">MA-2(a)[3]</prop>
-                  <p>documents maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.3.a" name="objective">
-                     <prop name="label">MA-2(a)[3][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.3.b" name="objective">
-                     <prop name="label">MA-2(a)[3][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-               <part id="ma-2.a_obj.4" name="objective">
-                  <prop name="label">MA-2(a)[4]</prop>
-                  <p>reviews records of maintenance and repairs on information system components in
-                     accordance with:</p>
-                  <part id="ma-2.a_obj.4.a" name="objective">
-                     <prop name="label">MA-2(a)[4][a]</prop>
-                     <p>manufacturer or vendor specifications; and/or</p>
-                  </part>
-                  <part id="ma-2.a_obj.4.b" name="objective">
-                     <prop name="label">MA-2(a)[4][b]</prop>
-                     <p>organizational requirements;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-2.b_obj" name="objective">
-               <prop name="label">MA-2(b)</prop>
-               <part id="ma-2.b_obj.1" name="objective">
-                  <prop name="label">MA-2(b)[1]</prop>
-                  <p>approves all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-               <part id="ma-2.b_obj.2" name="objective">
-                  <prop name="label">MA-2(b)[2]</prop>
-                  <p>monitors all maintenance activities, whether performed on site or remotely and
-                     whether the equipment is serviced on site or removed to another location;</p>
-               </part>
-            </part>
-            <part id="ma-2.c_obj" name="objective">
-               <prop name="label">MA-2(c)</prop>
-               <part id="ma-2.c_obj.1" name="objective">
-                  <prop name="label">MA-2(c)[1]</prop>
-                  <p>defines personnel or roles required to explicitly approve the removal of the
-                     information system or system components from organizational facilities for
-                     off-site maintenance or repairs;</p>
-               </part>
-               <part id="ma-2.c_obj.2" name="objective">
-                  <prop name="label">MA-2(c)[2]</prop>
-                  <p>requires that organization-defined personnel or roles explicitly approve the
-                     removal of the information system or system components from organizational
-                     facilities for off-site maintenance or repairs;</p>
-               </part>
-            </part>
-            <part id="ma-2.d_obj" name="objective">
-               <prop name="label">MA-2(d)</prop>
-               <p>sanitizes equipment to remove all information from associated media prior to
-                  removal from organizational facilities for off-site maintenance or repairs;</p>
-            </part>
-            <part id="ma-2.e_obj" name="objective">
-               <prop name="label">MA-2(e)</prop>
-               <p>checks all potentially impacted security controls to verify that the controls are
-                  still functioning properly following maintenance or repair actions;</p>
-            </part>
-            <part id="ma-2.f_obj" name="objective">
-               <prop name="label">MA-2(f)</prop>
-               <part id="ma-2.f_obj.1" name="objective">
-                  <prop name="label">MA-2(f)[1]</prop>
-                  <p>defines maintenance-related information to be included in organizational
-                     maintenance records; and</p>
-               </part>
-               <part id="ma-2.f_obj.2" name="objective">
-                  <prop name="label">MA-2(f)[2]</prop>
-                  <p>includes organization-defined maintenance-related information in organizational
-                     maintenance records.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing controlled information system maintenance</p>
-               <p>maintenance records</p>
-               <p>manufacturer/vendor maintenance specifications</p>
-               <p>equipment sanitization records</p>
-               <p>media sanitization records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel responsible for media sanitization</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for scheduling, performing, documenting, reviewing,
-                  approving, and monitoring maintenance and repairs for the information system</p>
-               <p>organizational processes for sanitizing information system components</p>
-               <p>automated mechanisms supporting and/or implementing controlled maintenance</p>
-               <p>automated mechanisms implementing sanitization of information system
-                  components</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-2.1">
-            <title>Record Content</title>
-            <prop name="label">MA-2(1)</prop>
-            <prop name="sort-id">ma-02.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ma-2">MA-2</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-2.2">
-            <title>Automated Maintenance Activities</title>
-            <prop name="label">MA-2(2)</prop>
-            <prop name="sort-id">ma-02.02</prop>
-            <part id="ma-2.2_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-2.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs automated mechanisms to schedule, conduct, and document maintenance and
-                     repairs; and</p>
-               </part>
-               <part id="ma-2.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Produces up-to date, accurate, and complete records of all maintenance and
-                     repair actions requested, scheduled, in process, and completed.</p>
-               </part>
-            </part>
-            <part id="ma-2.2_gdn" name="guidance">
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#ma-3">MA-3</link>
-            </part>
-            <part id="ma-2.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-2.2.a_obj" name="objective">
-                  <prop name="label">MA-2(2)(a)</prop>
-                  <p>employs automated mechanisms to:</p>
-                  <part id="ma-2.2.a_obj.1" name="objective">
-                     <prop name="label">MA-2(2)(a)[1]</prop>
-                     <p>schedule maintenance and repairs;</p>
-                  </part>
-                  <part id="ma-2.2.a_obj.2" name="objective">
-                     <prop name="label">MA-2(2)(a)[2]</prop>
-                     <p>conduct maintenance and repairs;</p>
-                  </part>
-                  <part id="ma-2.2.a_obj.3" name="objective">
-                     <prop name="label">MA-2(2)(a)[3]</prop>
-                     <p>document maintenance and repairs;</p>
-                  </part>
-                  <link rel="corresp" href="#ma-2.2_smt.a">MA-2(2)(a)</link>
-               </part>
-               <part id="ma-2.2.b_obj" name="objective">
-                  <prop name="label">MA-2(2)(b)</prop>
-                  <p>produces up-to-date, accurate, and complete records of all maintenance and
-                     repair actions:</p>
-                  <part id="ma-2.2.b_obj.1" name="objective">
-                     <prop name="label">MA-2(2)(b)[1]</prop>
-                     <p>requested;</p>
-                  </part>
-                  <part id="ma-2.2.b_obj.2" name="objective">
-                     <prop name="label">MA-2(2)(b)[2]</prop>
-                     <p>scheduled;</p>
-                  </part>
-                  <part id="ma-2.2.b_obj.3" name="objective">
-                     <prop name="label">MA-2(2)(b)[3]</prop>
-                     <p>in process; and</p>
-                  </part>
-                  <part id="ma-2.2.b_obj.4" name="objective">
-                     <prop name="label">MA-2(2)(b)[4]</prop>
-                     <p>completed.</p>
-                  </part>
-                  <link rel="corresp" href="#ma-2.2_smt.b">MA-2(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing controlled information system maintenance</p>
-                  <p>automated mechanisms supporting information system maintenance activities</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing controlled maintenance</p>
-                  <p>automated mechanisms supporting and/or implementing production of records of
-                     maintenance and repair actions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-3">
-         <title>Maintenance Tools</title>
-         <prop name="label">MA-3</prop>
-         <prop name="sort-id">ma-03</prop>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <part id="ma-3_smt" name="statement">
-            <p>The organization approves, controls, and monitors information system maintenance
-               tools.</p>
-         </part>
-         <part id="ma-3_gdn" name="guidance">
-            <p>This control addresses security-related issues associated with maintenance tools used
-               specifically for diagnostic and repair actions on organizational information systems.
-               Maintenance tools can include hardware, software, and firmware items. Maintenance
-               tools are potential vehicles for transporting malicious code, either intentionally or
-               unintentionally, into a facility and subsequently into organizational information
-               systems. Maintenance tools can include, for example, hardware/software diagnostic
-               test equipment and hardware/software packet sniffers. This control does not cover
-               hardware/software components that may support information system maintenance, yet are
-               a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,
-               or the hardware and software implementing the monitoring port of an Ethernet
-               switch.</p>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="ma-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-3_obj.1" name="objective">
-               <prop name="label">MA-3[1]</prop>
-               <p>approves information system maintenance tools;</p>
-            </part>
-            <part id="ma-3_obj.2" name="objective">
-               <prop name="label">MA-3[2]</prop>
-               <p>controls information system maintenance tools; and</p>
-            </part>
-            <part id="ma-3_obj.3" name="objective">
-               <prop name="label">MA-3[3]</prop>
-               <p>monitors information system maintenance tools.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing information system maintenance tools</p>
-               <p>information system maintenance tools and associated documentation</p>
-               <p>maintenance records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for approving, controlling, and monitoring maintenance
-                  tools</p>
-               <p>automated mechanisms supporting and/or implementing approval, control, and/or
-                  monitoring of maintenance tools</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-3.1">
-            <title>Inspect Tools</title>
-            <prop name="label">MA-3(1)</prop>
-            <prop name="sort-id">ma-03.01</prop>
-            <part id="ma-3.1_smt" name="statement">
-               <p>The organization inspects the maintenance tools carried into a facility by
-                  maintenance personnel for improper or unauthorized modifications.</p>
-            </part>
-            <part id="ma-3.1_gdn" name="guidance">
-               <p>If, upon inspection of maintenance tools, organizations determine that the tools
-                  have been modified in an improper/unauthorized manner or contain malicious code,
-                  the incident is handled consistent with organizational policies and procedures for
-                  incident handling.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ma-3.1_obj" name="objective">
-               <p>Determine if the organization inspects the maintenance tools carried into a
-                  facility by maintenance personnel for improper or unauthorized modifications. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance tool inspection records</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for inspecting maintenance tools</p>
-                  <p>automated mechanisms supporting and/or implementing inspection of maintenance
-                     tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.2">
-            <title>Inspect Media</title>
-            <prop name="label">MA-3(2)</prop>
-            <prop name="sort-id">ma-03.02</prop>
-            <part id="ma-3.2_smt" name="statement">
-               <p>The organization checks media containing diagnostic and test programs for
-                  malicious code before the media are used in the information system.</p>
-            </part>
-            <part id="ma-3.2_gdn" name="guidance">
-               <p>If, upon inspection of media containing maintenance diagnostic and test programs,
-                  organizations determine that the media contain malicious code, the incident is
-                  handled consistent with organizational incident handling policies and
-                  procedures.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="ma-3.2_obj" name="objective">
-               <p>Determine if the organization checks media containing diagnostic and test programs
-                  for malicious code before the media are used in the information system. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for inspecting media for malicious code</p>
-                  <p>automated mechanisms supporting and/or implementing inspection of media used
-                     for maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.3">
-            <title>Prevent Unauthorized Removal</title>
-            <param id="ma-3.3_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">MA-3(3)</prop>
-            <prop name="sort-id">ma-03.03</prop>
-            <part id="ma-3.3_smt" name="statement">
-               <p>The organization prevents the unauthorized removal of maintenance equipment
-                  containing organizational information by:</p>
-               <part id="ma-3.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Verifying that there is no organizational information contained on the
-                     equipment;</p>
-               </part>
-               <part id="ma-3.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Sanitizing or destroying the equipment;</p>
-               </part>
-               <part id="ma-3.3_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Retaining the equipment within the facility; or</p>
-               </part>
-               <part id="ma-3.3_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Obtaining an exemption from <insert param-id="ma-3.3_prm_1"/> explicitly
-                     authorizing removal of the equipment from the facility.</p>
-               </part>
-            </part>
-            <part id="ma-3.3_gdn" name="guidance">
-               <p>Organizational information includes all information specifically owned by
-                  organizations and information provided to organizations in which organizations
-                  serve as information stewards.</p>
-            </part>
-            <part id="ma-3.3_obj" name="objective">
-               <p>Determine if the organization prevents the unauthorized removal of maintenance
-                  equipment containing organizational information by: </p>
-               <part id="ma-3.3.a_obj" name="objective">
-                  <prop name="label">MA-3(3)(a)</prop>
-                  <p>verifying that there is no organizational information contained on the
-                     equipment;</p>
-                  <link rel="corresp" href="#ma-3.3_smt.a">MA-3(3)(a)</link>
-               </part>
-               <part id="ma-3.3.b_obj" name="objective">
-                  <prop name="label">MA-3(3)(b)</prop>
-                  <p>sanitizing or destroying the equipment;</p>
-                  <link rel="corresp" href="#ma-3.3_smt.b">MA-3(3)(b)</link>
-               </part>
-               <part id="ma-3.3.c_obj" name="objective">
-                  <prop name="label">MA-3(3)(c)</prop>
-                  <p>retaining the equipment within the facility; or</p>
-                  <link rel="corresp" href="#ma-3.3_smt.c">MA-3(3)(c)</link>
-               </part>
-               <part id="ma-3.3.d_obj" name="objective">
-                  <prop name="label">MA-3(3)(d)</prop>
-                  <part id="ma-3.3.d_obj.1" name="objective">
-                     <prop name="label">MA-3(3)(d)[1]</prop>
-                     <p>defining personnel or roles that can grant an exemption from explicitly
-                        authorizing removal of the equipment from the facility; and</p>
-                  </part>
-                  <part id="ma-3.3.d_obj.2" name="objective">
-                     <prop name="label">MA-3(3)(d)[2]</prop>
-                     <p>obtaining an exemption from organization-defined personnel or roles
-                        explicitly authorizing removal of the equipment from the facility.</p>
-                  </part>
-                  <link rel="corresp" href="#ma-3.3_smt.d">MA-3(3)(d)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>equipment sanitization records</p>
-                  <p>media sanitization records</p>
-                  <p>exemptions for equipment removal</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsible for media sanitization</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for preventing unauthorized removal of information</p>
-                  <p>automated mechanisms supporting media sanitization or destruction of
-                     equipment</p>
-                  <p>automated mechanisms supporting verification of media sanitization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.4">
-            <title>Restricted Tool Use</title>
-            <prop name="label">MA-3(4)</prop>
-            <prop name="sort-id">ma-03.04</prop>
-            <part id="ma-3.4_smt" name="statement">
-               <p>The information system restricts the use of maintenance tools to authorized
-                  personnel only.</p>
-            </part>
-            <part id="ma-3.4_gdn" name="guidance">
-               <p>This control enhancement applies to information systems that are used to carry out
-                  maintenance functions.</p>
-               <link rel="related" href="#ac-2">AC-2</link>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#ac-5">AC-5</link>
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="ma-3.4_obj" name="objective">
-               <p>Determine if the organization restricts the use of maintenance tools to authorized
-                  personnel only. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance tools</p>
-                  <p>information system maintenance tools and associated documentation</p>
-                  <p>list of personnel authorized to use maintenance tools</p>
-                  <p>maintenance tool usage records</p>
-                  <p>maintenance records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for restricting use of maintenance tools</p>
-                  <p>automated mechanisms supporting and/or implementing restricted use of
-                     maintenance tools</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-4">
-         <title>Nonlocal Maintenance</title>
-         <prop name="label">MA-4</prop>
-         <prop name="sort-id">ma-04</prop>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#f2dbd4ec-c413-4714-b85b-6b7184d1c195" rel="reference">FIPS Publication 197</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a4aa9645-9a8a-4b51-90a9-e223250f9a75" rel="reference">CNSS Policy 15</link>
-         <part id="ma-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Approves and monitors nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Allows the use of nonlocal maintenance and diagnostic tools only as consistent
-                  with organizational policy and documented in the security plan for the information
-                  system;</p>
-            </part>
-            <part id="ma-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Maintains records for nonlocal maintenance and diagnostic activities; and</p>
-            </part>
-            <part id="ma-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Terminates session and network connections when nonlocal maintenance is
-                  completed.</p>
-            </part>
-         </part>
-         <part id="ma-4_gdn" name="guidance">
-            <p>Nonlocal maintenance and diagnostic activities are those activities conducted by
-               individuals communicating through a network, either an external network (e.g., the
-               Internet) or an internal network. Local maintenance and diagnostic activities are
-               those activities carried out by individuals physically present at the information
-               system or information system component and not communicating across a network
-               connection. Authentication techniques used in the establishment of nonlocal
-               maintenance and diagnostic sessions reflect the network access requirements in IA-2.
-               Typically, strong authentication requires authenticators that are resistant to replay
-               attacks and employ multifactor authentication. Strong authenticators include, for
-               example, PKI where certificates are stored on a token protected by a password,
-               passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by
-               other controls.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="ma-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-4.a_obj" name="objective">
-               <prop name="label">MA-4(a)</prop>
-               <part id="ma-4.a_obj.1" name="objective">
-                  <prop name="label">MA-4(a)[1]</prop>
-                  <p>approves nonlocal maintenance and diagnostic activities;</p>
-               </part>
-               <part id="ma-4.a_obj.2" name="objective">
-                  <prop name="label">MA-4(a)[2]</prop>
-                  <p>monitors nonlocal maintenance and diagnostic activities;</p>
-               </part>
-            </part>
-            <part id="ma-4.b_obj" name="objective">
-               <prop name="label">MA-4(b)</prop>
-               <p>allows the use of nonlocal maintenance and diagnostic tools only:</p>
-               <part id="ma-4.b_obj.1" name="objective">
-                  <prop name="label">MA-4(b)[1]</prop>
-                  <p>as consistent with organizational policy;</p>
-               </part>
-               <part id="ma-4.b_obj.2" name="objective">
-                  <prop name="label">MA-4(b)[2]</prop>
-                  <p>as documented in the security plan for the information system;</p>
-               </part>
-            </part>
-            <part id="ma-4.c_obj" name="objective">
-               <prop name="label">MA-4(c)</prop>
-               <p>employs strong authenticators in the establishment of nonlocal maintenance and
-                  diagnostic sessions;</p>
-            </part>
-            <part id="ma-4.d_obj" name="objective">
-               <prop name="label">MA-4(d)</prop>
-               <p>maintains records for nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part id="ma-4.e_obj" name="objective">
-               <prop name="label">MA-4(e)</prop>
-               <part id="ma-4.e_obj.1" name="objective">
-                  <prop name="label">MA-4(e)[1]</prop>
-                  <p>terminates sessions when nonlocal maintenance or diagnostics is completed;
-                     and</p>
-               </part>
-               <part id="ma-4.e_obj.2" name="objective">
-                  <prop name="label">MA-4(e)[2]</prop>
-                  <p>terminates network connections when nonlocal maintenance or diagnostics is
-                     completed.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing nonlocal information system maintenance</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>maintenance records</p>
-               <p>diagnostic records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing nonlocal maintenance</p>
-               <p>automated mechanisms implementing, supporting, and/or managing nonlocal
-                  maintenance</p>
-               <p>automated mechanisms for strong authentication of nonlocal maintenance diagnostic
-                  sessions</p>
-               <p>automated mechanisms for terminating nonlocal maintenance sessions and network
-                  connections</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-4.1">
-            <title>Auditing and Review</title>
-            <param id="ma-4.1_prm_1">
-               <label>organization-defined audit events</label>
-            </param>
-            <prop name="label">MA-4(1)</prop>
-            <prop name="sort-id">ma-04.01</prop>
-            <part id="ma-4.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-4.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Audits nonlocal maintenance and diagnostic sessions <insert param-id="ma-4.1_prm_1"/>; and</p>
-               </part>
-               <part id="ma-4.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Reviews the records of the maintenance and diagnostic sessions.</p>
-               </part>
-            </part>
-            <part id="ma-4.1_gdn" name="guidance">
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="ma-4.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-4.1.a_obj" name="objective">
-                  <prop name="label">MA-4(1)(a)</prop>
-                  <part id="ma-4.1.a_obj.1" name="objective">
-                     <prop name="label">MA-4(1)(a)[1]</prop>
-                     <p>defines audit events to audit nonlocal maintenance and diagnostic
-                        sessions;</p>
-                  </part>
-                  <part id="ma-4.1.a_obj.2" name="objective">
-                     <prop name="label">MA-4(1)(a)[2]</prop>
-                     <p>audits organization-defined audit events for non-local maintenance and
-                        diagnostic sessions; and</p>
-                  </part>
-                  <link rel="corresp" href="#ma-4.1_smt.a">MA-4(1)(a)</link>
-               </part>
-               <part id="ma-4.1.b_obj" name="objective">
-                  <prop name="label">MA-4(1)(b)</prop>
-                  <p>reviews records of the maintenance and diagnostic sessions.</p>
-                  <link rel="corresp" href="#ma-4.1_smt.b">MA-4(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing nonlocal information system maintenance</p>
-                  <p>list of audit events</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>diagnostic records</p>
-                  <p>audit records</p>
-                  <p>reviews of maintenance and diagnostic session records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with audit and review responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for audit and review of nonlocal maintenance</p>
-                  <p>automated mechanisms supporting and/or implementing audit and review of
-                     nonlocal maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.2">
-            <title>Document Nonlocal Maintenance</title>
-            <prop name="label">MA-4(2)</prop>
-            <prop name="sort-id">ma-04.02</prop>
-            <part id="ma-4.2_smt" name="statement">
-               <p>The organization documents in the security plan for the information system, the
-                  policies and procedures for the establishment and use of nonlocal maintenance and
-                  diagnostic connections.</p>
-            </part>
-            <part id="ma-4.2_obj" name="objective">
-               <p>Determine if the organization documents in the security plan for the information
-                  system: </p>
-               <part id="ma-4.2_obj.1" name="objective">
-                  <prop name="label">MA-4(2)[1]</prop>
-                  <p>the policies for the establishment and use of nonlocal maintenance and
-                     diagnostic connections; and</p>
-               </part>
-               <part id="ma-4.2_obj.2" name="objective">
-                  <prop name="label">MA-4(2)[2]</prop>
-                  <p>the procedures for the establishment and use of nonlocal maintenance and
-                     diagnostic connections.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing non-local information system maintenance</p>
-                  <p>security plan</p>
-                  <p>maintenance records</p>
-                  <p>diagnostic records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.3">
-            <title>Comparable Security / Sanitization</title>
-            <prop name="label">MA-4(3)</prop>
-            <prop name="sort-id">ma-04.03</prop>
-            <part id="ma-4.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-4.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Requires that nonlocal maintenance and diagnostic services be performed from an
-                     information system that implements a security capability comparable to the
-                     capability implemented on the system being serviced; or</p>
-               </part>
-               <part id="ma-4.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Removes the component to be serviced from the information system prior to
-                     nonlocal maintenance or diagnostic services, sanitizes the component (with
-                     regard to organizational information) before removal from organizational
-                     facilities, and after the service is performed, inspects and sanitizes the
-                     component (with regard to potentially malicious software) before reconnecting
-                     the component to the information system.</p>
-               </part>
-            </part>
-            <part id="ma-4.3_gdn" name="guidance">
-               <p>Comparable security capability on information systems, diagnostic tools, and
-                  equipment providing maintenance services implies that the implemented security
-                  controls on those systems, tools, and equipment are at least as comprehensive as
-                  the controls on the information system being serviced.</p>
-               <link rel="related" href="#ma-3">MA-3</link>
-               <link rel="related" href="#sa-12">SA-12</link>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ma-4.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-4.3.a_obj" name="objective">
-                  <prop name="label">MA-4(3)(a)</prop>
-                  <p>requires that nonlocal maintenance and diagnostic services be performed from an
-                     information system that implements a security capability comparable to the
-                     capability implemented on the system being serviced; or</p>
-                  <link rel="corresp" href="#ma-4.3_smt.a">MA-4(3)(a)</link>
-               </part>
-               <part id="ma-4.3.b_obj" name="objective">
-                  <prop name="label">MA-4(3)(b)</prop>
-                  <part id="ma-4.3.b_obj.1" name="objective">
-                     <prop name="label">MA-4(3)(b)[1]</prop>
-                     <p>removes the component to be serviced from the information system;</p>
-                  </part>
-                  <part id="ma-4.3.b_obj.2" name="objective">
-                     <prop name="label">MA-4(3)(b)[2]</prop>
-                     <p>sanitizes the component (with regard to organizational information) prior to
-                        nonlocal maintenance or diagnostic services and/or before removal from
-                        organizational facilities; and</p>
-                  </part>
-                  <part id="ma-4.3.b_obj.3" name="objective">
-                     <prop name="label">MA-4(3)(b)[3]</prop>
-                     <p>inspects and sanitizes the component (with regard to potentially malicious
-                        software) after service is performed on the component and before
-                        reconnecting the component to the information system.</p>
-                  </part>
-                  <link rel="corresp" href="#ma-4.3_smt.b">MA-4(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing nonlocal information system maintenance</p>
-                  <p>service provider contracts and/or service-level agreements</p>
-                  <p>maintenance records</p>
-                  <p>inspection records</p>
-                  <p>audit records</p>
-                  <p>equipment sanitization records</p>
-                  <p>media sanitization records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>information system maintenance provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsible for media sanitization</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for comparable security and sanitization for nonlocal
-                     maintenance</p>
-                  <p>organizational processes for removal, sanitization, and inspection of
-                     components serviced via nonlocal maintenance</p>
-                  <p>automated mechanisms supporting and/or implementing component sanitization and
-                     inspection</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.4">
-            <title>Authentication / Separation of Maintenance Sessions</title>
-            <param id="ma-4.4_prm_1">
-               <label>organization-defined authenticators that are replay resistant</label>
-            </param>
-            <prop name="label">MA-4(4)</prop>
-            <prop name="sort-id">ma-04.04</prop>
-            <part id="ma-4.4_smt" name="statement">
-               <p>The organization protects nonlocal maintenance sessions by:</p>
-               <part id="ma-4.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employing <insert param-id="ma-4.4_prm_1"/>; and</p>
-               </part>
-               <part id="ma-4.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Separating the maintenance sessions from other network sessions with the
-                     information system by either:</p>
-                  <part id="ma-4.4_smt.b.1" name="item">
-                     <prop name="label">(1)</prop>
-                     <p>Physically separated communications paths; or</p>
-                  </part>
-                  <part id="ma-4.4_smt.b.2" name="item">
-                     <prop name="label">(2)</prop>
-                     <p>Logically separated communications paths based upon encryption.</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ma-4.4_gdn" name="guidance">
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ma-4.4_obj" name="objective">
-               <p>Determine if the organization protects nonlocal maintenance sessions by: </p>
-               <part id="ma-4.4.a_obj" name="objective">
-                  <prop name="label">MA-4(4)(a)</prop>
-                  <part id="ma-4.4.a_obj.1" name="objective">
-                     <prop name="label">MA-4(4)(a)[1]</prop>
-                     <p>defining replay resistant authenticators to be employed to protect nonlocal
-                        maintenance sessions;</p>
-                  </part>
-                  <part id="ma-4.4.a_obj.2" name="objective">
-                     <prop name="label">MA-4(4)(a)[2]</prop>
-                     <p>employing organization-defined authenticators that are replay resistant;</p>
-                  </part>
-                  <link rel="corresp" href="#ma-4.4_smt.a">MA-4(4)(a)</link>
-               </part>
-               <part id="ma-4.4.b_obj" name="objective">
-                  <prop name="label">MA-4(4)(b)</prop>
-                  <p>separating the maintenance sessions from other network sessions with the
-                     information system by either:</p>
-                  <part id="ma-4.4.b.1_obj" name="objective">
-                     <prop name="label">MA-4(4)(b)(1)</prop>
-                     <p>physically separated communications paths; or</p>
-                     <link rel="corresp" href="#ma-4.4_smt.b.1">MA-4(4)(b)(1)</link>
-                  </part>
-                  <part id="ma-4.4.b.2_obj" name="objective">
-                     <prop name="label">MA-4(4)(b)(2)</prop>
-                     <p>logically separated communications paths based upon encryption.</p>
-                     <link rel="corresp" href="#ma-4.4_smt.b.2">MA-4(4)(b)(2)</link>
-                  </part>
-                  <link rel="corresp" href="#ma-4.4_smt.b">MA-4(4)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing nonlocal information system maintenance</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>maintenance records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>network engineers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for protecting nonlocal maintenance sessions</p>
-                  <p>automated mechanisms implementing replay resistant authenticators</p>
-                  <p>automated mechanisms implementing logically separated/encrypted communications
-                     paths</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.5">
-            <title>Approvals and Notifications</title>
-            <param id="ma-4.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="ma-4.5_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">MA-4(5)</prop>
-            <prop name="sort-id">ma-04.05</prop>
-            <part id="ma-4.5_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-4.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Requires the approval of each nonlocal maintenance session by <insert param-id="ma-4.5_prm_1"/>; and</p>
-               </part>
-               <part id="ma-4.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Notifies <insert param-id="ma-4.5_prm_2"/> of the date and time of planned
-                     nonlocal maintenance.</p>
-               </part>
-            </part>
-            <part id="ma-4.5_gdn" name="guidance">
-               <p>Notification may be performed by maintenance personnel. Approval of nonlocal
-                  maintenance sessions is accomplished by organizational personnel with sufficient
-                  information security and information system knowledge to determine the
-                  appropriateness of the proposed maintenance.</p>
-            </part>
-            <part id="ma-4.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-4.5.a_obj" name="objective">
-                  <prop name="label">MA-4(5)(a)</prop>
-                  <part id="ma-4.5.a_obj.1" name="objective">
-                     <prop name="label">MA-4(5)(a)[1]</prop>
-                     <p>defines personnel or roles required to approve each nonlocal maintenance
-                        session;</p>
-                  </part>
-                  <part id="ma-4.5.a_obj.2" name="objective">
-                     <prop name="label">MA-4(5)(a)[2]</prop>
-                     <p>requires the approval of each nonlocal maintenance session by
-                        organization-defined personnel or roles;</p>
-                  </part>
-                  <link rel="corresp" href="#ma-4.5_smt.a">MA-4(5)(a)</link>
-               </part>
-               <part id="ma-4.5.b_obj" name="objective">
-                  <prop name="label">MA-4(5)(b)</prop>
-                  <part id="ma-4.5.b_obj.1" name="objective">
-                     <prop name="label">MA-4(5)(b)[1]</prop>
-                     <p>defines personnel or roles to be notified of the date and time of planned
-                        nonlocal maintenance; and</p>
-                  </part>
-                  <part id="ma-4.5.b_obj.2" name="objective">
-                     <prop name="label">MA-4(5)(b)[2]</prop>
-                     <p>notifies organization-defined personnel roles of the date and time of
-                        planned nonlocal maintenance.</p>
-                  </part>
-                  <link rel="corresp" href="#ma-4.5_smt.b">MA-4(5)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing non-local information system maintenance</p>
-                  <p>security plan</p>
-                  <p>notifications supporting nonlocal maintenance sessions</p>
-                  <p>maintenance records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with notification responsibilities</p>
-                  <p>organizational personnel with approval responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for approving and notifying personnel regarding
-                     nonlocal maintenance</p>
-                  <p>automated mechanisms supporting notification and approval of nonlocal
-                     maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.6">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MA-4(6)</prop>
-            <prop name="sort-id">ma-04.06</prop>
-            <part id="ma-4.6_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  integrity and confidentiality of nonlocal maintenance and diagnostic
-                  communications.</p>
-            </part>
-            <part id="ma-4.6_gdn" name="guidance">
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ma-4.6_obj" name="objective">
-               <p>Determine if the information system implements cryptographic mechanisms to protect
-                  the integrity and confidentiality of nonlocal maintenance and diagnostic
-                  communications. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing non-local information system maintenance</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms protecting nonlocal maintenance activities</p>
-                  <p>maintenance records</p>
-                  <p>diagnostic records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>network engineers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting nonlocal maintenance and diagnostic
-                     communications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.7">
-            <title>Remote Disconnect Verification</title>
-            <prop name="label">MA-4(7)</prop>
-            <prop name="sort-id">ma-04.07</prop>
-            <part id="ma-4.7_smt" name="statement">
-               <p>The information system implements remote disconnect verification at the
-                  termination of nonlocal maintenance and diagnostic sessions.</p>
-            </part>
-            <part id="ma-4.7_gdn" name="guidance">
-               <p>Remote disconnect verification ensures that remote connections from nonlocal
-                  maintenance sessions have been terminated and are no longer available for use.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="ma-4.7_obj" name="objective">
-               <p>Determine if the information system implements remote disconnect verification at
-                  the termination of nonlocal maintenance and diagnostic sessions. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing non-local information system maintenance</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms protecting nonlocal maintenance activities</p>
-                  <p>maintenance records</p>
-                  <p>diagnostic records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>network engineers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing remote disconnect verifications of terminated
-                     nonlocal maintenance and diagnostic sessions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-5">
-         <title>Maintenance Personnel</title>
-         <prop name="label">MA-5</prop>
-         <prop name="sort-id">ma-05</prop>
-         <part id="ma-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ma-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes a process for maintenance personnel authorization and maintains a list
-                  of authorized maintenance organizations or personnel;</p>
-            </part>
-            <part id="ma-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part id="ma-5_gdn" name="guidance">
-            <p>This control applies to individuals performing hardware or software maintenance on
-               organizational information systems, while PE-2 addresses physical access for
-               individuals whose maintenance duties place them within the physical protection
-               perimeter of the systems (e.g., custodial staff, physical plant maintenance
-               personnel). Technical competence of supervising individuals relates to the
-               maintenance performed on the information systems while having required access
-               authorizations refers to maintenance on and near the systems. Individuals not
-               previously identified as authorized maintenance personnel, such as information
-               technology manufacturers, vendors, systems integrators, and consultants, may require
-               privileged access to organizational information systems, for example, when required
-               to conduct maintenance activities with little or no notice. Based on organizational
-               assessments of risk, organizations may issue temporary credentials to these
-               individuals. Temporary credentials may be for one-time use or for very limited time
-               periods.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="ma-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-5.a_obj" name="objective">
-               <prop name="label">MA-5(a)</prop>
-               <part id="ma-5.a_obj.1" name="objective">
-                  <prop name="label">MA-5(a)[1]</prop>
-                  <p>establishes a process for maintenance personnel authorization;</p>
-               </part>
-               <part id="ma-5.a_obj.2" name="objective">
-                  <prop name="label">MA-5(a)[2]</prop>
-                  <p>maintains a list of authorized maintenance organizations or personnel;</p>
-               </part>
-            </part>
-            <part id="ma-5.b_obj" name="objective">
-               <prop name="label">MA-5(b)</prop>
-               <p>ensures that non-escorted personnel performing maintenance on the information
-                  system have required access authorizations; and</p>
-            </part>
-            <part id="ma-5.c_obj" name="objective">
-               <prop name="label">MA-5(c)</prop>
-               <p>designates organizational personnel with required access authorizations and
-                  technical competence to supervise the maintenance activities of personnel who do
-                  not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing maintenance personnel</p>
-               <p>service provider contracts</p>
-               <p>service-level agreements</p>
-               <p>list of authorized personnel</p>
-               <p>maintenance records</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for authorizing and managing maintenance personnel</p>
-               <p>automated mechanisms supporting and/or implementing authorization of maintenance
-                  personnel</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-5.1">
-            <title>Individuals Without Appropriate Access</title>
-            <prop name="label">MA-5(1)</prop>
-            <prop name="sort-id">ma-05.01</prop>
-            <part id="ma-5.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ma-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Implements procedures for the use of maintenance personnel that lack
-                     appropriate security clearances or are not U.S. citizens, that include the
-                     following requirements:</p>
-                  <part id="ma-5.1_smt.a.1" name="item">
-                     <prop name="label">(1)</prop>
-                     <p>Maintenance personnel who do not have needed access authorizations,
-                        clearances, or formal access approvals are escorted and supervised during
-                        the performance of maintenance and diagnostic activities on the information
-                        system by approved organizational personnel who are fully cleared, have
-                        appropriate access authorizations, and are technically qualified;</p>
-                  </part>
-                  <part id="ma-5.1_smt.a.2" name="item">
-                     <prop name="label">(2)</prop>
-                     <p>Prior to initiating maintenance or diagnostic activities by personnel who do
-                        not have needed access authorizations, clearances or formal access
-                        approvals, all volatile information storage components within the
-                        information system are sanitized and all nonvolatile storage media are
-                        removed or physically disconnected from the system and secured; and</p>
-                  </part>
-               </part>
-               <part id="ma-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Develops and implements alternate security safeguards in the event an
-                     information system component cannot be sanitized, removed, or disconnected from
-                     the system.</p>
-               </part>
-            </part>
-            <part id="ma-5.1_gdn" name="guidance">
-               <p>This control enhancement denies individuals who lack appropriate security
-                  clearances (i.e., individuals who do not possess security clearances or possess
-                  security clearances at a lower level than required) or who are not U.S. citizens,
-                  visual and electronic access to any classified information, Controlled
-                  Unclassified Information (CUI), or any other sensitive information contained on
-                  organizational information systems. Procedures for the use of maintenance
-                  personnel can be documented in security plans for the information systems.</p>
-               <link rel="related" href="#mp-6">MP-6</link>
-               <link rel="related" href="#pl-2">PL-2</link>
-            </part>
-            <part id="ma-5.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-5.1.a_obj" name="objective">
-                  <prop name="label">MA-5(1)(a)</prop>
-                  <p>implements procedures for the use of maintenance personnel that lack
-                     appropriate security clearances or are not U.S. citizens, that include the
-                     following requirements:</p>
-                  <part id="ma-5.1.a.1_obj" name="objective">
-                     <prop name="label">MA-5(1)(a)(1)</prop>
-                     <p>maintenance personnel who do not have needed access authorizations,
-                        clearances, or formal access approvals are escorted and supervised during
-                        the performance of maintenance and diagnostic activities on the information
-                        system by approved organizational personnel who:</p>
-                     <part id="ma-5.1.a.1_obj.1" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[1]</prop>
-                        <p>are fully cleared;</p>
-                     </part>
-                     <part id="ma-5.1.a.1_obj.2" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[2]</prop>
-                        <p>have appropriate access authorizations;</p>
-                     </part>
-                     <part id="ma-5.1.a.1_obj.3" name="objective">
-                        <prop name="label">MA-5(1)(a)(1)[3]</prop>
-                        <p>are technically qualified;</p>
-                     </part>
-                     <link rel="corresp" href="#ma-5.1_smt.a.1">MA-5(1)(a)(1)</link>
-                  </part>
-                  <part id="ma-5.1.a.2_obj" name="objective">
-                     <prop name="label">MA-5(1)(a)(2)</prop>
-                     <p>prior to initiating maintenance or diagnostic activities by personnel who do
-                        not have needed access authorizations, clearances, or formal access
-                        approvals:</p>
-                     <part id="ma-5.1.a.2_obj.1" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[1]</prop>
-                        <p>all volatile information storage components within the information system
-                           are sanitized; and</p>
-                     </part>
-                     <part id="ma-5.1.a.2_obj.2" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[2]</prop>
-                        <p>all nonvolatile storage media are removed; or</p>
-                     </part>
-                     <part id="ma-5.1.a.2_obj.3" name="objective">
-                        <prop name="label">MA-5(1)(a)(2)[3]</prop>
-                        <p>all nonvolatile storage media are physically disconnected from the system
-                           and secured; and</p>
-                     </part>
-                     <link rel="corresp" href="#ma-5.1_smt.a.2">MA-5(1)(a)(2)</link>
-                  </part>
-                  <link rel="corresp" href="#ma-5.1_smt.a">MA-5(1)(a)</link>
-               </part>
-               <part id="ma-5.1.b_obj" name="objective">
-                  <prop name="label">MA-5(1)(b)</prop>
-                  <p>develops and implements alternative security safeguards in the event an
-                     information system component cannot be sanitized, removed, or disconnected from
-                     the system.</p>
-                  <link rel="corresp" href="#ma-5.1_smt.b">MA-5(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing maintenance personnel</p>
-                  <p>information system media protection policy</p>
-                  <p>physical and environmental protection policy</p>
-                  <p>security plan</p>
-                  <p>list of maintenance personnel requiring escort/supervision</p>
-                  <p>maintenance records</p>
-                  <p>access control records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsible for media sanitization</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing maintenance personnel without appropriate
-                     access</p>
-                  <p>automated mechanisms supporting and/or implementing alternative security
-                     safeguards</p>
-                  <p>automated mechanisms supporting and/or implementing information storage
-                     component sanitization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-5.2">
-            <title>Security Clearances for Classified Systems</title>
-            <prop name="label">MA-5(2)</prop>
-            <prop name="sort-id">ma-05.02</prop>
-            <part id="ma-5.2_smt" name="statement">
-               <p>The organization ensures that personnel performing maintenance and diagnostic
-                  activities on an information system processing, storing, or transmitting
-                  classified information possess security clearances and formal access approvals for
-                  at least the highest classification level and for all compartments of information
-                  on the system.</p>
-            </part>
-            <part id="ma-5.2_gdn" name="guidance">
-               <link rel="related" href="#ps-3">PS-3</link>
-            </part>
-            <part id="ma-5.2_obj" name="objective">
-               <p>Determine if the organization ensures that personnel performing maintenance and
-                  diagnostic activities on an information system processing, storing, or
-                  transmitting classified information possess: </p>
-               <part id="ma-5.2_obj.1" name="objective">
-                  <prop name="label">MA-5(2)[1]</prop>
-                  <p>security clearances for at least the highest classification level on the
-                     system;</p>
-               </part>
-               <part id="ma-5.2_obj.2" name="objective">
-                  <prop name="label">MA-5(2)[2]</prop>
-                  <p>security clearances for all compartments of information on the system;</p>
-               </part>
-               <part id="ma-5.2_obj.3" name="objective">
-                  <prop name="label">MA-5(2)[3]</prop>
-                  <p>formal access approvals for at least the highest classification level on the
-                     system; and</p>
-               </part>
-               <part id="ma-5.2_obj.4" name="objective">
-                  <prop name="label">MA-5(2)[4]</prop>
-                  <p>formal access approvals for all compartments of information on the system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing maintenance personnel</p>
-                  <p>personnel records</p>
-                  <p>maintenance records</p>
-                  <p>access control records</p>
-                  <p>access credentials</p>
-                  <p>access authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing security clearances for maintenance
-                     personnel</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-5.3">
-            <title>Citizenship Requirements for Classified Systems</title>
-            <prop name="label">MA-5(3)</prop>
-            <prop name="sort-id">ma-05.03</prop>
-            <part id="ma-5.3_smt" name="statement">
-               <p>The organization ensures that personnel performing maintenance and diagnostic
-                  activities on an information system processing, storing, or transmitting
-                  classified information are U.S. citizens.</p>
-            </part>
-            <part id="ma-5.3_gdn" name="guidance">
-               <link rel="related" href="#ps-3">PS-3</link>
-            </part>
-            <part id="ma-5.3_obj" name="objective">
-               <p>Determine if the organization ensures that personnel performing maintenance and
-                  diagnostic activities on an information system processing, storing, or
-                  transmitting classified information are U.S. citizens. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing maintenance personnel</p>
-                  <p>personnel records</p>
-                  <p>maintenance records</p>
-                  <p>access control records</p>
-                  <p>access credentials</p>
-                  <p>access authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-5.4">
-            <title>Foreign Nationals</title>
-            <prop name="label">MA-5(4)</prop>
-            <prop name="sort-id">ma-05.04</prop>
-            <part id="ma-5.4_smt" name="statement">
-               <p>The organization ensures that:</p>
-               <part id="ma-5.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Cleared foreign nationals (i.e., foreign nationals with appropriate security
-                     clearances), are used to conduct maintenance and diagnostic activities on
-                     classified information systems only when the systems are jointly owned and
-                     operated by the United States and foreign allied governments, or owned and
-                     operated solely by foreign allied governments; and</p>
-               </part>
-               <part id="ma-5.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Approvals, consents, and detailed operational conditions regarding the use of
-                     foreign nationals to conduct maintenance and diagnostic activities on
-                     classified information systems are fully documented within Memoranda of
-                     Agreements.</p>
-               </part>
-            </part>
-            <part id="ma-5.4_gdn" name="guidance">
-               <link rel="related" href="#ps-3">PS-3</link>
-            </part>
-            <part id="ma-5.4_obj" name="objective">
-               <p>Determine if the organization ensures that: </p>
-               <part id="ma-5.4.a_obj" name="objective">
-                  <prop name="label">MA-5(4)(a)</prop>
-                  <p>cleared foreign nationals (i.e., foreign nationals with appropriate security
-                     clearances) are used to conduct maintenance and diagnostic activities on
-                     classified information systems only when the systems are:</p>
-                  <part id="ma-5.4.a_obj.1" name="objective">
-                     <prop name="label">MA-5(4)(a)[1]</prop>
-                     <p>jointly owned and operated by the United States and foreign allied
-                        governments; or</p>
-                  </part>
-                  <part id="ma-5.4.a_obj.2" name="objective">
-                     <prop name="label">MA-5(4)(a)[2]</prop>
-                     <p>owned and operated solely by foreign allied governments; and</p>
-                  </part>
-                  <link rel="corresp" href="#ma-5.4_smt.a">MA-5(4)(a)</link>
-               </part>
-               <part id="ma-5.4.b_obj" name="objective">
-                  <prop name="label">MA-5(4)(b)</prop>
-                  <p>approvals, consents, and detailed operational conditions regarding the use of
-                     foreign nationals to conduct maintenance and diagnostic activities on
-                     classified information systems are fully documented within Memoranda of
-                     Agreements.</p>
-                  <link rel="corresp" href="#ma-5.4_smt.b">MA-5(4)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing maintenance personnel</p>
-                  <p>information system media protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>physical and environmental protection policy and procedures</p>
-                  <p>memorandum of agreement</p>
-                  <p>maintenance records</p>
-                  <p>access control records</p>
-                  <p>access credentials</p>
-                  <p>access authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance responsibilities,
-                     organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel managing memoranda of agreements</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing foreign national maintenance
-                     personnel</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-5.5">
-            <title>Nonsystem-related Maintenance</title>
-            <prop name="label">MA-5(5)</prop>
-            <prop name="sort-id">ma-05.05</prop>
-            <part id="ma-5.5_smt" name="statement">
-               <p>The organization ensures that non-escorted personnel performing maintenance
-                  activities not directly associated with the information system but in the physical
-                  proximity of the system, have required access authorizations.</p>
-            </part>
-            <part id="ma-5.5_gdn" name="guidance">
-               <p>Personnel performing maintenance activities in other capacities not directly
-                  related to the information system include, for example, physical plant personnel
-                  and janitorial personnel.</p>
-            </part>
-            <part id="ma-5.5_obj" name="objective">
-               <p>Determine if the organization ensures that non-escorted personnel performing
-                  maintenance activities not directly associated with the information system but in
-                  the physical proximity of the system, have required access authorizations.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing maintenance personnel</p>
-                  <p>information system media protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>physical and environmental protection policy and procedures</p>
-                  <p>maintenance records</p>
-                  <p>access control records</p>
-                  <p>access authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-6">
-         <title>Timely Maintenance</title>
-         <param id="ma-6_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="ma-6_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">MA-6</prop>
-         <prop name="sort-id">ma-06</prop>
-         <part id="ma-6_smt" name="statement">
-            <p>The organization obtains maintenance support and/or spare parts for <insert param-id="ma-6_prm_1"/> within <insert param-id="ma-6_prm_2"/> of failure.</p>
-         </part>
-         <part id="ma-6_gdn" name="guidance">
-            <p>Organizations specify the information system components that result in increased risk
-               to organizational operations and assets, individuals, other organizations, or the
-               Nation when the functionality provided by those components is not operational.
-               Organizational actions to obtain maintenance support typically include having
-               appropriate contracts in place.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#sa-14">SA-14</link>
-            <link rel="related" href="#sa-15">SA-15</link>
-         </part>
-         <part id="ma-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="ma-6_obj.1" name="objective">
-               <prop name="label">MA-6[1]</prop>
-               <p>defines information system components for which maintenance support and/or spare
-                  parts are to be obtained;</p>
-            </part>
-            <part id="ma-6_obj.2" name="objective">
-               <prop name="label">MA-6[2]</prop>
-               <p>defines the time period within which maintenance support and/or spare parts are to
-                  be obtained after a failure;</p>
-            </part>
-            <part id="ma-6_obj.3" name="objective">
-               <prop name="label">MA-6[3]</prop>
-               <part id="ma-6_obj.3.a" name="objective">
-                  <prop name="label">MA-6[3][a]</prop>
-                  <p>obtains maintenance support for organization-defined information system
-                     components within the organization-defined time period of failure; and/or</p>
-               </part>
-               <part id="ma-6_obj.3.b" name="objective">
-                  <prop name="label">MA-6[3][b]</prop>
-                  <p>obtains spare parts for organization-defined information system components
-                     within the organization-defined time period of failure.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system maintenance policy</p>
-               <p>procedures addressing information system maintenance</p>
-               <p>service provider contracts</p>
-               <p>service-level agreements</p>
-               <p>inventory and availability of spare parts</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system maintenance responsibilities</p>
-               <p>organizational personnel with acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for ensuring timely maintenance</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-6.1">
-            <title>Preventive Maintenance</title>
-            <param id="ma-6.1_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <param id="ma-6.1_prm_2">
-               <label>organization-defined time intervals</label>
-            </param>
-            <prop name="label">MA-6(1)</prop>
-            <prop name="sort-id">ma-06.01</prop>
-            <part id="ma-6.1_smt" name="statement">
-               <p>The organization performs preventive maintenance on <insert param-id="ma-6.1_prm_1"/> at <insert param-id="ma-6.1_prm_2"/>.</p>
-            </part>
-            <part id="ma-6.1_gdn" name="guidance">
-               <p>Preventive maintenance includes proactive care and servicing of organizational
-                  information systems components for the purpose of maintaining equipment and
-                  facilities in satisfactory operating condition. Such maintenance provides for the
-                  systematic inspection, tests, measurements, adjustments, parts replacement,
-                  detection, and correction of incipient failures either before they occur or before
-                  they develop into major defects. The primary goal of preventive maintenance is to
-                  avoid/mitigate the consequences of equipment failures. Preventive maintenance is
-                  designed to preserve and restore equipment reliability by replacing worn
-                  components before they actually fail. Methods of determining what preventive (or
-                  other) failure management policies to apply include, for example, original
-                  equipment manufacturer (OEM) recommendations, statistical failure records,
-                  requirements of codes, legislation, or regulations within a jurisdiction, expert
-                  opinion, maintenance that has already been conducted on similar equipment, or
-                  measured values and performance indications.</p>
-            </part>
-            <part id="ma-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-6.1_obj.1" name="objective">
-                  <prop name="label">MA-6(1)[1]</prop>
-                  <p>defines information system components on which preventive maintenance is to be
-                     performed;</p>
-               </part>
-               <part id="ma-6.1_obj.2" name="objective">
-                  <prop name="label">MA-6(1)[2]</prop>
-                  <p>defines time intervals within which preventive maintenance is to be performed
-                     on organization-defined information system components; and</p>
-               </part>
-               <part id="ma-6.1_obj.3" name="objective">
-                  <prop name="label">MA-6(1)[3]</prop>
-                  <p>performs preventive maintenance on organization-defined information system
-                     components at organization-defined time intervals.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance</p>
-                  <p>service provider contracts</p>
-                  <p>service-level agreements</p>
-                  <p>security plan</p>
-                  <p>maintenance records</p>
-                  <p>list of system components requiring preventive maintenance</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for preventive maintenance</p>
-                  <p>automated mechanisms supporting and/or implementing preventive maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-6.2">
-            <title>Predictive Maintenance</title>
-            <param id="ma-6.2_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <param id="ma-6.2_prm_2">
-               <label>organization-defined time intervals</label>
-            </param>
-            <prop name="label">MA-6(2)</prop>
-            <prop name="sort-id">ma-06.02</prop>
-            <part id="ma-6.2_smt" name="statement">
-               <p>The organization performs predictive maintenance on <insert param-id="ma-6.2_prm_1"/> at <insert param-id="ma-6.2_prm_2"/>.</p>
-            </part>
-            <part id="ma-6.2_gdn" name="guidance">
-               <p>Predictive maintenance, or condition-based maintenance, attempts to evaluate the
-                  condition of equipment by performing periodic or continuous (online) equipment
-                  condition monitoring. The goal of predictive maintenance is to perform maintenance
-                  at a scheduled point in time when the maintenance activity is most cost-effective
-                  and before the equipment loses performance within a threshold. The predictive
-                  component of predictive maintenance stems from the goal of predicting the future
-                  trend of the equipment's condition. This approach uses principles of statistical
-                  process control to determine at what point in the future maintenance activities
-                  will be appropriate. Most predictive maintenance inspections are performed while
-                  equipment is in service, thereby minimizing disruption of normal system
-                  operations. Predictive maintenance can result in substantial cost savings and
-                  higher system reliability. Predictive maintenance tends to include measurement of
-                  the item. To evaluate equipment condition, predictive maintenance utilizes
-                  nondestructive testing technologies such as infrared, acoustic (partial discharge
-                  and airborne ultrasonic), corona detection, vibration analysis, sound level
-                  measurements, oil analysis, and other specific online tests.</p>
-            </part>
-            <part id="ma-6.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ma-6.2_obj.1" name="objective">
-                  <prop name="label">MA-6(2)[1]</prop>
-                  <p>defines information system components on which predictive maintenance is to be
-                     performed;</p>
-               </part>
-               <part id="ma-6.2_obj.2" name="objective">
-                  <prop name="label">MA-6(2)[2]</prop>
-                  <p>defines time intervals within which predictive maintenance is to be performed
-                     on organization-defined information system components; and</p>
-               </part>
-               <part id="ma-6.2_obj.3" name="objective">
-                  <prop name="label">MA-6(2)[3]</prop>
-                  <p>performs predictive maintenance on organization-defined information system
-                     components at organization-defined time intervals.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance</p>
-                  <p>service provider contracts</p>
-                  <p>service-level agreements</p>
-                  <p>security plan</p>
-                  <p>maintenance records</p>
-                  <p>list of system components requiring predictive maintenance</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for predictive maintenance</p>
-                  <p>automated mechanisms supporting and/or implementing predictive maintenance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-6.3">
-            <title>Automated Support for Predictive Maintenance</title>
-            <prop name="label">MA-6(3)</prop>
-            <prop name="sort-id">ma-06.03</prop>
-            <part id="ma-6.3_smt" name="statement">
-               <p>The organization employs automated mechanisms to transfer predictive maintenance
-                  data to a computerized maintenance management system.</p>
-            </part>
-            <part id="ma-6.3_gdn" name="guidance">
-               <p>A computerized maintenance management system maintains a computer database of
-                  information about the maintenance operations of organizations and automates
-                  processing equipment condition data in order to trigger maintenance planning,
-                  execution, and reporting.</p>
-            </part>
-            <part id="ma-6.3_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to transfer predictive
-                  maintenance data to a computerized maintenance management system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system maintenance policy</p>
-                  <p>procedures addressing information system maintenance</p>
-                  <p>service provider contracts</p>
-                  <p>service-level agreements</p>
-                  <p>security plan</p>
-                  <p>maintenance records</p>
-                  <p>list of system components requiring predictive maintenance</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system maintenance
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing the transfer of predictive maintenance data
-                     to a computerized maintenance management system</p>
-                  <p>operations of the computer maintenance management system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="mp">
-      <title>Media Protection</title>
-      <control class="SP800-53" id="mp-1">
-         <title>Media Protection Policy and Procedures</title>
-         <param id="mp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="mp-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="mp-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">MP-1</prop>
-         <prop name="sort-id">mp-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="mp-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="mp-1_prm_1"/>:</p>
-               <part id="mp-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A media protection policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="mp-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the media protection policy and
-                     associated media protection controls; and</p>
-               </part>
-            </part>
-            <part id="mp-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="mp-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Media protection policy <insert param-id="mp-1_prm_2"/>; and</p>
-               </part>
-               <part id="mp-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Media protection procedures <insert param-id="mp-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="mp-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the MP
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="mp-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="mp-1.a_obj" name="objective">
-               <prop name="label">MP-1(a)</prop>
-               <part id="mp-1.a.1_obj" name="objective">
-                  <prop name="label">MP-1(a)(1)</prop>
-                  <part id="mp-1.a.1_obj.1" name="objective">
-                     <prop name="label">MP-1(a)(1)[1]</prop>
-                     <p>develops and documents a media protection policy that addresses:</p>
-                     <part id="mp-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="mp-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">MP-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="mp-1.a.1_obj.2" name="objective">
-                     <prop name="label">MP-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the media protection policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.1_obj.3" name="objective">
-                     <prop name="label">MP-1(a)(1)[3]</prop>
-                     <p>disseminates the media protection policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="mp-1.a.2_obj" name="objective">
-                  <prop name="label">MP-1(a)(2)</prop>
-                  <part id="mp-1.a.2_obj.1" name="objective">
-                     <prop name="label">MP-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        media protection policy and associated media protection controls;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.2" name="objective">
-                     <prop name="label">MP-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="mp-1.a.2_obj.3" name="objective">
-                     <prop name="label">MP-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="mp-1.b_obj" name="objective">
-               <prop name="label">MP-1(b)</prop>
-               <part id="mp-1.b.1_obj" name="objective">
-                  <prop name="label">MP-1(b)(1)</prop>
-                  <part id="mp-1.b.1_obj.1" name="objective">
-                     <prop name="label">MP-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        policy;</p>
-                  </part>
-                  <part id="mp-1.b.1_obj.2" name="objective">
-                     <prop name="label">MP-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current media protection policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="mp-1.b.2_obj" name="objective">
-                  <prop name="label">MP-1(b)(2)</prop>
-                  <part id="mp-1.b.2_obj.1" name="objective">
-                     <prop name="label">MP-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current media protection
-                        procedures; and</p>
-                  </part>
-                  <part id="mp-1.b.2_obj.2" name="objective">
-                     <prop name="label">MP-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current media protection procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Media protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media protection responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-2">
-         <title>Media Access</title>
-         <param id="mp-2_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-         </param>
-         <param id="mp-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">MP-2</prop>
-         <prop name="sort-id">mp-02</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-2_smt" name="statement">
-            <p>The organization restricts access to <insert param-id="mp-2_prm_1"/> to <insert param-id="mp-2_prm_2"/>.</p>
-         </part>
-         <part id="mp-2_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Restricting non-digital media access
-               includes, for example, denying access to patient medical records in a community
-               hospital unless the individuals seeking access to such records are authorized
-               healthcare providers. Restricting access to digital media includes, for example,
-               limiting access to design specifications stored on compact disks in the media library
-               to the project leader and the individuals on the development team.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="mp-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-2_obj.1" name="objective">
-               <prop name="label">MP-2[1]</prop>
-               <p>defines types of digital and/or non-digital media requiring restricted access;</p>
-            </part>
-            <part id="mp-2_obj.2" name="objective">
-               <prop name="label">MP-2[2]</prop>
-               <p>defines personnel or roles authorized to access organization-defined types of
-                  digital and/or non-digital media; and</p>
-            </part>
-            <part id="mp-2_obj.3" name="objective">
-               <prop name="label">MP-2[3]</prop>
-               <p>restricts access to organization-defined types of digital and/or non-digital media
-                  to organization-defined personnel or roles.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media access restrictions</p>
-               <p>access control policy and procedures</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>media storage facilities</p>
-               <p>access control records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for restricting information media</p>
-               <p>automated mechanisms supporting and/or implementing media access restrictions</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-2.1">
-            <title>Automated Restricted Access</title>
-            <prop name="label">MP-2(1)</prop>
-            <prop name="sort-id">mp-02.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-4.2">MP-4 (2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-2.2">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MP-2(2)</prop>
-            <prop name="sort-id">mp-02.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-28.1">SC-28 (1)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-3">
-         <title>Media Marking</title>
-         <param id="mp-3_prm_1">
-            <label>organization-defined types of information system media</label>
-         </param>
-         <param id="mp-3_prm_2">
-            <label>organization-defined controlled areas</label>
-         </param>
-         <prop name="label">MP-3</prop>
-         <prop name="sort-id">mp-03</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="mp-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Marks information system media indicating the distribution limitations, handling
-                  caveats, and applicable security markings (if any) of the information; and</p>
-            </part>
-            <part id="mp-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Exempts <insert param-id="mp-3_prm_1"/> from marking as long as the media remain
-                  within <insert param-id="mp-3_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="mp-3_gdn" name="guidance">
-            <p>The term security marking refers to the application/use of human-readable security
-               attributes. The term security labeling refers to the application/use of security
-               attributes with regard to internal data structures within information systems (see
-               AC-16). Information system media includes both digital and non-digital media. Digital
-               media includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Security marking is generally not
-               required for media containing information determined by organizations to be in the
-               public domain or to be publicly releasable. However, some organizations may require
-               markings for public information indicating that the information is publicly
-               releasable. Marking of information system media reflects applicable federal laws,
-               Executive Orders, directives, policies, regulations, standards, and guidance.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="mp-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-3.a_obj" name="objective">
-               <prop name="label">MP-3(a)</prop>
-               <p>marks information system media indicating the:</p>
-               <part id="mp-3.a_obj.1" name="objective">
-                  <prop name="label">MP-3(a)[1]</prop>
-                  <p>distribution limitations of the information;</p>
-               </part>
-               <part id="mp-3.a_obj.2" name="objective">
-                  <prop name="label">MP-3(a)[2]</prop>
-                  <p>handling caveats of the information;</p>
-               </part>
-               <part id="mp-3.a_obj.3" name="objective">
-                  <prop name="label">MP-3(a)[3]</prop>
-                  <p>applicable security markings (if any) of the information;</p>
-               </part>
-            </part>
-            <part id="mp-3.b_obj" name="objective">
-               <prop name="label">MP-3(b)</prop>
-               <part id="mp-3.b_obj.1" name="objective">
-                  <prop name="label">MP-3(b)[1]</prop>
-                  <p>defines types of information system media to be exempted from marking as long
-                     as the media remain in designated controlled areas;</p>
-               </part>
-               <part id="mp-3.b_obj.2" name="objective">
-                  <prop name="label">MP-3(b)[2]</prop>
-                  <p>defines controlled areas where organization-defined types of information system
-                     media exempt from marking are to be retained; and</p>
-               </part>
-               <part id="mp-3.b_obj.3" name="objective">
-                  <prop name="label">MP-3(b)[3]</prop>
-                  <p>exempts organization-defined types of information system media from marking as
-                     long as the media remain within organization-defined controlled areas.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media marking</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>security plan</p>
-               <p>list of information system media marking security attributes</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and marking
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for marking information media</p>
-               <p>automated mechanisms supporting and/or implementing media marking</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-4">
-         <title>Media Storage</title>
-         <param id="mp-4_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-         </param>
-         <param id="mp-4_prm_2">
-            <label>organization-defined controlled areas</label>
-         </param>
-         <prop name="label">MP-4</prop>
-         <prop name="sort-id">mp-04</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Physically controls and securely stores <insert param-id="mp-4_prm_1"/> within
-                     <insert param-id="mp-4_prm_2"/>; and</p>
-            </part>
-            <part id="mp-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Protects information system media until the media are destroyed or sanitized using
-                  approved equipment, techniques, and procedures.</p>
-            </part>
-         </part>
-         <part id="mp-4_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. Physically controlling information system
-               media includes, for example, conducting inventories, ensuring procedures are in place
-               to allow individuals to check out and return media to the media library, and
-               maintaining accountability for all stored media. Secure storage includes, for
-               example, a locked drawer, desk, or cabinet, or a controlled media library. The type
-               of media storage is commensurate with the security category and/or classification of
-               the information residing on the media. Controlled areas are areas for which
-               organizations provide sufficient physical and procedural safeguards to meet the
-               requirements established for protecting information and/or information systems. For
-               media containing information determined by organizations to be in the public domain,
-               to be publicly releasable, or to have limited or no adverse impact on organizations
-               or individuals if accessed by other than authorized personnel, fewer safeguards may
-               be needed. In these situations, physical access controls provide adequate
-               protection.</p>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-         </part>
-         <part id="mp-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-4.a_obj" name="objective">
-               <prop name="label">MP-4(a)</prop>
-               <part id="mp-4.a_obj.1" name="objective">
-                  <prop name="label">MP-4(a)[1]</prop>
-                  <p>defines types of digital and/or non-digital media to be physically controlled
-                     and securely stored within designated controlled areas;</p>
-               </part>
-               <part id="mp-4.a_obj.2" name="objective">
-                  <prop name="label">MP-4(a)[2]</prop>
-                  <p>defines controlled areas designated to physically control and securely store
-                     organization-defined types of digital and/or non-digital media;</p>
-               </part>
-               <part id="mp-4.a_obj.3" name="objective">
-                  <prop name="label">MP-4(a)[3]</prop>
-                  <p>physically controls organization-defined types of digital and/or non-digital
-                     media within organization-defined controlled areas;</p>
-               </part>
-               <part id="mp-4.a_obj.4" name="objective">
-                  <prop name="label">MP-4(a)[4]</prop>
-                  <p>securely stores organization-defined types of digital and/or non-digital media
-                     within organization-defined controlled areas; and</p>
-               </part>
-            </part>
-            <part id="mp-4.b_obj" name="objective">
-               <prop name="label">MP-4(b)</prop>
-               <p>protects information system media until the media are destroyed or sanitized using
-                  approved equipment, techniques, and procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media storage</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>access control policy and procedures</p>
-               <p>security plan</p>
-               <p>information system media</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and storage
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing information media</p>
-               <p>automated mechanisms supporting and/or implementing secure media storage/media
-                  protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-4.1">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MP-4(1)</prop>
-            <prop name="sort-id">mp-04.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-28.1">SC-28 (1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-4.2">
-            <title>Automated Restricted Access</title>
-            <prop name="label">MP-4(2)</prop>
-            <prop name="sort-id">mp-04.02</prop>
-            <part id="mp-4.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to restrict access to media storage
-                  areas and to audit access attempts and access granted.</p>
-            </part>
-            <part id="mp-4.2_gdn" name="guidance">
-               <p>Automated mechanisms can include, for example, keypads on the external entries to
-                  media storage areas.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-9">AU-9</link>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="mp-4.2_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to: </p>
-               <part id="mp-4.2_obj.1" name="objective">
-                  <prop name="label">MP-4(2)[1]</prop>
-                  <p>restrict access to media storage areas;</p>
-               </part>
-               <part id="mp-4.2_obj.2" name="objective">
-                  <prop name="label">MP-4(2)[2]</prop>
-                  <p>audit access attempts; and</p>
-               </part>
-               <part id="mp-4.2_obj.3" name="objective">
-                  <prop name="label">MP-4(2)[3]</prop>
-                  <p>audit access granted.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media storage</p>
-                  <p>access control policy and procedures</p>
-                  <p>physical and environmental protection policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>media storage facilities</p>
-                  <p>access control devices</p>
-                  <p>access control records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media protection and storage
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms restricting access to media storage areas</p>
-                  <p>automated mechanisms auditing access attempts and access granted to media
-                     storage areas</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-5">
-         <title>Media Transport</title>
-         <param id="mp-5_prm_1">
-            <label>organization-defined types of information system media</label>
-         </param>
-         <param id="mp-5_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">MP-5</prop>
-         <prop name="sort-id">mp-05</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="mp-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Protects and controls <insert param-id="mp-5_prm_1"/> during transport outside of
-                  controlled areas using <insert param-id="mp-5_prm_2"/>;</p>
-            </part>
-            <part id="mp-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Maintains accountability for information system media during transport outside of
-                  controlled areas;</p>
-            </part>
-            <part id="mp-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents activities associated with the transport of information system media;
-                  and</p>
-            </part>
-            <part id="mp-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Restricts the activities associated with the transport of information system media
-                  to authorized personnel.</p>
-            </part>
-         </part>
-         <part id="mp-5_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. This control also applies to mobile
-               devices with information storage capability (e.g., smart phones, tablets, E-readers),
-               that are transported outside of controlled areas. Controlled areas are areas or
-               spaces for which organizations provide sufficient physical and/or procedural
-               safeguards to meet the requirements established for protecting information and/or
-               information systems. Physical and technical safeguards for media are commensurate
-               with the security category or classification of the information residing on the
-               media. Safeguards to protect media during transport include, for example, locked
-               containers and cryptography. Cryptographic mechanisms can provide confidentiality and
-               integrity protections depending upon the mechanisms used. Activities associated with
-               transport include the actual transport as well as those activities such as releasing
-               media for transport and ensuring that media enters the appropriate transport
-               processes. For the actual transport, authorized transport and courier personnel may
-               include individuals from outside the organization (e.g., U.S. Postal Service or a
-               commercial transport or delivery service). Maintaining accountability of media during
-               transport includes, for example, restricting transport activities to authorized
-               personnel, and tracking and/or obtaining explicit records of transport activities as
-               the media moves through the transportation system to prevent and detect loss,
-               destruction, or tampering. Organizations establish documentation requirements for
-               activities associated with the transport of information system media in accordance
-               with organizational assessments of risk to include the flexibility to define
-               different record-keeping methods for the different types of media transport as part
-               of an overall system of transport-related records.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#mp-3">MP-3</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-         </part>
-         <part id="mp-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-5.a_obj" name="objective">
-               <prop name="label">MP-5(a)</prop>
-               <part id="mp-5.a_obj.1" name="objective">
-                  <prop name="label">MP-5(a)[1]</prop>
-                  <p>defines types of information system media to be protected and controlled during
-                     transport outside of controlled areas;</p>
-               </part>
-               <part id="mp-5.a_obj.2" name="objective">
-                  <prop name="label">MP-5(a)[2]</prop>
-                  <p>defines security safeguards to protect and control organization-defined
-                     information system media during transport outside of controlled areas;</p>
-               </part>
-               <part id="mp-5.a_obj.3" name="objective">
-                  <prop name="label">MP-5(a)[3]</prop>
-                  <p>protects and controls organization-defined information system media during
-                     transport outside of controlled areas using organization-defined security
-                     safeguards;</p>
-               </part>
-            </part>
-            <part id="mp-5.b_obj" name="objective">
-               <prop name="label">MP-5(b)</prop>
-               <p>maintains accountability for information system media during transport outside of
-                  controlled areas;</p>
-            </part>
-            <part id="mp-5.c_obj" name="objective">
-               <prop name="label">MP-5(c)</prop>
-               <p>documents activities associated with the transport of information system media;
-                  and</p>
-            </part>
-            <part id="mp-5.d_obj" name="objective">
-               <prop name="label">MP-5(d)</prop>
-               <p>restricts the activities associated with transport of information system media to
-                  authorized personnel.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media storage</p>
-               <p>physical and environmental protection policy and procedures</p>
-               <p>access control policy and procedures</p>
-               <p>security plan</p>
-               <p>information system media</p>
-               <p>designated controlled areas</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media protection and storage
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for storing information media</p>
-               <p>automated mechanisms supporting and/or implementing media storage/media
-                  protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-5.1">
-            <title>Protection Outside of Controlled Areas</title>
-            <prop name="label">MP-5(1)</prop>
-            <prop name="sort-id">mp-05.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-5">MP-5</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-5.2">
-            <title>Documentation of Activities</title>
-            <prop name="label">MP-5(2)</prop>
-            <prop name="sort-id">mp-05.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-5">MP-5</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-5.3">
-            <title>Custodians</title>
-            <prop name="label">MP-5(3)</prop>
-            <prop name="sort-id">mp-05.03</prop>
-            <part id="mp-5.3_smt" name="statement">
-               <p>The organization employs an identified custodian during transport of information
-                  system media outside of controlled areas.</p>
-            </part>
-            <part id="mp-5.3_gdn" name="guidance">
-               <p>Identified custodians provide organizations with specific points of contact during
-                  the media transport process and facilitate individual accountability. Custodial
-                  responsibilities can be transferred from one individual to another as long as an
-                  unambiguous custodian is identified at all times.</p>
-            </part>
-            <part id="mp-5.3_obj" name="objective">
-               <p>Determine if the organization employs an identified custodian during transport of
-                  information system media outside of controlled areas. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media transport</p>
-                  <p>physical and environmental protection policy and procedures</p>
-                  <p>information system media transport records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media transport
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-5.4">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MP-5(4)</prop>
-            <prop name="sort-id">mp-05.04</prop>
-            <part id="mp-5.4_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect the
-                  confidentiality and integrity of information stored on digital media during
-                  transport outside of controlled areas.</p>
-            </part>
-            <part id="mp-5.4_gdn" name="guidance">
-               <p>This control enhancement applies to both portable storage devices (e.g., USB
-                  memory sticks, compact disks, digital video disks, external/removable hard disk
-                  drives) and mobile devices with storage capability (e.g., smart phones, tablets,
-                  E-readers).</p>
-               <link rel="related" href="#mp-2">MP-2</link>
-            </part>
-            <part id="mp-5.4_obj" name="objective">
-               <p>Determine if the organization employs cryptographic mechanisms to protect the
-                  confidentiality and integrity of information stored on digital media during
-                  transport outside of controlled areas. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media transport</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system media transport records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media transport
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms protecting information on digital media during
-                     transportation outside controlled areas</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-6">
-         <title>Media Sanitization</title>
-         <param id="mp-6_prm_1">
-            <label>organization-defined information system media</label>
-         </param>
-         <param id="mp-6_prm_2">
-            <label>organization-defined sanitization techniques and procedures</label>
-         </param>
-         <prop name="label">MP-6</prop>
-         <prop name="sort-id">mp-06</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#263823e0-a971-4b00-959d-315b26278b22" rel="reference">NIST Special Publication 800-88</link>
-         <link href="#a47466c4-c837-4f06-a39f-e68412a5f73d" rel="reference">http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</link>
-         <part id="mp-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Sanitizes <insert param-id="mp-6_prm_1"/> prior to disposal, release out of
-                  organizational control, or release for reuse using <insert param-id="mp-6_prm_2"/>
-                  in accordance with applicable federal and organizational standards and policies;
-                  and</p>
-            </part>
-            <part id="mp-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs sanitization mechanisms with the strength and integrity commensurate with
-                  the security category or classification of the information.</p>
-            </part>
-         </part>
-         <part id="mp-6_gdn" name="guidance">
-            <p>This control applies to all information system media, both digital and non-digital,
-               subject to disposal or reuse, whether or not the media is considered removable.
-               Examples include media found in scanners, copiers, printers, notebook computers,
-               workstations, network components, and mobile devices. The sanitization process
-               removes information from the media such that the information cannot be retrieved or
-               reconstructed. Sanitization techniques, including clearing, purging, cryptographic
-               erase, and destruction, prevent the disclosure of information to unauthorized
-               individuals when such media is reused or released for disposal. Organizations
-               determine the appropriate sanitization methods recognizing that destruction is
-               sometimes necessary when other methods cannot be applied to media requiring
-               sanitization. Organizations use discretion on the employment of approved sanitization
-               techniques and procedures for media containing information deemed to be in the public
-               domain or publicly releasable, or deemed to have no adverse impact on organizations
-               or individuals if released for reuse or disposal. Sanitization of non-digital media
-               includes, for example, removing a classified appendix from an otherwise unclassified
-               document, or redacting selected sections or words from a document by obscuring the
-               redacted sections/words in a manner equivalent in effectiveness to removing them from
-               the document. NSA standards and policies control the sanitization process for media
-               containing classified information.</p>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-4">SC-4</link>
-         </part>
-         <part id="mp-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-6.a_obj" name="objective">
-               <prop name="label">MP-6(a)</prop>
-               <part id="mp-6.a_obj.1" name="objective">
-                  <prop name="label">MP-6(a)[1]</prop>
-                  <p>defines information system media to be sanitized prior to:</p>
-                  <part id="mp-6.a_obj.1.a" name="objective">
-                     <prop name="label">MP-6(a)[1][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.b" name="objective">
-                     <prop name="label">MP-6(a)[1][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.1.c" name="objective">
-                     <prop name="label">MP-6(a)[1][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.2" name="objective">
-                  <prop name="label">MP-6(a)[2]</prop>
-                  <p>defines sanitization techniques or procedures to be used for sanitizing
-                     organization-defined information system media prior to:</p>
-                  <part id="mp-6.a_obj.2.a" name="objective">
-                     <prop name="label">MP-6(a)[2][a]</prop>
-                     <p>disposal;</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.b" name="objective">
-                     <prop name="label">MP-6(a)[2][b]</prop>
-                     <p>release out of organizational control; or</p>
-                  </part>
-                  <part id="mp-6.a_obj.2.c" name="objective">
-                     <prop name="label">MP-6(a)[2][c]</prop>
-                     <p>release for reuse;</p>
-                  </part>
-               </part>
-               <part id="mp-6.a_obj.3" name="objective">
-                  <prop name="label">MP-6(a)[3]</prop>
-                  <p>sanitizes organization-defined information system media prior to disposal,
-                     release out of organizational control, or release for reuse using
-                     organization-defined sanitization techniques or procedures in accordance with
-                     applicable federal and organizational standards and policies; and</p>
-               </part>
-            </part>
-            <part id="mp-6.b_obj" name="objective">
-               <prop name="label">MP-6(b)</prop>
-               <p>employs sanitization mechanisms with strength and integrity commensurate with the
-                  security category or classification of the information.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media sanitization and disposal</p>
-               <p>applicable federal standards and policies addressing media sanitization</p>
-               <p>media sanitization records</p>
-               <p>audit records</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with media sanitization responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media sanitization</p>
-               <p>automated mechanisms supporting and/or implementing media sanitization</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-6.1">
-            <title>Review / Approve / Track / Document / Verify</title>
-            <prop name="label">MP-6(1)</prop>
-            <prop name="sort-id">mp-06.01</prop>
-            <part id="mp-6.1_smt" name="statement">
-               <p>The organization reviews, approves, tracks, documents, and verifies media
-                  sanitization and disposal actions.</p>
-            </part>
-            <part id="mp-6.1_gdn" name="guidance">
-               <p>Organizations review and approve media to be sanitized to ensure compliance with
-                  records-retention policies. Tracking/documenting actions include, for example,
-                  listing personnel who reviewed and approved sanitization and disposal actions,
-                  types of media sanitized, specific files stored on the media, sanitization methods
-                  used, date and time of the sanitization actions, personnel who performed the
-                  sanitization, verification actions taken, personnel who performed the
-                  verification, and disposal action taken. Organizations verify that the
-                  sanitization of the media was effective prior to disposal.</p>
-               <link rel="related" href="#si-12">SI-12</link>
-            </part>
-            <part id="mp-6.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.1_obj.1" name="objective">
-                  <prop name="label">MP-6(1)[1]</prop>
-                  <p>reviews media sanitization and disposal actions;</p>
-               </part>
-               <part id="mp-6.1_obj.2" name="objective">
-                  <prop name="label">MP-6(1)[2]</prop>
-                  <p>approves media sanitization and disposal actions;</p>
-               </part>
-               <part id="mp-6.1_obj.3" name="objective">
-                  <prop name="label">MP-6(1)[3]</prop>
-                  <p>tracks media sanitization and disposal actions;</p>
-               </part>
-               <part id="mp-6.1_obj.4" name="objective">
-                  <prop name="label">MP-6(1)[4]</prop>
-                  <p>documents media sanitization and disposal actions; and</p>
-               </part>
-               <part id="mp-6.1_obj.5" name="objective">
-                  <prop name="label">MP-6(1)[5]</prop>
-                  <p>verifies media sanitization and disposal actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>media sanitization and disposal records</p>
-                  <p>review records for media sanitization and disposal actions</p>
-                  <p>approvals for media sanitization and disposal actions</p>
-                  <p>tracking records</p>
-                  <p>verification records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization and
-                     disposal responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media sanitization</p>
-                  <p>automated mechanisms supporting and/or implementing media sanitization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.2">
-            <title>Equipment Testing</title>
-            <param id="mp-6.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">MP-6(2)</prop>
-            <prop name="sort-id">mp-06.02</prop>
-            <part id="mp-6.2_smt" name="statement">
-               <p>The organization tests sanitization equipment and procedures <insert param-id="mp-6.2_prm_1"/> to verify that the intended sanitization is being
-                  achieved.</p>
-            </part>
-            <part id="mp-6.2_gdn" name="guidance">
-               <p>Testing of sanitization equipment and procedures may be conducted by qualified and
-                  authorized external entities (e.g., other federal agencies or external service
-                  providers).</p>
-            </part>
-            <part id="mp-6.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.2_obj.1" name="objective">
-                  <prop name="label">MP-6(2)[1]</prop>
-                  <p>defines the frequency for testing sanitization equipment and procedures to
-                     verify that the intended sanitization is being achieved; and</p>
-               </part>
-               <part id="mp-6.2_obj.2" name="objective">
-                  <prop name="label">MP-6(2)[2]</prop>
-                  <p>tests sanitization equipment and procedures with the organization-defined
-                     frequency to verify that the intended sanitization is being achieved.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>procedures addressing testing of media sanitization equipment</p>
-                  <p>results of media sanitization equipment and procedures testing</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media sanitization</p>
-                  <p>automated mechanisms supporting and/or implementing media sanitization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.3">
-            <title>Nondestructive Techniques</title>
-            <param id="mp-6.3_prm_1">
-               <label>organization-defined circumstances requiring sanitization of portable storage
-                  devices</label>
-            </param>
-            <prop name="label">MP-6(3)</prop>
-            <prop name="sort-id">mp-06.03</prop>
-            <part id="mp-6.3_smt" name="statement">
-               <p>The organization applies nondestructive sanitization techniques to portable
-                  storage devices prior to connecting such devices to the information system under
-                  the following circumstances: <insert param-id="mp-6.3_prm_1"/>.</p>
-            </part>
-            <part id="mp-6.3_gdn" name="guidance">
-               <p>This control enhancement applies to digital media containing classified
-                  information and Controlled Unclassified Information (CUI). Portable storage
-                  devices can be the source of malicious code insertions into organizational
-                  information systems. Many of these devices are obtained from unknown and
-                  potentially untrustworthy sources and may contain malicious code that can be
-                  readily transferred to information systems through USB ports or other entry
-                  portals. While scanning such storage devices is always recommended, sanitization
-                  provides additional assurance that the devices are free of malicious code to
-                  include code capable of initiating zero-day attacks. Organizations consider
-                  nondestructive sanitization of portable storage devices when such devices are
-                  first purchased from the manufacturer or vendor prior to initial use or when
-                  organizations lose a positive chain of custody for the devices.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="mp-6.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.3_obj.1" name="objective">
-                  <prop name="label">MP-6(3)[1]</prop>
-                  <p>defines circumstances requiring sanitization of portable storage devices;
-                     and</p>
-               </part>
-               <part id="mp-6.3_obj.2" name="objective">
-                  <prop name="label">MP-6(3)[2]</prop>
-                  <p>applies nondestructive sanitization techniques to portable storage devices
-                     prior to connecting such devices to the information system under
-                     organization-defined circumstances requiring sanitization of portable storage
-                     devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>list of circumstances requiring sanitization of portable storage devices</p>
-                  <p>media sanitization records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media sanitization of portable storage devices</p>
-                  <p>automated mechanisms supporting and/or implementing media sanitization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.4">
-            <title>Controlled Unclassified Information</title>
-            <prop name="label">MP-6(4)</prop>
-            <prop name="sort-id">mp-06.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.5">
-            <title>Classified Information</title>
-            <prop name="label">MP-6(5)</prop>
-            <prop name="sort-id">mp-06.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.6">
-            <title>Media Destruction</title>
-            <prop name="label">MP-6(6)</prop>
-            <prop name="sort-id">mp-06.06</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.7">
-            <title>Dual Authorization</title>
-            <param id="mp-6.7_prm_1">
-               <label>organization-defined information system media</label>
-            </param>
-            <prop name="label">MP-6(7)</prop>
-            <prop name="sort-id">mp-06.07</prop>
-            <part id="mp-6.7_smt" name="statement">
-               <p>The organization enforces dual authorization for the sanitization of <insert param-id="mp-6.7_prm_1"/>.</p>
-            </part>
-            <part id="mp-6.7_gdn" name="guidance">
-               <p>Organizations employ dual authorization to ensure that information system media
-                  sanitization cannot occur unless two technically qualified individuals conduct the
-                  task. Individuals sanitizing information system media possess sufficient
-                  skills/expertise to determine if the proposed sanitization reflects applicable
-                  federal/organizational standards, policies, and procedures. Dual authorization
-                  also helps to ensure that sanitization occurs as intended, both protecting against
-                  errors and false claims of having performed the sanitization actions. Dual
-                  authorization may also be known as two-person control.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#mp-2">MP-2</link>
-            </part>
-            <part id="mp-6.7_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.7_obj.1" name="objective">
-                  <prop name="label">MP-6(7)[1]</prop>
-                  <p>defines information system media requiring dual authorization to be enforced
-                     for sanitization of such media; and</p>
-               </part>
-               <part id="mp-6.7_obj.2" name="objective">
-                  <prop name="label">MP-6(7)[2]</prop>
-                  <p>enforces dual authorization for the sanitization of organization-defined
-                     information system media.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>list of information system media requiring dual authorization for
-                     sanitization</p>
-                  <p>authorization records</p>
-                  <p>media sanitization records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes requiring dual authorization for media
-                     sanitization</p>
-                  <p>automated mechanisms supporting and/or implementing media sanitization</p>
-                  <p>automated mechanisms supporting and/or implementing dual authorization</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.8">
-            <title>Remote Purging / Wiping of Information</title>
-            <param id="mp-6.8_prm_1">
-               <label>organization-defined information systems, system components, or
-                  devices</label>
-            </param>
-            <param id="mp-6.8_prm_2">
-               <label>organization-defined conditions</label>
-            </param>
-            <prop name="label">MP-6(8)</prop>
-            <prop name="sort-id">mp-06.08</prop>
-            <part id="mp-6.8_smt" name="statement">
-               <p>The organization provides the capability to purge/wipe information from <insert param-id="mp-6.8_prm_1"/> either remotely or under the following conditions:
-                     <insert param-id="mp-6.8_prm_2"/>.</p>
-            </part>
-            <part id="mp-6.8_gdn" name="guidance">
-               <p>This control enhancement protects data/information on organizational information
-                  systems, system components, or devices (e.g., mobile devices) if such systems,
-                  components, or devices are obtained by unauthorized individuals. Remote purge/wipe
-                  commands require strong authentication to mitigate the risk of unauthorized
-                  individuals purging/wiping the system/component/device. The purge/wipe function
-                  can be implemented in a variety of ways including, for example, by overwriting
-                  data/information multiple times or by destroying the key necessary to decrypt
-                  encrypted data.</p>
-            </part>
-            <part id="mp-6.8_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-6.8_obj.1" name="objective">
-                  <prop name="label">MP-6(8)[1]</prop>
-                  <p>defines information systems, system components, or devices to purge/wipe either
-                     remotely or under specific organizational conditions;</p>
-               </part>
-               <part id="mp-6.8_obj.2" name="objective">
-                  <prop name="label">MP-6(8)[2]</prop>
-                  <p>defines conditions under which information is to be purged/wiped from
-                     organization-defined information systems, system components, or devices;
-                     and</p>
-               </part>
-               <part id="mp-6.8_obj.3" name="objective">
-                  <prop name="label">MP-6(8)[3]</prop>
-                  <p>provides the capability to purge/wipe information from organization-defined
-                     information systems, system components, or devices either:</p>
-                  <part id="mp-6.8_obj.3.a" name="objective">
-                     <prop name="label">MP-6(8)[3][a]</prop>
-                     <p>remotely; or</p>
-                  </part>
-                  <part id="mp-6.8_obj.3.b" name="objective">
-                     <prop name="label">MP-6(8)[3][b]</prop>
-                     <p>under organization-defined conditions.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media sanitization and disposal</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>media sanitization records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media sanitization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for purging/wiping media</p>
-                  <p>automated mechanisms supporting and/or implementing purge/wipe capabilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-7">
-         <title>Media Use</title>
-         <param id="mp-7_prm_1">
-            <select>
-               <choice>restricts</choice>
-               <choice>prohibits</choice>
-            </select>
-         </param>
-         <param id="mp-7_prm_2">
-            <label>organization-defined types of information system media</label>
-         </param>
-         <param id="mp-7_prm_3">
-            <label>organization-defined information systems or system components</label>
-         </param>
-         <param id="mp-7_prm_4">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">MP-7</prop>
-         <prop name="sort-id">mp-07</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="mp-7_smt" name="statement">
-            <p>The organization <insert param-id="mp-7_prm_1"/> the use of <insert param-id="mp-7_prm_2"/> on <insert param-id="mp-7_prm_3"/> using <insert param-id="mp-7_prm_4"/>.</p>
-         </part>
-         <part id="mp-7_gdn" name="guidance">
-            <p>Information system media includes both digital and non-digital media. Digital media
-               includes, for example, diskettes, magnetic tapes, external/removable hard disk
-               drives, flash drives, compact disks, and digital video disks. Non-digital media
-               includes, for example, paper and microfilm. This control also applies to mobile
-               devices with information storage capability (e.g., smart phones, tablets, E-readers).
-               In contrast to MP-2, which restricts user access to media, this control restricts the
-               use of certain types of media on information systems, for example,
-               restricting/prohibiting the use of flash drives or external hard disk drives.
-               Organizations can employ technical and nontechnical safeguards (e.g., policies,
-               procedures, rules of behavior) to restrict the use of information system media.
-               Organizations may restrict the use of portable storage devices, for example, by using
-               physical cages on workstations to prohibit access to certain external ports, or
-               disabling/removing the ability to insert, read or write to such devices.
-               Organizations may also limit the use of portable storage devices to only approved
-               devices including, for example, devices provided by the organization, devices
-               provided by other approved organizations, and devices that are not personally owned.
-               Finally, organizations may restrict the use of portable storage devices based on the
-               type of device, for example, prohibiting the use of writeable, portable storage
-               devices, and implementing this restriction by disabling or removing the capability to
-               write to such devices.</p>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-         </part>
-         <part id="mp-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-7_obj.1" name="objective">
-               <prop name="label">MP-7[1]</prop>
-               <p>defines types of information system media to be:</p>
-               <part id="mp-7_obj.1.a" name="objective">
-                  <prop name="label">MP-7[1][a]</prop>
-                  <p>restricted on information systems or system components; or</p>
-               </part>
-               <part id="mp-7_obj.1.b" name="objective">
-                  <prop name="label">MP-7[1][b]</prop>
-                  <p>prohibited from use on information systems or system components;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.2" name="objective">
-               <prop name="label">MP-7[2]</prop>
-               <p>defines information systems or system components on which the use of
-                  organization-defined types of information system media is to be one of the
-                  following:</p>
-               <part id="mp-7_obj.2.a" name="objective">
-                  <prop name="label">MP-7[2][a]</prop>
-                  <p>restricted; or</p>
-               </part>
-               <part id="mp-7_obj.2.b" name="objective">
-                  <prop name="label">MP-7[2][b]</prop>
-                  <p>prohibited;</p>
-               </part>
-            </part>
-            <part id="mp-7_obj.3" name="objective">
-               <prop name="label">MP-7[3]</prop>
-               <p>defines security safeguards to be employed to restrict or prohibit the use of
-                  organization-defined types of information system media on organization-defined
-                  information systems or system components; and</p>
-            </part>
-            <part id="mp-7_obj.4" name="objective">
-               <prop name="label">MP-7[4]</prop>
-               <p>restricts or prohibits the use of organization-defined information system media on
-                  organization-defined information systems or system components using
-                  organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>system use policy</p>
-               <p>procedures addressing media usage restrictions</p>
-               <p>security plan</p>
-               <p>rules of behavior</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media use responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media use</p>
-               <p>automated mechanisms restricting or prohibiting use of information system media on
-                  information systems or system components</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-7.1">
-            <title>Prohibit Use Without Owner</title>
-            <prop name="label">MP-7(1)</prop>
-            <prop name="sort-id">mp-07.01</prop>
-            <part id="mp-7.1_smt" name="statement">
-               <p>The organization prohibits the use of portable storage devices in organizational
-                  information systems when such devices have no identifiable owner.</p>
-            </part>
-            <part id="mp-7.1_gdn" name="guidance">
-               <p>Requiring identifiable owners (e.g., individuals, organizations, or projects) for
-                  portable storage devices reduces the risk of using such technologies by allowing
-                  organizations to assign responsibility and accountability for addressing known
-                  vulnerabilities in the devices (e.g., malicious code insertion).</p>
-               <link rel="related" href="#pl-4">PL-4</link>
-            </part>
-            <part id="mp-7.1_obj" name="objective">
-               <p>Determine if the organization prohibits the use of portable storage devices in
-                  organizational information systems when such devices have no identifiable owner.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>system use policy</p>
-                  <p>procedures addressing media usage restrictions</p>
-                  <p>security plan</p>
-                  <p>rules of behavior</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media use responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media use</p>
-                  <p>automated mechanisms prohibiting use of media on information systems or system
-                     components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-7.2">
-            <title>Prohibit Use of Sanitization-resistant Media</title>
-            <prop name="label">MP-7(2)</prop>
-            <prop name="sort-id">mp-07.02</prop>
-            <part id="mp-7.2_smt" name="statement">
-               <p>The organization prohibits the use of sanitization-resistant media in
-                  organizational information systems.</p>
-            </part>
-            <part id="mp-7.2_gdn" name="guidance">
-               <p>Sanitization-resistance applies to the capability to purge information from media.
-                  Certain types of media do not support sanitize commands, or if supported, the
-                  interfaces are not supported in a standardized way across these devices.
-                  Sanitization-resistant media include, for example, compact flash, embedded flash
-                  on boards and devices, solid state drives, and USB removable media.</p>
-               <link rel="related" href="#mp-6">MP-6</link>
-            </part>
-            <part id="mp-7.2_obj" name="objective">
-               <p>Determine if the organization prohibits the use of sanitization-resistant media in
-                  organizational information systems. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy, system use policy</p>
-                  <p>procedures addressing media usage restrictions</p>
-                  <p>rules of behavior</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media use responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media use</p>
-                  <p>automated mechanisms prohibiting use of media on information systems or system
-                     components</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-8">
-         <title>Media Downgrading</title>
-         <param id="mp-8_prm_1">
-            <label>organization-defined information system media downgrading process</label>
-         </param>
-         <param id="mp-8_prm_2">
-            <label>organization-defined strength and integrity</label>
-         </param>
-         <param id="mp-8_prm_3">
-            <label>organization-defined information system media requiring downgrading</label>
-         </param>
-         <prop name="label">MP-8</prop>
-         <prop name="sort-id">mp-08</prop>
-         <part id="mp-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="mp-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes <insert param-id="mp-8_prm_1"/> that includes employing downgrading
-                  mechanisms with <insert param-id="mp-8_prm_2"/>;</p>
-            </part>
-            <part id="mp-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that the information system media downgrading process is commensurate with
-                  the security category and/or classification level of the information to be removed
-                  and the access authorizations of the potential recipients of the downgraded
-                  information;</p>
-            </part>
-            <part id="mp-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies <insert param-id="mp-8_prm_3"/>; and</p>
-            </part>
-            <part id="mp-8_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Downgrades the identified information system media using the established
-                  process.</p>
-            </part>
-         </part>
-         <part id="mp-8_gdn" name="guidance">
-            <p>This control applies to all information system media, digital and non-digital,
-               subject to release outside of the organization, whether or not the media is
-               considered removable. The downgrading process, when applied to system media, removes
-               information from the media, typically by security category or classification level,
-               such that the information cannot be retrieved or reconstructed. Downgrading of media
-               includes redacting information to enable wider release and distribution. Downgrading
-               of media also ensures that empty space on the media (e.g., slack space within files)
-               is devoid of information.</p>
-         </part>
-         <part id="mp-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="mp-8.a_obj" name="objective">
-               <prop name="label">MP-8(a)</prop>
-               <part id="mp-8.a_obj.1" name="objective">
-                  <prop name="label">MP-8(a)[1]</prop>
-                  <p>defines the information system media downgrading process;</p>
-               </part>
-               <part id="mp-8.a_obj.2" name="objective">
-                  <prop name="label">MP-8(a)[2]</prop>
-                  <p>defines the strength and integrity with which media downgrading mechanisms are
-                     to be employed;</p>
-               </part>
-               <part id="mp-8.a_obj.3" name="objective">
-                  <prop name="label">MP-8(a)[3]</prop>
-                  <p>establishes an organization-defined information system media downgrading
-                     process that includes employing downgrading mechanisms with
-                     organization-defined strength and integrity;</p>
-               </part>
-            </part>
-            <part id="mp-8.b_obj" name="objective">
-               <prop name="label">MP-8(b)</prop>
-               <p>ensures that the information system media downgrading process is commensurate with
-                  the:</p>
-               <part id="mp-8.b_obj.1" name="objective">
-                  <prop name="label">MP-8(b)[1]</prop>
-                  <p>security category and/or classification level of the information to be
-                     removed;</p>
-               </part>
-               <part id="mp-8.b_obj.2" name="objective">
-                  <prop name="label">MP-8(b)[2]</prop>
-                  <p>access authorizations of the potential recipients of the downgraded
-                     information;</p>
-               </part>
-            </part>
-            <part id="mp-8.c_obj" name="objective">
-               <prop name="label">MP-8(c)</prop>
-               <p>identifies/defines information system media requiring downgrading; and</p>
-            </part>
-            <part id="mp-8.d_obj" name="objective">
-               <prop name="label">MP-8(d)</prop>
-               <p>downgrades the identified information system media using the established
-                  process.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system media protection policy</p>
-               <p>procedures addressing media downgrading</p>
-               <p>system categorization documentation</p>
-               <p>list of media requiring downgrading</p>
-               <p>records of media downgrading</p>
-               <p>audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information system media downgrading
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for media downgrading</p>
-               <p>automated mechanisms supporting and/or implementing media downgrading</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-8.1">
-            <title>Documentation of Process</title>
-            <prop name="label">MP-8(1)</prop>
-            <prop name="sort-id">mp-08.01</prop>
-            <part id="mp-8.1_smt" name="statement">
-               <p>The organization documents information system media downgrading actions.</p>
-            </part>
-            <part id="mp-8.1_gdn" name="guidance">
-               <p>Organizations can document the media downgrading process by providing information
-                  such as the downgrading technique employed, the identification number of the
-                  downgraded media, and the identity of the individual that authorized and/or
-                  performed the downgrading action.</p>
-            </part>
-            <part id="mp-8.1_obj" name="objective">
-               <p>Determine if the organization documents information system media downgrading
-                  actions. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media downgrading</p>
-                  <p>list of media requiring downgrading</p>
-                  <p>records of media downgrading</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media downgrading
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media downgrading</p>
-                  <p>automated mechanisms supporting and/or implementing media downgrading</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-8.2">
-            <title>Equipment Testing</title>
-            <param id="mp-8.2_prm_1">
-               <label>organization-defined tests</label>
-            </param>
-            <param id="mp-8.2_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">MP-8(2)</prop>
-            <prop name="sort-id">mp-08.02</prop>
-            <part id="mp-8.2_smt" name="statement">
-               <p>The organization employs <insert param-id="mp-8.2_prm_1"/> of downgrading
-                  equipment and procedures to verify correct performance <insert param-id="mp-8.2_prm_2"/>.</p>
-            </part>
-            <part id="mp-8.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-8.2_obj.1" name="objective">
-                  <prop name="label">MP-8(2)[1]</prop>
-                  <part id="mp-8.2_obj.1.a" name="objective">
-                     <prop name="label">MP-8(2)[1][a]</prop>
-                     <p>defines tests to be employed for downgrading equipment;</p>
-                  </part>
-                  <part id="mp-8.2_obj.1.b" name="objective">
-                     <prop name="label">MP-8(2)[1][b]</prop>
-                     <p>defines procedures to verify correct performance;</p>
-                  </part>
-               </part>
-               <part id="mp-8.2_obj.2" name="objective">
-                  <prop name="label">MP-8(2)[2]</prop>
-                  <p>defines the frequency for employing tests of downgrading equipment and
-                     procedures to verify correct performance; and</p>
-               </part>
-               <part id="mp-8.2_obj.3" name="objective">
-                  <prop name="label">MP-8(2)[3]</prop>
-                  <p>employs organization-defined tests of downgrading equipment and procedures to
-                     verify correct performance with the organization-defined frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>procedures addressing media downgrading</p>
-                  <p>procedures addressing testing of media downgrading equipment</p>
-                  <p>results of downgrading equipment and procedures testing</p>
-                  <p>audit records: other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media downgrading
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media downgrading</p>
-                  <p>automated mechanisms supporting and/or implementing media downgrading</p>
-                  <p>automated mechanisms supporting and/or implementing tests for downgrading
-                     equipment</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-8.3">
-            <title>Controlled Unclassified Information</title>
-            <param id="mp-8.3_prm_1">
-               <label>organization-defined Controlled Unclassified Information (CUI)</label>
-            </param>
-            <prop name="label">MP-8(3)</prop>
-            <prop name="sort-id">mp-08.03</prop>
-            <part id="mp-8.3_smt" name="statement">
-               <p>The organization downgrades information system media containing <insert param-id="mp-8.3_prm_1"/> prior to public release in accordance with applicable
-                  federal and organizational standards and policies.</p>
-            </part>
-            <part id="mp-8.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="mp-8.3_obj.1" name="objective">
-                  <prop name="label">MP-8(3)[1]</prop>
-                  <p>defines Controlled Unclassified Information (CUI) contained on information
-                     system media that requires downgrading prior to public release; and</p>
-               </part>
-               <part id="mp-8.3_obj.2" name="objective">
-                  <prop name="label">MP-8(3)[2]</prop>
-                  <p>downgrades information system media containing organization-defined CUI prior
-                     to public release in accordance with applicable federal and organizational
-                     standards and policies.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>access authorization policy</p>
-                  <p>procedures addressing downgrading of media containing CUI</p>
-                  <p>applicable federal and organizational standards and policies regarding
-                     protection of CUI</p>
-                  <p>media downgrading records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media downgrading
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media downgrading</p>
-                  <p>automated mechanisms supporting and/or implementing media downgrading</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-8.4">
-            <title>Classified Information</title>
-            <prop name="label">MP-8(4)</prop>
-            <prop name="sort-id">mp-08.04</prop>
-            <part id="mp-8.4_smt" name="statement">
-               <p>The organization downgrades information system media containing classified
-                  information prior to release to individuals without required access authorizations
-                  in accordance with NSA standards and policies.</p>
-            </part>
-            <part id="mp-8.4_gdn" name="guidance">
-               <p>Downgrading of classified information uses approved sanitization tools,
-                  techniques, and procedures to transfer information confirmed to be unclassified
-                  from classified information systems to unclassified media.</p>
-            </part>
-            <part id="mp-8.4_obj" name="objective">
-               <p>Determine if the organization downgrades information system media containing
-                  classified information prior to release to individuals without required access
-                  authorizations in accordance with NSA standards and policies. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Information system media protection policy</p>
-                  <p>access authorization policy</p>
-                  <p>procedures addressing downgrading of media containing classified
-                     information</p>
-                  <p>procedures addressing handling of classified information</p>
-                  <p>NSA standards and policies regarding protection of classified information</p>
-                  <p>media downgrading records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with information system media downgrading
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for media downgrading</p>
-                  <p>automated mechanisms supporting and/or implementing media downgrading</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="pe">
-      <title>Physical and Environmental Protection</title>
-      <control class="SP800-53" id="pe-1">
-         <title>Physical and Environmental Protection Policy and Procedures</title>
-         <param id="pe-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pe-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pe-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-1</prop>
-         <prop name="sort-id">pe-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pe-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pe-1_prm_1"/>:</p>
-               <part id="pe-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A physical and environmental protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="pe-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the physical and environmental
-                     protection policy and associated physical and environmental protection
-                     controls; and</p>
-               </part>
-            </part>
-            <part id="pe-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pe-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Physical and environmental protection policy <insert param-id="pe-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="pe-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Physical and environmental protection procedures <insert param-id="pe-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pe-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PE
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pe-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pe-1.a_obj" name="objective">
-               <prop name="label">PE-1(a)</prop>
-               <part id="pe-1.a.1_obj" name="objective">
-                  <prop name="label">PE-1(a)(1)</prop>
-                  <part id="pe-1.a.1_obj.1" name="objective">
-                     <prop name="label">PE-1(a)(1)[1]</prop>
-                     <p>develops and documents a physical and environmental protection policy that
-                        addresses:</p>
-                     <part id="pe-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pe-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PE-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pe-1.a.1_obj.2" name="objective">
-                     <prop name="label">PE-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the physical and environmental protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.1_obj.3" name="objective">
-                     <prop name="label">PE-1(a)(1)[3]</prop>
-                     <p>disseminates the physical and environmental protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="pe-1.a.2_obj" name="objective">
-                  <prop name="label">PE-1(a)(2)</prop>
-                  <part id="pe-1.a.2_obj.1" name="objective">
-                     <prop name="label">PE-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        physical and environmental protection policy and associated physical and
-                        environmental protection controls;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.2" name="objective">
-                     <prop name="label">PE-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pe-1.a.2_obj.3" name="objective">
-                     <prop name="label">PE-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-1.b_obj" name="objective">
-               <prop name="label">PE-1(b)</prop>
-               <part id="pe-1.b.1_obj" name="objective">
-                  <prop name="label">PE-1(b)(1)</prop>
-                  <part id="pe-1.b.1_obj.1" name="objective">
-                     <prop name="label">PE-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection policy;</p>
-                  </part>
-                  <part id="pe-1.b.1_obj.2" name="objective">
-                     <prop name="label">PE-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pe-1.b.2_obj" name="objective">
-                  <prop name="label">PE-1(b)(2)</prop>
-                  <part id="pe-1.b.2_obj.1" name="objective">
-                     <prop name="label">PE-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current physical and
-                        environmental protection procedures; and</p>
-                  </part>
-                  <part id="pe-1.b.2_obj.2" name="objective">
-                     <prop name="label">PE-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current physical and environmental protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical and environmental protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-2">
-         <title>Physical Access Authorizations</title>
-         <param id="pe-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-2</prop>
-         <prop name="sort-id">pe-02</prop>
-         <part id="pe-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, approves, and maintains a list of individuals with authorized access to
-                  the facility where the information system resides;</p>
-            </part>
-            <part id="pe-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the access list detailing authorized facility access by individuals
-                     <insert param-id="pe-2_prm_1"/>; and</p>
-            </part>
-            <part id="pe-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part id="pe-2_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Authorization credentials include, for
-               example, badges, identification cards, and smart cards. Organizations determine the
-               strength of authorization credentials needed (including level of forge-proof badges,
-               smart cards, or identification cards) consistent with federal standards, policies,
-               and procedures. This control only applies to areas within facilities that have not
-               been designated as publicly accessible.</p>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="pe-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-2.a_obj" name="objective">
-               <prop name="label">PE-2(a)</prop>
-               <part id="pe-2.a_obj.1" name="objective">
-                  <prop name="label">PE-2(a)[1]</prop>
-                  <p>develops a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.2" name="objective">
-                  <prop name="label">PE-2(a)[2]</prop>
-                  <p>approves a list of individuals with authorized access to the facility where the
-                     information system resides;</p>
-               </part>
-               <part id="pe-2.a_obj.3" name="objective">
-                  <prop name="label">PE-2(a)[3]</prop>
-                  <p>maintains a list of individuals with authorized access to the facility where
-                     the information system resides;</p>
-               </part>
-            </part>
-            <part id="pe-2.b_obj" name="objective">
-               <prop name="label">PE-2(b)</prop>
-               <p>issues authorization credentials for facility access;</p>
-            </part>
-            <part id="pe-2.c_obj" name="objective">
-               <prop name="label">PE-2(c)</prop>
-               <part id="pe-2.c_obj.1" name="objective">
-                  <prop name="label">PE-2(c)[1]</prop>
-                  <p>defines the frequency to review the access list detailing authorized facility
-                     access by individuals;</p>
-               </part>
-               <part id="pe-2.c_obj.2" name="objective">
-                  <prop name="label">PE-2(c)[2]</prop>
-                  <p>reviews the access list detailing authorized facility access by individuals
-                     with the organization-defined frequency; and</p>
-               </part>
-            </part>
-            <part id="pe-2.d_obj" name="objective">
-               <prop name="label">PE-2(d)</prop>
-               <p>removes individuals from the facility access list when access is no longer
-                  required.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access authorizations</p>
-               <p>security plan</p>
-               <p>authorized personnel access list</p>
-               <p>authorization credentials</p>
-               <p>physical access list reviews</p>
-               <p>physical access termination records and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access authorization responsibilities</p>
-               <p>organizational personnel with physical access to information system facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access authorizations</p>
-               <p>automated mechanisms supporting and/or implementing physical access
-                  authorizations</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-2.1">
-            <title>Access by Position / Role</title>
-            <prop name="label">PE-2(1)</prop>
-            <prop name="sort-id">pe-02.01</prop>
-            <part id="pe-2.1_smt" name="statement">
-               <p>The organization authorizes physical access to the facility where the information
-                  system resides based on position or role.</p>
-            </part>
-            <part id="pe-2.1_gdn" name="guidance">
-               <link rel="related" href="#ac-2">AC-2</link>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="pe-2.1_obj" name="objective">
-               <p>Determine if the organization authorizes physical access to the facility where the
-                  information system resides based on position or role. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access authorizations</p>
-                  <p>physical access control logs or records</p>
-                  <p>list of positions/roles and corresponding physical access authorizations</p>
-                  <p>information system entry and exit points</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access authorization
-                     responsibilities</p>
-                  <p>organizational personnel with physical access to information system
-                     facility</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for physical access authorizations</p>
-                  <p>automated mechanisms supporting and/or implementing physical access
-                     authorizations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-2.2">
-            <title>Two Forms of Identification</title>
-            <param id="pe-2.2_prm_1">
-               <label>organization-defined list of acceptable forms of identification</label>
-            </param>
-            <prop name="label">PE-2(2)</prop>
-            <prop name="sort-id">pe-02.02</prop>
-            <part id="pe-2.2_smt" name="statement">
-               <p>The organization requires two forms of identification from <insert param-id="pe-2.2_prm_1"/> for visitor access to the facility where the
-                  information system resides.</p>
-            </part>
-            <part id="pe-2.2_gdn" name="guidance">
-               <p>Acceptable forms of government photo identification include, for example,
-                  passports, Personal Identity Verification (PIV) cards, and drivers’ licenses. In
-                  the case of gaining access to facilities using automated mechanisms, organizations
-                  may use PIV cards, key cards, PINs, and biometrics.</p>
-               <link rel="related" href="#ia-2">IA-2</link>
-               <link rel="related" href="#ia-4">IA-4</link>
-               <link rel="related" href="#ia-5">IA-5</link>
-            </part>
-            <part id="pe-2.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-2.2_obj.1" name="objective">
-                  <prop name="label">PE-2(2)[1]</prop>
-                  <p>defines a list of acceptable forms of identification for visitor access to the
-                     facility where the information system resides; and</p>
-               </part>
-               <part id="pe-2.2_obj.2" name="objective">
-                  <prop name="label">PE-2(2)[2]</prop>
-                  <p>requires two forms of identification from the organization-defined list of
-                     acceptable forms of identification for visitor access to the facility where the
-                     information system resides.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access authorizations</p>
-                  <p>list of acceptable forms of identification for visitor access to the facility
-                     where information system resides</p>
-                  <p>access authorization forms</p>
-                  <p>access credentials</p>
-                  <p>physical access control logs or records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access authorization
-                     responsibilities</p>
-                  <p>organizational personnel with physical access to information system
-                     facility</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for physical access authorizations</p>
-                  <p>automated mechanisms supporting and/or implementing physical access
-                     authorizations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-2.3">
-            <title>Restrict Unescorted Access</title>
-            <param id="pe-2.3_prm_1">
-               <select how-many="one or more">
-                  <choice>security clearances for all information contained within the
-                     system</choice>
-                  <choice>formal access authorizations for all information contained within the
-                     system</choice>
-                  <choice>need for access to all information contained within the system</choice>
-                  <choice>
-                     <insert param-id="pe-2.3_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="pe-2.3_prm_2" depends-on="pe-2.3_prm_1">
-               <label>organization-defined credentials</label>
-            </param>
-            <prop name="label">PE-2(3)</prop>
-            <prop name="sort-id">pe-02.03</prop>
-            <part id="pe-2.3_smt" name="statement">
-               <p>The organization restricts unescorted access to the facility where the information
-                  system resides to personnel with <insert param-id="pe-2.3_prm_1"/>.</p>
-            </part>
-            <part id="pe-2.3_gdn" name="guidance">
-               <p>Due to the highly sensitive nature of classified information stored within certain
-                  facilities, it is important that individuals lacking sufficient security
-                  clearances, access approvals, or need to know, be escorted by individuals with
-                  appropriate credentials to ensure that such information is not exposed or
-                  otherwise compromised.</p>
-               <link rel="related" href="#ps-2">PS-2</link>
-               <link rel="related" href="#ps-6">PS-6</link>
-            </part>
-            <part id="pe-2.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-2.3_obj.1" name="objective">
-                  <prop name="label">PE-2(3)[1]</prop>
-                  <p>defines credentials to be employed to restrict unescorted access to the
-                     facility where the information system resides to authorized personnel;</p>
-               </part>
-               <part id="pe-2.3_obj.2" name="objective">
-                  <prop name="label">PE-2(3)[2]</prop>
-                  <p>restricts unescorted access to the facility where the information system
-                     resides to personnel with one or more of the following:</p>
-                  <part id="pe-2.3_obj.2.a" name="objective">
-                     <prop name="label">PE-2(3)[2][a]</prop>
-                     <p>security clearances for all information contained within the system;</p>
-                  </part>
-                  <part id="pe-2.3_obj.2.b" name="objective">
-                     <prop name="label">PE-2(3)[2][b]</prop>
-                     <p>formal access authorizations for all information contained within the
-                        system;</p>
-                  </part>
-                  <part id="pe-2.3_obj.2.c" name="objective">
-                     <prop name="label">PE-2(3)[2][c]</prop>
-                     <p>need for access to all information contained within the system; and/or</p>
-                  </part>
-                  <part id="pe-2.3_obj.2.d" name="objective">
-                     <prop name="label">PE-2(3)[2][d]</prop>
-                     <p>organization-defined credentials.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access authorizations</p>
-                  <p>authorized personnel access list</p>
-                  <p>security clearances</p>
-                  <p>access authorizations</p>
-                  <p>access credentials</p>
-                  <p>physical access control logs or records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access authorization
-                     responsibilities</p>
-                  <p>organizational personnel with physical access to information system
-                     facility</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for physical access authorizations</p>
-                  <p>automated mechanisms supporting and/or implementing physical access
-                     authorizations</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-3">
-         <title>Physical Access Control</title>
-         <param id="pe-3_prm_1">
-            <label>organization-defined entry/exit points to the facility where the information
-               system resides</label>
-         </param>
-         <param id="pe-3_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="pe-3_prm_3"/>
-               </choice>
-               <choice>guards</choice>
-            </select>
-         </param>
-         <param id="pe-3_prm_3" depends-on="pe-3_prm_2">
-            <label>organization-defined physical access control systems/devices</label>
-         </param>
-         <param id="pe-3_prm_4">
-            <label>organization-defined entry/exit points</label>
-         </param>
-         <param id="pe-3_prm_5">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <param id="pe-3_prm_6">
-            <label>organization-defined circumstances requiring visitor escorts and
-               monitoring</label>
-         </param>
-         <param id="pe-3_prm_7">
-            <label>organization-defined physical access devices</label>
-         </param>
-         <param id="pe-3_prm_8">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pe-3_prm_9">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-3</prop>
-         <prop name="sort-id">pe-03</prop>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#2157bb7e-192c-4eaa-877f-93ef6b0a3292" rel="reference">NIST Special Publication 800-116</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <link href="#398e33fd-f404-4e5c-b90e-2d50d3181244" rel="reference">ICD 705</link>
-         <link href="#61081e7f-041d-4033-96a7-44a439071683" rel="reference">DoD Instruction 5200.39</link>
-         <link href="#dd2f5acd-08f1-435a-9837-f8203088dc1a" rel="reference">Personal Identity Verification (PIV) in Enterprise
-            Physical Access Control System (E-PACS)</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <part id="pe-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Enforces physical access authorizations at <insert param-id="pe-3_prm_1"/> by;</p>
-               <part id="pe-3_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Verifying individual access authorizations before granting access to the
-                     facility; and</p>
-               </part>
-               <part id="pe-3_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Controlling ingress/egress to the facility using <insert param-id="pe-3_prm_2"/>;</p>
-               </part>
-            </part>
-            <part id="pe-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Maintains physical access audit logs for <insert param-id="pe-3_prm_4"/>;</p>
-            </part>
-            <part id="pe-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides <insert param-id="pe-3_prm_5"/> to control access to areas within the
-                  facility officially designated as publicly accessible;</p>
-            </part>
-            <part id="pe-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Escorts visitors and monitors visitor activity <insert param-id="pe-3_prm_6"/>;</p>
-            </part>
-            <part id="pe-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Secures keys, combinations, and other physical access devices;</p>
-            </part>
-            <part id="pe-3_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Inventories <insert param-id="pe-3_prm_7"/> every <insert param-id="pe-3_prm_8"/>;
-                  and</p>
-            </part>
-            <part id="pe-3_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Changes combinations and keys <insert param-id="pe-3_prm_9"/> and/or when keys are
-                  lost, combinations are compromised, or individuals are transferred or
-                  terminated.</p>
-            </part>
-         </part>
-         <part id="pe-3_gdn" name="guidance">
-            <p>This control applies to organizational employees and visitors. Individuals (e.g.,
-               employees, contractors, and others) with permanent physical access authorization
-               credentials are not considered visitors. Organizations determine the types of
-               facility guards needed including, for example, professional physical security staff
-               or other personnel such as administrative staff or information system users. Physical
-               access devices include, for example, keys, locks, combinations, and card readers.
-               Safeguards for publicly accessible areas within organizational facilities include,
-               for example, cameras, monitoring by guards, and isolating selected information
-               systems and/or system components in secured areas. Physical access control systems
-               comply with applicable federal laws, Executive Orders, directives, policies,
-               regulations, standards, and guidance. The Federal Identity, Credential, and Access
-               Management Program provides implementation guidance for identity, credential, and
-               access management capabilities for physical access control systems. Organizations
-               have flexibility in the types of audit logs employed. Audit logs can be procedural
-               (e.g., a written log of individuals accessing the facility and when such access
-               occurred), automated (e.g., capturing ID provided by a PIV card), or some combination
-               thereof. Physical access points can include facility access points, interior access
-               points to information systems and/or components requiring supplemental access
-               controls, or both. Components of organizational information systems (e.g.,
-               workstations, terminals) may be located in areas designated as publicly accessible
-               with organizations safeguarding access to such devices.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-5">PE-5</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pe-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-3.a_obj" name="objective">
-               <prop name="label">PE-3(a)</prop>
-               <part id="pe-3.a_obj.1" name="objective">
-                  <prop name="label">PE-3(a)[1]</prop>
-                  <p>defines entry/exit points to the facility where the information system
-                     resides;</p>
-               </part>
-               <part id="pe-3.a_obj.2" name="objective">
-                  <prop name="label">PE-3(a)[2]</prop>
-                  <p>enforces physical access authorizations at organization-defined entry/exit
-                     points to the facility where the information system resides by:</p>
-                  <part id="pe-3.a.1_obj.2" name="objective">
-                     <prop name="label">PE-3(a)[2](1)</prop>
-                     <p>verifying individual access authorizations before granting access to the
-                        facility;</p>
-                  </part>
-                  <part id="pe-3.a.2_obj.2" name="objective">
-                     <prop name="label">PE-3(a)[2](2)</prop>
-                     <part id="pe-3.a.2_obj.2.a" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[a]</prop>
-                        <p>defining physical access control systems/devices to be employed to
-                           control ingress/egress to the facility where the information system
-                           resides;</p>
-                     </part>
-                     <part id="pe-3.a.2_obj.2.b" name="objective">
-                        <prop name="label">PE-3(a)[2](2)[b]</prop>
-                        <p>using one or more of the following ways to control ingress/egress to the
-                           facility:</p>
-                        <part id="pe-3.a.2_obj.2.b.1" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][1]</prop>
-                           <p>organization-defined physical access control systems/devices;
-                              and/or</p>
-                        </part>
-                        <part id="pe-3.a.2_obj.2.b.2" name="objective">
-                           <prop name="label">PE-3(a)[2](2)[b][2]</prop>
-                           <p>guards;</p>
-                        </part>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.b_obj" name="objective">
-               <prop name="label">PE-3(b)</prop>
-               <part id="pe-3.b_obj.1" name="objective">
-                  <prop name="label">PE-3(b)[1]</prop>
-                  <p>defines entry/exit points for which physical access audit logs are to be
-                     maintained;</p>
-               </part>
-               <part id="pe-3.b_obj.2" name="objective">
-                  <prop name="label">PE-3(b)[2]</prop>
-                  <p>maintains physical access audit logs for organization-defined entry/exit
-                     points;</p>
-               </part>
-            </part>
-            <part id="pe-3.c_obj" name="objective">
-               <prop name="label">PE-3(c)</prop>
-               <part id="pe-3.c_obj.1" name="objective">
-                  <prop name="label">PE-3(c)[1]</prop>
-                  <p>defines security safeguards to be employed to control access to areas within
-                     the facility officially designated as publicly accessible;</p>
-               </part>
-               <part id="pe-3.c_obj.2" name="objective">
-                  <prop name="label">PE-3(c)[2]</prop>
-                  <p>provides organization-defined security safeguards to control access to areas
-                     within the facility officially designated as publicly accessible;</p>
-               </part>
-            </part>
-            <part id="pe-3.d_obj" name="objective">
-               <prop name="label">PE-3(d)</prop>
-               <part id="pe-3.d_obj.1" name="objective">
-                  <prop name="label">PE-3(d)[1]</prop>
-                  <p>defines circumstances requiring visitor:</p>
-                  <part id="pe-3.d_obj.1.a" name="objective">
-                     <prop name="label">PE-3(d)[1][a]</prop>
-                     <p>escorts;</p>
-                  </part>
-                  <part id="pe-3.d_obj.1.b" name="objective">
-                     <prop name="label">PE-3(d)[1][b]</prop>
-                     <p>monitoring;</p>
-                  </part>
-               </part>
-               <part id="pe-3.d_obj.2" name="objective">
-                  <prop name="label">PE-3(d)[2]</prop>
-                  <p>in accordance with organization-defined circumstances requiring visitor escorts
-                     and monitoring:</p>
-                  <part id="pe-3.d_obj.2.a" name="objective">
-                     <prop name="label">PE-3(d)[2][a]</prop>
-                     <p>escorts visitors;</p>
-                  </part>
-                  <part id="pe-3.d_obj.2.b" name="objective">
-                     <prop name="label">PE-3(d)[2][b]</prop>
-                     <p>monitors visitor activities;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pe-3.e_obj" name="objective">
-               <prop name="label">PE-3(e)</prop>
-               <part id="pe-3.e_obj.1" name="objective">
-                  <prop name="label">PE-3(e)[1]</prop>
-                  <p>secures keys;</p>
-               </part>
-               <part id="pe-3.e_obj.2" name="objective">
-                  <prop name="label">PE-3(e)[2]</prop>
-                  <p>secures combinations;</p>
-               </part>
-               <part id="pe-3.e_obj.3" name="objective">
-                  <prop name="label">PE-3(e)[3]</prop>
-                  <p>secures other physical access devices;</p>
-               </part>
-            </part>
-            <part id="pe-3.f_obj" name="objective">
-               <prop name="label">PE-3(f)</prop>
-               <part id="pe-3.f_obj.1" name="objective">
-                  <prop name="label">PE-3(f)[1]</prop>
-                  <p>defines physical access devices to be inventoried;</p>
-               </part>
-               <part id="pe-3.f_obj.2" name="objective">
-                  <prop name="label">PE-3(f)[2]</prop>
-                  <p>defines the frequency to inventory organization-defined physical access
-                     devices;</p>
-               </part>
-               <part id="pe-3.f_obj.3" name="objective">
-                  <prop name="label">PE-3(f)[3]</prop>
-                  <p>inventories the organization-defined physical access devices with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pe-3.g_obj" name="objective">
-               <prop name="label">PE-3(g)</prop>
-               <part id="pe-3.g_obj.1" name="objective">
-                  <prop name="label">PE-3(g)[1]</prop>
-                  <p>defines the frequency to change combinations and keys; and</p>
-               </part>
-               <part id="pe-3.g_obj.2" name="objective">
-                  <prop name="label">PE-3(g)[2]</prop>
-                  <p>changes combinations and keys with the organization-defined frequency and/or
-                     when:</p>
-                  <part id="pe-3.g_obj.2.a" name="objective">
-                     <prop name="label">PE-3(g)[2][a]</prop>
-                     <p>keys are lost;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.b" name="objective">
-                     <prop name="label">PE-3(g)[2][b]</prop>
-                     <p>combinations are compromised;</p>
-                  </part>
-                  <part id="pe-3.g_obj.2.c" name="objective">
-                     <prop name="label">PE-3(g)[2][c]</prop>
-                     <p>individuals are transferred or terminated.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access control</p>
-               <p>security plan</p>
-               <p>physical access control logs or records</p>
-               <p>inventory records of physical access control devices</p>
-               <p>information system entry and exit points</p>
-               <p>records of key and lock combination changes</p>
-               <p>storage locations for physical access control devices</p>
-               <p>physical access control devices</p>
-               <p>list of security safeguards controlling access to designated publicly accessible
-                  areas within facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for physical access control</p>
-               <p>automated mechanisms supporting and/or implementing physical access control</p>
-               <p>physical access control devices</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-3.1">
-            <title>Information System Access</title>
-            <param id="pe-3.1_prm_1">
-               <label>organization-defined physical spaces containing one or more components of the
-                  information system</label>
-            </param>
-            <prop name="label">PE-3(1)</prop>
-            <prop name="sort-id">pe-03.01</prop>
-            <part id="pe-3.1_smt" name="statement">
-               <p>The organization enforces physical access authorizations to the information system
-                  in addition to the physical access controls for the facility at <insert param-id="pe-3.1_prm_1"/>.</p>
-            </part>
-            <part id="pe-3.1_gdn" name="guidance">
-               <p>This control enhancement provides additional physical security for those areas
-                  within facilities where there is a concentration of information system components
-                  (e.g., server rooms, media storage areas, data and communications centers).</p>
-               <link rel="related" href="#ps-2">PS-2</link>
-            </part>
-            <part id="pe-3.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-3.1_obj.1" name="objective">
-                  <prop name="label">PE-3(1)[1]</prop>
-                  <p>defines physical spaces containing one or more components of the information
-                     system; and</p>
-               </part>
-               <part id="pe-3.1_obj.2" name="objective">
-                  <prop name="label">PE-3(1)[2]</prop>
-                  <p>enforces physical access authorizations to the information system in addition
-                     to the physical access controls for the facility at organization-defined
-                     physical spaces containing one or more components of the information
-                     system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>physical access control logs or records</p>
-                  <p>physical access control devices</p>
-                  <p>access authorizations</p>
-                  <p>access credentials</p>
-                  <p>information system entry and exit points</p>
-                  <p>list of areas within the facility containing concentrations of information
-                     system components or information system components requiring additional
-                     physical protection</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access authorization
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for physical access control to the information
-                     system/components</p>
-                  <p>automated mechanisms supporting and/or implementing physical access control for
-                     facility areas containing information system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.2">
-            <title>Facility / Information System Boundaries</title>
-            <param id="pe-3.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">PE-3(2)</prop>
-            <prop name="sort-id">pe-03.02</prop>
-            <part id="pe-3.2_smt" name="statement">
-               <p>The organization performs security checks <insert param-id="pe-3.2_prm_1"/> at the
-                  physical boundary of the facility or information system for unauthorized
-                  exfiltration of information or removal of information system components.</p>
-            </part>
-            <part id="pe-3.2_gdn" name="guidance">
-               <p>Organizations determine the extent, frequency, and/or randomness of security
-                  checks to adequately mitigate risk associated with exfiltration.</p>
-               <link rel="related" href="#ac-4">AC-4</link>
-               <link rel="related" href="#sc-7">SC-7</link>
-            </part>
-            <part id="pe-3.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-3.2_obj.1" name="objective">
-                  <prop name="label">PE-3(2)[1]</prop>
-                  <p>defines the frequency to perform security checks at the physical boundary of
-                     the facility or information system for:</p>
-                  <part id="pe-3.2_obj.1.a" name="objective">
-                     <prop name="label">PE-3(2)[1][a]</prop>
-                     <p>unauthorized exfiltration of information; or</p>
-                  </part>
-                  <part id="pe-3.2_obj.1.b" name="objective">
-                     <prop name="label">PE-3(2)[1][b]</prop>
-                     <p>removal of information system components; and</p>
-                  </part>
-               </part>
-               <part id="pe-3.2_obj.2" name="objective">
-                  <prop name="label">PE-3(2)[2]</prop>
-                  <p>performs security checks with the organization-defined frequency at the
-                     physical boundary of the facility or information system for:</p>
-                  <part id="pe-3.2_obj.2.a" name="objective">
-                     <prop name="label">PE-3(2)[2][a]</prop>
-                     <p>unauthorized exfiltration of information; or</p>
-                  </part>
-                  <part id="pe-3.2_obj.2.b" name="objective">
-                     <prop name="label">PE-3(2)[2][b]</prop>
-                     <p>removal of information system components.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>physical access control logs or records</p>
-                  <p>records of security checks</p>
-                  <p>security audit reports</p>
-                  <p>security inspection reports</p>
-                  <p>facility layout documentation</p>
-                  <p>information system entry and exit points</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for physical access control to the facility and/or
-                     information system</p>
-                  <p>automated mechanisms supporting and/or implementing physical access control for
-                     the facility or information system</p>
-                  <p>automated mechanisms supporting and/or implementing security checks for
-                     unauthorized exfiltration of information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.3">
-            <title>Continuous Guards / Alarms / Monitoring</title>
-            <prop name="label">PE-3(3)</prop>
-            <prop name="sort-id">pe-03.03</prop>
-            <part id="pe-3.3_smt" name="statement">
-               <p>The organization employs guards and/or alarms to monitor every physical access
-                  point to the facility where the information system resides 24 hours per day, 7
-                  days per week.</p>
-            </part>
-            <part id="pe-3.3_gdn" name="guidance">
-               <link rel="related" href="#cp-6">CP-6</link>
-               <link rel="related" href="#cp-7">CP-7</link>
-            </part>
-            <part id="pe-3.3_obj" name="objective">
-               <p>Determine if the organization employs one or more of the following to monitor
-                  every physical access point to the facility where the information system resides
-                  24 hours per day, 7 days per week:</p>
-               <part id="pe-3.3_obj.1" name="objective">
-                  <prop name="label">PE-3(3)[1]</prop>
-                  <p>guards; and/or</p>
-               </part>
-               <part id="pe-3.3_obj.2" name="objective">
-                  <prop name="label">PE-3(3)[2]</prop>
-                  <p>alarms.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>physical access control logs or records</p>
-                  <p>physical access control devices</p>
-                  <p>facility surveillance records</p>
-                  <p>facility layout documentation</p>
-                  <p>information system entry and exit points</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for physical access control to the facility where the
-                     information system resides</p>
-                  <p>automated mechanisms supporting and/or implementing physical access control for
-                     the facility where the information system resides</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.4">
-            <title>Lockable Casings</title>
-            <param id="pe-3.4_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">PE-3(4)</prop>
-            <prop name="sort-id">pe-03.04</prop>
-            <part id="pe-3.4_smt" name="statement">
-               <p>The organization uses lockable physical casings to protect <insert param-id="pe-3.4_prm_1"/> from unauthorized physical access.</p>
-            </part>
-            <part id="pe-3.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-3.4_obj.1" name="objective">
-                  <prop name="label">PE-3(4)[1]</prop>
-                  <p>defines information system components to be protected from unauthorized
-                     physical access using lockable physical casings; and</p>
-               </part>
-               <part id="pe-3.4_obj.2" name="objective">
-                  <prop name="label">PE-3(4)[2]</prop>
-                  <p>uses lockable physical casings to protect organization-defined information
-                     system components from unauthorized physical access.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>security plan</p>
-                  <p>list of information system components requiring protection through lockable
-                     physical casings</p>
-                  <p>lockable physical casings</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Lockable physical casings</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.5">
-            <title>Tamper Protection</title>
-            <param id="pe-3.5_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="pe-3.5_prm_2">
-               <select how-many="one or more">
-                  <choice>detect</choice>
-                  <choice>prevent</choice>
-               </select>
-            </param>
-            <param id="pe-3.5_prm_3">
-               <label>organization-defined hardware components</label>
-            </param>
-            <prop name="label">PE-3(5)</prop>
-            <prop name="sort-id">pe-03.05</prop>
-            <part id="pe-3.5_smt" name="statement">
-               <p>The organization employs <insert param-id="pe-3.5_prm_1"/> to <insert param-id="pe-3.5_prm_2"/> physical tampering or alteration of <insert param-id="pe-3.5_prm_3"/> within the information system.</p>
-            </part>
-            <part id="pe-3.5_gdn" name="guidance">
-               <p>Organizations may implement tamper detection/prevention at selected hardware
-                  components or tamper detection at some components and tamper prevention at other
-                  components. Tamper detection/prevention activities can employ many types of
-                  anti-tamper technologies including, for example, tamper-detection seals and
-                  anti-tamper coatings. Anti-tamper programs help to detect hardware alterations
-                  through counterfeiting and other supply chain-related risks.</p>
-               <link rel="related" href="#sa-12">SA-12</link>
-            </part>
-            <part id="pe-3.5_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-3.5_obj.1" name="objective">
-                  <prop name="label">PE-3(5)[1]</prop>
-                  <p>defines security safeguards to be employed to detect and/or prevent physical
-                     tampering or alteration of organization-defined hardware components within the
-                     information system;</p>
-               </part>
-               <part id="pe-3.5_obj.2" name="objective">
-                  <prop name="label">PE-3(5)[2]</prop>
-                  <p>defines hardware components within the information system for which security
-                     safeguards are to be employed to detect and/or prevent physical tampering or
-                     alteration of such components;</p>
-               </part>
-               <part id="pe-3.5_obj.3" name="objective">
-                  <prop name="label">PE-3(5)[3]</prop>
-                  <p>employs organization-defined security safeguards to do one or more of the
-                     following:</p>
-                  <part id="pe-3.5_obj.3.a" name="objective">
-                     <prop name="label">PE-3(5)[3][a]</prop>
-                     <p>detect physical tampering or alteration of organization-defined hardware
-                        components within the information system; and/or</p>
-                  </part>
-                  <part id="pe-3.5_obj.3.b" name="objective">
-                     <prop name="label">PE-3(5)[3][b]</prop>
-                     <p>prevent physical tampering or alteration of organization-defined hardware
-                        components within the information system.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>list of security safeguards to detect/prevent physical tampering or alteration
-                     of information system hardware components</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes to detect/prevent physical tampering or alteration of
-                     information system hardware components</p>
-                  <p>automated mechanisms/security safeguards supporting and/or implementing
-                     detection/prevention of physical tampering/alternation of information system
-                     hardware components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.6">
-            <title>Facility Penetration Testing</title>
-            <param id="pe-3.6_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">PE-3(6)</prop>
-            <prop name="sort-id">pe-03.06</prop>
-            <part id="pe-3.6_smt" name="statement">
-               <p>The organization employs a penetration testing process that includes <insert param-id="pe-3.6_prm_1"/>, unannounced attempts to bypass or circumvent
-                  security controls associated with physical access points to the facility.</p>
-            </part>
-            <part id="pe-3.6_gdn" name="guidance">
-               <link rel="related" href="#ca-2">CA-2</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="pe-3.6_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-3.6_obj.1" name="objective">
-                  <prop name="label">PE-3(6)[1]</prop>
-                  <p>defines the frequency of unannounced attempts to be included in a penetration
-                     testing process to bypass or circumvent security controls associated with
-                     physical access points to the facility; and</p>
-               </part>
-               <part id="pe-3.6_obj.2" name="objective">
-                  <prop name="label">PE-3(6)[2]</prop>
-                  <p>employs a penetration testing process with the organization-defined frequency
-                     that includes unannounced attempts to bypass or circumvent security controls
-                     associated with physical access points to the facility.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>procedures addressing penetration testing</p>
-                  <p>rules of engagement and associated documentation</p>
-                  <p>penetration test results</p>
-                  <p>security plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for facility penetration testing</p>
-                  <p>automated mechanisms supporting and/or implementing facility penetration
-                     testing</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-4">
-         <title>Access Control for Transmission Medium</title>
-         <param id="pe-4_prm_1">
-            <label>organization-defined information system distribution and transmission
-               lines</label>
-         </param>
-         <param id="pe-4_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">PE-4</prop>
-         <prop name="sort-id">pe-04</prop>
-         <link href="#06dff0ea-3848-4945-8d91-e955ee69f05d" rel="reference">NSTISSI No. 7003</link>
-         <part id="pe-4_smt" name="statement">
-            <p>The organization controls physical access to <insert param-id="pe-4_prm_1"/> within
-               organizational facilities using <insert param-id="pe-4_prm_2"/>.</p>
-         </part>
-         <part id="pe-4_gdn" name="guidance">
-            <p>Physical security safeguards applied to information system distribution and
-               transmission lines help to prevent accidental damage, disruption, and physical
-               tampering. In addition, physical safeguards may be necessary to help prevent
-               eavesdropping or in transit modification of unencrypted transmissions. Security
-               safeguards to control physical access to system distribution and transmission lines
-               include, for example: (i) locked wiring closets; (ii) disconnected or locked spare
-               jacks; and/or (iii) protection of cabling by conduit or cable trays.</p>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-5">PE-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-         </part>
-         <part id="pe-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-4_obj.1" name="objective">
-               <prop name="label">PE-4[1]</prop>
-               <p>defines information system distribution and transmission lines requiring physical
-                  access controls;</p>
-            </part>
-            <part id="pe-4_obj.2" name="objective">
-               <prop name="label">PE-4[2]</prop>
-               <p>defines security safeguards to be employed to control physical access to
-                  organization-defined information system distribution and transmission lines within
-                  organizational facilities; and</p>
-            </part>
-            <part id="pe-4_obj.3" name="objective">
-               <prop name="label">PE-4[3]</prop>
-               <p>controls physical access to organization-defined information system distribution
-                  and transmission lines within organizational facilities using organization-defined
-                  security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing access control for transmission medium</p>
-               <p>information system design documentation</p>
-               <p>facility communications and wiring diagrams</p>
-               <p>list of physical security safeguards applied to information system distribution
-                  and transmission lines</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access control to distribution and transmission
-                  lines</p>
-               <p>automated mechanisms/security safeguards supporting and/or implementing access
-                  control to distribution and transmission lines</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-5">
-         <title>Access Control for Output Devices</title>
-         <prop name="label">PE-5</prop>
-         <prop name="sort-id">pe-05</prop>
-         <part id="pe-5_smt" name="statement">
-            <p>The organization controls physical access to information system output devices to
-               prevent unauthorized individuals from obtaining the output.</p>
-         </part>
-         <part id="pe-5_gdn" name="guidance">
-            <p>Controlling physical access to output devices includes, for example, placing output
-               devices in locked rooms or other secured areas and allowing access to authorized
-               individuals only, and placing output devices in locations that can be monitored by
-               organizational personnel. Monitors, printers, copiers, scanners, facsimile machines,
-               and audio devices are examples of information system output devices.</p>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-18">PE-18</link>
-         </part>
-         <part id="pe-5_obj" name="objective">
-            <p>Determine if the organization controls physical access to information system output
-               devices to prevent unauthorized individuals from obtaining the output. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing access control for display medium</p>
-               <p>facility layout of information system components</p>
-               <p>actual displays from information system components</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access control to output devices</p>
-               <p>automated mechanisms supporting and/or implementing access control to output
-                  devices</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-5.1">
-            <title>Access to Output by Authorized Individuals</title>
-            <param id="pe-5.1_prm_1">
-               <label>organization-defined output devices</label>
-            </param>
-            <prop name="label">PE-5(1)</prop>
-            <prop name="sort-id">pe-05.01</prop>
-            <part id="pe-5.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="pe-5.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Controls physical access to output from <insert param-id="pe-5.1_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="pe-5.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Ensures that only authorized individuals receive output from the device.</p>
-               </part>
-            </part>
-            <part id="pe-5.1_gdn" name="guidance">
-               <p>Controlling physical access to selected output devices includes, for example,
-                  placing printers, copiers, and facsimile machines in controlled areas with keypad
-                  access controls or limiting access to individuals with certain types of
-                  badges.</p>
-            </part>
-            <part id="pe-5.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-5.1.a_obj" name="objective">
-                  <prop name="label">PE-5(1)(a)</prop>
-                  <part id="pe-5.1.a_obj.1" name="objective">
-                     <prop name="label">PE-5(1)(a)[1]</prop>
-                     <p>defines output devices whose output requires physical access controls;</p>
-                  </part>
-                  <part id="pe-5.1.a_obj.2" name="objective">
-                     <prop name="label">PE-5(1)(a)[2]</prop>
-                     <p>controls physical access to output from organization-defined output devices;
-                        and</p>
-                  </part>
-                  <link rel="corresp" href="#pe-5.1_smt.a">PE-5(1)(a)</link>
-               </part>
-               <part id="pe-5.1.b_obj" name="objective">
-                  <prop name="label">PE-5(1)(b)</prop>
-                  <p>ensures that only authorized individuals receive output from the device.</p>
-                  <link rel="corresp" href="#pe-5.1_smt.b">PE-5(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>list of output devices and associated outputs requiring physical access
-                     controls</p>
-                  <p>physical access control logs or records for areas containing output devices and
-                     related outputs</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for access control to output devices</p>
-                  <p>automated mechanisms supporting and/or implementing access control to output
-                     devices</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-5.2">
-            <title>Access to Output by Individual Identity</title>
-            <param id="pe-5.2_prm_1">
-               <label>organization-defined output devices</label>
-            </param>
-            <prop name="label">PE-5(2)</prop>
-            <prop name="sort-id">pe-05.02</prop>
-            <part id="pe-5.2_smt" name="statement">
-               <p>The information system:</p>
-               <part id="pe-5.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Controls physical access to output from <insert param-id="pe-5.2_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="pe-5.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Links individual identity to receipt of the output from the device.</p>
-               </part>
-            </part>
-            <part id="pe-5.2_gdn" name="guidance">
-               <p>Controlling physical access to selected output devices includes, for example,
-                  installing security functionality on printers, copiers, and facsimile machines
-                  that allows organizations to implement authentication (e.g., using a PIN or
-                  hardware token) on output devices prior to the release of output to
-                  individuals.</p>
-            </part>
-            <part id="pe-5.2_obj" name="objective">
-               <p>Determine if: </p>
-               <part id="pe-5.2.a_obj" name="objective">
-                  <prop name="label">PE-5(2)(a)</prop>
-                  <part id="pe-5.2.a_obj.1" name="objective">
-                     <prop name="label">PE-5(2)(a)[1]</prop>
-                     <p>the organization defines output devices whose output requires physical
-                        access controls;</p>
-                  </part>
-                  <part id="pe-5.2.a_obj.2" name="objective">
-                     <prop name="label">PE-5(2)(a)[2]</prop>
-                     <p>the information system controls physical access to output from
-                        organization-defined output devices; and</p>
-                  </part>
-                  <link rel="corresp" href="#pe-5.2_smt.a">PE-5(2)(a)</link>
-               </part>
-               <part id="pe-5.2.b_obj" name="objective">
-                  <prop name="label">PE-5(2)(b)</prop>
-                  <p>the information system links individual identity to receipt of the output from
-                     the device.</p>
-                  <link rel="corresp" href="#pe-5.2_smt.b">PE-5(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of output devices and associated outputs requiring physical access
-                     controls</p>
-                  <p>physical access control logs or records for areas containing output devices and
-                     related outputs</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for access control to output devices</p>
-                  <p>automated mechanisms supporting and/or implementing access control to output
-                     devices</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-5.3">
-            <title>Marking Output Devices</title>
-            <param id="pe-5.3_prm_1">
-               <label>organization-defined information system output devices</label>
-            </param>
-            <prop name="label">PE-5(3)</prop>
-            <prop name="sort-id">pe-05.03</prop>
-            <part id="pe-5.3_smt" name="statement">
-               <p>The organization marks <insert param-id="pe-5.3_prm_1"/> indicating the
-                  appropriate security marking of the information permitted to be output from the
-                  device.</p>
-            </part>
-            <part id="pe-5.3_gdn" name="guidance">
-               <p>Outputs devices include, for example, printers, monitors, facsimile machines,
-                  scanners, copiers, and audio devices. This control enhancement is generally
-                  applicable to information system output devices other than mobiles devices.</p>
-            </part>
-            <part id="pe-5.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-5.3_obj.1" name="objective">
-                  <prop name="label">PE-5(3)[1]</prop>
-                  <p>defines information system output devices to be marked with appropriate
-                     security marking of the information permitted to be output from such devices;
-                     and</p>
-               </part>
-               <part id="pe-5.3_obj.2" name="objective">
-                  <prop name="label">PE-5(3)[2]</prop>
-                  <p>marks organization-defined information system output devices indicating the
-                     appropriate security marking of the information permitted to be output from the
-                     device.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access control</p>
-                  <p>security markings for information types permitted as output from information
-                     system output devices</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access control responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for marking output devices</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-6">
-         <title>Monitoring Physical Access</title>
-         <param id="pe-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pe-6_prm_2">
-            <label>organization-defined events or potential indications of events</label>
-         </param>
-         <prop name="label">PE-6</prop>
-         <prop name="sort-id">pe-06</prop>
-         <part id="pe-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews physical access logs <insert param-id="pe-6_prm_1"/> and upon occurrence
-                  of <insert param-id="pe-6_prm_2"/>; and</p>
-            </part>
-            <part id="pe-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part id="pe-6_gdn" name="guidance">
-            <p>Organizational incident response capabilities include investigations of and responses
-               to detected physical security incidents. Security incidents include, for example,
-               apparent security violations or suspicious physical access activities. Suspicious
-               physical access activities include, for example: (i) accesses outside of normal work
-               hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for
-               unusual lengths of time; and (iv) out-of-sequence accesses.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-         </part>
-         <part id="pe-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-6.a_obj" name="objective">
-               <prop name="label">PE-6(a)</prop>
-               <p>monitors physical access to the facility where the information system resides to
-                  detect and respond to physical security incidents;</p>
-            </part>
-            <part id="pe-6.b_obj" name="objective">
-               <prop name="label">PE-6(b)</prop>
-               <part id="pe-6.b_obj.1" name="objective">
-                  <prop name="label">PE-6(b)[1]</prop>
-                  <p>defines the frequency to review physical access logs;</p>
-               </part>
-               <part id="pe-6.b_obj.2" name="objective">
-                  <prop name="label">PE-6(b)[2]</prop>
-                  <p>defines events or potential indication of events requiring physical access logs
-                     to be reviewed;</p>
-               </part>
-               <part id="pe-6.b_obj.3" name="objective">
-                  <prop name="label">PE-6(b)[3]</prop>
-                  <p>reviews physical access logs with the organization-defined frequency and upon
-                     occurrence of organization-defined events or potential indications of events;
-                     and</p>
-               </part>
-            </part>
-            <part id="pe-6.c_obj" name="objective">
-               <prop name="label">PE-6(c)</prop>
-               <p>coordinates results of reviews and investigations with the organizational incident
-                  response capability.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing physical access monitoring</p>
-               <p>security plan</p>
-               <p>physical access logs or records</p>
-               <p>physical access monitoring records</p>
-               <p>physical access log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with physical access monitoring responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring physical access</p>
-               <p>automated mechanisms supporting and/or implementing physical access monitoring</p>
-               <p>automated mechanisms supporting and/or implementing reviewing of physical access
-                  logs</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-6.1">
-            <title>Intrusion Alarms / Surveillance Equipment</title>
-            <prop name="label">PE-6(1)</prop>
-            <prop name="sort-id">pe-06.01</prop>
-            <part id="pe-6.1_smt" name="statement">
-               <p>The organization monitors physical intrusion alarms and surveillance
-                  equipment.</p>
-            </part>
-            <part id="pe-6.1_obj" name="objective">
-               <p>Determine if the organization monitors physical intrusion alarms and surveillance
-                  equipment. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>security plan</p>
-                  <p>physical access logs or records</p>
-                  <p>physical access monitoring records</p>
-                  <p>physical access log reviews</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring physical intrusion alarms and
-                     surveillance equipment</p>
-                  <p>automated mechanisms supporting and/or implementing physical access
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing physical intrusion alarms
-                     and surveillance equipment</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-6.2">
-            <title>Automated Intrusion Recognition / Responses</title>
-            <param id="pe-6.2_prm_1">
-               <label>organization-defined classes/types of intrusions</label>
-            </param>
-            <param id="pe-6.2_prm_2">
-               <label>organization-defined response actions</label>
-            </param>
-            <prop name="label">PE-6(2)</prop>
-            <prop name="sort-id">pe-06.02</prop>
-            <part id="pe-6.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to recognize <insert param-id="pe-6.2_prm_1"/> and initiate <insert param-id="pe-6.2_prm_2"/>.</p>
-            </part>
-            <part id="pe-6.2_gdn" name="guidance">
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="pe-6.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-6.2_obj.1" name="objective">
-                  <prop name="label">PE-6(2)[1]</prop>
-                  <p>defines classes/types of intrusions to be recognized by automated
-                     mechanisms;</p>
-               </part>
-               <part id="pe-6.2_obj.2" name="objective">
-                  <prop name="label">PE-6(2)[2]</prop>
-                  <p>defines response actions to be initiated by automated mechanisms when
-                     organization-defined classes/types of intrusions are recognized; and</p>
-               </part>
-               <part id="pe-6.2_obj.3" name="objective">
-                  <prop name="label">PE-6(2)[3]</prop>
-                  <p>employs automated mechanisms to recognize organization-defined classes/types of
-                     intrusions and initiate organization-defined response actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of response actions to be initiated when specific classes/types of
-                     intrusions are recognized</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring physical access</p>
-                  <p>automated mechanisms supporting and/or implementing physical access
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing recognition of
-                     classes/types of intrusions and initiation of a response</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-6.3">
-            <title>Video Surveillance</title>
-            <param id="pe-6.3_prm_1">
-               <label>organization-defined operational areas</label>
-            </param>
-            <param id="pe-6.3_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">PE-6(3)</prop>
-            <prop name="sort-id">pe-06.03</prop>
-            <part id="pe-6.3_smt" name="statement">
-               <p>The organization employs video surveillance of <insert param-id="pe-6.3_prm_1"/>
-                  and retains video recordings for <insert param-id="pe-6.3_prm_2"/>.</p>
-            </part>
-            <part id="pe-6.3_gdn" name="guidance">
-               <p>This control enhancement focuses on recording surveillance video for purposes of
-                  subsequent review, if circumstances so warrant (e.g., a break-in detected by other
-                  means). It does not require monitoring surveillance video although organizations
-                  may choose to do so. Note that there may be legal considerations when performing
-                  and retaining video surveillance, especially if such surveillance is in a public
-                  location.</p>
-            </part>
-            <part id="pe-6.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-6.3_obj.1" name="objective">
-                  <prop name="label">PE-6(3)[1]</prop>
-                  <p>defines operational areas where video surveillance is to be employed;</p>
-               </part>
-               <part id="pe-6.3_obj.2" name="objective">
-                  <prop name="label">PE-6(3)[2]</prop>
-                  <p>defines a time period to retain video recordings of organization-defined
-                     operational areas;</p>
-               </part>
-               <part id="pe-6.3_obj.3" name="objective">
-                  <prop name="label">PE-6(3)[3]</prop>
-                  <part id="pe-6.3_obj.3.a" name="objective">
-                     <prop name="label">PE-6(3)[3][a]</prop>
-                     <p>employs video surveillance of organization-defined operational areas;
-                        and</p>
-                  </part>
-                  <part id="pe-6.3_obj.3.b" name="objective">
-                     <prop name="label">PE-6(3)[3][b]</prop>
-                     <p>retains video recordings for the organization-defined time period.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>video surveillance equipment used to monitor operational areas</p>
-                  <p>video recordings of operational areas where video surveillance is employed</p>
-                  <p>video surveillance equipment logs or records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring physical access</p>
-                  <p>automated mechanisms supporting and/or implementing physical access
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing video surveillance</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-6.4">
-            <title>Monitoring Physical Access to Information Systems</title>
-            <param id="pe-6.4_prm_1">
-               <label>organization-defined physical spaces containing one or more components of the
-                  information system</label>
-            </param>
-            <prop name="label">PE-6(4)</prop>
-            <prop name="sort-id">pe-06.04</prop>
-            <part id="pe-6.4_smt" name="statement">
-               <p>The organization monitors physical access to the information system in addition to
-                  the physical access monitoring of the facility as <insert param-id="pe-6.4_prm_1"/>.</p>
-            </part>
-            <part id="pe-6.4_gdn" name="guidance">
-               <p>This control enhancement provides additional monitoring for those areas within
-                  facilities where there is a concentration of information system components (e.g.,
-                  server rooms, media storage areas, communications centers).</p>
-               <link rel="related" href="#ps-2">PS-2</link>
-               <link rel="related" href="#ps-3">PS-3</link>
-            </part>
-            <part id="pe-6.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-6.4_obj.1" name="objective">
-                  <prop name="label">PE-6(4)[1]</prop>
-                  <p>defines physical spaces containing one or more components of the information
-                     system; and</p>
-               </part>
-               <part id="pe-6.4_obj.2" name="objective">
-                  <prop name="label">PE-6(4)[2]</prop>
-                  <p>monitors physical access to the information system in addition to the physical
-                     access monitoring of the facility at organization-defined physical spaces
-                     containing one or more components of the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing physical access monitoring</p>
-                  <p>physical access control logs or records</p>
-                  <p>physical access control devices</p>
-                  <p>access authorizations</p>
-                  <p>access credentials</p>
-                  <p>list of areas within the facility containing concentrations of information
-                     system components or information system components requiring additional
-                     physical access monitoring</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with physical access monitoring responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring physical access to the information
-                     system</p>
-                  <p>automated mechanisms supporting and/or implementing physical access monitoring
-                     for facility areas containing information system components</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-7">
-         <title>Visitor Control</title>
-         <prop name="label">PE-7</prop>
-         <prop name="sort-id">pe-07</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#pe-2">PE-2</link>
-         <link rel="incorporated-into" href="#pe-3">PE-3</link>
-      </control>
-      <control class="SP800-53" id="pe-8">
-         <title>Visitor Access Records</title>
-         <param id="pe-8_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="pe-8_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-8</prop>
-         <prop name="sort-id">pe-08</prop>
-         <part id="pe-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains visitor access records to the facility where the information system
-                  resides for <insert param-id="pe-8_prm_1"/>; and</p>
-            </part>
-            <part id="pe-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews visitor access records <insert param-id="pe-8_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="pe-8_gdn" name="guidance">
-            <p>Visitor access records include, for example, names and organizations of persons
-               visiting, visitor signatures, forms of identification, dates of access, entry and
-               departure times, purposes of visits, and names and organizations of persons visited.
-               Visitor access records are not required for publicly accessible areas.</p>
-         </part>
-         <part id="pe-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-8.a_obj" name="objective">
-               <prop name="label">PE-8(a)</prop>
-               <part id="pe-8.a_obj.1" name="objective">
-                  <prop name="label">PE-8(a)[1]</prop>
-                  <p>defines the time period to maintain visitor access records to the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-8.a_obj.2" name="objective">
-                  <prop name="label">PE-8(a)[2]</prop>
-                  <p>maintains visitor access records to the facility where the information system
-                     resides for the organization-defined time period;</p>
-               </part>
-            </part>
-            <part id="pe-8.b_obj" name="objective">
-               <prop name="label">PE-8(b)</prop>
-               <part id="pe-8.b_obj.1" name="objective">
-                  <prop name="label">PE-8(b)[1]</prop>
-                  <p>defines the frequency to review visitor access records; and</p>
-               </part>
-               <part id="pe-8.b_obj.2" name="objective">
-                  <prop name="label">PE-8(b)[2]</prop>
-                  <p>reviews visitor access records with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing visitor access records</p>
-               <p>security plan</p>
-               <p>visitor access control logs or records</p>
-               <p>visitor access record or log reviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with visitor access records responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for maintaining and reviewing visitor access records</p>
-               <p>automated mechanisms supporting and/or implementing maintenance and review of
-                  visitor access records</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-8.1">
-            <title>Automated Records Maintenance / Review</title>
-            <prop name="label">PE-8(1)</prop>
-            <prop name="sort-id">pe-08.01</prop>
-            <part id="pe-8.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to facilitate the maintenance and
-                  review of visitor access records.</p>
-            </part>
-            <part id="pe-8.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to facilitate the
-                  maintenance and review of visitor access records. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing visitor access records</p>
-                  <p>automated mechanisms supporting management of visitor access records</p>
-                  <p>visitor access control logs or records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with visitor access records responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maintaining and reviewing visitor access
-                     records</p>
-                  <p>automated mechanisms supporting and/or implementing maintenance and review of
-                     visitor access records</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-8.2">
-            <title>Physical Access Records</title>
-            <prop name="label">PE-8(2)</prop>
-            <prop name="sort-id">pe-08.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#pe-2">PE-2</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-9">
-         <title>Power Equipment and Cabling</title>
-         <prop name="label">PE-9</prop>
-         <prop name="sort-id">pe-09</prop>
-         <part id="pe-9_smt" name="statement">
-            <p>The organization protects power equipment and power cabling for the information
-               system from damage and destruction.</p>
-         </part>
-         <part id="pe-9_gdn" name="guidance">
-            <p>Organizations determine the types of protection necessary for power equipment and
-               cabling employed at different locations both internal and external to organizational
-               facilities and environments of operation. This includes, for example, generators and
-               power cabling outside of buildings, internal cabling and uninterruptable power
-               sources within an office or data center, and power sources for self-contained
-               entities such as vehicles and satellites.</p>
-            <link rel="related" href="#pe-4">PE-4</link>
-         </part>
-         <part id="pe-9_obj" name="objective">
-            <p>Determine if the organization protects power equipment and power cabling for the
-               information system from damage and destruction. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing power equipment/cabling protection</p>
-               <p>facilities housing power equipment/cabling</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for protecting power
-                  equipment/cabling</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing protection of power
-                  equipment/cabling</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-9.1">
-            <title>Redundant Cabling</title>
-            <param id="pe-9.1_prm_1">
-               <label>organization-defined distance</label>
-            </param>
-            <prop name="label">PE-9(1)</prop>
-            <prop name="sort-id">pe-09.01</prop>
-            <part id="pe-9.1_smt" name="statement">
-               <p>The organization employs redundant power cabling paths that are physically
-                  separated by <insert param-id="pe-9.1_prm_1"/>.</p>
-            </part>
-            <part id="pe-9.1_gdn" name="guidance">
-               <p>Physically separate, redundant power cables help to ensure that power continues to
-                  flow in the event one of the cables is cut or otherwise damaged.</p>
-            </part>
-            <part id="pe-9.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="pe-9.1_obj.1" name="objective">
-                  <prop name="label">PE-9(1)[1]</prop>
-                  <p>defines the distance by which redundant power cabling paths are to be
-                     physically separated; and</p>
-               </part>
-               <part id="pe-9.1_obj.2" name="objective">
-                  <prop name="label">PE-9(1)[2]</prop>
-                  <p>employs redundant power cabling paths that are physically separated by
-                     organization-defined distance.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing power equipment/cabling protection</p>
-                  <p>facilities housing power equipment/cabling</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for protecting power
-                     equipment/cabling</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing protection of power
-                     equipment/cabling</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-9.2">
-            <title>Automatic Voltage Controls</title>
-            <param id="pe-9.2_prm_1">
-               <label>organization-defined critical information system components</label>
-            </param>
-            <prop name="label">PE-9(2)</prop>
-            <prop name="sort-id">pe-09.02</prop>
-            <part id="pe-9.2_smt" name="statement">
-               <p>The organization employs automatic voltage controls for <insert param-id="pe-9.2_prm_1"/>.</p>
-            </part>
-            <part id="pe-9.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="pe-9.2_obj.1" name="objective">
-                  <prop name="label">PE-9(2)[1]</prop>
-                  <p>defines critical information system components that require automatic voltage
-                     controls; and</p>
-               </part>
-               <part id="pe-9.2_obj.2" name="objective">
-                  <prop name="label">PE-9(2)[2]</prop>
-                  <p>employs automatic voltage controls for organization-defined critical
-                     information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing voltage control</p>
-                  <p>security plan</p>
-                  <p>list of critical information system components requiring automatic voltage
-                     controls</p>
-                  <p>automatic voltage control mechanisms and associated configurations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for environmental protection of
-                     information system components</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing automatic voltage
-                     controls</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-10">
-         <title>Emergency Shutoff</title>
-         <param id="pe-10_prm_1">
-            <label>organization-defined location by information system or system component</label>
-         </param>
-         <prop name="label">PE-10</prop>
-         <prop name="sort-id">pe-10</prop>
-         <part id="pe-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides the capability of shutting off power to the information system or
-                  individual system components in emergency situations;</p>
-            </part>
-            <part id="pe-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Places emergency shutoff switches or devices in <insert param-id="pe-10_prm_1"/>
-                  to facilitate safe and easy access for personnel; and</p>
-            </part>
-            <part id="pe-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Protects emergency power shutoff capability from unauthorized activation.</p>
-            </part>
-         </part>
-         <part id="pe-10_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms.</p>
-            <link rel="related" href="#pe-15">PE-15</link>
-         </part>
-         <part id="pe-10_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-10.a_obj" name="objective">
-               <prop name="label">PE-10(a)</prop>
-               <p>provides the capability of shutting off power to the information system or
-                  individual system components in emergency situations;</p>
-            </part>
-            <part id="pe-10.b_obj" name="objective">
-               <prop name="label">PE-10(b)</prop>
-               <part id="pe-10.b_obj.1" name="objective">
-                  <prop name="label">PE-10(b)[1]</prop>
-                  <p>defines the location of emergency shutoff switches or devices by information
-                     system or system component;</p>
-               </part>
-               <part id="pe-10.b_obj.2" name="objective">
-                  <prop name="label">PE-10(b)[2]</prop>
-                  <p>places emergency shutoff switches or devices in the organization-defined
-                     location by information system or system component to facilitate safe and easy
-                     access for personnel; and</p>
-               </part>
-            </part>
-            <part id="pe-10.c_obj" name="objective">
-               <prop name="label">PE-10(c)</prop>
-               <p>protects emergency power shutoff capability from unauthorized activation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing power source emergency shutoff</p>
-               <p>security plan</p>
-               <p>emergency shutoff controls or switches</p>
-               <p>locations housing emergency shutoff switches and devices</p>
-               <p>security safeguards protecting emergency power shutoff capability from
-                  unauthorized activation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency power shutoff
-                  capability (both implementing and using the capability)</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing emergency power shutoff</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-10.1">
-            <title>Accidental / Unauthorized Activation</title>
-            <prop name="label">PE-10(1)</prop>
-            <prop name="sort-id">pe-10.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#pe-10">PE-10</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-11">
-         <title>Emergency Power</title>
-         <param id="pe-11_prm_1">
-            <select how-many="one or more">
-               <choice>an orderly shutdown of the information system</choice>
-               <choice>transition of the information system to long-term alternate power</choice>
-            </select>
-         </param>
-         <prop name="label">PE-11</prop>
-         <prop name="sort-id">pe-11</prop>
-         <part id="pe-11_smt" name="statement">
-            <p>The organization provides a short-term uninterruptible power supply to facilitate
-                  <insert param-id="pe-11_prm_1"/> in the event of a primary power source loss.</p>
-         </part>
-         <part id="pe-11_gdn" name="guidance">
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-11_obj" name="objective">
-            <p>Determine if the organization provides a short-term uninterruptible power supply to
-               facilitate one or more of the following in the event of a primary power source loss: </p>
-            <part id="pe-11_obj.1" name="objective">
-               <prop name="label">PE-11[1]</prop>
-               <p>an orderly shutdown of the information system; and/or</p>
-            </part>
-            <part id="pe-11_obj.2" name="objective">
-               <prop name="label">PE-11[2]</prop>
-               <p>transition of the information system to long-term alternate power.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing emergency power</p>
-               <p>uninterruptible power supply</p>
-               <p>uninterruptible power supply documentation</p>
-               <p>uninterruptible power supply test records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency power and/or
-                  planning</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing uninterruptible power
-                  supply</p>
-               <p>the uninterruptable power supply</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-11.1">
-            <title>Long-term Alternate Power Supply - Minimal Operational Capability</title>
-            <prop name="label">PE-11(1)</prop>
-            <prop name="sort-id">pe-11.01</prop>
-            <part id="pe-11.1_smt" name="statement">
-               <p>The organization provides a long-term alternate power supply for the information
-                  system that is capable of maintaining minimally required operational capability in
-                  the event of an extended loss of the primary power source.</p>
-            </part>
-            <part id="pe-11.1_gdn" name="guidance">
-               <p>This control enhancement can be satisfied, for example, by the use of a secondary
-                  commercial power supply or other external power supply. Long-term alternate power
-                  supplies for the information system can be either manually or automatically
-                  activated.</p>
-            </part>
-            <part id="pe-11.1_obj" name="objective">
-               <p>Determine if the organization provides a long-term alternate power supply for the
-                  information system that is capable of maintaining minimally required operational
-                  capability in the event of an extended loss of the primary power source. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing emergency power</p>
-                  <p>alternate power supply</p>
-                  <p>alternate power supply documentation</p>
-                  <p>alternate power supply test records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for emergency power and/or
-                     planning</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing alternate power supply</p>
-                  <p>the alternate power supply</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-11.2">
-            <title>Long-term Alternate Power Supply - Self-contained</title>
-            <param id="pe-11.2_prm_1">
-               <select>
-                  <choice>minimally required operational capability</choice>
-                  <choice>full operational capability</choice>
-               </select>
-            </param>
-            <prop name="label">PE-11(2)</prop>
-            <prop name="sort-id">pe-11.02</prop>
-            <part id="pe-11.2_smt" name="statement">
-               <p>The organization provides a long-term alternate power supply for the information
-                  system that is:</p>
-               <part id="pe-11.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Self-contained;</p>
-               </part>
-               <part id="pe-11.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Not reliant on external power generation; and</p>
-               </part>
-               <part id="pe-11.2_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Capable of maintaining <insert param-id="pe-11.2_prm_1"/> in the event of an
-                     extended loss of the primary power source.</p>
-               </part>
-            </part>
-            <part id="pe-11.2_gdn" name="guidance">
-               <p>This control enhancement can be satisfied, for example, by the use of one or more
-                  generators with sufficient capacity to meet the needs of the organization.
-                  Long-term alternate power supplies for organizational information systems are
-                  either manually or automatically activated.</p>
-            </part>
-            <part id="pe-11.2_obj" name="objective">
-               <p>Determine if the organization provides a long-term alternate power supply for the
-                  information system that is: </p>
-               <part id="pe-11.2.a_obj" name="objective">
-                  <prop name="label">PE-11(2)(a)</prop>
-                  <p>self-contained;</p>
-                  <link rel="corresp" href="#pe-11.2_smt.a">PE-11(2)(a)</link>
-               </part>
-               <part id="pe-11.2.b_obj" name="objective">
-                  <prop name="label">PE-11(2)(b)</prop>
-                  <p>not reliant on external power generation;</p>
-                  <link rel="corresp" href="#pe-11.2_smt.b">PE-11(2)(b)</link>
-               </part>
-               <part id="pe-11.2.c_obj" name="objective">
-                  <prop name="label">PE-11(2)(c)</prop>
-                  <p>capable of maintaining one of the following in the event of an extended loss of
-                     the primary power source:</p>
-                  <part id="pe-11.2.c_obj.1" name="objective">
-                     <prop name="label">PE-11(2)(c)[1]</prop>
-                     <p>minimally required operational capability; or</p>
-                  </part>
-                  <part id="pe-11.2.c_obj.2" name="objective">
-                     <prop name="label">PE-11(2)(c)[2]</prop>
-                     <p>full operational capability.</p>
-                  </part>
-                  <link rel="corresp" href="#pe-11.2_smt.c">PE-11(2)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing emergency power</p>
-                  <p>alternate power supply</p>
-                  <p>alternate power supply documentation</p>
-                  <p>alternate power supply test records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for emergency power and/or
-                     planning</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing alternate power supply</p>
-                  <p>the alternate power supply</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-12">
-         <title>Emergency Lighting</title>
-         <prop name="label">PE-12</prop>
-         <prop name="sort-id">pe-12</prop>
-         <part id="pe-12_smt" name="statement">
-            <p>The organization employs and maintains automatic emergency lighting for the
-               information system that activates in the event of a power outage or disruption and
-               that covers emergency exits and evacuation routes within the facility.</p>
-         </part>
-         <part id="pe-12_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-12_obj" name="objective">
-            <p>Determine if the organization employs and maintains automatic emergency lighting for
-               the information system that: </p>
-            <part id="pe-12_obj.1" name="objective">
-               <prop name="label">PE-12[1]</prop>
-               <p>activates in the event of a power outage or disruption; and</p>
-            </part>
-            <part id="pe-12_obj.2" name="objective">
-               <prop name="label">PE-12[2]</prop>
-               <p>covers emergency exits and evacuation routes within the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing emergency lighting</p>
-               <p>emergency lighting documentation</p>
-               <p>emergency lighting test records</p>
-               <p>emergency exits and evacuation routes</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for emergency lighting and/or
-                  planning</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing emergency lighting
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-12.1">
-            <title>Essential Missions / Business Functions</title>
-            <prop name="label">PE-12(1)</prop>
-            <prop name="sort-id">pe-12.01</prop>
-            <part id="pe-12.1_smt" name="statement">
-               <p>The organization provides emergency lighting for all areas within the facility
-                  supporting essential missions and business functions.</p>
-            </part>
-            <part id="pe-12.1_obj" name="objective">
-               <p>Determine if the organization provides emergency lighting for all areas within the
-                  facility supporting essential missions and business functions.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing emergency lighting</p>
-                  <p>emergency lighting documentation</p>
-                  <p>emergency lighting test records</p>
-                  <p>emergency exits and evacuation routes</p>
-                  <p>areas/locations within facility supporting essential missions and business
-                     functions</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for emergency lighting and/or
-                     planning</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing emergency lighting
-                     capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-13">
-         <title>Fire Protection</title>
-         <prop name="label">PE-13</prop>
-         <prop name="sort-id">pe-13</prop>
-         <part id="pe-13_smt" name="statement">
-            <p>The organization employs and maintains fire suppression and detection devices/systems
-               for the information system that are supported by an independent energy source.</p>
-         </part>
-         <part id="pe-13_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Fire suppression and detection devices/systems include, for example,
-               sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke
-               detectors.</p>
-         </part>
-         <part id="pe-13_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-13_obj.1" name="objective">
-               <prop name="label">PE-13[1]</prop>
-               <p>employs fire suppression and detection devices/systems for the information system
-                  that are supported by an independent energy source; and</p>
-            </part>
-            <part id="pe-13_obj.2" name="objective">
-               <prop name="label">PE-13[2]</prop>
-               <p>maintains fire suppression and detection devices/systems for the information
-                  system that are supported by an independent energy source.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing fire protection</p>
-               <p>fire suppression and detection devices/systems</p>
-               <p>fire suppression and detection devices/systems documentation</p>
-               <p>test records of fire suppression and detection devices/systems</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for fire detection and suppression
-                  devices/systems</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing fire suppression/detection
-                  devices/systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-13.1">
-            <title>Detection Devices / Systems</title>
-            <param id="pe-13.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="pe-13.1_prm_2">
-               <label>organization-defined emergency responders</label>
-            </param>
-            <prop name="label">PE-13(1)</prop>
-            <prop name="sort-id">pe-13.01</prop>
-            <part id="pe-13.1_smt" name="statement">
-               <p>The organization employs fire detection devices/systems for the information system
-                  that activate automatically and notify <insert param-id="pe-13.1_prm_1"/> and
-                     <insert param-id="pe-13.1_prm_2"/> in the event of a fire.</p>
-            </part>
-            <part id="pe-13.1_gdn" name="guidance">
-               <p>Organizations can identify specific personnel, roles, and emergency responders in
-                  the event that individuals on the notification list must have appropriate access
-                  authorizations and/or clearances, for example, to obtain access to facilities
-                  where classified operations are taking place or where there are information
-                  systems containing classified information.</p>
-            </part>
-            <part id="pe-13.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-13.1_obj.1" name="objective">
-                  <prop name="label">PE-13(1)[1]</prop>
-                  <p>defines personnel or roles to be notified in the event of a fire;</p>
-               </part>
-               <part id="pe-13.1_obj.2" name="objective">
-                  <prop name="label">PE-13(1)[2]</prop>
-                  <p>defines emergency responders to be notified in the event of a fire;</p>
-               </part>
-               <part id="pe-13.1_obj.3" name="objective">
-                  <prop name="label">PE-13(1)[3]</prop>
-                  <p>employs fire detection devices/systems for the information system that, in the
-                     event of a fire,:</p>
-                  <part id="pe-13.1_obj.3.a" name="objective">
-                     <prop name="label">PE-13(1)[3][a]</prop>
-                     <p>activate automatically;</p>
-                  </part>
-                  <part id="pe-13.1_obj.3.b" name="objective">
-                     <prop name="label">PE-13(1)[3][b]</prop>
-                     <p>notify organization-defined personnel or roles; and</p>
-                  </part>
-                  <part id="pe-13.1_obj.3.c" name="objective">
-                     <prop name="label">PE-13(1)[3][c]</prop>
-                     <p>notify organization-defined emergency responders.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>facility housing the information system</p>
-                  <p>alarm service-level agreements</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>fire suppression and detection devices/systems documentation</p>
-                  <p>alerts/notifications of fire events</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for fire detection and
-                     suppression devices/systems</p>
-                  <p>organizational personnel with responsibilities for notifying appropriate
-                     personnel, roles, and emergency responders of fires</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing fire detection
-                     devices/systems</p>
-                  <p>activation of fire detection devices/systems (simulated)</p>
-                  <p>automated notifications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.2">
-            <title>Suppression Devices / Systems</title>
-            <param id="pe-13.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="pe-13.2_prm_2">
-               <label>organization-defined emergency responders</label>
-            </param>
-            <prop name="label">PE-13(2)</prop>
-            <prop name="sort-id">pe-13.02</prop>
-            <part id="pe-13.2_smt" name="statement">
-               <p>The organization employs fire suppression devices/systems for the information
-                  system that provide automatic notification of any activation to <insert param-id="pe-13.2_prm_1"/> and <insert param-id="pe-13.2_prm_2"/>.</p>
-            </part>
-            <part id="pe-13.2_gdn" name="guidance">
-               <p>Organizations can identify specific personnel, roles, and emergency responders in
-                  the event that individuals on the notification list must have appropriate access
-                  authorizations and/or clearances, for example, to obtain access to facilities
-                  where classified operations are taking place or where there are information
-                  systems containing classified information.</p>
-            </part>
-            <part id="pe-13.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-13.2_obj.1" name="objective">
-                  <prop name="label">PE-13(2)[1]</prop>
-                  <p>defines personnel or roles to be provided automatic notification of any
-                     activation of fire suppression devices/systems for the information system;</p>
-               </part>
-               <part id="pe-13.2_obj.2" name="objective">
-                  <prop name="label">PE-13(2)[2]</prop>
-                  <p>defines emergency responders to be provided automatic notification of any
-                     activation of fire suppression devices/systems for the information system;</p>
-               </part>
-               <part id="pe-13.2_obj.3" name="objective">
-                  <prop name="label">PE-13(2)[3]</prop>
-                  <p>employs fire suppression devices/systems for the information system that
-                     provide automatic notification of any activation to:</p>
-                  <part id="pe-13.2_obj.3.a" name="objective">
-                     <prop name="label">PE-13(2)[3][a]</prop>
-                     <p>organization-defined personnel or roles; and</p>
-                  </part>
-                  <part id="pe-13.2_obj.3.b" name="objective">
-                     <prop name="label">PE-13(2)[3][b]</prop>
-                     <p>organization-defined emergency responders.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>fire suppression and detection devices/systems documentation</p>
-                  <p>facility housing the information system</p>
-                  <p>alarm service-level agreements</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for fire detection and
-                     suppression devices/systems</p>
-                  <p>organizational personnel with responsibilities for providing automatic
-                     notifications of any activation of fire suppression devices/systems to
-                     appropriate personnel, roles, and emergency responders</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing fire suppression
-                     devices/systems</p>
-                  <p>activation of fire suppression devices/systems (simulated)</p>
-                  <p>automated notifications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.3">
-            <title>Automatic Fire Suppression</title>
-            <prop name="label">PE-13(3)</prop>
-            <prop name="sort-id">pe-13.03</prop>
-            <part id="pe-13.3_smt" name="statement">
-               <p>The organization employs an automatic fire suppression capability for the
-                  information system when the facility is not staffed on a continuous basis.</p>
-            </part>
-            <part id="pe-13.3_obj" name="objective">
-               <p>Determine if the organization employs an automatic fire suppression capability for
-                  the information system when the facility is not staffed on a continuous basis.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>fire suppression and detection devices/systems documentation</p>
-                  <p>facility housing the information system</p>
-                  <p>alarm service-level agreements</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for fire detection and
-                     suppression devices/systems</p>
-                  <p>organizational personnel with responsibilities for providing automatic
-                     notifications of any activation of fire suppression devices/systems to
-                     appropriate personnel, roles, and emergency responders</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing fire suppression
-                     devices/systems</p>
-                  <p>activation of fire suppression devices/systems (simulated)</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.4">
-            <title>Inspections</title>
-            <param id="pe-13.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="pe-13.4_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">PE-13(4)</prop>
-            <prop name="sort-id">pe-13.04</prop>
-            <part id="pe-13.4_smt" name="statement">
-               <p>The organization ensures that the facility undergoes <insert param-id="pe-13.4_prm_1"/> inspections by authorized and qualified inspectors
-                  and resolves identified deficiencies within <insert param-id="pe-13.4_prm_2"/>.</p>
-            </part>
-            <part id="pe-13.4_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-13.4_obj.1" name="objective">
-                  <prop name="label">PE-13(4)[1]</prop>
-                  <p>defines the frequency of inspections to be conducted on the facility by
-                     authorized and qualified inspectors;</p>
-               </part>
-               <part id="pe-13.4_obj.2" name="objective">
-                  <prop name="label">PE-13(4)[2]</prop>
-                  <p>ensures that the facility undergoes inspections by authorized and qualified
-                     inspectors with the organization-defined frequency;</p>
-               </part>
-               <part id="pe-13.4_obj.3" name="objective">
-                  <prop name="label">PE-13(4)[3]</prop>
-                  <p>defines a time period to resolve deficiencies identified when the facility
-                     undergoes such inspections; and</p>
-               </part>
-               <part id="pe-13.4_obj.4" name="objective">
-                  <prop name="label">PE-13(4)[4]</prop>
-                  <p>resolves identified deficiencies within the organization-defined time
-                     period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing fire protection</p>
-                  <p>security plan</p>
-                  <p>facility housing the information system</p>
-                  <p>inspection plans</p>
-                  <p>inspection results</p>
-                  <p>inspect reports</p>
-                  <p>test records of fire suppression and detection devices/systems</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for planning, approving, and
-                     executing fire inspections</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-14">
-         <title>Temperature and Humidity Controls</title>
-         <param id="pe-14_prm_1">
-            <label>organization-defined acceptable levels</label>
-         </param>
-         <param id="pe-14_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-14</prop>
-         <prop name="sort-id">pe-14</prop>
-         <part id="pe-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Maintains temperature and humidity levels within the facility where the
-                  information system resides at <insert param-id="pe-14_prm_1"/>; and</p>
-            </part>
-            <part id="pe-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Monitors temperature and humidity levels <insert param-id="pe-14_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="pe-14_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources, for example, data centers, server rooms, and mainframe computer
-               rooms.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-14_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-14.a_obj" name="objective">
-               <prop name="label">PE-14(a)</prop>
-               <part id="pe-14.a_obj.1" name="objective">
-                  <prop name="label">PE-14(a)[1]</prop>
-                  <p>defines acceptable temperature levels to be maintained within the facility
-                     where the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.2" name="objective">
-                  <prop name="label">PE-14(a)[2]</prop>
-                  <p>defines acceptable humidity levels to be maintained within the facility where
-                     the information system resides;</p>
-               </part>
-               <part id="pe-14.a_obj.3" name="objective">
-                  <prop name="label">PE-14(a)[3]</prop>
-                  <p>maintains temperature levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-               <part id="pe-14.a_obj.4" name="objective">
-                  <prop name="label">PE-14(a)[4]</prop>
-                  <p>maintains humidity levels within the facility where the information system
-                     resides at the organization-defined levels;</p>
-               </part>
-            </part>
-            <part id="pe-14.b_obj" name="objective">
-               <prop name="label">PE-14(b)</prop>
-               <part id="pe-14.b_obj.1" name="objective">
-                  <prop name="label">PE-14(b)[1]</prop>
-                  <p>defines the frequency to monitor temperature levels;</p>
-               </part>
-               <part id="pe-14.b_obj.2" name="objective">
-                  <prop name="label">PE-14(b)[2]</prop>
-                  <p>defines the frequency to monitor humidity levels;</p>
-               </part>
-               <part id="pe-14.b_obj.3" name="objective">
-                  <prop name="label">PE-14(b)[3]</prop>
-                  <p>monitors temperature levels with the organization-defined frequency; and</p>
-               </part>
-               <part id="pe-14.b_obj.4" name="objective">
-                  <prop name="label">PE-14(b)[4]</prop>
-                  <p>monitors humidity levels with the organization-defined frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing temperature and humidity control</p>
-               <p>security plan</p>
-               <p>temperature and humidity controls</p>
-               <p>facility housing the information system</p>
-               <p>temperature and humidity controls documentation</p>
-               <p>temperature and humidity records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing maintenance and monitoring of
-                  temperature and humidity levels</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-14.1">
-            <title>Automatic Controls</title>
-            <prop name="label">PE-14(1)</prop>
-            <prop name="sort-id">pe-14.01</prop>
-            <part id="pe-14.1_smt" name="statement">
-               <p>The organization employs automatic temperature and humidity controls in the
-                  facility to prevent fluctuations potentially harmful to the information
-                  system.</p>
-            </part>
-            <part id="pe-14.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-14.1_obj.1" name="objective">
-                  <prop name="label">PE-14(1)[1]</prop>
-                  <p>employs automatic temperature controls in the facility to prevent fluctuations
-                     potentially harmful to the information system; and</p>
-               </part>
-               <part id="pe-14.1_obj.2" name="objective">
-                  <prop name="label">PE-14(1)[2]</prop>
-                  <p>employs automatic humidity controls in the facility to prevent fluctuations
-                     potentially harmful to the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing temperature and humidity controls</p>
-                  <p>facility housing the information system</p>
-                  <p>automated mechanisms for temperature and humidity</p>
-                  <p>temperature and humidity controls</p>
-                  <p>temperature and humidity documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for information system
-                     environmental controls</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing temperature and humidity
-                     levels</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-14.2">
-            <title>Monitoring with Alarms / Notifications</title>
-            <prop name="label">PE-14(2)</prop>
-            <prop name="sort-id">pe-14.02</prop>
-            <part id="pe-14.2_smt" name="statement">
-               <p>The organization employs temperature and humidity monitoring that provides an
-                  alarm or notification of changes potentially harmful to personnel or
-                  equipment.</p>
-            </part>
-            <part id="pe-14.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-14.2_obj.1" name="objective">
-                  <prop name="label">PE-14(2)[1]</prop>
-                  <p>employs temperature monitoring that provides an alarm of changes potentially
-                     harmful to personnel or equipment; and/or</p>
-               </part>
-               <part id="pe-14.2_obj.2" name="objective">
-                  <prop name="label">PE-14(2)[2]</prop>
-                  <p>employs temperature monitoring that provides notification of changes
-                     potentially harmful to personnel or equipment;</p>
-               </part>
-               <part id="pe-14.2_obj.3" name="objective">
-                  <prop name="label">PE-14(2)[3]</prop>
-                  <p>employs humidity monitoring that provides an alarm of changes potentially
-                     harmful to personnel or equipment; and/or</p>
-               </part>
-               <part id="pe-14.2_obj.4" name="objective">
-                  <prop name="label">PE-14(2)[4]</prop>
-                  <p>employs humidity monitoring that provides notification of changes potentially
-                     harmful to personnel or equipment.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing temperature and humidity monitoring</p>
-                  <p>facility housing the information system</p>
-                  <p>logs or records of temperature and humidity monitoring</p>
-                  <p>records of changes to temperature and humidity levels that generate alarms or
-                     notifications</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for information system
-                     environmental controls</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing temperature and humidity
-                     monitoring</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-15">
-         <title>Water Damage Protection</title>
-         <prop name="label">PE-15</prop>
-         <prop name="sort-id">pe-15</prop>
-         <part id="pe-15_smt" name="statement">
-            <p>The organization protects the information system from damage resulting from water
-               leakage by providing master shutoff or isolation valves that are accessible, working
-               properly, and known to key personnel.</p>
-         </part>
-         <part id="pe-15_gdn" name="guidance">
-            <p>This control applies primarily to facilities containing concentrations of information
-               system resources including, for example, data centers, server rooms, and mainframe
-               computer rooms. Isolation valves can be employed in addition to or in lieu of master
-               shutoff valves to shut off water supplies in specific areas of concern, without
-               affecting entire organizations.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pe-15_obj" name="objective">
-            <p>Determine if the organization protects the information system from damage resulting
-               from water leakage by providing master shutoff or isolation valves that are: </p>
-            <part id="pe-15_obj.1" name="objective">
-               <prop name="label">PE-15[1]</prop>
-               <p>accessible;</p>
-            </part>
-            <part id="pe-15_obj.2" name="objective">
-               <prop name="label">PE-15[2]</prop>
-               <p>working properly; and</p>
-            </part>
-            <part id="pe-15_obj.3" name="objective">
-               <prop name="label">PE-15[3]</prop>
-               <p>known to key personnel.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing water damage protection</p>
-               <p>facility housing the information system</p>
-               <p>master shutoff valves</p>
-               <p>list of key personnel with knowledge of location and activation procedures for
-                  master shutoff valves for the plumbing system</p>
-               <p>master shutoff valve documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Master water-shutoff valves</p>
-               <p>organizational process for activating master water-shutoff</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-15.1">
-            <title>Automation Support</title>
-            <param id="pe-15.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">PE-15(1)</prop>
-            <prop name="sort-id">pe-15.01</prop>
-            <part id="pe-15.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to detect the presence of water in
-                  the vicinity of the information system and alerts <insert param-id="pe-15.1_prm_1"/>.</p>
-            </part>
-            <part id="pe-15.1_gdn" name="guidance">
-               <p>Automated mechanisms can include, for example, water detection sensors, alarms,
-                  and notification systems.</p>
-            </part>
-            <part id="pe-15.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-15.1_obj.1" name="objective">
-                  <prop name="label">PE-15(1)[1]</prop>
-                  <p>defines personnel or roles to be alerted when the presence of water is detected
-                     in the vicinity of the information system;</p>
-               </part>
-               <part id="pe-15.1_obj.2" name="objective">
-                  <prop name="label">PE-15(1)[2]</prop>
-                  <p>employs automated mechanisms to detect the presence of water in the vicinity of
-                     the information system; and</p>
-               </part>
-               <part id="pe-15.1_obj.3" name="objective">
-                  <prop name="label">PE-15(1)[3]</prop>
-                  <p>alerts organization-defined personnel or roles when the presence of water is
-                     detected in the vicinity of the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing water damage protection</p>
-                  <p>facility housing the information system</p>
-                  <p>automated mechanisms for water shutoff valves</p>
-                  <p>automated mechanisms detecting presence of water in vicinity of information
-                     system</p>
-                  <p>alerts/notifications of water detection in information system facility</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for information system
-                     environmental controls</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing water detection capability
-                     and alerts for the information system</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-16">
-         <title>Delivery and Removal</title>
-         <param id="pe-16_prm_1">
-            <label>organization-defined types of information system components</label>
-         </param>
-         <prop name="label">PE-16</prop>
-         <prop name="sort-id">pe-16</prop>
-         <part id="pe-16_smt" name="statement">
-            <p>The organization authorizes, monitors, and controls <insert param-id="pe-16_prm_1"/>
-               entering and exiting the facility and maintains records of those items.</p>
-         </part>
-         <part id="pe-16_gdn" name="guidance">
-            <p>Effectively enforcing authorizations for entry and exit of information system
-               components may require restricting access to delivery areas and possibly isolating
-               the areas from the information system and media libraries.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="pe-16_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-16_obj.1" name="objective">
-               <prop name="label">PE-16[1]</prop>
-               <p>defines types of information system components to be authorized, monitored, and
-                  controlled as such components are entering and exiting the facility;</p>
-            </part>
-            <part id="pe-16_obj.2" name="objective">
-               <prop name="label">PE-16[2]</prop>
-               <p>authorizes organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.3" name="objective">
-               <prop name="label">PE-16[3]</prop>
-               <p>monitors organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.4" name="objective">
-               <prop name="label">PE-16[4]</prop>
-               <p>controls organization-defined information system components entering the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.5" name="objective">
-               <prop name="label">PE-16[5]</prop>
-               <p>authorizes organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.6" name="objective">
-               <prop name="label">PE-16[6]</prop>
-               <p>monitors organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.7" name="objective">
-               <prop name="label">PE-16[7]</prop>
-               <p>controls organization-defined information system components exiting the
-                  facility;</p>
-            </part>
-            <part id="pe-16_obj.8" name="objective">
-               <prop name="label">PE-16[8]</prop>
-               <p>maintains records of information system components entering the facility; and</p>
-            </part>
-            <part id="pe-16_obj.9" name="objective">
-               <prop name="label">PE-16[9]</prop>
-               <p>maintains records of information system components exiting the facility.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing delivery and removal of information system components from
-                  the facility</p>
-               <p>security plan</p>
-               <p>facility housing the information system</p>
-               <p>records of items entering and exiting the facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for controlling information system
-                  components entering and exiting the facility</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for authorizing, monitoring, and controlling information
-                  system-related items entering and exiting the facility</p>
-               <p>automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling information system-related items entering and exiting the facility</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-17">
-         <title>Alternate Work Site</title>
-         <param id="pe-17_prm_1">
-            <label>organization-defined security controls</label>
-         </param>
-         <prop name="label">PE-17</prop>
-         <prop name="sort-id">pe-17</prop>
-         <link href="#5309d4d0-46f8-4213-a749-e7584164e5e8" rel="reference">NIST Special Publication 800-46</link>
-         <part id="pe-17_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs <insert param-id="pe-17_prm_1"/> at alternate work sites;</p>
-            </part>
-            <part id="pe-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Assesses as feasible, the effectiveness of security controls at alternate work
-                  sites; and</p>
-            </part>
-            <part id="pe-17_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Provides a means for employees to communicate with information security personnel
-                  in case of security incidents or problems.</p>
-            </part>
-         </part>
-         <part id="pe-17_gdn" name="guidance">
-            <p>Alternate work sites may include, for example, government facilities or private
-               residences of employees. While commonly distinct from alternative processing sites,
-               alternate work sites may provide readily available alternate locations as part of
-               contingency operations. Organizations may define different sets of security controls
-               for specific alternate work sites or types of sites depending on the work-related
-               activities conducted at those sites. This control supports the contingency planning
-               activities of organizations and the federal telework initiative.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="pe-17_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-17.a_obj" name="objective">
-               <prop name="label">PE-17(a)</prop>
-               <part id="pe-17.a_obj.1" name="objective">
-                  <prop name="label">PE-17(a)[1]</prop>
-                  <p>defines security controls to be employed at alternate work sites;</p>
-               </part>
-               <part id="pe-17.a_obj.2" name="objective">
-                  <prop name="label">PE-17(a)[2]</prop>
-                  <p>employs organization-defined security controls at alternate work sites;</p>
-               </part>
-            </part>
-            <part id="pe-17.b_obj" name="objective">
-               <prop name="label">PE-17(b)</prop>
-               <p>assesses, as feasible, the effectiveness of security controls at alternate work
-                  sites; and</p>
-            </part>
-            <part id="pe-17.c_obj" name="objective">
-               <prop name="label">PE-17(c)</prop>
-               <p>provides a means for employees to communicate with information security personnel
-                  in case of security incidents or problems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing alternate work sites for organizational personnel</p>
-               <p>security plan</p>
-               <p>list of security controls required for alternate work sites</p>
-               <p>assessments of security controls at alternate work sites</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel approving use of alternate work sites</p>
-               <p>organizational personnel using alternate work sites</p>
-               <p>organizational personnel assessing controls at alternate work sites</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security at alternate work sites</p>
-               <p>automated mechanisms supporting alternate work sites</p>
-               <p>security controls employed at alternate work sites</p>
-               <p>means of communications between personnel at alternate work sites and security
-                  personnel</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-18">
-         <title>Location of Information System Components</title>
-         <param id="pe-18_prm_1">
-            <label>organization-defined physical and environmental hazards</label>
-         </param>
-         <prop name="label">PE-18</prop>
-         <prop name="sort-id">pe-18</prop>
-         <part id="pe-18_smt" name="statement">
-            <p>The organization positions information system components within the facility to
-               minimize potential damage from <insert param-id="pe-18_prm_1"/> and to minimize the
-               opportunity for unauthorized access.</p>
-         </part>
-         <part id="pe-18_gdn" name="guidance">
-            <p>Physical and environmental hazards include, for example, flooding, fire, tornados,
-               earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse,
-               electrical interference, and other forms of incoming electromagnetic radiation. In
-               addition, organizations consider the location of physical entry points where
-               unauthorized individuals, while not being granted access, might nonetheless be in
-               close proximity to information systems and therefore increase the potential for
-               unauthorized access to organizational communications (e.g., through the use of
-               wireless sniffers or microphones).</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#pe-19">PE-19</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pe-18_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-18_obj.1" name="objective">
-               <prop name="label">PE-18[1]</prop>
-               <p>defines physical hazards that could result in potential damage to information
-                  system components within the facility;</p>
-            </part>
-            <part id="pe-18_obj.2" name="objective">
-               <prop name="label">PE-18[2]</prop>
-               <p>defines environmental hazards that could result in potential damage to information
-                  system components within the facility;</p>
-            </part>
-            <part id="pe-18_obj.3" name="objective">
-               <prop name="label">PE-18[3]</prop>
-               <p>positions information system components within the facility to minimize potential
-                  damage from organization-defined physical and environmental hazards; and</p>
-            </part>
-            <part id="pe-18_obj.4" name="objective">
-               <prop name="label">PE-18[4]</prop>
-               <p>positions information system components within the facility to minimize the
-                  opportunity for unauthorized access.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing positioning of information system components</p>
-               <p>documentation providing the location and position of information system components
-                  within the facility</p>
-               <p>locations housing information system components within the facility</p>
-               <p>list of physical and environmental hazards with potential to damage information
-                  system components within the facility</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for positioning information system
-                  components</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for positioning information system components</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-18.1">
-            <title>Facility Site</title>
-            <prop name="label">PE-18(1)</prop>
-            <prop name="sort-id">pe-18.01</prop>
-            <part id="pe-18.1_smt" name="statement">
-               <p>The organization plans the location or site of the facility where the information
-                  system resides with regard to physical and environmental hazards and for existing
-                  facilities, considers the physical and environmental hazards in its risk
-                  mitigation strategy.</p>
-            </part>
-            <part id="pe-18.1_gdn" name="guidance">
-               <link rel="related" href="#pm-8">PM-8</link>
-            </part>
-            <part id="pe-18.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pe-18.1_obj.1" name="objective">
-                  <prop name="label">PE-18(1)[1]</prop>
-                  <p>plans the location or site of the facility where the information system resides
-                     with regard to physical hazards;</p>
-               </part>
-               <part id="pe-18.1_obj.2" name="objective">
-                  <prop name="label">PE-18(1)[2]</prop>
-                  <p>plans the location or site of the facility where the information system resides
-                     with regard to environmental hazards;</p>
-               </part>
-               <part id="pe-18.1_obj.3" name="objective">
-                  <prop name="label">PE-18(1)[3]</prop>
-                  <p>for existing facilities, considers the physical hazards in its risk mitigation
-                     strategy; and</p>
-               </part>
-               <part id="pe-18.1_obj.4" name="objective">
-                  <prop name="label">PE-18(1)[4]</prop>
-                  <p>for existing facilities, considers the environmental hazards in its risk
-                     mitigation strategy.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>physical site planning documents</p>
-                  <p>organizational assessment of risk, contingency plan</p>
-                  <p>risk mitigation strategy documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with site selection responsibilities for the facility
-                     housing the information system</p>
-                  <p>organizational personnel with risk mitigation responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for site planning</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-19">
-         <title>Information Leakage</title>
-         <prop name="label">PE-19</prop>
-         <prop name="sort-id">pe-19</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="pe-19_smt" name="statement">
-            <p>The organization protects the information system from information leakage due to
-               electromagnetic signals emanations.</p>
-         </part>
-         <part id="pe-19_gdn" name="guidance">
-            <p>Information leakage is the intentional or unintentional release of information to an
-               untrusted environment from electromagnetic signals emanations. Security categories or
-               classifications of information systems (with respect to confidentiality) and
-               organizational security policies guide the selection of security controls employed to
-               protect systems against information leakage due to electromagnetic signals
-               emanations.</p>
-         </part>
-         <part id="pe-19_obj" name="objective">
-            <p>Determine if the organization protects the information system from information
-               leakage due to electromagnetic signals emanations. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing information leakage due to electromagnetic signals
-                  emanations</p>
-               <p>mechanisms protecting the information system against electronic signals
-                  emanation</p>
-               <p>facility housing the information system</p>
-               <p>records from electromagnetic signals emanation tests</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibilities for information system
-                  environmental controls</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing protection from information
-                  leakage due to electromagnetic signals emanations</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-19.1">
-            <title>National Emissions / Tempest Policies and Procedures</title>
-            <prop name="label">PE-19(1)</prop>
-            <prop name="sort-id">pe-19.01</prop>
-            <part id="pe-19.1_smt" name="statement">
-               <p>The organization ensures that information system components, associated data
-                  communications, and networks are protected in accordance with national emissions
-                  and TEMPEST policies and procedures based on the security category or
-                  classification of the information.</p>
-            </part>
-            <part id="pe-19.1_obj" name="objective">
-               <p>Determine if the organization ensures that the following are protected in
-                  accordance with national emissions and TEMPEST policies and procedures based on
-                  the security category or classification of the information: </p>
-               <part id="pe-19.1_obj.1" name="objective">
-                  <prop name="label">PE-19(1)[1]</prop>
-                  <p>information system components;</p>
-               </part>
-               <part id="pe-19.1_obj.2" name="objective">
-                  <prop name="label">PE-19(1)[2]</prop>
-                  <p>associated data communications; and</p>
-               </part>
-               <part id="pe-19.1_obj.3" name="objective">
-                  <prop name="label">PE-19(1)[3]</prop>
-                  <p>networks.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Physical and environmental protection policy</p>
-                  <p>procedures addressing information leakage that comply with national emissions
-                     and TEMPEST policies and procedures</p>
-                  <p>information system component design documentation</p>
-                  <p>information system configuration settings and associated documentation other
-                     relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibilities for information system
-                     environmental controls</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system components for compliance with national emissions and
-                     TEMPEST policies and procedures</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-20">
-         <title>Asset Monitoring and Tracking</title>
-         <param id="pe-20_prm_1">
-            <label>organization-defined asset location technologies</label>
-         </param>
-         <param id="pe-20_prm_2">
-            <label>organization-defined assets</label>
-         </param>
-         <param id="pe-20_prm_3">
-            <label>organization-defined controlled areas</label>
-         </param>
-         <prop name="label">PE-20</prop>
-         <prop name="sort-id">pe-20</prop>
-         <part id="pe-20_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pe-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs <insert param-id="pe-20_prm_1"/> to track and monitor the location and
-                  movement of <insert param-id="pe-20_prm_2"/> within <insert param-id="pe-20_prm_3"/>; and</p>
-            </part>
-            <part id="pe-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Ensures that asset location technologies are employed in accordance with
-                  applicable federal laws, Executive Orders, directives, regulations, policies,
-                  standards, and guidance.</p>
-            </part>
-         </part>
-         <part id="pe-20_gdn" name="guidance">
-            <p>Asset location technologies can help organizations ensure that critical assets such
-               as vehicles or essential information system components remain in authorized
-               locations. Organizations consult with the Office of the General Counsel and the
-               Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) regarding the
-               deployment and use of asset location technologies to address potential privacy
-               concerns.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-         </part>
-         <part id="pe-20_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pe-20.a_obj" name="objective">
-               <prop name="label">PE-20(a)</prop>
-               <part id="pe-20.a_obj.1" name="objective">
-                  <prop name="label">PE-20(a)[1]</prop>
-                  <p>defines assets whose location and movement are to be tracked and monitored;</p>
-               </part>
-               <part id="pe-20.a_obj.2" name="objective">
-                  <prop name="label">PE-20(a)[2]</prop>
-                  <p>defines asset location technologies to be employed to track and monitor the
-                     location and movement of organization-defined assets;</p>
-               </part>
-               <part id="pe-20.a_obj.3" name="objective">
-                  <prop name="label">PE-20(a)[3]</prop>
-                  <p>defines controlled areas within which to track and monitor organization-defined
-                     assets;</p>
-               </part>
-               <part id="pe-20.a_obj.4" name="objective">
-                  <prop name="label">PE-20(a)[4]</prop>
-                  <p>employs organization-defined asset location technologies to track and monitor
-                     the location and movement of organization-defined assets within
-                     organization-defined controlled areas; and</p>
-               </part>
-            </part>
-            <part id="pe-20.b_obj" name="objective">
-               <prop name="label">PE-20(b)</prop>
-               <p>ensures that asset location technologies are employed in accordance with
-                  applicable federal laws, Executive Orders, directives, regulations, policies,
-                  standards and guidance.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Physical and environmental protection policy</p>
-               <p>procedures addressing asset monitoring and tracking</p>
-               <p>asset location technologies and associated configuration documentation</p>
-               <p>list of organizational assets requiring tracking and monitoring</p>
-               <p>asset monitoring and tracking records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with asset monitoring and tracking responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for tracking and monitoring assets</p>
-               <p>automated mechanisms supporting and/or implementing tracking and monitoring of
-                  assets</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pl">
-      <title>Planning</title>
-      <control class="SP800-53" id="pl-1">
-         <title>Security Planning Policy and Procedures</title>
-         <param id="pl-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pl-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-1</prop>
-         <prop name="sort-id">pl-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="pl-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="pl-1_prm_1"/>:</p>
-               <part id="pl-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A security planning policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="pl-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the security planning policy and
-                     associated security planning controls; and</p>
-               </part>
-            </part>
-            <part id="pl-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="pl-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Security planning policy <insert param-id="pl-1_prm_2"/>; and</p>
-               </part>
-               <part id="pl-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Security planning procedures <insert param-id="pl-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="pl-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PL
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="pl-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="pl-1.a_obj" name="objective">
-               <prop name="label">PL-1(a)</prop>
-               <part id="pl-1.a.1_obj" name="objective">
-                  <prop name="label">PL-1(a)(1)</prop>
-                  <part id="pl-1.a.1_obj.1" name="objective">
-                     <prop name="label">PL-1(a)(1)[1]</prop>
-                     <p>develops and documents a planning policy that addresses:</p>
-                     <part id="pl-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="pl-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PL-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="pl-1.a.1_obj.2" name="objective">
-                     <prop name="label">PL-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the planning policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.1_obj.3" name="objective">
-                     <prop name="label">PL-1(a)(1)[3]</prop>
-                     <p>disseminates the planning policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="pl-1.a.2_obj" name="objective">
-                  <prop name="label">PL-1(a)(2)</prop>
-                  <part id="pl-1.a.2_obj.1" name="objective">
-                     <prop name="label">PL-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        planning policy and associated planning controls;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.2" name="objective">
-                     <prop name="label">PL-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="pl-1.a.2_obj.3" name="objective">
-                     <prop name="label">PL-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="pl-1.b_obj" name="objective">
-               <prop name="label">PL-1(b)</prop>
-               <part id="pl-1.b.1_obj" name="objective">
-                  <prop name="label">PL-1(b)(1)</prop>
-                  <part id="pl-1.b.1_obj.1" name="objective">
-                     <prop name="label">PL-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current planning policy;</p>
-                  </part>
-                  <part id="pl-1.b.1_obj.2" name="objective">
-                     <prop name="label">PL-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current planning policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="pl-1.b.2_obj" name="objective">
-                  <prop name="label">PL-1(b)(2)</prop>
-                  <part id="pl-1.b.2_obj.1" name="objective">
-                     <prop name="label">PL-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current planning procedures;
-                        and</p>
-                  </part>
-                  <part id="pl-1.b.2_obj.2" name="objective">
-                     <prop name="label">PL-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current planning procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Planning policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with planning responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-2">
-         <title>System Security Plan</title>
-         <param id="pl-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-2_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-2</prop>
-         <prop name="sort-id">pl-02</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security plan for the information system that:</p>
-               <part id="pl-2_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2_smt.a.5" name="item">
-                  <prop name="label">5.</prop>
-                  <p>Describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2_smt.a.6" name="item">
-                  <prop name="label">6.</prop>
-                  <p>Provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2_smt.a.7" name="item">
-                  <prop name="label">7.</prop>
-                  <p>Identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2_smt.a.8" name="item">
-                  <prop name="label">8.</prop>
-                  <p>Describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring decisions; and</p>
-               </part>
-               <part id="pl-2_smt.a.9" name="item">
-                  <prop name="label">9.</prop>
-                  <p>Is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Distributes copies of the security plan and communicates subsequent changes to the
-                  plan to <insert param-id="pl-2_prm_1"/>;</p>
-            </part>
-            <part id="pl-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews the security plan for the information system <insert param-id="pl-2_prm_2"/>;</p>
-            </part>
-            <part id="pl-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Updates the plan to address changes to the information system/environment of
-                  operation or problems identified during plan implementation or security control
-                  assessments; and</p>
-            </part>
-            <part id="pl-2_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Protects the security plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part id="pl-2_gdn" name="guidance">
-            <p>Security plans relate security requirements to a set of security controls and control
-               enhancements. Security plans also describe, at a high level, how the security
-               controls and control enhancements meet those security requirements, but do not
-               provide detailed, technical descriptions of the specific design or implementation of
-               the controls/enhancements. Security plans contain sufficient information (including
-               the specification of parameter values for assignment and selection statements either
-               explicitly or by reference) to enable a design and implementation that is
-               unambiguously compliant with the intent of the plans and subsequent determinations of
-               risk to organizational operations and assets, individuals, other organizations, and
-               the Nation if the plan is implemented as intended. Organizations can also apply
-               tailoring guidance to the security control baselines in Appendix D and CNSS
-               Instruction 1253 to develop overlays for community-wide use or to address specialized
-               requirements, technologies, or missions/environments of operation (e.g.,
-               DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and
-               Access Management, space operations). Appendix I provides guidance on developing
-               overlays. Security plans need not be single documents; the plans can be a collection
-               of various documents including documents that already exist. Effective security plans
-               make extensive use of references to policies, procedures, and additional documents
-               (e.g., design and implementation specifications) where more detailed information can
-               be obtained. This reduces the documentation requirements associated with security
-               programs and maintains security-related information in other established
-               management/operational areas related to enterprise architecture, system development
-               life cycle, systems engineering, and acquisition. For example, security plans do not
-               contain detailed contingency plan or incident response plan information but instead
-               provide explicitly or by reference, sufficient information to define what needs to be
-               accomplished by those plans.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-14">AC-14</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#ma-5">MA-5</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#pl-7">PL-7</link>
-            <link rel="related" href="#pm-1">PM-1</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-         </part>
-         <part id="pl-2_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-2.a_obj" name="objective">
-               <prop name="label">PL-2(a)</prop>
-               <p>develops a security plan for the information system that:</p>
-               <part id="pl-2.a.1_obj" name="objective">
-                  <prop name="label">PL-2(a)(1)</prop>
-                  <p>is consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part id="pl-2.a.2_obj" name="objective">
-                  <prop name="label">PL-2(a)(2)</prop>
-                  <p>explicitly defines the authorization boundary for the system;</p>
-               </part>
-               <part id="pl-2.a.3_obj" name="objective">
-                  <prop name="label">PL-2(a)(3)</prop>
-                  <p>describes the operational context of the information system in terms of
-                     missions and business processes;</p>
-               </part>
-               <part id="pl-2.a.4_obj" name="objective">
-                  <prop name="label">PL-2(a)(4)</prop>
-                  <p>provides the security categorization of the information system including
-                     supporting rationale;</p>
-               </part>
-               <part id="pl-2.a.5_obj" name="objective">
-                  <prop name="label">PL-2(a)(5)</prop>
-                  <p>describes the operational environment for the information system and
-                     relationships with or connections to other information systems;</p>
-               </part>
-               <part id="pl-2.a.6_obj" name="objective">
-                  <prop name="label">PL-2(a)(6)</prop>
-                  <p>provides an overview of the security requirements for the system;</p>
-               </part>
-               <part id="pl-2.a.7_obj" name="objective">
-                  <prop name="label">PL-2(a)(7)</prop>
-                  <p>identifies any relevant overlays, if applicable;</p>
-               </part>
-               <part id="pl-2.a.8_obj" name="objective">
-                  <prop name="label">PL-2(a)(8)</prop>
-                  <p>describes the security controls in place or planned for meeting those
-                     requirements including a rationale for the tailoring and supplemental
-                     decisions;</p>
-               </part>
-               <part id="pl-2.a.9_obj" name="objective">
-                  <prop name="label">PL-2(a)(9)</prop>
-                  <p>is reviewed and approved by the authorizing official or designated
-                     representative prior to plan implementation;</p>
-               </part>
-            </part>
-            <part id="pl-2.b_obj" name="objective">
-               <prop name="label">PL-2(b)</prop>
-               <part id="pl-2.b_obj.1" name="objective">
-                  <prop name="label">PL-2(b)[1]</prop>
-                  <p>defines personnel or roles to whom copies of the security plan are to be
-                     distributed and subsequent changes to the plan are to be communicated;</p>
-               </part>
-               <part id="pl-2.b_obj.2" name="objective">
-                  <prop name="label">PL-2(b)[2]</prop>
-                  <p>distributes copies of the security plan and communicates subsequent changes to
-                     the plan to organization-defined personnel or roles;</p>
-               </part>
-            </part>
-            <part id="pl-2.c_obj" name="objective">
-               <prop name="label">PL-2(c)</prop>
-               <part id="pl-2.c_obj.1" name="objective">
-                  <prop name="label">PL-2(c)[1]</prop>
-                  <p>defines the frequency to review the security plan for the information
-                     system;</p>
-               </part>
-               <part id="pl-2.c_obj.2" name="objective">
-                  <prop name="label">PL-2(c)[2]</prop>
-                  <p>reviews the security plan for the information system with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pl-2.d_obj" name="objective">
-               <prop name="label">PL-2(d)</prop>
-               <p>updates the plan to address:</p>
-               <part id="pl-2.d_obj.1" name="objective">
-                  <prop name="label">PL-2(d)[1]</prop>
-                  <p>changes to the information system/environment of operation;</p>
-               </part>
-               <part id="pl-2.d_obj.2" name="objective">
-                  <prop name="label">PL-2(d)[2]</prop>
-                  <p>problems identified during plan implementation;</p>
-               </part>
-               <part id="pl-2.d_obj.3" name="objective">
-                  <prop name="label">PL-2(d)[3]</prop>
-                  <p>problems identified during security control assessments;</p>
-               </part>
-            </part>
-            <part id="pl-2.e_obj" name="objective">
-               <prop name="label">PL-2(e)</prop>
-               <p>protects the security plan from unauthorized:</p>
-               <part id="pl-2.e_obj.1" name="objective">
-                  <prop name="label">PL-2(e)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="pl-2.e_obj.2" name="objective">
-                  <prop name="label">PL-2(e)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing security plan development and implementation</p>
-               <p>procedures addressing security plan reviews and updates</p>
-               <p>enterprise architecture documentation</p>
-               <p>security plan for the information system</p>
-               <p>records of security plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security plan development/review/update/approval</p>
-               <p>automated mechanisms supporting the information system security plan</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-2.1">
-            <title>Concept of Operations</title>
-            <prop name="label">PL-2(1)</prop>
-            <prop name="sort-id">pl-02.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#pl-7">PL-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="pl-2.2">
-            <title>Functional Architecture</title>
-            <prop name="label">PL-2(2)</prop>
-            <prop name="sort-id">pl-02.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#pl-8">PL-8</link>
-         </control>
-         <control class="SP800-53-enhancement" id="pl-2.3">
-            <title>Plan / Coordinate with Other Organizational Entities</title>
-            <param id="pl-2.3_prm_1">
-               <label>organization-defined individuals or groups</label>
-            </param>
-            <prop name="label">PL-2(3)</prop>
-            <prop name="sort-id">pl-02.03</prop>
-            <part id="pl-2.3_smt" name="statement">
-               <p>The organization plans and coordinates security-related activities affecting the
-                  information system with <insert param-id="pl-2.3_prm_1"/> before conducting such
-                  activities in order to reduce the impact on other organizational entities.</p>
-            </part>
-            <part id="pl-2.3_gdn" name="guidance">
-               <p>Security-related activities include, for example, security assessments, audits,
-                  hardware and software maintenance, patch management, and contingency plan testing.
-                  Advance planning and coordination includes emergency and nonemergency (i.e.,
-                  planned or nonurgent unplanned) situations. The process defined by organizations
-                  to plan and coordinate security-related activities can be included in security
-                  plans for information systems or other documents, as appropriate.</p>
-               <link rel="related" href="#cp-4">CP-4</link>
-               <link rel="related" href="#ir-4">IR-4</link>
-            </part>
-            <part id="pl-2.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pl-2.3_obj.1" name="objective">
-                  <prop name="label">PL-2(3)[1]</prop>
-                  <p>defines individuals or groups with whom security-related activities affecting
-                     the information system are to be planned and coordinated before conducting such
-                     activities in order to reduce the impact on other organizational entities;
-                     and</p>
-               </part>
-               <part id="pl-2.3_obj.2" name="objective">
-                  <prop name="label">PL-2(3)[2]</prop>
-                  <p>plans and coordinates security-related activities affecting the information
-                     system with organization-defined individuals or groups before conducting such
-                     activities in order to reduce the impact on other organizational entities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security planning policy</p>
-                  <p>access control policy</p>
-                  <p>contingency planning policy</p>
-                  <p>procedures addressing security-related activity planning for the information
-                     system</p>
-                  <p>security plan for the information system</p>
-                  <p>contingency plan for the information system</p>
-                  <p>information system design documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational individuals or groups with whom security-related activities are
-                     to be planned and coordinated</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-3">
-         <title>System Security Plan Update</title>
-         <prop name="label">PL-3</prop>
-         <prop name="sort-id">pl-03</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#pl-2">PL-2</link>
-      </control>
-      <control class="SP800-53" id="pl-4">
-         <title>Rules of Behavior</title>
-         <param id="pl-4_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-4</prop>
-         <prop name="sort-id">pl-04</prop>
-         <link href="#9c5c9e8c-dc81-4f55-a11c-d71d7487790f" rel="reference">NIST Special Publication 800-18</link>
-         <part id="pl-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes and makes readily available to individuals requiring access to the
-                  information system, the rules that describe their responsibilities and expected
-                  behavior with regard to information and information system usage;</p>
-            </part>
-            <part id="pl-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Receives a signed acknowledgment from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates the rules of behavior <insert param-id="pl-4_prm_1"/>; and</p>
-            </part>
-            <part id="pl-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires individuals who have signed a previous version of the rules of behavior
-                  to read and re-sign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part id="pl-4_gdn" name="guidance">
-            <p>This control enhancement applies to organizational users. Organizations consider
-               rules of behavior based on individual user roles and responsibilities,
-               differentiating, for example, between rules that apply to privileged users and rules
-               that apply to general users. Establishing rules of behavior for some types of
-               non-organizational users including, for example, individuals who simply receive
-               data/information from federal information systems, is often not feasible given the
-               large number of such users and the limited nature of their interactions with the
-               systems. Rules of behavior for both organizational and non-organizational users can
-               also be established in AC-8, System Use Notification. PL-4 b. (the signed
-               acknowledgment portion of this control) may be satisfied by the security awareness
-               training and role-based security training programs conducted by organizations if such
-               training includes rules of behavior. Organizations can use electronic signatures for
-               acknowledging rules of behavior.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-9">AC-9</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ac-20">AC-20</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-         </part>
-         <part id="pl-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-4.a_obj" name="objective">
-               <prop name="label">PL-4(a)</prop>
-               <part id="pl-4.a_obj.1" name="objective">
-                  <prop name="label">PL-4(a)[1]</prop>
-                  <p>establishes, for individuals requiring access to the information system, the
-                     rules that describe their responsibilities and expected behavior with regard to
-                     information and information system usage;</p>
-               </part>
-               <part id="pl-4.a_obj.2" name="objective">
-                  <prop name="label">PL-4(a)[2]</prop>
-                  <p>makes readily available to individuals requiring access to the information
-                     system, the rules that describe their responsibilities and expected behavior
-                     with regard to information and information system usage;</p>
-               </part>
-            </part>
-            <part id="pl-4.b_obj" name="objective">
-               <prop name="label">PL-4(b)</prop>
-               <p>receives a signed acknowledgement from such individuals, indicating that they have
-                  read, understand, and agree to abide by the rules of behavior, before authorizing
-                  access to information and the information system;</p>
-            </part>
-            <part id="pl-4.c_obj" name="objective">
-               <prop name="label">PL-4(c)</prop>
-               <part id="pl-4.c_obj.1" name="objective">
-                  <prop name="label">PL-4(c)[1]</prop>
-                  <p>defines the frequency to review and update the rules of behavior;</p>
-               </part>
-               <part id="pl-4.c_obj.2" name="objective">
-                  <prop name="label">PL-4(c)[2]</prop>
-                  <p>reviews and updates the rules of behavior with the organization-defined
-                     frequency; and</p>
-               </part>
-            </part>
-            <part id="pl-4.d_obj" name="objective">
-               <prop name="label">PL-4(d)</prop>
-               <p>requires individuals who have signed a previous version of the rules of behavior
-                  to read and resign when the rules of behavior are revised/updated.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing rules of behavior for information system users</p>
-               <p>rules of behavior</p>
-               <p>signed acknowledgements</p>
-               <p>records for rules of behavior reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for establishing, reviewing, and
-                  updating rules of behavior</p>
-               <p>organizational personnel who are authorized users of the information system and
-                  have signed and resigned rules of behavior</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for establishing, reviewing, disseminating, and updating
-                  rules of behavior</p>
-               <p>automated mechanisms supporting and/or implementing the establishment, review,
-                  dissemination, and update of rules of behavior</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-4.1">
-            <title>Social Media and Networking Restrictions</title>
-            <prop name="label">PL-4(1)</prop>
-            <prop name="sort-id">pl-04.01</prop>
-            <part id="pl-4.1_smt" name="statement">
-               <p>The organization includes in the rules of behavior, explicit restrictions on the
-                  use of social media/networking sites and posting organizational information on
-                  public websites.</p>
-            </part>
-            <part id="pl-4.1_gdn" name="guidance">
-               <p>This control enhancement addresses rules of behavior related to the use of social
-                  media/networking sites: (i) when organizational personnel are using such sites for
-                  official duties or in the conduct of official business; (ii) when organizational
-                  information is involved in social media/networking transactions; and (iii) when
-                  personnel are accessing social media/networking sites from organizational
-                  information systems. Organizations also address specific rules that prevent
-                  unauthorized entities from obtaining and/or inferring non-public organizational
-                  information (e.g., system account information, personally identifiable
-                  information) from social media/networking sites.</p>
-            </part>
-            <part id="pl-4.1_obj" name="objective">
-               <p>Determine if the organization includes the following in the rules of behavior: </p>
-               <part id="pl-4.1_obj.1" name="objective">
-                  <prop name="label">PL-4(1)[1]</prop>
-                  <p>explicit restrictions on the use of social media/networking sites; and</p>
-               </part>
-               <part id="pl-4.1_obj.2" name="objective">
-                  <prop name="label">PL-4(1)[2]</prop>
-                  <p>posting organizational information on public websites.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security planning policy</p>
-                  <p>procedures addressing rules of behavior for information system users</p>
-                  <p>rules of behavior</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for establishing, reviewing, and
-                     updating rules of behavior</p>
-                  <p>organizational personnel who are authorized users of the information system and
-                     have signed rules of behavior</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for establishing rules of behavior</p>
-                  <p>automated mechanisms supporting and/or implementing the establishment of rules
-                     of behavior</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-5">
-         <title>Privacy Impact Assessment</title>
-         <prop name="label">PL-5</prop>
-         <prop name="sort-id">pl-05</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="https://doi.org/10.6028/NIST.SP.800-53r4">Appendix
-            J</link>
-         <link rel="incorporated-into" href="https://doi.org/10.6028/NIST.SP.800-53r4">AR-2</link>
-      </control>
-      <control class="SP800-53" id="pl-6">
-         <title>Security-related Activity Planning</title>
-         <prop name="label">PL-6</prop>
-         <prop name="sort-id">pl-06</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#pl-2">PL-2</link>
-      </control>
-      <control class="SP800-53" id="pl-7">
-         <title>Security Concept of Operations</title>
-         <param id="pl-7_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-7</prop>
-         <prop name="sort-id">pl-07</prop>
-         <part id="pl-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a security Concept of Operations (CONOPS) for the information system
-                  containing at a minimum, how the organization intends to operate the system from
-                  the perspective of information security; and</p>
-            </part>
-            <part id="pl-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the CONOPS <insert param-id="pl-7_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="pl-7_gdn" name="guidance">
-            <p>The security CONOPS may be included in the security plan for the information system
-               or in other system development life cycle-related documents, as appropriate. Changes
-               to the CONOPS are reflected in ongoing updates to the security plan, the information
-               security architecture, and other appropriate organizational documents (e.g., security
-               specifications for procurements/acquisitions, system development life cycle
-               documents, and systems/security engineering documents).</p>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="pl-7_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-7.a_obj" name="objective">
-               <prop name="label">PL-7(a)</prop>
-               <p>develops a security Concept of Operations (CONOPS) for the information system
-                  containing at a minimum, how the organization intends to operate the system from
-                  the perspective of information security;</p>
-            </part>
-            <part id="pl-7.b_obj" name="objective">
-               <prop name="label">PL-7(b)</prop>
-               <part id="pl-7.b_obj.1" name="objective">
-                  <prop name="label">PL-7(b)[1]</prop>
-                  <p>defines the frequency to review and update the security CONOPS; and</p>
-               </part>
-               <part id="pl-7.b_obj.2" name="objective">
-                  <prop name="label">PL-7(b)[2]</prop>
-                  <p>reviews and updates the security CONOPS with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing security CONOPS development</p>
-               <p>procedures addressing security CONOPS reviews and updates</p>
-               <p>security CONOPS for the information system</p>
-               <p>security plan for the information system</p>
-               <p>records of security CONOPS reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing, reviewing, and updating the security
-                  CONOPS</p>
-               <p>automated mechanisms supporting and/or implementing the development, review, and
-                  update of the security CONOPS</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-8">
-         <title>Information Security Architecture</title>
-         <param id="pl-8_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-8</prop>
-         <prop name="sort-id">pl-08</prop>
-         <part id="pl-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pl-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops an information security architecture for the information system that:</p>
-               <part id="pl-8_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Describes the overall philosophy, requirements, and approach to be taken with
-                     regard to protecting the confidentiality, integrity, and availability of
-                     organizational information;</p>
-               </part>
-               <part id="pl-8_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Describes how the information security architecture is integrated into and
-                     supports the enterprise architecture; and</p>
-               </part>
-               <part id="pl-8_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Describes any information security assumptions about, and dependencies on,
-                     external services;</p>
-               </part>
-            </part>
-            <part id="pl-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the information security architecture <insert param-id="pl-8_prm_1"/> to reflect updates in the enterprise architecture;
-                  and</p>
-            </part>
-            <part id="pl-8_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that planned information security architecture changes are reflected in
-                  the security plan, the security Concept of Operations (CONOPS), and organizational
-                  procurements/acquisitions.</p>
-            </part>
-         </part>
-         <part id="pl-8_gdn" name="guidance">
-            <p>This control addresses actions taken by organizations in the design and development
-               of information systems. The information security architecture at the individual
-               information system level is consistent with and complements the more global,
-               organization-wide information security architecture described in PM-7 that is
-               integral to and developed as part of the enterprise architecture. The information
-               security architecture includes an architectural description, the placement/allocation
-               of security functionality (including security controls), security-related information
-               for external interfaces, information being exchanged across the interfaces, and the
-               protection mechanisms associated with each interface. In addition, the security
-               architecture can include other important security-related information, for example,
-               user roles and access privileges assigned to each role, unique security requirements,
-               the types of information processed, stored, and transmitted by the information
-               system, restoration priorities of information and information system services, and
-               any other specific protection needs. In today’s modern architecture, it is becoming
-               less common for organizations to control all information resources. There are going
-               to be key dependencies on external information services and service providers.
-               Describing such dependencies in the information security architecture is important to
-               developing a comprehensive mission/business protection strategy. Establishing,
-               developing, documenting, and maintaining under configuration control, a baseline
-               configuration for organizational information systems is critical to implementing and
-               maintaining an effective information security architecture. The development of the
-               information security architecture is coordinated with the Senior Agency Official for
-               Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to
-               support privacy requirements are identified and effectively implemented. PL-8 is
-               primarily directed at organizations (i.e., internally focused) to help ensure that
-               organizations develop an information security architecture for the information
-               system, and that the security architecture is integrated with or tightly coupled to
-               the enterprise architecture through the organization-wide information security
-               architecture. In contrast, SA-17 is primarily directed at external information
-               technology product/system developers and integrators (although SA-17 could be used
-               internally within organizations for in-house system development). SA-17, which is
-               complementary to PL-8, is selected when organizations outsource the development of
-               information systems or information system components to external entities, and there
-               is a need to demonstrate/show consistency with the organization’s enterprise
-               architecture and information security architecture.</p>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-            <link rel="related" href="https://doi.org/10.6028/NIST.SP.800-53r4">Appendix J</link>
-         </part>
-         <part id="pl-8_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-8.a_obj" name="objective">
-               <prop name="label">PL-8(a)</prop>
-               <p>develops an information security architecture for the information system that
-                  describes:</p>
-               <part id="pl-8.a.1_obj" name="objective">
-                  <prop name="label">PL-8(a)(1)</prop>
-                  <p>the overall philosophy, requirements, and approach to be taken with regard to
-                     protecting the confidentiality, integrity, and availability of organizational
-                     information;</p>
-               </part>
-               <part id="pl-8.a.2_obj" name="objective">
-                  <prop name="label">PL-8(a)(2)</prop>
-                  <p>how the information security architecture is integrated into and supports the
-                     enterprise architecture;</p>
-               </part>
-               <part id="pl-8.a.3_obj" name="objective">
-                  <prop name="label">PL-8(a)(3)</prop>
-                  <p>any information security assumptions about, and dependencies on, external
-                     services;</p>
-               </part>
-            </part>
-            <part id="pl-8.b_obj" name="objective">
-               <prop name="label">PL-8(b)</prop>
-               <part id="pl-8.b_obj.1" name="objective">
-                  <prop name="label">PL-8(b)[1]</prop>
-                  <p>defines the frequency to review and update the information security
-                     architecture;</p>
-               </part>
-               <part id="pl-8.b_obj.2" name="objective">
-                  <prop name="label">PL-8(b)[2]</prop>
-                  <p>reviews and updates the information security architecture with the
-                     organization-defined frequency to reflect updates in the enterprise
-                     architecture;</p>
-               </part>
-            </part>
-            <part id="pl-8.c_obj" name="objective">
-               <prop name="label">PL-8(c)</prop>
-               <p>ensures that planned information security architecture changes are reflected
-                  in:</p>
-               <part id="pl-8.c_obj.1" name="objective">
-                  <prop name="label">PL-8(c)[1]</prop>
-                  <p>the security plan;</p>
-               </part>
-               <part id="pl-8.c_obj.2" name="objective">
-                  <prop name="label">PL-8(c)[2]</prop>
-                  <p>the security Concept of Operations (CONOPS); and</p>
-               </part>
-               <part id="pl-8.c_obj.3" name="objective">
-                  <prop name="label">PL-8(c)[3]</prop>
-                  <p>the organizational procurements/acquisitions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing information security architecture development</p>
-               <p>procedures addressing information security architecture reviews and updates</p>
-               <p>enterprise architecture documentation</p>
-               <p>information security architecture documentation</p>
-               <p>security plan for the information system</p>
-               <p>security CONOPS for the information system</p>
-               <p>records of information security architecture reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with information security architecture development
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing, reviewing, and updating the information
-                  security architecture</p>
-               <p>automated mechanisms supporting and/or implementing the development, review, and
-                  update of the information security architecture</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-8.1">
-            <title>Defense-in-depth</title>
-            <param id="pl-8.1_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="pl-8.1_prm_2">
-               <label>organization-defined locations and architectural layers</label>
-            </param>
-            <prop name="label">PL-8(1)</prop>
-            <prop name="sort-id">pl-08.01</prop>
-            <part id="pl-8.1_smt" name="statement">
-               <p>The organization designs its security architecture using a defense-in-depth
-                  approach that:</p>
-               <part id="pl-8.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Allocates <insert param-id="pl-8.1_prm_1"/> to <insert param-id="pl-8.1_prm_2"/>; and</p>
-               </part>
-               <part id="pl-8.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Ensures that the allocated security safeguards operate in a coordinated and
-                     mutually reinforcing manner.</p>
-               </part>
-            </part>
-            <part id="pl-8.1_gdn" name="guidance">
-               <p>Organizations strategically allocate security safeguards (procedural, technical,
-                  or both) in the security architecture so that adversaries have to overcome
-                  multiple safeguards to achieve their objective. Requiring adversaries to defeat
-                  multiple mechanisms makes it more difficult to successfully attack critical
-                  information resources (i.e., increases adversary work factor) and also increases
-                  the likelihood of detection. The coordination of allocated safeguards is essential
-                  to ensure that an attack that involves one safeguard does not create adverse
-                  unintended consequences (e.g., lockout, cascading alarms) by interfering with
-                  another safeguard. Placement of security safeguards is a key activity. Greater
-                  asset criticality or information value merits additional layering. Thus, an
-                  organization may choose to place anti-virus software at organizational boundary
-                  layers, email/web servers, notebook computers, and workstations to maximize the
-                  number of related safeguards adversaries must penetrate before compromising the
-                  information and information systems.</p>
-               <link rel="related" href="#sc-29">SC-29</link>
-               <link rel="related" href="#sc-36">SC-36</link>
-            </part>
-            <part id="pl-8.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pl-8.1.a_obj" name="objective">
-                  <prop name="label">PL-8(1)(a)</prop>
-                  <part id="pl-8.1.a_obj.1" name="objective">
-                     <prop name="label">PL-8(1)(a)[1]</prop>
-                     <p>defines security safeguards to be allocated to locations and architectural
-                        layers within the design of its security architecture;</p>
-                  </part>
-                  <part id="pl-8.1.a_obj.2" name="objective">
-                     <prop name="label">PL-8(1)(a)[2]</prop>
-                     <p>defines locations and architectural layers of its security architecture in
-                        which organization-defined security safeguards are to be allocated;</p>
-                  </part>
-                  <part id="pl-8.1.a_obj.3" name="objective">
-                     <prop name="label">PL-8(1)(a)[3]</prop>
-                     <p>designs its security architecture using a defense-in-depth approach that
-                        allocates organization-defined security safeguards to organization-defined
-                        locations and architectural layers; and</p>
-                  </part>
-                  <link rel="corresp" href="#pl-8.1_smt.a">PL-8(1)(a)</link>
-               </part>
-               <part id="pl-8.1.b_obj" name="objective">
-                  <prop name="label">PL-8(1)(b)</prop>
-                  <p>designs its security architecture using a defense-in-depth approach that
-                     ensures the allocated organization-defined security safeguards operate in a
-                     coordinated and mutually reinforcing manner.</p>
-                  <link rel="corresp" href="#pl-8.1_smt.b">PL-8(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security planning policy</p>
-                  <p>procedures addressing information security architecture development</p>
-                  <p>enterprise architecture documentation</p>
-                  <p>information security architecture documentation</p>
-                  <p>security plan for the information system</p>
-                  <p>security CONOPS for the information system</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security architecture development
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for designing the information security
-                     architecture</p>
-                  <p>automated mechanisms supporting and/or implementing the design of the
-                     information security architecture</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pl-8.2">
-            <title>Supplier Diversity</title>
-            <param id="pl-8.2_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="pl-8.2_prm_2">
-               <label>organization-defined locations and architectural layers</label>
-            </param>
-            <prop name="label">PL-8(2)</prop>
-            <prop name="sort-id">pl-08.02</prop>
-            <part id="pl-8.2_smt" name="statement">
-               <p>The organization requires that <insert param-id="pl-8.2_prm_1"/> allocated to
-                     <insert param-id="pl-8.2_prm_2"/> are obtained from different suppliers.</p>
-            </part>
-            <part id="pl-8.2_gdn" name="guidance">
-               <p>Different information technology products have different strengths and weaknesses.
-                  Providing a broad spectrum of products complements the individual offerings. For
-                  example, vendors offering malicious code protection typically update their
-                  products at different times, often developing solutions for known viruses,
-                  Trojans, or worms according to their priorities and development schedules. By
-                  having different products at different locations (e.g., server, boundary, desktop)
-                  there is an increased likelihood that at least one will detect the malicious
-                  code.</p>
-               <link rel="related" href="#sa-12">SA-12</link>
-            </part>
-            <part id="pl-8.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="pl-8.2_obj.1" name="objective">
-                  <prop name="label">PL-8(2)[1]</prop>
-                  <p>defines security safeguards to be allocated to locations and architectural
-                     layers within the design of its security architecture;</p>
-               </part>
-               <part id="pl-8.2_obj.2" name="objective">
-                  <prop name="label">PL-8(2)[2]</prop>
-                  <p>defines locations and architectural layers of its security architecture in
-                     which organization-defined security safeguards are to be allocated; and</p>
-               </part>
-               <part id="pl-8.2_obj.3" name="objective">
-                  <prop name="label">PL-8(2)[3]</prop>
-                  <p>requires that organization-defined security safeguards allocated to
-                     organization-defined locations and architectural layers are obtained from
-                     different suppliers.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Security planning policy</p>
-                  <p>procedures addressing information security architecture development</p>
-                  <p>enterprise architecture documentation</p>
-                  <p>information security architecture documentation</p>
-                  <p>security plan for the information system</p>
-                  <p>security CONOPS for the information system</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security planning and plan implementation
-                     responsibilities</p>
-                  <p>organizational personnel with information security architecture development
-                     responsibilities</p>
-                  <p>organizational personnel with acquisition responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for obtaining information security safeguards from
-                     different suppliers</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-9">
-         <title>Central Management</title>
-         <param id="pl-9_prm_1">
-            <label>organization-defined security controls and related processes</label>
-         </param>
-         <prop name="label">PL-9</prop>
-         <prop name="sort-id">pl-09</prop>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <part id="pl-9_smt" name="statement">
-            <p>The organization centrally manages <insert param-id="pl-9_prm_1"/>.</p>
-         </part>
-         <part id="pl-9_gdn" name="guidance">
-            <p>Central management refers to the organization-wide management and implementation of
-               selected security controls and related processes. Central management includes
-               planning, implementing, assessing, authorizing, and monitoring the
-               organization-defined, centrally managed security controls and processes. As central
-               management of security controls is generally associated with common controls, such
-               management promotes and facilitates standardization of security control
-               implementations and management and judicious use of organizational resources.
-               Centrally-managed security controls and processes may also meet independence
-               requirements for assessments in support of initial and ongoing authorizations to
-               operate as part of organizational continuous monitoring. As part of the security
-               control selection process, organizations determine which controls may be suitable for
-               central management based on organizational resources and capabilities. Organizations
-               consider that it may not always be possible to centrally manage every aspect of a
-               security control. In such cases, the security control is treated as a hybrid control
-               with the control managed and implemented either centrally or at the information
-               system level. Controls and control enhancements that are candidates for full or
-               partial central management include, but are not limited to: AC-2 (1) (2) (3) (4);
-               AC-17 (1) (2) (3) (9); AC-18 (1) (3) (4) (5); AC-19 (4); AC-22; AC-23; AT-2 (1) (2);
-               AT-3 (1) (2) (3); AT-4; AU-6 (1) (3) (5) (6) (9); AU-7 (1) (2); AU-11, AU-13, AU-16,
-               CA-2 (1) (2) (3); CA-3 (1) (2) (3); CA-7 (1); CA-9; CM-2 (1) (2); CM-3 (1) (4); CM-4;
-               CM-6 (1); CM-7 (4) (5); CM-8 (all); CM-9 (1); CM-10; CM-11; CP-7 (all); CP-8 (all);
-               SC-43; SI-2; SI-3; SI-7; and SI-8.</p>
-         </part>
-         <part id="pl-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pl-9_obj.1" name="objective">
-               <prop name="label">PL-9[1]</prop>
-               <p>defines security controls and related processes to be centrally managed; and</p>
-            </part>
-            <part id="pl-9_obj.2" name="objective">
-               <prop name="label">PL-9[2]</prop>
-               <p>centrally manages organization-defined security controls and related
-                  processes.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Security planning policy</p>
-               <p>procedures addressing security plan development and implementation</p>
-               <p>security plan for the information system</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security planning and plan implementation
-                  responsibilities</p>
-               <p>organizational personnel with responsibilities for planning/implementing central
-                  management of security controls and related processes</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for central management of security controls and related
-                  processes</p>
-               <p>automated mechanisms supporting and/or implementing central management of security
-                  controls and related processes</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ps">
-      <title>Personnel Security</title>
-      <control class="SP800-53" id="ps-1">
-         <title>Personnel Security Policy and Procedures</title>
-         <param id="ps-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ps-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-1</prop>
-         <prop name="sort-id">ps-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ps-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ps-1_prm_1"/>:</p>
-               <part id="ps-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A personnel security policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ps-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the personnel security policy
-                     and associated personnel security controls; and</p>
-               </part>
-            </part>
-            <part id="ps-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ps-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Personnel security policy <insert param-id="ps-1_prm_2"/>; and</p>
-               </part>
-               <part id="ps-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Personnel security procedures <insert param-id="ps-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the PS
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ps-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-1.a_obj" name="objective">
-               <prop name="label">PS-1(a)</prop>
-               <part id="ps-1.a.1_obj" name="objective">
-                  <prop name="label">PS-1(a)(1)</prop>
-                  <part id="ps-1.a.1_obj.1" name="objective">
-                     <prop name="label">PS-1(a)(1)[1]</prop>
-                     <p>develops and documents an personnel security policy that addresses:</p>
-                     <part id="ps-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ps-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">PS-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ps-1.a.1_obj.2" name="objective">
-                     <prop name="label">PS-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the personnel security policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.1_obj.3" name="objective">
-                     <prop name="label">PS-1(a)(1)[3]</prop>
-                     <p>disseminates the personnel security policy to organization-defined personnel
-                        or roles;</p>
-                  </part>
-               </part>
-               <part id="ps-1.a.2_obj" name="objective">
-                  <prop name="label">PS-1(a)(2)</prop>
-                  <part id="ps-1.a.2_obj.1" name="objective">
-                     <prop name="label">PS-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        personnel security policy and associated personnel security controls;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.2" name="objective">
-                     <prop name="label">PS-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ps-1.a.2_obj.3" name="objective">
-                     <prop name="label">PS-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ps-1.b_obj" name="objective">
-               <prop name="label">PS-1(b)</prop>
-               <part id="ps-1.b.1_obj" name="objective">
-                  <prop name="label">PS-1(b)(1)</prop>
-                  <part id="ps-1.b.1_obj.1" name="objective">
-                     <prop name="label">PS-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        policy;</p>
-                  </part>
-                  <part id="ps-1.b.1_obj.2" name="objective">
-                     <prop name="label">PS-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current personnel security policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ps-1.b.2_obj" name="objective">
-                  <prop name="label">PS-1(b)(2)</prop>
-                  <part id="ps-1.b.2_obj.1" name="objective">
-                     <prop name="label">PS-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current personnel security
-                        procedures; and</p>
-                  </part>
-                  <part id="ps-1.b.2_obj.2" name="objective">
-                     <prop name="label">PS-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current personnel security procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with access control responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-2">
-         <title>Position Risk Designation</title>
-         <param id="ps-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-2</prop>
-         <prop name="sort-id">ps-02</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <part id="ps-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes screening criteria for individuals filling those positions; and</p>
-            </part>
-            <part id="ps-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates position risk designations <insert param-id="ps-2_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-2_gdn" name="guidance">
-            <p>Position risk designations reflect Office of Personnel Management policy and
-               guidance. Risk designations can guide and inform the types of authorizations
-               individuals receive when accessing organizational information and information
-               systems. Position screening criteria include explicit information security role
-               appointment requirements (e.g., training, security clearances).</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-         </part>
-         <part id="ps-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-2.a_obj" name="objective">
-               <prop name="label">PS-2(a)</prop>
-               <p>assigns a risk designation to all organizational positions;</p>
-            </part>
-            <part id="ps-2.b_obj" name="objective">
-               <prop name="label">PS-2(b)</prop>
-               <p>establishes screening criteria for individuals filling those positions;</p>
-            </part>
-            <part id="ps-2.c_obj" name="objective">
-               <prop name="label">PS-2(c)</prop>
-               <part id="ps-2.c_obj.1" name="objective">
-                  <prop name="label">PS-2(c)[1]</prop>
-                  <p>defines the frequency to review and update position risk designations; and</p>
-               </part>
-               <part id="ps-2.c_obj.2" name="objective">
-                  <prop name="label">PS-2(c)[2]</prop>
-                  <p>reviews and updates position risk designations with the organization-defined
-                     frequency.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing position categorization</p>
-               <p>appropriate codes of federal regulations</p>
-               <p>list of risk designations for organizational positions</p>
-               <p>security plan</p>
-               <p>records of position risk designation reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for assigning, reviewing, and updating position risk
-                  designations</p>
-               <p>organizational processes for establishing screening criteria</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-3">
-         <title>Personnel Screening</title>
-         <param id="ps-3_prm_1">
-            <label>organization-defined conditions requiring rescreening and, where rescreening is
-               so indicated, the frequency of such rescreening</label>
-         </param>
-         <prop name="label">PS-3</prop>
-         <prop name="sort-id">ps-03</prop>
-         <link href="#0c97e60b-325a-4efa-ba2b-90f20ccd5abc" rel="reference">5 C.F.R. 731.106</link>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655" rel="reference">NIST Special Publication 800-73</link>
-         <link href="#2a71298a-ee90-490e-80ff-48c967173a47" rel="reference">NIST Special Publication 800-76</link>
-         <link href="#2042d97b-f7f6-4c74-84f8-981867684659" rel="reference">NIST Special Publication 800-78</link>
-         <link href="#6caa237b-531b-43ac-9711-d8f6b97b0377" rel="reference">ICD 704</link>
-         <part id="ps-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Screens individuals prior to authorizing access to the information system; and</p>
-            </part>
-            <part id="ps-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Rescreens individuals according to <insert param-id="ps-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="ps-3_gdn" name="guidance">
-            <p>Personnel screening and rescreening activities reflect applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, guidance, and
-               specific criteria established for the risk designations of assigned positions.
-               Organizations may define different rescreening conditions and frequencies for
-               personnel accessing information systems based on types of information processed,
-               stored, or transmitted by the systems.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-         </part>
-         <part id="ps-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-3.a_obj" name="objective">
-               <prop name="label">PS-3(a)</prop>
-               <p>screens individuals prior to authorizing access to the information system;</p>
-            </part>
-            <part id="ps-3.b_obj" name="objective">
-               <prop name="label">PS-3(b)</prop>
-               <part id="ps-3.b_obj.1" name="objective">
-                  <prop name="label">PS-3(b)[1]</prop>
-                  <p>defines conditions requiring re-screening;</p>
-               </part>
-               <part id="ps-3.b_obj.2" name="objective">
-                  <prop name="label">PS-3(b)[2]</prop>
-                  <p>defines the frequency of re-screening where it is so indicated; and</p>
-               </part>
-               <part id="ps-3.b_obj.3" name="objective">
-                  <prop name="label">PS-3(b)[3]</prop>
-                  <p>re-screens individuals in accordance with organization-defined conditions
-                     requiring re-screening and, where re-screening is so indicated, with the
-                     organization-defined frequency of such re-screening.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel screening</p>
-               <p>records of screened personnel</p>
-               <p>security plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel screening</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-3.1">
-            <title>Classified Information</title>
-            <prop name="label">PS-3(1)</prop>
-            <prop name="sort-id">ps-03.01</prop>
-            <part id="ps-3.1_smt" name="statement">
-               <p>The organization ensures that individuals accessing an information system
-                  processing, storing, or transmitting classified information are cleared and
-                  indoctrinated to the highest classification level of the information to which they
-                  have access on the system.</p>
-            </part>
-            <part id="ps-3.1_gdn" name="guidance">
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#ac-4">AC-4</link>
-            </part>
-            <part id="ps-3.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ps-3.1_obj.1" name="objective">
-                  <prop name="label">PS-3(1)[1]</prop>
-                  <p>ensures that individuals accessing an information system processing, storing,
-                     or transmitting classified information are cleared to the highest
-                     classification level of the information to which they have access on the
-                     system; and</p>
-               </part>
-               <part id="ps-3.1_obj.2" name="objective">
-                  <prop name="label">PS-3(1)[2]</prop>
-                  <p>ensures that individuals accessing an information system processing, storing,
-                     or transmitting classified information are indoctrinated to the highest
-                     classification level of the information to which they have access on the
-                     system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>procedures addressing personnel screening</p>
-                  <p>records of screened personnel</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for clearing and indoctrinating personnel for access
-                     to classified information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-3.2">
-            <title>Formal Indoctrination</title>
-            <prop name="label">PS-3(2)</prop>
-            <prop name="sort-id">ps-03.02</prop>
-            <part id="ps-3.2_smt" name="statement">
-               <p>The organization ensures that individuals accessing an information system
-                  processing, storing, or transmitting types of classified information which require
-                  formal indoctrination, are formally indoctrinated for all of the relevant types of
-                  information to which they have access on the system.</p>
-            </part>
-            <part id="ps-3.2_gdn" name="guidance">
-               <p>Types of classified information requiring formal indoctrination include, for
-                  example, Special Access Program (SAP), Restricted Data (RD), and Sensitive
-                  Compartment Information (SCI).</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#ac-4">AC-4</link>
-            </part>
-            <part id="ps-3.2_obj" name="objective">
-               <p>Determine if the organization ensures that individuals accessing an information
-                  system processing, storing, or transmitting types of classified information which
-                  require formal indoctrination, are formally indoctrinated for all of the relevant
-                  types of information to which they have access on the system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>procedures addressing personnel screening</p>
-                  <p>records of screened personnel</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for formal indoctrination for all relevant types of
-                     information to which personnel have access</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-3.3">
-            <title>Information with Special Protection Measures</title>
-            <param id="ps-3.3_prm_1">
-               <label>organization-defined additional personnel screening criteria</label>
-            </param>
-            <prop name="label">PS-3(3)</prop>
-            <prop name="sort-id">ps-03.03</prop>
-            <part id="ps-3.3_smt" name="statement">
-               <p>The organization ensures that individuals accessing an information system
-                  processing, storing, or transmitting information requiring special protection:</p>
-               <part id="ps-3.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Have valid access authorizations that are demonstrated by assigned official
-                     government duties; and</p>
-               </part>
-               <part id="ps-3.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Satisfy <insert param-id="ps-3.3_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="ps-3.3_gdn" name="guidance">
-               <p>Organizational information requiring special protection includes, for example,
-                  Controlled Unclassified Information (CUI) and Sources and Methods Information
-                  (SAMI). Personnel security criteria include, for example, position sensitivity
-                  background screening requirements.</p>
-            </part>
-            <part id="ps-3.3_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ps-3.3.a_obj" name="objective">
-                  <prop name="label">PS-3(3)(a)</prop>
-                  <p>ensures that individuals accessing an information system processing, storing,
-                     or transmitting information requiring special protection have valid access
-                     authorizations that are demonstrated by assigned official government
-                     duties;</p>
-                  <link rel="corresp" href="#ps-3.3_smt.a">PS-3(3)(a)</link>
-               </part>
-               <part id="ps-3.3.b_obj" name="objective">
-                  <prop name="label">PS-3(3)(b)</prop>
-                  <part id="ps-3.3.b_obj.1" name="objective">
-                     <prop name="label">PS-3(3)(b)[1]</prop>
-                     <p>defines additional personnel screening criteria to be satisfied for
-                        individuals accessing an information system processing, storing, or
-                        transmitting information requiring special protection; and</p>
-                  </part>
-                  <part id="ps-3.3.b_obj.2" name="objective">
-                     <prop name="label">PS-3(3)(b)[2]</prop>
-                     <p>ensures that individuals accessing an information system processing,
-                        storing, or transmitting information requiring special protection satisfy
-                        organization-defined additional personnel screening criteria.</p>
-                  </part>
-                  <link rel="corresp" href="#ps-3.3_smt.b">PS-3(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>access control policy, procedures addressing personnel screening</p>
-                  <p>records of screened personnel</p>
-                  <p>screening criteria</p>
-                  <p>records of access authorizations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for ensuring valid access authorizations for
-                     information requiring special protection</p>
-                  <p>organizational process for additional personnel screening for information
-                     requiring special protection</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-4">
-         <title>Personnel Termination</title>
-         <param id="ps-4_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <param id="ps-4_prm_2">
-            <label>organization-defined information security topics</label>
-         </param>
-         <param id="ps-4_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-4_prm_4">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-4</prop>
-         <prop name="sort-id">ps-04</prop>
-         <part id="ps-4_smt" name="statement">
-            <p>The organization, upon termination of individual employment:</p>
-            <part id="ps-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Disables information system access within <insert param-id="ps-4_prm_1"/>;</p>
-            </part>
-            <part id="ps-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Conducts exit interviews that include a discussion of <insert param-id="ps-4_prm_2"/>;</p>
-            </part>
-            <part id="ps-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Retains access to organizational information and information systems formerly
-                  controlled by terminated individual; and</p>
-            </part>
-            <part id="ps-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Notifies <insert param-id="ps-4_prm_3"/> within <insert param-id="ps-4_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-4_gdn" name="guidance">
-            <p>Information system-related property includes, for example, hardware authentication
-               tokens, system administration technical manuals, keys, identification cards, and
-               building passes. Exit interviews ensure that terminated individuals understand the
-               security constraints imposed by being former employees and that proper accountability
-               is achieved for information system-related property. Security topics of interest at
-               exit interviews can include, for example, reminding terminated individuals of
-               nondisclosure agreements and potential limitations on future employment. Exit
-               interviews may not be possible for some terminated individuals, for example, in cases
-               related to job abandonment, illnesses, and nonavailability of supervisors. Exit
-               interviews are important for individuals with security clearances. Timely execution
-               of termination actions is essential for individuals terminated for cause. In certain
-               situations, organizations consider disabling the information system accounts of
-               individuals that are being terminated prior to the individuals being notified.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-4_obj" name="objective">
-            <p>Determine if the organization, upon termination of individual employment,:</p>
-            <part id="ps-4.a_obj" name="objective">
-               <prop name="label">PS-4(a)</prop>
-               <part id="ps-4.a_obj.1" name="objective">
-                  <prop name="label">PS-4(a)[1]</prop>
-                  <p>defines a time period within which to disable information system access;</p>
-               </part>
-               <part id="ps-4.a_obj.2" name="objective">
-                  <prop name="label">PS-4(a)[2]</prop>
-                  <p>disables information system access within the organization-defined time
-                     period;</p>
-               </part>
-            </part>
-            <part id="ps-4.b_obj" name="objective">
-               <prop name="label">PS-4(b)</prop>
-               <p>terminates/revokes any authenticators/credentials associated with the
-                  individual;</p>
-            </part>
-            <part id="ps-4.c_obj" name="objective">
-               <prop name="label">PS-4(c)</prop>
-               <part id="ps-4.c_obj.1" name="objective">
-                  <prop name="label">PS-4(c)[1]</prop>
-                  <p>defines information security topics to be discussed when conducting exit
-                     interviews;</p>
-               </part>
-               <part id="ps-4.c_obj.2" name="objective">
-                  <prop name="label">PS-4(c)[2]</prop>
-                  <p>conducts exit interviews that include a discussion of organization-defined
-                     information security topics;</p>
-               </part>
-            </part>
-            <part id="ps-4.d_obj" name="objective">
-               <prop name="label">PS-4(d)</prop>
-               <p>retrieves all security-related organizational information system-related
-                  property;</p>
-            </part>
-            <part id="ps-4.e_obj" name="objective">
-               <prop name="label">PS-4(e)</prop>
-               <p>retains access to organizational information and information systems formerly
-                  controlled by the terminated individual;</p>
-            </part>
-            <part id="ps-4.f_obj" name="objective">
-               <prop name="label">PS-4(f)</prop>
-               <part id="ps-4.f_obj.1" name="objective">
-                  <prop name="label">PS-4(f)[1]</prop>
-                  <p>defines personnel or roles to be notified of the termination;</p>
-               </part>
-               <part id="ps-4.f_obj.2" name="objective">
-                  <prop name="label">PS-4(f)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles; and</p>
-               </part>
-               <part id="ps-4.f_obj.3" name="objective">
-                  <prop name="label">PS-4(f)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel termination</p>
-               <p>records of personnel termination actions</p>
-               <p>list of information system accounts</p>
-               <p>records of terminated or revoked authenticators/credentials</p>
-               <p>records of exit interviews</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel termination</p>
-               <p>automated mechanisms supporting and/or implementing personnel termination
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-4.1">
-            <title>Post-employment Requirements</title>
-            <prop name="label">PS-4(1)</prop>
-            <prop name="sort-id">ps-04.01</prop>
-            <part id="ps-4.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ps-4.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Notifies terminated individuals of applicable, legally binding post-employment
-                     requirements for the protection of organizational information; and</p>
-               </part>
-               <part id="ps-4.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Requires terminated individuals to sign an acknowledgment of post-employment
-                     requirements as part of the organizational termination process.</p>
-               </part>
-            </part>
-            <part id="ps-4.1_gdn" name="guidance">
-               <p>Organizations consult with the Office of the General Counsel regarding matters of
-                  post-employment requirements on terminated individuals.</p>
-            </part>
-            <part id="ps-4.1_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ps-4.1.a_obj" name="objective">
-                  <prop name="label">PS-4(1)(a)</prop>
-                  <p>notifies terminated individuals of applicable, legally binding, post-employment
-                     requirements for the protection of organizational information; and</p>
-                  <link rel="corresp" href="#ps-4.1_smt.a">PS-4(1)(a)</link>
-               </part>
-               <part id="ps-4.1.b_obj" name="objective">
-                  <prop name="label">PS-4(1)(b)</prop>
-                  <p>requires terminated individuals to sign an acknowledgement of post-employment
-                     requirements as part of the organizational termination process.</p>
-                  <link rel="corresp" href="#ps-4.1_smt.b">PS-4(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>procedures addressing personnel termination</p>
-                  <p>signed post-employment acknowledgement forms</p>
-                  <p>list of applicable, legally binding post-employment requirements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for post-employment requirements</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-4.2">
-            <title>Automated Notification</title>
-            <param id="ps-4.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">PS-4(2)</prop>
-            <prop name="sort-id">ps-04.02</prop>
-            <part id="ps-4.2_smt" name="statement">
-               <p>The organization employs automated mechanisms to notify <insert param-id="ps-4.2_prm_1"/> upon termination of an individual.</p>
-            </part>
-            <part id="ps-4.2_gdn" name="guidance">
-               <p>In organizations with a large number of employees, not all personnel who need to
-                  know about termination actions receive the appropriate notifications—or, if such
-                  notifications are received, they may not occur in a timely manner. Automated
-                  mechanisms can be used to send automatic alerts or notifications to specific
-                  organizational personnel or roles (e.g., management personnel, supervisors,
-                  personnel security officers, information security officers, systems
-                  administrators, or information technology administrators) when individuals are
-                  terminated. Such automatic alerts or notifications can be conveyed in a variety of
-                  ways, including, for example, telephonically, via electronic mail, via text
-                  message, or via websites.</p>
-            </part>
-            <part id="ps-4.2_obj" name="objective">
-               <p>Determine if the organization: </p>
-               <part id="ps-4.2_obj.1" name="objective">
-                  <prop name="label">PS-4(2)[1]</prop>
-                  <p>defines personnel or roles to be notified upon termination of an individual;
-                     and</p>
-               </part>
-               <part id="ps-4.2_obj.2" name="objective">
-                  <prop name="label">PS-4(2)[2]</prop>
-                  <p>employs automated mechanisms to notify organization-defined personnel or roles
-                     upon termination of an individual.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>procedures addressing personnel termination</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of personnel termination actions</p>
-                  <p>automated notifications of employee terminations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for personnel termination</p>
-                  <p>automated mechanisms supporting and/or implementing personnel termination
-                     notifications</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-5">
-         <title>Personnel Transfer</title>
-         <param id="ps-5_prm_1">
-            <label>organization-defined transfer or reassignment actions</label>
-         </param>
-         <param id="ps-5_prm_2">
-            <label>organization-defined time period following the formal transfer action</label>
-         </param>
-         <param id="ps-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-5_prm_4">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-5</prop>
-         <prop name="sort-id">ps-05</prop>
-         <part id="ps-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Reviews and confirms ongoing operational need for current logical and physical
-                  access authorizations to information systems/facilities when individuals are
-                  reassigned or transferred to other positions within the organization;</p>
-            </part>
-            <part id="ps-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Initiates <insert param-id="ps-5_prm_1"/> within <insert param-id="ps-5_prm_2"/>;</p>
-            </part>
-            <part id="ps-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer; and</p>
-            </part>
-            <part id="ps-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Notifies <insert param-id="ps-5_prm_3"/> within <insert param-id="ps-5_prm_4"/>.</p>
-            </part>
-         </part>
-         <part id="ps-5_gdn" name="guidance">
-            <p>This control applies when reassignments or transfers of individuals are permanent or
-               of such extended durations as to make the actions warranted. Organizations define
-               actions appropriate for the types of reassignments or transfers, whether permanent or
-               extended. Actions that may be required for personnel transfers or reassignments to
-               other positions within organizations include, for example: (i) returning old and
-               issuing new keys, identification cards, and building passes; (ii) closing information
-               system accounts and establishing new accounts; (iii) changing information system
-               access authorizations (i.e., privileges); and (iv) providing for access to official
-               records to which individuals had access at previous work locations and in previous
-               information system accounts.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-         </part>
-         <part id="ps-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-5.a_obj" name="objective">
-               <prop name="label">PS-5(a)</prop>
-               <p>when individuals are reassigned or transferred to other positions within the
-                  organization, reviews and confirms ongoing operational need for current:</p>
-               <part id="ps-5.a_obj.1" name="objective">
-                  <prop name="label">PS-5(a)[1]</prop>
-                  <p>logical access authorizations to information systems;</p>
-               </part>
-               <part id="ps-5.a_obj.2" name="objective">
-                  <prop name="label">PS-5(a)[2]</prop>
-                  <p>physical access authorizations to information systems and facilities;</p>
-               </part>
-            </part>
-            <part id="ps-5.b_obj" name="objective">
-               <prop name="label">PS-5(b)</prop>
-               <part id="ps-5.b_obj.1" name="objective">
-                  <prop name="label">PS-5(b)[1]</prop>
-                  <p>defines transfer or reassignment actions to be initiated following transfer or
-                     reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.2" name="objective">
-                  <prop name="label">PS-5(b)[2]</prop>
-                  <p>defines the time period within which transfer or reassignment actions must
-                     occur following transfer or reassignment;</p>
-               </part>
-               <part id="ps-5.b_obj.3" name="objective">
-                  <prop name="label">PS-5(b)[3]</prop>
-                  <p>initiates organization-defined transfer or reassignment actions within the
-                     organization-defined time period following transfer or reassignment;</p>
-               </part>
-            </part>
-            <part id="ps-5.c_obj" name="objective">
-               <prop name="label">PS-5(c)</prop>
-               <p>modifies access authorization as needed to correspond with any changes in
-                  operational need due to reassignment or transfer;</p>
-            </part>
-            <part id="ps-5.d_obj" name="objective">
-               <prop name="label">PS-5(d)</prop>
-               <part id="ps-5.d_obj.1" name="objective">
-                  <prop name="label">PS-5(d)[1]</prop>
-                  <p>defines personnel or roles to be notified when individuals are reassigned or
-                     transferred to other positions within the organization;</p>
-               </part>
-               <part id="ps-5.d_obj.2" name="objective">
-                  <prop name="label">PS-5(d)[2]</prop>
-                  <p>defines the time period within which to notify organization-defined personnel
-                     or roles when individuals are reassigned or transferred to other positions
-                     within the organization; and</p>
-               </part>
-               <part id="ps-5.d_obj.3" name="objective">
-                  <prop name="label">PS-5(d)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when individuals are reassigned or transferred
-                     to other positions within the organization.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel transfer</p>
-               <p>security plan</p>
-               <p>records of personnel transfer actions</p>
-               <p>list of information system and facility access authorizations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities organizational
-                  personnel with account management responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for personnel transfer</p>
-               <p>automated mechanisms supporting and/or implementing personnel transfer
-                  notifications</p>
-               <p>automated mechanisms for disabling information system access/revoking
-                  authenticators</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-6">
-         <title>Access Agreements</title>
-         <param id="ps-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ps-6_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-6</prop>
-         <prop name="sort-id">ps-06</prop>
-         <part id="ps-6_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the access agreements <insert param-id="ps-6_prm_1"/>; and</p>
-            </part>
-            <part id="ps-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that individuals requiring access to organizational information and
-                  information systems:</p>
-               <part id="ps-6_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Sign appropriate access agreements prior to being granted access; and</p>
-               </part>
-               <part id="ps-6_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Re-sign access agreements to maintain access to organizational information
-                     systems when access agreements have been updated or <insert param-id="ps-6_prm_2"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ps-6_gdn" name="guidance">
-            <p>Access agreements include, for example, nondisclosure agreements, acceptable use
-               agreements, rules of behavior, and conflict-of-interest agreements. Signed access
-               agreements include an acknowledgement that individuals have read, understand, and
-               agree to abide by the constraints associated with organizational information systems
-               to which access is authorized. Organizations can use electronic signatures to
-               acknowledge access agreements unless specifically prohibited by organizational
-               policy.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-         </part>
-         <part id="ps-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-6.a_obj" name="objective">
-               <prop name="label">PS-6(a)</prop>
-               <p>develops and documents access agreements for organizational information
-                  systems;</p>
-            </part>
-            <part id="ps-6.b_obj" name="objective">
-               <prop name="label">PS-6(b)</prop>
-               <part id="ps-6.b_obj.1" name="objective">
-                  <prop name="label">PS-6(b)[1]</prop>
-                  <p>defines the frequency to review and update the access agreements;</p>
-               </part>
-               <part id="ps-6.b_obj.2" name="objective">
-                  <prop name="label">PS-6(b)[2]</prop>
-                  <p>reviews and updates the access agreements with the organization-defined
-                     frequency;</p>
-               </part>
-            </part>
-            <part id="ps-6.c_obj" name="objective">
-               <prop name="label">PS-6(c)</prop>
-               <part id="ps-6.c.1_obj" name="objective">
-                  <prop name="label">PS-6(c)(1)</prop>
-                  <p>ensures that individuals requiring access to organizational information and
-                     information systems sign appropriate access agreements prior to being granted
-                     access;</p>
-               </part>
-               <part id="ps-6.c.2_obj" name="objective">
-                  <prop name="label">PS-6(c)(2)</prop>
-                  <part id="ps-6.c.2_obj.1" name="objective">
-                     <prop name="label">PS-6(c)(2)[1]</prop>
-                     <p>defines the frequency to re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been
-                        updated;</p>
-                  </part>
-                  <part id="ps-6.c.2_obj.2" name="objective">
-                     <prop name="label">PS-6(c)(2)[2]</prop>
-                     <p>ensures that individuals requiring access to organizational information and
-                        information systems re-sign access agreements to maintain access to
-                        organizational information systems when access agreements have been updated
-                        or with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing access agreements for organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>access agreements</p>
-               <p>records of access agreement reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel who have signed/resigned access agreements</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for access agreements</p>
-               <p>automated mechanisms supporting access agreements</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-6.1">
-            <title>Information Requiring Special Protection</title>
-            <prop name="label">PS-6(1)</prop>
-            <prop name="sort-id">ps-06.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ps-3">PS-3</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-6.2">
-            <title>Classified Information Requiring Special Protection</title>
-            <prop name="label">PS-6(2)</prop>
-            <prop name="sort-id">ps-06.02</prop>
-            <part id="ps-6.2_smt" name="statement">
-               <p>The organization ensures that access to classified information requiring special
-                  protection is granted only to individuals who:</p>
-               <part id="ps-6.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Have a valid access authorization that is demonstrated by assigned official
-                     government duties;</p>
-               </part>
-               <part id="ps-6.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Satisfy associated personnel security criteria; and</p>
-               </part>
-               <part id="ps-6.2_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Have read, understood, and signed a nondisclosure agreement.</p>
-               </part>
-            </part>
-            <part id="ps-6.2_gdn" name="guidance">
-               <p>Classified information requiring special protection includes, for example,
-                  collateral information, Special Access Program (SAP) information, and Sensitive
-                  Compartmented Information (SCI). Personnel security criteria reflect applicable
-                  federal laws, Executive Orders, directives, regulations, policies, standards, and
-                  guidance.</p>
-            </part>
-            <part id="ps-6.2_obj" name="objective">
-               <p>Determine if the organization ensures that access to classified information
-                  requiring special protection is granted only to individuals who:</p>
-               <part id="ps-6.2.a_obj" name="objective">
-                  <prop name="label">PS-6(2)(a)</prop>
-                  <p>have a valid access authorization that is demonstrated by assigned official
-                     government duties;</p>
-                  <link rel="corresp" href="#ps-6.2_smt.a">PS-6(2)(a)</link>
-               </part>
-               <part id="ps-6.2.b_obj" name="objective">
-                  <prop name="label">PS-6(2)(b)</prop>
-                  <p>satisfy associated personnel security criteria; and</p>
-                  <link rel="corresp" href="#ps-6.2_smt.b">PS-6(2)(b)</link>
-               </part>
-               <part id="ps-6.2.c_obj" name="objective">
-                  <prop name="label">PS-6(2)(c)</prop>
-                  <p>have read, understood, and signed a nondisclosure agreement.</p>
-                  <link rel="corresp" href="#ps-6.2_smt.c">PS-6(2)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>procedures addressing access agreements for organizational information and
-                     information systems</p>
-                  <p>access agreements</p>
-                  <p>access authorizations</p>
-                  <p>personnel security criteria</p>
-                  <p>signed nondisclosure agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel who have signed nondisclosure agreements</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for access to classified information requiring special
-                     protection</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-6.3">
-            <title>Post-employment Requirements</title>
-            <prop name="label">PS-6(3)</prop>
-            <prop name="sort-id">ps-06.03</prop>
-            <part id="ps-6.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="ps-6.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Notifies individuals of applicable, legally binding post-employment
-                     requirements for protection of organizational information; and</p>
-               </part>
-               <part id="ps-6.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Requires individuals to sign an acknowledgment of these requirements, if
-                     applicable, as part of granting initial access to covered information.</p>
-               </part>
-            </part>
-            <part id="ps-6.3_gdn" name="guidance">
-               <p>Organizations consult with the Office of the General Counsel regarding matters of
-                  post-employment requirements on terminated individuals.</p>
-            </part>
-            <part id="ps-6.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ps-6.3.a_obj" name="objective">
-                  <prop name="label">PS-6(3)(a)</prop>
-                  <p>notifies individuals of applicable, legally binding post-employment
-                     requirements for protection of organizational information; and</p>
-                  <link rel="corresp" href="#ps-6.3_smt.a">PS-6(3)(a)</link>
-               </part>
-               <part id="ps-6.3.b_obj" name="objective">
-                  <prop name="label">PS-6(3)(b)</prop>
-                  <p>requires individuals to sign an acknowledgement of these requirements, if
-                     applicable, as part of granting initial access to covered information.</p>
-                  <link rel="corresp" href="#ps-6.3_smt.b">PS-6(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Personnel security policy</p>
-                  <p>procedures addressing access agreements for organizational information and
-                     information systems</p>
-                  <p>signed post-employment acknowledgement forms</p>
-                  <p>access agreements</p>
-                  <p>list of applicable, legally binding post-employment requirements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with personnel security responsibilities</p>
-                  <p>organizational personnel who have signed access agreements that include
-                     post-employment requirements</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for post-employment requirements</p>
-                  <p>automated mechanisms supporting notifications and individual acknowledgements
-                     of post-employment requirements</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-7">
-         <title>Third-party Personnel Security</title>
-         <param id="ps-7_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-7_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-7</prop>
-         <prop name="sort-id">ps-07</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="ps-7_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes personnel security requirements including security roles and
-                  responsibilities for third-party providers;</p>
-            </part>
-            <part id="ps-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Requires third-party providers to notify <insert param-id="ps-7_prm_1"/> of any
-                  personnel transfers or terminations of third-party personnel who possess
-                  organizational credentials and/or badges, or who have information system
-                  privileges within <insert param-id="ps-7_prm_2"/>; and</p>
-            </part>
-            <part id="ps-7_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Monitors provider compliance.</p>
-            </part>
-         </part>
-         <part id="ps-7_gdn" name="guidance">
-            <p>Third-party providers include, for example, service bureaus, contractors, and other
-               organizations providing information system development, information technology
-               services, outsourced applications, and network and security management. Organizations
-               explicitly include personnel security requirements in acquisition-related documents.
-               Third-party providers may have personnel working at organizational facilities with
-               credentials, badges, or information system privileges issued by organizations.
-               Notifications of third-party personnel changes ensure appropriate termination of
-               privileges and credentials. Organizations define the transfers and terminations
-               deemed reportable by security-related characteristics that include, for example,
-               functions, roles, and nature of credentials/privileges associated with individuals
-               transferred or terminated.</p>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sa-21">SA-21</link>
-         </part>
-         <part id="ps-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-7.a_obj" name="objective">
-               <prop name="label">PS-7(a)</prop>
-               <p>establishes personnel security requirements, including security roles and
-                  responsibilities, for third-party providers;</p>
-            </part>
-            <part id="ps-7.b_obj" name="objective">
-               <prop name="label">PS-7(b)</prop>
-               <p>requires third-party providers to comply with personnel security policies and
-                  procedures established by the organization;</p>
-            </part>
-            <part id="ps-7.c_obj" name="objective">
-               <prop name="label">PS-7(c)</prop>
-               <p>documents personnel security requirements;</p>
-            </part>
-            <part id="ps-7.d_obj" name="objective">
-               <prop name="label">PS-7(d)</prop>
-               <part id="ps-7.d_obj.1" name="objective">
-                  <prop name="label">PS-7(d)[1]</prop>
-                  <p>defines personnel or roles to be notified of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.2" name="objective">
-                  <prop name="label">PS-7(d)[2]</prop>
-                  <p>defines the time period within which third-party providers are required to
-                     notify organization-defined personnel or roles of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges;</p>
-               </part>
-               <part id="ps-7.d_obj.3" name="objective">
-                  <prop name="label">PS-7(d)[3]</prop>
-                  <p>requires third-party providers to notify organization-defined personnel or
-                     roles within the organization-defined time period of any personnel transfers or
-                     terminations of third-party personnel who possess organizational credentials
-                     and/or badges, or who have information system privileges; and</p>
-               </part>
-            </part>
-            <part id="ps-7.e_obj" name="objective">
-               <prop name="label">PS-7(e)</prop>
-               <p>monitors provider compliance.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing third-party personnel security</p>
-               <p>list of personnel security requirements</p>
-               <p>acquisition documents</p>
-               <p>service-level agreements</p>
-               <p>compliance monitoring process</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>third-party providers</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with account management responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing and monitoring third-party personnel
-                  security</p>
-               <p>automated mechanisms supporting and/or implementing monitoring of provider
-                  compliance</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-8">
-         <title>Personnel Sanctions</title>
-         <param id="ps-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-8_prm_2">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">PS-8</prop>
-         <prop name="sort-id">ps-08</prop>
-         <part id="ps-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ps-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures; and</p>
-            </part>
-            <part id="ps-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Notifies <insert param-id="ps-8_prm_1"/> within <insert param-id="ps-8_prm_2"/>
-                  when a formal employee sanctions process is initiated, identifying the individual
-                  sanctioned and the reason for the sanction.</p>
-            </part>
-         </part>
-         <part id="ps-8_gdn" name="guidance">
-            <p>Organizational sanctions processes reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Sanctions processes are
-               described in access agreements and can be included as part of general personnel
-               policies and procedures for organizations. Organizations consult with the Office of
-               the General Counsel regarding matters of employee sanctions.</p>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-         </part>
-         <part id="ps-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ps-8.a_obj" name="objective">
-               <prop name="label">PS-8(a)</prop>
-               <p>employs a formal sanctions process for individuals failing to comply with
-                  established information security policies and procedures;</p>
-            </part>
-            <part id="ps-8.b_obj" name="objective">
-               <prop name="label">PS-8(b)</prop>
-               <part id="ps-8.b_obj.1" name="objective">
-                  <prop name="label">PS-8(b)[1]</prop>
-                  <p>defines personnel or roles to be notified when a formal employee sanctions
-                     process is initiated;</p>
-               </part>
-               <part id="ps-8.b_obj.2" name="objective">
-                  <prop name="label">PS-8(b)[2]</prop>
-                  <p>defines the time period within which organization-defined personnel or roles
-                     must be notified when a formal employee sanctions process is initiated; and</p>
-               </part>
-               <part id="ps-8.b_obj.3" name="objective">
-                  <prop name="label">PS-8(b)[3]</prop>
-                  <p>notifies organization-defined personnel or roles within the
-                     organization-defined time period when a formal employee sanctions process is
-                     initiated, identifying the individual sanctioned and the reason for the
-                     sanction.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Personnel security policy</p>
-               <p>procedures addressing personnel sanctions</p>
-               <p>rules of behavior</p>
-               <p>records of formal sanctions</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with personnel security responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing personnel sanctions</p>
-               <p>automated mechanisms supporting and/or implementing notifications</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ra">
-      <title>Risk Assessment</title>
-      <control class="SP800-53" id="ra-1">
-         <title>Risk Assessment Policy and Procedures</title>
-         <param id="ra-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ra-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">RA-1</prop>
-         <prop name="sort-id">ra-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="ra-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="ra-1_prm_1"/>:</p>
-               <part id="ra-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A risk assessment policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="ra-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the risk assessment policy and
-                     associated risk assessment controls; and</p>
-               </part>
-            </part>
-            <part id="ra-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="ra-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Risk assessment policy <insert param-id="ra-1_prm_2"/>; and</p>
-               </part>
-               <part id="ra-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Risk assessment procedures <insert param-id="ra-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="ra-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the RA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-1.a_obj" name="objective">
-               <prop name="label">RA-1(a)</prop>
-               <part id="ra-1.a.1_obj" name="objective">
-                  <prop name="label">RA-1(a)(1)</prop>
-                  <part id="ra-1.a.1_obj.1" name="objective">
-                     <prop name="label">RA-1(a)(1)[1]</prop>
-                     <p>develops and documents a risk assessment policy that addresses:</p>
-                     <part id="ra-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="ra-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">RA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="ra-1.a.1_obj.2" name="objective">
-                     <prop name="label">RA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the risk assessment policy is to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.1_obj.3" name="objective">
-                     <prop name="label">RA-1(a)(1)[3]</prop>
-                     <p>disseminates the risk assessment policy to organization-defined personnel or
-                        roles;</p>
-                  </part>
-               </part>
-               <part id="ra-1.a.2_obj" name="objective">
-                  <prop name="label">RA-1(a)(2)</prop>
-                  <part id="ra-1.a.2_obj.1" name="objective">
-                     <prop name="label">RA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        risk assessment policy and associated risk assessment controls;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.2" name="objective">
-                     <prop name="label">RA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="ra-1.a.2_obj.3" name="objective">
-                     <prop name="label">RA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-1.b_obj" name="objective">
-               <prop name="label">RA-1(b)</prop>
-               <part id="ra-1.b.1_obj" name="objective">
-                  <prop name="label">RA-1(b)(1)</prop>
-                  <part id="ra-1.b.1_obj.1" name="objective">
-                     <prop name="label">RA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        policy;</p>
-                  </part>
-                  <part id="ra-1.b.1_obj.2" name="objective">
-                     <prop name="label">RA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current risk assessment policy with the
-                        organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="ra-1.b.2_obj" name="objective">
-                  <prop name="label">RA-1(b)(2)</prop>
-                  <part id="ra-1.b.2_obj.1" name="objective">
-                     <prop name="label">RA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current risk assessment
-                        procedures; and</p>
-                  </part>
-                  <part id="ra-1.b.2_obj.2" name="objective">
-                     <prop name="label">RA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current risk assessment procedures with the
-                        organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>risk assessment policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-2">
-         <title>Security Categorization</title>
-         <prop name="label">RA-2</prop>
-         <prop name="sort-id">ra-02</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="ra-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that the authorizing official or authorizing official designated
-                  representative reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part id="ra-2_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective security
-               categorization decisions. Security categories describe the potential adverse impacts
-               to organizational operations, organizational assets, and individuals if
-               organizational information and information systems are comprised through a loss of
-               confidentiality, integrity, or availability. Organizations conduct the security
-               categorization process as an organization-wide activity with the involvement of chief
-               information officers, senior information security officers, information system
-               owners, mission/business owners, and information owners/stewards. Organizations also
-               consider the potential adverse impacts to other organizations and, in accordance with
-               the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential
-               national-level adverse impacts. Security categorization processes carried out by
-               organizations facilitate the development of inventories of information assets, and
-               along with CM-8, mappings to specific information system components where information
-               is processed, stored, or transmitted.</p>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="ra-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-2.a_obj" name="objective">
-               <prop name="label">RA-2(a)</prop>
-               <p>categorizes information and the information system in accordance with applicable
-                  federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  guidance;</p>
-            </part>
-            <part id="ra-2.b_obj" name="objective">
-               <prop name="label">RA-2(b)</prop>
-               <p>documents the security categorization results (including supporting rationale) in
-                  the security plan for the information system; and</p>
-            </part>
-            <part id="ra-2.c_obj" name="objective">
-               <prop name="label">RA-2(c)</prop>
-               <p>ensures the authorizing official or authorizing official designated representative
-                  reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing security categorization of organizational information and
-                  information systems</p>
-               <p>security plan</p>
-               <p>security categorization documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security categorization and risk assessment
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security categorization</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-3">
-         <title>Risk Assessment</title>
-         <param id="ra-3_prm_1">
-            <select>
-               <choice>security plan</choice>
-               <choice>risk assessment report</choice>
-               <choice>
-                  <insert param-id="ra-3_prm_2"/>
-               </choice>
-            </select>
-         </param>
-         <param id="ra-3_prm_2" depends-on="ra-3_prm_1">
-            <label>organization-defined document</label>
-         </param>
-         <param id="ra-3_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ra-3_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-3_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">RA-3</prop>
-         <prop name="sort-id">ra-03</prop>
-         <link href="#ff3bfb02-79b2-411f-8735-98dfe5af2ab0" rel="reference">OMB Memorandum 04-04</link>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <link href="#85280698-0417-489d-b214-12bb935fb939" rel="reference">http://idmanagement.gov</link>
-         <part id="ra-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of the information system and the information it processes, stores, or
-                  transmits;</p>
-            </part>
-            <part id="ra-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Documents risk assessment results in <insert param-id="ra-3_prm_1"/>;</p>
-            </part>
-            <part id="ra-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews risk assessment results <insert param-id="ra-3_prm_3"/>;</p>
-            </part>
-            <part id="ra-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Disseminates risk assessment results to <insert param-id="ra-3_prm_4"/>; and</p>
-            </part>
-            <part id="ra-3_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Updates the risk assessment <insert param-id="ra-3_prm_5"/> or whenever there are
-                  significant changes to the information system or environment of operation
-                  (including the identification of new threats and vulnerabilities), or other
-                  conditions that may impact the security state of the system.</p>
-            </part>
-         </part>
-         <part id="ra-3_gdn" name="guidance">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective risk
-               assessments. Risk assessments take into account threats, vulnerabilities, likelihood,
-               and impact to organizational operations and assets, individuals, other organizations,
-               and the Nation based on the operation and use of information systems. Risk
-               assessments also take into account risk from external parties (e.g., service
-               providers, contractors operating information systems on behalf of the organization,
-               individuals accessing organizational information systems, outsourcing entities). In
-               accordance with OMB policy and related E-authentication initiatives, authentication
-               of public users accessing federal information systems may also be required to protect
-               nonpublic or privacy-related information. As such, organizational assessments of risk
-               also address public access to federal information systems. Risk assessments (either
-               formal or informal) can be conducted at all three tiers in the risk management
-               hierarchy (i.e., organization level, mission/business process level, or information
-               system level) and at any phase in the system development life cycle. Risk assessments
-               can also be conducted at various steps in the Risk Management Framework, including
-               categorization, security control selection, security control implementation, security
-               control assessment, information system authorization, and security control
-               monitoring. RA-3 is noteworthy in that the control must be partially implemented
-               prior to the implementation of other controls in order to complete the first two
-               steps in the Risk Management Framework. Risk assessments can play an important role
-               in security control selection processes, particularly during the application of
-               tailoring guidance, which includes security control supplementation.</p>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="ra-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-3.a_obj" name="objective">
-               <prop name="label">RA-3(a)</prop>
-               <p>conducts an assessment of risk, including the likelihood and magnitude of harm,
-                  from the unauthorized access, use, disclosure, disruption, modification, or
-                  destruction of:</p>
-               <part id="ra-3.a_obj.1" name="objective">
-                  <prop name="label">RA-3(a)[1]</prop>
-                  <p>the information system;</p>
-               </part>
-               <part id="ra-3.a_obj.2" name="objective">
-                  <prop name="label">RA-3(a)[2]</prop>
-                  <p>the information the system processes, stores, or transmits;</p>
-               </part>
-            </part>
-            <part id="ra-3.b_obj" name="objective">
-               <prop name="label">RA-3(b)</prop>
-               <part id="ra-3.b_obj.1" name="objective">
-                  <prop name="label">RA-3(b)[1]</prop>
-                  <p>defines a document in which risk assessment results are to be documented (if
-                     not documented in the security plan or risk assessment report);</p>
-               </part>
-               <part id="ra-3.b_obj.2" name="objective">
-                  <prop name="label">RA-3(b)[2]</prop>
-                  <p>documents risk assessment results in one of the following:</p>
-                  <part id="ra-3.b_obj.2.a" name="objective">
-                     <prop name="label">RA-3(b)[2][a]</prop>
-                     <p>the security plan;</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.b" name="objective">
-                     <prop name="label">RA-3(b)[2][b]</prop>
-                     <p>the risk assessment report; or</p>
-                  </part>
-                  <part id="ra-3.b_obj.2.c" name="objective">
-                     <prop name="label">RA-3(b)[2][c]</prop>
-                     <p>the organization-defined document;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-3.c_obj" name="objective">
-               <prop name="label">RA-3(c)</prop>
-               <part id="ra-3.c_obj.1" name="objective">
-                  <prop name="label">RA-3(c)[1]</prop>
-                  <p>defines the frequency to review risk assessment results;</p>
-               </part>
-               <part id="ra-3.c_obj.2" name="objective">
-                  <prop name="label">RA-3(c)[2]</prop>
-                  <p>reviews risk assessment results with the organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="ra-3.d_obj" name="objective">
-               <prop name="label">RA-3(d)</prop>
-               <part id="ra-3.d_obj.1" name="objective">
-                  <prop name="label">RA-3(d)[1]</prop>
-                  <p>defines personnel or roles to whom risk assessment results are to be
-                     disseminated;</p>
-               </part>
-               <part id="ra-3.d_obj.2" name="objective">
-                  <prop name="label">RA-3(d)[2]</prop>
-                  <p>disseminates risk assessment results to organization-defined personnel or
-                     roles;</p>
-               </part>
-            </part>
-            <part id="ra-3.e_obj" name="objective">
-               <prop name="label">RA-3(e)</prop>
-               <part id="ra-3.e_obj.1" name="objective">
-                  <prop name="label">RA-3(e)[1]</prop>
-                  <p>defines the frequency to update the risk assessment;</p>
-               </part>
-               <part id="ra-3.e_obj.2" name="objective">
-                  <prop name="label">RA-3(e)[2]</prop>
-                  <p>updates the risk assessment:</p>
-                  <part id="ra-3.e_obj.2.a" name="objective">
-                     <prop name="label">RA-3(e)[2][a]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.b" name="objective">
-                     <prop name="label">RA-3(e)[2][b]</prop>
-                     <p>whenever there are significant changes to the information system or
-                        environment of operation (including the identification of new threats and
-                        vulnerabilities); and</p>
-                  </part>
-                  <part id="ra-3.e_obj.2.c" name="objective">
-                     <prop name="label">RA-3(e)[2][c]</prop>
-                     <p>whenever there are other conditions that may impact the security state of
-                        the system.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>security planning policy and procedures</p>
-               <p>procedures addressing organizational assessments of risk</p>
-               <p>security plan</p>
-               <p>risk assessment</p>
-               <p>risk assessment results</p>
-               <p>risk assessment reviews</p>
-               <p>risk assessment updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for risk assessment</p>
-               <p>automated mechanisms supporting and/or for conducting, documenting, reviewing,
-                  disseminating, and updating the risk assessment</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-4">
-         <title>Risk Assessment Update</title>
-         <prop name="label">RA-4</prop>
-         <prop name="sort-id">ra-04</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#ra-3">RA-3</link>
-      </control>
-      <control class="SP800-53" id="ra-5">
-         <title>Vulnerability Scanning</title>
-         <param id="ra-5_prm_1">
-            <label>organization-defined frequency and/or randomly in accordance with
-               organization-defined process</label>
-         </param>
-         <param id="ra-5_prm_2">
-            <label>organization-defined response times</label>
-         </param>
-         <param id="ra-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">RA-5</prop>
-         <prop name="sort-id">ra-05</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#c4691b88-57d1-463b-9053-2d0087913f31" rel="reference">NIST Special Publication 800-115</link>
-         <link href="#15522e92-9192-463d-9646-6a01982db8ca" rel="reference">http://cwe.mitre.org</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <part id="ra-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="ra-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Scans for vulnerabilities in the information system and hosted applications
-                     <insert param-id="ra-5_prm_1"/> and when new vulnerabilities potentially
-                  affecting the system/applications are identified and reported;</p>
-            </part>
-            <part id="ra-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Enumerating platforms, software flaws, and improper configurations;</p>
-               </part>
-               <part id="ra-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Formatting checklists and test procedures; and</p>
-               </part>
-               <part id="ra-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Analyzes vulnerability scan reports and results from security control
-                  assessments;</p>
-            </part>
-            <part id="ra-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Remediates legitimate vulnerabilities <insert param-id="ra-5_prm_2"/> in
-                  accordance with an organizational assessment of risk; and</p>
-            </part>
-            <part id="ra-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Shares information obtained from the vulnerability scanning process and security
-                  control assessments with <insert param-id="ra-5_prm_3"/> to help eliminate similar
-                  vulnerabilities in other information systems (i.e., systemic weaknesses or
-                  deficiencies).</p>
-            </part>
-         </part>
-         <part id="ra-5_gdn" name="guidance">
-            <p>Security categorization of information systems guides the frequency and
-               comprehensiveness of vulnerability scans. Organizations determine the required
-               vulnerability scanning for all information system components, ensuring that potential
-               sources of vulnerabilities such as networked printers, scanners, and copiers are not
-               overlooked. Vulnerability analyses for custom software applications may require
-               additional approaches such as static analysis, dynamic analysis, binary analysis, or
-               a hybrid of the three approaches. Organizations can employ these analysis approaches
-               in a variety of tools (e.g., web-based application scanners, static analysis tools,
-               binary analyzers) and in source code reviews. Vulnerability scanning includes, for
-               example: (i) scanning for patch levels; (ii) scanning for functions, ports,
-               protocols, and services that should not be accessible to users or devices; and (iii)
-               scanning for improperly configured or incorrectly operating information flow control
-               mechanisms. Organizations consider using tools that express vulnerabilities in the
-               Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open
-               Vulnerability Assessment Language (OVAL) to determine/test for the presence of
-               vulnerabilities. Suggested sources for vulnerability information include the Common
-               Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In
-               addition, security control assessments such as red team exercises provide other
-               sources of potential vulnerabilities for which to scan. Organizations also consider
-               using tools that express vulnerability impact by the Common Vulnerability Scoring
-               System (CVSS).</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="ra-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-5.a_obj" name="objective">
-               <prop name="label">RA-5(a)</prop>
-               <part id="ra-5.a_obj.1" name="objective">
-                  <prop name="label">RA-5(a)[1]</prop>
-                  <part id="ra-5.a_obj.1.a" name="objective">
-                     <prop name="label">RA-5(a)[1][a]</prop>
-                     <p>defines the frequency for conducting vulnerability scans on the information
-                        system and hosted applications; and/or</p>
-                  </part>
-                  <part id="ra-5.a_obj.1.b" name="objective">
-                     <prop name="label">RA-5(a)[1][b]</prop>
-                     <p>defines the process for conducting random vulnerability scans on the
-                        information system and hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.2" name="objective">
-                  <prop name="label">RA-5(a)[2]</prop>
-                  <p>in accordance with the organization-defined frequency and/or
-                     organization-defined process for conducting random scans, scans for
-                     vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.2.a" name="objective">
-                     <prop name="label">RA-5(a)[2][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.2.b" name="objective">
-                     <prop name="label">RA-5(a)[2][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-               <part id="ra-5.a_obj.3" name="objective">
-                  <prop name="label">RA-5(a)[3]</prop>
-                  <p>when new vulnerabilities potentially affecting the system/applications are
-                     identified and reported, scans for vulnerabilities in:</p>
-                  <part id="ra-5.a_obj.3.a" name="objective">
-                     <prop name="label">RA-5(a)[3][a]</prop>
-                     <p>the information system;</p>
-                  </part>
-                  <part id="ra-5.a_obj.3.b" name="objective">
-                     <prop name="label">RA-5(a)[3][b]</prop>
-                     <p>hosted applications;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="ra-5.b_obj" name="objective">
-               <prop name="label">RA-5(b)</prop>
-               <p>employs vulnerability scanning tools and techniques that facilitate
-                  interoperability among tools and automate parts of the vulnerability management
-                  process by using standards for:</p>
-               <part id="ra-5.b.1_obj" name="objective">
-                  <prop name="label">RA-5(b)(1)</prop>
-                  <part id="ra-5.b.1_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(1)[1]</prop>
-                     <p>enumerating platforms;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(1)[2]</prop>
-                     <p>enumerating software flaws;</p>
-                  </part>
-                  <part id="ra-5.b.1_obj.3" name="objective">
-                     <prop name="label">RA-5(b)(1)[3]</prop>
-                     <p>enumerating improper configurations;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.2_obj" name="objective">
-                  <prop name="label">RA-5(b)(2)</prop>
-                  <part id="ra-5.b.2_obj.1" name="objective">
-                     <prop name="label">RA-5(b)(2)[1]</prop>
-                     <p>formatting checklists;</p>
-                  </part>
-                  <part id="ra-5.b.2_obj.2" name="objective">
-                     <prop name="label">RA-5(b)(2)[2]</prop>
-                     <p>formatting test procedures;</p>
-                  </part>
-               </part>
-               <part id="ra-5.b.3_obj" name="objective">
-                  <prop name="label">RA-5(b)(3)</prop>
-                  <p>measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part id="ra-5.c_obj" name="objective">
-               <prop name="label">RA-5(c)</prop>
-               <part id="ra-5.c_obj.1" name="objective">
-                  <prop name="label">RA-5(c)[1]</prop>
-                  <p>analyzes vulnerability scan reports;</p>
-               </part>
-               <part id="ra-5.c_obj.2" name="objective">
-                  <prop name="label">RA-5(c)[2]</prop>
-                  <p>analyzes results from security control assessments;</p>
-               </part>
-            </part>
-            <part id="ra-5.d_obj" name="objective">
-               <prop name="label">RA-5(d)</prop>
-               <part id="ra-5.d_obj.1" name="objective">
-                  <prop name="label">RA-5(d)[1]</prop>
-                  <p>defines response times to remediate legitimate vulnerabilities in accordance
-                     with an organizational assessment of risk;</p>
-               </part>
-               <part id="ra-5.d_obj.2" name="objective">
-                  <prop name="label">RA-5(d)[2]</prop>
-                  <p>remediates legitimate vulnerabilities within the organization-defined response
-                     times in accordance with an organizational assessment of risk;</p>
-               </part>
-            </part>
-            <part id="ra-5.e_obj" name="objective">
-               <prop name="label">RA-5(e)</prop>
-               <part id="ra-5.e_obj.1" name="objective">
-                  <prop name="label">RA-5(e)[1]</prop>
-                  <p>defines personnel or roles with whom information obtained from the
-                     vulnerability scanning process and security control assessments is to be
-                     shared;</p>
-               </part>
-               <part id="ra-5.e_obj.2" name="objective">
-                  <prop name="label">RA-5(e)[2]</prop>
-                  <p>shares information obtained from the vulnerability scanning process with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies); and</p>
-               </part>
-               <part id="ra-5.e_obj.3" name="objective">
-                  <prop name="label">RA-5(e)[3]</prop>
-                  <p>shares information obtained from security control assessments with
-                     organization-defined personnel or roles to help eliminate similar
-                     vulnerabilities in other information systems (i.e., systemic weaknesses or
-                     deficiencies).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>procedures addressing vulnerability scanning</p>
-               <p>risk assessment</p>
-               <p>security plan</p>
-               <p>security assessment report</p>
-               <p>vulnerability scanning tools and associated configuration documentation</p>
-               <p>vulnerability scanning results</p>
-               <p>patch and vulnerability management records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with risk assessment, security control assessment and
-                  vulnerability scanning responsibilities</p>
-               <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-               <p>organizational personnel with vulnerability remediation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for vulnerability scanning, analysis, remediation, and
-                  information sharing</p>
-               <p>automated mechanisms supporting and/or implementing vulnerability scanning,
-                  analysis, remediation, and information sharing</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="ra-5.1">
-            <title>Update Tool Capability</title>
-            <prop name="label">RA-5(1)</prop>
-            <prop name="sort-id">ra-05.01</prop>
-            <part id="ra-5.1_smt" name="statement">
-               <p>The organization employs vulnerability scanning tools that include the capability
-                  to readily update the information system vulnerabilities to be scanned.</p>
-            </part>
-            <part id="ra-5.1_gdn" name="guidance">
-               <p>The vulnerabilities to be scanned need to be readily updated as new
-                  vulnerabilities are discovered, announced, and scanning methods developed. This
-                  updating process helps to ensure that potential vulnerabilities in the information
-                  system are identified and addressed as quickly as possible.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="ra-5.1_obj" name="objective">
-               <p>Determine if the organization employs vulnerability scanning tools that include
-                  the capability to readily update the information system vulnerabilities to be
-                  scanned.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.2">
-            <title>Update by Frequency / Prior to New Scan / When Identified</title>
-            <param id="ra-5.2_prm_1">
-               <select how-many="one or more">
-                  <choice>
-                     <insert param-id="ra-5.2_prm_2"/>
-                  </choice>
-                  <choice>prior to a new scan</choice>
-                  <choice>when new vulnerabilities are identified and reported</choice>
-               </select>
-            </param>
-            <param id="ra-5.2_prm_2" depends-on="ra-5.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">RA-5(2)</prop>
-            <prop name="sort-id">ra-05.02</prop>
-            <part id="ra-5.2_smt" name="statement">
-               <p>The organization updates the information system vulnerabilities scanned <insert param-id="ra-5.2_prm_1"/>.</p>
-            </part>
-            <part id="ra-5.2_gdn" name="guidance">
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-5">SI-5</link>
-            </part>
-            <part id="ra-5.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ra-5.2_obj.1" name="objective">
-                  <prop name="label">RA-5(2)[1]</prop>
-                  <p>defines the frequency to update the information system vulnerabilities
-                     scanned;</p>
-               </part>
-               <part id="ra-5.2_obj.2" name="objective">
-                  <prop name="label">RA-5(2)[2]</prop>
-                  <p>updates the information system vulnerabilities scanned one or more of the
-                     following:</p>
-                  <part id="ra-5.2_obj.2.a" name="objective">
-                     <prop name="label">RA-5(2)[2][a]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-                  <part id="ra-5.2_obj.2.b" name="objective">
-                     <prop name="label">RA-5(2)[2][b]</prop>
-                     <p>prior to a new scan; and/or</p>
-                  </part>
-                  <part id="ra-5.2_obj.2.c" name="objective">
-                     <prop name="label">RA-5(2)[2][c]</prop>
-                     <p>when new vulnerabilities are identified and reported.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.3">
-            <title>Breadth / Depth of Coverage</title>
-            <prop name="label">RA-5(3)</prop>
-            <prop name="sort-id">ra-05.03</prop>
-            <part id="ra-5.3_smt" name="statement">
-               <p>The organization employs vulnerability scanning procedures that can identify the
-                  breadth and depth of coverage (i.e., information system components scanned and
-                  vulnerabilities checked).</p>
-            </part>
-            <part id="ra-5.3_obj" name="objective">
-               <p>Determine if the organization employs vulnerability scanning procedures that can
-                  identify:</p>
-               <part id="ra-5.3_obj.1" name="objective">
-                  <prop name="label">RA-5(3)[1]</prop>
-                  <p>the breadth of coverage (i.e., information system components scanned); and</p>
-               </part>
-               <part id="ra-5.3_obj.2" name="objective">
-                  <prop name="label">RA-5(3)[2]</prop>
-                  <p>the depth of coverage (i.e., vulnerabilities checked).</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>security assessment report</p>
-                  <p>vulnerability scanning tools and associated configuration documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.4">
-            <title>Discoverable Information</title>
-            <param id="ra-5.4_prm_1">
-               <label>organization-defined corrective actions</label>
-            </param>
-            <prop name="label">RA-5(4)</prop>
-            <prop name="sort-id">ra-05.04</prop>
-            <part id="ra-5.4_smt" name="statement">
-               <p>The organization determines what information about the information system is
-                  discoverable by adversaries and subsequently takes <insert param-id="ra-5.4_prm_1"/>.</p>
-            </part>
-            <part id="ra-5.4_gdn" name="guidance">
-               <p>Discoverable information includes information that adversaries could obtain
-                  without directly compromising or breaching the information system, for example, by
-                  collecting information the system is exposing or by conducting extensive searches
-                  of the web. Corrective actions can include, for example, notifying appropriate
-                  organizational personnel, removing designated information, or changing the
-                  information system to make designated information less relevant or attractive to
-                  adversaries.</p>
-               <link rel="related" href="#au-13">AU-13</link>
-            </part>
-            <part id="ra-5.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="ra-5.4_obj.1" name="objective">
-                  <prop name="label">RA-5(4)[1]</prop>
-                  <p>defines corrective actions to be taken if information about the information
-                     system is discoverable by adversaries;</p>
-               </part>
-               <part id="ra-5.4_obj.2" name="objective">
-                  <prop name="label">RA-5(4)[2]</prop>
-                  <p>determines what information about the information system is discoverable by
-                     adversaries; and</p>
-               </part>
-               <part id="ra-5.4_obj.3" name="objective">
-                  <prop name="label">RA-5(4)[3]</prop>
-                  <p>subsequently takes organization-defined corrective actions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Procedures addressing vulnerability scanning</p>
-                  <p>security assessment report</p>
-                  <p>penetration test results</p>
-                  <p>vulnerability scanning results</p>
-                  <p>risk assessment report</p>
-                  <p>records of corrective actions taken</p>
-                  <p>incident response records</p>
-                  <p>audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning and/or penetration testing
-                     responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel responsible for risk response</p>
-                  <p>organizational personnel responsible for incident management and response</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>organizational processes for risk response</p>
-                  <p>organizational processes for incident management and response</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms supporting and/or implementing risk response</p>
-                  <p>automated mechanisms supporting and/or implementing incident management and
-                     response</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.5">
-            <title>Privileged Access</title>
-            <param id="ra-5.5_prm_1">
-               <label>organization-identified information system components</label>
-            </param>
-            <param id="ra-5.5_prm_2">
-               <label>organization-defined vulnerability scanning activities</label>
-            </param>
-            <prop name="label">RA-5(5)</prop>
-            <prop name="sort-id">ra-05.05</prop>
-            <part id="ra-5.5_smt" name="statement">
-               <p>The information system implements privileged access authorization to <insert param-id="ra-5.5_prm_1"/> for selected <insert param-id="ra-5.5_prm_2"/>.</p>
-            </part>
-            <part id="ra-5.5_gdn" name="guidance">
-               <p>In certain situations, the nature of the vulnerability scanning may be more
-                  intrusive or the information system component that is the subject of the scanning
-                  may contain highly sensitive information. Privileged access authorization to
-                  selected system components facilitates more thorough vulnerability scanning and
-                  also protects the sensitive nature of such scanning.</p>
-            </part>
-            <part id="ra-5.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="ra-5.5_obj.1" name="objective">
-                  <prop name="label">RA-5(5)[1]</prop>
-                  <p>the organization defines information system components to which privileged
-                     access is authorized for selected vulnerability scanning activities;</p>
-               </part>
-               <part id="ra-5.5_obj.2" name="objective">
-                  <prop name="label">RA-5(5)[2]</prop>
-                  <p>the organization defines vulnerability scanning activities selected for
-                     privileged access authorization to organization-defined information system
-                     components; and</p>
-               </part>
-               <part id="ra-5.5_obj.3" name="objective">
-                  <prop name="label">RA-5(5)[3]</prop>
-                  <p>the information system implements privileged access authorization to
-                     organization-defined information system components for selected
-                     organization-defined vulnerability scanning activities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of information system components for vulnerability scanning</p>
-                  <p>personnel access authorization list</p>
-                  <p>authorization credentials</p>
-                  <p>access authorization records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel responsible for access control to the information
-                     system</p>
-                  <p>organizational personnel responsible for configuration management of the
-                     information system</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>organizational processes for access control</p>
-                  <p>automated mechanisms supporting and/or implementing access control</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.6">
-            <title>Automated Trend Analyses</title>
-            <prop name="label">RA-5(6)</prop>
-            <prop name="sort-id">ra-05.06</prop>
-            <part id="ra-5.6_smt" name="statement">
-               <p>The organization employs automated mechanisms to compare the results of
-                  vulnerability scans over time to determine trends in information system
-                  vulnerabilities.</p>
-            </part>
-            <part id="ra-5.6_gdn" name="guidance">
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#ir-5">IR-5</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="ra-5.6_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to compare the results
-                  of vulnerability scans over time to determine trends in information system
-                  vulnerabilities.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>information system design documentation</p>
-                  <p>vulnerability scanning tools and techniques documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms supporting and/or implementing trend analysis of
-                     vulnerability scan results</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.7">
-            <title>Automated Detection and Notification of Unauthorized Components</title>
-            <prop name="label">RA-5(7)</prop>
-            <prop name="sort-id">ra-05.07</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cm-8">CM-8</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.8">
-            <title>Review Historic Audit Logs</title>
-            <prop name="label">RA-5(8)</prop>
-            <prop name="sort-id">ra-05.08</prop>
-            <part id="ra-5.8_smt" name="statement">
-               <p>The organization reviews historic audit logs to determine if a vulnerability
-                  identified in the information system has been previously exploited.</p>
-            </part>
-            <part id="ra-5.8_gdn" name="guidance">
-               <link rel="related" href="#au-6">AU-6</link>
-            </part>
-            <part id="ra-5.8_obj" name="objective">
-               <p>Determine if the organization reviews historic audit logs to determine if a
-                  vulnerability identified in the information system has been previously exploited.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>audit logs</p>
-                  <p>records of audit log reviews</p>
-                  <p>vulnerability scanning results</p>
-                  <p>patch and vulnerability management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with audit record review responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>organizational process for audit record review and response</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms supporting and/or implementing audit record review</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.9">
-            <title>Penetration Testing and Analyses</title>
-            <prop name="label">RA-5(9)</prop>
-            <prop name="sort-id">ra-05.09</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ca-8">CA-8</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.10">
-            <title>Correlate Scanning Information</title>
-            <prop name="label">RA-5(10)</prop>
-            <prop name="sort-id">ra-05.10</prop>
-            <part id="ra-5.10_smt" name="statement">
-               <p>The organization correlates the output from vulnerability scanning tools to
-                  determine the presence of multi-vulnerability/multi-hop attack vectors.</p>
-            </part>
-            <part id="ra-5.10_obj" name="objective">
-               <p>Determine if the organization correlates the output from vulnerability scanning
-                  tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
-               </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>Risk assessment policy</p>
-                  <p>procedures addressing vulnerability scanning</p>
-                  <p>risk assessment</p>
-                  <p>security plan</p>
-                  <p>vulnerability scanning tools and techniques documentation</p>
-                  <p>vulnerability scanning results</p>
-                  <p>vulnerability management records</p>
-                  <p>audit records</p>
-                  <p>event/vulnerability correlation logs</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with vulnerability scanning responsibilities</p>
-                  <p>organizational personnel with vulnerability scan analysis responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability scanning</p>
-                  <p>automated mechanisms/tools supporting and/or implementing vulnerability
-                     scanning</p>
-                  <p>automated mechanisms implementing correlation of vulnerability scan results</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ra-6">
-         <title>Technical Surveillance Countermeasures Survey</title>
-         <param id="ra-6_prm_1">
-            <label>organization-defined locations</label>
-         </param>
-         <param id="ra-6_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="ra-6_prm_3"/>
-               </choice>
-               <choice>
-                  <insert param-id="ra-6_prm_4"/>
-               </choice>
-            </select>
-         </param>
-         <param id="ra-6_prm_3" depends-on="ra-6_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ra-6_prm_4" depends-on="ra-6_prm_2">
-            <label>organization-defined events or indicators occur</label>
-         </param>
-         <prop name="label">RA-6</prop>
-         <prop name="sort-id">ra-06</prop>
-         <part id="ra-6_smt" name="statement">
-            <p>The organization employs a technical surveillance countermeasures survey at <insert param-id="ra-6_prm_1"/>
-               <insert param-id="ra-6_prm_2"/>.</p>
-         </part>
-         <part id="ra-6_gdn" name="guidance">
-            <p>Technical surveillance countermeasures surveys are performed by qualified personnel
-               to detect the presence of technical surveillance devices/hazards and to identify
-               technical security weaknesses that could aid in the conduct of technical penetrations
-               of surveyed facilities. Such surveys provide evaluations of the technical security
-               postures of organizations and facilities and typically include thorough visual,
-               electronic, and physical examinations in and about surveyed facilities. The surveys
-               also provide useful input into risk assessments and organizational exposure to
-               potential adversaries.</p>
-         </part>
-         <part id="ra-6_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="ra-6_obj.1" name="objective">
-               <prop name="label">RA-6[1]</prop>
-               <p>defines locations to employ technical surveillance countermeasure surveys;</p>
-            </part>
-            <part id="ra-6_obj.2" name="objective">
-               <prop name="label">RA-6[2]</prop>
-               <p>defines a frequency to employ technical surveillance countermeasure surveys;</p>
-            </part>
-            <part id="ra-6_obj.3" name="objective">
-               <prop name="label">RA-6[3]</prop>
-               <p>defines events or indicators which, if they occur, trigger a technical
-                  surveillance countermeasures survey;</p>
-            </part>
-            <part id="ra-6_obj.4" name="objective">
-               <prop name="label">RA-6[4]</prop>
-               <p>employs a technical surveillance countermeasures survey at organization-defined
-                  locations one or more of the following:</p>
-               <part id="ra-6_obj.4.a" name="objective">
-                  <prop name="label">RA-6[4][a]</prop>
-                  <p>with the organization-defined frequency; and/or</p>
-               </part>
-               <part id="ra-6_obj.4.b" name="objective">
-                  <prop name="label">RA-6[4][b]</prop>
-                  <p>when organization-defined events or indicators occur.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Risk assessment policy</p>
-               <p>procedures addressing technical surveillance countermeasures surveys</p>
-               <p>security plan</p>
-               <p>audit records/event logs</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with technical surveillance countermeasures surveys
-                  responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for technical surveillance countermeasures surveys</p>
-               <p>automated mechanisms/tools supporting and/or implementing technical surveillance
-                  countermeasures surveys</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sa">
-      <title>System and Services Acquisition</title>
-      <control class="SP800-53" id="sa-1">
-         <title>System and Services Acquisition Policy and Procedures</title>
-         <param id="sa-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sa-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sa-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SA-1</prop>
-         <prop name="sort-id">sa-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sa-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sa-1_prm_1"/>:</p>
-               <part id="sa-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and services acquisition policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="sa-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and services
-                     acquisition policy and associated system and services acquisition controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sa-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sa-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and services acquisition policy <insert param-id="sa-1_prm_2"/>; and</p>
-               </part>
-               <part id="sa-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and services acquisition procedures <insert param-id="sa-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sa-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SA
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sa-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-1.a_obj" name="objective">
-               <prop name="label">SA-1(a)</prop>
-               <part id="sa-1.a.1_obj" name="objective">
-                  <prop name="label">SA-1(a)(1)</prop>
-                  <part id="sa-1.a.1_obj.1" name="objective">
-                     <prop name="label">SA-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and services acquisition policy that
-                        addresses:</p>
-                     <part id="sa-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sa-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SA-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sa-1.a.1_obj.2" name="objective">
-                     <prop name="label">SA-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and services acquisition
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.1_obj.3" name="objective">
-                     <prop name="label">SA-1(a)(1)[3]</prop>
-                     <p>disseminates the system and services acquisition policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sa-1.a.2_obj" name="objective">
-                  <prop name="label">SA-1(a)(2)</prop>
-                  <part id="sa-1.a.2_obj.1" name="objective">
-                     <prop name="label">SA-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and services acquisition policy and associated system and services
-                        acquisition controls;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.2" name="objective">
-                     <prop name="label">SA-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sa-1.a.2_obj.3" name="objective">
-                     <prop name="label">SA-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-1.b_obj" name="objective">
-               <prop name="label">SA-1(b)</prop>
-               <part id="sa-1.b.1_obj" name="objective">
-                  <prop name="label">SA-1(b)(1)</prop>
-                  <part id="sa-1.b.1_obj.1" name="objective">
-                     <prop name="label">SA-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition policy;</p>
-                  </part>
-                  <part id="sa-1.b.1_obj.2" name="objective">
-                     <prop name="label">SA-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sa-1.b.2_obj" name="objective">
-                  <prop name="label">SA-1(b)(2)</prop>
-                  <part id="sa-1.b.2_obj.1" name="objective">
-                     <prop name="label">SA-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and services
-                        acquisition procedures; and</p>
-                  </part>
-                  <part id="sa-1.b.2_obj.2" name="objective">
-                     <prop name="label">SA-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and services acquisition procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-2">
-         <title>Allocation of Resources</title>
-         <prop name="label">SA-2</prop>
-         <prop name="sort-id">sa-02</prop>
-         <link href="#29fcfe59-33cd-494a-8756-5907ae3a8f92" rel="reference">NIST Special Publication 800-65</link>
-         <part id="sa-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Determines, documents, and allocates the resources required to protect the
-                  information system or information system service as part of its capital planning
-                  and investment control process; and</p>
-            </part>
-            <part id="sa-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part id="sa-2_gdn" name="guidance">
-            <p>Resource allocation for information security includes funding for the initial
-               information system or information system service acquisition and funding for the
-               sustainment of the system/service.</p>
-            <link rel="related" href="#pm-3">PM-3</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-         </part>
-         <part id="sa-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-2.a_obj" name="objective">
-               <prop name="label">SA-2(a)</prop>
-               <p>determines information security requirements for the information system or
-                  information system service in mission/business process planning;</p>
-            </part>
-            <part id="sa-2.b_obj" name="objective">
-               <prop name="label">SA-2(b)</prop>
-               <p>to protect the information system or information system service as part of its
-                  capital planning and investment control process:</p>
-               <part id="sa-2.b_obj.1" name="objective">
-                  <prop name="label">SA-2(b)[1]</prop>
-                  <p>determines the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.2" name="objective">
-                  <prop name="label">SA-2(b)[2]</prop>
-                  <p>documents the resources required;</p>
-               </part>
-               <part id="sa-2.b_obj.3" name="objective">
-                  <prop name="label">SA-2(b)[3]</prop>
-                  <p>allocates the resources required; and</p>
-               </part>
-            </part>
-            <part id="sa-2.c_obj" name="objective">
-               <prop name="label">SA-2(c)</prop>
-               <p>establishes a discrete line item for information security in organizational
-                  programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the allocation of resources to information security
-                  requirements</p>
-               <p>procedures addressing capital planning and investment control</p>
-               <p>organizational programming and budgeting documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with capital planning, investment control, organizational
-                  programming and budgeting responsibilities</p>
-               <p>organizational personnel responsible for determining information security
-                  requirements for information systems/services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information security requirements</p>
-               <p>organizational processes for capital planning, programming, and budgeting</p>
-               <p>automated mechanisms supporting and/or implementing organizational capital
-                  planning, programming, and budgeting</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-3">
-         <title>System Development Life Cycle</title>
-         <param id="sa-3_prm_1">
-            <label>organization-defined system development life cycle</label>
-         </param>
-         <prop name="label">SA-3</prop>
-         <prop name="sort-id">sa-03</prop>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <part id="sa-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Manages the information system using <insert param-id="sa-3_prm_1"/> that
-                  incorporates information security considerations;</p>
-            </part>
-            <part id="sa-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part id="sa-3_gdn" name="guidance">
-            <p>A well-defined system development life cycle provides the foundation for the
-               successful development, implementation, and operation of organizational information
-               systems. To apply the required security controls within the system development life
-               cycle requires a basic understanding of information security, threats,
-               vulnerabilities, adverse impacts, and risk to critical missions/business functions.
-               The security engineering principles in SA-8 cannot be properly applied if individuals
-               that design, code, and test information systems and system components (including
-               information technology products) do not understand security. Therefore, organizations
-               include qualified personnel, for example, chief information security officers,
-               security architects, security engineers, and information system security officers in
-               system development life cycle activities to ensure that security requirements are
-               incorporated into organizational information systems. It is equally important that
-               developers include individuals on the development team that possess the requisite
-               security expertise and skills to ensure that needed security capabilities are
-               effectively integrated into the information system. Security awareness and training
-               programs can help ensure that individuals having key security roles and
-               responsibilities have the appropriate experience, skills, and expertise to conduct
-               assigned system development life cycle activities. The effective integration of
-               security requirements into enterprise architecture also helps to ensure that
-               important security considerations are addressed early in the system development life
-               cycle and that those considerations are directly related to the organizational
-               mission/business processes. This process also facilitates the integration of the
-               information security architecture into the enterprise architecture, consistent with
-               organizational risk management and information security strategies.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-3.a_obj" name="objective">
-               <prop name="label">SA-3(a)</prop>
-               <part id="sa-3.a_obj.1" name="objective">
-                  <prop name="label">SA-3(a)[1]</prop>
-                  <p>defines a system development life cycle that incorporates information security
-                     considerations to be used to manage the information system;</p>
-               </part>
-               <part id="sa-3.a_obj.2" name="objective">
-                  <prop name="label">SA-3(a)[2]</prop>
-                  <p>manages the information system using the organization-defined system
-                     development life cycle;</p>
-               </part>
-            </part>
-            <part id="sa-3.b_obj" name="objective">
-               <prop name="label">SA-3(b)</prop>
-               <p>defines and documents information security roles and responsibilities throughout
-                  the system development life cycle;</p>
-            </part>
-            <part id="sa-3.c_obj" name="objective">
-               <prop name="label">SA-3(c)</prop>
-               <p>identifies individuals having information security roles and responsibilities;
-                  and</p>
-            </part>
-            <part id="sa-3.d_obj" name="objective">
-               <prop name="label">SA-3(d)</prop>
-               <p>integrates the organizational information security risk management process into
-                  system development life cycle activities.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security into the system
-                  development life cycle process</p>
-               <p>information system development life cycle documentation</p>
-               <p>information security risk management strategy/program documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security and system life cycle
-                  development responsibilities</p>
-               <p>organizational personnel with information security risk management
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining and documenting the SDLC</p>
-               <p>organizational processes for identifying SDLC roles and responsibilities</p>
-               <p>organizational process for integrating information security risk management into
-                  the SDLC</p>
-               <p>automated mechanisms supporting and/or implementing the SDLC</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-4">
-         <title>Acquisition Process</title>
-         <prop name="label">SA-4</prop>
-         <prop name="sort-id">sa-04</prop>
-         <link href="#ad733a42-a7ed-4774-b988-4930c28852f3" rel="reference">HSPD-12</link>
-         <link href="#1737a687-52fb-4008-b900-cbfa836f7b65" rel="reference">ISO/IEC 15408</link>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#c80c10b3-1294-4984-a4cc-d1733ca432b9" rel="reference">FIPS Publication 201</link>
-         <link href="#0a5db899-f033-467f-8631-f5a8ba971475" rel="reference">NIST Special Publication 800-23</link>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <link href="#d818efd3-db31-4953-8afa-9e76afe83ce2" rel="reference">NIST Special Publication 800-36</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <link href="#84a37532-6db6-477b-9ea8-f9085ebca0fc" rel="reference">NIST Special Publication 800-70</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <link href="#56d671da-6b7b-4abf-8296-84b61980390a" rel="reference">Federal Acquisition Regulation</link>
-         <link href="#c95a9986-3cd6-4a98-931b-ccfc56cb11e5" rel="reference">http://www.niap-ccevs.org</link>
-         <link href="#5ed1f4d5-1494-421b-97ed-39d3c88ab51f" rel="reference">http://fips201ep.cio.gov</link>
-         <link href="#bbd50dd1-54ce-4432-959d-63ea564b1bb4" rel="reference">http://www.acquisition.gov/far</link>
-         <part id="sa-4_smt" name="statement">
-            <p>The organization includes the following requirements, descriptions, and criteria,
-               explicitly or by reference, in the acquisition contract for the information system,
-               system component, or information system service in accordance with applicable federal
-               laws, Executive Orders, directives, policies, regulations, standards, guidelines, and
-               organizational mission/business needs:</p>
-            <part id="sa-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Security functional requirements;</p>
-            </part>
-            <part id="sa-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Security strength requirements;</p>
-            </part>
-            <part id="sa-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Security assurance requirements;</p>
-            </part>
-            <part id="sa-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Description of the information system development environment and environment in
-                  which the system is intended to operate; and</p>
-            </part>
-            <part id="sa-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Acceptance criteria.</p>
-            </part>
-         </part>
-         <part id="sa-4_gdn" name="guidance">
-            <p>Information system components are discrete, identifiable information technology
-               assets (e.g., hardware, software, or firmware) that represent the building blocks of
-               an information system. Information system components include commercial information
-               technology products. Security functional requirements include security capabilities,
-               security functions, and security mechanisms. Security strength requirements
-               associated with such capabilities, functions, and mechanisms include degree of
-               correctness, completeness, resistance to direct attack, and resistance to tampering
-               or bypass. Security assurance requirements include: (i) development processes,
-               procedures, practices, and methodologies; and (ii) evidence from development and
-               assessment activities providing grounds for confidence that the required security
-               functionality has been implemented and the required security strength has been
-               achieved. Security documentation requirements address all phases of the system
-               development life cycle. Security functionality, assurance, and documentation
-               requirements are expressed in terms of security controls and control enhancements
-               that have been selected through the tailoring process. The security control tailoring
-               process includes, for example, the specification of parameter values through the use
-               of assignment and selection statements and the specification of platform dependencies
-               and implementation information. Security documentation provides user and
-               administrator guidance regarding the implementation and operation of security
-               controls. The level of detail required in security documentation is based on the
-               security category or classification level of the information system and the degree to
-               which organizations depend on the stated security capability, functions, or
-               mechanisms to meet overall risk response expectations (as defined in the
-               organizational risk management strategy). Security requirements can also include
-               organizationally mandated configuration settings specifying allowed functions, ports,
-               protocols, and services. Acceptance criteria for information systems, information
-               system components, and information system services are defined in the same manner as
-               such criteria for any organizational acquisition or procurement. The Federal
-               Acquisition Regulation (FAR) Section 7.103 contains information security requirements
-               from FISMA.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="sa-4_obj" name="objective">
-            <p>Determine if the organization includes the following requirements, descriptions, and
-               criteria, explicitly or by reference, in the acquisition contracts for the
-               information system, system component, or information system service in accordance
-               with applicable federal laws, Executive Orders, directives, policies, regulations,
-               standards, guidelines, and organizational mission/business needs:</p>
-            <part id="sa-4.a_obj" name="objective">
-               <prop name="label">SA-4(a)</prop>
-               <p>security functional requirements;</p>
-            </part>
-            <part id="sa-4.b_obj" name="objective">
-               <prop name="label">SA-4(b)</prop>
-               <p>security strength requirements;</p>
-            </part>
-            <part id="sa-4.c_obj" name="objective">
-               <prop name="label">SA-4(c)</prop>
-               <p>security assurance requirements;</p>
-            </part>
-            <part id="sa-4.d_obj" name="objective">
-               <prop name="label">SA-4(d)</prop>
-               <p>security-related documentation requirements;</p>
-            </part>
-            <part id="sa-4.e_obj" name="objective">
-               <prop name="label">SA-4(e)</prop>
-               <p>requirements for protecting security-related documentation;</p>
-            </part>
-            <part id="sa-4.f_obj" name="objective">
-               <prop name="label">SA-4(f)</prop>
-               <p>description of:</p>
-               <part id="sa-4.f_obj.1" name="objective">
-                  <prop name="label">SA-4(f)[1]</prop>
-                  <p>the information system development environment;</p>
-               </part>
-               <part id="sa-4.f_obj.2" name="objective">
-                  <prop name="label">SA-4(f)[2]</prop>
-                  <p>the environment in which the system is intended to operate; and</p>
-               </part>
-            </part>
-            <part id="sa-4.g_obj" name="objective">
-               <prop name="label">SA-4(g)</prop>
-               <p>acceptance criteria.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing the integration of information security requirements,
-                  descriptions, and criteria into the acquisition process</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>information system design documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security functional, strength, and assurance requirements</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for determining information system security functional,
-                  strength, and assurance requirements</p>
-               <p>organizational processes for developing acquisition contracts</p>
-               <p>automated mechanisms supporting and/or implementing acquisitions and inclusion of
-                  security requirements in contracts</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-4.1">
-            <title>Functional Properties of Security Controls</title>
-            <prop name="label">SA-4(1)</prop>
-            <prop name="sort-id">sa-04.01</prop>
-            <part id="sa-4.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to provide a description of the
-                  functional properties of the security controls to be employed.</p>
-            </part>
-            <part id="sa-4.1_gdn" name="guidance">
-               <p>Functional properties of security controls describe the functionality (i.e.,
-                  security capability, functions, or mechanisms) visible at the interfaces of the
-                  controls and specifically exclude functionality and data structures internal to
-                  the operation of the controls.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-4.1_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to provide a description of the
-                  functional properties of the security controls to be employed.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security functional requirements</p>
-                  <p>information system developer or service provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for determining information system security
-                     functional, requirements</p>
-                  <p>organizational processes for developing acquisition contracts</p>
-                  <p>automated mechanisms supporting and/or implementing acquisitions and inclusion
-                     of security requirements in contracts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.2">
-            <title>Design / Implementation Information for Security Controls</title>
-            <param id="sa-4.2_prm_1">
-               <select how-many="one or more">
-                  <choice>security-relevant external system interfaces</choice>
-                  <choice>high-level design</choice>
-                  <choice>low-level design</choice>
-                  <choice>source code or hardware schematics</choice>
-                  <choice>
-                     <insert param-id="sa-4.2_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="sa-4.2_prm_2" depends-on="sa-4.2_prm_1">
-               <label>organization-defined design/implementation information</label>
-            </param>
-            <param id="sa-4.2_prm_3">
-               <label>organization-defined level of detail</label>
-            </param>
-            <prop name="label">SA-4(2)</prop>
-            <prop name="sort-id">sa-04.02</prop>
-            <part id="sa-4.2_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to provide design and implementation
-                  information for the security controls to be employed that includes: <insert param-id="sa-4.2_prm_1"/> at <insert param-id="sa-4.2_prm_3"/>.</p>
-            </part>
-            <part id="sa-4.2_gdn" name="guidance">
-               <p>Organizations may require different levels of detail in design and implementation
-                  documentation for security controls employed in organizational information
-                  systems, system components, or information system services based on
-                  mission/business requirements, requirements for trustworthiness/resiliency, and
-                  requirements for analysis and testing. Information systems can be partitioned into
-                  multiple subsystems. Each subsystem within the system can contain one or more
-                  modules. The high-level design for the system is expressed in terms of multiple
-                  subsystems and the interfaces between subsystems providing security-relevant
-                  functionality. The low-level design for the system is expressed in terms of
-                  modules with particular emphasis on software and firmware (but not excluding
-                  hardware) and the interfaces between modules providing security-relevant
-                  functionality. Source code and hardware schematics are typically referred to as
-                  the implementation representation of the information system.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-4.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.2_obj.1" name="objective">
-                  <prop name="label">SA-4(2)[1]</prop>
-                  <p>defines level of detail that the developer is required to provide in design and
-                     implementation information for the security controls to be employed in the
-                     information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-4.2_obj.2" name="objective">
-                  <prop name="label">SA-4(2)[2]</prop>
-                  <p>defines design/implementation information that the developer is to provide for
-                     the security controls to be employed (if selected);</p>
-               </part>
-               <part id="sa-4.2_obj.3" name="objective">
-                  <prop name="label">SA-4(2)[3]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to provide design and implementation information for
-                     the security controls to be employed that includes, at the organization-defined
-                     level of detail, one or more of the following:</p>
-                  <part id="sa-4.2_obj.3.a" name="objective">
-                     <prop name="label">SA-4(2)[3][a]</prop>
-                     <p>security-relevant external system interfaces;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.b" name="objective">
-                     <prop name="label">SA-4(2)[3][b]</prop>
-                     <p>high-level design;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.c" name="objective">
-                     <prop name="label">SA-4(2)[3][c]</prop>
-                     <p>low-level design;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.d" name="objective">
-                     <prop name="label">SA-4(2)[3][d]</prop>
-                     <p>source code;</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.e" name="objective">
-                     <prop name="label">SA-4(2)[3][e]</prop>
-                     <p>hardware schematics; and/or</p>
-                  </part>
-                  <part id="sa-4.2_obj.3.f" name="objective">
-                     <prop name="label">SA-4(2)[3][f]</prop>
-                     <p>organization-defined design/implementation information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system components, or
-                     information system services</p>
-                  <p>design and implementation information for security controls employed in the
-                     information system, system component, or information system service</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>information system developer or service provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for determining level of detail for system design and
-                     security controls</p>
-                  <p>organizational processes for developing acquisition contracts</p>
-                  <p>automated mechanisms supporting and/or implementing development of system
-                     design details</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.3">
-            <title>Development Methods / Techniques / Practices</title>
-            <param id="sa-4.3_prm_1">
-               <label>organization-defined state-of-the-practice system/security engineering
-                  methods, software development methods, testing/evaluation/validation techniques,
-                  and quality control processes</label>
-            </param>
-            <prop name="label">SA-4(3)</prop>
-            <prop name="sort-id">sa-04.03</prop>
-            <part id="sa-4.3_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to demonstrate the use of a system
-                  development life cycle that includes <insert param-id="sa-4.3_prm_1"/>.</p>
-            </part>
-            <part id="sa-4.3_gdn" name="guidance">
-               <p>Following a well-defined system development life cycle that includes
-                  state-of-the-practice software development methods, systems/security engineering
-                  methods, quality control processes, and testing, evaluation, and validation
-                  techniques helps to reduce the number and severity of latent errors within
-                  information systems, system components, and information system services. Reducing
-                  the number/severity of such errors reduces the number of vulnerabilities in those
-                  systems, components, and services.</p>
-               <link rel="related" href="#sa-12">SA-12</link>
-            </part>
-            <part id="sa-4.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.3_obj.1" name="objective">
-                  <prop name="label">SA-4(3)[1]</prop>
-                  <p>defines state-of-the-practice system/security engineering methods to be
-                     included in the system development life cycle employed by the developer of the
-                     information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-4.3_obj.2" name="objective">
-                  <prop name="label">SA-4(3)[2]</prop>
-                  <p>defines software development methods to be included in the system development
-                     life cycle employed by the developer of the information system, system
-                     component, or information system service;</p>
-               </part>
-               <part id="sa-4.3_obj.3" name="objective">
-                  <prop name="label">SA-4(3)[3]</prop>
-                  <p>defines testing/evaluation/validation techniques to be included in the system
-                     development life cycle employed by the developer of the information system,
-                     system component, or information system service;</p>
-               </part>
-               <part id="sa-4.3_obj.4" name="objective">
-                  <prop name="label">SA-4(3)[4]</prop>
-                  <p>defines quality control processes to be included in the system development life
-                     cycle employed by the developer of the information system, system component, or
-                     information system service;</p>
-               </part>
-               <part id="sa-4.3_obj.5" name="objective">
-                  <prop name="label">SA-4(3)[5]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to demonstrate the use of a system development life
-                     cycle that includes:</p>
-                  <part id="sa-4.3_obj.5.a" name="objective">
-                     <prop name="label">SA-4(3)[5][a]</prop>
-                     <p>organization-defined state-of-the-practice system/security engineering
-                        methods;</p>
-                  </part>
-                  <part id="sa-4.3_obj.5.b" name="objective">
-                     <prop name="label">SA-4(3)[5][b]</prop>
-                     <p>organization-defined software development methods;</p>
-                  </part>
-                  <part id="sa-4.3_obj.5.c" name="objective">
-                     <prop name="label">SA-4(3)[5][c]</prop>
-                     <p>organization-defined testing/evaluation/validation techniques; and</p>
-                  </part>
-                  <part id="sa-4.3_obj.5.d" name="objective">
-                     <prop name="label">SA-4(3)[5][d]</prop>
-                     <p>organization-defined quality control processes.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>list of system/security engineering methods to be included in developer’s
-                     system development life cycle process</p>
-                  <p>list of software development methods to be included in developer’s system
-                     development life cycle process</p>
-                  <p>list of testing/evaluation/validation techniques to be included in developer’s
-                     system development life cycle process</p>
-                  <p>list of quality control processes to be included in developer’s system
-                     development life cycle process</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>organizational personnel with information security and system life cycle
-                     responsibilities</p>
-                  <p>information system developer or service provider</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for development methods, techniques, and processes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.4">
-            <title>Assignment of Components to Systems</title>
-            <prop name="label">SA-4(4)</prop>
-            <prop name="sort-id">sa-04.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#cm-8.9">CM-8 (9)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.5">
-            <title>System / Component / Service Configurations</title>
-            <param id="sa-4.5_prm_1">
-               <label>organization-defined security configurations</label>
-            </param>
-            <prop name="label">SA-4(5)</prop>
-            <prop name="sort-id">sa-04.05</prop>
-            <part id="sa-4.5_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to:</p>
-               <part id="sa-4.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Deliver the system, component, or service with <insert param-id="sa-4.5_prm_1"/> implemented; and</p>
-               </part>
-               <part id="sa-4.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Use the configurations as the default for any subsequent system, component, or
-                     service reinstallation or upgrade.</p>
-               </part>
-            </part>
-            <part id="sa-4.5_gdn" name="guidance">
-               <p>Security configurations include, for example, the U.S. Government Configuration
-                  Baseline (USGCB) and any limitations on functions, ports, protocols, and services.
-                  Security characteristics include, for example, requiring that all default
-                  passwords have been changed.</p>
-               <link rel="related" href="#cm-8">CM-8</link>
-            </part>
-            <part id="sa-4.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.5.a_obj" name="objective">
-                  <prop name="label">SA-4(5)(a)</prop>
-                  <part id="sa-4.5.a_obj.1" name="objective">
-                     <prop name="label">SA-4(5)(a)[1]</prop>
-                     <p>defines security configurations to be implemented by the developer of the
-                        information system, system component, or information system service;</p>
-                  </part>
-                  <part id="sa-4.5.a_obj.2" name="objective">
-                     <prop name="label">SA-4(5)(a)[2]</prop>
-                     <p>requires the developer of the information system, system component, or
-                        information system service to deliver the system, component, or service with
-                        organization-defined security configurations implemented; and</p>
-                  </part>
-                  <link rel="corresp" href="#sa-4.5_smt.a">SA-4(5)(a)</link>
-               </part>
-               <part id="sa-4.5.b_obj" name="objective">
-                  <prop name="label">SA-4(5)(b)</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to use the configurations as the default for any
-                     subsequent system, component, or service reinstallation or upgrade.</p>
-                  <link rel="corresp" href="#sa-4.5_smt.b">SA-4(5)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>security configurations to be implemented by developer of the information
-                     system, system component, or information system service</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>information system developer or service provider</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms used to verify that the configuration of the information
-                     system, component, or service, as delivered, is as specified</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.6">
-            <title>Use of Information Assurance Products</title>
-            <prop name="label">SA-4(6)</prop>
-            <prop name="sort-id">sa-04.06</prop>
-            <part id="sa-4.6_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sa-4.6_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS)
-                     information assurance (IA) and IA-enabled information technology products that
-                     compose an NSA-approved solution to protect classified information when the
-                     networks used to transmit the information are at a lower classification level
-                     than the information being transmitted; and</p>
-               </part>
-               <part id="sa-4.6_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Ensures that these products have been evaluated and/or validated by NSA or in
-                     accordance with NSA-approved procedures.</p>
-               </part>
-            </part>
-            <part id="sa-4.6_gdn" name="guidance">
-               <p>COTS IA or IA-enabled information technology products used to protect classified
-                  information by cryptographic means may be required to use NSA-approved key
-                  management.</p>
-               <link rel="related" href="#sc-8">SC-8</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sa-4.6_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.6.a_obj" name="objective">
-                  <prop name="label">SA-4(6)(a)</prop>
-                  <p>employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS)
-                     information assurance (IA) and IA-enabled information technology products that
-                     compose an NSA-approved solution to protect classified information when the
-                     networks used to transmit the information are at a lower classification level
-                     than the information being transmitted; and</p>
-                  <link rel="corresp" href="#sa-4.6_smt.a">SA-4(6)(a)</link>
-               </part>
-               <part id="sa-4.6.b_obj" name="objective">
-                  <prop name="label">SA-4(6)(b)</prop>
-                  <p>ensures that these products have been evaluated and/or validated by the NSA or
-                     in accordance with NSA-approved procedures.</p>
-                  <link rel="corresp" href="#sa-4.6_smt.b">SA-4(6)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>security configurations to be implemented by developer of the information
-                     system, system component, or information system service</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>organizational personnel responsible for ensuring information assurance
-                     products are NSA-approved and are evaluated and/or validated products in
-                     accordance with NSA-approved procedures</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for selecting and employing evaluated and/or validated
-                     information assurance products and services that compose an NSA-approved
-                     solution to protect classified information</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.7">
-            <title>Niap-approved Protection Profiles</title>
-            <prop name="label">SA-4(7)</prop>
-            <prop name="sort-id">sa-04.07</prop>
-            <part id="sa-4.7_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sa-4.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Limits the use of commercially provided information assurance (IA) and
-                     IA-enabled information technology products to those products that have been
-                     successfully evaluated against a National Information Assurance partnership
-                     (NIAP)-approved Protection Profile for a specific technology type, if such a
-                     profile exists; and</p>
-               </part>
-               <part id="sa-4.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Requires, if no NIAP-approved Protection Profile exists for a specific
-                     technology type but a commercially provided information technology product
-                     relies on cryptographic functionality to enforce its security policy, that the
-                     cryptographic module is FIPS-validated.</p>
-               </part>
-            </part>
-            <part id="sa-4.7_gdn" name="guidance">
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sa-4.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.7.a_obj" name="objective">
-                  <prop name="label">SA-4(7)(a)</prop>
-                  <p>limits the use of commercially-provided information assurance (IA) and
-                     IA-enabled information technology products to those products that have been
-                     successfully evaluated against a National Information Assurance partnership
-                     (NIAP)-approved Protection Profile for a specific technology type, if such a
-                     profile exists; and</p>
-                  <link rel="corresp" href="#sa-4.7_smt.a">SA-4(7)(a)</link>
-               </part>
-               <part id="sa-4.7.b_obj" name="objective">
-                  <prop name="label">SA-4(7)(b)</prop>
-                  <p>requires, if no NIAP-approved Protection Profile exists for a specific
-                     technology type but a commercially provided information technology product
-                     relies on cryptographic functionality to enforce its security policy, that the
-                     cryptographic module is FIPS-validated.</p>
-                  <link rel="corresp" href="#sa-4.7_smt.b">SA-4(7)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documents</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>NAIP-approved protection profiles</p>
-                  <p>FIPS-validation information for cryptographic functionality</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>organizational personnel responsible for ensuring information assurance
-                     products are have been evaluated against a NIAP-approved protection profile or
-                     for ensuring products relying on cryptographic functionality are
-                     FIPS-validated</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for selecting and employing products/services
-                     evaluated against a NIAP-approved protection profile or FIPS-validated
-                     products</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.8">
-            <title>Continuous Monitoring Plan</title>
-            <param id="sa-4.8_prm_1">
-               <label>organization-defined level of detail</label>
-            </param>
-            <prop name="label">SA-4(8)</prop>
-            <prop name="sort-id">sa-04.08</prop>
-            <part id="sa-4.8_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to produce a plan for the continuous
-                  monitoring of security control effectiveness that contains <insert param-id="sa-4.8_prm_1"/>.</p>
-            </part>
-            <part id="sa-4.8_gdn" name="guidance">
-               <p>The objective of continuous monitoring plans is to determine if the complete set
-                  of planned, required, and deployed security controls within the information
-                  system, system component, or information system service continue to be effective
-                  over time based on the inevitable changes that occur. Developer continuous
-                  monitoring plans include a sufficient level of detail such that the information
-                  can be incorporated into the continuous monitoring strategies and programs
-                  implemented by organizations.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-            </part>
-            <part id="sa-4.8_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-4.8_obj.1" name="objective">
-                  <prop name="label">SA-4(8)[1]</prop>
-                  <p>defines the level of detail the developer of the information system, system
-                     component, or information system service is required to provide when producing
-                     a plan for the continuous monitoring of security control effectiveness; and</p>
-               </part>
-               <part id="sa-4.8_obj.2" name="objective">
-                  <prop name="label">SA-4(8)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to produce a plan for the continuous monitoring of
-                     security control effectiveness that contains the organization-defined level of
-                     detail.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing developer continuous monitoring plans</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>developer continuous monitoring plans</p>
-                  <p>security assessment plans</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>information system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Vendor processes for continuous monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing developer continuous
-                     monitoring</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.9">
-            <title>Functions / Ports / Protocols / Services in Use</title>
-            <prop name="label">SA-4(9)</prop>
-            <prop name="sort-id">sa-04.09</prop>
-            <part id="sa-4.9_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to identify early in the system
-                  development life cycle, the functions, ports, protocols, and services intended for
-                  organizational use.</p>
-            </part>
-            <part id="sa-4.9_gdn" name="guidance">
-               <p>The identification of functions, ports, protocols, and services early in the
-                  system development life cycle (e.g., during the initial requirements definition
-                  and design phases) allows organizations to influence the design of the information
-                  system, information system component, or information system service. This early
-                  involvement in the life cycle helps organizations to avoid or minimize the use of
-                  functions, ports, protocols, or services that pose unnecessarily high risks and
-                  understand the trade-offs involved in blocking specific ports, protocols, or
-                  services (or when requiring information system service providers to do so). Early
-                  identification of functions, ports, protocols, and services avoids costly
-                  retrofitting of security controls after the information system, system component,
-                  or information system service has been implemented. SA-9 describes requirements
-                  for external information system services with organizations identifying which
-                  functions, ports, protocols, and services are provided from external sources.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#sa-9">SA-9</link>
-            </part>
-            <part id="sa-4.9_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to identify early in the system
-                  development life cycle:</p>
-               <part id="sa-4.9_obj.1" name="objective">
-                  <prop name="label">SA-4(9)[1]</prop>
-                  <p>the functions intended for organizational use;</p>
-               </part>
-               <part id="sa-4.9_obj.2" name="objective">
-                  <prop name="label">SA-4(9)[2]</prop>
-                  <p>the ports intended for organizational use;</p>
-               </part>
-               <part id="sa-4.9_obj.3" name="objective">
-                  <prop name="label">SA-4(9)[3]</prop>
-                  <p>the protocols intended for organizational use; and</p>
-               </part>
-               <part id="sa-4.9_obj.4" name="objective">
-                  <prop name="label">SA-4(9)[4]</prop>
-                  <p>the services intended for organizational use.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>information system design documentation</p>
-                  <p>information system documentation including functions, ports, protocols, and
-                     services intended for organizational use</p>
-                  <p>acquisition contracts for information systems or services</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>organizational security requirements, descriptions, and criteria for developers
-                     of information systems, system components, and information system services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel operating, using, and/or maintaining the information
-                     system</p>
-                  <p>information system developers</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.10">
-            <title>Use of Approved PIV Products</title>
-            <prop name="label">SA-4(10)</prop>
-            <prop name="sort-id">sa-04.10</prop>
-            <part id="sa-4.10_smt" name="statement">
-               <p>The organization employs only information technology products on the FIPS
-                  201-approved products list for Personal Identity Verification (PIV) capability
-                  implemented within organizational information systems.</p>
-            </part>
-            <part id="sa-4.10_gdn" name="guidance">
-               <link rel="related" href="#ia-2">IA-2</link>
-               <link rel="related" href="#ia-8">IA-8</link>
-            </part>
-            <part id="sa-4.10_obj" name="objective">
-               <p>Determine if the organization employs only information technology products on the
-                  FIPS 201-approved products list for Personal Identity Verification (PIV)
-                  capability implemented within organizational information systems. </p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing the integration of information security requirements,
-                     descriptions, and criteria into the acquisition process</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with acquisition/contracting responsibilities</p>
-                  <p>organizational personnel with responsibility for determining information system
-                     security requirements</p>
-                  <p>organizational personnel with responsibility for ensuring only FIPS
-                     201-approved products are implemented</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for selecting and employing FIPS 201-approved
-                     products</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-5">
-         <title>Information System Documentation</title>
-         <param id="sa-5_prm_1">
-            <label>organization-defined actions</label>
-         </param>
-         <param id="sa-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SA-5</prop>
-         <prop name="sort-id">sa-05</prop>
-         <part id="sa-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Secure configuration, installation, and operation of the system, component, or
-                     service;</p>
-               </part>
-               <part id="sa-5_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Effective use and maintenance of security functions/mechanisms; and</p>
-               </part>
-               <part id="sa-5_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>User-accessible security functions/mechanisms and how to effectively use those
-                     security functions/mechanisms;</p>
-               </part>
-               <part id="sa-5_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner; and</p>
-               </part>
-               <part id="sa-5_smt.b.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>User responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Documents attempts to obtain information system, system component, or information
-                  system service documentation when such documentation is either unavailable or
-                  nonexistent and takes <insert param-id="sa-5_prm_1"/> in response;</p>
-            </part>
-            <part id="sa-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects documentation as required, in accordance with the risk management
-                  strategy; and</p>
-            </part>
-            <part id="sa-5_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Distributes documentation to <insert param-id="sa-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="sa-5_gdn" name="guidance">
-            <p>This control helps organizational personnel understand the implementation and
-               operation of security controls associated with information systems, system
-               components, and information system services. Organizations consider establishing
-               specific measures to determine the quality/completeness of the content provided. The
-               inability to obtain needed documentation may occur, for example, due to the age of
-               the information system/component or lack of support from developers and contractors.
-               In those situations, organizations may need to recreate selected documentation if
-               such documentation is essential to the effective implementation or operation of
-               security controls. The level of protection provided for selected information system,
-               component, or service documentation is commensurate with the security category or
-               classification of the system. For example, documentation associated with a key DoD
-               weapons system or command and control system would typically require a higher level
-               of protection than a routine administrative system. Documentation that addresses
-               information system vulnerabilities may also require an increased level of protection.
-               Secure operation of the information system, includes, for example, initially starting
-               the system and resuming secure system operation after any lapse in system
-               operation.</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-         </part>
-         <part id="sa-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-5.a_obj" name="objective">
-               <prop name="label">SA-5(a)</prop>
-               <p>obtains administrator documentation for the information system, system component,
-                  or information system service that describes:</p>
-               <part id="sa-5.a.1_obj" name="objective">
-                  <prop name="label">SA-5(a)(1)</prop>
-                  <part id="sa-5.a.1_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(1)[1]</prop>
-                     <p>secure configuration of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(1)[2]</prop>
-                     <p>secure installation of the system, system component, or service;</p>
-                  </part>
-                  <part id="sa-5.a.1_obj.3" name="objective">
-                     <prop name="label">SA-5(a)(1)[3]</prop>
-                     <p>secure operation of the system, system component, or service;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.2_obj" name="objective">
-                  <prop name="label">SA-5(a)(2)</prop>
-                  <part id="sa-5.a.2_obj.1" name="objective">
-                     <prop name="label">SA-5(a)(2)[1]</prop>
-                     <p>effective use of the security features/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.a.2_obj.2" name="objective">
-                     <prop name="label">SA-5(a)(2)[2]</prop>
-                     <p>effective maintenance of the security features/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.a.3_obj" name="objective">
-                  <prop name="label">SA-5(a)(3)</prop>
-                  <p>known vulnerabilities regarding configuration and use of administrative (i.e.,
-                     privileged) functions;</p>
-               </part>
-            </part>
-            <part id="sa-5.b_obj" name="objective">
-               <prop name="label">SA-5(b)</prop>
-               <p>obtains user documentation for the information system, system component, or
-                  information system service that describes:</p>
-               <part id="sa-5.b.1_obj" name="objective">
-                  <prop name="label">SA-5(b)(1)</prop>
-                  <part id="sa-5.b.1_obj.1" name="objective">
-                     <prop name="label">SA-5(b)(1)[1]</prop>
-                     <p>user-accessible security functions/mechanisms;</p>
-                  </part>
-                  <part id="sa-5.b.1_obj.2" name="objective">
-                     <prop name="label">SA-5(b)(1)[2]</prop>
-                     <p>how to effectively use those functions/mechanisms;</p>
-                  </part>
-               </part>
-               <part id="sa-5.b.2_obj" name="objective">
-                  <prop name="label">SA-5(b)(2)</prop>
-                  <p>methods for user interaction, which enables individuals to use the system,
-                     component, or service in a more secure manner;</p>
-               </part>
-               <part id="sa-5.b.3_obj" name="objective">
-                  <prop name="label">SA-5(b)(3)</prop>
-                  <p>user responsibilities in maintaining the security of the system, component, or
-                     service;</p>
-               </part>
-            </part>
-            <part id="sa-5.c_obj" name="objective">
-               <prop name="label">SA-5(c)</prop>
-               <part id="sa-5.c_obj.1" name="objective">
-                  <prop name="label">SA-5(c)[1]</prop>
-                  <p>defines actions to be taken after documented attempts to obtain information
-                     system, system component, or information system service documentation when such
-                     documentation is either unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.2" name="objective">
-                  <prop name="label">SA-5(c)[2]</prop>
-                  <p>documents attempts to obtain information system, system component, or
-                     information system service documentation when such documentation is either
-                     unavailable or nonexistent;</p>
-               </part>
-               <part id="sa-5.c_obj.3" name="objective">
-                  <prop name="label">SA-5(c)[3]</prop>
-                  <p>takes organization-defined actions in response;</p>
-               </part>
-            </part>
-            <part id="sa-5.d_obj" name="objective">
-               <prop name="label">SA-5(d)</prop>
-               <p>protects documentation as required, in accordance with the risk management
-                  strategy;</p>
-            </part>
-            <part id="sa-5.e_obj" name="objective">
-               <prop name="label">SA-5(e)</prop>
-               <part id="sa-5.e_obj.1" name="objective">
-                  <prop name="label">SA-5(e)[1]</prop>
-                  <p>defines personnel or roles to whom documentation is to be distributed; and</p>
-               </part>
-               <part id="sa-5.e_obj.2" name="objective">
-                  <prop name="label">SA-5(e)[2]</prop>
-                  <p>distributes documentation to organization-defined personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing information system documentation</p>
-               <p>information system documentation including administrator and user guides</p>
-               <p>records documenting attempts to obtain unavailable or nonexistent information
-                  system documentation</p>
-               <p>list of actions to be taken in response to documented attempts to obtain
-                  information system, system component, or information system service
-                  documentation</p>
-               <p>risk management strategy documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security requirements</p>
-               <p>system administrators</p>
-               <p>organizational personnel operating, using, and/or maintaining the information
-                  system</p>
-               <p>information system developers</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for obtaining, protecting, and distributing information
-                  system administrator and user documentation</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-5.1">
-            <title>Functional Properties of Security Controls</title>
-            <prop name="label">SA-5(1)</prop>
-            <prop name="sort-id">sa-05.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-4.1">SA-4 (1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-5.2">
-            <title>Security-relevant External System Interfaces</title>
-            <prop name="label">SA-5(2)</prop>
-            <prop name="sort-id">sa-05.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-4.2">SA-4 (2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-5.3">
-            <title>High-level Design</title>
-            <prop name="label">SA-5(3)</prop>
-            <prop name="sort-id">sa-05.03</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-4.2">SA-4 (2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-5.4">
-            <title>Low-level Design</title>
-            <prop name="label">SA-5(4)</prop>
-            <prop name="sort-id">sa-05.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-4.2">SA-4 (2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-5.5">
-            <title>Source Code</title>
-            <prop name="label">SA-5(5)</prop>
-            <prop name="sort-id">sa-05.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-4.2">SA-4 (2)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-6">
-         <title>Software Usage Restrictions</title>
-         <prop name="label">SA-6</prop>
-         <prop name="sort-id">sa-06</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#cm-10">CM-10</link>
-         <link rel="incorporated-into" href="#si-7">SI-7</link>
-      </control>
-      <control class="SP800-53" id="sa-7">
-         <title>User-installed Software</title>
-         <prop name="label">SA-7</prop>
-         <prop name="sort-id">sa-07</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#cm-11">CM-11</link>
-         <link rel="incorporated-into" href="#si-7">SI-7</link>
-      </control>
-      <control class="SP800-53" id="sa-8">
-         <title>Security Engineering Principles</title>
-         <prop name="label">SA-8</prop>
-         <prop name="sort-id">sa-08</prop>
-         <link href="#21b1ed35-56d2-40a8-bdfe-b461fffe322f" rel="reference">NIST Special Publication 800-27</link>
-         <part id="sa-8_smt" name="statement">
-            <p>The organization applies information system security engineering principles in the
-               specification, design, development, implementation, and modification of the
-               information system.</p>
-         </part>
-         <part id="sa-8_gdn" name="guidance">
-            <p>Organizations apply security engineering principles primarily to new development
-               information systems or systems undergoing major upgrades. For legacy systems,
-               organizations apply security engineering principles to system upgrades and
-               modifications to the extent feasible, given the current state of hardware, software,
-               and firmware within those systems. Security engineering principles include, for
-               example: (i) developing layered protections; (ii) establishing sound security policy,
-               architecture, and controls as the foundation for design; (iii) incorporating security
-               requirements into the system development life cycle; (iv) delineating physical and
-               logical security boundaries; (v) ensuring that system developers are trained on how
-               to build secure software; (vi) tailoring security controls to meet organizational and
-               operational needs; (vii) performing threat modeling to identify use cases, threat
-               agents, attack vectors, and attack patterns as well as compensating controls and
-               design patterns needed to mitigate risk; and (viii) reducing risk to acceptable
-               levels, thus enabling informed risk management decisions.</p>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sa-8_obj" name="objective">
-            <p>Determine if the organization applies information system security engineering
-               principles in: </p>
-            <part id="sa-8_obj.1" name="objective">
-               <prop name="label">SA-8[1]</prop>
-               <p>the specification of the information system;</p>
-            </part>
-            <part id="sa-8_obj.2" name="objective">
-               <prop name="label">SA-8[2]</prop>
-               <p>the design of the information system;</p>
-            </part>
-            <part id="sa-8_obj.3" name="objective">
-               <prop name="label">SA-8[3]</prop>
-               <p>the development of the information system;</p>
-            </part>
-            <part id="sa-8_obj.4" name="objective">
-               <prop name="label">SA-8[4]</prop>
-               <p>the implementation of the information system; and</p>
-            </part>
-            <part id="sa-8_obj.5" name="objective">
-               <prop name="label">SA-8[5]</prop>
-               <p>the modification of the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing security engineering principles used in the specification,
-                  design, development, implementation, and modification of the information
-                  system</p>
-               <p>information system design documentation</p>
-               <p>information security requirements and specifications for the information
-                  system</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with acquisition/contracting responsibilities</p>
-               <p>organizational personnel with responsibility for determining information system
-                  security requirements</p>
-               <p>organizational personnel with information system specification, design,
-                  development, implementation, and modification responsibilities</p>
-               <p>information system developers</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for applying security engineering principles in
-                  information system specification, design, development, implementation, and
-                  modification</p>
-               <p>automated mechanisms supporting the application of security engineering principles
-                  in information system specification, design, development, implementation, and
-                  modification</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-9">
-         <title>External Information System Services</title>
-         <param id="sa-9_prm_1">
-            <label>organization-defined security controls</label>
-         </param>
-         <param id="sa-9_prm_2">
-            <label>organization-defined processes, methods, and techniques</label>
-         </param>
-         <prop name="label">SA-9</prop>
-         <prop name="sort-id">sa-09</prop>
-         <link href="#0c775bc3-bfc3-42c7-a382-88949f503171" rel="reference">NIST Special Publication 800-35</link>
-         <part id="sa-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires that providers of external information system services comply with
-                  organizational information security requirements and employ <insert param-id="sa-9_prm_1"/> in accordance with applicable federal laws, Executive
-                  Orders, directives, policies, regulations, standards, and guidance;</p>
-            </part>
-            <part id="sa-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Defines and documents government oversight and user roles and responsibilities
-                  with regard to external information system services; and</p>
-            </part>
-            <part id="sa-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Employs <insert param-id="sa-9_prm_2"/> to monitor security control compliance by
-                  external service providers on an ongoing basis.</p>
-            </part>
-         </part>
-         <part id="sa-9_gdn" name="guidance">
-            <p>External information system services are services that are implemented outside of the
-               authorization boundaries of organizational information systems. This includes
-               services that are used by, but not a part of, organizational information systems.
-               FISMA and OMB policy require that organizations using external service providers that
-               are processing, storing, or transmitting federal information or operating information
-               systems on behalf of the federal government ensure that such providers meet the same
-               security requirements that federal agencies are required to meet. Organizations
-               establish relationships with external service providers in a variety of ways
-               including, for example, through joint ventures, business partnerships, contracts,
-               interagency agreements, lines of business arrangements, licensing agreements, and
-               supply chain exchanges. The responsibility for managing risks from the use of
-               external information system services remains with authorizing officials. For services
-               external to organizations, a chain of trust requires that organizations establish and
-               retain a level of confidence that each participating provider in the potentially
-               complex consumer-provider relationship provides adequate protection for the services
-               rendered. The extent and nature of this chain of trust varies based on the
-               relationships between organizations and the external providers. Organizations
-               document the basis for trust relationships so the relationships can be monitored over
-               time. External information system services documentation includes government, service
-               providers, end user security roles and responsibilities, and service-level
-               agreements. Service-level agreements define expectations of performance for security
-               controls, describe measurable outcomes, and identify remedies and response
-               requirements for identified instances of noncompliance.</p>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ir-7">IR-7</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-         </part>
-         <part id="sa-9_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-9.a_obj" name="objective">
-               <prop name="label">SA-9(a)</prop>
-               <part id="sa-9.a_obj.1" name="objective">
-                  <prop name="label">SA-9(a)[1]</prop>
-                  <p>defines security controls to be employed by providers of external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.a_obj.2" name="objective">
-                  <prop name="label">SA-9(a)[2]</prop>
-                  <p>requires that providers of external information system services comply with
-                     organizational information security requirements;</p>
-               </part>
-               <part id="sa-9.a_obj.3" name="objective">
-                  <prop name="label">SA-9(a)[3]</prop>
-                  <p>requires that providers of external information system services employ
-                     organization-defined security controls in accordance with applicable federal
-                     laws, Executive Orders, directives, policies, regulations, standards, and
-                     guidance;</p>
-               </part>
-            </part>
-            <part id="sa-9.b_obj" name="objective">
-               <prop name="label">SA-9(b)</prop>
-               <part id="sa-9.b_obj.1" name="objective">
-                  <prop name="label">SA-9(b)[1]</prop>
-                  <p>defines and documents government oversight with regard to external information
-                     system services;</p>
-               </part>
-               <part id="sa-9.b_obj.2" name="objective">
-                  <prop name="label">SA-9(b)[2]</prop>
-                  <p>defines and documents user roles and responsibilities with regard to external
-                     information system services;</p>
-               </part>
-            </part>
-            <part id="sa-9.c_obj" name="objective">
-               <prop name="label">SA-9(c)</prop>
-               <part id="sa-9.c_obj.1" name="objective">
-                  <prop name="label">SA-9(c)[1]</prop>
-                  <p>defines processes, methods, and techniques to be employed to monitor security
-                     control compliance by external service providers; and</p>
-               </part>
-               <part id="sa-9.c_obj.2" name="objective">
-                  <prop name="label">SA-9(c)[2]</prop>
-                  <p>employs organization-defined processes, methods, and techniques to monitor
-                     security control compliance by external service providers on an ongoing
-                     basis.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing external information system services</p>
-               <p>procedures addressing methods and techniques for monitoring security control
-                  compliance by external service providers of information system services</p>
-               <p>acquisition contracts, service-level agreements</p>
-               <p>organizational security requirements and security specifications for external
-                  provider services</p>
-               <p>security control assessment evidence from external providers of information system
-                  services</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>external providers of information system services</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-               <p>automated mechanisms for monitoring security control compliance by external
-                  service providers on an ongoing basis</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-9.1">
-            <title>Risk Assessments / Organizational Approvals</title>
-            <param id="sa-9.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SA-9(1)</prop>
-            <prop name="sort-id">sa-09.01</prop>
-            <part id="sa-9.1_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sa-9.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Conducts an organizational assessment of risk prior to the acquisition or
-                     outsourcing of dedicated information security services; and</p>
-               </part>
-               <part id="sa-9.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Ensures that the acquisition or outsourcing of dedicated information security
-                     services is approved by <insert param-id="sa-9.1_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="sa-9.1_gdn" name="guidance">
-               <p>Dedicated information security services include, for example, incident monitoring,
-                  analysis and response, operation of information security-related devices such as
-                  firewalls, or key management services.</p>
-               <link rel="related" href="#ca-6">CA-6</link>
-               <link rel="related" href="#ra-3">RA-3</link>
-            </part>
-            <part id="sa-9.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.1.a_obj" name="objective">
-                  <prop name="label">SA-9(1)(a)</prop>
-                  <p>conducts an organizational assessment of risk prior to the acquisition or
-                     outsourcing of dedicated information security services;</p>
-                  <link rel="corresp" href="#sa-9.1_smt.a">SA-9(1)(a)</link>
-               </part>
-               <part id="sa-9.1.b_obj" name="objective">
-                  <prop name="label">SA-9(1)(b)</prop>
-                  <part id="sa-9.1.b_obj.1" name="objective">
-                     <prop name="label">SA-9(1)(b)[1]</prop>
-                     <p>defines personnel or roles designated to approve the acquisition or
-                        outsourcing of dedicated information security services; and</p>
-                  </part>
-                  <part id="sa-9.1.b_obj.2" name="objective">
-                     <prop name="label">SA-9(1)(b)[2]</prop>
-                     <p>ensures that the acquisition or outsourcing of dedicated information
-                        security services is approved by organization-defined personnel or
-                        roles.</p>
-                  </part>
-                  <link rel="corresp" href="#sa-9.1_smt.b">SA-9(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>risk assessment reports</p>
-                  <p>approval records for acquisition or outsourcing of dedicated information
-                     security services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information system security responsibilities</p>
-                  <p>external providers of information system services</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting a risk assessment prior to acquiring or
-                     outsourcing dedicated information security services</p>
-                  <p>organizational processes for approving the outsourcing of dedicated information
-                     security services</p>
-                  <p>automated mechanisms supporting and/or implementing risk assessment</p>
-                  <p>automated mechanisms supporting and/or implementing approval processes</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.2">
-            <title>Identification of Functions / Ports / Protocols / Services</title>
-            <param id="sa-9.2_prm_1">
-               <label>organization-defined external information system services</label>
-            </param>
-            <prop name="label">SA-9(2)</prop>
-            <prop name="sort-id">sa-09.02</prop>
-            <part id="sa-9.2_smt" name="statement">
-               <p>The organization requires providers of <insert param-id="sa-9.2_prm_1"/> to
-                  identify the functions, ports, protocols, and other services required for the use
-                  of such services.</p>
-            </part>
-            <part id="sa-9.2_gdn" name="guidance">
-               <p>Information from external service providers regarding the specific functions,
-                  ports, protocols, and services used in the provision of such services can be
-                  particularly useful when the need arises to understand the trade-offs involved in
-                  restricting certain functions/services or blocking certain ports/protocols.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-            </part>
-            <part id="sa-9.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.2_obj.1" name="objective">
-                  <prop name="label">SA-9(2)[1]</prop>
-                  <p>defines external information system services for which providers of such
-                     services are to identify the functions, ports, protocols, and other services
-                     required for the use of such services;</p>
-               </part>
-               <part id="sa-9.2_obj.2" name="objective">
-                  <prop name="label">SA-9(2)[2]</prop>
-                  <p>requires providers of organization-defined external information system services
-                     to identify:</p>
-                  <part id="sa-9.2_obj.2.a" name="objective">
-                     <prop name="label">SA-9(2)[2][a]</prop>
-                     <p>the functions required for the use of such services;</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.b" name="objective">
-                     <prop name="label">SA-9(2)[2][b]</prop>
-                     <p>the ports required for the use of such services;</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.c" name="objective">
-                     <prop name="label">SA-9(2)[2][c]</prop>
-                     <p>the protocols required for the use of such services; and</p>
-                  </part>
-                  <part id="sa-9.2_obj.2.d" name="objective">
-                     <prop name="label">SA-9(2)[2][d]</prop>
-                     <p>the other services required for the use of such services.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation, service-level agreements</p>
-                  <p>organizational security requirements and security specifications for external
-                     service providers</p>
-                  <p>list of required functions, ports, protocols, and other services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.3">
-            <title>Establish / Maintain Trust Relationship with Providers</title>
-            <param id="sa-9.3_prm_1">
-               <label>organization-defined security requirements, properties, factors, or conditions
-                  defining acceptable trust relationships</label>
-            </param>
-            <prop name="label">SA-9(3)</prop>
-            <prop name="sort-id">sa-09.03</prop>
-            <part id="sa-9.3_smt" name="statement">
-               <p>The organization establishes, documents, and maintains trust relationships with
-                  external service providers based on <insert param-id="sa-9.3_prm_1"/>.</p>
-            </part>
-            <part id="sa-9.3_gdn" name="guidance">
-               <p>The degree of confidence that the risk from using external services is at an
-                  acceptable level depends on the trust that organizations place in the external
-                  providers, individually or in combination. Trust relationships can help
-                  organization to gain increased levels of confidence that participating service
-                  providers are providing adequate protection for the services rendered. Such
-                  relationships can be complicated due to the number of potential entities
-                  participating in the consumer-provider interactions, subordinate relationships and
-                  levels of trust, and the types of interactions between the parties. In some cases,
-                  the degree of trust is based on the amount of direct control organizations are
-                  able to exert on external service providers with regard to employment of security
-                  controls necessary for the protection of the service/information and the evidence
-                  brought forth as to the effectiveness of those controls. The level of control is
-                  typically established by the terms and conditions of the contracts or
-                  service-level agreements and can range from extensive control (e.g., negotiating
-                  contracts or agreements that specify security requirements for the providers) to
-                  very limited control (e.g., using contracts or service-level agreements to obtain
-                  commodity services such as commercial telecommunications services). In other
-                  cases, levels of trust are based on factors that convince organizations that
-                  required security controls have been employed and that determinations of control
-                  effectiveness exist. For example, separately authorized external information
-                  system services provided to organizations through well-established business
-                  relationships may provide degrees of trust in such services within the tolerable
-                  risk range of the organizations using the services. External service providers may
-                  also outsource selected services to other external entities, making the trust
-                  relationship more difficult and complicated to manage. Depending on the nature of
-                  the services, organizations may find it very difficult to place significant trust
-                  in external providers. This is not due to any inherent untrustworthiness on the
-                  part of providers, but to the intrinsic level of risk in the services.</p>
-            </part>
-            <part id="sa-9.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.3_obj.1" name="objective">
-                  <prop name="label">SA-9(3)[1]</prop>
-                  <p>defines requirements, properties, factors, or conditions defining acceptable
-                     trust relationships;</p>
-               </part>
-               <part id="sa-9.3_obj.2" name="objective">
-                  <prop name="label">SA-9(3)[2]</prop>
-                  <p>based on organization-defined requirements, properties, factors, or conditions
-                     defining acceptable trust relationships:</p>
-                  <part id="sa-9.3_obj.2.a" name="objective">
-                     <prop name="label">SA-9(3)[2][a]</prop>
-                     <p>establishes trust relationships with external service providers;</p>
-                  </part>
-                  <part id="sa-9.3_obj.2.b" name="objective">
-                     <prop name="label">SA-9(3)[2][b]</prop>
-                     <p>documents trust relationships with external service providers; and</p>
-                  </part>
-                  <part id="sa-9.3_obj.2.c" name="objective">
-                     <prop name="label">SA-9(3)[2][c]</prop>
-                     <p>maintains trust relationships with external service providers.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>organizational security requirements, properties, factors, or conditions
-                     defining acceptable trust relationships</p>
-                  <p>documentation of trust relationships with external service providers</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.4">
-            <title>Consistent Interests of Consumers and Providers</title>
-            <param id="sa-9.4_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="sa-9.4_prm_2">
-               <label>organization-defined external service providers</label>
-            </param>
-            <prop name="label">SA-9(4)</prop>
-            <prop name="sort-id">sa-09.04</prop>
-            <part id="sa-9.4_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-9.4_prm_1"/> to ensure that the
-                  interests of <insert param-id="sa-9.4_prm_2"/> are consistent with and reflect
-                  organizational interests.</p>
-            </part>
-            <part id="sa-9.4_gdn" name="guidance">
-               <p>As organizations increasingly use external service providers, the possibility
-                  exists that the interests of the service providers may diverge from organizational
-                  interests. In such situations, simply having the correct technical, procedural, or
-                  operational safeguards in place may not be sufficient if the service providers
-                  that implement and control those safeguards are not operating in a manner
-                  consistent with the interests of the consuming organizations. Possible actions
-                  that organizations might take to address such concerns include, for example,
-                  requiring background checks for selected service provider personnel, examining
-                  ownership records, employing only trustworthy service providers (i.e., providers
-                  with which organizations have had positive experiences), and conducting
-                  periodic/unscheduled visits to service provider facilities.</p>
-            </part>
-            <part id="sa-9.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.4_obj.1" name="objective">
-                  <prop name="label">SA-9(4)[1]</prop>
-                  <p>defines external service providers whose interests are to be consistent with
-                     and reflect organizational interests;</p>
-               </part>
-               <part id="sa-9.4_obj.2" name="objective">
-                  <prop name="label">SA-9(4)[2]</prop>
-                  <p>defines security safeguards to be employed to ensure that the interests of
-                     organization-defined external service providers are consistent with and reflect
-                     organizational interests; and</p>
-               </part>
-               <part id="sa-9.4_obj.3" name="objective">
-                  <prop name="label">SA-9(4)[3]</prop>
-                  <p>employs organization-defined security safeguards to ensure that the interests
-                     of organization-defined external service providers are consistent with and
-                     reflect organizational interests.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>organizational security requirements/safeguards for external service
-                     providers</p>
-                  <p>personnel security policies for external service providers</p>
-                  <p>assessments performed on external service providers</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing safeguards to ensure
-                     consistent interests with external service providers</p>
-                  <p>automated mechanisms supporting and/or implementing safeguards to ensure
-                     consistent interests with external service providers</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.5">
-            <title>Processing, Storage, and Service Location</title>
-            <param id="sa-9.5_prm_1">
-               <select how-many="one or more">
-                  <choice>information processing</choice>
-                  <choice>information/data</choice>
-                  <choice>information system services</choice>
-               </select>
-            </param>
-            <param id="sa-9.5_prm_2">
-               <label>organization-defined locations</label>
-            </param>
-            <param id="sa-9.5_prm_3">
-               <label>organization-defined requirements or conditions</label>
-            </param>
-            <prop name="label">SA-9(5)</prop>
-            <prop name="sort-id">sa-09.05</prop>
-            <part id="sa-9.5_smt" name="statement">
-               <p>The organization restricts the location of <insert param-id="sa-9.5_prm_1"/> to
-                     <insert param-id="sa-9.5_prm_2"/> based on <insert param-id="sa-9.5_prm_3"/>.</p>
-            </part>
-            <part id="sa-9.5_gdn" name="guidance">
-               <p>The location of information processing, information/data storage, or information
-                  system services that are critical to organizations can have a direct impact on the
-                  ability of those organizations to successfully execute their missions/business
-                  functions. This situation exists when external providers control the location of
-                  processing, storage or services. The criteria external providers use for the
-                  selection of processing, storage, or service locations may be different from
-                  organizational criteria. For example, organizations may want to ensure that
-                  data/information storage locations are restricted to certain locations to
-                  facilitate incident response activities (e.g., forensic analyses, after-the-fact
-                  investigations) in case of information security breaches/compromises. Such
-                  incident response activities may be adversely affected by the governing laws or
-                  protocols in the locations where processing and storage occur and/or the locations
-                  from which information system services emanate.</p>
-            </part>
-            <part id="sa-9.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-9.5_obj.1" name="objective">
-                  <prop name="label">SA-9(5)[1]</prop>
-                  <p>defines locations where organization-defined information processing,
-                     information/data, and/or information system services are to be restricted;</p>
-               </part>
-               <part id="sa-9.5_obj.2" name="objective">
-                  <prop name="label">SA-9(5)[2]</prop>
-                  <p>defines requirements or conditions to restrict the location of information
-                     processing, information/data, and/or information system services;</p>
-               </part>
-               <part id="sa-9.5_obj.3" name="objective">
-                  <prop name="label">SA-9(5)[3]</prop>
-                  <p>restricts the location of one or more of the following to organization-defined
-                     locations based on organization-defined requirements or conditions:</p>
-                  <part id="sa-9.5_obj.3.a" name="objective">
-                     <prop name="label">SA-9(5)[3][a]</prop>
-                     <p>information processing;</p>
-                  </part>
-                  <part id="sa-9.5_obj.3.b" name="objective">
-                     <prop name="label">SA-9(5)[3][b]</prop>
-                     <p>information/data; and/or</p>
-                  </part>
-                  <part id="sa-9.5_obj.3.c" name="objective">
-                     <prop name="label">SA-9(5)[3][c]</prop>
-                     <p>information services.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing external information system services</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>restricted locations for information processing</p>
-                  <p>information/data and/or information system services</p>
-                  <p>information processing, information/data, and/or information system services to
-                     be maintained in restricted locations</p>
-                  <p>organizational security requirements or conditions for external providers</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>external providers of information system services</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining requirements to restrict locations of
-                     information processing, information/data, or information services</p>
-                  <p>organizational processes for ensuring the location is restricted in accordance
-                     with requirements or conditions</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-10">
-         <title>Developer Configuration Management</title>
-         <param id="sa-10_prm_1">
-            <select how-many="one or more">
-               <choice>design</choice>
-               <choice>development</choice>
-               <choice>implementation</choice>
-               <choice>operation</choice>
-            </select>
-         </param>
-         <param id="sa-10_prm_2">
-            <label>organization-defined configuration items under configuration management</label>
-         </param>
-         <param id="sa-10_prm_3">
-            <label>organization-defined personnel</label>
-         </param>
-         <prop name="label">SA-10</prop>
-         <prop name="sort-id">sa-10</prop>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="sa-10_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to:</p>
-            <part id="sa-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Perform configuration management during system, component, or service <insert param-id="sa-10_prm_1"/>;</p>
-            </part>
-            <part id="sa-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Document, manage, and control the integrity of changes to <insert param-id="sa-10_prm_2"/>;</p>
-            </part>
-            <part id="sa-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Implement only organization-approved changes to the system, component, or
-                  service;</p>
-            </part>
-            <part id="sa-10_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Document approved changes to the system, component, or service and the potential
-                  security impacts of such changes; and</p>
-            </part>
-            <part id="sa-10_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Track security flaws and flaw resolution within the system, component, or service
-                  and report findings to <insert param-id="sa-10_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="sa-10_gdn" name="guidance">
-            <p>This control also applies to organizations conducting internal information systems
-               development and integration. Organizations consider the quality and completeness of
-               the configuration management activities conducted by developers as evidence of
-               applying effective security safeguards. Safeguards include, for example, protecting
-               from unauthorized modification or destruction, the master copies of all material used
-               to generate security-relevant portions of the system hardware, software, and
-               firmware. Maintaining the integrity of changes to the information system, information
-               system component, or information system service requires configuration control
-               throughout the system development life cycle to track authorized changes and prevent
-               unauthorized changes. Configuration items that are placed under configuration
-               management (if existence/use is required by other security controls) include: the
-               formal model; the functional, high-level, and low-level design specifications; other
-               design data; implementation documentation; source code and hardware schematics; the
-               running version of the object code; tools for comparing new versions of
-               security-relevant hardware descriptions and software/firmware source code with
-               previous versions; and test fixtures and documentation. Depending on the
-               mission/business needs of organizations and the nature of the contractual
-               relationships in place, developers may provide configuration management support
-               during the operations and maintenance phases of the life cycle.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="sa-10_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-10.a_obj" name="objective">
-               <prop name="label">SA-10(a)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to perform configuration management during one or more of the
-                  following:</p>
-               <part id="sa-10.a_obj.1" name="objective">
-                  <prop name="label">SA-10(a)[1]</prop>
-                  <p>system, component, or service design;</p>
-               </part>
-               <part id="sa-10.a_obj.2" name="objective">
-                  <prop name="label">SA-10(a)[2]</prop>
-                  <p>system, component, or service development;</p>
-               </part>
-               <part id="sa-10.a_obj.3" name="objective">
-                  <prop name="label">SA-10(a)[3]</prop>
-                  <p>system, component, or service implementation; and/or</p>
-               </part>
-               <part id="sa-10.a_obj.4" name="objective">
-                  <prop name="label">SA-10(a)[4]</prop>
-                  <p>system, component, or service operation;</p>
-               </part>
-            </part>
-            <part id="sa-10.b_obj" name="objective">
-               <prop name="label">SA-10(b)</prop>
-               <part id="sa-10.b_obj.1" name="objective">
-                  <prop name="label">SA-10(b)[1]</prop>
-                  <p>defines configuration items to be placed under configuration management;</p>
-               </part>
-               <part id="sa-10.b_obj.2" name="objective">
-                  <prop name="label">SA-10(b)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to:</p>
-                  <part id="sa-10.b_obj.2.a" name="objective">
-                     <prop name="label">SA-10(b)[2][a]</prop>
-                     <p>document the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-                  <part id="sa-10.b_obj.2.b" name="objective">
-                     <prop name="label">SA-10(b)[2][b]</prop>
-                     <p>manage the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-                  <part id="sa-10.b_obj.2.c" name="objective">
-                     <prop name="label">SA-10(b)[2][c]</prop>
-                     <p>control the integrity of changes to organization-defined items under
-                        configuration management;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-10.c_obj" name="objective">
-               <prop name="label">SA-10(c)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to implement only organization-approved changes to the system,
-                  component, or service;</p>
-            </part>
-            <part id="sa-10.d_obj" name="objective">
-               <prop name="label">SA-10(d)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to document:</p>
-               <part id="sa-10.d_obj.1" name="objective">
-                  <prop name="label">SA-10(d)[1]</prop>
-                  <p>approved changes to the system, component, or service;</p>
-               </part>
-               <part id="sa-10.d_obj.2" name="objective">
-                  <prop name="label">SA-10(d)[2]</prop>
-                  <p>the potential security impacts of such changes;</p>
-               </part>
-            </part>
-            <part id="sa-10.e_obj" name="objective">
-               <prop name="label">SA-10(e)</prop>
-               <part id="sa-10.e_obj.1" name="objective">
-                  <prop name="label">SA-10(e)[1]</prop>
-                  <p>defines personnel to whom findings, resulting from security flaws and flaw
-                     resolution tracked within the system, component, or service, are to be
-                     reported;</p>
-               </part>
-               <part id="sa-10.e_obj.2" name="objective">
-                  <prop name="label">SA-10(e)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to:</p>
-                  <part id="sa-10.e_obj.2.a" name="objective">
-                     <prop name="label">SA-10(e)[2][a]</prop>
-                     <p>track security flaws within the system, component, or service;</p>
-                  </part>
-                  <part id="sa-10.e_obj.2.b" name="objective">
-                     <prop name="label">SA-10(e)[2][b]</prop>
-                     <p>track security flaw resolution within the system, component, or service;
-                        and</p>
-                  </part>
-                  <part id="sa-10.e_obj.2.c" name="objective">
-                     <prop name="label">SA-10(e)[2][c]</prop>
-                     <p>report findings to organization-defined personnel.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing system developer configuration management</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>system developer configuration management plan</p>
-               <p>security flaw and flaw resolution tracking records</p>
-               <p>system change authorization records</p>
-               <p>change control records</p>
-               <p>configuration management records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with configuration management responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring developer configuration management</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                  configuration management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-10.1">
-            <title>Software / Firmware Integrity Verification</title>
-            <prop name="label">SA-10(1)</prop>
-            <prop name="sort-id">sa-10.01</prop>
-            <part id="sa-10.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to enable integrity verification of
-                  software and firmware components.</p>
-            </part>
-            <part id="sa-10.1_gdn" name="guidance">
-               <p>This control enhancement allows organizations to detect unauthorized changes to
-                  software and firmware components through the use of tools, techniques, and/or
-                  mechanisms provided by developers. Integrity checking mechanisms can also address
-                  counterfeiting of software and firmware components. Organizations verify the
-                  integrity of software and firmware components, for example, through secure one-way
-                  hashes provided by developers. Delivered software and firmware components also
-                  include any updates to such components.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="sa-10.1_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to enable integrity verification
-                  of software and firmware components.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer configuration management</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system</p>
-                  <p>system component, or information system service</p>
-                  <p>system developer configuration management plan</p>
-                  <p>software and firmware integrity verification records</p>
-                  <p>system change authorization records</p>
-                  <p>change control records</p>
-                  <p>configuration management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     configuration management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.2">
-            <title>Alternative Configuration Management Processes</title>
-            <prop name="label">SA-10(2)</prop>
-            <prop name="sort-id">sa-10.02</prop>
-            <part id="sa-10.2_smt" name="statement">
-               <p>The organization provides an alternate configuration management process using
-                  organizational personnel in the absence of a dedicated developer configuration
-                  management team.</p>
-            </part>
-            <part id="sa-10.2_gdn" name="guidance">
-               <p>Alternate configuration management processes may be required, for example, when
-                  organizations use commercial off-the-shelf (COTS) information technology products.
-                  Alternate configuration management processes include organizational personnel
-                  that: (i) are responsible for reviewing/approving proposed changes to information
-                  systems, system components, and information system services; and (ii) conduct
-                  security impact analyses prior to the implementation of any changes to systems,
-                  components, or services (e.g., a configuration control board that considers
-                  security impacts of changes during development and includes representatives of
-                  both the organization and the developer, when applicable).</p>
-            </part>
-            <part id="sa-10.2_obj" name="objective">
-               <p>Determine if the organization provides an alternative configuration management
-                  process with organizational personnel in the absence of a dedicated developer
-                  configuration management team.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer configuration management</p>
-                  <p>procedures addressing configuration management</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system</p>
-                  <p>system component, or information system service</p>
-                  <p>system developer configuration management plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     configuration management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.3">
-            <title>Hardware Integrity Verification</title>
-            <prop name="label">SA-10(3)</prop>
-            <prop name="sort-id">sa-10.03</prop>
-            <part id="sa-10.3_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to enable integrity verification of
-                  hardware components.</p>
-            </part>
-            <part id="sa-10.3_gdn" name="guidance">
-               <p>This control enhancement allows organizations to detect unauthorized changes to
-                  hardware components through the use of tools, techniques, and/or mechanisms
-                  provided by developers. Organizations verify the integrity of hardware components,
-                  for example, with hard-to-copy labels and verifiable serial numbers provided by
-                  developers, and by requiring the implementation of anti-tamper technologies.
-                  Delivered hardware components also include updates to such components.</p>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="sa-10.3_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to enable integrity verification
-                  of hardware components.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer configuration management</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer configuration management plan</p>
-                  <p>hardware integrity verification records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     configuration management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.4">
-            <title>Trusted Generation</title>
-            <prop name="label">SA-10(4)</prop>
-            <prop name="sort-id">sa-10.04</prop>
-            <part id="sa-10.4_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to employ tools for comparing newly
-                  generated versions of security-relevant hardware descriptions and
-                  software/firmware source and object code with previous versions.</p>
-            </part>
-            <part id="sa-10.4_gdn" name="guidance">
-               <p>This control enhancement addresses changes to hardware, software, and firmware
-                  components between versions during development. In contrast, SA-10 (1) and SA-10
-                  (3) allow organizations to detect unauthorized changes to hardware, software, and
-                  firmware components through the use of tools, techniques, and/or mechanisms
-                  provided by developers.</p>
-            </part>
-            <part id="sa-10.4_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to employ tools for comparing
-                  newly generated versions of:</p>
-               <part id="sa-10.4_obj.1" name="objective">
-                  <prop name="label">SA-10(4)[1]</prop>
-                  <p>security-relevant hardware descriptions with previous versions; and</p>
-               </part>
-               <part id="sa-10.4_obj.2" name="objective">
-                  <prop name="label">SA-10(4)[2]</prop>
-                  <p>software/firmware source and object code with previous versions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer configuration management</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer configuration management plan</p>
-                  <p>change control records</p>
-                  <p>configuration management records</p>
-                  <p>configuration control audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     configuration management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.5">
-            <title>Mapping Integrity for Version Control</title>
-            <prop name="label">SA-10(5)</prop>
-            <prop name="sort-id">sa-10.05</prop>
-            <part id="sa-10.5_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to maintain the integrity of the mapping
-                  between the master build data (hardware drawings and software/firmware code)
-                  describing the current version of security-relevant hardware, software, and
-                  firmware and the on-site master copy of the data for the current version.</p>
-            </part>
-            <part id="sa-10.5_gdn" name="guidance">
-               <p>This control enhancement addresses changes to hardware, software, and firmware
-                  components during initial development and during system life cycle updates.
-                  Maintaining the integrity between the master copies of security-relevant hardware,
-                  software, and firmware (including designs and source code) and the equivalent data
-                  in master copies on-site in operational environments is essential to ensure the
-                  availability of organizational information systems supporting critical missions
-                  and/or business functions.</p>
-            </part>
-            <part id="sa-10.5_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to maintain the integrity of the
-                  mapping between the master build data (hardware drawings and software/firmware
-                  code) describing the current version of security-relevant hardware, software, and
-                  firmware and the on-site master copy of the data for the current version.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer configuration management</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer configuration management plan</p>
-                  <p>change control records</p>
-                  <p>configuration management records</p>
-                  <p>version control change/update records</p>
-                  <p>integrity verification records between master copies of security-relevant
-                     hardware, software, and firmware (including designs and source code)</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     configuration management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.6">
-            <title>Trusted Distribution</title>
-            <prop name="label">SA-10(6)</prop>
-            <prop name="sort-id">sa-10.06</prop>
-            <part id="sa-10.6_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to execute procedures for ensuring that
-                  security-relevant hardware, software, and firmware updates distributed to the
-                  organization are exactly as specified by the master copies.</p>
-            </part>
-            <part id="sa-10.6_gdn" name="guidance">
-               <p>The trusted distribution of security-relevant hardware, software, and firmware
-                  updates helps to ensure that such updates are faithful representations of the
-                  master copies maintained by the developer and have not been tampered with during
-                  distribution.</p>
-            </part>
-            <part id="sa-10.6_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to execute procedures for ensuring
-                  that security-relevant hardware, software, and firmware updates distributed to the
-                  organization are exactly as specified by the master copies.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer configuration management</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system</p>
-                  <p>system component, or information system service</p>
-                  <p>system developer configuration management plan</p>
-                  <p>change control records</p>
-                  <p>configuration management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     configuration management</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-11">
-         <title>Developer Security Testing and Evaluation</title>
-         <param id="sa-11_prm_1">
-            <select how-many="one or more">
-               <choice>unit</choice>
-               <choice>integration</choice>
-               <choice>system</choice>
-               <choice>regression</choice>
-            </select>
-         </param>
-         <param id="sa-11_prm_2">
-            <label>organization-defined depth and coverage</label>
-         </param>
-         <prop name="label">SA-11</prop>
-         <prop name="sort-id">sa-11</prop>
-         <link href="#1737a687-52fb-4008-b900-cbfa836f7b65" rel="reference">ISO/IEC 15408</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#275cc052-0f7f-423c-bdb6-ed503dc36228" rel="reference">http://nvd.nist.gov</link>
-         <link href="#15522e92-9192-463d-9646-6a01982db8ca" rel="reference">http://cwe.mitre.org</link>
-         <link href="#0931209f-00ae-4132-b92c-bc645847e8f9" rel="reference">http://cve.mitre.org</link>
-         <link href="#4ef539ba-b767-4666-b0d3-168c53005fa3" rel="reference">http://capec.mitre.org</link>
-         <part id="sa-11_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to:</p>
-            <part id="sa-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Create and implement a security assessment plan;</p>
-            </part>
-            <part id="sa-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Perform <insert param-id="sa-11_prm_1"/> testing/evaluation at <insert param-id="sa-11_prm_2"/>;</p>
-            </part>
-            <part id="sa-11_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Produce evidence of the execution of the security assessment plan and the results
-                  of the security testing/evaluation;</p>
-            </part>
-            <part id="sa-11_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implement a verifiable flaw remediation process; and</p>
-            </part>
-            <part id="sa-11_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Correct flaws identified during security testing/evaluation.</p>
-            </part>
-         </part>
-         <part id="sa-11_gdn" name="guidance">
-            <p>Developmental security testing/evaluation occurs at all post-design phases of the
-               system development life cycle. Such testing/evaluation confirms that the required
-               security controls are implemented correctly, operating as intended, enforcing the
-               desired security policy, and meeting established security requirements. Security
-               properties of information systems may be affected by the interconnection of system
-               components or changes to those components. These interconnections or changes (e.g.,
-               upgrading or replacing applications and operating systems) may adversely affect
-               previously implemented security controls. This control provides additional types of
-               security testing/evaluation that developers can conduct to reduce or eliminate
-               potential flaws. Testing custom software applications may require approaches such as
-               static analysis, dynamic analysis, binary analysis, or a hybrid of the three
-               approaches. Developers can employ these analysis approaches in a variety of tools
-               (e.g., web-based application scanners, static analysis tools, binary analyzers) and
-               in source code reviews. Security assessment plans provide the specific activities
-               that developers plan to carry out including the types of analyses, testing,
-               evaluation, and reviews of software and firmware components, the degree of rigor to
-               be applied, and the types of artifacts produced during those processes. The depth of
-               security testing/evaluation refers to the rigor and level of detail associated with
-               the assessment process (e.g., black box, gray box, or white box testing). The
-               coverage of security testing/evaluation refers to the scope (i.e., number and type)
-               of the artifacts included in the assessment process. Contracts specify the acceptance
-               criteria for security assessment plans, flaw remediation processes, and the evidence
-               that the plans/processes have been diligently applied. Methods for reviewing and
-               protecting assessment plans, evidence, and documentation are commensurate with the
-               security category or classification level of the information system. Contracts may
-               specify documentation protection requirements.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="sa-11_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-11.a_obj" name="objective">
-               <prop name="label">SA-11(a)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to create and implement a security plan;</p>
-            </part>
-            <part id="sa-11.b_obj" name="objective">
-               <prop name="label">SA-11(b)</prop>
-               <part id="sa-11.b_obj.1" name="objective">
-                  <prop name="label">SA-11(b)[1]</prop>
-                  <p>defines the depth of testing/evaluation to be performed by the developer of the
-                     information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-11.b_obj.2" name="objective">
-                  <prop name="label">SA-11(b)[2]</prop>
-                  <p>defines the coverage of testing/evaluation to be performed by the developer of
-                     the information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-11.b_obj.3" name="objective">
-                  <prop name="label">SA-11(b)[3]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to perform one or more of the following
-                     testing/evaluation at the organization-defined depth and coverage:</p>
-                  <part id="sa-11.b_obj.3.a" name="objective">
-                     <prop name="label">SA-11(b)[3][a]</prop>
-                     <p>unit testing/evaluation;</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.b" name="objective">
-                     <prop name="label">SA-11(b)[3][b]</prop>
-                     <p>integration testing/evaluation;</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.c" name="objective">
-                     <prop name="label">SA-11(b)[3][c]</prop>
-                     <p>system testing/evaluation; and/or</p>
-                  </part>
-                  <part id="sa-11.b_obj.3.d" name="objective">
-                     <prop name="label">SA-11(b)[3][d]</prop>
-                     <p>regression testing/evaluation;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-11.c_obj" name="objective">
-               <prop name="label">SA-11(c)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to produce evidence of:</p>
-               <part id="sa-11.c_obj.1" name="objective">
-                  <prop name="label">SA-11(c)[1]</prop>
-                  <p>the execution of the security assessment plan;</p>
-               </part>
-               <part id="sa-11.c_obj.2" name="objective">
-                  <prop name="label">SA-11(c)[2]</prop>
-                  <p>the results of the security testing/evaluation;</p>
-               </part>
-            </part>
-            <part id="sa-11.d_obj" name="objective">
-               <prop name="label">SA-11(d)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to implement a verifiable flaw remediation process; and</p>
-            </part>
-            <part id="sa-11.e_obj" name="objective">
-               <prop name="label">SA-11(e)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to correct flaws identified during security testing/evaluation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing system developer security testing</p>
-               <p>procedures addressing flaw remediation</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>system developer security test plans</p>
-               <p>records of developer security testing results for the information system, system
-                  component, or information system service</p>
-               <p>security flaw and remediation tracking records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with developer security testing responsibilities</p>
-               <p>system developers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for monitoring developer security testing and
-                  evaluation</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                  security testing and evaluation</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-11.1">
-            <title>Static Code Analysis</title>
-            <prop name="label">SA-11(1)</prop>
-            <prop name="sort-id">sa-11.01</prop>
-            <part id="sa-11.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to employ static code analysis tools to
-                  identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part id="sa-11.1_gdn" name="guidance">
-               <p>Static code analysis provides a technology and methodology for security reviews.
-                  Such analysis can be used to identify security vulnerabilities and enforce
-                  security coding practices. Static code analysis is most effective when used early
-                  in the development process, when each code change can be automatically scanned for
-                  potential weaknesses. Static analysis can provide clear remediation guidance along
-                  with defects to enable developers to fix such defects. Evidence of correct
-                  implementation of static analysis can include, for example, aggregate defect
-                  density for critical defect types, evidence that defects were inspected by
-                  developers or security professionals, and evidence that defects were fixed. An
-                  excessively high density of ignored findings (commonly referred to as ignored or
-                  false positives) indicates a potential problem with the analysis process or tool.
-                  In such cases, organizations weigh the validity of the evidence against evidence
-                  from other sources.</p>
-            </part>
-            <part id="sa-11.1_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to employ static code analysis
-                  tools to identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test plans</p>
-                  <p>system developer security testing results</p>
-                  <p>security flaw and remediation tracking records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-                  <p>static code analysis tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.2">
-            <title>Threat and Vulnerability Analyses</title>
-            <prop name="label">SA-11(2)</prop>
-            <prop name="sort-id">sa-11.02</prop>
-            <part id="sa-11.2_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to perform threat and vulnerability
-                  analyses and subsequent testing/evaluation of the as-built system, component, or
-                  service.</p>
-            </part>
-            <part id="sa-11.2_gdn" name="guidance">
-               <p>Applications may deviate significantly from the functional and design
-                  specifications created during the requirements and design phases of the system
-                  development life cycle. Therefore, threat and vulnerability analyses of
-                  information systems, system components, and information system services prior to
-                  delivery are critical to the effective operation of those systems, components, and
-                  services. Threat and vulnerability analyses at this phase of the life cycle help
-                  to ensure that design or implementation changes have been accounted for, and that
-                  any new vulnerabilities created as a result of those changes have been reviewed
-                  and mitigated.</p>
-               <link rel="related" href="#pm-15">PM-15</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="sa-11.2_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to perform:</p>
-               <part id="sa-11.2_obj.1" name="objective">
-                  <prop name="label">SA-11(2)[1]</prop>
-                  <p>threat analyses of the as-built, system component, or service;</p>
-               </part>
-               <part id="sa-11.2_obj.2" name="objective">
-                  <prop name="label">SA-11(2)[2]</prop>
-                  <p>vulnerability analyses of the as-built, system component, or service; and</p>
-               </part>
-               <part id="sa-11.2_obj.3" name="objective">
-                  <prop name="label">SA-11(2)[3]</prop>
-                  <p>subsequent testing/evaluation of the as-built, system component, or
-                     service.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test plans</p>
-                  <p>records of developer security testing results for the information system,
-                     system component, or information system service</p>
-                  <p>vulnerability scanning results</p>
-                  <p>information system risk assessment reports</p>
-                  <p>threat and vulnerability analysis reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.3">
-            <title>Independent Verification of Assessment Plans / Evidence</title>
-            <param id="sa-11.3_prm_1">
-               <label>organization-defined independence criteria</label>
-            </param>
-            <prop name="label">SA-11(3)</prop>
-            <prop name="sort-id">sa-11.03</prop>
-            <part id="sa-11.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sa-11.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Requires an independent agent satisfying <insert param-id="sa-11.3_prm_1"/> to
-                     verify the correct implementation of the developer security assessment plan and
-                     the evidence produced during security testing/evaluation; and</p>
-               </part>
-               <part id="sa-11.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Ensures that the independent agent is either provided with sufficient
-                     information to complete the verification process or granted the authority to
-                     obtain such information.</p>
-               </part>
-            </part>
-            <part id="sa-11.3_gdn" name="guidance">
-               <p>Independent agents have the necessary qualifications (i.e., expertise, skills,
-                  training, and experience) to verify the correct implementation of developer
-                  security assessment plans.</p>
-               <link rel="related" href="#at-3">AT-3</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-               <link rel="related" href="#sa-12">SA-12</link>
-            </part>
-            <part id="sa-11.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-11.3.a_obj" name="objective">
-                  <prop name="label">SA-11(3)(a)</prop>
-                  <part id="sa-11.3.a_obj.1" name="objective">
-                     <prop name="label">SA-11(3)(a)[1]</prop>
-                     <p>defines independence criteria that an independent agent is required to
-                        satisfy;</p>
-                  </part>
-                  <part id="sa-11.3.a_obj.2" name="objective">
-                     <prop name="label">SA-11(3)(a)[2]</prop>
-                     <p>requires an independent agent satisfying organization-defined independence
-                        criteria to verify:</p>
-                     <part id="sa-11.3.a_obj.2.a" name="objective">
-                        <prop name="label">SA-11(3)(a)[2][a]</prop>
-                        <p>the correct implementation of the developer security assessment plan;</p>
-                     </part>
-                     <part id="sa-11.3.a_obj.2.b" name="objective">
-                        <prop name="label">SA-11(3)(a)[2][b]</prop>
-                        <p>the evidence produced during security testing/evaluation;</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#sa-11.3_smt.a">SA-11(3)(a)</link>
-               </part>
-               <part id="sa-11.3.b_obj" name="objective">
-                  <prop name="label">SA-11(3)(b)</prop>
-                  <p>ensures that the independent agent is either:</p>
-                  <part id="sa-11.3.b_obj.1" name="objective">
-                     <prop name="label">SA-11(3)(b)[1]</prop>
-                     <p>provided with sufficient information to complete the verification process;
-                        or</p>
-                  </part>
-                  <part id="sa-11.3.b_obj.2" name="objective">
-                     <prop name="label">SA-11(3)(b)[2]</prop>
-                     <p>granted the authority to obtain such information.</p>
-                  </part>
-                  <link rel="corresp" href="#sa-11.3_smt.b">SA-11(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>independent verification and validation reports</p>
-                  <p>security test and evaluation plans</p>
-                  <p>security test and evaluation results for the information system, system
-                     component, or information system service</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>system developers</p>
-                  <p>independent verification agent</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.4">
-            <title>Manual Code Reviews</title>
-            <param id="sa-11.4_prm_1">
-               <label>organization-defined specific code</label>
-            </param>
-            <param id="sa-11.4_prm_2">
-               <label>organization-defined processes, procedures, and/or techniques</label>
-            </param>
-            <prop name="label">SA-11(4)</prop>
-            <prop name="sort-id">sa-11.04</prop>
-            <part id="sa-11.4_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to perform a manual code review of
-                     <insert param-id="sa-11.4_prm_1"/> using <insert param-id="sa-11.4_prm_2"/>.</p>
-            </part>
-            <part id="sa-11.4_gdn" name="guidance">
-               <p>Manual code reviews are usually reserved for the critical software and firmware
-                  components of information systems. Such code reviews are uniquely effective at
-                  identifying weaknesses that require knowledge of the application’s requirements or
-                  context which are generally unavailable to more automated analytic tools and
-                  techniques such as static or dynamic analysis. Components benefiting from manual
-                  review include for example, verifying access control matrices against application
-                  controls and reviewing more detailed aspects of cryptographic implementations and
-                  controls.</p>
-            </part>
-            <part id="sa-11.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-11.4_obj.1" name="objective">
-                  <prop name="label">SA-11(4)[1]</prop>
-                  <p>defines specific code for which the developer of the information system, system
-                     component, or information system service is required to perform a manual code
-                     review;</p>
-               </part>
-               <part id="sa-11.4_obj.2" name="objective">
-                  <prop name="label">SA-11(4)[2]</prop>
-                  <p>defines processes, procedures, and/or techniques to be used when the developer
-                     performs a manual code review of organization-defined specific code; and</p>
-               </part>
-               <part id="sa-11.4_obj.3" name="objective">
-                  <prop name="label">SA-11(4)[3]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to perform a manual code review of
-                     organization-defined specific code using organization-defined processes,
-                     procedures, and/or techniques.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>processes, procedures, and/or techniques for performing manual code reviews</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security testing and evaluation plans</p>
-                  <p>system developer security testing and evaluation results</p>
-                  <p>list of code requiring manual reviews</p>
-                  <p>records of manual code reviews</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>system developers</p>
-                  <p>independent verification agent</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.5">
-            <title>Penetration Testing</title>
-            <param id="sa-11.5_prm_1">
-               <label>organization-defined breadth/depth</label>
-            </param>
-            <param id="sa-11.5_prm_2">
-               <label>organization-defined constraints</label>
-            </param>
-            <prop name="label">SA-11(5)</prop>
-            <prop name="sort-id">sa-11.05</prop>
-            <part id="sa-11.5_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to perform penetration testing at <insert param-id="sa-11.5_prm_1"/> and with <insert param-id="sa-11.5_prm_2"/>.</p>
-            </part>
-            <part id="sa-11.5_gdn" name="guidance">
-               <p>Penetration testing is an assessment methodology in which assessors, using all
-                  available information technology product and/or information system documentation
-                  (e.g., product/system design specifications, source code, and
-                  administrator/operator manuals) and working under specific constraints, attempt to
-                  circumvent implemented security features of information technology products and
-                  information systems. Penetration testing can include, for example, white, gray, or
-                  black box testing with analyses performed by skilled security professionals
-                  simulating adversary actions. The objective of penetration testing is to uncover
-                  potential vulnerabilities in information technology products and information
-                  systems resulting from implementation errors, configuration faults, or other
-                  operational deployment weaknesses or deficiencies. Penetration tests can be
-                  performed in conjunction with automated and manual code reviews to provide greater
-                  levels of analysis than would ordinarily be possible.</p>
-            </part>
-            <part id="sa-11.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-11.5_obj.1" name="objective">
-                  <prop name="label">SA-11(5)[1]</prop>
-                  <p>defines for the developer of the information system, system component, or
-                     information system service:</p>
-                  <part id="sa-11.5_obj.1.a" name="objective">
-                     <prop name="label">SA-11(5)[1][a]</prop>
-                     <p>the breadth of penetration testing to be performed by the developer;</p>
-                  </part>
-                  <part id="sa-11.5_obj.1.b" name="objective">
-                     <prop name="label">SA-11(5)[1][b]</prop>
-                     <p>the depth of penetration testing to be performed by the developer;</p>
-                  </part>
-               </part>
-               <part id="sa-11.5_obj.2" name="objective">
-                  <prop name="label">SA-11(5)[2]</prop>
-                  <p>defines constraints under which the developer is to perform penetration
-                     testing; and</p>
-               </part>
-               <part id="sa-11.5_obj.3" name="objective">
-                  <prop name="label">SA-11(5)[3]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to perform penetration testing at
-                     organization-defined breadth/depth and with organization-defined
-                     constraints.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer penetration testing and evaluation plans</p>
-                  <p>system developer penetration testing and evaluation results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>system developers</p>
-                  <p>independent verification agent</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.6">
-            <title>Attack Surface Reviews</title>
-            <prop name="label">SA-11(6)</prop>
-            <prop name="sort-id">sa-11.06</prop>
-            <part id="sa-11.6_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to perform attack surface reviews.</p>
-            </part>
-            <part id="sa-11.6_gdn" name="guidance">
-               <p>Attack surfaces of information systems are exposed areas that make those systems
-                  more vulnerable to cyber attacks. This includes any accessible areas where
-                  weaknesses or deficiencies in information systems (including the hardware,
-                  software, and firmware components) provide opportunities for adversaries to
-                  exploit vulnerabilities. Attack surface reviews ensure that developers: (i)
-                  analyze both design and implementation changes to information systems; and (ii)
-                  mitigate attack vectors generated as a result of the changes. Correction of
-                  identified flaws includes, for example, deprecation of unsafe functions.</p>
-            </part>
-            <part id="sa-11.6_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to perform attack surface
-                  reviews.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security testing and evaluation plans</p>
-                  <p>system developer security testing and evaluation results</p>
-                  <p>records of attack surface reviews</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.7">
-            <title>Verify Scope of Testing / Evaluation</title>
-            <param id="sa-11.7_prm_1">
-               <label>organization-defined depth of testing/evaluation</label>
-            </param>
-            <prop name="label">SA-11(7)</prop>
-            <prop name="sort-id">sa-11.07</prop>
-            <part id="sa-11.7_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to verify that the scope of security
-                  testing/evaluation provides complete coverage of required security controls at
-                     <insert param-id="sa-11.7_prm_1"/>.</p>
-            </part>
-            <part id="sa-11.7_gdn" name="guidance">
-               <p>Verifying that security testing/evaluation provides complete coverage of required
-                  security controls can be accomplished by a variety of analytic techniques ranging
-                  from informal to formal. Each of these techniques provides an increasing level of
-                  assurance corresponding to the degree of formality of the analysis. Rigorously
-                  demonstrating security control coverage at the highest levels of assurance can be
-                  provided by the use of formal modeling and analysis techniques including
-                  correlation between control implementation and corresponding test cases.</p>
-            </part>
-            <part id="sa-11.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-11.7_obj.1" name="objective">
-                  <prop name="label">SA-11(7)[1]</prop>
-                  <p>defines the depth of testing/evaluation to ensure the scope of security/testing
-                     evaluation provides complete coverage of required security controls; and</p>
-               </part>
-               <part id="sa-11.7_obj.2" name="objective">
-                  <prop name="label">SA-11(7)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to verify that the scope of security
-                     testing/evaluation provides complete coverage of required security controls at
-                     the organization-defined depth of testing/evaluation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security testing and evaluation plans</p>
-                  <p>system developer security testing and evaluation results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>system developers</p>
-                  <p>independent verification agent</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.8">
-            <title>Dynamic Code Analysis</title>
-            <prop name="label">SA-11(8)</prop>
-            <prop name="sort-id">sa-11.08</prop>
-            <part id="sa-11.8_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to employ dynamic code analysis tools to
-                  identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part id="sa-11.8_gdn" name="guidance">
-               <p>Dynamic code analysis provides run-time verification of software programs, using
-                  tools capable of monitoring programs for memory corruption, user privilege issues,
-                  and other potential security problems. Dynamic code analysis employs run-time
-                  tools to help to ensure that security functionality performs in the manner in
-                  which it was designed. A specialized type of dynamic analysis, known as fuzz
-                  testing, induces program failures by deliberately introducing malformed or random
-                  data into software programs. Fuzz testing strategies derive from the intended use
-                  of applications and the functional and design specifications for the applications.
-                  To understand the scope of dynamic code analysis and hence the assurance provided,
-                  organizations may also consider conducting code coverage analysis (checking the
-                  degree to which the code has been tested using metrics such as percent of
-                  subroutines tested or percent of program statements called during execution of the
-                  test suite) and/or concordance analysis (checking for words that are out of place
-                  in software code such as non-English language words or derogatory terms).</p>
-            </part>
-            <part id="sa-11.8_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to employ dynamic code analysis
-                  tools to identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing system developer security testing</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>system developer security test and evaluation plans</p>
-                  <p>security test and evaluation results</p>
-                  <p>security flaw and remediation tracking reports</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with developer security testing responsibilities</p>
-                  <p>organizational personnel with configuration management responsibilities</p>
-                  <p>system developers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for monitoring developer security testing and
-                     evaluation</p>
-                  <p>automated mechanisms supporting and/or implementing the monitoring of developer
-                     security testing and evaluation</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-12">
-         <title>Supply Chain Protection</title>
-         <param id="sa-12_prm_1">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SA-12</prop>
-         <prop name="sort-id">sa-12</prop>
-         <link href="#8ab6bcdc-339b-4068-b45e-994814a6e187" rel="reference">NIST Special Publication 800-161</link>
-         <link href="#bdd2f49e-edf7-491f-a178-4487898228f3" rel="reference">NIST Interagency Report 7622</link>
-         <part id="sa-12_smt" name="statement">
-            <p>The organization protects against supply chain threats to the information system,
-               system component, or information system service by employing <insert param-id="sa-12_prm_1"/> as part of a comprehensive, defense-in-breadth
-               information security strategy.</p>
-         </part>
-         <part id="sa-12_gdn" name="guidance">
-            <p>Information systems (including system components that compose those systems) need to
-               be protected throughout the system development life cycle (i.e., during design,
-               development, manufacturing, packaging, assembly, distribution, system integration,
-               operations, maintenance, and retirement). Protection of organizational information
-               systems is accomplished through threat awareness, by the identification, management,
-               and reduction of vulnerabilities at each phase of the life cycle and the use of
-               complementary, mutually reinforcing strategies to respond to risk. Organizations
-               consider implementing a standardized process to address supply chain risk with
-               respect to information systems and system components, and to educate the acquisition
-               workforce on threats, risk, and required security controls. Organizations use the
-               acquisition/procurement processes to require supply chain entities to implement
-               necessary security safeguards to: (i) reduce the likelihood of unauthorized
-               modifications at each stage in the supply chain; and (ii) protect information systems
-               and information system components, prior to taking delivery of such
-               systems/components. This control also applies to information system services.
-               Security safeguards include, for example: (i) security controls for development
-               systems, development facilities, and external connections to development systems;
-               (ii) vetting development personnel; and (iii) use of tamper-evident packaging during
-               shipping/warehousing. Methods for reviewing and protecting development plans,
-               evidence, and documentation are commensurate with the security category or
-               classification level of the information system. Contracts may specify documentation
-               protection requirements.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#pl-8">PL-8</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sa-14">SA-14</link>
-            <link rel="related" href="#sa-15">SA-15</link>
-            <link rel="related" href="#sa-18">SA-18</link>
-            <link rel="related" href="#sa-19">SA-19</link>
-            <link rel="related" href="#sc-29">SC-29</link>
-            <link rel="related" href="#sc-30">SC-30</link>
-            <link rel="related" href="#sc-38">SC-38</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sa-12_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-12_obj.1" name="objective">
-               <prop name="label">SA-12[1]</prop>
-               <p>defines security safeguards to be employed to protect against supply chain threats
-                  to the information system, system component, or information system service;
-                  and</p>
-            </part>
-            <part id="sa-12_obj.2" name="objective">
-               <prop name="label">SA-12[2]</prop>
-               <p>protects against supply chain threats to the information system, system component,
-                  or information system service by employing organization-defined security
-                  safeguards as part of a comprehensive, defense-in-breadth information security
-                  strategy.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing supply chain protection</p>
-               <p>procedures addressing the integration of information security requirements into
-                  the acquisition process</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>list of supply chain threats</p>
-               <p>list of security safeguards to be taken against supply chain threats</p>
-               <p>system development life cycle documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with supply chain protection responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining safeguards for and protecting against supply
-                  chain threats</p>
-               <p>automated mechanisms supporting and/or implementing safeguards for supply chain
-                  threats</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-12.1">
-            <title>Acquisition Strategies / Tools / Methods</title>
-            <param id="sa-12.1_prm_1">
-               <label>organization-defined tailored acquisition strategies, contract tools, and
-                  procurement methods</label>
-            </param>
-            <prop name="label">SA-12(1)</prop>
-            <prop name="sort-id">sa-12.01</prop>
-            <part id="sa-12.1_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-12.1_prm_1"/> for the purchase of
-                  the information system, system component, or information system service from
-                  suppliers.</p>
-            </part>
-            <part id="sa-12.1_gdn" name="guidance">
-               <p>The use of acquisition and procurement processes by organizations early in the
-                  system development life cycle provides an important vehicle to protect the supply
-                  chain. Organizations use available all-source intelligence analysis to inform the
-                  tailoring of acquisition strategies, tools, and methods. There are a number of
-                  different tools and techniques available (e.g., obscuring the end use of an
-                  information system or system component, using blind or filtered buys).
-                  Organizations also consider creating incentives for suppliers who: (i) implement
-                  required security safeguards; (ii) promote transparency into their organizational
-                  processes and security practices; (iii) provide additional vetting of the
-                  processes and security practices of subordinate suppliers, critical information
-                  system components, and services; (iv) restrict purchases from specific suppliers
-                  or countries; and (v) provide contract language regarding the prohibition of
-                  tainted or counterfeit components. In addition, organizations consider minimizing
-                  the time between purchase decisions and required delivery to limit opportunities
-                  for adversaries to corrupt information system components or products. Finally,
-                  organizations can use trusted/controlled distribution, delivery, and warehousing
-                  options to reduce supply chain risk (e.g., requiring tamper-evident packaging of
-                  information system components during shipping and warehousing).</p>
-               <link rel="related" href="#sa-19">SA-19</link>
-            </part>
-            <part id="sa-12.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-12.1_obj.1" name="objective">
-                  <prop name="label">SA-12(1)[1]</prop>
-                  <p>defines the following to be employed for the purchase of the information
-                     system, system component, or information system service from suppliers:</p>
-                  <part id="sa-12.1_obj.1.a" name="objective">
-                     <prop name="label">SA-12(1)[1][a]</prop>
-                     <p>tailored acquisition strategies;</p>
-                  </part>
-                  <part id="sa-12.1_obj.1.b" name="objective">
-                     <prop name="label">SA-12(1)[1][b]</prop>
-                     <p>contract tools;</p>
-                  </part>
-                  <part id="sa-12.1_obj.1.c" name="objective">
-                     <prop name="label">SA-12(1)[1][c]</prop>
-                     <p>procurement methods; and</p>
-                  </part>
-               </part>
-               <part id="sa-12.1_obj.2" name="objective">
-                  <prop name="label">SA-12(1)[2]</prop>
-                  <p>employs organization-defined tailored acquisition strategies, contract tools,
-                     and procurement methods for the purchase of the information system, system
-                     component, or information system service from suppliers.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>procedures addressing the integration of information security requirements into
-                     the acquisition process</p>
-                  <p>procedures addressing the integration of acquisition strategies, contract
-                     tools, and procure methods into the acquisition process</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for information systems or services</p>
-                  <p>purchase orders/requisitions for the information system</p>
-                  <p>system component</p>
-                  <p>or information system service from suppliers</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing tailored acquisition
-                     strategies, contract tools, and procurement methods</p>
-                  <p>automated mechanisms supporting and/or implementing the definition and
-                     employment of tailored acquisition strategies, contract tools, and procurement
-                     methods</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.2">
-            <title>Supplier Reviews</title>
-            <prop name="label">SA-12(2)</prop>
-            <prop name="sort-id">sa-12.02</prop>
-            <part id="sa-12.2_smt" name="statement">
-               <p>The organization conducts a supplier review prior to entering into a contractual
-                  agreement to acquire the information system, system component, or information
-                  system service.</p>
-            </part>
-            <part id="sa-12.2_gdn" name="guidance">
-               <p>Supplier reviews include, for example: (i) analysis of supplier processes used to
-                  design, develop, test, implement, verify, deliver, and support information
-                  systems, system components, and information system services; and (ii) assessment
-                  of supplier training and experience in developing systems, components, or services
-                  with the required security capability. These reviews provide organizations with
-                  increased levels of visibility into supplier activities during the system
-                  development life cycle to promote more effective supply chain risk management.
-                  Supplier reviews can also help to determine whether primary suppliers have
-                  security safeguards in place and a practice for vetting subordinate suppliers, for
-                  example, second- and third-tier suppliers, and any subcontractors.</p>
-            </part>
-            <part id="sa-12.2_obj" name="objective">
-               <p>Determine if the organization conducts a supplier review prior to entering into a
-                  contractual agreement to acquire the information system, system component, or
-                  information system service.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>procedures addressing the integration of information security requirements into
-                     the acquisition process</p>
-                  <p>records of supplier due diligence reviews</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting supplier reviews</p>
-                  <p>automated mechanisms supporting and/or implementing supplier reviews</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.3">
-            <title>Trusted Shipping and Warehousing</title>
-            <prop name="label">SA-12(3)</prop>
-            <prop name="sort-id">sa-12.03</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-12.1">SA-12 (1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.4">
-            <title>Diversity of Suppliers</title>
-            <prop name="label">SA-12(4)</prop>
-            <prop name="sort-id">sa-12.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-12.13">SA-12 (13)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.5">
-            <title>Limitation of Harm</title>
-            <param id="sa-12.5_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">SA-12(5)</prop>
-            <prop name="sort-id">sa-12.05</prop>
-            <part id="sa-12.5_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-12.5_prm_1"/> to limit harm from
-                  potential adversaries identifying and targeting the organizational supply
-                  chain.</p>
-            </part>
-            <part id="sa-12.5_gdn" name="guidance">
-               <p>Supply chain risk is part of the advanced persistent threat (APT). Security
-                  safeguards and countermeasures to reduce the probability of adversaries
-                  successfully identifying and targeting the supply chain include, for example: (i)
-                  avoiding the purchase of custom configurations to reduce the risk of acquiring
-                  information systems, components, or products that have been corrupted via supply
-                  chain actions targeted at specific organizations; (ii) employing a diverse set of
-                  suppliers to limit the potential harm from any given supplier in the supply chain;
-                  (iii) employing approved vendor lists with standing reputations in industry, and
-                  (iv) using procurement carve outs (i.e., exclusions to commitments or
-                  obligations).</p>
-            </part>
-            <part id="sa-12.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-12.5_obj.1" name="objective">
-                  <prop name="label">SA-12(5)[1]</prop>
-                  <p>defines security safeguards to be employed to limit harm from potential
-                     adversaries identifying and targeting the organizational supply chain; and</p>
-               </part>
-               <part id="sa-12.5_obj.2" name="objective">
-                  <prop name="label">SA-12(5)[2]</prop>
-                  <p>employs organization-defined security safeguards to limit harm from potential
-                     adversaries identifying and targeting the organizational supply chain.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>configuration management policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>procedures addressing the integration of information security requirements into
-                     the acquisition process</p>
-                  <p>procedures addressing the baseline configuration of the information system</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture and associated configuration documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>list of security safeguards to be taken to protect organizational supply chain
-                     against potential supply chain threats</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing safeguards to limit harm
-                     from adversaries of the organizational supply chain</p>
-                  <p>automated mechanisms supporting and/or implementing the definition and
-                     employment of safeguards to protect the organizational supply chain</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.6">
-            <title>Minimizing Procurement Time</title>
-            <prop name="label">SA-12(6)</prop>
-            <prop name="sort-id">sa-12.06</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-12.1">SA-12 (1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.7">
-            <title>Assessments Prior to Selection / Acceptance / Update</title>
-            <prop name="label">SA-12(7)</prop>
-            <prop name="sort-id">sa-12.07</prop>
-            <part id="sa-12.7_smt" name="statement">
-               <p>The organization conducts an assessment of the information system, system
-                  component, or information system service prior to selection, acceptance, or
-                  update.</p>
-            </part>
-            <part id="sa-12.7_gdn" name="guidance">
-               <p>Assessments include, for example, testing, evaluations, reviews, and analyses.
-                  Independent, third-party entities or organizational personnel conduct assessments
-                  of systems, components, products, tools, and services. Organizations conduct
-                  assessments to uncover unintentional vulnerabilities and intentional
-                  vulnerabilities including, for example, malicious code, malicious processes,
-                  defective software, and counterfeits. Assessments can include, for example, static
-                  analyses, dynamic analyses, simulations, white, gray, and black box testing, fuzz
-                  testing, penetration testing, and ensuring that components or services are genuine
-                  (e.g., using tags, cryptographic hash verifications, or digital signatures).
-                  Evidence generated during security assessments is documented for follow-on actions
-                  carried out by organizations.</p>
-               <link rel="related" href="#ca-2">CA-2</link>
-               <link rel="related" href="#sa-11">SA-11</link>
-            </part>
-            <part id="sa-12.7_obj" name="objective">
-               <p>Determine if the organization conducts an assessment of the information system,
-                  system component, or information system service prior to:</p>
-               <part id="sa-12.7_obj.1" name="objective">
-                  <prop name="label">SA-12(7)[1]</prop>
-                  <p>selection;</p>
-               </part>
-               <part id="sa-12.7_obj.2" name="objective">
-                  <prop name="label">SA-12(7)[2]</prop>
-                  <p>acceptance; or</p>
-               </part>
-               <part id="sa-12.7_obj.3" name="objective">
-                  <prop name="label">SA-12(7)[3]</prop>
-                  <p>update.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>procedures addressing the integration of information security requirements into
-                     the acquisition process</p>
-                  <p>security test and evaluation results</p>
-                  <p>vulnerability assessment results</p>
-                  <p>penetration testing results</p>
-                  <p>organizational risk assessment results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for conducting assessments prior to selection,
-                     acceptance, or update</p>
-                  <p>automated mechanisms supporting and/or implementing the conducting of
-                     assessments prior to selection, acceptance, or update</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.8">
-            <title>Use of All-source Intelligence</title>
-            <prop name="label">SA-12(8)</prop>
-            <prop name="sort-id">sa-12.08</prop>
-            <part id="sa-12.8_smt" name="statement">
-               <p>The organization uses all-source intelligence analysis of suppliers and potential
-                  suppliers of the information system, system component, or information system
-                  service.</p>
-            </part>
-            <part id="sa-12.8_gdn" name="guidance">
-               <p>All-source intelligence analysis is employed by organizations to inform
-                  engineering, acquisition, and risk management decisions. All-source intelligence
-                  consists of intelligence products and/or organizations and activities that
-                  incorporate all sources of information, most frequently including human
-                  intelligence, imagery intelligence, measurement and signature intelligence,
-                  signals intelligence, and open source data in the production of finished
-                  intelligence. Where available, such information is used to analyze the risk of
-                  both intentional and unintentional vulnerabilities from development,
-                  manufacturing, and delivery processes, people, and the environment. This review is
-                  performed on suppliers at multiple tiers in the supply chain sufficient to manage
-                  risks.</p>
-               <link rel="related" href="#sa-15">SA-15</link>
-            </part>
-            <part id="sa-12.8_obj" name="objective">
-               <p>Determine if the organization uses all-source intelligence analysis of:</p>
-               <part id="sa-12.8_obj.1" name="objective">
-                  <prop name="label">SA-12(8)[1]</prop>
-                  <p>suppliers of the information system, system component, or information system
-                     service; and</p>
-               </part>
-               <part id="sa-12.8_obj.2" name="objective">
-                  <prop name="label">SA-12(8)[2]</prop>
-                  <p>potential suppliers of the information system, system component, or information
-                     system service.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>records of all-source intelligence analyses</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for use of an all-source analysis of suppliers and
-                     potential suppliers</p>
-                  <p>automated mechanisms supporting and/or implementing the use of all-source
-                     analysis of suppliers and potential suppliers</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.9">
-            <title>Operations Security</title>
-            <param id="sa-12.9_prm_1">
-               <label>organization-defined Operations Security (OPSEC) safeguards</label>
-            </param>
-            <prop name="label">SA-12(9)</prop>
-            <prop name="sort-id">sa-12.09</prop>
-            <part id="sa-12.9_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-12.9_prm_1"/> in accordance with
-                  classification guides to protect supply chain-related information for the
-                  information system, system component, or information system service.</p>
-            </part>
-            <part id="sa-12.9_gdn" name="guidance">
-               <p>Supply chain information includes, for example: user identities; uses for
-                  information systems, information system components, and information system
-                  services; supplier identities; supplier processes; security requirements; design
-                  specifications; testing and evaluation results; and system/component
-                  configurations. This control enhancement expands the scope of OPSEC to include
-                  suppliers and potential suppliers. OPSEC is a process of identifying critical
-                  information and subsequently analyzing friendly actions attendant to operations
-                  and other activities to: (i) identify those actions that can be observed by
-                  potential adversaries; (ii) determine indicators that adversaries might obtain
-                  that could be interpreted or pieced together to derive critical information in
-                  sufficient time to cause harm to organizations; (iii) implement safeguards or
-                  countermeasures to eliminate or reduce to an acceptable level, exploitable
-                  vulnerabilities; and (iv) consider how aggregated information may compromise the
-                  confidentiality of users or uses of the supply chain. OPSEC may require
-                  organizations to withhold critical mission/business information from suppliers and
-                  may include the use of intermediaries to hide the end use, or users, of
-                  information systems, system components, or information system services.</p>
-            </part>
-            <part id="sa-12.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-12.9_obj.1" name="objective">
-                  <prop name="label">SA-12(9)[1]</prop>
-                  <p>defines Operations Security (OPSEC) safeguards to be employed in accordance
-                     with classification guides to protect supply chain-related information for the
-                     information system, system component, or information system service; and</p>
-               </part>
-               <part id="sa-12.9_obj.2" name="objective">
-                  <prop name="label">SA-12(9)[2]</prop>
-                  <p>employs organization-defined OPSEC safeguards in accordance with classification
-                     guides to protect supply chain-related information for the information system,
-                     system component, or information system service.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>records of all-source intelligence analyses</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing OPSEC safeguards</p>
-                  <p>automated mechanisms supporting and/or implementing the definition and
-                     employment of OPSEC safeguards</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.10">
-            <title>Validate as Genuine and Not Altered</title>
-            <param id="sa-12.10_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">SA-12(10)</prop>
-            <prop name="sort-id">sa-12.10</prop>
-            <part id="sa-12.10_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-12.10_prm_1"/> to validate that the
-                  information system or system component received is genuine and has not been
-                  altered.</p>
-            </part>
-            <part id="sa-12.10_gdn" name="guidance">
-               <p>For some information system components, especially hardware, there are technical
-                  means to help determine if the components are genuine or have been altered.
-                  Security safeguards used to validate the authenticity of information systems and
-                  information system components include, for example, optical/nanotechnology tagging
-                  and side-channel analysis. For hardware, detailed bill of material information can
-                  highlight the elements with embedded logic complete with component and production
-                  location.</p>
-            </part>
-            <part id="sa-12.10_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-12.10_obj.1" name="objective">
-                  <prop name="label">SA-12(10)[1]</prop>
-                  <p>defines security safeguards to be employed to validate that the information
-                     system or system component received is genuine and has not been altered;
-                     and</p>
-               </part>
-               <part id="sa-12.10_obj.2" name="objective">
-                  <prop name="label">SA-12(10)[2]</prop>
-                  <p>employs organization-defined security safeguards to validate that the
-                     information system or system components received is genuine and has not been
-                     altered.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>procedures address the integration of information security requirements into
-                     the acquisition process</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>evidentiary documentation (including applicable configurations) indicating the
-                     information system, system component, or information system service are genuine
-                     and have not been altered</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing validation safeguards</p>
-                  <p>automated mechanisms supporting and/or implementing the definition and
-                     employment of validation safeguards</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.11">
-            <title>Penetration Testing / Analysis of Elements, Processes, and Actors</title>
-            <param id="sa-12.11_prm_1">
-               <select how-many="one or more">
-                  <choice>organizational analysis, independent third-party analysis, organizational
-                     penetration testing, independent third-party penetration testing</choice>
-               </select>
-            </param>
-            <param id="sa-12.11_prm_2">
-               <label>organization-defined supply chain elements, processes, and actors</label>
-            </param>
-            <prop name="label">SA-12(11)</prop>
-            <prop name="sort-id">sa-12.11</prop>
-            <part id="sa-12.11_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-12.11_prm_1"/> of <insert param-id="sa-12.11_prm_2"/> associated with the information system, system
-                  component, or information system service.</p>
-            </part>
-            <part id="sa-12.11_gdn" name="guidance">
-               <p>This control enhancement addresses analysis and/or testing of the supply chain,
-                  not just delivered items. Supply chain elements are information technology
-                  products or product components that contain programmable logic and that are
-                  critically important to information system functions. Supply chain processes
-                  include, for example: (i) hardware, software, and firmware development processes;
-                  (ii) shipping/handling procedures; (iii) personnel and physical security programs;
-                  (iv) configuration management tools/measures to maintain provenance; or (v) any
-                  other programs, processes, or procedures associated with the
-                  production/distribution of supply chain elements. Supply chain actors are
-                  individuals with specific roles and responsibilities in the supply chain. The
-                  evidence generated during analyses and testing of supply chain elements,
-                  processes, and actors is documented and used to inform organizational risk
-                  management activities and decisions.</p>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="sa-12.11_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-12.11_obj.1" name="objective">
-                  <prop name="label">SA-12(11)[1]</prop>
-                  <p>defines supply chain:</p>
-                  <part id="sa-12.11_obj.1.a" name="objective">
-                     <prop name="label">SA-12(11)[1][a]</prop>
-                     <p>elements to be analyzed and/or tested;</p>
-                  </part>
-                  <part id="sa-12.11_obj.1.b" name="objective">
-                     <prop name="label">SA-12(11)[1][b]</prop>
-                     <p>processes to be analyzed and/or tested;</p>
-                  </part>
-                  <part id="sa-12.11_obj.1.c" name="objective">
-                     <prop name="label">SA-12(11)[1][c]</prop>
-                     <p>actors to be analyzed and/or tested;</p>
-                  </part>
-               </part>
-               <part id="sa-12.11_obj.2" name="objective">
-                  <prop name="label">SA-12(11)[2]</prop>
-                  <p>employs one or more of the following to analyze and/or test
-                     organization-defined supply chain elements, processes, and actors associated
-                     with the information system, system component, or information system
-                     service:</p>
-                  <part id="sa-12.11_obj.2.a" name="objective">
-                     <prop name="label">SA-12(11)[2][a]</prop>
-                     <p>organizational analysis;</p>
-                  </part>
-                  <part id="sa-12.11_obj.2.b" name="objective">
-                     <prop name="label">SA-12(11)[2][b]</prop>
-                     <p>independent third party analysis;</p>
-                  </part>
-                  <part id="sa-12.11_obj.2.c" name="objective">
-                     <prop name="label">SA-12(11)[2][c]</prop>
-                     <p>organizational penetration testing; and/or</p>
-                  </part>
-                  <part id="sa-12.11_obj.2.d" name="objective">
-                     <prop name="label">SA-12(11)[2][d]</prop>
-                     <p>independent third-party penetration testing.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>evidence of organizational analysis, independent third-party analysis,
-                     organizational penetration testing, and/or independent third-party penetration
-                     testing</p>
-                  <p>list of supply chain elements, processes, and actors (associated with the
-                     information system, system component, or information system service) subject to
-                     analysis and/or testing</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-                  <p>organizational personnel with responsibilities for analyzing and/or testing
-                     supply chain elements, processes, and actors</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing methods of analysis/testing
-                     of supply chain elements, processes, and actors</p>
-                  <p>automated mechanisms supporting and/or implementing the analysis/testing of
-                     supply chain elements, processes, and actors</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.12">
-            <title>Inter-organizational Agreements</title>
-            <prop name="label">SA-12(12)</prop>
-            <prop name="sort-id">sa-12.12</prop>
-            <part id="sa-12.12_smt" name="statement">
-               <p>The organization establishes inter-organizational agreements and procedures with
-                  entities involved in the supply chain for the information system, system
-                  component, or information system service.</p>
-            </part>
-            <part id="sa-12.12_gdn" name="guidance">
-               <p>The establishment of inter-organizational agreements and procedures provides for
-                  notification of supply chain compromises. Early notification of supply chain
-                  compromises that can potentially adversely affect or have adversely affected
-                  organizational information systems, including critical system components, is
-                  essential for organizations to provide appropriate responses to such
-                  incidents.</p>
-            </part>
-            <part id="sa-12.12_obj" name="objective">
-               <p>Determine if the organization establishes, with entities involved in the supply
-                  chain for the information system, system component, or information system
-                  service,:</p>
-               <part id="sa-12.12_obj.1" name="objective">
-                  <prop name="label">SA-12(12)[1]</prop>
-                  <p>inter-organizational agreements; and</p>
-               </part>
-               <part id="sa-12.12_obj.2" name="objective">
-                  <prop name="label">SA-12(12)[2]</prop>
-                  <p>inter-organizational procedures.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>inter-organizational agreements and procedures</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for establishing inter-organizational agreements and
-                     procedures with supply chain entities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.13">
-            <title>Critical Information System Components</title>
-            <param id="sa-12.13_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="sa-12.13_prm_2">
-               <label>organization-defined critical information system components</label>
-            </param>
-            <prop name="label">SA-12(13)</prop>
-            <prop name="sort-id">sa-12.13</prop>
-            <part id="sa-12.13_smt" name="statement">
-               <p>The organization employs <insert param-id="sa-12.13_prm_1"/> to ensure an adequate
-                  supply of <insert param-id="sa-12.13_prm_2"/>.</p>
-            </part>
-            <part id="sa-12.13_gdn" name="guidance">
-               <p>Adversaries can attempt to impede organizational operations by disrupting the
-                  supply of critical information system components or corrupting supplier
-                  operations. Safeguards to ensure adequate supplies of critical information system
-                  components include, for example: (i) the use of multiple suppliers throughout the
-                  supply chain for the identified critical components; and (ii) stockpiling of spare
-                  components to ensure operation during mission-critical times.</p>
-            </part>
-            <part id="sa-12.13_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-12.13_obj.1" name="objective">
-                  <prop name="label">SA-12(13)[1]</prop>
-                  <p>defines critical information system components for which security safeguards
-                     are to be employed to ensure an adequate supply of such components;</p>
-               </part>
-               <part id="sa-12.13_obj.2" name="objective">
-                  <prop name="label">SA-12(13)[2]</prop>
-                  <p>defines security safeguards to be employed to ensure an adequate supply of
-                     organization-defined critical information components; and</p>
-               </part>
-               <part id="sa-12.13_obj.3" name="objective">
-                  <prop name="label">SA-12(13)[3]</prop>
-                  <p>employs organization-defined security safeguards to ensure an adequate supply
-                     of organization-defined critical information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>physical inventory of critical information system components</p>
-                  <p>inventory records of critical information system components</p>
-                  <p>list of security safeguards ensuring adequate supply of critical information
-                     system components</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and employing security safeguards to
-                     ensure an adequate supply of critical information system components</p>
-                  <p>automated mechanisms supporting and/or implementing the security safeguards
-                     that ensure an adequate supply of critical information system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.14">
-            <title>Identity and Traceability</title>
-            <param id="sa-12.14_prm_1">
-               <label>organization-defined supply chain elements, processes, and actors</label>
-            </param>
-            <prop name="label">SA-12(14)</prop>
-            <prop name="sort-id">sa-12.14</prop>
-            <part id="sa-12.14_smt" name="statement">
-               <p>The organization establishes and retains unique identification of <insert param-id="sa-12.14_prm_1"/> for the information system, system component, or
-                  information system service.</p>
-            </part>
-            <part id="sa-12.14_gdn" name="guidance">
-               <p>Knowing who and what is in the supply chains of organizations is critical to
-                  gaining visibility into what is happening within such supply chains, as well as
-                  monitoring and identifying high-risk events and activities. Without reasonable
-                  visibility and traceability into supply chains (i.e., elements, processes, and
-                  actors), it is very difficult for organizations to understand and therefore manage
-                  risk, and to reduce the likelihood of adverse events. Uniquely identifying
-                  acquirer and integrator roles, organizations, personnel, mission and element
-                  processes, testing and evaluation procedures, delivery mechanisms, support
-                  mechanisms, communications/delivery paths, and disposal/final disposition
-                  activities as well as the components and tools used, establishes a foundational
-                  identity structure for assessment of supply chain activities. For example,
-                  labeling (using serial numbers) and tagging (using radio-frequency identification
-                  [RFID] tags) individual supply chain elements including software packages,
-                  modules, and hardware devices, and processes associated with those elements can be
-                  used for this purpose. Identification methods are sufficient to support the
-                  provenance in the event of a supply chain issue or adverse supply chain event.</p>
-            </part>
-            <part id="sa-12.14_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-12.14_obj.1" name="objective">
-                  <prop name="label">SA-12(14)[1]</prop>
-                  <p>defines the following for the establishment and retention of unique
-                     identification:</p>
-                  <part id="sa-12.14_obj.1.a" name="objective">
-                     <prop name="label">SA-12(14)[1][a]</prop>
-                     <p>supply chain elements;</p>
-                  </part>
-                  <part id="sa-12.14_obj.1.b" name="objective">
-                     <prop name="label">SA-12(14)[1][b]</prop>
-                     <p>supply chain processes;</p>
-                  </part>
-                  <part id="sa-12.14_obj.1.c" name="objective">
-                     <prop name="label">SA-12(14)[1][c]</prop>
-                     <p>supply chain actors; and</p>
-                  </part>
-               </part>
-               <part id="sa-12.14_obj.2" name="objective">
-                  <prop name="label">SA-12(14)[2]</prop>
-                  <p>establishes and retains unique identification of organization-defined supply
-                     chain elements, processes, and actors for the information system, system
-                     component, or information system service.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>procedures addressing the integration of information security requirements into
-                     the acquisition process</p>
-                  <p>list of supply chain elements, processes, and actors (associated with the
-                     information system, system component, or information system service) requiring
-                     implementation of unique identification processes, procedures, tools,
-                     mechanisms, equipment, techniques and/or configurations</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-                  <p>organizational personnel with responsibilities for establishing and retaining
-                     unique identification of supply chain elements, processes, and actors</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining, establishing, and retaining unique
-                     identification for supply chain elements, processes, and actors</p>
-                  <p>automated mechanisms supporting and/or implementing the definition,
-                     establishment, and retention of unique identification for supply chain
-                     elements, processes, and actors</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.15">
-            <title>Processes to Address Weaknesses or Deficiencies</title>
-            <prop name="label">SA-12(15)</prop>
-            <prop name="sort-id">sa-12.15</prop>
-            <part id="sa-12.15_smt" name="statement">
-               <p>The organization establishes a process to address weaknesses or deficiencies in
-                  supply chain elements identified during independent or organizational assessments
-                  of such elements.</p>
-            </part>
-            <part id="sa-12.15_gdn" name="guidance">
-               <p>Evidence generated during independent or organizational assessments of supply
-                  chain elements (e.g., penetration testing, audits, verification/validation
-                  activities) is documented and used in follow-on processes implemented by
-                  organizations to respond to the risks related to the identified weaknesses and
-                  deficiencies. Supply chain elements include, for example, supplier development
-                  processes and supplier distribution systems.</p>
-            </part>
-            <part id="sa-12.15_obj" name="objective">
-               <p>Determine if the organization establishes a process to address weaknesses or
-                  deficiencies in supply chain elements identified during independent or
-                  organizational assessments of such elements.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing supply chain protection</p>
-                  <p>procedures addressing weaknesses or deficiencies in supply chain elements</p>
-                  <p>results of independent or organizational assessments of supply chain controls
-                     and processes</p>
-                  <p>acquisition contracts, service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with supply chain protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for addressing weaknesses or deficiencies in supply
-                     chain elements</p>
-                  <p>automated mechanisms supporting and/or implementing the addressing of
-                     weaknesses or deficiencies in supply chain elements</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-13">
-         <title>Trustworthiness</title>
-         <param id="sa-13_prm_1">
-            <label>organization-defined information system, information system component, or
-               information system service</label>
-         </param>
-         <param id="sa-13_prm_2">
-            <label>organization-defined assurance overlay</label>
-         </param>
-         <prop name="label">SA-13</prop>
-         <prop name="sort-id">sa-13</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#aba82822-b6e6-4abe-af2e-3fdd68f0bcf8" rel="reference">FIPS Publication 200</link>
-         <link href="#07b79057-4b85-471e-bd16-84844917325b" rel="reference">NIST Special Publication 800-53</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <link href="#abd950ae-092f-4b7a-b374-1c7c67fe9350" rel="reference">NIST Special Publication 800-64</link>
-         <part id="sa-13_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-13_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Describes the trustworthiness required in the <insert param-id="sa-13_prm_1"/>
-                  supporting its critical missions/business functions; and</p>
-            </part>
-            <part id="sa-13_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements <insert param-id="sa-13_prm_2"/> to achieve such trustworthiness.</p>
-            </part>
-         </part>
-         <part id="sa-13_gdn" name="guidance">
-            <p>This control helps organizations to make explicit trustworthiness decisions when
-               designing, developing, and implementing information systems that are needed to
-               conduct critical organizational missions/business functions. Trustworthiness is a
-               characteristic/property of an information system that expresses the degree to which
-               the system can be expected to preserve the confidentiality, integrity, and
-               availability of the information it processes, stores, or transmits. Trustworthy
-               information systems are systems that are capable of being trusted to operate within
-               defined levels of risk despite the environmental disruptions, human errors, and
-               purposeful attacks that are expected to occur in the specified environments of
-               operation. Trustworthy systems are important to mission/business success. Two factors
-               affecting the trustworthiness of information systems include: (i) security
-               functionality (i.e., the security features, functions, and/or mechanisms employed
-               within the system and its environment of operation); and (ii) security assurance
-               (i.e., the grounds for confidence that the security functionality is effective in its
-               application). Developers, implementers, operators, and maintainers of organizational
-               information systems can increase the level of assurance (and trustworthiness), for
-               example, by employing well-defined security policy models, structured and rigorous
-               hardware, software, and firmware development techniques, sound system/security
-               engineering principles, and secure configuration settings (defined by a set of
-               assurance-related security controls in Appendix E). Assurance is also based on the
-               assessment of evidence produced during the system development life cycle. Critical
-               missions/business functions are supported by high-impact systems and the associated
-               assurance requirements for such systems. The additional assurance controls in Table
-               E-4 in Appendix E (designated as optional) can be used to develop and implement
-               high-assurance solutions for specific information systems and system components using
-               the concept of overlays described in Appendix I. Organizations select assurance
-               overlays that have been developed, validated, and approved for community adoption
-               (e.g., cross-organization, governmentwide), limiting the development of such overlays
-               on an organization-by-organization basis. Organizations can conduct criticality
-               analyses as described in SA-14, to determine the information systems, system
-               components, or information system services that require high-assurance solutions.
-               Trustworthiness requirements and assurance overlays can be described in the security
-               plans for organizational information systems.</p>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-14">SA-14</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sa-13_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-13.a_obj" name="objective">
-               <prop name="label">SA-13(a)</prop>
-               <part id="sa-13.a_obj.1" name="objective">
-                  <prop name="label">SA-13(a)[1]</prop>
-                  <p>defines information system, system component, or information system service for
-                     which the trustworthiness required is to be described;</p>
-               </part>
-               <part id="sa-13.a_obj.2" name="objective">
-                  <prop name="label">SA-13(a)[2]</prop>
-                  <p>describes the trustworthiness required in organization-defined information
-                     system, information system component, or information system service supporting
-                     its critical mission/business functions;</p>
-               </part>
-            </part>
-            <part id="sa-13.b_obj" name="objective">
-               <prop name="label">SA-13(b)</prop>
-               <part id="sa-13.b_obj.1" name="objective">
-                  <prop name="label">SA-13(b)[1]</prop>
-                  <p>defines an assurance overlay to be implemented to achieve such trustworthiness;
-                     and</p>
-               </part>
-               <part id="sa-13.b_obj.2" name="objective">
-                  <prop name="label">SA-13(b)[2]</prop>
-                  <p>organization implements the organization-defined assurance overlay to achieve
-                     such trustworthiness.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing trustworthiness requirements for the information system,
-                  system component, or information system service</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>security categorization documentation/results</p>
-               <p>security authorization package for the information system, system component, or
-                  information system service</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>authorizing official</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-14">
-         <title>Criticality Analysis</title>
-         <param id="sa-14_prm_1">
-            <label>organization-defined information systems, information system components, or
-               information system services</label>
-         </param>
-         <param id="sa-14_prm_2">
-            <label>organization-defined decision points in the system development life cycle</label>
-         </param>
-         <prop name="label">SA-14</prop>
-         <prop name="sort-id">sa-14</prop>
-         <part id="sa-14_smt" name="statement">
-            <p>The organization identifies critical information system components and functions by
-               performing a criticality analysis for <insert param-id="sa-14_prm_1"/> at <insert param-id="sa-14_prm_2"/>.</p>
-         </part>
-         <part id="sa-14_gdn" name="guidance">
-            <p>Criticality analysis is a key tenet of supply chain risk management and informs the
-               prioritization of supply chain protection activities such as attack surface
-               reduction, use of all-source intelligence, and tailored acquisition strategies.
-               Information system engineers can conduct an end-to-end functional decomposition of an
-               information system to identify mission-critical functions and components. The
-               functional decomposition includes the identification of core organizational missions
-               supported by the system, decomposition into the specific functions to perform those
-               missions, and traceability to the hardware, software, and firmware components that
-               implement those functions, including when the functions are shared by many components
-               within and beyond the information system boundary. Information system components that
-               allow for unmediated access to critical components or functions are considered
-               critical due to the inherent vulnerabilities such components create. Criticality is
-               assessed in terms of the impact of the function or component failure on the ability
-               of the component to complete the organizational missions supported by the information
-               system. A criticality analysis is performed whenever an architecture or design is
-               being developed or modified, including upgrades.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pl-8">PL-8</link>
-            <link rel="related" href="#pm-1">PM-1</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-13">SA-13</link>
-            <link rel="related" href="#sa-15">SA-15</link>
-            <link rel="related" href="#sa-20">SA-20</link>
-         </part>
-         <part id="sa-14_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-14_obj.1" name="objective">
-               <prop name="label">SA-14[1]</prop>
-               <p>defines information systems, information system components, or information system
-                  services requiring a criticality analysis to identify critical information system
-                  components and functions;</p>
-            </part>
-            <part id="sa-14_obj.2" name="objective">
-               <prop name="label">SA-14[2]</prop>
-               <p>defines decision points in the system development life cycle when a criticality
-                  analysis is to be performed for organization-defined information systems,
-                  information system components, or information system services; and</p>
-            </part>
-            <part id="sa-14_obj.3" name="objective">
-               <prop name="label">SA-14[3]</prop>
-               <p>identifies critical information system components and functions by performing a
-                  criticality analysis for organization-defined information systems, information
-                  system components, or information system services at organization-defined
-                  decisions points in the system development life cycle.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing criticality analysis requirements for information systems,
-                  security plan</p>
-               <p>contingency plan</p>
-               <p>list of information systems, information system components, or information system
-                  services requiring criticality analyses</p>
-               <p>list of critical information system components and functions identified by
-                  criticality analyses</p>
-               <p>criticality analysis documentation</p>
-               <p>business impact analysis documentation</p>
-               <p>system development life cycle documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for performing criticality analysis
-                  for the information system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-14.1">
-            <title>Critical Components with No Viable Alternative Sourcing</title>
-            <prop name="label">SA-14(1)</prop>
-            <prop name="sort-id">sa-14.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-20">SA-20</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-15">
-         <title>Development Process, Standards, and Tools</title>
-         <param id="sa-15_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sa-15_prm_2">
-            <label>organization-defined security requirements</label>
-         </param>
-         <prop name="label">SA-15</prop>
-         <prop name="sort-id">sa-15</prop>
-         <part id="sa-15_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-15_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Requires the developer of the information system, system component, or information
-                  system service to follow a documented development process that:</p>
-               <part id="sa-15_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Explicitly addresses security requirements;</p>
-               </part>
-               <part id="sa-15_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Identifies the standards and tools used in the development process;</p>
-               </part>
-               <part id="sa-15_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Documents the specific tool options and tool configurations used in the
-                     development process; and</p>
-               </part>
-               <part id="sa-15_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Documents, manages, and ensures the integrity of changes to the process and/or
-                     tools used in development; and</p>
-               </part>
-            </part>
-            <part id="sa-15_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews the development process, standards, tools, and tool options/configurations
-                     <insert param-id="sa-15_prm_1"/> to determine if the process, standards, tools,
-                  and tool options/configurations selected and employed can satisfy <insert param-id="sa-15_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="sa-15_gdn" name="guidance">
-            <p>Development tools include, for example, programming languages and computer-aided
-               design (CAD) systems. Reviews of development processes can include, for example, the
-               use of maturity models to determine the potential effectiveness of such processes.
-               Maintaining the integrity of changes to tools and processes enables accurate supply
-               chain risk assessment and mitigation, and requires robust configuration control
-               throughout the life cycle (including design, development, transport, delivery,
-               integration, and maintenance) to track authorized changes and prevent unauthorized
-               changes.</p>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-15_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-15.a_obj" name="objective">
-               <prop name="label">SA-15(a)</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to follow a documented development process that:</p>
-               <part id="sa-15.a.1_obj" name="objective">
-                  <prop name="label">SA-15(a)(1)</prop>
-                  <p>explicitly addresses security requirements;</p>
-               </part>
-               <part id="sa-15.a.2_obj" name="objective">
-                  <prop name="label">SA-15(a)(2)</prop>
-                  <p>identifies the standards and tools used in the development process;</p>
-               </part>
-               <part id="sa-15.a.3_obj" name="objective">
-                  <prop name="label">SA-15(a)(3)</prop>
-                  <part id="sa-15.a.3_obj.1" name="objective">
-                     <prop name="label">SA-15(a)(3)[1]</prop>
-                     <p>documents the specific tool options used in the development process;</p>
-                  </part>
-                  <part id="sa-15.a.3_obj.2" name="objective">
-                     <prop name="label">SA-15(a)(3)[2]</prop>
-                     <p>documents the specific tool configurations used in the development
-                        process;</p>
-                  </part>
-               </part>
-               <part id="sa-15.a.4_obj" name="objective">
-                  <prop name="label">SA-15(a)(4)</prop>
-                  <part id="sa-15.a.4_obj.1" name="objective">
-                     <prop name="label">SA-15(a)(4)[1]</prop>
-                     <p>documents changes to the process and/or tools used in the development;</p>
-                  </part>
-                  <part id="sa-15.a.4_obj.2" name="objective">
-                     <prop name="label">SA-15(a)(4)[2]</prop>
-                     <p>manages changes to the process and/or tools used in the development;</p>
-                  </part>
-                  <part id="sa-15.a.4_obj.3" name="objective">
-                     <prop name="label">SA-15(a)(4)[3]</prop>
-                     <p>ensures the integrity of changes to the process and/or tools used in the
-                        development;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sa-15.b_obj" name="objective">
-               <prop name="label">SA-15(b)</prop>
-               <part id="sa-15.b_obj.1" name="objective">
-                  <prop name="label">SA-15(b)[1]</prop>
-                  <p>defines a frequency to review the development process, standards, tools, and
-                     tool options/configurations;</p>
-               </part>
-               <part id="sa-15.b_obj.2" name="objective">
-                  <prop name="label">SA-15(b)[2]</prop>
-                  <p>defines security requirements to be satisfied by the process, standards, tools,
-                     and tool option/configurations selected and employed; and</p>
-               </part>
-               <part id="sa-15.b_obj.3" name="objective">
-                  <prop name="label">SA-15(b)[3]</prop>
-                  <part id="sa-15.b_obj.3.a" name="objective">
-                     <prop name="label">SA-15(b)[3][a]</prop>
-                     <p>reviews the development process with the organization-defined frequency to
-                        determine if the process selected and employed can satisfy
-                        organization-defined security requirements;</p>
-                  </part>
-                  <part id="sa-15.b_obj.3.b" name="objective">
-                     <prop name="label">SA-15(b)[3][b]</prop>
-                     <p>reviews the development standards with the organization-defined frequency to
-                        determine if the standards selected and employed can satisfy
-                        organization-defined security requirements;</p>
-                  </part>
-                  <part id="sa-15.b_obj.3.c" name="objective">
-                     <prop name="label">SA-15(b)[3][c]</prop>
-                     <p>reviews the development tools with the organization-defined frequency to
-                        determine if the tools selected and employed can satisfy
-                        organization-defined security requirements; and</p>
-                  </part>
-                  <part id="sa-15.b_obj.3.d" name="objective">
-                     <prop name="label">SA-15(b)[3][d]</prop>
-                     <p>reviews the development tool options/configurations with the
-                        organization-defined frequency to determine if the tool
-                        options/configurations selected and employed can satisfy
-                        organization-defined security requirements.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing development process, standards, and tools</p>
-               <p>procedures addressing the integration of security requirements during the
-                  development process</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>system developer documentation listing tool options/configuration guides,
-                  configuration management records</p>
-               <p>change control records</p>
-               <p>configuration control records</p>
-               <p>documented reviews of development process, standards, tools, and tool
-                  options/configurations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-15.1">
-            <title>Quality Metrics</title>
-            <param id="sa-15.1_prm_1">
-               <select how-many="one or more">
-                  <choice>
-                     <insert param-id="sa-15.1_prm_2"/>
-                  </choice>
-                  <choice>
-                     <insert param-id="sa-15.1_prm_3"/>
-                  </choice>
-                  <choice>upon delivery</choice>
-               </select>
-            </param>
-            <param id="sa-15.1_prm_2" depends-on="sa-15.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="sa-15.1_prm_3" depends-on="sa-15.1_prm_1">
-               <label>organization-defined program review milestones</label>
-            </param>
-            <prop name="label">SA-15(1)</prop>
-            <prop name="sort-id">sa-15.01</prop>
-            <part id="sa-15.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to:</p>
-               <part id="sa-15.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Define quality metrics at the beginning of the development process; and</p>
-               </part>
-               <part id="sa-15.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Provide evidence of meeting the quality metrics <insert param-id="sa-15.1_prm_1"/>.</p>
-               </part>
-            </part>
-            <part id="sa-15.1_gdn" name="guidance">
-               <p>Organizations use quality metrics to establish minimum acceptable levels of
-                  information system quality. Metrics may include quality gates which are
-                  collections of completion criteria or sufficiency standards representing the
-                  satisfactory execution of particular phases of the system development project. A
-                  quality gate, for example, may require the elimination of all compiler warnings or
-                  an explicit determination that the warnings have no impact on the effectiveness of
-                  required security capabilities. During the execution phases of development
-                  projects, quality gates provide clear, unambiguous indications of progress. Other
-                  metrics apply to the entire development project. These metrics can include
-                  defining the severity thresholds of vulnerabilities, for example, requiring no
-                  known vulnerabilities in the delivered information system with a Common
-                  Vulnerability Scoring System (CVSS) severity of Medium or High.</p>
-            </part>
-            <part id="sa-15.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-15.1.a_obj" name="objective">
-                  <prop name="label">SA-15(1)(a)</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to define quality metrics at the beginning of the
-                     development process;</p>
-                  <link rel="corresp" href="#sa-15.1_smt.a">SA-15(1)(a)</link>
-               </part>
-               <part id="sa-15.1.b_obj" name="objective">
-                  <prop name="label">SA-15(1)(b)</prop>
-                  <part id="sa-15.1.b_obj.1" name="objective">
-                     <prop name="label">SA-15(1)(b)[1]</prop>
-                     <p>defines a frequency to provide evidence of meeting the quality metrics;</p>
-                  </part>
-                  <part id="sa-15.1.b_obj.2" name="objective">
-                     <prop name="label">SA-15(1)(b)[2]</prop>
-                     <p>defines program review milestones to provide evidence of meeting the quality
-                        metrics;</p>
-                  </part>
-                  <part id="sa-15.1.b_obj.3" name="objective">
-                     <prop name="label">SA-15(1)(b)[3]</prop>
-                     <p>requires the developer of the information system, system component, or
-                        information system service to provide evidence of meeting the quality
-                        metrics one or more of the following:</p>
-                     <part id="sa-15.1.b_obj.3.a" name="objective">
-                        <prop name="label">SA-15(1)(b)[3][a]</prop>
-                        <p>with the organization-defined frequency;</p>
-                     </part>
-                     <part id="sa-15.1.b_obj.3.b" name="objective">
-                        <prop name="label">SA-15(1)(b)[3][b]</prop>
-                        <p>in accordance with the organization-defined program review milestones;
-                           and/or</p>
-                     </part>
-                     <part id="sa-15.1.b_obj.3.c" name="objective">
-                        <prop name="label">SA-15(1)(b)[3][c]</prop>
-                        <p>upon delivery of the information system, system component, or information
-                           system service.</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#sa-15.1_smt.b">SA-15(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>list of quality metrics</p>
-                  <p>documentation evidence of meeting quality metrics</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.2">
-            <title>Security Tracking Tools</title>
-            <prop name="label">SA-15(2)</prop>
-            <prop name="sort-id">sa-15.02</prop>
-            <part id="sa-15.2_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to select and employ a security tracking
-                  tool for use during the development process.</p>
-            </part>
-            <part id="sa-15.2_gdn" name="guidance">
-               <p>Information system development teams select and deploy security tracking tools,
-                  including, for example, vulnerability/work item tracking systems that facilitate
-                  assignment, sorting, filtering, and tracking of completed work items or tasks
-                  associated with system development processes.</p>
-            </part>
-            <part id="sa-15.2_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to select and employ a security
-                  tracking tool for use during the development process.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>procedures addressing the integration of security requirements into the
-                     acquisition process</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>list of quality metrics</p>
-                  <p>documentation evidence of meeting quality metrics</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.3">
-            <title>Criticality Analysis</title>
-            <param id="sa-15.3_prm_1">
-               <label>organization-defined breadth/depth</label>
-            </param>
-            <param id="sa-15.3_prm_2">
-               <label>organization-defined decision points in the system development life
-                  cycle</label>
-            </param>
-            <prop name="label">SA-15(3)</prop>
-            <prop name="sort-id">sa-15.03</prop>
-            <part id="sa-15.3_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to perform a criticality analysis at
-                     <insert param-id="sa-15.3_prm_1"/> and at <insert param-id="sa-15.3_prm_2"/>.</p>
-            </part>
-            <part id="sa-15.3_gdn" name="guidance">
-               <p>This control enhancement provides developer input to the criticality analysis
-                  performed by organizations in SA-14. Developer input is essential to such analysis
-                  because organizations may not have access to detailed design documentation for
-                  information system components that are developed as commercial off-the-shelf
-                  (COTS) information technology products (e.g., functional specifications,
-                  high-level designs, low-level designs, and source code/hardware schematics).</p>
-               <link rel="related" href="#sa-4">SA-4</link>
-               <link rel="related" href="#sa-14">SA-14</link>
-            </part>
-            <part id="sa-15.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-15.3_obj.1" name="objective">
-                  <prop name="label">SA-15(3)[1]</prop>
-                  <p>defines the breadth of criticality analysis to be performed by the developer of
-                     the information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-15.3_obj.2" name="objective">
-                  <prop name="label">SA-15(3)[2]</prop>
-                  <p>defines the depth of criticality analysis to be performed by the developer of
-                     the information system, system component, or information system service;</p>
-               </part>
-               <part id="sa-15.3_obj.3" name="objective">
-                  <prop name="label">SA-15(3)[3]</prop>
-                  <p>defines decision points in the system development life cycle when a criticality
-                     analysis is to be performed for the information system, system component, or
-                     information system service; and</p>
-               </part>
-               <part id="sa-15.3_obj.4" name="objective">
-                  <prop name="label">SA-15(3)[4]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to perform a criticality analysis at the
-                     organization-defined breadth/depth and at organization-defined decision points
-                     in the system development life cycle.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>procedures addressing criticality analysis requirements for the information
-                     system, system component, or information system service</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>criticality analysis documentation</p>
-                  <p>business impact analysis documentation</p>
-                  <p>software development life cycle documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsibility for performing criticality analysis</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for performing criticality analysis</p>
-                  <p>automated mechanisms supporting and/or implementing criticality analysis</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.4">
-            <title>Threat Modeling / Vulnerability Analysis</title>
-            <param id="sa-15.4_prm_1">
-               <label>organization-defined breadth/depth</label>
-            </param>
-            <param id="sa-15.4_prm_2">
-               <label>organization-defined information concerning impact, environment of operations,
-                  known or assumed threats, and acceptable risk levels</label>
-            </param>
-            <param id="sa-15.4_prm_3">
-               <label>organization-defined tools and methods</label>
-            </param>
-            <param id="sa-15.4_prm_4">
-               <label>organization-defined acceptance criteria</label>
-            </param>
-            <prop name="label">SA-15(4)</prop>
-            <prop name="sort-id">sa-15.04</prop>
-            <part id="sa-15.4_smt" name="statement">
-               <p>The organization requires that developers perform threat modeling and a
-                  vulnerability analysis for the information system at <insert param-id="sa-15.4_prm_1"/> that:</p>
-               <part id="sa-15.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Uses <insert param-id="sa-15.4_prm_2"/>;</p>
-               </part>
-               <part id="sa-15.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Employs <insert param-id="sa-15.4_prm_3"/>; and</p>
-               </part>
-               <part id="sa-15.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Produces evidence that meets <insert param-id="sa-15.4_prm_4"/>.</p>
-               </part>
-            </part>
-            <part id="sa-15.4_gdn" name="guidance">
-               <link rel="related" href="#sa-4">SA-4</link>
-            </part>
-            <part id="sa-15.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-15.4_obj.1" name="objective">
-                  <prop name="label">SA-15(4)[1]</prop>
-                  <p>defines the breadth of threat modeling and vulnerability analysis to be
-                     performed by developers for the information system;</p>
-               </part>
-               <part id="sa-15.4_obj.2" name="objective">
-                  <prop name="label">SA-15(4)[2]</prop>
-                  <p>defines the depth of threat modeling and vulnerability analysis to be performed
-                     by developers for the information system;</p>
-               </part>
-               <part id="sa-15.4_obj.3" name="objective">
-                  <prop name="label">SA-15(4)[3]</prop>
-                  <p>defines information concerning impact, environment of operations, known or
-                     assumed threats, and acceptable risk levels to be used in threat modeling and
-                     vulnerability analysis;</p>
-               </part>
-               <part id="sa-15.4_obj.4" name="objective">
-                  <prop name="label">SA-15(4)[4]</prop>
-                  <p>defines tools and methods to be employed in threat modeling and vulnerability
-                     analysis;</p>
-               </part>
-               <part id="sa-15.4_obj.5" name="objective">
-                  <prop name="label">SA-15(4)[5]</prop>
-                  <p>defines acceptance criteria for evidence produced from threat modeling and
-                     vulnerability analysis;</p>
-               </part>
-               <part id="sa-15.4_obj.6" name="objective">
-                  <prop name="label">SA-15(4)[6]</prop>
-                  <p>requires that developers perform threat modeling and a vulnerability analysis
-                     for the information system at the organization-defined breadth/depth that:</p>
-                  <part id="sa-15.4.a_obj.6" name="objective">
-                     <prop name="label">SA-15(4)[6](a)</prop>
-                     <p>uses organization-defined information concerning impact, environment of
-                        operations, known or assumed threats, and acceptable risk levels;</p>
-                     <link rel="corresp" href="#sa-15.4_smt.a">SA-15(4)(a)</link>
-                  </part>
-                  <part id="sa-15.4.b_obj.6" name="objective">
-                     <prop name="label">SA-15(4)[6](b)</prop>
-                     <p>employs organization-defined tools and methods; and</p>
-                     <link rel="corresp" href="#sa-15.4_smt.b">SA-15(4)(b)</link>
-                  </part>
-                  <part id="sa-15.4.c_obj.6" name="objective">
-                     <prop name="label">SA-15(4)[6](c)</prop>
-                     <p>produces evidence that meets organization-defined acceptance criteria.</p>
-                     <link rel="corresp" href="#sa-15.4_smt.c">SA-15(4)(c)</link>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>threat modeling documentation</p>
-                  <p>vulnerability analysis results</p>
-                  <p>organizational risk assessments</p>
-                  <p>acceptance criteria for evidence produced from threat modeling and
-                     vulnerability analysis</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for performing development threat modeling and
-                     vulnerability analysis</p>
-                  <p>automated mechanisms supporting and/or implementing development threat modeling
-                     and vulnerability analysis</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.5">
-            <title>Attack Surface Reduction</title>
-            <param id="sa-15.5_prm_1">
-               <label>organization-defined thresholds</label>
-            </param>
-            <prop name="label">SA-15(5)</prop>
-            <prop name="sort-id">sa-15.05</prop>
-            <part id="sa-15.5_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to reduce attack surfaces to <insert param-id="sa-15.5_prm_1"/>.</p>
-            </part>
-            <part id="sa-15.5_gdn" name="guidance">
-               <p>Attack surface reduction is closely aligned with developer threat and
-                  vulnerability analyses and information system architecture and design. Attack
-                  surface reduction is a means of reducing risk to organizations by giving attackers
-                  less opportunity to exploit weaknesses or deficiencies (i.e., potential
-                  vulnerabilities) within information systems, information system components, and
-                  information system services. Attack surface reduction includes, for example,
-                  applying the principle of least privilege, employing layered defenses, applying
-                  the principle of least functionality (i.e., restricting ports, protocols,
-                  functions, and services), deprecating unsafe functions, and eliminating
-                  application programming interfaces (APIs) that are vulnerable to cyber
-                  attacks.</p>
-               <link rel="related" href="#cm-7">CM-7</link>
-            </part>
-            <part id="sa-15.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-15.5_obj.1" name="objective">
-                  <prop name="label">SA-15(5)[1]</prop>
-                  <p>defines thresholds to which attack surfaces are to be reduced; and</p>
-               </part>
-               <part id="sa-15.5_obj.2" name="objective">
-                  <prop name="label">SA-15(5)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to reduce attack surfaces to organization-defined
-                     thresholds.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>procedures addressing attack surface reduction</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, or information system
-                     service</p>
-                  <p>information system design documentation</p>
-                  <p>network diagram</p>
-                  <p>information system configuration settings and associated documentation
-                     establishing/enforcing organization-defined thresholds for reducing attack
-                     surfaces</p>
-                  <p>list of restricted ports, protocols, functions and services</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel responsibility for attack surface reduction
-                     thresholds</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining attack surface reduction thresholds</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.6">
-            <title>Continuous Improvement</title>
-            <prop name="label">SA-15(6)</prop>
-            <prop name="sort-id">sa-15.06</prop>
-            <part id="sa-15.6_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to implement an explicit process to
-                  continuously improve the development process.</p>
-            </part>
-            <part id="sa-15.6_gdn" name="guidance">
-               <p>Developers of information systems, information system components, and information
-                  system services consider the effectiveness/efficiency of current development
-                  processes for meeting quality objectives and addressing security capabilities in
-                  current threat environments.</p>
-            </part>
-            <part id="sa-15.6_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to implement an explicit process
-                  to continuously improve the development process.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>quality goals and metrics for improving system development process</p>
-                  <p>security assessments and/or quality control reviews of system development
-                     process</p>
-                  <p>plans of action and milestones for improving system development process</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.7">
-            <title>Automated Vulnerability Analysis</title>
-            <param id="sa-15.7_prm_1">
-               <label>organization-defined tools</label>
-            </param>
-            <param id="sa-15.7_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SA-15(7)</prop>
-            <prop name="sort-id">sa-15.07</prop>
-            <part id="sa-15.7_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to:</p>
-               <part id="sa-15.7_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Perform an automated vulnerability analysis using <insert param-id="sa-15.7_prm_1"/>;</p>
-               </part>
-               <part id="sa-15.7_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Determine the exploitation potential for discovered vulnerabilities;</p>
-               </part>
-               <part id="sa-15.7_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Determine potential risk mitigations for delivered vulnerabilities; and</p>
-               </part>
-               <part id="sa-15.7_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Deliver the outputs of the tools and results of the analysis to <insert param-id="sa-15.7_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="sa-15.7_gdn" name="guidance">
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="sa-15.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-15.7.a_obj" name="objective">
-                  <prop name="label">SA-15(7)(a)</prop>
-                  <part id="sa-15.7.a_obj.1" name="objective">
-                     <prop name="label">SA-15(7)(a)[1]</prop>
-                     <p>defines tools to be used to perform automated vulnerability analysis of the
-                        information system, system component, or information system service;</p>
-                  </part>
-                  <part id="sa-15.7.a_obj.2" name="objective">
-                     <prop name="label">SA-15(7)(a)[2]</prop>
-                     <p>requires the developer of the information system, system component, or
-                        information system service to perform an automated vulnerability analysis
-                        using organization-defined tools;</p>
-                  </part>
-                  <link rel="corresp" href="#sa-15.7_smt.a">SA-15(7)(a)</link>
-               </part>
-               <part id="sa-15.7.b_obj" name="objective">
-                  <prop name="label">SA-15(7)(b)</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to determine the exploitation potential for
-                     discovered vulnerabilities;</p>
-                  <link rel="corresp" href="#sa-15.7_smt.b">SA-15(7)(b)</link>
-               </part>
-               <part id="sa-15.7.c_obj" name="objective">
-                  <prop name="label">SA-15(7)(c)</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to determine potential risk mitigations for
-                     delivered vulnerabilities;</p>
-                  <link rel="corresp" href="#sa-15.7_smt.c">SA-15(7)(c)</link>
-               </part>
-               <part id="sa-15.7.d_obj" name="objective">
-                  <prop name="label">SA-15(7)(d)</prop>
-                  <part id="sa-15.7.d_obj.1" name="objective">
-                     <prop name="label">SA-15(7)(d)[1]</prop>
-                     <p>defines personnel or roles to whom the output of the tools and results of
-                        the analysis are to be delivered; and</p>
-                  </part>
-                  <part id="sa-15.7.d_obj.2" name="objective">
-                     <prop name="label">SA-15(7)(d)[2]</prop>
-                     <p>requires the developer of the information system, system component, or
-                        information system service to deliver the outputs of the tools and results
-                        of the analysis to organization-defined personnel or roles.</p>
-                  </part>
-                  <link rel="corresp" href="#sa-15.7_smt.d">SA-15(7)(d)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>vulnerability analysis tools and associated documentation</p>
-                  <p>risk assessment reports</p>
-                  <p>vulnerability analysis results</p>
-                  <p>vulnerability mitigation reports</p>
-                  <p>risk mitigation strategy documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel performing automated vulnerability analysis on the
-                     information system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for vulnerability analysis of information systems,
-                     system components, or information system services under development</p>
-                  <p>automated mechanisms supporting and/or implementing vulnerability analysis of
-                     information systems, system components, or information system services under
-                     development</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.8">
-            <title>Reuse of Threat / Vulnerability Information</title>
-            <prop name="label">SA-15(8)</prop>
-            <prop name="sort-id">sa-15.08</prop>
-            <part id="sa-15.8_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to use threat modeling and vulnerability
-                  analyses from similar systems, components, or services to inform the current
-                  development process.</p>
-            </part>
-            <part id="sa-15.8_gdn" name="guidance">
-               <p>Analysis of vulnerabilities found in similar software applications can inform
-                  potential design or implementation issues for information systems under
-                  development. Similar information systems or system components may exist within
-                  developer organizations. Authoritative vulnerability information is available from
-                  a variety of public and private sector sources including, for example, the
-                  National Vulnerability Database.</p>
-            </part>
-            <part id="sa-15.8_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to use threat modeling and
-                  vulnerability analyses from similar systems, components, or services to inform the
-                  current development process.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>threat modeling and vulnerability analyses from similar information systems,
-                     system components, or information system service</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.9">
-            <title>Use of Live Data</title>
-            <prop name="label">SA-15(9)</prop>
-            <prop name="sort-id">sa-15.09</prop>
-            <part id="sa-15.9_smt" name="statement">
-               <p>The organization approves, documents, and controls the use of live data in
-                  development and test environments for the information system, system component, or
-                  information system service.</p>
-            </part>
-            <part id="sa-15.9_gdn" name="guidance">
-               <p>The use of live data in preproduction environments can result in significant risk
-                  to organizations. Organizations can minimize such risk by using test or dummy data
-                  during the development and testing of information systems, information system
-                  components, and information system services.</p>
-            </part>
-            <part id="sa-15.9_obj" name="objective">
-               <p>Determine if the organization, for the information system, system component, or
-                  information system service:</p>
-               <part id="sa-15.9_obj.1" name="objective">
-                  <prop name="label">SA-15(9)[1]</prop>
-                  <p>approves the use of live data in development and test environments;</p>
-               </part>
-               <part id="sa-15.9_obj.2" name="objective">
-                  <prop name="label">SA-15(9)[2]</prop>
-                  <p>documents the use of live data in development and test environments; and</p>
-               </part>
-               <part id="sa-15.9_obj.3" name="objective">
-                  <prop name="label">SA-15(9)[3]</prop>
-                  <p>controls the use of live data in development and test environments.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documentation authorizing use of live data in development and test
-                     environments</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for approving, documenting, and controlling the use of
-                     live data in development and test environments</p>
-                  <p>automated mechanisms supporting and/or implementing the approval,
-                     documentation, and control of the use of live data in development and test
-                     environments</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.10">
-            <title>Incident Response Plan</title>
-            <prop name="label">SA-15(10)</prop>
-            <prop name="sort-id">sa-15.10</prop>
-            <part id="sa-15.10_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to provide an incident response plan.</p>
-            </part>
-            <part id="sa-15.10_gdn" name="guidance">
-               <p>The incident response plan for developers of information systems, system
-                  components, and information system services is incorporated into organizational
-                  incident response plans to provide the type of incident response information not
-                  readily available to organizations. Such information may be extremely helpful, for
-                  example, when organizations respond to vulnerabilities in commercial off-the-shelf
-                  (COTS) information technology products.</p>
-               <link rel="related" href="#ir-8">IR-8</link>
-            </part>
-            <part id="sa-15.10_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to provide an incident response
-                  plan.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, or services</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>developer incident response plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.11">
-            <title>Archive Information System / Component</title>
-            <prop name="label">SA-15(11)</prop>
-            <prop name="sort-id">sa-15.11</prop>
-            <part id="sa-15.11_smt" name="statement">
-               <p>The organization requires the developer of the information system or system
-                  component to archive the system or component to be released or delivered together
-                  with the corresponding evidence supporting the final security review.</p>
-            </part>
-            <part id="sa-15.11_gdn" name="guidance">
-               <p>Archiving relevant documentation from the development process can provide a
-                  readily available baseline of information that can be helpful during information
-                  system/component upgrades or modifications.</p>
-            </part>
-            <part id="sa-15.11_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system or
-                  system component to archive the system or component to be released or delivered
-                  together with the corresponding evidence supporting the final security review.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing development process, standards, and tools</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, or services</p>
-                  <p>acquisition documentation</p>
-                  <p>solicitation documentation</p>
-                  <p>service-level agreements</p>
-                  <p>developer incident response plan</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-16">
-         <title>Developer-provided Training</title>
-         <param id="sa-16_prm_1">
-            <label>organization-defined training</label>
-         </param>
-         <prop name="label">SA-16</prop>
-         <prop name="sort-id">sa-16</prop>
-         <part id="sa-16_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to provide <insert param-id="sa-16_prm_1"/> on the
-               correct use and operation of the implemented security functions, controls, and/or
-               mechanisms.</p>
-         </part>
-         <part id="sa-16_gdn" name="guidance">
-            <p>This control applies to external and internal (in-house) developers. Training of
-               personnel is an essential element to ensure the effectiveness of security controls
-               implemented within organizational information systems. Training options include, for
-               example, classroom-style training, web-based/computer-based training, and hands-on
-               training. Organizations can also request sufficient training materials from
-               developers to conduct in-house training or offer self-training to organizational
-               personnel. Organizations determine the type of training necessary and may require
-               different types of training for different security functions, controls, or
-               mechanisms.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-         </part>
-         <part id="sa-16_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-16_obj.1" name="objective">
-               <prop name="label">SA-16[1]</prop>
-               <p>defines training to be provided by the developer of the information system, system
-                  component, or information system service; and</p>
-            </part>
-            <part id="sa-16_obj.2" name="objective">
-               <prop name="label">SA-16[2]</prop>
-               <p>requires the developer of the information system, system component, or information
-                  system service to provide organization-defined training on the correct use and
-                  operation of the implemented security functions, controls, and/or mechanisms.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing developer-provided training</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>developer-provided training materials</p>
-               <p>training records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information system security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational or third-party developers with training responsibilities for the
-                  information system, system component, or information system service</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-17">
-         <title>Developer Security Architecture and Design</title>
-         <prop name="label">SA-17</prop>
-         <prop name="sort-id">sa-17</prop>
-         <part id="sa-17_smt" name="statement">
-            <p>The organization requires the developer of the information system, system component,
-               or information system service to produce a design specification and security
-               architecture that:</p>
-            <part id="sa-17_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Is consistent with and supportive of the organization’s security architecture
-                  which is established within and is an integrated part of the organization’s
-                  enterprise architecture;</p>
-            </part>
-            <part id="sa-17_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Accurately and completely describes the required security functionality, and the
-                  allocation of security controls among physical and logical components; and</p>
-            </part>
-            <part id="sa-17_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Expresses how individual security functions, mechanisms, and services work
-                  together to provide required security capabilities and a unified approach to
-                  protection.</p>
-            </part>
-         </part>
-         <part id="sa-17_gdn" name="guidance">
-            <p>This control is primarily directed at external developers, although it could also be
-               used for internal (in-house) development. In contrast, PL-8 is primarily directed at
-               internal developers to help ensure that organizations develop an information security
-               architecture and such security architecture is integrated or tightly coupled to the
-               enterprise architecture. This distinction is important if/when organizations
-               outsource the development of information systems, information system components, or
-               information system services to external entities, and there is a requirement to
-               demonstrate consistency with the organization’s enterprise architecture and
-               information security architecture.</p>
-            <link rel="related" href="#pl-8">PL-8</link>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-         </part>
-         <part id="sa-17_obj" name="objective">
-            <p>Determine if the organization requires the developer of the information system,
-               system component, or information system service to produce a design specification and
-               security architecture that:</p>
-            <part id="sa-17.a_obj" name="objective">
-               <prop name="label">SA-17(a)</prop>
-               <p>is consistent with and supportive of the organization’s security architecture
-                  which is established within and is an integrated part of the organization’s
-                  enterprise architecture;</p>
-            </part>
-            <part id="sa-17.b_obj" name="objective">
-               <prop name="label">SA-17(b)</prop>
-               <p>accurately and completely describes:</p>
-               <part id="sa-17.b_obj.1" name="objective">
-                  <prop name="label">SA-17(b)[1]</prop>
-                  <p>the required security functionality;</p>
-               </part>
-               <part id="sa-17.b_obj.2" name="objective">
-                  <prop name="label">SA-17(b)[2]</prop>
-                  <p>the allocation of security controls among physical and logical components;
-                     and</p>
-               </part>
-            </part>
-            <part id="sa-17.c_obj" name="objective">
-               <prop name="label">SA-17(c)</prop>
-               <p>expresses how individual security functions, mechanisms, and services work
-                  together to provide required security capabilities and a unified approach to
-                  protection.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>enterprise architecture policy</p>
-               <p>procedures addressing developer security architecture and design specification for
-                  the information system</p>
-               <p>solicitation documentation</p>
-               <p>acquisition documentation</p>
-               <p>service-level agreements</p>
-               <p>acquisition contracts for the information system, system component, or information
-                  system service</p>
-               <p>design specification and security architecture documentation for the system</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with security architecture and design
-                  responsibilities</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-17.1">
-            <title>Formal Policy Model</title>
-            <param id="sa-17.1_prm_1">
-               <label>organization-defined elements of organizational security policy</label>
-            </param>
-            <prop name="label">SA-17(1)</prop>
-            <prop name="sort-id">sa-17.01</prop>
-            <part id="sa-17.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to:</p>
-               <part id="sa-17.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Produce, as an integral part of the development process, a formal policy model
-                     describing the <insert param-id="sa-17.1_prm_1"/> to be enforced; and</p>
-               </part>
-               <part id="sa-17.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Prove that the formal policy model is internally consistent and sufficient to
-                     enforce the defined elements of the organizational security policy when
-                     implemented.</p>
-               </part>
-            </part>
-            <part id="sa-17.1_gdn" name="guidance">
-               <p>Formal models describe specific behaviors or security policies using formal
-                  languages, thus enabling the correctness of those behaviors/policies to be
-                  formally proven. Not all components of information systems can be modeled, and
-                  generally, formal specifications are scoped to specific behaviors or policies of
-                  interest (e.g., nondiscretionary access control policies). Organizations choose
-                  the particular formal modeling language and approach based on the nature of the
-                  behaviors/policies to be described and the available tools. Formal modeling tools
-                  include, for example, Gypsy and Zed.</p>
-            </part>
-            <part id="sa-17.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-17.1.a_obj" name="objective">
-                  <prop name="label">SA-17(1)(a)</prop>
-                  <part id="sa-17.1.a_obj.1" name="objective">
-                     <prop name="label">SA-17(1)(a)[1]</prop>
-                     <p>defines elements of the organizational security policy to be enforced under
-                        a formal policy model produced by the developer as an integral part of the
-                        development process for the information system, system component, or
-                        information system service;</p>
-                  </part>
-                  <part id="sa-17.1.a_obj.2" name="objective">
-                     <prop name="label">SA-17(1)(a)[2]</prop>
-                     <p>requires the developer of the information system, system component, or
-                        information system service to produce, as an integral part of the
-                        development process, a formal policy model describing the
-                        organization-defined elements of organizational security policy to be
-                        enforced; and</p>
-                  </part>
-                  <link rel="corresp" href="#sa-17.1_smt.a">SA-17(1)(a)</link>
-               </part>
-               <part id="sa-17.1.b_obj" name="objective">
-                  <prop name="label">SA-17(1)(b)</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service to prove that the formal policy model is internally
-                     consistent and sufficient to enforce the defined elements of the organizational
-                     security policy when implemented.</p>
-                  <link rel="corresp" href="#sa-17.1_smt.b">SA-17(1)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>enterprise architecture policy</p>
-                  <p>procedures addressing developer security architecture and design specification
-                     for the information system</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>design specification and security architecture documentation for the system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with security architecture and design
-                     responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.2">
-            <title>Security-relevant Components</title>
-            <prop name="label">SA-17(2)</prop>
-            <prop name="sort-id">sa-17.02</prop>
-            <part id="sa-17.2_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to:</p>
-               <part id="sa-17.2_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Define security-relevant hardware, software, and firmware; and</p>
-               </part>
-               <part id="sa-17.2_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Provide a rationale that the definition for security-relevant hardware,
-                     software, and firmware is complete.</p>
-               </part>
-            </part>
-            <part id="sa-17.2_gdn" name="guidance">
-               <p>Security-relevant hardware, software, and firmware represent the portion of the
-                  information system, component, or service that must be trusted to perform
-                  correctly in order to maintain required security properties.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-17.2_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to:</p>
-               <part id="sa-17.2.a_obj" name="objective">
-                  <prop name="label">SA-17(2)(a)</prop>
-                  <part id="sa-17.2.a_obj.1" name="objective">
-                     <prop name="label">SA-17(2)(a)[1]</prop>
-                     <p>define security-relevant hardware;</p>
-                  </part>
-                  <part id="sa-17.2.a_obj.2" name="objective">
-                     <prop name="label">SA-17(2)(a)[2]</prop>
-                     <p>define security-relevant software;</p>
-                  </part>
-                  <part id="sa-17.2.a_obj.3" name="objective">
-                     <prop name="label">SA-17(2)(a)[3]</prop>
-                     <p>define security-relevant firmware; and</p>
-                  </part>
-                  <link rel="corresp" href="#sa-17.2_smt.a">SA-17(2)(a)</link>
-               </part>
-               <part id="sa-17.2.b_obj" name="objective">
-                  <prop name="label">SA-17(2)(b)</prop>
-                  <p>provide a rationale that the definition for security-relevant hardware,
-                     software, and firmware components is complete.</p>
-                  <link rel="corresp" href="#sa-17.2_smt.b">SA-17(2)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>enterprise architecture policy</p>
-                  <p>procedures addressing developer security architecture and design specification
-                     for the information system</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>list of security-relevant hardware, software, and firmware components</p>
-                  <p>documented rationale of completeness regarding definitions provided for
-                     security-relevant hardware, software, and firmware</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel with security architecture and design
-                     responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.3">
-            <title>Formal Correspondence</title>
-            <prop name="label">SA-17(3)</prop>
-            <prop name="sort-id">sa-17.03</prop>
-            <part id="sa-17.3_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to:</p>
-               <part id="sa-17.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Produce, as an integral part of the development process, a formal top-level
-                     specification that specifies the interfaces to security-relevant hardware,
-                     software, and firmware in terms of exceptions, error messages, and effects;</p>
-               </part>
-               <part id="sa-17.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Show via proof to the extent feasible with additional informal demonstration as
-                     necessary, that the formal top-level specification is consistent with the
-                     formal policy model;</p>
-               </part>
-               <part id="sa-17.3_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Show via informal demonstration, that the formal top-level specification
-                     completely covers the interfaces to security-relevant hardware, software, and
-                     firmware;</p>
-               </part>
-               <part id="sa-17.3_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Show that the formal top-level specification is an accurate description of the
-                     implemented security-relevant hardware, software, and firmware; and</p>
-               </part>
-               <part id="sa-17.3_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Describe the security-relevant hardware, software, and firmware mechanisms not
-                     addressed in the formal top-level specification but strictly internal to the
-                     security-relevant hardware, software, and firmware.</p>
-               </part>
-            </part>
-            <part id="sa-17.3_gdn" name="guidance">
-               <p>Correspondence is an important part of the assurance gained through modeling. It
-                  demonstrates that the implementation is an accurate transformation of the model,
-                  and that any additional code or implementation details present have no impact on
-                  the behaviors or policies being modeled. Formal methods can be used to show that
-                  the high-level security properties are satisfied by the formal information system
-                  description, and that the formal system description is correctly implemented by a
-                  description of some lower level, for example a hardware description. Consistency
-                  between the formal top-level specification and the formal policy models is
-                  generally not amenable to being fully proven. Therefore, a combination of
-                  formal/informal methods may be needed to show such consistency. Consistency
-                  between the formal top-level specification and the implementation may require the
-                  use of an informal demonstration due to limitations in the applicability of formal
-                  methods to prove that the specification accurately reflects the implementation.
-                  Hardware, software, and firmware mechanisms strictly internal to security-relevant
-                  hardware, software, and firmware include, for example, mapping registers and
-                  direct memory input/output.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-17.3_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to:</p>
-               <part id="sa-17.3.a_obj" name="objective">
-                  <prop name="label">SA-17(3)(a)</prop>
-                  <p>produce, as an integral part of the development process, a formal top-level
-                     specification that specifies the interfaces to security-relevant hardware,
-                     software, and firmware in terms of:</p>
-                  <part id="sa-17.3.a_obj.1" name="objective">
-                     <prop name="label">SA-17(3)(a)[1]</prop>
-                     <p>exceptions;</p>
-                  </part>
-                  <part id="sa-17.3.a_obj.2" name="objective">
-                     <prop name="label">SA-17(3)(a)[2]</prop>
-                     <p>error messages;</p>
-                  </part>
-                  <part id="sa-17.3.a_obj.3" name="objective">
-                     <prop name="label">SA-17(3)(a)[3]</prop>
-                     <p>effects;</p>
-                  </part>
-                  <link rel="corresp" href="#sa-17.3_smt.a">SA-17(3)(a)</link>
-               </part>
-               <part id="sa-17.3.b_obj" name="objective">
-                  <prop name="label">SA-17(3)(b)</prop>
-                  <p>show via proof to the extent feasible with additional informal demonstration as
-                     necessary, that the formal top-level specification is consistent with the
-                     formal policy model;</p>
-                  <link rel="corresp" href="#sa-17.3_smt.b">SA-17(3)(b)</link>
-               </part>
-               <part id="sa-17.3.c_obj" name="objective">
-                  <prop name="label">SA-17(3)(c)</prop>
-                  <p>show via informal demonstration, that the formal top-level specification
-                     completely covers the interfaces to security-relevant hardware, software, and
-                     firmware;</p>
-                  <link rel="corresp" href="#sa-17.3_smt.c">SA-17(3)(c)</link>
-               </part>
-               <part id="sa-17.3.d_obj" name="objective">
-                  <prop name="label">SA-17(3)(d)</prop>
-                  <p>show that the formal top-level specification is an accurate description of the
-                     implemented security-relevant hardware, software, and firmware; and</p>
-                  <link rel="corresp" href="#sa-17.3_smt.d">SA-17(3)(d)</link>
-               </part>
-               <part id="sa-17.3.e_obj" name="objective">
-                  <prop name="label">SA-17(3)(e)</prop>
-                  <p>describe the security-relevant hardware, software, and firmware mechanisms not
-                     addressed in the formal top-level specification but strictly internal to the
-                     security-relevant hardware, software, and firmware.</p>
-                  <link rel="corresp" href="#sa-17.3_smt.e">SA-17(3)(e)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>enterprise architecture policy</p>
-                  <p>formal policy model</p>
-                  <p>procedures addressing developer security architecture and design specification
-                     for the information system</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>formal top-level specification documentation</p>
-                  <p>information system security architecture and design documentation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documentation describing security-relevant hardware, software and firmware
-                     mechanisms not addressed in the formal top-level specification
-                     documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with security architecture and design
-                     responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.4">
-            <title>Informal Correspondence</title>
-            <param id="sa-17.4_prm_1">
-               <select>
-                  <choice>informal demonstration, convincing argument with formal methods as
-                     feasible</choice>
-               </select>
-            </param>
-            <prop name="label">SA-17(4)</prop>
-            <prop name="sort-id">sa-17.04</prop>
-            <part id="sa-17.4_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to:</p>
-               <part id="sa-17.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Produce, as an integral part of the development process, an informal
-                     descriptive top-level specification that specifies the interfaces to
-                     security-relevant hardware, software, and firmware in terms of exceptions,
-                     error messages, and effects;</p>
-               </part>
-               <part id="sa-17.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Show via <insert param-id="sa-17.4_prm_1"/> that the descriptive top-level
-                     specification is consistent with the formal policy model;</p>
-               </part>
-               <part id="sa-17.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Show via informal demonstration, that the descriptive top-level specification
-                     completely covers the interfaces to security-relevant hardware, software, and
-                     firmware;</p>
-               </part>
-               <part id="sa-17.4_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Show that the descriptive top-level specification is an accurate description of
-                     the interfaces to security-relevant hardware, software, and firmware; and</p>
-               </part>
-               <part id="sa-17.4_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Describe the security-relevant hardware, software, and firmware mechanisms not
-                     addressed in the descriptive top-level specification but strictly internal to
-                     the security-relevant hardware, software, and firmware.</p>
-               </part>
-            </part>
-            <part id="sa-17.4_gdn" name="guidance">
-               <p>Correspondence is an important part of the assurance gained through modeling. It
-                  demonstrates that the implementation is an accurate transformation of the model,
-                  and that any additional code or implementation details present has no impact on
-                  the behaviors or policies being modeled. Consistency between the descriptive
-                  top-level specification (i.e., high-level/low-level design) and the formal policy
-                  model is generally not amenable to being fully proven. Therefore, a combination of
-                  formal/informal methods may be needed to show such consistency. Hardware,
-                  software, and firmware mechanisms strictly internal to security-relevant hardware,
-                  software, and firmware include, for example, mapping registers and direct memory
-                  input/output.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="sa-17.4_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to:</p>
-               <part id="sa-17.4.a_obj" name="objective">
-                  <prop name="label">SA-17(4)(a)</prop>
-                  <p>produce, as an integral part of the development process, an informal
-                     descriptive top-level specification that specifies the interfaces to
-                     security-relevant hardware, software, and firmware in terms of:</p>
-                  <part id="sa-17.4.a_obj.1" name="objective">
-                     <prop name="label">SA-17(4)(a)[1]</prop>
-                     <p>exceptions;</p>
-                  </part>
-                  <part id="sa-17.4.a_obj.2" name="objective">
-                     <prop name="label">SA-17(4)(a)[2]</prop>
-                     <p>error messages;</p>
-                  </part>
-                  <part id="sa-17.4.a_obj.3" name="objective">
-                     <prop name="label">SA-17(4)(a)[3]</prop>
-                     <p>effects;</p>
-                  </part>
-                  <link rel="corresp" href="#sa-17.4_smt.a">SA-17(4)(a)</link>
-               </part>
-               <part id="sa-17.4.b_obj" name="objective">
-                  <prop name="label">SA-17(4)(b)</prop>
-                  <p>show via informal demonstration and/or convincing argument with formal methods
-                     as feasible that the descriptive top-level specification is consistent with the
-                     formal policy model;</p>
-                  <link rel="corresp" href="#sa-17.4_smt.b">SA-17(4)(b)</link>
-               </part>
-               <part id="sa-17.4.c_obj" name="objective">
-                  <prop name="label">SA-17(4)(c)</prop>
-                  <p>show via informal demonstration, that the descriptive top-level specification
-                     completely covers the interfaces to security-relevant hardware, software, and
-                     firmware;</p>
-                  <link rel="corresp" href="#sa-17.4_smt.c">SA-17(4)(c)</link>
-               </part>
-               <part id="sa-17.4.d_obj" name="objective">
-                  <prop name="label">SA-17(4)(d)</prop>
-                  <p>show that the descriptive top-level specification is an accurate description of
-                     the interfaces to the security-relevant hardware, software, and firmware;
-                     and</p>
-                  <link rel="corresp" href="#sa-17.4_smt.d">SA-17(4)(d)</link>
-               </part>
-               <part id="sa-17.4.e_obj" name="objective">
-                  <prop name="label">SA-17(4)(e)</prop>
-                  <p>describe the security-relevant hardware, software, and firmware mechanisms not
-                     addressed in the descriptive top-level specification but strictly internal to
-                     the security-relevant hardware, software, and firmware.</p>
-                  <link rel="corresp" href="#sa-17.4_smt.e">SA-17(4)(e)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>enterprise architecture policy</p>
-                  <p>formal policy model</p>
-                  <p>procedures addressing developer security architecture and design specification
-                     for the information system</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>informal descriptive top-level specification documentation</p>
-                  <p>information system security architecture and design documentation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documentation describing security-relevant hardware, software and firmware
-                     mechanisms not addressed in the informal descriptive top-level specification
-                     documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with security architecture and design
-                     responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.5">
-            <title>Conceptually Simple Design</title>
-            <prop name="label">SA-17(5)</prop>
-            <prop name="sort-id">sa-17.05</prop>
-            <part id="sa-17.5_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to:</p>
-               <part id="sa-17.5_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Design and structure the security-relevant hardware, software, and firmware to
-                     use a complete, conceptually simple protection mechanism with precisely defined
-                     semantics; and</p>
-               </part>
-               <part id="sa-17.5_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Internally structure the security-relevant hardware, software, and firmware
-                     with specific regard for this mechanism.</p>
-               </part>
-            </part>
-            <part id="sa-17.5_gdn" name="guidance">
-               <link rel="related" href="#sc-3">SC-3</link>
-            </part>
-            <part id="sa-17.5_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to:</p>
-               <part id="sa-17.5.a_obj" name="objective">
-                  <prop name="label">SA-17(5)(a)</prop>
-                  <p>design and structure the security-relevant hardware, software, and firmware to
-                     use a complete, conceptually simple protection mechanism with precisely defined
-                     semantics; and</p>
-                  <link rel="corresp" href="#sa-17.5_smt.a">SA-17(5)(a)</link>
-               </part>
-               <part id="sa-17.5.b_obj" name="objective">
-                  <prop name="label">SA-17(5)(b)</prop>
-                  <p>internally structure the security-relevant hardware, software, and firmware
-                     with specific regard for this mechanism.</p>
-                  <link rel="corresp" href="#sa-17.5_smt.b">SA-17(5)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>enterprise architecture policy</p>
-                  <p>procedures addressing developer security architecture and design specification
-                     for the information system</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>information system design documentation</p>
-                  <p>information system security architecture documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>developer documentation describing design and structure of security-relevant
-                     hardware, software, and firmware components</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with security architecture and design
-                     responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.6">
-            <title>Structure for Testing</title>
-            <prop name="label">SA-17(6)</prop>
-            <prop name="sort-id">sa-17.06</prop>
-            <part id="sa-17.6_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to structure security-relevant hardware,
-                  software, and firmware to facilitate testing.</p>
-            </part>
-            <part id="sa-17.6_gdn" name="guidance">
-               <link rel="related" href="#sa-11">SA-11</link>
-            </part>
-            <part id="sa-17.6_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to structure security-relevant
-                  hardware, software, and firmware to facilitate testing.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>enterprise architecture policy</p>
-                  <p>procedures addressing developer security architecture and design specification
-                     for the information system</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>information system design documentation</p>
-                  <p>information system security architecture documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>developer documentation describing design and structure of security-relevant
-                     hardware, software, and firmware components to facilitate testing</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with security architecture and design
-                     responsibilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.7">
-            <title>Structure for Least Privilege</title>
-            <prop name="label">SA-17(7)</prop>
-            <prop name="sort-id">sa-17.07</prop>
-            <part id="sa-17.7_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service to structure security-relevant hardware,
-                  software, and firmware to facilitate controlling access with least privilege.</p>
-            </part>
-            <part id="sa-17.7_gdn" name="guidance">
-               <link rel="related" href="#ac-5">AC-5</link>
-               <link rel="related" href="#ac-6">AC-6</link>
-            </part>
-            <part id="sa-17.7_obj" name="objective">
-               <p>Determine if the organization requires the developer of the information system,
-                  system component, or information system service to structure security-relevant
-                  hardware, software, and firmware to facilitate controlling access with least
-                  privilege.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>enterprise architecture policy</p>
-                  <p>procedures addressing developer security architecture and design specification
-                     for the information system</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>service-level agreements</p>
-                  <p>acquisition contracts for the information system, system component, or
-                     information system service</p>
-                  <p>information system design documentation</p>
-                  <p>information system security architecture documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>developer documentation describing design and structure of security-relevant
-                     hardware, software, and firmware components to facilitate controlling access
-                     with least privilege</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with security architecture and design
-                     responsibilities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-18">
-         <title>Tamper Resistance and Detection</title>
-         <prop name="label">SA-18</prop>
-         <prop name="sort-id">sa-18</prop>
-         <part id="sa-18_smt" name="statement">
-            <p>The organization implements a tamper protection program for the information system,
-               system component, or information system service.</p>
-         </part>
-         <part id="sa-18_gdn" name="guidance">
-            <p>Anti-tamper technologies and techniques provide a level of protection for critical
-               information systems, system components, and information technology products against a
-               number of related threats including modification, reverse engineering, and
-               substitution. Strong identification combined with tamper resistance and/or tamper
-               detection is essential to protecting information systems, components, and products
-               during distribution and when in use.</p>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sa-18_obj" name="objective">
-            <p>Determine if the organization implements a tamper protection program for the
-               information system, system component, or information system service.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing tamper resistance and detection</p>
-               <p>tamper protection program documentation</p>
-               <p>tamper protection tools and techniques documentation</p>
-               <p>tamper resistance and detection tools and techniques documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for the tamper protection program</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for implementation of the tamper protection program</p>
-               <p>automated mechanisms supporting and/or implementing the tamper protection
-                  program</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-18.1">
-            <title>Multiple Phases of SDLC</title>
-            <prop name="label">SA-18(1)</prop>
-            <prop name="sort-id">sa-18.01</prop>
-            <part id="sa-18.1_smt" name="statement">
-               <p>The organization employs anti-tamper technologies and techniques during multiple
-                  phases in the system development life cycle including design, development,
-                  integration, operations, and maintenance.</p>
-            </part>
-            <part id="sa-18.1_gdn" name="guidance">
-               <p>Organizations use a combination of hardware and software techniques for tamper
-                  resistance and detection. Organizations employ obfuscation and self-checking, for
-                  example, to make reverse engineering and modifications more difficult,
-                  time-consuming, and expensive for adversaries. Customization of information
-                  systems and system components can make substitutions easier to detect and
-                  therefore limit damage.</p>
-               <link rel="related" href="#sa-3">SA-3</link>
-            </part>
-            <part id="sa-18.1_obj" name="objective">
-               <p>Determine if the organization employs anti-tamper technologies and techniques
-                  during multiple phases in the system development life cycle including:</p>
-               <part id="sa-18.1_obj.1" name="objective">
-                  <prop name="label">SA-18(1)[1]</prop>
-                  <p>design;</p>
-               </part>
-               <part id="sa-18.1_obj.2" name="objective">
-                  <prop name="label">SA-18(1)[2]</prop>
-                  <p>development;</p>
-               </part>
-               <part id="sa-18.1_obj.3" name="objective">
-                  <prop name="label">SA-18(1)[3]</prop>
-                  <p>integration;</p>
-               </part>
-               <part id="sa-18.1_obj.4" name="objective">
-                  <prop name="label">SA-18(1)[4]</prop>
-                  <p>operations; and</p>
-               </part>
-               <part id="sa-18.1_obj.5" name="objective">
-                  <prop name="label">SA-18(1)[5]</prop>
-                  <p>maintenance.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing tamper resistance and detection</p>
-                  <p>tamper protection program documentation</p>
-                  <p>tamper protection tools and techniques documentation</p>
-                  <p>tamper resistance and detection tools (technologies) and techniques
-                     documentation</p>
-                  <p>system development life cycle documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for the tamper protection
-                     program</p>
-                  <p>organizational personnel with SDLC responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for employing anti-tamper technologies</p>
-                  <p>automated mechanisms supporting and/or implementing anti-tamper
-                     technologies</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-18.2">
-            <title>Inspection of Information Systems, Components, or Devices</title>
-            <param id="sa-18.2_prm_1">
-               <label>organization-defined information systems, system components, or
-                  devices</label>
-            </param>
-            <param id="sa-18.2_prm_2">
-               <select how-many="one or more">
-                  <choice>at random</choice>
-                  <choice>at <insert param-id="sa-18.2_prm_3"/>, upon <insert param-id="sa-18.2_prm_4"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="sa-18.2_prm_3" depends-on="sa-18.2_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="sa-18.2_prm_4" depends-on="sa-18.2_prm_2">
-               <label>organization-defined indications of need for inspection</label>
-            </param>
-            <prop name="label">SA-18(2)</prop>
-            <prop name="sort-id">sa-18.02</prop>
-            <part id="sa-18.2_smt" name="statement">
-               <p>The organization inspects <insert param-id="sa-18.2_prm_1"/>
-                  <insert param-id="sa-18.2_prm_2"/> to detect tampering.</p>
-            </part>
-            <part id="sa-18.2_gdn" name="guidance">
-               <p>This control enhancement addresses both physical and logical tampering and is
-                  typically applied to mobile devices, notebook computers, or other system
-                  components taken out of organization-controlled areas. Indications of need for
-                  inspection include, for example, when individuals return from travel to high-risk
-                  locations.</p>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="sa-18.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-18.2_obj.1" name="objective">
-                  <prop name="label">SA-18(2)[1]</prop>
-                  <p>defines information systems, system components, or devices to be inspected to
-                     detect tampering;</p>
-               </part>
-               <part id="sa-18.2_obj.2" name="objective">
-                  <prop name="label">SA-18(2)[2]</prop>
-                  <p>defines the frequency to inspect organization-defined information systems,
-                     system components, or devices to detect tampering;</p>
-               </part>
-               <part id="sa-18.2_obj.3" name="objective">
-                  <prop name="label">SA-18(2)[3]</prop>
-                  <p>defines indications of need for inspection of organization-defined information
-                     systems, system components, or devices to detect tampering;</p>
-               </part>
-               <part id="sa-18.2_obj.4" name="objective">
-                  <prop name="label">SA-18(2)[4]</prop>
-                  <p>inspects organization-defined information systems, system components, or
-                     devices to detect tampering, selecting one or more of the following:</p>
-                  <part id="sa-18.2_obj.4.a" name="objective">
-                     <prop name="label">SA-18(2)[4][a]</prop>
-                     <p>at random;</p>
-                  </part>
-                  <part id="sa-18.2_obj.4.b" name="objective">
-                     <prop name="label">SA-18(2)[4][b]</prop>
-                     <p>with the organization-defined frequency; and/or</p>
-                  </part>
-                  <part id="sa-18.2_obj.4.c" name="objective">
-                     <prop name="label">SA-18(2)[4][c]</prop>
-                     <p>upon organization-defined indications of need for inspection.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing tamper resistance and detection</p>
-                  <p>records of random inspections</p>
-                  <p>inspection reports/results</p>
-                  <p>assessment reports/results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for the tamper protection
-                     program</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for inspecting information systems, system components,
-                     or devices to detect tampering</p>
-                  <p>automated mechanisms supporting and/or implementing tampering detection</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-19">
-         <title>Component Authenticity</title>
-         <param id="sa-19_prm_1">
-            <select how-many="one or more">
-               <choice>source of counterfeit component</choice>
-               <choice>
-                  <insert param-id="sa-19_prm_2"/>
-               </choice>
-               <choice>
-                  <insert param-id="sa-19_prm_3"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sa-19_prm_2" depends-on="sa-19_prm_1">
-            <label>organization-defined external reporting organizations</label>
-         </param>
-         <param id="sa-19_prm_3" depends-on="sa-19_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SA-19</prop>
-         <prop name="sort-id">sa-19</prop>
-         <part id="sa-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and implements anti-counterfeit policy and procedures that include the
-                  means to detect and prevent counterfeit components from entering the information
-                  system; and</p>
-            </part>
-            <part id="sa-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reports counterfeit information system components to <insert param-id="sa-19_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="sa-19_gdn" name="guidance">
-            <p>Sources of counterfeit components include, for example, manufacturers, developers,
-               vendors, and contractors. Anti-counterfeiting policy and procedures support tamper
-               resistance and provide a level of protection against the introduction of malicious
-               code. External reporting organizations include, for example, US-CERT.</p>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sa-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-19.a_obj" name="objective">
-               <prop name="label">SA-19(a)</prop>
-               <p>develops and implements anti-counterfeit policy and procedures that include the
-                  means to detect and prevent counterfeit components from entering the information
-                  system;</p>
-            </part>
-            <part id="sa-19.b_obj" name="objective">
-               <prop name="label">SA-19(b)</prop>
-               <part id="sa-19.b_obj.1" name="objective">
-                  <prop name="label">SA-19(b)[1]</prop>
-                  <p>defines external reporting organizations to whom counterfeit information system
-                     components are to be reported;</p>
-               </part>
-               <part id="sa-19.b_obj.2" name="objective">
-                  <prop name="label">SA-19(b)[2]</prop>
-                  <p>defines personnel or roles to whom counterfeit information system components
-                     are to be reported;</p>
-               </part>
-               <part id="sa-19.b_obj.3" name="objective">
-                  <prop name="label">SA-19(b)[3]</prop>
-                  <p>reports counterfeit information system components to one or more of the
-                     following:</p>
-                  <part id="sa-19.b_obj.3.a" name="objective">
-                     <prop name="label">SA-19(b)[3][a]</prop>
-                     <p>the source of counterfeit component;</p>
-                  </part>
-                  <part id="sa-19.b_obj.3.b" name="objective">
-                     <prop name="label">SA-19(b)[3][b]</prop>
-                     <p>the organization-defined external reporting organizations; and/or</p>
-                  </part>
-                  <part id="sa-19.b_obj.3.c" name="objective">
-                     <prop name="label">SA-19(b)[3][c]</prop>
-                     <p>the organization-defined personnel or roles.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>anti-counterfeit policy and procedures</p>
-               <p>media disposal policy</p>
-               <p>media protection policy</p>
-               <p>incident response policy</p>
-               <p>training materials addressing counterfeit information system components</p>
-               <p>training records on detection and prevention of counterfeit components from
-                  entering the information system</p>
-               <p>reports notifying developers/manufacturers/vendors/ contractors and/or external
-                  reporting organizations of counterfeit information system components</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for anti-counterfeit policy,
-                  procedures, and reporting</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for anti-counterfeit detection, prevention, and
-                  reporting</p>
-               <p>automated mechanisms supporting and/or implementing anti-counterfeit detection,
-                  prevention, and reporting</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-19.1">
-            <title>Anti-counterfeit Training</title>
-            <param id="sa-19.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SA-19(1)</prop>
-            <prop name="sort-id">sa-19.01</prop>
-            <part id="sa-19.1_smt" name="statement">
-               <p>The organization trains <insert param-id="sa-19.1_prm_1"/> to detect counterfeit
-                  information system components (including hardware, software, and firmware).</p>
-            </part>
-            <part id="sa-19.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-19.1_obj.1" name="objective">
-                  <prop name="label">SA-19(1)[1]</prop>
-                  <p>defines personnel or roles to be trained to detect counterfeit information
-                     system components (including hardware, software, and firmware); and</p>
-               </part>
-               <part id="sa-19.1_obj.2" name="objective">
-                  <prop name="label">SA-19(1)[2]</prop>
-                  <p>trains organization-defined personnel or roles to detect counterfeit
-                     information system components (including hardware, software, and firmware).</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>anti-counterfeit policy and procedures</p>
-                  <p>media disposal policy</p>
-                  <p>media protection policy</p>
-                  <p>incident response policy</p>
-                  <p>training materials addressing counterfeit information system components</p>
-                  <p>training records on detection of counterfeit information system components</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for anti-counterfeit policy,
-                     procedures, and training</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for anti-counterfeit training</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-19.2">
-            <title>Configuration Control for Component Service / Repair</title>
-            <param id="sa-19.2_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SA-19(2)</prop>
-            <prop name="sort-id">sa-19.02</prop>
-            <part id="sa-19.2_smt" name="statement">
-               <p>The organization maintains configuration control over <insert param-id="sa-19.2_prm_1"/> awaiting service/repair and serviced/repaired
-                  components awaiting return to service.</p>
-            </part>
-            <part id="sa-19.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-19.2_obj.1" name="objective">
-                  <prop name="label">SA-19(2)[1]</prop>
-                  <p>defines information system components requiring configuration control to be
-                     maintained when awaiting service/repair;</p>
-               </part>
-               <part id="sa-19.2_obj.2" name="objective">
-                  <prop name="label">SA-19(2)[2]</prop>
-                  <p>defines information system components requiring configuration control to be
-                     maintained when awaiting return to service; and</p>
-               </part>
-               <part id="sa-19.2_obj.3" name="objective">
-                  <prop name="label">SA-19(2)[3]</prop>
-                  <p>maintains configuration control over organization-defined information system
-                     components awaiting service/repairs and serviced/repaired components awaiting
-                     return to service.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>anti-counterfeit policy and procedures</p>
-                  <p>media protection policy</p>
-                  <p>configuration management plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>configuration control records for components awaiting service/repair</p>
-                  <p>configuration control records for serviced/repaired components awaiting return
-                     to service</p>
-                  <p>information system maintenance records</p>
-                  <p>information system audit records</p>
-                  <p>inventory management records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for anti-counterfeit policy and
-                     procedures</p>
-                  <p>organizational personnel with responsibility for configuration management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for configuration management</p>
-                  <p>automated mechanisms supporting and/or implementing configuration
-                     management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-19.3">
-            <title>Component Disposal</title>
-            <param id="sa-19.3_prm_1">
-               <label>organization-defined techniques and methods</label>
-            </param>
-            <prop name="label">SA-19(3)</prop>
-            <prop name="sort-id">sa-19.03</prop>
-            <part id="sa-19.3_smt" name="statement">
-               <p>The organization disposes of information system components using <insert param-id="sa-19.3_prm_1"/>.</p>
-            </part>
-            <part id="sa-19.3_gdn" name="guidance">
-               <p>Proper disposal of information system components helps to prevent such components
-                  from entering the gray market.</p>
-            </part>
-            <part id="sa-19.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-19.3_obj.1" name="objective">
-                  <prop name="label">SA-19(3)[1]</prop>
-                  <p>defines techniques and methods to dispose of information system components;
-                     and</p>
-               </part>
-               <part id="sa-19.3_obj.2" name="objective">
-                  <prop name="label">SA-19(3)[2]</prop>
-                  <p>disposes of information system components using organization-defined techniques
-                     and methods.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>anti-counterfeit policy and procedures</p>
-                  <p>media disposal policy</p>
-                  <p>media protection policy</p>
-                  <p>disposal records for information system components</p>
-                  <p>documentation of disposal techniques and methods employed for information
-                     system components</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for anti-counterfeit policy and
-                     procedures</p>
-                  <p>organizational personnel with responsibility for disposal of information system
-                     components</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational techniques and methods for information system component
-                     disposal</p>
-                  <p>automated mechanisms supporting and/or implementing system component
-                     disposal</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-19.4">
-            <title>Anti-counterfeit Scanning</title>
-            <param id="sa-19.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SA-19(4)</prop>
-            <prop name="sort-id">sa-19.04</prop>
-            <part id="sa-19.4_smt" name="statement">
-               <p>The organization scans for counterfeit information system components <insert param-id="sa-19.4_prm_1"/>.</p>
-            </part>
-            <part id="sa-19.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-19.4_obj.1" name="objective">
-                  <prop name="label">SA-19(4)[1]</prop>
-                  <p>defines a frequency to scan for counterfeit information system components;
-                     and</p>
-               </part>
-               <part id="sa-19.4_obj.2" name="objective">
-                  <prop name="label">SA-19(4)[2]</prop>
-                  <p>scans for counterfeit information system components with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>anti-counterfeit policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>scanning tools and associated documentation</p>
-                  <p>scanning results</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for anti-counterfeit policy and
-                     procedures</p>
-                  <p>organizational personnel with responsibility for anti-counterfeit scanning</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for anti-counterfeit scanning</p>
-                  <p>automated mechanisms supporting and/or implementing anti-counterfeit
-                     scanning</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-20">
-         <title>Customized Development of Critical Components</title>
-         <param id="sa-20_prm_1">
-            <label>organization-defined critical information system components</label>
-         </param>
-         <prop name="label">SA-20</prop>
-         <prop name="sort-id">sa-20</prop>
-         <part id="sa-20_smt" name="statement">
-            <p>The organization re-implements or custom develops <insert param-id="sa-20_prm_1"/>.</p>
-         </part>
-         <part id="sa-20_gdn" name="guidance">
-            <p>Organizations determine that certain information system components likely cannot be
-               trusted due to specific threats to and vulnerabilities in those components, and for
-               which there are no viable security controls to adequately mitigate the resulting
-               risk. Re-implementation or custom development of such components helps to satisfy
-               requirements for higher assurance. This is accomplished by initiating changes to
-               system components (including hardware, software, and firmware) such that the standard
-               attacks by adversaries are less likely to succeed. In situations where no alternative
-               sourcing is available and organizations choose not to re-implement or custom develop
-               critical information system components, additional safeguards can be employed (e.g.,
-               enhanced auditing, restrictions on source code and system utility access, and
-               protection from deletion of system and application files.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-14">SA-14</link>
-         </part>
-         <part id="sa-20_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-20_obj.1" name="objective">
-               <prop name="label">SA-20[1]</prop>
-               <p>defines critical information system components to be re-implemented or custom
-                  developed; and</p>
-            </part>
-            <part id="sa-20_obj.2" name="objective">
-               <prop name="label">SA-20[2]</prop>
-               <p>re-implements or custom develops organization-defined information system
-                  components.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing customized development of critical information system
-                  components</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>system development life cycle documentation addressing custom development of
-                  critical information system components</p>
-               <p>configuration management records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility re-implementation or customized
-                  development of critical information system components</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for re-implementing or customized development of critical
-                  information system components</p>
-               <p>automated mechanisms supporting and/or implementing re-implementation or
-                  customized development of critical information system components</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-21">
-         <title>Developer Screening</title>
-         <param id="sa-21_prm_1">
-            <label>organization-defined information system, system component, or information system
-               service</label>
-         </param>
-         <param id="sa-21_prm_2">
-            <label>organization-defined official government duties</label>
-         </param>
-         <param id="sa-21_prm_3">
-            <label>organization-defined additional personnel screening criteria</label>
-         </param>
-         <prop name="label">SA-21</prop>
-         <prop name="sort-id">sa-21</prop>
-         <part id="sa-21_smt" name="statement">
-            <p>The organization requires that the developer of <insert param-id="sa-21_prm_1"/>:</p>
-            <part id="sa-21_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Have appropriate access authorizations as determined by assigned <insert param-id="sa-21_prm_2"/>; and</p>
-            </part>
-            <part id="sa-21_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Satisfy <insert param-id="sa-21_prm_3"/>.</p>
-            </part>
-         </part>
-         <part id="sa-21_gdn" name="guidance">
-            <p>Because the information system, system component, or information system service may
-               be employed in critical activities essential to the national and/or economic security
-               interests of the United States, organizations have a strong interest in ensuring that
-               the developer is trustworthy. The degree of trust required of the developer may need
-               to be consistent with that of the individuals accessing the information
-               system/component/service once deployed. Examples of authorization and personnel
-               screening criteria include clearance, satisfactory background checks, citizenship,
-               and nationality. Trustworthiness of developers may also include a review and analysis
-               of company ownership and any relationships the company has with entities potentially
-               affecting the quality/reliability of the systems, components, or services being
-               developed.</p>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-7">PS-7</link>
-         </part>
-         <part id="sa-21_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-21_obj.1" name="objective">
-               <prop name="label">SA-21[1]</prop>
-               <p>defines the information system, system component, or information system service
-                  for which the developer is to be screened;</p>
-            </part>
-            <part id="sa-21_obj.2" name="objective">
-               <prop name="label">SA-21[2]</prop>
-               <p>defines official government duties to be used to determine appropriate access
-                  authorizations for the developer;</p>
-            </part>
-            <part id="sa-21_obj.3" name="objective">
-               <prop name="label">SA-21[3]</prop>
-               <p>defines additional personnel screening criteria to be satisfied by the
-                  developer;</p>
-            </part>
-            <part id="sa-21_obj.4" name="objective">
-               <prop name="label">SA-21[4]</prop>
-               <part id="sa-21_obj.4.a" name="objective">
-                  <prop name="label">SA-21[4][a]</prop>
-                  <p>requires that the developer of organization-defined information system, system
-                     component, or information system service have appropriate access authorizations
-                     as determined by assigned organization-defined official government duties;
-                     and</p>
-               </part>
-               <part id="sa-21_obj.4.b" name="objective">
-                  <prop name="label">SA-21[4][b]</prop>
-                  <p>requires that the developer of organization-defined information system, system
-                     component, or information system service satisfy organization-defined
-                     additional personnel screening criteria.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>personnel security policy and procedures</p>
-               <p>procedures addressing personnel screening</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of appropriate access authorizations required by developers of the
-                  information system</p>
-               <p>personnel screening criteria and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for developer screening</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developer screening</p>
-               <p>automated mechanisms supporting developer screening</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-21.1">
-            <title>Validation of Screening</title>
-            <param id="sa-21.1_prm_1">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">SA-21(1)</prop>
-            <prop name="sort-id">sa-21.01</prop>
-            <part id="sa-21.1_smt" name="statement">
-               <p>The organization requires the developer of the information system, system
-                  component, or information system service take <insert param-id="sa-21.1_prm_1"/>
-                  to ensure that the required access authorizations and screening criteria are
-                  satisfied.</p>
-            </part>
-            <part id="sa-21.1_gdn" name="guidance">
-               <p>Satisfying required access authorizations and personnel screening criteria
-                  includes, for example, providing a listing of all the individuals authorized to
-                  perform development activities on the selected information system, system
-                  component, or information system service so that organizations can validate that
-                  the developer has satisfied the necessary authorization and screening
-                  requirements.</p>
-            </part>
-            <part id="sa-21.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-21.1_obj.1" name="objective">
-                  <prop name="label">SA-21(1)[1]</prop>
-                  <p>defines actions to be taken by the developer of the information system, system
-                     component, or information system service to ensure that the required access
-                     authorizations and screening criteria are satisfied; and</p>
-               </part>
-               <part id="sa-21.1_obj.2" name="objective">
-                  <prop name="label">SA-21(1)[2]</prop>
-                  <p>requires the developer of the information system, system component, or
-                     information system service take organization-defined actions to ensure that the
-                     required access authorizations and screening criteria are satisfied.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>personnel security policy and procedures</p>
-                  <p>procedures addressing personnel screening</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of appropriate access authorizations required by developers of the
-                     information system</p>
-                  <p>personnel screening criteria and associated documentation</p>
-                  <p>list of actions ensuring required access authorizations and screening criteria
-                     are satisfied</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for developer screening</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for developer screening</p>
-                  <p>automated mechanisms supporting developer screening</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-22">
-         <title>Unsupported System Components</title>
-         <prop name="label">SA-22</prop>
-         <prop name="sort-id">sa-22</prop>
-         <part id="sa-22_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sa-22_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Replaces information system components when support for the components is no
-                  longer available from the developer, vendor, or manufacturer; and</p>
-            </part>
-            <part id="sa-22_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides justification and documents approval for the continued use of unsupported
-                  system components required to satisfy mission/business needs.</p>
-            </part>
-         </part>
-         <part id="sa-22_gdn" name="guidance">
-            <p>Support for information system components includes, for example, software patches,
-               firmware updates, replacement parts, and maintenance contracts. Unsupported
-               components (e.g., when vendors are no longer providing critical software patches),
-               provide a substantial opportunity for adversaries to exploit new weaknesses
-               discovered in the currently installed components. Exceptions to replacing unsupported
-               system components may include, for example, systems that provide critical
-               mission/business capability where newer technologies are not available or where the
-               systems are so isolated that installing replacement components is not an option.</p>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-         </part>
-         <part id="sa-22_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sa-22.a_obj" name="objective">
-               <prop name="label">SA-22(a)</prop>
-               <p>replaces information system components when support for the components is no
-                  longer available from the developer, vendor, or manufacturer;</p>
-            </part>
-            <part id="sa-22.b_obj" name="objective">
-               <prop name="label">SA-22(b)</prop>
-               <part id="sa-22.b_obj.1" name="objective">
-                  <prop name="label">SA-22(b)[1]</prop>
-                  <p>provides justification for the continued use of unsupported system components
-                     required to satisfy mission/business needs; and</p>
-               </part>
-               <part id="sa-22.b_obj.2" name="objective">
-                  <prop name="label">SA-22(b)[2]</prop>
-                  <p>documents approval for the continued use of unsupported system components
-                     required to satisfy mission/business needs.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and services acquisition policy</p>
-               <p>procedures addressing replacement or continued use of unsupported information
-                  system components</p>
-               <p>documented evidence of replacing unsupported information system components</p>
-               <p>documented approvals (including justification) for continued use of unsupported
-                  information system components</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and services acquisition responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility system development life cycle</p>
-               <p>organizational personnel responsible for configuration management</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for replacing unsupported system components</p>
-               <p>automated mechanisms supporting and/or implementing replacement of unsupported
-                  system components</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-22.1">
-            <title>Alternative Sources for Continued Support</title>
-            <param id="sa-22.1_prm_1">
-               <select how-many="one or more">
-                  <choice>in-house support</choice>
-                  <choice>
-                     <insert param-id="sa-22.1_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="sa-22.1_prm_2" depends-on="sa-22.1_prm_1">
-               <label>organization-defined support from external providers</label>
-            </param>
-            <prop name="label">SA-22(1)</prop>
-            <prop name="sort-id">sa-22.01</prop>
-            <part id="sa-22.1_smt" name="statement">
-               <p>The organization provides <insert param-id="sa-22.1_prm_1"/> for unsupported
-                  information system components.</p>
-            </part>
-            <part id="sa-22.1_gdn" name="guidance">
-               <p>This control enhancement addresses the need to provide continued support for
-                  selected information system components that are no longer supported by the
-                  original developers, vendors, or manufacturers when such components remain
-                  essential to mission/business operations. Organizations can establish in-house
-                  support, for example, by developing customized patches for critical software
-                  components or secure the services of external providers who through contractual
-                  relationships, provide ongoing support for the designated unsupported components.
-                  Such contractual relationships can include, for example, Open Source Software
-                  value-added vendors.</p>
-            </part>
-            <part id="sa-22.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sa-22.1_obj.1" name="objective">
-                  <prop name="label">SA-22(1)[1]</prop>
-                  <p>defines support from external providers to be provided for unsupported
-                     information system components;</p>
-               </part>
-               <part id="sa-22.1_obj.2" name="objective">
-                  <prop name="label">SA-22(1)[2]</prop>
-                  <p>provides and/or obtains support for unsupported information system components
-                     from one or more of the following:</p>
-                  <part id="sa-22.1_obj.2.a" name="objective">
-                     <prop name="label">SA-22(1)[2][a]</prop>
-                     <p>in-house support; and/or</p>
-                  </part>
-                  <part id="sa-22.1_obj.2.b" name="objective">
-                     <prop name="label">SA-22(1)[2][b]</prop>
-                     <p>organization-defined support from external providers.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and services acquisition policy</p>
-                  <p>procedures addressing support for unsupported information system components</p>
-                  <p>solicitation documentation</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts</p>
-                  <p>service-level agreements</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with system and services acquisition
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility system development life cycle</p>
-                  <p>organizational personnel or third-party external providers supporting
-                     information system components no longer supported by original developers,
-                     vendors, or manufacturers</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for supporting system components no longer supported
-                     by original developers, vendors, or manufacturers</p>
-                  <p>automated mechanisms providing support for system components no longer
-                     supported by original developers, vendors, or manufacturers</p>
-               </part>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="sc">
-      <title>System and Communications Protection</title>
-      <control class="SP800-53" id="sc-1">
-         <title>System and Communications Protection Policy and Procedures</title>
-         <param id="sc-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sc-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sc-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SC-1</prop>
-         <prop name="sort-id">sc-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="sc-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="sc-1_prm_1"/>:</p>
-               <part id="sc-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and communications protection policy that addresses purpose, scope,
-                     roles, responsibilities, management commitment, coordination among
-                     organizational entities, and compliance; and</p>
-               </part>
-               <part id="sc-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and communications
-                     protection policy and associated system and communications protection controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="sc-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="sc-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and communications protection policy <insert param-id="sc-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="sc-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and communications protection procedures <insert param-id="sc-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="sc-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SC
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="sc-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-1.a_obj" name="objective">
-               <prop name="label">SC-1(a)</prop>
-               <part id="sc-1.a.1_obj" name="objective">
-                  <prop name="label">SC-1(a)(1)</prop>
-                  <part id="sc-1.a.1_obj.1" name="objective">
-                     <prop name="label">SC-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and communications protection policy that
-                        addresses:</p>
-                     <part id="sc-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="sc-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SC-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="sc-1.a.1_obj.2" name="objective">
-                     <prop name="label">SC-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and communications protection
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.1_obj.3" name="objective">
-                     <prop name="label">SC-1(a)(1)[3]</prop>
-                     <p>disseminates the system and communications protection policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="sc-1.a.2_obj" name="objective">
-                  <prop name="label">SC-1(a)(2)</prop>
-                  <part id="sc-1.a.2_obj.1" name="objective">
-                     <prop name="label">SC-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and communications protection policy and associated system and
-                        communications protection controls;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.2" name="objective">
-                     <prop name="label">SC-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="sc-1.a.2_obj.3" name="objective">
-                     <prop name="label">SC-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sc-1.b_obj" name="objective">
-               <prop name="label">SC-1(b)</prop>
-               <part id="sc-1.b.1_obj" name="objective">
-                  <prop name="label">SC-1(b)(1)</prop>
-                  <part id="sc-1.b.1_obj.1" name="objective">
-                     <prop name="label">SC-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection policy;</p>
-                  </part>
-                  <part id="sc-1.b.1_obj.2" name="objective">
-                     <prop name="label">SC-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and communications protection policy
-                        with the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="sc-1.b.2_obj" name="objective">
-                  <prop name="label">SC-1(b)(2)</prop>
-                  <part id="sc-1.b.2_obj.1" name="objective">
-                     <prop name="label">SC-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        communications protection procedures; and</p>
-                  </part>
-                  <part id="sc-1.b.2_obj.2" name="objective">
-                     <prop name="label">SC-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and communications protection
-                        procedures with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and communications protection
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-2">
-         <title>Application Partitioning</title>
-         <prop name="label">SC-2</prop>
-         <prop name="sort-id">sc-02</prop>
-         <part id="sc-2_smt" name="statement">
-            <p>The information system separates user functionality (including user interface
-               services) from information system management functionality.</p>
-         </part>
-         <part id="sc-2_gdn" name="guidance">
-            <p>Information system management functionality includes, for example, functions
-               necessary to administer databases, network components, workstations, or servers, and
-               typically requires privileged user access. The separation of user functionality from
-               information system management functionality is either physical or logical.
-               Organizations implement separation of system management-related functionality from
-               user functionality by using different computers, different central processing units,
-               different instances of operating systems, different network addresses, virtualization
-               techniques, or combinations of these or other methods, as appropriate. This type of
-               separation includes, for example, web administrative interfaces that use separate
-               authentication methods for users of any other information system resources.
-               Separation of system and user functionality may include isolating administrative
-               interfaces on different domains and with additional access controls.</p>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sc-2_obj" name="objective">
-            <p>Determine if the information system separates user functionality (including user
-               interface services) from information system management functionality.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing application partitioning</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Separation of user functionality from information system management
-                  functionality</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-2.1">
-            <title>Interfaces for Non-privileged Users</title>
-            <prop name="label">SC-2(1)</prop>
-            <prop name="sort-id">sc-02.01</prop>
-            <part id="sc-2.1_smt" name="statement">
-               <p>The information system prevents the presentation of information system
-                  management-related functionality at an interface for non-privileged users.</p>
-            </part>
-            <part id="sc-2.1_gdn" name="guidance">
-               <p>This control enhancement ensures that administration options (e.g., administrator
-                  privileges) are not available to general users (including prohibiting the use of
-                  the grey-out option commonly used to eliminate accessibility to such information).
-                  Such restrictions include, for example, not presenting administration options
-                  until users establish sessions with administrator privileges.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-            </part>
-            <part id="sc-2.1_obj" name="objective">
-               <p>Determine if the information system prevents the presentation of information
-                  system management-related functionality at an interface for non-privileged
-                  users.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing application partitioning</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>non-privileged users of the information system</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Separation of user functionality from information system management
-                     functionality</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-3">
-         <title>Security Function Isolation</title>
-         <prop name="label">SC-3</prop>
-         <prop name="sort-id">sc-03</prop>
-         <part id="sc-3_smt" name="statement">
-            <p>The information system isolates security functions from nonsecurity functions.</p>
-         </part>
-         <part id="sc-3_gdn" name="guidance">
-            <p>The information system isolates security functions from nonsecurity functions by
-               means of an isolation boundary (implemented via partitions and domains). Such
-               isolation controls access to and protects the integrity of the hardware, software,
-               and firmware that perform those security functions. Information systems implement
-               code separation (i.e., separation of security functions from nonsecurity functions)
-               in a number of ways, including, for example, through the provision of security
-               kernels via processor rings or processor modes. For non-kernel code, security
-               function isolation is often achieved through file system protections that serve to
-               protect the code on disk, and address space protections that protect executing code.
-               Information systems restrict access to security functions through the use of access
-               control mechanisms and by implementing least privilege capabilities. While the ideal
-               is for all of the code within the security function isolation boundary to only
-               contain security-relevant code, it is sometimes necessary to include nonsecurity
-               functions within the isolation boundary as an exception.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-13">SA-13</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-39">SC-39</link>
-         </part>
-         <part id="sc-3_obj" name="objective">
-            <p>Determine if the information system isolates security functions from nonsecurity
-               functions.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing security function isolation</p>
-               <p>list of security functions to be isolated from nonsecurity functions</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Separation of security functions from nonsecurity functions within the information
-                  system</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-3.1">
-            <title>Hardware Separation</title>
-            <prop name="label">SC-3(1)</prop>
-            <prop name="sort-id">sc-03.01</prop>
-            <part id="sc-3.1_smt" name="statement">
-               <p>The information system utilizes underlying hardware separation mechanisms to
-                  implement security function isolation.</p>
-            </part>
-            <part id="sc-3.1_gdn" name="guidance">
-               <p>Underlying hardware separation mechanisms include, for example, hardware ring
-                  architectures, commonly implemented within microprocessors, and hardware-enforced
-                  address segmentation used to support logically distinct storage objects with
-                  separate attributes (i.e., readable, writeable).</p>
-            </part>
-            <part id="sc-3.1_obj" name="objective">
-               <p>Determine if the information system utilizes underlying hardware separation
-                  mechanisms to implement security function isolation.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing security function isolation</p>
-                  <p>information system design documentation</p>
-                  <p>hardware separation mechanisms</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Separation of security functions from nonsecurity functions within the
-                     information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-3.2">
-            <title>Access / Flow Control Functions</title>
-            <prop name="label">SC-3(2)</prop>
-            <prop name="sort-id">sc-03.02</prop>
-            <part id="sc-3.2_smt" name="statement">
-               <p>The information system isolates security functions enforcing access and
-                  information flow control from nonsecurity functions and from other security
-                  functions.</p>
-            </part>
-            <part id="sc-3.2_gdn" name="guidance">
-               <p>Security function isolation occurs as a result of implementation; the functions
-                  can still be scanned and monitored. Security functions that are potentially
-                  isolated from access and flow control enforcement functions include, for example,
-                  auditing, intrusion detection, and anti-virus functions.</p>
-            </part>
-            <part id="sc-3.2_obj" name="objective">
-               <p>Determine if the information system isolates security functions enforcing: </p>
-               <part id="sc-3.2_obj.1" name="objective">
-                  <prop name="label">SC-3(2)[1]</prop>
-                  <p>access control from nonsecurity functions;</p>
-               </part>
-               <part id="sc-3.2_obj.2" name="objective">
-                  <prop name="label">SC-3(2)[2]</prop>
-                  <p>information flow control from nonsecurity functions;</p>
-               </part>
-               <part id="sc-3.2_obj.3" name="objective">
-                  <prop name="label">SC-3(2)[3]</prop>
-                  <p>access control from other security functions; and</p>
-               </part>
-               <part id="sc-3.2_obj.4" name="objective">
-                  <prop name="label">SC-3(2)[4]</prop>
-                  <p>information flow control from other security functions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing security function isolation</p>
-                  <p>list of critical security functions</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Isolation of security functions enforcing access and information flow
-                     control</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-3.3">
-            <title>Minimize Nonsecurity Functionality</title>
-            <prop name="label">SC-3(3)</prop>
-            <prop name="sort-id">sc-03.03</prop>
-            <part id="sc-3.3_smt" name="statement">
-               <p>The organization minimizes the number of nonsecurity functions included within the
-                  isolation boundary containing security functions.</p>
-            </part>
-            <part id="sc-3.3_gdn" name="guidance">
-               <p>In those instances where it is not feasible to achieve strict isolation of
-                  nonsecurity functions from security functions, it is necessary to take actions to
-                  minimize the nonsecurity-relevant functions within the security function boundary.
-                  Nonsecurity functions contained within the isolation boundary are considered
-                  security-relevant because errors or maliciousness in such software, by virtue of
-                  being within the boundary, can impact the security functions of organizational
-                  information systems. The design objective is that the specific portions of
-                  information systems providing information security are of minimal size/complexity.
-                  Minimizing the number of nonsecurity functions in the security-relevant components
-                  of information systems allows designers and implementers to focus only on those
-                  functions which are necessary to provide the desired security capability
-                  (typically access enforcement). By minimizing nonsecurity functions within the
-                  isolation boundaries, the amount of code that must be trusted to enforce security
-                  policies is reduced, thus contributing to understandability.</p>
-            </part>
-            <part id="sc-3.3_obj" name="objective">
-               <p>Determine if the organization implements an information system isolation boundary
-                  to minimize the number of nonsecurity functions included within the boundary
-                  containing security functions.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing security function isolation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing an isolation boundary</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-3.4">
-            <title>Module Coupling and Cohesiveness</title>
-            <prop name="label">SC-3(4)</prop>
-            <prop name="sort-id">sc-03.04</prop>
-            <part id="sc-3.4_smt" name="statement">
-               <p>The organization implements security functions as largely independent modules that
-                  maximize internal cohesiveness within modules and minimize coupling between
-                  modules.</p>
-            </part>
-            <part id="sc-3.4_gdn" name="guidance">
-               <p>The reduction in inter-module interactions helps to constrain security functions
-                  and to manage complexity. The concepts of coupling and cohesion are important with
-                  respect to modularity in software design. Coupling refers to the dependencies that
-                  one module has on other modules. Cohesion refers to the relationship between the
-                  different functions within a particular module. Good software engineering
-                  practices rely on modular decomposition, layering, and minimization to reduce and
-                  manage complexity, thus producing software modules that are highly cohesive and
-                  loosely coupled.</p>
-            </part>
-            <part id="sc-3.4_obj" name="objective">
-               <p>Determine if the organization implements security functions as largely independent
-                  modules that:</p>
-               <part id="sc-3.4_obj.1" name="objective">
-                  <prop name="label">SC-3(4)[1]</prop>
-                  <p>maximize internal cohesiveness within modules; and</p>
-               </part>
-               <part id="sc-3.4_obj.2" name="objective">
-                  <prop name="label">SC-3(4)[2]</prop>
-                  <p>minimize coupling between modules.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing security function isolation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for maximizing internal cohesiveness within modules
-                     and minimizing coupling between modules</p>
-                  <p>automated mechanisms supporting and/or implementing security functions as
-                     independent modules</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-3.5">
-            <title>Layered Structures</title>
-            <prop name="label">SC-3(5)</prop>
-            <prop name="sort-id">sc-03.05</prop>
-            <part id="sc-3.5_smt" name="statement">
-               <p>The organization implements security functions as a layered structure minimizing
-                  interactions between layers of the design and avoiding any dependence by lower
-                  layers on the functionality or correctness of higher layers.</p>
-            </part>
-            <part id="sc-3.5_gdn" name="guidance">
-               <p>The implementation of layered structures with minimized interactions among
-                  security functions and non-looping layers (i.e., lower-layer functions do not
-                  depend on higher-layer functions) further enables the isolation of security
-                  functions and management of complexity.</p>
-            </part>
-            <part id="sc-3.5_obj" name="objective">
-               <p>Determine if the organization implements security functions as a layered
-                  structure:</p>
-               <part id="sc-3.5_obj.1" name="objective">
-                  <prop name="label">SC-3(5)[1]</prop>
-                  <p>minimizing interactions between layers of the design; and</p>
-               </part>
-               <part id="sc-3.5_obj.2" name="objective">
-                  <prop name="label">SC-3(5)[2]</prop>
-                  <p>avoiding any dependence by lower layers on the functionality or correctness of
-                     higher layers.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing security function isolation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for implementing security functions as a layered
-                     structure that minimizes interactions between layers and avoids dependence by
-                     lower layers on functionality/correctness of higher layers</p>
-                  <p>automated mechanisms supporting and/or implementing security functions as a
-                     layered structure</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-4">
-         <title>Information in Shared Resources</title>
-         <prop name="label">SC-4</prop>
-         <prop name="sort-id">sc-04</prop>
-         <part id="sc-4_smt" name="statement">
-            <p>The information system prevents unauthorized and unintended information transfer via
-               shared system resources.</p>
-         </part>
-         <part id="sc-4_gdn" name="guidance">
-            <p>This control prevents information, including encrypted representations of
-               information, produced by the actions of prior users/roles (or the actions of
-               processes acting on behalf of prior users/roles) from being available to any current
-               users/roles (or current processes) that obtain access to shared system resources
-               (e.g., registers, main memory, hard disks) after those resources have been released
-               back to information systems. The control of information in shared resources is also
-               commonly referred to as object reuse and residual information protection. This
-               control does not address: (i) information remanence which refers to residual
-               representation of data that has been nominally erased or removed; (ii) covert
-               channels (including storage and/or timing channels) where shared resources are
-               manipulated to violate information flow restrictions; or (iii) components within
-               information systems for which there are only single users/roles.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-         </part>
-         <part id="sc-4_obj" name="objective">
-            <p>Determine if the information system prevents unauthorized and unintended information
-               transfer via shared system resources.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing information protection in shared system resources</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms preventing unauthorized and unintended transfer of
-                  information via shared system resources</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-4.1">
-            <title>Security Levels</title>
-            <prop name="label">SC-4(1)</prop>
-            <prop name="sort-id">sc-04.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-4">SC-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-4.2">
-            <title>Periods Processing</title>
-            <param id="sc-4.2_prm_1">
-               <label>organization-defined procedures</label>
-            </param>
-            <prop name="label">SC-4(2)</prop>
-            <prop name="sort-id">sc-04.02</prop>
-            <part id="sc-4.2_smt" name="statement">
-               <p>The information system prevents unauthorized information transfer via shared
-                  resources in accordance with <insert param-id="sc-4.2_prm_1"/> when system
-                  processing explicitly switches between different information classification levels
-                  or security categories.</p>
-            </part>
-            <part id="sc-4.2_gdn" name="guidance">
-               <p>This control enhancement applies when there are explicit changes in information
-                  processing levels during information system operations, for example, during
-                  multilevel processing and periods processing with information at different
-                  classification levels or security categories. Organization-defined procedures may
-                  include, for example, approved sanitization processes for electronically stored
-                  information.</p>
-            </part>
-            <part id="sc-4.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-4.2_obj.1" name="objective">
-                  <prop name="label">SC-4(2)[1]</prop>
-                  <p>the organization defines procedures to be employed to ensure unauthorized
-                     information transfer via shared resources is prevented when system processing
-                     explicitly switches between different information classification levels or
-                     security categories; and</p>
-               </part>
-               <part id="sc-4.2_obj.2" name="objective">
-                  <prop name="label">SC-4(2)[2]</prop>
-                  <p>the information system prevents unauthorized information transfer via shared
-                     resources in accordance with organization-defined procedures when system
-                     processing explicitly switches between different information classification
-                     levels or security categories.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing information protection in shared system resources</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms preventing unauthorized transfer of information via shared
-                     system resources</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-5">
-         <title>Denial of Service Protection</title>
-         <param id="sc-5_prm_1">
-            <label>organization-defined types of denial of service attacks or references to sources
-               for such information</label>
-         </param>
-         <param id="sc-5_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SC-5</prop>
-         <prop name="sort-id">sc-05</prop>
-         <part id="sc-5_smt" name="statement">
-            <p>The information system protects against or limits the effects of the following types
-               of denial of service attacks: <insert param-id="sc-5_prm_1"/> by employing <insert param-id="sc-5_prm_2"/>.</p>
-         </part>
-         <part id="sc-5_gdn" name="guidance">
-            <p>A variety of technologies exist to limit, or in some cases, eliminate the effects of
-               denial of service attacks. For example, boundary protection devices can filter
-               certain types of packets to protect information system components on internal
-               organizational networks from being directly affected by denial of service attacks.
-               Employing increased capacity and bandwidth combined with service redundancy may also
-               reduce the susceptibility to denial of service attacks.</p>
-            <link rel="related" href="#sc-6">SC-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="sc-5_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-5_obj.1" name="objective">
-               <prop name="label">SC-5[1]</prop>
-               <p>the organization defines types of denial of service attacks or reference to source
-                  of such information for the information system to protect against or limit the
-                  effects;</p>
-            </part>
-            <part id="sc-5_obj.2" name="objective">
-               <prop name="label">SC-5[2]</prop>
-               <p>the organization defines security safeguards to be employed by the information
-                  system to protect against or limit the effects of organization-defined types of
-                  denial of service attacks; and</p>
-            </part>
-            <part id="sc-5_obj.3" name="objective">
-               <prop name="label">SC-5[3]</prop>
-               <p>the information system protects against or limits the effects of the
-                  organization-defined denial or service attacks (or reference to source for such
-                  information) by employing organization-defined security safeguards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing denial of service protection</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>list of denial of services attacks requiring employment of security safeguards to
-                  protect against or limit effects of such attacks</p>
-               <p>list of security safeguards protecting against or limiting the effects of denial
-                  of service attacks</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with incident response responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms protecting against or limiting the effects of denial of
-                  service attacks</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-5.1">
-            <title>Restrict Internal Users</title>
-            <param id="sc-5.1_prm_1">
-               <label>organization-defined denial of service attacks</label>
-            </param>
-            <prop name="label">SC-5(1)</prop>
-            <prop name="sort-id">sc-05.01</prop>
-            <part id="sc-5.1_smt" name="statement">
-               <p>The information system restricts the ability of individuals to launch <insert param-id="sc-5.1_prm_1"/> against other information systems.</p>
-            </part>
-            <part id="sc-5.1_gdn" name="guidance">
-               <p>Restricting the ability of individuals to launch denial of service attacks
-                  requires that the mechanisms used for such attacks are unavailable. Individuals of
-                  concern can include, for example, hostile insiders or external adversaries that
-                  have successfully breached the information system and are using the system as a
-                  platform to launch cyber attacks on third parties. Organizations can restrict the
-                  ability of individuals to connect and transmit arbitrary information on the
-                  transport medium (i.e., network, wireless spectrum). Organizations can also limit
-                  the ability of individuals to use excessive information system resources.
-                  Protection against individuals having the ability to launch denial of service
-                  attacks may be implemented on specific information systems or on boundary devices
-                  prohibiting egress to potential target systems.</p>
-            </part>
-            <part id="sc-5.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-5.1_obj.1" name="objective">
-                  <prop name="label">SC-5(1)[1]</prop>
-                  <p>the organization defines denial of service attacks for which the information
-                     system is required to restrict the ability of individuals to launch such
-                     attacks against other information systems; and</p>
-               </part>
-               <part id="sc-5.1_obj.2" name="objective">
-                  <prop name="label">SC-5(1)[2]</prop>
-                  <p>the information system restricts the ability of individuals to launch
-                     organization-defined denial of service attacks against other information
-                     systems.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing denial of service protection</p>
-                  <p>information system design documentation</p>
-                  <p>security plan</p>
-                  <p>list of denial of service attacks launched by individuals against information
-                     systems</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms restricting the ability to launch denial of service
-                     attacks against other information systems</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-5.2">
-            <title>Excess Capacity / Bandwidth / Redundancy</title>
-            <prop name="label">SC-5(2)</prop>
-            <prop name="sort-id">sc-05.02</prop>
-            <part id="sc-5.2_smt" name="statement">
-               <p>The information system manages excess capacity, bandwidth, or other redundancy to
-                  limit the effects of information flooding denial of service attacks.</p>
-            </part>
-            <part id="sc-5.2_gdn" name="guidance">
-               <p>Managing excess capacity ensures that sufficient capacity is available to counter
-                  flooding attacks. Managing excess capacity may include, for example, establishing
-                  selected usage priorities, quotas, or partitioning.</p>
-            </part>
-            <part id="sc-5.2_obj" name="objective">
-               <p>Determine if the information system, to limit the effects of information flooding
-                  denial of service attacks, manages:</p>
-               <part id="sc-5.2_obj.1" name="objective">
-                  <prop name="label">SC-5(2)[1]</prop>
-                  <p>excess capacity;</p>
-               </part>
-               <part id="sc-5.2_obj.2" name="objective">
-                  <prop name="label">SC-5(2)[2]</prop>
-                  <p>bandwidth; or</p>
-               </part>
-               <part id="sc-5.2_obj.3" name="objective">
-                  <prop name="label">SC-5(2)[3]</prop>
-                  <p>other redundancy.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing denial of service protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing management of information system bandwidth,
-                     capacity, and redundancy to limit the effects of information flooding denial of
-                     service attacks</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-5.3">
-            <title>Detection / Monitoring</title>
-            <param id="sc-5.3_prm_1">
-               <label>organization-defined monitoring tools</label>
-            </param>
-            <param id="sc-5.3_prm_2">
-               <label>organization-defined information system resources</label>
-            </param>
-            <prop name="label">SC-5(3)</prop>
-            <prop name="sort-id">sc-05.03</prop>
-            <part id="sc-5.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sc-5.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs <insert param-id="sc-5.3_prm_1"/> to detect indicators of denial of
-                     service attacks against the information system; and</p>
-               </part>
-               <part id="sc-5.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Monitors <insert param-id="sc-5.3_prm_2"/> to determine if sufficient resources
-                     exist to prevent effective denial of service attacks.</p>
-               </part>
-            </part>
-            <part id="sc-5.3_gdn" name="guidance">
-               <p>Organizations consider utilization and capacity of information system resources
-                  when managing risk from denial of service due to malicious attacks. Denial of
-                  service attacks can originate from external or internal sources. Information
-                  system resources sensitive to denial of service include, for example, physical
-                  disk storage, memory, and CPU cycles. Common safeguards to prevent denial of
-                  service attacks related to storage utilization and capacity include, for example,
-                  instituting disk quotas, configuring information systems to automatically alert
-                  administrators when specific storage capacity thresholds are reached, using file
-                  compression technologies to maximize available storage space, and imposing
-                  separate partitions for system and user data.</p>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="sc-5.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-5.3.a_obj" name="objective">
-                  <prop name="label">SC-5(3)(a)</prop>
-                  <part id="sc-5.3.a_obj.1" name="objective">
-                     <prop name="label">SC-5(3)(a)[1]</prop>
-                     <p>defines monitoring tools to be employed to detect indicators of denial of
-                        service attacks against the information system;</p>
-                  </part>
-                  <part id="sc-5.3.a_obj.2" name="objective">
-                     <prop name="label">SC-5(3)(a)[2]</prop>
-                     <p>employs organization-defined monitoring tools to detect indicators of denial
-                        of service attacks against the information system;</p>
-                  </part>
-                  <link rel="corresp" href="#sc-5.3_smt.a">SC-5(3)(a)</link>
-               </part>
-               <part id="sc-5.3.b_obj" name="objective">
-                  <prop name="label">SC-5(3)(b)</prop>
-                  <part id="sc-5.3.b_obj.1" name="objective">
-                     <prop name="label">SC-5(3)(b)[1]</prop>
-                     <p>defines information system resources to be monitored to determine if
-                        sufficient resources exist to prevent effective denial of service attacks;
-                        and</p>
-                  </part>
-                  <part id="sc-5.3.b_obj.2" name="objective">
-                     <prop name="label">SC-5(3)(b)[2]</prop>
-                     <p>monitors organization-defined information system resources to determine if
-                        sufficient resources exist to prevent effective denial of service
-                        attacks.</p>
-                  </part>
-                  <link rel="corresp" href="#sc-5.3_smt.b">SC-5(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing denial of service protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with detection and monitoring responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms/tools implementing information system monitoring for
-                     denial of service attacks</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-6">
-         <title>Resource Availability</title>
-         <param id="sc-6_prm_1">
-            <label>organization-defined resources</label>
-         </param>
-         <param id="sc-6_prm_2">
-            <select how-many="one or more">
-               <choice>priority</choice>
-               <choice>quota</choice>
-               <choice>
-                  <insert param-id="sc-6_prm_3"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sc-6_prm_3" depends-on="sc-6_prm_2">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SC-6</prop>
-         <prop name="sort-id">sc-06</prop>
-         <part id="sc-6_smt" name="statement">
-            <p>The information system protects the availability of resources by allocating <insert param-id="sc-6_prm_1"/> by <insert param-id="sc-6_prm_2"/>.</p>
-         </part>
-         <part id="sc-6_gdn" name="guidance">
-            <p>Priority protection helps prevent lower-priority processes from delaying or
-               interfering with the information system servicing any higher-priority processes.
-               Quotas prevent users or processes from obtaining more than predetermined amounts of
-               resources. This control does not apply to information system components for which
-               there are only single users/roles.</p>
-         </part>
-         <part id="sc-6_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-6_obj.1" name="objective">
-               <prop name="label">SC-6[1]</prop>
-               <p>the organization defines resources to be allocated to protect the availability of
-                  resources;</p>
-            </part>
-            <part id="sc-6_obj.2" name="objective">
-               <prop name="label">SC-6[2]</prop>
-               <p>the organization defines security safeguards to be employed to protect the
-                  availability of resources;</p>
-            </part>
-            <part id="sc-6_obj.3" name="objective">
-               <prop name="label">SC-6[3]</prop>
-               <p>the information system protects the availability of resources by allocating
-                  organization-defined resources by one or more of the following:</p>
-               <part id="sc-6_obj.3.a" name="objective">
-                  <prop name="label">SC-6[3][a]</prop>
-                  <p>priority;</p>
-               </part>
-               <part id="sc-6_obj.3.b" name="objective">
-                  <prop name="label">SC-6[3][b]</prop>
-                  <p>quota; and/or</p>
-               </part>
-               <part id="sc-6_obj.3.c" name="objective">
-                  <prop name="label">SC-6[3][c]</prop>
-                  <p>organization-defined safeguards.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing prioritization of information system resources</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing resource allocation
-                  capability</p>
-               <p>safeguards employed to protect availability of resources</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-7">
-         <title>Boundary Protection</title>
-         <param id="sc-7_prm_1">
-            <select>
-               <choice>physically</choice>
-               <choice>logically</choice>
-            </select>
-         </param>
-         <prop name="label">SC-7</prop>
-         <prop name="sort-id">sc-07</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#756a8e86-57d5-4701-8382-f7a40439665a" rel="reference">NIST Special Publication 800-41</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <part id="sc-7_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-7_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors and controls communications at the external boundary of the system and at
-                  key internal boundaries within the system;</p>
-            </part>
-            <part id="sc-7_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements subnetworks for publicly accessible system components that are <insert param-id="sc-7_prm_1"/> separated from internal organizational networks;
-                  and</p>
-            </part>
-            <part id="sc-7_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part id="sc-7_gdn" name="guidance">
-            <p>Managed interfaces include, for example, gateways, routers, firewalls, guards,
-               network-based malicious code analysis and virtualization systems, or encrypted
-               tunnels implemented within a security architecture (e.g., routers protecting
-               firewalls or application gateways residing on protected subnetworks). Subnetworks
-               that are physically or logically separated from internal networks are referred to as
-               demilitarized zones or DMZs. Restricting or prohibiting interfaces within
-               organizational information systems includes, for example, restricting external web
-               traffic to designated web servers within managed interfaces and prohibiting external
-               traffic that appears to be spoofing internal addresses. Organizations consider the
-               shared nature of commercial telecommunications services in the implementation of
-               security controls associated with the use of such services. Commercial
-               telecommunications services are commonly based on network components and consolidated
-               management systems shared by all attached commercial customers, and may also include
-               third party-provided access lines and other service elements. Such transmission
-               services may represent sources of increased risk despite contract security
-               provisions.</p>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#cp-8">CP-8</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-         </part>
-         <part id="sc-7_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-7.a_obj" name="objective">
-               <prop name="label">SC-7(a)</prop>
-               <part id="sc-7.a_obj.1" name="objective">
-                  <prop name="label">SC-7(a)[1]</prop>
-                  <p>monitors communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.2" name="objective">
-                  <prop name="label">SC-7(a)[2]</prop>
-                  <p>monitors communications at key internal boundaries within the system;</p>
-               </part>
-               <part id="sc-7.a_obj.3" name="objective">
-                  <prop name="label">SC-7(a)[3]</prop>
-                  <p>controls communications at the external boundary of the information system;</p>
-               </part>
-               <part id="sc-7.a_obj.4" name="objective">
-                  <prop name="label">SC-7(a)[4]</prop>
-                  <p>controls communications at key internal boundaries within the system;</p>
-               </part>
-            </part>
-            <part id="sc-7.b_obj" name="objective">
-               <prop name="label">SC-7(b)</prop>
-               <p>implements subnetworks for publicly accessible system components that are
-                  either:</p>
-               <part id="sc-7.b_obj.1" name="objective">
-                  <prop name="label">SC-7(b)[1]</prop>
-                  <p>physically separated from internal organizational networks; and/or</p>
-               </part>
-               <part id="sc-7.b_obj.2" name="objective">
-                  <prop name="label">SC-7(b)[2]</prop>
-                  <p>logically separated from internal organizational networks; and</p>
-               </part>
-            </part>
-            <part id="sc-7.c_obj" name="objective">
-               <prop name="label">SC-7(c)</prop>
-               <p>connects to external networks or information systems only through managed
-                  interfaces consisting of boundary protection devices arranged in accordance with
-                  an organizational security architecture.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing boundary protection</p>
-               <p>list of key internal boundaries of the information system</p>
-               <p>information system design documentation</p>
-               <p>boundary protection hardware and software</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>enterprise security architecture documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with boundary protection responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing boundary protection capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-7.1">
-            <title>Physically Separated Subnetworks</title>
-            <prop name="label">SC-7(1)</prop>
-            <prop name="sort-id">sc-07.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.2">
-            <title>Public Access</title>
-            <prop name="label">SC-7(2)</prop>
-            <prop name="sort-id">sc-07.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.3">
-            <title>Access Points</title>
-            <prop name="label">SC-7(3)</prop>
-            <prop name="sort-id">sc-07.03</prop>
-            <part id="sc-7.3_smt" name="statement">
-               <p>The organization limits the number of external network connections to the
-                  information system.</p>
-            </part>
-            <part id="sc-7.3_gdn" name="guidance">
-               <p>Limiting the number of external network connections facilitates more comprehensive
-                  monitoring of inbound and outbound communications traffic. The Trusted Internet
-                  Connection (TIC) initiative is an example of limiting the number of external
-                  network connections.</p>
-            </part>
-            <part id="sc-7.3_obj" name="objective">
-               <p>Determine if the organization limits the number of external network connections to
-                  the information system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>communications and network traffic monitoring logs</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>automated mechanisms limiting the number of external network connections to the
-                     information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.4">
-            <title>External Telecommunications Services</title>
-            <param id="sc-7.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SC-7(4)</prop>
-            <prop name="sort-id">sc-07.04</prop>
-            <part id="sc-7.4_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sc-7.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Implements a managed interface for each external telecommunication service;</p>
-               </part>
-               <part id="sc-7.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Establishes a traffic flow policy for each managed interface;</p>
-               </part>
-               <part id="sc-7.4_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Protects the confidentiality and integrity of the information being transmitted
-                     across each interface;</p>
-               </part>
-               <part id="sc-7.4_smt.d" name="item">
-                  <prop name="label">(d)</prop>
-                  <p>Documents each exception to the traffic flow policy with a supporting
-                     mission/business need and duration of that need; and</p>
-               </part>
-               <part id="sc-7.4_smt.e" name="item">
-                  <prop name="label">(e)</prop>
-                  <p>Reviews exceptions to the traffic flow policy <insert param-id="sc-7.4_prm_1"/>
-                     and removes exceptions that are no longer supported by an explicit
-                     mission/business need.</p>
-               </part>
-            </part>
-            <part id="sc-7.4_gdn" name="guidance">
-               <link rel="related" href="#sc-8">SC-8</link>
-            </part>
-            <part id="sc-7.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.4.a_obj" name="objective">
-                  <prop name="label">SC-7(4)(a)</prop>
-                  <p>implements a managed interface for each external telecommunication service;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.a">SC-7(4)(a)</link>
-               </part>
-               <part id="sc-7.4.b_obj" name="objective">
-                  <prop name="label">SC-7(4)(b)</prop>
-                  <p>establishes a traffic flow policy for each managed interface;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.b">SC-7(4)(b)</link>
-               </part>
-               <part id="sc-7.4.c_obj" name="objective">
-                  <prop name="label">SC-7(4)(c)</prop>
-                  <p>protects the confidentiality and integrity of the information being transmitted
-                     across each interface;</p>
-                  <link rel="corresp" href="#sc-7.4_smt.c">SC-7(4)(c)</link>
-               </part>
-               <part id="sc-7.4.d_obj" name="objective">
-                  <prop name="label">SC-7(4)(d)</prop>
-                  <p>documents each exception to the traffic flow policy with:</p>
-                  <part id="sc-7.4.d_obj.1" name="objective">
-                     <prop name="label">SC-7(4)(d)[1]</prop>
-                     <p>a supporting mission/business need;</p>
-                  </part>
-                  <part id="sc-7.4.d_obj.2" name="objective">
-                     <prop name="label">SC-7(4)(d)[2]</prop>
-                     <p>duration of that need;</p>
-                  </part>
-                  <link rel="corresp" href="#sc-7.4_smt.d">SC-7(4)(d)</link>
-               </part>
-               <part id="sc-7.4.e_obj" name="objective">
-                  <prop name="label">SC-7(4)(e)</prop>
-                  <part id="sc-7.4.e_obj.1" name="objective">
-                     <prop name="label">SC-7(4)(e)[1]</prop>
-                     <p>defines a frequency to review exceptions to traffic flow policy;</p>
-                  </part>
-                  <part id="sc-7.4.e_obj.2" name="objective">
-                     <prop name="label">SC-7(4)(e)[2]</prop>
-                     <p>reviews exceptions to the traffic flow policy with the organization-defined
-                        frequency; and</p>
-                  </part>
-                  <part id="sc-7.4.e_obj.3" name="objective">
-                     <prop name="label">SC-7(4)(e)[3]</prop>
-                     <p>removes traffic flow policy exceptions that are no longer supported by an
-                        explicit mission/business need</p>
-                  </part>
-                  <link rel="corresp" href="#sc-7.4_smt.e">SC-7(4)(e)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>traffic flow policy</p>
-                  <p>information flow control policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system security architecture</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system architecture and configuration documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of traffic flow policy exceptions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for documenting and reviewing exceptions to the
-                     traffic flow policy</p>
-                  <p>organizational processes for removing exceptions to the traffic flow policy</p>
-                  <p>automated mechanisms implementing boundary protection capability</p>
-                  <p>managed interfaces implementing traffic flow policy</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.5">
-            <title>Deny by Default / Allow by Exception</title>
-            <prop name="label">SC-7(5)</prop>
-            <prop name="sort-id">sc-07.05</prop>
-            <part id="sc-7.5_smt" name="statement">
-               <p>The information system at managed interfaces denies network communications traffic
-                  by default and allows network communications traffic by exception (i.e., deny all,
-                  permit by exception).</p>
-            </part>
-            <part id="sc-7.5_gdn" name="guidance">
-               <p>This control enhancement applies to both inbound and outbound network
-                  communications traffic. A deny-all, permit-by-exception network communications
-                  traffic policy ensures that only those connections which are essential and
-                  approved are allowed.</p>
-            </part>
-            <part id="sc-7.5_obj" name="objective">
-               <p>Determine if the information system, at managed interfaces:</p>
-               <part id="sc-7.5_obj.1" name="objective">
-                  <prop name="label">SC-7(5)[1]</prop>
-                  <p>denies network traffic by default; and</p>
-               </part>
-               <part id="sc-7.5_obj.2" name="objective">
-                  <prop name="label">SC-7(5)[2]</prop>
-                  <p>allows network traffic by exception.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing traffic management at managed interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.6">
-            <title>Response to Recognized Failures</title>
-            <prop name="label">SC-7(6)</prop>
-            <prop name="sort-id">sc-07.06</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-7.18">SC-7 (18)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.7">
-            <title>Prevent Split Tunneling for Remote Devices</title>
-            <prop name="label">SC-7(7)</prop>
-            <prop name="sort-id">sc-07.07</prop>
-            <part id="sc-7.7_smt" name="statement">
-               <p>The information system, in conjunction with a remote device, prevents the device
-                  from simultaneously establishing non-remote connections with the system and
-                  communicating via some other connection to resources in external networks.</p>
-            </part>
-            <part id="sc-7.7_gdn" name="guidance">
-               <p>This control enhancement is implemented within remote devices (e.g., notebook
-                  computers) through configuration settings to disable split tunneling in those
-                  devices, and by preventing those configuration settings from being readily
-                  configurable by users. This control enhancement is implemented within the
-                  information system by the detection of split tunneling (or of configuration
-                  settings that allow split tunneling) in the remote device, and by prohibiting the
-                  connection if the remote device is using split tunneling. Split tunneling might be
-                  desirable by remote users to communicate with local information system resources
-                  such as printers/file servers. However, split tunneling would in effect allow
-                  unauthorized external connections, making the system more vulnerable to attack and
-                  to exfiltration of organizational information. The use of VPNs for remote
-                  connections, when adequately provisioned with appropriate security controls, may
-                  provide the organization with sufficient assurance that it can effectively treat
-                  such connections as non-remote connections from the confidentiality and integrity
-                  perspective. VPNs thus provide a means for allowing non-remote communications
-                  paths from remote devices. The use of an adequately provisioned VPN does not
-                  eliminate the need for preventing split tunneling.</p>
-            </part>
-            <part id="sc-7.7_obj" name="objective">
-               <p>Determine if the information system, in conjunction with a remote device, prevents
-                  the device from simultaneously establishing non-remote connections with the system
-                  and communicating via some other connection to resources in external networks.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>automated mechanisms supporting/restricting non-remote connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.8">
-            <title>Route Traffic to Authenticated Proxy Servers</title>
-            <param id="sc-7.8_prm_1">
-               <label>organization-defined internal communications traffic</label>
-            </param>
-            <param id="sc-7.8_prm_2">
-               <label>organization-defined external networks</label>
-            </param>
-            <prop name="label">SC-7(8)</prop>
-            <prop name="sort-id">sc-07.08</prop>
-            <part id="sc-7.8_smt" name="statement">
-               <p>The information system routes <insert param-id="sc-7.8_prm_1"/> to <insert param-id="sc-7.8_prm_2"/> through authenticated proxy servers at managed
-                  interfaces.</p>
-            </part>
-            <part id="sc-7.8_gdn" name="guidance">
-               <p>External networks are networks outside of organizational control. A proxy server
-                  is a server (i.e., information system or application) that acts as an intermediary
-                  for clients requesting information system resources (e.g., files, connections, web
-                  pages, or services) from other organizational servers. Client requests established
-                  through an initial connection to the proxy server are evaluated to manage
-                  complexity and to provide additional protection by limiting direct connectivity.
-                  Web content filtering devices are one of the most common proxy servers providing
-                  access to the Internet. Proxy servers support logging individual Transmission
-                  Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators
-                  (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be
-                  configured with organization-defined lists of authorized and unauthorized
-                  websites.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#au-2">AU-2</link>
-            </part>
-            <part id="sc-7.8_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-7.8_obj.1" name="objective">
-                  <prop name="label">SC-7(8)[1]</prop>
-                  <p>the organization defines internal communications traffic to be routed to
-                     external networks;</p>
-               </part>
-               <part id="sc-7.8_obj.2" name="objective">
-                  <prop name="label">SC-7(8)[2]</prop>
-                  <p>the organization defines external networks to which organization-defined
-                     internal communications traffic is to be routed; and</p>
-               </part>
-               <part id="sc-7.8_obj.3" name="objective">
-                  <prop name="label">SC-7(8)[3]</prop>
-                  <p>the information system routes organization-defined internal communications
-                     traffic to organization-defined external networks through authenticated proxy
-                     servers at managed interfaces.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing traffic management through authenticated
-                     proxy servers at managed interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.9">
-            <title>Restrict Threatening Outgoing Communications Traffic</title>
-            <prop name="label">SC-7(9)</prop>
-            <prop name="sort-id">sc-07.09</prop>
-            <part id="sc-7.9_smt" name="statement">
-               <p>The information system:</p>
-               <part id="sc-7.9_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Detects and denies outgoing communications traffic posing a threat to external
-                     information systems; and</p>
-               </part>
-               <part id="sc-7.9_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Audits the identity of internal users associated with denied
-                     communications.</p>
-               </part>
-            </part>
-            <part id="sc-7.9_gdn" name="guidance">
-               <p>Detecting outgoing communications traffic from internal actions that may pose
-                  threats to external information systems is sometimes termed extrusion detection.
-                  Extrusion detection at information system boundaries as part of managed interfaces
-                  includes the analysis of incoming and outgoing communications traffic searching
-                  for indications of internal threats to the security of external systems. Such
-                  threats include, for example, traffic indicative of denial of service attacks and
-                  traffic containing malicious code.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#sc-38">SC-38</link>
-               <link rel="related" href="#sc-44">SC-44</link>
-               <link rel="related" href="#si-3">SI-3</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="sc-7.9_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="sc-7.9.a_obj" name="objective">
-                  <prop name="label">SC-7(9)(a)</prop>
-                  <part id="sc-7.9.a_obj.1" name="objective">
-                     <prop name="label">SC-7(9)(a)[1]</prop>
-                     <p>detects outgoing communications traffic posing a threat to external
-                        information systems; and</p>
-                  </part>
-                  <part id="sc-7.9.a_obj.2" name="objective">
-                     <prop name="label">SC-7(9)(a)[2]</prop>
-                     <p>denies outgoing communications traffic posing a threat to external
-                        information systems; and</p>
-                  </part>
-                  <link rel="corresp" href="#sc-7.9_smt.a">SC-7(9)(a)</link>
-               </part>
-               <part id="sc-7.9.b_obj" name="objective">
-                  <prop name="label">SC-7(9)(b)</prop>
-                  <p>audits the identity of internal users associated with denied
-                     communications.</p>
-                  <link rel="corresp" href="#sc-7.9_smt.b">SC-7(9)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>automated mechanisms implementing detection and denial of threatening outgoing
-                     communications traffic</p>
-                  <p>automated mechanisms implementing auditing of outgoing communications
-                     traffic</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.10">
-            <title>Prevent Unauthorized Exfiltration</title>
-            <prop name="label">SC-7(10)</prop>
-            <prop name="sort-id">sc-07.10</prop>
-            <part id="sc-7.10_smt" name="statement">
-               <p>The organization prevents the unauthorized exfiltration of information across
-                  managed interfaces.</p>
-            </part>
-            <part id="sc-7.10_gdn" name="guidance">
-               <p>Safeguards implemented by organizations to prevent unauthorized exfiltration of
-                  information from information systems include, for example: (i) strict adherence to
-                  protocol formats; (ii) monitoring for beaconing from information systems; (iii)
-                  monitoring for steganography; (iv) disconnecting external network interfaces
-                  except when explicitly needed; (v) disassembling and reassembling packet headers;
-                  and (vi) employing traffic profile analysis to detect deviations from the
-                  volume/types of traffic expected within organizations or call backs to command and
-                  control centers. Devices enforcing strict adherence to protocol formats include,
-                  for example, deep packet inspection firewalls and XML gateways. These devices
-                  verify adherence to protocol formats and specification at the application layer
-                  and serve to identify vulnerabilities that cannot be detected by devices operating
-                  at the network or transport layers. This control enhancement is closely associated
-                  with cross-domain solutions and system guards enforcing information flow
-                  requirements.</p>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="sc-7.10_obj" name="objective">
-               <p>Determine if the organization prevents the unauthorized exfiltration of
-                  information across managed interfaces.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capability</p>
-                  <p>preventing unauthorized exfiltration of information across managed
-                     interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.11">
-            <title>Restrict Incoming Communications Traffic</title>
-            <param id="sc-7.11_prm_1">
-               <label>organization-defined authorized sources</label>
-            </param>
-            <param id="sc-7.11_prm_2">
-               <label>organization-defined authorized destinations</label>
-            </param>
-            <prop name="label">SC-7(11)</prop>
-            <prop name="sort-id">sc-07.11</prop>
-            <part id="sc-7.11_smt" name="statement">
-               <p>The information system only allows incoming communications from <insert param-id="sc-7.11_prm_1"/> to be routed to <insert param-id="sc-7.11_prm_2"/>.</p>
-            </part>
-            <part id="sc-7.11_gdn" name="guidance">
-               <p>This control enhancement provides determinations that source and destination
-                  address pairs represent authorized/allowed communications. Such determinations can
-                  be based on several factors including, for example, the presence of
-                  source/destination address pairs in lists of authorized/allowed communications,
-                  the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting
-                  more general rules for authorized/allowed source/destination pairs.</p>
-               <link rel="related" href="#ac-3">AC-3</link>
-            </part>
-            <part id="sc-7.11_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-7.11_obj.1" name="objective">
-                  <prop name="label">SC-7(11)[1]</prop>
-                  <p>the organization defines internal communications traffic to be routed to
-                     external networks;</p>
-               </part>
-               <part id="sc-7.11_obj.2" name="objective">
-                  <prop name="label">SC-7(11)[2]</prop>
-                  <p>the organization defines authorized destinations only to which that incoming
-                     communications from organization-defined authorized sources may be routed;
-                     and</p>
-               </part>
-               <part id="sc-7.11_obj.3" name="objective">
-                  <prop name="label">SC-7(11)[3]</prop>
-                  <p>the information system only allows incoming communications from
-                     organization-defined authorized sources to be routed to organization-defined
-                     authorized destinations.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing boundary protection capabilities with respect
-                     to source/destination address pairs</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.12">
-            <title>Host-based Protection</title>
-            <param id="sc-7.12_prm_1">
-               <label>organization-defined host-based boundary protection mechanisms</label>
-            </param>
-            <param id="sc-7.12_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-7(12)</prop>
-            <prop name="sort-id">sc-07.12</prop>
-            <part id="sc-7.12_smt" name="statement">
-               <p>The organization implements <insert param-id="sc-7.12_prm_1"/> at <insert param-id="sc-7.12_prm_2"/>.</p>
-            </part>
-            <part id="sc-7.12_gdn" name="guidance">
-               <p>Host-based boundary protection mechanisms include, for example, host-based
-                  firewalls. Information system components employing host-based boundary protection
-                  mechanisms include, for example, servers, workstations, and mobile devices.</p>
-            </part>
-            <part id="sc-7.12_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.12_obj.1" name="objective">
-                  <prop name="label">SC-7(12)[1]</prop>
-                  <p>defines host-based boundary protection mechanisms;</p>
-               </part>
-               <part id="sc-7.12_obj.2" name="objective">
-                  <prop name="label">SC-7(12)[2]</prop>
-                  <p>defines information system components where organization-defined host-based
-                     boundary protection mechanisms are to be implemented; and</p>
-               </part>
-               <part id="sc-7.12_obj.3" name="objective">
-                  <prop name="label">SC-7(12)[3]</prop>
-                  <p>implements organization-defined host-based boundary protection mechanisms at
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>boundary protection hardware and software</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-                  <p>information system users</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing host-based boundary protection
-                     capabilities</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.13">
-            <title>Isolation of Security Tools / Mechanisms / Support Components</title>
-            <param id="sc-7.13_prm_1">
-               <label>organization-defined information security tools, mechanisms, and support
-                  components</label>
-            </param>
-            <prop name="label">SC-7(13)</prop>
-            <prop name="sort-id">sc-07.13</prop>
-            <part id="sc-7.13_smt" name="statement">
-               <p>The organization isolates <insert param-id="sc-7.13_prm_1"/> from other internal
-                  information system components by implementing physically separate subnetworks with
-                  managed interfaces to other components of the system.</p>
-            </part>
-            <part id="sc-7.13_gdn" name="guidance">
-               <p>Physically separate subnetworks with managed interfaces are useful, for example,
-                  in isolating computer network defenses from critical operational processing
-                  networks to prevent adversaries from discovering the analysis and forensics
-                  techniques of organizations.</p>
-               <link rel="related" href="#sa-8">SA-8</link>
-               <link rel="related" href="#sc-2">SC-2</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-            </part>
-            <part id="sc-7.13_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.13_obj.1" name="objective">
-                  <prop name="label">SC-7(13)[1]</prop>
-                  <p>defines information security tools, mechanisms, and support components to be
-                     isolated from other internal information system components; and</p>
-               </part>
-               <part id="sc-7.13_obj.2" name="objective">
-                  <prop name="label">SC-7(13)[2]</prop>
-                  <p>isolates organization-defined information security tools, mechanisms, and
-                     support components from other internal information system components by
-                     implementing physically separate subnetworks with managed interfaces to other
-                     components of the system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security tools and support components to be isolated from other
-                     internal information system components</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing isolation of information
-                     security tools, mechanisms, and support components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.14">
-            <title>Protects Against Unauthorized Physical Connections</title>
-            <param id="sc-7.14_prm_1">
-               <label>organization-defined managed interfaces</label>
-            </param>
-            <prop name="label">SC-7(14)</prop>
-            <prop name="sort-id">sc-07.14</prop>
-            <part id="sc-7.14_smt" name="statement">
-               <p>The organization protects against unauthorized physical connections at <insert param-id="sc-7.14_prm_1"/>.</p>
-            </part>
-            <part id="sc-7.14_gdn" name="guidance">
-               <p>Information systems operating at different security categories or classification
-                  levels may share common physical and environmental controls, since the systems may
-                  share space within organizational facilities. In practice, it is possible that
-                  these separate information systems may share common equipment rooms, wiring
-                  closets, and cable distribution paths. Protection against unauthorized physical
-                  connections can be achieved, for example, by employing clearly identified and
-                  physically separated cable trays, connection frames, and patch panels for each
-                  side of managed interfaces with physical access controls enforcing limited
-                  authorized access to these items.</p>
-               <link rel="related" href="#pe-4">PE-4</link>
-               <link rel="related" href="#pe-19">PE-19</link>
-            </part>
-            <part id="sc-7.14_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.14_obj.1" name="objective">
-                  <prop name="label">SC-7(14)[1]</prop>
-                  <p>defines managed interfaces to be protected against unauthorized physical
-                     connections; and</p>
-               </part>
-               <part id="sc-7.14_obj.2" name="objective">
-                  <prop name="label">SC-7(14)[2]</prop>
-                  <p>protects against unauthorized physical connections at organization-defined
-                     managed interfaces.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>facility communications and wiring diagram</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing protection against
-                     unauthorized physical connections</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.15">
-            <title>Route Privileged Network Accesses</title>
-            <prop name="label">SC-7(15)</prop>
-            <prop name="sort-id">sc-07.15</prop>
-            <part id="sc-7.15_smt" name="statement">
-               <p>The information system routes all networked, privileged accesses through a
-                  dedicated, managed interface for purposes of access control and auditing.</p>
-            </part>
-            <part id="sc-7.15_gdn" name="guidance">
-               <link rel="related" href="#ac-2">AC-2</link>
-               <link rel="related" href="#ac-3">AC-3</link>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="sc-7.15_obj" name="objective">
-               <p>Determine if the information system routes all networked, privileged accesses
-                  through a dedicated, managed interface for the purposes of:</p>
-               <part id="sc-7.15_obj.1" name="objective">
-                  <prop name="label">SC-7(15)[1]</prop>
-                  <p>access control; and</p>
-               </part>
-               <part id="sc-7.15_obj.2" name="objective">
-                  <prop name="label">SC-7(15)[2]</prop>
-                  <p>auditing.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>audit logs</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the routing of networked,
-                     privileged access through dedicated managed interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.16">
-            <title>Prevent Discovery of Components / Devices</title>
-            <prop name="label">SC-7(16)</prop>
-            <prop name="sort-id">sc-07.16</prop>
-            <part id="sc-7.16_smt" name="statement">
-               <p>The information system prevents discovery of specific system components composing
-                  a managed interface.</p>
-            </part>
-            <part id="sc-7.16_gdn" name="guidance">
-               <p>This control enhancement protects network addresses of information system
-                  components that are part of managed interfaces from discovery through common tools
-                  and techniques used to identify devices on networks. Network addresses are not
-                  available for discovery (e.g., network address not published or entered in domain
-                  name systems), requiring prior knowledge for access. Another obfuscation technique
-                  is to periodically change network addresses.</p>
-            </part>
-            <part id="sc-7.16_obj" name="objective">
-               <p>Determine if the information system prevents discovery of specific system
-                  components composing a managed interface.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the prevention of discovery
-                     of system components at managed interfaces</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.17">
-            <title>Automated Enforcement of Protocol Formats</title>
-            <prop name="label">SC-7(17)</prop>
-            <prop name="sort-id">sc-07.17</prop>
-            <part id="sc-7.17_smt" name="statement">
-               <p>The information system enforces adherence to protocol formats.</p>
-            </part>
-            <part id="sc-7.17_gdn" name="guidance">
-               <p>Information system components that enforce protocol formats include, for example,
-                  deep packet inspection firewalls and XML gateways. Such system components verify
-                  adherence to protocol formats/specifications (e.g., IEEE) at the application layer
-                  and identify significant vulnerabilities that cannot be detected by devices
-                  operating at the network or transport layers.</p>
-               <link rel="related" href="#sc-4">SC-4</link>
-            </part>
-            <part id="sc-7.17_obj" name="objective">
-               <p>Determine if the information system enforces adherence to protocol formats.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing enforcement of adherence to
-                     protocol formats</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.18">
-            <title>Fail Secure</title>
-            <prop name="label">SC-7(18)</prop>
-            <prop name="sort-id">sc-07.18</prop>
-            <part id="sc-7.18_smt" name="statement">
-               <p>The information system fails securely in the event of an operational failure of a
-                  boundary protection device.</p>
-            </part>
-            <part id="sc-7.18_gdn" name="guidance">
-               <p>Fail secure is a condition achieved by employing information system mechanisms to
-                  ensure that in the event of operational failures of boundary protection devices at
-                  managed interfaces (e.g., routers, firewalls, guards, and application gateways
-                  residing on protected subnetworks commonly referred to as demilitarized zones),
-                  information systems do not enter into unsecure states where intended security
-                  properties no longer hold. Failures of boundary protection devices cannot lead to,
-                  or cause information external to the devices to enter the devices, nor can
-                  failures permit unauthorized information releases.</p>
-               <link rel="related" href="#cp-2">CP-2</link>
-               <link rel="related" href="#sc-24">SC-24</link>
-            </part>
-            <part id="sc-7.18_obj" name="objective">
-               <p>Determine if the information system fails securely in the event of an operational
-                  failure of a boundary protection device.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing secure failure</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.19">
-            <title>Blocks Communication from Non-organizationally Configured Hosts</title>
-            <param id="sc-7.19_prm_1">
-               <label>organization-defined communication clients</label>
-            </param>
-            <prop name="label">SC-7(19)</prop>
-            <prop name="sort-id">sc-07.19</prop>
-            <part id="sc-7.19_smt" name="statement">
-               <p>The information system blocks both inbound and outbound communications traffic
-                  between <insert param-id="sc-7.19_prm_1"/> that are independently configured by
-                  end users and external service providers.</p>
-            </part>
-            <part id="sc-7.19_gdn" name="guidance">
-               <p>Communication clients independently configured by end users and external service
-                  providers include, for example, instant messaging clients. Traffic blocking does
-                  not apply to communication clients that are configured by organizations to perform
-                  authorized functions.</p>
-            </part>
-            <part id="sc-7.19_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.19_obj.1" name="objective">
-                  <prop name="label">SC-7(19)[1]</prop>
-                  <p>defines communication clients that are independently configured by end users
-                     and external service providers; and</p>
-               </part>
-               <part id="sc-7.19_obj.2" name="objective">
-                  <prop name="label">SC-7(19)[2]</prop>
-                  <p>blocks, between organization-defined communication clients that are
-                     independently configured by end users and external service providers,:</p>
-                  <part id="sc-7.19_obj.2.a" name="objective">
-                     <prop name="label">SC-7(19)[2][a]</prop>
-                     <p>inbound communications traffic; and</p>
-                  </part>
-                  <part id="sc-7.19_obj.2.b" name="objective">
-                     <prop name="label">SC-7(19)[2][b]</prop>
-                     <p>outbound communications traffic.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of communication clients independently configured by end users and
-                     external service providers</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the blocking of inbound and
-                     outbound communications traffic between communication clients independently
-                     configured by end users and external service providers</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.20">
-            <title>Dynamic Isolation / Segregation</title>
-            <param id="sc-7.20_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-7(20)</prop>
-            <prop name="sort-id">sc-07.20</prop>
-            <part id="sc-7.20_smt" name="statement">
-               <p>The information system provides the capability to dynamically isolate/segregate
-                     <insert param-id="sc-7.20_prm_1"/> from other components of the system.</p>
-            </part>
-            <part id="sc-7.20_gdn" name="guidance">
-               <p>The capability to dynamically isolate or segregate certain internal components of
-                  organizational information systems is useful when it is necessary to partition or
-                  separate certain components of dubious origin from those components possessing
-                  greater trustworthiness. Component isolation reduces the attack surface of
-                  organizational information systems. Isolation of selected information system
-                  components is also a means of limiting the damage from successful cyber attacks
-                  when those attacks occur.</p>
-            </part>
-            <part id="sc-7.20_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-7.20_obj.1" name="objective">
-                  <prop name="label">SC-7(20)[1]</prop>
-                  <p>the organization defines information system components to be dynamically
-                     isolated/segregated from other components of the system; and</p>
-               </part>
-               <part id="sc-7.20_obj.2" name="objective">
-                  <prop name="label">SC-7(20)[2]</prop>
-                  <p>the information system provides the capability to dynamically isolate/segregate
-                     organization-defined information system components from other components of the
-                     system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of information system components to be dynamically isolated/segregated
-                     from other components of the system</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the capability to
-                     dynamically isolate/segregate information system components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.21">
-            <title>Isolation of Information System Components</title>
-            <param id="sc-7.21_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <param id="sc-7.21_prm_2">
-               <label>organization-defined missions and/or business functions</label>
-            </param>
-            <prop name="label">SC-7(21)</prop>
-            <prop name="sort-id">sc-07.21</prop>
-            <part id="sc-7.21_smt" name="statement">
-               <p>The organization employs boundary protection mechanisms to separate <insert param-id="sc-7.21_prm_1"/> supporting <insert param-id="sc-7.21_prm_2"/>.</p>
-            </part>
-            <part id="sc-7.21_gdn" name="guidance">
-               <p>Organizations can isolate information system components performing different
-                  missions and/or business functions. Such isolation limits unauthorized information
-                  flows among system components and also provides the opportunity to deploy greater
-                  levels of protection for selected components. Separating system components with
-                  boundary protection mechanisms provides the capability for increased protection of
-                  individual components and to more effectively control information flows between
-                  those components. This type of enhanced protection limits the potential harm from
-                  cyber attacks and errors. The degree of separation provided varies depending upon
-                  the mechanisms chosen. Boundary protection mechanisms include, for example,
-                  routers, gateways, and firewalls separating system components into physically
-                  separate networks or subnetworks, cross-domain devices separating subnetworks,
-                  virtualization techniques, and encrypting information flows among system
-                  components using distinct encryption keys.</p>
-               <link rel="related" href="#ca-9">CA-9</link>
-               <link rel="related" href="#sc-3">SC-3</link>
-            </part>
-            <part id="sc-7.21_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-7.21_obj.1" name="objective">
-                  <prop name="label">SC-7(21)[1]</prop>
-                  <p>defines information system components to be separated by boundary protection
-                     mechanisms;</p>
-               </part>
-               <part id="sc-7.21_obj.2" name="objective">
-                  <prop name="label">SC-7(21)[2]</prop>
-                  <p>defines missions and/or business functions to be supported by
-                     organization-defined information system components separated by boundary
-                     protection mechanisms; and</p>
-               </part>
-               <part id="sc-7.21_obj.3" name="objective">
-                  <prop name="label">SC-7(21)[3]</prop>
-                  <p>employs boundary protection mechanisms to separate organization-defined
-                     information system components supporting organization-defined missions and/or
-                     business functions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>enterprise architecture documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the capability to separate
-                     information system components supporting organizational missions and/or
-                     business functions</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.22">
-            <title>Separate Subnets for Connecting to Different Security Domains</title>
-            <prop name="label">SC-7(22)</prop>
-            <prop name="sort-id">sc-07.22</prop>
-            <part id="sc-7.22_smt" name="statement">
-               <p>The information system implements separate network addresses (i.e., different
-                  subnets) to connect to systems in different security domains.</p>
-            </part>
-            <part id="sc-7.22_gdn" name="guidance">
-               <p>Decomposition of information systems into subnets helps to provide the appropriate
-                  level of protection for network connections to different security domains
-                  containing information with different security categories or classification
-                  levels.</p>
-            </part>
-            <part id="sc-7.22_obj" name="objective">
-               <p>Determine if the information system implements separate network addresses (i.e.,
-                  different subnets) to connect to systems in different security domains.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing separate network
-                     addresses/different subnets</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.23">
-            <title>Disable Sender Feedback On Protocol Validation Failure</title>
-            <prop name="label">SC-7(23)</prop>
-            <prop name="sort-id">sc-07.23</prop>
-            <part id="sc-7.23_smt" name="statement">
-               <p>The information system disables feedback to senders on protocol format validation
-                  failure.</p>
-            </part>
-            <part id="sc-7.23_gdn" name="guidance">
-               <p>Disabling feedback to senders when there is a failure in protocol validation
-                  format prevents adversaries from obtaining information which would otherwise be
-                  unavailable.</p>
-            </part>
-            <part id="sc-7.23_obj" name="objective">
-               <p>Determine if the information system disables feedback to senders on protocol
-                  format validation failure.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing boundary protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system hardware and software</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with boundary protection responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the disabling of feedback
-                     to senders on protocol format validation failure</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-8">
-         <title>Transmission Confidentiality and Integrity</title>
-         <param id="sc-8_prm_1">
-            <select how-many="one or more">
-               <choice>confidentiality</choice>
-               <choice>integrity</choice>
-            </select>
-         </param>
-         <prop name="label">SC-8</prop>
-         <prop name="sort-id">sc-08</prop>
-         <link href="#d715b234-9b5b-4e07-b1ed-99836727664d" rel="reference">FIPS Publication 140-2</link>
-         <link href="#f2dbd4ec-c413-4714-b85b-6b7184d1c195" rel="reference">FIPS Publication 197</link>
-         <link href="#90c5bc98-f9c4-44c9-98b7-787422f0999c" rel="reference">NIST Special Publication 800-52</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <link href="#349fe082-502d-464a-aa0c-1443c6a5cf40" rel="reference">NIST Special Publication 800-113</link>
-         <link href="#a4aa9645-9a8a-4b51-90a9-e223250f9a75" rel="reference">CNSS Policy 15</link>
-         <link href="#06dff0ea-3848-4945-8d91-e955ee69f05d" rel="reference">NSTISSI No. 7003</link>
-         <part id="sc-8_smt" name="statement">
-            <p>The information system protects the <insert param-id="sc-8_prm_1"/> of transmitted
-               information.</p>
-         </part>
-         <part id="sc-8_gdn" name="guidance">
-            <p>This control applies to both internal and external networks and all types of
-               information system components from which information can be transmitted (e.g.,
-               servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile
-               machines). Communication paths outside the physical protection of a controlled
-               boundary are exposed to the possibility of interception and modification. Protecting
-               the confidentiality and/or integrity of organizational information can be
-               accomplished by physical means (e.g., by employing protected distribution systems) or
-               by logical means (e.g., employing encryption techniques). Organizations relying on
-               commercial providers offering transmission services as commodity services rather than
-               as fully dedicated services (i.e., services which can be highly specialized to
-               individual customer needs), may find it difficult to obtain the necessary assurances
-               regarding the implementation of needed security controls for transmission
-               confidentiality/integrity. In such situations, organizations determine what types of
-               confidentiality/integrity services are available in standard, commercial
-               telecommunication service packages. If it is infeasible or impractical to obtain the
-               necessary security controls and assurances of control effectiveness through
-               appropriate contracting vehicles, organizations implement appropriate compensating
-               security controls or explicitly accept the additional risk.</p>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-         </part>
-         <part id="sc-8_obj" name="objective">
-            <p>Determine if the information system protects one or more of the following:</p>
-            <part id="sc-8_obj.1" name="objective">
-               <prop name="label">SC-8[1]</prop>
-               <p>confidentiality of transmitted information; and/or</p>
-            </part>
-            <part id="sc-8_obj.2" name="objective">
-               <prop name="label">SC-8[2]</prop>
-               <p>integrity of transmitted information.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing transmission confidentiality and integrity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing transmission confidentiality
-                  and/or integrity</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-8.1">
-            <title>Cryptographic or Alternate Physical Protection</title>
-            <param id="sc-8.1_prm_1">
-               <select how-many="one or more">
-                  <choice>prevent unauthorized disclosure of information</choice>
-                  <choice>detect changes to information</choice>
-               </select>
-            </param>
-            <param id="sc-8.1_prm_2">
-               <label>organization-defined alternative physical safeguards</label>
-            </param>
-            <prop name="label">SC-8(1)</prop>
-            <prop name="sort-id">sc-08.01</prop>
-            <part id="sc-8.1_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to <insert param-id="sc-8.1_prm_1"/> during transmission unless otherwise protected by
-                     <insert param-id="sc-8.1_prm_2"/>.</p>
-            </part>
-            <part id="sc-8.1_gdn" name="guidance">
-               <p>Encrypting information for transmission protects information from unauthorized
-                  disclosure and modification. Cryptographic mechanisms implemented to protect
-                  information integrity include, for example, cryptographic hash functions which
-                  have common application in digital signatures, checksums, and message
-                  authentication codes. Alternative physical security safeguards include, for
-                  example, protected distribution systems.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-8.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-8.1_obj.1" name="objective">
-                  <prop name="label">SC-8(1)[1]</prop>
-                  <p>the organization defines physical safeguards to be implemented to protect
-                     information during transmission when cryptographic mechanisms are not
-                     implemented; and</p>
-               </part>
-               <part id="sc-8.1_obj.2" name="objective">
-                  <prop name="label">SC-8(1)[2]</prop>
-                  <p>the information system implements cryptographic mechanisms to do one or more of
-                     the following during transmission unless otherwise protected by
-                     organization-defined alternative physical safeguards:</p>
-                  <part id="sc-8.1_obj.2.a" name="objective">
-                     <prop name="label">SC-8(1)[2][a]</prop>
-                     <p>prevent unauthorized disclosure of information; and/or</p>
-                  </part>
-                  <part id="sc-8.1_obj.2.b" name="objective">
-                     <prop name="label">SC-8(1)[2][b]</prop>
-                     <p>detect changes to information.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing transmission confidentiality and integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms supporting and/or implementing transmission
-                     confidentiality and/or integrity</p>
-                  <p>automated mechanisms supporting and/or implementing alternative physical
-                     safeguards</p>
-                  <p>organizational processes for defining and implementing alternative physical
-                     safeguards</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-8.2">
-            <title>Pre / Post Transmission Handling</title>
-            <param id="sc-8.2_prm_1">
-               <select how-many="one or more">
-                  <choice>confidentiality</choice>
-                  <choice>integrity</choice>
-               </select>
-            </param>
-            <prop name="label">SC-8(2)</prop>
-            <prop name="sort-id">sc-08.02</prop>
-            <part id="sc-8.2_smt" name="statement">
-               <p>The information system maintains the <insert param-id="sc-8.2_prm_1"/> of
-                  information during preparation for transmission and during reception.</p>
-            </part>
-            <part id="sc-8.2_gdn" name="guidance">
-               <p>Information can be either unintentionally or maliciously disclosed or modified
-                  during preparation for transmission or during reception including, for example,
-                  during aggregation, at protocol transformation points, and during
-                  packing/unpacking. These unauthorized disclosures or modifications compromise the
-                  confidentiality or integrity of the information.</p>
-               <link rel="related" href="#au-10">AU-10</link>
-            </part>
-            <part id="sc-8.2_obj" name="objective">
-               <p>Determine if the information system maintains one or more of the following:</p>
-               <part id="sc-8.2_obj.1" name="objective">
-                  <prop name="label">SC-8(2)[1]</prop>
-                  <p>confidentiality of information during preparation for transmission;</p>
-               </part>
-               <part id="sc-8.2_obj.2" name="objective">
-                  <prop name="label">SC-8(2)[2]</prop>
-                  <p>confidentiality of information during reception; and/or</p>
-               </part>
-               <part id="sc-8.2_obj.3" name="objective">
-                  <prop name="label">SC-8(2)[3]</prop>
-                  <p>integrity of information during preparation for transmission;</p>
-               </part>
-               <part id="sc-8.2_obj.4" name="objective">
-                  <prop name="label">SC-8(2)[4]</prop>
-                  <p>integrity of information during reception.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing transmission confidentiality and integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing transmission
-                     confidentiality and/or integrity</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-8.3">
-            <title>Cryptographic Protection for Message Externals</title>
-            <param id="sc-8.3_prm_1">
-               <label>organization-defined alternative physical safeguards</label>
-            </param>
-            <prop name="label">SC-8(3)</prop>
-            <prop name="sort-id">sc-08.03</prop>
-            <part id="sc-8.3_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to protect message
-                  externals unless otherwise protected by <insert param-id="sc-8.3_prm_1"/>.</p>
-            </part>
-            <part id="sc-8.3_gdn" name="guidance">
-               <p>This control enhancement addresses protection against unauthorized disclosure of
-                  information. Message externals include, for example, message headers/routing
-                  information. This control enhancement prevents the exploitation of message
-                  externals and applies to both internal and external networks or links that may be
-                  visible to individuals who are not authorized users. Header/routing information is
-                  sometimes transmitted unencrypted because the information is not properly
-                  identified by organizations as having significant value or because encrypting the
-                  information can result in lower network performance and/or higher costs.
-                  Alternative physical safeguards include, for example, protected distribution
-                  systems.</p>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-8.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-8.3_obj.1" name="objective">
-                  <prop name="label">SC-8(3)[1]</prop>
-                  <p>the organization defines alternative physical safeguards to be implemented to
-                     protect message externals; and</p>
-               </part>
-               <part id="sc-8.3_obj.2" name="objective">
-                  <prop name="label">SC-8(3)[2]</prop>
-                  <p>the information system implements cryptographic mechanisms to protect message
-                     externals unless otherwise protected by organization-defined alternative
-                     physical safeguards.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing transmission confidentiality and integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms supporting and/or implementing transmission
-                     confidentiality and/or integrity for message externals</p>
-                  <p>automated mechanisms supporting and/or implementing alternative physical
-                     safeguards</p>
-                  <p>organizational processes for defining and implementing alternative physical
-                     safeguards</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-8.4">
-            <title>Conceal / Randomize Communications</title>
-            <param id="sc-8.4_prm_1">
-               <label>organization-defined alternative physical safeguards</label>
-            </param>
-            <prop name="label">SC-8(4)</prop>
-            <prop name="sort-id">sc-08.04</prop>
-            <part id="sc-8.4_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to conceal or randomize
-                  communication patterns unless otherwise protected by <insert param-id="sc-8.4_prm_1"/>.</p>
-            </part>
-            <part id="sc-8.4_gdn" name="guidance">
-               <p>This control enhancement addresses protection against unauthorized disclosure of
-                  information. Communication patterns include, for example, frequency, periods,
-                  amount, and predictability. Changes to communications patterns can reveal
-                  information having intelligence value especially when combined with other
-                  available information related to missions/business functions supported by
-                  organizational information systems. This control enhancement prevents the
-                  derivation of intelligence based on communications patterns and applies to both
-                  internal and external networks or links that may be visible to individuals who are
-                  not authorized users. Encrypting the links and transmitting in continuous,
-                  fixed/random patterns prevents the derivation of intelligence from the system
-                  communications patterns. Alternative physical safeguards include, for example,
-                  protected distribution systems.</p>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-8.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-8.4_obj.1" name="objective">
-                  <prop name="label">SC-8(4)[1]</prop>
-                  <p>the organization defines alternative physical safeguards to be implemented to
-                     protect against unauthorized disclosure of communication patterns;</p>
-               </part>
-               <part id="sc-8.4_obj.2" name="objective">
-                  <prop name="label">SC-8(4)[2]</prop>
-                  <p>the information system, unless otherwise protected by organization-defined
-                     alternative physical safeguards, implements cryptographic mechanisms to:</p>
-                  <part id="sc-8.4_obj.2.a" name="objective">
-                     <prop name="label">SC-8(4)[2][a]</prop>
-                     <p>conceal communication patterns; or</p>
-                  </part>
-                  <part id="sc-8.4_obj.2.b" name="objective">
-                     <prop name="label">SC-8(4)[2][b]</prop>
-                     <p>randomize communication patterns.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing transmission confidentiality and integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms supporting and/or implementing concealment or
-                     randomization of communications patterns</p>
-                  <p>automated mechanisms supporting and/or implementing alternative physical
-                     safeguards</p>
-                  <p>organizational processes for defining and implementing alternative physical
-                     safeguards</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-9">
-         <title>Transmission Confidentiality</title>
-         <prop name="label">SC-9</prop>
-         <prop name="sort-id">sc-09</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#sc-8">SC-8</link>
-      </control>
-      <control class="SP800-53" id="sc-10">
-         <title>Network Disconnect</title>
-         <param id="sc-10_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">SC-10</prop>
-         <prop name="sort-id">sc-10</prop>
-         <part id="sc-10_smt" name="statement">
-            <p>The information system terminates the network connection associated with a
-               communications session at the end of the session or after <insert param-id="sc-10_prm_1"/> of inactivity.</p>
-         </part>
-         <part id="sc-10_gdn" name="guidance">
-            <p>This control applies to both internal and external networks. Terminating network
-               connections associated with communications sessions include, for example,
-               de-allocating associated TCP/IP address/port pairs at the operating system level, or
-               de-allocating networking assignments at the application level if multiple application
-               sessions are using a single, operating system-level network connection. Time periods
-               of inactivity may be established by organizations and include, for example, time
-               periods by type of network access or for specific network accesses.</p>
-         </part>
-         <part id="sc-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-10_obj.1" name="objective">
-               <prop name="label">SC-10[1]</prop>
-               <p>the organization defines a time period of inactivity after which the information
-                  system terminates a network connection associated with a communications session;
-                  and</p>
-            </part>
-            <part id="sc-10_obj.2" name="objective">
-               <prop name="label">SC-10[2]</prop>
-               <p>the information system terminates the network connection associated with a
-                  communication session at the end of the session or after the organization-defined
-                  time period of inactivity.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing network disconnect</p>
-               <p>information system design documentation</p>
-               <p>security plan</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing network disconnect
-                  capability</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-11">
-         <title>Trusted Path</title>
-         <param id="sc-11_prm_1">
-            <label>organization-defined security functions to include at a minimum, information
-               system authentication and re-authentication</label>
-         </param>
-         <prop name="label">SC-11</prop>
-         <prop name="sort-id">sc-11</prop>
-         <part id="sc-11_smt" name="statement">
-            <p>The information system establishes a trusted communications path between the user and
-               the following security functions of the system: <insert param-id="sc-11_prm_1"/>.</p>
-         </part>
-         <part id="sc-11_gdn" name="guidance">
-            <p>Trusted paths are mechanisms by which users (through input devices) can communicate
-               directly with security functions of information systems with the requisite assurance
-               to support information security policies. The mechanisms can be activated only by
-               users or the security functions of organizational information systems. User responses
-               via trusted paths are protected from modifications by or disclosure to untrusted
-               applications. Organizations employ trusted paths for high-assurance connections
-               between security functions of information systems and users (e.g., during system
-               logons). Enforcement of trusted communications paths is typically provided via an
-               implementation that meets the reference monitor concept.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#ac-25">AC-25</link>
-         </part>
-         <part id="sc-11_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-11_obj.1" name="objective">
-               <prop name="label">SC-11[1]</prop>
-               <p>the organization defines security functions of the information system;</p>
-            </part>
-            <part id="sc-11_obj.2" name="objective">
-               <prop name="label">SC-11[2]</prop>
-               <p>the organization-defined security functions include at a minimum, information
-                  system authentication and re-authentication; and</p>
-            </part>
-            <part id="sc-11_obj.3" name="objective">
-               <prop name="label">SC-11[3]</prop>
-               <p>the information system establishes a trusted communications path between the user
-                  and the organization-defined security functions of the system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing trusted communications paths</p>
-               <p>security plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>assessment results from independent, testing organizations</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing trusted communications
-                  paths</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-11.1">
-            <title>Logical Isolation</title>
-            <prop name="label">SC-11(1)</prop>
-            <prop name="sort-id">sc-11.01</prop>
-            <part id="sc-11.1_smt" name="statement">
-               <p>The information system provides a trusted communications path that is logically
-                  isolated and distinguishable from other paths.</p>
-            </part>
-            <part id="sc-11.1_obj" name="objective">
-               <p>Determine if the information system provides a trusted communications path that
-                  is:</p>
-               <part id="sc-11.1_obj.1" name="objective">
-                  <prop name="label">SC-11(1)[1]</prop>
-                  <p>logically isolated; and</p>
-               </part>
-               <part id="sc-11.1_obj.2" name="objective">
-                  <prop name="label">SC-11(1)[2]</prop>
-                  <p>distinguishable from other paths.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing trusted communications paths</p>
-                  <p>security plan</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>assessment results from independent, testing organizations</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing trusted communications
-                     paths</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-12">
-         <title>Cryptographic Key Establishment and Management</title>
-         <param id="sc-12_prm_1">
-            <label>organization-defined requirements for key generation, distribution, storage,
-               access, and destruction</label>
-         </param>
-         <prop name="label">SC-12</prop>
-         <prop name="sort-id">sc-12</prop>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <part id="sc-12_smt" name="statement">
-            <p>The organization establishes and manages cryptographic keys for required cryptography
-               employed within the information system in accordance with <insert param-id="sc-12_prm_1"/>.</p>
-         </part>
-         <part id="sc-12_gdn" name="guidance">
-            <p>Cryptographic key management and establishment can be performed using manual
-               procedures or automated mechanisms with supporting manual procedures. Organizations
-               define key management requirements in accordance with applicable federal laws,
-               Executive Orders, directives, regulations, policies, standards, and guidance,
-               specifying appropriate options, levels, and parameters. Organizations manage trust
-               stores to ensure that only approved trust anchors are in such trust stores. This
-               includes certificates with visibility external to organizational information systems
-               and certificates related to the internal operations of systems.</p>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-         </part>
-         <part id="sc-12_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-12_obj.1" name="objective">
-               <prop name="label">SC-12[1]</prop>
-               <p>defines requirements for cryptographic key:</p>
-               <part id="sc-12_obj.1.a" name="objective">
-                  <prop name="label">SC-12[1][a]</prop>
-                  <p>generation;</p>
-               </part>
-               <part id="sc-12_obj.1.b" name="objective">
-                  <prop name="label">SC-12[1][b]</prop>
-                  <p>distribution;</p>
-               </part>
-               <part id="sc-12_obj.1.c" name="objective">
-                  <prop name="label">SC-12[1][c]</prop>
-                  <p>storage;</p>
-               </part>
-               <part id="sc-12_obj.1.d" name="objective">
-                  <prop name="label">SC-12[1][d]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="sc-12_obj.1.e" name="objective">
-                  <prop name="label">SC-12[1][e]</prop>
-                  <p>destruction; and</p>
-               </part>
-            </part>
-            <part id="sc-12_obj.2" name="objective">
-               <prop name="label">SC-12[2]</prop>
-               <p>establishes and manages cryptographic keys for required cryptography employed
-                  within the information system in accordance with organization-defined requirements
-                  for key generation, distribution, storage, access, and destruction.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic key establishment and management</p>
-               <p>information system design documentation</p>
-               <p>cryptographic mechanisms</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for cryptographic key establishment
-                  and/or management</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic key
-                  establishment and management</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-12.1">
-            <title>Availability</title>
-            <prop name="label">SC-12(1)</prop>
-            <prop name="sort-id">sc-12.01</prop>
-            <part id="sc-12.1_smt" name="statement">
-               <p>The organization maintains availability of information in the event of the loss of
-                  cryptographic keys by users.</p>
-            </part>
-            <part id="sc-12.1_gdn" name="guidance">
-               <p>Escrowing of encryption keys is a common practice for ensuring availability in the
-                  event of loss of keys (e.g., due to forgotten passphrase).</p>
-            </part>
-            <part id="sc-12.1_obj" name="objective">
-               <p>Determine if the organization maintains availability of information in the event
-                  of the loss of cryptographic keys by users.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing cryptographic key establishment, management, and
-                     recovery</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibilities for cryptographic key
-                     establishment or management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing cryptographic key
-                     establishment and management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.2">
-            <title>Symmetric Keys</title>
-            <param id="sc-12.2_prm_1">
-               <select>
-                  <choice>NIST FIPS-compliant</choice>
-                  <choice>NSA-approved</choice>
-               </select>
-            </param>
-            <prop name="label">SC-12(2)</prop>
-            <prop name="sort-id">sc-12.02</prop>
-            <part id="sc-12.2_smt" name="statement">
-               <p>The organization produces, controls, and distributes symmetric cryptographic keys
-                  using <insert param-id="sc-12.2_prm_1"/> key management technology and
-                  processes.</p>
-            </part>
-            <part id="sc-12.2_obj" name="objective">
-               <p>Determine if the organization produces, controls, and distributes symmetric
-                  cryptographic keys using one of the following: </p>
-               <part id="sc-12.2_obj.1" name="objective">
-                  <prop name="label">SC-12(2)[1]</prop>
-                  <p>NIST FIPS-compliant key management technology and processes; or</p>
-               </part>
-               <part id="sc-12.2_obj.2" name="objective">
-                  <prop name="label">SC-12(2)[2]</prop>
-                  <p>NSA-approved key management technology and processes.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing cryptographic key establishment and management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of FIPS validated cryptographic products</p>
-                  <p>list of NSA-approved cryptographic products</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for cryptographic key
-                     establishment or management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing symmetric cryptographic key
-                     establishment and management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.3">
-            <title>Asymmetric Keys</title>
-            <param id="sc-12.3_prm_1">
-               <select>
-                  <choice>NSA-approved key management technology and processes</choice>
-                  <choice>approved PKI Class 3 certificates or prepositioned keying
-                     material</choice>
-                  <choice>approved PKI Class 3 or Class 4 certificates and hardware security tokens
-                     that protect the user’s private key</choice>
-               </select>
-            </param>
-            <prop name="label">SC-12(3)</prop>
-            <prop name="sort-id">sc-12.03</prop>
-            <part id="sc-12.3_smt" name="statement">
-               <p>The organization produces, controls, and distributes asymmetric cryptographic keys
-                  using <insert param-id="sc-12.3_prm_1"/>.</p>
-            </part>
-            <part id="sc-12.3_obj" name="objective">
-               <p>Determine if the organization produces, controls, and distributes asymmetric
-                  cryptographic keys using one of the following: </p>
-               <part id="sc-12.3_obj.1" name="objective">
-                  <prop name="label">SC-12(3)[1]</prop>
-                  <p>NSA-approved key management technology and processes;</p>
-               </part>
-               <part id="sc-12.3_obj.2" name="objective">
-                  <prop name="label">SC-12(3)[2]</prop>
-                  <p>approved PKI Class 3 certificates or prepositioned keying material; or</p>
-               </part>
-               <part id="sc-12.3_obj.3" name="objective">
-                  <prop name="label">SC-12(3)[3]</prop>
-                  <p>approved PKI Class 3 or Class 4 certificates and hardware security tokens that
-                     protect the user’s private key.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing cryptographic key establishment and management</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of NSA-approved cryptographic products</p>
-                  <p>list of approved PKI Class 3 and Class 4 certificates</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for cryptographic key
-                     establishment or management</p>
-                  <p>organizational personnel with responsibilities for PKI certificates</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing asymmetric cryptographic
-                     key establishment and management</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.4">
-            <title>PKI Certificates</title>
-            <prop name="label">SC-12(4)</prop>
-            <prop name="sort-id">sc-12.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-12">SC-12</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.5">
-            <title>PKI Certificates / Hardware Tokens</title>
-            <prop name="label">SC-12(5)</prop>
-            <prop name="sort-id">sc-12.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-12">SC-12</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-13">
-         <title>Cryptographic Protection</title>
-         <param id="sc-13_prm_1">
-            <label>organization-defined cryptographic uses and type of cryptography required for
-               each use</label>
-         </param>
-         <prop name="label">SC-13</prop>
-         <prop name="sort-id">sc-13</prop>
-         <link href="#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9" rel="reference">FIPS Publication 140</link>
-         <link href="#6a1041fc-054e-4230-946b-2e6f4f3731bb" rel="reference">http://csrc.nist.gov/cryptval</link>
-         <link href="#9b97ed27-3dd6-4f9a-ade5-1b43e9669794" rel="reference">http://www.cnss.gov</link>
-         <part id="sc-13_smt" name="statement">
-            <p>The information system implements <insert param-id="sc-13_prm_1"/> in accordance with
-               applicable federal laws, Executive Orders, directives, policies, regulations, and
-               standards.</p>
-         </part>
-         <part id="sc-13_gdn" name="guidance">
-            <p>Cryptography can be employed to support a variety of security solutions including,
-               for example, the protection of classified and Controlled Unclassified Information,
-               the provision of digital signatures, and the enforcement of information separation
-               when authorized individuals have the necessary clearances for such information but
-               lack the necessary formal access approvals. Cryptography can also be used to support
-               random number generation and hash generation. Generally applicable cryptographic
-               standards include FIPS-validated cryptography and NSA-approved cryptography. This
-               control does not impose any requirements on organizations to use cryptography.
-               However, if cryptography is required based on the selection of other security
-               controls, organizations define each type of cryptographic use and the type of
-               cryptography required (e.g., protection of classified information: NSA-approved
-               cryptography; provision of digital signatures: FIPS-validated cryptography).</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-7">IA-7</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-13_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-13_obj.1" name="objective">
-               <prop name="label">SC-13[1]</prop>
-               <p>the organization defines cryptographic uses; and</p>
-            </part>
-            <part id="sc-13_obj.2" name="objective">
-               <prop name="label">SC-13[2]</prop>
-               <p>the organization defines the type of cryptography required for each use; and</p>
-            </part>
-            <part id="sc-13_obj.3" name="objective">
-               <prop name="label">SC-13[3]</prop>
-               <p>the information system implements the organization-defined cryptographic uses and
-                  type of cryptography required for each use in accordance with applicable federal
-                  laws, Executive Orders, directives, policies, regulations, and standards.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing cryptographic protection</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>cryptographic module validation certificates</p>
-               <p>list of FIPS validated cryptographic modules</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for cryptographic protection</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing cryptographic protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-13.1">
-            <title>Fips-validated Cryptography</title>
-            <prop name="label">SC-13(1)</prop>
-            <prop name="sort-id">sc-13.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-13.2">
-            <title>Nsa-approved Cryptography</title>
-            <prop name="label">SC-13(2)</prop>
-            <prop name="sort-id">sc-13.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-13.3">
-            <title>Individuals Without Formal Access Approvals</title>
-            <prop name="label">SC-13(3)</prop>
-            <prop name="sort-id">sc-13.03</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-13.4">
-            <title>Digital Signatures</title>
-            <prop name="label">SC-13(4)</prop>
-            <prop name="sort-id">sc-13.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-14">
-         <title>Public Access Protections</title>
-         <prop name="label">SC-14</prop>
-         <prop name="sort-id">sc-14</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#ac-2">AC-2</link>
-         <link rel="incorporated-into" href="#ac-3">AC-3</link>
-         <link rel="incorporated-into" href="#ac-5">AC-5</link>
-         <link rel="incorporated-into" href="#ac-6">AC-6</link>
-         <link rel="incorporated-into" href="#si-3">SI-3</link>
-         <link rel="incorporated-into" href="#si-4">SI-4</link>
-         <link rel="incorporated-into" href="#si-5">SI-5</link>
-         <link rel="incorporated-into" href="#si-7">SI-7</link>
-         <link rel="incorporated-into" href="#si-10">SI-10</link>
-      </control>
-      <control class="SP800-53" id="sc-15">
-         <title>Collaborative Computing Devices</title>
-         <param id="sc-15_prm_1">
-            <label>organization-defined exceptions where remote activation is to be allowed</label>
-         </param>
-         <prop name="label">SC-15</prop>
-         <prop name="sort-id">sc-15</prop>
-         <part id="sc-15_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-15_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prohibits remote activation of collaborative computing devices with the following
-                  exceptions: <insert param-id="sc-15_prm_1"/>; and</p>
-            </part>
-            <part id="sc-15_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides an explicit indication of use to users physically present at the
-                  devices.</p>
-            </part>
-         </part>
-         <part id="sc-15_gdn" name="guidance">
-            <p>Collaborative computing devices include, for example, networked white boards,
-               cameras, and microphones. Explicit indication of use includes, for example, signals
-               to users when collaborative computing devices are activated.</p>
-            <link rel="related" href="#ac-21">AC-21</link>
-         </part>
-         <part id="sc-15_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-15.a_obj" name="objective">
-               <prop name="label">SC-15(a)</prop>
-               <part id="sc-15.a_obj.1" name="objective">
-                  <prop name="label">SC-15(a)[1]</prop>
-                  <p>the organization defines exceptions where remote activation of collaborative
-                     computing devices is to be allowed;</p>
-               </part>
-               <part id="sc-15.a_obj.2" name="objective">
-                  <prop name="label">SC-15(a)[2]</prop>
-                  <p>the information system prohibits remote activation of collaborative computing
-                     devices, except for organization-defined exceptions where remote activation is
-                     to be allowed; and</p>
-               </part>
-            </part>
-            <part id="sc-15.b_obj" name="objective">
-               <prop name="label">SC-15(b)</prop>
-               <p>the information system provides an explicit indication of use to users physically
-                  present at the devices.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing collaborative computing</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel with responsibilities for managing collaborative
-                  computing devices</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing management of remote
-                  activation of collaborative computing devices</p>
-               <p>automated mechanisms providing an indication of use of collaborative computing
-                  devices</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-15.1">
-            <title>Physical Disconnect</title>
-            <prop name="label">SC-15(1)</prop>
-            <prop name="sort-id">sc-15.01</prop>
-            <part id="sc-15.1_smt" name="statement">
-               <p>The information system provides physical disconnect of collaborative computing
-                  devices in a manner that supports ease of use.</p>
-            </part>
-            <part id="sc-15.1_gdn" name="guidance">
-               <p>Failing to physically disconnect from collaborative computing devices can result
-                  in subsequent compromises of organizational information. Providing easy methods to
-                  physically disconnect from such devices after a collaborative computing session
-                  helps to ensure that participants actually carry out the disconnect activity
-                  without having to go through complex and tedious procedures.</p>
-            </part>
-            <part id="sc-15.1_obj" name="objective">
-               <p>Determine if the information system provides physical disconnect of collaborative
-                  computing devices in a manner that supports ease of use.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing collaborative computing</p>
-                  <p>access control policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for managing collaborative
-                     computing devices</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing physical disconnect of
-                     collaborative computing devices</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-15.2">
-            <title>Blocking Inbound / Outbound Communications Traffic</title>
-            <prop name="label">SC-15(2)</prop>
-            <prop name="sort-id">sc-15.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-15.3">
-            <title>Disabling / Removal in Secure Work Areas</title>
-            <param id="sc-15.3_prm_1">
-               <label>organization-defined information systems or information system
-                  components</label>
-            </param>
-            <param id="sc-15.3_prm_2">
-               <label>organization-defined secure work areas</label>
-            </param>
-            <prop name="label">SC-15(3)</prop>
-            <prop name="sort-id">sc-15.03</prop>
-            <part id="sc-15.3_smt" name="statement">
-               <p>The organization disables or removes collaborative computing devices from <insert param-id="sc-15.3_prm_1"/> in <insert param-id="sc-15.3_prm_2"/>.</p>
-            </part>
-            <part id="sc-15.3_gdn" name="guidance">
-               <p>Failing to disable or remove collaborative computing devices from information
-                  systems or information system components can result in subsequent compromises of
-                  organizational information including, for example, eavesdropping on
-                  conversations.</p>
-            </part>
-            <part id="sc-15.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-15.3_obj.1" name="objective">
-                  <prop name="label">SC-15(3)[1]</prop>
-                  <p>defines information systems or information system components from which
-                     collaborative computing devices are to be disabled or removed;</p>
-               </part>
-               <part id="sc-15.3_obj.2" name="objective">
-                  <prop name="label">SC-15(3)[2]</prop>
-                  <p>defines secure work areas where collaborative computing devices are to be
-                     disabled or removed from information systems or information system components
-                     placed in such work areas; and</p>
-               </part>
-               <part id="sc-15.3_obj.3" name="objective">
-                  <prop name="label">SC-15(3)[3]</prop>
-                  <p>disables or removes collaborative computing devices from organization-defined
-                     information systems or information system components in organization-defined
-                     secure work areas.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing collaborative computing</p>
-                  <p>access control policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of secure work areas</p>
-                  <p>information systems or information system components in secured work areas
-                     where collaborative computing devices are to be disabled or removed</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibilities for managing collaborative
-                     computing devices</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the capability to disable
-                     collaborative computing devices</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-15.4">
-            <title>Explicitly Indicate Current Participants</title>
-            <param id="sc-15.4_prm_1">
-               <label>organization-defined online meetings and teleconferences</label>
-            </param>
-            <prop name="label">SC-15(4)</prop>
-            <prop name="sort-id">sc-15.04</prop>
-            <part id="sc-15.4_smt" name="statement">
-               <p>The information system provides an explicit indication of current participants in
-                     <insert param-id="sc-15.4_prm_1"/>.</p>
-            </part>
-            <part id="sc-15.4_gdn" name="guidance">
-               <p>This control enhancement helps to prevent unauthorized individuals from
-                  participating in collaborative computing sessions without the explicit knowledge
-                  of other participants.</p>
-            </part>
-            <part id="sc-15.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-15.4_obj.1" name="objective">
-                  <prop name="label">SC-15(4)[1]</prop>
-                  <p>the organization defines online meetings and teleconferences for which an
-                     explicit indication of current participants is to be provided; and</p>
-               </part>
-               <part id="sc-15.4_obj.2" name="objective">
-                  <prop name="label">SC-15(4)[2]</prop>
-                  <p>the information system provides an explicit indication of current participants
-                     in organization-defined meetings and teleconferences.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing collaborative computing</p>
-                  <p>access control policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>list of types of meetings and teleconferences requiring explicit indication of
-                     current participants</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibilities for managing collaborative
-                     computing devices</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing the capability to indicate
-                     participants on collaborative computing devices</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-16">
-         <title>Transmission of Security Attributes</title>
-         <param id="sc-16_prm_1">
-            <label>organization-defined security attributes</label>
-         </param>
-         <prop name="label">SC-16</prop>
-         <prop name="sort-id">sc-16</prop>
-         <part id="sc-16_smt" name="statement">
-            <p>The information system associates <insert param-id="sc-16_prm_1"/> with information
-               exchanged between information systems and between system components.</p>
-         </part>
-         <part id="sc-16_gdn" name="guidance">
-            <p>Security attributes can be explicitly or implicitly associated with the information
-               contained in organizational information systems or system components.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-         </part>
-         <part id="sc-16_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-16_obj.1" name="objective">
-               <prop name="label">SC-16[1]</prop>
-               <p>the organization defines security attributes to be associated with information
-                  exchanged:</p>
-               <part id="sc-16_obj.1.a" name="objective">
-                  <prop name="label">SC-16[1][a]</prop>
-                  <p>between information systems;</p>
-               </part>
-               <part id="sc-16_obj.1.b" name="objective">
-                  <prop name="label">SC-16[1][b]</prop>
-                  <p>between system components;</p>
-               </part>
-            </part>
-            <part id="sc-16_obj.2" name="objective">
-               <prop name="label">SC-16[2]</prop>
-               <p>the information system associates organization-defined security attributes with
-                  information exchanged:</p>
-               <part id="sc-16_obj.2.a" name="objective">
-                  <prop name="label">SC-16[2][a]</prop>
-                  <p>between information systems; and</p>
-               </part>
-               <part id="sc-16_obj.2.b" name="objective">
-                  <prop name="label">SC-16[2][b]</prop>
-                  <p>between system components.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing transmission of security attributes</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing transmission of security
-                  attributes between information systems</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-16.1">
-            <title>Integrity Validation</title>
-            <prop name="label">SC-16(1)</prop>
-            <prop name="sort-id">sc-16.01</prop>
-            <part id="sc-16.1_smt" name="statement">
-               <p>The information system validates the integrity of transmitted security
-                  attributes.</p>
-            </part>
-            <part id="sc-16.1_gdn" name="guidance">
-               <p>This control enhancement ensures that the verification of the integrity of
-                  transmitted information includes security attributes.</p>
-               <link rel="related" href="#au-10">AU-10</link>
-               <link rel="related" href="#sc-8">SC-8</link>
-            </part>
-            <part id="sc-16.1_obj" name="objective">
-               <p>Determine if the information system validates the integrity of transmitted
-                  security attributes.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing transmission of security attributes</p>
-                  <p>access control policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing validation of the integrity
-                     of transmitted security attributes</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-17">
-         <title>Public Key Infrastructure Certificates</title>
-         <param id="sc-17_prm_1">
-            <label>organization-defined certificate policy</label>
-         </param>
-         <prop name="label">SC-17</prop>
-         <prop name="sort-id">sc-17</prop>
-         <link href="#58ad6f27-af99-429f-86a8-8bb767b014b9" rel="reference">OMB Memorandum 05-24</link>
-         <link href="#8f174e91-844e-4cf1-a72a-45c119a3a8dd" rel="reference">NIST Special Publication 800-32</link>
-         <link href="#644f44a9-a2de-4494-9c04-cd37fba45471" rel="reference">NIST Special Publication 800-63</link>
-         <part id="sc-17_smt" name="statement">
-            <p>The organization issues public key certificates under an <insert param-id="sc-17_prm_1"/> or obtains public key certificates from an approved
-               service provider.</p>
-         </part>
-         <part id="sc-17_gdn" name="guidance">
-            <p>For all certificates, organizations manage information system trust stores to ensure
-               only approved trust anchors are in the trust stores. This control addresses both
-               certificates with visibility external to organizational information systems and
-               certificates related to the internal operations of systems, for example,
-               application-specific time services.</p>
-            <link rel="related" href="#sc-12">SC-12</link>
-         </part>
-         <part id="sc-17_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-17_obj.1" name="objective">
-               <prop name="label">SC-17[1]</prop>
-               <p>defines a certificate policy for issuing public key certificates;</p>
-            </part>
-            <part id="sc-17_obj.2" name="objective">
-               <prop name="label">SC-17[2]</prop>
-               <p>issues public key certificates:</p>
-               <part id="sc-17_obj.2.a" name="objective">
-                  <prop name="label">SC-17[2][a]</prop>
-                  <p>under an organization-defined certificate policy: or</p>
-               </part>
-               <part id="sc-17_obj.2.b" name="objective">
-                  <prop name="label">SC-17[2][b]</prop>
-                  <p>obtains public key certificates from an approved service provider.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing public key infrastructure certificates</p>
-               <p>public key certificate policy or policies</p>
-               <p>public key issuing process</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for issuing public key
-                  certificates</p>
-               <p>service providers</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing the management of public key
-                  infrastructure certificates</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-18">
-         <title>Mobile Code</title>
-         <prop name="label">SC-18</prop>
-         <prop name="sort-id">sc-18</prop>
-         <link href="#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1" rel="reference">NIST Special Publication 800-28</link>
-         <link href="#e6522953-6714-435d-a0d3-140df554c186" rel="reference">DoD Instruction 8552.01</link>
-         <part id="sc-18_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-18_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Defines acceptable and unacceptable mobile code and mobile code technologies;</p>
-            </part>
-            <part id="sc-18_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Establishes usage restrictions and implementation guidance for acceptable mobile
-                  code and mobile code technologies; and</p>
-            </part>
-            <part id="sc-18_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Authorizes, monitors, and controls the use of mobile code within the information
-                  system.</p>
-            </part>
-         </part>
-         <part id="sc-18_gdn" name="guidance">
-            <p>Decisions regarding the employment of mobile code within organizational information
-               systems are based on the potential for the code to cause damage to the systems if
-               used maliciously. Mobile code technologies include, for example, Java, JavaScript,
-               ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage
-               restrictions and implementation guidance apply to both the selection and use of
-               mobile code installed on servers and mobile code downloaded and executed on
-               individual workstations and devices (e.g., smart phones). Mobile code policy and
-               procedures address preventing the development, acquisition, or introduction of
-               unacceptable mobile code within organizational information systems.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="sc-18_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-18.a_obj" name="objective">
-               <prop name="label">SC-18(a)</prop>
-               <p>defines acceptable and unacceptable mobile code and mobile code technologies;</p>
-            </part>
-            <part id="sc-18.b_obj" name="objective">
-               <prop name="label">SC-18(b)</prop>
-               <part id="sc-18.b_obj.1" name="objective">
-                  <prop name="label">SC-18(b)[1]</prop>
-                  <p>establishes usage restrictions for acceptable mobile code and mobile code
-                     technologies;</p>
-               </part>
-               <part id="sc-18.b_obj.2" name="objective">
-                  <prop name="label">SC-18(b)[2]</prop>
-                  <p>establishes implementation guidance for acceptable mobile code and mobile code
-                     technologies;</p>
-               </part>
-            </part>
-            <part id="sc-18.c_obj" name="objective">
-               <prop name="label">SC-18(c)</prop>
-               <part id="sc-18.c_obj.1" name="objective">
-                  <prop name="label">SC-18(c)[1]</prop>
-                  <p>authorizes the use of mobile code within the information system;</p>
-               </part>
-               <part id="sc-18.c_obj.2" name="objective">
-                  <prop name="label">SC-18(c)[2]</prop>
-                  <p>monitors the use of mobile code within the information system; and</p>
-               </part>
-               <part id="sc-18.c_obj.3" name="objective">
-                  <prop name="label">SC-18(c)[3]</prop>
-                  <p>controls the use of mobile code within the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing mobile code</p>
-               <p>mobile code usage restrictions, mobile code implementation policy and
-                  procedures</p>
-               <p>list of acceptable mobile code and mobile code technologies</p>
-               <p>list of unacceptable mobile code and mobile technologies</p>
-               <p>authorization records</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing mobile code</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for controlling, authorizing, monitoring, and restricting
-                  mobile code</p>
-               <p>automated mechanisms supporting and/or implementing the management of mobile
-                  code</p>
-               <p>automated mechanisms supporting and/or implementing the monitoring of mobile
-                  code</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-18.1">
-            <title>Identify Unacceptable Code / Take Corrective Actions</title>
-            <param id="sc-18.1_prm_1">
-               <label>organization-defined unacceptable mobile code</label>
-            </param>
-            <param id="sc-18.1_prm_2">
-               <label>organization-defined corrective actions</label>
-            </param>
-            <prop name="label">SC-18(1)</prop>
-            <prop name="sort-id">sc-18.01</prop>
-            <part id="sc-18.1_smt" name="statement">
-               <p>The information system identifies <insert param-id="sc-18.1_prm_1"/> and takes
-                     <insert param-id="sc-18.1_prm_2"/>.</p>
-            </part>
-            <part id="sc-18.1_gdn" name="guidance">
-               <p>Corrective actions when unacceptable mobile code is detected include, for example,
-                  blocking, quarantine, or alerting administrators. Blocking includes, for example,
-                  preventing transmission of word processing files with embedded macros when such
-                  macros have been defined to be unacceptable mobile code.</p>
-            </part>
-            <part id="sc-18.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-18.1_obj.1" name="objective">
-                  <prop name="label">SC-18(1)[1]</prop>
-                  <p>the organization defines unacceptable mobile code to be identified by the
-                     information system;</p>
-               </part>
-               <part id="sc-18.1_obj.2" name="objective">
-                  <prop name="label">SC-18(1)[2]</prop>
-                  <p>the organization defines correctives actions to be taken when the information
-                     system identifies organization-defined unacceptable mobile code;</p>
-               </part>
-               <part id="sc-18.1_obj.3" name="objective">
-                  <prop name="label">SC-18(1)[3]</prop>
-                  <p>the information system:</p>
-                  <part id="sc-18.1_obj.3.a" name="objective">
-                     <prop name="label">SC-18(1)[3][a]</prop>
-                     <p>identifies organization-defined unacceptable mobile code; and</p>
-                  </part>
-                  <part id="sc-18.1_obj.3.b" name="objective">
-                     <prop name="label">SC-18(1)[3][b]</prop>
-                     <p>takes organization-defined corrective actions.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing mobile code</p>
-                  <p>mobile code usage restrictions, mobile code implementation policy and
-                     procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of unacceptable mobile code</p>
-                  <p>list of corrective actions to be taken when unacceptable mobile code is
-                     identified</p>
-                  <p>information system monitoring records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for managing mobile code</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing mobile code detection,
-                     inspection, and corrective capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-18.2">
-            <title>Acquisition / Development / Use</title>
-            <param id="sc-18.2_prm_1">
-               <label>organization-defined mobile code requirements</label>
-            </param>
-            <prop name="label">SC-18(2)</prop>
-            <prop name="sort-id">sc-18.02</prop>
-            <part id="sc-18.2_smt" name="statement">
-               <p>The organization ensures that the acquisition, development, and use of mobile code
-                  to be deployed in the information system meets <insert param-id="sc-18.2_prm_1"/>.</p>
-            </part>
-            <part id="sc-18.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-18.2_obj.1" name="objective">
-                  <prop name="label">SC-18(2)[1]</prop>
-                  <p>defines requirements for:</p>
-                  <part id="sc-18.2_obj.1.a" name="objective">
-                     <prop name="label">SC-18(2)[1][a]</prop>
-                     <p>the acquisition of mobile code;</p>
-                  </part>
-                  <part id="sc-18.2_obj.1.b" name="objective">
-                     <prop name="label">SC-18(2)[1][b]</prop>
-                     <p>the development of mobile code;</p>
-                  </part>
-                  <part id="sc-18.2_obj.1.c" name="objective">
-                     <prop name="label">SC-18(2)[1][c]</prop>
-                     <p>the use of mobile code; and</p>
-                  </part>
-               </part>
-               <part id="sc-18.2_obj.2" name="objective">
-                  <prop name="label">SC-18(2)[2]</prop>
-                  <p>ensures that the acquisition, development, and use of mobile code to be
-                     deployed in the information system meets organization-defined mobile code
-                     requirements.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing mobile code</p>
-                  <p>mobile code requirements</p>
-                  <p>mobile code usage restrictions, mobile code implementation policy and
-                     procedures</p>
-                  <p>acquisition documentation</p>
-                  <p>acquisition contracts for information system, system component, or information
-                     system service</p>
-                  <p>system development life cycle documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibilities for managing mobile code</p>
-                  <p>organizational personnel with acquisition and contracting responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for the acquisition, development, and use of mobile
-                     code</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-18.3">
-            <title>Prevent Downloading / Execution</title>
-            <param id="sc-18.3_prm_1">
-               <label>organization-defined unacceptable mobile code</label>
-            </param>
-            <prop name="label">SC-18(3)</prop>
-            <prop name="sort-id">sc-18.03</prop>
-            <part id="sc-18.3_smt" name="statement">
-               <p>The information system prevents the download and execution of <insert param-id="sc-18.3_prm_1"/>.</p>
-            </part>
-            <part id="sc-18.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-18.3_obj.1" name="objective">
-                  <prop name="label">SC-18(3)[1]</prop>
-                  <p>the organization defines unacceptable mobile code to be prevented from
-                     downloading and execution;</p>
-               </part>
-               <part id="sc-18.3_obj.2" name="objective">
-                  <prop name="label">SC-18(3)[2]</prop>
-                  <p>the information system prevents the:</p>
-                  <part id="sc-18.3_obj.2.a" name="objective">
-                     <prop name="label">SC-18(3)[2][a]</prop>
-                     <p>download of organization-defined unacceptable mobile code; and</p>
-                  </part>
-                  <part id="sc-18.3_obj.2.b" name="objective">
-                     <prop name="label">SC-18(3)[2][b]</prop>
-                     <p>execution of organization-defined unacceptable mobile code.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing mobile code</p>
-                  <p>mobile code usage restrictions, mobile code implementation policy and
-                     procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for managing mobile code</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms preventing download and execution of unacceptable mobile
-                     code</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-18.4">
-            <title>Prevent Automatic Execution</title>
-            <param id="sc-18.4_prm_1">
-               <label>organization-defined software applications</label>
-            </param>
-            <param id="sc-18.4_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">SC-18(4)</prop>
-            <prop name="sort-id">sc-18.04</prop>
-            <part id="sc-18.4_smt" name="statement">
-               <p>The information system prevents the automatic execution of mobile code in <insert param-id="sc-18.4_prm_1"/> and enforces <insert param-id="sc-18.4_prm_2"/>
-                  prior to executing the code.</p>
-            </part>
-            <part id="sc-18.4_gdn" name="guidance">
-               <p>Actions enforced before executing mobile code, include, for example, prompting
-                  users prior to opening electronic mail attachments. Preventing automatic execution
-                  of mobile code includes, for example, disabling auto execute features on
-                  information system components employing portable storage devices such as Compact
-                  Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB)
-                  devices.</p>
-            </part>
-            <part id="sc-18.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-18.4_obj.1" name="objective">
-                  <prop name="label">SC-18(4)[1]</prop>
-                  <p>the organization defines software applications in which the automatic execution
-                     of mobile code is to be prohibited;</p>
-               </part>
-               <part id="sc-18.4_obj.2" name="objective">
-                  <prop name="label">SC-18(4)[2]</prop>
-                  <p>the organization defines actions to be enforced by the information system prior
-                     to executing mobile code;</p>
-               </part>
-               <part id="sc-18.4_obj.3" name="objective">
-                  <prop name="label">SC-18(4)[3]</prop>
-                  <p>the information system prevents the automatic execution of mobile code in the
-                     organization-defined software applications; and</p>
-               </part>
-               <part id="sc-18.4_obj.4" name="objective">
-                  <prop name="label">SC-18(4)[4]</prop>
-                  <p>the information system enforces organization-defined actions prior to executing
-                     the code.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing mobile code</p>
-                  <p>mobile code usage restrictions</p>
-                  <p>mobile code implementation policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of software applications for which automatic execution of mobile code must
-                     be prohibited</p>
-                  <p>list of actions required before execution of mobile code</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for managing mobile code</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms preventing automatic execution of unacceptable mobile
-                     code</p>
-                  <p>automated mechanisms enforcing actions to be taken prior to the execution of
-                     the mobile code</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-18.5">
-            <title>Allow Execution Only in Confined Environments</title>
-            <prop name="label">SC-18(5)</prop>
-            <prop name="sort-id">sc-18.05</prop>
-            <part id="sc-18.5_smt" name="statement">
-               <p>The organization allows execution of permitted mobile code only in confined
-                  virtual machine environments.</p>
-            </part>
-            <part id="sc-18.5_obj" name="objective">
-               <p>Determine if the organization allows execution of permitted mobile code only in
-                  confined virtual machine environments.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing mobile code</p>
-                  <p>mobile code usage allowances</p>
-                  <p>mobile code usage restrictions</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of confined virtual machine environments for which execution of
-                     organizationally-acceptable mobile code is allowed</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel with responsibilities for managing mobile code</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms allowing execution of permitted mobile code in confined
-                     virtual machine environments</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-19">
-         <title>Voice Over Internet Protocol</title>
-         <prop name="label">SC-19</prop>
-         <prop name="sort-id">sc-19</prop>
-         <link href="#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90" rel="reference">NIST Special Publication 800-58</link>
-         <part id="sc-19_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-19_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions and implementation guidance for Voice over Internet
-                  Protocol (VoIP) technologies based on the potential to cause damage to the
-                  information system if used maliciously; and</p>
-            </part>
-            <part id="sc-19_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes, monitors, and controls the use of VoIP within the information
-                  system.</p>
-            </part>
-         </part>
-         <part id="sc-19_gdn" name="guidance">
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-15">SC-15</link>
-         </part>
-         <part id="sc-19_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-19.a_obj" name="objective">
-               <prop name="label">SC-19(a)</prop>
-               <part id="sc-19.a_obj.1" name="objective">
-                  <prop name="label">SC-19(a)[1]</prop>
-                  <p>establishes usage restrictions for Voice over Internet Protocol (VoIP)
-                     technologies based on the potential to cause damage to the information system
-                     if used maliciously;</p>
-               </part>
-               <part id="sc-19.a_obj.2" name="objective">
-                  <prop name="label">SC-19(a)[2]</prop>
-                  <p>establishes implementation guidance for Voice over Internet Protocol (VoIP)
-                     technologies based on the potential to cause damage to the information system
-                     if used maliciously;</p>
-               </part>
-            </part>
-            <part id="sc-19.b_obj" name="objective">
-               <prop name="label">SC-19(b)</prop>
-               <part id="sc-19.b_obj.1" name="objective">
-                  <prop name="label">SC-19(b)[1]</prop>
-                  <p>authorizes the use of VoIP within the information system;</p>
-               </part>
-               <part id="sc-19.b_obj.2" name="objective">
-                  <prop name="label">SC-19(b)[2]</prop>
-                  <p>monitors the use of VoIP within the information system; and</p>
-               </part>
-               <part id="sc-19.b_obj.3" name="objective">
-                  <prop name="label">SC-19(b)[3]</prop>
-                  <p>controls the use of VoIP within the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing VoIP</p>
-               <p>VoIP usage restrictions</p>
-               <p>VoIP implementation guidance</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing VoIP</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for authorizing, monitoring, and controlling VoIP</p>
-               <p>automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling VoIP</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-20">
-         <title>Secure Name / Address Resolution Service (authoritative Source)</title>
-         <prop name="label">SC-20</prop>
-         <prop name="sort-id">sc-20</prop>
-         <link href="#28115a56-da6b-4d44-b1df-51dd7f048a3e" rel="reference">OMB Memorandum 08-23</link>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-20_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-20_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Provides additional data origin authentication and integrity verification
-                  artifacts along with the authoritative name resolution data the system returns in
-                  response to external name/address resolution queries; and</p>
-            </part>
-            <part id="sc-20_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides the means to indicate the security status of child zones and (if the
-                  child supports secure resolution services) to enable verification of a chain of
-                  trust among parent and child domains, when operating as part of a distributed,
-                  hierarchical namespace.</p>
-            </part>
-         </part>
-         <part id="sc-20_gdn" name="guidance">
-            <p>This control enables external clients including, for example, remote Internet
-               clients, to obtain origin authentication and integrity verification assurances for
-               the host/service name to network address resolution information obtained through the
-               service. Information systems that provide name and address resolution services
-               include, for example, domain name system (DNS) servers. Additional artifacts include,
-               for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS
-               resource records are examples of authoritative data. The means to indicate the
-               security status of child zones includes, for example, the use of delegation signer
-               resource records in the DNS. The DNS security controls reflect (and are referenced
-               from) OMB Memorandum 08-23. Information systems that use technologies other than the
-               DNS to map between host/service names and network addresses provide other means to
-               assure the authenticity and integrity of response data.</p>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-20_obj" name="objective">
-            <p>Determine if the information system:</p>
-            <part id="sc-20.a_obj" name="objective">
-               <prop name="label">SC-20(a)</prop>
-               <p>provides additional data origin and integrity verification artifacts along with
-                  the authoritative name resolution data the system returns in response to external
-                  name/address resolution queries;</p>
-            </part>
-            <part id="sc-20.b_obj" name="objective">
-               <prop name="label">SC-20(b)</prop>
-               <p>provides the means to, when operating as part of a distributed, hierarchical
-                  namespace:</p>
-               <part id="sc-20.b_obj.1" name="objective">
-                  <prop name="label">SC-20(b)[1]</prop>
-                  <p>indicate the security status of child zones; and</p>
-               </part>
-               <part id="sc-20.b_obj.2" name="objective">
-                  <prop name="label">SC-20(b)[2]</prop>
-                  <p>enable verification of a chain of trust among parent and child domains (if the
-                     child supports secure resolution services).</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (authoritative
-                  source)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing secure name/address resolution
-                  service</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-20.1">
-            <title>Child Subspaces</title>
-            <prop name="label">SC-20(1)</prop>
-            <prop name="sort-id">sc-20.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-20">SC-20</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-20.2">
-            <title>Data Origin / Integrity</title>
-            <prop name="label">SC-20(2)</prop>
-            <prop name="sort-id">sc-20.02</prop>
-            <part id="sc-20.2_smt" name="statement">
-               <p>The information system provides data origin and integrity protection artifacts for
-                  internal name/address resolution queries.</p>
-            </part>
-            <part id="sc-20.2_obj" name="objective">
-               <p>Determine if the information system provides data origin and integrity protection
-                  artifacts for internal name/address resolution queries.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing secure name/address resolution service (authoritative
-                     source)</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibilities for managing DNS</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing data origin and integrity
-                     protection for internal name/address resolution service queries</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-21">
-         <title>Secure Name / Address Resolution Service (recursive or Caching Resolver)</title>
-         <prop name="label">SC-21</prop>
-         <prop name="sort-id">sc-21</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-21_smt" name="statement">
-            <p>The information system requests and performs data origin authentication and data
-               integrity verification on the name/address resolution responses the system receives
-               from authoritative sources.</p>
-         </part>
-         <part id="sc-21_gdn" name="guidance">
-            <p>Each client of name resolution services either performs this validation on its own,
-               or has authenticated channels to trusted validation providers. Information systems
-               that provide name and address resolution services for local clients include, for
-               example, recursive resolving or caching domain name system (DNS) servers. DNS client
-               resolvers either perform validation of DNSSEC signatures, or clients use
-               authenticated channels to recursive resolvers that perform such validations.
-               Information systems that use technologies other than the DNS to map between
-               host/service names and network addresses provide other means to enable clients to
-               verify the authenticity and integrity of response data.</p>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-21_obj" name="objective">
-            <p>Determine if the information system: </p>
-            <part id="sc-21_obj.1" name="objective">
-               <prop name="label">SC-21[1]</prop>
-               <p>requests data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.2" name="objective">
-               <prop name="label">SC-21[2]</prop>
-               <p>requests data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources;</p>
-            </part>
-            <part id="sc-21_obj.3" name="objective">
-               <prop name="label">SC-21[3]</prop>
-               <p>performs data origin authentication on the name/address resolution responses the
-                  system receives from authoritative sources; and</p>
-            </part>
-            <part id="sc-21_obj.4" name="objective">
-               <prop name="label">SC-21[4]</prop>
-               <p>performs data integrity verification on the name/address resolution responses the
-                  system receives from authoritative sources.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing secure name/address resolution service (recursive or caching
-                  resolver)</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing data origin authentication and
-                  data integrity verification for name/address resolution services</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-21.1">
-            <title>Data Origin / Integrity</title>
-            <prop name="label">SC-21(1)</prop>
-            <prop name="sort-id">sc-21.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-21">SC-21</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-22">
-         <title>Architecture and Provisioning for Name / Address Resolution Service</title>
-         <prop name="label">SC-22</prop>
-         <prop name="sort-id">sc-22</prop>
-         <link href="#6af1e841-672c-46c4-b121-96f603d04be3" rel="reference">NIST Special Publication 800-81</link>
-         <part id="sc-22_smt" name="statement">
-            <p>The information systems that collectively provide name/address resolution service for
-               an organization are fault-tolerant and implement internal/external role
-               separation.</p>
-         </part>
-         <part id="sc-22_gdn" name="guidance">
-            <p>Information systems that provide name and address resolution services include, for
-               example, domain name system (DNS) servers. To eliminate single points of failure and
-               to enhance redundancy, organizations employ at least two authoritative domain name
-               system servers, one configured as the primary server and the other configured as the
-               secondary server. Additionally, organizations typically deploy the servers in two
-               geographically separated network subnetworks (i.e., not located in the same physical
-               facility). For role separation, DNS servers with internal roles only process name and
-               address resolution requests from within organizations (i.e., from internal clients).
-               DNS servers with external roles only process name and address resolution information
-               requests from clients external to organizations (i.e., on external networks including
-               the Internet). Organizations specify clients that can access authoritative DNS
-               servers in particular roles (e.g., by address ranges, explicit lists).</p>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-20">SC-20</link>
-            <link rel="related" href="#sc-21">SC-21</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-         </part>
-         <part id="sc-22_obj" name="objective">
-            <p>Determine if the information systems that collectively provide name/address
-               resolution service for an organization: </p>
-            <part id="sc-22_obj.1" name="objective">
-               <prop name="label">SC-22[1]</prop>
-               <p>are fault tolerant; and</p>
-            </part>
-            <part id="sc-22_obj.2" name="objective">
-               <prop name="label">SC-22[2]</prop>
-               <p>implement internal/external role separation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing architecture and provisioning for name/address resolution
-                  service</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>assessment results from independent, testing organizations</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibilities for managing DNS</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing name/address resolution
-                  service for fault tolerance and role separation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-23">
-         <title>Session Authenticity</title>
-         <prop name="label">SC-23</prop>
-         <prop name="sort-id">sc-23</prop>
-         <link href="#90c5bc98-f9c4-44c9-98b7-787422f0999c" rel="reference">NIST Special Publication 800-52</link>
-         <link href="#99f331f2-a9f0-46c2-9856-a3cbb9b89442" rel="reference">NIST Special Publication 800-77</link>
-         <link href="#1ebdf782-d95d-4a7b-8ec7-ee860951eced" rel="reference">NIST Special Publication 800-95</link>
-         <part id="sc-23_smt" name="statement">
-            <p>The information system protects the authenticity of communications sessions.</p>
-         </part>
-         <part id="sc-23_gdn" name="guidance">
-            <p>This control addresses communications protection at the session, versus packet level
-               (e.g., sessions in service-oriented architectures providing web-based services) and
-               establishes grounds for confidence at both ends of communications sessions in ongoing
-               identities of other parties and in the validity of information transmitted.
-               Authenticity protection includes, for example, protecting against man-in-the-middle
-               attacks/session hijacking and the insertion of false information into sessions.</p>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <link rel="related" href="#sc-11">SC-11</link>
-         </part>
-         <part id="sc-23_obj" name="objective">
-            <p>Determine if the information system protects the authenticity of communications
-               sessions.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing session authenticity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing session authenticity</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-23.1">
-            <title>Invalidate Session Identifiers at Logout</title>
-            <prop name="label">SC-23(1)</prop>
-            <prop name="sort-id">sc-23.01</prop>
-            <part id="sc-23.1_smt" name="statement">
-               <p>The information system invalidates session identifiers upon user logout or other
-                  session termination.</p>
-            </part>
-            <part id="sc-23.1_gdn" name="guidance">
-               <p>This control enhancement curtails the ability of adversaries from capturing and
-                  continuing to employ previously valid session IDs.</p>
-            </part>
-            <part id="sc-23.1_obj" name="objective">
-               <p>Determine if the information system invalidates session identifiers upon user
-                  logout or other session termination.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing session authenticity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing session identifier
-                     invalidation upon session termination</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-23.2">
-            <title>User-initiated Logouts / Message Displays</title>
-            <prop name="label">SC-23(2)</prop>
-            <prop name="sort-id">sc-23.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-12.1">AC-12 (1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-23.3">
-            <title>Unique Session Identifiers with Randomization</title>
-            <param id="sc-23.3_prm_1">
-               <label>organization-defined randomness requirements</label>
-            </param>
-            <prop name="label">SC-23(3)</prop>
-            <prop name="sort-id">sc-23.03</prop>
-            <part id="sc-23.3_smt" name="statement">
-               <p>The information system generates a unique session identifier for each session with
-                     <insert param-id="sc-23.3_prm_1"/> and recognizes only session identifiers that
-                  are system-generated.</p>
-            </part>
-            <part id="sc-23.3_gdn" name="guidance">
-               <p>This control enhancement curtails the ability of adversaries from reusing
-                  previously valid session IDs. Employing the concept of randomness in the
-                  generation of unique session identifiers helps to protect against brute-force
-                  attacks to determine future session identifiers.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-23.3_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-23.3_obj.1" name="objective">
-                  <prop name="label">SC-23(3)[1]</prop>
-                  <p>the organization defines randomness requirements for generating a unique
-                     session identifier for each session;</p>
-               </part>
-               <part id="sc-23.3_obj.2" name="objective">
-                  <prop name="label">SC-23(3)[2]</prop>
-                  <p>the information system generates a unique session identifier for each session
-                     with organization-defined randomness requirements; and</p>
-               </part>
-               <part id="sc-23.3_obj.3" name="objective">
-                  <prop name="label">SC-23(3)[3]</prop>
-                  <p>the information system recognizes only session identifiers that are
-                     system-generated.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing session authenticity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing generating and monitoring
-                     unique session identifiers</p>
-                  <p>automated mechanisms supporting and/or implementing randomness requirements</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-23.4">
-            <title>Unique Session Identifiers with Randomization</title>
-            <prop name="label">SC-23(4)</prop>
-            <prop name="sort-id">sc-23.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-23.3">SC-23 (3)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-23.5">
-            <title>Allowed Certificate Authorities</title>
-            <param id="sc-23.5_prm_1">
-               <label>organization-defined certificate authorities</label>
-            </param>
-            <prop name="label">SC-23(5)</prop>
-            <prop name="sort-id">sc-23.05</prop>
-            <part id="sc-23.5_smt" name="statement">
-               <p>The information system only allows the use of <insert param-id="sc-23.5_prm_1"/>
-                  for verification of the establishment of protected sessions.</p>
-            </part>
-            <part id="sc-23.5_gdn" name="guidance">
-               <p>Reliance on certificate authorities (CAs) for the establishment of secure sessions
-                  includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer
-                  Security (TLS) certificates. These certificates, after verification by the
-                  respective certificate authorities, facilitate the establishment of protected
-                  sessions between web clients and web servers.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-23.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-23.5_obj.1" name="objective">
-                  <prop name="label">SC-23(5)[1]</prop>
-                  <p>the organization defines certificate authorities to be allowed for verification
-                     of the establishment of protected sessions; and</p>
-               </part>
-               <part id="sc-23.5_obj.2" name="objective">
-                  <prop name="label">SC-23(5)[2]</prop>
-                  <p>the information system only allows the use of organization-defined certificate
-                     authorities for verification of the establishment of protected sessions.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing session authenticity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of certificate authorities allowed for verification of the establishment
-                     of protected sessions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing management of certificate
-                     authorities</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-24">
-         <title>Fail in Known State</title>
-         <param id="sc-24_prm_1">
-            <label>organization-defined known-state</label>
-         </param>
-         <param id="sc-24_prm_2">
-            <label>organization-defined types of failures</label>
-         </param>
-         <param id="sc-24_prm_3">
-            <label>organization-defined system state information</label>
-         </param>
-         <prop name="label">SC-24</prop>
-         <prop name="sort-id">sc-24</prop>
-         <part id="sc-24_smt" name="statement">
-            <p>The information system fails to a <insert param-id="sc-24_prm_1"/> for <insert param-id="sc-24_prm_2"/> preserving <insert param-id="sc-24_prm_3"/> in
-               failure.</p>
-         </part>
-         <part id="sc-24_gdn" name="guidance">
-            <p>Failure in a known state addresses security concerns in accordance with the
-               mission/business needs of organizations. Failure in a known secure state helps to
-               prevent the loss of confidentiality, integrity, or availability of information in the
-               event of failures of organizational information systems or system components. Failure
-               in a known safe state helps to prevent systems from failing to a state that may cause
-               injury to individuals or destruction to property. Preserving information system state
-               information facilitates system restart and return to the operational mode of
-               organizations with less disruption of mission/business processes.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#cp-12">CP-12</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-22">SC-22</link>
-         </part>
-         <part id="sc-24_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-24_obj.1" name="objective">
-               <prop name="label">SC-24[1]</prop>
-               <p>the organization defines a known-state to which the information system is to fail
-                  in the event of a system failure;</p>
-            </part>
-            <part id="sc-24_obj.2" name="objective">
-               <prop name="label">SC-24[2]</prop>
-               <p>the organization defines types of failures for which the information system is to
-                  fail to an organization-defined known-state;</p>
-            </part>
-            <part id="sc-24_obj.3" name="objective">
-               <prop name="label">SC-24[3]</prop>
-               <p>the organization defines system state information to be preserved in the event of
-                  a system failure;</p>
-            </part>
-            <part id="sc-24_obj.4" name="objective">
-               <prop name="label">SC-24[4]</prop>
-               <p>the information system fails to the organization-defined known-state for
-                  organization-defined types of failures; and</p>
-            </part>
-            <part id="sc-24_obj.5" name="objective">
-               <prop name="label">SC-24[5]</prop>
-               <p>the information system preserves the organization-defined system state information
-                  in the event of a system failure.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing information system failure to known state</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of failures requiring information system to fail in a known state</p>
-               <p>state information to be preserved in system failure</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing fail-in-known state
-                  capability</p>
-               <p>automated mechanisms preserving system state information in the event of a system
-                  failure</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-25">
-         <title>Thin Nodes</title>
-         <param id="sc-25_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <prop name="label">SC-25</prop>
-         <prop name="sort-id">sc-25</prop>
-         <part id="sc-25_smt" name="statement">
-            <p>The organization employs <insert param-id="sc-25_prm_1"/> with minimal functionality
-               and information storage.</p>
-         </part>
-         <part id="sc-25_gdn" name="guidance">
-            <p>The deployment of information system components with reduced/minimal functionality
-               (e.g., diskless nodes and thin client technologies) reduces the need to secure every
-               user endpoint, and may reduce the exposure of information, information systems, and
-               services to cyber attacks.</p>
-            <link rel="related" href="#sc-30">SC-30</link>
-         </part>
-         <part id="sc-25_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-25_obj.1" name="objective">
-               <prop name="label">SC-25[1]</prop>
-               <p>defines information system components to be employed with minimal functionality
-                  and information storage; and</p>
-            </part>
-            <part id="sc-25_obj.2" name="objective">
-               <prop name="label">SC-25[2]</prop>
-               <p>employs organization-defined information system components with minimal
-                  functionality and information storage.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing use of thin nodes</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing thin nodes</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-26">
-         <title>Honeypots</title>
-         <prop name="label">SC-26</prop>
-         <prop name="sort-id">sc-26</prop>
-         <part id="sc-26_smt" name="statement">
-            <p>The information system includes components specifically designed to be the target of
-               malicious attacks for the purpose of detecting, deflecting, and analyzing such
-               attacks.</p>
-         </part>
-         <part id="sc-26_gdn" name="guidance">
-            <p>A honeypot is set up as a decoy to attract adversaries and to deflect their attacks
-               away from the operational systems supporting organizational missions/business
-               function. Depending upon the specific usage of the honeypot, consultation with the
-               Office of the General Counsel before deployment may be needed.</p>
-            <link rel="related" href="#sc-30">SC-30</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="sc-26_obj" name="objective">
-            <p>Determine if the information system includes components specifically designed to be
-               the target of malicious attacks for the purpose of detecting, deflecting, and
-               analyzing such attacks.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing use of honeypots</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing honey pots</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-26.1">
-            <title>Detection of Malicious Code</title>
-            <prop name="label">SC-26(1)</prop>
-            <prop name="sort-id">sc-26.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-35">SC-35</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-27">
-         <title>Platform-independent Applications</title>
-         <param id="sc-27_prm_1">
-            <label>organization-defined platform-independent applications</label>
-         </param>
-         <prop name="label">SC-27</prop>
-         <prop name="sort-id">sc-27</prop>
-         <part id="sc-27_smt" name="statement">
-            <p>The information system includes: <insert param-id="sc-27_prm_1"/>.</p>
-         </part>
-         <part id="sc-27_gdn" name="guidance">
-            <p>Platforms are combinations of hardware and software used to run software
-               applications. Platforms include: (i) operating systems; (ii) the underlying computer
-               architectures, or (iii) both. Platform-independent applications are applications that
-               run on multiple platforms. Such applications promote portability and reconstitution
-               on different platforms, increasing the availability of critical functions within
-               organizations while information systems with specific operating systems are under
-               attack.</p>
-            <link rel="related" href="#sc-29">SC-29</link>
-         </part>
-         <part id="sc-27_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-27_obj.1" name="objective">
-               <prop name="label">SC-27[1]</prop>
-               <p>the organization defines platform-independent applications; and</p>
-            </part>
-            <part id="sc-27_obj.2" name="objective">
-               <prop name="label">SC-27[2]</prop>
-               <p>the information system includes organization-defined platform-independent
-                  applications.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing platform-independent applications</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of platform-independent applications</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing platform-independent
-                  applications</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-28">
-         <title>Protection of Information at Rest</title>
-         <param id="sc-28_prm_1">
-            <select how-many="one or more">
-               <choice>confidentiality</choice>
-               <choice>integrity</choice>
-            </select>
-         </param>
-         <param id="sc-28_prm_2">
-            <label>organization-defined information at rest</label>
-         </param>
-         <prop name="label">SC-28</prop>
-         <prop name="sort-id">sc-28</prop>
-         <link href="#81f09e01-d0b0-4ae2-aa6a-064ed9950070" rel="reference">NIST Special Publication 800-56</link>
-         <link href="#a6c774c0-bf50-4590-9841-2a5c1c91ac6f" rel="reference">NIST Special Publication 800-57</link>
-         <link href="#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e" rel="reference">NIST Special Publication 800-111</link>
-         <part id="sc-28_smt" name="statement">
-            <p>The information system protects the <insert param-id="sc-28_prm_1"/> of <insert param-id="sc-28_prm_2"/>.</p>
-         </part>
-         <part id="sc-28_gdn" name="guidance">
-            <p>This control addresses the confidentiality and integrity of information at rest and
-               covers user information and system information. Information at rest refers to the
-               state of information when it is located on storage devices as specific components of
-               information systems. System-related information requiring protection includes, for
-               example, configurations or rule sets for firewalls, gateways, intrusion
-               detection/prevention systems, filtering routers, and authenticator content.
-               Organizations may employ different mechanisms to achieve confidentiality and
-               integrity protections, including the use of cryptographic mechanisms and file share
-               scanning. Integrity protection can be achieved, for example, by implementing
-               Write-Once-Read-Many (WORM) technologies. Organizations may also employ other
-               security controls including, for example, secure off-line storage in lieu of online
-               storage when adequate protection of information at rest cannot otherwise be achieved
-               and/or continuous monitoring to identify malicious code at rest.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-28_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-28_obj.1" name="objective">
-               <prop name="label">SC-28[1]</prop>
-               <p>the organization defines information at rest requiring one or more of the
-                  following:</p>
-               <part id="sc-28_obj.1.a" name="objective">
-                  <prop name="label">SC-28[1][a]</prop>
-                  <p>confidentiality protection; and/or</p>
-               </part>
-               <part id="sc-28_obj.1.b" name="objective">
-                  <prop name="label">SC-28[1][b]</prop>
-                  <p>integrity protection;</p>
-               </part>
-            </part>
-            <part id="sc-28_obj.2" name="objective">
-               <prop name="label">SC-28[2]</prop>
-               <p>the information system protects:</p>
-               <part id="sc-28_obj.2.a" name="objective">
-                  <prop name="label">SC-28[2][a]</prop>
-                  <p>the confidentiality of organization-defined information at rest; and/or</p>
-               </part>
-               <part id="sc-28_obj.2.b" name="objective">
-                  <prop name="label">SC-28[2][b]</prop>
-                  <p>the integrity of organization-defined information at rest.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing protection of information at rest</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>cryptographic mechanisms and associated configuration documentation</p>
-               <p>list of information at rest requiring confidentiality and integrity
-                  protections</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing confidentiality and integrity
-                  protections for information at rest</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-28.1">
-            <title>Cryptographic Protection</title>
-            <param id="sc-28.1_prm_1">
-               <label>organization-defined information</label>
-            </param>
-            <param id="sc-28.1_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-28(1)</prop>
-            <prop name="sort-id">sc-28.01</prop>
-            <part id="sc-28.1_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to prevent unauthorized
-                  disclosure and modification of <insert param-id="sc-28.1_prm_1"/> on <insert param-id="sc-28.1_prm_2"/>.</p>
-            </part>
-            <part id="sc-28.1_gdn" name="guidance">
-               <p>Selection of cryptographic mechanisms is based on the need to protect the
-                  confidentiality and integrity of organizational information. The strength of
-                  mechanism is commensurate with the security category and/or classification of the
-                  information. This control enhancement applies to significant concentrations of
-                  digital media in organizational areas designated for media storage and also to
-                  limited quantities of media generally associated with information system
-                  components in operational environments (e.g., portable storage devices, mobile
-                  devices). Organizations have the flexibility to either encrypt all information on
-                  storage devices (i.e., full disk encryption) or encrypt specific data structures
-                  (e.g., files, records, or fields). Organizations employing cryptographic
-                  mechanisms to protect information at rest also consider cryptographic key
-                  management solutions.</p>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#sc-12">SC-12</link>
-            </part>
-            <part id="sc-28.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-28.1_obj.1" name="objective">
-                  <prop name="label">SC-28(1)[1]</prop>
-                  <p>the organization defines information requiring cryptographic protection;</p>
-               </part>
-               <part id="sc-28.1_obj.2" name="objective">
-                  <prop name="label">SC-28(1)[2]</prop>
-                  <p>the organization defines information system components with
-                     organization-defined information requiring cryptographic protection; and</p>
-               </part>
-               <part id="sc-28.1_obj.3" name="objective">
-                  <prop name="label">SC-28(1)[3]</prop>
-                  <p>the information system employs cryptographic mechanisms to prevent unauthorized
-                     disclosure and modification of organization-defined information on
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing protection of information at rest</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated configuration documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms implementing confidentiality and integrity protections
-                     for information at rest</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-28.2">
-            <title>Off-line Storage</title>
-            <param id="sc-28.2_prm_1">
-               <label>organization-defined information</label>
-            </param>
-            <prop name="label">SC-28(2)</prop>
-            <prop name="sort-id">sc-28.02</prop>
-            <part id="sc-28.2_smt" name="statement">
-               <p>The organization removes from online storage and stores off-line in a secure
-                  location <insert param-id="sc-28.2_prm_1"/>.</p>
-            </part>
-            <part id="sc-28.2_gdn" name="guidance">
-               <p>Removing organizational information from online information system storage to
-                  off-line storage eliminates the possibility of individuals gaining unauthorized
-                  access to the information through a network. Therefore, organizations may choose
-                  to move information to off-line storage in lieu of protecting such information in
-                  online storage.</p>
-            </part>
-            <part id="sc-28.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-28.2_obj.1" name="objective">
-                  <prop name="label">SC-28(2)[1]</prop>
-                  <p>defines information to be removed from online storage and stored off-line in a
-                     secure location; and</p>
-               </part>
-               <part id="sc-28.2_obj.2" name="objective">
-                  <prop name="label">SC-28(2)[2]</prop>
-                  <p>removes organization-defined information from online storage; and</p>
-               </part>
-               <part id="sc-28.2_obj.3" name="objective">
-                  <prop name="label">SC-28(2)[3]</prop>
-                  <p>stores such information off-line in a secure location.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing protection of information at rest</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated configuration documentation</p>
-                  <p>off-line storage locations for information at rest</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing removal of information from
-                     online storage</p>
-                  <p>automated mechanisms supporting and/or implementing storage of information
-                     off-line</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-29">
-         <title>Heterogeneity</title>
-         <param id="sc-29_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <prop name="label">SC-29</prop>
-         <prop name="sort-id">sc-29</prop>
-         <part id="sc-29_smt" name="statement">
-            <p>The organization employs a diverse set of information technologies for <insert param-id="sc-29_prm_1"/> in the implementation of the information system.</p>
-         </part>
-         <part id="sc-29_gdn" name="guidance">
-            <p>Increasing the diversity of information technologies within organizational
-               information systems reduces the impact of potential exploitations of specific
-               technologies and also defends against common mode failures, including those failures
-               induced by supply chain attacks. Diversity in information technologies also reduces
-               the likelihood that the means adversaries use to compromise one information system
-               component will be equally effective against other system components, thus further
-               increasing the adversary work factor to successfully complete planned cyber attacks.
-               An increase in diversity may add complexity and management overhead which could
-               ultimately lead to mistakes and unauthorized configurations.</p>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-14">SA-14</link>
-            <link rel="related" href="#sc-27">SC-27</link>
-         </part>
-         <part id="sc-29_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-29_obj.1" name="objective">
-               <prop name="label">SC-29[1]</prop>
-               <p>defines information system components requiring a diverse set of information
-                  technologies to be employed in the implementation of the information system;
-                  and</p>
-            </part>
-            <part id="sc-29_obj.2" name="objective">
-               <prop name="label">SC-29[2]</prop>
-               <p>employs a diverse set of information technologies for organization-defined
-                  information system components in the implementation of the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of technologies deployed in the information system</p>
-               <p>acquisition documentation</p>
-               <p>acquisition contracts for information system components or services</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with information system acquisition, development, and
-                  implementation responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing employment of a diverse set of
-                  information technologies</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-29.1">
-            <title>Virtualization Techniques</title>
-            <param id="sc-29.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SC-29(1)</prop>
-            <prop name="sort-id">sc-29.01</prop>
-            <part id="sc-29.1_smt" name="statement">
-               <p>The organization employs virtualization techniques to support the deployment of a
-                  diversity of operating systems and applications that are changed <insert param-id="sc-29.1_prm_1"/>.</p>
-            </part>
-            <part id="sc-29.1_gdn" name="guidance">
-               <p>While frequent changes to operating systems and applications pose configuration
-                  management challenges, the changes can result in an increased work factor for
-                  adversaries in order to carry out successful cyber attacks. Changing virtual
-                  operating systems or applications, as opposed to changing actual operating
-                  systems/applications, provide virtual changes that impede attacker success while
-                  reducing configuration management efforts. In addition, virtualization techniques
-                  can assist organizations in isolating untrustworthy software and/or software of
-                  dubious provenance into confined execution environments.</p>
-            </part>
-            <part id="sc-29.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-29.1_obj.1" name="objective">
-                  <prop name="label">SC-29(1)[1]</prop>
-                  <p>defines a frequency to change the diversity of operating systems and
-                     applications deployed using virtualization techniques; and</p>
-               </part>
-               <part id="sc-29.1_obj.2" name="objective">
-                  <prop name="label">SC-29(1)[2]</prop>
-                  <p>employs virtualization techniques to support the deployment of a diversity of
-                     operating systems and applications that are changed with the
-                     organization-defined frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>configuration management policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>list of operating systems and applications deployed using virtualization
-                     techniques</p>
-                  <p>change control records</p>
-                  <p>configuration management records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibilities for implementing approved
-                     virtualization techniques to the information system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing employment of a diverse set
-                     of information technologies</p>
-                  <p>automated mechanisms supporting and/or implementing virtualization
-                     techniques</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-30">
-         <title>Concealment and Misdirection</title>
-         <param id="sc-30_prm_1">
-            <label>organization-defined concealment and misdirection techniques</label>
-         </param>
-         <param id="sc-30_prm_2">
-            <label>organization-defined information systems</label>
-         </param>
-         <param id="sc-30_prm_3">
-            <label>organization-defined time periods</label>
-         </param>
-         <prop name="label">SC-30</prop>
-         <prop name="sort-id">sc-30</prop>
-         <part id="sc-30_smt" name="statement">
-            <p>The organization employs <insert param-id="sc-30_prm_1"/> for <insert param-id="sc-30_prm_2"/> at <insert param-id="sc-30_prm_3"/> to confuse and
-               mislead adversaries.</p>
-         </part>
-         <part id="sc-30_gdn" name="guidance">
-            <p>Concealment and misdirection techniques can significantly reduce the targeting
-               capability of adversaries (i.e., window of opportunity and available attack surface)
-               to initiate and complete cyber attacks. For example, virtualization techniques
-               provide organizations with the ability to disguise information systems, potentially
-               reducing the likelihood of successful attacks without the cost of having multiple
-               platforms. Increased use of concealment/misdirection techniques including, for
-               example, randomness, uncertainty, and virtualization, may sufficiently confuse and
-               mislead adversaries and subsequently increase the risk of discovery and/or exposing
-               tradecraft. Concealment/misdirection techniques may also provide organizations
-               additional time to successfully perform core missions and business functions. Because
-               of the time and effort required to support concealment/misdirection techniques, it is
-               anticipated that such techniques would be used by organizations on a very limited
-               basis.</p>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-29">SC-29</link>
-            <link rel="related" href="#si-14">SI-14</link>
-         </part>
-         <part id="sc-30_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-30_obj.1" name="objective">
-               <prop name="label">SC-30[1]</prop>
-               <p>defines concealment and misdirection techniques to be employed to confuse and
-                  mislead adversaries potentially targeting organizational information systems;</p>
-            </part>
-            <part id="sc-30_obj.2" name="objective">
-               <prop name="label">SC-30[2]</prop>
-               <p>defines information systems for which organization-defined concealment and
-                  misdirection techniques are to be employed;</p>
-            </part>
-            <part id="sc-30_obj.3" name="objective">
-               <prop name="label">SC-30[3]</prop>
-               <p>defines time periods to employ organization-defined concealment and misdirection
-                  techniques for organization-defined information systems; and</p>
-            </part>
-            <part id="sc-30_obj.4" name="objective">
-               <prop name="label">SC-30[4]</prop>
-               <p>employs organization-defined concealment and misdirection techniques for
-                  organization-defined information systems at organization-defined time periods to
-                  confuse and mislead adversaries.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing concealment and misdirection techniques for the information
-                  system</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system architecture</p>
-               <p>list of concealment and misdirection techniques to be employed for organizational
-                  information systems</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with responsibility for implementing concealment and
-                  misdirection techniques for information systems</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing concealment and misdirection
-                  techniques</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-30.1">
-            <title>Virtualization Techniques</title>
-            <prop name="label">SC-30(1)</prop>
-            <prop name="sort-id">sc-30.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sc-29.1">SC-29 (1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-30.2">
-            <title>Randomness</title>
-            <param id="sc-30.2_prm_1">
-               <label>organization-defined techniques</label>
-            </param>
-            <prop name="label">SC-30(2)</prop>
-            <prop name="sort-id">sc-30.02</prop>
-            <part id="sc-30.2_smt" name="statement">
-               <p>The organization employs <insert param-id="sc-30.2_prm_1"/> to introduce
-                  randomness into organizational operations and assets.</p>
-            </part>
-            <part id="sc-30.2_gdn" name="guidance">
-               <p>Randomness introduces increased levels of uncertainty for adversaries regarding
-                  the actions organizations take in defending against cyber attacks. Such actions
-                  may impede the ability of adversaries to correctly target information resources of
-                  organizations supporting critical missions/business functions. Uncertainty may
-                  also cause adversaries to hesitate before initiating or continuing attacks.
-                  Misdirection techniques involving randomness include, for example, performing
-                  certain routine actions at different times of day, employing different information
-                  technologies (e.g., browsers, search engines), using different suppliers, and
-                  rotating roles and responsibilities of organizational personnel.</p>
-            </part>
-            <part id="sc-30.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-30.2_obj.1" name="objective">
-                  <prop name="label">SC-30(2)[1]</prop>
-                  <p>defines techniques to be employed to introduce randomness into organizational
-                     operations and assets; and</p>
-               </part>
-               <part id="sc-30.2_obj.2" name="objective">
-                  <prop name="label">SC-30(2)[2]</prop>
-                  <p>employs organization-defined techniques to introduce randomness into
-                     organizational operations and assets.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing concealment and misdirection techniques for the
-                     information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>list of techniques to be employed to introduce randomness into organizational
-                     operations and assets</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for implementing concealment and
-                     misdirection techniques for information systems</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing randomness as a concealment
-                     and misdirection technique</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-30.3">
-            <title>Change Processing / Storage Locations</title>
-            <param id="sc-30.3_prm_1">
-               <label>organization-defined processing and/or storage</label>
-            </param>
-            <param id="sc-30.3_prm_2">
-               <select>
-                  <choice>
-                     <insert param-id="sc-30.3_prm_3"/>
-                  </choice>
-                  <choice>at random time intervals</choice>
-               </select>
-            </param>
-            <param id="sc-30.3_prm_3" depends-on="sc-30.3_prm_2">
-               <label>organization-defined time frequency</label>
-            </param>
-            <prop name="label">SC-30(3)</prop>
-            <prop name="sort-id">sc-30.03</prop>
-            <part id="sc-30.3_smt" name="statement">
-               <p>The organization changes the location of <insert param-id="sc-30.3_prm_1"/>
-                  <insert param-id="sc-30.3_prm_2"/>].</p>
-            </part>
-            <part id="sc-30.3_gdn" name="guidance">
-               <p>Adversaries target critical organizational missions/business functions and the
-                  information resources supporting those missions and functions while at the same
-                  time, trying to minimize exposure of their existence and tradecraft. The static,
-                  homogeneous, and deterministic nature of organizational information systems
-                  targeted by adversaries, make such systems more susceptible to cyber attacks with
-                  less adversary cost and effort to be successful. Changing organizational
-                  processing and storage locations (sometimes referred to as moving target defense)
-                  addresses the advanced persistent threat (APT) using techniques such as
-                  virtualization, distributed processing, and replication. This enables
-                  organizations to relocate the information resources (i.e., processing and/or
-                  storage) supporting critical missions and business functions. Changing locations
-                  of processing activities and/or storage sites introduces uncertainty into the
-                  targeting activities by adversaries. This uncertainty increases the work factor of
-                  adversaries making compromises or breaches to organizational information systems
-                  much more difficult and time-consuming, and increases the chances that adversaries
-                  may inadvertently disclose aspects of tradecraft while attempting to locate
-                  critical organizational resources.</p>
-            </part>
-            <part id="sc-30.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-30.3_obj.1" name="objective">
-                  <prop name="label">SC-30(3)[1]</prop>
-                  <p>defines processing and/or storage locations to be changed at time intervals
-                     specified by the organization;</p>
-               </part>
-               <part id="sc-30.3_obj.2" name="objective">
-                  <prop name="label">SC-30(3)[2]</prop>
-                  <p>defines a frequency to change the location of organization-defined processing
-                     and/or storage; and</p>
-               </part>
-               <part id="sc-30.3_obj.3" name="objective">
-                  <prop name="label">SC-30(3)[3]</prop>
-                  <p>changes the location of organization-defined processing and/or storage at one
-                     of the following:</p>
-                  <part id="sc-30.3_obj.3.a" name="objective">
-                     <prop name="label">SC-30(3)[3][a]</prop>
-                     <p>organization-defined time intervals; or</p>
-                  </part>
-                  <part id="sc-30.3_obj.3.b" name="objective">
-                     <prop name="label">SC-30(3)[3][b]</prop>
-                     <p>random time intervals.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>configuration management policy and procedures</p>
-                  <p>procedures addressing concealment and misdirection techniques for the
-                     information system</p>
-                  <p>list of processing/storage locations to be changed at organizational time
-                     intervals</p>
-                  <p>change control records</p>
-                  <p>configuration management records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for changing processing and/or
-                     storage locations</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing changing processing and/or
-                     storage locations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-30.4">
-            <title>Misleading Information</title>
-            <param id="sc-30.4_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-30(4)</prop>
-            <prop name="sort-id">sc-30.04</prop>
-            <part id="sc-30.4_smt" name="statement">
-               <p>The organization employs realistic, but misleading information in <insert param-id="sc-30.4_prm_1"/> with regard to its security state or posture.</p>
-            </part>
-            <part id="sc-30.4_gdn" name="guidance">
-               <p>This control enhancement misleads potential adversaries regarding the nature and
-                  extent of security safeguards deployed by organizations. As a result, adversaries
-                  may employ incorrect (and as a result ineffective) attack techniques. One way of
-                  misleading adversaries is for organizations to place misleading information
-                  regarding the specific security controls deployed in external information systems
-                  that are known to be accessed or targeted by adversaries. Another technique is the
-                  use of deception nets (e.g., honeynets, virtualized environments) that mimic
-                  actual aspects of organizational information systems but use, for example,
-                  out-of-date software configurations.</p>
-            </part>
-            <part id="sc-30.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-30.4_obj.1" name="objective">
-                  <prop name="label">SC-30(4)[1]</prop>
-                  <p>defines information system components in which to employ realistic, but
-                     misleading information regarding its security state or posture; and</p>
-               </part>
-               <part id="sc-30.4_obj.2" name="objective">
-                  <prop name="label">SC-30(4)[2]</prop>
-                  <p>employs realistic, but misleading information in organization-defined
-                     information system components with regard to its security state or posture.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>configuration management policy and procedures</p>
-                  <p>procedures addressing concealment and misdirection techniques for the
-                     information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for defining and employing
-                     realistic, but misleading information about the security posture of information
-                     system components</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing employment of realistic,
-                     but misleading information about the security posture of information system
-                     components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-30.5">
-            <title>Concealment of System Components</title>
-            <param id="sc-30.5_prm_1">
-               <label>organization-defined techniques</label>
-            </param>
-            <param id="sc-30.5_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-30(5)</prop>
-            <prop name="sort-id">sc-30.05</prop>
-            <part id="sc-30.5_smt" name="statement">
-               <p>The organization employs <insert param-id="sc-30.5_prm_1"/> to hide or conceal
-                     <insert param-id="sc-30.5_prm_2"/>.</p>
-            </part>
-            <part id="sc-30.5_gdn" name="guidance">
-               <p>By hiding, disguising, or otherwise concealing critical information system
-                  components, organizations may be able to decrease the probability that adversaries
-                  target and successfully compromise those assets. Potential means for organizations
-                  to hide and/or conceal information system components include, for example,
-                  configuration of routers or the use of honeynets or virtualization techniques.</p>
-            </part>
-            <part id="sc-30.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-30.5_obj.1" name="objective">
-                  <prop name="label">SC-30(5)[1]</prop>
-                  <p>defines techniques to be employed to hide or conceal information system
-                     components;</p>
-               </part>
-               <part id="sc-30.5_obj.2" name="objective">
-                  <prop name="label">SC-30(5)[2]</prop>
-                  <p>defines information system components to be hidden or concealed using
-                     organization-defined techniques; and</p>
-               </part>
-               <part id="sc-30.5_obj.3" name="objective">
-                  <prop name="label">SC-30(5)[3]</prop>
-                  <p>employs organization-defined techniques to hide or conceal organization-defined
-                     information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>configuration management policy and procedures</p>
-                  <p>procedures addressing concealment and misdirection techniques for the
-                     information system</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of techniques employed to hide or conceal information system
-                     components</p>
-                  <p>list of information system components to be hidden or concealed</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with responsibility for concealment of system
-                     components</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing techniques for concealment
-                     of system components</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-31">
-         <title>Covert Channel Analysis</title>
-         <param id="sc-31_prm_1">
-            <select how-many="one or more">
-               <choice>storage</choice>
-               <choice>timing</choice>
-            </select>
-         </param>
-         <prop name="label">SC-31</prop>
-         <prop name="sort-id">sc-31</prop>
-         <part id="sc-31_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-31_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Performs a covert channel analysis to identify those aspects of communications
-                  within the information system that are potential avenues for covert <insert param-id="sc-31_prm_1"/> channels; and</p>
-            </part>
-            <part id="sc-31_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Estimates the maximum bandwidth of those channels.</p>
-            </part>
-         </part>
-         <part id="sc-31_gdn" name="guidance">
-            <p>Developers are in the best position to identify potential areas within systems that
-               might lead to covert channels. Covert channel analysis is a meaningful activity when
-               there is the potential for unauthorized information flows across security domains,
-               for example, in the case of information systems containing export-controlled
-               information and having connections to external networks (i.e., networks not
-               controlled by organizations). Covert channel analysis is also meaningful for
-               multilevel secure (MLS) information systems, multiple security level (MSL) systems,
-               and cross-domain systems.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-         </part>
-         <part id="sc-31_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-31.a_obj" name="objective">
-               <prop name="label">SC-31(a)</prop>
-               <p>performs a covert channel analysis to identify those aspects of communications
-                  within the information system that are potential avenues for one or more of the
-                  following:</p>
-               <part id="sc-31.a_obj.1" name="objective">
-                  <prop name="label">SC-31(a)[1]</prop>
-                  <p>covert storage channels; and/or</p>
-               </part>
-               <part id="sc-31.a_obj.2" name="objective">
-                  <prop name="label">SC-31(a)[2]</prop>
-                  <p>covert timing channels; and</p>
-               </part>
-            </part>
-            <part id="sc-31.b_obj" name="objective">
-               <prop name="label">SC-31(b)</prop>
-               <p>estimates the maximum bandwidth of those channels.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing covert channel analysis</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>covert channel analysis documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel with covert channel analysis responsibilities</p>
-               <p>information system developers/integrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational process for conducting covert channel analysis</p>
-               <p>automated mechanisms supporting and/or implementing covert channel analysis</p>
-               <p>automated mechanisms supporting and/or implementing the capability to estimate the
-                  bandwidth of covert channels</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-31.1">
-            <title>Test Covert Channels for Exploitability</title>
-            <prop name="label">SC-31(1)</prop>
-            <prop name="sort-id">sc-31.01</prop>
-            <part id="sc-31.1_smt" name="statement">
-               <p>The organization tests a subset of the identified covert channels to determine
-                  which channels are exploitable.</p>
-            </part>
-            <part id="sc-31.1_obj" name="objective">
-               <p>Determine if the organization tests a subset of identified covert channels to
-                  determine which channels are exploitable.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing covert channel analysis</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of covert channels</p>
-                  <p>covert channel analysis documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with covert channel analysis responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for testing covert channels</p>
-                  <p>automated mechanisms supporting and/or implementing testing of covert channels
-                     analysis</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-31.2">
-            <title>Maximum Bandwidth</title>
-            <param id="sc-31.2_prm_1">
-               <select how-many="one or more">
-                  <choice>storage</choice>
-                  <choice>timing</choice>
-               </select>
-            </param>
-            <param id="sc-31.2_prm_2">
-               <label>organization-defined values</label>
-            </param>
-            <prop name="label">SC-31(2)</prop>
-            <prop name="sort-id">sc-31.02</prop>
-            <part id="sc-31.2_smt" name="statement">
-               <p>The organization reduces the maximum bandwidth for identified covert <insert param-id="sc-31.2_prm_1"/> channels to <insert param-id="sc-31.2_prm_2"/>.</p>
-            </part>
-            <part id="sc-31.2_gdn" name="guidance">
-               <p>Information system developers are in the best position to reduce the maximum
-                  bandwidth for identified covert storage and timing channels.</p>
-            </part>
-            <part id="sc-31.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-31.2_obj.1" name="objective">
-                  <prop name="label">SC-31(2)[1]</prop>
-                  <p>defines values to be employed as the maximum bandwidth allowed for identified
-                     covert channels; and</p>
-               </part>
-               <part id="sc-31.2_obj.2" name="objective">
-                  <prop name="label">SC-31(2)[2]</prop>
-                  <p>reduces the maximum bandwidth to organization-defined values for one or more of
-                     the following identified:</p>
-                  <part id="sc-31.2_obj.2.a" name="objective">
-                     <prop name="label">SC-31(2)[2][a]</prop>
-                     <p>covert storage channels; and/or</p>
-                  </part>
-                  <part id="sc-31.2_obj.2.b" name="objective">
-                     <prop name="label">SC-31(2)[2][b]</prop>
-                     <p>covert timing channels.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing covert channel analysis</p>
-                  <p>acquisition contracts for information systems or services</p>
-                  <p>acquisition documentation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>covert channel analysis documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with covert channel analysis responsibilities</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for conducting covert channel analysis</p>
-                  <p>automated mechanisms supporting and/or implementing covert channel analysis</p>
-                  <p>automated mechanisms supporting and/or implementing the capability to reduce
-                     the bandwidth of covert channels</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-31.3">
-            <title>Measure Bandwidth in Operational Environments</title>
-            <param id="sc-31.3_prm_1">
-               <label>organization-defined subset of identified covert channels</label>
-            </param>
-            <prop name="label">SC-31(3)</prop>
-            <prop name="sort-id">sc-31.03</prop>
-            <part id="sc-31.3_smt" name="statement">
-               <p>The organization measures the bandwidth of <insert param-id="sc-31.3_prm_1"/> in
-                  the operational environment of the information system.</p>
-            </part>
-            <part id="sc-31.3_gdn" name="guidance">
-               <p>This control enhancement addresses covert channel bandwidth in operational
-                  environments versus developmental environments. Measuring covert channel bandwidth
-                  in operational environments helps organizations to determine how much information
-                  can be covertly leaked before such leakage adversely affects organizational
-                  missions/business functions. Covert channel bandwidth may be significantly
-                  different when measured in those settings that are independent of the particular
-                  environments of operation (e.g., laboratories or development environments).</p>
-            </part>
-            <part id="sc-31.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-31.3_obj.1" name="objective">
-                  <prop name="label">SC-31(3)[1]</prop>
-                  <p>defines subset of identified covert channels whose bandwidth is to be measured
-                     in the operational environment of the information system; and</p>
-               </part>
-               <part id="sc-31.3_obj.2" name="objective">
-                  <prop name="label">SC-31(3)[2]</prop>
-                  <p>measures the bandwidth of the organization-defined subset of identified covert
-                     channels in the operational environment of the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing covert channel analysis</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>covert channel analysis documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with covert channel analysis responsibilities</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for conducting covert channel analysis</p>
-                  <p>automated mechanisms supporting and/or implementing covert channel analysis</p>
-                  <p>automated mechanisms supporting and/or implementing the capability to measure
-                     the bandwidth of covert channels</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-32">
-         <title>Information System Partitioning</title>
-         <param id="sc-32_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="sc-32_prm_2">
-            <label>organization-defined circumstances for physical separation of components</label>
-         </param>
-         <prop name="label">SC-32</prop>
-         <prop name="sort-id">sc-32</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <part id="sc-32_smt" name="statement">
-            <p>The organization partitions the information system into <insert param-id="sc-32_prm_1"/> residing in separate physical domains or environments
-               based on <insert param-id="sc-32_prm_2"/>.</p>
-         </part>
-         <part id="sc-32_gdn" name="guidance">
-            <p>Information system partitioning is a part of a defense-in-depth protection strategy.
-               Organizations determine the degree of physical separation of system components from
-               physically distinct components in separate racks in the same room, to components in
-               separate rooms for the more critical components, to more significant geographical
-               separation of the most critical components. Security categorization can guide the
-               selection of appropriate candidates for domain partitioning. Managed interfaces
-               restrict or prohibit network access and information flow among partitioned
-               information system components.</p>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="sc-32_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-32_obj.1" name="objective">
-               <prop name="label">SC-32[1]</prop>
-               <p>defines circumstances for physical separation of information system components
-                  into information system partitions;</p>
-            </part>
-            <part id="sc-32_obj.2" name="objective">
-               <prop name="label">SC-32[2]</prop>
-               <p>defines information system components to reside in separate physical domains or
-                  environments based on organization-defined circumstances for physical separation
-                  of components; and</p>
-            </part>
-            <part id="sc-32_obj.3" name="objective">
-               <prop name="label">SC-32[3]</prop>
-               <p>partitions the information system into organization-defined information system
-                  components residing in separate physical domains or environments based on
-                  organization-defined circumstances for physical separation of components.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing information system partitioning</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system architecture</p>
-               <p>list of information system physical domains (or environments)</p>
-               <p>information system facility diagrams</p>
-               <p>information system network diagrams</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>information system developers/integrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing physical separation of
-                  information system components</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-33">
-         <title>Transmission Preparation Integrity</title>
-         <prop name="label">SC-33</prop>
-         <prop name="sort-id">sc-33</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#sc-8">SC-8</link>
-      </control>
-      <control class="SP800-53" id="sc-34">
-         <title>Non-modifiable Executable Programs</title>
-         <param id="sc-34_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="sc-34_prm_2">
-            <label>organization-defined applications</label>
-         </param>
-         <prop name="label">SC-34</prop>
-         <prop name="sort-id">sc-34</prop>
-         <part id="sc-34_smt" name="statement">
-            <p>The information system at <insert param-id="sc-34_prm_1"/>:</p>
-            <part id="sc-34_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Loads and executes the operating environment from hardware-enforced, read-only
-                  media; and</p>
-            </part>
-            <part id="sc-34_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Loads and executes <insert param-id="sc-34_prm_2"/> from hardware-enforced,
-                  read-only media.</p>
-            </part>
-         </part>
-         <part id="sc-34_gdn" name="guidance">
-            <p>The term operating environment is defined as the specific code that hosts
-               applications, for example, operating systems, executives, or monitors including
-               virtual machine monitors (i.e., hypervisors). It can also include certain
-               applications running directly on hardware platforms. Hardware-enforced, read-only
-               media include, for example, Compact Disk-Recordable (CD-R)/Digital Video
-               Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The
-               use of non-modifiable storage ensures the integrity of software from the point of
-               creation of the read-only image. The use of reprogrammable read-only memory can be
-               accepted as read-only media provided: (i) integrity can be adequately protected from
-               the point of initial writing to the insertion of the memory into the information
-               system; and (ii) there are reliable hardware protections against reprogramming the
-               memory while installed in organizational information systems.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-34_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-34_obj.1" name="objective">
-               <prop name="label">SC-34[1]</prop>
-               <p>the organization defines information system components for which the operating
-                  environment and organization-defined applications are to be loaded and executed
-                  from hardware-enforced, read-only media;</p>
-            </part>
-            <part id="sc-34_obj.2" name="objective">
-               <prop name="label">SC-34[2]</prop>
-               <p>the organization defines applications to be loaded and executed from
-                  hardware-enforced, read-only media;</p>
-            </part>
-            <part id="sc-34_obj.3" name="objective">
-               <prop name="label">SC-34[3]</prop>
-               <p>the information system, at organization-defined information system components:</p>
-               <part id="sc-34.a_obj.3" name="objective">
-                  <prop name="label">SC-34[3](a)</prop>
-                  <p>loads and executes the operating environment from hardware-enforced, read-only
-                     media; and</p>
-               </part>
-               <part id="sc-34.b_obj.3" name="objective">
-                  <prop name="label">SC-34[3](b)</prop>
-                  <p>loads and executes organization-defined applications from hardware-enforced,
-                     read-only media.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing non-modifiable executable programs</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system architecture</p>
-               <p>list of operating system components to be loaded from hardware-enforced, read-only
-                  media</p>
-               <p>list of applications to be loaded from hardware-enforced, read-only media</p>
-               <p>media used to load and execute information system operating environment</p>
-               <p>media used to load and execute information system applications</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>information system developers/integrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing loading and executing the
-                  operating environment from hardware-enforced, read-only media</p>
-               <p>automated mechanisms supporting and/or implementing loading and executing
-                  applications from hardware-enforced, read-only media</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-34.1">
-            <title>No Writable Storage</title>
-            <param id="sc-34.1_prm_1">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SC-34(1)</prop>
-            <prop name="sort-id">sc-34.01</prop>
-            <part id="sc-34.1_smt" name="statement">
-               <p>The organization employs <insert param-id="sc-34.1_prm_1"/> with no writeable
-                  storage that is persistent across component restart or power on/off.</p>
-            </part>
-            <part id="sc-34.1_gdn" name="guidance">
-               <p>This control enhancement: (i) eliminates the possibility of malicious code
-                  insertion via persistent, writeable storage within the designated information
-                  system components; and (ii) applies to both fixed and removable storage, with the
-                  latter being addressed directly or as specific restrictions imposed through access
-                  controls for mobile devices.</p>
-               <link rel="related" href="#ac-19">AC-19</link>
-               <link rel="related" href="#mp-7">MP-7</link>
-            </part>
-            <part id="sc-34.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-34.1_obj.1" name="objective">
-                  <prop name="label">SC-34(1)[1]</prop>
-                  <p>defines information system components to be employed with no writeable storage;
-                     and</p>
-               </part>
-               <part id="sc-34.1_obj.2" name="objective">
-                  <prop name="label">SC-34(1)[2]</prop>
-                  <p>employs organization-defined information system components with no writeable
-                     storage that is persistent across component restart or power on/off.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing non-modifiable executable programs</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>list of information system components to be employed without writeable storage
-                     capability</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing employment of components
-                     with no writeable storage</p>
-                  <p>automated mechanisms supporting and/or implementing persistent non-writeable
-                     storage across component restart and power on/off</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-34.2">
-            <title>Integrity Protection / Read-only Media</title>
-            <prop name="label">SC-34(2)</prop>
-            <prop name="sort-id">sc-34.02</prop>
-            <part id="sc-34.2_smt" name="statement">
-               <p>The organization protects the integrity of information prior to storage on
-                  read-only media and controls the media after such information has been recorded
-                  onto the media.</p>
-            </part>
-            <part id="sc-34.2_gdn" name="guidance">
-               <p>Security safeguards prevent the substitution of media into information systems or
-                  the reprogramming of programmable read-only media prior to installation into the
-                  systems. Security safeguards include, for example, a combination of prevention,
-                  detection, and response.</p>
-               <link rel="related" href="#ac-5">AC-5</link>
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-5">CM-5</link>
-               <link rel="related" href="#cm-9">CM-9</link>
-               <link rel="related" href="#mp-2">MP-2</link>
-               <link rel="related" href="#mp-4">MP-4</link>
-               <link rel="related" href="#mp-5">MP-5</link>
-               <link rel="related" href="#sa-12">SA-12</link>
-               <link rel="related" href="#sc-28">SC-28</link>
-               <link rel="related" href="#si-3">SI-3</link>
-            </part>
-            <part id="sc-34.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-34.2_obj.1" name="objective">
-                  <prop name="label">SC-34(2)[1]</prop>
-                  <p>protects the integrity of the information prior to storage on read-only media;
-                     and</p>
-               </part>
-               <part id="sc-34.2_obj.2" name="objective">
-                  <prop name="label">SC-34(2)[2]</prop>
-                  <p>controls the media after such information has been recorded onto the media.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing non-modifiable executable programs</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing capability for protecting
-                     information integrity on read-only media prior to storage and after information
-                     has been recorded onto the media</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-34.3">
-            <title>Hardware-based Protection</title>
-            <param id="sc-34.3_prm_1">
-               <label>organization-defined information system firmware components</label>
-            </param>
-            <param id="sc-34.3_prm_2">
-               <label>organization-defined authorized individuals</label>
-            </param>
-            <prop name="label">SC-34(3)</prop>
-            <prop name="sort-id">sc-34.03</prop>
-            <part id="sc-34.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="sc-34.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs hardware-based, write-protect for <insert param-id="sc-34.3_prm_1"/>;
-                     and</p>
-               </part>
-               <part id="sc-34.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Implements specific procedures for <insert param-id="sc-34.3_prm_2"/> to
-                     manually disable hardware write-protect for firmware modifications and
-                     re-enable the write-protect prior to returning to operational mode.</p>
-               </part>
-            </part>
-            <part id="sc-34.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-34.3.a_obj" name="objective">
-                  <prop name="label">SC-34(3)(a)</prop>
-                  <part id="sc-34.3.a_obj.1" name="objective">
-                     <prop name="label">SC-34(3)(a)[1]</prop>
-                     <p>defines information system firmware components for which hardware-based,
-                        write-protection is to be employed;</p>
-                  </part>
-                  <part id="sc-34.3.a_obj.2" name="objective">
-                     <prop name="label">SC-34(3)(a)[2]</prop>
-                     <p>employs hardware-based, write-protection for organization-defined
-                        information system firmware components;</p>
-                  </part>
-                  <link rel="corresp" href="#sc-34.3_smt.a">SC-34(3)(a)</link>
-               </part>
-               <part id="sc-34.3.b_obj" name="objective">
-                  <prop name="label">SC-34(3)(b)</prop>
-                  <part id="sc-34.3.b_obj.1" name="objective">
-                     <prop name="label">SC-34(3)(b)[1]</prop>
-                     <p>defines individuals authorized to manually disable hardware write-protect
-                        for firmware modifications and re-enable the write-protect prior to
-                        returning to operational mode; and</p>
-                  </part>
-                  <part id="sc-34.3.b_obj.2" name="objective">
-                     <prop name="label">SC-34(3)(b)[2]</prop>
-                     <p>implements specific procedures for organization-defined authorized
-                        individuals to manually disable hardware write-protect for firmware
-                        modifications and re-enable the write-protect prior to returning to
-                        operational mode.</p>
-                  </part>
-                  <link rel="corresp" href="#sc-34.3_smt.b">SC-34(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing firmware modifications</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for modifying firmware</p>
-                  <p>automated mechanisms supporting and/or implementing hardware-based,
-                     write-protection for firmware</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-35">
-         <title>Honeyclients</title>
-         <prop name="label">SC-35</prop>
-         <prop name="sort-id">sc-35</prop>
-         <part id="sc-35_smt" name="statement">
-            <p>The information system includes components that proactively seek to identify
-               malicious websites and/or web-based malicious code.</p>
-         </part>
-         <part id="sc-35_gdn" name="guidance">
-            <p>Honeyclients differ from honeypots in that the components actively probe the Internet
-               in search of malicious code (e.g., worms) contained on external websites. As with
-               honeypots, honeyclients require some supporting isolation measures (e.g.,
-               virtualization) to ensure that any malicious code discovered during the search and
-               subsequently executed does not infect organizational information systems.</p>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="sc-35_obj" name="objective">
-            <p>Determine if the information system includes components that proactively seek to
-               identify malicious websites and/or web-based malicious code.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing honeyclients</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system components deployed to identify malicious websites and/or
-                  web-based malicious code</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>information system developers/integrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing honeyclients</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-36">
-         <title>Distributed Processing and Storage</title>
-         <param id="sc-36_prm_1">
-            <label>organization-defined processing and storage</label>
-         </param>
-         <prop name="label">SC-36</prop>
-         <prop name="sort-id">sc-36</prop>
-         <part id="sc-36_smt" name="statement">
-            <p>The organization distributes <insert param-id="sc-36_prm_1"/> across multiple
-               physical locations.</p>
-         </part>
-         <part id="sc-36_gdn" name="guidance">
-            <p>Distributing processing and storage across multiple physical locations provides some
-               degree of redundancy or overlap for organizations, and therefore increases the work
-               factor of adversaries to adversely impact organizational operations, assets, and
-               individuals. This control does not assume a single primary processing or storage
-               location, and thus allows for parallel processing and storage.</p>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-         </part>
-         <part id="sc-36_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-36_obj.1" name="objective">
-               <prop name="label">SC-36[1]</prop>
-               <p>defines processing and storage to be distributed across multiple physical
-                  locations; and</p>
-            </part>
-            <part id="sc-36_obj.2" name="objective">
-               <prop name="label">SC-36[2]</prop>
-               <p>distributes organization-defined processing and storage across multiple physical
-                  locations.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>contingency planning policy and procedures</p>
-               <p>contingency plan</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system architecture</p>
-               <p>list of information system physical locations (or environments) with distributed
-                  processing and storage</p>
-               <p>information system facility diagrams</p>
-               <p>processing site agreements</p>
-               <p>storage site agreements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with contingency planning and plan implementation
-                  responsibilities</p>
-               <p>information system developers/integrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for distributing processing and storage across multiple
-                  physical locations</p>
-               <p>automated mechanisms supporting and/or implementing capability for distributing
-                  processing and storage across multiple physical locations</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-36.1">
-            <title>Polling Techniques</title>
-            <param id="sc-36.1_prm_1">
-               <label>organization-defined distributed processing and storage components</label>
-            </param>
-            <prop name="label">SC-36(1)</prop>
-            <prop name="sort-id">sc-36.01</prop>
-            <part id="sc-36.1_smt" name="statement">
-               <p>The organization employs polling techniques to identify potential faults, errors,
-                  or compromises to <insert param-id="sc-36.1_prm_1"/>.</p>
-            </part>
-            <part id="sc-36.1_gdn" name="guidance">
-               <p>Distributed processing and/or storage may be employed to reduce opportunities for
-                  adversaries to successfully compromise the confidentiality, integrity, or
-                  availability of information and information systems. However, distribution of
-                  processing and/or storage components does not prevent adversaries from
-                  compromising one (or more) of the distributed components. Polling compares the
-                  processing results and/or storage content from the various distributed components
-                  and subsequently voting on the outcomes. Polling identifies potential faults,
-                  errors, or compromises in distributed processing and/or storage components.</p>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="sc-36.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-36.1_obj.1" name="objective">
-                  <prop name="label">SC-36(1)[1]</prop>
-                  <p>defines distributed processing and storage components for which polling
-                     techniques are to be employed to identify potential faults, errors, or
-                     compromises; and</p>
-               </part>
-               <part id="sc-36.1_obj.2" name="objective">
-                  <prop name="label">SC-36(1)[2]</prop>
-                  <p>employs polling techniques to identify potential faults, errors, or compromises
-                     to organization-defined distributed processing and storage components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>list of distributed processing and storage components subject to polling</p>
-                  <p>information system polling techniques and associated documentation or
-                     records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing polling techniques</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-37">
-         <title>Out-of-band Channels</title>
-         <param id="sc-37_prm_1">
-            <label>organization-defined out-of-band channels</label>
-         </param>
-         <param id="sc-37_prm_2">
-            <label>organization-defined information, information system components, or
-               devices</label>
-         </param>
-         <param id="sc-37_prm_3">
-            <label>organization-defined individuals or information systems</label>
-         </param>
-         <prop name="label">SC-37</prop>
-         <prop name="sort-id">sc-37</prop>
-         <part id="sc-37_smt" name="statement">
-            <p>The organization employs <insert param-id="sc-37_prm_1"/> for the physical delivery
-               or electronic transmission of <insert param-id="sc-37_prm_2"/> to <insert param-id="sc-37_prm_3"/>.</p>
-         </part>
-         <part id="sc-37_gdn" name="guidance">
-            <p>Out-of-band channels include, for example, local (nonnetwork) accesses to information
-               systems, network paths physically separate from network paths used for operational
-               traffic, or nonelectronic paths such as the US Postal Service. This is in contrast
-               with using the same channels (i.e., in-band channels) that carry routine operational
-               traffic. Out-of-band channels do not have the same vulnerability/exposure as in-band
-               channels, and hence the confidentiality, integrity, or availability compromises of
-               in-band channels will not compromise the out-of-band channels. Organizations may
-               employ out-of-band channels in the delivery or transmission of many organizational
-               items including, for example, identifiers/authenticators, configuration management
-               changes for hardware, firmware, or software, cryptographic key management
-               information, security updates, system/data backups, maintenance information, and
-               malicious code protection updates.</p>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="sc-37_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-37_obj.1" name="objective">
-               <prop name="label">SC-37[1]</prop>
-               <p>defines out-of-band channels to be employed for the physical delivery or
-                  electronic transmission of information, information system components, or devices
-                  to individuals or information systems;</p>
-            </part>
-            <part id="sc-37_obj.2" name="objective">
-               <prop name="label">SC-37[2]</prop>
-               <p>defines information, information system components, or devices for which physical
-                  delivery or electronic transmission of such information, information system
-                  components, or devices to individuals or information systems requires employment
-                  of organization-defined out-of-band channels;</p>
-            </part>
-            <part id="sc-37_obj.3" name="objective">
-               <prop name="label">SC-37[3]</prop>
-               <p>defines individuals or information systems to which physical delivery or
-                  electronic transmission of organization-defined information, information system
-                  components, or devices is to be achieved via employment of organization-defined
-                  out-of-band channels; and</p>
-            </part>
-            <part id="sc-37_obj.4" name="objective">
-               <prop name="label">SC-37[4]</prop>
-               <p>employs organization-defined out-of-band channels for the physical delivery or
-                  electronic transmission of organization-defined information, information system
-                  components, or devices to organization-defined individuals or information
-                  systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing use of out-of-band channels</p>
-               <p>access control policy and procedures</p>
-               <p>identification and authentication policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>information system architecture</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of out-of-band channels</p>
-               <p>types of information, information system components, or devices requiring use of
-                  out-of-band channels for physical delivery or electronic transmission to
-                  authorized individuals or information systems</p>
-               <p>physical delivery records</p>
-               <p>electronic transmission records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel authorizing, installing, configuring, operating, and/or
-                  using out-of-band channels</p>
-               <p>information system developers/integrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for use of out-of-band channels</p>
-               <p>automated mechanisms supporting and/or implementing use of out-of-band
-                  channels</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-37.1">
-            <title>Ensure Delivery / Transmission</title>
-            <param id="sc-37.1_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="sc-37.1_prm_2">
-               <label>organization-defined individuals or information systems</label>
-            </param>
-            <param id="sc-37.1_prm_3">
-               <label>organization-defined information, information system components, or
-                  devices</label>
-            </param>
-            <prop name="label">SC-37(1)</prop>
-            <prop name="sort-id">sc-37.01</prop>
-            <part id="sc-37.1_smt" name="statement">
-               <p>The organization employs <insert param-id="sc-37.1_prm_1"/> to ensure that only
-                     <insert param-id="sc-37.1_prm_2"/> receive the <insert param-id="sc-37.1_prm_3"/>.</p>
-            </part>
-            <part id="sc-37.1_gdn" name="guidance">
-               <p>Techniques and/or methods employed by organizations to ensure that only designated
-                  information systems or individuals receive particular information, system
-                  components, or devices include, for example, sending authenticators via courier
-                  service but requiring recipients to show some form of government-issued
-                  photographic identification as a condition of receipt.</p>
-            </part>
-            <part id="sc-37.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-37.1_obj.1" name="objective">
-                  <prop name="label">SC-37(1)[1]</prop>
-                  <p>defines security safeguards to be employed to ensure that only designated
-                     individuals or information systems receive specific information, information
-                     system components, or devices;</p>
-               </part>
-               <part id="sc-37.1_obj.2" name="objective">
-                  <prop name="label">SC-37(1)[2]</prop>
-                  <p>defines individuals or information systems designated to receive specific
-                     information, information system components, or devices;</p>
-               </part>
-               <part id="sc-37.1_obj.3" name="objective">
-                  <prop name="label">SC-37(1)[3]</prop>
-                  <p>defines information, information system components, or devices that only
-                     organization-defined individuals or information systems are designated to
-                     receive; and</p>
-               </part>
-               <part id="sc-37.1_obj.4" name="objective">
-                  <prop name="label">SC-37(1)[4]</prop>
-                  <p>employs organization-defined security safeguards to ensure that only
-                     organization-defined individuals or information systems receive the
-                     organization-defined information, information system components, or
-                     devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>procedures addressing use of out-of-band channels</p>
-                  <p>access control policy and procedures</p>
-                  <p>identification and authentication policy and procedures</p>
-                  <p>information system design documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of security safeguards to be employed to ensure designated individuals or
-                     information systems receive organization-defined information, information
-                     system components, or devices</p>
-                  <p>list of security safeguards for delivering designated information, information
-                     system components, or devices to designated individuals or information
-                     systems</p>
-                  <p>list of information, information system components, or devices to be delivered
-                     to designated individuals or information systems</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel authorizing, installing, configuring, operating,
-                     and/or using out-of-band channels</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for use of out-of-band channels</p>
-                  <p>automated mechanisms supporting and/or implementing use of out-of-band
-                     channels</p>
-                  <p>automated mechanisms supporting/implementing safeguards to ensure delivery of
-                     designated information, system components, or devices</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-38">
-         <title>Operations Security</title>
-         <param id="sc-38_prm_1">
-            <label>organization-defined operations security safeguards</label>
-         </param>
-         <prop name="label">SC-38</prop>
-         <prop name="sort-id">sc-38</prop>
-         <part id="sc-38_smt" name="statement">
-            <p>The organization employs <insert param-id="sc-38_prm_1"/> to protect key
-               organizational information throughout the system development life cycle.</p>
-         </part>
-         <part id="sc-38_gdn" name="guidance">
-            <p>Operations security (OPSEC) is a systematic process by which potential adversaries
-               can be denied information about the capabilities and intentions of organizations by
-               identifying, controlling, and protecting generally unclassified information that
-               specifically relates to the planning and execution of sensitive organizational
-               activities. The OPSEC process involves five steps: (i) identification of critical
-               information (e.g., the security categorization process); (ii) analysis of threats;
-               (iii) analysis of vulnerabilities; (iv) assessment of risks; and (v) the application
-               of appropriate countermeasures. OPSEC safeguards are applied to both organizational
-               information systems and the environments in which those systems operate. OPSEC
-               safeguards help to protect the confidentiality of key information including, for
-               example, limiting the sharing of information with suppliers and potential suppliers
-               of information system components, information technology products and services, and
-               with other non-organizational elements and individuals. Information critical to
-               mission/business success includes, for example, user identities, element uses,
-               suppliers, supply chain processes, functional and security requirements, system
-               design specifications, testing protocols, and security control implementation
-               details.</p>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-         </part>
-         <part id="sc-38_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-38_obj.1" name="objective">
-               <prop name="label">SC-38[1]</prop>
-               <p>defines operations security safeguards to be employed to protect key
-                  organizational information throughout the system development life cycle; and</p>
-            </part>
-            <part id="sc-38_obj.2" name="objective">
-               <prop name="label">SC-38[2]</prop>
-               <p>employs organization-defined operations security safeguards to protect key
-                  organizational information throughout the system development life cycle.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing operations security</p>
-               <p>security plan</p>
-               <p>list of operations security safeguards</p>
-               <p>security control assessments</p>
-               <p>risk assessments</p>
-               <p>threat and vulnerability assessments</p>
-               <p>plans of action and milestones</p>
-               <p>system development life cycle documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>information system developers/integrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for protecting organizational information throughout the
-                  SDLC</p>
-               <p>automated mechanisms supporting and/or implementing safeguards to protect
-                  organizational information throughout the SDLC</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-39">
-         <title>Process Isolation</title>
-         <prop name="label">SC-39</prop>
-         <prop name="sort-id">sc-39</prop>
-         <part id="sc-39_smt" name="statement">
-            <p>The information system maintains a separate execution domain for each executing
-               process.</p>
-         </part>
-         <part id="sc-39_gdn" name="guidance">
-            <p>Information systems can maintain separate execution domains for each executing
-               process by assigning each process a separate address space. Each information system
-               process has a distinct address space so that communication between processes is
-               performed in a manner controlled through the security functions, and one process
-               cannot modify the executing code of another process. Maintaining separate execution
-               domains for executing processes can be achieved, for example, by implementing
-               separate address spaces. This capability is available in most commercial operating
-               systems that employ multi-state processor technologies.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="sc-39_obj" name="objective">
-            <p>Determine if the information system maintains a separate execution domain for each
-               executing process.</p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information system design documentation</p>
-               <p>information system architecture</p>
-               <p>independent verification and validation documentation</p>
-               <p>testing and evaluation documentation, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Information system developers/integrators</p>
-               <p>information system security architect</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing separate execution domains for
-                  each executing process</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-39.1">
-            <title>Hardware Separation</title>
-            <prop name="label">SC-39(1)</prop>
-            <prop name="sort-id">sc-39.01</prop>
-            <part id="sc-39.1_smt" name="statement">
-               <p>The information system implements underlying hardware separation mechanisms to
-                  facilitate process separation.</p>
-            </part>
-            <part id="sc-39.1_gdn" name="guidance">
-               <p>Hardware-based separation of information system processes is generally less
-                  susceptible to compromise than software-based separation, thus providing greater
-                  assurance that the separation will be enforced. Underlying hardware separation
-                  mechanisms include, for example, hardware memory management.</p>
-            </part>
-            <part id="sc-39.1_obj" name="objective">
-               <p>Determine if the information system implements underlying hardware separation
-                  mechanisms to facilitate process separation.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system documentation for hardware separation mechanisms</p>
-                  <p>information system documentation from vendors, manufacturers or developers</p>
-                  <p>independent verification and validation documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system capability implementing underlying hardware separation
-                     mechanisms for process separation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-39.2">
-            <title>Thread Isolation</title>
-            <param id="sc-39.2_prm_1">
-               <label>organization-defined multi-threaded processing</label>
-            </param>
-            <prop name="label">SC-39(2)</prop>
-            <prop name="sort-id">sc-39.02</prop>
-            <part id="sc-39.2_smt" name="statement">
-               <p>The information system maintains a separate execution domain for each thread in
-                     <insert param-id="sc-39.2_prm_1"/>.</p>
-            </part>
-            <part id="sc-39.2_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="sc-39.2_obj.1" name="objective">
-                  <prop name="label">SC-39(2)[1]</prop>
-                  <p>defines multi-threaded processing for which a separate execution domain is to
-                     be maintained for each thread in multi-threaded processing; and</p>
-               </part>
-               <part id="sc-39.2_obj.2" name="objective">
-                  <prop name="label">SC-39(2)[2]</prop>
-                  <p>maintains a separate execution domain for each thread in organization-defined
-                     multi-threaded processing.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>list of information system execution domains for each thread in multi-threaded
-                     processing</p>
-                  <p>information system documentation for multi-threaded processing</p>
-                  <p>information system documentation from vendors, manufacturers or developers</p>
-                  <p>independent verification and validation documentation</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>information system developers/integrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Information system capability implementing a separate execution domain for each
-                     thread in multi-threaded processing</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-40">
-         <title>Wireless Link Protection</title>
-         <param id="sc-40_prm_1">
-            <label>organization-defined wireless links</label>
-         </param>
-         <param id="sc-40_prm_2">
-            <label>organization-defined types of signal parameter attacks or references to sources
-               for such attacks</label>
-         </param>
-         <prop name="label">SC-40</prop>
-         <prop name="sort-id">sc-40</prop>
-         <part id="sc-40_smt" name="statement">
-            <p>The information system protects external and internal <insert param-id="sc-40_prm_1"/> from <insert param-id="sc-40_prm_2"/>.</p>
-         </part>
-         <part id="sc-40_gdn" name="guidance">
-            <p>This control applies to internal and external wireless communication links that may
-               be visible to individuals who are not authorized information system users.
-               Adversaries can exploit the signal parameters of wireless links if such links are not
-               adequately protected. There are many ways to exploit the signal parameters of
-               wireless links to gain intelligence, deny service, or to spoof users of
-               organizational information systems. This control reduces the impact of attacks that
-               are unique to wireless systems. If organizations rely on commercial service providers
-               for transmission services as commodity items rather than as fully dedicated services,
-               it may not be possible to implement this control.</p>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-         </part>
-         <part id="sc-40_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-40_obj.1" name="objective">
-               <prop name="label">SC-40[1]</prop>
-               <p>the organization defines:</p>
-               <part id="sc-40_obj.1.a" name="objective">
-                  <prop name="label">SC-40[1][a]</prop>
-                  <p>internal wireless links to be protected from particular types of signal
-                     parameter attacks;</p>
-               </part>
-               <part id="sc-40_obj.1.b" name="objective">
-                  <prop name="label">SC-40[1][b]</prop>
-                  <p>external wireless links to be protected from particular types of signal
-                     parameter attacks;</p>
-               </part>
-            </part>
-            <part id="sc-40_obj.2" name="objective">
-               <prop name="label">SC-40[2]</prop>
-               <p>the organization defines types of signal parameter attacks or references to
-                  sources for such attacks that are based upon exploiting the signal parameters of
-                  organization-defined internal and external wireless links; and</p>
-            </part>
-            <part id="sc-40_obj.3" name="objective">
-               <prop name="label">SC-40[3]</prop>
-               <p>the information system protects internal and external organization-defined
-                  wireless links from organization-defined types of signal parameter attacks or
-                  references to sources for such attacks.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>access control policy and procedures</p>
-               <p>procedures addressing wireless link protection</p>
-               <p>information system design documentation</p>
-               <p>wireless network diagrams</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system architecture</p>
-               <p>list or internal and external wireless links</p>
-               <p>list of signal parameter attacks or references to sources for attacks</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel authorizing, installing, configuring and/or maintaining
-                  internal and external wireless links</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing protection of wireless
-                  links</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-40.1">
-            <title>Electromagnetic Interference</title>
-            <param id="sc-40.1_prm_1">
-               <label>organization-defined level of protection</label>
-            </param>
-            <prop name="label">SC-40(1)</prop>
-            <prop name="sort-id">sc-40.01</prop>
-            <part id="sc-40.1_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms that achieve <insert param-id="sc-40.1_prm_1"/> against the effects of intentional electromagnetic
-                  interference.</p>
-            </part>
-            <part id="sc-40.1_gdn" name="guidance">
-               <p>This control enhancement protects against intentional jamming that might deny or
-                  impair communications by ensuring that wireless spread spectrum waveforms used to
-                  provide anti-jam protection are not predictable by unauthorized individuals. The
-                  control enhancement may also coincidentally help to mitigate the effects of
-                  unintentional jamming due to interference from legitimate transmitters sharing the
-                  same spectrum. Mission requirements, projected threats, concept of operations, and
-                  applicable legislation, directives, regulations, policies, standards, and
-                  guidelines determine levels of wireless link availability and
-                  performance/cryptography needed.</p>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-40.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-40.1_obj.1" name="objective">
-                  <prop name="label">SC-40(1)[1]</prop>
-                  <p>the organization defines level of protection to be employed against the effects
-                     of intentional electromagnetic interference; and</p>
-               </part>
-               <part id="sc-40.1_obj.2" name="objective">
-                  <prop name="label">SC-40(1)[2]</prop>
-                  <p>the information system employs cryptographic mechanisms that achieve
-                     organization-defined level of protection against the effects of intentional
-                     electromagnetic interference.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing wireless link protection</p>
-                  <p>information system design documentation</p>
-                  <p>wireless network diagrams</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system communications hardware and software</p>
-                  <p>security categorization results</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel authorizing, installing, configuring and/or
-                     maintaining internal and external wireless links</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms enforcing protections against effects of intentional
-                     electromagnetic interference</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-40.2">
-            <title>Reduce Detection Potential</title>
-            <param id="sc-40.2_prm_1">
-               <label>organization-defined level of reduction</label>
-            </param>
-            <prop name="label">SC-40(2)</prop>
-            <prop name="sort-id">sc-40.02</prop>
-            <part id="sc-40.2_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to reduce the detection
-                  potential of wireless links to <insert param-id="sc-40.2_prm_1"/>.</p>
-            </part>
-            <part id="sc-40.2_gdn" name="guidance">
-               <p>This control enhancement is needed for covert communications and protecting
-                  wireless transmitters from being geo-located by their transmissions. The control
-                  enhancement ensures that spread spectrum waveforms used to achieve low probability
-                  of detection are not predictable by unauthorized individuals. Mission
-                  requirements, projected threats, concept of operations, and applicable
-                  legislation, directives, regulations, policies, standards, and guidelines
-                  determine the levels to which wireless links should be undetectable.</p>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-40.2_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-40.2_obj.1" name="objective">
-                  <prop name="label">SC-40(2)[1]</prop>
-                  <p>the organization defines level of reduction to be achieved to reduce the
-                     detection potential of wireless links; and</p>
-               </part>
-               <part id="sc-40.2_obj.2" name="objective">
-                  <prop name="label">SC-40(2)[2]</prop>
-                  <p>the information system implements cryptographic mechanisms to reduce the
-                     detection potential of wireless links to organization-defined level of
-                     reduction.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing wireless link protection</p>
-                  <p>information system design documentation</p>
-                  <p>wireless network diagrams</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system communications hardware and software</p>
-                  <p>security categorization results</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel authorizing, installing, configuring and/or
-                     maintaining internal and external wireless links</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms enforcing protections to reduce detection of wireless
-                     links</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-40.3">
-            <title>Imitative or Manipulative Communications Deception</title>
-            <prop name="label">SC-40(3)</prop>
-            <prop name="sort-id">sc-40.03</prop>
-            <part id="sc-40.3_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to identify and reject
-                  wireless transmissions that are deliberate attempts to achieve imitative or
-                  manipulative communications deception based on signal parameters.</p>
-            </part>
-            <part id="sc-40.3_gdn" name="guidance">
-               <p>This control enhancement ensures that the signal parameters of wireless
-                  transmissions are not predictable by unauthorized individuals. Such
-                  unpredictability reduces the probability of imitative or manipulative
-                  communications deception based upon signal parameters alone.</p>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-40.3_obj" name="objective">
-               <p>Determine if the information system implements cryptographic mechanisms to:</p>
-               <part id="sc-40.3_obj.1" name="objective">
-                  <prop name="label">SC-40(3)[1]</prop>
-                  <p>identify wireless transmissions that are deliberate attempts to achieve
-                     imitative or manipulative communications deception based on signal parameters;
-                     and</p>
-               </part>
-               <part id="sc-40.3_obj.2" name="objective">
-                  <prop name="label">SC-40(3)[2]</prop>
-                  <p>reject wireless transmissions that are deliberate attempts to achieve imitative
-                     or manipulative communications deception based on signal parameters.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing information system design documentation</p>
-                  <p>wireless network diagrams</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system communications hardware and software</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel authorizing, installing, configuring and/or
-                     maintaining internal and external wireless links</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms enforcing wireless link protections against imitative
-                     or manipulative communications deception</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-40.4">
-            <title>Signal Parameter Identification</title>
-            <param id="sc-40.4_prm_1">
-               <label>organization-defined wireless transmitters</label>
-            </param>
-            <prop name="label">SC-40(4)</prop>
-            <prop name="sort-id">sc-40.04</prop>
-            <part id="sc-40.4_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to prevent the
-                  identification of <insert param-id="sc-40.4_prm_1"/> by using the transmitter
-                  signal parameters.</p>
-            </part>
-            <part id="sc-40.4_gdn" name="guidance">
-               <p>Radio fingerprinting techniques identify the unique signal parameters of
-                  transmitters to fingerprint such transmitters for purposes of tracking and
-                  mission/user identification. This control enhancement protects against the unique
-                  identification of wireless transmitters for purposes of intelligence exploitation
-                  by ensuring that anti-fingerprinting alterations to signal parameters are not
-                  predictable by unauthorized individuals. This control enhancement helps assure
-                  mission success when anonymity is required.</p>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="sc-40.4_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="sc-40.4_obj.1" name="objective">
-                  <prop name="label">SC-40(4)[1]</prop>
-                  <p>the organization defines wireless transmitters for which cryptographic
-                     mechanisms are to be implemented to prevent identification of such transmitters
-                     by using the transmitter signal parameters; and</p>
-               </part>
-               <part id="sc-40.4_obj.2" name="objective">
-                  <prop name="label">SC-40(4)[2]</prop>
-                  <p>the information system implements cryptographic mechanisms to prevent the
-                     identification of organization-defined wireless transmitters by using the
-                     transmitter signal parameters.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing information system design documentation</p>
-                  <p>wireless network diagrams</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system communications hardware and software</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel authorizing, installing, configuring and/or
-                     maintaining internal and external wireless links</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms preventing the identification of wireless
-                     transmitters</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-41">
-         <title>Port and I/O Device Access</title>
-         <param id="sc-41_prm_1">
-            <label>organization-defined connection ports or input/output devices</label>
-         </param>
-         <param id="sc-41_prm_2">
-            <label>organization-defined information systems or information system components</label>
-         </param>
-         <prop name="label">SC-41</prop>
-         <prop name="sort-id">sc-41</prop>
-         <part id="sc-41_smt" name="statement">
-            <p>The organization physically disables or removes <insert param-id="sc-41_prm_1"/> on
-                  <insert param-id="sc-41_prm_2"/>.</p>
-         </part>
-         <part id="sc-41_gdn" name="guidance">
-            <p>Connection ports include, for example, Universal Serial Bus (USB) and Firewire (IEEE
-               1394). Input/output (I/O) devices include, for example, Compact Disk (CD) and Digital
-               Video Disk (DVD) drives. Physically disabling or removing such connection ports and
-               I/O devices helps prevent exfiltration of information from information systems and
-               the introduction of malicious code into systems from those ports/devices.</p>
-         </part>
-         <part id="sc-41_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-41_obj.1" name="objective">
-               <prop name="label">SC-41[1]</prop>
-               <p>defines connection ports or input/output devices to be physically disabled or
-                  removed on information systems or information system components;</p>
-            </part>
-            <part id="sc-41_obj.2" name="objective">
-               <prop name="label">SC-41[2]</prop>
-               <p>defines information systems or information system components with
-                  organization-defined connection ports or input/output devices that are to be
-                  physically disabled or removed; and</p>
-            </part>
-            <part id="sc-41_obj.3" name="objective">
-               <prop name="label">SC-41[3]</prop>
-               <p>physically disables or removes organization-defined connection ports or
-                  input/output devices on organization-defined information systems or information
-                  system components.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>access control policy and procedures</p>
-               <p>procedures addressing port and input/output device access</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system architecture</p>
-               <p>information systems or information system components list of connection ports or
-                  input/output devices to be physically disabled or removed on information systems
-                  or information system components</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing disabling of connection ports
-                  or input/output devices</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-42">
-         <title>Sensor Capability and Data</title>
-         <param id="sc-42_prm_1">
-            <label>organization-defined exceptions where remote activation of sensors is
-               allowed</label>
-         </param>
-         <param id="sc-42_prm_2">
-            <label>organization-defined class of users</label>
-         </param>
-         <prop name="label">SC-42</prop>
-         <prop name="sort-id">sc-42</prop>
-         <part id="sc-42_smt" name="statement">
-            <p>The information system:</p>
-            <part id="sc-42_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Prohibits the remote activation of environmental sensing capabilities with the
-                  following exceptions: <insert param-id="sc-42_prm_1"/>; and</p>
-            </part>
-            <part id="sc-42_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides an explicit indication of sensor use to <insert param-id="sc-42_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="sc-42_gdn" name="guidance">
-            <p>This control often applies to types of information systems or system components
-               characterized as mobile devices, for example, smart phones, tablets, and E-readers.
-               These systems often include sensors that can collect and record data regarding the
-               environment where the system is in use. Sensors that are embedded within mobile
-               devices include, for example, cameras, microphones, Global Positioning System (GPS)
-               mechanisms, and accelerometers. While the sensors on mobiles devices provide an
-               important function, if activated covertly, such devices can potentially provide a
-               means for adversaries to learn valuable information about individuals and
-               organizations. For example, remotely activating the GPS function on a mobile device
-               could provide an adversary with the ability to track the specific movements of an
-               individual.</p>
-         </part>
-         <part id="sc-42_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="sc-42.a_obj" name="objective">
-               <prop name="label">SC-42(a)</prop>
-               <part id="sc-42.a_obj.1" name="objective">
-                  <prop name="label">SC-42(a)[1]</prop>
-                  <p>the organization defines exceptions where remote activation of sensors is to be
-                     allowed;</p>
-               </part>
-               <part id="sc-42.a_obj.2" name="objective">
-                  <prop name="label">SC-42(a)[2]</prop>
-                  <p>the information system prohibits the remote activation of sensors, except for
-                     organization-defined exceptions where remote activation of sensors is to be
-                     allowed;</p>
-               </part>
-            </part>
-            <part id="sc-42.b_obj" name="objective">
-               <prop name="label">SC-42(b)</prop>
-               <part id="sc-42.b_obj.1" name="objective">
-                  <prop name="label">SC-42(b)[1]</prop>
-                  <p>the organization defines the class of users to whom an explicit indication of
-                     sensor use is to be provided; and</p>
-               </part>
-               <part id="sc-42.b_obj.2" name="objective">
-                  <prop name="label">SC-42(b)[2]</prop>
-                  <p>the information system provides an explicit indication of sensor use to the
-                     organization-defined class of users.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing sensor capability and data collection</p>
-               <p>access control policy and procedures</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for sensor capability</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms implementing access controls for remote activation of
-                  information system sensor capabilities</p>
-               <p>automated mechanisms implementing capability to indicate sensor use</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-42.1">
-            <title>Reporting to Authorized Individuals or Roles</title>
-            <param id="sc-42.1_prm_1">
-               <label>organization-defined sensors</label>
-            </param>
-            <prop name="label">SC-42(1)</prop>
-            <prop name="sort-id">sc-42.01</prop>
-            <part id="sc-42.1_smt" name="statement">
-               <p>The organization ensures that the information system is configured so that data or
-                  information collected by the <insert param-id="sc-42.1_prm_1"/> is only reported
-                  to authorized individuals or roles.</p>
-            </part>
-            <part id="sc-42.1_gdn" name="guidance">
-               <p>In situations where sensors are activated by authorized individuals (e.g., end
-                  users), it is still possible that the data/information collected by the sensors
-                  will be sent to unauthorized entities.</p>
-            </part>
-            <part id="sc-42.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-42.1_obj.1" name="objective">
-                  <prop name="label">SC-42(1)[1]</prop>
-                  <p>defines sensors to be used to collect data or information only reported to
-                     authorized individuals or roles; and</p>
-               </part>
-               <part id="sc-42.1_obj.2" name="objective">
-                  <prop name="label">SC-42(1)[2]</prop>
-                  <p>ensures that the information system is configured so that data or information
-                     collected by the organization-defined sensors is only reported to authorized
-                     individuals or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing sensor capability and data collection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for sensor capability</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms restricting reporting of sensor information only to those
-                     authorized</p>
-                  <p>sensor data collection and reporting capability for the information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-42.2">
-            <title>Authorized Use</title>
-            <param id="sc-42.2_prm_1">
-               <label>organization-defined measures</label>
-            </param>
-            <param id="sc-42.2_prm_2">
-               <label>organization-defined sensors</label>
-            </param>
-            <prop name="label">SC-42(2)</prop>
-            <prop name="sort-id">sc-42.02</prop>
-            <part id="sc-42.2_smt" name="statement">
-               <p>The organization employs the following measures: <insert param-id="sc-42.2_prm_1"/>, so that data or information collected by <insert param-id="sc-42.2_prm_2"/> is
-                  only used for authorized purposes.</p>
-            </part>
-            <part id="sc-42.2_gdn" name="guidance">
-               <p>Information collected by sensors for a specific authorized purpose potentially
-                  could be misused for some unauthorized purpose. For example, GPS sensors that are
-                  used to support traffic navigation could be misused to track movements of
-                  individuals. Measures to mitigate such activities include, for example, additional
-                  training to ensure that authorized parties do not abuse their authority, or (in
-                  the case where sensor data/information is maintained by external parties)
-                  contractual restrictions on the use of the data/information.</p>
-            </part>
-            <part id="sc-42.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-42.2_obj.1" name="objective">
-                  <prop name="label">SC-42(2)[1]</prop>
-                  <p>defines measures to be employed so that data or information collected by
-                     sensors is only used for authorized purposes;</p>
-               </part>
-               <part id="sc-42.2_obj.2" name="objective">
-                  <prop name="label">SC-42(2)[2]</prop>
-                  <p>defines sensors to be used to collect data or information for authorized
-                     purposes only; and</p>
-               </part>
-               <part id="sc-42.2_obj.3" name="objective">
-                  <prop name="label">SC-42(2)[3]</prop>
-                  <p>employs organization-defined measures so that data or information collected by
-                     organization-defined sensors is only used for authorized purposes.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>sensor capability and data collection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>list of measures to be employed to ensure data or information collected by
-                     sensors is only used for authorized purposes</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for sensor capability</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing measures to ensure sensor
-                     information is only used for authorized purposes</p>
-                  <p>sensor information collection capability for the information system</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-42.3">
-            <title>Prohibit Use of Devices</title>
-            <param id="sc-42.3_prm_1">
-               <label>organization-defined environmental sensing capabilities</label>
-            </param>
-            <param id="sc-42.3_prm_2">
-               <label>organization-defined facilities, areas, or systems</label>
-            </param>
-            <prop name="label">SC-42(3)</prop>
-            <prop name="sort-id">sc-42.03</prop>
-            <part id="sc-42.3_smt" name="statement">
-               <p>The organization prohibits the use of devices possessing <insert param-id="sc-42.3_prm_1"/> in <insert param-id="sc-42.3_prm_2"/>.</p>
-            </part>
-            <part id="sc-42.3_gdn" name="guidance">
-               <p>For example, organizations may prohibit individuals from bringing cell phones or
-                  digital cameras into certain facilities or specific controlled areas within
-                  facilities where classified information is stored or sensitive conversations are
-                  taking place.</p>
-            </part>
-            <part id="sc-42.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="sc-42.3_obj.1" name="objective">
-                  <prop name="label">SC-42(3)[1]</prop>
-                  <p>defines environmental sensing capabilities to be prohibited from use in
-                     facilities, areas, or systems;</p>
-               </part>
-               <part id="sc-42.3_obj.2" name="objective">
-                  <prop name="label">SC-42(3)[2]</prop>
-                  <p>defines facilities, areas, or systems where the use of devices possessing
-                     organization-defined environmental sensing capabilities is to be prohibited;
-                     and</p>
-               </part>
-               <part id="sc-42.3_obj.3" name="objective">
-                  <prop name="label">SC-42(3)[3]</prop>
-                  <p>prohibits the use of devices possessing organization-defined environmental
-                     sensing capabilities in organization-defined facilities, areas, or systems.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and communications protection policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing sensor capability and data collection</p>
-                  <p>information system design documentation</p>
-                  <p>wireless network diagrams</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system architecture</p>
-                  <p>facilities, areas, or systems where use of devices possessing environmental
-                     sensing capabilities is prohibited</p>
-                  <p>list of devices possessing environmental sensing capabilities</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for sensor capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-43">
-         <title>Usage Restrictions</title>
-         <param id="sc-43_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <prop name="label">SC-43</prop>
-         <prop name="sort-id">sc-43</prop>
-         <part id="sc-43_smt" name="statement">
-            <p>The organization:</p>
-            <part id="sc-43_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Establishes usage restrictions and implementation guidance for <insert param-id="sc-43_prm_1"/> based on the potential to cause damage to the
-                  information system if used maliciously; and</p>
-            </part>
-            <part id="sc-43_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Authorizes, monitors, and controls the use of such components within the
-                  information system.</p>
-            </part>
-         </part>
-         <part id="sc-43_gdn" name="guidance">
-            <p>Information system components include hardware, software, or firmware components
-               (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers,
-               scanners, optical devices, wireless technologies, mobile devices).</p>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-         </part>
-         <part id="sc-43_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-43.a_obj" name="objective">
-               <prop name="label">SC-43(a)</prop>
-               <part id="sc-43.a_obj.1" name="objective">
-                  <prop name="label">SC-43(a)[1]</prop>
-                  <p>defines information system components for which usage restrictions and
-                     implementation guidance are to be established;</p>
-               </part>
-               <part id="sc-43.a_obj.2" name="objective">
-                  <prop name="label">SC-43(a)[2]</prop>
-                  <p>establishes, for organization-defined information system components:</p>
-                  <part id="sc-43.a_obj.2.a" name="objective">
-                     <prop name="label">SC-43(a)[2][a]</prop>
-                     <p>usage restrictions based on the potential to cause damage to the information
-                        system if used maliciously;</p>
-                  </part>
-                  <part id="sc-43.a_obj.2.b" name="objective">
-                     <prop name="label">SC-43(a)[2][b]</prop>
-                     <p>implementation guidance based on the potential to cause damage to the
-                        information system if used maliciously;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="sc-43.b_obj" name="objective">
-               <prop name="label">SC-43(b)</prop>
-               <part id="sc-43.b_obj.1" name="objective">
-                  <prop name="label">SC-43(b)[1]</prop>
-                  <p>authorizes the use of such components within the information system;</p>
-               </part>
-               <part id="sc-43.b_obj.2" name="objective">
-                  <prop name="label">SC-43(b)[2]</prop>
-                  <p>monitors the use of such components within the information system; and</p>
-               </part>
-               <part id="sc-43.b_obj.3" name="objective">
-                  <prop name="label">SC-43(b)[3]</prop>
-                  <p>controls the use of such components within the information system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing usage restrictions</p>
-               <p>usage restrictions</p>
-               <p>implementation policy and procedures</p>
-               <p>authorization records</p>
-               <p>information system monitoring records</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for authorizing, monitoring, and controlling use of
-                  components with usage restrictions</p>
-               <p>Automated mechanisms supporting and/or implementing authorizing, monitoring, and
-                  controlling use of components with usage restrictions</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-44">
-         <title>Detonation Chambers</title>
-         <param id="sc-44_prm_1">
-            <label>organization-defined information system, system component, or location</label>
-         </param>
-         <prop name="label">SC-44</prop>
-         <prop name="sort-id">sc-44</prop>
-         <part id="sc-44_smt" name="statement">
-            <p>The organization employs a detonation chamber capability within <insert param-id="sc-44_prm_1"/>.</p>
-         </part>
-         <part id="sc-44_gdn" name="guidance">
-            <p>Detonation chambers, also known as dynamic execution environments, allow
-               organizations to open email attachments, execute untrusted or suspicious
-               applications, and execute Universal Resource Locator (URL) requests in the safety of
-               an isolated environment or virtualized sandbox. These protected and isolated
-               execution environments provide a means of determining whether the associated
-               attachments/applications contain malicious code. While related to the concept of
-               deception nets, the control is not intended to maintain a long-term environment in
-               which adversaries can operate and their actions can be observed. Rather, it is
-               intended to quickly identify malicious code and reduce the likelihood that the code
-               is propagated to user environments of operation (or prevent such propagation
-               completely).</p>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-25">SC-25</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-30">SC-30</link>
-         </part>
-         <part id="sc-44_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="sc-44_obj.1" name="objective">
-               <prop name="label">SC-44[1]</prop>
-               <p>defines information system, system component, or location where a detonation
-                  chamber capability is to be employed; and</p>
-            </part>
-            <part id="sc-44_obj.2" name="objective">
-               <prop name="label">SC-44[2]</prop>
-               <p>employs a detonation chamber capability within organization-defined information
-                  system, system component, or location.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and communications protection policy</p>
-               <p>procedures addressing detonation chambers</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing detonation chamber
-                  capability</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="si">
-      <title>System and Information Integrity</title>
-      <control class="SP800-53" id="si-1">
-         <title>System and Information Integrity Policy and Procedures</title>
-         <param id="si-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-1_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="si-1_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-1</prop>
-         <prop name="sort-id">si-01</prop>
-         <link href="#5c201b63-0768-417b-ac22-3f014e3941b2" rel="reference">NIST Special Publication 800-12</link>
-         <link href="#9cb3d8fe-2127-48ba-821e-cdd2d7aee921" rel="reference">NIST Special Publication 800-100</link>
-         <part id="si-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops, documents, and disseminates to <insert param-id="si-1_prm_1"/>:</p>
-               <part id="si-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>A system and information integrity policy that addresses purpose, scope, roles,
-                     responsibilities, management commitment, coordination among organizational
-                     entities, and compliance; and</p>
-               </part>
-               <part id="si-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and information
-                     integrity policy and associated system and information integrity controls;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews and updates the current:</p>
-               <part id="si-1_smt.b.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>System and information integrity policy <insert param-id="si-1_prm_2"/>;
-                     and</p>
-               </part>
-               <part id="si-1_smt.b.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>System and information integrity procedures <insert param-id="si-1_prm_3"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part id="si-1_gdn" name="guidance">
-            <p>This control addresses the establishment of policy and procedures for the effective
-               implementation of selected security controls and control enhancements in the SI
-               family. Policy and procedures reflect applicable federal laws, Executive Orders,
-               directives, regulations, policies, standards, and guidance. Security program policies
-               and procedures at the organization level may make the need for system-specific
-               policies and procedures unnecessary. The policy can be included as part of the
-               general information security policy for organizations or conversely, can be
-               represented by multiple policies reflecting the complex nature of certain
-               organizations. The procedures can be established for the security program in general
-               and for particular information systems, if needed. The organizational risk management
-               strategy is a key factor in establishing policy and procedures.</p>
-            <link rel="related" href="#pm-9">PM-9</link>
-         </part>
-         <part id="si-1_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-1.a_obj" name="objective">
-               <prop name="label">SI-1(a)</prop>
-               <part id="si-1.a.1_obj" name="objective">
-                  <prop name="label">SI-1(a)(1)</prop>
-                  <part id="si-1.a.1_obj.1" name="objective">
-                     <prop name="label">SI-1(a)(1)[1]</prop>
-                     <p>develops and documents a system and information integrity policy that
-                        addresses:</p>
-                     <part id="si-1.a.1_obj.1.a" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][a]</prop>
-                        <p>purpose;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.b" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][b]</prop>
-                        <p>scope;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.c" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][c]</prop>
-                        <p>roles;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.d" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][d]</prop>
-                        <p>responsibilities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.e" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][e]</prop>
-                        <p>management commitment;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.f" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][f]</prop>
-                        <p>coordination among organizational entities;</p>
-                     </part>
-                     <part id="si-1.a.1_obj.1.g" name="objective">
-                        <prop name="label">SI-1(a)(1)[1][g]</prop>
-                        <p>compliance;</p>
-                     </part>
-                  </part>
-                  <part id="si-1.a.1_obj.2" name="objective">
-                     <prop name="label">SI-1(a)(1)[2]</prop>
-                     <p>defines personnel or roles to whom the system and information integrity
-                        policy is to be disseminated;</p>
-                  </part>
-                  <part id="si-1.a.1_obj.3" name="objective">
-                     <prop name="label">SI-1(a)(1)[3]</prop>
-                     <p>disseminates the system and information integrity policy to
-                        organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-               <part id="si-1.a.2_obj" name="objective">
-                  <prop name="label">SI-1(a)(2)</prop>
-                  <part id="si-1.a.2_obj.1" name="objective">
-                     <prop name="label">SI-1(a)(2)[1]</prop>
-                     <p>develops and documents procedures to facilitate the implementation of the
-                        system and information integrity policy and associated system and
-                        information integrity controls;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.2" name="objective">
-                     <prop name="label">SI-1(a)(2)[2]</prop>
-                     <p>defines personnel or roles to whom the procedures are to be
-                        disseminated;</p>
-                  </part>
-                  <part id="si-1.a.2_obj.3" name="objective">
-                     <prop name="label">SI-1(a)(2)[3]</prop>
-                     <p>disseminates the procedures to organization-defined personnel or roles;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-1.b_obj" name="objective">
-               <prop name="label">SI-1(b)</prop>
-               <part id="si-1.b.1_obj" name="objective">
-                  <prop name="label">SI-1(b)(1)</prop>
-                  <part id="si-1.b.1_obj.1" name="objective">
-                     <prop name="label">SI-1(b)(1)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity policy;</p>
-                  </part>
-                  <part id="si-1.b.1_obj.2" name="objective">
-                     <prop name="label">SI-1(b)(1)[2]</prop>
-                     <p>reviews and updates the current system and information integrity policy with
-                        the organization-defined frequency;</p>
-                  </part>
-               </part>
-               <part id="si-1.b.2_obj" name="objective">
-                  <prop name="label">SI-1(b)(2)</prop>
-                  <part id="si-1.b.2_obj.1" name="objective">
-                     <prop name="label">SI-1(b)(2)[1]</prop>
-                     <p>defines the frequency to review and update the current system and
-                        information integrity procedures; and</p>
-                  </part>
-                  <part id="si-1.b.2_obj.2" name="objective">
-                     <prop name="label">SI-1(b)(2)[2]</prop>
-                     <p>reviews and updates the current system and information integrity procedures
-                        with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy and procedures</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with system and information integrity
-                  responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-2">
-         <title>Flaw Remediation</title>
-         <param id="si-2_prm_1">
-            <label>organization-defined time period</label>
-         </param>
-         <prop name="label">SI-2</prop>
-         <prop name="sort-id">si-02</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <link href="#080f8068-5e3e-435e-9790-d22ba4722693" rel="reference">NIST Special Publication 800-128</link>
-         <part id="si-2_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-2_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Identifies, reports, and corrects information system flaws;</p>
-            </part>
-            <part id="si-2_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Tests software and firmware updates related to flaw remediation for effectiveness
-                  and potential side effects before installation;</p>
-            </part>
-            <part id="si-2_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Installs security-relevant software and firmware updates within <insert param-id="si-2_prm_1"/> of the release of the updates; and</p>
-            </part>
-            <part id="si-2_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part id="si-2_gdn" name="guidance">
-            <p>Organizations identify information systems affected by announced software flaws
-               including potential vulnerabilities resulting from those flaws, and report this
-               information to designated organizational personnel with information security
-               responsibilities. Security-relevant software updates include, for example, patches,
-               service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
-               discovered during security assessments, continuous monitoring, incident response
-               activities, and system error handling. Organizations take advantage of available
-               resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and
-               Exposures (CVE) databases in remediating flaws discovered in organizational
-               information systems. By incorporating flaw remediation into ongoing configuration
-               management processes, required/anticipated remediation actions can be tracked and
-               verified. Flaw remediation actions that can be tracked and verified include, for
-               example, determining whether organizations follow US-CERT guidance and Information
-               Assurance Vulnerability Alerts. Organization-defined time periods for updating
-               security-relevant software and firmware may vary based on a variety of factors
-               including, for example, the security category of the information system or the
-               criticality of the update (i.e., severity of the vulnerability related to the
-               discovered flaw). Some types of flaw remediation may require more testing than other
-               types. Organizations determine the degree and type of testing needed for the specific
-               type of flaw remediation activity under consideration and also the types of changes
-               that are to be configuration-managed. In some situations, organizations may determine
-               that the testing of software and/or firmware updates is not necessary or practical,
-               for example, when implementing simple anti-virus signature updates. Organizations may
-               also consider in testing decisions, whether security-relevant software or firmware
-               updates are obtained from authorized sources with appropriate digital signatures.</p>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-11">SI-11</link>
-         </part>
-         <part id="si-2_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-2.a_obj" name="objective">
-               <prop name="label">SI-2(a)</prop>
-               <part id="si-2.a_obj.1" name="objective">
-                  <prop name="label">SI-2(a)[1]</prop>
-                  <p>identifies information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.2" name="objective">
-                  <prop name="label">SI-2(a)[2]</prop>
-                  <p>reports information system flaws;</p>
-               </part>
-               <part id="si-2.a_obj.3" name="objective">
-                  <prop name="label">SI-2(a)[3]</prop>
-                  <p>corrects information system flaws;</p>
-               </part>
-            </part>
-            <part id="si-2.b_obj" name="objective">
-               <prop name="label">SI-2(b)</prop>
-               <part id="si-2.b_obj.1" name="objective">
-                  <prop name="label">SI-2(b)[1]</prop>
-                  <p>tests software updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-               <part id="si-2.b_obj.2" name="objective">
-                  <prop name="label">SI-2(b)[2]</prop>
-                  <p>tests firmware updates related to flaw remediation for effectiveness and
-                     potential side effects before installation;</p>
-               </part>
-            </part>
-            <part id="si-2.c_obj" name="objective">
-               <prop name="label">SI-2(c)</prop>
-               <part id="si-2.c_obj.1" name="objective">
-                  <prop name="label">SI-2(c)[1]</prop>
-                  <p>defines the time period within which to install security-relevant software
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.2" name="objective">
-                  <prop name="label">SI-2(c)[2]</prop>
-                  <p>defines the time period within which to install security-relevant firmware
-                     updates after the release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.3" name="objective">
-                  <prop name="label">SI-2(c)[3]</prop>
-                  <p>installs software updates within the organization-defined time period of the
-                     release of the updates;</p>
-               </part>
-               <part id="si-2.c_obj.4" name="objective">
-                  <prop name="label">SI-2(c)[4]</prop>
-                  <p>installs firmware updates within the organization-defined time period of the
-                     release of the updates; and</p>
-               </part>
-            </part>
-            <part id="si-2.d_obj" name="objective">
-               <prop name="label">SI-2(d)</prop>
-               <p>incorporates flaw remediation into the organizational configuration management
-                  process.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing flaw remediation</p>
-               <p>procedures addressing configuration management</p>
-               <p>list of flaws and vulnerabilities potentially affecting the information system</p>
-               <p>list of recent security flaw remediation actions performed on the information
-                  system (e.g., list of installed patches, service packs, hot fixes, and other
-                  software updates to correct information system flaws)</p>
-               <p>test results from the installation of software and firmware updates to correct
-                  information system flaws</p>
-               <p>installation/change control records for security-relevant software and firmware
-                  updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for flaw remediation</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for identifying, reporting, and correcting information
-                  system flaws</p>
-               <p>organizational process for installing software and firmware updates</p>
-               <p>automated mechanisms supporting and/or implementing reporting, and correcting
-                  information system flaws</p>
-               <p>automated mechanisms supporting and/or implementing testing software and firmware
-                  updates</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-2.1">
-            <title>Central Management</title>
-            <prop name="label">SI-2(1)</prop>
-            <prop name="sort-id">si-02.01</prop>
-            <part id="si-2.1_smt" name="statement">
-               <p>The organization centrally manages the flaw remediation process.</p>
-            </part>
-            <part id="si-2.1_gdn" name="guidance">
-               <p>Central management is the organization-wide management and implementation of flaw
-                  remediation processes. Central management includes planning, implementing,
-                  assessing, authorizing, and monitoring the organization-defined, centrally managed
-                  flaw remediation security controls.</p>
-            </part>
-            <part id="si-2.1_obj" name="objective">
-               <p>Determine if the organization centrally manages the flaw remediation process.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>automated mechanisms supporting centralized management of flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for central management of the flaw remediation
-                     process</p>
-                  <p>automated mechanisms supporting and/or implementing central management of the
-                     flaw remediation process</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.2">
-            <title>Automated Flaw Remediation Status</title>
-            <param id="si-2.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-2(2)</prop>
-            <prop name="sort-id">si-02.02</prop>
-            <part id="si-2.2_smt" name="statement">
-               <p>The organization employs automated mechanisms <insert param-id="si-2.2_prm_1"/> to
-                  determine the state of information system components with regard to flaw
-                  remediation.</p>
-            </part>
-            <part id="si-2.2_gdn" name="guidance">
-               <link rel="related" href="#cm-6">CM-6</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="si-2.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-2.2_obj.1" name="objective">
-                  <prop name="label">SI-2(2)[1]</prop>
-                  <p>defines a frequency to employ automated mechanisms to determine the state of
-                     information system components with regard to flaw remediation; and</p>
-               </part>
-               <part id="si-2.2_obj.2" name="objective">
-                  <prop name="label">SI-2(2)[2]</prop>
-                  <p>employs automated mechanisms with the organization-defined frequency to
-                     determine the state of information system components with regard to flaw
-                     remediation.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>automated mechanisms supporting centralized management of flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms used to determine the state of information system
-                     components with regard to flaw remediation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.3">
-            <title>Time to Remediate Flaws / Benchmarks for Corrective Actions</title>
-            <param id="si-2.3_prm_1">
-               <label>organization-defined benchmarks</label>
-            </param>
-            <prop name="label">SI-2(3)</prop>
-            <prop name="sort-id">si-02.03</prop>
-            <part id="si-2.3_smt" name="statement">
-               <p>The organization:</p>
-               <part id="si-2.3_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Measures the time between flaw identification and flaw remediation; and</p>
-               </part>
-               <part id="si-2.3_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Establishes <insert param-id="si-2.3_prm_1"/> for taking corrective
-                     actions.</p>
-               </part>
-            </part>
-            <part id="si-2.3_gdn" name="guidance">
-               <p>This control enhancement requires organizations to determine the current time it
-                  takes on the average to correct information system flaws after such flaws have
-                  been identified, and subsequently establish organizational benchmarks (i.e., time
-                  frames) for taking corrective actions. Benchmarks can be established by type of
-                  flaw and/or severity of the potential vulnerability if the flaw can be
-                  exploited.</p>
-            </part>
-            <part id="si-2.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-2.3.a_obj" name="objective">
-                  <prop name="label">SI-2(3)(a)</prop>
-                  <p>measures the time between flaw identification and flaw remediation;</p>
-                  <link rel="corresp" href="#si-2.3_smt.a">SI-2(3)(a)</link>
-               </part>
-               <part id="si-2.3.b_obj" name="objective">
-                  <prop name="label">SI-2(3)(b)</prop>
-                  <part id="si-2.3.b_obj.1" name="objective">
-                     <prop name="label">SI-2(3)(b)[1]</prop>
-                     <p>defines benchmarks for taking corrective actions; and</p>
-                  </part>
-                  <part id="si-2.3.b_obj.2" name="objective">
-                     <prop name="label">SI-2(3)(b)[2]</prop>
-                     <p>establishes organization-defined benchmarks for taking corrective
-                        actions.</p>
-                  </part>
-                  <link rel="corresp" href="#si-2.3_smt.b">SI-2(3)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of benchmarks for taking corrective action on flaws identified</p>
-                  <p>records providing time stamps of flaw identification and subsequent flaw
-                     remediation activities</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for identifying, reporting, and correcting information
-                     system flaws</p>
-                  <p>automated mechanisms used to measure the time between flaw identification and
-                     flaw remediation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.4">
-            <title>Automated Patch Management Tools</title>
-            <prop name="label">SI-2(4)</prop>
-            <prop name="sort-id">si-02.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-2">SI-2</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.5">
-            <title>Automatic Software / Firmware Updates</title>
-            <param id="si-2.5_prm_1">
-               <label>organization-defined security-relevant software and firmware updates</label>
-            </param>
-            <param id="si-2.5_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SI-2(5)</prop>
-            <prop name="sort-id">si-02.05</prop>
-            <part id="si-2.5_smt" name="statement">
-               <p>The organization installs <insert param-id="si-2.5_prm_1"/> automatically to
-                     <insert param-id="si-2.5_prm_2"/>.</p>
-            </part>
-            <part id="si-2.5_gdn" name="guidance">
-               <p>Due to information system integrity and availability concerns, organizations give
-                  careful consideration to the methodology used to carry out automatic updates.
-                  Organizations must balance the need to ensure that the updates are installed as
-                  soon as possible with the need to maintain configuration management and with any
-                  mission or operational impacts that automatic updates might impose.</p>
-            </part>
-            <part id="si-2.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-2.5_obj.1" name="objective">
-                  <prop name="label">SI-2(5)[1]</prop>
-                  <part id="si-2.5_obj.1.a" name="objective">
-                     <prop name="label">SI-2(5)[1][a]</prop>
-                     <p>defines information system components requiring security-relevant software
-                        updates to be automatically installed;</p>
-                  </part>
-                  <part id="si-2.5_obj.1.b" name="objective">
-                     <prop name="label">SI-2(5)[1][b]</prop>
-                     <p>defines information system components requiring security-relevant firmware
-                        updates to be automatically installed;</p>
-                  </part>
-               </part>
-               <part id="si-2.5_obj.2" name="objective">
-                  <prop name="label">SI-2(5)[2]</prop>
-                  <part id="si-2.5_obj.2.a" name="objective">
-                     <prop name="label">SI-2(5)[2][a]</prop>
-                     <p>defines security-relevant software updates to be automatically installed to
-                        organization-defined information system components;</p>
-                  </part>
-                  <part id="si-2.5_obj.2.b" name="objective">
-                     <prop name="label">SI-2(5)[2][b]</prop>
-                     <p>defines security-relevant firmware updates to be automatically installed to
-                        organization-defined information system components;</p>
-                  </part>
-               </part>
-               <part id="si-2.5_obj.3" name="objective">
-                  <prop name="label">SI-2(5)[3]</prop>
-                  <part id="si-2.5_obj.3.a" name="objective">
-                     <prop name="label">SI-2(5)[3][a]</prop>
-                     <p>installs organization-defined security-relevant software updates
-                        automatically to organization-defined information system components; and</p>
-                  </part>
-                  <part id="si-2.5_obj.3.b" name="objective">
-                     <prop name="label">SI-2(5)[3][b]</prop>
-                     <p>installs organization-defined security-relevant firmware updates
-                        automatically to organization-defined information system components.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>automated mechanisms supporting flaw remediation and automatic
-                     software/firmware updates</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of recent security-relevant software and firmware updates automatically
-                     installed to information system components</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms implementing automatic software/firmware updates</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.6">
-            <title>Removal of Previous Versions of Software / Firmware</title>
-            <param id="si-2.6_prm_1">
-               <label>organization-defined software and firmware components</label>
-            </param>
-            <prop name="label">SI-2(6)</prop>
-            <prop name="sort-id">si-02.06</prop>
-            <part id="si-2.6_smt" name="statement">
-               <p>The organization removes <insert param-id="si-2.6_prm_1"/> after updated versions
-                  have been installed.</p>
-            </part>
-            <part id="si-2.6_gdn" name="guidance">
-               <p>Previous versions of software and/or firmware components that are not removed from
-                  the information system after updates have been installed may be exploited by
-                  adversaries. Some information technology products may remove older versions of
-                  software and/or firmware automatically from the information system.</p>
-            </part>
-            <part id="si-2.6_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-2.6_obj.1" name="objective">
-                  <prop name="label">SI-2(6)[1]</prop>
-                  <part id="si-2.6_obj.1.a" name="objective">
-                     <prop name="label">SI-2(6)[1][a]</prop>
-                     <p>defines software components to be removed after updated versions have been
-                        installed;</p>
-                  </part>
-                  <part id="si-2.6_obj.1.b" name="objective">
-                     <prop name="label">SI-2(6)[1][b]</prop>
-                     <p>defines firmware components to be removed after updated versions have been
-                        installed;</p>
-                  </part>
-               </part>
-               <part id="si-2.6_obj.2" name="objective">
-                  <prop name="label">SI-2(6)[2]</prop>
-                  <part id="si-2.6_obj.2.a" name="objective">
-                     <prop name="label">SI-2(6)[2][a]</prop>
-                     <p>removes organization-defined software components after updated versions have
-                        been installed; and</p>
-                  </part>
-                  <part id="si-2.6_obj.2.b" name="objective">
-                     <prop name="label">SI-2(6)[2][b]</prop>
-                     <p>removes organization-defined firmware components after updated versions have
-                        been installed.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>automated mechanisms supporting flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of software and firmware component removals after updated versions are
-                     installed</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for flaw remediation</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing removal of previous
-                     versions of software/firmware</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-3">
-         <title>Malicious Code Protection</title>
-         <param id="si-3_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="si-3_prm_2">
-            <select how-many="one or more">
-               <choice>endpoint</choice>
-               <choice>network entry/exit points</choice>
-            </select>
-         </param>
-         <param id="si-3_prm_3">
-            <select how-many="one or more">
-               <choice>block malicious code</choice>
-               <choice>quarantine malicious code</choice>
-               <choice>send alert to administrator</choice>
-               <choice>
-                  <insert param-id="si-3_prm_4"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-3_prm_4" depends-on="si-3_prm_3">
-            <label>organization-defined action</label>
-         </param>
-         <prop name="label">SI-3</prop>
-         <prop name="sort-id">si-03</prop>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <part id="si-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs malicious code protection mechanisms at information system entry and exit
-                  points to detect and eradicate malicious code;</p>
-            </part>
-            <part id="si-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and
-                  procedures;</p>
-            </part>
-            <part id="si-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Configures malicious code protection mechanisms to:</p>
-               <part id="si-3_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Perform periodic scans of the information system <insert param-id="si-3_prm_1"/> and real-time scans of files from external sources at <insert param-id="si-3_prm_2"/> as the files are downloaded, opened, or executed in
-                     accordance with organizational security policy; and</p>
-               </part>
-               <part id="si-3_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>
-                     <insert param-id="si-3_prm_3"/> in response to malicious code detection;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-3_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Addresses the receipt of false positives during malicious code detection and
-                  eradication and the resulting potential impact on the availability of the
-                  information system.</p>
-            </part>
-         </part>
-         <part id="si-3_gdn" name="guidance">
-            <p>Information system entry and exit points include, for example, firewalls, electronic
-               mail servers, web servers, proxy servers, remote-access servers, workstations,
-               notebook computers, and mobile devices. Malicious code includes, for example,
-               viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in
-               various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden
-               files, or hidden in files using steganography. Malicious code can be transported by
-               different means including, for example, web accesses, electronic mail, electronic
-               mail attachments, and portable storage devices. Malicious code insertions occur
-               through the exploitation of information system vulnerabilities. Malicious code
-               protection mechanisms include, for example, anti-virus signature definitions and
-               reputation-based technologies. A variety of technologies and methods exist to limit
-               or eliminate the effects of malicious code. Pervasive configuration management and
-               comprehensive software integrity controls may be effective in preventing execution of
-               unauthorized code. In addition to commercial off-the-shelf software, malicious code
-               may also be present in custom-built software. This could include, for example, logic
-               bombs, back doors, and other types of cyber attacks that could affect organizational
-               missions/business functions. Traditional malicious code protection mechanisms cannot
-               always detect such code. In these situations, organizations rely instead on other
-               safeguards including, for example, secure coding practices, configuration management
-               and control, trusted procurement processes, and monitoring practices to help ensure
-               that software does not perform functions other than the functions intended.
-               Organizations may determine that in response to the detection of malicious code,
-               different actions may be warranted. For example, organizations can define actions in
-               response to malicious code detection during periodic scans, actions in response to
-               detection of malicious downloads, and/or actions in response to detection of
-               maliciousness when attempting to open or execute files.</p>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sa-13">SA-13</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-3_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-3.a_obj" name="objective">
-               <prop name="label">SI-3(a)</prop>
-               <p>employs malicious code protection mechanisms to detect and eradicate malicious
-                  code at information system:</p>
-               <part id="si-3.a_obj.1" name="objective">
-                  <prop name="label">SI-3(a)[1]</prop>
-                  <p>entry points;</p>
-               </part>
-               <part id="si-3.a_obj.2" name="objective">
-                  <prop name="label">SI-3(a)[2]</prop>
-                  <p>exit points;</p>
-               </part>
-            </part>
-            <part id="si-3.b_obj" name="objective">
-               <prop name="label">SI-3(b)</prop>
-               <p>updates malicious code protection mechanisms whenever new releases are available
-                  in accordance with organizational configuration management policy and procedures
-                  (as identified in CM-1);</p>
-            </part>
-            <part id="si-3.c_obj" name="objective">
-               <prop name="label">SI-3(c)</prop>
-               <part id="si-3.c_obj.1" name="objective">
-                  <prop name="label">SI-3(c)[1]</prop>
-                  <p>defines a frequency for malicious code protection mechanisms to perform
-                     periodic scans of the information system;</p>
-               </part>
-               <part id="si-3.c_obj.2" name="objective">
-                  <prop name="label">SI-3(c)[2]</prop>
-                  <p>defines action to be initiated by malicious protection mechanisms in response
-                     to malicious code detection;</p>
-               </part>
-               <part id="si-3.c_obj.3" name="objective">
-                  <prop name="label">SI-3(c)[3]</prop>
-                  <part id="si-3.c.1_obj.3" name="objective">
-                     <prop name="label">SI-3(c)[3](1)</prop>
-                     <p>configures malicious code protection mechanisms to:</p>
-                     <part id="si-3.c.1_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[a]</prop>
-                        <p>perform periodic scans of the information system with the
-                           organization-defined frequency;</p>
-                     </part>
-                     <part id="si-3.c.1_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](1)[b]</prop>
-                        <p>perform real-time scans of files from external sources at endpoint and/or
-                           network entry/exit points as the files are downloaded, opened, or
-                           executed in accordance with organizational security policy;</p>
-                     </part>
-                  </part>
-                  <part id="si-3.c.2_obj.3" name="objective">
-                     <prop name="label">SI-3(c)[3](2)</prop>
-                     <p>configures malicious code protection mechanisms to do one or more of the
-                        following:</p>
-                     <part id="si-3.c.2_obj.3.a" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[a]</prop>
-                        <p>block malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.b" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[b]</prop>
-                        <p>quarantine malicious code in response to malicious code detection;</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.c" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[c]</prop>
-                        <p>send alert to administrator in response to malicious code detection;
-                           and/or</p>
-                     </part>
-                     <part id="si-3.c.2_obj.3.d" name="objective">
-                        <prop name="label">SI-3(c)[3](2)[d]</prop>
-                        <p>initiate organization-defined action in response to malicious code
-                           detection;</p>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part id="si-3.d_obj" name="objective">
-               <prop name="label">SI-3(d)</prop>
-               <part id="si-3.d_obj.1" name="objective">
-                  <prop name="label">SI-3(d)[1]</prop>
-                  <p>addresses the receipt of false positives during malicious code detection and
-                     eradication; and</p>
-               </part>
-               <part id="si-3.d_obj.2" name="objective">
-                  <prop name="label">SI-3(d)[2]</prop>
-                  <p>addresses the resulting potential impact on the availability of the information
-                     system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>configuration management policy and procedures</p>
-               <p>procedures addressing malicious code protection</p>
-               <p>malicious code protection mechanisms</p>
-               <p>records of malicious code protection updates</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>scan results from malicious code protection mechanisms</p>
-               <p>record of actions initiated by malicious code protection mechanisms in response to
-                  malicious code detection</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility for malicious code protection</p>
-               <p>organizational personnel with configuration management responsibility</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for employing, updating, and configuring malicious code
-                  protection mechanisms</p>
-               <p>organizational process for addressing false positives and resulting potential
-                  impact</p>
-               <p>automated mechanisms supporting and/or implementing employing, updating, and
-                  configuring malicious code protection mechanisms</p>
-               <p>automated mechanisms supporting and/or implementing malicious code scanning and
-                  subsequent actions</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-3.1">
-            <title>Central Management</title>
-            <prop name="label">SI-3(1)</prop>
-            <prop name="sort-id">si-03.01</prop>
-            <part id="si-3.1_smt" name="statement">
-               <p>The organization centrally manages malicious code protection mechanisms.</p>
-            </part>
-            <part id="si-3.1_gdn" name="guidance">
-               <p>Central management is the organization-wide management and implementation of
-                  malicious code protection mechanisms. Central management includes planning,
-                  implementing, assessing, authorizing, and monitoring the organization-defined,
-                  centrally managed flaw malicious code protection security controls.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#si-8">SI-8</link>
-            </part>
-            <part id="si-3.1_obj" name="objective">
-               <p>Determine if the organization centrally manages malicious code protection
-                  mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>automated mechanisms supporting centralized management of malicious code
-                     protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for central management of malicious code protection
-                     mechanisms</p>
-                  <p>automated mechanisms supporting and/or implementing central management of
-                     malicious code protection mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.2">
-            <title>Automatic Updates</title>
-            <prop name="label">SI-3(2)</prop>
-            <prop name="sort-id">si-03.02</prop>
-            <part id="si-3.2_smt" name="statement">
-               <p>The information system automatically updates malicious code protection
-                  mechanisms.</p>
-            </part>
-            <part id="si-3.2_gdn" name="guidance">
-               <p>Malicious code protection mechanisms include, for example, signature definitions.
-                  Due to information system integrity and availability concerns, organizations give
-                  careful consideration to the methodology used to carry out automatic updates.</p>
-               <link rel="related" href="#si-8">SI-8</link>
-            </part>
-            <part id="si-3.2_obj" name="objective">
-               <p>Determine if the information system automatically updates malicious code
-                  protection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>automated mechanisms supporting centralized management of malicious code
-                     protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing automatic updates to
-                     malicious code protection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.3">
-            <title>Non-privileged Users</title>
-            <prop name="label">SI-3(3)</prop>
-            <prop name="sort-id">si-03.03</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-6.10">AC-6 (10)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.4">
-            <title>Updates Only by Privileged Users</title>
-            <prop name="label">SI-3(4)</prop>
-            <prop name="sort-id">si-03.04</prop>
-            <part id="si-3.4_smt" name="statement">
-               <p>The information system updates malicious code protection mechanisms only when
-                  directed by a privileged user.</p>
-            </part>
-            <part id="si-3.4_gdn" name="guidance">
-               <p>This control enhancement may be appropriate for situations where for reasons of
-                  security or operational continuity, updates are only applied when
-                  selected/approved by designated organizational personnel.</p>
-               <link rel="related" href="#ac-6">AC-6</link>
-               <link rel="related" href="#cm-5">CM-5</link>
-            </part>
-            <part id="si-3.4_obj" name="objective">
-               <p>Determine if the information system updates malicious code protection mechanisms
-                  only when directed by a privileged user.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>information system design documentation</p>
-                  <p>malicious code protection mechanisms</p>
-                  <p>records of malicious code protection updates</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing malicious code protection
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.5">
-            <title>Portable Storage Devices</title>
-            <prop name="label">SI-3(5)</prop>
-            <prop name="sort-id">si-03.05</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.6">
-            <title>Testing / Verification</title>
-            <param id="si-3.6_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-3(6)</prop>
-            <prop name="sort-id">si-03.06</prop>
-            <part id="si-3.6_smt" name="statement">
-               <p>The organization:</p>
-               <part id="si-3.6_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Tests malicious code protection mechanisms <insert param-id="si-3.6_prm_1"/> by
-                     introducing a known benign, non-spreading test case into the information
-                     system; and</p>
-               </part>
-               <part id="si-3.6_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Verifies that both detection of the test case and associated incident reporting
-                     occur.</p>
-               </part>
-            </part>
-            <part id="si-3.6_gdn" name="guidance">
-               <link rel="related" href="#ca-2">CA-2</link>
-               <link rel="related" href="#ca-7">CA-7</link>
-               <link rel="related" href="#ra-5">RA-5</link>
-            </part>
-            <part id="si-3.6_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-3.6.a_obj" name="objective">
-                  <prop name="label">SI-3(6)(a)</prop>
-                  <part id="si-3.6.a_obj.1" name="objective">
-                     <prop name="label">SI-3(6)(a)[1]</prop>
-                     <p>defines a frequency to test malicious code protection mechanisms;</p>
-                  </part>
-                  <part id="si-3.6.a_obj.2" name="objective">
-                     <prop name="label">SI-3(6)(a)[2]</prop>
-                     <p>tests malicious code protection mechanisms with the organization-defined
-                        frequency by introducing a known benign, non-spreading test case into the
-                        information system;</p>
-                  </part>
-                  <link rel="corresp" href="#si-3.6_smt.a">SI-3(6)(a)</link>
-               </part>
-               <part id="si-3.6.b_obj" name="objective">
-                  <prop name="label">SI-3(6)(b)</prop>
-                  <part id="si-3.6.b_obj.1" name="objective">
-                     <prop name="label">SI-3(6)(b)[1]</prop>
-                     <p>verifies that detection of the test case occurs; and</p>
-                  </part>
-                  <part id="si-3.6.b_obj.2" name="objective">
-                     <prop name="label">SI-3(6)(b)[2]</prop>
-                     <p>verifies that associated incident reporting occurs.</p>
-                  </part>
-                  <link rel="corresp" href="#si-3.6_smt.b">SI-3(6)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>test cases</p>
-                  <p>records providing evidence of test cases executed on malicious code protection
-                     mechanisms</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing testing and verification of
-                     malicious code protection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.7">
-            <title>Nonsignature-based Detection</title>
-            <prop name="label">SI-3(7)</prop>
-            <prop name="sort-id">si-03.07</prop>
-            <part id="si-3.7_smt" name="statement">
-               <p>The information system implements nonsignature-based malicious code detection
-                  mechanisms.</p>
-            </part>
-            <part id="si-3.7_gdn" name="guidance">
-               <p>Nonsignature-based detection mechanisms include, for example, the use of
-                  heuristics to detect, analyze, and describe the characteristics or behavior of
-                  malicious code and to provide safeguards against malicious code for which
-                  signatures do not yet exist or for which existing signatures may not be effective.
-                  This includes polymorphic malicious code (i.e., code that changes signatures when
-                  it replicates). This control enhancement does not preclude the use of
-                  signature-based detection mechanisms.</p>
-            </part>
-            <part id="si-3.7_obj" name="objective">
-               <p>Determine if the information system implements non signature-based malicious code
-                  detection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>information system design documentation</p>
-                  <p>malicious code protection mechanisms</p>
-                  <p>records of malicious code protection updates</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing nonsignature-based
-                     malicious code protection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.8">
-            <title>Detect Unauthorized Commands</title>
-            <param id="si-3.8_prm_1">
-               <label>organization-defined unauthorized operating system commands</label>
-            </param>
-            <param id="si-3.8_prm_2">
-               <label>organization-defined information system hardware components</label>
-            </param>
-            <param id="si-3.8_prm_3">
-               <select how-many="one or more">
-                  <choice>issues a warning</choice>
-                  <choice>audits the command execution</choice>
-                  <choice>prevents the execution of the command</choice>
-               </select>
-            </param>
-            <prop name="label">SI-3(8)</prop>
-            <prop name="sort-id">si-03.08</prop>
-            <part id="si-3.8_smt" name="statement">
-               <p>The information system detects <insert param-id="si-3.8_prm_1"/> through the
-                  kernel application programming interface at <insert param-id="si-3.8_prm_2"/> and
-                     <insert param-id="si-3.8_prm_3"/>.</p>
-            </part>
-            <part id="si-3.8_gdn" name="guidance">
-               <p>This control enhancement can also be applied to critical interfaces other than
-                  kernel-based interfaces, including for example, interfaces with virtual machines
-                  and privileged applications. Unauthorized operating system commands include, for
-                  example, commands for kernel functions from information system processes that are
-                  not trusted to initiate such commands, or commands for kernel functions that are
-                  suspicious even though commands of that type are reasonable for processes to
-                  initiate. Organizations can define the malicious commands to be detected by a
-                  combination of command types, command classes, or specific instances of commands.
-                  Organizations can define hardware components by specific component, component
-                  type, location in the network, or combination therein. Organizations may select
-                  different actions for different types/classes/specific instances of potentially
-                  malicious commands.</p>
-               <link rel="related" href="#au-6">AU-6</link>
-            </part>
-            <part id="si-3.8_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-3.8_obj.1" name="objective">
-                  <prop name="label">SI-3(8)[1]</prop>
-                  <p>the organization defines unauthorized operating system commands to be detected
-                     by the information system;</p>
-               </part>
-               <part id="si-3.8_obj.2" name="objective">
-                  <prop name="label">SI-3(8)[2]</prop>
-                  <p>the organization defines information system hardware components for which
-                     organization-defined unauthorized operating system commands are to be detected
-                     through the kernel application programming interface;</p>
-               </part>
-               <part id="si-3.8_obj.3" name="objective">
-                  <prop name="label">SI-3(8)[3]</prop>
-                  <p>the information system detects organization-defined unauthorized operating
-                     system commands through the kernel application programming interface at
-                     organization-defined information system hardware components, and does one or
-                     more of the following:</p>
-                  <part id="si-3.8_obj.3.a" name="objective">
-                     <prop name="label">SI-3(8)[3][a]</prop>
-                     <p>issues a warning;</p>
-                  </part>
-                  <part id="si-3.8_obj.3.b" name="objective">
-                     <prop name="label">SI-3(8)[3][b]</prop>
-                     <p>audits the command execution; and/or</p>
-                  </part>
-                  <part id="si-3.8_obj.3.c" name="objective">
-                     <prop name="label">SI-3(8)[3][c]</prop>
-                     <p>prevents the execution of the command.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>information system design documentation</p>
-                  <p>malicious code protection mechanisms</p>
-                  <p>warning messages sent upon detection of unauthorized operating system command
-                     execution</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing malicious code protection
-                     capability</p>
-                  <p>automated mechanisms supporting and/or implementing detection of unauthorized
-                     operating system commands through the kernel application programming
-                     interface</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.9">
-            <title>Authenticate Remote Commands</title>
-            <param id="si-3.9_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="si-3.9_prm_2">
-               <label>organization-defined remote commands</label>
-            </param>
-            <prop name="label">SI-3(9)</prop>
-            <prop name="sort-id">si-03.09</prop>
-            <part id="si-3.9_smt" name="statement">
-               <p>The information system implements <insert param-id="si-3.9_prm_1"/> to
-                  authenticate <insert param-id="si-3.9_prm_2"/>.</p>
-            </part>
-            <part id="si-3.9_gdn" name="guidance">
-               <p>This control enhancement protects against unauthorized commands and replay of
-                  authorized commands. This capability is important for those remote information
-                  systems whose loss, malfunction, misdirection, or exploitation would have
-                  immediate and/or serious consequences (e.g., injury or death, property damage,
-                  loss of high-valued assets or sensitive information, or failure of important
-                  missions/business functions). Authentication safeguards for remote commands help
-                  to ensure that information systems accept and execute in the order intended, only
-                  authorized commands, and that unauthorized commands are rejected. Cryptographic
-                  mechanisms can be employed, for example, to authenticate remote commands.</p>
-               <link rel="related" href="#sc-12">SC-12</link>
-               <link rel="related" href="#sc-13">SC-13</link>
-               <link rel="related" href="#sc-23">SC-23</link>
-            </part>
-            <part id="si-3.9_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-3.9_obj.1" name="objective">
-                  <prop name="label">SI-3(9)[1]</prop>
-                  <p>the organization defines security safeguards to be implemented by the
-                     information system to authenticate organization-defined remote commands;</p>
-               </part>
-               <part id="si-3.9_obj.2" name="objective">
-                  <prop name="label">SI-3(9)[2]</prop>
-                  <p>the organization defines remote commands to be authenticated by
-                     organization-defined security safeguards; and</p>
-               </part>
-               <part id="si-3.9_obj.3" name="objective">
-                  <prop name="label">SI-3(9)[3]</prop>
-                  <p>the information system implements organization-defined security safeguards to
-                     authenticate organization-defined remote commands.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>information system design documentation</p>
-                  <p>malicious code protection mechanisms</p>
-                  <p>warning messages sent upon detection of unauthorized operating system command
-                     execution</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing malicious code protection
-                     capability</p>
-                  <p>automated mechanisms implementing authentication of remote commands</p>
-                  <p>automated mechanisms supporting and/or implementing security safeguards to
-                     authenticate remote commands</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.10">
-            <title>Malicious Code Analysis</title>
-            <param id="si-3.10_prm_1">
-               <label>organization-defined tools and techniques</label>
-            </param>
-            <prop name="label">SI-3(10)</prop>
-            <prop name="sort-id">si-03.10</prop>
-            <part id="si-3.10_smt" name="statement">
-               <p>The organization:</p>
-               <part id="si-3.10_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Employs <insert param-id="si-3.10_prm_1"/> to analyze the characteristics and
-                     behavior of malicious code; and</p>
-               </part>
-               <part id="si-3.10_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Incorporates the results from malicious code analysis into organizational
-                     incident response and flaw remediation processes.</p>
-               </part>
-            </part>
-            <part id="si-3.10_gdn" name="guidance">
-               <p>The application of selected malicious code analysis tools and techniques provides
-                  organizations with a more in-depth understanding of adversary tradecraft (i.e.,
-                  tactics, techniques, and procedures) and the functionality and purpose of specific
-                  instances of malicious code. Understanding the characteristics of malicious code
-                  facilitates more effective organizational responses to current and future threats.
-                  Organizations can conduct malicious code analyses by using reverse engineering
-                  techniques or by monitoring the behavior of executing code.</p>
-            </part>
-            <part id="si-3.10_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-3.10.a_obj" name="objective">
-                  <prop name="label">SI-3(10)(a)</prop>
-                  <part id="si-3.10.a_obj.1" name="objective">
-                     <prop name="label">SI-3(10)(a)[1]</prop>
-                     <p>defines tools and techniques to be employed to analyze the characteristics
-                        and behavior of malicious code;</p>
-                  </part>
-                  <part id="si-3.10.a_obj.2" name="objective">
-                     <prop name="label">SI-3(10)(a)[2]</prop>
-                     <p>employs organization-defined tools and techniques to analyze the
-                        characteristics and behavior of malicious code; and</p>
-                  </part>
-                  <link rel="corresp" href="#si-3.10_smt.a">SI-3(10)(a)</link>
-               </part>
-               <part id="si-3.10.b_obj" name="objective">
-                  <prop name="label">SI-3(10)(b)</prop>
-                  <p>incorporates the results from malicious code analysis into incident response
-                     and flaw remediate processes.</p>
-                  <link rel="corresp" href="#si-3.10_smt.b">SI-3(10)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing malicious code protection</p>
-                  <p>procedures addressing incident response</p>
-                  <p>procedures addressing flaw remediation</p>
-                  <p>information system design documentation</p>
-                  <p>malicious code protection mechanisms, tools, and techniques</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>results from malicious code analyses</p>
-                  <p>records of flaw remediation events resulting from malicious code analyses</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for malicious code protection</p>
-                  <p>organizational personnel responsible for flaw remediation</p>
-                  <p>organizational personnel responsible for incident response/management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational process for incident response</p>
-                  <p>organizational process for flaw remediation</p>
-                  <p>automated mechanisms supporting and/or implementing malicious code protection
-                     capability</p>
-                  <p>tools and techniques for analysis of malicious code characteristics and
-                     behavior</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-4">
-         <title>Information System Monitoring</title>
-         <param id="si-4_prm_1">
-            <label>organization-defined monitoring objectives</label>
-         </param>
-         <param id="si-4_prm_2">
-            <label>organization-defined techniques and methods</label>
-         </param>
-         <param id="si-4_prm_3">
-            <label>organization-defined information system monitoring information</label>
-         </param>
-         <param id="si-4_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-4_prm_5">
-            <select how-many="one or more">
-               <choice>as needed</choice>
-               <choice>
-                  <insert param-id="si-4_prm_6"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-4_prm_6" depends-on="si-4_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-4</prop>
-         <prop name="sort-id">si-04</prop>
-         <link href="#be95fb85-a53f-4624-bdbb-140075500aa3" rel="reference">NIST Special Publication 800-61</link>
-         <link href="#6d431fee-658f-4a0e-9f2e-a38b5d398fab" rel="reference">NIST Special Publication 800-83</link>
-         <link href="#672fd561-b92b-4713-b9cf-6c9d9456728b" rel="reference">NIST Special Publication 800-92</link>
-         <link href="#d1b1d689-0f66-4474-9924-c81119758dc1" rel="reference">NIST Special Publication 800-94</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="si-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Monitors the information system to detect:</p>
-               <part id="si-4_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Attacks and indicators of potential attacks in accordance with <insert param-id="si-4_prm_1"/>; and</p>
-               </part>
-               <part id="si-4_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Unauthorized local, network, and remote connections;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Identifies unauthorized use of the information system through <insert param-id="si-4_prm_2"/>;</p>
-            </part>
-            <part id="si-4_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Deploys monitoring devices:</p>
-               <part id="si-4_smt.c.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Strategically within the information system to collect organization-determined
-                     essential information; and</p>
-               </part>
-               <part id="si-4_smt.c.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>At ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects information obtained from intrusion-monitoring tools from unauthorized
-                  access, modification, and deletion;</p>
-            </part>
-            <part id="si-4_smt.e" name="item">
-               <prop name="label">e.</prop>
-               <p>Heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4_smt.f" name="item">
-               <prop name="label">f.</prop>
-               <p>Obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations; and</p>
-            </part>
-            <part id="si-4_smt.g" name="item">
-               <prop name="label">g.</prop>
-               <p>Provides <insert param-id="si-4_prm_3"/> to <insert param-id="si-4_prm_4"/>
-                  <insert param-id="si-4_prm_5"/>.</p>
-            </part>
-         </part>
-         <part id="si-4_gdn" name="guidance">
-            <p>Information system monitoring includes external and internal monitoring. External
-               monitoring includes the observation of events occurring at the information system
-               boundary (i.e., part of perimeter defense and boundary protection). Internal
-               monitoring includes the observation of events occurring within the information
-               system. Organizations can monitor information systems, for example, by observing
-               audit activities in real time or by observing other system aspects such as access
-               patterns, characteristics of access, and other actions. The monitoring objectives may
-               guide determination of the events. Information system monitoring capability is
-               achieved through a variety of tools and techniques (e.g., intrusion detection
-               systems, intrusion prevention systems, malicious code protection software, scanning
-               tools, audit record monitoring software, network monitoring software). Strategic
-               locations for monitoring devices include, for example, selected perimeter locations
-               and near server farms supporting critical applications, with such devices typically
-               being employed at the managed interfaces associated with controls SC-7 and AC-17.
-               Einstein network monitoring devices from the Department of Homeland Security can also
-               be included as monitoring devices. The granularity of monitoring information
-               collected is based on organizational monitoring objectives and the capability of
-               information systems to support such objectives. Specific types of transactions of
-               interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that
-               bypasses HTTP proxies. Information system monitoring is an integral part of
-               organizational continuous monitoring and incident response programs. Output from
-               system monitoring serves as input to continuous monitoring and incident response
-               programs. A network connection is any connection with a device that communicates
-               through a network (e.g., local area network, Internet). A remote connection is any
-               connection with a device communicating through an external network (e.g., the
-               Internet). Local, network, and remote connections can be either wired or
-               wireless.</p>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-8">AC-8</link>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <link rel="related" href="#sc-35">SC-35</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-         </part>
-         <part id="si-4_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-4.a_obj" name="objective">
-               <prop name="label">SI-4(a)</prop>
-               <part id="si-4.a.1_obj" name="objective">
-                  <prop name="label">SI-4(a)(1)</prop>
-                  <part id="si-4.a.1_obj.1" name="objective">
-                     <prop name="label">SI-4(a)(1)[1]</prop>
-                     <p>defines monitoring objectives to detect attacks and indicators of potential
-                        attacks on the information system;</p>
-                  </part>
-                  <part id="si-4.a.1_obj.2" name="objective">
-                     <prop name="label">SI-4(a)(1)[2]</prop>
-                     <p>monitors the information system to detect, in accordance with
-                        organization-defined monitoring objectives,:</p>
-                     <part id="si-4.a.1_obj.2.a" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][a]</prop>
-                        <p>attacks;</p>
-                     </part>
-                     <part id="si-4.a.1_obj.2.b" name="objective">
-                        <prop name="label">SI-4(a)(1)[2][b]</prop>
-                        <p>indicators of potential attacks;</p>
-                     </part>
-                  </part>
-               </part>
-               <part id="si-4.a.2_obj" name="objective">
-                  <prop name="label">SI-4(a)(2)</prop>
-                  <p>monitors the information system to detect unauthorized:</p>
-                  <part id="si-4.a.2_obj.1" name="objective">
-                     <prop name="label">SI-4(a)(2)[1]</prop>
-                     <p>local connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.2" name="objective">
-                     <prop name="label">SI-4(a)(2)[2]</prop>
-                     <p>network connections;</p>
-                  </part>
-                  <part id="si-4.a.2_obj.3" name="objective">
-                     <prop name="label">SI-4(a)(2)[3]</prop>
-                     <p>remote connections;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-4.b_obj" name="objective">
-               <prop name="label">SI-4(b)</prop>
-               <part id="si-4.b.1_obj" name="objective">
-                  <prop name="label">SI-4(b)(1)</prop>
-                  <p>defines techniques and methods to identify unauthorized use of the information
-                     system;</p>
-               </part>
-               <part id="si-4.b.2_obj" name="objective">
-                  <prop name="label">SI-4(b)(2)</prop>
-                  <p>identifies unauthorized use of the information system through
-                     organization-defined techniques and methods;</p>
-               </part>
-            </part>
-            <part id="si-4.c_obj" name="objective">
-               <prop name="label">SI-4(c)</prop>
-               <p>deploys monitoring devices:</p>
-               <part id="si-4.c_obj.1" name="objective">
-                  <prop name="label">SI-4(c)[1]</prop>
-                  <p>strategically within the information system to collect organization-determined
-                     essential information;</p>
-               </part>
-               <part id="si-4.c_obj.2" name="objective">
-                  <prop name="label">SI-4(c)[2]</prop>
-                  <p>at ad hoc locations within the system to track specific types of transactions
-                     of interest to the organization;</p>
-               </part>
-            </part>
-            <part id="si-4.d_obj" name="objective">
-               <prop name="label">SI-4(d)</prop>
-               <p>protects information obtained from intrusion-monitoring tools from
-                  unauthorized:</p>
-               <part id="si-4.d_obj.1" name="objective">
-                  <prop name="label">SI-4(d)[1]</prop>
-                  <p>access;</p>
-               </part>
-               <part id="si-4.d_obj.2" name="objective">
-                  <prop name="label">SI-4(d)[2]</prop>
-                  <p>modification;</p>
-               </part>
-               <part id="si-4.d_obj.3" name="objective">
-                  <prop name="label">SI-4(d)[3]</prop>
-                  <p>deletion;</p>
-               </part>
-            </part>
-            <part id="si-4.e_obj" name="objective">
-               <prop name="label">SI-4(e)</prop>
-               <p>heightens the level of information system monitoring activity whenever there is an
-                  indication of increased risk to organizational operations and assets, individuals,
-                  other organizations, or the Nation based on law enforcement information,
-                  intelligence information, or other credible sources of information;</p>
-            </part>
-            <part id="si-4.f_obj" name="objective">
-               <prop name="label">SI-4(f)</prop>
-               <p>obtains legal opinion with regard to information system monitoring activities in
-                  accordance with applicable federal laws, Executive Orders, directives, policies,
-                  or regulations;</p>
-            </part>
-            <part id="si-4.g_obj" name="objective">
-               <prop name="label">SI-4(g)</prop>
-               <part id="si-4.g_obj.1" name="objective">
-                  <prop name="label">SI-4(g)[1]</prop>
-                  <p>defines personnel or roles to whom information system monitoring information is
-                     to be provided;</p>
-               </part>
-               <part id="si-4.g_obj.2" name="objective">
-                  <prop name="label">SI-4(g)[2]</prop>
-                  <p>defines information system monitoring information to be provided to
-                     organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.3" name="objective">
-                  <prop name="label">SI-4(g)[3]</prop>
-                  <p>defines a frequency to provide organization-defined information system
-                     monitoring to organization-defined personnel or roles;</p>
-               </part>
-               <part id="si-4.g_obj.4" name="objective">
-                  <prop name="label">SI-4(g)[4]</prop>
-                  <p>provides organization-defined information system monitoring information to
-                     organization-defined personnel or roles one or more of the following:</p>
-                  <part id="si-4.g_obj.4.a" name="objective">
-                     <prop name="label">SI-4(g)[4][a]</prop>
-                     <p>as needed; and/or</p>
-                  </part>
-                  <part id="si-4.g_obj.4.b" name="objective">
-                     <prop name="label">SI-4(g)[4][b]</prop>
-                     <p>with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Continuous monitoring strategy</p>
-               <p>system and information integrity policy</p>
-               <p>procedures addressing information system monitoring tools and techniques</p>
-               <p>facility diagram/layout</p>
-               <p>information system design documentation</p>
-               <p>information system monitoring tools and techniques documentation</p>
-               <p>locations within information system where monitoring devices are deployed</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>System/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>organizational personnel installing, configuring, and/or maintaining the
-                  information system</p>
-               <p>organizational personnel with responsibility monitoring the information system</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information system monitoring</p>
-               <p>automated mechanisms supporting and/or implementing information system monitoring
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-4.1">
-            <title>System-wide Intrusion Detection System</title>
-            <prop name="label">SI-4(1)</prop>
-            <prop name="sort-id">si-04.01</prop>
-            <part id="si-4.1_smt" name="statement">
-               <p>The organization connects and configures individual intrusion detection tools into
-                  an information system-wide intrusion detection system.</p>
-            </part>
-            <part id="si-4.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.1_obj.1" name="objective">
-                  <prop name="label">SI-4(1)[1]</prop>
-                  <p>connects individual intrusion detection tools into an information system-wide
-                     intrusion detection system; and</p>
-               </part>
-               <part id="si-4.1_obj.2" name="objective">
-                  <prop name="label">SI-4(1)[2]</prop>
-                  <p>configures individual intrusion detection tools into an information system-wide
-                     intrusion detection system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.2">
-            <title>Automated Tools for Real-time Analysis</title>
-            <prop name="label">SI-4(2)</prop>
-            <prop name="sort-id">si-04.02</prop>
-            <part id="si-4.2_smt" name="statement">
-               <p>The organization employs automated tools to support near real-time analysis of
-                  events.</p>
-            </part>
-            <part id="si-4.2_gdn" name="guidance">
-               <p>Automated tools include, for example, host-based, network-based, transport-based,
-                  or storage-based event monitoring tools or Security Information and Event
-                  Management (SIEM) technologies that provide real time analysis of alerts and/or
-                  notifications generated by organizational information systems.</p>
-            </part>
-            <part id="si-4.2_obj" name="objective">
-               <p>Determine if the organization employs automated tools to support near real-time
-                  analysis of events.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for incident
-                     response/management</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for near real-time analysis of events</p>
-                  <p>organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing information system
-                     monitoring</p>
-                  <p>automated mechanisms/tools supporting and/or implementing analysis of
-                     events</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.3">
-            <title>Automated Tool Integration</title>
-            <prop name="label">SI-4(3)</prop>
-            <prop name="sort-id">si-04.03</prop>
-            <part id="si-4.3_smt" name="statement">
-               <p>The organization employs automated tools to integrate intrusion detection tools
-                  into access control and flow control mechanisms for rapid response to attacks by
-                  enabling reconfiguration of these mechanisms in support of attack isolation and
-                  elimination.</p>
-            </part>
-            <part id="si-4.3_obj" name="objective">
-               <p>Determine if the organization, for rapid response to attacks by enabling
-                  reconfiguration of intrusion detection tools in support of attack isolation and
-                  elimination, employs automated tools to integrate intrusion detection tools
-                  into:</p>
-               <part id="si-4.3_obj.1" name="objective">
-                  <prop name="label">SI-4(3)[1]</prop>
-                  <p>access control mechanisms; and</p>
-               </part>
-               <part id="si-4.3_obj.2" name="objective">
-                  <prop name="label">SI-4(3)[2]</prop>
-                  <p>flow control mechanisms.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms/tools supporting and/or implementing access/flow control
-                     capability</p>
-                  <p>automated mechanisms/tools supporting and/or implementing integration of
-                     intrusion detection tools into access/flow control mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.4">
-            <title>Inbound and Outbound Communications Traffic</title>
-            <param id="si-4.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-4(4)</prop>
-            <prop name="sort-id">si-04.04</prop>
-            <part id="si-4.4_smt" name="statement">
-               <p>The information system monitors inbound and outbound communications traffic
-                     <insert param-id="si-4.4_prm_1"/> for unusual or unauthorized activities or
-                  conditions.</p>
-            </part>
-            <part id="si-4.4_gdn" name="guidance">
-               <p>Unusual/unauthorized activities or conditions related to information system
-                  inbound and outbound communications traffic include, for example, internal traffic
-                  that indicates the presence of malicious code within organizational information
-                  systems or propagating among system components, the unauthorized exporting of
-                  information, or signaling to external information systems. Evidence of malicious
-                  code is used to identify potentially compromised information systems or
-                  information system components.</p>
-            </part>
-            <part id="si-4.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.4_obj.1" name="objective">
-                  <prop name="label">SI-4(4)[1]</prop>
-                  <p>defines a frequency to monitor:</p>
-                  <part id="si-4.4_obj.1.a" name="objective">
-                     <prop name="label">SI-4(4)[1][a]</prop>
-                     <p>inbound communications traffic for unusual or unauthorized activities or
-                        conditions;</p>
-                  </part>
-                  <part id="si-4.4_obj.1.b" name="objective">
-                     <prop name="label">SI-4(4)[1][b]</prop>
-                     <p>outbound communications traffic for unusual or unauthorized activities or
-                        conditions;</p>
-                  </part>
-               </part>
-               <part id="si-4.4_obj.2" name="objective">
-                  <prop name="label">SI-4(4)[2]</prop>
-                  <p>monitors, with the organization-defined frequency:</p>
-                  <part id="si-4.4_obj.2.a" name="objective">
-                     <prop name="label">SI-4(4)[2][a]</prop>
-                     <p>inbound communications traffic for unusual or unauthorized activities or
-                        conditions; and</p>
-                  </part>
-                  <part id="si-4.4_obj.2.b" name="objective">
-                     <prop name="label">SI-4(4)[2][b]</prop>
-                     <p>outbound communications traffic for unusual or unauthorized activities or
-                        conditions.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system protocols</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection
-                     capability/information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing monitoring of
-                     inbound/outbound communications traffic</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.5">
-            <title>System-generated Alerts</title>
-            <param id="si-4.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="si-4.5_prm_2">
-               <label>organization-defined compromise indicators</label>
-            </param>
-            <prop name="label">SI-4(5)</prop>
-            <prop name="sort-id">si-04.05</prop>
-            <part id="si-4.5_smt" name="statement">
-               <p>The information system alerts <insert param-id="si-4.5_prm_1"/> when the following
-                  indications of compromise or potential compromise occur: <insert param-id="si-4.5_prm_2"/>.</p>
-            </part>
-            <part id="si-4.5_gdn" name="guidance">
-               <p>Alerts may be generated from a variety of sources, including, for example, audit
-                  records or inputs from malicious code protection mechanisms, intrusion detection
-                  or prevention mechanisms, or boundary protection devices such as firewalls,
-                  gateways, and routers. Alerts can be transmitted, for example, telephonically, by
-                  electronic mail messages, or by text messaging. Organizational personnel on the
-                  notification list can include, for example, system administrators,
-                  mission/business owners, system owners, or information system security
-                  officers.</p>
-               <link rel="related" href="#au-5">AU-5</link>
-               <link rel="related" href="#pe-6">PE-6</link>
-            </part>
-            <part id="si-4.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-4.5_obj.1" name="objective">
-                  <prop name="label">SI-4(5)[1]</prop>
-                  <p>the organization defines compromise indicators for the information system;</p>
-               </part>
-               <part id="si-4.5_obj.2" name="objective">
-                  <prop name="label">SI-4(5)[2]</prop>
-                  <p>the organization defines personnel or roles to be alerted when indications of
-                     compromise or potential compromise occur; and</p>
-               </part>
-               <part id="si-4.5_obj.3" name="objective">
-                  <prop name="label">SI-4(5)[3]</prop>
-                  <p>the information system alerts organization-defined personnel or roles when
-                     organization-defined compromise indicators occur.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>alerts/notifications generated based on compromise indicators</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing alerts for compromise
-                     indicators</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.6">
-            <title>Restrict Non-privileged Users</title>
-            <prop name="label">SI-4(6)</prop>
-            <prop name="sort-id">si-04.06</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#ac-6.10">AC-6 (10)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.7">
-            <title>Automated Response to Suspicious Events</title>
-            <param id="si-4.7_prm_1">
-               <label>organization-defined incident response personnel (identified by name and/or by
-                  role)</label>
-            </param>
-            <param id="si-4.7_prm_2">
-               <label>organization-defined least-disruptive actions to terminate suspicious
-                  events</label>
-            </param>
-            <prop name="label">SI-4(7)</prop>
-            <prop name="sort-id">si-04.07</prop>
-            <part id="si-4.7_smt" name="statement">
-               <p>The information system notifies <insert param-id="si-4.7_prm_1"/> of detected
-                  suspicious events and takes <insert param-id="si-4.7_prm_2"/>.</p>
-            </part>
-            <part id="si-4.7_gdn" name="guidance">
-               <p>Least-disruptive actions may include, for example, initiating requests for human
-                  responses.</p>
-            </part>
-            <part id="si-4.7_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-4.7_obj.1" name="objective">
-                  <prop name="label">SI-4(7)[1]</prop>
-                  <p>the organization defines incident response personnel (identified by name and/or
-                     by role) to be notified of detected suspicious events;</p>
-               </part>
-               <part id="si-4.7_obj.2" name="objective">
-                  <prop name="label">SI-4(7)[2]</prop>
-                  <p>the organization defines least-disruptive actions to be taken by the
-                     information system to terminate suspicious events;</p>
-               </part>
-               <part id="si-4.7_obj.3" name="objective">
-                  <prop name="label">SI-4(7)[3]</prop>
-                  <p>the information system notifies organization-defined incident response
-                     personnel of detected suspicious events; and</p>
-               </part>
-               <part id="si-4.7_obj.4" name="objective">
-                  <prop name="label">SI-4(7)[4]</prop>
-                  <p>the information system takes organization-defined least-disruptive actions to
-                     terminate suspicious events.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>alerts/notifications generated based on detected suspicious events</p>
-                  <p>records of actions taken to terminate suspicious events</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing notifications to incident
-                     response personnel</p>
-                  <p>automated mechanisms supporting and/or implementing actions to terminate
-                     suspicious events</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.8">
-            <title>Protection of Monitoring Information</title>
-            <prop name="label">SI-4(8)</prop>
-            <prop name="sort-id">si-04.08</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.9">
-            <title>Testing of Monitoring Tools</title>
-            <param id="si-4.9_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-4(9)</prop>
-            <prop name="sort-id">si-04.09</prop>
-            <part id="si-4.9_smt" name="statement">
-               <p>The organization tests intrusion-monitoring tools <insert param-id="si-4.9_prm_1"/>.</p>
-            </part>
-            <part id="si-4.9_gdn" name="guidance">
-               <p>Testing intrusion-monitoring tools is necessary to ensure that the tools are
-                  operating correctly and continue to meet the monitoring objectives of
-                  organizations. The frequency of testing depends on the types of tools used by
-                  organizations and methods of deployment.</p>
-               <link rel="related" href="#cp-9">CP-9</link>
-            </part>
-            <part id="si-4.9_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.9_obj.1" name="objective">
-                  <prop name="label">SI-4(9)[1]</prop>
-                  <p>defines a frequency to test intrusion-monitoring tools; and</p>
-               </part>
-               <part id="si-4.9_obj.2" name="objective">
-                  <prop name="label">SI-4(9)[2]</prop>
-                  <p>tests intrusion-monitoring tools with the organization-defined frequency.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing testing of information system monitoring tools and
-                     techniques</p>
-                  <p>documentation providing evidence of testing intrusion-monitoring tools</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing testing of
-                     intrusion-monitoring tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.10">
-            <title>Visibility of Encrypted Communications</title>
-            <param id="si-4.10_prm_1">
-               <label>organization-defined encrypted communications traffic</label>
-            </param>
-            <param id="si-4.10_prm_2">
-               <label>organization-defined information system monitoring tools</label>
-            </param>
-            <prop name="label">SI-4(10)</prop>
-            <prop name="sort-id">si-04.10</prop>
-            <part id="si-4.10_smt" name="statement">
-               <p>The organization makes provisions so that <insert param-id="si-4.10_prm_1"/> is
-                  visible to <insert param-id="si-4.10_prm_2"/>.</p>
-            </part>
-            <part id="si-4.10_gdn" name="guidance">
-               <p>Organizations balance the potentially conflicting needs for encrypting
-                  communications traffic and for having insight into such traffic from a monitoring
-                  perspective. For some organizations, the need to ensure the confidentiality of
-                  communications traffic is paramount; for others, mission-assurance is of greater
-                  concern. Organizations determine whether the visibility requirement applies to
-                  internal encrypted traffic, encrypted traffic intended for external destinations,
-                  or a subset of the traffic types.</p>
-            </part>
-            <part id="si-4.10_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.10_obj.1" name="objective">
-                  <prop name="label">SI-4(10)[1]</prop>
-                  <p>defines encrypted communications traffic required to be visible to information
-                     system monitoring tools;</p>
-               </part>
-               <part id="si-4.10_obj.2" name="objective">
-                  <prop name="label">SI-4(10)[2]</prop>
-                  <p>defines information system monitoring tools to be provided access to
-                     organization-defined encrypted communications traffic; and</p>
-               </part>
-               <part id="si-4.10_obj.3" name="objective">
-                  <prop name="label">SI-4(10)[3]</prop>
-                  <p>makes provisions so that organization-defined encrypted communications traffic
-                     is visible to organization-defined information system monitoring tools.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system protocols</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing visibility of encrypted
-                     communications traffic to monitoring tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.11">
-            <title>Analyze Communications Traffic Anomalies</title>
-            <param id="si-4.11_prm_1">
-               <label>organization-defined interior points within the system (e.g., subnetworks,
-                  subsystems)</label>
-            </param>
-            <prop name="label">SI-4(11)</prop>
-            <prop name="sort-id">si-04.11</prop>
-            <part id="si-4.11_smt" name="statement">
-               <p>The organization analyzes outbound communications traffic at the external boundary
-                  of the information system and selected <insert param-id="si-4.11_prm_1"/> to
-                  discover anomalies.</p>
-            </part>
-            <part id="si-4.11_gdn" name="guidance">
-               <p>Anomalies within organizational information systems include, for example, large
-                  file transfers, long-time persistent connections, unusual protocols and ports in
-                  use, and attempted communications with suspected malicious external addresses.</p>
-            </part>
-            <part id="si-4.11_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.11_obj.1" name="objective">
-                  <prop name="label">SI-4(11)[1]</prop>
-                  <p>defines interior points within the system (e.g., subnetworks, subsystems) where
-                     communications traffic is to be analyzed;</p>
-               </part>
-               <part id="si-4.11_obj.2" name="objective">
-                  <prop name="label">SI-4(11)[2]</prop>
-                  <p>analyzes outbound communications traffic to discover anomalies at:</p>
-                  <part id="si-4.11_obj.2.a" name="objective">
-                     <prop name="label">SI-4(11)[2][a]</prop>
-                     <p>the external boundary of the information system; and</p>
-                  </part>
-                  <part id="si-4.11_obj.2.b" name="objective">
-                     <prop name="label">SI-4(11)[2][b]</prop>
-                     <p>selected organization-defined interior points within the system.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>network diagram</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing analysis of communications
-                     traffic</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.12">
-            <title>Automated Alerts</title>
-            <param id="si-4.12_prm_1">
-               <label>organization-defined activities that trigger alerts</label>
-            </param>
-            <prop name="label">SI-4(12)</prop>
-            <prop name="sort-id">si-04.12</prop>
-            <part id="si-4.12_smt" name="statement">
-               <p>The organization employs automated mechanisms to alert security personnel of the
-                  following inappropriate or unusual activities with security implications: <insert param-id="si-4.12_prm_1"/>.</p>
-            </part>
-            <part id="si-4.12_gdn" name="guidance">
-               <p>This control enhancement focuses on the security alerts generated by organizations
-                  and transmitted using automated means. In contrast to the alerts generated by
-                  information systems in SI-4 (5), which tend to focus on information sources
-                  internal to the systems (e.g., audit records), the sources of information for this
-                  enhancement can include other entities as well (e.g., suspicious activity reports,
-                  reports on potential insider threats).</p>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ia-3">IA-3</link>
-            </part>
-            <part id="si-4.12_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.12_obj.1" name="objective">
-                  <prop name="label">SI-4(12)[1]</prop>
-                  <p>defines activities that trigger alerts to security personnel based on
-                     inappropriate or unusual activities with security implications; and</p>
-               </part>
-               <part id="si-4.12_obj.2" name="objective">
-                  <prop name="label">SI-4(12)[2]</prop>
-                  <p>employs automated mechanisms to alert security personnel of
-                     organization-defined activities that trigger alerts based on inappropriate or
-                     unusual activities with security implications.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of inappropriate or unusual activities (with security implications) that
-                     trigger alerts</p>
-                  <p>alerts/notifications provided to security personnel</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developers</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing automated alerts to
-                     security personnel</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.13">
-            <title>Analyze Traffic / Event Patterns</title>
-            <prop name="label">SI-4(13)</prop>
-            <prop name="sort-id">si-04.13</prop>
-            <part id="si-4.13_smt" name="statement">
-               <p>The organization:</p>
-               <part id="si-4.13_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Analyzes communications traffic/event patterns for the information system;</p>
-               </part>
-               <part id="si-4.13_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Develops profiles representing common traffic patterns and/or events; and</p>
-               </part>
-               <part id="si-4.13_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Uses the traffic/event profiles in tuning system-monitoring devices to reduce
-                     the number of false positives and the number of false negatives.</p>
-               </part>
-            </part>
-            <part id="si-4.13_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.13.a_obj" name="objective">
-                  <prop name="label">SI-4(13)(a)</prop>
-                  <p>analyzes communications traffic/event patterns for the information system;</p>
-                  <link rel="corresp" href="#si-4.13_smt.a">SI-4(13)(a)</link>
-               </part>
-               <part id="si-4.13.b_obj" name="objective">
-                  <prop name="label">SI-4(13)(b)</prop>
-                  <p>develops profiles representing common traffic patterns and/or events;</p>
-                  <link rel="corresp" href="#si-4.13_smt.b">SI-4(13)(b)</link>
-               </part>
-               <part id="si-4.13.c_obj" name="objective">
-                  <prop name="label">SI-4(13)(c)</prop>
-                  <p>uses the traffic/event profiles in tuning system-monitoring devices to reduce
-                     the number of false positives and false negatives.</p>
-                  <link rel="corresp" href="#si-4.13_smt.c">SI-4(13)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of profiles representing common traffic patterns and/or events</p>
-                  <p>information system protocols documentation</p>
-                  <p>list of acceptable thresholds for false positives and false negatives</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing analysis of communications
-                     traffic/event patterns</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.14">
-            <title>Wireless Intrusion Detection</title>
-            <prop name="label">SI-4(14)</prop>
-            <prop name="sort-id">si-04.14</prop>
-            <part id="si-4.14_smt" name="statement">
-               <p>The organization employs a wireless intrusion detection system to identify rogue
-                  wireless devices and to detect attack attempts and potential compromises/breaches
-                  to the information system.</p>
-            </part>
-            <part id="si-4.14_gdn" name="guidance">
-               <p>Wireless signals may radiate beyond the confines of organization-controlled
-                  facilities. Organizations proactively search for unauthorized wireless connections
-                  including the conduct of thorough scans for unauthorized wireless access points.
-                  Scans are not limited to those areas within facilities containing information
-                  systems, but also include areas outside of facilities as needed, to verify that
-                  unauthorized wireless access points are not connected to the systems.</p>
-               <link rel="related" href="#ac-18">AC-18</link>
-               <link rel="related" href="#ia-3">IA-3</link>
-            </part>
-            <part id="si-4.14_obj" name="objective">
-               <p>Determine if the organization employs a wireless intrusion detection system
-                  to:</p>
-               <part id="si-4.14_obj.1" name="objective">
-                  <prop name="label">SI-4(14)[1]</prop>
-                  <p>identify rogue wireless devices;</p>
-               </part>
-               <part id="si-4.14_obj.2" name="objective">
-                  <prop name="label">SI-4(14)[2]</prop>
-                  <p>detect attack attempts to the information system; and</p>
-               </part>
-               <part id="si-4.14_obj.3" name="objective">
-                  <prop name="label">SI-4(14)[3]</prop>
-                  <p>detect potential compromises/breaches to the information system.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system protocols</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection</p>
-                  <p>automated mechanisms supporting and/or implementing wireless intrusion
-                     detection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.15">
-            <title>Wireless to Wireline Communications</title>
-            <prop name="label">SI-4(15)</prop>
-            <prop name="sort-id">si-04.15</prop>
-            <part id="si-4.15_smt" name="statement">
-               <p>The organization employs an intrusion detection system to monitor wireless
-                  communications traffic as the traffic passes from wireless to wireline
-                  networks.</p>
-            </part>
-            <part id="si-4.15_gdn" name="guidance">
-               <link rel="related" href="#ac-18">AC-18</link>
-            </part>
-            <part id="si-4.15_obj" name="objective">
-               <p>Determine if the organization employs an intrusion detection system to monitor
-                  wireless communications traffic as the traffic passes from wireless to wireline
-                  networks.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system protocols documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing wireless intrusion
-                     detection capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.16">
-            <title>Correlate Monitoring Information</title>
-            <prop name="label">SI-4(16)</prop>
-            <prop name="sort-id">si-04.16</prop>
-            <part id="si-4.16_smt" name="statement">
-               <p>The organization correlates information from monitoring tools employed throughout
-                  the information system.</p>
-            </part>
-            <part id="si-4.16_gdn" name="guidance">
-               <p>Correlating information from different monitoring tools can provide a more
-                  comprehensive view of information system activity. The correlation of monitoring
-                  tools that usually work in isolation (e.g., host monitoring, network monitoring,
-                  anti-virus software) can provide an organization-wide view and in so doing, may
-                  reveal otherwise unseen attack patterns. Understanding the
-                  capabilities/limitations of diverse monitoring tools and how to maximize the
-                  utility of information generated by those tools can help organizations to build,
-                  operate, and maintain effective monitoring programs.</p>
-               <link rel="related" href="#au-6">AU-6</link>
-            </part>
-            <part id="si-4.16_obj" name="objective">
-               <p>Determine if the organization correlates information from monitoring tools
-                  employed throughout the information system.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>event correlation logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion
-                     detection/information system monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing correlation of information
-                     from monitoring tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.17">
-            <title>Integrated Situational Awareness</title>
-            <prop name="label">SI-4(17)</prop>
-            <prop name="sort-id">si-04.17</prop>
-            <part id="si-4.17_smt" name="statement">
-               <p>The organization correlates information from monitoring physical, cyber, and
-                  supply chain activities to achieve integrated, organization-wide situational
-                  awareness.</p>
-            </part>
-            <part id="si-4.17_gdn" name="guidance">
-               <p>This control enhancement correlates monitoring information from a more diverse set
-                  of information sources to achieve integrated situational awareness. Integrated
-                  situational awareness from a combination of physical, cyber, and supply chain
-                  monitoring activities enhances the capability of organizations to more quickly
-                  detect sophisticated cyber attacks and investigate the methods and techniques
-                  employed to carry out such attacks. In contrast to SI-4 (16) which correlates the
-                  various cyber monitoring information, this control enhancement correlates
-                  monitoring beyond just the cyber domain. Such monitoring may help reveal attacks
-                  on organizations that are operating across multiple attack vectors.</p>
-               <link rel="related" href="#sa-12">SA-12</link>
-            </part>
-            <part id="si-4.17_obj" name="objective">
-               <p>Determine if the organization, to achieve integrated, organization-wide
-                  situational awareness, correlates information from monitoring:</p>
-               <part id="si-4.17_obj.1" name="objective">
-                  <prop name="label">SI-4(17)[1]</prop>
-                  <p>physical activities;</p>
-               </part>
-               <part id="si-4.17_obj.2" name="objective">
-                  <prop name="label">SI-4(17)[2]</prop>
-                  <p>cyber activities; and</p>
-               </part>
-               <part id="si-4.17_obj.3" name="objective">
-                  <prop name="label">SI-4(17)[3]</prop>
-                  <p>supply chain activities.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>event correlation logs or records resulting from physical, cyber, and supply
-                     chain activities</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection/system
-                     monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing correlation of information
-                     from monitoring tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.18">
-            <title>Analyze Traffic / Covert Exfiltration</title>
-            <param id="si-4.18_prm_1">
-               <label>organization-defined interior points within the system (e.g., subsystems,
-                  subnetworks)</label>
-            </param>
-            <prop name="label">SI-4(18)</prop>
-            <prop name="sort-id">si-04.18</prop>
-            <part id="si-4.18_smt" name="statement">
-               <p>The organization analyzes outbound communications traffic at the external boundary
-                  of the information system (i.e., system perimeter) and at <insert param-id="si-4.18_prm_1"/> to detect covert exfiltration of information.</p>
-            </part>
-            <part id="si-4.18_gdn" name="guidance">
-               <p>Covert means that can be used for the unauthorized exfiltration of organizational
-                  information include, for example, steganography.</p>
-            </part>
-            <part id="si-4.18_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.18_obj.1" name="objective">
-                  <prop name="label">SI-4(18)[1]</prop>
-                  <p>defines interior points within the system (e.g., subsystems, subnetworks) where
-                     communications traffic is to be analyzed;</p>
-               </part>
-               <part id="si-4.18_obj.2" name="objective">
-                  <prop name="label">SI-4(18)[2]</prop>
-                  <p>to detect covert exfiltration of information, analyzes outbound communications
-                     traffic at:</p>
-                  <part id="si-4.18_obj.2.a" name="objective">
-                     <prop name="label">SI-4(18)[2][a]</prop>
-                     <p>the external boundary of the information system (i.e., system perimeter);
-                        and</p>
-                  </part>
-                  <part id="si-4.18_obj.2.b" name="objective">
-                     <prop name="label">SI-4(18)[2][b]</prop>
-                     <p>organization-defined interior points within the system.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>network diagram</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-                  <p>organizational personnel with responsibility for the intrusion detection
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for intrusion detection/information system
-                     monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing intrusion detection/system
-                     monitoring capability</p>
-                  <p>automated mechanisms supporting and/or implementing analysis of outbound
-                     communications traffic</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.19">
-            <title>Individuals Posing Greater Risk</title>
-            <param id="si-4.19_prm_1">
-               <label>organization-defined additional monitoring</label>
-            </param>
-            <param id="si-4.19_prm_2">
-               <label>organization-defined sources</label>
-            </param>
-            <prop name="label">SI-4(19)</prop>
-            <prop name="sort-id">si-04.19</prop>
-            <part id="si-4.19_smt" name="statement">
-               <p>The organization implements <insert param-id="si-4.19_prm_1"/> of individuals who
-                  have been identified by <insert param-id="si-4.19_prm_2"/> as posing an increased
-                  level of risk.</p>
-            </part>
-            <part id="si-4.19_gdn" name="guidance">
-               <p>Indications of increased risk from individuals can be obtained from a variety of
-                  sources including, for example, human resource records, intelligence agencies, law
-                  enforcement organizations, and/or other credible sources. The monitoring of
-                  individuals is closely coordinated with management, legal, security, and human
-                  resources officials within organizations conducting such monitoring and complies
-                  with federal legislation, Executive Orders, policies, directives, regulations, and
-                  standards.</p>
-            </part>
-            <part id="si-4.19_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.19_obj.1" name="objective">
-                  <prop name="label">SI-4(19)[1]</prop>
-                  <p>defines sources that identify individuals who pose an increased level of
-                     risk;</p>
-               </part>
-               <part id="si-4.19_obj.2" name="objective">
-                  <prop name="label">SI-4(19)[2]</prop>
-                  <p>defines additional monitoring to be implemented on individuals who have been
-                     identified by organization-defined sources as posing an increased level of
-                     risk; and</p>
-               </part>
-               <part id="si-4.19_obj.3" name="objective">
-                  <prop name="label">SI-4(19)[3]</prop>
-                  <p>implements organization-defined additional monitoring of individuals who have
-                     been identified by organization-defined sources as posing an increased level of
-                     risk.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>list of individuals who have been identified as posing an increased level of
-                     risk</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.20">
-            <title>Privileged Users</title>
-            <param id="si-4.20_prm_1">
-               <label>organization-defined additional monitoring</label>
-            </param>
-            <prop name="label">SI-4(20)</prop>
-            <prop name="sort-id">si-04.20</prop>
-            <part id="si-4.20_smt" name="statement">
-               <p>The organization implements <insert param-id="si-4.20_prm_1"/> of privileged
-                  users.</p>
-            </part>
-            <part id="si-4.20_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.20_obj.1" name="objective">
-                  <prop name="label">SI-4(20)[1]</prop>
-                  <p>defines additional monitoring to be implemented on privileged users; and</p>
-               </part>
-               <part id="si-4.20_obj.2" name="objective">
-                  <prop name="label">SI-4(20)[2]</prop>
-                  <p>implements organization-defined additional monitoring of privileged users;</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>list of privileged users</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.21">
-            <title>Probationary Periods</title>
-            <param id="si-4.21_prm_1">
-               <label>organization-defined additional monitoring</label>
-            </param>
-            <param id="si-4.21_prm_2">
-               <label>organization-defined probationary period</label>
-            </param>
-            <prop name="label">SI-4(21)</prop>
-            <prop name="sort-id">si-04.21</prop>
-            <part id="si-4.21_smt" name="statement">
-               <p>The organization implements <insert param-id="si-4.21_prm_1"/> of individuals
-                  during <insert param-id="si-4.21_prm_2"/>.</p>
-            </part>
-            <part id="si-4.21_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.21_obj.1" name="objective">
-                  <prop name="label">SI-4(21)[1]</prop>
-                  <p>defines additional monitoring to be implemented on individuals during
-                     probationary periods;</p>
-               </part>
-               <part id="si-4.21_obj.2" name="objective">
-                  <prop name="label">SI-4(21)[2]</prop>
-                  <p>defines probationary period during which organization-defined additional
-                     monitoring of individuals is to be performed; and</p>
-               </part>
-               <part id="si-4.21_obj.3" name="objective">
-                  <prop name="label">SI-4(21)[3]</prop>
-                  <p>implements organization-defined additional monitoring of individuals during
-                     organization-defined probationary period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.22">
-            <title>Unauthorized Network Services</title>
-            <param id="si-4.22_prm_1">
-               <label>organization-defined authorization or approval processes</label>
-            </param>
-            <param id="si-4.22_prm_2">
-               <select how-many="one or more">
-                  <choice>audits</choice>
-                  <choice>alerts <insert param-id="si-4.22_prm_3"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-4.22_prm_3" depends-on="si-4.22_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-4(22)</prop>
-            <prop name="sort-id">si-04.22</prop>
-            <part id="si-4.22_smt" name="statement">
-               <p>The information system detects network services that have not been authorized or
-                  approved by <insert param-id="si-4.22_prm_1"/> and <insert param-id="si-4.22_prm_2"/>.</p>
-            </part>
-            <part id="si-4.22_gdn" name="guidance">
-               <p>Unauthorized or unapproved network services include, for example, services in
-                  service-oriented architectures that lack organizational verification or validation
-                  and therefore may be unreliable or serve as malicious rogues for valid
-                  services.</p>
-               <link rel="related" href="#ac-6">AC-6</link>
-               <link rel="related" href="#cm-7">CM-7</link>
-               <link rel="related" href="#sa-5">SA-5</link>
-               <link rel="related" href="#sa-9">SA-9</link>
-            </part>
-            <part id="si-4.22_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-4.22_obj.1" name="objective">
-                  <prop name="label">SI-4(22)[1]</prop>
-                  <p>the organization defines authorization or approval processes for network
-                     services;</p>
-               </part>
-               <part id="si-4.22_obj.2" name="objective">
-                  <prop name="label">SI-4(22)[2]</prop>
-                  <p>the organization defines personnel or roles to be alerted upon detection of
-                     network services that have not been authorized or approved by
-                     organization-defined authorization or approval processes;</p>
-               </part>
-               <part id="si-4.22_obj.3" name="objective">
-                  <prop name="label">SI-4(22)[3]</prop>
-                  <p>the information system detects network services that have not been authorized
-                     or approved by organization-defined authorization or approval processes and
-                     does one or more of the following:</p>
-                  <part id="si-4.22_obj.3.a" name="objective">
-                     <prop name="label">SI-4(22)[3][a]</prop>
-                     <p>audits; and/or</p>
-                  </part>
-                  <part id="si-4.22_obj.3.b" name="objective">
-                     <prop name="label">SI-4(22)[3][b]</prop>
-                     <p>alerts organization-defined personnel or roles.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documented authorization/approval of network services</p>
-                  <p>notifications or alerts of unauthorized network services</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring the information
-                     system</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-                  <p>automated mechanisms for auditing network services</p>
-                  <p>automated mechanisms for providing alerts</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.23">
-            <title>Host-based Devices</title>
-            <param id="si-4.23_prm_1">
-               <label>organization-defined host-based monitoring mechanisms</label>
-            </param>
-            <param id="si-4.23_prm_2">
-               <label>organization-defined information system components</label>
-            </param>
-            <prop name="label">SI-4(23)</prop>
-            <prop name="sort-id">si-04.23</prop>
-            <part id="si-4.23_smt" name="statement">
-               <p>The organization implements <insert param-id="si-4.23_prm_1"/> at <insert param-id="si-4.23_prm_2"/>.</p>
-            </part>
-            <part id="si-4.23_gdn" name="guidance">
-               <p>Information system components where host-based monitoring can be implemented
-                  include, for example, servers, workstations, and mobile devices. Organizations
-                  consider employing host-based monitoring mechanisms from multiple information
-                  technology product developers.</p>
-            </part>
-            <part id="si-4.23_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-4.23_obj.1" name="objective">
-                  <prop name="label">SI-4(23)[1]</prop>
-                  <p>defines host-based monitoring mechanisms to be implemented;</p>
-               </part>
-               <part id="si-4.23_obj.2" name="objective">
-                  <prop name="label">SI-4(23)[2]</prop>
-                  <p>defines information system components where organization-defined host-based
-                     monitoring is to be implemented; and</p>
-               </part>
-               <part id="si-4.23_obj.3" name="objective">
-                  <prop name="label">SI-4(23)[3]</prop>
-                  <p>implements organization-defined host-based monitoring mechanisms at
-                     organization-defined information system components.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring tools and techniques</p>
-                  <p>information system design documentation</p>
-                  <p>host-based monitoring mechanisms</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of information system components requiring host-based monitoring</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring information system
-                     hosts</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>automated mechanisms supporting and/or implementing host-based monitoring
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.24">
-            <title>Indicators of Compromise</title>
-            <prop name="label">SI-4(24)</prop>
-            <prop name="sort-id">si-04.24</prop>
-            <part id="si-4.24_smt" name="statement">
-               <p>The information system discovers, collects, distributes, and uses indicators of
-                  compromise.</p>
-            </part>
-            <part id="si-4.24_gdn" name="guidance">
-               <p>Indicators of compromise (IOC) are forensic artifacts from intrusions that are
-                  identified on organizational information systems (at the host or network level).
-                  IOCs provide organizations with valuable information on objects or information
-                  systems that have been compromised. IOCs for the discovery of compromised hosts
-                  can include for example, the creation of registry key values. IOCs for network
-                  traffic include, for example, Universal Resource Locator (URL) or protocol
-                  elements that indicate malware command and control servers. The rapid distribution
-                  and adoption of IOCs can improve information security by reducing the time that
-                  information systems and organizations are vulnerable to the same exploit or
-                  attack.</p>
-            </part>
-            <part id="si-4.24_obj" name="objective">
-               <p>Determine if the information system:</p>
-               <part id="si-4.24_obj.1" name="objective">
-                  <prop name="label">SI-4(24)[1]</prop>
-                  <p>discovers indicators of compromise;</p>
-               </part>
-               <part id="si-4.24_obj.2" name="objective">
-                  <prop name="label">SI-4(24)[2]</prop>
-                  <p>collects indicators of compromise;</p>
-               </part>
-               <part id="si-4.24_obj.3" name="objective">
-                  <prop name="label">SI-4(24)[3]</prop>
-                  <p>distributes indicators of compromise; and</p>
-               </part>
-               <part id="si-4.24_obj.4" name="objective">
-                  <prop name="label">SI-4(24)[4]</prop>
-                  <p>uses indicators of compromise.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information system monitoring</p>
-                  <p>information system design documentation</p>
-                  <p>information system monitoring tools and techniques documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system monitoring logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>System/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-                  <p>organizational personnel installing, configuring, and/or maintaining the
-                     information system</p>
-                  <p>organizational personnel with responsibility for monitoring information system
-                     hosts</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for information system monitoring</p>
-                  <p>organizational processes for discovery, collection, distribution, and use of
-                     indicators of compromise</p>
-                  <p>automated mechanisms supporting and/or implementing system monitoring
-                     capability</p>
-                  <p>automated mechanisms supporting and/or implementing the discovery, collection,
-                     distribution, and use of indicators of compromise</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-5">
-         <title>Security Alerts, Advisories, and Directives</title>
-         <param id="si-5_prm_1">
-            <label>organization-defined external organizations</label>
-         </param>
-         <param id="si-5_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="si-5_prm_3"/>
-               </choice>
-               <choice>
-                  <insert param-id="si-5_prm_4"/>
-               </choice>
-               <choice>
-                  <insert param-id="si-5_prm_5"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-5_prm_3" depends-on="si-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-5_prm_4" depends-on="si-5_prm_2">
-            <label>organization-defined elements within the organization</label>
-         </param>
-         <param id="si-5_prm_5" depends-on="si-5_prm_2">
-            <label>organization-defined external organizations</label>
-         </param>
-         <prop name="label">SI-5</prop>
-         <prop name="sort-id">si-05</prop>
-         <link href="#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d" rel="reference">NIST Special Publication 800-40</link>
-         <part id="si-5_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-5_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Receives information system security alerts, advisories, and directives from
-                     <insert param-id="si-5_prm_1"/> on an ongoing basis;</p>
-            </part>
-            <part id="si-5_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Disseminates security alerts, advisories, and directives to: <insert param-id="si-5_prm_2"/>; and</p>
-            </part>
-            <part id="si-5_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Implements security directives in accordance with established time frames, or
-                  notifies the issuing organization of the degree of noncompliance.</p>
-            </part>
-         </part>
-         <part id="si-5_gdn" name="guidance">
-            <p>The United States Computer Emergency Readiness Team (US-CERT) generates security
-               alerts and advisories to maintain situational awareness across the federal
-               government. Security directives are issued by OMB or other designated organizations
-               with the responsibility and authority to issue such directives. Compliance to
-               security directives is essential due to the critical nature of many of these
-               directives and the potential immediate adverse effects on organizational operations
-               and assets, individuals, other organizations, and the Nation should the directives
-               not be implemented in a timely manner. External organizations include, for example,
-               external mission/business partners, supply chain partners, external service
-               providers, and other peer/supporting organizations.</p>
-            <link rel="related" href="#si-2">SI-2</link>
-         </part>
-         <part id="si-5_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-5.a_obj" name="objective">
-               <prop name="label">SI-5(a)</prop>
-               <part id="si-5.a_obj.1" name="objective">
-                  <prop name="label">SI-5(a)[1]</prop>
-                  <p>defines external organizations from whom information system security alerts,
-                     advisories and directives are to be received;</p>
-               </part>
-               <part id="si-5.a_obj.2" name="objective">
-                  <prop name="label">SI-5(a)[2]</prop>
-                  <p>receives information system security alerts, advisories, and directives from
-                     organization-defined external organizations on an ongoing basis;</p>
-               </part>
-            </part>
-            <part id="si-5.b_obj" name="objective">
-               <prop name="label">SI-5(b)</prop>
-               <p>generates internal security alerts, advisories, and directives as deemed
-                  necessary;</p>
-            </part>
-            <part id="si-5.c_obj" name="objective">
-               <prop name="label">SI-5(c)</prop>
-               <part id="si-5.c_obj.1" name="objective">
-                  <prop name="label">SI-5(c)[1]</prop>
-                  <p>defines personnel or roles to whom security alerts, advisories, and directives
-                     are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.2" name="objective">
-                  <prop name="label">SI-5(c)[2]</prop>
-                  <p>defines elements within the organization to whom security alerts, advisories,
-                     and directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.3" name="objective">
-                  <prop name="label">SI-5(c)[3]</prop>
-                  <p>defines external organizations to whom security alerts, advisories, and
-                     directives are to be provided;</p>
-               </part>
-               <part id="si-5.c_obj.4" name="objective">
-                  <prop name="label">SI-5(c)[4]</prop>
-                  <p>disseminates security alerts, advisories, and directives to one or more of the
-                     following:</p>
-                  <part id="si-5.c_obj.4.a" name="objective">
-                     <prop name="label">SI-5(c)[4][a]</prop>
-                     <p>organization-defined personnel or roles;</p>
-                  </part>
-                  <part id="si-5.c_obj.4.b" name="objective">
-                     <prop name="label">SI-5(c)[4][b]</prop>
-                     <p>organization-defined elements within the organization; and/or</p>
-                  </part>
-                  <part id="si-5.c_obj.4.c" name="objective">
-                     <prop name="label">SI-5(c)[4][c]</prop>
-                     <p>organization-defined external organizations; and</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-5.d_obj" name="objective">
-               <prop name="label">SI-5(d)</prop>
-               <part id="si-5.d_obj.1" name="objective">
-                  <prop name="label">SI-5(d)[1]</prop>
-                  <p>implements security directives in accordance with established time frames;
-                     or</p>
-               </part>
-               <part id="si-5.d_obj.2" name="objective">
-                  <prop name="label">SI-5(d)[2]</prop>
-                  <p>notifies the issuing organization of the degree of noncompliance.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing security alerts, advisories, and directives</p>
-               <p>records of security alerts and advisories</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security alert and advisory responsibilities</p>
-               <p>organizational personnel implementing, operating, maintaining, and using the
-                  information system</p>
-               <p>organizational personnel, organizational elements, and/or external organizations
-                  to whom alerts, advisories, and directives are to be disseminated</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining, receiving, generating, disseminating, and
-                  complying with security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing definition, receipt,
-                  generation, and dissemination of security alerts, advisories, and directives</p>
-               <p>automated mechanisms supporting and/or implementing security directives</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-5.1">
-            <title>Automated Alerts and Advisories</title>
-            <prop name="label">SI-5(1)</prop>
-            <prop name="sort-id">si-05.01</prop>
-            <part id="si-5.1_smt" name="statement">
-               <p>The organization employs automated mechanisms to make security alert and advisory
-                  information available throughout the organization.</p>
-            </part>
-            <part id="si-5.1_gdn" name="guidance">
-               <p>The significant number of changes to organizational information systems and the
-                  environments in which those systems operate requires the dissemination of
-                  security-related information to a variety of organizational entities that have a
-                  direct interest in the success of organizational missions and business functions.
-                  Based on the information provided by the security alerts and advisories, changes
-                  may be required at one or more of the three tiers related to the management of
-                  information security risk including the governance level, mission/business
-                  process/enterprise architecture level, and the information system level.</p>
-            </part>
-            <part id="si-5.1_obj" name="objective">
-               <p>Determine if the organization employs automated mechanisms to make security alert
-                  and advisory information available throughout the organization.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing security alerts, advisories, and directives</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>automated mechanisms supporting the distribution of security alert and advisory
-                     information</p>
-                  <p>records of security alerts and advisories</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security alert and advisory responsibilities</p>
-                  <p>organizational personnel implementing, operating, maintaining, and using the
-                     information system</p>
-                  <p>organizational personnel, organizational elements, and/or external
-                     organizations to whom alerts and advisories are to be disseminated</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining, receiving, generating, and disseminating
-                     security alerts and advisories</p>
-                  <p>automated mechanisms supporting and/or implementing dissemination of security
-                     alerts and advisories</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-6">
-         <title>Security Function Verification</title>
-         <param id="si-6_prm_1">
-            <label>organization-defined security functions</label>
-         </param>
-         <param id="si-6_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="si-6_prm_3"/>
-               </choice>
-               <choice>upon command by user with appropriate privilege</choice>
-               <choice>
-                  <insert param-id="si-6_prm_4"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-6_prm_3" depends-on="si-6_prm_2">
-            <label>organization-defined system transitional states</label>
-         </param>
-         <param id="si-6_prm_4" depends-on="si-6_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="si-6_prm_5">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-6_prm_6">
-            <select how-many="one or more">
-               <choice>shuts the information system down</choice>
-               <choice>restarts the information system</choice>
-               <choice>
-                  <insert param-id="si-6_prm_7"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-6_prm_7" depends-on="si-6_prm_6">
-            <label>organization-defined alternative action(s)</label>
-         </param>
-         <prop name="label">SI-6</prop>
-         <prop name="sort-id">si-06</prop>
-         <part id="si-6_smt" name="statement">
-            <p>The information system:</p>
-            <part id="si-6_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Verifies the correct operation of <insert param-id="si-6_prm_1"/>;</p>
-            </part>
-            <part id="si-6_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Performs this verification <insert param-id="si-6_prm_2"/>;</p>
-            </part>
-            <part id="si-6_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Notifies <insert param-id="si-6_prm_5"/> of failed security verification tests;
-                  and</p>
-            </part>
-            <part id="si-6_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>
-                  <insert param-id="si-6_prm_6"/> when anomalies are discovered.</p>
-            </part>
-         </part>
-         <part id="si-6_gdn" name="guidance">
-            <p>Transitional states for information systems include, for example, system startup,
-               restart, shutdown, and abort. Notifications provided by information systems include,
-               for example, electronic alerts to system administrators, messages to local computer
-               consoles, and/or hardware indications such as lights.</p>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-         </part>
-         <part id="si-6_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-6.a_obj" name="objective">
-               <prop name="label">SI-6(a)</prop>
-               <part id="si-6.a_obj.1" name="objective">
-                  <prop name="label">SI-6(a)[1]</prop>
-                  <p>the organization defines security functions to be verified for correct
-                     operation;</p>
-               </part>
-               <part id="si-6.a_obj.2" name="objective">
-                  <prop name="label">SI-6(a)[2]</prop>
-                  <p>the information system verifies the correct operation of organization-defined
-                     security functions;</p>
-               </part>
-            </part>
-            <part id="si-6.b_obj" name="objective">
-               <prop name="label">SI-6(b)</prop>
-               <part id="si-6.b_obj.1" name="objective">
-                  <prop name="label">SI-6(b)[1]</prop>
-                  <p>the organization defines system transitional states requiring verification of
-                     organization-defined security functions;</p>
-               </part>
-               <part id="si-6.b_obj.2" name="objective">
-                  <prop name="label">SI-6(b)[2]</prop>
-                  <p>the organization defines a frequency to verify the correct operation of
-                     organization-defined security functions;</p>
-               </part>
-               <part id="si-6.b_obj.3" name="objective">
-                  <prop name="label">SI-6(b)[3]</prop>
-                  <p>the information system performs this verification one or more of the
-                     following:</p>
-                  <part id="si-6.b_obj.3.a" name="objective">
-                     <prop name="label">SI-6(b)[3][a]</prop>
-                     <p>at organization-defined system transitional states;</p>
-                  </part>
-                  <part id="si-6.b_obj.3.b" name="objective">
-                     <prop name="label">SI-6(b)[3][b]</prop>
-                     <p>upon command by user with appropriate privilege; and/or</p>
-                  </part>
-                  <part id="si-6.b_obj.3.c" name="objective">
-                     <prop name="label">SI-6(b)[3][c]</prop>
-                     <p>with the organization-defined frequency;</p>
-                  </part>
-               </part>
-            </part>
-            <part id="si-6.c_obj" name="objective">
-               <prop name="label">SI-6(c)</prop>
-               <part id="si-6.c_obj.1" name="objective">
-                  <prop name="label">SI-6(c)[1]</prop>
-                  <p>the organization defines personnel or roles to be notified of failed security
-                     verification tests;</p>
-               </part>
-               <part id="si-6.c_obj.2" name="objective">
-                  <prop name="label">SI-6(c)[2]</prop>
-                  <p>the information system notifies organization-defined personnel or roles of
-                     failed security verification tests;</p>
-               </part>
-            </part>
-            <part id="si-6.d_obj" name="objective">
-               <prop name="label">SI-6(d)</prop>
-               <part id="si-6.d_obj.1" name="objective">
-                  <prop name="label">SI-6(d)[1]</prop>
-                  <p>the organization defines alternative action(s) to be performed when anomalies
-                     are discovered;</p>
-               </part>
-               <part id="si-6.d_obj.2" name="objective">
-                  <prop name="label">SI-6(d)[2]</prop>
-                  <p>the information system performs one or more of the following actions when
-                     anomalies are discovered:</p>
-                  <part id="si-6.d_obj.2.a" name="objective">
-                     <prop name="label">SI-6(d)[2][a]</prop>
-                     <p>shuts the information system down;</p>
-                  </part>
-                  <part id="si-6.d_obj.2.b" name="objective">
-                     <prop name="label">SI-6(d)[2][b]</prop>
-                     <p>restarts the information system; and/or</p>
-                  </part>
-                  <part id="si-6.d_obj.2.c" name="objective">
-                     <prop name="label">SI-6(d)[2][c]</prop>
-                     <p>performs organization-defined alternative action(s).</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing security function verification</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>alerts/notifications of failed security verification tests</p>
-               <p>list of system transition states requiring security functionality verification</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with security function verification responsibilities</p>
-               <p>organizational personnel implementing, operating, and maintaining the information
-                  system</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security function verification</p>
-               <p>automated mechanisms supporting and/or implementing security function verification
-                  capability</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-6.1">
-            <title>Notification of Failed Security Tests</title>
-            <prop name="label">SI-6(1)</prop>
-            <prop name="sort-id">si-06.01</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-6">SI-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-6.2">
-            <title>Automation Support for Distributed Testing</title>
-            <prop name="label">SI-6(2)</prop>
-            <prop name="sort-id">si-06.02</prop>
-            <part id="si-6.2_smt" name="statement">
-               <p>The information system implements automated mechanisms to support the management
-                  of distributed security testing.</p>
-            </part>
-            <part id="si-6.2_gdn" name="guidance">
-               <link rel="related" href="#si-2">SI-2</link>
-            </part>
-            <part id="si-6.2_obj" name="objective">
-               <p>Determine if the information system implements automated mechanisms to support the
-                  management of distributed security testing.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing security function verification</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security function verification
-                     responsibilities</p>
-                  <p>organizational personnel implementing, operating, and maintaining the
-                     information system</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for security function verification</p>
-                  <p>automated mechanisms supporting and/or implementing the management of
-                     distributed security testing</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-6.3">
-            <title>Report Verification Results</title>
-            <param id="si-6.3_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-6(3)</prop>
-            <prop name="sort-id">si-06.03</prop>
-            <part id="si-6.3_smt" name="statement">
-               <p>The organization reports the results of security function verification to <insert param-id="si-6.3_prm_1"/>.</p>
-            </part>
-            <part id="si-6.3_gdn" name="guidance">
-               <p>Organizational personnel with potential interest in security function verification
-                  results include, for example, senior information security officers, information
-                  system security managers, and information systems security officers.</p>
-               <link rel="related" href="#sa-12">SA-12</link>
-               <link rel="related" href="#si-4">SI-4</link>
-               <link rel="related" href="#si-5">SI-5</link>
-            </part>
-            <part id="si-6.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-6.3_obj.1" name="objective">
-                  <prop name="label">SI-6(3)[1]</prop>
-                  <p>defines personnel or roles designated to receive the results of security
-                     function verification; and</p>
-               </part>
-               <part id="si-6.3_obj.2" name="objective">
-                  <prop name="label">SI-6(3)[2]</prop>
-                  <p>reports the results of security function verification to organization-defined
-                     personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing security function verification</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>records of security function verification results</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with security function verification
-                     responsibilities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for reporting security function verification
-                     results</p>
-                  <p>automated mechanisms supporting and/or implementing the reporting of security
-                     function verification results</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-7">
-         <title>Software, Firmware, and Information Integrity</title>
-         <param id="si-7_prm_1">
-            <label>organization-defined software, firmware, and information</label>
-         </param>
-         <prop name="label">SI-7</prop>
-         <prop name="sort-id">si-07</prop>
-         <link href="#6bf8d24a-78dc-4727-a2ac-0e64d71c495c" rel="reference">NIST Special Publication 800-147</link>
-         <link href="#3878cc04-144a-483e-af62-8fe6f4ad6c7a" rel="reference">NIST Special Publication 800-155</link>
-         <part id="si-7_smt" name="statement">
-            <p>The organization employs integrity verification tools to detect unauthorized changes
-               to <insert param-id="si-7_prm_1"/>.</p>
-         </part>
-         <part id="si-7_gdn" name="guidance">
-            <p>Unauthorized changes to software, firmware, and information can occur due to errors
-               or malicious activity (e.g., tampering). Software includes, for example, operating
-               systems (with key internal components such as kernels, drivers), middleware, and
-               applications. Firmware includes, for example, the Basic Input Output System (BIOS).
-               Information includes metadata such as security attributes associated with
-               information. State-of-the-practice integrity-checking mechanisms (e.g., parity
-               checks, cyclical redundancy checks, cryptographic hashes) and associated tools can
-               automatically monitor the integrity of information systems and hosted
-               applications.</p>
-            <link rel="related" href="#sa-12">SA-12</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="si-7_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-7_obj.1" name="objective">
-               <prop name="label">SI-7[1]</prop>
-               <part id="si-7_obj.1.a" name="objective">
-                  <prop name="label">SI-7[1][a]</prop>
-                  <p>defines software requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-               <part id="si-7_obj.1.b" name="objective">
-                  <prop name="label">SI-7[1][b]</prop>
-                  <p>defines firmware requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-               <part id="si-7_obj.1.c" name="objective">
-                  <prop name="label">SI-7[1][c]</prop>
-                  <p>defines information requiring integrity verification tools to be employed to
-                     detect unauthorized changes;</p>
-               </part>
-            </part>
-            <part id="si-7_obj.2" name="objective">
-               <prop name="label">SI-7[2]</prop>
-               <p>employs integrity verification tools to detect unauthorized changes to
-                  organization-defined:</p>
-               <part id="si-7_obj.2.a" name="objective">
-                  <prop name="label">SI-7[2][a]</prop>
-                  <p>software;</p>
-               </part>
-               <part id="si-7_obj.2.b" name="objective">
-                  <prop name="label">SI-7[2][b]</prop>
-                  <p>firmware; and</p>
-               </part>
-               <part id="si-7_obj.2.c" name="objective">
-                  <prop name="label">SI-7[2][c]</prop>
-                  <p>information.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing software, firmware, and information integrity</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>integrity verification tools and associated documentation</p>
-               <p>records generated/triggered from integrity verification tools regarding
-                  unauthorized software, firmware, and information changes</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for software, firmware, and/or
-                  information integrity</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Software, firmware, and information integrity verification tools</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-7.1">
-            <title>Integrity Checks</title>
-            <param id="si-7.1_prm_1">
-               <label>organization-defined software, firmware, and information</label>
-            </param>
-            <param id="si-7.1_prm_2">
-               <select how-many="one or more">
-                  <choice>at startup</choice>
-                  <choice>at <insert param-id="si-7.1_prm_3"/>
-                  </choice>
-                  <choice>
-                     <insert param-id="si-7.1_prm_4"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-7.1_prm_3" depends-on="si-7.1_prm_2">
-               <label>organization-defined transitional states or security-relevant events</label>
-            </param>
-            <param id="si-7.1_prm_4" depends-on="si-7.1_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-7(1)</prop>
-            <prop name="sort-id">si-07.01</prop>
-            <part id="si-7.1_smt" name="statement">
-               <p>The information system performs an integrity check of <insert param-id="si-7.1_prm_1"/>
-                  <insert param-id="si-7.1_prm_2"/>.</p>
-            </part>
-            <part id="si-7.1_gdn" name="guidance">
-               <p>Security-relevant events include, for example, the identification of a new threat
-                  to which organizational information systems are susceptible, and the installation
-                  of new hardware, software, or firmware. Transitional states include, for example,
-                  system startup, restart, shutdown, and abort.</p>
-            </part>
-            <part id="si-7.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.1_obj.1" name="objective">
-                  <prop name="label">SI-7(1)[1]</prop>
-                  <p>the organization defines:</p>
-                  <part id="si-7.1_obj.1.a" name="objective">
-                     <prop name="label">SI-7(1)[1][a]</prop>
-                     <p>software requiring integrity checks to be performed;</p>
-                  </part>
-                  <part id="si-7.1_obj.1.b" name="objective">
-                     <prop name="label">SI-7(1)[1][b]</prop>
-                     <p>firmware requiring integrity checks to be performed;</p>
-                  </part>
-                  <part id="si-7.1_obj.1.c" name="objective">
-                     <prop name="label">SI-7(1)[1][c]</prop>
-                     <p>information requiring integrity checks to be performed;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.2" name="objective">
-                  <prop name="label">SI-7(1)[2]</prop>
-                  <p>the organization defines transitional states or security-relevant events
-                     requiring integrity checks of organization-defined:</p>
-                  <part id="si-7.1_obj.2.a" name="objective">
-                     <prop name="label">SI-7(1)[2][a]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="si-7.1_obj.2.b" name="objective">
-                     <prop name="label">SI-7(1)[2][b]</prop>
-                     <p>firmware;</p>
-                  </part>
-                  <part id="si-7.1_obj.2.c" name="objective">
-                     <prop name="label">SI-7(1)[2][c]</prop>
-                     <p>information;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.3" name="objective">
-                  <prop name="label">SI-7(1)[3]</prop>
-                  <p>the organization defines a frequency with which to perform an integrity check
-                     of organization-defined:</p>
-                  <part id="si-7.1_obj.3.a" name="objective">
-                     <prop name="label">SI-7(1)[3][a]</prop>
-                     <p>software;</p>
-                  </part>
-                  <part id="si-7.1_obj.3.b" name="objective">
-                     <prop name="label">SI-7(1)[3][b]</prop>
-                     <p>firmware;</p>
-                  </part>
-                  <part id="si-7.1_obj.3.c" name="objective">
-                     <prop name="label">SI-7(1)[3][c]</prop>
-                     <p>information;</p>
-                  </part>
-               </part>
-               <part id="si-7.1_obj.4" name="objective">
-                  <prop name="label">SI-7(1)[4]</prop>
-                  <p>the information system performs an integrity check of organization-defined
-                     software, firmware, and information one or more of the following:</p>
-                  <part id="si-7.1_obj.4.a" name="objective">
-                     <prop name="label">SI-7(1)[4][a]</prop>
-                     <p>at startup;</p>
-                  </part>
-                  <part id="si-7.1_obj.4.b" name="objective">
-                     <prop name="label">SI-7(1)[4][b]</prop>
-                     <p>at organization-defined transitional states or security-relevant events;
-                        and/or</p>
-                  </part>
-                  <part id="si-7.1_obj.4.c" name="objective">
-                     <prop name="label">SI-7(1)[4][c]</prop>
-                     <p>with the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.2">
-            <title>Automated Notifications of Integrity Violations</title>
-            <param id="si-7.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-7(2)</prop>
-            <prop name="sort-id">si-07.02</prop>
-            <part id="si-7.2_smt" name="statement">
-               <p>The organization employs automated tools that provide notification to <insert param-id="si-7.2_prm_1"/> upon discovering discrepancies during integrity
-                  verification.</p>
-            </part>
-            <part id="si-7.2_gdn" name="guidance">
-               <p>The use of automated tools to report integrity violations and to notify
-                  organizational personnel in a timely matter is an essential precursor to effective
-                  risk response. Personnel having an interest in integrity violations include, for
-                  example, mission/business owners, information system owners, systems
-                  administrators, software developers, systems integrators, and information security
-                  officers.</p>
-            </part>
-            <part id="si-7.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.2_obj.1" name="objective">
-                  <prop name="label">SI-7(2)[1]</prop>
-                  <p>defines personnel or roles to whom notification is to be provided upon
-                     discovering discrepancies during integrity verification; and</p>
-               </part>
-               <part id="si-7.2_obj.2" name="objective">
-                  <prop name="label">SI-7(2)[2]</prop>
-                  <p>employs automated tools that provide notification to organization-defined
-                     personnel or roles upon discovering discrepancies during integrity
-                     verification.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>automated tools supporting alerts and notifications for integrity
-                     discrepancies</p>
-                  <p>alerts/notifications provided upon discovering discrepancies during integrity
-                     verifications</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms providing integrity discrepancy notifications</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.3">
-            <title>Centrally-managed Integrity Tools</title>
-            <prop name="label">SI-7(3)</prop>
-            <prop name="sort-id">si-07.03</prop>
-            <part id="si-7.3_smt" name="statement">
-               <p>The organization employs centrally managed integrity verification tools.</p>
-            </part>
-            <part id="si-7.3_gdn" name="guidance">
-               <link rel="related" href="#au-3">AU-3</link>
-               <link rel="related" href="#si-2">SI-2</link>
-               <link rel="related" href="#si-8">SI-8</link>
-            </part>
-            <part id="si-7.3_obj" name="objective">
-               <p>Determine if the organization employs centrally managed integrity verification
-                  tools.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for central management of
-                     integrity verification tools</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing central management of
-                     integrity verification tools</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.4">
-            <title>Tamper-evident Packaging</title>
-            <prop name="label">SI-7(4)</prop>
-            <prop name="sort-id">si-07.04</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#sa-12">SA-12</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.5">
-            <title>Automated Response to Integrity Violations</title>
-            <param id="si-7.5_prm_1">
-               <select how-many="one or more">
-                  <choice>shuts the information system down</choice>
-                  <choice>restarts the information system</choice>
-                  <choice>implements <insert param-id="si-7.5_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-7.5_prm_2" depends-on="si-7.5_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <prop name="label">SI-7(5)</prop>
-            <prop name="sort-id">si-07.05</prop>
-            <part id="si-7.5_smt" name="statement">
-               <p>The information system automatically <insert param-id="si-7.5_prm_1"/> when
-                  integrity violations are discovered.</p>
-            </part>
-            <part id="si-7.5_gdn" name="guidance">
-               <p>Organizations may define different integrity checking and anomaly responses: (i)
-                  by type of information (e.g., firmware, software, user data); (ii) by specific
-                  information (e.g., boot firmware, boot firmware for a specific types of machines);
-                  or (iii) a combination of both. Automatic implementation of specific safeguards
-                  within organizational information systems includes, for example, reversing the
-                  changes, halting the information system, or triggering audit alerts when
-                  unauthorized modifications to critical security files occur.</p>
-            </part>
-            <part id="si-7.5_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.5_obj.1" name="objective">
-                  <prop name="label">SI-7(5)[1]</prop>
-                  <p>the organization defines security safeguards to be implemented when integrity
-                     violations are discovered;</p>
-               </part>
-               <part id="si-7.5_obj.2" name="objective">
-                  <prop name="label">SI-7(5)[2]</prop>
-                  <p>the information system automatically performs one or more of the following
-                     actions when integrity violations are discovered:</p>
-                  <part id="si-7.5_obj.2.a" name="objective">
-                     <prop name="label">SI-7(5)[2][a]</prop>
-                     <p>shuts the information system down;</p>
-                  </part>
-                  <part id="si-7.5_obj.2.b" name="objective">
-                     <prop name="label">SI-7(5)[2][b]</prop>
-                     <p>restarts the information system; and/or</p>
-                  </part>
-                  <part id="si-7.5_obj.2.c" name="objective">
-                     <prop name="label">SI-7(5)[2][c]</prop>
-                     <p>implements the organization-defined security safeguards.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>records of integrity checks and responses to integrity violations</p>
-                  <p>information audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms providing an automated response to integrity
-                     violations</p>
-                  <p>automated mechanisms supporting and/or implementing security safeguards to be
-                     implemented when integrity violations are discovered</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.6">
-            <title>Cryptographic Protection</title>
-            <prop name="label">SI-7(6)</prop>
-            <prop name="sort-id">si-07.06</prop>
-            <part id="si-7.6_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to detect unauthorized
-                  changes to software, firmware, and information.</p>
-            </part>
-            <part id="si-7.6_gdn" name="guidance">
-               <p>Cryptographic mechanisms used for the protection of integrity include, for
-                  example, digital signatures and the computation and application of signed hashes
-                  using asymmetric cryptography, protecting the confidentiality of the key used to
-                  generate the hash, and using the public key to verify the hash information.</p>
-               <link rel="related" href="#sc-13">SC-13</link>
-            </part>
-            <part id="si-7.6_obj" name="objective">
-               <p>Determine if the information system employs cryptographic mechanism to detect
-                  unauthorized changes to:</p>
-               <part id="si-7.6_obj.1" name="objective">
-                  <prop name="label">SI-7(6)[1]</prop>
-                  <p>software;</p>
-               </part>
-               <part id="si-7.6_obj.2" name="objective">
-                  <prop name="label">SI-7(6)[2]</prop>
-                  <p>firmware; and</p>
-               </part>
-               <part id="si-7.6_obj.3" name="objective">
-                  <prop name="label">SI-7(6)[3]</prop>
-                  <p>information.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated documentation</p>
-                  <p>records of detected unauthorized changes to software, firmware, and
-                     information</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>cryptographic mechanisms implementing software, firmware, and information
-                     integrity</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.7">
-            <title>Integration of Detection and Response</title>
-            <param id="si-7.7_prm_1">
-               <label>organization-defined security-relevant changes to the information
-                  system</label>
-            </param>
-            <prop name="label">SI-7(7)</prop>
-            <prop name="sort-id">si-07.07</prop>
-            <part id="si-7.7_smt" name="statement">
-               <p>The organization incorporates the detection of unauthorized <insert param-id="si-7.7_prm_1"/> into the organizational incident response
-                  capability.</p>
-            </part>
-            <part id="si-7.7_gdn" name="guidance">
-               <p>This control enhancement helps to ensure that detected events are tracked,
-                  monitored, corrected, and available for historical purposes. Maintaining
-                  historical records is important both for being able to identify and discern
-                  adversary actions over an extended period of time and for possible legal actions.
-                  Security-relevant changes include, for example, unauthorized changes to
-                  established configuration settings or unauthorized elevation of information system
-                  privileges.</p>
-               <link rel="related" href="#ir-4">IR-4</link>
-               <link rel="related" href="#ir-5">IR-5</link>
-               <link rel="related" href="#si-4">SI-4</link>
-            </part>
-            <part id="si-7.7_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.7_obj.1" name="objective">
-                  <prop name="label">SI-7(7)[1]</prop>
-                  <p>defines unauthorized security-relevant changes to the information system;
-                     and</p>
-               </part>
-               <part id="si-7.7_obj.2" name="objective">
-                  <prop name="label">SI-7(7)[2]</prop>
-                  <p>incorporates the detection of unauthorized organization-defined
-                     security-relevant changes to the information system into the organizational
-                     incident response capability.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>procedures addressing incident response</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>incident response records</p>
-                  <p>information audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>organizational personnel with incident response responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for incorporating detection of unauthorized
-                     security-relevant changes into the incident response capability</p>
-                  <p>software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing incorporation of detection
-                     of unauthorized security-relevant changes into the incident response
-                     capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.8">
-            <title>Auditing Capability for Significant Events</title>
-            <param id="si-7.8_prm_1">
-               <select how-many="one or more">
-                  <choice>generates an audit record</choice>
-                  <choice>alerts current user</choice>
-                  <choice>alerts <insert param-id="si-7.8_prm_2"/>
-                  </choice>
-                  <choice>
-                     <insert param-id="si-7.8_prm_3"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-7.8_prm_2" depends-on="si-7.8_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="si-7.8_prm_3" depends-on="si-7.8_prm_1">
-               <label>organization-defined other actions</label>
-            </param>
-            <prop name="label">SI-7(8)</prop>
-            <prop name="sort-id">si-07.08</prop>
-            <part id="si-7.8_smt" name="statement">
-               <p>The information system, upon detection of a potential integrity violation,
-                  provides the capability to audit the event and initiates the following actions:
-                     <insert param-id="si-7.8_prm_1"/>.</p>
-            </part>
-            <part id="si-7.8_gdn" name="guidance">
-               <p>Organizations select response actions based on types of software, specific
-                  software, or information for which there are potential integrity violations.</p>
-               <link rel="related" href="#au-2">AU-2</link>
-               <link rel="related" href="#au-6">AU-6</link>
-               <link rel="related" href="#au-12">AU-12</link>
-            </part>
-            <part id="si-7.8_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.8_obj.1" name="objective">
-                  <prop name="label">SI-7(8)[1]</prop>
-                  <p>the organization defines personnel or roles to be alerted upon detection of a
-                     potential integrity violation;</p>
-               </part>
-               <part id="si-7.8_obj.2" name="objective">
-                  <prop name="label">SI-7(8)[2]</prop>
-                  <p>the organization defines other actions to be taken upon detection of a
-                     potential integrity violation;</p>
-               </part>
-               <part id="si-7.8_obj.3" name="objective">
-                  <prop name="label">SI-7(8)[3]</prop>
-                  <part id="si-7.8_obj.3.a" name="objective">
-                     <prop name="label">SI-7(8)[3][a]</prop>
-                     <p>the information system, upon detection of a potential integrity violation,
-                        provides the capability to audit the event;</p>
-                  </part>
-                  <part id="si-7.8_obj.3.b" name="objective">
-                     <prop name="label">SI-7(8)[3][b]</prop>
-                     <p>the information system, upon detection of a potential integrity violation,
-                        initiates one or more of the following actions:</p>
-                     <part id="si-7.8_obj.3.b.1" name="objective">
-                        <prop name="label">SI-7(8)[3][b][1]</prop>
-                        <p>generates an audit record;</p>
-                     </part>
-                     <part id="si-7.8_obj.3.b.2" name="objective">
-                        <prop name="label">SI-7(8)[3][b][2]</prop>
-                        <p>alerts current user;</p>
-                     </part>
-                     <part id="si-7.8_obj.3.b.3" name="objective">
-                        <prop name="label">SI-7(8)[3][b][3]</prop>
-                        <p>alerts organization-defined personnel or roles; and/or</p>
-                     </part>
-                     <part id="si-7.8_obj.3.b.4" name="objective">
-                        <prop name="label">SI-7(8)[3][b][4]</prop>
-                        <p>organization-defined other actions.</p>
-                     </part>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity scans</p>
-                  <p>incident response records, list of security-relevant changes to the information
-                     system</p>
-                  <p>automated tools supporting alerts and notifications if unauthorized security
-                     changes are detected</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing the capability to audit
-                     potential integrity violations</p>
-                  <p>automated mechanisms supporting and/or implementing alerts about potential
-                     integrity violations</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.9">
-            <title>Verify Boot Process</title>
-            <param id="si-7.9_prm_1">
-               <label>organization-defined devices</label>
-            </param>
-            <prop name="label">SI-7(9)</prop>
-            <prop name="sort-id">si-07.09</prop>
-            <part id="si-7.9_smt" name="statement">
-               <p>The information system verifies the integrity of the boot process of <insert param-id="si-7.9_prm_1"/>.</p>
-            </part>
-            <part id="si-7.9_gdn" name="guidance">
-               <p>Ensuring the integrity of boot processes is critical to starting devices in
-                  known/trustworthy states. Integrity verification mechanisms provide organizational
-                  personnel with assurance that only trusted code is executed during boot
-                  processes.</p>
-            </part>
-            <part id="si-7.9_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.9_obj.1" name="objective">
-                  <prop name="label">SI-7(9)[1]</prop>
-                  <p>the organization defines devices requiring integrity verification of the boot
-                     process; and</p>
-               </part>
-               <part id="si-7.9_obj.2" name="objective">
-                  <prop name="label">SI-7(9)[2]</prop>
-                  <p>the information system verifies the integrity of the boot process of
-                     organization-defined devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>documentation</p>
-                  <p>records of integrity verification scans</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing integrity verification of
-                     the boot process</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.10">
-            <title>Protection of Boot Firmware</title>
-            <param id="si-7.10_prm_1">
-               <label>organization-defined security safeguards</label>
-            </param>
-            <param id="si-7.10_prm_2">
-               <label>organization-defined devices</label>
-            </param>
-            <prop name="label">SI-7(10)</prop>
-            <prop name="sort-id">si-07.10</prop>
-            <part id="si-7.10_smt" name="statement">
-               <p>The information system implements <insert param-id="si-7.10_prm_1"/> to protect
-                  the integrity of boot firmware in <insert param-id="si-7.10_prm_2"/>.</p>
-            </part>
-            <part id="si-7.10_gdn" name="guidance">
-               <p>Unauthorized modifications to boot firmware may be indicative of a sophisticated,
-                  targeted cyber attack. These types of cyber attacks can result in a permanent
-                  denial of service (e.g., if the firmware is corrupted) or a persistent malicious
-                  code presence (e.g., if code is embedded within the firmware). Devices can protect
-                  the integrity of the boot firmware in organizational information systems by: (i)
-                  verifying the integrity and authenticity of all updates to the boot firmware prior
-                  to applying changes to the boot devices; and (ii) preventing unauthorized
-                  processes from modifying the boot firmware.</p>
-            </part>
-            <part id="si-7.10_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.10_obj.1" name="objective">
-                  <prop name="label">SI-7(10)[1]</prop>
-                  <p>the organization defines security safeguards to be implemented to protect the
-                     integrity of boot firmware in devices;</p>
-               </part>
-               <part id="si-7.10_obj.2" name="objective">
-                  <prop name="label">SI-7(10)[2]</prop>
-                  <p>the organization defines devices requiring organization-defined security
-                     safeguards to be implemented to protect the integrity of boot firmware; and</p>
-               </part>
-               <part id="si-7.10_obj.3" name="objective">
-                  <prop name="label">SI-7(10)[3]</prop>
-                  <p>the information system implements organization-defined security safeguards to
-                     protect the integrity of boot firmware in organization-defined devices.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification tools and associated documentation</p>
-                  <p>records of integrity verification scans</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing protection of the integrity
-                     of boot firmware</p>
-                  <p>safeguards implementing protection of the integrity of boot firmware</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.11">
-            <title>Confined Environments with Limited Privileges</title>
-            <param id="si-7.11_prm_1">
-               <label>organization-defined user-installed software</label>
-            </param>
-            <prop name="label">SI-7(11)</prop>
-            <prop name="sort-id">si-07.11</prop>
-            <part id="si-7.11_smt" name="statement">
-               <p>The organization requires that <insert param-id="si-7.11_prm_1"/> execute in a
-                  confined physical or virtual machine environment with limited privileges.</p>
-            </part>
-            <part id="si-7.11_gdn" name="guidance">
-               <p>Organizations identify software that may be of greater concern with regard to
-                  origin or potential for containing malicious code. For this type of software, user
-                  installations occur in confined environments of operation to limit or contain
-                  damage from malicious code that may be executed.</p>
-            </part>
-            <part id="si-7.11_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.11_obj.1" name="objective">
-                  <prop name="label">SI-7(11)[1]</prop>
-                  <p>defines user-installed software to be executed in a confined physical or
-                     virtual machine environment with limited privileges; and</p>
-               </part>
-               <part id="si-7.11_obj.2" name="objective">
-                  <prop name="label">SI-7(11)[2]</prop>
-                  <p>requires that organization-defined user-installed software execute in a
-                     confined physical or virtual machine environment with limited privileges.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing execution of software in a
-                     confined environment (physical and/or virtual)</p>
-                  <p>automated mechanisms supporting and/or implementing limited privileges in the
-                     confined environment</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.12">
-            <title>Integrity Verification</title>
-            <param id="si-7.12_prm_1">
-               <label>organization-defined user-installed software</label>
-            </param>
-            <prop name="label">SI-7(12)</prop>
-            <prop name="sort-id">si-07.12</prop>
-            <part id="si-7.12_smt" name="statement">
-               <p>The organization requires that the integrity of <insert param-id="si-7.12_prm_1"/>
-                  be verified prior to execution.</p>
-            </part>
-            <part id="si-7.12_gdn" name="guidance">
-               <p>Organizations verify the integrity of user-installed software prior to execution
-                  to reduce the likelihood of executing malicious code or code that contains errors
-                  from unauthorized modifications. Organizations consider the practicality of
-                  approaches to verifying software integrity including, for example, availability of
-                  checksums of adequate trustworthiness from software developers or vendors.</p>
-            </part>
-            <part id="si-7.12_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.12_obj.1" name="objective">
-                  <prop name="label">SI-7(12)[1]</prop>
-                  <p>defines user-installed software requiring integrity verification prior to
-                     execution; and</p>
-               </part>
-               <part id="si-7.12_obj.2" name="objective">
-                  <prop name="label">SI-7(12)[2]</prop>
-                  <p>requires that the integrity of organization-defined user-installed software be
-                     verified prior to execution.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>integrity verification records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing verification of the
-                     integrity of user-installed software prior to execution</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.13">
-            <title>Code Execution in Protected Environments</title>
-            <param id="si-7.13_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-7(13)</prop>
-            <prop name="sort-id">si-07.13</prop>
-            <part id="si-7.13_smt" name="statement">
-               <p>The organization allows execution of binary or machine-executable code obtained
-                  from sources with limited or no warranty and without the provision of source code
-                  only in confined physical or virtual machine environments and with the explicit
-                  approval of <insert param-id="si-7.13_prm_1"/>.</p>
-            </part>
-            <part id="si-7.13_gdn" name="guidance">
-               <p>This control enhancement applies to all sources of binary or machine-executable
-                  code including, for example, commercial software/firmware and open source
-                  software.</p>
-            </part>
-            <part id="si-7.13_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.13_obj.1" name="objective">
-                  <prop name="label">SI-7(13)[1]</prop>
-                  <p>allows execution of binary or machine-executable code obtained from sources
-                     with limited or no warranty;</p>
-               </part>
-               <part id="si-7.13_obj.2" name="objective">
-                  <prop name="label">SI-7(13)[2]</prop>
-                  <p>allows execution of binary or machine-executable code without the provision of
-                     source code only in confined physical or virtual machines;</p>
-               </part>
-               <part id="si-7.13_obj.3" name="objective">
-                  <prop name="label">SI-7(13)[3]</prop>
-                  <p>defines personnel or roles required to provide explicit approval to allow
-                     execution of binary or machine-executable code; and</p>
-               </part>
-               <part id="si-7.13_obj.4" name="objective">
-                  <prop name="label">SI-7(13)[4]</prop>
-                  <p>allows execution of binary or machine-executable code with the explicit
-                     approval of organization-defined personnel or roles.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>approval records for execution of binary and machine-executable code</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing approvals for execution of
-                     binary or machine-executable code</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.14">
-            <title>Binary or Machine Executable Code</title>
-            <prop name="label">SI-7(14)</prop>
-            <prop name="sort-id">si-07.14</prop>
-            <part id="si-7.14_smt" name="statement">
-               <p>The organization:</p>
-               <part id="si-7.14_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Prohibits the use of binary or machine-executable code from sources with
-                     limited or no warranty and without the provision of source code; and</p>
-               </part>
-               <part id="si-7.14_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Provides exceptions to the source code requirement only for compelling
-                     mission/operational requirements and with the approval of the authorizing
-                     official.</p>
-               </part>
-            </part>
-            <part id="si-7.14_gdn" name="guidance">
-               <p>This control enhancement applies to all sources of binary or machine-executable
-                  code including, for example, commercial software/firmware and open source
-                  software. Organizations assess software products without accompanying source code
-                  from sources with limited or no warranty for potential security impacts. The
-                  assessments address the fact that these types of software products may be very
-                  difficult to review, repair, or extend, given that organizations, in most cases,
-                  do not have access to the original source code, and there may be no owners who
-                  could make such repairs on behalf of organizations.</p>
-               <link rel="related" href="#sa-5">SA-5</link>
-            </part>
-            <part id="si-7.14_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.14.a_obj" name="objective">
-                  <prop name="label">SI-7(14)(a)</prop>
-                  <part id="si-7.14.a_obj.1" name="objective">
-                     <prop name="label">SI-7(14)(a)[1]</prop>
-                     <p>prohibits the use of binary or machine-executable code from sources with
-                        limited or no warranty;</p>
-                  </part>
-                  <part id="si-7.14.a_obj.2" name="objective">
-                     <prop name="label">SI-7(14)(a)[2]</prop>
-                     <p>prohibits the use of binary or machine-executable code without the provision
-                        of source code;</p>
-                  </part>
-                  <link rel="corresp" href="#si-7.14_smt.a">SI-7(14)(a)</link>
-               </part>
-               <part id="si-7.14.b_obj" name="objective">
-                  <prop name="label">SI-7(14)(b)</prop>
-                  <part id="si-7.14.b_obj.1" name="objective">
-                     <prop name="label">SI-7(14)(b)[1]</prop>
-                     <p>provides exceptions to the source code requirement only for compelling
-                        mission/operational requirements; and</p>
-                  </part>
-                  <part id="si-7.14.b_obj.2" name="objective">
-                     <prop name="label">SI-7(14)(b)[2]</prop>
-                     <p>provides exceptions to the source code requirement only with the approval of
-                        the authorizing official.</p>
-                  </part>
-                  <link rel="corresp" href="#si-7.14_smt.b">SI-7(14)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>approval records for execution of binary and machine-executable code</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>authorizing official</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing prohibition of the
-                     execution of binary or machine-executable code</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.15">
-            <title>Code Authentication</title>
-            <param id="si-7.15_prm_1">
-               <label>organization-defined software or firmware components</label>
-            </param>
-            <prop name="label">SI-7(15)</prop>
-            <prop name="sort-id">si-07.15</prop>
-            <part id="si-7.15_smt" name="statement">
-               <p>The information system implements cryptographic mechanisms to authenticate <insert param-id="si-7.15_prm_1"/> prior to installation.</p>
-            </part>
-            <part id="si-7.15_gdn" name="guidance">
-               <p>Cryptographic authentication includes, for example, verifying that software or
-                  firmware components have been digitally signed using certificates recognized and
-                  approved by organizations. Code signing is an effective method to protect against
-                  malicious code.</p>
-            </part>
-            <part id="si-7.15_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-7.15_obj.1" name="objective">
-                  <prop name="label">SI-7(15)[1]</prop>
-                  <part id="si-7.15_obj.1.a" name="objective">
-                     <prop name="label">SI-7(15)[1][a]</prop>
-                     <p>the organization defines software components to be authenticated by
-                        cryptographic mechanisms prior to installation;</p>
-                  </part>
-                  <part id="si-7.15_obj.1.b" name="objective">
-                     <prop name="label">SI-7(15)[1][b]</prop>
-                     <p>the organization defines firmware components to be authenticated by
-                        cryptographic mechanisms prior to installation;</p>
-                  </part>
-               </part>
-               <part id="si-7.15_obj.2" name="objective">
-                  <prop name="label">SI-7(15)[2]</prop>
-                  <part id="si-7.15_obj.2.a" name="objective">
-                     <prop name="label">SI-7(15)[2][a]</prop>
-                     <p>the information system implements cryptographic mechanisms to authenticate
-                        organization-defined software components prior to installation; and</p>
-                  </part>
-                  <part id="si-7.15_obj.2.b" name="objective">
-                     <prop name="label">SI-7(15)[2][b]</prop>
-                     <p>the information system implements cryptographic mechanisms to authenticate
-                        organization-defined firmware components prior to installation.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software, firmware, and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>cryptographic mechanisms and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Cryptographic mechanisms authenticating software/firmware prior to
-                     installation</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.16">
-            <title>Time Limit On Process Execution w/o Supervision</title>
-            <param id="si-7.16_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">SI-7(16)</prop>
-            <prop name="sort-id">si-07.16</prop>
-            <part id="si-7.16_smt" name="statement">
-               <p>The organization does not allow processes to execute without supervision for more
-                  than <insert param-id="si-7.16_prm_1"/>.</p>
-            </part>
-            <part id="si-7.16_gdn" name="guidance">
-               <p>This control enhancement addresses processes for which normal execution periods
-                  can be determined and situations in which organizations exceed such periods.
-                  Supervision includes, for example, operating system timers, automated responses,
-                  or manual oversight and response when information system process anomalies
-                  occur.</p>
-            </part>
-            <part id="si-7.16_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-7.16_obj.1" name="objective">
-                  <prop name="label">SI-7(16)[1]</prop>
-                  <p>defines a time period as the maximum period allowed for processes to execute
-                     without supervision; and</p>
-               </part>
-               <part id="si-7.16_obj.2" name="objective">
-                  <prop name="label">SI-7(16)[2]</prop>
-                  <p>does not allow processes to execute without supervision for more than the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing software and information integrity</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for software, firmware, and/or
-                     information integrity</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Software, firmware, and information integrity verification tools</p>
-                  <p>automated mechanisms supporting and/or implementing time limits on process
-                     execution without supervision</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-8">
-         <title>Spam Protection</title>
-         <prop name="label">SI-8</prop>
-         <prop name="sort-id">si-08</prop>
-         <link href="#c6e95ca0-5828-420e-b095-00895b72b5e8" rel="reference">NIST Special Publication 800-45</link>
-         <part id="si-8_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-8_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Employs spam protection mechanisms at information system entry and exit points to
-                  detect and take action on unsolicited messages; and</p>
-            </part>
-            <part id="si-8_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Updates spam protection mechanisms when new releases are available in accordance
-                  with organizational configuration management policy and procedures.</p>
-            </part>
-         </part>
-         <part id="si-8_gdn" name="guidance">
-            <p>Information system entry and exit points include, for example, firewalls, electronic
-               mail servers, web servers, proxy servers, remote-access servers, workstations, mobile
-               devices, and notebook/laptop computers. Spam can be transported by different means
-               including, for example, electronic mail, electronic mail attachments, and web
-               accesses. Spam protection mechanisms include, for example, signature definitions.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#si-3">SI-3</link>
-         </part>
-         <part id="si-8_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-8.a_obj" name="objective">
-               <prop name="label">SI-8(a)</prop>
-               <p>employs spam protection mechanisms:</p>
-               <part id="si-8.a_obj.1" name="objective">
-                  <prop name="label">SI-8(a)[1]</prop>
-                  <p>at information system entry points to detect unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.2" name="objective">
-                  <prop name="label">SI-8(a)[2]</prop>
-                  <p>at information system entry points to take action on unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.3" name="objective">
-                  <prop name="label">SI-8(a)[3]</prop>
-                  <p>at information system exit points to detect unsolicited messages;</p>
-               </part>
-               <part id="si-8.a_obj.4" name="objective">
-                  <prop name="label">SI-8(a)[4]</prop>
-                  <p>at information system exit points to take action on unsolicited messages;
-                     and</p>
-               </part>
-            </part>
-            <part id="si-8.b_obj" name="objective">
-               <prop name="label">SI-8(b)</prop>
-               <p>updates spam protection mechanisms when new releases are available in accordance
-                  with organizational configuration management policy and procedures.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>configuration management policy and procedures (CM-1)</p>
-               <p>procedures addressing spam protection</p>
-               <p>spam protection mechanisms</p>
-               <p>records of spam protection updates</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for spam protection</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for implementing spam protection</p>
-               <p>automated mechanisms supporting and/or implementing spam protection</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-8.1">
-            <title>Central Management</title>
-            <prop name="label">SI-8(1)</prop>
-            <prop name="sort-id">si-08.01</prop>
-            <part id="si-8.1_smt" name="statement">
-               <p>The organization centrally manages spam protection mechanisms.</p>
-            </part>
-            <part id="si-8.1_gdn" name="guidance">
-               <p>Central management is the organization-wide management and implementation of spam
-                  protection mechanisms. Central management includes planning, implementing,
-                  assessing, authorizing, and monitoring the organization-defined, centrally managed
-                  spam protection security controls.</p>
-               <link rel="related" href="#au-3">AU-3</link>
-               <link rel="related" href="#si-2">SI-2</link>
-               <link rel="related" href="#si-7">SI-7</link>
-            </part>
-            <part id="si-8.1_obj" name="objective">
-               <p>Determine if the organization centrally manages spam protection mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing spam protection</p>
-                  <p>spam protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for spam protection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for central management of spam protection</p>
-                  <p>automated mechanisms supporting and/or implementing central management of spam
-                     protection</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-8.2">
-            <title>Automatic Updates</title>
-            <prop name="label">SI-8(2)</prop>
-            <prop name="sort-id">si-08.02</prop>
-            <part id="si-8.2_smt" name="statement">
-               <p>The information system automatically updates spam protection mechanisms.</p>
-            </part>
-            <part id="si-8.2_obj" name="objective">
-               <p>Determine if the information system automatically updates spam protection
-                  mechanisms.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing spam protection</p>
-                  <p>spam protection mechanisms</p>
-                  <p>records of spam protection updates</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for spam protection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for spam protection</p>
-                  <p>automated mechanisms supporting and/or implementing automatic updates to spam
-                     protection mechanisms</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-8.3">
-            <title>Continuous Learning Capability</title>
-            <prop name="label">SI-8(3)</prop>
-            <prop name="sort-id">si-08.03</prop>
-            <part id="si-8.3_smt" name="statement">
-               <p>The information system implements spam protection mechanisms with a learning
-                  capability to more effectively identify legitimate communications traffic.</p>
-            </part>
-            <part id="si-8.3_gdn" name="guidance">
-               <p>Learning mechanisms include, for example, Bayesian filters that respond to user
-                  inputs identifying specific traffic as spam or legitimate by updating algorithm
-                  parameters and thereby more accurately separating types of traffic.</p>
-            </part>
-            <part id="si-8.3_obj" name="objective">
-               <p>Determine if the information system implements spam protection mechanisms with a
-                  learning capability to more effectively identify legitimate communications
-                  traffic.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing spam protection</p>
-                  <p>spam protection mechanisms</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for spam protection</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for spam protection</p>
-                  <p>automated mechanisms supporting and/or implementing spam protection mechanisms
-                     with a learning capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-9">
-         <title>Information Input Restrictions</title>
-         <prop name="label">SI-9</prop>
-         <prop name="sort-id">si-09</prop>
-         <prop name="status">Withdrawn</prop>
-         <link rel="incorporated-into" href="#ac-2">AC-2</link>
-         <link rel="incorporated-into" href="#ac-3">AC-3</link>
-         <link rel="incorporated-into" href="#ac-5">AC-5</link>
-         <link rel="incorporated-into" href="#ac-6">AC-6</link>
-      </control>
-      <control class="SP800-53" id="si-10">
-         <title>Information Input Validation</title>
-         <param id="si-10_prm_1">
-            <label>organization-defined information inputs</label>
-         </param>
-         <prop name="label">SI-10</prop>
-         <prop name="sort-id">si-10</prop>
-         <part id="si-10_smt" name="statement">
-            <p>The information system checks the validity of <insert param-id="si-10_prm_1"/>.</p>
-         </part>
-         <part id="si-10_gdn" name="guidance">
-            <p>Checking the valid syntax and semantics of information system inputs (e.g., character
-               set, length, numerical range, and acceptable values) verifies that inputs match
-               specified definitions for format and content. Software applications typically follow
-               well-defined protocols that use structured messages (i.e., commands or queries) to
-               communicate between software modules or system components. Structured messages can
-               contain raw or unstructured data interspersed with metadata or control information.
-               If software applications use attacker-supplied inputs to construct structured
-               messages without properly encoding such messages, then the attacker could insert
-               malicious commands or special characters that can cause the data to be interpreted as
-               control information or metadata. Consequently, the module or component that receives
-               the tainted output will perform the wrong operations or otherwise interpret the data
-               incorrectly. Prescreening inputs prior to passing to interpreters prevents the
-               content from being unintentionally interpreted as commands. Input validation helps to
-               ensure accurate and correct inputs and prevent attacks such as cross-site scripting
-               and a variety of injection attacks.</p>
-         </part>
-         <part id="si-10_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-10_obj.1" name="objective">
-               <prop name="label">SI-10[1]</prop>
-               <p>the organization defines information inputs requiring validity checks; and</p>
-            </part>
-            <part id="si-10_obj.2" name="objective">
-               <prop name="label">SI-10[2]</prop>
-               <p>the information system checks the validity of organization-defined information
-                  inputs.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>access control policy and procedures</p>
-               <p>separation of duties policy and procedures</p>
-               <p>procedures addressing information input validation</p>
-               <p>documentation for automated tools and applications to verify validity of
-                  information</p>
-               <p>list of information inputs requiring validity checks</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information input validation</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing validity checks on information
-                  inputs</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-10.1">
-            <title>Manual Override Capability</title>
-            <param id="si-10.1_prm_1">
-               <label>organization-defined inputs</label>
-            </param>
-            <param id="si-10.1_prm_2">
-               <label>organization-defined authorized individuals</label>
-            </param>
-            <prop name="label">SI-10(1)</prop>
-            <prop name="sort-id">si-10.01</prop>
-            <part id="si-10.1_smt" name="statement">
-               <p>The information system:</p>
-               <part id="si-10.1_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Provides a manual override capability for input validation of <insert param-id="si-10.1_prm_1"/>;</p>
-               </part>
-               <part id="si-10.1_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>Restricts the use of the manual override capability to only <insert param-id="si-10.1_prm_2"/>; and</p>
-               </part>
-               <part id="si-10.1_smt.c" name="item">
-                  <prop name="label">(c)</prop>
-                  <p>Audits the use of the manual override capability.</p>
-               </part>
-            </part>
-            <part id="si-10.1_gdn" name="guidance">
-               <link rel="related" href="#cm-3">CM-3</link>
-               <link rel="related" href="#cm-5">CM-5</link>
-            </part>
-            <part id="si-10.1_obj" name="objective">
-               <p>Determine if:</p>
-               <part id="si-10.1.a_obj" name="objective">
-                  <prop name="label">SI-10(1)(a)</prop>
-                  <part id="si-10.1.a_obj.1" name="objective">
-                     <prop name="label">SI-10(1)(a)[1]</prop>
-                     <p>the organization defines information inputs for which the information system
-                        provides a manual override capability for input validation;</p>
-                  </part>
-                  <part id="si-10.1.a_obj.2" name="objective">
-                     <prop name="label">SI-10(1)(a)[2]</prop>
-                     <p>the information system provides a manual override capability for input
-                        validation of organization-defined inputs;</p>
-                  </part>
-                  <link rel="corresp" href="#si-10.1_smt.a">SI-10(1)(a)</link>
-               </part>
-               <part id="si-10.1.b_obj" name="objective">
-                  <prop name="label">SI-10(1)(b)</prop>
-                  <part id="si-10.1.b_obj.1" name="objective">
-                     <prop name="label">SI-10(1)(b)[1]</prop>
-                     <p>the organization defines authorized individuals who can use the manual
-                        override capability;</p>
-                  </part>
-                  <part id="si-10.1.b_obj.2" name="objective">
-                     <prop name="label">SI-10(1)(b)[2]</prop>
-                     <p>the information system restricts the use of manual override capability to
-                        organization-defined authorized individuals; and</p>
-                  </part>
-                  <link rel="corresp" href="#si-10.1_smt.b">SI-10(1)(b)</link>
-               </part>
-               <part id="si-10.1.c_obj" name="objective">
-                  <prop name="label">SI-10(1)(c)</prop>
-                  <p>the information system audits the use of the manual override capability.</p>
-                  <link rel="corresp" href="#si-10.1_smt.c">SI-10(1)(c)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>separation of duties policy and procedures</p>
-                  <p>procedures addressing information input validation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for information input
-                     validation</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for use of manual override capability</p>
-                  <p>automated mechanisms supporting and/or implementing manual override capability
-                     for input validation</p>
-                  <p>automated mechanisms supporting and/or implementing auditing of the use of
-                     manual override capability</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.2">
-            <title>Review / Resolution of Errors</title>
-            <param id="si-10.2_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">SI-10(2)</prop>
-            <prop name="sort-id">si-10.02</prop>
-            <part id="si-10.2_smt" name="statement">
-               <p>The organization ensures that input validation errors are reviewed and resolved
-                  within <insert param-id="si-10.2_prm_1"/>.</p>
-            </part>
-            <part id="si-10.2_gdn" name="guidance">
-               <p>Resolution of input validation errors includes, for example, correcting systemic
-                  causes of errors and resubmitting transactions with corrected input.</p>
-            </part>
-            <part id="si-10.2_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-10.2_obj.1" name="objective">
-                  <prop name="label">SI-10(2)[1]</prop>
-                  <p>defines a time period within which input validation errors are to be reviewed
-                     and resolved; and</p>
-               </part>
-               <part id="si-10.2_obj.2" name="objective">
-                  <prop name="label">SI-10(2)[2]</prop>
-                  <p>ensures that input validation errors are reviewed and resolved within the
-                     organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>access control policy and procedures</p>
-                  <p>separation of duties policy and procedures</p>
-                  <p>procedures addressing information input validation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>review records of information input validation errors and resulting
-                     resolutions</p>
-                  <p>information input validation error logs or records</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for information input
-                     validation</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for review and resolution of input validation
-                     errors</p>
-                  <p>automated mechanisms supporting and/or implementing review and resolution of
-                     input validation errors</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.3">
-            <title>Predictable Behavior</title>
-            <prop name="label">SI-10(3)</prop>
-            <prop name="sort-id">si-10.03</prop>
-            <part id="si-10.3_smt" name="statement">
-               <p>The information system behaves in a predictable and documented manner that
-                  reflects organizational and system objectives when invalid inputs are
-                  received.</p>
-            </part>
-            <part id="si-10.3_gdn" name="guidance">
-               <p>A common vulnerability in organizational information systems is unpredictable
-                  behavior when invalid inputs are received. This control enhancement ensures that
-                  there is predictable behavior in the face of invalid inputs by specifying
-                  information system responses that facilitate transitioning the system to known
-                  states without adverse, unintended side effects.</p>
-            </part>
-            <part id="si-10.3_obj" name="objective">
-               <p>Determine if the information system behaves in a predictable and documented manner
-                  that reflects organizational and system objectives when invalid inputs are
-                  received.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information input validation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for information input
-                     validation</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Automated mechanisms supporting and/or implementing predictable behavior when
-                     invalid inputs are received</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.4">
-            <title>Review / Timing Interactions</title>
-            <prop name="label">SI-10(4)</prop>
-            <prop name="sort-id">si-10.04</prop>
-            <part id="si-10.4_smt" name="statement">
-               <p>The organization accounts for timing interactions among information system
-                  components in determining appropriate responses for invalid inputs.</p>
-            </part>
-            <part id="si-10.4_gdn" name="guidance">
-               <p>In addressing invalid information system inputs received across protocol
-                  interfaces, timing interactions become relevant, where one protocol needs to
-                  consider the impact of the error response on other protocols within the protocol
-                  stack. For example, 802.11 standard wireless network protocols do not interact
-                  well with Transmission Control Protocols (TCP) when packets are dropped (which
-                  could be due to invalid packet input). TCP assumes packet losses are due to
-                  congestion, while packets lost over 802.11 links are typically dropped due to
-                  collisions or noise on the link. If TCP makes a congestion response, it takes
-                  precisely the wrong action in response to a collision event. Adversaries may be
-                  able to use apparently acceptable individual behaviors of the protocols in concert
-                  to achieve adverse effects through suitable construction of invalid input.</p>
-            </part>
-            <part id="si-10.4_obj" name="objective">
-               <p>Determine if the organization accounts for timing interactions among information
-                  system components in determining appropriate responses for invalid inputs.</p>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information input validation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for information input
-                     validation</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for determining appropriate responses to invalid
-                     inputs</p>
-                  <p>automated mechanisms supporting and/or implementing responses to invalid
-                     inputs</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.5">
-            <title>Restrict Inputs to Trusted Sources and Approved Formats</title>
-            <param id="si-10.5_prm_1">
-               <label>organization-defined trusted sources</label>
-            </param>
-            <param id="si-10.5_prm_2">
-               <label>organization-defined formats</label>
-            </param>
-            <prop name="label">SI-10(5)</prop>
-            <prop name="sort-id">si-10.05</prop>
-            <part id="si-10.5_smt" name="statement">
-               <p>The organization restricts the use of information inputs to <insert param-id="si-10.5_prm_1"/> and/or <insert param-id="si-10.5_prm_2"/>.</p>
-            </part>
-            <part id="si-10.5_gdn" name="guidance">
-               <p>This control enhancement applies the concept of whitelisting to information
-                  inputs. Specifying known trusted sources for information inputs and acceptable
-                  formats for such inputs can reduce the probability of malicious activity.</p>
-            </part>
-            <part id="si-10.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-10.5_obj.1" name="objective">
-                  <prop name="label">SI-10(5)[1]</prop>
-                  <p>defines trusted sources to which the use of information inputs is to be
-                     restricted;</p>
-               </part>
-               <part id="si-10.5_obj.2" name="objective">
-                  <prop name="label">SI-10(5)[2]</prop>
-                  <p>defines formats to which the use of information inputs is to be restricted;</p>
-               </part>
-               <part id="si-10.5_obj.3" name="objective">
-                  <prop name="label">SI-10(5)[3]</prop>
-                  <p>restricts the use of information inputs to:</p>
-                  <part id="si-10.5_obj.3.a" name="objective">
-                     <prop name="label">SI-10(5)[3][a]</prop>
-                     <p>organization-defined trust sources; and/or</p>
-                  </part>
-                  <part id="si-10.5_obj.3.b" name="objective">
-                     <prop name="label">SI-10(5)[3][b]</prop>
-                     <p>organization-defined formats.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing information input validation</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of trusted sources for information inputs</p>
-                  <p>list of acceptable formats for input restrictions</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for information input
-                     validation</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>system developer</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for restricting information inputs</p>
-                  <p>automated mechanisms supporting and/or implementing restriction of information
-                     inputs</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-11">
-         <title>Error Handling</title>
-         <param id="si-11_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SI-11</prop>
-         <prop name="sort-id">si-11</prop>
-         <part id="si-11_smt" name="statement">
-            <p>The information system:</p>
-            <part id="si-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Generates error messages that provide information necessary for corrective actions
-                  without revealing information that could be exploited by adversaries; and</p>
-            </part>
-            <part id="si-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reveals error messages only to <insert param-id="si-11_prm_1"/>.</p>
-            </part>
-         </part>
-         <part id="si-11_gdn" name="guidance">
-            <p>Organizations carefully consider the structure/content of error messages. The extent
-               to which information systems are able to identify and handle error conditions is
-               guided by organizational policy and operational requirements. Information that could
-               be exploited by adversaries includes, for example, erroneous logon attempts with
-               passwords entered by mistake as the username, mission/business information that can
-               be derived from (if not stated explicitly by) information recorded, and personal
-               information such as account numbers, social security numbers, and credit card
-               numbers. In addition, error messages may provide a covert channel for transmitting
-               information.</p>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#sc-31">SC-31</link>
-         </part>
-         <part id="si-11_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-11.a_obj" name="objective">
-               <prop name="label">SI-11(a)</prop>
-               <p>the information system generates error messages that provide information necessary
-                  for corrective actions without revealing information that could be exploited by
-                  adversaries;</p>
-            </part>
-            <part id="si-11.b_obj" name="objective">
-               <prop name="label">SI-11(b)</prop>
-               <part id="si-11.b_obj.1" name="objective">
-                  <prop name="label">SI-11(b)[1]</prop>
-                  <p>the organization defines personnel or roles to whom error messages are to be
-                     revealed; and</p>
-               </part>
-               <part id="si-11.b_obj.2" name="objective">
-                  <prop name="label">SI-11(b)[2]</prop>
-                  <p>the information system reveals error messages only to organization-defined
-                     personnel or roles.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing information system error handling</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>documentation providing structure/content of error messages</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information input validation</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for error handling</p>
-               <p>automated mechanisms supporting and/or implementing error handling</p>
-               <p>automated mechanisms supporting and/or implementing management of error
-                  messages</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-12">
-         <title>Information Handling and Retention</title>
-         <prop name="label">SI-12</prop>
-         <prop name="sort-id">si-12</prop>
-         <part id="si-12_smt" name="statement">
-            <p>The organization handles and retains information within the information system and
-               information output from the system in accordance with applicable federal laws,
-               Executive Orders, directives, policies, regulations, standards, and operational
-               requirements.</p>
-         </part>
-         <part id="si-12_gdn" name="guidance">
-            <p>Information handling and retention requirements cover the full life cycle of
-               information, in some cases extending beyond the disposal of information systems. The
-               National Archives and Records Administration provides guidance on records
-               retention.</p>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-         </part>
-         <part id="si-12_obj" name="objective">
-            <p>Determine if the organization, in accordance with applicable federal laws, Executive
-               Orders, directives, policies, regulations, standards, and operational
-               requirements:</p>
-            <part id="si-12_obj.1" name="objective">
-               <prop name="label">SI-12[1]</prop>
-               <p>handles information within the information system;</p>
-            </part>
-            <part id="si-12_obj.2" name="objective">
-               <prop name="label">SI-12[2]</prop>
-               <p>handles output from the information system;</p>
-            </part>
-            <part id="si-12_obj.3" name="objective">
-               <prop name="label">SI-12[3]</prop>
-               <p>retains information within the information system; and</p>
-            </part>
-            <part id="si-12_obj.4" name="objective">
-               <prop name="label">SI-12[4]</prop>
-               <p>retains output from the information system.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>federal laws, Executive Orders, directives, policies, regulations, standards, and
-                  operational requirements applicable to information handling and retention</p>
-               <p>media protection policy and procedures</p>
-               <p>procedures addressing information system output handling and retention</p>
-               <p>information retention records, other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for information handling and
-                  retention</p>
-               <p>organizational personnel with information security responsibilities/network
-                  administrators</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information handling and retention</p>
-               <p>automated mechanisms supporting and/or implementing information handling and
-                  retention</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-13">
-         <title>Predictable Failure Prevention</title>
-         <param id="si-13_prm_1">
-            <label>organization-defined information system components</label>
-         </param>
-         <param id="si-13_prm_2">
-            <label>organization-defined MTTF substitution criteria</label>
-         </param>
-         <prop name="label">SI-13</prop>
-         <prop name="sort-id">si-13</prop>
-         <part id="si-13_smt" name="statement">
-            <p>The organization:</p>
-            <part id="si-13_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Determines mean time to failure (MTTF) for <insert param-id="si-13_prm_1"/> in
-                  specific environments of operation; and</p>
-            </part>
-            <part id="si-13_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Provides substitute information system components and a means to exchange active
-                  and standby components at <insert param-id="si-13_prm_2"/>.</p>
-            </part>
-         </part>
-         <part id="si-13_gdn" name="guidance">
-            <p>While MTTF is primarily a reliability issue, this control addresses potential
-               failures of specific information system components that provide security capability.
-               Failure rates reflect installation-specific consideration, not industry-average.
-               Organizations define criteria for substitution of information system components based
-               on MTTF value with consideration for resulting potential harm from component
-               failures. Transfer of responsibilities between active and standby components does not
-               compromise safety, operational readiness, or security capability (e.g., preservation
-               of state variables). Standby components remain available at all times except for
-               maintenance issues or recovery failures in progress.</p>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#ma-6">MA-6</link>
-         </part>
-         <part id="si-13_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-13.a_obj" name="objective">
-               <prop name="label">SI-13(a)</prop>
-               <part id="si-13.a_obj.1" name="objective">
-                  <prop name="label">SI-13(a)[1]</prop>
-                  <p>defines information system components for which mean time to failure (MTTF)
-                     should be determined;</p>
-               </part>
-               <part id="si-13.a_obj.2" name="objective">
-                  <prop name="label">SI-13(a)[2]</prop>
-                  <p>determines MTTF for organization-defined information system components in
-                     specific environments of operation;</p>
-               </part>
-            </part>
-            <part id="si-13.b_obj" name="objective">
-               <prop name="label">SI-13(b)</prop>
-               <part id="si-13.b_obj.1" name="objective">
-                  <prop name="label">SI-13(b)[1]</prop>
-                  <p>defines MTTF substitution criteria to be used as a means to exchange active and
-                     standby components;</p>
-               </part>
-               <part id="si-13.b_obj.2" name="objective">
-                  <prop name="label">SI-13(b)[2]</prop>
-                  <p>provides substitute information system components at organization-defined MTTF
-                     substitution criteria; and</p>
-               </part>
-               <part id="si-13.b_obj.3" name="objective">
-                  <prop name="label">SI-13(b)[3]</prop>
-                  <p>provides a means to exchange active and standby components at
-                     organization-defined MTTF substitution criteria.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing predictable failure prevention</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of MTTF substitution criteria</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for MTTF determinations and
-                  activities</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>organizational personnel with contingency planning responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for managing MTTF</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-13.1">
-            <title>Transferring Component Responsibilities</title>
-            <param id="si-13.1_prm_1">
-               <label>organization-defined fraction or percentage</label>
-            </param>
-            <prop name="label">SI-13(1)</prop>
-            <prop name="sort-id">si-13.01</prop>
-            <part id="si-13.1_smt" name="statement">
-               <p>The organization takes information system components out of service by
-                  transferring component responsibilities to substitute components no later than
-                     <insert param-id="si-13.1_prm_1"/> of mean time to failure.</p>
-            </part>
-            <part id="si-13.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-13.1_obj.1" name="objective">
-                  <prop name="label">SI-13(1)[1]</prop>
-                  <p>defines maximum fraction or percentage of mean time to failure within which to
-                     transfer the responsibilities of an information system component that is out of
-                     service to a substitute component; and</p>
-               </part>
-               <part id="si-13.1_obj.2" name="objective">
-                  <prop name="label">SI-13(1)[2]</prop>
-                  <p>takes the information system component out of service by transferring component
-                     responsibilities to substitute components no later than organization-defined
-                     fraction or percentage of mean time to failure.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing predictable failure prevention</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for MTTF activities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with contingency planning responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing MTTF</p>
-                  <p>automated mechanisms supporting and/or implementing transfer of component
-                     responsibilities to substitute components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-13.2">
-            <title>Time Limit On Process Execution Without Supervision</title>
-            <prop name="label">SI-13(2)</prop>
-            <prop name="sort-id">si-13.02</prop>
-            <prop name="status">Withdrawn</prop>
-            <link rel="incorporated-into" href="#si-7.16">SI-7 (16)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-13.3">
-            <title>Manual Transfer Between Components</title>
-            <param id="si-13.3_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="si-13.3_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">SI-13(3)</prop>
-            <prop name="sort-id">si-13.03</prop>
-            <part id="si-13.3_smt" name="statement">
-               <p>The organization manually initiates transfers between active and standby
-                  information system components <insert param-id="si-13.3_prm_1"/> if the mean time
-                  to failure exceeds <insert param-id="si-13.3_prm_2"/>.</p>
-            </part>
-            <part id="si-13.3_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-13.3_obj.1" name="objective">
-                  <prop name="label">SI-13(3)[1]</prop>
-                  <p>defines the minimum frequency with which the organization manually initiates a
-                     transfer between active and standby information system components if the mean
-                     time to failure exceeds the organization-defined time period;</p>
-               </part>
-               <part id="si-13.3_obj.2" name="objective">
-                  <prop name="label">SI-13(3)[2]</prop>
-                  <p>defines the time period that the mean time to failure must exceed before the
-                     organization manually initiates a transfer between active and standby
-                     information system components; and</p>
-               </part>
-               <part id="si-13.3_obj.3" name="objective">
-                  <prop name="label">SI-13(3)[3]</prop>
-                  <p>manually initiates transfers between active and standby information system
-                     components at the organization-defined frequency if the mean time to failure
-                     exceeds the organization-defined time period.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing predictable failure prevention</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for MTTF activities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with contingency planning responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing MTTF and conducting the manual transfer
-                     between active and standby components</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-13.4">
-            <title>Standby Component Installation / Notification</title>
-            <param id="si-13.4_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <param id="si-13.4_prm_2">
-               <select how-many="one or more">
-                  <choice>activates <insert param-id="si-13.4_prm_3"/>
-                  </choice>
-                  <choice>automatically shuts down the information system</choice>
-               </select>
-            </param>
-            <param id="si-13.4_prm_3" depends-on="si-13.4_prm_2">
-               <label>organization-defined alarm</label>
-            </param>
-            <prop name="label">SI-13(4)</prop>
-            <prop name="sort-id">si-13.04</prop>
-            <part id="si-13.4_smt" name="statement">
-               <p>The organization, if information system component failures are detected:</p>
-               <part id="si-13.4_smt.a" name="item">
-                  <prop name="label">(a)</prop>
-                  <p>Ensures that the standby components are successfully and transparently
-                     installed within <insert param-id="si-13.4_prm_1"/>; and</p>
-               </part>
-               <part id="si-13.4_smt.b" name="item">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="si-13.4_prm_2"/>.</p>
-               </part>
-            </part>
-            <part id="si-13.4_gdn" name="guidance">
-               <p>Automatic or manual transfer of components from standby to active mode can occur,
-                  for example, upon detection of component failures.</p>
-            </part>
-            <part id="si-13.4_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-13.4.a_obj" name="objective">
-                  <prop name="label">SI-13(4)(a)</prop>
-                  <part id="si-13.4.a_obj.1" name="objective">
-                     <prop name="label">SI-13(4)(a)[1]</prop>
-                     <p>defines a time period for standby information system components to be
-                        successfully and transparently installed when information system component
-                        failures are detected;</p>
-                  </part>
-                  <part id="si-13.4.a_obj.2" name="objective">
-                     <prop name="label">SI-13(4)(a)[2]</prop>
-                     <p>ensures that the standby components are successfully and transparently
-                        installed within the organization-defined time period;</p>
-                  </part>
-                  <link rel="corresp" href="#si-13.4_smt.a">SI-13(4)(a)</link>
-               </part>
-               <part id="si-13.4.b_obj" name="objective">
-                  <prop name="label">SI-13(4)(b)</prop>
-                  <part id="si-13.4.b_obj.1" name="objective">
-                     <prop name="label">SI-13(4)(b)[1]</prop>
-                     <p>defines an alarm to be activated when information system component failures
-                        are detected;</p>
-                  </part>
-                  <part id="si-13.4.b_obj.2" name="objective">
-                     <prop name="label">SI-13(4)(b)[2]</prop>
-                     <p>if information system component failures are detected, does one or more of
-                        the following:</p>
-                     <part id="si-13.4.b_obj.2.a" name="objective">
-                        <prop name="label">SI-13(4)(b)[2][a]</prop>
-                        <p>activates the organization-defined alarm; and/or</p>
-                     </part>
-                     <part id="si-13.4.b_obj.2.b" name="objective">
-                        <prop name="label">SI-13(4)(b)[2][b]</prop>
-                        <p>automatically shuts down the information system.</p>
-                     </part>
-                  </part>
-                  <link rel="corresp" href="#si-13.4_smt.b">SI-13(4)(b)</link>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing predictable failure prevention</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>list of actions to be taken once information system component failure is
-                     detected</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for MTTF activities</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with contingency planning responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing MTTF</p>
-                  <p>automated mechanisms supporting and/or implementing transparent installation of
-                     standby components</p>
-                  <p>automated mechanisms supporting and/or implementing alarms or system shutdown
-                     if component failures are detected</p>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-13.5">
-            <title>Failover Capability</title>
-            <param id="si-13.5_prm_1">
-               <select>
-                  <choice>real-time</choice>
-                  <choice>near real-time</choice>
-               </select>
-            </param>
-            <param id="si-13.5_prm_2">
-               <label>organization-defined failover capability</label>
-            </param>
-            <prop name="label">SI-13(5)</prop>
-            <prop name="sort-id">si-13.05</prop>
-            <part id="si-13.5_smt" name="statement">
-               <p>The organization provides <insert param-id="si-13.5_prm_1"/>
-                  <insert param-id="si-13.5_prm_2"/> for the information system.</p>
-            </part>
-            <part id="si-13.5_gdn" name="guidance">
-               <p>Failover refers to the automatic switchover to an alternate information system
-                  upon the failure of the primary information system. Failover capability includes,
-                  for example, incorporating mirrored information system operations at alternate
-                  processing sites or periodic data mirroring at regular intervals defined by
-                  recovery time periods of organizations.</p>
-            </part>
-            <part id="si-13.5_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-13.5_obj.1" name="objective">
-                  <prop name="label">SI-13(5)[1]</prop>
-                  <p>defines failover capability to be provided for the information system;</p>
-               </part>
-               <part id="si-13.5_obj.2" name="objective">
-                  <prop name="label">SI-13(5)[2]</prop>
-                  <p>provides one of the following organization-defined failover capabilities for
-                     the information system:</p>
-                  <part id="si-13.5_obj.2.a" name="objective">
-                     <prop name="label">SI-13(5)[2][a]</prop>
-                     <p>real-time failover capability; and/or</p>
-                  </part>
-                  <part id="si-13.5_obj.2.b" name="objective">
-                     <prop name="label">SI-13(5)[2][b]</prop>
-                     <p>near real-time failover capability.</p>
-                  </part>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing predictable failure prevention</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>documentation describing failover capability provided for the information
-                     system</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for failover capability</p>
-                  <p>organizational personnel with information security responsibilities</p>
-                  <p>system/network administrators</p>
-                  <p>organizational personnel with contingency planning responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for managing failover capability</p>
-                  <p>automated mechanisms supporting and/or implementing failover capability</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-14">
-         <title>Non-persistence</title>
-         <param id="si-14_prm_1">
-            <label>organization-defined information system components and services</label>
-         </param>
-         <param id="si-14_prm_2">
-            <select how-many="one or more">
-               <choice>upon end of session of use</choice>
-               <choice>periodically at <insert param-id="si-14_prm_3"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-14_prm_3" depends-on="si-14_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-14</prop>
-         <prop name="sort-id">si-14</prop>
-         <part id="si-14_smt" name="statement">
-            <p>The organization implements non-persistent <insert param-id="si-14_prm_1"/> that are
-               initiated in a known state and terminated <insert param-id="si-14_prm_2"/>.</p>
-         </part>
-         <part id="si-14_gdn" name="guidance">
-            <p>This control mitigates risk from advanced persistent threats (APTs) by significantly
-               reducing the targeting capability of adversaries (i.e., window of opportunity and
-               available attack surface) to initiate and complete cyber attacks. By implementing the
-               concept of non-persistence for selected information system components, organizations
-               can provide a known state computing resource for a specific period of time that does
-               not give adversaries sufficient time on target to exploit vulnerabilities in
-               organizational information systems and the environments in which those systems
-               operate. Since the advanced persistent threat is a high-end threat with regard to
-               capability, intent, and targeting, organizations assume that over an extended period
-               of time, a percentage of cyber attacks will be successful. Non-persistent information
-               system components and services are activated as required using protected information
-               and terminated periodically or upon the end of sessions. Non-persistence increases
-               the work factor of adversaries in attempting to compromise or breach organizational
-               information systems. Non-persistent system components can be implemented, for
-               example, by periodically re-imaging components or by using a variety of common
-               virtualization techniques. Non-persistent services can be implemented using
-               virtualization techniques as part of virtual machines or as new instances of
-               processes on physical machines (either persistent or non-persistent).The benefit of
-               periodic refreshes of information system components/services is that it does not
-               require organizations to first determine whether compromises of components or
-               services have occurred (something that may often be difficult for organizations to
-               determine). The refresh of selected information system components and services occurs
-               with sufficient frequency to prevent the spread or intended impact of attacks, but
-               not with such frequency that it makes the information system unstable. In some
-               instances, refreshes of critical components and services may be done periodically in
-               order to hinder the ability of adversaries to exploit optimum windows of
-               vulnerabilities.</p>
-            <link rel="related" href="#sc-30">SC-30</link>
-            <link rel="related" href="#sc-34">SC-34</link>
-         </part>
-         <part id="si-14_obj" name="objective">
-            <p>Determine if the organization:</p>
-            <part id="si-14_obj.1" name="objective">
-               <prop name="label">SI-14[1]</prop>
-               <p>defines non-persistent information system components and services to be
-                  implemented;</p>
-            </part>
-            <part id="si-14_obj.2" name="objective">
-               <prop name="label">SI-14[2]</prop>
-               <part id="si-14_obj.2.a" name="objective">
-                  <prop name="label">SI-14[2][a]</prop>
-                  <p>defines a frequency to terminate non-persistent organization-defined components
-                     and services that are initiated in a known state;</p>
-               </part>
-               <part id="si-14_obj.2.b" name="objective">
-                  <prop name="label">SI-14[2][b]</prop>
-                  <p>implements non-persistent organization-defined information system components
-                     and services that are initiated in a known state and terminated one or more of
-                     the following:</p>
-                  <part id="si-14_obj.2.b.1" name="objective">
-                     <prop name="label">SI-14[2][b][1]</prop>
-                     <p>upon end of session of use; and/or</p>
-                  </part>
-                  <part id="si-14_obj.2.b.2" name="objective">
-                     <prop name="label">SI-14[2][b][2]</prop>
-                     <p>periodically at the organization-defined frequency.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing non-persistence for information system components</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for non-persistence</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing initiation and termination of
-                  non-persistent components</p>
-            </part>
-         </part>
-         <control class="SP800-53-enhancement" id="si-14.1">
-            <title>Refresh from Trusted Sources</title>
-            <param id="si-14.1_prm_1">
-               <label>organization-defined trusted sources</label>
-            </param>
-            <prop name="label">SI-14(1)</prop>
-            <prop name="sort-id">si-14.01</prop>
-            <part id="si-14.1_smt" name="statement">
-               <p>The organization ensures that software and data employed during information system
-                  component and service refreshes are obtained from <insert param-id="si-14.1_prm_1"/>.</p>
-            </part>
-            <part id="si-14.1_gdn" name="guidance">
-               <p>Trusted sources include, for example, software/data from write-once, read-only
-                  media or from selected off-line secure storage facilities.</p>
-            </part>
-            <part id="si-14.1_obj" name="objective">
-               <p>Determine if the organization:</p>
-               <part id="si-14.1_obj.1" name="objective">
-                  <prop name="label">SI-14(1)[1]</prop>
-                  <p>defines trusted sources from which software and data employed during
-                     information system component and service refreshes are to be obtained; and</p>
-               </part>
-               <part id="si-14.1_obj.2" name="objective">
-                  <prop name="label">SI-14(1)[2]</prop>
-                  <p>ensures that software and data employed during information system component and
-                     service refreshes are obtained from organization-defined trusted sources.</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">EXAMINE</prop>
-               <part name="objects">
-                  <p>System and information integrity policy</p>
-                  <p>procedures addressing non-persistence for information system components</p>
-                  <p>information system design documentation</p>
-                  <p>information system configuration settings and associated documentation</p>
-                  <p>information system audit records</p>
-                  <p>other relevant documents or records</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">INTERVIEW</prop>
-               <part name="objects">
-                  <p>Organizational personnel with responsibility for obtaining component and
-                     service refreshes from trusted sources</p>
-                  <p>organizational personnel with information security responsibilities</p>
-               </part>
-            </part>
-            <part name="assessment">
-               <prop name="method">TEST</prop>
-               <part name="objects">
-                  <p>Organizational processes for defining and obtaining component and service
-                     refreshes from trusted sources</p>
-                  <p>automated mechanisms supporting and/or implementing component and service
-                     refreshes</p>
-               </part>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-15">
-         <title>Information Output Filtering</title>
-         <param id="si-15_prm_1">
-            <label>organization-defined software programs and/or applications</label>
-         </param>
-         <prop name="label">SI-15</prop>
-         <prop name="sort-id">si-15</prop>
-         <part id="si-15_smt" name="statement">
-            <p>The information system validates information output from <insert param-id="si-15_prm_1"/> to ensure that the information is consistent with the
-               expected content.</p>
-         </part>
-         <part id="si-15_gdn" name="guidance">
-            <p>Certain types of cyber attacks (e.g., SQL injections) produce output results that are
-               unexpected or inconsistent with the output results that would normally be expected
-               from software programs or applications. This control enhancement focuses on detecting
-               extraneous content, preventing such extraneous content from being displayed, and
-               alerting monitoring tools that anomalous behavior has been discovered.</p>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="si-15_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-15_obj.1" name="objective">
-               <prop name="label">SI-15[1]</prop>
-               <p>the organization defines software programs and/or applications whose information
-                  output requires validation to ensure that the information is consistent with the
-                  expected content; and</p>
-            </part>
-            <part id="si-15_obj.2" name="objective">
-               <prop name="label">SI-15[2]</prop>
-               <p>the information system validates information output from organization-defined
-                  software programs and/or applications to ensure that the information is consistent
-                  with the expected content.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing information output filtering</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for validating information output</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for validating information output</p>
-               <p>automated mechanisms supporting and/or implementing information output
-                  validation</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-16">
-         <title>Memory Protection</title>
-         <param id="si-16_prm_1">
-            <label>organization-defined security safeguards</label>
-         </param>
-         <prop name="label">SI-16</prop>
-         <prop name="sort-id">si-16</prop>
-         <part id="si-16_smt" name="statement">
-            <p>The information system implements <insert param-id="si-16_prm_1"/> to protect its
-               memory from unauthorized code execution.</p>
-         </part>
-         <part id="si-16_gdn" name="guidance">
-            <p>Some adversaries launch attacks with the intent of executing code in non-executable
-               regions of memory or in memory locations that are prohibited. Security safeguards
-               employed to protect memory include, for example, data execution prevention and
-               address space layout randomization. Data execution prevention safeguards can either
-               be hardware-enforced or software-enforced with hardware providing the greater
-               strength of mechanism.</p>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-         </part>
-         <part id="si-16_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-16_obj.1" name="objective">
-               <prop name="label">SI-16[1]</prop>
-               <p>the organization defines security safeguards to be implemented to protect
-                  information system memory from unauthorized code execution; and</p>
-            </part>
-            <part id="si-16_obj.2" name="objective">
-               <prop name="label">SI-16[2]</prop>
-               <p>the information system implements organization-defined security safeguards to
-                  protect its memory from unauthorized code execution.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing memory protection for the information system</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of security safeguards protecting information system memory from unauthorized
-                  code execution</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for memory protection</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Automated mechanisms supporting and/or implementing safeguards to protect
-                  information system memory from unauthorized code execution</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-17">
-         <title>Fail-safe Procedures</title>
-         <param id="si-17_prm_1">
-            <label>organization-defined fail-safe procedures</label>
-         </param>
-         <param id="si-17_prm_2">
-            <label>organization-defined failure conditions occur</label>
-         </param>
-         <prop name="label">SI-17</prop>
-         <prop name="sort-id">si-17</prop>
-         <part id="si-17_smt" name="statement">
-            <p>The information system implements <insert param-id="si-17_prm_1"/> when <insert param-id="si-17_prm_2"/>.</p>
-         </part>
-         <part id="si-17_gdn" name="guidance">
-            <p>Failure conditions include, for example, loss of communications among critical system
-               components or between system components and operational facilities. Fail-safe
-               procedures include, for example, alerting operator personnel and providing specific
-               instructions on subsequent steps to take (e.g., do nothing, reestablish system
-               settings, shut down processes, restart the system, or contact designated
-               organizational personnel).</p>
-            <link rel="related" href="#cp-12">CP-12</link>
-            <link rel="related" href="#cp-13">CP-13</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-            <link rel="related" href="#si-13">SI-13</link>
-         </part>
-         <part id="si-17_obj" name="objective">
-            <p>Determine if:</p>
-            <part id="si-17_obj.1" name="objective">
-               <prop name="label">SI-17[1]</prop>
-               <p>the organization defines fail-safe procedures to be implemented when
-                  organization-defined failure conditions occur;</p>
-            </part>
-            <part id="si-17_obj.2" name="objective">
-               <prop name="label">SI-17[2]</prop>
-               <p>the organization defines failure conditions resulting in organization-defined
-                  fail-safe procedures being implemented when such conditions occur; and</p>
-            </part>
-            <part id="si-17_obj.3" name="objective">
-               <prop name="label">SI-17[3]</prop>
-               <p>the information system implements organization-defined fail-safe procedures when
-                  organization-defined failure conditions occur.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>System and information integrity policy</p>
-               <p>procedures addressing memory protection for the information system</p>
-               <p>information system design documentation</p>
-               <p>information system configuration settings and associated documentation</p>
-               <p>list of security safeguards protecting information system memory from unauthorized
-                  code execution</p>
-               <p>information system audit records</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for fail-safe procedures</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>system/network administrators</p>
-               <p>system developer</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational fail-safe procedures</p>
-               <p>automated mechanisms supporting and/or implementing fail-safe procedures</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pm">
-      <title>Program Management</title>
-      <control class="SP800-53" id="pm-1">
-         <title>Information Security Program Plan</title>
-         <param id="pm-1_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-1</prop>
-         <prop name="sort-id">pm-01</prop>
-         <part id="pm-1_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pm-1_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops and disseminates an organization-wide information security program plan
-                  that:</p>
-               <part id="pm-1_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Provides an overview of the requirements for the security program and a
-                     description of the security program management controls and common controls in
-                     place or planned for meeting those requirements;</p>
-               </part>
-               <part id="pm-1_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Includes the identification and assignment of roles, responsibilities,
-                     management commitment, coordination among organizational entities, and
-                     compliance;</p>
-               </part>
-               <part id="pm-1_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Reflects coordination among organizational entities responsible for the
-                     different aspects of information security (i.e., technical, physical,
-                     personnel, cyber-physical); and</p>
-               </part>
-               <part id="pm-1_smt.a.4" name="item">
-                  <prop name="label">4.</prop>
-                  <p>Is approved by a senior official with responsibility and accountability for the
-                     risk being incurred to organizational operations (including mission, functions,
-                     image, and reputation), organizational assets, individuals, other
-                     organizations, and the Nation;</p>
-               </part>
-            </part>
-            <part id="pm-1_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews the organization-wide information security program plan <insert param-id="pm-1_prm_1"/>;</p>
-            </part>
-            <part id="pm-1_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Updates the plan to address organizational changes and problems identified during
-                  plan implementation or security control assessments; and</p>
-            </part>
-            <part id="pm-1_smt.d" name="item">
-               <prop name="label">d.</prop>
-               <p>Protects the information security program plan from unauthorized disclosure and
-                  modification.</p>
-            </part>
-         </part>
-         <part id="pm-1_gdn" name="guidance">
-            <p>Information security program plans can be represented in single documents or
-               compilations of documents at the discretion of organizations. The plans document the
-               program management controls and organization-defined common controls. Information
-               security program plans provide sufficient information about the program management
-               controls/common controls (including specification of parameters for any assignment
-               and selection statements either explicitly or by reference) to enable implementations
-               that are unambiguously compliant with the intent of the plans and a determination of
-               the risk to be incurred if the plans are implemented as intended. The security plans
-               for individual information systems and the organization-wide information security
-               program plan together, provide complete coverage for all security controls employed
-               within the organization. Common controls are documented in an appendix to the
-               organization’s information security program plan unless the controls are included in
-               a separate security plan for an information system (e.g., security controls employed
-               as part of an intrusion detection system providing organization-wide boundary
-               protection inherited by one or more organizational information systems). The
-               organization-wide information security program plan will indicate which separate
-               security plans contain descriptions of common controls. Organizations have the
-               flexibility to describe common controls in a single document or in multiple
-               documents. In the case of multiple documents, the documents describing common
-               controls are included as attachments to the information security program plan. If the
-               information security program plan contains multiple documents, the organization
-               specifies in each document the organizational official or officials responsible for
-               the development, implementation, assessment, authorization, and monitoring of the
-               respective common controls. For example, the organization may require that the
-               Facilities Management Office develop, implement, assess, authorize, and continuously
-               monitor common physical and environmental protection controls from the PE family when
-               such controls are not associated with a particular information system but instead,
-               support multiple information systems.</p>
-            <link rel="related" href="#pm-8">PM-8</link>
-         </part>
-         <part id="pm-1_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-1.a_obj" name="objective">
-               <prop name="label">PM-1(a)</prop>
-               <p>develops and disseminates an organization-wide information security program plan
-                  that:</p>
-               <part id="pm-1.a.1_obj" name="objective">
-                  <prop name="label">PM-1(a)(1)</prop>
-                  <part id="pm-1.a.1_obj.1" name="objective">
-                     <prop name="label">PM-1(a)(1)[1]</prop>
-                     <p>provides an overview of the requirements for the security program;</p>
-                  </part>
-                  <part id="pm-1.a.1_obj.2" name="objective">
-                     <prop name="label">PM-1(a)(1)[2]</prop>
-                     <p>provides a description of the:</p>
-                     <part id="pm-1.a.1_obj.2.a" name="objective">
-                        <prop name="label">PM-1(a)(1)[2][a]</prop>
-                        <p>security program management controls in place or planned for meeting
-                           those requirements;</p>
-                     </part>
-                     <part id="pm-1.a.1_obj.2.b" name="objective">
-                        <prop name="label">PM-1(a)(1)[2][b]</prop>
-                        <p>common controls in place or planned for meeting those requirements;</p>
-                     </part>
-                  </part>
-               </part>
-               <part id="pm-1.a.2_obj" name="objective">
-                  <prop name="label">PM-1(a)(2)</prop>
-                  <p>includes the identification and assignment of:</p>
-                  <part id="pm-1.a.2_obj.1" name="objective">
-                     <prop name="label">PM-1(a)(2)[1]</prop>
-                     <p>roles;</p>
-                  </part>
-                  <part id="pm-1.a.2_obj.2" name="objective">
-                     <prop name="label">PM-1(a)(2)[2]</prop>
-                     <p>responsibilities;</p>
-                  </part>
-                  <part id="pm-1.a.2_obj.3" name="objective">
-                     <prop name="label">PM-1(a)(2)[3]</prop>
-                     <p>management commitment;</p>
-                  </part>
-                  <part id="pm-1.a.2_obj.4" name="objective">
-                     <prop name="label">PM-1(a)(2)[4]</prop>
-                     <p>coordination among organizational entities;</p>
-                  </part>
-                  <part id="pm-1.a.2_obj.5" name="objective">
-                     <prop name="label">PM-1(a)(2)[5]</prop>
-                     <p>compliance;</p>
-                  </part>
-               </part>
-               <part id="pm-1.a.3_obj" name="objective">
-                  <prop name="label">PM-1(a)(3)</prop>
-                  <p>reflects coordination among organizational entities responsible for the
-                     different aspects of information security (i.e., technical, physical,
-                     personnel, cyber-physical);</p>
-               </part>
-               <part id="pm-1.a.4_obj" name="objective">
-                  <prop name="label">PM-1(a)(4)</prop>
-                  <p>is approved by a senior official with responsibility and accountability for the
-                     risk being incurred to organizational operations, organizational assets,
-                     individuals, other organizations, and the Nation;</p>
-               </part>
-            </part>
-            <part id="pm-1.b_obj" name="objective">
-               <prop name="label">PM-1(b)</prop>
-               <part id="pm-1.b_obj.1" name="objective">
-                  <prop name="label">PM-1(b)[1]</prop>
-                  <p>defines the frequency to review the security program plan for the information
-                     system;</p>
-               </part>
-               <part id="pm-1.b_obj.2" name="objective">
-                  <prop name="label">PM-1(b)[2]</prop>
-                  <p>reviews the organization-wide information security program plan with the
-                     organization-defined frequency;</p>
-               </part>
-            </part>
-            <part id="pm-1.c_obj" name="objective">
-               <prop name="label">PM-1(c)</prop>
-               <p>updates the plan to address organizational:</p>
-               <part id="pm-1.c_obj.1" name="objective">
-                  <prop name="label">PM-1(c)[1]</prop>
-                  <p>changes identified during plan implementation;</p>
-               </part>
-               <part id="pm-1.c_obj.2" name="objective">
-                  <prop name="label">PM-1(c)[2]</prop>
-                  <p>changes identified during security control assessments;</p>
-               </part>
-               <part id="pm-1.c_obj.3" name="objective">
-                  <prop name="label">PM-1(c)[3]</prop>
-                  <p>problems identified during plan implementation;</p>
-               </part>
-               <part id="pm-1.c_obj.4" name="objective">
-                  <prop name="label">PM-1(c)[4]</prop>
-                  <p>problems identified during security control assessments;</p>
-               </part>
-            </part>
-            <part id="pm-1.d_obj" name="objective">
-               <prop name="label">PM-1(d)</prop>
-               <p>protects the information security program plan from unauthorized:</p>
-               <part id="pm-1.d_obj.1" name="objective">
-                  <prop name="label">PM-1(d)[1]</prop>
-                  <p>disclosure; and</p>
-               </part>
-               <part id="pm-1.d_obj.2" name="objective">
-                  <prop name="label">PM-1(d)[2]</prop>
-                  <p>modification.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>procedures addressing program plan development and implementation</p>
-               <p>procedures addressing program plan reviews and updates</p>
-               <p>procedures addressing coordination of the program plan with relevant entities</p>
-               <p>procedures for program plan approvals</p>
-               <p>records of program plan reviews and updates</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information security program plan
-                  development/review/update/approval</p>
-               <p>automated mechanisms supporting and/or implementing the information security
-                  program plan</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-2">
-         <title>Senior Information Security Officer</title>
-         <prop name="label">PM-2</prop>
-         <prop name="sort-id">pm-02</prop>
-         <part id="pm-2_smt" name="statement">
-            <p>The organization appoints a senior information security officer with the mission and
-               resources to coordinate, develop, implement, and maintain an organization-wide
-               information security program.</p>
-         </part>
-         <part id="pm-2_gdn" name="guidance">
-            <p>The security officer described in this control is an organizational official. For a
-               federal agency (as defined in applicable federal laws, Executive Orders, directives,
-               policies, or regulations) this official is the Senior Agency Information Security
-               Officer. Organizations may also refer to this official as the Senior Information
-               Security Officer or Chief Information Security Officer.</p>
-         </part>
-         <part id="pm-2_obj" name="objective">
-            <p>Determine if the organization appoints a senior information security officer with the
-               mission and resources to: </p>
-            <part id="pm-2_obj.1" name="objective">
-               <prop name="label">PM-2[1]</prop>
-               <p>coordinate an organization-wide information security program;</p>
-            </part>
-            <part id="pm-2_obj.2" name="objective">
-               <prop name="label">PM-2[2]</prop>
-               <p>develop an organization-wide information security program;</p>
-            </part>
-            <part id="pm-2_obj.3" name="objective">
-               <prop name="label">PM-2[3]</prop>
-               <p>implement an organization-wide information security program; and</p>
-            </part>
-            <part id="pm-2_obj.4" name="objective">
-               <prop name="label">PM-2[4]</prop>
-               <p>maintain an organization-wide information security program.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>procedures addressing program plan development and implementation</p>
-               <p>procedures addressing program plan reviews and updates</p>
-               <p>procedures addressing coordination of the program plan with relevant entities</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>senior information security officer</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-3">
-         <title>Information Security Resources</title>
-         <prop name="label">PM-3</prop>
-         <prop name="sort-id">pm-03</prop>
-         <link href="#29fcfe59-33cd-494a-8756-5907ae3a8f92" rel="reference">NIST Special Publication 800-65</link>
-         <part id="pm-3_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pm-3_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Ensures that all capital planning and investment requests include the resources
-                  needed to implement the information security program and documents all exceptions
-                  to this requirement;</p>
-            </part>
-            <part id="pm-3_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Employs a business case/Exhibit 300/Exhibit 53 to record the resources required;
-                  and</p>
-            </part>
-            <part id="pm-3_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Ensures that information security resources are available for expenditure as
-                  planned.</p>
-            </part>
-         </part>
-         <part id="pm-3_gdn" name="guidance">
-            <p>Organizations consider establishing champions for information security efforts and as
-               part of including the necessary resources, assign specialized expertise and resources
-               as needed. Organizations may designate and empower an Investment Review Board (or
-               similar group) to manage and provide oversight for the information security-related
-               aspects of the capital planning and investment control process.</p>
-            <link rel="related" href="#pm-4">PM-4</link>
-            <link rel="related" href="#sa-2">SA-2</link>
-         </part>
-         <part id="pm-3_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-3.a_obj" name="objective">
-               <prop name="label">PM-3(a)</prop>
-               <part id="pm-3.a_obj.1" name="objective">
-                  <prop name="label">PM-3(a)[1]</prop>
-                  <p>ensures that all capital planning and investment requests include the resources
-                     needed to implement the information security program plan;</p>
-               </part>
-               <part id="pm-3.a_obj.2" name="objective">
-                  <prop name="label">PM-3(a)[2]</prop>
-                  <p>documents all exceptions to the requirement;</p>
-               </part>
-            </part>
-            <part id="pm-3.b_obj" name="objective">
-               <prop name="label">PM-3(b)</prop>
-               <p>employs a business case/Exhibit 300/Exhibit 53 to record the resources required;
-                  and</p>
-            </part>
-            <part id="pm-3.c_obj" name="objective">
-               <prop name="label">PM-3(c)</prop>
-               <p>ensures that information security resources are available for expenditure as
-                  planned.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>Exhibits 300</p>
-               <p>Exhibits 53</p>
-               <p>business cases for capital planning and investment</p>
-               <p>procedures for capital planning and investment</p>
-               <p>documentation of exceptions to capital planning requirements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning
-                  responsibilities</p>
-               <p>organizational personnel responsible for capital planning and investment</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for capital planning and investment</p>
-               <p>organizational processes for business case/Exhibit 300/Exhibit 53 development</p>
-               <p>automated mechanisms supporting the capital planning and investment process</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-4">
-         <title>Plan of Action and Milestones Process</title>
-         <prop name="label">PM-4</prop>
-         <prop name="sort-id">pm-04</prop>
-         <link href="#2c5884cd-7b96-425c-862a-99877e1cf909" rel="reference">OMB Memorandum 02-01</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <part id="pm-4_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pm-4_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Implements a process for ensuring that plans of action and milestones for the
-                  security program and associated organizational information systems:</p>
-               <part id="pm-4_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Are developed and maintained;</p>
-               </part>
-               <part id="pm-4_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Document the remedial information security actions to adequately respond to
-                     risk to organizational operations and assets, individuals, other organizations,
-                     and the Nation; and</p>
-               </part>
-               <part id="pm-4_smt.a.3" name="item">
-                  <prop name="label">3.</prop>
-                  <p>Are reported in accordance with OMB FISMA reporting requirements.</p>
-               </part>
-            </part>
-            <part id="pm-4_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews plans of action and milestones for consistency with the organizational
-                  risk management strategy and organization-wide priorities for risk response
-                  actions.</p>
-            </part>
-         </part>
-         <part id="pm-4_gdn" name="guidance">
-            <p>The plan of action and milestones is a key document in the information security
-               program and is subject to federal reporting requirements established by OMB. With the
-               increasing emphasis on organization-wide risk management across all three tiers in
-               the risk management hierarchy (i.e., organization, mission/business process, and
-               information system), organizations view plans of action and milestones from an
-               organizational perspective, prioritizing risk response actions and ensuring
-               consistency with the goals and objectives of the organization. Plan of action and
-               milestones updates are based on findings from security control assessments and
-               continuous monitoring activities. OMB FISMA reporting guidance contains instructions
-               regarding organizational plans of action and milestones.</p>
-            <link rel="related" href="#ca-5">CA-5</link>
-         </part>
-         <part id="pm-4_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-4.a_obj" name="objective">
-               <prop name="label">PM-4(a)</prop>
-               <p>implements a process for ensuring that plans of action and milestones for the
-                  security program and associated organizational information systems:</p>
-               <part id="pm-4.a.1_obj" name="objective">
-                  <prop name="label">PM-4(a)(1)</prop>
-                  <part id="pm-4.a.1_obj.1" name="objective">
-                     <prop name="label">PM-4(a)(1)[1]</prop>
-                     <p>are developed;</p>
-                  </part>
-                  <part id="pm-4.a.1_obj.2" name="objective">
-                     <prop name="label">PM-4(a)(1)[2]</prop>
-                     <p>are maintained;</p>
-                  </part>
-               </part>
-               <part id="pm-4.a.2_obj" name="objective">
-                  <prop name="label">PM-4(a)(2)</prop>
-                  <p>document the remedial information security actions to adequately respond to
-                     risk to organizational operations and assets, individuals, other organizations,
-                     and the Nation;</p>
-               </part>
-               <part id="pm-4.a.3_obj" name="objective">
-                  <prop name="label">PM-4(a)(3)</prop>
-                  <p>are reported in accordance with OMB FISMA reporting requirements;</p>
-               </part>
-            </part>
-            <part id="pm-4.b_obj" name="objective">
-               <prop name="label">PM-4(b)</prop>
-               <p>reviews plans of action and milestones for consistency with:</p>
-               <part id="pm-4.b_obj.1" name="objective">
-                  <prop name="label">PM-4(b)[1]</prop>
-                  <p>the organizational risk management strategy; and</p>
-               </part>
-               <part id="pm-4.b_obj.2" name="objective">
-                  <prop name="label">PM-4(b)[2]</prop>
-                  <p>organization-wide priorities for risk response actions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>plans of action and milestones</p>
-               <p>procedures addressing plans of action and milestones development and
-                  maintenance</p>
-               <p>procedures addressing plans of action and milestones reporting</p>
-               <p>procedures for review of plans of action and milestones for consistency with risk
-                  management strategy and risk response priorities</p>
-               <p>results of risk assessments associated with plans of action and milestones</p>
-               <p>OMB FISMA reporting requirements</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing, maintaining,
-                  reviewing, and reporting plans of action and milestones</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for plan of action and milestones development, review,
-                  maintenance, reporting</p>
-               <p>automated mechanisms supporting plans of action and milestones</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-5">
-         <title>Information System Inventory</title>
-         <prop name="label">PM-5</prop>
-         <prop name="sort-id">pm-05</prop>
-         <link href="#9bd19d23-025f-4a47-935e-44810a0552a4" rel="reference">http://www.omb.gov</link>
-         <part id="pm-5_smt" name="statement">
-            <p>The organization develops and maintains an inventory of its information systems.</p>
-         </part>
-         <part id="pm-5_gdn" name="guidance">
-            <p>This control addresses the inventory requirements in FISMA. OMB provides guidance on
-               developing information systems inventories and associated reporting requirements. For
-               specific information system inventory reporting requirements, organizations consult
-               OMB annual FISMA reporting guidance.</p>
-         </part>
-         <part id="pm-5_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-5_obj.1" name="objective">
-               <prop name="label">PM-5[1]</prop>
-               <p>develops an inventory of its information systems; and</p>
-            </part>
-            <part id="pm-5_obj.2" name="objective">
-               <prop name="label">PM-5[2]</prop>
-               <p>maintains the inventory of its information systems.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>information system inventory</p>
-               <p>procedures addressing information system inventory development and maintenance</p>
-               <p>OMB FISMA reporting guidance</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for developing and maintaining the
-                  information system inventory</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for information system inventory development and
-                  maintenance</p>
-               <p>automated mechanisms supporting the information system inventory</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-6">
-         <title>Information Security Measures of Performance</title>
-         <prop name="label">PM-6</prop>
-         <prop name="sort-id">pm-06</prop>
-         <link href="#83c261f0-e7a1-49f8-95ac-2ab2517644bc" rel="reference">NIST Special Publication 800-55</link>
-         <part id="pm-6_smt" name="statement">
-            <p>The organization develops, monitors, and reports on the results of information
-               security measures of performance.</p>
-         </part>
-         <part id="pm-6_gdn" name="guidance">
-            <p>Measures of performance are outcome-based metrics used by an organization to measure
-               the effectiveness or efficiency of the information security program and the security
-               controls employed in support of the program.</p>
-         </part>
-         <part id="pm-6_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-6_obj.1" name="objective">
-               <prop name="label">PM-6[1]</prop>
-               <p>develops information security measures of performance;</p>
-            </part>
-            <part id="pm-6_obj.2" name="objective">
-               <prop name="label">PM-6[2]</prop>
-               <p>monitors information security measures of performance; and</p>
-            </part>
-            <part id="pm-6_obj.3" name="objective">
-               <prop name="label">PM-6[3]</prop>
-               <p>reports information security measures of performance.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>information security measures of performance</p>
-               <p>procedures addressing development, monitoring, and reporting of information
-                  security measures of performance</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for developing, monitoring, and reporting
-                  information security measures of performance</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing, monitoring, and reporting information
-                  security measures of performance</p>
-               <p>automated mechanisms supporting the development, monitoring, and reporting of
-                  information security measures of performance</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-7">
-         <title>Enterprise Architecture</title>
-         <prop name="label">PM-7</prop>
-         <prop name="sort-id">pm-07</prop>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <part id="pm-7_smt" name="statement">
-            <p>The organization develops an enterprise architecture with consideration for
-               information security and the resulting risk to organizational operations,
-               organizational assets, individuals, other organizations, and the Nation.</p>
-         </part>
-         <part id="pm-7_gdn" name="guidance">
-            <p>The enterprise architecture developed by the organization is aligned with the Federal
-               Enterprise Architecture. The integration of information security requirements and
-               associated security controls into the organization’s enterprise architecture helps to
-               ensure that security considerations are addressed by organizations early in the
-               system development life cycle and are directly and explicitly related to the
-               organization’s mission/business processes. This process of security requirements
-               integration also embeds into the enterprise architecture, an integral information
-               security architecture consistent with organizational risk management and information
-               security strategies. For PM-7, the information security architecture is developed at
-               a system-of-systems level (organization-wide), representing all of the organizational
-               information systems. For PL-8, the information security architecture is developed at
-               a level representing an individual information system but at the same time, is
-               consistent with the information security architecture defined for the organization.
-               Security requirements and security control integration are most effectively
-               accomplished through the application of the Risk Management Framework and supporting
-               security standards and guidelines. The Federal Segment Architecture Methodology
-               provides guidance on integrating information security requirements and security
-               controls into enterprise architectures.</p>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <link rel="related" href="#pl-8">PL-8</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-         </part>
-         <part id="pm-7_obj" name="objective">
-            <p>Determine if the organization develops an enterprise architecture with consideration
-               for: </p>
-            <part id="pm-7_obj.1" name="objective">
-               <prop name="label">PM-7[1]</prop>
-               <p>information security; and</p>
-            </part>
-            <part id="pm-7_obj.2" name="objective">
-               <prop name="label">PM-7[2]</prop>
-               <p>the resulting risk to organizational operations, organizational assets,
-                  individuals, other organizations, and the Nation.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>enterprise architecture documentation</p>
-               <p>procedures addressing enterprise architecture development</p>
-               <p>results of risk assessment of enterprise architecture</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for developing enterprise architecture</p>
-               <p>organizational personnel responsible for risk assessment of enterprise
-                  architecture</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for enterprise architecture development</p>
-               <p>automated mechanisms supporting the enterprise architecture and its
-                  development</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-8">
-         <title>Critical Infrastructure Plan</title>
-         <prop name="label">PM-8</prop>
-         <prop name="sort-id">pm-08</prop>
-         <link href="#9680884b-55b7-4015-a5d7-dcb7392cb412" rel="reference">HSPD 7</link>
-         <link href="#bd0c544a-57de-458c-9bbe-6ceac27867c8" rel="reference">National Infrastructure Protection Plan</link>
-         <part id="pm-8_smt" name="statement">
-            <p>The organization addresses information security issues in the development,
-               documentation, and updating of a critical infrastructure and key resources protection
-               plan.</p>
-         </part>
-         <part id="pm-8_gdn" name="guidance">
-            <p>Protection strategies are based on the prioritization of critical assets and
-               resources. The requirement and guidance for defining critical infrastructure and key
-               resources and for preparing an associated critical infrastructure protection plan are
-               found in applicable federal laws, Executive Orders, directives, policies,
-               regulations, standards, and guidance.</p>
-            <link rel="related" href="#pm-1">PM-1</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <link rel="related" href="#pm-11">PM-11</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pm-8_obj" name="objective">
-            <p>Determine if the organization addresses information security issues in the: </p>
-            <part id="pm-8_obj.1" name="objective">
-               <prop name="label">PM-8[1]</prop>
-               <p>development of a critical infrastructure and key resources protection plan;</p>
-            </part>
-            <part id="pm-8_obj.2" name="objective">
-               <prop name="label">PM-8[2]</prop>
-               <p>documentation of a critical infrastructure and key resources protection plan;
-                  and</p>
-            </part>
-            <part id="pm-8_obj.3" name="objective">
-               <prop name="label">PM-8[3]</prop>
-               <p>updating of the critical infrastructure and key resources protection plan.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>critical infrastructure and key resources protection plan</p>
-               <p>procedures addressing development, documentation, and updating of the critical
-                  infrastructure and key resources protection plan</p>
-               <p>HSPD 7</p>
-               <p>National Infrastructure Protection Plan</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for developing, documenting, and updating the
-                  critical infrastructure and key resources protection plan</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for developing, documenting, and updating the critical
-                  infrastructure and key resources protection plan</p>
-               <p>automated mechanisms supporting the development, documentation, and updating of
-                  the critical infrastructure and key resources protection plan</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-9">
-         <title>Risk Management Strategy</title>
-         <param id="pm-9_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-9</prop>
-         <prop name="sort-id">pm-09</prop>
-         <link href="#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15" rel="reference">NIST Special Publication 800-30</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <part id="pm-9_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pm-9_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Develops a comprehensive strategy to manage risk to organizational operations and
-                  assets, individuals, other organizations, and the Nation associated with the
-                  operation and use of information systems;</p>
-            </part>
-            <part id="pm-9_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Implements the risk management strategy consistently across the organization;
-                  and</p>
-            </part>
-            <part id="pm-9_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Reviews and updates the risk management strategy <insert param-id="pm-9_prm_1"/>
-                  or as required, to address organizational changes.</p>
-            </part>
-         </part>
-         <part id="pm-9_gdn" name="guidance">
-            <p>An organization-wide risk management strategy includes, for example, an unambiguous
-               expression of the risk tolerance for the organization, acceptable risk assessment
-               methodologies, risk mitigation strategies, a process for consistently evaluating risk
-               across the organization with respect to the organization’s risk tolerance, and
-               approaches for monitoring risk over time. The use of a risk executive function can
-               facilitate consistent, organization-wide application of the risk management strategy.
-               The organization-wide risk management strategy can be informed by risk-related inputs
-               from other sources both internal and external to the organization to ensure the
-               strategy is both broad-based and comprehensive.</p>
-            <link rel="related" href="#ra-3">RA-3</link>
-         </part>
-         <part id="pm-9_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-9.a_obj" name="objective">
-               <prop name="label">PM-9(a)</prop>
-               <p>develops a comprehensive strategy to manage risk to organizational operations and
-                  assets, individuals, other organizations, and the Nation associated with the
-                  operation and use of information systems;</p>
-            </part>
-            <part id="pm-9.b_obj" name="objective">
-               <prop name="label">PM-9(b)</prop>
-               <p>implements the risk management strategy consistently across the organization;</p>
-            </part>
-            <part id="pm-9.c_obj" name="objective">
-               <prop name="label">PM-9(c)</prop>
-               <part id="pm-9.c_obj.1" name="objective">
-                  <prop name="label">PM-9(c)[1]</prop>
-                  <p>defines the frequency to review and update the risk management strategy;</p>
-               </part>
-               <part id="pm-9.c_obj.2" name="objective">
-                  <prop name="label">PM-9(c)[2]</prop>
-                  <p>reviews and updates the risk management strategy to address organizational
-                     changes:</p>
-                  <part id="pm-9.c_obj.2.a" name="objective">
-                     <prop name="label">PM-9(c)[2][a]</prop>
-                     <p>with the organization-defined frequency; or</p>
-                  </part>
-                  <part id="pm-9.c_obj.2.b" name="objective">
-                     <prop name="label">PM-9(c)[2][b]</prop>
-                     <p>as required.</p>
-                  </part>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>risk management strategy</p>
-               <p>procedures addressing development, implementation, review, and update of the risk
-                  management strategy</p>
-               <p>risk assessment results relevant to the risk management strategy</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for development, implementation, review, and
-                  update of the risk management strategy</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for development, implementation, review, and update of
-                  the risk management strategy</p>
-               <p>automated mechanisms supporting the development, implementation, review, and
-                  update of the risk management strategy</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-10">
-         <title>Security Authorization Process</title>
-         <prop name="label">PM-10</prop>
-         <prop name="sort-id">pm-10</prop>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#d480aa6a-7a88-424e-a10c-ad1c7870354b" rel="reference">NIST Special Publication 800-39</link>
-         <part id="pm-10_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pm-10_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Manages (i.e., documents, tracks, and reports) the security state of
-                  organizational information systems and the environments in which those systems
-                  operate through security authorization processes;</p>
-            </part>
-            <part id="pm-10_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Designates individuals to fulfill specific roles and responsibilities within the
-                  organizational risk management process; and</p>
-            </part>
-            <part id="pm-10_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>Fully integrates the security authorization processes into an organization-wide
-                  risk management program.</p>
-            </part>
-         </part>
-         <part id="pm-10_gdn" name="guidance">
-            <p>Security authorization processes for information systems and environments of
-               operation require the implementation of an organization-wide risk management process,
-               a Risk Management Framework, and associated security standards and guidelines.
-               Specific roles within the risk management process include an organizational risk
-               executive (function) and designated authorizing officials for each organizational
-               information system and common control provider. Security authorization processes are
-               integrated with organizational continuous monitoring processes to facilitate ongoing
-               understanding and acceptance of risk to organizational operations and assets,
-               individuals, other organizations, and the Nation.</p>
-            <link rel="related" href="#ca-6">CA-6</link>
-         </part>
-         <part id="pm-10_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-10.a_obj" name="objective">
-               <prop name="label">PM-10(a)</prop>
-               <p>manages (i.e., documents, tracks, and reports) the security state of
-                  organizational information systems and the environments in which those systems
-                  operate through security authorization processes;</p>
-            </part>
-            <part id="pm-10.b_obj" name="objective">
-               <prop name="label">PM-10(b)</prop>
-               <p>designates individuals to fulfill specific roles and responsibilities within the
-                  organizational risk management process; and</p>
-            </part>
-            <part id="pm-10.c_obj" name="objective">
-               <prop name="label">PM-10(c)</prop>
-               <p>fully integrates the security authorization processes into an organization-wide
-                  risk management program.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>procedures addressing management (i.e., documentation, tracking, and reporting) of
-                  the security authorization process</p>
-               <p>security authorization documents</p>
-               <p>lists or other documentation about security authorization process roles and
-                  responsibilities</p>
-               <p>risk assessment results relevant to the security authorization process and the
-                  organization-wide risk management program</p>
-               <p>organizational risk management strategy</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for management of the security authorization
-                  process</p>
-               <p>authorizing officials</p>
-               <p>system owners, senior information security officer</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for security authorization</p>
-               <p>automated mechanisms supporting the security authorization process</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-11">
-         <title>Mission/business Process Definition</title>
-         <prop name="label">PM-11</prop>
-         <prop name="sort-id">pm-11</prop>
-         <link href="#e85cdb3f-7f0a-4083-8639-f13f70d3760b" rel="reference">FIPS Publication 199</link>
-         <link href="#f152844f-b1ef-4836-8729-6277078ebee1" rel="reference">NIST Special Publication 800-60</link>
-         <part id="pm-11_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pm-11_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Defines mission/business processes with consideration for information security and
-                  the resulting risk to organizational operations, organizational assets,
-                  individuals, other organizations, and the Nation; and</p>
-            </part>
-            <part id="pm-11_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Determines information protection needs arising from the defined mission/business
-                  processes and revises the processes as necessary, until achievable protection
-                  needs are obtained.</p>
-            </part>
-         </part>
-         <part id="pm-11_gdn" name="guidance">
-            <p>Information protection needs are technology-independent, required capabilities to
-               counter threats to organizations, individuals, or the Nation through the compromise
-               of information (i.e., loss of confidentiality, integrity, or availability).
-               Information protection needs are derived from the mission/business needs defined by
-               the organization, the mission/business processes selected to meet the stated needs,
-               and the organizational risk management strategy. Information protection needs
-               determine the required security controls for the organization and the associated
-               information systems supporting the mission/business processes. Inherent in defining
-               an organization’s information protection needs is an understanding of the level of
-               adverse impact that could result if a compromise of information occurs. The security
-               categorization process is used to make such potential impact determinations.
-               Mission/business process definitions and associated information protection
-               requirements are documented by the organization in accordance with organizational
-               policy and procedure.</p>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <link rel="related" href="#ra-2">RA-2</link>
-         </part>
-         <part id="pm-11_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-11.a_obj" name="objective">
-               <prop name="label">PM-11(a)</prop>
-               <p>defines mission/business processes with consideration for information security and
-                  the resulting risk to organizational operations, organizational assets,
-                  individuals, other organizations, and the Nation;</p>
-            </part>
-            <part id="pm-11.b_obj" name="objective">
-               <prop name="label">PM-11(b)</prop>
-               <part id="pm-11.b_obj.1" name="objective">
-                  <prop name="label">PM-11(b)[1]</prop>
-                  <p>determines information protection needs arising from the defined
-                     mission/business process; and</p>
-               </part>
-               <part id="pm-11.b_obj.2" name="objective">
-                  <prop name="label">PM-11(b)[2]</prop>
-                  <p>revises the processes as necessary until achievable protection needs are
-                     obtained.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>risk management strategy</p>
-               <p>procedures for determining mission/business protection needs</p>
-               <p>risk assessment results relevant to determination of mission/business protection
-                  needs</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for mission/business processes</p>
-               <p>organizational personnel responsible for determining information protection needs
-                  for mission/business processes</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for defining mission/business processes and their
-                  information protection needs</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-12">
-         <title>Insider Threat Program</title>
-         <prop name="label">PM-12</prop>
-         <prop name="sort-id">pm-12</prop>
-         <link href="#c5034e0c-eba6-4ecd-a541-79f0678f4ba4" rel="reference">Executive Order 13587</link>
-         <part id="pm-12_smt" name="statement">
-            <p>The organization implements an insider threat program that includes a
-               cross-discipline insider threat incident handling team.</p>
-         </part>
-         <part id="pm-12_gdn" name="guidance">
-            <p>Organizations handling classified information are required, under Executive Order
-               13587 and the National Policy on Insider Threat, to establish insider threat
-               programs. The standards and guidelines that apply to insider threat programs in
-               classified environments can also be employed effectively to improve the security of
-               Controlled Unclassified Information in non-national security systems. Insider threat
-               programs include security controls to detect and prevent malicious insider activity
-               through the centralized integration and analysis of both technical and non-technical
-               information to identify potential insider threat concerns. A senior organizational
-               official is designated by the department/agency head as the responsible individual to
-               implement and provide oversight for the program. In addition to the centralized
-               integration and analysis capability, insider threat programs as a minimum, prepare
-               department/agency insider threat policies and implementation plans, conduct
-               host-based user monitoring of individual employee activities on government-owned
-               classified computers, provide insider threat awareness training to employees, receive
-               access to information from all offices within the department/agency (e.g., human
-               resources, legal, physical security, personnel security, information technology,
-               information system security, and law enforcement) for insider threat analysis, and
-               conduct self-assessments of department/agency insider threat posture. Insider threat
-               programs can leverage the existence of incident handling teams organizations may
-               already have in place, such as computer security incident response teams. Human
-               resources records are especially important in this effort, as there is compelling
-               evidence to show that some types of insider crimes are often preceded by nontechnical
-               behaviors in the workplace (e.g., ongoing patterns of disgruntled behavior and
-               conflicts with coworkers and other colleagues). These precursors can better inform
-               and guide organizational officials in more focused, targeted monitoring efforts. The
-               participation of a legal team is important to ensure that all monitoring activities
-               are performed in accordance with appropriate legislation, directives, regulations,
-               policies, standards, and guidelines.</p>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#au-13">AU-13</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <link rel="related" href="#ps-5">PS-5</link>
-            <link rel="related" href="#ps-8">PS-8</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-38">SC-38</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#pm-1">PM-1</link>
-            <link rel="related" href="#pm-14">PM-14</link>
-         </part>
-         <part id="pm-12_obj" name="objective">
-            <p>Determine if the organization implements an insider threat program that includes a
-               cross-discipline insider threat incident handling team. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>insider threat program documentation</p>
-               <p>procedures for the insider threat program</p>
-               <p>risk assessment results relevant to insider threats</p>
-               <p>list or other documentation on the cross-discipline insider threat incident
-                  handling team</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for the insider threat program</p>
-               <p>members of the cross-discipline insider threat incident handling team</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for implementing the insider threat program and the
-                  cross-discipline insider threat incident handling team</p>
-               <p>automated mechanisms supporting and/or implementing the insider threat program and
-                  the cross-discipline insider threat incident handling team</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-13">
-         <title>Information Security Workforce</title>
-         <prop name="label">PM-13</prop>
-         <prop name="sort-id">pm-13</prop>
-         <part id="pm-13_smt" name="statement">
-            <p>The organization establishes an information security workforce development and
-               improvement program.</p>
-         </part>
-         <part id="pm-13_gdn" name="guidance">
-            <p>Information security workforce development and improvement programs include, for
-               example: (i) defining the knowledge and skill levels needed to perform information
-               security duties and tasks; (ii) developing role-based training programs for
-               individuals assigned information security roles and responsibilities; and (iii)
-               providing standards for measuring and building individual qualifications for
-               incumbents and applicants for information security-related positions. Such workforce
-               programs can also include associated information security career paths to encourage:
-               (i) information security professionals to advance in the field and fill positions
-               with greater responsibility; and (ii) organizations to fill information
-               security-related positions with qualified personnel. Information security workforce
-               development and improvement programs are complementary to organizational security
-               awareness and training programs. Information security workforce development and
-               improvement programs focus on developing and institutionalizing core information
-               security capabilities of selected personnel needed to protect organizational
-               operations, assets, and individuals.</p>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-         </part>
-         <part id="pm-13_obj" name="objective">
-            <p>Determine if the organization establishes an information security workforce
-               development and improvement program. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>information security workforce development and improvement program
-                  documentation</p>
-               <p>procedures for the information security workforce development and improvement
-                  program</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for the information security workforce
-                  development and improvement program</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for implementing information security workforce
-                  development and improvement program</p>
-               <p>automated mechanisms supporting and/or implementing the information security
-                  workforce development and improvement program</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-14">
-         <title>Testing, Training, and Monitoring</title>
-         <prop name="label">PM-14</prop>
-         <prop name="sort-id">pm-14</prop>
-         <link href="#825438c3-248d-4e30-a51e-246473ce6ada" rel="reference">NIST Special Publication 800-16</link>
-         <link href="#0a0c26b6-fd44-4274-8b36-93442d49d998" rel="reference">NIST Special Publication 800-37</link>
-         <link href="#cd4cf751-3312-4a55-b1a9-fad2f1db9119" rel="reference">NIST Special Publication 800-53A</link>
-         <link href="#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b" rel="reference">NIST Special Publication 800-137</link>
-         <part id="pm-14_smt" name="statement">
-            <p>The organization:</p>
-            <part id="pm-14_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>Implements a process for ensuring that organizational plans for conducting
-                  security testing, training, and monitoring activities associated with
-                  organizational information systems:</p>
-               <part id="pm-14_smt.a.1" name="item">
-                  <prop name="label">1.</prop>
-                  <p>Are developed and maintained; and</p>
-               </part>
-               <part id="pm-14_smt.a.2" name="item">
-                  <prop name="label">2.</prop>
-                  <p>Continue to be executed in a timely manner;</p>
-               </part>
-            </part>
-            <part id="pm-14_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>Reviews testing, training, and monitoring plans for consistency with the
-                  organizational risk management strategy and organization-wide priorities for risk
-                  response actions.</p>
-            </part>
-         </part>
-         <part id="pm-14_gdn" name="guidance">
-            <p>This control ensures that organizations provide oversight for the security testing,
-               training, and monitoring activities conducted organization-wide and that those
-               activities are coordinated. With the importance of continuous monitoring programs,
-               the implementation of information security across the three tiers of the risk
-               management hierarchy, and the widespread use of common controls, organizations
-               coordinate and consolidate the testing and monitoring activities that are routinely
-               conducted as part of ongoing organizational assessments supporting a variety of
-               security controls. Security training activities, while typically focused on
-               individual information systems and specific roles, also necessitate coordination
-               across all organizational elements. Testing, training, and monitoring plans and
-               activities are informed by current threat and vulnerability assessments.</p>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-         </part>
-         <part id="pm-14_obj" name="objective">
-            <p>Determine if the organization: </p>
-            <part id="pm-14.a_obj" name="objective">
-               <prop name="label">PM-14(a)</prop>
-               <p>implements a process for ensuring that organizational plans for conducting
-                  security testing, training, and monitoring activities associated with
-                  organizational information systems:</p>
-               <part id="pm-14.a.1_obj" name="objective">
-                  <prop name="label">PM-14(a)(1)</prop>
-                  <part id="pm-14.a.1_obj.1" name="objective">
-                     <prop name="label">PM-14(a)(1)[1]</prop>
-                     <p>are developed;</p>
-                  </part>
-                  <part id="pm-14.a.1_obj.2" name="objective">
-                     <prop name="label">PM-14(a)(1)[2]</prop>
-                     <p>are maintained;</p>
-                  </part>
-               </part>
-               <part id="pm-14.a.2_obj" name="objective">
-                  <prop name="label">PM-14(a)(2)</prop>
-                  <p>continue to be executed in a timely manner;</p>
-               </part>
-            </part>
-            <part id="pm-14.b_obj" name="objective">
-               <prop name="label">PM-14(b)</prop>
-               <p>reviews testing, training, and monitoring plans for consistency with:</p>
-               <part id="pm-14.b_obj.1" name="objective">
-                  <prop name="label">PM-14(b)[1]</prop>
-                  <p>the organizational risk management strategy; and</p>
-               </part>
-               <part id="pm-14.b_obj.2" name="objective">
-                  <prop name="label">PM-14(b)[2]</prop>
-                  <p>organization-wide priorities for risk response actions.</p>
-               </part>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>plans for conducting security testing, training, and monitoring activities</p>
-               <p>organizational procedures addressing development and maintenance of plans for
-                  conducting security testing, training, and monitoring activities</p>
-               <p>risk management strategy</p>
-               <p>procedures for review of plans for conducting security testing, training, and
-                  monitoring activities for consistency with risk management strategy and risk
-                  response priorities</p>
-               <p>results of risk assessments associated with conducting security testing, training,
-                  and monitoring activities</p>
-               <p>evidence that plans for conducting security testing, training, and monitoring
-                  activities are executed in a timely manner</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with responsibility for developing and maintaining plans
-                  for conducting security testing, training, and monitoring activities</p>
-               <p>organizational personnel with information security responsibilities</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for development and maintenance of plans for conducting
-                  security testing, training, and monitoring activities</p>
-               <p>automated mechanisms supporting development and maintenance of plans for
-                  conducting security testing, training, and monitoring activities</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-15">
-         <title>Contacts with Security Groups and Associations</title>
-         <prop name="label">PM-15</prop>
-         <prop name="sort-id">pm-15</prop>
-         <part id="pm-15_smt" name="statement">
-            <p>The organization establishes and institutionalizes contact with selected groups and
-               associations within the security community:</p>
-            <part id="pm-15_smt.a" name="item">
-               <prop name="label">a.</prop>
-               <p>To facilitate ongoing security education and training for organizational
-                  personnel;</p>
-            </part>
-            <part id="pm-15_smt.b" name="item">
-               <prop name="label">b.</prop>
-               <p>To maintain currency with recommended security practices, techniques, and
-                  technologies; and</p>
-            </part>
-            <part id="pm-15_smt.c" name="item">
-               <prop name="label">c.</prop>
-               <p>To share current security-related information including threats, vulnerabilities,
-                  and incidents.</p>
-            </part>
-         </part>
-         <part id="pm-15_gdn" name="guidance">
-            <p>Ongoing contact with security groups and associations is of paramount importance in
-               an environment of rapidly changing technologies and threats. Security groups and
-               associations include, for example, special interest groups, forums, professional
-               associations, news groups, and/or peer groups of security professionals in similar
-               organizations. Organizations select groups and associations based on organizational
-               missions/business functions. Organizations share threat, vulnerability, and incident
-               information consistent with applicable federal laws, Executive Orders, directives,
-               policies, regulations, standards, and guidance.</p>
-            <link rel="related" href="#si-5">SI-5</link>
-         </part>
-         <part id="pm-15_obj" name="objective">
-            <p>Determine if the organization establishes and institutionalizes contact with selected
-               groups and associations with the security community to: </p>
-            <part id="pm-15.a_obj" name="objective">
-               <prop name="label">PM-15(a)</prop>
-               <p>facilitate ongoing security education and training for organizational
-                  personnel;</p>
-            </part>
-            <part id="pm-15.b_obj" name="objective">
-               <prop name="label">PM-15(b)</prop>
-               <p>maintain currency with recommended security practices, techniques, and
-                  technologies; and</p>
-            </part>
-            <part id="pm-15.c_obj" name="objective">
-               <prop name="label">PM-15(c)</prop>
-               <p>share current security-related information including threats, vulnerabilities, and
-                  incidents.</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>risk management strategy</p>
-               <p>procedures for contacts with security groups and associations</p>
-               <p>evidence of established and institutionalized contact with security groups and
-                  associations</p>
-               <p>lists or other documentation about contact with and/or membership in security
-                  groups and associations</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for establishing and institutionalizing
-                  contact with security groups and associations</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel from selected groups and associations with which the organization has
-                  established and institutionalized contact</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for establishing and institutionalizing contact with
-                  security groups and associations</p>
-               <p>automated mechanisms supporting contacts with security groups and associations</p>
-            </part>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-16">
-         <title>Threat Awareness Program</title>
-         <prop name="label">PM-16</prop>
-         <prop name="sort-id">pm-16</prop>
-         <part id="pm-16_smt" name="statement">
-            <p>The organization implements a threat awareness program that includes a
-               cross-organization information-sharing capability.</p>
-         </part>
-         <part id="pm-16_gdn" name="guidance">
-            <p>Because of the constantly changing and increasing sophistication of adversaries,
-               especially the advanced persistent threat (APT), it is becoming more likely that
-               adversaries may successfully breach or compromise organizational information systems.
-               One of the best techniques to address this concern is for organizations to share
-               threat information. This can include, for example, sharing threat events (i.e.,
-               tactics, techniques, and procedures) that organizations have experienced, mitigations
-               that organizations have found are effective against certain types of threats, threat
-               intelligence (i.e., indications and warnings about threats that are likely to occur).
-               Threat information sharing may be bilateral (e.g., government-commercial
-               cooperatives, government-government cooperatives), or multilateral (e.g.,
-               organizations taking part in threat-sharing consortia). Threat information may be
-               highly sensitive requiring special agreements and protection, or less sensitive and
-               freely shared.</p>
-            <link rel="related" href="#pm-12">PM-12</link>
-            <link rel="related" href="#pm-16">PM-16</link>
-         </part>
-         <part id="pm-16_obj" name="objective">
-            <p>Determine if the organization implements a threat awareness program that includes a
-               cross-organization information-sharing capability. </p>
-         </part>
-         <part name="assessment">
-            <prop name="method">EXAMINE</prop>
-            <part name="objects">
-               <p>Information security program plan</p>
-               <p>threat awareness program documentation</p>
-               <p>procedures for the threat awareness program</p>
-               <p>risk assessment results relevant to threat awareness</p>
-               <p>list or other documentation on the cross-organization information-sharing
-                  capability</p>
-               <p>other relevant documents or records</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">INTERVIEW</prop>
-            <part name="objects">
-               <p>Organizational personnel with information security program planning and plan
-                  implementation responsibilities</p>
-               <p>organizational personnel responsible for the threat awareness program</p>
-               <p>organizational personnel with responsibility for the cross-organization
-                  information-sharing capability</p>
-               <p>organizational personnel with information security responsibilities</p>
-               <p>personnel with whom threat awareness information is shared by the organization</p>
-            </part>
-         </part>
-         <part name="assessment">
-            <prop name="method">TEST</prop>
-            <part name="objects">
-               <p>Organizational processes for implementing the threat awareness program</p>
-               <p>Organizational processes for implementing the cross-organization
-                  information-sharing capability</p>
-               <p>automated mechanisms supporting and/or implementing the threat awareness
-                  program</p>
-               <p>automated mechanisms supporting and/or implementing the cross-organization
-                  information-sharing capability</p>
-            </part>
-         </part>
-      </control>
-   </group>
-   <back-matter>
-      <resource uuid="0c97e60b-325a-4efa-ba2b-90f20ccd5abc">
-         <title>5 C.F.R. 731.106</title>
-         <citation>
-            <text>Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106,
-               Designation of Public Trust Positions and Investigative Requirements (5 C.F.R.
-               731.106).</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html"/>
-      </resource>
-      <resource uuid="bb61234b-46c3-4211-8c2b-9869222a720d">
-         <title>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</title>
-         <citation>
-            <text>C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)</text>
-         </citation>
-         <rlink href="http://www.gpo.gov/fdsys/granule/CFR-2009-title5-vol2/CFR-2009-title5-vol2-sec930-301/content-detail.html"/>
-      </resource>
-      <resource uuid="a4aa9645-9a8a-4b51-90a9-e223250f9a75">
-         <title>CNSS Policy 15</title>
-         <citation>
-            <text>CNSS Policy 15</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/policies.html"/>
-      </resource>
-      <resource uuid="2d8b14e9-c8b5-4d3d-8bdc-155078f3281b">
-         <title>DoD Information Assurance Vulnerability Alerts</title>
-         <citation>
-            <text>DoD Information Assurance Vulnerability Alerts</text>
-         </citation>
-      </resource>
-      <resource uuid="61081e7f-041d-4033-96a7-44a439071683">
-         <title>DoD Instruction 5200.39</title>
-         <citation>
-            <text>DoD Instruction 5200.39</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="e42b2099-3e1c-415b-952c-61c96533c12e">
-         <title>DoD Instruction 8551.01</title>
-         <citation>
-            <text>DoD Instruction 8551.01</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="e6522953-6714-435d-a0d3-140df554c186">
-         <title>DoD Instruction 8552.01</title>
-         <citation>
-            <text>DoD Instruction 8552.01</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/whs/directives/corres/ins1.html"/>
-      </resource>
-      <resource uuid="c5034e0c-eba6-4ecd-a541-79f0678f4ba4">
-         <title>Executive Order 13587</title>
-         <citation>
-            <text>Executive Order 13587</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"/>
-      </resource>
-      <resource uuid="56d671da-6b7b-4abf-8296-84b61980390a">
-         <title>Federal Acquisition Regulation</title>
-         <citation>
-            <text>Federal Acquisition Regulation</text>
-         </citation>
-         <rlink href="https://acquisition.gov/far"/>
-      </resource>
-      <resource uuid="023104bc-6f75-4cd5-b7d0-fc92326f8007">
-         <title>Federal Continuity Directive 1</title>
-         <citation>
-            <text>Federal Continuity Directive 1</text>
-         </citation>
-         <rlink href="http://www.fema.gov/pdf/about/offices/fcd1.pdf"/>
-      </resource>
-      <resource uuid="ba557c91-ba3e-4792-adc6-a4ae479b39ff">
-         <title>FICAM Roadmap and Implementation Guidance</title>
-         <citation>
-            <text>FICAM Roadmap and Implementation Guidance</text>
-         </citation>
-         <rlink href="http://www.idmanagement.gov/documents/ficam-roadmap-and-implementation-guidance"/>
-      </resource>
-      <resource uuid="39f9087d-7687-46d2-8eda-b6f4b7a4d8a9">
-         <title>FIPS Publication 140</title>
-         <citation>
-            <text>FIPS Publication 140</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html"/>
-      </resource>
-      <resource uuid="d715b234-9b5b-4e07-b1ed-99836727664d">
-         <title>FIPS Publication 140-2</title>
-         <citation>
-            <text>FIPS Publication 140-2</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#140-2"/>
-      </resource>
-      <resource uuid="f2dbd4ec-c413-4714-b85b-6b7184d1c195">
-         <title>FIPS Publication 197</title>
-         <citation>
-            <text>FIPS Publication 197</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#197"/>
-      </resource>
-      <resource uuid="e85cdb3f-7f0a-4083-8639-f13f70d3760b">
-         <title>FIPS Publication 199</title>
-         <citation>
-            <text>FIPS Publication 199</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#199"/>
-      </resource>
-      <resource uuid="aba82822-b6e6-4abe-af2e-3fdd68f0bcf8">
-         <title>FIPS Publication 200</title>
-         <citation>
-            <text>FIPS Publication 200</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#200"/>
-      </resource>
-      <resource uuid="c80c10b3-1294-4984-a4cc-d1733ca432b9">
-         <title>FIPS Publication 201</title>
-         <citation>
-            <text>FIPS Publication 201</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsFIPS.html#201"/>
-      </resource>
-      <resource uuid="ad733a42-a7ed-4774-b988-4930c28852f3">
-         <title>HSPD-12</title>
-         <citation>
-            <text>HSPD-12</text>
-         </citation>
-         <rlink href="http://www.dhs.gov/homeland-security-presidential-directive-12"/>
-      </resource>
-      <resource uuid="9680884b-55b7-4015-a5d7-dcb7392cb412">
-         <title>HSPD 7</title>
-         <citation>
-            <text>HSPD 7</text>
-         </citation>
-         <rlink href="http://www.fas.org/irp/offdocs/nspd/hspd-7.html"/>
-      </resource>
-      <resource uuid="4ef539ba-b767-4666-b0d3-168c53005fa3">
-         <title>http://capec.mitre.org</title>
-         <citation>
-            <text>http://capec.mitre.org</text>
-         </citation>
-         <rlink href="http://capec.mitre.org"/>
-      </resource>
-      <resource uuid="e95dd121-2733-413e-bf1e-f1eb49f20a98">
-         <title>http://checklists.nist.gov</title>
-         <citation>
-            <text>http://checklists.nist.gov</text>
-         </citation>
-         <rlink href="http://checklists.nist.gov"/>
-      </resource>
-      <resource uuid="6a1041fc-054e-4230-946b-2e6f4f3731bb">
-         <title>http://csrc.nist.gov/cryptval</title>
-         <citation>
-            <text>http://csrc.nist.gov/cryptval</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/cryptval"/>
-      </resource>
-      <resource uuid="b09d1a31-d3c9-4138-a4f4-4c63816afd7d">
-         <title>http://csrc.nist.gov/groups/STM/cmvp/index.html</title>
-         <citation>
-            <text>http://csrc.nist.gov/groups/STM/cmvp/index.html</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/groups/STM/cmvp/index.html"/>
-      </resource>
-      <resource uuid="0931209f-00ae-4132-b92c-bc645847e8f9">
-         <title>http://cve.mitre.org</title>
-         <citation>
-            <text>http://cve.mitre.org</text>
-         </citation>
-         <rlink href="http://cve.mitre.org"/>
-      </resource>
-      <resource uuid="15522e92-9192-463d-9646-6a01982db8ca">
-         <title>http://cwe.mitre.org</title>
-         <citation>
-            <text>http://cwe.mitre.org</text>
-         </citation>
-         <rlink href="http://cwe.mitre.org"/>
-      </resource>
-      <resource uuid="5ed1f4d5-1494-421b-97ed-39d3c88ab51f">
-         <title>http://fips201ep.cio.gov</title>
-         <citation>
-            <text>http://fips201ep.cio.gov</text>
-         </citation>
-         <rlink href="http://fips201ep.cio.gov"/>
-      </resource>
-      <resource uuid="85280698-0417-489d-b214-12bb935fb939">
-         <title>http://idmanagement.gov</title>
-         <citation>
-            <text>http://idmanagement.gov</text>
-         </citation>
-         <rlink href="http://idmanagement.gov"/>
-      </resource>
-      <resource uuid="275cc052-0f7f-423c-bdb6-ed503dc36228">
-         <title>http://nvd.nist.gov</title>
-         <citation>
-            <text>http://nvd.nist.gov</text>
-         </citation>
-         <rlink href="http://nvd.nist.gov"/>
-      </resource>
-      <resource uuid="bbd50dd1-54ce-4432-959d-63ea564b1bb4">
-         <title>http://www.acquisition.gov/far</title>
-         <citation>
-            <text>http://www.acquisition.gov/far</text>
-         </citation>
-         <rlink href="http://www.acquisition.gov/far"/>
-      </resource>
-      <resource uuid="9b97ed27-3dd6-4f9a-ade5-1b43e9669794">
-         <title>http://www.cnss.gov</title>
-         <citation>
-            <text>http://www.cnss.gov</text>
-         </citation>
-         <rlink href="http://www.cnss.gov"/>
-      </resource>
-      <resource uuid="3ac12e79-f54f-4a63-9f4b-ee4bcd4df604">
-         <title>http://www.dhs.gov/telecommunications-service-priority-tsp</title>
-         <citation>
-            <text>http://www.dhs.gov/telecommunications-service-priority-tsp</text>
-         </citation>
-         <rlink href="http://www.dhs.gov/telecommunications-service-priority-tsp"/>
-      </resource>
-      <resource uuid="c95a9986-3cd6-4a98-931b-ccfc56cb11e5">
-         <title>http://www.niap-ccevs.org</title>
-         <citation>
-            <text>http://www.niap-ccevs.org</text>
-         </citation>
-         <rlink href="http://www.niap-ccevs.org"/>
-      </resource>
-      <resource uuid="647b6de3-81d0-4d22-bec1-5f1333e34380">
-         <title>http://www.nsa.gov</title>
-         <citation>
-            <text>http://www.nsa.gov</text>
-         </citation>
-         <rlink href="http://www.nsa.gov"/>
-      </resource>
-      <resource uuid="a47466c4-c837-4f06-a39f-e68412a5f73d">
-         <title>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</title>
-         <citation>
-            <text>http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml</text>
-         </citation>
-         <rlink href="http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml"/>
-      </resource>
-      <resource uuid="9bd19d23-025f-4a47-935e-44810a0552a4">
-         <title>http://www.omb.gov</title>
-         <citation>
-            <text>http://www.omb.gov</text>
-         </citation>
-         <rlink href="http://www.omb.gov"/>
-      </resource>
-      <resource uuid="02631467-668b-4233-989b-3dfded2fd184">
-         <title>http://www.us-cert.gov</title>
-         <citation>
-            <text>http://www.us-cert.gov</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov"/>
-      </resource>
-      <resource uuid="6caa237b-531b-43ac-9711-d8f6b97b0377">
-         <title>ICD 704</title>
-         <citation>
-            <text>ICD 704</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="398e33fd-f404-4e5c-b90e-2d50d3181244">
-         <title>ICD 705</title>
-         <citation>
-            <text>ICD 705</text>
-         </citation>
-         <rlink href="http://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives"/>
-      </resource>
-      <resource uuid="1737a687-52fb-4008-b900-cbfa836f7b65">
-         <title>ISO/IEC 15408</title>
-         <citation>
-            <text>ISO/IEC 15408</text>
-         </citation>
-         <rlink href="http://www.iso.org/iso/iso_catalog/catalog_tc/catalog_detail.htm?csnumber=50341"/>
-      </resource>
-      <resource uuid="fb5844de-ff96-47c0-b258-4f52bcc2f30d">
-         <title>National Communications Systems Directive 3-10</title>
-         <citation>
-            <text>National Communications Systems Directive 3-10</text>
-         </citation>
-      </resource>
-      <resource uuid="bd0c544a-57de-458c-9bbe-6ceac27867c8">
-         <title>National Infrastructure Protection Plan</title>
-         <citation>
-            <text>National Infrastructure Protection Plan</text>
-         </citation>
-         <rlink href="https://www.dhs.gov/national-infrastructure-protection-plan"/>
-      </resource>
-      <resource uuid="654f21e2-f3bc-43b2-abdc-60ab8d09744b">
-         <title>National Strategy for Trusted Identities in Cyberspace</title>
-         <citation>
-            <text>National Strategy for Trusted Identities in Cyberspace</text>
-         </citation>
-         <rlink href="http://www.nist.gov/nstic"/>
-      </resource>
-      <resource uuid="bdd2f49e-edf7-491f-a178-4487898228f3">
-         <title>NIST Interagency Report 7622</title>
-         <citation>
-            <text>NIST Interagency Report 7622</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7622"/>
-      </resource>
-      <resource uuid="9cb3d8fe-2127-48ba-821e-cdd2d7aee921">
-         <title>NIST Special Publication 800-100</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-100</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-100</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-100"/>
-      </resource>
-      <resource uuid="3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e">
-         <title>NIST Special Publication 800-111</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-111</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-111</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-111"/>
-      </resource>
-      <resource uuid="349fe082-502d-464a-aa0c-1443c6a5cf40">
-         <title>NIST Special Publication 800-113</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-113</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-113</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-113"/>
-      </resource>
-      <resource uuid="1201fcf3-afb1-4675-915a-fb4ae0435717">
-         <title>NIST Special Publication 800-114 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-114r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-114 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-114r1"/>
-      </resource>
-      <resource uuid="c4691b88-57d1-463b-9053-2d0087913f31">
-         <title>NIST Special Publication 800-115</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-115</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-115</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-115"/>
-      </resource>
-      <resource uuid="2157bb7e-192c-4eaa-877f-93ef6b0a3292">
-         <title>NIST Special Publication 800-116 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-116r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-116 Rev. 1</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-116r1"/>
-      </resource>
-      <resource uuid="5c201b63-0768-417b-ac22-3f014e3941b2">
-         <title>NIST Special Publication 800-12 Rev. 1</title>
-         <doc-id type="doi">10.6028/NIST.SP.800-12r1</doc-id>
-         <citation>
-            <text>NIST Special Publication 800-12 Rev. 1</text>
-            <!--<doc-id type="doi">10.6028/NIST.SP.800-12r1</doc-id>-->
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-12r1"/>
-      </resource>
-      <resource uuid="d1a4e2a9-e512-4132-8795-5357aba29254">
-         <title>NIST Special Publication 800-121</title>
-         <citation>
-            <text>NIST Special Publication 800-121</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-121"/>
-      </resource>
-      <resource uuid="0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589">
-         <title>NIST Special Publication 800-124</title>
-         <citation>
-            <text>NIST Special Publication 800-124</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-124"/>
-      </resource>
-      <resource uuid="080f8068-5e3e-435e-9790-d22ba4722693">
-         <title>NIST Special Publication 800-128</title>
-         <citation>
-            <text>NIST Special Publication 800-128</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-128"/>
-      </resource>
-      <resource uuid="cee2c6ca-0261-4a6f-b630-e41d8ffdd82b">
-         <title>NIST Special Publication 800-137</title>
-         <citation>
-            <text>NIST Special Publication 800-137</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-137"/>
-      </resource>
-      <resource uuid="6bf8d24a-78dc-4727-a2ac-0e64d71c495c">
-         <title>NIST Special Publication 800-147</title>
-         <citation>
-            <text>NIST Special Publication 800-147</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-147"/>
-      </resource>
-      <resource uuid="3878cc04-144a-483e-af62-8fe6f4ad6c7a">
-         <title>NIST Special Publication 800-155</title>
-         <citation>
-            <text>NIST Special Publication 800-155</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-155"/>
-      </resource>
-      <resource uuid="825438c3-248d-4e30-a51e-246473ce6ada">
-         <title>NIST Special Publication 800-16</title>
-         <citation>
-            <text>NIST Special Publication 800-16</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-16"/>
-      </resource>
-      <resource uuid="8ab6bcdc-339b-4068-b45e-994814a6e187">
-         <title>NIST Special Publication 800-161</title>
-         <citation>
-            <text>NIST Special Publication 800-161</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-161"/>
-      </resource>
-      <resource uuid="6513e480-fada-4876-abba-1397084dfb26">
-         <title>NIST Special Publication 800-164</title>
-         <citation>
-            <text>NIST Special Publication 800-164</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-164"/>
-      </resource>
-      <resource uuid="9c5c9e8c-dc81-4f55-a11c-d71d7487790f">
-         <title>NIST Special Publication 800-18</title>
-         <citation>
-            <text>NIST Special Publication 800-18</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-18"/>
-      </resource>
-      <resource uuid="0a5db899-f033-467f-8631-f5a8ba971475">
-         <title>NIST Special Publication 800-23</title>
-         <citation>
-            <text>NIST Special Publication 800-23</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-23"/>
-      </resource>
-      <resource uuid="21b1ed35-56d2-40a8-bdfe-b461fffe322f">
-         <title>NIST Special Publication 800-27</title>
-         <citation>
-            <text>NIST Special Publication 800-27</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-27"/>
-      </resource>
-      <resource uuid="e716cd51-d1d5-4c6a-967a-22e9fbbc42f1">
-         <title>NIST Special Publication 800-28</title>
-         <citation>
-            <text>NIST Special Publication 800-28</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-28"/>
-      </resource>
-      <resource uuid="a466121b-f0e2-41f0-a5f9-deb0b5fe6b15">
-         <title>NIST Special Publication 800-30</title>
-         <citation>
-            <text>NIST Special Publication 800-30</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-30"/>
-      </resource>
-      <resource uuid="8f174e91-844e-4cf1-a72a-45c119a3a8dd">
-         <title>NIST Special Publication 800-32</title>
-         <citation>
-            <text>NIST Special Publication 800-32</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-32"/>
-      </resource>
-      <resource uuid="748a81b9-9cad-463f-abde-8b368167e70d">
-         <title>NIST Special Publication 800-34</title>
-         <citation>
-            <text>NIST Special Publication 800-34</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-34"/>
-      </resource>
-      <resource uuid="0c775bc3-bfc3-42c7-a382-88949f503171">
-         <title>NIST Special Publication 800-35</title>
-         <citation>
-            <text>NIST Special Publication 800-35</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-35"/>
-      </resource>
-      <resource uuid="d818efd3-db31-4953-8afa-9e76afe83ce2">
-         <title>NIST Special Publication 800-36</title>
-         <citation>
-            <text>NIST Special Publication 800-36</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-36"/>
-      </resource>
-      <resource uuid="0a0c26b6-fd44-4274-8b36-93442d49d998">
-         <title>NIST Special Publication 800-37</title>
-         <citation>
-            <text>NIST Special Publication 800-37</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-37"/>
-      </resource>
-      <resource uuid="d480aa6a-7a88-424e-a10c-ad1c7870354b">
-         <title>NIST Special Publication 800-39</title>
-         <citation>
-            <text>NIST Special Publication 800-39</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-39"/>
-      </resource>
-      <resource uuid="bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d">
-         <title>NIST Special Publication 800-40</title>
-         <citation>
-            <text>NIST Special Publication 800-40</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-40"/>
-      </resource>
-      <resource uuid="756a8e86-57d5-4701-8382-f7a40439665a">
-         <title>NIST Special Publication 800-41</title>
-         <citation>
-            <text>NIST Special Publication 800-41</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-41"/>
-      </resource>
-      <resource uuid="c6e95ca0-5828-420e-b095-00895b72b5e8">
-         <title>NIST Special Publication 800-45</title>
-         <citation>
-            <text>NIST Special Publication 800-45</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-45"/>
-      </resource>
-      <resource uuid="5309d4d0-46f8-4213-a749-e7584164e5e8">
-         <title>NIST Special Publication 800-46</title>
-         <citation>
-            <text>NIST Special Publication 800-46</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-46"/>
-      </resource>
-      <resource uuid="2711f068-734e-4afd-94ba-0b22247fbc88">
-         <title>NIST Special Publication 800-47</title>
-         <citation>
-            <text>NIST Special Publication 800-47</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-47"/>
-      </resource>
-      <resource uuid="238ed479-eccb-49f6-82ec-ab74a7a428cf">
-         <title>NIST Special Publication 800-48</title>
-         <citation>
-            <text>NIST Special Publication 800-48</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-48"/>
-      </resource>
-      <resource uuid="e12b5738-de74-4fb3-8317-a3995a8a1898">
-         <title>NIST Special Publication 800-50</title>
-         <citation>
-            <text>NIST Special Publication 800-50</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-50"/>
-      </resource>
-      <resource uuid="90c5bc98-f9c4-44c9-98b7-787422f0999c">
-         <title>NIST Special Publication 800-52</title>
-         <citation>
-            <text>NIST Special Publication 800-52</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-52"/>
-      </resource>
-      <resource uuid="07b79057-4b85-471e-bd16-84844917325b">
-         <title>NIST Special Publication 800-53</title>
-         <citation>
-            <text>NIST Special Publication 800-53</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-53"/>
-      </resource>
-      <resource uuid="cd4cf751-3312-4a55-b1a9-fad2f1db9119">
-         <title>NIST Special Publication 800-53A</title>
-         <citation>
-            <text>NIST Special Publication 800-53A</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-53A"/>
-      </resource>
-      <resource uuid="83c261f0-e7a1-49f8-95ac-2ab2517644bc">
-         <title>NIST Special Publication 800-55</title>
-         <citation>
-            <text>NIST Special Publication 800-55</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-55"/>
-      </resource>
-      <resource uuid="81f09e01-d0b0-4ae2-aa6a-064ed9950070">
-         <title>NIST Special Publication 800-56</title>
-         <citation>
-            <text>NIST Special Publication 800-56</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-56"/>
-      </resource>
-      <resource uuid="a6c774c0-bf50-4590-9841-2a5c1c91ac6f">
-         <title>NIST Special Publication 800-57</title>
-         <citation>
-            <text>NIST Special Publication 800-57</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-57"/>
-      </resource>
-      <resource uuid="7783f3e7-09b3-478b-9aa2-4a76dfd0ea90">
-         <title>NIST Special Publication 800-58</title>
-         <citation>
-            <text>NIST Special Publication 800-58</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-58"/>
-      </resource>
-      <resource uuid="f152844f-b1ef-4836-8729-6277078ebee1">
-         <title>NIST Special Publication 800-60</title>
-         <citation>
-            <text>NIST Special Publication 800-60</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-60"/>
-      </resource>
-      <resource uuid="be95fb85-a53f-4624-bdbb-140075500aa3">
-         <title>NIST Special Publication 800-61</title>
-         <citation>
-            <text>NIST Special Publication 800-61</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-61"/>
-      </resource>
-      <resource uuid="644f44a9-a2de-4494-9c04-cd37fba45471">
-         <title>NIST Special Publication 800-63</title>
-         <citation>
-            <text>NIST Special Publication 800-63</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-63"/>
-      </resource>
-      <resource uuid="abd950ae-092f-4b7a-b374-1c7c67fe9350">
-         <title>NIST Special Publication 800-64</title>
-         <citation>
-            <text>NIST Special Publication 800-64</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-64"/>
-      </resource>
-      <resource uuid="29fcfe59-33cd-494a-8756-5907ae3a8f92">
-         <title>NIST Special Publication 800-65</title>
-         <citation>
-            <text>NIST Special Publication 800-65</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-65"/>
-      </resource>
-      <resource uuid="84a37532-6db6-477b-9ea8-f9085ebca0fc">
-         <title>NIST Special Publication 800-70</title>
-         <citation>
-            <text>NIST Special Publication 800-70</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-70"/>
-      </resource>
-      <resource uuid="ead74ea9-4c9c-446d-9b92-bcbf0ad4b655">
-         <title>NIST Special Publication 800-73</title>
-         <citation>
-            <text>NIST Special Publication 800-73</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-73"/>
-      </resource>
-      <resource uuid="2a71298a-ee90-490e-80ff-48c967173a47">
-         <title>NIST Special Publication 800-76</title>
-         <citation>
-            <text>NIST Special Publication 800-76</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-76"/>
-      </resource>
-      <resource uuid="99f331f2-a9f0-46c2-9856-a3cbb9b89442">
-         <title>NIST Special Publication 800-77</title>
-         <citation>
-            <text>NIST Special Publication 800-77</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-77"/>
-      </resource>
-      <resource uuid="2042d97b-f7f6-4c74-84f8-981867684659">
-         <title>NIST Special Publication 800-78</title>
-         <citation>
-            <text>NIST Special Publication 800-78</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-78"/>
-      </resource>
-      <resource uuid="6af1e841-672c-46c4-b121-96f603d04be3">
-         <title>NIST Special Publication 800-81</title>
-         <citation>
-            <text>NIST Special Publication 800-81</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-81"/>
-      </resource>
-      <resource uuid="6d431fee-658f-4a0e-9f2e-a38b5d398fab">
-         <title>NIST Special Publication 800-83</title>
-         <citation>
-            <text>NIST Special Publication 800-83</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-83"/>
-      </resource>
-      <resource uuid="0243a05a-e8a3-4d51-9364-4a9d20b0dcdf">
-         <title>NIST Special Publication 800-84</title>
-         <citation>
-            <text>NIST Special Publication 800-84</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-84"/>
-      </resource>
-      <resource uuid="263823e0-a971-4b00-959d-315b26278b22">
-         <title>NIST Special Publication 800-88</title>
-         <citation>
-            <text>NIST Special Publication 800-88</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-88"/>
-      </resource>
-      <resource uuid="672fd561-b92b-4713-b9cf-6c9d9456728b">
-         <title>NIST Special Publication 800-92</title>
-         <citation>
-            <text>NIST Special Publication 800-92</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-92"/>
-      </resource>
-      <resource uuid="d1b1d689-0f66-4474-9924-c81119758dc1">
-         <title>NIST Special Publication 800-94</title>
-         <citation>
-            <text>NIST Special Publication 800-94</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-94"/>
-      </resource>
-      <resource uuid="1ebdf782-d95d-4a7b-8ec7-ee860951eced">
-         <title>NIST Special Publication 800-95</title>
-         <citation>
-            <text>NIST Special Publication 800-95</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-95"/>
-      </resource>
-      <resource uuid="6f336ecd-f2a0-4c84-9699-0491d81b6e0d">
-         <title>NIST Special Publication 800-97</title>
-         <citation>
-            <text>NIST Special Publication 800-97</text>
-         </citation>
-         <rlink href="http://csrc.nist.gov/publications/PubsSPs.html#800-97"/>
-      </resource>
-      <resource uuid="06dff0ea-3848-4945-8d91-e955ee69f05d">
-         <title>NSTISSI No. 7003</title>
-         <citation>
-            <text>NSTISSI No. 7003</text>
-         </citation>
-         <rlink href="http://www.cnss.gov/Assets/pdf/nstissi_7003.pdf"/>
-      </resource>
-      <resource uuid="9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab">
-         <title>OMB Circular A-130</title>
-         <citation>
-            <text>OMB Circular A-130</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/circulars_a130_a130trans4"/>
-      </resource>
-      <resource uuid="2c5884cd-7b96-425c-862a-99877e1cf909">
-         <title>OMB Memorandum 02-01</title>
-         <citation>
-            <text>OMB Memorandum 02-01</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/omb/memoranda_m02-01"/>
-      </resource>
-      <resource uuid="ff3bfb02-79b2-411f-8735-98dfe5af2ab0">
-         <title>OMB Memorandum 04-04</title>
-         <citation>
-            <text>OMB Memorandum 04-04</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf"/>
-      </resource>
-      <resource uuid="58ad6f27-af99-429f-86a8-8bb767b014b9">
-         <title>OMB Memorandum 05-24</title>
-         <citation>
-            <text>OMB Memorandum 05-24</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf"/>
-      </resource>
-      <resource uuid="4da24a96-6cf8-435d-9d1f-c73247cad109">
-         <title>OMB Memorandum 06-16</title>
-         <citation>
-            <text>OMB Memorandum 06-16</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2006/m06-16.pdf"/>
-      </resource>
-      <resource uuid="990268bf-f4a9-4c81-91ae-dc7d3115f4b1">
-         <title>OMB Memorandum 07-11</title>
-         <citation>
-            <text>OMB Memorandum 07-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf"/>
-      </resource>
-      <resource uuid="0b3d8ba9-051f-498d-81ea-97f0f018c612">
-         <title>OMB Memorandum 07-18</title>
-         <citation>
-            <text>OMB Memorandum 07-18</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-18.pdf"/>
-      </resource>
-      <resource uuid="0916ef02-3618-411b-a525-565c088849a6">
-         <title>OMB Memorandum 08-22</title>
-         <citation>
-            <text>OMB Memorandum 08-22</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-22.pdf"/>
-      </resource>
-      <resource uuid="28115a56-da6b-4d44-b1df-51dd7f048a3e">
-         <title>OMB Memorandum 08-23</title>
-         <citation>
-            <text>OMB Memorandum 08-23</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf"/>
-      </resource>
-      <resource uuid="599fe9ba-4750-4450-9eeb-b95bd19a5e8f">
-         <title>OMB Memorandum 10-06-2011</title>
-         <citation>
-            <text>OMB Memorandum 10-06-2011</text>
-         </citation>
-      </resource>
-      <resource uuid="74e740a4-c45d-49f3-a86e-eb747c549e01">
-         <title>OMB Memorandum 11-11</title>
-         <citation>
-            <text>OMB Memorandum 11-11</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf"/>
-      </resource>
-      <resource uuid="bedb15b7-ec5c-4a68-807f-385125751fcd">
-         <title>OMB Memorandum 11-33</title>
-         <citation>
-            <text>OMB Memorandum 11-33</text>
-         </citation>
-         <rlink href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf"/>
-      </resource>
-      <resource uuid="dd2f5acd-08f1-435a-9837-f8203088dc1a">
-         <title>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-            (E-PACS)</title>
-         <citation>
-            <text>Personal Identity Verification (PIV) in Enterprise Physical Access Control System
-               (E-PACS)</text>
-         </citation>
-      </resource>
-      <resource uuid="8ade2fbe-e468-4ca8-9a40-54d7f23c32bb">
-         <title>US-CERT Technical Cyber Security Alerts</title>
-         <citation>
-            <text>US-CERT Technical Cyber Security Alerts</text>
-         </citation>
-         <rlink href="http://www.us-cert.gov/ncas/alerts"/>
-      </resource>
-      <resource uuid="16b3b234-3406-44dc-8645-7da61b6e81f1">
-         <rlink media-type="application/pdf"
-                href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"/>
-      </resource>
-      <resource uuid="fb81fb1c-165e-43a4-8264-1dfd3182b630">
-         <rlink media-type="application/pdf"
-                href="http://dx.doi.org/10.6028/NIST.SP.800-53r4"/>
-      </resource>
-   </back-matter>
-</catalog>
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_declarations.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_declarations.xml
deleted file mode 100644
index 92e42cac56..0000000000
--- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_declarations.xml
+++ /dev/null
@@ -1,108 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<?xml-stylesheet type="text/css" href="../../lib/CSS/oscal.css"?>
-<declarations xmlns="http://csrc.nist.gov/ns/oscal/1.0">
-  <declare-prop context="SP800-53" class="label">
-    <singleton/>
-    <required/>
-    <regex>^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|RA|SA|SC|SI)[\d\.\-]*$</regex>
-  </declare-prop>
-  <!--<declare-prop context="SP800-53" class="priority">
-    <singleton/>
-    <value>P1</value>
-    <value>P2</value>
-    <value>P0</value>
-    <value>P3</value>
-  </declare-prop>-->
-  <!--<declare-prop context="SP800-53" class="baseline-impact">
-    <value>LOW</value>
-    <value>MODERATE</value>
-    <value>HIGH</value>
-  </declare-prop>-->
-  <declare-part context="SP800-53" class="statement">
-    <singleton/>
-    <required/>
-  </declare-part>
-  <declare-part context="SP800-53" class="guidance">
-    <singleton/>
-  </declare-part>
-  <declare-part context="SP800-53" class="objective">
-    <singleton/>
-    <required/>
-  </declare-part>
-  <declare-part context="SP800-53" class="assessment"/>
-  <!-- can repeat -->
-
-  <declare-prop context="SP800-53-enhancement" class="label">
-    <singleton/>
-    <required/>
-    <!-- a child control's label must increment its parent control's label -->
-    <calc xml:space="preserve"><inherit/><autonum>(1)</autonum></calc>
-  </declare-prop>
-  
-  <declare-part context="SP800-53-enhancement" class="statement">
-    <singleton/>
-    <required/>
-  </declare-part>
-  <declare-part context="SP800-53-enhancement" class="guidance">
-    <singleton/>
-  </declare-part>
-  <declare-part context="SP800-53-enhancement" class="objective">
-    <singleton/>
-    <required/>
-  </declare-part>
-  <declare-part context="SP800-53-enhancement" class="assessment"/>
-
-  <declare-part context="statement" class="item"/>
-  
-  <!-- recursive -->
-  <declare-part context="item" class="item"/>
-  
-  <declare-prop context="statement" class="label">
-    <singleton/>
-  </declare-prop>
-  
-  <declare-prop context="item" class="label">
-    <singleton/>
-    <required/>
-  </declare-prop>
-  
-  <declare-prop context="objective" class="label">
-    <singleton/>
-    <!-- <required/> not given at top level -->
-  </declare-prop>
-  
-  
-  <!-- label values are complex and must be validated using custom logic  -->
-  
-  <!--<declare-p context="item" class="description">
-    <singleton/>
-    <required/>
-  </declare-p>-->
-
-  <!-- Note recursion: objectives contain objectives -->
-  <declare-part context="objective" class="objective">
-    <required/>
-  </declare-part>
-  <declare-p context="objective" class="decision">
-    <singleton/>
-    <!-- <required/>not required because objectives are nested; only lowest level has decision given. -->
-  </declare-p>
-  
-  
-  <declare-prop context="assessment" class="method">
-    <singleton/>
-    <required/>
-    <value>EXAMINE</value>
-    <value>INTERVIEW</value>
-    <value>TEST</value>
-  </declare-prop>
-  <declare-part context="assessment" class="objects">
-    <required/>
-  </declare-part>
-  
-  <declare-prop context="sp800-53 SP800-53-enhancement" class="status">
-    <singleton/>
-    <value>Withdrawn</value>
-  </declare-prop>
-  
-</declarations>
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/conversion-notes.md b/src/content/nist.gov/SP800-53/rev4/xml/conversion-notes.md
deleted file mode 100644
index f8c7a001e0..0000000000
--- a/src/content/nist.gov/SP800-53/rev4/xml/conversion-notes.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# SP800-53 conversion notes
-
-The XML, JSON, and YAML versions of SP800-53 given here are derived from official and internal NIST publications and communications, in order faithfully to represent published standards (providing them with machinable proxies) but not to determine their meaning or force.
-
-Keep in mind that the OSCAL code is thus a *representation* of an *interpretation* of the standard, and can in no way be considered as authoritative in itself. Any authority or reliability it may be considered to have derives entirely from its resemblance to the standard as published, as confirmed by external inspection.
-
-Specifically, this OSCAL XML was produced via XSLT transformation pipeline from 
-[NIST NVD XML sources](https://nvd.nist.gov/800-53) (Control descriptions in Appendixes F & G and Objective Appendix F)
-
-The transformation pipeline applies the following enhancements and mappings to this data set:
-
-1. Source is ameliorated at points of detected failure such as typographical glitches (where necessary to enable downstream processing).
-1. Source is cast from native (NVD XML) description into OSCAL
-1. Various enhancements are made, such as inferring parameter markup, establishing internal cross-references etc.
-1. Along the way, IDs are produced by mapping literal values (generally, labels) found in the source data. This entails some rewriting of identifiers (see below). Because these values are produced by direct mapping from the data, as opposed to auto-generating them based on intrinsic document properties (structure), they can also be meaningfully *validated*. See below.
-1. In the result, control descriptions from the base publication, SP800-53, are merged with detailed objective and assessment descriptions from Appendix A, by control.
-
-## IDs in SP800-53
-
-Globally in OSCAL, `@id` attributes (XML) or 'id' fields (JSON) are validated as XML type ID, which imposes the following constraints:
-
-- Must be an
-[XML NCName](https://www.w3.org/TR/REC-xml-names/#NT-NCName)
-[https://www.w3.org/TR/REC-xml-names/#NT-NCName], hence
-   - Starting with a letter (or underscore or period)
-   - Followed by letters, digits, underscores, dashes or periods (but no other punctuation such as parentheses or brackets)
-- Must be lexically unique across the scope of the document. That is, the same 'id' value may not be given to any other object.
-
-As a consequence of the second constraint, ids serve as robust targets for linking when other information is not determinative, especially when used in combination with unique identifiers at the document level.
-
-Additionally, in the OSCAL version of SP800-53 rev 4, the following ID conventions are followed:
-
-1. IDs of controls are derived from the name (label) of the Control. So control "AC-1" has id `ac-1` and "PM-15" has `pm-15`.
-1. IDs of control enhancements (child controls) are produced similarly, with the parenthetical expression cast to "dot notation". So control enhancement SI-14(1) has id `si-14.1`, etc.
-1. The analogous rule is applied to groups. So "Risk Assessment" (with controls RA-1 through RA-6) has id `ra`.
-1. Within controls, components (parts) are given IDs whenever it is expected or anticipated to be targets of internal linking. This does not include all components, for example properties (`prop` fields) such as labels. But:
-  1. Statements for each control are suffixed `_smt`, so `si-14.1_smt` etc.
-  1. A "Guidance" part ID is suffixed `_gdn`
-  1. Parameter IDs suffixed `_prm` with a number representing their position among other parameters in the same control, so `ac-1_prm_2` for the second parameter defined in AC-1.
-  1. "Objectives" are suffixed `_obj`. When objectives given in the data have distinct labels, they have similarly been provided with ids accordingly, such as `si-14.1_obj.1` for Objective SI-14\(1\)\[1\])  etc.
-  1. In this assignment, implicit targets of links (from objectives to components of statements) are disentangled. So for example Objective AC-3(3)\[6]\(a) refers to (indeed its text corresponds to) statement AC-3(3)(a). So the objective is given id `ac-3.3.a_obj.6`, and provided with a link to the statement.  
-  1. Currently, IDs are not assigned to assessments.
-
-
-### Validating 'id' assignment in OSCAL SP800-53/A
-
-A Schematron in this subdirectory, `validate_SP800-53_labels-and-ids.sch`, when applied to the catalog XML, demonstrates that `id` values derived from labels correspond to values expected from static analysis (of document structure). This helps confirm their referential integrity.
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/validate-labels_SP800-53-catalog.sch b/src/content/nist.gov/SP800-53/rev4/xml/validate-labels_SP800-53-catalog.sch
deleted file mode 100644
index f36b86a0e9..0000000000
--- a/src/content/nist.gov/SP800-53/rev4/xml/validate-labels_SP800-53-catalog.sch
+++ /dev/null
@@ -1,125 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron" queryBinding="xslt2"
-    xmlns:sqf="http://www.schematron-quickfix.com/validator/process"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:o="http://csrc.nist.gov/ns/oscal/1.0">
-    
-    <sch:ns prefix="o"     uri="http://csrc.nist.gov/ns/oscal/1.0"/>
-    <sch:ns prefix="oscal" uri="http://csrc.nist.gov/ns/oscal/1.0"/>
-    
-    <!-- This Schematron checks the representation of labels in SP800-53
-           - labels given on controls and their parts correspond to their @id values
-           - labels are formatted correctly and represent the order of the document
-             by incrementing regularly -->
-         
-    <sch:pattern>
-        <sch:rule context="oscal:part[@name='item']/oscal:prop[@name='label']">
-            <xsl:variable name="number-format">
-                <xsl:apply-templates mode="number-format" select=".."/>
-            </xsl:variable>
-            <!-- returns true() when $parent-label is empty -->
-            <xsl:variable name="expected">
-                <xsl:number count="oscal:part[@name='item']" format="{$number-format}"/>
-            </xsl:variable>
-            <sch:assert test=". = $expected">Label issue: expected '<sch:value-of select="$expected"/>'</sch:assert>
-        </sch:rule>
-        
-        <!-- Preempted by the preceding rule, this rule matches label properties not directly inside part[@name='item'] -->
-        <sch:rule context="oscal:prop[@name='label']">
-            <sch:let name="parent-label" value="parent::*/../oscal:prop[@name='label']"/>
-            <!-- returns true() when $parent-label is empty -->
-            <sch:assert test="starts-with(.,$parent-label)">Label hierarchy issue</sch:assert>
-        </sch:rule>
-        
-        <sch:rule context="oscal:control">
-            <sch:let name="expected-id" value="o:reduce-label(oscal:prop[@name='label'])"/>
-            <sch:assert test="@id = $expected-id">Expected id to be '<sch:value-of select="$expected-id"/>'</sch:assert>
-        </sch:rule>
-        
-        <sch:rule context="oscal:control/oscal:part[@name='statement']">
-            <sch:let name="expected-id" value="../@id || '_smt'"/>
-            <sch:assert test="@id = $expected-id">Expected id to be '<sch:value-of select="$expected-id"/>'</sch:assert>
-        </sch:rule>
-
-        <sch:rule context="oscal:part[@name='statement']/oscal:part[@name='statement']">
-            <sch:let name="owner" value="(ancestor::oscal:control)[1]"/>
-            <xsl:variable name="reckoning">
-                <xsl:number count="oscal:part[@name='statement']/oscal:part[@name='statement']" level="multiple" format=".a.1"/>
-            </xsl:variable>
-            <sch:let name="expected-id" value="$owner/@id || '_smt' || $reckoning"/>
-            <sch:assert test="@id = $expected-id">Expected id to be '<sch:value-of select="$expected-id"/>'</sch:assert>
-        </sch:rule>
-        
-        <sch:rule context="oscal:control/oscal:part[@name='objective']">
-            <sch:let name="expected-id" value="../@id || '_obj'"/>
-            <sch:assert test="@id = $expected-id">Expected id to be '<sch:value-of select="$expected-id"/>'</sch:assert>
-        </sch:rule>
-        
-        
-<!-- OBJECTIVE IDS
-            An 'objective' id has two parts, before and after '_obj' called $head and $tail
-     One but not the other of these has an incremented value.
-     The other must be the same as the parent.
-     If neither or both are the same we have an error.
-     
-     calling the kind that increments the head, a 'matcher'
-     calling the kind that increments the tail, a 'brancher' -->
-<!-- when the head is incremented, it should be calculable relative to other
-     front-incremented values (heads, numbered relative to the root of the control)
-     when the tail is incremented, similarly, within the scope of elements with the same head -->
-
-        <sch:rule context="oscal:part[@name = 'objective']/oscal:part[@name = 'objective']">
-
-            <sch:let name="owner" value="ancestor::oscal:control[1]"/>
-
-            <sch:let name="my-head" value="o:head(.)"/>
-            <sch:let name="my-tail" value="o:tail(.)"/>
-            <sch:assert test="(o:head(.) = o:head(..)) or (o:tail(.) = o:tail(..))">Head or tail must match</sch:assert>
-            <!-- $maps when the head increments, meaning we map to a new element -->
-            <sch:let name="maps" value="$my-tail = (o:tail(..), '')"/>
-            <!-- $extends when the head is the same but we extend for more detail (the tail changes) -->
-            <sch:let name="extends" value="o:head(.) = o:head(..)"/>
-
-            <!-- When $maps, we expect the mapping portion (the head) to be regular      -->
-            <xsl:variable name="id-for-mapper">
-                <xsl:value-of select="o:head(..)"/>
-                <xsl:number count="oscal:part/oscal:part"
-                    format="{ if (matches(o:head(..),'\d$')) then '.a' else '.1' }"/>
-                <xsl:text>_obj</xsl:text>
-                <xsl:value-of select="$my-tail"/>
-            </xsl:variable>
-
-            <sch:assert test="not($maps) or @id = $id-for-mapper"> Expecting @id to be
-                    '<sch:value-of select="$id-for-mapper"/>' </sch:assert>
-
-            <xsl:variable name="id-for-extender">
-                <xsl:value-of select="../@id"/>
-                <xsl:number count="oscal:part/oscal:part"
-                    format="{ if (matches(../@id,'\d$')) then '.a' else '.1' }"/>
-            </xsl:variable>
-            <sch:assert test="not($extends) or @id = $id-for-extender"> Expecting @id to be
-                    '<sch:value-of select="$id-for-extender"/>' </sch:assert>
-        </sch:rule>
-        
-    </sch:pattern>
-    
-    <xsl:function name="o:head" as="xs:string">
-        <xsl:param name="who" as="element()"/>
-        <xsl:sequence select="substring-before($who/@id,'_obj')"/>
-    </xsl:function>
-    
-    <xsl:function name="o:tail" as="xs:string">
-        <xsl:param name="who" as="element()"/>
-        <xsl:sequence select="substring-after($who/@id,'_obj')"/>
-    </xsl:function>
-    
-    <xsl:function name="o:reduce-label">
-        <xsl:param name="what"/>
-        <xsl:value-of select="lower-case($what) ! replace(., '\(', '.') ! replace(., '\)', '') ! replace(.,'\.$','')"/>
-    </xsl:function>
-    
-    <xsl:template mode="number-format" priority="1" match="oscal:part[@name='item']">a.</xsl:template>
-    <xsl:template mode="number-format" priority="2" match="oscal:part[@name='item']/oscal:part[@name='item']">1.</xsl:template>
-    <xsl:template mode="number-format" priority="3" match="oscal:control/oscal:control//oscal:part[@name='item']">(a)</xsl:template>
-    <xsl:template mode="number-format" priority="4" match="oscal:control/oscal:control//oscal:part[@name='item']/oscal:part[@name='item']">(1)</xsl:template>
-</sch:schema>
\ No newline at end of file
diff --git a/src/content/nist.gov/SP800-53/rev4/xml/validate-names-etc_SP800-53-catalog.sch b/src/content/nist.gov/SP800-53/rev4/xml/validate-names-etc_SP800-53-catalog.sch
deleted file mode 100644
index c0d1128615..0000000000
--- a/src/content/nist.gov/SP800-53/rev4/xml/validate-names-etc_SP800-53-catalog.sch
+++ /dev/null
@@ -1,197 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron" queryBinding="xslt2"
-    xmlns:sqf="http://www.schematron-quickfix.com/validator/process"
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-    xmlns:o="http://csrc.nist.gov/ns/oscal/1.0">
-    
-    <sch:ns prefix="o" uri="http://csrc.nist.gov/ns/oscal/1.0"/>
-    
-    <xsl:key name="by-id"        match="*[@id]" use="@id"/>
-    <xsl:key name="link-targets" match="*[@id]" use="'#' || @id"/>
-    
-<!-- This Schematron checks several basic features of SP800-53, or a similarly encoded document,
-     for conformance with expectations. Specifically, it tests:
-     
-     - @id values are unique in the document
-     - Use of @name is consistent with OSCAL, avoiding clashes with named elements in OSCAL
-     - Expected (named) parts and properties are given in controls and subcontrols
-     - Parts and properties are not given redundantly; when expected, they are singletons
-       (the only child of their parent node with the @name value)
-     - Cross-references (internal links) resolve when given
-     
-     More complex checking of 
-     
-    
-    -->
-    
-    <!-- Some tokens should be prohibited for use as @name flags. -->
-    <sch:let name="interdicted" value="'control','group','part','prop','param','title'"/>
-    
-    <sch:let name="known-part-names" value="('statement', 'item', 'guidance', 'objective', 'assessment', 'objects')"/>
-    
-    <sch:let name="known-property-names" value="('keywords', 'label', 'sort-id', 'method', 'status')"/>
-    
-    <sch:pattern id="general">
-        <sch:rule context="*[matches(@name,'\S')]">
-            <sch:report test="@name = $interdicted">@name '<sch:value-of select="@name"/>' is not permitted</sch:report>
-        </sch:rule>
-    </sch:pattern>
-    
-    <sch:pattern id="uniqueness-constraints">
-        <sch:rule context="*[exists(@id)]">
-            <sch:assert test="empty(key('by-id',@id) except .)">ID on element is not unique.</sch:assert>
-        </sch:rule>
-    </sch:pattern>
-    
-<!-- Ensure all the values of @name given are known.  -->
-    <sch:pattern id="occurrences">
-        <sch:rule context="o:part[exists(@name)]">
-            <sch:assert test="@name=$known-part-names">@name on part is not recognized: we expect <sch:value-of select="o:or-sequence($known-part-names)"/></sch:assert>
-        </sch:rule>
-        <sch:rule context="o:prop[exists(@name)]">
-            <sch:assert test="@name=$known-property-names">@name on property is not recognized: we expect <sch:value-of select="o:or-sequence($known-property-names)"/></sch:assert>
-        </sch:rule>
-        
-    </sch:pattern>
-    
-    <!-- Controls and their parts may require properties or subparts designated for particular contents. -->
-    <sch:pattern id="required-items">
-        <sch:rule context="o:control">
-            <sch:let name="withdrawn" value="o:prop[@name='status'] = 'Withdrawn'"/>
-            <sch:assert test="o:prop/@name='label'">control must have a child 'prop' with @name='label'</sch:assert>
-            <sch:assert test="o:prop/@name='sort-id'">control must have a child 'prop' with @name='sort-id'</sch:assert>
-            <sch:assert test="o:part/@name='statement' or $withdrawn">control with name='SP800-53' must have a child 'part' with @name='statement'</sch:assert>
-            <sch:assert test="o:part/@name='objective' or $withdrawn">control with name='SP800-53' must have a child 'part' with @name='objective'</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:part[@name='item']">
-            <sch:assert test="o:prop/@name='label'">part with name='item' must have a child prop with @name='label'</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:part[@name='assessment']">
-            <sch:assert test="o:prop/@name='method'">part with name='assessment' must have a child prop with @name='method'</sch:assert>
-            <sch:assert test="o:part/@name='objects'">part with name='assessment' must have a child part with @name='objects'</sch:assert>
-        </sch:rule>
-    </sch:pattern>
-    
-    <!-- Many properties exhibit regularities; we need to detect if they are violated. -->
-    <!-- Note that these validations will not work on catalogs that do not have, for example, consistent
-         continuous numbering of controls and their constituent parts (control, prop, part elements).
-         So for example, a catalog produced by resolving a profile, which contains gaps, will show
-         those gaps in validation against this Schematron. -->
-    <sch:pattern id="appearances">
-        <!-- o:control/o:control is a control enhancement -->
-        <sch:rule context="o:control/o:control/o:prop[@name = 'label']">
-            <sch:assert test="o:singleton(.)">prop with name='label'
-                must be a singleton: no other properties named 'label' may appear in the same
-                context</sch:assert>
-            <sch:assert
-                test="matches(., '^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|RA|SA|SC|SI)\-\d\d?\(\d\d?\)')"
-                >prop with name='label' must match regular expression
-                '^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|RA|SA|SC|SI)\-\d\d?\(\d\d?\)$'</sch:assert>
-            <sch:let name="parent-label" value="../../o:prop[@name = 'label']"/>
-            <xsl:variable name="formatted-no">
-                <xsl:number count="o:control" format="(1)"/>
-            </xsl:variable>
-            <sch:assert test=". = ($parent-label || $formatted-no)">Control enhancement
-                label is inconsistent: we expect <sch:value-of select="$parent-label || $formatted-no"/> here</sch:assert>
-        </sch:rule>
-
-        <sch:rule context="o:control/o:prop[@name = 'label']">
-            <sch:assert test="o:singleton(.)">prop with name='label'
-                must be a singleton: no other properties named 'label' may appear in the same
-                context</sch:assert>
-            <sch:assert
-                test="matches(., '^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|RA|SA|SC|SI)[\d\.\-]*$')"
-                >prop with name='label' must match regular expression
-                '^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|RA|SA|SC|SI)\-\d\d?$'</sch:assert>
-            <sch:assert test="substring(.,1,2) = upper-case(../../@id)">Control label does not match its family, '<sch:value-of select="upper-case(../../@id)"/></sch:assert>
-            <xsl:variable name="formatted-no">
-                <xsl:number count="o:control"/>
-            </xsl:variable>
-            <sch:assert test="replace(.,'\D','') = $formatted-no">Control label appears to be out of sequence</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:part[@name = 'statement']">
-            <sch:assert test="o:singleton(.)">part with name='statement'
-                must be a singleton: no other parts named 'statement' may appear in the same
-                context</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:part[@name = 'item']/o:prop[@name = 'label']">
-            <sch:assert test="o:singleton(.)">prop with name='label'
-                must be a singleton: no other properties named 'label' may appear in the same
-                context</sch:assert>
-            <sch:assert test="ends-with(../@id, replace(., '[\.\(\)\[\]]', ''))">Label
-                    '<sch:value-of select="."/>' does not match with parent id '<sch:value-of
-                    select="../@id"/>'</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:prop[@name = 'label']">
-            <sch:assert test="o:singleton(.)">prop with name='label'
-                must be a singleton: no other properties named 'label' may appear in the same
-                context</sch:assert>
-            <sch:let name="parent-label"
-                value="../ancestor::*[o:prop/@name = 'label'][1]/o:prop[@name = 'label']"/>
-            <sch:assert test="not(count($parent-label) = 1) or starts-with(., $parent-label)">Label is expected to start with
-                inherited label '<sch:value-of select="$parent-label"/>'</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:prop[@name = 'sort-id']">
-            <sch:assert test="o:singleton(.)">prop with name='sort-id'
-                must be a singleton: no other properties named 'sort-id' may appear in the same
-                context</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:part[@name = 'assessment']/o:prop[@name = 'method']">
-            <sch:assert test="o:singleton(.)">prop with name='method'
-                must be a singleton: no other properties named 'method' may appear in the same
-                context</sch:assert>
-            <sch:assert test=". = ('EXAMINE', 'INTERVIEW', 'TEST')">prop name='method' here must
-                have a value 'EXAMINE', 'INTERVIEW', or 'TEST'</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:prop[@name = 'status']">
-            <sch:assert test="o:singleton(.)">prop with name='status'
-                must be a singleton: no other properties named 'status' may appear in the same
-                context</sch:assert>
-            <sch:assert test=". = ('Withdrawn')">prop name='status' here must have a value
-                'Withdrawn'</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:prop[@name = 'method']">
-            <sch:assert test="o:singleton(.)">prop with name='method' must be a singleton: no other
-                properties named 'method' may appear in the same context</sch:assert>
-        </sch:rule>
-        <sch:rule context="o:prop[@name = 'keywords']">
-            <sch:assert test="exists(parent::o:metadata)">prop with name='keywords' is not expected outside metadata</sch:assert>
-        </sch:rule>
-    </sch:pattern>
-
-    <!-- Checking presence and form of link hrefs -->
-    <sch:pattern id="links">
-        <sch:rule context="o:link | o:a">
-            <sch:let name="href" value="@href[matches(.,'\S')]"/>
-            <sch:let name="is-anchor" value="exists(self::o:a)"/>
-            <sch:assert role="warning" test="exists($href)"><sch:value-of select="local-name() || 'nchor'[$is-anchor]"/> missing @href</sch:assert>
-            <sch:assert test="empty($href) or ($href castable as xs:anyURI)">An @href must be a URI</sch:assert>
-            <sch:assert test="empty($href[starts-with(.,'#')]) or exists(key('link-targets',$href))">Internal link is broken.</sch:assert>
-        </sch:rule>
-    </sch:pattern>
-    
-    <!-- Returns 'true' for elements without siblings with the same @name value -->
-    <xsl:function name="o:singleton" as="xs:boolean">
-        <xsl:param name="who" as="element()"/>
-        <xsl:variable name="competitors" select="$who/parent::*/(* except $who)[@name = $who/@name]"/>
-        <xsl:sequence select="empty($competitors)"/>
-    </xsl:function>
-    
-    <xsl:function name="o:or-sequence" as="xs:string?">
-        <xsl:param name="seq" as="item()*"/>
-        <xsl:value-of>
-            <xsl:for-each select="$seq ! ('''' || . || '''')">
-                <xsl:if test="position() ne 1">
-                    <xsl:choose>
-                        <xsl:when test="(position() eq 2 and last() eq 2)"> or </xsl:when>
-                        <xsl:when test="position() = last()">, or </xsl:when>
-                        <xsl:otherwise>, </xsl:otherwise>
-                    </xsl:choose>
-                </xsl:if>
-                <xsl:value-of select="."/>
-            </xsl:for-each>
-        </xsl:value-of>
-    </xsl:function>
-    
-
-</sch:schema>
\ No newline at end of file
diff --git a/src/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_catalog.xml b/src/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_catalog.xml
deleted file mode 100644
index e907209535..0000000000
--- a/src/content/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FPD_catalog.xml
+++ /dev/null
@@ -1,26078 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Modified by conversion XSLT 2020-06-01T15:03:10.188-04:00 - UUIDs refreshed -->
-<!-- XML produced by extraction/mapping from NVD XML :2020-03-16T13:24:48.668-04:00 -->
-<!-- Valid against the OSCAL catalog schema (project path schema/xml/oscal-catalog-schema.xsd) -->
-<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="419d31dd-746d-4dc2-89ad-1d13cc2326ca">
-   <metadata>
-      <title>NIST Special Publication 800-53: Security and Privacy Controls for Federal Information
-         Systems and Organizations, Revision 5 Final Public Draft</title>
-      <last-modified>2020-03-16T13:24:48.516-04:00</last-modified>
-      <version>Revision 5</version>
-      <oscal-version>1.0.0-Milestone3</oscal-version>
-      <prop name="keywords">assurance, availability, computer security, confidentiality, control,
-         cybersecurity, FISMA, information security, information system, integrity, personally
-         identifiable information, Privacy Act, privacy controls, privacy functions, privacy
-         requirements, Risk Management Framework, security controls, security functions, security
-         requirements, system, system security</prop>
-      <link rel="alternate" href="#90ec1671-8dcf-4bcf-8efe-ac6d06a806f0">NIST publication (PDF)</link>
-      <link rel="canonical" href="#abe434a3-7630-4138-8699-2ab8c7a9aa6c">NIST publication via DOI lookup</link>
-      <role id="creator">
-         <title>Document creator</title>
-      </role>
-      <role id="contact">
-         <title>Contact</title>
-      </role>
-      <party type="organization" uuid="d2cd65bd-2123-4dd9-afb2-c7564f3251c2">
-         <party-name>Joint Task Force, Interagency Working Group</party-name>
-         <address>
-            <addr-line>National Institute of Standards and Technology</addr-line>
-            <addr-line>Attn: Computer Security Division</addr-line>
-            <addr-line>Information Technology Laboratory</addr-line>
-            <addr-line>100 Bureau Drive (Mail Stop 8930)</addr-line>
-            <city>Gaithersburg</city>
-            <state>MD</state>
-            <postal-code>20899-8930</postal-code>
-         </address>
-         <email>sec-cert@nist.gov</email>
-      </party>
-      <responsible-party role-id="creator">
-         <party-uuid>4ae7292e-6d8e-4735-86ea-11047c575e87</party-uuid>
-      </responsible-party>
-      <responsible-party role-id="contact">
-         <party-uuid>4ae7292e-6d8e-4735-86ea-11047c575e87</party-uuid>
-      </responsible-party>
-   </metadata>
-   <group class="family" id="ac">
-      <title>Access Control</title>
-      <control class="SP800-53" id="ac-1">
-         <title>Policy and Procedures</title>
-         <param id="ac-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="ac-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="ac-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ac-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-1</prop>
-         <prop name="sort-id">AC-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="reference" href="#bb22d510-54a9-4588-b725-00d37576562b">[IR 7874]</link>
-         <link rel="related" href="#ia-1">IA-1</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-24">PM-24</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ac-1_smt">
-            <part name="item" id="ac-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="ac-1_prm_1"/>:</p>
-               <part name="item" id="ac-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="ac-1_prm_2"/> access control policy that:</p>
-                  <part name="item" id="ac-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="ac-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ac-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the access control policy and the associated access controls;</p>
-               </part>
-            </part>
-            <part name="item" id="ac-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="ac-1_prm_3"/> to manage the development, documentation, and dissemination of the access control policy and procedures; and</p>
-            </part>
-            <part name="item" id="ac-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current access control:</p>
-               <part name="item" id="ac-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="ac-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="ac-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="ac-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ac-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the AC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-2">
-         <title>Account Management</title>
-         <param id="ac-2_prm_1">
-            <label>organization-defined attributes (as required)</label>
-         </param>
-         <param id="ac-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-2_prm_3">
-            <label>organization-defined policy, procedures, and conditions</label>
-         </param>
-         <param id="ac-2_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ac-2_prm_5">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="ac-2_prm_6">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="ac-2_prm_7">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="ac-2_prm_8">
-            <label>organization-defined attributes (as required)</label>
-         </param>
-         <param id="ac-2_prm_9">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-2</prop>
-         <prop name="sort-id">AC-02</prop>
-         <link rel="reference" href="#359f960c-2598-454c-ba3b-a30c553e498f">[SP 800-162]</link>
-         <link rel="reference" href="#223b23a9-baea-4a50-8058-63cf7967b61f">[SP 800-178]</link>
-         <link rel="reference" href="#06d3c11a-4a00-42d9-ad75-e6a777ffae5e">[SP 800-192]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-5">AC-5</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#ac-24">AC-24</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#ps-4">PS-4</link>
-         <link rel="related" href="#ps-5">PS-5</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-37">SC-37</link>
-         <part name="statement" id="ac-2_smt">
-            <part name="item" id="ac-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Define and document the types of accounts allowed for use within the system;</p>
-            </part>
-            <part name="item" id="ac-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Assign account managers;</p>
-            </part>
-            <part name="item" id="ac-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Establish conditions for group and role membership;</p>
-            </part>
-            <part name="item" id="ac-2_smt.d">
-               <prop name="label">d.</prop>
-               <p>Specify:</p>
-               <part name="item" id="ac-2_smt.d.1">
-                  <prop name="label">1.</prop>
-                  <p>Authorized users of the system;</p>
-               </part>
-               <part name="item" id="ac-2_smt.d.2">
-                  <prop name="label">2.</prop>
-                  <p>Group and role membership; and</p>
-               </part>
-               <part name="item" id="ac-2_smt.d.3">
-                  <prop name="label">3.</prop>
-                  <p>Access authorizations (i.e., privileges) and <insert param-id="ac-2_prm_1"/> for each account;</p>
-               </part>
-            </part>
-            <part name="item" id="ac-2_smt.e">
-               <prop name="label">e.</prop>
-               <p>Require approvals by <insert param-id="ac-2_prm_2"/> for requests to create accounts;</p>
-            </part>
-            <part name="item" id="ac-2_smt.f">
-               <prop name="label">f.</prop>
-               <p>Create, enable, modify, disable, and remove accounts in accordance with <insert param-id="ac-2_prm_3"/>;</p>
-            </part>
-            <part name="item" id="ac-2_smt.g">
-               <prop name="label">g.</prop>
-               <p>Monitor the use of accounts;</p>
-            </part>
-            <part name="item" id="ac-2_smt.h">
-               <prop name="label">h.</prop>
-               <p>Notify account managers and <insert param-id="ac-2_prm_4"/> within:</p>
-               <part name="item" id="ac-2_smt.h.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="ac-2_prm_5"/> when accounts are no longer required;</p>
-               </part>
-               <part name="item" id="ac-2_smt.h.2">
-                  <prop name="label">2.</prop>
-                  <p>
-                     <insert param-id="ac-2_prm_6"/> when users are terminated or transferred; and</p>
-               </part>
-               <part name="item" id="ac-2_smt.h.3">
-                  <prop name="label">3.</prop>
-                  <p>
-                     <insert param-id="ac-2_prm_7"/> when system usage or need-to-know changes for an individual;</p>
-               </part>
-            </part>
-            <part name="item" id="ac-2_smt.i">
-               <prop name="label">i.</prop>
-               <p>Authorize access to the system based on:</p>
-               <part name="item" id="ac-2_smt.i.1">
-                  <prop name="label">1.</prop>
-                  <p>A valid access authorization;</p>
-               </part>
-               <part name="item" id="ac-2_smt.i.2">
-                  <prop name="label">2.</prop>
-                  <p>Intended system usage; and</p>
-               </part>
-               <part name="item" id="ac-2_smt.i.3">
-                  <prop name="label">3.</prop>
-                  <p>
-                     <insert param-id="ac-2_prm_8"/>;</p>
-               </part>
-            </part>
-            <part name="item" id="ac-2_smt.j">
-               <prop name="label">j.</prop>
-               <p>Review accounts for compliance with account management requirements <insert param-id="ac-2_prm_9"/>;</p>
-            </part>
-            <part name="item" id="ac-2_smt.k">
-               <prop name="label">k.</prop>
-               <p>Establish and implement a process for changing shared or group account credentials (if deployed) when individuals are removed from the group; and</p>
-            </part>
-            <part name="item" id="ac-2_smt.l">
-               <prop name="label">l.</prop>
-               <p>Align account management processes with personnel termination and transfer processes.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-2_gdn">
-            <p>Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflects the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. External system accounts are not included in the scope of this control. Organizations address external system accounts through organizational policy.
-Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy on establishing the specific conditions for group and role membership; specifying for each account, authorized users, group and role membership, and access authorizations; and creating, adjusting, or removing system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors triggering the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.
-Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required; and when individuals are transferred or terminated. Changing shared/group account credentials when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-2.1">
-            <title>Automated System Account Management</title>
-            <param id="ac-2.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">AC-2(1)</prop>
-            <prop name="sort-id">AC-02(01)</prop>
-            <part name="statement" id="ac-2.1_smt">
-               <p>Support the management of system accounts using <insert param-id="ac-2.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-2.1_gdn">
-               <p>Automated mechanisms include using email or text messaging to automatically notify account managers when users are terminated or transferred; using the system to monitor account usage; and using telephonic notification to report atypical system account usage.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.2">
-            <title>Automated Temporary and Emergency Account Management</title>
-            <param id="ac-2.2_prm_1">
-               <select>
-                  <choice>remove</choice>
-                  <choice>disable</choice>
-               </select>
-            </param>
-            <param id="ac-2.2_prm_2">
-               <label>organization-defined time-period for each type of account</label>
-            </param>
-            <prop name="label">AC-2(2)</prop>
-            <prop name="sort-id">AC-02(02)</prop>
-            <part name="statement" id="ac-2.2_smt">
-               <p>Automatically <insert param-id="ac-2.2_prm_1"/> temporary and emergency accounts after <insert param-id="ac-2.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-2.2_gdn">
-               <p>Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time-period, rather than at the convenience of the systems administrator. Automatic removal or disabling of accounts provides a more consistent implementation.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.3">
-            <title>Disable Accounts</title>
-            <param id="ac-2.3_prm_1">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">AC-2(3)</prop>
-            <prop name="sort-id">AC-02(03)</prop>
-            <part name="statement" id="ac-2.3_smt">
-               <p>Disable accounts when the accounts:</p>
-               <part name="item" id="ac-2.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Have expired;</p>
-               </part>
-               <part name="item" id="ac-2.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Are no longer associated with a user or individual;</p>
-               </part>
-               <part name="item" id="ac-2.3_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Are in violation of organizational policy; or</p>
-               </part>
-               <part name="item" id="ac-2.3_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Have been inactive for <insert param-id="ac-2.3_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-2.3_gdn">
-               <p>Disabling expired, inactive, or otherwise anomalous accounts supports the concept of least privilege and least functionality which reduces the attack surface of the system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.4">
-            <title>Automated Audit Actions</title>
-            <prop name="label">AC-2(4)</prop>
-            <prop name="sort-id">AC-02(04)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <part name="statement" id="ac-2.4_smt">
-               <p>Automatically audit account creation, modification, enabling, disabling, and removal actions.</p>
-            </part>
-            <part name="guidance" id="ac-2.4_gdn">
-               <p>Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.5">
-            <title>Inactivity Logout</title>
-            <param id="ac-2.5_prm_1">
-               <label>organization-defined time-period of expected inactivity or description of when to log out</label>
-            </param>
-            <prop name="label">AC-2(5)</prop>
-            <prop name="sort-id">AC-02(05)</prop>
-            <link rel="related" href="#ac-11">AC-11</link>
-            <part name="statement" id="ac-2.5_smt">
-               <p>Require that users log out when <insert param-id="ac-2.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-2.5_gdn">
-               <p>Inactivity logout is behavior or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of this control enhancement is addressed by AC-11.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.6">
-            <title>Dynamic Privilege Management</title>
-            <param id="ac-2.6_prm_1">
-               <label>organization-defined dynamic privilege management capabilities</label>
-            </param>
-            <prop name="label">AC-2(6)</prop>
-            <prop name="sort-id">AC-02(06)</prop>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <part name="statement" id="ac-2.6_smt">
-               <p>Implement <insert param-id="ac-2.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-2.6_gdn">
-               <p>In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on run time access control decisions facilitated by dynamic privilege management such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users, as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.7">
-            <title>Privileged User Accounts</title>
-            <param id="ac-2.7_prm_1">
-               <select>
-                  <choice>a role-based access scheme</choice>
-                  <choice>an attribute-based access scheme</choice>
-               </select>
-            </param>
-            <prop name="label">AC-2(7)</prop>
-            <prop name="sort-id">AC-02(07)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <part name="statement" id="ac-2.7_smt">
-               <part name="item" id="ac-2.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Establish and administer privileged user accounts in accordance with <insert param-id="ac-2.7_prm_1"/>;</p>
-               </part>
-               <part name="item" id="ac-2.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Monitor privileged role or attribute assignments;</p>
-               </part>
-               <part name="item" id="ac-2.7_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Monitor changes to roles or attributes; and</p>
-               </part>
-               <part name="item" id="ac-2.7_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Revoke access when privileged role or attribute assignments are no longer appropriate.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-2.7_gdn">
-               <p>Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.8">
-            <title>Dynamic Account Management</title>
-            <param id="ac-2.8_prm_1">
-               <label>organization-defined system accounts</label>
-            </param>
-            <prop name="label">AC-2(8)</prop>
-            <prop name="sort-id">AC-02(08)</prop>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <part name="statement" id="ac-2.8_smt">
-               <p>Create, activate, manage, and deactivate <insert param-id="ac-2.8_prm_1"/> dynamically.</p>
-            </part>
-            <part name="guidance" id="ac-2.8_gdn">
-               <p>Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at run time for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.9">
-            <title>Restrictions on Use of Shared and Group Accounts</title>
-            <param id="ac-2.9_prm_1">
-               <label>organization-defined conditions for establishing shared and group accounts</label>
-            </param>
-            <prop name="label">AC-2(9)</prop>
-            <prop name="sort-id">AC-02(09)</prop>
-            <part name="statement" id="ac-2.9_smt">
-               <p>Only permit the use of shared and group accounts that meet <insert param-id="ac-2.9_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-2.9_gdn">
-               <p>Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.10">
-            <title>Shared and Group Account Credential Change</title>
-            <prop name="label">AC-2(10)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-02(10)</prop>
-            <link href="#ac-2_smt.k" rel="incorporated-into">AC-2k</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.11">
-            <title>Usage Conditions</title>
-            <param id="ac-2.11_prm_1">
-               <label>organization-defined circumstances and/or usage conditions</label>
-            </param>
-            <param id="ac-2.11_prm_2">
-               <label>organization-defined system accounts</label>
-            </param>
-            <prop name="label">AC-2(11)</prop>
-            <prop name="sort-id">AC-02(11)</prop>
-            <part name="statement" id="ac-2.11_smt">
-               <p>Enforce <insert param-id="ac-2.11_prm_1"/> for  <insert param-id="ac-2.11_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-2.11_gdn">
-               <p>Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.12">
-            <title>Account Monitoring for Atypical Usage</title>
-            <param id="ac-2.12_prm_1">
-               <label>organization-defined atypical usage</label>
-            </param>
-            <param id="ac-2.12_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">AC-2(12)</prop>
-            <prop name="sort-id">AC-02(12)</prop>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="ac-2.12_smt">
-               <part name="item" id="ac-2.12_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Monitor system accounts for <insert param-id="ac-2.12_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="ac-2.12_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Report atypical usage of system accounts to <insert param-id="ac-2.12_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-2.12_gdn">
-               <p>Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals working in organizations. Account monitoring may inadvertently create privacy risks. Data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.13">
-            <title>Disable Accounts for High-risk Individuals</title>
-            <param id="ac-2.13_prm_1">
-               <label>organization-defined time-period</label>
-            </param>
-            <param id="ac-2.13_prm_2">
-               <label>organization-defined significant risks</label>
-            </param>
-            <prop name="label">AC-2(13)</prop>
-            <prop name="sort-id">AC-02(13)</prop>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="ac-2.13_smt">
-               <p>Disable accounts of users within <insert param-id="ac-2.13_prm_1"/> of discovery of <insert param-id="ac-2.13_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-2.13_gdn">
-               <p>Users posing a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes the adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential for execution of this control enhancement.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-2.14">
-            <title>Prohibit Specific Account Types</title>
-            <param id="ac-2.14_prm_1">
-               <select how-many="one or more">
-                  <choice>shared</choice>
-                  <choice>guest</choice>
-                  <choice>anonymous</choice>
-                  <choice>temporary</choice>
-                  <choice>emergency</choice>
-               </select>
-            </param>
-            <param id="ac-2.14_prm_2">
-               <label>organization-defined information types</label>
-            </param>
-            <prop name="label">AC-2(14)</prop>
-            <prop name="sort-id">AC-02(14)</prop>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <part name="statement" id="ac-2.14_smt">
-               <p>Prohibit the use of <insert param-id="ac-2.14_prm_1"/> accounts for access to <insert param-id="ac-2.14_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-2.14_gdn">
-               <p>Organizations determine what types of accounts are prohibited based on the security and privacy risk.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-3">
-         <title>Access Enforcement</title>
-         <prop name="label">AC-3</prop>
-         <prop name="sort-id">AC-03</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#770f9bdc-4023-48ef-8206-c65397f061ea">[SP 800-57-1]</link>
-         <link rel="reference" href="#69644a9e-438a-47c3-bac9-cf28b5baf848">[SP 800-57-2]</link>
-         <link rel="reference" href="#9933c883-e8f3-4a83-9a9a-d1e058038080">[SP 800-57-3]</link>
-         <link rel="reference" href="#359f960c-2598-454c-ba3b-a30c553e498f">[SP 800-162]</link>
-         <link rel="reference" href="#223b23a9-baea-4a50-8058-63cf7967b61f">[SP 800-178]</link>
-         <link rel="reference" href="#bb22d510-54a9-4588-b725-00d37576562b">[IR 7874]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-5">AC-5</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#ac-21">AC-21</link>
-         <link rel="related" href="#ac-22">AC-22</link>
-         <link rel="related" href="#ac-24">AC-24</link>
-         <link rel="related" href="#ac-25">AC-25</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#ca-9">CA-9</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-6">IA-6</link>
-         <link rel="related" href="#ia-7">IA-7</link>
-         <link rel="related" href="#ia-11">IA-11</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pm-2">PM-2</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#sc-4">SC-4</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-31">SC-31</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="ac-3_smt">
-            <p>Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.</p>
-         </part>
-         <part name="guidance" id="ac-3_gdn">
-            <p>Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of missions and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-3.1">
-            <title>Restricted Access to Privileged Functions</title>
-            <prop name="label">AC-3(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-03(01)</prop>
-            <link rel="incorporated-into" href="#ac-6">AC-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.2">
-            <title>Dual Authorization</title>
-            <param id="ac-3.2_prm_1">
-               <label>organization-defined privileged commands and/or other organization-defined actions</label>
-            </param>
-            <prop name="label">AC-3(2)</prop>
-            <prop name="sort-id">AC-03(02)</prop>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <part name="statement" id="ac-3.2_smt">
-               <p>Enforce dual authorization for <insert param-id="ac-3.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-3.2_gdn">
-               <p>Dual authorization, also known as two-person control, reduces risk related to insider threat. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.3">
-            <title>Mandatory Access Control</title>
-            <param id="ac-3.3_prm_1">
-               <label>organization-defined mandatory access control policy</label>
-            </param>
-            <param id="ac-3.3_prm_2">
-               <label>organization-defined subjects</label>
-            </param>
-            <param id="ac-3.3_prm_3">
-               <label>organization-defined privileges</label>
-            </param>
-            <prop name="label">AC-3(3)</prop>
-            <prop name="sort-id">AC-03(03)</prop>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <part name="statement" id="ac-3.3_smt">
-               <p>Enforce <insert param-id="ac-3.3_prm_1"/> over the set of covered subjects and objects specified in the policy, and where the policy:</p>
-               <part name="item" id="ac-3.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Is uniformly enforced across the covered subjects and objects within the system;</p>
-               </part>
-               <part name="item" id="ac-3.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Specifies that a subject that has been granted access to information is constrained from doing any of the following;</p>
-                  <part name="item" id="ac-3.3_smt.b.1">
-                     <prop name="label">(1)</prop>
-                     <p>Passing the information to unauthorized subjects or objects;</p>
-                  </part>
-                  <part name="item" id="ac-3.3_smt.b.2">
-                     <prop name="label">(2)</prop>
-                     <p>Granting its privileges to other subjects;</p>
-                  </part>
-                  <part name="item" id="ac-3.3_smt.b.3">
-                     <prop name="label">(3)</prop>
-                     <p>Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;</p>
-                  </part>
-                  <part name="item" id="ac-3.3_smt.b.4">
-                     <prop name="label">(4)</prop>
-                     <p>Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and</p>
-                  </part>
-                  <part name="item" id="ac-3.3_smt.b.5">
-                     <prop name="label">(5)</prop>
-                     <p>Changing the rules governing access control; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ac-3.3_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Specifies that <insert param-id="ac-3.3_prm_2"/> may explicitly be granted <insert param-id="ac-3.3_prm_3"/> such that they are not limited by any defined subset (or all) of the above constraints.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-3.3_gdn">
-               <p>Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control; otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in AC-25. The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).
-The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in AC-3(4). A subject constrained in its operation by policies governed by this control can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3(4) permits the subject to pass the information to any subject with the same sensitivity level as the subject. Examples of mandatory access control policies include the Bell-La Padula policy to protect confidentiality of information and the Biba policy to protect the integrity of information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.4">
-            <title>Discretionary Access Control</title>
-            <param id="ac-3.4_prm_1">
-               <label>organization-defined discretionary access control policy</label>
-            </param>
-            <prop name="label">AC-3(4)</prop>
-            <prop name="sort-id">AC-03(04)</prop>
-            <part name="statement" id="ac-3.4_smt">
-               <p>Enforce <insert param-id="ac-3.4_prm_1"/> over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:</p>
-               <part name="item" id="ac-3.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Pass the information to any other subjects or objects;</p>
-               </part>
-               <part name="item" id="ac-3.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Grant its privileges to other subjects;</p>
-               </part>
-               <part name="item" id="ac-3.4_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Change security attributes on subjects, objects, the system, or the system’s components;</p>
-               </part>
-               <part name="item" id="ac-3.4_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Choose the security attributes to be associated with newly created or revised objects; or</p>
-               </part>
-               <part name="item" id="ac-3.4_smt.e">
-                  <prop name="label">(e)</prop>
-                  <p>Change the rules governing access control.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-3.4_gdn">
-               <p>When discretionary access control policies are implemented, subjects are not constrained regarding what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in AC-3(3) and AC-3(15). A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while AC-3(3) imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3(4) permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.5">
-            <title>Security-relevant Information</title>
-            <param id="ac-3.5_prm_1">
-               <label>organization-defined security-relevant information</label>
-            </param>
-            <prop name="label">AC-3(5)</prop>
-            <prop name="sort-id">AC-03(05)</prop>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#sc-39">SC-39</link>
-            <part name="statement" id="ac-3.5_smt">
-               <p>Prevent access to <insert param-id="ac-3.5_prm_1"/> except during secure, non-operable system states.</p>
-            </part>
-            <part name="guidance" id="ac-3.5_gdn">
-               <p>Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing such as when the system is off-line for maintenance, boot-up, troubleshooting, or shut down.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.6">
-            <title>Protection of User and System Information</title>
-            <prop name="label">AC-3(6)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-03(06)</prop>
-            <link rel="incorporated-into" href="#mp-4">MP-4</link>
-            <link rel="incorporated-into" href="#sc-28">SC-28</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.7">
-            <title>Role-based Access Control</title>
-            <param id="ac-3.7_prm_1">
-               <label>organization-defined roles and users authorized to assume such roles</label>
-            </param>
-            <prop name="label">AC-3(7)</prop>
-            <prop name="sort-id">AC-03(07)</prop>
-            <part name="statement" id="ac-3.7_smt">
-               <p>Enforce a role-based access control policy over defined subjects and objects and control access based upon <insert param-id="ac-3.7_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-3.7_gdn">
-               <p>Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to the specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for because privileges are not assigned directly to every user (which can potentially be a large number of individuals) but are instead acquired through role assignments. RBAC can be implemented as a mandatory or discretionary form of access control. For those organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.8">
-            <title>Revocation of Access Authorizations</title>
-            <param id="ac-3.8_prm_1">
-               <label>organization-defined rules governing the timing of revocations of access authorizations</label>
-            </param>
-            <prop name="label">AC-3(8)</prop>
-            <prop name="sort-id">AC-03(08)</prop>
-            <part name="statement" id="ac-3.8_smt">
-               <p>Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on <insert param-id="ac-3.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-3.8_gdn">
-               <p>Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.9">
-            <title>Controlled Release</title>
-            <param id="ac-3.9_prm_1">
-               <label>organization-defined system or system component</label>
-            </param>
-            <param id="ac-3.9_prm_2">
-               <label>organization-defined controls</label>
-            </param>
-            <param id="ac-3.9_prm_3">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">AC-3(9)</prop>
-            <prop name="sort-id">AC-03(09)</prop>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#pt-2">PT-2</link>
-            <link rel="related" href="#pt-3">PT-3</link>
-            <link rel="related" href="#pt-8">PT-8</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <part name="statement" id="ac-3.9_smt">
-               <p>Release information outside of the system only if:</p>
-               <part name="item" id="ac-3.9_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>The receiving <insert param-id="ac-3.9_prm_1"/> provides <insert param-id="ac-3.9_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="ac-3.9_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="ac-3.9_prm_3"/> are used to validate the appropriateness of the information designated for release.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-3.9_gdn">
-               <p>Systems can only protect organizational information within the confines of established system boundaries. Additional controls may be needed to ensure that such information is adequately protected once it is passed beyond the established system boundaries. In situations where the system is unable to determine the adequacy of the protections provided by external entities, as a mitigating control, organizations determine procedurally whether the external systems are providing adequate controls. The means used to determine the adequacy of controls provided by external systems include conducting periodic assessments (inspections/tests); establishing agreements between the organization and its counterpart organizations; or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security and privacy policy to protect the information and individuals’ privacy.
-Controlled release of information requires systems to implement technical or procedural means to validate the information prior to releasing it to external systems. For example, if the system passes information to a system controlled by another organization, technical means are employed to validate that the security and privacy attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only authorized individuals gain access to the printer.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.10">
-            <title>Audited Override of Access Control Mechanisms</title>
-            <param id="ac-3.10_prm_1">
-               <label>organization-defined conditions</label>
-            </param>
-            <param id="ac-3.10_prm_2">
-               <label>organization-defined roles</label>
-            </param>
-            <prop name="label">AC-3(10)</prop>
-            <prop name="sort-id">AC-03(10)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#au-14">AU-14</link>
-            <part name="statement" id="ac-3.10_smt">
-               <p>Employ an audited override of automated access control mechanisms under <insert param-id="ac-3.10_prm_1"/> by <insert param-id="ac-3.10_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-3.10_gdn">
-               <p>In certain situations, for example, where there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and are used only in those limited circumstances. Audit events are defined in AU-2. Audit records are generated in AU-12.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.11">
-            <title>Restrict Access to Specific Information Types</title>
-            <param id="ac-3.11_prm_1">
-               <label>organization-defined information types</label>
-            </param>
-            <prop name="label">AC-3(11)</prop>
-            <prop name="sort-id">AC-03(11)</prop>
-            <part name="statement" id="ac-3.11_smt">
-               <p>Restrict access to data repositories containing <insert param-id="ac-3.11_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-3.11_gdn">
-               <p>Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.12">
-            <title>Assert and Enforce Application Access</title>
-            <param id="ac-3.12_prm_1">
-               <label>organization-defined system applications and functions</label>
-            </param>
-            <prop name="label">AC-3(12)</prop>
-            <prop name="sort-id">AC-03(12)</prop>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <part name="statement" id="ac-3.12_smt">
-               <part name="item" id="ac-3.12_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: <insert param-id="ac-3.12_prm_1"/>;</p>
-               </part>
-               <part name="item" id="ac-3.12_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Provide an enforcement mechanism to prevent unauthorized access; and</p>
-               </part>
-               <part name="item" id="ac-3.12_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Approve access changes after initial installation of the application.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-3.12_gdn">
-               <p>Asserting and enforcing application access is intended to address applications that need to access existing system applications and functions, including user contacts, global positioning system, camera, keyboard, microphone, network, phones, or other files.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.13">
-            <title>Attribute-based Access Control</title>
-            <param id="ac-3.13_prm_1">
-               <label>organization-defined attributes to assume access permissions</label>
-            </param>
-            <prop name="label">AC-3(13)</prop>
-            <prop name="sort-id">AC-03(13)</prop>
-            <part name="statement" id="ac-3.13_smt">
-               <p>Enforce attribute-based access control policy over defined subjects and objects and control access based upon <insert param-id="ac-3.13_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-3.13_gdn">
-               <p>Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity); action attributes (e.g., read, write, delete); environmental attributes (e.g., time of day, location); and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource upon access. Attribute-based access control can be implemented as a mandatory or discretionary form of access control. For attribute-based access control implemented with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.14">
-            <title>Individual Access</title>
-            <param id="ac-3.14_prm_1">
-               <label>organization-defined mechanisms</label>
-            </param>
-            <param id="ac-3.14_prm_2">
-               <label>organization-defined elements</label>
-            </param>
-            <prop name="label">AC-3(14)</prop>
-            <prop name="sort-id">AC-03(14)</prop>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <link rel="related" href="#pt-3">PT-3</link>
-            <link rel="related" href="#si-18">SI-18</link>
-            <part name="statement" id="ac-3.14_smt">
-               <p>Provide <insert param-id="ac-3.14_prm_1"/> to enable individuals to have access to the following elements of their personally identifiable information: <insert param-id="ac-3.14_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-3.14_gdn">
-               <p>Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. Access to certain types of records may not be appropriate or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-3.15">
-            <title>Discretionary and Mandatory Access Control</title>
-            <param id="ac-3.15_prm_1">
-               <label>organization-defined mandatory access control policy</label>
-            </param>
-            <param id="ac-3.15_prm_2">
-               <label>organization-defined discretionary access control policy</label>
-            </param>
-            <prop name="label">AC-3(15)</prop>
-            <prop name="sort-id">AC-03(15)</prop>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <part name="statement" id="ac-3.15_smt">
-               <part name="item" id="ac-3.15_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Enforce <insert param-id="ac-3.15_prm_1"/> over the set of covered subjects and objects specified in the policy; and</p>
-               </part>
-               <part name="item" id="ac-3.15_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Enforce <insert param-id="ac-3.15_prm_2"/> over the set of covered subjects and objects specified in the policy.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-3.15_gdn">
-               <p>Implementing a mandatory access control policy and a discretionary access control policy simultaneously can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-4">
-         <title>Information Flow Enforcement</title>
-         <param id="ac-4_prm_1">
-            <label>organization-defined information flow control policies</label>
-         </param>
-         <prop name="label">AC-4</prop>
-         <prop name="sort-id">AC-04</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#359f960c-2598-454c-ba3b-a30c553e498f">[SP 800-162]</link>
-         <link rel="reference" href="#223b23a9-baea-4a50-8058-63cf7967b61f">[SP 800-178]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ac-21">AC-21</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#ca-9">CA-9</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#pm-24">PM-24</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sc-4">SC-4</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-16">SC-16</link>
-         <link rel="related" href="#sc-31">SC-31</link>
-         <part name="statement" id="ac-4_smt">
-            <p>Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on <insert param-id="ac-4_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="ac-4_gdn">
-            <p>Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization; keeping export-controlled information from being transmitted in the clear to the Internet; restricting web requests that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only); verifying write permissions before accepting information from another security or privacy domain or connected system; employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and security or privacy labels.
-Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. This control also applies to control plane traffic (e.g., routing and DNS).</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-4.1">
-            <title>Object Security and Privacy Attributes</title>
-            <param id="ac-4.1_prm_1">
-               <label>organization-defined security and privacy attributes</label>
-            </param>
-            <param id="ac-4.1_prm_2">
-               <label>organization-defined information, source, and destination objects</label>
-            </param>
-            <param id="ac-4.1_prm_3">
-               <label>organization-defined information flow control policies</label>
-            </param>
-            <prop name="label">AC-4(1)</prop>
-            <prop name="sort-id">AC-04(01)</prop>
-            <part name="statement" id="ac-4.1_smt">
-               <p>Use <insert param-id="ac-4.1_prm_1"/> associated with <insert param-id="ac-4.1_prm_2"/> to enforce <insert param-id="ac-4.1_prm_3"/> as a basis for flow control decisions.</p>
-            </part>
-            <part name="guidance" id="ac-4.1_gdn">
-               <p>Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. A dataset of personally identifiable information may be tagged with restrictions against combining with other types of datasets, and therefore, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.2">
-            <title>Processing Domains</title>
-            <param id="ac-4.2_prm_1">
-               <label>organization-defined information flow control policies</label>
-            </param>
-            <prop name="label">AC-4(2)</prop>
-            <prop name="sort-id">AC-04(02)</prop>
-            <link rel="related" href="#sc-39">SC-39</link>
-            <part name="statement" id="ac-4.2_smt">
-               <p>Use protected processing domains to enforce <insert param-id="ac-4.2_prm_1"/> as a basis for flow control decisions.</p>
-            </part>
-            <part name="guidance" id="ac-4.2_gdn">
-               <p>Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains; information is identified by types; and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.3">
-            <title>Dynamic Information Flow Control</title>
-            <param id="ac-4.3_prm_1">
-               <label>organization-defined information flow control policies</label>
-            </param>
-            <prop name="label">AC-4(3)</prop>
-            <prop name="sort-id">AC-04(03)</prop>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="ac-4.3_smt">
-               <p>Enforce <insert param-id="ac-4.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-4.3_gdn">
-               <p>Organizational policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission or operational considerations. Changing conditions include changes in risk tolerance due to changes in the immediacy of mission or business needs, changes in the threat environment, and detection of potentially harmful or adverse events.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.4">
-            <title>Flow Control of Encrypted Information</title>
-            <param id="ac-4.4_prm_1">
-               <label>organization-defined information flow control mechanisms</label>
-            </param>
-            <param id="ac-4.4_prm_2">
-               <select how-many="one or more">
-                  <choice>decrypting the information</choice>
-                  <choice>blocking the flow of the encrypted information</choice>
-                  <choice>terminating communications sessions attempting to pass encrypted information</choice>
-                  <choice>
-                     <insert param-id="ac-4.4_prm_3"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="ac-4.4_prm_3" depends-on="ac-4.4_prm_2">
-               <label>organization-defined procedure or method</label>
-            </param>
-            <prop name="label">AC-4(4)</prop>
-            <prop name="sort-id">AC-04(04)</prop>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="ac-4.4_smt">
-               <p>Prevent encrypted information from bypassing <insert param-id="ac-4.4_prm_1"/> by <insert param-id="ac-4.4_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-4.4_gdn">
-               <p>Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.5">
-            <title>Embedded Data Types</title>
-            <param id="ac-4.5_prm_1">
-               <label>organization-defined limitations</label>
-            </param>
-            <prop name="label">AC-4(5)</prop>
-            <prop name="sort-id">AC-04(05)</prop>
-            <part name="statement" id="ac-4.5_smt">
-               <p>Enforce <insert param-id="ac-4.5_prm_1"/> on embedding data types within other data types.</p>
-            </part>
-            <part name="guidance" id="ac-4.5_gdn">
-               <p>Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.6">
-            <title>Metadata</title>
-            <param id="ac-4.6_prm_1">
-               <label>organization-defined metadata</label>
-            </param>
-            <prop name="label">AC-4(6)</prop>
-            <prop name="sort-id">AC-04(06)</prop>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="ac-4.6_smt">
-               <p>Enforce information flow control based on <insert param-id="ac-4.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-4.6_gdn">
-               <p>Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., ensuring sufficiently strong binding techniques with appropriate levels of assurance).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.7">
-            <title>One-way Flow Mechanisms</title>
-            <prop name="label">AC-4(7)</prop>
-            <prop name="sort-id">AC-04(07)</prop>
-            <part name="statement" id="ac-4.7_smt">
-               <p>Enforce one-way information flows through hardware-based flow control mechanisms.</p>
-            </part>
-            <part name="guidance" id="ac-4.7_gdn">
-               <p>One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system, while permitting data from a lower impact or unclassified domain or system to be imported.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.8">
-            <title>Security and Privacy Policy Filters</title>
-            <param id="ac-4.8_prm_1">
-               <label>organization-defined security or privacy policy filters</label>
-            </param>
-            <param id="ac-4.8_prm_2">
-               <label>organization-defined information flows</label>
-            </param>
-            <param id="ac-4.8_prm_3">
-               <select how-many="one or more">
-                  <choice>block</choice>
-                  <choice>strip</choice>
-                  <choice>modify</choice>
-                  <choice>quarantine</choice>
-               </select>
-            </param>
-            <param id="ac-4.8_prm_4">
-               <label>organization-defined security or privacy policy</label>
-            </param>
-            <prop name="label">AC-4(8)</prop>
-            <prop name="sort-id">AC-04(08)</prop>
-            <part name="statement" id="ac-4.8_smt">
-               <part name="item" id="ac-4.8_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Enforce information flow control using <insert param-id="ac-4.8_prm_1"/> as a basis for flow control decisions for <insert param-id="ac-4.8_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="ac-4.8_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="ac-4.8_prm_3"/> data after a filter processing failure in accordance with <insert param-id="ac-4.8_prm_4"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-4.8_gdn">
-               <p>Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the sensitivity of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files); and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.9">
-            <title>Human Reviews</title>
-            <param id="ac-4.9_prm_1">
-               <label>organization-defined information flows</label>
-            </param>
-            <param id="ac-4.9_prm_2">
-               <label>organization-defined conditions</label>
-            </param>
-            <prop name="label">AC-4(9)</prop>
-            <prop name="sort-id">AC-04(09)</prop>
-            <part name="statement" id="ac-4.9_smt">
-               <p>Enforce the use of human reviews for <insert param-id="ac-4.9_prm_1"/> under the following conditions: <insert param-id="ac-4.9_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-4.9_gdn">
-               <p>Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of, or as a complement to, automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.10">
-            <title>Enable and Disable Security or Privacy Policy Filters</title>
-            <param id="ac-4.10_prm_1">
-               <label>organization-defined security or privacy policy filters</label>
-            </param>
-            <param id="ac-4.10_prm_2">
-               <label>organization-defined conditions</label>
-            </param>
-            <prop name="label">AC-4(10)</prop>
-            <prop name="sort-id">AC-04(10)</prop>
-            <part name="statement" id="ac-4.10_smt">
-               <p>Provide the capability for privileged administrators to enable and disable <insert param-id="ac-4.10_prm_1"/> under the following conditions: <insert param-id="ac-4.10_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-4.10_gdn">
-               <p>For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security or privacy domains, and other security or privacy relevant features, as needed.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.11">
-            <title>Configuration of Security or Privacy Policy Filters</title>
-            <param id="ac-4.11_prm_1">
-               <label>organization-defined security or privacy policy filters</label>
-            </param>
-            <prop name="label">AC-4(11)</prop>
-            <prop name="sort-id">AC-04(11)</prop>
-            <part name="statement" id="ac-4.11_smt">
-               <p>Provide the capability for privileged administrators to configure <insert param-id="ac-4.11_prm_1"/> to support different security or privacy policies.</p>
-            </part>
-            <part name="guidance" id="ac-4.11_gdn">
-               <p>Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of “dirty words” that security or privacy policy mechanisms check in accordance with the definitions provided by organizations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.12">
-            <title>Data Type Identifiers</title>
-            <param id="ac-4.12_prm_1">
-               <label>organization-defined data type identifiers</label>
-            </param>
-            <prop name="label">AC-4(12)</prop>
-            <prop name="sort-id">AC-04(12)</prop>
-            <part name="statement" id="ac-4.12_smt">
-               <p>When transferring information between different security or privacy domains, use <insert param-id="ac-4.12_prm_1"/> to validate data essential for information flow decisions.</p>
-            </part>
-            <part name="guidance" id="ac-4.12_gdn">
-               <p>Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems allow transfer of data only if compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure it is the proper data type.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.13">
-            <title>Decomposition into Policy-relevant Subcomponents</title>
-            <param id="ac-4.13_prm_1">
-               <label>organization-defined policy-relevant subcomponents</label>
-            </param>
-            <prop name="label">AC-4(13)</prop>
-            <prop name="sort-id">AC-04(13)</prop>
-            <part name="statement" id="ac-4.13_smt">
-               <p>When transferring information between different security or privacy domains, decompose information into <insert param-id="ac-4.13_prm_1"/> for submission to policy enforcement mechanisms.</p>
-            </part>
-            <part name="guidance" id="ac-4.13_gdn">
-               <p>Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security or privacy domains.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.14">
-            <title>Security or Privacy Policy Filter Constraints</title>
-            <param id="ac-4.14_prm_1">
-               <label>organization-defined security or privacy policy filters</label>
-            </param>
-            <prop name="label">AC-4(14)</prop>
-            <prop name="sort-id">AC-04(14)</prop>
-            <part name="statement" id="ac-4.14_smt">
-               <p>When transferring information between different security or privacy domains, implement <insert param-id="ac-4.14_prm_1"/> requiring fully enumerated formats that restrict data structure and content.</p>
-            </part>
-            <part name="guidance" id="ac-4.14_gdn">
-               <p>Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets; restricting character data fields to only contain alpha-numeric characters; prohibiting special characters; and validating schema structures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.15">
-            <title>Detection of Unsanctioned Information</title>
-            <param id="ac-4.15_prm_1">
-               <label>organization-defined unsanctioned information</label>
-            </param>
-            <param id="ac-4.15_prm_2">
-               <label>organization-defined security or privacy policy</label>
-            </param>
-            <prop name="label">AC-4(15)</prop>
-            <prop name="sort-id">AC-04(15)</prop>
-            <link rel="related" href="#si-3">SI-3</link>
-            <part name="statement" id="ac-4.15_smt">
-               <p>When transferring information between different security or privacy domains, examine the information for the presence of <insert param-id="ac-4.15_prm_1"/> and prohibit the transfer of such information in accordance with the <insert param-id="ac-4.15_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-4.15_gdn">
-               <p>Unsanctioned information includes malicious code, dirty words, sensitive information inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.16">
-            <title>Information Transfers on Interconnected Systems</title>
-            <prop name="label">AC-4(16)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-04(16)</prop>
-            <link rel="incorporated-into" href="#ac-4">AC-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.17">
-            <title>Domain Authentication</title>
-            <param id="ac-4.17_prm_1">
-               <select how-many="one or more">
-                  <choice>organization</choice>
-                  <choice>system</choice>
-                  <choice>application</choice>
-                  <choice>service</choice>
-                  <choice>individual</choice>
-               </select>
-            </param>
-            <prop name="label">AC-4(17)</prop>
-            <prop name="sort-id">AC-04(17)</prop>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-9">IA-9</link>
-            <part name="statement" id="ac-4.17_smt">
-               <p>Uniquely identify and authenticate source and destination points by <insert param-id="ac-4.17_prm_1"/> for information transfer.</p>
-            </part>
-            <part name="guidance" id="ac-4.17_gdn">
-               <p>Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems, allows the forensic reconstruction of events, and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.18">
-            <title>Security Attribute Binding</title>
-            <prop name="label">AC-4(18)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-04(18)</prop>
-            <link rel="incorporated-into" href="#ac-16">AC-16</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.19">
-            <title>Validation of Metadata</title>
-            <param id="ac-4.19_prm_1">
-               <label>organization-defined security or privacy policy filters</label>
-            </param>
-            <prop name="label">AC-4(19)</prop>
-            <prop name="sort-id">AC-04(19)</prop>
-            <part name="statement" id="ac-4.19_smt">
-               <p>When transferring information between different security or privacy domains, implement <insert param-id="ac-4.19_prm_1"/> on metadata.</p>
-            </part>
-            <part name="guidance" id="ac-4.19_gdn">
-               <p>All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions, considering metadata and the data to which the metadata applies as part of the payload.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.20">
-            <title>Approved Solutions</title>
-            <param id="ac-4.20_prm_1">
-               <label>organization-defined solutions in approved configurations</label>
-            </param>
-            <param id="ac-4.20_prm_2">
-               <label>organization-defined information</label>
-            </param>
-            <prop name="label">AC-4(20)</prop>
-            <prop name="sort-id">AC-04(20)</prop>
-            <part name="statement" id="ac-4.20_smt">
-               <p>Employ <insert param-id="ac-4.20_prm_1"/> to control the flow of <insert param-id="ac-4.20_prm_2"/> across security or privacy domains.</p>
-            </part>
-            <part name="guidance" id="ac-4.20_gdn">
-               <p>Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The NSA National Cross Domain Strategy and Management Office provides a baseline listing of approved cross-domain solutions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.21">
-            <title>Physical or Logical Separation of Information Flows</title>
-            <param id="ac-4.21_prm_1">
-               <label>organization-defined mechanisms and/or techniques</label>
-            </param>
-            <param id="ac-4.21_prm_2">
-               <label>organization-defined required separations by types of information</label>
-            </param>
-            <prop name="label">AC-4(21)</prop>
-            <prop name="sort-id">AC-04(21)</prop>
-            <link rel="related" href="#sc-32">SC-32</link>
-            <part name="statement" id="ac-4.21_smt">
-               <p>Separate information flows logically or physically using <insert param-id="ac-4.21_prm_1"/> to accomplish <insert param-id="ac-4.21_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-4.21_gdn">
-               <p>Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security categories.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.22">
-            <title>Access Only</title>
-            <prop name="label">AC-4(22)</prop>
-            <prop name="sort-id">AC-04(22)</prop>
-            <part name="statement" id="ac-4.22_smt">
-               <p>Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing any information flow between the different security domains.</p>
-            </part>
-            <part name="guidance" id="ac-4.22_gdn">
-               <p>The system provides a capability for users to access each connected security domain without providing any mechanisms to allow transfer of data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.23">
-            <title>Modify Non-releasable Information</title>
-            <param id="ac-4.23_prm_1">
-               <label>organization-defined modification action</label>
-            </param>
-            <prop name="label">AC-4(23)</prop>
-            <prop name="sort-id">AC-04(23)</prop>
-            <part name="statement" id="ac-4.23_smt">
-               <p>When transferring information between different security domains, modify non-releasable information by implementing <insert param-id="ac-4.23_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-4.23_gdn">
-               <p>Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.24">
-            <title>Internal Normalized Format</title>
-            <prop name="label">AC-4(24)</prop>
-            <prop name="sort-id">AC-04(24)</prop>
-            <part name="statement" id="ac-4.24_smt">
-               <p>When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.</p>
-            </part>
-            <part name="guidance" id="ac-4.24_gdn">
-               <p>Converting data into normalized forms is one of most of effective mechanisms to stop malicious attacks and large classes of data exfiltration.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.25">
-            <title>Data Sanitization</title>
-            <param id="ac-4.25_prm_1">
-               <select how-many="one or more">
-                  <choice>delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data</choice>
-                  <choice>spillage of sensitive information</choice>
-               </select>
-            </param>
-            <param id="ac-4.25_prm_2">
-               <label>organization-defined policy</label>
-            </param>
-            <prop name="label">AC-4(25)</prop>
-            <prop name="sort-id">AC-04(25)</prop>
-            <part name="statement" id="ac-4.25_smt">
-               <p>When transferring information between different security domains, sanitize data to minimize <insert param-id="ac-4.25_prm_1"/> in accordance with <insert param-id="ac-4.25_prm_2"/>].</p>
-            </part>
-            <part name="guidance" id="ac-4.25_gdn">
-               <p>Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/SSDs, mobile devices, CDs, and DVDs) or in hard copy form.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.26">
-            <title>Audit Filtering Actions</title>
-            <prop name="label">AC-4(26)</prop>
-            <prop name="sort-id">AC-04(26)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <part name="statement" id="ac-4.26_smt">
-               <p>When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.</p>
-            </part>
-            <part name="guidance" id="ac-4.26_gdn">
-               <p>Content filtering is the process of inspecting information as it traverses a cross domain solution and determines if the information meets a pre-defined policy. Content filtering actions and results of filtering actions are recorded for individual messages to ensure the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions, for example, determining why message content was modified and/or why it failed the filtering process. Audit events are defined in AU-2. Audit records are generated in AU-12.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.27">
-            <title>Redundant/independent Filtering Mechanisms</title>
-            <prop name="label">AC-4(27)</prop>
-            <prop name="sort-id">AC-04(27)</prop>
-            <part name="statement" id="ac-4.27_smt">
-               <p>When transferring information between different security or privacy domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.</p>
-            </part>
-            <part name="guidance" id="ac-4.27_gdn">
-               <p>Content filtering is the process of inspecting information as it traverses a cross domain solution and determines if the information meets a pre-defined policy. Redundant and independent content filtering eliminates a single point of failure filtering system. Independence is defined as implementation of a content filter that uses a different code base and supporting libraries (e.g., two JPEG filters using different vendors’ JPEG libraries) and multiple, independent system processes.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.28">
-            <title>Linear Filter Pipelines</title>
-            <prop name="label">AC-4(28)</prop>
-            <prop name="sort-id">AC-04(28)</prop>
-            <part name="statement" id="ac-4.28_smt">
-               <p>When transferring information between different security or privacy domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.</p>
-            </part>
-            <part name="guidance" id="ac-4.28_gdn">
-               <p>Content filtering is the process of inspecting information as it traverses a cross domain solution and determines if the information meets a pre-defined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel filtering architectures for content filtering of a single data type introduces by-pass and non-invocation issues.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.29">
-            <title>Filter Orchestration Engines</title>
-            <param id="ac-4.29_prm_1">
-               <label>organization-defined policy</label>
-            </param>
-            <prop name="label">AC-4(29)</prop>
-            <prop name="sort-id">AC-04(29)</prop>
-            <part name="statement" id="ac-4.29_smt">
-               <p>When transferring information between different security or privacy domains, employ content filter orchestration engines to ensure that:</p>
-               <part name="item" id="ac-4.29_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Content filtering mechanisms successfully complete execution without errors; and</p>
-               </part>
-               <part name="item" id="ac-4.29_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Content filtering actions occur in the correct order and comply with <insert param-id="ac-4.29_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-4.29_gdn">
-               <p>Content filtering is the process of inspecting information as it traverses a cross domain solution and determines if the information meets a pre-defined security policy. An orchestration engine coordinates the sequencing of activities (manual and automated) in a content filtering process. Errors are defined as either anomalous actions or unexpected termination of the content filter process. This is not the same as a filter failing content due non-compliance with policy. Content filter reports are a commonly used mechanism to ensure expected filtering actions are completed successfully.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.30">
-            <title>Filter Mechanisms Using Multiple Processes</title>
-            <prop name="label">AC-4(30)</prop>
-            <prop name="sort-id">AC-04(30)</prop>
-            <part name="statement" id="ac-4.30_smt">
-               <p>When transferring information between different security or privacy domains, implement content filtering mechanisms using multiple processes.</p>
-            </part>
-            <part name="guidance" id="ac-4.30_gdn">
-               <p>The use of multiple processes to implement content filtering mechanisms reduces the likelihood of a single point of failure.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.31">
-            <title>Failed Content Transfer Prevention</title>
-            <prop name="label">AC-4(31)</prop>
-            <prop name="sort-id">AC-04(31)</prop>
-            <part name="statement" id="ac-4.31_smt">
-               <p>When transferring information between different security or privacy domains, prevent the transfer of failed content to the receiving domain.</p>
-            </part>
-            <part name="guidance" id="ac-4.31_gdn">
-               <p>Content that failed filtering checks, can corrupt the system if transferred to the receiving domain.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-4.32">
-            <title>Process Requirements for Information Transfer</title>
-            <prop name="label">AC-4(32)</prop>
-            <prop name="sort-id">AC-04(32)</prop>
-            <part name="statement" id="ac-4.32_smt">
-               <p>When transferring information between different security or privacy domains, the process that transfers information between filter pipelines:</p>
-               <part name="item" id="ac-4.32_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Does not filter message content;</p>
-               </part>
-               <part name="item" id="ac-4.32_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Validates filtering metadata;</p>
-               </part>
-               <part name="item" id="ac-4.32_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Ensures the content associated with the filtering metadata has successfully completed filtering; and</p>
-               </part>
-               <part name="item" id="ac-4.32_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Transfers the content to the destination filter pipeline.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-4.32_gdn">
-               <p>The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-5">
-         <title>Separation of Duties</title>
-         <param id="ac-5_prm_1">
-            <label>organization-defined duties of individuals requiring separation</label>
-         </param>
-         <prop name="label">AC-5</prop>
-         <prop name="sort-id">AC-05</prop>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <part name="statement" id="ac-5_smt">
-            <part name="item" id="ac-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identify and document <insert param-id="ac-5_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="ac-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Define system access authorizations to support separation of duties.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-5_gdn">
-            <p>Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles; conducting system support functions with different individuals; and ensuring security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. This control is enforced through the account management activities in AC-2 and access control mechanisms in AC-3.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-6">
-         <title>Least Privilege</title>
-         <prop name="label">AC-6</prop>
-         <prop name="sort-id">AC-06</prop>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-5">AC-5</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <part name="statement" id="ac-6_smt">
-            <p>Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.</p>
-         </part>
-         <part name="guidance" id="ac-6_gdn">
-            <p>Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary, to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-6.1">
-            <title>Authorize Access to Security Functions</title>
-            <param id="ac-6.1_prm_1">
-               <label>organization-defined individuals or roles</label>
-            </param>
-            <param id="ac-6.1_prm_2">
-               <label>organization-defined security functions (deployed in hardware, software, and firmware)</label>
-            </param>
-            <param id="ac-6.1_prm_3">
-               <label>organization-defined security-relevant information</label>
-            </param>
-            <prop name="label">AC-6(1)</prop>
-            <prop name="sort-id">AC-06(01)</prop>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <part name="statement" id="ac-6.1_smt">
-               <p>Explicitly authorize access for <insert param-id="ac-6.1_prm_1"/> to:</p>
-               <part name="item" id="ac-6.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>
-                     <insert param-id="ac-6.1_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="ac-6.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="ac-6.1_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-6.1_gdn">
-               <p>Security functions include establishing system accounts; configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Explicitly authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.2">
-            <title>Non-privileged Access for Nonsecurity Functions</title>
-            <param id="ac-6.2_prm_1">
-               <label>organization-defined security functions or security-relevant information</label>
-            </param>
-            <prop name="label">AC-6(2)</prop>
-            <prop name="sort-id">AC-06(02)</prop>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <part name="statement" id="ac-6.2_smt">
-               <p>Require that users of system accounts (or roles) with access to <insert param-id="ac-6.2_prm_1"/>, use non-privileged accounts or roles, when accessing nonsecurity functions.</p>
-            </part>
-            <part name="guidance" id="ac-6.2_gdn">
-               <p>Requiring use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.3">
-            <title>Network Access to Privileged Commands</title>
-            <param id="ac-6.3_prm_1">
-               <label>organization-defined privileged commands</label>
-            </param>
-            <param id="ac-6.3_prm_2">
-               <label>organization-defined compelling operational needs</label>
-            </param>
-            <prop name="label">AC-6(3)</prop>
-            <prop name="sort-id">AC-06(03)</prop>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <part name="statement" id="ac-6.3_smt">
-               <p>Authorize network access to <insert param-id="ac-6.3_prm_1"/> only for <insert param-id="ac-6.3_prm_2"/> and document the rationale for such access in the security plan for the system.</p>
-            </part>
-            <part name="guidance" id="ac-6.3_gdn">
-               <p>Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.4">
-            <title>Separate Processing Domains</title>
-            <prop name="label">AC-6(4)</prop>
-            <prop name="sort-id">AC-06(04)</prop>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <link rel="related" href="#sc-30">SC-30</link>
-            <link rel="related" href="#sc-32">SC-32</link>
-            <link rel="related" href="#sc-39">SC-39</link>
-            <part name="statement" id="ac-6.4_smt">
-               <p>Provide separate processing domains to enable finer-grained allocation of user privileges.</p>
-            </part>
-            <part name="guidance" id="ac-6.4_gdn">
-               <p>Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine; implementing separate physical domains, and employing hardware or software domain separation mechanisms.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.5">
-            <title>Privileged Accounts</title>
-            <param id="ac-6.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">AC-6(5)</prop>
-            <prop name="sort-id">AC-06(05)</prop>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <part name="statement" id="ac-6.5_smt">
-               <p>Restrict privileged accounts on the system to <insert param-id="ac-6.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-6.5_gdn">
-               <p>Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided they retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.6">
-            <title>Privileged Access by Non-organizational Users</title>
-            <prop name="label">AC-6(6)</prop>
-            <prop name="sort-id">AC-06(06)</prop>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <part name="statement" id="ac-6.6_smt">
-               <p>Prohibit privileged access to the system by non-organizational users.</p>
-            </part>
-            <part name="guidance" id="ac-6.6_gdn">
-               <p>An organizational user is an employee or an individual considered by the organization to have the equivalent status of an employee. Organizational users include contractors, guest researchers, or individuals detailed from other organizations. A non-organizational user is a user who is not an organizational user. Policy and procedures for granting equivalent status of employees to individuals include a need-to-know, citizenship, and the relationship to the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.7">
-            <title>Review of User Privileges</title>
-            <param id="ac-6.7_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="ac-6.7_prm_2">
-               <label>organization-defined roles or classes of users</label>
-            </param>
-            <prop name="label">AC-6(7)</prop>
-            <prop name="sort-id">AC-06(07)</prop>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <part name="statement" id="ac-6.7_smt">
-               <part name="item" id="ac-6.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Review <insert param-id="ac-6.7_prm_1"/> the privileges assigned to <insert param-id="ac-6.7_prm_2"/> to validate the need for such privileges; and</p>
-               </part>
-               <part name="item" id="ac-6.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-6.7_gdn">
-               <p>The need for certain assigned user privileges may change over time reflecting changes in organizational missions and business functions, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.8">
-            <title>Privilege Levels for Code Execution</title>
-            <param id="ac-6.8_prm_1">
-               <label>organization-defined software</label>
-            </param>
-            <prop name="label">AC-6(8)</prop>
-            <prop name="sort-id">AC-06(08)</prop>
-            <part name="statement" id="ac-6.8_smt">
-               <p>Prevent the following software from executing at higher privilege levels than users executing the software: <insert param-id="ac-6.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-6.8_gdn">
-               <p>In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.9">
-            <title>Log Use of Privileged Functions</title>
-            <prop name="label">AC-6(9)</prop>
-            <prop name="sort-id">AC-06(09)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <part name="statement" id="ac-6.9_smt">
-               <p>Audit the execution of privileged functions.</p>
-            </part>
-            <part name="guidance" id="ac-6.9_gdn">
-               <p>The misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Capturing the use of privileged functions in audit logs is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-6.10">
-            <title>Prohibit Non-privileged Users from Executing Privileged Functions</title>
-            <prop name="label">AC-6(10)</prop>
-            <prop name="sort-id">AC-06(10)</prop>
-            <part name="statement" id="ac-6.10_smt">
-               <p>Prevent non-privileged users from executing privileged functions.</p>
-            </part>
-            <part name="guidance" id="ac-6.10_gdn">
-               <p>Privileged functions include disabling, circumventing, or altering implemented security or privacy controls; establishing system accounts; performing system integrity checks; and administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. This control enhancement is enforced by AC-3.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-7">
-         <title>Unsuccessful Logon Attempts</title>
-         <param id="ac-7_prm_1">
-            <label>organization-defined number</label>
-         </param>
-         <param id="ac-7_prm_2">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="ac-7_prm_3">
-            <select how-many="one or more">
-               <choice>lock the account or node for an <insert param-id="ac-7_prm_4"/>
-               </choice>
-               <choice>lock the account or node until released by an administrator</choice>
-               <choice>delay next logon prompt per <insert param-id="ac-7_prm_5"/>
-               </choice>
-               <choice>notify system administrator</choice>
-               <choice>take other <insert param-id="ac-7_prm_6"/>
-               </choice>
-            </select>
-         </param>
-         <param id="ac-7_prm_4" depends-on="ac-7_prm_3">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="ac-7_prm_5" depends-on="ac-7_prm_3">
-            <label>organization-defined delay algorithm</label>
-         </param>
-         <param id="ac-7_prm_6" depends-on="ac-7_prm_3">
-            <label>organization-defined action</label>
-         </param>
-         <prop name="label">AC-7</prop>
-         <prop name="sort-id">AC-07</prop>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-9">AC-9</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <part name="statement" id="ac-7_smt">
-            <part name="item" id="ac-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Enforce a limit of <insert param-id="ac-7_prm_1"/> consecutive invalid logon attempts by a user during a <insert param-id="ac-7_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="ac-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Automatically <insert param-id="ac-7_prm_3"/> when the maximum number of unsuccessful attempts is exceeded.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-7_gdn">
-            <p>This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password; invoking a lockdown mode with limited user capabilities (instead of full lockout); or comparing the IP address to a list of known IP addresses for the user and then allowing additional logon attempts if the attempts are from a known IP address.
-Techniques to help prevent brute force attacks in lieu of an automatic system lockout or the execution of delay algorithms support the objective of availability while still protecting against such attacks. Techniques that are effective when used in combination include prompting the user to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded; allowing users to logon only from specified IP addresses; requiring a CAPTCHA to prevent automated attacks; or applying user profiles such as location, time of day, IP address, device, or MAC address. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-7.1">
-            <title>Automatic Account Lock</title>
-            <prop name="label">AC-7(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-07(01)</prop>
-            <link rel="incorporated-into" href="#ac-7">AC-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-7.2">
-            <title>Purge or Wipe Mobile Device</title>
-            <param id="ac-7.2_prm_1">
-               <label>organization-defined mobile devices</label>
-            </param>
-            <param id="ac-7.2_prm_2">
-               <label>organization-defined purging or wiping requirements and techniques</label>
-            </param>
-            <param id="ac-7.2_prm_3">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">AC-7(2)</prop>
-            <prop name="sort-id">AC-07(02)</prop>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <part name="statement" id="ac-7.2_smt">
-               <p>Purge or wipe information from <insert param-id="ac-7.2_prm_1"/> based on <insert param-id="ac-7.2_prm_2"/> after <insert param-id="ac-7.2_prm_3"/> consecutive, unsuccessful device logon attempts.</p>
-            </part>
-            <part name="guidance" id="ac-7.2_gdn">
-               <p>A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-7.3">
-            <title>Biometric Attempt Limiting</title>
-            <param id="ac-7.3_prm_1">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">AC-7(3)</prop>
-            <prop name="sort-id">AC-07(03)</prop>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <part name="statement" id="ac-7.3_smt">
-               <p>Limit the number of unsuccessful biometric logon attempts to <insert param-id="ac-7.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-7.3_gdn">
-               <p>Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts and fall back mechanisms for users based on organizationally-defined factors.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-7.4">
-            <title>Use of Alternate Factor</title>
-            <param id="ac-7.4_prm_1">
-               <label>organization-defined authentication factors</label>
-            </param>
-            <param id="ac-7.4_prm_2">
-               <label>organization-defined number</label>
-            </param>
-            <param id="ac-7.4_prm_3">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">AC-7(4)</prop>
-            <prop name="sort-id">AC-07(04)</prop>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <part name="statement" id="ac-7.4_smt">
-               <part name="item" id="ac-7.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Allow the use of <insert param-id="ac-7.4_prm_1"/> that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and</p>
-               </part>
-               <part name="item" id="ac-7.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Enforce a limit of <insert param-id="ac-7.4_prm_2"/> consecutive invalid logon attempts through use of the alternative factors by a user during a <insert param-id="ac-7.4_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-7.4_gdn">
-               <p>The use of alternate authentication factors supports the objective of availability and allows a user that has inadvertently been locked out to use additional authentication factors to bypass the lockout.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-8">
-         <title>System Use Notification</title>
-         <param id="ac-8_prm_1">
-            <label>organization-defined system use notification message or banner</label>
-         </param>
-         <param id="ac-8_prm_2">
-            <label>organization-defined conditions</label>
-         </param>
-         <prop name="label">AC-8</prop>
-         <prop name="sort-id">AC-08</prop>
-         <link rel="related" href="#ac-14">AC-14</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="ac-8_smt">
-            <part name="item" id="ac-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Display <insert param-id="ac-8_prm_1"/> to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:</p>
-               <part name="item" id="ac-8_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Users are accessing a U.S. Government system;</p>
-               </part>
-               <part name="item" id="ac-8_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>System usage may be monitored, recorded, and subject to audit;</p>
-               </part>
-               <part name="item" id="ac-8_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and</p>
-               </part>
-               <part name="item" id="ac-8_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Use of the system indicates consent to monitoring and recording;</p>
-               </part>
-            </part>
-            <part name="item" id="ac-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and</p>
-            </part>
-            <part name="item" id="ac-8_smt.c">
-               <prop name="label">c.</prop>
-               <p>For publicly accessible systems:</p>
-               <part name="item" id="ac-8_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Display system use information <insert param-id="ac-8_prm_2"/>, before granting further access to the publicly accessible system;</p>
-               </part>
-               <part name="item" id="ac-8_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and</p>
-               </part>
-               <part name="item" id="ac-8_smt.c.3">
-                  <prop name="label">3.</prop>
-                  <p>Include a description of the authorized uses of the system.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ac-8_gdn">
-            <p>System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-9">
-         <title>Previous Logon Notification</title>
-         <prop name="label">AC-9</prop>
-         <prop name="sort-id">AC-09</prop>
-         <link rel="related" href="#ac-7">AC-7</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <part name="statement" id="ac-9_smt">
-            <p>Notify the user, upon successful logon to the system, of the date and time of the last logon.</p>
-         </part>
-         <part name="guidance" id="ac-9_gdn">
-            <p>Previous logon notification is applicable to system access via human user interfaces and access to systems that occurs in other types of architectures. Information about the last successful logon allows the user to recognize if the date and time provided is not consistent with the user’s last access.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-9.1">
-            <title>Unsuccessful Logons</title>
-            <prop name="label">AC-9(1)</prop>
-            <prop name="sort-id">AC-09(01)</prop>
-            <part name="statement" id="ac-9.1_smt">
-               <p>Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.</p>
-            </part>
-            <part name="guidance" id="ac-9.1_gdn">
-               <p>Information about the number of unsuccessful logon attempts since the last successful logon allows the user to recognize if the number of unsuccessful logon attempts is consistent with the user’s actual logon attempts.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-9.2">
-            <title>Successful and Unsuccessful Logons</title>
-            <param id="ac-9.2_prm_1">
-               <select>
-                  <choice>successful logons</choice>
-                  <choice>unsuccessful logon attempts</choice>
-                  <choice>both</choice>
-               </select>
-            </param>
-            <param id="ac-9.2_prm_2">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">AC-9(2)</prop>
-            <prop name="sort-id">AC-09(02)</prop>
-            <part name="statement" id="ac-9.2_smt">
-               <p>Notify the user, upon successful logon, of the number of <insert param-id="ac-9.2_prm_1"/> during <insert param-id="ac-9.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-9.2_gdn">
-               <p>Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts is consistent with the user’s actual logon attempts.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-9.3">
-            <title>Notification of Account Changes</title>
-            <param id="ac-9.3_prm_1">
-               <label>organization-defined security-related characteristics or parameters of the user’s account</label>
-            </param>
-            <param id="ac-9.3_prm_2">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">AC-9(3)</prop>
-            <prop name="sort-id">AC-09(03)</prop>
-            <part name="statement" id="ac-9.3_smt">
-               <p>Notify the user, upon successful logon, of changes to <insert param-id="ac-9.3_prm_1"/> during <insert param-id="ac-9.3_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-9.3_gdn">
-               <p>Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-9.4">
-            <title>Additional Logon Information</title>
-            <param id="ac-9.4_prm_1">
-               <label>organization-defined additional information</label>
-            </param>
-            <prop name="label">AC-9(4)</prop>
-            <prop name="sort-id">AC-09(04)</prop>
-            <part name="statement" id="ac-9.4_smt">
-               <p>Notify the user, upon successful logon, of the following additional information: <insert param-id="ac-9.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-9.4_gdn">
-               <p>Organizations can specify additional information to be provided to users upon logon, including the location of last logon. User location is defined as that information which can be determined by systems, for example, Internet Protocol (IP) addresses from which network logons occurred, notifications of local logons, or device identifiers.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-10">
-         <title>Concurrent Session Control</title>
-         <param id="ac-10_prm_1">
-            <label>organization-defined account and/or account type</label>
-         </param>
-         <param id="ac-10_prm_2">
-            <label>organization-defined number</label>
-         </param>
-         <prop name="label">AC-10</prop>
-         <prop name="sort-id">AC-10</prop>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <part name="statement" id="ac-10_smt">
-            <p>Limit the number of concurrent sessions for each <insert param-id="ac-10_prm_1"/> to <insert param-id="ac-10_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="ac-10_gdn">
-            <p>Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for system accounts and does not address concurrent sessions by single users via multiple system accounts.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-11">
-         <title>Device Lock</title>
-         <param id="ac-11_prm_1">
-            <select how-many="one or more">
-               <choice>initiating a device lock after <insert param-id="ac-11_prm_2"/> of inactivity</choice>
-               <choice>requiring the user to initiate a device lock before leaving the system unattended</choice>
-            </select>
-         </param>
-         <param id="ac-11_prm_2" depends-on="ac-11_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">AC-11</prop>
-         <prop name="sort-id">AC-11</prop>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-7">AC-7</link>
-         <link rel="related" href="#ia-11">IA-11</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <part name="statement" id="ac-11_smt">
-            <part name="item" id="ac-11_smt.a">
-               <prop name="label">a.</prop>
-               <p>Prevent further access to the system by <insert param-id="ac-11_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="ac-11_smt.b">
-               <prop name="label">b.</prop>
-               <p>Retain the device lock until the user reestablishes access using established identification and authentication procedures.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-11_gdn">
-            <p>Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User initiated device locking is behavior or policy-based and as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, for example, if organizations require users to log out at the end of workdays.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-11.1">
-            <title>Pattern-hiding Displays</title>
-            <prop name="label">AC-11(1)</prop>
-            <prop name="sort-id">AC-11(01)</prop>
-            <part name="statement" id="ac-11.1_smt">
-               <p>Conceal, via the device lock, information previously visible on the display with a publicly viewable image.</p>
-            </part>
-            <part name="guidance" id="ac-11.1_gdn">
-               <p>The pattern-hiding display can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the caveat that controlled unclassified information is not displayed.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-12">
-         <title>Session Termination</title>
-         <param id="ac-12_prm_1">
-            <label>organization-defined conditions or trigger events requiring session disconnect</label>
-         </param>
-         <prop name="label">AC-12</prop>
-         <prop name="sort-id">AC-12</prop>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#sc-10">SC-10</link>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <part name="statement" id="ac-12_smt">
-            <p>Automatically terminate a user session after <insert param-id="ac-12_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="ac-12_gdn">
-            <p>Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-12.1">
-            <title>User-initiated Logouts</title>
-            <param id="ac-12.1_prm_1">
-               <label>organization-defined information resources</label>
-            </param>
-            <prop name="label">AC-12(1)</prop>
-            <prop name="sort-id">AC-12(01)</prop>
-            <part name="statement" id="ac-12.1_smt">
-               <p>Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to <insert param-id="ac-12.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-12.1_gdn">
-               <p>Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-12.2">
-            <title>Termination Message</title>
-            <prop name="label">AC-12(2)</prop>
-            <prop name="sort-id">AC-12(02)</prop>
-            <part name="statement" id="ac-12.2_smt">
-               <p>Display an explicit logout message to users indicating the termination of authenticated communications sessions.</p>
-            </part>
-            <part name="guidance" id="ac-12.2_gdn">
-               <p>Logout messages for web access can be displayed after authenticated sessions have been terminated. However, for certain types of sessions, including file transfer protocol (FTP) sessions, systems typically send logout messages as final messages prior to terminating sessions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-12.3">
-            <title>Timeout Warning Message</title>
-            <param id="ac-12.3_prm_1">
-               <label>organization-defined time until end of session</label>
-            </param>
-            <prop name="label">AC-12(3)</prop>
-            <prop name="sort-id">AC-12(03)</prop>
-            <part name="statement" id="ac-12.3_smt">
-               <p>Display an explicit message to users indicating that the session will end in <insert param-id="ac-12.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-12.3_gdn">
-               <p>To increase usability, notify users of pending session termination and prompt users to continue the session.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-13">
-         <title>Supervision and Review — Access Control</title>
-         <prop name="label">AC-13</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">AC-13</prop>
-         <link rel="incorporated-into" href="#ac-2">AC-2</link>
-         <link rel="incorporated-into" href="#au-6">AU-6</link>
-      </control>
-      <control class="SP800-53" id="ac-14">
-         <title>Permitted Actions Without Identification or Authentication</title>
-         <param id="ac-14_prm_1">
-            <label>organization-defined user actions</label>
-         </param>
-         <prop name="label">AC-14</prop>
-         <prop name="sort-id">AC-14</prop>
-         <link rel="related" href="#ac-8">AC-8</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <part name="statement" id="ac-14_smt">
-            <part name="item" id="ac-14_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identify <insert param-id="ac-14_prm_1"/> that can be performed on the system without identification or authentication consistent with organizational missions and business functions; and</p>
-            </part>
-            <part name="item" id="ac-14_smt.b">
-               <prop name="label">b.</prop>
-               <p>Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-14_gdn">
-            <p>Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication is not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems; when individuals use mobile phones to receive calls; or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication and therefore, the value for the assignment can be none.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-14.1">
-            <title>Necessary Uses</title>
-            <prop name="label">AC-14(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-14(01)</prop>
-            <link rel="incorporated-into" href="#ac-14">AC-14</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-15">
-         <title>Automated Marking</title>
-         <prop name="label">AC-15</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">AC-15</prop>
-         <link rel="incorporated-into" href="#mp-3">MP-3</link>
-      </control>
-      <control class="SP800-53" id="ac-16">
-         <title>Security and Privacy Attributes</title>
-         <param id="ac-16_prm_1">
-            <label>organization-defined types of security and privacy attributes</label>
-         </param>
-         <param id="ac-16_prm_2">
-            <label>organization-defined security and privacy attribute values</label>
-         </param>
-         <param id="ac-16_prm_3">
-            <label>organization-defined security and privacy attributes</label>
-         </param>
-         <param id="ac-16_prm_4">
-            <label>organization-defined systems</label>
-         </param>
-         <param id="ac-16_prm_5">
-            <label>organization-defined values or ranges</label>
-         </param>
-         <param id="ac-16_prm_6">
-            <label>organization-defined security and privacy attributes</label>
-         </param>
-         <param id="ac-16_prm_7">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-16</prop>
-         <prop name="sort-id">AC-16</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="reference" href="#359f960c-2598-454c-ba3b-a30c553e498f">[SP 800-162]</link>
-         <link rel="reference" href="#223b23a9-baea-4a50-8058-63cf7967b61f">[SP 800-178]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-21">AC-21</link>
-         <link rel="related" href="#ac-25">AC-25</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#mp-3">MP-3</link>
-         <link rel="related" href="#pe-22">PE-22</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-5">PT-5</link>
-         <link rel="related" href="#sc-11">SC-11</link>
-         <link rel="related" href="#sc-16">SC-16</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ac-16_smt">
-            <part name="item" id="ac-16_smt.a">
-               <prop name="label">a.</prop>
-               <p>Provide the means to associate <insert param-id="ac-16_prm_1"/> having <insert param-id="ac-16_prm_2"/> with information in storage, in process, and/or in transmission;</p>
-            </part>
-            <part name="item" id="ac-16_smt.b">
-               <prop name="label">b.</prop>
-               <p>Ensure that the attribute associations are made and retained with the information;</p>
-            </part>
-            <part name="item" id="ac-16_smt.c">
-               <prop name="label">c.</prop>
-               <p>Establish the permitted <insert param-id="ac-16_prm_3"/> for <insert param-id="ac-16_prm_4"/>;</p>
-            </part>
-            <part name="item" id="ac-16_smt.d">
-               <prop name="label">d.</prop>
-               <p>Determine the permitted <insert param-id="ac-16_prm_5"/> for each of the established attributes;</p>
-            </part>
-            <part name="item" id="ac-16_smt.e">
-               <prop name="label">e.</prop>
-               <p>Audit changes to attributes; and</p>
-            </part>
-            <part name="item" id="ac-16_smt.f">
-               <prop name="label">f.</prop>
-               <p>Review <insert param-id="ac-16_prm_6"/> for applicability <insert param-id="ac-16_prm_7"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-16_gdn">
-            <p>Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently, or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.
-Attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play an important part in the trust organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.
-Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. Release markings include US only, NATO (North Atlantic Treaty Organization), or NOFORN (not releasable to foreign nationals). By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements; access authorizations; nationality; data life cycle protection (i.e., encryption and data expiration); personally identifiable information processing permissions; individual consent to personally identifiable information processing; and affiliation as a contractor. Conversely, marking refers to the association of attributes with objects in a human-readable form. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Attribute types include classification level for objects and clearance (access authorization) level for subjects. An attribute value for both attribute types is Top Secret.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-16.1">
-            <title>Dynamic Attribute Association</title>
-            <param id="ac-16.1_prm_1">
-               <label>organization-defined subjects and objects</label>
-            </param>
-            <param id="ac-16.1_prm_2">
-               <label>organization-defined security and privacy policies</label>
-            </param>
-            <prop name="label">AC-16(1)</prop>
-            <prop name="sort-id">AC-16(01)</prop>
-            <part name="statement" id="ac-16.1_smt">
-               <p>Dynamically associate security and privacy attributes with <insert param-id="ac-16.1_prm_1"/> in accordance with the following security and privacy policies as information is created and combined: <insert param-id="ac-16.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-16.1_gdn">
-               <p>Dynamic association of attributes is appropriate whenever the security or privacy characteristics of information change over time. Attributes may change due to information aggregation issues (i.e., characteristics of individual data elements are different from the combined elements); changes in individual access authorizations (i.e., privileges); changes in the security category of information; or changes in security or privacy policies. Attributes may also change situationally.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.2">
-            <title>Attribute Value Changes by Authorized Individuals</title>
-            <prop name="label">AC-16(2)</prop>
-            <prop name="sort-id">AC-16(02)</prop>
-            <part name="statement" id="ac-16.2_smt">
-               <p>Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.</p>
-            </part>
-            <part name="guidance" id="ac-16.2_gdn">
-               <p>The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.3">
-            <title>Maintenance of Attribute Associations by System</title>
-            <param id="ac-16.3_prm_1">
-               <label>organization-defined security and privacy attributes</label>
-            </param>
-            <param id="ac-16.3_prm_2">
-               <label>organization-defined subjects and objects</label>
-            </param>
-            <prop name="label">AC-16(3)</prop>
-            <prop name="sort-id">AC-16(03)</prop>
-            <part name="statement" id="ac-16.3_smt">
-               <p>Maintain the association and integrity of <insert param-id="ac-16.3_prm_1"/> to <insert param-id="ac-16.3_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-16.3_gdn">
-               <p>Maintaining the association and integrity of security and privacy attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. The integrity of specific items, such as security configuration files, may be maintained through the use of an integrity monitoring mechanism that detects anomalies and changes that deviate from “known good” baselines. Automated policy actions include retention date expirations, access control decisions, information flow control decisions, and information disclosure decisions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.4">
-            <title>Association of Attributes by Authorized Individuals</title>
-            <param id="ac-16.4_prm_1">
-               <label>organization-defined security and privacy attributes</label>
-            </param>
-            <param id="ac-16.4_prm_2">
-               <label>organization-defined subjects and objects</label>
-            </param>
-            <prop name="label">AC-16(4)</prop>
-            <prop name="sort-id">AC-16(04)</prop>
-            <part name="statement" id="ac-16.4_smt">
-               <p>Provide the capability to associate <insert param-id="ac-16.4_prm_1"/> with <insert param-id="ac-16.4_prm_2"/> by authorized individuals (or processes acting on behalf of individuals).</p>
-            </part>
-            <part name="guidance" id="ac-16.4_gdn">
-               <p>Systems in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects; employing automated mechanisms to categorize information with attributes based on defined policies; or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.5">
-            <title>Attribute Displays for Output Devices</title>
-            <param id="ac-16.5_prm_1">
-               <label>organization-defined special dissemination, handling, or distribution instructions</label>
-            </param>
-            <param id="ac-16.5_prm_2">
-               <label>organization-defined human-readable, standard naming conventions</label>
-            </param>
-            <prop name="label">AC-16(5)</prop>
-            <prop name="sort-id">AC-16(05)</prop>
-            <part name="statement" id="ac-16.5_smt">
-               <p>Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify <insert param-id="ac-16.5_prm_1"/> using <insert param-id="ac-16.5_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-16.5_gdn">
-               <p>System outputs include printed pages, screens, or equivalent. System output devices include printers, notebook computers, video displays, tablets, and smartphones. To mitigate the risk of unauthorized exposure of selected information, for example, shoulder surfing, the outputs display full attribute values when unmasked by the subscriber.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.6">
-            <title>Maintenance of Attribute Association by Organization</title>
-            <param id="ac-16.6_prm_1">
-               <label>organization-defined security and privacy attributes</label>
-            </param>
-            <param id="ac-16.6_prm_2">
-               <label>organization-defined subjects and objects</label>
-            </param>
-            <param id="ac-16.6_prm_3">
-               <label>organization-defined security and privacy policies</label>
-            </param>
-            <prop name="label">AC-16(6)</prop>
-            <prop name="sort-id">AC-16(06)</prop>
-            <part name="statement" id="ac-16.6_smt">
-               <p>Require personnel to associate and maintain the association of <insert param-id="ac-16.6_prm_1"/> with <insert param-id="ac-16.6_prm_2"/> in accordance with <insert param-id="ac-16.6_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="ac-16.6_gdn">
-               <p>This control enhancement requires individual users (as opposed to the system) to maintain associations of defined security and privacy attributes with subjects and objects.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.7">
-            <title>Consistent Attribute Interpretation</title>
-            <prop name="label">AC-16(7)</prop>
-            <prop name="sort-id">AC-16(07)</prop>
-            <part name="statement" id="ac-16.7_smt">
-               <p>Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.</p>
-            </part>
-            <part name="guidance" id="ac-16.7_gdn">
-               <p>To enforce security and privacy policies across multiple system components in distributed systems, organizations provide a consistent interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions. Organizations can establish agreements and processes to help ensure that distributed system components implement attributes with consistent interpretations in automated access enforcement and flow enforcement actions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.8">
-            <title>Association Techniques and Technologies</title>
-            <param id="ac-16.8_prm_1">
-               <label>organization-defined techniques and technologies</label>
-            </param>
-            <param id="ac-16.8_prm_2">
-               <label>organization-defined level of assurance</label>
-            </param>
-            <prop name="label">AC-16(8)</prop>
-            <prop name="sort-id">AC-16(08)</prop>
-            <part name="statement" id="ac-16.8_smt">
-               <p>Implement <insert param-id="ac-16.8_prm_1"/> with <insert param-id="ac-16.8_prm_2"/> in associating security and privacy attributes to information.</p>
-            </part>
-            <part name="guidance" id="ac-16.8_gdn">
-               <p>The association of security and privacy attributes to information within systems is important for conducting automated access enforcement and flow enforcement actions. The association of such attributes to information (i.e., binding) can be accomplished with technologies and techniques providing different levels of assurance. For example, systems can bind attributes to information cryptographically using digital signatures supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.9">
-            <title>Attribute Reassignment — Regrading Mechanisms</title>
-            <param id="ac-16.9_prm_1">
-               <label>organization-defined techniques or procedures</label>
-            </param>
-            <prop name="label">AC-16(9)</prop>
-            <prop name="sort-id">AC-16(09)</prop>
-            <part name="statement" id="ac-16.9_smt">
-               <p>Change security and privacy attributes associated with information only via regrading mechanisms validated using <insert param-id="ac-16.9_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-16.9_gdn">
-               <p>A regrading mechanism is a trusted process authorized to re-classify and re-label data in accordance with a defined policy exception. Validated regrading mechanisms are used by organizations to provide the requisite levels of assurance for attribute reassignment activities. The validation is facilitated by ensuring that regrading mechanisms are single purpose and of limited function. Since security and privacy attribute changes can directly affect policy enforcement actions, implementing trustworthy regrading mechanisms is necessary to help ensure that such mechanisms perform in a consistent and correct mode of operation.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-16.10">
-            <title>Attribute Configuration by Authorized Individuals</title>
-            <prop name="label">AC-16(10)</prop>
-            <prop name="sort-id">AC-16(10)</prop>
-            <part name="statement" id="ac-16.10_smt">
-               <p>Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.</p>
-            </part>
-            <part name="guidance" id="ac-16.10_gdn">
-               <p>The content or assigned values of security and privacy attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals only.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-17">
-         <title>Remote Access</title>
-         <prop name="label">AC-17</prop>
-         <prop name="sort-id">AC-17</prop>
-         <link rel="reference" href="#7768c184-088d-4ee8-a316-f9286b52df7f">[SP 800-46]</link>
-         <link rel="reference" href="#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa">[SP 800-77]</link>
-         <link rel="reference" href="#36132a58-56fd-4980-9f6c-c010d3faf52b">[SP 800-113]</link>
-         <link rel="reference" href="#49fa1ee1-aaf7-4270-bb5a-a86497f717dc">[SP 800-114]</link>
-         <link rel="reference" href="#60b24979-65b8-4ca5-a442-11b74339fab5">[SP 800-121]</link>
-         <link rel="reference" href="#30213e10-2aca-47b3-8cdb-61303e0959f5">[IR 7966]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#cm-10">CM-10</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#pe-17">PE-17</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#sc-10">SC-10</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="ac-17_smt">
-            <part name="item" id="ac-17_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and</p>
-            </part>
-            <part name="item" id="ac-17_smt.b">
-               <prop name="label">b.</prop>
-               <p>Authorize each type of remote access to the system prior to allowing such connections.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-17_gdn">
-            <p>Remote access is access to organizational systems (or processes acting on behalf of users) communicating through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote access is addressed via AC-3.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-17.1">
-            <title>Monitoring and Control</title>
-            <prop name="label">AC-17(1)</prop>
-            <prop name="sort-id">AC-17(01)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#au-14">AU-14</link>
-            <part name="statement" id="ac-17.1_smt">
-               <p>Employ automated mechanisms to monitor and control remote access methods.</p>
-            </part>
-            <part name="guidance" id="ac-17.1_gdn">
-               <p>Monitoring and control of remote access methods allows organizations to detect attacks and ensure compliance with remote access policies by auditing connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.2">
-            <title>Protection of Confidentiality and Integrity Using Encryption</title>
-            <prop name="label">AC-17(2)</prop>
-            <prop name="sort-id">AC-17(02)</prop>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="ac-17.2_smt">
-               <p>Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.</p>
-            </part>
-            <part name="guidance" id="ac-17.2_gdn">
-               <p>Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.3">
-            <title>Managed Access Control Points</title>
-            <prop name="label">AC-17(3)</prop>
-            <prop name="sort-id">AC-17(03)</prop>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <part name="statement" id="ac-17.3_smt">
-               <p>Route remote accesses through authorized and managed network access control points.</p>
-            </part>
-            <part name="guidance" id="ac-17.3_gdn">
-               <p>Organizations consider the Trusted Internet Connections initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote accesses reduces attack surface.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.4">
-            <title>Privileged Commands and Access</title>
-            <param id="ac-17.4_prm_1">
-               <label>organization-defined needs</label>
-            </param>
-            <prop name="label">AC-17(4)</prop>
-            <prop name="sort-id">AC-17(04)</prop>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="ac-17.4_smt">
-               <part name="item" id="ac-17.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: <insert param-id="ac-17.4_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="ac-17.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Document the rationale for remote access in the security plan for the system.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-17.4_gdn">
-               <p>Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.5">
-            <title>Monitoring for Unauthorized Connections</title>
-            <prop name="label">AC-17(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-17(05)</prop>
-            <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.6">
-            <title>Protection of Mechanism Information</title>
-            <prop name="label">AC-17(6)</prop>
-            <prop name="sort-id">AC-17(06)</prop>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <part name="statement" id="ac-17.6_smt">
-               <p>Protect information about remote access mechanisms from unauthorized use and disclosure.</p>
-            </part>
-            <part name="guidance" id="ac-17.6_gdn">
-               <p>Remote access to organizational information by nonorganizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior (see PL-4) and access agreements (see PS-6).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.7">
-            <title>Additional Protection for Security Function Access</title>
-            <prop name="label">AC-17(7)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-17(07)</prop>
-            <link rel="incorporated-into" href="#ac-3.10">AC-3(10)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.8">
-            <title>Disable Nonsecure Network Protocols</title>
-            <prop name="label">AC-17(8)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-17(08)</prop>
-            <link rel="incorporated-into" href="#cm-7">CM-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.9">
-            <title>Disconnect or Disable Access</title>
-            <param id="ac-17.9_prm_1">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">AC-17(9)</prop>
-            <prop name="sort-id">AC-17(09)</prop>
-            <part name="statement" id="ac-17.9_smt">
-               <p>Provide the capability to disconnect or disable remote access to the system within <insert param-id="ac-17.9_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-17.9_gdn">
-               <p>This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the system or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-17.10">
-            <title>Authenticate Remote Commands</title>
-            <param id="ac-17.10_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <param id="ac-17.10_prm_2">
-               <label>organization-defined remote commands</label>
-            </param>
-            <prop name="label">AC-17(10)</prop>
-            <prop name="sort-id">AC-17(10)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-23">SC-23</link>
-            <part name="statement" id="ac-17.10_smt">
-               <p>Implement <insert param-id="ac-17.10_prm_1"/> to authenticate <insert param-id="ac-17.10_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-17.10_gdn">
-               <p>Authenticating remote commands protects against unauthorized commands and the replay of authorized commands. The capability to authenticate remote commands is important for remote systems whose loss, malfunction, misdirection, or exploitation would have immediate or serious consequences, including injury or death; property damage; loss of high value assets; failure of missions or business functions; or compromise of classified or controlled unclassified information. Authentication controls for remote commands ensure that systems accept and execute commands in the order intended, execute only authorized commands, and reject unauthorized commands. Cryptographic mechanisms can be used, for example, to authenticate remote commands.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-18">
-         <title>Wireless Access</title>
-         <prop name="label">AC-18</prop>
-         <prop name="sort-id">AC-18</prop>
-         <link rel="reference" href="#41e2e2c6-2260-4258-85c8-09db17c43103">[SP 800-94]</link>
-         <link rel="reference" href="#6bed1550-cd5d-4e80-8d83-4e597c1514fe">[SP 800-97]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ca-9">CA-9</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#sc-40">SC-40</link>
-         <link rel="related" href="#sc-43">SC-43</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="ac-18_smt">
-            <part name="item" id="ac-18_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and</p>
-            </part>
-            <part name="item" id="ac-18_smt.b">
-               <prop name="label">b.</prop>
-               <p>Authorize each type of wireless access to the system prior to allowing such connections.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-18_gdn">
-            <p>Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide credential protection and mutual authentication.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-18.1">
-            <title>Authentication and Encryption</title>
-            <param id="ac-18.1_prm_1">
-               <select how-many="one or more">
-                  <choice>users</choice>
-                  <choice>devices</choice>
-               </select>
-            </param>
-            <prop name="label">AC-18(1)</prop>
-            <prop name="sort-id">AC-18(01)</prop>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="ac-18.1_smt">
-               <p>Protect wireless access to the system using authentication of <insert param-id="ac-18.1_prm_1"/> and encryption.</p>
-            </part>
-            <part name="guidance" id="ac-18.1_gdn">
-               <p>Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices with encryption can reduce susceptibility to threats by adversaries involving wireless technologies.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.2">
-            <title>Monitoring Unauthorized Connections</title>
-            <prop name="label">AC-18(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-18(02)</prop>
-            <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.3">
-            <title>Disable Wireless Networking</title>
-            <prop name="label">AC-18(3)</prop>
-            <prop name="sort-id">AC-18(03)</prop>
-            <part name="statement" id="ac-18.3_smt">
-               <p>Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.</p>
-            </part>
-            <part name="guidance" id="ac-18.3_gdn">
-               <p>Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.4">
-            <title>Restrict Configurations by Users</title>
-            <prop name="label">AC-18(4)</prop>
-            <prop name="sort-id">AC-18(04)</prop>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-15">SC-15</link>
-            <part name="statement" id="ac-18.4_smt">
-               <p>Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.</p>
-            </part>
-            <part name="guidance" id="ac-18.4_gdn">
-               <p>Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-18.5">
-            <title>Antennas and Transmission Power Levels</title>
-            <prop name="label">AC-18(5)</prop>
-            <prop name="sort-id">AC-18(05)</prop>
-            <link rel="related" href="#pe-19">PE-19</link>
-            <part name="statement" id="ac-18.5_smt">
-               <p>Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.</p>
-            </part>
-            <part name="guidance" id="ac-18.5_gdn">
-               <p>Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization; employing measures such as emissions security to control wireless emanations; and using directional or beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-19">
-         <title>Access Control for Mobile Devices</title>
-         <prop name="label">AC-19</prop>
-         <prop name="sort-id">AC-19</prop>
-         <link rel="reference" href="#49fa1ee1-aaf7-4270-bb5a-a86497f717dc">[SP 800-114]</link>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-7">AC-7</link>
-         <link rel="related" href="#ac-11">AC-11</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#ca-9">CA-9</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#mp-7">MP-7</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#sc-43">SC-43</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="ac-19_smt">
-            <part name="item" id="ac-19_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and</p>
-            </part>
-            <part name="item" id="ac-19_smt.b">
-               <prop name="label">b.</prop>
-               <p>Authorize the connection of mobile devices to organizational systems.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-19_gdn">
-            <p>A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending upon the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.
-Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.
-Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to the organizational network and impose a set of usage restrictions while a system owner may withhold authorization for mobile device connection to specific applications or may impose additional usage restrictions before allowing mobile device connections to a system. The need to provide adequate security for mobile devices goes beyond the requirements in this control. Many controls for mobile devices are reflected in other controls allocated to the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some overlap by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-19.1">
-            <title>Use of Writable and Portable Storage Devices</title>
-            <prop name="label">AC-19(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-19(01)</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-19.2">
-            <title>Use of Personally Owned Portable Storage Devices</title>
-            <prop name="label">AC-19(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-19(02)</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-19.3">
-            <title>Use of Portable Storage Devices with No Identifiable Owner</title>
-            <prop name="label">AC-19(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AC-19(03)</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-19.4">
-            <title>Restrictions for Classified Information</title>
-            <param id="ac-19.4_prm_1">
-               <label>organization-defined security officials</label>
-            </param>
-            <param id="ac-19.4_prm_2">
-               <label>organization-defined security policies</label>
-            </param>
-            <prop name="label">AC-19(4)</prop>
-            <prop name="sort-id">AC-19(04)</prop>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <part name="statement" id="ac-19.4_smt">
-               <part name="item" id="ac-19.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and</p>
-               </part>
-               <part name="item" id="ac-19.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:</p>
-                  <part name="item" id="ac-19.4_smt.b.1">
-                     <prop name="label">(1)</prop>
-                     <p>Connection of unclassified mobile devices to classified systems is prohibited;</p>
-                  </part>
-                  <part name="item" id="ac-19.4_smt.b.2">
-                     <prop name="label">(2)</prop>
-                     <p>Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;</p>
-                  </part>
-                  <part name="item" id="ac-19.4_smt.b.3">
-                     <prop name="label">(3)</prop>
-                     <p>Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and</p>
-                  </part>
-                  <part name="item" id="ac-19.4_smt.b.4">
-                     <prop name="label">(4)</prop>
-                     <p>Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by <insert param-id="ac-19.4_prm_1"/>, and if classified information is found, the incident handling policy is followed.</p>
-                  </part>
-               </part>
-               <part name="item" id="ac-19.4_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Restrict the connection of classified mobile devices to classified systems in accordance with <insert param-id="ac-19.4_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-19.4_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-19.5">
-            <title>Full Device and Container-based Encryption</title>
-            <param id="ac-19.5_prm_1">
-               <select>
-                  <choice>full-device encryption</choice>
-                  <choice>container-based encryption</choice>
-               </select>
-            </param>
-            <param id="ac-19.5_prm_2">
-               <label>organization-defined mobile devices</label>
-            </param>
-            <prop name="label">AC-19(5)</prop>
-            <prop name="sort-id">AC-19(05)</prop>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-            <part name="statement" id="ac-19.5_smt">
-               <p>Employ <insert param-id="ac-19.5_prm_1"/> to protect the confidentiality and integrity of information on <insert param-id="ac-19.5_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ac-19.5_gdn">
-               <p>Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-20">
-         <title>Use of External Systems</title>
-         <param id="ac-20_prm_1">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="ac-20_prm_2"/>
-               </choice>
-               <choice>
-                  <insert param-id="ac-20_prm_3"/>
-               </choice>
-            </select>
-         </param>
-         <param id="ac-20_prm_2" depends-on="ac-20_prm_1">
-            <label>organization-defined terms and conditions</label>
-         </param>
-         <param id="ac-20_prm_3" depends-on="ac-20_prm_1">
-            <label>organization-defined controls asserted to be implemented on external systems</label>
-         </param>
-         <prop name="label">AC-20</prop>
-         <prop name="sort-id">AC-20</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a">[SP 800-171]</link>
-         <link rel="reference" href="#aad55f03-8ece-4b21-b09c-9ef65b5a9f55">[SP 800-171B]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <part name="statement" id="ac-20_smt">
-            <p>Establish <insert param-id="ac-20_prm_1"/>, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:</p>
-            <part name="item" id="ac-20_smt.a">
-               <prop name="label">a.</prop>
-               <p>Access the system from external systems; and</p>
-            </part>
-            <part name="item" id="ac-20_smt.b">
-               <prop name="label">b.</prop>
-               <p>Process, store, or transmit organization-controlled information using external systems.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-20_gdn">
-            <p>External systems are systems that are used by, but not a part of, organizational systems and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. External systems also include systems owned or operated by other components within the same organization, and systems within the organization with different authorization boundaries.
-For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components, or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.
-This control does not apply to external systems used to access public interfaces to organizational systems. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: the specific types of applications that can be accessed on organizational systems from external systems; and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-20.1">
-            <title>Limits on Authorized Use</title>
-            <prop name="label">AC-20(1)</prop>
-            <prop name="sort-id">AC-20(01)</prop>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <part name="statement" id="ac-20.1_smt">
-               <p>Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:</p>
-               <part name="item" id="ac-20.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or</p>
-               </part>
-               <part name="item" id="ac-20.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Retention of approved system connection or processing agreements with the organizational entity hosting the external system.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ac-20.1_gdn">
-               <p>Limits on authorized use recognizes the circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.2">
-            <title>Portable Storage Devices — Restricted Use</title>
-            <param id="ac-20.2_prm_1">
-               <label>organization-defined restrictions</label>
-            </param>
-            <prop name="label">AC-20(2)</prop>
-            <prop name="sort-id">AC-20(02)</prop>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#sc-41">SC-41</link>
-            <part name="statement" id="ac-20.2_smt">
-               <p>Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using <insert param-id="ac-20.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-20.2_gdn">
-               <p>Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.3">
-            <title>Non-organizationally Owned Systems  — Restricted Use</title>
-            <param id="ac-20.3_prm_1">
-               <label>organization-defined restrictions</label>
-            </param>
-            <prop name="label">AC-20(3)</prop>
-            <prop name="sort-id">AC-20(03)</prop>
-            <part name="statement" id="ac-20.3_smt">
-               <p>Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using <insert param-id="ac-20.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-20.3_gdn">
-               <p>Non-organizationally owned systems or system components include systems or system components owned by other organizations and personally owned devices. There are potential risks to using non-organizationally owned systems or system components. In some cases, the risk is sufficiently high as to prohibit such use (see AC-20(6)). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.4">
-            <title>Network Accessible Storage Devices</title>
-            <param id="ac-20.4_prm_1">
-               <label>organization-defined network accessible storage devices</label>
-            </param>
-            <prop name="label">AC-20(4)</prop>
-            <prop name="sort-id">AC-20(04)</prop>
-            <part name="statement" id="ac-20.4_smt">
-               <p>Prohibit the use of <insert param-id="ac-20.4_prm_1"/> in external systems.</p>
-            </part>
-            <part name="guidance" id="ac-20.4_gdn">
-               <p>Network accessible storage devices in external systems include online storage devices in public, hybrid, or community cloud-based systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.5">
-            <title>Portable Storage Devices — Prohibited Use</title>
-            <prop name="label">AC-20(5)</prop>
-            <prop name="sort-id">AC-20(05)</prop>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <link rel="related" href="#sc-41">SC-41</link>
-            <part name="statement" id="ac-20.5_smt">
-               <p>Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.</p>
-            </part>
-            <part name="guidance" id="ac-20.5_gdn">
-               <p>Limits on the use of organization-controlled portable storage devices in external systems include a complete prohibition of the use of such devices.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-20.6">
-            <title>Non-organizationally Owned Systems — Prohibited Use</title>
-            <prop name="label">AC-20(6)</prop>
-            <prop name="sort-id">AC-20(06)</prop>
-            <part name="statement" id="ac-20.6_smt">
-               <p>Prohibit the use of non-organizationally owned systems or system components to process, store, or transmit organizational information.</p>
-            </part>
-            <part name="guidance" id="ac-20.6_gdn">
-               <p>Non-organizationally owned systems or system components include systems or system components owned by other organizations and personally owned devices. There are potential risks to using non-organizationally owned systems or system components. In some cases, the risk is sufficiently high as to prohibit such use. In other cases, the use of such systems or system components may be allowed but restricted in some way (see AC-20(4)).</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-21">
-         <title>Information Sharing</title>
-         <param id="ac-21_prm_1">
-            <label>organization-defined information sharing circumstances where user discretion is required</label>
-         </param>
-         <param id="ac-21_prm_2">
-            <label>organization-defined automated mechanisms or manual processes</label>
-         </param>
-         <prop name="label">AC-21</prop>
-         <prop name="sort-id">AC-21</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#ad3e8f21-07c6-4968-b002-00b64dfa70ae">[SP 800-150]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sc-15">SC-15</link>
-         <part name="statement" id="ac-21_smt">
-            <part name="item" id="ac-21_smt.a">
-               <prop name="label">a.</prop>
-               <p>Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for <insert param-id="ac-21_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="ac-21_smt.b">
-               <prop name="label">b.</prop>
-               <p>Employ <insert param-id="ac-21_prm_2"/> to assist users in making information sharing and collaboration decisions.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-21_gdn">
-            <p>Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA).</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-21.1">
-            <title>Automated Decision Support</title>
-            <param id="ac-21.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">AC-21(1)</prop>
-            <prop name="sort-id">AC-21(01)</prop>
-            <part name="statement" id="ac-21.1_smt">
-               <p>Employ <insert param-id="ac-21.1_prm_1"/> to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.</p>
-            </part>
-            <part name="guidance" id="ac-21.1_gdn">
-               <p>Automated mechanisms are used to enforce information sharing decisions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-21.2">
-            <title>Information Search and Retrieval</title>
-            <param id="ac-21.2_prm_1">
-               <label>organization-defined information sharing restrictions</label>
-            </param>
-            <prop name="label">AC-21(2)</prop>
-            <prop name="sort-id">AC-21(02)</prop>
-            <part name="statement" id="ac-21.2_smt">
-               <p>Implement information search and retrieval services that enforce <insert param-id="ac-21.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ac-21.2_gdn">
-               <p>Information search and retrieval services identify information system resources relevant to an information need.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-22">
-         <title>Publicly Accessible Content</title>
-         <param id="ac-22_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AC-22</prop>
-         <prop name="sort-id">AC-22</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#au-13">AU-13</link>
-         <part name="statement" id="ac-22_smt">
-            <part name="item" id="ac-22_smt.a">
-               <prop name="label">a.</prop>
-               <p>Designate individuals authorized to make information publicly accessible;</p>
-            </part>
-            <part name="item" id="ac-22_smt.b">
-               <prop name="label">b.</prop>
-               <p>Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;</p>
-            </part>
-            <part name="item" id="ac-22_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and</p>
-            </part>
-            <part name="item" id="ac-22_smt.d">
-               <prop name="label">d.</prop>
-               <p>Review the content on the publicly accessible system for nonpublic information <insert param-id="ac-22_prm_1"/> and remove such information, if discovered.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ac-22_gdn">
-            <p>In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT] and proprietary information. This control addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, this control addresses the management of the individuals who make such information publicly accessible.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-23">
-         <title>Data Mining Protection</title>
-         <param id="ac-23_prm_1">
-            <label>organization-defined data mining prevention and detection techniques</label>
-         </param>
-         <param id="ac-23_prm_2">
-            <label>organization-defined data storage objects</label>
-         </param>
-         <prop name="label">AC-23</prop>
-         <prop name="sort-id">AC-23</prop>
-         <link rel="reference" href="#2b5e12fb-633f-49e6-8aff-81d75bf53545">[EO 13587]</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <part name="statement" id="ac-23_smt">
-            <p>Employ <insert param-id="ac-23_prm_1"/> for <insert param-id="ac-23_prm_2"/> to detect and protect against unauthorized data mining.</p>
-         </part>
-         <part name="guidance" id="ac-23_gdn">
-            <p>Data mining is an analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. Data storage objects include database records and database fields. Sensitive information can be extracted from data mining operations. When information is personally identifiable information, it may lead to unanticipated revelations about individuals and give rise to privacy risks. Prior to performing data mining activities, organizations determine whether such activities are authorized. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that address data mining requirements. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
-Data mining prevention and detection techniques include limiting the number and the frequency of database queries to increase the work factor needed to determine the contents of such databases; limiting types of responses provided to database queries; applying differential privacy techniques or homomorphic encryption; and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is available as open source information residing on external sites, for example, through social networking or social media websites.
-[EO 13587] requires the establishment of an insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of sensitive information from exploitation, compromise, or other unauthorized disclosure. This control requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining, which can be used by an insider to collect organizational information for the purpose of exfiltration.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ac-24">
-         <title>Access Control Decisions</title>
-         <param id="ac-24_prm_1">
-            <select>
-               <choice>Establish procedures</choice>
-               <choice>Implement mechanisms</choice>
-            </select>
-         </param>
-         <param id="ac-24_prm_2">
-            <label>organization-defined access control decisions</label>
-         </param>
-         <prop name="label">AC-24</prop>
-         <prop name="sort-id">AC-24</prop>
-         <link rel="reference" href="#359f960c-2598-454c-ba3b-a30c553e498f">[SP 800-162]</link>
-         <link rel="reference" href="#223b23a9-baea-4a50-8058-63cf7967b61f">[SP 800-178]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <part name="statement" id="ac-24_smt">
-            <p>
-               <insert param-id="ac-24_prm_1"/> to ensure <insert param-id="ac-24_prm_2"/> are applied to each access request prior to access enforcement.</p>
-         </part>
-         <part name="guidance" id="ac-24_gdn">
-            <p>Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may perform access control decisions and access enforcement.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ac-24.1">
-            <title>Transmit Access Authorization Information</title>
-            <param id="ac-24.1_prm_1">
-               <label>organization-defined access authorization information</label>
-            </param>
-            <param id="ac-24.1_prm_2">
-               <label>organization-defined controls</label>
-            </param>
-            <param id="ac-24.1_prm_3">
-               <label>organization-defined systems</label>
-            </param>
-            <prop name="label">AC-24(1)</prop>
-            <prop name="sort-id">AC-24(01)</prop>
-            <link rel="related" href="#au-10">AU-10</link>
-            <part name="statement" id="ac-24.1_smt">
-               <p>Transmit <insert param-id="ac-24.1_prm_1"/> using <insert param-id="ac-24.1_prm_2"/> to <insert param-id="ac-24.1_prm_3"/> that enforce access control decisions.</p>
-            </part>
-            <part name="guidance" id="ac-24.1_gdn">
-               <p>Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security and privacy attributes. This is because in distributed systems, there are various access control decisions that need to be made and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ac-24.2">
-            <title>No User or Process Identity</title>
-            <param id="ac-24.2_prm_1">
-               <label>organization-defined security or privacy attributes</label>
-            </param>
-            <prop name="label">AC-24(2)</prop>
-            <prop name="sort-id">AC-24(02)</prop>
-            <part name="statement" id="ac-24.2_smt">
-               <p>Enforce access control decisions based on <insert param-id="ac-24.2_prm_1"/> that do not include the identity of the user or process acting on behalf of the user.</p>
-            </part>
-            <part name="guidance" id="ac-24.2_gdn">
-               <p>In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and, especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ac-25">
-         <title>Reference Monitor</title>
-         <param id="ac-25_prm_1">
-            <label>organization-defined access control policies</label>
-         </param>
-         <prop name="label">AC-25</prop>
-         <prop name="sort-id">AC-25</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#sc-11">SC-11</link>
-         <link rel="related" href="#sc-39">SC-39</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <part name="statement" id="ac-25_smt">
-            <p>Implement a reference monitor for <insert param-id="ac-25_prm_1"/> that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.</p>
-         </part>
-         <part name="guidance" id="ac-25_gdn">
-            <p>A reference monitor is a set of design requirements on a reference validation mechanism that as key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked (i.e., complete mediation); tamperproof; and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are associated with data structures such as records, buffers, communications ports, tables, files, and inter-process pipes. Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong. The system enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents determined adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="at">
-      <title>Awareness and Training</title>
-      <control class="SP800-53" id="at-1">
-         <title>Policy and Procedures</title>
-         <param id="at-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="at-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="at-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="at-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="at-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-1</prop>
-         <prop name="sort-id">AT-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#2e29c363-d5be-47ba-92f5-f8a58a69b65e">[SP 800-50]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="at-1_smt">
-            <part name="item" id="at-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="at-1_prm_1"/>:</p>
-               <part name="item" id="at-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="at-1_prm_2"/> awareness and training policy that:</p>
-                  <part name="item" id="at-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="at-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="at-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;</p>
-               </part>
-            </part>
-            <part name="item" id="at-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="at-1_prm_3"/> to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and</p>
-            </part>
-            <part name="item" id="at-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current awareness and training:</p>
-               <part name="item" id="at-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="at-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="at-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="at-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="at-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the AT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-2">
-         <title>Awareness Training</title>
-         <param id="at-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="at-2_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-2</prop>
-         <prop name="sort-id">AT-02</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#2e29c363-d5be-47ba-92f5-f8a58a69b65e">[SP 800-50]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-22">AC-22</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#at-4">AT-4</link>
-         <link rel="related" href="#cp-3">CP-3</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ir-2">IR-2</link>
-         <link rel="related" href="#ir-7">IR-7</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#pm-13">PM-13</link>
-         <link rel="related" href="#pm-21">PM-21</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-16">SA-16</link>
-         <part name="statement" id="at-2_smt">
-            <part name="item" id="at-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Provide security and privacy awareness training to system users (including managers, senior executives, and contractors):</p>
-               <part name="item" id="at-2_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>As part of initial training for new users and <insert param-id="at-2_prm_1"/> thereafter; and</p>
-               </part>
-               <part name="item" id="at-2_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>When required by system changes; and</p>
-               </part>
-            </part>
-            <part name="item" id="at-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Update awareness training <insert param-id="at-2_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="at-2_gdn">
-            <p>Organizations provide foundational and advanced levels of awareness training to system users, including measures to test the knowledge level of users. Organizations determine the content of awareness training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy and actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.
-Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Awareness training after the initial training described in AT-2a.1, is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent awareness training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes; changes to organizational security and privacy policies; revised security and privacy expectations; or a subset of topics from the initial training. Updating awareness training on a regular basis helps to ensure the content remains relevant and effective.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="at-2.1">
-            <title>Practical Exercises</title>
-            <prop name="label">AT-2(1)</prop>
-            <prop name="sort-id">AT-02(01)</prop>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <link rel="related" href="#ir-3">IR-3</link>
-            <part name="statement" id="at-2.1_smt">
-               <p>Provide practical exercises in awareness training that simulate events and incidents.</p>
-            </part>
-            <part name="guidance" id="at-2.1_gdn">
-               <p>Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments; or invoking, via spear phishing attacks, malicious web links.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-2.2">
-            <title>Insider Threat</title>
-            <prop name="label">AT-2(2)</prop>
-            <prop name="sort-id">AT-02(02)</prop>
-            <link rel="related" href="#pm-12">PM-12</link>
-            <part name="statement" id="at-2.2_smt">
-               <p>Provide awareness training on recognizing and reporting potential indicators of insider threat.</p>
-            </part>
-            <part name="guidance" id="at-2.2_gdn">
-               <p>Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Awareness training includes how to communicate concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in behavior of team members, while training for employees may be focused on more general observations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-2.3">
-            <title>Social Engineering and Mining</title>
-            <prop name="label">AT-2(3)</prop>
-            <prop name="sort-id">AT-02(03)</prop>
-            <part name="statement" id="at-2.3_smt">
-               <p>Provide awareness training on recognizing and reporting potential and actual instances of social engineering and social mining.</p>
-            </part>
-            <part name="guidance" id="at-2.3_gdn">
-               <p>Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Awareness training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-2.4">
-            <title>Suspicious Communications and Anomalous System Behavior</title>
-            <param id="at-2.4_prm_1">
-               <label>organization-defined indicators of malicious code</label>
-            </param>
-            <prop name="label">AT-2(4)</prop>
-            <prop name="sort-id">AT-02(04)</prop>
-            <part name="statement" id="at-2.4_smt">
-               <p>Provide awareness training on recognizing suspicious communications and anomalous behavior in organizational systems using <insert param-id="at-2.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="at-2.4_gdn">
-               <p>A well-trained workforce provides another organizational control that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming into organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to suspicious email or web communications. For this process to work effectively, personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in systems can provide organizations with early warning for the presence of malicious code. Recognition of anomalous behavior by organizational personnel can supplement malicious code detection and protection tools and systems employed by organizations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-2.5">
-            <title>Breach</title>
-            <prop name="label">AT-2(5)</prop>
-            <prop name="sort-id">AT-02(05)</prop>
-            <link rel="related" href="#ir-1">IR-1</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-            <part name="statement" id="at-2.5_smt">
-               <p>Provide awareness training on how to identify and respond to a breach, including the organization’s process for reporting a breach.</p>
-            </part>
-            <part name="guidance" id="at-2.5_gdn">
-               <p>A breach is a type of incident that involves personally identifiable information. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The awareness training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Awareness training includes tabletop exercises that simulate a breach.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-2.6">
-            <title>Advanced Persistent Threat</title>
-            <prop name="label">AT-2(6)</prop>
-            <prop name="sort-id">AT-02(06)</prop>
-            <part name="statement" id="at-2.6_smt">
-               <p>Provide awareness training on the advanced persistent threat.</p>
-            </part>
-            <part name="guidance" id="at-2.6_gdn">
-               <p>An effective way to detect advanced persistent threats (APT) and to preclude success attacks is to provide specific awareness training for individuals. Threat awareness training includes educating individuals on the various ways APTs can infiltrate into the organization (e.g., through websites, emails, advertisement pop-ups, articles, and social engineering). Effective training includes techniques for recognizing suspicious emails, use of removable systems in non-secure settings, and the potential targeting of individuals at home.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-2.7">
-            <title>Cyber Threat Environment</title>
-            <prop name="label">AT-2(7)</prop>
-            <prop name="sort-id">AT-02(07)</prop>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="at-2.7_smt">
-               <part name="item" id="at-2.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Provide awareness training on the cyber threat environment; and</p>
-               </part>
-               <part name="item" id="at-2.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Reflect current cyber threat information in system operations.</p>
-               </part>
-            </part>
-            <part name="guidance" id="at-2.7_gdn">
-               <p>Since threats continue to change over time, the threat awareness training by the organization is dynamic. Moreover, threat awareness training is not performed in isolation from the system operations that support organizational missions and business functions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-2.8">
-            <title>Training Feedback</title>
-            <param id="at-2.8_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="at-2.8_prm_2">
-               <label>organization-defined personnel</label>
-            </param>
-            <prop name="label">AT-2(8)</prop>
-            <prop name="sort-id">AT-02(08)</prop>
-            <part name="statement" id="at-2.8_smt">
-               <p>Provide feedback on organizational training results to the following personnel <insert param-id="at-2.8_prm_1"/>: <insert param-id="at-2.8_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="at-2.8_gdn">
-               <p>Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the assessment and update of organization training described in AT-2b.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="at-3">
-         <title>Role-based Training</title>
-         <param id="at-3_prm_1">
-            <label>organization-defined roles and responsibilities</label>
-         </param>
-         <param id="at-3_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="at-3_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AT-3</prop>
-         <prop name="sort-id">AT-03</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#2e29c363-d5be-47ba-92f5-f8a58a69b65e">[SP 800-50]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-22">AC-22</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-4">AT-4</link>
-         <link rel="related" href="#cp-3">CP-3</link>
-         <link rel="related" href="#ir-2">IR-2</link>
-         <link rel="related" href="#ir-7">IR-7</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <link rel="related" href="#ir-10">IR-10</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#pm-13">PM-13</link>
-         <link rel="related" href="#pm-23">PM-23</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sa-16">SA-16</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="at-3_smt">
-            <part name="item" id="at-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Provide role-based security and privacy training to personnel with the following roles and responsibilities: <insert param-id="at-3_prm_1"/>:</p>
-               <part name="item" id="at-3_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Before authorizing access to the system, information, or performing assigned duties, and <insert param-id="at-3_prm_2"/> thereafter; and</p>
-               </part>
-               <part name="item" id="at-3_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>When required by system changes; and</p>
-               </part>
-            </part>
-            <part name="item" id="at-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Update role-based training <insert param-id="at-3_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="at-3_gdn">
-            <p>Organizations determine the content of training based on the assigned roles and responsibilities of individuals and the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; system and software developers; system, network, and database administrators; personnel conducting configuration management activities; personnel performing verification and validation activities; auditors; personnel having access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel having access to personally identifiable information.
-Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain security within the context of organizational security and privacy programs. Role-based training also applies to contractors providing services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure the content remains relevant and effective.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="at-3.1">
-            <title>Environmental Controls</title>
-            <param id="at-3.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="at-3.1_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AT-3(1)</prop>
-            <prop name="sort-id">AT-03(01)</prop>
-            <link rel="related" href="#pe-1">PE-1</link>
-            <link rel="related" href="#pe-11">PE-11</link>
-            <link rel="related" href="#pe-13">PE-13</link>
-            <link rel="related" href="#pe-14">PE-14</link>
-            <link rel="related" href="#pe-15">PE-15</link>
-            <part name="statement" id="at-3.1_smt">
-               <p>Provide <insert param-id="at-3.1_prm_1"/> with initial and <insert param-id="at-3.1_prm_2"/> training in the employment and operation of environmental controls.</p>
-            </part>
-            <part name="guidance" id="at-3.1_gdn">
-               <p>Environmental controls include fire suppression and detection devices or systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature or humidity, heating, ventilation, and air conditioning, and power within the facility.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-3.2">
-            <title>Physical Security Controls</title>
-            <param id="at-3.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="at-3.2_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AT-3(2)</prop>
-            <prop name="sort-id">AT-03(02)</prop>
-            <link rel="related" href="#pe-2">PE-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <part name="statement" id="at-3.2_smt">
-               <p>Provide <insert param-id="at-3.2_prm_1"/> with initial and <insert param-id="at-3.2_prm_2"/> training in the employment and operation of physical security controls.</p>
-            </part>
-            <part name="guidance" id="at-3.2_gdn">
-               <p>Physical security controls include physical access control devices, physical intrusion and detection alarms, operating procedures for facility security guards, and monitoring or surveillance equipment.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-3.3">
-            <title>Practical Exercises</title>
-            <prop name="label">AT-3(3)</prop>
-            <prop name="sort-id">AT-03(03)</prop>
-            <part name="statement" id="at-3.3_smt">
-               <p>Provide practical exercises in security and privacy training that reinforce training objectives.</p>
-            </part>
-            <part name="guidance" id="at-3.3_gdn">
-               <p>Practical exercises for security include training for software developers that addresses simulated attacks exploiting common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on handling personally identifiable information in various scenarios, or scenarios on conducting privacy impact assessments.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="at-3.4">
-            <title>Suspicious Communications and Anomalous System Behavior</title>
-            <prop name="label">AT-3(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AT-03(04)</prop>
-            <link rel="moved-to" href="#at-2.4">AT-2(4)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="at-3.5">
-            <title>Accessing Personally Identifiable Information</title>
-            <param id="at-3.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="at-3.5_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AT-3(5)</prop>
-            <prop name="sort-id">AT-03(05)</prop>
-            <part name="statement" id="at-3.5_smt">
-               <p>Provide <insert param-id="at-3.5_prm_1"/> with initial and <insert param-id="at-3.5_prm_2"/> training on:</p>
-               <part name="item" id="at-3.5_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Organizational authority for collecting personally identifiable information;</p>
-               </part>
-               <part name="item" id="at-3.5_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Authorized uses of personally identifiable information;</p>
-               </part>
-               <part name="item" id="at-3.5_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Identifying, reporting, and responding to a suspected or confirmed breach;</p>
-               </part>
-               <part name="item" id="at-3.5_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Content of system of records notices, computer matching agreements, and privacy impact assessments;</p>
-               </part>
-               <part name="item" id="at-3.5_smt.e">
-                  <prop name="label">(e)</prop>
-                  <p>Authorized sharing of personally identifiable information with external parties; and</p>
-               </part>
-               <part name="item" id="at-3.5_smt.f">
-                  <prop name="label">(f)</prop>
-                  <p>Rules of behavior and the consequences for unauthorized collection, use, or sharing of personally identifiable information.</p>
-               </part>
-            </part>
-            <part name="guidance" id="at-3.5_gdn">
-               <p>Role-based training addresses the responsibility of individuals when accessing personally identifiable information; the organization’s established rules of behavior when accessing personally identifiable information; the consequences for violating the rules of behavior; and how to respond to a breach. Role-based training helps ensure personnel comply with applicable privacy requirements and is necessary to manage privacy risks.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="at-4">
-         <title>Training Records</title>
-         <param id="at-4_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">AT-4</prop>
-         <prop name="sort-id">AT-04</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#cp-3">CP-3</link>
-         <link rel="related" href="#ir-2">IR-2</link>
-         <link rel="related" href="#pm-14">PM-14</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="at-4_smt">
-            <part name="item" id="at-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and</p>
-            </part>
-            <part name="item" id="at-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Retain individual training records for <insert param-id="at-4_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="at-4_gdn">
-            <p>Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="at-5">
-         <title>Contacts with Security Groups and Associations</title>
-         <prop name="label">AT-5</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">AT-05</prop>
-         <link rel="incorporated-into" href="#pm-15">PM-15</link>
-      </control>
-   </group>
-   <group class="family" id="au">
-      <title>Audit and Accountability</title>
-      <control class="SP800-53" id="au-1">
-         <title>Policy and Procedures</title>
-         <param id="au-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="au-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="au-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="au-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AU-1</prop>
-         <prop name="sort-id">AU-01</prop>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="au-1_smt">
-            <part name="item" id="au-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="au-1_prm_1"/>:</p>
-               <part name="item" id="au-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="au-1_prm_2"/> audit and accountability policy that:</p>
-                  <part name="item" id="au-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="au-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="au-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;</p>
-               </part>
-            </part>
-            <part name="item" id="au-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="au-1_prm_3"/> to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and</p>
-            </part>
-            <part name="item" id="au-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current audit and accountability:</p>
-               <part name="item" id="au-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="au-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="au-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="au-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="au-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the AU family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="au-2">
-         <title>Event Logging</title>
-         <param id="au-2_prm_1">
-            <label>organization-defined event types that the system is capable of logging</label>
-         </param>
-         <param id="au-2_prm_2">
-            <label>organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of (or situation requiring) logging for each identified event type</label>
-         </param>
-         <param id="au-2_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">AU-2</prop>
-         <prop name="sort-id">AU-02</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#02d8ec60-6197-43f8-9f47-18732127963e">[SP 800-92]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-7">AC-7</link>
-         <link rel="related" href="#ac-8">AC-8</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#au-3">AU-3</link>
-         <link rel="related" href="#au-4">AU-4</link>
-         <link rel="related" href="#au-5">AU-5</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#au-11">AU-11</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-13">CM-13</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pm-21">PM-21</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <link rel="related" href="#ra-8">RA-8</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-18">SC-18</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#si-10">SI-10</link>
-         <link rel="related" href="#si-11">SI-11</link>
-         <part name="statement" id="au-2_smt">
-            <part name="item" id="au-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identify the types of events that the system is capable of logging in support of the audit function: <insert param-id="au-2_prm_1"/>;</p>
-            </part>
-            <part name="item" id="au-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;</p>
-            </part>
-            <part name="item" id="au-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Specify the following event types for logging within the system: <insert param-id="au-2_prm_2"/>;</p>
-            </part>
-            <part name="item" id="au-2_smt.d">
-               <prop name="label">d.</prop>
-               <p>Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and</p>
-            </part>
-            <part name="item" id="au-2_smt.e">
-               <prop name="label">e.</prop>
-               <p>Review and update the event types selected for logging <insert param-id="au-2_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="au-2_gdn">
-            <p>An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes; failed logons or failed accesses related to systems; security or privacy attribute changes; administrative privilege usage; PIV credential usage; data action changes; query parameters; or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.
-To balance monitoring and auditing requirements with other system needs, this control also requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the logging event is based on patterns or time of usage.
-Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-16(11), AC-17(1), CM-3.f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-8, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. Organizations consider in the definition of event types, the logging necessary to cover related event types such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-2.1">
-            <title>Compilation of Audit Records from Multiple Sources</title>
-            <prop name="label">AU-2(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-02(01)</prop>
-            <link rel="incorporated-into" href="#au-12">AU-12</link>
-         </control>
-         <control class="SP800-53-enhancement" id="au-2.2">
-            <title>Selection of Audit Events by Component</title>
-            <prop name="label">AU-2(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-02(02)</prop>
-            <link rel="incorporated-into" href="#au-12">AU-12</link>
-         </control>
-         <control class="SP800-53-enhancement" id="au-2.3">
-            <title>Reviews and Updates</title>
-            <prop name="label">AU-2(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-02(03)</prop>
-            <link rel="incorporated-into" href="#au-2">AU-2</link>
-         </control>
-         <control class="SP800-53-enhancement" id="au-2.4">
-            <title>Privileged Functions</title>
-            <prop name="label">AU-2(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-02(04)</prop>
-            <link rel="incorporated-into" href="#ac-6.9">AC-6(9)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-3">
-         <title>Content of Audit Records</title>
-         <prop name="label">AU-3</prop>
-         <prop name="sort-id">AU-03</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-8">AU-8</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#au-14">AU-14</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#si-11">SI-11</link>
-         <part name="statement" id="au-3_smt">
-            <p>Ensure that audit records contain information that establishes the following:</p>
-            <part name="item" id="au-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>What type of event occurred;</p>
-            </part>
-            <part name="item" id="au-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>When the event occurred;</p>
-            </part>
-            <part name="item" id="au-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Where the event occurred;</p>
-            </part>
-            <part name="item" id="au-3_smt.d">
-               <prop name="label">d.</prop>
-               <p>Source of the event;</p>
-            </part>
-            <part name="item" id="au-3_smt.e">
-               <prop name="label">e.</prop>
-               <p>Outcome of the event; and</p>
-            </part>
-            <part name="item" id="au-3_smt.f">
-               <prop name="label">f.</prop>
-               <p>Identity of any individuals, subjects, or objects/entities associated with the event.</p>
-            </part>
-         </part>
-         <part name="guidance" id="au-3_gdn">
-            <p>Audit record content that may be necessary to support the auditing function includes, but is not limited to, event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential for personally identifiable information in the audit trail especially if the trail records inputs or is based on patterns or time of usage.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-3.1">
-            <title>Additional Audit Information</title>
-            <param id="au-3.1_prm_1">
-               <label>organization-defined additional information</label>
-            </param>
-            <prop name="label">AU-3(1)</prop>
-            <prop name="sort-id">AU-03(01)</prop>
-            <part name="statement" id="au-3.1_smt">
-               <p>Generate audit records containing the following additional information: <insert param-id="au-3.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-3.1_gdn">
-               <p>The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading or that could make it more difficult to locate information of interest.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-3.2">
-            <title>Centralized Management of Planned Audit Record Content</title>
-            <param id="au-3.2_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">AU-3(2)</prop>
-            <prop name="sort-id">AU-03(02)</prop>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <part name="statement" id="au-3.2_smt">
-               <p>Provide centralized management and configuration of the content to be captured in audit records generated by <insert param-id="au-3.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-3.2_gdn">
-               <p>Centralized management of planned audit record content requires that the content to be captured in audit records be configured from a central location (necessitating an automated capability). Organizations coordinate the selection of the required audit record content to support the centralized management and configuration capability provided by the system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-3.3">
-            <title>Limit Personally Identifiable Information Elements</title>
-            <param id="au-3.3_prm_1">
-               <label>organization-defined elements</label>
-            </param>
-            <prop name="label">AU-3(3)</prop>
-            <prop name="sort-id">AU-03(03)</prop>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="au-3.3_smt">
-               <p>Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: <insert param-id="au-3.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-3.3_gdn">
-               <p>Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-4">
-         <title>Audit Log Storage Capacity</title>
-         <param id="au-4_prm_1">
-            <label>organization-defined audit log retention requirements</label>
-         </param>
-         <prop name="label">AU-4</prop>
-         <prop name="sort-id">AU-04</prop>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-5">AU-5</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-11">AU-11</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#au-14">AU-14</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="au-4_smt">
-            <p>Allocate audit log storage capacity to accommodate <insert param-id="au-4_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="au-4_gdn">
-            <p>Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-4.1">
-            <title>Transfer to Alternate Storage</title>
-            <param id="au-4.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AU-4(1)</prop>
-            <prop name="sort-id">AU-04(01)</prop>
-            <part name="statement" id="au-4.1_smt">
-               <p>Transfer audit logs <insert param-id="au-4.1_prm_1"/> to a different system, system component, or media other than the system or system component conducting the logging.</p>
-            </part>
-            <part name="guidance" id="au-4.1_gdn">
-               <p>Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. This control enhancement is similar to AU-9(2) in that audit logs are transferred to a different entity. However, the primary purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the dual benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-5">
-         <title>Response to Audit Logging Process Failures</title>
-         <param id="au-5_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-5_prm_2">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="au-5_prm_3">
-            <label>organization-defined additional actions</label>
-         </param>
-         <prop name="label">AU-5</prop>
-         <prop name="sort-id">AU-05</prop>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-4">AU-4</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-11">AU-11</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#au-14">AU-14</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="au-5_smt">
-            <part name="item" id="au-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Alert <insert param-id="au-5_prm_1"/> within <insert param-id="au-5_prm_2"/> in the event of an audit logging process failure; and</p>
-            </part>
-            <part name="item" id="au-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Take the following additional actions: <insert param-id="au-5_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="au-5_gdn">
-            <p>Audit logging process failures include, for example, software and hardware errors; reaching or exceeding audit log storage capacity; and failures in audit log capturing mechanisms. Organization-defined actions include overwriting oldest audit records; shutting down the system; and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored); the system on which the audit logs reside; the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-5.1">
-            <title>Storage Capacity Warning</title>
-            <param id="au-5.1_prm_1">
-               <label>organization-defined personnel, roles, and/or locations</label>
-            </param>
-            <param id="au-5.1_prm_2">
-               <label>organization-defined time-period</label>
-            </param>
-            <param id="au-5.1_prm_3">
-               <label>organization-defined percentage</label>
-            </param>
-            <prop name="label">AU-5(1)</prop>
-            <prop name="sort-id">AU-05(01)</prop>
-            <part name="statement" id="au-5.1_smt">
-               <p>Provide a warning to <insert param-id="au-5.1_prm_1"/> within <insert param-id="au-5.1_prm_2"/> when allocated audit log storage volume reaches <insert param-id="au-5.1_prm_3"/> of repository maximum audit log storage capacity.</p>
-            </part>
-            <part name="guidance" id="au-5.1_gdn">
-               <p>Organizations may have multiple audit log storage repositories distributed across multiple system components, with each repository having different storage volume capacities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-5.2">
-            <title>Real-time Alerts</title>
-            <param id="au-5.2_prm_1">
-               <label>organization-defined real-time-period</label>
-            </param>
-            <param id="au-5.2_prm_2">
-               <label>organization-defined personnel, roles, and/or locations</label>
-            </param>
-            <param id="au-5.2_prm_3">
-               <label>organization-defined audit logging failure events requiring real-time alerts</label>
-            </param>
-            <prop name="label">AU-5(2)</prop>
-            <prop name="sort-id">AU-05(02)</prop>
-            <part name="statement" id="au-5.2_smt">
-               <p>Provide an alert within <insert param-id="au-5.2_prm_1"/> to <insert param-id="au-5.2_prm_2"/> when the following audit failure events occur: <insert param-id="au-5.2_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="au-5.2_gdn">
-               <p>Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-5.3">
-            <title>Configurable Traffic Volume Thresholds</title>
-            <param id="au-5.3_prm_1">
-               <select>
-                  <choice>reject</choice>
-                  <choice>delay</choice>
-               </select>
-            </param>
-            <prop name="label">AU-5(3)</prop>
-            <prop name="sort-id">AU-05(03)</prop>
-            <part name="statement" id="au-5.3_smt">
-               <p>Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and <insert param-id="au-5.3_prm_1"/> network traffic above those thresholds.</p>
-            </part>
-            <part name="guidance" id="au-5.3_gdn">
-               <p>Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage capacity.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-5.4">
-            <title>Shutdown on Failure</title>
-            <param id="au-5.4_prm_1">
-               <select>
-                  <choice>full system shutdown</choice>
-                  <choice>partial system shutdown</choice>
-                  <choice>degraded operational mode with limited mission or business functionality available</choice>
-               </select>
-            </param>
-            <param id="au-5.4_prm_2">
-               <label>organization-defined audit logging failures</label>
-            </param>
-            <prop name="label">AU-5(4)</prop>
-            <prop name="sort-id">AU-05(04)</prop>
-            <link rel="related" href="#au-15">AU-15</link>
-            <part name="statement" id="au-5.4_smt">
-               <p>Invoke a <insert param-id="au-5.4_prm_1"/> in the event of <insert param-id="au-5.4_prm_2"/>, unless an alternate audit logging capability exists.</p>
-            </part>
-            <part name="guidance" id="au-5.4_gdn">
-               <p>Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core organizational missions and business operations. In those instances, partial system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-5.5">
-            <title>Alternate Audit Logging Capability</title>
-            <param id="au-5.5_prm_1">
-               <label>organization-defined alternate audit logging functionality</label>
-            </param>
-            <prop name="label">AU-5(5)</prop>
-            <prop name="sort-id">AU-05(05)</prop>
-            <link rel="related" href="#au-9">AU-9</link>
-            <part name="statement" id="au-5.5_smt">
-               <p>Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements <insert param-id="au-5.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-5.5_gdn">
-               <p>Since an alternate audit logging capability may be a short-term protection solution employed until the failure in the primary audit logging capability is corrected, organizations may determine that the alternate audit logging capability need only provide a subset of the primary audit logging functionality that is impacted by the failure.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-6">
-         <title>Audit Record Review, Analysis, and Reporting</title>
-         <param id="au-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="au-6_prm_2">
-            <label>organization-defined inappropriate or unusual activity</label>
-         </param>
-         <param id="au-6_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-6</prop>
-         <prop name="sort-id">AU-06</prop>
-         <link rel="reference" href="#35dfd59f-eef2-4f71-bdb5-6d878267456a">[SP 800-86]</link>
-         <link rel="reference" href="#1e2c475a-84ae-4c60-b420-8fb2ea552b71">[SP 800-101]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-5">AC-5</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-7">AC-7</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#au-16">AU-16</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-10">CM-10</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ir-5">IR-5</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-6">PE-6</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="au-6_smt">
-            <part name="item" id="au-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Review and analyze system audit records <insert param-id="au-6_prm_1"/> for indications of <insert param-id="au-6_prm_2"/>;</p>
-            </part>
-            <part name="item" id="au-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Report findings to <insert param-id="au-6_prm_3"/>; and</p>
-            </part>
-            <part name="item" id="au-6_smt.c">
-               <prop name="label">c.</prop>
-               <p>Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</p>
-            </part>
-         </part>
-         <part name="guidance" id="au-6_gdn">
-            <p>Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system boundaries, and use of mobile code or VoIP. Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-6.1">
-            <title>Automated Process Integration</title>
-            <param id="au-6.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">AU-6(1)</prop>
-            <prop name="sort-id">AU-06(01)</prop>
-            <link rel="related" href="#pm-7">PM-7</link>
-            <part name="statement" id="au-6.1_smt">
-               <p>Integrate audit record review, analysis, and reporting processes using <insert param-id="au-6.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-6.1_gdn">
-               <p>Organizational processes benefiting from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.2">
-            <title>Automated Security Alerts</title>
-            <prop name="label">AU-6(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-06(02)</prop>
-            <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.3">
-            <title>Correlate Audit Record Repositories</title>
-            <prop name="label">AU-6(3)</prop>
-            <prop name="sort-id">AU-06(03)</prop>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <part name="statement" id="au-6.3_smt">
-               <p>Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.</p>
-            </part>
-            <part name="guidance" id="au-6.3_gdn">
-               <p>Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.4">
-            <title>Central Review and Analysis</title>
-            <prop name="label">AU-6(4)</prop>
-            <prop name="sort-id">AU-06(04)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <part name="statement" id="au-6.4_smt">
-               <p>Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.</p>
-            </part>
-            <part name="guidance" id="au-6.4_gdn">
-               <p>Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.5">
-            <title>Integrated Analysis of Audit Records</title>
-            <param id="au-6.5_prm_1">
-               <select how-many="one or more">
-                  <choice>vulnerability scanning information</choice>
-                  <choice>performance data</choice>
-                  <choice>system monitoring information</choice>
-                  <choice>
-                     <insert param-id="au-6.5_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="au-6.5_prm_2" depends-on="au-6.5_prm_1">
-               <label>organization-defined data/information collected from other sources</label>
-            </param>
-            <prop name="label">AU-6(5)</prop>
-            <prop name="sort-id">AU-06(05)</prop>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <part name="statement" id="au-6.5_smt">
-               <p>Integrate analysis of audit records with analysis of <insert param-id="au-6.5_prm_1"/> to further enhance the ability to identify inappropriate or unusual activity.</p>
-            </part>
-            <part name="guidance" id="au-6.5_gdn">
-               <p>Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial of service attacks or other types of attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.6">
-            <title>Correlation with Physical Monitoring</title>
-            <prop name="label">AU-6(6)</prop>
-            <prop name="sort-id">AU-06(06)</prop>
-            <part name="statement" id="au-6.6_smt">
-               <p>Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.</p>
-            </part>
-            <part name="guidance" id="au-6.6_gdn">
-               <p>The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred, may be useful in investigations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.7">
-            <title>Permitted Actions</title>
-            <param id="au-6.7_prm_1">
-               <select how-many="one or more">
-                  <choice>system process</choice>
-                  <choice>role</choice>
-                  <choice>user</choice>
-               </select>
-            </param>
-            <prop name="label">AU-6(7)</prop>
-            <prop name="sort-id">AU-06(07)</prop>
-            <part name="statement" id="au-6.7_smt">
-               <p>Specify the permitted actions for each <insert param-id="au-6.7_prm_1"/> associated with the review, analysis, and reporting of audit record information.</p>
-            </part>
-            <part name="guidance" id="au-6.7_gdn">
-               <p>Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.8">
-            <title>Full Text Analysis of Privileged Commands</title>
-            <prop name="label">AU-6(8)</prop>
-            <prop name="sort-id">AU-06(08)</prop>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <part name="statement" id="au-6.8_smt">
-               <p>Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.</p>
-            </part>
-            <part name="guidance" id="au-6.8_gdn">
-               <p>Full text analysis of privileged commands requires a distinct environment for the analysis of audit record information related to privileged users without compromising such information on the system where the users have elevated privileges, including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes the use of pattern matching and heuristics.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.9">
-            <title>Correlation with Information from Nontechnical Sources</title>
-            <prop name="label">AU-6(9)</prop>
-            <prop name="sort-id">AU-06(09)</prop>
-            <link rel="related" href="#pm-12">PM-12</link>
-            <part name="statement" id="au-6.9_smt">
-               <p>Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.</p>
-            </part>
-            <part name="guidance" id="au-6.9_gdn">
-               <p>Nontechnical sources include records documenting organizational policy violations related to sexual harassment incidents and the improper use of information assets. Such information can lead to a directed analytical effort to detect potential malicious insider activity. Organizations limit access to information that is available from nontechnical sources due to its sensitive nature. Limited access minimizes the potential for inadvertent release of privacy-related information to individuals that do not have a need to know. Thus, the correlation of information from nontechnical sources with audit record information generally occurs only when individuals are suspected of being involved in an incident. Organizations obtain legal advice prior to initiating such actions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-6.10">
-            <title>Audit Level Adjustment</title>
-            <prop name="label">AU-6(10)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-06(10)</prop>
-            <link rel="incorporated-into" href="#au-6">AU-6</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-7">
-         <title>Audit Record Reduction and Report Generation</title>
-         <prop name="label">AU-7</prop>
-         <prop name="sort-id">AU-07</prop>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-3">AU-3</link>
-         <link rel="related" href="#au-4">AU-4</link>
-         <link rel="related" href="#au-5">AU-5</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#au-16">AU-16</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="au-7_smt">
-            <p>Provide and implement an audit record reduction and report generation capability that:</p>
-            <part name="item" id="au-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and</p>
-            </part>
-            <part name="item" id="au-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Does not alter the original content or time ordering of audit records.</p>
-            </part>
-         </part>
-         <part name="guidance" id="au-7_gdn">
-            <p>Audit record reduction is a process that manipulates collected audit log information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities conducting audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-7.1">
-            <title>Automatic Processing</title>
-            <param id="au-7.1_prm_1">
-               <label>organization-defined fields within audit records</label>
-            </param>
-            <prop name="label">AU-7(1)</prop>
-            <prop name="sort-id">AU-07(01)</prop>
-            <part name="statement" id="au-7.1_smt">
-               <p>Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: <insert param-id="au-7.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-7.1_gdn">
-               <p>Events of interest can be identified by the content of audit records including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, for example, locations selectable by a general networking location or by specific system component.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-7.2">
-            <title>Automatic Sort and Search</title>
-            <prop name="label">AU-7(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-07(02)</prop>
-            <link rel="incorporated-into" href="#au-7.1">AU-7(1)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-8">
-         <title>Time Stamps</title>
-         <param id="au-8_prm_1">
-            <label>organization-defined granularity of time measurement</label>
-         </param>
-         <prop name="label">AU-8</prop>
-         <prop name="sort-id">AU-08</prop>
-         <link rel="reference" href="#17ca9481-ea11-4ef2-81c1-885fd37d4be5">[IETF 5905]</link>
-         <link rel="related" href="#au-3">AU-3</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#au-14">AU-14</link>
-         <link rel="related" href="#sc-45">SC-45</link>
-         <part name="statement" id="au-8_smt">
-            <part name="item" id="au-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Use internal system clocks to generate time stamps for audit records; and</p>
-            </part>
-            <part name="item" id="au-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Record time stamps for audit records that meet <insert param-id="au-8_prm_1"/> and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.</p>
-            </part>
-         </part>
-         <part name="guidance" id="au-8_gdn">
-            <p>Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-8.1">
-            <title>Synchronization with Authoritative Time Source</title>
-            <param id="au-8.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="au-8.1_prm_2">
-               <label>organization-defined authoritative time source</label>
-            </param>
-            <param id="au-8.1_prm_3">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">AU-8(1)</prop>
-            <prop name="sort-id">AU-08(01)</prop>
-            <part name="statement" id="au-8.1_smt">
-               <part name="item" id="au-8.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Compare the internal system clocks <insert param-id="au-8.1_prm_1"/> with <insert param-id="au-8.1_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="au-8.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Synchronize the internal system clocks to the authoritative time source when the time difference is greater than <insert param-id="au-8.1_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="au-8.1_gdn">
-               <p>Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-8.2">
-            <title>Secondary Authoritative Time Source</title>
-            <prop name="label">AU-8(2)</prop>
-            <prop name="sort-id">AU-08(02)</prop>
-            <part name="statement" id="au-8.2_smt">
-               <part name="item" id="au-8.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and</p>
-               </part>
-               <part name="item" id="au-8.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable.</p>
-               </part>
-            </part>
-            <part name="guidance" id="au-8.2_gdn">
-               <p>It may be necessary to employ geolocation information to determine that the secondary authoritative time source is in a different geographic region.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-9">
-         <title>Protection of Audit Information</title>
-         <prop name="label">AU-9</prop>
-         <prop name="sort-id">AU-09</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd">[FIPS 180-4]</link>
-         <link rel="reference" href="#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">[FIPS 202]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-11">AU-11</link>
-         <link rel="related" href="#au-14">AU-14</link>
-         <link rel="related" href="#au-15">AU-15</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-6">PE-6</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="au-9_smt">
-            <p>Protect audit information and audit logging tools from unauthorized access, modification, and deletion.</p>
-         </part>
-         <part name="guidance" id="au-9_gdn">
-            <p>Audit information includes all information, for example, audit records, audit log settings, audit reports, and personally identifiable information, needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-9.1">
-            <title>Hardware Write-once Media</title>
-            <prop name="label">AU-9(1)</prop>
-            <prop name="sort-id">AU-09(01)</prop>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <part name="statement" id="au-9.1_smt">
-               <p>Write audit trails to hardware-enforced, write-once media.</p>
-            </part>
-            <part name="guidance" id="au-9.1_gdn">
-               <p>Writing audit trails to hardware-enforced, write-once media applies to the initial generation of audit trails (i.e., the collection of audit records that represents the information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. Writing audit trails to hardware-enforced, write-once media does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes Compact Disk-Recordable (CD-R) and Digital Versatile Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-once, media.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.2">
-            <title>Store on Separate Physical Systems or Components</title>
-            <param id="au-9.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AU-9(2)</prop>
-            <prop name="sort-id">AU-09(02)</prop>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <part name="statement" id="au-9.2_smt">
-               <p>Store audit records <insert param-id="au-9.2_prm_1"/> in a repository that is part of a physically different system or system component than the system or component being audited.</p>
-            </part>
-            <part name="guidance" id="au-9.2_gdn">
-               <p>Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.3">
-            <title>Cryptographic Protection</title>
-            <prop name="label">AU-9(3)</prop>
-            <prop name="sort-id">AU-09(03)</prop>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="au-9.3_smt">
-               <p>Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.</p>
-            </part>
-            <part name="guidance" id="au-9.3_gdn">
-               <p>Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.4">
-            <title>Access by Subset of Privileged Users</title>
-            <param id="au-9.4_prm_1">
-               <label>organization-defined subset of privileged users or roles</label>
-            </param>
-            <prop name="label">AU-9(4)</prop>
-            <prop name="sort-id">AU-09(04)</prop>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <part name="statement" id="au-9.4_smt">
-               <p>Authorize access to management of audit logging functionality to only <insert param-id="au-9.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-9.4_gdn">
-               <p>Individuals or roles with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges, limits the number of users or roles with audit-related privileges.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.5">
-            <title>Dual Authorization</title>
-            <param id="au-9.5_prm_1">
-               <select how-many="one or more">
-                  <choice>movement</choice>
-                  <choice>deletion</choice>
-               </select>
-            </param>
-            <param id="au-9.5_prm_2">
-               <label>organization-defined audit information</label>
-            </param>
-            <prop name="label">AU-9(5)</prop>
-            <prop name="sort-id">AU-09(05)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <part name="statement" id="au-9.5_smt">
-               <p>Enforce dual authorization for <insert param-id="au-9.5_prm_1"/> of <insert param-id="au-9.5_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="au-9.5_gdn">
-               <p>Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms (also known as two-person control) require the approval of two authorized individuals to execute audit functions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.6">
-            <title>Read-only Access</title>
-            <param id="au-9.6_prm_1">
-               <label>organization-defined subset of privileged users or roles</label>
-            </param>
-            <prop name="label">AU-9(6)</prop>
-            <prop name="sort-id">AU-09(06)</prop>
-            <part name="statement" id="au-9.6_smt">
-               <p>Authorize read-only access to audit information to <insert param-id="au-9.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-9.6_gdn">
-               <p>Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, for example, deleting audit records to cover up malicious activity.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-9.7">
-            <title>Store on Component with Different Operating System</title>
-            <prop name="label">AU-9(7)</prop>
-            <prop name="sort-id">AU-09(07)</prop>
-            <part name="statement" id="au-9.7_smt">
-               <p>Store audit information on a component running a different operating system than the system or component being audited.</p>
-            </part>
-            <part name="guidance" id="au-9.7_gdn">
-               <p>Storing auditing information on a system component running a different operating system reduces the risk of a vulnerability specific to the system resulting in a compromise of the audit records.
-Related controls:  AU-4, AU-5, AU-11, SC-29.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-10">
-         <title>Non-repudiation</title>
-         <param id="au-10_prm_1">
-            <label>organization-defined actions to be covered by non-repudiation</label>
-         </param>
-         <prop name="label">AU-10</prop>
-         <prop name="sort-id">AU-10</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd">[FIPS 180-4]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="reference" href="#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">[FIPS 202]</link>
-         <link rel="reference" href="#64e044e4-b2a9-490f-a079-1106407c812f">[SP 800-177]</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-16">SC-16</link>
-         <link rel="related" href="#sc-17">SC-17</link>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <part name="statement" id="au-10_smt">
-            <p>Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed <insert param-id="au-10_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="au-10_gdn">
-            <p>Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents; senders of not having transmitted messages; receivers of not having received messages; and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, or approving a procurement request, or received specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-10.1">
-            <title>Association of Identities</title>
-            <param id="au-10.1_prm_1">
-               <label>organization-defined strength of binding</label>
-            </param>
-            <prop name="label">AU-10(1)</prop>
-            <prop name="sort-id">AU-10(01)</prop>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <part name="statement" id="au-10.1_smt">
-               <part name="item" id="au-10.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Bind the identity of the information producer with the information to <insert param-id="au-10.1_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="au-10.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Provide the means for authorized individuals to determine the identity of the producer of the information.</p>
-               </part>
-            </part>
-            <part name="guidance" id="au-10.1_gdn">
-               <p>Binding identities to the information supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of attribute binding between the information producer and the information based on the security category of the information and other relevant risk factors.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-10.2">
-            <title>Validate Binding of Information Producer Identity</title>
-            <param id="au-10.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="au-10.2_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">AU-10(2)</prop>
-            <prop name="sort-id">AU-10(02)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <part name="statement" id="au-10.2_smt">
-               <part name="item" id="au-10.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Validate the binding of the information producer identity to the information at <insert param-id="au-10.2_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="au-10.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Perform <insert param-id="au-10.2_prm_2"/> in the event of a validation error.</p>
-               </part>
-            </part>
-            <part name="guidance" id="au-10.2_gdn">
-               <p>Validating the binding of the information producer identity to the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-10.3">
-            <title>Chain of Custody</title>
-            <prop name="label">AU-10(3)</prop>
-            <prop name="sort-id">AU-10(03)</prop>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <part name="statement" id="au-10.3_smt">
-               <p>Maintain reviewer or releaser identity and credentials within the established chain of custody for information reviewed or released.</p>
-            </part>
-            <part name="guidance" id="au-10.3_gdn">
-               <p>Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release or transfer function, the system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, maintaining the identity and credentials of reviewers or releasers provides organizational officials the means to identify who reviewed and released the information. In the case of automated reviews, it ensures that only approved review functions are used.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-10.4">
-            <title>Validate Binding of Information Reviewer Identity</title>
-            <param id="au-10.4_prm_1">
-               <label>organization-defined security domains</label>
-            </param>
-            <param id="au-10.4_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">AU-10(4)</prop>
-            <prop name="sort-id">AU-10(04)</prop>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <part name="statement" id="au-10.4_smt">
-               <part name="item" id="au-10.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between <insert param-id="au-10.4_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="au-10.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Perform <insert param-id="au-10.4_prm_2"/> in the event of a validation error.</p>
-               </part>
-            </part>
-            <part name="guidance" id="au-10.4_gdn">
-               <p>Validating the binding of the information reviewer identity to the information at transfer or release points prevents the unauthorized modification of information between review and the transfer or release. The validation of bindings can be achieved by using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-10.5">
-            <title>Digital Signatures</title>
-            <prop name="label">AU-10(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-10(05)</prop>
-            <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-11">
-         <title>Audit Record Retention</title>
-         <param id="au-11_prm_1">
-            <label>organization-defined time-period consistent with records retention policy</label>
-         </param>
-         <prop name="label">AU-11</prop>
-         <prop name="sort-id">AU-11</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-4">AU-4</link>
-         <link rel="related" href="#au-5">AU-5</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-14">AU-14</link>
-         <link rel="related" href="#mp-6">MP-6</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="au-11_smt">
-            <p>Retain audit records for <insert param-id="au-11_prm_1"/> to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.</p>
-         </part>
-         <part name="guidance" id="au-11_gdn">
-            <p>Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-11.1">
-            <title>Long-term Retrieval Capability</title>
-            <param id="au-11.1_prm_1">
-               <label>organization-defined measures</label>
-            </param>
-            <prop name="label">AU-11(1)</prop>
-            <prop name="sort-id">AU-11(01)</prop>
-            <part name="statement" id="au-11.1_smt">
-               <p>Employ <insert param-id="au-11.1_prm_1"/> to ensure that long-term audit records generated by the system can be retrieved.</p>
-            </part>
-            <part name="guidance" id="au-11.1_gdn">
-               <p>Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining necessary documentation to help personnel understand how to interpret the records.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-12">
-         <title>Audit Record Generation</title>
-         <param id="au-12_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <param id="au-12_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">AU-12</prop>
-         <prop name="sort-id">AU-12</prop>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-3">AU-3</link>
-         <link rel="related" href="#au-4">AU-4</link>
-         <link rel="related" href="#au-5">AU-5</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#au-14">AU-14</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-18">SC-18</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#si-10">SI-10</link>
-         <part name="statement" id="au-12_smt">
-            <part name="item" id="au-12_smt.a">
-               <prop name="label">a.</prop>
-               <p>Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on <insert param-id="au-12_prm_1"/>;</p>
-            </part>
-            <part name="item" id="au-12_smt.b">
-               <prop name="label">b.</prop>
-               <p>Allow <insert param-id="au-12_prm_2"/> to select the event types that are to be logged by specific components of the system; and</p>
-            </part>
-            <part name="item" id="au-12_smt.c">
-               <prop name="label">c.</prop>
-               <p>Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.</p>
-            </part>
-         </part>
-         <part name="guidance" id="au-12_gdn">
-            <p>Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-12.1">
-            <title>System-wide and Time-correlated Audit Trail</title>
-            <param id="au-12.1_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="au-12.1_prm_2">
-               <label>organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail</label>
-            </param>
-            <prop name="label">AU-12(1)</prop>
-            <prop name="sort-id">AU-12(01)</prop>
-            <link rel="related" href="#au-8">AU-8</link>
-            <part name="statement" id="au-12.1_smt">
-               <p>Compile audit records from <insert param-id="au-12.1_prm_1"/> into a system-wide (logical or physical) audit trail that is time-correlated to within <insert param-id="au-12.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="au-12.1_gdn">
-               <p>Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-12.2">
-            <title>Standardized Formats</title>
-            <prop name="label">AU-12(2)</prop>
-            <prop name="sort-id">AU-12(02)</prop>
-            <part name="statement" id="au-12.2_smt">
-               <p>Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.</p>
-            </part>
-            <part name="guidance" id="au-12.2_gdn">
-               <p>Audit records that follow common standards promote interoperability and information exchange between devices and systems. This facilitates the production of event information that can be readily analyzed and correlated. Standard formats for audit records include records that are compliant with Common Event Expressions. If logging mechanisms within systems do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-12.3">
-            <title>Changes by Authorized Individuals</title>
-            <param id="au-12.3_prm_1">
-               <label>organization-defined individuals or roles</label>
-            </param>
-            <param id="au-12.3_prm_2">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="au-12.3_prm_3">
-               <label>organization-defined selectable event criteria</label>
-            </param>
-            <param id="au-12.3_prm_4">
-               <label>organization-defined time thresholds</label>
-            </param>
-            <prop name="label">AU-12(3)</prop>
-            <prop name="sort-id">AU-12(03)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <part name="statement" id="au-12.3_smt">
-               <p>Provide and implement the capability for <insert param-id="au-12.3_prm_1"/> to change the logging to be performed on <insert param-id="au-12.3_prm_2"/> based on <insert param-id="au-12.3_prm_3"/> within <insert param-id="au-12.3_prm_4"/>.</p>
-            </part>
-            <part name="guidance" id="au-12.3_gdn">
-               <p>Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed, for example, near real-time, within minutes, or within hours.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-12.4">
-            <title>Query Parameter Audits of Personally Identifiable Information</title>
-            <prop name="label">AU-12(4)</prop>
-            <prop name="sort-id">AU-12(04)</prop>
-            <part name="statement" id="au-12.4_smt">
-               <p>Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.</p>
-            </part>
-            <part name="guidance" id="au-12.4_gdn">
-               <p>Query parameters are explicit criteria that an individual or an automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-13">
-         <title>Monitoring for Information Disclosure</title>
-         <param id="au-13_prm_1">
-            <label>organization-defined open source information and/or information sites</label>
-         </param>
-         <param id="au-13_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="au-13_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="au-13_prm_4">
-            <label>organization-defined additional actions</label>
-         </param>
-         <prop name="label">AU-13</prop>
-         <prop name="sort-id">AU-13</prop>
-         <link rel="related" href="#ac-22">AC-22</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <part name="statement" id="au-13_smt">
-            <part name="item" id="au-13_smt.a">
-               <prop name="label">a.</prop>
-               <p>Monitor <insert param-id="au-13_prm_1"/>
-                  <insert param-id="au-13_prm_2"/> for evidence of unauthorized disclosure of organizational information; and</p>
-            </part>
-            <part name="item" id="au-13_smt.b">
-               <prop name="label">b.</prop>
-               <p>If an information disclosure is discovered:</p>
-               <part name="item" id="au-13_smt.b.1">
-                  <prop name="label">1.</prop>
-                  <p>Notify <insert param-id="au-13_prm_3"/>; and</p>
-               </part>
-               <part name="item" id="au-13_smt.b.2">
-                  <prop name="label">2.</prop>
-                  <p>Take the following additional actions: <insert param-id="au-13_prm_4"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="au-13_gdn">
-            <p>Unauthorized disclosure of information is a form of data leakage. Open source information includes social networking sites and code sharing platforms and repositories. Organizational information can include personally identifiable information retained by the organization.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-13.1">
-            <title>Use of Automated Tools</title>
-            <param id="au-13.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">AU-13(1)</prop>
-            <prop name="sort-id">AU-13(01)</prop>
-            <part name="statement" id="au-13.1_smt">
-               <p>Monitor open source information and information sites using <insert param-id="au-13.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-13.1_gdn">
-               <p>Automated mechanisms include commercial services providing notifications and alerts to organizations and automated scripts to monitor new posts on websites.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-13.2">
-            <title>Review of Monitored Sites</title>
-            <param id="au-13.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">AU-13(2)</prop>
-            <prop name="sort-id">AU-13(02)</prop>
-            <part name="statement" id="au-13.2_smt">
-               <p>Review the list of open source information sites being monitored <insert param-id="au-13.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="au-13.2_gdn">
-               <p>Reviewing on a regular basis, the current list of open source information sites being monitored, helps to ensure that the selected sites remain relevant. The review also provides the opportunity to add new open source information sites with the potential to provide evidence of unauthorized disclosure of organizational information. The list of sites monitored can be guided and informed by threat intelligence of other credible sources of information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-13.3">
-            <title>Unauthorized Replication of Information</title>
-            <prop name="label">AU-13(3)</prop>
-            <prop name="sort-id">AU-13(03)</prop>
-            <part name="statement" id="au-13.3_smt">
-               <p>Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.</p>
-            </part>
-            <part name="guidance" id="au-13.3_gdn">
-               <p>The unauthorized use or replication of organizational information by external entities can cause adverse impact on organizational operations and assets including damage to reputation. Such activity can include, for example, the replication of an organizational website by an adversary or hostile threat actor who attempts to impersonate the web-hosting organization. Discovery tools, techniques and processes used to determine if external entities are replicating organizational information in an unauthorized manner include scanning external websites, monitoring social media, and training staff to recognize unauthorized use of organizational information.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-14">
-         <title>Session Audit</title>
-         <param id="au-14_prm_1">
-            <label>organization-defined users or roles</label>
-         </param>
-         <param id="au-14_prm_2">
-            <select how-many="one or more">
-               <choice>record</choice>
-               <choice>view</choice>
-               <choice>hear</choice>
-               <choice>log</choice>
-            </select>
-         </param>
-         <param id="au-14_prm_3">
-            <label>organization-defined circumstances</label>
-         </param>
-         <prop name="label">AU-14</prop>
-         <prop name="sort-id">AU-14</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-8">AC-8</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-3">AU-3</link>
-         <link rel="related" href="#au-4">AU-4</link>
-         <link rel="related" href="#au-5">AU-5</link>
-         <link rel="related" href="#au-8">AU-8</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-11">AU-11</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <part name="statement" id="au-14_smt">
-            <part name="item" id="au-14_smt.a">
-               <prop name="label">a.</prop>
-               <p>Provide and implement the capability for <insert param-id="au-14_prm_1"/> to <insert param-id="au-14_prm_2"/> the content of a user session under <insert param-id="au-14_prm_3"/>; and</p>
-            </part>
-            <part name="item" id="au-14_smt.b">
-               <prop name="label">b.</prop>
-               <p>Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>
-            </part>
-         </part>
-         <part name="guidance" id="au-14_gdn">
-            <p>Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Organizations consider how session auditing can reveal information about individuals that may give rise to privacy risk and how to mitigate those risks. Because session auditing can impact system and network performance, organizations activate the capability under well-defined situations (e.g., the organization is suspicious of a specific individual). Organizations consult with legal counsel, civil liberties officials, and privacy officials to ensure that any legal, privacy, civil rights, or civil liberties issues, including use of personally identifiable information, are appropriately addressed.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-14.1">
-            <title>System Start-up</title>
-            <prop name="label">AU-14(1)</prop>
-            <prop name="sort-id">AU-14(01)</prop>
-            <part name="statement" id="au-14.1_smt">
-               <p>Initiate session audits automatically at system start-up.</p>
-            </part>
-            <part name="guidance" id="au-14.1_gdn">
-               <p>The initiation of session audits automatically at startup helps to ensure the information being captured on selected individuals is complete and is not subject to compromise through tampering by malicious threat actors.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-14.2">
-            <title>Capture and Record Content</title>
-            <prop name="label">AU-14(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">AU-14(02)</prop>
-            <link rel="incorporated-into" href="#au-14">AU-14</link>
-         </control>
-         <control class="SP800-53-enhancement" id="au-14.3">
-            <title>Remote Viewing and Listening</title>
-            <prop name="label">AU-14(3)</prop>
-            <prop name="sort-id">AU-14(03)</prop>
-            <link rel="related" href="#ac-17">AC-17</link>
-            <part name="statement" id="au-14.3_smt">
-               <p>Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.</p>
-            </part>
-            <part name="guidance" id="au-14.3_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="au-15">
-         <title>Alternate Audit Logging Capability</title>
-         <prop name="label">AU-15</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">AU-15</prop>
-         <link rel="moved-to" href="#au-5.5">AU-5(5)</link>
-      </control>
-      <control class="SP800-53" id="au-16">
-         <title>Cross-organizational Audit Logging</title>
-         <param id="au-16_prm_1">
-            <label>organization-defined methods</label>
-         </param>
-         <param id="au-16_prm_2">
-            <label>organization-defined audit information</label>
-         </param>
-         <prop name="label">AU-16</prop>
-         <prop name="sort-id">AU-16</prop>
-         <link rel="related" href="#au-3">AU-3</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <part name="statement" id="au-16_smt">
-            <p>Employ <insert param-id="au-16_prm_1"/> for coordinating <insert param-id="au-16_prm_2"/> among external organizations when audit information is transmitted across organizational boundaries.</p>
-         </part>
-         <part name="guidance" id="au-16_gdn">
-            <p>When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals that requested specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply captures the identity of individuals issuing requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="au-16.1">
-            <title>Identity Preservation</title>
-            <prop name="label">AU-16(1)</prop>
-            <prop name="sort-id">AU-16(01)</prop>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <part name="statement" id="au-16.1_smt">
-               <p>Preserve the identity of individuals in cross-organizational audit trails.</p>
-            </part>
-            <part name="guidance" id="au-16.1_gdn">
-               <p>Identity preservation is applied when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-16.2">
-            <title>Sharing of Audit Information</title>
-            <param id="au-16.2_prm_1">
-               <label>organization-defined organizations</label>
-            </param>
-            <param id="au-16.2_prm_2">
-               <label>organization-defined cross-organizational sharing agreements</label>
-            </param>
-            <prop name="label">AU-16(2)</prop>
-            <prop name="sort-id">AU-16(02)</prop>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="au-16.2_smt">
-               <p>Provide cross-organizational audit information to <insert param-id="au-16.2_prm_1"/> based on <insert param-id="au-16.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="au-16.2_gdn">
-               <p>Due to the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only individuals’ home organizations have appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="au-16.3">
-            <title>Disassociability</title>
-            <param id="au-16.3_prm_1">
-               <label>organization-defined measures</label>
-            </param>
-            <prop name="label">AU-16(3)</prop>
-            <prop name="sort-id">AU-16(03)</prop>
-            <part name="statement" id="au-16.3_smt">
-               <p>Implement <insert param-id="au-16.3_prm_1"/> to disassociate individuals from audit information transmitted across organizational boundaries.</p>
-            </part>
-            <part name="guidance" id="au-16.3_gdn">
-               <p>Preserving identities in audit trails could have privacy ramifications such as enabling the tracking and profiling of individuals but may not be operationally necessary. These risks could be further amplified when transmitting information across organizational boundaries. Using privacy-enhancing cryptographic techniques can disassociate individuals from audit information and reduce privacy risk while maintaining accountability.</p>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ca">
-      <title>Assessment, Authorization, and Monitoring</title>
-      <control class="SP800-53" id="ca-1">
-         <title>Policy and Procedures</title>
-         <param id="ca-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ca-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="ca-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="ca-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ca-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-1</prop>
-         <prop name="sort-id">CA-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#5db6dfe4-788e-4183-93b9-f6fb29d75e41">[SP 800-53A]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ca-1_smt">
-            <part name="item" id="ca-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="ca-1_prm_1"/>:</p>
-               <part name="item" id="ca-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="ca-1_prm_2"/> assessment, authorization, and monitoring policy that:</p>
-                  <part name="item" id="ca-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="ca-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ca-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;</p>
-               </part>
-            </part>
-            <part name="item" id="ca-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="ca-1_prm_3"/> to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and</p>
-            </part>
-            <part name="item" id="ca-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current assessment, authorization, and monitoring:</p>
-               <part name="item" id="ca-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="ca-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="ca-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="ca-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ca-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the CA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ca-2">
-         <title>Control Assessments</title>
-         <param id="ca-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ca-2_prm_2">
-            <label>organization-defined individuals or roles</label>
-         </param>
-         <prop name="label">CA-2</prop>
-         <prop name="sort-id">CA-02</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#ae962073-f9bb-4210-b1ad-53ef6f6afad6">[SP 800-18]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#5db6dfe4-788e-4183-93b9-f6fb29d75e41">[SP 800-53A]</link>
-         <link rel="reference" href="#a6b97214-55d4-4b86-a3a4-53d5911d96f7">[SP 800-115]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#ca-5">CA-5</link>
-         <link rel="related" href="#ca-6">CA-6</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <part name="statement" id="ca-2_smt">
-            <part name="item" id="ca-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop a control assessment plan that describes the scope of the assessment including:</p>
-               <part name="item" id="ca-2_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Controls and control enhancements under assessment;</p>
-               </part>
-               <part name="item" id="ca-2_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Assessment procedures to be used to determine control effectiveness; and</p>
-               </part>
-               <part name="item" id="ca-2_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Assessment environment, assessment team, and assessment roles and responsibilities;</p>
-               </part>
-            </part>
-            <part name="item" id="ca-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;</p>
-            </part>
-            <part name="item" id="ca-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Assess the controls in the system and its environment of operation <insert param-id="ca-2_prm_1"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;</p>
-            </part>
-            <part name="item" id="ca-2_smt.d">
-               <prop name="label">d.</prop>
-               <p>Produce a control assessment report that document the results of the assessment; and</p>
-            </part>
-            <part name="item" id="ca-2_smt.e">
-               <prop name="label">e.</prop>
-               <p>Provide the results of the control assessment to <insert param-id="ca-2_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ca-2_gdn">
-            <p>Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations; continuous monitoring; FISMA annual assessments; system design and development; systems security engineering; and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements; identify weaknesses and deficiencies in the system design and development process; provide essential information needed to make risk-based decisions as part of authorization processes; and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. For example, the design for the controls can be assessed as RFPs are developed and responses assessed, and as design reviews are conducted. If design to implement controls and subsequent implementation in accordance with the design is assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.
-Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.
-Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.
-To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations; continuous monitoring; systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside the scope of this control.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-2.1">
-            <title>Independent Assessors</title>
-            <prop name="label">CA-2(1)</prop>
-            <prop name="sort-id">CA-02(01)</prop>
-            <part name="statement" id="ca-2.1_smt">
-               <p>Employ independent assessors or assessment teams to conduct control assessments.</p>
-            </part>
-            <part name="guidance" id="ca-2.1_gdn">
-               <p>Independent assessors or assessment teams are individuals or groups conducting impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in positions of advocacy for the organizations acquiring their services.
-Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination also includes whether contracted assessment services have sufficient independence, for example, when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, the analogy to independent assessors is having independent SMEs involved in design reviews.
-When organizations that own the systems are small or the structures of the organizations require that assessments are conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions, are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-2.2">
-            <title>Specialized Assessments</title>
-            <param id="ca-2.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="ca-2.2_prm_2">
-               <select>
-                  <choice>announced</choice>
-                  <choice>unannounced</choice>
-               </select>
-            </param>
-            <param id="ca-2.2_prm_3">
-               <select how-many="one or more">
-                  <choice>in-depth monitoring</choice>
-                  <choice>security instrumentation</choice>
-                  <choice>automated security test cases</choice>
-                  <choice>vulnerability scanning</choice>
-                  <choice>malicious user testing</choice>
-                  <choice>insider threat assessment</choice>
-                  <choice>performance and load testing</choice>
-                  <choice>data leakage or data loss assessment <insert param-id="ca-2.2_prm_4"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="ca-2.2_prm_4" depends-on="ca-2.2_prm_3">
-               <label>organization-defined other forms of assessment</label>
-            </param>
-            <prop name="label">CA-2(2)</prop>
-            <prop name="sort-id">CA-02(02)</prop>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <part name="statement" id="ca-2.2_smt">
-               <p>Include as part of control assessments, <insert param-id="ca-2.2_prm_1"/>, <insert param-id="ca-2.2_prm_2"/>, <insert param-id="ca-2.2_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="ca-2.2_gdn">
-               <p>Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle, for example, during design, development, and unit testing.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-2.3">
-            <title>External Organizations</title>
-            <param id="ca-2.3_prm_1">
-               <label>organization-defined external organization</label>
-            </param>
-            <param id="ca-2.3_prm_2">
-               <label>organization-defined system</label>
-            </param>
-            <param id="ca-2.3_prm_3">
-               <label>organization-defined requirements</label>
-            </param>
-            <prop name="label">CA-2(3)</prop>
-            <prop name="sort-id">CA-02(03)</prop>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <part name="statement" id="ca-2.3_smt">
-               <p>Leverage the results of control assessments performed by <insert param-id="ca-2.3_prm_1"/> on <insert param-id="ca-2.3_prm_2"/> when the assessment meets <insert param-id="ca-2.3_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="ca-2.3_gdn">
-               <p>Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment; the reputation of the assessment organization; the level of detail of supporting assessment evidence provided; and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories supporting the Common Criteria Program [ISO 15408-1], the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-3">
-         <title>Information Exchange</title>
-         <param id="ca-3_prm_1">
-            <select how-many="one or more">
-               <choice>interconnection security agreements</choice>
-               <choice>information exchange security agreements</choice>
-               <choice>memoranda of understanding or agreement</choice>
-               <choice>service level agreements</choice>
-               <choice>user agreements</choice>
-               <choice>nondisclosure agreements</choice>
-               <choice>
-                  <insert param-id="ca-3_prm_2"/>
-               </choice>
-            </select>
-         </param>
-         <param id="ca-3_prm_2" depends-on="ca-3_prm_1">
-            <label>organization-defined type of agreement</label>
-         </param>
-         <param id="ca-3_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-3</prop>
-         <prop name="sort-id">CA-03</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#2e66c31a-190e-49ad-8e00-f306f8a0df17">[SP 800-47]</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#au-16">AU-16</link>
-         <link rel="related" href="#ca-6">CA-6</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ca-3_smt">
-            <part name="item" id="ca-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Approve and manage the exchange of information between the system and other systems using <insert param-id="ca-3_prm_1"/>;</p>
-            </part>
-            <part name="item" id="ca-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and</p>
-            </part>
-            <part name="item" id="ca-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the agreements <insert param-id="ca-3_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ca-3_gdn">
-            <p>System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges associated with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization to organization communications. Organizations consider the risk related to new or increased threats, that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information as described in CA-6(1) or CA-6(2) may help to communicate and reduce risk.
-Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The type of agreement selected is based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged; how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements, or they can provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems sharing the same networks.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-3.1">
-            <title>Unclassified National Security System Connections</title>
-            <prop name="label">CA-3(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CA-03(01)</prop>
-            <link rel="moved-to" href="#sc-7.25">SC-7(25)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.2">
-            <title>Classified National Security System Connections</title>
-            <prop name="label">CA-3(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CA-03(02)</prop>
-            <link rel="moved-to" href="#sc-7.26">SC-7(26)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.3">
-            <title>Unclassified Non-national Security System Connections</title>
-            <prop name="label">CA-3(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CA-03(03)</prop>
-            <link rel="moved-to" href="#sc-7.27">SC-7(27)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.4">
-            <title>Connections to Public Networks</title>
-            <prop name="label">CA-3(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CA-03(04)</prop>
-            <link rel="moved-to" href="#sc-7.28">SC-7(28)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.5">
-            <title>Restrictions on External System Connections</title>
-            <prop name="label">CA-3(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CA-03(05)</prop>
-            <link rel="moved-to" href="#sc-7.5">SC-7(5)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.6">
-            <title>Transfer Authorizations</title>
-            <prop name="label">CA-3(6)</prop>
-            <prop name="sort-id">CA-03(06)</prop>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <part name="statement" id="ca-3.6_smt">
-               <p>Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.</p>
-            </part>
-            <part name="guidance" id="ca-3.6_gdn">
-               <p>To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies via independent means, whether the individual or system attempting to transfer information is authorized to do so. This control enhancement also applies to control plane traffic (e.g., routing and DNS) and services such as authenticated SMTP relays.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-3.7">
-            <title>Transitive Information Exchanges</title>
-            <prop name="label">CA-3(7)</prop>
-            <prop name="sort-id">CA-03(07)</prop>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <part name="statement" id="ca-3.7_smt">
-               <part name="item" id="ca-3.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and</p>
-               </part>
-               <part name="item" id="ca-3.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ca-3.7_gdn">
-               <p>Transitive or “downstream” information exchanges are information exchanges between the system or systems with which the organizational system exchanges information and other systems. For mission essential systems, services, and applications, including high value assets, it is necessary to identify such information exchanges. The transparency of the controls or protection measures in place in such downstream systems connected directly or indirectly to organizational systems is essential in understanding the security and privacy risks resulting from those interconnections. Organizational systems can inherit risk from downstream systems through transitive connections and information exchanges which can make the organizational systems more susceptible to threats, hazards, and adverse impacts.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-4">
-         <title>Security Certification</title>
-         <prop name="label">CA-4</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">CA-04</prop>
-         <link rel="incorporated-into" href="#ca-2">CA-2</link>
-      </control>
-      <control class="SP800-53" id="ca-5">
-         <title>Plan of Action and Milestones</title>
-         <param id="ca-5_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-5</prop>
-         <prop name="sort-id">CA-05</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#pm-4">PM-4</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ca-5_smt">
-            <part name="item" id="ca-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and</p>
-            </part>
-            <part name="item" id="ca-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Update existing plan of action and milestones <insert param-id="ca-5_prm_1"/> based on the findings from control assessments, audits, and continuous monitoring activities.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ca-5_gdn">
-            <p>Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and are subject to federal reporting requirements established by OMB.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-5.1">
-            <title>Automation Support for Accuracy and Currency</title>
-            <param id="ca-5.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">CA-5(1)</prop>
-            <prop name="sort-id">CA-05(01)</prop>
-            <part name="statement" id="ca-5.1_smt">
-               <p>Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using <insert param-id="ca-5.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ca-5.1_gdn">
-               <p>Using automated tools helps to maintain the accuracy, currency, and availability of the plan of action and milestones and facilitates the coordination and sharing of security and privacy information throughout the organization. Such coordination and information sharing helps to identify systemic weaknesses or deficiencies in organizational systems and ensure that appropriate resources are directed at the most critical system vulnerabilities in a timely manner.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-6">
-         <title>Authorization</title>
-         <param id="ca-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-6</prop>
-         <prop name="sort-id">CA-06</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-10">PM-10</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ca-6_smt">
-            <part name="item" id="ca-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Assign a senior official as the authorizing official for the system;</p>
-            </part>
-            <part name="item" id="ca-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;</p>
-            </part>
-            <part name="item" id="ca-6_smt.c">
-               <prop name="label">c.</prop>
-               <p>Ensure that the authorizing official for the system, before commencing operations:</p>
-               <part name="item" id="ca-6_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Accepts the use of common controls inherited by the system; and</p>
-               </part>
-               <part name="item" id="ca-6_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Authorizes the system to operate;</p>
-               </part>
-            </part>
-            <part name="item" id="ca-6_smt.d">
-               <prop name="label">d.</prop>
-               <p>Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;</p>
-            </part>
-            <part name="item" id="ca-6_smt.e">
-               <prop name="label">e.</prop>
-               <p>Update the authorizations <insert param-id="ca-6_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ca-6_gdn">
-            <p>Authorizations are official management decisions by senior officials to authorize operation of systems, to authorize the use of common controls for inheritance by organizational systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and for common controls or assume responsibility for the mission and business operations supported by those systems or common controls. The authorization process is a federal responsibility and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.
-Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., the security and privacy plans, assessment reports, and plans of action and milestones), is updated on an ongoing basis. This provides authorizing officials, system owners, and common control providers with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-6.1">
-            <title>Joint Authorization — Intra-organization</title>
-            <prop name="label">CA-6(1)</prop>
-            <prop name="sort-id">CA-06(01)</prop>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="ca-6.1_smt">
-               <p>Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.</p>
-            </part>
-            <part name="guidance" id="ca-6.1_gdn">
-               <p>Assigning multiple authorizing officials from the same organization to serve as co-authorizing officials for the system, increases the level of independence in the risk-based decision-making process. It also implements the concepts of separation of duties and dual authorization as applied to the system authorization process. The intra-organization joint authorization process is most relevant for connected systems, shared systems, and systems with multiple information owners.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-6.2">
-            <title>Joint Authorization — Inter-organization</title>
-            <prop name="label">CA-6(2)</prop>
-            <prop name="sort-id">CA-06(02)</prop>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="ca-6.2_smt">
-               <p>Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.</p>
-            </part>
-            <part name="guidance" id="ca-6.2_gdn">
-               <p>Assigning multiple authorizing officials, at least one of which comes from an external organization, to serve as co-authorizing officials for the system, increases the level of independence in the risk-based decision-making process. It implements the concepts of separation of duties and dual authorization as applied to the system authorization process. Employing authorizing officials from external organizations to supplement the authorizing official from the organization owning or hosting the system may be necessary when the external organizations have a vested interest or equities in the outcome of the authorization decision. The inter-organization joint authorization process is relevant and appropriate for connected systems, shared systems or services, and systems with multiple information owners. The authorizing officials from the external organizations are key stakeholders of the system undergoing authorization.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-7">
-         <title>Continuous Monitoring</title>
-         <param id="ca-7_prm_1">
-            <label>organization-defined system-level metrics</label>
-         </param>
-         <param id="ca-7_prm_2">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_3">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="ca-7_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ca-7_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-7</prop>
-         <prop name="sort-id">CA-07</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#5db6dfe4-788e-4183-93b9-f6fb29d75e41">[SP 800-53A]</link>
-         <link rel="reference" href="#a6b97214-55d4-4b86-a3a4-53d5911d96f7">[SP 800-115]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="reference" href="#851b5ba4-6aa0-4583-857c-4c360cbdf2a0">[IR 8011 v1]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#at-4">AT-4</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-13">AU-13</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-5">CA-5</link>
-         <link rel="related" href="#ca-6">CA-6</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ir-5">IR-5</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-6">PE-6</link>
-         <link rel="related" href="#pe-14">PE-14</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <link rel="related" href="#pe-20">PE-20</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-4">PM-4</link>
-         <link rel="related" href="#pm-6">PM-6</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-10">PM-10</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#pm-14">PM-14</link>
-         <link rel="related" href="#pm-23">PM-23</link>
-         <link rel="related" href="#pm-28">PM-28</link>
-         <link rel="related" href="#pm-31">PM-31</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-18">SC-18</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#sc-43">SC-43</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <part name="statement" id="ca-7_smt">
-            <p>Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:</p>
-            <part name="item" id="ca-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establishing the following system-level metrics to be monitored: <insert param-id="ca-7_prm_1"/>;</p>
-            </part>
-            <part name="item" id="ca-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Establishing <insert param-id="ca-7_prm_2"/> for monitoring and <insert param-id="ca-7_prm_3"/> for assessment of control effectiveness;</p>
-            </part>
-            <part name="item" id="ca-7_smt.c">
-               <prop name="label">c.</prop>
-               <p>Ongoing control assessments in accordance with the continuous monitoring strategy;</p>
-            </part>
-            <part name="item" id="ca-7_smt.d">
-               <prop name="label">d.</prop>
-               <p>Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;</p>
-            </part>
-            <part name="item" id="ca-7_smt.e">
-               <prop name="label">e.</prop>
-               <p>Correlation and analysis of information generated by control assessments and monitoring;</p>
-            </part>
-            <part name="item" id="ca-7_smt.f">
-               <prop name="label">f.</prop>
-               <p>Response actions to address results of the analysis of control assessment and monitoring information; and</p>
-            </part>
-            <part name="item" id="ca-7_smt.g">
-               <prop name="label">g.</prop>
-               <p>Reporting the security and privacy status of the system to <insert param-id="ca-7_prm_4"/>
-                  <insert param-id="ca-7_prm_5"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ca-7_gdn">
-            <p>Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.
-Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-7.1">
-            <title>Independent Assessment</title>
-            <prop name="label">CA-7(1)</prop>
-            <prop name="sort-id">CA-07(01)</prop>
-            <part name="statement" id="ca-7.1_smt">
-               <p>Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.</p>
-            </part>
-            <part name="guidance" id="ca-7.1_gdn">
-               <p>Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted; assess their own work; act as management or employees of the organizations they are serving; or place themselves in advocacy positions for the organizations acquiring their services.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-7.2">
-            <title>Types of Assessments</title>
-            <prop name="label">CA-7(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CA-07(02)</prop>
-            <link rel="incorporated-into" href="#ca-2">CA-2</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-7.3">
-            <title>Trend Analyses</title>
-            <prop name="label">CA-7(3)</prop>
-            <prop name="sort-id">CA-07(03)</prop>
-            <part name="statement" id="ca-7.3_smt">
-               <p>Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.</p>
-            </part>
-            <part name="guidance" id="ca-7.3_gdn">
-               <p>Trend analyses include examining recent threat information addressing the types of threat events that have occurred within the organization or the federal government; success rates of certain types of attacks; emerging vulnerabilities in technologies; evolving social engineering techniques; the effectiveness of configuration settings; results from multiple control assessments; and findings from Inspectors General or auditors.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-7.4">
-            <title>Risk Monitoring</title>
-            <prop name="label">CA-7(4)</prop>
-            <prop name="sort-id">CA-07(04)</prop>
-            <part name="statement" id="ca-7.4_smt">
-               <p>Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:</p>
-               <part name="item" id="ca-7.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Effectiveness monitoring;</p>
-               </part>
-               <part name="item" id="ca-7.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Compliance monitoring; and</p>
-               </part>
-               <part name="item" id="ca-7.4_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Change monitoring.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ca-7.4_gdn">
-               <p>Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-7.5">
-            <title>Consistency Analysis</title>
-            <param id="ca-7.5_prm_1">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">CA-7(5)</prop>
-            <prop name="sort-id">CA-07(05)</prop>
-            <part name="statement" id="ca-7.5_smt">
-               <p>Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: <insert param-id="ca-7.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ca-7.5_gdn">
-               <p>Security and privacy controls are often added incrementally to a system. As a result, policies for selecting and implementing controls may be inconsistent and the controls could fail to work together in a consistent or coordinated manner. At a minimum, the lack of consistency and coordination could mean that there are unacceptable security and privacy gaps in the system. At worst, it could mean that some of the controls implemented in one location or by one component are actually impeding the functionality of other controls (e.g., encrypting internal network traffic can impede monitoring). Or in other situations, failing to consistently monitor all implemented network protocols (e.g., a dual stack of IPv4 and IPv6) may create unintended vulnerabilities in the system that could be exploited by adversaries. It is important to validate through testing, monitoring, and analysis that the implemented controls are operating in a consistent, coordinated, non-interfering manner.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-8">
-         <title>Penetration Testing</title>
-         <param id="ca-8_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ca-8_prm_2">
-            <label>organization-defined systems or system components</label>
-         </param>
-         <prop name="label">CA-8</prop>
-         <prop name="sort-id">CA-08</prop>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <part name="statement" id="ca-8_smt">
-            <p>Conduct penetration testing <insert param-id="ca-8_prm_1"/> on <insert param-id="ca-8_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="ca-8_gdn">
-            <p>Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries in carrying out attacks and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).
-Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes pretest analysis based on full knowledge of the system; pretest identification of potential vulnerabilities based on pretest analysis; and testing designed to determine exploitability of vulnerabilities. All parties agree to the rules of engagement before commencement of penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-8.1">
-            <title>Independent Penetration Testing Agent or Team</title>
-            <prop name="label">CA-8(1)</prop>
-            <prop name="sort-id">CA-08(01)</prop>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <part name="statement" id="ca-8.1_smt">
-               <p>Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.</p>
-            </part>
-            <part name="guidance" id="ca-8.1_gdn">
-               <p>Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-8.2">
-            <title>Red Team Exercises</title>
-            <param id="ca-8.2_prm_1">
-               <label>organization-defined red team exercises</label>
-            </param>
-            <prop name="label">CA-8(2)</prop>
-            <prop name="sort-id">CA-08(02)</prop>
-            <part name="statement" id="ca-8.2_smt">
-               <p>Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: <insert param-id="ca-8.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ca-8.2_gdn">
-               <p>Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise missions and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ca-8.3">
-            <title>Facility Penetration Testing</title>
-            <param id="ca-8.3_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="ca-8.3_prm_2">
-               <select>
-                  <choice>announced</choice>
-                  <choice>unannounced</choice>
-               </select>
-            </param>
-            <prop name="label">CA-8(3)</prop>
-            <prop name="sort-id">CA-08(03)</prop>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <part name="statement" id="ca-8.3_smt">
-               <p>Employ a penetration testing process that includes <insert param-id="ca-8.3_prm_1"/>
-                  <insert param-id="ca-8.3_prm_2"/> attempts to bypass or circumvent controls associated with physical access points to the facility.</p>
-            </part>
-            <part name="guidance" id="ca-8.3_gdn">
-               <p>Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ca-9">
-         <title>Internal System Connections</title>
-         <param id="ca-9_prm_1">
-            <label>organization-defined system components or classes of components</label>
-         </param>
-         <param id="ca-9_prm_2">
-            <label>organization-defined conditions</label>
-         </param>
-         <param id="ca-9_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CA-9</prop>
-         <prop name="sort-id">CA-09</prop>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="reference" href="#7e7538d7-9c3a-4e5f-bbb4-638cec975415">[IR 8023]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ca-9_smt">
-            <part name="item" id="ca-9_smt.a">
-               <prop name="label">a.</prop>
-               <p>Authorize internal connections of <insert param-id="ca-9_prm_1"/> to the system;</p>
-            </part>
-            <part name="item" id="ca-9_smt.b">
-               <prop name="label">b.</prop>
-               <p>Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;</p>
-            </part>
-            <part name="item" id="ca-9_smt.c">
-               <prop name="label">c.</prop>
-               <p>Terminate internal system connections after <insert param-id="ca-9_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="ca-9_smt.d">
-               <prop name="label">d.</prop>
-               <p>Review <insert param-id="ca-9_prm_3"/> the continued need for each internal connection.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ca-9_gdn">
-            <p>Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system). Intra-system connections include connections with mobile devices, notebook and desktop computers, workstations, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal system connection, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability; or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ca-9.1">
-            <title>Compliance Checks</title>
-            <prop name="label">CA-9(1)</prop>
-            <prop name="sort-id">CA-09(01)</prop>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <part name="statement" id="ca-9.1_smt">
-               <p>Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.</p>
-            </part>
-            <part name="guidance" id="ca-9.1_gdn">
-               <p>Compliance checks include verification of the relevant baseline configuration.</p>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="cm">
-      <title>Configuration Management</title>
-      <control class="SP800-53" id="cm-1">
-         <title>Policy and Procedures</title>
-         <param id="cm-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cm-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="cm-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="cm-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cm-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CM-1</prop>
-         <prop name="sort-id">CM-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="cm-1_smt">
-            <part name="item" id="cm-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="cm-1_prm_1"/>:</p>
-               <part name="item" id="cm-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="cm-1_prm_2"/> configuration management policy that:</p>
-                  <part name="item" id="cm-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="cm-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="cm-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;</p>
-               </part>
-            </part>
-            <part name="item" id="cm-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="cm-1_prm_3"/> to manage the development, documentation, and dissemination of the configuration management policy and procedures; and</p>
-            </part>
-            <part name="item" id="cm-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current configuration management:</p>
-               <part name="item" id="cm-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="cm-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="cm-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="cm-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="cm-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the CM family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cm-2">
-         <title>Baseline Configuration</title>
-         <param id="cm-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cm-2_prm_2">
-            <label>Assignment organization-defined circumstances</label>
-         </param>
-         <prop name="label">CM-2</prop>
-         <prop name="sort-id">CM-02</prop>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="reference" href="#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">[SP 800-128]</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#ca-9">CA-9</link>
-         <link rel="related" href="#cm-1">CM-1</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#cm-9">CM-9</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#cp-12">CP-12</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pm-5">PM-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sc-18">SC-18</link>
-         <part name="statement" id="cm-2_smt">
-            <part name="item" id="cm-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and maintain under configuration control, a current baseline configuration of the system; and</p>
-            </part>
-            <part name="item" id="cm-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review and update the baseline configuration of the system:</p>
-               <part name="item" id="cm-2_smt.b.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="cm-2_prm_1"/>;</p>
-               </part>
-               <part name="item" id="cm-2_smt.b.2">
-                  <prop name="label">2.</prop>
-                  <p>When required due to <insert param-id="cm-2_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="cm-2_smt.b.3">
-                  <prop name="label">3.</prop>
-                  <p>When system components are installed or upgraded.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="cm-2_gdn">
-            <p>Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-2.1">
-            <title>Reviews and Updates</title>
-            <prop name="label">CM-2(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CM-02(01)</prop>
-            <link rel="incorporated-into" href="#cm-2">CM-2</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.2">
-            <title>Automation Support for Accuracy and Currency</title>
-            <param id="cm-2.2_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">CM-2(2)</prop>
-            <prop name="sort-id">CM-02(02)</prop>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <part name="statement" id="cm-2.2_smt">
-               <p>Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using <insert param-id="cm-2.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-2.2_gdn">
-               <p>Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, and firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission/business process level or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.3">
-            <title>Retention of Previous Configurations</title>
-            <param id="cm-2.3_prm_1">
-               <label>organization-defined number</label>
-            </param>
-            <prop name="label">CM-2(3)</prop>
-            <prop name="sort-id">CM-02(03)</prop>
-            <part name="statement" id="cm-2.3_smt">
-               <p>Retain <insert param-id="cm-2.3_prm_1"/> of previous versions of baseline configurations of the system to support rollback.</p>
-            </part>
-            <part name="guidance" id="cm-2.3_gdn">
-               <p>Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, and configuration records.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.4">
-            <title>Unauthorized Software</title>
-            <prop name="label">CM-2(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CM-02(04)</prop>
-            <link rel="incorporated-into" href="#cm-7.4">CM-7(4)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.5">
-            <title>Authorized Software</title>
-            <prop name="label">CM-2(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CM-02(05)</prop>
-            <link rel="incorporated-into" href="#cm-7.5">CM-7(5)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.6">
-            <title>Development and Test Environments</title>
-            <prop name="label">CM-2(6)</prop>
-            <prop name="sort-id">CM-02(06)</prop>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <part name="statement" id="cm-2.6_smt">
-               <p>Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.</p>
-            </part>
-            <part name="guidance" id="cm-2.6_gdn">
-               <p>Establishing separate baseline configurations for development, testing, and operational environments protects systems from unplanned or unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, the management of operational configurations typically emphasizes the need for stability, while the management of development or test configurations requires greater flexibility. Configurations in the test environment mirror configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. Separate baseline configurations does not necessarily require separate physical environments.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-2.7">
-            <title>Configure Systems and Components for High-risk Areas</title>
-            <param id="cm-2.7_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <param id="cm-2.7_prm_2">
-               <label>organization-defined configurations</label>
-            </param>
-            <param id="cm-2.7_prm_3">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">CM-2(7)</prop>
-            <prop name="sort-id">CM-02(07)</prop>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <part name="statement" id="cm-2.7_smt">
-               <part name="item" id="cm-2.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Issue <insert param-id="cm-2.7_prm_1"/> with <insert param-id="cm-2.7_prm_2"/> to individuals traveling to locations that the organization deems to be of significant risk; and</p>
-               </part>
-               <part name="item" id="cm-2.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Apply the following controls to the systems or components when the individuals return from travel: <insert param-id="cm-2.7_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-2.7_gdn">
-               <p>When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-3">
-         <title>Configuration Change Control</title>
-         <param id="cm-3_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="cm-3_prm_2">
-            <label>organization-defined configuration change control element</label>
-         </param>
-         <param id="cm-3_prm_3">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="cm-3_prm_4"/>
-               </choice>
-               <choice>when <insert param-id="cm-3_prm_5"/>
-               </choice>
-            </select>
-         </param>
-         <param id="cm-3_prm_4" depends-on="cm-3_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cm-3_prm_5" depends-on="cm-3_prm_3">
-            <label>organization-defined configuration change conditions</label>
-         </param>
-         <prop name="label">CM-3</prop>
-         <prop name="sort-id">CM-03</prop>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="reference" href="#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">[SP 800-128]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-9">CM-9</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <link rel="related" href="#pt-7">PT-7</link>
-         <link rel="related" href="#ra-8">RA-8</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#sc-37">SC-37</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#si-10">SI-10</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="cm-3_smt">
-            <part name="item" id="cm-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Determine and document the types of changes to the system that are configuration-controlled;</p>
-            </part>
-            <part name="item" id="cm-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;</p>
-            </part>
-            <part name="item" id="cm-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Document configuration change decisions associated with the system;</p>
-            </part>
-            <part name="item" id="cm-3_smt.d">
-               <prop name="label">d.</prop>
-               <p>Implement approved configuration-controlled changes to the system;</p>
-            </part>
-            <part name="item" id="cm-3_smt.e">
-               <prop name="label">e.</prop>
-               <p>Retain records of configuration-controlled changes to the system for <insert param-id="cm-3_prm_1"/>;</p>
-            </part>
-            <part name="item" id="cm-3_smt.f">
-               <prop name="label">f.</prop>
-               <p>Monitor and review activities associated with configuration-controlled changes to the system; and</p>
-            </part>
-            <part name="item" id="cm-3_smt.g">
-               <prop name="label">g.</prop>
-               <p>Coordinate and provide oversight for configuration change control activities through <insert param-id="cm-3_prm_2"/> that convenes <insert param-id="cm-3_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cm-3_gdn">
-            <p>Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations and configuration items of systems; changes to operational procedures; changes to configuration settings for system components; unscheduled or unauthorized changes; and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes impacting privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-3.1">
-            <title>Automated Documentation, Notification, and Prohibition of Changes</title>
-            <param id="cm-3.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <param id="cm-3.1_prm_2">
-               <label>organization-defined approval authorities</label>
-            </param>
-            <param id="cm-3.1_prm_3">
-               <label>organization-defined time-period</label>
-            </param>
-            <param id="cm-3.1_prm_4">
-               <label>organization-defined personnel</label>
-            </param>
-            <prop name="label">CM-3(1)</prop>
-            <prop name="sort-id">CM-03(01)</prop>
-            <part name="statement" id="cm-3.1_smt">
-               <p>Use <insert param-id="cm-3.1_prm_1"/> to:</p>
-               <part name="item" id="cm-3.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Document proposed changes to the system;</p>
-               </part>
-               <part name="item" id="cm-3.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Notify <insert param-id="cm-3.1_prm_2"/> of proposed changes to the system and request change approval;</p>
-               </part>
-               <part name="item" id="cm-3.1_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Highlight proposed changes to the system that have not been approved or disapproved within <insert param-id="cm-3.1_prm_3"/>;</p>
-               </part>
-               <part name="item" id="cm-3.1_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Prohibit changes to the system until designated approvals are received;</p>
-               </part>
-               <part name="item" id="cm-3.1_smt.e">
-                  <prop name="label">(e)</prop>
-                  <p>Document all changes to the system; and</p>
-               </part>
-               <part name="item" id="cm-3.1_smt.f">
-                  <prop name="label">(f)</prop>
-                  <p>Notify <insert param-id="cm-3.1_prm_4"/> when approved changes to the system are completed.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-3.1_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.2">
-            <title>Testing, Validation, and Documentation of Changes</title>
-            <prop name="label">CM-3(2)</prop>
-            <prop name="sort-id">CM-03(02)</prop>
-            <part name="statement" id="cm-3.2_smt">
-               <p>Test, validate, and document changes to the system before finalizing the implementation of the changes.</p>
-            </part>
-            <part name="guidance" id="cm-3.2_gdn">
-               <p>Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations supporting organizational missions and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.3">
-            <title>Automated Change Implementation</title>
-            <param id="cm-3.3_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">CM-3(3)</prop>
-            <prop name="sort-id">CM-03(03)</prop>
-            <part name="statement" id="cm-3.3_smt">
-               <p>Implement changes to the current system baseline and deploy the updated baseline across the installed base using <insert param-id="cm-3.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-3.3_gdn">
-               <p>Automated tools (e.g., Security Information and Event Management tools) can improve the accuracy, consistency, and availability of configuration baseline information. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision making within the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.4">
-            <title>Security and Privacy Representatives</title>
-            <param id="cm-3.4_prm_1">
-               <label>organization-defined security and privacy representatives</label>
-            </param>
-            <param id="cm-3.4_prm_2">
-               <label>organization-defined configuration change control element</label>
-            </param>
-            <prop name="label">CM-3(4)</prop>
-            <prop name="sort-id">CM-03(04)</prop>
-            <part name="statement" id="cm-3.4_smt">
-               <p>Require <insert param-id="cm-3.4_prm_1"/> to be members of the <insert param-id="cm-3.4_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="cm-3.4_gdn">
-               <p>Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.5">
-            <title>Automated Security Response</title>
-            <param id="cm-3.5_prm_1">
-               <label>organization-defined security responses</label>
-            </param>
-            <prop name="label">CM-3(5)</prop>
-            <prop name="sort-id">CM-03(05)</prop>
-            <part name="statement" id="cm-3.5_smt">
-               <p>Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: <insert param-id="cm-3.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-3.5_gdn">
-               <p>Automated security responses include halting selected system functions, halting system processing, or issuing alerts or notifications to organizational personnel when there is an unauthorized modification of a configuration item.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.6">
-            <title>Cryptography Management</title>
-            <param id="cm-3.6_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">CM-3(6)</prop>
-            <prop name="sort-id">CM-03(06)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <part name="statement" id="cm-3.6_smt">
-               <p>Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: <insert param-id="cm-3.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-3.6_gdn">
-               <p>The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.7">
-            <title>Review System Changes</title>
-            <param id="cm-3.7_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="cm-3.7_prm_2">
-               <label>organization-defined circumstances</label>
-            </param>
-            <prop name="label">CM-3(7)</prop>
-            <prop name="sort-id">CM-03(07)</prop>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <part name="statement" id="cm-3.7_smt">
-               <p>Review changes to the system <insert param-id="cm-3.7_prm_1"/> or when <insert param-id="cm-3.7_prm_2"/> to determine whether unauthorized changes have occurred.</p>
-            </part>
-            <part name="guidance" id="cm-3.7_gdn">
-               <p>Indications that warrant review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-3.8">
-            <title>Prevent or Restrict Configuration Changes</title>
-            <param id="cm-3.8_prm_1">
-               <label>organization-defined circumstances</label>
-            </param>
-            <prop name="label">CM-3(8)</prop>
-            <prop name="sort-id">CM-03(08)</prop>
-            <part name="statement" id="cm-3.8_smt">
-               <p>Prevent or restrict changes to the configuration of the system under the following circumstances: <insert param-id="cm-3.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-3.8_gdn">
-               <p>System configuration changes made in an ad hoc manner or in uncontrolled environments can adversely affect critical system security and privacy functionality. Change restrictions can be enforced through automated mechanisms.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-4">
-         <title>Impact Analyses</title>
-         <prop name="label">CM-4</prop>
-         <prop name="sort-id">CM-04</prop>
-         <link rel="reference" href="#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">[SP 800-128]</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#cm-9">CM-9</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <part name="statement" id="cm-4_smt">
-            <p>Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.</p>
-         </part>
-         <part name="guidance" id="cm-4_gdn">
-            <p>Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing with stakeholders the impact of changes on organizational supply chain partners; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and to determine if additional controls are required.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-4.1">
-            <title>Separate Test Environments</title>
-            <prop name="label">CM-4(1)</prop>
-            <prop name="sort-id">CM-04(01)</prop>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <part name="statement" id="cm-4.1_smt">
-               <p>Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.</p>
-            </part>
-            <part name="guidance" id="cm-4.1_gdn">
-               <p>A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-4.2">
-            <title>Verification of Controls</title>
-            <prop name="label">CM-4(2)</prop>
-            <prop name="sort-id">CM-04(02)</prop>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <link rel="related" href="#si-6">SI-6</link>
-            <part name="statement" id="cm-4.2_smt">
-               <p>After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.</p>
-            </part>
-            <part name="guidance" id="cm-4.2_gdn">
-               <p>Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-5">
-         <title>Access Restrictions for Change</title>
-         <prop name="label">CM-5</prop>
-         <prop name="sort-id">CM-05</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-5">AC-5</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#cm-9">CM-9</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#sc-37">SC-37</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#si-10">SI-10</link>
-         <part name="statement" id="cm-5_smt">
-            <p>Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.</p>
-         </part>
-         <part name="guidance" id="cm-5_gdn">
-            <p>Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system, can potentially have significant effects on the security of the systems or individual privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-5.1">
-            <title>Automated Access Enforcement and Audit Records</title>
-            <param id="cm-5.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">CM-5(1)</prop>
-            <prop name="sort-id">CM-05(01)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#si-12">SI-12</link>
-            <part name="statement" id="cm-5.1_smt">
-               <part name="item" id="cm-5.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Enforce access restrictions using <insert param-id="cm-5.1_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="cm-5.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Automatically generate audit records of the enforcement actions.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-5.1_gdn">
-               <p>Organizations log access records associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.2">
-            <title>Review System Changes</title>
-            <prop name="label">CM-5(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CM-05(02)</prop>
-            <link rel="incorporated-into" href="#cm-3.7">CM-3(7)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.3">
-            <title>Signed Components</title>
-            <param id="cm-5.3_prm_1">
-               <label>organization-defined software and firmware components</label>
-            </param>
-            <prop name="label">CM-5(3)</prop>
-            <prop name="sort-id">CM-05(03)</prop>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="cm-5.3_smt">
-               <p>Prevent the installation of <insert param-id="cm-5.3_prm_1"/> without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.</p>
-            </part>
-            <part name="guidance" id="cm-5.3_gdn">
-               <p>Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.4">
-            <title>Dual Authorization</title>
-            <param id="cm-5.4_prm_1">
-               <label>organization-defined system components and system-level information</label>
-            </param>
-            <prop name="label">CM-5(4)</prop>
-            <prop name="sort-id">CM-05(04)</prop>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <part name="statement" id="cm-5.4_smt">
-               <p>Enforce dual authorization for implementing changes to <insert param-id="cm-5.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-5.4_gdn">
-               <p>Organizations employ dual authorization to help ensure that any changes to selected system components and information cannot occur unless two qualified individuals approve and implement such changes. The two individuals possess the skills and expertise to determine if the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.5">
-            <title>Privilege Limitation for Production and Operation</title>
-            <param id="cm-5.5_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CM-5(5)</prop>
-            <prop name="sort-id">CM-05(05)</prop>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <part name="statement" id="cm-5.5_smt">
-               <part name="item" id="cm-5.5_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Limit privileges to change system components and system-related information within a production or operational environment; and</p>
-               </part>
-               <part name="item" id="cm-5.5_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Review and reevaluate privileges <insert param-id="cm-5.5_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-5.5_gdn">
-               <p>In many organizations, systems support multiple missions and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are in some cases, unknown to developers. System-related information includes operational procedures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.6">
-            <title>Limit Library Privileges</title>
-            <prop name="label">CM-5(6)</prop>
-            <prop name="sort-id">CM-05(06)</prop>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <part name="statement" id="cm-5.6_smt">
-               <p>Limit privileges to change software resident within software libraries.</p>
-            </part>
-            <part name="guidance" id="cm-5.6_gdn">
-               <p>Software libraries include privileged programs.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-5.7">
-            <title>Automatic Implementation of Security Safeguards</title>
-            <prop name="label">CM-5(7)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CM-05(07)</prop>
-            <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-6">
-         <title>Configuration Settings</title>
-         <param id="cm-6_prm_1">
-            <label>organization-defined common secure configurations</label>
-         </param>
-         <param id="cm-6_prm_2">
-            <label>organization-defined system components</label>
-         </param>
-         <param id="cm-6_prm_3">
-            <label>organization-defined operational requirements</label>
-         </param>
-         <prop name="label">CM-6</prop>
-         <prop name="sort-id">CM-06</prop>
-         <link rel="reference" href="#14a7d982-9747-48e0-a877-3e8fbf6ae381">[SP 800-70]</link>
-         <link rel="reference" href="#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f">[SP 800-126]</link>
-         <link rel="reference" href="#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">[SP 800-128]</link>
-         <link rel="reference" href="#06842bea-64c9-4e20-807a-b8fc003fa737">[USGCB]</link>
-         <link rel="reference" href="#5cc04a1c-5489-4751-a493-746a9639067b">[NCPR]</link>
-         <link rel="reference" href="#294eed19-7471-4517-9480-2ec73e7c6a78">[DOD STIG]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#ca-9">CA-9</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sc-18">SC-18</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-43">SC-43</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-6">SI-6</link>
-         <part name="statement" id="cm-6_smt">
-            <part name="item" id="cm-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish and document configuration settings for components employed within the system using <insert param-id="cm-6_prm_1"/> that reflect the most restrictive mode consistent with operational requirements;</p>
-            </part>
-            <part name="item" id="cm-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Implement the configuration settings;</p>
-            </part>
-            <part name="item" id="cm-6_smt.c">
-               <prop name="label">c.</prop>
-               <p>Identify, document, and approve any deviations from established configuration settings for <insert param-id="cm-6_prm_2"/> based on <insert param-id="cm-6_prm_3"/>; and</p>
-            </part>
-            <part name="item" id="cm-6_smt.d">
-               <prop name="label">d.</prop>
-               <p>Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cm-6_gdn">
-            <p>Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Security parameters are parameters impacting the security posture of systems, including the parameters required to satisfy other security control requirements. Security parameters include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.
-Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.
-Implementation of a common secure configuration may be mandated at the organization level, mission/business process level, or system level, or may be mandated at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-6.1">
-            <title>Automated Management, Application, and Verification</title>
-            <param id="cm-6.1_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="cm-6.1_prm_2">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">CM-6(1)</prop>
-            <prop name="sort-id">CM-06(01)</prop>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <part name="statement" id="cm-6.1_smt">
-               <p>Centrally manage, apply, and verify configuration settings for <insert param-id="cm-6.1_prm_1"/> using <insert param-id="cm-6.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="cm-6.1_gdn">
-               <p>Automated tools (e.g., security information and event management tools or enterprise security monitoring tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision making within the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-6.2">
-            <title>Respond to Unauthorized Changes</title>
-            <param id="cm-6.2_prm_1">
-               <label>organization-defined configuration settings</label>
-            </param>
-            <param id="cm-6.2_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">CM-6(2)</prop>
-            <prop name="sort-id">CM-06(02)</prop>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-6">IR-6</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="cm-6.2_smt">
-               <p>Take the following actions in response to unauthorized changes to <insert param-id="cm-6.2_prm_1"/>: <insert param-id="cm-6.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="cm-6.2_gdn">
-               <p>Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected system processing.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-6.3">
-            <title>Unauthorized Change Detection</title>
-            <prop name="label">CM-6(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CM-06(03)</prop>
-            <link rel="incorporated-into" href="#si-7">SI-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-6.4">
-            <title>Conformance Demonstration</title>
-            <prop name="label">CM-6(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CM-06(04)</prop>
-            <link rel="incorporated-into" href="#cm-4">CM-4</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-7">
-         <title>Least Functionality</title>
-         <param id="cm-7_prm_1">
-            <label>organization-defined mission essential capabilities</label>
-         </param>
-         <param id="cm-7_prm_2">
-            <label>organization-defined prohibited or restricted functions, ports, protocols, software, and/or services</label>
-         </param>
-         <prop name="label">CM-7</prop>
-         <prop name="sort-id">CM-07</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd">[FIPS 180-4]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="reference" href="#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">[FIPS 202]</link>
-         <link rel="reference" href="#893d1736-324c-41d6-a5f4-d526b5ca981a">[SP 800-167]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-37">SC-37</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="cm-7_smt">
-            <part name="item" id="cm-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Configure the system to provide only <insert param-id="cm-7_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="cm-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: <insert param-id="cm-7_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cm-7_gdn">
-            <p>Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-7.1">
-            <title>Periodic Review</title>
-            <param id="cm-7.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="cm-7.1_prm_2">
-               <label>organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure</label>
-            </param>
-            <prop name="label">CM-7(1)</prop>
-            <prop name="sort-id">CM-07(01)</prop>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <part name="statement" id="cm-7.1_smt">
-               <part name="item" id="cm-7.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Review the system <insert param-id="cm-7.1_prm_1"/> to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and</p>
-               </part>
-               <part name="item" id="cm-7.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Disable or remove <insert param-id="cm-7.1_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-7.1_gdn">
-               <p>Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.2">
-            <title>Prevent Program Execution</title>
-            <param id="cm-7.2_prm_1">
-               <select how-many="one or more">
-                  <choice>
-                     <insert param-id="cm-7.2_prm_2"/>
-                  </choice>
-                  <choice>rules authorizing the terms and conditions of software program usage</choice>
-               </select>
-            </param>
-            <param id="cm-7.2_prm_2" depends-on="cm-7.2_prm_1">
-               <label>organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions</label>
-            </param>
-            <prop name="label">CM-7(2)</prop>
-            <prop name="sort-id">CM-07(02)</prop>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#pl-4">PL-4</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <part name="statement" id="cm-7.2_smt">
-               <p>Prevent program execution in accordance with <insert param-id="cm-7.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-7.2_gdn">
-               <p>Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements restricting software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features; restricting roles allowed to approve program execution; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.3">
-            <title>Registration Compliance</title>
-            <param id="cm-7.3_prm_1">
-               <label>organization-defined registration requirements for functions, ports, protocols, and services</label>
-            </param>
-            <prop name="label">CM-7(3)</prop>
-            <prop name="sort-id">CM-07(03)</prop>
-            <part name="statement" id="cm-7.3_smt">
-               <p>Ensure compliance with <insert param-id="cm-7.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-7.3_gdn">
-               <p>Organizations use the registration process to manage, track, and provide oversight for systems and implemented functions, ports, protocols, and services.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.4">
-            <title>Unauthorized Software — Blacklisting</title>
-            <param id="cm-7.4_prm_1">
-               <label>organization-defined software programs not authorized to execute on the system</label>
-            </param>
-            <param id="cm-7.4_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CM-7(4)</prop>
-            <prop name="sort-id">CM-07(04)</prop>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cm-10">CM-10</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <part name="statement" id="cm-7.4_smt">
-               <part name="item" id="cm-7.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Identify <insert param-id="cm-7.4_prm_1"/>;</p>
-               </part>
-               <part name="item" id="cm-7.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and</p>
-               </part>
-               <part name="item" id="cm-7.4_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Review and update the list of unauthorized software programs <insert param-id="cm-7.4_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-7.4_gdn">
-               <p>The process used to identify software programs or categories of software programs that are not authorized to execute on organizational systems is commonly referred to as blacklisting. Software programs identified can be limited to specific versions or from a specific source. The concept of blacklisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.5">
-            <title>Authorized Software — Whitelisting</title>
-            <param id="cm-7.5_prm_1">
-               <label>organization-defined software programs authorized to execute on the system</label>
-            </param>
-            <param id="cm-7.5_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CM-7(5)</prop>
-            <prop name="sort-id">CM-07(05)</prop>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cm-10">CM-10</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sc-34">SC-34</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="cm-7.5_smt">
-               <part name="item" id="cm-7.5_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Identify <insert param-id="cm-7.5_prm_1"/>;</p>
-               </part>
-               <part name="item" id="cm-7.5_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and</p>
-               </part>
-               <part name="item" id="cm-7.5_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Review and update the list of authorized software programs <insert param-id="cm-7.5_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-7.5_gdn">
-               <p>The process used to identify specific software programs or entire categories of software programs that are authorized to execute on organizational systems is commonly referred to as whitelisting. Software programs identified can be limited to specific versions or from a specific source. To facilitate comprehensive whitelisting and increase the strength of protection for attacks that bypass application level whitelisting, software programs may be decomposed into and monitored at different levels of detail. Software program levels of detail include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of whitelisting may also be applied to user actions, ports, IP addresses, and media access control (MAC) addresses. Organizations consider verifying the integrity of white-listed software programs using, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Whitelisting of URLs for websites is addressed in CA-3(5) and SC-7.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.6">
-            <title>Confined Environments with Limited Privileges</title>
-            <param id="cm-7.6_prm_1">
-               <label>organization-defined user-installed software</label>
-            </param>
-            <prop name="label">CM-7(6)</prop>
-            <prop name="sort-id">CM-07(06)</prop>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <part name="statement" id="cm-7.6_smt">
-               <p>Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: <insert param-id="cm-7.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-7.6_gdn">
-               <p>Organizations identify software that may be of concern regarding its origin or potential for containing malicious code. For this type of software, user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.7">
-            <title>Code Execution in Protected Environments</title>
-            <param id="cm-7.7_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">CM-7(7)</prop>
-            <prop name="sort-id">CM-07(07)</prop>
-            <link rel="related" href="#cm-10">CM-10</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <part name="statement" id="cm-7.7_smt">
-               <p>Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of <insert param-id="cm-7.7_prm_1"/> when such code is:</p>
-               <part name="item" id="cm-7.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Obtained from sources with limited or no warranty; and/or</p>
-               </part>
-               <part name="item" id="cm-7.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Without the provision of source code.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-7.7_gdn">
-               <p>This control enhancement applies to all sources of binary or machine-executable code, including commercial software and firmware and open source software.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-7.8">
-            <title>Binary or Machine Executable Code</title>
-            <prop name="label">CM-7(8)</prop>
-            <prop name="sort-id">CM-07(08)</prop>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-22">SA-22</link>
-            <part name="statement" id="cm-7.8_smt">
-               <part name="item" id="cm-7.8_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and</p>
-               </part>
-               <part name="item" id="cm-7.8_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-7.8_gdn">
-               <p>This control enhancement applies to all sources of binary or machine-executable code, including commercial software and firmware and open source software. Organizations assess software products without accompanying source code or from sources with limited or no warranty for potential security impacts. The assessments address the fact that software products without the provision of source code may be difficult to review, repair, or extend. In addition, there may be no owners to make such repairs on behalf of organizations. If open source software is used, the assessments address the fact that there is no warranty, the open source software could contain back doors or malware, and there may be no support available.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-8">
-         <title>System Component Inventory</title>
-         <param id="cm-8_prm_1">
-            <label>organization-defined information deemed necessary to achieve effective system component accountability</label>
-         </param>
-         <param id="cm-8_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CM-8</prop>
-         <prop name="sort-id">CM-08</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#770f9bdc-4023-48ef-8206-c65397f061ea">[SP 800-57-1]</link>
-         <link rel="reference" href="#69644a9e-438a-47c3-bac9-cf28b5baf848">[SP 800-57-2]</link>
-         <link rel="reference" href="#9933c883-e8f3-4a83-9a9a-d1e058038080">[SP 800-57-3]</link>
-         <link rel="reference" href="#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">[SP 800-128]</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#cm-9">CM-9</link>
-         <link rel="related" href="#cm-10">CM-10</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#cm-13">CM-13</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-6">MA-6</link>
-         <link rel="related" href="#pe-20">PE-20</link>
-         <link rel="related" href="#pm-5">PM-5</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <part name="statement" id="cm-8_smt">
-            <part name="item" id="cm-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop and document an inventory of system components that:</p>
-               <part name="item" id="cm-8_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Accurately reflects the system;</p>
-               </part>
-               <part name="item" id="cm-8_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Includes all components within the system;</p>
-               </part>
-               <part name="item" id="cm-8_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Is at the level of granularity deemed necessary for tracking and reporting; and</p>
-               </part>
-               <part name="item" id="cm-8_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Includes the following information to achieve system component accountability: <insert param-id="cm-8_prm_1"/>; and</p>
-               </part>
-            </part>
-            <part name="item" id="cm-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review and update the system component inventory <insert param-id="cm-8_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cm-8_gdn">
-            <p>System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type,  and physical location.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-8.1">
-            <title>Updates During Installation and Removal</title>
-            <prop name="label">CM-8(1)</prop>
-            <prop name="sort-id">CM-08(01)</prop>
-            <link rel="related" href="#pm-16">PM-16</link>
-            <part name="statement" id="cm-8.1_smt">
-               <p>Update the inventory of system components as part of component installations, removals, and system updates.</p>
-            </part>
-            <part name="guidance" id="cm-8.1_gdn">
-               <p>Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated routinely as part of component installations or removals, or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.2">
-            <title>Automated Maintenance</title>
-            <param id="cm-8.2_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">CM-8(2)</prop>
-            <prop name="sort-id">CM-08(02)</prop>
-            <part name="statement" id="cm-8.2_smt">
-               <p>Maintain the currency, completeness, accuracy, and availability of the inventory of system components using <insert param-id="cm-8.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-8.2_gdn">
-               <p>Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.3">
-            <title>Automated Unauthorized Component Detection</title>
-            <param id="cm-8.3_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <param id="cm-8.3_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="cm-8.3_prm_3">
-               <select how-many="one or more">
-                  <choice>disable network access by such components</choice>
-                  <choice>isolate the components</choice>
-                  <choice>notify <insert param-id="cm-8.3_prm_4"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="cm-8.3_prm_4" depends-on="cm-8.3_prm_3">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">CM-8(3)</prop>
-            <prop name="sort-id">CM-08(03)</prop>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <link rel="related" href="#sc-39">SC-39</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="cm-8.3_smt">
-               <part name="item" id="cm-8.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Detect the presence of unauthorized hardware, software, and firmware components within the system using <insert param-id="cm-8.3_prm_1"/>
-                     <insert param-id="cm-8.3_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="cm-8.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Take the following actions when unauthorized components are detected: <insert param-id="cm-8.3_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-8.3_gdn">
-               <p>Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.4">
-            <title>Accountability Information</title>
-            <param id="cm-8.4_prm_1">
-               <select how-many="one or more">
-                  <choice>name</choice>
-                  <choice>position</choice>
-                  <choice>role</choice>
-               </select>
-            </param>
-            <prop name="label">CM-8(4)</prop>
-            <prop name="sort-id">CM-08(04)</prop>
-            <part name="statement" id="cm-8.4_smt">
-               <p>Include in the system component inventory information, a means for identifying by <insert param-id="cm-8.4_prm_1"/>, individuals responsible and accountable for administering those components.</p>
-            </part>
-            <part name="guidance" id="cm-8.4_gdn">
-               <p>Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required, for example, the component is determined to be the source of a breach; the component needs to be recalled or replaced; or the component needs to be relocated.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.5">
-            <title>No Duplicate Accounting of Components</title>
-            <prop name="label">CM-8(5)</prop>
-            <prop name="sort-id">CM-08(05)</prop>
-            <part name="statement" id="cm-8.5_smt">
-               <part name="item" id="cm-8.5_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Verify that all components within the system are not duplicated in other system component inventories; or</p>
-               </part>
-               <part name="item" id="cm-8.5_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>If a centralized component inventory is used, verify components are not assigned to multiple systems.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-8.5_gdn">
-               <p>Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.6">
-            <title>Assessed Configurations and Approved Deviations</title>
-            <prop name="label">CM-8(6)</prop>
-            <prop name="sort-id">CM-08(06)</prop>
-            <part name="statement" id="cm-8.6_smt">
-               <p>Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.</p>
-            </part>
-            <part name="guidance" id="cm-8.6_gdn">
-               <p>Assessed configurations and approved deviations focus on configuration settings established by organizations for system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.7">
-            <title>Centralized Repository</title>
-            <prop name="label">CM-8(7)</prop>
-            <prop name="sort-id">CM-08(07)</prop>
-            <part name="statement" id="cm-8.7_smt">
-               <p>Provide a centralized repository for the inventory of system components.</p>
-            </part>
-            <part name="guidance" id="cm-8.7_gdn">
-               <p>Organizations may implement centralized system component inventories that include components from all organizational systems. Centralized repositories of component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.8">
-            <title>Automated Location Tracking</title>
-            <param id="cm-8.8_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">CM-8(8)</prop>
-            <prop name="sort-id">CM-08(08)</prop>
-            <part name="statement" id="cm-8.8_smt">
-               <p>Support the tracking of system components by geographic location using <insert param-id="cm-8.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-8.8_gdn">
-               <p>The use of automated mechanisms to track the location of system components can increase the accuracy of component inventories. Such capability may help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. The use of tracking mechanisms can be coordinated with senior agency officials for privacy if there are implications affecting individual privacy.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-8.9">
-            <title>Assignment of Components to Systems</title>
-            <param id="cm-8.9_prm_1">
-               <label>organization-defined acquired system components</label>
-            </param>
-            <param id="cm-8.9_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">CM-8(9)</prop>
-            <prop name="sort-id">CM-08(09)</prop>
-            <part name="statement" id="cm-8.9_smt">
-               <part name="item" id="cm-8.9_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Assign <insert param-id="cm-8.9_prm_1"/> to a system; and</p>
-               </part>
-               <part name="item" id="cm-8.9_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Receive an acknowledgement from <insert param-id="cm-8.9_prm_2"/> of this assignment.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cm-8.9_gdn">
-               <p>Acquired system components that are not assigned to a specific system may be unmanaged, lack the required protection, and thus, become an organizational vulnerability. Organizations determine the types of system components that are subject to this control enhancement.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-9">
-         <title>Configuration Management Plan</title>
-         <param id="cm-9_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">CM-9</prop>
-         <prop name="sort-id">CM-09</prop>
-         <link rel="reference" href="#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">[SP 800-128]</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="cm-9_smt">
-            <p>Develop, document, and implement a configuration management plan for the system that:</p>
-            <part name="item" id="cm-9_smt.a">
-               <prop name="label">a.</prop>
-               <p>Addresses roles, responsibilities, and configuration management processes and procedures;</p>
-            </part>
-            <part name="item" id="cm-9_smt.b">
-               <prop name="label">b.</prop>
-               <p>Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;</p>
-            </part>
-            <part name="item" id="cm-9_smt.c">
-               <prop name="label">c.</prop>
-               <p>Defines the configuration items for the system and places the configuration items under configuration management;</p>
-            </part>
-            <part name="item" id="cm-9_smt.d">
-               <prop name="label">d.</prop>
-               <p>Is reviewed and approved by <insert param-id="cm-9_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="cm-9_smt.e">
-               <prop name="label">e.</prop>
-               <p>Protects the configuration management plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cm-9_gdn">
-            <p>Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.
-Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes, how to update configuration settings and baselines, how to maintain component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents.
-Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Templates can represent a master configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, for example, the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-9.1">
-            <title>Assignment of Responsibility</title>
-            <prop name="label">CM-9(1)</prop>
-            <prop name="sort-id">CM-09(01)</prop>
-            <part name="statement" id="cm-9.1_smt">
-               <p>Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.</p>
-            </part>
-            <part name="guidance" id="cm-9.1_gdn">
-               <p>In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked to develop configuration management processes using personnel who are not directly involved in system development or system integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of independence between the system development and integration processes and configuration management processes to facilitate quality control and more effective oversight.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-10">
-         <title>Software Usage Restrictions</title>
-         <prop name="label">CM-10</prop>
-         <prop name="sort-id">CM-10</prop>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <part name="statement" id="cm-10_smt">
-            <part name="item" id="cm-10_smt.a">
-               <prop name="label">a.</prop>
-               <p>Use software and associated documentation in accordance with contract agreements and copyright laws;</p>
-            </part>
-            <part name="item" id="cm-10_smt.b">
-               <prop name="label">b.</prop>
-               <p>Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and</p>
-            </part>
-            <part name="item" id="cm-10_smt.c">
-               <prop name="label">c.</prop>
-               <p>Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cm-10_gdn">
-            <p>Software license tracking can be accomplished by manual or automated methods depending on organizational needs. A non-disclosure agreement is an example of a contract agreement.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-10.1">
-            <title>Open Source Software</title>
-            <param id="cm-10.1_prm_1">
-               <label>organization-defined restrictions</label>
-            </param>
-            <prop name="label">CM-10(1)</prop>
-            <prop name="sort-id">CM-10(01)</prop>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="cm-10.1_smt">
-               <p>Establish the following restrictions on the use of open source software: <insert param-id="cm-10.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cm-10.1_gdn">
-               <p>Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, remediating vulnerabilities in open source software may be problematic. There may also be licensing issues associated with open source software, including the constraints on derivative use of such software. Open source software that is available only in binary form may increase the level of risk in using such software.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-11">
-         <title>User-installed Software</title>
-         <param id="cm-11_prm_1">
-            <label>organization-defined policies</label>
-         </param>
-         <param id="cm-11_prm_2">
-            <label>organization-defined methods</label>
-         </param>
-         <param id="cm-11_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CM-11</prop>
-         <prop name="sort-id">CM-11</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="cm-11_smt">
-            <part name="item" id="cm-11_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish <insert param-id="cm-11_prm_1"/> governing the installation of software by users;</p>
-            </part>
-            <part name="item" id="cm-11_smt.b">
-               <prop name="label">b.</prop>
-               <p>Enforce software installation policies through the following methods: <insert param-id="cm-11_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="cm-11_smt.c">
-               <prop name="label">c.</prop>
-               <p>Monitor policy compliance <insert param-id="cm-11_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cm-11_gdn">
-            <p>If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-11.1">
-            <title>Alerts for Unauthorized Installations</title>
-            <prop name="label">CM-11(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CM-11(01)</prop>
-            <link rel="incorporated-into" href="#cm-8.3">CM-8(3)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cm-11.2">
-            <title>Software Installation with Privileged Status</title>
-            <prop name="label">CM-11(2)</prop>
-            <prop name="sort-id">CM-11(02)</prop>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="cm-11.2_smt">
-               <p>Allow user installation of software only with explicit privileged status.</p>
-            </part>
-            <part name="guidance" id="cm-11.2_gdn">
-               <p>Privileged status can be obtained, for example, by serving in the role of system administrator.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-12">
-         <title>Information Location</title>
-         <param id="cm-12_prm_1">
-            <label>organization-defined information</label>
-         </param>
-         <prop name="label">CM-12</prop>
-         <prop name="sort-id">CM-12</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-23">AC-23</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#pm-5">PM-5</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sc-4">SC-4</link>
-         <link rel="related" href="#sc-16">SC-16</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="cm-12_smt">
-            <part name="item" id="cm-12_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identify and document the location of <insert param-id="cm-12_prm_1"/> and the specific system components on which the information is processed and stored;</p>
-            </part>
-            <part name="item" id="cm-12_smt.b">
-               <prop name="label">b.</prop>
-               <p>Identify and document the users who have access to the system and system components where the information is processed and stored; and</p>
-            </part>
-            <part name="item" id="cm-12_smt.c">
-               <prop name="label">c.</prop>
-               <p>Document changes to the location (i.e., system or system components) where the information is processed and stored.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cm-12_gdn">
-            <p>Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and associated information reside in the system components; and how information is being processed so that information flow can be understood, and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cm-12.1">
-            <title>Automated Tools to Support Information Location</title>
-            <param id="cm-12.1_prm_1">
-               <label>organization-defined information by information type</label>
-            </param>
-            <param id="cm-12.1_prm_2">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">CM-12(1)</prop>
-            <prop name="sort-id">CM-12(01)</prop>
-            <part name="statement" id="cm-12.1_smt">
-               <p>Use automated tools to identify <insert param-id="cm-12.1_prm_1"/> on <insert param-id="cm-12.1_prm_2"/> to ensure controls are in place to protect organizational information and individual privacy.</p>
-            </part>
-            <part name="guidance" id="cm-12.1_gdn">
-               <p>The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information organization-wide. The output of automated information location tools can be used to guide and inform system architecture and design decisions.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cm-13">
-         <title>Data Action Mapping</title>
-         <prop name="label">CM-13</prop>
-         <prop name="sort-id">CM-13</prop>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-12">CM-12</link>
-         <link rel="related" href="#pm-5">PM-5</link>
-         <link rel="related" href="#pm-27">PM-27</link>
-         <part name="statement" id="cm-13_smt">
-            <p>Develop and document a map of system data actions.</p>
-         </part>
-         <part name="guidance" id="cm-13_gdn">
-            <p>Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle which includes collection, generation, transformation, use, disclosure, retention, and disposal. A map of system data actions includes discrete data actions, elements of personally identifiable information being processed in the data actions, components of the system involved in the data actions, and the owners or operators of the components. Understanding what personally identifiable information is being processed (e.g., the sensitivity of the personally identifiable information), how personally identifiable information is being processed (e.g., if the data action is visible to the individual or is processed on the backend of the system), and by whom (e.g., individuals may have different privacy perceptions based on the entity that is processing the personally identifiable information) provides a number of contextual factors that are important to assessing the degree of privacy risk created by the system. The data map may be an overlay of any system design artifact that the organization is using. The development of this map may necessitate coordination between the privacy and security programs regarding the covered data actions and the components that are identified as part of the system.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="cp">
-      <title>Contingency Planning</title>
-      <control class="SP800-53" id="cp-1">
-         <title>Policy and Procedures</title>
-         <param id="cp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="cp-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="cp-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CP-1</prop>
-         <prop name="sort-id">CP-01</prop>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#2e29c363-d5be-47ba-92f5-f8a58a69b65e">[SP 800-50]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="cp-1_smt">
-            <part name="item" id="cp-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="cp-1_prm_1"/>:</p>
-               <part name="item" id="cp-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="cp-1_prm_2"/> contingency planning policy that:</p>
-                  <part name="item" id="cp-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="cp-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="cp-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;</p>
-               </part>
-            </part>
-            <part name="item" id="cp-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="cp-1_prm_3"/> to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and</p>
-            </part>
-            <part name="item" id="cp-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current contingency planning:</p>
-               <part name="item" id="cp-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="cp-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="cp-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="cp-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="cp-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the CP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-2">
-         <title>Contingency Plan</title>
-         <param id="cp-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="cp-2_prm_2">
-            <label>organization-defined key contingency personnel (identified by name and/or by role) and organizational elements</label>
-         </param>
-         <param id="cp-2_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-2_prm_4">
-            <label>organization-defined key contingency personnel (identified by name and/or by role) and organizational elements</label>
-         </param>
-         <prop name="label">CP-2</prop>
-         <prop name="sort-id">CP-02</prop>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="reference" href="#7a93e915-fd58-4147-be12-e48044c367e6">[IR 8179]</link>
-         <link rel="related" href="#cp-3">CP-3</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#cp-6">CP-6</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <link rel="related" href="#cp-8">CP-8</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#cp-11">CP-11</link>
-         <link rel="related" href="#cp-13">CP-13</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-6">IR-6</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <link rel="related" href="#ma-6">MA-6</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#pm-11">PM-11</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-20">SA-20</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="cp-2_smt">
-            <part name="item" id="cp-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop a contingency plan for the system that:</p>
-               <part name="item" id="cp-2_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Identifies essential missions and business functions and associated contingency requirements;</p>
-               </part>
-               <part name="item" id="cp-2_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Provides recovery objectives, restoration priorities, and metrics;</p>
-               </part>
-               <part name="item" id="cp-2_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Addresses contingency roles, responsibilities, assigned individuals with contact information;</p>
-               </part>
-               <part name="item" id="cp-2_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Addresses maintaining essential missions and business functions despite a system disruption, compromise, or failure;</p>
-               </part>
-               <part name="item" id="cp-2_smt.a.5">
-                  <prop name="label">5.</prop>
-                  <p>Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; and</p>
-               </part>
-               <part name="item" id="cp-2_smt.a.6">
-                  <prop name="label">6.</prop>
-                  <p>Is reviewed and approved by <insert param-id="cp-2_prm_1"/>;</p>
-               </part>
-            </part>
-            <part name="item" id="cp-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Distribute copies of the contingency plan to <insert param-id="cp-2_prm_2"/>;</p>
-            </part>
-            <part name="item" id="cp-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Coordinate contingency planning activities with incident handling activities;</p>
-            </part>
-            <part name="item" id="cp-2_smt.d">
-               <prop name="label">d.</prop>
-               <p>Review the contingency plan for the system <insert param-id="cp-2_prm_3"/>;</p>
-            </part>
-            <part name="item" id="cp-2_smt.e">
-               <prop name="label">e.</prop>
-               <p>Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;</p>
-            </part>
-            <part name="item" id="cp-2_smt.f">
-               <prop name="label">f.</prop>
-               <p>Communicate contingency plan changes to <insert param-id="cp-2_prm_4"/>; and</p>
-            </part>
-            <part name="item" id="cp-2_smt.g">
-               <prop name="label">g.</prop>
-               <p>Protect the contingency plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cp-2_gdn">
-            <p>Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational missions and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
-In addition to availability, contingency plans address other security-related events resulting in a reduction in mission effectiveness including malicious attacks that compromise the integrity of systems or the confidentiality of information. Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-2.1">
-            <title>Coordinate with Related Plans</title>
-            <prop name="label">CP-2(1)</prop>
-            <prop name="sort-id">CP-02(01)</prop>
-            <part name="statement" id="cp-2.1_smt">
-               <p>Coordinate contingency plan development with organizational elements responsible for related plans.</p>
-            </part>
-            <part name="guidance" id="cp-2.1_gdn">
-               <p>Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Cyber Incident Response Plans, and Occupant Emergency Plans.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.2">
-            <title>Capacity Planning</title>
-            <prop name="label">CP-2(2)</prop>
-            <prop name="sort-id">CP-02(02)</prop>
-            <link rel="related" href="#pe-11">PE-11</link>
-            <link rel="related" href="#pe-12">PE-12</link>
-            <link rel="related" href="#pe-13">PE-13</link>
-            <link rel="related" href="#pe-14">PE-14</link>
-            <link rel="related" href="#pe-18">PE-18</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <part name="statement" id="cp-2.2_smt">
-               <p>Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.</p>
-            </part>
-            <part name="guidance" id="cp-2.2_gdn">
-               <p>Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential missions and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.3">
-            <title>Resume Missions and Business Functions</title>
-            <param id="cp-2.3_prm_1">
-               <select>
-                  <choice>all</choice>
-                  <choice>essential</choice>
-               </select>
-            </param>
-            <param id="cp-2.3_prm_2">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">CP-2(3)</prop>
-            <prop name="sort-id">CP-02(03)</prop>
-            <part name="statement" id="cp-2.3_smt">
-               <p>Plan for the resumption of <insert param-id="cp-2.3_prm_1"/> missions and business functions within <insert param-id="cp-2.3_prm_2"/> of contingency plan activation.</p>
-            </part>
-            <part name="guidance" id="cp-2.3_gdn">
-               <p>Organizations may choose to conduct contingency planning activities to resume missions and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of missions and business functions. The time-period for the resumption of missions and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.4">
-            <title>Resume All Missions and Business Functions</title>
-            <prop name="label">CP-2(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CP-02(04)</prop>
-            <link rel="incorporated-into" href="#cp-2.3">CP-2(3)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.5">
-            <title>Continue Missions and Business Functions</title>
-            <param id="cp-2.5_prm_1">
-               <select>
-                  <choice>all</choice>
-                  <choice>essential</choice>
-               </select>
-            </param>
-            <prop name="label">CP-2(5)</prop>
-            <prop name="sort-id">CP-02(05)</prop>
-            <part name="statement" id="cp-2.5_smt">
-               <p>Plan for the continuance of <insert param-id="cp-2.5_prm_1"/> missions and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.</p>
-            </part>
-            <part name="guidance" id="cp-2.5_gdn">
-               <p>Organizations may choose to conduct the contingency planning activities to continue missions and business functions as part of business continuity planning or as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.6">
-            <title>Alternate Processing and Storage Sites</title>
-            <param id="cp-2.6_prm_1">
-               <select>
-                  <choice>all</choice>
-                  <choice>essential</choice>
-               </select>
-            </param>
-            <prop name="label">CP-2(6)</prop>
-            <prop name="sort-id">CP-02(06)</prop>
-            <part name="statement" id="cp-2.6_smt">
-               <p>Plan for the transfer of <insert param-id="cp-2.6_prm_1"/> missions and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.</p>
-            </part>
-            <part name="guidance" id="cp-2.6_gdn">
-               <p>Organizations may choose to conduct the contingency planning activities for alternate processing and storage sites as part of business continuity planning or as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.7">
-            <title>Coordinate with External Service Providers</title>
-            <prop name="label">CP-2(7)</prop>
-            <prop name="sort-id">CP-02(07)</prop>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <part name="statement" id="cp-2.7_smt">
-               <p>Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.</p>
-            </part>
-            <part name="guidance" id="cp-2.7_gdn">
-               <p>When the capability of an organization to carry out its missions and business functions is dependent on external service providers, developing a comprehensive and timely contingency plan may become more challenging. When missions and business functions are dependent on external service providers, organizations coordinate contingency planning activities with the external entities to ensure that the individual plans reflect the overall contingency needs of the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-2.8">
-            <title>Identify Critical Assets</title>
-            <param id="cp-2.8_prm_1">
-               <select>
-                  <choice>all</choice>
-                  <choice>essential</choice>
-               </select>
-            </param>
-            <prop name="label">CP-2(8)</prop>
-            <prop name="sort-id">CP-02(08)</prop>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#ra-9">RA-9</link>
-            <part name="statement" id="cp-2.8_smt">
-               <p>Identify critical system assets supporting <insert param-id="cp-2.8_prm_1"/> missions and business functions.</p>
-            </part>
-            <part name="guidance" id="cp-2.8_gdn">
-               <p>Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational missions and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (manually executed operations) and personnel (individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-3">
-         <title>Contingency Training</title>
-         <param id="cp-3_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="cp-3_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">CP-3</prop>
-         <prop name="sort-id">CP-03</prop>
-         <link rel="reference" href="#2e29c363-d5be-47ba-92f5-f8a58a69b65e">[SP 800-50]</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#at-4">AT-4</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#cp-8">CP-8</link>
-         <link rel="related" href="#ir-2">IR-2</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <part name="statement" id="cp-3_smt">
-            <p>Provide contingency training to system users consistent with assigned roles and responsibilities:</p>
-            <part name="item" id="cp-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="cp-3_prm_1"/> of assuming a contingency role or responsibility;</p>
-            </part>
-            <part name="item" id="cp-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>When required by system changes; and</p>
-            </part>
-            <part name="item" id="cp-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="cp-3_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cp-3_gdn">
-            <p>Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-3.1">
-            <title>Simulated Events</title>
-            <prop name="label">CP-3(1)</prop>
-            <prop name="sort-id">CP-03(01)</prop>
-            <part name="statement" id="cp-3.1_smt">
-               <p>Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.</p>
-            </part>
-            <part name="guidance" id="cp-3.1_gdn">
-               <p>The use of simulated events creates an environment for personnel to experience actual threat events including cyber-attacks that disable web sites, ransom-ware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-3.2">
-            <title>Mechanisms Used in Training Environments</title>
-            <prop name="label">CP-3(2)</prop>
-            <prop name="sort-id">CP-03(02)</prop>
-            <part name="statement" id="cp-3.2_smt">
-               <p>Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.</p>
-            </part>
-            <part name="guidance" id="cp-3.2_gdn">
-               <p>Operational mechanisms refer to processes that have been established to accomplish an organizational goal or a system that supports a particular organizational mission or business objective. Actual mission/business processes, systems, and/or facilities may be used to generate simulated events and/or to enhance the realism of simulated events during contingency training.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-4">
-         <title>Contingency Plan Testing</title>
-         <param id="cp-4_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="cp-4_prm_2">
-            <label>organization-defined tests</label>
-         </param>
-         <prop name="label">CP-4</prop>
-         <prop name="sort-id">CP-04</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="reference" href="#20bf433b-074c-47a0-8fca-cd591772ccd6">[SP 800-84]</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-3">CP-3</link>
-         <link rel="related" href="#cp-8">CP-8</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#ir-3">IR-3</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-14">PM-14</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <part name="statement" id="cp-4_smt">
-            <part name="item" id="cp-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Test the contingency plan for the system <insert param-id="cp-4_prm_1"/> using  the following tests to determine the effectiveness of the plan and the readiness to execute the plan: <insert param-id="cp-4_prm_2"/>.</p>
-            </part>
-            <part name="item" id="cp-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review the contingency plan test results; and</p>
-            </part>
-            <part name="item" id="cp-4_smt.c">
-               <prop name="label">c.</prop>
-               <p>Initiate corrective actions, if needed.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cp-4_gdn">
-            <p>Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-4.1">
-            <title>Coordinate with Related Plans</title>
-            <prop name="label">CP-4(1)</prop>
-            <prop name="sort-id">CP-04(01)</prop>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <link rel="related" href="#pm-8">PM-8</link>
-            <part name="statement" id="cp-4.1_smt">
-               <p>Coordinate contingency plan testing with organizational elements responsible for related plans.</p>
-            </part>
-            <part name="guidance" id="cp-4.1_gdn">
-               <p>Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations coordinate with those elements.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-4.2">
-            <title>Alternate Processing Site</title>
-            <prop name="label">CP-4(2)</prop>
-            <prop name="sort-id">CP-04(02)</prop>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <part name="statement" id="cp-4.2_smt">
-               <p>Test the contingency plan at the alternate processing site:</p>
-               <part name="item" id="cp-4.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>To familiarize contingency personnel with the facility and available resources; and</p>
-               </part>
-               <part name="item" id="cp-4.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>To evaluate the capabilities of the alternate processing site to support contingency operations.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cp-4.2_gdn">
-               <p>Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience, firsthand, the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational missions and functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-4.3">
-            <title>Automated Testing</title>
-            <param id="cp-4.3_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">CP-4(3)</prop>
-            <prop name="sort-id">CP-04(03)</prop>
-            <part name="statement" id="cp-4.3_smt">
-               <p>Test the contingency plan using <insert param-id="cp-4.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cp-4.3_gdn">
-               <p>Automated mechanisms facilitate thorough and effective testing of contingency plans by providing more complete coverage of contingency issues; by selecting more realistic test scenarios and environments; and by effectively stressing the system and supported missions and business operations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-4.4">
-            <title>Full Recovery and Reconstitution</title>
-            <prop name="label">CP-4(4)</prop>
-            <prop name="sort-id">CP-04(04)</prop>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-            <part name="statement" id="cp-4.4_smt">
-               <p>Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.</p>
-            </part>
-            <part name="guidance" id="cp-4.4_gdn">
-               <p>Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Organizations establish a known state for systems that includes system state information for hardware, software programs, and data. Preserving system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission and business processes.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-5">
-         <title>Contingency Plan Update</title>
-         <prop name="label">CP-5</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">CP-05</prop>
-         <link rel="incorporated-into" href="#cp-2">CP-2</link>
-      </control>
-      <control class="SP800-53" id="cp-6">
-         <title>Alternate Storage Site</title>
-         <prop name="label">CP-6</prop>
-         <prop name="sort-id">CP-06</prop>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <link rel="related" href="#cp-8">CP-8</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#sc-36">SC-36</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <part name="statement" id="cp-6_smt">
-            <part name="item" id="cp-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and</p>
-            </part>
-            <part name="item" id="cp-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Ensure that the alternate storage site provides controls equivalent to that of the primary site.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cp-6_gdn">
-            <p>Alternate storage sites are sites that are geographically distinct from primary storage sites and that maintain duplicate copies of information and data if the primary storage site is not available. In contrast to alternate storage sites, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may also be considered as alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-6.1">
-            <title>Separation from Primary Site</title>
-            <prop name="label">CP-6(1)</prop>
-            <prop name="sort-id">CP-06(01)</prop>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="cp-6.1_smt">
-               <p>Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.</p>
-            </part>
-            <part name="guidance" id="cp-6.1_gdn">
-               <p>Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-6.2">
-            <title>Recovery Time and Recovery Point Objectives</title>
-            <prop name="label">CP-6(2)</prop>
-            <prop name="sort-id">CP-06(02)</prop>
-            <part name="statement" id="cp-6.2_smt">
-               <p>Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.</p>
-            </part>
-            <part name="guidance" id="cp-6.2_gdn">
-               <p>Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations ensuring accessibility and correct execution.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-6.3">
-            <title>Accessibility</title>
-            <prop name="label">CP-6(3)</prop>
-            <prop name="sort-id">CP-06(03)</prop>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="cp-6.3_smt">
-               <p>Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.</p>
-            </part>
-            <part name="guidance" id="cp-6.3_gdn">
-               <p>Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-7">
-         <title>Alternate Processing Site</title>
-         <param id="cp-7_prm_1">
-            <label>organization-defined system operations</label>
-         </param>
-         <param id="cp-7_prm_2">
-            <label>organization-defined time-period consistent with recovery time and recovery point objectives</label>
-         </param>
-         <prop name="label">CP-7</prop>
-         <prop name="sort-id">CP-07</prop>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-6">CP-6</link>
-         <link rel="related" href="#cp-8">CP-8</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#ma-6">MA-6</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-11">PE-11</link>
-         <link rel="related" href="#pe-12">PE-12</link>
-         <link rel="related" href="#pe-17">PE-17</link>
-         <link rel="related" href="#sc-36">SC-36</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <part name="statement" id="cp-7_smt">
-            <part name="item" id="cp-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of <insert param-id="cp-7_prm_1"/> for essential missions and business functions within <insert param-id="cp-7_prm_2"/> when the primary processing capabilities are unavailable;</p>
-            </part>
-            <part name="item" id="cp-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time-period for transfer and resumption; and</p>
-            </part>
-            <part name="item" id="cp-7_smt.c">
-               <prop name="label">c.</prop>
-               <p>Provide controls at the alternate processing site that are equivalent to those at the primary site.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cp-7_gdn">
-            <p>Alternate processing sites are sites that are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives such as failover to a cloud-based service provider or other internally- or externally-provided processing service. Geographically distributed architectures that support contingency requirements may also be considered as alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites; access rules; physical and environmental protection requirements; and the coordination for the transfer and assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions and business functions despite disruption, compromise, or failure in organizational systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-7.1">
-            <title>Separation from Primary Site</title>
-            <prop name="label">CP-7(1)</prop>
-            <prop name="sort-id">CP-07(01)</prop>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="cp-7.1_smt">
-               <p>Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.</p>
-            </part>
-            <part name="guidance" id="cp-7.1_gdn">
-               <p>Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.2">
-            <title>Accessibility</title>
-            <prop name="label">CP-7(2)</prop>
-            <prop name="sort-id">CP-07(02)</prop>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="cp-7.2_smt">
-               <p>Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.</p>
-            </part>
-            <part name="guidance" id="cp-7.2_gdn">
-               <p>Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.3">
-            <title>Priority of Service</title>
-            <prop name="label">CP-7(3)</prop>
-            <prop name="sort-id">CP-07(03)</prop>
-            <part name="statement" id="cp-7.3_smt">
-               <p>Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).</p>
-            </part>
-            <part name="guidance" id="cp-7.3_gdn">
-               <p>Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.4">
-            <title>Preparation for Use</title>
-            <prop name="label">CP-7(4)</prop>
-            <prop name="sort-id">CP-07(04)</prop>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <part name="statement" id="cp-7.4_smt">
-               <p>Prepare the alternate processing site so that the site can serve as the operational site supporting essential missions and business functions.</p>
-            </part>
-            <part name="guidance" id="cp-7.4_gdn">
-               <p>Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.5">
-            <title>Equivalent Information Security Safeguards</title>
-            <prop name="label">CP-7(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CP-07(05)</prop>
-            <link rel="incorporated-into" href="#cp-7">CP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-7.6">
-            <title>Inability to Return to Primary Site</title>
-            <prop name="label">CP-7(6)</prop>
-            <prop name="sort-id">CP-07(06)</prop>
-            <part name="statement" id="cp-7.6_smt">
-               <p>Plan and prepare for circumstances that preclude returning to the primary processing site.</p>
-            </part>
-            <part name="guidance" id="cp-7.6_gdn">
-               <p>There may be situations that preclude an organization from returning to the primary processing site. This can occur, for example, if a natural disaster such as a flood or a hurricane damaged or destroyed a facility and it was determined that rebuilding in the same location was not prudent.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-8">
-         <title>Telecommunications Services</title>
-         <param id="cp-8_prm_1">
-            <label>organization-defined system operations</label>
-         </param>
-         <param id="cp-8_prm_2">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">CP-8</prop>
-         <prop name="sort-id">CP-08</prop>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-6">CP-6</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <link rel="related" href="#cp-11">CP-11</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <part name="statement" id="cp-8_smt">
-            <p>Establish alternate telecommunications services, including necessary agreements to permit the resumption of <insert param-id="cp-8_prm_1"/> for essential missions and business functions within <insert param-id="cp-8_prm_2"/> when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</p>
-         </part>
-         <part name="guidance" id="cp-8_gdn">
-            <p>This control applies to telecommunications services (for data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions and business functions despite the loss of primary telecommunications services. Organizations may specify different time-periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines or the use of satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-8.1">
-            <title>Priority of Service Provisions</title>
-            <prop name="label">CP-8(1)</prop>
-            <prop name="sort-id">CP-08(01)</prop>
-            <part name="statement" id="cp-8.1_smt">
-               <part name="item" id="cp-8.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and</p>
-               </part>
-               <part name="item" id="cp-8.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cp-8.1_gdn">
-               <p>Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program and the Department of Homeland Security, manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.2">
-            <title>Single Points of Failure</title>
-            <prop name="label">CP-8(2)</prop>
-            <prop name="sort-id">CP-08(02)</prop>
-            <part name="statement" id="cp-8.2_smt">
-               <p>Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.</p>
-            </part>
-            <part name="guidance" id="cp-8.2_gdn">
-               <p>In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.3">
-            <title>Separation of Primary and Alternate Providers</title>
-            <prop name="label">CP-8(3)</prop>
-            <prop name="sort-id">CP-08(03)</prop>
-            <part name="statement" id="cp-8.3_smt">
-               <p>Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.</p>
-            </part>
-            <part name="guidance" id="cp-8.3_gdn">
-               <p>Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.4">
-            <title>Provider Contingency Plan</title>
-            <param id="cp-8.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CP-8(4)</prop>
-            <prop name="sort-id">CP-08(04)</prop>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <part name="statement" id="cp-8.4_smt">
-               <part name="item" id="cp-8.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Require primary and alternate telecommunications service providers to have contingency plans;</p>
-               </part>
-               <part name="item" id="cp-8.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and</p>
-               </part>
-               <part name="item" id="cp-8.4_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Obtain evidence of contingency testing and training by providers <insert param-id="cp-8.4_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="cp-8.4_gdn">
-               <p>Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-8.5">
-            <title>Alternate Telecommunication Service Testing</title>
-            <param id="cp-8.5_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CP-8(5)</prop>
-            <prop name="sort-id">CP-08(05)</prop>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <part name="statement" id="cp-8.5_smt">
-               <p>Test alternate telecommunication services <insert param-id="cp-8.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cp-8.5_gdn">
-               <p>Alternate telecommunications services testing is arranged through contractual agreements with service providers. The testing may occur in parallel with normal operations to ensure there is no degradation in organizational missions or functions.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-9">
-         <title>System Backup</title>
-         <param id="cp-9_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <param id="cp-9_prm_2">
-            <label>organization-defined frequency consistent with recovery time and recovery point objectives</label>
-         </param>
-         <param id="cp-9_prm_3">
-            <label>organization-defined frequency consistent with recovery time and recovery point objectives</label>
-         </param>
-         <param id="cp-9_prm_4">
-            <label>organization-defined frequency consistent with recovery time and recovery point objectives</label>
-         </param>
-         <prop name="label">CP-9</prop>
-         <prop name="sort-id">CP-09</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="reference" href="#ae412317-c2b4-47bb-b47b-c329ce0d7a0b">[SP 800-130]</link>
-         <link rel="reference" href="#38dbdf55-9a14-446f-b563-c48e4e3d37fb">[SP 800-152]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-6">CP-6</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <part name="statement" id="cp-9_smt">
-            <part name="item" id="cp-9_smt.a">
-               <prop name="label">a.</prop>
-               <p>Conduct backups of user-level information contained in <insert param-id="cp-9_prm_1"/>
-                  <insert param-id="cp-9_prm_2"/>;</p>
-            </part>
-            <part name="item" id="cp-9_smt.b">
-               <prop name="label">b.</prop>
-               <p>Conduct backups of system-level information contained in the system <insert param-id="cp-9_prm_3"/>;</p>
-            </part>
-            <part name="item" id="cp-9_smt.c">
-               <prop name="label">c.</prop>
-               <p>Conduct backups of system documentation, including security and privacy-related documentation <insert param-id="cp-9_prm_4"/>; and</p>
-            </part>
-            <part name="item" id="cp-9_smt.d">
-               <prop name="label">d.</prop>
-               <p>Protect the confidentiality, integrity, and availability of backup information.</p>
-            </part>
-         </part>
-         <part name="guidance" id="cp-9_gdn">
-            <p>System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of backup information while in transit is outside the scope of this control. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-9.1">
-            <title>Testing for Reliability and Integrity</title>
-            <param id="cp-9.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">CP-9(1)</prop>
-            <prop name="sort-id">CP-09(01)</prop>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <part name="statement" id="cp-9.1_smt">
-               <p>Test backup information <insert param-id="cp-9.1_prm_1"/> to verify media reliability and information integrity.</p>
-            </part>
-            <part name="guidance" id="cp-9.1_gdn">
-               <p>Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.2">
-            <title>Test Restoration Using Sampling</title>
-            <prop name="label">CP-9(2)</prop>
-            <prop name="sort-id">CP-09(02)</prop>
-            <link rel="related" href="#cp-4">CP-4</link>
-            <part name="statement" id="cp-9.2_smt">
-               <p>Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.</p>
-            </part>
-            <part name="guidance" id="cp-9.2_gdn">
-               <p>Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is used to determine if the functions operate as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.3">
-            <title>Separate Storage for Critical Information</title>
-            <param id="cp-9.3_prm_1">
-               <label>organization-defined critical system software and other security-related information</label>
-            </param>
-            <prop name="label">CP-9(3)</prop>
-            <prop name="sort-id">CP-09(03)</prop>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <part name="statement" id="cp-9.3_smt">
-               <p>Store backup copies of <insert param-id="cp-9.3_prm_1"/> in a separate facility or in a fire-rated container that is not collocated with the operational system.</p>
-            </part>
-            <part name="guidance" id="cp-9.3_gdn">
-               <p>Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire-rated containers.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.4">
-            <title>Protection from Unauthorized Modification</title>
-            <prop name="label">CP-9(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CP-09(04)</prop>
-            <link rel="incorporated-into" href="#cp-9">CP-9</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.5">
-            <title>Transfer to Alternate Storage Site</title>
-            <param id="cp-9.5_prm_1">
-               <label>organization-defined time-period and transfer rate consistent with the recovery time and recovery point objectives</label>
-            </param>
-            <prop name="label">CP-9(5)</prop>
-            <prop name="sort-id">CP-09(05)</prop>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#mp-3">MP-3</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <part name="statement" id="cp-9.5_smt">
-               <p>Transfer system backup information to the alternate storage site <insert param-id="cp-9.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cp-9.5_gdn">
-               <p>System backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.6">
-            <title>Redundant Secondary System</title>
-            <prop name="label">CP-9(6)</prop>
-            <prop name="sort-id">CP-09(06)</prop>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <part name="statement" id="cp-9.6_smt">
-               <p>Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.</p>
-            </part>
-            <part name="guidance" id="cp-9.6_gdn">
-               <p>The effect of system backup can be achieved by maintaining a redundant secondary system that mirrors the primary system, including the replication of information. If this type of redundancy is in place and there is sufficient geographic separation between the two systems, the secondary system can also serve as the alternate processing site.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.7">
-            <title>Dual Authorization</title>
-            <param id="cp-9.7_prm_1">
-               <label>organization-defined backup information</label>
-            </param>
-            <prop name="label">CP-9(7)</prop>
-            <prop name="sort-id">CP-09(07)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <part name="statement" id="cp-9.7_smt">
-               <p>Enforce dual authorization for the deletion or destruction of <insert param-id="cp-9.7_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cp-9.7_gdn">
-               <p>Dual authorization ensures that deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting or destroying backup information possess the skills or expertise to determine if the proposed deletion or destruction of information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-9.8">
-            <title>Cryptographic Protection</title>
-            <param id="cp-9.8_prm_1">
-               <label>organization-defined backup information</label>
-            </param>
-            <prop name="label">CP-9(8)</prop>
-            <prop name="sort-id">CP-09(08)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-            <part name="statement" id="cp-9.8_smt">
-               <p>Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of <insert param-id="cp-9.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="cp-9.8_gdn">
-               <p>The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. This control enhancement applies to system backup information in storage at primary and alternate locations. Organizations implementing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-10">
-         <title>System Recovery and Reconstitution</title>
-         <param id="cp-10_prm_1">
-            <label>organization-defined time-period consistent with recovery time and recovery point objectives</label>
-         </param>
-         <prop name="label">CP-10</prop>
-         <prop name="sort-id">CP-10</prop>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#cp-6">CP-6</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-24">SC-24</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <part name="statement" id="cp-10_smt">
-            <p>Provide for the recovery and reconstitution of the system to a known state within <insert param-id="cp-10_prm_1"/> after a disruption, compromise, or failure.</p>
-         </part>
-         <part name="guidance" id="cp-10_gdn">
-            <p>Recovery is executing contingency plan activities to restore organizational missions and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point, recovery time, and reconstitution objectives, and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="cp-10.1">
-            <title>Contingency Plan Testing</title>
-            <prop name="label">CP-10(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CP-10(01)</prop>
-            <link rel="incorporated-into" href="#cp-4">CP-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.2">
-            <title>Transaction Recovery</title>
-            <prop name="label">CP-10(2)</prop>
-            <prop name="sort-id">CP-10(02)</prop>
-            <part name="statement" id="cp-10.2_smt">
-               <p>Implement transaction recovery for systems that are transaction-based.</p>
-            </part>
-            <part name="guidance" id="cp-10.2_gdn">
-               <p>Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.3">
-            <title>Compensating Security Controls</title>
-            <prop name="label">CP-10(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CP-10(03)</prop>
-            <part name="statement" id="cp-10.3_smt">
-               <p>
-                  <em>Addressed through tailoring procedures.</em>
-               </p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.4">
-            <title>Restore Within Time-period</title>
-            <param id="cp-10.4_prm_1">
-               <label>organization-defined restoration time-periods</label>
-            </param>
-            <prop name="label">CP-10(4)</prop>
-            <prop name="sort-id">CP-10(04)</prop>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <part name="statement" id="cp-10.4_smt">
-               <p>Provide the capability to restore system components within <insert param-id="cp-10.4_prm_1"/> from configuration-controlled and integrity-protected information representing a known, operational state for the components.</p>
-            </part>
-            <part name="guidance" id="cp-10.4_gdn">
-               <p>Restoration of system components includes reimaging which restores the components to known, operational states.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.5">
-            <title>Failover Capability</title>
-            <prop name="label">CP-10(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">CP-10(05)</prop>
-            <link rel="incorporated-into" href="#si-13">SI-13</link>
-         </control>
-         <control class="SP800-53-enhancement" id="cp-10.6">
-            <title>Component Protection</title>
-            <prop name="label">CP-10(6)</prop>
-            <prop name="sort-id">CP-10(06)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <part name="statement" id="cp-10.6_smt">
-               <p>Protect system components used for recovery and reconstitution.</p>
-            </part>
-            <part name="guidance" id="cp-10.6_gdn">
-               <p>Protection of system recovery and reconstitution components (i.e., hardware, firmware, and software) includes physical and technical controls. Backup and restoration components used for recovery and reconstitution include router tables, compilers, and other system software.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="cp-11">
-         <title>Alternate Communications Protocols</title>
-         <param id="cp-11_prm_1">
-            <label>organization-defined alternative communications protocols</label>
-         </param>
-         <prop name="label">CP-11</prop>
-         <prop name="sort-id">CP-11</prop>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-8">CP-8</link>
-         <link rel="related" href="#cp-13">CP-13</link>
-         <part name="statement" id="cp-11_smt">
-            <p>Provide the capability to employ <insert param-id="cp-11_prm_1"/> in support of maintaining continuity of operations.</p>
-         </part>
-         <part name="guidance" id="cp-11_gdn">
-            <p>Contingency plans and the contingency training or testing associated with those plans, incorporate an alternate communications protocol capability as part of establishing resilience in organizational systems. Switching communications protocols may affect software applications and operational aspects of systems. Organizations assess the potential side effects of introducing alternate communications protocols prior to implementation.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-12">
-         <title>Safe Mode</title>
-         <param id="cp-12_prm_1">
-            <label>organization-defined conditions</label>
-         </param>
-         <param id="cp-12_prm_2">
-            <label>organization-defined restrictions of safe mode of operation</label>
-         </param>
-         <prop name="label">CP-12</prop>
-         <prop name="sort-id">CP-12</prop>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-24">SC-24</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <link rel="related" href="#si-17">SI-17</link>
-         <part name="statement" id="cp-12_smt">
-            <p>When <insert param-id="cp-12_prm_1"/> are detected, enter a safe mode of operation with <insert param-id="cp-12_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="cp-12_gdn">
-            <p>For systems supporting critical missions and business functions, including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments), organizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-13">
-         <title>Alternative Security Mechanisms</title>
-         <param id="cp-13_prm_1">
-            <label>organization-defined alternative or supplemental security mechanisms</label>
-         </param>
-         <param id="cp-13_prm_2">
-            <label>organization-defined security functions</label>
-         </param>
-         <prop name="label">CP-13</prop>
-         <prop name="sort-id">CP-13</prop>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-11">CP-11</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <part name="statement" id="cp-13_smt">
-            <p>Employ <insert param-id="cp-13_prm_1"/> for satisfying <insert param-id="cp-13_prm_2"/> when the primary means of implementing the security function is unavailable or compromised.</p>
-         </part>
-         <part name="guidance" id="cp-13_gdn">
-            <p>Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternative or supplemental security mechanisms. The mechanisms may be less effective than the primary mechanisms. However, having the capability to readily employ alternative or supplemental mechanisms enhances mission and business continuity that might otherwise be adversely impacted if operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, the alternative or supplemental mechanisms are typically applied only to critical security capabilities provided by systems, system components, or system services. For example, an organization may issue to senior executives and system administrators one-time pads if multifactor tokens, the standard means for secure remote authentication, is compromised.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="cp-14">
-         <title>Self-challenge</title>
-         <param id="cp-14_prm_1">
-            <label>organization-defined autonomous service</label>
-         </param>
-         <param id="cp-14_prm_2">
-            <label>organization-defined system or system components</label>
-         </param>
-         <prop name="label">CP-14</prop>
-         <prop name="sort-id">CP-14</prop>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <part name="statement" id="cp-14_smt">
-            <p>Employ <insert param-id="cp-14_prm_1"/> to <insert param-id="cp-14_prm_2"/> to affect the system or system components in an adverse manner.</p>
-         </part>
-         <part name="guidance" id="cp-14_gdn">
-            <p>Often the best means of assessing the effectiveness of the controls implemented within a system and the system resilience is to disrupt it in some manner. The autonomous service selected and implemented by the organization could disrupt system services in many ways, including terminating or disabling key system components, changing the configuration of system elements, altering privileges, or degrading critical functionality (e.g., restricting network bandwidth). Such automated, on-going, simulated cyber-attacks and service disruptions can reveal unexpected functional dependencies and help the organization determine its ability to ensure resilience in the face of an actual cyber-attack.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ia">
-      <title>Identification and Authentication</title>
-      <control class="SP800-53" id="ia-1">
-         <title>Policy and Procedures</title>
-         <param id="ia-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="ia-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="ia-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ia-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IA-1</prop>
-         <prop name="sort-id">IA-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#3d6b3a16-94e7-4a43-8648-8bdeaadb271b">[SP 800-73-4]</link>
-         <link rel="reference" href="#d5ef0056-c807-44c3-a7b5-6eb491538f8e">[SP 800-76-2]</link>
-         <link rel="reference" href="#013e098f-0680-4856-a130-b768c69dab9c">[SP 800-78-4]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="reference" href="#bb22d510-54a9-4588-b725-00d37576562b">[IR 7874]</link>
-         <link rel="related" href="#ac-1">AC-1</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ia-1_smt">
-            <part name="item" id="ia-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="ia-1_prm_1"/>:</p>
-               <part name="item" id="ia-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="ia-1_prm_2"/> identification and authentication policy that:</p>
-                  <part name="item" id="ia-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="ia-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ia-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;</p>
-               </part>
-            </part>
-            <part name="item" id="ia-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="ia-1_prm_3"/> to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and</p>
-            </part>
-            <part name="item" id="ia-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current identification and authentication:</p>
-               <part name="item" id="ia-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="ia-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="ia-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="ia-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ia-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the IA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-2">
-         <title>Identification and Authentication (organizational Users)</title>
-         <prop name="label">IA-2</prop>
-         <prop name="sort-id">IA-02</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">[FIPS 202]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#3d6b3a16-94e7-4a43-8648-8bdeaadb271b">[SP 800-73-4]</link>
-         <link rel="reference" href="#d5ef0056-c807-44c3-a7b5-6eb491538f8e">[SP 800-76-2]</link>
-         <link rel="reference" href="#013e098f-0680-4856-a130-b768c69dab9c">[SP 800-78-4]</link>
-         <link rel="reference" href="#bb55e71a-e059-4263-8dd8-bc96fd3f063d">[SP 800-79-2]</link>
-         <link rel="reference" href="#f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa">[SP 800-156]</link>
-         <link rel="reference" href="#a8f55663-86c5-415b-aabe-d2a126981d65">[SP 800-166]</link>
-         <link rel="reference" href="#d4779b49-8acc-45ef-b4f0-30f945e81d1b">[IR 7539]</link>
-         <link rel="reference" href="#daf69edb-a0ef-4447-9880-8c4bf553181f">[IR 7676]</link>
-         <link rel="reference" href="#a49f67fc-827c-40e6-9a37-2b1cbe8142fd">[IR 7817]</link>
-         <link rel="reference" href="#972c10bd-aedf-485f-b0db-f46a402127e2">[IR 7849]</link>
-         <link rel="reference" href="#197f7ba7-9af8-4a67-b3a4-5523d850e53b">[IR 7870]</link>
-         <link rel="reference" href="#bb22d510-54a9-4588-b725-00d37576562b">[IR 7874]</link>
-         <link rel="reference" href="#30213e10-2aca-47b3-8cdb-61303e0959f5">[IR 7966]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-14">AC-14</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#au-1">AU-1</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <part name="statement" id="ia-2_smt">
-            <p>Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.</p>
-         </part>
-         <part name="guidance" id="ia-2_gdn">
-            <p>Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals that organizations consider having equivalent status of employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than accesses that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.
-Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.
-The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-2.1">
-            <title>Multifactor Authentication to Privileged Accounts</title>
-            <prop name="label">IA-2(1)</prop>
-            <prop name="sort-id">IA-02(01)</prop>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="ia-2.1_smt">
-               <p>Implement multifactor authentication for access to privileged accounts.</p>
-            </part>
-            <part name="guidance" id="ia-2.1_gdn">
-               <p>Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.2">
-            <title>Multifactor Authentication to Non-privileged Accounts</title>
-            <prop name="label">IA-2(2)</prop>
-            <prop name="sort-id">IA-02(02)</prop>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <part name="statement" id="ia-2.2_smt">
-               <p>Implement multifactor authentication for access to non-privileged accounts.</p>
-            </part>
-            <part name="guidance" id="ia-2.2_gdn">
-               <p>Multifactor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number (PIN)); something you have (e.g., a physical authenticator or cryptographic private key stored in hardware or software); or something you are (e.g., a biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access, privileged accounts are authenticated using multifactor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.3">
-            <title>Local Access to Privileged Accounts</title>
-            <prop name="label">IA-2(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-02(03)</prop>
-            <link rel="incorporated-into" href="#ia-2.1">IA-2(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.4">
-            <title>Local Access to Non-privileged Accounts</title>
-            <prop name="label">IA-2(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-02(04)</prop>
-            <link rel="incorporated-into" href="#ia-2.2">IA-2(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.5">
-            <title>Individual Authentication with Group Authentication</title>
-            <prop name="label">IA-2(5)</prop>
-            <prop name="sort-id">IA-02(05)</prop>
-            <part name="statement" id="ia-2.5_smt">
-               <p>When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.</p>
-            </part>
-            <part name="guidance" id="ia-2.5_gdn">
-               <p>Individual authentication prior to shared group authentication helps to mitigate the risk of using group accounts or authenticators.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.6">
-            <title>Access to Accounts — Separate Device</title>
-            <param id="ia-2.6_prm_1">
-               <select how-many="one or more">
-                  <choice>local</choice>
-                  <choice>network</choice>
-                  <choice>remote</choice>
-               </select>
-            </param>
-            <param id="ia-2.6_prm_2">
-               <select how-many="one or more">
-                  <choice>privileged accounts</choice>
-                  <choice>non-privileged accounts</choice>
-               </select>
-            </param>
-            <param id="ia-2.6_prm_3">
-               <label>organization-defined strength of mechanism requirements</label>
-            </param>
-            <prop name="label">IA-2(6)</prop>
-            <prop name="sort-id">IA-02(06)</prop>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="ia-2.6_smt">
-               <p>Implement multifactor authentication for <insert param-id="ia-2.6_prm_1"/> access to <insert param-id="ia-2.6_prm_2"/> such that:</p>
-               <part name="item" id="ia-2.6_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>One of the factors is provided by a device separate from the system gaining access; and</p>
-               </part>
-               <part name="item" id="ia-2.6_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>The device meets <insert param-id="ia-2.6_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ia-2.6_gdn">
-               <p>The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Adversaries may be able to compromise credentials stored on the system and subsequently impersonate authorized users. Implementing one of the factors in multifactor authentication (e.g., a hardware token) on a separate device, provides a greater strength of mechanism and an increased level of assurance in the authentication process.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.7">
-            <title>Access to Non-privileged Accounts — Separate Device</title>
-            <prop name="label">IA-2(7)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-02(07)</prop>
-            <link rel="incorporated-into" href="#ia-2.6">IA-2(6)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.8">
-            <title>Access to Accounts — Replay Resistant</title>
-            <param id="ia-2.8_prm_1">
-               <select how-many="one or more">
-                  <choice>privileged accounts</choice>
-                  <choice>non-privileged accounts</choice>
-               </select>
-            </param>
-            <prop name="label">IA-2(8)</prop>
-            <prop name="sort-id">IA-02(08)</prop>
-            <part name="statement" id="ia-2.8_smt">
-               <p>Implement replay-resistant authentication mechanisms for access to <insert param-id="ia-2.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-2.8_gdn">
-               <p>Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.9">
-            <title>Network Access to Non-privileged Accounts — Replay Resistant</title>
-            <prop name="label">IA-2(9)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-02(09)</prop>
-            <link rel="incorporated-into" href="#ia-2.8">IA-2(8)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.10">
-            <title>Single Sign-on</title>
-            <param id="ia-2.10_prm_1">
-               <label>organization-defined system accounts and services</label>
-            </param>
-            <prop name="label">IA-2(10)</prop>
-            <prop name="sort-id">IA-02(10)</prop>
-            <part name="statement" id="ia-2.10_smt">
-               <p>Provide a single sign-on capability for <insert param-id="ia-2.10_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-2.10_gdn">
-               <p>Single sign-on enables users to log in once and gain access to multiple system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the risk introduced by allowing access to multiple systems via a single authentication event. Single sign-on can present opportunities to improve system security, for example by providing the ability to add multifactor authentication for applications and systems (existing and new) that may not be able to natively support multifactor authentication.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.11">
-            <title>Remote Access — Separate Device</title>
-            <prop name="label">IA-2(11)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-02(11)</prop>
-            <link rel="incorporated-into" href="#ia-2.6">IA-2(6)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.12">
-            <title>Acceptance of PIV Credentials</title>
-            <prop name="label">IA-2(12)</prop>
-            <prop name="sort-id">IA-02(12)</prop>
-            <part name="statement" id="ia-2.12_smt">
-               <p>Accept and electronically verify Personal Identity Verification-compliant credentials.</p>
-            </part>
-            <part name="guidance" id="ia-2.12_gdn">
-               <p>Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2]. Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166]. The DOD Common Access Card (CAC) is an example of a PIV credential.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-2.13">
-            <title>Out-of-band Authentication</title>
-            <param id="ia-2.13_prm_1">
-               <label>organization-defined conditions</label>
-            </param>
-            <param id="ia-2.13_prm_2">
-               <label>organization-defined out-of-band authentication</label>
-            </param>
-            <prop name="label">IA-2(13)</prop>
-            <prop name="sort-id">IA-02(13)</prop>
-            <link rel="related" href="#ia-10">IA-10</link>
-            <link rel="related" href="#ia-11">IA-11</link>
-            <link rel="related" href="#sc-37">SC-37</link>
-            <part name="statement" id="ia-2.13_smt">
-               <p>Implement the following out-of-band authentication mechanisms under <insert param-id="ia-2.13_prm_1"/>: <insert param-id="ia-2.13_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ia-2.13_gdn">
-               <p>Out-of-band authentication refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path), is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user’s cell phone to verify that the requested action originated from the user. The user may confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. Out-of-band authentication can be used to mitigate actual or suspected man-in the-middle attacks. The conditions or criteria for activation can include suspicious activities, new threat indicators or elevated threat levels, or the impact or classification level of information in requested transactions.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-3">
-         <title>Device Identification and Authentication</title>
-         <param id="ia-3_prm_1">
-            <label>organization-defined devices and/or types of devices</label>
-         </param>
-         <param id="ia-3_prm_2">
-            <select how-many="one or more">
-               <choice>local</choice>
-               <choice>remote</choice>
-               <choice>network</choice>
-            </select>
-         </param>
-         <prop name="label">IA-3</prop>
-         <prop name="sort-id">IA-03</prop>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#ca-9">CA-9</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-9">IA-9</link>
-         <link rel="related" href="#ia-11">IA-11</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="ia-3_smt">
-            <p>Uniquely identify and authenticate <insert param-id="ia-3_prm_1"/> before establishing a <insert param-id="ia-3_prm_2"/> connection.</p>
-         </part>
-         <part name="guidance" id="ia-3_gdn">
-            <p>Devices that require unique device-to-device identification and authentication are defined by type, by device, or by a combination of type and device. Organization-defined device types can include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on large scale, organizations can restrict the application of the control to a limited number (and type) of devices based on need.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-3.1">
-            <title>Cryptographic Bidirectional Authentication</title>
-            <param id="ia-3.1_prm_1">
-               <label>organization-defined devices and/or types of devices</label>
-            </param>
-            <param id="ia-3.1_prm_2">
-               <select how-many="one or more">
-                  <choice>local</choice>
-                  <choice>remote</choice>
-                  <choice>network</choice>
-               </select>
-            </param>
-            <prop name="label">IA-3(1)</prop>
-            <prop name="sort-id">IA-03(01)</prop>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="ia-3.1_smt">
-               <p>Authenticate <insert param-id="ia-3.1_prm_1"/> before establishing <insert param-id="ia-3.1_prm_2"/> connection using bidirectional authentication that is cryptographically based.</p>
-            </part>
-            <part name="guidance" id="ia-3.1_gdn">
-               <p>A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network. A remote connection is any connection with a device communicating through an external network. Bidirectional authentication provides stronger protection to validate the identity of other devices for connections that are of greater risk.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-3.2">
-            <title>Cryptographic Bidirectional Network Authentication</title>
-            <prop name="label">IA-3(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-03(02)</prop>
-            <link rel="incorporated-into" href="#ia-3.1">IA-3(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-3.3">
-            <title>Dynamic Address Allocation</title>
-            <param id="ia-3.3_prm_1">
-               <label>organization-defined lease information and lease duration</label>
-            </param>
-            <prop name="label">IA-3(3)</prop>
-            <prop name="sort-id">IA-03(03)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <part name="statement" id="ia-3.3_smt">
-               <part name="item" id="ia-3.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with <insert param-id="ia-3.3_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="ia-3.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Audit lease information when assigned to a device.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ia-3.3_gdn">
-               <p>The Dynamic Host Configuration (DHCP) protocol is an example of a means by which clients can dynamically receive network address assignments.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-3.4">
-            <title>Device Attestation</title>
-            <param id="ia-3.4_prm_1">
-               <label>organization-defined configuration management process</label>
-            </param>
-            <prop name="label">IA-3(4)</prop>
-            <prop name="sort-id">IA-03(04)</prop>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <part name="statement" id="ia-3.4_smt">
-               <p>Handle device identification and authentication based on attestation by <insert param-id="ia-3.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-3.4_gdn">
-               <p>Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. Device attestation can be determined via a cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and at the same time do not disrupt the identification and authentication to other devices.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-4">
-         <title>Identifier Management</title>
-         <param id="ia-4_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ia-4_prm_2">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">IA-4</prop>
-         <prop name="sort-id">IA-04</prop>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#3d6b3a16-94e7-4a43-8648-8bdeaadb271b">[SP 800-73-4]</link>
-         <link rel="reference" href="#d5ef0056-c807-44c3-a7b5-6eb491538f8e">[SP 800-76-2]</link>
-         <link rel="reference" href="#013e098f-0680-4856-a130-b768c69dab9c">[SP 800-78-4]</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ia-9">IA-9</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-4">PE-4</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#ps-4">PS-4</link>
-         <link rel="related" href="#ps-5">PS-5</link>
-         <link rel="related" href="#sc-37">SC-37</link>
-         <part name="statement" id="ia-4_smt">
-            <p>Manage system identifiers by:</p>
-            <part name="item" id="ia-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Receiving authorization from <insert param-id="ia-4_prm_1"/> to assign an individual, group, role, service, or device identifier;</p>
-            </part>
-            <part name="item" id="ia-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Selecting an identifier that identifies an individual, group, role, service, or device;</p>
-            </part>
-            <part name="item" id="ia-4_smt.c">
-               <prop name="label">c.</prop>
-               <p>Assigning the identifier to the intended individual, group, role, service, or device; and</p>
-            </part>
-            <part name="item" id="ia-4_smt.d">
-               <prop name="label">d.</prop>
-               <p>Preventing reuse of identifiers for <insert param-id="ia-4_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ia-4_gdn">
-            <p>Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-4.1">
-            <title>Prohibit Account Identifiers as Public Identifiers</title>
-            <prop name="label">IA-4(1)</prop>
-            <prop name="sort-id">IA-04(01)</prop>
-            <link rel="related" href="#at-2">AT-2</link>
-            <part name="statement" id="ia-4.1_smt">
-               <p>Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.</p>
-            </part>
-            <part name="guidance" id="ia-4.1_gdn">
-               <p>This control enhancement applies to any publicly disclosed account identifier used for communication including, for example, electronic mail and instant messaging. Prohibiting the use of systems account identifiers that are the same as some public identifier such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers. Prohibiting account identifiers as public identifiers without the implementation of other supporting controls only complicates guessing of identifiers. Additional protections are required for authenticators and attributes to protect the account.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.2">
-            <title>Supervisor Authorization</title>
-            <prop name="label">IA-4(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-04(02)</prop>
-            <link rel="incorporated-into" href="#ia-12.1">IA-12(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.3">
-            <title>Multiple Forms of Certification</title>
-            <prop name="label">IA-4(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-04(03)</prop>
-            <link rel="incorporated-into" href="#ia-12.2">IA-12(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.4">
-            <title>Identify User Status</title>
-            <param id="ia-4.4_prm_1">
-               <label>organization-defined characteristic identifying individual status</label>
-            </param>
-            <prop name="label">IA-4(4)</prop>
-            <prop name="sort-id">IA-04(04)</prop>
-            <part name="statement" id="ia-4.4_smt">
-               <p>Manage individual identifiers by uniquely identifying each individual as <insert param-id="ia-4.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-4.4_gdn">
-               <p>Characteristics identifying the status of individuals include contractors and foreign nationals. Identifying the status of individuals by characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.5">
-            <title>Dynamic Management</title>
-            <param id="ia-4.5_prm_1">
-               <label>organization-defined dynamic identifier policy</label>
-            </param>
-            <prop name="label">IA-4(5)</prop>
-            <prop name="sort-id">IA-04(05)</prop>
-            <link rel="related" href="#ac-16">AC-16</link>
-            <part name="statement" id="ia-4.5_smt">
-               <p>Manage individual identifiers dynamically in accordance with <insert param-id="ia-4.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-4.5_gdn">
-               <p>In contrast to conventional approaches to identification that presume static accounts for preregistered users, many distributed systems establish identifiers at run time for entities that were previously unknown. When identifiers are established at runtime for previously unknown entities, organizations can anticipate and provision for the dynamic establishment of identifiers. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.6">
-            <title>Cross-organization Management</title>
-            <param id="ia-4.6_prm_1">
-               <label>organization-defined external organizations</label>
-            </param>
-            <prop name="label">IA-4(6)</prop>
-            <prop name="sort-id">IA-04(06)</prop>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <part name="statement" id="ia-4.6_smt">
-               <p>Coordinate with the following external organizations for cross-organization management of identifiers: <insert param-id="ia-4.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-4.6_gdn">
-               <p>Cross-organization identifier management provides the capability to identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.7">
-            <title>In-person Registration</title>
-            <prop name="label">IA-4(7)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-04(07)</prop>
-            <link rel="incorporated-into" href="#ia-12.4">IA-12(4)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.8">
-            <title>Pairwise Pseudonymous Identifiers</title>
-            <prop name="label">IA-4(8)</prop>
-            <prop name="sort-id">IA-04(08)</prop>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <part name="statement" id="ia-4.8_smt">
-               <p>Generate pairwise pseudonymous identifiers.</p>
-            </part>
-            <part name="guidance" id="ia-4.8_gdn">
-               <p>A pairwise pseudonymous identifier is an opaque unguessable subscriber identifier generated by an identify provider for use at a specific individual relying party. Generating distinct pairwise pseudonymous identifiers, with no identifying information about a subscriber, discourages subscriber activity tracking and profiling beyond the operational requirements established by an organization. The pairwise pseudonymous identifiers are unique to each relying party, except in situations where relying parties can show a demonstrable relationship justifying an operational need for correlation, or all parties consent to being correlated in such a manner.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-4.9">
-            <title>Attribute Maintenance and Protection</title>
-            <param id="ia-4.9_prm_1">
-               <label>organization-defined protected central storage</label>
-            </param>
-            <prop name="label">IA-4(9)</prop>
-            <prop name="sort-id">IA-04(09)</prop>
-            <part name="statement" id="ia-4.9_smt">
-               <p>Maintain the attributes for each uniquely identified individual, device, or service in <insert param-id="ia-4.9_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-4.9_gdn">
-               <p>For each of the entities covered in IA-2, IA-3, IA-8, and IA-9, it is important to maintain the attributes for each authenticated entity on an ongoing basis in a central (protected) store.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-5">
-         <title>Authenticator Management</title>
-         <param id="ia-5_prm_1">
-            <label>organization-defined time-period by authenticator type</label>
-         </param>
-         <prop name="label">IA-5</prop>
-         <prop name="sort-id">IA-05</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd">[FIPS 180-4]</link>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">[FIPS 202]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#3d6b3a16-94e7-4a43-8648-8bdeaadb271b">[SP 800-73-4]</link>
-         <link rel="reference" href="#d5ef0056-c807-44c3-a7b5-6eb491538f8e">[SP 800-76-2]</link>
-         <link rel="reference" href="#013e098f-0680-4856-a130-b768c69dab9c">[SP 800-78-4]</link>
-         <link rel="reference" href="#d4779b49-8acc-45ef-b4f0-30f945e81d1b">[IR 7539]</link>
-         <link rel="reference" href="#a49f67fc-827c-40e6-9a37-2b1cbe8142fd">[IR 7817]</link>
-         <link rel="reference" href="#972c10bd-aedf-485f-b0db-f46a402127e2">[IR 7849]</link>
-         <link rel="reference" href="#197f7ba7-9af8-4a67-b3a4-5523d850e53b">[IR 7870]</link>
-         <link rel="reference" href="#24738ee6-b3f3-4e37-825b-58775846bdbc">[IR 8040]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-7">IA-7</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ia-9">IA-9</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <part name="statement" id="ia-5_smt">
-            <p>Manage system authenticators by:</p>
-            <part name="item" id="ia-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;</p>
-            </part>
-            <part name="item" id="ia-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Establishing initial authenticator content for any authenticators issued by the organization;</p>
-            </part>
-            <part name="item" id="ia-5_smt.c">
-               <prop name="label">c.</prop>
-               <p>Ensuring that authenticators have sufficient strength of mechanism for their intended use;</p>
-            </part>
-            <part name="item" id="ia-5_smt.d">
-               <prop name="label">d.</prop>
-               <p>Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;</p>
-            </part>
-            <part name="item" id="ia-5_smt.e">
-               <prop name="label">e.</prop>
-               <p>Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;</p>
-            </part>
-            <part name="item" id="ia-5_smt.f">
-               <prop name="label">f.</prop>
-               <p>Changing default authenticators prior to first use;</p>
-            </part>
-            <part name="item" id="ia-5_smt.g">
-               <prop name="label">g.</prop>
-               <p>Changing or refreshing authenticators <insert param-id="ia-5_prm_1"/>;</p>
-            </part>
-            <part name="item" id="ia-5_smt.h">
-               <prop name="label">h.</prop>
-               <p>Protecting authenticator content from unauthorized disclosure and modification;</p>
-            </part>
-            <part name="item" id="ia-5_smt.i">
-               <prop name="label">i.</prop>
-               <p>Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and</p>
-            </part>
-            <part name="item" id="ia-5_smt.j">
-               <prop name="label">j.</prop>
-               <p>Changing authenticators for group or role accounts when membership to those accounts changes.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ia-5_gdn">
-            <p>Authenticators include passwords, cryptographic devices, one-time password devices, and key cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements about authenticator content contain specific characteristics or criteria (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.
-Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g.,  minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators; not sharing authenticators with others; and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-5.1">
-            <title>Password-based Authentication</title>
-            <param id="ia-5.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="ia-5.1_prm_2">
-               <label>organization-defined composition and complexity rules</label>
-            </param>
-            <prop name="label">IA-5(1)</prop>
-            <prop name="sort-id">IA-05(01)</prop>
-            <link rel="related" href="#ia-6">IA-6</link>
-            <part name="statement" id="ia-5.1_smt">
-               <p>For password-based authentication:</p>
-               <part name="item" id="ia-5.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Maintain a list of commonly-used, expected, or compromised passwords and update the list <insert param-id="ia-5.1_prm_1"/> and when organizational passwords are suspected to have been compromised directly or indirectly;</p>
-               </part>
-               <part name="item" id="ia-5.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Verify, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords;</p>
-               </part>
-               <part name="item" id="ia-5.1_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Transmit only cryptographically-protected passwords;</p>
-               </part>
-               <part name="item" id="ia-5.1_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Store passwords using an approved hash algorithm and salt, preferably using a keyed hash;</p>
-               </part>
-               <part name="item" id="ia-5.1_smt.e">
-                  <prop name="label">(e)</prop>
-                  <p>Require immediate selection of a new password upon account recovery;</p>
-               </part>
-               <part name="item" id="ia-5.1_smt.f">
-                  <prop name="label">(f)</prop>
-                  <p>Allow user selection of long passwords and passphrases, including spaces and all printable characters;</p>
-               </part>
-               <part name="item" id="ia-5.1_smt.g">
-                  <prop name="label">(g)</prop>
-                  <p>Employ automated tools to assist the user in selecting strong password authenticators; and</p>
-               </part>
-               <part name="item" id="ia-5.1_smt.h">
-                  <prop name="label">(h)</prop>
-                  <p>Enforce the following composition and complexity rules: <insert param-id="ia-5.1_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ia-5.1_gdn">
-               <p>Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefit while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly-used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context specific words, for example, the name of the service, username, and derivatives thereof.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.2">
-            <title>Implement a local cache of revocation data to support path discovery and validation.</title>
-            <prop name="label">IA-5(2)</prop>
-            <prop name="sort-id">IA-05(02)</prop>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#sc-17">SC-17</link>
-            <part name="statement" id="ia-5.2_smt">
-               <p>Discussion:  Public key cryptography is a valid authentication mechanism for individuals and machines or devices. When PKI is implemented, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation supports system availability in situations where organizations are unable to access revocation information via the network.</p>
-            </part>
-            <part name="guidance" id="ia-5.2_gdn"/>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.3">
-            <title>In-person or Trusted External Party Registration</title>
-            <prop name="label">IA-5(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-05(03)</prop>
-            <link rel="incorporated-into" href="#ia-12.4">IA-12(4)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.4">
-            <title>Automated Support for Password Strength Determination</title>
-            <prop name="label">IA-5(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-05(04)</prop>
-            <link rel="incorporated-into" href="#ia-5.1">IA-5(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.5">
-            <title>Change Authenticators Prior to Delivery</title>
-            <prop name="label">IA-5(5)</prop>
-            <prop name="sort-id">IA-05(05)</prop>
-            <part name="statement" id="ia-5.5_smt">
-               <p>Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.</p>
-            </part>
-            <part name="guidance" id="ia-5.5_gdn">
-               <p>Changing authenticators prior to delivery and installation of system components extends the requirement for organizations to change default authenticators upon system installation, by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically does not apply to developers of commercial off-the-shelf information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring systems or system components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.6">
-            <title>Protection of Authenticators</title>
-            <prop name="label">IA-5(6)</prop>
-            <prop name="sort-id">IA-05(06)</prop>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <part name="statement" id="ia-5.6_smt">
-               <p>Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.</p>
-            </part>
-            <part name="guidance" id="ia-5.6_gdn">
-               <p>For systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.7">
-            <title>No Embedded Unencrypted Static Authenticators</title>
-            <prop name="label">IA-5(7)</prop>
-            <prop name="sort-id">IA-05(07)</prop>
-            <part name="statement" id="ia-5.7_smt">
-               <p>Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.</p>
-            </part>
-            <part name="guidance" id="ia-5.7_gdn">
-               <p>In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.8">
-            <title>Multiple System Accounts</title>
-            <param id="ia-5.8_prm_1">
-               <label>organization-defined security controls</label>
-            </param>
-            <prop name="label">IA-5(8)</prop>
-            <prop name="sort-id">IA-05(08)</prop>
-            <part name="statement" id="ia-5.8_smt">
-               <p>Implement <insert param-id="ia-5.8_prm_1"/> to manage the risk of compromise due to individuals having accounts on multiple systems.</p>
-            </part>
-            <part name="guidance" id="ia-5.8_gdn">
-               <p>When individuals have accounts on multiple systems, there is the risk that a compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Alternatives include having different authenticators on all systems; employing a single sign-on mechanism; or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see PL-4) and access agreements (see PS-6) to mitigate the risk of multiple system accounts.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.9">
-            <title>Federated Credential Management</title>
-            <param id="ia-5.9_prm_1">
-               <label>organization-defined external organizations</label>
-            </param>
-            <prop name="label">IA-5(9)</prop>
-            <prop name="sort-id">IA-05(09)</prop>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#au-16">AU-16</link>
-            <part name="statement" id="ia-5.9_smt">
-               <p>Use the following external organizations to federate authenticators: <insert param-id="ia-5.9_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-5.9_gdn">
-               <p>Federation provides the capability for organizations to authenticate individuals and devices when conducting cross-organization activities involving the processing, storage, or transmission of information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.10">
-            <title>Dynamic Credential Binding</title>
-            <param id="ia-5.10_prm_1">
-               <label>organization-defined binding rules</label>
-            </param>
-            <prop name="label">IA-5(10)</prop>
-            <prop name="sort-id">IA-05(10)</prop>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <part name="statement" id="ia-5.10_smt">
-               <p>Bind identities and authenticators dynamically using the following rules: <insert param-id="ia-5.10_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-5.10_gdn">
-               <p>Authentication requires some form of binding between an identity and the authenticator that is used to confirm the identity. In conventional approaches, binding is established by pre-provisioning both the identity and the authenticator to the system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the system. New authentication techniques allow the binding between the identity and the authenticator to be implemented external to a system. For example, with smartcard credentials, the identity and authenticator are bound together on the smartcard. Using these credentials, systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.11">
-            <title>Hardware Token-based Authentication</title>
-            <prop name="label">IA-5(11)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-05(11)</prop>
-            <link rel="incorporated-into" href="#ia-2.1">IA-2(1)</link>
-            <link rel="incorporated-into" href="#ia-2.2">IA-2(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.12">
-            <title>Biometric Authentication Performance</title>
-            <param id="ia-5.12_prm_1">
-               <label>organization-defined biometric quality requirements</label>
-            </param>
-            <prop name="label">IA-5(12)</prop>
-            <prop name="sort-id">IA-05(12)</prop>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <part name="statement" id="ia-5.12_smt">
-               <p>For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements <insert param-id="ia-5.12_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-5.12_gdn">
-               <p>Unlike password-based authentication which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide such exact matches. Depending upon the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and the stored biometric that serves as the basis of comparison. Matching performance is the rate at which a biometric algorithm correctly results in a match for a genuine user and rejects other users. Biometric performance requirements include the match rate as this rate reflects the accuracy of the biometric matching algorithm used by a system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.13">
-            <title>Expiration of Cached Authenticators</title>
-            <param id="ia-5.13_prm_1">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">IA-5(13)</prop>
-            <prop name="sort-id">IA-05(13)</prop>
-            <part name="statement" id="ia-5.13_smt">
-               <p>Prohibit the use of cached authenticators after <insert param-id="ia-5.13_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-5.13_gdn">
-               <p>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.14">
-            <title>Managing Content of PKI Trust Stores</title>
-            <prop name="label">IA-5(14)</prop>
-            <prop name="sort-id">IA-05(14)</prop>
-            <part name="statement" id="ia-5.14_smt">
-               <p>For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.</p>
-            </part>
-            <part name="guidance" id="ia-5.14_gdn">
-               <p>An organization-wide methodology for managing the content of PKI trust stores helps improve the accuracy and currency of PKI-based authentication credentials across the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.15">
-            <title>Gsa-approved Products and Services</title>
-            <prop name="label">IA-5(15)</prop>
-            <prop name="sort-id">IA-05(15)</prop>
-            <part name="statement" id="ia-5.15_smt">
-               <p>Use only General Services Administration-approved and validated products and services for identity, credential, and access management.</p>
-            </part>
-            <part name="guidance" id="ia-5.15_gdn">
-               <p>General Services Administration (GSA)-approved products and services are the products and services that have been approved through the GSA conformance program, where applicable, and posted to the GSA Approved Products List. GSA provides guidance for teams to design and build functional and secure systems that comply with Federal Identity, Credential, and Access Management (FICAM) policies, technologies, and implementation patterns.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.16">
-            <title>In-person or Trusted External Party Authenticator Issuance</title>
-            <param id="ia-5.16_prm_1">
-               <label>organization-defined types of and/or specific authenticators</label>
-            </param>
-            <param id="ia-5.16_prm_2">
-               <select>
-                  <choice>in person</choice>
-                  <choice>by a trusted external party</choice>
-               </select>
-            </param>
-            <param id="ia-5.16_prm_3">
-               <label>organization-defined registration authority</label>
-            </param>
-            <param id="ia-5.16_prm_4">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IA-5(16)</prop>
-            <prop name="sort-id">IA-05(16)</prop>
-            <link rel="related" href="#ia-12">IA-12</link>
-            <part name="statement" id="ia-5.16_smt">
-               <p>Require that the issuance of <insert param-id="ia-5.16_prm_1"/> be conducted <insert param-id="ia-5.16_prm_2"/> before <insert param-id="ia-5.16_prm_3"/> with authorization by <insert param-id="ia-5.16_prm_4"/>.</p>
-            </part>
-            <part name="guidance" id="ia-5.16_gdn">
-               <p>Issuing authenticators in person or by a trusted external party enhances and reinforces the trustworthiness of the identity proofing process.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.17">
-            <title>Presentation Attack Detection for Biometric Authenticators</title>
-            <prop name="label">IA-5(17)</prop>
-            <prop name="sort-id">IA-05(17)</prop>
-            <link rel="related" href="#ac-7">AC-7</link>
-            <part name="statement" id="ia-5.17_smt">
-               <p>Employ presentation attack detection mechanisms for biometric-based authentication.</p>
-            </part>
-            <part name="guidance" id="ia-5.17_gdn">
-               <p>Biometric characteristics do not constitute secrets. Such characteristics can be obtained by online web accesses; taking a picture of someone with a camera phone to obtain facial images with or without their knowledge; lifting from objects that someone has touched, for example, a latent fingerprint; or capturing a high-resolution image, for example, an iris pattern. Presentation attack detection technologies including liveness detection, can mitigate the risk of these types of attacks by making it difficult to produce artifacts intended to defeat the biometric sensor.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-5.18">
-            <title>Password Managers</title>
-            <param id="ia-5.18_prm_1">
-               <label>organization-defined password managers</label>
-            </param>
-            <param id="ia-5.18_prm_2">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">IA-5(18)</prop>
-            <prop name="sort-id">IA-05(18)</prop>
-            <part name="statement" id="ia-5.18_smt">
-               <part name="item" id="ia-5.18_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employ <insert param-id="ia-5.18_prm_1"/> to generate and manage passwords; and</p>
-               </part>
-               <part name="item" id="ia-5.18_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Protect the passwords using <insert param-id="ia-5.18_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ia-5.18_gdn">
-               <p>For those systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for the various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords (see IA-5(1)d.) and storing the collection off-line in a token.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-6">
-         <title>Authenticator Feedback</title>
-         <prop name="label">IA-6</prop>
-         <prop name="sort-id">IA-06</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <part name="statement" id="ia-6_smt">
-            <p>Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.</p>
-         </part>
-         <part name="guidance" id="ia-6_gdn">
-            <p>Authenticator feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, for example, desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, for example, mobile devices with small displays, the threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before obscuring it.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-7">
-         <title>Cryptographic Module Authentication</title>
-         <prop name="label">IA-7</prop>
-         <prop name="sort-id">IA-07</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <part name="statement" id="ia-7_smt">
-            <p>Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.</p>
-         </part>
-         <part name="guidance" id="ia-7_gdn">
-            <p>Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-8">
-         <title>Identification and Authentication (non-organizational Users)</title>
-         <prop name="label">IA-8</prop>
-         <prop name="sort-id">IA-08</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#bb55e71a-e059-4263-8dd8-bc96fd3f063d">[SP 800-79-2]</link>
-         <link rel="reference" href="#ad7d575f-b5fe-489b-8d48-36a93d964a5f">[SP 800-116]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-14">AC-14</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-10">IA-10</link>
-         <link rel="related" href="#ia-11">IA-11</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <part name="statement" id="ia-8_smt">
-            <p>Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.</p>
-         </part>
-         <part name="guidance" id="ia-8_gdn">
-            <p>Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality in balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-8.1">
-            <title>Acceptance of PIV Credentials from Other Agencies</title>
-            <prop name="label">IA-8(1)</prop>
-            <prop name="sort-id">IA-08(01)</prop>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <part name="statement" id="ia-8.1_smt">
-               <p>Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.</p>
-            </part>
-            <part name="guidance" id="ia-8.1_gdn">
-               <p>Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2].</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.2">
-            <title>Acceptance of External Credentials</title>
-            <prop name="label">IA-8(2)</prop>
-            <prop name="sort-id">IA-08(02)</prop>
-            <part name="statement" id="ia-8.2_smt">
-               <p>Accept only external credentials that are NIST-compliant.</p>
-            </part>
-            <part name="guidance" id="ia-8.2_gdn">
-               <p>Acceptance of only NIST-compliant external credentials applies to organizational systems that are accessible to the public (e.g., public-facing websites). External credentials are those credentials issued by nonfederal government entities. External credentials are certified as compliant with [SP 800-63-3] by an approved accreditation authority. Approved external credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external credentials at their approved assurance levels.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.3">
-            <title>Use of Ficam-approved Products</title>
-            <prop name="label">IA-8(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-08(03)</prop>
-            <link rel="incorporated-into" href="#ia-8.2">IA-8(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.4">
-            <title>Use of Nist-issued Profiles</title>
-            <prop name="label">IA-8(4)</prop>
-            <prop name="sort-id">IA-08(04)</prop>
-            <part name="statement" id="ia-8.4_smt">
-               <p>Conform to NIST-issued profiles for identity management.</p>
-            </part>
-            <part name="guidance" id="ia-8.4_gdn">
-               <p>Conformance with NIST-issued profiles for identity management addresses open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the United States Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. The result is NIST-issued implementation profiles of approved protocols.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.5">
-            <title>Acceptance of PIV-I Credentials</title>
-            <param id="ia-8.5_prm_1">
-               <label>organization-defined policy</label>
-            </param>
-            <prop name="label">IA-8(5)</prop>
-            <prop name="sort-id">IA-08(05)</prop>
-            <part name="statement" id="ia-8.5_smt">
-               <p>Accept and verify federated or PKI credentials that meet <insert param-id="ia-8.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-8.5_gdn">
-               <p>This control enhancement can be implemented by PIV , PIV-I, and other commercial or external identity providers. Acceptance and verification of Personal Identity Verification (PIV)-I-compliant credentials applies to both logical and physical access control systems. Acceptance and verification of PIV-I credentials addresses nonfederal issuers of identity cards that desire to interoperate with United States Government PIV systems and that can be trusted by federal government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is commensurate with the PIV credentials as defined in cited references. PIV-I credentials are the credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified with the FBCA (directly or through another PKI bridge) with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-8.6">
-            <title>Disassociability</title>
-            <param id="ia-8.6_prm_1">
-               <label>organization-defined measures</label>
-            </param>
-            <prop name="label">IA-8(6)</prop>
-            <prop name="sort-id">IA-08(06)</prop>
-            <part name="statement" id="ia-8.6_smt">
-               <p>Implement the following measures to disassociate user attributes or credential assertion relationships among individuals, credential service providers, and relying parties: <insert param-id="ia-8.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-8.6_gdn">
-               <p>Federated identity solutions can create increased privacy risks due to tracking and profiling of individuals. Using identifier mapping tables or cryptographic techniques to blind credential service providers and relying parties from each other or to make identity attributes less visible to transmitting parties can reduce these privacy risks.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-9">
-         <title>Service Identification and Authentication</title>
-         <param id="ia-9_prm_1">
-            <label>organization-defined system services and applications</label>
-         </param>
-         <prop name="label">IA-9</prop>
-         <prop name="sort-id">IA-09</prop>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <part name="statement" id="ia-9_smt">
-            <p>Uniquely identify and authenticate <insert param-id="ia-9_prm_1"/> before establishing communications with devices, users, or other services or applications.</p>
-         </part>
-         <part name="guidance" id="ia-9_gdn">
-            <p>Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services/applications include information or code signing, provenance graphs, and/or electronic signatures indicating the sources of services. Decisions regarding the validation of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authenticators) are provided to the services that need to act on those decisions.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-9.1">
-            <title>Information Exchange</title>
-            <prop name="label">IA-9(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-09(01)</prop>
-            <link rel="incorporated-into" href="#ia-9">IA-9</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-9.2">
-            <title>Transmission of Decisions</title>
-            <prop name="label">IA-9(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IA-09(02)</prop>
-            <link rel="incorporated-into" href="#ia-9">IA-9</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="ia-10">
-         <title>Adaptive Authentication</title>
-         <param id="ia-10_prm_1">
-            <label>organization-defined supplemental authentication techniques or mechanisms</label>
-         </param>
-         <param id="ia-10_prm_2">
-            <label>organization-defined circumstances or situations</label>
-         </param>
-         <prop name="label">IA-10</prop>
-         <prop name="sort-id">IA-10</prop>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <part name="statement" id="ia-10_smt">
-            <p>Require individuals accessing the system to employ <insert param-id="ia-10_prm_1"/> under specific <insert param-id="ia-10_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="ia-10_gdn">
-            <p>Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior. Suspicious behavior may include accessing information that individuals do not typically access as part of their duties, roles, or responsibilities; accessing greater quantities of information than individuals would routinely access; or attempting to access information from suspicious network addresses. When pre-established conditions or triggers occur, organizations can require individuals to provide additional authentication information. Another potential use for adaptive authentication is to increase the strength of mechanism based on the number or types of records being accessed. Adaptive authentication does not replace and is not used to avoid the use of multifactor authentication mechanisms but can augment implementations of these controls.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-11">
-         <title>Re-authentication</title>
-         <param id="ia-11_prm_1">
-            <label>organization-defined circumstances or situations requiring re-authentication</label>
-         </param>
-         <prop name="label">IA-11</prop>
-         <prop name="sort-id">IA-11</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-11">AC-11</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <part name="statement" id="ia-11_smt">
-            <p>Require users to re-authenticate when <insert param-id="ia-11_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="ia-11_gdn">
-            <p>In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when authenticators or roles change; when security categories of systems change; when the execution of privileged functions occurs; after a fixed time-period; or periodically.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ia-12">
-         <title>Identity Proofing</title>
-         <prop name="label">IA-12</prop>
-         <prop name="sort-id">IA-12</prop>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#3c50fa31-7f4d-4d30-91d7-27ee87cd5f75">[SP 800-63A]</link>
-         <link rel="reference" href="#bb55e71a-e059-4263-8dd8-bc96fd3f063d">[SP 800-79-2]</link>
-         <link rel="related" href="#ia-1">IA-1</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-6">IA-6</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <part name="statement" id="ia-12_smt">
-            <part name="item" id="ia-12_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;</p>
-            </part>
-            <part name="item" id="ia-12_smt.b">
-               <prop name="label">b.</prop>
-               <p>Resolve user identities to a unique individual; and</p>
-            </part>
-            <part name="item" id="ia-12_smt.c">
-               <prop name="label">c.</prop>
-               <p>Collect, validate, and verify identity evidence.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ia-12_gdn">
-            <p>Identity proofing is the process of collecting, validating, and verifying user’s identity information for the purposes of issuing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3] and [SP 800-63A].</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ia-12.1">
-            <title>Supervisor Authorization</title>
-            <prop name="label">IA-12(1)</prop>
-            <prop name="sort-id">IA-12(01)</prop>
-            <part name="statement" id="ia-12.1_smt">
-               <p>Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.</p>
-            </part>
-            <part name="guidance" id="ia-12.1_gdn">
-               <p>Including supervisor or sponsor authorization as part of the registration process provides an additional level of scrutiny to ensure that the user’s management chain is aware of the account, the account is essential to carry out organizational missions and functions, and the user’s privileges are appropriate for the anticipated responsibilities and authorities within the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-12.2">
-            <title>Identity Evidence</title>
-            <prop name="label">IA-12(2)</prop>
-            <prop name="sort-id">IA-12(02)</prop>
-            <part name="statement" id="ia-12.2_smt">
-               <p>Require evidence of individual identification be presented to the registration authority.</p>
-            </part>
-            <part name="guidance" id="ia-12.2_gdn">
-               <p>Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risk to the systems, roles, and privileges associated with the user’s account.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-12.3">
-            <title>Identity Evidence Validation and Verification</title>
-            <param id="ia-12.3_prm_1">
-               <label>organizational defined methods of validation and verification</label>
-            </param>
-            <prop name="label">IA-12(3)</prop>
-            <prop name="sort-id">IA-12(03)</prop>
-            <part name="statement" id="ia-12.3_smt">
-               <p>Require that the presented identity evidence be validated and verified through <insert param-id="ia-12.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-12.3_gdn">
-               <p>Validating and verifying identity evidence increases the assurance that accounts, identifiers, and authenticators are being issued to the correct user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an actual person or individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risk to the systems, roles, and privileges associated with the users account</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-12.4">
-            <title>In-person Validation and Verification</title>
-            <prop name="label">IA-12(4)</prop>
-            <prop name="sort-id">IA-12(04)</prop>
-            <part name="statement" id="ia-12.4_smt">
-               <p>Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.</p>
-            </part>
-            <part name="guidance" id="ia-12.4_gdn">
-               <p>In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-12.5">
-            <title>Address Confirmation</title>
-            <param id="ia-12.5_prm_1">
-               <select>
-                  <choice>registration code</choice>
-                  <choice>notice of proofing</choice>
-               </select>
-            </param>
-            <prop name="label">IA-12(5)</prop>
-            <prop name="sort-id">IA-12(05)</prop>
-            <link rel="related" href="#ia-12">IA-12</link>
-            <part name="statement" id="ia-12.5_smt">
-               <p>Require that a <insert param-id="ia-12.5_prm_1"/> be delivered through an out-of-band channel to verify the users address (physical or digital) of record.</p>
-            </part>
-            <part name="guidance" id="ia-12.5_gdn">
-               <p>To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to increase assurance that the individual associated with an address of record is the same person that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts are obtained from records and not self-asserted by the user. The address can include a physical or a digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ia-12.6">
-            <title>Accept Externally-proofed Identities</title>
-            <param id="ia-12.6_prm_1">
-               <label>organization-defined identity assurance level</label>
-            </param>
-            <prop name="label">IA-12(6)</prop>
-            <prop name="sort-id">IA-12(06)</prop>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <part name="statement" id="ia-12.6_smt">
-               <p>Accept externally-proofed identities at <insert param-id="ia-12.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ia-12.6_gdn">
-               <p>To limit unnecessary re-proofing of identities, particularly of non-PIV users, organizations accept proofing conducted at a commensurate level of assurance by other agencies or organizations. Proofing is consistent with organizational security policy and with the identity assurance level appropriate for the system, application, or information accessed. Accepting externally-proofed identities is a fundamental component of managing federated identities across agencies and organizations.</p>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="ir">
-      <title>Incident Response</title>
-      <control class="SP800-53" id="ir-1">
-         <title>Policy and Procedures</title>
-         <param id="ir-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="ir-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="ir-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ir-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IR-1</prop>
-         <prop name="sort-id">IR-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#2e29c363-d5be-47ba-92f5-f8a58a69b65e">[SP 800-50]</link>
-         <link rel="reference" href="#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b">[SP 800-61]</link>
-         <link rel="reference" href="#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b">[SP 800-83]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ir-1_smt">
-            <part name="item" id="ir-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="ir-1_prm_1"/>:</p>
-               <part name="item" id="ir-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="ir-1_prm_2"/> incident response policy that:</p>
-                  <part name="item" id="ir-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="ir-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ir-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;</p>
-               </part>
-            </part>
-            <part name="item" id="ir-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="ir-1_prm_3"/> to manage the development, documentation, and dissemination of the incident response policy and procedures; and</p>
-            </part>
-            <part name="item" id="ir-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current incident response:</p>
-               <part name="item" id="ir-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="ir-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="ir-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="ir-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ir-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the IR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ir-2">
-         <title>Incident Response Training</title>
-         <param id="ir-2_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="ir-2_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">IR-2</prop>
-         <prop name="sort-id">IR-02</prop>
-         <link rel="reference" href="#2e29c363-d5be-47ba-92f5-f8a58a69b65e">[SP 800-50]</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#at-4">AT-4</link>
-         <link rel="related" href="#cp-3">CP-3</link>
-         <link rel="related" href="#ir-3">IR-3</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <part name="statement" id="ir-2_smt">
-            <p>Provide incident response training to system users consistent with assigned roles and responsibilities:</p>
-            <part name="item" id="ir-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Within <insert param-id="ir-2_prm_1"/> of assuming an incident response role or responsibility or acquiring system access;</p>
-            </part>
-            <part name="item" id="ir-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>When required by system changes; and</p>
-            </part>
-            <part name="item" id="ir-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>
-                  <insert param-id="ir-2_prm_2"/> thereafter.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ir-2_gdn">
-            <p>Incident response training is associated with assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and finally, incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-2.1">
-            <title>Simulated Events</title>
-            <prop name="label">IR-2(1)</prop>
-            <prop name="sort-id">IR-02(01)</prop>
-            <part name="statement" id="ir-2.1_smt">
-               <p>Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.</p>
-            </part>
-            <part name="guidance" id="ir-2.1_gdn">
-               <p>Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-2.2">
-            <title>Automated Training Environments</title>
-            <param id="ir-2.2_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">IR-2(2)</prop>
-            <prop name="sort-id">IR-02(02)</prop>
-            <part name="statement" id="ir-2.2_smt">
-               <p>Provide an incident response training environment using <insert param-id="ir-2.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-2.2_gdn">
-               <p>Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues; by selecting more realistic training scenarios and training environments; and by stressing the response capability.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-3">
-         <title>Incident Response Testing</title>
-         <param id="ir-3_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ir-3_prm_2">
-            <label>organization-defined tests</label>
-         </param>
-         <prop name="label">IR-3</prop>
-         <prop name="sort-id">IR-03</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#20bf433b-074c-47a0-8fca-cd591772ccd6">[SP 800-84]</link>
-         <link rel="reference" href="#a6b97214-55d4-4b86-a3a4-53d5911d96f7">[SP 800-115]</link>
-         <link rel="related" href="#cp-3">CP-3</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#ir-2">IR-2</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#pm-14">PM-14</link>
-         <part name="statement" id="ir-3_smt">
-            <p>Test the effectiveness of the incident response capability for the system <insert param-id="ir-3_prm_1"/> using the following tests: <insert param-id="ir-3_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="ir-3_gdn">
-            <p>Organizations test incident response capabilities to determine the effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations, organizational assets, and individuals due to incident response. Use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-3.1">
-            <title>Automated Testing</title>
-            <param id="ir-3.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">IR-3(1)</prop>
-            <prop name="sort-id">IR-03(01)</prop>
-            <part name="statement" id="ir-3.1_smt">
-               <p>Test the incident response capability using <insert param-id="ir-3.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-3.1_gdn">
-               <p>Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities. This can be accomplished by providing more complete coverage of incident response issues; by selecting more realistic test scenarios and test environments; and by stressing the response capability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-3.2">
-            <title>Coordination with Related Plans</title>
-            <prop name="label">IR-3(2)</prop>
-            <prop name="sort-id">IR-03(02)</prop>
-            <part name="statement" id="ir-3.2_smt">
-               <p>Coordinate incident response testing with organizational elements responsible for related plans.</p>
-            </part>
-            <part name="guidance" id="ir-3.2_gdn">
-               <p>Organizational plans related to incident response testing include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Contingency Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-3.3">
-            <title>Continuous Improvement</title>
-            <prop name="label">IR-3(3)</prop>
-            <prop name="sort-id">IR-03(03)</prop>
-            <part name="statement" id="ir-3.3_smt">
-               <p>Use qualitative and quantitative data from testing to:</p>
-               <part name="item" id="ir-3.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Determine the effectiveness of incident response processes;</p>
-               </part>
-               <part name="item" id="ir-3.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Continuously improve incident response processes; and</p>
-               </part>
-               <part name="item" id="ir-3.3_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ir-3.3_gdn">
-               <p>To help incident response activities function as intended, organizations may use metrics and evaluation criteria to assess incident response programs as part of an effort to continually improve response performance. These efforts facilitate improvement in incident response efficacy and lessen the impact of incidents.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-4">
-         <title>Incident Handling</title>
-         <prop name="label">IR-4</prop>
-         <prop name="sort-id">IR-04</prop>
-         <link rel="reference" href="#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b">[SP 800-61]</link>
-         <link rel="reference" href="#35dfd59f-eef2-4f71-bdb5-6d878267456a">[SP 800-86]</link>
-         <link rel="reference" href="#1e2c475a-84ae-4c60-b420-8fb2ea552b71">[SP 800-101]</link>
-         <link rel="reference" href="#ad3e8f21-07c6-4968-b002-00b64dfa70ae">[SP 800-150]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="reference" href="#08f518f7-f9b9-4bee-8986-860214f46b16">[SP 800-184]</link>
-         <link rel="reference" href="#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb">[IR 7559]</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-3">CP-3</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#ir-2">IR-2</link>
-         <link rel="related" href="#ir-3">IR-3</link>
-         <link rel="related" href="#ir-6">IR-6</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#ir-10">IR-10</link>
-         <link rel="related" href="#pe-6">PE-6</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="ir-4_smt">
-            <part name="item" id="ir-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;</p>
-            </part>
-            <part name="item" id="ir-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Coordinate incident handling activities with contingency planning activities;</p>
-            </part>
-            <part name="item" id="ir-4_smt.c">
-               <prop name="label">c.</prop>
-               <p>Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and</p>
-            </part>
-            <part name="item" id="ir-4_smt.d">
-               <prop name="label">d.</prop>
-               <p>Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ir-4_gdn">
-            <p>Organizations recognize that incident response capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive (function), operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. Suspected privacy incidents include a breach of personally identifiable information or the recognition that the processing of personally identifiable information creates potential privacy risk.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-4.1">
-            <title>Automated Incident Handling Processes</title>
-            <param id="ir-4.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">IR-4(1)</prop>
-            <prop name="sort-id">IR-04(01)</prop>
-            <part name="statement" id="ir-4.1_smt">
-               <p>Support the incident handling process using <insert param-id="ir-4.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-4.1_gdn">
-               <p>Automated mechanisms supporting incident handling processes include online incident management systems; and tools that support the collection of live response data, full network packet capture, and forensic analysis.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.2">
-            <title>Dynamic Reconfiguration</title>
-            <param id="ir-4.2_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="ir-4.2_prm_2">
-               <label>organization-defined types of dynamic reconfiguration</label>
-            </param>
-            <prop name="label">IR-4(2)</prop>
-            <prop name="sort-id">IR-04(02)</prop>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <part name="statement" id="ir-4.2_smt">
-               <p>Include the following types of dynamic reconfiguration for <insert param-id="ir-4.2_prm_1"/> as part of the incident response capability: <insert param-id="ir-4.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ir-4.2_gdn">
-               <p>Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations perform dynamic reconfiguration of systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.3">
-            <title>Continuity of Operations</title>
-            <param id="ir-4.3_prm_1">
-               <label>organization-defined classes of incidents</label>
-            </param>
-            <param id="ir-4.3_prm_2">
-               <label>organization-defined actions to take in response to classes of incidents</label>
-            </param>
-            <prop name="label">IR-4(3)</prop>
-            <prop name="sort-id">IR-04(03)</prop>
-            <part name="statement" id="ir-4.3_smt">
-               <p>Identify <insert param-id="ir-4.3_prm_1"/> and take the following actions in response to those incidents to ensure continuation of organizational missions and business functions: <insert param-id="ir-4.3_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ir-4.3_gdn">
-               <p>Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved for when systems are under attack. Organizations consider whether continuity of operations requirements during an incident conflict with the capability to automatically disable the system as specified as part of IR-4(5).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.4">
-            <title>Information Correlation</title>
-            <prop name="label">IR-4(4)</prop>
-            <prop name="sort-id">IR-04(04)</prop>
-            <part name="statement" id="ir-4.4_smt">
-               <p>Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.</p>
-            </part>
-            <part name="guidance" id="ir-4.4_gdn">
-               <p>Sometimes a threat event, for example, a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.5">
-            <title>Automatic Disabling of System</title>
-            <param id="ir-4.5_prm_1">
-               <label>organization-defined security violations</label>
-            </param>
-            <prop name="label">IR-4(5)</prop>
-            <prop name="sort-id">IR-04(05)</prop>
-            <part name="statement" id="ir-4.5_smt">
-               <p>Implement a configurable capability to automatically disable the system if <insert param-id="ir-4.5_prm_1"/> are detected.</p>
-            </part>
-            <part name="guidance" id="ir-4.5_gdn">
-               <p>Organizations consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of CP-2 or IR-4(3). Security violations include cyber-attacks that have compromised the integrity of the system or exfiltrated organizational information; serious errors in software programs that could adversely impact organizational missions or functions or jeopardize the safety of individuals.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.6">
-            <title>Insider Threats — Specific Capabilities</title>
-            <prop name="label">IR-4(6)</prop>
-            <prop name="sort-id">IR-04(06)</prop>
-            <part name="statement" id="ir-4.6_smt">
-               <p>Implement an incident handling capability for incidents involving insider threats.</p>
-            </part>
-            <part name="guidance" id="ir-4.6_gdn">
-               <p>While many organizations address insider threat incidents as part of their organizational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organizations) to provide appropriate and timely responses.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.7">
-            <title>Insider Threats — Intra-organization Coordination</title>
-            <param id="ir-4.7_prm_1">
-               <label>organization-defined entities</label>
-            </param>
-            <prop name="label">IR-4(7)</prop>
-            <prop name="sort-id">IR-04(07)</prop>
-            <part name="statement" id="ir-4.7_smt">
-               <p>Coordinate an incident handling capability for insider threats that includes the following organizational entities <insert param-id="ir-4.7_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-4.7_gdn">
-               <p>Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires coordination among many organizational entities, including mission or business owners, system owners, human resources offices, procurement offices, personnel offices, physical security offices, senior agency information security officer, operations personnel, risk executive (function), senior agency official for privacy, and legal counsel. In addition, organizations may require external support from federal, state, and local law enforcement agencies.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.8">
-            <title>Correlation with External Organizations</title>
-            <param id="ir-4.8_prm_1">
-               <label>organization-defined external organizations</label>
-            </param>
-            <param id="ir-4.8_prm_2">
-               <label>organization-defined incident information</label>
-            </param>
-            <prop name="label">IR-4(8)</prop>
-            <prop name="sort-id">IR-04(08)</prop>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#pm-16">PM-16</link>
-            <part name="statement" id="ir-4.8_smt">
-               <p>Coordinate with <insert param-id="ir-4.8_prm_1"/> to correlate and share <insert param-id="ir-4.8_prm_2"/> to achieve a cross-organization perspective on incident awareness and more effective incident responses.</p>
-            </part>
-            <part name="guidance" id="ir-4.8_gdn">
-               <p>The coordination of incident information with external organizations, including mission or business partners, military or coalition partners, customers, and developers, can provide significant benefits. Cross-organizational coordination can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization’s operations, assets, and individuals.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.9">
-            <title>Dynamic Response Capability</title>
-            <param id="ir-4.9_prm_1">
-               <label>organization-defined dynamic response capabilities</label>
-            </param>
-            <prop name="label">IR-4(9)</prop>
-            <prop name="sort-id">IR-04(09)</prop>
-            <part name="statement" id="ir-4.9_smt">
-               <p>Employ <insert param-id="ir-4.9_prm_1"/> to respond to incidents.</p>
-            </part>
-            <part name="guidance" id="ir-4.9_gdn">
-               <p>Dynamic response capability addresses the timely deployment of new or replacement organizational capabilities in response to incidents. This includes capabilities implemented at the mission and business process level and at the system level.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.10">
-            <title>Supply Chain Coordination</title>
-            <prop name="label">IR-4(10)</prop>
-            <prop name="sort-id">IR-04(10)</prop>
-            <link rel="related" href="#ca-3">CA-3</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <link rel="related" href="#sr-8">SR-8</link>
-            <part name="statement" id="ir-4.10_smt">
-               <p>Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.</p>
-            </part>
-            <part name="guidance" id="ir-4.10_gdn">
-               <p>Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities. Organizations consider including processes for protecting and sharing incident information in information exchange agreements.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.11">
-            <title>Integrated Incident Response Team</title>
-            <param id="ir-4.11_prm_1">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">IR-4(11)</prop>
-            <prop name="sort-id">IR-04(11)</prop>
-            <link rel="related" href="#at-3">AT-3</link>
-            <part name="statement" id="ir-4.11_smt">
-               <p>Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in <insert param-id="ir-4.11_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-4.11_gdn">
-               <p>An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and can implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations the incident response team can be a cross organizational entity.
-An integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators), to leverage team knowledge of the threat and to implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or to specific missions and business functions, and to define responsive actions in a way that does not disrupt those missions and business functions. Incident response teams can be distributed within organizations to make the capability resilient.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.12">
-            <title>Malicious Code and Forensic Analysis</title>
-            <param id="ir-4.12_prm_1">
-               <label>organization-defined residual artifacts</label>
-            </param>
-            <prop name="label">IR-4(12)</prop>
-            <prop name="sort-id">IR-04(12)</prop>
-            <part name="statement" id="ir-4.12_smt">
-               <p>Analyze [Selection (one or more): malicious code; <insert param-id="ir-4.12_prm_1"/> remaining in the system after the incident.</p>
-            </part>
-            <part name="guidance" id="ir-4.12_gdn">
-               <p>Analysis of malicious code and other residual artifacts of a security or privacy incident can give the organization insight into adversary tactics, techniques, and procedures. It can also indicate the identity or some defining characteristics of the adversary. Malicious code analysis can also help the organization develop responses to future incidents.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.13">
-            <title>Behavior Analysis</title>
-            <param id="ir-4.13_prm_1">
-               <label>organization-defined environments or resources</label>
-            </param>
-            <prop name="label">IR-4(13)</prop>
-            <prop name="sort-id">IR-04(13)</prop>
-            <part name="statement" id="ir-4.13_smt">
-               <p>Analyze anomalous or suspected adversarial behavior in or related to <insert param-id="ir-4.13_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-4.13_gdn">
-               <p>If the organization maintains a deception environment, analysis of behaviors in that environment, including resources targeted by the adversary and timing of the incident or event, can provide insight into adversarial tactics, techniques, and procedures. External to a deception environment, the analysis of anomalous adversarial behavior (e.g., changes in system performance or usage patterns) or suspected behavior (e.g., changes in searches for the location of specific resources) can give the organization such insight.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.14">
-            <title>Security Operations Center</title>
-            <prop name="label">IR-4(14)</prop>
-            <prop name="sort-id">IR-04(14)</prop>
-            <part name="statement" id="ir-4.14_smt">
-               <p>Establish and maintain a security operations center.</p>
-            </part>
-            <part name="guidance" id="ir-4.14_gdn">
-               <p>A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The organization staffs the SOC with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) and implements a combination of technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security-relevant event data from multiple sources. These sources include perimeter defenses, network devices (e.g., routers, switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC while smaller organizations may employ third-party organizations to provide such capability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-4.15">
-            <title>Publication Relations and Reputation Repair</title>
-            <prop name="label">IR-4(15)</prop>
-            <prop name="sort-id">IR-04(15)</prop>
-            <part name="statement" id="ir-4.15_smt">
-               <part name="item" id="ir-4.15_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Manage public relations associated with an incident; and</p>
-               </part>
-               <part name="item" id="ir-4.15_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Employ measures to repair the reputation of the organization.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ir-4.15_gdn">
-               <p>It is important for an organization to have a strategy in place for addressing incidents that have been brought to the attention of the general public and that have cast the organization in a negative light or affected the organization’s constituents (e.g., partners, customers). Such publicity can be extremely harmful to the organization and effect its ability to effectively carry out its missions and business functions. Taking proactive steps to repair the organization’s reputation is an essential aspect of reestablishing trust and confidence of its constituents.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-5">
-         <title>Incident Monitoring</title>
-         <prop name="label">IR-5</prop>
-         <prop name="sort-id">IR-05</prop>
-         <link rel="reference" href="#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b">[SP 800-61]</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#pe-6">PE-6</link>
-         <link rel="related" href="#pm-5">PM-5</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="ir-5_smt">
-            <p>Track and document security, privacy, and supply chain incidents.</p>
-         </part>
-         <part name="guidance" id="ir-5_gdn">
-            <p>Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics; and evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring; incident reports; incident response teams; user complaints; supply chain partners; audit monitoring; physical access monitoring; and user and administrator reports.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-5.1">
-            <title>Automated Tracking, Data Collection, and Analysis</title>
-            <param id="ir-5.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">IR-5(1)</prop>
-            <prop name="sort-id">IR-05(01)</prop>
-            <link rel="related" href="#au-7">AU-7</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <part name="statement" id="ir-5.1_smt">
-               <p>Track security and privacy incidents and collect and analyze incident information using <insert param-id="ir-5.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-5.1_gdn">
-               <p>Automated mechanisms for tracking incidents and for collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-6">
-         <title>Incident Reporting</title>
-         <param id="ir-6_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="ir-6_prm_2">
-            <label>organization-defined authorities</label>
-         </param>
-         <prop name="label">IR-6</prop>
-         <prop name="sort-id">IR-06</prop>
-         <link rel="reference" href="#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b">[SP 800-61]</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-5">IR-5</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <part name="statement" id="ir-6_smt">
-            <part name="item" id="ir-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Require personnel to report suspected security, privacy, and supply chain incidents to the organizational incident response capability within <insert param-id="ir-6_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="ir-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Report security, privacy, and supply chain incident information to <insert param-id="ir-6_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ir-6_gdn">
-            <p>The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-6.1">
-            <title>Automated Reporting</title>
-            <param id="ir-6.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">IR-6(1)</prop>
-            <prop name="sort-id">IR-06(01)</prop>
-            <link rel="related" href="#ir-7">IR-7</link>
-            <part name="statement" id="ir-6.1_smt">
-               <p>Report incidents using <insert param-id="ir-6.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-6.1_gdn">
-               <p>Reporting recipients are as specified in IR-6b. Automated reporting mechanisms include email, posting on web sites, and automated incident response tools and programs.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-6.2">
-            <title>Vulnerabilities Related to Incidents</title>
-            <param id="ir-6.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">IR-6(2)</prop>
-            <prop name="sort-id">IR-06(02)</prop>
-            <part name="statement" id="ir-6.2_smt">
-               <p>Report system vulnerabilities associated with reported incidents to <insert param-id="ir-6.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-6.2_gdn">
-               <p>Reported incidents that uncover system vulnerabilities are analyzed by organizational personnel including system owners; mission/business owners; senior agency information security officers; senior agency officials for privacy; authorizing officials; and the risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to address the discovered system vulnerability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-6.3">
-            <title>Supply Chain Coordination</title>
-            <prop name="label">IR-6(3)</prop>
-            <prop name="sort-id">IR-06(03)</prop>
-            <link rel="related" href="#sr-8">SR-8</link>
-            <part name="statement" id="ir-6.3_smt">
-               <p>Provide security and privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident.</p>
-            </part>
-            <part name="guidance" id="ir-6.3_gdn">
-               <p>Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents including the ability to improve processes or to identify the root cause of an incident.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-7">
-         <title>Incident Response Assistance</title>
-         <prop name="label">IR-7</prop>
-         <prop name="sort-id">IR-07</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#09ac1fdb-36a9-483f-a04c-5c1e1bf104fb">[IR 7559]</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-6">IR-6</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#pm-22">PM-22</link>
-         <link rel="related" href="#pm-26">PM-26</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#si-18">SI-18</link>
-         <part name="statement" id="ir-7_smt">
-            <p>Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of security, privacy, and supply chain incidents.</p>
-         </part>
-         <part name="guidance" id="ir-7_gdn">
-            <p>Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-7.1">
-            <title>Automation Support for Availability of Information and Support</title>
-            <param id="ir-7.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">IR-7(1)</prop>
-            <prop name="sort-id">IR-07(01)</prop>
-            <part name="statement" id="ir-7.1_smt">
-               <p>Increase the availability of incident response information and support using <insert param-id="ir-7.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-7.1_gdn">
-               <p>Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-7.2">
-            <title>Coordination with External Providers</title>
-            <prop name="label">IR-7(2)</prop>
-            <prop name="sort-id">IR-07(02)</prop>
-            <part name="statement" id="ir-7.2_smt">
-               <part name="item" id="ir-7.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and</p>
-               </part>
-               <part name="item" id="ir-7.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Identify organizational incident response team members to the external providers.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ir-7.2_gdn">
-               <p>External providers of a system protection capability include the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. It may be beneficial to have agreements in place with external providers to clarify the roles and responsibilities of each party before an incident occurs.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-8">
-         <title>Incident Response Plan</title>
-         <param id="ir-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-8_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ir-8_prm_3">
-            <label>organization-defined entities, personnel, or roles</label>
-         </param>
-         <param id="ir-8_prm_4">
-            <label>organization-defined incident response personnel (identified by name and/or by role) and organizational elements</label>
-         </param>
-         <param id="ir-8_prm_5">
-            <label>organization-defined incident response personnel (identified by name and/or by role) and organizational elements</label>
-         </param>
-         <prop name="label">IR-8</prop>
-         <prop name="sort-id">IR-08</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b">[SP 800-61]</link>
-         <link rel="reference" href="#389fe193-866e-46b1-bf1d-38904b56aa7b">[OMB M-17-12]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-7">IR-7</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <link rel="related" href="#pe-6">PE-6</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#sr-8">SR-8</link>
-         <part name="statement" id="ir-8_smt">
-            <part name="item" id="ir-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop an incident response plan that:</p>
-               <part name="item" id="ir-8_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Provides the organization with a roadmap for implementing its incident response capability;</p>
-               </part>
-               <part name="item" id="ir-8_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Describes the structure and organization of the incident response capability;</p>
-               </part>
-               <part name="item" id="ir-8_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Provides a high-level approach for how the incident response capability fits into the overall organization;</p>
-               </part>
-               <part name="item" id="ir-8_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;</p>
-               </part>
-               <part name="item" id="ir-8_smt.a.5">
-                  <prop name="label">5.</prop>
-                  <p>Defines reportable incidents;</p>
-               </part>
-               <part name="item" id="ir-8_smt.a.6">
-                  <prop name="label">6.</prop>
-                  <p>Provides metrics for measuring the incident response capability within the organization;</p>
-               </part>
-               <part name="item" id="ir-8_smt.a.7">
-                  <prop name="label">7.</prop>
-                  <p>Defines the resources and management support needed to effectively maintain and mature an incident response capability;</p>
-               </part>
-               <part name="item" id="ir-8_smt.a.8">
-                  <prop name="label">8.</prop>
-                  <p>Is reviewed and approved by <insert param-id="ir-8_prm_1"/>
-                     <insert param-id="ir-8_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="ir-8_smt.a.9">
-                  <prop name="label">9.</prop>
-                  <p>Explicitly designates responsibility for incident response to <insert param-id="ir-8_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="item" id="ir-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Distribute copies of the incident response plan to <insert param-id="ir-8_prm_4"/>;</p>
-            </part>
-            <part name="item" id="ir-8_smt.c">
-               <prop name="label">c.</prop>
-               <p>Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;</p>
-            </part>
-            <part name="item" id="ir-8_smt.d">
-               <prop name="label">d.</prop>
-               <p>Communicate incident response plan changes to <insert param-id="ir-8_prm_5"/>; and</p>
-            </part>
-            <part name="item" id="ir-8_smt.e">
-               <prop name="label">e.</prop>
-               <p>Protect the incident response plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ir-8_gdn">
-            <p>It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions and business functions help determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information, include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-8.1">
-            <title>Privacy Breaches</title>
-            <prop name="label">IR-8(1)</prop>
-            <prop name="sort-id">IR-08(01)</prop>
-            <link rel="related" href="#pt-1">PT-1</link>
-            <link rel="related" href="#pt-2">PT-2</link>
-            <link rel="related" href="#pt-3">PT-3</link>
-            <link rel="related" href="#pt-5">PT-5</link>
-            <link rel="related" href="#pt-6">PT-6</link>
-            <link rel="related" href="#pt-8">PT-8</link>
-            <part name="statement" id="ir-8.1_smt">
-               <p>Include the following in the Incident Response Plan for breaches involving personally identifiable information:</p>
-               <part name="item" id="ir-8.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;</p>
-               </part>
-               <part name="item" id="ir-8.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and</p>
-               </part>
-               <part name="item" id="ir-8.1_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Identification of applicable privacy requirements.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ir-8.1_gdn">
-               <p>Organizations may be required by law, regulation, or policy to follow specific procedures relating to privacy breaches, including notice to individuals, affected organizations, and oversight bodies, standards of harm, and mitigation or other specific requirements.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-9">
-         <title>Information Spillage Response</title>
-         <param id="ir-9_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-9_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ir-9_prm_3">
-            <label>organization-defined actions</label>
-         </param>
-         <prop name="label">IR-9</prop>
-         <prop name="sort-id">IR-09</prop>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#ir-6">IR-6</link>
-         <link rel="related" href="#pm-26">PM-26</link>
-         <link rel="related" href="#pm-27">PM-27</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <part name="statement" id="ir-9_smt">
-            <p>Respond to information spills by:</p>
-            <part name="item" id="ir-9_smt.a">
-               <prop name="label">a.</prop>
-               <p>Assigning <insert param-id="ir-9_prm_1"/> with responsibility for responding to information spills;</p>
-            </part>
-            <part name="item" id="ir-9_smt.b">
-               <prop name="label">b.</prop>
-               <p>Identifying the specific information involved in the system contamination;</p>
-            </part>
-            <part name="item" id="ir-9_smt.c">
-               <prop name="label">c.</prop>
-               <p>Alerting <insert param-id="ir-9_prm_2"/> of the information spill using a method of communication not associated with the spill;</p>
-            </part>
-            <part name="item" id="ir-9_smt.d">
-               <prop name="label">d.</prop>
-               <p>Isolating the contaminated system or system component;</p>
-            </part>
-            <part name="item" id="ir-9_smt.e">
-               <prop name="label">e.</prop>
-               <p>Eradicating the information from the contaminated system or component;</p>
-            </part>
-            <part name="item" id="ir-9_smt.f">
-               <prop name="label">f.</prop>
-               <p>Identifying other systems or system components that may have been subsequently contaminated; and</p>
-            </part>
-            <part name="item" id="ir-9_smt.g">
-               <prop name="label">g.</prop>
-               <p>Performing the following additional actions: <insert param-id="ir-9_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ir-9_gdn">
-            <p>Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of higher classification or impact level. At that point, corrective action is required. The nature of the response is based upon the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ir-9.1">
-            <title>Responsible Personnel</title>
-            <prop name="label">IR-9(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">IR-09(01)</prop>
-            <link rel="incorporated-into" href="#ir-9">IR-9</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.2">
-            <title>Training</title>
-            <param id="ir-9.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">IR-9(2)</prop>
-            <prop name="sort-id">IR-09(02)</prop>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#cp-3">CP-3</link>
-            <link rel="related" href="#ir-2">IR-2</link>
-            <part name="statement" id="ir-9.2_smt">
-               <p>Provide information spillage response training <insert param-id="ir-9.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-9.2_gdn">
-               <p>Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.3">
-            <title>Post-spill Operations</title>
-            <param id="ir-9.3_prm_1">
-               <label>organization-defined procedures</label>
-            </param>
-            <prop name="label">IR-9(3)</prop>
-            <prop name="sort-id">IR-09(03)</prop>
-            <part name="statement" id="ir-9.3_smt">
-               <p>Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: <insert param-id="ir-9.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-9.3_gdn">
-               <p>Correction actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ir-9.4">
-            <title>Exposure to Unauthorized Personnel</title>
-            <param id="ir-9.4_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">IR-9(4)</prop>
-            <prop name="sort-id">IR-09(04)</prop>
-            <part name="statement" id="ir-9.4_smt">
-               <p>Employ the following controls for personnel exposed to information not within assigned access authorizations: <insert param-id="ir-9.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ir-9.4_gdn">
-               <p>Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ir-10">
-         <title>Incident Analysis</title>
-         <prop name="label">IR-10</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">IR-10</prop>
-         <link rel="incorporated-into" href="#ir-4.11">IR-4(11)</link>
-      </control>
-   </group>
-   <group class="family" id="ma">
-      <title>Maintenance</title>
-      <control class="SP800-53" id="ma-1">
-         <title>Policy and Procedures</title>
-         <param id="ma-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="ma-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="ma-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ma-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">MA-1</prop>
-         <prop name="sort-id">MA-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ma-1_smt">
-            <part name="item" id="ma-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="ma-1_prm_1"/>:</p>
-               <part name="item" id="ma-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="ma-1_prm_2"/> maintenance policy that:</p>
-                  <part name="item" id="ma-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="ma-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ma-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;</p>
-               </part>
-            </part>
-            <part name="item" id="ma-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="ma-1_prm_3"/> to manage the development, documentation, and dissemination of the maintenance policy and procedures; and</p>
-            </part>
-            <part name="item" id="ma-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current maintenance:</p>
-               <part name="item" id="ma-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="ma-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="ma-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="ma-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ma-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the MA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ma-2">
-         <title>Controlled Maintenance</title>
-         <param id="ma-2_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ma-2_prm_2">
-            <label>organization-defined information</label>
-         </param>
-         <param id="ma-2_prm_3">
-            <label>organization-defined information</label>
-         </param>
-         <prop name="label">MA-2</prop>
-         <prop name="sort-id">MA-02</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#7e7538d7-9c3a-4e5f-bbb4-638cec975415">[IR 8023]</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#mp-6">MP-6</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="ma-2_smt">
-            <part name="item" id="ma-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Schedule, document, and review records of maintenance, repair, or replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
-            </part>
-            <part name="item" id="ma-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;</p>
-            </part>
-            <part name="item" id="ma-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Require that <insert param-id="ma-2_prm_1"/> explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;</p>
-            </part>
-            <part name="item" id="ma-2_smt.d">
-               <prop name="label">d.</prop>
-               <p>Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: <insert param-id="ma-2_prm_2"/>;</p>
-            </part>
-            <part name="item" id="ma-2_smt.e">
-               <prop name="label">e.</prop>
-               <p>Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and</p>
-            </part>
-            <part name="item" id="ma-2_smt.f">
-               <prop name="label">f.</prop>
-               <p>Include the following information in organizational maintenance records: <insert param-id="ma-2_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ma-2_gdn">
-            <p>Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced. Organizations consider supply chain issues associated with replacement components for systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-2.1">
-            <title>Record Content</title>
-            <prop name="label">MA-2(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MA-02(01)</prop>
-            <link rel="incorporated-into" href="#ma-2">MA-2</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-2.2">
-            <title>Automated Maintenance Activities</title>
-            <param id="ma-2.2_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">MA-2(2)</prop>
-            <prop name="sort-id">MA-02(02)</prop>
-            <link rel="related" href="#ma-3">MA-3</link>
-            <part name="statement" id="ma-2.2_smt">
-               <part name="item" id="ma-2.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Schedule, conduct, and document maintenance, repair, and replacement actions for the system using <insert param-id="ma-2.2_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="ma-2.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ma-2.2_gdn">
-               <p>The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-3">
-         <title>Maintenance Tools</title>
-         <param id="ma-3_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">MA-3</prop>
-         <prop name="sort-id">MA-03</prop>
-         <link rel="reference" href="#fed6a3b5-2b74-499f-9172-46671f7c24c8">[SP 800-88]</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <part name="statement" id="ma-3_smt">
-            <part name="item" id="ma-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Approve, control, and monitor the use of system maintenance tools; and</p>
-            </part>
-            <part name="item" id="ma-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review previously approved system maintenance tools <insert param-id="ma-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ma-3_gdn">
-            <p>Approving, controlling, monitoring, and reviewing maintenance tools are intended to address security-related issues associated with maintenance tools that are not within system boundaries but are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for approval of maintenance tools and how that approval is documented. Periodic review of maintenance tools facilitates withdrawal of the approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items. Such tools can be vehicles for transporting malicious code, intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support system maintenance and are a part of the system, including the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch, are not addressed by maintenance tools.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-3.1">
-            <title>Inspect Tools</title>
-            <prop name="label">MA-3(1)</prop>
-            <prop name="sort-id">MA-03(01)</prop>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="ma-3.1_smt">
-               <p>Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.</p>
-            </part>
-            <part name="guidance" id="ma-3.1_gdn">
-               <p>Maintenance tools can be brought into a facility directly by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.2">
-            <title>Inspect Media</title>
-            <prop name="label">MA-3(2)</prop>
-            <prop name="sort-id">MA-03(02)</prop>
-            <link rel="related" href="#si-3">SI-3</link>
-            <part name="statement" id="ma-3.2_smt">
-               <p>Check media containing diagnostic and test programs for malicious code before the media are used in the system.</p>
-            </part>
-            <part name="guidance" id="ma-3.2_gdn">
-               <p>If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.3">
-            <title>Prevent Unauthorized Removal</title>
-            <param id="ma-3.3_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">MA-3(3)</prop>
-            <prop name="sort-id">MA-03(03)</prop>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <part name="statement" id="ma-3.3_smt">
-               <p>Prevent the removal of maintenance equipment containing organizational information by:</p>
-               <part name="item" id="ma-3.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Verifying that there is no organizational information contained on the equipment;</p>
-               </part>
-               <part name="item" id="ma-3.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Sanitizing or destroying the equipment;</p>
-               </part>
-               <part name="item" id="ma-3.3_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Retaining the equipment within the facility; or</p>
-               </part>
-               <part name="item" id="ma-3.3_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Obtaining an exemption from <insert param-id="ma-3.3_prm_1"/> explicitly authorizing removal of the equipment from the facility.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ma-3.3_gdn">
-               <p>Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.4">
-            <title>Restricted Tool Use</title>
-            <prop name="label">MA-3(4)</prop>
-            <prop name="sort-id">MA-03(04)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="ma-3.4_smt">
-               <p>Restrict the use of maintenance tools to authorized personnel only.</p>
-            </part>
-            <part name="guidance" id="ma-3.4_gdn">
-               <p>This control enhancement applies to systems that are used to carry out maintenance functions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.5">
-            <title>Execution with Privilege</title>
-            <prop name="label">MA-3(5)</prop>
-            <prop name="sort-id">MA-03(05)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="ma-3.5_smt">
-               <p>Monitor the use of maintenance tools that execute with increased privilege.</p>
-            </part>
-            <part name="guidance" id="ma-3.5_gdn">
-               <p>Maintenance tools that execute with increased system privilege can result in unauthorized access to organizational information and assets that would otherwise be inaccessible.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-3.6">
-            <title>Software Updates and Patches</title>
-            <prop name="label">MA-3(6)</prop>
-            <prop name="sort-id">MA-03(06)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="ma-3.6_smt">
-               <p>Inspect maintenance tools to ensure the latest software updates and patches are installed.</p>
-            </part>
-            <part name="guidance" id="ma-3.6_gdn">
-               <p>Maintenance tools using outdated and/or unpatched software can provide a threat vector for adversaries and result in a significant vulnerability for organizations.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-4">
-         <title>Nonlocal Maintenance</title>
-         <prop name="label">MA-4</prop>
-         <prop name="sort-id">MA-04</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#bbc7085f-b383-444e-af74-722a55cccc0f">[FIPS 197]</link>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#fed6a3b5-2b74-499f-9172-46671f7c24c8">[SP 800-88]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-3">AU-3</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-10">SC-10</link>
-         <part name="statement" id="ma-4_smt">
-            <part name="item" id="ma-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Approve and monitor nonlocal maintenance and diagnostic activities;</p>
-            </part>
-            <part name="item" id="ma-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;</p>
-            </part>
-            <part name="item" id="ma-4_smt.c">
-               <prop name="label">c.</prop>
-               <p>Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;</p>
-            </part>
-            <part name="item" id="ma-4_smt.d">
-               <prop name="label">d.</prop>
-               <p>Maintain records for nonlocal maintenance and diagnostic activities; and</p>
-            </part>
-            <part name="item" id="ma-4_smt.e">
-               <prop name="label">e.</prop>
-               <p>Terminate session and network connections when nonlocal maintenance is completed.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ma-4_gdn">
-            <p>Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through a network, either an external network or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the system and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-4.1">
-            <title>Logging and Review</title>
-            <param id="ma-4.1_prm_1">
-               <label>organization-defined audit events</label>
-            </param>
-            <prop name="label">MA-4(1)</prop>
-            <prop name="sort-id">MA-04(01)</prop>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <part name="statement" id="ma-4.1_smt">
-               <part name="item" id="ma-4.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Log <insert param-id="ma-4.1_prm_1"/> for nonlocal maintenance and diagnostic sessions; and</p>
-               </part>
-               <part name="item" id="ma-4.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Review the audit records of the maintenance and diagnostic sessions.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ma-4.1_gdn">
-               <p>Audit logging for nonlocal maintenance is enforced by AU-2. Audit events are defined in AU-2a. The review of audit records of maintenance and diagnostic sessions is to detect anomalous behavior.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.2">
-            <title>Logically separated communications paths.</title>
-            <prop name="label">MA-4(2)</prop>
-            <prop name="sort-id">MA-04(02)</prop>
-            <part name="statement" id="ma-4.2_smt">
-               <p>Discussion:  Communications paths can be logically separated using encryption.</p>
-            </part>
-            <part name="guidance" id="ma-4.2_gdn"/>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.3">
-            <title>Comparable Security and Sanitization</title>
-            <prop name="label">MA-4(3)</prop>
-            <prop name="sort-id">MA-04(03)</prop>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="ma-4.3_smt">
-               <part name="item" id="ma-4.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or</p>
-               </part>
-               <part name="item" id="ma-4.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ma-4.3_gdn">
-               <p>Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.4">
-            <title>Authentication and Separation of Maintenance Sessions</title>
-            <param id="ma-4.4_prm_1">
-               <label>organization-defined authenticators that are replay resistant</label>
-            </param>
-            <prop name="label">MA-4(4)</prop>
-            <prop name="sort-id">MA-04(04)</prop>
-            <part name="statement" id="ma-4.4_smt">
-               <p>Protect nonlocal maintenance sessions by:</p>
-               <part name="item" id="ma-4.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employing <insert param-id="ma-4.4_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="ma-4.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Separating the maintenance sessions from other network sessions with the system by either:</p>
-                  <part name="item" id="ma-4.4_smt.b.1">
-                     <prop name="label">(1)</prop>
-                     <p>Physically separated communications paths; or</p>
-                  </part>
-               </part>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.5">
-            <title>Approvals and Notifications</title>
-            <param id="ma-4.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="ma-4.5_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">MA-4(5)</prop>
-            <prop name="sort-id">MA-04(05)</prop>
-            <part name="statement" id="ma-4.5_smt">
-               <part name="item" id="ma-4.5_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Require the approval of each nonlocal maintenance session by <insert param-id="ma-4.5_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="ma-4.5_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Notify the following personnel or roles of the date and time of planned nonlocal maintenance: <insert param-id="ma-4.5_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ma-4.5_gdn">
-               <p>Notification may be performed by maintenance personnel. Approval of nonlocal maintenance is accomplished by personnel with sufficient information security and system knowledge to determine the appropriateness of the proposed maintenance.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.6">
-            <title>Cryptographic Protection</title>
-            <param id="ma-4.6_prm_1">
-               <label>organization-defined cryptographic mechanisms</label>
-            </param>
-            <prop name="label">MA-4(6)</prop>
-            <prop name="sort-id">MA-04(06)</prop>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="ma-4.6_smt">
-               <p>Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: <insert param-id="ma-4.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ma-4.6_gdn">
-               <p>Failure to protect nonlocal maintenance and diagnostic communications can result in unauthorized individuals gaining access to sensitive organizational information. Unauthorized access during remote maintenance sessions can result in a variety of hostile actions including malicious code insertion, unauthorized changes to system parameters, and exfiltration of organizational information. Such actions can result in the loss or degradation of mission capability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-4.7">
-            <title>Disconnect Verification</title>
-            <prop name="label">MA-4(7)</prop>
-            <prop name="sort-id">MA-04(07)</prop>
-            <link rel="related" href="#ac-12">AC-12</link>
-            <part name="statement" id="ma-4.7_smt">
-               <p>Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.</p>
-            </part>
-            <part name="guidance" id="ma-4.7_gdn">
-               <p>This control enhancement ensures that connections established during nonlocal maintenance and diagnostic sessions have been terminated and are no longer available for use.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-5">
-         <title>Maintenance Personnel</title>
-         <prop name="label">MA-5</prop>
-         <prop name="sort-id">MA-05</prop>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-5">AC-5</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <part name="statement" id="ma-5_smt">
-            <part name="item" id="ma-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;</p>
-            </part>
-            <part name="item" id="ma-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and</p>
-            </part>
-            <part name="item" id="ma-5_smt.c">
-               <prop name="label">c.</prop>
-               <p>Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ma-5_gdn">
-            <p>Maintenance personnel refers to individuals performing hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time-periods.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-5.1">
-            <title>Individuals Without Appropriate Access</title>
-            <param id="ma-5.1_prm_1">
-               <label>organization-defined alternate controls</label>
-            </param>
-            <prop name="label">MA-5(1)</prop>
-            <prop name="sort-id">MA-05(01)</prop>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <part name="statement" id="ma-5.1_smt">
-               <part name="item" id="ma-5.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:</p>
-                  <part name="item" id="ma-5.1_smt.a.1">
-                     <prop name="label">(1)</prop>
-                     <p>Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;</p>
-                  </part>
-                  <part name="item" id="ma-5.1_smt.a.2">
-                     <prop name="label">(2)</prop>
-                     <p>Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ma-5.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Develop and implement <insert param-id="ma-5.1_prm_1"/> in the event a system component cannot be sanitized, removed, or disconnected from the system.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ma-5.1_gdn">
-               <p>Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-5.2">
-            <title>Security Clearances for Classified Systems</title>
-            <prop name="label">MA-5(2)</prop>
-            <prop name="sort-id">MA-05(02)</prop>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <part name="statement" id="ma-5.2_smt">
-               <p>Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system.</p>
-            </part>
-            <part name="guidance" id="ma-5.2_gdn">
-               <p>Personnel conducting maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. To mitigate the inherent risk of such exposure, organizations use maintenance personnel that are cleared (i.e., possess security clearances) to the classification level of the information stored on the system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-5.3">
-            <title>Citizenship Requirements for Classified Systems</title>
-            <prop name="label">MA-5(3)</prop>
-            <prop name="sort-id">MA-05(03)</prop>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <part name="statement" id="ma-5.3_smt">
-               <p>Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.</p>
-            </part>
-            <part name="guidance" id="ma-5.3_gdn">
-               <p>Personnel conducting maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. If access to classified information on organizational systems is restricted to U. S. citizens, the same restriction is applied to personnel performing maintenance on those systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-5.4">
-            <title>Foreign Nationals</title>
-            <prop name="label">MA-5(4)</prop>
-            <prop name="sort-id">MA-05(04)</prop>
-            <link rel="related" href="#ps-3">PS-3</link>
-            <part name="statement" id="ma-5.4_smt">
-               <p>Verify that:</p>
-               <part name="item" id="ma-5.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and</p>
-               </part>
-               <part name="item" id="ma-5.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ma-5.4_gdn">
-               <p>Personnel conducting maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. To mitigate the inherent risk of such exposure, organizations use maintenance personnel that are cleared (i.e., possess security clearances) to the classification level of the information stored on the system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-5.5">
-            <title>Non-system Maintenance</title>
-            <prop name="label">MA-5(5)</prop>
-            <prop name="sort-id">MA-05(05)</prop>
-            <part name="statement" id="ma-5.5_smt">
-               <p>Verify that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.</p>
-            </part>
-            <part name="guidance" id="ma-5.5_gdn">
-               <p>Personnel performing maintenance activities in other capacities not directly related to the system include physical plant personnel and custodial personnel.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-6">
-         <title>Timely Maintenance</title>
-         <param id="ma-6_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <param id="ma-6_prm_2">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">MA-6</prop>
-         <prop name="sort-id">MA-06</prop>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <part name="statement" id="ma-6_smt">
-            <p>Obtain maintenance support and/or spare parts for <insert param-id="ma-6_prm_1"/> within <insert param-id="ma-6_prm_2"/> of failure.</p>
-         </part>
-         <part name="guidance" id="ma-6_gdn">
-            <p>Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ma-6.1">
-            <title>Preventive Maintenance</title>
-            <param id="ma-6.1_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="ma-6.1_prm_2">
-               <label>organization-defined time intervals</label>
-            </param>
-            <prop name="label">MA-6(1)</prop>
-            <prop name="sort-id">MA-06(01)</prop>
-            <part name="statement" id="ma-6.1_smt">
-               <p>Perform preventive maintenance on <insert param-id="ma-6.1_prm_1"/> at <insert param-id="ma-6.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ma-6.1_gdn">
-               <p>Preventive maintenance includes proactive care and the servicing of system components to maintain organizational equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid or mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they fail. Methods of determining what preventive (or other) failure management policies to apply include original equipment manufacturer recommendations; statistical failure records; expert opinion; maintenance that has already been conducted on similar equipment; requirements of codes, laws, or regulations within a jurisdiction; or measured values and performance indications.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-6.2">
-            <title>Predictive Maintenance</title>
-            <param id="ma-6.2_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="ma-6.2_prm_2">
-               <label>organization-defined time intervals</label>
-            </param>
-            <prop name="label">MA-6(2)</prop>
-            <prop name="sort-id">MA-06(02)</prop>
-            <part name="statement" id="ma-6.2_smt">
-               <p>Perform predictive maintenance on <insert param-id="ma-6.2_prm_1"/> at <insert param-id="ma-6.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ma-6.2_gdn">
-               <p>Predictive maintenance evaluates the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the objective of predicting the future trend of the equipment's condition. The predictive maintenance approach employs principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thus, minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ma-6.3">
-            <title>Automated Support for Predictive Maintenance</title>
-            <param id="ma-6.3_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">MA-6(3)</prop>
-            <prop name="sort-id">MA-06(03)</prop>
-            <part name="statement" id="ma-6.3_smt">
-               <p>Transfer predictive maintenance data to a maintenance management system using <insert param-id="ma-6.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ma-6.3_gdn">
-               <p>A computerized maintenance management system maintains a database of information about the maintenance operations of organizations and automates processing equipment condition data to trigger maintenance planning, execution, and reporting.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ma-7">
-         <title>Field Maintenance</title>
-         <param id="ma-7_prm_1">
-            <label>organization-defined systems or system components</label>
-         </param>
-         <param id="ma-7_prm_2">
-            <label>organization-defined trusted maintenance facilities</label>
-         </param>
-         <prop name="label">MA-7</prop>
-         <prop name="sort-id">MA-07</prop>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <part name="statement" id="ma-7_smt">
-            <p>Restrict or prohibit field maintenance on <insert param-id="ma-7_prm_1"/> to <insert param-id="ma-7_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="ma-7_gdn">
-            <p>Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigor or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="mp">
-      <title>Media Protection</title>
-      <control class="SP800-53" id="mp-1">
-         <title>Policy and Procedures</title>
-         <param id="mp-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="mp-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="mp-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="mp-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="mp-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">MP-1</prop>
-         <prop name="sort-id">MP-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="mp-1_smt">
-            <part name="item" id="mp-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="mp-1_prm_1"/>:</p>
-               <part name="item" id="mp-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="mp-1_prm_2"/> media protection policy that:</p>
-                  <part name="item" id="mp-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="mp-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="mp-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;</p>
-               </part>
-            </part>
-            <part name="item" id="mp-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="mp-1_prm_3"/> to manage the development, documentation, and dissemination of the media protection policy and procedures; and</p>
-            </part>
-            <part name="item" id="mp-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current media protection:</p>
-               <part name="item" id="mp-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="mp-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="mp-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="mp-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="mp-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the MP family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-2">
-         <title>Media Access</title>
-         <param id="mp-2_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-         </param>
-         <param id="mp-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">MP-2</prop>
-         <prop name="sort-id">MP-02</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#1b14b50f-7154-4226-958c-7dfff8276755">[SP 800-111]</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-6">MP-6</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="mp-2_smt">
-            <p>Restrict access to <insert param-id="mp-2_prm_1"/> to <insert param-id="mp-2_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="mp-2_gdn">
-            <p>System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact disks in the media library to individuals on the system development team is an example of restricting access to digital media.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-2.1">
-            <title>Automated Restricted Access</title>
-            <prop name="label">MP-2(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-02(01)</prop>
-            <link rel="incorporated-into" href="#mp-4.2">MP-4(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-2.2">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MP-2(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-02(02)</prop>
-            <link rel="incorporated-into" href="#sc-28.1">SC-28(1)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-3">
-         <title>Media Marking</title>
-         <param id="mp-3_prm_1">
-            <label>organization-defined types of system media</label>
-         </param>
-         <param id="mp-3_prm_2">
-            <label>organization-defined controlled areas</label>
-         </param>
-         <prop name="label">MP-3</prop>
-         <prop name="sort-id">MP-03</prop>
-         <link rel="reference" href="#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc">[32 CFR 2002]</link>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#pe-22">PE-22</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="mp-3_smt">
-            <part name="item" id="mp-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and</p>
-            </part>
-            <part name="item" id="mp-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Exempt <insert param-id="mp-3_prm_1"/> from marking if the media remain within <insert param-id="mp-3_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="mp-3_gdn">
-            <p>Security marking refers to the application or use of human-readable security attributes. Security labeling refers to the application or use of security attributes regarding internal data structures within systems. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="mp-4">
-         <title>Media Storage</title>
-         <param id="mp-4_prm_1">
-            <label>organization-defined types of digital and/or non-digital media</label>
-         </param>
-         <param id="mp-4_prm_2">
-            <label>organization-defined controlled areas</label>
-         </param>
-         <prop name="label">MP-4</prop>
-         <prop name="sort-id">MP-04</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#77dc1838-3664-4faa-bc6e-4e2a16e52f35">[SP 800-56A]</link>
-         <link rel="reference" href="#f417e4ec-cadb-47a8-a363-6006b32c28ad">[SP 800-56B]</link>
-         <link rel="reference" href="#7c3ba335-62bd-4f03-888f-960790409b11">[SP 800-56C]</link>
-         <link rel="reference" href="#770f9bdc-4023-48ef-8206-c65397f061ea">[SP 800-57-1]</link>
-         <link rel="reference" href="#69644a9e-438a-47c3-bac9-cf28b5baf848">[SP 800-57-2]</link>
-         <link rel="reference" href="#9933c883-e8f3-4a83-9a9a-d1e058038080">[SP 800-57-3]</link>
-         <link rel="reference" href="#1b14b50f-7154-4226-958c-7dfff8276755">[SP 800-111]</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-6">CP-6</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#mp-7">MP-7</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="mp-4_smt">
-            <part name="item" id="mp-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Physically control and securely store <insert param-id="mp-4_prm_1"/> within <insert param-id="mp-4_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="mp-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.</p>
-            </part>
-         </part>
-         <part name="guidance" id="mp-4_gdn">
-            <p>System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state, magnetic), compact disks, and digital video disks. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet; or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. For media containing information determined to be in the public domain, to be publicly releasable, or to have limited adverse impact on organizations, operations, or individuals if accessed by other than authorized personnel, fewer controls may be needed. In these situations, physical access controls provide adequate protection.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-4.1">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MP-4(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-04(01)</prop>
-            <link rel="incorporated-into" href="#sc-28.1">SC-28(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-4.2">
-            <title>Automated Restricted Access</title>
-            <param id="mp-4.2_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">MP-4(2)</prop>
-            <prop name="sort-id">MP-04(02)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#pe-3">PE-3</link>
-            <part name="statement" id="mp-4.2_smt">
-               <p>Restrict access to media storage areas, log access attempts, and access granted using <insert param-id="mp-4.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="mp-4.2_gdn">
-               <p>Automated mechanisms include keypads or card readers on the external entries to media storage areas.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-5">
-         <title>Media Transport</title>
-         <param id="mp-5_prm_1">
-            <label>organization-defined types of system media</label>
-         </param>
-         <param id="mp-5_prm_2">
-            <label>organization-defined controls</label>
-         </param>
-         <prop name="label">MP-5</prop>
-         <prop name="sort-id">MP-05</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="related" href="#ac-7">AC-7</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#mp-3">MP-3</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <part name="statement" id="mp-5_smt">
-            <part name="item" id="mp-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Protect and control <insert param-id="mp-5_prm_1"/> during transport outside of controlled areas using <insert param-id="mp-5_prm_2"/>;</p>
-            </part>
-            <part name="item" id="mp-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Maintain accountability for system media during transport outside of controlled areas;</p>
-            </part>
-            <part name="item" id="mp-5_smt.c">
-               <prop name="label">c.</prop>
-               <p>Document activities associated with the transport of system media; and</p>
-            </part>
-            <part name="item" id="mp-5_smt.d">
-               <prop name="label">d.</prop>
-               <p>Restrict the activities associated with the transport of system media to authorized personnel.</p>
-            </part>
-         </part>
-         <part name="guidance" id="mp-5_gdn">
-            <p>System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (solid state and  magnetic), compact disks, and digital video disks. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel, and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-5.1">
-            <title>Protection Outside of Controlled Areas</title>
-            <prop name="label">MP-5(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-05(01)</prop>
-            <link rel="incorporated-into" href="#mp-5">MP-5</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-5.2">
-            <title>Documentation of Activities</title>
-            <prop name="label">MP-5(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-05(02)</prop>
-            <link rel="incorporated-into" href="#mp-5">MP-5</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-5.3">
-            <title>Custodians</title>
-            <prop name="label">MP-5(3)</prop>
-            <prop name="sort-id">MP-05(03)</prop>
-            <part name="statement" id="mp-5.3_smt">
-               <p>Employ an identified custodian during transport of system media outside of controlled areas.</p>
-            </part>
-            <part name="guidance" id="mp-5.3_gdn">
-               <p>Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another if an unambiguous custodian is identified.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-5.4">
-            <title>Cryptographic Protection</title>
-            <prop name="label">MP-5(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-05(04)</prop>
-            <link rel="incorporated-into" href="#sc-28.1">SC-28(1)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-6">
-         <title>Media Sanitization</title>
-         <param id="mp-6_prm_1">
-            <label>organization-defined system media</label>
-         </param>
-         <param id="mp-6_prm_2">
-            <label>organization-defined sanitization techniques and procedures</label>
-         </param>
-         <prop name="label">MP-6</prop>
-         <prop name="sort-id">MP-06</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="reference" href="#fed6a3b5-2b74-499f-9172-46671f7c24c8">[SP 800-88]</link>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="reference" href="#7e7538d7-9c3a-4e5f-bbb4-638cec975415">[IR 8023]</link>
-         <link rel="reference" href="#a52271dc-11b5-423a-8b6f-14867bd94259">[NSA MEDIA]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-7">AC-7</link>
-         <link rel="related" href="#au-11">AU-11</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#pm-22">PM-22</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#si-18">SI-18</link>
-         <link rel="related" href="#si-19">SI-19</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="mp-6_smt">
-            <part name="item" id="mp-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Sanitize <insert param-id="mp-6_prm_1"/> prior to disposal, release out of organizational control, or release for reuse using <insert param-id="mp-6_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="mp-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.</p>
-            </part>
-         </part>
-         <part name="guidance" id="mp-6_gdn">
-            <p>Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media such as paper and microfilm. The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NARA policies controls the sanitization process for controlled unclassified information. NSA standards and policies control the sanitization process for media containing classified information.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-6.1">
-            <title>Review, Approve, Track, Document, and Verify</title>
-            <prop name="label">MP-6(1)</prop>
-            <prop name="sort-id">MP-06(01)</prop>
-            <part name="statement" id="mp-6.1_smt">
-               <p>Review, approve, track, document, and verify media sanitization and disposal actions.</p>
-            </part>
-            <part name="guidance" id="mp-6.1_gdn">
-               <p>Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions; types of media sanitized; files stored on the media; sanitization methods used; date and time of the sanitization actions; personnel who performed the sanitization; verification actions taken and personnel who performed the verification; and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.2">
-            <title>Equipment Testing</title>
-            <param id="mp-6.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">MP-6(2)</prop>
-            <prop name="sort-id">MP-06(02)</prop>
-            <part name="statement" id="mp-6.2_smt">
-               <p>Test sanitization equipment and procedures <insert param-id="mp-6.2_prm_1"/> to verify that the intended sanitization is being achieved.</p>
-            </part>
-            <part name="guidance" id="mp-6.2_gdn">
-               <p>Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.3">
-            <title>Nondestructive Techniques</title>
-            <param id="mp-6.3_prm_1">
-               <label>organization-defined circumstances requiring sanitization of portable storage devices</label>
-            </param>
-            <prop name="label">MP-6(3)</prop>
-            <prop name="sort-id">MP-06(03)</prop>
-            <part name="statement" id="mp-6.3_smt">
-               <p>Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: <insert param-id="mp-6.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="mp-6.3_gdn">
-               <p>Portable storage devices include external or removable hard disk drives (solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and can contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.4">
-            <title>Controlled Unclassified Information</title>
-            <prop name="label">MP-6(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-06(04)</prop>
-            <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.5">
-            <title>Classified Information</title>
-            <prop name="label">MP-6(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-06(05)</prop>
-            <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.6">
-            <title>Media Destruction</title>
-            <prop name="label">MP-6(6)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-06(06)</prop>
-            <link rel="incorporated-into" href="#mp-6">MP-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.7">
-            <title>Dual Authorization</title>
-            <param id="mp-6.7_prm_1">
-               <label>organization-defined system media</label>
-            </param>
-            <prop name="label">MP-6(7)</prop>
-            <prop name="sort-id">MP-06(07)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <part name="statement" id="mp-6.7_smt">
-               <p>Enforce dual authorization for the sanitization of <insert param-id="mp-6.7_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="mp-6.7_gdn">
-               <p>Organizations employ dual authorization to help ensure that system media sanitization cannot occur unless two technically qualified individuals conduct the designated task. Individuals sanitizing system media possess sufficient skills and expertise to determine if the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, both protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-6.8">
-            <title>Remote Purging or Wiping of Information</title>
-            <param id="mp-6.8_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <param id="mp-6.8_prm_2">
-               <select>
-                  <choice>remotely</choice>
-                  <choice>under the following conditions: <insert param-id="mp-6.8_prm_3"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="mp-6.8_prm_3" depends-on="mp-6.8_prm_2">
-               <label>organization-defined conditions</label>
-            </param>
-            <prop name="label">MP-6(8)</prop>
-            <prop name="sort-id">MP-06(08)</prop>
-            <part name="statement" id="mp-6.8_smt">
-               <p>Provide the capability to purge or wipe information from <insert param-id="mp-6.8_prm_1"/>
-                  <insert param-id="mp-6.8_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="mp-6.8_gdn">
-               <p>Remote purging or wiping of information protects information on organizational systems and system components if systems or components are obtained by unauthorized individuals. Remote purge or wipe commands require strong authentication to help mitigate the risk of unauthorized individuals purging or wiping the system, component, or device. The purge or wipe function can be implemented in a variety of ways, including by overwriting data or information multiple times or by destroying the key necessary to decrypt encrypted data.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-7">
-         <title>Media Use</title>
-         <param id="mp-7_prm_1">
-            <select>
-               <choice>Restrict</choice>
-               <choice>Prohibit</choice>
-            </select>
-         </param>
-         <param id="mp-7_prm_2">
-            <label>organization-defined types of system media</label>
-         </param>
-         <param id="mp-7_prm_3">
-            <label>organization-defined systems or system components</label>
-         </param>
-         <param id="mp-7_prm_4">
-            <label>organization-defined controls</label>
-         </param>
-         <prop name="label">MP-7</prop>
-         <prop name="sort-id">MP-07</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#1b14b50f-7154-4226-958c-7dfff8276755">[SP 800-111]</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#sc-41">SC-41</link>
-         <part name="statement" id="mp-7_smt">
-            <part name="item" id="mp-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>
-                  <insert param-id="mp-7_prm_1"/> the use of <insert param-id="mp-7_prm_2"/> on <insert param-id="mp-7_prm_3"/> using <insert param-id="mp-7_prm_4"/>; and</p>
-            </part>
-            <part name="item" id="mp-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.</p>
-            </part>
-         </part>
-         <part name="guidance" id="mp-7_gdn">
-            <p>System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact disks, digital video disks, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capability. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-7.1">
-            <title>Prohibit Use Without Owner</title>
-            <prop name="label">MP-7(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">MP-07(01)</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-7.2">
-            <title>Prohibit Use of Sanitization-resistant Media</title>
-            <prop name="label">MP-7(2)</prop>
-            <prop name="sort-id">MP-07(02)</prop>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <part name="statement" id="mp-7.2_smt">
-               <p>Prohibit the use of sanitization-resistant media in organizational systems.</p>
-            </part>
-            <part name="guidance" id="mp-7.2_gdn">
-               <p>Sanitization-resistance refers to non-destructive sanitization techniques and applies to the capability to purge information from media. Certain types of media do not support sanitization commands, or if supported, the interfaces are not supported in a standardized way across these devices. Sanitization-resistant media include compact flash, embedded flash on boards and devices, solid state drives, and USB removable media.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="mp-8">
-         <title>Media Downgrading</title>
-         <param id="mp-8_prm_1">
-            <label>organization-defined system media downgrading process</label>
-         </param>
-         <param id="mp-8_prm_2">
-            <label>organization-defined system media requiring downgrading</label>
-         </param>
-         <prop name="label">MP-8</prop>
-         <prop name="sort-id">MP-08</prop>
-         <part name="statement" id="mp-8_smt">
-            <part name="item" id="mp-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish <insert param-id="mp-8_prm_1"/> that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;</p>
-            </part>
-            <part name="item" id="mp-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;</p>
-            </part>
-            <part name="item" id="mp-8_smt.c">
-               <prop name="label">c.</prop>
-               <p>Identify <insert param-id="mp-8_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="mp-8_smt.d">
-               <prop name="label">d.</prop>
-               <p>Downgrade the identified system media using the established process.</p>
-            </part>
-         </part>
-         <part name="guidance" id="mp-8_gdn">
-            <p>Media downgrading applies to digital and non-digital media, subject to release outside the organization, whether the media is considered removable or not removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading also ensures that empty space on the media is devoid of information.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="mp-8.1">
-            <title>Documentation of Process</title>
-            <prop name="label">MP-8(1)</prop>
-            <prop name="sort-id">MP-08(01)</prop>
-            <part name="statement" id="mp-8.1_smt">
-               <p>Document system media downgrading actions.</p>
-            </part>
-            <part name="guidance" id="mp-8.1_gdn">
-               <p>Organizations can document the media downgrading process by providing information such as the downgrading technique employed, the identification number of the downgraded media, and the identity of the individual that authorized and/or performed the downgrading action.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-8.2">
-            <title>Equipment Testing</title>
-            <param id="mp-8.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">MP-8(2)</prop>
-            <prop name="sort-id">MP-08(02)</prop>
-            <part name="statement" id="mp-8.2_smt">
-               <p>Test downgrading equipment and procedures <insert param-id="mp-8.2_prm_1"/> to verify that downgrading actions are being achieved.</p>
-            </part>
-            <part name="guidance" id="mp-8.2_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-8.3">
-            <title>Controlled Unclassified Information</title>
-            <prop name="label">MP-8(3)</prop>
-            <prop name="sort-id">MP-08(03)</prop>
-            <part name="statement" id="mp-8.3_smt">
-               <p>Downgrade system media containing controlled unclassified information prior to public release.</p>
-            </part>
-            <part name="guidance" id="mp-8.3_gdn">
-               <p>Downgrading of controlled unclassified information uses approved sanitization tools, techniques, and procedures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="mp-8.4">
-            <title>Classified Information</title>
-            <prop name="label">MP-8(4)</prop>
-            <prop name="sort-id">MP-08(04)</prop>
-            <part name="statement" id="mp-8.4_smt">
-               <p>Downgrade system media containing classified information prior to release to individuals without required access authorizations.</p>
-            </part>
-            <part name="guidance" id="mp-8.4_gdn">
-               <p>Downgrading of classified information uses approved sanitization tools, techniques, and procedures to transfer information confirmed to be unclassified from classified systems to unclassified media.</p>
-            </part>
-         </control>
-      </control>
-   </group>
-   <group class="family" id="pe">
-      <title>Physical and Environmental Protection</title>
-      <control class="SP800-53" id="pe-1">
-         <title>Policy and Procedures</title>
-         <param id="pe-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pe-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="pe-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="pe-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pe-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-1</prop>
-         <prop name="sort-id">PE-01</prop>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="pe-1_smt">
-            <part name="item" id="pe-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="pe-1_prm_1"/>:</p>
-               <part name="item" id="pe-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="pe-1_prm_2"/> physical and environmental protection policy that:</p>
-                  <part name="item" id="pe-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="pe-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="pe-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;</p>
-               </part>
-            </part>
-            <part name="item" id="pe-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="pe-1_prm_3"/> to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and</p>
-            </part>
-            <part name="item" id="pe-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current physical and environmental protection:</p>
-               <part name="item" id="pe-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="pe-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="pe-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="pe-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="pe-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the PE family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-2">
-         <title>Physical Access Authorizations</title>
-         <param id="pe-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-2</prop>
-         <prop name="sort-id">PE-02</prop>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#3d6b3a16-94e7-4a43-8648-8bdeaadb271b">[SP 800-73-4]</link>
-         <link rel="reference" href="#d5ef0056-c807-44c3-a7b5-6eb491538f8e">[SP 800-76-2]</link>
-         <link rel="reference" href="#013e098f-0680-4856-a130-b768c69dab9c">[SP 800-78-4]</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-4">PE-4</link>
-         <link rel="related" href="#pe-5">PE-5</link>
-         <link rel="related" href="#pe-8">PE-8</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#ps-4">PS-4</link>
-         <link rel="related" href="#ps-5">PS-5</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <part name="statement" id="pe-2_smt">
-            <part name="item" id="pe-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;</p>
-            </part>
-            <part name="item" id="pe-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Issue authorization credentials for facility access;</p>
-            </part>
-            <part name="item" id="pe-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review the access list detailing authorized facility access by individuals <insert param-id="pe-2_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="pe-2_smt.d">
-               <prop name="label">d.</prop>
-               <p>Remove individuals from the facility access list when access is no longer required.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-2_gdn">
-            <p>Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include biometrics, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations are not necessary to access areas within facilities that are designated as publicly accessible.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-2.1">
-            <title>Access by Position or Role</title>
-            <prop name="label">PE-2(1)</prop>
-            <prop name="sort-id">PE-02(01)</prop>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="pe-2.1_smt">
-               <p>Authorize physical access to the facility where the system resides based on position or role.</p>
-            </part>
-            <part name="guidance" id="pe-2.1_gdn">
-               <p>Role-based facility access includes permanent maintenance personnel, duty officers, or emergency medical staff.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-2.2">
-            <title>Two Forms of Identification</title>
-            <param id="pe-2.2_prm_1">
-               <label>organization-defined list of acceptable forms of identification</label>
-            </param>
-            <prop name="label">PE-2(2)</prop>
-            <prop name="sort-id">PE-02(02)</prop>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-4">IA-4</link>
-            <link rel="related" href="#ia-5">IA-5</link>
-            <part name="statement" id="pe-2.2_smt">
-               <p>Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: <insert param-id="pe-2.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-2.2_gdn">
-               <p>Acceptable forms of identification include passports, REAL ID-compliant drivers’ licenses, and Personal Identity Verification (PIV) cards. For gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-2.3">
-            <title>Restrict Unescorted Access</title>
-            <param id="pe-2.3_prm_1">
-               <select how-many="one or more">
-                  <choice>security clearances for all information contained within the system</choice>
-                  <choice>formal access authorizations for all information contained within the system</choice>
-                  <choice>need for access to all information contained within the system</choice>
-                  <choice>
-                     <insert param-id="pe-2.3_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="pe-2.3_prm_2" depends-on="pe-2.3_prm_1">
-               <label>organization-defined credentials</label>
-            </param>
-            <prop name="label">PE-2(3)</prop>
-            <prop name="sort-id">PE-02(03)</prop>
-            <link rel="related" href="#ps-2">PS-2</link>
-            <link rel="related" href="#ps-6">PS-6</link>
-            <part name="statement" id="pe-2.3_smt">
-               <p>Restrict unescorted access to the facility where the system resides to personnel with <insert param-id="pe-2.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-2.3_gdn">
-               <p>Individuals without required security clearances, access approvals, or need to know, are escorted by individuals with appropriate credentials to ensure that information is not exposed or otherwise compromised.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-3">
-         <title>Physical Access Control</title>
-         <param id="pe-3_prm_1">
-            <label>organization-defined entry and exit points to the facility where the system resides</label>
-         </param>
-         <param id="pe-3_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="pe-3_prm_3"/>
-               </choice>
-               <choice>guards</choice>
-            </select>
-         </param>
-         <param id="pe-3_prm_3" depends-on="pe-3_prm_2">
-            <label>organization-defined physical access control systems or devices</label>
-         </param>
-         <param id="pe-3_prm_4">
-            <label>organization-defined entry or exit points</label>
-         </param>
-         <param id="pe-3_prm_5">
-            <label>organization-defined controls</label>
-         </param>
-         <param id="pe-3_prm_6">
-            <label>organization-defined circumstances requiring visitor escorts and monitoring</label>
-         </param>
-         <param id="pe-3_prm_7">
-            <label>organization-defined physical access devices</label>
-         </param>
-         <param id="pe-3_prm_8">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pe-3_prm_9">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-3</prop>
-         <prop name="sort-id">PE-03</prop>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#3d6b3a16-94e7-4a43-8648-8bdeaadb271b">[SP 800-73-4]</link>
-         <link rel="reference" href="#d5ef0056-c807-44c3-a7b5-6eb491538f8e">[SP 800-76-2]</link>
-         <link rel="reference" href="#013e098f-0680-4856-a130-b768c69dab9c">[SP 800-78-4]</link>
-         <link rel="reference" href="#ad7d575f-b5fe-489b-8d48-36a93d964a5f">[SP 800-116]</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-13">AU-13</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-4">PE-4</link>
-         <link rel="related" href="#pe-5">PE-5</link>
-         <link rel="related" href="#pe-8">PE-8</link>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <part name="statement" id="pe-3_smt">
-            <part name="item" id="pe-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Enforce physical access authorizations at <insert param-id="pe-3_prm_1"/> by:</p>
-               <part name="item" id="pe-3_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Verifying individual access authorizations before granting access to the facility; and</p>
-               </part>
-               <part name="item" id="pe-3_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Controlling ingress and egress to the facility using <insert param-id="pe-3_prm_2"/>;</p>
-               </part>
-            </part>
-            <part name="item" id="pe-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Maintain physical access audit logs for <insert param-id="pe-3_prm_4"/>;</p>
-            </part>
-            <part name="item" id="pe-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Control access to areas within the facility designated as publicly accessible by implementing the following controls: <insert param-id="pe-3_prm_5"/>;</p>
-            </part>
-            <part name="item" id="pe-3_smt.d">
-               <prop name="label">d.</prop>
-               <p>Escort visitors and monitor visitor activity <insert param-id="pe-3_prm_6"/>;</p>
-            </part>
-            <part name="item" id="pe-3_smt.e">
-               <prop name="label">e.</prop>
-               <p>Secure keys, combinations, and other physical access devices;</p>
-            </part>
-            <part name="item" id="pe-3_smt.f">
-               <prop name="label">f.</prop>
-               <p>Inventory <insert param-id="pe-3_prm_7"/> every <insert param-id="pe-3_prm_8"/>; and</p>
-            </part>
-            <part name="item" id="pe-3_smt.g">
-               <prop name="label">g.</prop>
-               <p>Change combinations and keys <insert param-id="pe-3_prm_9"/> and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-3_gdn">
-            <p>Physical access control applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems requiring supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-3.1">
-            <title>System Access</title>
-            <param id="pe-3.1_prm_1">
-               <label>organization-defined physical spaces containing one or more components of the system</label>
-            </param>
-            <prop name="label">PE-3(1)</prop>
-            <prop name="sort-id">PE-03(01)</prop>
-            <part name="statement" id="pe-3.1_smt">
-               <p>Enforce physical access authorizations to the system in addition to the physical access controls for the facility at <insert param-id="pe-3.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-3.1_gdn">
-               <p>Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.2">
-            <title>Facility and Systems</title>
-            <param id="pe-3.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">PE-3(2)</prop>
-            <prop name="sort-id">PE-03(02)</prop>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <part name="statement" id="pe-3.2_smt">
-               <p>Perform security checks <insert param-id="pe-3.2_prm_1"/> at the physical perimeter of the facility or system for exfiltration of information or removal of system components.</p>
-            </part>
-            <part name="guidance" id="pe-3.2_gdn">
-               <p>Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.3">
-            <title>Continuous Guards</title>
-            <param id="pe-3.3_prm_1">
-               <label>organization-defined physical access points</label>
-            </param>
-            <prop name="label">PE-3(3)</prop>
-            <prop name="sort-id">PE-03(03)</prop>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <part name="statement" id="pe-3.3_smt">
-               <p>Employ guards to control <insert param-id="pe-3.3_prm_1"/> to the facility where the system resides 24 hours per day, 7 days per week.</p>
-            </part>
-            <part name="guidance" id="pe-3.3_gdn">
-               <p>Employing guards at selected physical access points to the facility provides a more rapid response capability for organizations. Guards also provide the opportunity for human surveillance in areas of the facility not covered by video surveillance.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.4">
-            <title>Lockable Casings</title>
-            <param id="pe-3.4_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">PE-3(4)</prop>
-            <prop name="sort-id">PE-03(04)</prop>
-            <part name="statement" id="pe-3.4_smt">
-               <p>Use lockable physical casings to protect <insert param-id="pe-3.4_prm_1"/> from unauthorized physical access.</p>
-            </part>
-            <part name="guidance" id="pe-3.4_gdn">
-               <p>The greatest risk from the use of portable devices such as notebook computers, tablets, and smart phones is theft. Organizations can employ lockable, physical casings to reduce or eliminate the risk of equipment theft. Such casings come in a variety of sizes, from units that protect a single notebook computer to full cabinets that can protect multiple servers, computers, and peripherals. Lockable physical casings can be used in conjunction with cable locks or lockdown plates to prevent the theft of the locked casing containing the computer equipment.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.5">
-            <title>Tamper Protection</title>
-            <param id="pe-3.5_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <param id="pe-3.5_prm_2">
-               <select how-many="one or more">
-                  <choice>detect</choice>
-                  <choice>prevent</choice>
-               </select>
-            </param>
-            <param id="pe-3.5_prm_3">
-               <label>organization-defined hardware components</label>
-            </param>
-            <prop name="label">PE-3(5)</prop>
-            <prop name="sort-id">PE-03(05)</prop>
-            <link rel="related" href="#sa-16">SA-16</link>
-            <link rel="related" href="#sr-9">SR-9</link>
-            <link rel="related" href="#sr-11">SR-11</link>
-            <part name="statement" id="pe-3.5_smt">
-               <p>Employ <insert param-id="pe-3.5_prm_1"/> to <insert param-id="pe-3.5_prm_2"/> physical tampering or alteration of <insert param-id="pe-3.5_prm_3"/> within the system.</p>
-            </part>
-            <part name="guidance" id="pe-3.5_gdn">
-               <p>Organizations can implement tamper detection and prevention at selected hardware components or implement tamper detection at some components and tamper prevention at other components. Detection and prevention activities can employ many types of anti-tamper technologies, including tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.6">
-            <title>Facility Penetration Testing</title>
-            <prop name="label">PE-3(6)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PE-03(06)</prop>
-            <link rel="incorporated-into" href="#ca-8">CA-8</link>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.7">
-            <title>Physical Barriers</title>
-            <prop name="label">PE-3(7)</prop>
-            <prop name="sort-id">PE-03(07)</prop>
-            <part name="statement" id="pe-3.7_smt">
-               <p>Limit access using physical barriers.</p>
-            </part>
-            <part name="guidance" id="pe-3.7_gdn">
-               <p>Physical barriers include bollards, concrete slabs, jersey walls, and hydraulic active vehicle barriers.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-3.8">
-            <title>Access Control Vestibules</title>
-            <param id="pe-3.8_prm_1">
-               <label>organization-defined locations within the facility</label>
-            </param>
-            <prop name="label">PE-3(8)</prop>
-            <prop name="sort-id">PE-03(08)</prop>
-            <part name="statement" id="pe-3.8_smt">
-               <p>Employ access control vestibules at <insert param-id="pe-3.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-3.8_gdn">
-               <p>An access control vestibule, or mantrap, is part of a physical access control system that typically provides a space between two sets of interlocking doors. Mantraps are designed to prevent unauthorized individuals from following authorized individuals into facilities with controlled access. This activity, also known as piggybacking or tailgating, results in unauthorized access to the facility. Mantraps can also be used to limit the number of individuals entering controlled access points and to provide containment areas to verify credentials. Mantraps can be fully automated, controlling the opening and closing of the interlocking doors, or partially automated using security guards to control the number of individuals entering the mantrap.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-4">
-         <title>Access Control for Transmission</title>
-         <param id="pe-4_prm_1">
-            <label>organization-defined system distribution and transmission lines</label>
-         </param>
-         <param id="pe-4_prm_2">
-            <label>organization-defined security controls</label>
-         </param>
-         <prop name="label">PE-4</prop>
-         <prop name="sort-id">PE-04</prop>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-5">PE-5</link>
-         <link rel="related" href="#pe-9">PE-9</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <part name="statement" id="pe-4_smt">
-            <p>Control physical access to <insert param-id="pe-4_prm_1"/> within organizational facilities using <insert param-id="pe-4_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="pe-4_gdn">
-            <p>Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-5">
-         <title>Access Control for Output Devices</title>
-         <param id="pe-5_prm_1">
-            <label>organization-defined output devices</label>
-         </param>
-         <prop name="label">PE-5</prop>
-         <prop name="sort-id">PE-05</prop>
-         <link rel="reference" href="#7e7538d7-9c3a-4e5f-bbb4-638cec975415">[IR 8023]</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-4">PE-4</link>
-         <link rel="related" href="#pe-18">PE-18</link>
-         <part name="statement" id="pe-5_smt">
-            <p>Control physical access to output from <insert param-id="pe-5_prm_1"/> to prevent unauthorized individuals from obtaining the output.</p>
-         </part>
-         <part name="guidance" id="pe-5_gdn">
-            <p>Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only; placing output devices in locations that can be monitored by personnel; installing monitor or screen filters; and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-5.1">
-            <title>Access to Output by Authorized Individuals</title>
-            <prop name="label">PE-5(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PE-05(01)</prop>
-            <link rel="incorporated-into" href="#pe-5">PE-5</link>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-5.2">
-            <title>Link to Individual Identity</title>
-            <prop name="label">PE-5(2)</prop>
-            <prop name="sort-id">PE-05(02)</prop>
-            <part name="statement" id="pe-5.2_smt">
-               <p>Link individual identity to receipt of output from output devices.</p>
-            </part>
-            <part name="guidance" id="pe-5.2_gdn">
-               <p>Methods to link individual identity to receipt of output from output devices include installing security functionality on facsimile machines, copiers, and printers. Such functionality allows organizations to implement authentication on output devices prior to the release of output to individuals.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-5.3">
-            <title>Marking Output Devices</title>
-            <param id="pe-5.3_prm_1">
-               <label>organization-defined system output devices</label>
-            </param>
-            <prop name="label">PE-5(3)</prop>
-            <prop name="sort-id">PE-05(03)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#pe-22">PE-22</link>
-            <part name="statement" id="pe-5.3_smt">
-               <p>Mark <insert param-id="pe-5.3_prm_1"/> indicating the security marking of the types of information output from the device.</p>
-            </part>
-            <part name="guidance" id="pe-5.3_gdn">
-               <p>Permissions controlling the output to outputs devices are addressed in AC-3 or AC-4. Outputs devices include printers, monitors, facsimile machines, scanners, copiers, and audio devices.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-6">
-         <title>Monitoring Physical Access</title>
-         <param id="pe-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pe-6_prm_2">
-            <label>organization-defined events or potential indications of events</label>
-         </param>
-         <prop name="label">PE-6</prop>
-         <prop name="sort-id">PE-06</prop>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <part name="statement" id="pe-6_smt">
-            <part name="item" id="pe-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;</p>
-            </part>
-            <part name="item" id="pe-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review physical access logs <insert param-id="pe-6_prm_1"/> and upon occurrence of <insert param-id="pe-6_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="pe-6_smt.c">
-               <prop name="label">c.</prop>
-               <p>Coordinate results of reviews and investigations with the organizational incident response capability.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-6_gdn">
-            <p>Physical access monitoring includes publicly accessible areas within organizational facilities. Physical access monitoring can be accomplished, for example, by the employment of guards, video surveillance equipment (i.e., cameras), or sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls such as AU-2 if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours; repeated accesses to areas not normally accessed; accesses for unusual lengths of time; and out-of-sequence accesses.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-6.1">
-            <title>Intrusion Alarms and Surveillance Equipment</title>
-            <prop name="label">PE-6(1)</prop>
-            <prop name="sort-id">PE-06(01)</prop>
-            <part name="statement" id="pe-6.1_smt">
-               <p>Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.</p>
-            </part>
-            <part name="guidance" id="pe-6.1_gdn">
-               <p>Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards, triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, for example, motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-6.2">
-            <title>Automated Intrusion Recognition and Responses</title>
-            <param id="pe-6.2_prm_1">
-               <label>organization-defined classes or types of intrusions</label>
-            </param>
-            <param id="pe-6.2_prm_2">
-               <label>organization-defined response actions</label>
-            </param>
-            <param id="pe-6.2_prm_3">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">PE-6(2)</prop>
-            <prop name="sort-id">PE-06(02)</prop>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="pe-6.2_smt">
-               <p>Recognize <insert param-id="pe-6.2_prm_1"/> and initiate <insert param-id="pe-6.2_prm_2"/> using <insert param-id="pe-6.2_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="pe-6.2_gdn">
-               <p>Response actions can include notifying selected organizational personnel or law enforcement personnel. Automated mechanisms implemented to initiate response actions include system alert notifications, email and text messages, and activating door locking mechanisms. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide integrated threat coverage for the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-6.3">
-            <title>Video Surveillance</title>
-            <param id="pe-6.3_prm_1">
-               <label>organization-defined operational areas</label>
-            </param>
-            <param id="pe-6.3_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="pe-6.3_prm_3">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">PE-6(3)</prop>
-            <prop name="sort-id">PE-06(03)</prop>
-            <part name="statement" id="pe-6.3_smt">
-               <part name="item" id="pe-6.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employ video surveillance of <insert param-id="pe-6.3_prm_1"/>;</p>
-               </part>
-               <part name="item" id="pe-6.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Review video recordings <insert param-id="pe-6.3_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="pe-6.3_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Retain video recordings for <insert param-id="pe-6.3_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="pe-6.3_gdn">
-               <p>Video surveillance focuses on recording activity in specified areas for purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required although organizations may choose to do so. There may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-6.4">
-            <title>Monitoring Physical Access to Systems</title>
-            <param id="pe-6.4_prm_1">
-               <label>organization-defined physical spaces containing one or more components of the system</label>
-            </param>
-            <prop name="label">PE-6(4)</prop>
-            <prop name="sort-id">PE-06(04)</prop>
-            <part name="statement" id="pe-6.4_smt">
-               <p>Monitor physical access to the system in addition to the physical access monitoring of the facility at <insert param-id="pe-6.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-6.4_gdn">
-               <p>Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-7">
-         <title>Visitor Control</title>
-         <prop name="label">PE-7</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">PE-07</prop>
-         <link rel="incorporated-into" href="#pe-2">PE-2</link>
-         <link rel="incorporated-into" href="#pe-3">PE-3</link>
-      </control>
-      <control class="SP800-53" id="pe-8">
-         <title>Visitor Access Records</title>
-         <param id="pe-8_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="pe-8_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pe-8_prm_3">
-            <label>organization-defined personnel</label>
-         </param>
-         <prop name="label">PE-8</prop>
-         <prop name="sort-id">PE-08</prop>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-6">PE-6</link>
-         <part name="statement" id="pe-8_smt">
-            <part name="item" id="pe-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Maintain visitor access records to the facility where the system resides for <insert param-id="pe-8_prm_1"/>;</p>
-            </part>
-            <part name="item" id="pe-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review visitor access records <insert param-id="pe-8_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="pe-8_smt.c">
-               <prop name="label">c.</prop>
-               <p>Report anomalies in visitor access records to <insert param-id="pe-8_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-8_gdn">
-            <p>Visitor access records include names and organizations of persons visiting; visitor signatures; forms of identification; dates of access; entry and departure times; purpose of visits; and names and organizations of persons visited. Reviews of access records determines if access authorizations are current and still required to support organizational missions and business functions. Access records are not required for publicly accessible areas.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-8.1">
-            <title>Automated Records Maintenance and Review</title>
-            <param id="pe-8.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">PE-8(1)</prop>
-            <prop name="sort-id">PE-08(01)</prop>
-            <part name="statement" id="pe-8.1_smt">
-               <p>Maintain and review visitor access records using <insert param-id="pe-8.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-8.1_gdn">
-               <p>Visitor access records can be stored and maintained, for example, in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on regular basis to determine if access authorizations are current and still required to support organizational missions and business functions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-8.2">
-            <title>Physical Access Records</title>
-            <prop name="label">PE-8(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PE-08(02)</prop>
-            <link rel="incorporated-into" href="#pe-2">PE-2</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-9">
-         <title>Power Equipment and Cabling</title>
-         <prop name="label">PE-9</prop>
-         <prop name="sort-id">PE-09</prop>
-         <link rel="related" href="#pe-4">PE-4</link>
-         <part name="statement" id="pe-9_smt">
-            <p>Protect power equipment and power cabling for the system from damage and destruction.</p>
-         </part>
-         <part name="guidance" id="pe-9_gdn">
-            <p>Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. Power equipment and cabling includes generators and power cabling outside of buildings; internal cabling and uninterruptable power sources in offices or data centers; and power sources for self-contained components such as satellites, vehicles, and other deployable systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-9.1">
-            <title>Redundant Cabling</title>
-            <param id="pe-9.1_prm_1">
-               <label>organization-defined distance</label>
-            </param>
-            <prop name="label">PE-9(1)</prop>
-            <prop name="sort-id">PE-09(01)</prop>
-            <part name="statement" id="pe-9.1_smt">
-               <p>Employ redundant power cabling paths that are physically separated by <insert param-id="pe-9.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-9.1_gdn">
-               <p>Physically separate and redundant power cables ensure that power continues to flow in the event one of the cables is cut or otherwise damaged.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-9.2">
-            <title>Automatic Voltage Controls</title>
-            <param id="pe-9.2_prm_1">
-               <label>organization-defined critical system components</label>
-            </param>
-            <prop name="label">PE-9(2)</prop>
-            <prop name="sort-id">PE-09(02)</prop>
-            <part name="statement" id="pe-9.2_smt">
-               <p>Employ automatic voltage controls for <insert param-id="pe-9.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-9.2_gdn">
-               <p>Automatic voltage controls can monitor and control voltage. Such controls include voltage regulators, voltage conditioners, and voltage stabilizers.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-10">
-         <title>Emergency Shutoff</title>
-         <param id="pe-10_prm_1">
-            <label>organization-defined system or individual system components</label>
-         </param>
-         <param id="pe-10_prm_2">
-            <label>organization-defined location by system or system component</label>
-         </param>
-         <prop name="label">PE-10</prop>
-         <prop name="sort-id">PE-10</prop>
-         <link rel="related" href="#pe-15">PE-15</link>
-         <part name="statement" id="pe-10_smt">
-            <part name="item" id="pe-10_smt.a">
-               <prop name="label">a.</prop>
-               <p>Provide the capability of shutting off power to <insert param-id="pe-10_prm_1"/> in emergency situations;</p>
-            </part>
-            <part name="item" id="pe-10_smt.b">
-               <prop name="label">b.</prop>
-               <p>Place emergency shutoff switches or devices in <insert param-id="pe-10_prm_2"/> to facilitate access for authorized personnel; and</p>
-            </part>
-            <part name="item" id="pe-10_smt.c">
-               <prop name="label">c.</prop>
-               <p>Protect emergency power shutoff capability from unauthorized activation.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-10_gdn">
-            <p>Emergency power shutoff applies primarily to organizational facilities containing concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-10.1">
-            <title>Accidental and Unauthorized Activation</title>
-            <prop name="label">PE-10(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PE-10(01)</prop>
-            <link rel="incorporated-into" href="#pe-10">PE-10</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-11">
-         <title>Emergency Power</title>
-         <param id="pe-11_prm_1">
-            <select how-many="one or more">
-               <choice>an orderly shutdown of the system</choice>
-               <choice>transition of the system to long-term alternate power</choice>
-            </select>
-         </param>
-         <prop name="label">PE-11</prop>
-         <prop name="sort-id">PE-11</prop>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <part name="statement" id="pe-11_smt">
-            <p>Provide an uninterruptible power supply to facilitate <insert param-id="pe-11_prm_1"/> in the event of a primary power source loss.</p>
-         </part>
-         <part name="guidance" id="pe-11_gdn">
-            <p>An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of most UPS is relatively short but provides sufficient time to start a standby power source such as a backup generator or properly shut down the system.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-11.1">
-            <title>Alternate Power Supply — Minimal Operational Capability</title>
-            <param id="pe-11.1_prm_1">
-               <select>
-                  <choice>manually</choice>
-                  <choice>automatically</choice>
-               </select>
-            </param>
-            <prop name="label">PE-11(1)</prop>
-            <prop name="sort-id">PE-11(01)</prop>
-            <part name="statement" id="pe-11.1_smt">
-               <p>Provide an alternate power supply for the system that is activated <insert param-id="pe-11.1_prm_1"/> and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.</p>
-            </part>
-            <part name="guidance" id="pe-11.1_gdn">
-               <p>Provision of an alternate power supply with minimal operating capability can be satisfied, for example, by accessing a secondary commercial power supply or other external power supply.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-11.2">
-            <title>Alternate Power Supply — Self-contained</title>
-            <param id="pe-11.2_prm_1">
-               <select>
-                  <choice>manually</choice>
-                  <choice>automatically</choice>
-               </select>
-            </param>
-            <param id="pe-11.2_prm_2">
-               <select>
-                  <choice>minimally required operational capability</choice>
-                  <choice>full operational capability</choice>
-               </select>
-            </param>
-            <prop name="label">PE-11(2)</prop>
-            <prop name="sort-id">PE-11(02)</prop>
-            <part name="statement" id="pe-11.2_smt">
-               <p>Provide an alternate power supply for the system that is activated <insert param-id="pe-11.2_prm_1"/> and that is:</p>
-               <part name="item" id="pe-11.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Self-contained;</p>
-               </part>
-               <part name="item" id="pe-11.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Not reliant on external power generation; and</p>
-               </part>
-               <part name="item" id="pe-11.2_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Capable of maintaining <insert param-id="pe-11.2_prm_2"/> in the event of an extended loss of the primary power source.</p>
-               </part>
-            </part>
-            <part name="guidance" id="pe-11.2_gdn">
-               <p>The provision of a long-term, self-contained power supply, can be satisfied by using one or more generators with sufficient capacity to meet the needs of the organization.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-12">
-         <title>Emergency Lighting</title>
-         <prop name="label">PE-12</prop>
-         <prop name="sort-id">PE-12</prop>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <part name="statement" id="pe-12_smt">
-            <p>Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.</p>
-         </part>
-         <part name="guidance" id="pe-12_gdn">
-            <p>The provision of emergency lighting applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system cannot be provided or fails, organizations consider alternate processing sites.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-12.1">
-            <title>Essential Missions and Business Functions</title>
-            <prop name="label">PE-12(1)</prop>
-            <prop name="sort-id">PE-12(01)</prop>
-            <part name="statement" id="pe-12.1_smt">
-               <p>Provide emergency lighting for all areas within the facility supporting essential missions and business functions.</p>
-            </part>
-            <part name="guidance" id="pe-12.1_gdn">
-               <p>Organizations define their essential missions and functions.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-13">
-         <title>Fire Protection</title>
-         <prop name="label">PE-13</prop>
-         <prop name="sort-id">PE-13</prop>
-         <link rel="related" href="#at-3">AT-3</link>
-         <part name="statement" id="pe-13_smt">
-            <p>Employ and maintain fire detection and suppression systems that are supported by an independent energy source.</p>
-         </part>
-         <part name="guidance" id="pe-13_gdn">
-            <p>The provision of fire detection and suppression systems applies to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems, fixed fire hoses, and smoke detectors.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-13.1">
-            <title>Detection Systems – Automatic Activation and Notification</title>
-            <param id="pe-13.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="pe-13.1_prm_2">
-               <label>organization-defined emergency responders</label>
-            </param>
-            <prop name="label">PE-13(1)</prop>
-            <prop name="sort-id">PE-13(01)</prop>
-            <part name="statement" id="pe-13.1_smt">
-               <p>Employ fire detection systems that activate automatically and notify <insert param-id="pe-13.1_prm_1"/> and <insert param-id="pe-13.1_prm_2"/> in the event of a fire.</p>
-            </part>
-            <part name="guidance" id="pe-13.1_gdn">
-               <p>Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances, for example, to enter to facilities where access is restricted due to the classification or impact level of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.2">
-            <title>Suppression Systems – Automatic Activation and Notification</title>
-            <param id="pe-13.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="pe-13.2_prm_2">
-               <label>organization-defined emergency responders</label>
-            </param>
-            <prop name="label">PE-13(2)</prop>
-            <prop name="sort-id">PE-13(02)</prop>
-            <part name="statement" id="pe-13.2_smt">
-               <part name="item" id="pe-13.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employ fire suppression systems that activate automatically and notify <insert param-id="pe-13.2_prm_1"/> and <insert param-id="pe-13.2_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="pe-13.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.</p>
-               </part>
-            </part>
-            <part name="guidance" id="pe-13.2_gdn">
-               <p>Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances, for example, to enter to facilities where access is restricted due to the impact level or classification of information within the facility. Notification mechanisms may require independent energy sources to ensure the notification capability is not adversely affected by the fire.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.3">
-            <title>Automatic Fire Suppression</title>
-            <prop name="label">PE-13(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PE-13(03)</prop>
-            <link rel="incorporated-into" href="#pe-13.2">PE-13(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-13.4">
-            <title>Inspections</title>
-            <param id="pe-13.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="pe-13.4_prm_2">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">PE-13(4)</prop>
-            <prop name="sort-id">PE-13(04)</prop>
-            <part name="statement" id="pe-13.4_smt">
-               <p>Ensure that the facility undergoes <insert param-id="pe-13.4_prm_1"/> fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within <insert param-id="pe-13.4_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="pe-13.4_gdn">
-               <p>Authorized and qualified personnel within the jurisdiction of the organization include state, county, and city fire inspectors and fire marshals. Organizations provide escorts during inspections in situations where the systems that reside within the facilities contain sensitive information.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-14">
-         <title>Environmental Controls</title>
-         <param id="pe-14_prm_1">
-            <select how-many="one or more">
-               <choice>temperature</choice>
-               <choice>humidity</choice>
-               <choice>pressure</choice>
-               <choice>radiation</choice>
-               <choice>
-                  <insert param-id="pe-14_prm_2"/>
-               </choice>
-            </select>
-         </param>
-         <param id="pe-14_prm_2" depends-on="pe-14_prm_1">
-            <label>organization-defined environmental control</label>
-         </param>
-         <param id="pe-14_prm_3">
-            <label>organization-defined acceptable levels</label>
-         </param>
-         <param id="pe-14_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PE-14</prop>
-         <prop name="sort-id">PE-14</prop>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#pe-21">PE-21</link>
-         <part name="statement" id="pe-14_smt">
-            <part name="item" id="pe-14_smt.a">
-               <prop name="label">a.</prop>
-               <p>Maintain <insert param-id="pe-14_prm_1"/> levels within the facility where the system resides at <insert param-id="pe-14_prm_3"/>; and</p>
-            </part>
-            <part name="item" id="pe-14_smt.b">
-               <prop name="label">b.</prop>
-               <p>Monitor environmental control levels <insert param-id="pe-14_prm_4"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-14_gdn">
-            <p>The provision of environmental controls applies primarily to organizational facilities containing concentrations of system resources, for example, data centers, server rooms, and mainframe computer rooms. Insufficient controls, especially in harsh environments, can have a significant adverse impact on the systems and system components that are needed to support organizational missions and business functions. Environmental controls, such as electromagnetic pulse (EMP) protection described in PE-21, are especially significant for systems and applications that are part of the U.S. critical infrastructure.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-14.1">
-            <title>Automatic Controls</title>
-            <param id="pe-14.1_prm_1">
-               <label>organization-defined automatic environmental controls</label>
-            </param>
-            <prop name="label">PE-14(1)</prop>
-            <prop name="sort-id">PE-14(01)</prop>
-            <part name="statement" id="pe-14.1_smt">
-               <p>Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: <insert param-id="pe-14.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-14.1_gdn">
-               <p>The implementation of automatic environmental controls provides an immediate response to environmental conditions that can damage, degrade, or destroy organizational systems or systems components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pe-14.2">
-            <title>Monitoring with Alarms and Notifications</title>
-            <param id="pe-14.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">PE-14(2)</prop>
-            <prop name="sort-id">PE-14(02)</prop>
-            <part name="statement" id="pe-14.2_smt">
-               <p>Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to <insert param-id="pe-14.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pe-14.2_gdn">
-               <p>The alarm or notification may be, for example, an audible alarm or a message in real time to personnel or roles defined by the organization. Such alarms and/or notifications can help to minimize harm to individuals and damage to organizational assets by facilitating a timely incident response.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-15">
-         <title>Water Damage Protection</title>
-         <prop name="label">PE-15</prop>
-         <prop name="sort-id">PE-15</prop>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#pe-10">PE-10</link>
-         <part name="statement" id="pe-15_smt">
-            <p>Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.</p>
-         </part>
-         <part name="guidance" id="pe-15_gdn">
-            <p>The provision of water damage protection applies primarily to organizational facilities containing concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-15.1">
-            <title>Automation Support</title>
-            <param id="pe-15.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="pe-15.1_prm_2">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">PE-15(1)</prop>
-            <prop name="sort-id">PE-15(01)</prop>
-            <part name="statement" id="pe-15.1_smt">
-               <p>Detect the presence of water near the system and alert <insert param-id="pe-15.1_prm_1"/> using <insert param-id="pe-15.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="pe-15.1_gdn">
-               <p>Automated mechanisms include notification systems, water detection sensors, and alarms.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-16">
-         <title>Delivery and Removal</title>
-         <param id="pe-16_prm_1">
-            <label>organization-defined types of system components</label>
-         </param>
-         <prop name="label">PE-16</prop>
-         <prop name="sort-id">PE-16</prop>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#pe-20">PE-20</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <part name="statement" id="pe-16_smt">
-            <part name="item" id="pe-16_smt.a">
-               <prop name="label">a.</prop>
-               <p>Authorize and control <insert param-id="pe-16_prm_1"/> entering and exiting the facility; and</p>
-            </part>
-            <part name="item" id="pe-16_smt.b">
-               <prop name="label">b.</prop>
-               <p>Maintain records of the system components.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-16_gdn">
-            <p>Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-17">
-         <title>Alternate Work Site</title>
-         <param id="pe-17_prm_1">
-            <label>organization-defined alternate work sites</label>
-         </param>
-         <param id="pe-17_prm_2">
-            <label>organization-defined controls</label>
-         </param>
-         <prop name="label">PE-17</prop>
-         <prop name="sort-id">PE-17</prop>
-         <link rel="reference" href="#7768c184-088d-4ee8-a316-f9286b52df7f">[SP 800-46]</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <part name="statement" id="pe-17_smt">
-            <part name="item" id="pe-17_smt.a">
-               <prop name="label">a.</prop>
-               <p>Determine and document the <insert param-id="pe-17_prm_1"/> allowed for use by employees;</p>
-            </part>
-            <part name="item" id="pe-17_smt.b">
-               <prop name="label">b.</prop>
-               <p>Employ the following controls at alternate work sites: <insert param-id="pe-17_prm_2"/>;</p>
-            </part>
-            <part name="item" id="pe-17_smt.c">
-               <prop name="label">c.</prop>
-               <p>Assess the effectiveness of controls at alternate work sites; and</p>
-            </part>
-            <part name="item" id="pe-17_smt.d">
-               <prop name="label">d.</prop>
-               <p>Provide a means for employees to communicate with information security and privacy personnel in case of incidents.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-17_gdn">
-            <p>Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-18">
-         <title>Location of System Components</title>
-         <param id="pe-18_prm_1">
-            <label>organization-defined physical and environmental hazards</label>
-         </param>
-         <prop name="label">PE-18</prop>
-         <prop name="sort-id">PE-18</prop>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#pe-5">PE-5</link>
-         <link rel="related" href="#pe-19">PE-19</link>
-         <link rel="related" href="#pe-20">PE-20</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <part name="statement" id="pe-18_smt">
-            <p>Position system components within the facility to minimize potential damage from <insert param-id="pe-18_prm_1"/> and to minimize the opportunity for unauthorized access.</p>
-         </part>
-         <part name="guidance" id="pe-18_gdn">
-            <p>Physical and environmental hazards include floods, fires, tornados, earthquakes, hurricanes, terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications, including using wireless sniffers or microphones.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-18.1">
-            <title>Facility Site</title>
-            <prop name="label">PE-18(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PE-18(01)</prop>
-            <link rel="moved-to" href="#pe-23">PE-23</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-19">
-         <title>Information Leakage</title>
-         <prop name="label">PE-19</prop>
-         <prop name="sort-id">PE-19</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#pe-18">PE-18</link>
-         <link rel="related" href="#pe-20">PE-20</link>
-         <part name="statement" id="pe-19_smt">
-            <p>Protect the system from information leakage due to electromagnetic signals emanations.</p>
-         </part>
-         <part name="guidance" id="pe-19_gdn">
-            <p>Information leakage is the intentional or unintentional release of data or information to an untrusted environment from electromagnetic signals emanations. The security categories or classifications of systems (with respect to confidentiality), organizational security policies, and risk tolerance guide the selection of controls employed to protect systems against information leakage due to electromagnetic signals emanations.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pe-19.1">
-            <title>National Emissions and Tempest Policies and Procedures</title>
-            <prop name="label">PE-19(1)</prop>
-            <prop name="sort-id">PE-19(01)</prop>
-            <part name="statement" id="pe-19.1_smt">
-               <p>Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information.</p>
-            </part>
-            <part name="guidance" id="pe-19.1_gdn">
-               <p>Emissions Security (EMSEC) policies include the former TEMPEST policies.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pe-20">
-         <title>Asset Monitoring and Tracking</title>
-         <param id="pe-20_prm_1">
-            <label>organization-defined asset location technologies</label>
-         </param>
-         <param id="pe-20_prm_2">
-            <label>organization-defined assets</label>
-         </param>
-         <param id="pe-20_prm_3">
-            <label>organization-defined controlled areas</label>
-         </param>
-         <prop name="label">PE-20</prop>
-         <prop name="sort-id">PE-20</prop>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <part name="statement" id="pe-20_smt">
-            <p>Employ <insert param-id="pe-20_prm_1"/> to track and monitor the location and movement of <insert param-id="pe-20_prm_2"/> within <insert param-id="pe-20_prm_3"/>.</p>
-         </part>
-         <part name="guidance" id="pe-20_gdn">
-            <p>Asset location technologies can help ensure that critical assets, including vehicles, equipment, or system components remain in authorized locations. Organizations consult with the Office of the General Counsel and senior agency official for privacy regarding the deployment and use of asset location technologies to address potential privacy concerns.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-21">
-         <title>Electromagnetic Pulse Protection</title>
-         <param id="pe-21_prm_1">
-            <label>organization-defined controls</label>
-         </param>
-         <param id="pe-21_prm_2">
-            <label>organization-defined systems and system components</label>
-         </param>
-         <prop name="label">PE-21</prop>
-         <prop name="sort-id">PE-21</prop>
-         <link rel="related" href="#pe-18">PE-18</link>
-         <link rel="related" href="#pe-19">PE-19</link>
-         <part name="statement" id="pe-21_smt">
-            <p>Employ <insert param-id="pe-21_prm_1"/> against electromagnetic pulse damage for <insert param-id="pe-21_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="pe-21_gdn">
-            <p>An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-22">
-         <title>Component Marking</title>
-         <param id="pe-22_prm_1">
-            <label>organization-defined system hardware components</label>
-         </param>
-         <prop name="label">PE-22</prop>
-         <prop name="sort-id">PE-22</prop>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#mp-3">MP-3</link>
-         <part name="statement" id="pe-22_smt">
-            <p>Mark <insert param-id="pe-22_prm_1"/> indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.</p>
-         </part>
-         <part name="guidance" id="pe-22_gdn">
-            <p>Hardware components that require marking include input devices marked to indicate the classification of the network to which the devices are connected or a multifunction printer or copier residing in a classified area. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal data structures within systems. Security marking is generally not required for hardware components processing, storing, or transmitting information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components processing, storing, or transmitting public information indicating that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pe-23">
-         <title>Facility Location</title>
-         <prop name="label">PE-23</prop>
-         <prop name="sort-id">PE-23</prop>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#pe-18">PE-18</link>
-         <link rel="related" href="#pe-19">PE-19</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <part name="statement" id="pe-23_smt">
-            <part name="item" id="pe-23_smt.a">
-               <prop name="label">a.</prop>
-               <p>Plan the location or site of the facility where the system resides considering physical and environmental hazards; and</p>
-            </part>
-            <part name="item" id="pe-23_smt.b">
-               <prop name="label">b.</prop>
-               <p>For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pe-23_gdn">
-            <p>Physical and environmental hazards include floods, fires, tornados, earthquakes, hurricanes, terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in PE-18.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pl">
-      <title>Planning</title>
-      <control class="SP800-53" id="pl-1">
-         <title>Policy and Procedures</title>
-         <param id="pl-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="pl-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="pl-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pl-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-1</prop>
-         <prop name="sort-id">PL-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#ae962073-f9bb-4210-b1ad-53ef6f6afad6">[SP 800-18]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="pl-1_smt">
-            <part name="item" id="pl-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="pl-1_prm_1"/>:</p>
-               <part name="item" id="pl-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="pl-1_prm_2"/> planning policy that:</p>
-                  <part name="item" id="pl-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="pl-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="pl-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the planning policy and the associated planning controls;</p>
-               </part>
-            </part>
-            <part name="item" id="pl-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="pl-1_prm_3"/> to manage the development, documentation, and dissemination of the planning policy and procedures; and</p>
-            </part>
-            <part name="item" id="pl-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current planning:</p>
-               <part name="item" id="pl-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="pl-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="pl-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="pl-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="pl-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-2">
-         <title>System Security and Privacy Plans</title>
-         <param id="pl-2_prm_1">
-            <label>organization-defined individuals or groups</label>
-         </param>
-         <param id="pl-2_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pl-2_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-2</prop>
-         <prop name="sort-id">PL-02</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="reference" href="#ae962073-f9bb-4210-b1ad-53ef6f6afad6">[SP 800-18]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-14">AC-14</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-9">CM-9</link>
-         <link rel="related" href="#cm-13">CM-13</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#pl-7">PL-7</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pl-10">PL-10</link>
-         <link rel="related" href="#pl-11">PL-11</link>
-         <link rel="related" href="#pm-1">PM-1</link>
-         <link rel="related" href="#pm-7">PM-7</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-10">PM-10</link>
-         <link rel="related" href="#pm-11">PM-11</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-8">RA-8</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sa-22">SA-22</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <part name="statement" id="pl-2_smt">
-            <part name="item" id="pl-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop security and privacy plans for the system that:</p>
-               <part name="item" id="pl-2_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Are consistent with the organization’s enterprise architecture;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Explicitly define the constituent system components;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Describe the operational context of the system in terms of missions and business processes;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Provide the security categorization of the system, including supporting rationale;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.5">
-                  <prop name="label">5.</prop>
-                  <p>Describe any specific threats to the system that are of concern to the organization;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.6">
-                  <prop name="label">6.</prop>
-                  <p>Provide the results of a privacy risk assessment for systems processing personally identifiable information;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.7">
-                  <prop name="label">7.</prop>
-                  <p>Describe the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.8">
-                  <prop name="label">8.</prop>
-                  <p>Provide an overview of the security and privacy requirements for the system;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.9">
-                  <prop name="label">9.</prop>
-                  <p>Identify any relevant control baselines or overlays, if applicable;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.10">
-                  <prop name="label">10.</prop>
-                  <p>Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.11">
-                  <prop name="label">11.</prop>
-                  <p>Include risk determinations for security and privacy architecture and design decisions;</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.12">
-                  <prop name="label">12.</prop>
-                  <p>Include security- and privacy-related activities affecting the system that require planning and coordination with <insert param-id="pl-2_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="pl-2_smt.a.13">
-                  <prop name="label">13.</prop>
-                  <p>Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.</p>
-               </part>
-            </part>
-            <part name="item" id="pl-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Distribute copies of the plans and communicate subsequent changes to the plans to <insert param-id="pl-2_prm_2"/>;</p>
-            </part>
-            <part name="item" id="pl-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review the plans <insert param-id="pl-2_prm_3"/>;</p>
-            </part>
-            <part name="item" id="pl-2_smt.d">
-               <prop name="label">d.</prop>
-               <p>Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and</p>
-            </part>
-            <part name="item" id="pl-2_smt.e">
-               <prop name="label">e.</prop>
-               <p>Protect the plans from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pl-2_gdn">
-            <p>System security and privacy plans contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle, for example, during capability determination, analysis of alternatives, requests for proposal, and design reviews. Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.
-Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment statements explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented. Organizations can also apply the tailoring guidance to the control baselines in [SP 800-53B] to develop overlays for community-wide use or to address specialized requirements, technologies, missions, business applications, or environments of operation.
-Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps to reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but instead can provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.
-Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include: assessments, audits, and inspections; hardware and software maintenance; patch management; and contingency plan testing. Planning and coordination includes emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included other documents, as appropriate.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-2.1">
-            <title>Concept of Operations</title>
-            <prop name="label">PL-2(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PL-02(01)</prop>
-            <link rel="incorporated-into" href="#pl-7">PL-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="pl-2.2">
-            <title>Functional Architecture</title>
-            <prop name="label">PL-2(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PL-02(02)</prop>
-            <link rel="incorporated-into" href="#pl-8">PL-8</link>
-         </control>
-         <control class="SP800-53-enhancement" id="pl-2.3">
-            <title>Plan and Coordinate with Other Organizational Entities</title>
-            <prop name="label">PL-2(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PL-02(03)</prop>
-            <link rel="incorporated-into" href="#pl-2">PL-2</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-3">
-         <title>System Security Plan Update</title>
-         <prop name="label">PL-3</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">PL-03</prop>
-         <link rel="incorporated-into" href="#pl-2">PL-2</link>
-      </control>
-      <control class="SP800-53" id="pl-4">
-         <title>Rules of Behavior</title>
-         <param id="pl-4_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pl-4_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="pl-4_prm_3"/>
-               </choice>
-               <choice>when the rules are revised or updated</choice>
-            </select>
-         </param>
-         <param id="pl-4_prm_3" depends-on="pl-4_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-4</prop>
-         <prop name="sort-id">PL-04</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#ae962073-f9bb-4210-b1ad-53ef6f6afad6">[SP 800-18]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-8">AC-8</link>
-         <link rel="related" href="#ac-9">AC-9</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#mp-7">MP-7</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="pl-4_smt">
-            <part name="item" id="pl-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;</p>
-            </part>
-            <part name="item" id="pl-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;</p>
-            </part>
-            <part name="item" id="pl-4_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the rules of behavior <insert param-id="pl-4_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="pl-4_smt.d">
-               <prop name="label">d.</prop>
-               <p>Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge <insert param-id="pl-4_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pl-4_gdn">
-            <p>Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities, and differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who simply receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior.  PL-4b, the documented acknowledgment portion of the control, may be satisfied by the awareness training and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures; and electronic agreement check boxes or radio buttons.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-4.1">
-            <title>Social Media and External Site/application Usage Restrictions</title>
-            <prop name="label">PL-4(1)</prop>
-            <prop name="sort-id">PL-04(01)</prop>
-            <link rel="related" href="#ac-22">AC-22</link>
-            <link rel="related" href="#au-13">AU-13</link>
-            <part name="statement" id="pl-4.1_smt">
-               <p>Include in the rules of behavior, restrictions on:</p>
-               <part name="item" id="pl-4.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Use of social media, social networking sites, and external sites/applications;</p>
-               </part>
-               <part name="item" id="pl-4.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Posting organizational information on public websites; and</p>
-               </part>
-               <part name="item" id="pl-4.1_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Use of organization-provided credentials (i.e., email addresses) for creating accounts on external sites/applications.</p>
-               </part>
-            </part>
-            <part name="guidance" id="pl-4.1_gdn">
-               <p>Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of these sites when organizational personnel are using such sites for official duties or in the conduct of official business; when organizational information is involved in social media and networking transactions; and when personnel are accessing social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining, either directly or through inference, non-public organizational information from social media and networking sites. Non-public information includes, for example, personally identifiable information and system account information.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-5">
-         <title>Privacy Impact Assessment</title>
-         <prop name="label">PL-5</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">PL-05</prop>
-         <link rel="incorporated-into" href="#ra-8">RA-8</link>
-      </control>
-      <control class="SP800-53" id="pl-6">
-         <title>Security-related Activity Planning</title>
-         <prop name="label">PL-6</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">PL-06</prop>
-         <link rel="incorporated-into" href="#pl-2">PL-2</link>
-      </control>
-      <control class="SP800-53" id="pl-7">
-         <title>Concept of Operations</title>
-         <param id="pl-7_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-7</prop>
-         <prop name="sort-id">PL-07</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#sa-2">SA-2</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="pl-7_smt">
-            <part name="item" id="pl-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and</p>
-            </part>
-            <part name="item" id="pl-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review and update the CONOPS <insert param-id="pl-7_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pl-7_gdn">
-            <p>The CONOPS may be included in the security or privacy plans for the system or in other system development life cycle documents. The CONOPS is a living document that requires updating throughout the system development life cycle. For example, during system design reviews, the concept of operations is checked to ensure that it remains consistent with the design for controls, the system architecture, and the operational procedures. Changes to the CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy architectures, and other appropriate organizational documents, for example, procurement specifications, system development life cycle documents, and systems engineering documents.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-8">
-         <title>Security and Privacy Architectures</title>
-         <param id="pl-8_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PL-8</prop>
-         <prop name="sort-id">PL-08</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-7">PL-7</link>
-         <link rel="related" href="#pl-9">PL-9</link>
-         <link rel="related" href="#pm-5">PM-5</link>
-         <link rel="related" href="#pm-7">PM-7</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <part name="statement" id="pl-8_smt">
-            <part name="item" id="pl-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop security and privacy architectures for the system that:</p>
-               <part name="item" id="pl-8_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;</p>
-               </part>
-               <part name="item" id="pl-8_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;</p>
-               </part>
-               <part name="item" id="pl-8_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Describe how the architectures are integrated into and support the enterprise architecture; and</p>
-               </part>
-               <part name="item" id="pl-8_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Describe any assumptions about, and dependencies on, external systems and services;</p>
-               </part>
-            </part>
-            <part name="item" id="pl-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review and update the architectures <insert param-id="pl-8_prm_1"/> to reflect changes in the enterprise architecture; and</p>
-            </part>
-            <part name="item" id="pl-8_smt.c">
-               <prop name="label">c.</prop>
-               <p>Reflect planned architecture changes in the security and privacy plans, the Concept of Operations (CONOPS), organizational procedures, and procurements and acquisitions.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pl-8_gdn">
-            <p>The system-level security and privacy architectures are consistent with organization-wide security and privacy architectures described in PM-7 that are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, for example, user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; restoration priorities of information and system services; and other protection needs.
-[SP 800-160 v1] provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03] requires the use of the systems security engineering concepts described in [SP 800-160 v1] for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle from analysis of alternatives through review of the proposed architecture in the RFP responses, to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).
-In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that controls needed to support security and privacy requirements are identified and effectively implemented.
-PL-8 is primarily directed at organizations to ensure that architectures are developed for the system, and moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities, and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pl-8.1">
-            <title>Defense-in-depth</title>
-            <param id="pl-8.1_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <param id="pl-8.1_prm_2">
-               <label>organization-defined locations and architectural layers</label>
-            </param>
-            <prop name="label">PL-8(1)</prop>
-            <prop name="sort-id">PL-08(01)</prop>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <link rel="related" href="#sc-29">SC-29</link>
-            <link rel="related" href="#sc-36">SC-36</link>
-            <part name="statement" id="pl-8.1_smt">
-               <p>Design the security and privacy architectures for the system using a defense-in-depth approach that:</p>
-               <part name="item" id="pl-8.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Allocates <insert param-id="pl-8.1_prm_1"/> to <insert param-id="pl-8.1_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="pl-8.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.</p>
-               </part>
-            </part>
-            <part name="guidance" id="pl-8.1_gdn">
-               <p>Organizations strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective. Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary; and increases the likelihood of detection. The coordination of allocated controls is essential to ensure that an attack that involves one control does not create adverse unintended consequences by interfering with other controls. Unintended consequences can include system lockout and cascading alarms. The placement of controls in systems and organizations is an important activity requiring thoughtful analysis. The value of organizational assets is an important consideration in providing additional layering. Defense-in-depth architectural approaches include modularity and layering (see SA-8(3)); separation of system and user functionality (see SC-2); and security function isolation (see SC-3).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pl-8.2">
-            <title>Supplier Diversity</title>
-            <param id="pl-8.2_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <param id="pl-8.2_prm_2">
-               <label>organization-defined locations and architectural layers</label>
-            </param>
-            <prop name="label">PL-8(2)</prop>
-            <prop name="sort-id">PL-08(02)</prop>
-            <link rel="related" href="#sc-29">SC-29</link>
-            <link rel="related" href="#sr-3">SR-3</link>
-            <part name="statement" id="pl-8.2_smt">
-               <p>Require that <insert param-id="pl-8.2_prm_1"/> allocated to <insert param-id="pl-8.2_prm_2"/> are obtained from different suppliers.</p>
-            </part>
-            <part name="guidance" id="pl-8.2_gdn">
-               <p>Information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms based on their priorities and development schedules. By deploying different products at different locations, there is an increased likelihood that at least one of the products will detect the malicious code. With respect to privacy, vendors may offer products that track personally identifiable information in systems. Products may use different tracking methods. Using multiple products may result in more assurance that personally identifiable information is inventoried.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pl-9">
-         <title>Central Management</title>
-         <param id="pl-9_prm_1">
-            <label>organization-defined controls and related processes</label>
-         </param>
-         <prop name="label">PL-9</prop>
-         <prop name="sort-id">PL-09</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <part name="statement" id="pl-9_smt">
-            <p>Centrally manage <insert param-id="pl-9_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="pl-9_gdn">
-            <p>Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and judicious use of organizational resources. Centrally-managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.
-As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include, but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6(1), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-7, SI-8.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-10">
-         <title>Baseline Selection</title>
-         <prop name="label">PL-10</prop>
-         <prop name="sort-id">PL-10</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#f2163084-3287-45e2-9ee7-95f020415495">[FIPS 200]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#31f3c9de-c57c-4281-929b-f9951f9640f1">[SP 800-53B]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#ee96f130-3f91-46ed-a4d8-57e5f220a623">[CNSSI 1253]</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-11">PL-11</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <part name="statement" id="pl-10_smt">
-            <p>Select a control baseline for the system.</p>
-         </part>
-         <part name="guidance" id="pl-10_gdn">
-            <p>Control baselines are pre-defined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines either to satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, or guidelines; or to address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems, with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in [SP 800-53B]. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements and as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B] are based on the requirements from [FISMA] and [PRIVACT]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations or the Nation; and considering the results from system and organizational risk assessments.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pl-11">
-         <title>Baseline Tailoring</title>
-         <prop name="label">PL-11</prop>
-         <prop name="sort-id">PL-11</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#f2163084-3287-45e2-9ee7-95f020415495">[FIPS 200]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#31f3c9de-c57c-4281-929b-f9951f9640f1">[SP 800-53B]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#ee96f130-3f91-46ed-a4d8-57e5f220a623">[CNSSI 1253]</link>
-         <link rel="related" href="#pl-10">PL-10</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <part name="statement" id="pl-11_smt">
-            <p>Tailor the selected control baseline by applying specified tailoring actions.</p>
-         </part>
-         <part name="guidance" id="pl-11_gdn">
-            <p>The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific missions and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B]. Tailoring a control baseline is accomplished by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning values to control parameters; supplementing the control baseline with additional controls, as needed; and providing information for control implementation. The general tailoring actions in [SP 800-53B] can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B] in accordance with the security and privacy requirements from [FISMA] and [PRIVACT]. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B] to specialize or customize the controls that represent the specific needs and concerns of those entities.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pm">
-      <title>Program Management</title>
-      <control class="SP800-53" id="pm-1">
-         <title>Information Security Program Plan</title>
-         <param id="pm-1_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-1</prop>
-         <prop name="sort-id">PM-01</prop>
-         <link rel="reference" href="#14958422-54f6-471f-a345-802dca594dd8">[FISMA]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <part name="statement" id="pm-1_smt">
-            <part name="item" id="pm-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop and disseminate an organization-wide information security program plan that:</p>
-               <part name="item" id="pm-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;</p>
-               </part>
-               <part name="item" id="pm-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;</p>
-               </part>
-               <part name="item" id="pm-1_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Reflects the coordination among organizational entities responsible for information security; and</p>
-               </part>
-               <part name="item" id="pm-1_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;</p>
-               </part>
-            </part>
-            <part name="item" id="pm-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review the organization-wide information security program plan <insert param-id="pm-1_prm_1"/>;</p>
-            </part>
-            <part name="item" id="pm-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Update the information security program plan to address organizational changes and problems identified during plan implementation or control assessments; and</p>
-            </part>
-            <part name="item" id="pm-1_smt.d">
-               <prop name="label">d.</prop>
-               <p>Protect the information security program plan from unauthorized disclosure and modification.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-1_gdn">
-            <p>An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. Information security program plans can be represented in single documents or compilations of documents.
-Information security program plans document the program management and common controls. The plans provide sufficient information about the controls (including specification of parameters for assignment and selection statements explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended.
-Program management controls are generally implemented at the organization level and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The individual system security plans and the organization-wide information security program plan together, provide complete coverage for the security controls employed within the organization.
-Common controls are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-2">
-         <title>Information Security Program Leadership Role</title>
-         <prop name="label">PM-2</prop>
-         <prop name="sort-id">PM-02</prop>
-         <link rel="reference" href="#ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3">[OMB M-17-25]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <part name="statement" id="pm-2_smt">
-            <p>Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.</p>
-         </part>
-         <part name="guidance" id="pm-2_gdn">
-            <p>The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-3">
-         <title>Information Security and Privacy Resources</title>
-         <prop name="label">PM-3</prop>
-         <prop name="sort-id">PM-03</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#pm-4">PM-4</link>
-         <link rel="related" href="#sa-2">SA-2</link>
-         <part name="statement" id="pm-3_smt">
-            <part name="item" id="pm-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;</p>
-            </part>
-            <part name="item" id="pm-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and</p>
-            </part>
-            <part name="item" id="pm-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Make available for expenditure, the planned information security and privacy resources.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-3_gdn">
-            <p>Organizations consider establishing champions for information security and privacy and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-4">
-         <title>Plan of Action and Milestones Process</title>
-         <prop name="label">PM-4</prop>
-         <prop name="sort-id">PM-04</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="related" href="#ca-5">CA-5</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#pm-3">PM-3</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="pm-4_smt">
-            <part name="item" id="pm-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Implement a process to ensure that plans of action and milestones for the information security and privacy programs and associated organizational systems:</p>
-               <part name="item" id="pm-4_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Are developed and maintained;</p>
-               </part>
-               <part name="item" id="pm-4_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Document the remedial information security and privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and</p>
-               </part>
-               <part name="item" id="pm-4_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Are reported in accordance with established reporting requirements.</p>
-               </part>
-            </part>
-            <part name="item" id="pm-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-4_gdn">
-            <p>The plan of action and milestones is a key document in the information security and privacy programs of organizations and is subject to reporting requirements established by the Office of Management and Budget. Organizations view plans of action and milestones from an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple levels of plan of action and milestones documents corresponding to the information system level, mission/business process level, and organizational/governance level. While the plan of action and milestones is required for federal organizations, any type of organization can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones for organizational systems in described in CA-5.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-5">
-         <title>System Inventory</title>
-         <param id="pm-5_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-5</prop>
-         <prop name="sort-id">PM-05</prop>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <part name="statement" id="pm-5_smt">
-            <p>Develop and update <insert param-id="pm-5_prm_1"/> an inventory of organizational systems.</p>
-         </part>
-         <part name="guidance" id="pm-5_gdn">
-            <p>[OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. This control refers to an organization-wide inventory of systems, not system components as described in CM-8.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pm-5.1">
-            <title>Inventory of Personally Identifiable Information</title>
-            <param id="pm-5.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">PM-5(1)</prop>
-            <prop name="sort-id">PM-05(01)</prop>
-            <link rel="related" href="#cm-8">CM-8</link>
-            <link rel="related" href="#cm-12">CM-12</link>
-            <link rel="related" href="#cm-13">CM-13</link>
-            <link rel="related" href="#pl-8">PL-8</link>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <link rel="related" href="#pt-3">PT-3</link>
-            <link rel="related" href="#pt-6">PT-6</link>
-            <link rel="related" href="#si-12">SI-12</link>
-            <link rel="related" href="#si-18">SI-18</link>
-            <part name="statement" id="pm-5.1_smt">
-               <p>Establish, maintain, and update <insert param-id="pm-5.1_prm_1"/> an inventory of all systems, applications, and projects that process personally identifiable information.</p>
-            </part>
-            <part name="guidance" id="pm-5.1_gdn">
-               <p>An inventory of systems, applications, and projects that process personally identifiable information supports mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pm-6">
-         <title>Measures of Performance</title>
-         <prop name="label">PM-6</prop>
-         <prop name="sort-id">PM-06</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#8ba0d54e-fa16-4f5d-baa1-763ec3e33e26">[SP 800-55]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <part name="statement" id="pm-6_smt">
-            <p>Develop, monitor, and report on the results of information security and privacy measures of performance.</p>
-         </part>
-         <part name="guidance" id="pm-6_gdn">
-            <p>Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-7">
-         <title>Enterprise Architecture</title>
-         <prop name="label">PM-7</prop>
-         <prop name="sort-id">PM-07</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pm-11">PM-11</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <part name="statement" id="pm-7_smt">
-            <p>Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.</p>
-         </part>
-         <part name="guidance" id="pm-7_gdn">
-            <p>The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture, the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level representing an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37] and supporting security standards and guidelines.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pm-7.1">
-            <title>Offloading</title>
-            <param id="pm-7.1_prm_1">
-               <label>organization-defined non-essential functions or services</label>
-            </param>
-            <prop name="label">PM-7(1)</prop>
-            <prop name="sort-id">PM-07(01)</prop>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <part name="statement" id="pm-7.1_smt">
-               <p>Offload <insert param-id="pm-7.1_prm_1"/> to other systems, system components, or an external provider.</p>
-            </part>
-            <part name="guidance" id="pm-7.1_gdn">
-               <p>Not every function or service a system provides is essential to an organization’s missions or business operations. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services supporting essential missions or business operations. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pm-8">
-         <title>Critical Infrastructure Plan</title>
-         <prop name="label">PM-8</prop>
-         <prop name="sort-id">PM-08</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#cde25174-38e0-4a00-8919-8ee3674b8088">[HSPD 7]</link>
-         <link rel="reference" href="#24b7b1ec-6430-41de-9353-29fdb1b488fc">[DHS NIPP]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#pe-18">PE-18</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-11">PM-11</link>
-         <link rel="related" href="#pm-18">PM-18</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="pm-8_smt">
-            <p>Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.</p>
-         </part>
-         <part name="guidance" id="pm-8_gdn">
-            <p>Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-9">
-         <title>Risk Management Strategy</title>
-         <param id="pm-9_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-9</prop>
-         <prop name="sort-id">PM-09</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7e7538d7-9c3a-4e5f-bbb4-638cec975415">[IR 8023]</link>
-         <link rel="related" href="#ac-1">AC-1</link>
-         <link rel="related" href="#au-1">AU-1</link>
-         <link rel="related" href="#at-1">AT-1</link>
-         <link rel="related" href="#ca-1">CA-1</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-5">CA-5</link>
-         <link rel="related" href="#ca-6">CA-6</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-1">CM-1</link>
-         <link rel="related" href="#cp-1">CP-1</link>
-         <link rel="related" href="#ia-1">IA-1</link>
-         <link rel="related" href="#ir-1">IR-1</link>
-         <link rel="related" href="#ma-1">MA-1</link>
-         <link rel="related" href="#mp-1">MP-1</link>
-         <link rel="related" href="#pe-1">PE-1</link>
-         <link rel="related" href="#pl-1">PL-1</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-2">PM-2</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#pm-18">PM-18</link>
-         <link rel="related" href="#pm-28">PM-28</link>
-         <link rel="related" href="#pm-30">PM-30</link>
-         <link rel="related" href="#ps-1">PS-1</link>
-         <link rel="related" href="#pt-1">PT-1</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-3">PT-3</link>
-         <link rel="related" href="#ra-1">RA-1</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <link rel="related" href="#sa-1">SA-1</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sc-1">SC-1</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-1">SI-1</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#sr-1">SR-1</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <part name="statement" id="pm-9_smt">
-            <part name="item" id="pm-9_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develops a comprehensive strategy to manage:</p>
-               <part name="item" id="pm-9_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and</p>
-               </part>
-               <part name="item" id="pm-9_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Privacy risk to individuals resulting from the authorized processing of personally identifiable information;</p>
-               </part>
-            </part>
-            <part name="item" id="pm-9_smt.b">
-               <prop name="label">b.</prop>
-               <p>Implement the risk management strategy consistently across the organization; and</p>
-            </part>
-            <part name="item" id="pm-9_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the risk management strategy <insert param-id="pm-9_prm_1"/> or as required, to address organizational changes.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-9_gdn">
-            <p>An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization; security and privacy risk mitigation strategies; acceptable risk assessment methodologies; a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance; and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is broad-based and comprehensive.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-10">
-         <title>Authorization Process</title>
-         <prop name="label">PM-10</prop>
-         <prop name="sort-id">PM-10</prop>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="related" href="#ca-6">CA-6</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <part name="statement" id="pm-10_smt">
-            <part name="item" id="pm-10_smt.a">
-               <prop name="label">a.</prop>
-               <p>Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;</p>
-            </part>
-            <part name="item" id="pm-10_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and</p>
-            </part>
-            <part name="item" id="pm-10_smt.c">
-               <prop name="label">c.</prop>
-               <p>Integrate the authorization processes into an organization-wide risk management program.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-10_gdn">
-            <p>Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The organizational authorization processes are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-11">
-         <title>Mission and Business Process Definition</title>
-         <param id="pm-11_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-11</prop>
-         <prop name="sort-id">PM-11</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-7">PM-7</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sa-2">SA-2</link>
-         <part name="statement" id="pm-11_smt">
-            <part name="item" id="pm-11_smt.a">
-               <prop name="label">a.</prop>
-               <p>Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and</p>
-            </part>
-            <part name="item" id="pm-11_smt.b">
-               <prop name="label">b.</prop>
-               <p>Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and</p>
-            </part>
-            <part name="item" id="pm-11_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and revise the mission and business processes <insert param-id="pm-11_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-11_gdn">
-            <p>Protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by the stakeholders in organizations, the mission and business processes defined to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent in defining protection and personally identifiable information processing needs, is an understanding of adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of authorized processing of information at any stage of the data life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policy and procedures.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-12">
-         <title>Insider Threat Program</title>
-         <prop name="label">PM-12</prop>
-         <prop name="sort-id">PM-12</prop>
-         <link rel="reference" href="#2b5e12fb-633f-49e6-8aff-81d75bf53545">[EO 13587]</link>
-         <link rel="reference" href="#286d42a1-efbe-49a2-9ce1-4c9bf68feb3b">[ODNI NITP]</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#au-13">AU-13</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#mp-7">MP-7</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pm-16">PM-16</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#ps-4">PS-4</link>
-         <link rel="related" href="#ps-5">PS-5</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#pm-14">PM-14</link>
-         <part name="statement" id="pm-12_smt">
-            <p>Implement an insider threat program that includes a cross-discipline insider threat incident handling team.</p>
-         </part>
-         <part name="guidance" id="pm-12_gdn">
-            <p>Organizations handling classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans; conduct host-based user monitoring of individual employee activities on government-owned classified computers; provide insider threat awareness training to employees; receive access to information from offices in the department or agency for insider threat analysis; and conduct self-assessments of department or agency insider threat posture.
-Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-13">
-         <title>Security and Privacy Workforce</title>
-         <prop name="label">PM-13</prop>
-         <prop name="sort-id">PM-13</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#f4c3f657-de83-47ae-9aec-e144de8268d1">[SP 800-181]</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <part name="statement" id="pm-13_smt">
-            <p>Establish a security and privacy workforce development and improvement program.</p>
-         </part>
-         <part name="guidance" id="pm-13_gdn">
-            <p>Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-14">
-         <title>Testing, Training, and Monitoring</title>
-         <prop name="label">PM-14</prop>
-         <prop name="sort-id">PM-14</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#5db6dfe4-788e-4183-93b9-f6fb29d75e41">[SP 800-53A]</link>
-         <link rel="reference" href="#a6b97214-55d4-4b86-a3a4-53d5911d96f7">[SP 800-115]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#ir-3">IR-3</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="pm-14_smt">
-            <part name="item" id="pm-14_smt.a">
-               <prop name="label">a.</prop>
-               <p>Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:</p>
-               <part name="item" id="pm-14_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Are developed and maintained; and</p>
-               </part>
-               <part name="item" id="pm-14_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Continue to be executed; and</p>
-               </part>
-            </part>
-            <part name="item" id="pm-14_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-14_gdn">
-            <p>This control ensures that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-15">
-         <title>Security and Privacy Groups and Associations</title>
-         <prop name="label">PM-15</prop>
-         <prop name="sort-id">PM-15</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#si-5">SI-5</link>
-         <part name="statement" id="pm-15_smt">
-            <p>Establish and institutionalize contact with selected groups and associations within the security and privacy communities:</p>
-            <part name="item" id="pm-15_smt.a">
-               <prop name="label">a.</prop>
-               <p>To facilitate ongoing security and privacy education and training for organizational personnel;</p>
-            </part>
-            <part name="item" id="pm-15_smt.b">
-               <prop name="label">b.</prop>
-               <p>To maintain currency with recommended security and privacy practices, techniques, and technologies; and</p>
-            </part>
-            <part name="item" id="pm-15_smt.c">
-               <prop name="label">c.</prop>
-               <p>To share current security and privacy information, including threats, vulnerabilities, and incidents.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-15_gdn">
-            <p>Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on missions and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-16">
-         <title>Threat Awareness Program</title>
-         <prop name="label">PM-16</prop>
-         <prop name="sort-id">PM-16</prop>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <part name="statement" id="pm-16_smt">
-            <p>Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.</p>
-         </part>
-         <part name="guidance" id="pm-16_gdn">
-            <p>Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced; mitigations that organizations have found are effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may be highly sensitive requiring special agreements and protection, or less sensitive and freely shared.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pm-16.1">
-            <title>Automated Means for Sharing Threat Intelligence</title>
-            <prop name="label">PM-16(1)</prop>
-            <prop name="sort-id">PM-16(01)</prop>
-            <part name="statement" id="pm-16.1_smt">
-               <p>Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.</p>
-            </part>
-            <part name="guidance" id="pm-16.1_gdn">
-               <p>To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By utilizing well established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed into monitoring tools, the relevant threat detection signatures.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pm-17">
-         <title>Protecting Controlled Unclassified Information on External Systems</title>
-         <param id="pm-17_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-17</prop>
-         <prop name="sort-id">PM-17</prop>
-         <link rel="reference" href="#742b7c0e-218e-4fca-9c3d-5f264bbaf2bc">[32 CFR 2002]</link>
-         <link rel="reference" href="#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a">[SP 800-171]</link>
-         <link rel="reference" href="#dd87fdf0-840d-4392-9de4-220b2327e340">[NARA CUI]</link>
-         <link rel="related" href="#ca-6">CA-6</link>
-         <link rel="related" href="#pm-10">PM-10</link>
-         <part name="statement" id="pm-17_smt">
-            <part name="item" id="pm-17_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards.</p>
-            </part>
-            <part name="item" id="pm-17_smt.b">
-               <prop name="label">b.</prop>
-               <p>Update the policy and procedures <insert param-id="pm-17_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-17_gdn">
-            <p>Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002] and specifically, for systems external to the federal organization, in 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-18">
-         <title>Privacy Program Plan</title>
-         <prop name="label">PM-18</prop>
-         <prop name="sort-id">PM-18</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-19">PM-19</link>
-         <part name="statement" id="pm-18_smt">
-            <part name="item" id="pm-18_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:</p>
-               <part name="item" id="pm-18_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;</p>
-               </part>
-               <part name="item" id="pm-18_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;</p>
-               </part>
-               <part name="item" id="pm-18_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;</p>
-               </part>
-               <part name="item" id="pm-18_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;</p>
-               </part>
-               <part name="item" id="pm-18_smt.a.5">
-                  <prop name="label">5.</prop>
-                  <p>Reflects coordination among organizational entities responsible for the different aspects of privacy; and</p>
-               </part>
-               <part name="item" id="pm-18_smt.a.6">
-                  <prop name="label">6.</prop>
-                  <p>Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and</p>
-               </part>
-            </part>
-            <part name="item" id="pm-18_smt.b">
-               <prop name="label">b.</prop>
-               <p>Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-18_gdn">
-            <p>A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program; the resources dedicated to the privacy program; the role of the senior agency official for privacy and other privacy officials and staff; the strategic goals and objectives of the privacy program; and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.
-The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection statements explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.
-Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. The privacy plans for individual systems and the organization-wide privacy program plan together, provide complete coverage for the privacy controls employed within the organization.
-Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-19">
-         <title>Privacy Program Leadership Role</title>
-         <prop name="label">PM-19</prop>
-         <prop name="sort-id">PM-19</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#pm-18">PM-18</link>
-         <link rel="related" href="#pm-20">PM-20</link>
-         <link rel="related" href="#pm-23">PM-23</link>
-         <link rel="related" href="#pm-24">PM-24</link>
-         <part name="statement" id="pm-19_smt">
-            <p>Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.</p>
-         </part>
-         <part name="guidance" id="pm-19_gdn">
-            <p>The privacy officer is an organizational official. For federal agencies, as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has a role in the data management board (see PM-23) and the data integrity board (see PM-24).</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-20">
-         <title>Dissemination of Privacy Program Information</title>
-         <prop name="label">PM-20</prop>
-         <prop name="sort-id">PM-20</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#f7d3617a-9a4f-4f1a-a688-845081b70390">[OMB M-17-06]</link>
-         <link rel="related" href="#pm-19">PM-19</link>
-         <link rel="related" href="#pt-6">PT-6</link>
-         <link rel="related" href="#pt-7">PT-7</link>
-         <link rel="related" href="#ra-8">RA-8</link>
-         <part name="statement" id="pm-20_smt">
-            <p>Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:</p>
-            <part name="item" id="pm-20_smt.a">
-               <prop name="label">a.</prop>
-               <p>Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;</p>
-            </part>
-            <part name="item" id="pm-20_smt.b">
-               <prop name="label">b.</prop>
-               <p>Ensures that organizational privacy practices and reports are publicly available; and</p>
-            </part>
-            <part name="item" id="pm-20_smt.c">
-               <prop name="label">c.</prop>
-               <p>Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-20_gdn">
-            <p>Organizations maintain a central resource webpage on their principal public website for their privacy program. For federal agencies, this page is located at www.[agency].gov/privacy. Organizations should use the webpage to inform the public about privacy policies and practices, including privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT] exemption and implementation rules, instructions for individuals making an access or amendment request, privacy reports, privacy policies, email addresses for questions/complaints, blogs, and periodic publications.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-21">
-         <title>Accounting of Disclosures</title>
-         <prop name="label">PM-21</prop>
-         <prop name="sort-id">PM-21</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <part name="statement" id="pm-21_smt">
-            <part name="item" id="pm-21_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:</p>
-               <part name="item" id="pm-21_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Date, nature, and purpose of each disclosure; and</p>
-               </part>
-               <part name="item" id="pm-21_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Name and address, or other contact information of the person or organization to which the disclosure was made;</p>
-               </part>
-            </part>
-            <part name="item" id="pm-21_smt.b">
-               <prop name="label">b.</prop>
-               <p>Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and</p>
-            </part>
-            <part name="item" id="pm-21_smt.c">
-               <prop name="label">c.</prop>
-               <p>Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-21_gdn">
-            <p>The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed; to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information; and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.
-Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services providing notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing disclosure or dissemination of information and dissemination restrictions.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-22">
-         <title>Personally Identifiable Information Quality Management</title>
-         <prop name="label">PM-22</prop>
-         <prop name="sort-id">PM-22</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#eadef75e-7e4d-4554-b818-44946c1dde0e">[SP 800-188]</link>
-         <link rel="related" href="#pm-23">PM-23</link>
-         <link rel="related" href="#si-18">SI-18</link>
-         <part name="statement" id="pm-22_smt">
-            <p>Develop and document policies and procedures for:</p>
-            <part name="item" id="pm-22_smt.a">
-               <prop name="label">a.</prop>
-               <p>Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;</p>
-            </part>
-            <part name="item" id="pm-22_smt.b">
-               <prop name="label">b.</prop>
-               <p>Correcting or deleting inaccurate or outdated personally identifiable information;</p>
-            </part>
-            <part name="item" id="pm-22_smt.c">
-               <prop name="label">c.</prop>
-               <p>Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and</p>
-            </part>
-            <part name="item" id="pm-22_smt.d">
-               <prop name="label">d.</prop>
-               <p>Appeals of adverse decisions on correction or deletion requests.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-22_gdn">
-            <p>Personally identifiable information quality management include steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.
-The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.
-Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to complexity of data flows and storage, other entities may need to be informed of correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-23">
-         <title>Data Governance Body</title>
-         <param id="pm-23_prm_1">
-            <label>organization-defined roles</label>
-         </param>
-         <param id="pm-23_prm_2">
-            <label>organization-defined responsibilities</label>
-         </param>
-         <prop name="label">PM-23</prop>
-         <prop name="sort-id">PM-23</prop>
-         <link rel="reference" href="#43facb7b-0afb-480f-8191-34790d5b444b">[EVIDACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#d843e915-eeb6-4bbe-8cab-ccc802088703">[OMB M-19-23]</link>
-         <link rel="reference" href="#eadef75e-7e4d-4554-b818-44946c1dde0e">[SP 800-188]</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#pm-19">PM-19</link>
-         <link rel="related" href="#pm-22">PM-22</link>
-         <link rel="related" href="#pm-24">PM-24</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-19">SI-19</link>
-         <part name="statement" id="pm-23_smt">
-            <p>Establish a Data Governance Body consisting of <insert param-id="pm-23_prm_1"/> with <insert param-id="pm-23_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="pm-23_gdn">
-            <p>A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines supporting data modeling, quality, integrity, and de-identification needs of personally identifiable information across the information life cycle and reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT] and policies set forth under [OMB M-19-23].</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-24">
-         <title>Data Integrity Board</title>
-         <prop name="label">PM-24</prop>
-         <prop name="sort-id">PM-24</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="reference" href="#395f6bb9-bcc2-41fc-977f-04372f4a6a82">[OMB A-108]</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#pm-19">PM-19</link>
-         <link rel="related" href="#pm-23">PM-23</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <part name="statement" id="pm-24_smt">
-            <p>Establish a Data Integrity Board to:</p>
-            <part name="item" id="pm-24_smt.a">
-               <prop name="label">a.</prop>
-               <p>Review proposals to conduct or participate in a matching program; and</p>
-            </part>
-            <part name="item" id="pm-24_smt.b">
-               <prop name="label">b.</prop>
-               <p>Conduct an annual review of all matching programs in which the agency has participated.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-24_gdn">
-            <p>A Data Integrity Board is the board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records.  At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-25">
-         <title>Minimization of Pii Used in Testing, Training, and Research</title>
-         <param id="pm-25_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-25</prop>
-         <prop name="sort-id">PM-25</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="related" href="#pm-23">PM-23</link>
-         <link rel="related" href="#pt-3">PT-3</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <part name="statement" id="pm-25_smt">
-            <part name="item" id="pm-25_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;</p>
-            </part>
-            <part name="item" id="pm-25_smt.b">
-               <prop name="label">b.</prop>
-               <p>Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;</p>
-            </part>
-            <part name="item" id="pm-25_smt.c">
-               <prop name="label">c.</prop>
-               <p>Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and</p>
-            </part>
-            <part name="item" id="pm-25_smt.d">
-               <prop name="label">d.</prop>
-               <p>Review and update policies and procedures <insert param-id="pm-25_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-25_gdn">
-            <p>The use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research. The use of live data for testing, training, and research is also addressed in SA-3(2).</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-26">
-         <title>Complaint Management</title>
-         <param id="pm-26_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="pm-26_prm_2">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="pm-26_prm_3">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">PM-26</prop>
-         <prop name="sort-id">PM-26</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#ir-7">IR-7</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <link rel="related" href="#pm-22">PM-22</link>
-         <link rel="related" href="#si-18">SI-18</link>
-         <part name="statement" id="pm-26_smt">
-            <p>Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes:</p>
-            <part name="item" id="pm-26_smt.a">
-               <prop name="label">a.</prop>
-               <p>Mechanisms that are easy to use and readily accessible by the public;</p>
-            </part>
-            <part name="item" id="pm-26_smt.b">
-               <prop name="label">b.</prop>
-               <p>All information necessary for successfully filing complaints;</p>
-            </part>
-            <part name="item" id="pm-26_smt.c">
-               <prop name="label">c.</prop>
-               <p>Tracking mechanisms to ensure all complaints received are reviewed and addressed within <insert param-id="pm-26_prm_1"/>;</p>
-            </part>
-            <part name="item" id="pm-26_smt.d">
-               <prop name="label">d.</prop>
-               <p>Acknowledgement of receipt of complaints, concerns, or questions from individuals within <insert param-id="pm-26_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="pm-26_smt.e">
-               <prop name="label">e.</prop>
-               <p>Response to complaints, concerns, or questions from individuals within <insert param-id="pm-26_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-26_gdn">
-            <p>Complaints, concerns, and questions from individuals can serve as a valuable source of input to organizations that ultimately improves operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-27">
-         <title>Privacy Reporting</title>
-         <param id="pm-27_prm_1">
-            <label>organization-defined privacy reports</label>
-         </param>
-         <param id="pm-27_prm_2">
-            <label>organization-defined officials</label>
-         </param>
-         <param id="pm-27_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-27</prop>
-         <prop name="sort-id">PM-27</prop>
-         <link rel="reference" href="#14958422-54f6-471f-a345-802dca594dd8">[FISMA]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#395f6bb9-bcc2-41fc-977f-04372f4a6a82">[OMB A-108]</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <link rel="related" href="#pm-19">PM-19</link>
-         <part name="statement" id="pm-27_smt">
-            <part name="item" id="pm-27_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop <insert param-id="pm-27_prm_1"/> and disseminate to:</p>
-               <part name="item" id="pm-27_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>OMB, Congress, and other oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and</p>
-               </part>
-               <part name="item" id="pm-27_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>
-                     <insert param-id="pm-27_prm_2"/> and other personnel with responsibility for monitoring privacy program compliance; and</p>
-               </part>
-            </part>
-            <part name="item" id="pm-27_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review and update privacy reports <insert param-id="pm-27_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-27_gdn">
-            <p>Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. Privacy reports include annual senior agency official for privacy reports to OMB; reports to Congress required by Implementing Regulations of the 9/11 Commission Act; and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-28">
-         <title>Risk Framing</title>
-         <param id="pm-28_prm_1">
-            <label>organization-defined personnel</label>
-         </param>
-         <param id="pm-28_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-28</prop>
-         <prop name="sort-id">PM-28</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <part name="statement" id="pm-28_smt">
-            <part name="item" id="pm-28_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identify and document:</p>
-               <part name="item" id="pm-28_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Assumptions affecting risk assessments, risk responses, and risk monitoring;</p>
-               </part>
-               <part name="item" id="pm-28_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Constraints affecting risk assessments, risk responses, and risk monitoring;</p>
-               </part>
-               <part name="item" id="pm-28_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Priorities and trade-offs considered by the organization for managing risk; and</p>
-               </part>
-               <part name="item" id="pm-28_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Organizational risk tolerance; and</p>
-               </part>
-            </part>
-            <part name="item" id="pm-28_smt.b">
-               <prop name="label">b.</prop>
-               <p>Distribute the results of risk framing activities to <insert param-id="pm-28_prm_1"/>;</p>
-            </part>
-            <part name="item" id="pm-28_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update risk framing considerations <insert param-id="pm-28_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-28_gdn">
-            <p>Risk framing is most effective when conducted at the organization level. The assumptions, constraints, risk tolerance, priorities, and tradeoffs identified as part of the risk framing process, inform the risk management strategy which in turn, informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel including mission/business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-29">
-         <title>Risk Management Program Leadership Roles</title>
-         <prop name="label">PM-29</prop>
-         <prop name="sort-id">PM-29</prop>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="related" href="#pm-2">PM-2</link>
-         <link rel="related" href="#pm-19">PM-19</link>
-         <part name="statement" id="pm-29_smt">
-            <part name="item" id="pm-29_smt.a">
-               <prop name="label">a.</prop>
-               <p>Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and</p>
-            </part>
-            <part name="item" id="pm-29_smt.b">
-               <prop name="label">b.</prop>
-               <p>Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-29_gdn">
-            <p>The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-30">
-         <title>Supply Chain Risk Management Strategy</title>
-         <param id="pm-30_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-30</prop>
-         <prop name="sort-id">PM-30</prop>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#sr-1">SR-1</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <link rel="related" href="#sr-7">SR-7</link>
-         <link rel="related" href="#sr-8">SR-8</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="pm-30_smt">
-            <part name="item" id="pm-30_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;</p>
-            </part>
-            <part name="item" id="pm-30_smt.b">
-               <prop name="label">b.</prop>
-               <p>Implement the supply chain risk management strategy consistently across the organization; and</p>
-            </part>
-            <part name="item" id="pm-30_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the supply chain risk management strategy on <insert param-id="pm-30_prm_1"/> or as required, to address organizational changes.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-30_gdn">
-            <p>An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of both security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform the system-level supply chain risk management plan. The use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organizational level, whereas the supply chain risk management plan (see SR-2) is applied at the system-level.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-31">
-         <title>Continuous Monitoring Strategy</title>
-         <param id="pm-31_prm_1">
-            <label>organization-defined metrics</label>
-         </param>
-         <param id="pm-31_prm_2">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="pm-31_prm_3">
-            <label>organization-defined frequencies</label>
-         </param>
-         <param id="pm-31_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pm-31_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PM-31</prop>
-         <prop name="sort-id">PM-31</prop>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#at-4">AT-4</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-13">AU-13</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-5">CA-5</link>
-         <link rel="related" href="#ca-6">CA-6</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ir-5">IR-5</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-6">PE-6</link>
-         <link rel="related" href="#pe-14">PE-14</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <link rel="related" href="#pe-20">PE-20</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-4">PM-4</link>
-         <link rel="related" href="#pm-6">PM-6</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-10">PM-10</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#pm-14">PM-14</link>
-         <link rel="related" href="#pm-23">PM-23</link>
-         <link rel="related" href="#pm-28">PM-28</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-18">SC-18</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#sc-43">SC-43</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <part name="statement" id="pm-31_smt">
-            <p>Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:</p>
-            <part name="item" id="pm-31_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establishing the following organization-wide metrics to be monitored: <insert param-id="pm-31_prm_1"/>;</p>
-            </part>
-            <part name="item" id="pm-31_smt.b">
-               <prop name="label">b.</prop>
-               <p>Establishing <insert param-id="pm-31_prm_2"/> for monitoring and <insert param-id="pm-31_prm_3"/> for assessment of control effectiveness;</p>
-            </part>
-            <part name="item" id="pm-31_smt.c">
-               <prop name="label">c.</prop>
-               <p>Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;</p>
-            </part>
-            <part name="item" id="pm-31_smt.d">
-               <prop name="label">d.</prop>
-               <p>Correlation and analysis of information generated by control assessments and monitoring;</p>
-            </part>
-            <part name="item" id="pm-31_smt.e">
-               <prop name="label">e.</prop>
-               <p>Response actions to address results of the analysis of control assessment and monitoring information; and</p>
-            </part>
-            <part name="item" id="pm-31_smt.f">
-               <prop name="label">f.</prop>
-               <p>Reporting the security and privacy status of organizational systems to <insert param-id="pm-31_prm_4"/>
-                  <insert param-id="pm-31_prm_5"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-31_gdn">
-            <p>Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective and timely risk management decisions, including ongoing authorization decisions. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, for example, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b, SI-4.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-32">
-         <title>Purposing</title>
-         <param id="pm-32_prm_1">
-            <label>organization-defined systems or systems components</label>
-         </param>
-         <prop name="label">PM-32</prop>
-         <prop name="sort-id">PM-32</prop>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <part name="statement" id="pm-32_smt">
-            <p>Analyze <insert param-id="pm-32_prm_1"/> supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.</p>
-         </part>
-         <part name="guidance" id="pm-32_gdn">
-            <p>Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are in turn more vulnerable to compromise, and can ultimately impact the services and functions for which they were intended. This is especially impactful for mission essential services and functions. By analyzing resource use, organizations can identify such potential exposures.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pm-33">
-         <title>Privacy Policies on Websites, Applications, and Digital Services</title>
-         <prop name="label">PM-33</prop>
-         <prop name="sort-id">PM-33</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#pm-19">PM-19</link>
-         <link rel="related" href="#pm-20">PM-20</link>
-         <link rel="related" href="#pt-6">PT-6</link>
-         <link rel="related" href="#pt-7">PT-7</link>
-         <link rel="related" href="#ra-8">RA-8</link>
-         <part name="statement" id="pm-33_smt">
-            <p>Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:</p>
-            <part name="item" id="pm-33_smt.a">
-               <prop name="label">a.</prop>
-               <p>Are written in plain language and organized in a way that is easy to understand and navigate;</p>
-            </part>
-            <part name="item" id="pm-33_smt.b">
-               <prop name="label">b.</prop>
-               <p>Provide useful information that the public would need to make an informed decision about whether and how to interact with the organization; and</p>
-            </part>
-            <part name="item" id="pm-33_smt.c">
-               <prop name="label">c.</prop>
-               <p>Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pm-33_gdn">
-            <p>Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations should post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations should provide a link to the privacy policy on any webpage that collects personally identifiable information.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ps">
-      <title>Personnel Security</title>
-      <control class="SP800-53" id="ps-1">
-         <title>Policy and Procedures</title>
-         <param id="ps-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="ps-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="ps-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ps-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-1</prop>
-         <prop name="sort-id">PS-01</prop>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ps-1_smt">
-            <part name="item" id="ps-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="ps-1_prm_1"/>:</p>
-               <part name="item" id="ps-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="ps-1_prm_2"/> personnel security policy that:</p>
-                  <part name="item" id="ps-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="ps-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ps-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;</p>
-               </part>
-            </part>
-            <part name="item" id="ps-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="ps-1_prm_3"/> to manage the development, documentation, and dissemination of the personnel security policy and procedures; and</p>
-            </part>
-            <part name="item" id="ps-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current personnel security:</p>
-               <part name="item" id="ps-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="ps-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="ps-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="ps-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ps-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the PS family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-2">
-         <title>Position Risk Designation</title>
-         <param id="ps-2_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-2</prop>
-         <prop name="sort-id">PS-02</prop>
-         <link rel="reference" href="#2383ccfd-d8a0-4e3a-bf40-21288ae1e07a">[5 CFR 731]</link>
-         <link rel="related" href="#ac-5">AC-5</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-21">SA-21</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ps-2_smt">
-            <part name="item" id="ps-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Assign a risk designation to all organizational positions;</p>
-            </part>
-            <part name="item" id="ps-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Establish screening criteria for individuals filling those positions; and</p>
-            </part>
-            <part name="item" id="ps-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update position risk designations <insert param-id="ps-2_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ps-2_gdn">
-            <p>Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-3">
-         <title>Personnel Screening</title>
-         <param id="ps-3_prm_1">
-            <label>organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening</label>
-         </param>
-         <prop name="label">PS-3</prop>
-         <prop name="sort-id">PS-03</prop>
-         <link rel="reference" href="#52a8b0c6-0c6b-424b-928d-41c50ba87838">[EO 13526]</link>
-         <link rel="reference" href="#2b5e12fb-633f-49e6-8aff-81d75bf53545">[EO 13587]</link>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="reference" href="#3d6b3a16-94e7-4a43-8648-8bdeaadb271b">[SP 800-73-4]</link>
-         <link rel="reference" href="#d5ef0056-c807-44c3-a7b5-6eb491538f8e">[SP 800-76-2]</link>
-         <link rel="reference" href="#013e098f-0680-4856-a130-b768c69dab9c">[SP 800-78-4]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#sa-21">SA-21</link>
-         <part name="statement" id="ps-3_smt">
-            <part name="item" id="ps-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Screen individuals prior to authorizing access to the system; and</p>
-            </part>
-            <part name="item" id="ps-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Rescreen individuals in accordance with <insert param-id="ps-3_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ps-3_gdn">
-            <p>Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-3.1">
-            <title>Classified Information</title>
-            <prop name="label">PS-3(1)</prop>
-            <prop name="sort-id">PS-03(01)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <part name="statement" id="ps-3.1_smt">
-               <p>Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.</p>
-            </part>
-            <part name="guidance" id="ps-3.1_gdn">
-               <p>Classified information is the most sensitive information the federal government processes, stores, or transmits. It is imperative that individuals have the requisite security clearances and system access authorizations prior to gaining access to such information. Access authorizations are enforced by system access controls (see AC-3) and flow controls (see AC-4).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-3.2">
-            <title>Formal Indoctrination</title>
-            <prop name="label">PS-3(2)</prop>
-            <prop name="sort-id">PS-03(02)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <part name="statement" id="ps-3.2_smt">
-               <p>Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system.</p>
-            </part>
-            <part name="guidance" id="ps-3.2_gdn">
-               <p>Types of classified information requiring formal indoctrination include Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartment Information (SCI).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-3.3">
-            <title>Information with Special Protective Measures</title>
-            <param id="ps-3.3_prm_1">
-               <label>organization-defined additional personnel screening criteria</label>
-            </param>
-            <prop name="label">PS-3(3)</prop>
-            <prop name="sort-id">PS-03(03)</prop>
-            <part name="statement" id="ps-3.3_smt">
-               <p>Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:</p>
-               <part name="item" id="ps-3.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Have valid access authorizations that are demonstrated by assigned official government duties; and</p>
-               </part>
-               <part name="item" id="ps-3.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Satisfy <insert param-id="ps-3.3_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ps-3.3_gdn">
-               <p>Organizational information requiring special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-3.4">
-            <title>Citizenship Requirements</title>
-            <param id="ps-3.4_prm_1">
-               <label>organization-defined information types</label>
-            </param>
-            <param id="ps-3.4_prm_2">
-               <label>organization-defined citizenship requirements</label>
-            </param>
-            <prop name="label">PS-3(4)</prop>
-            <prop name="sort-id">PS-03(04)</prop>
-            <part name="statement" id="ps-3.4_smt">
-               <p>Verify that individuals accessing a system processing, storing, or transmitting <insert param-id="ps-3.4_prm_1"/> meet <insert param-id="ps-3.4_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ps-3.4_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-4">
-         <title>Personnel Termination</title>
-         <param id="ps-4_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <param id="ps-4_prm_2">
-            <label>organization-defined information security topics</label>
-         </param>
-         <prop name="label">PS-4</prop>
-         <prop name="sort-id">PS-04</prop>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <part name="statement" id="ps-4_smt">
-            <p>Upon termination of individual employment:</p>
-            <part name="item" id="ps-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Disable system access within <insert param-id="ps-4_prm_1"/>;</p>
-            </part>
-            <part name="item" id="ps-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Terminate or revoke any authenticators and credentials associated with the individual;</p>
-            </part>
-            <part name="item" id="ps-4_smt.c">
-               <prop name="label">c.</prop>
-               <p>Conduct exit interviews that include a discussion of <insert param-id="ps-4_prm_2"/>;</p>
-            </part>
-            <part name="item" id="ps-4_smt.d">
-               <prop name="label">d.</prop>
-               <p>Retrieve all security-related organizational system-related property; and</p>
-            </part>
-            <part name="item" id="ps-4_smt.e">
-               <prop name="label">e.</prop>
-               <p>Retain access to organizational information and systems formerly controlled by terminated individual.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ps-4_gdn">
-            <p>System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals including in cases related to unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling system accounts of individuals that are being terminated prior to the individuals being notified.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-4.1">
-            <title>Post-employment Requirements</title>
-            <prop name="label">PS-4(1)</prop>
-            <prop name="sort-id">PS-04(01)</prop>
-            <part name="statement" id="ps-4.1_smt">
-               <part name="item" id="ps-4.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and</p>
-               </part>
-               <part name="item" id="ps-4.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ps-4.1_gdn">
-               <p>Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-4.2">
-            <title>Automated Notification</title>
-            <param id="ps-4.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="ps-4.2_prm_2">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">PS-4(2)</prop>
-            <prop name="sort-id">PS-04(02)</prop>
-            <part name="statement" id="ps-4.2_smt">
-               <p>Notify <insert param-id="ps-4.2_prm_1"/> of individual termination actions using <insert param-id="ps-4.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ps-4.2_gdn">
-               <p>In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including telephonically, via electronic mail, via text message, or via websites.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-5">
-         <title>Personnel Transfer</title>
-         <param id="ps-5_prm_1">
-            <label>organization-defined transfer or reassignment actions</label>
-         </param>
-         <param id="ps-5_prm_2">
-            <label>organization-defined time-period following the formal transfer action</label>
-         </param>
-         <param id="ps-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-5_prm_4">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">PS-5</prop>
-         <prop name="sort-id">PS-05</prop>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ps-4">PS-4</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <part name="statement" id="ps-5_smt">
-            <part name="item" id="ps-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;</p>
-            </part>
-            <part name="item" id="ps-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Initiate <insert param-id="ps-5_prm_1"/> within <insert param-id="ps-5_prm_2"/>;</p>
-            </part>
-            <part name="item" id="ps-5_smt.c">
-               <prop name="label">c.</prop>
-               <p>Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and</p>
-            </part>
-            <part name="item" id="ps-5_smt.d">
-               <prop name="label">d.</prop>
-               <p>Notify <insert param-id="ps-5_prm_3"/> within <insert param-id="ps-5_prm_4"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ps-5_gdn">
-            <p>Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-6">
-         <title>Access Agreements</title>
-         <param id="ps-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ps-6_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PS-6</prop>
-         <prop name="sort-id">PS-06</prop>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#pe-2">PE-2</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#sa-21">SA-21</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ps-6_smt">
-            <part name="item" id="ps-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop and document access agreements for organizational systems;</p>
-            </part>
-            <part name="item" id="ps-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review and update the access agreements <insert param-id="ps-6_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="ps-6_smt.c">
-               <prop name="label">c.</prop>
-               <p>Verify that individuals requiring access to organizational information and systems:</p>
-               <part name="item" id="ps-6_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Sign appropriate access agreements prior to being granted access; and</p>
-               </part>
-               <part name="item" id="ps-6_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or <insert param-id="ps-6_prm_2"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ps-6_gdn">
-            <p>Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ps-6.1">
-            <title>Information Requiring Special Protection</title>
-            <prop name="label">PS-6(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">PS-06(01)</prop>
-            <link rel="incorporated-into" href="#ps-3">PS-3</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-6.2">
-            <title>Classified Information Requiring Special Protection</title>
-            <prop name="label">PS-6(2)</prop>
-            <prop name="sort-id">PS-06(02)</prop>
-            <part name="statement" id="ps-6.2_smt">
-               <p>Verify that access to classified information requiring special protection is granted only to individuals who:</p>
-               <part name="item" id="ps-6.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Have a valid access authorization that is demonstrated by assigned official government duties;</p>
-               </part>
-               <part name="item" id="ps-6.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Satisfy associated personnel security criteria; and</p>
-               </part>
-               <part name="item" id="ps-6.2_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Have read, understood, and signed a nondisclosure agreement.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ps-6.2_gdn">
-               <p>Classified information requiring special protection includes collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ps-6.3">
-            <title>Post-employment Requirements</title>
-            <prop name="label">PS-6(3)</prop>
-            <prop name="sort-id">PS-06(03)</prop>
-            <link rel="related" href="#ps-4">PS-4</link>
-            <part name="statement" id="ps-6.3_smt">
-               <part name="item" id="ps-6.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and</p>
-               </part>
-               <part name="item" id="ps-6.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ps-6.3_gdn">
-               <p>Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ps-7">
-         <title>External Personnel Security</title>
-         <param id="ps-7_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-7_prm_2">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">PS-7</prop>
-         <prop name="sort-id">PS-07</prop>
-         <link rel="reference" href="#ed919d0d-8e21-4df6-801d-3fbc4cb8a505">[SP 800-35]</link>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#ps-4">PS-4</link>
-         <link rel="related" href="#ps-5">PS-5</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sa-21">SA-21</link>
-         <part name="statement" id="ps-7_smt">
-            <part name="item" id="ps-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish personnel security requirements, including security roles and responsibilities for external providers;</p>
-            </part>
-            <part name="item" id="ps-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Require external providers to comply with personnel security policies and procedures established by the organization;</p>
-            </part>
-            <part name="item" id="ps-7_smt.c">
-               <prop name="label">c.</prop>
-               <p>Document personnel security requirements;</p>
-            </part>
-            <part name="item" id="ps-7_smt.d">
-               <prop name="label">d.</prop>
-               <p>Require external providers to notify <insert param-id="ps-7_prm_1"/> of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within <insert param-id="ps-7_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="ps-7_smt.e">
-               <prop name="label">e.</prop>
-               <p>Monitor provider compliance with personnel security requirements.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ps-7_gdn">
-            <p>External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations providing system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and nature of credentials or privileges associated with individuals transferred or terminated.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ps-8">
-         <title>Personnel Sanctions</title>
-         <param id="ps-8_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ps-8_prm_2">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">PS-8</prop>
-         <prop name="sort-id">PS-08</prop>
-         <link rel="related" href="#ac-1">AC-1</link>
-         <link rel="related" href="#at-1">AT-1</link>
-         <link rel="related" href="#au-1">AU-1</link>
-         <link rel="related" href="#ca-1">CA-1</link>
-         <link rel="related" href="#cm-1">CM-1</link>
-         <link rel="related" href="#cp-1">CP-1</link>
-         <link rel="related" href="#ia-1">IA-1</link>
-         <link rel="related" href="#ir-1">IR-1</link>
-         <link rel="related" href="#ma-1">MA-1</link>
-         <link rel="related" href="#mp-1">MP-1</link>
-         <link rel="related" href="#pe-1">PE-1</link>
-         <link rel="related" href="#pl-1">PL-1</link>
-         <link rel="related" href="#pm-1">PM-1</link>
-         <link rel="related" href="#ps-1">PS-1</link>
-         <link rel="related" href="#pt-1">PT-1</link>
-         <link rel="related" href="#ra-1">RA-1</link>
-         <link rel="related" href="#sa-1">SA-1</link>
-         <link rel="related" href="#sc-1">SC-1</link>
-         <link rel="related" href="#si-1">SI-1</link>
-         <link rel="related" href="#sr-1">SR-1</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#pt-1">PT-1</link>
-         <part name="statement" id="ps-8_smt">
-            <part name="item" id="ps-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and</p>
-            </part>
-            <part name="item" id="ps-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Notify <insert param-id="ps-8_prm_1"/> within <insert param-id="ps-8_prm_2"/> when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ps-8_gdn">
-            <p>Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="pt">
-      <title>Personally Identifiable Information Processing and Transparency</title>
-      <control class="SP800-53" id="pt-1">
-         <title>Policy and Procedures</title>
-         <param id="pt-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="pt-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="pt-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="pt-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pt-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">PT-1</prop>
-         <prop name="sort-id">PT-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <part name="statement" id="pt-1_smt">
-            <part name="item" id="pt-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="pt-1_prm_1"/>:</p>
-               <part name="item" id="pt-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="pt-1_prm_2"/> personally identifiable information processing and transparency policy that:</p>
-                  <part name="item" id="pt-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="pt-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="pt-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;</p>
-               </part>
-            </part>
-            <part name="item" id="pt-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="pt-1_prm_3"/> to manage the development, documentation, and dissemination of the incident personally identifiable information processing and transparency policy and procedures; and</p>
-            </part>
-            <part name="item" id="pt-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current personally identifiable information processing and transparency:</p>
-               <part name="item" id="pt-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="pt-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="pt-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="pt-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="pt-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the PT family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pt-2">
-         <title>Authority to Process Personally Identifiable Information</title>
-         <param id="pt-2_prm_1">
-            <label>organization-defined authority</label>
-         </param>
-         <param id="pt-2_prm_2">
-            <label>organization-defined processing</label>
-         </param>
-         <param id="pt-2_prm_3">
-            <label>organization-defined processing</label>
-         </param>
-         <prop name="label">PT-2</prop>
-         <prop name="sort-id">PT-02</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#cm-13">CM-13</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-24">PM-24</link>
-         <link rel="related" href="#pt-1">PT-1</link>
-         <link rel="related" href="#pt-3">PT-3</link>
-         <link rel="related" href="#pt-6">PT-6</link>
-         <link rel="related" href="#pt-7">PT-7</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-8">RA-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#si-18">SI-18</link>
-         <part name="statement" id="pt-2_smt">
-            <part name="item" id="pt-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Determine and document the <insert param-id="pt-2_prm_1"/> that permits the <insert param-id="pt-2_prm_2"/> of personally identifiable information; and</p>
-            </part>
-            <part name="item" id="pt-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Restrict the <insert param-id="pt-2_prm_3"/> of personally identifiable information to only that which is authorized.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pt-2_gdn">
-            <p>Processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes, but is not limited to, creation, collection,  use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.
-Organizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organizations’ policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise from its processing. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.
-Organizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT] statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and/or other documentation.
-Organizations take steps to ensure that personally identifiable information is processed only for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pt-2.1">
-            <title>Data Tagging</title>
-            <param id="pt-2.1_prm_1">
-               <label>organization-defined permissible processing</label>
-            </param>
-            <param id="pt-2.1_prm_2">
-               <label>organization-defined elements of personally identifiable information</label>
-            </param>
-            <prop name="label">PT-2(1)</prop>
-            <prop name="sort-id">PT-02(01)</prop>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-12">CM-12</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-10">SI-10</link>
-            <link rel="related" href="#si-15">SI-15</link>
-            <link rel="related" href="#si-19">SI-19</link>
-            <part name="statement" id="pt-2.1_smt">
-               <p>Attach data tags containing <insert param-id="pt-2.1_prm_1"/> to <insert param-id="pt-2.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="pt-2.1_gdn">
-               <p>Data tags support tracking and enforcement of authorized processing by conveying the types of processing that are authorized along with the relevant elements of personally identifiable information throughout the system. Data tags may also support the use of automated tools.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pt-2.2">
-            <title>Automation</title>
-            <param id="pt-2.2_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">PT-2(2)</prop>
-            <prop name="sort-id">PT-02(02)</prop>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-12">CM-12</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-10">SI-10</link>
-            <link rel="related" href="#si-15">SI-15</link>
-            <link rel="related" href="#si-19">SI-19</link>
-            <part name="statement" id="pt-2.2_smt">
-               <p>Manage enforcement of the authorized processing of personally identifiable information using <insert param-id="pt-2.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pt-2.2_gdn">
-               <p>Automated mechanisms augment verification that only authorized processing is occurring.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pt-3">
-         <title>Personally Identifiable Information Processing Purposes</title>
-         <param id="pt-3_prm_1">
-            <label>Assignment organization-defined purpose(s)</label>
-         </param>
-         <param id="pt-3_prm_2">
-            <label>organization-defined processing</label>
-         </param>
-         <param id="pt-3_prm_3">
-            <label>organization-defined mechanisms</label>
-         </param>
-         <param id="pt-3_prm_4">
-            <label>organization-defined requirements</label>
-         </param>
-         <prop name="label">PT-3</prop>
-         <prop name="sort-id">PT-03</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#cm-13">CM-13</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-25">PM-25</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-6">PT-6</link>
-         <link rel="related" href="#pt-7">PT-7</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <link rel="related" href="#ra-8">RA-8</link>
-         <link rel="related" href="#sc-43">SC-43</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#si-18">SI-18</link>
-         <part name="statement" id="pt-3_smt">
-            <part name="item" id="pt-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identify and document the <insert param-id="pt-3_prm_1"/> for processing personally identifiable information;</p>
-            </part>
-            <part name="item" id="pt-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Describe the purpose(s) in the public privacy notices and policies of the organization;</p>
-            </part>
-            <part name="item" id="pt-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Restrict the <insert param-id="pt-3_prm_2"/> of personally identifiable information to only that which is compatible with the identified purpose(s); and</p>
-            </part>
-            <part name="item" id="pt-3_smt.d">
-               <prop name="label">d.</prop>
-               <p>Monitor changes in processing personally identifiable information and implement <insert param-id="pt-3_prm_3"/> to ensure that any changes are made in accordance with <insert param-id="pt-3_prm_4"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pt-3_gdn">
-            <p>Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system, and individuals whose information is processed by the system, to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations, and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT] statements, computer matching notices, and other applicable Federal Register notices.
-Organizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.
-Organizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes arising from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks arising from changes in personally identifiable information processing purposes.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pt-3.1">
-            <title>Data Tagging</title>
-            <param id="pt-3.1_prm_1">
-               <label>organization-defined elements of personally identifiable information</label>
-            </param>
-            <param id="pt-3.1_prm_2">
-               <label>organization-defined processing purposes</label>
-            </param>
-            <prop name="label">PT-3(1)</prop>
-            <prop name="sort-id">PT-03(01)</prop>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-12">CM-12</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-10">SI-10</link>
-            <link rel="related" href="#si-15">SI-15</link>
-            <link rel="related" href="#si-19">SI-19</link>
-            <part name="statement" id="pt-3.1_smt">
-               <p>Attach data tags containing the following purposes to <insert param-id="pt-3.1_prm_1"/>: <insert param-id="pt-3.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="pt-3.1_gdn">
-               <p>Data tags support tracking of processing purposes by conveying the purposes along with the relevant elements of personally identifiable information throughout the system. By conveying the processing purposes in a data tag along with the personally identifiable information as the information transits a system, a system owner or operator can identify whether a change in processing would be compatible with the identified and documented purposes. Data tags may also support the use of automated tools.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pt-3.2">
-            <title>Automation</title>
-            <param id="pt-3.2_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">PT-3(2)</prop>
-            <prop name="sort-id">PT-03(02)</prop>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#cm-12">CM-12</link>
-            <link rel="related" href="#pm-5">PM-5</link>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <link rel="related" href="#sc-43">SC-43</link>
-            <link rel="related" href="#si-10">SI-10</link>
-            <link rel="related" href="#si-15">SI-15</link>
-            <link rel="related" href="#si-19">SI-19</link>
-            <part name="statement" id="pt-3.2_smt">
-               <p>Track processing purposes of personally identifiable information using <insert param-id="pt-3.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pt-3.2_gdn">
-               <p>Automated mechanisms augment tracking of the processing purposes.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pt-4">
-         <title>Minimization</title>
-         <param id="pt-4_prm_1">
-            <label>organization-defined processes</label>
-         </param>
-         <prop name="label">PT-4</prop>
-         <prop name="sort-id">PT-04</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#pm-25">PM-25</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sc-42">SC-42</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="pt-4_smt">
-            <p>Implement the privacy principle of minimization using <insert param-id="pt-4_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="pt-4_gdn">
-            <p>The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose, and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="pt-5">
-         <title>Consent</title>
-         <param id="pt-5_prm_1">
-            <label>organization-defined tools or mechanisms</label>
-         </param>
-         <prop name="label">PT-5</prop>
-         <prop name="sort-id">PT-05</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#pt-6">PT-6</link>
-         <part name="statement" id="pt-5_smt">
-            <p>Implement <insert param-id="pt-5_prm_1"/> for individuals to consent to the processing of their personally identifiable information prior to its collection that:</p>
-            <part name="item" id="pt-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Facilitate individuals’ informed decision-making; and</p>
-            </part>
-            <part name="item" id="pt-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Provide a means for individuals to decline consent.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pt-5_gdn">
-            <p>Consent allows individuals to participate in the decision-making about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting this control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks arising from their authorization. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the data actions carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pt-5.1">
-            <title>Tailored Consent</title>
-            <param id="pt-5.1_prm_1">
-               <label>organization-defined mechanisms</label>
-            </param>
-            <prop name="label">PT-5(1)</prop>
-            <prop name="sort-id">PT-05(01)</prop>
-            <link rel="related" href="#pt-2">PT-2</link>
-            <part name="statement" id="pt-5.1_smt">
-               <p>Provide <insert param-id="pt-5.1_prm_1"/> to allow individuals to tailor processing permissions to selected elements of personally identifiable information.</p>
-            </part>
-            <part name="guidance" id="pt-5.1_gdn">
-               <p>While some processing may be necessary for the basic functionality of the product or service, other processing may not be necessary for the functionality of the product or service. In these circumstances, organizations allow individuals to select how specific personally identifiable information elements may be processed. More tailored consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse behaviors such as abandonment of the product or service.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pt-5.2">
-            <title>Just-in-time Consent</title>
-            <param id="pt-5.2_prm_1">
-               <label>organization-defined consent mechanisms</label>
-            </param>
-            <prop name="label">PT-5(2)</prop>
-            <prop name="sort-id">PT-05(02)</prop>
-            <link rel="related" href="#pt-2">PT-2</link>
-            <part name="statement" id="pt-5.2_smt">
-               <p>Present <insert param-id="pt-5.2_prm_1"/> to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action.</p>
-            </part>
-            <part name="guidance" id="pt-5.2_gdn">
-               <p>Just-in-time consent enables individuals to participate in how their personally identifiable information is being processed at the time when such participation may be most useful to the individual. Individual assumptions about how personally identifiable information will be processed might not be accurate or reliable if time has passed since the individual last gave consent or the particular circumstances under which consent was given have changed. Organizations use discretion to determine when to use just-in-time consent and may use supporting information on demographics, focus groups, or surveys to learn more about individuals’ privacy interests and concerns.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pt-6">
-         <title>Privacy Notice</title>
-         <param id="pt-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="pt-6_prm_2">
-            <label>organization-defined information</label>
-         </param>
-         <prop name="label">PT-6</prop>
-         <prop name="sort-id">PT-06</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#395f6bb9-bcc2-41fc-977f-04372f4a6a82">[OMB A-108]</link>
-         <link rel="related" href="#pm-20">PM-20</link>
-         <link rel="related" href="#pm-22">PM-22</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-3">PT-3</link>
-         <link rel="related" href="#pt-5">PT-5</link>
-         <link rel="related" href="#pt-8">PT-8</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#si-18">SI-18</link>
-         <part name="statement" id="pt-6_smt">
-            <p>Provide notice to individuals about the processing of personally identifiable information that:</p>
-            <part name="item" id="pt-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Is available to individuals upon first interacting with an organization, and subsequently at <insert param-id="pt-6_prm_1"/>;</p>
-            </part>
-            <part name="item" id="pt-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;</p>
-            </part>
-            <part name="item" id="pt-6_smt.c">
-               <prop name="label">c.</prop>
-               <p>Identifies the authority that authorizes the processing of personally identifiable information;</p>
-            </part>
-            <part name="item" id="pt-6_smt.d">
-               <prop name="label">d.</prop>
-               <p>Identifies the purposes for which personally identifiable information is to be processed; and</p>
-            </part>
-            <part name="item" id="pt-6_smt.e">
-               <prop name="label">e.</prop>
-               <p>Includes <insert param-id="pt-6_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pt-6_gdn">
-            <p>Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and, other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.
-Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pt-6.1">
-            <title>Just-in-time Notice</title>
-            <param id="pt-6.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">PT-6(1)</prop>
-            <prop name="sort-id">PT-06(01)</prop>
-            <link rel="related" href="#pm-21">PM-21</link>
-            <part name="statement" id="pt-6.1_smt">
-               <p>Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or <insert param-id="pt-6.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="pt-6.1_gdn">
-               <p>Just-in-time notice enables individuals to be informed of how organizations process their personally identifiable information at a time when such notice may be most useful to the individual. Individual assumption about how personally identifiable information will be processed might not be accurate or reliable if time has passed since the organization last presented notice or the circumstances under which the individual was last provided notice have changed. Just-in-time notice can explain data actions that organizations have identified as potentially giving rise to greater privacy risk for individuals. Organizations can use just-in-time notice to update or remind individuals about specific data actions as they occur or highlight specific changes that occurred since last presenting notice. Just-in-time notice can be used in conjunction with just-in-time consent to explain what will occur if consent is declined. Organizations use discretion to determine when to use just-in-time notice and may use supporting information on user demographics, focus groups, or surveys to learn about users’ privacy interests and concerns.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pt-6.2">
-            <title>Privacy Act Statements</title>
-            <prop name="label">PT-6(2)</prop>
-            <prop name="sort-id">PT-06(02)</prop>
-            <link rel="related" href="#pt-7">PT-7</link>
-            <part name="statement" id="pt-6.2_smt">
-               <p>Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.</p>
-            </part>
-            <part name="guidance" id="pt-6.2_gdn">
-               <p>If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT] statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT] statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.
-[PRIVACT] statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT].</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pt-7">
-         <title>System of Records Notice</title>
-         <prop name="label">PT-7</prop>
-         <prop name="sort-id">PT-07</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#395f6bb9-bcc2-41fc-977f-04372f4a6a82">[OMB A-108]</link>
-         <link rel="related" href="#pm-20">PM-20</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-3">PT-3</link>
-         <link rel="related" href="#pt-6">PT-6</link>
-         <part name="statement" id="pt-7_smt">
-            <p>For systems that process information that will be maintained in a Privacy Act system of records:</p>
-            <part name="item" id="pt-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;</p>
-            </part>
-            <part name="item" id="pt-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Publish system of records notices in the Federal Register; and</p>
-            </part>
-            <part name="item" id="pt-7_smt.c">
-               <prop name="label">c.</prop>
-               <p>Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pt-7_gdn">
-            <p>The [PRIVACT] requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a [PRIVACT] system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system, and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108].</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pt-7.1">
-            <title>Routine Uses</title>
-            <param id="pt-7.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">PT-7(1)</prop>
-            <prop name="sort-id">PT-07(01)</prop>
-            <part name="statement" id="pt-7.1_smt">
-               <p>Review all routine uses published in the system of records notice at <insert param-id="pt-7.1_prm_1"/> to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.</p>
-            </part>
-            <part name="guidance" id="pt-7.1_gdn">
-               <p>A [PRIVACT] routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT] prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT] requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pt-7.2">
-            <title>Exemption Rules</title>
-            <param id="pt-7.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">PT-7(2)</prop>
-            <prop name="sort-id">PT-07(02)</prop>
-            <part name="statement" id="pt-7.2_smt">
-               <p>Review all Privacy Act exemptions claimed for the system of records at <insert param-id="pt-7.2_prm_1"/> to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.</p>
-            </part>
-            <part name="guidance" id="pt-7.2_gdn">
-               <p>The [PRIVACT] includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. These provisions allow agencies in certain circumstances to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT]. At a minimum, organizations’ [PRIVACT] exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT] from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pt-8">
-         <title>Specific  Categories of Personally Identifiable Information</title>
-         <param id="pt-8_prm_1">
-            <label>organization-defined processing conditions</label>
-         </param>
-         <prop name="label">PT-8</prop>
-         <prop name="sort-id">PT-08</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#395f6bb9-bcc2-41fc-977f-04372f4a6a82">[OMB A-108]</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-3">PT-3</link>
-         <part name="statement" id="pt-8_smt">
-            <p>Apply <insert param-id="pt-8_prm_1"/> for specific categories of personally identifiable information.</p>
-         </part>
-         <part name="guidance" id="pt-8_gdn">
-            <p>Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from organizational policies and determinations when an organization has determined that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="pt-8.1">
-            <title>Social Security Numbers</title>
-            <prop name="label">PT-8(1)</prop>
-            <prop name="sort-id">PT-08(01)</prop>
-            <part name="statement" id="pt-8.1_smt">
-               <p>When a system processes Social Security numbers:</p>
-               <part name="item" id="pt-8.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;</p>
-               </part>
-               <part name="item" id="pt-8.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and</p>
-               </part>
-               <part name="item" id="pt-8.1_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.</p>
-               </part>
-            </part>
-            <part name="guidance" id="pt-8.1_gdn">
-               <p>Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information, and observe any particular requirements that apply.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="pt-8.2">
-            <title>First Amendment Information</title>
-            <prop name="label">PT-8(2)</prop>
-            <prop name="sort-id">PT-08(02)</prop>
-            <part name="statement" id="pt-8.2_smt">
-               <p>Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.</p>
-            </part>
-            <part name="guidance" id="pt-8.2_gdn">
-               <p>None.
-Related Controls: The [PRIVACT] limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="pt-9">
-         <title>Computer Matching Requirements</title>
-         <prop name="label">PT-9</prop>
-         <prop name="sort-id">PT-09</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#395f6bb9-bcc2-41fc-977f-04372f4a6a82">[OMB A-108]</link>
-         <link rel="related" href="#pm-24">PM-24</link>
-         <part name="statement" id="pt-9_smt">
-            <p>When a system or organization processes information for the purpose of conducting a matching program:</p>
-            <part name="item" id="pt-9_smt.a">
-               <prop name="label">a.</prop>
-               <p>Obtain approval from the Data Integrity Board to conduct the matching program;</p>
-            </part>
-            <part name="item" id="pt-9_smt.b">
-               <prop name="label">b.</prop>
-               <p>Develop and enter into a computer matching agreement;</p>
-            </part>
-            <part name="item" id="pt-9_smt.c">
-               <prop name="label">c.</prop>
-               <p>Publish a matching notice in the Federal Register;</p>
-            </part>
-            <part name="item" id="pt-9_smt.d">
-               <prop name="label">d.</prop>
-               <p>Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and</p>
-            </part>
-            <part name="item" id="pt-9_smt.e">
-               <prop name="label">e.</prop>
-               <p>Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.</p>
-            </part>
-         </part>
-         <part name="guidance" id="pt-9_gdn">
-            <p>The [PRIVACT] establishes a set of requirements for federal and non-federal agencies when they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT] systems of records, or an automated system of records and automated records maintained by a non-Federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. A Federal benefit match is performed for purposes of determining or verifying eligibility for payments under Federal benefit programs, or recouping payments or delinquent debts under Federal benefit programs. A matching program involves not just the matching activity itself, but also the investigative follow-up and ultimate action, if any.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="ra">
-      <title>Risk Assessment</title>
-      <control class="SP800-53" id="ra-1">
-         <title>Policy and Procedures</title>
-         <param id="ra-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="ra-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="ra-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ra-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">RA-1</prop>
-         <prop name="sort-id">RA-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ra-1_smt">
-            <part name="item" id="ra-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="ra-1_prm_1"/>:</p>
-               <part name="item" id="ra-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="ra-1_prm_2"/> risk assessment policy that:</p>
-                  <part name="item" id="ra-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="ra-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="ra-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;</p>
-               </part>
-            </part>
-            <part name="item" id="ra-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="ra-1_prm_3"/> to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and</p>
-            </part>
-            <part name="item" id="ra-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current risk assessment:</p>
-               <part name="item" id="ra-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="ra-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="ra-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="ra-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ra-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the RA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-2">
-         <title>Security Categorization</title>
-         <prop name="label">RA-2</prop>
-         <prop name="sort-id">RA-02</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#f2163084-3287-45e2-9ee7-95f020415495">[FIPS 200]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-10">PL-10</link>
-         <link rel="related" href="#pl-11">PL-11</link>
-         <link rel="related" href="#pm-7">PM-7</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <link rel="related" href="#ra-8">RA-8</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ra-2_smt">
-            <part name="item" id="ra-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Categorize the system and information it processes, stores, and transmits;</p>
-            </part>
-            <part name="item" id="ra-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Document the security categorization results, including supporting rationale, in the security plan for the system; and</p>
-            </part>
-            <part name="item" id="ra-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ra-2_gdn">
-            <p>Clearly defined system boundaries are a prerequisite for security categorization decisions. Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are comprised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals.
-Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT] and Homeland Security Presidential Directives, potential national-level adverse impacts.
-Security categorization processes facilitate the development of inventories of information assets, and along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure the security categories remain accurate and relevant.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ra-2.1">
-            <title>Impact-level Prioritization</title>
-            <prop name="label">RA-2(1)</prop>
-            <prop name="sort-id">RA-02(01)</prop>
-            <part name="statement" id="ra-2.1_smt">
-               <p>Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.</p>
-            </part>
-            <part name="guidance" id="ra-2.1_gdn">
-               <p>Organizations apply the “high water mark” concept to each system categorized in accordance with [FIPS 199] resulting in systems designated as low impact, moderate impact, or high impact. Organizations desiring additional granularity in the system impact designations for risk-based decision making, can further partition the systems into sub-categories of the initial system categorization. For example, an impact-level prioritization on a moderate-impact system can produce three new sub-categories: low-moderate systems, moderate-moderate systems, and high-moderate systems. Impact-level prioritization and the resulting sub-categories of the system give organizations an opportunity to focus their investments related to security control selection and the tailoring of control baselines in responding to identified risks. Impact-level prioritization can also be used to determine those systems that may be of heightened interest or value to adversaries or represent a critical loss to the federal enterprise, sometimes described as high value assets. For such high value assets, organizations may be more focused on complexity, aggregation, and interconnections. Systems with high value assets can be prioritized by partitioning high-impact systems into low-high systems, moderate-high systems, and high-high systems.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ra-3">
-         <title>Risk Assessment</title>
-         <param id="ra-3_prm_1">
-            <select>
-               <choice>security and privacy plans</choice>
-               <choice>risk assessment report</choice>
-               <choice>
-                  <insert param-id="ra-3_prm_2"/>
-               </choice>
-            </select>
-         </param>
-         <param id="ra-3_prm_2" depends-on="ra-3_prm_1">
-            <label>organization-defined document</label>
-         </param>
-         <param id="ra-3_prm_3">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ra-3_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="ra-3_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">RA-3</prop>
-         <prop name="sort-id">RA-03</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7e7538d7-9c3a-4e5f-bbb4-638cec975415">[IR 8023]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-13">CM-13</link>
-         <link rel="related" href="#cp-6">CP-6</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ma-5">MA-5</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-18">PE-18</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-10">PL-10</link>
-         <link rel="related" href="#pl-11">PL-11</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-28">PM-28</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="ra-3_smt">
-            <part name="item" id="ra-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Conduct a risk assessment, including:</p>
-               <part name="item" id="ra-3_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>The likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and</p>
-               </part>
-               <part name="item" id="ra-3_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;</p>
-               </part>
-            </part>
-            <part name="item" id="ra-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;</p>
-            </part>
-            <part name="item" id="ra-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Document risk assessment results in <insert param-id="ra-3_prm_1"/>;</p>
-            </part>
-            <part name="item" id="ra-3_smt.d">
-               <prop name="label">d.</prop>
-               <p>Review risk assessment results <insert param-id="ra-3_prm_3"/>;</p>
-            </part>
-            <part name="item" id="ra-3_smt.e">
-               <prop name="label">e.</prop>
-               <p>Disseminate risk assessment results to <insert param-id="ra-3_prm_4"/>; and</p>
-            </part>
-            <part name="item" id="ra-3_smt.f">
-               <prop name="label">f.</prop>
-               <p>Update the risk assessment <insert param-id="ra-3_prm_5"/> or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ra-3_gdn">
-            <p>Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of systems. Risk assessments also consider risk from external parties, including individuals accessing organizational systems; contractors operating systems on behalf of the organization; service providers; and outsourcing entities.
-Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, control selection, control implementation, control assessment, system authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.
-In addition to the information processed, stored, and transmitted by the system, risk assessments can also address any information related to the system, including system design, the intended use of the system, testing results, and other supply chain-related information or artifacts. Assessments of risk can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ra-3.1">
-            <title>Supply Chain Risk Assessment</title>
-            <param id="ra-3.1_prm_1">
-               <label>organization-defined systems, system components, and system services</label>
-            </param>
-            <param id="ra-3.1_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">RA-3(1)</prop>
-            <prop name="sort-id">RA-03(01)</prop>
-            <link rel="related" href="#ra-2">RA-2</link>
-            <link rel="related" href="#ra-9">RA-9</link>
-            <link rel="related" href="#pm-17">PM-17</link>
-            <link rel="related" href="#sr-2">SR-2</link>
-            <part name="statement" id="ra-3.1_smt">
-               <part name="item" id="ra-3.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Assess supply chain risks associated with <insert param-id="ra-3.1_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="ra-3.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Update the supply chain risk assessment <insert param-id="ra-3.1_prm_2"/>, when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.</p>
-               </part>
-            </part>
-            <part name="guidance" id="ra-3.1_gdn">
-               <p>Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-3.2">
-            <title>Use of All-source Intelligence</title>
-            <prop name="label">RA-3(2)</prop>
-            <prop name="sort-id">RA-03(02)</prop>
-            <part name="statement" id="ra-3.2_smt">
-               <p>Use all-source intelligence to assist in the analysis of risk.</p>
-            </part>
-            <part name="guidance" id="ra-3.2_gdn">
-               <p>Organizations employ all-source intelligence to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of information derived from all available sources, including publicly available or open-source information; measurement and signature intelligence; human intelligence; signals intelligence; and imagery intelligence. All-source intelligence is used to analyze the risk of vulnerabilities (both intentional and unintentional) from development, manufacturing, and delivery processes, people, and the environment. The risk analysis may be performed on suppliers at multiple tiers in the supply chain sufficient to manage risks. Organizations may develop agreements to share all-source intelligence information or resulting decisions with other organizations, as appropriate.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-3.3">
-            <title>Dynamic Threat Awareness</title>
-            <param id="ra-3.3_prm_1">
-               <label>organization-defined means</label>
-            </param>
-            <prop name="label">RA-3(3)</prop>
-            <prop name="sort-id">RA-03(03)</prop>
-            <link rel="related" href="#at-2">AT-2</link>
-            <part name="statement" id="ra-3.3_smt">
-               <p>Determine the current cyber threat environment on an ongoing basis using <insert param-id="ra-3.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ra-3.3_gdn">
-               <p>The threat awareness information that is gathered feeds into the organization’s information security operations to ensure that procedures are updated in response to the changing threat environment.  For example, at higher threat levels, organizations may change the privilege or authentication thresholds required to perform certain operations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-3.4">
-            <title>Predictive Cyber Analytics</title>
-            <param id="ra-3.4_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <param id="ra-3.4_prm_2">
-               <label>organization-defined advanced automation and analytics capabilities</label>
-            </param>
-            <prop name="label">RA-3(4)</prop>
-            <prop name="sort-id">RA-03(04)</prop>
-            <part name="statement" id="ra-3.4_smt">
-               <p>Employ the following advanced automation and analytics capabilities to predict and identify risks to <insert param-id="ra-3.4_prm_1"/>: <insert param-id="ra-3.4_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ra-3.4_gdn">
-               <p>A properly resourced Security Operations Center (SOC) or Computer Incident Response Team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and analytics capabilities are typically supported by artificial intelligence concepts including, machine learning. Examples include Automated Threat Discovery and Response (which includes broad-based collection, context-based analysis, and adaptive response capabilities), Automated Workflow Operations, and Machine Assisted Decision tools. Note, however, that sophisticated adversaries may be able to extract information related to analytic parameters and retrain the machine learning to classify malicious activity as benign. Accordingly, machine learning is augmented by human monitoring to ensure sophisticated adversaries are not able to conceal their activity.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ra-4">
-         <title>Risk Assessment Update</title>
-         <prop name="label">RA-4</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">RA-04</prop>
-         <link rel="incorporated-into" href="#ra-3">RA-3</link>
-      </control>
-      <control class="SP800-53" id="ra-5">
-         <title>Vulnerability Monitoring and Scanning</title>
-         <param id="ra-5_prm_1">
-            <label>organization-defined frequency and/or randomly in accordance with organization-defined process</label>
-         </param>
-         <param id="ra-5_prm_2">
-            <label>organization-defined response times</label>
-         </param>
-         <param id="ra-5_prm_3">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">RA-5</prop>
-         <prop name="sort-id">RA-05</prop>
-         <link rel="reference" href="#1126ec09-2b27-4a21-80b2-fef70b31c49d">[SP 800-40]</link>
-         <link rel="reference" href="#5db6dfe4-788e-4183-93b9-f6fb29d75e41">[SP 800-53A]</link>
-         <link rel="reference" href="#14a7d982-9747-48e0-a877-3e8fbf6ae381">[SP 800-70]</link>
-         <link rel="reference" href="#a6b97214-55d4-4b86-a3a4-53d5911d96f7">[SP 800-115]</link>
-         <link rel="reference" href="#0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f">[SP 800-126]</link>
-         <link rel="reference" href="#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c">[IR 7788]</link>
-         <link rel="reference" href="#7e7538d7-9c3a-4e5f-bbb4-638cec975415">[IR 8023]</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="ra-5_smt">
-            <part name="item" id="ra-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Monitor and scan for vulnerabilities in the system and hosted applications <insert param-id="ra-5_prm_1"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
-            </part>
-            <part name="item" id="ra-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:</p>
-               <part name="item" id="ra-5_smt.b.1">
-                  <prop name="label">1.</prop>
-                  <p>Enumerating platforms, software flaws, and improper configurations;</p>
-               </part>
-               <part name="item" id="ra-5_smt.b.2">
-                  <prop name="label">2.</prop>
-                  <p>Formatting checklists and test procedures; and</p>
-               </part>
-               <part name="item" id="ra-5_smt.b.3">
-                  <prop name="label">3.</prop>
-                  <p>Measuring vulnerability impact;</p>
-               </part>
-            </part>
-            <part name="item" id="ra-5_smt.c">
-               <prop name="label">c.</prop>
-               <p>Analyze vulnerability scan reports and results from vulnerability monitoring;</p>
-            </part>
-            <part name="item" id="ra-5_smt.d">
-               <prop name="label">d.</prop>
-               <p>Remediate legitimate vulnerabilities <insert param-id="ra-5_prm_2"/> in accordance with an organizational assessment of risk;</p>
-            </part>
-            <part name="item" id="ra-5_smt.e">
-               <prop name="label">e.</prop>
-               <p>Share information obtained from the vulnerability monitoring process and control assessments with <insert param-id="ra-5_prm_3"/> to help eliminate similar vulnerabilities in other systems; and</p>
-            </part>
-            <part name="item" id="ra-5_smt.f">
-               <prop name="label">f.</prop>
-               <p>Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ra-5_gdn">
-            <p>Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities such as infrastructure components (e.g., switches, routers, sensors), networked printers, scanners, and copiers are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced, and as new scanning methods are developed, helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.
-Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP) validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments such as red team exercises provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).
-Vulnerability monitoring also includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization, and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.
-Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time, and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously, and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="ra-5.1">
-            <title>Update Tool Capability</title>
-            <prop name="label">RA-5(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">RA-05(01)</prop>
-            <link rel="incorporated-into" href="#ra-5">RA-5</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.2">
-            <title>Update System Vulnerabilities</title>
-            <param id="ra-5.2_prm_1">
-               <select how-many="one or more">
-                  <choice>
-                     <insert param-id="ra-5.2_prm_2"/>
-                  </choice>
-                  <choice>prior to a new scan</choice>
-                  <choice>when new vulnerabilities are identified and reported</choice>
-               </select>
-            </param>
-            <param id="ra-5.2_prm_2" depends-on="ra-5.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">RA-5(2)</prop>
-            <prop name="sort-id">RA-05(02)</prop>
-            <link rel="related" href="#si-5">SI-5</link>
-            <part name="statement" id="ra-5.2_smt">
-               <p>Update the system vulnerabilities to be scanned <insert param-id="ra-5.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ra-5.2_gdn">
-               <p>Due to the complexity of modern software and systems and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.3">
-            <title>Breadth and Depth of Coverage</title>
-            <prop name="label">RA-5(3)</prop>
-            <prop name="sort-id">RA-05(03)</prop>
-            <part name="statement" id="ra-5.3_smt">
-               <p>Define the breadth and depth of vulnerability scanning coverage.</p>
-            </part>
-            <part name="guidance" id="ra-5.3_gdn">
-               <p>The breadth of vulnerability scanning coverage can be expressed, for example,  as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design the organization intends to monitor (e.g., component, module, subsystem). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. [SP 800-53A] provides additional information on the breadth and depth of coverage.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.4">
-            <title>Discoverable Information</title>
-            <param id="ra-5.4_prm_1">
-               <label>organization-defined corrective actions</label>
-            </param>
-            <prop name="label">RA-5(4)</prop>
-            <prop name="sort-id">RA-05(04)</prop>
-            <link rel="related" href="#au-13">AU-13</link>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <part name="statement" id="ra-5.4_smt">
-               <p>Determine information about the system that is discoverable and take <insert param-id="ra-5.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ra-5.4_gdn">
-               <p>Discoverable information includes information that adversaries could obtain without compromising or breaching the system, for example, by collecting information the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.5">
-            <title>Privileged Access</title>
-            <param id="ra-5.5_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="ra-5.5_prm_2">
-               <label>organization-defined vulnerability scanning activities</label>
-            </param>
-            <prop name="label">RA-5(5)</prop>
-            <prop name="sort-id">RA-05(05)</prop>
-            <part name="statement" id="ra-5.5_smt">
-               <p>Implement privileged access authorization to <insert param-id="ra-5.5_prm_1"/> for <insert param-id="ra-5.5_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ra-5.5_gdn">
-               <p>In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.6">
-            <title>Automated Trend Analyses</title>
-            <param id="ra-5.6_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">RA-5(6)</prop>
-            <prop name="sort-id">RA-05(06)</prop>
-            <part name="statement" id="ra-5.6_smt">
-               <p>Compare the results of multiple vulnerability scans using <insert param-id="ra-5.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="ra-5.6_gdn">
-               <p>Using automated mechanisms to analyze multiple vulnerability scans over time can help to determine trends in system vulnerabilities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.7">
-            <title>Automated Detection and Notification of Unauthorized Components</title>
-            <prop name="label">RA-5(7)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">RA-05(07)</prop>
-            <link rel="incorporated-into" href="#cm-8">CM-8</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.8">
-            <title>Review Historic Audit Logs</title>
-            <param id="ra-5.8_prm_1">
-               <label>organization-defined system</label>
-            </param>
-            <param id="ra-5.8_prm_2">
-               <label>organization-defined time period</label>
-            </param>
-            <prop name="label">RA-5(8)</prop>
-            <prop name="sort-id">RA-05(08)</prop>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-11">AU-11</link>
-            <part name="statement" id="ra-5.8_smt">
-               <p>Review historic audit logs to determine if a vulnerability identified in a <insert param-id="ra-5.8_prm_1"/> has been previously exploited within an <insert param-id="ra-5.8_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="ra-5.8_gdn">
-               <p>Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.9">
-            <title>Penetration Testing and Analyses</title>
-            <prop name="label">RA-5(9)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">RA-05(09)</prop>
-            <link rel="incorporated-into" href="#ca-8">CA-8</link>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.10">
-            <title>Correlate Scanning Information</title>
-            <prop name="label">RA-5(10)</prop>
-            <prop name="sort-id">RA-05(10)</prop>
-            <part name="statement" id="ra-5.10_smt">
-               <p>Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.</p>
-            </part>
-            <part name="guidance" id="ra-5.10_gdn">
-               <p>An attack vector is a path or means by which an adversary can gain access to a system in order to deliver malicious code or exfiltrate information. Organizations can use attack trees to show how hostile activities by adversaries interact and combine to produce adverse impacts or negative consequences to systems and organizations. Such information, together with correlated data from vulnerability scanning tools, can provide greater clarity regarding multi-vulnerability and multi-hop attack vectors. The correlation of vulnerability scanning information is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). During such transitions, some system components may inadvertently be unmanaged and create opportunities for adversary exploitation.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="ra-5.11">
-            <title>Public Disclosure Program</title>
-            <param id="ra-5.11_prm_1">
-               <label>organization-defined public reporting channel</label>
-            </param>
-            <prop name="label">RA-5(11)</prop>
-            <prop name="sort-id">RA-05(11)</prop>
-            <part name="statement" id="ra-5.11_smt">
-               <p>Establish an <insert param-id="ra-5.11_prm_1"/> for receiving reports of vulnerabilities in organizational systems and system components.</p>
-            </part>
-            <part name="guidance" id="ra-5.11_gdn">
-               <p>The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity, but may request a specific time period to properly remediate the vulnerability.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="ra-6">
-         <title>Technical Surveillance Countermeasures Survey</title>
-         <param id="ra-6_prm_1">
-            <label>organization-defined locations</label>
-         </param>
-         <param id="ra-6_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="ra-6_prm_3"/>
-               </choice>
-               <choice>
-                  <insert param-id="ra-6_prm_4"/>
-               </choice>
-            </select>
-         </param>
-         <param id="ra-6_prm_3" depends-on="ra-6_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="ra-6_prm_4" depends-on="ra-6_prm_2">
-            <label>organization-defined events or indicators occur</label>
-         </param>
-         <prop name="label">RA-6</prop>
-         <prop name="sort-id">RA-06</prop>
-         <part name="statement" id="ra-6_smt">
-            <p>Employ a technical surveillance countermeasures survey at <insert param-id="ra-6_prm_1"/>
-               <insert param-id="ra-6_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="ra-6_gdn">
-            <p>A technical surveillance countermeasures survey is a service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could be used in the conduct of a technical penetration of the surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the technical security posture of organizations and facilities and include visual, electronic, and physical examinations of surveyed facilities, internally and externally. The surveys also provide useful input for risk assessments and information regarding organizational exposure to potential adversaries.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-7">
-         <title>Risk Response</title>
-         <prop name="label">RA-7</prop>
-         <prop name="sort-id">RA-07</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#f2163084-3287-45e2-9ee7-95f020415495">[FIPS 200]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#ca-5">CA-5</link>
-         <link rel="related" href="#ir-9">IR-9</link>
-         <link rel="related" href="#pm-4">PM-4</link>
-         <link rel="related" href="#pm-28">PM-28</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <part name="statement" id="ra-7_smt">
-            <p>Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.</p>
-         </part>
-         <part name="guidance" id="ra-7_gdn">
-            <p>Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls; accepting risk with appropriate justification or rationale; sharing or transferring risk; or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-8">
-         <title>Privacy Impact Assessments</title>
-         <prop name="label">RA-8</prop>
-         <prop name="sort-id">RA-08</prop>
-         <link rel="reference" href="#bc2bf069-c3a5-48a4-a274-684d997be0c2">[EGOV]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="related" href="#cm-13">CM-13</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-3">PT-3</link>
-         <link rel="related" href="#pt-6">PT-6</link>
-         <link rel="related" href="#ra-1">RA-1</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <part name="statement" id="ra-8_smt">
-            <p>Conduct privacy impact assessments for systems, programs, or other activities before:</p>
-            <part name="item" id="ra-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Developing or procuring information technology that processes personally identifiable information; and</p>
-            </part>
-            <part name="item" id="ra-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Initiating a new collection of personally identifiable information that:</p>
-               <part name="item" id="ra-8_smt.b.1">
-                  <prop name="label">1.</prop>
-                  <p>Will be processed using information technology; and</p>
-               </part>
-               <part name="item" id="ra-8_smt.b.2">
-                  <prop name="label">2.</prop>
-                  <p>Includes personally identifiable information permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the federal government.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="ra-8_gdn">
-            <p>A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis.
-Organizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.
-To conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes which may have different labels, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-9">
-         <title>Criticality Analysis</title>
-         <param id="ra-9_prm_1">
-            <label>organization-defined systems, system components, or system services</label>
-         </param>
-         <param id="ra-9_prm_2">
-            <label>organization-defined decision points in the system development life cycle</label>
-         </param>
-         <prop name="label">RA-9</prop>
-         <prop name="sort-id">RA-09</prop>
-         <link rel="reference" href="#7a93e915-fd58-4147-be12-e48044c367e6">[IR 8179]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pl-11">PL-11</link>
-         <link rel="related" href="#pm-1">PM-1</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-20">SA-20</link>
-         <part name="statement" id="ra-9_smt">
-            <p>Identify critical system components and functions by performing a criticality analysis for <insert param-id="ra-9_prm_1"/> at <insert param-id="ra-9_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="ra-9_gdn">
-            <p>Not all system components, functions, or services necessarily require significant protections. Criticality analysis is a key tenet of, for example, supply chain risk management, and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders regulations, directives, policies, and standards; system functionality requirements; system and component interfaces; and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system; decomposition into the specific functions to perform those missions; and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and  external to the system.
-The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system containing the components and functions. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, for example, by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="ra-10">
-         <title>Threat Hunting</title>
-         <param id="ra-10_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">RA-10</prop>
-         <prop name="sort-id">RA-10</prop>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#ra-6">RA-6</link>
-         <part name="statement" id="ra-10_smt">
-            <part name="item" id="ra-10_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish and maintain a cyber threat hunting capability to:</p>
-               <part name="item" id="ra-10_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Search for indicators of compromise in organizational systems; and</p>
-               </part>
-               <part name="item" id="ra-10_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Detect, track, and disrupt threats that evade existing controls; and</p>
-               </part>
-            </part>
-            <part name="item" id="ra-10_smt.b">
-               <prop name="label">b.</prop>
-               <p>Employ the threat hunting capability <insert param-id="ra-10_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="ra-10_gdn">
-            <p>Threat hunting is an active means of cyber defense in contrast to the traditional protection measures such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sa">
-      <title>System and Services Acquisition</title>
-      <control class="SP800-53" id="sa-1">
-         <title>Policy and Procedures</title>
-         <param id="sa-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sa-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="sa-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="sa-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sa-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SA-1</prop>
-         <prop name="sort-id">SA-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="sa-1_smt">
-            <part name="item" id="sa-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="sa-1_prm_1"/>:</p>
-               <part name="item" id="sa-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="sa-1_prm_2"/> system and services acquisition policy that:</p>
-                  <part name="item" id="sa-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="sa-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="sa-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;</p>
-               </part>
-            </part>
-            <part name="item" id="sa-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="sa-1_prm_3"/> to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and</p>
-            </part>
-            <part name="item" id="sa-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current system and services acquisition:</p>
-               <part name="item" id="sa-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="sa-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="sa-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="sa-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="sa-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the SA family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-2">
-         <title>Allocation of Resources</title>
-         <prop name="label">SA-2</prop>
-         <prop name="sort-id">SA-02</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#pl-7">PL-7</link>
-         <link rel="related" href="#pm-3">PM-3</link>
-         <link rel="related" href="#pm-11">PM-11</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <part name="statement" id="sa-2_smt">
-            <part name="item" id="sa-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;</p>
-            </part>
-            <part name="item" id="sa-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and</p>
-            </part>
-            <part name="item" id="sa-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-2_gdn">
-            <p>Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain concerns throughout the system development life cycle.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-3">
-         <title>System Development Life Cycle</title>
-         <param id="sa-3_prm_1">
-            <label>organization-defined system development life cycle</label>
-         </param>
-         <prop name="label">SA-3</prop>
-         <prop name="sort-id">SA-03</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a">[SP 800-171]</link>
-         <link rel="reference" href="#aad55f03-8ece-4b21-b09c-9ef65b5a9f55">[SP 800-171B]</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pm-7">PM-7</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sa-22">SA-22</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <part name="statement" id="sa-3_smt">
-            <part name="item" id="sa-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Acquire, develop, and manage the system using <insert param-id="sa-3_prm_1"/> that incorporates information security and privacy considerations;</p>
-            </part>
-            <part name="item" id="sa-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Define and document information security and privacy roles and responsibilities throughout the system development life cycle;</p>
-            </part>
-            <part name="item" id="sa-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Identify individuals having information security and privacy roles and responsibilities; and</p>
-            </part>
-            <part name="item" id="sa-3_smt.d">
-               <prop name="label">d.</prop>
-               <p>Integrate the organizational information security and privacy risk management process into system development life cycle activities.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-3_gdn">
-            <p>A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical missions and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include in system development life cycle processes, qualified personnel, including senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals having key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.
-The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, and service providers), acquisition and supply chain risk management functions and controls play a significant role in the effective management of the system during the life cycle.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-3.1">
-            <title>Manage Preproduction Environment</title>
-            <prop name="label">SA-3(1)</prop>
-            <prop name="sort-id">SA-03(01)</prop>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#ra-9">RA-9</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <part name="statement" id="sa-3.1_smt">
-               <p>Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.</p>
-            </part>
-            <part name="guidance" id="sa-3.1_gdn">
-               <p>The preproduction environment includes development, test, and integration environments. The program protection planning processes established by the Department of Defense is an example of managing the preproduction environment for defense contractors. Criticality analysis and the application of controls on developers also contribution to a more secure system development environment.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-3.2">
-            <title>Use of Live or Operational Data</title>
-            <prop name="label">SA-3(2)</prop>
-            <prop name="sort-id">SA-03(02)</prop>
-            <link rel="related" href="#pm-25">PM-25</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="sa-3.2_smt">
-               <part name="item" id="sa-3.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and</p>
-               </part>
-               <part name="item" id="sa-3.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-3.2_gdn">
-               <p>Live data is also referred to as operational data. The use of live or operational data in preproduction (i.e., development, test, and integration) environments can result in significant risk to organizations. In addition, the use of personally identifiable information in testing, research, and training increases risk of unauthorized disclosure or misuse of such information. Thus, it is important for the organization to manage any additional risks that may result from use of live or operational data. Organizations can minimize such risk by using test or dummy data during the design, development, and testing of systems, system components, and system services. Risk assessment techniques may be used to determine if the risk of using live or operational data is acceptable.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-3.3">
-            <title>Technology Refresh</title>
-            <prop name="label">SA-3(3)</prop>
-            <prop name="sort-id">SA-03(03)</prop>
-            <part name="statement" id="sa-3.3_smt">
-               <p>Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.</p>
-            </part>
-            <part name="guidance" id="sa-3.3_gdn">
-               <p>Technology refresh planning may encompass hardware, software, firmware, processes, personnel skill sets, suppliers, service providers, and facilities. The use of obsolete or nearing obsolete technology may increase security and privacy risks associated with, for example, unsupported components, components unable to implement security or privacy requirements, counterfeit or re-purposed components, slow or inoperable components, components from untrusted sources, inadvertent personnel error, or increased complexity. Technology refreshes typically occur during the operations and maintenance stage of the system development life cycle.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-4">
-         <title>Acquisition Process</title>
-         <param id="sa-4_prm_1">
-            <select how-many="one or more">
-               <choice>standardized contract language</choice>
-               <choice>
-                  <insert param-id="sa-4_prm_2"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sa-4_prm_2" depends-on="sa-4_prm_1">
-            <label>organization-defined contract language</label>
-         </param>
-         <prop name="label">SA-4</prop>
-         <prop name="sort-id">SA-04</prop>
-         <link rel="reference" href="#a7dfa526-b81f-41d7-9875-c8b0faafe74b">[PRIVACT]</link>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#6ddb507b-6ddb-4e15-a8d4-0854e704446e">[ISO 15408-1]</link>
-         <link rel="reference" href="#18abb755-c10f-407d-b0ef-4f99e5ec4a49">[ISO 15408-2]</link>
-         <link rel="reference" href="#2ce3a8bf-7f8b-4249-bd16-808231415b14">[ISO 15408-3]</link>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#ab414c48-b7a2-4ffe-b74d-4d8b8120adce">[FIPS 201-2]</link>
-         <link rel="reference" href="#ed919d0d-8e21-4df6-801d-3fbc4cb8a505">[SP 800-35]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#14a7d982-9747-48e0-a877-3e8fbf6ae381">[SP 800-70]</link>
-         <link rel="reference" href="#3d6b3a16-94e7-4a43-8648-8bdeaadb271b">[SP 800-73-4]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#d4779b49-8acc-45ef-b4f0-30f945e81d1b">[IR 7539]</link>
-         <link rel="reference" href="#7b03adec-4405-4aac-94a0-6a9eb3f42e31">[IR 7622]</link>
-         <link rel="reference" href="#daf69edb-a0ef-4447-9880-8c4bf553181f">[IR 7676]</link>
-         <link rel="reference" href="#197f7ba7-9af8-4a67-b3a4-5523d850e53b">[IR 7870]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="reference" href="#5dac2312-1d0d-416f-aebb-400fa9775b74">[NIAP CCEVS]</link>
-         <link rel="reference" href="#634dec27-df88-4c30-b1a4-b57cdfd24f20">[NSA CSFC]</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-16">SA-16</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sa-21">SA-21</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <part name="statement" id="sa-4_smt">
-            <p>Include the following requirements, descriptions, and criteria, explicitly or by reference, using <insert param-id="sa-4_prm_1"/> in the acquisition contract for the system, system component, or system service:</p>
-            <part name="item" id="sa-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Security and privacy functional requirements;</p>
-            </part>
-            <part name="item" id="sa-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Strength of mechanism requirements;</p>
-            </part>
-            <part name="item" id="sa-4_smt.c">
-               <prop name="label">c.</prop>
-               <p>Security and privacy assurance requirements;</p>
-            </part>
-            <part name="item" id="sa-4_smt.d">
-               <prop name="label">d.</prop>
-               <p>Controls needed to satisfy the security and privacy requirements.</p>
-            </part>
-            <part name="item" id="sa-4_smt.e">
-               <prop name="label">e.</prop>
-               <p>Security and privacy documentation requirements;</p>
-            </part>
-            <part name="item" id="sa-4_smt.f">
-               <prop name="label">f.</prop>
-               <p>Requirements for protecting security and privacy documentation;</p>
-            </part>
-            <part name="item" id="sa-4_smt.g">
-               <prop name="label">g.</prop>
-               <p>Description of the system development environment and environment in which the system is intended to operate;</p>
-            </part>
-            <part name="item" id="sa-4_smt.h">
-               <prop name="label">h.</prop>
-               <p>Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and</p>
-            </part>
-            <part name="item" id="sa-4_smt.i">
-               <prop name="label">i.</prop>
-               <p>Acceptance criteria.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-4_gdn">
-            <p>Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, practices, and methodologies; and the evidence from development and assessment activities providing grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160 v1] describes the process of requirements engineering as part of the system development life cycle.
-Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical aspects, administrative aspects, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.
-Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as such criteria for any organizational acquisition or procurement.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-4.1">
-            <title>Functional Properties of Controls</title>
-            <prop name="label">SA-4(1)</prop>
-            <prop name="sort-id">SA-04(01)</prop>
-            <part name="statement" id="sa-4.1_smt">
-               <p>Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.</p>
-            </part>
-            <part name="guidance" id="sa-4.1_gdn">
-               <p>Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.2">
-            <title>Design and Implementation Information for Controls</title>
-            <param id="sa-4.2_prm_1">
-               <select how-many="one or more">
-                  <choice>security-relevant external system interfaces</choice>
-                  <choice>high-level design</choice>
-                  <choice>low-level design</choice>
-                  <choice>source code or hardware schematics</choice>
-                  <choice>
-                     <insert param-id="sa-4.2_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="sa-4.2_prm_2" depends-on="sa-4.2_prm_1">
-               <label>organization-defined design and implementation information</label>
-            </param>
-            <param id="sa-4.2_prm_3">
-               <label>organization-defined level of detail</label>
-            </param>
-            <prop name="label">SA-4(2)</prop>
-            <prop name="sort-id">SA-04(02)</prop>
-            <part name="statement" id="sa-4.2_smt">
-               <p>Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: <insert param-id="sa-4.2_prm_1"/> at <insert param-id="sa-4.2_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="sa-4.2_gdn">
-               <p>Organizations may require different levels of detail in the documentation for the design and implementation for controls in organizational systems, system components, or system services based on mission and business requirements; requirements for resiliency and trustworthiness; and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.3">
-            <title>Development Methods, Techniques, and Practices</title>
-            <param id="sa-4.3_prm_1">
-               <label>organization-defined systems engineering methods</label>
-            </param>
-            <param id="sa-4.3_prm_2">
-               <label>organization-defined Selection (one or more): systems security; privacy</label>
-            </param>
-            <param id="sa-4.3_prm_3">
-               <label>organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes</label>
-            </param>
-            <prop name="label">SA-4(3)</prop>
-            <prop name="sort-id">SA-04(03)</prop>
-            <part name="statement" id="sa-4.3_smt">
-               <p>Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:</p>
-               <part name="item" id="sa-4.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>
-                     <insert param-id="sa-4.3_prm_1"/>;</p>
-               </part>
-               <part name="item" id="sa-4.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="sa-4.3_prm_2"/> engineering methods];</p>
-               </part>
-               <part name="item" id="sa-4.3_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>
-                     <insert param-id="sa-4.3_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-4.3_gdn">
-               <p>Following a system development life cycle that includes state-of-the-practice software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes helps to reduce the number and severity of the latent errors within systems, system components, and system services. Reducing the number and severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Transparency in the methods developers select and implement for systems engineering, systems security and privacy engineering, software development, component and system assessments, and quality control processes provide an increased level of assurance in the trustworthiness of the system, system component, or system service being acquired.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.4">
-            <title>Assignment of Components to Systems</title>
-            <prop name="label">SA-4(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-04(04)</prop>
-            <link rel="incorporated-into" href="#cm-8.9">CM-8(9)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.5">
-            <title>System, Component, and Service Configurations</title>
-            <param id="sa-4.5_prm_1">
-               <label>organization-defined security configurations</label>
-            </param>
-            <prop name="label">SA-4(5)</prop>
-            <prop name="sort-id">SA-04(05)</prop>
-            <part name="statement" id="sa-4.5_smt">
-               <p>Require the developer of the system, system component, or system service to:</p>
-               <part name="item" id="sa-4.5_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Deliver the system, component, or service with <insert param-id="sa-4.5_prm_1"/> implemented; and</p>
-               </part>
-               <part name="item" id="sa-4.5_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-4.5_gdn">
-               <p>Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.6">
-            <title>Use of Information Assurance Products</title>
-            <prop name="label">SA-4(6)</prop>
-            <prop name="sort-id">SA-04(06)</prop>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sa-4.6_smt">
-               <part name="item" id="sa-4.6_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and</p>
-               </part>
-               <part name="item" id="sa-4.6_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-4.6_gdn">
-               <p>Commercial off-the-shelf IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. See [NSA CSFC].</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.7">
-            <title>Niap-approved Protection Profiles</title>
-            <prop name="label">SA-4(7)</prop>
-            <prop name="sort-id">SA-04(07)</prop>
-            <link rel="related" href="#ia-7">IA-7</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sa-4.7_smt">
-               <part name="item" id="sa-4.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and</p>
-               </part>
-               <part name="item" id="sa-4.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-4.7_gdn">
-               <p>See [NIAP CCEVS] for additional information on NIAP. See [NIST CMVP] for additional information on FIPS-validated cryptographic modules.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.8">
-            <title>Continuous Monitoring Plan for Controls</title>
-            <param id="sa-4.8_prm_1">
-               <label>organization-defined level of detail</label>
-            </param>
-            <prop name="label">SA-4(8)</prop>
-            <prop name="sort-id">SA-04(08)</prop>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <part name="statement" id="sa-4.8_smt">
-               <p>Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that contains the following level of detail: <insert param-id="sa-4.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-4.8_gdn">
-               <p>The objective of continuous monitoring plans is to determine if the planned, required, and deployed controls within the system, system component, or system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into continuous monitoring strategies and programs implemented by organizations. Continuous monitoring plans can include the frequency of control monitoring, types of control assessment and monitoring activities planned, and actions to be taken when controls fail or become ineffective.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.9">
-            <title>Functions, Ports, Protocols, and Services in Use</title>
-            <prop name="label">SA-4(9)</prop>
-            <prop name="sort-id">SA-04(09)</prop>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#sa-9">SA-9</link>
-            <part name="statement" id="sa-4.9_smt">
-               <p>Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.</p>
-            </part>
-            <part name="guidance" id="sa-4.9_gdn">
-               <p>The identification of functions, ports, protocols, and services early in the system development life cycle, for example, during the initial requirements definition and design stages, allows organizations to influence the design of the system, system component, or system service. This early involvement in the system life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or when requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.10">
-            <title>Use of Approved PIV Products</title>
-            <prop name="label">SA-4(10)</prop>
-            <prop name="sort-id">SA-04(10)</prop>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pm-9">PM-9</link>
-            <part name="statement" id="sa-4.10_smt">
-               <p>Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.</p>
-            </part>
-            <part name="guidance" id="sa-4.10_gdn">
-               <p>Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multifactor authentication in systems and organizations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.11">
-            <title>System of Records</title>
-            <param id="sa-4.11_prm_1">
-               <label>organization-defined Privacy Act requirements</label>
-            </param>
-            <prop name="label">SA-4(11)</prop>
-            <prop name="sort-id">SA-04(11)</prop>
-            <link rel="related" href="#pt-7">PT-7</link>
-            <part name="statement" id="sa-4.11_smt">
-               <p>Include <insert param-id="sa-4.11_prm_1"/> in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.</p>
-            </part>
-            <part name="guidance" id="sa-4.11_gdn">
-               <p>When an organization provides by a contract for the operation of a system of records to accomplish an organizational mission or function, the organization, consistent with its authority, causes the requirements of the [PRIVACT] to be applied to the system of records.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-4.12">
-            <title>Data Ownership</title>
-            <param id="sa-4.12_prm_1">
-               <label>organization-defined timeframe</label>
-            </param>
-            <prop name="label">SA-4(12)</prop>
-            <prop name="sort-id">SA-04(12)</prop>
-            <part name="statement" id="sa-4.12_smt">
-               <part name="item" id="sa-4.12_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Include organizational data ownership requirements in the acquisition contract; and</p>
-               </part>
-               <part name="item" id="sa-4.12_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Require all data to be removed from the contractor’s system and returned to the organization within <insert param-id="sa-4.12_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-4.12_gdn">
-               <p>Contractors operating a system that contains data owned by an organization initiating the contract, have policies and procedures in place to remove the data from their systems and/or return the data in a timeframe defined by the contract.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-5">
-         <title>System Documentation</title>
-         <param id="sa-5_prm_1">
-            <label>organization-defined actions</label>
-         </param>
-         <param id="sa-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SA-5</prop>
-         <prop name="sort-id">SA-05</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-16">SA-16</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <part name="statement" id="sa-5_smt">
-            <part name="item" id="sa-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Obtain administrator documentation for the system, system component, or system service that describes:</p>
-               <part name="item" id="sa-5_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Secure configuration, installation, and operation of the system, component, or service;</p>
-               </part>
-               <part name="item" id="sa-5_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Effective use and maintenance of security and privacy functions and mechanisms; and</p>
-               </part>
-               <part name="item" id="sa-5_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Known vulnerabilities regarding configuration and use of administrative or privileged functions;</p>
-               </part>
-            </part>
-            <part name="item" id="sa-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Obtain user documentation for the system, system component, or system service that describes:</p>
-               <part name="item" id="sa-5_smt.b.1">
-                  <prop name="label">1.</prop>
-                  <p>User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;</p>
-               </part>
-               <part name="item" id="sa-5_smt.b.2">
-                  <prop name="label">2.</prop>
-                  <p>Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and</p>
-               </part>
-               <part name="item" id="sa-5_smt.b.3">
-                  <prop name="label">3.</prop>
-                  <p>User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;</p>
-               </part>
-            </part>
-            <part name="item" id="sa-5_smt.c">
-               <prop name="label">c.</prop>
-               <p>Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and takes <insert param-id="sa-5_prm_1"/> in response;</p>
-            </part>
-            <part name="item" id="sa-5_smt.d">
-               <prop name="label">d.</prop>
-               <p>Protect documentation as required, in accordance with the organizational risk management strategy; and</p>
-            </part>
-            <part name="item" id="sa-5_smt.e">
-               <prop name="label">e.</prop>
-               <p>Distribute documentation to <insert param-id="sa-5_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-5_gdn">
-            <p>System documentation helps personnel understand the implementation and the operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used, for example, to support the management of supply chain risk, incident response, and other functions. Personnel or roles requiring documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-5.1">
-            <title>Functional Properties of Security Controls</title>
-            <prop name="label">SA-5(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-05(01)</prop>
-            <link rel="incorporated-into" href="#sa-4.1">SA-4(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-5.2">
-            <title>Security-relevant External System Interfaces</title>
-            <prop name="label">SA-5(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-05(02)</prop>
-            <link rel="incorporated-into" href="#sa-4.2">SA-4(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-5.3">
-            <title>High-level Design</title>
-            <prop name="label">SA-5(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-05(03)</prop>
-            <link rel="incorporated-into" href="#sa-4.2">SA-4(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-5.4">
-            <title>Low-level Design</title>
-            <prop name="label">SA-5(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-05(04)</prop>
-            <link rel="incorporated-into" href="#sa-4.2">SA-4(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-5.5">
-            <title>Source Code</title>
-            <prop name="label">SA-5(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-05(05)</prop>
-            <link rel="incorporated-into" href="#sa-4.2">SA-4(2)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-6">
-         <title>Software Usage Restrictions</title>
-         <prop name="label">SA-6</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SA-06</prop>
-         <link rel="incorporated-into" href="#cm-10">CM-10</link>
-         <link rel="incorporated-into" href="#si-7">SI-7</link>
-      </control>
-      <control class="SP800-53" id="sa-7">
-         <title>User-installed Software</title>
-         <prop name="label">SA-7</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SA-07</prop>
-         <link rel="incorporated-into" href="#cm-11">CM-11</link>
-         <link rel="incorporated-into" href="#si-7">SI-7</link>
-      </control>
-      <control class="SP800-53" id="sa-8">
-         <title>Security and Privacy Engineering Principles</title>
-         <param id="sa-8_prm_1">
-            <label>organization-defined systems security and privacy engineering principles</label>
-         </param>
-         <prop name="label">SA-8</prop>
-         <prop name="sort-id">SA-08</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#f2163084-3287-45e2-9ee7-95f020415495">[FIPS 200]</link>
-         <link rel="reference" href="#5db6dfe4-788e-4183-93b9-f6fb29d75e41">[SP 800-53A]</link>
-         <link rel="reference" href="#68949f14-9cf5-4116-91d8-e820b9df3ffd">[SP 800-60 v1]</link>
-         <link rel="reference" href="#e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">[SP 800-60 v2]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#817b4227-5857-494d-9032-915980b32f15">[IR 8062]</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pm-7">PM-7</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sa-20">SA-20</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#sc-32">SC-32</link>
-         <link rel="related" href="#sc-39">SC-39</link>
-         <link rel="related" href="#sr-2">SR-2</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <part name="statement" id="sa-8_smt">
-            <p>Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: <insert param-id="sa-8_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sa-8_gdn">
-            <p>Systems security and privacy engineering principles are closely related to and are implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.
-The application of systems security and privacy engineering principles help organizations develop trustworthy, secure, and resilient systems and reduce the susceptibility to disruptions, hazards, threats, and creating privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.
-Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks including incorporating tamper-resistant hardware into a design.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-8.1">
-            <title>Clear Abstractions</title>
-            <prop name="label">SA-8(1)</prop>
-            <prop name="sort-id">SA-08(01)</prop>
-            <part name="statement" id="sa-8.1_smt">
-               <p>Implement the security design principle of clear abstractions.</p>
-            </part>
-            <part name="guidance" id="sa-8.1_gdn">
-               <p>The principle of clear abstractions states that a system has simple, well-defined interfaces and functions that provide a consistent and intuitive view of the data and how it is managed. The elegance (e.g., clarity, simplicity, necessity, and sufficiency) of the system interfaces, combined with a precise definition of their functional behavior promotes ease of analysis, inspection, and testing as well as the correct and secure use of the system. The clarity of an abstraction is subjective. Examples reflecting application of this principle include avoidance of redundant, unused interfaces; information hiding; and avoidance of semantic overloading of interfaces or their parameters (e.g., not using a single function to provide different functionality, depending on how it is used). Information hiding, also known as representation-independent programming, is a design discipline to ensure that the internal representation of information in one system component is not visible to another system component invoking or calling the first component, such that the published abstraction is not influenced by how the data may be managed internally.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.2">
-            <title>Least Common Mechanism</title>
-            <param id="sa-8.2_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(2)</prop>
-            <prop name="sort-id">SA-08(02)</prop>
-            <part name="statement" id="sa-8.2_smt">
-               <p>Implement the security design principle of least common mechanism in <insert param-id="sa-8.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.2_gdn">
-               <p>The principle of least common mechanism states that the amount of mechanism common to more than one user and depended on by all users is minimized [POPEK74]. Minimization of mechanism implies that different components of a system refrain from using the same mechanism to access a system resource. Every shared mechanism (especially a mechanism involving shared variables) represents a potential information path between users and is designed with great care to be sure it does not unintentionally compromise security [SALTZER75]. Implementing the principle of least common mechanism helps to reduce the adverse consequences of sharing system state among different programs. A single program corrupting a shared state (including shared variables) has the potential to corrupt other programs that are dependent on the state. The principle of least common mechanism also supports the principle of simplicity of design and addresses the issue of covert storage channels [LAMPSON73].</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.3">
-            <title>Modularity and Layering</title>
-            <param id="sa-8.3_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(3)</prop>
-            <prop name="sort-id">SA-08(03)</prop>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <part name="statement" id="sa-8.3_smt">
-               <p>Implement the security design principles of modularity and layering in <insert param-id="sa-8.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.3_gdn">
-               <p>The principles of modularity and layering are fundamental across system engineering disciplines. Modularity and layering derived from functional decomposition are effective in managing system complexity, by making it possible to comprehend the structure of the system. Modular decomposition, or refinement in system design, is challenging and resists general statements of principle. Modularity serves to isolate functions and related data structures into well-defined logical units. Layering allows the relationships of these units to be better understood, so that dependencies are clear and undesired complexity can be avoided. The security design principle of modularity extends functional modularity to include considerations based on trust, trustworthiness, privilege, and security policy. Security-informed modular decomposition includes the following: allocation of policies to systems in a network; separation of system applications into processes with distinct address spaces; allocation of system policies to layers; and separation of processes into subjects with distinct privileges based on hardware-supported privilege domains.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.4">
-            <title>Partially Ordered Dependencies</title>
-            <param id="sa-8.4_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(4)</prop>
-            <prop name="sort-id">SA-08(04)</prop>
-            <part name="statement" id="sa-8.4_smt">
-               <p>Implement the security design principle of partially ordered dependencies in <insert param-id="sa-8.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.4_gdn">
-               <p>The principle of partially ordered dependencies states that the synchronization, calling, and other dependencies in the system are partially ordered. A fundamental concept in system design is layering, whereby the system is organized into well-defined, functionally related modules or components. The layers are linearly ordered with respect to inter-layer dependencies, such that higher layers are dependent on lower layers. While providing functionality to higher layers, some layers can be self-contained and not dependent upon lower layers. While a partial ordering of all functions in a given system may not be possible, if circular dependencies are constrained to occur within layers, the inherent problems of circularity can be more easily managed. Partially ordered dependencies and system layering contribute significantly to the simplicity and the coherency of the system design. Partially ordered dependencies also facilitate system testing and analysis.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.5">
-            <title>Efficiently Mediated Access</title>
-            <param id="sa-8.5_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(5)</prop>
-            <prop name="sort-id">SA-08(05)</prop>
-            <part name="statement" id="sa-8.5_smt">
-               <p>Implement the security design principle of efficiently mediated access in <insert param-id="sa-8.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.5_gdn">
-               <p>The principle of efficiently mediated access states that policy-enforcement mechanisms utilize the least common mechanism available while satisfying stakeholder requirements within expressed constraints. The mediation of access to system resources (i.e., CPU, memory, devices, communication ports, services, infrastructure, data and information) is often the predominant security function of secure systems. It also enables the realization of protections for the capability provided to stakeholders by the system. Mediation of resource access can result in performance bottlenecks if the system is not designed correctly. For example, by using hardware mechanisms, efficiently mediated access can be achieved. Once access to a low-level resource such as memory has been obtained, hardware protection mechanisms can ensure that out-of-bounds access does not occur.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.6">
-            <title>Minimized Sharing</title>
-            <param id="sa-8.6_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(6)</prop>
-            <prop name="sort-id">SA-08(06)</prop>
-            <link rel="related" href="#sc-31">SC-31</link>
-            <part name="statement" id="sa-8.6_smt">
-               <p>Implement the security design principle of minimized sharing in <insert param-id="sa-8.6_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.6_gdn">
-               <p>The principle of minimized sharing states that no computer resource is shared between system components (e.g., subjects, processes, functions) unless it is absolutely necessary to do so. Minimized sharing helps to simplify system design and implementation. In order to protect user-domain resources from arbitrary active entities, no resource is shared unless that sharing has been explicitly requested and granted. The need for resource sharing can be motivated by the design principle of least common mechanism in the case internal entities, or driven by stakeholder requirements. However, internal sharing is carefully designed to avoid performance and covert storage- and timing-channel problems. Sharing via common mechanism can increase the susceptibility of data and information to unauthorized access, disclosure, use, or modification and can adversely affect the inherent capability provided by the system. To minimize sharing induced by common mechanisms, such mechanisms can be designed to be reentrant or virtualized to preserve separation. Moreover, use of global data to share information is carefully scrutinized. The lack of encapsulation may obfuscate relationships among the sharing entities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.7">
-            <title>Reduced Complexity</title>
-            <param id="sa-8.7_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(7)</prop>
-            <prop name="sort-id">SA-08(07)</prop>
-            <part name="statement" id="sa-8.7_smt">
-               <p>Implement the security design principle of reduced complexity in <insert param-id="sa-8.7_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.7_gdn">
-               <p>The principle of reduced complexity states that the system design is as simple and small as possible. A small and simple design is more understandable, more analyzable, and less prone to error. The reduced complexity principle applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions. It also facilitates identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain—that is, simpler systems contain fewer vulnerabilities. An important benefit of reduced complexity is that it is easier to understand whether the intended security policy has been captured in the system design, and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex. Transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6) may require implementing the older and newer technologies simultaneously during the transition period. This may result in a temporary increase in system complexity during the transition.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.8">
-            <title>Secure Evolvability</title>
-            <param id="sa-8.8_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(8)</prop>
-            <prop name="sort-id">SA-08(08)</prop>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <part name="statement" id="sa-8.8_smt">
-               <p>Implement the security design principle of secure evolvability in <insert param-id="sa-8.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.8_gdn">
-               <p>The principle of secure evolvability states that a system is developed to facilitate the maintenance of its security properties when there are changes to the system’s structure, interfaces, interconnections (i.e., system architecture), functionality, or its configuration (i.e., security policy enforcement). Changes include a new, an enhanced, or an upgraded system capability; maintenance and sustainment activities; and reconfiguration. Although it is not possible to plan for every aspect of system evolution, system upgrades and changes can be anticipated by analyses of mission or business strategic direction; anticipated changes in the threat environment; and anticipated maintenance and sustainment needs. It is unrealistic to expect that complex systems remain secure in contexts not envisioned during development, whether such contexts are related to the operational environment or to usage. A system may be secure in some new contexts, but there is no guarantee that its emergent behavior will always be secure. It is easier to build trustworthiness into a system from the outset, and it follows that the sustainment of system trustworthiness requires planning for change as opposed to adapting in an ad hoc or non-methodical manner. The benefits of this principle include reduced vendor life-cycle costs; reduced cost of ownership; improved system security; more effective management of security risk; and less risk uncertainty.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.9">
-            <title>Trusted Components</title>
-            <param id="sa-8.9_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(9)</prop>
-            <prop name="sort-id">SA-08(09)</prop>
-            <part name="statement" id="sa-8.9_smt">
-               <p>Implement the security design principle of trusted components in <insert param-id="sa-8.9_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.9_gdn">
-               <p>The principle of trusted components states that a component is trustworthy to at least a level commensurate with the security dependencies it supports (i.e., how much it is trusted to perform its security functions by other components). This principle enables the composition of components such that trustworthiness is not inadvertently diminished and where consequently the trust is not misplaced. Ultimately this principle demands some metric by which the trust in a component and the trustworthiness of a component can be measured on the same abstract scale. The principle of trusted components is particularly relevant when considering systems and components in which there are complex chains of trust dependencies. A trust dependency is also referred to as a trust relationship and there may be chains of trust relationships.
-The principle of trusted components also applies to a compound component that consists of subcomponents (e.g., a subsystem), which may have varying levels of trustworthiness. The conservative assumption is that the trustworthiness of a compound component is that of its least trustworthy subcomponent. It may be possible to provide a security engineering rationale that the trustworthiness of a particular compound component is greater than the conservative assumption; however, any such rationale reflects logical reasoning based on a clear statement of the trustworthiness objectives, and relevant and credible evidence. The trustworthiness of a compound component is not the same as increased application of defense-in-depth layering within the component, or replication of components. Defense-in-depth techniques do not increase the trustworthiness of the whole above that of the least trustworthy component.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.10">
-            <title>Hierarchical Trust</title>
-            <param id="sa-8.10_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(10)</prop>
-            <prop name="sort-id">SA-08(10)</prop>
-            <part name="statement" id="sa-8.10_smt">
-               <p>Implement the security design principle of hierarchical trust in <insert param-id="sa-8.10_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.10_gdn">
-               <p>The principle of hierarchical trust for components builds on the principle of trusted components and states that the security dependencies in a system will form a partial ordering if they preserve the principle of trusted components. The partial ordering provides the basis for trustworthiness reasoning or providing an assurance case or argument when composing a secure system from heterogeneously trustworthy components. To analyze a system composed of heterogeneously trustworthy components for its trustworthiness, it is essential to eliminate circular dependencies with regard to the trustworthiness. If a more trustworthy component located in a lower layer of the system were to depend upon a less trustworthy component in a higher layer, this would in effect, put the components in the same “less trustworthy” equivalence class per the principle of trusted components. Trust relationships, or chains of trust, can have various manifestations. For example, the root certificate of a certificate hierarchy is the most trusted node in the hierarchy, whereas the leaves in the hierarchy may be the least trustworthy nodes. Another example occurs in a layered high-assurance system where the security kernel (including the hardware base), which is located at the lowest layer of the system, is the most trustworthy component. The principle of hierarchical trust, however, does not prohibit the use of overly trustworthy components. There may be cases in a system of low trustworthiness, where it is reasonable to employ a highly trustworthy component rather than one that is less trustworthy (e.g., due to availability or other cost-benefit driver). For such a case, any dependency of the highly trustworthy component upon a less trustworthy component does not degrade the trustworthiness of the resulting low-trust system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.11">
-            <title>Inverse Modification Threshold</title>
-            <param id="sa-8.11_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(11)</prop>
-            <prop name="sort-id">SA-08(11)</prop>
-            <part name="statement" id="sa-8.11_smt">
-               <p>Implement the security design principle of inverse modification threshold in <insert param-id="sa-8.11_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.11_gdn">
-               <p>The principle of inverse modification threshold builds on the principle of trusted components and the principle of hierarchical trust, and states that the degree of protection provided to a component is commensurate with its trustworthiness. As the trust placed in a component increases, the protection against unauthorized modification of the component also increases to the same degree. Protection from unauthorized modification can come in the form of the component’s own self-protection and innate trustworthiness, or it can come from the protections afforded to the component from other elements or attributes of the security architecture (to include protections in the environment of operation).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.12">
-            <title>Hierarchical Protection</title>
-            <param id="sa-8.12_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(12)</prop>
-            <prop name="sort-id">SA-08(12)</prop>
-            <part name="statement" id="sa-8.12_smt">
-               <p>Implement the security design principle of hierarchical protection in <insert param-id="sa-8.12_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.12_gdn">
-               <p>The principle of hierarchical protection states that a component need not be protected from more trustworthy components. In the degenerate case of the most trusted component, it protects itself from all other components. For example, if an operating system kernel is deemed the most trustworthy component in a system, then it protects itself from all untrusted applications it supports, but the applications, conversely, do not need to protect themselves from the kernel. The trustworthiness of users is a consideration for applying the principle of hierarchical protection. A trusted system need not protect itself from an equally trustworthy user, reflecting use of untrusted systems in “system high” environments where users are highly trustworthy and where other protections are put in place to bound and protect the “system high” execution environment.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.13">
-            <title>Minimized Security Elements</title>
-            <param id="sa-8.13_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(13)</prop>
-            <prop name="sort-id">SA-08(13)</prop>
-            <part name="statement" id="sa-8.13_smt">
-               <p>Implement the security design principle of minimized security elements in <insert param-id="sa-8.13_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.13_gdn">
-               <p>The principle of minimized security elements states that the system does not have extraneous trusted components. The principle of minimized security elements has two aspects: the overall cost of security analysis and the complexity of security analysis. Trusted components are generally costlier to construct and implement, owing to increased rigor of development processes. Trusted components also require greater security analysis to qualify their trustworthiness. Thus, to reduce the cost and decrease the complexity of the security analysis, a system contains as few trustworthy components as possible. The analysis of the interaction of trusted components with other components of the system is one of the most important aspects of system security verification. If the interactions between components are unnecessarily complex, the security of the system will also be more difficult to ascertain than one whose internal trust relationships are simple and elegantly constructed. In general, fewer trusted components result in fewer internal trust relationships and a simpler system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.14">
-            <title>Least Privilege</title>
-            <param id="sa-8.14_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(14)</prop>
-            <prop name="sort-id">SA-08(14)</prop>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <part name="statement" id="sa-8.14_smt">
-               <p>Implement the security design principle of least privilege in <insert param-id="sa-8.14_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.14_gdn">
-               <p>The principle of least privilege states that each system component is allocated sufficient privileges to accomplish its specified functions, but no more. Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects: the security impact of a failure, corruption, or misuse of the component will have a minimized security impact; and the security analysis of the component will be simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who has need only to view the audit data that has been collected but no need to perform operations on that data.
-In addition to its manifestations at the system interface, least privilege can be used as a guiding principle for the internal structure of the system itself. One aspect of internal least privilege is to construct modules so that only the elements encapsulated by the module are directly operated upon by the functions within the module. Elements external to a module that may be affected by the module’s operation are indirectly accessed through interaction (e.g., via a function call) with the module that contains those elements. Another aspect of internal least privilege is that the scope of a given module or component includes only those system elements that are necessary for its functionality, and that the access modes for the elements (e.g., read, write) are minimal.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.15">
-            <title>Predicate Permission</title>
-            <param id="sa-8.15_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(15)</prop>
-            <prop name="sort-id">SA-08(15)</prop>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <part name="statement" id="sa-8.15_smt">
-               <p>Implement the security design principle of predicate permission in <insert param-id="sa-8.15_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.15_gdn">
-               <p>The principle of predicate permission states that system designers consider requiring multiple authorized entities to provide consent before a highly critical operation or access to highly sensitive data, information, or resources is allowed to proceed. [SALTZER75] originally named predicate permission the separation of privilege. It is also equivalent to separation of duty. The division of privilege among multiple parties decreases the likelihood of abuse and provides the safeguard that no single accident, deception, or breach of trust is sufficient to enable an unrecoverable action that can lead to significantly damaging effects. The design options for such a mechanism may require simultaneous action (e.g., the firing of a nuclear weapon requires two different authorized individuals to give the correct command within a small time window) or a sequence of operations where each successive action is enabled by some prior action, but no single individual is able to enable more than one action.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.16">
-            <title>Self-reliant Trustworthiness</title>
-            <param id="sa-8.16_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(16)</prop>
-            <prop name="sort-id">SA-08(16)</prop>
-            <part name="statement" id="sa-8.16_smt">
-               <p>Implement the security design principle of self-reliant trustworthiness in <insert param-id="sa-8.16_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.16_gdn">
-               <p>The principle of self-reliant trustworthiness states that systems minimize their reliance on other systems for their own trustworthiness. A system is trustworthy by default with any connection to an external entity used to supplement its function. If a system were required to maintain a connection with another external entity in order to maintain its trustworthiness, then that system would be vulnerable to malicious and non-malicious threats that result in loss or degradation of that connection. The benefit to the principle of self-reliant trustworthiness is that the isolation of a system will make it less vulnerable to attack. A corollary to this principle relates to the ability of the system (or system component) to operate in isolation and then resynchronize with other components when it is rejoined with them.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.17">
-            <title>Secure Distributed Composition</title>
-            <param id="sa-8.17_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(17)</prop>
-            <prop name="sort-id">SA-08(17)</prop>
-            <part name="statement" id="sa-8.17_smt">
-               <p>Implement the security design principle of secure distributed composition in <insert param-id="sa-8.17_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.17_gdn">
-               <p>The principle of secure distributed composition states that the composition of distributed components that enforce the same system security policy result in a system that enforces that policy at least as well as the individual components do. Many of the design principles for secure systems deal with how components can or should interact. The need to create or enable capability from the composition of distributed components can magnify the relevancy of these principles. In particular, the translation of security policy from a stand-alone to a distributed system or a system-of-systems can have unexpected or emergent results. Communication protocols and distributed data consistency mechanisms help to ensure consistent policy enforcement across a distributed system. To ensure a system-wide level of assurance of correct policy enforcement, the security architecture of a distributed composite system is thoroughly analyzed.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.18">
-            <title>Trusted Communications Channels</title>
-            <param id="sa-8.18_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(18)</prop>
-            <prop name="sort-id">SA-08(18)</prop>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sa-8.18_smt">
-               <p>Implement the security design principle of trusted communications channels in <insert param-id="sa-8.18_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.18_gdn">
-               <p>The principle of trusted communication channels states that when composing a system where there is a potential threat to communications between components (i.e., the interconnections between components), each communication channel is trustworthy to a level commensurate with the security dependencies it supports (i.e., how much it is trusted by other components to perform its security functions). Trusted communication channels are achieved by a combination of restricting access to the communication channel (to ensure an acceptable match in the trustworthiness of the endpoints involved in the communication) and employing end-to-end protections for the data transmitted over the communication channel (to protect against interception, modification, and to further increase the assurance of proper end-to-end communication).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.19">
-            <title>Continuous Protection</title>
-            <param id="sa-8.19_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(19)</prop>
-            <prop name="sort-id">SA-08(19)</prop>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <part name="statement" id="sa-8.19_smt">
-               <p>Implement the security design principle of continuous protection in <insert param-id="sa-8.19_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.19_gdn">
-               <p>The principle of continuous protection states that components and data used to enforce the security policy have uninterrupted protection that is consistent with the security policy and the security architecture assumptions. No assurances that the system can provide the confidentiality, integrity, availability, and privacy protections for its design capability can be made if there are gaps in the protection. Any assurances about the ability to secure a delivered capability require that data and information are continuously protected. That is, there are no periods during which data and information are left unprotected while under control of the system (i.e., during the creation, storage, processing, or communication of the data and information, as well as during system initialization, execution, failure, interruption, and shutdown). Continuous protection requires adherence to the precepts of the reference monitor concept (i.e., every request is validated by the reference monitor, the reference monitor is able to protect itself from tampering, and sufficient assurance of the correctness and completeness of the mechanism can be ascertained from analysis and testing), and the principle of secure failure and recovery (i.e., preservation of a secure state during error, fault, failure, and successful attack; preservation of a secure state during recovery to normal, degraded, or alternative operational modes).
-Continuous protection also applies to systems designed to operate in varying configurations, including those that deliver full operational capability and degraded-mode configurations that deliver partial operational capability. The continuous protection principle requires that changes to the system security policies be traceable to the operational need that drives the configuration and be verifiable (i.e., it is possible to verify that the proposed changes will not put the system into an insecure state). Insufficient traceability and verification may lead to inconsistent states or protection discontinuities due to the complex or undecidable nature of the problem. The use of pre-verified configuration definitions that reflect the new security policy enables analysis to determine that a transition from old to new policies is essentially atomic, and that any residual effects from the old policy are guaranteed to not conflict with the new policy. The ability to demonstrate continuous protection is rooted in the clear articulation of life cycle protection needs as stakeholder security requirements.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.20">
-            <title>Secure Metadata Management</title>
-            <param id="sa-8.20_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(20)</prop>
-            <prop name="sort-id">SA-08(20)</prop>
-            <part name="statement" id="sa-8.20_smt">
-               <p>Implement the security design principle of secure metadata management in <insert param-id="sa-8.20_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.20_gdn">
-               <p>The principle of secure metadata management states that metadata are “first class” objects with respect to security policy when the policy requires complete protection of information or it requires that the security subsystem to be self-protecting. The principle of secure metadata management is driven by the recognition that a system, subsystem, or component cannot achieve self-protection unless it protects the data it relies upon for correct execution. Data is generally not interpreted by the system that stores it. It may have semantic value (i.e., it comprises information) to users and programs that process the data. In contrast, metadata is information about data, such as a file name or the date when the file was created. Metadata is bound to the target data that it describes in a way that the system can interpret, but it need not be stored inside of or proximate to its target data. There may be metadata whose target is itself metadata (e.g., the sensitivity level of a file name), to include self-referential metadata.
-The apparent secondary nature of metadata can lead to a neglect of its legitimate need for protection, resulting in a violation of the security policy that includes the exfiltration of information. A particular concern associated with insufficient protections for metadata is associated with multilevel secure (MLS) systems. MLS systems mediate access by a subject to an object based on relative sensitivity levels. It follows that all subjects and objects in the scope of control of the MLS system are either directly labeled or indirectly attributed with sensitivity levels. The corollary of labeled metadata for MLS systems states that objects containing metadata are labeled. As with protection needs assessment for data, attention is given to ensure that the confidentiality and integrity protections are individually assessed, specified, and allocated to metadata, as would be done for mission, business, and system data.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.21">
-            <title>Self-analysis</title>
-            <param id="sa-8.21_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(21)</prop>
-            <prop name="sort-id">SA-08(21)</prop>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <part name="statement" id="sa-8.21_smt">
-               <p>Implement the security design principle of self-analysis in <insert param-id="sa-8.21_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.21_gdn">
-               <p>The principle of self-analysis states that a system component is able to assess its internal state and functionality to a limited extent at various stages of execution, and that this self-analysis capability is commensurate with the level of trustworthiness invested in the system. At the system level, self-analysis can be achieved through hierarchical assessments of trustworthiness established in a bottom up fashion. In this approach, the lower-level components check for data integrity and correct functionality (to a limited extent) of higher-level components. For example, trusted boot sequences involve a trusted lower-level component attesting to the trustworthiness of the next higher-level components so that a transitive chain of trust can be established. At the root, a component attests to itself, which usually involves an axiomatic or environmentally enforced assumption about its integrity. Results of the self-analyses can be used to guard against externally induced errors, or internal malfunction or transient errors. By following this principle, some simple errors or malfunctions can be detected without allowing the effects of the error or malfunction to propagate outside the component. Further, the self-test can also be used to attest to the configuration of the component, detecting any potential conflicts in configuration with respect to the expected configuration.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.22">
-            <title>Accountability and Traceability</title>
-            <param id="sa-8.22_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(22)</prop>
-            <prop name="sort-id">SA-08(22)</prop>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-9">AU-9</link>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <part name="statement" id="sa-8.22_smt">
-               <p>Implement the security design principle of accountability and traceability in <insert param-id="sa-8.22_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.22_gdn">
-               <p>The principle of accountability and traceability states that it is possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken. The principle of accountability and traceability requires a trustworthy infrastructure that can record details about actions that affect system security (e.g., an audit subsystem). To record the details about actions, the system is able to uniquely identify the entity on whose behalf the action is being carried out and also record the relevant sequence of actions that are carried out. The accountability policy also requires the audit trail itself be protected from unauthorized access and modification. The principle of least privilege assists in tracing the actions to particular entities, as it increases the granularity of accountability. Associating specific actions with system entities, and ultimately with users, and making the audit trail secure against unauthorized access and modifications provides non-repudiation, because once an action is recorded, it is not possible to change the audit trail. Another important function that accountability and traceability serves is in the routine and forensic analysis of events associated with the violation of security policy. Analysis of audit logs may provide additional information that may be helpful in determining the path or component that allowed the violation of the security policy, and the actions of individuals associated with the violation of security policy.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.23">
-            <title>Secure Defaults</title>
-            <param id="sa-8.23_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(23)</prop>
-            <prop name="sort-id">SA-08(23)</prop>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <part name="statement" id="sa-8.23_smt">
-               <p>Implement the security design principle of secure defaults in <insert param-id="sa-8.23_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.23_gdn">
-               <p>The principle of secure defaults states that the default configuration of a system (to include its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. The principle of secure defaults applies to the initial (i.e., default) configuration of a system as well as to the security engineering and design of access control and other security functions that follow a “deny unless explicitly authorized” strategy. The initial configuration aspect of this principle requires that any “as shipped” configuration of a system, subsystem, or system component does not aid in the violation of the security policy, and can prevent the system from operating in the default configuration for those cases where the security policy itself requires configuration by the operational user.
-Restrictive defaults mean that the system will operate “as-shipped” with adequate self-protection, and is able to prevent security breaches before the intended security policy and system configuration is established. In cases where the protection provided by the “as-shipped” product is inadequate, stakeholders assess the risk of using it prior to establishing a secure initial state. Adherence to the principle of secure defaults guarantees that a system is established in a secure state upon successfully completing initialization. In situations where the system fails to complete initialization, either it will perform a requested operation using secure defaults or it will not perform the operation. Refer to the principles of continuous protection and secure failure and recovery that parallel this principle to provide the ability to detect and recover from failure.
-The security engineering approach to this principle states that security mechanisms deny requests unless the request is found to be well-formed and consistent with the security policy. The insecure alternative is to allow a request unless it is shown to be inconsistent with the policy. In a large system, the conditions that are satisfied to grant a request that is by default denied are often far more compact and complete than those that would need to be checked in order to deny a request that is by default granted.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.24">
-            <title>Secure Failure and Recovery</title>
-            <param id="sa-8.24_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(24)</prop>
-            <prop name="sort-id">SA-08(24)</prop>
-            <link rel="related" href="#cp-10">CP-10</link>
-            <link rel="related" href="#cp-12">CP-12</link>
-            <link rel="related" href="#sc-7">SC-7</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-            <link rel="related" href="#si-13">SI-13</link>
-            <part name="statement" id="sa-8.24_smt">
-               <p>Implement the security design principle of secure failure and recovery in <insert param-id="sa-8.24_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.24_gdn">
-               <p>The principle of secure failure and recovery states that neither a failure in a system function or mechanism nor any recovery action in response to failure leads to a violation of security policy. The principle of secure failure and recovery parallels the principle of continuous protection to ensure that a system is capable of detecting (within limits) actual and impending failure at any stage of its operation (i.e., initialization, normal operation, shutdown, and maintenance) and to take appropriate steps to ensure that security policies are not violated. In addition, when specified, the system is capable of recovering from impending or actual failure to resume normal, degraded, or alternative secure operation while ensuring that a secure state is maintained such that security policies are not violated.
-Failure is a condition in which the behavior of a component deviates from its specified or expected behavior for an explicitly documented input. Once a failed security function is detected, the system may reconfigure itself to circumvent the failed component, while maintaining security, and provide all or part of the functionality of the original system, or completely shut itself down to prevent any further violation of security policies. For this to occur, the reconfiguration functions of the system are designed to ensure continuous enforcement of security policy during the various phases of reconfiguration.
-Another technique that can be used to recover from failures is to perform a rollback to a secure state (which may be the initial state) and then either shutdown or replace the service or component that failed such that secure operation may resume. Failure of a component may or may not be detectable to the components using it. The principle of secure failure indicates that components fail in a state that denies rather than grants access. For example, a nominally “atomic” operation interrupted before completion does not violate security policy and is designed to handle interruption events by employing higher-level atomicity and rollback mechanisms (e.g., transactions). If a service is being used, its atomicity properties are well-documented and characterized so that the component availing itself of that service can detect and handle interruption events appropriately. For example, a system is designed to gracefully respond to disconnection and support resynchronization and data consistency after disconnection.
-Failure protection strategies that employ replication of policy enforcement mechanisms, sometimes called defense in depth, can allow the system to continue in a secure state even when one mechanism has failed to protect the system. If the mechanisms are similar, however, the additional protection may be illusory, as the adversary can simply attack in series. Similarly, in a networked system, breaking the security on one system or service may enable an attacker to do the same on other similar replicated systems and services. By employing multiple protection mechanisms, whose features are significantly different, the possibility of attack replication or repetition can be reduced. Analyses are conducted to weigh the costs and benefits of such redundancy techniques against increased resource usage and adverse effects on the overall system performance. Additional analyses are conducted as the complexity of these mechanisms increases, as could be the case for dynamic behaviors. Increased complexity generally reduces trustworthiness. When a resource cannot be continuously protected, it is critical to detect and repair any security breaches before the resource is once again used in a secure context.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.25">
-            <title>Economic Security</title>
-            <param id="sa-8.25_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(25)</prop>
-            <prop name="sort-id">SA-08(25)</prop>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="sa-8.25_smt">
-               <p>Implement the security design principle of economic security in <insert param-id="sa-8.25_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.25_gdn">
-               <p>The principle of economic security states that security mechanisms are not costlier than the potential damage that could occur from a security breach. This is the security-relevant form of the cost-benefit analyses used in risk management. The cost assumptions of cost-benefit analysis prevent the system designer from incorporating security mechanisms of greater strength than necessary, where strength of mechanism is proportional to cost. The principle of economic security also requires analysis of the benefits of assurance relative to the cost of that assurance in terms of the effort expended to obtain relevant and credible evidence, and to perform the analyses necessary to assess and draw trustworthiness and risk conclusions from the evidence.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.26">
-            <title>Performance Security</title>
-            <param id="sa-8.26_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(26)</prop>
-            <prop name="sort-id">SA-08(26)</prop>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="sa-8.26_smt">
-               <p>Implement the security design principle of performance security in <insert param-id="sa-8.26_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.26_gdn">
-               <p>The principle of performance security states that security mechanisms are constructed so that they do not degrade system performance unnecessarily. Stakeholder and system design requirements for performance and security are precisely articulated and prioritized. For the system implementation to meet its design requirements and be found acceptable to stakeholders (i.e., validation against stakeholder requirements), the designers adhere to the specified constraints that capability performance needs place on protection needs. The overall impact of computationally intensive security services (e.g., cryptography) are assessed and demonstrated to pose no significant impact to higher-priority performance considerations or are deemed to be providing an acceptable trade-off of performance for trustworthy protection. The trade-off considerations include less computationally intensive security services unless they are unavailable or insufficient. The insufficiency of a security service is determined by functional capability and strength of mechanism. The strength of mechanism is selected with respect to security requirements as well as performance-critical overhead issues (e.g., cryptographic key management) and an assessment of the capability of the threat.
-The principle of performance security leads to the incorporation of features that help in the enforcement of security policy, but incur minimum overhead, such as low-level hardware mechanisms upon which higher-level services can be built. Such low-level mechanisms are usually very specific, have very limited functionality, and are optimized for performance. For example, once access rights to a portion of memory is granted, many systems use hardware mechanisms to ensure that all further accesses involve the correct memory address and access mode. Application of this principle reinforces the need to design security into the system from the ground up, and to incorporate simple mechanisms at the lower layers that can be used as building blocks for higher-level mechanisms.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.27">
-            <title>Human Factored Security</title>
-            <param id="sa-8.27_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(27)</prop>
-            <prop name="sort-id">SA-08(27)</prop>
-            <part name="statement" id="sa-8.27_smt">
-               <p>Implement the security design principle of human factored security in <insert param-id="sa-8.27_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.27_gdn">
-               <p>The principle of human factored security states that the user interface for security functions and supporting services is intuitive, user friendly, and provides feedback for user actions that affect such policy and its enforcement. The mechanisms that enforce security policy are not intrusive to the user and are designed not to degrade user efficiency. Security policy enforcement mechanisms also provide the user with meaningful, clear, and relevant feedback and warnings when insecure choices are being made. Particular attention is given to interfaces through which personnel responsible for system administration and operation configure and set up the security policies. Ideally, these personnel are able to understand the impact of their choices. The personnel with system administrative and operation responsibility are able to configure systems before start-up and administer them during runtime, in both cases with confidence that their intent is correctly mapped to the system’s mechanisms. Security services, functions, and mechanisms do not impede or unnecessarily complicate the intended use of the system. There is a trade-off between system usability and the strictness necessitated for security policy enforcement. If security mechanisms are frustrating or difficult to use, then users may disable or avoid them, or use the mechanisms in ways inconsistent with the security requirements and protection needs the mechanisms were designed to satisfy.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.28">
-            <title>Acceptable Security</title>
-            <param id="sa-8.28_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(28)</prop>
-            <prop name="sort-id">SA-08(28)</prop>
-            <part name="statement" id="sa-8.28_smt">
-               <p>Implement the security design principle of acceptable security in <insert param-id="sa-8.28_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.28_gdn">
-               <p>The principle of acceptable security requires that the level of privacy and performance the system provides is consistent with the users’ expectations. The perception of personal privacy may affect user behavior, morale, and effectiveness. Based on the organizational privacy policy and the system design, users should be able to restrict their actions to protect their privacy. When systems fail to provide intuitive interfaces, or meet privacy and performance expectations, users may either choose to completely avoid the system or use it in ways that may be inefficient or even insecure.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.29">
-            <title>Repeatable and Documented Procedures</title>
-            <param id="sa-8.29_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(29)</prop>
-            <prop name="sort-id">SA-08(29)</prop>
-            <link rel="related" href="#cm-1">CM-1</link>
-            <link rel="related" href="#sa-1">SA-1</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#sa-15">SA-15</link>
-            <link rel="related" href="#sa-17">SA-17</link>
-            <link rel="related" href="#sc-1">SC-1</link>
-            <link rel="related" href="#si-1">SI-1</link>
-            <part name="statement" id="sa-8.29_smt">
-               <p>Implement the security design principle of repeatable and documented procedures in <insert param-id="sa-8.29_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.29_gdn">
-               <p>The principle of repeatable and documented procedures states that the techniques and methods employed to construct a system component permits the same component to be completely and correctly reconstructed at a later time. Repeatable and documented procedures support the development of a component that is identical to the component created earlier that may be in widespread use. In the case of other system artifacts (e.g., documentation and testing results), repeatability supports consistency and ability to inspect the artifacts. Repeatable and documented procedures can be introduced at various stages within the system development life cycle and can contribute to the ability to evaluate assurance claims for the system. Examples include systematic procedures for code development and review; procedures for configuration management of development tools and system artifacts; and procedures for system delivery.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.30">
-            <title>Procedural Rigor</title>
-            <param id="sa-8.30_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(30)</prop>
-            <prop name="sort-id">SA-08(30)</prop>
-            <part name="statement" id="sa-8.30_smt">
-               <p>Implement the security design principle of procedural rigor in <insert param-id="sa-8.30_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.30_gdn">
-               <p>The principle of procedural rigor states that the rigor of a system life cycle process is commensurate with its intended trustworthiness. Procedural rigor defines the scope, depth, and detail of the system life cycle procedures. Rigorous system life cycle procedures contribute to the assurance that the system is correct and free of unintended functionality in several ways. First, the procedures impose checks and balances on the life cycle process such that the introduction of unspecified functionality is prevented.
-Second, rigorous procedures applied to systems security engineering activities that produce specifications and other system design documents contribute to the ability to understand the system as it has been built, rather than trusting that the component as implemented, is the authoritative (and potentially misleading) specification.
-Finally, modifications to an existing system component are easier when there are detailed specifications describing its current design, instead of studying source code or schematics to try to understand how it works. Procedural rigor helps to ensure that security functional and assurance requirements have been satisfied, and it contributes to a better-informed basis for the determination of trustworthiness and risk posture. Procedural rigor is commensurate with the degree of assurance desired for the system. If the required trustworthiness of the system is low, a high level of procedural rigor may add unnecessary cost, whereas when high trustworthiness is critical, the cost of high procedural rigor is merited.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.31">
-            <title>Secure System Modification</title>
-            <param id="sa-8.31_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(31)</prop>
-            <prop name="sort-id">SA-08(31)</prop>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-4">CM-4</link>
-            <part name="statement" id="sa-8.31_smt">
-               <p>Implement the security design principle of secure system modification in <insert param-id="sa-8.31_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.31_gdn">
-               <p>The principle of secure system modification states that system modification maintains system security with respect to the security requirements and risk tolerance of stakeholders. Upgrades or modifications to systems can transform secure systems into systems that are not secure. The procedures for system modification ensure that, if the system is to maintain its trustworthiness, the same rigor that was applied to its initial development is applied to any system changes. Because modifications can affect the ability of the system to maintain its secure state, a careful security analysis of the modification is needed prior to its implementation and deployment. This principle parallels the principle of secure evolvability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-8.32">
-            <title>Sufficient Documentation</title>
-            <param id="sa-8.32_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <prop name="label">SA-8(32)</prop>
-            <prop name="sort-id">SA-08(32)</prop>
-            <link rel="related" href="#at-2">AT-2</link>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <part name="statement" id="sa-8.32_smt">
-               <p>Implement the security design principle of sufficient documentation in <insert param-id="sa-8.32_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-8.32_gdn">
-               <p>The principle of sufficient documentation states that organizational personnel with responsibility to interact with the system are provided with adequate documentation and other information such that the personnel contribute to rather than detract from system security. Despite attempts to comply with principles such as human factored security and acceptable security, systems are inherently complex, and the design intent for the use of security mechanisms is not always intuitively obvious. Neither are the ramifications of the misuse or misconfiguration of security mechanisms. Uninformed and insufficiently trained users can introduce vulnerabilities due to errors of omission and commission. The availability of documentation and training can help to ensure a knowledgeable cadre of personnel, all of whom have a critical role in the achievement of principles such as continuous protection. Documentation is written clearly and supported by training that provides security awareness and understanding of security-relevant responsibilities.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-9">
-         <title>External System Services</title>
-         <param id="sa-9_prm_1">
-            <label>organization-defined controls</label>
-         </param>
-         <param id="sa-9_prm_2">
-            <label>organization-defined processes, methods, and techniques</label>
-         </param>
-         <prop name="label">SA-9</prop>
-         <prop name="sort-id">SA-09</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#ed919d0d-8e21-4df6-801d-3fbc4cb8a505">[SP 800-35]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-7">IR-7</link>
-         <link rel="related" href="#pl-10">PL-10</link>
-         <link rel="related" href="#pl-11">PL-11</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#sa-2">SA-2</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <part name="statement" id="sa-9_smt">
-            <part name="item" id="sa-9_smt.a">
-               <prop name="label">a.</prop>
-               <p>Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: <insert param-id="sa-9_prm_1"/>;</p>
-            </part>
-            <part name="item" id="sa-9_smt.b">
-               <prop name="label">b.</prop>
-               <p>Define and document organizational oversight and user roles and responsibilities with regard to external system services; and</p>
-            </part>
-            <part name="item" id="sa-9_smt.c">
-               <prop name="label">c.</prop>
-               <p>Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: <insert param-id="sa-9_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-9_gdn">
-            <p>External system services are services that are provided by an external provider and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-9.1">
-            <title>Risk Assessments and Organizational Approvals</title>
-            <param id="sa-9.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SA-9(1)</prop>
-            <prop name="sort-id">SA-09(01)</prop>
-            <link rel="related" href="#ca-6">CA-6</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="sa-9.1_smt">
-               <part name="item" id="sa-9.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and</p>
-               </part>
-               <part name="item" id="sa-9.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Verify that the acquisition or outsourcing of dedicated information security services is approved by <insert param-id="sa-9.1_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-9.1_gdn">
-               <p>Information security services include the operation of security devices such as firewalls, or key management services; and incident monitoring, analysis, and response. Risks assessed can include system, mission or business, privacy, or supply chain risks.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.2">
-            <title>Identification of Functions, Ports, Protocols, and Services</title>
-            <param id="sa-9.2_prm_1">
-               <label>organization-defined external system services</label>
-            </param>
-            <prop name="label">SA-9(2)</prop>
-            <prop name="sort-id">SA-09(02)</prop>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <part name="statement" id="sa-9.2_smt">
-               <p>Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: <insert param-id="sa-9.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-9.2_gdn">
-               <p>Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.3">
-            <title>Establish and Maintain Trust Relationship with Providers</title>
-            <param id="sa-9.3_prm_1">
-               <label>organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships</label>
-            </param>
-            <prop name="label">SA-9(3)</prop>
-            <prop name="sort-id">SA-09(03)</prop>
-            <link rel="related" href="#sr-2">SR-2</link>
-            <part name="statement" id="sa-9.3_smt">
-               <p>Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: <insert param-id="sa-9.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-9.3_gdn">
-               <p>The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in the external providers, individually or in combination. Trust relationships can help organizations to gain increased levels of confidence that participating service providers are providing adequate protection for the services rendered and can also be useful when conducting incident response or when planning for upgrades or obsolescence. Trust relationships can be complicated due to the potentially large number of entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and types of interactions between the parties. In some cases, the degree of trust is based on the level of control organizations can exert on external service providers regarding the controls necessary for the protection of the service, information, or individual privacy and the evidence brought forth as to the effectiveness of the implemented controls. The level of control is established by the terms and conditions of the contracts or service-level agreements.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.4">
-            <title>Consistent Interests of Consumers and Providers</title>
-            <param id="sa-9.4_prm_1">
-               <label>organization-defined external service providers</label>
-            </param>
-            <param id="sa-9.4_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">SA-9(4)</prop>
-            <prop name="sort-id">SA-09(04)</prop>
-            <part name="statement" id="sa-9.4_smt">
-               <p>Take the following actions to verify that the interests of <insert param-id="sa-9.4_prm_1"/> are consistent with and reflect organizational interests: <insert param-id="sa-9.4_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sa-9.4_gdn">
-               <p>As organizations increasingly use external service providers, it is possible that the interests of the service providers may diverge from organizational interests. In such situations, simply having the required technical, management, or operational controls in place may not be sufficient if the providers that implement and manage those controls are not operating in a manner consistent with the interests of the consuming organizations. Actions that organizations take to address such concerns include requiring background checks for selected service provider personnel; examining ownership records; employing only trustworthy service providers, including providers with which organizations have had successful trust relationships; and conducting routine periodic, unscheduled visits to service provider facilities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.5">
-            <title>Processing, Storage, and Service Location</title>
-            <param id="sa-9.5_prm_1">
-               <select how-many="one or more">
-                  <choice>information processing</choice>
-                  <choice>information or data</choice>
-                  <choice>system services</choice>
-               </select>
-            </param>
-            <param id="sa-9.5_prm_2">
-               <label>organization-defined locations</label>
-            </param>
-            <param id="sa-9.5_prm_3">
-               <label>organization-defined requirements or conditions</label>
-            </param>
-            <prop name="label">SA-9(5)</prop>
-            <prop name="sort-id">SA-09(05)</prop>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sr-4">SR-4</link>
-            <part name="statement" id="sa-9.5_smt">
-               <p>Restrict the location of <insert param-id="sa-9.5_prm_1"/> to <insert param-id="sa-9.5_prm_2"/> based on <insert param-id="sa-9.5_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="sa-9.5_gdn">
-               <p>The location of information processing, information and data storage, or system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria organizations use. For example, organizations may desire that data or information storage locations are restricted to certain locations to help facilitate incident response activities in case of information security or privacy incidents. Incident response activities including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.6">
-            <title>Organization-controlled Cryptographic Keys</title>
-            <prop name="label">SA-9(6)</prop>
-            <prop name="sort-id">SA-09(06)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="sa-9.6_smt">
-               <p>Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.</p>
-            </part>
-            <part name="guidance" id="sa-9.6_gdn">
-               <p>Maintaining exclusive control of cryptographic keys in an external system prevents decryption of organizational data by external system staff. Organizational control of cryptographic keys can be implemented by encrypting and decrypting data inside the organization as data is sent to and received from the external system or by employing a component that permits encryption and decryption functions to be local to the external system, but allows exclusive organizational access to the encryption keys.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.7">
-            <title>Organization-controlled Integrity Checking</title>
-            <prop name="label">SA-9(7)</prop>
-            <prop name="sort-id">SA-09(07)</prop>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="sa-9.7_smt">
-               <p>Provide the capability to check the integrity of information while it resides in the external system.</p>
-            </part>
-            <part name="guidance" id="sa-9.7_gdn">
-               <p>Storage of organizational information in an external system could limit visibility into the security status of its data. The ability for the organization to verify and validate the integrity of its stored data without transferring it out of the external system provides such visibility.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-9.8">
-            <title>Processing and Storage Location — U.s. Jurisdiction</title>
-            <prop name="label">SA-9(8)</prop>
-            <prop name="sort-id">SA-09(08)</prop>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sr-4">SR-4</link>
-            <part name="statement" id="sa-9.8_smt">
-               <p>Restrict the geographic location of information processing and data storage to facilities located within in the legal jurisdictional boundary of the United States.</p>
-            </part>
-            <part name="guidance" id="sa-9.8_gdn">
-               <p>The geographic location of information processing and data storage can have a direct impact on the ability of organizations to successfully execute their core missions and business functions. High impact information and systems, if compromised or breached, can have a severe or catastrophic adverse impact on organizational assets and operations, individuals, other organizations, and the Nation. Restricting the processing and storage of high-impact information to facilities within the legal jurisdictional boundary of the United States provides greater control over such processing and storage.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-10">
-         <title>Developer Configuration Management</title>
-         <param id="sa-10_prm_1">
-            <select how-many="one or more">
-               <choice>design</choice>
-               <choice>development</choice>
-               <choice>implementation</choice>
-               <choice>operation</choice>
-               <choice>disposal</choice>
-            </select>
-         </param>
-         <param id="sa-10_prm_2">
-            <label>organization-defined configuration items under configuration management</label>
-         </param>
-         <param id="sa-10_prm_3">
-            <label>organization-defined personnel</label>
-         </param>
-         <prop name="label">SA-10</prop>
-         <prop name="sort-id">SA-10</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd">[FIPS 180-4]</link>
-         <link rel="reference" href="#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">[FIPS 202]</link>
-         <link rel="reference" href="#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">[SP 800-128]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#cm-9">CM-9</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <part name="statement" id="sa-10_smt">
-            <p>Require the developer of the system, system component, or system service to:</p>
-            <part name="item" id="sa-10_smt.a">
-               <prop name="label">a.</prop>
-               <p>Perform configuration management during system, component, or service <insert param-id="sa-10_prm_1"/>;</p>
-            </part>
-            <part name="item" id="sa-10_smt.b">
-               <prop name="label">b.</prop>
-               <p>Document, manage, and control the integrity of changes to <insert param-id="sa-10_prm_2"/>;</p>
-            </part>
-            <part name="item" id="sa-10_smt.c">
-               <prop name="label">c.</prop>
-               <p>Implement only organization-approved changes to the system, component, or service;</p>
-            </part>
-            <part name="item" id="sa-10_smt.d">
-               <prop name="label">d.</prop>
-               <p>Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and</p>
-            </part>
-            <part name="item" id="sa-10_smt.e">
-               <prop name="label">e.</prop>
-               <p>Track security flaws and flaw resolution within the system, component, or service and report findings to <insert param-id="sa-10_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-10_gdn">
-            <p>Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting from unauthorized modification or destruction, the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes.
-The configuration items that are placed under configuration management include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-10.1">
-            <title>Software and Firmware Integrity Verification</title>
-            <prop name="label">SA-10(1)</prop>
-            <prop name="sort-id">SA-10(01)</prop>
-            <link rel="related" href="#si-7">SI-7</link>
-            <link rel="related" href="#sr-11">SR-11</link>
-            <part name="statement" id="sa-10.1_smt">
-               <p>Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.</p>
-            </part>
-            <part name="guidance" id="sa-10.1_gdn">
-               <p>Software and firmware integrity verification allows organizations to detect unauthorized changes to software and firmware components using developer-provided tools, techniques, and mechanisms. The integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.2">
-            <title>Alternative Configuration Management</title>
-            <prop name="label">SA-10(2)</prop>
-            <prop name="sort-id">SA-10(02)</prop>
-            <part name="statement" id="sa-10.2_smt">
-               <p>Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.</p>
-            </part>
-            <part name="guidance" id="sa-10.2_gdn">
-               <p>Alternate configuration management processes may be required, for example, when organizations use commercial off-the-shelf information technology products. Alternate configuration management processes include organizational personnel that review and approve proposed changes to systems, system components, and system services; and that conduct security and privacy impact analyses prior to the implementation of changes to systems, components, or services.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.3">
-            <title>Hardware Integrity Verification</title>
-            <prop name="label">SA-10(3)</prop>
-            <prop name="sort-id">SA-10(03)</prop>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="sa-10.3_smt">
-               <p>Require the developer of the system, system component, or system service to enable integrity verification of hardware components.</p>
-            </part>
-            <part name="guidance" id="sa-10.3_gdn">
-               <p>Hardware integrity verification allows organizations to detect unauthorized changes to hardware components using developer-provided tools, techniques, methods, and mechanisms. Organizations verify the integrity of hardware components, for example, with hard-to-copy labels and verifiable serial numbers provided by developers, and by requiring the implementation of anti-tamper technologies. Delivered hardware components also include hardware and firmware updates to such components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.4">
-            <title>Trusted Generation</title>
-            <prop name="label">SA-10(4)</prop>
-            <prop name="sort-id">SA-10(04)</prop>
-            <part name="statement" id="sa-10.4_smt">
-               <p>Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions.</p>
-            </part>
-            <part name="guidance" id="sa-10.4_gdn">
-               <p>Trusted generation of descriptions, source code, and object code addresses authorized changes to hardware, software, and firmware components between versions during development. The focus is on the efficacy of the configuration management process by the developer to ensure that newly generated versions of security-relevant hardware descriptions, source code, and object code continue to enforce the security policy for the system, system component, or system service. In contrast, SA-10(1) and SA-10(3) allow organizations to detect unauthorized changes to hardware, software, and firmware components using tools, techniques, or mechanisms provided by developers.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.5">
-            <title>Mapping Integrity for Version Control</title>
-            <prop name="label">SA-10(5)</prop>
-            <prop name="sort-id">SA-10(05)</prop>
-            <part name="statement" id="sa-10.5_smt">
-               <p>Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.</p>
-            </part>
-            <part name="guidance" id="sa-10.5_gdn">
-               <p>Mapping integrity for version control addresses changes to hardware, software, and firmware components during initial development and during system development life cycle updates. Maintaining the integrity between the master copies of security-relevant hardware, software, and firmware (including designs and source code) and the equivalent data in master copies in operational environments is essential to ensure the availability of organizational systems supporting critical missions and business functions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-10.6">
-            <title>Trusted Distribution</title>
-            <prop name="label">SA-10(6)</prop>
-            <prop name="sort-id">SA-10(06)</prop>
-            <part name="statement" id="sa-10.6_smt">
-               <p>Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.</p>
-            </part>
-            <part name="guidance" id="sa-10.6_gdn">
-               <p>The trusted distribution of security-relevant hardware, software, and firmware updates help to ensure that the updates are correct representations of the master copies maintained by the developer and have not been tampered with during distribution.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-11">
-         <title>Developer Testing and Evaluation</title>
-         <param id="sa-11_prm_1">
-            <select how-many="one or more">
-               <choice>unit</choice>
-               <choice>integration</choice>
-               <choice>system</choice>
-               <choice>regression</choice>
-            </select>
-         </param>
-         <param id="sa-11_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sa-11_prm_3">
-            <label>organization-defined depth and coverage</label>
-         </param>
-         <prop name="label">SA-11</prop>
-         <prop name="sort-id">SA-11</prop>
-         <link rel="reference" href="#2ce3a8bf-7f8b-4249-bd16-808231415b14">[ISO 15408-3]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#5db6dfe4-788e-4183-93b9-f6fb29d75e41">[SP 800-53A]</link>
-         <link rel="reference" href="#fd0f14f5-8910-45c4-b60a-0c8936e00daa">[SP 800-154]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <link rel="related" href="#sr-7">SR-7</link>
-         <part name="statement" id="sa-11_smt">
-            <p>Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:</p>
-            <part name="item" id="sa-11_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop and implement a plan for ongoing security and privacy assessments;</p>
-            </part>
-            <part name="item" id="sa-11_smt.b">
-               <prop name="label">b.</prop>
-               <p>Perform <insert param-id="sa-11_prm_1"/> testing/evaluation <insert param-id="sa-11_prm_2"/> at <insert param-id="sa-11_prm_3"/>;</p>
-            </part>
-            <part name="item" id="sa-11_smt.c">
-               <prop name="label">c.</prop>
-               <p>Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;</p>
-            </part>
-            <part name="item" id="sa-11_smt.d">
-               <prop name="label">d.</prop>
-               <p>Implement a verifiable flaw remediation process; and</p>
-            </part>
-            <part name="item" id="sa-11_smt.e">
-               <prop name="label">e.</prop>
-               <p>Correct flaws identified during testing and evaluation.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-11_gdn">
-            <p>Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review; security architecture review; penetration testing; and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.
-Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, the frequency of the ongoing testing and evaluation, and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-11.1">
-            <title>Static Code Analysis</title>
-            <prop name="label">SA-11(1)</prop>
-            <prop name="sort-id">SA-11(01)</prop>
-            <part name="statement" id="sa-11.1_smt">
-               <p>Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part name="guidance" id="sa-11.1_gdn">
-               <p>Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code and checking for incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and to enforce secure coding practices and Static code analysis is most effective when used early in the development process, when each code change can be automatically scanned for potential weaknesses. Static code analysis can provide clear remediation guidance along with defects to enable developers to fix such defects. Evidence of correct implementation of static analysis include aggregate defect density for critical defect types; evidence that defects were inspected by developers or security professionals; and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.2">
-            <title>Threat Modeling and Vulnerability Analyses</title>
-            <param id="sa-11.2_prm_1">
-               <label>organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels</label>
-            </param>
-            <param id="sa-11.2_prm_2">
-               <label>organization-defined tools and methods</label>
-            </param>
-            <param id="sa-11.2_prm_3">
-               <label>organization-defined breadth and depth of modeling and analyses</label>
-            </param>
-            <param id="sa-11.2_prm_4">
-               <label>organization-defined acceptance criteria</label>
-            </param>
-            <prop name="label">SA-11(2)</prop>
-            <prop name="sort-id">SA-11(02)</prop>
-            <part name="statement" id="sa-11.2_smt">
-               <p>Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:</p>
-               <part name="item" id="sa-11.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Uses the following contextual information: <insert param-id="sa-11.2_prm_1"/>;</p>
-               </part>
-               <part name="item" id="sa-11.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Employs the following tools and methods: <insert param-id="sa-11.2_prm_2"/>;</p>
-               </part>
-               <part name="item" id="sa-11.2_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Conducts the modeling and analyses at the following level of rigor: <insert param-id="sa-11.2_prm_3"/>; and</p>
-               </part>
-               <part name="item" id="sa-11.2_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Produces evidence that meets the following acceptance criteria: <insert param-id="sa-11.2_prm_4"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-11.2_gdn">
-               <p>Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and vulnerabilities created because of those changes have been reviewed and mitigated.
-Related controls: PM-15, RA-3, RA-5.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.3">
-            <title>Independent Verification of Assessment Plans and Evidence</title>
-            <param id="sa-11.3_prm_1">
-               <label>organization-defined independence criteria</label>
-            </param>
-            <prop name="label">SA-11(3)</prop>
-            <prop name="sort-id">SA-11(03)</prop>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <part name="statement" id="sa-11.3_smt">
-               <part name="item" id="sa-11.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Require an independent agent satisfying <insert param-id="sa-11.3_prm_1"/> to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and</p>
-               </part>
-               <part name="item" id="sa-11.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-11.3_gdn">
-               <p>Independent agents have the qualifications, including the expertise, skills, training, certifications, and experience to verify the correct implementation of developer security and privacy assessment plans.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.4">
-            <title>Manual Code Reviews</title>
-            <param id="sa-11.4_prm_1">
-               <label>organization-defined specific code</label>
-            </param>
-            <param id="sa-11.4_prm_2">
-               <label>organization-defined processes, procedures, and/or techniques</label>
-            </param>
-            <prop name="label">SA-11(4)</prop>
-            <prop name="sort-id">SA-11(04)</prop>
-            <part name="statement" id="sa-11.4_smt">
-               <p>Require the developer of the system, system component, or system service to perform a manual code review of <insert param-id="sa-11.4_prm_1"/> using the following processes, procedures, and/or techniques: <insert param-id="sa-11.4_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sa-11.4_gdn">
-               <p>Manual code reviews are usually reserved for the critical software and firmware components of systems. Manual code reviews are effective in identifying weaknesses that require knowledge of the application’s requirements or context which in most cases, are unavailable to automated analytic tools and techniques, for example, static and dynamic analysis. The benefits of manual code review include the ability to verify access control matrices against application controls and review detailed aspects of cryptographic implementations and controls.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.5">
-            <title>Penetration Testing</title>
-            <param id="sa-11.5_prm_1">
-               <label>organization-defined breadth and depth of testing</label>
-            </param>
-            <param id="sa-11.5_prm_2">
-               <label>organization-defined constraints</label>
-            </param>
-            <prop name="label">SA-11(5)</prop>
-            <prop name="sort-id">SA-11(05)</prop>
-            <link rel="related" href="#ca-8">CA-8</link>
-            <link rel="related" href="#pm-14">PM-14</link>
-            <link rel="related" href="#pm-25">PM-25</link>
-            <link rel="related" href="#pt-2">PT-2</link>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-6">SI-6</link>
-            <part name="statement" id="sa-11.5_smt">
-               <p>Require the developer of the system, system component, or system service to perform penetration testing:</p>
-               <part name="item" id="sa-11.5_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>At the following level of rigor: <insert param-id="sa-11.5_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="sa-11.5_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Under the following constraints: <insert param-id="sa-11.5_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-11.5_gdn">
-               <p>Penetration testing is an assessment methodology in which assessors, using all available information technology product or system documentation and working under specific constraints, attempt to circumvent implemented security and privacy features of information technology products and systems. Useful information for assessors conducting penetration testing includes product and system design specifications, source code, and administrator and operator manuals. Penetration testing can include white-box, gray-box, or black box testing with analyses performed by skilled professionals simulating adversary actions. The objective of penetration testing is to discover vulnerabilities in systems, system components and services resulting from implementation errors, configuration faults, or other operational weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide greater levels of analysis than would ordinarily be possible. When user session information and other personally identifiable information is captured or recorded during penetration testing, such information is handled appropriately to protect privacy.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.6">
-            <title>Attack Surface Reviews</title>
-            <prop name="label">SA-11(6)</prop>
-            <prop name="sort-id">SA-11(06)</prop>
-            <link rel="related" href="#sa-15">SA-15</link>
-            <part name="statement" id="sa-11.6_smt">
-               <p>Require the developer of the system, system component, or system service to perform attack surface reviews.</p>
-            </part>
-            <part name="guidance" id="sa-11.6_gdn">
-               <p>Attack surfaces of systems and system components are exposed areas that make those systems more vulnerable to attacks. Attack surfaces include any accessible areas where weaknesses or deficiencies in the hardware, software, and firmware components provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers analyze the design and implementation changes to systems and mitigate attack vectors generated as a result of the changes. Correction of identified flaws includes deprecation of unsafe functions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.7">
-            <title>Verify Scope of Testing and Evaluation</title>
-            <param id="sa-11.7_prm_1">
-               <label>organization-defined breadth and depth of testing and evaluation</label>
-            </param>
-            <prop name="label">SA-11(7)</prop>
-            <prop name="sort-id">SA-11(07)</prop>
-            <link rel="related" href="#sa-15">SA-15</link>
-            <part name="statement" id="sa-11.7_smt">
-               <p>Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: <insert param-id="sa-11.7_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-11.7_gdn">
-               <p>Verifying that testing and evaluation provides complete coverage of required controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance corresponding to the degree of formality of the analysis. Rigorously demonstrating control coverage at the highest levels of assurance can be provided using formal modeling and analysis techniques, including correlation between control implementation and corresponding test cases.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.8">
-            <title>Dynamic Code Analysis</title>
-            <prop name="label">SA-11(8)</prop>
-            <prop name="sort-id">SA-11(08)</prop>
-            <part name="statement" id="sa-11.8_smt">
-               <p>Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.</p>
-            </part>
-            <part name="guidance" id="sa-11.8_gdn">
-               <p>Dynamic code analysis provides run-time verification of software programs, using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic code analysis employs run-time tools to ensure that security functionality performs in the way it was designed. A specialized type of dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing malformed or random data into software programs. Fuzz testing strategies derive from the intended use of applications and the associated functional and design specifications for the applications. To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-11.9">
-            <title>Interactive Application Security Testing</title>
-            <prop name="label">SA-11(9)</prop>
-            <prop name="sort-id">SA-11(09)</prop>
-            <part name="statement" id="sa-11.9_smt">
-               <p>Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.</p>
-            </part>
-            <part name="guidance" id="sa-11.9_gdn">
-               <p>Interactive (also known as instrumentation-based) application security testing is a method of detecting vulnerabilities by observing applications as they run during testing. The use of instrumentation relies on direct measurements of the actual running applications, and uses access to the code, user interaction, libraries, frameworks, backend connections, and configurations to measure control effectiveness directly. When combined with analysis techniques, interactive application security testing can identify a broad range of potential vulnerabilities and confirm control effectiveness. Instrumentation-based testing works in real time and can be used continuously throughout the system development life cycle.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-12">
-         <title>Supply Chain Protection</title>
-         <prop name="label">SA-12</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SA-12</prop>
-         <link href="#sr" rel="incorporated-into">SR Family</link>
-         <control class="SP800-53-enhancement" id="sa-12.1">
-            <title>Acquisition Strategies / Tools / Methods</title>
-            <prop name="label">SA-12(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(01)</prop>
-            <link rel="moved-to" href="#sr-5">SR-5</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.2">
-            <title>Supplier Reviews</title>
-            <prop name="label">SA-12(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(02)</prop>
-            <link rel="moved-to" href="#sr-6">SR-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.3">
-            <title>Trusted Shipping and Warehousing</title>
-            <prop name="label">SA-12(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(03)</prop>
-            <link rel="incorporated-into" href="#sr-3">SR-3</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.4">
-            <title>Diversity of Suppliers</title>
-            <prop name="label">SA-12(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(04)</prop>
-            <link rel="moved-to" href="#sr-3.1">SR-3(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.5">
-            <title>Limitation of Harm</title>
-            <prop name="label">SA-12(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(05)</prop>
-            <link rel="moved-to" href="#sr-3.2">SR-3(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.6">
-            <title>Minimizing Procurement Time</title>
-            <prop name="label">SA-12(6)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(06)</prop>
-            <link rel="incorporated-into" href="#sr-5.1">SR-5(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.7">
-            <title>Assessments Prior to Selection / Acceptance / Update</title>
-            <prop name="label">SA-12(7)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(07)</prop>
-            <link rel="moved-to" href="#sr-5.2">SR-5(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.8">
-            <title>Use of All-source Intelligence</title>
-            <prop name="label">SA-12(8)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(08)</prop>
-            <link rel="incorporated-into" href="#ra-3.2">RA-3(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.9">
-            <title>Operations Security</title>
-            <prop name="label">SA-12(9)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(09)</prop>
-            <link rel="moved-to" href="#sr-7">SR-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.10">
-            <title>Validate as Genuine and Not Altered</title>
-            <prop name="label">SA-12(10)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(10)</prop>
-            <link rel="moved-to" href="#sr-4.3">SR-4(3)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.11">
-            <title>Penetration Testing / Analysis of Elements, Processes, and Actors</title>
-            <prop name="label">SA-12(11)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(11)</prop>
-            <link rel="moved-to" href="#sr-6.1">SR-6(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.12">
-            <title>Inter-organizational Agreements</title>
-            <prop name="label">SA-12(12)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(12)</prop>
-            <link rel="moved-to" href="#sr-8">SR-8</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.13">
-            <title>Critical Information System Components</title>
-            <prop name="label">SA-12(13)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(13)</prop>
-            <link rel="incorporated-into" href="#ma-6">MA-6</link>
-            <link rel="incorporated-into" href="#ra-9">RA-9</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.14">
-            <title>Identity and Traceability</title>
-            <prop name="label">SA-12(14)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(14)</prop>
-            <link rel="moved-to" href="#sr-4.1">SR-4(1)</link>
-            <link rel="moved-to" href="#sr-4.2">SR-4(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-12.15">
-            <title>Processes to Address Weaknesses or Deficiencies</title>
-            <prop name="label">SA-12(15)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-12(15)</prop>
-            <link rel="incorporated-into" href="#sr-3">SR-3</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-13">
-         <title>Trustworthiness</title>
-         <prop name="label">SA-13</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SA-13</prop>
-         <link rel="incorporated-into" href="#sa-8">SA-8</link>
-      </control>
-      <control class="SP800-53" id="sa-14">
-         <title>Criticality Analysis</title>
-         <prop name="label">SA-14</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SA-14</prop>
-         <link rel="incorporated-into" href="#ra-9">RA-9</link>
-         <control class="SP800-53-enhancement" id="sa-14.1">
-            <title>Critical Components with No Viable Alternative Sourcing</title>
-            <prop name="label">SA-14(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-14(01)</prop>
-            <link rel="incorporated-into" href="#sa-20">SA-20</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-15">
-         <title>Development Process, Standards, and Tools</title>
-         <param id="sa-15_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sa-15_prm_2">
-            <label>organization-defined security and privacy requirements</label>
-         </param>
-         <prop name="label">SA-15</prop>
-         <prop name="sort-id">SA-15</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#7a93e915-fd58-4147-be12-e48044c367e6">[IR 8179]</link>
-         <link rel="related" href="#ma-6">MA-6</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <part name="statement" id="sa-15_smt">
-            <part name="item" id="sa-15_smt.a">
-               <prop name="label">a.</prop>
-               <p>Require the developer of the system, system component, or system service to follow a documented development process that:</p>
-               <part name="item" id="sa-15_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Explicitly addresses security and privacy requirements;</p>
-               </part>
-               <part name="item" id="sa-15_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Identifies the standards and tools used in the development process;</p>
-               </part>
-               <part name="item" id="sa-15_smt.a.3">
-                  <prop name="label">3.</prop>
-                  <p>Documents the specific tool options and tool configurations used in the development process; and</p>
-               </part>
-               <part name="item" id="sa-15_smt.a.4">
-                  <prop name="label">4.</prop>
-                  <p>Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and</p>
-               </part>
-            </part>
-            <part name="item" id="sa-15_smt.b">
-               <prop name="label">b.</prop>
-               <p>Review the development process, standards, tools, tool options, and tool configurations <insert param-id="sa-15_prm_1"/> to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: <insert param-id="sa-15_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-15_gdn">
-            <p>Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and to prevent unauthorized changes.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-15.1">
-            <title>Quality Metrics</title>
-            <param id="sa-15.1_prm_1">
-               <select how-many="one or more">
-                  <choice>
-                     <insert param-id="sa-15.1_prm_2"/>
-                  </choice>
-                  <choice>
-                     <insert param-id="sa-15.1_prm_3"/>
-                  </choice>
-                  <choice>upon delivery</choice>
-               </select>
-            </param>
-            <param id="sa-15.1_prm_2" depends-on="sa-15.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="sa-15.1_prm_3" depends-on="sa-15.1_prm_1">
-               <label>organization-defined program review milestones</label>
-            </param>
-            <prop name="label">SA-15(1)</prop>
-            <prop name="sort-id">SA-15(01)</prop>
-            <part name="statement" id="sa-15.1_smt">
-               <p>Require the developer of the system, system component, or system service to:</p>
-               <part name="item" id="sa-15.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Define quality metrics at the beginning of the development process; and</p>
-               </part>
-               <part name="item" id="sa-15.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Provide evidence of meeting the quality metrics <insert param-id="sa-15.1_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-15.1_gdn">
-               <p>Organizations use quality metrics to establish acceptable levels of system quality. Metrics can include quality gates, which are collections of completion criteria or sufficiency standards representing the satisfactory execution of specific phases of the system development project. A quality gate, for example, may require the elimination of all compiler warnings or a determination that such warnings have no impact on the effectiveness of required security or privacy capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. These metrics can include defining the severity thresholds of vulnerabilities, for example, requiring no known vulnerabilities in the delivered system with a Common Vulnerability Scoring System (CVSS) severity of Medium or High.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.2">
-            <title>Security Tracking Tools</title>
-            <prop name="label">SA-15(2)</prop>
-            <prop name="sort-id">SA-15(02)</prop>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <part name="statement" id="sa-15.2_smt">
-               <p>Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.</p>
-            </part>
-            <part name="guidance" id="sa-15.2_gdn">
-               <p>System development teams select and deploy security and privacy tracking tools, including vulnerability or work item tracking systems that facilitate assignment, sorting, filtering, and tracking of completed work items or tasks associated with development processes.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.3">
-            <title>Criticality Analysis</title>
-            <param id="sa-15.3_prm_1">
-               <label>organization-defined decision points in the system development life cycle</label>
-            </param>
-            <param id="sa-15.3_prm_2">
-               <label>organization-defined breadth and depth of criticality analysis</label>
-            </param>
-            <prop name="label">SA-15(3)</prop>
-            <prop name="sort-id">SA-15(03)</prop>
-            <link rel="related" href="#ra-9">RA-9</link>
-            <part name="statement" id="sa-15.3_smt">
-               <p>Require the developer of the system, system component, or system service to perform a criticality analysis:</p>
-               <part name="item" id="sa-15.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>At the following decision points in the system development life cycle: <insert param-id="sa-15.3_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="sa-15.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>At the following level of rigor: <insert param-id="sa-15.3_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-15.3_gdn">
-               <p>Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, and source code and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.4">
-            <title>Threat Modeling and Vulnerability Analysis</title>
-            <prop name="label">SA-15(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-15(04)</prop>
-            <link rel="incorporated-into" href="#sa-11.2">SA-11(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.5">
-            <title>Attack Surface Reduction</title>
-            <param id="sa-15.5_prm_1">
-               <label>organization-defined thresholds</label>
-            </param>
-            <prop name="label">SA-15(5)</prop>
-            <prop name="sort-id">SA-15(05)</prop>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <part name="statement" id="sa-15.5_smt">
-               <p>Require the developer of the system, system component, or system service to reduce attack surfaces to <insert param-id="sa-15.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sa-15.5_gdn">
-               <p>Attack surface reduction is closely aligned with threat and vulnerability analyses and system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within systems, system components, and system services. Attack surface reduction includes implementing the concept of layered defenses; applying the principles of least privilege and least functionality; applying secure software development practices; deprecating unsafe functions; reducing entry points available to unauthorized users; reducing the amount of code executing; and eliminating application programming interfaces (APIs) that are vulnerable to attacks.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.6">
-            <title>Continuous Improvement</title>
-            <prop name="label">SA-15(6)</prop>
-            <prop name="sort-id">SA-15(06)</prop>
-            <part name="statement" id="sa-15.6_smt">
-               <p>Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.</p>
-            </part>
-            <part name="guidance" id="sa-15.6_gdn">
-               <p>Developers of systems, system components, and system services consider the effectiveness and efficiency of their current development processes for meeting quality objectives and for addressing the security and privacy capabilities in current threat environments.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.7">
-            <title>Automated Vulnerability Analysis</title>
-            <param id="sa-15.7_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="sa-15.7_prm_2">
-               <label>organization-defined tools</label>
-            </param>
-            <param id="sa-15.7_prm_3">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SA-15(7)</prop>
-            <prop name="sort-id">SA-15(07)</prop>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <part name="statement" id="sa-15.7_smt">
-               <p>Require the developer of the system, system component, or system service <insert param-id="sa-15.7_prm_1"/> to:</p>
-               <part name="item" id="sa-15.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Perform an automated vulnerability analysis using <insert param-id="sa-15.7_prm_2"/>;</p>
-               </part>
-               <part name="item" id="sa-15.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Determine the exploitation potential for discovered vulnerabilities;</p>
-               </part>
-               <part name="item" id="sa-15.7_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Determine potential risk mitigations for delivered vulnerabilities; and</p>
-               </part>
-               <part name="item" id="sa-15.7_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Deliver the outputs of the tools and results of the analysis to <insert param-id="sa-15.7_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-15.7_gdn">
-               <p>Automated tools can be more effective in analyzing exploitable weaknesses or deficiencies in large and complex systems; prioritizing vulnerabilities by severity; and providing recommendations for risk mitigations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.8">
-            <title>Reuse of Threat and Vulnerability Information</title>
-            <prop name="label">SA-15(8)</prop>
-            <prop name="sort-id">SA-15(08)</prop>
-            <part name="statement" id="sa-15.8_smt">
-               <p>Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.</p>
-            </part>
-            <part name="guidance" id="sa-15.8_gdn">
-               <p>Analysis of vulnerabilities found in similar software applications can inform potential design and implementation issues for systems under development. Similar systems or system components may exist within developer organizations. Vulnerability information is available from a variety of public and private sector sources, including the NIST National Vulnerability Database.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.9">
-            <title>Use of Live Data</title>
-            <prop name="label">SA-15(9)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-15(09)</prop>
-            <link rel="incorporated-into" href="#sa-3.2">SA-3(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.10">
-            <title>Incident Response Plan</title>
-            <prop name="label">SA-15(10)</prop>
-            <prop name="sort-id">SA-15(10)</prop>
-            <link rel="related" href="#ir-8">IR-8</link>
-            <part name="statement" id="sa-15.10_smt">
-               <p>Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.</p>
-            </part>
-            <part name="guidance" id="sa-15.10_gdn">
-               <p>The incident response plan provided by developers may be incorporated into organizational incident response plans. Developer incident response information provides information that is not readily available to organizations. Such information may be extremely helpful, for example, when organizations respond to vulnerabilities in commercial off-the-shelf products.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.11">
-            <title>Archive System or Component</title>
-            <prop name="label">SA-15(11)</prop>
-            <prop name="sort-id">SA-15(11)</prop>
-            <link rel="related" href="#cm-2">CM-2</link>
-            <part name="statement" id="sa-15.11_smt">
-               <p>Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.</p>
-            </part>
-            <part name="guidance" id="sa-15.11_gdn">
-               <p>Archiving system or system components requires the developer to retain key development artifacts, including hardware specifications, source code, object code, and relevant documentation from the development process that can provide a readily available configuration baseline for system and component upgrades or modifications.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-15.12">
-            <title>Minimize Personally Identifiable Information</title>
-            <prop name="label">SA-15(12)</prop>
-            <prop name="sort-id">SA-15(12)</prop>
-            <link rel="related" href="#pm-25">PM-25</link>
-            <part name="statement" id="sa-15.12_smt">
-               <p>Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.</p>
-            </part>
-            <part name="guidance" id="sa-15.12_gdn">
-               <p>Organizations can minimize the risk to an individual’s privacy by using techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information in development and test environments helps reduce the level of privacy risk created by a system.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-16">
-         <title>Developer-provided Training</title>
-         <param id="sa-16_prm_1">
-            <label>organization-defined training</label>
-         </param>
-         <prop name="label">SA-16</prop>
-         <prop name="sort-id">SA-16</prop>
-         <link rel="related" href="#at-2">AT-2</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <part name="statement" id="sa-16_smt">
-            <p>Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: <insert param-id="sa-16_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sa-16_gdn">
-            <p>Developer-provided training applies to external and internal (in-house) developers. Training of personnel is an essential element to help ensure the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training; classroom-style training; and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-17">
-         <title>Developer Security Architecture and Design</title>
-         <prop name="label">SA-17</prop>
-         <prop name="sort-id">SA-17</prop>
-         <link rel="reference" href="#18abb755-c10f-407d-b0ef-4f99e5ec4a49">[ISO 15408-2]</link>
-         <link rel="reference" href="#2ce3a8bf-7f8b-4249-bd16-808231415b14">[ISO 15408-3]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pm-7">PM-7</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <part name="statement" id="sa-17_smt">
-            <p>Require the developer of the system, system component, or system service to produce a design specification and security architecture that:</p>
-            <part name="item" id="sa-17_smt.a">
-               <prop name="label">a.</prop>
-               <p>Is consistent with the organization’s security architecture that is an integral part the organization’s enterprise architecture;</p>
-            </part>
-            <part name="item" id="sa-17_smt.b">
-               <prop name="label">b.</prop>
-               <p>Accurately and completely describes the required security functionality, and the allocation of controls among physical and logical components; and</p>
-            </part>
-            <part name="item" id="sa-17_smt.c">
-               <prop name="label">c.</prop>
-               <p>Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-17_gdn">
-            <p>Developer security architecture and design is directed at external developers, although it could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security architecture and that the architecture is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services, and when there is a requirement to demonstrate consistency with the enterprise architecture and security architecture of the organization. [ISO 15408-2], [ISO 15408-3], and [SP 800-160 v1] provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-17.1">
-            <title>Formal Policy Model</title>
-            <param id="sa-17.1_prm_1">
-               <label>organization-defined elements of organizational security policy</label>
-            </param>
-            <prop name="label">SA-17(1)</prop>
-            <prop name="sort-id">SA-17(01)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <part name="statement" id="sa-17.1_smt">
-               <p>Require the developer of the system, system component, or system service to:</p>
-               <part name="item" id="sa-17.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Produce, as an integral part of the development process, a formal policy model describing the <insert param-id="sa-17.1_prm_1"/> to be enforced; and</p>
-               </part>
-               <part name="item" id="sa-17.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-17.1_gdn">
-               <p>Formal models describe specific behaviors or security policies using formal languages, thus enabling the correctness of those behaviors and policies to be formally proven. Not all components of systems can be modeled. Generally, formal specifications are scoped to the specific behaviors or policies of interest, for example, nondiscretionary access control policies. Organizations choose the formal modeling language and approach based on the nature of the behaviors and policies to be described and the available tools. Formal modeling tools include Gypsy and Zed.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.2">
-            <title>Security-relevant Components</title>
-            <prop name="label">SA-17(2)</prop>
-            <prop name="sort-id">SA-17(02)</prop>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <part name="statement" id="sa-17.2_smt">
-               <p>Require the developer of the system, system component, or system service to:</p>
-               <part name="item" id="sa-17.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Define security-relevant hardware, software, and firmware; and</p>
-               </part>
-               <part name="item" id="sa-17.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-17.2_gdn">
-               <p>The security-relevant hardware, software, and firmware represent the portion of the system, component, or service that is trusted to perform correctly to maintain required security properties.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.3">
-            <title>Formal Correspondence</title>
-            <prop name="label">SA-17(3)</prop>
-            <prop name="sort-id">SA-17(03)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <part name="statement" id="sa-17.3_smt">
-               <p>Require the developer of the system, system component, or system service to:</p>
-               <part name="item" id="sa-17.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;</p>
-               </part>
-               <part name="item" id="sa-17.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;</p>
-               </part>
-               <part name="item" id="sa-17.3_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;</p>
-               </part>
-               <part name="item" id="sa-17.3_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and</p>
-               </part>
-               <part name="item" id="sa-17.3_smt.e">
-                  <prop name="label">(e)</prop>
-                  <p>Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-17.3_gdn">
-               <p>Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details that are present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal system description, and that the formal system description is correctly implemented by a description of some lower level, including a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal and informal methods may be needed to demonstrate such consistency. Consistency between the formal top-level specification and the actual implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms internal to security-relevant components include mapping registers and direct memory input and output.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.4">
-            <title>Informal Correspondence</title>
-            <param id="sa-17.4_prm_1">
-               <select>
-                  <choice>informal demonstration</choice>
-                  <choice>convincing argument with formal methods as feasible</choice>
-               </select>
-            </param>
-            <prop name="label">SA-17(4)</prop>
-            <prop name="sort-id">SA-17(04)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-4">AC-4</link>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <link rel="related" href="#sa-4">SA-4</link>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <part name="statement" id="sa-17.4_smt">
-               <p>Require the developer of the system, system component, or system service to:</p>
-               <part name="item" id="sa-17.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;</p>
-               </part>
-               <part name="item" id="sa-17.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Show via <insert param-id="sa-17.4_prm_1"/> that the descriptive top-level specification is consistent with the formal policy model;</p>
-               </part>
-               <part name="item" id="sa-17.4_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;</p>
-               </part>
-               <part name="item" id="sa-17.4_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and</p>
-               </part>
-               <part name="item" id="sa-17.4_smt.e">
-                  <prop name="label">(e)</prop>
-                  <p>Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-17.4_gdn">
-               <p>Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal and informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include mapping registers and direct memory input and output.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.5">
-            <title>Conceptually Simple Design</title>
-            <prop name="label">SA-17(5)</prop>
-            <prop name="sort-id">SA-17(05)</prop>
-            <link rel="related" href="#ac-25">AC-25</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <part name="statement" id="sa-17.5_smt">
-               <p>Require the developer of the system, system component, or system service to:</p>
-               <part name="item" id="sa-17.5_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and</p>
-               </part>
-               <part name="item" id="sa-17.5_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sa-17.5_gdn">
-               <p>The principle of reduced complexity states that the system design is as simple and small as possible (see SA-8(7)). A small and simple design is easier to understand and analyze, and is also less prone to error (see AC-25, SA-8(13)). The principle of reduced complexity applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions and facilitates the identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain—that is, simpler systems contain fewer vulnerabilities. An important benefit of reduced complexity is that it is easier to understand whether the security policy has been captured in the system design, and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.6">
-            <title>Structure for Testing</title>
-            <prop name="label">SA-17(6)</prop>
-            <prop name="sort-id">SA-17(06)</prop>
-            <link rel="related" href="#sa-5">SA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <part name="statement" id="sa-17.6_smt">
-               <p>Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.</p>
-            </part>
-            <part name="guidance" id="sa-17.6_gdn">
-               <p>Applying the security design principles in [SP 800-160 v1] promotes complete, consistent, and comprehensive testing and evaluation of systems, system components, and services. The thoroughness of such testing contributes to the evidence produced to generate an effective assurance case or argument as to the trustworthiness of the system, system component, or service.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.7">
-            <title>Structure for Least Privilege</title>
-            <prop name="label">SA-17(7)</prop>
-            <prop name="sort-id">SA-17(07)</prop>
-            <link rel="related" href="#ac-5">AC-5</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <link rel="related" href="#sa-8">SA-8</link>
-            <part name="statement" id="sa-17.7_smt">
-               <p>Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.</p>
-            </part>
-            <part name="guidance" id="sa-17.7_gdn">
-               <p>The principle of least privilege states that each component is allocated sufficient privileges to accomplish its specified functions, but no more (see SA-8(14)). Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects. First, the security impact of a failure, corruption, or misuse of the system component results in a minimized security impact. Second, the security analysis of the component is simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who has need only to view the audit data that has been collected but no need to perform operations on that data.
-In addition to its manifestations at the system interface, least privilege can be used as a guiding principle for the internal structure of the system itself. One aspect of internal least privilege is to construct modules so that only the elements encapsulated by the module are directly operated upon by the functions within the module. Elements external to a module that may be affected by the module’s operation are indirectly accessed through interaction (e.g., via a function call) with the module that contains those elements. Another aspect of internal least privilege is that the scope of a given module or component includes only those system elements that are necessary for its functionality, and that the access modes to the elements (e.g., read, write) are minimal.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.8">
-            <title>Orchestration</title>
-            <param id="sa-17.8_prm_1">
-               <label>organization-defined critical systems or system components</label>
-            </param>
-            <param id="sa-17.8_prm_2">
-               <label>organization-defined capabilities, by system or component</label>
-            </param>
-            <prop name="label">SA-17(8)</prop>
-            <prop name="sort-id">SA-17(08)</prop>
-            <part name="statement" id="sa-17.8_smt">
-               <p>Design <insert param-id="sa-17.8_prm_1"/> with coordinated behavior to implement the following capabilities: <insert param-id="sa-17.8_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sa-17.8_gdn">
-               <p>Security resources that are distributed, located at different layers or in different system elements, or are implemented to support different aspects of trustworthiness can interact in unforeseen or incorrect ways. Adverse consequences can include cascading failures, interference, or coverage gaps. Coordination of the behavior of security resources (e.g., by ensuring that one patch is installed across all resources before making a configuration change that assumes that the patch is propagated) can avert such negative interactions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-17.9">
-            <title>Design Diversity</title>
-            <param id="sa-17.9_prm_1">
-               <label>organization-defined critical systems or system components</label>
-            </param>
-            <prop name="label">SA-17(9)</prop>
-            <prop name="sort-id">SA-17(09)</prop>
-            <part name="statement" id="sa-17.9_smt">
-               <p>Use different designs for <insert param-id="sa-17.9_prm_1"/> to satisfy a common set of requirements or to provide equivalent functionality.</p>
-            </part>
-            <part name="guidance" id="sa-17.9_gdn">
-               <p>Design diversity is achieved by supplying the same requirements specification to multiple developers, each of which is responsible for developing a variant of the system or system component that meets the requirements. Variants can be in software design, in hardware design, or in both hardware and a software design. Differences in the designs of the variants can result from developer experience (e.g., prior use of a design pattern), design style (e.g., when decomposing a required function into smaller tasks, determining what constitutes a separate task, and determining how far to decompose tasks into sub-tasks), selection of libraries to incorporate into the variant, and the development environment (e.g., different design tools make some design patterns easier to visualize). Hardware design diversity includes making different decisions about what information to keep in analog form and what to convert to digital form; transmitting the same information at different times; and introducing delays in sampling (temporal diversity). Design diversity is commonly used to support fault tolerance.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-18">
-         <title>Tamper Resistance and Detection</title>
-         <prop name="label">SA-18</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SA-18</prop>
-         <link rel="moved-to" href="#sr-9">SR-9</link>
-         <control class="SP800-53-enhancement" id="sa-18.1">
-            <title>Multiple Phases of System Development Life Cycle</title>
-            <prop name="label">SA-18(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-18(01)</prop>
-            <link rel="moved-to" href="#sr-9.1">SR-9(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-18.2">
-            <title>Inspection of Systems or Components</title>
-            <prop name="label">SA-18(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-18(02)</prop>
-            <link rel="moved-to" href="#sr-10">SR-10</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-19">
-         <title>Component Authenticity</title>
-         <prop name="label">SA-19</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SA-19</prop>
-         <link rel="moved-to" href="#sr-11">SR-11</link>
-         <control class="SP800-53-enhancement" id="sa-19.1">
-            <title>Anti-counterfeit Training</title>
-            <prop name="label">SA-19(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-19(01)</prop>
-            <link rel="moved-to" href="#sr-11.1">SR-11(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-19.2">
-            <title>Configuration Control for Component Service and Repair</title>
-            <prop name="label">SA-19(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-19(02)</prop>
-            <link rel="moved-to" href="#sr-11.2">SR-11(2)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-19.3">
-            <title>Component Disposal</title>
-            <prop name="label">SA-19(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-19(03)</prop>
-            <link rel="moved-to" href="#sr-11.3">SR-11(3)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sa-19.4">
-            <title>Anti-counterfeit Scanning</title>
-            <prop name="label">SA-19(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-19(04)</prop>
-            <link rel="moved-to" href="#sr-11.4">SR-11(4)</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-20">
-         <title>Customized Development of Critical Components</title>
-         <param id="sa-20_prm_1">
-            <label>organization-defined critical system components</label>
-         </param>
-         <prop name="label">SA-20</prop>
-         <prop name="sort-id">SA-20</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <part name="statement" id="sa-20_smt">
-            <p>Re-implement or custom develop the following critical system components: <insert param-id="sa-20_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sa-20_gdn">
-            <p>Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components, and for which there are no viable security controls to adequately mitigate the resulting risk. Re-implementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to re-implement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing; restrictions on source code and system utility access; and protection from deletion of system and application files.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sa-21">
-         <title>Developer Screening</title>
-         <param id="sa-21_prm_1">
-            <label>organization-defined system, system component, or system service</label>
-         </param>
-         <param id="sa-21_prm_2">
-            <label>organization-defined official government duties</label>
-         </param>
-         <param id="sa-21_prm_3">
-            <label>organization-defined additional personnel screening criteria</label>
-         </param>
-         <prop name="label">SA-21</prop>
-         <prop name="sort-id">SA-21</prop>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#ps-3">PS-3</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#ps-7">PS-7</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <part name="statement" id="sa-21_smt">
-            <p>Require that the developer of <insert param-id="sa-21_prm_1"/>:</p>
-            <part name="item" id="sa-21_smt.a">
-               <prop name="label">a.</prop>
-               <p>Has appropriate access authorizations as determined by assigned <insert param-id="sa-21_prm_2"/>;</p>
-            </part>
-            <part name="item" id="sa-21_smt.b">
-               <prop name="label">b.</prop>
-               <p>Satisfies the following additional personnel screening criteria: <insert param-id="sa-21_prm_3"/>; and</p>
-            </part>
-            <part name="item" id="sa-21_smt.c">
-               <prop name="label">c.</prop>
-               <p>Provides information that the access authorizations and screening criteria are satisfied.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-21_gdn">
-            <p>Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals accessing the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships the company has with entities potentially affecting the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-21.1">
-            <title>Validation of Screening</title>
-            <prop name="label">SA-21(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-21(01)</prop>
-            <link rel="incorporated-into" href="#sa-21">SA-21</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-22">
-         <title>Unsupported System Components</title>
-         <param id="sa-22_prm_1">
-            <select how-many="one or more">
-               <choice>in-house support</choice>
-               <choice>
-                  <insert param-id="sa-22_prm_2"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sa-22_prm_2" depends-on="sa-22_prm_1">
-            <label>organization-defined support from external providers</label>
-         </param>
-         <prop name="label">SA-22</prop>
-         <prop name="sort-id">SA-22</prop>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <part name="statement" id="sa-22_smt">
-            <part name="item" id="sa-22_smt.a">
-               <prop name="label">a.</prop>
-               <p>Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or</p>
-            </part>
-            <part name="item" id="sa-22_smt.b">
-               <prop name="label">b.</prop>
-               <p>Provide the following options for alternative sources for continued support for unsupported components <insert param-id="sa-22_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sa-22_gdn">
-            <p>Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components, for example, when vendors no longer provide critical software patches or product updates, provide an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.
-Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business operations. If necessary, organizations can establish in-house support by developing customized patches for critical software components or alternatively, obtain the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include Open Source Software value-added vendors.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sa-22.1">
-            <title>Alternative Sources for Continued Support</title>
-            <prop name="label">SA-22(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SA-22(01)</prop>
-            <link rel="incorporated-into" href="#sa-22">SA-22</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sa-23">
-         <title>Specialization</title>
-         <param id="sa-23_prm_1">
-            <select how-many="one or more">
-               <choice>design modification</choice>
-               <choice>augmentation</choice>
-               <choice>reconfiguration</choice>
-            </select>
-         </param>
-         <param id="sa-23_prm_2">
-            <label>organization-defined systems or system components</label>
-         </param>
-         <prop name="label">SA-23</prop>
-         <prop name="sort-id">SA-23</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <part name="statement" id="sa-23_smt">
-            <p>Employ <insert param-id="sa-23_prm_1"/> on <insert param-id="sa-23_prm_2"/> supporting mission essential services or functions to increase the trustworthiness in those systems or components.</p>
-         </part>
-         <part name="guidance" id="sa-23_gdn">
-            <p>It is often necessary for a system or system component that supports mission essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement is done at the design level. In other instances, it is done post-design, either through modifications of the system in question or by augmenting the system with additional components. For example, supplemental authentication or non-repudiation functions may be added to the system to enhance the identity of critical resources to other resources that depend upon the organization-defined resources.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sc">
-      <title>System and Communications Protection</title>
-      <control class="SP800-53" id="sc-1">
-         <title>Policy and Procedures</title>
-         <param id="sc-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sc-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="sc-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="sc-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sc-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SC-1</prop>
-         <prop name="sort-id">SC-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="sc-1_smt">
-            <part name="item" id="sc-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="sc-1_prm_1"/>:</p>
-               <part name="item" id="sc-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="sc-1_prm_2"/> system and communications protection policy that:</p>
-                  <part name="item" id="sc-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="sc-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="sc-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;</p>
-               </part>
-            </part>
-            <part name="item" id="sc-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="sc-1_prm_3"/> to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and</p>
-            </part>
-            <part name="item" id="sc-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current system and communications protection:</p>
-               <part name="item" id="sc-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="sc-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="sc-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="sc-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="sc-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the SC family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-2">
-         <title>Separation of System and User Functionality</title>
-         <prop name="label">SC-2</prop>
-         <prop name="sort-id">SC-02</prop>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-22">SC-22</link>
-         <link rel="related" href="#sc-32">SC-32</link>
-         <link rel="related" href="#sc-39">SC-39</link>
-         <part name="statement" id="sc-2_smt">
-            <p>Separate user functionality, including user interface services, from system management functionality.</p>
-         </part>
-         <part name="guidance" id="sc-2_gdn">
-            <p>System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations implement separation of system management functions from user functions, for example, by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-2.1">
-            <title>Interfaces for Non-privileged Users</title>
-            <prop name="label">SC-2(1)</prop>
-            <prop name="sort-id">SC-02(01)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <part name="statement" id="sc-2.1_smt">
-               <p>Prevent the presentation of system management functionality at interfaces to non-privileged users.</p>
-            </part>
-            <part name="guidance" id="sc-2.1_gdn">
-               <p>Preventing the presentation of system management functionality at interfaces to non-privileged users ensures that system administration options, including administrator privileges, are not available to the general user population. Restricting user access also prohibits the use of the grey-out option commonly used to eliminate accessibility to such information. One potential solution is to withhold system administration options until users establish sessions with administrator privileges.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-2.2">
-            <title>Disassociability</title>
-            <prop name="label">SC-2(2)</prop>
-            <prop name="sort-id">SC-02(02)</prop>
-            <part name="statement" id="sc-2.2_smt">
-               <p>Store state information from applications and software separately.</p>
-            </part>
-            <part name="guidance" id="sc-2.2_gdn">
-               <p>If a system is compromised, storing applications and software separately from state information about users’ interactions with an application, may better protect individuals’ privacy.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-3">
-         <title>Security Function Isolation</title>
-         <prop name="label">SC-3</prop>
-         <prop name="sort-id">SC-03</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-25">AC-25</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sa-17">SA-17</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-32">SC-32</link>
-         <link rel="related" href="#sc-39">SC-39</link>
-         <link rel="related" href="#si-16">SI-16</link>
-         <part name="statement" id="sc-3_smt">
-            <p>Isolate security functions from nonsecurity functions.</p>
-         </part>
-         <part name="guidance" id="sc-3_gdn">
-            <p>Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Systems implement code separation in many ways, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-3.1">
-            <title>Hardware Separation</title>
-            <prop name="label">SC-3(1)</prop>
-            <prop name="sort-id">SC-03(01)</prop>
-            <part name="statement" id="sc-3.1_smt">
-               <p>Employ hardware separation mechanisms to implement security function isolation.</p>
-            </part>
-            <part name="guidance" id="sc-3.1_gdn">
-               <p>Hardware separation mechanisms include hardware ring architectures that are implemented within microprocessors, and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-3.2">
-            <title>Access and Flow Control Functions</title>
-            <prop name="label">SC-3(2)</prop>
-            <prop name="sort-id">SC-03(02)</prop>
-            <part name="statement" id="sc-3.2_smt">
-               <p>Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.</p>
-            </part>
-            <part name="guidance" id="sc-3.2_gdn">
-               <p>Security function isolation occurs because of implementation. The functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include auditing, intrusion detection, and malicious code protection functions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-3.3">
-            <title>Minimize Nonsecurity Functionality</title>
-            <prop name="label">SC-3(3)</prop>
-            <prop name="sort-id">SC-03(03)</prop>
-            <part name="statement" id="sc-3.3_smt">
-               <p>Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.</p>
-            </part>
-            <part name="guidance" id="sc-3.3_gdn">
-               <p>Where it is not feasible to achieve strict isolation of nonsecurity functions from security functions, it is necessary to take actions to minimize nonsecurity-relevant functions within the security function boundary. Nonsecurity functions contained within the isolation boundary are considered security-relevant because errors or malicious code in the software, can directly impact the security functions of systems. The fundamental design objective is that the specific portions of systems providing information security are of minimal size and complexity. Minimizing the number of nonsecurity functions in the security-relevant system components allows designers and implementers to focus only on those functions which are necessary to provide the desired security capability (typically access enforcement). By minimizing the nonsecurity functions within the isolation boundaries, the amount of code that is trusted to enforce security policies is significantly reduced, thus contributing to understandability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-3.4">
-            <title>Module Coupling and Cohesiveness</title>
-            <prop name="label">SC-3(4)</prop>
-            <prop name="sort-id">SC-03(04)</prop>
-            <part name="statement" id="sc-3.4_smt">
-               <p>Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.</p>
-            </part>
-            <part name="guidance" id="sc-3.4_gdn">
-               <p>The reduction in inter-module interactions helps to constrain security functions and manage complexity. The concepts of coupling and cohesion are important with respect to modularity in software design. Coupling refers to the dependencies that one module has on other modules. Cohesion refers to the relationship between functions within a module. Best practices in software engineering and systems security engineering rely on layering, minimization, and modular decomposition to reduce and manage complexity. This produces software modules that are highly cohesive and loosely coupled.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-3.5">
-            <title>Layered Structures</title>
-            <prop name="label">SC-3(5)</prop>
-            <prop name="sort-id">SC-03(05)</prop>
-            <part name="statement" id="sc-3.5_smt">
-               <p>Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.</p>
-            </part>
-            <part name="guidance" id="sc-3.5_gdn">
-               <p>The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) further enables the isolation of security functions and management of complexity.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-4">
-         <title>Information in Shared System Resources</title>
-         <prop name="label">SC-4</prop>
-         <prop name="sort-id">SC-04</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <part name="statement" id="sc-4_smt">
-            <p>Prevent unauthorized and unintended information transfer via shared system resources.</p>
-         </part>
-         <part name="guidance" id="sc-4_gdn">
-            <p>Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This control also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. This control does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-4.1">
-            <title>Security Levels</title>
-            <prop name="label">SC-4(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-04(01)</prop>
-            <link rel="incorporated-into" href="#sc-4">SC-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-4.2">
-            <title>Multilevel or Periods Processing</title>
-            <param id="sc-4.2_prm_1">
-               <label>organization-defined procedures</label>
-            </param>
-            <prop name="label">SC-4(2)</prop>
-            <prop name="sort-id">SC-04(02)</prop>
-            <part name="statement" id="sc-4.2_smt">
-               <p>Prevent unauthorized information transfer via shared resources in accordance with <insert param-id="sc-4.2_prm_1"/> when system processing explicitly switches between different information classification levels or security categories.</p>
-            </part>
-            <part name="guidance" id="sc-4.2_gdn">
-               <p>Changes in processing levels during system operations can occur, for example, during multilevel or periods processing with information at different classification levels or security categories. It can also occur during serial reuse of hardware components at different classification levels. Organization-defined procedures can include the approved sanitization processes for electronically stored information.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-5">
-         <title>Denial of Service Protection</title>
-         <param id="sc-5_prm_1">
-            <select>
-               <choice>protect against</choice>
-               <choice>limit</choice>
-            </select>
-         </param>
-         <param id="sc-5_prm_2">
-            <label>organization-defined types of denial of service events</label>
-         </param>
-         <param id="sc-5_prm_3">
-            <label>organization-defined controls by type of denial of service event</label>
-         </param>
-         <prop name="label">SC-5</prop>
-         <prop name="sort-id">SC-05</prop>
-         <link rel="reference" href="#3862cd94-ff25-4631-9a9a-b92c21a0a923">[SP 800-189]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#sc-6">SC-6</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-40">SC-40</link>
-         <part name="statement" id="sc-5_smt">
-            <part name="item" id="sc-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>
-                  <insert param-id="sc-5_prm_1"/> the effects of the following types of denial of service events: <insert param-id="sc-5_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="sc-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Employ the following controls to achieve the denial of service objective: <insert param-id="sc-5_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-5_gdn">
-            <p>Denial of service events may occur due to a variety of internal and external causes such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a variety of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial of service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by, or the source of, denial of service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial of service events.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-5.1">
-            <title>Restrict Ability to Attack Other Systems</title>
-            <param id="sc-5.1_prm_1">
-               <label>organization-defined denial of service attacks</label>
-            </param>
-            <prop name="label">SC-5(1)</prop>
-            <prop name="sort-id">SC-05(01)</prop>
-            <part name="statement" id="sc-5.1_smt">
-               <p>Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: <insert param-id="sc-5.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-5.1_gdn">
-               <p>Restricting the ability of individuals to launch denial of service attacks requires the mechanisms commonly used for such attacks are unavailable. Individuals of concern include hostile insiders or external adversaries that have breached or compromised the system and are using the system to launch a denial of service attack. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., wired networks, wireless networks, spoofed Internet protocol packets). Organizations can also limit the ability of individuals to use excessive system resources. Protection against individuals having the ability to launch denial of service attacks may be implemented on specific systems or on boundary devices prohibiting egress to potential target systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-5.2">
-            <title>Capacity, Bandwidth, and Redundancy</title>
-            <prop name="label">SC-5(2)</prop>
-            <prop name="sort-id">SC-05(02)</prop>
-            <part name="statement" id="sc-5.2_smt">
-               <p>Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.</p>
-            </part>
-            <part name="guidance" id="sc-5.2_gdn">
-               <p>Managing capacity ensures that sufficient capacity is available to counter flooding attacks. Managing capacity includes establishing selected usage priorities, quotas, partitioning, or load balancing.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-5.3">
-            <title>Detection and Monitoring</title>
-            <param id="sc-5.3_prm_1">
-               <label>organization-defined monitoring tools</label>
-            </param>
-            <param id="sc-5.3_prm_2">
-               <label>organization-defined system resources</label>
-            </param>
-            <prop name="label">SC-5(3)</prop>
-            <prop name="sort-id">SC-05(03)</prop>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="sc-5.3_smt">
-               <part name="item" id="sc-5.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employ the following monitoring tools to detect indicators of denial of service attacks against, or launched from, the system: <insert param-id="sc-5.3_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="sc-5.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Monitor the following system resources to determine if sufficient resources exist to prevent effective denial of service attacks: <insert param-id="sc-5.3_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sc-5.3_gdn">
-               <p>Organizations consider utilization and capacity of system resources when managing risk from denial of service due to malicious attacks. Denial of service attacks can originate from external or internal sources. System resources sensitive to denial of service include physical disk storage, memory, and CPU cycles. Controls used to prevent denial of service attacks related to storage utilization and capacity include instituting disk quotas; configuring systems to automatically alert administrators when specific storage capacity thresholds are reached; using file compression technologies to maximize available storage space; and imposing separate partitions for system and user data.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-6">
-         <title>Resource Availability</title>
-         <param id="sc-6_prm_1">
-            <label>organization-defined resources</label>
-         </param>
-         <param id="sc-6_prm_2">
-            <select how-many="one or more">
-               <choice>priority</choice>
-               <choice>quota</choice>
-               <choice>
-                  <insert param-id="sc-6_prm_3"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sc-6_prm_3" depends-on="sc-6_prm_2">
-            <label>organization-defined controls</label>
-         </param>
-         <prop name="label">SC-6</prop>
-         <prop name="sort-id">SC-06</prop>
-         <link rel="reference" href="#36f101d0-0efd-4169-8d62-25a2ef414a1d">[OMB M-08-05]</link>
-         <link rel="reference" href="#2ee29e9a-6855-4160-a811-b5c7c50bd127">[DHS TIC]</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <part name="statement" id="sc-6_smt">
-            <p>Protect the availability of resources by allocating <insert param-id="sc-6_prm_1"/> by <insert param-id="sc-6_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="sc-6_gdn">
-            <p>Priority protection prevents lower-priority processes from delaying or interfering with the system servicing higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to system components for which there are only single users or roles.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-7">
-         <title>Boundary Protection</title>
-         <param id="sc-7_prm_1">
-            <select>
-               <choice>physically</choice>
-               <choice>logically</choice>
-            </select>
-         </param>
-         <prop name="label">SC-7</prop>
-         <prop name="sort-id">SC-07</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#e07d73ea-96b9-4330-aff2-e0215f455343">[SP 800-37]</link>
-         <link rel="reference" href="#db7877cf-1013-4fb1-b943-ca9361d16370">[SP 800-41]</link>
-         <link rel="reference" href="#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa">[SP 800-77]</link>
-         <link rel="reference" href="#3862cd94-ff25-4631-9a9a-b92c21a0a923">[SP 800-189]</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#au-13">AU-13</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#cm-10">CM-10</link>
-         <link rel="related" href="#cp-8">CP-8</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <link rel="related" href="#sc-32">SC-32</link>
-         <link rel="related" href="#sc-43">SC-43</link>
-         <part name="statement" id="sc-7_smt">
-            <part name="item" id="sc-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Monitor and control communications at the external interfaces to the system and at key internal interfaces within the system;</p>
-            </part>
-            <part name="item" id="sc-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Implement subnetworks for publicly accessible system components that are <insert param-id="sc-7_prm_1"/> separated from internal organizational networks; and</p>
-            </part>
-            <part name="item" id="sc-7_smt.c">
-               <prop name="label">c.</prop>
-               <p>Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-7_gdn">
-            <p>Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-7.1">
-            <title>Physically Separated Subnetworks</title>
-            <prop name="label">SC-7(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-07(01)</prop>
-            <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.2">
-            <title>Public Access</title>
-            <prop name="label">SC-7(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-07(02)</prop>
-            <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.3">
-            <title>Access Points</title>
-            <prop name="label">SC-7(3)</prop>
-            <prop name="sort-id">SC-07(03)</prop>
-            <part name="statement" id="sc-7.3_smt">
-               <p>Limit the number of external network connections to the system.</p>
-            </part>
-            <part name="guidance" id="sc-7.3_gdn">
-               <p>Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline requiring limits on the number of external network connections. Limiting the number of external network connections to the system is  important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.4">
-            <title>External Telecommunications Services</title>
-            <param id="sc-7.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SC-7(4)</prop>
-            <prop name="sort-id">SC-07(04)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <part name="statement" id="sc-7.4_smt">
-               <part name="item" id="sc-7.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Implement a managed interface for each external telecommunication service;</p>
-               </part>
-               <part name="item" id="sc-7.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Establish a traffic flow policy for each managed interface;</p>
-               </part>
-               <part name="item" id="sc-7.4_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Protect the confidentiality and integrity of the information being transmitted across each interface;</p>
-               </part>
-               <part name="item" id="sc-7.4_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;</p>
-               </part>
-               <part name="item" id="sc-7.4_smt.e">
-                  <prop name="label">(e)</prop>
-                  <p>Review exceptions to the traffic flow policy <insert param-id="sc-7.4_prm_1"/> and remove exceptions that are no longer supported by an explicit mission or business need;</p>
-               </part>
-               <part name="item" id="sc-7.4_smt.f">
-                  <prop name="label">(f)</prop>
-                  <p>Prevent unauthorized exchange of control plane traffic with external networks;</p>
-               </part>
-               <part name="item" id="sc-7.4_smt.g">
-                  <prop name="label">(g)</prop>
-                  <p>Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and</p>
-               </part>
-               <part name="item" id="sc-7.4_smt.h">
-                  <prop name="label">(h)</prop>
-                  <p>Filter unauthorized control plane traffic from external networks.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sc-7.4_gdn">
-               <p>External commercial telecommunications services may provide data or voice communications services. Examples of control plane traffic include routing, domain name system (DNS), and management. Unauthorized control plane traffic can occur for example, through a technique known as “spoofing.”</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.5">
-            <title>Deny by Default — Allow by Exception</title>
-            <param id="sc-7.5_prm_1">
-               <select how-many="one or more">
-                  <choice>at managed interfaces</choice>
-                  <choice>for <insert param-id="sc-7.5_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="sc-7.5_prm_2" depends-on="sc-7.5_prm_1">
-               <label>organization-defined systems</label>
-            </param>
-            <prop name="label">SC-7(5)</prop>
-            <prop name="sort-id">SC-07(05)</prop>
-            <part name="statement" id="sc-7.5_smt">
-               <p>Deny network communications traffic by default and allow network communications traffic by exception <insert param-id="sc-7.5_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.5_gdn">
-               <p>Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.6">
-            <title>Response to Recognized Failures</title>
-            <prop name="label">SC-7(6)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-07(06)</prop>
-            <link rel="incorporated-into" href="#sc-7.18">SC-7(18)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.7">
-            <title>Prevent Split Tunneling for Remote Devices</title>
-            <prop name="label">SC-7(7)</prop>
-            <prop name="sort-id">SC-07(07)</prop>
-            <part name="statement" id="sc-7.7_smt">
-               <p>Prevent a remote device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.</p>
-            </part>
-            <part name="guidance" id="sc-7.7_gdn">
-               <p>Prevention of split tunneling is implemented in remote devices through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being configurable by users. Prevention of split tunneling is implemented within the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.8">
-            <title>Route Traffic to Authenticated Proxy Servers</title>
-            <param id="sc-7.8_prm_1">
-               <label>organization-defined internal communications traffic</label>
-            </param>
-            <param id="sc-7.8_prm_2">
-               <label>organization-defined external networks</label>
-            </param>
-            <prop name="label">SC-7(8)</prop>
-            <prop name="sort-id">SC-07(08)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <part name="statement" id="sc-7.8_smt">
-               <p>Route <insert param-id="sc-7.8_prm_1"/> to <insert param-id="sc-7.8_prm_2"/> through authenticated proxy servers at managed interfaces.</p>
-            </part>
-            <part name="guidance" id="sc-7.8_gdn">
-               <p>External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers can support logging of Transmission Control Protocol sessions and blocking specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for “man-in-the-middle” attacks (depending on the implementation).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.9">
-            <title>Restrict Threatening Outgoing Communications Traffic</title>
-            <prop name="label">SC-7(9)</prop>
-            <prop name="sort-id">SC-07(09)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#sc-5">SC-5</link>
-            <link rel="related" href="#sc-38">SC-38</link>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="sc-7.9_smt">
-               <part name="item" id="sc-7.9_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Detect and deny outgoing communications traffic posing a threat to external systems; and</p>
-               </part>
-               <part name="item" id="sc-7.9_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Audit the identity of internal users associated with denied communications.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sc-7.9_gdn">
-               <p>Detecting outgoing communications traffic from internal actions that may pose threats to external systems is known as extrusion detection. Extrusion detection is carried out at system boundaries as part of managed interfaces. Extrusion detection includes the analysis of incoming and outgoing communications traffic while searching for indications of internal threats to the security of external systems. Internal threats to external systems include traffic indicative of denial of service attacks, traffic with spoofed source addresses, and traffic containing malicious code.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.10">
-            <title>Prevent Exfiltration</title>
-            <param id="sc-7.10_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SC-7(10)</prop>
-            <prop name="sort-id">SC-07(10)</prop>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <part name="statement" id="sc-7.10_smt">
-               <part name="item" id="sc-7.10_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Prevent the exfiltration of information; and</p>
-               </part>
-               <part name="item" id="sc-7.10_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Conduct exfiltration tests <insert param-id="sc-7.10_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sc-7.10_gdn">
-               <p>This control applies to intentional and unintentional exfiltration of information. Controls to prevent exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats; monitoring for beaconing activity from systems; disconnecting external network interfaces except when explicitly needed; employing traffic profile analysis to detect deviations from the volume and types of traffic expected or call backs to command and control centers; monitoring for steganography; disassembling and reassembling packet headers; and employing data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and XML gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. Prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards enforcing information flow requirements.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.11">
-            <title>Restrict Incoming Communications Traffic</title>
-            <param id="sc-7.11_prm_1">
-               <label>organization-defined authorized sources</label>
-            </param>
-            <param id="sc-7.11_prm_2">
-               <label>organization-defined authorized destinations</label>
-            </param>
-            <prop name="label">SC-7(11)</prop>
-            <prop name="sort-id">SC-07(11)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <part name="statement" id="sc-7.11_smt">
-               <p>Only allow incoming communications from <insert param-id="sc-7.11_prm_1"/> to be routed to <insert param-id="sc-7.11_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.11_gdn">
-               <p>General source address validation techniques should be applied to restrict the use of illegal and unallocated source addresses and source addresses that should only be used inside the system boundary. Restriction of incoming communications traffic provides determinations that source and destination address pairs represent authorized or allowed communications. Determinations can be based on several factors, including the presence of such address pairs in the lists of authorized or allowed communications; the absence of such address pairs in lists of unauthorized or disallowed pairs; or meeting more general rules for authorized or allowed source and destination pairs. Strong authentication of network addresses is not possible without the use of explicit security protocols and thus, addresses can often be spoofed. Further, identity-based incoming traffic restriction methods can be employed, including router access control lists and firewall rules.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.12">
-            <title>Host-based Protection</title>
-            <param id="sc-7.12_prm_1">
-               <label>organization-defined host-based boundary protection mechanisms</label>
-            </param>
-            <param id="sc-7.12_prm_2">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">SC-7(12)</prop>
-            <prop name="sort-id">SC-07(12)</prop>
-            <part name="statement" id="sc-7.12_smt">
-               <p>Implement <insert param-id="sc-7.12_prm_1"/> at <insert param-id="sc-7.12_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.12_gdn">
-               <p>Host-based boundary protection mechanisms include host-based firewalls. System components employing host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.13">
-            <title>Isolation of Security Tools, Mechanisms, and Support Components</title>
-            <param id="sc-7.13_prm_1">
-               <label>organization-defined information security tools, mechanisms, and support components</label>
-            </param>
-            <prop name="label">SC-7(13)</prop>
-            <prop name="sort-id">SC-07(13)</prop>
-            <link rel="related" href="#sc-2">SC-2</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <part name="statement" id="sc-7.13_smt">
-               <p>Isolate <insert param-id="sc-7.13_prm_1"/> from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.</p>
-            </part>
-            <part name="guidance" id="sc-7.13_gdn">
-               <p>Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques employed by organizations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.14">
-            <title>Protect Against Unauthorized Physical Connections</title>
-            <param id="sc-7.14_prm_1">
-               <label>organization-defined managed interfaces</label>
-            </param>
-            <prop name="label">SC-7(14)</prop>
-            <prop name="sort-id">SC-07(14)</prop>
-            <link rel="related" href="#pe-4">PE-4</link>
-            <link rel="related" href="#pe-19">PE-19</link>
-            <part name="statement" id="sc-7.14_smt">
-               <p>Protect against unauthorized physical connections at <insert param-id="sc-7.14_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.14_gdn">
-               <p>Systems operating at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within the same facilities. In practice, it is possible that these separate systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved, for example, by using clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls enforcing limited authorized access to these items.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.15">
-            <title>Networked Privileged Accesses</title>
-            <prop name="label">SC-7(15)</prop>
-            <prop name="sort-id">SC-07(15)</prop>
-            <link rel="related" href="#ac-2">AC-2</link>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="sc-7.15_smt">
-               <p>Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.</p>
-            </part>
-            <part name="guidance" id="sc-7.15_gdn">
-               <p>Privileged access provides greater accessibility to system functions, including security functions. Adversaries typically attempt to gain privileged access to systems through remote access to cause adverse mission or business impact, for example, by exfiltrating sensitive information or bringing down a critical system capability. Routing networked, privileged access requests through a dedicated, managed interface can facilitate strong access controls (including strong authentication) and a comprehensive auditing capability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.16">
-            <title>Prevent Discovery of Components and Devices</title>
-            <prop name="label">SC-7(16)</prop>
-            <prop name="sort-id">SC-07(16)</prop>
-            <part name="statement" id="sc-7.16_smt">
-               <p>Prevent the discovery of specific system components that represent a managed interface.</p>
-            </part>
-            <part name="guidance" id="sc-7.16_gdn">
-               <p>This control enhancement protects network addresses of system components that are part of managed interfaces from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery, requiring prior knowledge for access. Preventing discovery of components and devices can be accomplished by not publishing network addresses, using network address translation, or not entering the addresses in domain name systems. Another prevention technique is to periodically change network addresses.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.17">
-            <title>Automated Enforcement of Protocol Formats</title>
-            <prop name="label">SC-7(17)</prop>
-            <prop name="sort-id">SC-07(17)</prop>
-            <link rel="related" href="#sc-4">SC-4</link>
-            <part name="statement" id="sc-7.17_smt">
-               <p>Enforce adherence to protocol formats.</p>
-            </part>
-            <part name="guidance" id="sc-7.17_gdn">
-               <p>System components that enforce protocol formats include deep packet inspection firewalls and XML gateways. The components verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices operating at the network or transport layers.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.18">
-            <title>Fail Secure</title>
-            <prop name="label">SC-7(18)</prop>
-            <prop name="sort-id">SC-07(18)</prop>
-            <link rel="related" href="#cp-2">CP-2</link>
-            <link rel="related" href="#cp-12">CP-12</link>
-            <link rel="related" href="#sc-24">SC-24</link>
-            <part name="statement" id="sc-7.18_smt">
-               <p>Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.</p>
-            </part>
-            <part name="guidance" id="sc-7.18_gdn">
-               <p>Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.19">
-            <title>Block Communication from Non-organizationally Configured Hosts</title>
-            <param id="sc-7.19_prm_1">
-               <label>organization-defined communication clients</label>
-            </param>
-            <prop name="label">SC-7(19)</prop>
-            <prop name="sort-id">SC-07(19)</prop>
-            <part name="statement" id="sc-7.19_smt">
-               <p>Block inbound and outbound communications traffic between <insert param-id="sc-7.19_prm_1"/> that are independently configured by end users and external service providers.</p>
-            </part>
-            <part name="guidance" id="sc-7.19_gdn">
-               <p>Communication clients independently configured by end users and external service providers include instant messaging clients. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.20">
-            <title>Dynamic Isolation and Segregation</title>
-            <param id="sc-7.20_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">SC-7(20)</prop>
-            <prop name="sort-id">SC-07(20)</prop>
-            <part name="statement" id="sc-7.20_smt">
-               <p>Provide the capability to dynamically isolate <insert param-id="sc-7.20_prm_1"/> from other system components.</p>
-            </part>
-            <part name="guidance" id="sc-7.20_gdn">
-               <p>The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from those components possessing greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks when such attacks occur.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.21">
-            <title>Isolation of System Components</title>
-            <param id="sc-7.21_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="sc-7.21_prm_2">
-               <label>organization-defined missions and/or business functions</label>
-            </param>
-            <prop name="label">SC-7(21)</prop>
-            <prop name="sort-id">SC-07(21)</prop>
-            <link rel="related" href="#ca-9">CA-9</link>
-            <link rel="related" href="#sc-3">SC-3</link>
-            <part name="statement" id="sc-7.21_smt">
-               <p>Employ boundary protection mechanisms to isolate <insert param-id="sc-7.21_prm_1"/> supporting <insert param-id="sc-7.21_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.21_gdn">
-               <p>Organizations can isolate system components performing different missions or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization techniques; cross-domain devices separating subnetworks; and encrypting information flows among system components using distinct encryption keys.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.22">
-            <title>Separate Subnets for Connecting to Different Security Domains</title>
-            <prop name="label">SC-7(22)</prop>
-            <prop name="sort-id">SC-07(22)</prop>
-            <part name="statement" id="sc-7.22_smt">
-               <p>Implement separate network addresses to connect to systems in different security domains.</p>
-            </part>
-            <part name="guidance" id="sc-7.22_gdn">
-               <p>The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains containing information with different security categories or classification levels.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.23">
-            <title>Disable Sender Feedback on Protocol Validation Failure</title>
-            <prop name="label">SC-7(23)</prop>
-            <prop name="sort-id">SC-07(23)</prop>
-            <part name="statement" id="sc-7.23_smt">
-               <p>Disable feedback to senders on protocol format validation failure.</p>
-            </part>
-            <part name="guidance" id="sc-7.23_gdn">
-               <p>Disabling feedback to senders when there is a failure in protocol validation format prevents adversaries from obtaining information that would otherwise be unavailable.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.24">
-            <title>Personally Identifiable Information</title>
-            <param id="sc-7.24_prm_1">
-               <label>organization-defined processing rules</label>
-            </param>
-            <prop name="label">SC-7(24)</prop>
-            <prop name="sort-id">SC-07(24)</prop>
-            <link rel="related" href="#pt-2">PT-2</link>
-            <link rel="related" href="#si-15">SI-15</link>
-            <part name="statement" id="sc-7.24_smt">
-               <p>For systems that process personally identifiable information:</p>
-               <part name="item" id="sc-7.24_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Apply the following processing rules to data elements of personally identifiable information: <insert param-id="sc-7.24_prm_1"/>;</p>
-               </part>
-               <part name="item" id="sc-7.24_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;</p>
-               </part>
-               <part name="item" id="sc-7.24_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Document each processing exception; and</p>
-               </part>
-               <part name="item" id="sc-7.24_smt.d">
-                  <prop name="label">(d)</prop>
-                  <p>Review and remove exceptions that are no longer supported.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sc-7.24_gdn">
-               <p>Managing the processing of personally identifiable information is an important aspect of protecting an individual’s privacy. Applying, monitoring for and documenting exceptions to processing rules ensures that personally identifiable information is processed only in accordance with established privacy requirements.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.25">
-            <title>Unclassified National Security System Connections</title>
-            <param id="sc-7.25_prm_1">
-               <label>organization-defined unclassified, national security system</label>
-            </param>
-            <param id="sc-7.25_prm_2">
-               <label>organization-defined boundary protection device</label>
-            </param>
-            <prop name="label">SC-7(25)</prop>
-            <prop name="sort-id">SC-07(25)</prop>
-            <part name="statement" id="sc-7.25_smt">
-               <p>Prohibit the direct connection of <insert param-id="sc-7.25_prm_1"/> to an external network without the use of <insert param-id="sc-7.25_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.25_gdn">
-               <p>A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices, including firewalls, gateways, and routers mediate communications and information flows between unclassified national security systems and external networks.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.26">
-            <title>Classified National Security System Connections</title>
-            <param id="sc-7.26_prm_1">
-               <label>organization-defined boundary protection device</label>
-            </param>
-            <prop name="label">SC-7(26)</prop>
-            <prop name="sort-id">SC-07(26)</prop>
-            <part name="statement" id="sc-7.26_smt">
-               <p>Prohibit the direct connection of a classified, national security system to an external network without the use of <insert param-id="sc-7.26_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.26_gdn">
-               <p>A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices, including firewalls, gateways, and routers mediate communications and information flows between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface or cross-domain systems) provide information flow enforcement from systems to external networks.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.27">
-            <title>Unclassified Non-national Security System Connections</title>
-            <param id="sc-7.27_prm_1">
-               <label>organization-defined unclassified, non-national security system</label>
-            </param>
-            <param id="sc-7.27_prm_2">
-               <label>organization-defined boundary protection device</label>
-            </param>
-            <prop name="label">SC-7(27)</prop>
-            <prop name="sort-id">SC-07(27)</prop>
-            <part name="statement" id="sc-7.27_smt">
-               <p>Prohibit the direct connection of <insert param-id="sc-7.27_prm_1"/> to an external network without the use of <insert param-id="sc-7.27_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.27_gdn">
-               <p>A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices, including firewalls, gateways, and routers mediate communications and information flows between unclassified non-national security systems and external networks.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.28">
-            <title>Connections to Public Networks</title>
-            <param id="sc-7.28_prm_1">
-               <label>organization-defined system</label>
-            </param>
-            <prop name="label">SC-7(28)</prop>
-            <prop name="sort-id">SC-07(28)</prop>
-            <part name="statement" id="sc-7.28_smt">
-               <p>Prohibit the direct connection of <insert param-id="sc-7.28_prm_1"/> to a public network.</p>
-            </part>
-            <part name="guidance" id="sc-7.28_gdn">
-               <p>A direct connection is a dedicated physical or virtual connection between two or more systems. A public network is a network accessible to the public, including the Internet and organizational extranets with public access.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-7.29">
-            <title>Separate Subnets to Isolate Functions</title>
-            <param id="sc-7.29_prm_1">
-               <select>
-                  <choice>physically</choice>
-                  <choice>logically</choice>
-               </select>
-            </param>
-            <param id="sc-7.29_prm_2">
-               <label>organization-defined critical system components and functions</label>
-            </param>
-            <prop name="label">SC-7(29)</prop>
-            <prop name="sort-id">SC-07(29)</prop>
-            <part name="statement" id="sc-7.29_smt">
-               <p>Implement <insert param-id="sc-7.29_prm_1"/> separate subnetworks to isolate the following critical system components and functions: <insert param-id="sc-7.29_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-7.29_gdn">
-               <p>Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce the susceptibility to a catastrophic or debilitating breach or compromise resulting in system failure. For example, physically separating the command and control function from the entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-8">
-         <title>Transmission Confidentiality and Integrity</title>
-         <param id="sc-8_prm_1">
-            <select how-many="one or more">
-               <choice>confidentiality</choice>
-               <choice>integrity</choice>
-            </select>
-         </param>
-         <prop name="label">SC-8</prop>
-         <prop name="sort-id">SC-08</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#bbc7085f-b383-444e-af74-722a55cccc0f">[FIPS 197]</link>
-         <link rel="reference" href="#286604ec-e383-4c1d-bd8c-d88f88e54a0f">[SP 800-52]</link>
-         <link rel="reference" href="#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa">[SP 800-77]</link>
-         <link rel="reference" href="#93d44344-59f9-4669-845d-6cc2a5852621">[SP 800-81-2]</link>
-         <link rel="reference" href="#36132a58-56fd-4980-9f6c-c010d3faf52b">[SP 800-113]</link>
-         <link rel="reference" href="#64e044e4-b2a9-490f-a079-1106407c812f">[SP 800-177]</link>
-         <link rel="reference" href="#7e7538d7-9c3a-4e5f-bbb4-638cec975415">[IR 8023]</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <link rel="related" href="#ia-9">IA-9</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#pe-4">PE-4</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-16">SC-16</link>
-         <link rel="related" href="#sc-20">SC-20</link>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <part name="statement" id="sc-8_smt">
-            <p>Protect the <insert param-id="sc-8_prm_1"/> of transmitted information.</p>
-         </part>
-         <part name="guidance" id="sc-8_gdn">
-            <p>Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical means or by logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a term for wireline or fiber-optics telecommunication system that includes terminals and adequate acoustical, electrical, electromagnetic, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.
-Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services, may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunication service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-8.1">
-            <title>Cryptographic Protection</title>
-            <param id="sc-8.1_prm_1">
-               <select how-many="one or more">
-                  <choice>prevent unauthorized disclosure of information</choice>
-                  <choice>detect changes to information</choice>
-               </select>
-            </param>
-            <prop name="label">SC-8(1)</prop>
-            <prop name="sort-id">SC-08(01)</prop>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-8.1_smt">
-               <p>Implement cryptographic mechanisms to <insert param-id="sc-8.1_prm_1"/> during transmission.</p>
-            </part>
-            <part name="guidance" id="sc-8.1_gdn">
-               <p>Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have application in digital signatures, checksums, and message authentication codes. SC-13 is used to specify the specific protocols, algorithms, and algorithm parameters to be implemented on each transmission path.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-8.2">
-            <title>Pre- and Post-transmission Handling</title>
-            <param id="sc-8.2_prm_1">
-               <select how-many="one or more">
-                  <choice>confidentiality</choice>
-                  <choice>integrity</choice>
-               </select>
-            </param>
-            <prop name="label">SC-8(2)</prop>
-            <prop name="sort-id">SC-08(02)</prop>
-            <part name="statement" id="sc-8.2_smt">
-               <p>Maintain the <insert param-id="sc-8.2_prm_1"/> of information during preparation for transmission and during reception.</p>
-            </part>
-            <part name="guidance" id="sc-8.2_gdn">
-               <p>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission or during reception, including during aggregation, at protocol transformation points, and during packing and unpacking. Such unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-8.3">
-            <title>Cryptographic Protection for Message Externals</title>
-            <param id="sc-8.3_prm_1">
-               <label>organization-defined alternative physical controls</label>
-            </param>
-            <prop name="label">SC-8(3)</prop>
-            <prop name="sort-id">SC-08(03)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-8.3_smt">
-               <p>Implement cryptographic mechanisms to protect message externals unless otherwise protected by <insert param-id="sc-8.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-8.3_gdn">
-               <p>Cryptographic protection for message externals addresses protection from unauthorized disclosure of information. Message externals include message headers and routing information. Cryptographic protection prevents the exploitation of message externals and applies to internal and external networks or links that may be visible to individuals who are not authorized users. Header and routing information is sometimes transmitted in clear text (i.e., unencrypted) because the information is not identified by organizations as having significant value or because encrypting the information can result in lower network performance or higher costs. Alternative physical controls include protected distribution systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-8.4">
-            <title>Conceal or Randomize Communications</title>
-            <param id="sc-8.4_prm_1">
-               <label>organization-defined alternative physical controls</label>
-            </param>
-            <prop name="label">SC-8(4)</prop>
-            <prop name="sort-id">SC-08(04)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-8.4_smt">
-               <p>Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by <insert param-id="sc-8.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-8.4_gdn">
-               <p>Concealing or randomizing communication patterns addresses protection from unauthorized disclosure of information. Communication patterns include frequency, periods, predictability, and amount. Changes to communications patterns can reveal information having intelligence value especially when combined with other available information related to the missions and business functions of the organization. This control enhancement prevents the derivation of intelligence based on communications patterns and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Encrypting the links and transmitting in continuous, fixed or random patterns prevents the derivation of intelligence from the system communications patterns. Alternative physical controls include protected distribution systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-8.5">
-            <title>Protected Distribution System</title>
-            <param id="sc-8.5_prm_1">
-               <label>organization-defined protected distribution system</label>
-            </param>
-            <param id="sc-8.5_prm_2">
-               <select how-many="one or more">
-                  <choice>prevent unauthorized disclosure of information</choice>
-                  <choice>detect changes to information</choice>
-               </select>
-            </param>
-            <prop name="label">SC-8(5)</prop>
-            <prop name="sort-id">SC-08(05)</prop>
-            <part name="statement" id="sc-8.5_smt">
-               <p>Implement <insert param-id="sc-8.5_prm_1"/> to <insert param-id="sc-8.5_prm_2"/> during transmission.</p>
-            </part>
-            <part name="guidance" id="sc-8.5_gdn">
-               <p>The purpose of a protected distribution system is to deter, detect and/or make difficult physical access to the communication lines carrying national security information.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-9">
-         <title>Transmission Confidentiality</title>
-         <prop name="label">SC-9</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SC-09</prop>
-         <link rel="incorporated-into" href="#sc-8">SC-8</link>
-      </control>
-      <control class="SP800-53" id="sc-10">
-         <title>Network Disconnect</title>
-         <param id="sc-10_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">SC-10</prop>
-         <prop name="sort-id">SC-10</prop>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <part name="statement" id="sc-10_smt">
-            <p>Terminate the network connection associated with a communications session at the end of the session or after <insert param-id="sc-10_prm_1"/> of inactivity.</p>
-         </part>
-         <part name="guidance" id="sc-10_gdn">
-            <p>Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time-periods by type of network access or for specific network accesses.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-11">
-         <title>Trusted Path</title>
-         <param id="sc-11_prm_1">
-            <select>
-               <choice>physically</choice>
-               <choice>logically</choice>
-            </select>
-         </param>
-         <param id="sc-11_prm_2">
-            <label>organization-defined security functions</label>
-         </param>
-         <prop name="label">SC-11</prop>
-         <prop name="sort-id">SC-11</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#ac-25">AC-25</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <part name="statement" id="sc-11_smt">
-            <part name="item" id="sc-11_smt.a">
-               <prop name="label">a.</prop>
-               <p>Provide a <insert param-id="sc-11_prm_1"/> isolated trusted communications path for communications between the user and the trusted components of the system; and</p>
-            </part>
-            <part name="item" id="sc-11_smt.b">
-               <prop name="label">b.</prop>
-               <p>Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: <insert param-id="sc-11_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-11_gdn">
-            <p>Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of systems with the requisite assurance to support security policies. These mechanisms can be activated only by users or the security functions of organizational systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for trustworthy, high-assurance connections between security functions of systems and users, including during system logons. The original implementations of trusted path employed an out-of-band signal to initiate the path, for example using the &lt;BREAK&gt; key, which does not transmit characters that can be spoofed. In later implementations, a key combination that could not be hijacked was used, for example, the &lt;CTRL&gt; + &lt;ALT&gt; + &lt;DEL&gt; keys. Note, however, that any such key combinations are platform-specific and may not provide a trusted path implementation in every case. Enforcement of trusted communications paths is typically provided by a specific implementation that meets the reference monitor concept.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-11.1">
-            <title>Irrefutable Communications Path</title>
-            <param id="sc-11.1_prm_1">
-               <label>organization-defined security functions</label>
-            </param>
-            <prop name="label">SC-11(1)</prop>
-            <prop name="sort-id">SC-11(01)</prop>
-            <part name="statement" id="sc-11.1_smt">
-               <part name="item" id="sc-11.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and</p>
-               </part>
-               <part name="item" id="sc-11.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Initiate the trusted communications path for communications between the <insert param-id="sc-11.1_prm_1"/> of the system and the user.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sc-11.1_gdn">
-               <p>An irrefutable communications path permits the system to initiate a trusted path which necessitates that the user can unmistakably recognize the source of the communication as a trusted system component. For example, the trusted path may appear in an area of the display that other applications cannot access or be based on the presence of an identifier that cannot be spoofed.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-12">
-         <title>Cryptographic Key Establishment and Management</title>
-         <param id="sc-12_prm_1">
-            <label>organization-defined requirements for key generation, distribution, storage, access, and destruction</label>
-         </param>
-         <prop name="label">SC-12</prop>
-         <prop name="sort-id">SC-12</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#77dc1838-3664-4faa-bc6e-4e2a16e52f35">[SP 800-56A]</link>
-         <link rel="reference" href="#f417e4ec-cadb-47a8-a363-6006b32c28ad">[SP 800-56B]</link>
-         <link rel="reference" href="#7c3ba335-62bd-4f03-888f-960790409b11">[SP 800-56C]</link>
-         <link rel="reference" href="#770f9bdc-4023-48ef-8206-c65397f061ea">[SP 800-57-1]</link>
-         <link rel="reference" href="#69644a9e-438a-47c3-bac9-cf28b5baf848">[SP 800-57-2]</link>
-         <link rel="reference" href="#9933c883-e8f3-4a83-9a9a-d1e058038080">[SP 800-57-3]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="reference" href="#f437b52f-7f26-42aa-8e8f-999e7d67b2fe">[IR 7956]</link>
-         <link rel="reference" href="#30213e10-2aca-47b3-8cdb-61303e0959f5">[IR 7966]</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-7">IA-7</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <link rel="related" href="#sc-11">SC-11</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-17">SC-17</link>
-         <link rel="related" href="#sc-20">SC-20</link>
-         <link rel="related" href="#sc-37">SC-37</link>
-         <link rel="related" href="#sc-40">SC-40</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="sc-12_smt">
-            <p>Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: <insert param-id="sc-12_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sc-12_gdn">
-            <p>Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, specifying appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP] and [NIST CAVP] provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-12.1">
-            <title>Availability</title>
-            <prop name="label">SC-12(1)</prop>
-            <prop name="sort-id">SC-12(01)</prop>
-            <part name="statement" id="sc-12.1_smt">
-               <p>Maintain availability of information in the event of the loss of cryptographic keys by users.</p>
-            </part>
-            <part name="guidance" id="sc-12.1_gdn">
-               <p>Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys. A forgotten passphrase is an example of losing a cryptographic key.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.2">
-            <title>Symmetric Keys</title>
-            <param id="sc-12.2_prm_1">
-               <select>
-                  <choice>NIST FIPS-validated</choice>
-                  <choice>NSA-approved</choice>
-               </select>
-            </param>
-            <prop name="label">SC-12(2)</prop>
-            <prop name="sort-id">SC-12(02)</prop>
-            <part name="statement" id="sc-12.2_smt">
-               <p>Produce, control, and distribute symmetric cryptographic keys using <insert param-id="sc-12.2_prm_1"/> key management technology and processes.</p>
-            </part>
-            <part name="guidance" id="sc-12.2_gdn">
-               <p>[SP 800-56A], [SP 800-56B], and [SP 800-56C] provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1], [SP 800-57-2], and [SP 800-57-3] provide guidance on cryptographic key management.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.3">
-            <title>Asymmetric Keys</title>
-            <param id="sc-12.3_prm_1">
-               <select>
-                  <choice>NSA-approved key management technology and processes</choice>
-                  <choice>prepositioned keying material</choice>
-                  <choice>DoD-approved or DoD-issued Medium Assurance PKI certificates</choice>
-                  <choice>DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key</choice>
-                  <choice>certificates issued in accordance with organization-defined requirements</choice>
-               </select>
-            </param>
-            <prop name="label">SC-12(3)</prop>
-            <prop name="sort-id">SC-12(03)</prop>
-            <part name="statement" id="sc-12.3_smt">
-               <p>Produce, control, and distribute asymmetric cryptographic keys using <insert param-id="sc-12.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-12.3_gdn">
-               <p>[SP 800-56A], [SP 800-56B], and [SP 800-56C] provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1], [SP 800-57-2], and [SP 800-57-3] provide guidance on cryptographic key management.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.4">
-            <title>PKI Certificates</title>
-            <prop name="label">SC-12(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-12(04)</prop>
-            <link rel="incorporated-into" href="#sc-12.3">SC-12(3)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.5">
-            <title>PKI Certificates / Hardware Tokens</title>
-            <prop name="label">SC-12(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-12(05)</prop>
-            <link rel="incorporated-into" href="#sc-12.3">SC-12(3)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-12.6">
-            <title>Physical Control of Keys</title>
-            <prop name="label">SC-12(6)</prop>
-            <prop name="sort-id">SC-12(06)</prop>
-            <part name="statement" id="sc-12.6_smt">
-               <p>Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.</p>
-            </part>
-            <part name="guidance" id="sc-12.6_gdn">
-               <p>For organizations using external service providers, for example, cloud service providers or data center providers, physical control of cryptographic keys provides additional assurance that information stored by such external providers is not subject to unauthorized disclosure or modification.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-13">
-         <title>Cryptographic Protection</title>
-         <param id="sc-13_prm_1">
-            <label>organization-defined cryptographic uses</label>
-         </param>
-         <param id="sc-13_prm_2">
-            <label>organization-defined types of cryptography for each specified cryptographic use</label>
-         </param>
-         <prop name="label">SC-13</prop>
-         <prop name="sort-id">SC-13</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-7">AC-7</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#ia-3">IA-3</link>
-         <link rel="related" href="#ia-7">IA-7</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <link rel="related" href="#sc-20">SC-20</link>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-40">SC-40</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="sc-13_smt">
-            <part name="item" id="sc-13_smt.a">
-               <prop name="label">a.</prop>
-               <p>Determine the <insert param-id="sc-13_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="sc-13_smt.b">
-               <prop name="label">b.</prop>
-               <p>Implement the following types of cryptography required for each specified cryptographic use: <insert param-id="sc-13_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-13_gdn">
-            <p>Cryptography can be employed to support a variety of security solutions including, the protection of classified information and controlled unclassified information; the provision and implementation of digital signatures; and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-13.1">
-            <title>Fips-validated Cryptography</title>
-            <prop name="label">SC-13(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-13(01)</prop>
-            <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-13.2">
-            <title>Nsa-approved Cryptography</title>
-            <prop name="label">SC-13(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-13(02)</prop>
-            <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-13.3">
-            <title>Individuals Without Formal Access Approvals</title>
-            <prop name="label">SC-13(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-13(03)</prop>
-            <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-13.4">
-            <title>Digital Signatures</title>
-            <prop name="label">SC-13(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-13(04)</prop>
-            <link rel="incorporated-into" href="#sc-13">SC-13</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-14">
-         <title>Public Access Protections</title>
-         <prop name="label">SC-14</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SC-14</prop>
-         <link rel="incorporated-into" href="#ac-2">AC-2</link>
-         <link rel="incorporated-into" href="#ac-3">AC-3</link>
-         <link rel="incorporated-into" href="#ac-5">AC-5</link>
-         <link rel="incorporated-into" href="#ac-6">AC-6</link>
-         <link rel="incorporated-into" href="#si-3">SI-3</link>
-         <link rel="incorporated-into" href="#si-4">SI-4</link>
-         <link rel="incorporated-into" href="#si-5">SI-5</link>
-         <link rel="incorporated-into" href="#si-7">SI-7</link>
-         <link rel="incorporated-into" href="#si-10">SI-10</link>
-      </control>
-      <control class="SP800-53" id="sc-15">
-         <title>Collaborative Computing Devices and Applications</title>
-         <param id="sc-15_prm_1">
-            <label>organization-defined exceptions where remote activation is to be allowed</label>
-         </param>
-         <prop name="label">SC-15</prop>
-         <prop name="sort-id">SC-15</prop>
-         <link rel="related" href="#ac-21">AC-21</link>
-         <link rel="related" href="#sc-42">SC-42</link>
-         <part name="statement" id="sc-15_smt">
-            <part name="item" id="sc-15_smt.a">
-               <prop name="label">a.</prop>
-               <p>Prohibit remote activation of collaborative computing devices and applications with the following exceptions: <insert param-id="sc-15_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="sc-15_smt.b">
-               <prop name="label">b.</prop>
-               <p>Provide an explicit indication of use to users physically present at the devices.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-15_gdn">
-            <p>Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. Explicit indication of use includes signals to users when collaborative computing devices and applications are activated.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-15.1">
-            <title>Physical or Logical Disconnect</title>
-            <param id="sc-15.1_prm_1">
-               <select how-many="one or more">
-                  <choice>physical</choice>
-                  <choice>logical</choice>
-               </select>
-            </param>
-            <prop name="label">SC-15(1)</prop>
-            <prop name="sort-id">SC-15(01)</prop>
-            <part name="statement" id="sc-15.1_smt">
-               <p>Provide <insert param-id="sc-15.1_prm_1"/> disconnect of collaborative computing devices in a manner that supports ease of use.</p>
-            </part>
-            <part name="guidance" id="sc-15.1_gdn">
-               <p>Failing to disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to disconnect from such devices after a collaborative computing session ensures that participants carry out the disconnect activity without having to go through complex and tedious procedures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-15.2">
-            <title>Blocking Inbound and Outbound Communications Traffic</title>
-            <prop name="label">SC-15(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-15(02)</prop>
-            <link rel="incorporated-into" href="#sc-7">SC-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-15.3">
-            <title>Disabling and Removal in Secure Work Areas</title>
-            <param id="sc-15.3_prm_1">
-               <label>organization-defined systems or system components</label>
-            </param>
-            <param id="sc-15.3_prm_2">
-               <label>organization-defined secure work areas</label>
-            </param>
-            <prop name="label">SC-15(3)</prop>
-            <prop name="sort-id">SC-15(03)</prop>
-            <part name="statement" id="sc-15.3_smt">
-               <p>Disable or remove collaborative computing devices and applications from <insert param-id="sc-15.3_prm_1"/> in <insert param-id="sc-15.3_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-15.3_gdn">
-               <p>Failing to disable or remove collaborative computing devices and applications from systems or system components can result in compromises of information, including eavesdropping on conversations. A secure work area includes a sensitive compartmented information facility (SCIF).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-15.4">
-            <title>Explicitly Indicate Current Participants</title>
-            <param id="sc-15.4_prm_1">
-               <label>organization-defined online meetings and teleconferences</label>
-            </param>
-            <prop name="label">SC-15(4)</prop>
-            <prop name="sort-id">SC-15(04)</prop>
-            <part name="statement" id="sc-15.4_smt">
-               <p>Provide an explicit indication of current participants in <insert param-id="sc-15.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-15.4_gdn">
-               <p>Explicitly indicating current participants prevents unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-16">
-         <title>Transmission of Security and Privacy Attributes</title>
-         <param id="sc-16_prm_1">
-            <label>organization-defined security and privacy attributes</label>
-         </param>
-         <prop name="label">SC-16</prop>
-         <prop name="sort-id">SC-16</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <part name="statement" id="sc-16_smt">
-            <p>Associate <insert param-id="sc-16_prm_1"/> with information exchanged between systems and between system components.</p>
-         </part>
-         <part name="guidance" id="sc-16_gdn">
-            <p>Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are an abstraction representing the basic properties or characteristics of an entity with respect to protecting information or the management of personally identifiable information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system. Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permitted uses of personally identifiable information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently, or in conjunction with security attributes.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-16.1">
-            <title>Integrity Verification</title>
-            <prop name="label">SC-16(1)</prop>
-            <prop name="sort-id">SC-16(01)</prop>
-            <link rel="related" href="#au-10">AU-10</link>
-            <link rel="related" href="#sc-8">SC-8</link>
-            <part name="statement" id="sc-16.1_smt">
-               <p>Verify the integrity of transmitted security and privacy attributes.</p>
-            </part>
-            <part name="guidance" id="sc-16.1_gdn">
-               <p>A part of verifying the integrity of transmitted information is ensuring that security and privacy attributes that are associated with such information, have not been modified in an unauthorized manner. Unauthorized modification of security or privacy attributes can result in a loss of integrity for transmitted information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-16.2">
-            <title>Anti-spoofing Mechanisms</title>
-            <prop name="label">SC-16(2)</prop>
-            <prop name="sort-id">SC-16(02)</prop>
-            <link rel="related" href="#si-3">SI-3</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="sc-16.2_smt">
-               <p>Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.</p>
-            </part>
-            <part name="guidance" id="sc-16.2_gdn">
-               <p>Some attack vectors operate by altering the security attributes of an information system to intentionally and maliciously implement an insufficient level of security within the system. The alteration of attributes leads organizations to believe that a greater number of security functions are in place and operational than have actually been implemented.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-17">
-         <title>Public Key Infrastructure Certificates</title>
-         <param id="sc-17_prm_1">
-            <label>organization-defined certificate policy</label>
-         </param>
-         <prop name="label">SC-17</prop>
-         <prop name="sort-id">SC-17</prop>
-         <link rel="reference" href="#b7140427-d4c4-467a-97a1-5ca9f7c6584a">[SP 800-32]</link>
-         <link rel="reference" href="#770f9bdc-4023-48ef-8206-c65397f061ea">[SP 800-57-1]</link>
-         <link rel="reference" href="#69644a9e-438a-47c3-bac9-cf28b5baf848">[SP 800-57-2]</link>
-         <link rel="reference" href="#9933c883-e8f3-4a83-9a9a-d1e058038080">[SP 800-57-3]</link>
-         <link rel="reference" href="#549993c0-9bdd-4d49-875c-f56950cc5f30">[SP 800-63-3]</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <part name="statement" id="sc-17_smt">
-            <part name="item" id="sc-17_smt.a">
-               <prop name="label">a.</prop>
-               <p>Issue public key certificates under an <insert param-id="sc-17_prm_1"/> or obtain public key certificates from an approved service provider; and</p>
-            </part>
-            <part name="item" id="sc-17_smt.b">
-               <prop name="label">b.</prop>
-               <p>Include only approved trust anchors in trust stores or certificate stores managed by the organization.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-17_gdn">
-            <p>This control addresses certificates with visibility external to organizational systems and certificates related to internal operations of systems, for example, application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-18">
-         <title>Mobile Code</title>
-         <prop name="label">SC-18</prop>
-         <prop name="sort-id">SC-18</prop>
-         <link rel="reference" href="#8e334d74-fc06-47a9-bbb1-804fdfae0e44">[SP 800-28]</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#cm-2">CM-2</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <part name="statement" id="sc-18_smt">
-            <part name="item" id="sc-18_smt.a">
-               <prop name="label">a.</prop>
-               <p>Define acceptable and unacceptable mobile code and mobile code technologies; and</p>
-            </part>
-            <part name="item" id="sc-18_smt.b">
-               <prop name="label">b.</prop>
-               <p>Authorize, monitor, and control the use of mobile code within the system.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-18_gdn">
-            <p>Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java, JavaScript, Flash animations, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-18.1">
-            <title>Identify Unacceptable Code and Take Corrective Actions</title>
-            <param id="sc-18.1_prm_1">
-               <label>organization-defined unacceptable mobile code</label>
-            </param>
-            <param id="sc-18.1_prm_2">
-               <label>organization-defined corrective actions</label>
-            </param>
-            <prop name="label">SC-18(1)</prop>
-            <prop name="sort-id">SC-18(01)</prop>
-            <part name="statement" id="sc-18.1_smt">
-               <p>Identify <insert param-id="sc-18.1_prm_1"/> and take <insert param-id="sc-18.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-18.1_gdn">
-               <p>Corrective actions when unacceptable mobile code is detected include blocking, quarantine, or alerting administrators. Blocking includes preventing transmission of word processing files with embedded macros when such macros have been determined to be unacceptable mobile code.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-18.2">
-            <title>Acquisition, Development, and Use</title>
-            <param id="sc-18.2_prm_1">
-               <label>organization-defined mobile code requirements</label>
-            </param>
-            <prop name="label">SC-18(2)</prop>
-            <prop name="sort-id">SC-18(02)</prop>
-            <part name="statement" id="sc-18.2_smt">
-               <p>Verify that the acquisition, development, and use of mobile code to be deployed in the system meets <insert param-id="sc-18.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-18.2_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-18.3">
-            <title>Prevent Downloading and Execution</title>
-            <param id="sc-18.3_prm_1">
-               <label>organization-defined unacceptable mobile code</label>
-            </param>
-            <prop name="label">SC-18(3)</prop>
-            <prop name="sort-id">SC-18(03)</prop>
-            <part name="statement" id="sc-18.3_smt">
-               <p>Prevent the download and execution of <insert param-id="sc-18.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-18.3_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-18.4">
-            <title>Prevent Automatic Execution</title>
-            <param id="sc-18.4_prm_1">
-               <label>organization-defined software applications</label>
-            </param>
-            <param id="sc-18.4_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">SC-18(4)</prop>
-            <prop name="sort-id">SC-18(04)</prop>
-            <part name="statement" id="sc-18.4_smt">
-               <p>Prevent the automatic execution of mobile code in <insert param-id="sc-18.4_prm_1"/> and enforce <insert param-id="sc-18.4_prm_2"/> prior to executing the code.</p>
-            </part>
-            <part name="guidance" id="sc-18.4_gdn">
-               <p>Actions enforced before executing mobile code include prompting users prior to opening email attachments or clicking on web links. Preventing automatic execution of mobile code includes disabling auto execute features on system components employing portable storage devices such as Compact Disks (CDs), Digital Versatile Disks (DVDs), and Universal Serial Bus (USB) devices.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-18.5">
-            <title>Allow Execution Only in Confined Environments</title>
-            <prop name="label">SC-18(5)</prop>
-            <prop name="sort-id">SC-18(05)</prop>
-            <link rel="related" href="#sc-44">SC-44</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="sc-18.5_smt">
-               <p>Allow execution of permitted mobile code only in confined virtual machine environments.</p>
-            </part>
-            <part name="guidance" id="sc-18.5_gdn">
-               <p>Permitting execution of mobile code only in confined virtual machine environments helps prevent the introduction of malicious code into other systems and system components.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-19">
-         <title>Voice Over Internet Protocol</title>
-         <prop name="label">SC-19</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SC-19</prop>
-         <part name="statement" id="sc-19_smt">
-            <p>
-               <em>Technology-specific; addressed by other controls for protocols.</em>
-            </p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-20">
-         <title>Secure Name/address Resolution Service (authoritative Source)</title>
-         <prop name="label">SC-20</prop>
-         <prop name="sort-id">SC-20</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="reference" href="#93d44344-59f9-4669-845d-6cc2a5852621">[SP 800-81-2]</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-21">SC-21</link>
-         <link rel="related" href="#sc-22">SC-22</link>
-         <part name="statement" id="sc-20_smt">
-            <part name="item" id="sc-20_smt.a">
-               <prop name="label">a.</prop>
-               <p>Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and</p>
-            </part>
-            <part name="item" id="sc-20_smt.b">
-               <prop name="label">b.</prop>
-               <p>Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-20_gdn">
-            <p>This control enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security (DNSSEC) digital signatures and cryptographic keys. Authoritative data include DNS resource records. The means to indicate the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-20.1">
-            <title>Child Subspaces</title>
-            <prop name="label">SC-20(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-20(01)</prop>
-            <link rel="incorporated-into" href="#sc-20">SC-20</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-20.2">
-            <title>Data Origin and Integrity</title>
-            <prop name="label">SC-20(2)</prop>
-            <prop name="sort-id">SC-20(02)</prop>
-            <part name="statement" id="sc-20.2_smt">
-               <p>Provide data origin and integrity protection artifacts for internal name/address resolution queries.</p>
-            </part>
-            <part name="guidance" id="sc-20.2_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-21">
-         <title>Secure Name/address Resolution Service (recursive or Caching Resolver)</title>
-         <prop name="label">SC-21</prop>
-         <prop name="sort-id">SC-21</prop>
-         <link rel="reference" href="#93d44344-59f9-4669-845d-6cc2a5852621">[SP 800-81-2]</link>
-         <link rel="related" href="#sc-20">SC-20</link>
-         <link rel="related" href="#sc-22">SC-22</link>
-         <part name="statement" id="sc-21_smt">
-            <p>Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.</p>
-         </part>
-         <part name="guidance" id="sc-21_gdn">
-            <p>Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host/service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-21.1">
-            <title>Data Origin and Integrity</title>
-            <prop name="label">SC-21(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-21(01)</prop>
-            <link rel="incorporated-into" href="#sc-21">SC-21</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-22">
-         <title>Architecture and Provisioning for Name/address Resolution Service</title>
-         <prop name="label">SC-22</prop>
-         <prop name="sort-id">SC-22</prop>
-         <link rel="reference" href="#93d44344-59f9-4669-845d-6cc2a5852621">[SP 800-81-2]</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-20">SC-20</link>
-         <link rel="related" href="#sc-21">SC-21</link>
-         <link rel="related" href="#sc-24">SC-24</link>
-         <part name="statement" id="sc-22_smt">
-            <p>Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.</p>
-         </part>
-         <part name="guidance" id="sc-22_gdn">
-            <p>Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers; one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles, for example, by address ranges and explicit lists.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-23">
-         <title>Session Authenticity</title>
-         <prop name="label">SC-23</prop>
-         <prop name="sort-id">SC-23</prop>
-         <link rel="reference" href="#286604ec-e383-4c1d-bd8c-d88f88e54a0f">[SP 800-52]</link>
-         <link rel="reference" href="#8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa">[SP 800-77]</link>
-         <link rel="reference" href="#1d91d984-0cb6-4f96-a01d-c39a3eee7d43">[SP 800-95]</link>
-         <link rel="reference" href="#36132a58-56fd-4980-9f6c-c010d3faf52b">[SP 800-113]</link>
-         <link rel="related" href="#au-10">AU-10</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <link rel="related" href="#sc-10">SC-10</link>
-         <link rel="related" href="#sc-11">SC-11</link>
-         <part name="statement" id="sc-23_smt">
-            <p>Protect the authenticity of communications sessions.</p>
-         </part>
-         <part name="guidance" id="sc-23_gdn">
-            <p>Protecting session authenticity addresses communications protection at the session, level; not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of information transmitted. Authenticity protection includes protecting against man-in-the-middle attacks and session hijacking, and the insertion of false information into sessions.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-23.1">
-            <title>Invalidate Session Identifiers at Logout</title>
-            <prop name="label">SC-23(1)</prop>
-            <prop name="sort-id">SC-23(01)</prop>
-            <part name="statement" id="sc-23.1_smt">
-               <p>Invalidate session identifiers upon user logout or other session termination.</p>
-            </part>
-            <part name="guidance" id="sc-23.1_gdn">
-               <p>Invalidating session identifiers at logout curtails the ability of adversaries from capturing and continuing to employ previously valid session IDs.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-23.2">
-            <title>User-initiated Logouts and Message Displays</title>
-            <prop name="label">SC-23(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-23(02)</prop>
-            <link rel="incorporated-into" href="#ac-12.1">AC-12(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-23.3">
-            <title>Unique System-generated Session Identifiers</title>
-            <param id="sc-23.3_prm_1">
-               <label>organization-defined randomness requirements</label>
-            </param>
-            <prop name="label">SC-23(3)</prop>
-            <prop name="sort-id">SC-23(03)</prop>
-            <link rel="related" href="#ac-10">AC-10</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-23.3_smt">
-               <p>Generate a unique session identifier for each session with <insert param-id="sc-23.3_prm_1"/> and recognize only session identifiers that are system-generated.</p>
-            </part>
-            <part name="guidance" id="sc-23.3_gdn">
-               <p>Generating unique session identifiers curtails the ability of adversaries from reusing previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers protects against brute-force attacks to determine future session identifiers.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-23.4">
-            <title>Unique Session Identifiers with Randomization</title>
-            <prop name="label">SC-23(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-23(04)</prop>
-            <link rel="incorporated-into" href="#sc-23.3">SC-23(3)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-23.5">
-            <title>Allowed Certificate Authorities</title>
-            <param id="sc-23.5_prm_1">
-               <label>organization-defined certificate authorities</label>
-            </param>
-            <prop name="label">SC-23(5)</prop>
-            <prop name="sort-id">SC-23(05)</prop>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-23.5_smt">
-               <p>Only allow the use of <insert param-id="sc-23.5_prm_1"/> for verification of the establishment of protected sessions.</p>
-            </part>
-            <part name="guidance" id="sc-23.5_gdn">
-               <p>Reliance on certificate authorities for the establishment of secure sessions includes the use of Transport Layer Security (TLS) certificates. These certificates, after verification by their respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-24">
-         <title>Fail in Known State</title>
-         <param id="sc-24_prm_1">
-            <label>organization-defined known system state</label>
-         </param>
-         <param id="sc-24_prm_2">
-            <label>organization-defined system state information</label>
-         </param>
-         <param id="sc-24_prm_3">
-            <label>list of organization-defined types of system failures on organization-defined system components</label>
-         </param>
-         <prop name="label">SC-24</prop>
-         <prop name="sort-id">SC-24</prop>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#cp-12">CP-12</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-22">SC-22</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <part name="statement" id="sc-24_smt">
-            <p>Fail to a <insert param-id="sc-24_prm_1"/> for the following failures on the indicated components while preserving <insert param-id="sc-24_prm_2"/> in failure: <insert param-id="sc-24_prm_3"/>.</p>
-         </part>
-         <part name="guidance" id="sc-24_gdn">
-            <p>Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-25">
-         <title>Thin Nodes</title>
-         <param id="sc-25_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <prop name="label">SC-25</prop>
-         <prop name="sort-id">SC-25</prop>
-         <link rel="related" href="#sc-30">SC-30</link>
-         <link rel="related" href="#sc-44">SC-44</link>
-         <part name="statement" id="sc-25_smt">
-            <p>Employ minimal functionality and information storage on the following system components: <insert param-id="sc-25_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sc-25_gdn">
-            <p>The deployment of system components with minimal functionality reduces the need to secure every endpoint, and may reduce the exposure of information, systems, and services to attacks. Reduced or minimal functionality includes diskless nodes and thin client technologies.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-26">
-         <title>Decoys</title>
-         <prop name="label">SC-26</prop>
-         <prop name="sort-id">SC-26</prop>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sc-30">SC-30</link>
-         <link rel="related" href="#sc-35">SC-35</link>
-         <link rel="related" href="#sc-44">SC-44</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="sc-26_smt">
-            <p>Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.</p>
-         </part>
-         <part name="guidance" id="sc-26_gdn">
-            <p>Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and to deflect attacks away from the operational systems supporting organizational missions and business functions. Depending upon the specific usage of the decoy, consultation with the Office of the General Counsel before deployment may be needed.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-26.1">
-            <title>Detection of Malicious Code</title>
-            <prop name="label">SC-26(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-26(01)</prop>
-            <link rel="incorporated-into" href="#sc-35">SC-35</link>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-27">
-         <title>Platform-independent Applications</title>
-         <param id="sc-27_prm_1">
-            <label>organization-defined platform-independent applications</label>
-         </param>
-         <prop name="label">SC-27</prop>
-         <prop name="sort-id">SC-27</prop>
-         <link rel="related" href="#sc-29">SC-29</link>
-         <part name="statement" id="sc-27_smt">
-            <p>Include within organizational systems, the following platform independent applications: <insert param-id="sc-27_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sc-27_gdn">
-            <p>Platforms are combinations of hardware, firmware, and software components used to execute software applications. Platforms include operating systems; the underlying computer architectures; or both. Platform-independent applications are applications with the capability to execute on multiple platforms. Such applications promote portability and reconstitution on different platforms. Application portability and the ability to reconstitute on different platforms increases the availability of mission essential functions within organizations in situations where systems with specific operating systems are under attack.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-28">
-         <title>Protection of Information at Rest</title>
-         <param id="sc-28_prm_1">
-            <select how-many="one or more">
-               <choice>confidentiality</choice>
-               <choice>integrity</choice>
-            </select>
-         </param>
-         <param id="sc-28_prm_2">
-            <label>organization-defined information at rest</label>
-         </param>
-         <prop name="label">SC-28</prop>
-         <prop name="sort-id">SC-28</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#77dc1838-3664-4faa-bc6e-4e2a16e52f35">[SP 800-56A]</link>
-         <link rel="reference" href="#f417e4ec-cadb-47a8-a363-6006b32c28ad">[SP 800-56B]</link>
-         <link rel="reference" href="#7c3ba335-62bd-4f03-888f-960790409b11">[SP 800-56C]</link>
-         <link rel="reference" href="#770f9bdc-4023-48ef-8206-c65397f061ea">[SP 800-57-1]</link>
-         <link rel="reference" href="#69644a9e-438a-47c3-bac9-cf28b5baf848">[SP 800-57-2]</link>
-         <link rel="reference" href="#9933c883-e8f3-4a83-9a9a-d1e058038080">[SP 800-57-3]</link>
-         <link rel="reference" href="#1b14b50f-7154-4226-958c-7dfff8276755">[SP 800-111]</link>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cp-9">CP-9</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-5">MP-5</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#si-16">SI-16</link>
-         <part name="statement" id="sc-28_smt">
-            <p>Protect the <insert param-id="sc-28_prm_1"/> of the following information at rest: <insert param-id="sc-28_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="sc-28_gdn">
-            <p>Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information requiring protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure off-line storage in lieu of online storage.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-28.1">
-            <title>Cryptographic Protection</title>
-            <param id="sc-28.1_prm_1">
-               <label>organization-defined system components or media</label>
-            </param>
-            <param id="sc-28.1_prm_2">
-               <label>organization-defined information</label>
-            </param>
-            <prop name="label">SC-28(1)</prop>
-            <prop name="sort-id">SC-28(01)</prop>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <part name="statement" id="sc-28.1_smt">
-               <p>Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on <insert param-id="sc-28.1_prm_1"/>: <insert param-id="sc-28.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-28.1_gdn">
-               <p>Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. Organizations using cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-28.2">
-            <title>Off-line Storage</title>
-            <param id="sc-28.2_prm_1">
-               <label>organization-defined information</label>
-            </param>
-            <prop name="label">SC-28(2)</prop>
-            <prop name="sort-id">SC-28(02)</prop>
-            <part name="statement" id="sc-28.2_smt">
-               <p>Remove the following information from online storage and store off-line in a secure location: <insert param-id="sc-28.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-28.2_gdn">
-               <p>Removing organizational information from online storage to off-line storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to off-line storage in lieu of protecting such information in online storage.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-28.3">
-            <title>Cryptographic Keys</title>
-            <param id="sc-28.3_prm_1">
-               <select>
-                  <choice>
-                     <insert param-id="sc-28.3_prm_2"/>
-                  </choice>
-                  <choice>hardware-protected key store</choice>
-               </select>
-            </param>
-            <param id="sc-28.3_prm_2" depends-on="sc-28.3_prm_1">
-               <label>organization-defined safeguards</label>
-            </param>
-            <prop name="label">SC-28(3)</prop>
-            <prop name="sort-id">SC-28(03)</prop>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-28.3_smt">
-               <p>Provide protected storage for cryptographic keys <insert param-id="sc-28.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-28.3_gdn">
-               <p>A Trusted Platform Module (TPM) is an example of a hardware-projected data store that can be used to protect cryptographic keys. .</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-29">
-         <title>Heterogeneity</title>
-         <param id="sc-29_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <prop name="label">SC-29</prop>
-         <prop name="sort-id">SC-29</prop>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#sc-27">SC-27</link>
-         <link rel="related" href="#sc-30">SC-30</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <part name="statement" id="sc-29_smt">
-            <p>Employ a diverse set of information technologies for the following system components in the implementation of the system: <insert param-id="sc-29_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sc-29_gdn">
-            <p>Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-29.1">
-            <title>Virtualization Techniques</title>
-            <param id="sc-29.1_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SC-29(1)</prop>
-            <prop name="sort-id">SC-29(01)</prop>
-            <part name="statement" id="sc-29.1_smt">
-               <p>Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed <insert param-id="sc-29.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-29.1_gdn">
-               <p>While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-30">
-         <title>Concealment and Misdirection</title>
-         <param id="sc-30_prm_1">
-            <label>organization-defined systems</label>
-         </param>
-         <param id="sc-30_prm_2">
-            <label>organization-defined time-periods</label>
-         </param>
-         <param id="sc-30_prm_3">
-            <label>organization-defined concealment and misdirection techniques</label>
-         </param>
-         <prop name="label">SC-30</prop>
-         <prop name="sort-id">SC-30</prop>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#sc-25">SC-25</link>
-         <link rel="related" href="#sc-26">SC-26</link>
-         <link rel="related" href="#sc-29">SC-29</link>
-         <link rel="related" href="#sc-44">SC-44</link>
-         <link rel="related" href="#si-14">SI-14</link>
-         <part name="statement" id="sc-30_smt">
-            <p>Employ the following concealment and misdirection techniques for <insert param-id="sc-30_prm_1"/> at <insert param-id="sc-30_prm_2"/> to confuse and mislead adversaries: <insert param-id="sc-30_prm_3"/>.</p>
-         </part>
-         <part name="guidance" id="sc-30_gdn">
-            <p>Concealment and misdirection techniques can significantly reduce the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. For example, virtualization techniques provide organizations with the ability to disguise systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. The increased use of concealment and misdirection techniques and methods, including randomness, uncertainty, and virtualization, may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment and misdirection techniques may provide additional time to perform core missions and business functions. The implementation of concealment and misdirection techniques may add to the complexity and management overhead required for the system.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-30.1">
-            <title>Virtualization Techniques</title>
-            <prop name="label">SC-30(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SC-30(01)</prop>
-            <link rel="incorporated-into" href="#sc-29.1">SC-29(1)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-30.2">
-            <title>Randomness</title>
-            <param id="sc-30.2_prm_1">
-               <label>organization-defined techniques</label>
-            </param>
-            <prop name="label">SC-30(2)</prop>
-            <prop name="sort-id">SC-30(02)</prop>
-            <part name="statement" id="sc-30.2_smt">
-               <p>Employ <insert param-id="sc-30.2_prm_1"/> to introduce randomness into organizational operations and assets.</p>
-            </part>
-            <part name="guidance" id="sc-30.2_gdn">
-               <p>Randomness introduces increased levels of uncertainty for adversaries regarding the actions organizations take in defending their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations supporting critical missions or business functions. Uncertainty may also cause adversaries to hesitate before initiating attacks or continuing the attacks. Misdirection techniques involving randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating roles and responsibilities of organizational personnel.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-30.3">
-            <title>Change Processing and Storage Locations</title>
-            <param id="sc-30.3_prm_1">
-               <label>organization-defined processing and/or storage</label>
-            </param>
-            <param id="sc-30.3_prm_2">
-               <select>
-                  <choice>
-                     <insert param-id="sc-30.3_prm_3"/>
-                  </choice>
-                  <choice>at random time intervals</choice>
-               </select>
-            </param>
-            <param id="sc-30.3_prm_3" depends-on="sc-30.3_prm_2">
-               <label>organization-defined time frequency</label>
-            </param>
-            <prop name="label">SC-30(3)</prop>
-            <prop name="sort-id">SC-30(03)</prop>
-            <part name="statement" id="sc-30.3_smt">
-               <p>Change the location of <insert param-id="sc-30.3_prm_1"/>
-                  <insert param-id="sc-30.3_prm_2"/>].</p>
-            </part>
-            <part name="guidance" id="sc-30.3_gdn">
-               <p>Adversaries target critical missions and business functions and the systems supporting those missions and functions while at the same time, trying to minimize exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational systems targeted by adversaries, make such systems more susceptible to attacks with less adversary cost and effort to be successful. Changing processing and storage locations (also referred to as moving target defense) addresses the advanced persistent threat using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the system components (i.e., processing and/or storage) supporting critical missions and business functions. Changing the locations of processing activities and/or storage sites introduces a degree of uncertainty into the targeting activities by adversaries. The targeting uncertainty increases the work factor of adversaries making compromises or breaches to organizational systems more difficult and time-consuming. It also increases the chances that adversaries may inadvertently disclose aspects of tradecraft while attempting to locate critical organizational resources.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-30.4">
-            <title>Misleading Information</title>
-            <param id="sc-30.4_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">SC-30(4)</prop>
-            <prop name="sort-id">SC-30(04)</prop>
-            <link rel="related" href="#sc-26">SC-26</link>
-            <part name="statement" id="sc-30.4_smt">
-               <p>Employ realistic, but misleading information in <insert param-id="sc-30.4_prm_1"/> about its security state or posture.</p>
-            </part>
-            <part name="guidance" id="sc-30.4_gdn">
-               <p>This control enhancement is intended to mislead potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective, attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known to be targeted by adversaries. Another technique is the use of deception nets that mimic actual aspects of organizational systems but use, for example, out-of-date software configurations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-30.5">
-            <title>Concealment of System Components</title>
-            <param id="sc-30.5_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="sc-30.5_prm_2">
-               <label>organization-defined techniques</label>
-            </param>
-            <prop name="label">SC-30(5)</prop>
-            <prop name="sort-id">SC-30(05)</prop>
-            <part name="statement" id="sc-30.5_smt">
-               <p>Employ the following techniques to hide or conceal <insert param-id="sc-30.5_prm_1"/>: <insert param-id="sc-30.5_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-30.5_gdn">
-               <p>By hiding, disguising, or concealing critical system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means to hide, disguise, or conceal system components include configuration of routers or the use of encryption or virtualization techniques.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-31">
-         <title>Covert Channel Analysis</title>
-         <param id="sc-31_prm_1">
-            <select how-many="one or more">
-               <choice>storage</choice>
-               <choice>timing</choice>
-            </select>
-         </param>
-         <prop name="label">SC-31</prop>
-         <prop name="sort-id">SC-31</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#si-11">SI-11</link>
-         <part name="statement" id="sc-31_smt">
-            <part name="item" id="sc-31_smt.a">
-               <prop name="label">a.</prop>
-               <p>Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert <insert param-id="sc-31_prm_1"/> channels; and</p>
-            </part>
-            <part name="item" id="sc-31_smt.b">
-               <prop name="label">b.</prop>
-               <p>Estimate the maximum bandwidth of those channels.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-31_gdn">
-            <p>Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, for example, in the case of systems containing export-controlled information and having connections to external networks (i.e., networks that are not controlled by organizations). Covert channel analysis is also useful for multilevel secure systems, multiple security level systems, and cross-domain systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-31.1">
-            <title>Test Covert Channels for Exploitability</title>
-            <prop name="label">SC-31(1)</prop>
-            <prop name="sort-id">SC-31(01)</prop>
-            <part name="statement" id="sc-31.1_smt">
-               <p>Test a subset of the identified covert channels to determine the channels that are exploitable.</p>
-            </part>
-            <part name="guidance" id="sc-31.1_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-31.2">
-            <title>Maximum Bandwidth</title>
-            <param id="sc-31.2_prm_1">
-               <select how-many="one or more">
-                  <choice>storage</choice>
-                  <choice>timing</choice>
-               </select>
-            </param>
-            <param id="sc-31.2_prm_2">
-               <label>organization-defined values</label>
-            </param>
-            <prop name="label">SC-31(2)</prop>
-            <prop name="sort-id">SC-31(02)</prop>
-            <part name="statement" id="sc-31.2_smt">
-               <p>Reduce the maximum bandwidth for identified covert <insert param-id="sc-31.2_prm_1"/> channels to <insert param-id="sc-31.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-31.2_gdn">
-               <p>The complete elimination of covert channels, especially covert timing channels, is usually not possible without significant performance impacts.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-31.3">
-            <title>Measure Bandwidth in Operational Environments</title>
-            <param id="sc-31.3_prm_1">
-               <label>organization-defined subset of identified covert channels</label>
-            </param>
-            <prop name="label">SC-31(3)</prop>
-            <prop name="sort-id">SC-31(03)</prop>
-            <part name="statement" id="sc-31.3_smt">
-               <p>Measure the bandwidth of <insert param-id="sc-31.3_prm_1"/> in the operational environment of the system.</p>
-            </part>
-            <part name="guidance" id="sc-31.3_gdn">
-               <p>Measuring covert channel bandwidth in specified operational environments helps organizations to determine how much information can be covertly leaked before such leakage adversely affects missions or business functions. Covert channel bandwidth may be significantly different when measured in those settings that are independent of the specific environments of operation, including laboratories or system development environments.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-32">
-         <title>System Partitioning</title>
-         <param id="sc-32_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <param id="sc-32_prm_2">
-            <select>
-               <choice>physical</choice>
-               <choice>logical</choice>
-            </select>
-         </param>
-         <param id="sc-32_prm_3">
-            <label>organization-defined circumstances for physical or logical separation of components</label>
-         </param>
-         <prop name="label">SC-32</prop>
-         <prop name="sort-id">SC-32</prop>
-         <link rel="reference" href="#b3e26423-0687-47c7-ba9a-a96870d58a27">[FIPS 199]</link>
-         <link rel="reference" href="#7a93e915-fd58-4147-be12-e48044c367e6">[IR 8179]</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-36">SC-36</link>
-         <part name="statement" id="sc-32_smt">
-            <p>Partition the system into <insert param-id="sc-32_prm_1"/> residing in separate <insert param-id="sc-32_prm_2"/> domains or environments based on <insert param-id="sc-32_prm_3"/>.</p>
-         </part>
-         <part name="guidance" id="sc-32_gdn">
-            <p>System partitioning is a part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components. Physical separation options include: physically distinct components in separate racks in the same room; critical components in separate rooms; and geographical separation of the most critical components. Security categorization can guide the selection of appropriate candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned system components.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-32.1">
-            <title>Separate Physical Domains for Privileged Functions</title>
-            <prop name="label">SC-32(1)</prop>
-            <prop name="sort-id">SC-32(01)</prop>
-            <part name="statement" id="sc-32.1_smt">
-               <p>Partition privileged functions into separate physical domains.</p>
-            </part>
-            <part name="guidance" id="sc-32.1_gdn">
-               <p>Privileged functions operating in a single physical domain may represent a single point of failure if that domain becomes compromised or experiences a denial of service.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-33">
-         <title>Transmission Preparation Integrity</title>
-         <prop name="label">SC-33</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SC-33</prop>
-         <link rel="incorporated-into" href="#sc-8">SC-8</link>
-      </control>
-      <control class="SP800-53" id="sc-34">
-         <title>Non-modifiable Executable Programs</title>
-         <param id="sc-34_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <param id="sc-34_prm_2">
-            <label>organization-defined applications</label>
-         </param>
-         <prop name="label">SC-34</prop>
-         <prop name="sort-id">SC-34</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#si-14">SI-14</link>
-         <part name="statement" id="sc-34_smt">
-            <p>For <insert param-id="sc-34_prm_1"/>, load and execute:</p>
-            <part name="item" id="sc-34_smt.a">
-               <prop name="label">a.</prop>
-               <p>The operating environment from hardware-enforced, read-only media; and</p>
-            </part>
-            <part name="item" id="sc-34_smt.b">
-               <prop name="label">b.</prop>
-               <p>The following applications from hardware-enforced, read-only media: <insert param-id="sc-34_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-34_gdn">
-            <p>The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include Compact Disk-Recordable (CD-R) and Digital Versatile Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. Use of reprogrammable read-only memory can be accepted as read-only media provided integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system; and there are reliable hardware protections against reprogramming the memory while installed in organizational systems.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-34.1">
-            <title>No Writable Storage</title>
-            <param id="sc-34.1_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">SC-34(1)</prop>
-            <prop name="sort-id">SC-34(01)</prop>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <link rel="related" href="#mp-7">MP-7</link>
-            <part name="statement" id="sc-34.1_smt">
-               <p>Employ <insert param-id="sc-34.1_prm_1"/> with no writeable storage that is persistent across component restart or power on/off.</p>
-            </part>
-            <part name="guidance" id="sc-34.1_gdn">
-               <p>Disallowing writeable storage eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated system components. The restriction applies to fixed and removable storage, with the latter being addressed either directly or as specific restrictions imposed through access controls for mobile devices.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-34.2">
-            <title>Integrity Protection on Read-only Media</title>
-            <prop name="label">SC-34(2)</prop>
-            <prop name="sort-id">SC-34(02)</prop>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <link rel="related" href="#cm-9">CM-9</link>
-            <link rel="related" href="#mp-2">MP-2</link>
-            <link rel="related" href="#mp-4">MP-4</link>
-            <link rel="related" href="#mp-5">MP-5</link>
-            <link rel="related" href="#sc-28">SC-28</link>
-            <link rel="related" href="#si-3">SI-3</link>
-            <part name="statement" id="sc-34.2_smt">
-               <p>Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.</p>
-            </part>
-            <part name="guidance" id="sc-34.2_gdn">
-               <p>Controls prevent the substitution of media into systems or the reprogramming of programmable read-only media prior to installation into the systems. Integrity protection controls include a combination of prevention, detection, and response.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-34.3">
-            <title>Hardware-based Protection</title>
-            <param id="sc-34.3_prm_1">
-               <label>organization-defined system firmware components</label>
-            </param>
-            <param id="sc-34.3_prm_2">
-               <label>organization-defined authorized individuals</label>
-            </param>
-            <prop name="label">SC-34(3)</prop>
-            <prop name="sort-id">SC-34(03)</prop>
-            <part name="statement" id="sc-34.3_smt">
-               <part name="item" id="sc-34.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employ hardware-based, write-protect for <insert param-id="sc-34.3_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="sc-34.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Implement specific procedures for <insert param-id="sc-34.3_prm_2"/> to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sc-34.3_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-35">
-         <title>External Malicious Code Identification</title>
-         <prop name="label">SC-35</prop>
-         <prop name="sort-id">SC-35</prop>
-         <link rel="related" href="#sc-26">SC-26</link>
-         <link rel="related" href="#sc-44">SC-44</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="sc-35_smt">
-            <p>Include system components that proactively seek to identify network-based malicious code or malicious websites.</p>
-         </part>
-         <part name="guidance" id="sc-35_gdn">
-            <p>External malicious code identification differs from decoys in SC-26 in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-36">
-         <title>Distributed Processing and Storage</title>
-         <param id="sc-36_prm_1">
-            <select>
-               <choice>physical locations</choice>
-               <choice>logical domains</choice>
-            </select>
-         </param>
-         <param id="sc-36_prm_2">
-            <label>organization-defined processing and storage components</label>
-         </param>
-         <prop name="label">SC-36</prop>
-         <prop name="sort-id">SC-36</prop>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#cp-6">CP-6</link>
-         <link rel="related" href="#cp-7">CP-7</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#sc-32">SC-32</link>
-         <part name="statement" id="sc-36_smt">
-            <p>Distribute the following processing and storage components across multiple <insert param-id="sc-36_prm_1"/>: <insert param-id="sc-36_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="sc-36_gdn">
-            <p>Distributing processing and storage across multiple physical locations or logical domains provides a degree of redundancy or overlap for organizations. The redundancy and overlap increases the work factor of adversaries to adversely impact organizational operations, assets, and individuals. The use of distributed processing and storage does not assume a single primary processing or storage location. Therefore, it allows for parallel processing and storage.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-36.1">
-            <title>Polling Techniques</title>
-            <param id="sc-36.1_prm_1">
-               <label>organization-defined distributed processing and storage components</label>
-            </param>
-            <param id="sc-36.1_prm_2">
-               <label>organization-defined actions</label>
-            </param>
-            <prop name="label">SC-36(1)</prop>
-            <prop name="sort-id">SC-36(01)</prop>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="sc-36.1_smt">
-               <part name="item" id="sc-36.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: <insert param-id="sc-36.1_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="sc-36.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Take the following actions in response to identified faults, errors, or compromises: <insert param-id="sc-36.1_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="sc-36.1_gdn">
-               <p>Distributed processing and/or storage may be used to reduce opportunities for adversaries to compromise the confidentiality, integrity, or availability of organizational information and systems. However, distribution of processing and/or storage components does not prevent adversaries from compromising one or more of the components. Polling compares the processing results and/or storage content from the distributed components and subsequently votes on the outcomes. Polling identifies potential faults, compromises, or errors in the distributed processing and storage components. Polling techniques may also be applied to processing and storage components that are not physically distributed.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-36.2">
-            <title>Synchronization</title>
-            <param id="sc-36.2_prm_1">
-               <label>organization-defined duplicate systems or system components</label>
-            </param>
-            <prop name="label">SC-36(2)</prop>
-            <prop name="sort-id">SC-36(02)</prop>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <part name="statement" id="sc-36.2_smt">
-               <p>Synchronize the following duplicate systems or system components: <insert param-id="sc-36.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-36.2_gdn">
-               <p>SC-36 and CP-9(6) require the duplication of systems or system components in distributed locations. Synchronization of duplicated and redundant services and data helps to ensure that information contained in the distributed locations can be used in the missions or business functions of organizations, as needed.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-37">
-         <title>Out-of-band Channels</title>
-         <param id="sc-37_prm_1">
-            <label>organization-defined information, system components, or devices</label>
-         </param>
-         <param id="sc-37_prm_2">
-            <label>organization-defined individuals or systems</label>
-         </param>
-         <param id="sc-37_prm_3">
-            <label>organization-defined out-of-band channels</label>
-         </param>
-         <prop name="label">SC-37</prop>
-         <prop name="sort-id">SC-37</prop>
-         <link rel="reference" href="#770f9bdc-4023-48ef-8206-c65397f061ea">[SP 800-57-1]</link>
-         <link rel="reference" href="#69644a9e-438a-47c3-bac9-cf28b5baf848">[SP 800-57-2]</link>
-         <link rel="reference" href="#9933c883-e8f3-4a83-9a9a-d1e058038080">[SP 800-57-3]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-4">IA-4</link>
-         <link rel="related" href="#ia-5">IA-5</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="sc-37_smt">
-            <p>Employ the following out-of-band channels for the physical delivery or electronic transmission of <insert param-id="sc-37_prm_1"/> to <insert param-id="sc-37_prm_2"/>: <insert param-id="sc-37_prm_3"/>.</p>
-         </part>
-         <part name="guidance" id="sc-37_gdn">
-            <p>Out-of-band channels include local nonnetwork accesses to systems; network paths physically separate from network paths used for operational traffic; or nonelectronic paths such as the US Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or the transmission of organizational items, including identifiers and authenticators; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-37.1">
-            <title>Ensure Delivery and Transmission</title>
-            <param id="sc-37.1_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <param id="sc-37.1_prm_2">
-               <label>organization-defined individuals or systems</label>
-            </param>
-            <param id="sc-37.1_prm_3">
-               <label>organization-defined information, system components, or devices</label>
-            </param>
-            <prop name="label">SC-37(1)</prop>
-            <prop name="sort-id">SC-37(01)</prop>
-            <part name="statement" id="sc-37.1_smt">
-               <p>Employ <insert param-id="sc-37.1_prm_1"/> to ensure that only <insert param-id="sc-37.1_prm_2"/> receive the following information, system components, or devices: <insert param-id="sc-37.1_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="sc-37.1_gdn">
-               <p>Techniques employed by organizations to ensure that only designated systems or individuals receive certain information, system components, or devices include, sending authenticators via an approved courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-38">
-         <title>Operations Security</title>
-         <param id="sc-38_prm_1">
-            <label>organization-defined operations security controls</label>
-         </param>
-         <prop name="label">SC-38</prop>
-         <prop name="sort-id">SC-38</prop>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#pl-1">PL-1</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-7">SR-7</link>
-         <part name="statement" id="sc-38_smt">
-            <p>Employ the following operations security controls to protect key organizational information throughout the system development life cycle: <insert param-id="sc-38_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sc-38_gdn">
-            <p>Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information; analysis of threats; analysis of vulnerabilities; assessment of risks; and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers and potential suppliers of system components and services, and with other non-organizational elements and individuals. Information critical to organizational missions and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-39">
-         <title>Process Isolation</title>
-         <prop name="label">SC-39</prop>
-         <prop name="sort-id">SC-39</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-6">AC-6</link>
-         <link rel="related" href="#ac-25">AC-25</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#si-16">SI-16</link>
-         <part name="statement" id="sc-39_smt">
-            <p>Maintain a separate execution domain for each executing system process.</p>
-         </part>
-         <part name="guidance" id="sc-39_gdn">
-            <p>Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-39.1">
-            <title>Hardware Separation</title>
-            <prop name="label">SC-39(1)</prop>
-            <prop name="sort-id">SC-39(01)</prop>
-            <part name="statement" id="sc-39.1_smt">
-               <p>Implement hardware separation mechanisms to facilitate process isolation.</p>
-            </part>
-            <part name="guidance" id="sc-39.1_gdn">
-               <p>Hardware-based separation of system processes is generally less susceptible to compromise than software-based separation, thus providing greater assurance that the separation will be enforced. Hardware separation mechanisms include hardware memory management.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-39.2">
-            <title>Separate Execution Domain Per Thread</title>
-            <param id="sc-39.2_prm_1">
-               <label>organization-defined multi-threaded processing</label>
-            </param>
-            <prop name="label">SC-39(2)</prop>
-            <prop name="sort-id">SC-39(02)</prop>
-            <part name="statement" id="sc-39.2_smt">
-               <p>Maintain a separate execution domain for each thread in <insert param-id="sc-39.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-39.2_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-40">
-         <title>Wireless Link Protection</title>
-         <param id="sc-40_prm_1">
-            <label>organization-defined wireless links</label>
-         </param>
-         <param id="sc-40_prm_2">
-            <label>organization-defined types of signal parameter attacks or references to sources for such attacks</label>
-         </param>
-         <prop name="label">SC-40</prop>
-         <prop name="sort-id">SC-40</prop>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <part name="statement" id="sc-40_smt">
-            <p>Protect external and internal <insert param-id="sc-40_prm_1"/> from the following signal parameter attacks: <insert param-id="sc-40_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="sc-40_gdn">
-            <p>Wireless link protection applies to internal and external wireless communication links that may be visible to individuals who are not authorized system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or spoof system users. Protection of wireless links reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement this control.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-40.1">
-            <title>Electromagnetic Interference</title>
-            <param id="sc-40.1_prm_1">
-               <label>organization-defined level of protection</label>
-            </param>
-            <prop name="label">SC-40(1)</prop>
-            <prop name="sort-id">SC-40(01)</prop>
-            <link rel="related" href="#pe-21">PE-21</link>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-40.1_smt">
-               <p>Implement cryptographic mechanisms that achieve <insert param-id="sc-40.1_prm_1"/> against the effects of intentional electromagnetic interference.</p>
-            </part>
-            <part name="guidance" id="sc-40.1_gdn">
-               <p>Implementation of cryptographic mechanisms for electromagnetic interference protects against intentional jamming that might deny or impair communications by ensuring that wireless spread spectrum waveforms used to provide anti-jam protection are not predictable by unauthorized individuals. The implementation of cryptographic mechanisms may also coincidentally mitigate the effects of unintentional jamming due to interference from legitimate transmitters sharing the same spectrum. Mission requirements, projected threats, concept of operations, and applicable laws, executive orders, directives, regulations, policies, and standards determine levels of wireless link availability, cryptography needed, or performance.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-40.2">
-            <title>Reduce Detection Potential</title>
-            <param id="sc-40.2_prm_1">
-               <label>organization-defined level of reduction</label>
-            </param>
-            <prop name="label">SC-40(2)</prop>
-            <prop name="sort-id">SC-40(02)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-40.2_smt">
-               <p>Implement cryptographic mechanisms to reduce the detection potential of wireless links to <insert param-id="sc-40.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sc-40.2_gdn">
-               <p>Implementation of cryptographic mechanisms to reduce detection potential is used for covert communications and to protect wireless transmitters from geo-location. It also ensures that spread spectrum waveforms used to achieve low probability of detection are not predictable by unauthorized individuals. Mission requirements, projected threats, concept of operations, and applicable laws, executive orders, directives, regulations, policies, and standards determine the levels to which wireless links are undetectable.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-40.3">
-            <title>Imitative or Manipulative Communications Deception</title>
-            <prop name="label">SC-40(3)</prop>
-            <prop name="sort-id">SC-40(03)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="sc-40.3_smt">
-               <p>Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.</p>
-            </part>
-            <part name="guidance" id="sc-40.3_gdn">
-               <p>Implementation of cryptographic mechanisms to identify and reject imitative or manipulative communications ensures that the signal parameters of wireless transmissions are not predictable by unauthorized individuals. Such unpredictability reduces the probability of imitative or manipulative communications deception based upon signal parameters alone.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-40.4">
-            <title>Signal Parameter Identification</title>
-            <param id="sc-40.4_prm_1">
-               <label>organization-defined wireless transmitters</label>
-            </param>
-            <prop name="label">SC-40(4)</prop>
-            <prop name="sort-id">SC-40(04)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="sc-40.4_smt">
-               <p>Implement cryptographic mechanisms to prevent the identification of <insert param-id="sc-40.4_prm_1"/> by using the transmitter signal parameters.</p>
-            </part>
-            <part name="guidance" id="sc-40.4_gdn">
-               <p>Radio fingerprinting techniques identify the unique signal parameters of transmitters to fingerprint such transmitters for purposes of tracking and mission or user identification. Implementation of cryptographic mechanisms to prevent the identification of wireless transmitters protects against the unique identification of wireless transmitters for purposes of intelligence exploitation by ensuring that anti-fingerprinting alterations to signal parameters are not predictable by unauthorized individuals. It also provides anonymity when required.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-41">
-         <title>Port and I/O Device Access</title>
-         <param id="sc-41_prm_1">
-            <select>
-               <choice>Physically</choice>
-               <choice>Logically</choice>
-            </select>
-         </param>
-         <param id="sc-41_prm_2">
-            <label>organization-defined connection ports or input/output devices</label>
-         </param>
-         <param id="sc-41_prm_3">
-            <label>organization-defined systems or system components</label>
-         </param>
-         <prop name="label">SC-41</prop>
-         <prop name="sort-id">SC-41</prop>
-         <link rel="related" href="#ac-20">AC-20</link>
-         <link rel="related" href="#mp-7">MP-7</link>
-         <part name="statement" id="sc-41_smt">
-            <p>
-               <insert param-id="sc-41_prm_1"/> disable or remove <insert param-id="sc-41_prm_2"/> on the following systems or system components: <insert param-id="sc-41_prm_3"/>.</p>
-         </part>
-         <part name="guidance" id="sc-41_gdn">
-            <p>Connection ports include Universal Serial Bus (USB), Thunderbolt, Firewire (IEEE 1394). Input/output (I/O) devices include Compact Disk (CD) and Digital Versatile Disk (DVD) drives. Disabling or removing such connection ports and I/O devices helps prevent exfiltration of information from systems and the introduction of malicious code into systems from those ports or devices. Physically disabling or removing ports and/or devices is the stronger action.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-42">
-         <title>Sensor Capability and Data</title>
-         <param id="sc-42_prm_1">
-            <label>organization-defined exceptions where remote activation of sensors is allowed</label>
-         </param>
-         <param id="sc-42_prm_2">
-            <label>organization-defined class of users</label>
-         </param>
-         <prop name="label">SC-42</prop>
-         <prop name="sort-id">SC-42</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="related" href="#sc-15">SC-15</link>
-         <part name="statement" id="sc-42_smt">
-            <part name="item" id="sc-42_smt.a">
-               <prop name="label">a.</prop>
-               <p>Prohibit the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: <insert param-id="sc-42_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="sc-42_smt.b">
-               <prop name="label">b.</prop>
-               <p>Provide an explicit indication of sensor use to <insert param-id="sc-42_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-42_gdn">
-            <p>Sensor capability and data applies to types of systems or system components characterized as mobile devices, for example, smart phones and tablets. Mobile devices often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the specific movements of an individual.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-42.1">
-            <title>Reporting to Authorized Individuals or Roles</title>
-            <param id="sc-42.1_prm_1">
-               <label>organization-defined sensors</label>
-            </param>
-            <prop name="label">SC-42(1)</prop>
-            <prop name="sort-id">SC-42(01)</prop>
-            <part name="statement" id="sc-42.1_smt">
-               <p>Verify that the system is configured so that data or information collected by the <insert param-id="sc-42.1_prm_1"/> is only reported to authorized individuals or roles.</p>
-            </part>
-            <part name="guidance" id="sc-42.1_gdn">
-               <p>In situations where sensors are activated by authorized individuals, it is still possible that the data or information collected by the sensors will be sent to unauthorized entities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-42.2">
-            <title>Authorized Use</title>
-            <param id="sc-42.2_prm_1">
-               <label>organization-defined sensors</label>
-            </param>
-            <param id="sc-42.2_prm_2">
-               <label>organization-defined measures</label>
-            </param>
-            <prop name="label">SC-42(2)</prop>
-            <prop name="sort-id">SC-42(02)</prop>
-            <link rel="related" href="#pt-2">PT-2</link>
-            <part name="statement" id="sc-42.2_smt">
-               <p>Employ the following measures so that data or information collected by <insert param-id="sc-42.2_prm_1"/> is only used for authorized purposes: <insert param-id="sc-42.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-42.2_gdn">
-               <p>Information collected by sensors for a specific authorized purpose could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track movements of individuals. Measures to mitigate such activities include additional training to ensure that authorized individuals do not abuse their authority; and in the case where sensor data or information is maintained by external parties, contractual restrictions on the use of such data or information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-42.3">
-            <title>Prohibit Use of Devices</title>
-            <param id="sc-42.3_prm_1">
-               <label>organization-defined environmental sensing capabilities</label>
-            </param>
-            <param id="sc-42.3_prm_2">
-               <label>organization-defined facilities, areas, or systems</label>
-            </param>
-            <prop name="label">SC-42(3)</prop>
-            <prop name="sort-id">SC-42(03)</prop>
-            <part name="statement" id="sc-42.3_smt">
-               <p>Prohibit the use of devices possessing <insert param-id="sc-42.3_prm_1"/> in <insert param-id="sc-42.3_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-42.3_gdn">
-               <p>For example, organizations may prohibit individuals from bringing cell phones or digital cameras into certain designated facilities or controlled areas within facilities where classified information is stored or sensitive conversations are taking place.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-42.4">
-            <title>Notice of Collection</title>
-            <param id="sc-42.4_prm_1">
-               <label>organization-defined sensors</label>
-            </param>
-            <param id="sc-42.4_prm_2">
-               <label>organization-defined measures</label>
-            </param>
-            <prop name="label">SC-42(4)</prop>
-            <prop name="sort-id">SC-42(04)</prop>
-            <link rel="related" href="#pt-1">PT-1</link>
-            <link rel="related" href="#pt-5">PT-5</link>
-            <link rel="related" href="#pt-6">PT-6</link>
-            <part name="statement" id="sc-42.4_smt">
-               <p>Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by <insert param-id="sc-42.4_prm_1"/>: <insert param-id="sc-42.4_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sc-42.4_gdn">
-               <p>Awareness that organizational sensors are collecting data enable individuals to more effectively engage in managing their privacy. Measures can include conventional written notices and sensor configurations that make individuals aware directly or indirectly through other devices that the sensor is collecting information. Usability and efficacy of the notice are important considerations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sc-42.5">
-            <title>Collection Minimization</title>
-            <param id="sc-42.5_prm_1">
-               <label>organization-defined sensors</label>
-            </param>
-            <prop name="label">SC-42(5)</prop>
-            <prop name="sort-id">SC-42(05)</prop>
-            <link rel="related" href="#si-12">SI-12</link>
-            <part name="statement" id="sc-42.5_smt">
-               <p>Employ <insert param-id="sc-42.5_prm_1"/> that are configured to minimize the collection of information about individuals that is not needed.</p>
-            </part>
-            <part name="guidance" id="sc-42.5_gdn">
-               <p>Although policies to control for authorized use can be applied to information once it is collected, minimizing the collection of information that is not needed mitigates privacy risk at the system entry point and mitigates the risk of policy control failures. Sensor configurations include the obscuring of human features such as blurring or pixelating flesh tones.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-43">
-         <title>Usage Restrictions</title>
-         <param id="sc-43_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <prop name="label">SC-43</prop>
-         <prop name="sort-id">SC-43</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#18c6942b-95f8-414c-b548-c8e6b8d8a172">[SP 800-124]</link>
-         <link rel="related" href="#ac-18">AC-18</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-18">SC-18</link>
-         <part name="statement" id="sc-43_smt">
-            <part name="item" id="sc-43_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish usage restrictions and implementation guidelines for the following system components: <insert param-id="sc-43_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="sc-43_smt.b">
-               <prop name="label">b.</prop>
-               <p>Authorize, monitor, and control the use of such components within the system.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-43_gdn">
-            <p>Usage restrictions apply to all system components including, but not limited to, mobile code, mobile devices, wireless access, and wired and wireless peripheral components (e.g., copiers, printers, scanners, optical devices, and other similar technologies). The usage restrictions and implementation guidelines are based on the potential for system components to cause damage to the system and help to ensure that only authorized system use occurs.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-44">
-         <title>Detonation Chambers</title>
-         <param id="sc-44_prm_1">
-            <label>organization-defined system, system component, or location</label>
-         </param>
-         <prop name="label">SC-44</prop>
-         <prop name="sort-id">SC-44</prop>
-         <link rel="reference" href="#64e044e4-b2a9-490f-a079-1106407c812f">[SP 800-177]</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-25">SC-25</link>
-         <link rel="related" href="#sc-26">SC-26</link>
-         <link rel="related" href="#sc-30">SC-30</link>
-         <link rel="related" href="#sc-35">SC-35</link>
-         <link rel="related" href="#sc-39">SC-39</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="sc-44_smt">
-            <p>Employ a detonation chamber capability within <insert param-id="sc-44_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sc-44_gdn">
-            <p>Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator requests in the safety of an isolated environment or a virtualized sandbox. These protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code. While related to the concept of deception nets, this control is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, it is intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-45">
-         <title>System Time Synchronization</title>
-         <prop name="label">SC-45</prop>
-         <prop name="sort-id">SC-45</prop>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#au-8">AU-8</link>
-         <link rel="related" href="#ia-2">IA-2</link>
-         <link rel="related" href="#ia-8">IA-8</link>
-         <part name="statement" id="sc-45_smt">
-            <p>Synchronize system clocks within and between systems and system components.</p>
-         </part>
-         <part name="guidance" id="sc-45_gdn">
-            <p>Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes involving certificates and time-of-day restrictions as part of access control. Denial-of-service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support the capabilities.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-46">
-         <title>Cross Domain Policy Enforcement</title>
-         <param id="sc-46_prm_1">
-            <select>
-               <choice>physically</choice>
-               <choice>logically</choice>
-            </select>
-         </param>
-         <prop name="label">SC-46</prop>
-         <prop name="sort-id">SC-46</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <part name="statement" id="sc-46_smt">
-            <p>Implement a policy enforcement mechanism <insert param-id="sc-46_prm_1"/> between the physical and/or network interfaces for the connecting security domains.</p>
-         </part>
-         <part name="guidance" id="sc-46_gdn">
-            <p>For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security boundary may be needed.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-47">
-         <title>Communications Path Diversity</title>
-         <param id="sc-47_prm_1">
-            <label>organization-defined alternate communications paths</label>
-         </param>
-         <prop name="label">SC-47</prop>
-         <prop name="sort-id">SC-47</prop>
-         <link rel="reference" href="#65774382-fcc6-4bbc-89fc-9d35aab19952">[SP 800-34]</link>
-         <link rel="reference" href="#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b">[SP 800-61]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-8">CP-8</link>
-         <part name="statement" id="sc-47_smt">
-            <p>Establish <insert param-id="sc-47_prm_1"/> for system operations organizational command and control.</p>
-         </part>
-         <part name="guidance" id="sc-47_gdn">
-            <p>An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. The inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements can impact the organization’s ability to respond in a timely manner to such incidents. Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization’s ability to continue to operate and take appropriate actions during an incident.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-48">
-         <title>Sensor Relocation</title>
-         <param id="sc-48_prm_1">
-            <label>organization-defined sensors and monitoring capabilities</label>
-         </param>
-         <param id="sc-48_prm_2">
-            <label>organization-defined locations</label>
-         </param>
-         <param id="sc-48_prm_3">
-            <label>organization-defined conditions or circumstances</label>
-         </param>
-         <prop name="label">SC-48</prop>
-         <prop name="sort-id">SC-48</prop>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="sc-48_smt">
-            <p>Relocate <insert param-id="sc-48_prm_1"/> to <insert param-id="sc-48_prm_2"/> under the following conditions or circumstances: <insert param-id="sc-48_prm_3"/>.</p>
-         </part>
-         <part name="guidance" id="sc-48_gdn">
-            <p>Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate information from the organization. The organization often only has a limited set of monitoring and detection capabilities and they may be focused on the critical or likely infiltration or exfiltration paths. By using communications paths that the organization typically does not monitor, the adversary can increase its chances of achieving its desired goals. By relocating its sensors or monitoring capabilities to new locations, the organization can impede the adversary’s ability to achieve its goals. The relocation of the sensors or monitoring capabilities might be done based on threat information the organization has acquired or randomly to confuse the adversary and make its lateral transition through the system or organization more challenging.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sc-48.1">
-            <title>Dynamic Relocation of Sensors or Monitoring Capabilities</title>
-            <param id="sc-48.1_prm_1">
-               <label>organization-defined sensors and monitoring capabilities</label>
-            </param>
-            <param id="sc-48.1_prm_2">
-               <label>organization-defined locations</label>
-            </param>
-            <param id="sc-48.1_prm_3">
-               <label>organization-defined conditions or circumstances</label>
-            </param>
-            <prop name="label">SC-48(1)</prop>
-            <prop name="sort-id">SC-48(01)</prop>
-            <part name="statement" id="sc-48.1_smt">
-               <p>Dynamically relocate <insert param-id="sc-48.1_prm_1"/> to <insert param-id="sc-48.1_prm_2"/> under the following conditions or circumstances: <insert param-id="sc-48.1_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="sc-48.1_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sc-49">
-         <title>Hardware-enforced Separation and Policy Enforcement</title>
-         <param id="sc-49_prm_1">
-            <label>organization-defined security domains</label>
-         </param>
-         <prop name="label">SC-49</prop>
-         <prop name="sort-id">SC-49</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-50">SC-50</link>
-         <part name="statement" id="sc-49_smt">
-            <p>Implement hardware-enforced separation and policy enforcement mechanisms between <insert param-id="sc-49_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sc-49_gdn">
-            <p>System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-50">
-         <title>Software-enforced Separation and Policy Enforcement</title>
-         <param id="sc-50_prm_1">
-            <label>organization-defined security domains</label>
-         </param>
-         <prop name="label">SC-50</prop>
-         <prop name="sort-id">SC-50</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#sc-49">SC-49</link>
-         <part name="statement" id="sc-50_smt">
-            <p>Implement software-enforced separation and policy enforcement mechanisms between <insert param-id="sc-50_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sc-50_gdn">
-            <p>System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement (e.g., filtering) for specific types of threats and environments of operation.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sc-51">
-         <title>Operational and Internet-based Technologies</title>
-         <param id="sc-51_prm_1">
-            <label>organization-defined Operational Technology (OT), Internet of Things (IoT), and/or Industrial Internet of Things (IIoT) systems, components, or devices</label>
-         </param>
-         <param id="sc-51_prm_2">
-            <label>organization-defined systems or networks</label>
-         </param>
-         <param id="sc-51_prm_3">
-            <label>organization-defined controls</label>
-         </param>
-         <prop name="label">SC-51</prop>
-         <prop name="sort-id">SC-51</prop>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-2">SC-2</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <link rel="related" href="#sc-49">SC-49</link>
-         <part name="statement" id="sc-51_smt">
-            <part name="item" id="sc-51_smt.a">
-               <prop name="label">a.</prop>
-               <p>Implement the following controls on <insert param-id="sc-51_prm_1"/> prior to connecting to <insert param-id="sc-51_prm_2"/>: <insert param-id="sc-51_prm_3"/>; or</p>
-            </part>
-            <part name="item" id="sc-51_smt.b">
-               <prop name="label">b.</prop>
-               <p>Isolate the OT, IoT, and IIoT systems, components, or devices from the designated organizational systems or prohibit network connectivity by the systems, components, or devices.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sc-51_gdn">
-            <p>Operational Technology (OT) is the hardware, software, and firmware components of a system used to detect or cause changes in physical processes through the direct control and monitoring of physical devices. Examples include distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLC). The term operational technology is used to demonstrate the differences between industrial control systems (ICS) that are typically found in manufacturing and power plants and the information technology (IT) systems that typically support traditional data processing applications. The term Internet of Things (IoT) is used to describe the network of devices (e.g., vehicles, medical devices, wearables, and home appliances) that contain the hardware, software, firmware, and actuators which allow the devices to connect,  interact, and exchange data and information. IoT extends Internet connectivity beyond workstations, notebook computers, smartphones and tablets to physical devices that do not typically have such connectivity. IoT devices can communicate and interact over the Internet, and they can be remotely monitored and controlled. Finally, the term Industrial Internet of Things (IIoT) is used to describe the sensors, instruments, machines, and other devices that are networked together and use Internet connectivity to enhance industrial and manufacturing business processes and applications.
-The recent convergence of IT and OT, producing cyber-physical systems, increases the attack surface of organizations significantly and provides attack vectors that are challenging to address.  Unfortunately, most of the current generation of IoT, OT and IIOT devices are not designed with security as a foundational property. Connections to and from such devices are generally not encrypted, do not provide the necessary authentication, are not monitored, and are not logged. As a result, these devices pose a significant cyber threat. In some instances, gaps in IoT, OT, and IIoT security capabilities may be addressed by employing intermediary devices that can provide encryption, authentication, security scanning, and logging capabilities, and preclude the devices from being accessible from the Internet. But such mitigating options are not always available. The situation is further complicated because some of the IoT/OT/IIoT devices are needed for essential missions and functions. In those instances, it is necessary that such devices are isolated from the Internet to reduce the susceptibility to hostile cyber-attacks.</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="si">
-      <title>System and Information Integrity</title>
-      <control class="SP800-53" id="si-1">
-         <title>Policy and Procedures</title>
-         <param id="si-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="si-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="si-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="si-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-1</prop>
-         <prop name="sort-id">SI-01</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="si-1_smt">
-            <part name="item" id="si-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="si-1_prm_1"/>:</p>
-               <part name="item" id="si-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="si-1_prm_2"/> system and information integrity policy that:</p>
-                  <part name="item" id="si-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="si-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="si-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;</p>
-               </part>
-            </part>
-            <part name="item" id="si-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="si-1_prm_3"/> to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and</p>
-            </part>
-            <part name="item" id="si-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current system and information integrity:</p>
-               <part name="item" id="si-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="si-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="si-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="si-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="si-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the SI family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-2">
-         <title>Flaw Remediation</title>
-         <param id="si-2_prm_1">
-            <label>organization-defined time-period</label>
-         </param>
-         <prop name="label">SI-2</prop>
-         <prop name="sort-id">SI-02</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="reference" href="#1126ec09-2b27-4a21-80b2-fef70b31c49d">[SP 800-40]</link>
-         <link rel="reference" href="#a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">[SP 800-128]</link>
-         <link rel="reference" href="#bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c">[IR 7788]</link>
-         <link rel="related" href="#ca-5">CA-5</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#sa-11">SA-11</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-5">SI-5</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#si-11">SI-11</link>
-         <part name="statement" id="si-2_smt">
-            <part name="item" id="si-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identify, report, and correct system flaws;</p>
-            </part>
-            <part name="item" id="si-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;</p>
-            </part>
-            <part name="item" id="si-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Install security-relevant software and firmware updates within <insert param-id="si-2_prm_1"/> of the release of the updates; and</p>
-            </part>
-            <part name="item" id="si-2_smt.d">
-               <prop name="label">d.</prop>
-               <p>Incorporate flaw remediation into the organizational configuration management process.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-2_gdn">
-            <p>The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.
-Organization-defined time-periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw); the organizational mission; or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, for example, when implementing simple malicious code signature updates. Organizations consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-2.1">
-            <title>Central Management</title>
-            <prop name="label">SI-2(1)</prop>
-            <prop name="sort-id">SI-02(01)</prop>
-            <link rel="related" href="#pl-9">PL-9</link>
-            <part name="statement" id="si-2.1_smt">
-               <p>Centrally manage the flaw remediation process.</p>
-            </part>
-            <part name="guidance" id="si-2.1_gdn">
-               <p>Central management is the organization-wide management and implementation of flaw remediation processes. It includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation controls.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.2">
-            <title>Automated Flaw Remediation Status</title>
-            <param id="si-2.2_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <param id="si-2.2_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-2(2)</prop>
-            <prop name="sort-id">SI-02(02)</prop>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="si-2.2_smt">
-               <p>Determine if system components have applicable security-relevant software and firmware updates installed using <insert param-id="si-2.2_prm_1"/>
-                  <insert param-id="si-2.2_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-2.2_gdn">
-               <p>Automated mechanisms can track and determine the status of known flaws for system components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.3">
-            <title>Time to Remediate Flaws and Benchmarks for Corrective Actions</title>
-            <param id="si-2.3_prm_1">
-               <label>organization-defined benchmarks</label>
-            </param>
-            <prop name="label">SI-2(3)</prop>
-            <prop name="sort-id">SI-02(03)</prop>
-            <part name="statement" id="si-2.3_smt">
-               <part name="item" id="si-2.3_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Measure the time between flaw identification and flaw remediation; and</p>
-               </part>
-               <part name="item" id="si-2.3_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Establish the following benchmarks for taking corrective actions: <insert param-id="si-2.3_prm_1"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-2.3_gdn">
-               <p>Organizations determine the time it takes on average to correct system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.4">
-            <title>Automated Patch Management Tools</title>
-            <param id="si-2.4_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">SI-2(4)</prop>
-            <prop name="sort-id">SI-02(04)</prop>
-            <part name="statement" id="si-2.4_smt">
-               <p>Employ automated patch management tools to facilitate flaw remediation to the following system components: <insert param-id="si-2.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-2.4_gdn">
-               <p>Using automated tools to support patch management helps to ensure the timeliness and completeness of system patching operations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.5">
-            <title>Automatic Software and Firmware Updates</title>
-            <param id="si-2.5_prm_1">
-               <label>organization-defined security-relevant software and firmware updates</label>
-            </param>
-            <param id="si-2.5_prm_2">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">SI-2(5)</prop>
-            <prop name="sort-id">SI-02(05)</prop>
-            <part name="statement" id="si-2.5_smt">
-               <p>Install <insert param-id="si-2.5_prm_1"/> automatically to <insert param-id="si-2.5_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-2.5_gdn">
-               <p>Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control with any mission or operational impacts that automatic updates might impose.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-2.6">
-            <title>Removal of Previous Versions of Software and Firmware</title>
-            <param id="si-2.6_prm_1">
-               <label>organization-defined software and firmware components</label>
-            </param>
-            <prop name="label">SI-2(6)</prop>
-            <prop name="sort-id">SI-02(06)</prop>
-            <part name="statement" id="si-2.6_smt">
-               <p>Remove previous versions of <insert param-id="si-2.6_prm_1"/> after updated versions have been installed.</p>
-            </part>
-            <part name="guidance" id="si-2.6_gdn">
-               <p>Previous versions of software or firmware components that are not removed from the system after updates have been installed may be exploited by adversaries. Some products may remove previous versions of software and firmware automatically from the system.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-3">
-         <title>Malicious Code Protection</title>
-         <param id="si-3_prm_1">
-            <select how-many="one or more">
-               <choice>signature based</choice>
-               <choice>non-signature based</choice>
-            </select>
-         </param>
-         <param id="si-3_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="si-3_prm_3">
-            <select how-many="one or more">
-               <choice>endpoint</choice>
-               <choice>network entry/exit points</choice>
-            </select>
-         </param>
-         <param id="si-3_prm_4">
-            <select how-many="one or more">
-               <choice>block malicious code</choice>
-               <choice>quarantine malicious code</choice>
-               <choice>take <insert param-id="si-3_prm_5"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-3_prm_5" depends-on="si-3_prm_4">
-            <label>organization-defined action</label>
-         </param>
-         <param id="si-3_prm_6">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SI-3</prop>
-         <prop name="sort-id">SI-03</prop>
-         <link rel="reference" href="#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b">[SP 800-83]</link>
-         <link rel="reference" href="#c972a85c-fa75-4596-be25-a338dc7e4e46">[SP 800-125B]</link>
-         <link rel="reference" href="#64e044e4-b2a9-490f-a079-1106407c812f">[SP 800-177]</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-19">AC-19</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-23">SC-23</link>
-         <link rel="related" href="#sc-26">SC-26</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-44">SC-44</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#si-8">SI-8</link>
-         <link rel="related" href="#si-15">SI-15</link>
-         <part name="statement" id="si-3_smt">
-            <part name="item" id="si-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Implement <insert param-id="si-3_prm_1"/> malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;</p>
-            </part>
-            <part name="item" id="si-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;</p>
-            </part>
-            <part name="item" id="si-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Configure malicious code protection mechanisms to:</p>
-               <part name="item" id="si-3_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Perform periodic scans of the system <insert param-id="si-3_prm_2"/> and real-time scans of files from external sources at <insert param-id="si-3_prm_3"/> as the files are downloaded, opened, or executed in accordance with organizational policy; and</p>
-               </part>
-               <part name="item" id="si-3_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>
-                     <insert param-id="si-3_prm_4"/>; and send alert to <insert param-id="si-3_prm_6"/> in response to malicious code detection.</p>
-               </part>
-            </part>
-            <part name="item" id="si-3_smt.d">
-               <prop name="label">d.</prop>
-               <p>Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-3_gdn">
-            <p>System entry and exit points include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.
-Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software and in custom-built software and could include logic bombs, back doors, and other types of attacks that could affect organizational missions and business functions.
-In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, or actions in response to detection of maliciousness when attempting to open or execute files.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-3.1">
-            <title>Central Management</title>
-            <prop name="label">SI-3(1)</prop>
-            <prop name="sort-id">SI-03(01)</prop>
-            <link rel="related" href="#pl-9">PL-9</link>
-            <part name="statement" id="si-3.1_smt">
-               <p>Centrally manage malicious code protection mechanisms.</p>
-            </part>
-            <part name="guidance" id="si-3.1_gdn">
-               <p>Central management addresses the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw and malicious code protection controls.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.2">
-            <title>Automatic Updates</title>
-            <prop name="label">SI-3(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-03(02)</prop>
-            <link rel="incorporated-into" href="#si-3">SI-3</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.3">
-            <title>Non-privileged Users</title>
-            <prop name="label">SI-3(3)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-03(03)</prop>
-            <link rel="incorporated-into" href="#ac-6.10">AC-6(10)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.4">
-            <title>Updates Only by Privileged Users</title>
-            <prop name="label">SI-3(4)</prop>
-            <prop name="sort-id">SI-03(04)</prop>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <part name="statement" id="si-3.4_smt">
-               <p>Update malicious code protection mechanisms only when directed by a privileged user.</p>
-            </part>
-            <part name="guidance" id="si-3.4_gdn">
-               <p>Protection mechanisms for malicious code are typically categorized as security-related software and as such, are only updated by organizational personnel with appropriate access privileges.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.5">
-            <title>Portable Storage Devices</title>
-            <prop name="label">SI-3(5)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-03(05)</prop>
-            <link rel="incorporated-into" href="#mp-7">MP-7</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.6">
-            <title>Testing and Verification</title>
-            <param id="si-3.6_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-3(6)</prop>
-            <prop name="sort-id">SI-03(06)</prop>
-            <link rel="related" href="#ca-2">CA-2</link>
-            <link rel="related" href="#ca-7">CA-7</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <part name="statement" id="si-3.6_smt">
-               <part name="item" id="si-3.6_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Test malicious code protection mechanisms <insert param-id="si-3.6_prm_1"/> by introducing known benign code into the system; and</p>
-               </part>
-               <part name="item" id="si-3.6_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Verify that the detection of the code and the associated incident reporting occur.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-3.6_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.7">
-            <title>Nonsignature-based Detection</title>
-            <prop name="label">SI-3(7)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-03(07)</prop>
-            <link rel="incorporated-into" href="#si-3">SI-3</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.8">
-            <title>Detect Unauthorized Commands</title>
-            <param id="si-3.8_prm_1">
-               <label>organization-defined system hardware components</label>
-            </param>
-            <param id="si-3.8_prm_2">
-               <label>organization-defined unauthorized operating system commands</label>
-            </param>
-            <param id="si-3.8_prm_3">
-               <select how-many="one or more">
-                  <choice>issue a warning</choice>
-                  <choice>audit the command execution</choice>
-                  <choice>prevent the execution of the command</choice>
-               </select>
-            </param>
-            <prop name="label">SI-3(8)</prop>
-            <prop name="sort-id">SI-03(08)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <part name="statement" id="si-3.8_smt">
-               <part name="item" id="si-3.8_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Detect the following unauthorized operating system commands through the kernel application programming interface on <insert param-id="si-3.8_prm_1"/>: <insert param-id="si-3.8_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="si-3.8_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="si-3.8_prm_3"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-3.8_gdn">
-               <p>Detecting unauthorized commands can be applied to critical interfaces other than kernel-based interfaces, including interfaces with virtual machines and privileged applications. Unauthorized operating system commands include commands for kernel functions from system processes that are not trusted to initiate such commands, or commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can also define hardware components by component type, component, component location in the network, or combination therein. Organizations may select different actions for different types, classes, or instances of malicious commands.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.9">
-            <title>Authenticate Remote Commands</title>
-            <param id="si-3.9_prm_1">
-               <label>organization-defined mechanisms</label>
-            </param>
-            <param id="si-3.9_prm_2">
-               <label>organization-defined remote commands</label>
-            </param>
-            <prop name="label">SI-3(9)</prop>
-            <prop name="sort-id">SI-03(09)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <link rel="related" href="#sc-23">SC-23</link>
-            <part name="statement" id="si-3.9_smt">
-               <p>Implement <insert param-id="si-3.9_prm_1"/> to authenticate <insert param-id="si-3.9_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-3.9_gdn">
-               <p>This control enhancement protects against unauthorized remote commands and the replay of authorized commands. This capability is important for those remote systems whose loss, malfunction, misdirection, or exploitation would have immediate and/or serious consequences, including, for example, injury or death, property damage, loss of high-value assets, compromise of classified or controlled unclassified information, or failure of missions or business functions. Authentication safeguards for remote commands ensure that systems accept and execute commands in the order intended, execute only authorized commands, and reject unauthorized commands. Cryptographic mechanisms can be employed, for example, to authenticate remote commands.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-3.10">
-            <title>Malicious Code Analysis</title>
-            <param id="si-3.10_prm_1">
-               <label>organization-defined tools and techniques</label>
-            </param>
-            <prop name="label">SI-3(10)</prop>
-            <prop name="sort-id">SI-03(10)</prop>
-            <part name="statement" id="si-3.10_smt">
-               <part name="item" id="si-3.10_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: <insert param-id="si-3.10_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="si-3.10_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-3.10_gdn">
-               <p>The use of malicious code analysis tools provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by employing reverse engineering techniques or by monitoring the behavior of executing code.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-4">
-         <title>System Monitoring</title>
-         <param id="si-4_prm_1">
-            <label>organization-defined monitoring objectives</label>
-         </param>
-         <param id="si-4_prm_2">
-            <label>organization-defined techniques and methods</label>
-         </param>
-         <param id="si-4_prm_3">
-            <label>organization-defined system monitoring information</label>
-         </param>
-         <param id="si-4_prm_4">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-4_prm_5">
-            <select how-many="one or more">
-               <choice>as needed</choice>
-               <choice>
-                  <insert param-id="si-4_prm_6"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-4_prm_6" depends-on="si-4_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-4</prop>
-         <prop name="sort-id">SI-04</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b">[SP 800-61]</link>
-         <link rel="reference" href="#8b0f8559-1185-45f9-b0a9-876d7b3c1c7b">[SP 800-83]</link>
-         <link rel="reference" href="#02d8ec60-6197-43f8-9f47-18732127963e">[SP 800-92]</link>
-         <link rel="reference" href="#41e2e2c6-2260-4258-85c8-09db17c43103">[SP 800-94]</link>
-         <link rel="reference" href="#c3b34083-77b2-4dab-a980-73068f8933bd">[SP 800-137]</link>
-         <link rel="related" href="#ac-2">AC-2</link>
-         <link rel="related" href="#ac-3">AC-3</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#ac-8">AC-8</link>
-         <link rel="related" href="#ac-17">AC-17</link>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-6">AU-6</link>
-         <link rel="related" href="#au-7">AU-7</link>
-         <link rel="related" href="#au-9">AU-9</link>
-         <link rel="related" href="#au-12">AU-12</link>
-         <link rel="related" href="#au-13">AU-13</link>
-         <link rel="related" href="#au-14">AU-14</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#cm-11">CM-11</link>
-         <link rel="related" href="#ia-10">IA-10</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#pm-12">PM-12</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-18">SC-18</link>
-         <link rel="related" href="#sc-26">SC-26</link>
-         <link rel="related" href="#sc-31">SC-31</link>
-         <link rel="related" href="#sc-35">SC-35</link>
-         <link rel="related" href="#sc-36">SC-36</link>
-         <link rel="related" href="#sc-37">SC-37</link>
-         <link rel="related" href="#sc-43">SC-43</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-6">SI-6</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <link rel="related" href="#sr-10">SR-10</link>
-         <part name="statement" id="si-4_smt">
-            <part name="item" id="si-4_smt.a">
-               <prop name="label">a.</prop>
-               <p>Monitor the system to detect:</p>
-               <part name="item" id="si-4_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>Attacks and indicators of potential attacks in accordance with the following monitoring objectives: <insert param-id="si-4_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="si-4_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Unauthorized local, network, and remote connections;</p>
-               </part>
-            </part>
-            <part name="item" id="si-4_smt.b">
-               <prop name="label">b.</prop>
-               <p>Identify unauthorized use of the system through the following techniques and methods: <insert param-id="si-4_prm_2"/>;</p>
-            </part>
-            <part name="item" id="si-4_smt.c">
-               <prop name="label">c.</prop>
-               <p>Invoke internal monitoring capabilities or deploy monitoring devices:</p>
-               <part name="item" id="si-4_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Strategically within the system to collect organization-determined essential information; and</p>
-               </part>
-               <part name="item" id="si-4_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>At ad hoc locations within the system to track specific types of transactions of interest to the organization;</p>
-               </part>
-            </part>
-            <part name="item" id="si-4_smt.d">
-               <prop name="label">d.</prop>
-               <p>Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;</p>
-            </part>
-            <part name="item" id="si-4_smt.e">
-               <prop name="label">e.</prop>
-               <p>Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;</p>
-            </part>
-            <part name="item" id="si-4_smt.f">
-               <prop name="label">f.</prop>
-               <p>Obtain legal opinion regarding system monitoring activities; and</p>
-            </part>
-            <part name="item" id="si-4_smt.g">
-               <prop name="label">g.</prop>
-               <p>Provide <insert param-id="si-4_prm_3"/> to <insert param-id="si-4_prm_4"/>
-                  <insert param-id="si-4_prm_5"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-4_gdn">
-            <p>System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capability is achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.
-Depending on the security architecture implementation, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries, and at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms supporting critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18c, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-4.1">
-            <title>System-wide Intrusion Detection System</title>
-            <prop name="label">SI-4(1)</prop>
-            <prop name="sort-id">SI-04(01)</prop>
-            <part name="statement" id="si-4.1_smt">
-               <p>Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.</p>
-            </part>
-            <part name="guidance" id="si-4.1_gdn">
-               <p>Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capability. The information contained in one intrusion detection tool can be shared widely across the organization making the system-wide detection capability more robust and powerful.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.2">
-            <title>Automated Tools and Mechanisms for Real-time Analysis</title>
-            <prop name="label">SI-4(2)</prop>
-            <prop name="sort-id">SI-04(02)</prop>
-            <link rel="related" href="#pm-23">PM-23</link>
-            <link rel="related" href="#pm-25">PM-25</link>
-            <part name="statement" id="si-4.2_smt">
-               <p>Employ automated tools and mechanisms to support near real-time analysis of events.</p>
-            </part>
-            <part name="guidance" id="si-4.2_gdn">
-               <p>Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or Security Information and Event Management technologies that provide real time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.3">
-            <title>Automated Tool and Mechanism Integration</title>
-            <prop name="label">SI-4(3)</prop>
-            <prop name="sort-id">SI-04(03)</prop>
-            <link rel="related" href="#pm-23">PM-23</link>
-            <link rel="related" href="#pm-25">PM-25</link>
-            <part name="statement" id="si-4.3_smt">
-               <p>Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.</p>
-            </part>
-            <part name="guidance" id="si-4.3_gdn">
-               <p>Using automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access and flow control mechanisms facilitates a rapid response to attacks by enabling reconfiguration of mechanisms in support of attack isolation and elimination.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.4">
-            <title>Inbound and Outbound Communications Traffic</title>
-            <param id="si-4.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-4(4)</prop>
-            <prop name="sort-id">SI-04(04)</prop>
-            <part name="statement" id="si-4.4_smt">
-               <p>Monitor inbound and outbound communications traffic <insert param-id="si-4.4_prm_1"/> for unusual or unauthorized activities or conditions.</p>
-            </part>
-            <part name="guidance" id="si-4.4_gdn">
-               <p>Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code within organizational systems or propagating among system components; the unauthorized exporting of information; or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.5">
-            <title>System-generated Alerts</title>
-            <param id="si-4.5_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="si-4.5_prm_2">
-               <label>organization-defined compromise indicators</label>
-            </param>
-            <prop name="label">SI-4(5)</prop>
-            <prop name="sort-id">SI-04(05)</prop>
-            <link rel="related" href="#au-4">AU-4</link>
-            <link rel="related" href="#au-5">AU-5</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <part name="statement" id="si-4.5_smt">
-               <p>Alert <insert param-id="si-4.5_prm_1"/> when the following system-generated indications of compromise or potential compromise occur: <insert param-id="si-4.5_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.5_gdn">
-               <p>Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms; intrusion detection or prevention mechanisms; or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. This control enhancement addresses the security alerts generated by the system. Alternatively, alerts generated by organizations in SI-4(12) focus on information sources external to the system such as suspicious activity reports and reports on potential insider threats.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.6">
-            <title>Restrict Non-privileged Users</title>
-            <prop name="label">SI-4(6)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-04(06)</prop>
-            <link rel="incorporated-into" href="#ac-6.10">AC-6(10)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.7">
-            <title>Automated Response to Suspicious Events</title>
-            <param id="si-4.7_prm_1">
-               <label>organization-defined incident response personnel (identified by name and/or by role)</label>
-            </param>
-            <param id="si-4.7_prm_2">
-               <label>organization-defined least-disruptive actions to terminate suspicious events</label>
-            </param>
-            <prop name="label">SI-4(7)</prop>
-            <prop name="sort-id">SI-04(07)</prop>
-            <part name="statement" id="si-4.7_smt">
-               <part name="item" id="si-4.7_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Notify <insert param-id="si-4.7_prm_1"/> of detected suspicious events; and</p>
-               </part>
-               <part name="item" id="si-4.7_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Take the following actions upon detection: <insert param-id="si-4.7_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-4.7_gdn">
-               <p>Least-disruptive actions include initiating requests for human responses.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.8">
-            <title>Protection of Monitoring Information</title>
-            <prop name="label">SI-4(8)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-04(08)</prop>
-            <link rel="incorporated-into" href="#si-4">SI-4</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.9">
-            <title>Testing of Monitoring Tools and Mechanisms</title>
-            <param id="si-4.9_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-4(9)</prop>
-            <prop name="sort-id">SI-04(09)</prop>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <part name="statement" id="si-4.9_smt">
-               <p>Test intrusion-monitoring tools and mechanisms <insert param-id="si-4.9_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.9_gdn">
-               <p>Testing intrusion-monitoring tools and mechanism is necessary to ensure that the tools and mechanisms are operating correctly and continue to satisfy the monitoring objectives of organizations. The frequency and depth of testing depends on the types of tools and mechanisms used by organizations and the methods of deployment.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.10">
-            <title>Visibility of Encrypted Communications</title>
-            <param id="si-4.10_prm_1">
-               <label>organization-defined encrypted communications traffic</label>
-            </param>
-            <param id="si-4.10_prm_2">
-               <label>organization-defined system monitoring tools and mechanisms</label>
-            </param>
-            <prop name="label">SI-4(10)</prop>
-            <prop name="sort-id">SI-04(10)</prop>
-            <part name="statement" id="si-4.10_smt">
-               <p>Make provisions so that <insert param-id="si-4.10_prm_1"/> is visible to <insert param-id="si-4.10_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.10_gdn">
-               <p>Organizations balance the need for encrypting communications traffic to protect data confidentiality with the need for having visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.11">
-            <title>Analyze Communications Traffic Anomalies</title>
-            <param id="si-4.11_prm_1">
-               <label>organization-defined interior points within the system</label>
-            </param>
-            <prop name="label">SI-4(11)</prop>
-            <prop name="sort-id">SI-04(11)</prop>
-            <part name="statement" id="si-4.11_smt">
-               <p>Analyze outbound communications traffic at the external interfaces to the system and selected <insert param-id="si-4.11_prm_1"/> to discover anomalies.</p>
-            </part>
-            <part name="guidance" id="si-4.11_gdn">
-               <p>Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g. IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.12">
-            <title>Automated Organization-generated Alerts</title>
-            <param id="si-4.12_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="si-4.12_prm_2">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <param id="si-4.12_prm_3">
-               <label>organization-defined activities that trigger alerts</label>
-            </param>
-            <prop name="label">SI-4(12)</prop>
-            <prop name="sort-id">SI-04(12)</prop>
-            <part name="statement" id="si-4.12_smt">
-               <p>Alert <insert param-id="si-4.12_prm_1"/> using <insert param-id="si-4.12_prm_2"/> when the following indications of inappropriate or unusual activities with security or privacy implications occur: <insert param-id="si-4.12_prm_3"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.12_gdn">
-               <p>Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by systems in SI-4(5) that focus on information sources that are internal to the systems such as audit records, the sources of information for this enhancement focus on other entities such as suspicious activity reports and reports on potential insider threats.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.13">
-            <title>Analyze Traffic and Event Patterns</title>
-            <prop name="label">SI-4(13)</prop>
-            <prop name="sort-id">SI-04(13)</prop>
-            <part name="statement" id="si-4.13_smt">
-               <part name="item" id="si-4.13_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Analyze communications traffic and event patterns for the system;</p>
-               </part>
-               <part name="item" id="si-4.13_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Develop profiles representing common traffic and event patterns; and</p>
-               </part>
-               <part name="item" id="si-4.13_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Use the traffic and event profiles in tuning system-monitoring devices.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-4.13_gdn">
-               <p>Identifying and understanding common communications traffic and event patterns helps organizations provide useful information to system monitoring devices to more effectively identify suspicious or anomalous traffic and events when they occur. Such information can help reduce the number of false positives and false negatives during system monitoring.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.14">
-            <title>Wireless Intrusion Detection</title>
-            <prop name="label">SI-4(14)</prop>
-            <prop name="sort-id">SI-04(14)</prop>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ia-3">IA-3</link>
-            <part name="statement" id="si-4.14_smt">
-               <p>Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.</p>
-            </part>
-            <part name="guidance" id="si-4.14_gdn">
-               <p>Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems, but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.15">
-            <title>Wireless to Wireline Communications</title>
-            <prop name="label">SI-4(15)</prop>
-            <prop name="sort-id">SI-04(15)</prop>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <part name="statement" id="si-4.15_smt">
-               <p>Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.</p>
-            </part>
-            <part name="guidance" id="si-4.15_gdn">
-               <p>Wireless networks are inherently less secure than wired networks. For example, wireless networks are more susceptible to eavesdroppers or traffic analysis than wireline networks. Employing intrusion detection systems to monitor wireless communications traffic helps to ensure that the traffic does not contain malicious code prior to transitioning to the wireline network.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.16">
-            <title>Correlate Monitoring Information</title>
-            <prop name="label">SI-4(16)</prop>
-            <prop name="sort-id">SI-04(16)</prop>
-            <link rel="related" href="#au-6">AU-6</link>
-            <part name="statement" id="si-4.16_smt">
-               <p>Correlate information from monitoring tools and mechanisms employed throughout the system.</p>
-            </part>
-            <part name="guidance" id="si-4.16_gdn">
-               <p>Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation, including malicious code protection software, host monitoring, and network monitoring, can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the utility of information generated by those tools and mechanisms can help organizations to develop, operate, and maintain effective monitoring programs. Correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.17">
-            <title>Integrated Situational Awareness</title>
-            <prop name="label">SI-4(17)</prop>
-            <prop name="sort-id">SI-04(17)</prop>
-            <link rel="related" href="#au-16">AU-16</link>
-            <link rel="related" href="#pe-6">PE-6</link>
-            <part name="statement" id="si-4.17_smt">
-               <p>Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.</p>
-            </part>
-            <part name="guidance" id="si-4.17_gdn">
-               <p>Correlating monitoring information from a more diverse set of information sources helps to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4(16) that correlates the various cyber monitoring information, this control enhancement correlates monitoring beyond the cyber domain. Such monitoring may help reveal attacks on organizations that are operating across multiple attack vectors.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.18">
-            <title>Analyze Traffic and Covert Exfiltration</title>
-            <param id="si-4.18_prm_1">
-               <label>organization-defined interior points within the system</label>
-            </param>
-            <prop name="label">SI-4(18)</prop>
-            <prop name="sort-id">SI-04(18)</prop>
-            <part name="statement" id="si-4.18_smt">
-               <p>Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: <insert param-id="si-4.18_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.18_gdn">
-               <p>Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.19">
-            <title>Risk for Individuals</title>
-            <param id="si-4.19_prm_1">
-               <label>organization-defined additional monitoring</label>
-            </param>
-            <param id="si-4.19_prm_2">
-               <label>organization-defined sources</label>
-            </param>
-            <prop name="label">SI-4(19)</prop>
-            <prop name="sort-id">SI-04(19)</prop>
-            <part name="statement" id="si-4.19_smt">
-               <p>Implement <insert param-id="si-4.19_prm_1"/> of individuals who have been identified by <insert param-id="si-4.19_prm_2"/> as posing an increased level of risk.</p>
-            </part>
-            <part name="guidance" id="si-4.19_gdn">
-               <p>Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with management, legal, security, privacy and human resource officials conducting such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.20">
-            <title>Privileged Users</title>
-            <param id="si-4.20_prm_1">
-               <label>organization-defined additional monitoring</label>
-            </param>
-            <prop name="label">SI-4(20)</prop>
-            <prop name="sort-id">SI-04(20)</prop>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <part name="statement" id="si-4.20_smt">
-               <p>Implement the following additional monitoring of privileged users: <insert param-id="si-4.20_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.20_gdn">
-               <p>Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.21">
-            <title>Probationary Periods</title>
-            <param id="si-4.21_prm_1">
-               <label>organization-defined probationary period</label>
-            </param>
-            <param id="si-4.21_prm_2">
-               <label>organization-defined additional monitoring</label>
-            </param>
-            <prop name="label">SI-4(21)</prop>
-            <prop name="sort-id">SI-04(21)</prop>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <part name="statement" id="si-4.21_smt">
-               <p>Implement the following additional monitoring of individuals during <insert param-id="si-4.21_prm_1"/>: <insert param-id="si-4.21_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.21_gdn">
-               <p>During probationary periods, employees do not have permanent employment status within organizations. Without such status and having access to information that is resident on the system, additional monitoring can help identify any potentially malicious activity or inappropriate behavior.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.22">
-            <title>Unauthorized Network Services</title>
-            <param id="si-4.22_prm_1">
-               <label>organization-defined authorization or approval processes</label>
-            </param>
-            <param id="si-4.22_prm_2">
-               <select how-many="one or more">
-                  <choice>audit</choice>
-                  <choice>alert <insert param-id="si-4.22_prm_3"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-4.22_prm_3" depends-on="si-4.22_prm_2">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-4(22)</prop>
-            <prop name="sort-id">SI-04(22)</prop>
-            <link rel="related" href="#cm-7">CM-7</link>
-            <part name="statement" id="si-4.22_smt">
-               <part name="item" id="si-4.22_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Detect network services that have not been authorized or approved by <insert param-id="si-4.22_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="si-4.22_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="si-4.22_prm_2"/> when detected.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-4.22_gdn">
-               <p>Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.23">
-            <title>Host-based Devices</title>
-            <param id="si-4.23_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="si-4.23_prm_2">
-               <label>organization-defined host-based monitoring mechanisms</label>
-            </param>
-            <prop name="label">SI-4(23)</prop>
-            <prop name="sort-id">SI-04(23)</prop>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <link rel="related" href="#ac-19">AC-19</link>
-            <part name="statement" id="si-4.23_smt">
-               <p>Implement the following host-based monitoring mechanisms at <insert param-id="si-4.23_prm_1"/>: <insert param-id="si-4.23_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.23_gdn">
-               <p>System components where host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.24">
-            <title>Indicators of Compromise</title>
-            <param id="si-4.24_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="si-4.24_prm_2">
-               <label>organization-defined sources</label>
-            </param>
-            <prop name="label">SI-4(24)</prop>
-            <prop name="sort-id">SI-04(24)</prop>
-            <link rel="related" href="#ac-18">AC-18</link>
-            <part name="statement" id="si-4.24_smt">
-               <p>Discover, collect, and distribute to <insert param-id="si-4.24_prm_1"/>, indicators of compromise provided by <insert param-id="si-4.24_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-4.24_gdn">
-               <p>Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational systems at the host or network level. IOCs provide valuable information on systems that have been compromised. IOCs can include the creation of registry key values. IOCs for network traffic include Universal Resource Locator or protocol elements that indicate malicious code command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures, tactics, techniques and procedures, and other indicators of compromise may be available via government and non-government cooperatives including Forum of Incident Response and Security Teams, United States Computer Emergency Readiness Team, Defense Industrial Base Cybersecurity Information Sharing Program, and CERT Coordination Center.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-4.25">
-            <title>Optimize Network Traffic Analysis</title>
-            <prop name="label">SI-4(25)</prop>
-            <prop name="sort-id">SI-04(25)</prop>
-            <part name="statement" id="si-4.25_smt">
-               <p>Provide visibility into network traffic at external and key internal system boundaries to optimize the effectiveness of monitoring devices.</p>
-            </part>
-            <part name="guidance" id="si-4.25_gdn">
-               <p>Encrypted traffic, asymmetric routing architectures, capacity and latency limitations, and  transitioning from older to newer technologies (e.g., IPv4 to IPv6 network protocol transition), may result in blind spots for organizations when analyzing network traffic. Collecting, decrypting, pre-processing and distributing only relevant traffic to monitoring devices can streamline efficiency and use of the devices and optimize traffic analysis.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-5">
-         <title>Security Alerts, Advisories, and Directives</title>
-         <param id="si-5_prm_1">
-            <label>organization-defined external organizations</label>
-         </param>
-         <param id="si-5_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="si-5_prm_3"/>
-               </choice>
-               <choice>
-                  <insert param-id="si-5_prm_4"/>
-               </choice>
-               <choice>
-                  <insert param-id="si-5_prm_5"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-5_prm_3" depends-on="si-5_prm_2">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-5_prm_4" depends-on="si-5_prm_2">
-            <label>organization-defined elements within the organization</label>
-         </param>
-         <param id="si-5_prm_5" depends-on="si-5_prm_2">
-            <label>organization-defined external organizations</label>
-         </param>
-         <prop name="label">SI-5</prop>
-         <prop name="sort-id">SI-05</prop>
-         <link rel="reference" href="#1126ec09-2b27-4a21-80b2-fef70b31c49d">[SP 800-40]</link>
-         <link rel="related" href="#pm-15">PM-15</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <part name="statement" id="si-5_smt">
-            <part name="item" id="si-5_smt.a">
-               <prop name="label">a.</prop>
-               <p>Receive system security alerts, advisories, and directives from <insert param-id="si-5_prm_1"/> on an ongoing basis;</p>
-            </part>
-            <part name="item" id="si-5_smt.b">
-               <prop name="label">b.</prop>
-               <p>Generate internal security alerts, advisories, and directives as deemed necessary;</p>
-            </part>
-            <part name="item" id="si-5_smt.c">
-               <prop name="label">c.</prop>
-               <p>Disseminate security alerts, advisories, and directives to: <insert param-id="si-5_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="si-5_smt.d">
-               <prop name="label">d.</prop>
-               <p>Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-5_gdn">
-            <p>The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-5.1">
-            <title>Automated Alerts and Advisories</title>
-            <param id="si-5.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">SI-5(1)</prop>
-            <prop name="sort-id">SI-05(01)</prop>
-            <part name="statement" id="si-5.1_smt">
-               <p>Broadcast security alert and advisory information throughout the organization using <insert param-id="si-5.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-5.1_gdn">
-               <p>The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of information security and privacy risk, including the governance level, mission and business process level, and the information system level.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-6">
-         <title>Security and Privacy Function Verification</title>
-         <param id="si-6_prm_1">
-            <label>organization-defined security and privacy functions</label>
-         </param>
-         <param id="si-6_prm_2">
-            <select how-many="one or more">
-               <choice>
-                  <insert param-id="si-6_prm_3"/>
-               </choice>
-               <choice>upon command by user with appropriate privilege</choice>
-               <choice>
-                  <insert param-id="si-6_prm_4"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-6_prm_3" depends-on="si-6_prm_2">
-            <label>organization-defined system transitional states</label>
-         </param>
-         <param id="si-6_prm_4" depends-on="si-6_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="si-6_prm_5">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="si-6_prm_6">
-            <select how-many="one or more">
-               <choice>Shut the system down</choice>
-               <choice>Restart the system</choice>
-               <choice>
-                  <insert param-id="si-6_prm_7"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-6_prm_7" depends-on="si-6_prm_6">
-            <label>organization-defined alternative action(s)</label>
-         </param>
-         <prop name="label">SI-6</prop>
-         <prop name="sort-id">SI-06</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#cm-4">CM-4</link>
-         <link rel="related" href="#cm-6">CM-6</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <part name="statement" id="si-6_smt">
-            <part name="item" id="si-6_smt.a">
-               <prop name="label">a.</prop>
-               <p>Verify the correct operation of <insert param-id="si-6_prm_1"/>;</p>
-            </part>
-            <part name="item" id="si-6_smt.b">
-               <prop name="label">b.</prop>
-               <p>Perform the verification of the functions specified in SI-6a <insert param-id="si-6_prm_2"/>;</p>
-            </part>
-            <part name="item" id="si-6_smt.c">
-               <prop name="label">c.</prop>
-               <p>Notify <insert param-id="si-6_prm_5"/> of failed security and privacy verification tests; and</p>
-            </part>
-            <part name="item" id="si-6_smt.d">
-               <prop name="label">d.</prop>
-               <p>
-                  <insert param-id="si-6_prm_6"/> when anomalies are discovered.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-6_gdn">
-            <p>Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy, or that privacy attributes are applied or used as expected.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-6.1">
-            <title>Notification of Failed Security Tests</title>
-            <prop name="label">SI-6(1)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-06(01)</prop>
-            <link rel="incorporated-into" href="#si-6">SI-6</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-6.2">
-            <title>Automation Support for Distributed Testing</title>
-            <prop name="label">SI-6(2)</prop>
-            <prop name="sort-id">SI-06(02)</prop>
-            <link rel="related" href="#si-2">SI-2</link>
-            <part name="statement" id="si-6.2_smt">
-               <p>Implement automated mechanisms to support the management of distributed security and privacy function testing.</p>
-            </part>
-            <part name="guidance" id="si-6.2_gdn">
-               <p>The use of automated mechanisms to support the management of distributed function testing helps to ensure the integrity, timeliness, completeness, and efficacy of such testing.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-6.3">
-            <title>Report Verification Results</title>
-            <param id="si-6.3_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-6(3)</prop>
-            <prop name="sort-id">SI-06(03)</prop>
-            <link rel="related" href="#si-4">SI-4</link>
-            <link rel="related" href="#sr-4">SR-4</link>
-            <link rel="related" href="#sr-5">SR-5</link>
-            <part name="statement" id="si-6.3_smt">
-               <p>Report the results of security and privacy function verification to <insert param-id="si-6.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-6.3_gdn">
-               <p>Organizational personnel with potential interest in the results of the verification of security and privacy function include systems security officers, senior agency information security officers, and senior agency officials for privacy.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-7">
-         <title>Software, Firmware, and Information Integrity</title>
-         <param id="si-7_prm_1">
-            <label>organization-defined software, firmware, and information</label>
-         </param>
-         <param id="si-7_prm_2">
-            <label>organization-defined actions</label>
-         </param>
-         <prop name="label">SI-7</prop>
-         <prop name="sort-id">SI-07</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd">[FIPS 180-4]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="reference" href="#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">[FIPS 202]</link>
-         <link rel="reference" href="#14a7d982-9747-48e0-a877-3e8fbf6ae381">[SP 800-70]</link>
-         <link rel="reference" href="#e9224c9b-4fa5-40b7-bfbb-02bff7712d92">[SP 800-147]</link>
-         <link rel="related" href="#ac-4">AC-4</link>
-         <link rel="related" href="#cm-3">CM-3</link>
-         <link rel="related" href="#cm-7">CM-7</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#ma-3">MA-3</link>
-         <link rel="related" href="#ma-4">MA-4</link>
-         <link rel="related" href="#ra-5">RA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#sc-8">SC-8</link>
-         <link rel="related" href="#sc-12">SC-12</link>
-         <link rel="related" href="#sc-13">SC-13</link>
-         <link rel="related" href="#sc-28">SC-28</link>
-         <link rel="related" href="#sc-37">SC-37</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <link rel="related" href="#sr-10">SR-10</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="si-7_smt">
-            <part name="item" id="si-7_smt.a">
-               <prop name="label">a.</prop>
-               <p>Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: <insert param-id="si-7_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="si-7_smt.b">
-               <prop name="label">b.</prop>
-               <p>Take the following actions when unauthorized changes to the software, firmware, and information are detected: <insert param-id="si-7_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-7_gdn">
-            <p>Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes the Basic Input Output System (BIOS). Information includes personally identifiable information and metadata containing security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools can automatically monitor the integrity of systems and hosted applications.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-7.1">
-            <title>Integrity Checks</title>
-            <param id="si-7.1_prm_1">
-               <label>organization-defined software, firmware, and information</label>
-            </param>
-            <param id="si-7.1_prm_2">
-               <select how-many="one or more">
-                  <choice>at startup</choice>
-                  <choice>at <insert param-id="si-7.1_prm_3"/>
-                  </choice>
-                  <choice>
-                     <insert param-id="si-7.1_prm_4"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-7.1_prm_3" depends-on="si-7.1_prm_2">
-               <label>organization-defined transitional states or security-relevant events</label>
-            </param>
-            <param id="si-7.1_prm_4" depends-on="si-7.1_prm_2">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-7(1)</prop>
-            <prop name="sort-id">SI-07(01)</prop>
-            <part name="statement" id="si-7.1_smt">
-               <p>Perform an integrity check of <insert param-id="si-7.1_prm_1"/>
-                  <insert param-id="si-7.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-7.1_gdn">
-               <p>Security-relevant events include the identification of a new threat to which organizational systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.2">
-            <title>Automated Notifications of Integrity Violations</title>
-            <param id="si-7.2_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SI-7(2)</prop>
-            <prop name="sort-id">SI-07(02)</prop>
-            <part name="statement" id="si-7.2_smt">
-               <p>Employ automated tools that provide notification to <insert param-id="si-7.2_prm_1"/> upon discovering discrepancies during integrity verification.</p>
-            </part>
-            <part name="guidance" id="si-7.2_gdn">
-               <p>The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel having an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, systems administrators, software developers, systems integrators, and information security officers, and privacy officers.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.3">
-            <title>Centrally-managed Integrity Tools</title>
-            <prop name="label">SI-7(3)</prop>
-            <prop name="sort-id">SI-07(03)</prop>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-8">SI-8</link>
-            <part name="statement" id="si-7.3_smt">
-               <p>Employ centrally managed integrity verification tools.</p>
-            </part>
-            <part name="guidance" id="si-7.3_gdn">
-               <p>Centrally-managed integrity verification tools provides greater consistency in the application of such tools and can facilitate more comprehensive coverage of integrity verification actions.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.4">
-            <title>Tamper-evident Packaging</title>
-            <prop name="label">SI-7(4)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-07(04)</prop>
-            <link rel="incorporated-into" href="#sr-9">SR-9</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.5">
-            <title>Automated Response to Integrity Violations</title>
-            <param id="si-7.5_prm_1">
-               <select how-many="one or more">
-                  <choice>shut the system down</choice>
-                  <choice>restart the system</choice>
-                  <choice>implement <insert param-id="si-7.5_prm_2"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-7.5_prm_2" depends-on="si-7.5_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">SI-7(5)</prop>
-            <prop name="sort-id">SI-07(05)</prop>
-            <part name="statement" id="si-7.5_smt">
-               <p>Automatically <insert param-id="si-7.5_prm_1"/> when integrity violations are discovered.</p>
-            </part>
-            <part name="guidance" id="si-7.5_gdn">
-               <p>Organizations may define different integrity checking responses by type of information, by specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.6">
-            <title>Cryptographic Protection</title>
-            <prop name="label">SI-7(6)</prop>
-            <prop name="sort-id">SI-07(06)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="si-7.6_smt">
-               <p>Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.</p>
-            </part>
-            <part name="guidance" id="si-7.6_gdn">
-               <p>Cryptographic mechanisms used to protect integrity include digital signatures and the computation and application of signed hashes using asymmetric cryptography; protecting the confidentiality of the key used to generate the hash; and using the public key to verify the hash information. Organizations employing cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.7">
-            <title>Integration of Detection and Response</title>
-            <param id="si-7.7_prm_1">
-               <label>organization-defined security-relevant changes to the system</label>
-            </param>
-            <prop name="label">SI-7(7)</prop>
-            <prop name="sort-id">SI-07(07)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#ir-4">IR-4</link>
-            <link rel="related" href="#ir-5">IR-5</link>
-            <link rel="related" href="#si-4">SI-4</link>
-            <part name="statement" id="si-7.7_smt">
-               <p>Incorporate the detection of the following unauthorized changes into the organizational incident response capability: <insert param-id="si-7.7_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-7.7_gdn">
-               <p>This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended time-period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or unauthorized elevation of system privileges.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.8">
-            <title>Auditing Capability for Significant Events</title>
-            <param id="si-7.8_prm_1">
-               <select how-many="one or more">
-                  <choice>generate an audit record</choice>
-                  <choice>alert current user</choice>
-                  <choice>alert <insert param-id="si-7.8_prm_2"/>
-                  </choice>
-                  <choice>
-                     <insert param-id="si-7.8_prm_3"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-7.8_prm_2" depends-on="si-7.8_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <param id="si-7.8_prm_3" depends-on="si-7.8_prm_1">
-               <label>organization-defined other actions</label>
-            </param>
-            <prop name="label">SI-7(8)</prop>
-            <prop name="sort-id">SI-07(08)</prop>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-6">AU-6</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <part name="statement" id="si-7.8_smt">
-               <p>Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: <insert param-id="si-7.8_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-7.8_gdn">
-               <p>Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.9">
-            <title>Verify Boot Process</title>
-            <param id="si-7.9_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">SI-7(9)</prop>
-            <prop name="sort-id">SI-07(09)</prop>
-            <link rel="related" href="#si-6">SI-6</link>
-            <part name="statement" id="si-7.9_smt">
-               <p>Verify the integrity of the boot process of the following system components: <insert param-id="si-7.9_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-7.9_gdn">
-               <p>Ensuring the integrity of boot processes is critical to starting system components in known, trustworthy states. Integrity verification mechanisms provide a level of assurance that only trusted code is executed during boot processes.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.10">
-            <title>Protection of Boot Firmware</title>
-            <param id="si-7.10_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <param id="si-7.10_prm_2">
-               <label>organization-defined mechanisms</label>
-            </param>
-            <prop name="label">SI-7(10)</prop>
-            <prop name="sort-id">SI-07(10)</prop>
-            <link rel="related" href="#si-6">SI-6</link>
-            <part name="statement" id="si-7.10_smt">
-               <p>Implement the following mechanisms to protect the integrity of boot firmware in <insert param-id="si-7.10_prm_1"/>: <insert param-id="si-7.10_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-7.10_gdn">
-               <p>Unauthorized modifications to boot firmware may indicate a sophisticated, targeted attack. These types of targeted attacks can result in a permanent denial of service or a persistent malicious code presence. These situations can occur, for example, if the firmware is corrupted or if the malicious code is embedded within the firmware. System components can protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of all updates to the firmware prior to applying changes to the system component; and preventing unauthorized processes from modifying the boot firmware.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.11">
-            <title>Confined Environments with Limited Privileges</title>
-            <prop name="label">SI-7(11)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-07(11)</prop>
-            <link rel="moved-to" href="#cm-7.6">CM-7(6)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.12">
-            <title>Integrity Verification</title>
-            <param id="si-7.12_prm_1">
-               <label>organization-defined user-installed software</label>
-            </param>
-            <prop name="label">SI-7(12)</prop>
-            <prop name="sort-id">SI-07(12)</prop>
-            <link rel="related" href="#cm-11">CM-11</link>
-            <part name="statement" id="si-7.12_smt">
-               <p>Require that the integrity of the following user-installed software be verified prior to execution: <insert param-id="si-7.12_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-7.12_gdn">
-               <p>Organizations verify the integrity of user-installed software prior to execution to reduce the likelihood of executing malicious code or executing code that contains errors from unauthorized modifications. Organizations consider the practicality of approaches to verifying software integrity, including availability of checksums of adequate trustworthiness from software developers or vendors.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.13">
-            <title>Code Execution in Protected Environments</title>
-            <prop name="label">SI-7(13)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-07(13)</prop>
-            <link rel="moved-to" href="#cm-7.7">CM-7(7)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.14">
-            <title>Binary or Machine Executable Code</title>
-            <prop name="label">SI-7(14)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-07(14)</prop>
-            <link rel="moved-to" href="#cm-7.8">CM-7(8)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.15">
-            <title>Code Authentication</title>
-            <param id="si-7.15_prm_1">
-               <label>organization-defined software or firmware components</label>
-            </param>
-            <prop name="label">SI-7(15)</prop>
-            <prop name="sort-id">SI-07(15)</prop>
-            <link rel="related" href="#cm-5">CM-5</link>
-            <part name="statement" id="si-7.15_smt">
-               <p>Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: <insert param-id="si-7.15_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-7.15_gdn">
-               <p>Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations employing cryptographic mechanisms also consider cryptographic key management solutions (see SC-12 and SC-13).</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.16">
-            <title>Time Limit on Process Execution Without Supervision</title>
-            <param id="si-7.16_prm_1">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">SI-7(16)</prop>
-            <prop name="sort-id">SI-07(16)</prop>
-            <part name="statement" id="si-7.16_smt">
-               <p>Prohibit processes from executing without supervision for more than <insert param-id="si-7.16_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-7.16_gdn">
-               <p>This control enhancement addresses processes for which typical or normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes timers on operating systems, automated responses, or manual oversight and response when system process anomalies occur.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-7.17">
-            <title>Runtime Application Self-protection</title>
-            <param id="si-7.17_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">SI-7(17)</prop>
-            <prop name="sort-id">SI-07(17)</prop>
-            <link rel="related" href="#si-16">SI-16</link>
-            <part name="statement" id="si-7.17_smt">
-               <p>Implement <insert param-id="si-7.17_prm_1"/> for application self-protection at runtime.</p>
-            </part>
-            <part name="guidance" id="si-7.17_gdn">
-               <p>This control enhancement employs runtime instrumentation to detect and block the exploitation of software vulnerabilities by taking advantage of information from the software in execution. Runtime exploit prevention differs from traditional perimeter-based protections such as guards and firewalls, that can only detect and block attacks by using network information without contextual awareness. Runtime application self-protection technology can reduce the susceptibility of software to attacks by monitoring its inputs, and blocking those inputs that could allow attacks. It can also help protect the runtime environment from unwanted changes and tampering. When a threat is detected, runtime application self-protection technology can prevent exploitation and take other actions (e.g., sending a warning message to the user, terminating the user's session, terminating the application, or sending an alert to organizational personnel). Runtime application self-protection solutions can be deployed in either a monitor or protection mode.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-8">
-         <title>Spam Protection</title>
-         <prop name="label">SI-8</prop>
-         <prop name="sort-id">SI-08</prop>
-         <link rel="reference" href="#23b0a203-c020-47dd-b86c-9f8c35ecaa4e">[SP 800-45]</link>
-         <link rel="reference" href="#64e044e4-b2a9-490f-a079-1106407c812f">[SP 800-177]</link>
-         <link rel="related" href="#sc-5">SC-5</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="si-8_smt">
-            <part name="item" id="si-8_smt.a">
-               <prop name="label">a.</prop>
-               <p>Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and</p>
-            </part>
-            <part name="item" id="si-8_smt.b">
-               <prop name="label">b.</prop>
-               <p>Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-8_gdn">
-            <p>System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-8.1">
-            <title>Central Management</title>
-            <prop name="label">SI-8(1)</prop>
-            <prop name="sort-id">SI-08(01)</prop>
-            <link rel="related" href="#au-3">AU-3</link>
-            <link rel="related" href="#cm-6">CM-6</link>
-            <link rel="related" href="#si-2">SI-2</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <part name="statement" id="si-8.1_smt">
-               <p>Centrally manage spam protection mechanisms.</p>
-            </part>
-            <part name="guidance" id="si-8.1_gdn">
-               <p>Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection controls.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-8.2">
-            <title>Automatic Updates</title>
-            <param id="si-8.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SI-8(2)</prop>
-            <prop name="sort-id">SI-08(02)</prop>
-            <part name="statement" id="si-8.2_smt">
-               <p>Automatically update spam protection mechanisms <insert param-id="si-8.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-8.2_gdn">
-               <p>Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capability.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-8.3">
-            <title>Continuous Learning Capability</title>
-            <prop name="label">SI-8(3)</prop>
-            <prop name="sort-id">SI-08(03)</prop>
-            <part name="statement" id="si-8.3_smt">
-               <p>Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.</p>
-            </part>
-            <part name="guidance" id="si-8.3_gdn">
-               <p>Learning mechanisms include Bayesian filters that respond to user inputs identifying specific traffic as spam or legitimate by updating algorithm parameters and thereby more accurately separating types of traffic.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-9">
-         <title>Information Input Restrictions</title>
-         <prop name="label">SI-9</prop>
-         <prop name="status">Withdrawn</prop>
-         <prop name="sort-id">SI-09</prop>
-         <link rel="incorporated-into" href="#ac-2">AC-2</link>
-         <link rel="incorporated-into" href="#ac-3">AC-3</link>
-         <link rel="incorporated-into" href="#ac-5">AC-5</link>
-         <link rel="incorporated-into" href="#ac-6">AC-6</link>
-      </control>
-      <control class="SP800-53" id="si-10">
-         <title>Information Input Validation</title>
-         <param id="si-10_prm_1">
-            <label>organization-defined information inputs to the system</label>
-         </param>
-         <prop name="label">SI-10</prop>
-         <prop name="sort-id">SI-10</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <part name="statement" id="si-10_smt">
-            <p>Check the validity of the following information inputs: <insert param-id="si-10_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="si-10_gdn">
-            <p>Checking the valid syntax and semantics of system inputs, including character set, length, numerical range, and acceptable values, verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-10.1">
-            <title>Manual Override Capability</title>
-            <param id="si-10.1_prm_1">
-               <label>organization-defined inputs</label>
-            </param>
-            <param id="si-10.1_prm_2">
-               <label>organization-defined authorized individuals</label>
-            </param>
-            <prop name="label">SI-10(1)</prop>
-            <prop name="sort-id">SI-10(01)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#au-2">AU-2</link>
-            <link rel="related" href="#au-12">AU-12</link>
-            <part name="statement" id="si-10.1_smt">
-               <part name="item" id="si-10.1_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Provide a manual override capability for input validation of the following information inputs: <insert param-id="si-10.1_prm_1"/>;</p>
-               </part>
-               <part name="item" id="si-10.1_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Restrict the use of the manual override capability to only <insert param-id="si-10.1_prm_2"/>; and</p>
-               </part>
-               <part name="item" id="si-10.1_smt.c">
-                  <prop name="label">(c)</prop>
-                  <p>Audit the use of the manual override capability.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-10.1_gdn">
-               <p>In certain situations, for example, during events that are defined in contingency plans, a manual override capability for input validation may be needed. Manual overrides are used only in limited circumstances and with the inputs defined by the organization.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.2">
-            <title>Review and Resolve Errors</title>
-            <param id="si-10.2_prm_1">
-               <label>organization-defined time-period</label>
-            </param>
-            <prop name="label">SI-10(2)</prop>
-            <prop name="sort-id">SI-10(02)</prop>
-            <part name="statement" id="si-10.2_smt">
-               <p>Review and resolve input validation errors within <insert param-id="si-10.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-10.2_gdn">
-               <p>Resolution of input validation errors includes correcting systemic causes of errors and resubmitting transactions with corrected input.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.3">
-            <title>Predictable Behavior</title>
-            <prop name="label">SI-10(3)</prop>
-            <prop name="sort-id">SI-10(03)</prop>
-            <part name="statement" id="si-10.3_smt">
-               <p>Verify that the system behaves in a predictable and documented manner when invalid inputs are received.</p>
-            </part>
-            <part name="guidance" id="si-10.3_gdn">
-               <p>A common vulnerability in organizational systems is unpredictable behavior when invalid inputs are received. This control enhancement ensures that there is predictable behavior when the system receives invalid inputs by specifying system responses that allow the system to transition to known states without adverse, unintended side effects. The invalid inputs are those inputs related to the information inputs defined by the organization in the base control.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.4">
-            <title>Timing Interactions</title>
-            <prop name="label">SI-10(4)</prop>
-            <prop name="sort-id">SI-10(04)</prop>
-            <part name="statement" id="si-10.4_smt">
-               <p>Account for timing interactions among system components in determining appropriate responses for invalid inputs.</p>
-            </part>
-            <part name="guidance" id="si-10.4_gdn">
-               <p>In addressing invalid system inputs received across protocol interfaces, timing interactions become relevant, where one protocol needs to consider the impact of the error response on other protocols in the protocol stack. For example, 802.11 standard wireless network protocols do not interact well with Transmission Control Protocols (TCP) when packets are dropped (which could be due to invalid packet input). TCP assumes packet losses are due to congestion, while packets lost over 802.11 links are typically dropped due to noise or collisions on the link. If TCP makes a congestion response, it takes the wrong action in response to a collision event. Adversaries may be able to use what appears to be acceptable individual behaviors of the protocols in concert to achieve adverse effects through suitable construction of invalid input.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.5">
-            <title>Restrict Inputs to Trusted Sources and Approved Formats</title>
-            <param id="si-10.5_prm_1">
-               <label>organization-defined trusted sources</label>
-            </param>
-            <param id="si-10.5_prm_2">
-               <label>organization-defined formats</label>
-            </param>
-            <prop name="label">SI-10(5)</prop>
-            <prop name="sort-id">SI-10(05)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="si-10.5_smt">
-               <p>Restrict the use of information inputs to <insert param-id="si-10.5_prm_1"/> and/or <insert param-id="si-10.5_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="si-10.5_gdn">
-               <p>This control enhancement applies the concept of whitelisting to information inputs. Specifying known trusted sources for information inputs and acceptable formats for such inputs can reduce the probability of malicious activity.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-10.6">
-            <title>Injection Prevention</title>
-            <prop name="label">SI-10(6)</prop>
-            <prop name="sort-id">SI-10(06)</prop>
-            <link rel="related" href="#ac-3">AC-3</link>
-            <link rel="related" href="#ac-6">AC-6</link>
-            <part name="statement" id="si-10.6_smt">
-               <p>Prevent untrusted data injections.</p>
-            </part>
-            <part name="guidance" id="si-10.6_gdn">
-               <p>Untrusted data injections may be prevented using, for example, a parameterized interface or output escaping (output encoding). Parameterized interfaces separate data from code so injections of malicious or unintended data cannot change the semantics of the command being sent. Output escaping uses specified characters to inform the interpreter’s parser whether data is trusted.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-11">
-         <title>Error Handling</title>
-         <param id="si-11_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SI-11</prop>
-         <prop name="sort-id">SI-11</prop>
-         <link rel="related" href="#au-2">AU-2</link>
-         <link rel="related" href="#au-3">AU-3</link>
-         <link rel="related" href="#sc-31">SC-31</link>
-         <link rel="related" href="#si-2">SI-2</link>
-         <part name="statement" id="si-11_smt">
-            <part name="item" id="si-11_smt.a">
-               <prop name="label">a.</prop>
-               <p>Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and</p>
-            </part>
-            <part name="item" id="si-11_smt.b">
-               <prop name="label">b.</prop>
-               <p>Reveal error messages only to <insert param-id="si-11_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-11_gdn">
-            <p>Organizations consider the structure and the content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-12">
-         <title>Information Management and Retention</title>
-         <prop name="label">SI-12</prop>
-         <prop name="sort-id">SI-12</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="related" href="#ac-1">AC-1</link>
-         <link rel="related" href="#at-1">AT-1</link>
-         <link rel="related" href="#au-1">AU-1</link>
-         <link rel="related" href="#ca-1">CA-1</link>
-         <link rel="related" href="#cm-1">CM-1</link>
-         <link rel="related" href="#cp-1">CP-1</link>
-         <link rel="related" href="#ia-1">IA-1</link>
-         <link rel="related" href="#ir-1">IR-1</link>
-         <link rel="related" href="#ma-1">MA-1</link>
-         <link rel="related" href="#mp-1">MP-1</link>
-         <link rel="related" href="#pe-1">PE-1</link>
-         <link rel="related" href="#pl-1">PL-1</link>
-         <link rel="related" href="#pm-1">PM-1</link>
-         <link rel="related" href="#ps-1">PS-1</link>
-         <link rel="related" href="#pt-1">PT-1</link>
-         <link rel="related" href="#ra-1">RA-1</link>
-         <link rel="related" href="#sa-1">SA-1</link>
-         <link rel="related" href="#sc-1">SC-1</link>
-         <link rel="related" href="#si-1">SI-1</link>
-         <link rel="related" href="#sr-1">SR-1</link>
-         <link rel="related" href="#ac-16">AC-16</link>
-         <link rel="related" href="#au-5">AU-5</link>
-         <link rel="related" href="#au-11">AU-11</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ca-3">CA-3</link>
-         <link rel="related" href="#ca-5">CA-5</link>
-         <link rel="related" href="#ca-6">CA-6</link>
-         <link rel="related" href="#ca-7">CA-7</link>
-         <link rel="related" href="#ca-9">CA-9</link>
-         <link rel="related" href="#cm-5">CM-5</link>
-         <link rel="related" href="#cm-9">CM-9</link>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <link rel="related" href="#mp-2">MP-2</link>
-         <link rel="related" href="#mp-3">MP-3</link>
-         <link rel="related" href="#mp-4">MP-4</link>
-         <link rel="related" href="#mp-6">MP-6</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pl-4">PL-4</link>
-         <link rel="related" href="#pm-4">PM-4</link>
-         <link rel="related" href="#pm-8">PM-8</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#ps-2">PS-2</link>
-         <link rel="related" href="#ps-6">PS-6</link>
-         <link rel="related" href="#pt-1">PT-1</link>
-         <link rel="related" href="#pt-2">PT-2</link>
-         <link rel="related" href="#pt-3">PT-3</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sr-1">SR-1</link>
-         <part name="statement" id="si-12_smt">
-            <p>Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.</p>
-         </part>
-         <part name="guidance" id="si-12_gdn">
-            <p>Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention. If organizations have a records management office, consider coordinating with records management personnel.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-12.1">
-            <title>Limit Personally Identifiable Information Elements</title>
-            <param id="si-12.1_prm_1">
-               <label>organization-defined elements of personally identifiable information</label>
-            </param>
-            <prop name="label">SI-12(1)</prop>
-            <prop name="sort-id">SI-12(01)</prop>
-            <link rel="related" href="#pm-25">PM-25</link>
-            <link rel="related" href="#pt-2">PT-2</link>
-            <link rel="related" href="#pt-3">PT-3</link>
-            <link rel="related" href="#ra-3">RA-3</link>
-            <part name="statement" id="si-12.1_smt">
-               <p>Limit personally identifiable information being processed in the information life cycle to the following elements of PII: <insert param-id="si-12.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-12.1_gdn">
-               <p>Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-12.2">
-            <title>Minimize Personally Identifiable Information in Testing, Training, and Research</title>
-            <param id="si-12.2_prm_1">
-               <label>organization-defined techniques</label>
-            </param>
-            <prop name="label">SI-12(2)</prop>
-            <prop name="sort-id">SI-12(02)</prop>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <link rel="related" href="#pm-25">PM-25</link>
-            <link rel="related" href="#si-19">SI-19</link>
-            <part name="statement" id="si-12.2_smt">
-               <p>Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: <insert param-id="si-12.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-12.2_gdn">
-               <p>Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-12.3">
-            <title>Information Disposal</title>
-            <param id="si-12.3_prm_1">
-               <label>organization-defined techniques</label>
-            </param>
-            <prop name="label">SI-12(3)</prop>
-            <prop name="sort-id">SI-12(03)</prop>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <part name="statement" id="si-12.3_smt">
-               <p>Use the following techniques to dispose of, destroy, or erase information following the retention period: <insert param-id="si-12.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-12.3_gdn">
-               <p>Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. Disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-13">
-         <title>Predictable Failure Prevention</title>
-         <param id="si-13_prm_1">
-            <label>organization-defined system components</label>
-         </param>
-         <param id="si-13_prm_2">
-            <label>organization-defined MTTF substitution criteria</label>
-         </param>
-         <prop name="label">SI-13</prop>
-         <prop name="sort-id">SI-13</prop>
-         <link rel="related" href="#cp-2">CP-2</link>
-         <link rel="related" href="#cp-10">CP-10</link>
-         <link rel="related" href="#cp-13">CP-13</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-6">MA-6</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sc-6">SC-6</link>
-         <part name="statement" id="si-13_smt">
-            <part name="item" id="si-13_smt.a">
-               <prop name="label">a.</prop>
-               <p>Determine mean time to failure (MTTF) for the following system components in specific environments of operation: <insert param-id="si-13_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="si-13_smt.b">
-               <prop name="label">b.</prop>
-               <p>Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: <insert param-id="si-13_prm_2"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-13_gdn">
-            <p>While MTTF is primarily a reliability issue, this control addresses potential failures of system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define the criteria for substitution of system components based on the MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability. This includes preservation of system state variables. Standby components remain available at all times except for maintenance issues or recovery failures in progress.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-13.1">
-            <title>Transferring Component Responsibilities</title>
-            <param id="si-13.1_prm_1">
-               <label>organization-defined fraction or percentage</label>
-            </param>
-            <prop name="label">SI-13(1)</prop>
-            <prop name="sort-id">SI-13(01)</prop>
-            <part name="statement" id="si-13.1_smt">
-               <p>Take system components out of service by transferring component responsibilities to substitute components no later than <insert param-id="si-13.1_prm_1"/> of mean time to failure.</p>
-            </part>
-            <part name="guidance" id="si-13.1_gdn">
-               <p>Transferring primary system component responsibilities to other substitute components prior to primary component failure is important to reduce the risk of degraded or debilitated mission or business operations. Making such transfers based on a percentage of mean time to failure allows organizations to be proactive based on their risk tolerance. However, premature replacement of system components can result in increased cost of system operations.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-13.2">
-            <title>Time Limit on Process Execution Without Supervision</title>
-            <prop name="label">SI-13(2)</prop>
-            <prop name="status">Withdrawn</prop>
-            <prop name="sort-id">SI-13(02)</prop>
-            <link rel="incorporated-into" href="#si-7.16">SI-7(16)</link>
-         </control>
-         <control class="SP800-53-enhancement" id="si-13.3">
-            <title>Manual Transfer Between Components</title>
-            <param id="si-13.3_prm_1">
-               <label>organization-defined percentage</label>
-            </param>
-            <prop name="label">SI-13(3)</prop>
-            <prop name="sort-id">SI-13(03)</prop>
-            <part name="statement" id="si-13.3_smt">
-               <p>Manually initiate transfers between active and standby system components when the use of the active component reaches <insert param-id="si-13.3_prm_1"/> of the mean time to failure.</p>
-            </part>
-            <part name="guidance" id="si-13.3_gdn">
-               <p>For example, if the MTTF for a system component is one hundred days and the organization-defined percentage is ninety percent, the manual transfer would occur after ninety days.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-13.4">
-            <title>Standby Component Installation and Notification</title>
-            <param id="si-13.4_prm_1">
-               <label>organization-defined time-period</label>
-            </param>
-            <param id="si-13.4_prm_2">
-               <select how-many="one or more">
-                  <choice>Activate <insert param-id="si-13.4_prm_3"/>
-                  </choice>
-                  <choice>Automatically shut down the system</choice>
-                  <choice>
-                     <insert param-id="si-13.4_prm_4"/>
-                  </choice>
-               </select>
-            </param>
-            <param id="si-13.4_prm_3" depends-on="si-13.4_prm_2">
-               <label>organization-defined alarm</label>
-            </param>
-            <param id="si-13.4_prm_4" depends-on="si-13.4_prm_2">
-               <label>organization-defined action</label>
-            </param>
-            <prop name="label">SI-13(4)</prop>
-            <prop name="sort-id">SI-13(04)</prop>
-            <part name="statement" id="si-13.4_smt">
-               <p>If system component failures are detected:</p>
-               <part name="item" id="si-13.4_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>Ensure that the standby components are successfully and transparently installed within <insert param-id="si-13.4_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="si-13.4_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>
-                     <insert param-id="si-13.4_prm_2"/>.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-13.4_gdn">
-               <p>Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-13.5">
-            <title>Failover Capability</title>
-            <param id="si-13.5_prm_1">
-               <select>
-                  <choice>real-time</choice>
-                  <choice>near real-time</choice>
-               </select>
-            </param>
-            <param id="si-13.5_prm_2">
-               <label>organization-defined failover capability</label>
-            </param>
-            <prop name="label">SI-13(5)</prop>
-            <prop name="sort-id">SI-13(05)</prop>
-            <link rel="related" href="#cp-6">CP-6</link>
-            <link rel="related" href="#cp-7">CP-7</link>
-            <link rel="related" href="#cp-9">CP-9</link>
-            <part name="statement" id="si-13.5_smt">
-               <p>Provide <insert param-id="si-13.5_prm_1"/>
-                  <insert param-id="si-13.5_prm_2"/> for the system.</p>
-            </part>
-            <part name="guidance" id="si-13.5_gdn">
-               <p>Failover refers to the automatic switchover to an alternate system upon the failure of the primary system. Failover capability includes incorporating mirrored system operations at alternate processing sites or periodic data mirroring at regular intervals defined by recovery time-periods of organizations.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-14">
-         <title>Non-persistence</title>
-         <param id="si-14_prm_1">
-            <label>organization-defined system components and services</label>
-         </param>
-         <param id="si-14_prm_2">
-            <select how-many="one or more">
-               <choice>upon end of session of use</choice>
-               <choice>periodically at <insert param-id="si-14_prm_3"/>
-               </choice>
-            </select>
-         </param>
-         <param id="si-14_prm_3" depends-on="si-14_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-14</prop>
-         <prop name="sort-id">SI-14</prop>
-         <link rel="related" href="#sc-30">SC-30</link>
-         <link rel="related" href="#sc-34">SC-34</link>
-         <link rel="related" href="#si-21">SI-21</link>
-         <part name="statement" id="si-14_smt">
-            <p>Implement non-persistent <insert param-id="si-14_prm_1"/> that are initiated in a known state and terminated <insert param-id="si-14_prm_2"/>.</p>
-         </part>
-         <part name="guidance" id="si-14_gdn">
-            <p>This control mitigates risk from advanced persistent threats (APTs) by significantly reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a known state computing resource for a specific time-period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems and the environments in which those systems operate. Since the APT is a high-end, sophisticated threat regarding capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries in attempting to compromise or breach organizational systems.
-Non-persistence can be achieved by refreshing system components by periodically re-imaging components or by using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult to determine). The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the system unstable. Refreshes of critical components and services may be done periodically to hinder the ability of adversaries to exploit optimum windows of vulnerabilities.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-14.1">
-            <title>Refresh from Trusted Sources</title>
-            <param id="si-14.1_prm_1">
-               <label>organization-defined trusted sources</label>
-            </param>
-            <prop name="label">SI-14(1)</prop>
-            <prop name="sort-id">SI-14(01)</prop>
-            <part name="statement" id="si-14.1_smt">
-               <p>Obtain software and data employed during system component and service refreshes from the following trusted sources: <insert param-id="si-14.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-14.1_gdn">
-               <p>Trusted sources include software and data from write-once, read-only media or from selected off-line secure storage facilities.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-14.2">
-            <title>Non-persistent Information</title>
-            <param id="si-14.2_prm_1">
-               <select>
-                  <choice>refresh <insert param-id="si-14.2_prm_2"/>
-                     <insert param-id="si-14.2_prm_3"/>
-                  </choice>
-                  <choice>generate <insert param-id="si-14.2_prm_4"/> on demand</choice>
-               </select>
-            </param>
-            <param id="si-14.2_prm_2" depends-on="si-14.2_prm_1">
-               <label>organization-defined information</label>
-            </param>
-            <param id="si-14.2_prm_3" depends-on="si-14.2_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <param id="si-14.2_prm_4" depends-on="si-14.2_prm_1">
-               <label>organization-defined information</label>
-            </param>
-            <prop name="label">SI-14(2)</prop>
-            <prop name="sort-id">SI-14(02)</prop>
-            <part name="statement" id="si-14.2_smt">
-               <part name="item" id="si-14.2_smt.a">
-                  <prop name="label">(a)</prop>
-                  <p>
-                     <insert param-id="si-14.2_prm_1"/>; and</p>
-               </part>
-               <part name="item" id="si-14.2_smt.b">
-                  <prop name="label">(b)</prop>
-                  <p>Delete information when no longer needed.</p>
-               </part>
-            </part>
-            <part name="guidance" id="si-14.2_gdn">
-               <p>Retaining information longer than it is needed makes the information a potential target for advanced adversaries searching for high value assets to compromise through unauthorized disclosure, unauthorized modification, or exfiltration. For system-related information, unnecessary retention provides advanced adversaries information that can assist in their reconnaissance and lateral movement through the system.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-14.3">
-            <title>Non-persistent Connectivity</title>
-            <param id="si-14.3_prm_1">
-               <select>
-                  <choice>completion of a request</choice>
-                  <choice>a period of non-use</choice>
-               </select>
-            </param>
-            <prop name="label">SI-14(3)</prop>
-            <prop name="sort-id">SI-14(03)</prop>
-            <link rel="related" href="#sc-10">SC-10</link>
-            <part name="statement" id="si-14.3_smt">
-               <p>Establish connections to the system on demand and terminate connections after <insert param-id="si-14.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-14.3_gdn">
-               <p>Persistent connections to systems can provide advanced adversaries with paths to move laterally through systems, and potentially position themselves closer to high value assets. Limiting the availability of such connections impedes the adversary’s ability to move freely organizational systems.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-15">
-         <title>Information Output Filtering</title>
-         <param id="si-15_prm_1">
-            <label>organization-defined software programs and/or applications</label>
-         </param>
-         <prop name="label">SI-15</prop>
-         <prop name="sort-id">SI-15</prop>
-         <link rel="related" href="#si-3">SI-3</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="si-15_smt">
-            <p>Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: <insert param-id="si-15_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="si-15_gdn">
-            <p>Certain types of attacks, including SQL injections, produce output results that are unexpected or inconsistent with the output results that would be expected from software programs or applications. Information output filtering focuses on detecting extraneous content, preventing such extraneous content from being displayed, and then alerting monitoring tools that anomalous behavior has been discovered.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-16">
-         <title>Memory Protection</title>
-         <param id="si-16_prm_1">
-            <label>organization-defined controls</label>
-         </param>
-         <prop name="label">SI-16</prop>
-         <prop name="sort-id">SI-16</prop>
-         <link rel="related" href="#ac-25">AC-25</link>
-         <link rel="related" href="#sc-3">SC-3</link>
-         <part name="statement" id="si-16_smt">
-            <p>Implement the following controls to protect the system memory from unauthorized code execution: <insert param-id="si-16_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="si-16_gdn">
-            <p>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-17">
-         <title>Fail-safe Procedures</title>
-         <param id="si-17_prm_1">
-            <label>organization-defined list of failure conditions and associated fail-safe procedures</label>
-         </param>
-         <prop name="label">SI-17</prop>
-         <prop name="sort-id">SI-17</prop>
-         <link rel="related" href="#cp-12">CP-12</link>
-         <link rel="related" href="#cp-13">CP-13</link>
-         <link rel="related" href="#sc-24">SC-24</link>
-         <link rel="related" href="#si-13">SI-13</link>
-         <part name="statement" id="si-17_smt">
-            <p>Implement the indicated fail-safe procedures when the indicated failures occur: <insert param-id="si-17_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="si-17_gdn">
-            <p>Failure conditions include loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel and providing specific instructions on subsequent steps to take. These steps include doing nothing, reestablishing system settings, shutting down processes, restarting the system, or contacting designated organizational personnel.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-18">
-         <title>Personally Identifiable Information Quality Operations</title>
-         <param id="si-18_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-18</prop>
-         <prop name="sort-id">SI-18</prop>
-         <link rel="reference" href="#eadef75e-7e4d-4554-b818-44946c1dde0e">[SP 800-188]</link>
-         <link rel="related" href="#pm-22">PM-22</link>
-         <link rel="related" href="#pm-24">PM-24</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <part name="statement" id="si-18_smt">
-            <part name="item" id="si-18_smt.a">
-               <prop name="label">a.</prop>
-               <p>Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle <insert param-id="si-18_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="si-18_smt.b">
-               <prop name="label">b.</prop>
-               <p>Correct or delete inaccurate or outdated personally identifiable information.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-18_gdn">
-            <p>Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-18.1">
-            <title>Automation</title>
-            <param id="si-18.1_prm_1">
-               <label>organization-defined automated mechanisms</label>
-            </param>
-            <prop name="label">SI-18(1)</prop>
-            <prop name="sort-id">SI-18(01)</prop>
-            <link rel="related" href="#pm-18">PM-18</link>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <link rel="related" href="#ra-8">RA-8</link>
-            <part name="statement" id="si-18.1_smt">
-               <p>Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using <insert param-id="si-18.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="si-18.1_gdn">
-               <p>The use of automated mechanisms to improve data quality may inadvertently create privacy risks. Automated tools may connect to external or otherwise unrelated systems, and the matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.
-As data is obtained and used across the information life cycle, it is important to confirm the accuracy and relevance of personally identifiable information. Automated mechanisms can augment existing data quality processes and procedures and enable an organization to better identify and manage personally identifiable information in large-scale systems. For example, automated tools can greatly improve efforts to consistently normalize data or identify malformed data. Automated tools can also be used to improve auditing of data and detect errors that may incorrectly alter personally identifiable information or incorrectly associate such information with the wrong individual. Automated capabilities backstop processes and procedures at-scale and enable more fine-grained detection and correction of data quality errors.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-18.2">
-            <title>Data Tags</title>
-            <prop name="label">SI-18(2)</prop>
-            <prop name="sort-id">SI-18(02)</prop>
-            <link rel="related" href="#sc-16">SC-16</link>
-            <part name="statement" id="si-18.2_smt">
-               <p>Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.</p>
-            </part>
-            <part name="guidance" id="si-18.2_gdn">
-               <p>Data tagging personally identifiable information includes tags noting processing permissions, authority to process, de-identification, impact level, information life cycle stage, and retention or last updated dates. Employing data tags for personally identifiable information can support the use of automation tools to correct or delete relevant personally identifiable information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-18.3">
-            <title>Collection</title>
-            <prop name="label">SI-18(3)</prop>
-            <prop name="sort-id">SI-18(03)</prop>
-            <part name="statement" id="si-18.3_smt">
-               <p>Collect personally identifiable information directly from the individual.</p>
-            </part>
-            <part name="guidance" id="si-18.3_gdn">
-               <p>Individuals, or their designated representatives, can be a source of correct personally identifiable information about themselves. Organizations consider contextual factors that may incentivize individuals to provide correct data versus providing false data. Additional steps may be necessary to validate collected information based on the nature and context of the personally identifiable information, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive personally identifiable information.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-18.4">
-            <title>Individual Requests</title>
-            <prop name="label">SI-18(4)</prop>
-            <prop name="sort-id">SI-18(04)</prop>
-            <link rel="related" href="#pm-22">PM-22</link>
-            <part name="statement" id="si-18.4_smt">
-               <p>Correct or delete personally identifiable information upon request by individuals or their designated representatives.</p>
-            </part>
-            <part name="guidance" id="si-18.4_gdn">
-               <p>Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion in determining if personally identifiable information is to be corrected or deleted, based on the scope of requests, the changes sought, the impact of the changes, and applicable laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-18.5">
-            <title>Notice of Collection or Deletion</title>
-            <param id="si-18.5_prm_1">
-               <label>organization-defined recipients of personally identifiable information</label>
-            </param>
-            <prop name="label">SI-18(5)</prop>
-            <prop name="sort-id">SI-18(05)</prop>
-            <part name="statement" id="si-18.5_smt">
-               <p>Notify <insert param-id="si-18.5_prm_1"/> and individuals that the personally identifiable information has been corrected or deleted.</p>
-            </part>
-            <part name="guidance" id="si-18.5_gdn">
-               <p>When personally identifiable information is corrected or deleted, organizations take steps to ensure that all authorized recipients of such information, and the individual with which the information is associated or their designated representative, are informed of the corrected or deleted information.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-19">
-         <title>De-identification</title>
-         <param id="si-19_prm_1">
-            <label>organization-defined elements of personally identifiable information</label>
-         </param>
-         <param id="si-19_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SI-19</prop>
-         <prop name="sort-id">SI-19</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="reference" href="#eadef75e-7e4d-4554-b818-44946c1dde0e">[SP 800-188]</link>
-         <link rel="related" href="#mp-6">MP-6</link>
-         <link rel="related" href="#pm-22">PM-22</link>
-         <link rel="related" href="#pm-23">PM-23</link>
-         <link rel="related" href="#pm-24">PM-24</link>
-         <link rel="related" href="#ra-2">RA-2</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="si-19_smt">
-            <part name="item" id="si-19_smt.a">
-               <prop name="label">a.</prop>
-               <p>Remove the following elements of personally identifiable information from datasets: <insert param-id="si-19_prm_1"/>; and</p>
-            </part>
-            <part name="item" id="si-19_smt.b">
-               <prop name="label">b.</prop>
-               <p>Evaluate <insert param-id="si-19_prm_2"/> for effectiveness of de-identification.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-19_gdn">
-            <p>De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection, since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time supports management of this residual risk.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="si-19.1">
-            <title>Collection</title>
-            <prop name="label">SI-19(1)</prop>
-            <prop name="sort-id">SI-19(01)</prop>
-            <part name="statement" id="si-19.1_smt">
-               <p>De-identify the dataset upon collection by not collecting personally identifiable information.</p>
-            </part>
-            <part name="guidance" id="si-19.1_gdn">
-               <p>If a data source contains personally identifiable information but the information will not be used, the dataset can be de-identified upon creation by not collecting the data elements containing the personally identifiable information. For example, if an organization does not intend to use the social security number of an applicant, then application forms do not ask for a social security number.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-19.2">
-            <title>Archiving</title>
-            <prop name="label">SI-19(2)</prop>
-            <prop name="sort-id">SI-19(02)</prop>
-            <part name="statement" id="si-19.2_smt">
-               <p>Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.</p>
-            </part>
-            <part name="guidance" id="si-19.2_gdn">
-               <p>Datasets can be archived for many reasons. The envisioned purposes for the archived dataset are specified and if personally identifiable information elements are not required, the elements are not archived. For example, social security numbers may have been collected for record linkage, but the archived dataset may include the required elements from the linked records. In this case, it is not necessary to archive the social security numbers.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-19.3">
-            <title>Release</title>
-            <prop name="label">SI-19(3)</prop>
-            <prop name="sort-id">SI-19(03)</prop>
-            <part name="statement" id="si-19.3_smt">
-               <p>Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.</p>
-            </part>
-            <part name="guidance" id="si-19.3_gdn">
-               <p>Prior to releasing a dataset, a data custodian considers the intended uses of the dataset and determines if it is necessary to release personally identifiable information. If the personally identifiable information is not necessary, the information can be removed using de-identification techniques.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-19.4">
-            <title>Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers</title>
-            <prop name="label">SI-19(4)</prop>
-            <prop name="sort-id">SI-19(04)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="si-19.4_smt">
-               <p>Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.</p>
-            </part>
-            <part name="guidance" id="si-19.4_gdn">
-               <p>There are many possible processes for removing direct identifiers from a dataset. Columns in a dataset that contain a direct identifier can be removed. In masking, the direct identifier is transformed into a repeating character, for example, XXXXXX or 999999.  Identifiers can be encrypted or hashed, so that the linked records remain linked. In the case of encryption or hashing, algorithms are employed that require the use of a key, including the Advanced Encryption Standard or a Hash-based Message Authentication Code. Implementations may use the same key for all identifiers or use a different key for each identifier. Using a different key for each identifier provides for a higher degree of security and privacy. Identifiers can alternatively be replaced with a keyword, including transforming “George Washington” to “PATIENT,” or replaced with a surrogate value, for example, transforming “George Washington” to “Abraham Polk.”</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-19.5">
-            <title>Statistical Disclosure Control</title>
-            <prop name="label">SI-19(5)</prop>
-            <prop name="sort-id">SI-19(05)</prop>
-            <part name="statement" id="si-19.5_smt">
-               <p>Manipulate numerical data, contingency tables, and statistical findings so that no person or organization is identifiable in the results of the analysis.</p>
-            </part>
-            <part name="guidance" id="si-19.5_gdn">
-               <p>Many types of statistical analyses can result in the disclosure of information about individuals even if only summary information is provided. For example, if a school publishes a monthly table with the number of minority students, and in January the school reports that it has 10-19 such students, but in March it reports that it has 20-29 students, then it can be inferred that the student who enrolled in February was a minority.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-19.6">
-            <title>Differential Privacy</title>
-            <prop name="label">SI-19(6)</prop>
-            <prop name="sort-id">SI-19(06)</prop>
-            <link rel="related" href="#sc-12">SC-12</link>
-            <link rel="related" href="#sc-13">SC-13</link>
-            <part name="statement" id="si-19.6_smt">
-               <p>Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported.</p>
-            </part>
-            <part name="guidance" id="si-19.6_gdn">
-               <p>The mathematical definition for differential privacy holds that the result of a dataset analysis should be approximately the same before and after the addition or removal of a single data record (which is assumed to be the data from a single individual). In its most basic form, differential privacy applies only to online query systems. However, it can also be used to produce machine-learning statistical classifiers and synthetic data. Differential privacy comes at the cost of decreased accuracy of results, forcing organizations to quantify the trade-off between privacy protection and the overall accuracy, usefulness, and utility of the de-identified dataset. Non-deterministic noise can include adding small random values to the results of mathematical operations in dataset analysis.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-19.7">
-            <title>Validated Software</title>
-            <prop name="label">SI-19(7)</prop>
-            <prop name="sort-id">SI-19(07)</prop>
-            <part name="statement" id="si-19.7_smt">
-               <p>Perform de-identification using validated algorithms and software that is validated to implement the algorithms.</p>
-            </part>
-            <part name="guidance" id="si-19.7_gdn">
-               <p>Algorithms that appear to remove personally identifiable information from a dataset may in fact leave information that is personally identifiable or data that are re-identifiable. Software that is claimed to implement a validated algorithm may contain bugs or may implement a different algorithm. Software may de-identify one type of data, for example, integers, but not another type of data, for example, floating point numbers. For these reasons, de-identification is performed using algorithms and software that are validated.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="si-19.8">
-            <title>Motivated Intruder</title>
-            <prop name="label">SI-19(8)</prop>
-            <prop name="sort-id">SI-19(08)</prop>
-            <part name="statement" id="si-19.8_smt">
-               <p>Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.</p>
-            </part>
-            <part name="guidance" id="si-19.8_gdn">
-               <p>A motivated intruder test is a test in which a person or group takes a data release and specified resources and attempts to re-identify one or more individuals in the de-identified dataset. Such tests specify the amount of inside knowledge, computational resources, financial resources, data, and skills that intruders have at their disposal to conduct the tests. A motivated intruder test can determine if de-identification is insufficient. It can also be a useful diagnostic tool to assess if de-identification is likely to be sufficient. However, the test alone cannot prove that de-identification is sufficient.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="si-20">
-         <title>Tainting</title>
-         <param id="si-20_prm_1">
-            <label>organization-defined systems or system components</label>
-         </param>
-         <prop name="label">SI-20</prop>
-         <prop name="sort-id">SI-20</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130, Appendix II]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <part name="statement" id="si-20_smt">
-            <p>Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: <insert param-id="si-20_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="si-20_gdn">
-            <p>Many cyber-attacks target organizational information (or sensitive information the organization holds on behalf of other entities (e.g., personally identifiable information) and exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove information from the system in violation of the organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity so any packets it includes potentially contain malicious code and that the unauthorized entity potentially has obtained a copy of the database. A less passive tainting approach can include embedding false data or steganographic data in files to enable the data to be found via open source analysis. And finally, an active tainting approach can include embedding software in the data that is able to “call home” alerting the organization to its “capture” and possibly its location and the path by which it was exfiltrated or removed.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-21">
-         <title>Information Refresh</title>
-         <param id="si-21_prm_1">
-            <label>organization-defined information</label>
-         </param>
-         <param id="si-21_prm_2">
-            <label>organization-defined frequencies</label>
-         </param>
-         <prop name="label">SI-21</prop>
-         <prop name="sort-id">SI-21</prop>
-         <link rel="reference" href="#a646d45d-775f-4887-86d3-5a00ffbc4090">[OMB A-130]</link>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <link rel="related" href="#si-14">SI-14</link>
-         <part name="statement" id="si-21_smt">
-            <p>Refresh <insert param-id="si-21_prm_1"/> at <insert param-id="si-21_prm_2"/> or generate the information on demand and delete the information when no longer needed.</p>
-         </part>
-         <part name="guidance" id="si-21_gdn">
-            <p>Retaining critical or sensitive information (e.g., classified information or controlled unclassified information) for longer than it is needed makes it an increasing valuable and enticing target for adversaries. Keeping such information available for the minimum period of time needed for mission accomplishment reduces the opportunity for adversaries to compromise, capture, and exfiltrate that information.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-22">
-         <title>Information Diversity</title>
-         <param id="si-22_prm_1">
-            <label>organization-defined essential functions and services</label>
-         </param>
-         <param id="si-22_prm_2">
-            <label>organization-defined alternative information sources</label>
-         </param>
-         <param id="si-22_prm_3">
-            <label>organization-defined systems or system components</label>
-         </param>
-         <prop name="label">SI-22</prop>
-         <prop name="sort-id">SI-22</prop>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <part name="statement" id="si-22_smt">
-            <part name="item" id="si-22_smt.a">
-               <prop name="label">a.</prop>
-               <p>Identify the following alternative sources of information for <insert param-id="si-22_prm_1"/>: <insert param-id="si-22_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="si-22_smt.b">
-               <prop name="label">b.</prop>
-               <p>Use an alternative information source for the execution of essential functions or services on <insert param-id="si-22_prm_3"/> when the primary source of information is corrupted or unavailable.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-22_gdn">
-            <p>Actions taken by a system service or a function are often driven by the information it receives. Corruption, fabrication, modification, or deletion of that information could impact the ability of the service function to properly carry out its intended actions. By having multiple sources of input, the service or function can continue operation if one source is corrupted or no longer available. It is possible that the alternative sources of information may be less precise or less accurate than the primary source of information. But having such sub-optimal information sources may still provide a sufficient level of quality that the essential service or function can be carried out, even in a degraded or debilitated manner.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="si-23">
-         <title>Information Fragmentation</title>
-         <param id="si-23_prm_1">
-            <label>organization-defined circumstances</label>
-         </param>
-         <param id="si-23_prm_2">
-            <label>organization-defined information</label>
-         </param>
-         <param id="si-23_prm_3">
-            <label>Assignment organization-defined systems or system components</label>
-         </param>
-         <prop name="label">SI-23</prop>
-         <prop name="sort-id">SI-23</prop>
-         <link rel="reference" href="#8411e6e8-09bd-431d-bbcb-3423d36ad880">[SP 800-160 v2]</link>
-         <part name="statement" id="si-23_smt">
-            <p>Based on <insert param-id="si-23_prm_1"/>:</p>
-            <part name="item" id="si-23_smt.a">
-               <prop name="label">a.</prop>
-               <p>Fragment the following information: <insert param-id="si-23_prm_2"/>; and</p>
-            </part>
-            <part name="item" id="si-23_smt.b">
-               <prop name="label">b.</prop>
-               <p>Distribute the fragmented information across the following systems or system components: <insert param-id="si-23_prm_3"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="si-23_gdn">
-            <p>One major objective of the advanced persistent threat is to exfiltrate sensitive and valuable information.  Once exfiltrated, there is generally no way for the organization to recover the lost information. Therefore, organizations may consider taking the information and dividing it into disparate elements and then distributing those elements across multiple systems or system components and locations. Such actions will increase the adversary’s work factor to capture and exfiltrate the desired information and in so doing, increase the probability of detection. The fragmentation of information also impacts the organization’s ability to access the information in a timely manner. The extent of the fragmentation would likely be dictated by the sensitivity (and value) of the information, threat intelligence information received, and if data tainting is used (i.e., data tainting derived information about exfiltration of some information could result in the fragmentation of the remaining information).</p>
-         </part>
-      </control>
-   </group>
-   <group class="family" id="sr">
-      <title>Supply Chain Risk Management</title>
-      <control class="SP800-53" id="sr-1">
-         <title>Policy and Procedures</title>
-         <param id="sr-1_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <param id="sr-1_prm_2">
-            <select how-many="one or more">
-               <choice>organization-level</choice>
-               <choice>mission/business process-level</choice>
-               <choice>system-level</choice>
-            </select>
-         </param>
-         <param id="sr-1_prm_3">
-            <label>organization-defined official</label>
-         </param>
-         <param id="sr-1_prm_4">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sr-1_prm_5">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SR-1</prop>
-         <prop name="sort-id">SR-01</prop>
-         <link rel="reference" href="#12702585-0c72-43c9-9185-a76a59f74233">[SP 800-12]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#9183bd83-170e-4701-b32c-97e08ef8bedb">[SP 800-100]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-30">PM-30</link>
-         <link rel="related" href="#ps-8">PS-8</link>
-         <link rel="related" href="#si-12">SI-12</link>
-         <part name="statement" id="sr-1_smt">
-            <part name="item" id="sr-1_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop, document, and disseminate to <insert param-id="sr-1_prm_1"/>:</p>
-               <part name="item" id="sr-1_smt.a.1">
-                  <prop name="label">1.</prop>
-                  <p>
-                     <insert param-id="sr-1_prm_2"/> supply chain risk management policy that:</p>
-                  <part name="item" id="sr-1_smt.a.1.a">
-                     <prop name="label">(a)</prop>
-                     <p>Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p>
-                  </part>
-                  <part name="item" id="sr-1_smt.a.1.b">
-                     <prop name="label">(b)</prop>
-                     <p>Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p>
-                  </part>
-               </part>
-               <part name="item" id="sr-1_smt.a.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;</p>
-               </part>
-            </part>
-            <part name="item" id="sr-1_smt.b">
-               <prop name="label">b.</prop>
-               <p>Designate an <insert param-id="sr-1_prm_3"/> to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and</p>
-            </part>
-            <part name="item" id="sr-1_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the current supply chain risk management:</p>
-               <part name="item" id="sr-1_smt.c.1">
-                  <prop name="label">1.</prop>
-                  <p>Policy <insert param-id="sr-1_prm_4"/>; and</p>
-               </part>
-               <part name="item" id="sr-1_smt.c.2">
-                  <prop name="label">2.</prop>
-                  <p>Procedures <insert param-id="sr-1_prm_5"/>.</p>
-               </part>
-            </part>
-         </part>
-         <part name="guidance" id="sr-1_gdn">
-            <p>This control addresses policy and procedures for the controls in the SR family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures help provide security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or can be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Restating controls does not constitute an organizational policy or procedure.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sr-2">
-         <title>Supply Chain Risk Management Plan</title>
-         <param id="sr-2_prm_1">
-            <label>organization-defined systems, system components, or system services</label>
-         </param>
-         <param id="sr-2_prm_2">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SR-2</prop>
-         <prop name="sort-id">SR-02</prop>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#451e9636-402e-4c27-b3f5-e0e50f957f27">[SP 800-39]</link>
-         <link rel="reference" href="#8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">[SP 800-160 v1]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7b03adec-4405-4aac-94a0-6a9eb3f42e31">[IR 7622]</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#cp-4">CP-4</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-6">MA-6</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <link rel="related" href="#pl-2">PL-2</link>
-         <link rel="related" href="#pm-9">PM-9</link>
-         <link rel="related" href="#pm-30">PM-30</link>
-         <link rel="related" href="#ra-3">RA-3</link>
-         <link rel="related" href="#ra-7">RA-7</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <part name="statement" id="sr-2_smt">
-            <part name="item" id="sr-2_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of the following systems, system components or system services: <insert param-id="sr-2_prm_1"/>;</p>
-            </part>
-            <part name="item" id="sr-2_smt.b">
-               <prop name="label">b.</prop>
-               <p>Implement the supply chain risk management plan consistently across the organization; and</p>
-            </part>
-            <part name="item" id="sr-2_smt.c">
-               <prop name="label">c.</prop>
-               <p>Review and update the supply chain risk management plan <insert param-id="sr-2_prm_2"/> or as required, to address threat, organizational or environmental changes.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sr-2_gdn">
-            <p>The growing dependence on products, systems, and services from external providers, along with the nature of the relationships with those providers, present an increasing level of risk to an organization. Specific threat actions that may increase risk include the insertion or use of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the supply chain that can create security or privacy risks. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders. Supply chain risk management (SCRM) activities involve identifying and assessing risks, determining appropriate mitigating actions, developing SCRM plans to document selected mitigating actions, and monitoring performance against plans.
-Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a system is fit for purpose; and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations to focus their resources on the most critical missions and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy secure, privacy-protective,  and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sr-2.1">
-            <title>Establish Scrm Team</title>
-            <param id="sr-2.1_prm_1">
-               <label>organization-defined personnel, roles, and responsibilities</label>
-            </param>
-            <param id="sr-2.1_prm_2">
-               <label>organization-defined supply chain risk management activities</label>
-            </param>
-            <prop name="label">SR-2(1)</prop>
-            <prop name="sort-id">SR-02(01)</prop>
-            <part name="statement" id="sr-2.1_smt">
-               <p>Establish a supply chain risk management team consisting of <insert param-id="sr-2.1_prm_1"/> to lead and support the following SCRM activities: <insert param-id="sr-2.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sr-2.1_gdn">
-               <p>To implement supply chain risk management plans, organizations establish a coordinated team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, and other relevant functions. Members of the SCRM team are involved in the various aspects of the SDLC and collectively, have an awareness of, and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of a general organizational risk management team.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sr-3">
-         <title>Supply Chain Controls and Processes</title>
-         <param id="sr-3_prm_1">
-            <label>organization-defined system or system component</label>
-         </param>
-         <param id="sr-3_prm_2">
-            <label>organization-defined supply chain personnel</label>
-         </param>
-         <param id="sr-3_prm_3">
-            <label>organization-defined supply chain controls</label>
-         </param>
-         <param id="sr-3_prm_4">
-            <select>
-               <choice>security and privacy plans</choice>
-               <choice>supply chain risk management plan</choice>
-               <choice>
-                  <insert param-id="sr-3_prm_5"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sr-3_prm_5" depends-on="sr-3_prm_4">
-            <label>organization-defined document</label>
-         </param>
-         <prop name="label">SR-3</prop>
-         <prop name="sort-id">SR-03</prop>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7b03adec-4405-4aac-94a0-6a9eb3f42e31">[IR 7622]</link>
-         <link rel="related" href="#ca-2">CA-2</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-6">MA-6</link>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pe-16">PE-16</link>
-         <link rel="related" href="#pl-8">PL-8</link>
-         <link rel="related" href="#pm-30">PM-30</link>
-         <link rel="related" href="#sa-2">SA-2</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sc-7">SC-7</link>
-         <link rel="related" href="#sc-29">SC-29</link>
-         <link rel="related" href="#sc-30">SC-30</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="sr-3_smt">
-            <part name="item" id="sr-3_smt.a">
-               <prop name="label">a.</prop>
-               <p>Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert param-id="sr-3_prm_1"/> in coordination with <insert param-id="sr-3_prm_2"/>;</p>
-            </part>
-            <part name="item" id="sr-3_smt.b">
-               <prop name="label">b.</prop>
-               <p>Employ the following supply chain controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: <insert param-id="sr-3_prm_3"/>; and</p>
-            </part>
-            <part name="item" id="sr-3_smt.c">
-               <prop name="label">c.</prop>
-               <p>Document the selected and implemented supply chain processes and controls in <insert param-id="sr-3_prm_4"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sr-3_gdn">
-            <p>Supply chain elements include organizations, entities, or tools employed for the development, acquisition, delivery, maintenance, sustainment, or disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sr-3.1">
-            <title>Diverse Supply Base</title>
-            <param id="sr-3.1_prm_1">
-               <label>organization-defined system components and services</label>
-            </param>
-            <prop name="label">SR-3(1)</prop>
-            <prop name="sort-id">SR-03(01)</prop>
-            <part name="statement" id="sr-3.1_smt">
-               <p>Employ a diverse set of sources for the following system components and services:  <insert param-id="sr-3.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sr-3.1_gdn">
-               <p>Diversifying the supply of system, system components and services can reduce the probability that adversaries will successfully identify and target the supply chain, and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable; employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event. Organizations consider designing the system to include diversity of materials and components.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sr-3.2">
-            <title>Limitation of Harm</title>
-            <param id="sr-3.2_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">SR-3(2)</prop>
-            <prop name="sort-id">SR-03(02)</prop>
-            <part name="statement" id="sr-3.2_smt">
-               <p>Employ the following supply chain controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: <insert param-id="sr-3.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sr-3.2_gdn">
-               <p>Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations; employing approved vendor lists with standing reputations in industry; following pre-agreed maintenance schedules and update and patch delivery mechanisms; maintaining a contingency plan in case of a supply chain event, and using procurement carve outs that provide exclusions to commitments or obligations, using diverse delivery routes; and minimizing the time between purchase decisions and delivery.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sr-4">
-         <title>Provenance</title>
-         <param id="sr-4_prm_1">
-            <label>organization-defined systems, system components, and associated data</label>
-         </param>
-         <prop name="label">SR-4</prop>
-         <prop name="sort-id">SR-04</prop>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7b03adec-4405-4aac-94a0-6a9eb3f42e31">[IR 7622]</link>
-         <link rel="related" href="#cm-8">CM-8</link>
-         <link rel="related" href="#ma-2">MA-2</link>
-         <link rel="related" href="#ma-6">MA-6</link>
-         <link rel="related" href="#ra-9">RA-9</link>
-         <part name="statement" id="sr-4_smt">
-            <p>Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: <insert param-id="sr-4_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sr-4_gdn">
-            <p>Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see SR-1) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations consider developing methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. Such actions help track, assess, and document changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sr-4.1">
-            <title>Identity</title>
-            <param id="sr-4.1_prm_1">
-               <label>organization-defined supply chain elements, processes, and personnel associated with organization-defined systems and critical system components</label>
-            </param>
-            <prop name="label">SR-4(1)</prop>
-            <prop name="sort-id">SR-04(01)</prop>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <part name="statement" id="sr-4.1_smt">
-               <p>Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: <insert param-id="sr-4.1_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sr-4.1_gdn">
-               <p>Knowing who and what is in the supply chains of organizations is critical to gaining visibility into supply chain activities. Visibility into supply chain activities is also important for monitoring and identifying high-risk events and activities. Without reasonable visibility into supply chains elements, processes, and personnel, it is very difficult for organizations to understand and manage risk, and ultimately reduce the susceptibility to adverse events. Supply chain elements include organizations, entities, or tools used for the development, acquisition, delivery, maintenance and disposal of systems and system components. Supply chain processes include development processes for hardware, software, and firmware; shipping and handling procedures; configuration management tools, techniques, and measures to maintain provenance; personnel and physical security programs; or other programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain personnel are individuals with specific roles and responsibilities related to the secure development, delivery, maintenance, and disposal of a system or system component. Identification methods are sufficient to support an investigation in case of a supply chain change (e.g. if a supply company is purchased), compromise, or event.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sr-4.2">
-            <title>Track and Trace</title>
-            <param id="sr-4.2_prm_1">
-               <label>organization-defined systems and critical system components</label>
-            </param>
-            <prop name="label">SR-4(2)</prop>
-            <prop name="sort-id">SR-04(02)</prop>
-            <link rel="related" href="#ia-2">IA-2</link>
-            <link rel="related" href="#ia-8">IA-8</link>
-            <link rel="related" href="#pe-16">PE-16</link>
-            <link rel="related" href="#pl-2">PL-2</link>
-            <part name="statement" id="sr-4.2_smt">
-               <p>Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: <insert param-id="sr-4.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sr-4.2_gdn">
-               <p>Tracking the unique identification of systems and system components during development and transport activities provides a foundational identity structure for the establishment and maintenance of provenance. For example, system components may be labeled using serial numbers or tagged using radio-frequency identification tags. Labels and tags can help provide better visibility into the provenance of a system or system component. A system or system component may have more than one unique identifier. Identification methods are sufficient to support a forensic investigation after a supply chain compromise or event.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sr-4.3">
-            <title>Validate as Genuine and Not Altered</title>
-            <param id="sr-4.3_prm_1">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">SR-4(3)</prop>
-            <prop name="sort-id">SR-04(03)</prop>
-            <link rel="related" href="#at-3">AT-3</link>
-            <link rel="related" href="#sr-9">SR-9</link>
-            <link rel="related" href="#sr-10">SR-10</link>
-            <link rel="related" href="#sr-11">SR-11</link>
-            <part name="statement" id="sr-4.3_smt">
-               <p>Employ the following controls to validate that the system or system component received is genuine and has not been altered: <insert param-id="sr-4.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sr-4.3_gdn">
-               <p>For many systems and system components, especially hardware, there are technical means to determine if the items are genuine or have been altered, including optical and nanotechnology tagging; physically unclonable functions; side-channel analysis; cryptographic hash verifications or digital signatures; and visible anti-tamper labels or stickers. Controls can also include monitoring for out of specification performance, which can be an indicator of tampering or counterfeits. Organizations may leverage supplier and contractor processes for validating that a system or component is genuine and has not been altered, and for replacing a suspect system or component. Some indications of tampering may be visible and addressable before accepting delivery, including inconsistent packaging, broken seals, and incorrect labels. When a system or system component is suspected of being altered or counterfeit, the supplier, contractor, or original equipment manufacturer may be able to replace the item or provide a forensic capability to determine the origin of the counterfeit or altered item. Organizations can provide training to personnel on how to identify suspicious system or component deliveries.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sr-5">
-         <title>Acquisition Strategies, Tools, and Methods</title>
-         <param id="sr-5_prm_1">
-            <label>organization-defined acquisition strategies, contract tools, and procurement methods</label>
-         </param>
-         <prop name="label">SR-5</prop>
-         <prop name="sort-id">SR-05</prop>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7b03adec-4405-4aac-94a0-6a9eb3f42e31">[IR 7622]</link>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#sa-2">SA-2</link>
-         <link rel="related" href="#sa-3">SA-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#sa-5">SA-5</link>
-         <link rel="related" href="#sa-8">SA-8</link>
-         <link rel="related" href="#sa-9">SA-9</link>
-         <link rel="related" href="#sa-10">SA-10</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#sr-6">SR-6</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <link rel="related" href="#sr-10">SR-10</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="sr-5_smt">
-            <p>Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: <insert param-id="sr-5_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sr-5_gdn">
-            <p>The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component; using blind or filtered buys; requiring tamper-evident packaging; or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls; promote transparency into their processes and security and privacy practices; provide contract language that addresses the prohibition of tainted or counterfeit components; and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sr-5.1">
-            <title>Adequate Supply</title>
-            <param id="sr-5.1_prm_1">
-               <label>organization-defined critical system components</label>
-            </param>
-            <param id="sr-5.1_prm_2">
-               <label>organization-defined controls</label>
-            </param>
-            <prop name="label">SR-5(1)</prop>
-            <prop name="sort-id">SR-05(01)</prop>
-            <part name="statement" id="sr-5.1_smt">
-               <p>Employ the following controls to ensure an adequate supply of <insert param-id="sr-5.1_prm_1"/>: <insert param-id="sr-5.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sr-5.1_gdn">
-               <p>Adversaries can attempt to impede organizational operations by disrupting the supply of critical system components or corrupting supplier operations. Organizations may track systems and component mean time to failure to mitigate the loss of temporary or permanent system function. Controls to ensure that adequate supplies of critical system components include the use of multiple suppliers throughout the supply chain for the identified critical components; stockpiling spare components to ensure operation during mission-critical times, and the identification of functionally-identical or similar components that may be used, if necessary.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sr-5.2">
-            <title>Assessments Prior to Selection, Acceptance, Modification, or Update</title>
-            <prop name="label">SR-5(2)</prop>
-            <prop name="sort-id">SR-05(02)</prop>
-            <link rel="related" href="#ca-8">CA-8</link>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <link rel="related" href="#sa-11">SA-11</link>
-            <link rel="related" href="#si-7">SI-7</link>
-            <link rel="related" href="#sr-9">SR-9</link>
-            <part name="statement" id="sr-5.2_smt">
-               <p>Assess the system, system component, or system service prior to selection, acceptance, modification, or update.</p>
-            </part>
-            <part name="guidance" id="sr-5.2_gdn">
-               <p>Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see SR-6(1)). Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and to inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sr-6">
-         <title>Supplier Reviews</title>
-         <param id="sr-6_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <prop name="label">SR-6</prop>
-         <prop name="sort-id">SR-06</prop>
-         <link rel="reference" href="#aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">[FIPS 140-3]</link>
-         <link rel="reference" href="#d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd">[FIPS 180-4]</link>
-         <link rel="reference" href="#0b9fe06d-1b89-4dba-b9f8-3baf51504b17">[FIPS 186-4]</link>
-         <link rel="reference" href="#11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">[FIPS 202]</link>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7b03adec-4405-4aac-94a0-6a9eb3f42e31">[IR 7622]</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <part name="statement" id="sr-6_smt">
-            <p>Review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide <insert param-id="sr-6_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sr-6_gdn">
-            <p>A review of supplier risk includes security processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess any subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate to share review results with other organizations in accordance with any applicable inter-organizational agreements or contracts.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sr-6.1">
-            <title>Penetration Testing and Analysis</title>
-            <param id="sr-6.1_prm_1">
-               <select how-many="one or more">
-                  <choice>organizational analysis</choice>
-                  <choice>independent third-party analysis</choice>
-                  <choice>organizational penetration testing</choice>
-                  <choice>independent third-party penetration testing</choice>
-               </select>
-            </param>
-            <param id="sr-6.1_prm_2">
-               <label>organization-defined supply chain elements, processes, and actors</label>
-            </param>
-            <prop name="label">SR-6(1)</prop>
-            <prop name="sort-id">SR-06(01)</prop>
-            <link rel="related" href="#ca-8">CA-8</link>
-            <part name="statement" id="sr-6.1_smt">
-               <p>Employ <insert param-id="sr-6.1_prm_1"/> of the following supply chain elements, processes, and actors associated with the system, system component, or system service: <insert param-id="sr-6.1_prm_2"/>.</p>
-            </part>
-            <part name="guidance" id="sr-6.1_gdn">
-               <p>Penetration testing and analysis addresses the analysis or testing of the supply chain. Relationships between entities and procedures within the supply chain, including development and delivery, are considered. Supply chain elements include organizations, entities, or tools use for the development, acquisition, deliver, maintenance and disposal of systems, system components, or system services. Supply chain processes include personnel and physical security programs; hardware, software, and firmware development processes; configuration management tools, techniques, and measures to maintain provenance; shipping and handling procedures; and programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated and collected during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sr-7">
-         <title>Supply Chain Operations Security</title>
-         <param id="sr-7_prm_1">
-            <label>organization-defined Operations Security (OPSEC) controls</label>
-         </param>
-         <prop name="label">SR-7</prop>
-         <prop name="sort-id">SR-07</prop>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7b03adec-4405-4aac-94a0-6a9eb3f42e31">[IR 7622]</link>
-         <link rel="related" href="#sc-38">SC-38</link>
-         <part name="statement" id="sr-7_smt">
-            <p>Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: <insert param-id="sr-7_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sr-7_gdn">
-            <p>Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information; analyzing friendly actions related to operations and other activities to identify those actions that can be observed by potential adversaries; determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations; implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and thus risk to an acceptable level; and finally, considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use, or users of systems, system components, or system services.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sr-8">
-         <title>Notification Agreements</title>
-         <param id="sr-8_prm_1">
-            <select how-many="one or more">
-               <choice>notification of supply chain compromises</choice>
-               <choice>results of assessments or audits</choice>
-               <choice>
-                  <insert param-id="sr-8_prm_2"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sr-8_prm_2" depends-on="sr-8_prm_1">
-            <label>organization-defined information</label>
-         </param>
-         <prop name="label">SR-8</prop>
-         <prop name="sort-id">SR-08</prop>
-         <link rel="reference" href="#1d9f757b-00d5-4db1-b15b-0ad641c6df7c">[SP 800-30]</link>
-         <link rel="reference" href="#66476e76-46b4-47fb-be19-d13e6f3840df">[SP 800-161]</link>
-         <link rel="reference" href="#7b03adec-4405-4aac-94a0-6a9eb3f42e31">[IR 7622]</link>
-         <link rel="related" href="#ir-4">IR-4</link>
-         <link rel="related" href="#ir-6">IR-6</link>
-         <link rel="related" href="#ir-8">IR-8</link>
-         <part name="statement" id="sr-8_smt">
-            <p>Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the <insert param-id="sr-8_prm_1"/>.</p>
-         </part>
-         <part name="guidance" id="sr-8_gdn">
-            <p>The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components, is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sr-9">
-         <title>Tamper Resistance and Detection</title>
-         <prop name="label">SR-9</prop>
-         <prop name="sort-id">SR-09</prop>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#pm-30">PM-30</link>
-         <link rel="related" href="#sa-15">SA-15</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-10">SR-10</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="sr-9_smt">
-            <p>Implement a tamper protection program for the system, system component, or system service.</p>
-         </part>
-         <part name="guidance" id="sr-9_gdn">
-            <p>Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sr-9.1">
-            <title>Multiple Stages of System Development Life Cycle</title>
-            <prop name="label">SR-9(1)</prop>
-            <prop name="sort-id">SR-09(01)</prop>
-            <link rel="related" href="#sa-3">SA-3</link>
-            <part name="statement" id="sr-9.1_smt">
-               <p>Employ anti-tamper technologies, tools, and techniques during multiple stages in the system development life cycle, including design, development, integration, operations, and maintenance.</p>
-            </part>
-            <part name="guidance" id="sr-9.1_gdn">
-               <p>Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage.</p>
-            </part>
-         </control>
-      </control>
-      <control class="SP800-53" id="sr-10">
-         <title>Inspection of Systems or Components</title>
-         <param id="sr-10_prm_1">
-            <select how-many="one or more">
-               <choice>at random</choice>
-               <choice>at <insert param-id="sr-10_prm_2"/>, upon <insert param-id="sr-10_prm_3"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sr-10_prm_2" depends-on="sr-10_prm_1">
-            <label>organization-defined frequency</label>
-         </param>
-         <param id="sr-10_prm_3" depends-on="sr-10_prm_1">
-            <label>organization-defined indications of need for inspection</label>
-         </param>
-         <param id="sr-10_prm_4">
-            <label>organization-defined systems or system components</label>
-         </param>
-         <prop name="label">SR-10</prop>
-         <prop name="sort-id">SR-10</prop>
-         <link rel="related" href="#at-3">AT-3</link>
-         <link rel="related" href="#pm-30">PM-30</link>
-         <link rel="related" href="#si-4">SI-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#sr-3">SR-3</link>
-         <link rel="related" href="#sr-4">SR-4</link>
-         <link rel="related" href="#sr-5">SR-5</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <link rel="related" href="#sr-11">SR-11</link>
-         <part name="statement" id="sr-10_smt">
-            <p>Inspect the following systems or system components <insert param-id="sr-10_prm_1"/> to detect tampering: <insert param-id="sr-10_prm_4"/>.</p>
-         </part>
-         <part name="guidance" id="sr-10_gdn">
-            <p>Inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components taken out of organization-controlled areas. Indications of a need for inspection include when individuals return from travel to high-risk locations.</p>
-         </part>
-      </control>
-      <control class="SP800-53" id="sr-11">
-         <title>Component Authenticity</title>
-         <param id="sr-11_prm_1">
-            <select how-many="one or more">
-               <choice>source of counterfeit component</choice>
-               <choice>
-                  <insert param-id="sr-11_prm_2"/>
-               </choice>
-               <choice>
-                  <insert param-id="sr-11_prm_3"/>
-               </choice>
-            </select>
-         </param>
-         <param id="sr-11_prm_2" depends-on="sr-11_prm_1">
-            <label>organization-defined external reporting organizations</label>
-         </param>
-         <param id="sr-11_prm_3" depends-on="sr-11_prm_1">
-            <label>organization-defined personnel or roles</label>
-         </param>
-         <prop name="label">SR-11</prop>
-         <prop name="sort-id">SR-11</prop>
-         <link rel="related" href="#pe-3">PE-3</link>
-         <link rel="related" href="#sa-4">SA-4</link>
-         <link rel="related" href="#si-7">SI-7</link>
-         <link rel="related" href="#sr-9">SR-9</link>
-         <link rel="related" href="#sr-10">SR-10</link>
-         <part name="statement" id="sr-11_smt">
-            <part name="item" id="sr-11_smt.a">
-               <prop name="label">a.</prop>
-               <p>Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and</p>
-            </part>
-            <part name="item" id="sr-11_smt.b">
-               <prop name="label">b.</prop>
-               <p>Report counterfeit system components to <insert param-id="sr-11_prm_1"/>.</p>
-            </part>
-         </part>
-         <part name="guidance" id="sr-11_gdn">
-            <p>Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.</p>
-         </part>
-         <control class="SP800-53-enhancement" id="sr-11.1">
-            <title>Anti-counterfeit Training</title>
-            <param id="sr-11.1_prm_1">
-               <label>organization-defined personnel or roles</label>
-            </param>
-            <prop name="label">SR-11(1)</prop>
-            <prop name="sort-id">SR-11(01)</prop>
-            <link rel="related" href="#at-3">AT-3</link>
-            <part name="statement" id="sr-11.1_smt">
-               <p>Train <insert param-id="sr-11.1_prm_1"/> to detect counterfeit system components (including hardware, software, and firmware).</p>
-            </part>
-            <part name="guidance" id="sr-11.1_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sr-11.2">
-            <title>Configuration Control for Component Service and Repair</title>
-            <param id="sr-11.2_prm_1">
-               <label>organization-defined system components</label>
-            </param>
-            <prop name="label">SR-11(2)</prop>
-            <prop name="sort-id">SR-11(02)</prop>
-            <link rel="related" href="#cm-3">CM-3</link>
-            <link rel="related" href="#ma-2">MA-2</link>
-            <link rel="related" href="#ma-4">MA-4</link>
-            <link rel="related" href="#sa-10">SA-10</link>
-            <part name="statement" id="sr-11.2_smt">
-               <p>Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: <insert param-id="sr-11.2_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sr-11.2_gdn">
-               <p>None.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sr-11.3">
-            <title>Component Disposal</title>
-            <param id="sr-11.3_prm_1">
-               <label>organization-defined techniques and methods</label>
-            </param>
-            <prop name="label">SR-11(3)</prop>
-            <prop name="sort-id">SR-11(03)</prop>
-            <link rel="related" href="#mp-6">MP-6</link>
-            <part name="statement" id="sr-11.3_smt">
-               <p>Dispose of system components using the following techniques and methods: <insert param-id="sr-11.3_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sr-11.3_gdn">
-               <p>Proper disposal of system components helps to prevent such components from entering the gray market.</p>
-            </part>
-         </control>
-         <control class="SP800-53-enhancement" id="sr-11.4">
-            <title>Anti-counterfeit Scanning</title>
-            <param id="sr-11.4_prm_1">
-               <label>organization-defined frequency</label>
-            </param>
-            <prop name="label">SR-11(4)</prop>
-            <prop name="sort-id">SR-11(04)</prop>
-            <link rel="related" href="#ra-5">RA-5</link>
-            <part name="statement" id="sr-11.4_smt">
-               <p>Scan for counterfeit system components <insert param-id="sr-11.4_prm_1"/>.</p>
-            </part>
-            <part name="guidance" id="sr-11.4_gdn">
-               <p>The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application).</p>
-            </part>
-         </control>
-      </control>
-   </group>
-   <back-matter>
-      <resource uuid="c31c3c89-792c-4d07-b0af-2cf253e96921">
-         <title>[ATOM54]</title>
-         <citation>
-            <text>Atomic Energy Act (P.L. 107), August 1954.</text>
-         </citation>
-         <rlink href="https://www.govinfo.gov/content/pkg/STATUTE-68/pdf/STATUTE-68-Pg919.pdf"/>
-      </resource>
-      <resource uuid="a7dfa526-b81f-41d7-9875-c8b0faafe74b">
-         <title>[PRIVACT]</title>
-         <citation>
-            <text>Privacy Act (P.L. 93-579), December 1974.</text>
-         </citation>
-         <rlink href="https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf"/>
-      </resource>
-      <resource uuid="79dd7845-9b53-490e-8e9b-e01218aebb20">
-         <title>[CMPPA]</title>
-         <citation>
-            <text>Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503), October 1988.</text>
-         </citation>
-         <rlink href="https://www.govinfo.gov/content/pkg/STATUTE-102/pdf/STATUTE-102-Pg2507.pdf"/>
-      </resource>
-      <resource uuid="bc2bf069-c3a5-48a4-a274-684d997be0c2">
-         <title>[EGOV]</title>
-         <citation>
-            <text>E-Government Act [includes FISMA] (P.L. 107-347), December 2002.</text>
-         </citation>
-         <rlink href="https://www.congress.gov/107/plaws/publ347/PLAW-107publ347.pdf"/>
-      </resource>
-      <resource uuid="43facb7b-0afb-480f-8191-34790d5b444b">
-         <title>[EVIDACT]</title>
-         <citation>
-            <text>Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019.</text>
-         </citation>
-         <rlink href="https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf"/>
-      </resource>
-      <resource uuid="52a62e17-382f-4429-8820-0211c884ad41">
-         <title>[FOIA96]</title>
-         <citation>
-            <text>Freedom of Information Act (FOIA), 5 U.S.C. § 552, As Amended By Public Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996.</text>
-         </citation>
-         <rlink href="https://www.govinfo.gov/content/pkg/PLAW-104publ231/pdf/PLAW-104publ231.pdf"/>
-      </resource>
-      <resource uuid="7e0c8220-9cd1-442e-8c20-bb2f24324301">
-         <title>[USA PATRIOT]</title>
-         <citation>
-            <text>USA Patriot Act (P.L. 107-56), October 2001.</text>
-         </citation>
-         <rlink href="https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf"/>
-      </resource>
-      <resource uuid="52a8b0c6-0c6b-424b-928d-41c50ba87838">
-         <title>[EO 13526]</title>
-         <citation>
-            <text>Executive Order 13526, <em>Classified National Security Information</em>, December 2009.</text>
-         </citation>
-         <rlink href="https://www.archives.gov/isoo/policy-documents/cnsi-eo.html"/>
-      </resource>
-      <resource uuid="8d8ad86b-fc8a-49e1-a641-aaa29cb0fd5f">
-         <title>[EO 13556]</title>
-         <citation>
-            <text>Executive Order 13556, <em>Controlled Unclassified Information</em>, November 2010.</text>
-         </citation>
-         <rlink href="https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information"/>
-      </resource>
-      <resource uuid="14958422-54f6-471f-a345-802dca594dd8">
-         <title>[FISMA]</title>
-         <citation>
-            <text>Federal Information Security Modernization Act (P.L. 113-283), December 2014.</text>
-         </citation>
-         <rlink href="https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf"/>
-      </resource>
-      <resource uuid="2b5e12fb-633f-49e6-8aff-81d75bf53545">
-         <title>[EO 13587]</title>
-         <citation>
-            <text>Executive Order 13587, <em>Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information</em>, October 2011.</text>
-         </citation>
-         <rlink href="https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net"/>
-      </resource>
-      <resource uuid="8d594f57-d2da-4677-92d0-31fbafc3b871">
-         <title>[EO 13636]</title>
-         <citation>
-            <text>Executive Order 13636, <em>Improving Critical Infrastructure Cybersecurity</em>, February 2013.</text>
-         </citation>
-         <rlink href="https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity"/>
-      </resource>
-      <resource uuid="c1235ba8-5785-48e5-ba25-6c365dcc72a8">
-         <title>[EO 13800]</title>
-         <citation>
-            <text>Executive Order 13800, <em>Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure</em>, May 2017.</text>
-         </citation>
-         <rlink href="https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure"/>
-      </resource>
-      <resource uuid="a0b98ab4-73e0-4c24-a3ad-18e4ea1f5d3c">
-         <title>[USC 552]</title>
-         <citation>
-            <text>United States Code, 2006 Edition, Supplement 4, Title 5 - <em>Government Organization and Employees</em>, January 2011.</text>
-         </citation>
-         <rlink href="https://www.govinfo.gov/content/pkg/USCODE-2010-title5/pdf/USCODE-2010-title5-partI-chap5-subchapII-sec552a.pdf"/>
-      </resource>
-      <resource uuid="cde25174-38e0-4a00-8919-8ee3674b8088">
-         <title>[HSPD 7]</title>
-         <citation>
-            <text>Homeland Security Presidential Directive 7, <em>Critical Infrastructure Identification, Prioritization, and Protection</em>, December 2003.</text>
-         </citation>
-         <rlink href="https://www.dhs.gov/homeland-security-presidential-directive-7"/>
-      </resource>
-      <resource uuid="91e04021-c3d6-4ff2-b707-53bfde32ac69">
-         <title>[HSPD 12]</title>
-         <citation>
-            <text>Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004.</text>
-         </citation>
-         <rlink href="https://www.dhs.gov/homeland-security-presidential-directive-12"/>
-      </resource>
-      <resource uuid="0d8c0f0f-6b34-4c67-b555-2aeb093459e5">
-         <title>[NITP12]</title>
-         <citation>
-            <text>Presidential Memorandum for the Heads of Executive Departments and Agencies, <em>National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs</em>, November 2012.</text>
-         </citation>
-         <rlink href="https://obamawhitehouse.archives.gov/the-press-office/2012/11/21/presidential-memorandum-national-insider-threat-policy-and-minimum-stand"/>
-      </resource>
-      <resource uuid="2383ccfd-d8a0-4e3a-bf40-21288ae1e07a">
-         <title>[5 CFR 731]</title>
-         <citation>
-            <text>Code of Federal Regulations, Title 5, <em>Administrative Personnel</em>, Section 731.106, <em>Designation of Public Trust Positions and Investigative Requirements</em>(5 C.F.R. 731.106).</text>
-         </citation>
-         <rlink href="https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf"/>
-      </resource>
-      <resource uuid="742b7c0e-218e-4fca-9c3d-5f264bbaf2bc">
-         <title>[32 CFR 2002]</title>
-         <citation>
-            <text>Code of Federal Regulations, Title 32, <em>Controlled Unclassified Information</em>(32 C.F.R 2002).</text>
-         </citation>
-         <rlink href="https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information"/>
-      </resource>
-      <resource uuid="286d42a1-efbe-49a2-9ce1-4c9bf68feb3b">
-         <title>[ODNI NITP]</title>
-         <citation>
-            <text>Office of the Director National Intelligence, <em>National Insider Threat Policy</em>
-            </text>
-         </citation>
-         <rlink href="https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf"/>
-      </resource>
-      <resource uuid="395f6bb9-bcc2-41fc-977f-04372f4a6a82">
-         <title>[OMB A-108]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum Circular A-108, <em>Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act</em>, December 2016. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf"/>
-      </resource>
-      <resource uuid="a646d45d-775f-4887-86d3-5a00ffbc4090">
-         <title>[OMB A-130]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum Circular A-130, <em>Managing Information as a Strategic Resource</em>, July 2016.</text>
-         </citation>
-         <rlink href="https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf"/>
-      </resource>
-      <resource uuid="36f101d0-0efd-4169-8d62-25a2ef414a1d">
-         <title>[OMB M-08-05]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum M-08-05, <em>Implementation of Trusted Internet Connections (TIC)</em>, November 2007. <em/>
-            </text>
-         </citation>
-         <rlink href="https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-05.pdf"/>
-      </resource>
-      <resource uuid="f7d3617a-9a4f-4f1a-a688-845081b70390">
-         <title>[OMB M-17-06]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum M-17-06, <em>Policies for Federal Agency Public Websites and Digital Services</em>, November 2016. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf"/>
-      </resource>
-      <resource uuid="389fe193-866e-46b1-bf1d-38904b56aa7b">
-         <title>[OMB M-17-12]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum M-17-12, <em>Preparing for and Responding to a Breach of Personally Identifiable Information</em>, January 2017. <em/>
-            </text>
-         </citation>
-         <rlink href="https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf"/>
-      </resource>
-      <resource uuid="ed5c66ba-0ed8-4aef-abb7-dc9f529d9af3">
-         <title>[OMB M-17-25]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum M-17-25, <em>Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure</em>, May 2017. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf"/>
-      </resource>
-      <resource uuid="9f4f8352-c956-4a27-b3ee-5549de5b72ef">
-         <title>[OMB M-19-03]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum M-19-03, <em>Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program</em>, December 2018.</text>
-         </citation>
-         <rlink href="https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf"/>
-      </resource>
-      <resource uuid="18d2b055-e41d-41f9-9ece-cc5a2082a6fc">
-         <title>[OMB M-19-15]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum M-19-15, <em>Improving Implementation of the Information Quality Act</em>, April 2019.</text>
-         </citation>
-         <rlink href="https://www.whitehouse.gov/wp-content/uploads/2019/04/M-19-15.pdf"/>
-      </resource>
-      <resource uuid="d843e915-eeb6-4bbe-8cab-ccc802088703">
-         <title>[OMB M-19-23]</title>
-         <citation>
-            <text>Office of Management and Budget Memorandum M-19-23, <em>Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance</em>, July 2019. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf"/>
-      </resource>
-      <resource uuid="2ef80c00-f8d2-4087-b5b6-9ecee8e48036">
-         <title>[CNSSD 505]</title>
-         <citation>
-            <text>Committee on National Security Systems Directive No. 505, <em>Supply Chain Risk Management (SCRM)</em>, August 2017.</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/CNSS/issuances/Directives.cfm"/>
-      </resource>
-      <resource uuid="12fdc214-8062-4c3a-affd-dcc60f8d4150">
-         <title>[CNSSP 22]</title>
-         <citation>
-            <text>Committee on National Security Systems Policy No. 22, <em>Cybersecurity Risk Management Policy</em>, August 2016.</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/CNSS/issuances/Policies.cfm"/>
-      </resource>
-      <resource uuid="ee96f130-3f91-46ed-a4d8-57e5f220a623">
-         <title>[CNSSI 1253]</title>
-         <citation>
-            <text>Committee on National Security Systems Instruction No. 1253, <em>Security Categorization and Control Selection for National Security Systems</em>, March 2014.</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/CNSS/issuances/Instructions.cfm"/>
-      </resource>
-      <resource uuid="df9c61f7-8b1a-48fb-a0f3-b28364d40f37">
-         <title>[CNSSI 4009]</title>
-         <citation>
-            <text>Committee on National Security Systems Instruction No. 4009, <em>Committee on National Security Systems (CNSS) Glossary</em>, April 2015.</text>
-         </citation>
-         <rlink href="https://www.cnss.gov/CNSS/issuances/Instructions.cfm"/>
-      </resource>
-      <resource uuid="e1dbe16d-db1e-4116-9d03-c02b66ab6f44">
-         <title>[DODI 8510.01]</title>
-         <citation>
-            <text>Department of Defense Instruction 8510.01, <em>Risk Management Framework (RMF) for DoD Information Technology (IT)</em>, March 2014.</text>
-         </citation>
-         <rlink href="https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf"/>
-      </resource>
-      <resource uuid="24b7b1ec-6430-41de-9353-29fdb1b488fc">
-         <title>[DHS NIPP]</title>
-         <citation>
-            <text>Department of Homeland Security, <em>National Infrastructure Protection Plan (NIPP)</em>, 2009.</text>
-         </citation>
-         <rlink href="https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf"/>
-      </resource>
-      <resource uuid="20855583-232a-4d83-a9f6-c1079a9e4521">
-         <title>[ISO 15026-1]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15026-1:2013, <em>Systems and software engineering -- Systems and software assurance -- Part 1: Concepts and vocabulary</em>, November 2013.</text>
-         </citation>
-         <rlink href="https://www.iso.org/standard/62526.html"/>
-      </resource>
-      <resource uuid="6ddb507b-6ddb-4e15-a8d4-0854e704446e">
-         <title>[ISO 15408-1]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, <em>Information technology—Security techniques— Evaluation criteria for IT security—Part 1: Introduction and general model</em>, April 2017. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf"/>
-      </resource>
-      <resource uuid="18abb755-c10f-407d-b0ef-4f99e5ec4a49">
-         <title>[ISO 15408-2]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, <em>Information technology—Security techniques— Evaluation criteria for IT security—Part 2: Security functional requirements</em>, April 2017. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf"/>
-      </resource>
-      <resource uuid="2ce3a8bf-7f8b-4249-bd16-808231415b14">
-         <title>[ISO 15408-3]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, <em>Information technology—Security techniques— Evaluation criteria for IT security—Part 3: Security assurance requirements</em>, April 2017. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf"/>
-      </resource>
-      <resource uuid="735d5420-a7a8-4f80-a657-8a8b579b816e">
-         <title>[ISO 15288]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15288:2015, <em>Systems and software engineering—Systems life cycle processes</em>, May 2015.</text>
-         </citation>
-         <rlink href="https://www.iso.org/standard/63711.html"/>
-      </resource>
-      <resource uuid="55e4488b-cc3e-4543-81d9-174e53684a46">
-         <title>[ISO 25237]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission 25237:2017, <em>Health informatics</em>
-               <em>—Pseudonymization</em>, January 2017. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.iso.org/standard/63553.html"/>
-      </resource>
-      <resource uuid="9db406e5-7b96-434a-b516-a4fcf861978a">
-         <title>[ISO 28001]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission 28001:2007, <em>Security management systems for the supply chain</em>
-               <em>—Best practices for implementing supply chain security, assessments and plans—Requirements and guidance</em>, October 2007. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.iso.org/standard/45654.html"/>
-      </resource>
-      <resource uuid="2a85a00e-25f9-4018-8730-7d877adda309">
-         <title>[ISO 29100]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission 29100:2011, <em>Information technology</em>
-               <em>—Security techniques—Privacy framework</em>, December 2011. <em/>
-            </text>
-         </citation>
-         <rlink href="https://www.iso.org/standard/45123.html"/>
-      </resource>
-      <resource uuid="e2de21ad-c8cc-48ed-8d4f-2db3ab0a8f28">
-         <title>[ISO 29148]</title>
-         <citation>
-            <text>International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2011, <em>Systems and software engineering—Life cycle processes—Requirements engineering</em>, December 2011.</text>
-         </citation>
-         <rlink href="https://www.iso.org/standard/45171.html"/>
-      </resource>
-      <resource uuid="aa1e8ce8-7a76-4b90-ae82-4f6f374eb96b">
-         <title>[FIPS 140-3]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.FIPS.140-3"/>
-      </resource>
-      <resource uuid="d96f75ec-a4a4-417c-92f6-8f0ea23c8fcd">
-         <title>[FIPS 180-4]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.FIPS.180-4"/>
-      </resource>
-      <resource uuid="0b9fe06d-1b89-4dba-b9f8-3baf51504b17">
-         <title>[FIPS 186-4]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.FIPS.186-4"/>
-      </resource>
-      <resource uuid="bbc7085f-b383-444e-af74-722a55cccc0f">
-         <title>[FIPS 197]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.FIPS.197"/>
-      </resource>
-      <resource uuid="b3e26423-0687-47c7-ba9a-a96870d58a27">
-         <title>[FIPS 199]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.FIPS.199"/>
-      </resource>
-      <resource uuid="f2163084-3287-45e2-9ee7-95f020415495">
-         <title>[FIPS 200]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.FIPS.200"/>
-      </resource>
-      <resource uuid="ab414c48-b7a2-4ffe-b74d-4d8b8120adce">
-         <title>[FIPS 201-2]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.FIPS.201-2"/>
-      </resource>
-      <resource uuid="11b9fa15-bc4e-4669-ab65-a2bf74daa9fa">
-         <title>[FIPS 202]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.FIPS.202"/>
-      </resource>
-      <resource uuid="12702585-0c72-43c9-9185-a76a59f74233">
-         <title>[SP 800-12]</title>
-         <citation>
-            <text>Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-12r1"/>
-      </resource>
-      <resource uuid="ae962073-f9bb-4210-b1ad-53ef6f6afad6">
-         <title>[SP 800-18]</title>
-         <citation>
-            <text>Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-18r1"/>
-      </resource>
-      <resource uuid="8e334d74-fc06-47a9-bbb1-804fdfae0e44">
-         <title>[SP 800-28]</title>
-         <citation>
-            <text>Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-28ver2"/>
-      </resource>
-      <resource uuid="1d9f757b-00d5-4db1-b15b-0ad641c6df7c">
-         <title>[SP 800-30]</title>
-         <citation>
-            <text>Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-30r1"/>
-      </resource>
-      <resource uuid="b7140427-d4c4-467a-97a1-5ca9f7c6584a">
-         <title>[SP 800-32]</title>
-         <citation>
-            <text>Kuhn R, Hu VC, Polk T, Chang S-jH (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-32"/>
-      </resource>
-      <resource uuid="65774382-fcc6-4bbc-89fc-9d35aab19952">
-         <title>[SP 800-34]</title>
-         <citation>
-            <text>Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-34r1"/>
-      </resource>
-      <resource uuid="ed919d0d-8e21-4df6-801d-3fbc4cb8a505">
-         <title>[SP 800-35]</title>
-         <citation>
-            <text>Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-35"/>
-      </resource>
-      <resource uuid="e07d73ea-96b9-4330-aff2-e0215f455343">
-         <title>[SP 800-37]</title>
-         <citation>
-            <text>Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-37r2"/>
-      </resource>
-      <resource uuid="451e9636-402e-4c27-b3f5-e0e50f957f27">
-         <title>[SP 800-39]</title>
-         <citation>
-            <text>Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-39"/>
-      </resource>
-      <resource uuid="1126ec09-2b27-4a21-80b2-fef70b31c49d">
-         <title>[SP 800-40]</title>
-         <citation>
-            <text>Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-40r3"/>
-      </resource>
-      <resource uuid="db7877cf-1013-4fb1-b943-ca9361d16370">
-         <title>[SP 800-41]</title>
-         <citation>
-            <text>Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-41r1"/>
-      </resource>
-      <resource uuid="23b0a203-c020-47dd-b86c-9f8c35ecaa4e">
-         <title>[SP 800-45]</title>
-         <citation>
-            <text>Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-45ver2"/>
-      </resource>
-      <resource uuid="7768c184-088d-4ee8-a316-f9286b52df7f">
-         <title>[SP 800-46]</title>
-         <citation>
-            <text>Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-46r2"/>
-      </resource>
-      <resource uuid="2e66c31a-190e-49ad-8e00-f306f8a0df17">
-         <title>[SP 800-47]</title>
-         <citation>
-            <text>Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-47"/>
-      </resource>
-      <resource uuid="2e29c363-d5be-47ba-92f5-f8a58a69b65e">
-         <title>[SP 800-50]</title>
-         <citation>
-            <text>Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-50"/>
-      </resource>
-      <resource uuid="286604ec-e383-4c1d-bd8c-d88f88e54a0f">
-         <title>[SP 800-52]</title>
-         <citation>
-            <text>McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-52r2"/>
-      </resource>
-      <resource uuid="5db6dfe4-788e-4183-93b9-f6fb29d75e41">
-         <title>[SP 800-53A]</title>
-         <citation>
-            <text>Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-53Ar4"/>
-      </resource>
-      <resource uuid="31f3c9de-c57c-4281-929b-f9951f9640f1">
-         <title>[SP 800-53B]</title>
-         <citation>
-            <text>National Institute of Standards and Technology Special Publication 800-53B, <em>Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations</em>. Projected for publication in 2020.</text>
-         </citation>
-      </resource>
-      <resource uuid="8ba0d54e-fa16-4f5d-baa1-763ec3e33e26">
-         <title>[SP 800-55]</title>
-         <citation>
-            <text>Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-55r1"/>
-      </resource>
-      <resource uuid="77dc1838-3664-4faa-bc6e-4e2a16e52f35">
-         <title>[SP 800-56A]</title>
-         <citation>
-            <text>Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-56Ar3"/>
-      </resource>
-      <resource uuid="f417e4ec-cadb-47a8-a363-6006b32c28ad">
-         <title>[SP 800-56B]</title>
-         <citation>
-            <text>Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-56Br2"/>
-      </resource>
-      <resource uuid="7c3ba335-62bd-4f03-888f-960790409b11">
-         <title>[SP 800-56C]</title>
-         <citation>
-            <text>Barker EB, Chen L, Davis R (2018) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-56Cr1"/>
-      </resource>
-      <resource uuid="770f9bdc-4023-48ef-8206-c65397f061ea">
-         <title>[SP 800-57-1]</title>
-         <citation>
-            <text>Barker EB (2016) Recommendation for Key Management, Part 1: General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 4.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-57pt1r4"/>
-      </resource>
-      <resource uuid="69644a9e-438a-47c3-bac9-cf28b5baf848">
-         <title>[SP 800-57-2]</title>
-         <citation>
-            <text>Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-57pt2r1"/>
-      </resource>
-      <resource uuid="9933c883-e8f3-4a83-9a9a-d1e058038080">
-         <title>[SP 800-57-3]</title>
-         <citation>
-            <text>Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-57pt3r1"/>
-      </resource>
-      <resource uuid="c4627621-1d6e-45ce-85d8-8b087c77ec66">
-         <title>[SP 800-58]</title>
-         <citation>
-            <text>Kuhn R, Walsh TJ, Fries S (2005) Security Considerations for Voice Over IP Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-58.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-58"/>
-      </resource>
-      <resource uuid="68949f14-9cf5-4116-91d8-e820b9df3ffd">
-         <title>[SP 800-60 v1]</title>
-         <citation>
-            <text>Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-60v1r1"/>
-      </resource>
-      <resource uuid="e8e2fdb4-b0a7-44a4-9b64-848d4e3d8edc">
-         <title>[SP 800-60 v2]</title>
-         <citation>
-            <text>Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-60v2r1"/>
-      </resource>
-      <resource uuid="7c14a87c-9a1e-4e0c-9fd9-3485a8a7829b">
-         <title>[SP 800-61]</title>
-         <citation>
-            <text>Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-61r2"/>
-      </resource>
-      <resource uuid="549993c0-9bdd-4d49-875c-f56950cc5f30">
-         <title>[SP 800-63-3]</title>
-         <citation>
-            <text>Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-63-3"/>
-      </resource>
-      <resource uuid="3c50fa31-7f4d-4d30-91d7-27ee87cd5f75">
-         <title>[SP 800-63A]</title>
-         <citation>
-            <text>Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-63a"/>
-      </resource>
-      <resource uuid="14a7d982-9747-48e0-a877-3e8fbf6ae381">
-         <title>[SP 800-70]</title>
-         <citation>
-            <text>Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-70r4"/>
-      </resource>
-      <resource uuid="3d6b3a16-94e7-4a43-8648-8bdeaadb271b">
-         <title>[SP 800-73-4]</title>
-         <citation>
-            <text>Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-73-4"/>
-      </resource>
-      <resource uuid="d5ef0056-c807-44c3-a7b5-6eb491538f8e">
-         <title>[SP 800-76-2]</title>
-         <citation>
-            <text>Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-76-2"/>
-      </resource>
-      <resource uuid="8da76f8f-acf9-4c62-9b1d-b0c1b28c87fa">
-         <title>[SP 800-77]</title>
-         <citation>
-            <text>Frankel SE, Kent K, Lewkowski R, Orebaugh AD, Ritchey RW, Sharma SR (2005) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-77"/>
-      </resource>
-      <resource uuid="013e098f-0680-4856-a130-b768c69dab9c">
-         <title>[SP 800-78-4]</title>
-         <citation>
-            <text>Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-78-4"/>
-      </resource>
-      <resource uuid="bb55e71a-e059-4263-8dd8-bc96fd3f063d">
-         <title>[SP 800-79-2]</title>
-         <citation>
-            <text>Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-79-2"/>
-      </resource>
-      <resource uuid="93d44344-59f9-4669-845d-6cc2a5852621">
-         <title>[SP 800-81-2]</title>
-         <citation>
-            <text>Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-81-2"/>
-      </resource>
-      <resource uuid="90a2ca84-5624-42f0-b446-e69e5ed77e6a">
-         <title>[SP 800-82]</title>
-         <citation>
-            <text>Stouffer KA, Lightman S, Pillitteri VY, Abrams M, Hahn A (2015) Guide to Industrial Control Systems (ICS) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-82, Rev. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-82r2"/>
-      </resource>
-      <resource uuid="8b0f8559-1185-45f9-b0a9-876d7b3c1c7b">
-         <title>[SP 800-83]</title>
-         <citation>
-            <text>Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-83r1"/>
-      </resource>
-      <resource uuid="20bf433b-074c-47a0-8fca-cd591772ccd6">
-         <title>[SP 800-84]</title>
-         <citation>
-            <text>Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-84"/>
-      </resource>
-      <resource uuid="35dfd59f-eef2-4f71-bdb5-6d878267456a">
-         <title>[SP 800-86]</title>
-         <citation>
-            <text>Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-86"/>
-      </resource>
-      <resource uuid="fed6a3b5-2b74-499f-9172-46671f7c24c8">
-         <title>[SP 800-88]</title>
-         <citation>
-            <text>Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-88r1"/>
-      </resource>
-      <resource uuid="02d8ec60-6197-43f8-9f47-18732127963e">
-         <title>[SP 800-92]</title>
-         <citation>
-            <text>Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-92"/>
-      </resource>
-      <resource uuid="41e2e2c6-2260-4258-85c8-09db17c43103">
-         <title>[SP 800-94]</title>
-         <citation>
-            <text>Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-94"/>
-      </resource>
-      <resource uuid="1d91d984-0cb6-4f96-a01d-c39a3eee7d43">
-         <title>[SP 800-95]</title>
-         <citation>
-            <text>Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-95"/>
-      </resource>
-      <resource uuid="6bed1550-cd5d-4e80-8d83-4e597c1514fe">
-         <title>[SP 800-97]</title>
-         <citation>
-            <text>Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-97"/>
-      </resource>
-      <resource uuid="9183bd83-170e-4701-b32c-97e08ef8bedb">
-         <title>[SP 800-100]</title>
-         <citation>
-            <text>Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-100"/>
-      </resource>
-      <resource uuid="1e2c475a-84ae-4c60-b420-8fb2ea552b71">
-         <title>[SP 800-101]</title>
-         <citation>
-            <text>Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-101r1"/>
-      </resource>
-      <resource uuid="1b14b50f-7154-4226-958c-7dfff8276755">
-         <title>[SP 800-111]</title>
-         <citation>
-            <text>Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. <em/>
-            </text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-111"/>
-      </resource>
-      <resource uuid="36132a58-56fd-4980-9f6c-c010d3faf52b">
-         <title>[SP 800-113]</title>
-         <citation>
-            <text>Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-113"/>
-      </resource>
-      <resource uuid="49fa1ee1-aaf7-4270-bb5a-a86497f717dc">
-         <title>[SP 800-114]</title>
-         <citation>
-            <text>Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-114r1"/>
-      </resource>
-      <resource uuid="a6b97214-55d4-4b86-a3a4-53d5911d96f7">
-         <title>[SP 800-115]</title>
-         <citation>
-            <text>Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-115"/>
-      </resource>
-      <resource uuid="ad7d575f-b5fe-489b-8d48-36a93d964a5f">
-         <title>[SP 800-116]</title>
-         <citation>
-            <text>Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-116r1"/>
-      </resource>
-      <resource uuid="60b24979-65b8-4ca5-a442-11b74339fab5">
-         <title>[SP 800-121]</title>
-         <citation>
-            <text>Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-121r2"/>
-      </resource>
-      <resource uuid="18c6942b-95f8-414c-b548-c8e6b8d8a172">
-         <title>[SP 800-124]</title>
-         <citation>
-            <text>Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-124r1"/>
-      </resource>
-      <resource uuid="c972a85c-fa75-4596-be25-a338dc7e4e46">
-         <title>[SP 800-125B]</title>
-         <citation>
-            <text>Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-125B"/>
-      </resource>
-      <resource uuid="0b6ef8e9-4e93-4d0a-8d9c-526c63c6503f">
-         <title>[SP 800-126]</title>
-         <citation>
-            <text>Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-126r3"/>
-      </resource>
-      <resource uuid="a536b9a9-bad0-4f8f-8b8b-81222e3ac2e4">
-         <title>[SP 800-128]</title>
-         <citation>
-            <text>Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-128"/>
-      </resource>
-      <resource uuid="ae412317-c2b4-47bb-b47b-c329ce0d7a0b">
-         <title>[SP 800-130]</title>
-         <citation>
-            <text>Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-130"/>
-      </resource>
-      <resource uuid="c3b34083-77b2-4dab-a980-73068f8933bd">
-         <title>[SP 800-137]</title>
-         <citation>
-            <text>Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-137"/>
-      </resource>
-      <resource uuid="e9224c9b-4fa5-40b7-bfbb-02bff7712d92">
-         <title>[SP 800-147]</title>
-         <citation>
-            <text>Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-147"/>
-      </resource>
-      <resource uuid="ad3e8f21-07c6-4968-b002-00b64dfa70ae">
-         <title>[SP 800-150]</title>
-         <citation>
-            <text>Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-150"/>
-      </resource>
-      <resource uuid="38dbdf55-9a14-446f-b563-c48e4e3d37fb">
-         <title>[SP 800-152]</title>
-         <citation>
-            <text>Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-152"/>
-      </resource>
-      <resource uuid="fd0f14f5-8910-45c4-b60a-0c8936e00daa">
-         <title>[SP 800-154]</title>
-         <citation>
-            <text>Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154.</text>
-         </citation>
-         <rlink href="https://csrc.nist.gov/publications/detail/sp/800-154/draft"/>
-      </resource>
-      <resource uuid="f5dd7fb6-5e00-4ba3-9c10-9a8fc0255eaa">
-         <title>[SP 800-156]</title>
-         <citation>
-            <text>Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-156"/>
-      </resource>
-      <resource uuid="8724b5bb-bc81-4fdc-bc94-2fc39b49ff9e">
-         <title>[SP 800-160 v1]</title>
-         <citation>
-            <text>Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-160v1"/>
-      </resource>
-      <resource uuid="8411e6e8-09bd-431d-bbcb-3423d36ad880">
-         <title>[SP 800-160 v2]</title>
-         <citation>
-            <text>Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-160v2"/>
-      </resource>
-      <resource uuid="66476e76-46b4-47fb-be19-d13e6f3840df">
-         <title>[SP 800-161]</title>
-         <citation>
-            <text>Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-161"/>
-      </resource>
-      <resource uuid="359f960c-2598-454c-ba3b-a30c553e498f">
-         <title>[SP 800-162]</title>
-         <citation>
-            <text>Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of February 25, 2019.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-162"/>
-      </resource>
-      <resource uuid="a8f55663-86c5-415b-aabe-d2a126981d65">
-         <title>[SP 800-166]</title>
-         <citation>
-            <text>Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-166"/>
-      </resource>
-      <resource uuid="893d1736-324c-41d6-a5f4-d526b5ca981a">
-         <title>[SP 800-167]</title>
-         <citation>
-            <text>Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-167"/>
-      </resource>
-      <resource uuid="0a3abb6f-9670-4fa9-ba17-f956c6ad9e2a">
-         <title>[SP 800-171]</title>
-         <citation>
-            <text>Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-171r2"/>
-      </resource>
-      <resource uuid="aad55f03-8ece-4b21-b09c-9ef65b5a9f55">
-         <title>[SP 800-171B]</title>
-         <citation>
-            <text>Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2019) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171B.</text>
-         </citation>
-         <rlink href="https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf"/>
-      </resource>
-      <resource uuid="64e044e4-b2a9-490f-a079-1106407c812f">
-         <title>[SP 800-177]</title>
-         <citation>
-            <text>Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-177r1"/>
-      </resource>
-      <resource uuid="223b23a9-baea-4a50-8058-63cf7967b61f">
-         <title>[SP 800-178]</title>
-         <citation>
-            <text>Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-178"/>
-      </resource>
-      <resource uuid="f4c3f657-de83-47ae-9aec-e144de8268d1">
-         <title>[SP 800-181]</title>
-         <citation>
-            <text>Newhouse WD, Witte GA, Scribner B, Keith S (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-181"/>
-      </resource>
-      <resource uuid="08f518f7-f9b9-4bee-8986-860214f46b16">
-         <title>[SP 800-184]</title>
-         <citation>
-            <text>Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-184"/>
-      </resource>
-      <resource uuid="eadef75e-7e4d-4554-b818-44946c1dde0e">
-         <title>[SP 800-188]</title>
-         <citation>
-            <text>Garfinkel S (2016) De-Identifying Government Datasets. <em/>(National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188.</text>
-         </citation>
-         <rlink href="https://csrc.nist.gov/publications/detail/sp/800-188/draft"/>
-      </resource>
-      <resource uuid="3862cd94-ff25-4631-9a9a-b92c21a0a923">
-         <title>[SP 800-189]</title>
-         <citation>
-            <text>Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-189"/>
-      </resource>
-      <resource uuid="06d3c11a-4a00-42d9-ad75-e6a777ffae5e">
-         <title>[SP 800-192]</title>
-         <citation>
-            <text>Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.SP.800-192"/>
-      </resource>
-      <resource uuid="d4779b49-8acc-45ef-b4f0-30f945e81d1b">
-         <title>[IR 7539]</title>
-         <citation>
-            <text>Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. <em/>(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7539"/>
-      </resource>
-      <resource uuid="09ac1fdb-36a9-483f-a04c-5c1e1bf104fb">
-         <title>[IR 7559]</title>
-         <citation>
-            <text>Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7559"/>
-      </resource>
-      <resource uuid="7b03adec-4405-4aac-94a0-6a9eb3f42e31">
-         <title>[IR 7622]</title>
-         <citation>
-            <text>Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7622"/>
-      </resource>
-      <resource uuid="daf69edb-a0ef-4447-9880-8c4bf553181f">
-         <title>[IR 7676]</title>
-         <citation>
-            <text>Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7676"/>
-      </resource>
-      <resource uuid="bcd95f8b-230d-4e9e-a186-7d00b6dfdb9c">
-         <title>[IR 7788]</title>
-         <citation>
-            <text>Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7788"/>
-      </resource>
-      <resource uuid="a49f67fc-827c-40e6-9a37-2b1cbe8142fd">
-         <title>[IR 7817]</title>
-         <citation>
-            <text>Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7817"/>
-      </resource>
-      <resource uuid="972c10bd-aedf-485f-b0db-f46a402127e2">
-         <title>[IR 7849]</title>
-         <citation>
-            <text>Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7849"/>
-      </resource>
-      <resource uuid="197f7ba7-9af8-4a67-b3a4-5523d850e53b">
-         <title>[IR 7870]</title>
-         <citation>
-            <text>Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7870"/>
-      </resource>
-      <resource uuid="bb22d510-54a9-4588-b725-00d37576562b">
-         <title>[IR 7874]</title>
-         <citation>
-            <text>Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7874"/>
-      </resource>
-      <resource uuid="f437b52f-7f26-42aa-8e8f-999e7d67b2fe">
-         <title>[IR 7956]</title>
-         <citation>
-            <text>Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues &amp; Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7956"/>
-      </resource>
-      <resource uuid="30213e10-2aca-47b3-8cdb-61303e0959f5">
-         <title>[IR 7966]</title>
-         <citation>
-            <text>Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.7966"/>
-      </resource>
-      <resource uuid="851b5ba4-6aa0-4583-857c-4c360cbdf2a0">
-         <title>[IR 8011 v1]</title>
-         <citation>
-            <text>Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal (IR) 8011, Volume 1.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.8011-1"/>
-      </resource>
-      <resource uuid="7e7538d7-9c3a-4e5f-bbb4-638cec975415">
-         <title>[IR 8023]</title>
-         <citation>
-            <text>Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.8023"/>
-      </resource>
-      <resource uuid="24738ee6-b3f3-4e37-825b-58775846bdbc">
-         <title>[IR 8040]</title>
-         <citation>
-            <text>Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. <em/>(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.8040"/>
-      </resource>
-      <resource uuid="817b4227-5857-494d-9032-915980b32f15">
-         <title>[IR 8062]</title>
-         <citation>
-            <text>Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. <em/>(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.8062"/>
-      </resource>
-      <resource uuid="7a93e915-fd58-4147-be12-e48044c367e6">
-         <title>[IR 8179]</title>
-         <citation>
-            <text>Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. <em/>(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179.</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.IR.8179"/>
-      </resource>
-      <resource uuid="2ee29e9a-6855-4160-a811-b5c7c50bd127">
-         <title>[DHS TIC]</title>
-         <citation>
-            <text>Department of Homeland Security, <em>Trusted Internet Connections (TIC)</em>.</text>
-         </citation>
-         <rlink href="https://www.dhs.gov/trusted-internet-connections"/>
-      </resource>
-      <resource uuid="4e5415c1-7fc4-4fec-8328-d31319fffc4a">
-         <title>[DSB 2017]</title>
-         <citation>
-            <text>Department of Defense, Defense Science Board, <em>Task Force on Cyber Deterrence</em>, February 2017.</text>
-         </citation>
-         <rlink href="https://www.acq.osd.mil/dsb/reports/2010s/DSB-CyberDeterrenceReport_02-28-17_Final.pdf"/>
-      </resource>
-      <resource uuid="294eed19-7471-4517-9480-2ec73e7c6a78">
-         <title>[DOD STIG]</title>
-         <citation>
-            <text>Defense Information Systems Agency, <em>Security Technical Implementation Guides (STIG)</em>.</text>
-         </citation>
-         <rlink href="https://iase.disa.mil/stigs/Pages/index.aspx"/>
-      </resource>
-      <resource uuid="5a0f9c51-a5e9-4ef1-a2f7-446d5e9068ff">
-         <title>[DODTERMS]</title>
-         <citation>
-            <text>Department of Defense, <em>Dictionary of Military and Associated Terms</em>.</text>
-         </citation>
-         <rlink href="http://www.dtic.mil/dtic/tr/fulltext/u2/a485800.pdf"/>
-      </resource>
-      <resource uuid="17ca9481-ea11-4ef2-81c1-885fd37d4be5">
-         <title>[IETF 5905]</title>
-         <citation>
-            <text/>
-         </citation>
-      </resource>
-      <resource uuid="19067e94-7e15-4a4f-9344-9002a5be9755">
-         <title>[LAMPSON73]</title>
-         <citation>
-            <text>B. W. Lampson, <em>A Note on the Confinement Problem</em>, Communications of the ACM 16, 10, pp. 613-615, October 1973.</text>
-         </citation>
-      </resource>
-      <resource uuid="dd87fdf0-840d-4392-9de4-220b2327e340">
-         <title>[NARA CUI]</title>
-         <citation>
-            <text>National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry.</text>
-         </citation>
-         <rlink href="https://www.archives.gov/cui"/>
-      </resource>
-      <resource uuid="5dac2312-1d0d-416f-aebb-400fa9775b74">
-         <title>[NIAP CCEVS]</title>
-         <citation>
-            <text>National Information Assurance Partnership, <em>Common Criteria Evaluation and Validation Scheme</em>.</text>
-         </citation>
-         <rlink href="https://www.niap-ccevs.org/"/>
-      </resource>
-      <resource uuid="22b43fc3-c1a2-4166-8ef1-ab1c31ad094d">
-         <title>[NIST CAVP]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2020) <em>Cryptographic Algorithm Validation Program</em>. Available at</text>
-         </citation>
-         <rlink href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program"/>
-      </resource>
-      <resource uuid="8c3295fe-f40e-4ff0-a6bf-5b31d54c967e">
-         <title>[NIST CMVP]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2020) <em>Cryptographic Module Validation Program</em>. Available at</text>
-         </citation>
-         <rlink href="https://csrc.nist.gov/projects/cryptographic-module-validation-program"/>
-      </resource>
-      <resource uuid="3c47d111-9f82-4571-ab3d-5aaeb4373a04">
-         <title>[NIST CSF]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. (National Institute of Standards and Technology, Gaithersburg, MD).</text>
-         </citation>
-         <rlink href="https://doi.org/10.6028/NIST.CSWP.04162018"/>
-      </resource>
-      <resource uuid="5cc04a1c-5489-4751-a493-746a9639067b">
-         <title>[NCPR]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2020) <em>National Checklist Program Repository</em>. Available at</text>
-         </citation>
-         <rlink href="https://nvd.nist.gov/ncp/repository"/>
-      </resource>
-      <resource uuid="6dbf7321-9ab2-47c6-9101-6041735d8136">
-         <title>[NVD 800-53]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2020) <em>National Vulnerability Database: NIST Special Publication 800-53 [database of controls].</em> Available at</text>
-         </citation>
-         <rlink href="https://nvd.nist.gov/800-53"/>
-      </resource>
-      <resource uuid="b0ef4899-9682-4afc-a2dd-0f5f71c78042">
-         <title>[NEUM04]</title>
-         <citation>
-            <text>
-               <em>Principled Assuredly Trustworthy Composable Architectures</em>, P. Neumann, CDRL A001 Final Report, SRI International, December 2004.</text>
-         </citation>
-         <rlink href="http://www.csl.sri.com/users/neumann/chats4.pdf"/>
-      </resource>
-      <resource uuid="634dec27-df88-4c30-b1a4-b57cdfd24f20">
-         <title>[NSA CSFC]</title>
-         <citation>
-            <text>National Security Agency, <em>Commercial Solutions for Classified Program (CSfC)</em>.</text>
-         </citation>
-         <rlink href="https://www.nsa.gov/resources/everyone/csfc"/>
-      </resource>
-      <resource uuid="a52271dc-11b5-423a-8b6f-14867bd94259">
-         <title>[NSA MEDIA]</title>
-         <citation>
-            <text>National Security Agency, <em>Media Destruction Guidance</em>.</text>
-         </citation>
-         <rlink href="https://www.nsa.gov/resources/everyone/media-destruction"/>
-      </resource>
-      <resource uuid="8d64f754-fde9-4e7b-8dea-8fffedef4347">
-         <title>[POPEK74]</title>
-         <citation>
-            <text>G. Popek, <em>The Principle of Kernel Design</em>, in 1974 NCC, AFIPS Cong. Proc., Vol. 43, pp. 977-978.</text>
-         </citation>
-      </resource>
-      <resource uuid="3c2331ad-9b35-4679-b9b2-7d70e7be6beb">
-         <title>[SALTZER75]</title>
-         <citation>
-            <text>J. Saltzer and M. Schroeder, <em>The Protection of Information in Computer Systems</em>, in Proceedings of the IEEE 63(9), September 1975, pp. 1278-1308.</text>
-         </citation>
-      </resource>
-      <resource uuid="06842bea-64c9-4e20-807a-b8fc003fa737">
-         <title>[USGCB]</title>
-         <citation>
-            <text>National Institute of Standards and Technology (2020) <em>United States Government Configuration Baseline</em>. Available at</text>
-         </citation>
-         <rlink href="https://csrc.nist.gov/projects/united-states-government-configuration-baseline"/>
-      </resource>
-      <resource uuid="90ec1671-8dcf-4bcf-8efe-ac6d06a806f0">
-         <rlink media-type="application/pdf"
-                href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5-draft.pdf"/>
-      </resource>
-      <resource uuid="abe434a3-7630-4138-8699-2ab8c7a9aa6c">
-         <rlink media-type="application/pdf"
-                href="https://doi.org/10.6028/NIST.SP.800-53r5-draft"/>
-      </resource>
-   </back-matter>
-</catalog>
diff --git a/src/content/ssp-example/Master Validation List - DRAFT.xlsx b/src/content/ssp-example/Master Validation List - DRAFT.xlsx
deleted file mode 100644
index 7dc8012a848bc4eec472cb0f4413229ba820c715..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 30805
zcmeFYW1B5Yw=G&WX4$rF&eAN~#w^>mZQHhO+qP}%)>`kq_w4hW{SWqu5Alr5jEopP
zqqWu}N3<a;0Stl+00sa7002M$;J~V0<OT=;5C94QfCK;mq#<Z+<zQ&#prhz&V`#5M
z>tbnvp9ca&o&x~%)BgXK|G`h7LUB?Wh~ZaP`U_mTHmt^tZiL>hkDDUm4WJoU4eVyq
zDGY@5wZ(6J7y$^)rq!nVPf6n<K25eN)!zbG9wcstD#$yI^h?uJw+x<_++jdsuKAib
zvZ1g!=x|onZ}U<h)a+{pBxZRp#3W~!n1O~NJFkCH<?}<l=QTwN(ahlPy4F2oI9-5b
zaLgD6a=u}h8XXinDqP*m59ZzEBATAn%fw62GZ({DOEg{YgA0(1n96%WIxW!K22%Jj
zDgaAt4JDH>=0QSM(4kyon0)*1MV+g}qbB-lnh>s6-uPfHN589_Y_C7CM={BVC}-2n
zR@ybWUQy=um;!`du@5#D4v-Tg>%RUxBYb&a7;3wzpw7LG_mDaKT1FrF=+qPl;`klX
zVC%Ci?GDB>s96qTB%s-OUk?2e=_wGbEFEn|8%sr|7wsOAt>Km-Ae4m(IfZsJpJ(Yn
z#`uf4uEu&!aInkxAlAOtz{EHW(B4Pm2!rzl3;^K!8yG<Lf1_-p5<Stw4-O@N7zzDD
zSsgn=3wt`+f9n5B)&If#{4b$b#7W8Y)58Q^i+%);JTGp>{1T9G{w>;0py=fzwgKN5
znNN(h*-eK1OA*r__>Xs|*T>lUCU@l72*J}Hb455JG8a*kb7fHSo2?@_C8=GKh;7C0
z0D{xv<Kk25A8}W5r_N}~@|KcZiP3E$k@;Jp+F#SODwvQ+h1fx;JgL6wLsDv6`Y%<0
zivkLll|ePlY&mD~)9K#JNkylyd?6f?7jvm7Blh~nt5qH&76gy4m`VyJ9Huq;S$3R+
zt~!4$dhUhNyOBOUXrwbn<O!J(Ul^zV43p$MdaE}u-;QUx4zNM?myg_x`i0|_Z2e@f
z|C1zf;0YHXKUesG0RS)oAOKw~=>EeKXKOoieQRs;e=^(u#~Hw%^!C&Ce|D*e8#f!E
zhY@}b{PLgevSsv?4YD<wl~1uu_wunxV3*Vf*YG^JHkaod?TN9fV-W3o#tm&>_jay)
zA;!ZrM)@lS<yYZkXkZR{Jvcr|6w+fNVUbA!3Jkh(ysXl$Vivn!teeIgQljq<)W2a}
z2(u;|Okm5i%3hjr9b<56zM9XgFJ%{B1V1;;g3mXP94zn4m(YwKmK#0wZQfpH#>~U@
zIU9Qjjmmg4GXyH++eNB;qd^vnaA5d8nf8P|EfD{%I(9pmgkHyj(UrjmCOCjJT#9nQ
zt`^X$gCt^5o(;q5<j2vNL~GY<Mh@dfxxF$xF<sAK{oOlKzjDm?Gxh%`hMa_kW~qNf
z)&K+m0RE@N4~G6LdMXrVt=938J+m9U`8&AKhn*0qq?Oo0QBBjzD9y7&BMp!(sC%UH
zOuxI#HyTRYg3Z>TZRj@ar+0fkjua&xCK?gS#29d1(Qipr0!^MMzFM{16(S-GrFsj@
zT*9U|cG3rz>F)FAf-~j8K>#AfYz-~bf9c<aEl)%!j$^G*Bvz#c%3g<>vKR-JvNtyp
z`(6(h80GZ>3*_<n=Z?uAc$D5%9Yx~sGbc{~c`Af1Y0jK|Fxjxo2Uk7XDK!JsBFV4R
z0}qx=#ZPw0rCkz_@Xnt2!HmPtG>$YfmNgLh5CV_FyOqk2;}Fvw6~=tnwm1!}J%N|M
z(;^a$Mrfh*-4PBl1e}d*lQ=9JWyaJ<^wZxksCB5@RwMMNS6w%{7`<Xd=_=mDInG)2
zCP@g64Cl(2>a1(LkiX1!^ga-9@`M)24kP#bv+Gnw(|!^|X%w<U_@O@qZ?MrmB}&~=
zN95zCYX0V$&kanM+aK5xmpw;J*M<?{M5vib??WI;PRkg@PI!#xLI-E!yu!MP|Fo(|
zmn#+y^PZjQ&U~q#xmVdAfiAA^Ne|lZX@^ekrA(_xDyM$?^!5x`j?wHAn6A@bvtk*C
zzwyO&No4@;g7fpaW?7|9Gx|a&4>E6i65zb=qz)IPQ?DAH4WPYNo_&k7pzHn^c4i}~
zN@H3#ed!8+9UT<otJ0~f9<>wgNO`!@BZHSPzR(#DjbDzQLbhv77{vQ;fmLsmZl;C{
z0KlaQ0D$}-VA-4K*%|&-aIiDAGPeImn-(<Jtu~h8JlS@<S7rb(AZ42u;z)G%ppjRl
z9fp#alj0<8Y<|gZCJY#`mI~I9JaZr79XTEy-;vZSD_u&}jV_VIgBbhtm^#M4%eP-O
znss~J8>Y3Lw~)tkyEigoT2-~MV;#p6x4SgneV)Ge)}yE>%dv*eafj<vPVCzqPM!}(
zYbO~V-dHJjskc^?m7`%{9lkJTi5${*hcSKFWueWN^kokYinuBb%ocP+?3<-oSy)<K
zSxM#-YuN64Bq>!ZJ7wu^sU>|FpkAM|<riyERqG^;o+mG!d%L#Eb$Ye-@;!vZzfSI{
z;N6ezsce&=C5LZ+A}43E<-e+Ryd3Ivy-aRZjMd`Bj9&U<j}n)0T3;TkDIJu)6NtZZ
zWocm_mb67ct7wU!A5H~(hlC$^L=_u2XBC@z`3u^{dvK=@sVTLUglHjT4}-!{XSEQ=
zljWC%4JCW@6^f}<a#1INU;Huq$kL6lWeJ~ixU%6V*-~>hz90IV!6{WYE!gaa7;P*p
zzdOn;H6*54)qX8;aj2gpx##$7nlw~6KE26yYv_=9FxY1Ci)!fX=!!j(@%4ziH3da3
zP9^mn-EdZznrbl{zK&t2ua9r=P$?_1wxel@C%w!)tg`{re*haED-ucmD{vjFt-Pe9
zMc(S_<gfR&f4`crPJ4&VHq3R=$qbHe@_9G7)HZC7QnE<KK4EJVf0_R&iuB-RqM>F|
z!BiVpXsyv9PsRIX1<>p7t}@ZCigx%}*eQhI4~njo!aL-tBLJ@M9xmMo{|n6ggTal@
z6twK=yN`Q9F^Um7aY<-EG!gQu{lw+qKgHMDEua4JH@J|m&ln(lc83<6k@UnXJUA0o
zqB8R78!~2NenUHV^((%>`dXu|u`*c1cx{9Ep6OgR`FN!cx`ivkI|uB26|(%asoI5o
zOyY1QMP|yJCRq$lPlJiJn9;STY~e)9gcKELU13EkI$S8jK_+-dJRObTzvB&kzvFEe
zRCQEgjU1x!I%V>q*{--jZNW$BMYSco_b2s&d)b~)yWgS*>EOh7w{5kNS8BL8IGl<Z
zO#G3Y>+6C6WYuSIswRq8BF-3Zh8$-U1)p(&et83G$&WCpV7A{eW)~t^e37Olb4$2>
zLS>|pqPgHOp&ZWOjE(w06YwB8!%@QYCZRO+OI;Mn_M>b^PR*?-wE{oy1r*2F$Qitl
zrb))bj6rF}p^Z)K6Vi?UmbF$)P3))S9N?5~JWidyHym8W2am_j6A+VOWD!-|DWa5`
zB-UIm#{Ncrg;gd+4iwKAAelmhK0X)zh*s;{)SKJ^f`JMYBO$RiFmdLUn2twYyX%t{
zDah>)>6650bd#3^TM)K4%X)zxNsMit^I!$ULt7q2uP>N=VG8!Zli|Je<aSa-ca8lh
zuJgVYb9aK3U|mbl9(7(?*on+tzu#-J0TFZ-*lNv?>J@`rfKCWV5#*COHes(2C8dUP
z4nZm^y=!9&FUKM$b_NUQ%cV^vMo?UGh+RC_3xM3CQ(@*ukq!Zi`m<-MGIjgBP#($8
zRO2qiq}qakl5%ArZkZ%NB0qkUVF`OMFBZY$$I#1lOdAB5NjC)&L@c*^gRC04Qgy%`
zN+ywlOo@K9k|{I`8U2y+y&b&M2k94c$Tl|0mi$+kyoq6=%C5O1MA*hR!6BsZ<ioX+
zqBe%ue}WVrq7ZGJ<MZ?dVCk}7#tQRKswkikCMEX4k>98?xTZfhO#(o@0oU@%=-(4*
zVNh9X;VbU0-lO4L6qybOU~(Wkdgkg1oNKwWQpB1V2nPyAICx*UFSrx}+OQ6EUatp&
zSL|(Kk_8ynz-uh%x>M+?deRbH^(3~ZaKl~zPt@V!PU|)niY2t9S&pcnzU4=7B%(Pw
z@dT)DZ68K%5DNb$63B(>G-49PsumN4WM6pU?%f1+Y889-$p+*15_Fxth8-V0sv)Pt
zJ^6PUds#EGGSUs^>;a0CTZ{;#dE2}mNUmWOQ(iPYiEK!)x!K5FqJtg~xJz`Xb_c5A
zdZrLGZu?n5?m(!x9yxxqGqZQ$NX$<85T6cUV?@kyhw@Q++^Tl!>WyZO0n+%>dl*6i
zCk^*~PN(mL3S>Cn_ZZh{y+=Kv4<p6DwO}JyiLDez=O7c1%`DPLqEyI4=<w^oby<<G
zse7<!h09ed9DYXZpe(wK85GV4$qbs<wv<=S?Au*j9?y`{hx{;S%)x#LB%*)=sHe!W
z%*-LZFfzL8Lo+5jWt<Z`@xG+6()P0`j?%F+OKg*vt>I*0<YmZ{k_J>w;qGDKuq61%
z5fwm5Faw2?%GT}YQL}L+M8A6Vh2tTqb!bJzwL0sT+ib@e9w;k7WqK?A#+9vN_a~d1
zOEib|pS#%X{Z7l(ws~8i52sW=ujs)N9|)n_057>*h_pd<cgGXC2|L_=enFc`Q&SX*
z+RJ(?ZhknWamD=JJFR>(1xx%Iwe+;p$QtN&v1{KimKz}#{!3f^N;La9<JEUaMG-0C
z0I03iTeT>LJm}${16uvK_Qe*B$Kw@X0wy1kgBp=<e5mY)q3b}y3(??^d?K>8(-2;t
zf2I{ALVgfD#OPYoBv}G@FMSfhq__)T$}KN)^9$cSIVUdK-tgTl)qRzOTK*G4+(Hln
z)9bFS9U=VSGjhr#PdH%40p`R=Hq`!9s+2JeX1Cg(<_TP*JipP=3w^idwcFUr(cWFk
z>(i^IyxWU!Wn*Yr!vitf`Svx`(<^K`p9SYq5zn2_`uZA{^_Ga4m@wI)t7(ehnNME;
z&L4iAk(GC3rTwi?I)pB}((0UT`r|%7RwEF#c?A@vN<3*`2{IZye{v`w<9cU)CsfiO
zp6d(vcqe-Jn*NdV`&rVf4}8k^awM5Z3%`5tsMX|sB=D99Ji%6)el*F08}PRn#pmup
zk5f3jug}XwF~ZW`I2pQ&0^j-F&7s2g`TQb|dxUYFV|R^Gf--m4gcal>YGK1T#{nk#
z@f5k*Och;(H*5388H5JFxo-GfH;x{$P3VWP5uorZ7oWbw*Z%z5{{78t^rIp!k+ZL|
z$3Dh4j^$YQjNwN=9x5Ld-dOdM{EpG|&h%sDvGj@f)^>t*QxA*X$z9^H{Rg*v6WFjp
z{I4)avWxC{WYG60jef5Oz=>af1GA-+MP%Cvfzoq+y=DR1+P-kFAv*<5_>dd~0(%?*
zd!%MNM`jz+9N>MydgaH&mVI!qT^wBIpmhQnq8f@<XQjpNlJ=nsLAxgPtDTg@uf?!&
z>v1MQ_{6+~49fX@NmMP?mAV?gki#8}ZZRY^Jd5!R?&tG}ad`YyMIfP2EW<Q@xp!!^
zXSY<`6>aNr(T|7#lt$3do;rTc*(_P-#HFz_g&;CDXP31ZGlwTK-YM)RJdm8KwaWf&
zAw>XLJ9T62i5&UYD&h4+p^hm}d)j1k7wlN|mN|$CdOE<&RF?SAIHeU4H#DEce{ppy
z;5l{(<~4>g&Dk?#n-PO7Q|i6Q-D}z5=pY0>Vg&qDw$L_Heo+&s9<0#y`)afe7<ztp
zE%4flR%|8A%XIV?!R1X{kvVZf+wX`V_LVtkeOphV3xAo~Np`dJDkk-u7;j%z<Ovv^
zU3==`9{g0Dg!@yqC|KJ<QK^~ACGz>L4tJAqUuM`&;tB@7KqLn+p)FO9+2gBaov(3E
zvfW%GkXVX}OgI@o_2aT}ACGZI`2$SBjKLfYzn3E26>qdecC^-e7iG;*7hkYz<J2K*
zFW&USU7|mp<$tOix~D8+PcA(s+0xE*-%j+Hz$oFeA#i$SV#o9R)bt8O(I6-=R_q}s
zucT<QSqKNcJ`cOgUzIe!-p0RUqz%2a3G%EBFFDg7UAG9^+9Zd32Xj<pA^4qGMI#T*
zKYBwoX%G^Xb@%NNcSop#))sc-<OTF&q8L@S;t$Vh1yLG=>gUzeNkm=R5OZ6?Lf^I(
zV@8CZUQ&d4+xgWM=Y@?xE7Eq9+Q-n5YqwuHS5gp)f_&oCb#DU2EaXRvS>~YAUQuy>
zYuCm`TpT4ylT>rAVMj>zg@s}(`y)`e9t}WG;vgkb{<c{HcBDv$;SdB2h0#<=X=}J)
zvL2lv%aZyUNNqMe5*#O9N{s5oYtzY8n#;urBFYS;RX7NwcBR%sC~3D*bhKiwVLap8
zDIChdQNSLO6}HJhL&@vjC#<$3rlii+bIp}6ndfvR-BM`b*K!^P!^ObM6s1)<6BUkU
z;OcN#4$<)9*Wup?cD9i_uHn!XHK90dxUi2di&D8w>&Gl+BBo8n{S78D)dODUs9Y-t
z`U~awl0ZozxR<XqdYRk6a}-&vzCqlR0#~#001jSS8mG>Dnw1T_{icBf`}_iK>mA-T
zjIqjJW3sqU&^+_Li6z9&JYc=>@1PC+v00AXaOu$qx#+44ubu5Ii{|7=2UF3k;^RVM
z%#xG3o0_AUJ9K6Ry9!BkkG|yIJ;Yi9s~{qf&5No)7-<Fio@&fNt;0TI))r<8u5VSq
zAJ}TQD0%mA6?`o4NF;8QJU$;HJ=SeJ?Ch4=`(r5{=k%z2InyGJf&^cvc4GBU#{2s2
z`AJ`rCsPM2r8@iyI#I6yW9>%tJ_P*gdeb8~Njlwc2?_(u;qaKn5SGrzU!fJw{oJ)W
zU9>fxAI~cg+OmbUEGyb=c1jA{LMyxy6o4W%GD{?={2l$<IZ94Kt)`Hf!W;+H6dK=F
zqtoE0yf=Z{qg4x}!op?<>y#DT&hw$c6LxYP7uWe%$SujL!<D^O-<*#ZTk4UgZ1Q@;
z4(1Bv7IIP!!f=iJ?LcY$O)BusP+X*GJogzv#G|+0u4!89aEly(F!H~6*f}`t%5%QB
z6m{jQht#Th{(_I_H&I&2hs5lN*T0?fCOq>#%@f$^bK@TT&23i4^(f}Q$L!acnhpcG
zh2YWRE5g)r^Kek|4=3RO(otQyIiU7K!!pC>1VVR(<m1us+FJ-35q(da2{wtcK^7@a
z7tn=`MLdqbs?l^-yEPsHe3wUc(@0KC;gzw@6ea`*HsRJSG9>e%Il^QCj})H-Wpoxj
z+5`rqtnI7D<&9+(!_@hOfp6vawz@@j6)u`a3n0o8n5XwO#MQH&2R8s-ogZgqu}Mv?
zp;d^YRQhSvrV(eb0&p+klXL5LBg^(B(6U<|f@-8|p_~>sflU+>+L#<rLW5Tx3JqM~
zs|%1{g__Jv&c2ck3~PI0`1?Ci<rW?Enjr@VCPX%I$R45u43kF;r6D)1_sDm$jiRVM
zWS^(8<^iC5R>~~WFZBB<OLp?6P#XHFP-tcj(h)QW;g>m`eoT!e`z^LMkNm+3EfI7z
zCPY%b3pQYAt|D7ApJ+!b4>nSwwX@9xCuW&GzjJ8&$Skm5o^}~WAHS4*h@so=97B%(
zj5t6O^-MX=Til$V0mA|qb6F2xObOxs+gk|e`*9LVtqb3U9CTR8Z$JG%-%G>T6@5qo
zy=Fzqsl<~5n7?*a?Svd{F-{1TIpl_C8DcYho+-i6`0@7&oA_xp1HFMQhE&|R9p~);
zNmTUF97~~W<v9Gu1My)3TE{~F^g}_*qV?J!Z1*sLdDPN}By~m@j2VL(Jakj~3HQhe
zb-VtFn1K)6XsumRQ2Pv<rz-l(`%UwUYy`i2IjkmTtUQ+uu&f~Th&bzy=~tR9TB$6R
z?>0W~)>(~+g-b)wPKshI2o!Vf`Ihvn>d_3}DjQUzjj`!=S(ThRIstz`z{~HGX2lB+
zQ2G%Jd^#V*rBZY;GX=RN7xMiQ_59etWTt7vESA4}$gbY<L`WvN;6^V6Wkv9#yQrhb
zNpIF6yfTAzyc2tZ(l>bGTQlK6<&|L=wFcA>4fj%}RbOVyxi_@AJy8qdGpWC9LPsOd
zB0$@55pCev1>qF$195Dw37V7-$IC`i0WA%y8SX2v_W>QGupEOk5zvw2W#U7*c-O#-
zZY<$s#kgm%Aqzx$X(n=QopvO-c3C-o6A84mF~1sZT_+^2VZL#@sk+LNwJoAfv(=~S
z65WDctsEf`;?p2PD1@rRQ;4p{6J~}KHyrnrH3HsoU0Z|#3pxbm3O+SIf!C?7!qdVv
zG?Mcb-C;Gg#xfS6&IN?I?hLqxb^rB|`OCz!SM`oWu``RuE|M^H^xMaVUovphR8;-c
zLRa(vdFOT6t3egAw}8GKAAqR5nC34vHI<zCg%Lg7dHw{e9n@9^hRVFslW#5jFGZB_
z)w5AjYE*m@De@<@8x7n;DG;UTMK>k%4syBcfaRPJ6+`@lQDsqzISK}y-%S^bsxZ*7
zHNa3n0Q`Wy8PIzgF;$L|d1gB4)M+Nd@WibAReM$dh#(;?vHHVUi-uH>Qe(1872vnC
zeksc1Zc{CZ7_i*10zIw}Ub$=h*D6kPdw!e5jMZeGRz1YgGr%*_skr^ioKePPHiA3x
z0EP6|6&kE2#MfLJubDE60E|4tZb$^VAo<_ZPIWf&gL8|fR(UstW(mJ-XG57Q%1jUx
z6@a@adeUFQT{(MXh6eGZ_P_reeBM6}^HJqf?0iI5)c}axk=@+?36EO~tI~o5*_)zV
zYDRNZyji0NU6;s3n;}lEMz0YoCO$A~PCw<ZRXOLCUE<NFs-r9=x(&Ecvu2zmAQXkC
z1u_o61*qth{*oYosoO?ymcfM|DqsTk(NLj5-+4{)i;BKSzL;~G>oTlQ<C@%j4(O54
zG01NPQo^tdaL^D;Fkjhav-M8xZCulG)<`Gv;q8E~Ve()sh*u1=CbF@&o|1#Q{eoA@
zWmlFrI<+v8fmw~ym%I#aFvt`c&b9`<fcd~(fX?LB=c`!YZ$52GL-4XnjF`Y9T>*%2
zCp|GM=-SaiS`^g~SLFB<Ya?~&5&V+xAiWKh!-24^@&1@1p^Cm=e6QBysUV$Lrfhp*
z$bQHYBEmQ`?dH}9te{h;l-)rT<;I@%X?^;gV1Xka5TtfmG<GJ=xy`}5xz5hJVy>Kf
zb2F!$MylM6Ojq}Z)3Z^b@S*zl28iC{l(Dy!5%7^sV^kkyW@*9(;1&gkE7#}vq^Rgt
zcwk9$6aPsO0CVkoIS)cvejj#f1{c3HFXck$DVFHW3>>ycW7qANAO<4uIrCs|5Ztu2
zi&{8HQVI5Na!s36l@eU6Lpi8JNMFxrNUBi~)}ED1ljr?&W@woL0(>ASHKtz_BC6Jj
z={D2=wE)a)vPdr*z^3LKdO6q@lK^hplCI+c^_fQBG%9~~XZISrei=@P`DphJ-Vv{@
zW=`#sYs?U;{c67piq+=~#_=T{_Tr>>QSiB9DPFa)S2Sb3+0@LsuXJn6hX#1P2HCdU
zgRc2ncGRFMloOU^-aI<?F#A_h&BxXbwY3ww723x#*z<PKLc3$HHA)O-7zC{Uk~Atv
zebFzbYD9ofq34RH0NPBGV^B)>H4EZcDM92ygLoq%^i`29tWW|fP6su4q<!3#J*Mr`
z4)BgbNKQ==en}-oar455oW?bc6kqiWjWvQXY!Xal^s#BbZCK04iDE{!{dA$xPz5SW
zgR!<^tHeeF6TJqyJ#YSbLZc<Sp0;+NU#U?@RwANYQrFudVGD$h_6q<gpe3qP36rw}
ztP*C*v5_f@J;vv4NM_3xtUUg_{;x?xo4hc2DAY8%MIb>HAd{Z5JlH<$1^^|=S&#O>
zRFo(4{tZuQp4QflhxfiFqB`Z<ziDPPjTSeYl^AO64XWZi$VtIZy<?)2@tD&U2I+Or
zg`;R0O)26Z@=h{_$RoiFApK^y&`hv(qx}XTOE}viP>@-N&wZ)Rw&I|&#$AK!Is$*o
z!fEtdngg%y_r$@jY1{K*9yG2JJh8TlQW7V^xikVXu!M1|u2FPjrdU)iv8Zz|>L@2C
zDJ;wW<@m!xFZbZq?wjUFHSLzxZFtzZiBp6@d`<+@I!GH_*+u3+>@*Fokp-B<ACI-!
zS7{|p@GUUZEn$@&6u8Nf9s+6Ncvkv(=B0Ofd7s8!pvICFPc{lF3v%)D*9cCMIJXy+
zk`I~jwn$Bwg}T(aM!-_AJ_-h`KsYQ@N?6D&|1n7_MX}!)pn8k2h9_Ww2nX=7nG}^u
zs9<tUVH0UPCpUrjf-w%03jVlOLS$F2GyX3KElaFaUnjDqhxKN)?KugmH3;&a2G;{&
zv?r!-!0V!$O=R`eG8b_&YDn0#q2`7FKF-&T!$lQ{azu{SA#J#b3OH@&39BraD~=^x
zWDoMY2w*69bpFNYDqUZCzr+~DUQ#2$a^uvs61JG|iJm#Zco=}=p{^|opwwk?mpSD<
z<rPc(1HFSeT_hoJDxBER@6SX%(v%NNjFP8-XJUwe_Q+kUg-s6$P<WeM^}3o?r`(1=
zCuYu8Ev=+H2-puAtz;yRC3Ve_M<Ky1&=r^<)Fb>fYZ=CXn|NiP-q;1*%FDm}cDmmL
z>YkZ+e0t8&fgfBwOMDYp5LS8B1GiCS&tWqb219ne#!v2aMtAZE>cIp|c2UhdeD%PI
zLmI*%XKow{$u%9ksM*e@gEe5Okiv8!+NdRkmH$-bmMHyBUrfTJcZq05(AHcQ1^``@
zFOhFvH?&G6yXbj*bI)zEvIFbi?KaD<|7J}A6QreaW(Ai~Cv_7`Uql4jYQ8Vqbz#0x
z&FnK@=<_7LT-}H`ncJts(G3=5IGYr*0vA|^p&%yJ^X$~~>&$@$Kp7SDzW}BWrO(5J
z=aLI}bvm0CJ?{xOtOTY5sfs$`Dlqi;Qcbs-DaF@fqajuc!QsN;I)ZVoBZXI=C1eId
zlUb<L64J$huT_=74}u3*=hqf)!4EU={N?1K972KeIJHi6Ct0>6<!enA%Mp91a4w{$
z^QBe2sb7yq6HlfX4AQY()aCPccZ-NWvCPijE5E_nA|Tv1;00PVVeND`pd%KPX?oRh
zlq(e3UiduJfjK?j7q;97;zqArE7V_Ob&i9e)X%WwI{3_Fo)Z;=#Q@>{UUvmkY+T|A
z^;H_cE+OI6nr>?R6M`G-wk5sNPl5mtTdi16XaS+of=GR1kPP3c`joy5*fqrAsgLMW
zrN$#sS;rlDWm;0MzT|FE_>rYdZ0dFyT5-I(kL{_DXZ54a9c%2GqlvoE(|c&z&2$Y6
zZI*&HFAf@lr0vD#K7I3e$^CE*I$=`Uekido#6;9Yd)$d|xsD}U_pkl2V3-c1PetId
z<7!89FFZDG2-#P;ffJjAQ}OXIPk&miTt1JB3(hlgp7!B4H;ASIT?3M1IBG%-C)MXs
zB-h3Y5_;~RM%yCRPtIo<Mx)qqE`Wd<+R#A-Q@%KHvcX?oL_END9-Cg1>A3^Hp9IBT
zg`m6&wFyJoeO;ilcdtLDXOd8MN~7@>SHJ{nxeb<6X|xyho!jx-Cj{nop1N#@{X6H0
zsBpwv1>0vXpAg^&Zm53Y6ImmcaTQN;)2oGTfTr~$`TW6xy~`li^v_cf*B24XqS+E7
za$X;y2?X%M$Ad)!remurjsqg_<eVvMh7(@Nz0_>Q$|~)i9`cU<V$od5yQx`3`M#gN
zw0MFtuJTS8!@5U}N7+!$Nt?7<Ap!{+^?&1D10sRT$*UmoX*m2a-^b)^*Zm_MtHRbs
zbC4rO$-wWI9<T91eNHhbA+{ORj;+Vj{`_>($ip1k;WNGcG&tUoSC`1Fb(0=AelW$R
zjt3@*qyBy6HU)QlJha=uLepTgve%~;x^;A2*2#8-8$SLl6ZoEosnD%HhU%I2>`WG<
z=`_2^d;FW!0QH$>Zw6l>yqPX6>iG^$G5oL30~m9ff9#u-h_9lQhv#8X9X$>K@-C6)
zpWBz&q^@0XqpII@hciBZI*M*?npzEq-u&%E24PN<HhnJTV)+7D|8_h4BAOhb;*B8@
zTMcQ776sFJFqGe=Ma$qqWS`k$sX%RuvI_ffVs+rF8|`RUe&7g;25LP3^_4A18$^cx
z!&=$B|J0Thxd*xtORW%L8CK+Teza5gc9anH>ytcQa3Z|bX|Tth$f>#uL7X8>hBcO|
zvicoFGjrKzq|!R6US!aRI8nuR^<H>WiLS+ylr9x|n;#Z0`7<ayurPnIZp)Y<u=812
z+&4naw;<q%F4ycpsi?yK6sOlP*SMusk`Cg~$?i545V87GGm~|Ngqsj_ESGBzT6$sh
za?4rR6MBpp!lyf@4{^!&VXASfjCQc_D#Y5|<?)%P&H=ue!DvgAM6p1puQ?m7J<^uM
zI<8_N8Wcd(o#AB-!RXGc@U{Zgh@oH;pdudz%s*e|#rWoB_Om&ds=J?N1FPlZ{qY;>
zzuk)FvSgI#{kbCW<9{Lg&sOw59tV39LqiAq|JO3}?*YUAZ<q;)?hWgsM;3kt{t|R?
zk6#Le5maC!Y*9J})_+?ATThO8M*eiK$2ROaJhYiUWKDnPF2yo}i=|#@0}4DaKr^Yi
zabKh9{$0y{wt);u!yThHPurCSEG;b_Ivk^l0$m#@NBoK2?=`Sm8wFV!!+W$U7V1hr
z`WlWkQ&DDSd8Y&3KquXJO?}|0;?Kz=ul98j<%!2_mES!jdN&;)#u1~-n<vUKB7Ax0
zqyPKd`6<iX6Aq-va$@}c3G%;lc{uW>n#TVa?IJM$alroT@^COQv^1pqxBfTm3pI`K
zbrEDQx(7apPOdJoy3PSCi&g2h3sQpff&*KN=*rP3W)Y^XNJ!r}?#Dt|Q3)L=&vQWv
zSmv3T<gb*#0M<_g9;Ud;)JOL8@uCJ2bJc=b=P3{SsaZBOtqupeqA3Jv4n48;O6`&s
zIO!n^fjG7GP8RHhw5onkang`FkmgO2qpQNrXuh@(C!qj?3m?xuXW8}0fRyWmaSxcu
z5FK6njGlT52?OFC*33jQ3Qn+Y2AXBc#2jp*xE5(YeH(XAP7;F)m_i9>=fe(}T~-85
z)(BHKd@X~10X?!{rO+J-+_?n~frd)~J|rjZf#-m8*#S^)lXjHH<0NOgq*-Yzp+QuQ
zNvoVMyY>xTJ5>eGqWal3h3WgwocgC~07Z+vw@9xU_@ysofXHF`xrp$q`Rk@O9=>6-
zoQt`=_T`hsaxm?Co$Z~C+r#M|D%qp$^&WUI0-@QT&q2>L45kYL|C|njXT6COFFt00
z=>QT=AP&Yl3Bz0HUo=^cp~zRMxJkN(#cbSg_4PATRY|_kA49CIT+(+)E(8V;#TWJ?
zj#8bvMUKo36BHUHCz--c6_$0ePoRgJOjI|NE$#Pyy<bQSgIMbotxxLkf!sEU^T6hn
z9@T8vl<6%m|DDC>?sRu^I@+%zgUiF|`eMJ;Y-hNl^?OvZ+5NR&#oP0__5PS{yW8W#
zap}>Nd-;~m>uqn)y1RRfC!z&n@ZLJB!{zPZwOQxucHbcUSvpLF(?e8$BGde3rFB#v
zJtvS4x6s;%A>tPUwJb;%P1QRgqt9|u$eN9oMbM2C6r};Mw)O@~3$D<qz%PkumHZWe
zD<+Y4>PE1gvI~ju8=KgPi_BtZ9A~6lB8_bV@d%J-H2WA8eR~X%l^j?9JfR#6=^C2@
zCZ~{ELkDLFhP^hKA&Pwq$_%c7Q$l^%(U^z`0m_J~81%ck27~}btlHJ?O9za`$hP2U
zN#YLF5cLsw29`b-3>uIyOWI)aBDbFBm=FtM_@q<S;m1}V$!U5+X>UJ{=2cA@y$<!c
zYQMgf`7W8{+E7VQj)vC_!HCllTrL<Q<mt)`F~rjqnHPctayu(}J^yQ_d)V0L81MuO
zsb@>SNQZ11kY;{OM{!}_5wh@wxbg9n)a(5?X#{0T;5BPeH_14r$Ipbi_wR_hb(S}5
z=FO`Yt%Z(w#B(mk!-OE~{!j44_F&XeSQxtTqlw4gEqoBo@7-uume+T$<BqvA_*;YO
zT9q67mC(-=xexr*6kGddms5J$X)rl*mXr%qcAc^5e{52%kzh8cg~x`(QePrMPVfcn
zRd-YtSsjM#mzl06FoGSs&6Kh9J;s{Xc&PV0Sx2AB7t1!%jrMwD$=9g9+HjsQ2?fC;
z_2HYGs+}5{8dbCrVw$W41kNXj<(gwmDliG4s|j;OoM@@lQBkE%y%NimP?vK7%zm~n
z`$l~amDe9TFR%fc6hrnxCls8BYsRW1r&^8NH0VpU0c*lkmH1;%lMdP(UF;mxN;^f0
zU=h_@Q;8cGBW6I37fbOnGK{M<gvDXq7?I1Hb8}`*x}r5D5I729nP(IINT+PqVb6Fo
zA|q!zE~WLh;gfH%&4R~4>GGJ^xv|2T-FLS|)Q%|7cn0#Rcf=hSSwcd4N(IF>oDOf6
z7x|G23BoiQ!TfHjNtS`sUYle63)01g<|%NYc`nt%BOIKdp|VW_A4?g%-D?{DLW@5C
zX6A4bafsa#lGXRhrvzpvz>e}RQ)4CrnPOTNP+r(B4W&rd`s9~elwFEC;TCv}$P0G`
zQz2|C%D-A-n7O)R5aeeQWKSD~e9AQ5tS>gh;E-Yt=a`p8;V@qteE5{Q!z|ZFWKlJo
zt89Ypm}y%QKhKe^tRKLrzcQDEz--K8@=yEQLD4T?f3F<B#z70wAPS<f*OWz65$m#^
zigzKcQkj9Td@io^a@HUG^@F}EKbMCcWS8HdDy0E*@DzT+I!;j;qhK9`&q7@y0aV7Z
zaZT>sd(Is-N5O^S^Vi88Z7LKjpVFNRx1Vl}*D6$<R+oU1)P!N>UQe@z0N`>CsorjK
zmsr_4dy8u8fehi}lAhWWRC{Ol5{*rt_u+#44p-ofzstAIzzUT+naEu`t?Cz`{H;pS
z0wT9^(B3AOc6`sVDQcEWgSBU@ll;uklR9z;PuVmIgH*~LJ4A|CpE=?03}GU;<D<Dz
ze`ybzKU@E|S)6AiaEScp9~`lS006N6$zk>mt`>&>I>`>yHLUm8k-c<GzXcPXnb8oT
zLg+Eq2qT%f$`+~`s!45o%8>F09CVf6x1U#9(Z~r3kT1I$YHOpr?VF={zUm-L@51&2
zYDSbMu>_TD4j8h9pjAHaU5j89Np{Ka5Db5O!8Fnfbn)BXSY#d&xATYwRRE#nwu>ak
z<*`*{TZqBrt$I}0y>x)#f&;l2bPs<~3=YWj<wYIG>EGN!L<@?LMRJz|L__wHAI0xg
zTLdyDAW1x^OiRU2BD-h^QS&)KOR(levg#P#YZI&S+nrD$L(%F3KtI4j&Zr?mf}LyO
z9&@8Q;t*pj|BN~~^owI;M*ySV3f-=7?p3XUp8-9bkm&Q}r@lZs<Q3(U?jI!Ig^@p`
zl<{J?N7SkA;#=$}JqeKyoQ7}-jdGLftNI8CG@CY)a29yg*%APnhDvMgj4Y>y%LOkp
z4g^3~E>h@_jYL-(_!%66f4wRPbt()#CIu>pdUp&J?jg-^=Qh*`YNTL0NDl4jV-L^5
zV2VF|c4+zb3jczY7aOttBSNSDvzRV^4G56?G4qAD<1l3#dlKK>g1zssHW6#~Qo^)B
zRsoOm|2hz2FEH9jd9q>0UTJQ!HRn>^jyvN9^%DX@%&K1rW>0_TWVhX7!%)Dsu_;TT
zPTJ!$rh4Hr&Jg5Ii}3VAr4~?pF%>W5MFL_T&{sK>2q|>cb)mwk6>1X5zeNlWm@{GL
zpF&{6%w}}XXl_${iklM1fst?n{i89uc!GnZVR?g)iUZ`9QC>91xrivQ(GCUrEfZ0v
za9r~1Ui-^D%UeXz{SUed;*#{z23MAw$j5lTITJfg|GF=GMj_)!1a8rTSV2v<A0dyr
z?o>K|=+Z9r!8ZP=pfsxc!Us~F`%|jXKm(w}A}Q>+7@Wsdc0tZ!nAM<_MpaysuE}cJ
z*n(D5w|rfQfM(_mI#U!6t&E&0X_;N(ovL2-aulB-(uHwDtV7r;#V`u(fHp`J428lT
z`$#C6G-iy{;gT6r!>maAV?s8AI?q0=iQrY^g9Oc$uYj!^X4_31S*=A<5X|w~+?%_N
z%S1)K*(`mB{;Vri^GU~M4=QHZar~~MK2MLJRszj{BgV2?UCM{w2uTKug6yDYwY*^_
zKkBWO4zqQ2Yn7faS5g-Rl&s@+!s{W7HTQ7GMbtz)l1{rN?2#ZW<X9GsU{5e6qJ;_X
za*Uagr5~1dtX4m2b$pFyoR+`&b)*oNbdnYQw8N`(&Si_Hgh{6A8^P<P(49F*D-uZ+
z!a<aV<`yD>*@3hjG2NJgs<HbLsTv}-V>Pf&@(TW3(t0RWP*XaB8K$Mn5jXA;CE2^6
zdoSSx%8{b~oQuph?*t3LkN?>m?5C0eRx7pEeDZnCZRfDvULUN@fs)r$Eddv2Zz~b|
zjZ!9WSB|m~7MDm^<*fA>+|pi*5_8XzYr~|xkh3N2GEmEIf5gPEl!$TqsKWp%`;uO_
zLl$nNxv?=Wuj>oVe7z4)N#RZF<*<174u28v2+<y5u|VW%s2OMTbEdsTjp;ov1vIhn
z8d5W`*BjKzRqOFO`1JDTOV7v@*no590@tY_m#K3Z``yaTn-2>!$@W?15V98o9^$|r
zyreMoi9Gja0)HxHvWG9xvr65x;Kq;wPFJNCzOw6fkpb3niAi$uD&Lp&<Qd!YC}qiW
zJByc{sn~DR^!0D=j1-f1T@6Df0vSOO@t9+xdC3~IxZe?%<Vh>(!yV1&fzE#`sS8!j
zRC>$+06`jn0O<db)c^8g^uJz-3Np3qv0LM^u5ot1dvq@bIXkFo!#1Vl32Y5s7A?${
zw{BJq-jj$LMIwko83$)GZmXS9DUtXIb%<pjCOMc=CWP*#00O~Ft~}o9yuaTLcaFbK
zhx_-NorC+!^ZWfjo8hDJ@VY*qu5PNoZSSXxgTeW-uDd-uzVBWvzprklKcoA-IliaA
zPcQMJWxU^SUAw(`b0D_8I=DW5%ID<yG9RzUmUrj(?b+@77uIL8Otg&7b@r)FwwL?o
z{`>sbmx0aO+u@^&Lxbz*<Ja!`F81!Ef=tA)Og1j>MKvzp$Cu;xr7PTB!?)eHWcK&)
zaqu-C@!B#x&u-Ti-{<A?_4mi_?YT45?RkH4@G+m@Ouv6M-qwZJ`_qfV_c_{I`!{dJ
z6`$zE4ISynaxlD1G#@S>Pj{Y8^)bBJ_fh?_aW%!<>v}Z&1Da$V9`_|*C)bCe%e|N8
zPt?5LSjcbL@b7$Hf4@C$JigC$o^+n@vYzoM<buH!fV@0CKGy%X<QEZzy?%bJf9*_n
zdld8SZ|=Id+<d%z>O5y>(LL*QN%F|jUh{GDeQbPlt^V}>c>DT#d;a&A-G`)9b{6jU
z^_RxWuiWa>eW~A#x7dH9-2UJl4u3;>_if%BS+T2UR>`m`1T5cPk9@0r6{XYDe|?_r
z?0?OFUh8Ci5AWkOzXxyg&V%DE5kC|>r$>8hUwV7w2+e0dn`z3(@o{_Q{(9&J*TE}7
zkO*!2ey1MkA3mPGhEu6tBKtE8tTx~CX+MUu>hbak{#p8M-h|FRh3)$n3gP7Ydk3Pp
zT6zENfI0g2_hP8+1jCemM7>J?nMu57h{ED2|GmZ6#smD^<<X)`8}3r;atjCd%g4>_
zzSoyRW;DGJNl`7sH^F)S6yL#Pg_-Ee;^+P6>w57pADoGR^l0J7`~&WmB+m@r%r>WY
z1c!ewm~r?V^I%KLr}A%~(p@{N6qHoVs<EK+y4|36(nb^NkDT1E`;UXm^K9liUK_S`
z6UN9mii=9q)zl<<57U_e_-EethH9}ua?nVhZ)*y#RKE_cf?SO6u%F)tH78ILo=g}j
z8b=Q;1Po|WO~R?n8O*}X&21}atSSb}er>2DXFn{dTR24Eyl8}VY!L`Ur9bx=h47Rz
z&)q1QIs{+Q#k0V=Vj{_%&lBp+3I%N*ZV1c^t5->mH=4FG&}hutnX5Y$9a>po^v4rR
z`aicu&gm<eFwk^irRjH(#xJ+`$J2wykK8L}f3H8}gt}EirAsvB$|Me16P%%}AIy7_
zTU4zEeN|%~7v)!5UQktG6&a$vBc`{v8Y*^HhtGayMHZ3OR;ZUVBPr1q4J&ocJss-b
zrP<$}ek3n?la%sFNf<D!(;3whd}9kTq|>bqNkOl-nCfA%(cpMm8t5?4{L^2UX{tui
zu~m~-)+xn%)~0kHEs4&)=_-pD`qCr@L#r*SKy&tW_7fhwt4_1){kWN15qAL18r^wH
zfqrjiO8yD4W!P{(30A9`J{FsV#lBJLzu(npwBbTuhe5(#f=J@RDX!Q~L2YsL1hn4x
z4#+iKK^X7p*p)$y)+n0r&)|Nl<py$XWIAD!t-`|WGV2qH!e4c#+Uk_N*1}jqr+OsQ
zyrIML)q}(1{1siz30z7%1BPna)uBo7^_Ev%EH=FV1cUc)Fs~^ZVIIiQ1J4&l#gd1<
zg71IYmm(({t?cgY6}ds^jNlXV_xAuDM_H|+R)!`K)>}BvPRz01!#Ege+E-L2W;f<W
z5ZX_%3mM8;L6Jziba6r1_{0Xm-u$#4Bq^P(^bd-}A~v`~W7A6(GRZqGA-&Qg2CS3c
z!bkT=d6iOJZaY;ETQTN|_=}5#_FoV3IJ{HxiZAbrJ?dk49K`!{(RlpFl%yl(y1vEJ
zJ|rhPxL$sC<>_wM7ql{%n@q{1LR+p|#HQ1wY8SfE{_xnEtx}kJj!m&Y?$l2f*c!M}
zvBsla<kc%w_$KQo7#m-O4P}ft(kOe;u1rq{LV8j4DtNaq=%k_48|=5zMY+;O&Bx`D
zjRj;MYU{FF$|PWDbcQk}1d{>hTfuP-4?46V=X0Z7Bp>^we`wakW<w)=DDw(rg|Fz0
z4Q?!qfpV2;7W^)=X8<f69W3IZF^X}tm%{~>q#ARuD%oisz+kw`CdVGt8D1HgM#Cyx
zus%d`>9vlRbITj}lJ7by(#N5i1|d$;9yW^y$AN~yfgFbeqm)U_<t9#v+8hsn#bR=I
zn}Q@x$ga(b2MRryrgvA4;r%_9!b785PH1pw>pO5ZuId^z<FYf6P%e!=iA1_KvTesf
zk3FqIc#px!R%kG6UJJF%u<LU*#A#JX!LhYglo{zbEcGgvZ?_;ZJrFh?Ym<V&RKb1R
z4RiYNmpoc#MLv@UHywu>shpFW4jzwVZa`o$e$bp@EIMeMXbkIB()bpmTdH@SHdKwv
z8`DN%Y&4U-40I}kJuJ};s7OhrxS-%+NY--S)wRTh!LYxAV(_I4ndqBf#{UFy)Eh!b
zR7O=VRa4+l?35j_#h`mH*Af>fcHxxiqyV3m&-^-RO;dY|NDIbiVw`5N5dC%ZRL?&2
zfUG!pibQ^FveI&`@M{hU6X8v)mco@T>PgjH9r5Dpw58P>%8NG!{;(GE{iJ^AZbK+y
z<02%sJ?jUBnORp&rR^<!t3_I8bVkAH4+|U=NjJ}XC0Rp>_wfk7-QI(!T3F_kaC2&+
zrIR_15vlleB-g#V+*)`X(ULh$?Vj65$*-~sDE6JK#$;p%#4~dgarub!AC%l_8xcA^
z;B*42pinU;j`%A+4utBQSiuoTvn6@(>0;{&r&urLy-gW~W0H%W^$SI7?R*5%Ios!O
z*zg2<D;ey^E@|G8nTol$f5zlMXzV-?nscI!QgAjsQjJ2RvSz#-AkXHAy-=_N7>YiH
zk?aohqyH-4v0p>xOIwx$7=#}_+`M&w<+c3L_Xph$p*!QKL6_U{W3fN~LYxC(U%`$Y
zc?AKV|JtRm;njm0Ua{y{zcm?mGAIXpnk4Sq=d{;8Gy$iiVCVD}@3n(>-)S#dCVo|h
zN0&Xpt*4+eK8utjESTsmYI99;Zp&1q^nLIlPdhck;C@eeIPxt~=q`TV-kUCVqdtB?
zOFX%=53QV=;}(%m3dzQhPg%NYC^-`xgzXzpK^s7)M&{OsVRSbi&>Pl(h>yeKpjxlC
z{lO=+SAmlAZGCh*nJjo3e(rU~y;h!y49D{%RUr#TlBw9he2JG}q-y?%ZAipHz(#W`
zJ0vk1Tkv*yFS(%g6tWQ||HD?_`qc7)%Sv8CIq~t&z#9&HH0!xB7kCmz&6g_fK*038
zN5peYm(X1?|KCq$&<U3J%7D9P)hEWRPeszbO)kfhZ77=Fu3Pn!zgwz-;#t|O)AvXM
zUuzPkV^(<u6z!pLMHVm`!<CL5jZ$1#=TYf)nFC{1&PDcS_5gE3emhGu<sfEHv(JA>
zP(otW(Z(|86IENwo6uVYSs&4YEue5!F0;OzO1oR`4@eWChCDpi<XnqziSn*Sq|;0O
z+%GZpm$z+F)#7_(+40n_o)VZr9vYJ&I*vtkLL|#x`Nh3Stkw$AD0{B{7TxqJ!JXDU
zxe}2mFv`{+R?t2SO?;O{A@aU@z;`^OH5?{%l=0?b7<1y@C^&-SKbwb=$0I7Z5|zd(
zjg}~Y(@O0xxl^N7_Of$}Q73#=7$$6dF?7#aIPlRtqm#l3U(ipK$uzUm23tisWyzX5
z#Ml9SKS`~p)Y16$15lg=cbeEAh?mGPk%7s`Wa5rVe-<97j-gW30P;(2GRUlnYGozr
zU;`K6PBe=RjL8TSs~>C1626v(KxE77*}N(Xyhf*t+)$t-m69Z+ktG608w@PqOn+mb
zc9Kolx~}84QKHpewA1)<(hiQvNW&{g5dVw{(VZyzT4&Vbp8O^;S}RGTteb`Jhr4Dh
zGi(_^E2BfVQmk4(q0FJ}&b8ehC;K(uwU7HDLTE_lPvN3o&uR7OyqC;(Y0UT75S^0w
z)iu8+g5m2tOt}PheK&EvhptsuJt5t?zxFOJ@H!ewe6e9ATENYb)ZzZN9x9iW;WAF^
z>P4q)hEk5rTPcp34VS&vjMY17JaMOb>gO5u4@koj+rxfj2Ajc7rFKEfW1wKi_UPfE
zS>kh0DI)zYl}MSABauzCUuAV{xn+%stc4{`0T-Y~CN|^luk4RvJZzNw6XvbdOF{-Z
zH%W1R_m51G7(XeD0)hh=Ct^J=j$1AGYdpS(m)}m(_0Kl^DX^x83w~gkC-4lc<wo6+
z6`l&4&<;z?uFo<63_UoWz=aOcX@V4$f?F^6lApS$^-(=UI;*&w99$fi2KCc06bMWP
z^UlIcE(W?#ATH)c`DbnsHZoxwf9TvFTlXjS<#6=$<R@cGjHZ4r1OOES87E$kRBAg>
z{@VCBNDy`H<vn{`)KkiW`k`V*mcq}VWWzrPI$0S}|KL0U+no|$+3ZMB`zkGqla4(c
z&MNXCC7T66<@%xXW-q)Od(|6SAmYPQV0zR2jFu<tqLlw%)Uw)c6d1v^xbu~F@HGe=
zgIFTN{@j_ct)Yw8Sy4GzE&Z_3DM8N1!Q*_5IGSGavm#jISZQ~z9g8=Zh8z%|%ox)<
zhRQ^8u-MD62l6_q7_;}AQF4{8q1{$Tpz>Bb=OBv_{i;KqhMb!?h4@(s)I0Ync$=!#
zAA{%@#wl<NsO84{KSA&OtIRq~y4m_i3E<%Rhh)XT2h}8T*%>a<v2pVVAIg5mqoLp^
z6dX@G{Mh#gFz0J+LDF!XODx9+{6*5Q>tIwib~TI^YxXwyu^)z&$2<Iluj6Sv;-cC7
zjJ5Ga9%}VJy%ritA1WHZ<tCw7K=^4G93>>bUMO^A=+K($A5Q&XDV|8=YU1?ND!nay
z8hgFr2TiH{Qm;Y$6&JV1Z-&>9Ak89_V+KG^6!LPk`uc~(dB-U~!<5zxgX|?+W+=q_
zXZ%bAl)EIpGCs<QY|dxg?3ybDzj8&~*J`n7;A?Ja)bmy~aRMI|dt5e@#5aXY8Zb^V
zEZ6OL61A0ly`NwyNx9vU7~jilUiN1i2I|&|sGay5yjE(a>MQrp!_0b^`G4B`&Zwx8
zZfzt;Gk_$?QF6{ANS2l$QBXutK@jMcAfN)0gCZ@l$r%X}L<W!^&>>3_kSsYWB9d(~
zBJkB|jEwJn=l=VCT-UPCX{g$@Ylmk)RjhNW8iWhYOtlh0DYZbF9G0ejT5DFUjYfM9
zXUw_FajQ$!N9kVgG~~k@N!QaEx!6A&CO(UMnI+&Mpab1Jo$NdLjgQ<gk(vsi{b1F<
zVms}gO6;WNL_crzRNR`fY1?`FiT0^2Asvb!ZEjbi=)bjX!_wDMOs0fFDpTo&{<35h
zQYcpE9xL9JKd~Okx*`?uu~Et6kZ0A=BkZ|rv3U$z08+6y4iL?%{mvrBrYZ8di66@U
zc{w@7oQ!Ls_9B4NjA)xmi>bnO#Ss8;y-LnyWkXGihJrdhqHA%+9<8GmM23F+<y^Gw
zYZb2_Mn3D;NuNF6yv(E>@<nG=r4+s_)rFO;G3K1=7~Lf4zSVz9M*c~TMnwvr#!g+1
z7}xBbq}+a<vnAo)kDpg0Q*$ZPP&uV+Q=s14aN>I^EK*iq-oRy!G@tO<VA{>Ko;d8v
zs&HPVHQ%j__crTY3H%rMB%Gy=sV@ec3K`MKTD0Ib{Pdh|4Tmy1jz&s+^?zJ{XSG?8
z@S?NM{|>5SK2z%KRe2OT4aMdjtLe?lsVLt;f{JdVh9c>)j)^;+Py`9QV_~{JTeo8_
zGIdbH>g9+8)IK#I&@G#cfZj4{fe!c=LaZG6vvxw!g=q^SNk4-ZUdUo(=JMZgD@ZA^
z==xV3a0&r{Uo?tY!sulk6GKoEz$XxoiVV)7$DI67PZlvYdv14RtsyX7YFs{Hm`h?=
zsuulanvi)55PSNK_fk^{L1`RqD8Q-fN3v3B?7&E`%6FcOtZqAn^0}<54X@C{1~ocR
z%hBh7y>D0KcmpTtz}xlp?K}uX(<@#t8Tts&&{Z^?@!L2%W&e~Me<_S8pL{Hdx<c(j
z!{AkyfaABy0F^|&nX|LQCGy+UNXv-NpdK}&lG7qBUzncqLxO<tB7BCtwbA$`NICP#
zrJ|M<fg|(P{G95${tcsB2|)uXlGl!v=TxUKSn+X;WYGzS{h6aRMf9AU6Pv!H_P(}5
z*<m!Azg@|lO6ct6kS}+;1Kv?Lcj!?()XoAN<*dS5+y_+U5}i;=N(-|iGkls=KVBv!
zPWh836;$^k+Z$einwNsBdHr*ysA#^X%YM+z<YL<!&hX_dA08pWUk?*YAgpeDBY;Zr
zS_Pk1_IYm6cb@y|Qz;UxwFcj2dtRe~hRWyUgS{K>*qi9n)FZ*pXGR&Fs(@&<pBn_*
zSN($1;<kpbA1!N!fSVL+VU@NAI><|Q1#T`+qs2~LXyCMdxETb6QcxTSC3lXioL0f{
z5D_=z6|N7CN#%`+qtd7BFGET`Kc21Cyf&YitwnM&&H`fXbC9`TtvTJ|_1={(zMKY?
z@XKPxC*@*V>!L^$TMM^ubKCG5Q>?X`U8#g!iIK|j%sdkUNJgg%gF5F{^IJ{PS?w&(
z5B2&Hec}!+F75NVY~prAeMNCsp6P?XdCkUE7rECexhF>Fim3zT49qyU5{h!gpwV3C
z^QxtFg=cXp_Pgay6r}L7QpC&5rbXwn|1FrKwe>ItvV^J^umoR5)vc>y=w+lu;eZja
zIo%r0=1d(V8GAA>ArgDbuv;0hA*1eUD3p8`3$7`yj`xfjhb+I3=kf=DWIJH@xUWca
zFZ$G-UXSHx+8YynukH!FAr>7y!83Eqe2+yv#Pc#LZlb;HPmjNcvlprVH0cI}nI?9%
z;SUAfGfy|n?B$V@U$pKHf*2BwmK9Uqz5KEEF6zD5IYn8Z+6!|hrL{OZ!Qd4OD=BeW
z6?ZLE{kqk*7HTm)e;Iu?qnzPI0wtHLXb?IHg~K~pdOLt$^is9DTTi%+XVK{M@&=^6
zGp&o`0j8Gef?Xhlqy@UJ0CTTCD#vm8JyG;Cq(u_0hzBoP5M?*FcJ5$87x|`k<hOHm
zqNAM!AS-uX0apH~>WYfCc{x^{0|mn0I4fsv_r#@pINIt&QI8I4@a0rQ(gUuq_)!$%
zjkjG(E2#za!%lC!F*_4>+O@cQc&w!?T~GV=20ONPM85^OrR_4G87UcW7DFqfETs4v
zbbGogUJh?5u}Dx{i+d(%n#ZSoecg`XdT;M)6wx)$ZIvlZC^ly*u5VC7KVezrG&C1z
zB@{&?F_t8`e#Fc_#}h2UfIlZ2&J^0jY)2d2!?HFbEx#a9*z|l0edBlUajVQ)C>?T$
zCwUB&ZV5MnDLD%_2GhFDb6GFFst-vWdohV@p3e!%-wNH)y8DO|vO+v$g$d28t{_)!
zUP^k*idnssEI0AfsR$X=w_&;?byiY-`y)}lf+7__e8sXAfCd0_E8s0s*P!W0UQ4+0
zRE4+myk}D~qQqmpJb$J2YR>EO8+y?>d=>zNAB=+RL9w~SY2M`(F2|X<JUFJUe$|#t
z>^UuoL#T*x^WuEwH2m&EPIU*~`d3!2ph|T0jLO`h9~_02o)R=8(Mv_R;@~=Ovp_#p
zk`|UcO}PD0Cpw288iM!@7=py3Nz{9>KvR->&=sHn3F)lG<1(WddX9F=@-q6T6MgZ#
zJmn?fdV0_}VC^sfCJxr+!2Kd75ZZv8o)?93+IFKPt{AwVJLkIV`q^fIi_3<PLyB<0
zRksK^-wNk^E8zU*yvyZjG4o>^fnJU)QBga$xy5XC3b!(=;LX}c=FOsm(0jgb7r(qO
zLYMF8jy@(P+qR14Hy%7qaw3nI48GY?+cMZnsRYq!P6a40IRUIm<q*Gx5QptvoaWZ+
z;uBba0Jnr+g4mRcN!paU_i4eb;}3{a!a9^r%1zl)Lm>5|%Ux&TmpIph9(sCHyt`y)
zy|xv<K+vfLU@e@t)sQ95V#+3m7{axbpf%1J<1fpXO@fwC-c9N^u1p%3Plgm#?KHMr
zWS%QAyZ4@t?D<1w5egGo$4Qc&fHf!p>OV)L!Y0b76?|US=kH1D3-<+QCh}eU>--%}
z&(e7prT7ycH15iGC`l{7H!?e8v|cCG9lbkZi)`_B<CROT-ns3)HNN+GeAm)-CHzEP
zQc_8e&q>)Y;}7<x7UuM)Z~COhRT~!TVw<IsVLnwpLp}-$ZbLrquCjYJpL=Jp;_9PE
zZkC>Y^X&Rg0sEcZj-zX`rz=^<3~uz=w0Z0CkWHrS)Pe1_Hd!Tm7_r&3&(>V^&Scx*
zAhR<axt@^iq~kd@!Oe~1C0<-}Q%HZ=DP*|)#W73M*v)}htE)q~rSGHNKO33t)ouI8
zW-3d(-~QP9*{)LQ(#^oAlBlRPlSQGjuD#pKWdy#v+exE#a1vA2)Sd`_cZNW$$y$a_
z^hW7e!>Y%Jw>P)$davG4V9tAroxv6jvDoVwt4Ww`s&yJD2q`1k)Hl57x7%AB)fpEO
z6<A_&7z>VdDmBUqjh~2@Cpkgk^r1=SIN>{i`vX@r<c|~1Gr}>gsW%>l!mY;bTt)4-
zvL3o<mMll4Kfbu#=3BCS`<kppbcb>4K(@40|6&$nnLyjSE)~x&aQVjxm5sz$MDk#r
zFXDl;&|vlB!H|-%YrE3ZKHYQP?Cs<2`a5rfv@Rm)@=SLZ^AS0*Or=JNjAoaV$U=KO
z%kHrazmY8oVOxl>=7}tmPC|G0gv8==UCP4RIjb|Z!=<vc2}Cmf8W^oFo$p_>OkzUB
zCaWqiAxctGlc`ek%>D{bXjOl2#*RSsfxW`NYJwWC=cy;&HA_}cJZ3;0I{Zdcs!F<h
zK1CXlN!wP>)g|1cE-&4E=AJ#u_=Wco4}QVX;`Gm~Z*A|dR+t*?9GR7;`}FAi%iL!E
z+&3X63FN8)Az8d-0>?we@{pd$u}g$RSWR8h^sXa$7bR`9+ZYojD#*jJY10@ThAsw7
zG$L>v0b?rV>Uyq=veu&7j6}rJswz<1m-eib{_&vhtkwgOE*9aCjF|q)TVhjs^}dWK
z>qSE?X|*eufs45WRosb{Nnix&V5hDlp%|+-GAwfRC1){_!}Z!r6O+9N8O650_)v}Z
zH?kPb5>p%F;3fUJ9Be3SF~dw&N_!Jc#oDS<if5$*6z3nqqe?yZc<r~Y!iSu@o-Vl*
zRh2!mrypLfgl#{W5x_<uNae0M${u@Yt>RaSL0Fgg91lvNZnK-enQ^6xz8Gk7h=Q8j
z7rzYIHE;w~N_jLpvu^0bbOs{u=zw;xwaYd)69*B}h>JYJe~qULPhh~!)gtG#r5X3o
zDZ}{orNj)zbLL_qOe#dhpv@!yfjsnKgWASSwDmhQ0*|&H5=ncQnD%;B%!AAH1RlsP
zJV7u%)KZ{}jIL9YAeY1bhA#MY(Znnp7Zgu1u$&9}NodBQbCmKtKt6N0I{0+x>4{nZ
zb2@u1_tDGSfwZTk;5An-NvjZA<iH8w94=?Ttqd^KyRKD2@KqCYA1;2IverDv7fjw4
zR<DOT9HcTIjj-O(@1dde!{p77fbT#c%KV9CzdI#aAPh`<zYVUrwaXr`06x+v;}9pM
zJeV~n!^xmW3JKZ7hn8O7T920b>je=Q=tk=yAZJ;MYgoOfhw`wlKG295p5(oyU3q!X
zjgoNtFcnU8s5G+mH1JrKmZ@ms+Gyaoc&3~R^WEBKrk$n1_FI~hZnLT!UL0L?)U^Yu
zgaOC!*Sm28^8g)+TXS+CA5du~L6Mfxi!#5gNmyHTyqk=wD2|St(hu0QW)%8-y_g1>
z!~Tr4qbr9CB1?qZzc>JPSdDQ0@#$}7!dc9G5;9bcy?a(ME4BSGst{IqM5RK_3DJKx
zL?d{|QZUG_**N0sW%H_?s)U)x{5!RsU;_5Ds(7Ll^?Hi1nkm15JYqkT22grJM&wco
ztnogaa-P|C2mw5>stJvKBMY+R@oqe-0XN9B4m}ygtcj_lDBr8D2nPp^-zf>kX2aR^
z0o+uR(2|%c<e;Ap2h}ukb?GQjLuNPz?02Zrp_>i)Aq;Z-L>T1rZ=X;@JSxYe)Koj*
zqAJN}_h9~Bwz^OxodND)C+v<51_>2V^VxxT&VzKwrC4M<r?`+>_Z=j+)`^%Z`f-Km
z;a@zXk@(Fs-^Q<XYGSR0X8lXt`NHfJn2?YmXVAvgT(Vbj4pb!n;XphpC_gCuLVwsW
zjGkJx=w^^{)tFvSlxzQ1R|F>Sc-#DJVP@f_9x~m|L@@bMGzjnKy1~YL{*#c&O*0rd
z&BYYEYgmCt(1#a6=!Z%>YM4*{ww(wRUi%>qMH+KBh@KkzOPG^XEMnaL=Ht|Dl!u_)
z{i+*?uwT6A?k>vhKY4^xR_3?acsR&+7=y6G`L2l-?r8TrtAIHl0w6RCFS_)@Ce*q^
z%Q-oisSGXC-BnE0aP8+Y|I#aVttZOn^Wjl$=2-=FkZAz8{*tz$?8v^juL%GW5jSxD
ze^M_LK*mV628dN-QWVEP87L^fWF2IdB7oIUtJC>3wKtAY5pD+}gjR?MKnVEBLx$V`
z{I%U`XfKb3T5T22zmXS<_<cY_aY|R9N0|S^r~lbkPrn-DUzqp5Ddi4La$hMFue}_V
zCV(r<6x`gaEMTpY$i93a_NK$&1r#r~=7URR1jrw4>0k3UE?jy}8(1zv1_xbg832Or
z5K}$<397zDQ>X?P<a>}1eEw^vIAQArXzTxZ3b?E}cIl$Qt_4(l{!{Ee#pMm^-w69(
z*yHEwu#Y<5oHX~Zob+#$65siABr-GoYvKuXWr^_N;|fPI?57gnCbBKq#mzP_;_zF?
zFQcu!v_RN)XX8pER11q{IQ;+mU3en^C{M^Jc7yc0_>Y?M!%^R1T?R^(6L6t?BQvt!
zm5Ogz)CT!er0cg{|5aES{P(4NA3W}G4ha8OAOZ!k<ae<MQG=g>?~}(>Qg0KHf&Vt7
zEMy9{pho4VF3zhT;v_28wX0K$61+|9Z^e3>6bQ?BN;t|s&c;ju4)Y?hJ2umQZM0D-
za!CX++)(P---?Y+>?R&qOBIISH#cMSPnu!wUah;q9PkHZF~E4vNc;X_5l5j4CCWJ{
zQ2>hqi2}b*Lrj~2I7|yM5d&3Fxd4#@#0AHz4jcFluWIIJzHB~q4woqg5Uu;#V85*$
zD1wh5LN}Z1_>7X)-%Abij7hWrS+USwZ4R+5so|ZukNJJl0gRaJL+6U@xpBlQqxbCF
z>&FD4w1<Wchm^~KIM+V2gX+;asHU^h>d|GKf<X6Q46QBw>uiB5av@jX(L%LK<9^ir
zTwJaCP9lHed!Q+<1_>q$S1913ND!hqIO_O~MgFW6{k~SB6a(4-v$lGS03ps2@o~R2
zzF_WkQ*~IhbSlYo{d|U&LeUGwD^Qdl%=*^flyM|6RWbu8rT>5#bsTr$0^pqUZ|a6>
zu66aqYknwcT4k@|k|vHA;$ZuqzXYg(vNsB`qQtoCS%K$q@$duq<mjESv)$Qjgw_{)
zSiO1!YB~uOVW0%de6O06vww?G*^lvUgSsCvi-mY_sf8lMc8A^o+Vykz8~A%c(g*3=
zC{>@hr2P?+^=^G;deYwMF2p<59;1Jy69ytbnhWZr0g*L*etducWHGJheWA!b#_rX_
zr1d?SPhDH#$!OcYZUzcMUZ5v0u#)Ms6p(=tEp0ZS)la3=FK=sX^P*wlfQKg~1E=QH
zSQH{}#62;!H2U+JxozHfeW|A|LCj$06{T(!dlyh<d-F>u(l2lNqd)Xog@cJ|#tce9
zOytQlAd>#)>J>w!=RBCbVj!kE04-=J{REQ6n2>;T+z8@0uhRhmK|VSPP$fgBH6381
zM}Nx&X=JojK~yK+`GZK;2d`(<*^uPdILR;H;v}ys&_I-|i~y^N8N2{U7QT^n1<z20
zzRPJTqDEqY+LWapLshJuE`cjyspp9T<U|<WQG#%n8}9g=cxyG8Vu0T+!7Bb9f0mt+
zAn$)}OP(1tsi7OnhNzh#`jZ{N-y-Y}6gF>hE>ph*LJz1y`vRv5{s2yu3VEC=KiHwp
zi}_dtn4vY8VM{w4(!lUI@DfMw8}RL`=T$DwAs%E;zm&%>%(#=B8VJiuF1geLOy}N(
zle&A7hJ1v|_j3;in<C8G3|9z>CRQiTCx-z$;~mf8p+4W!48@;5<U^wTvMy1P&lr6v
zoX&Vt$(bpv$jO)fZ6#il3JXuU@v$u(Jr<_Cm+V^G!PP~Y(6g*&gATI*UNekr)wqNK
zI9JZa@ZwZa^%Or!r2>P9g=K(sDYYu5Rs0XIo?Z{*D7A70wd-^~buB~7_PXU8yKyEY
z4^>bc9n{Jw<05AeKu~Q$4z^Hf4-F2$Rt2d-(vN(i?m8J%b51VRqf42cefZ6)bou8w
zL{4^2I!R(`EKG$NWxWK;0^q~rFY#vM3g@LH7~(kplgI6q(HVpC{)im)#7eFpuu2(}
z$EOU3mw;8&CCn^qEyL`#C{=-%hKkTVs<ttz*NRaQP@C@^2772QXfTVfqNB0<qVJ1m
zU>8pg=d>xtWh7it)YaD}tclCc;lb}z2Q!EOcp3w1G-z~1A?!IH(Y_37EO+Ed<niC?
z$^ER(4Q>Xqp~gQe^1LV>YqzAVh{TD$gtA7dWZ0Ze*94|02D=d`Jh1yQ&*}$OYER(e
zfs$3)>X){|e2rmTOiM3gfL+aZrKdDY;FJr|;0x4P7%V913fwisMTM;uhH?DY;I#>7
z9`PZ5YnFxOZx>wnFJ|eYjK!=KfLv1b#0#(E2cwLGoU{Ba8gF$p1mGQ&3Ije-qZvj(
zH5cz8V{jqFUNKr`%TwzTU%9m*FzHsT+R(CBA_i;%=th8av}4|<;ecSP@(-3@&-x1m
zRF>*?b4@8kmU3WwVGkLba8wek$iUWuFHA*Z5<%>%7(EZ{OiUGT(Z~g~1=~O+u7q8B
zkdHG`5>t8EKqB};1rvy!EQe!`a59il`C2q)ifHNp*6Amr<VoO(bRUw3{BejAuOTFp
zl?mBX1^mGZ7iWNepkW#j59LuXMHJ$Lx8MG}G|ImqV9;zeG01V8TyfCS;I(XN-VD-Z
zt-ni8S6__=q!zxxYliwvk*4|l9Geu_spc^pI4)5}8k4VZ;K9vFse3e~%H1Ix=eH*F
zoKZE$ZC&gyzV1a<YQyI^@Qq%(5jKQ?O)(@$i=jNUHNqdNJ~+{6ne7|UstH8JM_Q@a
zwgLfb;j1^&4nJhnDEHjIuw>dDdv8j46YL5dCx?_a*Cl=IMIRzv81Hnn4H{Ts$iMyq
zh#mk&DiW3x5OD`HZvab1h>&pO|I&~<aj@5{snpZm-=eW54!#co`>Xv^jN?391pzP}
ziAgFjko{I7qzBl);lKwZC&7bYf1WH0otjDOzs?P+JveWa6$7#hEIE{S+<x&wH~{8|
zQAsGLk4mwri8VAl1VIBaQYL_)(6XKv<p2KKY@A9MM6i1UcmcT-&|X_vvF*>)KBy9I
zibHMsK;nU|39wj$#HY`^h=5gCG@g~dr2!%}yp%%%s%>=ayg<B(88x(vSi_3Tfd~YM
zh~~sTRl@9eEG`m{D;}a6cvr`r_`>YbaR@mr8oTrgkR^qwsdqSGR-SP|pmF94uCMU}
zdCSxj7e-#ltOPe{ur9|*uF*6#dF{3ef_nyuvpp&cx=bSCl)qi<Dp-SD`M_3SZ!lwc
z`t>DH{b;3dsN4`Tof^D98L;t#6X;b!9|JZb+q_G_1kt5mC#XjFC?1O-r8a9Q1+jpA
z%REs|1hxr7e^40GV8)K>z24_0jBSt{Vf5-M;Z5>EFhfZ5=aA-5HmA@P?DloOv}m*}
zh{t}ZyRn)!^Pu-s0paIs$4}l)^0pG$En*U3ol<4abr!yYIDSZQ;7NTJ?{fvb^I@4O
ziDeVZc<1E8st{wMaH7H%C)nOfax4iK)6Mb~TS3#j_zxl~M5ZxdtXy+1Bn<x?=+&S{
zQF~HQ_^GpkI}m~R011fIbk72`^*l-oP}I^4;5CCo=j7<*MK0~!$+&+$Oaq8M+V%(^
z=zxZ(vE6wKXv47pp##VzPG+!iwE}F-D{lTYwAq-@N?<VMhKYHIbjSZD7TP|DBYxCU
z3~0n`E+vHhZL0VA6IF@!o8pERgodvD90|ryiLopOJ91(abjEUQm4Z!RZ}tz+8*bP`
z17_^9^(Q@akrNznlc!wL8;VA(2{ui>6l^N-vLc{AEtQM+ghiWMBvEd@8Uj#X(AR0T
zt&HWX0);g9KUa}v=UkYQeP|6$md*b0yZiyL;3zl)@C#R2yTDc|kfI@9q;G06<+ciL
zyT}B61)Hd~ASz$FudJ~&h;Hbo7C9P#$$!<BGcnIu`0A`?zp)@7BtbRCJYREwyh4xg
z2@B+Q@4H1sE!dCe<#3UAK8z=l4GCZyGA*Sa&a|9gP0Q#1-3OG1_I>dGf5T`5us8<n
zE8#Avn#N&2H&?K5&c7hXMsF;ay1)!Cl7#Pj3Cf6=&BL1xmPyoK4TP(5=~YYkoS&Ys
zG=c345T;*!MB`U*Mkm8hjA7tmV;RI%0O<rn5dg$)!Fo21G9d$DAbL<)8aTN)j1Xdi
zC@L<dxZ0>|=h)LWwx{#Ar?*$i%r^9^7obN%zQ}HV+T1Ric74$F;NqO>bB5=PWAlMC
zHk=u2BYJl(j2U!Eu9}67U%uzD)}I%!QZ~NiGrTvv({qzz+?&O7&?lok>}prt&dl4g
zj^&Py@NqSv1yLU_PjBxpf_v+CefFI8q<5HiRMXhl)27TmTIxFOJ@eV!*{+@JsoNc1
z*;&Co-!smhmYTN6o|^aI1O@vztI~o}VD-B-=qVmjrsO?k=s=Qxo=FjzV0RLFSHoFw
zE(H}h*W~(5O9SVdj<>`tZ#r8+uV?^A0R7)_Cct!_k!Qh?6i4rm6YZ%rdn9GuxfNJS
z5ThtZnap2x|Gk5d3{o>=bhi>&-g~6J$)ls$wWE^TjO`q&SHPX~nWS(Uf6mSfbj%p-
z$2%nt>G_>gZJX!R)%?OHI-gZkwcNj!QT)k{nV|2&M21Rt7>UuN%8kHl^Yv^;U9}uP
zayT&OKc{#+dabU3Z~TxRNrEL&s`jGXqHi%H>f^m=3wWZK=?0#F_?t&69uJVGu!a2r
z=NCJOD<z$tw6N<A%p7%XiM62A*r+|9S!_R?)%Ka;m~z9?Tuz*K@AK}_0>Vd<asDKv
zBPU8<V==G?`7c)H94GCGmUkIemE8?jorqzt_zBI`MoN}r6%`zeb9G2k8m_ZN4F-xb
zR9XpaeN?|%v4l@feuwFcvJ;gNQ&c&*)}U_Vv#on>hsj=uDXVUQBXj;4c;RfA7qZ|t
zhZynjDEFU-v%F?!sfM_Qbb#XS_Mn;VkU9AK>q>2v+N-U^jj9!&+|!3kEpvv6VTtEe
zGZ`3%%gh?Z(`WA(eoT__66IP5&ncN6f8e#6ueecec_Mu6=)2s7zNWT6J(8M~s|uCQ
zJAub59D3%%ugHh*VZ6RnY;ImFby%Mh8@BF0UB~*jH``6IxSnb5nf~GR&Q<*;qhaz3
z-fSHYK1h1HduxC0d0{WJQ)(~v!0R35!}sDN99LiWb=_qXi)rX`VBic}-&5k9yz8yV
z?*01q?xlW;>Rl^^>alBgT$jnKTpx>9;8O%{p1ksWY;A4#<J2zVF01!z0k%Hj)+TJ-
z+@4Re>q4u<&Q5XT%+2-(^lM%A*JbtJp1qut%yxu~KfY5u{o1Lzdu)83X0uq`+qZT%
zburQkN5VTMKPYwDe$-7raewTnyU~FgGIyzuZI4a_jQx6(e&WFxi~FsQZNJ>$yOVwt
zc~s^*_Ulc0*}XApckPcN&`sp7r^-!|N}g5YPE*yJM3uA$ZpbT-ul99<6aT*7=&Gn3
zqol%TJVr^4FD;~k!9ORYQi^|Dh*AMRMk*|q<u12i8kq;FxFCH@aLehb>!MVD!)K|B
zwcm?URa_V3b4Shd7|G3O*NdU6;dnG8I&g7xEgVK8pi?i7u7gw3Xz9Qu&<$_~8l+CW
z1iA^%L4(qPOQM_M{4{ww^^)jTxHwI-4qOV|2A8Fo(W#e0cfeI>NOa-S=q|V>jeu^w
zG`a_FK%=D#KaTE&n;2<T52I{33sE(^)JZ{hoF%AEUc;myd(JY{1aD+gkOOBq>Jx8w
zQqWD#Y7`zHb#jnnV(hsS@<B+gJ05<e{MTip-s%KOF}DA76Wr45$Xk~{X47>9MP?(J
z-0av`$tc?Hc1t~9Y9!_DatN8t<+QiE-~#;)*YbaJGwo5wGpQ^_=L10epIN3*oq*K>
z*);<G^X+GuBRCS~ww1Gy)$QBR*)U=UzDtN&ARR2sACZYa6E7J(#8msV;}xEN;qzrV
zLtklSH9{Jih%j@D!;wm4d1O2)@ht}MbT5vD5CbU{X`1LgcG!qwfNn%6F&OKg+GH!+
zdISMIkAS?V{JGd%b9DT_S_4e>^<Q$N>dj$svinN}pV`SqndKG?$o!sWXr5Rtx^^hC
z)J8YkGW{8M&{On$e|Txvn;Dm((Dz)aN{U*eY$wfDBf1(4P*WL4i3pi(>DOc2M!d?u
zaQ?wfb7Rud_YBLShJvciEEzf8SMTviOJOFcSpI@6`0yzk$69Ce$EX)l_4Z?}1Jdm;
zy)cEWgpn7l?sC0Vp}dhR*3)dD6PBO4+m8uznW)Pdm5?Yhb``j5Lyi?$qp-PEKVX1e
zGp`krqo?h$udTAy(6}NfceA&TiNaQ<FBA(qQ$_KHApRI8)QR!0S!8d(<9O2B)pDgm
zXTM0o2=sW|qf$ufP3nf;g#4wic~QCPi@yk7dSrz-d6RRMeBr1~B@6v?Su++gUP`)l
zD%UWDi4JQ^$(;Z<IX*T<-Z7Ht_FE3@6OG%;66_)U#oD|q7iG_nUvaB#!US&wPKdOw
zqz{$ys<mO$o+**PA!v%<F@NTuJD|2xx>6=y0iIl~TwAt2do}J$Zb?Gq68puy@40jc
zUj*+z9d7!~Ti>p~IqK9v`&R+K9<}(bBXlhRDe=?6iw8UYdi>na9S6XxrriGHVRQ%O
z96W;Tha?v8GAkhG=L5+Oc0PE_)Q`@0NO7J2ap=@R2?yT}_Co@m;P>JGr+0-N6nOAu
zTR#Ni3*iJFeD&5r0SDi7@<TwQ#QvPVzxU)|*Mm>=|LDqi;^1U{Jl}s%%C7|chYUQt
zB3nGXf6(!R-4D{J9|8m%a7z3_st)!(SRQ`#4tK)!K2RKfTPzL={T1bZh{VHVb^d8a
ZUoqc6n+QZO^qLuRyz3wdhHpdP{vWw?r0D<v

diff --git a/src/content/ssp-example/OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling.md b/src/content/ssp-example/OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling.md
deleted file mode 100644
index f22cdd25c5..0000000000
--- a/src/content/ssp-example/OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling.md	
+++ /dev/null
@@ -1,716 +0,0 @@
-# OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling
-This defines the data fields to express a FedRAMP SSP in machine redable format. The intent is to translate this to XML and JSON for adoption as part of the Open OSCAL Implementation Layer specification.
-This is part of the NIST OSCAL effort as covered by [Issue #246](https://github.com/usnistgov/OSCAL/issues/246).
-
----
-Modeled Sample SSP:
-https://hackmd.io/UPEc5ya7Sfmu3wcg2UzGzw
-
----
-
-# User stories
-
-1. As a system owner and/or administrator I am able to express my existing MS Word or PDF-based FedRAMP SSP in an OSCAL-compliant, machine readable format. 
-
-1. As a FedRAMP reviewer, I am able to use tools to expedite the review of a FedRAMP SSP submitted in an OSCAL-compliant format through automated:
--- **validation of the information submitted;**
---- is all appropriate content provided?
- (i.e. every control has an implementation status? were any controls incorrectly omitted?; was the system owerner identified?)
---- does the content correlate? 
-(i.e. if a control indicates inheritence, were details provided about the underlying system in the appropriate section?; if FIPS 140-2 validated modules are indicated, were the certificate numbers provided? If a role was specified for a control, was the role described in the appropriate section?)
---- can external references be validated? 
-(i.e. can the indicated FIPS 140-2 validation certificate numbers be found in the NIST Labs Database; are all attachments and external references accessible?)
--- **review tracking;**
---- Has this control been reviewed?
---- Did the reviewer find the content to be fully compliant, partially compliant, or non-compliant?
---- What feedback does the reviewer have? 
-(if not fully compliant, the reviewer must cite the nature of the partial- or non-compliance)
---- What is the disposition of cited partial- or non-compliance?
-
----
-
-## FedRAMP SSP Overview
-FedRAMP currently provides SSP templates in MS Word format. There are SSP templates for FedRAMP High, Moderate, and Low cloud service offerings, as well as a template for Low Impact (LI) SaaS Systems under FedRAMP Tailored.
-
-Relevant Links:
-* High: https://www.fedramp.gov/assets/resources/templates/FedRAMP-SSP-High-Baseline-Template.docx
-* Moderate: https://www.fedramp.gov/assets/resources/templates/FedRAMP-SSP-Moderate-Baseline-Template.docx
-* Low: https://www.fedramp.gov/assets/resources/templates/FedRAMP-SSP-Low-Baseline-Template.docx
-* LI-SaaS: https://www.fedramp.gov/assets/resources/templates/APPENDIX-B-FedRAMP-Tailored-LI-SaaS-Template.docx
-
-The information requires for High, Moderate, and Low SSPs are identical from a data modeling perspective. The front-matter (Title page through chapter 12) of each is essentially identical, and contains a significant amount of structured data. The fundamental difference between these three SSP templates is the specific controls required in each baseline.
-
-When complete, these templates include attachments and diagrams. Some attachments are also based on FedRAMP templates, such as for system inventory and the privacy impact analysis. Some of these attachments are highly structured and easily modled. Others are not. All are assessed and addressed following the core SSP content.
-
-The structure of the FedRAMP Tailored for LI-SaaS template provides for a sub-set of the typical FedRAMP SSP data, as well as a place to capture assessment details in an attmept to keep that package lgiht-weight. Anything we model for the High/Moderate/Low SSP templates above will work for for the LI-SaaS template with the exception that much of the required content from these SSP templates becomes optional for the LI-SaaS template.
-
-## Proto-model
-
-The following applies to FedRAMP High, Moderate, and Low SSPs unless otherwise noted.
-
-
-
-### Authoritative Control References
-Points back to the specific authoritative control references, such as the FedRAMp Moderate baseline, or the NIST High baseline.
-```yaml=    
-# Indicates what control data should be referenced
-# Cardinality: 1 or more
-import: What OSCAL profile(s) or catalog(s) should be used as the source for control information?
-    href: Where can it be found?
-```
-
-
-### Publication Characteristics
-
-```yaml=
-# High level "document" identification
-# Cardinality: 1
-publication: 
-  publication_id: Unique document ID, generated by the publishing organization (for SSPs this is typically the CSP)
-  publication_title: The title of the publication (typically "FedRAMP System Security Plan (SSP) [High | Moderate | Low ] Baseline [CSP Name] [System Name]")
-  publication_version: The CSP-assigned version number of this publication
-  publication_date: The CSP's publication date for this publication
-  publication_sensitivity: Indicates any document sensitivity such as Controlled Unclassified Information (CUI), Proprietary, Confidential
-
-    # What is the history of this publication?
-    # Cardinality: 1 or more
-    publication_history:
-      publication_date: 
-      publication_version: 
-      publication_notes: Notes about what was changed.
-
-    # Other publication meta-data relevant to the FedRAMP PMO
-    # Cardinality: 1
-    publication_details:
-      prepared_by:
-          organization_name
-          organization_address
-      prepared_for:
-          organization_name
-          organization_address
-```
-
-### Approvals
-The content of an officially delivered SSP must be signed by one or more appropriate approving officials within the CSP's organization.
-```yaml=    
-    # Approvals - 
-    # Cardinality: 1 or more
-    publication_approvals:
-      approver:
-          approver_signature: Scanned image or certificate-based
-          approval_date
-          approver_name
-          approver_title
-          approver_organization: Typically the name of the CSP.
-```
-
-### Attachments
-Whether for the formally required attachments in Chapter 15, or other attachments as needed, a mechanism is needed to embed and/or reference attachments from within the SSP data.
-
-```yaml=
-    # Attachments - .
-    # Cardinality: 0 or more
-publication_attachments:
-    attachment_id
-    attachment_name
-    attachment_description
-    attachment_format
-    attachment_date
-    attachment_version
-    attachment_type
-    attachment_href (either this or base64_embeded is required, but not both)
-    attachment_base64_embeded (either this or href is required, but not both)
-        attachment_base64_filename
-```
-
-### System
-FedRAMP requires the following information about the system. Much of this information is re-used across many FedRAMP artifacts including the FedRAMP Marketplace, authorization letters, and monthly ConMon Reporting. 
-
-```yaml=
-
-    # Chararacteristics and meta-data about the system itself
-    # Cardinality: 1
-    system_information:
-        # Table 1-1: Information System Name and Title
-        # Cardinality: 1
-        system_id: This is the FedRAMP Application Number - a unique ID assigned by the FedRAMP PMO
-        # Table 1-1: Information System Name and Title
-        # Cardinality: 1
-        system_name: The full name of the system
-        # Table 1-1: Information System Name and Title
-        # Cardinality: 1
-        system_name_short: Often the system acronym or abbreviation
-        # Section 9.1 System Function or Purpose
-        # Cardinality: 1
-        description: A brief description of the function or purpose of the system (1 - 3 paragraphs)
-        
-        # Table 2-1: Security Categorization
-        # ALSO -- Table 2-4: Baseline Security Configuration
-        # Cardinality: 1
-        security_sensitivity_level:
-            - low
-            - moderate
-            - high 
-        
-        # Table 2-3: Security Impact Level
-        security_objective_confidentiality:
-            - low
-            - moderate
-            - high 
-        # Table 2-3: Security Impact Level
-        security_objective_integrity:
-            - low
-            - moderate
-            - high 
-        # Table 2-3: Security Impact Level
-        security_objective_availability:
-            - low
-            - moderate
-            - high 
-        
-        # Optional for FedRAMP. Only overall eauth_level is required based on high water mark of ial, aal, and fal.
-        # Cardinality: 0 or 1
-        security_auth_ial:
-            - low
-            - moderate
-            - high 
-        # Optional for FedRAMP. Only overall eauth_level is required based on high water mark of ial, aal, and fal.
-        # Cardinality: 0 or 1
-        security_auth_aal:
-            - low
-            - moderate
-            - high 
-        # Optional for FedRAMP. Only overall eauth_level is required based on high water mark of ial, aal, and fal.
-        # Cardinality: 0 or 1
-        security_auth_fal:
-            - low
-            - moderate
-            - high 
-        # Table 15-5: Digital Identity Level
-        # Cardinality: 1
-        security_eauth_level:
-            - low
-            - moderate
-            - high 
-        
-        # Table 7-1: System Status
-        # Cardinality: 1
-        deployment_status:
-            - operational
-            - under_development
-            - major_modification
-            - other
-            other_description: if deployment_status = "other", this contains an explamantion
-
-        # Table 8-1: Service Layers Represented
-        # FedRAMP limits values to "SaaS", "PaaS", "IaaS", and/or "other"; however, outside of FedRAMP, this field may be used more broadly
-        # Cardinality: 1 or more
-        deployment_model:
-            - saas
-            - paas
-            - iaas
-            - other
-            other_description: if deployment_model = "other", this contains an explamantion
-        
-        # Table 8-2: Cloud Deployment Model Represented in this SSP
-        # FedRAMP limits values to "Public", "Private", "Government Only Community", and/or "other"; however, outside of FedRAMP, this field may be used more broadly
-        # Cardinality: 1 or more
-        service_model:
-            - public
-            - private
-            - government_only_community
-            - other
-            other_description: if service_model = "other", this contains an explamantion
-        
-        # Table 8-3: Leveraged Authorizations
-        # The Leveraged Authorizations table details the pre-existing FedRAMP Authorizations being leveraged by this Information System
-        # Cardinality 0 or more
-        leveraged_authorizations:
-            leveraged_authorization_name: The Leveraged Information System Name
-            leveraged_authorization_service_provider: The Leveraged Information System Service Provider
-            leveraged_authorization_date_granted: The date this system started leveraging the Leveraged Information System 
-```
-
-### Boundaries and Components
-
-```yaml=
-    # Section 9 General System Description
-    # Cardinality: 1
-    system_boundary:
-        boundary_description: one or more paragraphs that describe the system's authorization boundary.
-        
-        # Section 9.2 Information System Components and Boundaries
-        #Cardinality: 1 or more
-        boundary_diagram:
-            diagram-id: unique id for the diagram
-            diagram_attachment_id: [id of attachment]
-            diagram_title: title of the diagram
-            diagram_description: description of the diagram
-
-        # Section 9.4 Network Architecture
-        #Cardinality: 1 or more
-        network_diagram:
-            diagram-id: unique id for the diagram
-            diagram_attachment_id: [id of attachment]
-            diagram_title: title of the diagram
-            diagram_description: description of the diagram
-            
-        # Section 10.1 Data Flow
-        #Cardinality: 1 or more
-        data_flow_description
-        data_flow_diagram:
-            diagram-id: unique id for the diagram
-            diagram_attachment_id: [id of attachment]
-            diagram_title: title of the diagram
-            diagram_description: description of the diagram
-            
-        # This needs to tie tightly to the OSCAL Capabilities/Components Definition    
-        system_components:
-            [Model based on OSCAL capabilities/components definition]
-```
-
-### Authorized Connections
-Although this is part of CA-3, it may not be part of the standard set of elements for controls. This could be merged into the standard OSCAL controls set later.
-
-```yaml=
-    # Table 13-3. CA-3 Authorized Connections
-    # Cardinality: 0 or more
-    authorized_connections:
-        external_system_name: Name of the system to which this system connects
-        external_system_org: Organization that owns the system to which this system connects
-        isa_authorization: Who signed and authorized the Interconnection Security Agreement (ISA)?
-        isa_name: Name of the ISA
-        isa_date: Date of the ISA
-```
-
-
-### Types of Users
-
-```yaml=
-    # Section 9.3 Types of Users
-
-
-    # Table 9-1: Personnel Roles and Privileges
-    # Cardinality: 1 or more
-    system_user:
-        user_role
-        #Cardinality: 1
-        user_type:
-            - internal
-            - external
-        #Cardinality: 1
-        user_privilege_type:
-            - p   # Privileged
-            - np  # Non-Privileged
-            - nla # No Logical Access
-        user_sensitivity_level:
-            - moderate
-            - limited
-            - n_a
-            - ???? others?
-        user_authorized_privilege: [description, such as "Full administrative access (root)", or "Portal administration"]
-        functions_performed: [description, such as "add/remove users, install and configure software, OS updates, patches and hotfixes, perform backups"]
-    
-    internal_user_total_current: number of internal personnel now
-    internal_user_total_future: expected number of internal personnel within one year
-    external_user_total_current: number of external personnel now
-    external_user_total_future: expected number of external personnel within one year
-```
-
-### Information Types
-
-```yaml=
-    # Table 2-2: Sensitivity Categorization of Information Types
-    # Cardinality: 0 or more *
-    # * NOTE: In theory, an IaaS or PaaS may have no data. Any leveraging SaaS would have data and be responsible for enumerating it in the SSP for the SaaS. In reality, cardinality should probably be "1 or more", not "0 or more".
-    information_types:
-        information_type_id: NIST 800-60 identifier (ie. C.3.5.1)
-        information_type: NIST 800-60 information type name
-        information_description: Description of information that fits this type
-        information_sensitivity_confidentiality: 
-            - low
-            - moderate
-            - high 
-        information_sensitivity_integrity: 
-            - low
-            - moderate
-            - high 
-        information_sensitivity_availability:
-            - low
-            - moderate
-            - high 
-```
-
-### Ports, Protocols and Services
-
-```yaml=
-    # Section 10.2 Ports, Protocols and Services
-    # Table 10-1: Ports, Protocols and Services
-    # Cardinality: 0 or more (realistically 1 or more)
-    ports_protocols_services_entry:
-        #Cardinality: 0 or more
-        port_range
-        #Cardinality: 0 or more
-        port_type:
-            - tcp
-            - udp
-        #Cardinality: 0 or more
-        protocol
-        #Cardinality: 0 or more
-        service
-        #Cardinality: 1 or more
-        purpose
-        #Cardinality: 1 or more
-        used_by
-```
-
-
-### Information System Owner
-
-```yaml=
-    # Table 3-1: Information System Owner
-    # Cardinality: 1
-    system_owner_information: Contact information for the system owner
-        system_owner_name: Who is the main system owner
-        system_owner_title: What is their title within their organization
-        system_owner_organization: What organization does the system owner work with
-        system_owner_address: What is the organization street adress
-        system_owner_city: What city is the organization based out of
-        system_owner_state: What state is the organization based out of
-        system_owner_zip: What is the zip code for the organization
-        system_owner_phone: What is the contact number for the system owner
-        system_owner_email: What is the email for the system owner
-```
-### Authorizing Official
-
-```yaml=
-    # Section 4. Authorizing Officials
-    # Cardinality: 1 or more
-    authorizing_official: The Authorizing Official is determined by the path that the CSP is using to gain authorization
-        jab_or_agency: Is the CSP going through the JAB P-ATO process or direct Agency Authorization
-        authorizing_offical_name: The name of the authorizing official
-        authorizing_official_title: The title of the authorizing official
-        authorizing_official_organization: The organization that the authorizing official belongs to
-        authorizing_official_email: The email address of the authorizing official
-        authorizing_official_phone: The phone number of the authorizing official
-```
-## Other Designated Contacts
-### Information System Management Point of Contact
-```yaml=
-    # Table 5-1: Information System Management Point of Contact
-    # Cardinality 1 or more
-    system_management_information: Contact information for the system management point of contact
-        system_management_name: Who is the system management POC
-        system_management_title: What is their title within their organization
-        system_management_organization: What organization does the system management POC work with
-        system_management_address: What is the organization street adress
-        system_management_city: What city is the organization based out of
-        system_management_state: What state is the organization based out of
-        system_management_zip: What is the zip code for the organization
-        system_management_phone: What is the contact number for the system management POC
-        system_management_email: What is the email for the system management POC
-```
-### Information System Technical Point of Contact
-
-```yaml=
-
-    # Table 5-2: Information System Technical Point of Contact
-    # Cardinality 1 or more
-    system_technical_information: Contact information for the system technical point of contact
-        system_technical_name: Who is the system technical POC
-        system_technical_title: What is their title within their organization
-        system_technical_organization: What organization does the system technical POC work with
-        system_technical_address: What is the organization street adress
-        system_technical_city: What city is the organization based out of
-        system_technical_state: What state is the organization based out of
-        system_technical_zip: What is the zip code for the organization
-        system_technical_phone: What is the contact number for the system technical POC
-        system_technical_email: What is the email for the system technical POC
-```
-### Information System Additional Point of Contact
-
-```yaml=
-
-    # Table 5-3: Information System Additional Point of Contact
-    # Cardinality 0 or more
-    system_additional_information: Contact information for the system additional  point of contact
-        system_additional_name: Who is the system additional POC
-        system_additional_title: What is their title within their organization
-        system_additional_organization: What organization does the system additional POC work with
-        system_additional_address: What is the organization street adress
-        system_additional_city: What city is the organization based out of
-        system_additional_state: What state is the organization based out of
-        system_additional_zip: What is the zip code for the organization
-        system_additional_phone: What is the contact number for the system additional POC
-        system_additional_email: What is the email for the system additional POC
-```
-### CSP Internal ISSO (or Equivalent) Point of Contact
-
-```yaml=
-    #Table 6-1: CSP Internal ISSO (or Equivalent) Point of Contact
-    #Cardinality 1 or more
-    csp_isso_information: The contact information for the CSP ISSO
-        csp_isso_name: Who is the CSP ISSO
-        csp_isso_title: What is the title of the CSP ISSO
-        csp_isso_organization: What organization does the CSP ISSO work with
-        csp_isso_address: What is the organization street address
-        csp_isso_city: What city is the organization based out of
-        csp_isso_state: What state is the organization based out of
-        csp_isso_zip: What is the zip code for the organization
-        csp_isso_number: What is the contact number for the CSP ISSO
-        csp_isso_email: What is the email address for the CSP ISSO
-```
-### AO Point of Contact
-
-```yaml=
-    # Table 6-2: AO Point of Contact
-    # Cardinality 1 or more
-    ao_information: The contact information for the Authorizing Official
-        ao_name: Who is the AO
-        ao_title: What is the title of the AO
-        ao_organization: What organization does the AO work with
-        ao_address: What is the organization street address
-        ao_city: What city is the organization based out of
-        ao_state: What state is the organization based out of
-        ao_zip: What is the zip code for the organization
-        ao_number: What is the contact number for the AO
-        ao_email: What is the email address for the AO
-```
-
-## SSP Minimum Security Controls
-Security controls are the main focus of OSCAL. The implementation layer control modeling is being addressed in a parallel effort as part of [Issue #217](https://github.com/usnistgov/OSCAL/issues/217), with the modeling efforts found [HERE](https://hackmd.io/x43sK8IvSyOhW3no7fdh2w?view). That effort will be merged with this representation after each is developed separately
-
-It is import each control traces back to the control requirement statements. Each control should trace to the most down-stream reference to it. This is especially important to ensure proper parameter values are established. 
-
-For example AC-2 appears in the FedRAMP Moderate Profile, which references the NIST Moderate Profile, which in turn references the 800-53 catalog. This should point to the FedRAMP Moderate profile to ensure the FedRAMp parameter constraint in (j) is maintained.
-
-```yaml=
-    # Section 13: Security Controls
-
-    # Cardinality: one
-    control_id: The ID of the control as it appears in the appropriate profile or catalog.
-        href: A pointer to the actual profile or catalog.
-        
-    # Cardinality: zero or more
-    # Validation: one for each parameter
-    parameter-value: The actual value of the paramter supplied by the system owner to complete the requirement statement.
-        parameter_id: The ID of the parameter as it appears in the appropriate profile or catalog.
-
-    # Cardinality: one or more
-    # Validation: Every role here should match a role in the roles and responsibilities table
-    responsible_role: Who is responsible for maintaining the control?
-    
-    # Cardinality: one
-    implementation_status: The status of the control (Implemented, Partially Implemented, Planned, Alternative Implementation, N/A)
-        # Cardinality: one if marked Planned or Partialy Implemented above. Zero otherwise
-        planned_implementation_date
-        
-    # Cardinality: one or more
-    control_origination: The origina of the control (Service Provicder Corporate, Service Provider System Specific, Configured by Customer, Provided by Customer, Inherited)
-        # Cardinality: one if marked Configured by Customer or provided by Customer above. Zero otherwise.
-        customer_responsibility: 
-        # Cardinality: one if marked Inherited above. Zero otherwise.
-        inherited_system_id: The id of the underlying cloud or general support system from which this control is inherited.
-        # NOTE: Other data about the underlying system, such as name and authorization date, can be presented as a result of the pointer to that system.
-
-    # Cardinality: one or more (One per control part)
-    control_response: A description of HOW the organization is meeting the control. One per control part.
-
-```
-### Cryptography
-
-
-```yaml=
-    # Need a list of all crpytography used within 
-    # within the system, along with the NIST Labs
-    # certifiate number and supporting details
-    # for FIPS 140-2 validation
-
-    cryptography:
-        certificate_no
-        module_name
-        version_number
-
-```
-
-
-
-## SSP Attachments
-
-### Attachment 1: Information Security Policies and Procedures
-- This is typically not structured information. 
-- With the OSCAL SSP format, this will only exist as an entry in the &lt;attachments&gt; element that points to the external documents.
-- This will continue to be handled only as an attachment. The content will not appear in the OSCAL SSP format at this time. 
-
-### Attachment 2: User Guide
-- This is typically not structured information. 
-- With the OSCAL SSP format, this will only exist as an entry in the &lt;attachments&gt; element that points to the external documents.
-- This will continue to be handled only as an attachment. The content will not appear in the OSCAL SSP format at this time. 
-
-### Attachment 3: Digital Identity Worksheet
-- This section is mostly guidance, which should be addressed by tooling external to the OSCAL SSP content.
--Table 15-2 Information System Name and Title, duplicates the content in Table 1-1, thus this content will be visually repeated here, rather than entered a second time. 
-- The only data entered by a CSP is as follows:
-```yaml=
-    # Table 15-5
-    # Cardinality: Exactly 1
-    digital_identity_level: Level 1 (AAL1, IAL1, FAL1), 2 (AAL2, IAL2, FAL2) or 3 (AAL3, IAL3, FAL3)
-```
-
-### Attachment 4a: Privay Threshold Analysis
-- Table 15-6 Privacy POC is simply another system role that will be addressed in the OSCAL SSP content with all other system roles (Approver, ISSO, Managemet POC, etc.)
-- Table 15-7 Laws and Regulations and Table 15-8 Standards and Guidance are addressed in the OSCAL SSP content with the other Laws, Regulations, Standards, and Guidance. That content will have an attribute to flag it as privacy-related.
-- This is structured information, and will appear in in the OSCAL SSP structure as follows:
-```yaml=
-    # Attachment 4: Privay Threshold Analysis
-    # Cardinality 4
-    # FedRAMP has four (4) yes/no questions, that must be present and answered. Answering any one "yes" requires the PIA
-    pta_question: 
-        question_text: The FedRAMP question
-        response_text: The CSP's yes/no response
-```
-
-### Attachment 4b: Privacy Impact Assessment
-- Attachment Table 1-1 Privacy POC is simply another system role that will be addressed in the OSCAL SSP content with all other system roles (Approver, ISSO, Managemet POC, etc.)
-- Attachment Table 1-2 Laws and Regulations is addressed in the OSCAL SSP content with the other Laws, Regulations, Standards, and Guidance. That content will have an attribute to flag it as privacy-related. 
-
-**Privacy Designation**
-```yaml=
-    # Attachment Section 2 
-    # Cardinality 1
-    privacy_designation: boolean ("yes" to indicate the vendor is willing to host privacy information in system. "no" to opt-out)
-    
-    # Attachment Table 3-1 PII Mapped to Components 
-    # Cardinality 1 or more
-    components: 
-        # Cardinality 1
-        component
-        # Cardinality 1
-        pii_contact: "yes" if the component stores, processes, or transmits PII; "no" otherwise.
-        # Cardinality 1 or more
-        pii_type: identify the type of PII stored, processed or transmitted by the component
-        # Cardinality 1
-        pii_reason: Explain why the PII is collected. (NOTE: This may be more appropriately addressed with the data types, rather than the components.)
-        # Cardinality 1 or more
-        pii_safeguard: Describe safeguards for protecting the PII relative to this component.
-
-    # Attachment Sections 3.2 thru 3.10 
-    # These are a series of questions. Most require a text-field response. One also requires a yes/no response.
-    # Cardinality 36
-    pia_question: 
-        # Cardinality 1
-        question_text: The FedRAMP question
-
-        # Cardinality 1 or more (one quesiton has a yes/no, and a text response if yes, which requires two responses in that case. All others are a single text field response.)
-        response_type: typically "text" or "boolean" - indicates the type of response required.
-        response_text: The response provided by the CSP
-
-    signatures:
-        assessor_signature
-        chief_privacy_officer_signature
-```
-
-### Attachment 5: Rules of Behavior
-- This is typically not structured information. 
-- With the OSCAL SSP format, this will only exist as an entry in the &lt;attachments&gt; element that points to the external documents.
-- This will continue to be handled only as an attachment. The content will not appear in the OSCAL SSP format at this time. 
-
-### Attachment 6: Information System Contingency Plan
-- This is typically not structured information. 
-- With the OSCAL SSP format, this will only exist as an entry in the &lt;attachments&gt; element that points to the external documents.
-- This will continue to be handled only as an attachment. The content will not appear in the OSCAL SSP format at this time. 
-
-### Attachment 7: Configuration Management Plan
-- This is typically not structured information. 
-- With the OSCAL SSP format, this will only exist as an entry in the &lt;attachments&gt; element that points to the external documents.
-- This will continue to be handled only as an attachment. The content will not appear in the OSCAL SSP format at this time. 
-
-### Attachment 8: Incident Response Plan
-- This is typically not structured information. 
-- With the OSCAL SSP format, this will only exist as an entry in the &lt;attachments&gt; element that points to the external documents.
-- This will continue to be handled only as an attachment. The content will not appear in the OSCAL SSP format at this time. 
-
-### Attachment 9: CIS Workbook
-- This will exist as a summary view of control information
-- There is no additional information in this summary view. It is simply a reduction of control information that already exists in the complete detail of each control. 
-
-### Attachment 10: FIPS 199
-- This is structured information
-- This is a more detailed version of the information that exists in Table 2-2. The two will be combined into one structure, with different views of the data presented by tools to re-create Table 2-2 and Table 15-9. 
-
-### Attachment 11: Separaton of Duties Matrix
-- There is no set template for this; however, this is structured information
-- The syntax for expressing the system's user roles (Table 9-1) will be extended to enable basic separation of duties information.
-- Until this has more maturity, the CSP will have the option of either using the extended syntax, or attaching their own matrix.
-
-### Attachment 12: FedRAMP Laws and Regulations
-- The syntax ... **** 
-
-### Attachment 13: FedRAMP Inventory Workbook
-- This is structured information, and will appear in in the OSCAL SSP structure as follows:
-```yaml=
-    # Inventory Workbook (Spreadsheet) 
-    # NOTE: Each inventory_item must have either one set of host_item details or one set of software_item details.
-    # Cardinality 1 or more
-    inventory_item: 
-        # Cardinality 1 per inventory_item
-        asset_id: unique asset identifier
-        # Cardinality 0 or more per inventory item
-        ip_address: IPv4 or IPv6
-        # Cardinality 1 per inventory_item
-        virtual: yes/no field
-        # Cardinality 1 per inventory_item
-        public: yes/no field
-        # Cardinality 0 or more per inventory_item
-        network_name: DNS Name or URL
-
-        # Cardinality 0 or more per inventory_item
-        host_item: OS/Infrastructure Inventory
-            # Cardinality 0 or more per host_item
-            netbios_name: NetBIOS Name
-            # Cardinality 0 or more per host_item
-            mac_address: MAC Address
-            # Cardinality 1 per host_item
-            authenticated_scan: Authenticated Scan
-            # Cardinality 1 per host_item
-            baseline_template: Baseline Configuration Name
-            # Cardinality 0 or 1 per host_item
-            os_name
-            # Cardinality 0 or 1 per host_item
-            os_version
-            # Cardinality 0 or 1 per host_item
-            location
-            # Cardinality 1 per host_item
-            asset_type
-            # Cardinality 1 per host_item
-            hardware_vendor
-            # Cardinality 1 per host_item
-            hardware_model
-            # Cardinality 1 per host_item
-            scanned: In Latest Scan? (yes/no)
-
-        # Cardinality 0 or more per inventory_item
-        software_item: Software and Database Inventories
-            # Cardinality 1 per software_item
-            software_vendor: Software/ Database Vendor
-            # Cardinality 1 per software_item
-            software_name: Software/ Database Name & Version
-            # Cardinality 1 per software_item
-            software_version
-            # Cardinality 0 or 1 per software_item
-            software_patch_level
-            # Cardinality 1 per software_item
-            function: A description of the function provided by the software or database
-
-        # Cardinality 0 or 1 per software_item
-        Comments: Any comments about the inventory item
-        # Cardinality 0 or 1 per software_item
-        serial_no: Product serial number or asset Tag number
-        # Cardinality 0 or 1 per software_item
-        network_id: VLAN/Network ID
-        # Cardinality 1 or more per software_item
-        asset_owner: organizational owner of the hardware or software asset.
-        # Cardinality 1 or more per software_item
-        asset_administrator: organizational administrator of the hardware or software asset.
-```
-
diff --git a/src/content/ssp-example/OSCAL Implementation Layer_ FedRAMP System Security Plan (SSP) Mock Up.md b/src/content/ssp-example/OSCAL Implementation Layer_ FedRAMP System Security Plan (SSP) Mock Up.md
deleted file mode 100644
index 51eb861cf1..0000000000
--- a/src/content/ssp-example/OSCAL Implementation Layer_ FedRAMP System Security Plan (SSP) Mock Up.md	
+++ /dev/null
@@ -1,945 +0,0 @@
-# OSCAL Implementation Layer: FedRAMP System Security Plan (SSP) Mock Up<br>**ALL DATA IS FICTICIOUS**
-What follows is an example of a FedRAMP SSP expressed in OSCAL-compliant XML. It is part of the NIST OSCAL effort as covered by [Issue #246](https://github.com/usnistgov/OSCAL/issues/246).
-
-## XML Now. JSON Next.
-If you are JSON fan, fret-not. As with all OSCAL content, the final specification allows for both XML and JSON. We had to start somewhere.
-
-## Intended Next Steps
-Once this mock-up is complete:
-1. The OSCAL Team will peer-review it, adjust for OSCAL alignment, and consider any community input.
-2. The OSCAL Team will also reach concensus as to which portions of the mock-up become part of the official OSCAL specification, and which are handled as a FedRAMP-specific extension.
-3. The OSCAL Team will develop the specification details, and document the relevant syntax.
-4. In cooperation with the OSCAL Team, the FedRAMP PMO will develop the specification for any FedRAMP-specific extensions as a parallel effort.
-
-## FedRAMP SSP Modeling Effort
-This is based on the OSCAL Implementation Layer FedRAMP SSP Modeling effort: 
-https://hackmd.io/dATVzahrQludJILDJH675g
-
-# The Mock Up 
-
-This mock-up below exists in two parts:
-- **Higher Level SSP Elements:** There is no content here, just the tags. View this to understand the suggested elements.
-- **The Full Example:** Fully populated ficticious content. View this to understand how the tags might be used in practice.
-
-
-## Higher Level SSP Elements (No Content)
-This is to enumerate the suggested elements in context of their parent elements. There is no content here. Not even attributes, and some of the more detailed elements are missing to keep focus on the higher-level structure.
-**An example with content exists in the next section.**
-
-```yaml=
-<fedramp_system_security_plan>
-	<title/>
-    <version/>
-    <date/>
-    
-    <import href=""/>
-
-    <publication_information>
-        <sensitivity/>
-		<org_name/>
-		<org_short_name/>
-		<org_email/>
-		<org_website/>
-        <prepared_by/>
-        <prepared_for/>
-    </publication_information>
-
-    <publication_history>
-        <published>
-            <date/> 
-            <version/> 
-            <notes/>
-        </published>
-    </publication_history>
- 
-     <system_characteristics>
-        <system_id/>
-        <system_name/>
-        <system_name_short/>
-        <description/></description>
-        <security_sensitivity_level/>
-        
-        <system_information>
-            <information_type>
-                <description/>
-                <confidentiality_impact>
-                    <base/>
-                    <selected/>
-                    <adjustment_justification/>
-                </confidentiality_impact>
-                <integrity_impact>
-                    <base/>
-                    <selected/>
-                    <adjustment_justification/>
-                </integrity_impact>
-                <availability_impact>
-                    <base/>
-                    <selected/>
-                    <adjustment_justification/>
-                </availability_impact>
-                <qualifiers>
-                    <qualifier response="">
-                        <sorn id=""/>
-                    </qualifier>
-                </qualifiers>
-            </information_type>
-        </system_information>
-
-        <security_impact_level>
-            <security_objective_confidentiality/>
-            <security_objective_availability/>
-            <security_objective_integrity/>
-        </security_impact_level>
-
-        <security_eauth>
-            <security_auth_ial/>
-            <security_auth_aal/>
-            <security_auth_fal/>
-            <security_eauth_level/>
-        </security_eauth>
-
-        <status/>
-        <status_other_description/>
-        <deployment_model/>
-        <deployment_model_other_description/>
-        <service_model/>
-        <service_model_hybrid_description/>
-        
-        <leveraged_authorizations>
-            <leveraged_authorization>
-                <leveraged_authorization_name/>
-                <leveraged_authorization_service_provider/>
-                <leveraged_authorization_date_granted/>
-            </leveraged_authorization>
-        </leveraged_authorizations>
-
-        <authorization_boundary>
-            <boundary_diagram>
-                <boundary_description/>
-            </boundary_diagram>
-        </authorization_boundary>
-
-        <network_architecture>
-            <network_diagram>
-                <network_description/>
-            </network_diagram>
-        </network_architecture>
-
-        <data_flow>
-            <data_flow_diagram>
-                <data_flow_description/>
-            </data_flow_diagram>
-        </data_flow>
-
-        <users>
-            <role name="" internal="yes" access="nla" sensitivity_level="limited">
-                <privilege/>
-                <function/>
-            </role>
-            <statistics>
-                <internal_user_total_current/>
-                <internal_user_total_future/>
-                <external_user_total_current/>
-                <external_user_total_future/>
-            </statistics>
-        </users>
-
-    </system_characteristics>
-    
-    <system_implementation>
-        <ports_protocols_services>
-            <service>
-                <protocol>
-                    <port_range transport="">
-                </protocol>
-                <purpose/>
-                <used_by/>
-            </service>
-        </ports_protocols_services>
-
-        <system_inventory>
-            <component id="comp-01">
-                <name/>
-                <description/>
-            </component>
-            <inventory_item id="asset_id" virtual="" public="">
-                <asset_id/>
-                <ip_address/>
-                <network_name/>
-
-                <host_item>
-                    <netbios_name/>
-                    <mac_address/>
-                    <authenticated_scan/>
-                    <baseline_template/>
-                    <os_name/>
-                    <os_version/>
-                    <location/>
-                    <asset_type/>
-                    <hardware_vendor/>
-                    <hardware_model/>
-                    <scanned/>
-                </host_item>
-
-                <software_item>
-                    <software_vendor/>
-                    <software_name/>
-                    <software_version/>
-                    <software_patch_level/>
-                    <function/>
-                </software_item>
-
-                <Comments/>
-                <serial_no/>
-                <network_id/>
-                <asset_owner/>
-                <asset_administrator/>
-            </inventory_item>
-        </system_inventory>
-
-        <system_interconnections>
-            <interconnection>
-                <external_system_name/>
-                <external_system_org/>
-                <isa_authorization/>
-                <isa_name/>
-                <isa_date/>
-            <interconnection>
-        </system_interconnections>
-
-    </system_implementation>
-
-    <security_controls>
-        <group>
-            <control>
-                <responsible_role/>
-                <param>
-                    <value/>
-                </param>
-                <implementation_status/>
-                    <planned_implementation_date/>
-                <control_origination/>
-                <control_response/>
-                <crypto/>
-
-                <subcontrol>
-                    <responsible_role/>
-                    <param>
-                        <value/>
-                    </param>
-                    <implementation_status/>
-                        <planned_implementation_date/>
-                    <control_origination/>
-                    <control_response/>
-                </subcontrol>
-
-            </control>
-        </group>
-    </security_controls>
-    
-    <cryptography>
-        <module>
-            <validation/>
-            <module_name/>
-            <version_number/>
-        </module>
-    </cryptography>
-
-    <organizations>
-        <org>
-            <name/>
-            <address/>
-            <phone/>
-            <email/>
-            <url/>
-        </org>
-    </organizations>
-
-    <individuals>
-        <individual>
-            <name/>
-            <title/>
-            <address/>
-            <phone/>
-            <email/>
-        </individual>
-    </individuals>
-    
-    <parties>
-        <party>
-    </parties>
-
-    <roles>
-        <role title=""/>
-    </roles>
-
-    <references>
-        <ref id="" ref_type="">
-            <citation href=""/>
-        </ref>
-    </references>
-
-    <attachments>
-        <attachment>
-            <name/>
-            <description/>
-            <format/>
-            <date/> 
-            <version/>
-            <type/>
-            <href/>
-            <base64/>
-        </attachment>
-    <attachments>
-
-</fedramp_system_security_plan>
-```
-
-## The Full Example
-
-### Fictitious Information
-
-All information used in this SSP example is fictitious. The imaginary company and system used is:
-
-* **Organization Name:** Alpha - Cloud Service Processing (A-CSP)
-* **System Name:** Alpha - Service and Automation System (A-SaaS)
-
-### Template References
-
-All SSP page, section, and table references are based on the FedRAMP SSP High BAseline Template published to fedramp.gov on August 8, 2018.
-
-```yaml=
-<?xml version="1.0" encoding="UTF-8"?>
-<fedramp_system_security_plan id="uuid-a_csp-a_saas-20180925-195545" xmlns="http://fedramp.gov/ns/oscal/1.0">
-    <!-- Title page -->
-    <title>System Security Plan (SSP) Moderate Baseline</title>
-    <version>2.1</version>
-    <date iso-date="iso-date3">2018-09-25</date>
-    
-    <!-- "import" links this SSP to the appropriate FedRAMP -->
-    <!-- baseline, using the same syntax as OSCAL profiles -->
-    <import href="https://github.com/usnistgov/OSCAL/raw/master/content/fedramp.gov/FedRAMP_HIGH-baseline_profile.xml"/>
-
-    <!-- "import" also allows linking to additional controls in -->
-    <!-- the 800-53 catalog that are not in the FedRAMP baseline -->
-    <import href="https://github.com/usnistgov/OSCAL/blob/master/content/nist.gov/SP800-53/rev4/NIST_SP-800-53_rev4_catalog.xml">
-        <include>
-            <call subcontrol-id="cm-7.3"/>    
-            <call subcontrol-id="cm-7.4"/>    
-        </include>
-    </import>
-    
-    <publication_information>
-        <sensitivity>Controlled Unclassified Information</sensitivity>
-        <org_name>Alpha - Cloud Service Processing</org_name>
-        <org_short_name>A-CSP</org_short_name>
-        <org_email>info@a-csp.com</org_email>
-        <org_website>https://www.a-csp.com</org_website>
-
-        <!-- Page ii -->
-        <prepared_by>
-            <org_id>org-02</org_id>
-        </prepared_by>
-        <prepared_for>
-            <org_id>org-01</org_id>
-        </prepared_for>
-    </publication_information>
-
-    <!-- Page iii -->
-    <publication_history>
-        <published id="pub-1.0">
-            <date iso-date="iso-date3">2017-01-02</date> 
-            <version>1.0</version> 
-            <notes>Initial publication.</notes>
-        </published>
-        <published id="pub-1.1">
-            <date iso-date="iso-date3">2017-06-06</date> 
-            <version>1.1</version> 
-            <notes>Updated to reflect new security widget in AC-2.</notes>
-        </published>
-        <published id="pub-2.0">
-            <date iso-date="iso-date3">2018-03-08</date> 
-            <version>2.0</version> 
-            <notes>Updated to reflect new active directory technology in IA-4.</notes>
-        </published>
-        <published id="pub-2.1">
-            <date iso-date="iso-date3">2018-09-25</date> 
-            <version>2.1</version> 
-            <notes>Updated to reflect new use of row-based database security in AC-5.</notes>
-        </published>
-    </publication_history>
-    
-    <system_characteristics>
-        <!-- Table 1-1 Information System Name and Title -->
-        <system_id>F12345</system_id>
-        <system_name>Alpha - Service and Automation System</system_name>
-        <system_name_short>A-SaaS</system_name_short>
-
-        <!-- Section 9.1 -->
-        <description>
-            <p>A brief description of the function or purpose of the system (1 - 3 paragraphs)</p>
-        </description>
-
-        <!-- Table 2-1 Security Categorization -->
-        <!-- Table 2-4 Baseline Security Configuration -->
-        <system_sensitivity_level>moderate</security_sensitivity_level>
-
-        <!-- Table 2-2 Sensitivity Categorization of Information Types -->
-        <!-- Table 15-9 CSP Applicable Information Types with Security Impact Levels -->
-        <!-- Attachment 4. Privacy Threshold Analysis (PTA) -->
-        <system_information>
-            <information_type id="info-01" nist_id="D.2.1">
-                <description>Border and Transportation Security</description>
-                <confidentiality_impact>
-                    <base>moderate</base>
-                    <selected>moderate</selected>
-                </confidentiality_base_impact>
-
-                <integrity_impact>
-                    <base>moderate</base>
-                    <selected>moderate</selected>
-                </integrity_impact>
-                
-                <availability_impact>
-                    <base>moderate</base>
-                    <selected>moderate</selected>
-                </availability_impact>
-            </information_type>
-            
-            <information_type id="info-02" nist_id="D.4.1">
-                <description>Disaster Management and Prediction</description>
-                
-                <confidentiality_impact>
-                    <base>low</base>
-                    <selected>low</selected>
-                </confidentiality_base_impact>
-
-                <integrity_impact>
-                    <base>high</base>
-                    <selected>high</selected>
-                </integrity_impact>
-                
-                <availability_impact>
-                    <base>high</base>
-                    <selected>low</selected>
-                    <adjustment_justification>
-                        <p>System is for research and analysis only. Access to information in this system at the time of a disaster is not critical.</p>
-                    </adjustment_justification>
-                </availability_impact>
-            </information_type>
-
-            <information_type id="info-03" type="pii">
-                <description>A Privacy Sensitive System</description>
-
-                <!-- Attachment 4, Qualifying Questions -->
-                <qualifiers>
-                    <qualifier id="pta-01" response="yes">
-                        <p>Does the ISA collect, maintain, or share PII in any identifiable form?</p>
-                    </qualifier>
-                    <qualifier id="pta-02" response="yes">
-                        <p>Does the ISA collect, maintain, or share PII information from or about the public?</p>
-                    </qualifier>
-                    <qualifier id="pta-03" response="yes">
-                        <p>Has a Privacy Impact Assessment ever been performed for the ISA?</p>
-                    </qualifier>
-                    <qualifier id="pta-04" response="yes">
-                        <p>Is there a Privacy Act System of Records Notice (SORN) for this ISA system?</p>
-                        <sorn id="[SORN ID]">Sorn Name</sorn>
-                    </qualifier>
-                </qualifiers>
-            </information_type>
-
-        </system_information>
-
-        <!-- Table 2-3 Security Impact Level -->
-        <security_impact_level
-            <security_objective_confidentiality>moderate</security_objective_confidentiality>
-            <security_objective_availability>moderate</security_objective_availability>
-            <security_objective_integrity>moderate</security_objective_integrity>
-        </security_impact_level>
-
-        <!-- Section 2.3 Digital Identity Determination -->
-        <!-- Attachment 3, Digital Identity Worksheet -->
-        <security_eauth>
-            <security_auth_ial>moderate</security_auth_ial>
-            <security_auth_aal>moderate</security_auth_aal>
-            <security_auth_fal>moderate</security_auth_fal>
-            <security_eauth_level>moderate</security_eauth_level>
-        </security_eauth>
-
-        <!-- Table 7-1 System Status -->
-        <status>operational</status>
-        <status_other_description>N/A</status_other_description>
-
-        <!-- Table 8-1 Service Layers Represented in this SSP -->
-        <deployment_model>saas</deployment_model>
-        <deployment_model_other_description>N/A</deployment_model_other_description>
-
-        <!-- Table 8-2 Cloud Deployment Model Represented in this SSP -->
-        <service_model>government_only_community</service_model>
-        <service_model_other_description>N/A</service_model_other_description>
-		        
-        <!-- Table 8-3 Leveraged Authorizations -->
-        <leveraged_authorizations>
-            <leveraged_authorization id="la-01">
-                <leveraged_authorization_name>A Big IaaS (ABI)</leveraged_authorization_name>
-                <leveraged_authorization_service_provider>A Big IaaS Provider (ABIP)</leveraged_authorization_service_provider>
-                <leveraged_authorization_date_granted iso-date="iso-date3">2016-09-09</leveraged_authorization_date_grantved>
-            </leveraged_authorization>
-        </leveraged_authorizations>
-
-        <!-- Figure 9-1. Authorization Boundary Diagram -->
-        <authorization_boundary>
-            <boundary_diagram id="dia-01" attachment_id="att-003">
-                <boundary_description>
-                    <p>This is optional text that provides additional, written detail to the attached boundary diagram.</p>
-                </boundary_description>
-            </boundary_diagram>
-        </authorization_boundary>
-
-        <!-- Figure 9-2. Network Diagram -->
-        <network_architecture>
-            <network_diagram id="dia-02" attachment_id="att-004">
-                <network_description>
-                    <p>This is optional text that provides additional, written detail to the attached network diagram.</p>
-                </network_description>
-            </network_diagram>
-        </network_architecture>
-
-        <!-- Figure 10-1. Data Flow Diagram -->
-        <data_flow>
-            <data_flow_diagram id="dia-03" attachment_id="att-005">
-                <data_flow_description>
-                    <p>This is optional text that provides additional, written detail to the attached data flow diagram.</p>
-                </data_flow_description>
-            </data_flow_diagram>
-        </data_flow>
-
-        <!-- Table 9-1. Personnel Roles and Privileges -->
-        <users>
-            <role id="ut-01" name="UNIX System Administrator" internal="yes" access="p" sensitivity_level="moderate">
-                <privilege>Full administrative access (root)</privilege>
-                <function>Add/remove users and hardware</function>
-                <function>Install and configure software</function>
-                <function>OS updates</function>
-                <function>patches and hotfixes</function>
-                <function>perform backups</functions>
-            </role>
-            <role id="ut-02" name="Client Administrator" external="yes" access="np" sensitivity_level="n/a">
-                <privilege>Portal administration</privilege>
-                <function>Add/remove client users</function>
-                <function>Create, modify, and delete client applications</function>
-            </role>
-            <role id="ut-03" name="Program Director" internal="yes" access="nla" sensitivity_level="limited">
-                <privilege>none</privilege>
-                <function>Reviews, approves, and enforces policy</function>
-            </role>
-            <statistics>
-                <internal_user_total_current>22</internal_user_total_current>
-                <internal_user_total_future>33</internal_user_total_future>
-                <external_user_total_current>75</external_user_total_current>
-                <external_user_total_future>100</external_user_total_future>
-            </statistics>
-        </users>
-
-    </system_characteristics>	    
-
-    <system_implementation>
-        <!-- Table 10-1 Ports, Protocols and Services -->
-        <!-- NOTE: For now, this captures the same detail as the SSP. -->
-        <!-- It is possible to capture more accurate/complete content. -->
-        <ports_protocols_services>
-            <service id="svc-01" name="Domain Name Service (DNS) Lookup">
-                <protocol name="dns">
-                    <port_range start="53" end="53" transport="tcp"/>
-                </protocol>
-                <purpose>Allows name resolution of hosts.</purpose>
-                <used_by>external user workstations</used_by>
-                <used_by>internal hosts</used_by>
-            </service>
-            <service id="svc-02" name="Web Services">
-                <protocol name="http">
-                    <port_range start="80" end="80" transport="tcp"/>
-                </protocol>
-                <protocol name="https">
-                    <port_range start="443" end="443" transport="tcp"/>
-                </protocol>
-                <purpose>Provides web services for the application.</purpose>
-                <used_by>External users to access the application</used_by>
-            </service>
-        </ports_protocols_services>
-
-        <!-- Table 13-3 CA-3 Authorized Connections -->
-        <system_interconnections>
-            <interconnection id="ic-01">
-                <external_system_name>Weather Server</external_system_name>
-                <external_system_org>NOAA</external_system_org>
-                <isa_authorization>M.Y. Ayaoh</isa_authorization>
-                <isa_name>Weather Connection</isa_name>
-                <isa_date iso-date="iso-date3">2018-09-25</isa_date>
-            </interconnection>
-        </system_interconnections>
-
-        <!-- Attachment 13 Integrated Inventory Workbook -->
-        <system_inventory>
-            <component id="comp-01">
-                <name>Linux Host</name>
-                <crypto crypto_id="crypto-01"/>
-                <crypto crypto_id="crypto-02"/>
-                <description>
-                    <p>Physical and virtual linux hosts are used as the primary platform for all server needs within the system, unless another platform is needed to achieve a specific requirement.</p>
-                </description>
-            </component>
-            <component id="comp-02">
-                <name>Web Server</name>
-                <description>
-                    <p>Apache is used for all web servers, and is always installed on a Linux OS.</p>
-                </description>
-            </component>
-            <component id="comp-03">
-                <name>SQL Server</name>
-                <description>
-                    <p>We use Acme BigSQL for our database needs, and always run it on a Linux platform.</p>
-                </description>
-            </component>
-        
-            <inventory_item id="123.45.67.96" virtual="no" public="yes" comp_id="comp-01" comp_id="comp-02">
-                <ip_address>123.45.67.96</ip_address>
-                <ip_address>123.45.68.96</ip_address>
-                <network_name>acme-web-a.a-csp.com</network_name>
-
-                <host_item>
-                    <netbios_name>acme-web-a</netbios_name>
-                    <mac_address>00:01:02:03:04:05</mac_address>
-                    <authenticated_scan>yes</authenticated_scan>
-                    <baseline_template>Base Config 1</baseline_template>
-                    <os_name>CentOS</os_name>
-                    <os_version>5.1</os_version>
-                    <location>Primary data center, Rack A-1</location>
-                    <asset_type>Web Server</asset_type>
-                    <hardware_vendor>Acme</hardware_vendor>
-                    <hardware_model>web-1000</hardware_model>
-                    <scanned>yes</scanned>
-                </host_item>
-
-                <Comments>This is a public-facing hardware-based web server</Comments>
-                <serial_no>aw-12345</serial_no>
-                <network_id id="vlan-01">123.45.67.00/24</network_id>
-                <network_id id="vlan-02">123.45.68.00/24</network_id>
-                <asset_owner>Jonathan Jacob</asset_owner>
-                <asset_administrator>Mr. L.N.X. Guru</asset_administrator>
-            </inventory_item>
-            <inventory_item id="123.46.78.400" virtual="no" public="no" comp_id="comp-01" comp_id="comp-03">
-                <ip_address>123.46.78.400</ip_address>
-                <ip_address>123.47.78.400</ip_address>
-                <network_name>big-db.a-csp.com</network_name>
-
-                <software_item>
-                    <software_vendor>Acme</software_vendor>
-                    <software_name>Big SQL</software_name>
-                    <software_version>7.7</software_version>
-                    <software_patch_level>Level 7</software_patch_level>
-                    <function>Houses all the data</function>
-                </software_item>
-
-                <Comments>All the sensitive information is stored here.</Comments>
-                <serial_no>asq-121212</serial_no>
-                <network_id id="vlan-03">123.46.0.0/16</network_id>
-                <network_id id="vlan-04">123.47.0.0/16</network_id>
-                <asset_owner>Jonathan Jacob</asset_owner>
-                <asset_administrator>Mr. L.N.X. Guru</asset_administrator>
-            </inventory_item>
-        </system_inventory>
-
-    </system_implementation>
-
-    <!-- Section 13 -->
-    <security_controls>
-        <group class="family" id="ac">
-            <control class="SP800-53" id="ac-1" href="https://github.com/usnistgov/OSCAL/raw/master/content/fedramp.gov/FedRAMP_MODERATE-baseline_profile.xml">
-
-                <responsible_role role_id="ut-04"/>
-
-                <param id="ac-1_prm_1">
-                    <value>all staff with system access</value>
-                </param>
-                <param id="ac-1_prm_2">
-                    <value>annually, and as needed</value>
-                </param>
-                <param id="ac-1_prm_3">
-                    <value>every three years, and when the system undergoes a significant change</value>
-                </param>
-
-                <implementation_status>implemented</implementation_status>
-
-                <control_origination>service_provider_corporate</control_origination>
-                <control_origination>service_provider_system_specific</control_origination>
-
-                <control_response id="ac-1_smt.a" origination="service_provider_corporate">
-                    <p>The A-CSP CIO's office maintains the <attached id="att-101">A-CSP Access Control Policy</attached>. This CIO's office ensures this policy is disseminated to all A-CSP staff.</p>
-                </control_response>
-                <control_response id="ac-1_smt.a" origination="service_provider_system_specific">
-                    <p>The A-SAAS ISSO is responsible for maintaining the <attached id="att-102">A-SaaS Access Control Policy</attached>. This ISSO ensures this policy is disseminated to all individuals with logical access to A-SAAS.</p>
-                </control_response>
-                <control_response id="ac-1_smt.b" origination="service_provider_system_specific">
-                    <p>The A-SAAS ISSO maintains the <attached id="att-103">A-SaaS Access Control Procedure</attached>, which is used for granting all system access. This ISSO ensures this procedure is disseminated to all individuals with administrative access to A-SAAS.</p>
-                </control_response>
-
-            </control>
-
-            <control class="SP800-53" id="ac-2" href="https://github.com/usnistgov/OSCAL/raw/master/content/fedramp.gov/FedRAMP_MODERATE-baseline_profile.xml">
-
-                <responsible_role role_id="ut-01"/>
-                <responsible_role role_id="ut-02"/>
-                <responsible_role role_id="ut-03"/>
-
-                <param id="ac-2_prm_1">
-                    <value>all system accounts</value>
-                </param>
-                <param id="ac-2_prm_2">
-                    <value>immediate supervisor or system ISSO</value>
-                </param>
-                <param id="ac-2_prm_3">
-                    <value>the A-CSP Access Control Policy</value>
-                </param>
-                <param id="ac-2_prm_4">
-                    <value>as needed</value>
-                </param>
-
-                <implementation_status>implemented</implementation_status>
-
-                <control_origination>service_provider_system_specific</control_origination>
-                <control_origination>customer_responsibility</control_origination>
-                <control_origination>inherited</control_origination>
-
-                <control_response id="ac-2_smt.a" origination="service_provider_system_specific">
-                    <p>In accordance with the <attached id="att-102">A-SaaS Access Control Policy</attached>, the system ISSO identifies all A-SaaS system administrators to support the A-SaaS mission.</p>
-                </control_response>
-                <control_response id="ac-2_smt.a" origination="customer_responsibility">
-                    <p>The customer must define which A-SAAS application user account types support the customer's mission.</p>
-                </control_response>
-                <control_response id="ac-2_smt.a" origination="inherited" inherited_from="la-01">
-                    <p>For the hypervisor and below, this is inherited from ABI.</p>
-                </control_response>
-                <!-- Sniped statements b through k -->
-
-
-                <subcontrol class="SP800-53" id="ac-2.1" href="https://github.com/usnistgov/OSCAL/raw/master/content/fedramp.gov/FedRAMP_MODERATE-baseline_profile.xml">
-
-                    <responsible_role role_id="ut-04"/>
-                    <responsible_role role_id="ut-02"/>
-                    <responsible_role role_id="ut-03"/>
-
-                    <implementation_status>partially_implemented</implementation_status>
-                        <planned_implementation_date>2019-06-01</planned_implementation_date>
-
-                    <control_origination>service_provider_system_specific</control_origination>
-                    <control_origination>inherited</control_origination>
-
-                    <control_response id="ac-2.1_smt" origination="service_provider_system_specific">
-                        <p>This is where the CSP describes how they have implemented automated mechanisms in the support of system account management</p>
-                    </control_response>
-                    <control_response id="ac-2.1_smt" origination="inherited" inherited_from="la-01">
-                        <p>This where the CSP describes what they inherit from ABI in support of AC-2(2).</p>
-                    </control_response>
-
-                </subcontrol>
-            </control>
-        </group>
-    </security_controls>
-
-    <cryptography>
-        <module id="crypto-01">
-            <validation type="certificate_no" org="NIST Labs">00000001</validation>
-            <module_name>crypto_guard_supreme</module_name>
-            <version_number>1.23</version_number>
-        </module>
-        <module id="crypto-02">
-            <validation type="certificate_no" org="NIST Labs">00000010</validation>
-            <module_name>crypto_guard_supreme</module_name>
-            <version_number>1.23</version_number>
-        </module>
-    </cryptography>
-
-    <organizations>
-        <org id="org-01">
-            <name>Alpha - Cloud Service Processing</name>
-            <address>
-              <addr-line>12345 S. Main Street</addr-line>
-              <city>Star City</city>
-              <state>ST</state>
-              <postal-code>54321</postal-code>
-              <country>US</country>
-            </address>
-            <email>main@a-csp.com</email>
-            <phone>703-555-1212</phone>
-            <url>https://www.a-csp.com</url>
-        </org>
-        <org id="org-02">
-            <name>Three Partners Auditing Objectives (3PAO)</name>
-            <address></address>
-            <email>main@3pao.com</email>
-            <phone>703-555-1212</phone>
-            <url>https://www.3pao.com</url>
-        </org>
-        <org id="org-03">
-            <name>Three Letter Agency (TLA)</name>
-            <address></address>
-            <email>main@tla.gov</email>
-            <phone>703-555-1212</phone>
-            <url>https://www.tla.gov</url>
-        </org>
-        <org id="org-04">
-            <name>Department of Homeland Security (DHS), Office of the CIO</name>
-            <!-- Table 6-1 AO POC -->
-            <role title="DHS AO POC" individual_id="ind-05">
-        </org>
-        <org id="org-05">
-            <name>Department of Defense (DoD), Office of the CIO</name>
-            <!-- Table 6-1 AO POC -->
-            <role title="DoD AO POC" individual_id="ind-06">
-        </org>
-        <org id="org-06">
-            <name>General Services Administration (GSA), Office of the CIO</name>
-            <!-- Table 6-1 AO POC -->
-            <role title="GSA AO POC" individual_id="ind-07">
-        </org>
-    </organizations>
-
-    <individuals>
-        <individual id="ind-01" org="org-01">
-            <name>I.M. DaBoss</name>
-            <title>VP Operations</title>
-            <phone type="mobile">703-555-6161</phone>
-            <email>imdaboss@a-csp.com</email>
-        </individual>
-        <individual id="ind-02" org="org-01">
-            <name>Blurry Face</name>
-            <title>Cyber Security Director</title>
-            <phone type="mobile">703-555-9111</phone>
-            <email>bface@a-csp.com</email>
-        </individual>
-        <individual id="ind-03" org="org-03">
-            <name>Buck Stops-Here</name>
-            <title>CIO</title>
-            <phone type="office">703-555-0000</phone>
-            <email>bstops-here@tla.gov</email>
-        </individual>
-    </individuals>
-
-    <parties>
-        <party title="Joint Authorization Board (JAB)" id="jab">
-            <member org_id="org-04">
-            <member org_id="org-05">
-            <member org_id="org-06">
-        </party>
-    </parties>
-
-    <roles>
-        <!-- Page xvii -->
-        <role id="role-01" title="Approver" individual_id="ind-01"/>
-        <role title="Approver" individual_id="ind-02"/>
-        <!-- Table 3-1 Information System Owner -->
-        <role id="role-02" title="System Owner" individual_id="ind-01"/>
-        
-        <!-- Table 5-1 Information System Management POC -->
-        <role id="role-03" title="System Management POC" individual_id="ind-01"/>
-
-        <!-- Table 5-2 Information System Technical POC -->
-        <!-- NOTE: role-04 twice is not a typo. The id is for the role. -->
-        <role id="role-04" title="System Technical POC" individual_id="ind-02"/>
-        <role id="role-04" title="System Technical POC" individual_id="ind-04"/>
-
-        <!-- Table 6-1 System ISSO (CSP) -->
-        <role id="role-05" title="System Internal ISSO" individual_id="ind-02"/>
-
-        <!-- Section 4. Authorizing Officials -->
-        <role id="role_ao" title="Authorizing Official" party_id="jab"/>
-        
-        <!-- Page ii -->
-        <role id="role-06" title="Prepared By" org_id="org-02"/>
-        <role id="role-07" title="Prepared For" org_id="org-01"/>
-
-        <!-- Table 15-6 System Privacy POC -->
-        <role id="role-08" title="Privacy POC" individual_id="ind-01"/>
-
-    </roles>
-
-    <!-- Section 12, Table 12-1, Table 12-2, plus other external references as needed. -->
-    <!-- Attachment 12. -->
-    <references>
-        <ref id="ref-01" ref_type="other">
-            <citation href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx">FedRAMP Applicable Laws and Regulations</citation>
-        </ref>
-        <ref id="ref-02" ref_type="law">
-            <citation href="http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html">5 C.F.R. 731.106</citation>
-        </ref>
-    </references>
-
-    <!-- Table 15-1 Mames of Provided Attachments -->
-    <attachments>
-        <attachment id="att-001" href="./attachments/rob.docx">
-            <name>Rules of Behavior</name>
-            <description>The Rules of Behavior document</description>
-            <format>.docx</format>
-            <date iso-date="iso-date3">2017-02-03</date> 
-            <version>2.0</version>
-            <type>MS Word</type>
-        </attachment>
-
-        <attachment id="att-101" href="./attachments/policies/01_a_csp_access_cotrol_policy.docx">
-            <name>A-CSP Access Control Policy</name>
-            <description>Corporate A-CSP Access Control Policy</description>
-            <format>.docx</format>
-            <date iso-date="iso-date3">2015-06-06</date> 
-            <version>2.1</version>
-            <type>MS Word</type>
-        </attachment>
-
-        <attachment id="att-102" href="./attachments/policies/01_a_saas_access_cotrol_policy.docx">
-            <name>A-SaaS Access Control Policy</name>
-            <description>System-specific A-SaaS Access Control Policy</description>
-            <format>.docx</format>
-            <date iso-date="iso-date3">2017-12-12</date> 
-            <version>1.1</version>
-            <type>MS Word</type>
-        </attachment>
-
-        <attachment id="att-103" href="./attachments/policies/01_a_saas_access_cotrol_process.docx">
-            <name>A-SaaS Access Control Process</name>
-            <description>System-specific A-SaaS Access Control Process</description>
-            <format>.docx</format>
-            <date iso-date="iso-date3">2017-12-12</date> 
-            <version>1.2</version>
-            <type>MS Word</type>
-        </attachment>
-
-        <!-- If the OSCAL Team decides to allow Base64 encoding of -->
-        <!-- graphics (logos, boundary diagrams) and/or attachment, -->
-        <!-- I recommend the attachments element be listed last, and -->
-        <!-- all Base64 encoded attachments, be listed at the back -->
-        <!-- of the list of attachments. -->
-        <!-- This keeps the large, non-human-readable Base64 data -->
-        <!-- out of the way. -->
-        <attachment id="att-002">
-          <name>Logo</name>
-          <description>A-CSP Logo</description>
-          <format>.png</format>
-          <date iso-date="iso-date3">2017-01-02</date> 
-          <version>1.0</version>
-          <type>graphic</type>
-          <base64 filename='csp_logo.png'>iVBORw0KGgoAAAANSUhEUgAAAMoAAAAtCAIAAABgRmPFAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAATBSURBVHhe7ZpLjqQwDIbnIL2c09SqzsKCs7RUR0F1FLjBLFAtSkhIPc4DsCGJHUikmpE/ZdFNheDYv/OA/PpRlGqovJSKqLyUiqi8lIqovJSKqLyUiqi8lIqovJSKqLyUiqi8lIqovJSKZMtr7p+v2338+v3Hldv91Q2z/5Fh7h7k3q/7eGvf3eB//p/oh+m7HW/3paemwL+v7+fc+yo5DHvXnW/KUti8KFnyGt6NMWhskBHe0HbaroD+HnvBmYvQB9sBfwkYQKyun+j689U8/Z9di/ufKNDC2BilCoXu6R9I69Hy6nx1ETb93I1j85j6NXmso7br/irLHL7LuA7CgS/OXTt+c7la2rw0Ynn1kD3m2RFfg3EPE93OBmwnLx/F+ztu9GzaNxIxT1nl5YHGaZ4dnehU7irkDKiWYQ3hVm5nXIzaiXQWortUACP9xSjD2/o85bpFZD7zk/IqbR6PTF6QFu6p+8ATIHusZVDayV8zTA1/r2VI1PQ/2RJ1Ih6NjiNokpkomNgvBLeQGvCQkckQrtpiRANMVlvpmqXNEyGQF3mevxZj6QMOz5IQonjbykEhoolS6ESBoBFYmlk3OvA8zvVUEOlNW0Ktu/SLeqaweVJYeZ3rZ0he0HlYtPmLccARF+RF/Jg1CF2S19ZHKIKQ4PohI3EvpMaYNiOeKW2eGE5eOar3mDhhm7BATbG7xcQOBS3tMR8sLzJkih5KfHLoTvrXKGBGsHJp8zJg5IVXPHKnw1KArBxJyEkx2z3hZlgmL+LKrOXXeXnR/JE9NGUntiRvegpmZmnzckjLiwyqGU7vHruNidkz46ZChe6TD0jkdT4wV+R1xkt0REll48XVT3nzcqgjrzCDERnOpGDBr9AwSXnN+MWEKfn76o+RF/1J5cUwTPtI23fQy146VEL9ic+wa7EvV83rN39LFv+SvOgTY8Vb8rnyotP2WXm9m/jkbUYd80J1e4orx/letvY6T668unYJ/OXFzW65nTM5BlYd++G/tHk5MEt78hj5Eq+HIcT/6bonGOHt1Lk+65gxHyYv2PSsncoPRjrkZLzhO0vkGBhpSpuXASMv4nSximFAQgZZW6Umrp79bHnZyihniCAEucTUz9uwY8vDfi5snhxOXlT7oieRoQtYUkHyTnV73EHKnyQvF37iDTyEcLeT4SRcGQWYz0xB5cLmSeHlBWzJxHa1f772sUcjreA7setbQEA5DjqDWF6r93fJhqOSzEOZdFB/mazmRy9DYfNkiOQFiD6amv3gMTBOXvY0RLM7e3PAfbEPRZfMF5e7fUSYsuizfSBI/JEElGywyWV6sekmsXdbzgG4kvRMYfMESOUF2BNtrg/0ZFXvD7sdxi0HWEw7sx5Uoo24F1eh75L7AznWhmJnkqD9/YGckLy27i8lPAaQA1X4gwTau8gPUVpfLa3R187WY5Cxa1Ng4cgmXlnzODLk5fCn2LCjmVOOkRcTrp21ETO8HRSDJ8RYuTKS4Wklv6SmGBd7cjTXHgdNf5mI4l/f0NbaU01ZCpsXJVteiiJH5aVUROWlVETlpVRE5aVUROWlVETlpVRE5aVUROWlVETlpVRE5aVUROWlVETlpVRE5aVUROWlVOPn5y9OeK7Cv/yElwAAAABJRU5ErkJggg==</base64>
-        <attachment id="att-003">
-          <name>Signature - Chief Privacy Officer</name>
-          <description>Digital signature of the CPO</description>
-          <format></format>
-          <date iso-date="iso-date3">2017-01-02</date> 
-          <version>1.0</version>
-          <type>digital signature</type>
-          <base64>iVBORw0KGgoAAAANSUhEUgAAAMoAAAAtCAIAAABgRmPFAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAATBSURBVHhe7ZpLjqQwDIbnIL2c09SqzsKCs7RUR0F1FLjBLFAtSkhIPc4DsCGJHUikmpE/ZdFNheDYv/OA/PpRlGqovJSKqLyUiqi8lIqovJSKqLyUiqi8lIqovJSKqLyUkRcTrp21ETO8HRSDJ8RYuTKS4Wklv6SmGBd7cjTXHgdNf5mI4l/f0NbaU01ZCpsXJVteiiJH5aVUROWlVETlpVRE5aVUROWlVETlpVRE5aVUROWlVETlpVRE5aVUROWlVETlpVRE5aVUROWlVOPn5y9OeK7Cv/yElwAAAABJRU5ErkJggg==</base64>
-        </attachment>
-    </attachments>
-
-</fedramp_system_security_plan>
-
-```
diff --git a/src/content/ssp-example/json/ssp-example.json b/src/content/ssp-example/json/ssp-example.json
deleted file mode 100644
index f84bc74309..0000000000
--- a/src/content/ssp-example/json/ssp-example.json
+++ /dev/null
@@ -1,376 +0,0 @@
-{
-    "system-security-plan": {
-        "uuid": "66c2a1c8-5830-48bd-8fdd-55a1c3a52888",
-        "metadata": {
-            "title": "Enterprise Logging and Auditing System Security Plan",
-            "last-modified": "2019-09-23T18:14:50.591Z",
-            "version": "1.0",
-            "oscal-version": "1.0.0-milestone3",
-            "roles": [
-                {
-                    "id": "legal-officer",
-                    "title": "Legal Officer"
-                }
-            ],
-            "parties": [
-                {
-                    "uuid": "3b2a5599-cc37-403f-ae36-5708fa804b27",
-                    "type": "organization",
-                    "party-name": "Enterprise Asset Owners"
-                },
-                {
-                    "uuid": "833ac398-5c9a-4e6b-acba-2a9c11399da0",
-                    "type": "organization",
-                    "party-name": "Enterprise Asset Administrators"
-                },
-                {
-                    "uuid": "ec485dcf-2519-43f5-8e7d-014cc315332d",
-                    "type": "organization",
-                    "party-name": "Legal Department"
-                },
-                {
-                    "uuid": "0f0c15ed-565e-4ce9-8670-b54853d0bf03",
-                    "type": "organization",
-                    "party-name": "IT Department"
-                },
-                {
-                    "uuid": "96c362ee-a012-4e07-92f3-486ab303b0e7",
-                    "type": "organization",
-                    "party-name": "Acme Corp"
-                }
-            ]
-        },
-        "import-profile": {"href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json"},
-        "system-characteristics": {
-            "system-name": "Enterprise Logging and Auditing System",
-            "description": "This is an example of a system that provides enterprise logging and log auditing capabilities.",
-            "system-ids": [
-                {
-                    "id": "d7456980-9277-4dcb-83cf-f8ff0442623b",
-                    "identifier-type": "https://ietf.org/rfc/rfc4122"
-                }
-            ],
-            "security-sensitivity-level": "moderate",
-            "system-information": {
-                "information-types": [
-                    {
-                        "uuid": "7d28ac6e-5970-4f4c-a508-5a3715f0f02b",
-                        "title": "System and Network Monitoring",
-                        "information-type-ids": {
-                            "https://doi.org/10.6028/NIST.SP.800-60v2r1": {"id": "C.3.5.8"}
-                        },
-                        "description": "This system maintains historical logging and auditing information for all client devices connected to this system.",
-                        "confidentiality-impact": {"base": "fips-199-moderate"},
-                        "integrity-impact": {"base": "fips-199-moderate"},
-                        "availability-impact": {"base": "fips-199-low"}
-                    }
-                ]
-            },
-            "security-impact-level": {
-                "security-objective-confidentiality": "fips-199-moderate",
-                "security-objective-integrity": "fips-199-moderate",
-                "security-objective-availability": "fips-199-low"
-            },
-            "status": {
-                "state": "other",
-                "remarks": "This is an example, and is not intended to be implemented as a system"
-            },
-            "annotations": [
-                {
-                    "name": "deployment-model",
-                    "value": "private"
-                },
-                {
-                    "name": "service-models",
-                    "value": "iaas"
-                }
-            ],
-            "authorization-boundary": {"description": "The description of the authorization boundary would go here."}
-        },
-        "system-implementation": {
-            "remarks": "This is a partial implementation that addresses the logging server portion of the auditing system.",
-            "users": {
-                "9824089b-322c-456f-86c4-4111c4200f69": {
-                    "title": "System Administrator",
-                    "role-ids": ["asset-administrator"],
-                    "annotations": [
-                        {
-                            "name": "type",
-                            "value": "internal"
-                        }
-                    ]
-                },
-                "ae8de94c-835d-4303-83b1-114b6a117a07": {
-                    "title": "Audit Team",
-                    "role-ids": ["asset-owner"],
-                    "annotations": [
-                        {
-                            "name": "type",
-                            "value": "internal"
-                        }
-                    ]
-                },
-                "372ce7a3-92b0-437e-a98c-24d29f9bfab8": {
-                    "title": "Legal Department",
-                    "role-ids": ["legal-officer"],
-                    "annotations": [
-                        {
-                            "name": "type",
-                            "value": "internal"
-                        }
-                    ]
-                }
-            },
-            "components": {
-                "e00acdcf-911b-437d-a42f-b0b558cc4f03": {
-                    "title": "Logging Server",
-                    "description": "Provides a means for hosts to publish logged events to a central server.",
-                    "status": {"state": "operational"},
-                    "component-type": "software",
-                    "responsible-roles": {
-                        "provider": {
-                            "party-uuids": ["96c362ee-a012-4e07-92f3-486ab303b0e7"]
-                        },
-                        "asset-owner": {
-                            "party-uuids": ["3b2a5599-cc37-403f-ae36-5708fa804b27"]
-                        },
-                        "asset-administrator": {
-                            "party-uuids": ["833ac398-5c9a-4e6b-acba-2a9c11399da0"]
-                        }
-                    }
-                },
-                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                    "title": "Enterprise Logging, Monitoring, and Alerting Policy",
-                    "component-type": "policy",
-                    "description": "Requires all components to send logs to the enterprise logging solution\n\u2014 Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency.\n\u2014 Identifies the events that must be captured\n\u2014 Identifies who is responsible/accountable for performing these functions",
-                    "status": {"state": "operational"},
-                    "properties": [
-                        {
-                            "name": "version",
-                            "value": "2.1"
-                        },
-                        {
-                            "name": "last-modified-date",
-                            "value": "20181015"
-                        }
-                    ],
-                    "responsible-roles": {
-                        "maintainer": {
-                            "party-uuids": ["ec485dcf-2519-43f5-8e7d-014cc315332d"]
-                        }
-                    }
-                },
-                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                    "title": "System Integration Process",
-                    "component-type": "process",
-                    "description": "Ensures proper integration into the enterprise as new systems are brought into production.",
-                    "status": {"state": "operational"},
-                    "properties": [
-                        {
-                            "name": "last-modified-date",
-                            "value": "20181015"
-                        }
-                    ],
-                    "responsible-roles": {
-                        "maintainer": {
-                            "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"]
-                        }
-                    },
-                    "links": [
-                        {
-                            "rel": "implements-policy",
-                            "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-                            "text": "Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized."
-                        }
-                    ]
-                },
-                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                    "title": "Inventory Management Process",
-                    "component-type": "process",
-                    "description": "Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.",
-                    "status": {"state": "operational"},
-                    "properties": [
-                        {
-                            "name": "last-modified-date",
-                            "value": "20181015"
-                        }
-                    ],
-                    "responsible-roles": {
-                        "maintainer": {
-                            "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"]
-                        }
-                    },
-                    "links": [
-                        {
-                            "rel": "implements-policy",
-                            "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-                            "text": "Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server."
-                        }
-                    ]
-                },
-                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                    "title": "Configuration Management Guidance",
-                    "component-type": "guidance",
-                    "description": "Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.",
-                    "status": {"state": "operational"},
-                    "properties": [
-                        {
-                            "name": "last-modified-date",
-                            "value": "20181015"
-                        }
-                    ],
-                    "responsible-roles": {
-                        "maintainer": {
-                            "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"]
-                        }
-                    },
-                    "links": [
-                        {
-                            "rel": "implements-policy",
-                            "href": "#795533ab-9427-4abe-820f-0b571bacfe6d",
-                            "text": "Ensures that all host are configured to publish log events to the logging server."
-                        }
-                    ]
-                }
-            },
-            "system-inventory": {
-                "inventory-items": {
-                    "c9c32657-a0eb-4cf2-b5c1-20928983063c": {
-                        "description": "The logging server.",
-                        "asset-id": "asset-id-logging-server",
-                        "responsible-parties": {
-                            "asset-administrator": {
-                                "party-uuids": ["833ac398-5c9a-4e6b-acba-2a9c11399da0"]
-                            },
-                            "asset-owner": {
-                                "party-uuids": ["3b2a5599-cc37-403f-ae36-5708fa804b27"]
-                            }
-                        },
-                        "implemented-components": {
-                            "e00acdcf-911b-437d-a42f-b0b558cc4f03": {"use": "runs-software"},
-                            "795533ab-9427-4abe-820f-0b571bacfe6d": {"use": "enforces-policy"}
-                        }
-                    }
-                }
-            }
-        },
-        "control-implementation": {
-            "description": "This is the control implementation for the system.",
-            "implemented-requirements": [
-                {
-                    "uuid": "aaadb3ff-6ae8-4332-92db-211468c52af2",
-                    "control-id": "au-1",
-                    "description": "This should be a description of how au-1 is implemented.",
-                    "statements": {
-                        "au-1smt": {
-                            "uuid": "7ad47329-dc55-4196-a19d-178a8fe7438d",
-                            "description": "N/A"
-                        },
-                        "au-1smt.a": {
-                            "uuid": "f3887a91-9ed3-425c-b305-21e4634a1c34",
-                            "description": "",
-                            "by-components": {
-                                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                                    "uuid": "a74681b2-fbcb-46eb-90fd-0d55aa74ac7b",
-                                    "description": "The legal department develops, documents, and disseminates this policy to all staff and contractors within the organization.",
-                                    "parameter-settings": {
-                                        "au-1_prm_1": {"value": "all staff and contractors within the organization"}
-                                    }
-                                },
-                                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                                    "uuid": "4f873ce6-dd49-4a46-bd4a-5041c22665f1",
-                                    "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                                    "parameter-settings": {
-                                        "au-1_prm_1": {"value": "all IT staff who administer this system when the staff member is assigned and annually through training"}
-                                    }
-                                },
-                                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                                    "uuid": "ea85a624-cd21-4c63-abe0-f66087e97241",
-                                    "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                                    "parameter-settings": {
-                                        "au-1_prm_1": {"value": "all IT staff who administer this system when the staff member is assigned and annually through training"}
-                                    }
-                                },
-                                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                                    "uuid": "b5e5823a-844f-4306-a5ab-7e110679e0d5",
-                                    "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.",
-                                    "parameter-settings": {
-                                        "au-1_prm_1": {"value": "all IT staff who administer this system when the staff member is assigned and annually through training"}
-                                    }
-                                }
-                            }
-                        },
-                        "au-1smt.a.1": {
-                            "uuid": "6fe632bd-33aa-4eea-a507-a37f0d212085",
-                            "by-components": {
-                                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                                    "uuid": "2d0a7b08-da7f-4691-b99c-8fd9df02b25c",
-                                    "description": "This policy explicitly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This section also describes responsibilities for organizational coordination. Management commitment and compliance statements are made in the board\u2019s directive memo dated January 1, 2012."
-                                }
-                            }
-                        },
-                        "au-1smt.a.2": {
-                            "uuid": "dbe9af68-1cd9-4ff1-965b-8f887351d411",
-                            "by-components": {
-                                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                                    "uuid": "dd4fd380-7a2a-4fba-9e98-933ba5cfc04d",
-                                    "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                                },
-                                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                                    "uuid": "3b912d0f-2463-497c-8d8a-72416f38e999",
-                                    "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                                },
-                                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                                    "uuid": "226ee2a2-cbdb-498f-8182-94dfa013476c",
-                                    "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"
-                                }
-                            }
-                        },
-                        "au-1_smt.b": {
-                            "uuid": "b1773cd6-afc5-4c87-84a7-f182e6be5af9",
-                            "remarks": "N/A"
-                        },
-                        "au-1_smt.b.1": {
-                            "uuid": "75873308-f37d-4e89-9c27-29f3dee4b314",
-                            "by-components": {
-                                "795533ab-9427-4abe-820f-0b571bacfe6d": {
-                                    "uuid": "23903c59-1327-46f0-9c28-09ec7f144214",
-                                    "parameter-settings": {
-                                        "au-1_prm_2": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"}
-                                    },
-                                    "description": "The legal department reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal department updates the policy as needed based on these reviews."
-                                }
-                            }
-                        },
-                        "au-1_smt.b.2": {
-                            "uuid": "74b5b0f2-9915-4f80-b7cd-379566442ab6",
-                            "by-components": {
-                                "941e2a87-46f4-4b3e-9e87-bbd187091ca1": {
-                                    "uuid": "0c45b6e2-f85b-4656-a6cc-2a302d184720",
-                                    "parameter-settings": {
-                                        "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"}
-                                    },
-                                    "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews."
-                                },
-                                "fa39eb84-3014-46b4-b6bc-7da10527c262": {
-                                    "uuid": "094f02ce-4b7a-405c-90a5-ab4d95133f74",
-                                    "parameter-settings": {
-                                        "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"}
-                                    },
-                                    "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews."
-                                },
-                                "4938767c-dd8b-4ea4-b74a-fafffd48ac99": {
-                                    "uuid": "7ec8b7ec-d931-4055-ac74-6d288d636787",
-                                    "parameter-settings": {
-                                        "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"}
-                                    },
-                                    "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews"
-                                }
-                            }
-                        }
-                    }
-                }
-            ]
-        }
-    }
-}
\ No newline at end of file
diff --git a/src/content/ssp-example/readme.md b/src/content/ssp-example/readme.md
deleted file mode 100644
index 2ecc7b0840..0000000000
--- a/src/content/ssp-example/readme.md
+++ /dev/null
@@ -1 +0,0 @@
-This contains both the SSP data model, and SSP mock-up with sample information.
diff --git a/src/content/ssp-example/ssp.sch b/src/content/ssp-example/ssp.sch
deleted file mode 100644
index 57c881819e..0000000000
--- a/src/content/ssp-example/ssp.sch
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron"
-  xmlns:sqf="http://www.schematron-quickfix.com/validator/process"
-  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-  xmlns:json="http://www.w3.org/2005/xpath-functions"
-  queryBinding="xslt2">
-  
-  <sch:ns prefix="json" uri="http://www.w3.org/2005/xpath-functions"/>
-
-  <xsl:key name="roles" match="json:map[@key='metadata']/json:map[@key='roles']|json:map[@key='metadata']/json:array[@key='roles']/json:map" use="json:string[@key='id']"/>
-  <xsl:key name="system-roles" match="json:map[@key='system-roles']" use="json:map/@key"/>
-  <xsl:key name="parties" match="json:map[@key='metadata']/json:map[@key='parties' and json:string[@key='id']] | json:map[@key='metadata']/json:array[@key='parties']/json:map[json:string[@key='id']]" use="json:string[@key='id']"/>
-
-  <sch:pattern>
-    <sch:rule context="json:string[@key='role-id']">
-      <sch:assert test="exists(key('roles',.))">Referenced role-id not defined in this document: <sch:value-of select="."/>. Must be one of: <sch:value-of select="ancestor::json:map[@key='system-security-plan']/json:map[@key='metadata']/(json:map[@key='roles']|json:array[@key='roles']/json:map)/json:string[@key='id'e]"/></sch:assert>
-    </sch:rule>
-    <sch:rule context="json:map[@key='metadata']/json:map[@key='parties'] | json:map[@key='metadata']/json:array[@key='parties']/json:map">
-      <sch:assert test="not(json:string[@key='id']) or
-        self::json:map[@key='parties'] or (count(preceding-sibling::json:map/json:string[@key='id' and text() = json:string[@key='id']]) = 0 and count(following-sibling::json:map/json:string[@key='id' and text() = json:string[@key='id']]) = 0)">Duplicate party identifier:  <sch:value-of select="json:string[@key='id']"/></sch:assert>
-    </sch:rule>
-
-    <sch:rule context="json:map[@key='system-roles']">
-      <sch:assert test="count(json:map) = count(distinct-values(json:map/@key))">Duplicate system roles:  <sch:value-of select="string-join(distinct-values(json:map[@key = following-sibling::json:map/@key or @key = preceding-sibling::json:map/@key]/@key),', ')"/></sch:assert>
-    </sch:rule>
-
-    <sch:rule context="json:map[@key='responsible-parties']/json:string[@key='party-ids'] | json:map[@key='responsible-parties']/json:array[@key='party-ids']/json:string | json:array[@key='responsible-parties']/json:map/json:string[@key='party-ids'] | json:array[@key='responsible-parties']/json:map/json:array[@key='party-ids']/json:string">
-      <sch:assert test="exists(key('parties',.))">Referenced party-id not defined in metadata: <sch:value-of select="."/>. Must be one of: <sch:value-of select="ancestor::json:map[@key='system-security-plan']/json:map[@key='metadata']/(json:map[@key='parties']|json:array[@key='parties']/json:map)"/></sch:assert>
-    </sch:rule>
-
-    <sch:rule context="json:map[@key='responsible-parties'] | json:array[@key='responsible-parties']/json:map">
-      <sch:assert test="exists(key('parties',json:string[@key='system-role-id']))">Referenced system-role-id not defined in this document: <sch:value-of select="json:string[@key='system-role-id']"/>. Must be one of: <sch:value-of select="ancestor::json:map[@key='system-implementation']/json:map[@key='system-roles']/json:map/@key"/></sch:assert>
-    </sch:rule>
-  </sch:pattern>
-</sch:schema>
\ No newline at end of file
diff --git a/src/content/ssp-example/validate.sh b/src/content/ssp-example/validate.sh
deleted file mode 100644
index 493878d5b5..0000000000
--- a/src/content/ssp-example/validate.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-if [[ -z "$OSCALDIR" ]]; then
-    DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
-    source "$DIR/../../../build/ci-cd/include/common-environment.sh"
-fi
-source "$OSCALDIR/build/ci-cd/include/init-validate-json.sh"
-source "$OSCALDIR/build/ci-cd/include/schematron-init.sh"
-
-shopt -s nullglob
-shopt -s globstar
-
-# compile the schematron
-compiled_schematron="compiled-schematron.xsl"
-build_schematron "$OSCALDIR/src/content/ssp-draft/ssp.sch" "$compiled_schematron"
-cmd_exitcode=$?
-if [ $? -ne 0 ]; then
-  echo "${P_ERROR}Compilation of Schematron failed.${P_END}"
-  exit 1
-fi
-
-input="$1"
-input="$(realpath "${input}" )"
-output="${input}-to-xml.json"
-transform="${OSCALDIR}/build/metaschema/json/json-to-xml.xsl"
-svrl="${input}-to-xml.svrl"
-
-#input-relative="$(realpath --relative-to="$transform" "$input")"
-
-xsl_transform "${transform}" "" "${output}" "-it" "json-file=${input}"
-if [ $? -ne 0 ]; then
-  echo "${P_ERROR}Conversion of JSON file to XML failed.${P_END}"
-  exit 1
-fi
-
-validate_with_schematron "$compiled_schematron" "${output}" "${svrl}"
-exit $?